Summary: Ramifications of these security implementations

From: Seel, John <John.Seel_at_US.Faulding.com>
Date: Mon, 21 Aug 2000 09:14:43 -0400

I received several responses ranging from "Don't do it unless you want your
system to be unstable" to "I don't see any reason why it won't work".

So I decided to experiment on a less critical system (Alpha 2100, 4.0D no
ASE).

1) Changing the root home directory to /root at first seemed okay. However,
I experienced problems using vipw. When exiting vipw, I received the
message "you mangled the temp file, /etc/passwd unchanged". When I put
root's home directory back to /, I had no problems with vipw. Although this
problem could be easily worked around with vi and mkpasswd (which worked
fine), I was wary of what other problems may pop up that may not be easily
circumvented. I've decided to leave root's home directory at /.

2) I changed the permissions on /etc/inittab to 640 and had no problems. I
will leave the permissions at 640.

3) The comsat service is only used for mail notification. Our general user
community does not receive mail on these systems so I disabled the comsat
service. Several people who responded believed that the cfgmgr service was
needed for the cluster. I will leave the cfgmgr service enabled.


I will be making these changes on the clustered systems in the next few
weeks. If anything else occurs, I will post another summary.

Thanks to all who responded.

John Seel


------- Original Post -----------
> Hello managers,
>
> A client recently underwent a security audit. The auditor has made the
> following recommendations. I was wondering what the ramifications may be
> of implementing his suggestions. He was not overly familiar with T64 UNIX
> and some of the other recommendations he made did not apply. As far as I
> know, all of the following points are based on the default T64
> installation.
>
> This is version 4.0D patch 3. TruCluster ASE 1.5. (two Alpha 4100s). (Yes,
> I know it's behind) This system is safely behind a firewall and there is
> no direct access from the internet to any services on these systems.
>
> 1) The /etc/inittab file is world readable (although owned by
> root:system). He suggests removing the world read access.
> 2) Take root's home directory off of "/" and create a private root home
> directory. (Like /root on linux I suppose)
> 3) Disable the "comsat" and "cfgmgr" services in /etc/inittab.
>
>
> Thanks.
>
> John Seel
>
>
> ----------------------------------------------------
> John Seel
> UNIX Systems Administrator
> Faulding, Inc.
> 'john.seel_at_us.faulding.com"
> (908) 659-2398
> -----------------------------------------------------
>
Received on Mon Aug 21 2000 - 13:15:55 NZST
