| |
Sun Solaris Servers Security Guide (SPARC Platform Only)
Security Checklist for Sun Solaris Server 2.6, 7, and 8
This table outlines some of the steps you should take to secure Sun Solaris Server 2.6, 7, and 8.
NOTE: this document does not take into consideration firewalls or proxy servers. It also assumes the company has a security policy in place.
General Information
Server Name :
Asset # :
Setup Date :
Manufacturer :
Location :
Set up by :
Security Tightening Implemented by :
Security Tightening Implemented Date :
Step 1: Initial Configuration & Installation
q Unpack and set up hardware
Follow the hardware manufacturer's manuals accompanying your computer system to unpack and connect your computer
system components. Physically secure the hardware to the extent necessary, including using optical fiber if cabling must pass
through unsecured areas, or isolating the network in a secure building if very high security is needed. Be sure to consider fire
protection, electrical service, and physical access to the machine as part of your physical security planning.
NOTE: An intruder who can physically open your server¡¯s cabinet can adjust hardware switches to disable the power-on password. Access to the internal components of the server could also permit temporary installation of a drive from which a less secure OS, or a version of Solaris that lacks your security settings, can be used to start the computer. Options for preventing unauthorized access to internal components include locking the case (if the model permits it), using server hardware that transmits an alarm signal when the case is opened, or increasing physical security on the room where the server¡¯s located.
q Enable hardware boot protection
Choose appropriate boot protection measures on your servers. Depending on your needs and your hardware configuration, you
can do any of the following:
1. Consider removing the system¡¯s floppy and CD-ROM drives to prevent booting from them. However, this will definitely have an adverse impact on recovery time.
2. Use a physical lock on the floppy drive
q Install Solaris
Keep in mind the following considerations:
1. Always put 10 MB in slice 7 for future disk mirroring. Unable to do so will have to reinstall Solaris if there is a need for Disk Mirroring in the future
2. When the Root password option appears, choose a strong password. For maximum security, select a 9-character password on Solaris systems. Using these lengths makes Solaris passwords much harder to guess than shorter ones. Also, use punctuation and other non-alphabetic characters in the first 7 characters. Never leave the password field blank.
Step 2: Patches
q Install latest Security & Recommended Patches
a. Go to http://sunsolve.sun.com
b. Select the Security & Recommended Patches
c. Accept the License Agreement
d. Select FTP from the Appropriate OS and Platform
NOTE: This is a cluster download
e. After downloading, extract the files
For Solaris 2.6
#uncompress 2.6_Recommended.tar.Z
#tar –xvf 2.6_Recommended.tar
For Solaris 7
#unzip 7_Recommended.zip
For Solaris 8
#unzip 8_Recommended.zip
f. Run the cluster install script
For Solaris 2.6
#cd 2.6_Recommended
#./install_cluster
For Solaris 7
#cd 7_Recommended
#./install_cluster
For Solaris 8
#cd 8_Recommended
#./install_cluster
g. Reboot the machine
#reboot
q Install Latest SDK & JRE and JDK & JRE
If there is a Database Server and Application Server installed using Java Runtime Environment, install the latest SDK and JRE to 1.2.2._07 or later and JDK and JRE to 1.1.8_12 or later. An example of this is Oracle Database Server and Netscape Application Server.
