Unwanted inetd Services

[posted 2000/02/01]

A user asked:  "About security...  Can PIKT check if unwanted inetd services like finger, walld, rusersd are closed?"

Although we have removed it from the configs_samples in order to preserve our privacy/security, we manage our inetd.conf in the file =piktdir/lib/configs/files/inetd_conf_files.cfg.  By commenting out the finger, walld, rusersd, etc. lines with '//' (a PIKT comment, so the line never reaches the installed inetd.conf at all), or by prepending such lines with '#' (so the line is installed but disabled, leaving a visible record of the policy on each host), it is very easy for us to enforce consistent access policies across our systems.

So, for example, here are some relevant portions of our configuration:

In files.cfg:

// under development

#ifndef generic

// only solaris is finished, so the following #if has us bypass the others
#  if solaris
#    include <files/inetd_conf_files.cfg>
#  endif

#include <files/hosts_allow_files.cfg>
#include <files/hosts_deny_files.cfg>

#endifdef  // generic

In files/inetd_conf_files.cfg:

...

        #finger stream  tcp  nowait  nobody  /usr/sbin/in.fingerd    in.fingerd

...

        #rusersd/2-3    tli  rpc/datagram_v,circuit_v    wait root  /usr/lib/netsvc/rusers/rpc.rusersd    rpc.rusersd

...

#    if ! cssys | comp | perf | madrid          // multi-user systems
        walld/1         tli  rpc/datagram_v  wait root  /usr/lib/netsvc/rwall/rpc.rwalld    rpc.rwalld
#    else
        #walld/1        tli  rpc/datagram_v  wait root  /usr/lib/netsvc/rwall/rpc.rwalld    rpc.rwalld
#    endif

We install inetd.conf files with:

# piktc -iv +F inetd.conf +H solaris

and have inetd reread the new file (the SigHupInetd script sends the running inetd a SIGHUP) with

# piktc -xv +S SigHupInetd +H solaris

Nightly, we run the PiktcDiffChkWarning alarm to verify that the distributed PIKT-managed files, including inetd.conf, do not diverge from the central configuration, so a service re-enabled by hand on one host shows up as a diff the next morning.

Another possibility would be to write a new alarm script to scan the inetd.conf files regularly, sending out alert mail if it finds any of the troublesome services uncommented.  Something like:

        // $inline is the current line of the inetd.conf being scanned;
        // the '^' anchor means lines already commented out with '#' do not match
        if $inline =~ "^(finger|rusersd|walld)"
                output mail "COMMENT THIS OUT: $inline"
        fi
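
As an added example (not PIKT code and not from this page or its author), here is a small Python audit in the spirit of the alarm rule above. It parses an inetd.conf, including the Solaris RPC form seen in the configuration (rusersd/2-3, walld/1), and reports every uncommented entry whose service name is on a deny list. The deny list, the sample inetd.conf and all function names are constructed for the example. Unlike the PIKT regex, it strips leading blanks before testing, so an indented entry (which some inetd implementations still honour) is not missed, and it matches service names exactly rather than by prefix.

```python
"""Audit an inetd.conf for services that site policy says must stay disabled."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Deny list: the three services named on the page. Extend it to match local policy.
UNWANTED = frozenset({"finger", "rusersd", "walld"})

# The page's PIKT rule, kept for comparison: it only matches at column 1.
PIKT_RULE = re.compile(r"^(finger|rusersd|walld)")


@dataclass
class InetdEntry:
    service: str            # base name: "rusersd" for the Solaris RPC form "rusersd/2-3"
    socktype: str           # stream, dgram, tli, ...
    proto: str              # tcp, udp, rpc/datagram_v, ...
    wait: str               # wait / nowait
    user: str               # account the server runs as
    program: Optional[str]  # server path, or "internal" for inetd built-ins
    lineno: int
    raw: str


def parse_inetd_conf(text: str) -> List[InetdEntry]:
    """Return the active entries of an inetd.conf.

    Blank lines and lines whose first non-blank character is '#' are disabled
    and skipped. Leading blanks are stripped first, so an indented entry is
    treated as active; an anchored regex such as ^finger would silently miss it.
    """
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        fields = stripped.split()
        if len(fields) < 5:
            continue  # malformed: needs at least service/socktype/proto/wait/user
        service = fields[0].split("/", 1)[0]        # drop the RPC version suffix
        program = fields[5] if len(fields) > 5 else None
        entries.append(InetdEntry(service, fields[1], fields[2], fields[3],
                                  fields[4], program, lineno, stripped))
    return entries


def find_unwanted(text: str, deny=UNWANTED) -> List[InetdEntry]:
    """Active entries whose service name is on the deny list (exact match)."""
    return [e for e in parse_inetd_conf(text) if e.service in deny]


def pikt_rule_hits(text: str) -> List[int]:
    """Line numbers the page's ^-anchored PIKT rule would flag, for comparison."""
    return [i for i, line in enumerate(text.splitlines(), 1) if PIKT_RULE.match(line)]


def report(text: str, deny=UNWANTED) -> List[str]:
    """One alert line per violation, in the same spirit as the PIKT 'output mail'."""
    return [f"COMMENT THIS OUT (line {e.lineno}, runs as {e.user}): {e.raw}"
            for e in find_unwanted(text, deny)]


# Constructed sample in Solaris inetd.conf style (not a real host's file).
# finger appears twice: once disabled with '#', once indented and therefore active.
SAMPLE_INETD_CONF = """\
# constructed sample
ftp     stream  tcp     nowait  root    /usr/sbin/in.ftpd       in.ftpd
telnet  stream  tcp     nowait  root    /usr/sbin/in.telnetd    in.telnetd
#finger stream  tcp     nowait  nobody  /usr/sbin/in.fingerd    in.fingerd
  finger stream  tcp     nowait  nobody  /usr/sbin/in.fingerd    in.fingerd
#rusersd/2-3 tli rpc/datagram_v,circuit_v wait root /usr/lib/netsvc/rusers/rpc.rusersd rpc.rusersd
walld/1 tli rpc/datagram_v wait root /usr/lib/netsvc/rwall/rpc.rwalld rpc.rwalld
echo    stream  tcp     nowait  root    internal
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_INETD_CONF
    for line in report(text):
        print(line)
    print("PIKT ^-anchored rule would flag lines:", pikt_rule_hits(text))
```

Run it with a path to an inetd.conf to audit that file, or with no arguments to see the sample: the indented finger line and the walld line are reported, while the PIKT-style anchored match sees only walld.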

I'm sure that there are other good solutions to this unwanted inetd services problem as well.

For more examples, see Developer's Notes.

 
Page best viewed at 1024x768 or greater.   Page last updated 2019-01-12.   This site is PIKT® powered.
Copyright © 1998-2019 Robert Osterlund. All rights reserved.