github.com/Arquivotheca.SunOS-4.1.4
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Arquivotheca.SunOS-4.1.4/usr.etc/C2conv.sh
seta75D ff309bfe1c Init
2021-10-11 18:37:13 -03:00

355 lines
7.7 KiB
Bash
Raw Blame History

#! /bin/sh
#
# @(#)C2conv.sh 1.1 94/10/31 SMI
#
# Copyright (c) 1987 by Sun Microsystems, Inc.
#
# Script to convert a SunOS system to C2 security.
#
BASE=""
EXECS="/usr"
ROOTS=""
CLIENTS=""
DEVICES=""
DIRECTORIES=""
FILESYSTEMS=""
OPTIONS=""
FLAGS="ad,lo,p0,p1"
MINFREE="20"
HOSTNAME=`hostname`
SYSADMIN=root@$HOSTNAME
#
# Should only be run by root
#
name=`whoami`
case "$name" in
"root" )
break;;
* )
echo "C2conv can only be run by root."
exit 1
break;;
esac
#
# Introduction
#
echo "You are about to run the C2conv program. Please read the C2 security"
echo "chapter in the System and Network Administration Manual if you have not"
echo "done so yet. This program generates a shell script before it actually"
echo "affects any files. You may cancel the installation by entering Control-C"
echo "at any prompt. At the end of the procedure, you will receive a final"
echo "confirmation before applying the changes. You may then abort the"
echo "procedure and examine the generated files."
echo ""
#
# Should be run single-user
#
while true; do
echo -n "Is the system in single-user mode? [y|n]: "
read RESPONSE;
case "$RESPONSE" in
"y" | "yes" )
#
# local audit and export filesystems must be mounted
#
mount -at 4.2
break;;
"n" | "no" )
echo "Aborting conversion."
echo "C2conv must be run in single-user mode."
exit 1
break;;
esac
done
#
# Non-root base can be specified in 2nd argument
#
if test $2
then
BASE=$2
fi
#
# Get mount options
#
while true; do
echo -n "Do you want audit file systems mounted using Secure NFS [y|n]: "
read RESPONSE;
case "$RESPONSE" in
"y" | "yes" )
OPTIONS="secure"
break;;
"n" | "no" )
break;;
esac
done
#
# Get the location of the clients' roots
#
while true; do
echo ""
echo -n "Is $HOSTNAME a server for diskless clients? [y|n]: "
read RESPONSE;
case "$RESPONSE" in
"y" | "yes" )
while true; do
echo -n " Enter path of clients' root (e.g. '/export/root'): "
read ROOTS;
if [ -d "$BASE""$ROOTS" ]
then
CLIENTS=`ls "$BASE""$ROOTS" | sed -e '/lost+found/d'`
CLIENTS=`echo $CLIENTS | sed -e 's/ */,/g'`
break
else
echo "'$BASE$ROOTS': no such directory"
fi
done
while true; do
echo " Enter path of additional architecture's executables "
echo -n " (e.g. '/export/execs/sun3') or 'done': "
read RESPONSE;
case "$RESPONSE" in
"/usr" )
;;
"done" )
break ;;
* )
if [ ! -d "$RESPONSE" ]
then
echo "'$RESPONSE': no such directory"
continue
fi
EXECS="$EXECS","$RESPONSE" ;;
esac
done
break ;;
"n" | "no" )
ROOTS=""
break ;;
esac
done
#
# Set up the default list of audit clients. Assume that the local set
# is it.
#
echo ""
while true; do
echo -n "Is $HOSTNAME an audit file server? [y|n]: "
read RESPONSE;
case "$RESPONSE" in
"y" | "yes" )
while true; do
echo -n " Enter audit device (e.g. 'xy1d'), or 'done': "
read RESPONSE;
case "$RESPONSE" in
"done" )
break ;;
* )
DEVICES="$DEVICES","$RESPONSE" ;;
esac
done
break ;;
"n" | "no" )
DEVICES=""
break ;;
esac
done
#
# Names of audit servers and file systems
#
echo ""
while true; do
echo -n "Enter name of remote audit file server, or 'done': "
read RESPONSE;
case "$RESPONSE" in
"done" )
break ;;
"" )
continue ;;
* )
while true; do
echo " Enter remote audit file system on $RESPONSE"
echo -n " (e.g. '/etc/security/audit/$RESPONSE'), or 'done': "
read RESPONSE1;
case "$RESPONSE1" in
"done" )
break ;;
* )
FILESYSTEMS="$FILESYSTEMS","$RESPONSE":"$RESPONSE1" ;;
esac
done
;;
esac
done
#
# Names of other directories to audit to
#
echo ""
while true; do
echo -n "Specify other audit directories or 'done': "
read RESPONSE
case "$RESPONSE" in
"done" )
break ;;
"" )
continue ;;
* )
DIRECTORIES="$DIRECTORIES","$RESPONSE" ;;
esac
done
if [ -n "$DIRECTORIES" -a -n "$CLIENTS" ]
then
echo ""
echo "Notice: Clients may require mounts for these directories."
