One might reasonably contrast S4 with the "autoinstall" environment set
up here at UCI: http://www.oac.uci.edu/support/dcs/automation.
The goals appear to be quite similar: fix security holes and provide
services in a quick, consistent manner. We've chosen to focus on 100%
non-interactivity - all choices related to a machine's configuration are
recorded in various scripts, and there they remain, conveniently
available for future upgrades and disaster recovery.
Our current autoinstall environment handles Solaris 2.5.1 (on sparc),
Irix 6.2, OSF/1 3.2c and SunOS 4.1.4. Linux (based on Debian) is
planned. Some rudimentary support for older versions of some of these
operating systems is also included.
We have 150+ hosts configured with this system.
There is a fair amount of traffic on similar subjects, on the auto-net
list: auto-net@math.gatech.edu.
Marc Chatel wrote:
>
> Hello all,
>
> I am looking for one or more anonymous FTP sites that would be
> interested in hosting a new security software kit called "S4". S4 stands
> for the "Secure System Setup Script". The kit is currently about 6.5 megabytes
> (and will probably grow), and it may be necessary to keep several versions
> archived over time if the kit proves popular.
>
> The kit does not currently contain anything that would cause "export
> control" problems if hosted in the U.S., but this COULD change over time.
> Because of this (and if sites are interested, of course), the ideal setup
> may be for a non-U.S. master FTP site, with mirrors in the U.S or elsewhere.
> Better suggestions from people more knowledgeable than me about the problem
> are welcome. :-)
>
> Interested sites may contact me at mchatel@dial.oleane.com.
> I will need to use a "simple" authentication method to update the FTP area,
> since I live in France and basically cannot use any serious crypto without
> a permit.
>
> A bit more detail on S4 is included below for your reading pleasure...
>
> Sincere Regards,
>
> Marc Chatel
> 9, ave Jean Monnet
> 74940 ANNECY-LE-VIEUX
> FRANCE
>
> Private E-mail: mchatel@dial.oleane.com
>
> ----------- details on S4 (the Secure System Setup Script) -------------
>
> S4 is best described as "a security glueware compromise". The goal of S4
> is to minimize the time necessary to accomplish the following:
>
> Move from a) system with freshly installed base operating system
> with no config done yet
>
> to b) system with a maximum number of obvious security holes
> closed, ready to connect to an insecure network,
> and which offers some basic services that people need today:
> FTP/WWW/SMTP/POP. Most services offered (including the ones
> I just listed) run chrooted and non-privileged.
>
> The current S4 is able to move a system from a) to b) in approx. 60 minutes.
> The installer spends most of that time pressing "Y", "N", and RETURN to accept
> default parameters and page through the output. I guess it could be described
> as an "automatic system defense tool", as opposed to "automatic system
> scanning tools", which are more common...
>
> Although it currently runs on only one platform (OSF/Digital Unix on Alpha),
> I believe people will find the tool interesting (even if it is just to pick
> some parts out of it). My goal in publishing S4 is to find volunteers that
> will find it useful enough to add functionality to it, and help me port it
> to other platforms (my experience is that testing a tool like this requires
> exclusive access to at least one machine of the type being tested,
> preferably two).
>
> The actual S4 "kit" is composed at > 90% of software packages already
> published on Internet and written by many people. All packages included are
> in source form (S4 compiles all packages during installation, that's why it
> takes an hour to run). In some cases, I have made slight modifications to
> the packages (usually to improve drop privilege/chroot methods and to fix
> syslog issues introduced by chroot environments).
>
> Packages currently included in the S4 kit (either as-is or modified) are:
> -----------------------------------------------------------------------------
> "aftpd", originally written by Marcus J. Ranum, based on Berkeley
> sources
>
> "arpwatch" from the University of California, Lawrence Berkeley Laboratory
>
> the Berkeley "db" package, from the University of California at Berkeley
>
> "gzip", from the Free Software Foundation
>
> "libpcap" from the University of California, Lawrence Berkeley Laboratory
>
> the NCSA "httpd" web server, from the National Center for Supercomputing
> Applications at the University of Illinois at Urbana-Champaign
>
> PERL (version 5.003), from Larry Wall
>
> "poppasswd", originally from Daniel L. Leavitt at MITRE (I believe)
>
> "qpopper", a collective work currently hosted at QualComm
>
> "sendmail", from the University of California at Berkeley
>
> "spop", put in the public domain by the RAND Corporation
>
> "tcpd", from Wietse Venema at the Eindhoven University of Technology
> -----------------------------------------------------------------------------
>
> The parts of S4 actually written by me are mostly installation shellscripts,
> and a few C programs here and there to handle specific issues.
>
> ***************************
> LICENSING/COPYRIGHT ISSUES:
> ***************************
>
> My primary goal is usefulness.
>
> To some extent, the S4 kit can be considered an "aggregation" of many
> software packages (the S4 shellscripts sit in their own directory and drive
> each package's installation script from outside). Each package included
> in the S4 kit remains on its own license/copyright terms.
>
> The top directory of the S4 kit includes a file called S4_LICENSE.txt
> that includes the basic license text from all of the parties involved
> (I think). Each kit included is in source and includes its own license
> text.
>
> For the parts of S4 specifically written by me, I chose licensing
> terms as convenient as possible. The S4-specific files include the
> following text:
>
> # ------------------------------------------------------------------------------
> # Copyright (c) 1995,1996 Donated to the public domain
> #
> # Original author and maintainer: Marc Chatel mchatel@dial.oleane.com
> # Last known maintainer: Marc Chatel mchatel@dial.oleane.com
> #
> # This file was created as part of the S4 (Secure System Setup Script) kit.
> # Permission is granted to any person or entity to do any of the following:
> # a) use this file alone or in some other software
> # b) modify this file or include parts of this file in other files
> # c) re-distribute this file AS IS or modified, for non-commercial
> # or commercial purposes, alone or as part of some software package
> #
> # No warranties of any kind, express or implied, on the functionality and safety
> # of the contents of this file. Use at your own risk!
> #
> # If you do useful changes to this file (bug fixes, portability fixes,
> # enhancements), you should TRY to contact the current maintainer, who may be
> # maintaining a "latest greatest" version of the file. You do not HAVE TO,
> # but you should TRY. Promote software reuse! It helps everybody, including you!
> # ------------------------------------------------------------------------------
>
> --------------- end of message -----------------