Solaris 8 and 9 OS Hardening Guidelines


 

1. Purpose of OS Hardening

Computers and network elements connected to networks are vulnerable to attacks. The following is a list of commonly known types of attacks:

1. Viruses, worms, backdoors and trojans
2. Wire tapping and sniffing
3. Password cracking
4. Exploits of known vulnerabilities such as software buffer overflows
5. Denial of service (DoS)

Some of these attacks are based on well-publicized techniques, with scripts and other tools available to make it possible for less knowledgeable crackers to apply exploits against systems. Once a system has been compromised, an intruder can do a number of things, including the following:

1. Modify or destroy information
2. Disclose sensitive information
3. Install malicious code to gather information
4. Use the compromised server to attack other systems

Our goal is to provide reference guidelines that you can use to improve the resistance of your Solaris-based systems to attacks. We present what we believe to be sound practices, but we must point out that no system is absolutely secure and that continued vigilance is still required even after your system has been hardened. It is highly recommended that you monitor early warning forums to obtain the newest vulnerability reports and stay on your vendor's bug-fix mailing list to get the latest security patches and bug fixes for the Solaris operating system you use.

The hardening procedure has been verified on the Solaris 8 and 9 Operating Environment for the SPARC platform and may be adapted for other Solaris-based systems.

We assume that you have working knowledge of Solaris or general UNIX system administration and that the system installation and hardening will be performed in an isolated or safe network environment.

We would also recommend installing only the core Solaris system along with any needed packages. One advantage of this kind of stripped-down OS install is size. The full Solaris install requires at least a gigabyte of space just for the OS files themselves (not counting swap space, space for logging, user and application data, etc.). The Core cluster fits in a couple of hundred megabytes. Also, with less installed on the system, there is less that can go wrong to cause the system to crash or lock up, and rebooting or restarting the system is much faster. The more information you log about your systems, the more likely you are to record the activity that lets you detect an attacker.

 

2. Solaris 8 and 9 Hardening Procedures


Step 1: Removing Unnecessary Services and Users

Many unnecessary services are installed by default when setting up a Solaris server. The next step to harden the operating system is to remove them from the startup files. Like Linux and many other Unix variants, Solaris takes advantage of the /etc/rc?.d directory structure, where ? denotes the available run levels. At each run level init uses a driver script to run other scripts found in the run level directories. The available run levels with startup or shutdown scripts in Solaris are S, 0, 1, 2, and 3.

There are many unused services started by the init process. These services usually run as root, and a number of them have potential security loopholes that can be exploited. The rule of thumb is that if a service is not needed, do not start it. The simplest way to disable a group of services manually is to run the following commands in a terminal console:

      # change to the directory where you want to disable services
      cd /etc/rc2.d || exit 1

      # list filenames. Use wildcards to save typing; the -f test skips a
      # pattern that matches no file (the shell would otherwise pass the
      # literal pattern to mv and fail)
      for file in *sysid* *auto* *nscd *power *dtlogin
      do
        [ -f "$file" ] && mv "$file" ".NO$file"
      done

      # it's recommended to use a shorter list to avoid errors
      for file in *dmi *snmpdx *nfs* *cache* *rpc *route
      do
        [ -f "$file" ] && mv "$file" ".NO$file"
      done

      for file in *PRESERVE *sendmail *spc *lp*
      do
        [ -f "$file" ] && mv "$file" ".NO$file"
      done

This renames each file that begins with S to .NOfilename; init only runs scripts whose names begin with S or K, so the renamed scripts are no longer started at boot. For example, S30sysid.net becomes:

   .NOS30sysid.net

A more radical approach would be to delete them completely. It is recommended that the files be renamed first and be removed after thorough tests have been done to make sure the system works as expected. This step could also be accomplished via the script in Appendix F.

The following sections outline the removal of the candidate services in detail.

Unnecessary System Services Started by init Process

Disable PCMCIA

PCMCIA stands for Personal Computer Memory Card International Association. This standard memory card interface is most commonly used in notebook-type computers. If your product does not take advantage of the PCMCIA hardware configuration then this support should be disabled.

In order to disable PCMCIA in Solaris 8, the following file is renamed:

   /etc/rcS.d/S10initpcmcia

 

Disable CacheFS

CacheFS is commonly used to support diskless clients (the root file system is cachefs instead of ufs) and provides better performance by caching NFS. cachefs can be safely disabled because all OAM server hardware configurations have their own disks, ufs is almost always the default file system, and NFS should never be part of normal OAM operation. The rule of thumb is that if a network service is not required, it should be disabled. Please note that NFS does not need cachefs; according to Sun, cachefs merely provides better NFS performance.

This is part one of four script files that must be renamed to fully disable CacheFS; for clarity, each is listed in a different subsection of this document. The scripts should be disabled in the following order:

   /etc/rcS.d/S35cacheos.sh

   /etc/rcS.d/S41cachefs.root

   /etc/rc2.d/S73cachefs.daemon

   /etc/rc2.d/S93cacheos.finish

An entry in /etc/inet/inetd.conf, which is controlled by the RPC daemon, is also required to be commented out. It is discussed later in the section.

   /etc/inet/inetd.conf

Disable CacheFS for Root Partition

This is a continuation of the CacheFS disabling procedure described above.

This is part two of the four script files that must be renamed to fully disable CacheFS; for clarity, each is listed in a different subsection of this document:

   /etc/rcS.d/S35cacheos.sh

   /etc/rcS.d/S41cachefs.root

   /etc/rc2.d/S73cachefs.daemon

   /etc/rc2.d/S93cacheos.finish

An entry in /etc/inet/inetd.conf, which is controlled by the RPC daemon, is also required to be commented out. It is discussed later in the section.

   /etc/inet/inetd.conf

 

Disable Solaris Network Cache and Accelerator (NCA)

The NCA is a kernel module designed to provide improved web server performance. The kernel module, ncakmod, services HTTP requests. To improve the performance of servicing HTTP requests, the NCA kernel module maintains an in-kernel cache of web pages. If the NCA kernel module cannot service the request itself, it passes the request to the http daemon (httpd) by means of a private interface. The logging facility, ncalogd, logs all requests.

The NCA cache consistency is maintained by honoring HTTP headers dealing with a given content type and expiration date, much the same way as a proxy cache.

The NCA is intended to be run on a dedicated web server. Running other large processes while running NCA may cause undesirable behavior. This is a new feature in Solaris 8 and is available in Solaris 9. Sun recommends that this service be disabled.

This is part one of three script files that need to be renamed in order to fully disable NCA; for clarity purposes, they are each listed in different subsections of this document:

   /etc/rcS.d/S42ncakmod

   /etc/rc2.d/S94ncalogd

   /etc/rc2.d/S95ncad

Disable System Activity Data Gathering

By default, this script is commented out by the OS installation and Sun recommends that it be disabled.

In order to disable system activity data gathering, the following script file should be renamed to prevent access:

   /etc/rc2.d/S21perf

Disable Class 2 Logical Link Control driver (LLC2)

The LLC2 driver interfaces network software (NetBIOS, SNA, OSI, etc.) running under Solaris to a physical LAN network controlled by one of the supported communications adapters. The LLC2 driver, which appears as a STREAMS driver to the network software, resides in the kernel and is accessed by standard UNIX STREAMS functions.

This is a new function for Solaris 8 and is available in Solaris 9 as well. It should be disabled if this network interface is not needed in the OAM network.

In order to disable the LLC2 driver, the following script file should be renamed to prevent access:

   /etc/rc2.d/S40llc2

Disable Async PPP Server

Unless PPP dial-up is used, which appears not to be the case, this service should be disabled as recommended by Sun.

In order to disable PPP, the following script file should be renamed to prevent access:

   /etc/rc2.d/S47asppp

   /etc/rc2.d/S47pppd

Disable Unix to Unix Copy Daemon (UUCP)

Unless UUCP is used, which appears not to be the case, the UUCP should be disabled. This is not a common service for a server. Sun recommends that it be disabled.

Renaming the following script file will disable UUCP:

   /etc/rc2.d/S70uucp

 

Disable Sun Stock LDAP Client

Sun recommends that this stock version be disabled. Renaming the following script file will disable Sun Stock LDAP Client:

   /etc/rc2.d/S71ldap.client

Disable Auto-Installation Service

This service is only used if the /etc/.UNCONFIGURED or /AUTOINSTALL files are created so the system can be re-installed. After initial installation and configuration, there is generally little reason for this service to remain available. Sun recommends that it be disabled.

Renaming the following script file will disable the auto-installation service:

   /etc/rc2.d/S72autoinstall

Disable Sun Stock Service Location Protocol Daemon

Sun recommends that this stock version be disabled. The following script file is renamed to disable the Sun Stock Service Location Protocol Daemon:

   /etc/rc2.d/S72slpd

Disable CacheFS Daemon

This is a continuation of the CacheFS disabling procedure described earlier.

This is part three of the four script files that must be renamed to fully disable CacheFS; for clarity, each is listed in a different subsection of this document:

   /etc/rcS.d/S35cacheos.sh

   /etc/rcS.d/S41cachefs.root

   /etc/rc2.d/S73cachefs.daemon

   /etc/rc2.d/S93cacheos.finish

An entry in /etc/inet/inetd.conf, which is controlled by the RPC daemon, is also required to be commented out. It is discussed later in the section.

   /etc/inet/inetd.conf

Disable NFS Client Service

The Solaris boot sequence assumes that some of your file systems will be served by an NFS file server. Therefore, optional services are started on the assumption that some users will need them if they use an NFS file server.

There is a collection of historically dangerous RPC services started at boot time from the script S73nfs.client found in /etc/rc2.d. This includes the statd and lockd daemons mentioned in the SANS Top Ten Security Threats 2002. NFS client systems need statd and lockd to do file locks on NFS file systems -- the client has to tell the server to hold a lock so that other clients can honor it.

Over the years there have been many security compromises associated with the RPC services required for NFS -- Sun recommends that these services be disabled for security reasons.

The following script file should be renamed to disable the NFS client service:

   /etc/rc2.d/S73nfs.client

Disable NFS Auto-Mount

The automount service manages automated NFS mounts. NFS clients may need to mount file systems from many different NFS servers. The automount service mounts file systems automatically when they are needed and unmounts them after a specific amount of idle time. A table used by this service defines the file system mount points, mount options, and the associated NFS servers. Also, in order to centralize the management of automount, the configuration tables can be stored in a name service such as NIS or NIS+. A kernel level service (autofs) interacts with the system daemon (automountd) to manage file system mount and unmount requests. The primary automount configuration table is stored in the /etc/auto_master file. The /etc/auto_master file determines the locations of all autofs mount points. By default, this file contains four entries.

Ideally, automount should be disabled because, not only does it run as a privileged daemon, but it also uses NFS and RPC. Sun highly recommends that it be disabled.

To disable autofs, you also need to remove /etc/auto_master and /etc/auto_home. If either of them cannot be removed, this service must remain on.

The following files should be renamed or removed to fully disable NFS auto-mount:

   /etc/rc2.d/S74autofs

   /etc/auto_master

   /etc/auto_home

Disable Print Service

The /etc/rc2.d/S80lp script is required for both a server providing print services to other systems and a system which requires access to printers hosted by other systems. If this functionality is not required, Sun recommends that the packages for lp be removed from the system, and the in.lpd entry be removed from /etc/inet/inetd.conf.

The following script file should be renamed to disable the print service:

   /etc/rc2.d/S80lp

Disable Preserve

This service automatically saves the files currently being edited to /usr/preserve when the session is lost or the server is rebooted. This service can be safely disabled and Sun recommends that it be disabled.

The following script files should be renamed to disable the preserve feature:

   /etc/rc2.d/S80PRESERVE (Solaris 8)

   /etc/rc2.d/S89PRESERVE (Solaris 9)

 

Disable Solstice Print Client Service (SPC)

Yet another printing related service that is not needed. Sun recommends that it be disabled. The following script file should be renamed to disable the SPC service:

   /etc/rc2.d/S80spc

Disable Power Management Daemon

The powerd daemon is started by pmconfig to monitor system activity and perform an automatic shutdown using the suspend-resume feature. When the system is suspended, the complete current state information is saved on the disk before power is removed. This service is only useful for workstations that are configured for power saving mode (they shutdown to save energy) and should never be used on a server. This can be safely disabled and this is recommended by Sun. Once it is disabled, a blank file /noautoshutdown should be created to prevent the system from asking power management questions (workstations only).

The following script file should be renamed to prevent access to the powerd daemon:

   /etc/rc2.d/S85power

The following file should be created to prevent system from asking power management related questions:

   /noautoshutdown

Disable SMTP Mail Server

The sendmail utility is used on a Solaris system to forward and receive mail from other systems. Centralized mail servers should be used to receive mail, not local servers. Ideally, a more secure Mail Transport Agent (MTA) should be used instead of the MTA bundled with Solaris. The sendmail daemon bundled with Solaris has been subject to numerous denial of service, buffer overflow, and misconfiguration attacks.

Sun recommends that sendmail be disabled unless it is absolutely necessary. In a later section, system logging is modified to send warning messages to logs instead of mailing them to root (root's mail could fill up /var if it is not checked regularly, thus halting the system). You may invoke sendmail periodically from crontab to process queued mail from programs and processes that use mail to send out messages.

Renaming the following script file will disable the SMTP mail server:

   /etc/rc2.d/S88sendmail

Replace the installed sendmail.cf file with the minimal sendmail.cf in Appendix C. Add the following entry to root's crontab to flush the mail queue once per hour:

0 * * * * /usr/lib/sendmail -q

Disable Web-Based Enterprise Management (WBEM) service

WBEM is both an initiative and a technology. As an initiative, WBEM includes standards for managing systems, networks, users, and applications by using Internet technology. As a technology, WBEM provides a way for management applications to share management data independently of vendor, protocol, operating system, or management standard. The core of WBEM is the Common Information Model (CIM); all compatible objects must implement the CIM model. This is an optional software package, new to Solaris 8 and also available in Solaris 9. Sun recommends that it be disabled if it is not needed.

The following script file should be renamed to disable the WBEM service:

   /etc/rc2.d/S90wbem

Disable CacheFS Daemon

This is a continuation of the CacheFS disabling procedure described earlier.

This is part four of the four script files that must be renamed to fully disable CacheFS; for clarity, each is listed in a different subsection of this document:

   /etc/rcS.d/S35cacheos.sh

   /etc/rcS.d/S41cachefs.root

   /etc/rc2.d/S73cachefs.daemon

   /etc/rc2.d/S93cacheos.finish

An entry in /etc/inet/inetd.conf, which is controlled by the RPC daemon, is also required to be commented out. It is discussed later in the section.

   /etc/inet/inetd.conf

Disable NCA Logging

This is a continuation of the NCA disabling procedure described earlier.

This is part two of the three script files that must be renamed to fully disable NCA; for clarity, each is listed in a different subsection of this document:

   /etc/rcS.d/S42ncakmod

   /etc/rc2.d/S94ncalogd

   /etc/rc2.d/S95ncad

Disable NCA Daemon

This is a continuation of the NCA disabling procedure described earlier.

This is part three of the three script files that must be renamed to fully disable NCA; for clarity, each is listed in a different subsection of this document:

   /etc/rcS.d/S42ncakmod

   /etc/rc2.d/S94ncalogd

   /etc/rc2.d/S95ncad

Disable NFS Server Service

The Solaris boot sequence assumes that some systems will be NFS file servers. The network services required to support NFS file services are only started if the system has been configured appropriately. That is a prudent strategy.

There is a collection of historically dangerous RPC services that can be started at boot time from the script S15nfs.server found in /etc/rc3.d. This includes the mountd daemon mentioned in the SANS Top Ten Security Threats 2002. If the system is not an NFS file server, the mountd and nfsd servers should not be started. All NFS file sharing information is transported in clear text, so it is susceptible to snooping. Therefore, Sun recommends that NFS not be configured, for security reasons.

The following two scripts need to be renamed or removed in order to fully disable the NFS server service:

   /etc/rc3.d/S15nfs.server

   /etc/dfs/dfstab

Disable Sun Stock Apache Server

By default, this service (new to Solaris 8 and also available in Solaris 9) is not started automatically at boot time. If web access is not needed, or a newer version is installed, this stock version that comes with the OS should be disabled. Sun recommends that this stock version be disabled.

Renaming the following script file will disable the Sun stock apache server:

   /etc/rc3.d/S50apache

Disable SNMP services

There are several stock Simple Network Management Protocol (SNMP) services enabled by default on Solaris -- these are snmpdx, snmpXdmid and mibiisa. The SNMP service always listens on port 161; the other port numbers vary. The snmpdx daemon uses snmpXdmid to answer some queries and the mibiisa daemon to answer others. All of these processes run as user root and might be compromised.

Some OAM applications use their own SNMP agent, thus the stock SNMP services started by Sun are not needed. If SNMP is not required, Sun recommends that the startup script be disabled so that these stock SNMP services will not provide system information to unknown persons.

Please note that some servers which use the T3 disk-array require the Sun stock SNMP services to manage the RAID disk-arrays. Also, if Sun SMC3.0 agent is running on the server, SNMP services must not be turned off.

Renaming the following script file will disable SNMP services:

   /etc/rc3.d/S76snmpdx

Disable Desktop Management Interface (DMI)

There is a well-known vulnerability on Solaris 8 concerning DMI: a buffer overflow that can lead to local and remote root compromise. See the advisory archive entry Solaris SNMP to DMI mapper daemon vulnerability for more information.

DMI can be safely turned off and Sun recommends that it be disabled. The following script file should be renamed to disable DMI:

   /etc/rc3.d/S77dmi

 

Disable Mobile IP Agent Service

The MIP agent utility implements the Mobile IP home agent and foreign agent functionality described in RFC 2002. It responds to Mobile IP registration and deregistration requests and router discovery solicitation messages from a mobile node. Besides responding to external messages, the mipagent utility also performs tasks on a periodic basis, such as aging mobility bindings and visitor entries and sending agent advertisements.

This service is new to Solaris 8 and is available in Solaris 9 as well. It requires that the /etc/inet/mipagent.conf file be present during the startup. The Solaris 8 and 9 default installation disables this service and Sun recommends that the startup script be disabled if it is not needed.

The following script file should be renamed to disable the Mobile IP agent service:

   /etc/rc3.d/S80mipagent

 

Unnecessary Network Services Managed by inetd Process

The inetd daemon provides access to system and network services available on a system. Its configuration file, /etc/inet/inetd.conf, defines what services are managed by the inetd daemon. An ideally secured server should neither have the /etc/inet/inetd.conf file nor run inetd, as the daemons started from /etc/inet/inetd.conf are frequently not needed. To disable a service, the /etc/inet/inetd.conf file is edited and a comment character ("#") is placed in front of the line containing the service definition. Once this is completed, a HUP signal is sent to the inetd process. This causes the inetd daemon to reread its configuration file.

The removal of unnecessary system packages from the system, called minimization, reduces the number of components that have to be patched and made secure. Reducing the number of components reduces the number of possible entry points into the system by an intruder.

It is recommended by Sun that most of the services in /etc/inet/inetd.conf be disabled.
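As an added example (not part of the original guide), the following POSIX sh functions apply the procedure above to a copy of inetd.conf: they comment out the named services, keep a backup beside the file, and count how many active entries remain for a service, so the result can be checked before inetd is sent a HUP with pkill (which Solaris 8 and 9 provide). The function names, the file path argument and the sample entries are constructed for this illustration.

```shell
#!/bin/sh
# Added example, not from the original guide. Comments out inetd.conf entries
# by service name (the first field of each line) and keeps a backup.
# Assumes POSIX sh; run it against a copy of /etc/inet/inetd.conf first.

# disable_inetd_services FILE SERVICE...
# Every active line whose first field is one of SERVICE gets a leading "#".
# Blank lines, existing comments and other services are left unchanged.
disable_inetd_services() {
    conf=$1; shift
    services=$*
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 1; }
    cp -p "$conf" "$conf.bak" || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        svc=${line%%[[:space:]]*}        # first whitespace-delimited field
        hit=0
        case $svc in
            ''|\#*) ;;                   # blank line or already commented out
            *) for want in $services; do
                   [ "$svc" = "$want" ] && hit=1
               done ;;
        esac
        if [ "$hit" -eq 1 ]; then
            printf '#%s\n' "$line"
        else
            printf '%s\n' "$line"
        fi
    done < "$conf.bak" > "$conf"
}

# count_active_entries FILE SERVICE: number of uncommented lines for SERVICE.
# A hardened file should report 0 for every service the guide disables.
count_active_entries() {
    grep -c "^$2[[:space:]]" "$1" || true
}

# reload_inetd: make inetd reread its configuration file.
reload_inetd() {
    pkill -HUP -x inetd
}

# make_sample_conf FILE: writes a constructed sample in inetd.conf format
# (a few entries from the guide; not a real system file).
make_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample in /etc/inet/inetd.conf format
ftp     stream  tcp6    nowait  root    /usr/sbin/in.ftpd       in.ftpd
shell   stream  tcp     nowait  root    /usr/sbin/in.rshd       in.rshd
shell   stream  tcp6    nowait  root    /usr/sbin/in.rshd       in.rshd
login   stream  tcp6    nowait  root    /usr/sbin/in.rlogind    in.rlogind
exec    stream  tcp     nowait  root    /usr/sbin/in.rexecd     in.rexecd
comsat  dgram   udp     wait    root    /usr/sbin/in.comsat     in.comsat
#tftp   dgram   udp6    wait    root    /usr/sbin/in.tftpd      in.tftpd -s tftpboot
telnet  stream  tcp6    nowait  root    /usr/sbin/in.telnetd    in.telnetd
EOF
}

# Stand-alone demonstration on a temporary copy; /etc/inet/inetd.conf is not touched.
demo=$(mktemp) || exit 1
make_sample_conf "$demo"
disable_inetd_services "$demo" shell login exec comsat
echo "active shell entries: before=$(count_active_entries "$demo.bak" shell) after=$(count_active_entries "$demo" shell)"
rm -f "$demo" "$demo.bak"
```

On a real system, run disable_inetd_services against /etc/inet/inetd.conf only after checking the output on a copy, then call reload_inetd.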

Disable DARPA name server

DARPA stands for Defense Advanced Research Projects Agency. The in.tnamed server supports the DARPA Name Server Protocol. The name server operates at the port indicated in the "name" service description, and is invoked by inetd when a request is made to the name server.

The protocol implemented by this program is obsolete. Its use should be phased out in favor of the Internet Domain Name Service (DNS) protocol.

To disable DARPA, the following file is modified:

   /etc/inet/inetd.conf

and the following lines are commented out:

   name dgram udp wait root /usr/sbin/in.tnamed in.tnamed

Disable rsh

Access control and accountability are critical to the security of a system. Access control should involve strong authentication for system access, while accountability information should provide tracking data relative to system changes. The standard r* commands (i.e., rsh, rlogin, and rcp) break both of these requirements. This is because most implementations of r* commands involve “zones of trust.” Within a zone of trust, all systems are trusted and no additional authentication is required. Hence, an intruder need only gain access to one server in order to gain access to all the servers.

rsh creates a remote shell on a host, which allows a user to execute commands on the remote UNIX host. The rsh services use inadequate authentication based on IP address security (which can be spoofed), DNS security (which can be spoofed) and the notion of reserved ports (on UNIX systems only user root can open the client port). The server can trust a whole variety of hosts (with /etc/hosts.equiv); individual users can trust user/host pairs (with ~user/.rhosts). This is a very convenient system with many possible security compromises. For example, all the data sent from the client to the server is transmitted across the network without encryption and may be captured by a network sniffer. For security purposes, rsh should be disabled or replaced with an SSH protocol implementation such as ssh or OpenSSH.

This is part one of disabling the "r" based services (rsh, rlogin, etc.); the authentication part of the service is disabled later, in the subsection Disable PAM configuration for rsh and rlogin.

This is part one of a two-part procedure to disable the rsh service, in which the following files are either locked or modified:

   /etc/pam.conf

   /etc/inet/inetd.conf

   /etc/hosts.equiv

To disable the program part of rsh, the following file is modified:

   /etc/inet/inetd.conf

and the following lines are commented out:

   shell stream tcp   nowait root /usr/sbin/in.rshd  in.rshd

   shell stream tcp6  nowait root /usr/sbin/in.rshd  in.rshd

 

Disable rlogin

rlogin establishes a remote login session from trusted users/sites without a password challenge. The rlogin service uses inadequate authentication based on IP address security (which can be spoofed), DNS security (which can be spoofed) and the notion of reserved ports (on UNIX systems only user root can open the client port). The server can trust a whole variety of hosts (with /etc/hosts.equiv); individual users can trust user/host pairs (with ~user/.rhosts). This is a very convenient system with many possible security compromises. For example, the server issues a Password: challenge if the user does not pass the weak authentication requirements. Unfortunately that password data, as well as all other communications, is not encrypted when transmitted over the network and may be captured by a network sniffer. rlogin runs as root and, for security purposes, it should be disabled or replaced with an SSH protocol implementation such as ssh or OpenSSH.

This is part one of disabling the "r" based services (rsh, rlogin, etc.); the authentication part of the service is disabled later, in the subsection Disable PAM configuration for rsh and rlogin.

This is part one of a two-part procedure to disable the rlogin service, in which the following files are either locked or modified:

   /etc/pam.conf

   /etc/inet/inetd.conf

   /etc/hosts.equiv

To disable the program part of rlogin, the following file is modified:

   /etc/inet/inetd.conf

and the following lines are commented out:

   login stream tcp6 nowait  root /usr/sbin/in.rlogind in.rlogind

 

Disable remote execution

The remote execution server daemon, in.rexecd, is started from /etc/inetd.conf when a connection request is made. This daemon provides remote execution facilities based on user name and password information. Once authenticated, the daemon executes the command passed along with the authentication information. Unfortunately, neither the user name nor the password is encrypted while transmitted over the network. This exposes the in.rexecd daemon to man in the middle, session hijacking, and network sniffing attacks. For this reason, and the fact that it runs as user root, the in.rexecd daemon entries in /etc/inetd.conf should be disabled.

To disable remote execution, the following file is modified:

   /etc/inet/inetd.conf

with the following lines commented out:

   exec  stream  tcp  nowait  root  /usr/sbin/in.rexecd   in.rexecd

   exec  stream  tcp6 nowait  root  /usr/sbin/in.rexecd   in.rexecd

Disable biff server

The biff server gives notification of incoming mail messages. Also known as the comsat service, it listens for reports of incoming mail and notifies users who have asked to be told when mail arrives with a 'you have mail' message on their screen. This notification can be turned off or on for each terminal session. With no arguments, biff displays the current notification status for the terminal. If notification is allowed, the terminal rings the bell and displays the header and the first few lines of each arriving mail message. biff operates asynchronously. For synchronized notices, the MAIL variable of sh or the mail variable of csh is used.

comsat is invoked as needed by inetd, and times out if inactive for a few minutes. It runs as user root and it may be compromised. Therefore, if it is not being used, it should be disabled. Since it is recommended that the smtp server be disabled and all logging be sent to either a file or the console, it is no longer necessary for this service to be turned on.

To disable the biff server, the following file is modified:

   /etc/inet/inetd.conf

with the following line commented out:

   comsat dgram udp  wait  root  /usr/sbin/in.comsat   in.comsat

Disable talk server

talkd is the server used by the talk program. It listens at the UDP port indicated in the “talk” service description. The actual conversation takes place on a TCP connection that is established by negotiation between the two machines involved. It runs as user root and might be compromised. Therefore, if it is not needed it should be disabled.

To disable the talk server, the following file is modified:

   /etc/inet/inetd.conf

with the following line commented out:

   talk dgram  udp   wait  root  /usr/sbin/in.talkd   in.talkd

Disable UUCP (UNIX-UNIX copy) server

uucpd is the Unix-to-Unix system copy server which supports traditional UUCP style networking over the IP network. It copies files named by the source-file arguments to the destination-file argument. It runs as user root and might be compromised. Therefore, if it is not needed then it should be disabled.

To disable the UNIX-UNIX copy server, the following file is modified:

   /etc/inet/inetd.conf

with the following line commented out:

   uucp stream tcp nowait  root /usr/sbin/in.uucpd  in.uucpd

Disable trivial FTP server

The tftp service (Trivial File Transfer Protocol) exists to provide diskless systems with a way to access files on the network. The tftp service is provided primarily for booting. Most sites run this only on machines acting as "boot servers". The tftp (in.tftpd) daemon has no authentication facilities; it only allows clients to access publicly readable files in a restricted directory. Diskless workstations, X terminals, and some printers use this service to load the files needed to boot. The tftp service is often configured in error and hackers use it to pick up password files and other system files that may compromise system integrity. It runs as user root and might be compromised. Therefore, if it is not needed it should be disabled.

The in.tftpd daemon is managed by the inetd server process and is configured in /etc/inetd.conf. By default, it is not enabled in Solaris. If this service is necessary, it should be configured securely.

To disable the trivial FTP server, the following file is modified:

   /etc/inet/inetd.conf

with the following line commented out (the default state of this service is off, i.e. commented out):

   #tftp dgram udp6  wait root /usr/sbin/in.tftpd  in.tftpd -s tftpboot

Disable finger server

The fingerd (in.fingerd) service provides information about local and remote users on the system. Historically, it has been used to compromise systems and it is a good tool for hackers to find out about system users. Many sites disable the service. It runs as user root and might be compromised. Therefore, if it is not needed, it should be disabled.

To disable the finger server, the following file is modified:

   /etc/inet/inetd.conf

with the following line commented out:

   finger  stream  tcp6    nowait  nobody  /usr/sbin/in.fingerd    in.fingerd

Disable systat

systat allows anyone on the network to learn the process status of the system, i.e. what jobs are currently running, by connecting to the port and receiving the output of ps -ef. The ps command prints information about active processes; with -e it reports every process and with -f it gives a full listing (user, process ID, parent process, start time and command line). See the ps(1) man page for the remaining options.

systat should be disabled because it runs as root and gives a remote, unauthenticated user a complete picture of what the system is running. Therefore it may be compromised and should be disabled if it is not needed.

To disable systat, the following file is modified:

/etc/inet/inetd.conf

with the following line commented out (the default state of this service is off, i.e. commented out):

   #systat  stream  tcp     nowait  root    /usr/bin/ps     ps -ef

Disable netstat

netstat allows anyone on the network to learn the network status of the system, i.e. which peers are currently connected to it, by connecting to the port and receiving the output of netstat -f inet. The netstat command displays the contents of various network-related data structures in a format chosen by its options: the active sockets for each protocol, other network data structures, the state of the interfaces, the routing table, the multicast routing table, or the state of DHCP on one or all interfaces. With no arguments, netstat prints the connected sockets for PF_INET, PF_INET6 and PF_UNIX unless the -f option restricts the address family. See the netstat(1M) man page for the options.

The netstat service hands out connection information that can be used to map the network and to target attacks against the system and its peers. It also runs as root and may be compromised. Therefore, if it is not needed, it should be disabled.

To disable netstat, the following file is modified:

   /etc/inet/inetd.conf

with the following line commented out (the default state of this service is off, i.e. commented out):

   #netstat  stream  tcp nowait  root /usr/bin/netstat  netstat -f inet

Disable legacy time services

The time service (not to be confused with the Network Time Protocol) prints out the current system time and date as a 32-bit binary value. NTP (the xntpd daemon) has been included with the Solaris distribution since Solaris 2.6 and offers security and functionality improvements over rdate and time; whenever possible, NTP should be used instead of the time service. The time service is very old, it predates NTP, and it is seldom used. It is an internal, built-in function of inetd, which runs as user root and might be compromised. Therefore, if it is not needed, it should be disabled.

To disable the legacy time services, the following file is modified:

   /etc/inet/inetd.conf

with the following line commented out :

   time    stream  tcp6    nowait  root    internal

   time    dgram   udp6    wait    root    internal

Disable echo

The echo service (not to be confused with the ICMP echo used by ping, nor with the echo(1) shell utility that writes its arguments to standard output) echoes the incoming data stream back to whoever sent it.

The echo service is very old, it predates ping, and it is seldom used any more. It can be used in a denial of service attack to gobble up sockets, and the UDP variant can be bounced against another host's echo or chargen port to create an endless packet loop between the two. It is an internal, built-in function of inetd, which runs as user root and might be compromised. Therefore, it should be disabled.

To disable echo, the following file is modified:

   /etc/inet/inetd.conf

with the following line commented out :

   echo    stream  tcp6    nowait  root    internal

   echo    dgram   udp6    wait    root    internal

Disable discard

The discard service discards the incoming data stream. It is very old and was most probably used for diagnostics, a purpose for which it is not used any more. It could be used in a denial of service attack to gobble up sockets. It is an internal, built-in function of inetd, which runs as user root and might be compromised. Therefore, it should be disabled.

To disable discard, the following file is modified:

   /etc/inet/inetd.conf

with the following line commented out :

   discard stream  tcp6    nowait  root    internal

   discard dgram   udp6    wait    root    internal

Disable daytime

The daytime service (not to be confused with the Network Time Protocol) displays the system time as a human-readable string. It is very old, it predates NTP, and it is seldom used. It is an internal, built-in function of inetd, which runs as user root and may be compromised. Therefore, if it is not needed, it should be disabled.

To disable daytime, the following file is modified:

   /etc/inet/inetd.conf

with the following line commented out :

   daytime stream  tcp6    nowait  root    internal

   daytime dgram   udp6    wait    root    internal

Disable chargen

chargen generates a continuous stream of characters, which was useful for testing TCP services back in 1982. Today it is not used. However, it could be used in a denial of service attack to gobble up sockets and bandwidth. It is an internal, built-in function of inetd, which runs as user root and may be compromised. Therefore, it should be disabled.

To disable chargen, the following file is modified:

   /etc/inet/inetd.conf

with the following line commented out :

   chargen stream  tcp6    nowait  root    internal

   chargen dgram   udp6    wait    root    internal

Disable Solstice system and network administration class agent server

sadmind, the distributed system administration daemon, is used by the Solstice AdminSuite applications to perform system administration operations remotely. The sadmind daemon is started automatically by the inetd daemon whenever a request to invoke an operation is received. The sadmind process continues to run for 15 minutes after the last request is completed, unless a different idle time is specified. The sadmind daemon may also be started independently from the command line, for example at system boot time; in this case the idle-time specification has no effect and sadmind continues to run even if there are no active requests. The sadmind process can be configured to write tracing information into a log file.

sadmind typically does not make use of the stronger authentication mechanisms available to it but rather defaults to weak authentication (AUTH_SYS, in which the client simply asserts its own user ID). It also runs as user root and may be compromised: this ranks as one of the SANS Top Ten security threats of 2002. Network-based attacks against sadmind pose a significant threat to the security of a server, and therefore it should be disabled if it is not being used.

Sun states that on almost all servers, the RPC services in /etc/inet/inetd.conf can be removed. Many applications that use RPC services add additional entries to the /etc/inet/inetd.conf in addition to using one of the RPC based daemons. The RPC services in /etc/inet/inetd.conf should be removed unless specifically required.

To disable the Solstice system and network administration class agent server, the following file is modified:

   /etc/inet/inetd.conf

with the following line commented out :

   100232/10  tli  rpc/udp wait root /usr/sbin/sadmind  sadmind

Disable Remote Disk Quota Server

rquotad is an RPC server which returns quotas for a user of a local file system that is mounted by a remote machine over NFS. The results are used to display user quotas for remote file systems. The rquotad daemon is normally invoked by the inetd process. It runs as user root and might be compromised. Therefore, if it is not being used, it should be disabled.

To disable the remote disk quota server, the following file is modified:

   /etc/inet/inetd.conf

with the following line commented out :

   rquotad/1 tli rpc/datagram_v wait root /usr/lib/nfs/rquotad rquotad

Disable rusers service

rpc.rusersd, the network username server, is a server that returns a list of users on the host. The rpc.rusersd daemon may be started by the inetd process or by the listen process. rpc.rusersd gives out information about your system. It's not an essential service and it runs as user root and may be compromised. Therefore, if it is not being used, it should be disabled.

To disable the rusers server, the following file is modified:

   /etc/inet/inetd.conf

with the following line commented out :

   rusersd/2-3  tli  rpc/datagram_v,circuit_v  wait  root  /usr/lib/netsvc/rusers/rpc.rusersd  rpc.rusersd

Disable spray service

rpc.sprayd , the spray server, receives and records the packets sent by spray, a ping-like tool. The service provided by rpc.sprayd is not useful as a networking benchmark as it uses unreliable connectionless transports, udp for example. It can report a large number of packets dropped when the drops were caused by the program sending packets faster than they can be buffered locally before the packets are transmitted to the network medium.

The rpc.sprayd daemon may be started by the inetd process or the listen process. It runs as user root and may be compromised. Therefore, if it is not being used, it should be disabled.

To disable spray service, the following file is modified:

   /etc/inet/inetd.conf

with the following line commented out :

   sprayd/1  tli  rpc/datagram_v  wait  root  /usr/lib/netsvc/spray/rpc.sprayd  rpc.sprayd

Disable wall service

rpc.rwalld is a network server that handles rwall requests (write to all users on remote systems). It is implemented by calling wall on all the appropriate network machines.

The rpc.rwalld daemon may be started by the inetd process or the listen process. It is not considered an essential tool. It runs as user root and may be compromised. Therefore, if it is not being used it should be disabled.

To disable wall service, the following file is modified:

   /etc/inet/inetd.conf

with the following line commented out :

   walld/1  tli  rpc/datagram_v  wait  root  /usr/lib/netsvc/rwall/rpc.rwalld  rpc.rwalld

Disable kernel statistics server

rpc.rstatd, an RPC service, is a server which returns performance statistics of your system obtained from the kernel. In general this service is not used, since it impacts overall server performance, and Sun recommends disabling it. It runs as user root and may be compromised. Therefore, if it is not being used, it should be disabled.

To disable the kernel statistics server, the following file is modified:

   /etc/inet/inetd.conf

with the following line commented out :

   rstatd/2-4  tli  rpc/datagram_v  wait  root  /usr/lib/netsvc/rstat/rpc.rstatd  rpc.rstatd

Disable RPC based remote execution server

rpc.rexd is the Sun RPC-based remote execution server used to remotely execute programs and commands on a target system. rpc.rexd does not make use of the stronger authentication mechanisms available to it, but rather it defaults to weak authentication. Network-based attacks against these services pose a significant threat to the security of a server.

The rpc.rexd daemon is started by the inetd process whenever a remote execution request is made. It runs as user root and may be compromised. Therefore, if it is not being used, it should be disabled.

To disable the RPC based remote execution server, the following file is modified:

   /etc/inet/inetd.conf

with the following line commented out (the default state of this service is off, i.e. commented out):

   #rexd/1  tli  rpc/tcp wait root /usr/sbin/rpc.rexd  rpc.rexd

Disable calendar server

rpc.cmsd is the calendar manager daemon, which allows a user to update his calendar and, since it runs as root, to look at other users' calendars. This service is part of CDE (Common Desktop Environment), in which the user can set up calendar entries in the GUI. Since it runs as root, it is a security exposure which may be compromised. Therefore, if it is not being used, it should be disabled.

The following file is modified:

   /etc/inet/inetd.conf

with the following line commented out:

   100068/2-5 dgram rpc/udp wait root /usr/dt/bin/rpc.cmsd rpc.cmsd

Disable Sun tool talk server

The Sun ToolTalk server (rpc.ttdbserverd) is an RPC-based ToolTalk database server that is part of CDE. It serves four purposes:
1. Mapping a spec to its associated file and a file to its associated specs.
2. Mapping a spec to its properties.
3. Mapping a file to a list of sessions with clients having patterns registered in the scope of that file.
4. Answering netfile queries; see tt_file_netfile and tt_host_file_netfile.

In general, it should be disabled. The following file is modified :

   /etc/inet/inetd.conf

with the following line commented out:

   100083/1  tli  rpc/tcp  wait  root  /usr/dt/bin/rpc.ttdbserverd  rpc.ttdbserverd

Disable UFS-aware server

ufsd is an RPC-managed daemon and is disabled by default. The following file is modified:

   /etc/inet/inetd.conf

to ensure that the line below stays commented out:

   #ufsd/1  tli  rpc/*  wait  root  /usr/lib/fs/ufs/ufsd  ufsd -p

Disable KCMS server

The kcms_server provides remote access to local KCMS profiles which are used by Kodak Color Management System for advanced graphics. It runs as user root and may be compromised. Therefore, if it is not being used, then it should be disabled.

The following file is modified :

   /etc/inet/inetd.conf

with the line below commented out:

   100221/1  tli  rpc/tcp  wait  root  /usr/openwin/bin/kcms_server  kcms_server

Disable Sun font server

fs is the X11 font server. If your system does not supply X11 fonts to anyone then this service is not needed. It is started by inetd (as user nobody in the default configuration) and may be compromised. In most cases an OAM server should never be a font server. Therefore, it

The following file will be modified:

   /etc/inet/inetd.conf

with the line below commented out:

   fs stream  tcp wait nobody /usr/openwin/lib/fs.auto fs

Disable cachefs daemon

The cachefsd daemon layers local file caching over NFS mounted disks, similar to a smart auto-mounter. It increases NFS performance, especially on file systems that are essentially read-only (like /usr). However, it runs as user root and may be compromised. Therefore, if it is not being used, it should be disabled.

This is the last part of disabling cachefs; the following system files are affected:

   /etc/rcS.d/S35cacheos.sh
   /etc/rcS.d/S41cachefs.root
   /etc/rc2.d/S73cachefs.daemon
   /etc/rc2.d/S93cacheos.finish
   /etc/inet/inetd.conf

The following file will be modified:

   /etc/inet/inetd.conf

with the line below commented out:

   100235/1  tli  rpc/tcp  wait  root  /usr/lib/fs/cachefs/cachefsd  cachefsd

Disable kerberos V5 warning server

The Kerberos system authenticates individual users in a network environment. After a user is authenticated to Kerberos, he can use the Kerberos authentication option of network services such as NFS. In addition, in some environments you can use network utilities such as rlogin, rcp and rsh without having to present passwords to remote hosts and without having to bother with .rhosts files. For Kerberos to be used effectively and correctly, an entire infrastructure of Kerberos components must be deployed. This infrastructure adds administrative overhead that may not be desired.

ktkt_warnd is the Kerberos ticket expiration warning daemon, an RPC service that warns logged-in users when their credentials are about to expire. Unless the server participates in a Kerberos realm, it should be disabled because it runs as root and may be a security exposure which might be compromised.

The following file will be modified:

   /etc/inet/inetd.conf

with the line below commented out:

   100134/1  tli  rpc/ticotsord  wait  root  /usr/lib/krb5/ktkt_warnd  ktkt_warnd

Disable BSD print listener

Unless it is running on a print server, this service should be disabled. The following file will be modified:

   /etc/inet/inetd.conf

with the line below commented out:

   printer  stream  tcp6 nowait  root /usr/lib/print/in.lpd   in.lpd

Disable dtterm subprocess daemon

This service is part of the CDE package. The CDE sub-process daemon /usr/dt/bin/dtspcd contains an insufficient check on client credentials, which can lead to a root compromise because the daemon runs as root. It should be disabled.

The following file will be modified:

   /etc/inet/inetd.conf

with the line below commented out:

   dtspc stream tcp nowait root /usr/dt/bin/dtspcd /usr/dt/bin/dtspcd

Disable OCF (smart card) daemon

Unless the server has a smartcard reader, this service should be disabled (it is an RPC service). Some of the newer Sun Blade workstations come with a smartcard reader, but the hardware documentation states that the current OS does not have a driver for it. In short, a Sun enterprise class server should not need this service.

The following file will be modified:

   /etc/inet/inetd.conf

with the line below commented out:

   100150/1 tli rpc/ticotsord wait  root  /usr/sbin/ocfserv  ocfserv
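The sections above each comment out one inetd.conf entry by hand. The script below is added here as a worked example; it is not part of the original guide or of Solaris. It disables the whole list in one pass, leaves lines that are already commented alone so it can be re-run safely, and then lists what inetd would still start. The service list is taken from the entries quoted above; the sample inetd.conf it writes is constructed for the example, and the function names and temporary-file path are this example's own.

```shell
#!/bin/sh
# Added example (not from the original guide): comment out a list of inetd
# services in a copy of inetd.conf and report what is still enabled.
# A line is matched on its first field, which is either a service name
# (finger) or an RPC program/version (100232/10), exactly as it appears in
# the entries quoted above.  Already-commented lines are left alone, so the
# function can be run repeatedly without producing "##" lines.

# Entries this guide disables on a server that needs none of them.
DISABLE_LIST="uucp tftp finger systat netstat time echo discard daytime chargen \
100232/10 rquotad/1 rusersd/2-3 sprayd/1 walld/1 rstatd/2-4 rexd/1 100068/2-5 \
100083/1 ufsd/1 100221/1 fs 100235/1 100134/1 printer dtspc 100150/1"

# disable_inetd_services FILE NAME...
#   Prefix every active line whose first field is one of NAME... with '#'.
#   Edits FILE in place through a temporary file (sed -i is not portable).
disable_inetd_services() {
    file=$1
    shift
    tmp="$file.tmp.$$"
    awk -v names="$*" '
        BEGIN { n = split(names, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        /^[ \t]*#/ { print; next }                    # comment or already disabled
        NF > 0 && ($1 in want) { print "#" $0; next } # active and unwanted
        { print }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# active_inetd_services FILE
#   Print the first field of every line that inetd would still honour.
active_inetd_services() {
    awk '/^[ \t]*#/ { next } NF > 0 { print $1 }' "$1"
}

# make_sample_inetd_conf FILE
#   Write a constructed sample (not a real system file) for trying the above.
make_sample_inetd_conf() {
    cat > "$1" <<'EOF'
# constructed sample of /etc/inet/inetd.conf
ftp       stream  tcp6    nowait  root    /usr/sbin/in.ftpd       in.ftpd -a
telnet    stream  tcp6    nowait  root    /usr/sbin/in.telnetd    in.telnetd
finger    stream  tcp6    nowait  nobody  /usr/sbin/in.fingerd    in.fingerd
#tftp     dgram   udp6    wait    root    /usr/sbin/in.tftpd      in.tftpd -s /tftpboot
echo      stream  tcp6    nowait  root    internal
100232/10 tli     rpc/udp wait    root    /usr/sbin/sadmind       sadmind
EOF
}

# Use on a real system (as root, after taking a backup):
#   cp /etc/inet/inetd.conf /etc/inet/inetd.conf.orig
#   disable_inetd_services /etc/inet/inetd.conf $DISABLE_LIST
#   active_inetd_services /etc/inet/inetd.conf    # review what is left
#   pkill -HUP inetd                              # make inetd re-read the file
```

After the HUP, confirm from another host that the ports are closed (for example with a port scan of the server) rather than trusting the file alone: inetd only drops a service when it successfully re-reads its configuration.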

Reduce inetsvc Functionalities

The following section illustrates the steps to minimize the functions provided by the inetsvc script in order to reduce the risks associated with the unneeded functions started by inetsvc.

Alternatively, you may install a replacement /etc/init.d/inetsvc file like the example in Appendix A and be sure to re-create the hard link in /etc/rc2.d:

ln /etc/init.d/inetsvc /etc/rc2.d/S72inetsvc

Disable DHCP support

OAM servers are normally configured with static IPs and hostnames, therefore, the DHCP support should be disabled as recommended by Sun. Please note that this DHCP support has nothing to do with DHCP servers used in the OAM network.

The following files will be modified:

   /etc/init.d/inetsvc

   /etc/rc2.d/S72inetsvc

with these blocks of script code removed:

   if [ "$_INIT_NET_STRATEGY" = "dhcp" ]; then
       dnsdomain=`/sbin/dhcpinfo DNSdmain`
   else
       dnsdomain=
   fi

   if [ -n "$dnsdomain" ]; then
       dnsservers=`/sbin/dhcpinfo DNSserv`
       if [ -n "$dnsservers" ]; then
           if [ -f /etc/resolv.conf ]; then
               /usr/bin/rm -f /tmp/resolv.conf.$$
               /usr/bin/sed -e '/^domain/d' -e '/^nameserver/d' \
                   /etc/resolv.conf >/tmp/resolv.conf.$$
           fi
           echo "domain $dnsdomain" >>/tmp/resolv.conf.$$
           for name in $dnsservers; do
               echo nameserver $name >>/tmp/resolv.conf.$$
           done
       else
           if [ -f /etc/resolv.conf ]; then
               /usr/bin/rm -f /tmp/resolv.conf.$$
               /usr/bin/sed -e '/^domain/d' /etc/resolv.conf \
                   >/tmp/resolv.conf.$$
               echo "domain $dnsdomain" >>/tmp/resolv.conf.$$
           fi
       fi
       #
       # Warning: The umask is 000 during boot, which requires explicit
       # setting of file permission modes when we create files.
       #
       /usr/bin/mv /tmp/resolv.conf.$$ /etc/resolv.conf
       /usr/bin/chmod 644 /etc/resolv.conf

       # Add dns to the nsswitch file, if it isn't already there.
       /usr/bin/rm -f /tmp/nsswitch.conf.$$
       /usr/bin/awk ' $1 ~ /^hosts:/ {
           n = split($0, a);
           newl = a[1];
           if ($0 !~ /dns/) {
               printf("#%s # Commented out by DHCP\n", $0);
               updated = 0;
               for (i = 2; i <= n; i++) {
                   if (updated == 0 && index(a[i], "[") == 1) {
                       newl = newl" dns";
                       updated++;
                   }
                   newl = newl" "a[i];
               }
               if (updated == 0) {
                   newl = newl" dns";
                   updated++;
               }
               if (updated != 0)
                   newl = newl" # Added by DHCP";
               else
                   newl = $0;
               printf("%s\n", newl);
           } else
               printf("%s\n", $0);
       } $1 !~ /^hosts:/ { printf("%s\n", $0); }' /etc/nsswitch.conf \
           >/tmp/nsswitch.conf.$$

       /usr/bin/mv /tmp/nsswitch.conf.$$ /etc/nsswitch.conf
       /usr/bin/chmod 644 /etc/nsswitch.conf
   elif grep '# Added by DHCP$' /etc/nsswitch.conf >/dev/null 2>&1; then

       # If we added DNS to a hosts line in the nsswitch, remove it.
       /usr/bin/rm -f /tmp/nsswitch.conf.$$
       /usr/bin/sed \
           -e '/# Added by DHCP$/d' \
           -e 's/^\(#hosts:\)\(.*[^#]\)\(#.*\)$/hosts: \2/' \
           /etc/nsswitch.conf >/tmp/nsswitch.conf.$$
       /usr/bin/mv /tmp/nsswitch.conf.$$ /etc/nsswitch.conf
       /usr/bin/chmod 644 /etc/nsswitch.conf
   fi

   if [ "$_INIT_NET_STRATEGY" = "dhcp" ]; then
       #
       # if DHCP doesn't return a hostname, use "unknown" so
       # client can resolve IP address into a local hostname.
       #
       hostname=`/sbin/dhcpinfo Hostname`
       if [ -z "$hostname" ]; then
           hostname="unknown"
       fi
       ipaddr=`/sbin/dhcpinfo Yiaddr`
       /usr/bin/rm -f /tmp/hosts.$$ /tmp/hosts_clear.$$
       # Delete any old lines added by dhcp.
       /usr/bin/sed -e '/# Added by DHCP$/d' /etc/inet/hosts \
           > /tmp/hosts_clear.$$
       shift $#    # Clear $0-9 first in case grep fails
       set -- `/usr/bin/grep "^[ 	]*$ipaddr[ 	]" \
           /tmp/hosts_clear.$$ 2>/dev/null`
       if [ $# -gt 0 ]; then
           #
           # IP address is already in the hosts file. Ensure the
           # associated hostname is the same as the Hostname
           # property returned by the DHCP server.
           #
           /usr/bin/sed -e "/^[ 	]*${ipaddr}[ 	]/s/${2}/${hostname}/" \
               /tmp/hosts_clear.$$ >/tmp/hosts.$$
       else
           #
           # IP address is missing from the hosts file. Now check
           # to see if the hostname is present with a different IP.
           #
           shift $#    # Clear $0-9 in case grep fails
           set -- `/usr/bin/grep -s -v '^#' /tmp/hosts_clear.$$ | \
               /usr/bin/egrep "[ 	]${hostname}([ 	]|$)"`
           if [ $# -gt 0 ]; then
               #
               # Hostname is present in the hosts file. Rewrite this
               # line to have the new IP address and the DHCP comment.
               #
               /usr/bin/sed -e "/^[ 	]*${1}[ 	]/d" \
                   /tmp/hosts_clear.$$ >/tmp/hosts.$$
               shift    # Shift off $1 (the old IP)
               echo "$ipaddr $*\c" | /usr/bin/tr ' ' '\t' \
                   >>/tmp/hosts.$$
               echo "\t# Added by DHCP" >>/tmp/hosts.$$
           else
               #
               # Hostname is not present in the hosts file.
               # Add a new line for the host at the end of
               # the new hosts file.
               #
               /usr/bin/mv /tmp/hosts_clear.$$ /tmp/hosts.$$
               echo "${ipaddr}\t${hostname}\t# Added by DHCP" \
                   >>/tmp/hosts.$$
           fi
       fi

       # Update loopback transport hosts files
       for inet in /etc/net/*/hosts; do
           echo "# RPC hosts" > $inet
           echo "$hostname\t$hostname" >> $inet
           /usr/bin/chmod 644 $inet
       done

       /usr/bin/rm -f /tmp/hosts_clear.$$
       /usr/bin/mv /tmp/hosts.$$ /etc/inet/hosts
       /usr/bin/chmod 644 /etc/inet/hosts
   fi

In the grep, sed and egrep patterns above, each bracket expression written as [ ] contains a space followed by a tab character. Remove both if blocks in their entirety (from the first if down to its matching fi); leaving half a block behind will stop inetsvc, and therefore inetd, from starting at boot, so test the edited script with sh -n before rebooting.

Disable multi-cast support

Multicast is a method used to send network data simultaneously to many systems with only a single address. Unless the system must participate in a multicast application, Sun recommends disabling the code that enables the multicast route assignment in /etc/init.d/inetsvc and /etc/rc2.d/S72inetsvc.

The following files will be modified:

   /etc/init.d/inetsvc

   /etc/rc2.d/S72inetsvc

 

with the following block of script code commented out:

   #
   # Add a static route for multicast packets out our default interface.
   # The default interface is the interface that corresponds to the node name.
   # Run in background subshell to avoid waiting for name service.
   #
   (
       if [ "$_INIT_NET_STRATEGY" = "dhcp" ]; then
           mcastif=`/sbin/dhcpinfo Yiaddr` || mcastif=$_INIT_UTS_NODENAME
       else
           mcastif=$_INIT_UTS_NODENAME
       fi

       echo "Setting default IPv4 interface for multicast:" \
           "add net 224.0/4: gateway $mcastif"

       /usr/sbin/route -n add -interface "224.0/4" "$mcastif" >/dev/null
   )&

Add inetd logging to inetsvc

Sun recommends that for restricted-access servers, all connections to services managed by inetd be logged. This can be done by adding an additional option to the startup of inetd in /etc/rc2.d/S72inetsvc. With the -t option, inetd traces incoming connections to its TCP services, logging the client's IP address and port together with the service name; the entries go through the syslog service (facility daemon, level notice). Connections to UDP services are not traced.

The following files will be modified:

   /etc/init.d/inetsvc

   /etc/rc2.d/S72inetsvc

 

with the following line replacing the original line (the extra -t switch enables connection tracing; -s is the stand-alone flag that is already present in the original line):

   /usr/sbin/inetd -s -t &

 

Clean Up password File

This activity removes all the well-known system accounts that are not used. This minimizes the chance of security breaches. The following account management files are modified:

/etc/passwd
/etc/shadow

The following default system accounts, which were created by Solaris at installation, can be removed using the script given below (back up /etc/passwd and /etc/shadow first, in case something that is needed is removed):

   uucp
   nuucp
   listen
   lp
   nobody4
   smmsp (new in Solaris 9)

   # use this script to remove unnecessary accounts
   for user in uucp nuucp listen lp nobody4 smmsp
   do
      /usr/sbin/passmgmt -d $user
   done

passmgmt -d reports an error for an account that does not exist (smmsp on Solaris 8), which is harmless. Keep lp if the system is a print server, and keep smmsp if the Solaris 9 sendmail client queue is used for local mail submission.

Edit the password file and make /dev/null the shell for all remaining system accounts (adm, daemon, bin, etc.), i.e. for all but root and the users authorized by the customer network security policy. Shadow passwords are supported in Solaris 8 and 9 and are used by default.

All unnecessary services and users should now have been disabled or removed. The easy way to lock the remaining administrative accounts is to put "*LK*" in the password field of their /etc/shadow entries.
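The two edits just described (a /dev/null shell for system accounts, "*LK*" in the shadow password field) are easy to get wrong by hand on a dozen accounts, and an account with an empty password field is worse than either. The script below is an added example, not part of the original guide: it applies both edits to copies of the files and then audits them, reporting accounts that still have no password or a live shell. The passwd and shadow contents are constructed for the example, and the function names and the KEEP_SHELL list are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original guide: lock or shell-less the
# remaining system accounts and then audit the result.  Works on copies of
# /etc/passwd and /etc/shadow so it can be tried safely; point it at the
# real files only after backing them up.  The "*LK*" password field and
# the /dev/null shell are the conventions the guide describes above.

# Accounts that keep their real shell (assumption: adjust per site policy).
KEEP_SHELL="root"

# lock_accounts SHADOWFILE NAME...
#   Set the password field of each listed account to *LK*.
lock_accounts() {
    file=$1
    shift
    tmp="$file.tmp.$$"
    awk -F: -v OFS=: -v names="$*" '
        BEGIN { n = split(names, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        ($1 in want) { $2 = "*LK*" }
        { print }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# null_shells PASSWDFILE NAME...
#   Give every account NOT listed in NAME... the shell /dev/null.
null_shells() {
    file=$1
    shift
    tmp="$file.tmp.$$"
    awk -F: -v OFS=: -v names="$*" '
        BEGIN { n = split(names, a, " "); for (i = 1; i <= n; i++) keep[a[i]] = 1 }
        !($1 in keep) { $7 = "/dev/null" }
        { print }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# audit_accounts PASSWDFILE SHADOWFILE
#   Print "user:reason" for each account that is still a risk: an empty
#   password field (no password at all), or a shell other than /dev/null
#   on a non-root account (an empty shell field means the default shell).
audit_accounts() {
    awk -F: '
        FNR == NR { shell[$1] = $7; next }            # first file: passwd
        $2 == "" { print $1 ":empty-password" }       # remaining: shadow
        $1 != "root" && ($1 in shell) && shell[$1] != "/dev/null" {
            print $1 ":live-shell"
        }
    ' "$1" "$2"
}

# make_sample_files PASSWDFILE SHADOWFILE -- constructed sample data
make_sample_files() {
    cat > "$1" <<'EOF'
root:x:0:1:Super-User:/:/sbin/sh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
adm:x:4:4:Admin:/var/adm:
lp:x:71:8:Line Printer Admin:/usr/spool/lp:
nobody:x:60001:60001:Nobody:/:
oper:x:1001:10:Operator:/export/home/oper:/bin/ksh
EOF
    cat > "$2" <<'EOF'
root:abCdEfGhIjKlM:6445::::::
daemon:NP:6445::::::
bin:NP:6445::::::
adm:NP:6445::::::
lp:NP:6445::::::
nobody:NP:6445::::::
oper::6445::::::
EOF
}
```

On a live system, passwd -l user is the supported way to write "*LK*" into /etc/shadow and is preferable to editing the file directly; run audit_accounts /etc/passwd /etc/shadow afterwards, and expect it to print nothing.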

Step 2: Setting Up Time Synchronization using NTP

System timekeeping can be done with either xntpd (daemon) or ntpdate (client). While the daemon provides more network functionality, it also presents vulnerabilities, one of which is the xntpd buffer overflow. Unlike xntpd, which listens on UDP port 123 constantly, ntpdate is a client that is executed only when needed to get the time of day from a pre-defined NTP server.

Use ntpdate to set the system clock from the NTP server on the core network. Add the following to a local startup script (such as /etc/rc.local, if your site has one, or an /etc/rc2.d/S99local script) to set the time of day at boot time:

   /usr/sbin/ntpdate -s NTP_server_addr

The -s switch logs ntpdate actions via the syslog facility rather than sending them to standard output. For more precise timekeeping this command can also be run from a cron job every hour on the hour:

   0 * * * * /usr/sbin/ntpdate -s NTP_server_addr >> /var/log/ntpdate.log

Note that ntpdate steps the clock when the offset is large, which can put timestamps in the logs out of order; the -B option forces it to slew the clock instead.

If xntpd must be used, please make sure it is the latest patched version that is free of the known vulnerabilities. The latest xntpd vulnerability announced by CERT affects Solaris 8.

Step 3: Configuring Additional Logging

Syslogd provides both local and remote logging. It is able to send messages to a remote host running syslogd. To forward messages to another host, prepend the hostname with the at sign (“@”).

For maximum security of the logging information, it is recommended that logs be sent both to the local files and to a dedicated logging host. Make sure that the logging server is located within the same protected management network, because syslogd has no access control (it accepts any UDP datagram sent to port 514) and would be subject to denial of service attacks if exposed to a public network such as the Internet.

Do the following to expand on the default system logging and make sure all authentication errors are logged.

Add the following to /etc/syslog.conf to log authentication messages to a local file and everything, including the authentication messages, to the remote log server. The selector and the action must be separated by tabs, not spaces; syslogd does not parse lines that use spaces:

   auth.info	/var/log/authlog
   *.*	@remote_logging_host

Create /var/log/authlog, readable by root only, since syslogd does not create it:

   touch /var/log/authlog
   chown root /var/log/authlog
   chmod 600 /var/log/authlog

Then make syslogd re-read its configuration:

   pkill -HUP syslogd

Loginlog is a log of all failed login attempts. The loginlog is not enabled by default. It can be enabled by creating the loginlog file in /var/adm with read/write permission for the owner only. The default setting is that after 5 failed login attempts, all the attempts are logged in the loginlog file. If you have followed the instructions earlier in this document, all failed login attempts should be logged in the loginlog file.

Inetd logs can be enabled by launching inetd with the –t option. If inetd logs are enabled, a log entry is created every time an inetd service is requested, then you also need to log daemon.notice in order to get the connection logs from inetd.  If you have followed the instructions earlier in this document, inetd logging should be enabled.

Create a log rotation script to rotate these logs. A sample can be found in the /usr/lib/newsyslog file and in Appendix B of this document. Modify the root crontab file to run this every day.

There are several other options beyond these sorts of standard logging facilities. System accounting keeps track of system usage information (CPU load, memory usage, disk usage, etc.)– by defining a baseline for your system's performance, you can detect unexpected or illicit usage by detecting departures from the baseline.

Step 4: Fixing File Permissions

Solaris versions prior to Solaris 9 ship with file system permissions that need to be adjusted for security reasons. With the release of Solaris 9, it is reported that this adjustment is no longer necessary for the core Solaris OE packages. In Solaris 8 and older versions, many files and directories have the group write bit set. In most instances this permission is not necessary and should be switched off.

Although file permission changes are not required for Solaris 9, they may be required of applications installed on top of the operating system. Consequently, you should monitor permissions on all Solaris versions.

File permissions can be adjusted using a tool called fix-modes. It can be downloaded from: http://www.sun.com/blueprints/tools or ftp://ftp.wins.uva.nl/pub/solaris/fix-modes.tar.gz

Please note that this tool is not supported by Sun. The fix-modes version available from sun.com is precompiled while the version from uva.nl is not. If compilation is required, it must be performed on a Solaris system with a C compiler. Once compiled, install the fix-modes files and execute it to correct file system permissions. It is reported that this tool has been used in production environments with no problems.

Be careful when installing patches and new packages. These may set permissions back to their original state. Execute the fix-modes tool after installing any packages or patches.

 

Step 5: Other Miscellaneous Actions

Restrict crontab and at Jobs

The cron system executes commands at a specified future time. Submission of jobs to cron is handled by the crontab command; the at command does a similar job for one-off jobs. Access to these commands should be restricted. The access control files are stored in the /usr/lib/cron directory: cron.allow and cron.deny manage access to crontab, and at.allow and at.deny manage access to at.

If the allow file exists, only the accounts listed in it may use the command; an account that is not listed is refused even if it does not appear in the deny file. If the allow file does not exist, the deny file is checked: an account listed there is refused and any other account is permitted. If neither the allow nor the deny file exists, only the root account can use the command. Solaris ships cron.deny and at.deny files containing some system accounts.

Please make sure that the /usr partition is mounted as read/write before carrying out this step. The following are the default crontab jobs created by the Solaris 8 and 9 installation process:

   adm
   lp
   root
   sys
   uucp

All but root's can be removed using these commands:

   cd /var/spool/cron/crontabs
   rm adm lp sys uucp

Keep the sys and adm crontabs if you intend to use system accounting (see Step 3), since their entries drive the sa1/sa2 and ckpacct/runacct collectors.

The following default users are listed in both the cron.deny and at.deny files:

   bin
   daemon
   smtp
   nuucp
   listen
   nobody
   noaccess

which means all other users are allowed to run the crontab and at commands. If you don't need other users to run crontab and at jobs on the system, consider removing both deny files, which will then allow only the root user to run those commands.
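The allow/deny decision above is easy to misread, and the consequence of misreading it is a user who can schedule jobs you did not expect. The function below is an added example, not part of the original guide or of Solaris: it encodes the rule exactly as crontab(1) states it and lists which accounts in a passwd file may submit jobs, so you can see the effect of removing the deny file or creating an allow file before you touch /usr/lib/cron. The passwd and deny contents are constructed for the example (the deny list is the stock one quoted above), and the function names and directory are this example's own.

```shell
#!/bin/sh
# Added example, not from the original guide: the crontab/at access
# decision as a function, run here against constructed copies of the
# access-control files.  Rules, per crontab(1): if the allow file exists,
# only users listed in it may use the command; otherwise, if the deny file
# exists, everyone except the users listed in it may; if neither exists,
# only root may.  On Solaris 8/9 use /usr/xpg4/bin/grep, which understands
# the -q and -x options used below.

# cron_access USER ALLOWFILE DENYFILE
#   Return 0 if USER may use the command, 1 if not.
cron_access() {
    user=$1 allow=$2 deny=$3
    if [ -f "$allow" ]; then
        grep -qxF "$user" "$allow"          # listed in allow, or refused
    elif [ -f "$deny" ]; then
        ! grep -qxF "$user" "$deny"         # refused only if listed in deny
    else
        [ "$user" = "root" ]                # no files at all: root only
    fi
}

# who_may_use PASSWDFILE ALLOWFILE DENYFILE
#   List, one per line, every account in PASSWDFILE that cron_access admits.
who_may_use() {
    cut -d: -f1 "$1" | while read -r u; do
        if cron_access "$u" "$2" "$3"; then
            echo "$u"
        fi
    done
}

# make_sample_cron_files DIR
#   Constructed sample: a passwd file and the cron.deny Solaris ships.
#   No cron.allow is created, which is the stock state.
make_sample_cron_files() {
    mkdir -p "$1"
    cat > "$1/passwd" <<'EOF'
root:x:0:1::/:/sbin/sh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
sys:x:3:3::/:
adm:x:4:4::/var/adm:
lp:x:71:8::/usr/spool/lp:
uucp:x:5:5::/usr/lib/uucp:
nuucp:x:9:9::/var/spool/uucppublic:/usr/lib/uucp/uucico
listen:x:37:4::/usr/net/nls:
nobody:x:60001:60001::/:
noaccess:x:60002:60002::/:
oper:x:1001:10::/export/home/oper:/bin/ksh
EOF
    printf '%s\n' bin daemon smtp nuucp listen nobody noaccess > "$1/cron.deny"
}

# Against a real host:
#   who_may_use /etc/passwd /usr/lib/cron/cron.allow /usr/lib/cron/cron.deny
#   who_may_use /etc/passwd /usr/lib/cron/at.allow   /usr/lib/cron/at.deny
```

With the stock files the list is everyone not named in cron.deny, which on a freshly installed system includes every ordinary user; after rm /usr/lib/cron/cron.deny it is root alone, and an allow file containing a single name admits that name only, not root.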

Message of the Day (motd)

Create the files /etc/motd and /etc/issue. A sample message is in Appendix D.

EEPROM Password

Turn on EEPROM security. You will be prompted for a password. Assign a password that is different from the superuser password. This password will be required in order to execute low level hardware commands at the ok prompt. Setting "eeprom security-mode=command" will cause the machine to prompt for a password before boot-level commands are accepted. This prevents attackers with physical access from booting from alternate media (like a CD-ROM) and bypassing your system security.

      eeprom security-mode=command

In-bound FTP User Access Permission

In-bound ftp access is disabled for all well-known system accounts. This is the default setting when Solaris 8 or 9 is installed. This section is meant for you to check that this default has not been changed. Type the following command to display the content of the /etc/ftpusers file:

cat /etc/ftpusers

If the output does not match the following:

      root
      daemon
      bin
      sys
      adm
      lp
      uucp
      nuucp
      listen
      nobody
      noaccess
      nobody4

you can run the following script to recreate it:

      rm /etc/ftpusers
      touch /etc/ftpusers
      for user in root daemon bin sys adm \
         lp uucp nuucp listen nobody \
         noaccess nobody4
      do
         echo $user >> /etc/ftpusers
      done
      chown root /etc/ftpusers
      chgrp root /etc/ftpusers
      chmod 600 /etc/ftpusers

The .rhost Support

Remove .rhosts support from /etc/pam.conf.

      grep -v rhosts_auth /etc/pam.conf > /etc/pam.new
      mv /etc/pam.new /etc/pam.conf
      chown root /etc/pam.conf
      chgrp sys /etc/pam.conf
      chmod 644 /etc/pam.conf

Default Login

Edit the /etc/default/login file and uncomment

  • the UMASK line to set the initial shell file creation mode mask to 022.
  • the CONSOLE=/dev/console line to disable remote root login (via telnet, for example).
  • the SUPATH=/usr/sbin:/usr/bin line to make sure root has a safe path.
  • the RETRIES=5 line to allow only 5 failed logins – you can reduce it to, say, 3.
  • the SYSLOG_FAILED_LOGINS=5 line and change 5 to 0 to force syslogd to log all failed login attempts.

Keyboard Abort (Stop-A)

Keyboard Abort is automatically disabled when BSM is enabled. To disable it manually, edit /etc/default/kbd, uncomment the KEYBOARD_ABORT entry and set it to KEYBOARD_ABORT=disable, which disables the Stop-A sequence (aka break). The downside is that if the machine locks up, only a hard power cycle will recover it.

TCP Sequence Number

Edit the /etc/default/inetinit file and set TCP_STRONG_ISS=2 so that the system will use a better algorithm to generate TCP sequence numbers.

Default Password Length

Set the default password length from 6 to 8 in /etc/default/passwd and password aging to 12 weeks (or set to the values specified by customer security policy requirements):

       MAXWEEKS=12
       MINWEEKS=10
       PASSLENGTH=8

Shadow Password

Shadow passwords are supported in Solaris 8 and 9 and shall be used; this is the default. Please refer to the Strong Password Guide provided by Nortel Networks.

Stack-smashing

Edit /etc/system and add the following:

      * Attempt to prevent and log stack-smashing
      * attacks
      set noexec_user_stack = 1
      set noexec_user_stack_log = 1

TCP Wrapper and SSH

Install TCP Wrapper binary tcpd in /usr/sbin from ftp://ftp.cert.org/pub/tools/tcp_wrappers. If you must leave telnet and FTP on the system, put them behind the TCP Wrapper. Make sure /etc/hosts.deny file contains the following uncommented entry only:

ALL:ALL

Make sure /etc/hosts.allow file contains uncommented entries only for the hosts you want to grant remote login access to. Example:

      ALL: trusted_host1, trusted_ip1

It is recommended that SSH be used instead of telnet and FTP. SSH is shipped with Solaris 9 but not with Solaris 8.

Secure X Windows

If you're running X Windows on the machine, make sure to disable remote XDMCP access in /etc/dt/config/Xaccess. You may also want to set a default locking screensaver timeout for your users in /etc/dt/config/*/sys.resources.

Step 6: Enhance Solaris Network Security

Add Network Setting For Security

Two files will be created and individual commands will be added to the files to add network settings for security. Create the first file by executing the following command:

   touch /etc/init.d/nddconfig

Create the second file by making a symbolic link to the first file:

   ln -s /etc/init.d/nddconfig /etc/rc2.d/S70nddconfig

You may directly add the following commands into the first file using your favourite editor such as vi:

ndd -set /dev/arp arp_cleanup_interval 60000
ndd -set /dev/ip ip_forward_directed_broadcasts 0
ndd -set /dev/ip ip_forward_src_routed 0
ndd -set /dev/ip ip_ignore_redirect 1
ndd -set /dev/ip ip_ire_arp_interval 60000
ndd -set /dev/ip ip_respond_to_address_mask_broadcast 0
ndd -set /dev/ip ip_respond_to_echo_broadcast 0
ndd -set /dev/ip ip_respond_to_timestamp 0
ndd -set /dev/ip ip_respond_to_timestamp_broadcast 0
ndd -set /dev/ip ip_send_redirects 0
ndd -set /dev/ip ip_strict_dst_multihoming 1
ndd -set /dev/tcp tcp_conn_req_max_q0 4096
ndd -set /dev/tcp tcp_conn_req_max_q 1024
ndd -set /dev/tcp tcp_rev_src_routes 0

Or you may follow the steps outlined below to first understand what each command does and then add it to the file.

Set arp_cleanup_interval

This option determines the period of time the Address Resolution Protocol (ARP) cache maintains entries. ARP attacks may be effective with the default interval. Shortening the timeout interval should reduce the effectiveness of such an attack. The system default value is 300000 milliseconds (5 minutes), and the new setting is 60000 milliseconds (1 minute). Execute the following command to add this setting:

   echo "ndd -set /dev/arp arp_cleanup_interval 60000" >> /etc/init.d/nddconfig

The ARP cleanup interval is set to 1 minute.

Set ip_forward_directed_broadcasts

This option determines whether to forward broadcast packets directed to a specific net or subnet, if that net or subnet is directly connected to the machine. If the system is acting as a router, this option can be exploited to generate a great deal of broadcast network traffic. Turning this option off will help prevent broadcast traffic attacks. The system default value is 1 (true), and the new setting is 0 (false). Execute the following command to add this setting:

   echo "ndd -set /dev/ip ip_forward_directed_broadcasts 0" >> /etc/init.d/nddconfig

IP forward directed broadcasts will be disabled.

Set ip_forward_src_routed

This option determines whether to forward packets that are source routed. These packets define the path the packet should take instead of allowing network routers to define the path. The system default value is 1 (true) and the new setting is 0. Execute the following command to add this setting:

   echo "ndd -set /dev/ip ip_forward_src_routed 0" >> /etc/init.d/nddconfig

IP forward source routing will be disabled.

Set ip_ignore_redirect

This option determines whether to ignore Internet Control Message Protocol (ICMP) packets that define new routes. If the system is acting as a router, an attacker may send redirect messages to alter routing tables as part of a sophisticated attack (man-in-the-middle) or a simple denial of service. The system default value is 0 (false), and the new setting is 1. Execute the following command to add this setting:

   echo "ndd -set /dev/ip ip_ignore_redirect 1" >> /etc/init.d/nddconfig

ICMP packets that define new routes will be ignored.

Set ip_ire_arp_interval

This option determines the period of time at which a specific route will be kept, even if currently in use. ARP attacks may be effective with the default interval. Shortening the time interval may reduce the effectiveness of attacks. The system default interval is 1200000 milliseconds (20 minutes), and the new setting is 60000 milliseconds (1 minute). Execute the following command to add this setting:

   echo "ndd -set /dev/ip ip_ire_arp_interval 60000" >> /etc/init.d/nddconfig

The IP_IRE_ARP interval will be set to 1 minute.

Set ip_respond_to_address_mask_broadcast

This option determines whether to respond to ICMP netmask requests, which are typically sent by diskless clients when booting. An attacker may use the netmask information to determine the network topology or the broadcast address of the subnet. The default value is 0 (false) and the new setting is 0 as well. Execute the following command to add this setting:

   echo "ndd -set /dev/ip ip_respond_to_address_mask_broadcast 0" >> /etc/init.d/nddconfig

The response to ICMP netmask requests will be disabled.

Set ip_respond_to_echo_broadcast

This option determines whether to respond to ICMP broadcast echo requests (ping). An attacker may try to create a denial of service attack on subnets by sending many broadcast echo requests to which all systems will respond. This also provides information on systems that are available on the network. The system default value is 1 (true), and the new setting is 0. Execute the following command to add this setting:

   echo "ndd -set /dev/ip ip_respond_to_echo_broadcast 0" >> /etc/init.d/nddconfig

The response to ICMP broadcast echo requests (ping) will be disabled.

Set ip_respond_to_timestamp

This option determines whether to respond to ICMP timestamp requests, which some systems use to discover the time on a remote system. An attacker may use the time information to schedule an attack for a time when the system runs a cron job (or other time-based event) or is otherwise busy. It may also be possible to predict ID or sequence numbers that are based on the time of day for spoofing services. The system default value is 1 (true), and the new setting is 0. Execute the following command to add this setting:

   echo "ndd -set /dev/ip ip_respond_to_timestamp 0" >> /etc/init.d/nddconfig

The response to ICMP timestamp requests will be disabled.

Set ip_respond_to_timestamp_broadcast

This option determines whether to respond to ICMP broadcast timestamp requests which are used to discover the time on all systems in the broadcast range. This option is dangerous for the same reasons as responding to a single timestamp request. Additionally, an attacker may try to create a denial of service attack by generating many broadcast timestamp requests. The default value is 1 (true), and the new setting is 0. Execute the following command to add this setting:

   echo "ndd -set /dev/ip ip_respond_to_timestamp_broadcast 0" >> /etc/init.d/nddconfig

The response to ICMP broadcast timestamp requests will be disabled.

Set ip_send_redirects

This option determines whether to send ICMP redirect messages which can introduce changes into remote system's routing table. It should only be used on systems that act as routers. The system default value is 1 (true), and the new setting is 0. Execute the following command to add this setting:

   echo "ndd -set /dev/ip ip_send_redirects 0" >> /etc/init.d/nddconfig

ICMP redirect messages will be disabled.

Set ip_strict_dst_multihoming

This option determines whether to enable strict destination multihoming. If this is set to 1 and ip_forwarding is set to 0, then a packet sent to an interface from which it did not arrive will be dropped. This setting prevents an attacker from passing packets across a machine with multiple interfaces that is not acting as a router. The system default value is 0 (false), and the new setting is 1. Execute the following command to add this setting:

   echo "ndd -set /dev/ip ip_strict_dst_multihoming 1" >> /etc/init.d/nddconfig

Strict destination multihoming will be enabled.

Set tcp_conn_req_max_q0

This option sets the size of the queue containing unestablished connections. This queue is part of a protection mechanism against SYN flood attacks. The queue size default is adequate for most systems but should be increased for busy servers. The system default value is 1024, and the new setting is 4096.

   echo "ndd -set /dev/tcp tcp_conn_req_max_q0 4096" >> /etc/init.d/nddconfig

The size of the queue containing unestablished connections will be increased to 4096.

Set tcp_conn_req_max_q

This option sets the maximum number of fully established connections. Increasing the size of this queue provides some limited protection against resource consumption attacks. The queue size default is adequate for most systems but should be increased for busy servers. The system default value is 128, and the new setting is 1024. Execute the following command to add this setting:

   echo "ndd -set /dev/tcp tcp_conn_req_max_q 1024" >> /etc/init.d/nddconfig

The maximum number of fully established connections will be increased to 1024.

Set tcp_rev_src_routes

This option determines whether the specified route in a source routed packet will be used in returned packets. TCP source routed packets may be used in spoofing attacks, so the reverse route should not be used. The default value is 0 (false), and the new setting is 0 as well. Execute the following command to add this setting:

   echo "ndd -set /dev/tcp tcp_rev_src_routes 0" >> /etc/init.d/nddconfig

The specified route in a source routed packet will not be used in returned packets.
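As an added example (not from the original guide), the following sh script keeps the fourteen settings above in one table, renders the /etc/init.d/nddconfig script from it, and audits a running kernel with ndd -get so that drift from the hardened values shows up at a glance. It assumes /usr/sbin/ndd; the NDD variable is an assumption that lets the audit be pointed at a wrapper on a host without ndd.

```shell
#!/bin/sh
# Render /etc/init.d/nddconfig from one table and audit a running kernel
# against the same table. Added example, not part of the original guide.
# NDD (default /usr/sbin/ndd) is an assumption so that the audit can be
# pointed at a wrapper when no ndd binary is available.

NDD="${NDD:-/usr/sbin/ndd}"

# device, parameter, hardened value: the fourteen settings from Step 6
SETTINGS='/dev/arp arp_cleanup_interval 60000
/dev/ip ip_forward_directed_broadcasts 0
/dev/ip ip_forward_src_routed 0
/dev/ip ip_ignore_redirect 1
/dev/ip ip_ire_arp_interval 60000
/dev/ip ip_respond_to_address_mask_broadcast 0
/dev/ip ip_respond_to_echo_broadcast 0
/dev/ip ip_respond_to_timestamp 0
/dev/ip ip_respond_to_timestamp_broadcast 0
/dev/ip ip_send_redirects 0
/dev/ip ip_strict_dst_multihoming 1
/dev/tcp tcp_conn_req_max_q0 4096
/dev/tcp tcp_conn_req_max_q 1024
/dev/tcp tcp_rev_src_routes 0'

# render_nddconfig -> body of the rc script; redirect it to /etc/init.d/nddconfig
render_nddconfig() {
    echo '#!/bin/sh'
    echo '# Network hardening settings, run from /etc/rc2.d/S70nddconfig'
    printf '%s\n' "$SETTINGS" | while read -r dev param value; do
        echo "ndd -set $dev $param $value"
    done
}

# check_one DEV PARAM EXPECTED -> prints OK, DRIFT or ERROR; returns 0 only for OK
check_one() {
    got=$("$NDD" -get "$1" "$2" 2>/dev/null) || {
        echo "ERROR $1 $2 (ndd -get failed)"
        return 2
    }
    if [ "$got" = "$3" ]; then
        echo "OK    $1 $2 = $got"
    else
        echo "DRIFT $1 $2 = $got (expected $3)"
        return 1
    fi
}

# audit -> one status line per setting in the table
audit() {
    printf '%s\n' "$SETTINGS" | while read -r dev param value; do
        check_one "$dev" "$param" "$value" || :
    done
}

# count_bad reads an audit report on stdin and prints the number of non-OK lines
count_bad() {
    awk '!/^OK/ { n++ } END { print n + 0 }'
}

# usage: sh nddconfig.sh render > /etc/init.d/nddconfig
#        sh nddconfig.sh audit     (exit status 1 when any setting has drifted)
case "${1:-}" in
    render) render_nddconfig ;;
    audit)  result=$(audit)
            printf '%s\n' "$result"
            [ "$(printf '%s\n' "$result" | count_bad)" -eq 0 ] ;;
esac
```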

 

Step 7: File System Lockdown

After you have installed and configured all the necessary software on your system, you may want to make sure that no one can modify them. You may also want to prevent rogue setuid programs from showing up. In order to do that, you can modify the /etc/vfstab file and set the appropriate flags.

Edit the /etc/vfstab file:

   vi /etc/vfstab

Mount /usr as read-only.

In particular, the /usr file system contains all of the critical OS programs and set-UID binaries but is relatively static, so you should mount /usr "ro" (read-only).

When you need to install patches, you can make the file system read-write again with the command "mount -o remount,rw /usr", but you'll need to reboot the system to make it read-only again.

Mount other non-root ufs file systems with nosuid.

You may be able to mount /opt, /usr/local, and other file systems containing third-party software tools "ro" as well.

All other file systems should be mounted "nosuid". Unfortunately, Sun has decided that setting "nosuid" also implies "nodev" (device files don't work), which means you can't mount the root file system (which contains /devices) "nosuid", and you can't make it read-only either. You also need to be careful about the "nosuid"/"nodev" settings on the file systems where you're running chroot()ed daemons (FTP servers, BIND, etc.), since "nosuid" will interfere with the device files required in your chroot() directory structure.

Also, be sure to set the "nosuid" option for all removable media devices in the volume manager configuration file, /etc/rmmount.conf (this is the default for Solaris 8 and later).

Examine the file /etc/logindevperm, because it contains the configuration information for what permissions to set on devices associated with login (console, keyboard, etc).

You might also want to ensure that root has a umask of 077 or 027 and that a safe search path, such as /usr/bin:/sbin:/usr/sbin, is set. Securing the files in /etc and removing group write from all files in /etc can be done with the following command:

chmod -R g-w /etc

Also /etc/utmp can be set to mode 644 without disrupting services.

The final vfstab file should look like the example below. The last column is the area of interest.

Sample /etc/vfstab

   #device            device             mount   FS    fsck  mount    mount
   #to mount          to fsck            point   type  pass  at boot  options
   /dev/dsk/c0t0d0s3  -                  -       swap  -     no       -
   /dev/dsk/c0t0d0s0  /dev/rdsk/c0t0d0s0 /       ufs   1     no       -
   /dev/dsk/c0t0d0s6  /dev/rdsk/c0t0d0s6 /usr    ufs   1     no       ro
   /dev/dsk/c0t0d0s1  /dev/rdsk/c0t0d0s1 /var    ufs   1     no       nosuid
   /dev/dsk/c0t0d0s7  /dev/rdsk/c0t0d0s7 /extra  ufs   2     yes      nosuid
   /dev/dsk/c0t0d0s5  /dev/rdsk/c0t0d0s5 /opt    ufs   2     yes      nosuid

If your partitions for binaries, variable data and user space differ from the above example, it is recommended that you mount the binaries partition(s) as read-only and mount other non-root file systems with nosuid.

Please make sure you have double-checked everything at this point. Once you finish here, you will reboot to verify everything. If you have not added all your components properly, you will not easily be able to make changes, in which case you will have to remount your binaries partition to make it writable.

There are third party applications that can be used to monitor your file system. But it's beyond the scope of this hardening guide to discuss and evaluate them.
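As an added check that is not part of the original guide, this sh script reads a vfstab and flags every ufs entry that departs from the rule above: the binaries partition(s) (RO_MOUNTS, an assumed variable defaulting to /usr) must be "ro", every other non-root ufs file system must be "nosuid", and the root file system is reported but never flagged. The sample vfstab inside it is constructed and mirrors the table above.

```shell
#!/bin/sh
# Check a vfstab against Step 7: binaries partitions ro, other non-root ufs
# file systems nosuid. Added example, not part of the original guide.
# RO_MOUNTS is an assumption; list every binaries partition, space separated.

RO_MOUNTS="${RO_MOUNTS:-/usr}"

# Constructed sample mirroring the table above (not copied from a real host).
SAMPLE_VFSTAB='#device            device             mount   FS    fsck  mount    mount
#to mount          to fsck            point   type  pass  at boot  options
/dev/dsk/c0t0d0s3  -                  -       swap  -     no       -
/dev/dsk/c0t0d0s0  /dev/rdsk/c0t0d0s0 /       ufs   1     no       -
/dev/dsk/c0t0d0s6  /dev/rdsk/c0t0d0s6 /usr    ufs   1     no       ro
/dev/dsk/c0t0d0s1  /dev/rdsk/c0t0d0s1 /var    ufs   1     no       nosuid
/dev/dsk/c0t0d0s7  /dev/rdsk/c0t0d0s7 /extra  ufs   2     yes      nosuid
/dev/dsk/c0t0d0s5  /dev/rdsk/c0t0d0s5 /opt    ufs   2     yes      nosuid'

# has_opt OPTIONS NAME -> 0 when NAME is one of the comma separated mount options
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
    esac
    return 1
}

# wanted_opt MOUNTPOINT -> the option Step 7 requires for that mount point
wanted_opt() {
    for ro in $RO_MOUNTS; do
        [ "$1" = "$ro" ] && { echo ro; return; }
    done
    echo nosuid
}

# check_vfstab reads a vfstab on stdin and prints one line per ufs entry:
# "<mount> OK" or "<mount> MISSING <option>"
check_vfstab() {
    while read -r dev rdev mnt fstype pass boot opts; do
        case "$dev" in ''|'#'*) continue ;; esac    # skip blank lines and comments
        [ "$fstype" = ufs ] || continue              # swap, proc, tmpfs are out of scope
        if [ "$mnt" = / ]; then
            echo "/ OK (root cannot be ro or nosuid)"
            continue
        fi
        want=$(wanted_opt "$mnt")
        if has_opt "$opts" "$want"; then
            echo "$mnt OK"
        else
            echo "$mnt MISSING $want"
        fi
    done
}

# usage: sh vfstabcheck.sh /etc/vfstab ; with no argument the constructed sample is checked
if [ $# -eq 1 ]; then
    check_vfstab < "$1"
else
    printf '%s\n' "$SAMPLE_VFSTAB" | check_vfstab
fi
```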

 

Step 8: Vulnerability Testing and Patching

Please visit http://netsec.ca.nortel.com for the Threat and Risk Assessment Program and the Security Advisory Task Force (SATF) triage process of handling vulnerability advisories and patches.

Once you've decided exactly which pieces of the operating system you wish to install, download and install the Recommended Patch Cluster for your OS version. It's important that you install all of the OS packages that you'll need before you apply patches. If you install OS software after your patch install, you may end up with unpatched software that has security issues.

Patches can be found by logging into your sunsolve account at https://support.oracle.com : the cluster files are named <vers>_Recommended.zip (or .tar.Z for Solaris 2.6 and earlier).

Note that not all security patches are necessarily included in the recommended patch set, so you'll also want to check out the Solaris<vers>.PatchReport files in the same directory.

 

Step 9: Securing SSH/SSHD

Change default port

The vast majority of ssh attacks are directed by compromised zombie machines against ssh servers listening on the default port of "22". By changing this port to something else you greatly reduce the risk of an automated break-in. Edit /etc/ssh/sshd_config and change the line which reads "Port 22" to "Port 3320", or any other unused port of your choosing, preferably above 1024. A line preceded by a '#' is the commented out default value.

#Port 22

Port 3320

Disable insecure protocols

SSH speaks two protocols: The old and insecure Protocol 1, and the newer Protocol 2. Almost all SSH clients now speak Protocol 2, so it is best to disable the older one. Edit sshd_config to include only Protocol 2, and not both:

#Protocol 2,1

Protocol 2

 

Disable root logins

This one is easy. There is (almost) no reason to allow remote root logins via ssh. Disabling the ability to do so won't cause you any pain, it's easy to do, and it gives you quite an improvement in security.

Use your favorite editor to open your ssh configuration file. The file is located at /etc/ssh/sshd_config. Find the line that says PermitRootLogin (or create it if it doesn’t exist) and change the value to “no”:

#PermitRootLogin yes

PermitRootLogin no

Now, this doesn’t prevent anyone from breaking into a normal user account. After connecting as a normal user, you can still "su -" to root.

If root login is required - e.g. for remote system backups - you may alternatively permit root to login, but only if using ssh keys, not interactive password entry:

PermitRootLogin without-password

Finally, it's also possible to limit root access to only be able to run specific commands, such as backup scripts (beyond the scope of this article):

PermitRootLogin forced-commands-only

Limit number of connections

Limit the maximum number of unauthenticated connections that the ssh server will handle at the same time. The smaller this is, the harder it is for script kiddies to make a parallel, coordinated cracking attempt with multiple connections.

Edit sshd_config and change MaxStartups from the default of "10" to "3:50:10". The colon separated values tell the ssh server to "allow 3 users to attempt logging in at the same time, and to randomly and increasingly drop connection attempts between 3 and the maximum of 10".

Note: this should be increased on servers with substantial numbers of valid ssh users logging in.

 

#MaxStartups 10
MaxStartups 3:50:10

Reduce time allowed to login

Reduce the maximum amount of time allowed to successfully login before disconnecting. The default of 2 minutes is too much time to hold open an unauthenticated connection attempt (see above); 30 seconds is more than enough time to log in:

 

#LoginGraceTime 2m
LoginGraceTime 30

Validate user/group logins


By default, all valid users on the system are allowed to log in. A more secure policy is to only allow a whitelist of users or groups to log in. For example, to allow only the users "john", "mary", "joeblow", "joeschmoe", "joejoe", and any username that starts with "joe" to login, add the following line to sshd_config:

AllowUsers john mary joe*

Alternatively, you may instead allow only users who are members of certain groups to login. For example, to allow only the members of the "sshusers" group to connect, first make sure the group exists (groupadd sshusers) and add your users to it (usermod -a -G sshusers username), then add the following line to sshd_config:

 

AllowGroups sshusers

Secure SSH network access

Allow only users from certain IP addresses to connect. For the allow list to be effective, the default policy must first be set to DENY. Edit /etc/hosts.deny and add the following line:

sshd: ALL

Next add to /etc/hosts.allow the networks you want to allow. For example, to allow all 254 hosts on the class C network "192.168.1.*", all 16 million hosts of the class A network "10.0.0.0", and the lonely IP 24.42.69.101, you would add the following to /etc/hosts.allow:

sshd: 192.168.1.0/255.255.255.0
sshd: 10.0.0.0/255.0.0.0
sshd: 24.42.69.101

You may also allow/deny connections via a firewall, but to maintain sanity it's best to stick to one method or the other.

 

To remove the possibility of anybody ever guessing a user's password, disable password authentication completely, and require that public/private key pairs be used instead. While much more secure than passwords, a user's private key can still be compromised, especially if not protected by a passphrase. To disable password logins, add the following to sshd_config:

 


PasswordAuthentication no

By default, the ssh server listens for connections on all interfaces (0.0.0.0). If an ssh server is to be accessible only internally, bind it to a LAN IP. For example, in sshd_config:

ListenAddress 192.168.1.10
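The Step 9 settings above, as an added example that is not part of the original guide: an sh script that reports the effective value of each keyword in an sshd_config and rates it. It relies on sshd taking the first occurrence of a keyword and ignoring comment lines, so the "#Port 22" style defaults left in the file never win over the real setting; the sample configuration inside it is constructed.

```shell
#!/bin/sh
# Report the effective value of the Step 9 sshd_config keywords and rate each
# one. Added example, not part of the original guide. sshd takes the first
# occurrence of a keyword and ignores comment lines, so the "#Port 22" style
# defaults left in the file never win over the real setting.

# Constructed sample configuration (not from a real host) with the Step 9 values.
SAMPLE_CONFIG='# sshd_config after Step 9
#Port 22
Port 3320
#Protocol 2,1
Protocol 2
#PermitRootLogin yes
PermitRootLogin no
#MaxStartups 10
MaxStartups 3:50:10
#LoginGraceTime 2m
LoginGraceTime 30
PasswordAuthentication no
AllowGroups sshusers
ListenAddress 192.168.1.10'

# effective_value FILE KEYWORD -> first uncommented value of KEYWORD (keywords are
# case-insensitive); prints nothing when it is unset and the built-in default applies
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == key { sub(/^[ \t]*[^ \t]+[ \t]+/, ""); print; exit }
    ' "$1"
}

# to_seconds VALUE -> seconds for the sshd time formats 30, 30s, 2m, 1h
to_seconds() {
    case "$1" in
        *h) echo $(( ${1%h} * 3600 )) ;;
        *m) echo $(( ${1%m} * 60 )) ;;
        *s) echo "${1%s}" ;;
        *)  echo "$1" ;;
    esac
}

# audit_sshd FILE -> "Keyword value OK|WEAK" for each Step 9 keyword; an unset
# keyword is shown as <default> and rated by sshd's default for it
audit_sshd() {
    for key in Port Protocol PermitRootLogin MaxStartups LoginGraceTime PasswordAuthentication; do
        v=$(effective_value "$1" "$key")
        status=WEAK
        case "$key" in
            Port)
                [ -n "$v" ] && [ "$v" != 22 ] && status=OK ;;
            Protocol)
                [ "$v" = 2 ] && status=OK ;;            # "2,1" and "1" still offer SSH-1
            PermitRootLogin)
                case "$v" in no|without-password|forced-commands-only) status=OK ;; esac ;;
            MaxStartups)
                [ -n "$v" ] && [ "$v" != 10 ] && status=OK ;;
            LoginGraceTime)
                [ -n "$v" ] && [ "$(to_seconds "$v")" -le 30 ] && status=OK ;;
            PasswordAuthentication)
                [ "$v" = no ] && status=OK ;;
        esac
        echo "$key ${v:-<default>} $status"
    done
}

# usage: sh sshdaudit.sh /etc/ssh/sshd_config ; with no argument the sample is audited
if [ $# -eq 1 ]; then
    audit_sshd "$1"
else
    tmp=$(mktemp) && printf '%s\n' "$SAMPLE_CONFIG" > "$tmp" && audit_sshd "$tmp"
    rm -f "$tmp"
fi
```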

 

Appendix A: Replacement /etc/init.d/inetsvc script

#!/bin/sh
#
#
#
# Re-set the netmask and broadcast addr for all IP interfaces. This
# ifconfig is run here, after NIS has been started, so that "netmask
# +" will find the netmask if it lives in a NIS map.
# The 'D' in -auD tells ifconfig NOT to mess with the interface
# if it is under DHCP control
#
/usr/sbin/ifconfig -auD netmask + broadcast +
#
# If this machine is configured to be an Internet Domain Name
# System (DNS) server, run the name daemon.
# Start named prior to: route add net host, to avoid dns
# gethostbyname timeout delay for nameserver during boot.
#
if [ -f /usr/sbin/in.named -a -f /etc/named.boot ]; then
        /usr/sbin/in.named; echo "starting internet domain name server."
fi
#mcastif=`uname -n`
#echo "Setting default interface for multicast: \c"
#/usr/sbin/route add -interface -netmask "240.0.0.0" "224.0.0.0" "$mcastif"
#
# Run inetd in "standalone" mode (-s flag) so that it doesn't have
# to submit to the will of SAF. Why did we ever let them change inetd?
#
#/usr/sbin/inetd -s

Appendix B: Sample newsyslog script

#! /bin/sh
#
# newsyslog: rotate /var/adm/messages and /var/log/syslog, then signal syslogd
# 97/03/31 SMI
#
LOG=messages
cd /var/adm
test -f $LOG.2 && mv $LOG.2 $LOG.3
test -f $LOG.1 && mv $LOG.1 $LOG.2
test -f $LOG.0 && mv $LOG.0 $LOG.1
mv $LOG   $LOG.0
cp /dev/null $LOG
chmod 644    $LOG
#
LOGDIR=/var/log
LOG=syslog
if test -d $LOGDIR
then
        cd $LOGDIR
        if test -s $LOG
        then
                test -f $LOG.6 && mv $LOG.6  $LOG.7
                test -f $LOG.5 && mv $LOG.5  $LOG.6
                test -f $LOG.4 && mv $LOG.4  $LOG.5
                test -f $LOG.3 && mv $LOG.3  $LOG.4
                test -f $LOG.2 && mv $LOG.2  $LOG.3
                test -f $LOG.1 && mv $LOG.1  $LOG.2
                test -f $LOG.0 && mv $LOG.0  $LOG.1
                mv $LOG    $LOG.0
                cp /dev/null $LOG
                chmod 644    $LOG
                sleep 40
        fi
fi
#
kill -HUP `cat /etc/syslog.pid`

Appendix C: Minimal sendmail configuration file

# Minimal client sendmail.cf

### Defined macros

# The name of the mail hub - PUT APPROPRIATE HOSTNAME FOR YOUR SITE HERE!!!
DRmailhost
# Define version
V8
# Whom errors should appear to be from
DnMailer-Daemon
# Formatting of the UNIX from line
DlFrom $g $d
# Separators
Do.:%@!^=/[]
# Form of the sender's address
Dq<$g>
# Spool directory
OQ/usr/spool/mqueue

### Mailer Delivery Agents

# Mailer to forward mail to the hub machine
Mhub,   P=[IPC],     F=mDFMuCX,    S=0, R=0, A=IPC $h
# Sendmail requires these, but they are not used
Mlocal, P=/dev/null, F=rlsDFMmnuP, S=0, R=0, A=/dev/null
Mprog,  P=/dev/null, F=lsDFMeuP,   S=0, R=0, A=/dev/null

### Rule sets -- WHITESPACE BETWEEN COLUMNS MUST BE TABS!!!

S0
R@$+		$#error $: Missing user name
# forward to hub
R$+		$#hub $@$R $:$1

S3
# handle <> error address
R$*<>$*		$n
# basic RFC822 parsing
R$*<$*>$*	$2

Appendix D: Sample /etc/issue and /etc/motd file

This system is for the use of authorized users only. Individuals using this computer system without authority, or in excess of their authority, are subject to having all of their activities on this system monitored and recorded by system personnel.

In the course of monitoring individuals improperly using this system, or in the course of system maintenance, the activities of authorized users may also be monitored.

Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity, system personnel may provide the evidence of such monitoring to law enforcement officials.

Appendix E: TCP Wrapper generic configuration file

vi /etc/hosts.allow

#
# Only allow access from the management network. Explicit
# deny policy in /etc/hosts.deny
#
# The IP addresses allocated from the management network
/usr/local/bin/sshd: 172.16.1.0/255.255.255.0

vi /etc/hosts.deny

#
# Explicitly deny access from all stations except those
# that match the allow rule in /etc/hosts.allow
#
ALL : ALL

Appendix F: Security Script

Please note that the following script is included here for illustration purposes only.

#!/bin/sh
###################################################################
#Please set the following variables
#LOGFILE is the location of the logfile; $0 will contain the name of the script
LOGFILE=/SECURITY/$0.log
#NEWFILES is the location of the files changed by this script.
#The files that should be in the NEWFILES directory are:
#new_inetd.conf, new_inetsvc, new_login, new_passwd and new_syslog.conf
NEWFILES=/SECURITY
#
#Section 1#########################################################
#
echo WARNING... This script is intended to be executed on a
echo newly installed Solaris operating system and is not
echo designed to be executed more than once on the same server.
echo
echo Please abort now with CTRL-C if this is not the case
echo
echo Execution will resume in 15 seconds
sleep 15
echo running $0 at `date` | tee -a $LOGFILE
echo logfile is $LOGFILE | tee -a $LOGFILE
echo new files are stored in $NEWFILES | tee -a $LOGFILE
#
#Section 2#########################################################
#This section enables the basic security module (BSM). BSM is needed
#by the auditing applications. Also in this section, we configure
#auditing for administrative and login/logout attempts for the root
#user.
#
echo installing basic security module | tee -a $LOGFILE
echo y > y
/etc/security/bsmconv < y | tee -a $LOGFILE
cp /etc/security/audit_user /etc/security/audit_user.orig
sed s/root:lo:no/root:ad,lo:no/g /etc/security/audit_user > /etc/security/audit_user.new
mv /etc/security/audit_user.new /etc/security/audit_user
chown root:sys /etc/security/audit_user
chmod 655 /etc/security/audit_user
#
#Section 3########################################################
#This section sets the appropriate umask value in startup script for
#each startup directory to make sure that all the services are started
#with the appropriate file permissions.
#
echo starting the system daemons with appropriate umask value | tee -a $LOGFILE
echo 'umask 022' > /etc/init.d/umask.sh
chmod 744 /etc/init.d/umask.sh
for dir in /etc/rc?.d
do
ln -s /etc/init.d/umask.sh $dir/S00umask.sh
echo ln -s /etc/init.d/umask.sh $dir/S00umask.sh | tee -a $LOGFILE
done

#Section 4##########################################################
#This section removes all unused services from the rc2.d and rc3.d
#startup directories. The services are renamed so that they won't be
#executed on startup.

#
echo Removing unused services from startup directories | tee -a $LOGFILE
cd /etc/rc2.d
echo Removing from /etc/rc2.d ... | tee -a $LOGFILE
SERVICES_TO_REMOVE='*nfs* *perf *asppp *auto* *xntpd *lp *spc *power *sendmail *bdconfig *sysid.net *nscd *cacheos.finish *uucp *PRESERVE *sysid.sys *cachefs.daemon'
for file in $SERVICES_TO_REMOVE
do
mv $file .NO$file
echo renaming $file to .NO$file in RC2 | tee -a $LOGFILE
done
echo Removing from /etc/rc3.d ... | tee -a $LOGFILE
cd /etc/rc3.d
for file in *nfs.server *dmi *snmpdx
do
mv $file .NO$file
echo renaming $file to .NO$file in RC3 | tee -a $LOGFILE
done
#
#Section 5##########################################################
#This section replaces the inetd.conf file with a new one (where all
#services have been commented out). Also, the inetsvc file is
#replaced with a more secure version.
#
echo Replacing inetd.conf with new version | tee -a $LOGFILE
mv /etc/inet/inetd.conf /etc/inet/inetd.conf.orig
cp $NEWFILES/new_inetd.conf /etc/inet/inetd.conf
chmod 444 /etc/inet/inetd.conf
echo Installing a replacement /etc/init.d/inetsvc file | tee -a $LOGFILE
cp /etc/init.d/inetsvc /etc/init.d/inetsvc.orig
cp $NEWFILES/new_inetsvc /etc/init.d/inetsvc
chmod 744 /etc/init.d/inetsvc
ln /etc/init.d/inetsvc /etc/rc2.d/S72inetsvc
#
#Section 6##########################################################
#This section renames several configuration files used by NFS. If
#NFS is not used, it is best practice to remove all related cfg files.
#we can rename these files until we are sure we want to remove them
#
echo moving /etc/auto_master to /etc/.auto_master.orig | tee -a $LOGFILE
mv /etc/auto_master /etc/.auto_master.orig

echo moving /etc/auto_home to /etc/.auto_home.orig | tee -a $LOGFILE
mv /etc/auto_home /etc/.auto_home.orig
echo moving /etc/dfs/dfstab to /etc/dfs/.dfstab.orig | tee -a $LOGFILE
mv /etc/dfs/dfstab /etc/dfs/.dfstab.orig

#
#Section 7#########################################################
#This section removes all unused users from the passwd and shadow
#file. Several users are in a default Solaris installation and most
#are not needed in our Wireless OAM context.
#
echo removing unused users from passwd file | tee -a $LOGFILE
for user in uucp nuucp adm lp smtp listen
do
/usr/sbin/passmgmt -d $user
echo /usr/sbin/passmgmt -d $user | tee -a $LOGFILE
done
#
#Section 8###########################################################
#This section removes the crontab entries for all users that don't need
#to have scheduled jobs. This is UNIX best practice.
#
echo Renaming crontab files for default users other than root | tee -a $LOGFILE
cd /var/spool/cron/crontabs
for files in adm lp sys uucp
do
mv $files .$files.orig
echo moving $files to .$files.orig | tee -a $LOGFILE
done
#
#Section 9###########################################################
#Should telnet not be disabled on all servers, ftp should be disallowed
#for all normal accounts and must be disallowed for the root user.
#placing the usernames in the ftpusers file will disallow ftp for
#those users. Also, the .netrc file is used to provide login credentials
#for a specific host (e.g. host1) so that when a user ftp's to host1, the
#login credentials provided in the .netrc file will be used.
#We are locking all .netrc files by creating them as root with no
#write permissions.
#
echo Disallowing ftp for all default users... | tee -a $LOGFILE
cut -f1 -d: /etc/passwd >> /etc/ftpusers
chown root:root /etc/ftpusers
chmod 600 /etc/ftpusers
echo more /etc/ftpusers | tee -a $LOGFILE
more /etc/ftpusers | tee -a $LOGFILE
echo locking down all .netrc files | tee -a $LOGFILE
for users in `cut -f6 -d: /etc/passwd`
do
#skip accounts whose home directory does not exist; otherwise the
#.netrc would be created in whatever directory we are currently in
cd "$users" || continue
touch ./.netrc
chmod 000 ./.netrc
echo locking down .netrc file in $users | tee -a $LOGFILE
done
#
#Section 10##########################################################
#This section disables remote authentication in the pam.conf file.
#Also, we are locking down the hosts.equiv file and all the .rhosts.
#IMPORTANT: We have not tested this with NSP but from my experience
#with INM and PresideAP, we used the .rhosts files for remote launch.
#NSP installation might hiccup when trying to write to a locked file.
#
echo Disabling remote authentication from pam.conf | tee -a $LOGFILE
cp /etc/pam.conf /etc/pam.conf.orig
grep -v rhosts_auth /etc/pam.conf > /etc/pam.new
mv /etc/pam.new /etc/pam.conf
chown root:sys /etc/pam.conf
chmod 644 /etc/pam.conf
echo locking down hosts.equiv and .rhosts for all users | tee -a $LOGFILE
touch /etc/hosts.equiv
chmod 000 /etc/hosts.equiv
for users in `cut -f6 -d: /etc/passwd`
do
#same guard as for .netrc: do not create .rhosts in the wrong place
cd "$users" || continue
touch .rhosts
chmod 000 .rhosts
echo locking down .rhosts in $users | tee -a $LOGFILE
done
#
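Sections 9 and 10 above append every account in /etc/passwd to /etc/ftpusers and walk every home directory to create the locked dotfiles. Run a second time, the script doubles the ftpusers entries, and an account whose home directory is missing leaves the locked file in whatever directory the script happened to be in. The following is an added example, not part of the original hardening script, of the same two steps written to be idempotent and to skip accounts without a usable home directory. The names build_ftpusers, lock_dotfile and demo_lockdown, and the passwd sample inside demo_lockdown, are constructed for this example; the PREFIX argument lets it run against a scratch directory instead of the live system.

```shell
#!/bin/sh
# Added example, not from the original hardening script: idempotent versions
# of the Section 9 (ftpusers, .netrc) and Section 10 (.rhosts) steps.
# Function names and the passwd sample below are constructed for this example.

# build_ftpusers PASSWD FTPUSERS
# Append each account name from PASSWD to FTPUSERS unless it is already
# listed, so repeated runs do not grow the file with duplicate lines.
build_ftpusers() {
    passwd=$1; ftpusers=$2
    touch "$ftpusers"
    cut -f1 -d: "$passwd" | while read -r name; do
        [ -n "$name" ] || continue
        grep -qx "$name" "$ftpusers" || echo "$name" >> "$ftpusers"
    done
    chmod 600 "$ftpusers"
}

# lock_dotfile PASSWD PREFIX NAME
# For every account in PASSWD whose home directory exists under PREFIX
# (PREFIX is empty on a live system), create PREFIX<home>/NAME with mode
# 000. Accounts with an empty or missing home directory are skipped, so the
# file is never created in the caller's working directory by accident.
# Prints "<locked> <skipped>".
lock_dotfile() {
    passwd=$1; prefix=$2; name=$3
    locked=0; skipped=0
    # Read the file directly rather than through a pipe so the counters survive.
    while IFS=: read -r user _ _ _ _ home _; do
        dir="$prefix$home"
        if [ -z "$home" ] || [ ! -d "$dir" ]; then
            skipped=$((skipped + 1))
            continue
        fi
        touch "$dir/$name"        # keep any existing content for review
        chmod 000 "$dir/$name"
        locked=$((locked + 1))
    done < "$passwd"
    echo "$locked $skipped"
}

# demo_lockdown DIR
# Builds a constructed passwd sample and home directories under DIR, runs
# build_ftpusers twice (to show it does not duplicate entries) and locks the
# .netrc files. The "ghost" account has no home directory on purpose.
demo_lockdown() {
    dir=$1
    mkdir -p "$dir/etc" "$dir/root" "$dir/home/alice" "$dir/home/bob"
    cat > "$dir/etc/passwd" <<'EOF'
root:x:0:1:Super-User:/root:/sbin/sh
daemon:x:1:1::/:
alice:x:1001:10:Alice:/home/alice:/bin/sh
bob:x:1002:10:Bob:/home/bob:/bin/sh
ghost:x:1003:10:Gone:/home/ghost:/bin/sh
EOF
    build_ftpusers "$dir/etc/passwd" "$dir/etc/ftpusers"
    build_ftpusers "$dir/etc/passwd" "$dir/etc/ftpusers"
    lock_dotfile "$dir/etc/passwd" "$dir" .netrc      # prints "4 1"
}
```

On a real host the calls would be build_ftpusers /etc/passwd /etc/ftpusers and lock_dotfile /etc/passwd '' .netrc (and again with .rhosts), followed by the chown root:root that the script already performs. The count of skipped accounts is worth logging: on a hardened host it should only ever cover accounts that were deliberately given a non-existent home directory.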
#Section 11###########################################################
#This section replaces the /etc/default/login file. The new file ensures
#that CONSOLE is set so that users can only login directly as root
#when on the console. SUPATH is set to ensure a safe path to the
#root user. UMASK is set to 022 to ensure proper shell file creation
#mode mask.
#
echo Replacing /etc/default/login file with new version | tee -a $LOGFILE
cp /etc/default/login /etc/default/login.orig
cp $NEWFILES/new_login /etc/default/login
chown root:sys /etc/default/login
chmod 444 /etc/default/login
#
#Section 12###########################################################
#This section disables keyboard abort. Keyboard abort is enabled
#by default and a user can halt the server by entering the <stop-a>
#sequence on the console's keyboard. This can be done inadvertently or
#on purpose and could cause a network outage in the case of DNS, DHCP or
#RADIUS servers.
#
echo Disabling stop-a | tee -a $LOGFILE
cp /etc/default/kbd /etc/default/kbd.orig
#kbd(1) accepts the values "enable" and "disable" for KEYBOARD_ABORT; any other
#value (such as "disabled") is ignored and the abort sequence stays enabled.
sed 's/#KEYBOARD_ABORT=enable/KEYBOARD_ABORT=disable/g' /etc/default/kbd > /etc/default/kbd.new
mv /etc/default/kbd.new /etc/default/kbd
chown root:sys /etc/default/kbd
chmod 444 /etc/default/kbd
#
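The sed edit above only works while /etc/default/kbd still contains the exact line #KEYBOARD_ABORT=enable; if the key has already been uncommented or set to another value, sed matches nothing and the script reports success without changing anything. The TCP_STRONG_ISS edit in Section 13 has the same weakness. The helper below is an added example, not part of the original script, of a setter for the KEY=VALUE files under /etc/default that handles a commented-out key, an active key with a different value, and a missing key, and that can be run repeatedly. The names set_default_param, get_default_param and demo_defaults are constructed for this example; the key names in demo_defaults are real /etc/default keys but the file contents are abbreviated, constructed samples.

```shell
#!/bin/sh
# Added example, not from the original hardening script: an idempotent
# KEY=VALUE setter for /etc/default/* style files, replacing the one-shot
# sed edits of Sections 12 and 13. Function names are constructed.

# set_default_param FILE KEY VALUE
# Ensures FILE contains exactly one active line "KEY=VALUE":
#  - a commented-out "#KEY=..." line is replaced in place,
#  - an active "KEY=..." line with another value is rewritten,
#  - a missing key is appended at the end.
# All other lines are left untouched; a FILE.orig backup is taken once.
set_default_param() {
    file=$1; key=$2; value=$3
    [ -f "$file.orig" ] || cp "$file" "$file.orig"
    tmp="$file.new"
    found=0
    # "|| [ -n "$line" ]" keeps a final line that lacks a trailing newline.
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            "$key="*|"#$key="*)
                # First occurrence is rewritten, any later duplicate dropped.
                if [ "$found" -eq 0 ]; then
                    echo "$key=$value"
                    found=1
                fi ;;
            *) echo "$line" ;;
        esac
    done < "$file" > "$tmp"
    [ "$found" -eq 1 ] || echo "$key=$value" >> "$tmp"
    mv "$tmp" "$file"
}

# get_default_param FILE KEY
# Prints the active value of KEY (first match), or nothing if it is absent.
get_default_param() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# demo_defaults DIR
# Exercises the three cases on constructed samples: a commented-out key
# (kbd), an active key with the wrong value (inetinit, set twice to show
# the second run is a no-op) and a missing key (login). Prints the three
# resulting values: "disable 2 022".
demo_defaults() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/kbd" <<'EOF'
# KEYBOARD_ABORT affects the keyboard abort sequence; see kbd(1).
#KEYBOARD_ABORT=enable
EOF
    cat > "$dir/inetinit" <<'EOF'
# TCP_STRONG_ISS selects the TCP initial sequence number generation scheme.
TCP_STRONG_ISS=1
EOF
    cat > "$dir/login" <<'EOF'
CONSOLE=/dev/console
EOF
    set_default_param "$dir/kbd" KEYBOARD_ABORT disable
    set_default_param "$dir/inetinit" TCP_STRONG_ISS 2
    set_default_param "$dir/inetinit" TCP_STRONG_ISS 2
    set_default_param "$dir/login" UMASK 022
    printf '%s %s %s\n' "$(get_default_param "$dir/kbd" KEYBOARD_ABORT)" \
        "$(get_default_param "$dir/inetinit" TCP_STRONG_ISS)" \
        "$(get_default_param "$dir/login" UMASK)"
}
```

In the script, set_default_param /etc/default/kbd KEYBOARD_ABORT disable and set_default_param /etc/default/inetinit TCP_STRONG_ISS 2 would take the place of the sed, mv pairs; the chown and chmod lines stay as they are. The matcher deliberately requires the key at the start of the line (with or without a leading #), so descriptive comment lines that merely mention the key are not touched.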

#Section 13###########################################################
#This section sets networking parameters as recommended by Sun for
#security. For more details on each of these parameters, see Solaris(TM)
#Operating Environment Security, Updated for Solaris 8 Operating
#Environment, Sun BluePrints(TM) OnLine
#
echo Setting TCP_STRONG_ISS=2 | tee -a $LOGFILE
cp /etc/default/inetinit /etc/default/inetinit.orig
sed s/TCP_STRONG_ISS=1/TCP_STRONG_ISS=2/g /etc/default/inetinit > /etc/default/inetinit.new
mv /etc/default/inetinit.new /etc/default/inetinit
chown root:sys /etc/default/inetinit
chmod 444 /etc/default/inetinit
echo tuning parameters to the end of the /etc/init.d/inetinit file | tee -a $LOGFILE
echo 'ndd -set /dev/tcp tcp_conn_req_max_q0 4096' >> /etc/init.d/inetinit
echo 'ndd -set /dev/tcp tcp_conn_req_max_q 1024' >> /etc/init.d/inetinit
echo 'ndd -set /dev/ip ip_ignore_redirect 1' >> /etc/init.d/inetinit
echo 'ndd -set /dev/ip ip_send_redirects 0' >> /etc/init.d/inetinit
echo 'ndd -set /dev/ip ip_ire_flush_interval 60000' >> /etc/init.d/inetinit
echo 'ndd -set /dev/arp arp_cleanup_interval 60000' >> /etc/init.d/inetinit
echo 'ndd -set /dev/ip ip_forward_directed_broadcasts 0' >> /etc/init.d/inetinit
echo 'ndd -set /dev/ip ip_forward_src_routed 0' >> /etc/init.d/inetinit
echo 'ndd -set /dev/ip ip_forwarding 0' >> /etc/init.d/inetinit
echo 'ndd -set /dev/ip ip_strict_dst_multihoming 1' >> /etc/init.d/inetinit
grep ndd /etc/init.d/inetinit | tee -a $LOGFILE
#
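Appending ndd commands to /etc/init.d/inetinit applies the parameters at the next boot, but gives no way to confirm later that they are still in force (a patch that rewrites inetinit, or an administrator running ndd -set by hand, silently undoes them). The following is an added example, not part of the original script, of an audit that compares the recommended values of Section 13 against a capture of the live values. capture_ndd, audit_ndd and demo_audit are constructed names; the capture written by demo_audit is a constructed sample in which ip_forwarding was left at 1 and ip_strict_dst_multihoming is absent altogether.

```shell
#!/bin/sh
# Added example, not from the original hardening script: audit the Section 13
# ndd settings against a capture of the running values. Names are constructed.

# Recommended values from Section 13, one "driver parameter value" per line.
NDD_POLICY='/dev/tcp tcp_conn_req_max_q0 4096
/dev/tcp tcp_conn_req_max_q 1024
/dev/ip ip_ignore_redirect 1
/dev/ip ip_send_redirects 0
/dev/ip ip_ire_flush_interval 60000
/dev/arp arp_cleanup_interval 60000
/dev/ip ip_forward_directed_broadcasts 0
/dev/ip ip_forward_src_routed 0
/dev/ip ip_forwarding 0
/dev/ip ip_strict_dst_multihoming 1'

# capture_ndd > FILE
# On a Solaris host, writes the live value of every policy parameter in the
# same "driver parameter value" format (ndd -get prints one value per line).
capture_ndd() {
    echo "$NDD_POLICY" | while read -r drv param _; do
        echo "$drv $param $(ndd -get "$drv" "$param")"
    done
}

# audit_ndd CAPTURE
# Prints one line per deviation ("driver parameter expected=X actual=Y") and
# returns the number of deviations, so 0 means compliant. A parameter that
# is missing from the capture counts as a deviation.
audit_ndd() {
    capture=$1
    [ -r "$capture" ] || { echo "cannot read capture file: $capture" >&2; return 255; }
    bad=0
    # The policy is fed through a here-document rather than a pipe so that
    # the counter is not lost in a subshell.
    while read -r drv param want; do
        have=$(awk -v d="$drv" -v p="$param" '$1==d && $2==p {print $3; exit}' "$capture")
        if [ "$have" != "$want" ]; then
            echo "$drv $param expected=$want actual=${have:-missing}"
            bad=$((bad + 1))
        fi
    done <<EOF
$NDD_POLICY
EOF
    return "$bad"
}

# demo_audit FILE
# Writes a constructed capture (ip_forwarding still 1, multihoming missing)
# to FILE and audits it; prints two deviation lines and returns 2.
demo_audit() {
    cat > "$1" <<'EOF'
/dev/tcp tcp_conn_req_max_q0 4096
/dev/tcp tcp_conn_req_max_q 1024
/dev/ip ip_ignore_redirect 1
/dev/ip ip_send_redirects 0
/dev/ip ip_ire_flush_interval 60000
/dev/arp arp_cleanup_interval 60000
/dev/ip ip_forward_directed_broadcasts 0
/dev/ip ip_forward_src_routed 0
/dev/ip ip_forwarding 1
EOF
    audit_ndd "$1"
}
```

On a Solaris host, capture_ndd > /tmp/ndd.now followed by audit_ndd /tmp/ndd.now prints the deviations and exits non-zero when any exist, which makes it usable from the root crontab or a monitoring check after each patch cycle or reboot.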
#Section 14##########################################################
#This section replaces the /etc/default/passwd file to enforce password
#aging and increase the minimum password length to 8.
#
echo Replacing /etc/default/passwd with new version | tee -a $LOGFILE
cp /etc/default/passwd /etc/default/passwd.orig
cp $NEWFILES/new_passwd /etc/default/passwd
chown root:sys /etc/default/passwd
chmod 444 /etc/default/passwd
#
#Section 15##########################################################
#The following entries in the /etc/system file prevent users from
#executing code on the system stack (buffer overflow attacks).
#
cp /etc/system /etc/system.orig
echo 'set noexec_user_stack=1' | tee -a /etc/system | tee -a $LOGFILE
echo 'set noexec_user_stack_log=1' | tee -a /etc/system | tee -a $LOGFILE
#
#Section 16##########################################################
#This section enables additional logging by replacing the syslog.conf
#file with one containing additional entries. Also, we create the loginlog
#file, which records failed login attempts, and the authlog file.
#
echo Configuring Additional Logging | tee -a $LOGFILE
echo changing syslog.conf file | tee -a $LOGFILE
cp /etc/syslog.conf /etc/syslog.conf.orig
cp $NEWFILES/new_syslog.conf /etc/syslog.conf
chown root:sys /etc/syslog.conf
chmod 644 /etc/syslog.conf
echo touching the loginlog file | tee -a $LOGFILE
touch /var/adm/loginlog
chown root:sys /var/adm/loginlog
chmod 600 /var/adm/loginlog
echo touching the authlog file | tee -a $LOGFILE
touch /var/adm/authlog
chown root:sys /var/adm/authlog
chmod 600 /var/adm/authlog
#
#Section 17############################################################
#This section adds an entry in the root crontab to run sendmail in queue
#processing mode (-q) once per hour. This is a better approach than leaving
#the sendmail daemon running and listening.
#
echo Configuring sendmail in crontab once per hour | tee -a $LOGFILE
cp /var/spool/cron/crontabs/root /var/spool/cron/crontabs/root.orig
#cron only picks up a spool file edited directly when it is restarted;
#the reboot in Section 19 takes care of that.
echo '0 * * * * /usr/lib/sendmail -q' | tee -a /var/spool/cron/crontabs/root | tee -a $LOGFILE
#
#Section 18###########################################################
#This section does not perform any changes on the server. It only
#prompts to mount the /usr filesystem read only. This can be done by
#adding 'ro' as a mount option for the /usr filesystem.
#
cp /etc/vfstab /etc/vfstab.orig
echo mount /usr filesystem as read only in /etc/vfstab
echo IMPORTANT--This step should be done manually.
#Section 19###########################################################
#
#For all the above changes to take effect, a reboot of the server is
#required (init 6). This step should be done manually.
echo 'please shutdown now (init 6) for all changes to take effect' | tee -a $LOGFILE