fi
#
# Get audit flags
#
echo ""
echo "You are about to be asked to set the audit flags."
echo -n "Do you need a summary? [y|n]: "
read RESPONSE;
case "$RESPONSE" in
"y" | "yes" )
echo ""
echo "The audit flags specify which event classes are to be audited."
echo "Each flag identifies a single audit class. To specify more"
echo "than one flag, enter them as a comma-separated list. No spaces"
echo "are allowed in your answer."
echo ""
echo "The following table lists the audit classes:"
echo ""
echo " flag name short description"
echo ""
echo " dr Read of data, open for reading, etc."
echo " dw Write or modification of data"
echo " dc Creation or deletion of any object"
echo " da Change in object access (modes, owner)"
echo " lo Login, logout, creation by at(1)"
echo " ad Normal administrative operation"
echo " p0 Privileged operation"
echo " p1 Unusual privileged operation"
echo ""
echo "The following prefixes may be used as options:"
echo ""
echo " - audit for failure only"
echo " + audit for success only"
echo "(no prefix) audit for both successes and failures "
echo ""
echo "The default audit flags are '$FLAGS'"
echo ""
break;;
"n" | "no" )
break;;
esac
while true; do
echo -n "OK to use audit flags '$FLAGS'? [y|n]: "
read RESPONSE;
case "$RESPONSE" in
"y" | "yes" )
break;;
"n" | "no" )
echo -n "Enter audit flags (e.g. '-ad,p0,+lo'): "
read FLAGS;
FLAGS=`echo $FLAGS | sed 's/ //g'`
break;;
esac
done
#
# Get minfree value
#
while true; do
echo -n "OK to use soft disk space limit of 20%? [y|n]: "
read RESPONSE;
case "$RESPONSE" in
"y" | "yes" )
break;;
"n" | "no" )
echo -n "Enter soft limit percentage (e.g. '10'): "
read MINFREE;
break;;
esac
done
#
# Get notification list
#
while true; do
echo -n "OK to notify '$SYSADMIN' when administration is required? [y|n]: "
read RESPONSE;
case "$RESPONSE" in
"y" | "yes" )
break;;
"n" | "no" )
echo -n "Enter notification address (e.g. 'joe@capitale'): "
read SYSADMIN;
break;;
esac
done
#
#
#
rm -f C2conv_input C2conv_script
echo "base=$BASE" >> C2conv_input
echo "flags=$FLAGS" >> C2conv_input
echo "minfree=$MINFREE" >> C2conv_input
echo "sysadmin=$SYSADMIN" >> C2conv_input
echo "execs=`echo "$EXECS" | sed -e 's/^,//'`" >> C2conv_input
echo "roots=`echo "$ROOTS" | sed -e 's/^,//'`" >> C2conv_input
echo "clients=`echo "$CLIENTS" | sed -e 's/^,//'`" >> C2conv_input
echo "devices=`echo "$DEVICES" | sed -e 's/^,//'`" >> C2conv_input
echo "filesystems=`echo "$FILESYSTEMS" | sed -e 's/^,//'`" >> C2conv_input
echo "directories=`echo "$DIRECTORIES" | sed -e 's/^,//'`" >> C2conv_input
echo "options=`echo "$OPTIONS" | sed -e 's/^,//'`" >> C2conv_input
/usr/lib/c2convert < C2conv_input > C2conv_script
#
#
# Offer escape
#
while true; do
echo -n "Last chance to abort gracefully." \
" Do you want to continue? [y|n]: "
read RESPONSE;
case "$RESPONSE" in
"y" | "yes" )
sh C2conv_script
rm C2conv_script C2conv_input
#
# Set password for "audit" id
#
echo -n "Do you want to set a local password for 'audit'? [y|n]: "
read RESPONSE;
case "$RESPONSE" in
"y" | "yes" )
while true; do
echo "Setting password for 'audit' ..."
passwd audit
if test $? -eq 1
then
:
else
break
fi
done
break;;
"n" | "no" )
break;;
esac
echo "Some additional file systems may now be mounted."
break;;
"n" | "no" )
echo "Aborting conversion."
echo " Replies left in 'C2conv_input'. Script left in 'C2conv_script'."
echo "Some additional file systems may now be mounted."
exit 1
break;;
esac
done
Reference in New Issue View Git Blame Copy Permalink