Softpanorama

May the source be with you, but remember the KISS principle ;-)
Contents Bulletin Scripting in shell and Perl Network troubleshooting History Humor

Softpanorama Bulletin
Vol 15, No. 02 (April, 2003)

Bulletin 1998 1999 2000 2001 2002 2003 2004 2005 2006 2007
2008 2009 2010 2011 2012 2013 2014 2015 2016 2017 2018

Slightly Skeptical Notes on Titan

Nikolai Bezroukov

v.0.2

Titan (here is a download link) is a good collection of Solaris hardening scripts written in Borne shell. The only survivor in the harsh world of open source security scripts :-(.  IMHO it's very important that the author promotes KISS philosophy: Titan architecture is essentially the same architecture as the architecture of Unix startup sctips in system V: there is a central repository of modules and modules for a particular version of Os are linked to a central repositoty. The structure of scripts itself is also pretty similar they source a common functions and have three modes: help (i), check (v) and hardern (f). Here is how the author explains his design:

Some philosophy behind Titan

Titan was designed using the KISS module. ``Keep  It Simple Stupid''

At one time I built shell scripts that did all the fixes at one time. The trouble was that sometimes you wanted some things left alone so you ended up modifying the shell script (or C program) and commenting out some portions. Then when you went back to re-use the script the next time it was possible that I forgot that the script would leave that commented item enabled when *this* time you wanted it disabled. Thus no consistency.

Or you have the script ask before doing every change. This can be a pain and time consuming if you need to do multiple systems and are on a time limit like most of us usually are. Or want to run things from a crontab.

I abandoned these models in favor of short succinct set of scripts each of which did -one- and only one specific type of thing. Script names were picked that (mostly) made reference to what each module did. I have been hampered by porting to-from filesystems that restrict file name lengths at times (msdos for instance; ever try and copy files with names like disable_ip_forwarding.sh to a PC laptop and then back to a real system? arg!) Thus the names are kept reasonably short at the expense of loosing a descriptive name.

To write such set of scripts in Borne shell was rather strange decision if you know about availability of ksh and ksh93 (dtksh) in Solaris (you may put them into /root/bin is you are really paranoid). In almost 100% Solaris systems I saw ksh is installed.

Generally Titan can and should be considered to be a Cops derivative, but most modules are written by Brad M. Powell. Formal coauthors are Matthew Archibald and Dan Farmer (of Cops and Satan fame). But it looks like the last two were just for inspiration: in reality several other contributors provided most interesting modules :-)

As of Feb 1, 2001 the current version is 3.8. This is mostly a bug-fix for 3.7. Also 3.8 contain a newer fix-modes (the old one screwed Solaris 8 in a very interesting way :-) Among fixed modules are:

Attention: version 3.7 of Titan included an old version of fix-modes. God forbid using old version of fix-modes on Solaris 8. Update before running to the April 2000 version or you will  really have a chance to test your understanding of the Solaris ;-)

Titan does not go as far as YASSP and does not introduces any dynamic reconfiguration capabilities (which might be a good thing ;-). It does not helps to install TCP Wrappers, Tripwire and several other useful products, etc) but I think that this should a separate package anyway.  Like YASSP uses fix-mode for fixing permissions.

It's not perfect and does not do some very reasonable things (like changing directory for the user root to /root, instead of  archaic / setting that for some strange reason preserved in Solaris). Code quality is very uneven byte titan unlike all other tools I saw impose some discipline into modules and contain a template of module skeleton.

Titan checking mode can provide useful auditing information somewhat similar to Cops. Titan is a less demanding toward system administrator program and can be used in facilities with average sysadmins.  Actually TCP Wrappers can be installed using YASSP after running Titan.