NOTE: Before doing this, Advice your Database Administrator
a. Go to the following url¡¯s
SDK and JRE 1.2.2_07
http://www.sun.com/software/solaris/java/download.html
JDK and JRE 1.1.8_12
http://www.sun.com/software/solaris/java/archive.html
b. Select the latest version of SDK and JDK
c. Accept the License Agreement
d. Select the Appropriate OS and Platform
e. For example, download the following
SDK & JRE For Solaris 2.6
j2sdk-1_3_0_02-solsparc[1].tar.Z
j2sdk-1_3_0_02-solsparc-5_6_patch.tar
JDK & JRE For Solaris 2.6
jdk-1_1_8_13-solsparc[1].tar.Z
jdk-1_1_8_13-solsparc-5_6_patch.tar
SDK & JRE For Solaris 7
j2sdk-1_3_0_02-solsparc-5_7_patch.tar
JDK & JRE For Solaris 7
jdk-1_1_8_13-solsparc[1].tar.Z
jdk-1_1_8_13-solsparc-5_7_patch.tar
SDK & JRE For Solaris 8
j2sdk-1_3_0_02-solsparc-5_8_patch.tar
JDK & JRE For Solaris 8
jdk-1_1_8_13-solsparc[1].tar.Z
f. After downloading, extract the files
SDK & JRE For Solaris 2.6
#uncompress j2sdk-1_3_0_02-solsparc[1].tar.Z
#tar –xvf j2sdk-1_3_0_02-solsparc[1].tar
#tar –xvf j2sdk-1_3_0_02-solsparc-5_6_patch.tar
JDK & JRE For Solaris 2.6
#uncompress jdk-1_1_8_13-solsparc[1].tar.Z
#tar –xvf jdk-1_1_8_13-solsparc[1].tar
#tar –xvf jdk-1_1_8_13-solsparc-5_6_patch.tar
SDK & JRE For Solaris 7
#tar –xvf j2sdk-1_3_0_02-solsparc-5_7_patch.tar
JDK & JRE For Solaris 7
#uncompress jdk-1_1_8_13-solsparc[1].tar.Z
#tar –xvf jdk-1_1_8_13-solsparc[1].tar
#tar –xvf jdk-1_1_8_13-solsparc-5_7_patch.tar
SDK & JRE For Solaris 8
#tar –xvf j2sdk-1_3_0_02-solsparc-5_8_patch.tar
JDK & JRE For Solaris 8
#uncompress jdk-1_1_8_13-solsparc[1].tar.Z
#tar –xvf jdk-1_1_8_13-solsparc[1].tar
g. Run the install script
SDK & JRE For Solaris 2.6
JDK & JRE For Solaris 2.6
SDK & JRE For Solaris 7
JDK & JRE For Solaris 7
SDK & JRE For Solaris 8
JDK & JRE For Solaris 8
h. Reboot the machine
#reboot
Step 3: Disable Unnecessary Startup Processes if not use
q LP - k20lp, s80lp
#ls –l /etc/rc2.d
If the first character of the filenames of the above files is capital letter K and/or S, follow the commands below
#cd /etc/rc2.d
#mv K20lp k20lp
#mv S80lp s80lp
q PPP - s47asppp
#ls –l /etc/rc2.d
If the first character of the filename of the above file is capital letter S, follow the commands below
#cd /etc/rc2.d
#mv S47aspp s47aspp
q Autofs - s74autofs
#ls –l /etc/rc2.d
If the first character of the filename of the above file is capital letter S, follow the commands below
#cd /etc/rc2.d
#mv S74autofs s74autofs
NOTE: Comment out all entries in /etc/auto_home, /etc/auto_master (put # as the first character of all the text lines)
#cd /etc
#vi auto_home
#vi auto_mas
q NFS - k60nfs.server, s73nfs.client, s15nfs.server
#ls –l /etc/rc2.d
#ls –l /etc/rc3.d
If the first character of the filenames of the above files is capital letter K and/or S, follow the
commands below
#cd /etc/rc2.d
#mv K60nfs.server k60nfs.server
#mv S73nfs.client s73nfs.client
#cd /etc/rc3.d
#mv S15nfs.server s15nfs.server
q UUCP - s70uucp
#ls –l /etc/rc2.d
If the first character of the filename of the above file is capital letter S, follow the commands below
#cd /etc/rc2.d
#mv S70uucp s70uucp
q Mail - s88sendmail
#ls –l /etc/rc2.d
If the first character of the filename of the above file is capital letter S, follow the commands below
#cd /etc/rc2.d
#mv S88sendmail s88sendmail
q Vold - s92volmgt
#ls –l /etc/rc2.d
If the first character of the filename of the above file is capital letter S, follow the commands below
#cd /etc/rc2.d
#mv S92volmgt s92volmgt
q RPC - Comment out services keyserv and kerbd under /etc/rc2.d/S71rpc (put # as the first character of
the text lines)
#cd /etc/rc2.d
#vi S71rpc
q NSCD - s76nscd
#ls –l /etc/rc2.d
If the first character of the filename of the above file is capital letter S, follow the commands below
#cd /etc/rc2.d
#mv S76nscd s76nscd
q CDE - s99dtlogin
#ls –l /etc/rc2.d
If the first character of the filename of the above file is capital letter S, follow the commands below
#cd /etc/rc2.d
#mv S99dtlogin s99dtlogin
q Make sure to restart the sytem once the changes are made
#reboot
Step 4: Turn off all unnecessary services at /etc/inetd.conf
