#################################################################
#
# cf.solaris - for sdsc.edu
#
# $Header: /sdsc/admin/refsys/Data/cfengine/RCS/cf.solaris,v 1.384 2000/07/25 01:04:32 jeff Exp $
# This file contains solaris specific patches
#
# Format: cfengine 1.x. A "section:" line opens an action (links, tidy,
# copy, editfiles, shellcommands, processes, disable, directories, files);
# a "class::" line restricts the rules that follow it to hosts in that
# class until the next class line. In class expressions "." is AND, "|"
# is OR and "!" is NOT, e.g. "!keni.!miki" = neither host,
# "webfarm2|webfarm8" = either host. Only "#" full-line comments are used.
#
#################################################################
###
# restart_daemon script looks for comments of the form:
#
# restart_daemon: daemon_name daemon_configs restart_method
# where
# daemon_name is the name of the daemon as reported by ps (if using HUP)
# or the name of the startup script in /etc/init.d (if using SS)
# daemon_configs is the full path to the config or other file(s) used to
# indicate a restart is needed, and may contain wildcards
# restart_method can be:
# HUP - finds pid using ps, does kill -HUP on pid
# SS - uses stop/start method in /etc/init.d
# RESTART - uses restart method in /etc/init.d
###
###
#
# BEGIN cf.solaris
#
###

##############################################################
# links: force (->!) symlinks; an existing file or link at the source path
# is replaced.
##############################################################
links:

basics::
# These should all be there by default, but we've been accidentally trashing
# them with cfengine.
/etc/inetd.conf ->! /etc/inet/inetd.conf
/etc/netmasks ->! /etc/inet/netmasks
/etc/protocols ->! /etc/inet/protocols

!foreign::
# this is for remedy
/etc/ar ->! /projects/us/remedy4/ar

webfarm|torah|castor|pollux|nbcr1::
/etc/rc3.d/S99www ->! /etc/init.d/www

starfire::
/etc/rc0.d/K99mathlm ->! ../init.d/mathlm
/etc/rc2.d/S99mathlm ->! ../init.d/mathlm
# for Adobe FrameMaker License Server
/etc/rc2.d/S99fmfls ->! ../init.d/fmfls
/etc/rc0.d/K99fmfls ->! ../init.d/fmfls

shovel::
/etc/rc2.d/S82lprng ->! ../init.d/lprng

billthecat::
/etc/rc0.d/K99gnufinger ->! ../init.d/gnufinger
/etc/rc2.d/S99gnufinger ->! ../init.d/gnufinger

####################################
webfarm1::
/etc/rc2.d/S91dynaweb ->! /etc/init.d/dynaweb

webfarm2|webfarm8::
# NOTE(review): a K script in rc3.d runs on entry to run level 3, right
# before S99sybase.ndb starts the service again; confirm the stop/start on
# level change is intended rather than a kill link in rc0.d.
/etc/rc3.d/S99sybase.ndb ->! /etc/init.d/sybase.ndb
/etc/rc3.d/K99sybase.ndb ->! /etc/init.d/sybase.ndb

lprng::
/usr/ucb/lpr ->! /usr/local/apps/lprng/bin/lpr
/usr/ucb/lpq ->! /usr/local/apps/lprng/bin/lpq
/usr/ucb/lprm ->! /usr/local/apps/lprng/bin/lprm
/usr/ucb/lpc ->! /usr/local/apps/lprng/bin/lpc
/usr/bin/lp ->! /usr/local/apps/lprng/bin/lpr
/usr/sdsc/bin/checkpc ->! /usr/local/apps/lprng/bin/checkpc
# NOTE(review): the next two links both resolve to lprm (job removal);
# confirm lpstat/stat are not meant to point at lpq like the other
# status-style commands above.
/usr/ucb/lpstat ->! /usr/local/apps/lprng/bin/lprm
/usr/ucb/stat ->! /usr/local/apps/lprng/bin/lprm

!e10k.!e10k_ssp.!foreign::
# Unbundled compilers
/opt/SUNWspro ->! /usr/local/apps/workshop/opt/SUNWspro
/usr/ccs/bin/ucbcc ->! /opt/SUNWspro/bin/cc

!e10k_ssp::
# Stock su doesn't check wheel group
# NOTE(review): nothing in this file installs /usr/sdsc/bin/keysu - the copy
# rule below lands keysu at /sbin/keysu; confirm the link target is
# provided elsewhere, otherwise su becomes a dangling link on these hosts.
/usr/bin/su ->! /usr/sdsc/bin/keysu
# /sbin/su will remain the vendor binary so that one can use the -c option
# /sbin/su ->! /sbin/keysu

!sunos_5_7.!sunos_5_6.!e10k::
/etc/rc2.d/S98probesys ->! /etc/init.d/probesys

hpcmail::
/etc/rc2.d/S97xnewud ->! /etc/init.d/xnewud

# Solaris ping bug exploit wrapper in 5.5 and 5.5.1
sunos_5_5|sunos_5_5_1::
/usr/sbin/ping ->! /usr/sbin/ping_wrapper

any::
/etc/rc0.d/K00notify ->! /etc/init.d/notify
/etc/rc0.d/K30ssh ->! /etc/init.d/ssh
/etc/rc2.d/S69inet ->! /etc/init.d/inetinit
/etc/rc2.d/S70xntp ->! /etc/init.d/xntp
/etc/rc2.d/S74syslog ->! /etc/init.d/syslog
/etc/rc2.d/S74cfengine ->! /etc/init.d/cfengine
/etc/rc2.d/S78ssh ->! /etc/init.d/ssh
/etc/rc2.d/S88sendmail ->! /etc/init.d/sendmail
/etc/rc2.d/S99notify ->! /etc/init.d/notify
# The running rpcbind is the SDSC copy (see the copy: rules, which make it
# non-executable on extra_security hosts). define= activates the
# cmd_restart_rpcbind class when cfengine changes this link, so the
# processes: rule below restarts the daemon.
/usr/sbin/rpcbind ->! /usr/sdsc/etc/rpcbind define=cmd_restart_rpcbind
/var/mail ->! /var/spool/mail
/etc/mail/aliases ->! /etc/aliases
/etc/mail/aliases.dir ->! /etc/aliases.dir
/etc/mail/aliases.pag ->! /etc/aliases.pag
/etc/mail/sendmail.cf ->! /etc/sendmail.cf
/usr/openwin/bin/xlock ->! /usr/sdsc/bin/xlock
/usr/openwin/bin/xmlock ->! /usr/sdsc/bin/xmlock
/usr/openwin/bin/xhost ->! /usr/sdsc/bin/xhost
/usr/lib/newsyslog ->! /usr/sdsc/lib/newsyslog
# This quota symlink has been changed back to the standard Solaris form.
# It should be safe to delete this cfengine rule after 1 March 1998.
/usr/ucb/quota ->! ../lib/fs/ufs/quota
# Solaris PS bug exploit wrapper
# /usr/bin/ps ->! /usr/bin/ps_wrapper
# messed up /etc/termcap - Hans
/etc/termcap ->! /usr/share/lib/termcap

