4.6. Security - lateralblast/parsec GitHub Wiki
Security Information:
General Security information:
$ ./parsec.rb --server=hostname --report=security --format=table --masked
+---------------+--------------------+
| NTP Configuration Information |
+---------------+--------------------+
| Parameter | Value |
+---------------+--------------------+
| server | MASKED |
| driftfile | /var/ntp/ntp.drift |
+---------------+--------------------+
+--------+--------+----+---+------+------+-------+-------+--------+---------+
| NTPQ Information |
+--------+--------+----+---+------+------+-------+-------+--------+---------+
| remote | refid | st | t | when | poll | reach | delay | offset | disp |
+--------+--------+----+---+------+------+-------+-------+--------+---------+
| MASKED | MASKED | 16 | - | - | 64 | 0 | 0.00 | 0.000 | 16000.0 |
+--------+--------+----+---+------+------+-------+-------+--------+---------+
+---------+----------+-----------+------------------------+-------------+
| PAM Information |
+---------+----------+-----------+------------------------+-------------+
| Service | Type | Security | Library | Arguments |
+---------+----------+-----------+------------------------+-------------+
| login | auth | requisite | pam_authtok_get.so.1 | |
| login | auth | required | pam_dhkeys.so.1 | |
| login | auth | required | pam_unix_cred.so.1 | |
| login | auth | required | pam_unix_auth.so.1 | |
| login | auth | required | pam_dial_auth.so.1 | |
| rlogin | auth | requisite | pam_authtok_get.so.1 | |
| rlogin | auth | required | pam_dhkeys.so.1 | |
| rlogin | auth | required | pam_unix_cred.so.1 | |
| rlogin | auth | required | pam_unix_auth.so.1 | |
| krlogin | auth | required | pam_unix_cred.so.1 | |
| krlogin | auth | required | pam_krb5.so.1 | |
| rsh | auth | required | pam_unix_cred.so.1 | |
| krsh | auth | required | pam_unix_cred.so.1 | |
| krsh | auth | required | pam_krb5.so.1 | |
| ktelnet | auth | required | pam_unix_cred.so.1 | |
| ktelnet | auth | required | pam_krb5.so.1 | |
| ppp | auth | requisite | pam_authtok_get.so.1 | |
| ppp | auth | required | pam_dhkeys.so.1 | |
| ppp | auth | required | pam_unix_cred.so.1 | |
| ppp | auth | required | pam_unix_auth.so.1 | |
| ppp | auth | required | pam_dial_auth.so.1 | |
| other | auth | requisite | pam_authtok_get.so.1 | |
| other | auth | required | pam_dhkeys.so.1 | |
| other | auth | required | pam_unix_cred.so.1 | |
| other | auth | required | pam_unix_auth.so.1 | |
| passwd | auth | required | pam_passwd_auth.so.1 | |
| cron | account | required | pam_unix_account.so.1 | |
| other | account | requisite | pam_roles.so.1 | |
| other | account | required | pam_unix_account.so.1 | |
| other | session | required | pam_unix_session.so.1 | |
| other | password | required | pam_dhkeys.so.1 | |
| other | password | requisite | pam_authtok_get.so.1 | |
| other | password | requisite | pam_authtok_check.so.1 | force_check |
| other | password | required | pam_authtok_store.so.1 | |
+---------+----------+-----------+------------------------+-------------+
+---------------------------------------------------+-----------+
| Elfsign Verification |
+---------------------------------------------------+-----------+
| Library / Algorithm | Status |
+---------------------------------------------------+-----------+
| /kernel/crypto/sparcv9/blowfish448 | passed. |
| /kernel/crypto/sparcv9/sha2 | passed. |
| /kernel/crypto/sparcv9/arcfour2048 | passed. |
| /kernel/crypto/sparcv9/aes256 | passed. |
| /kernel/crypto/sparcv9/sha1 | passed. |
| /kernel/crypto/sparcv9/blowfish | passed. |
| /kernel/crypto/sparcv9/des | passed. |
| /kernel/crypto/sparcv9/md5 | passed. |
| /kernel/crypto/sparcv9/arcfour | passed. |
| /kernel/crypto/sparcv9/swrand | passed. |
| /kernel/crypto/sparcv9/aes | passed. |