Titan is highly recommended for administrators who know at least a little bit of scripting. See TITAN_documentation for more information. Here are some relevant quotes:

Titan is a collection of programs, each of which either fixes or tightens one or more potential security problems with a particular aspect in the setup or configuration of a Unix system. Conceived and created by Brad Powell, it was written in Bourne shell, and its simple modular design makes it trivial for anyone who can write a shell script or program to add to it, as well completely understand the internal workings of the system.

Titan does not replace other security tools, but when used in combination with them it can help make the transformation of a new, out of the box system into a firewall or security conscious system into a significantly easier task. In a nutshell, it attempts to help improve the security of the system it runs on.

... ... ...

Titan can help with all of these problems; its main design goals are:
 

Titan does not try to do all the other important things, like fix bugs, check for poor passwords, install patches, or check for COPS/Tiger/SATAN-like problems. But there is much more to security than that! And it is not meant to be run once and forgotten, nor should all Titan modules be run on all systems. But any system administrators that are concerned about security should have considered, if not resolved or fixed, a significant number (if not all) of the problems
that Titan covers on their security critical systems. Titan helps by being systematic about things. No longer do you need to wonder if you finished applying all your changes. Just run Titan -v and it will spit out all the things Titan thinks need hardening. 

History

Anyone working in security or systems administration who has been been around the Internet for any length of time has done it - making the same changes, over and over again, to secure a system. Worse yet, each new OS release would bring tiny, seemingly completely arbitrary changes that would invalidate prior work. And forget it when a new major release came out, or you had to work with another operating system altogether! And between the three of us we've ftp'd Crack, COPS, and other security programs from the net many thousands of times.

Eventually it became clear. I was not only making the same changes to the underlying OS over and over again to secure my system from attack (the many security exploits and investigations that are saved on my system make it a target), but also when building various firewall configurations (which is what I do for a living.) I was making the same changes over and over again. I started writing Titan almost in self defense - initially as a simple set of tools for my personal systems, but it also quickly proved a valuable sanity check for confirming consistency when building firewalls. Its next natural task was to use it when examining or auditing a system. Laziness is the best motivation there is - if I had to type those same commands manually  one more time...

Analyzing the security of a system is depressing - the same sets of problems always come up. Worse yet, these problems almost always can be easily fixed - so why aren't they? Worst of all, these problems keep coming up; if you don't find them the first time, wait a few months or a year, and they'll be there then. And it's not Sun - it's NEC,  it's HP, it's IBM,  yes, Linux too! It's everyone that has even a mildly complex system. Yes, even Microsoft.

So why do these same problems show up over and over and by different suppliers? Good question. I don't know exactly, but I do know that having a tool that can help ensure that your systems are consistent in your organization is a positive step in the right direction. Having a system consistently adhering to the security policy is perhaps the most valuable thing you can do to keeping it secure.

I'm often asked how to tighten down the OS when a firewall product gets installed. There is a reasonable expectation from the customer that after the firewall is installed that the system will not be compromised by an attack that is outside the scope of the firewall product. After all, aren't firewalls supposed to protect you? You wouldn't say it was okay to run my business on the Internet unless you could protect me, would you?

And it's true - it really is unreasonable to expect the user, a customer, to understand all, or even most (any? ;^}), of the security issues of running a system on the Internet. Why should they? Security isn't the goal of a business, making money is. However, this does place both the firewall vendor and security people in general in a rather awkward situation. Indeed, this probably scares firewall vendors more than anything else - the fact that their firewalls are failing because some user or administrator doesn't fix or upgrade an old version of a potentially vulnerable network service! I can no longer count the number of times I've heard "I didn't know leaving sendmail running on my firewall might make it vulnerable."

Titan tries to along with using some common sense on your part, and doing a minimum OS install, to build you a consistent, reproducible base install.  Making the system suitable to then install a firewall or other product and knowing that the underlying foundation isn't all sand.

What Titan is not.

