Softpanorama (slightly skeptical) Open Source Software Educational Society

May the source be with you, but remember the KISS principle ;-)

Slightly Skeptical Notes on Titan

Nikolai Bezroukov

v.0.2

Titan (here is a download link) is a good collection of Solaris hardening scripts written in Borne shell. The only survivor in the harsh world of open source security scripts :-(.  IMHO it's very important that the author promotes KISS philosophy: Titan architecture is essentially the same architecture as the architecture of Unix startup sctips in system V: there is a central repository of modules and modules for a particular version of Os are linked to a central repositoty. The structure of scripts itself is also pretty similar they source a common functions and have three modes: help (i), check (v) and hardern (f). Here is how the author explains his design:

Some philosophy behind Titan

Titan was designed using the KISS module. ``Keep  It Simple Stupid''

At one time I built shell scripts that did all the fixes at one time. The trouble was that sometimes you wanted some things left alone so you ended up modifying the shell script (or C program) and commenting out some portions. Then when you went back to re-use the script the next time it was possible that I forgot that the script would leave that commented item enabled when *this* time you wanted it disabled. Thus no consistency.

Or you have the script ask before doing every change. This can be a pain and time consuming if you need to do multiple systems and are on a time limit like most of us usually are. Or want to run things from a crontab.

I abandoned these models in favor of short succinct set of scripts each of which did -one- and only one specific type of thing. Script names were picked that (mostly) made reference to what each module did. I have been hampered by porting to-from filesystems that restrict file name lengths at times (msdos for instance; ever try and copy files with names like disable_ip_forwarding.sh to a PC laptop and then back to a real system? arg!) Thus the names are kept reasonably short at the expense of loosing a descriptive name.

To write such set of scripts in Borne shell was rather strange decision if you know about availability of ksh and ksh93 (dtksh) in Solaris (you may put them into /root/bin is you are really paranoid). In almost 100% Solaris systems I saw ksh is installed.

Generally Titan can and should be considered to be a Cops derivative, but most modules are written by Brad M. Powell. Formal coauthors are Matthew Archibald and Dan Farmer (of Cops and Satan fame). But it looks like the last two were just for inspiration: in reality several other contributors provided most interesting modules :-)

As of Feb 1, 2001 the current version is 3.8. This is mostly a bug-fix for 3.7. Also 3.8 contain a newer fix-modes (the old one screwed Solaris 8 in a very interesting way :-) Among fixed modules are:

• rootchk.sh
• automount2.sh
• utmp2.7.sh
• ziplock.sh
• keyserv2.8.sh

Attention: version 3.7 of Titan included an old version of fix-modes. God forbid using old version of fix-modes on Solaris 8. Update before running to the April 2000 version or you will  really have a chance to test your understanding of the Solaris ;-)

Titan does not go as far as YASSP and does not introduces any dynamic reconfiguration capabilities (which might be a good thing ;-). It does not helps to install TCP Wrappers, Tripwire and several other useful products, etc) but I think that this should a separate package anyway.  Like YASSP uses fix-mode for fixing permissions.

It's not perfect and does not do some very reasonable things (like changing directory for the user root to /root, instead of  archaic / setting that for some strange reason preserved in Solaris). Code quality is very uneven byte titan unlike all other tools I saw impose some discipline into modules and contain a template of module skeleton.

Titan checking mode can provide useful auditing information somewhat similar to Cops. Titan is a less demanding toward system administrator program and can be used in facilities with average sysadmins.  Actually TCP Wrappers can be installed using YASSP after running Titan.

Titan is highly recommended for administrators who know at least a little bit of scripting. See TITAN_documentation for more information. Here are some relevant quotes:

Titan is a collection of programs, each of which either fixes or tightens one or more potential security problems with a particular aspect in the setup or configuration of a Unix system. Conceived and created by Brad Powell, it was written in Bourne shell, and its simple modular design makes it trivial for anyone who can write a shell script or program to add to it, as well completely understand the internal workings of the system.

Titan does not replace other security tools, but when used in combination with them it can help make the transformation of a new, out of the box system into a firewall or security conscious system into a significantly easier task. In a nutshell, it attempts to help improve the security of the system it runs on.

... ... ...

Titan can help with all of these problems; its main design goals are:
 

• After being run, the system should be more secure than when we started. Things may be broken, but it should be more secure! The truth is that most things you do to secure a system are probably not going to cause a problem. A vendor can't take that chance - but we can. In any case, we haven't run into anything that Titan has broken, but it certainly could happen.
• Security comes first, right along with functionality. If Titan has been run at its highest level of security, there will be no significant configuration security problems that I know of. The system will not be 100% secure - none are - but it will be pretty darn secure.
• Producing a consistent and understandably secure system.
• It can help create a programmatically defined technical aspect of a system or site's security policy.  Allow the administrator to have complete control over what modules in Titan are run - with full source code and a fair bit of flexibility, it is easy to remove unwanted security fixes. After all, not everyone wants or needs all the actions that Titan does.
• Titan is easily extended. Shell scripts or other programs can be placed into Titan's framework, and they will be run alongside all the other programs. All you need do is build your scripts/code to produce output that an expects.
• To be a useful security tool in the overall security framework.
   