| /kernel/crypto/sparcv9/rsa | passed. |
| /platform/sun4u/kernel/crypto/sparcv9/sha1 | passed. |
| /platform/sun4u/kernel/crypto/sparcv9/arcfour2048 | passed. |
| /platform/sun4u/kernel/crypto/sparcv9/des | passed. |
| /platform/sun4u/kernel/crypto/sparcv9/md5 | passed. |
| /platform/sun4u/kernel/crypto/sparcv9/arcfour | passed. |
| /platform/sun4u/kernel/crypto/sparcv9/rsa | passed. |
+---------------------------------------------------+-----------+
+--------------+---------------------------+---------------------------+----------+
| Security Settings (/etc/default/passwd) |
+--------------+---------------------------+---------------------------+----------+
| Item | Current | Recommended | Complies |
+--------------+---------------------------+---------------------------+----------+
| MAXWEEKS | 8 | 13 | *No* |
| MINWEEKS | 1 | 1 | Yes |
| WARNWEEKS | 1 | 4 | *No* |
| PASSLENGTH | 8 | 8 | Yes |
| NAMECHECK | YES | YES | Yes |
| HISTORY | 4 | 10 | *No* |
| MINDIFF | 5 | 3 | *No* |
| MINALPHA | 3 | 2 | *No* |
| MINUPPER | 1 | 1 | Yes |
| MINLOWER | 1 | 1 | Yes |
| MINDIGIT | N/A | 1 | *No* |
| MINNONALPHA | 1 | 1 | Yes |
| MAXREPEATS | 2 | 0 | *No* |
| WHITESPACE | YES | YES | Yes |
| DICTIONDBDIR | /var/passwd | /var/passwd | Yes |
| DICTIONLIST | /usr/share/lib/dict/words | /usr/share/lib/dict/words | Yes |
+--------------+---------------------------+---------------------------+----------+
+----------------------+--------------+--------------+----------+
| Security Settings (/etc/default/login) |
+----------------------+--------------+--------------+----------+
| Item | Current | Recommended | Complies |
+----------------------+--------------+--------------+----------+
| UMASK | 022 | 077 | *No* |
| SYSLOG_FAILED_LOGINS | 0 | 0 | Yes |
| SYSLOG | YES | YES | Yes |
| SYSLOG | 0 | YES | *No* |
| PASSREQ | YES | YES | Yes |
| SLEEPTIME | N/A | 4 | *No* |
| RETRIES | 3 | 3 | Yes |
| DISABLETIME | N/A | 3600 | *No* |
| CONSOLE | /dev/console | /dev/console | Yes |
+----------------------+--------------+--------------+----------+
+---------------+----------+-------------+----------+
| Security Settings (/etc/default/sendmail) |
+---------------+----------+-------------+----------+
| Item | Current | Recommended | Complies |
+---------------+----------+-------------+----------+
| QUEUEINTERVAL | N/A | 15 | *No* |
+---------------+----------+-------------+----------+
+----------------+----------+-------------+----------+
| Security Settings (/etc/default/inetinit) |
+----------------+----------+-------------+----------+
| Item | Current | Recommended | Complies |
+----------------+----------+-------------+----------+
| TCP_STRONG_ISS | 2 | 2 | Yes |
+----------------+----------+-------------+----------+
+---------------------------+----------+-------------+----------+
| Security Settings (/etc/default/inetd) |
+---------------------------+----------+-------------+----------+
| Item | Current | Recommended | Complies |
+---------------------------+----------+-------------+----------+
| ENABLE_CONNECTION_LOGGING | N/A | YES | *No* |
+---------------------------+----------+-------------+----------+
+---------+---------+-------------+----------+
| Security Settings (/etc/default/su) |
+---------+---------+-------------+----------+
| Item | Current | Recommended | Complies |
+---------+---------+-------------+----------+
| SYSLOG | YES | YES | Yes |
+---------+---------+-------------+----------+
+---------+---------+-------------+----------+
| Security Settings (/etc/default/cron) |
+---------+---------+-------------+----------+
| Item | Current | Recommended | Complies |
+---------+---------+-------------+----------+
| CRONLOG | YES | YES | Yes |
+---------+---------+-------------+----------+
+--------------------+----------+-------------+----------+