Titan isn't a replacement for anything (period; end of discussion) Titan doesn't mean you no longer need to install vendors security patches (although it might save you in some cases if you didn't install a patch) Titan doesn't mean that you shouldn't install SKIP, openssh, smap, smrsh, tripwire, Tcp_wrappers, rpcbind, noshell, COPS, SATAN, TIGER, crack5, cracklib, or any of the other security tools you are (or should be) currently using but it should make the results of running COPS look shorter.

Titan works at the lower OS level to fix common configuration errors. Things like the user ``lp'' account having a valid shell and some administrator exporting /var/spool read-write via NFS so users can share an e-mail server.

If you can't guess, "/var/spool" is a home directory, and if user ``lp'' has a valid shell, a remote user can add in a rhosts entry to /var/spool and login as user ``lp''; oh and guess what? In some OS's the user ``lp'' is in a privileged group  (/etc is mode 775 in Solaris for instance) or owns a directory where root runs commands out of.

... ... ....

  • See the FAQ  Question number 4 on how to build a titan module and how a titan script is designed
  • Descriptions as to what each script does:


  • Etc

    FAIR USE NOTICE This site contains copyrighted material the use of which has not always been specifically authorized by the copyright owner. We are making such material available in our efforts to advance understanding of environmental, political, human rights, economic, democracy, scientific, and social justice issues, etc. We believe this constitutes a 'fair use' of any such copyrighted material as provided for in section 107 of the US Copyright Law. In accordance with Title 17 U.S.C. Section 107, the material on this site is distributed without profit exclusivly for research and educational purposes.   If you wish to use copyrighted material from this site for purposes of your own that go beyond 'fair use', you must obtain permission from the copyright owner. 

    ABUSE: IPs or network segments from which we detect a stream of probes might be blocked for no less then 90 days. Multiple types of probes increase this period.  

    Society

    Groupthink : Two Party System as Polyarchy : Corruption of Regulators : Bureaucracies : Understanding Micromanagers and Control Freaks : Toxic Managers :   Harvard Mafia : Diplomatic Communication : Surviving a Bad Performance Review : Insufficient Retirement Funds as Immanent Problem of Neoliberal Regime : PseudoScience : Who Rules America : Neoliberalism  : The Iron Law of Oligarchy : Libertarian Philosophy

    Quotes

    War and Peace : Skeptical Finance : John Kenneth Galbraith :Talleyrand : Oscar Wilde : Otto Von Bismarck : Keynes : George Carlin : Skeptics : Propaganda  : SE quotes : Language Design and Programming Quotes : Random IT-related quotesSomerset Maugham : Marcus Aurelius : Kurt Vonnegut : Eric Hoffer : Winston Churchill : Napoleon Bonaparte : Ambrose BierceBernard Shaw : Mark Twain Quotes

    Bulletin:

    Vol 25, No.12 (December, 2013) Rational Fools vs. Efficient Crooks The efficient markets hypothesis : Political Skeptic Bulletin, 2013 : Unemployment Bulletin, 2010 :  Vol 23, No.10 (October, 2011) An observation about corporate security departments : Slightly Skeptical Euromaydan Chronicles, June 2014 : Greenspan legacy bulletin, 2008 : Vol 25, No.10 (October, 2013) Cryptolocker Trojan (Win32/Crilock.A) : Vol 25, No.08 (August, 2013) Cloud providers as intelligence collection hubs : Financial Humor Bulletin, 2010 : Inequality Bulletin, 2009 : Financial Humor Bulletin, 2008 : Copyleft Problems Bulletin, 2004 : Financial Humor Bulletin, 2011 : Energy Bulletin, 2010 : Malware Protection Bulletin, 2010 : Vol 26, No.1 (January, 2013) Object-Oriented Cult : Political Skeptic Bulletin, 2011 : Vol 23, No.11 (November, 2011) Softpanorama classification of sysadmin horror stories : Vol 25, No.05 (May, 2013) Corporate bullshit as a communication method  : Vol 25, No.06 (June, 2013) A Note on the Relationship of Brooks Law and Conway Law

