+--------------------------------------------------+
| Notice to all TrinityOS viewers:                 |
|                                                  |
|  - If there are any sections that you would      |
|    like to be added/modified/corrected, etc,     |
|    just let me know!                             |
|                                                  |
|  ** Do you want to get an e-mail when I          |
|     update the TrinityOS doc? Just send an       |
|     e-mail to dranch at trinnet dot net with a   |
|     subject of "Add me to your updates list" and |
|     I'll add you to the list! **                 |
|                                                  |
|                  dranch at trinnet dot net       |
+--------------------------------------------------+

See all prior updates older than 01/12/03 at:

http://www.ecst.csuchico.edu/~dranch/LINUX/TrinityOS/UPDATES/TrinityOS-old-updates.txt

**************************************************
**                  TrinityOS                   **
**              "CRITICALITY" list              **
**************************************************

 - This section is for TrinityOS users to better track what TrinityOS
   changes ARE and AREN'T so IMPORTANT to be fixed on their Linux box

Key:
----
*C* = CRITICAL:      Something CRITICAL means that you are vulnerable to
                     attack either due to some new security exploit, an
                     error on my part (firewall rules, etc), or something
                     that should be tested ASAP.

 I  = IMPORTANT:     Something IMPORTANT means that these changes will have
                     direct impact on the functionality of your box or is a
                     medium security risk. Not all IMPORTANT things are
                     important to everyone.

 G  = GOOD READ:     Something marked GOOD READ is informative and will
                     better help you track your machine.

 N  = Not Important: NOT IMPORTANT items are things like typo corrections,
                     formatting changes, etc.

================================================================================
Criticality
 -- Date        What was changed and in what [Section]
 --------       ------------------------------------------------
================================================================================

------------------------------------------------------------------------------
All of TrinityOS's step-by-step instructions, files, and scripts are fully
scripted out for an automatic installation at:

http://www.ecst.csuchico.edu/~dranch/LINUX/TrinityOS-security/TrinityOS-security.tar.gz
-----------------------------------------------------------------------------

N   05/22/05  - Updated various programs to their newest versions
* Sent          [Section 5 - URLs]
Update *      - Cleaned up the ssh section a little
                [Section 30 - SSH]
-----------------
G   04/16/05  - Updated the IPCHAINS firewall to 4.21 where I updated the
                bogon list to reflect changed bogon listing and added
                output Multicast and NFS traffic filters
-----------------
N   02/25/05  - There was a typo in the IANA assignments URL for the wget
                line compared to the
                raw URL.
                [Section 5 - URLs]
-----------------
G   07/31/04  - Fixed the lock entry to point to /var/lock vs. /var/log
                Thanks to Bill Marr for this one.
                [Section 36 - UPSes]
-----------------
N   07/26/04  - Updated the example host name for finding out the Bind
                version from @xyz.com to @ns1.xyz.com.
                [Section 24 - DNS]
-----------------
N   07/24/04  - Updated the kernel versions:
                    2.6.x  --> added 2.6.7
                    2.4.22 --> 2.4.26
                    2.2.25 --> 2.2.26
                    2.0.39 --> 2.0.40
              - Updated the apcupsd website url and version
                [Section 5 - URLs]
-----------------
N   07/13/04  - Updated the ISC DHCPd server version to 3.0.1rc14
                [Section 5 - URLs]
G             - Updated the Linux distribution section a bit
              - Added an RPM list that is offered in RHEL ES 3.0
                [Section 6 - Distros]
G             - Updated the DHCPd configuration to reflect 3.0.1rc14
              - Updated to note that the 255.255.255.255 route requirement
                is for 2.0.x and 2.2.x kernels
              - Changed location of the dhcpd.lease file from /etc to
                /var/dhcpd/
                [Section 27 - DHCPd]
-----------------
G   03/21/04  - Updated the sendlogs section to 03/14/03 which includes
* Sent          log reduction. Specifically, many users get lots and
Update *        LOTs of firewall hits but they might not care about say
                port 80. Sendlogs now counts the # of hits and deletes
                them out of the email so you can more quickly scan your
                logs email. I've been using this for a long time now and
                it's a VERY nice feature.
                [Section 9 - Adv. System Logging]
-----------------
G   03/14/04  - Added the backup-to-disk script to support both local and
                remote NFS / SAMBA backups to hard drives. This includes
                both internal as well as firewire and USB HDs.
                [Section 29 - Backups]
-----------------
G   02/29/04  - Added a wget command to download a local IANA list
                [Section 5 - URLs]
-----------------
G   11/21/03  - Clarified that cutting and pasting TrinityOS scripts from
                a web browser into a text file will most likely create
                many errors. It's ALWAYS recommended to get a copy of the
                TrinityOS scripts via the TrinityOS-archive file.
                [Section 10 - Firewalls]
-----------------
N   11/10/03  - Updated / deleted all URLs that pointed to kernelnotes.org
                Thanks to Jamie Alessio for the notice
-----------------
G   11/08/03  - Updated various daemon versions
* Sent            - 2.4.22 is stable
Update *          - bind 9.2.3
                  - bind 8.4.1
                  - sendmail 8.12.10
                  - dhcp 3.0p2
                  - wuftp 2.6.2 with many patches
                  - mozilla 1.5
                  - openssh 3.7.1p2
                  - raidtools 1.00.3
                  - samba 3.0.0
                  - apcupsd 3.10.6
                  - apache 2.0.48 and 1.3.29
                  - nmap v3.48
                  - gaim 0.72
                [Section 5 - URL]
              - Updated the versions of distros
                  - Mandrake 9.2
                  - SuSe 9.0
                  - Slackware 9.1
              - Mentioned that SuSe is being bought by Novell / IBM
                [Section 6 - distros]
-----------------
G   11/05/03  - Updated the distro discussion section about Redhat's
                withdrawal from the basic enduser distribution business.
                It also talks about their new Fedora project as well as
                the various Enterprise Linux versions. If you have
                questions about RH EL, I have it running and can give you
                my thoughts.
                [Section 6 - Distros]
-----------------
G   10/05/03  - Updated the powerchute-generate-ups-graph.sh and
                apcupsd-generate-ups-graph.sh scripts to fix an elusive
                decimal to octal conversion issue found in Bash.
                Specifically, the script would throw errors like:

                --
                Filtering original powerchute.dat file..
                Deleteing old ps and pdf files..
                Creating files..
                "generate-apc-graph-11003.gnuplot", line 6: illegal day of month
                - done creating files
                Creating /tmp/ups-log-11003.ps..
                Error: /undefinedfilename in (/tmp/ups-log-11003.ps)
                Operand stack:
                --
                [Section 31 - UPS]
-----------------
*C* 08/30/03  - Updated the Sendmail section to reflect that
* Sent          relays.osirusoft.com is defunct and thus greatly slowing
Update *        SMTP performance due to stalled DNS lookups for their
                domain.

                NOTE: The loss of SPEWS isn't all that bad as they
                      commonly would block entire ISPs for a single
                      spammer. Not very nice.

                NOTE2: Simply putting a "#" in front of the line:

                         FEATURE(dnsbl, `relays.osirusoft.com', \
                           `Rejected - See http://relays.osirusoft.com/')dnl

                       does NOT disable the use of osirusoft. You must
                       DELETE the line, re-run the "generate-cf" script,
                       and then restart Sendmail for the changes to take
                       effect.
                [Section 25 - Sendmail]
-----------------
N   07/09/03  - Updated the SSH section to reflect OpenSSH and SSH.com
* Sent          code versions 3.6.1p2 and 3.2.0
Update *        [Section 5 - URLs]
G             - Updated the kernel compiling script "build-it" to abort if
                the kernel image doesn't complete properly, added the use
                of PATH variables, and added additional ECHO statements
                for better compile tracking. Changes are also in the
                TrinityOS-security archive as well
              - I also updated the section's text to flow better, added
                additional troubleshooting steps, etc.
                [Section 14 - Kernel Compiling]
G             - I wrote this up AGES ago but never added it to TrinityOS.
                Anyway, I /finally/ added the installation of OpenSSH to
                TrinityOS and no longer recommend the use of SSH.com code
                due to licensing prices.
              - Fixed a ssh typo where I was restarting syslogd and not
                sshd (cut and paste error)
                [Section 30 - SSH]
N             - Renamed the TrinityOS-old-updates WRI file to TXT
N             - Moved all ChangeLOG entries older than 01/12/03 to the
                TrinityOS-old-updates.txt file
                [Section 57 - ChangeLOG]
-----------------
G   06/24/03  - Fixed a typo of /car/spool vs. /var/spool
              - Deleted the incorrect restarting of the syslogd daemon
                when it should have been crond. Ultimately, this step
                wasn't needed as cron will detect crontab changes
                automatically. Thanks to LiNuCe for the report!
                [Section 41 - EXT2 tuning]
-----------------
N   06/12/03  - Updated the IANA URL
                [Section 5 - URLs]
-----------------
N   06/07/03  - Updated the system info to reflect I'm running Mandrake
                9.1 on the laptop (if anyone has questions about 9.1)
N             - Updated the Redhat versions from 7.1 to 9.0; Mandrake 8.1
                to 9.1; Slackware 8.0 to 9.0; Debian 2.2R5 to 3.0R1; SuSe
                7.3 to 8.1; Added Gentoo
N             - Mentioned that the Corel and Storm distros are defunct
N             - Mentioned which distros are community effort distros vs.
                commercial ones. Also mentioned that Caldera is now owned
                by SCO; also added a note about their recent legal
                pursuits
G             - Updated my thoughts on RPM hell (it's not that bad now)
I             - Updated my thoughts on patch and errata support.
                Specifically, this was about my research on the
                Enterprise versions of Redhat Enterprise and Mandrake
                Corporate server.
N             - Updated my thoughts on Mandrake's "drak family" utilities.
              - Some edits and distro update prods via Julian Buckley
                [Section 6 - Distros]
-----------------
N   05/17/03  - Added the recommendation to download ISC's PGP key
                [Section 5 - URLs]
G             - Added PGP verification for Bind 9 source code
                [Section 24 - DNS]
-----------------
G   05/08/03  - The manual test of starting named still had the old Bind8
                command line that included the old and wrong
                "-g chroot-dns-int" syntax.
G             - Incorrect Redhat "chkconfig" command to make named start
                after every reboot. I was referencing "bind" instead of
                "named".
                It's now "chkconfig --level=345 named on"
              - Thanks to Nelson Rodriguez for the bug report
                [Section 24 - DNS]
-----------------
N   04/08/03  - Updated the kernel version to 2.2.25
* Sent        - Deleted the ICQ MASQ module sub-section as it isn't
Update *        relevant for modern versions of ICQ