q Comment out everything you don¡¯t use (put # as the first character of all the text lines under RPC), but not ftp (if you want to ftp to this server, otherwise comment it out), telnet (if you want to telnet to this server, otherwise comment it out), time (if you want to synchronize your server time with International Time Clock, otherwise comment it out), metadb (last 2 lines, if you have disk mirroring, otherwise comment it out) services
#cd /etc
#vi inetd.conf
q Make sure to restart inetd once the changes are made
#ps –ef | grep inetd | grep –v grep
#kill –HUP process_id
Step 5: System Wide Security Configurations
Ensure the following entries in the following files (include it if its not there)
q /etc/default/login
#more /etc/default/login
CONSOLE=/dev/console
PASSREQ=YES
TIMEOUT=60
UMASK= 027 or 077
SYSLOG=YES
NOTE: The CONSOLE=/dev/console will not allow the user root to telnet directly to the server, you need to use other account to telnet first then switch to user root (#su root). If in some cases that your process requires you to telnet as user root directly, comment out this line (put a # as the first character) but don¡¯t forget to uncomment it afterwards (use SSH also so that nobody will hijack your session)
q /etc/default/passwd
#more /etc/default/passwd
MAXWEEKS=5
MINWEEKS=0
PASSLENGTH=9
WARNWEEKS=1
NOTE: This will require you to change your password every 5 weeks.
q /etc/default/su
#more /etc/default/su
SULOG=/var/adm/sulog
SYSLOG=YES
q Make sure to logoff and login again to see the effect of the changes made
Ensure the following logs in place (if its not there, find it and put it there)
q /var/adm/sulog
#ls /var/adm/sulog
q /var/log/syslog
#ls /var/log/syslog
Verify TCP logging of all incoming TCP connections
q Ensure the line /usr/sbin/inetd –s –t exists (include it if its not there)
#cat /etc/init.d/inetsvc
q Make sure to stop and start inetd once the changes are made
#ps –ef | grep inetd | grep –v grep
#kill –9 process_id
#/usr/sbin/inetd –s -t
Verify shadow passwords in use
q Ensure the second field of each line is X (include it if its not there)
#cat /etc/passwd
For multi-user system, allow some users to schedule a cron job and deny some users to schedule a cron job
q Create a file /etc/cron.d/cron.allow and add user account name to allow to schedule a cron job
#cd /etc/cron.d
#vi cron.allow
q Create a file /etc/cron.d/cron.deny and add user account name not allowed to schedule a cron job
#cd /etc/cron.d
#vi cron.deny
Step 6: Users
Profile
q Ensure /etc/profile do not include ¡°.¡± in the search path (if its there, removed it)
#more /etc/profile
User Home Directory
q Only owner and user administrator should have write permission on his/her directory
q Ensure that the following files profile, .login, .cshrc have a maximum permission of 755
#ls –l /etc/profile
#ls –l /etc/.login
#ls –l /etc/.cshrc
#cd /etc
#chmod 755 profile
#chmod 755 .login
#chmod 755 .cshrc
System Generated Group ID¡¯s
q No user account is to be created under the following group
root
other
bin
sys
adm
uucp
mail
tty
lp
nuucp
daemon
sysadmin
nobody
noaccess
#admintool&
From the GUI of Admintool check the above groups
Passwords
q Check for guest, redundant accounts and accounts with no password in /etc/passwd, and /etc/shadow (disable or remove it if its there)
#more /etc/passwd
#more /etc/shadow
q The following accounts should be disabled by adding an ¡°NP¡± in the second field
daemon
bin
sys
adm
lp
uucp
nuucp
nobody
noaccess
nobody4
#more /etc/shadow
If ¡°NP¡± is not yet included, follow the commands below and include it
#cd /etc
#chmod 644 shadow
#vi shadow
q Add /bin/false to shell entry (last field) in /etc/passwd for the following accounts
daemon
bin
sys
adm
lp
smtp
uucp
listen
nobody
noaccess
nobody4
#more /etc/passwd
If /bin/false is not yet included, follow the commands below and include it
#cd /etc
#chmod 644 passwd
#vi passwd
q The nuucp accounts (if any) should have the shell set to /usr/lib/uucp/uucico
#more /etc/passwd
If the shell /usr/lib/uucp/uucico is not yet included, follow the commands below and include it
#cd /etc
#chmod 644 passwd
#vi passwd
q Make sure account named ftp does not exist
#more /etc/passwd
#more /etc/shadow
If it does exist, follow the commands below and removed it
#cd /etc
#chmod 644 passwd
#chmod 644 shadow
#vi passwd
#vi shadow
q No accounts other than root should have the user id (UID) of 0.