    History:

    Fifty glorious years (1950-2000): the triumph of the US computer engineering : Donald Knuth : TAoCP and its Influence of Computer Science : Richard Stallman : Linus Torvalds  : Larry Wall  : John K. Ousterhout : CTSS : Multix OS Unix History : Unix shell history : VI editor : History of pipes concept : Solaris : MS DOSProgramming Languages History : PL/1 : Simula 67 : C : History of GCC developmentScripting Languages : Perl history   : OS History : Mail : DNS : SSH : CPU Instruction Sets : SPARC systems 1987-2006 : Norton Commander : Norton Utilities : Norton Ghost : Frontpage history : Malware Defense History : GNU Screen : OSS early history

    Classic books:

    The Peter Principle : Parkinson Law : 1984 : The Mythical Man-MonthHow to Solve It by George Polya : The Art of Computer Programming : The Elements of Programming Style : The Unix Haterís Handbook : The Jargon file : The True Believer : Programming Pearls : The Good Soldier Svejk : The Power Elite

    Most popular humor pages:

    Manifest of the Softpanorama IT Slacker Society : Ten Commandments of the IT Slackers Society : Computer Humor Collection : BSD Logo Story : The Cuckoo's Egg : IT Slang : C++ Humor : ARE YOU A BBS ADDICT? : The Perl Purity Test : Object oriented programmers of all nations : Financial Humor : Financial Humor Bulletin, 2008 : Financial Humor Bulletin, 2010 : The Most Comprehensive Collection of Editor-related Humor : Programming Language Humor : Goldman Sachs related humor : Greenspan humor : C Humor : Scripting Humor : Real Programmers Humor : Web Humor : GPL-related Humor : OFM Humor : Politically Incorrect Humor : IDS Humor : "Linux Sucks" Humor : Russian Musical Humor : Best Russian Programmer Humor : Microsoft plans to buy Catholic Church : Richard Stallman Related Humor : Admin Humor : Perl-related Humor : Linus Torvalds Related humor : PseudoScience Related Humor : Networking Humor : Shell Humor : Financial Humor Bulletin, 2011 : Financial Humor Bulletin, 2012 : Financial Humor Bulletin, 2013 : Java Humor : Software Engineering Humor : Sun Solaris Related Humor : Education Humor : IBM Humor : Assembler-related Humor : VIM Humor : Computer Viruses Humor : Bright tomorrow is rescheduled to a day after tomorrow : Classic Computer Humor

    The Last but not Least


    Copyright © 1996-2016 by Dr. Nikolai Bezroukov. www.softpanorama.org was created as a service to the UN Sustainable Development Networking Programme (SDNP) in the author free time. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License.

    The site uses AdSense so you need to be aware of Google privacy policy. You you do not want to be tracked by Google please disable Javascript for this site. This site is perfectly usable without Javascript.

    Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.

    FAIR USE NOTICE This site contains copyrighted material the use of which has not always been specifically authorized by the copyright owner. We are making such material available to advance understanding of computer science, IT technology, economic, scientific, and social issues. We believe this constitutes a 'fair use' of any such copyrighted material as provided by section 107 of the US Copyright Law according to which such material can be distributed without profit exclusively for research and educational purposes.

    This is a Spartan WHYFF (We Help You For Free) site written by people for whom English is not a native language. Grammar and spelling errors should be expected. The site contain some broken links as it develops like a living tree...

    You can use PayPal to make a contribution, supporting development of this site and speed up access. In case softpanorama.org is down you can use the at softpanorama.info

    Disclaimer:

    The statements, views and opinions presented on this web page are those of the author (or referenced source) and are not endorsed by, nor do they necessarily reflect, the opinions of the author present and former employers, SDNP or any other organization the author may be associated with. We do not warrant the correctness of the information provided or its fitness for any purpose.

    Last modified: October, 11, 2015