Tripwire Agent silent install
Create a Solaris pkg answer file
Note: change the password to the real password.
cat response_file
ACCEPT_EULA='y'
BASEDIR='/opt/tripwire/te/agent'
CLIENT_BASEDIR='/opt/tripwire/te/agent'
TE_SERVER='tripwire1.domain.com'
TE_PORT='9898'
SERVICES_PASSWORD='password'
PROXY_HOST=''
PROXY_PORT=''
TE_OWNER='0'
STRICT_CRYPTO=''
TE_SERVER_HTTP_PORT=''
RTM_PORT='1169'
Create a Solaris pkg admin file
cat admin_file
#
# Copyright 2004 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
#ident "@(#)default 1.7 04/12/21 SMI"
#
mail=
instance=overwrite
partial=ask
runlevel=ask
idepend=ask
rdepend=ask
space=ask
setuid=ask
conflict=ask
action=nocheck
networktimeout=60
networkretries=3
authentication=quit
keystore=/var/sadm/security
proxy=
basedir=default
Run the silent install
pkgadd -n -r response_file -a admin_file -d te_agent.pkg TWeagent
Multi NIC Support
Add to /opt/tripwire/te/agent/data/config/agent.properties
echo "" >> /opt/tripwire/te/agent/data/config/agent.properties
echo 'tw.rpc.interfaceAddr=10.100.12.193' >> /opt/tripwire/te/agent/data/config/agent.properties
echo 'java.rmi.server.hostname=clientname.domain.com' >> /opt/tripwire/te/agent/data/config/agent.properties
Start the agent
svcadm enable teges teeg
svcadm enable teagent
Agent properties
The default properties are listed in the table below:
Note: We tuned two of the properties listed below
With TE 7.7 and newer, the tesvc looks for configuration files when it starts. These files have exactly the same format as Java properties files. The following locations are searched and, if found, the configuration files are read one-by-one and the values therein are merged into the configuration. Therefore, if the same property is defined in more than one file, only the last read value will be used. The locations searched for the configuration files in order are:
1. /opt/tripwire/te/agent/data/config/tesvc.conf (Solaris and Linux)
2. {installed location}/tesvc.conf (all platforms)
3. {installed location}/../../data/config/tesvc.conf (Solaris and Linux)

| Property Name | Default Value | Description |
|---|---|---|
| debug-rule-trace | false | Whether to trace rule processing |
| disable-log | false | Whether to disable logging |
| allow-dump | true | Whether to allow core dump (Linux and Solaris only) |
| raise-priority | true (false on Windows) | Whether to raise process priority |
| logfile-path | tesvc.log | Log file name (and path) |
| log-limit-mb | 20 | Log file size limit |
| log-level | info | Logging level |
| port | 1169 | TCP-IP port for socket connection to TE Agent |
| dvrqueue | 1000, Solaris: 10000 (max 10k) | Driver queue size limit in events |
| svcqueue | 10000, Solaris: 50000 (max 100k) | Service queue size limit in number of events |
| pidfile-path | (none) | pid file path (currently Linux only) |
| dvr-trace | false | Whether to enable driver tracing (Windows only) |
| dispatch-threads | 1 | Number of rule checker threads |
| read-tick | 100000 | Debug output in read proc every n events |
| disp-tick | 100000 | Debug output in dispatch proc every n events |
Properties we tuned
- dvrqueue (Solaris default 10000, max 10k; driver queue size limit in events): set to 5000
- svcqueue (Solaris default 50000, max 100k; service queue size limit in number of events): set to 30000
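To see how the search order and last-read-wins merge described above interact with the two tuned values, here is an added Python example (not Tripwire's code) that emulates the three locations, merges them over the defaults from the table, records which file supplied each effective value, and flags queue sizes above the documented maximum. The root parameter, the {installed location} layout under a temp directory and the two file contents are constructed for the demonstration.

```python
import os
import re
import tempfile

# Defaults from the properties table above (Solaris values for the two queues).
DEFAULTS = {"debug-rule-trace": "false", "disable-log": "false", "allow-dump": "true",
            "raise-priority": "true", "logfile-path": "tesvc.log", "log-limit-mb": "20",
            "log-level": "info", "port": "1169", "dvrqueue": "10000", "svcqueue": "50000",
            "dispatch-threads": "1", "read-tick": "100000", "disp-tick": "100000"}
LIMITS = {"dvrqueue": 10000, "svcqueue": 100000}  # documented ceilings (10k / 100k)

def search_paths(installed, root="/"):
    """The three locations tesvc searches, in documented order (root is a test hook)."""
    return [os.path.join(root, "opt/tripwire/te/agent/data/config/tesvc.conf"),
            os.path.join(installed, "tesvc.conf"),
            os.path.normpath(os.path.join(installed, "../../data/config/tesvc.conf"))]

def parse_properties(text):
    """Minimal Java .properties reader: '#'/'!' comments, '=' or ':' separators."""
    pairs = (re.match(r"\s*([^#!=:\s][^=:\s]*)\s*[=:]?\s*(.*?)\s*$", l) for l in text.splitlines())
    return {m.group(1): m.group(2) for m in pairs if m}

def effective_config(paths, defaults=DEFAULTS):
    """Merge every existing file in order; keep the source so overrides are traceable."""
    merged = {k: (v, "default") for k, v in defaults.items()}
    for path in paths:
        if os.path.isfile(path):
            with open(path) as fh:
                for key, val in parse_properties(fh.read()).items():
                    merged[key] = (val, path)  # last file read wins
    return merged

def over_limit(config):
    """Keys whose effective value exceeds the documented maximum."""
    return sorted(k for k, mx in LIMITS.items() if k in config and int(config[k][0]) > mx)

def demo():
    """Constructed layout: the tuned values are partly overridden by a stale copy read later."""
    root = tempfile.mkdtemp()
    installed = os.path.join(root, "opt/te/agent/bin")
    paths = search_paths(installed, root)
    files = {paths[1]: "dvrqueue=5000\nsvcqueue=30000\n",
             paths[2]: "# stale copy\nsvcqueue : 200000\nlog-level=debug\n"}
    for path, body in files.items():
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    cfg = effective_config(paths)
    return {k: cfg[k] for k in ("dvrqueue", "svcqueue", "log-level", "port")}, over_limit(cfg)
```

Run `demo()` and print the returned mapping: dvrqueue keeps the tuned 5000, but svcqueue comes from the later-read data/config copy and exceeds the 100k ceiling, which is exactly the kind of silent override to check for when a tuned value does not seem to take effect.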
Server hardening list
Solaris PCI services disable list
Notes before doing this
- The ipp listener needs to run on the print servers
- Section 2.2.2.8 – telnet cannot be disabled on the apps because it is used by the wireless hand-helds
- Sections 2.2.2.22, 2.2.2.24, 2.2.2.28, 2.2.2.30 and 2.2.2.29
  - NFS client, id mapping etc. need to run on the NFS clients
- Section 2.2.2.37 Verify That inetd Daemon Is Disabled
  - inetd cannot be disabled; it is used by a number of services like NetBackup, Sun service tags, telnet (on the apps), and more
- Section 2.2.0.1.4 Verify That the Following Users Are Locked
  - Refer to this doc on why this cannot be done on Solaris 10: Managing Non-Login and Locked Solaris Accounts
- Look again at these sections, as there is a problem changing this file mask in prod because one user needs to overwrite other users' files: 7.1.1.38, 7.1.1.49, 7.1.1.50, 7.1.1.54
  # the programmers should change the umask on files so they are not world-writable
  chmod o-w `find / \( -fstype ctfs -o -fstype mntfs -o -fstype objfs -o -fstype proc -o ! -local \) -prune -o -type f -perm -0002 -print 2>/dev/null` 2>/dev/null
- Auditing is not turned on; should we turn it on for all Sun servers? 10.2.2.1
send "echo 'set nfssrv:nfs_portmon = 1' >>/etc/system\r"
send "svccfg -s svc:/system/system-log setprop config/log_from_remote = false\r"
send "svcadm refresh svc:/system/system-log\r"
send "svcadm enable svc:/system/sar:default\r"
send "perl -pi -e 's-PrivacyOptions.*$-PrivacyOptions=authwarnings,goaway-' /etc/mail/sendmail.cf\r"
send "svcadm restart sendmail\r"
send "svcadm disable svc:/network/rpc/cde-ttdbserver:tcp\r"
send "svcadm disable svc:/application/print/ipp-listener:default\r"
send "chmod go-rwx /usr/sbin/traceroute\r"
send "chmod u-x,g-wx,o-rwx /etc/syslog.conf\r"
send "chmod 640 /etc/syslog.conf\r"
send "chmod 600 /etc/cron.d/cron.deny\r"
send "chmod 600 /etc/cron.d/at.deny\r"
send "chmod 640 /etc/security/audit_user\r"
send "perl -pi -e 's-^.*MAXWEEKS.*$-MAXWEEKS=12-' /etc/default/passwd\r"
send "perl -pi -e 's-^.*PASSLENGTH.*$-PASSLENGTH=8-' /etc/default/passwd\r"
send "perl -pi -e 's-^.*MINDIGIT.*$-MINDIGIT=1-' /etc/default/passwd\r"
send "perl -pi -e 's-^.*HISTORY.*$-HISTORY=4-' /etc/default/passwd\r"
send "perl -pi -e 's-^.*LOCK_AFTER_RETRIES.*$-LOCK_AFTER_RETRIES=YES-' /etc/security/policy.conf\r"
# ??????
echo "* sshd1: ALL" >>/etc/hosts.deny
echo "sshd2: ALL" >>/etc/hosts.deny
echo "sshdfwd-X11 : ALL" >>/etc/hosts.deny
echo "ALL: ALL" >>/etc/hosts.deny
Linux hardening
# system should not mount automatically
chkconfig --level 0123456 autofs off
# turn off the sendmail daemon (we don't want to do this one)
chkconfig --level 0123456 sendmail off
# hidd off disables Bluetooth support
chkconfig --level 0123456 hidd off
chkconfig --level 0123456 isdn off
perl -pi -e 's,# Host *,Host *,' /etc/ssh/sshd_config
perl -pi -e 's,#PasswordAuthentication yes,PasswordAuthentication no,' /etc/ssh/sshd_config
perl -pi -e 's,#Port 22,Port 22,' /etc/ssh/sshd_config
perl -pi -e 's,#LogLevel INFO,LogLevel VERBOSE,' /etc/ssh/sshd_config
service sshd restart
perl -pi -e 's,umask 022,umask 027,' /etc/init.d/functions
# Sendmail should not be configured to listen on port 25 for incoming mail.
perl -pi -e 's,DAEMON=yes,DAEMON=no,' /etc/sysconfig/sendmail
# With TCP SYN cookies, the kernel does not really allocate the TCP buffers unless the server's SYN/ACK packet gets an ACK back, meaning that it was a legitimate request.
echo "net.ipv4.tcp_max_syn_backlog=4096" >> /etc/sysctl.conf
# Enforce sanity checking, also called ingress or egress filtering: drop a packet if the source and destination IP addresses in the IP header do not make sense for the physical interface on which it arrived.
echo "net.ipv4.conf.all.rp_filter=1" >>/etc/sysctl.conf
# Disable ICMP broadcast echo activity. Otherwise, your system could be used as part of a Smurf attack.
echo "net.ipv4.icmp_echo_ignore_broadcasts=1" >>/etc/sysctl.conf
# Disable IP source routing. The only use of IP source routing these days is by attackers trying to spoof IP addresses that you would trust as internal hosts.
echo "net.ipv4.conf.all.accept_source_route=0" >>/etc/sysctl.conf
# Disable ICMP routing redirects. Otherwise, your system could have its routing table misadjusted by an attacker (use only if the server acts as a router).
echo "net.ipv4.conf.all.send_redirects=0" >>/etc/sysctl.conf
echo "net.ipv4.conf.default.send_redirects=0" >>/etc/sysctl.conf
# Sometimes you will come across routers that send out invalid responses to broadcast frames. This is a violation of RFC 1122, "Requirements for Internet Hosts -- Communication Layers". As a result, these events are logged by the kernel. To avoid filling up your logfile with unnecessary clutter, you can tell the kernel not to issue these warnings.
echo "net.ipv4.icmp_ignore_bogus_error_responses=1" >>/etc/sysctl.conf
# Apply the values to the running kernel now (sysctl -p only reloads /etc/sysctl.conf; -w sets a single key)
sysctl -w net.ipv4.conf.all.rp_filter=1
sysctl -w net.ipv4.tcp_max_syn_backlog=4096
sysctl -w net.ipv4.conf.all.accept_source_route=0
sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1
sysctl -w net.ipv4.conf.all.send_redirects=0
sysctl -w net.ipv4.conf.default.send_redirects=0
# Disables USB during boot - re-enables after boot ??
grubby --update-kernel=`grubby --default-kernel` --args="nousb"
echo "install usb-storage /bin/true" >> /etc/modprobe.conf
#
perl -pi -e 's,auth required pam_rhosts_auth.so,#auth required pam_rhosts_auth.so,' /etc/pam.d/ekshell
perl -pi -e 's,auth required pam_rhosts_auth.so,#auth required pam_rhosts_auth.so,' /etc/pam.d/kshell
rm -rf /etc/at.deny /etc/cron.deny
echo root >> /etc/at.allow
echo root >> /etc/cron.allow
# This makes the file uneditable/undeletable unless chattr -i is run on it
chattr +i /etc/fstab
# Prevent access to the GRUB console and editor without providing the password (see http://www.geekride.com/index.php/how-to-secure-grub-boot-loader/)
perl -pi -e 's,default,password --md5 \$1\$v30jd/\$oRh5M7DZGAGqoaSSYNO4h.\ndefault,' /boot/grub/grub.conf

2.2.3.33 ??? 2.2.3.37 2.2.3.39 2.2.3.41