
Application Readiness Service for Sun Fire 12K/15K

Sun Proprietary and Confidential: Need to Know Security

Application Readiness Service for Sun Fire 12K/15K: Sun Fire 12K/15K Security

Security

Page 1 of 36 Copyright 2001 Sun Microsystems, Inc. All rights reserved.

February 27, 2002


Table of Contents
1. Introduction ... 3
1.1. Legal Disclaimer ... 3
1.2. Security Customization ... 3
1.2.1. System Controller Security Options ... 3
1.2.2. Domain Security Options ... 3
1.3. Disabled Services/Applications/Scripts ... 4
1.4. Common Changes ... 4
1.4.1. /etc/dt/config/Xaccess ... 4
1.4.2. /etc/default/sendmail ... 4
1.4.3. /etc/nsswitch.conf ... 4
1.5. Solaris Security Toolkit Sample Output ... 5
1.6. Solaris Security Toolkit Steps ... 5
1.7. Solaris Security Toolkit File Content ... 9
1.7.1. /etc/issue and /etc/motd ... 9
1.7.2. /etc/notrouter ... 10
1.7.3. /etc/nsswitch.conf ... 10
1.7.4. /etc/syslog.conf ... 10
1.7.5. /etc/default/sendmail ... 10
1.7.6. /etc/dt/config/Xaccess ... 11
1.7.7. /etc/init.d/nddconfig and /etc/rc2.d/S70nddconfig ... 12
1.7.8. set-tmp-permissions scripts ... 19
1.7.9. /etc/init.d/inetsvc ... 20
1.7.10. /etc/inet/inetd.conf ... 20
1.7.11. /etc/init.d/nddconfig ... 21
1.7.12. /dev/ip qfe0:ip_forwarding (note: domains only) ... 22
Appendix A: Solaris Security Toolkit Sample Output ... 23


1. Introduction
This document provides information about the methods used to increase the security of the Sun Fire 12K/15K (it is applicable to either platform) during the delivery of the Application Readiness Service (ARS) for the Sun Fire 12K/15K. The security methods used in the delivery of this service conform with Sun's recommended practices. During the delivery of this service, OpenSSH for Solaris (secure shell, often abbreviated as ssh) is installed and configured. In addition, the Solaris Security Toolkit[1] (Toolkit), formerly known as JASS (JumpStart Architecture and Security Scripts), is installed and used to increase the security of the Sun Fire 12K/15K. More information on security for the Sun Fire 12K/15K can be found at http://www.sun.com/blueprints/1101/sunfire15k.html. More information about the Solaris Security Toolkit can be found at http://www.sun.com/security/jass/.

The purpose of this document is to provide the information necessary to assess the impact of using the Toolkit. This document provides a "representative" set of commands as executed by the Toolkit, as well as "representative" output captured from the use of the Toolkit. The output from the Toolkit, as executed on the Sun Fire 15K, will be provided as a part of the ARS for the Sun Fire 12K/15K. This output is also applicable to Sun Fire 12K platforms. This information is not guaranteed to be accurate because the Toolkit may change over time due to changes in the Sun Fire 12K/15K platform, changes in Solaris, or general improvements in the Toolkit. This document also provides the "representative" content of the files supplied by the Toolkit, so that it can be assessed by potential users of the Toolkit and adjusted after the delivery of the service. The content of the files that are modified by the Toolkit is not supplied in this document, but it can be determined by examining the output of the Toolkit after it has been used.

It is important to note that the ARS for the Sun Fire 12K/15K does not include modification of the content of these files by Sun during the delivery of the service. A list of disabled applications, services, and scripts is provided in this document, along with the files which are commonly considered candidates for change subsequent to use of the Toolkit.

1.1. Legal Disclaimer


This document contains Sun intellectual property and Sun confidential information, especially trade secrets, and is covered as a Service Item by assumption #10 in the Statement of Work for the Application Readiness Service for the Sun Fire 12K/15K.

1.2. Security Customization


The following choices are available to customize the platform hardening of the Sun Fire 12K/15K. Any customization beyond the options below is beyond the scope of the ARS service.

1.2.1. System Controller Security Options

The following is the only available option when implementing the security hardening of the Sun Fire 12K/15K system controllers.

Telnet - Available only when telnet is the only available protocol that can be used to establish an interactive session to the system controller.

1.2.2. Domain Security Options

The following options are available when implementing the security hardening of the Sun Fire 12K/15K domains.

Telnet - Available only when telnet is the only available protocol that can be used to establish an interactive session to the domain.
NFS Client - Recommended for domain configurations that require NFS client services to start automatically during the multi-user stage of system boot.
RPC - Recommended when the domain configuration requires RPC services to start automatically during the multi-user stage of system boot.
RPC/NFS Server - Recommended when the domain configuration requires RPC and NFS server services to start automatically during the multi-user stage of system boot.

Note: Any option may be combined with any other, except for the RPC and RPC/NFS Server options, which are mutually exclusive.

[1] The Solaris Security Toolkit is not a traditional Sun(TM) product, and as such, is not supported by Sun Microsystems. However, any resulting configuration of the Solaris Operating Environment after using the Toolkit is supported.

1.3. Disabled Services/Applications/Scripts


The following services, applications, and scripts are disabled by the Toolkit without selecting any of the options. Selection of one or more options (such as selecting the option for NFS Client services) may modify the list of disabled services, applications, and scripts.
1. The Apache web server shipped with Solaris OE 8.
2. Asynchronous PPP (asppp).
3. Solaris scripts used to re-initialize or re-install the system, including S30sysid.net, S71sysid.sys, and S72autoinstall.
4. The automounter.
5. The DHCP server included in Solaris OE version 8.
6. Sun Solstice Enterprise DMI Service Provider and Sun Solstice Enterprise SNMPDMI mapper subagent.
7. The Common Desktop Environment.
8. The LDAP client daemons included with Solaris OE version 8.
9. lp services.
10. Mobile IP (MIP) agents included in Solaris OE version 8.
11. NFS client.
12. NFS server.
13. The Platform Information and Control Library (PICL) server.
14. The auto power shutdown option.
15. rhosts authentication for rlogin and rsh.
16. Remote Procedure Calls (RPC).
17. The sendmail daemon.
18. Service Location Protocol (SLP).
19. The default Solaris OE SNMP daemons.
20. SunSoft Print Client.
21. UUCP.
22. Volume management service.
23. Web Based Enterprise Management (WBEM) daemons.

1.4. Common Changes


Files which are commonly considered as candidates for change, subsequent to use of the Toolkit, are identified in this section of the document.

1.4.1. /etc/dt/config/Xaccess

This file disables all remote access, whether directed or broadcast, to any X server running on this system. If your use of the system requires that users have remote access to an X server running on your Sun Fire 12K/15K domain or system controller, you will need to remove this file, or edit the contents of the file to match your specific requirements.

1.4.2. /etc/default/sendmail

This script disables the sendmail daemon startup and shutdown scripts, and adds an entry to the cron subsystem which executes sendmail once an hour. This method of purging outgoing mail is more secure than having the daemon running continually. Removing or editing of the /etc/default/sendmail file may be necessary to meet your requirements.

1.4.3. /etc/nsswitch.conf

It may be necessary to edit the contents of this file, or replace it, if your name service requirements differ from those enabled by the file provided through the Toolkit.

1.5. Solaris Security Toolkit Steps


The following table provides a "representative" set of steps as executed by the Toolkit. Notice that backup copies of a number of files are made. This enables the Toolkit to have a limited "undo" capability. Removal of these file copies is discouraged since it will eliminate the limited "undo" ability of the Toolkit.
# Step
1 Copy /etc/profile to /etc/profile.JASS.DATE-OF-EXECUTION
2 Add default terminal type (vt100) to /etc/profile.
3 Copy /etc/.login to /etc/.login.JASS.DATE-OF-EXECUTION
4 Add default terminal type (vt100) to /etc/.login.
5 Copy /etc/dt/config/Xaccess from /opt/SUNWjass/Files/etc/dt/config/Xaccess.
6 Copy /etc/init.d/inetsvc to /etc/init.d/inetsvc.JASS.DATE-OF-EXECUTION
7 Copy /etc/init.d/inetsvc from /opt/SUNWjass/Files/etc/init.d/inetsvc.
8 Copy /etc/init.d/nddconfig from /opt/SUNWjass/Files/etc/init.d/nddconfig.
9 Copy /etc/init.d/set-tmp-permissions from /opt/SUNWjass/Files/etc/init.d/set-tmp-permissions.
10 Copy /etc/issue from /opt/SUNWjass/Files/etc/issue.
11 Copy /etc/motd to /etc/motd.JASS.DATE-OF-EXECUTION
12 Copy /etc/motd from /opt/SUNWjass/Files/etc/motd.
13 Copy /etc/notrouter from /opt/SUNWjass/Files/etc/notrouter.
14 Copy /etc/nsswitch.conf to /etc/nsswitch.conf.JASS.DATE-OF-EXECUTION
15 Copy /etc/nsswitch.conf from /opt/SUNWjass/Files/etc/nsswitch.conf.
16 Link /etc/rc2.d/S00set-tmp-permissions from /opt/SUNWjass/Files/etc/rc2.d/S00set-tmp-permissions.
17 Link /etc/rc2.d/S07set-tmp-permissions from /opt/SUNWjass/Files/etc/rc2.d/S07set-tmp-permissions.
18 Link /etc/rc2.d/S70nddconfig from /opt/SUNWjass/Files/etc/rc2.d/S70nddconfig.
19 Rename /etc/rc3.d/S50apache to /etc/rc3.d/_S50apache.JASS.DATE-OF-EXECUTION
20 Rename /etc/rc2.d/S47asppp to /etc/rc2.d/_S47asppp.JASS.DATE-OF-EXECUTION
21 Rename /etc/rc2.d/S30sysid.net to /etc/rc2.d/_S30sysid.net.JASS.DATE-OF-EXECUTION
22 Rename /etc/rc2.d/S71sysid.sys to /etc/rc2.d/_S71sysid.sys.JASS.DATE-OF-EXECUTION
23 Rename /etc/rc2.d/S72autoinstall to /etc/rc2.d/_S72autoinstall.JASS.DATE-OF-EXECUTION
24 Rename /etc/rc2.d/S74autofs to /etc/rc2.d/_S74autofs.JASS.DATE-OF-EXECUTION
25 Rename /etc/rc3.d/S34dhcp to /etc/rc3.d/_S34dhcp.JASS.DATE-OF-EXECUTION
26 Rename /etc/rc3.d/S77dmi to /etc/rc3.d/_S77dmi.JASS.DATE-OF-EXECUTION
27 Rename /etc/rc2.d/S99dtlogin to /etc/rc2.d/_S99dtlogin.JASS.DATE-OF-EXECUTION
28 Copy /etc/init.d/rpc to /etc/init.d/rpc.JASS.DATE-OF-EXECUTION
29 Add the -d option to /usr/sbin/keyserv in /etc/init.d/rpc.
30 Rename /etc/rc2.d/S71ldap.client to /etc/rc2.d/_S71ldap.client.JASS.DATE-OF-EXECUTION
31 Rename /etc/rc2.d/S80lp to /etc/rc2.d/_S80lp.JASS.DATE-OF-EXECUTION
32 Copy /etc/cron.d/cron.deny to /etc/cron.d/cron.deny.JASS.DATE-OF-EXECUTION
33 Add the lp account to the cron.deny file.
34 Create backup directory /var/spool/cron/crontabs.JASS
35 Move /var/spool/cron/crontabs/lp to /var/spool/cron/crontabs.JASS/lp.JASS.DATE-OF-EXECUTION
36 Rename /etc/rc3.d/S80mipagent to /etc/rc3.d/_S80mipagent.JASS.DATE-OF-EXECUTION
37 Rename /etc/rc2.d/S73nfs.client to /etc/rc2.d/_S73nfs.client.JASS.DATE-OF-EXECUTION
38 Rename /etc/rc3.d/S15nfs.server to /etc/rc3.d/_S15nfs.server.JASS.DATE-OF-EXECUTION
39 Copy /etc/nscd.conf to /etc/nscd.conf.JASS.DATE-OF-EXECUTION
40 Add enable-cache no for the passwd, group and hosts entries.

41 Rename /etc/rcS.d/S95picld to /etc/rcS.d/_S95picld.JASS.DATE-OF-EXECUTION
42 Disable PRESERVE startup and shutdown scripts
43 Rename /etc/rc2.d/S80PRESERVE to /etc/rc2.d/_S80PRESERVE.JASS.DATE-OF-EXECUTION
44 Disable power management startup and shutdown scripts
45 Rename /etc/rc2.d/S85power to /etc/rc2.d/_S85power.JASS.DATE-OF-EXECUTION
46 Create /noautoshutdown file to disable power management
47 Copy /etc/default/sendmail from /opt/SUNWjass/Files/etc/default/sendmail.
48 Rename /etc/rc2.d/S72slpd to /etc/rc2.d/_S72slpd.JASS.DATE-OF-EXECUTION
49 Rename /etc/rc3.d/S76snmpdx to /etc/rc3.d/_S76snmpdx.JASS.DATE-OF-EXECUTION
50 Rename /etc/rc2.d/S80spc to /etc/rc2.d/_S80spc.JASS.DATE-OF-EXECUTION
51 Copy /sbin/noshell from /opt/SUNWjass/Files/sbin/noshell.
52 Copy /etc/passwd to /etc/passwd.JASS.DATE-OF-EXECUTION
53 Disable account daemon.
54 Disable account bin.
55 Disable account adm.
56 Disable account lp.
57 Disable account uucp.
58 Disable account nuucp.
59 Disable account nobody.
60 Disable account listen.
61 Disable account noaccess.
62 Disable account nobody4.
63 Rename /etc/rc2.d/S70uucp to /etc/rc2.d/_S70uucp.JASS.DATE-OF-EXECUTION
64 Remove the nuucp system account
65 Copy /etc/passwd to /etc/passwd.JASS.DATE-OF-EXECUTION
66 Copy /etc/shadow to /etc/shadow.JASS.DATE-OF-EXECUTION
67 Move /var/spool/cron/crontabs/uucp to /var/spool/cron/crontabs.JASS/uucp.JASS.DATE-OF-EXECUTION
68 Rename /etc/rc2.d/S92volmgt to /etc/rc2.d/_S92volmgt.JASS.DATE-OF-EXECUTION
69 Rename /etc/rc2.d/S90wbem to /etc/rc2.d/_S90wbem.JASS.DATE-OF-EXECUTION
70 Copy /etc/inet/inetd.conf to /etc/inet/inetd.conf.JASS.DATE-OF-EXECUTION
71 Add the -l option to /usr/sbin/in.ftpd in /etc/inet/inetd.conf.
72 Copy /etc/system to /etc/system.JASS.DATE-OF-EXECUTION
73 Add set nfssrv:nfs_portmon=1 to /etc/system.
74 Copy /etc/default/inetinit to /etc/default/inetinit.JASS.DATE-OF-EXECUTION
75 Set TCP_STRONG_ISS to 2 in /etc/default/inetinit.
76 Enable kernel-level stack protections and logging.
77 Copy /etc/system to /etc/system.JASS.DATE-OF-EXECUTION
78 Add set noexec_user_stack=1 to /etc/system.
79 Add set noexec_user_stack_log=1 to /etc/system.
80 Updating at facility access controls (at.allow)
81 Copy /etc/ftpusers to /etc/ftpusers.JASS.DATE-OF-EXECUTION
82 Add sms-codd to /etc/ftpusers.
83 Add sms-dca to /etc/ftpusers.
84 Add sms-dsmd to /etc/ftpusers.
85 Add sms-dxs to /etc/ftpusers.
86 Add sms-efe to /etc/ftpusers.
87 Add sms-esmd to /etc/ftpusers.
88 Add sms-fomd to /etc/ftpusers.
89 Add sms-frad to /etc/ftpusers.
90 Add sms-osd to /etc/ftpusers.

91 Add sms-pcd to /etc/ftpusers.
92 Add sms-tmd to /etc/ftpusers.
93 Add sms-svc to /etc/ftpusers.
94 Create the /var/adm/loginlog file.

95 Copy /etc/inet/inetd.conf to /etc/inet/inetd.conf.JASS.DATE-OF-EXECUTION
96 Copy /etc/shells to /etc/shells.JASS.DATE-OF-EXECUTION
97 Add /usr/bin/sh to /etc/shells.
98 Add /usr/bin/csh to /etc/shells.
99 Add /usr/bin/ksh to /etc/shells.
100 Add /usr/bin/jsh to /etc/shells.
101 Add /bin/sh to /etc/shells.
102 Add /bin/csh to /etc/shells.
103 Add /bin/ksh to /etc/shells.
104 Add /bin/jsh to /etc/shells.
105 Add /sbin/sh to /etc/shells.
106 Add /sbin/jsh to /etc/shells.
107 Add /bin/bash to /etc/shells.
108 Add /bin/pfcsh to /etc/shells.
109 Add /bin/pfksh to /etc/shells.
110 Add /bin/pfsh to /etc/shells.
111 Add /bin/tcsh to /etc/shells.
112 Add /bin/zsh to /etc/shells.
113 Add /usr/bin/bash to /etc/shells.
114 Add /usr/bin/pfcsh to /etc/shells.
115 Add /usr/bin/pfksh to /etc/shells.
116 Add /usr/bin/pfsh to /etc/shells.
117 Add /usr/bin/tcsh to /etc/shells.
118 Add /usr/bin/zsh to /etc/shells.
119 Copy /etc/passwd to /etc/passwd.JASS.DATE-OF-EXECUTION
120 Copy /etc/shadow to /etc/shadow.JASS.DATE-OF-EXECUTION
121 Remove the account listen from the system.
122 Remove the account nobody4 from the system.
123 Copy /etc/default/ftpd to /etc/default/ftpd.JASS.DATE-OF-EXECUTION
124 Set BANNER to "Authorized Use Only" in /etc/default/ftpd.
125 Copy /etc/default/telnetd to /etc/default/telnetd.JASS.DATE-OF-EXECUTION
126 Set BANNER to "Authorized Use Only" in /etc/default/telnetd.
127 Copy /etc/default/ftpd to /etc/default/ftpd.JASS.DATE-OF-EXECUTION
128 Set UMASK to 22 in /etc/default/ftpd.
129 Copy /etc/default/login to /etc/default/login.JASS.DATE-OF-EXECUTION
130 Set RETRIES to 3 in /etc/default/login.
131 Copy /etc/default/power to /etc/default/power.JASS.DATE-OF-EXECUTION
132 Change PMCHANGEPERM setting from console-owner to -. in /etc/default/power
133 Change CPRCHANGEPERM setting from console-owner to -. in /etc/default/power
134 Copy /etc/default/sys-suspend to /etc/default/sys-suspend.JASS.DATE-OF-EXECUTION
135 Change PERMS setting from console-owner to -. in /etc/default/sys-suspend
136 Copy /etc/vfstab to /etc/vfstab.JASS.DATE-OF-EXECUTION
137 Set maximum /tmp filesystem size to be 512m
138 Copy /etc/default/passwd to /etc/default/passwd.JASS.DATE-OF-EXECUTION
139 Change MINWEEKS setting from NONE to 1
140 Change MAXWEEKS setting from NONE to 8
141 Change WARNWEEKS setting from NONE to 1
142 Change PASSLENGTH setting from 6 to 8

143 Set umask (UMASK) value to 22 in /etc/.login
144 Copy /etc/.login to /etc/.login.JASS.DATE-OF-EXECUTION
145 Copy /etc/skel/local.login to /etc/skel/local.login.JASS.DATE-OF-EXECUTION
146 Set umask (UMASK) value to 22 in /etc/skel/local.login
147 Copy /etc/skel/local.profile to /etc/skel/local.profile.JASS.DATE-OF-EXECUTION
148 Set umask (UMASK) value to 22 in /etc/skel/local.profile
149 Copy /etc/default/login to /etc/default/login.JASS.DATE-OF-EXECUTION
150 Set umask (UMASK) value to 22 in /etc/default/login
151 Copy /etc/cron.d/at.deny to /etc/cron.d/at.deny.JASS.DATE-OF-EXECUTION
152 Add root to /etc/cron.d/at.deny
153 Add sys to /etc/cron.d/at.deny
154 Add adm to /etc/cron.d/at.deny
155 Add lp to /etc/cron.d/at.deny
156 Add uucp to /etc/cron.d/at.deny
157 Add sms-codd to /etc/cron.d/at.deny
158 Add sms-dca to /etc/cron.d/at.deny
159 Add sms-dsmd to /etc/cron.d/at.deny
160 Add sms-dxs to /etc/cron.d/at.deny
161 Add sms-efe to /etc/cron.d/at.deny
162 Add sms-esmd to /etc/cron.d/at.deny
163 Add sms-fomd to /etc/cron.d/at.deny
164 Add sms-frad to /etc/cron.d/at.deny
165 Add sms-osd to /etc/cron.d/at.deny
166 Add sms-pcd to /etc/cron.d/at.deny
167 Add sms-tmd to /etc/cron.d/at.deny
168 Add sms-svc to /etc/cron.d/at.deny
169 Copy /etc/cron.d/cron.allow to /etc/cron.d/cron.allow.JASS.DATE-OF-EXECUTION
170 Add root to /etc/cron.d/cron.allow.
171 Copy /etc/cron.d/cron.deny to /etc/cron.d/cron.deny.JASS.DATE-OF-EXECUTION
172 Add sys to /etc/cron.d/cron.deny.
173 Add adm to /etc/cron.d/cron.deny.
174 Add uucp to /etc/cron.d/cron.deny.
175 Add sms-codd to /etc/cron.d/cron.deny.
176 Add sms-dca to /etc/cron.d/cron.deny.
177 Add sms-dsmd to /etc/cron.d/cron.deny.
178 Add sms-dxs to /etc/cron.d/cron.deny.
179 Add sms-efe to /etc/cron.d/cron.deny.
180 Add sms-esmd to /etc/cron.d/cron.deny.
181 Add sms-fomd to /etc/cron.d/cron.deny.
182 Add sms-frad to /etc/cron.d/cron.deny.
183 Add sms-osd to /etc/cron.d/cron.deny.
184 Add sms-pcd to /etc/cron.d/cron.deny.
185 Add sms-tmd to /etc/cron.d/cron.deny.
186 Add sms-svc to /etc/cron.d/cron.deny.
187 Copy /etc/cron.d/logchecker to /etc/cron.d/logchecker.JASS.DATE-OF-EXECUTION
188 Set the maximum size of the CRON facility log to 20480 from its previous value of 1024
189 Copy /etc/inet/inetd.conf to /etc/inet/inetd.conf.JASS.DATE-OF-EXECUTION
190 Disable service ftp (/usr/sbin/in.ftpd).
191 Disable service telnet (/usr/sbin/in.telnetd).
192 Disable service name (/usr/sbin/in.tnamed).
193 Disable service talk (/usr/sbin/in.talkd).
194 Disable service uucp (/usr/sbin/in.uucpd).

195 Disable service finger (/usr/sbin/in.fingerd).
196 Disable service rquotad (/usr/lib/nfs/rquotad).
197 Disable service rusersd (/usr/lib/netsvc/rusers/rpc.rusersd).
198 Disable service sprayd (/usr/lib/netsvc/spray/rpc.sprayd).
199 Disable service walld (/usr/lib/netsvc/rwall/rpc.rwalld).
200 Disable service comsat (/usr/sbin/in.comsat).
201 Disable service time (internal).
202 Disable service echo (internal).
203 Disable service discard (internal).
204 Disable service daytime (internal).
205 Disable service chargen (internal).
206 Disable service rstatd (/usr/lib/netsvc/rstat/rpc.rstatd).
207 Disable service 100068 (/usr/dt/bin/rpc.cmsd).
208 Disable service 100083 (/usr/dt/bin/rpc.ttdbserverd).
209 Disable service 100221 (/usr/openwin/bin/kcms_server).
210 Disable service fs (/usr/openwin/lib/fs.auto).
211 Disable service 100232 (/usr/sbin/sadmind).
212 Disable service 100235 (/usr/lib/fs/cachefs/cachefsd).
213 Disable service printer (/usr/lib/print/in.lpd).
214 Disable service 100234 (/usr/lib/gss/gssd).
215 Disable service dtspc (/usr/dt/bin/dtspcd).
216 Disable service 100146 (/usr/lib/security/amiserv).
217 Disable service 100147 (/usr/lib/security/amiserv).
218 Disable service 100150 (/usr/sbin/ocfserv).
219 Disable service 100134 (/usr/lib/krb5/ktkt_warnd).
220 Disable service 100229 (/usr/sbin/rpc.metad).
221 Disable service 100230 (/usr/sbin/rpc.metamhd).
222 Disable service 300326 (/platform/SUNWUltra-Enterprise-10000/lib/dr_daemon).
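The step list above follows two naming conventions: a disabled rc script is renamed with a leading underscore and a .JASS.DATE-OF-EXECUTION suffix, and a modified file keeps a copy of its original as file.JASS.DATE-OF-EXECUTION. The POSIX shell script below, an added example that is not part of the Toolkit or of the ARS deliverable, uses those conventions to report what was disabled, whether each backed-up file still differs from its backup, and the commands that would reverse a change (printed, never executed, since each one re-enables something the hardening turned off). The root-directory argument, the function names and the assumption that date suffixes sort in chronological order are the example's own.

```sh
#!/bin/sh
# jass_audit.sh: report what the Toolkit changed, using the naming conventions
# visible in the step list:
#   - a disabled rc script S<nn>name becomes _S<nn>name.JASS.<date>
#   - a modified file keeps its original as <file>.JASS.<date>
# Added example, not Toolkit code. ROOT (first argument, default /) is an
# assumed parameter so the same functions can be pointed at a test tree.

# Map a renamed script path back to its original path
# (/etc/rc2.d/_S47asppp.JASS.20020227 -> /etc/rc2.d/S47asppp).
jass_orig_name() {
    name=$(basename "$1")
    name=${name#_}                       # strip the leading underscore
    printf '%s/%s\n' "$(dirname "$1")" "${name%%.JASS.*}"
}

# Print the original path of every rc script JASS disabled under $ROOT/etc/rc*.d.
jass_disabled_scripts() {
    root=${1:-/}
    for f in "$root"/etc/rc*.d/_S*.JASS.*; do
        [ -e "$f" ] || continue          # no match leaves the literal pattern behind
        jass_orig_name "$f"
    done
}

# For every <file>.JASS.<date> backup under $ROOT/etc print "<status> <file>":
# modified (live file differs from the backup), unchanged (identical) or
# missing (live file gone). Renamed rc scripts are excluded; see above.
jass_backup_status() {
    root=${1:-/}
    find "$root/etc" -name '*.JASS.*' ! -name '_S*' 2>/dev/null |
    while read -r backup; do
        live=${backup%%.JASS.*}
        if [ ! -e "$live" ]; then
            status=missing
        elif cmp -s "$live" "$backup"; then
            status=unchanged
        else
            status=modified
        fi
        printf '%s %s\n' "$status" "$live"
    done
}

# Print, without executing, the commands that would reverse the Toolkit's
# changes: the limited "undo" the backups make possible. Review the output and
# run only the lines you need.
jass_undo_plan() {
    root=${1:-/}
    for f in "$root"/etc/rc*.d/_S*.JASS.*; do
        [ -e "$f" ] || continue
        printf "mv '%s' '%s'\n" "$f" "$(jass_orig_name "$f")"
    done
    # A file touched twice (e.g. /etc/passwd in steps 52 and 65) has several
    # backups; the oldest is the pre-Toolkit original, so that is the one to
    # restore. Assumes the date suffixes sort chronologically.
    jass_backup_status "$root" | awk '$1 != "unchanged" { print $2 }' | sort -u |
    while read -r live; do
        backup=$(ls -1 "$live".JASS.* | head -1)
        printf "cp -p '%s' '%s'\n" "$backup" "$live"
    done
}
```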

1.6. Solaris Security Toolkit File Content


Representative file content provided by the Toolkit during the delivery of the ARS for the Sun Fire 12K/15K is illustrated in Appendix A.

1.6.1. /etc/issue and /etc/motd

These files are based on U.S. government recommendations. They provide users legal notice that their activities may be monitored. If an organization has specific legal banners, they can be installed into these files. The file content is shown below.
###################################################################
# This system is for the use of authorized users only.            #
# Individuals using this computer system without authority, or in #
# excess of their authority, are subject to having all of their   #
# activities on this system monitored and recorded by system      #
# personnel.                                                      #
#                                                                 #
# In the course of monitoring individuals improperly using this   #
# system, or in the course of system maintenance, the activities  #
# of authorized users may also be monitored.                      #
#                                                                 #
# Anyone using this system expressly consents to such monitoring  #
# and is advised that if such monitoring reveals possible         #
# evidence of criminal activity, system personnel may provide the #
# evidence of such monitoring to law enforcement officials.       #
###################################################################

1.6.2. /etc/notrouter

This file disables IP forwarding between interfaces on the system by creating an /etc/notrouter file. Once the JumpStart client is rebooted, the client will no longer function as a router, regardless of the number of network interfaces. This is an empty file.

1.6.3. /etc/nsswitch.conf

This is an nsswitch.conf file configured so that a system will use files for name resolution. It is a copy of the /etc/nsswitch.files shipped with Solaris 8 OE. The file content is shown below.
# /etc/nsswitch.files:
#
# An example file that could be copied over to /etc/nsswitch.conf; it
# does not use any naming service.
#
# "hosts:" and "services:" in this file are used only if the
# /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.

passwd:       files
group:        files
hosts:        files # dns
ipnodes:      files
networks:     files
protocols:    files
rpc:          files
ethers:       files
netmasks:     files
bootparams:   files
publickey:    files
# At present there isn't a 'files' backend for netgroup; the system will
# figure it out pretty quickly, and won't use netgroups at all.
netgroup:     files
automount:    files
aliases:      files
services:     files
sendmailvars: files
printers:     user files
auth_attr:    files
prof_attr:    files

1.6.4. /etc/syslog.conf

This modified /etc/syslog.conf file is installed to perform additional logging. It serves as a placeholder for organizations to add in their own centralized log server (or servers) so that proactive log analysis can be done. The file content is shown below.
#
# Copyright (c) 2000, 2001 by Sun Microsystems, Inc.
# All rights reserved.
#
#ident "@(#)syslog.conf 2.2 01/06/10 SMI"
#
# This "syslog.conf" file was installed by JASS. This
# file should be used to log information both locally as
# well as to a centralized log server (or servers) so that
# proactive log analysis can be done.

*.err;kern.notice;auth.notice	/dev/console
*.alert				root
*.emerg				*
*.debug				/var/adm/message
# *.debug			@loghost1
# *.debug			@loghost2

1.6.5. /etc/default/sendmail

This script is copied onto the system being hardened by the disable-sendmail.fin script on a Solaris 8 OE system. This sendmail.cf file sends all mail to the root account on the local host. The file content is shown below.
# sendmail.cf to local root user

# Define version
V8

# Whom errors should appear to be from
DnMailer-Daemon

# Formatting of the unix from line
DlFrom $g $d

# Separators
Do.:%@!^=/[]

# From of the sender's address
Dq<$g>

# Spool directory
OQ/usr/spool/mqueue

### Mailer Delivery Agents

Mlocal, P=/usr/lib/mail.local, F=lsDFMAw5:/|@qSXfmnz9, S=10/30, R=20/40,
	T=DNS/RFC822/X-UNIX, A=mail.local -l
Mprog, P=/dev/null, F=lsDFMeuP, S=0, R=0, A=/dev/null

### Rule sets - whitespace between columns must be tabs!!!

S0
R@$+		$#error $: missing user name
R$+		$#local $@$R $:root	forward to local root user

S3
R$*<>$*		$:root			handle <> error address
R$*<$*>$*	$:root			basic rfc822 parsing

1.6.6. /etc/dt/config/Xaccess

This file disables all remote access, whether directed or broadcast, to any X server running on this system. The file content is shown below.
####################################################################### ## ## Xaccess ## Common Desktop Environment ## ## (c) Copyright 1993, 1994 Hewlett-Packard Company ## (c) Copyright 1993, 1994 International Business Machines Corp. ## (c) Copyright 1993, 1994 Sun Microsystems, Inc. ## (c) Copyright 1993, 1994 Novell, Inc. ## ## ************** DO NOT EDIT THIS FILE ************** ## ## /usr/dt/config/Xaccess is a factory-default file and will ## be unconditionally overwritten upon subsequent installation. ## Before making changes to the file, copy it to the configuration ## directory, /etc/dt/config. You must also update the accessFile ## resource in /etc/dt/config/Xconfig. ## ## $XConsortium: Xaccess.src /main/cde1_maint/2 1995/08/30 16:21:28 gtsang $ ## ####################################################################### ## ## This file contains a list of host names which are allowed or ## denied XDMCP connection access to this machine. When a remote ## display (typically an X-termimal) requests login service, Dtlogin ## will consult this file to determine if service should be granted ## or denied. ## ## # Access control file for XDMCP connections ## ## To control Direct and Broadcast access: ## ## pattern ## ## To control Indirect queries: ## ## pattern list of hostnames and/or macros ... ## ## To use the chooser: ## ## pattern CHOOSER BROADCAST ## ## or ## ## pattern CHOOSER list of hostnames and/or macros ... ## ## To define macros: ## ## %name list of hosts ... ## ## ## The first form tells dtlogin which displays to respond to itself. ## The second form tells dtlogin to forward indirect queries from hosts ## matching the specified pattern to the indicated list of hosts. ## The third form tells dtlogin to handle indirect queries using the ## chooser; the chooser is directed to send its own queries out via the ## broadcast address and display the results on the terminal. 
## The fourth form is similar to the third, except instead of using the
## broadcast address, it sends DirectQuerys to each of the hosts in
## the list
##
## In all cases, dtlogin uses the first entry which matches the terminal;
## for IndirectQuery messages only entries with right hand sides can
## match, for Direct and Broadcast Query messages, only entries without
## right hand sides can match.
##
## Information regarding the format of entries in this file is
## included at the end of the file.
##
########################################################################
## Entries...
#
#*                                      # grant service to all remote displays
#
##
## The nicest way to run the chooser is to just ask it to broadcast
## requests to the network - that way new hosts show up automatically.
## Sometimes, however, the chooser can't figure out how to broadcast,
## so this may not work in all environments.
##
#
#*              CHOOSER BROADCAST       #any indirect host can get a chooser
#
##
## If you'd prefer to configure the set of hosts each terminal sees,
## then just uncomment these lines (and comment the CHOOSER line above)
## and edit the %hostlist line as appropriate
##
#
##%hostlist     host-a host-b
#
##*             CHOOSER %hostlist
#
#
#######################################################################
##
## ENTRY FORMAT
##
## An entry in this file is either a host name or a pattern.  A
## pattern may contain one or more meta characters (`*' matches any
## sequence of 0 or more characters, and `?' matches any single
## character) which are compared against the host name of the remote
## device requesting service.
##
## If the entry is a host name, all comparisons are done using
## network addresses, so any name which converts to the correct
## network address may be used.  For patterns, only canonical host
## names are used in the comparison, so do not attempt to match
## aliases.
##
## Preceding either a host name or a pattern with a `!' character
## causes hosts which match that entry to be excluded.
##
## When checking access for a particular display host, each entry is
## scanned in turn and the first matching entry determines the
## response.
##
## Blank lines are ignored, `#' is treated as a comment delimiter
## causing the rest of that line to be ignored,
##
## ex.
## !xtra.lcs.mit.edu     # disallow direct/broadcast service for xtra
## bambi.ogi.edu         # allow access from this particular display
## *.lcs.mit.edu         # allow access from any display in LCS
## Deny all remote access (direct/broadcast) to this X server.
!*
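The following evaluator is an added example, not part of the Sun document or of dtlogin. It applies the ENTRY FORMAT rules quoted above (comments, `*`/`?` patterns, leading `!` exclusion, first match wins, right-hand-side entries reserved for IndirectQuery) to a constructed Xaccess file ending in the Toolkit's `!*` line, and assumes plain host names are compared as strings rather than by network address.

```shell
#!/bin/sh
# Added example, not part of the Sun document or of dtlogin: a first-match
# evaluator for the Direct/Broadcast-query entries of an Xaccess file,
# following the ENTRY FORMAT rules quoted above:
#   - '#' starts a comment; blank lines are ignored
#   - an entry is a host name or a pattern ('*' = any run of characters,
#     '?' = any single character)
#   - a leading '!' excludes hosts that match the entry
#   - entries with a right-hand side (CHOOSER ...) apply only to
#     IndirectQuery and are skipped for direct/broadcast checks
#   - the first matching entry decides
# Assumption: plain host names are compared as canonical strings. Real
# dtlogin compares them by network address, which would need a resolver.

# xaccess_decision HOST FILE -> prints allow, deny or nomatch
xaccess_decision() {
    host=$1
    file=$2
    result=nomatch
    set -f                        # no pathname expansion while splitting '*'
    while IFS= read -r line || [ -n "$line" ]; do
        entry=${line%%#*}         # strip trailing comment
        set -- $entry             # split the entry into words
        [ $# -eq 0 ] && continue  # blank or comment-only line
        [ $# -gt 1 ] && continue  # right-hand side: IndirectQuery entry
        pattern=$1
        verdict=allow
        case $pattern in
            !*) verdict=deny; pattern=${pattern#!} ;;
        esac
        # sh case globbing gives '*' and '?' the same meaning as Xaccess
        case $host in
            $pattern) result=$verdict; break ;;
        esac
    done < "$file"
    set +f
    printf '%s\n' "$result"
}

# write_sample_xaccess FILE -> constructed file: the example entries from
# the Xaccess comments, one indirect-query line, then the Toolkit's
# catch-all "!*" denial.
write_sample_xaccess() {
    cat > "$1" <<'EOF'
## Constructed sample Xaccess (entries taken from the file's own comments)
*                  CHOOSER BROADCAST   # indirect query only; ignored here
!xtra.lcs.mit.edu                      # disallow direct/broadcast service for xtra
bambi.ogi.edu                          # allow access from this particular display
*.lcs.mit.edu                          # allow access from any display in LCS
## Deny all remote access (direct/broadcast) to this X server.
!*
EOF
}

# Stand-alone demonstration
sample=$(mktemp)
write_sample_xaccess "$sample"
for h in xtra.lcs.mit.edu bambi.ogi.edu foo.lcs.mit.edu other.example.org; do
    printf '%-20s %s\n' "$h" "$(xaccess_decision "$h" "$sample")"
done
rm -f "$sample"
```

Removing every line above `!*` leaves the Toolkit's file, which denies every direct and broadcast request; an entry placed before `!*` is the only way a display gets through, because the scan stops at the first match.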

1.6.7. /etc/init.d/nddconfig and /etc/rc2.d/S70nddconfig

These entries install the nddconfig and S70nddconfig startup scripts. The file content is shown below.
#!/sbin/sh
#
# Copyright (c) 1999-2001 by Sun Microsystems, Inc.
# All rights reserved.
#
# $Id: nddconfig,v 1.5 2000/12/08 02:10:14 kaw Exp $
#
# INTRODUCTION
#
# This script sets network driver parameters to prevent some network
# attacks. Install this script to make changes at system boot. For
# further information on the parameters set in this script, see
# the Sun Blueprints(tm) OnLine article entitled "Solaris Operating
# Environment Network Settings for Security - updated for 8".
#
#   http://www.sun.com/blueprints/1200/network-updt1.pdf
#
# The latest version of this script is available from the Blueprints
# Online tools area at:
#
#   http://www.sun.com/blueprints/tools/
#
# This script is written for the Solaris 2.5.1, 2.6, 7, and 8 Operating
# Environment releases.
#
# WARNING
#
# This script makes changes to the system default network driver
# parameters. The settings included in this script are considered safe
# in terms of security. However, some settings may not work in your
# environment. The comments provided for each parameter explain the
# effect the setting has.
#
# INSTALLATION
#
#   # cp <script> /etc/init.d/nddconfig
#   # chmod 744 /etc/init.d/nddconfig
#   # chown root:sys /etc/init.d/nddconfig
#   # ln /etc/init.d/nddconfig /etc/rc2.d/S70nddconfig
#
# WARNING MESSAGES
#
# When adding specific privileged ports ({tcp|udp}_extra_priv_ports_add),
# if a specific port number has already been applied, the following
# warning message is displayed:
#
#   operation failed, File exists
#
# This is a very poor ndd warning message. It can be safely ignored.
#
# Keith A. Watson <keith.watson@Sun.COM>
#

PATH=/usr/bin:/usr/sbin

#
# A note about parameter values:
#   '0' == false/off/disable
#   '1' == true/on/enable
#

#
# verbose
#
# This option enables verbose output generated by this script.
#
verbose=1

#
# arp_cleanup_interval
#
# This option determines the period of time the Address Resolution
# Protocol (ARP) cache maintains entries. ARP attacks may be effective
# with the default interval. Shortening the timeout interval should
# reduce the effectiveness of such an attack.
# The default value is 300000 milliseconds (5 minutes).
#
arp_cleanup_interval=60000

#
# ip_forward_directed_broadcasts
#
# This option determines whether to forward broadcast packets directed
# to a specific net or subnet, if that net or subnet is directly
# connected to the machine. If the system is acting as a router, this
# option can be exploited to generate a great deal of broadcast network
# traffic. Turning this option off will help prevent broadcast traffic
# attacks.
# The default value is 1 (true).
#
ip_forward_directed_broadcasts=0

#
# ip_forward_src_routed
# ip6_forward_src_routed (Solaris 8)
#
# This option determines whether to forward packets that are source
# routed. These packets define the path the packet should take instead
# of allowing network routers to define the path.
# The default value is 1 (true).
#
ip_forward_src_routed=0
ip6_forward_src_routed=0

#
# ip_ignore_redirect
# ip6_ignore_redirect (Solaris 8)
#
# This option determines whether to ignore Internet Control Message
# Protocol (ICMP) packets that define new routes. If the system is
# acting as a router, an attacker may send redirect messages to alter
# routing tables as part of a sophisticated attack (man in the middle
# attack) or a simple denial of service.
# The default value is 0 (false).
#
ip_ignore_redirect=1
ip6_ignore_redirect=1

#
# ip_ire_flush_interval (Solaris 2.5.1, 2.6, and 7)
# ip_ire_arp_interval (Solaris 8)
#
# This option determines the period of time at which a specific route
# will be kept, even if currently in use. ARP attacks may be effective
# with the default interval. Shortening the time interval may reduce
# the effectiveness of attacks.
# The default interval is 1200000 milliseconds (20 minutes).
#
ip_ire_flush_interval=60000
ip_ire_arp_interval=60000

#
# ip_respond_to_address_mask_broadcast
#
# This option determines whether to respond to ICMP netmask requests
# which are typically sent by diskless clients when booting. An
# attacker may use the netmask information for determining network
# topology or the broadcast address for the subnet.
# The default value is 0 (false).
#
ip_respond_to_address_mask_broadcast=0

#
# ip_respond_to_echo_broadcast
# ip6_respond_to_echo_multicast (Solaris 8)
#
# This option determines whether to respond to ICMP broadcast echo
# requests (ping). An attacker may try to create a denial of service
# attack on subnets by sending many broadcast echo requests to which all
# systems will respond. This also provides information on systems that
# are available on the network.
# The default value is 1 (true).
#
ip_respond_to_echo_broadcast=0
ip6_respond_to_echo_multicast=0

#
# ip_respond_to_timestamp
#
# This option determines whether to respond to ICMP timestamp requests
# which some systems use to discover the time on a remote system. An
# attacker may use the time information to schedule an attack at a
# period of time when the system may run a cron job (or other time-
# based event) or otherwise be busy. It may also be possible to predict
# ID or sequence numbers that are based on the time of day for spoofing
# services.
# The default value is 1 (true).
#
ip_respond_to_timestamp=0

#
# ip_respond_to_timestamp_broadcast
#
# This option determines whether to respond to ICMP broadcast timestamp
# requests which are used to discover the time on all systems in the
# broadcast range. This option is dangerous for the same reasons as
# responding to a single timestamp request. Additionally, an attacker
# may try to create a denial of service attack by generating many
# broadcast timestamp requests.
# The default value is 1 (true).
#
ip_respond_to_timestamp_broadcast=0

#
# ip_send_redirects
# ip6_send_redirects (Solaris 8)
#
# This option determines whether to send ICMP redirect messages which
# can introduce changes into remote system's routing table. It should
# only be used on systems that act as routers.
# The default value is 1 (true).
#
ip_send_redirects=0
ip6_send_redirects=0

#
# ip_strict_dst_multihoming
# ip6_strict_dst_multihoming (Solaris 8)
#
# This option determines whether to enable strict destination
# multihoming. If this is set to 1 and ip_forwarding is set to 0, then
# a packet sent to an interface from which it did not arrive will be
# dropped. This setting prevents an attacker from passing packets across
# a machine with multiple interfaces that is not acting as a router.
# The default value is 0 (false).
#
ip_strict_dst_multihoming=1
ip6_strict_dst_multihoming=1

#
# tcp_conn_req_max_q0
#
# This option sets the size of the queue containing unestablished
# connections. This queue is part of a protection mechanism against
# SYN flood attacks. The queue size default is adequate for most
# systems but should be increased for busy servers.
# The default value is 1024.
#
tcp_conn_req_max_q0=4096

#
# tcp_conn_req_max_q
#
# This option sets the maximum number of fully established connections.
# Increasing the size of this queue provides some limited protection
# against resource consumption attacks. The queue size default is
# adequate for most systems but should be increased for busy servers.
# The default value is 128.
#
tcp_conn_req_max_q=1024

#
# tcp_rev_src_routes (Solaris 8)
#
# This option determines whether the specified route in a source
# routed packet will be used in returned packets. TCP source routed
# packets may be used in spoofing attacks, so the reverse route should
# not be used.
# The default value is 0 (false).
#
tcp_rev_src_routes=0

#
# Adding specific privileged ports (Solaris 2.6, 7, and 8)
#
# These options define additional TCP and UDP privileged ports outside
# of the 1-1023 range. Any program that attempts to bind the ports
# listed here must run as root. This prevents normal users from
# starting server processes on specific ports. Multiple ports can be
# specified by quoting and separating them with spaces.
#
# Default values:
#   tcp_extra_priv_ports: 2049 (nfsd) 4045 (lockd)
#   udp_extra_priv_ports: 2049 (nfsd) 4045 (lockd)
#
tcp_extra_priv_ports_add="6112"
udp_extra_priv_ports_add=""

#
# Ephemeral port range adjustment (Solaris 2.5.1, 2.6, 7, and 8)
#
# These options define the upper and lower bounds on ephemeral ports.
# Ephemeral (means short-lived) ports are used when establishing
# outbound network connections.
#
# Default values:
#   tcp_smallest_anon_port=32768
#   tcp_largest_anon_port=65535
#   udp_smallest_anon_port=32768
#   udp_largest_anon_port=65535
#
tcp_smallest_anon_port=32768
tcp_largest_anon_port=65535
udp_smallest_anon_port=32768
udp_largest_anon_port=65535

#
# Nonprivileged port range adjustment (Solaris 2.5.1, 2.6, 7, and 8)
#
# These options define the start of nonprivileged TCP and UDP ports.
# The nonprivileged port range normally starts at 1024. Any program
# that attempts to bind a nonprivileged port does not have to run as
# root.
#
# Default values:
#   tcp_smallest_nonpriv_port=1024
#   udp_smallest_nonpriv_port=1024
#
tcp_smallest_nonpriv_port=1024
udp_smallest_nonpriv_port=1024

#
# +-----------------------------------------+
# | No modification needed below this line. |
# +-----------------------------------------+
#

#
# base parameters (the same across the 2.5.1, 2.6, 7, 8, and 9 (alpha)
# releases)
#
base_parameters="arp_cleanup_interval \
    ip_forward_directed_broadcasts \
    ip_forward_src_routed \
    ip_ignore_redirect \
    ip_respond_to_address_mask_broadcast \
    ip_respond_to_echo_broadcast \
    ip_respond_to_timestamp \
    ip_respond_to_timestamp_broadcast \
    ip_send_redirects \
    ip_strict_dst_multihoming \
    tcp_conn_req_max_q0 \
    tcp_conn_req_max_q \
    tcp_smallest_anon_port \
    tcp_largest_anon_port \
    udp_smallest_anon_port \
    udp_largest_anon_port \
    tcp_smallest_nonpriv_port \
    udp_smallest_nonpriv_port"

#
# OS_revision specific parameters
#

# Solaris 2.5.1 specific parameters
SunOS5_5_1="ip_ire_flush_interval"

# Solaris 2.6 specific parameters
SunOS5_6="ip_ire_flush_interval \
    tcp_extra_priv_ports_add \
    udp_extra_priv_ports_add"

# Solaris 7 specific parameters
SunOS5_7="ip_ire_flush_interval \
    tcp_extra_priv_ports_add \
    udp_extra_priv_ports_add"

# Solaris 8 specific parameters
SunOS5_8="ip_ire_arp_interval \
    tcp_extra_priv_ports_add \
    udp_extra_priv_ports_add \
    tcp_rev_src_routes"

# Solaris 9 (alpha) specific parameters
SunOS5_9="ip_ire_arp_interval \
    tcp_extra_priv_ports_add \
    udp_extra_priv_ports_add \
    tcp_rev_src_routes"

#
# IPv6 parameters (apply to Solaris 8 and 9 (alpha))
#
ip6_parameters="ip6_forward_src_routed \
    ip6_respond_to_echo_multicast \
    ip6_send_redirects \
    ip6_ignore_redirect \
    ip6_strict_dst_multihoming"

#
# system privilege ports defaults
#
extra_priv_ports_defaults="2049 4045 "

#
# get OS name and revision information
#
os=`uname -s`
revision=`uname -r`
OSRev=$os`echo $revision | sed -e 's/\./_/g'`

#
# check if IPv6 is enabled
#
ip6_interfaces="`echo /etc/hostname6.*[0-9] 2> /dev/null`"
[ "$ip6_interfaces" != "/etc/hostname6.*[0-9]" ] && ip6_enabled=true

#
# do_in_order -- This function executes the specified functions with
# the appropriate parameters for the local OS, revision, and
# configuration. Currently it acts on a specific base set of
# parameters, OS and revision specific parameters, and IPv6
# parameters.
#
do_in_order() {                 # function_name

    function_name=$1

    # handle the base parameters
    for param in $base_parameters; do
        $function_name $param
    done

    # handle the OS/revision specific parameters
    eval OSRev_params=\$$OSRev
    for param in $OSRev_params; do
        $function_name $param
    done

    # handle IPv6 parameters
    if [ "$ip6_enabled" = "true" ]; then
        for param in $ip6_parameters; do
            $function_name $param
        done
    fi
}

#
# set_parameter -- This function uses ndd to set a parameter.
# The supplied parameter name has a shell variable with the same
# name which contains the value for the parameter.
#
set_parameter() {               # parameter

    # definition for local variable
    param=$1

    # determine the driver from the first substring in the parameter name
    driver=/dev/`echo $param | sed -e 's/_.*//'`

    eval values=\$$param

    # First check that a value for the parameter exists. If not, skip it.
    if [ -n "$values" ]; then

        # Some parameters may have multiple values specified in one
        # assignment further up in the script. ndd only accepts one
        # parameter at a time. Loop through and set each value.
        for value in $values; do
            [ "$verbose" = "1" ] && \
                echo "Setting $driver $param to $value"
            ndd -set $driver $param $value
        done
    fi
}

#
# display_parameter -- This function uses ndd to extract the value of
# a parameter and display it.
#
display_parameter() {           # parameter

    # definition for local variable
    param=$1

    # hack for the "write only" extra privileged ports parameters
    param=`echo $param | sed -e 's/_add$//'`

    # determine the driver from the first substring in the parameter name
    driver=/dev/`echo $param | sed -e 's/_.*//'`

    # execute the ndd command to retrieve settings and remove newlines
    value=`ndd $driver $param | tr -d '\n'`

    # print parameter value
    echo "  $driver $param = '$value'"
}

#
# compare_parameter -- This function uses ndd to extract the value of
# a parameter. It compares the current parameter value to the one
# defined in this script.
#
compare_parameter() {           # parameter

    # definition for local variable
    originalParam=$1

    # hack for the "write only" extra privileged ports parameters
    modifiedParam=`echo $originalParam | sed -e 's/_add$//'`

    # determine the driver from the first substring in the parameter name
    driver=/dev/`echo $modifiedParam | sed -e 's/_.*//'`

    # execute the ndd command to retrieve settings and remove newlines
    currentValue=`ndd $driver $modifiedParam | tr -d '\n'`

    eval intendedValue="\$$originalParam"

    # if the modified parameter name is different from the original
    # parameter, then we are dealing with the privileged port parameters
    if [ "$modifiedParam" != "$originalParam" ]; then

        # the privileged port parameters have system defaults that must
        # be accounted for in the comparison
        if [ -n "$intendedValue" ]; then
            intendedValue="$extra_priv_ports_defaults$intendedValue "
        else
            intendedValue="$extra_priv_ports_defaults"
        fi
    fi

    # print parameter value and note all deviations
    echo "  $driver $modifiedParam = '$currentValue'\c"
    if [ "$intendedValue" != "$currentValue" ]; then
        echo " (should be '$intendedValue')"
    else
        echo " (ok)"
    fi
}

# Process the command argument
case "$1" in
'start')
    # set the parameters in the defined order
    do_in_order set_parameter
    ;;
'show')
    echo "Current ndd parameter settings:"
    do_in_order display_parameter
    ;;
'compare')
    echo "Comparison of ndd parameter settings:"
    do_in_order compare_parameter
    ;;
'stop')
    # ignored
    [ "$verbose" = "1" ] && \
        echo "$0: 'stop' ignored. No network changes applied."
    ;;
*)
    echo "Usage: $0 { start | stop | show | compare }"
    exit 1
    ;;
esac

exit 0

1.6.8. set-tmp-permissions scripts

The purpose of these scripts (/etc/init.d/set-tmp-permissions, /etc/rc2.d/S00set-tmp-permissions and /etc/rc2.d/S07set-tmp-permissions) is to set the correct permissions on the /tmp and /var/tmp directories when the system is rebooted. If an inconsistency is found, it will be displayed to standard output and logged via SYSLOG. This script is installed into /etc/rc2.d twice to permit this check to be performed both before and after the mountall command is run from S01MOUNTFSYS. This helps ensure that both the mount point and the mounted filesystem have the correct permissions and ownership. The file content is shown below; the contents of the three files are identical.
#!/bin/sh
#
# Copyright (c) 2001 by Sun Microsystems, Inc.
# All rights reserved.
#
#ident  "@(#)set-tmp-permissions 1.2 01/06/10 SMI"
#
# INTRODUCTION
#
# The purpose of this script is to set the correct
# permissions on the /tmp and /var/tmp directories
# when the system is rebooted. If an inconsistency
# is found, it will be displayed to standard output
# and logged via SYSLOG.
#
# INSTALLATION
#
# To install this script, the following commands should
# be performed as 'root'.
#
#   cp <script> /etc/init.d/set-tmp-permissions
#   chmod 744 /etc/init.d/set-tmp-permissions
#   chown root:sys /etc/init.d/set-tmp-permissions
#   ln /etc/init.d/set-tmp-permissions /etc/rc2.d/S01set-tmp-permissions
#   ln /etc/init.d/set-tmp-permissions /etc/rc2.d/S07set-tmp-permissions
#
# The reason that this script is installed into /etc/rc2.d twice
# is to permit this check to be performed both before and after
# the "mountall" command is run (from S01MOUNTFSYS). That way,
# both the mount point and the mounted filesystem will be sure
# to have the correct permissions and ownership.
#
# Glenn M. Brunette <glenn.brunette@sun.com>
#

TMP_OWNER="root"
TMP_GROUP="sys"

# If you change TMP_PERMS for any reason, be sure to update
# TMP_PERMS_SET accordingly. These values are reasonable,
# however, and should not need to be changed.

TMP_PERMS="drwxrwxrwt"
TMP_PERMS_SET="1777"

# Verify both /tmp and /var/tmp.

for tmppath in /tmp /var/tmp; do

    if [ -d "${tmppath}" ]; then

        oldVal="`ls -ld ${tmppath}`"

        # Obtain and verify the permissions on ${tmppath}.

        perms="`echo ${oldVal} | awk '{ print $1 }'`"
        if [ "${TMP_PERMS}" != "${perms}" ]; then
            echo "WARNING: ${tmppath} had incorrect permissions (${perms})."
        fi

        # Obtain and verify the ownership of ${tmppath}.

        owner="`echo ${oldVal} | awk '{ print $3 }'`"
        if [ "${TMP_OWNER}" != "${owner}" ]; then
            echo "WARNING: ${tmppath} had incorrect ownership (${owner})."
        fi

        # Obtain and verify the group of ${tmppath}.

        group="`echo ${oldVal} | awk '{ print $4 }'`"
        if [ "${TMP_GROUP}" != "${group}" ]; then
            echo "WARNING: ${tmppath} had an incorrect group setting (${group})."
        fi

        # Make all of the changes to ${tmppath} to bring it into
        # compliance with the settings as defined above.

        /bin/chown ${TMP_OWNER} ${tmppath}
        /bin/chgrp ${TMP_GROUP} ${tmppath}
        /bin/chmod ${TMP_PERMS_SET} ${tmppath}
    fi
done

1.6.9. /etc/init.d/inetsvc

This file replaces the default /etc/init.d/inetsvc with a minimized version containing only those commands required for the configuration of the network interfaces. The minimized script has only four lines, as compared to the 256 lines of the Solaris 8 OE version. The minimized inetsvc script is as follows:

#!/bin/sh

/usr/sbin/ifconfig -au netmask + broadcast +
/usr/sbin/inetd -s -t &

1.6.10. /etc/inet/inetd.conf

The following table shows sample contents of the inetd.conf file, excluding the header, prior to use of the Toolkit.

ftp          stream  tcp6                      nowait  root    /usr/sbin/in.ftpd                                    in.ftpd
telnet       stream  tcp6                      nowait  root    /usr/sbin/in.telnetd                                 in.telnetd
name         dgram   udp                       wait    root    /usr/sbin/in.tnamed                                  in.tnamed
shell        stream  tcp                       nowait  root    /usr/sbin/in.rshd                                    in.rshd
shell        stream  tcp6                      nowait  root    /usr/sbin/in.rshd                                    in.rshd
login        stream  tcp6                      nowait  root    /usr/sbin/in.rlogind                                 in.rlogind
exec         stream  tcp                       nowait  root    /usr/sbin/in.rexecd                                  in.rexecd
exec         stream  tcp6                      nowait  root    /usr/sbin/in.rexecd                                  in.rexecd
comsat       dgram   udp                       wait    root    /usr/sbin/in.comsat                                  in.comsat
talk         dgram   udp                       wait    root    /usr/sbin/in.talkd                                   in.talkd
uucp         stream  tcp                       nowait  root    /usr/sbin/in.uucpd                                   in.uucpd
finger       stream  tcp6                      nowait  nobody  /usr/sbin/in.fingerd                                 in.fingerd
time         stream  tcp6                      nowait  root    internal
time         dgram   udp6                      wait    root    internal
echo         stream  tcp6                      nowait  root    internal
echo         dgram   udp6                      wait    root    internal
discard      stream  tcp6                      nowait  root    internal
discard      dgram   udp6                      wait    root    internal
daytime      stream  tcp6                      nowait  root    internal
daytime      dgram   udp6                      wait    root    internal
chargen      stream  tcp6                      nowait  root    internal
chargen      dgram   udp6                      wait    root    internal
100232/10    tli     rpc/udp                   wait    root    /usr/sbin/sadmind                                    sadmind
rquotad/1    tli     rpc/datagram_v            wait    root    /usr/lib/nfs/rquotad                                 rquotad
rusersd/2-3  tli     rpc/datagram_v,circuit_v  wait    root    /usr/lib/netsvc/rusers/rpc.rusersd                   rpc.rusersd
sprayd/1     tli     rpc/datagram_v            wait    root    /usr/lib/netsvc/spray/rpc.sprayd                     rpc.sprayd
walld/1      tli     rpc/datagram_v            wait    root    /usr/lib/netsvc/rwall/rpc.rwalld                     rpc.rwalld
rstatd/2-4   tli     rpc/datagram_v            wait    root    /usr/lib/netsvc/rstat/rpc.rstatd                     rpc.rstatd
100083/1     tli     rpc/tcp                   wait    root    /usr/dt/bin/rpc.ttdbserverd                          rpc.ttdbserverd
100221/1     tli     rpc/tcp                   wait    root    /usr/openwin/bin/kcms_server                         kcms_server
fs           stream  tcp                       wait    nobody  /usr/openwin/lib/fs.auto                             fs
100235/1     tli     rpc/tcp                   wait    root    /usr/lib/fs/cachefs/cachefsd                         cachefsd
100134/1     tli     rpc/ticotsord             wait    root    /usr/lib/krb5/ktkt_warnd                             ktkt_warnd
printer      stream  tcp6                      nowait  root    /usr/lib/print/in.lpd                                in.lpd
100234/1     tli     rpc/ticotsord             wait    root    /usr/lib/gss/gssd                                    gssd
100146/1     tli     rpc/ticotsord             wait    root    /usr/lib/security/amiserv                            amiserv
100147/1     tli     rpc/ticotsord             wait    root    /usr/lib/security/amiserv                            amiserv
100150/1     tli     rpc/ticotsord             wait    root    /usr/sbin/ocfserv                                    ocfserv
dtspc        stream  tcp                       nowait  root    /usr/dt/bin/dtspcd                                   /usr/dt/bin/dtspcd
100068/2-5   dgram   rpc/udp                   wait    root    /usr/dt/bin/rpc.cmsd                                 rpc.cmsd
sun-dr       stream  tcp                       wait    root    /usr/lib/dcs                                         dcs
sun-dr       stream  tcp6                      wait    root    /usr/lib/dcs                                         dcs
300326/4     tli     rpc/tcp                   wait    root    /platform/SUNW,UltraEnterprise-10000/lib/dr_daemon   dr_daemon
100229/1     tli     rpc/tcp                   wait    root    /usr/sbin/rpc.metad                                  rpc.metad
100230/1     tli     rpc/tcp                   wait    root    /usr/sbin/rpc.metamhd                                rpc.metamhd

The following table shows the contents of the inetd.conf file on the system controller, excluding the header, after use of the Toolkit.

shell    stream  tcp     nowait  root    /usr/sbin/in.rshd      in.rshd
shell    stream  tcp6    nowait  root    /usr/sbin/in.rshd      in.rshd
login    stream  tcp6    nowait  root    /usr/sbin/in.rlogind   in.rlogind
exec     stream  tcp     nowait  root    /usr/sbin/in.rexecd    in.rexecd
exec     stream  tcp6    nowait  root    /usr/sbin/in.rexecd    in.rexecd
sun-dr   stream  tcp     wait    root    /usr/lib/dcs           dcs
sun-dr   stream  tcp6    wait    root    /usr/lib/dcs           dcs
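The audit below is an added example and not part of the Sun document or the Toolkit. It parses inetd.conf entries in the format of the tables above (service, socket type, protocol, wait/nowait, user, server program, arguments) and reports every enabled entry of one file that the hardened system-controller file does not carry; the sample files are constructed here from subsets of those tables.

```shell
#!/bin/sh
# Added example, not part of the Sun document or the Toolkit: audit an
# inetd.conf against the hardened system-controller baseline shown above.
# Fields follow the inetd.conf format used in the tables:
#   service  socket-type  proto  wait/nowait  user  server-program  [args]
# RPC services appear as name/version or program-number/version.
# The sample files written by write_samples are constructed from the tables.

# inetd_active CONF -> one "service proto server-program" line per enabled
# entry, sorted and de-duplicated (comment lines are ignored).
inetd_active() {
    awk '!/^[ \t]*#/ && NF >= 6 { print $1, $3, $6 }' "$1" | sort -u
}

# inetd_extra CONF BASELINE -> enabled entries of CONF whose
# "service proto server-program" triple is absent from BASELINE
# (BASELINE is itself an inetd.conf, e.g. the post-Toolkit file).
inetd_extra() {
    awk '
        !/^[ \t]*#/ && NF >= 6 {
            key = $1 " " $3 " " $6
            if (FILENAME == ARGV[1]) allow[key] = 1   # first file: baseline
            else if (!(key in allow)) print key       # second file: audited
        }' "$2" "$1"
}

# inetd_compliant CONF BASELINE -> exit 0 when CONF enables nothing
# beyond BASELINE, 1 otherwise.
inetd_compliant() {
    [ -z "$(inetd_extra "$1" "$2")" ]
}

# inetd_count CONF -> number of distinct enabled entries.
inetd_count() {
    inetd_active "$1" | wc -l | tr -d ' '
}

# write_samples DIR -> constructed fragments: inetd.conf.before is a
# subset of the pre-Toolkit table, inetd.conf.sc the post-Toolkit SC table.
write_samples() {
    cat > "$1/inetd.conf.before" <<'EOF'
# Constructed sample: subset of the pre-Toolkit inetd.conf shown above
ftp        stream  tcp6    nowait  root    /usr/sbin/in.ftpd       in.ftpd
telnet     stream  tcp6    nowait  root    /usr/sbin/in.telnetd    in.telnetd
shell      stream  tcp     nowait  root    /usr/sbin/in.rshd       in.rshd
shell      stream  tcp6    nowait  root    /usr/sbin/in.rshd       in.rshd
finger     stream  tcp6    nowait  nobody  /usr/sbin/in.fingerd    in.fingerd
time       stream  tcp6    nowait  root    internal
100232/10  tli     rpc/udp wait    root    /usr/sbin/sadmind       sadmind
dtspc      stream  tcp     nowait  root    /usr/dt/bin/dtspcd      /usr/dt/bin/dtspcd
sun-dr     stream  tcp     wait    root    /usr/lib/dcs            dcs
sun-dr     stream  tcp6    wait    root    /usr/lib/dcs            dcs
EOF
    cat > "$1/inetd.conf.sc" <<'EOF'
# Constructed sample: post-Toolkit system-controller inetd.conf
shell      stream  tcp     nowait  root    /usr/sbin/in.rshd       in.rshd
shell      stream  tcp6    nowait  root    /usr/sbin/in.rshd       in.rshd
login      stream  tcp6    nowait  root    /usr/sbin/in.rlogind    in.rlogind
exec       stream  tcp     nowait  root    /usr/sbin/in.rexecd     in.rexecd
exec       stream  tcp6    nowait  root    /usr/sbin/in.rexecd     in.rexecd
sun-dr     stream  tcp     wait    root    /usr/lib/dcs            dcs
sun-dr     stream  tcp6    wait    root    /usr/lib/dcs            dcs
EOF
}

# Stand-alone demonstration
dir=$(mktemp -d)
write_samples "$dir"
echo "Entries in the pre-Toolkit file beyond the SC baseline:"
inetd_extra "$dir/inetd.conf.before" "$dir/inetd.conf.sc"
if inetd_compliant "$dir/inetd.conf.sc" "$dir/inetd.conf.sc"; then
    echo "post-Toolkit SC file: nothing beyond baseline"
fi
rm -rf "$dir"
```

Run against a live /etc/inet/inetd.conf with the post-Toolkit file as baseline, a non-empty report from inetd_extra means a service has been re-enabled since hardening.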

The following table shows the contents of the inetd.conf file on the domains, excluding the header, after use of the Toolkit.

sun-dr   stream  tcp     wait    root    /usr/lib/dcs           dcs
sun-dr   stream  tcp6    wait    root    /usr/lib/dcs           dcs

1.6.11. /etc/init.d/nddconfig

The following table lists the baseline modifications to the network device driver settings that are made to harden the SCs and domains:

Network device driver configuration settings                  Default      Hardened
/dev/ip    ip_forwarding                                      1            0
/dev/ip    lo0:ip_forwarding                                  1            0
/dev/ip    eri1:ip_forwarding (note: SCs only)                1            0
/dev/ip    hme0:ip_forwarding                                 1            0
/dev/ip    scman0:ip_forwarding (note: SCs only)              1            0
/dev/ip    scman1:ip_forwarding (note: SCs only)              1            0
/dev/ip    dman0:ip_forwarding (note: domains only)           1            0
/dev/ip    qfe0:ip_forwarding (note: domains only)
/dev/arp   arp_cleanup_interval                               300000       60000
/dev/ip    ip_forward_directed_broadcasts                     1            0
/dev/ip    ip_forward_src_routed                              1            0
/dev/ip    ip_ignore_redirect                                 0            1
/dev/ip    ip_respond_to_address_mask_broadcast               0            0
/dev/ip    ip_respond_to_echo_broadcast                       1            0
/dev/ip    ip_respond_to_timestamp                            1            0
/dev/ip    ip_respond_to_timestamp_broadcast                  1            0
/dev/ip    ip_send_redirects                                  1            0
/dev/ip    ip_strict_dst_multihoming                          0            1
/dev/ip    ip_def_ttl                                         255          255
/dev/tcp   tcp_conn_req_max_q0                                1024         4096
/dev/tcp   tcp_conn_req_max_q                                 128          1024
/dev/tcp   tcp_smallest_anon_port                             32768        32768
/dev/tcp   tcp_largest_anon_port                              65535        65535
/dev/udp   udp_smallest_anon_port                             32768        32768
/dev/udp   udp_largest_anon_port                              65535        65535
/dev/tcp   tcp_smallest_nonpriv_port                          1024         1024
/dev/udp   udp_smallest_nonpriv_port                          1024         1024
/dev/ip    ip_ire_arp_interval                                1200000      60000
/dev/tcp   tcp_extra_priv_ports                               2049, 4045   2049, 4045, 6112
/dev/udp   udp_extra_priv_ports                               2049 4045    2049 4045
/dev/tcp   tcp_rev_src_routes                                 0            0
/dev/ip6   ip6_forward_src_routed                             1            0
/dev/ip6   ip6_respond_to_echo_multicast                      1            0
/dev/ip6   ip6_send_redirects                                 0            0
/dev/ip6   ip6_ignore_redirect                                0            1
/dev/ip6   ip6_strict_dst_multihoming                         0            1


Appendix A: Solaris Security Toolkit Sample Output


Sample output captured from the use of the Toolkit is provided in this section of the document. Actual output from the Toolkit will be provided after it has been used to enhance the security of the Sun Fire 12K/15K.

Note: A "driver", in the context of the Toolkit, provides input to the Toolkit. Customization of the driver for the Solaris Security Toolkit is not included in this service.

==============================================================================
sunfire_15k_domain-secure.driver.test: Driver started.
==============================================================================

==============================================================================
JASS Version:   0.3.2
Node name:      xcat-domain2
Host ID:        82a84eaf
Host address:   129.148.202.158
MAC address:    8:0:20:f6:42:30
Date:           Wed Oct 10 11:49:06 EDT 2001
==============================================================================

==============================================================================
sunfire_15k_domain-secure.driver.test: Copying personalized files.
==============================================================================

Copying ///.cshrc from /opt/SUNWjass/Files//.cshrc.
Copying ///.profile to ///.profile.JASS.20011010114906
Copying ///.profile from /opt/SUNWjass/Files//.profile.

==============================================================================
sunfire_15k_domain-secure.driver.test: Starting finish script: print-jass-environment.fin
==============================================================================

JASS_ACCT_DISABLE          daemon bin adm lp uucp nuucp nobody smtp listen noaccess nobody4
JASS_ACCT_REMOVE           smtp listen nobody4
JASS_AGING_MINWEEKS        1
JASS_AGING_MAXWEEKS        8
JASS_AT_ALLOW
JASS_AT_DENY               root daemon bin sys adm lp uucp nuucp listen nobody noaccess nobody4 oracle apache
JASS_BANNER_FTPD           Authorized Use Only
JASS_BANNER_TELNETD        Authorized Use Only
JASS_CPR_MGT_USER
JASS_CRON_ALLOW            root
JASS_CRON_DENY             root daemon bin sys adm lp uucp nuucp listen nobody noaccess nobody4
JASS_CRON_LOG_SIZE         20480
JASS_FILES_DIR             /opt/SUNWjass/Files
JASS_FINISH_DIR            /opt/SUNWjass/Finish
JASS_FIXMODES_DIR
JASS_FIXMODES_OPTIONS
JASS_FTPUSERS              root daemon bin sys adm lp uucp nuucp listen nobody noaccess nobody4
JASS_FTPD_UMASK            022
JASS_HOME_DIR              /opt/SUNWjass
JASS_HOSTNAME              xcat-domain2
JASS_KILL_SCRIPT_DISABLE   0
JASS_LOGIN_RETRIES         3
JASS_PACKAGE_DIR           /opt/SUNWjass/Packages
JASS_PACKAGE_MOUNT
JASS_PASS_LENGTH           8
JASS_PASSWD                //etc/passwd
JASS_PATCH_DIR             /opt/SUNWjass/Patches
JASS_PATCH_MOUNT
JASS_POWER_MGT_USER
JASS_REC_PATCH_OPTIONS
JASS_RHOSTS_FILE
JASS_ROOT_DIR              /
JASS_ROOT_PASSWORD         JdqZ5HrSDYM.o
JASS_SADMIND_OPTIONS       -S 2
JASS_SAVE_BACKUP           1
JASS_SENDMAIL_MODE
JASS_SGID_FILE
JASS_SHELLS                /usr/bin/sh /usr/bin/csh /usr/bin/ksh /usr/bin/jsh /bin/sh /bin/csh /bin/ksh /bin/jsh /sbin/sh /sbin/jsh /bin/bash /bin/pfcsh /bin/pfksh /bin/pfsh /bin/tcsh /bin/zsh /usr/bin/bash /usr/bin/pfcsh /usr/bin/pfksh /usr/bin/pfsh /usr/bin/tcsh /usr/bin/zsh
JASS_SHELL_DISABLE         /sbin/noshell
JASS_STANDALONE            1
JASS_SUFFIX                JASS.20011010114906
JASS_SUID_FILE
JASS_SUSPEND_PERMS
JASS_SVCS_DISABLE          ftp telnet name talk uucp smtp tftp finger systat netstat rquotad rusersd sprayd walld rexd shell login exec comsat time echo discard daytime chargen 100087 rwalld rstatd 100068 100083 100221 fs ufsd 100232 100235 536870916 kerbd printer 100234 dtspc xaudio 100146 100147 100150 100134 100229 100230 100242 300326
JASS_TMPFS_SIZE            512m
JASS_UMASK                 022
JASS_UNAME                 5.8
JASS_UNOWNED_FILE
JASS_USER_DIR              /opt/SUNWjass/Drivers
JASS_WRITABLE_FILE

==============================================================================
sunfire_15k_domain-secure.driver.test: Starting finish script: set-term-type.fin
==============================================================================

Setting the default terminal type to 'vt100'.
Adding default terminal type (vt100) to //etc/profile.
Copying //etc/profile to //etc/profile.JASS.20011010114908
Adding default terminal type (vt100) to //etc/.login.
Copying //etc/.login to //etc/.login.JASS.20011010114908

==============================================================================
sunfire_15k_domain-secure.driver.test: Driver finished.
==============================================================================


==============================================================================
sunfire_15k_domain-secure.driver.test: Driver started.
==============================================================================
==============================================================================
JASS Version: 0.3.2
Node name: xcat-domain2
Host ID: 82a84eaf
Host address: 129.148.202.158
MAC address: 8:0:20:f6:42:30
Date: Wed Oct 10 11:49:08 EDT 2001
==============================================================================
==============================================================================
sunfire_15k_domain-secure.driver.test: Copying personalized files.
==============================================================================
Copying ///etc/dt/config/Xaccess from /opt/SUNWjass/Files//etc/dt/config/Xaccess.
Copying ///etc/init.d/inetsvc.test from /opt/SUNWjass/Files//etc/init.d/inetsvc.test.
Copying ///etc/init.d/nddconfig from /opt/SUNWjass/Files//etc/init.d/nddconfig.
Copying ///etc/init.d/set-tmp-permissions from /opt/SUNWjass/Files//etc/init.d/set-tmp-permissions.
Copying ///etc/issue from /opt/SUNWjass/Files//etc/issue.
Copying ///etc/motd to ///etc/motd.JASS.20011010114908
Copying ///etc/motd from /opt/SUNWjass/Files//etc/motd.
Copying ///etc/notrouter from /opt/SUNWjass/Files//etc/notrouter.
Copying ///etc/nsswitch.conf to ///etc/nsswitch.conf.JASS.20011010114909
Copying ///etc/nsswitch.conf from /opt/SUNWjass/Files//etc/nsswitch.conf.
Linking ///etc/rc2.d/S00set-tmp-permissions from /opt/SUNWjass/Files//etc/rc2.d/S00set-tmp-permissions.
Linking ///etc/rc2.d/S07set-tmp-permissions from /opt/SUNWjass/Files//etc/rc2.d/S07set-tmp-permissions.
Linking ///etc/rc2.d/S70nddconfig from /opt/SUNWjass/Files//etc/rc2.d/S70nddconfig.
Copying ///etc/syslog.conf to ///etc/syslog.conf.JASS.20011010114909
Copying ///etc/syslog.conf from /opt/SUNWjass/Files//etc/syslog.conf.
==============================================================================
sunfire_15k_domain-secure.driver.test: Starting finish script: disable-apache.fin
==============================================================================
Disabling Apache startup and shutdown scripts
Renaming //etc/rc3.d/S50apache to //etc/rc3.d/_S50apache.JASS.20011010114910
==============================================================================
sunfire_15k_domain-secure.driver.test: Starting finish script: disable-asppp.fin
==============================================================================
Disabling ASPPP startup and shutdown scripts
Renaming //etc/rc2.d/S47asppp to //etc/rc2.d/_S47asppp.JASS.20011010114910
==============================================================================
sunfire_15k_domain-secure.driver.test: Starting finish script: disable-autoinst.fin
==============================================================================
Disabling sysid/autoinstall startup and shutdown scripts
Renaming //etc/rc2.d/S30sysid.net to //etc/rc2.d/_S30sysid.net.JASS.20011010114910
Renaming //etc/rc2.d/S71sysid.sys to //etc/rc2.d/_S71sysid.sys.JASS.20011010114910
Renaming //etc/rc2.d/S72autoinstall to //etc/rc2.d/_S72autoinstall.JASS.20011010114910
==============================================================================
sunfire_15k_domain-secure.driver.test: Starting finish script: disable-automount.fin
==============================================================================
Disabling Automount startup and shutdown scripts
Renaming //etc/rc2.d/S74autofs to //etc/rc2.d/_S74autofs.JASS.20011010114910
==============================================================================
sunfire_15k_domain-secure.driver.test: Starting finish script: disable-dhcpd.fin
==============================================================================
Disabling DHCP server startup and shutdown scripts
Renaming //etc/rc3.d/S34dhcp to //etc/rc3.d/_S34dhcp.JASS.20011010114910
==============================================================================
sunfire_15k_domain-secure.driver.test: Starting finish script: disable-dmi.fin
==============================================================================
Disabling DMI startup and shutdown scripts
Renaming //etc/rc3.d/S77dmi to //etc/rc3.d/_S77dmi.JASS.20011010114910
==============================================================================
sunfire_15k_domain-secure.driver.test: Starting finish script: disable-dtlogin.fin
==============================================================================
Disabling dtlogin startup and shutdown scripts
Renaming //etc/rc2.d/S99dtlogin to //etc/rc2.d/_S99dtlogin.JASS.20011010114911
==============================================================================
sunfire_15k_domain-secure.driver.test: Starting finish script: disable-keyserv-uid-nobody.fin
==============================================================================
Disabling 'nobody' access to SecureRPC information
Copying //etc/init.d/rpc to //etc/init.d/rpc.JASS.20011010114911
Adding the '-d' option to '/usr/sbin/keyserv' in //etc/init.d/rpc.
==============================================================================
sunfire_15k_domain-secure.driver.test: Starting finish script: disable-ldap-client.fin
==============================================================================
Disabling LDAP client startup and shutdown scripts
Renaming //etc/rc2.d/S71ldap.client to //etc/rc2.d/_S71ldap.client.JASS.20011010114911
==============================================================================
sunfire_15k_domain-secure.driver.test: Starting finish script: disable-lp.fin
==============================================================================
Disabling LP startup and shutdown scripts
Renaming //etc/rc2.d/S80lp to //etc/rc2.d/_S80lp.JASS.20011010114911
Copying //etc/cron.d/cron.deny to //etc/cron.d/cron.deny.JASS.20011010114911
Adding the 'lp' account to the 'cron.deny' file.
Disabling the LP cron entry
Creating backup directory, //var/spool/cron/crontabs.JASS
Moving //var/spool/cron/crontabs/lp to //var/spool/cron/crontabs.JASS/lp.JASS.20011010114911
==============================================================================
sunfire_15k_domain-secure.driver.test: Starting finish script: disable-mipagent.fin
==============================================================================
Disabling Mobile IP agent startup and shutdown scripts
Renaming //etc/rc3.d/S80mipagent to //etc/rc3.d/_S80mipagent.JASS.20011010114911
==============================================================================
sunfire_15k_domain-secure.driver.test: Starting finish script: disable-nfs-client.fin
==============================================================================
Disabling NFS client startup and shutdown scripts
Renaming //etc/rc2.d/S73nfs.client to //etc/rc2.d/_S73nfs.client.JASS.20011010114911
==============================================================================
sunfire_15k_domain-secure.driver.test: Starting finish script: disable-nfs-server.fin
==============================================================================
Disabling NFS server startup and shutdown scripts
Renaming //etc/rc3.d/S15nfs.server to //etc/rc3.d/_S15nfs.server.JASS.20011010114912
==============================================================================
sunfire_15k_domain-secure.driver.test: Starting finish script: disable-nscd-caching.fin
==============================================================================
Disabling caching of information in //etc/nscd.conf.
Copying //etc/nscd.conf to //etc/nscd.conf.JASS.20011010114912
Adding 'enable-cache no' for the passwd, group and hosts entries.
==============================================================================
sunfire_15k_domain-secure.driver.test: Starting finish script: disable-preserve.fin
==============================================================================
Disabling PRESERVE startup and shutdown scripts
Renaming //etc/rc2.d/S80PRESERVE to //etc/rc2.d/_S80PRESERVE.JASS.20011010114912
==============================================================================
sunfire_15k_domain-secure.driver.test: Starting finish script: disable-picld.fin
==============================================================================
Disabling PICL daemon startup and shutdown scripts
Renaming //etc/rcS.d/S95picld to //etc/rcS.d/_S95picld.JASS.20011010114912
==============================================================================
sunfire_15k_domain-secure.driver.test: Starting finish script: disable-power-mgmt.fin
==============================================================================
Disabling power management startup and shutdown scripts
Renaming //etc/rc2.d/S85power to //etc/rc2.d/_S85power.JASS.20011010114912
Creating /noautoshutdown file to disable power management
==============================================================================
sunfire_15k_domain-secure.driver.test: Starting finish script: disable-remote-root-login.fin
==============================================================================
Disabling direct remote root login to the system.
Copying //etc/default/login to //etc/default/login.JASS.20011010114912
Setting the 'CONSOLE' parameter in //etc/default/login.
==============================================================================
sunfire_15k_domain-secure.driver.test: Starting finish script: disable-rhosts.fin
==============================================================================
Disabling the ability to use rhosts authentication.
Copying //etc/pam.conf to //etc/pam.conf.JASS.20011010114912
Commenting the 'rsh' and 'rlogin' entries in //etc/pam.conf that use the 'pam_rhosts_auth' module.
==============================================================================
sunfire_15k_domain-secure.driver.test: Starting finish script: disable-sendmail.fin
==============================================================================
Disabling the ability to accept connections for /usr/lib/sendmail.
Copying ///etc/default/sendmail from /opt/SUNWjass/Files//etc/default/sendmail.
==============================================================================
sunfire_15k_domain-secure.driver.test: Starting finish script: disable-slp.fin
==============================================================================
Disabling SLP startup and shutdown scripts
Renaming //etc/rc2.d/S72slpd to //etc/rc2.d/_S72slpd.JASS.20011010114913
==============================================================================
sunfire_15k_domain-secure.driver.test: Starting finish script: disable-snmp.fin
==============================================================================
Disabling SNMP startup and shutdown scripts
Renaming //etc/rc3.d/S76snmpdx to //etc/rc3.d/_S76snmpdx.JASS.20011010114913
==============================================================================
sunfire_15k_domain-secure.driver.test: Starting finish script: disable-spc.fin
==============================================================================
Disabling SPC startup and shutdown scripts
Renaming //etc/rc2.d/S80spc to //etc/rc2.d/_S80spc.JASS.20011010114913
==============================================================================
sunfire_15k_domain-secure.driver.test: Starting finish script: disable-syslogd-listen.fin
==============================================================================
Preventing syslogd from listening for remote connections.
syslogd will not accept connections from other systems.
Copying //etc/init.d/syslog to //etc/init.d/syslog.JASS.20011010114913
Adding the '-t' option to /usr/sbin/syslogd in //etc/init.d/syslog.
==============================================================================
sunfire_15k_domain-secure.driver.test: Starting finish script: disable-system-accounts.fin
==============================================================================
Disabling accounts by changing their shell to /sbin/noshell.
Installing the /sbin/noshell shell script as //sbin/noshell.
Copying ///sbin/noshell from /opt/SUNWjass/Files//sbin/noshell.
Copying //etc/passwd to //etc/passwd.JASS.20011010114913
Disabling account, daemon.
Disabling account, bin.
Disabling account, adm.
Disabling account, lp.
Disabling account, uucp.
Disabling account, nuucp.
Disabling account, nobody.
Disabling account, listen.
Disabling account, noaccess.
Disabling account, nobody4.
==============================================================================
sunfire_15k_domain-secure.driver.test: Starting finish script: disable-uucp.fin
==============================================================================
Disabling UUCP startup and shutdown scripts
Renaming //etc/rc2.d/S70uucp to //etc/rc2.d/_S70uucp.JASS.20011010114916
Removing the nuucp system account
Copying //etc/passwd to //etc/passwd.JASS.20011010114916
Copying //etc/shadow to //etc/shadow.JASS.20011010114916
Removing the UUCP cron entry
Moving //var/spool/cron/crontabs/uucp to //var/spool/cron/crontabs.JASS/uucp.JASS.20011010114918
==============================================================================
sunfire_15k_domain-secure.driver.test: Starting finish script: disable-vold.fin
==============================================================================
Disabling Volume Management startup and shutdown scripts
Renaming //etc/rc2.d/S92volmgt to //etc/rc2.d/_S92volmgt.JASS.20011010114919
==============================================================================
sunfire_15k_domain-secure.driver.test: Starting finish script: disable-wbem.fin
==============================================================================
Disabling WBEM startup and shutdown scripts
Renaming //etc/rc2.d/S90wbem to //etc/rc2.d/_S90wbem.JASS.20011010114919
==============================================================================
sunfire_15k_domain-secure.driver.test: Starting finish script: enable-ftp-syslog.fin
==============================================================================
Enabling enhanced logging for the FTP daemon.
Copying //etc/inet/inetd.conf to //etc/inet/inetd.conf.JASS.20011010114919
Adding the '-l' option to /usr/sbin/in.ftpd in //etc/inet/inetd.conf.
==============================================================================
sunfire_15k_domain-secure.driver.test: Starting finish script: enable-inetd-syslog.fin
==============================================================================
Configuring the Internet services daemon to log all incoming connections.
Copying //etc/init.d/inetsvc to //etc/init.d/inetsvc.JASS.20011010114919
Adding the '-t' option to /usr/sbin/inetd in //etc/init.d/inetsvc.
==============================================================================
sunfire_15k_domain-secure.driver.test: Starting finish script: enable-priv-nfs-ports.fin
==============================================================================
Configure NFS server daemon to accept connections/requests from privileged ports only.
Copying //etc/system to //etc/system.JASS.20011010114919
Adding 'set nfssrv:nfs_portmon=1' to //etc/system.
==============================================================================
sunfire_15k_domain-secure.driver.test: Starting finish script: enable-rfc1948.fin
==============================================================================
Enabling RFC 1948 sequence number generation.
Copying //etc/default/inetinit to //etc/default/inetinit.JASS.20011010114919
Setting 'TCP_STRONG_ISS' to '2' in //etc/default/inetinit.
==============================================================================
sunfire_15k_domain-secure.driver.test: Starting finish script: enable-stack-protection.fin
==============================================================================
Enabling kernel-level stack protections and logging.
Copying //etc/system to //etc/system.JASS.20011010114920
Adding 'set noexec_user_stack=1' to //etc/system.
Adding 'set noexec_user_stack_log=1' to //etc/system.
==============================================================================
sunfire_15k_domain-secure.driver.test: Starting finish script: install-at-allow.fin
==============================================================================
Updating 'at' facility access controls (at.allow)
==============================================================================
sunfire_15k_domain-secure.driver.test: Starting finish script: install-ftpusers.fin
==============================================================================
Restricting access to the 'FTP' service.
Copying //etc/ftpusers to //etc/ftpusers.JASS.20011010114920
Adding root to //etc/ftpusers.
==============================================================================
sunfire_15k_domain-secure.driver.test: Starting finish script: install-loginlog.fin
==============================================================================
Creating log file to track failed login attempts.
Creating the //var/adm/loginlog file.
==============================================================================
sunfire_15k_domain-secure.driver.test: Starting finish script: install-newaliases.fin
==============================================================================
sunfire_15k_domain-secure.driver.test: NOTE : The 'newaliases' link for 'sendmail' is already installed.
==============================================================================
sunfire_15k_domain-secure.driver.test: Starting finish script: install-sadmind-options.fin
==============================================================================
Configuring the system administration daemon.
Copying //etc/inet/inetd.conf to //etc/inet/inetd.conf.JASS.20011010114920
Adding the '-S 2' to /usr/sbin/sadmind in //etc/inet/inetd.conf.
==============================================================================
sunfire_15k_domain-secure.driver.test: Starting finish script: install-security-mode.fin
==============================================================================
The EEPROM security-mode parameter is set as: none.
To improve the security of the system, the following command should be executed manually from the operating system. For more information on this command and its possible values, refer to the eeprom(1M) manual entry.
eeprom "security-mode=command"
The current number of EEPROM 'badlogins' is 0.
Setting the number of badlogins to 0.
==============================================================================
sunfire_15k_domain-secure.driver.test: Starting finish script: install-shells.fin
==============================================================================
Defining valid shells for this system.
Copying //etc/shells to //etc/shells.JASS.20011010114922
Adding /usr/bin/sh to //etc/shells.
Adding /usr/bin/csh to //etc/shells.
Adding /usr/bin/ksh to //etc/shells.
Adding /usr/bin/jsh to //etc/shells.
Adding /bin/sh to //etc/shells.
Adding /bin/csh to //etc/shells.
Adding /bin/ksh to //etc/shells.
Adding /bin/jsh to //etc/shells.
Adding /sbin/sh to //etc/shells.
Adding /sbin/jsh to //etc/shells.
Adding /bin/bash to //etc/shells.
Adding /bin/pfcsh to //etc/shells.
Adding /bin/pfksh to //etc/shells.
Adding /bin/pfsh to //etc/shells.
Adding /bin/tcsh to //etc/shells.
Adding /bin/zsh to //etc/shells.
Adding /usr/bin/bash to //etc/shells.
Adding /usr/bin/pfcsh to //etc/shells.
Adding /usr/bin/pfksh to //etc/shells.
Adding /usr/bin/pfsh to //etc/shells.
Adding /usr/bin/tcsh to //etc/shells.
Adding /usr/bin/zsh to //etc/shells.
==============================================================================
sunfire_15k_domain-secure.driver.test: Starting finish script: install-sulog.fin
==============================================================================
Creating log file to track attempts to use 'su'.
sunfire_15k_domain-secure.driver.test: NOTE : //var/adm/sulog already exists.
==============================================================================
sunfire_15k_domain-secure.driver.test: Starting finish script: remove-unneeded-accounts.fin
==============================================================================
Removing non-essential accounts.
Copying //etc/passwd to //etc/passwd.JASS.20011010114922
Copying //etc/shadow to //etc/shadow.JASS.20011010114922
Removing the account, listen, from the system.
Removing the account, nobody4, from the system.
==============================================================================
sunfire_15k_domain-secure.driver.test: Starting finish script: set-banner-ftpd.fin
==============================================================================
Setting the banner for the FTP daemon.
Copying //etc/default/ftpd to //etc/default/ftpd.JASS.20011010114923
Setting 'BANNER' to '"Authorized Use Only"' in //etc/default/ftpd.
==============================================================================
sunfire_15k_domain-secure.driver.test: Starting finish script: set-banner-telnetd.fin
==============================================================================
Setting the banner for the TELNET daemon.
Copying //etc/default/telnetd to //etc/default/telnetd.JASS.20011010114924
Setting 'BANNER' to '"Authorized Use Only"' in //etc/default/telnetd.
==============================================================================
sunfire_15k_domain-secure.driver.test: Starting finish script: set-ftpd-umask.fin
==============================================================================
Setting the default file creation mask for the FTP daemon.
Copying //etc/default/ftpd to //etc/default/ftpd.JASS.20011010114924
Setting 'UMASK' to '022' in //etc/default/ftpd.
==============================================================================
sunfire_15k_domain-secure.driver.test: Starting finish script: set-login-retries.fin
==============================================================================
Limiting number of failed login attempts permitted before the 'login' program exits.
Copying //etc/default/login to //etc/default/login.JASS.20011010114924
Setting 'RETRIES' to '3' in //etc/default/login.
==============================================================================
sunfire_15k_domain-secure.driver.test: Starting finish script: set-power-restrictions.fin
==============================================================================
Restricting access to power management functions.
Changing PMCHANGEPERM setting from console-owner to -.
Changing CPRCHANGEPERM setting from console-owner to -.
Copying //etc/default/power to //etc/default/power.JASS.20011010114924
==============================================================================
sunfire_15k_domain-secure.driver.test: Starting finish script: set-rmmount-nosuid.fin
==============================================================================
Preventing removable media types from being mounted set-uid.
==============================================================================
sunfire_15k_domain-secure.driver.test: Starting finish script: set-sys-suspend-restrictions.fin
==============================================================================
Restricting access to suspend/resume functions.
Changing PERMS setting from console-owner to -.
Copying //etc/default/sys-suspend to //etc/default/sys-suspend.JASS.20011010114924
==============================================================================
sunfire_15k_domain-secure.driver.test: Starting finish script: set-system-umask.fin
==============================================================================
Setting system-wide default file creation mask.
No changes necessary for Solaris 8+.
The CMASK variable in //etc/default/init is set correctly to 022.
==============================================================================
sunfire_15k_domain-secure.driver.test: Starting finish script: set-tmpfs-limit.fin
==============================================================================
Setting limits on the usable size of the /tmp filesystem.
Copying //etc/vfstab to //etc/vfstab.JASS.20011010114925
Setting maximum /tmp filesystem size to be 512m
==============================================================================
sunfire_15k_domain-secure.driver.test: Starting finish script: set-user-password-reqs.fin
==============================================================================
Installing user password requirements.
Changing MINWEEKS setting from NONE to 1.
Changing MAXWEEKS setting from NONE to 8.
Changing WARNWEEKS setting from NONE to 1.
Changing PASSLENGTH setting from 6 to 8.
Copying //etc/default/passwd to //etc/default/passwd.JASS.20011010114925
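The finish scripts above record the exact values they write to /etc/default/login, /etc/default/inetinit, /etc/default/passwd, /etc/default/ftpd, /etc/default/telnetd, /etc/system and /etc/ftpusers. The Python script below is an added example, not part of this document or of the Solaris Security Toolkit: it re-reads those files on a domain and reports every value that no longer matches what the driver set, which is the check to run after a patch cluster or an application install, since either can replace a /etc/default file. The sample file contents embedded in it are constructed; CONSOLE is only checked for being set, because the driver output records that it set the parameter but not the value (normally /dev/console).

```python
"""Re-check the settings the sunfire_15k_domain-secure driver reports writing.

Added example; not part of this document or of the Solaris Security Toolkit.
Run on a hardened domain it re-reads the live files and prints any drift.
"""
import re
import sys

# Expected KEY=VALUE pairs per /etc/default file, taken from the driver output.
# None means "must be set and non-empty": the driver logs that it set CONSOLE
# but not the value (normally /dev/console), so only presence is checked.
EXPECTED_DEFAULTS = {
    "/etc/default/login": {"CONSOLE": None, "RETRIES": "3", "UMASK": "022"},
    "/etc/default/inetinit": {"TCP_STRONG_ISS": "2"},
    "/etc/default/passwd": {"MINWEEKS": "1", "MAXWEEKS": "8",
                            "WARNWEEKS": "1", "PASSLENGTH": "8"},
    "/etc/default/ftpd": {"UMASK": "022", "BANNER": '"Authorized Use Only"'},
    "/etc/default/telnetd": {"BANNER": '"Authorized Use Only"'},
}
# Kernel tunables the driver adds to /etc/system.
EXPECTED_SYSTEM = {"noexec_user_stack": "1", "noexec_user_stack_log": "1",
                   "nfssrv:nfs_portmon": "1"}

_ASSIGN = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)=(.*)$")
_SET = re.compile(r"^\s*set\s+([A-Za-z0-9_:]+)\s*=\s*(\S+)")

def parse_defaults(text):
    """Effective KEY=VALUE pairs of a /etc/default file: '#' lines are comments
    and a later assignment overrides an earlier one, as when sh sources it."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            m = _ASSIGN.match(line)
            if m:
                settings[m.group(1)] = m.group(2).strip()
    return settings

def parse_system(text):
    """'set name=value' lines of /etc/system ('*' starts a comment there)."""
    return {m.group(1): m.group(2)
            for m in map(_SET.match, text.splitlines()) if m}

def parse_userlist(text):
    """Usernames from a one-per-line file such as /etc/ftpusers."""
    names = (line.strip() for line in text.splitlines())
    return {n for n in names if n and not n.startswith("#")}

def audit(files):
    """files maps a path to its content. Returns the sorted findings; an
    empty list means every checked value still matches the driver output."""
    findings = []
    for path, expected in EXPECTED_DEFAULTS.items():
        if path not in files:
            findings.append(f"{path}: file missing")
            continue
        actual = parse_defaults(files[path])
        for key, value in expected.items():
            if not actual.get(key):
                findings.append(f"{path}: {key} not set")
            elif value is not None and actual[key] != value:
                findings.append(f"{path}: {key}={actual[key]} (expected {value})")
    tunables = parse_system(files.get("/etc/system", ""))
    for key, value in EXPECTED_SYSTEM.items():
        if tunables.get(key) != value:
            findings.append(f"/etc/system: set {key}={value} missing")
    if "root" not in parse_userlist(files.get("/etc/ftpusers", "")):
        findings.append("/etc/ftpusers: root not listed")
    return sorted(findings)

def read_files(paths):
    """Read the live files; a missing one is left out so audit() reports it."""
    files = {}
    for path in paths:
        try:
            with open(path) as fh:
                files[path] = fh.read()
        except OSError:
            pass
    return files

# Constructed sample contents; not captured from the domain in the log above.
HARDENED = {
    "/etc/default/login": "# login defaults\nCONSOLE=/dev/console\n"
                          "PASSREQ=YES\nRETRIES=3\nUMASK=022\n",
    "/etc/default/inetinit": "TCP_STRONG_ISS=2\n",
    "/etc/default/passwd": "MAXWEEKS=8\nMINWEEKS=1\nWARNWEEKS=1\nPASSLENGTH=8\n",
    "/etc/default/ftpd": 'BANNER="Authorized Use Only"\nUMASK=022\n',
    "/etc/default/telnetd": 'BANNER="Authorized Use Only"\n',
    "/etc/system": "* kernel tunables\nset noexec_user_stack=1\n"
                   "set noexec_user_stack_log=1\nset nfssrv:nfs_portmon=1\n",
    "/etc/ftpusers": "root\ndaemon\nbin\n",
}
# The same files after something reset four of them (constructed).
DRIFTED = dict(HARDENED)
DRIFTED["/etc/default/login"] = "#CONSOLE=/dev/console\nRETRIES=5\nUMASK=022\n"
DRIFTED["/etc/default/inetinit"] = "TCP_STRONG_ISS=1\n"
DRIFTED["/etc/system"] = "* nothing set\n"
DRIFTED["/etc/ftpusers"] = "daemon\n"

if __name__ == "__main__":
    paths = list(EXPECTED_DEFAULTS) + ["/etc/system", "/etc/ftpusers"]
    found = audit(read_files(paths))
    print("\n".join(found) or "no drift from the driver settings")
    sys.exit(1 if found else 0)
```

Run as root on the domain it exits non-zero when anything drifted, so it can sit in cron next to the driver's own logchecker. The /etc/system checks only tell you what the file says; after editing it the kernel values take effect at the next boot, so a reported tunable that was added but not yet booted is a finding worth reading, not a false positive.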

==============================================================================
sunfire_15k_domain-secure.driver.test: Starting finish script: set-user-umask.fin
==============================================================================
Configuring default file creation mask parameters for users.
Setting umask (UMASK) value to 022 in //etc/.login
Copying //etc/.login to //etc/.login.JASS.20011010114925
Setting umask (UMASK) value to 022 in //etc/profile
Setting umask (UMASK) value to 022 in //etc/skel/local.cshrc
Setting umask (UMASK) value to 022 in //etc/skel/local.login
Copying //etc/skel/local.login to //etc/skel/local.login.JASS.20011010114925
Setting umask (UMASK) value to 022 in //etc/skel/local.profile
Copying //etc/skel/local.profile to //etc/skel/local.profile.JASS.20011010114925
Setting umask (UMASK) value to 022 in //etc/default/login
Copying //etc/default/login to //etc/default/login.JASS.20011010114925
==============================================================================
sunfire_15k_domain-secure.driver.test: Starting finish script: update-at-deny.fin
==============================================================================
Updating 'at' facility access controls (at.deny)
Copying //etc/cron.d/at.deny to //etc/cron.d/at.deny.JASS.20011010114925
Adding root to //etc/cron.d/at.deny
Adding sys to //etc/cron.d/at.deny
Adding adm to //etc/cron.d/at.deny
Adding lp to //etc/cron.d/at.deny
Adding uucp to //etc/cron.d/at.deny
Adding oracle to //etc/cron.d/at.deny
Adding apache to //etc/cron.d/at.deny
==============================================================================
sunfire_15k_domain-secure.driver.test: Starting finish script: update-cron-allow.fin
==============================================================================
Updating cron facility access controls (cron.allow)
Copying //etc/cron.d/cron.allow to //etc/cron.d/cron.allow.JASS.20011010114927
Adding root to //etc/cron.d/cron.allow.
==============================================================================
sunfire_15k_domain-secure.driver.test: Starting finish script: update-cron-deny.fin
==============================================================================
Updating cron facility access controls (cron.deny)
Account, root, will not be added to //etc/cron.d/cron.deny.
Copying //etc/cron.d/cron.deny to //etc/cron.d/cron.deny.JASS.20011010114927
Adding sys to //etc/cron.d/cron.deny.
Adding adm to //etc/cron.d/cron.deny.
Adding uucp to //etc/cron.d/cron.deny.
==============================================================================
sunfire_15k_domain-secure.driver.test: Starting finish script: update-cron-log-size.fin
==============================================================================
Setting maximum size limits for the CRON facility log file.
Copying //etc/cron.d/logchecker to //etc/cron.d/logchecker.JASS.20011010114928
Setting the maximum size of the CRON facility log to 20480 from its previous value of 1024.
==============================================================================
sunfire_15k_domain-secure.driver.test: Starting finish script: update-inetd-conf.fin
==============================================================================
Disabling unnecessary services in //etc/inet/inetd.conf.
Copying //etc/inet/inetd.conf to //etc/inet/inetd.conf.JASS.20011010114928
Disabling service, ftp (/usr/sbin/in.ftpd).
Disabling service, telnet (/usr/sbin/in.telnetd).
Disabling service, name (/usr/sbin/in.tnamed).
Disabling service, talk (/usr/sbin/in.talkd).
Disabling service, uucp (/usr/sbin/in.uucpd).
Disabling service, finger (/usr/sbin/in.fingerd).
Disabling service, rquotad (/usr/lib/nfs/rquotad).
Disabling service, rusersd (/usr/lib/netsvc/rusers/rpc.rusersd).
Disabling service, sprayd (/usr/lib/netsvc/spray/rpc.sprayd).
Disabling service, walld (/usr/lib/netsvc/rwall/rpc.rwalld).
Disabling service, shell (/usr/sbin/in.rshd).
Disabling service, login (/usr/sbin/in.rlogind).
Disabling service, exec (/usr/sbin/in.rexecd).
Disabling service, comsat (/usr/sbin/in.comsat).
Disabling service, time (internal).
Disabling service, echo (internal).
Disabling service, discard (internal).
Disabling service, daytime (internal).
Disabling service, chargen (internal).
Disabling service, rstatd (/usr/lib/netsvc/rstat/rpc.rstatd).
Disabling service, 100068 (/usr/dt/bin/rpc.cmsd).
Disabling service, 100083 (/usr/dt/bin/rpc.ttdbserverd).
Disabling service, 100221 (/usr/openwin/bin/kcms_server).
Disabling service, fs (/usr/openwin/lib/fs.auto).
Disabling service, 100232 (/usr/sbin/sadmind).
Disabling service, 100235 (/usr/lib/fs/cachefs/cachefsd).
Disabling service, printer (/usr/lib/print/in.lpd).
Disabling service, 100234 (/usr/lib/gss/gssd).
Disabling service, dtspc (/usr/dt/bin/dtspcd).
Disabling service, 100146 (/usr/lib/security/amiserv).
Disabling service, 100147 (/usr/lib/security/amiserv).
Disabling service, 100150 (/usr/sbin/ocfserv).
Disabling service, 100134 (/usr/lib/krb5/ktkt_warnd).
Disabling service, 100229 (/usr/sbin/rpc.metad).
Disabling service, 100230 (/usr/sbin/rpc.metamhd).
Disabling service, 300326 (/platform/SUNW,Ultra-Enterprise-10000/lib/dr_daemon).
==============================================================================
sunfire_15k_domain-secure.driver.test: Driver finished.
==============================================================================
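Every change in the driver output above leaves a trail in the log: a backup copy suffixed .JASS.<timestamp>, an rc script renamed with a leading underscore, a crontab moved aside, a 'Setting' line or a 'Disabling service' line. The Python below is an added example, not part of this document or of the Solaris Security Toolkit: it parses a saved driver log into a manifest of those changes, each tagged with the finish script that made it, and derives the shell commands that would put the files back. The log excerpt embedded in it is assembled from lines of the run above; the function names are this example's own.

```python
"""Turn a saved Solaris Security Toolkit driver log into a change manifest
and an undo plan.

Added example; not part of this document or of the Solaris Security Toolkit.
Usage: python3 jass_manifest.py driver.log   (no argument: the embedded excerpt)
"""
import re
import sys

# The line shapes the driver output uses to record a change.
_PATTERNS = [
    ("script", re.compile(r"Starting finish script: (\S+)$")),
    ("backup", re.compile(r"^Copying (\S+) to (\S+?)\.?$")),
    ("rename", re.compile(r"^Renaming (\S+) to (\S+?)\.?$")),
    ("move", re.compile(r"^Moving (\S+) to (\S+?)\.?$")),
    ("setting", re.compile(r"^Setting '([^']+)' to '(.*)' in (\S+?)\.?$")),
    ("service", re.compile(r"^Disabling service, (\S+) \((.+)\)\.?$")),
]

def _clean(path):
    """The toolkit joins its root prefix to every path, which shows in the
    log as '//etc/x' or '///etc/x'; collapse the leading slashes."""
    return re.sub(r"^/+", "/", path)

def parse_jass_log(text):
    """Return the list of changes, each tagged with the finish script that
    made it (None for the 'Copying personalized files' phase)."""
    manifest, script = [], None
    for line in text.splitlines():
        line = line.strip()
        for kind, pat in _PATTERNS:
            m = pat.search(line)
            if not m:
                continue
            if kind == "script":
                script = m.group(1)
            elif kind == "backup":
                manifest.append({"script": script, "action": kind,
                                 "path": _clean(m.group(1)),
                                 "backup": _clean(m.group(2))})
            elif kind in ("rename", "move"):
                manifest.append({"script": script, "action": kind,
                                 "old": _clean(m.group(1)),
                                 "new": _clean(m.group(2))})
            elif kind == "setting":
                manifest.append({"script": script, "action": kind,
                                 "key": m.group(1), "value": m.group(2),
                                 "path": _clean(m.group(3))})
            else:
                manifest.append({"script": script, "action": kind,
                                 "name": m.group(1), "program": m.group(2)})
            break
    return manifest

def undo_plan(manifest):
    """Shell commands that put the files back. A file edited by several
    finish scripts is backed up once per script (/etc/passwd three times in
    the run above); only the first copy predates the run, so that is the one
    restored. Renames and moves are reversed in reverse order."""
    cmds, restored = [], set()
    for change in manifest:
        if change["action"] == "backup" and change["path"] not in restored:
            restored.add(change["path"])
            cmds.append(f"cp -p {change['backup']} {change['path']}")
    for change in reversed(manifest):
        if change["action"] in ("rename", "move"):
            cmds.append(f"mv {change['new']} {change['old']}")
    return cmds

# Excerpt assembled from lines of the driver output above.
SAMPLE_LOG = """\
sunfire_15k_domain-secure.driver.test: Starting finish script: disable-apache.fin
Disabling Apache startup and shutdown scripts
Renaming //etc/rc3.d/S50apache to //etc/rc3.d/_S50apache.JASS.20011010114910
sunfire_15k_domain-secure.driver.test: Starting finish script: disable-system-accounts.fin
Copying //etc/passwd to //etc/passwd.JASS.20011010114913
Disabling account, daemon.
sunfire_15k_domain-secure.driver.test: Starting finish script: disable-uucp.fin
Renaming //etc/rc2.d/S70uucp to //etc/rc2.d/_S70uucp.JASS.20011010114916
Copying //etc/passwd to //etc/passwd.JASS.20011010114916
Moving //var/spool/cron/crontabs/uucp to //var/spool/cron/crontabs.JASS/uucp.JASS.20011010114918
sunfire_15k_domain-secure.driver.test: Starting finish script: set-login-retries.fin
Copying //etc/default/login to //etc/default/login.JASS.20011010114924
Setting 'RETRIES' to '3' in //etc/default/login.
sunfire_15k_domain-secure.driver.test: Starting finish script: update-inetd-conf.fin
Disabling service, telnet (/usr/sbin/in.telnetd).
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOG
    changes = parse_jass_log(text)
    for change in changes:
        print(change)
    print("# undo plan")
    print("\n".join(undo_plan(changes)))
```

The plan only covers what the log records as a backup, rename or move. Files the driver installed without first taking a copy (/etc/notrouter, /noautoshutdown, the /etc/rc2.d links made in the "Copying personalized files" phase) and lines that state a change without a value ('Setting the CONSOLE parameter', the umask edits) are reverted only through the backup of the same file, or not at all; review the plan before running it as root, and keep the .JASS.<timestamp> copies, since they are the only record of the pre-run state.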