#admintool&
From the GUI of Admintool check and remove any user using user id (UID) of 0
NOTE: You can also use the command below
#more /etc/passwd
and check the third field on each user, only user root should have a 0 in the third field
Step 7: Auditing
q Check audit setting and path
#more /etc/security/audit_control
Confirm the presence of the following lines (include it if its not there)
dir:/var/audit
flags:lo,ad,na
minfree:20
naflags:lo,ad
q Verify auditing is enabled
#auditconfig –getcond
to get
audit condition=auditing
NOTE: This only show if you enable accounting of users, in some cases it is not necessary to enable this auditing.
q Enable connection authentication logs on /etc/syslog.conf
#cd /etc
#vi syslog.conf
Uncomment the line below (remove # in the first character of the text line)
# auth.notice ifdef(`LOGHOST`, /var/log/authlog, @loghost)
To check any user connection log (WHO, WHERE, WHEN)
#more /var/log/authlog
q Make sure to restart syslogd once the changes are made
#ps –ef | grep syslogd | grep –v grep
#kill –HUP process_id
Step 8: Network Security
q Verify defaultrouter and ensure that there is only one entry (remove other entries if there is)
#cat /etc/defaultrouter
If the router is a hostname, verify that the hostname is in /etc/hosts
#more /etc/hosts
q hosts.equiv should not exist (remove it if it exist)
#ls –ldgb /etc/hosts.equiv
#rm /wherever_it_is/hosts.equiv
NOTE: Before removing it, verify if there¡¯s a need for it to use
q If hosts.equiv is in use/or to be use
#cd /etc
#more hosts.equiv
- Use IP Address instead of machine name/username pairs in hosts.equiv
- hosts.equiv should not contain a line with only a ¡°+¡±, ¡°!¡± or ¡°#¡±
- Use only fully qualified hostnames (i. e. hostname.domainname.com)
- Use netgroups if NIS or NIS+ is in use
- The first character of the file is not ¡°-¡°
q Users should not have a .rhosts and .netrc file
#find / -name .rhosts \-exec ls –ldb {} \; -exec more {} \;
#find / -name .netrc \-exec ls –ldb {} \; -exec more {} \;
#rm /wherever_it_is/.rhosts
#rm /wherever_it_is/.netrc
NOTE: Before removing it, verify if there¡¯s a need for it to use
q In cases that .rhosts and/or .netrc is in use/or to be use, secure it
#chmod go-r .rhosts
#chmod go-r .netrc
NOTE: Those commands above will only allow user currently login who execute those commands to have access to those files
Network File System (NFS)
q Not to be enabled at all
q If NFS is in use/or to be use
- Export only necessary file system
- The ¡°root=¡± options should not be used unless absolutely necessary
- Export to fully qualified hostnames only (use ¡°access=hostname¡±)
- Set NFS monitoring on by adding the following line to /etc/system
set nfssrv:nfs_portmon=1
- Install Rpcbindwrapper
Network Plus Information System (NIS)
q Not to be enabled at all
q If NIS is in use/or to be use, use NIS+
Telnet
q Install TCPwrapper and SSH.