##############################################################
# tidy: delete files matching pat= under the given directory; a=0 means
# regardless of age, r=N limits recursion depth.
##############################################################
tidy:

any::
/etc/mail pat=aliases.cf* a=0
/etc/mail pat=main.cf a=0
/etc/mail pat=sendmail.cf.* a=0
/etc/mail pat=subsidiary.cf a=0
/etc/rc1.d pat=*.cfsaved a=0
/etc/rc2.d pat=*.cfsaved a=0
/etc/rc3.d pat=*.cfsaved a=0
/usr/sdsc/lib/ pat=sendmail a=0
/usr/sdsc/lib/ pat=sendmail* a=0

# Cleanup the link and old files if they're around - this needs to be removed
# in a few days (say by 11/25/96) to keep cfengine from churning
# /usr/lib pat=sendmail.hf a=0 links=tidy
# /usr/lib pat=sendmail.cf* a=0 links=tidy

# We don't run automountd
/etc pat=auto_home a=0
/etc pat=auto_master a=0
/etc/rc2.d/ pat=S74autofs a=0

# We don't run Sun's Solstice Enterprise software
/etc/rc3.d/ pat=S77dmi a=0
/etc/rc3.d/ pat=S76snmpdx a=0

# Need to fix daemon restart code before doing this
# only need these for one pass on all machines to make up for
# old cfengine configuration - henry 960813
# /etc pat=*.cfsaved a=0
# /etc pat=*.cf-saved a=0
# /usr/sdsc pat=*.cfsaved r=1 a=0
# /usr/sdsc pat=*.cf-saved r=1 a=0

# remove all krb4 header files
# /usr/include/kerberos pat=* r=0 a=0
# this appears to trigger a bug in cfengine-1.3.6
# /usr/include pat=kerberos r=0 a=0

# installed in wrong place
/usr/sdsc/bin pat=lsof r=0 a=0

# This to get around a really bad bug in cfengine (it leaves replaced
# setuid files lying around....)
# A *.cfsaved copy of a replaced setuid binary is still executable, so
# the superseded (possibly vulnerable) version stays usable until these
# rules delete it.
# /usr/bin
/usr/bin pat=ps.cfsaved r=0 a=0
/usr/bin pat=su.cfsaved r=0 a=0
/usr/bin pat=passwd.cfsaved r=0 a=0
/usr/bin pat=exploitable.ps r=0 a=0
/usr/bin pat=ps_wrapper r=0 a=0
# /usr/ucb
/usr/ucb pat=ps.cfsaved r=0 a=0
# /usr/lib
/usr/lib pat=sendmail.cfsaved r=0 a=0
# /usr/sbin
/usr/sbin pat=ping.cfsaved r=0 a=0
# (don't uncomment till the Great Rebooting)
# /usr/sbin pat=exploitable.ping r=0 a=0
# /usr/sbin pat=ping_wrapper r=0 a=0
# /usr/sdsc/bin
/usr/sdsc/bin pat=xlock.cfsaved r=0 a=0
# /usr/openwin/bin
/usr/openwin/bin pat=xlock.cfsaved r=0 a=0
# /var/lp/logs
/var/lp/logs pat=lpNe* r=0 a=0
/var/lp/logs pat=lpsche* r=0 a=0

need_diskspace::
# We want to delete old saved files in
# /var/sadm/patch/<patch>/save/archive.cpio.Z,
# /var/sadm/pkg/<pkg>/save/<patch>/undo.Z, and
# /var/sadm/pkg/<pkg>/save/<patch>/obsolete.Z
# (the <...> placeholders stand for one directory level each).
# type=mtime a=30 means a file is only removed when it has not been
# modified for 30 days.
/var/sadm/patch pat=archive.cpio.Z r=2 type=mtime a=30
/var/sadm/pkg pat=undo.Z r=4 type=mtime a=30
/var/sadm/pkg pat=obsolete.Z r=4 type=mtime a=30

# NOTE(review): "!krusty|!shovel" is an OR of two negations, so it holds on
# every host except one that is both krusty and shovel - i.e. effectively
# everywhere. If the intent is "neither krusty nor shovel", the form used
# elsewhere in this file is "!krusty.!shovel".
!krusty|!shovel::
# /var/adm/lpd-errs
/var/adm/ pat=lpd-errs r=0 a=0

##############################################################
# copy: install files from the refsys tree ($(common), $(base_data_arch),
# $(base_images_arch)); type=byte compares contents byte by byte, m/o/g set
# mode and ownership on the destination, define= activates a class when
# the file is actually replaced.
##############################################################
copy:

#######################################
### Machine specific files ###
#######################################

shovel::
$(common)/etc/printcap.shovel
    dest=/etc/printcap
    m=0744 o=$(owner) g=$(group) type=byte

pop_server::
# POP/IMAP daemons, the sslwrap front-ends and their TLS material.
# ssl-imap.pem and ssl-pop.pem are installed 0400 owned by uid 60001
# (Solaris "nobody"), so they presumably hold private keys - confirm;
# ca-cert.pem is world-readable. popauth is setuid root (4755).
# NOTE(review): the two man pages are installed 0755; 0644 is probably
# meant.
$(base_images_arch)/usr/sdsc/etc/imapd
    dest=/usr/sdsc/etc/imapd
    m=0755 o=0 g=0 type=byte
$(base_images_arch)/usr/sdsc/etc/qpopper
    dest=/usr/sdsc/etc/qpopper
    m=0755 o=0 g=0 type=byte
$(base_images_arch)/usr/sdsc/bin/popauth
    dest=/usr/sdsc/bin/popauth
    m=4755 o=0 g=0 type=byte
$(base_images_arch)/usr/sdsc/man/man8/popauth.8
    dest=/usr/sdsc/man/man8/popauth.8
    m=0755 o=0 g=0 type=byte
$(base_images_arch)/usr/sdsc/man/man8/popper.8
    dest=/usr/sdsc/man/man8/popper.8
    m=0755 o=0 g=0 type=byte
$(base_images_arch)/usr/sdsc/etc/sslwrap
    dest=/usr/sdsc/etc/sslwrap
    m=0755 o=0 g=0 type=byte
$(base_images_arch)/usr/sdsc/etc/imapsd
    dest=/usr/sdsc/etc/imapsd
    m=0755 o=0 g=0 type=byte
$(base_images_arch)/usr/sdsc/etc/pop3sd
    dest=/usr/sdsc/etc/pop3sd
    m=0755 o=0 g=0 type=byte
$(base_images_arch)/usr/sdsc/etc/certs/ssl-imap.pem
    dest=/usr/sdsc/etc/certs/ssl-imap.pem
    m=0400 o=60001 g=0 type=byte
$(base_images_arch)/usr/sdsc/etc/certs/ssl-pop.pem
    dest=/usr/sdsc/etc/certs/ssl-pop.pem
    m=0400 o=60001 g=0 type=byte
$(base_images_arch)/usr/sdsc/etc/certs/ca-cert.pem
    dest=/usr/sdsc/etc/certs/ca-cert.pem
    m=0444 o=0 g=0 type=byte

