EXAMPLES
These are examples from the article "Armoring Solaris"
 
 
 
Example A
This is an example of the /etc/issue file.
#cat /etc/issue
 
#
#
#  WARNING:  You must have specific authorization to access
#            this machine.  Unauthorized users will be logged,
#            monitored, and then shot on site!
#
#
 
 
 
 

 
Example B
This is an example of the /etc/ftpusers file.
#cat /etc/ftpusers

root
daemon
bin
sys
adm
lp
smtp
uucp
nuucp
listen
nobody
noaccess
nobody4
 
 
 
 
 

 
Example C
This is an example of part of the /etc/default/login file
 #head -12 /etc/default/login

#ident  "@(#)login.dfl  1.8     96/10/18 SMI"   /* SVr4.0 1.1.1.1       */
# Set the TZ environment variable of the shell.
#
#TIMEZONE=EST5EDT
# ULIMIT sets the file size limit for the login.  Units are disk blocks.
# The default of zero means no limit.
#
#ULIMIT=0
# If CONSOLE is set, root can only login on that device.
# Comment this line out to allow remote login by root.
#
CONSOLE=/dev/console
   
 
 
 
 
 
 
Example D
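This is an example of part of the /etc/inetd.conf file.  Unneeded services are commented out, and ftp and telnet are started through TCP Wrappers (tcpd) rather than directly.  tcpd controls and logs which hosts may connect; it does not encrypt the ftp or telnet session.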
#head -35 /etc/inetd.conf
 
#ident  "@(#)inetd.conf 1.27    96/09/24 SMI"   /* SVr4.0 1.5   */
#
#
# Configuration file for inetd(1M).  See inetd.conf(4).
#
# To re-configure the running inetd process, edit this file, then
# send the inetd process a SIGHUP.
#
# Syntax for socket-based Internet services:
#  <service_name> <socket_type> <proto> <flags> <user> <server_pathname> <args>
#
# Syntax for TLI-based Internet services:
#
#  <service_name> tli <proto> <flags> <user> <server_pathname> <args>
#
# Ftp and telnet are standard Internet services.
#
#ftp    stream  tcp     nowait  root    /usr/sbin/in.ftpd       in.ftpd
#telnet stream  tcp     nowait  root    /usr/sbin/in.telnetd    in.telnetd
#
# TCP Wrappers for Telnet and FTP
# Installed 7 June, 1998
#
ftp     stream  tcp     nowait  root    /usr/local/bin/tcpd     in.ftpd
telnet  stream  tcp     nowait  root    /usr/local/bin/tcpd     in.telnetd
#
# Tnamed serves the obsolete IEN-116 name server protocol.
#
#name   dgram   udp     wait    root    /usr/sbin/in.tnamed     in.tnamed
#
# Shell, login, exec, comsat and talk are BSD protocols.
#
#shell     stream  tcp     nowait  root    /usr/sbin/in.rshd       in.rshd
#login     stream  tcp     nowait  root    /usr/sbin/in.rlogind    in.rlogind
#exec   stream  tcp    nowait   root    /usr/sbin/in.rexecd    in.rexecd
#comsat dgram   udp    wait     root    /usr/sbin/in.comsat    in.comsat

 
 
 
 
 
Example E
This is an example of the /etc/syslog.conf file.  NOTE:  The selector and action fields in /etc/syslog.conf must be separated by tabs, not spaces; do not use the space bar!
#cat /etc/syslog.conf
 
#ident  "@(#)syslog.conf        1.4     96/10/11 SMI"   /* SunOS 5.0 */
#
# Copyright (c) 1991-1993, by Sun Microsystems, Inc.
#
# syslog configuration file.
#
# This file is processed by m4 so be careful to quote (`') names
# that match m4 reserved words.  Also, within ifdef's, arguments
# containing commas must be quoted.
#
*.err;kern.notice;auth.notice                  /dev/console
*.err;kern.debug;mail.crit,daemon.notice       /var/adm/messages
#
# Log all TCP Wrapper connections
#
local3.info                                    /var/adm/tcpdlog 
 
*.alert;kern.err;daemon.err                     operator
*.alert                                         root

*.emerg                                         *

# if a non-loghost machine chooses to have authentication messages
# sent to the loghost machine, un-comment out the following line:
#auth.notice                    ifdef(`LOGHOST', /var/log/authlog, @loghost)

mail.debug                      ifdef(`LOGHOST', /var/log/syslog, @loghost)

#
# non-loghost machines will use the following lines to cause "user"
# log messages to be logged locally.
#
ifdef(`LOGHOST', ,
user.err                                        /dev/console
user.err                                        /var/adm/messages
user.alert                                      `root, operator'
user.emerg                                      *
)

 
 
 
 
Example F
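This is an example of the access control lists for TCP Wrappers.  tcpd consults /etc/hosts.allow first and /etc/hosts.deny second, so the three hosts listed are allowed and every other host is denied.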
#cat /etc/hosts.allow
ALL: merlin,zeus,david: ALLOW

#cat /etc/hosts.deny
ALL:  ALL
 
 
 
 
 
 
Example G
This is an example of setting the TCP initial sequence number generation parameters in the file /etc/default/inetinit

#cat /etc/default/inetinit
# @(#)inetinit.dfl 1.2 97/05/08
#
# TCP_STRONG_ISS sets the TCP initial sequence number generation parameters.
# Set TCP_STRONG_ISS to be:
#   0 = Old-fashioned sequential initial sequence number generation.
#   1 = Improved sequential generation, with random variance in increment.
#   2 = RFC 1948 sequence number generation, unique-per-connection-ID.
#
TCP_STRONG_ISS=2
 
 
 
 
 
 
 
 
Example H
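 These commands set parameters for the IP module, /dev/ip.  ndd is the command used to set these parameters.  Values set with ndd last only until the next reboot, so the commands must also be run from a startup script to remain in effect.  For more information on ndd, see the ndd(1M) man page.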
 
ndd -set /dev/ip ip_respond_to_echo_broadcast 0
    System will not respond to ICMP echo requests sent to a broadcast address (such as 192.168.1.255).
 
ndd -set /dev/ip ip_forward_directed_broadcasts 0
    System will not forward (route) directed broadcast packets, including ICMP broadcast requests.
 
ndd -set /dev/ip ip_respond_to_timestamp 0
    System will not respond to timestamp requests.
 
ndd -set /dev/ip ip_respond_to_timestamp_broadcast 0
    System will not respond to broadcast timestamp requests.
 
ndd -set /dev/ip ip_forward_src_routed 0
    System will not forward (route) IP source-routed packets.
 
ndd -set /dev/ip ip_ignore_redirect 1
    System will ignore all ICMP redirects.