
HARDENING GUIDE FOR SOLARIS OPERATING SYSTEM

TABLE OF CONTENTS

OBJECTIVE
DEFINITION
SCOPE
STATEMENT OF APPLICABILITY
HARDENING PROCEDURE
1 FILE SYSTEM SECURITY
1.1 INTRODUCTION
1.2 SOLARIS OPERATING ENVIRONMENT INSTALLATION
1.3 RECOMMENDED PARTITIONS
2 APPLYING SECURITY PATCHES
2.1 INTRODUCTION
2.2 PATCH INSTALLATION PROCEDURE
3 SECURING ACCOUNTS
3.1 REMOVING AND DISABLING SYSTEM ACCOUNTS
3.2 ACCOUNTS THAT CAN BE SAFELY DISABLED
3.3 ACCOUNTS THAT CAN BE SAFELY DELETED
3.4 PASSWORD CONFIGURATION
3.5 LOGIN RETRIES
3.6 RESTRICT REMOTE ROOT LOGIN
3.7 RESTRICT DIRECT ROOT LOGIN ENTIRELY
3.8 LOGIN BANNER
3.9 RESTRICT SU COMMAND
4 DISABLING NON-ESSENTIAL SERVICES
4.1 DISABLE NON-ESSENTIAL SERVICES
4.2 DISABLING SERVICES FROM THE STARTUP SCRIPTS
4.3 FTP AND TELNET BANNERS
4.4 RESTRICT FTP USERS
4.5 SECURING SNMP SERVICE
4.6 DISABLE DARPA NAME SERVER
4.7 REMOVING RSH
4.8 TO DISABLE RLOGIN
5 ADDING SECURE SERVICES
5.1 OPENSSH PACKAGES
6 MISCELLANEOUS SECURITY SETTINGS
6.1 SECURE EXECUTABLE STACKS
6.2 SECURING NFS
7 FILE RELATED SETTINGS
7.1 USER UMASK SETTING
7.2 SYSTEM UMASK SETTING
8 CRON AND AT SECURITY
9 SYSLOG
9.1 LOGIN LOGS
9.2 PERMISSION ON THE LOG FILES
9.3 FOLDER PERMISSIONS
9.4 MOUNT NON-ROOT UFS FILE SYSTEM
9.5 ENABLING TCP WRAPPERS
10 NETWORK SECURITY SETTINGS
10.1 PRELIMINARY NETWORK SETTINGS
10.2 BROADCAST PING
10.3 DIRECTED BROADCAST
10.4 PREVENT SPOOFING
10.5 SOURCE ROUTED PACKETS
10.6 NETMASK QUERIES
10.7 TIMESTAMP QUERIES
10.8 TIMESTAMP BROADCAST
10.9 ROUTING REDIRECTS
10.10 DEFENSE AGAINST SYN FLOOD
10.11 AVOID DOS
10.12 STRENGTHEN TCP SEQUENCE NUMBER GENERATION
10.13 ENSURE THAT THE MACHINE DOES NOT ACT AS A ROUTER
10.14 SET ARP_CLEANUP_INTERVAL
10.15 SET TCP_REV_SRC_ROUTES
11 CONFIGURING TO NTP SERVER

Internal

HARDENING PROCEDURE

1 File system security

1.1 Introduction
It is important that the file systems and local security of the Solaris Operating
Environment system not be neglected. Often, administrators are greatly concerned about
attackers breaking into systems remotely. There should be equal concern for local,
authorized users gaining extra privileges on a system by exploiting a problem with
internal system security.

1.2 Solaris Operating Environment Installation


Each new release includes security improvements and additional features to enhance
system security. Always use the latest version of the Solaris Operating Environment that
your applications will support.

1.3 Recommended Partitions


When creating operating system file partitions, be sure to allocate adequate disk space
for system directories, log files, and applications. Certain server applications or services
may require extra disk space or separate partitions to operate effectively without
impacting other services.

Procedure
Typically, there should be separate partitions for:
/ (root file system)
/usr
/var
/opt
/tmp
/home (user partition)
To create additional partitions use the format command.
Note: Most applications install themselves in /opt or /usr/local. Check the application
installation directory before allocating space.

2 Applying Security Patches

2.1 Introduction

Sun provides patches to the Solaris Operating Environment and unbundled software
products. You can download recommended, security, and other patches for the Solaris
Operating Environment from sunsolve.sun.com. All systems should have the latest
recommended, security, and application patches installed.

2.2 Patch installation procedure

To install a patch (102548-01 is used below as an example patch number):

# init 0
ok boot -s                   (boot in single-user mode from the OpenBoot prompt)
# mkdir /var/spool/patch     (this directory may already be present; otherwise create it)
# cp 102548-01.zip /var/spool/patch
# cd /var/spool/patch
# unzip 102548-01.zip
# patchadd 102548-01
# init 6                     (reboot the system if the patch requires a reboot to take effect)

Note: Schedule a downtime for the machine if the patch requires a reboot.
Ensure that no users are connected to the system when you are applying patches.
Be sure to examine all system init scripts and test all patches on non-production systems
to discover any configuration changes.

3 Securing Accounts

Managing user and system accounts is an important aspect of the Solaris Operating
Environment security. Some system accounts may need to be modified or deleted.

3.1 Removing and Disabling System Accounts

A default Solaris Operating Environment installation contains several accounts that either
need to be deleted or modified to strengthen security. Some accounts are not necessary
for normal system operation.

3.2 Accounts that can be safely disabled

daemon
bin
adm
lp
uucp
nuucp
nobody
smtp
listen
noaccess
nobody4
smmsp

The command to disable the user daemon is given below as an example:

# usermod -s /sbin/noshell daemon

Note: The smtp user is required by the sendmail service.
nobody is required by the NFS services.
noaccess is required by the automount service.

3.3 Accounts that can be safely deleted


smtp
listen
nobody4

The command to delete the user smtp is given below as an example:

# userdel smtp
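As an added check that is not part of the guide, the script below takes the account names from sections 3.2 and 3.3 and reports which of them still have a usable login shell in a passwd file, so the disable step can be verified after installation and repeated after a patch or upgrade re-creates an account. The passwd content is constructed for the example, the function name is my own, and the set of shells treated as "disabled" (/sbin/noshell, /bin/false, /usr/bin/false) is an assumption; an empty shell field is reported because it means the default login shell, not no shell.

```shell
#!/bin/sh
# Added example (not from the guide): report accounts from the guide's
# disable list that still have a login shell. On a real host pass /etc/passwd
# instead of the constructed sample file.

DISABLE_LIST="daemon bin adm lp uucp nuucp nobody smtp listen noaccess nobody4 smmsp"

# usage: accounts_with_login_shell PASSWD_FILE name...
# Prints, one per line, each named account whose shell is not one of the
# no-login shells. Accounts absent from the file are skipped; an empty shell
# field counts as a login shell (it is the system default shell).
accounts_with_login_shell() {
    passwd_file=$1; shift
    for name in "$@"; do
        shell=$(awk -F: -v u="$name" '
            $1 == u { found = 1; print ($7 == "" ? "(default)" : $7) }
            END { if (!found) print "(absent)" }' "$passwd_file")
        case "$shell" in
            "(absent)"|/sbin/noshell|/bin/false|/usr/bin/false) ;;
            *) printf '%s\n' "$name" ;;
        esac
    done
}

# Constructed passwd excerpt: daemon, lp and uucp are already disabled,
# bin has the default shell, adm and nobody still have a real shell.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
root:x:0:1:Super-User:/:/sbin/sh
daemon:x:1:1::/:/sbin/noshell
bin:x:2:2::/usr/bin:
adm:x:4:4:Admin:/var/adm:/bin/sh
lp:x:71:8:Line Printer Admin:/usr/spool/lp:/sbin/noshell
uucp:x:5:5:uucp Admin:/usr/lib/uucp:/usr/bin/false
nobody:x:60001:60001:Nobody:/:/sbin/sh
testuser:x:1001:10:Test User:/home/testuser:/bin/ksh
EOF

# Prints: bin, adm, nobody (each still needs "usermod -s /sbin/noshell").
accounts_with_login_shell "$SAMPLE" $DISABLE_LIST
```

Each name printed is one that still needs the usermod step from this section; nothing printed means the list has been fully applied.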



3.4 Password configuration
Procedure
Edit the /etc/default/passwd file and set the following password configuration:
# vi /etc/default/passwd

(Press i to enter insert mode.)

Edit the file to reflect the following changes:

PASSLENGTH=8   (minimum password length)
MAXWEEKS=7     (password aging, as required)
MINWEEKS=1     (password aging, as required)
Type :wq! to save your changes.
Also refer to the organization's password policy when setting the above parameters.

3.5 Login Retries


Specify the number of consecutive failed logins that can occur for a user before the login
process logs the failure and terminates the connection.
Edit the /etc/default/login file and set the RETRIES parameter to a value of 3.

3.6 Restrict remote root login


Root user must not be able to login from a remote console. The login command is part of
the authentication process to access a local Solaris Operating Environment account. It is
used on the console and by the in.telnetd daemon to determine if a user may be granted
access to the system. By default, only the root user can log into a Solaris Operating
Environment system from the console device.

Procedure
The console device is defined by the following entry in the /etc/default/login file:
CONSOLE=/dev/console

Note: When this line is commented out, the root account can log directly into the
system over the network via telnet in addition to the console. This is insecure and should
be avoided. Do not alter the default configuration.

3.7 Restrict direct root login entirely

Make the following CONSOLE entry in the /etc/default/login file to restrict direct root
logins entirely (root is then reachable only through su):

CONSOLE=-
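Added example, not from the guide: a small shell function that sets a KEY=VALUE parameter in an /etc/default-style file, as sections 3.4, 3.5 and 3.7 ask for by hand (and in the same way TCP_STRONG_ISS in /etc/default/inetinit from section 10.12). It replaces an active definition, un-comments a "#KEY=..." line when that is all that exists, or appends the line, so the file never ends up with two conflicting definitions. Both sample files are constructed temporary copies and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the guide): idempotent KEY=VALUE editing for the
# /etc/default/passwd and /etc/default/login settings in sections 3.4 to 3.7.
# The files used here are temporary copies built for demonstration; point
# FILE at the real file on a Solaris host.

# usage: set_default_param FILE KEY VALUE
set_default_param() {
    file=$1; key=$2; value=$3
    tmp="${file}.tmp.$$"
    if grep -q "^${key}=" "$file"; then
        # an active definition exists: replace its value in place
        sed "s|^${key}=.*|${key}=${value}|" "$file" > "$tmp"
    elif grep -q "^#[[:space:]]*${key}=" "$file"; then
        # only a commented-out definition exists: turn it into an active one
        sed "s|^#[[:space:]]*${key}=.*|${key}=${value}|" "$file" > "$tmp"
    else
        cp "$file" "$tmp" && printf '%s=%s\n' "$key" "$value" >> "$tmp"
    fi
    mv "$tmp" "$file"
}

# usage: get_default_param FILE KEY -> prints the active value ("" if unset)
get_default_param() {
    sed -n "s|^$2=||p" "$1" | tail -n 1
}

# Constructed stand-ins for /etc/default/passwd and /etc/default/login.
WORK=$(mktemp -d)
PASSWD_DEFAULTS="$WORK/passwd"
LOGIN_DEFAULTS="$WORK/login"
printf '#ident "@(#)passwd.dfl"\nMAXWEEKS=\nMINWEEKS=\nPASSLENGTH=6\n' > "$PASSWD_DEFAULTS"
printf 'CONSOLE=/dev/console\n#RETRIES=5\nSYSLOG=YES\n' > "$LOGIN_DEFAULTS"

# Section 3.4: password length and aging.
set_default_param "$PASSWD_DEFAULTS" PASSLENGTH 8
set_default_param "$PASSWD_DEFAULTS" MAXWEEKS 7
set_default_param "$PASSWD_DEFAULTS" MINWEEKS 1
# Section 3.5: login retries (un-comments the "#RETRIES=5" line).
set_default_param "$LOGIN_DEFAULTS" RETRIES 3
# Section 3.7: no direct root login at all.
set_default_param "$LOGIN_DEFAULTS" CONSOLE -

cat "$PASSWD_DEFAULTS" "$LOGIN_DEFAULTS"
```

The same function sets LOG_FROM_REMOTE=NO in /etc/default/syslogd, which is how the acceptance of remote syslog messages mentioned in section 9 is switched off on Solaris 8 and later; as with every setting in /etc/default, the value is read the next time the relevant program (login, passwd, syslogd) starts, so verify with get_default_param rather than assuming the running process has picked it up.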

3.8 Login banner


An appropriate login message must be displayed to the user when he/she tries to log in
to the system. The contents of the /etc/issue file are displayed on the console during
login and for incoming telnet connections.
The contents of the login banner are as follows:

!!!WARNING!!!
This system is for the use of authorized xxx personnel and channel partners only. By
accessing this system you hereby consent to the system being monitored by xxx. Any
unauthorized use will be considered a breach of xxx information security policies and may
also be unlawful. xxx reserves the right to take any action, including disciplinary
action or legal proceedings in a court of law, against persons involved in the violation of the
access restrictions herein.
3.9 Restrict su command
You can restrict which users are permitted to su on the server.
Procedure
If the wheel group has been removed, create one by following the steps below:
# /usr/sbin/groupadd -g 13 wheel
# /usr/bin/chgrp wheel /usr/bin/su /sbin/su.static
# /usr/bin/chmod 4550 /usr/bin/su /sbin/su.static

Note: The GID for the wheel group does not need to be 13. Any valid GID can be used.
You will need to edit /etc/group to add users to the wheel group, or add them with the
usermod command as shown below.

Given below is an example of an existing user, test, being added to the wheel
group:

# usermod -G wheel test

4 Disabling Non-essential Services

System services are started by the init system. Some services are not necessary to
system operation and should be disabled. There are also services that may allow a
system to be compromised due to incorrect configuration.

4.1 Disable non-essential services


For security purposes, only required services should be enabled. The fewer services that
are enabled, the less likely it is that an attacker will discover a way to exploit the system
using an enabled service.

Note: The list of services to be disabled can be determined after an initial system study. Disable
a service by putting a hash [#] sign in front of the unnecessary service in the /etc/inetd.conf file.
For example, to disable the rlogin service in /etc/inetd.conf, insert the # as shown below:
#login stream tcp nowait root /usr/sbin/in.rlogind in.rlogind
Note: If you want the changes made to /etc/inetd.conf to take effect immediately without
rebooting the server, run the command given below:

# pkill -HUP inetd


The following services can be disabled in inetd.conf:
shell
login
exec
comsat
talk
rusersd
uucp
tftp
finger
systat
netstat
sadmind
time
echo
discard
daytime
chargen
name
rquotad
sprayd
walld
rexecd
rpc.ttdbserverd
ufsd
printer
dtspc
rpc.cmsd
rstatd
fs
ocfserv
rpc.rexd

4.2 Disabling services from the startup scripts

Prevent a service from starting by changing the capital 'S' at the start of its rc script name to a
lowercase 's' (init only runs the scripts whose names begin with S or K). Rename the following
auto-configuration related links in /etc/rc2.d and /etc/rc3.d and any other unnecessary startup
scripts:
ab2 (AnswerBook 2)
dtlogin (CDE and X service)
IPv6
NFS client
PRESERVE
sendmail
Apache
Desktop Management Interface (DMI)
KDC
NFS server
Print services
Serial line printing
asppp
DHCP
MIP (Mobile IP agent)
Power management service
RPC
spc (Solaris print client)
Auto installer
Directory service
Name server caching daemon (nscd)
PPP
Samba
UUCP
Volume manager
WBEM
CacheFS
NCA
LLC2
slpd (Service Location Protocol)
NFS automount
perf
Run commands such as the following:
# cd /etc/rc2.d
# mv S72autoinstall s72autoinstall
# mv S70uucp s70uucp
# mv K28nfs.server k28nfs.server
# mv S76nscd s76nscd
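Added example (not the guide's commands): a function that performs the S-to-s rename from this section safely, refusing a name that is already lowercase and reporting a script that does not exist, so a typo in the list is noticed rather than silently ignored. It is exercised on a constructed temporary copy of an rc2.d directory containing the guide's four script names plus two constructed ones (S20sysetup, S99dtlogin); the function names are my own.

```shell
#!/bin/sh
# Added example (not from the guide): disable rc scripts by lowercasing the
# leading S or K, the convention section 4.2 uses, with the error checks the
# bare "mv" lacks. Run it against a temporary directory built below; on a
# Solaris host the DIR argument would be /etc/rc2.d or /etc/rc3.d.

# usage: disable_rc_script DIR NAME  (NAME must start with S or K)
disable_rc_script() {
    dir=$1; name=$2
    case "$name" in
        S*|K*) ;;
        *) printf 'skip: %s is not an active S/K script name\n' "$name"; return 1 ;;
    esac
    if [ ! -e "$dir/$name" ]; then
        printf 'missing: %s/%s\n' "$dir" "$name"; return 1
    fi
    first=$(printf '%s' "$name" | cut -c1 | tr 'SK' 'sk')
    rest=$(printf '%s' "$name" | cut -c2-)
    mv "$dir/$name" "$dir/$first$rest"
}

# usage: active_rc_scripts DIR -> names that init would still run
active_rc_scripts() {
    ls "$1" | grep '^[SK]'
}

# Constructed rc2.d: empty files standing in for the real links.
RC2=$(mktemp -d)
for s in S72autoinstall S70uucp K28nfs.server S76nscd S20sysetup S99dtlogin; do
    : > "$RC2/$s"
done

disable_rc_script "$RC2" S72autoinstall
disable_rc_script "$RC2" S70uucp
disable_rc_script "$RC2" K28nfs.server
disable_rc_script "$RC2" S76nscd
disable_rc_script "$RC2" S99dtlogin

# Only S20sysetup remains active.
active_rc_scripts "$RC2"
```

Renaming rather than deleting keeps the script in place, so a service can be re-enabled by reversing the rename; active_rc_scripts gives the list to compare against the approved services after hardening.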

4.3 FTP and TELNET banners


If FTP or TELNET services are required to run on the system then ensure that the services do
not advertise the operating system version when users connect to the system.
Remove the OS version number from telnetd and ftpd banner.
Procedure
Create the files telnetd and ftpd in /etc/default with the entry below to mask the OS version
number in the banner:
BANNER=

4.4 Restrict ftp users


Even though we are not going to run the ftp daemon, we will set up the ftpd security file
to reject remote logins to local user accounts.
Procedure
Use the following commands:

# touch /etc/ftpusers
# chown root /etc/ftpusers
# chgrp root /etc/ftpusers
# chmod 600 /etc/ftpusers
# cut -f1 -d: /etc/passwd > /etc/ftpusers

Note: The above step denies ftp access to all accounts; remove from the file the accounts
that require ftp access.

4.5 Securing SNMP service


If SNMP is required to run on the machine, set the SNMP community strings to
ensure that unauthorized users cannot query SNMP details.

Procedure
Edit the /etc/snmp/conf/snmpd.conf file and set non-guessable community strings. The
following is a sample snmpd.conf file. Replace the default community strings public and
private in this file with stronger ones. Limit the SNMP servers that can query your
machine by replacing the value snmp-server in this file with the name of the SNMP
server in your environment.
sysdescr ALLDESC
syscontact ALLCONT
sysLocation ALLLOC
# system-group-read-community public
# system-group-write-community private
# read-community public
# write-community private
trap localhost
trap-community SNMP-trap
managers snmp-server

4.6 Disable DARPA name server

DARPA stands for Defense Advanced Research Projects Agency. in.tnamed is a server that
supports the DARPA Name Server Protocol. The name server listens on the port
indicated in the "name" service description and is invoked by inetd when a request is
made to the name server.
The protocol implemented by this program is obsolete. Its use should be phased out in
favour of the Internet Domain Name Service (DNS) protocol.
To disable it, edit /etc/inet/inetd.conf and comment out the following line:
name dgram udp wait root /usr/sbin/in.tnamed in.tnamed

4.7 Removing rsh

rsh creates a remote shell on a host, which allows a user to execute commands on the
remote UNIX host. The rsh service uses inadequate authentication based on the client's
IP address (which can be spoofed), and its unencrypted sessions may be compromised by
network sniffing. For security purposes rsh should be disabled or replaced with an SSH
implementation such as OpenSSH.
This is part one of disabling the "r" based services (rsh, rlogin etc.); disabling the
authentication part of the service is done later in the subsection "Disable PAM
configuration for rsh and rlogin".
This is part one of a two-part procedure to disable the rsh service, in which the following
files are either locked or modified:
/etc/pam.conf
/etc/inet/inetd.conf
/etc/hosts.equiv
To disable the program part of rsh, edit /etc/inet/inetd.conf and comment out the
following lines:
shell stream tcp nowait root /usr/sbin/in.rshd in.rshd
shell stream tcp6 nowait root /usr/sbin/in.rshd in.rshd

4.8 To disable rlogin

Comment out the following line in /etc/inet/inetd.conf:
login stream tcp6 nowait root /usr/sbin/in.rlogind in.rlogind
To disable the talk server, comment out:
talk dgram udp wait root /usr/sbin/in.talkd in.talkd
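Added example covering sections 4.1, 4.6, 4.7 and 4.8 (not code from the guide): a function that comments out named services in an inetd.conf-format file by exact match on the first field, so disabling "login" cannot accidentally hit another service and lines that are already commented are left untouched rather than commented twice. The inetd.conf excerpt is constructed and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the guide): disable inetd services by name. On a
# Solaris host the file would be /etc/inet/inetd.conf, followed by
# "pkill -HUP inetd" so the running daemon re-reads it.

# usage: disable_inetd_services FILE name...
disable_inetd_services() {
    file=$1; shift
    tmp="${file}.tmp.$$"
    awk -v list="$*" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        /^[[:space:]]*#/ { print; next }          # already a comment: leave as is
        ($1 in want)     { print "#" $0; next }   # exact service-name match: disable
        { print }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# usage: active_inetd_services FILE -> first field of every uncommented line
active_inetd_services() {
    awk '!/^[[:space:]]*#/ && NF > 0 { print $1 }' "$1"
}

# Constructed inetd.conf excerpt (finger is already disabled).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# constructed excerpt of an inetd.conf
ftp     stream  tcp6    nowait  root    /usr/sbin/in.ftpd       in.ftpd -a
telnet  stream  tcp6    nowait  root    /usr/sbin/in.telnetd    in.telnetd
name    dgram   udp     wait    root    /usr/sbin/in.tnamed     in.tnamed
shell   stream  tcp     nowait  root    /usr/sbin/in.rshd       in.rshd
shell   stream  tcp6    nowait  root    /usr/sbin/in.rshd       in.rshd
login   stream  tcp6    nowait  root    /usr/sbin/in.rlogind    in.rlogind
#finger stream  tcp6    nowait  nobody  /usr/sbin/in.fingerd    in.fingerd
talk    dgram   udp     wait    root    /usr/sbin/in.talkd      in.talkd
EOF

# Sections 4.6 (name), 4.7 (both shell lines) and 4.8 (login, talk).
disable_inetd_services "$SAMPLE" name shell login talk

# Only ftp and telnet remain active.
active_inetd_services "$SAMPLE"
```

Both shell lines (tcp and tcp6) are disabled by the one call because the match is on the service name, which is the detail the guide's manual edit relies on the administrator to remember.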

5 Adding Secure Services

5.1 OpenSSH Packages

The four packages that need to be on the system to use SSH are:
1. zlib
2. openssl
3. openssh
4. perl
The packages can either be downloaded as sources and compiled, or obtained as pre-compiled
packages from sunfreeware.com.

6 Miscellaneous Security Settings

The following configuration items apply to both local and remote security.

6.1 Secure executable stacks

Some security exploitation programs take advantage of the executable user stack of the
Solaris Operating Environment kernel to attack the system. These attack programs attempt
to overwrite parts of the program stack of a privileged program in an attempt to control it.
Some of these exploits can be avoided by making the stack non-executable.
Procedure
Add the following lines to the /etc/system file (they take effect after the next reboot):
set noexec_user_stack=1
set noexec_user_stack_log=1
Version dependencies: the non-executable stack feature only works on the following
SPARC architectures: sun4d, sun4m and sun4u hardware.
Note: With noexec_user_stack_log set to one, the system logs programmatic attempts
to execute code on the stack. This allows you to track unsuccessful exploit programs and
the account that made the attempt.

6.2 Securing NFS

If required, NFS file sharing should be implemented in a secure manner.

Procedure
Edit the /etc/dfs/dfstab file and ensure that all file systems that are shared have restricted
permissions.
For example, give read-write access only to the appropriate groups and users. At a minimum,
the shares must not be world writable.
Enable restricted NFS port access. When this is enabled the NFS server will only accept
connections from ports less than 1024. This parameter is defined in /etc/system.
Procedure
Add the following line to the /etc/system file:
set nfssrv:nfs_portmon=1

7 File Related Settings

7.1 User umask setting


A default umask of 022 must be set for User created files.
Set the umask so that it does not include world access.
Procedure
Add "umask 022" to the following files:
/etc/.login /etc/profile /etc/skel/local.cshrc
/etc/skel/local.login /etc/skel/local.profile

7.2 System umask setting


A default umask of 022 must be set for System created files during initial boot stage.
The default system file mode creation mask for the Solaris Operating Environment is
000. This means that files created by system daemons are created with permission bits
that are 666 (readable and writeable by all users). This can be a problem since normal
users now have permission to overwrite the contents of system files.
Procedure
Use the following script to set the system umask to a more reasonable value:
echo umask 022 > /etc/init.d/umask.sh
chmod 744 /etc/init.d/umask.sh
chgrp sys /etc/init.d/umask.sh
for d in /etc/rc?.d; do
ln /etc/init.d/umask.sh $d/S00umask.sh
done

8 CRON and AT security

CRON and AT related files must be secured. Only root must be given permission to run
CRON and AT jobs.
The files in /etc/cron.d control which users can use the cron and at facilities:
Procedure
Create an /etc/cron.d/cron.allow file:
# echo "root" > /etc/cron.d/cron.allow
# chown root /etc/cron.d/cron.allow
# chmod 600 /etc/cron.d/cron.allow
Create an /etc/cron.d/at.allow file:
# cp -p /etc/cron.d/cron.allow /etc/cron.d/at.allow
Create an /etc/cron.d/cron.deny file:
# cut -f1 -d: /etc/passwd | grep -v '^root$' > /etc/cron.d/cron.deny
# chown root /etc/cron.d/cron.deny
# chmod 600 /etc/cron.d/cron.deny
Create an /etc/cron.d/at.deny file:
# cp -p /etc/cron.d/cron.deny /etc/cron.d/at.deny
Note: When cron.allow exists it takes precedence and cron.deny is not consulted; the deny
files only come into play if the allow files are later removed.
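Added example for sections 4.4 and 8 (not the guide's one-liners): a function that builds a deny list such as /etc/ftpusers or /etc/cron.d/cron.deny from a passwd file while keeping the accounts that genuinely need the service out of it, instead of writing every account and relying on hand editing afterwards. The passwd content is constructed and the function name is my own.

```shell
#!/bin/sh
# Added example (not from the guide): generate deny lists from passwd with an
# explicit allow list. On a Solaris host PASSWD_FILE is /etc/passwd and OUTPUT
# is /etc/ftpusers or /etc/cron.d/cron.deny (then chown root as the guide does).

# usage: write_deny_list PASSWD_FILE OUTPUT [allowed_user ...]
# Every account in PASSWD_FILE except the allowed ones is written to OUTPUT,
# one per line. A new OUTPUT is created with mode 600 (umask 077).
write_deny_list() {
    passwd_file=$1; out=$2; shift 2
    allowed=" $* "
    umask 077
    : > "$out"
    cut -f1 -d: "$passwd_file" | while IFS= read -r user; do
        case "$allowed" in
            *" $user "*) ;;                        # allowed: keep it out of the deny list
            *) printf '%s\n' "$user" >> "$out" ;;
        esac
    done
}

# Constructed passwd excerpt.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
root:x:0:1:Super-User:/:/sbin/sh
daemon:x:1:1::/:/sbin/noshell
bin:x:2:2::/usr/bin:
lp:x:71:8:Line Printer Admin:/usr/spool/lp:/sbin/noshell
nobody:x:60001:60001:Nobody:/:/sbin/sh
appuser:x:1001:10:Application owner:/export/app:/bin/ksh
backup:x:1002:10:Backup operator:/export/backup:/bin/ksh
EOF

FTPUSERS=$(mktemp)
CRONDENY=$(mktemp)
# Section 4.4: everyone but the application account is denied FTP.
write_deny_list "$SAMPLE" "$FTPUSERS" appuser
# Section 8: everyone but root is denied cron (the guide's grep -v root).
write_deny_list "$SAMPLE" "$CRONDENY" root

echo "ftpusers:";  cat "$FTPUSERS"
echo "cron.deny:"; cat "$CRONDENY"
```

Matching on the whole name (the padded " $user " pattern) is deliberate: a plain grep -v root would also drop an account such as rootadm from the deny list.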

9 Syslog

The syslog daemon receives log messages from several sources and directs them to the
appropriate location based on the configured facility and priority.
The facility (or application type) and the priority are configured in the /etc/syslog.conf
file to direct the log messages. The destination can be a log file, a network host,
specific users, or all users logged into the system.
It must be ensured that syslog does not accept log messages from remote machines
unless explicitly required. Since this is enabled by default, it must be disabled.
Procedure
Add the following entry to /etc/syslog.conf to capture syslog events sent to
LOG_AUTH. These contain information on unsuccessful login attempts and on successful and
failed su (switch user) attempts.
auth.info /var/log/authlog
Note: Use the TAB key to separate auth.info from /var/log/authlog, not the spacebar.
Create /var/log/authlog by executing the following commands:
# touch /var/log/authlog
# chown root /var/log/authlog
# chmod 600 /var/log/authlog
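Added example (not from the guide): a check for the TAB problem the note above describes. Solaris syslogd ignores a rule whose selector and action are separated by spaces, so the check reports every rule line without a TAB and confirms that the auth.info rule is present in the form the guide asks for. The syslog.conf excerpt is constructed and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the guide): validate the selector/action separator
# in a syslog.conf-format file. On a Solaris host pass /etc/syslog.conf.

TAB=$(printf '\t')

# usage: syslog_lines_without_tab FILE
# Prints "LINE: text" for every rule line that contains no TAB at all.
syslog_lines_without_tab() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }      # comments and blank lines
        index($0, "\t") == 0 { printf "%d: %s\n", NR, $0 }
    ' "$1"
}

# usage: has_auth_rule FILE
# Exit 0 if a TAB-separated rule sends auth.info (or auth.*) to /var/log/authlog.
has_auth_rule() {
    awk -F "${TAB}+" '
        $1 ~ /^auth\.(info|\*)$/ && $2 == "/var/log/authlog" { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Constructed syslog.conf excerpt; line 4 is the classic space-separated mistake.
SAMPLE=$(mktemp)
{
    printf '# constructed syslog.conf excerpt\n'
    printf '*.err;kern.notice;auth.notice\t/dev/sysmsg\n'
    printf 'auth.info\t/var/log/authlog\n'
    printf 'mail.debug /var/log/syslog\n'
    printf 'daemon.notice\t/var/adm/messages\n'
} > "$SAMPLE"

# Prints: 4: mail.debug /var/log/syslog
syslog_lines_without_tab "$SAMPLE"
if has_auth_rule "$SAMPLE"; then
    echo "auth.info rule present"
fi
```

A line reported by syslog_lines_without_tab is one that syslogd is silently dropping, so the log file it names will stay empty even though the rule looks correct in an editor.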


9.1 Login logs


Procedure
Create /var/adm/loginlog to capture failed logins
# touch /var/adm/loginlog
# chown root /var/adm/loginlog
# chmod 600 /var/adm/loginlog
Note: loginlog records failed login attempts after 5 consecutive bad attempts from any
console or remote session.
Apart from the above, syslog must also be configured to store the following:
1. sulog messages.
2. Connection-related details logged by the inetd daemon.
3. If the ftp service is running on the machine, ftp connection-related details.

9.2 Permission on the log files


Do not set insecure permissions on the log files.
Procedure
Set the permissions on the log files as follows (if the files are present):
# chmod 600 /var/adm/messages /var/log/syslog /var/adm/loginlog
Version dependencies: none

9.3 Folder permissions


Ensure that the permissions on the /tmp folder are appropriately set.
1. Check the permissions on the /tmp folder both before file systems are mounted and after.
2. Ensure that the sticky bit is set on the /tmp and /var/tmp folders.
Note: In a default install the /tmp and /var/tmp folders have the sticky bit set.
3. Set the following permissions on the /etc, /var, /var/spool, /var/cron and /etc/security
files and folders (JASS_ROOT_DIR is the root of the system being hardened, as used by the
Solaris Security Toolkit; on a live system it is /):
# chmod -fR g-w ${JASS_ROOT_DIR}/etc
# chmod g-w ${JASS_ROOT_DIR}/var
# chmod g-w ${JASS_ROOT_DIR}/var/spool
# chmod 0700 ${JASS_ROOT_DIR}/var/cron
# chmod 0750 ${JASS_ROOT_DIR}/etc/security

9.4 Mount non-root ufs file system


Mount other non-root ufs file systems nosuid to prevent set-UID programs executing
from them. Edit /etc/vfstab to add the nosuid mount option.
Procedure
Add the nosuid option to the relevant /etc/vfstab entries, for example:
/dev/dsk/c0t3d0s5 /dev/rdsk/c0t3d0s5 /var ufs 1 no nosuid
/dev/dsk/c0t3d0s6 /dev/rdsk/c0t3d0s6 /local ufs 2 yes nosuid
Note: This can be done only if the /var and /local file systems are on partitions
separate from the root file system.
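Added example (not from the guide): an audit that reports ufs entries in a vfstab-format file that are mounted without nosuid. Excluding / and /usr is an assumption of this example (set-UID binaries legitimately live there); the vfstab content is constructed and follows the vfstab(4) column order the guide's two entries use.

```shell
#!/bin/sh
# Added example (not from the guide): find ufs file systems that still allow
# set-UID execution. On a Solaris host pass /etc/vfstab.

TAB=$(printf '\t')

# usage: ufs_mounts_missing_nosuid FILE -> mount points lacking nosuid
# Columns: device-to-mount device-to-fsck mount-point FS-type fsck-pass
#          mount-at-boot mount-options
ufs_mounts_missing_nosuid() {
    awk -F "[ ${TAB}]+" '
        /^[[:space:]]*#/ || NF < 7 { next }
        $4 == "ufs" && $3 != "/" && $3 != "/usr" {
            n = split($7, o, ",")
            ok = 0
            for (i = 1; i <= n; i++) if (o[i] == "nosuid") ok = 1
            if (!ok) print $3
        }
    ' "$1"
}

# Constructed vfstab: /local is the only ufs entry without nosuid.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
#device         device          mount   FS      fsck    mount   mount
#to mount       to fsck         point   type    pass    at boot options
fd      -       /dev/fd fd      -       no      -
/proc   -       /proc   proc    -       no      -
/dev/dsk/c0t3d0s0       /dev/rdsk/c0t3d0s0      /       ufs     1       no      -
/dev/dsk/c0t3d0s5       /dev/rdsk/c0t3d0s5      /var    ufs     1       no      nosuid
/dev/dsk/c0t3d0s6       /dev/rdsk/c0t3d0s6      /local  ufs     2       yes     -
/dev/dsk/c0t3d0s7       /dev/rdsk/c0t3d0s7      /export/home    ufs     2       yes     nosuid,logging
swap    -       /tmp    tmpfs   -       yes     -
EOF

# Prints: /local
ufs_mounts_missing_nosuid "$SAMPLE"
```

The option field is split on commas before comparing, so an entry such as nosuid,logging is recognised and a partial match such as "suid" inside another word is not.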

9.5 Enabling TCP Wrappers


To enable TCP wrappers on a Solaris 9 OE system:
1. Modify ENABLE_TCPWRAPPERS in /etc/default/inetd as follows:
ENABLE_TCPWRAPPERS=YES
2. Verify that inetd has either been restarted or sent a HUP signal and that the services listed in
/etc/inetd.conf can use the capabilities of TCP wrappers.

10 Network Security Settings

There are many possible ways to attack network services. These services contain
programming flaws, use weak authentication, transfer sensitive data in unencrypted
format, and allow connections from any network host. These weaknesses allow a system
to be compromised by an attacker.

10.1 Preliminary Network settings


Procedure
Check for the /etc/init.d/nddconfig file.
If it is not found, create /etc/init.d/nddconfig and also create a link to it at
/etc/rc2.d/S70nddconfig.
Use the following commands:
# touch /etc/init.d/nddconfig
# ln /etc/init.d/nddconfig /etc/rc2.d/S70nddconfig

After creating the files, add the ndd commands given below to /etc/init.d/nddconfig and run them.

10.2 Broadcast ping


Procedure
Add the following lines to the /etc/init.d/nddconfig file:
# Fix for broadcast ping bug
/usr/sbin/ndd -set /dev/ip ip_respond_to_echo_broadcast 0

10.3 Directed broadcast


Procedure
Add the following lines to the /etc/init.d/nddconfig file:
# Block directed broadcast packets
/usr/sbin/ndd -set /dev/ip ip_forward_directed_broadcasts 0

10.4 Prevent spoofing


Procedure
Add the following lines to the /etc/init.d/nddconfig file:
# Prevent spoofing
/usr/sbin/ndd -set /dev/ip ip_strict_dst_multihoming 1
/usr/sbin/ndd -set /dev/ip ip_ignore_redirect 1

10.5 Source routed packets


Procedure
Add the following lines to the /etc/init.d/nddconfig file:
# Drop source routed packets
/usr/sbin/ndd -set /dev/ip ip_forward_src_routed 0

10.6 Netmask queries


Procedure
Add the following lines to the /etc/init.d/nddconfig file:
# Do not respond to queries for our netmask
/usr/sbin/ndd -set /dev/ip ip_respond_to_address_mask_broadcast 0

10.7 Timestamp queries

Procedure
Add the following lines to the /etc/init.d/nddconfig file:
# Do not respond to queries for our timestamp
/usr/sbin/ndd -set /dev/ip ip_respond_to_timestamp 0

10.8 Timestamp broadcast

Procedure
Add the following lines to the /etc/init.d/nddconfig file:
# Do not respond to queries for our timestamp broadcast
/usr/sbin/ndd -set /dev/ip ip_respond_to_timestamp_broadcast 0

10.9 Routing redirects

Procedure
Add the following lines to the /etc/init.d/nddconfig file:
# Do not issue redirects -- fix the routing table instead
/usr/sbin/ndd -set /dev/ip ip_send_redirects 0

10.10 Defense against SYN flood

Procedure
Add the following lines to the /etc/init.d/nddconfig file:



# Increase our defense against SYN floods. The q queue
# is the completed socket holding pen where sockets
# remain until the application issues accept().
/usr/sbin/ndd -set /dev/tcp tcp_conn_req_max_q 1280
# The "q0" queue is the half-open socket queue.
/usr/sbin/ndd -set /dev/tcp tcp_conn_req_max_q0 10240

10.11 Avoid DoS

Procedure
Add the following lines to the /etc/init.d/nddconfig file:
# Increase the minimum TCP MSS value to avoid DoS
/usr/sbin/ndd -set /dev/tcp tcp_mss_min 128
Note: To verify that a value has been set as stated above, use a command similar to:
# ndd -get /dev/ip ip_respond_to_timestamp_broadcast

10.12 Strengthen TCP sequence number generation

Cause the system to use a better TCP sequence generation algorithm.


Procedure
Configure RFC 1948 TCP sequence number generation in /etc/default/inetinit:
TCP_STRONG_ISS=2

10.13 Ensure that the machine does not act as a router


This setting is configured by creating an empty file named notrouter in the /etc folder:
# touch /etc/notrouter

10.14 Set arp_cleanup_interval

Add the following line to /etc/init.d/nddconfig:
/usr/sbin/ndd -set /dev/arp arp_cleanup_interval 60000
This sets the ARP cleanup interval to 1 minute (the value is in milliseconds).

10.15 Set tcp_rev_src_routes

Add the following line to /etc/init.d/nddconfig:
/usr/sbin/ndd -set /dev/tcp tcp_rev_src_routes 0
The route specified in a source-routed packet will not be used for the returned packet.
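Added example (not from the guide): a check of a host's live ndd values against every setting recorded in /etc/init.d/nddconfig, extending the single "ndd -get" verification the guide shows in section 10.11 to all of sections 10.2 to 10.15. Because this example has to run where ndd does not exist, the live values come from a constructed state file (one "device parameter value" line each, the same data ndd -get returns); on a Solaris host, current_value would instead call /usr/sbin/ndd -get "$1" "$2". Function names and the nddconfig excerpt are my own.

```shell
#!/bin/sh
# Added example (not from the guide): detect drift between nddconfig and the
# running kernel tunables.

NDDCONFIG=$(mktemp)
STATE=$(mktemp)

# Constructed nddconfig, in the same form as the lines in sections 10.2 to 10.15.
cat > "$NDDCONFIG" <<'EOF'
# constructed nddconfig
/usr/sbin/ndd -set /dev/ip ip_respond_to_echo_broadcast 0
/usr/sbin/ndd -set /dev/ip ip_forward_directed_broadcasts 0
/usr/sbin/ndd -set /dev/ip ip_strict_dst_multihoming 1
/usr/sbin/ndd -set /dev/ip ip_ignore_redirect 1
/usr/sbin/ndd -set /dev/ip ip_forward_src_routed 0
/usr/sbin/ndd -set /dev/tcp tcp_conn_req_max_q0 10240
/usr/sbin/ndd -set /dev/tcp tcp_mss_min 128
/usr/sbin/ndd -set /dev/arp arp_cleanup_interval 60000
EOF

# Constructed "live" values; two of them have drifted from the config.
cat > "$STATE" <<'EOF'
/dev/ip ip_respond_to_echo_broadcast 0
/dev/ip ip_forward_directed_broadcasts 1
/dev/ip ip_strict_dst_multihoming 1
/dev/ip ip_ignore_redirect 1
/dev/ip ip_forward_src_routed 0
/dev/tcp tcp_conn_req_max_q0 1024
/dev/tcp tcp_mss_min 128
/dev/arp arp_cleanup_interval 60000
EOF

# usage: current_value DEVICE PARAM -> live value (stand-in for ndd -get)
current_value() {
    awk -v d="$1" -v p="$2" '$1 == d && $2 == p { print $3; exit }' "$STATE"
}

# usage: ndd_drift NDDCONFIG
# Prints "device param expected=X actual=Y" for each setting that differs.
# Only "ndd -set <device> <param> <value>" lines are read; comments are skipped.
ndd_drift() {
    awk '!/^[[:space:]]*#/ && $2 == "-set" && NF >= 5 { print $3, $4, $5 }' "$1" |
    while read -r dev param expected; do
        actual=$(current_value "$dev" "$param")
        if [ "$actual" != "$expected" ]; then
            printf '%s %s expected=%s actual=%s\n' "$dev" "$param" "$expected" "$actual"
        fi
    done
}

# Prints the two drifted settings (directed broadcasts, q0 queue depth).
ndd_drift "$NDDCONFIG"
```

Empty output means the running values match the file. A common cause of drift on the guide's own procedure is that /etc/init.d/nddconfig was created with touch and never made executable, so the rc link runs nothing at boot; a second is a reboot before the file was run by hand.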

11 Configuring to NTP server


Follow the steps below.
1. Create a work directory for the NTP installation.
# cd /
# mkdir ntpfiles
2. Download the NTP package (ntp-*-sol9-sparc-local.gz) for Sun Solaris from
http://www.sunfreeware.com/
3. Uncompress and add the package.
# gzip -d ntp-4.1.1a-sol9-sparc-local.gz
# pkgadd -d ntp-4.1.1a-sol9-sparc-local
4. Open the ntp.conf file from the default location.
# cd /usr/local/doc/ntp/scripts/support/conf/
# vi ntp.conf

5. Add the following lines to the ntp.conf file:

server <NTP Server IP>
driftfile /usr/local/doc/ntp/scripts/support/conf/ntp.drift
6. Create the ntp.drift file in the above location.
# cd /usr/local/doc/ntp/scripts/support/conf/
# touch ntp.drift
7. Run the NTP daemon.
# ntpd -c /usr/local/doc/ntp/scripts/support/conf/ntp.conf
8. To check the time synchronization of the NTP server and clients, run the NTP query
program.
# ntpq -p
Note: Make sure that the timezone is IST on each server before installing the NTP client.
9. You can synchronize the NTP client with the NTP server with the following command:
# ntpdate 10.132.176.155
Note: Make sure that the NTP daemon is not running while executing the above command.
10. Create the startup script to synchronize the NTP client with the NTP server each time the
system restarts.
# cd /etc/rc2.d
# vi S168ntp
11. Add the following line to the newly created file S168ntp:
/usr/local/bin/ntpd -c /usr/local/doc/ntp/scripts/support/conf/ntp.conf
12. Change the permissions and ownership of the file.
# chmod 744 S168ntp
# chown root:sys S168ntp
Note: The internal NTP server IP is 10.132.176.155.
Once NTP is configured, please ensure that port 121 UDP is opened from the server to the
enterprise NTP servers.