| Security Settings (/etc/default/keyserv) |
+--------------------+----------+-------------+----------+
| Item | Current | Recommended | Complies |
+--------------------+----------+-------------+----------+
| ENABLE_NOBODY_KEYS | NO | NO | Yes |
+--------------------+----------+-------------+----------+
+----------+---------------------+-------------+----------+
| Security Settings (/etc/default/telnetd) |
+----------+---------------------+-------------+----------+
| Item | Current | Recommended | Complies |
+----------+---------------------+-------------+----------+
| BANNER | "AuthorizedUseOnly" | /etc/issue | *No* |
+----------+---------------------+-------------+----------+
+---------------+----------+-------------+----------+
| Security Settings (/etc/default/power) |
+---------------+----------+-------------+----------+
| Item | Current | Recommended | Complies |
+---------------+----------+-------------+----------+
| PMCHANGEPERM | - | - | Yes |
| CPRCHANGEPERM | - | - | Yes |
+---------------+----------+-------------+----------+
+-----------+-----------+-------------+-----------+
| Security Settings (/etc/default/sys-suspend) |
+-----------+-----------+-------------+-----------+
| Item | Current | Recommended | Complies |
+-----------+-----------+-------------+-----------+
| PERMS | - | - | Yes |
+-----------+-----------+-------------+-----------+
+-------------------------+------------------+-------------+----------+
| Security Settings (/etc/ssh/sshd_config) |
+-------------------------+------------------+-------------+----------+
| Item | Current | Recommended | Complies |
+-------------------------+------------------+-------------+----------+
| Protocol | 2 | 2 | Yes |
| X11Forwarding | yes | no | *No* |
| MaxAuthTries | N/A | 3 | *No* |
| MaxAuthTriesLog | N/A | 0 | *No* |
| RhostsAuthentication | no | no | Yes |
| IgnoreRhosts | yes | yes | Yes |
| StrictModes | yes | yes | Yes |
| AllowTcpForwarding | no | no | Yes |
| ServerKeyBits | 768 | 1024 | *No* |
| GatewayPorts | no | no | Yes |
| RhostsRSAAuthentication | no | no | Yes |
| PermitRootLogin | without-password | no | *No* |
| PermitRootLogin | no | no | Yes |
| PermitEmptyPasswords | no | no | Yes |
| PermitUserEnvironment | N/A | no | *No* |
| HostbasedAuthentication | N/A | no | *No* |
| Banner | /etc/issue | /etc/issue | Yes |
| PrintMotd | no | no | Yes |
| ClientAliveInterval | N/A | 300 | *No* |
| ClientAliveCountMax | N/A | 0 | *No* |
| LogLevel | info | VERBOSE | *No* |
| RSAAuthentication | yes | no | *No* |
| UsePrivilegeSeparation | N/A | yes | *No* |
| LoginGraceTime | 600 | 120 | *No* |
| ServerKeyBits | 768 | 1024 | *No* |
+-------------------------+------------------+-------------+----------+
+---------------------------+---------+-------------+----------+
| Security Settings (/etc/system) |
+---------------------------+---------+-------------+----------+
| Item | Current | Recommended | Complies |
+---------------------------+---------+-------------+----------+
| set nfssrv:nfs_portmon | 1 | 1 | Yes |
| set noexec_user_stack_log | 1 | 1 | Yes |
| set noexec_user_stack | 1 | 1 | Yes |
| set noexec_user_stack | 1 | 1 | Yes |
+---------------------------+---------+-------------+----------+
No CUPS SNMP information available
+-------------+----------+-------------+----------+
| Security Settings (/etc/inetd.conf) |
+-------------+----------+-------------+----------+
| Service | Current | Recommended | Complies |
+-------------+----------+-------------+----------+
| 100235/1 | Disabled | N/A | N/A |
| tftp | Disabled | Disabled | *Yes* |
| bpcd | Enabled | N/A | N/A |
| vnetd | Enabled | N/A | N/A |
| vopied | Enabled | N/A | N/A |
| bpjava-msvc | Enabled | N/A | N/A |
+-------------+----------+-------------+----------+