This document provides a list of configuration changes that enhance the
security of a Sun Solaris (SunOS 5.X) system.
Contents: Auditing | Boot Files | Network Services | Access Controls | Time Synchronization | Recommended Tools | Installing Solaris
Auditing
- Enable the Basic Security Module (BSM):
/etc/security/bsmconv
- Configure the classes of events to log in /etc/security/audit_control:
dir:/var/audit
flags:lo,ad,pc,fc,fd,fm
naflags:lo,ad
#
# lo - login/logout events
# ad - administrative actions: mount, exportfs, etc.
# pc - process operations: fork, exec, exit, etc.
# fc - file creation
# fd - file deletion
# fm - change of object attributes: chown, flock, etc.
#
- Create /etc/security/newauditlog.sh:
#!/sbin/sh
#
# newauditlog.sh - Start a new audit file and expire the old logs
#
AUDIT_EXPIRE=30
AUDIT_DIR="/var/audit"
/usr/sbin/audit -n
cd $AUDIT_DIR || exit 1 # in case it is a link; never run the find elsewhere
# Remove audit files older than AUDIT_EXPIRE days (cwd is already $AUDIT_DIR)
/usr/bin/find . -type f -mtime +$AUDIT_EXPIRE \
-exec rm {} \; > /dev/null 2>&1
- Run the script nightly from cron:
chmod 500 /etc/security/newauditlog.sh
/usr/bin/crontab -e root
0 0 * * * /etc/security/newauditlog.sh
- The audit files generated are not human readable. The
praudit(1M) command can be used to convert audit data into several
ASCII formats.
Boot Files
Disable all startup files for services that are not needed from
/etc/rc2.d and /etc/rc3.d. Services may be disabled by changing the
capital 'S' in the name of the script to a lowercase 's'.
The following startup files should not be disabled:
S01MOUNTFSYS   S05RMTMPFILES  S20sysetup     S30sysid.net
S69inet        S71rpc         S71sysid.sys   S72inetsvc
S74autofs      S74syslog      S74xntpd       S75cron
S75savecore    S80PRESERVE    S88utmpd       S99audit
In order to ensure that all of the startup scripts run with the proper
umask, execute the following script:
umask 022 # make sure umask.sh gets created with the proper mode
echo "umask 022" > /etc/init.d/umask.sh
chmod 544 /etc/init.d/umask.sh
for d in /etc/rc?.d
do
ln /etc/init.d/umask.sh $d/S00umask.sh
done
In order to log as much information as possible,
add the following lines to your /etc/syslog.conf:
mail.debug /var/log/syslog
*.info;mail.none /var/adm/messages
Note: Tabs must be used to separate the fields.
This will log mail entries to /var/log/syslog and everything else to /var/adm/messages.
Log failed login attempts by creating the /var/adm/loginlog file:
touch /var/adm/loginlog
chown root /var/adm/loginlog
chgrp sys /var/adm/loginlog
Set the permissions on the log files as follows:
chmod 600 /var/adm/messages /var/log/syslog /var/adm/loginlog
Configure syslogd not to listen on port 514/udp (so it accepts no log messages from the network) by specifying the -t flag in /etc/rc2.d/S74syslog (Solaris >= 8):
/usr/sbin/syslogd -t > /dev/msglog 2>&1
Configure log files to be rotated daily, archiving old versions for 30 days, in /etc/logadm.conf (Solaris >= 9). Note that the pid is read with backquoted command substitution:
/var/log/syslog -A 30d -p 1d -z 1 -a 'kill -HUP `cat /var/run/syslog.pid`'
/var/adm/messages -A 30d -p 1d -z 1 -a 'kill -HUP `cat /var/run/syslog.pid`; \
logger -t logadm Begin new logfile'
- Enable hardware protection for buffer overflow exploits in /etc/system (sun4u, sun4d, and sun4m systems only).
* Foil certain classes of bug exploits
set noexec_user_stack = 1
* Log attempted exploits
set noexec_user_stack_log = 1
Network Services
Because the /usr/lib/sendmail daemon is not running, outbound mail would otherwise sit in the queue. Add the following line to root's crontab file so the queue is flushed hourly:
0 * * * * /usr/lib/sendmail -q
Replace /etc/mail/sendmail.cf with the following:
# Minimal client sendmail.cf
### Defined macros
# The name of the mail hub
DRmailhost
# Define version
V8
# Whom errors should appear to be from
DnMailer-Daemon
# Formatting of the UNIX from line
DlFrom $g $d
# Separators
Do.:%@!^=/[]
# Format of the sender's address
Dq<$g>
# Spool directory
OQ/usr/spool/mqueue
### Mailer Delivery Agents
# Mailer to forward mail to the hub machine
Mhub, P=[IPC], S=0, R=0, F=mDFMuCX, A=IPC $h
# Sendmail requires these, but they are not used
Mlocal, P=/bin/mail, F=rlsDFMmnuP, S=0, R=0, A=mail -d $u
Mprog, P=/bin/sh, F=lsDFMeuP, S=0, R=0, A=sh -c $u
### Rule sets
S0
R@$+ $#error $: Missing user name
R$+ $#hub $@$R $:$1 forward to hub
S3
R$*<>$* $n handle <> error address
R$*<$*>$* $2 basic RFC822 parsing
Note: In the rule sets, the left-hand side and right-hand side of each R line must be separated by tabs, not spaces.
This configuration should be sufficient for servers where no local mail delivery is required; all mail is forwarded to the host named in the DR macro (mailhost).
Create /etc/init.d/nddconfig and link it to /etc/rc2.d/S70nddconfig so that the settings are applied at every boot:
touch /etc/init.d/nddconfig
ln /etc/init.d/nddconfig /etc/rc2.d/S70nddconfig
chmod 544 /etc/init.d/nddconfig
Add the following lines to the /etc/init.d/nddconfig file:
#!/bin/sh
#
# /etc/init.d/nddconfig
#
# Fix for broadcast ping bug
/usr/sbin/ndd -set /dev/ip ip_respond_to_echo_broadcast 0
# Block directed broadcast packets
/usr/sbin/ndd -set /dev/ip ip_forward_directed_broadcasts 0
# Prevent spoofing
/usr/sbin/ndd -set /dev/ip ip_strict_dst_multihoming 1
/usr/sbin/ndd -set /dev/ip ip_ignore_redirect 1
# No IP forwarding
/usr/sbin/ndd -set /dev/ip ip_forwarding 0
# Drop source routed packets
/usr/sbin/ndd -set /dev/ip ip_forward_src_routed 0
# Shorten ARP expiration to one minute to minimize ARP spoofing/hijacking
# [Source: Titan adjust-arp-timers module]
/usr/sbin/ndd -set /dev/ip ip_ire_flush_interval 60000
/usr/sbin/ndd -set /dev/arp arp_cleanup_interval 60
# --
#
# The following tweaks are from 'Tuning Solaris for FireWall-1' by
# Rob Thomas (http://www.enteract.com/~robt)
#
# Do not respond to queries for our netmask
/usr/sbin/ndd -set /dev/ip ip_respond_to_address_mask_broadcast 0
#
# Do not issue redirects -- fix the routing table instead
/usr/sbin/ndd -set /dev/ip ip_send_redirects 0
#
# Increase our defense against SYN floods.
# The "q" queue is the completed socket holding pen where sockets
# remain until the application issues accept().
/usr/sbin/ndd -set /dev/tcp tcp_conn_req_max_q 1280
# The "q0" queue is the half-open socket queue.
/usr/sbin/ndd -set /dev/tcp tcp_conn_req_max_q0 10240
#
# --
A sample nddconfig file can also be found on the Sun BluePrints site at http://www.sun.com/blueprints/tools/
Deny services executed by inetd(1M) the ability to create core files and
enable logging (-t) for all TCP services by editing /etc/rc2.d/S72inetsvc:
# Run inetd in "standalone" mode (-s flag) so it doesn't have
# to submit to the will of SAF. Why did we ever let them change inetd?
ulimit -c 0
/usr/sbin/inetd -s -t&
Configure RFC 1948 TCP sequence number generation in /etc/default/inetinit:
TCP_STRONG_ISS=2
Comment out or remove all unnecessary services in the /etc/inet/inetd.conf file, including the following:
shell      login      exec
comsat     talk       uucp
tftp       finger     sysstat
netstat    time       echo
discard    daytime    chargen
rquotad    sprayd     walld
rexd       rpc.ttdbserverd
ufsd       printer    dtspc
rpc.cmsd
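As an added example (not part of the original guide), the following shell function comments out the named services in an inetd.conf-style file. It matches either the service name in the first field, with any RPC "/version" suffix dropped (so "rquotad/1" matches "rquotad"), or the basename of the server program in the sixth field, which is how the numbered RPC entries for rpc.ttdbserverd and rpc.cmsd are caught. The sample file it ships with is constructed in the Solaris layout, not copied from a real system.

```sh
#!/bin/sh
# Added example (hypothetical helper, not from the Solaris guide): disable the
# services named on the command line in an inetd.conf-style file.
# Usage: disable_inetd_services /etc/inet/inetd.conf shell login exec > inetd.conf.new
disable_inetd_services() {
    conf="$1"; shift
    names=" $* "        # " shell login exec ": padded so index() matches whole names only
    awk -v names="$names" '
        NF == 0 || $1 ~ /^#/ { print; next }     # leave blank lines and comments alone
        {
            svc = $1;  sub(/\/.*/, "", svc)      # "rquotad/1" -> "rquotad"
            prog = $6; sub(/.*\//, "", prog)     # "/usr/dt/bin/rpc.cmsd" -> "rpc.cmsd"
            if (index(names, " " svc " ") || index(names, " " prog " "))
                print "#" $0                     # comment the entry out
            else
                print
        }' "$conf"
}

# Constructed sample in the Solaris inetd.conf layout (not a real system's file).
sample_inetd_conf() {
    cat <<'EOF'
# constructed sample inetd.conf
ftp        stream  tcp             nowait  root    /usr/sbin/in.ftpd       in.ftpd
telnet     stream  tcp             nowait  root    /usr/sbin/in.telnetd    in.telnetd
shell      stream  tcp             nowait  root    /usr/sbin/in.rshd       in.rshd
finger     stream  tcp             nowait  nobody  /usr/sbin/in.fingerd    in.fingerd
rquotad/1  tli     rpc/datagram_v  wait    root    /usr/lib/nfs/rquotad    rquotad
100068/2-5 dgram   rpc/udp         wait    root    /usr/dt/bin/rpc.cmsd    rpc.cmsd
EOF
}
```

Run it as `disable_inetd_services /etc/inet/inetd.conf shell finger rquotad rpc.cmsd` and compare the output against the original with diff before installing it.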
- Create /etc/rc3.d/S79tmpfix so that upon boot the /tmp
directory will always have the sticky bit set (mode 1777):
#!/bin/sh
#ident "@(#)tmpfix 1.0 95/09/14"
if [ -d /tmp ]
then
/usr/bin/chmod 1777 /tmp
/usr/bin/chgrp sys /tmp
/usr/bin/chown sys /tmp
fi
[Source: Titan psfix module]
Access Controls
Disable network root logins by enabling the "CONSOLE" line in /etc/default/login.
Remove, lock, or comment out unnecessary accounts, including "sys", "uucp", "nuucp", and "listen". The cleanest way to shut them down is to put "NP" in the password field of the /etc/shadow file.
Require authentication for remote commands by commenting out the
following line in /etc/pam.conf:
#rlogin auth sufficient /usr/lib/security/pam_rhosts_auth.so.1
and changing the rsh line to read:
rsh auth required /usr/lib/security/pam_unix.so.1
[Source: Titan pam-rhosts module]
Only add accounts for users who require access to the system.
If using NIS, use the compat
mode by editing the /etc/nsswitch.conf file:
passwd: compat
Add each user to the /etc/passwd file
+nis_user:x::::/home_dir:/bin/sh
and the /etc/shadow file
+nis_user::10626::::::
Create an /etc/issue file to display the following
warning banner:
WARNING: To protect the system from unauthorized use and to ensure that the
system is functioning properly, activities on this system are monitored and
recorded and subject to audit. Use of this system is expressed consent to such
monitoring and recording. Any unauthorized access or use of this Automated
Information System is prohibited and could be subject to criminal and civil
penalties.
- Source: CIAC-2317 Windows NT Network Security: A Manager's Guide
Add the banner to the /etc/motd file:
cp /etc/motd /etc/motd.orig
cat /etc/issue /etc/motd.orig > /etc/motd
- The Automated Security Enhancement Tool (ASET) checks the
settings and contents of system files. Many of the setuid and setgid
programs on Solaris are used only by root, or by the user or group-id to
which they are set.
Run aset using the highest security level and review the report files
that are generated in /usr/aset/reports.
/usr/aset/aset -l high
Use of the FixModes program available from the
Sun BluePrints site at http://www.sun.com/blueprints/tools is recommended.
Create a master list of the remaining setuid/setgid programs on your
system and check that the list remains static over time.
/bin/find / -type f \( -perm -4000 -o -perm -2000 \) \
-exec ls -ldb {} \;
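The guide asks that the setuid/setgid list stay static over time. As an added example (not from the guide), this script keeps a sorted baseline of the find output as "mode owner group path" and reports anything added, removed or re-moded since; the baseline path /var/adm/setuid.baseline and the scratch tree used for a dry run are assumptions.

```sh
#!/bin/sh
# Added example (hypothetical helper, not from the Solaris guide): keep a baseline
# of setuid/setgid files and report anything added, removed, or re-moded since.
# Baseline once:    scan_setuid / > /var/adm/setuid.baseline
# Check from cron:  check_setuid /var/adm/setuid.baseline /

# List setuid/setgid regular files under $1 as "mode owner group path", sorted
# so the two lists can be compared line by line with comm(1).
scan_setuid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ld {} \; \
      | awk '{ print $1, $3, $4, $NF }' | sort
}

# Compare a saved baseline with a fresh scan of $2. Returns 0 when nothing
# changed, 1 (after printing the differing entries) otherwise.
check_setuid() {
    baseline="$1"; root="$2"
    current=$(mktemp) || return 2
    scan_setuid "$root" > "$current"
    removed=$(comm -23 "$baseline" "$current")   # lines in the baseline only
    added=$(comm -13 "$baseline" "$current")     # lines in the fresh scan only
    rm -f "$current"
    if [ -z "$removed" ] && [ -z "$added" ]; then
        return 0
    fi
    [ -n "$removed" ] && printf 'Missing or changed since baseline:\n%s\n' "$removed"
    [ -n "$added" ]   && printf 'New or changed since baseline:\n%s\n' "$added"
    return 1
}

# Constructed scratch tree (one setuid file, one plain file) for a dry run;
# prints the directory it created.
make_sample_tree() {
    d=$(mktemp -d) || return 2
    touch "$d/setuid_prog" "$d/plain_prog"
    chmod 4755 "$d/setuid_prog"
    chmod 755 "$d/plain_prog"
    echo "$d"
}
```

A mode change on an existing file shows up as one "missing" and one "new" line for the same path, since the mode is part of the compared record.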
- Execution of the su(1M) command can be controlled by adding and configuring a
wheel group such as that found on most BSD derived systems.
/usr/sbin/groupadd -g 13 wheel
/usr/bin/chgrp wheel /usr/bin/su /sbin/su.static
/usr/bin/chmod 4550 /usr/bin/su /sbin/su.static
The GID for the wheel group does not need to be 13, any valid GID can be
used. You will need to edit /etc/group to add users to the wheel group.
- Create an /etc/ftpusers file:
cat /etc/passwd | cut -f1 -d: > /etc/ftpusers
chown root /etc/ftpusers
chmod 600 /etc/ftpusers
Remove any users that require ftp access from the /etc/ftpusers file.
- Set the default umask so that it does not include world access.
Add "umask 027" to the following files:
/etc/.login /etc/profile
/etc/skel/local.cshrc /etc/skel/local.login
/etc/skel/local.profile
Enable the "UMASK" line in the /etc/default/login file and set the value to 027.
- The files in /etc/cron.d control which users can use the cron(1M)
and at(1) facilities.
Create an /etc/cron.d/cron.allow file:
echo "root" > /etc/cron.d/cron.allow
chown root /etc/cron.d/cron.allow
chmod 600 /etc/cron.d/cron.allow
Create an /etc/cron.d/at.allow file:
cp -p /etc/cron.d/cron.allow /etc/cron.d/at.allow
Create an /etc/cron.d/cron.deny file:
cat /etc/passwd | cut -f1 -d: | grep -v root > /etc/cron.d/cron.deny
chown root /etc/cron.d/cron.deny
chmod 600 /etc/cron.d/cron.deny
Create an /etc/cron.d/at.deny file:
cp -p /etc/cron.d/cron.deny /etc/cron.d/at.deny
If CDE is installed, replace the default CDE "Welcome" greeting.
If the /etc/dt/config/C directory does not exist,
create the directory structure and copy the default configuration file:
mkdir -p /etc/dt/config/C
chmod -R a+rX /etc/dt/config
cp -p /usr/dt/config/C/Xresources /etc/dt/config/C
Add the following lines to /etc/dt/config/C/Xresources:
Dtlogin*greeting.labelString: %LocalHost%
Dtlogin*greeting.persLabelString: login: %s
If CDE is installed, disable XDMCP connection access by
creating or replacing the /etc/dt/config/Xaccess file:
#
# Xaccess - disable all XDMCP connections
#
!*
Set the permissions on /etc/dt/config/Xaccess to 444:
chmod 444 /etc/dt/config/Xaccess
Time Synchronization
Edit the /etc/inet/ntp.conf file:
#
# /etc/inet/ntp.client
#
# An example file that could be copied over to /etc/inet/ntp.conf; it
# provides a configuration for an ntp server that uses three public sources
# with an internal fallback (127.127.1.0).
#
# A simple NTP client would specify one or more network servers in your
# organization:
#
# server ntp.example.com
#
# Public NTP Server list: http://www.eecis.udel.edu/~mills/ntp/clock1.htm
#
server 192.5.41.40 # tick.usno.navy.mil
server 192.5.5.250 # clock.isc.org
server 128.9.176.30 # timekeeper.isi.edu
server 127.127.1.0 # internal clock
fudge 127.127.1.0 stratum 10
Recommended Tools
FixModes
- FixModes is a script that tries to make Solaris file modes more
secure.
Sudo
- Sudo (superuser do) allows a system administrator to give certain users
(or groups of users) the ability to run some (or all)
commands as root while logging all commands and arguments.
SunScreen
- SunScreen is a host-based firewall product that is packaged with
Solaris 8 and later. See also Securing Systems with Host-Based Firewalls
TCP Wrappers
- With this package you can monitor and filter incoming requests for the
SYSTAT, FINGER, FTP, TELNET, RLOGIN, RSH, EXEC, TFTP, TALK, and other
network services. TCP Wrappers is included in Solaris 9.
Secure Shell (ssh)
- Ssh is a program to log into another computer over a
network, to execute commands in a remote machine, and to move files
from one machine to another. It provides strong authentication and
secure communications over unsecure channels. It is intended as a
replacement for rlogin, rsh, and rcp.
Titan
- Titan is a collection of programs, each of which either fixes or
tightens one or more potential security problems with a
particular aspect in the setup or configuration of a Unix system.
Logcheck
- Logcheck is a perl script that monitors system logs for unusual
activity.
Installing Solaris
This section describes the steps necessary to install Solaris with the
smallest OS image possible.
- Remove any network connections from the machine before installing the OS.
- Boot the machine from the OS install CD-ROM.
- Answer the installation questions as they pertain to this instance. You
will want to mark the machine as being networked and give the machine an IP
address even though it is not connected to the network.
- In the Solaris install program, select the Core SPARC cluster. Then
select Customize. The following is a list of all the clusters that should
be selected. For clusters that have subparts, select only the subparts listed,
not the entire cluster.
- AutoFS
- Automated Security Enhancement Tools
- Federated Naming System
- FrameBuffer Device Drivers
  - Dumb frame buffer device drivers
- FTP Server, (Root)
- FTP Server, (Usr)
- GX (cg6) OS support files
- Install and Patch Utilities
- Interprocess Communication
- Keyboard configuration tables
- Motif Runtime Kit
- Network Information System (NIS)
- Openwindows Version 3
  - Openwindows kernel modules
  - X Window system window drivers
- PCMCIA Support
- Patch utilities
- Platform Support, OS Functionality (Usr)
- Portable layout services for Complex Text Layout support
- Programming tools and libraries
  - Sun workshop bundled shared libm
  - SPARCompilers bundled libc
- Static utilities
- Solaris desktop /usr/dt filesystem anchor
- Solaris Naming Enabler
- SunFastEthernet/FastWideSCSI-2 Adaptor Drivers
- SunSwift SBus Adaptor Drivers
- System Accounting
- System and Network Administration
- Terminal Information
Be sure to install any device drivers specific to your hardware!
Solaris >=7: 64-bit package versions should also be selected if 64-bit
support has been enabled.
If you need printer support, select the following:
- Line Printer Support
- Tooltalk end user
For remote Motif/X support, select the following:
- Font Server Cluster
- X Window System common (not required) fonts
- X Window System optional fonts
- X Window System platform required fonts
- OpenWindows Version 3
  - ICE components
  - X Window System platform software
- Tooltalk end user
- XIL Runtime Environment
The following is required for FireWall-1:
- Source compatibility support
  - Source Compatibility, (Usr)
- The Core SPARC cluster requires much less disk space than most types of Solaris installs. The following partition table is appropriate for machines loaded with the Core SPARC cluster:
s0: /       250 megabytes
s1: swap    1 gigabyte
s2: overlap
s3:         8 megabytes (for metadb)
s4: /usr    500 megabytes
s5: /var    2 gigabytes
s6: /opt    (rest of disk)
The /var partition is large to accommodate extra logging and auditing information. You may wish to scale the swap space as appropriate for your hardware,
but extra swap helps prevent "denial-of-service" attacks.
The Core SPARC cluster, even with the most recent patches, provides many services which are unnecessary.
Execute pkginfo. The results should match the following:
% pkginfo
system SUNWaccr System Accounting, (Root)
system SUNWaccu System Accounting, (Usr)
system SUNWadmap System administration applications
system SUNWadmc System administration core libraries
system SUNWadmfw System & Network Administration Framework
system SUNWadmr System & Network Administration Root
system SUNWast Automated Security Enhancement Tools
system SUNWatfsr AutoFS, (Root)
system SUNWatfsu AutoFS, (Usr)
system SUNWcar Core Architecture, (Root)
system SUNWcg6 GX (cg6) Device Driver
system SUNWcsd Core Solaris Devices
system SUNWcsr Core Solaris, (Root)
system SUNWcsu Core Solaris, (Usr)
CTL SUNWctpls Portable layout services for Complex Text Layout support
system SUNWdfb Dumb Frame Buffer Device Drivers
system SUNWdtcor Solaris Desktop /usr/dt filesystem anchor
system SUNWesu Extended System Utilities
system SUNWfns Federated Naming System
system SUNWftpr FTP Server, (Root)
system SUNWftpu FTP Server, (Usr)
system SUNWhmd SunSwift SBus Adapter Drivers
system SUNWipc Interprocess Communications
system SUNWkey Keyboard configuration tables
system SUNWkvm Core Architecture, (Kvm)
system SUNWlibC SPARCompilers Bundled libC
system SUNWlibms Sun WorkShop Bundled shared libm
system SUNWmfrun Motif RunTime Kit
system SUNWnisr Network Information System, (Root)
system SUNWnisu Network Information System, (Usr)
system SUNWos86u Platform Support, OS Functionality (Usr)
system SUNWpcelx 3COM EtherLink III PCMCIA Ethernet Driver
system SUNWpcmci PCMCIA Card Services, (Root)
system SUNWpcmcu PCMCIA Card Services, (Usr)
system SUNWpcmem PCMCIA memory card driver
system SUNWpcser PCMCIA serial card driver
system SUNWpsdpr PCMCIA ATA card driver
system SUNWsolnm Solaris Naming Enabler
system SUNWsutl Static Utilities
system SUNWswmt Patch Utilities
system SUNWswmt Install and Patch Utilities
system SUNWter Terminal Information
system SUNWxwdv X Windows System Window Drivers
system SUNWxwmod OpenWindows kernel modules
Solaris >=7: 64-bit package versions will also be listed if 64-bit support has
been enabled.
Use the pkgrm command to remove any non-essential packages that are not
listed above.
Resources
- Sun Recommended & Security Patches
- Sun Security Bulletins
- The Solaris Security FAQ
- SANS Solaris Security: Step-by-Step
- Solaris BSM Auditing
- Tuning Solaris for FireWall-1 by Rob Thomas