Titan




Unix and Linux environments present a unique challenge to “lockdown” or hardening scripts. Although just about every Unix variant has an /etc/passwd file, not all variants implement shadow passwords, or even store password hashes in the /etc/passwd or /etc/shadow file. Titan addresses this type of problem by applying a checklist to a specific set of operating systems. In practice, you may find that Titan is best suited for Solaris systems because the current Linux distributions have been updated so frequently that Titan has been unable to track all of the changes.

Titan is an excellent tool for establishing a secure base installation. Most of its configuration checks relate to file permissions and environment variables. Although many tests do apply to network security, Titan’s advantages lie in the secure user environment it creates.

Note 

As with each tool described in this chapter, you should continue to monitor and install application security patches and test the configuration of applications installed after the host-hardening process.

Download and Installation

Titan is a collection of shell scripts that can be downloaded from http://www.fish.com/titan/. Once you have obtained the tarball, unzip it in a directory (/tmp is a good choice). To install Titan, run the following command from the Titan-version directory (you must have root privileges):

[mike@corrino Titan,v4.0BETA6]$ sudo ./Titan-Config -i
checking for dependencies...
finding out where we are...
we are in '/tmp/Titan,v4.0BETA6'

checking out your system...
this system runs: Linux-2.4.21-0.25mdkcustom-i686
we will be using: RedHat

setting up links...
removing old links...
linking bin into path...
linking lib into path...
linking logs into path...
linking tmp into path...
linking done.
cleaning up is_root, sanity_check, Titan...
pulling in local Titan script...

Run Titan utilites with 'Titan -[v,f,i]' after reading the Docs...
                        OR
Run Titan using a config file. (Titan -c sample.Server) after reading the Docs

Titan can backup all of the files it modifies; This is recommended
NOTE: in the process of backing up files /etc/shadow as well as other
important files will be backed up. It is IMPORTANT that you keep this
backup SAFE, or delete it after you are sure Titan didn't do something
unwanted
proceed? y/n: y
Okay...
Checking for backup program...
Found backtit.sh - Backing up system files now...
This might take a while..
Generating listings.....
Looking for SAVEFILES in all modules...
grep: /tmp/Titan,v4.0BETA6/bin/bin/modules/*: No such file or directory
No files listed in modules..
Nothing to backup...
You might want to add a SAVEFILES variable to your modules
Something like this:
SAVEFILE='/etc/motd /usr/aset/asetenv'

Backtit.sh now only looks for this variable and does not attempt to
calculate files to backup by reading the contents of modules

You will quickly notice that Titan is verbose and well documented. The Titan-Config script does not perform any security checks or modify the file system; it sets up Titan’s environment with soft links to the shell scripts and security definitions specific to the target operating system. Titan uses the uname command to identify the system; if it does not recognize your system, or has no checks defined for it, the configuration script stops.

If you have never run Titan before or you are running it on a production system, be sure to create the directories necessary to save backup copies of any files that Titan may change. The output of the Titan-Config script provides instructions on how to accomplish this.

Implementation

Titan has two main modes: Verify Security Settings and Fix Security Settings. Verify mode (-v) performs each test and reports a pass or fail. Fix mode (-f) performs each test and changes any failed item to its recommended setting. For example, if the /etc/passwd file is world-writeable, Titan removes the world-writeable bit (chmod o-w /etc/passwd).

Always run Titan in verify mode first to get an idea of the system’s risk level. Here is a portion of a Titan check against a Mandrake 9.1 system:

[mike@corrino Titan,v4.0BETA6]$ sudo ./Titan -v

*=*=*=*=* Running modules/add-umask.sh now.....
No umask file /etc/rc.d/init.d/umask.sh found
*=*=*=*=* Running modules/adjust-arp-timers.sh now.....
*=*=*=*=* Running modules/aliases.sh now.....
*=*=*=*=* Running modules/atset.sh now.....
CRONLOG entry not found or misconfigured - FAILS CHECK
/var/cron permissions - FAILS CHECK
/etc/cron.daily/logrotate LIMIT - FAILS CHECK
/etc/cron.deny NOT FOUND - FAILS CHECK
*=*=*=*=* Running modules/create-issue.sh now.....
Mandrake Linux release 9.1 (Bamboo) for i586
Kernel 2.4.21-0.25mdkcustom on an i686 / \l
*=*=*=*=* Running modules/create-umask-redhat.sh now.....
No umask file /etc/rc.d/init.d/umask.sh found
*=*=*=*=* Running modules/cronlog-redhat.sh now.....
CRONLOG entry not found or misconfigured - FAILS CHECK
/etc/cron.daily/logrotate LIMIT - FAILS CHECK
/etc/cron.deny NOT FOUND - FAILS CHECK
*=*=*=*=* Running modules/disable-accounts.sh now.....
bin shell = /bin/sh - FAILS CHECK
daemon shell = /bin/sh - FAILS CHECK
adm shell = /bin/sh - FAILS CHECK
lp shell = /bin/sh - FAILS CHECK

Even though certain items are false positives (such as the umask check), Titan has correctly found some security lapses, namely the presence of legitimate login shells for the bin, daemon, adm, and lp system accounts in the /etc/passwd file. If we were to run Titan in fix mode (-f), those shells would be replaced with the more secure /sbin/noshell.
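The verify/fix distinction and the disable-accounts check described above, as an added example that is not Titan's own module code: a minimal Titan-style module with -v and -f modes, run against a constructed copy of /etc/passwd in a temporary directory so that the real system is neither read nor modified. The /sbin/noshell path, the system-account UID ranges (below 100 or above 60000), the world-writable permission check, and the sample accounts are assumptions taken from the text; the helper names (make_sample, check_shells, verify, fix, run_example) are hypothetical.

```sh
#!/bin/sh
# Added example (not Titan's own module code): a minimal Titan-style module
# with verify (-v) and fix (-f) modes. It works on a constructed copy of
# /etc/passwd under a temporary directory, so nothing on the real system
# is read or changed.

NOSHELL="/sbin/noshell"                 # assumption: the shell Titan's fix installs
WORKDIR="${TMPDIR:-/tmp}/titan-example.$$"
PASSWD="$WORKDIR/passwd"                # constructed sample, not the real file
mkdir -p "$WORKDIR"

# make_sample: (re)create the sample passwd file with the same kind of lapses
# Titan reported above: system accounts with /bin/sh, and a world-writable file.
make_sample() {
    cat > "$PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/sh
daemon:x:2:2:daemon:/sbin:/bin/sh
adm:x:3:4:adm:/var/adm:/bin/sh
lp:x:4:7:lp:/var/spool/lpd:/bin/sh
nobody:x:65534:65534:Nobody:/:/sbin/nologin
mike:x:500:500:Mike:/home/mike:/bin/bash
EOF
    chmod 666 "$PASSWD"
}

# is_world_writable FILE: true when the "other" write bit is set
# (character 9 of the ls -l mode string).
is_world_writable() {
    [ "$(ls -ld "$1" | cut -c9)" = "w" ]
}

# check_shells FILE: print each "system" account (UID < 100 or > 60000,
# root excluded) whose login shell still permits interactive login.
check_shells() {
    awk -F: -v noshell="$NOSHELL" '
        $1 != "root" && ($3 < 100 || $3 > 60000) &&
        $7 != noshell && $7 != "/sbin/nologin" && $7 != "/bin/false" { print $1 }
    ' "$1"
}

# verify FILE: report findings in Titan's style; return 1 if any check fails.
verify() {
    rc=0
    if is_world_writable "$1"; then
        echo "$1 world-writable - FAILS CHECK"; rc=1
    fi
    for acct in $(check_shells "$1"); do
        shell=$(awk -F: -v a="$acct" '$1 == a { print $7 }' "$1")
        echo "$acct shell = $shell - FAILS CHECK"; rc=1
    done
    return $rc
}

# fix FILE: apply the recommended settings (chmod o-w, replace the shells of
# offending system accounts with NOSHELL), then re-verify. Writing back with
# cat keeps the original file's now-corrected permissions.
fix() {
    chmod o-w "$1"
    tmp="$1.titan.$$"
    awk -F: -v OFS=: -v noshell="$NOSHELL" '
        $1 != "root" && ($3 < 100 || $3 > 60000) &&
        $7 != noshell && $7 != "/sbin/nologin" && $7 != "/bin/false" { $7 = noshell }
        { print }
    ' "$1" > "$tmp" && cat "$tmp" > "$1" && rm -f "$tmp"
    verify "$1"
}

# run_example MODE: MODE is -v or -f, mirroring Titan's own flags.
run_example() {
    case "$1" in
        -v) verify "$PASSWD" ;;
        -f) fix "$PASSWD" ;;
        *)  echo "usage: run_example -v|-f" >&2; return 2 ;;
    esac
}

# Stand-alone demonstration: verify (expect FAILS CHECK lines), then fix,
# which ends with a clean re-verify.
make_sample
run_example -v || true
run_example -f
```

Run it as an ordinary user; the first pass prints one FAILS CHECK line for the file mode and one for each of bin, daemon, adm, and lp, and the fix pass prints nothing because every check then passes. Remove the temporary directory afterwards. Pointing PASSWD at the real /etc/passwd would make the fix mode behave like Titan's -f, which is exactly why the text advises running verify mode first and keeping backups.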

If you find Titan’s output too terse, try the intro (-i) mode. In verify mode, Titan prints only a basic description of each check and whether the system passed or failed. Intro mode, on the other hand, provides a lengthier description that defines the security problem and the solution Titan is trying to apply. This is an excellent feature for first-time users, junior sys admins, or novice security professionals. For example, run ./Titan -i to get more information about the modules/disable-accounts.sh check:

*=*=*=*=* Information about modules/disable-accounts.sh

Ensure login shell for "system" accounts are disabled
these are accounts < 100 > 60000 by default but may
include others.

A basic listing for SysV Unix is:
    bin, daemon, adm, lp, smtp, sys, uucp, nuucp, listen, nobody, noaccess

    Note: "sys" account might need to be left open since it starts accounting
       on some systems. Titan turns it off by default

    Note2: PLEASE look at /src1/noshell.c A binary version of noshell is
       MUCH better than this shell version. Replace the /sbin/noshell that this
       script creates with the noshell.c binary you compile if possible.

Titan’s fix mode works best on Solaris platforms because the modified settings are less likely to interfere with the other security measures provided by the various Linux distributions. For example, notice that in the previous example Titan ran RedHat checks against the Mandrake system. The two Linux distributions are similar but do not have identical administration and security settings. Solaris, for the most part, installs with a standard suite of tools and default settings.






Anti-Hacker Tool Kit, Third Edition
ISBN: 0072262877
Year: 2004
Pages: 189