
UNCLASSIFIED

I331 Technical Report I331-007R-2004

Guide to the Secure Configuration of Solaris 9

Operating Systems Division UNIX Team of the Systems and Network Attack Center (SNAC)

Dated: 16 July 2004
Version 1.0

National Security Agency
9800 Savage Rd. Suite 6704
Ft. Meade, MD 20755-6704
SNAC.Guides@nsa.gov


Warnings

Do not attempt to implement any of the settings in this guide without first testing in a non-operational environment.

This document is only a guide containing recommended security settings. It is not meant to replace well-structured policy or sound judgment. Furthermore this guide does not address site-specific configuration issues. Care must be taken when implementing this guide to address local operational and policy concerns.

The security changes described in this document only apply to the Solaris 9 Operating System and should not be applied to any other operating system.

The recommendations in this guide were written for SPARC-based systems. Some scripts may need to be modified to work on x86-based systems.

SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE EXPRESSLY DISCLAIMED. IN NO EVENT SHALL THE CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Downloaded information and utilities are valid as of 1 July 2004. Newer versions have not been tested for this guide.


Acknowledgements

This document is based closely upon the Center for Internet Security's (CIS) Solaris Benchmark, without which this guide would not be possible. We would like to thank all of the team members that participated in the development of the CIS Solaris Benchmark guide.

Trademark Information

Solaris is a registered trademark of Sun Microsystems.

Table of Contents

1 Patches and Additional Software ........ 1
1.1 Partition hard drive to compartmentalize data ........ 1
1.2 Apply latest OS patches ........ 2
1.3 Install TCP Wrappers ........ 4
1.4 Reference system random number generator ........ 5
1.5 Configure IPsec ........ 5
1.6 Configure SSH Server ........ 12
1.7 Install NTP ........ 13
2 Minimize inetd Network Services ........ 15
2.1 Disable standard services ........ 15
2.8 Only enable CDE-related daemons if absolutely necessary ........ 17
2.10 Only enable removable media daemon if absolutely necessary ........ 17
2.12 Only enable GSS daemon if absolutely necessary ........ 18
2.13 Disable multicasting and routing discovery ........ 19
2.14 Disable IPv6 ........ 19
2.15 Enable encrypted remote administration if necessary ........ 20
3 Minimize Boot Services ........ 21
3.1 Disable login: prompts on serial ports ........ 21
3.2 Set daemon umask ........ 21
3.3 Disable inetd if possible ........ 22
3.4 Disable email server if possible ........ 22
3.5 Disable boot services if possible ........ 23
3.6 Disable other standard boot services ........ 24
3.7 Only enable Windows compatibility servers if absolutely necessary ........ 26
3.8 Only enable NFS server processes if absolutely necessary ........ 26
3.9 Only enable NFS client processes if absolutely necessary ........ 27
3.10 Only enable automount daemon if absolutely necessary ........ 27
3.11 Only enable other RPC-based services if absolutely necessary ........ 28
3.12 Only enable Kerberos server daemons if absolutely necessary ........ 29
3.13 Only enable LDAP directory server if absolutely necessary ........ 29
3.14 Only enable the LDAP cache manager if absolutely necessary ........ 29
3.15 Only enable the printer daemons if absolutely necessary ........ 30
3.16 Only enable the volume manager if absolutely necessary ........ 30
3.17 Only enable GUI login if absolutely necessary ........ 31
3.18 Only enable web server if absolutely necessary ........ 31
3.19 Only enable SNMP if absolutely necessary ........ 32
3.20 Only enable DHCP server if absolutely necessary ........ 33
3.21 Disable BIND ........ 33
3.22 Disable nscd ........ 34
3.23 Use RMTMPFILES to clear /var/tmp ........ 34

4 Kernel Tuning ........ 35
4.1 Restrict core dumps to protected directory ........ 35
4.2 Enable stack protection ........ 36
4.3 Restrict NFS client requests to privileged ports ........ 36
4.4 Modify network parameters ........ 37
4.5 Modify additional network parameters ........ 38
4.6 Use better TCP sequence numbers ........ 38
4.7 Set up host-based firewalls ........ 39
4.8 Set routing policies/configuration ........ 43
5 Logging ........ 43
5.1 Turn on inetd tracing ........ 44
5.2 Turn on additional logging for FTP daemons ........ 45
5.3 Capture FTP and inetd connection tracing info ........ 45
5.4 Capture messages sent to syslog Auth facility ........ 46
5.5 Create /var/adm/loginlog ........ 47
5.6 Turn on cron logging ........ 48
5.7 Enable system accounting ........ 48
5.8 Enable kernel-level auditing ........ 49
5.9 Configure role-based access control ........ 50
5.10 Confirm permissions on system log files ........ 53
5.11 Implement automated log rotation ........ 54
6 File/Directory Permissions/Access ........ 55
6.1 Add 'logging' option to root file system ........ 55
6.2 Add 'nosuid' option to /etc/rmmount.conf ........ 56
6.3 Configure vold.conf to allow users access to CD-ROM only ........ 56
6.4 Verify passwd, shadow, and group file permissions ........ 57
6.5 Verify world-writable directories have their sticky bit set ........ 57
6.6 Find unauthorized world-writable files ........ 57
6.7 Find unauthorized SUID/SGID system executables ........ 58
6.8 Find unowned files and directories ........ 59
6.9 Run fix-modes ........ 59
7 System Access, Authentication, and Authorization ........ 60
7.1 Set higher security level for sadmind service ........ 60
7.2 Disable "nobody" access for secure RPC ........ 60
7.3 Remove .rhosts support in /etc/pam.conf ........ 61
7.4 Create /etc/ftpd/ftpusers ........ 62
7.5 Prevent syslog from accepting messages from network ........ 62
7.6 Prevent remote XDMCP access ........ 63
7.7 Prevent X server from listening on port 6000/tcp ........ 64
7.8 Set default locking screensaver timeout ........ 64
7.9 Restrict at/cron to authorized users ........ 65
7.10 Remove empty crontab files and restrict file permissions ........ 65

7.11 Prevent root logins to system console ........ 66
7.12 Limit number of failed login attempts ........ 67
7.13 Set EEPROM security mode and log failed access ........ 67
8 User Accounts and Environment ........ 68
8.1 Block system accounts ........ 69
8.2 Assign noshell for system accounts ........ 70
8.3 Verify that there are no accounts with empty password fields ........ 71
8.4 Set account expiration parameters on active accounts ........ 71
8.5 Verify no legacy '+' entries exist in passwd, shadow and group files ........ 72
8.6 Verify that no UID 0 accounts exist other than root and audit ........ 72
8.7 Set default group for root account ........ 73
8.8 Disallow '.' or group/world-writable directory in root $PATH ........ 73
8.9 Set user home directories to mode 750 or more restrictive ........ 73
8.10 Disallow group/world-writable user dot-files ........ 74
8.11 Change user's .forward file to mode 600 ........ 74
8.12 Remove user .netrc files ........ 76
8.13 Set default UMASK for users ........ 76
8.14 Set default UMASK for FTP users ........ 77
8.15 Set "mesg n" as default for all users ........ 78
8.16 Change root's home directory ........ 78
8.17 Set up user file quotas ........ 79
9 Warning Banners ........ 80
9.1 Create warnings for physical access services ........ 81
9.2 Create warnings for GUI-based logins ........ 81
9.3 Create warnings for telnet daemon ........ 82
9.4 Create warnings for FTP daemons ........ 82
Appendix A: File Backup Script ........ 83
Appendix B: Additional Security Notes ........ 84
SN.1 Enable process accounting at boot time ........ 84
SN.2 Use full path names in /etc/dfs/dfstab file ........ 85
SN.3 Restrict access to power management functions ........ 85
SN.4 Restrict access to sys-suspend feature ........ 86
SN.5 Create symlinks for dangerous files ........ 86
SN.6 Change default greeting string for Sendmail ........ 87
Appendix C: High Risk Items ........ 88
2.2 Only enable telnet if absolutely necessary ........ 88
2.3 Only enable FTP if absolutely necessary ........ 88
2.4 Only enable rlogin/rsh/rcp if absolutely necessary ........ 89
2.5 Only enable TFTP if absolutely necessary ........ 89
2.6 Only enable printer service if absolutely necessary ........ 90
2.7 Only enable rquotad if absolutely necessary ........ 90
2.9 Only enable Solaris Volume Manager daemons if absolutely necessary ........ 91

2.11 Only enable Kerberos-related daemons if absolutely necessary ........ 92
References ........ 93
Center for Internet Security ........ 93
Sun Microsystems ........ 93
Other Miscellaneous Documentation ........ 94
Software ........ 94


ABSTRACT

This document provides additional security measures beyond those specified in the Center for Internet Security (CIS) Solaris Benchmark. The document was developed to provide system administrators with steps to create a more secure Solaris 9 operating environment running on a SPARC processor.

The document is written to give a detailed step-by-step description on how to secure a system running Solaris 9. Guidance is provided on how to set up the partitions, apply the latest recommended patches, and configure system settings. While the CIS Solaris Benchmark consists of security actions for multiple versions of Solaris, the additional information provided by the National Security Agency (NSA) only applies to Solaris 9. Many of the steps in this document will need to be repeated on a regular basis to maintain system security, and all of the steps should be reviewed if the system is upgraded for any reason. This document should be read in the order presented since some Items build upon previous Items.

The information in the CIS document is the collaborative work of several agencies, including the NSA, colleges, and company representatives. The NSA configuration guide is comprised of industry best practices, academic expertise, practical experience, and Solaris 9 documentation.


How to Use This Document

Shaded Items

Systems deployed as desktop workstations typically have different security expectations than systems deployed as network servers. In an effort to facilitate use of this benchmark on these different classes of machines, shaded text has been used to indicate questions and/or actions that are typically not applicable to desktop systems in a large enterprise environment. These shaded items may be skipped on these desktop platforms.

System Configuration

This guide was tested on a newly configured system with the End User Cluster (SUNWCuser) installed. Several of the items in this guide require installing additional packages that are found in the SUNWCall cluster but not the SUNWCuser cluster. These packages are: SUNWhea (header files), SUNWsprot (make utility), SUNWsprox (SPARCv9 libraries for make utility). For compiling software, the following packages are required in addition to installing gcc: SUNWgcmn, SUNWarc, SUNWarcx (for 64-bit systems), and SUNWbtool. For System Accounting, the following packages are required: SUNWaccu and SUNWaccr. Also, several of the servers enabled in Chapter 3 are only applicable if they were previously installed. These include Kerberos, LDAP, HTTP, and DHCP servers.

Root Shell Environment Assumed

The actions listed in this document are written with the assumption that they will be executed by the root user running the /sbin/sh shell and without noclobber set.

Executing Actions

The actions listed in this document are written with the assumption that they will be executed in the order presented here. Some actions may need to be modified if the order is changed. Actions are written so that they may be copied directly from this document into a root shell window with a "copy and paste" operation. The "copy and paste" operation applies to all sections with the exception of sections containing red-shaded variables <os>, <ver>, x.x.x.x etc. The red-shaded variables denote instances where the system administrator must input the appropriate information.

Reboot Required

Rebooting the system is required after completing all of the actions below in order to complete the reconfiguration of the system. In many cases, the changes made in the steps below will not take effect until this reboot is performed.

Backup Key Files

Before performing the steps of this benchmark it is strongly recommended that administrators make backup copies of critical configuration files that may get modified by various benchmark items. If this step is not performed, then the site may have no reasonable back-out strategy for reversing system modifications made as a result of this document. The script provided in Appendix A of this document will automatically back up all files that may be modified by the actions below, except for the boot scripts manipulated by the various items in Chapter 3 of this document, which are backed up automatically by the individual items in Chapter 3. This guide is intended for configuration of a new system. For older systems, a full backup may be appropriate.


1 Patches and Additional Software

1.1 Partition hard drive to compartmentalize data

Action:
Keeping their uses in mind, create the following partitions during the install process. The number of configurable disk slices is limited to seven on a SPARC platform and nine on the Intel platform. However, Solaris 9 allows for soft partitioning, which can be used to subdivide disks into as many as 8192 logical volumes. Slices that are used for soft partitions cannot be used for other purposes.

The following disk slices are commonly used and should be created on the system.

/
    files and directories that make up the operating system; once installed, very little is added to this directory.

swap
    at a minimum, this should be 512 MB; a good rule is to make swap equivalent to RAM size unless large loads are anticipated, in which case a setting of 1.5 times RAM is appropriate for standard applications (e.g. ls, lp, vi, etc.). The swap partition is typically mounted as /tmp.

/usr
    documentation, system programs, and library routines

The following directory names are commonly used and hard or soft partitions should be created accordingly.

/var
    for logging; when using the Basic Security Module (BSM), logging data can grow quite quickly, so make sure this partition is sufficiently large in size. If using the savecore feature, allocate at least twice as much space as there is physical memory for this partition.

/opt
    for third-party software; software is most frequently added here as new applications and tools are marketed, so make this partition sufficiently large to accommodate new software.

/usr/local
    for local workstation software (e.g. open source software like Perl, GNU tools, etc.)

The following partitions have suggested names that may be changed as desired. These directories may or may not be needed, depending on the function the machine serves.

/var/spool/mqueue
    for local queuing of mail before sending; remember to avoid using the same name for this directory as the directory used by the mail server.

/export/home
    each user should have an adequate amount of space for the work they are doing; estimate the number of users and plan accordingly.

/anonftp/incoming
    if anonymous ftp upload is allowed, make the writable directory its own partition.

Once the partitions are created and installed, set the permissions for these directories as recommended in this guide.

Discussion:
Partitioning data will help security in a number of ways, including: protecting against a denial-of-service system failure caused by users filling their home directories or by logs filling up, making it easier to manage space and backup routines, protecting against NFS weaknesses, and making it easier to protect data and prevent unauthorized changing of data by separating it into its own partition.

The administrator must already have a plan for what size each hard partition must be. This requires knowledge of which software cluster is needed, the system's intended use, and who will use it. Soft partitions can be enlarged after creation if space is needed, as long as space is available on the underlying device. Once enlarged, they cannot be reduced.

Information on planning for disk space can be found in the System Administration Guide: Basic Administration book. Information on creating soft partitions can be found in the Solaris Volume Manager Administration Guide. Both of these can be found on the Sun documentation site http://docs.sun.com

1.2 Apply latest OS patches

Action:
1. Download the Sun Recommended Patch Cluster into /var/sadm.

Sun Recommended Patch Clusters can be downloaded via FTP or HTTP from
http://sunsolve.sun.com/pub-cgi/show.pl?target=patches/patch-access

Patch finder, Patch Reports, Recommended Patch Cluster README files, and Y2K Patch Clusters can also be accessed from this site.

ftp://sunsolve.sun.com/patchroot/clusters

Look for 9_Recommended.zip.

2. Execute the following commands:

cd /var/sadm
unzip -qq 9_Recommended.zip
cd 9_Recommended
./install_cluster -q

By default, when ./install_cluster is run, it checks if sufficient disk space exists for the installation of the Patch Cluster. If there is insufficient space, the user can abort the install. The "-q" (quiet) option suppresses this interactive prompt. It is recommended that the CLUSTER_README file be read for details.

Discussion:
Developing a procedure for keeping up to date with vendor patches is critical for the security and reliability of the system. Vendors issue operating system updates when they become aware of security vulnerabilities and other serious functionality issues, but it is up to their customers to actually download and install these patches. In addition to installing the Solaris Recommended Patch Clusters as described above, administrators may wish to also check the Solaris 9 patch report file, 9_patch_report (available from the same HTTP site as the patch clusters), for additional security, Y2K, or functionality patches that may be required on the local system. Administrators are also encouraged to check the individual README files provided with each patch for further information and post-install instructions.

Automated tools for maintaining current patch levels are also available, such as the Solaris Patch Manager, PatchPro Interactive, and PatchPro Expert. It is recommended that system administrators research these tools to determine which, if any, should be implemented. For more information on each of these tools, visit the SunSolve Patch Portal (http://sunsolve.sun.com/pub-cgi/show.pl?target=patchpage). For information on Solaris 9 patch management, including a comparison of patch management tools, see Chapters 15 and 16 of System Administration Guide: Basic Administration, part of the Solaris 9 9/04 System Administrator Collection (http://docs.sun.com/app/docs/doc/817-6958).

During the cluster installation process, administrators may ignore individual patch installs that fail with either return code 2 (indicates that the patch has already been installed on the system) or return code 8 (the patch applies to an operating system package which is not installed on the machine). If a patch install fails with any other return code, consult the patch installation log in /var/sadm/install_data/<cluster name>_log.

1.3 Install TCP Wrappers

Action:
1. Create /etc/hosts.allow:
echo "ALL: <net>/<mask>, <net>/<mask>, ..." > /etc/hosts.allow

where each <net>/<mask> combination (for example, "192.168.1.0/255.255.255.0") represents one network block in use by your organization.

2. Create /etc/hosts.deny:


echo "ALL: ALL " > /etc/hosts.deny

3. Turn on TCP Wrappers:

cd /etc/default
awk '/#ENABLE_TCPWRAPPERS/ { $1 = "ENABLE_TCPWRAPPERS=YES" }; \
    { print }' inetd > inetd.new
mv inetd.new inetd
chown root:sys inetd
chmod 444 inetd
pkill -HUP -u 0 -P 1 -x inetd

Discussion:
TCP Wrappers allow the administrator to control which hosts have access to various network services based on the IP address of the remote end of the connection. TCP Wrappers also provide logging information via syslog about both successful and unsuccessful connections. Solaris 9 now includes the TCP Wrappers distribution as part of the operating system (assuming the administrator has installed the SUNWtcpd software package).

The above actions will only provide filtering on standard TCP-based services that are spawned by inetd. To protect UDP- and RPC-based services that are spawned by inetd, consider implementing a host-based firewall such as Sun's SunScreen software, which is bundled into the Solaris 9 operating system, or ipfilter (see Item 4.7). See the documentation provided with the TCP Wrappers source code release for information on using TCP Wrappers-style filtering with standalone daemons that are not spawned out of inetd.
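The following is an added example, not part of this guide or of the TCP Wrappers distribution: a small /bin/sh model of the access decision tcpd makes for rules written in the "ALL: <net>/<mask>, ..." form used in step 1 above. It shows the two things a practitioner wants to verify before relying on the files just created: that a client address really falls inside one of the listed network blocks (the net/mask test is a bitwise AND of address and mask compared against the block), and that hosts.allow is consulted before hosts.deny, so "ALL: ALL" in hosts.deny only refuses clients not already admitted. The rule sets are constructed samples, not read from the real files, and only the client list is evaluated (the daemon field is assumed to be ALL, as in the guide).

```sh
#!/bin/sh
# Added example (not from the NSA guide): shell model of the hosts.allow /
# hosts.deny decision for "ALL: <net>/<mask>" rules.  Rule sets are
# constructed samples; the daemon field is assumed to be ALL.

# ip2int A.B.C.D : print the address as a 32-bit integer, fail on bad input.
ip2int() {
    save_ifs=$IFS; IFS=.
    set -- $1
    IFS=$save_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_net ADDR NET/MASK : succeed when ADDR is inside the block.  A pattern
# without a mask is a single host (mask 255.255.255.255).
in_net() {
    net=${2%/*}; mask=${2#*/}
    [ "$mask" = "$2" ] && mask=255.255.255.255
    a=$(ip2int "$1") || return 1
    n=$(ip2int "$net") || return 1
    m=$(ip2int "$mask") || return 1
    [ $(( a & m )) -eq $(( n & m )) ]
}

# match_rules RULES ADDR : succeed if any non-comment rule line admits ADDR.
match_rules() {
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        clients=${line#*:}                 # client list after "ALL:"
        save_ifs=$IFS; IFS=,
        for pat in $clients; do
            IFS=$save_ifs
            pat=$(printf '%s' "$pat" | tr -d ' \t')
            [ "$pat" = ALL ] && return 0
            in_net "$2" "$pat" && return 0
        done
        IFS=$save_ifs
    done <<EOF
$1
EOF
    return 1
}

# tcpd_decision ALLOW_RULES DENY_RULES ADDR : tcpd's order of evaluation.
# hosts.allow is checked first; a hit grants.  Then hosts.deny; a hit
# refuses.  If neither file matches, access is granted.
tcpd_decision() {
    if match_rules "$1" "$3"; then echo allow
    elif match_rules "$2" "$3"; then echo deny
    else echo allow
    fi
}

# Constructed sample rule sets mirroring item 1.3 (not the real files).
HOSTS_ALLOW='ALL: 192.168.1.0/255.255.255.0, 10.0.0.0/255.0.0.0'
HOSTS_DENY='ALL: ALL'

# tcpd_decision "$HOSTS_ALLOW" "$HOSTS_DENY" 192.168.1.77   # -> allow
# tcpd_decision "$HOSTS_ALLOW" "$HOSTS_DENY" 172.16.0.5     # -> deny
```

To check a freshly written pair of files on the real system, substitute `"$(cat /etc/hosts.allow)"` and `"$(cat /etc/hosts.deny)"` for the sample strings; the model covers only the net/mask and ALL forms this item uses, not tcpd's hostname, domain or EXCEPT syntax.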

1.4 Reference system random number generator

Action:
For applications needing random numbers, configure them to use /dev/random or /dev/urandom, as appropriate.

Discussion:
Solaris 9 ships with the random number generator devices /dev/random and /dev/urandom. These are preferable to generators such as prngd, which are not native to the operating system.

1.5 Configure IPsec

IPsec is a network-layer protocol that employs a robust set of security mechanisms in order to secure network traffic. IPsec consists of two network packet protocols: the Authentication Header (AH) and the Encapsulating Security Payload (ESP). Authentication is accomplished by using either the MD5 or the SHA-1 algorithm to produce an integrity checksum based on the data and the key. The Authentication Header provides strong integrity, data authentication and partial sequence integrity (replay protection).

The Encapsulating Security Payload uses the DES (Data Encryption Standard), 3DES (Triple DES), or AES (Advanced Encryption Standard) encryption algorithms to provide data confidentiality and traffic analysis protection. In addition, the ESP is capable of providing authentication (there is some overlap in the functionality of AH and ESP). Because IPsec operates on the network layer, it is transparent to network applications and protects all traffic including TCP, UDP, and ICMP.

More information on Solaris IPsec can be found in the Solaris System Administration Guide: IP Services. It can be downloaded from the Sun Microsystems web site at:


http://docs.sun.com/db/doc/806-4075

Additionally, the "IPsec in the Solaris 9 Operating Environment" white paper can be downloaded from the Sun Microsystems web site at:
http://www.sun.com/software/solaris/9/whitepapers.html

Install Solaris 9 Data Encryption Supplement

In order to use the AES encryption algorithm, it is necessary to install the Solaris 9 Data Encryption Supplement. The encryption algorithms DES and 3DES are provided as part of the base Solaris 9 installation.

Action:
0. Before installing the Solaris 9 Data Encryption Supplement, verify that the necessary packages are not already installed. The following command can be used:


for ver in SUNWcry SUNWcry64 SUNWcryrx SUNWcryr ; do
    echo $ver VERSION `pkginfo -x $ver | sed 1d | awk '{ print $2 }' | cut -f1 -d,`
done

If each of the four packages is VERSION 11.9.0 or higher, then the AES encryption algorithm is already installed. If not, then the Solaris 9 Data Encryption Supplement must be downloaded and installed.

1. Download the Solaris 9 Data Encryption Supplement. It can be downloaded from the Sun Microsystems web site at:


http://www.sun.com/download/products.xml?id=3e3af5a6

2. Once downloaded, install the necessary packages:

unzip sol-9-sparc-crypto.zip
pkgadd -d sol-9-sparc-crypto/Encryption_9/sparc/Packages all

The "all" option will install all packages available in the Solaris 9 Data Encryption Supplement.

3. Remove the package file after installation:


rm -f sol-9-sparc-crypto.zip
rm -rf ./sol-9-sparc-crypto/

IPsec Configuration

Solaris IPsec provides various means of protecting network traffic. It can protect all traffic between two hosts, protect individual services, be used as a Virtual Private Network (VPN) and also perform simple packet filtering. The following is a procedure to secure all traffic between two IPv4 hosts using ESP (using its own authentication) with shared keys. In this example, traffic between 10.1.1.2 (testbox1) and 10.1.1.3 (testbox2) will be secured. This procedure is intended to secure traffic between two Solaris 9 hosts. In order to use this procedure on a Solaris 8 host, the Solaris 8 optional encryption packages must be downloaded and installed. They can be downloaded from the Sun Microsystems web site at:
http://www.sun.com/software/solaris/encryption/download.html

The Solaris 8 optional encryption packages provide the DES and 3DES encryption algorithms for use with IPsec. These algorithms can be used to secure traffic between a Solaris 8 and a Solaris 9 host.

Action:
1. Configure the Security Policy:
For security purposes, this procedure should be carried out when logged in as superuser on the system console.

The following commands should be run to create the security policy file. This can be any file; however, it must have the correct ownership and file permissions (see below). For this example, /etc/inet/ipsec.pol will be used.

On the first host (testbox1), run the following commands:

cat <<EOF>> /etc/inet/ipsec.pol
{ saddr 10.1.1.2 daddr 10.1.1.3 } apply \
    { encr_algs 3des encr_auth_algs md5 sa shared }
{ saddr 10.1.1.3 daddr 10.1.1.2 } permit \
    { encr_algs 3des encr_auth_algs md5 }
EOF

Set the file's ownership and permissions:

chown root:root /etc/inet/ipsec.pol
chmod 600 /etc/inet/ipsec.pol

The /etc/inet/ipsec.pol file will now read as follows:

{ saddr 10.1.1.2 daddr 10.1.1.3 } apply { encr_algs 3des encr_auth_algs md5 sa shared }
{ saddr 10.1.1.3 daddr 10.1.1.2 } permit { encr_algs 3des encr_auth_algs md5 }

The first line specifies the policy for outgoing traffic. It indicates that all traffic with a source IP of 10.1.1.2 and a destination IP of 10.1.1.3 will use the 3DES encryption algorithm, the MD5 authentication algorithm, and shared keys. The second line specifies the policy for incoming traffic. It indicates that all traffic with a source IP of 10.1.1.3 and a destination IP of 10.1.1.2 must use the 3DES encryption algorithm and the MD5 authentication algorithm.

On the second host (testbox2), run the following commands:


cat <<EOF>> /etc/inet/ipsec.pol
{ saddr 10.1.1.3 daddr 10.1.1.2 } apply \
    { encr_algs 3des encr_auth_algs md5 sa shared }
{ saddr 10.1.1.2 daddr 10.1.1.3 } permit \
    { encr_algs 3des encr_auth_algs md5 }
EOF

Set the file's ownership and permissions:

chown root:root /etc/inet/ipsec.pol
chmod 600 /etc/inet/ipsec.pol

2. Generate random keys:
The strength of encryption relies on the quality of random key generation. Solaris provides the /dev/random pseudo-device to generate random keys for encryption purposes. Four random values must be generated: an authentication key (used in this example by ESP's own authentication), an encryption key, and one Security Parameters Index (SPI) for each direction of traffic. The Security Parameters Index is a random 32-bit (8 hex digit) number that tells the device receiving the packet which Security Association (SA) to use. This SA contains the necessary information on how the receiving device will decrypt the packet. The SPI cannot be encrypted within the packet because the receiving machine must use this value to determine the correct SA to utilize.

To generate the authentication and encryption keys, the following command is used:
od -x -A n -N 48 </dev/random | sed 's/ //g' \
    | awk '{printf("%s\n",$1)}'

The output will be 96 (pseudo) random hexadecimal characters similar to:

cbf503c4d505d3c8254aa12fe0ef941d
48078bfa312893bbb7b0ac133449f71f
7d8a4f32128d6298f37c3e44057032a2

Each algorithm requires a key of a specified length. The number of characters used from the above output is dependent on the algorithm used. Below is a list of the key lengths for each authentication and encryption algorithm:


Algorithm   Key size             Hex characters
MD-5        128 bit              32 characters
SHA-1       160 bit              40 characters
DES         64 bit               16 characters
3DES        192 bit              48 characters
AES         128, 192, 256 bit    32, 48, 68 characters

For example, if MD5 were to be used as the authentication algorithm, the following 32 character string could be used from the output above for the key:
48078bfa312893bbb7b0ac133449f71f

To generate the keys for each SPI, the following command is used:
od -An -N4 </dev/random | sed 's/ //g' | awk '{printf("%.8s\n",$1)}'

The output will be eight (pseudo) random octal characters similar to:
06075310

The SPI has a key length of 8 octal characters. Each SPI must be unique. Run this command once for each unique SPI required. In this example two unique SPIs are required. Keep a record of each of these keys, as they must be identical on each host for IPsec to function properly.

3. Configure the Security Association:

Add the following two lines to the security association file. This can be any file; however, it must have the correct ownership and file permissions. For this example, use /etc/inet/ipsec.sa.

Run the following command on each host:
cat <<EOF>> /etc/inet/ipsec.sa
# From 10.1.1.2 to 10.1.1.3
# SPI: <Unique 8 character SPI>
# Auth Alg: MD-5
# Auth Key: <32 Hex digit MD-5 key>
# Encr Alg: 3des
# Encr Key: <48 Hex digit 3des key>
add esp spi <Unique 8 character SPI> src testbox1 dst testbox2 \
    auth_alg md5 encr_alg 3des authkey <32 Hex digit MD-5 key> \
    encrkey <48 Hex digit 3des key>
# From 10.1.1.3 to 10.1.1.2
# SPI: <Unique 8 character SPI>            //Different SPI from above
# Auth Alg: MD-5
# Auth Key: <32 Hex digit MD-5 key>        //same MD-5 key from above
# Encr Alg: 3des
# Encr Key: <48 Hex digit 3des key>        //same 3DES key from above
add esp spi <Unique 8 character SPI> src testbox2 dst testbox1 \
    auth_alg md5 encr_alg 3des authkey <32 Hex digit MD-5 key> \
    encrkey <48 Hex digit 3des key>
EOF

Note: In the above action, choose the key sequences from the 96 character hexadecimal output from step 2. Also, use the same authentication key throughout, as well as the same encryption key throughout the above action. Use unique SPI keys (a total of two in this example) throughout.

On each host, set the file's ownership and permissions:


chown root:root /etc/inet/ipsec.sa
chmod 600 /etc/inet/ipsec.sa

4. Enable IPsec at boot time:

On each host, add the following to /etc/init.d/ipsec:

cat <<EOF>> /etc/init.d/ipsec
#!/bin/sh
#Startup script for IPsec.
case "\$1" in
start)
    /usr/sbin/ipsecconf -f
    /usr/sbin/ipseckey flush
    /usr/sbin/ipseckey -f /etc/inet/ipsec.sa
    /usr/sbin/ipsecconf -a /etc/inet/ipsec.pol
    ;;
stop)
    /usr/sbin/ipseckey flush
    /usr/sbin/ipsecconf -f
    ;;
*)
    echo "Usage: \$0 { start | stop }"
    exit 1
    ;;
esac
exit 0
EOF

Link the script to the startup directory and set the ownership and file permissions:

ln -s /etc/init.d/ipsec /etc/rc2.d/S69ipsec
chown root:sys /etc/init.d/ipsec
chmod 700 /etc/init.d/ipsec

IPsec will now be enabled at boot time and protect all traffic between 10.1.1.2 (testbox1) and 10.1.1.3 (testbox2).

Additional information:

To manually start and stop IPsec, use the following command:


/etc/rc2.d/S69ipsec { stop | start }

To display the current Security Policy, use the following command:
ipsecconf -l

To display the current Security Association, use the following command:
ipseckey dump

Discussion:

This is the manual method for configuration of IPsec. Solaris 9 now employs its own key management facility: Internet Key Exchange (IKE). This method can also be used to configure IPsec on Solaris 9. See the Sun documentation IPsec and IKE Administration Guide (http://docs.sun.com/app/docs/doc/817-2694) for the appropriate Solaris 9 release for more information.

It is recommended that keys be changed regularly to decrease the impact of compromised keys. This can be accomplished by manually editing the new keys into the Security Association file on each machine and restarting the service.
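Because the Security Association file is written by hand and re-edited at every key change, it pays to check it for the mistakes the steps above warn about (a reused SPI, a key of the wrong length for its algorithm, keys that differ between the two directions) before loading it with ipseckey -f. The script below is an added example, not part of this guide or of Solaris; the ipsec.sa inputs it checks are constructed samples that reuse the illustrative values printed earlier in this section.

```shell
#!/bin/sh
# Added example (not from the NSA guide): sanity-check a hand-written
# /etc/inet/ipsec.sa before it is loaded with "ipseckey -f".
# For every "add esp" entry it checks what the procedure above requires:
#  - the SPI is 8 characters and unique within the file
#  - authkey length matches auth_alg (md5 = 32, sha1 = 40 hex digits)
#  - encrkey length matches encr_alg (des = 16, 3des = 48 hex digits)
#  - both directions use the same authkey and encrkey
# check_ipsec_sa FILE prints one "PROBLEM:" line per fault;
# count_ipsec_sa_problems FILE prints only the number of faults (0 = clean).

check_ipsec_sa() {
    # join "\"-continued lines, drop comments and blank lines, then parse
    sed -e :a -e '/\\$/N; s/\\\n//; ta' "$1" |
    grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$' |
    awk '
    BEGIN {
        alen["md5"] = 32; alen["sha1"] = 40
        elen["des"] = 16; elen["3des"] = 48
    }
    {
        spi = auth = encr = akey = ekey = ""
        for (i = 1; i < NF; i++) {             # keyword/value pairs
            if ($i == "spi")      spi  = $(i + 1)
            if ($i == "auth_alg") auth = $(i + 1)
            if ($i == "encr_alg") encr = $(i + 1)
            if ($i == "authkey")  akey = $(i + 1)
            if ($i == "encrkey")  ekey = $(i + 1)
        }
        if ($1 != "add" || $2 != "esp") {
            print "PROBLEM: entry " NR " is not an \"add esp\" line"; next
        }
        if (length(spi) != 8)
            print "PROBLEM: entry " NR ": SPI \"" spi "\" is not 8 characters"
        if (spi in seen)
            print "PROBLEM: entry " NR ": SPI " spi " already used by entry " seen[spi]
        seen[spi] = NR
        if (!(auth in alen))
            print "PROBLEM: entry " NR ": unknown auth_alg \"" auth "\""
        else if (akey !~ /^[0-9a-fA-F]+$/ || length(akey) != alen[auth])
            print "PROBLEM: entry " NR ": authkey for " auth " must be " alen[auth] " hex digits"
        if (!(encr in elen))
            print "PROBLEM: entry " NR ": unknown encr_alg \"" encr "\""
        else if (ekey !~ /^[0-9a-fA-F]+$/ || length(ekey) != elen[encr])
            print "PROBLEM: entry " NR ": encrkey for " encr " must be " elen[encr] " hex digits"
        # the guide uses one authkey and one encrkey for both directions
        if (NR == 1) { akey0 = akey; ekey0 = ekey }
        else if (akey != akey0 || ekey != ekey0)
            print "PROBLEM: entry " NR ": keys differ from entry 1"
    }'
}

count_ipsec_sa_problems() {
    check_ipsec_sa "$1" | grep -c '^PROBLEM' || true
}

# Constructed sample files; the hex strings are the illustrative values
# printed earlier in this section, not real key material.
sa_samples=$(mktemp -d)
cat > "$sa_samples/good.sa" <<'EOF'
# From 10.1.1.2 to 10.1.1.3
add esp spi 06075310 src testbox1 dst testbox2 \
auth_alg md5 encr_alg 3des authkey 48078bfa312893bbb7b0ac133449f71f \
encrkey cbf503c4d505d3c8254aa12fe0ef941d7d8a4f32128d6298
# From 10.1.1.3 to 10.1.1.2
add esp spi 03146725 src testbox2 dst testbox1 \
auth_alg md5 encr_alg 3des authkey 48078bfa312893bbb7b0ac133449f71f \
encrkey cbf503c4d505d3c8254aa12fe0ef941d7d8a4f32128d6298
EOF
# bad.sa reuses the first SPI and has a 30-digit (truncated) md5 key
cat > "$sa_samples/bad.sa" <<'EOF'
add esp spi 06075310 src testbox1 dst testbox2 \
auth_alg md5 encr_alg 3des authkey 48078bfa312893bbb7b0ac133449f71f \
encrkey cbf503c4d505d3c8254aa12fe0ef941d7d8a4f32128d6298
add esp spi 06075310 src testbox2 dst testbox1 \
auth_alg md5 encr_alg 3des authkey 48078bfa312893bbb7b0ac133449f7 \
encrkey cbf503c4d505d3c8254aa12fe0ef941d7d8a4f32128d6298
EOF

echo "good.sa: $(count_ipsec_sa_problems "$sa_samples/good.sa") problem(s)"
echo "bad.sa:  $(count_ipsec_sa_problems "$sa_samples/bad.sa") problem(s)"
check_ipsec_sa "$sa_samples/bad.sa"
```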

1.6 Configure SSH Server

Action:

The following script is intended to modify the default sshd_config file installed with Solaris 9.


touch /etc/issue
cd /etc/ssh
/etc/init.d/sshd stop
if [ ! -f /etc/hostname6.* ]; then
    nawk '/#ListenAddress 0\.0\.0\.0/ { sub(/^#/,"") }; \
          /ListenAddress ::/ { $1 = "#ListenAddress" }; \
          { print }' sshd_config > sshd_config.new
    mv sshd_config.new sshd_config
fi
nawk '/#Banner/ { sub(/^#/,""); $2 = "/etc/issue" }; \
      /#IgnoreUserKnownHosts/ { sub(/^#/,""); $2 = "yes" }; \
      /KeyRegenerationInterval/ { $2 = "1800" }; \
      /LoginGraceTime/ { $2 = "60" }; \
      /ServerKeyBits/ { $2 = "1024" }; \
      { print }' sshd_config > sshd_config.new
echo "KbdInteractiveAuthentication no" >> sshd_config.new
mv sshd_config.new sshd_config
chown root:sys sshd_config
chmod 600 sshd_config
/etc/init.d/sshd start
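The script above edits sshd_config in place and appends one line to it, so a quick way to confirm the result (and to re-check it after patches) is useful. The following audit script is an added example, not part of this guide or of Sun's SSH; the sshd_config fragments it checks are constructed samples, and it reads only the first uncommented occurrence of each keyword, since, as in OpenSSH, that is the value sshd honours.

```shell
#!/bin/sh
# Added example (not from the NSA guide or from Sun's SSH): confirm that an
# sshd_config carries the values the script above is meant to set.  As in
# OpenSSH, sshd uses the first value it reads for a keyword, so only the
# first uncommented occurrence of each keyword is examined; keyword matching
# is case-insensitive, as it is in sshd.
# audit_sshd_config FILE prints one "FAIL:" line per keyword that is missing
# or wrong; count_sshd_failures FILE prints the number of such keywords.

audit_sshd_config() {
    awk '
    BEGIN {
        want["banner"]                       = "/etc/issue"
        want["ignoreuserknownhosts"]         = "yes"
        want["keyregenerationinterval"]      = "1800"
        want["logingracetime"]               = "60"
        want["serverkeybits"]                = "1024"
        want["kbdinteractiveauthentication"] = "no"
    }
    /^[ \t]*#/ || NF < 2 { next }                 # comments, bare keywords
    { k = tolower($1) }
    (k in want) && !(k in got) { got[k] = $2 }    # first occurrence wins
    END {
        for (k in want) {
            if (!(k in got))
                print "FAIL: " k " not set (sshd default applies)"
            else if (got[k] != want[k])
                print "FAIL: " k " is " got[k] ", expected " want[k]
        }
    }' "$1"
}

count_sshd_failures() {
    audit_sshd_config "$1" | grep -c '^FAIL' || true
}

# Constructed sshd_config fragments (not the stock Solaris 9 file):
ssh_samples=$(mktemp -d)
cat > "$ssh_samples/before" <<'EOF'
Protocol 2
#ListenAddress 0.0.0.0
#Banner /etc/issue
#IgnoreUserKnownHosts yes
KeyRegenerationInterval 3600
LoginGraceTime 600
ServerKeyBits 768
EOF
cat > "$ssh_samples/after" <<'EOF'
Protocol 2
Banner /etc/issue
IgnoreUserKnownHosts yes
KeyRegenerationInterval 1800
LoginGraceTime 60
ServerKeyBits 1024
KbdInteractiveAuthentication no
EOF
# The script above appends "KbdInteractiveAuthentication no"; if an earlier
# line already sets it to yes, the appended line is ignored by sshd.
cat > "$ssh_samples/after_dup" <<'EOF'
Protocol 2
KbdInteractiveAuthentication yes
Banner /etc/issue
IgnoreUserKnownHosts yes
KeyRegenerationInterval 1800
LoginGraceTime 60
ServerKeyBits 1024
KbdInteractiveAuthentication no
EOF

for f in before after after_dup; do
    echo "$f: $(count_sshd_failures "$ssh_samples/$f") failing keyword(s)"
done
audit_sshd_config "$ssh_samples/after_dup"
```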

Discussion:

Sun developed a version of SSH based on OpenSSH and began bundling it with their Solaris operating system as of the release of Solaris 9. Sun's version has many of the same configuration options as in OpenSSH, though privilege separation, a feature that contributes to the security of the system through use of an unprivileged process, is still not available.

The configuration options above do not include the options AllowGroups, DenyGroups, AllowUsers, and DenyUsers. Any one, but only one, of these options can be used to specify an access control list. It is strongly recommended that one of these options be used to further restrict access to the server to authorized users only. The man pages for sshd_config explain how to specify user or group names with these options.

Though the above Action is specifically for the server, similar options also exist for the ssh client. See the man pages for ssh_config to learn how to set host defaults for ssh.

For information on building OpenSSH from source, see http://www.openssh.org. Sun also publishes information on building OpenSSH for Solaris as part of its Blueprints series (see http://www.sun.com/blueprints/0404/817-6261.pdf).

1.7 Install NTP

The following configuration is for an NTP client that will function as a local server.

Action:

NTP server information:

1. Create the ntp configuration file

Note: Enter the correct ip address for your site.
cat << END_SCRIPT > /etc/inet/ntp.conf
# subnet
#The netmask used in this example is for Class C networks
restrict x.x.x.x mask 255.255.255.0 notrust nomodify notrap
# ip address of this system's time server
restrict x.x.x.x noquery nomodify notrap
# ip address of this system's time server
server x.x.x.x key 2
enable auth
# Add drift file if necessary
driftfile /var/ntp/drift
keys /etc/inet/ntp.keys
trustedkey 1 2
END_SCRIPT
chown root:root /etc/inet/ntp.conf
chmod 600 /etc/inet/ntp.conf

2. Create the drift file

touch /var/ntp/drift
chown root:root /var/ntp/drift
chmod 600 /var/ntp/drift

3. Key setup

Note: The following steps assume that a key file already exists on the system. The newly added keys will be appended to the end of the current ntp.keys file. If a ntp.keys file does not exist, the file will be created in the following steps.


cat <<END_SCRIPT >> /etc/inet/ntp.keys
#keyid key_type key_value
1 M keypass1
2 M keypass2
END_SCRIPT
chown root:root /etc/inet/ntp.keys
chmod 600 /etc/inet/ntp.keys

4. Start ntp daemon
/etc/init.d/xntpd start

NTP client information:

1. Create the ntp configuration file

Note: Please enter the correct ip address for your site.


cat << END_SCRIPT > /etc/inet/ntp.conf
# ip address of time server created above or known network time server
restrict x.x.x.x noquery nomodify notrap
server x.x.x.x key 1
enable auth
# Add drift file if necessary
driftfile /var/ntp/drift
keys /etc/inet/ntp.keys
trustedkey 1
END_SCRIPT
chown root:root /etc/inet/ntp.conf
chmod 600 /etc/inet/ntp.conf

2. Create the drift file

touch /var/ntp/drift
chown root:root /var/ntp/drift
chmod 600 /var/ntp/drift

3. Key setup

Note: The following steps assume that a key file already exists on the system.

cat <<END_SCRIPT >> /etc/inet/ntp.keys
#keyid key_type key_value
1 M keypass1
END_SCRIPT
chown root:root /etc/inet/ntp.keys
chmod 600 /etc/inet/ntp.keys

4. Start ntp daemon
/etc/init.d/xntpd start

Discussion:

It is important for the computer system to maintain correct time, especially if databases or auditing tools are running on the system. The drift file is used to store the time difference between the local clock and the network clock. Because the value is stored on the system, it does not have to be recalculated every time synchronization occurs. The drift file should be used if multiple servers are listed in the ntp.conf file.

The key file information above is an example. These keys are used to compute the digital signatures for the NTP transaction. The key file must limit read permissions because it contains authorization data. The key id can range from 1 to 4294967295 but must not be 0 (zero). Each key number must be unique. There must be a space between the key id and the key_type. The key_value field, shown as keypass1 above, should be an arbitrary string of up to eight characters.

The key id and associated key_value must be known to both the server and the client attempting to access the server. If the correct key information is not provided, time synchronization will not take place. The key information should be transferred to each client in the most secure manner possible. For example, the key information can be put on a disk and the system administrator can load the keys on each system. If ssh is used, the keys can be transferred over the network. NTP version 4 has a built-in key distribution process. Information about this process can be found in the NTP version 4 documentation.

In some situations, such as a router in Defense Message System (DMS) architecture, it is appropriate to utilize at least two NTP servers. Adjust the action as necessary if more than one NTP server is appropriate.

Additional information on how to configure a NTP server and client can be obtained from
http://www.sun.com/security/blueprints/

2 Minimize inetd Network Services
2.1 Disable standard services

Action:
cd /etc/inet
for svc in time echo discard daytime chargen fs dtspc \
    exec comsat talk finger uucp name xaudio \
    netstat ufsd rexd systat sun-dr uuidgen krb5_prop;
do
    awk "(\$1 == \"$svc\") { \$1 = \"#\" \$1 }; {print}" \
        inetd.conf > inetd.conf.new
    mv inetd.conf.new inetd.conf
done
for svc in 100068 100146 100147 100150 100221 \
    100232 100235 kerbd rstatd rusersd sprayd walld;
do
    awk "/^$svc\\// { \$1 = \"#\" \$1 }; { print }" \
        inetd.conf > inetd.conf.new
    mv inetd.conf.new inetd.conf
done
for svc in printer shell login telnet ftp tftp;
do
    awk "(\$1 == \"$svc\") { \$1 = \"#\" \$1 }; {print}" \
        inetd.conf > inetd.conf.new
    mv inetd.conf.new inetd.conf
done
for svc in 100083 100229 100230 100242 \
    100234 100134 100155 rquotad 100153;
do
    awk "/^$svc\\// { \$1 = \"#\" \$1 }; { print }" \
        inetd.conf > inetd.conf.new
    mv inetd.conf.new inetd.conf
done
chown root:sys inetd.conf
chmod 444 inetd.conf
pkill -HUP -u 0 -P 1 -x inetd

Discussion:

The stock /etc/inet/inetd.conf file shipped with Solaris contains many services which are rarely used or which have more secure alternatives. Indeed, after enabling SSH (see Item 1.6) it may be possible to completely do away with all inetd-based services, since SSH provides both a secure login mechanism and a means of transferring files to and from the system. In fact, the actions above will disable all standard services normally enabled in the Solaris inetd.conf file.

Most of the remaining actions in this chapter give the administrator the option of re-enabling certain services, in particular, the services that are disabled in the last two loops in the "Action" section above. Rather than disabling and then re-enabling these services, experienced administrators may wish to simply disable only those services that they know are unnecessary for their systems. Services colored in red are re-enabled in this chapter as needed.

Note: Items 2.2 through 2.7, 2.9 and 2.11 have been moved to Appendix C. These Items enable tools that decrease system security. These tools should only be enabled if there is a mission critical need.

2.8 Only enable CDE-related daemons if absolutely necessary

Question: Is there a mission critical reason to run CDE on this system?

If the answer to this question is yes, proceed with the Action below.

Note: Workstations must have CDE-related daemons enabled.

Action:


cd /etc/inet
sed 's/^#100083/100083/' inetd.conf > inetd.conf.new
mv inetd.conf.new inetd.conf

Discussion:

The rpc.ttdbserverd process supports many tools and applications in Sun's CDE windowing environment, but has historically been a major security issue for Solaris systems. If this service is enabled, it is vital to keep up to date on vendor patches. Never enable this service on any system which is not well protected by a complete network security infrastructure (including network and host-based firewalls, packet filters, and intrusion detection infrastructure).

Since this service uses Sun's standard RPC mechanism, it is important that the system's RPC portmapper (rpcbind) also be enabled when this service is turned on. For more information see Item 3.11, "Only enable other RPC-based services if absolutely necessary."

2.10 Only enable removable media daemon if absolutely necessary

Question: Is there a mission critical reason why CD-ROMs and floppy disks should be automatically mounted when inserted into the system drives?

If the answer to this question is yes, proceed with the Action below.

Action:


cd /etc/inet
sed 's/^#100155/100155/' inetd.conf > inetd.conf.new
mv inetd.conf.new inetd.conf

Discussion:

This item re-enables the rpc.smserverd process that works with the volume manager (see Item 3.16 below) and the CDE file manager application to automatically mount CD-ROMs and floppies when the user inserts the new media into the system's drives (the mount command is normally a privileged command that can only be performed by the superuser). Be aware that allowing users to mount and access data from removable media makes it easier for malicious programs and data to be imported onto your network.

Since this service uses Sun's standard RPC mechanism, it is important that the system's RPC portmapper (rpcbind) also be enabled when this service is turned on. For more information see Item 3.11, "Only enable other RPC-based services if absolutely necessary."

2.12 Only enable GSS daemon if absolutely necessary

Question: Are there any security-related services in use at this site that make use of the GSS API?

Note: In Solaris 9, the GSS daemon is generally needed only when Kerberos is being used to secure NFS.

If the answer to this question is yes, proceed with the Action below.

Action:
cd /etc/inet
sed 's/^#100234/100234/' inetd.conf > inetd.conf.new
mv inetd.conf.new inetd.conf

Discussion:

The GSS API is a security abstraction layer that is designed to make it easier for developers to integrate with different authentication schemes. It is most commonly used in applications for sites that use Kerberos for network authentication, though it can also allow applications to interoperate with other authentication schemes.

Since this service uses Sun's standard RPC mechanism, it is important that the system's RPC portmapper (rpcbind) also be enabled when this service is turned on. For more information see Item 3.11, "Only enable other RPC-based services if absolutely necessary."

2.13 Disable multicasting and routing discovery

Question: Is there a mission critical reason to run multicasting network services at this site?

If the answer is no, proceed with the Action below.

Note: If ipfilters will be used (see Item 4.7), then skip this step. Changes to /etc/init.d/inetsvc are likely to be overwritten in a future patch or update. They may need to be reapplied after patching.

Action:


awk '/Setting default IPv4 interface for multicast/ {$1 = "#"$1}; \
     /add net 224/ {$1 = "#"$1}; \
     /add -interface/ {$1 = "#"$1}; \
     { print }' /etc/init.d/inetsvc > /etc/init.d/inetsvc.new
mv /etc/init.d/inetsvc.new /etc/init.d/inetsvc
chown root:sys /etc/init.d/inetsvc
chmod 744 /etc/init.d/inetsvc

Discussion:

By disabling multicasting, router discovery cannot be performed. In addition, the following action will disable routing functionality.


touch /etc/notrouter
chown root:sys /etc/notrouter
chmod 644 /etc/notrouter

2.14 Disable IPv6

Question: Is IPv6 in use at this site?

If the answer is no, proceed with the Action below.

Action:

1. Remove all IPv6 hostname information


cd /etc
rm hostname6.*

2. Comment out all IPv6 TCP and UDP information from inetd.conf
awk '(( $3 == "tcp6" || $3 == "udp6" ) && ( $1 !~ /^#/ )) \
    { $1 = "#"$1}; \
    { print }' /etc/inet/inetd.conf > /etc/inet/inetd.conf.new
mv /etc/inet/inetd.conf.new /etc/inet/inetd.conf
chown root:sys /etc/inet/inetd.conf
chmod 444 /etc/inet/inetd.conf

Discussion:

If the system is configured to handle IPv6 and it is not being used, IPv6-related services and interfaces should be disabled. Some services, such as time, echo, discard, daytime, and chargen, require tcp6 or udp6 in order to function properly. Commenting these protocols out of the inetd file will also eliminate those services' IPv4 functionality.

2.15 Enable encrypted remote administration if necessary

Action:

Enable X Graphical User Interface for administration if necessary.

On the machine that is to be administered, the following commands must be issued locally as root. Ensure that no ssh sessions are active before beginning.


/etc/init.d/sshd stop
cd /etc/ssh
awk '/X11Forwarding/ { $2 = "yes" }; \
     { print }' sshd_config > sshd_config.new
mv sshd_config.new sshd_config
chown root:sys sshd_config
chmod 600 sshd_config
/etc/init.d/sshd start

Discussion:

Remote administration must be done over an encrypted channel to protect against information or control leakage. SSH is an appropriate communication encryption tool to use for remote administration. The box that is to be administered remotely must first be configured locally to allow X11 forwarding.


3 Minimize Boot Services
3.1 Disable login: prompts on serial ports

Action:
pmadm -d -p zsmon -s ttya
pmadm -d -p zsmon -s ttyb

Discussion:

Disabling the login: prompt on the system serial devices makes it more difficult for unauthorized users to attach modems, terminals, and other remote access devices to these ports.

This action may safely be performed even if console access to the system is provided via the serial ports, because the login: prompt on the console device is provided through a different mechanism.

3.2 Set daemon umask

Action:
cd /etc/default
awk '/^CMASK=/ { $1 = "CMASK=022" }\
     { print }' init > init.new
mv init.new init
chown root:sys init
chmod 444 init

Discussion:

The system default umask should be set to at least 022 in order to prevent daemon processes from creating world-writable files by default. More restrictive umask values (such as 077) can be used but may cause problems for certain applications; consult vendor documentation for further information.

Note: Although this is already the default configuration for Solaris 9, this action serves to reinforce the default or to change the setting back to default in case it has been altered.

3.3 Disable inetd if possible

Note: If inetd is disabled, it may get re-enabled in a future patch. This setting should be checked, and reapplied if necessary, after applying patches or updates.

Action:


cd /etc/init.d
LINE=`awk '/\/usr\/sbin\/inetd/ && \
    !/\[/ { print }' inetsvc`
if [ -n "$LINE" ]; then
    grep -v /usr/sbin/inetd inetsvc > inetsvc.new
    cat <<'EONewInetd' >> inetsvc.new
lines=`grep -v '^#' /etc/inet/inetd.conf 2>/dev/null | \
    wc -l | sed 's/ //g'`
EONewInetd
    echo '[ "$lines" != '0' ] && \c' >> inetsvc.new
    echo $LINE >> inetsvc.new
    mv inetsvc.new inetsvc
fi
chown root:sys inetsvc
chmod 744 inetsvc

Discussion:

If the actions in Chapter 2 result in all the inetd-based services being disabled, then there is no point in running inetd at boot time. The code added to the inetsvc boot script will result in inetd automatically being restarted at boot time if services are ever enabled in inetd.conf. However, it may be necessary to manually start inetd if the administrator wishes to enable some of these services without rebooting the system.
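To see what the loops in Item 2.1 left enabled, and to compare that with the line count the inetsvc test above relies on, the following script lists and counts the active entries of an inetd.conf. It is an added example, not part of this guide; the inetd.conf fragment it reads is a constructed sample in the layout of the Solaris file.

```shell
#!/bin/sh
# Added example (not from the NSA guide): list and count the entries still
# active in an inetd.conf after the loops in Item 2.1.  An entry is active
# when its line is neither commented out nor blank; the service is the first
# field, with an RPC program number reduced to the part before the "/"
# (100083/1 -> 100083).  Blank lines are ignored, unlike in the
# "grep -v '^#' | wc -l" test that the inetsvc code above installs, which
# counts them and so keeps inetd running if a stray empty line is present.

list_enabled_inetd_services() {
    awk '
    /^[ \t]*#/ || NF == 0 { next }
    { svc = $1; sub(/\/.*/, "", svc); print svc }' "$1"
}

count_enabled_inetd_services() {
    list_enabled_inetd_services "$1" | wc -l | sed 's/ //g'
}

# The test Item 3.3 appends to /etc/init.d/inetsvc, for comparison.
inetsvc_style_count() {
    grep -v '^#' "$1" | wc -l | sed 's/ //g'
}

# Constructed inetd.conf fragment in the layout of the Solaris 9 file:
# telnet, ftp and rpc.ttdbserverd commented out, rsh and gssd left active,
# plus one blank line.
inetd_sample=$(mktemp)
cat > "$inetd_sample" <<'EOF'
#ftp      stream  tcp6    nowait  root  /usr/sbin/in.ftpd      in.ftpd -a
#telnet   stream  tcp6    nowait  root  /usr/sbin/in.telnetd   in.telnetd
shell     stream  tcp     nowait  root  /usr/sbin/in.rshd      in.rshd

#100083/1 tli rpc/tcp wait root /usr/dt/bin/rpc.ttdbserverd rpc.ttdbserverd
100234/1  tli rpc/ticotsord wait root /usr/lib/gss/gssd gssd
EOF

echo "active services: $(list_enabled_inetd_services "$inetd_sample" | tr '\n' ' ')"
echo "count (this script):  $(count_enabled_inetd_services "$inetd_sample")"
echo "count (inetsvc test): $(inetsvc_style_count "$inetd_sample")"
```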

3.4 Disable email server if possible

Question: Is this system a mail server, that is, does this machine receive and process email from other hosts?

If the answer to this question is no, proceed with the Action below.

Action:
cd /etc/default
cat <<END_DEFAULT > sendmail
MODE=
QUEUEINTERVAL="15m"
END_DEFAULT
chown root:sys sendmail
chmod 644 sendmail

Discussion:

It is possible to run a UNIX system with the Sendmail daemon disabled and still allow users on that system to send email out from that machine. Running Sendmail in "daemon mode" (with the -bd command-line option) is only required on machines that act as mail servers, receiving and processing email from other hosts on the network.

After disabling the -bd option on the local mail server on Solaris 9 (or any system running Sendmail v8.12 or later) it is also necessary to modify the /etc/mail/submit.cf file. Find the line that reads "D{MTAHost}localhost" and change localhost to the name of the appropriate mail server for the organization. This will cause email generated on the local system to be relayed to that mail server for further processing and delivery.

If the system is an email server, the administrator is encouraged to search the Web for additional documentation on Sendmail security issues. Some information is available at http://www.deer-run.com/~hal/dns-sendmail/DNSandSendmail.pdf and at http://www.sendmail.org.

3.5 Disable boot services if possible

Question: Is this machine a network boot server or Jumpstart server?

If the answer to both parts of the question is no, then perform the Action below.

Action:


mv /etc/rc3.d/S16boot.server /etc/rc3.d/.NOS16boot.server

Discussion:

If the /tftpboot directory exists (see Appendix C Item 2.5), the in.rarpd and rpc.bootparamd services will be enabled. These services are designed to assist machines and devices that need to download their boot images over the network from some central server. However, the system may be running TFTP and have a /tftpboot directory but not be acting as a boot server (for example, many sites use TFTP to back up configuration files from their network routers). in.rarpd and rpc.bootparamd should only be enabled if the machine is actually going to be acting as a boot server.

3.6 Disable other standard boot services

Action:

Note: Since the actual number for each startup script may vary (i.e., S74autofs vs. S70autofs), wildcards have been used to match the proper script regardless of number.


cd /etc/rc2.d
for file in S*autoinstall S*power S*bdconfig \
    S*cachefs.daemon S*cacheos.finish S*llc2 S*pppd \
    S*asppp S*uucp S*slpd S*flashprom S*PRESERVE \
    S*wbem S*ncalogd S*ncad S*ab2mgr; do
    [ -s $file ] && mv $file .NO$file
done
cd /etc/rc3.d
for file in S*dmi S*mipagent; do
    [ -s $file ] && mv $file .NO$file
done
cd /etc/rc2.d
for file in S*nfs.client S*autofs S*rpc \
    S*directory S*ldap.client S*lp S*spc \
    S*afbinit S*ifbinit S*dtlogin S*ncakmod; do
    [ -s $file ] && mv $file .NO$file
done
cd /etc/rc3.d
for file in S*samba S*nfs.server S*kdc.master S*kdc \
    S*apache S*snmpdx S*volmgt S*dhcp; do
    [ -s $file ] && mv $file .NO$file
done

Discussion:

Renaming these scripts in the system boot directories will effectively disable a wide variety of infrequently used subsystems. The scripts are merely renamed (rather than removed outright) so that the local administrator can easily "restore" any of these files if they discover a mission critical need for one of these services. Not all of the scripts listed above will exist on all systems (some are only valid for certain releases, others only exist if certain OEM vendor software is installed). Also, vendor patches may restore some of the original entries in the /etc/rc*.d directories; it is always a good idea to check these boot directories and remove any scripts that may have been added by the patch installation process.

The chart below can be used to determine if the red highlighted boot scripts above should be disabled by the system administrators.

Many of the actions in Chapter 3 give the administrator the option of re-enabling certain services, in particular, the services that are disabled in the last two loops in the action above. Rather than disabling and then re-enabling these services, experienced administrators may wish to simply disable only those services that they know are unnecessary for their systems.

Filename                    Purpose
/etc/rc2.d/S71rpc           Starts network service rpcbind daemon.
                            Used by NIS & NIS+ configuration, key services, XSun services.
                            Required to run CDE.
/etc/rc2.d/S74autofs        Starts automount daemon.
                            Used for automounting and to locate directories.
/etc/rc2.d/S90wbem          Configures Web Based Enterprise Management Services.
                            Needed for Solaris Management Console.
/etc/rc2.d/S91afbinit       Configures any graphic frame buffers or graphic accelerators.
                            Needed for systems with Elite3D graphics.
                            Needed for X Window.
/etc/rc2.d/S91ifbinit       Configures any graphic frame buffers or graphic accelerators.
                            Needed for systems with Expert3D (IFB) graphics.
/etc/rc3.d/S81volmgt        Starts the vold daemon.
                            Needed to mount CD-ROMs and floppy disks.
/etc/rc2.d/S99dtlogin       Starts the CDE desktop login process, dtlogin.
                            Needed for logging in using CDE.
/etc/rc3.d/S15nfs.server    Starts the NFS server daemons nfsd, mountd and nfslogd.
                            Needed to mount NFS systems.
/etc/rc3.d/S76snmpdx        Starts snmp daemon.
                            Needed by Solstice Enterprise Agents dmispd and snmpXdmid.
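To check the boot directories after patching, as the discussion above recommends, the following script reports every .NOS* script that has an active S* counterpart again, matched on the name after the sequence number (so a restored S70autofs is reported against a disabled .NOS74autofs). It is an added example, not part of this guide; the rc2.d and rc3.d trees it inspects are constructed in a temporary directory.

```shell
#!/bin/sh
# Added example (not from the NSA guide): after patching, find boot scripts
# that Item 3.6 disabled (S<nn>name -> .NOS<nn>name) but that have an active
# S* copy again.  Scripts are matched on the name after the sequence number,
# so a restored S70autofs is reported against a disabled .NOS74autofs.
# report_rc_dir DIR prints one line per .NOS* file ("RESTORED:" or
# "disabled:"); count_restored_scripts DIR... prints the number restored.

report_rc_dir() {
    dir="$1"
    for disabled in "$dir"/.NOS*; do
        [ -e "$disabled" ] || continue                     # no .NOS* files
        svc=$(printf '%s\n' "${disabled##*/.NOS}" | sed 's/^[0-9]*//')
        found=""
        for active in "$dir"/S*; do                        # dot files excluded
            [ -e "$active" ] || continue
            a=$(printf '%s\n' "${active##*/}" | sed 's/^S[0-9]*//')
            if [ "$a" = "$svc" ]; then found="$active"; fi
        done
        if [ -n "$found" ]; then
            echo "RESTORED: $found (disabled copy ${disabled##*/} still present)"
        else
            echo "disabled: $svc (${disabled##*/})"
        fi
    done
}

count_restored_scripts() {
    n=0
    for d in "$@"; do
        c=$(report_rc_dir "$d" | grep -c '^RESTORED' || true)
        n=$((n + c))
    done
    echo "$n"
}

# Constructed rc directories in a temporary tree (empty files stand in
# for the scripts): autofs came back under a new number in rc2.d and
# snmpdx under the same number in rc3.d; rpc and nfs.server stay disabled.
rc_samples=$(mktemp -d)
mkdir "$rc_samples/rc2.d" "$rc_samples/rc3.d"
touch "$rc_samples/rc2.d/.NOS74autofs" "$rc_samples/rc2.d/S70autofs" \
      "$rc_samples/rc2.d/.NOS71rpc"    "$rc_samples/rc2.d/S20sysetup" \
      "$rc_samples/rc3.d/.NOS15nfs.server" \
      "$rc_samples/rc3.d/.NOS76snmpdx" "$rc_samples/rc3.d/S76snmpdx"

report_rc_dir "$rc_samples/rc2.d"
report_rc_dir "$rc_samples/rc3.d"
echo "restored: $(count_restored_scripts "$rc_samples/rc2.d" "$rc_samples/rc3.d")"
```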

3.7 Only enable Windows compatibility servers if absolutely necessary

Question: Does this machine provide authentication, file sharing, or printer sharing services to systems running Microsoft Windows operating systems?

If the answer to any part of the question listed above is yes, proceed with the Action below.

Action:


mv /etc/rc3.d/.NOS90samba /etc/rc3.d/S90samba

Discussion:

Solaris 9 now includes the popular open source Samba server for providing file and print services to Windows-based systems. This allows a Solaris system to act as a file or print server on a Windows network, and even act as a Domain Controller (authentication server) to older Windows operating systems. However, if this functionality is not required by the site, the service should be disabled.

3.8 Only enable NFS server processes if absolutely necessary

Question: Is this machine an NFS file server?

If the answer to this question is yes, proceed with the Action below.

Action:


mv /etc/rc3.d/.NOS15nfs.server /etc/rc3.d/S15nfs.server

Discussion:

NFS is frequently exploited to gain unauthorized access to files and systems. There is no need to run the NFS server-related daemons on hosts that are not NFS servers. If the system is an NFS server, the admin should take reasonable precautions when exporting file systems, including restricting NFS access to a specific range of local IP addresses and exporting file systems "read-only" and "nosuid" where appropriate. For more information consult the share_nfs manual page. If the machine will be an NFS client then the rpcbind process must be running (see Item 3.11, "Only enable other RPC-based services if absolutely necessary" below).

3.9 Only enable NFS client processes if absolutely necessary

Question: Is there a mission critical reason why this system must access file systems from remote servers via NFS?

If the answer to this question is yes, proceed with the Action below.

Action:


mv /etc/rc2.d/.NOS73nfs.client /etc/rc2.d/S73nfs.client

Discussion:

While this action disables the standard NFS client processes (statd and lockd), it is still possible for the superuser to mount remote file systems on the local machine via NFS. Starting with Solaris 9, the administrator can completely disable NFS client access by removing the NFS client software packages (SUNWnfscr, SUNWnfscu, and SUNWnfscx), but these packages will have to be reinstalled if NFS is to be re-enabled at a later date.

Other file transfer schemes (such as rdist via SSH) can often be preferable to NFS for certain applications, although the use of secure RPC or Kerberos can significantly improve NFS security. If the machine will be an NFS client then the rpcbind process must be running (see Item 3.11, "Only enable other RPC-based services if absolutely necessary").

3.10 Only enable automount daemon if absolutely necessary

Question: Are any of the following statements true?

- The system requires an automount daemon to automatically mount local and/or NFS file systems as needed.
- The site uses Sun's SMC graphical administrative interface for system management.

If the answer to this question is yes, proceed with the Action below.

Action:
mv /etc/rc2.d/.NOS74autofs /etc/rc2.d/S74autofs

Discussion:

The automount daemon is normally used to automatically mount NFS file systems from remote file servers when needed. However, the automount daemon can also be configured to mount local (loopback) file systems as well, which may include local user home directories, depending on the system configuration. Sites that have local home directories configured via the automount daemon in this fashion will need to ensure that this daemon is running for Sun's SMC graphical administrative interface to function properly.

3.11 Only enable other RPC-based services if absolutely necessary

Question: Are any of the following statements true?

- This machine is an NFS client or server
- This machine is an NIS (YP) or NIS+ client or server
- The Kerberos security system is in use at this site
- This machine runs a GUI or GUI-based administration tool
- The system requires the Volume Manager (vold)
- This machine is a network boot server or Jumpstart server
- The machine runs a third-party software application which is dependent on RPC support (examples: FlexLM License managers, Veritas, Solaris DiskSuite)

If the answer to this question is yes, proceed with the Action below.

Action:
mv /etc/rc2.d/.NOS71rpc /etc/rc2.d/S71rpc

Discussion:

RPC-based services typically use very weak or non-existent authentication and yet may share very sensitive information. Unless one of the services listed above is required on this machine, it is best to disable RPC-based tools completely. To clarify whether or not a particular third-party application requires RPC services, consult with the application vendor.

3.12 Only enable Kerberos server daemons if absolutely necessary

Question: Is this system a Kerberos Key Distribution Center (KDC) for the site?

If the answer to this question is yes, proceed with the Action below.

Action:


mv /etc/rc3.d/.NOS13kdc.master /etc/rc3.d/S13kdc.master
mv /etc/rc3.d/.NOS14kdc /etc/rc3.d/S14kdc

Discussion:

Solaris 9 includes greater support for the Kerberos authentication system. In particular, the Kerberos server daemons have been bundled with the core operating system. However, if the site is not using Kerberos or if this machine is not configured as one of the site's Kerberos servers, there is no reason to enable this service.

3.13 Only enable LDAP directory server if absolutely necessary

Question: Is this system an LDAP directory server for this site?

If the answer to this question is yes, proceed with the Action below.

Action:


mv /etc/rc2.d/.NOS72directory /etc/rc2.d/S72directory

Discussion:

Solaris 9 has included the iPlanet Directory Server product as part of the operating system. However, this service only needs to be running on the machines that have been designated as LDAP servers for the organization. If the machine is an LDAP server, the administrator is encouraged to search the Web for additional documentation on LDAP security issues.

3.14 Only enable the LDAP cache manager if absolutely necessary

Question: Is the LDAP directory service in use at this site, and is this machine an LDAP client?

If the answer to both parts of the question listed above is yes, proceed with the Action below.

Action:
mv /etc/rc2.d/.NOS71ldap.client /etc/rc2.d/S71ldap.client

Discussion:

If the local site is not currently using LDAP as a naming service, then there is no need to keep LDAP-related daemons running on the local machine.

3.15 Only enable the printer daemons if absolutely necessary

Question: Is this system a print server, or is there a mission critical reason why users must submit print jobs from this system?

If the answer to this question is yes, proceed with the Action below.

Action:


mv /etc/rc2.d/.NOS80lp /etc/rc2.d/S80lp
mv /etc/rc2.d/.NOS80spc /etc/rc2.d/S80spc

Discussion:

If users will never print files from this machine and the system will never be used as a print server by other hosts on the network, then it is safe to disable these services. The UNIX print service has generally had a poor security record; be sure to keep up to date on vendor patches. The administrator may wish to consider converting to the LPRng print system (see http://www.lprng.org/) which was designed with security in mind and is widely portable across many different UNIX platforms. However, LPRng is not supported by Sun Microsystems.

3.16 Only enable the volume manager if absolutely necessary

Question: Is there a mission critical reason why CD-ROMs and floppy disks should be automatically mounted when inserted into system drives?

If the answer to this question is yes, proceed with the Action below.

Action:


mv /etc/rc3.d/.NOS81volmgt /etc/rc3.d/S81volmgt

Discussion:

The Solaris volume manager automatically mounts CD-ROMs and floppy disks for users whenever a disk is inserted in the local system's drive (the mount command is normally a privileged command which can only be performed by the superuser). Be aware that allowing users to mount and access data from removable media drives makes it easier for malicious programs and data to be imported onto your network. The malicious programs and data could be used by an unauthorized user to gain root access on the system.

It is also necessary to re-enable the rpc.smserverd process for the volume manager to function (see Item 2.10, "Only enable removable media daemon if absolutely necessary").

3.17 Only enable GUI login if absolutely necessary

Question: Is there a mission critical reason to run a GUI on this system?

If the answer to this question is yes, proceed with the Action below.

Action:


mv /etc/rc2.d/.NOS99dtlogin /etc/rc2.d/S99dtlogin
mv /etc/rc2.d/.NOS91afbinit /etc/rc2.d/S91afbinit
mv /etc/rc2.d/.NOS91ifbinit /etc/rc2.d/S91ifbinit

Discussion:

For the Solaris CDE GUI to function properly, it is also necessary to enable the rpcbind process (see Item 3.11) and the rpc.ttdbserverd process (see Item 2.8). The X Windows-based CDE GUI on Solaris systems has had a history of security issues. Never run any GUI-oriented service or application on a system unless that machine is protected by a strong network security infrastructure.

3.18 Only enable web server if absolutely necessary

Question: Is there a mission critical reason why this system must run a web server? If the answer to this question is yes, proceed with the Action below.

Action:
mv /etc/rc3.d/.NOS50apache /etc/rc3.d/S50apache
mv /etc/rc2.d/.NOS42ncakmod /etc/rc2.d/S42ncakmod

Discussion: Even if this machine is a Web server, the local site may choose not to use the web server provided with Solaris in favor of a locally developed and supported web environment. If the machine is a web server, the administrator is encouraged to search the web for additional documentation on web server security. A good starting point is http://httpd.apache.org/docs-2.0/misc/security_tips.html. The Center for Internet Security will be publishing an Apache Web Server Benchmark at http://www.cisecurity.org.

3.19 Only enable SNMP if absolutely necessary

Question: Are hosts at this site remotely monitored by a tool (e.g., HP OpenView, MRTG, Cricket) that relies on SNMP? If the answer to this question is yes, proceed with the Action below.

Action:


mv /etc/rc3.d/.NOS76snmpdx /etc/rc3.d/S76snmpdx

Discussion: If SNMP is used to monitor the hosts on the network, it is recommended that the default community string used to access data via SNMP be changed. On Solaris systems, this parameter can be changed by modifying the system-group-read-community parameter in /etc/snmp/conf/snmpd.conf. SNMP is shipped with a default community string of "public" or "private". If the default community string is set to the string of "private", an unauthorized user will have access to remotely read and modify parameters. If the default community string is set to "public", an unauthorized user will have read access to network management information. The community string should be changed to prevent access to the system parameters by an unauthorized user. The SNMP community string needs to be hard to guess, like passwords. It should include a combination of letters, numbers, special characters and have a minimum length of six characters. Even if the community string is changed, SNMP versions 1 and 2 use the community string unencrypted for authentication.
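As an added check for this item (not part of the guide), the script below scans an snmpd.conf for the shipped "public"/"private" strings and applies the strength rule stated above to every *-community setting; the sample configuration it writes is constructed, and the keyword names other than system-group-read-community are assumed.

```shell
#!/bin/sh
# Added example, not from the guide: audit the community strings in
# /etc/snmp/conf/snmpd.conf against Item 3.19 (not "public"/"private";
# letters, digits and special characters; at least six characters).

# community_strength STRING -> prints "ok", or the reason it fails (exit 1).
community_strength() {
    s=$1
    case "$s" in
        public|private) echo "default community string"; return 1 ;;
    esac
    if [ "${#s}" -lt 6 ]; then
        echo "shorter than 6 characters"; return 1
    fi
    case "$s" in *[A-Za-z]*) ;; *) echo "no letters"; return 1 ;; esac
    case "$s" in *[0-9]*)    ;; *) echo "no digits"; return 1 ;; esac
    case "$s" in *[!A-Za-z0-9]*) ;; *) echo "no special characters"; return 1 ;; esac
    echo "ok"
}

# audit_snmpd_conf FILE -> one "<keyword> <value>: <verdict>" line per
# *-community setting (system-group-read-community is the one the guide
# names; other keyword names are assumed).  Returns the number of weak
# strings found, so 0 means everything passed.
audit_snmpd_conf() {
    weak=0
    while read -r key val rest; do
        case "$key" in
            ''|\#*)     continue ;;   # blank or comment line
            *community) ;;
            *)          continue ;;   # unrelated keyword
        esac
        verdict=$(community_strength "$val") || weak=$((weak + 1))
        echo "$key $val: $verdict"
    done < "$1"
    return $weak
}

# write_sample_snmpd_conf FILE -- constructed sample, not a real Solaris file.
write_sample_snmpd_conf() {
    cat > "$1" <<'EOF'
# constructed sample snmpd.conf for the Item 3.19 check
sysdescr Sun SNMP Agent
system-group-read-community public
system-group-write-community private
read-community Xy7#kq2L
write-community abcdef
trap-community Tr4p!
EOF
}
```

Run `audit_snmpd_conf /etc/snmp/conf/snmpd.conf` on a live host; every line that does not end in "ok" names a string to change.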

3.20 Only enable DHCP server if absolutely necessary

Question: Does this machine act as a DHCP server for the network? If the answer to this question is yes, proceed with the Action below.

Action:


mv /etc/rc3.d/.NOS34dhcp /etc/rc3.d/S34dhcp

Discussion: DHCP is a popular protocol for dynamically assigning IP addresses and other network information to systems on the network (rather than having administrators manually manage this information on each host). However, if this system is not a DHCP server for the network, there is no need to be running this service.

3.21 Disable BIND

Question: Is there a mission critical reason to run a DNS Server on this system? If the answer is no, proceed with the Action below:

Action:

1. Create script to disable Internet domain name server


cd /etc/init.d
cat << END_NAMED > named.script
/if \[ -f \/etc\/named.conf/ {
s!if \[ -f!#if \[ -f!
}
/starting internet domain name server/ {
s!echo!#echo!
}
/\/usr\/sbin\/in.named &/ {
s!/!#/!
n
s!^fi!#fi!
}
END_NAMED
chown root:sys named.script
chmod 744 named.script

2. Run the script to change the inetsvc file
sed -f named.script inetsvc > inetsvc.new
mv inetsvc.new inetsvc
chown root:sys inetsvc
chmod 744 inetsvc

3. Stop then restart the service
/etc/init.d/inetsvc stop
/etc/init.d/inetsvc start

Discussion: BIND can be used by attackers to gather information about the network. If the system is not the DNS server, the bind daemon should not be running. If the named daemon must be running, the latest version of bind should be installed on the system. Additional precautions should be taken to run bind securely. For additional information regarding the installation and configuration of BIND, see:


http://www.deer-run.com/~hal/dns-sendmail/DNSandSendmail.pdf

3.22 Disable nscd

Question: Is this system a DNS client or running the Basic Security Module? If the answer to both parts of the question is no, proceed with the Action below:

Action:


mv /etc/rc2.d/S76nscd /etc/rc2.d/.NOS76nscd

Discussion: The Name Service Cache Daemon maintains a database containing commonly used Domain Name Service (DNS) lookup information such as passwords, groups and hosts. This service is needed if the system has the Basic Security Module (BSM) or DNS enabled. If BSM or DNS are not used, it is recommended that the Name Service Cache Daemon be disabled. If BSM or DNS are used, the nscd daemon must be running.

3.23 Use RMTMPFILES to clear /var/tmp

Question: Is there a mission critical reason why files in /var/tmp should not be removed? If the answer is no, proceed with the Action below:

Note: This change may be overwritten in a future update or patch and should be reapplied if necessary.

Action:


cd /etc/init.d
sed 's/^exit/#exit/' RMTMPFILES > RMTMPFILES.new
mv RMTMPFILES.new RMTMPFILES
chown root:sys RMTMPFILES
chmod 744 RMTMPFILES
rm -f /etc/rc2.d/S05RMTMPFILES
ln -s /etc/init.d/RMTMPFILES /etc/rc2.d/S05RMTMPFILES

Discussion: /var/tmp could contain information useful in gaining access to the system. When the steps listed above are taken, all the files in /var/tmp are removed at boot up except Ex* files. The Ex* files are created by using the vi command. Ex* files are removed through the use of the /etc/init.d/PRESERVE script.

4 Kernel Tuning
4.1 Restrict core dumps to protected directory

Action:
mkdir -p /var/core
chown root:root /var/core
chmod 700 /var/core
coreadm -g /var/core/core_global_%n_%f_%u_%g_%t_%p \
-i /var/core/core_per_proc_%n_%f_%u_%g_%t_%p \
-e log \
-e global -e global-setid -e process -e proc-setid

Discussion: By default core dump files are world readable. Yet core dumps, particularly those from setUID and setGID processes, may contain sensitive data that should not be viewed by all users on the system. The above action causes all core dumps on the system to be written to a special directory that is only accessible by the superuser. On development workstations, this may make it difficult for developers to obtain core files for debugging without administrative intervention.

Core dumps tend to be large files and the contents of the /var/core directory can end up rapidly consuming large amounts of disk space and possibly causing a denial of service attack on the system. It is a good idea to monitor this directory on a regular basis and remove any unneeded core files. If the local site chooses, dumping of core files can be completely disabled with the following command: "coreadm -d global -d global-setid -d process -d proc-setid".

4.2 Enable stack protection

Action:
if [ ! "`grep noexec_user_stack /etc/system`" ]; then
cat <<END_CFG >> /etc/system
* Attempt to prevent and log stack-smashing attacks
set noexec_user_stack = 1
set noexec_user_stack_log = 1
END_CFG
fi

Discussion: Buffer overflow exploits have been the basis for many of the recent highly publicized compromises and defacements of large numbers of Internet connected systems. Many of the automated tools in use by system crackers exploit well known buffer overflow problems in vendor supplied and third party software. Enabling stack protection prevents certain classes of buffer overflow attacks and is a significant security enhancement.

4.3 Restrict NFS client requests to privileged ports

Action:
if [ ! "`grep nfssrv:nfs_portmon /etc/system`" ]; then
cat <<END_CFG >> /etc/system
* Require NFS clients to use privileged ports
set nfssrv:nfs_portmon = 1
END_CFG
fi
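The guards in Items 4.2 and 4.3 use a bare grep, which also matches a commented-out (*) or differently valued line and would then skip the append. The added helper below (not from the guide) reads only active set lines, applies a setting idempotently and verifies all three settings; the file is a parameter so it can be tried on a scratch copy before /etc/system is touched.

```shell
#!/bin/sh
# Added example, not from the guide: idempotent /etc/system tuning plus a
# verification step for the Item 4.2 and 4.3 settings.  FILE is passed in
# explicitly so the functions can be exercised on a scratch copy first.

# system_value FILE NAME
# Prints the value of the active "set NAME = VALUE" line (the last one wins,
# as the kernel applies them).  Lines starting with "*" are /etc/system
# comments, so "* set noexec_user_stack = 0" left by an earlier edit is not
# mistaken for a live setting, which a bare grep would do.
system_value() {
    awk -v name="$2" '
        /^[ \t]*\*/ { next }
        $1 == "set" {
            line = $0
            sub(/^[ \t]*set[ \t]+/, "", line)
            split(line, kv, /[ \t]*=[ \t]*/)
            gsub(/[ \t]+$/, "", kv[2])
            if (kv[1] == name) value = kv[2]
        }
        END { if (value != "") print value }
    ' "$1"
}

# ensure_system_setting FILE NAME VALUE [COMMENT]
# Appends the setting (preceded by a "* COMMENT" line) only when the active
# value differs.  Returns 0 if FILE was changed, 1 if it was already correct.
ensure_system_setting() {
    file=$1; name=$2; want=$3; comment=$4
    have=$(system_value "$file" "$name")
    [ "$have" = "$want" ] && return 1
    {
        [ -n "$comment" ] && echo "* $comment"
        echo "set $name = $want"
    } >> "$file"
    return 0
}

# check_hardening FILE
# One PASS/FAIL line per guide setting; returns 1 if any is missing or wrong.
check_hardening() {
    rc=0
    for want in noexec_user_stack=1 noexec_user_stack_log=1 nfssrv:nfs_portmon=1; do
        name=${want%=*}; val=${want#*=}
        have=$(system_value "$1" "$name")
        if [ "$have" = "$val" ]; then
            echo "PASS $name = $have"
        else
            echo "FAIL $name = ${have:-unset} (want $val)"
            rc=1
        fi
    done
    return $rc
}
```

On a live host, `check_hardening /etc/system` is the post-reboot confirmation; the settings only take effect after the kernel re-reads the file.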

Discussion: Setting this parameter causes the NFS server process on the local system to ignore NFS client requests that do not originate from the privileged port range (ports less than 1024). This should not hinder normal NFS operations but may block some automated NFS attacks that are run by unprivileged users.

4.4 Modify network parameters

Action:
if [ ! -f /etc/init.d/netconfig ]; then
cat <<END_SCRIPT > /etc/init.d/netconfig
#!/sbin/sh
ndd -set /dev/ip ip_def_ttl 255
ndd -set /dev/ip ip_forward_src_routed 0
ndd -set /dev/ip ip6_forward_src_routed 0
ndd -set /dev/tcp tcp_rev_src_routes 0
ndd -set /dev/ip ip_forward_directed_broadcasts 0
ndd -set /dev/tcp tcp_conn_req_max_q0 4096
ndd -set /dev/tcp tcp_conn_req_max_q 1024
ndd -set /dev/ip ip_respond_to_timestamp 0
ndd -set /dev/ip ip_respond_to_timestamp_broadcast 0
ndd -set /dev/ip ip_respond_to_address_mask_broadcast 0
ndd -set /dev/ip ip_respond_to_echo_broadcast 0
ndd -set /dev/arp arp_cleanup_interval 60000
ndd -set /dev/ip ip_ire_arp_interval 60000
ndd -set /dev/ip ip_ignore_redirect 1
ndd -set /dev/ip ip6_ignore_redirect 1
ndd -set /dev/tcp tcp_extra_priv_ports_add 6112
END_SCRIPT
chown root:root /etc/init.d/netconfig
chmod 744 /etc/init.d/netconfig
ln -s /etc/init.d/netconfig /etc/rc2.d/S69netconfig
fi

Discussion: A new script is created in the action listed above. The S69netconfig script will be executed at boot time to reconfigure various network parameters. For a more complete discussion of these parameters and their effect on the security of the system, see:


http://www.sun.com/security/blueprints/

4.5 Modify additional network parameters

Question: Is this system going to be used as a firewall or gateway to pass network traffic between different networks? If the answer to both parts of the question is no, then perform the Action below.

Action:


if [ ! "`grep ip_forwarding /etc/init.d/netconfig`" ]
then
cat <<END_SCRIPT >> /etc/init.d/netconfig
ndd -set /dev/ip ip_forwarding 0
ndd -set /dev/ip ip6_forwarding 0
ndd -set /dev/ip ip_strict_dst_multihoming 1
ndd -set /dev/ip ip6_strict_dst_multihoming 1
ndd -set /dev/ip ip_send_redirects 0
ndd -set /dev/ip ip6_send_redirects 0
ndd -set /dev/ip ip_respond_to_echo_multicast 0
ndd -set /dev/ip ip6_respond_to_echo_multicast 0
END_SCRIPT
fi

Discussion: For a more complete discussion of these parameters and their effect on the security of the system, see: http://www.sun.com/security/blueprints/.

4.6 Use better TCP sequence numbers

Action:
cd /etc/default
awk '/^TCP_STRONG_ISS/ { $1 = "TCP_STRONG_ISS=2" }; \
{ print }' inetinit > inetinit.new
mv inetinit.new inetinit
chown root:sys inetinit
chmod 444 inetinit

Discussion: Setting this parameter in /etc/default/inetinit causes the system to use a better randomization algorithm for generating initial TCP sequence numbers. This makes remote session hijacking attacks more difficult, as well as any other network based attack that relies on predicting TCP sequence number information.

4.7 Set up host based firewalls

Action:

1. Download libiconv-1.8-sol9-sparc-local.gz and gcc-3.4.0-sol9-sparc-local.gz from http://www.sunfreeware.com. Place the files in the /opt directory.
Note: In order to compile ipfilters source code, a compiler capable of creating a 64 bit executable must be used. GCC versions 2.95.5 and later can be used to create 64 bit executables.

2. Install package:
cd /opt
gunzip libiconv-1.8-sol9-sparc-local.gz
gunzip gcc-3.4.0-sol9-sparc-local.gz
pkgadd -d libiconv-1.8-sol9-sparc-local all
pkgadd -d gcc-3.4.0-sol9-sparc-local all

3. Download pfil-2.1.2.tar.gz and ip_fil4.1.2.tar.gz (ipfilters depends on pfil) from http://coombs.anu.edu.au/~avalon/ip-filter.html. Place the files in the /opt directory.

4. Execute the following commands to extract the source:


cd /opt
gunzip pfil-2.1.2.tar.gz
gunzip ip_fil4.1.2.tar.gz
tar xvf pfil-2.1.2.tar
tar xvpf ip_fil4.1.2.tar

5. Install pfil:
a) Set PATH environment variable
b) Compile the pfil package


PATH=/usr/local/bin:/usr/ccs/bin:$PATH; export PATH
cd pfil
sed 's/S64FLAGS=-xildoff/#S64FLAGS=-xildoff/' Makefile \
> Makefile.new
sed 's/#S64FLAGS=-m64/S64FLAGS=-m64/' Makefile.new > Makefile
CC=gcc make package
pkgadd -d /tmp/pfil.pkg all

c) Install the newly created pfil package

Note: At the time of writing, the version of IP Filter used in this guide was the current version. Later versions may not require the makefile patch in steps 6, a) and 6, b). However, later versions have not been tested for inclusion in this guide.

6. Install ip_fil4.1.2
Note: A loadable kernel module (/etc/rc2.d/S65ipfboot) is created during the ipfilters installation.

a) Patch the Makefile. The Makefile for Solaris in ip_fil4.1.2 contains an error and must be patched as follows: Make a backup copy of the original Makefile

cd /opt/ip_f
il4.1.2/SunOS5
cp Makefile Makefile.orig

b) Create the patch file (in place of [space] and [tab], insert a single space or tab character, respectively; this is critical for Makefile formatting) and patch the Makefile

cat << END_SCRIPT > Makefile.patch
199,200c199,200
<[space]\$(OBJ)/ip_rules.o: \$(TOP)/ip_rules.c \$(TOP)/ip_rules.h
<[space][tab]\$(CC) -I\$(TOP) \$(DFLAGS) -c \$(TOP)/ip_rules.c \
-o \$@
--
>[space]\$(OBJ)/ip_rules.o: \$(OBJ)/ip_rules.c \$(TOP)/ip_rules.h
>[space][tab]\$(CC) -I\$(TOP) \$(DFLAGS) -c \$(OBJ)/ip_rules.c \
-o \$@
306,307c306,314
<[space]\$(OBJ)/ip_rules_u.o: \$(TOP)/ip_rules.c \
\$(TOP)/ip_fil.h \$(TOP)/ip_rules.h
<[space][tab]\$(CC) \$(CCARGS) \$(EXTRA) -c \$(TOP)/ip_rules.c \
-o \$@
--
>[space]\$(OBJ)/ip_rules.c: \$(OBJ)/ipf.exe \
\$(TOP)/tools/ipfcomp.c \$(TOP)/rules/ip_rules
>[space][tab]\$(OBJ)/ipf.exe -cc -nf \$(TOP)/rules/ip_rules
>[space][tab]-/bin/mv -f ip_rules.c \$(OBJ)
>[space]
>[space]\$(TOP)/ip_rules.h: \$(OBJ)/ip_rules.c
>[space][tab]/bin/mv -f ip_rules.h \$(TOP)
>[space]
>[space]\$(OBJ)/ip_rules_u.o: \$(OBJ)/ip_rules.c \
\$(TOP)/ip_fil.h \$(TOP)/ip_rules.h
>[space][tab]\$(CC) \$(CCARGS) \$(EXTRA) -c \
\$(OBJ)/ip_rules.c -o \$@
END_SCRIPT
patch Makefile < Makefile.patch

c) Create the ipfilter binaries

cd ..
CC=gcc make solaris

d) Build and install the package

cd SunOS5
CC=gcc make package
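Review bot: the separator between the `<` and `>` lines of each hunk in Makefile.patch is written as `--`, while the `199,200c199,200` and `306,307c306,314` headers are normal (non-context) diff format, whose separator is `---`; confirm the separator line before running `patch Makefile < Makefile.patch`, since a malformed hunk is rejected rather than applied. The `[space]` and `[tab]` placeholders must be replaced with literal characters before the file is written, and the `\`-newline splits are joined by the unquoted here-document, which is what keeps the old/new line counts at the 2 and 9 lines the headers declare.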

7. Turn on ipfilter
cat << END_SCRIPT >> /etc/rc.conf
ipfilter_enable="YES"
ipfilter_rules="/etc/opt/ipf/ipf.conf"
ipfilter_flags="-E"
END_SCRIPT

8. Set up filter rules
Note: Use the appropriate interface in place of hme0. Use ifconfig -a to list available network interfaces. Use the appropriate network address in place of the x.x.x


cat << END_SCRIPT > /etc/opt/ipf/ipf.conf
# block all but localhost access
block return-rst in log first level auth.warn quick on hme0 proto tcp \
from any to any port = 898 # web-based enterprise management
block return-rst in log first level auth.warn quick on hme0 proto tcp \
from any to any port = 3852 # sunscreen gui
block return-rst in log first level auth.warn quick on hme0 proto tcp \
from any to any port = 3853 # sunscreen remote admin
block return-rst in log first level auth.warn quick on hme0 proto tcp \
from any to any port = 5981 # java browser
block return-rst in log first level auth.warn quick on hme0 proto tcp \
from any to any port = 5987 # web-based enterprise management
block return-rst in log first level auth.warn quick on hme0 proto tcp \
from any to any port 5999 >< 6064 # Xserver
block return-rst in log first level auth.warn quick on hme0 proto tcp \
from any to any port = 8888 # answerbook
# block all but local network
block return-rst in log first level auth.warn quick on hme0 proto tcp \
from !x.x.x.0/24 to any port = 111 # rpcbind
block return-rst in log first level auth.warn quick on hme0 proto tcp \
from !x.x.x.0/24 to any port = 587 # mail submission
block return-rst in log first level auth.warn quick on hme0 proto tcp \
from !x.x.x.0/24 to any port = 2049 # nfsd
block return-rst in log first level auth.warn quick on hme0 proto tcp \
from !x.x.x.0/24 to any port = 2099 # rmi
block return-rst in log first level auth.warn quick on hme0 proto tcp \
from !x.x.x.0/24 to any port = 4045 # lockd
block return-rst in log first level auth.warn quick on hme0 proto tcp \
from !x.x.x.0/24 to any port 32767 >< 32901 # rpc services
block return-icmp(port-unr) in log first level auth.warn quick on \
hme0 proto udp from !x.x.x.0/24 to any port = 111 # rpcbind
block return-icmp(port-unr) in log first level auth.warn quick on \
hme0 proto udp from !x.x.x.0/24 to any port = 161 # snmpdx
block return-icmp(port-unr) in log first level auth.warn quick on \
hme0 proto udp from !x.x.x.0/24 to any port = 514 # syslog
block return-icmp(port-unr) in log first level auth.warn quick on \
hme0 proto udp from !x.x.x.0/24 to any port = 2049 # nfsd
block return-icmp(port-unr) in log first level auth.warn quick on \
hme0 proto udp from !x.x.x.0/24 to any port = 2099 # rmi
block return-icmp(port-unr) in log first level auth.warn quick on \
hme0 proto udp from !x.x.x.0/24 to any port = 4045 # lockd
block return-icmp(port-unr) in log first level auth.warn quick on \
hme0 proto udp from !x.x.x.0/24 to any port 32767 >< 32901 # rpc svcs
END_SCRIPT
chown root:sys /etc/opt/ipf/ipf.conf
chmod 644 /etc/opt/ipf/ipf.conf
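To avoid hand-editing hme0 and x.x.x, here is an added generator (not part of the guide) that emits this step's ruleset for a given interface and /24 prefix and refuses a prefix that is still the placeholder; the interface and network used in the test are made up.

```shell
#!/bin/sh
# Added example, not from the guide: generate the Item 4.7 ipf.conf ruleset
# from an interface name and a /24 prefix instead of editing the hme0 and
# x.x.x placeholders by hand.  The port tables are the guide's; an "a><b"
# entry is an ipf port range.

LOCALHOST_TCP='898|web-based enterprise management
3852|sunscreen gui
3853|sunscreen remote admin
5981|java browser
5987|web-based enterprise management
5999><6064|Xserver
8888|answerbook'

LOCALNET_TCP='111|rpcbind
587|mail submission
2049|nfsd
2099|rmi
4045|lockd
32767><32901|rpc services'

LOCALNET_UDP='111|rpcbind
161|snmpdx
514|syslog
2049|nfsd
2099|rmi
4045|lockd
32767><32901|rpc svcs'

# port_expr SPEC -> ipf port clause: "898" -> "port = 898",
# "5999><6064" -> "port 5999 >< 6064"
port_expr() {
    case "$1" in
        *'><'*) echo "port ${1%%><*} >< ${1##*><}" ;;
        *)      echo "port = $1" ;;
    esac
}

# emit_rules TABLE IFACE PROTO SOURCE ACTION
# One logged "block ... quick" rule per table entry, written as a single
# line (the guide's trailing backslashes only wrap the here-document).
emit_rules() {
    printf '%s\n' "$1" | while IFS='|' read -r spec comment; do
        printf 'block %s in log first level auth.warn quick on %s proto %s from %s to any %s # %s\n' \
            "$5" "$2" "$3" "$4" "$(port_expr "$spec")" "$comment"
    done
}

# gen_ipf_conf IFACE PREFIX   (PREFIX = first three octets, e.g. 192.0.2)
# Prints the ruleset; rejects a prefix that is not three numeric octets so
# the x.x.x placeholder cannot end up in /etc/opt/ipf/ipf.conf.
gen_ipf_conf() {
    iface=$1
    printf '%s\n' "$2" | grep -Eq '^([0-9]{1,3}\.){2}[0-9]{1,3}$' || {
        echo "gen_ipf_conf: '$2' is not a /24 prefix such as 192.0.2" >&2
        return 1
    }
    net="!$2.0/24"
    echo "# block all but localhost access"
    emit_rules "$LOCALHOST_TCP" "$iface" tcp any return-rst
    echo "# block all but local network"
    emit_rules "$LOCALNET_TCP" "$iface" tcp "$net" return-rst
    emit_rules "$LOCALNET_UDP" "$iface" udp "$net" 'return-icmp(port-unr)'
}
```

Run as `gen_ipf_conf hme0 <prefix> > /etc/opt/ipf/ipf.conf` and then apply the chown/chmod from this step.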

9. Configure router information
Note: Replace x.x.x.x with the actual IP address for the default router.
route add x.x.x.x localhost 0 # default router

10. Add the following to /etc/syslog.conf
printf "local0.info;local0.err;local0.debug\t\t/var/log/ipflog\n" \
>> /etc/syslog.conf

11. Create /var/log/ipflog
touch /var/log/ipflog
chown root:sys /var/log/ipflog
chmod 600 /var/log/ipflog

12. Reboot the system
Note: The syslog daemon will be restarted when the system is rebooted.
init 6

Discussion: In some environments, services that should ideally be disabled must remain open due to operational necessity. Care should be taken to prevent unauthorized or insecure access to these services. In the case of services spawned by inetd, the TCP Wrappers daemon, discussed previously, is used to perform this access control. Not all services are spawned by inetd and some of these services do not have the means to prevent unauthorized access. Therefore it is recommended to use a host based firewall to limit access to a machine's services. The firewall configuration given above is for the ipfilter firewall. In this configuration, some ports are blocked outright so that only the local machine can connect to them. Access to other ports, however, is granted to any machine on a local subnet.

Access to other ports not specifically mentioned is assumed to be blocked by TCP Wrappers or a service specific access control mechanism. For all the ports blocked above, the firewall will log all incoming access attempts and respond to the request as if the port were not open. The ipfilter firewall was chosen because it compiles and runs on both Sparc and x86 platforms, for 32 and 64 bit versions of Solaris. Furthermore, modern versions of the firewall software contain support for IPv6 firewall rules. More information regarding the patch in step 6b can be found at the author's web site:


http://blog.graves.com/b2evolution/blogs/blog_a.php?p=590.

4.8 Set routing policies/configuration

Question: Is your machine acting as a router or does it need to perform IPv4 router discovery? If the answer is no, proceed with the Action below to set up static routing.

Action:
Note: x.x.x.x must be replaced with the address appropriate for your network.


echo x.x.x.x > /etc/defaultrouter
chown root:sys /etc/defaultrouter
chmod 644 /etc/defaultrouter

Discussion: The defaultrouter file is used to provide a default network route for the machine. Its presence also prevents the IPv4 router discovery daemon, in.rdisc, from starting at boot time.
Note: DHCP published routes supersede the router found in /etc/defaultrouter.

5 Logging
The items in this chapter cover enabling various different forms of system logging in order to keep track of activities on the system. Tools such as Swatch (http://swatch.sf.net) and Logcheck (http://sourceforge.net/projects/sentrytools/) can be used to automatically monitor logs for intrusion attempts and other suspicious system behavior. These tools are not officially supported by Sun Microsystems.

In addition to the local log files created by the steps in this chapter, it is also recommended that sites collect copies of their system logs on a secure centralized log server. Not only does centralized logging help sites correlate events that may be occurring on multiple systems, but having a second copy of the system log information may be critical after a system compromise where the attacker has modified local log files on the affected system(s). Because it is often necessary to correlate log information from many different systems (particularly after a security incident), experts recommend establishing some form of time synchronization among systems and devices connected to the local network. The standard Internet protocol for time synchronization is the Network Time Protocol (NTP), which is supported by most network ready devices. More information on NTP can be found in Item 1.7, at http://www.ntp.org and at http://www.sun.com/security/blueprints.

5.1 Turn on inetd tracing

Action:
cd /etc/default
if [ "`grep ENABLE_CONNECTION_LOGGING= inetd`" ]; then
awk '/ENABLE_CONNECTION_LOGGING=/ \
{ $1 = "ENABLE_CONNECTION_LOGGING=YES" } { print }' inetd > inetd.new
mv inetd.new inetd
else
echo ENABLE_CONNECTION_LOGGING=YES >> inetd
fi
chown root:sys inetd
chmod 444 inetd

Discussion: If inetd is running, it is a good idea to make use of the "tracing" (-t) feature of the Solaris inetd that logs information about the source of any network connections seen by the daemon. This information is logged via syslog. By default Solaris systems deposit this logging information in /var/adm/messages with other system log messages. Should the administrator wish to capture this information in a separate file, simply modify /etc/syslog.conf to log daemon.notice to some other log file destination (see Item 5.3).

In addition to the information provided by inetd tracing, the popular free PortSentry tool (http://sourceforge.net/projects/sentrytools/) can be used to monitor access attempts on unused ports. Running PortSentry may result in some security testing tools reporting "false positives" for "active" ports that are actually being held by the PortSentry daemon. PortSentry is not officially supported by Sun Microsystems.

5.2 Turn on additional logging for FTP daemons

Action:
cd /etc/inet
awk '/in.ftpd/ && !/-d/ { $NF = $NF " -d" }
/in.ftpd/ && !/-l/ { $NF = $NF " -l" }
{ print }' inetd.conf > inetd.conf.new
mv inetd.conf.new inetd.conf
chown root:sys inetd.conf
chmod 444 inetd.conf

Discussion: If the FTP daemon is left on, it is recommended that the debugging (-d) and connection logging (-l) flags also be enabled to track FTP activity on the system. Enabling debugging on the FTP daemon can cause user passwords to appear in clear text form in the system logs, if the user accidentally types in their password at the username prompt. Information about FTP sessions will be logged via syslog, but the system must be configured to capture these messages. For further information, see Item 5.3, "Capture FTP and inetd Connection Tracing Info" below.

5.3 Capture FTP and inetd connection tracing info

Action:
if [ ! "`grep -v '^#' /etc/syslog.conf | \
grep /var/log/connlog`" ]; then
echo "daemon.debug\t\t\t\t\t/var/log/connlog" \
>> /etc/syslog.conf
fi
touch /var/log/connlog
chown root:root /var/log/connlog
chmod 600 /var/log/connlog
/etc/init.d/syslog stop
/etc/init.d/syslog start

Discussion: If the FTP service is enabled on the system, Item 5.2 also enables the debugging (-d) and connection logging (-l) flags to track FTP activity on the system. Similarly, the tracing (-t) option to inetd was enabled in Item 5.1. All of this information is logged to syslog, but the syslog daemon must be configured to capture this information to a file. The connlog file should be reviewed and archived on a regular basis. A sample script for archiving log files is provided in Item 5.11.
Note: Syslog message format is subject to change in Solaris patches and updates.

5.4 Capture messages sent to syslog Auth facility

Action:

1) Edit /etc/syslog.conf


cd /etc
awk '/err;kern.notice/ { $1 = "#"$1 }; \
/err;kern.debug/ { $1 = "#"$1 }; \
/alert;kern.err/ { $1 = "#"$1 }; \
/user.alert/ { $1 = "#"$1 }; \
/user.emerg/ { $1 = "#"$1 }; \
{ print }' syslog.conf > syslog.conf.new
mv syslog.conf.new syslog.conf
chown root:sys syslog.conf
chmod 644 syslog.conf

2) Add the following new information to /etc/syslog.conf
printf "auth.err\t\t\t\t\t/dev/console
*.err;auth.notice;kern.debug\t\t\tifdef(\`LOGHOST', \
/var/adm/messages, @loghost)
kern.info\t\t\t\t\tifdef(\`LOGHOST', /var/log/kernlog, @loghost)
user.info\t\t\t\t\tifdef(\`LOGHOST', /var/log/userlog, @loghost)
mail.info\t\t\t\t\tifdef(\`LOGHOST', /var/log/maillog, @loghost)
daemon.info\t\t\t\t\tifdef(\`LOGHOST', /var/log/daemonlog, @loghost)
auth.info\t\t\t\t\tifdef(\`LOGHOST', /var/log/authlog, @loghost)
cron.info\t\t\t\t\tifdef(\`LOGHOST', /var/log/cronlog, @loghost)\n" \
>> syslog.conf

3) Create log files
cd /var/log
touch kernlog userlog maillog daemonlog cronlog authlog
chown root:sys kernlog userlog maillog daemonlog cronlog authlog
chmod 600 kernlog userlog maillog daemonlog cronlog authlog

4) Restart the syslog daemon
/etc/init.d/syslog stop
/etc/init.d/syslog start

Discussion: The original configuration file for syslog does not log AUTH messages to any files. AUTH messages should be logged to keep track of who logs into the system. The remote log host name should be added to /etc/hosts so the remote host name will always be resolved, even if the DNS server is down. The remote log host should be listed in /etc/hosts as the loghost. A cron job can be set up using the grep command to separate the two systems' information in /var/log/authlog.

5.5 Create /var/adm/loginlog

Action:
touch /var/adm/loginlog
chown root:sys /var/adm/loginlog
chmod 600 /var/adm/loginlog
cd /etc/default
awk '/SYSLOG_FAILED_LOGINS=/ \
{ $1 = "SYSLOG_FAILED_LOGINS=0" }; \
{ print }' login > login.new
mv login.new login
chown root:sys login
chmod 444 login

Discussion: If the loginlog exists, the file /var/adm/loginlog will capture failed login attempt messages (this file does not exist by default). Administrators may also modify the SYSLOG_FAILED_LOGINS parameter in /etc/default/login to control how many login failures are allowed before log messages are generated; if set to zero then all failed logins will be logged in batches of five. The loginlog file should be reviewed and archived on a regular basis. The logadm utility can be used to archive all log files. A sample script for archiving log files is provided in Item 5.11.

5.6 Turn on cron logging

Action:


cd /etc/default
awk '/CRONLOG/ { $1 = "CRONLOG=YES" }; \
{ print }' cron > cron.new
mv cron.new cron
chown root:sys cron
chmod 444 cron

Discussion: Setting the CRONLOG parameter to YES in /etc/default/cron causes information to be logged for every cron job that gets executed on the system. Log data can be found in /var/cron/log and this file should be reviewed on a regular basis.
Note: Although this is already the default configuration for Solaris 9, this action serves to reinforce the default or to change the setting back to default in case it has been altered.

5.7 Enable system accounting

Action:
cat <<END_SCRIPT > /etc/init.d/newperf
#!/sbin/sh
/usr/bin/su sys -c \
"/usr/lib/sa/sadc /var/adm/sa/sa\`date +%d\`"
END_SCRIPT
mv /etc/init.d/newperf /etc/init.d/perf
chown root:sys /etc/init.d/perf
chmod 744 /etc/init.d/perf
rm -f /etc/rc2.d/S21perf
ln -s /etc/init.d/perf /etc/rc2.d/S21perf
/usr/bin/su sys -c crontab <<END_ENTRIES
0,20,40 * * * * /usr/lib/sa/sa1
45 23 * * * /usr/lib/sa/sa2 -s 0:00 -e 23:59 -i 1200 -A
END_ENTRIES

Discussion: The system accounting script above gathers baseline system data (CPU utilization, disk I/O, etc.) every 20 minutes. The data may be accessed with the sar command (see man sar for more information), or by reviewing the nightly report files named /var/adm/sa/sar*. Once a normal baseline for the system has been established, unauthorized activity (password crackers and other CPU intensive jobs, and activity outside of normal usage hours) may be detected due to departures from the normal system performance curve.

This data is only archived for one week before being automatically removed by the regular nightly cron job. Administrators may wish to archive the /var/adm/sa directory on a regular basis to preserve this data for longer periods.

5.8 Enable kernel level auditing

Action:

1) Enable Basic Security Module (BSM)


echo y | /etc/security/bsmconv

Note: The "y" is used to answer the following question, "Shall we continue with the conversion now? [y/n]".

2) Configure the classes of events to log


mkdir -p /var/log/auditlog
mkdir -p /opt/log/auditlog
cd /etc/security
cat << END_PARAMS > audit_control
dir:/var/log/auditlog
flags:lo,ad,ex,fm,-fw,-fc,-fd,na
naflags:lo,ad,ex,fm,-fw,-fc,-fd
minfree:20
/usr/sbin/auditconfig -setpolicy -cnt,argv,arge
# location for log overflow
dir:/opt/log/auditlog
END_PARAMS

3) Create a root cron job to force new audit logs daily
cd /var/spool/cron/crontabs
crontab -l > root.tmp
echo '0 0 * * * /usr/sbin/audit -n' >> root.tmp
crontab root.tmp
rm -f root.tmp

4) Reboot system
Note: If L1-A is needed, please enable it before the system is rebooted (See information provided in the Discussion section).


init 6

5) See Item 5.11 for log rotation script

Discussion: Auditing gathers system data about logins and logouts, administrative actions, exec system calls, etc. Although auditing may cause some performance degradation, in the event system intrusion does occur, the information obtained from the audit logs will provide very valuable forensic evidence. When BSM is enabled, the startup scripts for L1-A and vold are disabled. The L1-A feature allows the system administrator to halt the system. If L1-A is needed, comment out the line containing "abort_enable=0" in /etc/system. The vold daemon is used for volume management services. If vold is needed, move /etc/security/spool/S81volmgt to /etc/rc3.d/S81volmgt. If the minfree value is reached, the system will begin logging the auditing information in the secondary directory if one is listed.
Note: The BSM should not be enabled more than once.

5.9 Configure role based access control

The security policy of your organization will determine if all of the following role accounts are needed.
Note: The roleadd command will populate the /etc/passwd, /etc/shadow, and /etc/user_attr files. The roleadd command restricts the length of the role name to eight characters. The Primary Administrator role can also be created using the Solaris Management Console.

Action:

1. Set up the audit account role
The Audit role allows assigned users access to monitor the audit logs. To prevent unauthorized users from gaining access to audit information, only those users who require all of the privileges associated with this role should be assigned this role.
a) Add audit account to /etc/passwd file
Note: The following entry should be placed directly after the root entry
audit::0:1:Audit_User:/:/sbin/sh

b) Add audit account information to /etc/shadow
pwconv

c) Set password for audit account
passwd audit

d) Add entry in /etc/security/audit_user to turn off auditing for the audit account


echo "audit:no:all" >> /etc/security/audit_user

e) Make the audit account a role
echo "audit::::type=role;auths=solaris.audit.;\
profiles=Audit Control, Audit Review" >> \
/etc/user_attr

f) Assign users to the audit role
Note: This step should be repeated for each user that needs access to the audit role. username is the name of the desired audit role user.


usermod -R audit username

2. Set up the Primary Administrator role
The Primary Administrator role allows assigned users access to perform administrative tasks. Only those users who require all of the privileges associated with this role should be assigned to this role.
a) Add "Primary Administrator" role
Note: userid is the desired user id number for the newly created PrimAdm role. homeaccountdir is the directory under which individual home directories are stored, such as /home/.


roleadd -u userid -o -g sysadmin -d /homeaccountdir/PrimAdm \
-s /bin/pfsh -m -P "Primary Administrator" PrimAdm

b) Set up the Primary Administrator password
Note: The newly created role will remain locked until the passwd command is used to assign a password to the account.


passwd PrimAdm

c) Assign user to the Primary Administrator role
To assign an existing user to the role of Primary Administrator, perform the following
Note: username is the username of an existing user to be assigned to the PrimAdm role.


usermod -R PrimAdm username

To create a new user account and assign the user to the Primary Administrator role, perform the following
Note: userid is the desired user id for the newly created user. usergrp is the desired primary group for the newly created user. /homeaccountdir/ is the directory under which individual home directories are stored, such as /homes/. username is the desired username for the newly created user.


useradd -u userid -o -g usergrp -d /homeaccountdir/username -m \
-s /bin/sh -R PrimAdm username

3. Set up the System Administrator role
The System Administrator role allows assigned users access to perform "non security" administrative tasks, such as device management, network management, software installations, etc. Only those users who require all of the privileges associated with this role should be assigned to this role.
a) Add "System Administrator" role


roleadd -u userid -o -g sysadmin -d /homeaccountdir/SystAdm \
-s /bin/pfsh -m -P "System Administrator" SystAdm

b) Set up the System Administrator password
Note: The newly created role will remain locked until the passwd command is used to assign a password to the account.


passwd SystAdm

c) Assign user to the System Administrator role
If the user account already exists, add the user to the role by performing the following
usermod -R SystAdm username

To create a new user account and assign the user to the System Administrator role, perform the following
useradd -u userid -o -g usergrp -d /homeaccountdir/username -m \
-s /bin/sh -R SystAdm username

4. Set up the Operator role
The Operator role allows assigned users access to perform tape backups, tape restores and printer management. To prevent unauthorized users from introducing exploits on the system, only those users who require all of the privileges associated with this role should be assigned to this role.
a) Add "Operator" role


roleadd -u userid -o -g sysadmin -d /homeaccountdir/TapeOp \
-s /bin/pfsh -m -P "Operator" TapeOp

b) Set up the Operator password
Note: The newly created role will remain locked until the passwd command is used to assign a password to the account.


passwd TapeOp

c) Assign user to the Operator role

If the user account already exists, add the user to the role by performing the following.
usermod -R TapeOp username


To create a new user account and assign the user to the Operator role, perform the following.


useradd -u userid -o -g usergrp -d /homeaccountdir/username -m \
    -s /bin/sh -R TapeOp username

5. Restart the name service cache daemon in order for the new roles to take effect.
/etc/init.d/nscd stop
/etc/init.d/nscd start

Discussion:
Role-Based Access Control (RBAC) assigns user privileges based on least privilege and separation of duty. RBAC allows a system administrator to assign individuals to roles based on their job function. A user can use the "su" command to switch to an assigned role.
To prevent the system administrator from logging onto the system as root, root can be made into a role. By creating this role, users will be required to log on as themselves before switching to the root account. Please see Sun documentation (http://docs.sun.com/app/docs/doc/806-4078/6jd6cjs58?a=view) on making the root user into a role.

5.10 Confirm permissions on system log files
Action:
chown root:sys /var/log/syslog /var/log/authlog \
    /var/adm/loginlog
chown root:root /var/cron/log /var/adm/messages
chmod go-wx /var/log/syslog /var/adm/messages
chmod go-rwx /var/log/authlog /var/adm/loginlog \
    /var/cron/log
cd /var/adm
chown root:bin utmpx
chown adm:adm wtmpx
chmod 644 utmpx wtmpx
chown sys:sys /var/adm/sa/*
chmod go-wx /var/adm/sa/*
dir=`awk -F: '($1 == "dir") { print $2 }' \
    /etc/security/audit_control`
chown root:root $dir/*
chmod go-rwx $dir/*


Discussion:
It is critical to protect system log files from being modified by unauthorized individuals. Also, certain logs contain sensitive data that should only be available to the system administrator.
Sites using the runacct script for generating billing reports and other data from the system process accounting logs will notice that the script incorrectly sets the mode on the wtmpx file to 664 (adds the "group writability" bit). The local site may wish to "chmod g-w /var/adm/wtmpx" after running the runacct script. Additional information about how to use runacct can be found on the SUN runacct man page.
Note: Although this is already the default configuration for Solaris 9, this action serves to reinforce the default or to change the setting back to default in case it has been altered.

5.11 Implement automated log rotation
Action:
Modify the /etc/logadm.conf file.
Note: The time listed after the -P option indicates the last time the log was rotated.
cat << END_SCRIPT >> /etc/logadm.conf
/var/log/kernlog -C 4 -p 1m -p 5d \
    -a 'kill -HUP \`cat /var/run/syslog.pid\`'
/var/log/userlog -C 4 -p 1m -p 5d \
    -a 'kill -HUP \`cat /var/run/syslog.pid\`'
/var/log/maillog -C 4 -p 1m -p 5d \
    -a 'kill -HUP \`cat /var/run/syslog.pid\`'
/var/log/daemonlog -C 4 -p 1m -p 5d \
    -a 'kill -HUP \`cat /var/run/syslog.pid\`'
/var/log/authlog -C 4 -p 1m -p 5d \
    -a 'kill -HUP \`cat /var/run/syslog.pid\`'
/var/log/cronlog -C 4 -p 1m -p 5d \
    -a 'kill -HUP \`cat /var/run/syslog.pid\`'
/var/log/connlog -C 4 -p 1m -p 5d \
    -a 'kill -HUP \`cat /var/run/syslog.pid\`'
/var/log/loginlog -C 4 -p 1m -p 5d \
    -a 'kill -HUP \`cat /var/run/syslog.pid\`'
END_SCRIPT
chown root:sys /etc/logadm.conf
chmod 644 /etc/logadm.conf

Modify the root crontab entry for logadm.
Note: The time in the crontab file should be set for the time at which your organization would like to have logadm started.


EDITOR=path_to_favorite_editor crontab -e

Change the logadm line to read "30 6 11 * * /usr/sbin/logadm".


Discussion:
System administrators must be aware that the information collected in the logs is important and could potentially serve as forensic evidence. They must also remember that disk space is limited and every possible step should be taken to preserve it.
The logadm and crontab commands can be used by system administrators to set up automated log rotation. logadm can also be used at the command line to rotate a log that has become too large before its scheduled rotation. The -V option should be used to validate that the entries in the file are correct when the logadm command is used to manually edit the /etc/logadm.conf configuration file.

6 File/Directory Permissions/Access
6.1 Add 'logging' option to root file system
Action:
awk '($4 == "ufs" && $3 == "/" && $7 == "-") \
    { $7 = "logging" }; \
    ($4 == "ufs" && $3 == "/" && $7 !~ /logging/) \
    { $7 = $7",logging" }; \
    { print }' /etc/vfstab > /etc/vfstab.new
mv /etc/vfstab.new /etc/vfstab
chown root:sys /etc/vfstab
chmod 664 /etc/vfstab

Discussion:
A corrupted root file system is one mechanism that an attacker with physical access to the system console can use to compromise the system. By enabling the logging option on the root file system, it is much more difficult for the root file system to become corrupted at all, thwarting this particular type of attack. However, other sorts of attacks are possible if the attacker has unrestricted physical access to the system. Be sure to keep critical systems in limited-access data centers or other restricted facilities.
The administrator may also wish to add the logging option to other ufs type file systems in /etc/vfstab. This will help the system to reboot faster in the event of a crash at the cost of some disk overhead (up to a maximum of 64 MB per partition) for the file system transaction log file.


6.2 Add 'nosuid' option to /etc/rmmount.conf
Action:


if [ ! "`grep -- '-o nosuid' /etc/rmmount.conf`" ]; then
    fs=`awk '($1 == "ident") && ($2 != "pcfs") \
        { print $2 }' /etc/rmmount.conf`
    echo mount \* $fs -o nosuid >> /etc/rmmount.conf
fi

Discussion:
Removable media is one method by which malicious software can be introduced into the system. By forcing these file systems to be mounted with the nosuid option, the administrator prevents users from bringing set-UID programs into the system via CD-ROMs and floppy disks.
Note: Although this is already the default configuration for Solaris 9, this action serves to reinforce the default or to change the setting back to default in case it has been altered.

6.3 Configure vold.conf to allow users access to CD-ROM only
Action:
awk '($2 == "floppy" || $2 == "dev/diskette[0-9]/*" \
    || $4 == "floppy" || $2 == "rmdisk" ) { $1 = "#"$1 }; \
    { print }' /etc/vold.conf > /etc/vold.conf.new
mv /etc/vold.conf.new /etc/vold.conf
chown root:bin /etc/vold.conf
chmod 444 /etc/vold.conf

Discussion:
Users can use removable media, such as floppy disks, to insert malicious code on the system. By preventing regular users from having access to the floppy drive and other removable devices, there is less of a chance that an exploit will be loaded on the system. Only the root user will be allowed to mount floppy drives.
In Solaris 9, the Volume Manager now allows users access to removable devices, such as DVD-ROMs, Jaz and Zip drives. The rmformat command should be used to format, label, and set read/write protection for the removable devices.
Note: If a user has access to CD burners, the threat of the user loading an exploit on the system still exists.


6.4 Verify passwd, shadow, and group file permissions
Action:


cd /etc
chown root:sys passwd shadow group
chmod 644 passwd group
chmod 400 shadow

Discussion:
This ensures the correct ownership and access permissions for these files.
Note: Although this is already the default configuration for Solaris 9, this action serves to reinforce the default or to change the setting back to default in case it has been altered.

6.5 Verify world-writable directories have their sticky bit set
Action:
Administrators who wish to obtain a list of world-writable directories may execute the following commands:


for part in `awk '($4 == "ufs" || $4 == "tmpfs") \
    { print $3 }' /etc/vfstab`
do
    find $part -xdev -type d \
        \( -perm -0002 -a ! -perm -1000 \) -print
done

Discussion:
When the so-called "sticky bit" is set on a directory, then only the owner of a file may remove that file from the directory (as opposed to the usual behavior where anybody with write access to that directory may remove the file). Setting the sticky bit prevents users from overwriting each other's files, whether accidentally or maliciously, and is generally appropriate for most world-writable directories. However, consult appropriate vendor documentation before blindly applying the sticky bit to any world-writable directories found in order to avoid breaking any application dependencies on a given directory.

6.6 Find unauthorized world-writable files
Action:
Administrators who wish to obtain a list of the world-writable files currently on the system may run the following commands:

for part in `awk '($4 == "ufs" || $4 == "tmpfs") \
    { print $3 }' /etc/vfstab`
do
    find $part -xdev -type f -perm -0002 -print
done

Discussion:
Data in world-writable files can be modified and compromised by any user on the system. World-writable files may also indicate an incorrectly written script or program that could potentially be the cause of a larger compromise to the system's integrity. Generally removing write access for the "other" category (chmod o-w <filename>) is advisable, but always consult relevant vendor documentation in order to avoid breaking any application dependencies on a given file.

6.7 Find unauthorized SUID/SGID system executables
Action:
Administrators who wish to obtain a list of the set-user-ID and set-group-ID programs currently installed on the system may run the following commands:


for part in `awk '($4 == "ufs" || $4 == "tmpfs") \
    { print $3 }' /etc/vfstab`
do
    find $part -xdev -type f \
        \( -perm -04000 -o -perm -02000 \) -print
done

Discussion:
The administrator should take care to ensure that no rogue set-UID programs have been introduced into the system. Information on the set-UID and set-GID applications that normally ship with Solaris systems can be found at http://ist.uwaterloo.ca/security/howto. Cryptographic checksums of these files (along with all standard files in the Solaris operating system) can be obtained from the Solaris Fingerprint Database (see http://sunsolve.sun.com/pub-cgi/fileFingerprints.pl). Tools for interacting with the Fingerprint Database are available from http://www.sun.com/blueprints/tools/.


6.8 Find unowned files and directories
Action:
Administrators who wish to obtain a list of files and directories currently installed on the system where the user or group owner of the file is not listed in the /etc/passwd or /etc/group files may run the following command:


find / \( -nouser -o -nogroup \) -print

Discussion:
Sometimes when administrators delete users from the system, they neglect to remove all the files owned by those users from the system. A new user who is assigned the deleted user's user ID or group ID may then end up "owning" these files, and thus have more access on the system than was intended. It is a good idea to locate files that are owned by users or groups not listed in the system configuration files, and make sure to reset the ownership of these files to some active user on the system as appropriate.

6.9 Run fix-modes
Action:
1. Download the precompiled fix-modes software from


http://www.sun.com/software/security/downloads.html

2. Unpack and install the software
uncompress SUNBEfixm.pkg.Z
pkgadd -d SUNBEfixm.pkg all

3. Run the fix-modes program.
/opt/SUNBEfixm/fix-modes

Discussion:
The fix-modes software corrects various ownership and permission issues with files throughout the Solaris OS file systems. This program should be rerun every time packages are added to the system, or patches are applied. Administrators may wish to run the tool periodically out of cron.
The actions above recommend using a precompiled version of fix-modes supplied by Sun for use with their Solaris Security Toolkit framework. The source code is also available from the same URL. Sun's version of the tool has been specifically modified to avoid well-known problems when running fix-modes on SSP systems for the E10K and E15K products.

Exploiting programs that have their SUID and/or SGID bits set is one of the most common methods employed by an attacker for privilege escalation. In most cases these programs are rarely needed by the average user (e.g. video card configuration). Thus, many set-UID and set-GID executables can have their SUID/SGID bits removed without any appreciable difference in system usability.

7 System Access, Authentication, and Authorization
7.1 Set higher security level for sadmind service
Action:
cd /etc/inet
awk '/sadmind / && !/-S/ { $7 = $7 " -S 2" } { print }' inetd.conf > inetd.conf.new
mv inetd.conf.new inetd.conf
chown root:sys inetd.conf
chmod 444 inetd.conf

Discussion:
The sadmind service is the primary daemon that enables the Solaris remote administration framework for distributed system administration tasks. Since the operations allowed by this daemon are extremely powerful, it is best to use the highest security setting available for authorizing client connections. Given the history of significant security issues with sadmind, the items of Chapter 2 of this document actually disable the sadmind service, so this setting will only take effect if the service is re-enabled in inetd.conf.

7.2 Disable "nobody" access for secure RPC
Action:
cd /etc/default
awk '/ENABLE_NOBODY_KEYS=/ \
    { $1 = "ENABLE_NOBODY_KEYS=NO" } { print }' keyserv > keyserv.new
mv keyserv.new keyserv
chown root:sys keyserv
chmod 444 keyserv


Discussion:
The keyserv process stores user keys that are utilized with Sun's secure RPC mechanism. The above action prevents keyserv from using default keys for the "nobody" user, effectively stopping this user from accessing information via secure RPC.

7.3 Remove .rhosts support in /etc/pam.conf
Action:
cd /etc
grep -v rhosts_auth pam.conf > pam.conf.new
mv pam.conf.new pam.conf
chown root:sys pam.conf
chmod 644 pam.conf

Discussion:
Used in conjunction with the BSD-style "r-commands" (rlogin, rsh, rcp), .rhosts files implement a weak form of authentication based on the network address or host name of the remote computer. Disabling .rhosts support helps prevent users from subverting the system's normal access control mechanisms.
If .rhosts support is required, some basic precautions should be taken when creating and managing .rhosts files. Never use the "+" wildcard character in .rhosts files. In fact, .rhosts entries should always specify a specific trusted host name along with the username of the trusted account on that system (e.g., "trustedhost alice" and not just "trustedhost"). Avoid establishing trust relationships with systems outside of the organization's security perimeter and/or systems not controlled by the local administrative staff. Firewalls and other network security elements should actually block rlogin/rsh/rcp access from external hosts. These services are typically run on ports 512 through 514. Other services may share these port numbers. Finally, make sure that .rhosts files are only readable by the owner of the file (i.e., these files should be mode 600).


7.4 Create /etc/ftpd/ftpusers
Action:


if [ -d /etc/ftpd ]; then
    file=/etc/ftpd/ftpusers
    for user in root daemon bin sys adm lp uucp nuucp \
        smmsp listen nobody noaccess nobody4
    do
        echo $user >> $file
    done
    sort -u $file > $file.new
    mv $file.new $file
    chown root:root $file
    chmod 600 $file
else
    echo "ftpusers file does not exist"
fi

Discussion:
ftpusers contains a list of users who are not allowed to access the system via FTP. For Solaris 9 this file is /etc/ftpd/ftpusers. Generally, only normal users should ever access the system via FTP; there should be no reason for "system" type accounts to be transferring information via this mechanism. Certainly the root account should never be allowed to transfer files directly via FTP. Consider also adding the names of other privileged or shared accounts which may exist on your system, such as user oracle and the account under which your Web server process runs.

7.5 Prevent syslog from accepting messages from network
Question: Is this machine a log server, or does it need to receive syslog messages via the network from other systems?
If the answer to both parts of the question is no, proceed with the Action below.


Action:
cd /etc/default
if [ "`grep LOG_FROM_REMOTE= syslogd`" ]; then
    awk '/LOG_FROM_REMOTE=/ \
        { $1 = "LOG_FROM_REMOTE=NO" } { print }' syslogd > syslogd.new
    mv syslogd.new syslogd
else
    echo LOG_FROM_REMOTE=NO >> syslogd
fi
chown root:sys syslogd
chmod 444 syslogd

Discussion:
By default the system logging daemon, syslogd, listens for log messages from other systems on network port 514/udp. Unfortunately, the protocol used to transfer these messages does not include any form of authentication, so a malicious outsider could simply barrage the local system's syslog port with spurious traffic, either as a denial of service attack on the system, or to fill up the local system's logging files so that subsequent attacks will not be logged.
It is considered good practice to set up one or more machines as central "log servers" to aggregate log traffic from all machines at a site. However, unless a system is set up to be one of these "log server" systems, it should not be listening on 514/udp for incoming log messages.

7.6 Prevent remote XDMCP access
Action:
mkdir -p /etc/dt/config
cat <<EOXaccess > /etc/dt/config/Xaccess
!*
!* CHOOSER BROADCAST
EOXaccess
chown root:sys /etc/dt/config/Xaccess
chmod 755 /etc/dt/config
chmod 644 /etc/dt/config/Xaccess

Discussion:
The standard GUI login provided on most UNIX systems can act as a remote login server to other devices (including X terminals and other workstations). Access control is handled via the Xaccess file. The default Solaris 9 configuration allows any system on the network to get a remote login screen from the local system. This default behavior can be overridden in the /etc/dt/config/Xaccess file.

7.7 Prevent X server from listening on port 6000/tcp
Action:


if [ -f /etc/dt/config/Xservers ]; then
    file=/etc/dt/config/Xservers
else
    file=/usr/dt/config/Xservers
fi
awk '/Xsun/ && !/^#/ && !/-nolisten tcp/ \
    { print $0 " -nolisten tcp"; next }; \
    { print }' $file > $file.new
mkdir -p /etc/dt/config
mv $file.new /etc/dt/config/Xservers
chown root:sys /etc/dt/config/Xservers
chmod 444 /etc/dt/config/Xservers
chown root:bin /etc/dt/config /usr/dt/config
chmod 755 /etc/dt/config /usr/dt/config

Discussion:
X servers listen on port 6000/tcp for messages from remote clients running on other systems. However, X Windows uses a relatively insecure authentication protocol; an attacker who is able to gain unauthorized access to the local X server can easily compromise the system. Invoking the "-nolisten tcp" option causes the X server not to listen on port 6000/tcp by default.
Disabling listening on port 6000 for X servers does have the side effect that it also prevents authorized remote X clients from displaying windows on the local system. However, the forwarding of X events via ssh will still work properly. This is the preferred, more secure method of transmitting data from remote X clients.

7.8 Set default locking screensaver timeout
Action:
for file in /usr/dt/config/*/sys.resources; do
    dir=`dirname $file | sed s/usr/etc/`
    mkdir -p $dir
    echo 'dtsession*saverTimeout: 10' >> $dir/sys.resources
    echo 'dtsession*lockTimeout: 10' >> $dir/sys.resources
    chown root:sys $dir/sys.resources
    chmod 444 $dir/sys.resources
done


Discussion:
The default timeout is 30 minutes of keyboard/mouse inactivity before a password-protected screen saver is invoked by the CDE session manager. The above action reduces this default timeout value to 10 minutes, though this setting can still be overridden by individual users in their own environment.

7.9 Restrict at/cron to authorized users
Action:
cd /etc/cron.d
rm -f cron.deny at.deny
echo root > cron.allow
echo root > at.allow
chown root:root cron.allow at.allow
chmod 400 cron.allow at.allow

Discussion:
The cron.allow and at.allow files are a list of users who are allowed to run the crontab and at commands to submit jobs to be run at scheduled intervals. On many systems, only the system administrator needs the ability to schedule jobs.
Even though a given user is not listed in cron.allow, cron jobs can still be run as that user (e.g., the cron jobs running as user sys for system accounting tasks; see Item 5.7, "Enable system Accounting"). cron.allow only controls administrative access to the crontab command for scheduling and modifying cron jobs. Much more effective access controls for the cron system can be obtained by using Role-Based Access Controls (RBAC).

7.10 Remove empty crontab files and restrict file permissions
Action:
cd /var/spool/cron/crontabs
for file in *
do
    lines=`grep -v '^#' $file | wc -l | sed 's/ //g'`
    if [ "$lines" = "0" ]; then
        rm $file
    fi
done
chown root:sys *
chmod 400 *


Discussion:
The system crontab files are accessed only by the cron daemon (which runs with root privileges) and the crontab command (which is set-UID to root). Allowing unprivileged users to read or (even worse) modify system crontab files can create the potential for a local user on the system to gain elevated privileges.

7.11 Prevent root logins to system console
Action:
cd /etc/default
awk '/CONSOLE=/ { print "CONSOLE=/dev/null"; next }; \
    { print }' login > login.new
mv login.new login
chown root:sys login
chmod 444 login

Discussion:
Setting the CONSOLE variable to /dev/null prevents root logins from the console. Administrators will have to log in to the system as themselves and then 'su' to root. If the system is in single-user mode, the user will be allowed to log in as root.
Anonymous root logins should never be allowed, except on the system console in emergency situations (this is the default configuration for Solaris). At all other times the administrator should access the system via a privileged account and use some authorized mechanism (such as the su command, or the freely available sudo package) to gain additional privilege. These mechanisms provide at least some limited audit trail in the event of problems.


7.12 Limit number of failed login attempts
Action:


cd /etc/default
if [ "`grep RETRIES= login`" ]; then
    awk '/RETRIES=/ { $1 = "RETRIES=3" } { print }' login > login.new
    mv login.new login
    chown root:sys login
    chmod 444 login
else
    echo RETRIES=3 >> login
fi

Discussion:
The RETRIES parameter is the number of failed login attempts a user is allowed before being disconnected from the system and having to reinitiate a login session. Setting this number to a reasonably low value helps discourage brute-force password guessing attacks.

7.13 Set EEPROM security mode and log failed access
Hardware Compatibility: This action only applies to SPARC-based systems (not Solaris x86 or Solaris PPC).
Action:
eeprom security-#badlogins=0
if [ ! "`crontab -l | grep security-#badlogins`" ]; then
    cd /var/spool/cron/crontabs
    crontab -l > root.tmp
    echo "0 0,8,16 * * * /usr/bin/logger -p auth.info \
        \`/usr/sbin/eeprom security-#badlogins\`" >> root.tmp
    crontab root.tmp
    rm -f root.tmp
fi
eeprom security-mode=command

Note: If not prompted for a password, then an EEPROM password has previously been set. To reset the EEPROM password, use the following command:
eeprom security-password=


Discussion:
After entering the last command above, the administrator will be prompted for a password. This password will be required to authorize any future command issued at boot level on the system (the `ok' or `>' prompt) except for the normal multi-user boot command (i.e., the system will be able to reboot unattended). This measure helps prevent an attacker with physical access to the system console from subverting the security of the system by requiring authentication when booting off an external device (such as a CD-ROM or floppy disk).
The administrator should write down this password and place the password in a sealed envelope in a secure location (locked desk drawers are typically not secure). If the password is lost or forgotten, simply run the command "eeprom security-password=" as root to reset the forgotten password.
Note: EEPROM security features are available only on Sun SPARC hardware, and not Intel x86-compatible hardware.

8 User Accounts and Environment
The items in this chapter are tasks that the local administrator should undertake on a regular basis, perhaps in an automated fashion via cron. The automated host-based scanning tools provided by the Center for Internet Security can be used for this purpose. These scanning tools are available for free download from http://www.cisecurity.org.


8.1 Block system accounts
Note: The following script will make changes to the /etc/shadow file. It is imperative that this file be backed up first.
Action:


passwd -l daemon
for user in bin adm lp uucp nuucp smmsp \
    listen nobody noaccess nobody4; do
    /usr/sbin/passmgmt -m -s /dev/null $user
done
for user in listen nobody noaccess nobody4; do
    passwd -l $user
done
awk -F: '/^(daemon|sys|bin|adm|lp|uucp|nuucp|smmsp):/ \
    { $2 = "NP" } { print }' /etc/shadow | sed 's/ /:/g' > \
    /etc/shadow.new
mv /etc/shadow.new /etc/shadow
chmod 400 /etc/shadow
chown root:sys /etc/shadow

Discussion:
Accounts that are not being used by regular users should not allow interactive logins. As of Solaris 9, there is a stricter distinction between a locked account and a non-login account. While neither of these types of accounts allow interactive logins, a non-login account can be used to perform tasks, such as running a cron job, that a locked account cannot. A non-login account has a password of NP and a locked account has a password of *LK*. Since there is no interface in Solaris 9 to set a non-login password, the /etc/shadow file must be edited directly. Not only should the password field for the account be set to an invalid string, but also the shell field in the /etc/passwd file should contain an invalid shell. /dev/null is a good choice because it is not a valid login shell, and should an attacker attempt to replace it with a copy of a valid shell the system will not operate properly.


8.2 Assign noshell for system accounts
Action:
Create the noshell script


cat <<END_SCRIPT > /sbin/noshell
#!/bin/sh
#
# Copyright (c) 2000-2002 by Sun Microsystems, Inc.
# All rights reserved.
#
#ident "@(#)noshell 1.3 02/12/16 SMI"
#
trap "" 1 2 3 4 5 6 7 8 9 10 12 15 19
PATH=/usr/bin:/usr/sbin
export PATH
HNAME="\`uname -n\`"
UNAME="\`id | awk '{ print \$1 }'\`"
logger -i -p auth.crit "Unauthorized access attempt on \
\${HNAME} by \${UNAME}"
wait
exit
END_SCRIPT
chown root:root /sbin/noshell
chmod 744 /sbin/noshell

Discussion:
If the system passwords were locked in a previous step, the noshell script will not work for those accounts. If accounts are not locked or have a password setting of "no passwd; setuid only", the shell can be set to /sbin/noshell, which will cause an error to appear in /var/log/syslog. The script will log all attempts to switch user to a system account. The script listed above is taken from the SUN Solaris Security Toolkit script for noshell.
Note: The noshell script should not be used on the root account.


8.3 Verify that there are no accounts with empty password fields
Action:
The following command should return no lines of output.


logins -p

Discussion:
An account with an empty password field means that anybody may log in as that user without providing a password. All accounts should have strong passwords or should be locked by a password string of "NP" or "*LK*".

8.4 Set account expiration parameters on active accounts
Action:


logins -ox | awk -F: '($1 == "root" || $1 == "audit" || $8 == "LK") { next }
    { cmd = "passwd" }
    ($11 <= 0 || $11 > 91) { cmd = cmd " -x 91" }
    ($10 < 7) { cmd = cmd " -n 7" }
    ($12 < 28) { cmd = cmd " -w 28" }
    (cmd != "passwd") { print cmd " " $1 }' \
    > /etc/NSAupd_accounts
/sbin/sh /etc/NSAupd_accounts
rm -f /etc/NSAupd_accounts
cat <<EO_DefPass > /etc/default/passwd
MAXWEEKS=13
MINWEEKS=1
WARNWEEKS=4
PASSLENGTH=6
EO_DefPass

Discussion:
It is a good idea to force users to change passwords on a regular basis. The commands above will set all active accounts (except the root and audit accounts) to force password changes every 91 days (13 weeks), and then prevent password changes for seven days (one week) thereafter. Users will begin receiving warnings 28 days (4 weeks) before their password expires. Sites also have the option of expiring idle accounts after a certain number of days (see the online manual page for the usermod command, particularly the -f option).


These are recommended starting values, but sites may choose to make them more restrictive depending on local policies. Because /etc/default/passwd sets defaults in terms of number of weeks (even though the actual values on user accounts are kept in terms of days), it is probably best to choose interval values that are multiples of 7.

8.5 Verify no legacy '+' entries exist in passwd, shadow and group files
Action:
The following command should return no lines of output.


grep '^+:' /etc/passwd /etc/shadow /etc/group

Discussion:
'+' entries in various files used to be markers for systems to insert data from NIS maps at a certain point in a system configuration file. These entries are no longer required on Solaris systems, but may exist in files that have been imported from other platforms. These entries may provide an avenue for attackers to gain privileged access on the system, and should be deleted if they exist.

8.6 Verify that no UID 0 accounts exist other than root and audit
Action:
The following command should return only the words root and audit.


logins -o | awk -F: '($2 == 0) { print $1 }'

Discussion:
Any account with UID 0 has superuser privileges on the system. The only superuser accounts on the machine should be the root and audit accounts, and they should be accessed by logging in as an unprivileged user and using the su command to gain additional privileges.
Finer granularity access control for administrative access can be obtained by using the freely available sudo program (http://www.courtesan.com/sudo/) or Sun's own Role-Based Access Control (RBAC) system. For more information on Solaris RBAC, see http://www.sun.com/software/whitepapers/wp-rbac/wp-rbac.pdf.
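The checks of Items 8.3, 8.5 and 8.6 depend on the Solaris logins(1M) command. As an added example that is not part of this guide, the same three checks are written below as awk/grep over copies of the account files, so they can be run against a saved passwd/shadow/group snapshot on any host; the sample files the script writes are constructed, and the account names in them (toor, alice) are illustrative.

```shell
#!/bin/sh
# Added example (not the guide's own code): the checks of Items 8.3, 8.5 and 8.6
# expressed as awk/grep over copies of the account files, so they can be run
# against a saved passwd/shadow/group snapshot without the Solaris logins(1M)
# command. The sample files written below are constructed.

# Item 8.3: accounts whose shadow password field is empty.
empty_password_accounts() {
    awk -F: '($2 == "") { print $1 }' "$1"
}

# Item 8.5: legacy NIS '+' marker lines in the given files, printed as file:line.
legacy_plus_entries() {
    grep '^+:' "$@"
}

# Item 8.6: UID 0 accounts other than root and audit.
extra_uid0_accounts() {
    awk -F: '($3 == 0 && $1 != "root" && $1 != "audit") { print $1 }' "$1"
}

# Run all three checks against passwd, shadow and group in directory $1.
# Prints the findings and returns the number of checks that found something.
audit_account_files() {
    n=0
    for check in "empty_password_accounts $1/shadow" \
                 "legacy_plus_entries $1/passwd $1/shadow $1/group" \
                 "extra_uid0_accounts $1/passwd"; do
        out=`$check || true`    # grep exits 1 when nothing matches; not an error here
        if [ -n "$out" ]; then
            echo "== ${check%% *} =="
            echo "$out"
            n=`expr $n + 1`
        fi
    done
    return $n
}

# Constructed sample snapshot: an empty password (alice), a second UID 0
# account (toor) and a leftover NIS marker line in group.
write_sample_account_files() {
    dir=`mktemp -d`
    cat > "$dir/passwd" <<'EOF'
root:x:0:1:Super-User:/root:/sbin/sh
audit:x:0:1:Audit:/root:/sbin/sh
daemon:x:1:1::/:
toor:x:0:1:Second root:/:/sbin/sh
alice:x:1001:10:Alice:/export/home/alice:/bin/sh
EOF
    cat > "$dir/shadow" <<'EOF'
root:abcdEFGHijklm:12345::::::
audit:*LK*:12345::::::
daemon:NP:6445::::::
toor:abcdEFGHijklm:12345::::::
alice::12345::::::
EOF
    cat > "$dir/group" <<'EOF'
root::0:
other::1:
staff::10:alice
+:::
EOF
    echo "$dir"
}

# Typical use on a snapshot copied from a host:  audit_account_files /var/tmp/host-snapshot
```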


8.7 Set default group for root account
Action:


passmgmt -m -g 0 root

Discussion:
The default group for the root account under Solaris is the "other" group, which may be shared by many other accounts on the system. Changing the default group for the root account helps prevent root-owned files from accidentally becoming accessible to non-privileged users.

8.8 Disallow '.' or group/world-writable directory in root $PATH
Action:


for dir in `logins -ox | \
    awk -F: '($1 == "root") { print $6 }'`
do
    for file in $dir/.[A-Za-z0-9]*; do
        if [ ! -h "$file" -a -f "$file" ]; then
            chmod go-w "$file"
        fi
    done
done

Discussion:
Including the current working directory ('.') or another writable directory in root's executable path makes it likely that an attacker can gain administrator access by forcing an administrator operating as root to execute a Trojan horse program.
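The Action above hardens root's dot files but does not itself inspect root's PATH. As an added example that is not part of this guide, the following function performs the check Item 8.8 describes on a PATH string: it reports '.' and empty components (both mean "the current directory") and any component that is a group- or world-writable directory. The directories used to exercise it are constructed in a scratch area; on a live system it would be run as root against "$PATH".

```shell
#!/bin/sh
# Added example (not the guide's own code): a check for the PATH problems that
# Item 8.8 describes. Takes a PATH string; flags '.' and empty components and any
# component that is a group- or world-writable directory. The sample directories
# created below are constructed.

# check_path PATHSTRING: print one line per problem; print nothing if PATH is clean.
check_path() {
    path=$1
    # A leading, trailing or doubled ':' is an implicit '.' entry.
    case "$path" in
        :*|*:|*::*) echo "empty PATH component (equivalent to '.')" ;;
    esac
    # Subshell keeps the IFS change local to the loop.
    (
        IFS=:
        for dir in $path; do
            [ -z "$dir" ] && continue
            if [ "$dir" = "." ]; then
                echo "'.' in PATH"
                continue
            fi
            if [ ! -d "$dir" ]; then
                echo "$dir: not a directory"
                continue
            fi
            # Mode string with symlinks followed: char 6 is group w, char 9 is other w.
            mode=`ls -ldL "$dir" | cut -c1-10`
            case "$mode" in
                ?????w????) echo "$dir: group-writable" ;;
            esac
            case "$mode" in
                ????????w?) echo "$dir: world-writable" ;;
            esac
        done
    )
}

# Constructed sample: one clean directory, one group-writable, one world-writable.
make_sample_path_dirs() {
    base=`mktemp -d`
    mkdir "$base/sbin" "$base/local_bin" "$base/shared"
    chmod 0755 "$base/sbin"
    chmod 0775 "$base/local_bin"
    chmod 0777 "$base/shared"
    echo "$base"
}

# Typical use on a live system, as root:  check_path "$PATH"
```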

8.9 Set user home directories to mode 750 or more restrictive
Action:
for dir in `logins -ox | \
    awk -F: '($8 == "PS" && $1 != "root" && $1 != "audit")  \
    { print $6 }'`
do
    chmod g-w $dir
    chmod o-rwx $dir
done


Discussion:
Group- or world-writable user home directories may enable malicious users to steal or modify other users' data or to gain another user's system privileges. Disabling "read" and "execute" access for users who are not members of the same group (the "other" access category) allows for appropriate use of discretionary access control by each user. While the above modifications are relatively benign, making global modifications to user home directories without alerting the user community can result in unexpected outages and unhappy users.

8.10 Disallow group/world-writable user dot files
Action:
for dir in `logins -ox | \
    awk -F: '($8 == "PS") { print $6 }'`
do
    for file in $dir/.[A-Za-z0-9]*; do
        if [ ! -h "$file" -a -f "$file" ]; then
            chmod go-w "$file"
        fi
    done
done

Discussion:
Group- or world-writable user configuration files may enable malicious users to steal or modify other users' data or to gain another user's system privileges. While the above modifications are relatively benign, making global modifications to user home directories without alerting the user community can result in unexpected outages and unhappy users.

8.11 Change user's .forward file to mode 600
Action:
1. Create a script to check for .forward files in home accounts


cat <<END_SCRIPT > /etc/forward
#!/bin/sh
for userhome in \`awk -F: '(\$7 != "/sbin/sh" && \
    \$7 != " " && \$7 != "/usr/lib/uucp/uucico" && \
    \$6 != "/" && \$6 != "/var/adm" && \$6 !~ /usr/) \
    { print \$6 }' /etc/passwd\`
do
    if [ -f \$userhome/.forward ]; then
        /bin/logger -i -p user.info \
            "Changed the .forward permission for \$userhome"
        ls -al \$userhome/.forward > forwardls.new
        for username in \`awk '(\$1 != "-rw-------") \
            { print \$3 }' forwardls.new\`
        do
            chmod go-rwx \$userhome/.forward
            chmod u-x \$userhome/.forward
            mailx -s .forward \$username < /etc/permchange
        done
        rm forwardls.new
    else
        echo ".forward file does not exist for \$userhome"
    fi
done
END_SCRIPT
chown root:sys /etc/forward
chmod 700 /etc/forward

2. Create the email message to send to users
echo "The permissions on the .forward file for this account were \
changed by an administrator." > /etc/permchange
chown root:sys /etc/permchange
chmod 744 /etc/permchange

3. Add the following line to /etc/syslog.conf
printf "user.info\t\t\t\t\t/var/log/forward\n" >> /etc/syslog.conf

4. Create /var/log/forward
touch /var/log/forward
chown root:sys /var/log/forward
chmod 600 /var/log/forward

5. Stop and then restart the syslog daemon
/etc/init.d/syslog stop
/etc/init.d/syslog start

6. Run the forward script
/etc/forward

Discussion:
The .forward file should not be world- or group-writable. If the .forward file is world/group-writable, an attacker could use this file to embed scripts on the system that may contain exploits. The exploit can then be used to gain root access.


8.12 Remove user .netrc files
Action:


for dir in `logins -ox | \
    awk -F: '($8 == "PS") { print $6 }'`
do
    rm -f $dir/.netrc
done

Discussion:
.netrc files may contain unencrypted passwords which may be used to attack other systems. While the above modifications are relatively benign, making global modifications to user home directories without alerting the user community can result in unexpected outages and unhappy users.

8.13 Set default UMASK for users
Action:


cd /etc/default
if [ "`grep UMASK= login`" ]; then
    awk '/UMASK=/ { $1 = "UMASK=077" } { print }' login > login.new
    mv login.new login
else
    echo UMASK=077 >> login
fi
cd /etc
for file in profile .login
do
    if [ "`grep umask $file`" ]; then
        awk '$1 == "umask" { $2 = "077" } { print }' $file > $file.new
        mv $file.new $file
    else
        echo umask 077 >> $file
    fi
done
chown root:sys /etc/default/login /etc/profile /etc/.login
chmod 444 /etc/default/login /etc/profile /etc/.login

Discussion: With a default UMASK setting of 077, files and directories created by users will not be readable by any other user on the system. The user creating the file has the discretion of making his/her files and directories readable by others via the chmod command. Users who wish to allow their files and directories to be readable by others by default may choose a different default UMASK by inserting the UMASK command into the standard shell configuration files (.profile, .cshrc, etc.) in their home directories. A UMASK of 027 would make files and directories readable by users in the same UNIX group, while a UMASK of 022 would make files readable by every user on the system.

8.14 Set default UMASK for FTP users
Action:
cd /etc/ftpd
if [ "`grep '^defumask' ftpaccess`" ]; then
    # Set the existing entry to the same 077 value the else branch writes
    awk '/^defumask/ { $2 = "077" } { print }' ftpaccess > ftpaccess.new
    mv ftpaccess.new ftpaccess
else
    echo defumask 077 >> ftpaccess
fi
chown root:sys ftpaccess
chmod 444 ftpaccess

Discussion: The Solaris 9 FTP daemon is derived from the Washington University FTP daemon, so the default UMASK value is set in /etc/ftpd/ftpaccess. Please refer to the discussion in Item 8.13 for more information on umask values.

8.15 Set "mesg n" as default for all users
Action:


cd /etc
for file in profile .login
do
    if [ "`grep mesg $file`" ]; then
        awk '$1 == "mesg" { $2 = "n" } { print }' $file > $file.new
        mv $file.new $file
    else
        echo mesg n >> $file
    fi
    chown root:sys $file
    chmod 444 $file
done

Discussion: "mesg n" blocks attempts to use the write or talk commands to contact the user at their terminal, but has the side effect of slightly strengthening permissions on the user's tty device. Since write and talk are no longer widely used at most sites, the incremental security increase is worth the loss of legacy functionality.
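The actions in Items 8.13 to 8.15 change files; the following read-only check, added here as an example and not part of the guide, reports which of those settings are not yet in place under a given root directory (use "/" for a live system). The sample tree it builds, and the assumption that each setting is the first matching line in its file, are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the guide): audit the user-environment defaults
# written by Items 8.13 (UMASK), 8.14 (defumask) and 8.15 (mesg n).
# Prints one line per finding and returns the number of findings.

# Print the value of the first KEY=value line in FILE, or nothing if unset.
conf_value() {  # conf_value FILE KEY
    [ -f "$1" ] || return 0
    awk -F= -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# Print the argument of the first "WORD arg" line in FILE, or nothing if unset.
shell_setting() {  # shell_setting FILE WORD
    [ -f "$1" ] || return 0
    awk -v word="$2" '$1 == word { print $2; exit }' "$1"
}

# Check every file the three items touch below ROOTDIR; exit status = findings.
audit_user_defaults() {  # audit_user_defaults ROOTDIR
    root="${1%/}"
    findings=0
    # Item 8.13: UMASK=077 in /etc/default/login
    v=`conf_value "$root/etc/default/login" UMASK`
    if [ "$v" != "077" ]; then
        echo "8.13 $root/etc/default/login: UMASK is '${v:-unset}', expected 077"
        findings=$((findings + 1))
    fi
    # Item 8.13 (umask 077) and Item 8.15 (mesg n) in the shell startup files
    for f in profile .login
    do
        v=`shell_setting "$root/etc/$f" umask`
        if [ "$v" != "077" ]; then
            echo "8.13 $root/etc/$f: umask is '${v:-unset}', expected 077"
            findings=$((findings + 1))
        fi
        v=`shell_setting "$root/etc/$f" mesg`
        if [ "$v" != "n" ]; then
            echo "8.15 $root/etc/$f: mesg is '${v:-unset}', expected n"
            findings=$((findings + 1))
        fi
    done
    # Item 8.14: defumask 077 in /etc/ftpd/ftpaccess
    v=`shell_setting "$root/etc/ftpd/ftpaccess" defumask`
    if [ "$v" != "077" ]; then
        echo "8.14 $root/etc/ftpd/ftpaccess: defumask is '${v:-unset}', expected 077"
        findings=$((findings + 1))
    fi
    return $findings
}

# Constructed sample tree (not a real system): one compliant file, two that
# are not, to show what the audit reports. Prints the directory created.
make_sample_tree() {
    d=`mktemp -d`
    mkdir -p "$d/etc/default" "$d/etc/ftpd"
    printf 'PASSREQ=YES\nUMASK=022\n' > "$d/etc/default/login"    # finding
    printf 'PATH=/usr/bin\numask 077\nmesg n\n' > "$d/etc/profile" # compliant
    printf 'umask 027\n' > "$d/etc/.login"                        # two findings
    printf 'defumask 077\n' > "$d/etc/ftpd/ftpaccess"             # compliant
    echo "$d"
}

dir=`make_sample_tree`
audit_user_defaults "$dir"
echo "findings: $?"
rm -rf "$dir"
```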

8.16 Change root's home directory
Action:
mkdir /root
mv -i /.?* /root/
passmgmt -m -h /root root
passmgmt -m -h /root audit
chmod 700 /root

Discussion: Changing root's home directory (as well as audit's) aids in system administration as well as provides a small obfuscation to someone who attempts to gain unauthorized access to the root account. The system administrator's personal files should be kept in /root so as to provide a clear separation of what files are and are not part of the system software. A benefit is that these private files and their contents will not be visible to non-root users. This change of home directory could also serve to confuse any automated script that assumes root access begins with the "/" directory.

Note: This change may confuse already configured programs such as Netscape. Either use these programs from a non-root user or delete configuration files and reinitialize the program when logged in as root.

8.17 Set up user file quotas
Action:
1. Set up UFS file system(s) for quotas (where mount_point is the file system on which quotas are to be set).


cd mount_point
touch quotas
chown root:root quotas
chmod 600 quotas
cd /etc
awk '($4 == "ufs" && $3 == "mount_point" && $7 == "-") \
    { $7 = "rq" }; \
    ($4 == "ufs" && $3 == "mount_point" && $7 !~ /rq/) \
    { $7 = $7",rq" }; \
    { print }' /etc/vfstab > /etc/vfstab.new
mv vfstab.new vfstab
chown root:sys vfstab
chmod 664 vfstab
EDITOR=/usr/bin/vi
export EDITOR
edquota -t mount_point
# The vi editor will be spawned with the line shown below. Modify the
# corresponding highlighted fields in the editor to meet the block
# and file time limits chosen.
fs mount_point blocks time limit = number time_unit, files time limit = number time_unit

2. Establish and enable quotas for users, where proto_user is the prototype user for other users
edquota proto_user
# The vi editor will be spawned with the line shown below. Modify the
# corresponding highlighted fields in the editor to meet the block
# and inode limits chosen.
fs mount_point blocks (soft=soft_lim, hard=hard_lim) inodes (soft=soft_lim2, hard=hard_lim2)
edquota -p proto_user user_1 user_2
quotacheck -v -a
# Activate the quotas previously generated using the following command:
quotaon -v mount_point

3. View user quota usage
repquota -v -a

Discussion: Quotas are established to prevent user files from consuming all available hard drive disk space. Only the root user can create or edit quotas. The hard limit is the absolute maximum amount a user can consume and once it is reached, the user cannot create new files, edit old files, compile programs, etc. The soft limit is the maximum that the administrator would prefer. Once the soft limit is exceeded the system warns the user and starts the grace period, usually between 5 and 9 days. During this time, the user is still able to perform file operations that exceed the soft limit but not the hard limit. When the grace period ends, the soft limit is enforced as a hard limit. Disk quotas should be enforced on file systems used for mail (e.g. /var/spool/mail), user home directories (e.g. /export/home), and temporary files (e.g. /tmp). The administrator must choose which file systems need quotas, the appropriate soft time limit (no more than two weeks), which users should have quotas enforced, and the appropriate soft and hard limits. See man edquota for an explanation of the red colored variables.
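The vfstab edit in step 1 of Item 8.17 is written with mount_point as a literal to be edited by hand. The function below, added here as an example and not the guide's own script, takes the mount point as a parameter, writes the result to stdout so it can be diffed before replacing /etc/vfstab, and is safe to run twice. The sample vfstab and its device names are constructed.

```shell
#!/bin/sh
# Added example (not from the guide): parameterised form of the Item 8.17
# vfstab change. vfstab fields are: device_to_mount device_to_fsck
# mount_point FS_type fsck_pass mount_at_boot mount_options.

# Print VFSTAB with "rq" added to the options of the ufs entry for
# MOUNT_POINT. Entries that already carry rq, and all other lines, pass
# through unchanged, so the function is idempotent.
add_quota_option() {  # add_quota_option MOUNT_POINT VFSTAB
    awk -v mp="$1" '
        $4 == "ufs" && $3 == mp && $7 == "-" { $7 = "rq" }
        $4 == "ufs" && $3 == mp && $7 !~ /(^|,)rq(,|$)/ { $7 = $7 ",rq" }
        { print }' "$2"
}

# Exit 0 if the ufs entry for MOUNT_POINT in VFSTAB already has rq, else 1.
quota_option_set() {  # quota_option_set MOUNT_POINT VFSTAB
    awk -v mp="$1" '
        $4 == "ufs" && $3 == mp && $7 ~ /(^|,)rq(,|$)/ { found = 1 }
        END { exit !found }' "$2"
}

# Constructed sample in Solaris 9 layout (device names are illustrative).
make_sample_vfstab() {
    cat <<'EOF'
#device         device          mount           FS      fsck    mount   mount
#to mount       to fsck         point           type    pass    at boot options
fd      -       /dev/fd fd      -       no      -
/proc   -       /proc   proc    -       no      -
/dev/dsk/c0t0d0s1       -       -       swap    -       no      -
/dev/dsk/c0t0d0s0       /dev/rdsk/c0t0d0s0      /       ufs     1       no      -
/dev/dsk/c0t0d0s7       /dev/rdsk/c0t0d0s7      /export/home    ufs     2       yes     logging
swap    -       /tmp    tmpfs   -       yes     -
EOF
}

# Demonstration: only the /export/home entry changes ("logging" -> "logging,rq").
f=`mktemp`
make_sample_vfstab > "$f"
add_quota_option /export/home "$f" > "$f.new"
diff "$f" "$f.new" || true    # diff exits 1 because the files differ
rm -f "$f" "$f.new"
```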

9 Warning Banners
Presenting some sort of statutory warning message prior to the normal user logon may assist the prosecution of trespassers on the computer system. Changing some of these login banners also has the side effect of hiding OS version information and other detailed system information from attackers attempting to target specific attacks at a system. Guidelines published by the US Department of Defense require that warning messages include at least the name of the organization that owns the system, the fact that the system is subject to monitoring and that such monitoring is in compliance with local statutes, and that the use of the system implies consent to such monitoring. Clearly, the organization's local legal counsel and/or site security administrator should review the content of all messages before any system modifications are made, as these warning messages are inherently site specific. More information (including citations of relevant case law) can be found at: http://www.usdoj.gov/criminal/cybercrime/s&sappendix2002.htm.
If TCP Wrappers are being used to display warning banners for various inetd based services, it is important that the banner messages be formatted properly so as not to interfere with the application protocol. The Banners.Makefile file provided with the TCP Wrappers source distribution (available from ftp.porcupine.org as well as http://www.sunfreeware.com) contains shell commands to help produce properly formatted banner messages.

9.1 Create warnings for physical access services
Action:


eeprom oem-banner="Authorized uses only. All activity \
may be monitored and reported."
eeprom oem-banner\?=true
echo "Authorized uses only. All activity may be \
monitored and reported." > /etc/motd
echo "Authorized uses only. All activity may be \
monitored and reported." > /etc/issue
chown root:sys /etc/motd
chown root:root /etc/issue
chmod 644 /etc/motd /etc/issue

Discussion: The contents of the /etc/issue file are displayed prior to the login prompt on the system's console and serial devices. /etc/motd is generally displayed after all successful logins, no matter where the user is logging in from, but is thought to be less useful because it only provides notification to the user after the machine has been accessed. The OEM banner will be displayed only when the system is powered on. Setting this banner has the side effect of hiding the standard Sun power on banner, which normally displays the system host ID, MAC address, etc.

9.2 Create warnings for GUI based logins
Action:

for file in /usr/dt/config/*/Xresources
do
    dir=`dirname $file | sed s/usr/etc/`
    mkdir -p $dir
    if [ ! -f $dir/Xresources ]; then
        cp $file $dir/Xresources
    fi
    echo "Dtlogin*greeting.labelString: Authorized uses \
only. All activity may be monitored and reported." \
        >> $dir/Xresources
    echo "Dtlogin*greeting.persLabelString: Authorized \
uses only. All activity may be monitored and reported." \
        >> $dir/Xresources
done
chown root:sys /etc/dt/config/*/Xresources
chmod 644 /etc/dt/config/*/Xresources

Discussion: The standard graphical login program for Solaris requires the username to be entered in one dialog box and the corresponding password to be entered in a second, separate dialog. The commands above set the warning message on both to be the same message, but the site has the option of using different messages on each screen. The Dtlogin*greeting.labelString is the message for the first dialog where the user is prompted for their username, and ...persLabelString is the message on the second dialog box.

9.3 Create warnings for telnet daemon
Action:
cd /etc/default
if [ ! "`grep \"^BANNER=\" telnetd`" ]; then
    echo "BANNER=\"Authorized uses only. All activity may \
be monitored and reported.\\\n\\\n\"" > telnetd
    chown root:sys telnetd
    chmod 444 telnetd
fi

Discussion: Setting this banner has the side effect of hiding the default telnet banner, which advertises the version of the Solaris running on the system.

9.4 Create warnings for FTP daemons
Action:


echo Authorized uses only. All activity may \
be monitored and reported. > /etc/ftpd/banner.msg
chown root:root /etc/ftpd/banner.msg
chmod 444 /etc/ftpd/banner.msg

Discussion: The FTP daemon in Solaris 9 is based on the popular Washington University FTP daemon (WU-FTPD), which is an Open Source program widely distributed on the Internet. The procedure for setting the warning banner on Solaris 9 differs from previous releases.

Appendix A: File Backup Script
#!/bin/sh
# Copy every configuration file this guide modifies to a timestamped
# backup beside the original, then back up the cron spool as well.
ext=`date '+%Y%m%d-%H:%M:%S'`
for file in /etc/.login /etc/coreadm.conf \
    /etc/cron.d/at.allow /etc/cron.d/at.deny \
    /etc/cron.d/cron.allow /etc/cron.d/cron.deny \
    /etc/default/cron /etc/default/power /etc/default/inetd \
    /etc/default/inetinit /etc/default/init /etc/default/keyserv \
    /etc/default/login /etc/default/passwd /etc/default/sendmail \
    /etc/default/syslogd /etc/default/telnetd /etc/default/sys-suspend \
    /etc/dt/config/Xaccess /etc/dt/config/*/Xresources \
    /etc/dt/config/*/sys.resources /etc/dt/config/Xservers \
    /etc/ftpd/banner.msg /etc/ftpd/ftpaccess /etc/ftpusers \
    /etc/defaultrouter /etc/hosts.allow /etc/hosts.deny \
    /etc/inet/inetd.conf /etc/inet/ntp.conf /etc/inet/ntp.keys \
    /etc/init.d/RMTMPFILES /etc/init.d/netconfig /etc/init.d/inetsvc \
    /etc/init.d/perf /etc/dfs/dfstab /etc/issue /etc/motd \
    /etc/pam.conf /etc/passwd /etc/profile /etc/shadow \
    /etc/rmmount.conf /etc/security/audit_class \
    /etc/security/audit_control /etc/security/audit_event \
    /etc/security/audit_startup /etc/security/audit_user \
    /etc/user_attr /etc/logadm.conf /etc/mail/sendmail.cf \
    /etc/ssh/sshd_config /etc/syslog.conf /etc/system \
    /etc/vfstab /etc/vold.conf
do
    # Only files that exist are copied; -p preserves owner, mode and times
    [ -f $file ] && cp -p $file $file-preNSA-$ext
done
mkdir -p -m 0700 /var/spool/cron/crontabs-preNSA-$ext
cd /var/spool/cron/crontabs
tar cf - * | (cd ../crontabs-preNSA-$ext; tar xfp -)


Appendix B: Additional Security Notes
The items in this appendix are security configuration settings that have been suggested by several other resources and system hardening tools. However, given the other settings in the benchmark document, the settings presented here provide relatively little incremental security benefit. Nevertheless, none of these settings should have a significant impact on the functionality of the system, and some sites may feel that the slight security enhancement of these settings outweighs the (sometimes minimal) administrative cost of performing them.
None of these settings will be checked by the automated scoring tool provided with the benchmark document. They are purely optional and may be applied or not at the discretion of local site administrators.

SN.1 Enable process accounting at boot time
Action:
ln -s /etc/init.d/acct /etc/rc3.d/S99acct

Discussion: Process accounting logs information about every process that runs to completion on the system, including the amount of CPU time, memory, etc. consumed by each process. While this would seem like useful information in the wake of a potential security incident on the system, kernel level auditing with the "+argv,arge" policy (as enabled in Item 5.8) provides more information about each process execution in general (although kernel level auditing does not capture system resource usage information). Both process accounting and kernel level auditing can be a significant performance drain on the system, so enabling both seems excessive given the large amount of overlap in the information each provides.

SN.2 Use full pathnames in /etc/dfs/dfstab file
Action:


cd /etc/dfs
awk '($1 == "share") { $1 = "/usr/sbin/share" }; \
    { print }' dfstab > dfstab.new
mv dfstab.new dfstab
chown root:sys dfstab
chmod 644 dfstab

Discussion: The commands in the dfstab file are executed via the /usr/sbin/shareall script at boot time, as well as by administrators executing the shareall command during the uptime of the machine. Use the absolute pathname to the share command to protect against exploits stemming from an attack on the administrator's PATH environment, etc. However, if an attacker is able to corrupt root's path to this extent, other attacks seem more likely and more damaging to the integrity of the system.

SN.3 Restrict access to power management functions
Action:
cd /etc/default
awk '/^PMCHANGEPERM=/ { $1 = "PMCHANGEPERM=-" }
    /^CPRCHANGEPERM=/ { $1 = "CPRCHANGEPERM=-" }
    { print }' power > power.new
mv power.new power
chown root:sys power
chmod 444 power

Discussion: The settings in /etc/default/power control which users have access to the configuration settings for the system power management and checkpoint/resume features. By setting both values to "-", configuration changes are restricted to only the superuser. Given that the benchmark document disables the power management daemon by default, the effect of these settings is negligible, but sites may wish to make this configuration change as a "defense in depth" measure.

SN.4 Restrict access to sys-suspend feature
Action:


cd /etc/default
awk '/^PERMS=/ { $1 = "PERMS=-" } { print }' sys-suspend > sys-suspend.new
mv sys-suspend.new sys-suspend
chown root:sys sys-suspend
chmod 444 sys-suspend

Discussion: The /etc/default/sys-suspend settings control which users are allowed to use the sys-suspend command to shut down the system. Setting "PERMS=-" means that only the superuser is granted this privilege. A user who is truly motivated to take the system offline and has physical access to the system can simply remove power from the machine. Granting sys-suspend access may be a more graceful way of allowing normal users to shut down their own machines.

SN.5 Create symlinks for dangerous files
Action:
for file in /.rhosts /.shosts /etc/hosts.equiv
do
    rm -f $file
    ln -s /dev/null $file
done

Discussion: The /.rhosts, /.shosts, and /etc/hosts.equiv files enable a weak form of access control (see the discussion of .rhosts files in Item 7.3). Attackers will often target these files as part of their exploit scripts. By linking these files to /dev/null, any data that an attacker writes to these files is simply discarded (though an astute attacker can still remove the link prior to writing their malicious data). However, the benchmark already disables .rhosts style authentication in several ways, so the additional security provided by creating these symlinks is minimal.

SN.6 Change default greeting string for Sendmail
Action:


cd /etc/mail
awk '/O SmtpGreetingMessage=/ \
    { print "O SmtpGreetingMessage=mailer ready"; next }
    { print }' sendmail.cf > sendmail.cf.new
mv sendmail.cf.new sendmail.cf
chown root:bin sendmail.cf
chmod 444 sendmail.cf

Discussion: The default SMTP greeting string displays the version of the Sendmail software running on the remote system. Hiding this information is generally considered to be good practice, since it can help attackers target attacks at machines running a vulnerable version of Sendmail. However, the actions in the benchmark document completely disable Sendmail on the system, so changing this default greeting string affords no benefit unless the machine happens to be an email server.

Appendix C: High Risk Items

2.2 Only enable telnet if absolutely necessary
Question: Is there a mission critical reason that requires users to access this system via telnet, rather than the more secure SSH protocol?
If the answer to this question is yes, proceed with the Action below.
Action:


cd /etc/inet
sed 's/^#telnet/telnet/' inetd.conf > inetd.conf.new
mv inetd.conf.new inetd.conf

Discussion: Telnet uses an unencrypted network protocol, which means data from the login session (such as passwords and all other data transmitted during the session) can be stolen by eavesdroppers on the network, and also that the session can be hijacked by outsiders to gain access to the remote system. The freely available SSH utilities (see Item 1.6) provide encrypted network logins and should be used instead.

2.3 Only enable FTP if absolutely necessary
Question: Is this machine an (anonymous) FTP server, or is there a mission critical reason why data must be transferred to and from this system via ftp, rather than scp?
If the answer to either part of this question is yes, proceed with the Action below.
Action:


cd /etc/inet
sed 's/^#ftp/ftp/' inetd.conf > inetd.conf.new
mv inetd.conf.new inetd.conf

Discussion: Like telnet, the FTP protocol is unencrypted, which means passwords and other data transmitted during the session can be captured by sniffing the network, and that the FTP session itself can be hijacked by an external attacker. SSH provides two different encrypted file transfer mechanisms (scp and sftp) and should be used instead. Even if FTP is required because the local system is an anonymous FTP server, consider requiring non-anonymous users on the system to transfer files via SSH based protocols. For further information on restricting FTP access to the system, see Item 7.4.

2.4 Only enable rlogin/rsh/rcp if absolutely necessary
Question: Is there a mission critical reason why rlogin/rsh/rcp must be used instead of the more secure ssh/scp?
If the answer to this question is yes, proceed with the Action below.
Action:


cd /etc/inet
sed 's/^#shell/shell/; s/^#login/login/' \
    inetd.conf > inetd.conf.new
mv inetd.conf.new inetd.conf

Discussion: SSH was designed to be a drop-in replacement for these protocols. Given the wide availability of free SSH implementations, it is unlikely that there is a case where these tools cannot be replaced with SSH (see Item 1.6).
If these protocols are left enabled, please also see Item 7.1 for additional security related configuration settings.

2.5 Only enable TFTP if absolutely necessary
Question: Is this system a boot server or is there some other mission critical reason why data must be transferred to and from this system via TFTP?
If the answer to either part of this question is yes, proceed with the Action below.

Action:
cd /etc/inet
sed 's/^#tftp/tftp/' inetd.conf > inetd.conf.new
mv inetd.conf.new inetd.conf
mkdir -p /tftpboot
chown root:root /tftpboot
chmod 711 /tftpboot

Discussion: TFTP is typically used for network booting of diskless workstations, X terminals, and other similar devices (TFTP is also used during network installs of systems via the Solaris Jumpstart facility). Routers and other network devices may copy configuration data to remote systems via TFTP for backup. However, unless this system is needed in one of these roles, it is best to leave the TFTP service disabled.

2.6 Only enable printer service if absolutely necessary
Question: Is this machine a print server for your network?
If the answer to this question is yes, proceed with the Action below.
Action:


cd /etc/inet
sed 's/^#printer/printer/' inetd.conf > inetd.conf.new
mv inetd.conf.new inetd.conf

Discussion: in.lpd provides a BSD compatible print server interface. Machines that are print servers may wish to leave this service disabled if they do not need to support BSD style printing.

2.7 Only enable rquotad if absolutely necessary
Question: Is this system an NFS file server with disk quotas enabled?
If the answer to this question is yes, proceed with the Action below.

Action:
cd /etc/inet
sed 's/^#rquotad/rquotad/' inetd.conf > inetd.conf.new
mv inetd.conf.new inetd.conf

Discussion: rquotad allows NFS clients to enforce disk quotas on file systems that are mounted from the local system. If your site does not use disk quotas, then you may leave the rquotad service disabled.

2.9 Only enable Solaris Volume Manager daemons if absolutely necessary
Question: Is the Solaris Volume Manager GUI administration tool required for the administration of this system?
If the answer to this question is yes, proceed with the Action below.
Action:


cd /etc/inet
sed 's/^#100229/100229/; s/^#100230/100230/; s/^#100242/100242/' \
    inetd.conf > inetd.conf.new
mv inetd.conf.new inetd.conf

Discussion: The Solaris Volume Manager (formerly Solaris DiskSuite) provides software RAID capability for Solaris systems. This functionality can either be controlled via the GUI administration tools provided with the operating system, or via the command line. However, the GUI tools cannot function without several daemons enabled in inetd.conf. Since the same functionality that is in the GUI is available from the command line interface, administrators are strongly urged to leave these daemons disabled and administer volumes directly from the command line.
Since this service uses Sun's standard RPC mechanism, it is important that the system's RPC portmapper (rpcbind) also be enabled when this service is turned on. For more information see Item 3.11, "Only enable other RPC based services if absolutely necessary."

2.11 Only enable Kerberos related daemons if absolutely necessary
Question: Is the Kerberos security system in use at this site?
If the answer to this question is yes, proceed with the Action below.
Action:


cd /etc/inet
sed 's/^#100134/100134/' inetd.conf > inetd.conf.new
mv inetd.conf.new inetd.conf

Discussion: Kerberos support has been added to Solaris (see Sun's Kerberos site, http://wwws.sun.com/software/security/kerberos/). However, Kerberos may not be in use at all sites. For more information on Kerberos see http://web.mit.edu/kerberos/www/.
Since this service uses Sun's standard RPC mechanism, it is important that the system's RPC portmapper (rpcbind) also be enabled when this service is turned on. For more information see Item 3.11, "Only enable other RPC based services if absolutely necessary."
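Each item in this appendix re-enables one service with a sed edit on /etc/inet/inetd.conf. The script below, added here as an example and not part of the guide, does the complementary defender's work: it reports which of the services Items 2.2 to 2.11 treat as high risk are currently active in an inetd.conf, and comments one out again. The inetd.conf line format (a leading "#" means disabled; RPC entries are "program/version") is Solaris 9's; the sample file and its server paths are constructed.

```shell
#!/bin/sh
# Added example (not from the guide): inventory of the Appendix C high-risk
# inetd services. A line is active unless it starts with "#"; field 1 is the
# service name, or "program/version" for RPC entries.

# Service names and RPC program numbers enabled by Appendix C Items 2.2 to 2.11.
HIGH_RISK_SERVICES="telnet ftp shell login tftp printer rquotad 100229 100230 100242 100134"

# Print, in file order, each high-risk service that is active in FILE.
enabled_high_risk() {  # enabled_high_risk FILE
    awk -v list="$HIGH_RISK_SERVICES" '
        BEGIN { n = split(list, svc, " "); for (i = 1; i <= n; i++) risky[svc[i]] = 1 }
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # commented out or blank: inactive
        { split($1, p, "/"); name = p[1] }     # drop the RPC "/version" suffix
        (name in risky) && !seen[name]++ { print name }' "$1"
}

# Print the number of active high-risk services in FILE.
count_enabled_high_risk() {  # count_enabled_high_risk FILE
    enabled_high_risk "$1" | awk 'END { print NR }'
}

# Print FILE with the active entry for service NAME commented out (the
# reverse of the sed commands above); every other line passes through.
disable_service() {  # disable_service NAME FILE
    awk -v name="$1" '
        { split($1, p, "/") }
        p[1] == name && $0 !~ /^[ \t]*#/ { print "#" $0; next }
        { print }' "$2"
}

# Constructed Solaris 9 style sample (server paths are illustrative).
make_sample_inetd() {
    cat <<'EOF'
# Constructed sample inetd.conf
ftp     stream  tcp6    nowait  root    /usr/sbin/in.ftpd       in.ftpd -a
telnet  stream  tcp6    nowait  root    /usr/sbin/in.telnetd    in.telnetd
#shell  stream  tcp     nowait  root    /usr/sbin/in.rshd       in.rshd
#login  stream  tcp6    nowait  root    /usr/sbin/in.rlogind    in.rlogind
#tftp   dgram   udp6    wait    root    /usr/sbin/in.tftpd      in.tftpd -s /tftpboot
#printer        stream  tcp6    nowait  root    /usr/lib/print/in.lpd   in.lpd
100229/1        tli     rpc/tcp wait    root    /usr/sbin/rpc.metad     rpc.metad
#100134/1       tli     rpc/ticotsord   wait    root    /usr/lib/krb5/ktkt_warnd        ktkt_warnd
EOF
}

# Demonstration: ftp, telnet and 100229 are active; disabling telnet leaves two.
f=`mktemp`
make_sample_inetd > "$f"
active=`enabled_high_risk "$f" | tr '\n' ' '`
echo "Active high-risk services: $active"
disable_service telnet "$f" > "$f.new"
left=`count_enabled_high_risk "$f.new"`
echo "After disabling telnet: $left"
rm -f "$f" "$f.new"
```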

References
Center for Internet Security
Free benchmark documents and security tools for various OS platforms and applications:
http://www.cisecurity.org/

Precompiled software packages for various OS platforms:
ftp://ftp.cisecurity.org/

Sun Microsystems
Sun security home:
http://www.sun.com/security

Sun security blueprints:
http://www.sun.com/security/blueprints

Sun product documentation:
http://docs.sun.com/prod/solaris

Patches and related documentation:
ftp://sunsolve.sun.com/patchroot/clusters/

Sun Patch Manager tool:
http://www.sun.com/service/support/sw_only/patchmanager.html

Solaris Security Toolkit:
http://www.sun.com/security/jass/

Precompiled fix-modes software:
http://wwws.sun.com/software/security/downloads.html

Solaris Fingerprint Database:
http://sunsolve.sun.com/pub-cgi/fileFingerprints.pl

Sun's Kerberos Information:
http://wwws.sun.com/software/security/kerberos

Role Based Access Control (RBAC) whitepaper:
http://www.sun.com/software/whitepapers/wp-rbac/wp-rbac.pdf

OpenSSH whitepaper, NTP whitepaper, information on kernel (ndd) settings, et al:
http://www.sun.com/security/blueprints/

Other Miscellaneous Documentation
Various documentation on Solaris security issues:
http://ist.uwaterloo.ca/security/howto/

Primary source for information on NTP:
http://www.ntp.org/

Information on MIT Kerberos:
http://web.mit.edu/kerberos/www/

Apache "Security Tips" document:
http://httpd.apache.org/docs-2.0/misc/security_tips.html

Information on Sendmail and DNS:
http://www.sendmail.org/
http://www.deer-run.com/~hal/dns-sendmail/DNSandSendmail.pdf

Software
Patched Makefile for IP Filter:
http://blog.graves.com/b2evolution/blogs/blog_a.php?p=590

Precompiled software packages for Solaris:
http://www.sunfreeware.com/
ftp://ftp.cisecurity.org/

OpenSSH (secure encrypted network logins):
http://www.openssh.org

TCP Wrappers source distribution:
ftp://ftp.porcupine.org

PortSentry and Logcheck (port and log monitoring tools):
http://sourceforge.net/projects/sentrytools

Swatch (log monitoring tool):
http://swatch.sourceforge.net

Open Source Sendmail (email server) distributions:
ftp://ftp.sendmail.org/

LPRng (Open Source replacement printing system for Unix):
http://www.lprng.org/

fix-modes (free tool to correct permissions and ownerships in the Solaris OS):
ftp://ftp.science.uva.nl/pub/solaris/fix-modes.tar.gz

sudo (provides fine grained access controls for superuser activity):
http://www.courtesan.com/sudo/