tpage_gateway::
# tpage paging gateway; all files owned by the numeric uid/gid 28387:223
# (the tpage account, presumably - confirm). Note the ixocico entry appears
# twice below; the second is redundant.
$(base_data_arch)/usr/sdsc/tpage/README
    dest=/usr/sdsc/tpage/README
    m=0644 o=28387 g=223 type=byte
$(base_data_arch)/usr/sdsc/tpage/devices
    dest=/usr/sdsc/tpage/devices
    m=0644 o=28387 g=223 type=byte
$(base_data_arch)/usr/sdsc/tpage/generate_table.pl
    dest=/usr/sdsc/tpage/generate_table.pl
    m=0755 o=28387 g=223 type=byte
$(base_data_arch)/usr/sdsc/tpage/ixocico
    dest=/usr/sdsc/tpage/ixocico
    m=0755 o=28387 g=223 type=byte
$(base_data_arch)/usr/sdsc/tpage/schedule
    dest=/usr/sdsc/tpage/schedule
    m=0644 o=28387 g=223 type=byte
$(base_data_arch)/usr/sdsc/tpage/startdaemon
    dest=/usr/sdsc/tpage/startdaemon
    m=0755 o=28387 g=223 type=byte
# $(base_data_arch)/usr/sdsc/tpage/table
# dest=/usr/sdsc/tpage/table
# m=0644 o=28387 g=223 type=byte
$(base_data_arch)/usr/sdsc/tpage/tpaged
    dest=/usr/sdsc/tpage/tpaged
    m=0755 o=28387 g=223 type=byte
$(base_data_arch)/usr/sdsc/tpage/bin/tpage
    dest=/usr/sdsc/tpage/bin/tpage
    m=0755 o=28387 g=223 type=byte
$(base_data_arch)/usr/sdsc/tpage/bin/tpageq
    dest=/usr/sdsc/tpage/bin/tpageq
    m=0755 o=28387 g=223 type=byte
$(base_data_arch)/usr/sdsc/tpage/ixocico
    dest=/usr/sdsc/tpage/ixocico
    m=0755 o=28387 g=223 type=byte
$(base_data_arch)/usr/sdsc/tpage/tpage-startdaemon
    dest=/usr/sdsc/tpage/tpage-startdaemon
    m=0755 o=28387 g=223 type=byte
# NOTE(review): m=5755 is setuid + sticky, owned by uid 28387; every other
# tpage program here is 0755. Confirm the setuid bit is intended and not a
# typo for 0755 (or 4755 if tpage really must run as that uid).
$(base_data_arch)/usr/sdsc/tpage/tpage-generate_table
    dest=/usr/sdsc/tpage/tpage-generate_table
    m=5755 o=28387 g=223 type=byte
# $(base_data_arch)/usr/sdsc/tpage/tpage.sendmail.cf
# dest=/etc/sendmail.cf
# m=0644 o=$(owner) g=$(group2) type=byte
# $(base_data_arch)/usr/sdsc/tpage/tpage.crontab
# dest=/var/spool/cron/crontabs/tpage
# m=0444 o=$(owner) g=$(group2) type=byte

loghost::
$(base_data_arch)/usr/sdsc/lib/newsyslog.loghost
    dest=/usr/sdsc/lib/newsyslog
    m=0755 o=$(owner) g=$(group2) type=byte

!loghost::
$(base_data_arch)/usr/sdsc/lib/newsyslog
    dest=/usr/sdsc/lib/newsyslog
    m=0755 o=$(owner) g=$(group2) type=byte

webfarm|torah|castor|pollux|nbcr1::
$(base_data_arch)/etc/init.d/www
    dest=/etc/init.d/www
    m=0744 o=$(owner) g=$(group) type=byte

webfarm1::
$(base_data_arch)/etc/init.d/dynaweb
    dest=/etc/init.d/dynaweb
    m=0744 o=$(owner) g=$(group) type=byte

webfarm2|webfarm8::
$(base_data_arch)/etc/init.d/sybase.ndb
    dest=/etc/init.d/sybase.ndb
    m=0744 o=$(owner) g=$(group) type=byte

starfire::
$(base_data_arch)/etc/init.d/mathlm
    dest=/etc/init.d/mathlm
    m=0744 o=$(owner) g=$(group) type=byte
# for Adobe FrameMaker License Server
$(base_data_arch)/etc/init.d/fmfls
    dest=/etc/init.d/fmfls
    m=0744 o=$(owner) g=$(group) type=byte

shovel::
$(base_data_arch)/etc/init.d/lprng
    dest=/etc/init.d/lprng
    m=0744 o=$(owner) g=$(group) type=byte

capsun::
$(common)/etc/etalk.local
    dest=/etc/etalk.local
    m=0644 o=$(owner) g=$(group) type=byte
$(base_data_arch)/etc/init.d/cap
    dest=/etc/init.d/cap
    m=0644 o=$(owner) g=$(group) type=byte

billthecat::
$(base_images_arch)/usr/sdsc/etc/gnufingerserver
    dest=/usr/sdsc/etc/gnufingerserver
    m=755 o=$(owner) g=$(group) type=byte
$(base_data_arch)/etc/init.d/gnufinger
    dest=/etc/init.d/gnufinger
    m=744 o=$(owner) g=$(group) type=byte

#######################################
### Special cases of standard files ###
#######################################
# Exactly one inetd.conf variant should match each host: the per-class
# rules below are excluded one by one from the generic "!foreign...." rule,
# so a new class added here must also be added to that exclusion list.

