Here are the contents of the slides on securing a Solaris host, from my Advanced Topics in Systems Administration Tutorial. Comments welcome. Sorry about the (lack of) formatting.
First, physically secure the hardware.

Use the most recent appropriate release of Solaris.

Secure the EEPROM:
    ok setenv security=
        none    - default
        command - only "b" and "c" commands allowed, no arguments
        full    - only "c" command allowed, reboot requires password

Check and reset the EEPROM bad login count:
    eeprom security-#badlogins
    eeprom security-#badlogins=0

Secure from remote root telnet: uncomment "CONSOLE" in /etc/default/login.

Disable keyboard abort in /etc/default/kbd:
    KEYBOARD_ABORT=disabled
But now a power cycle is needed to reset the system.

Secure from remote ftp: /etc/ftpusers (Solaris 10: /etc/ftpd/ftpusers).

Disable r* daemons if possible in /etc/inetd.conf.

Install the latest patch cluster. Monitor for new patches!

root must run nothing from directories not owned by root and in root's groups.
Use fix-modes: most directories should be owned by root. If root runs programs
from a dir, the dir should be owned by root (with group and perms correct).
    http://www.fwi.uva.nl/pub/comp/solaris/fix-modes.tar.gz

pkgrm Sun sendmail and install Berkeley sendmail, smap, smtpd (from
www.obtuse.com), qmail, exim or postfix (vmail) (and bind!).

Disable sendmail as a daemon if possible.

Disable all unused daemons in /etc/inetd.conf.

Rename all unneeded startup files in /etc/rc2.d and /etc/rc3.d.

Replace bind with a better version.

Put "NP" in the password field of all non-login accounts ("sys", "uucp", etc).

Disable automount by renaming /etc/auto_*.

Disable NFS by renaming /etc/rc3.d/S15nfs.server and /etc/rc2.d/S73nfs.client.

Disable routing by force via the last line of /etc/init.d/inetinit:
    ndd -set /dev/ip ip_forwarding 0
    touch /etc/notrouter    (>= Solaris 2.5.1)

Enable authentication info logging in /etc/syslog.conf by uncommenting the
"auth.notice" lines:
    pkill -HUP syslogd
    touch /var/adm/loginlog
    chmod 0600 /var/adm/loginlog
    chown root:sys /var/adm/loginlog

Review all cron and at jobs; disable all unnecessary ones.

Use static routes when possible.

Remove setuid functionality from /tmp in /etc/vfstab.

Mount filesystems read-only, nosuid, noexec where possible.
Solaris < 8: edit /etc/rmmount.conf to add "nosuid" options to mount commands.

Use the passmgmt command to disable unneeded accounts (smtp, nuucp, listen, etc).

Install useful security tools:
    tcp-wrappers - protect tcp daemons
    tiger        - host security scanner
    titan        - host security tightener
    crack        - password cracker
    ssh          - secure remote shell
    sudo         - root-task limits and logging
    saint        - network security scanner

Solaris < 8: fix the default startup umask:
    echo "umask 022" > /etc/init.d/umask.sh
    chmod 744 /etc/init.d/umask.sh
    chgrp sys /etc/init.d/umask.sh
    for d in /etc/rc?.d; do ln /etc/init.d/umask.sh $d/S00umask.sh; done

Edit /etc/issue to include a legal system-use warning.

Comment out the "rlogin" and "rsh" lines from /etc/pam.conf. Carefully!

Consider network security tools such as SunScreen and SunScreen Lite:
    SunScreen Lite is free and runs on Solaris 8; limited to 2 network interfaces.
    SunScreen is free with Solaris 9.
    Or ipfilter for Solaris >= 2.3.

Make TCP sequence prediction attacks more difficult by editing
/etc/default/inetinit:
    TCP_STRONG_ISS=2

Use nscd -g to review caching settings. Consider disabling caching of passwd,
group, hosts, but there is a performance impact.

Comment out the "mcastif" section of /etc/init.d/inetsvc unless participating
in multicast. Other removable sections include dhcp and named if not used.

If using telnet and ftp, change /etc/default/telnetd and ftpd to have a generic
banner. Also, can change the sendmail banner in /etc/sendmail.cf.

Peter Baer Galvin
CTO, Corporate Technologies
www.cptech.com / pbg at cptech.com
781 791 2112
www.petergalvin.info

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Edward Ned Harvey
Sent: Wednesday, June 09, 2004 9:37 AM
To: BBLISA
Subject: [BBLISA] Hardening Solaris

I've got to configure an outward facing Solaris box for smtp. Of course I have
sunsolve, and have looked through there to look up their recommendations for
hardening the box, but I wonder if any of you's can suggest some documentation
for me to keep this solaris box secure.

Thanks in advance.

_______________________________________________
bblisa mailing list
[EMAIL PROTECTED]
http://www.bblisa.org/mailman/listinfo/bblisa
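As an added example (not part of the original post and not Peter Galvin's slide material), here is a small POSIX sh script that audits a few of the checklist items above: the uncommented CONSOLE line in /etc/default/login, TCP_STRONG_ISS in /etc/default/inetinit, KEYBOARD_ABORT in /etc/default/kbd, which inetd.conf services are still enabled, whether the named non-login accounts are locked with NP or *LK*, and whether loginlog is mode 0600. File paths are passed as arguments so the functions can be pointed at the real /etc files on a Solaris host; the function names are mine, and the files written by make_sample_etc are constructed samples, not copied from any real system.

```shell
#!/bin/sh
# Added example, not from the original post: audit helpers for a few items in
# the Solaris hardening checklist. Function names are assumptions of this
# example; the sample files built by make_sample_etc are constructed data.

# setting_active FILE KEY [VALUE]
# Succeeds if FILE has an uncommented line KEY=VALUE (any value when VALUE is
# omitted). Only the last uncommented occurrence counts, which is what the
# /etc/default/* readers effectively see.
setting_active() {
    _line=$(grep "^$2=" "$1" 2>/dev/null | sed -n '$p')
    [ -n "$_line" ] || return 1
    [ $# -lt 3 ] && return 0
    _val=$(printf '%s\n' "$_line" | sed 's/^[^=]*=//; s/[[:space:]]*$//')
    [ "$_val" = "$3" ]
}

# enabled_inetd_services FILE
# Prints the service names still enabled in an inetd.conf (uncommented,
# non-blank lines), one per line, for review against what the host needs.
enabled_inetd_services() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' | awk '{print $1}'
}

# unlocked_accounts SHADOW_FILE NAME...
# Prints each NAME whose password field in SHADOW_FILE is neither NP nor
# *LK*-prefixed (an empty field or an absent account is also reported).
# On Solaris the password field lives in /etc/shadow, not /etc/passwd.
unlocked_accounts() {
    _shadow=$1; shift
    for _name in "$@"; do
        _pw=$(awk -F: -v n="$_name" '$1 == n {print $2}' "$_shadow")
        case "$_pw" in
            NP|\*LK\**) ;;                 # locked: nothing to report
            *) printf '%s\n' "$_name" ;;
        esac
    done
}

# loginlog_mode_ok FILE
# Succeeds if FILE exists with mode 0600, as the checklist sets for
# /var/adm/loginlog. ls output is parsed because stat(1) is absent on older
# Solaris releases.
loginlog_mode_ok() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c2-10)" = "rw-------" ]
}

# make_sample_etc DIR
# Writes constructed sample files under DIR so the checks can run offline.
# The TCP_STRONG_ISS value and the listen/nuucp entries are deliberately weak.
make_sample_etc() {
    mkdir -p "$1"
    printf '# CONSOLE=/dev/console\nCONSOLE=/dev/console\nPASSREQ=YES\n' > "$1/login"
    printf 'TCP_STRONG_ISS=1\n' > "$1/inetinit"
    printf 'KEYBOARD_ABORT=disabled\n' > "$1/kbd"
    {
        printf '#ftp stream tcp nowait root /usr/sbin/in.ftpd in.ftpd\n'
        printf 'telnet stream tcp nowait root /usr/sbin/in.telnetd in.telnetd\n'
        printf '#shell stream tcp nowait root /usr/sbin/in.rshd in.rshd\n'
    } > "$1/inetd.conf"
    {
        printf 'root:hashplaceholder:12000::::::\n'
        printf 'sys:NP:6445::::::\n'
        printf 'uucp:*LK*:6445::::::\n'
        printf 'listen:z2Aq:6445::::::\n'
        printf 'nuucp::6445::::::\n'
    } > "$1/shadow"
    touch "$1/loginlog" && chmod 0600 "$1/loginlog"
}

# Run the checks against the constructed samples: sh thisfile.sh demo
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    make_sample_etc "$d"
    setting_active "$d/login" CONSOLE && echo "OK: root login restricted to console"
    setting_active "$d/inetinit" TCP_STRONG_ISS 2 || echo "WARN: TCP_STRONG_ISS is not 2"
    setting_active "$d/kbd" KEYBOARD_ABORT disabled && echo "OK: keyboard abort disabled"
    echo "inetd services still enabled:"; enabled_inetd_services "$d/inetd.conf"
    echo "non-login accounts not locked:"; unlocked_accounts "$d/shadow" sys uucp listen nuucp
    loginlog_mode_ok "$d/loginlog" && echo "OK: loginlog is mode 0600"
    rm -rf "$d"
fi
```

To audit a real host, call the functions with the real paths (for example `setting_active /etc/default/inetinit TCP_STRONG_ISS 2`) instead of the sample directory; the checks are read-only and change nothing.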
