TABLE OF CONTENTS
Internal
Page 2 of 23
HARDENING PROCEDURE
1.1 Introduction
The file systems and local security of a Solaris Operating Environment system must not be neglected. Administrators are often greatly concerned about attackers breaking into systems remotely; there should be equal concern for local, authorized users gaining extra privileges on a system by exploiting a weakness in internal system security.
Procedure
Typically, there should be separate partitions for:
/ (root file system)
/usr
/var
/opt
/tmp
/home (user partition)
Create additional partitions with the format command. Keeping /var, /tmp and /home separate from / means that a user, a runaway process or growing logs filling one of them cannot fill the root file system.
Note: Most applications install themselves in /opt or /usr/local; check an application's installation directory before allocating space. On Solaris, /home is normally served by the automounter from /export/home, so the user partition is usually /export/home.
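As an added example (not part of the original procedure), the following shell functions check a vfstab for the separate file systems listed above. They assume the /etc/vfstab format (whitespace-separated fields, third field is the mount point, # starts a comment); the sample vfstab and the REQUIRED_MOUNTS list are constructed for this example.

```shell
# Added example, not part of the original procedure: report which of the
# directories the procedure lists have no file system of their own, by
# reading a vfstab (assumed /etc/vfstab format: whitespace-separated fields,
# third field = mount point, '#' starts a comment).

REQUIRED_MOUNTS="/ /usr /var /opt /tmp /home"

# missing_mounts [VFSTAB_FILE]
# Prints each required mount point that has no vfstab entry, one per line.
# Returns 0 when every required mount point is present, 1 otherwise.
# With no argument, the vfstab is read from standard input.
missing_mounts() {
    awk -v req="$REQUIRED_MOUNTS" '
        BEGIN { n = split(req, want, " ") }
        /^[ \t]*#/ || NF < 3 { next }          # skip comments and short lines
        { seen[$3] = 1 }                        # $3 is the mount point
        END {
            missing = 0
            for (i = 1; i <= n; i++)
                if (!(want[i] in seen)) { print want[i]; missing = 1 }
            exit missing
        }' "$@"
}

# Constructed sample vfstab: /opt and /home have no file system of their own.
SAMPLE_VFSTAB="${TMPDIR:-/tmp}/vfstab.sample.$$"
cat > "$SAMPLE_VFSTAB" <<'EOF'
#device             device              mount           FS     fsck  mount    mount
#to mount           to fsck             point           type   pass  at boot  options
fd                  -                   /dev/fd         fd     -     no       -
/proc               -                   /proc           proc   -     no       -
/dev/dsk/c0t0d0s1   -                   -               swap   -     no       -
/dev/dsk/c0t0d0s0   /dev/rdsk/c0t0d0s0  /               ufs    1     no       -
/dev/dsk/c0t0d0s6   /dev/rdsk/c0t0d0s6  /usr            ufs    1     no       -
/dev/dsk/c0t0d0s3   /dev/rdsk/c0t0d0s3  /var            ufs    1     no       -
/dev/dsk/c0t0d0s7   /dev/rdsk/c0t0d0s7  /export/home    ufs    2     yes      -
swap                -                   /tmp            tmpfs  -     yes      -
EOF

# Usage on a live system:  missing_mounts /etc/vfstab
# Against the sample this prints /opt and /home and returns 1.
missing_mounts "$SAMPLE_VFSTAB" || :
```

Because the check reads vfstab rather than the output of df, it reports what will be mounted at the next boot, which is what matters after a re-partitioning; run it against /etc/vfstab before the reboot that follows the format step.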
2.1 Introduction
Sun provides patches for the Solaris Operating Environment and for unbundled software products. Recommended, security and other patches for the Solaris Operating Environment can be downloaded from sunsolve.sun.com. All systems should have the latest recommended, security and application patches installed.
2.2
init 0                      # Shut the system down to the ok prompt
boot -s                     # At the ok prompt: boot in single-user mode
mkdir /var/spool/patch      # The directory may already exist; create it if not
cp [patch.zip] /var/spool/patch
cd /var/spool/patch
unzip [102548-01.zip]
patchadd 102548-01
init 6                      # Reboot the system if the patch requires a reboot to take effect
Note: Schedule downtime for the machine if the patch requires a reboot, and ensure that no users are connected to the system while patches are being applied.
Examine all system init scripts afterwards, and test every patch on a non-production system first, to discover any configuration changes the patch makes.
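The procedure above installs one patch; keeping a system at the required patch level also needs a way to compare what is installed against what is required. The following is an added example (not part of the original procedure) that parses the output of showrev -p. It assumes the showrev -p line format (Patch: id-rev Obsoletes: ... Requires: ... Incompatibles: ... Packages: ...) and treats a patch that obsoletes a required one as satisfying it. The required-patch list and the showrev output are constructed; apart from 102548-01, the patch ids are illustrative.

```shell
# Added example, not from the original procedure: compare the patches a host
# reports via `showrev -p` against a required list, honouring revisions and
# the "Obsoletes:" field. Assumes the showrev -p line format
#   Patch: 105181-05 Obsoletes: 105182-01, ... Requires: ... Incompatibles: ... Packages: ...

# patch_status REQUIRED_FILE SHOWREV_FILE
# REQUIRED_FILE: one "patchid-rev" per line (# comments allowed).
# SHOWREV_FILE: output of showrev -p.
# Prints one line per required patch that is missing or below the required
# revision; returns 0 when every required patch is satisfied, 1 otherwise.
patch_status() {
    awk '
        # Remember the highest revision seen for a patch id, whether it came
        # from the Patch: field or from an Obsoletes: entry.
        function record(tok,   p) {
            sub(/,$/, "", tok)
            split(tok, p, "-")
            if (p[2] + 0 > have[p[1]]) have[p[1]] = p[2] + 0
        }
        NR == FNR {                      # first file: the required list
            if ($1 != "" && $1 !~ /^#/) { split($1, p, "-"); need[p[1]] = p[2] + 0 }
            next
        }
        $1 == "Patch:" {                 # second file: showrev -p lines
            record($2)
            for (i = 3; i <= NF && $i != "Requires:"; i++)
                if ($i != "Obsoletes:") record($i)
        }
        END {
            bad = 0
            for (id in need) {
                if (!(id in have))
                    { printf "%s-%02d MISSING\n", id, need[id]; bad = 1 }
                else if (have[id] < need[id])
                    { printf "%s-%02d OUTDATED (installed -%02d)\n", id, need[id], have[id]; bad = 1 }
            }
            exit bad
        }' "$1" "$2"
}

SAMPLE_DIR="${TMPDIR:-/tmp}/patchcheck.$$"
mkdir -p "$SAMPLE_DIR"

# Constructed required-patch list (ids other than 102548-01 are illustrative).
cat > "$SAMPLE_DIR/required" <<'EOF'
# patches this site requires
102548-01
105181-09
106794-01
108528-01
EOF

# Constructed showrev -p output: 105181 is installed at an older revision,
# 106794-01 is covered because 106793-03 obsoletes it, 108528 is absent.
cat > "$SAMPLE_DIR/showrev" <<'EOF'
Patch: 102548-01 Obsoletes: Requires: Incompatibles: Packages: SUNWcsu
Patch: 105181-05 Obsoletes: Requires: Incompatibles: Packages: SUNWcsu, SUNWcsr
Patch: 106793-03 Obsoletes: 106794-01, 107042-01 Requires: 105181-05 Incompatibles: Packages: SUNWcsu
EOF

# Usage on a live system:
#   showrev -p > /tmp/showrev.out
#   patch_status required.txt /tmp/showrev.out
```

Against the sample, the report lists 105181-09 as outdated (installed -05) and 108528-01 as missing, and returns 1; it says nothing about 106794-01 because a patch that obsoletes it is installed.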
Securing Accounts
Managing user and system accounts is an important aspect of the Solaris Operating
Environment security. Some system accounts may need to be modified or deleted.
# userdel smtp
Procedure
The console device is defined by the following entry in /etc/default/login:
CONSOLE=/dev/console
Note: If this line is commented out, root can log in directly over the network (for example via telnet) as well as at the console. This is insecure and should be avoided; do not alter the default configuration. Administrators log in under their own accounts and use su to become root.
CONSOLE=-
A login warning banner such as the following should be displayed (typically placed in /etc/issue and /etc/motd):
!!!WARNING!!!
This system is for the use of authorized xxx personnel and channel partners only. By accessing this system you consent to the system being monitored by xxx. Any unauthorized use will be considered a breach of xxx information security policies and may also be unlawful. xxx reserves the right to take any action, including disciplinary action or legal proceedings in a court of law, against persons involved in violating the access restrictions herein.
3.9 Restrict su command
You can restrict which users are permitted to su to root on the server.
Procedure
If the wheel group has been removed, create one by following the steps below:
# /usr/sbin/groupadd -g 13 wheel
# /usr/bin/chgrp wheel /usr/bin/su /sbin/su.static
# /usr/bin/chmod 4550 /usr/bin/su /sbin/su.static
Note: The GID for the wheel group does not need to be 13; any unused GID can be used. With mode 4550, su stays set-uid root but is executable only by root and by members of the wheel group, so users outside the group cannot run it at all.
You will need to edit /etc/group to add users to the wheel group. Add the users to the wheel group using the following command. Given below is an example of an existing user, test, being added to the wheel group.
System services are started by the init system. Some services are not necessary for system operation and should be disabled; others may allow the system to be compromised if they are incorrectly configured.
Note: The list of services to disable is determined from an initial study of the system. Disable a service started by inetd by putting a hash sign (#) in front of its entry in /etc/inetd.conf.
Procedure: to disable rlogin in /etc/inetd.conf, insert the # as shown below. The inetd.conf service name for in.rlogind is login (rsh and rexec are the shell and exec entries).
#login stream tcp nowait root /usr/sbin/in.rlogind in.rlogind
Note: If you want changes made to /etc/inetd.conf to take effect immediately without rebooting the server, run the command given below.
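Commenting entries out by hand is error-prone on a long inetd.conf, so the following added example (not part of the original procedure) does it from a list of service names and lists what remains active afterwards. It assumes the Solaris inetd.conf layout (service name in the first field, # starting a comment) and works on any copy of the file; the sample inetd.conf is constructed. Signalling inetd is left to the operator, as in the note above.

```shell
# Added example, not from the original procedure: comment out a set of
# services in an inetd.conf and list the services that remain active.
# Assumes the Solaris inetd.conf layout (service name is the first field,
# '#' starts a comment); it does not signal inetd itself.

# active_inetd_services INETD_CONF
# Prints the service name of every uncommented entry.
active_inetd_services() {
    awk '!/^[ \t]*#/ && NF >= 6 { print $1 }' "$1"
}

# disable_inetd_services INETD_CONF SERVICE...
# Prefixes '#' to every active entry whose service name is listed.
# Entries already commented out are left untouched, so the call is idempotent.
# The file is rewritten in place (content replaced; inode and mode are kept).
disable_inetd_services() {
    conf="$1"; shift
    tmp="${TMPDIR:-/tmp}/inetd.conf.$$"
    awk -v names="$*" '
        BEGIN { n = split(names, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        !/^[ \t]*#/ && ($1 in want) { print "#" $0; next }
        { print }' "$conf" > "$tmp" && cat "$tmp" > "$conf"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Constructed inetd.conf excerpt (Solaris 8 style entries).
SAMPLE_INETD="${TMPDIR:-/tmp}/inetd.conf.sample.$$"
cat > "$SAMPLE_INETD" <<'EOF'
# inetd.conf excerpt, constructed for this example
ftp     stream  tcp     nowait  root    /usr/sbin/in.ftpd       in.ftpd -l
telnet  stream  tcp     nowait  root    /usr/sbin/in.telnetd    in.telnetd
shell   stream  tcp     nowait  root    /usr/sbin/in.rshd       in.rshd
login   stream  tcp     nowait  root    /usr/sbin/in.rlogind    in.rlogind
exec    stream  tcp     nowait  root    /usr/sbin/in.rexecd     in.rexecd
#finger stream  tcp     nowait  nobody  /usr/sbin/in.fingerd    in.fingerd
EOF

# Usage on a live system (as root):
#   cp -p /etc/inetd.conf /etc/inetd.conf.orig
#   disable_inetd_services /etc/inetd.conf login shell exec
#   active_inetd_services /etc/inetd.conf
```

After the file has been changed on a live system, inetd only re-reads it when sent a HUP signal (kill -HUP on the inetd process, or pkill -HUP inetd); that signal is the reload step the note above refers to, and it is not part of the functions so that they can be run safely against a copy of the file first.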
touch /etc/ftpusers
chown root /etc/ftpusers
chgrp root /etc/ftpusers
chmod 600 /etc/ftpusers
cut -d: -f1 /etc/passwd > /etc/ftpusers
Note: The above step denies FTP access to every account in /etc/passwd, since in.ftpd refuses logins for any name listed in /etc/ftpusers; remove from the file the accounts that require FTP access. From Solaris 9 the file is /etc/ftpd/ftpusers.
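As an added example (not part of the original procedure), the following generates the ftpusers content from a passwd file minus an explicit allow-list, rather than writing every account and deleting lines by hand, so that re-running it after accounts are added keeps the file complete. It assumes the passwd format (colon-separated, user name first); the passwd excerpt is constructed from the standard Solaris system accounts plus two illustrative users, and the allow-list name ftpadmin is an assumption.

```shell
# Added example, not from the original procedure: build the ftpusers content
# from a passwd file, keeping only an explicit allow-list out of it.
# Assumes passwd format (colon-separated, user name first). The allow-list
# account names are illustrative.

# build_ftpusers PASSWD_FILE "ALLOWED ACCOUNTS"
# Prints every account in PASSWD_FILE except those in the space-separated
# allow-list; the output is the ftpusers file (accounts denied FTP).
build_ftpusers() {
    awk -F: -v allow="$2" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^[ \t]*#/ || NF < 7 { next }        # skip comments and malformed lines
        !($1 in ok) { print $1 }' "$1"
}

# install_ftpusers PASSWD_FILE "ALLOWED ACCOUNTS" DEST
# Writes the list to DEST, created with mode 600; run as root so that DEST
# is root-owned as the procedure requires.
install_ftpusers() {
    ( umask 077; build_ftpusers "$1" "$2" > "$3" ) && chmod 600 "$3"
}

# Constructed passwd excerpt: Solaris system accounts plus two users.
SAMPLE_PASSWD="${TMPDIR:-/tmp}/passwd.sample.$$"
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:1:Super-User:/:/sbin/sh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
sys:x:3:3::/:
adm:x:4:4:Admin:/var/adm:
lp:x:71:8:Line Printer Admin:/usr/spool/lp:
uucp:x:5:5:uucp Admin:/usr/lib/uucp:
nuucp:x:9:9:uucp Admin:/var/spool/uucppublic:/usr/lib/uucp/uucico
listen:x:37:4:Network Admin:/usr/net/nls:
nobody:x:60001:60001:Nobody:/:
noaccess:x:60002:60002:No Access User:/:
nobody4:x:65534:65534:SunOS 4.x Nobody:/:
ftpadmin:x:1001:10:FTP drop box owner:/export/home/ftpadmin:/bin/sh
test:x:1002:10:Test user:/export/home/test:/bin/sh
EOF

# Usage on a live system (as root):
#   install_ftpusers /etc/passwd "ftpadmin" /etc/ftpusers
```

Against the sample, build_ftpusers with the allow-list "ftpadmin" prints 13 names (every account except ftpadmin), root included; the allow-list is the only thing an administrator maintains.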
The following configuration items apply to both local and remote security.
6.1
6.2 Securing NFS
CRON and AT related files must be secured. Only root must be given permissions to run
Syslog
The syslog daemon receives log messages from several sources and directs them to the appropriate destination based on the configured facility and priority. The facility (application type) and the priority are configured in /etc/syslog.conf; the destination can be a log file, a network host, specific users, or all users logged into the system.
Syslog must not accept log messages from remote machines unless this is explicitly required. Solaris syslogd listens for remote messages on UDP port 514 by default, so this must be disabled: start syslogd with the -t option (see syslogd(1M)); on Solaris 9 and later, setting LOG_FROM_REMOTE=NO in /etc/default/syslog does the same.
Procedure
Add the following entry to /etc/syslog.conf to capture events sent to the auth facility (LOG_AUTH): unsuccessful login attempts, and successful and failed su (switch user) attempts.
auth.info /var/log/authlog
Note: Separate auth.info from /var/log/authlog with the TAB key, not the space bar; syslogd silently ignores an entry whose fields are separated by spaces.
Create /var/log/authlog by executing the following commands, then send syslogd a HUP signal so that it re-reads the configuration:
# touch /var/log/authlog
# chown root /var/log/authlog
# chmod 600 /var/log/authlog
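The tab-versus-space rule is the usual reason an authlog stays empty, so the following added example (not part of the original procedure) checks a syslog.conf for space-separated entries and appends the auth.info entry with a literal tab only when it is not already there. It assumes the Solaris syslog.conf format (selector, tab, action; # comments); the sample configuration is constructed.

```shell
# Added example, not from the original procedure: two checks for the
# syslog.conf step. The first reports entries whose selector and action are
# separated by spaces only (syslogd requires a tab); the second appends the
# auth.info entry with a literal tab unless it is already present.

# syslog_conf_space_separated SYSLOG_CONF
# Prints "line-number: text" for each active entry that contains no tab.
syslog_conf_space_separated() {
    awk '/^[ \t]*#/ || NF == 0 { next }
         !/\t/ { printf "%d: %s\n", FNR, $0 }' "$1"
}

# ensure_syslog_entry SYSLOG_CONF SELECTOR ACTION
# Appends "SELECTOR<TAB>ACTION" unless an active entry with that selector and
# action already exists (awk splits on tabs and spaces, so a badly spaced
# duplicate is still recognised). Returns 0 either way.
ensure_syslog_entry() {
    conf="$1" sel="$2" act="$3"
    if awk -v s="$sel" -v a="$act" '
            !/^[ \t]*#/ && $1 == s && $2 == a { found = 1 }
            END { exit (found ? 0 : 1) }' "$conf"; then
        return 0
    fi
    printf '%s\t%s\n' "$sel" "$act" >> "$conf"
}

# Constructed syslog.conf excerpt; the last entry uses spaces and is broken.
SAMPLE_SYSLOG="${TMPDIR:-/tmp}/syslog.conf.sample.$$"
{
    printf '# syslog.conf excerpt, constructed for this example\n'
    printf '*.err;kern.notice;auth.notice\t/dev/sysmsg\n'
    printf '*.err;kern.debug;daemon.notice;mail.crit\t/var/adm/messages\n'
    printf '*.alert;kern.err;daemon.err\toperator\n'
    printf 'mail.debug /var/log/syslog\n'
} > "$SAMPLE_SYSLOG"

# Usage on a live system (as root):
#   syslog_conf_space_separated /etc/syslog.conf
#   ensure_syslog_entry /etc/syslog.conf auth.info /var/log/authlog
#   then: kill -HUP on the syslogd process, so it re-reads the file.
```

Against the sample, the first function reports line 5 (the mail.debug entry); after ensure_syslog_entry has run, the file carries exactly one auth.info line with a tab, however many times the function is called.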
10
There are many ways to attack network services. Such services may contain programming flaws, use weak authentication, transfer sensitive data unencrypted, or accept connections from any network host; each of these weaknesses allows an attacker to compromise the system.
10.6 Netmask queries
10.7 Timestamp queries
Procedure
Add the following lines to the /etc/init.d/nddconfig file:
# Do not respond to queries for our timestamp
/usr/sbin/ndd -set /dev/ip ip_respond_to_timestamp 0
10.8
Timestamp broadcast
Procedure
Add the following lines to the /etc/init.d/nddconfig file:
# Do not respond to queries for our timestamp broadcast
/usr/sbin/ndd -set /dev/ip ip_respond_to_timestamp_broadcast 0
10.9
Routing redirects
Procedure
Add the following lines to the /etc/init.d/nddconfig file:
# Do not issue redirects -- fix the routing table instead
/usr/sbin/ndd -set /dev/ip ip_send_redirects 0
10.10
Procedure
Add the following lines to the /etc/init.d/nddconfig file:
10.11
Avoid DoS
Procedure
Add the following lines to the /etc/init.d/nddconfig file:
# Increase the minimum TCP MSS value to avoid DoS
/usr/sbin/ndd -set /dev/tcp tcp_mss_min 128
Note: To confirm that a value has been set, query it with ndd -get, for example:
# ndd -get /dev/ip ip_respond_to_timestamp_broadcast
The settings in /etc/init.d/nddconfig are applied at boot only if the script is linked from the rc2.d directory (for example /etc/rc2.d/S70nddconfig); run the script by hand after editing it to apply them immediately.
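The sections from 10.7 to 10.11 each add one ndd -set line to nddconfig, and the note above checks one of them. The following added example (not part of the original procedure) is an nddconfig-style script that keeps the expected values in one table, applies them all, and verifies every one with ndd -get. The table holds the four settings shown on this page; the NDD_EXPECTED name, the function names and the start/verify arguments are this example's own, and NDD is assumed to be /usr/sbin/ndd unless overridden.

```shell
#!/bin/sh
# Added example, not from the original procedure: an nddconfig-style script
# that applies the ndd settings from this section and verifies them with
# ndd -get. Assumes ndd at /usr/sbin/ndd unless NDD is set in the environment.

NDD="${NDD:-/usr/sbin/ndd}"

# Expected settings, one "driver parameter value" per line: the four shown
# in this section. Append further lines for the other items.
NDD_EXPECTED='
/dev/ip   ip_respond_to_timestamp            0
/dev/ip   ip_respond_to_timestamp_broadcast  0
/dev/ip   ip_send_redirects                  0
/dev/tcp  tcp_mss_min                        128
'

# apply_ndd_settings: runs ndd -set for every expected line.
# Returns 0 when every set succeeded.
apply_ndd_settings() {
    rc=0
    while read -r drv param want; do
        [ -z "$drv" ] && continue
        "$NDD" -set "$drv" "$param" "$want" || rc=1
    done <<EOF
$NDD_EXPECTED
EOF
    return $rc
}

# verify_ndd_settings: queries each parameter with ndd -get and prints one
# line per mismatch; returns 0 only when every value matches.
verify_ndd_settings() {
    rc=0
    while read -r drv param want; do
        [ -z "$drv" ] && continue
        have=$("$NDD" -get "$drv" "$param" 2>/dev/null) || have="(query failed)"
        if [ "$have" != "$want" ]; then
            echo "$drv $param expected=$want actual=$have"
            rc=1
        fi
    done <<EOF
$NDD_EXPECTED
EOF
    return $rc
}

# Installed as /etc/init.d/nddconfig and linked from /etc/rc2.d so that it
# runs at boot, the script applies the settings on "start" and checks them
# on "verify" (usage: sh /etc/init.d/nddconfig start; sh /etc/init.d/nddconfig verify).
case "${1-}" in
    start)  apply_ndd_settings ;;
    verify) verify_ndd_settings ;;
esac
```

Keeping the expected values in a table rather than as a sequence of ndd -set lines means the verify step cannot drift from the apply step; a mismatch report after boot points either at a setting that failed to apply or at something that changed it later.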
10.12
10.14 Set arp_cleanup_interval
10.15 Set tcp_rev_src_routes