e10k_ssp::
$(base_data_arch)/etc/inetd.conf.ssp
    dest=/etc/inet/inetd.conf
    m=0644 o=$(owner) g=$(group) type=byte define=cmd_hup_inetd

e10k::
$(base_data_arch)/etc/inetd.conf.e10k
    dest=/etc/inet/inetd.conf
    m=0644 o=$(owner) g=$(group) type=byte define=cmd_hup_inetd

anonftp::
$(base_data_arch)/etc/inetd.conf.anonftp
    dest=/etc/inet/inetd.conf
    m=0644 o=$(owner) g=$(group) type=byte define=cmd_hup_inetd

pop_server::
$(base_data_arch)/etc/inetd.conf.popper
    dest=/etc/inet/inetd.conf
    m=0644 o=$(owner) g=$(group) type=byte define=cmd_hup_inetd

hpc::
$(base_data_arch)/etc/inetd.conf.sun_hpc
    dest=/etc/inet/inetd.conf
    m=0644 o=$(owner) g=$(group) type=byte define=cmd_hup_inetd

solaris_bootserver::
$(base_data_arch)/etc/inetd.conf.solaris_bootserver
    dest=/etc/inet/inetd.conf
    m=0644 o=$(owner) g=$(group) type=byte define=cmd_hup_inetd

extra_security::
$(base_data_arch)/etc/inetd.conf.extra_security
    dest=/etc/inet/inetd.conf
    m=0644 o=$(owner) g=$(group) type=byte define=cmd_hup_inetd
# disable execution of rpcbind on extra_security systems
# (same binary as the !extra_security rule, installed without execute bits;
# /usr/sbin/rpcbind is a link to it, see links: any::)
$(base_images_arch)/usr/sdsc/etc/rpcbind
    dest=/usr/sdsc/etc/rpcbind
    m=644 o=$(owner) g=$(group) type=byte define=cmd_restart_rpcbind

billthecat|flenser|hpcmail::
$(base_data_arch)/etc/inetd.conf.$(host)
    dest=/etc/inet/inetd.conf
    m=0644 o=$(owner) g=$(group) type=byte define=cmd_hup_inetd

!foreign.!extra_security.!billthecat.!hpc.!pop_server.!e10k_ssp.!hpcmail.!e10k.!flenser.!anonftp.!solaris_bootserver::
$(base_data_arch)/etc/inetd.conf
    dest=/etc/inet/inetd.conf
    m=0644 o=$(owner) g=$(group) type=byte define=cmd_hup_inetd

!extra_security::
$(base_images_arch)/usr/sdsc/etc/rpcbind
    dest=/usr/sdsc/etc/rpcbind
    m=755 o=$(owner) g=$(group) type=byte define=cmd_restart_rpcbind

# root crontabs: one variant per host class, 0640 so only root reads the
# job list. As with inetd.conf, the generic rule excludes every class that
# has its own variant.
ca|doctor|shovel|webfarm4::
$(base_data_arch)/var/spool/cron/crontabs/root.$(host)
    dest=/var/spool/cron/crontabs/root
    m=0640 o=$(owner) g=$(group) type=byte

webfarm.!webfarm4|nbcr1::
$(base_data_arch)/var/spool/cron/crontabs/root.webfarm
    dest=/var/spool/cron/crontabs/root
    m=0640 o=$(owner) g=$(group) type=byte

e10k|e10k_ssp::
$(base_data_arch)/var/spool/cron/crontabs/root.e10k
    dest=/var/spool/cron/crontabs/root
    m=0640 o=$(owner) g=$(group) type=byte

dns_server::
$(base_data_arch)/var/spool/cron/crontabs/root.dns_server
    dest=/var/spool/cron/crontabs/root
    m=0640 o=$(owner) g=$(group) type=byte

tpage_gateway::
$(base_data_arch)/var/spool/cron/crontabs/root.tpage_gateway
    dest=/var/spool/cron/crontabs/root
    m=0640 o=$(owner) g=$(group) type=byte

# the root crontab files on castor and pollux are managed in cf.rcsb
!ca.!doctor.!shovel.!webfarm.!nbcr1.!e10k.!e10k_ssp.!dns_server.!tpage_gateway.!castor.!pollux::
$(base_data_arch)/var/spool/cron/crontabs/root
    dest=/var/spool/cron/crontabs/root
    m=0640 o=$(owner) g=$(group) type=byte

spirit::
$(base_data_arch)/var/spool/cron/crontabs/kcback.spirit
    dest=/var/spool/cron/crontabs/kcback
    m=0640 o=$(owner) g=$(group) type=byte
$(base_data_arch)/var/spool/cron/crontabs/rmtback.spirit
    dest=/var/spool/cron/crontabs/rmtback
    m=0640 o=$(owner) g=$(group) type=byte

# Because of IPv6 issues, Solaris8 needs its own inetinit at least
# for the time being
!ghost.!sunos_5_8::
$(base_data_arch)/etc/init.d/inetinit
    dest=/etc/init.d/inetinit
    m=0744 o=$(owner) g=$(group) type=byte

ghost::
$(base_data_arch)/etc/routes.$(host)
    dest=/etc/routes
    m=0544 o=$(owner) g=$(group) type=byte
$(base_data_arch)/etc/init.d/inetinit.static_routes
    dest=/etc/init.d/inetinit
    m=0544 o=$(owner) g=$(group) type=byte

# sendmail: the binary is setuid root (4755) on every host; mailhubs get a
# server init script and a per-host binary.
!mailhub::
$(base_data_arch)/etc/init.d/sendmail
    dest=/etc/init.d/sendmail
    m=0744 o=$(owner) g=$(group) type=byte
$(base_images_arch)/usr/lib/sendmail
    dest=/usr/lib/sendmail
    m=4755 o=$(owner) g=$(group) type=byte

mailhub::
$(base_data_arch)/etc/init.d/sendmail.server
    dest=/etc/init.d/sendmail
    m=0744 o=$(owner) g=$(group) type=byte
$(base_images_arch)/usr/lib/sendmail.$(host)
    dest=/usr/lib/sendmail
    m=4755 o=$(owner) g=$(group) type=byte

hpcmail::
$(base_data_arch)/etc/init.d/xnewud
    dest=/etc/init.d/xnewud
    m=0744 o=$(owner) g=$(group) type=byte

postal::
$(base_data_arch)/usr/sdsc/etc/generate-aliaseshpc
    dest=/usr/sdsc/etc/generate-aliaseshpc
    m=0755 o=$(owner) g=$(group) type=byte
$(common)/usr/sdsc/etc/cfengine_mail_filter
    dest=/usr/sdsc/etc/cfengine_mail_filter
    m=0755 o=$(owner) g=$(group) type=byte
# restart_daemon: cron /var/spool/cron/crontabs/* SS
$(base_data_arch)/var/spool/cron/crontabs/daemon.postal
    dest=/var/spool/cron/crontabs/daemon
    m=0444 o=$(owner) g=$(group) type=byte
$(base_data_arch)/var/spool/cron/crontabs/majordomo.postal
    dest=/var/spool/cron/crontabs/majordomo
    m=0444 o=$(owner) g=$(group) type=byte

keni|miki::
$(base_data_arch)/etc/nsswitch.conf.ssp
    dest=/etc/nsswitch.conf
    m=0644 o=$(owner) g=$(group) type=byte