              - Updated samba to 2.2.8a to reflect new security issues
                [Section 5 - URLs]
G             - Changed the name of the section to now be "System Backups:
                Recommended minimal file to floppy and using BRU"
              - Added the command to format the floppy
              - Changed the MBR backup from going directly to the floppy
                to /etc/info/mbr.dd
              - Added additional files to the backup to the floppy:
                fstab, raidtab, smb.conf (optional), smbusers (optional),
                ssh2/ssh*, lilo.conf, resolv.conf, conf.modules, hosts,
                hosts.*, inittab, dhcpd.conf (optional), mail/* (optional)
                [Section 29 - Backups]
G             - Changed the title to reflect only SSHv2 and not v1/v2
              - Mentioned that tools are available to actively decrypt
                SSHv1 traffic thus making SSHv1 basically useless
                [Section 30 - SSHv2]
*C*           - Updated the section to reflect that 2.2.8a is the current
                secure version.
              - Updated the PGP key section to reflect that samba now
                signs the tar files and not the .tar.gz or tar.bz2 files
                [Section 33 - Samba]
-----------------
*C* 03/29/03  - Yet another problem with Sendmail. Updated the recommended
                version to 8.11.7 or 8.12.9.
                [Section 5 - URLs]
*C*           - Updated the minimum version of Sendmail to avoid new
                security issues. HOW can Sendmail 8.12.x be chrooted but
                still have two massive security exploits within weeks?
                The new security mechanism in 8.12.x is obviously flawed
                at best.
              - In the future, TrinityOS will move over to Postfix
                [Section 25 - Sendmail]
-----------------
*C* 03/28/03  - Updated the version of Samba to 2.2.8 to reflect a newly
                fixed buffer overflow problem.
                [Section 5 - URLs]
*G*           - Updated the Samba section to reflect 2.2.8 and I also
                improved the chapterization of this section
              - Added a specific code hack to help some users (utimes)
                compile Samba
                [Section 33 - Samba]
-----------------
*C* 03/08/03  - Updated the version numbers of Sendmail to 8.12.8 and
                8.11.6+ to reflect the recent remote root exploit issue.
                [Section 5 - URLs]
N             - Updated the version of Bind to 9.2.2
                [Section 5 - URLs]
G             - Updated the intro to reflect that Bind 9.2.2 requires a
                non-vulnerable version of OpenSSL to be installed to
                support DNSSEC. TrinityOS doesn't cover this topic yet so
                this issue is only mentioned.
                [Section 24 - DNS]
*C*           - Updated the version numbers of Sendmail to 8.12.8 and
                8.11.6+ to reflect the recent remote root exploit issue.
G             - Added an additional compiling recommendation to HIDE the
                version of Sendmail you are running from the Internet.
                [Section 25 - Sendmail]
-----------------
G   02/22/03  - Updated the Copyright section to reflect some refined
                wording, note TrinityOS's trademark numbers, and fixed
                the URL pointing to the ultra-OLD .wri file. Thanks to
                Simon Soltek for bringing this to my attention.
                [Section 1 - Copyright]
-----------------
I   02/18/03  - Updated the APCUPSd daemon to reflect 3.8.6 which fixes a
                security issue
                [Section 5 - URLs]
-----------------
N   02/08/03  - Fixed some typos
              - Added XMMS and OpenSSH to the minimum recommended software
                packages to install.
                [Section 53 - Minimum Recommended Software]
-----------------
N   01/31/03  - Updated the 3NIC IPCHAINS ruleset to add a missing
* Sent          INT2BROAD variable. No worries, the correct settings are
Update *        automatically used anyway.
                [Section 10 - Firewalls]
-----------------
G   01/26/03  - Added a URL for the Remote Serial Console HOWTO
                [Section 5 - URLs]
N             - Updated the Serial Console and Reverse TELNET section to
                mention URLs in section 5.
                [Section 55 - Serial Consoles]
-----------------
N   01/13/02  - Updated the IPCHAINS rc.firewall ruleset to 4.10
              - The latter half of the OUTPUT section was using
                $UNIVERSE/0 instead of $UNIVERSE which was already set to
                0.0.0.0/0. This was a harmless typo and didn't hurt
                anything but was incorrect. Thanks to Matteo Lunardi for
                catching this.
                [Section 10 - Firewalls]

*******************************************************************************
* All prior updates dated 01/12/03 or older can be found at:                  *
*                                                                             *
*   http://www.ecst.csuchico.edu/~dranch/LINUX/TrinityOS-old-updates.txt      *
*******************************************************************************