NOTE: a. If you have FireWall, you don¡¯t need TCPwrapper, it will only complicate network troubleshooting and administration. Unless
you want to deny access in your server from certain hosts inside your organization (behind FireWall)
b. If you are using Telnet in Private Networks only or you are using Private IP Addresses to Telnet, you don¡¯t need SSH. Unless
you don¡¯t trust anyone inside your organization
FTP
q Install TCPwrapper and SSH.
NOTE: a. If you have FireWall, you don¡¯t need TCPwrapper, it will only complicate network troubleshooting and administration. Unless
you want to deny access in your server from certain hosts inside your organization (behind FireWall)
b. If you are using FTP in Private Networks only or you are using Private IP Addresses to FTP, you don¡¯t need SSH. Unless you
don¡¯t trust anyone inside your organization
q Make sure the following user accounts exist in /etc/ftpusers file.
root
daemon
bin
sys
adm
lp
uucp
nuucp
listen
nobody
noaccess
nobody4
#more /etc/ftpusers
If any of the above user account is not there, put it. Also include users that are not allowed to FTP to the server
#cd /etc
#vi ftpusers
NOTE: Users that exists in the /etc/ftpusers will not be able to ftp to the server (do not confuse with the name ftpusers)
NTP
q Network Time Protocol use port number 123 and uses both TCP and UDP. Install TCPwrapper and allow only incoming TCP and UDP traffic from the IP Address of the Time Server you¡¯re connecting.
NOTE: If you have FireWall, you don¡¯t need TCPwrapper, it will only complicate network troubleshooting and administration. Unless you want to deny access in your server from certain hosts inside your organization (behind FireWall)
Sendmail
q Install the latest version of Sendmail, 8.9.3 or latest
or
q Install Mail wrapper (smap, qmail)
NOTE: If you have FireWall, you don¡¯t need Mailwrapper, it will only complicate network troubleshooting and administration. Unless you want to deny access in your server from certain hosts inside your organization (behind FireWall)
Rpcbind
q Install Rpcbind Wrapper.
NOTE: If you have FireWall, you don¡¯t need RPCbindwrapper, it will only complicate network troubleshooting and administration. Unless you want to deny access in your server from certain hosts inside your organization (behind FireWall)
LPD
q Not to be enabled at all.
q If LPD is in use/or to be use
The /etc/hosts.lpd file should meet the following below
- First character is not ¡°-¡°
- No ¡°!¡± or ¡°#¡± in file
Step 9: Aliases
q Comment out ¡°decode¡± or ¡°uudecode¡± alias in /etc/aliases (put # as the first character of each text line).
#cd /etc
#vi aliases
Step 10: Inetinit restrictions
q Add the following statements in /etc/init.d/inetinit:
NOTE: Check with your Database Administrator before adding these lines.
#cd /etc/init.d
#vi inetinit
ndd –set /dev/ip ip_forwarding 0
ndd –set /dev/ip ip_respond_to_echo_broadcast 0
ndd –set /dev/ip ip_respond_to_timestamp_broadcast 0
ndd –set /dev/ip ip_ignore_redirect 1
ndd –set /dev/ip ip_send_redirects 0
ndd –set /dev/ip ip_respond_to_timestamp 0
ndd –set /dev/ip ip_strict_dst_multihoming 1
ndd –set /dev/ip ip_forward_src_routed 0
Step 11: System restrictions
q Add the following statements in /etc/system:
NOTE: Check with your Database Administrator before adding these lines.
#cd /etc
#vi system
set no exec_user_stack=1
set no exec_user_stack_log=1
set sys:coredumpsize=0
Step 12: APPENDIX (System commands)
a. Restart a process
#ps –ef | grep process_name | grep –v grep
#kill –HUP process_id
b. Ascertain which services are registered with the portmapper
#rpcinfo –p
c. Rebuild alias maps
#newaliases
If you run NIS (YP), you will then need to rebuild your maps to have the change take effect over all clients;
#make aliases
d. If using sendmail, test whether sendmail wizard is enabled
%telnet hostname 25
wiz
debug
kill
quit
%
You should see the response ¡°5nn error return¡± (e.g., ¡°500 Command unrecognized¡±) after each of the commands `wiz`, `debug` and `kill`. Otherwise, your version of sendmail may be vulnerable. If you are unsure whether your version is vulnerable, update it.