!keni.!miki::
$(base_data_arch)/etc/nsswitch.conf
    dest=/etc/nsswitch.conf
    m=0644 o=$(owner) g=$(group) type=byte

vvm::
$(common)/etc/rc2.d/S96vmsa-server
    dest=/etc/rc2.d/S96vmsa-server
    m=0644 o=$(owner) g=$(group) type=byte

f5::
$(base_data_arch)/etc/defaultrouter.f5
    dest=/etc/defaultrouter
    m=0644 o=$(owner) g=$(group) type=byte

acct::
# process accounting scripts, owned bin:bin like the stock Solaris ones
$(common)/usr/lib/acct/roll_log
    dest=/usr/lib/acct/roll_log
    m=0755 o=bin g=bin type=byte
$(common)/var/spool/cron/crontabs/timecard
    dest=/var/spool/cron/crontabs/timecard
    m=0444 o=bin g=bin type=byte
$(base_data_arch)/usr/lib/acct/runacct.sdsc
    dest=/usr/lib/acct/runacct
    m=0755 o=bin g=bin type=byte
$(base_data_arch)/usr/lib/acct/acctcon.sdsc
    dest=/usr/lib/acct/acctcon
    m=0755 o=bin g=bin type=byte
$(base_data_arch)/usr/lib/acct/acctdisk.sdsc
    dest=/usr/lib/acct/acctdisk
    m=0755 o=bin g=bin type=byte
$(base_data_arch)/usr/lib/acct/acctmerg.sdsc
    dest=/usr/lib/acct/acctmerg
    m=0755 o=bin g=bin type=byte
$(base_data_arch)/usr/lib/acct/acctprc.sdsc
    dest=/usr/lib/acct/acctprc
    m=0755 o=bin g=bin type=byte
$(base_data_arch)/usr/lib/acct/runacct.local
    dest=/usr/lib/acct/runacct.local
    m=0755 o=bin g=bin type=byte
$(base_data_arch)/usr/lib/acct/prettyprint.tacct
    dest=/usr/lib/acct/prettyprint.tacct
    m=0755 o=bin g=bin type=byte

### lsof is instruction set dependent.
# for 64bit binary
64bit::
$(base_data_arch)/usr/sdsc/etc/lsof_64bit
    dest=/usr/sdsc/etc/lsof
    m=755 o=$(owner) g=$(group) type=byte
$(base_images_arch)/usr/sdsc/man/man1/lsof.1
    dest=/usr/sdsc/man/man1/lsof.1
    m=644 o=$(owner) g=$(group) type=byte

# for rest of
!64bit::
$(base_images_arch)/usr/sdsc/etc/lsof
    dest=/usr/sdsc/etc/lsof
    m=755 o=$(owner) g=$(group) type=byte
$(base_images_arch)/usr/sdsc/man/man1/lsof.1
    dest=/usr/sdsc/man/man1/lsof.1
    m=644 o=$(owner) g=$(group) type=byte

# networking
# Because of IPv6, Solaris8 needs its own protocols file.
!sunos_5_8::
$(base_data_arch)/etc/protocols
    dest=$(etcinet)/protocols
    m=0644 o=$(owner) g=$(group) type=byte

# kernel tunables: per-host /etc/system for the listed hosts, the generic
# one everywhere else (castor/pollux/e10k* are managed elsewhere).
afs|nbcr1|spirit|catharsis|pia|aith|torah|topflop|elmak::
$(base_data_arch)/etc/system.$(host)
    dest=/etc/system
    m=0644 o=$(owner) g=$(group) type=byte

!afs.!nbcr1.!spirit.!catharsis.!pia.!aith.!torah.!topflop.!elmak.!e10k.!e10k_ssp.!castor.!pollux::
$(base_data_arch)/etc/system
    dest=/etc/system
    m=0644 o=$(owner) g=$(group) type=byte

# Temp fix for Solaris ping exploit. Needs to be modified to put the
# original ping (/usr/sbin/exploitable.ping) back in the right place before
# we run Sun's patch, whenever it comes out.
# The vendor ping keeps running as a non-setuid (0511) copy; the setuid
# (4555) wrapper is what /usr/sbin/ping links to (see links: above).
sunos_5_5|sunos_5_5_1::
$(base_data_arch)/usr/sbin/exploitable.ping
    dest=/usr/sbin/exploitable.ping
    m=0511 o=$(owner) g=$(group) type=byte
$(base_data_arch)/usr/sbin/ping_wrapper
    dest=/usr/sbin/ping_wrapper
    m=4555 o=$(owner) g=$(group) type=byte
# $(base_data_arch)/usr/sbin/ping
# dest=/usr/sbin/ping
# m=4555 o=$(owner) g=$(group) type=byte

#######################################
### Standard files for all machines ###
#######################################
any::
# ibm-dx
$(common)/etc/ncs/glb_site.txt
    dest=/etc/ncs/glb_site.txt
    m=0644 o=0 g=0 type=byte

# sar accounting script
$(common)/usr/sdsc/etc/sa1.sdsc
    dest=/usr/sdsc/etc/sa1.sdsc
    m=0755 o=$(owner) g=$(group) type=byte

# basic system config files
$(base_data_arch)/etc/login.csh
    dest=/etc/.login
    m=0644 o=$(owner) g=$(group) type=byte
$(base_data_arch)/etc/default/init
    dest=/etc/default/init
    m=0555 o=$(owner) g=$(group2) type=byte
$(base_data_arch)/etc/default/login
    dest=/etc/default/login
    m=0444 o=$(owner) g=$(group) type=byte
$(base_data_arch)/etc/mail/mailx.rc
    dest=/etc/mail/mailx.rc
    m=0644 o=$(owner) g=$(group2) type=byte
$(base_data_arch)/usr/share/lib/termcap
    dest=/usr/share/lib/termcap
    m=0644 o=$(owner) g=$(group) type=byte

# modified startup files
$(common)/cfengine_wrapper
    dest=/etc/init.d/cfengine
    m=0744 o=$(owner) g=$(group) type=byte
$(base_data_arch)/etc/init.d/cron
    dest=/etc/init.d/cron
    m=0744 o=$(owner) g=$(group) type=byte
$(base_data_arch)/etc/init.d/notify
    dest=/etc/init.d/notify
    m=0744 o=$(owner) g=$(group) type=byte
$(base_data_arch)/etc/init.d/rpc
    dest=/etc/init.d/rpc
    m=0744 o=$(owner) g=$(group) type=byte
$(base_data_arch)/etc/init.d/ssh
    dest=/etc/init.d/ssh
    m=0744 o=$(owner) g=$(group) type=byte
$(base_data_arch)/etc/init.d/syslog
    dest=/etc/init.d/syslog
    m=0744 o=$(owner) g=$(group) type=byte
$(base_data_arch)/etc/init.d/xntp
    dest=/etc/init.d/xntp
    m=0744 o=$(owner) g=$(group) type=byte