Titan does not try to do all the other important things, like fix bugs, check for poor passwords, install patches, or check for COPS/Tiger/SATAN-like problems. But there is much more to security than that! And it is not meant to be run once and forgotten, nor should all Titan modules be run on all systems. But any system administrators that are concerned about security should have considered, if not resolved or fixed, a significant number (if not all) of the problems
that Titan covers on their security critical systems. Titan helps by being systematic about things. No longer do you need to wonder if you finished applying all your changes. Just run Titan -v and it will spit out all the things Titan thinks need hardening. 

History

Anyone working in security or systems administration who has been been around the Internet for any length of time has done it - making the same changes, over and over again, to secure a system. Worse yet, each new OS release would bring tiny, seemingly completely arbitrary changes that would invalidate prior work. And forget it when a new major release came out, or you had to work with another operating system altogether! And between the three of us we've ftp'd Crack, COPS, and other security programs from the net many thousands of times.

Eventually it became clear. I was not only making the same changes to the underlying OS over and over again to secure my system from attack (the many security exploits and investigations that are saved on my system make it a target), but also when building various firewall configurations (which is what I do for a living.) I was making the same changes over and over again. I started writing Titan almost in self defense - initially as a simple set of tools for my personal systems, but it also quickly proved a valuable sanity check for confirming consistency when building firewalls. Its next natural task was to use it when examining or auditing a system. Laziness is the best motivation there is - if I had to type those same commands manually  one more time...

Analyzing the security of a system is depressing - the same sets of problems always come up. Worse yet, these problems almost always can be easily fixed - so why aren't they? Worst of all, these problems keep coming up; if you don't find them the first time, wait a few months or a year, and they'll be there then. And it's not Sun - it's NEC,  it's HP, it's IBM,  yes, Linux too! It's everyone that has even a mildly complex system. Yes, even Microsoft.

So why do these same problems show up over and over and by different suppliers? Good question. I don't know exactly, but I do know that having a tool that can help ensure that your systems are consistent in your organization is a positive step in the right direction. Having a system consistently adhering to the security policy is perhaps the most valuable thing you can do to keeping it secure.

I'm often asked how to tighten down the OS when a firewall product gets installed. There is a reasonable expectation from the customer that after the firewall is installed that the system will not be compromised by an attack that is outside the scope of the firewall product. After all, aren't firewalls supposed to protect you? You wouldn't say it was okay to run my business on the Internet unless you could protect me, would you?

And it's true - it really is unreasonable to expect the user, a customer, to understand all, or even most (any? ;^}), of the security issues of running a system on the Internet. Why should they? Security isn't the goal of a business, making money is. However, this does place both the firewall vendor and security people in general in a rather awkward situation. Indeed, this probably scares firewall vendors more than anything else - the fact that their firewalls are failing because some user or administrator doesn't fix or upgrade an old version of a potentially vulnerable network service! I can no longer count the number of times I've heard "I didn't know leaving sendmail running on my firewall might make it vulnerable."

Titan tries to along with using some common sense on your part, and doing a minimum OS install, to build you a consistent, reproducible base install.  Making the system suitable to then install a firewall or other product and knowing that the underlying foundation isn't all sand.

What Titan is not.

Titan isn't a replacement for anything (period; end of discussion) Titan doesn't mean you no longer need to install vendors security patches (although it might save you in some cases if you didn't install a patch) Titan doesn't mean that you shouldn't install SKIP, openssh, smap, smrsh, tripwire, Tcp_wrappers, rpcbind, noshell, COPS, SATAN, TIGER, crack5, cracklib, or any of the other security tools you are (or should be) currently using but it should make the results of running COPS look shorter.

Titan works at the lower OS level to fix common configuration errors. Things like the user ``lp'' account having a valid shell and some administrator exporting /var/spool read-write via NFS so users can share an e-mail server.

If you can't guess, "/var/spool" is a home directory, and if user ``lp'' has a valid shell, a remote user can add in a rhosts entry to /var/spool and login as user ``lp''; oh and guess what? In some OS's the user ``lp'' is in a privileged group  (/etc is mode 775 in Solaris for instance) or owns a directory where root runs commands out of.

... ... ....

See the FAQ  Question number 4 on how to build a titan module and how a titan script is designed

Descriptions as to what each script does:

• SunOS 4.1.X
• Solaris 2.X
• Solaris 8

Last modifed:

Created: May 16, 1996; Last modified: February 28, 2008