e. If using sendmail, set sendmail log level to 9
Include lines describing the log level (similar to the following two) in the options part of the general configuration information section of
the sendmail configuration file;
# log level
OL9
The log level syntax changed in sendmail 8.7 to;
# log level
O LogLevel=9
f. Set syslog log level for mail messages
Include lines describing the logging required (similar to the following two) in the syslog.conf file;
mail.info /dev/console
mail.info /var/adm/messages
For the change to take effect, you must then instruct syslog to reread the configuration file;
#ps –ef | grep syslogd | grep –v grep
#kill –HUP process_id
In the logs, look for error messages like;
- Mail to or from a single pipe (¡°|¡±)
- Mail to or from an obviously invalid user (e.g., bounce or blah)
g. If using sendmail, restarting sendmail (version 8 and above)
To restart sendmail, you should kill all existing sendmail processes by sending them a TERM signal using kill, then restart sendmail;
#ps –ef | grep sendmail | grep –v grep
#kill process_id
#sendmail –bd –q1h
h. If using ftp, test whether ftpd supports SITE EXEC
For normal users;
%telnet localhost 21
USER username
PASS password
SITE EXEC
For anonymous users;
%telnet localhost 21
USER ftp
PASS username@domainname.com
SITE EXEC
You should see the response ¡°5nn error return¡± (e.g., ¡°500 `SITE EXEC` command not understood¡±). If your ftp daemon has SITE EXEC
enabled, make sure you have the most recent version of the daemon (e.g., wu-ftp 2.4). Older versions of ftpd allow any user to gain shell
access using the SITE EXEC command. Use QUIT to end the telnet session.
i. If using ftp, ascertain whether anonymous ftp is enabled
%ftp localhost
Connected to localhost
220 hostname FTP server ready
Name (localhost:username): anonymous
Password: username@domainname.com
230 Guest login ok, access restrictions apply
Remote system type is UNIX
Using binary mode to transfer files
ftp>
j. If using NIS, ensure that * in the password field is correctly implemented First test: Try using NIS with the `*` in the password field for example;
+:*:0:0:::
If NIS users cannot log in to that machine, remove the `*` and try the next test
Second test: With `*` removed, try logging in again. If NIS users can log in AND you can also log in unauthenticated as the user `+`, then your implementation is vulnerable. Contact the vendor for more information. If NIS users can log in AND you cannot log in as the user `+`, your implementation should not be vulnerable to this problem.
k. Find .exrc files
#find / -name `.exrc` -exec cat {} \; -print
l. Locate and print .forward files
#find / -name `.forward` -exec cat {} \; -print
m. Remove execute permission on /usr/lib/expreserve
#chmod 400 /usr/lib/expreserve
n. Set ownership and permissions for /tmp correctly
#chown root /tmp
#chgrp 0 /tmp
#chmod 1777 /tmp
NOTE: This will NOT recursively set the sticky bit on sub-directories below /tmp, such as /tmp/.X11-unix and /tmp/.NeWS-unix; you may have to set these manually or through the system startup files.
o. Find group and world writable files and directories
#find / -type f \( -perm –2 –o –perm –20 \) –exec ls –lg {} \;<
#find / -type d \( -perm –2 –o –perm –20 \) –exec ls –ldg {} \;>
p. Find files with the SUID or SGID bit enabled
#find / -type f \( -perm –004000 –o –perm –002000 \) \ -exec ls –lg {} \;
q. Find normal files in /dev
#find /dev –type f –exec ls –l {} \;
r. Find block or character special files
#find /\( -type b –o –type c \) –print | grep –v `^/dev/`>
s. Avoid NFS mounted file systems when using /bin/find
#find /\( \! –fstype nfs –o –prune \)
As an example, could be
-type f\( -perm –004000 –o –perm –00200 \) –exec ls –lg {} \;
undefined
undefined
More...
ADVERTISEMENT
[Close]
ADVERTISEMENT
[Close]
Click Here
|