# SysV su doesn't check gid
# keysu is the group-checking su replacement; setuid root by necessity.
$(base_images_arch)/usr/sdsc/bin/keysu
    dest=/sbin/keysu
    m=4755 o=$(owner) g=$(group) type=byte

# SDSC specific binaries and replacements for standard system binaries
# xhost and manpage
$(base_images_arch)/usr/sdsc/bin/xhost
    dest=/usr/sdsc/bin/xhost
    m=755 o=$(owner) g=$(group) type=byte
$(base_images_arch)/usr/sdsc/man/man1/xhost.1
    dest=/usr/sdsc/man/man1/xhost.1
    m=644 o=$(owner) g=$(group) type=byte

# To make automatic pkgadds easier
$(base_data_arch)/var/sadm/install/admin/sdsc_refsys_install
    dest=/var/sadm/install/admin/sdsc_refsys_install
    m=444 o=$(owner) g=$(group) type=byte

# this is for pushing out the new xlock and its support stuff
# (xlock is setuid root so it can read /etc/shadow to verify the password)
$(base_images_arch)/usr/sdsc/bin/xlock
    dest=/usr/sdsc/bin/xlock
    m=4755 o=$(owner) g=$(group) type=byte
$(base_images_arch)/usr/sdsc/bin/xmlock
    dest=/usr/sdsc/bin/xmlock
    m=755 o=$(owner) g=$(group) type=byte
$(base_data_arch)/usr/openwin/lib/app-defaults/XLock
    dest=/usr/openwin/lib/app-defaults/XLock
    m=644 o=$(owner) g=$(group) type=byte
$(base_data_arch)/usr/openwin/lib/app-defaults/XmLock
    dest=/usr/openwin/lib/app-defaults/XmLock
    m=644 o=$(owner) g=$(group) type=byte
$(base_data_arch)/usr/openwin/man/man1/xlock.1
    dest=/usr/openwin/man/man1/xlock.1
    m=644 o=$(owner) g=$(group) type=byte
# put the original xlock in sdsc area until the permanent replacement
# is ready
# $(base_images_arch)/usr/openwin/bin/xlock.FCS
# dest=/usr/sdsc/bin/xlock
# m=4755 o=$(owner) g=$(group) type=byte

# Top, the system monitor program. Only let root use it (for now, at least).
$(base_images_arch)/usr/sdsc/etc/top
    dest=/usr/sdsc/etc/top
    m=755 o=$(owner) g=$(group) type=byte

# Proctool and pmon, system monitoring package. Only let root use it.
# Note: these are built for Solaris 2.5.x. This entry should be moved
# into the cf.solaris2.5.x configuration files at a later time.
# $(base_images_arch)/usr/sdsc/etc/proctool
# dest=/usr/sdsc/etc/proctool
# m=755 o=$(owner) g=$(group) type=byte
# $(base_images_arch)/usr/sdsc/etc/pmon
# dest=/usr/sdsc/etc/pmon
# m=755 o=$(owner) g=$(group) type=byte

# probesys (a.k.a sysinfo)
$(base_data_arch)/etc/init.d/probesys
    dest=/etc/init.d/probesys
    m=744 o=$(owner) g=$(group) type=byte

# patchdiag program
$(base_images_arch)/usr/sdsc/bin/patchdiag.sparc
    dest=/usr/sdsc/bin/patchdiag.sparc
    m=555 o=$(owner) g=$(group) type=byte
$(base_images_arch)/usr/sdsc/bin/timelocal.pl
    dest=/usr/sdsc/bin/timelocal.pl
    m=644 o=$(owner) g=$(group) type=byte

# Temp fix for Solaris ps exploit. Needs to be modified to put the
# original ps (/usr/bin/exploitable.ps) back in the right place before
# we run Sun's patch, whenever it comes out.
# $(base_data_arch)/usr/bin/exploitable.ps
# dest=/usr/bin/exploitable.ps
# m=0511 o=$(owner) g=$(group) type=byte
# $(base_data_arch)/usr/bin/ps_wrapper
# dest=/usr/bin/ps_wrapper
# m=4555 o=$(owner) g=$(group) type=byte

##############################################################
##############################################################
# editfiles: in-place edits; each { } block names one file.
editfiles:

# check cfengine.conf for the order of editfiles.basics
basics.solaris::
{ /etc/rmmount.conf
HashCommentLinesContaining "action_filemgr.so"
}

# 100083 is the ToolTalk database server (rpc.ttdbserverd) and 100068 the
# calendar manager (rpc.cmsd); commenting them out of inetd.conf stops both
# RPC services from being started on demand.
{ /etc/inet/inetd.conf
HashCommentLinesContaining "100083"
HashCommentLinesContaining "100068"
}

basics.banzai::
{ /etc/inet/hosts
AppendIfNoSuchLine "192.168.1.2 teramw"
AppendIfNoSuchLine "192.168.1.3 happi"
}

##############################################################
##############################################################
# shellcommands: run as root by cfengine; exitcommands run at the end of
# the pass.
shellcommands:

exitcommands::
"/sdsc/admin/refsys/Data/cfengine/scripts/patchcheck"

#rebuild windex files - but only when it is Saturday
exitcommands.Saturday::
"/usr/lib/makewhatis /usr/share/man"
"/usr/lib/makewhatis /usr/sdsc/man"
"/usr/openwin/man/makewhatis /usr/openwin/man"

# restart any daemons that have had config files modified
# (driven by the "restart_daemon:" comments described in the header)
!sunos_5_7::
"/sdsc/admin/refsys/Data/cfengine/scripts/restart_daemons solaris $(class)"

shovel::
"/usr/local/apps/lprng/bin/lpc lpd hup"

storagearray::
"/sdsc/admin/refsys/Data/cfengine/scripts/install_solaris_packages SUNWassa /sdsc/admin/refsys/Images/sparc-sun-solaris2.5.1/2.5.1_SSA_PKGS "
"/sdsc/admin/refsys/Data/cfengine/scripts/install_solaris_packages SUNWvmman /sdsc/admin/refsys/Images/sparc-sun-solaris2.5.1/2.5.1_SSA_PKGS "
"/sdsc/admin/refsys/Data/cfengine/scripts/install_solaris_packages SUNWvxva /sdsc/admin/refsys/Images/sparc-sun-solaris2.5.1/2.5.1_SSA_PKGS "
"/sdsc/admin/refsys/Data/cfengine/scripts/install_solaris_packages SUNWvxvm /sdsc/admin/refsys/Images/sparc-sun-solaris2.5.1/2.5.1_SSA_PKGS "

