
59. ChangeLOG

                +--------------------------------------------------+
                |  Notice to all TrinityOS viewers:                |
                |                                                  |
                |   - If there are any sections that you would     |
                |     like to be added/modified/corrected, etc,    |
                |     just let me know!                            |
                |                                                  |
                |  ** Do you want to get an e-mail when I          |
                |     update the TrinityOS doc?  Just send an      | 
                |     e-mail to dranch@trinnet.net with a          |
                |     subject of "Add me to your updates list" and |
                |     I'll add you to the list!  **                |
                |                                                  |
                |                           dranch@trinnet.net     |
                +--------------------------------------------------+
See all prior updates older than 10/15/00 at:

http://www.ecst.csuchico.edu/~dranch/LINUX/TrinityOS-old-updates.wri

        **************************************************
        **  TrinityOS                                   **
        **               "CRITICALITY" list             **
        **************************************************

        - This section helps TrinityOS users track which TrinityOS changes
          ARE and AREN'T important enough to be applied to their Linux box
          right away


        Key:
        ----
 
        *C =    CRITICAL:
                            
                        Something marked CRITICAL means that you are vulnerable
                        to attack, either due to some new security exploit, an
                        error on my part (firewall rules, etc.), or something
                        that should be tested ASAP.
        
        
        I =     IMPORTANT:
        
                        Something marked IMPORTANT means that the change has a
                        direct impact on the functionality of your box or is a
                        medium security risk.  Not all IMPORTANT things are
                        important to everyone.


        G =     GOOD READ: 

                        Something marked GOOD READ is informative and will
                        help you better track your machine.


        N =     Not Important: 

                        Something marked NOT IMPORTANT covers things like typo
                        corrections, formatting changes, etc.

================================================================================
Criticality   Date      What was changed and in what [Section]
-----------   --------  ------------------------------------------------
================================================================================


------------------------------------------------------------------------------
All of TrinityOS's step-by-step instructions, files, and scripts are fully
scripted out for an automatic installation at:

http://www.ecst.csuchico.edu/~dranch/LINUX/TrinityOS-security/TrinityOS-security.tar.gz
-----------------------------------------------------------------------------

I   03/07/01    Doh!  Updated all the TrinityOS-security.tgz URLs to
    * Sent      point to .tar.gz files.
      Update *  - Thanks to Mark Rushing for catching this

N               Moved all ChangeLOG updates older than 10/15/01 to the
                TrinityOS-old-updates.wri file

N               Moved all IPCHAINS rc.firewall errata older than 3.72
                to the TrinityOS-old-updates.wri file

G               Updated the ISC Bind versions and URLs
                [Section 5]

I               Updated the IPCHAINS rc.firewall ruleset to 3.83d
                #     - Fixed a typo (stray #) where the RFC1918
                #       10.x.x.x network was NOT being filtered in
                #       the OUTPUT section
                [Section 10]


G               Updated the DNS section to include CHROOTed and Split
                Bind 9.1.0

                - Updated the intro text for Section 24 for clarity,
                  cleaned up some formatting issues, removed pricing
                  info for registering domain names (I've seen
                  registrars offering from $14.95 to $45/yr).
                - Added additional methods on how to figure out what
                  version of Bind is running
                - Updated the minimum secure version of Bind to 8.9.3
                - Moved ALL older BIND information to the
                  TrinityOS-old-configs.txt files
                - Changed from explicitly moving the named and named-xfer
                  binaries into the CHROOTed jails to copying named*.
                  The reason for this is that named-xfer no longer
                  exists in Bind9 but there are two new files.  This
                  way is a little more generic.
                - One of the changes from Bind8 to Bind9 is that the
                  TYPE record in the named.conf file must now be the
                  FIRST line.
                - Changed the filename 192.168.0.db to
                  acme123-int.com.db since it really was a FORWARD zone
                  file and not a reverse

                * Updated the TrinityOS-security script to reflect all
                  of these changes as well as cleaned up the chapter
                  numbers, etc.
                [Section 24]

-----------------

I   02/18/01    Made another fix to the root-hints-update script
                # v2.4 - Updated the dig info lookup from ns.internic.net 
                #        to a.root-servers.net 
                [Section 24]

----------------

G   02/14/01    Made some fixes to the root-hints-update script for
                DNS:
                # v2.3 - Updated the initial CD into one of the real 
                #        CHROOTed dirs vs. /var/named.  The old script 
                #        was also leaving a stray NEW file in the EXT 
                #        directory.  Because of all this, the email
                #        notification would show an old root.hints 
                #        file though DNS would have the correct 
                #        updated file.
                Thanks to Jehan Bing for this errata.

N               Moved over the root-hints-update script to the automatic
                extraction from HTML (no more manual file sync'ing)
                [Section 24]

----------------

N   02/10/01    Cleaned up some formatting issues
    * Sent
      Update *
N               Updated Section 4 to reflect the current hardware
                I'm running
                [Section 4]

G               Updated several URLs and version numbers:
                   Updated the 2.0.x URL to 2.0.39
                   Updated the 2.2.x URL to 2.2.18
                   Updated the URLs to reflect the 2.4.x kernels
                   Updated the PPPd URL to 2.3.11
                   Updated the Bind URL to 8.2.3
                   Updated the Sendmail URL to 8.11.2
*C*                Updated the SSH URLs to 1.2.31 and 2.4.0
                     * Please note that SSH v1.2.31 still has a 
                       critical exploitable bug.  The fix has not 
                       been posted yet to ssh.com.  I will soon post 
                       installation instructions for OpenSSH to 
                       avoid these technical and new licensing 
                       issues (SSHv1 from ssh.com is no 
                       longer free to everyone)
                [Section 5]

------------

N       01/28/01        Updated the /etc/rc.d/init.d/named startup 
                        script
                 # 01/28/01 - Added a few CR-LFs to clean up the output 
                 #            between starting the internal and external 
                 #            zones
                 [Section 24]

-----------------

G       01/27/01        Updated the IPCHAINS firewall
                 # v3.83c - 01/27/01
                 #     - Fixed a wrong output netmask for NET-TEST-B being 
                 #       a /12 instead of a /16.  But, this really doesn't 
                 #       matter as I have disabled the filtering of reserved 
                 #       IP space as ARIN constantly is releasing this 
                 #       address space to the public without any form of 
                 #       notification.  See the update for v3.83a
                 #    Thanks to Keith Mitchell for this one.
                 [Section 10]

----------------

G   01/06/01    Updated the Sendlogs script a bit:
                - Fixed some formatting issues and moved it over to make
                  the .sgml code the primary source for the script vs.
                  two separate copies
                - Added --MARK-- filtering
                - Made the output more pretty
                - Cleaned up the error reports in the SUID and RCMD searches
                - Added an lsof log entry
                - Added a commented-out (#ed out) section to DD one HD to
                  another as a backup
                [Section 9]

----------------

G       12/31/00        Changed the versioning mechanism of TrinityOS.  
                        The new system no longer includes the published 
                        date of TrinityOS in the actual filename of 
                        each file ( i.e. TrinityOS-122100-c-1.html ).  
                        I did this because the dates were hosing search 
                        engines since once I would push out a new 
                        update, it would invalidate all of the various 
                        search engines links due to the change in date.

N                       Updated the IPCHAINS firewall 
                        - Added a missing .0 to the 72.0.0 networks in the 
                           Reserved-7 filters.  

                          Thanks to Michael Briegl for this one.
                        [Section 10]

N                       Fixed a spelling error in the title of Chapter 29
                        [Section 29]

----------------

G       11/11/00        Changed all the archives on the WWW site from .tgz to 
                        .tar.gz to fix the corrupted file issue that people
                        are complaining about.  Basically, the issue is that 
                        the WWW server has the wrong MIME type for .tgz files.
                        I've tried to get them to fix this without results so
                        I'll just use this work around.

N                       - Added links to IPROUTE2 code and documentation
N                       - Also cleaned up the indentation of the 2.0.x URLs
                        [Section 5]

N                       - Fixed two typos where I was restarting syslogd 
                          instead of inetd.
                          Thanks to Jason Ramey for the sharp eye
                        [Section 8]

G                       Fixed a BASH version issue for the deletion of the
                        .bash_history file.  The new syntax is 
                        "trap "rm -f ~$LOGNAME/.bash_history" 0"
                        instead of the older KSH-style of 
                        "trap 0 rm -f ~$LOGNAME/.bash_history".
                        Thanks to Jason Schadel for reporting this.
                        [Section 9]

N                       - Fixed an echo typo in the /etc/rc.d/init.d/firewall
                          script where I was setting the default policy to
                          REJECT but the echo statement said ACCEPT.
                        - Also added a "mlist" option to display current MASQ 
                          entries.
                          Thanks to Brandon Keirns for catching this
                        [Section 10]

N                        Fixed a typo where I was touching a "var/adm/messages"
                         file for Redhat instead of /var/log/messages.
                         Thanks to Jason Schadel for reporting this.
                         [Section 19]

----------------

I       11/09/00        Updated the IPCHAINS ruleset again and ripped out all
                        the Non-RFC1918 filtered addresses.  I guess it was
                        my mistake to believe IANA that addresses were
                        reserved when things like 65.x.x.x are used by
                        MediaONE, etc.  Sorry peoples... my mistake.
                        [Section 10]
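Why ripping out the non-RFC1918 filters is the safer choice, as an added Python check written for this entry (not code from TrinityOS or its rc.firewall): it keeps the RFC 1918 drop filters, flags a stale formerly-reserved entry like 65.0.0.0/8 that would now drop legitimately allocated addresses, and catches a malformed entry such as the missing ".0" fixed in the 12/31/00 entry. The sample source addresses and the old-style list are constructed.

```python
# Added example (not TrinityOS's rc.firewall): sanity-check a firewall's
# "reserved address" drop list, evaluated first-match as ipchains would.
import ipaddress

# RFC 1918 space is never a legitimate Internet source, so these stay valid.
RFC1918_ONLY = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]

# Constructed "old style" list: RFC 1918 plus a formerly IANA-reserved /8
# that has since been allocated to an ISP (the changelog's 65.x.x.x case)
# and a mistyped network missing its last octet (cf. the 12/31/00 fix).
OLD_RESERVED_LIST = RFC1918_ONLY + ["65.0.0.0/8", "72.0.0/8"]


def parse_drop_list(specs):
    """Parse network specs into (networks, errors); a malformed entry is
    reported, not skipped, since in a shell ruleset it simply never loads."""
    nets, errors = [], []
    for spec in specs:
        try:
            nets.append(ipaddress.ip_network(spec, strict=True))
        except ValueError as exc:
            errors.append((spec, str(exc)))
    return nets, errors


def would_drop(nets, src):
    """True if a packet from `src` matches any drop filter."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in nets)


def audit(specs, legit_sources):
    """Report drop-list entries that would block addresses known to be in
    allocated space.  `legit_sources` is a constructed sample; in practice
    it could be taken from your own web or mail logs."""
    nets, errors = parse_drop_list(specs)
    collateral = {}
    for net in nets:
        hits = [s for s in legit_sources if ipaddress.ip_address(s) in net]
        if hits:
            collateral[str(net)] = hits
    return {"errors": errors, "collateral": collateral}


if __name__ == "__main__":
    sample = ["65.12.34.56", "198.51.100.7"]  # constructed, not real hosts
    print(audit(OLD_RESERVED_LIST, sample))   # flags 72.0.0/8 and 65.0.0.0/8
    print(audit(RFC1918_ONLY, sample))        # nothing flagged
```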

I                       - Updated the firewall-confirm script
                        # 11/09/00 - The initial release was the wrong version.  Ack!
                        # This updated version includes a critical check for
                        # /tmp/fwok.  This version includes a 30 second screen
                        # timer.
                        # Please upgrade!

                          Thanks to Ryan Snodgrass for catching this
                          I have also updated the TrinityOS-security script
                          to reflect this.
                        [Section 10]

N                   Moved all old ChangeLOG entries dated 07/14/00 and older
                    to the TrinityOS-old-updates.wri file.

N                   I also cleaned up some formatting issues in the 
                    existing ChangeLOG entries.
                    [Section 58]


------------------

N       10/28/00  - Updated the IPCHAINS firewall to v3.82
                    #   Updated the Xwindows filtering from ports 6000-6010
                    #   to 6000-6063.
                    Thanks to John Soltow for this one.
                  [Section 10]

N                 - Fixed the text for the firewall-confirm script that 
                    should reference /tmp/fwok and not /tmp/ok
                    Thanks to Xavier for this one.
                  [Section 10] 

-------------------

                 
*******************************************************************************
* All prior updates dated 10/15/00 or older can be found at:                  *
*                                                                             *
* http://www.ecst.csuchico.edu/~dranch/LINUX/TrinityOS-old-updates.wri        *
*******************************************************************************
