Unwanted inetd Services
[posted 2000/02/01]
A user asked: "About security... Can PIKT check if unwanted inetd services like finger, walld, rusersd are closed?"
Although we have removed it from the configs_samples in order to preserve our privacy/security, we manage our inetd.conf in the file =piktdir/lib/configs/files/inetd_conf_files.cfg. By commenting out the finger, walld, rusersd, etc. lines with '//, or by prepending such lines with '#', it is very easy for us to enforce consistent access policies across our systems.
So, for example, here are some relevant portions of our configuration:
In files.cfg:
// under development #ifndef generic // only solaris is finished, so the following #if has us bypass the others # if solaris # include <files/inetd_conf_files.cfg> # endif #include <files/hosts_allow_files.cfg> #include <files/hosts_deny_files.cfg> #endifdef // generic
In files/inetd_conf_files.cfg:
...
#finger stream tcp nowait nobody /usr/sbin/in.fingerd in.fingerd
...
#rusersd/2-3 tli rpc/datagram_v,circuit_v wait root
/usr/lib/netsvc/rusers/rpc.rusersd rpc.rusersd
...
# if ! cssys | comp | perf | madrid // multi-user systems
walld/1 tli rpc/datagram_v wait root
/usr/lib/netsvc/rwall/ rpc.rwalld
rpc.rwalld
# else
#walld/1 tli rpc/datagram_v wait root
/usr/lib/netsvc/rwall/rpc.rwalld rpc.rwalld
# endif
We install inetd.conf files with:
# piktc -iv +F inetd.conf +H solaris
and restart inetd with
# piktc -xv +S SigHupInetd +H solaris
Nightly, we run the PiktcDiffChkWarning to verify that the distributed PIKT-managed files, including inetd.conf, do not diverge from the central configuration.
Another possibility would be to write a new alarm script to scan the inetd.conf files regularly, sending out alert mail if it finds any of the troublesome services uncommented. Something like:
if $inline =~ "^(finger|rusersd|walld)"
output mail "COMMENT THIS OUT: $inline"
fi
I'm sure that there are other good solutions to this unwanted inetd services problem as well.
For more examples, see Developer's Notes.