disksuite::
# Should reboot machine after installing disksuite
# DiskSuite 4.2
"/sdsc/admin/refsys/Data/cfengine/scripts/install_solaris_packages SUNWmd /sdsc/admin/refsys/Images/sparc-sun-solaris7/disksuite_4_2/sparc responses/SUNWmd.any"
"/sdsc/admin/refsys/Data/cfengine/scripts/install_solaris_packages SUNWmdg /sdsc/admin/refsys/Images/sparc-sun-solaris7/disksuite_4_2/sparc responses/SUNWmdg.any"
"/sdsc/admin/refsys/Data/cfengine/scripts/install_solaris_packages SUNWmdn /sdsc/admin/refsys/Images/sparc-sun-solaris7/disksuite_4_2/sparc responses/SUNWmdn.any"
# DiskSuite 4.0
# "/sdsc/admin/refsys/Data/cfengine/scripts/install_solaris_packages SUNWmd /sdsc/admin/refsys/Images/sparc-sun-solaris2.5/disksuite_4_0 responses/SUNWmd.any"
#
# "/sdsc/admin/refsys/Data/cfengine/scripts/install_solaris_packages SUNWmdg /sdsc/admin/refsys/Images/sparc-sun-solaris2.5/disksuite_4_0/ responses/SUNWmdg.any"
#
# "/sdsc/admin/refsys/Data/cfengine/scripts/install_solaris_packages SUNWabmd /sdsc/admin/refsys/Images/sparc-sun-solaris2.5/disksuite_4_0 responses/SUNWabmd.any"

# processes: only active when the named class was defined by a copy: or
# links: rule above (define=cmd_hup_inetd / define=cmd_restart_rpcbind),
# i.e. only after the corresponding file actually changed.
processes:

cmd_hup_inetd::
# The spaces inside the quotes anchor the ps-output match to the bare
# command " /usr/sbin/inetd " (presumably to avoid matching arguments that
# merely contain the path - confirm). matches=1 asks cfengine to warn when
# the number of matching processes is not exactly one.
" /usr/sbin/inetd " matches=1 signal=hup

cmd_restart_rpcbind::
"rpcbind" signal=term inform=off restart "/etc/init.d/rpc restart"

##############################################################
##############################################################
# disable: rename the file out of the way (cfengine keeps a .cfdisabled
# copy) so it can no longer be executed or read by its consumer.
disable:

#Had to add back a single krb4 library to make the HPC software work
#Sun is working on allowing us to remove it.
# added by jeffknee on 10/02/97
!hpc::
/usr/lib/libkrb.so.1
/usr/lib/libkrb.a
/usr/lib/libkrb.so

sunos_5_6|sunos_5_7::
/etc/rc2.d/S98probesys
/etc/rc2.d/S80spc

!acct::
# use disable instead of tidy for these, so restart script
# has files to work with
# restart_daemon: cron /var/spool/cron/crontabs/* SS
/var/spool/cron/crontabs/adm

any::
# unused system crontabs, and sadmind (the Solstice AdminSuite RPC daemon)
/var/spool/cron/crontabs/sys
/var/spool/cron/crontabs/uucp
/usr/sbin/sadmind

# remove all krb4 files
/etc/krb.conf
/etc/krb.realms
/usr/bin/kdestroy
/usr/bin/kinit
/usr/bin/klist
/usr/bin/ksrvtgt
/usr/lib/sendmail.hf
/usr/sbin/kerbd
/usr/share/man/man1/kdestroy.1
/usr/share/man/man1/kerberos.1
/usr/share/man/man1/kinit.1
/usr/share/man/man1/klist.1
/usr/share/man/man1/ksrvtgt.1
/usr/share/man/man1m/kerbd.1m
/usr/share/man/man3n/kerberos.3n
/usr/share/man/man3n/kerberos_rpc.3n
/usr/share/man/man3n/krb_get_admhst.3n
/usr/share/man/man3n/krb_get_cred.3n
/usr/share/man/man3n/krb_get_krbhst.3n
/usr/share/man/man3n/krb_get_lrealm.3n
/usr/share/man/man3n/krb_get_phost.3n
/usr/share/man/man3n/krb_kntoln.3n
/usr/share/man/man3n/krb_mk_err.3n
/usr/share/man/man3n/krb_mk_req.3n
/usr/share/man/man3n/krb_mk_safe.3n
/usr/share/man/man3n/krb_net_read.3n
/usr/share/man/man3n/krb_net_write.3n
/usr/share/man/man3n/krb_rd_err.3n
/usr/share/man/man3n/krb_rd_req.3n
/usr/share/man/man3n/krb_rd_safe.3n
/usr/share/man/man3n/krb_realmofhost.3n
/usr/share/man/man3n/krb_recvauth.3n
/usr/share/man/man3n/krb_sendauth.3n
/usr/share/man/man3n/krb_set_key.3n
/usr/share/man/man3n/krb_set_tkt_string.3n
/usr/share/man/man4/krb.conf.4
/usr/share/man/man4/krb.realms.4

# remove old proctool files
/usr/sdsc/etc/proctool
/usr/sdsc/etc/pmon

##############################################################
##############################################################
# directories: create if missing and enforce mode/ownership.
directories:

tpage_gateway::
/usr/sdsc/tpage m=0755 o=28387 g=223
/usr/sdsc/tpage/bin m=0755 o=28387 g=223
/var/spool/pqueue m=0755 o=28387 g=223
/usr/spool/uucp m=0775 o=5 g=223

#billthecat is the gnufinger server and needs the fingerdir directory
# NOTE(review): 0644 on a directory has no search (x) bit, so nobody but
# root can enter it; 0755 is the usual intent - confirm.
billthecat::
/etc/fingerdir m=0644 o=root g=root

any::
/usr/adm/sa m=0775 o=root g=sys
/etc/ncs m=0755 o=root g=root

#
# note - current version of cfengine (1.3.6) does not allow
# macros in this clause !! --tep 6/19/1997
#
# NOTE(review): m=2755 sets the setgid bit on /etc (new files inherit
# group root); the other system directories here are plain 0755 - confirm
# the setgid bit is intended.
/etc m=2755 o=root g=root
/etc/init.d m=0755 o=root g=root
/etc/rc0.d m=0755 o=root g=root
/etc/rc1.d m=0755 o=root g=root
/etc/rc2.d m=0755 o=root g=root
/etc/rc3.d m=0755 o=root g=root
/etc/rcS.d m=0755 o=root g=root
/sbin m=0755 o=root g=root
/usr m=0755 o=root g=root
/usr/bin m=0755 o=root g=root
/usr/sbin m=0755 o=root g=root
/usr/ucb m=0755 o=root g=root
/dev m=0755 o=root g=root
/devices m=0755 o=root g=root
/mnt m=0755 o=root g=root
/opt m=0755 o=root g=root
/var m=0755 o=root g=root

