1.1 Objective
1.2 References
1.3 Overview

2.2 Apply Latest Security and Recommended Patch Cluster
2.3 Remove Unnecessary Solaris Packages
2.4 Remove Vulnerable Files

2.6 Remove rhosts Support
2.7 Remove Unneeded Services
2.8 Add Useful Solaris Packages

2.10 Use Strong/RFC 1948 tcp Sequence Numbers
2.11 Use a Different MAC Address on Each Physical Interface
2.12 Setup Static Routing
2.13 Configure /etc/syslog.conf And /etc/init.d/syslog
2.14 Create /etc/init.d/tmpfix And /etc/rc3.d/s79tmpfix
2.15 Fix Various File/Directory Permissions

2.22 Update /etc/inetd.conf And inetd
2.23 Core dumps - Enabled or disabled.
2.24 Set Deamon Umask
2.25 Root Environment Settings
2.26 Enable Automated Security Enhancement Tool (ASET)
2.27 Configure C2 Security Auditing (BSMCONV and AUDITD)
2.28 Configure DNS (if required)
2.29 Protect Against Stack Buffer Overflow Attacks
2.30 Update /etc/default/login For Secure Settings
2.31 Disable System Suspending

recomendations can most likely be applied to Solaris 7 also but this has not be tested.
If you have any additions, comments or modifications please email your suggestion to Paul Johnson
The latest version of this document is located atHERE.
The objective of this document is to define a task list for hardening a Solaris v2.6 or v8(SunOS v5.8)

Example code is provided which can be added to a script. Verifying the Hardening has been applied
successfully (Section 3) This contains a checklist and details of how to verify that your server is hardened.
This includes running through hardening task list, checking for running processes/services and executing
the cis security tool.

If a malicious user is able to penetrate perimeter defenses (e.g. packet filtering router, firewall, NAT
device, etc.), a hardened server provides the final layer for the security of the data assets and functionality
of the server. Host security also provides the first line of defense against internal threats (e.g. users trying
to elevate their privilages), which may have equal or higher probability of occurrence as external threats.

It is important to note that hardening is not a panacea for security. It is just another layer in a good
security model. By definition, any machine that is accessible on a network and running services (i.e.
pretty much any server these days) is a potential security exposure.

Physical security is outside the scope of this document (including adding EEPROM passwords & banners, tracking failed console login attempts, disabling sac, disabling physical loading of CDROMs etc). If you are concerned about the physical security of your machine you should investigate the above mentioned topics on your own.

Begin with a server not connected to any network (internal or external). Install the minimal operating
system elements required for the server's function. If in doubt install the Solaris core cluster. Not only will
this help to secure your server, but it will also help minimize the disk space devoted to the OS and thus
leaves more available for applications and/or data.