[BBLISA] Hardening Solaris
Peter Baer Galvin
pbg at cptech.com
Wed Jun 9 10:23:18 EDT 2004
Here are the contents of the slides on securing a Solaris host, from my
Advanced Topics in Systems Administration Tutorial. Comments welcome. Sorry
about the (lack of) formatting.
First, physically secure the hardware
Use most recent, appropriate release of Solaris
Secure EEPROM
  ok setenv security=
    none - default
    command - only "b" and "c" commands allowed, no arguments
    full - only "c" command allowed, reboot requires password
Check and reset EEPROM bad login count
  eeprom security-#badlogins
  eeprom security-#badlogins=0
Secure from remote root telnet
  Uncomment "CONSOLE" of /etc/default/login
Disable keyboard abort
  /etc/default/kbd: KEYBOARD_ABORT=disabled
  But now powercycle needed to reset system
Secure from remote ftp
  /etc/ftpusers (Solaris 10 /etc/ftpd/ftpusers)
Disable r* daemons if possible
  /etc/inetd.conf
Install latest patch cluster
  Monitor for new patches!
root must run nothing from directories not owned by root and in root's groups
Use fix-modes
  most directories should be owned by root
  If root runs programs from a dir, dir should be owned by root (with group and perms correct)
  http://www.fwi.uva.nl/pub/comp/solaris/fix-modes.tar.gz
pkgrm Sun sendmail and install Berkeley sendmail, smap, smtpd (from www.obtuse.com), qmail, exim or postfix (vmail) (and bind!)
Disable sendmail as a daemon if possible
Disable all unused daemons in /etc/inetd.conf
Rename all unneeded startup files in /etc/rc2.d and /etc/rc3.d
Replace bind with a better version
Put "NP" in password field of all non-login accounts ("sys", "uucp", etc)
Disable automount by renaming /etc/auto_*
Disable NFS by renaming /etc/rc3.d/S15nfs.server and /etc/rc2.d/S73nfs.client
Disable routing by force via
  At last line of /etc/init.d/inetinit
    ndd -set /dev/ip ip_forwarding 0
  touch /etc/notrouter (>=Solaris 2.5.1)
Enable authentication info logging in /etc/syslog.conf
  uncommenting "auth.notice" lines
  pkill -HUP syslogd
  touch /var/adm/loginlog
  chmod 0600 /var/adm/loginlog
  chown root:sys /var/adm/loginlog
Review all cron and at jobs, disable all unnecessary
Use static routes when possible
Remove setuid functionality from /tmp in /etc/vfstab
Mount filesystem read-only, no-setuid, noexec where possible
Solaris < 8, edit /etc/rmmount.conf to add "nosuid" options to mount commands
Use passmgmt command to disable unneeded accounts (smtp, nuucp, listen, etc)
Install useful security tools:
  tcp-wrappers - protect tcp daemons
  tiger - host security scanner
  titan - host security tightener
  crack - password cracker
  ssh - secure remote shell
  sudo - root-task limits and logging
  saint - network security scanner
Solaris < 8, fix default startup umask:
  echo "umask 022" > /etc/init.d/umask.sh
  chmod 744 /etc/init.d/umask.sh
  chgrp sys /etc/init.d/umask.sh
  # link the script as the first S script of every run level
  for d in /etc/rc?.d; do
      ln /etc/init.d/umask.sh $d/S00umask.sh
  done
Edit /etc/issue to include legal system-use warning
Comment out the "rlogin" and "rsh" lines from /etc/pam.conf
  Carefully!
Consider network security tools such as SunScreen and SunScreen Lite
  SunScreen Lite is free and runs on Solaris 8
    Limited to 2 network interfaces
  SunScreen is free with Solaris 9
  Or ipfilter for Solaris >= 2.3
Make TCP Sequence Prediction Attacks more difficult by editing /etc/default/inetinit: TCP_STRONG_ISS=2
Use nscd -g to review caching settings
  Consider disabling caching of passwd, group, hosts
    But performance impact
Comment out "mcastif" section of /etc/init.d/inetsvc unless participating in multicast
  Other removable sections include dhcp and named if not used
If using telnet and ftp, change /etc/default/telnetd and ftpd to have a generic banner
  Also, can change the sendmail banner in /etc/sendmail.cf
Peter Baer Galvin
CTO, Corporate Technologies
www.cptech.com / pbg at cptech.com
781 791 2112
www.petergalvin.info
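As an added example (not part of the post or the slides above), a POSIX sh script that audits a handful of the file-based settings listed in the slides against a Solaris root tree: keyboard abort, console-only root login, TCP_STRONG_ISS, /etc/notrouter, nosuid on /tmp, the loginlog mode, and locked system accounts. It assumes the plain KEY=value form of /etc/default/* and the standard seven-field /etc/vfstab; the live ndd setting is not covered, and the audited root (default /) is an assumption you can point at a mounted copy.

```shell
#!/bin/sh
# Added example, not from the slides above: audit some of the listed settings
# against a Solaris root tree (default /). Assumes the plain KEY=value form of
# /etc/default/* and the standard 7-field /etc/vfstab; run as root on a live box.

# has_setting FILE KEY VALUE: true if FILE has an uncommented line KEY=VALUE
has_setting() {
    grep -q "^[[:space:]]*$2=$3[[:space:]]*$" "$1" 2>/dev/null
}

# tmp_nosuid VFSTAB: the /tmp entry carries nosuid in its mount options
tmp_nosuid() {
    awk '$1 !~ /^#/ && $3 == "/tmp" && $7 ~ /nosuid/ { found = 1 }
         END { exit (found ? 0 : 1) }' "$1" 2>/dev/null
}

# loginlog_ok FILE: file exists with mode exactly 0600 (ownership not checked)
loginlog_ok() {
    [ -n "$(find "$1" -type f -perm 600 2>/dev/null)" ]
}

# accounts_locked SHADOW: listed non-login accounts have NP or *LK* as their hash
accounts_locked() {
    awk -F: '$1 ~ /^(sys|uucp|nuucp|smtp|listen)$/ && $2 != "NP" && $2 != "*LK*" { bad = 1 }
             END { exit (bad ? 1 : 0) }' "$1" 2>/dev/null
}

# check TEXT CMD...: run CMD, print OK/FAIL with TEXT, count failures in $fails
check() {
    text=$1; shift
    if "$@"; then printf 'OK    %s\n' "$text"
    else printf 'FAIL  %s\n' "$text"; fails=$((fails + 1)); fi
}

# audit_tree [ROOT]: run every check; the return value is the number of failures
audit_tree() {
    r=${1:-}
    fails=0
    check "keyboard abort disabled (/etc/default/kbd)"      has_setting "$r/etc/default/kbd" KEYBOARD_ABORT disabled
    check "root login on console only (/etc/default/login)" has_setting "$r/etc/default/login" CONSOLE /dev/console
    check "strong TCP ISS (/etc/default/inetinit)"          has_setting "$r/etc/default/inetinit" TCP_STRONG_ISS 2
    check "IP forwarding off at boot (/etc/notrouter)"      test -f "$r/etc/notrouter"
    check "/tmp mounted nosuid (/etc/vfstab)"               tmp_nosuid "$r/etc/vfstab"
    check "loginlog present, mode 0600 (/var/adm/loginlog)" loginlog_ok "$r/var/adm/loginlog"
    check "system accounts locked (/etc/shadow)"            accounts_locked "$r/etc/shadow"
    return $fails
}

# Stand-alone use: audit this host (or a mounted root given as $1)
audit_tree "${1:-}" || echo "$? check(s) failed"
```

A commented-out CONSOLE line and a system account with a real hash each count as one failure, so the exit status doubles as a quick pass/fail for a post-build check.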
-----Original Message-----
From: bblisa-bounces at bblisa.org [mailto:bblisa-bounces at bblisa.org] On Behalf
Of Edward Ned Harvey
Sent: Wednesday, June 09, 2004 9:37 AM
To: BBLISA
Subject: [BBLISA] Hardening Solaris
I've got to configure an outward facing Solaris box for smtp.
Of course I have sunsolve, and have looked through there to look up
their recommendations for hardening the box, but I wonder if any of
you's can suggest some documentation for me to keep this solaris box
secure.
Thanks in advance.