##############################################################
##############################################################
# files: enforce mode/ownership on existing paths (action=fixall fixes
# mode and owner, fixplain only plain files, touch creates if missing;
# r=N recurses). This is the setuid/setgid baseline cfengine re-asserts
# on every run: a changed mode on any path listed here is repaired, but a
# setuid bit appearing on a path NOT listed here is not detected by these
# rules.
files:

basics::
/etc/notrouter m=0644 o=$(owner) g=other action=touch
/etc/shadow m=0400 o=$(owner) g=other action=fixplain
/usr/bin o=$(owner) g=$(group) r=1 action=fixall
# NOTE(review): wtmpx is listed twice (fixplain, then touch); the second
# line only matters when the file is missing - fold into one if cfengine
# warns about the duplicate.
/var/adm/wtmpx m=0644 o=adm g=adm action=fixplain
/var/adm/wtmpx m=0644 o=adm g=adm action=touch

# should really make dirs 700, not 711. Bug in cfengine? - henry
# /etc m=0755 o=$(owner) g=$(group) action=fixall
# /usr m=0755 o=$(owner) g=$(group) action=fixall
# /usr/ucb m=0755 o=$(owner) g=$(group) action=fixall

acct::
/usr/lib/acct/accton m=4750 o=root g=adm action=fixall

sunos_5_5|sunos_5_5_1::
/usr/bin/chkey m=4755 o=$(owner) g=$(group) action=fixall
/usr/bin/nispasswd m=0755 action=fixall
/usr/bin/uuname m=0755 o=$(owner) g=$(group) action=fixall

any::
# SDSC setuid programs
/sbin/keysu m=4755 o=$(owner) g=$(group) action=fixall

# original setuid programs
/usr/bin/crontab m=4755 o=$(owner) g=$(group) action=fixall
/usr/bin/eject m=4755 o=$(owner) g=$(group) action=fixall
/usr/bin/login m=4755 o=$(owner) g=$(group) action=fixall
/usr/bin/newgrp m=4755 o=$(owner) g=$(group) action=fixall
/usr/bin/rcp m=4755 o=$(owner) g=$(group) action=fixall
/usr/bin/rlogin m=4755 o=$(owner) g=$(group) action=fixall
/usr/bin/rsh m=4755 o=$(owner) g=$(group) action=fixall
/usr/bin/su m=4755 o=$(owner) g=$(group) action=fixall
/usr/bin/uptime m=4755 o=$(owner) g=$(group) action=fixall
/usr/bin/volcheck m=4755 o=$(owner) g=$(group) action=fixall
/usr/bin/w m=4755 o=$(owner) g=$(group) action=fixall
/etc/init.d/cfengine m=0744 o=$(owner) g=$(group) action=fixall

# cleanup some world or group-writable files: (97-0221,tep)
/usr/openwin/bin/rpc.cmsd m=755 o=$(owner) g=$(group) action=fixall
/usr/openwin/bin/rpc.ttdbserverd m=755 o=$(owner) g=$(group) action=fixall

# cleaning up some more interesting default permissions (23-01-98, kowallik)
/var/adm/vold.log m=0644 o=$(owner) g=$(group) action=fixall
# spellhist is deliberately left world-writable (spell(1) appends to it as
# the invoking user); review whether it is still needed.
/var/adm/spellhist m=0666 o=$(owner) g=$(group) action=fixall
/var/adm/messages m=0644 o=$(owner) g=$(group) action=fixall
/var/news m=0755 o=$(owner) g=$(group) action=fixall
/var/log/syslog m=0644 o=$(owner) g=$(group) action=fixall
/var/preserve m=0755 o=$(owner) g=$(group) action=fixall
/var/spool/pkg m=0755 o=$(owner) g=$(group) action=fixall
/var/sadm/install/.pkg.lock m=0644 o=$(owner) g=$(group) action=fixall

# original setgid programs
/usr/bin/netstat m=2755 g=sys action=fixall
/usr/bin/write m=2755 g=tty action=fixall
/usr/bin/ipcs m=2555 g=sys action=fixall
# /usr/lib/sendmail.hf action=fixall links=tidy
/usr/lib/sendmail m=4755 o=$(owner) g=$(group) action=fixall links=tidy

# set uid or set gid on distribution
# We don't use nis/yp
/usr/bin/yppasswd m=0755 action=fixall

# CERT Advisory CA-96.15 - kcms_c* are security holes if suid
/usr/openwin/bin/kcms_calibrate m=0755 action=fixall
/usr/openwin/bin/kcms_configure m=0755 action=fixall

# CERT Advisory CA-96.16 - admintool has security problems
/usr/bin/admintool m=0400 o=$(owner) g=$(group) action=fixall

# CERT Advisory VN-98.08 - ufsrestore and ufsdump buffer overflows
# (setuid bit stripped; 0555 leaves them runnable by root only in effect)
/usr/lib/fs/ufs/ufsdump m=0555 o=$(owner) g=$(group) action=fixall
/usr/lib/fs/ufs/ufsrestore m=0555 o=$(owner) g=$(group) action=fixall
/usr/lib/fs/ufs/quota m=0555 o=$(owner) g=$(group) action=fixall

# disable rdist
/usr/bin/rdist m=0400 action=fixall
# /usr/bin/rdist m=4755 action=fixall
# /usr/bin/ct m=4755 action=fixall
# /usr/bin/cu m=4755 action=fixall
# /usr/bin/tip m=4755 action=fixall
# /usr/bin/uucp m=4755 action=fixall
# /usr/bin/uuglist m=4755 action=fixall
# /usr/bin/uustat m=4755 action=fixall
# /usr/bin/uux m=4755 action=fixall

# at(1) (buffer overflow exploit) has been patched
/usr/bin/at m=4755 action=fixall

#
# unset uid ff.core
/usr/openwin/bin/ff.core m=0555 action=fixall

!lprng::
/usr/bin/lp m=4755 o=$(owner) g=$(group) action=fixall
/usr/bin/lpstat m=4755 o=$(owner) g=$(group) action=fixall
/usr/bin/lpset m=4755 o=$(owner) g=$(group) action=fixall
/usr/sbin/lpmove m=4755 o=$(owner) g=$(group) action=fixall
/var/spool/lp/fifos/FIFO m=0664 o=lp g=lp action=fixall

# disable execution of statd and lockd on extra_security systems
# (NFS lock/status daemons; removing the execute bits keeps the rc script
# from starting them)
extra_security::
/usr/lib/nfs/lockd m=0444 action=fixall
/usr/lib/nfs/statd m=0444 action=fixall

!extra_security::
/usr/lib/nfs/lockd m=0555 action=fixall
/usr/lib/nfs/statd m=0555 action=fixall

###
#
# END cf.solaris
#
###