Guide to the Secure Configuration of Solaris 9
Operating Systems Division UNIX Team of the Systems and Network Attack Center (SNAC)
Dated: 16 July 2004, Version 1.0
UNCLASSIFIED
Warnings

Do not attempt to implement any of the settings in this guide without first testing in a non-operational environment.

This document is only a guide containing recommended security settings. It is not meant to replace well-structured policy or sound judgment. Furthermore this guide does not address site-specific configuration issues. Care must be taken when implementing this guide to address local operational and policy concerns.

The security changes described in this document only apply to the Solaris 9 Operating System and should not be applied to any other operating system.

The recommendations in this guide were written for SPARC-based systems. Some scripts may need to be modified to work on x86-based systems.

SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE EXPRESSLY DISCLAIMED. IN NO EVENT SHALL THE CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Downloaded information and utilities are valid as of 1 July 2004. Newer versions have not been tested for this guide.
Acknowledgements

This document is based closely upon the Center for Internet Security's (CIS) Solaris Benchmark, without which this guide would not be possible. We would like to thank all of the team members that participated in the development of the CIS Solaris Benchmark guide.

Trademark Information

Solaris is a registered trademark of Sun Microsystems.
Table of Contents

1 Patches and Additional Software
  1.1 Partition hard drive to compartmentalize data
  1.2 Apply latest OS patches
  1.3 Install TCP Wrappers
  1.4 Reference system random number generator
  1.5 Configure IPsec
  1.6 Configure SSH Server
  1.7 Install NTP
2 Minimize inetd Network Services
  2.1 Disable standard services
  2.8 Only enable CDE-related daemons if absolutely necessary
  2.10 Only enable removable media daemon if absolutely necessary
  2.12 Only enable GSS daemon if absolutely necessary
  2.13 Disable multicasting and routing discovery
  2.14 Disable IPv6
  2.15 Enable encrypted remote administration if necessary
3 Minimize Boot Services
  3.1 Disable login: prompts on serial ports
  3.2 Set daemon umask
  3.3 Disable inetd if possible
  3.4 Disable email server if possible
  3.5 Disable boot services if possible
  3.6 Disable other standard boot services
  3.7 Only enable Windows compatibility servers if absolutely necessary
  3.8 Only enable NFS server processes if absolutely necessary
  3.9 Only enable NFS client processes if absolutely necessary
  3.10 Only enable automount daemon if absolutely necessary
  3.11 Only enable other RPC-based services if absolutely necessary
  3.12 Only enable Kerberos server daemons if absolutely necessary
  3.13 Only enable LDAP directory server if absolutely necessary
  3.14 Only enable the LDAP cache manager if absolutely necessary
  3.15 Only enable the printer daemons if absolutely necessary
  3.16 Only enable the volume manager if absolutely necessary
  3.17 Only enable GUI login if absolutely necessary
  3.18 Only enable web server if absolutely necessary
  3.19 Only enable SNMP if absolutely necessary
  3.20 Only enable DHCP server if absolutely necessary
  3.21 Disable BIND
  3.22 Disable nscd
  3.23 Use RMTMPFILES to clear /var/tmp
4 Kernel Tuning
  4.1 Restrict core dumps to protected directory
  4.2 Enable stack protection
  4.3 Restrict NFS client requests to privileged ports
  4.4 Modify network parameters
  4.5 Modify additional network parameters
  4.6 Use better TCP sequence numbers
  4.7 Set up host-based firewalls
  4.8 Set routing policies/configuration
5 Logging
  5.1 Turn on inetd tracing
  5.2 Turn on additional logging for FTP daemons
  5.3 Capture FTP and inetd connection tracing info
  5.4 Capture messages sent to syslog Auth facility
  5.5 Create /var/adm/loginlog
  5.6 Turn on cron logging
  5.7 Enable system accounting
  5.8 Enable kernel-level auditing
  5.9 Configure role-based access control
  5.10 Confirm permissions on system log files
  5.11 Implement automated log rotation
6 File/Directory Permissions/Access
  6.1 Add 'logging' option to root file system
  6.2 Add 'nosuid' option to /etc/rmmount.conf
  6.3 Configure vold.conf to allow users access to CD-ROM only
  6.4 Verify passwd, shadow, and group file permissions
  6.5 Verify world-writable directories have their sticky bit set
  6.6 Find unauthorized world-writable files
  6.7 Find unauthorized SUID/SGID system executables
  6.8 Find unowned files and directories
  6.9 Run fix-modes
7 System Access, Authentication, and Authorization
  7.1 Set higher security level for sadmind service
  7.2 Disable "nobody" access for secure RPC
  7.3 Remove .rhosts support in /etc/pam.conf
  7.4 Create /etc/ftpd/ftpusers
  7.5 Prevent syslog from accepting messages from network
  7.6 Prevent remote XDMCP access
  7.7 Prevent X server from listening on port 6000/tcp
  7.8 Set default locking screensaver timeout
  7.9 Restrict at/cron to authorized users
  7.10 Remove empty crontab files and restrict file permissions
  7.11 Prevent root logins to system console
  7.12 Limit number of failed login attempts
  7.13 Set EEPROM security mode and log failed access
8 User Accounts and Environment
  8.1 Block system accounts
  8.2 Assign no shell for system accounts
  8.3 Verify that there are no accounts with empty password fields
  8.4 Set account expiration parameters on active accounts
  8.5 Verify no legacy '+' entries exist in passwd, shadow and group files
  8.6 Verify that no UID 0 accounts exist other than root and audit
  8.7 Set default group for root account
  8.8 Disallow '.' or group/world-writable directory in root $PATH
  8.9 Set user home directories to mode 750 or more restrictive
  8.10 Disallow group/world-writable user dot files
  8.11 Change user's .forward file to mode 600
  8.12 Remove user .netrc files
  8.13 Set default UMASK for users
  8.14 Set default UMASK for FTP users
  8.15 Set "mesg n" as default for all users
  8.16 Change root's home directory
  8.17 Set up user file quotas
9 Warning Banners
  9.1 Create warnings for physical access services
  9.2 Create warnings for GUI-based logins
  9.3 Create warnings for telnet daemon
  9.4 Create warnings for FTP daemons
Appendix A: File Backup Script
Appendix B: Additional Security Notes
  SN.1 Enable process accounting at boot time
  SN.2 Use full path names in /etc/dfs/dfstab file
  SN.3 Restrict access to power management functions
  SN.4 Restrict access to sys-suspend feature
  SN.5 Create symlinks for dangerous files
  SN.6 Change default greeting string for Sendmail
Appendix C: High Risk Items
  2.2 Only enable telnet if absolutely necessary
  2.3 Only enable FTP if absolutely necessary
  2.4 Only enable rlogin/rsh/rcp if absolutely necessary
  2.5 Only enable TFTP if absolutely necessary
  2.6 Only enable printer service if absolutely necessary
  2.7 Only enable rquotad if absolutely necessary
  2.9 Only enable Solaris Volume Manager daemons if absolutely necessary
ABSTRACT

This document provides additional security measures beyond those specified in the Center for Internet Security (CIS) Solaris Benchmark. The document was developed to provide system administrators with steps to create a more secure Solaris 9 operating environment running on a SPARC processor.

The document is written to give a detailed step-by-step description on how to secure a system running Solaris 9. Guidance is provided on how to set up the partitions, apply the latest recommended patches, and configure system settings. While the CIS Solaris Benchmark consists of security actions for multiple versions of Solaris, the additional information provided by the National Security Agency (NSA) only applies to Solaris 9. Many of the steps in this document will need to be repeated on a regular basis to maintain system security and all of the steps should be reviewed if the system is upgraded for any reason. This document should be read in the order presented since some Items build upon previous Items.

The information in the CIS document is the collaborative work of several agencies, including the NSA, colleges, and company representatives. The NSA configuration guide is comprised of industry best practices, academic expertise, practical experience, and Solaris 9 documentation.
How to Use This Document

Shaded Items

Systems deployed as desktop workstations typically have different security expectations than systems deployed as network servers. In an effort to facilitate use of this benchmark on these different classes of machines, shaded text has been used to indicate questions and/or actions that are typically not applicable to desktop systems in a large enterprise environment. These shaded items may be skipped on these desktop platforms.

System Configuration

This guide was tested on a newly configured system with the End User Cluster (SUNWCuser) installed. Several of the items in this guide require installing additional packages that are found in the SUNWCall cluster but not the SUNWCuser cluster. These packages are: SUNWhea (header files), SUNWsprot (make utility), SUNWsprox (SPARC v9 libraries for make utility). For compiling software, the following packages are required in addition to installing gcc: SUNWgcmn, SUNWarc, SUNWarcx (for 64-bit systems), and SUNWbtool. For System Accounting, the following packages are required: SUNWaccu and SUNWaccr. Also, several of the servers enabled in Chapter 3 are only applicable if they were previously installed. These include kerberos, ldap, http, and dhcp servers.

Root Shell Environment Assumed

The actions listed in this document are written with the assumption that they will be executed by the root user running the /sbin/sh shell and without noclobber set.

Executing Actions

The actions listed in this document are written with the assumption that they will be executed in the order presented here. Some actions may need to be modified if the order is changed. Actions are written so that they may be copied directly from this document into a root shell window with a "copy and paste" operation. The "copy and paste" operation applies to all sections with the exception of sections containing red-shaded variables <os>, <ver>, x.x.x.x etc. The red-shaded variables denote instances where the system administrator must input the appropriate information.

Reboot Required

Rebooting the system is required after completing all of the actions below in order to complete the reconfiguration of the system. In many cases, the changes made in the steps below will not take effect until this reboot is performed.
Backup Key Files

Before performing the steps of this benchmark it is strongly recommended that administrators make backup copies of critical configuration files that may get modified by various benchmark items. If this step is not performed, then the site may have no reasonable back-out strategy for reversing system modifications made as a result of this document. The script provided in Appendix A of this document will automatically back up all files that may be modified by the actions below, except for the boot scripts manipulated by the various items in Chapter 3 of this document, which are backed up automatically by the individual items in Chapter 3. This guide is intended for configuration of a new system. For older systems, a full backup may be appropriate.
1 Patches and Additional Software

1.1 Partition hard drive to compartmentalize data

Action:

Keeping their uses in mind, create the following partitions during the install process. The number of configurable disk slices is limited to seven on a SPARC platform and nine on the Intel platform. However, Solaris 9 allows for soft partitioning which can be used to subdivide disks into as many as 8192 logical volumes. Slices that are used for soft partitions cannot be used for other purposes.

The following disk slices are commonly used and should be created on the system.

/            files and directories that make up the operating system; once installed, very little is added to this directory.
swap         at a minimum, this should be 512 MB; a good rule is to make swap equivalent to RAM size unless large loads are anticipated, in which case a setting of 1.5 times fast memory is appropriate for standard applications (e.g. ls, lp, vi, etc.). The swap partition is typically mounted as /tmp.
/usr         documentation, system programs, and library routines

These directory names are commonly used and hard or soft partitions should be created accordingly.

/var
/opt
/usr/local   for local workstation software (e.g. open source software like Perl, GNU tools, etc.)
/anonftp/incoming

Discussion:

Partitioning data will help security in a number of ways, including: protecting against a denial of service system failure by users filling their home directories or by logs filling up, making it easier to manage space and backup routines, protecting against NFS weaknesses, and making it easier to protect data and prevent unauthorized changing of data by separating it into its own partition.

The administrator must already have a plan for what size each hard partition must be. This requires knowledge of which software cluster is needed, the system's intended use, and who will use it. Soft partitions can be enlarged after creation if space is needed, as long as space is available on the underlying device. Once enlarged, they cannot be reduced.

Information on planning for disk space can be found in the System Administration Guide: Basic Administration book. Information on creating soft partitions can be found in the Solaris Volume Manager Administration Guide. Both of these can be found on the Sun documentation site http://docs.sun.com
1.2 Apply latest OS patches

Sun Recommended Patch clusters can be downloaded via FTP or HTTP from

http://sunsolve.sun.com/pub-cgi/show.pl?target=patches/patch-access

Patchfinder, Patch Reports, Recommended Patch Cluster README files, and Y2K Patch Clusters can also be accessed from this site.

ftp://sunsolve.sun.com/patchroot/clusters

Look for 9_Recommended.zip.

2. Execute the following commands:

    cd /var/sadm
    unzip -qq 9_Recommended.zip
    cd 9_Recommended
    ./install_cluster -q

By default, when ./install_cluster is run, it checks if sufficient disk space exists for the installation of the Patch Cluster. If there is insufficient space, the user can abort the install. The "-q" (quiet) option suppresses this interactive option. It's recommended that the CLUSTER_README file be read for details.

Discussion:

Developing a procedure for keeping up to date with vendor patches is critical for the security and reliability of the system. Vendors issue operating system updates when they become aware of security vulnerabilities and other serious functionality issues, but it is up to their customers to actually download and install these patches. In addition to installing the Solaris Recommended Patch Clusters as described above, administrators may wish to also check the Solaris 9 patch report file, 9_patch_report, (available from the same HTTP site as the patch clusters) for additional security, Y2K, or functionality patches that may be required on the local system. Administrators are also encouraged to check the individual README files provided with each patch for further information and post-install instructions.

Automated tools for maintaining current patch levels are also available, such as the Solaris Patch Manager, PatchPro Interactive, and PatchPro Expert. It's recommended that system administrators research these tools to determine which, if any, should be implemented. For more information on each of these tools, visit the SunSolve Patch Portal (http://sunsolve.sun.com/pub-cgi/show.pl?target=patchpage). For information on Solaris 9 patch management, including a comparison of patch management tools, see Chapters 15 and 16 of System Administration Guide: Basic Administration, part of the Solaris 9 9/04 System Administrator Collection (http://docs.sun.com/app/docs/doc/817-6958).
During the cluster installation process, administrators may ignore individual patch installs that fail with either return code 2 (indicates that the patch has already been installed on the system) or return code 8 (the patch applies to an operating system package which is not installed on the machine). If a patch install fails with any other return code, consult the patch installation log in /var/sadm/install_data/<cluster name>_log.

1.3 Install TCP Wrappers

Action:

1. Create /etc/hosts.allow:

    echo "ALL: <net>/<mask>, <net>/<mask>, ..." > /etc/hosts.allow

3. Turn on TCP Wrappers

    cd /etc/default
    awk '/#ENABLE_TCPWRAPPERS/ { $1 = "ENABLE_TCPWRAPPERS=YES" }; \
        { print }' inetd > inetd.new
    mv inetd.new inetd
    chown root:sys inetd
    chmod 444 inetd
    pkill -HUP -u 0 -P 1 -x inetd
1.5 Configure IPsec

IPsec is a network layer protocol that employs a robust set of security mechanisms in order to secure network traffic. IPsec consists of two network packet protocols: the Authentication Header (AH) and the Encapsulating Security Payload (ESP). Authentication is accomplished by using either the MD5 or the SHA-1 algorithms to produce an integrity checksum based on the data and the key. The Authentication Header provides strong integrity, data authentication and partial sequence integrity (replay protection).

The Encapsulating Security Payload uses the DES (Data Encryption Standard), 3DES (Triple DES), or AES (Advanced Encryption Standard) encryption algorithms to provide data confidentiality and traffic analysis protection. In addition, the ESP is capable of providing authentication (there is some overlap in the functionality of AH and ESP). Because IPsec operates on the network layer, it is transparent to network applications and protects all traffic including TCP, UDP, and ICMP.
Additionally, the "IPsec in the Solaris 9 Operating Environment" white paper can be downloaded from the Sun Microsystems web site at:
http://www.sun.com/software/solaris/9/whitepapers.html
2. Once downloaded, install the necessary packages:

    unzip sol-9-sparc-crypto.zip
    pkgadd -d sol-9-sparc-crypto/Encryption_9/sparc/Packages all
IPsec Configuration

Solaris IPsec provides various means of protecting network traffic. It can protect all traffic between two hosts, protect individual services, be used as a Virtual Private Network (VPN) and also perform simple packet filtering. The following is a procedure to secure all traffic between two IPv4 hosts using ESP (using its own authentication) with shared keys. In this example, traffic between 10.1.1.2 (testbox1) and 10.1.1.3 (testbox2) will be secured. This procedure is intended to secure traffic between two Solaris 9 hosts. In order to use this procedure on a Solaris 8 host, the Solaris 8 optional encryption packages must be downloaded and installed. They can be downloaded from the Sun Microsystems web site at:
http://www.sun.com/software/solaris/encryption/download.html
The Solaris 8 optional encryption packages provide the DES and 3DES encryption algorithms for use with IPsec. These algorithms can be used to secure traffic between a Solaris 8 and a Solaris 9 host.

Action:

1. Configure the Security Policy:

For security purposes, this procedure should be carried out when logged in as superuser on the system console.

The following commands should be run to create the security policy file. This can be any file; however, it must have the correct ownership and file permissions (see below). For this example, /etc/inet/ipsec.pol will be used.

On the first host (testbox1), run the following commands:

    cat <<EOF>> /etc/inet/ipsec.pol
    { saddr 10.1.1.2 daddr 10.1.1.3 } apply \
        { encr_algs 3des encr_auth_algs md5 sa shared }
    { saddr 10.1.1.3 daddr 10.1.1.2 } permit \
        { encr_algs 3des encr_auth_algs md5 }
    EOF

Set the file's ownership and permissions:

    chown root:root /etc/inet/ipsec.pol
    chmod 600 /etc/inet/ipsec.pol

The /etc/inet/ipsec.pol file will now read as follows:

    { saddr 10.1.1.2 daddr 10.1.1.3 } apply { encr_algs 3des encr_auth_algs md5 sa shared }
    { saddr 10.1.1.3 daddr 10.1.1.2 } permit { encr_algs 3des encr_auth_algs md5 }

Set the file's ownership and permissions:

    chown root:root /etc/inet/ipsec.pol
    chmod 600 /etc/inet/ipsec.pol
2. Generate random keys:

The strength of encryption relies on the quality of random key generation. Solaris provides the /dev/random pseudo-device to generate random keys for encryption purposes. Four different keys must be generated: one for the AH, one for the ESP and one for each Security Parameters Index (SPI). The Security Parameters Index is a random 32-bit (8 hex digit) number that specifies to the device receiving the packet which Security Association (SA) to use. This SA contains the necessary information on how the receiving device will decrypt the packet. The SPI cannot be encrypted within the packet because the receiving machine must use this value to determine the correct SA to utilize.

To generate the keys for the AH and the ESP, the following command is used:

    od -x -A n -N 48 </dev/random | sed 's/ //g' \
        | awk '{printf("%s\n",$1)}'

The output will be 96 (pseudo) random hexadecimal characters similar to:

    cbf503c4d505d3c8254aa12fe0ef941d
    48078bfa312893bbb7b0ac133449f71f
    7d8a4f32128d6298f37c3e44057032a2
For example, if MD5 were to be used as the authentication algorithm, the following 32 character string could be used from the output above for the key:

    48078bfa312893bbb7b0ac133449f71f

To generate the keys for each SPI, the following command is used:

    od -An -N4 </dev/random | sed 's/ //g' | awk '{printf("%.8s\n",$1)}'

The output will be eight (pseudo) random octal characters similar to:

    06075310
Run the following command on each host:

    cat <<EOF>> /etc/inet/ipsec.sa
    # From 10.1.1.2 to 10.1.1.3
    # SPI: <Unique 8 character SPI>
    # Auth Alg: MD-5
    # Auth Key: <32 Hex digit MD-5 key>
    # Encr Alg: 3des
    # Encr Key: <48 Hex digit 3des key>
    add esp spi <Unique 8 character SPI> src testbox1 dst testbox2 \
        auth_alg md5 encr_alg 3des authkey <32 Hex digit MD-5 key> \
        encrkey <48 Hex digit 3des key>
    # From 10.1.1.3 to 10.1.1.2
    # SPI: <Unique 8 character SPI>          //Different SPI from above
    # Auth Alg: MD-5
    # Auth Key: <32 Hex digit MD-5 key>      //same MD-5 key from above
    # Encr Alg: 3des
    # Encr Key: <48 Hex digit 3des key>      //same 3DES key from above
    add esp spi <Unique 8 character SPI> src testbox2 dst testbox1 \
        auth_alg md5 encr_alg 3des authkey <32 Hex digit MD-5 key> \
        encrkey <48 Hex digit 3des key>
    EOF
4. Enable IPsec at boot time:

On each host, add the following to /etc/init.d/ipsec:
    cat <<EOF>> /etc/init.d/ipsec
    #!/bin/sh
    #Startup script for IPsec.
    case "\$1" in
    start)
            /usr/sbin/ipsecconf -f
            /usr/sbin/ipseckey flush
            /usr/sbin/ipseckey -f /etc/inet/ipsec.sa
            /usr/sbin/ipsecconf -a /etc/inet/ipsec.pol
            ;;
    stop)
            /usr/sbin/ipseckey flush
            /usr/sbin/ipsecconf -f
            ;;
    *)
            echo "Usage: \$0 { start | stop }"
            exit 1
            ;;
    esac
    exit 0
    EOF
Link the script to the startup directory and set the ownership and file permissions:

    ln -s /etc/init.d/ipsec /etc/rc2.d/S69ipsec
    chown root:sys /etc/init.d/ipsec
    chmod 700 /etc/init.d/ipsec

To display the current Security Policy, use the following command:

    ipsecconf -l

To display the current Security Association, use the following command:

    ipseckey dump
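The key-generation and ipsec.sa steps above are done by hand, pasting od output into the file. The script below is an added example, not part of the NSA guide: it wraps the guide's od pipelines in functions and audits a finished ipsec.sa for the mistakes the text warns about (an authkey that is not 32 hex digits, an encrkey that is not 48, an SPI that is zero or shared by both directions). It assumes POSIX sh with od, tr and awk; RANDOM_DEV defaults to /dev/random as in the guide, and the keys embedded in write_sample_sa are constructed sample values, not keys to deploy.

```shell
#!/bin/sh
# Added example, not from the NSA guide: helpers for the ipsec.sa step of
# Item 1.5. gen_hex_key/gen_spi wrap the guide's od pipelines; check_sa_file
# audits a finished ipsec.sa for wrong key lengths and reused or zero SPIs.
# Assumes POSIX sh, od, tr and awk. RANDOM_DEV defaults to /dev/random as in
# the guide; override it if the system has a better source.

RANDOM_DEV=${RANDOM_DEV:-/dev/random}

# Constructed sample keys for the demonstration only (32 and 48 hex digits).
AUTHKEY=48078bfa312893bbb7b0ac133449f71f
ENCRKEY=cbf503c4d505d3c8254aa12fe0ef941d48078bfa312893bb

# Print N random bytes as 2*N hex digits on one line (16 bytes for an MD5
# authkey, 24 bytes for a 3DES encrkey).
gen_hex_key() {
    od -x -A n -N "$1" < "$RANDOM_DEV" | tr -d ' \n'
    echo
}

# Print an 8-digit SPI from 4 random bytes, as the guide's od -An -N4 does.
gen_spi() {
    od -A n -N 4 < "$RANDOM_DEV" | tr -d ' \n' | awk '{ print substr($0, 1, 8) }'
}

# Write a constructed ipsec.sa in the guide's layout: comment block and one
# "add esp" entry per direction with backslash continuations. $2 and $3 are
# the two SPIs; the keys are the sample constants above.
write_sample_sa() {
    cat > "$1" <<EOF
# From 10.1.1.2 to 10.1.1.3
# SPI: $2
add esp spi $2 src testbox1 dst testbox2 \\
    auth_alg md5 encr_alg 3des authkey $AUTHKEY \\
    encrkey $ENCRKEY
# From 10.1.1.3 to 10.1.1.2
# SPI: $3 //Different SPI from above
add esp spi $3 src testbox2 dst testbox1 \\
    auth_alg md5 encr_alg 3des authkey $AUTHKEY \\
    encrkey $ENCRKEY
EOF
}

# Audit an ipsec.sa file. Exit status 0 when every "add" entry carries an
# 8-digit SPI that is neither zero nor reused, a 32-hex-digit authkey and a
# 48-hex-digit encrkey; otherwise each problem is printed and the status is 1.
check_sa_file() {
    awk -v file="$1" '
        function bad(msg) { printf("%s: entry %d: %s\n", file, entries, msg); errors++ }
        {
            # Re-join backslash-continued lines, then re-split into fields.
            line = $0
            while (line ~ /\\$/ && (getline nxt) > 0) {
                sub(/\\$/, "", line)
                line = line " " nxt
            }
            $0 = line
        }
        NF == 0 || $1 ~ /^#/ { next }
        $1 == "add" {
            entries++
            spi = ""; akey = ""; ekey = ""
            for (i = 2; i < NF; i++) {
                if ($i == "spi")     spi  = $(i + 1)
                if ($i == "authkey") akey = $(i + 1)
                if ($i == "encrkey") ekey = $(i + 1)
            }
            if (length(spi) != 8 || spi !~ /^[0-9]+$/) bad("SPI \"" spi "\" is not 8 digits")
            else if (spi ~ /^0+$/) bad("SPI 0 is reserved")
            else if (spi in seen)  bad("SPI " spi " is used by more than one SA")
            seen[spi] = 1
            if (length(akey) != 32 || akey !~ /^[0-9a-fA-F]+$/) bad("authkey is not 32 hex digits (MD5)")
            if (length(ekey) != 48 || ekey !~ /^[0-9a-fA-F]+$/) bad("encrkey is not 48 hex digits (3DES)")
        }
        END { if (entries == 0) bad("no add entries found"); exit (errors > 0) }
    ' < "$1"
}

# Demonstration: build a sample file with two fresh SPIs and audit it.
demo_dir=$(mktemp -d)
write_sample_sa "$demo_dir/ipsec.sa" "$(gen_spi)" "$(gen_spi)"
if check_sa_file "$demo_dir/ipsec.sa"; then
    echo "$demo_dir/ipsec.sa: keys and SPIs are well formed"
fi
rm -rf "$demo_dir"
```

Running check_sa_file against the real /etc/inet/ipsec.sa before the ipseckey -f step catches a pasted key that lost a digit, which ipseckey would otherwise reject at boot with the SA left unloaded.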
The configuration options above do not include the options AllowGroups, DenyGroups, AllowUsers, and DenyUsers. Any one, but only one, of these options can be used to specify an access control list. It is strongly recommended that one of these options be used to further restrict access to the server to authorized users only. The man pages for sshd_config explain how to specify user or group names with these options.

Though the above Action is specifically for the server, similar options also exist for the ssh client. See the man pages for ssh_config to learn how to set host defaults for ssh.

For information on building OpenSSH from source, see http://www.openssh.org. Sun also publishes information on building OpenSSH for Solaris as part of its Blueprints series (see http://www.sun.com/blueprints/0404/817-6261.pdf).

1.7 Install NTP

The following configuration is for an NTP client that will function as a local server.

Action:

NTP server information:

1. Create the ntp configuration file

Note: Enter the correct ip address for your site.

    cat << END_SCRIPT > /etc/inet/ntp.conf
    # subnet
    #The netmask used in this example is for Class C networks
    restrict x.x.x.x mask 255.255.255.0 notrust nomodify notrap
    # ip address of this system's time server
    restrict x.x.x.x noquery nomodify notrap
    # ip address of this system's time server
    server x.x.x.x key 2
    enable auth
    # Add drift file if necessary
    driftfile /var/ntp/drift
    keys /etc/inet/ntp.keys
    trustedkey 1 2
    END_SCRIPT
    chown root:root /etc/inet/ntp.conf
    chmod 600 /etc/inet/ntp.conf

2. Create the drift file

    touch /var/ntp/drift
    chown root:root /var/ntp/drift
    chmod 600 /var/ntp/drift
3. Key setup

Note: The following steps assume that a key file already exists on the system.

    cat <<END_SCRIPT >> /etc/inet/ntp.keys
    #keyid key_type key_value
    1 M keypass1
    END_SCRIPT
    chown root:root /etc/inet/ntp.keys
    chmod 600 /etc/inet/ntp.keys

4. Start ntp daemon

    /etc/init.d/xntpd start
Discussion:

It is important for the computer system to maintain correct time, especially if databases or auditing tools are running on the system. The drift file is used to store the time difference between the local clock and the network clock. Because the value is stored on the system, it does not have to be recalculated every time synchronization occurs. The drift file should be used if multiple servers are listed in the ntp.conf file.

The key file information above is an example. These keys are used to compute the digital signatures for the NTP transaction. The key file must limit read permissions because it contains authorization data. The key id can range from 1 to 4294967295 but must not be 0 (zero). Each key number must be unique. There must be a space between the key id and the key_type. The key_value field, shown as keypass1 above, should be an arbitrary string of up to eight characters.

The key id and associated key_value must be known to both the server and the client attempting to access the server. If the correct key information is not provided, time synchronization will not take place. The key information should be transferred to each client in the most secure manner possible. For example, the key information can be put on a disk and the system administrator can load the keys on each system. If ssh is used, the keys can be transferred over the network. NTP version 4 has a built-in key distribution process. Information about this process can be found in the NTP version 4 documentation.

In some situations, such as a router in Defense Message System (DMS) architecture, it is appropriate to utilize at least two NTP servers. Adjust the action as necessary if more than one NTP server is appropriate.

Additional information on how to configure an NTP server and client can be obtained from
http://www.sun.com/security/blueprints/
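The rules stated in the Discussion (key id 1 to 4294967295 and never 0, unique ids, a key_type letter, a key_value of at most eight characters) can be checked before a key file is distributed. The following sh/awk function is an added example, not part of the guide; the function name is hypothetical and the sample key lines are constructed.

```shell
# Added example (not from the guide): validate an ntp.keys-format file
# against the rules in the Discussion above. One "line N: problem" per
# violation is printed; the exit status is 0 only when the file is clean.
check_ntp_keys() {      # $1 = path of an ntp.keys-format file
    awk '
        /^[ \t]*(#|$)/ { next }                  # comments and blank lines
        {
            if (NF < 3) {
                print "line " NR ": expected keyid key_type key_value"
                bad++; next
            }
            id = $1; type = $2; val = $3
            if (id !~ /^[0-9]+$/ || id + 0 < 1 || id + 0 > 4294967295) {
                print "line " NR ": key id " id " must be 1..4294967295"
                bad++
            }
            if (id in seen) {
                print "line " NR ": key id " id " duplicates line " seen[id]
                bad++
            }
            seen[id] = NR
            if (type !~ /^[A-Za-z]$/) {          # the guide uses M (MD5)
                print "line " NR ": unexpected key_type " type
                bad++
            }
            if (length(val) > 8) {
                print "line " NR ": key_value longer than eight characters"
                bad++
            }
        }
        END { exit (bad > 0) }' "$1"
}

# Stand-alone demonstration on constructed key lines (not real keys).
ntp_keys_demo() {
    tmp=$(mktemp)
    printf '#keyid key_type key_value\n1 M keypass1\n' > "$tmp"
    check_ntp_keys "$tmp" && echo "clean file accepted"
    printf '0 M zero\n1 M dup\n2 M waytoolongkey\n' >> "$tmp"
    check_ntp_keys "$tmp" || echo "bad file rejected"
    rm -f "$tmp"
}

ntp_keys_demo
```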
2 Minimize inetd Network Services

2.1 Disable standard services
Action:
cd /etc/inet
for svc in time echo discard daytime chargen fs dtspc \
    exec comsat talk finger uucp name xaudio \
    netstat ufsd rexd systat sun-dr uuidgen krb5_prop; do
    awk "(\$1 == \"$svc\") { \$1 = \"#\" \$1 }; {print}" \
        inetd.conf > inetd.conf.new
    mv inetd.conf.new inetd.conf
done
for svc in 100068 100146 100147 100150 100221 \
    100232 100235 kerbd rstatd rusersd sprayd walld; do
    awk "/^$svc\\// { \$1 = \"#\" \$1 }; { print }" \
        inetd.conf > inetd.conf.new
    mv inetd.conf.new inetd.conf
done
for svc in printer shell login telnet ftp tftp; do
    awk "(\$1 == \"$svc\") { \$1 = \"#\" \$1 }; {print}" \
        inetd.conf > inetd.conf.new
    mv inetd.conf.new inetd.conf
done
for svc in 100083 100229 100230 100242 \
    100234 100134 100155 rquotad 100153; do
    awk "/^$svc\\// { \$1 = \"#\" \$1 }; { print }" \
        inetd.conf > inetd.conf.new
    mv inetd.conf.new inetd.conf
done
chown root:sys inetd.conf
chmod 444 inetd.conf
pkill -HUP -u 0 -P 1 -x inetd
Discussion: The stock /etc/inet/inetd.conf file shipped with Solaris contains many services which are rarely used or which have more secure alternatives. Indeed, after enabling SSH (see Item 1.6) it may be possible to completely do away with all inetd-based services, since SSH provides both a secure login mechanism and a means of transferring files to and from the system. In fact, the actions above will disable all standard services normally enabled in the Solaris inetd.conf file.

Most of the remaining actions in this chapter give the administrator the option of re-enabling certain services, in particular the services that are disabled in the last two loops in the "Action" section above. Rather than disabling and then re-enabling these services, experienced administrators may wish to simply disable only those services that they know are unnecessary for their systems. Services colored in red are re-enabled in this chapter as needed.

Note: Items 2.2 through 2.7, 2.9 and 2.11 have been moved to Appendix C. These Items enable tools that decrease system security. These tools should only be enabled if there is a mission-critical need.
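The two awk idioms in the Action above (match a service on its name in field 1, match an RPC service on its "program-number/" prefix) can be wrapped so that an administrator disables only a chosen list and verifies the result. This is an added example, not part of the guide; the function names are hypothetical and the inetd.conf contents are constructed.

```shell
# Added example (not from the guide): the two awk idioms of Item 2.1 as
# reusable functions, exercised on a constructed inetd.conf.

# Comment out the line whose first field is the given service name.
disable_named_svc() {   # $1 = service name, $2 = inetd.conf path
    awk "(\$1 == \"$1\") { \$1 = \"#\" \$1 }; {print}" "$2" > "$2.new" &&
        mv "$2.new" "$2"
}

# Comment out an RPC service line, matched as "number/" (e.g. 100068/2-5).
disable_rpc_svc() {     # $1 = RPC program number, $2 = inetd.conf path
    awk "/^$1\\// { \$1 = \"#\" \$1 }; { print }" "$2" > "$2.new" &&
        mv "$2.new" "$2"
}

# Number of lines that still define a service (neither blank nor commented).
count_active() {        # $1 = inetd.conf path
    grep -c -v -E '^[[:space:]]*(#|$)' "$1" || true
}

# Apply the guide's approach to a chosen list of names and RPC numbers.
disable_services() {    # $1 = inetd.conf path, $2 = names, $3 = RPC numbers
    for svc in $2; do disable_named_svc "$svc" "$1"; done
    for svc in $3; do disable_rpc_svc "$svc" "$1"; done
}

# Constructed sample in inetd.conf layout (not a real Solaris file).
make_sample_inetd() {   # $1 = path to create
    cat > "$1" <<'END_SAMPLE'
# constructed sample inetd.conf
ftp      stream  tcp6    nowait  root    /usr/sbin/in.ftpd      in.ftpd -a
telnet   stream  tcp6    nowait  root    /usr/sbin/in.telnetd   in.telnetd
finger   stream  tcp     nowait  nobody  /usr/sbin/in.fingerd   in.fingerd
100068/2-5  dgram  rpc/udp  wait  root   /usr/dt/bin/rpc.cmsd   rpc.cmsd
100083/1    tli    rpc/tcp  wait  root   /usr/dt/bin/rpc.ttdbserverd  rpc.ttdbserverd
END_SAMPLE
}

# Stand-alone demonstration: 5 active lines before, 1 (ftp) after.
inetd_demo() {
    f=$(mktemp)
    make_sample_inetd "$f"
    echo "active before: $(count_active "$f")"
    disable_services "$f" "finger telnet" "100068 100083"
    echo "active after:  $(count_active "$f")"
    rm -f "$f"
}

inetd_demo
```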
Discussion: The rpc.ttdbserverd process supports many tools and applications in Sun's CDE windowing environment, but has historically been a major security issue for Solaris systems. If this service is enabled, it is vital to keep up to date on vendor patches. Never enable this service on any system which is not well protected by a complete network security infrastructure (including network and host-based firewalls, packet filters, and intrusion detection infrastructure).

Since this service uses Sun's standard RPC mechanism, it is important that the system's RPC portmapper (rpcbind) also be enabled when this service is turned on. For more information see Item 3.11, "Only enable other RPC-based services if absolutely necessary."
Discussion: This item re-enables the rpc.smserverd process that works with the volume manager (see Item 3.16 below) and the CDE file manager application to automatically mount CD-ROMs and floppies when the user inserts the new media into the system's drives (the mount command is normally a privileged command that can only be performed by the superuser). Be aware that allowing users to mount and access data from removable media makes it easier for malicious programs and data to be imported onto your network.

Since this service uses Sun's standard RPC mechanism, it is important that the system's RPC portmapper (rpcbind) also be enabled when this service is turned on. For more information see Item 3.11, "Only enable other RPC-based services if absolutely necessary."

2.12 Only enable GSS daemon if absolutely necessary
Question: Are there any security-related services in use at this site that make use of the GSS API?
Note: In Solaris 9, the GSS daemon is generally needed only when Kerberos is being used to secure NFS.
If the answer to this question is yes, proceed with the Action below.
Action:
cd /etc/inet
sed 's/^#100234/100234/' inetd.conf > inetd.conf.new
mv inetd.conf.new inetd.conf
2. Comment out all IPv6 TCP and UDP information from inetd.conf

awk '(( $3 == "tcp6" || $3 == "udp6" ) && ( $1 !~ /^#/ )) \
    { $1 = "#"$1}; \
    { print }' /etc/inet/inetd.conf > /etc/inet/inetd.conf.new
mv /etc/inet/inetd.conf.new /etc/inet/inetd.conf
chown root:sys /etc/inet/inetd.conf
chmod 444 /etc/inet/inetd.conf
3 Minimize Boot Services

3.1 Disable login: prompts on serial ports
Action:

pmadm -d -p zsmon -s ttya
pmadm -d -p zsmon -s ttyb

3.2 Set daemon umask
Action:

cd /etc/default
awk '/^CMASK=/ { $1 = "CMASK=022" }\
    { print }' init > init.new
mv init.new init
chown root:sys init
chmod 444 init
Action:

cd /etc/default
cat <<END_DEFAULT > sendmail
MODE=
QUEUEINTERVAL="15m"
END_DEFAULT
chown root:sys sendmail
chmod 644 sendmail
Discussion: It is possible to run a UNIX system with the Sendmail daemon disabled and still allow users on that system to send email out from that machine. Running Sendmail in "daemon mode" (with the -bd command-line option) is only required on machines that act as mail servers, receiving and processing email from other hosts on the network.

After disabling the -bd option on the local mail server on Solaris 9 (or any system running Sendmail v8.12 or later) it is also necessary to modify the /etc/mail/submit.cf file. Find the line that reads "D{MTAHost}localhost" and change localhost to the name of the appropriate mail server for the organization. This will cause email generated on the local system to be relayed to that mail server for further processing and delivery.

If the system is an email server, the administrator is encouraged to search the Web for additional documentation on Sendmail security issues. Some information is available at http://www.deer-run.com/~hal/dns-sendmail/DNSandSendmail.pdf and at
http://www.sendmail.org.
Discussion: Renaming these scripts in the system boot directories will effectively disable a wide variety of infrequently used subsystems. The scripts are merely renamed (rather than removed outright) so that the local administrator can easily "restore" any of these files if they discover a mission-critical need for one of these services. Not all of the scripts listed above will exist on all systems (some are only valid for certain releases, others only exist if certain OEM vendor software is installed). Also, vendor patches may restore some of the original entries in the /etc/rc*.d directories; it is always a good idea to check these boot directories and remove any scripts that may have been added by the patch installation process.
The chart below can be used to determine if the red-highlighted boot scripts above should be disabled by the system administrators.

Many of the actions in Chapter 3 give the administrator the option of re-enabling certain services, in particular the services that are disabled in the last two loops in the action above. Rather than disabling and then re-enabling these services, experienced administrators may wish to simply disable only those services that they know are unnecessary for their systems.

Filename                   Purpose
/etc/rc2.d/S71rpc          Starts network service rpcbind daemon.
                           Used by NIS & NIS+ configuration, key services, X Sun services.
                           Required to run CDE.
/etc/rc2.d/S74autofs       Starts automount daemon.
                           Used for automounting and to locate directories.
/etc/rc2.d/S90wbem         Configures Web Based Enterprise Management Services.
                           Needed for Solaris Management Console.
/etc/rc2.d/S91afbinit      Configures any graphic frame buffers or graphic accelerators.
                           Needed for system with Elite3D graphics.
                           Needed for X Window.
/etc/rc2.d/S91ifbinit      Configures any graphic frame buffers or graphic accelerators.
                           Needed for system with Expert3D (IFB) graphics.
/etc/rc3.d/S81volmgt       Starts the vold daemon.
                           Needed to mount cdroms and floppy disks.
/etc/rc2.d/S99dtlogin      Starts the CDE desktop login process, dtlogin.
                           Needed for logging in using CDE.
/etc/rc3.d/S15nfs.server   Starts the NFS server daemons nfsd, mountd and nfslogd.
                           Needed to mount NFS systems.
/etc/rc3.d/S76snmpdx       Starts snmp daemon.
                           Needed by Solstice Enterprise Agents dmispd and snmpXdmid.
Discussion: NFS is frequently exploited to gain unauthorized access to files and systems. There is no need to run the NFS server-related daemons on hosts that are not NFS servers. If the system is an NFS server, the admin should take reasonable precautions when exporting file systems, including restricting NFS access to a specific range of local IP addresses and exporting file systems "read-only" and "nosuid" where appropriate. For more information consult the share_nfs manual page. If the machine will be an NFS client then the rpcbind process must be running (see Item 3.11, "Only enable other RPC-based services if absolutely necessary" below).
Discussion: While this action disables the standard NFS client processes (statd and lockd), it is still possible for the superuser to mount remote file systems on the local machine via NFS. Starting with Solaris 9, the administrator can completely disable NFS client access by removing the NFS client software packages (SUNWnfscr, SUNWnfscu, and SUNWnfscx), but these packages will have to be reinstalled if NFS is to be re-enabled at a later date.

Other file transfer schemes (such as rdist via SSH) can often be preferable to NFS for certain applications, although the use of secure RPC or Kerberos can significantly improve NFS security. If the machine will be an NFS client then the rpcbind process must be running (see Item 3.11, "Only enable other RPC-based services if absolutely necessary").

3.10 Only enable automount daemon if absolutely necessary
Question: Are any of the following statements true?
- The system requires an automount daemon to automatically mount local and/or NFS file systems as needed.
- The site uses Sun's SMC graphical administrative interface for system management.
If the answer to this question is yes, proceed with the Action below.
Action:
mv /etc/rc2.d/.NOS74autofs /etc/rc2.d/S74autofs
Discussion: The automount daemon is normally used to automatically mount NFS file systems from remote file servers when needed. However, the automount daemon can also be configured to mount local (loopback) file systems as well, which may include local user home directories, depending on the system configuration. Sites that have local home directories configured via the automount daemon in this fashion will need to ensure that this daemon is running for Sun's SMC graphical administrative interface to function properly.

3.11 Only enable other RPC-based services if absolutely necessary
Question: Are any of the following statements true?
- This machine is an NFS client or server
- This machine is an NIS (YP) or NIS+ client or server
- The Kerberos security system is in use at this site
- This machine runs a GUI or GUI-based administration tool
- The system requires the Volume Manager (vold)
- This machine is a network boot server or Jumpstart server
- The machine runs a third-party software application which is dependent on RPC support (examples: FlexLM license managers, Veritas, Solaris DiskSuite)
If the answer to this question is yes, proceed with the Action below.
Action:
mv /etc/rc2.d/.NOS71rpc /etc/rc2.d/S71rpc
Discussion: Solaris 9 has included the iPlanet Directory Server product as part of the operating system. However, this service only needs to be running on the machines that have been designated as LDAP servers for the organization. If the machine is an LDAP server, the administrator is encouraged to search the Web for additional documentation on LDAP security issues.

3.14 Only enable the LDAP cache manager if absolutely necessary
Question: Is the LDAP directory service in use at this site, and is this machine an LDAP client?
If the answer to both parts of the question listed above is yes, proceed with the Action below.
Action:
mv /etc/rc2.d/.NOS71ldap.client /etc/rc2.d/S71ldap.client
Discussion: The Solaris volume manager automatically mounts CD-ROMs and floppy disks for users whenever a disk is inserted in the local system's drive (the mount command is normally a privileged command which can only be performed by the superuser). Be aware that allowing users to mount and access data from removable media drives makes it easier for malicious programs and data to be imported onto your network. The malicious programs and data could be used by an unauthorized user to gain root access on the system.

It is also necessary to re-enable the rpc.smserverd process for the volume manager to function (see Item 2.10, "Only enable removable media daemon if absolutely necessary").
Action:

mv /etc/rc3.d/.NOS50apache /etc/rc3.d/S50apache
mv /etc/rc2.d/.NOS42ncakmod /etc/rc2.d/S42ncakmod
Discussion: If SNMP is used to monitor the hosts on the network, it is recommended that the default community string used to access data via SNMP be changed. On Solaris systems, this parameter can be changed by modifying the system-group-read-community parameter in /etc/snmp/conf/snmpd.conf.

SNMP is shipped with a default community string of "public" or "private". If the default community string is set to the string "private", an unauthorized user will have access to remotely read and modify parameters. If the default community string is set to "public", an unauthorized user will have read access to network management information.

The community string should be changed to prevent access to the system parameters by an unauthorized user. The SNMP community string needs to be hard to guess, like passwords. It should include a combination of letters, numbers, special characters and have a minimum length of six characters. Even if the community string is changed, SNMP versions 1 and 2 use the community string unencrypted for authentication.
2. Run the script to change the inetsvc file

sed -f named.script inetsvc > inetsvc.new
mv inetsvc.new inetsvc
chown root:sys inetsvc
chmod 744 inetsvc

3. Stop then restart the service

/etc/init.d/inetsvc stop
/etc/init.d/inetsvc start
Discussion: The Name Service Cache Daemon maintains a database containing commonly used Domain Name Service (DNS) lookup information such as passwords, groups and hosts. This service is needed if the system has the Basic Security Module (BSM) or DNS enabled. If BSM or DNS are not used, it is recommended that the Name Service Cache Daemon be disabled. If BSM or DNS are used, then the nscd daemon must be running.

3.23 Use RMTMPFILES to clear /var/tmp
Question: Is there a mission-critical reason why files in /var/tmp should not be removed?
If the answer is no, proceed with the Action below:
4 Kernel Tuning

4.1 Restrict core dumps to protected directory
Action:

mkdir -p /var/core
chown root:root /var/core
chmod 700 /var/core
coreadm -g /var/core/core_global_%n_%f_%u_%g_%t_%p \
    -i /var/core/core_per_proc_%n_%f_%u_%g_%t_%p \
    -e log \
    -e global -e global-setid -e process -e proc-setid
Core dumps tend to be large files and the contents of the /var/core directory can end up rapidly consuming large amounts of disk space and possibly causing a denial of service attack on the system. It is a good idea to monitor this directory on a regular basis and remove any unneeded core files. If the local site chooses, dumping of core files can be completely disabled with the following command: "coreadm -d global -d global-setid -d process -d proc-setid".
4.2 Enable stack protection
Action:

if [ ! "`grep noexec_user_stack /etc/system`" ]; then
    cat <<END_CFG >> /etc/system
* Attempt to prevent and log stack-smashing attacks
set noexec_user_stack = 1
set noexec_user_stack_log = 1
END_CFG
fi

4.3 Restrict NFS client requests to privileged ports
Action:

if [ ! "`grep nfssrv:nfs_portmon /etc/system`" ]; then
    cat <<END_CFG >> /etc/system
* Require NFS clients to use privileged ports
set nfssrv:nfs_portmon = 1
END_CFG
fi
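Both Items 4.2 and 4.3 guard the append with a plain grep, which also matches a commented-out line (comments in /etc/system begin with an asterisk), so a disabled "* set noexec_user_stack = 0" left behind by an earlier edit would stop the live setting from ever being added. The helpers below, an added example that is not part of the guide (function names hypothetical, sample file constructed), inspect only live "set name = value" lines and report the effective value.

```shell
# Added example (not from the guide): a stricter "append only if absent"
# guard for /etc/system tunables than the grep used in Items 4.2 and 4.3.

# Print the live value of a tunable (nothing if it is not set). When a
# name appears more than once the last line wins, as in the kernel.
get_tunable() {         # $1 = /etc/system-style file, $2 = tunable name
    awk -v name="$2" '
        /^[ \t]*\*/ { next }                       # comment line
        $1 == "set" {
            line = $0
            sub(/^[ \t]*set[ \t]*/, "", line)      # now "name = value"
            n = split(line, kv, "=")
            gsub(/[ \t]/, "", kv[1])
            gsub(/[ \t]/, "", kv[2])
            if (kv[1] == name) val = (n > 1) ? kv[2] : ""
        }
        END { if (val != "") print val }' "$1"
}

# Append "* comment" and "set name = value" unless that value is already
# live. Returns 0 when the file was changed, 1 when nothing was needed.
ensure_tunable() {      # $1 = file, $2 = name, $3 = value, $4 = comment
    if [ "$(get_tunable "$1" "$2")" = "$3" ]; then
        return 1
    fi
    printf '* %s\nset %s = %s\n' "$4" "$2" "$3" >> "$1"
}

# Stand-alone demonstration on a constructed file: the commented-out
# noexec_user_stack line does not count, so the live one is added.
system_demo() {
    f=$(mktemp)
    printf '* set noexec_user_stack = 0\nset maxusers = 64\n' > "$f"
    ensure_tunable "$f" noexec_user_stack 1 \
        "Attempt to prevent and log stack-smashing attacks" || true
    ensure_tunable "$f" noexec_user_stack_log 1 \
        "Log attempts to execute code on the stack" || true
    ensure_tunable "$f" nfssrv:nfs_portmon 1 \
        "Require NFS clients to use privileged ports" || true
    cat "$f"
    rm -f "$f"
}

system_demo
```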
4.4 Modify network parameters
Action:

if [ ! -f /etc/init.d/netconfig ]; then
    cat <<END_SCRIPT > /etc/init.d/netconfig
#!/sbin/sh
ndd -set /dev/ip ip_def_ttl 255
ndd -set /dev/ip ip_forward_src_routed 0
ndd -set /dev/ip ip6_forward_src_routed 0
ndd -set /dev/tcp tcp_rev_src_routes 0
ndd -set /dev/ip ip_forward_directed_broadcasts 0
ndd -set /dev/tcp tcp_conn_req_max_q0 4096
ndd -set /dev/tcp tcp_conn_req_max_q 1024
ndd -set /dev/ip ip_respond_to_timestamp 0
ndd -set /dev/ip ip_respond_to_timestamp_broadcast 0
ndd -set /dev/ip ip_respond_to_address_mask_broadcast 0
ndd -set /dev/ip ip_respond_to_echo_broadcast 0
ndd -set /dev/arp arp_cleanup_interval 60000
ndd -set /dev/ip ip_ire_arp_interval 60000
ndd -set /dev/ip ip_ignore_redirect 1
ndd -set /dev/ip ip6_ignore_redirect 1
ndd -set /dev/tcp tcp_extra_priv_ports_add 6112
END_SCRIPT
    chown root:root /etc/init.d/netconfig
    chmod 744 /etc/init.d/netconfig
    ln -s /etc/init.d/netconfig /etc/rc2.d/S69netconfig
fi
4.6 Use better TCP sequence numbers
Action:

cd /etc/default
awk '/^TCP_STRONG_ISS/ { $1 = "TCP_STRONG_ISS=2" }; \
    { print }' inetinit > inetinit.new
mv inetinit.new inetinit
chown root:sys inetinit
chmod 444 inetinit
4.7 Set up host-based firewalls
Action:
1. Download libiconv-1.8-sol9-sparc-local.gz and gcc-3.4.0-sol9-sparc-local.gz from http://www.sunfreeware.com. Place the files in the /opt directory.
Note: In order to compile the ipfilter source code, a compiler capable of creating a 64-bit executable must be used. GCC versions 2.95.5 and later can be used to create 64-bit executables.
2. Install packages:

cd /opt
gunzip libiconv-1.8-sol9-sparc-local.gz
gunzip gcc-3.4.0-sol9-sparc-local.gz
pkgadd -d libiconv-1.8-sol9-sparc-local all
pkgadd -d gcc-3.4.0-sol9-sparc-local all

c) Install the newly created ipfil package
6. Install ip_fil 4.1.2
Note: A loadable kernel module (/etc/rc2.d/S65ipfboot) is created during the ipfilter installation.
a) Patch the Makefile. The Makefile for Solaris in ip_fil 4.1.2 contains an error and must be patched as follows. Make a backup copy of the original Makefile:

cd /opt/ip_fil4.1.2/SunOS5
cp Makefile Makefile.orig

b) Create the patch file (in place of [space] and [tab], insert a single space or tab character, respectively; this is critical for Makefile formatting) and patch the Makefile:

cat << END_SCRIPT > Makefile.patch
199,200c199,200
<[space]\$(OBJ)/ip_rules.o: \$(TOP)/ip_rules.c \$(TOP)/ip_rules.h
<[space][tab]\$(CC) -I\$(TOP) \$(DFLAGS) -c \$(TOP)/ip_rules.c \
-o \$@
---
>[space]\$(OBJ)/ip_rules.o: \$(OBJ)/ip_rules.c \$(TOP)/ip_rules.h
>[space][tab]\$(CC) -I\$(TOP) \$(DFLAGS) -c \$(OBJ)/ip_rules.c \
-o \$@
306,307c306,314
<[space]\$(OBJ)/ip_rules_u.o: \$(TOP)/ip_rules.c \
\$(TOP)/ip_fil.h \$(TOP)/ip_rules.h
<[space][tab]\$(CC) \$(CCARGS) \$(EXTRA) -c \$(TOP)/ip_rules.c \
-o \$@
---
>[space]\$(OBJ)/ip_rules.c: \$(OBJ)/ipf.exe \
\$(TOP)/tools/ipfcomp.c \$(TOP)/rules/ip_rules
>[space][tab]\$(OBJ)/ipf.exe -cc -nf \$(TOP)/rules/ip_rules
>[space][tab]-/bin/mv -f ip_rules.c \$(OBJ)
>[space]
>[space]\$(TOP)/ip_rules.h: \$(OBJ)/ip_rules.c
>[space][tab]/bin/mv -f ip_rules.h \$(TOP)
>[space]
>[space]\$(OBJ)/ip_rules_u.o: \$(OBJ)/ip_rules.c \
\$(TOP)/ip_fil.h \$(TOP)/ip_rules.h
>[space][tab]\$(CC) \$(CCARGS) \$(EXTRA) -c \
\$(OBJ)/ip_rules.c -o \$@
END_SCRIPT
patch Makefile < Makefile.patch

c) Create the ipfilter binaries

cd ..
CC=gcc make solaris

d) Build and install the package

cd SunOS5
CC=gcc make package
7. Turn on ipfilter

cat << END_SCRIPT >> /etc/rc.conf
ipfilter_enable="YES"
ipfilter_rules="/etc/opt/ipf/ipf.conf"
ipfilter_flags="-E"
END_SCRIPT

8. [Step heading and the TCP rules of this step are not legible in this copy of the guide; only the UDP block rules that end /etc/opt/ipf/ipf.conf survive.]

cat << END_SCRIPT > /etc/opt/ipf/ipf.conf
block return-icmp(port-unr) in log first level auth.warn quick on \
    hme0 proto udp from !x.x.x.0/24 to any port = 111           # rpcbind
block return-icmp(port-unr) in log first level auth.warn quick on \
    hme0 proto udp from !x.x.x.0/24 to any port = 161           # snmpdx
block return-icmp(port-unr) in log first level auth.warn quick on \
    hme0 proto udp from !x.x.x.0/24 to any port = 514           # syslog
block return-icmp(port-unr) in log first level auth.warn quick on \
    hme0 proto udp from !x.x.x.0/24 to any port = 2049          # nfsd
block return-icmp(port-unr) in log first level auth.warn quick on \
    hme0 proto udp from !x.x.x.0/24 to any port = 2099          # rmi
block return-icmp(port-unr) in log first level auth.warn quick on \
    hme0 proto udp from !x.x.x.0/24 to any port = 4045          # lockd
block return-icmp(port-unr) in log first level auth.warn quick on \
    hme0 proto udp from !x.x.x.0/24 to any port 32767 >< 32901  # rpc svcs
END_SCRIPT
chown root:sys /etc/opt/ipf/ipf.conf
chmod 644 /etc/opt/ipf/ipf.conf
9. Configure router information
Note: Replace x.x.x.x with the actual IP address for the default router.

route add x.x.x.x localhost 0   # default router

10. Add the following to /etc/syslog.conf

printf "local0.info;local0.err;local0.debug\t\t/var/log/ipflog\n" \
    >> /etc/syslog.conf

11. Create /var/log/ipflog

touch /var/log/ipflog
chown root:sys /var/log/ipflog
chmod 600 /var/log/ipflog

12. Reboot the system
Note: The syslog daemon will be restarted when the system is rebooted.

init 6
Discussion: In some environments, services that should ideally be disabled must remain open due to operational necessity. Care should be taken to prevent unauthorized or insecure access to these services. In the case of services spawned by inetd, the TCP Wrappers daemon, discussed previously, is used to perform this access control. Not all services are spawned by inetd and some of these services do not have the means to prevent unauthorized access. Therefore it is recommended to use a host-based firewall to limit access to a machine's services.

The firewall configuration given above is for the ipfilter firewall. In this configuration, some ports are blocked outright so that only the local machine can connect to them. Access to other ports, however, is granted to any machine on a local subnet.
5 Logging

The items in this chapter cover enabling various different forms of system logging in order to keep track of activities on the system. Tools such as Swatch (http://swatch.sf.net) and Logcheck (http://sourceforge.net/projects/sentrytools/) can be used to automatically monitor logs for intrusion attempts and other suspicious system behavior. These tools are not officially supported by Sun Microsystems.
In addition to the local log files created by the steps in this chapter, it is also recommended that sites collect copies of their system logs on a secure centralized log server. Not only does centralized logging help sites correlate events that may be occurring on multiple systems, but having a second copy of the system log information may be critical after a system compromise where the attacker has modified local log files on the affected system(s).

Because it is often necessary to correlate log information from many different systems (particularly after a security incident) experts recommend establishing some form of time synchronization among systems and devices connected to the local network. The standard Internet protocol for time synchronization is the Network Time Protocol (NTP), which is supported by most network-ready devices. More information on NTP can be found in Item 1.7, at http://www.ntp.org and at http://www.sun.com/security/blueprints.
5.1 Turn on inetd tracing
Action:

cd /etc/default
if [ "`grep ENABLE_CONNECTION_LOGGING= inetd`" ]; then
    awk '/ENABLE_CONNECTION_LOGGING=/ \
        { $1 = "ENABLE_CONNECTION_LOGGING=YES" } { print }' inetd > inetd.new
    mv inetd.new inetd
else
    echo ENABLE_CONNECTION_LOGGING=YES >> inetd
fi
chown root:sys inetd
chmod 444 inetd
Discussion: If inetd is running, it is a good idea to make use of the "tracing" (-t) feature of the Solaris inetd that logs information about the source of any network connections seen by the daemon. This information is logged via syslog. By default Solaris systems deposit this logging information in /var/adm/messages with other system log messages. Should the administrator wish to capture this information in a separate file, simply modify /etc/syslog.conf to log daemon.notice to some other log file destination (see Item 5.3).
5.2 Turn on additional logging for FTP daemons
Action:

cd /etc/inet
awk '/in.ftpd/ && !/-d/ { $NF = $NF " -d" }
     /in.ftpd/ && !/-l/ { $NF = $NF " -l" }
     { print }' inetd.conf > inetd.conf.new
mv inetd.conf.new inetd.conf
chown root:sys inetd.conf
chmod 444 inetd.conf

5.3 Capture FTP and inetd connection tracing info
Action:

if [ ! "`grep -v '^#' /etc/syslog.conf | \
    grep /var/log/connlog`" ]; then
    echo "daemon.debug\t\t\t\t\t/var/log/connlog" \
        >> /etc/syslog.conf
fi
touch /var/log/connlog
chown root:root /var/log/connlog
chmod 600 /var/log/connlog
/etc/init.d/syslog stop
/etc/init.d/syslog start
2) Add the following new information to /etc/syslog.conf

printf "auth.err\t\t\t\t\t/dev/console
*.err;auth.notice;kern.debug\t\t\tifdef(\`LOGHOST', \
/var/adm/messages, @loghost)
kern.info\t\t\t\t\tifdef(\`LOGHOST', /var/log/kernlog, @loghost)
user.info\t\t\t\t\tifdef(\`LOGHOST', /var/log/userlog, @loghost)
mail.info\t\t\t\t\tifdef(\`LOGHOST', /var/log/maillog, @loghost)
daemon.info\t\t\t\t\tifdef(\`LOGHOST', /var/log/daemonlog, @loghost)
auth.info\t\t\t\t\tifdef(\`LOGHOST', /var/log/authlog, @loghost)
cron.info\t\t\t\t\tifdef(\`LOGHOST', /var/log/cronlog, @loghost)\n" \
    >> syslog.conf

3) Create log files

cd /var/log
touch kernlog userlog maillog daemonlog cronlog authlog
chown root:sys kernlog userlog maillog daemonlog cronlog authlog
chmod 600 kernlog userlog maillog daemonlog cronlog authlog
4) Restart the syslog daemon

/etc/init.d/syslog stop
/etc/init.d/syslog start
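Two things go wrong most often with the entries written in step 2: Solaris syslogd accepts only a tab between the selector and the action, so an entry typed with spaces is silently ignored, and the local files named as actions must exist with the permissions set in step 3. The checks below are an added example, not part of the guide (function names hypothetical, sample syslog.conf constructed); the ifdef handling follows the m4-style entries shown above.

```shell
# Added example (not from the guide): sanity checks for syslog.conf
# entries of the form written in Item 5.4.

# Print "N: text" for each non-comment line whose selector and action are
# not separated by a tab (syslogd ignores such lines).
untabbed_syslog_lines() {   # $1 = syslog.conf path
    awk '/^[ \t]*(#|$)/ { next }
         $0 !~ /\t/ { printf "%d: %s\n", NR, $0 }' "$1"
}

# Print every local file named as an action, one per line. For an
# ifdef(`LOGHOST', file, @loghost) action the local branch is taken;
# a bare @host forwarding target is skipped.
syslog_local_files() {      # $1 = syslog.conf path
    awk -F '\t' '/^[ \t]*(#|$)/ { next }
         {
             action = $NF
             sub(/^[ \t]+/, "", action)
             if (action ~ /^ifdef\(/) {
                 split(action, part, ",")
                 action = part[2]
                 gsub(/[ \t)]/, "", action)
             }
             if (action ~ /^\//) print action
         }' "$1"
}

# Constructed sample (not a real /etc/syslog.conf); the last entry is
# deliberately written with spaces so the tab check fires on it.
make_sample_syslog() {      # $1 = path to create
    {
        printf '# constructed sample\n'
        printf 'auth.err\t\t\t\t\t/dev/console\n'
        printf "*.err;auth.notice;kern.debug\t\t\tifdef(\`LOGHOST', /var/adm/messages, @loghost)\n"
        printf "kern.info\t\t\t\t\tifdef(\`LOGHOST', /var/log/kernlog, @loghost)\n"
        printf 'daemon.debug        /var/log/connlog\n'
    } > "$1"
}

# Stand-alone demonstration.
syslog_demo() {
    f=$(mktemp)
    make_sample_syslog "$f"
    echo "entries without a tab separator:"
    untabbed_syslog_lines "$f"
    echo "local files to create and protect:"
    syslog_local_files "$f"
    rm -f "$f"
}

syslog_demo
```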
5.5 Create /var/adm/loginlog
Action:

touch /var/adm/loginlog
chown root:sys /var/adm/loginlog
chmod 600 /var/adm/loginlog
cd /etc/default
awk '/SYSLOG_FAILED_LOGINS=/ \
    { $1 = "SYSLOG_FAILED_LOGINS=0" }; \
    { print }' login > login.new
mv login.new login
chown root:sys login
chmod 444 login
Discussion: If the loginlog exists, the file /var/adm/loginlog will capture failed login attempt messages (this file does not exist by default). Administrators may also modify the SYSLOG_FAILED_LOGINS parameter in /etc/default/login to control how many login failures are allowed before log messages are generated; if set to zero then all failed logins will be logged in batches of five.

The loginlog file should be reviewed and archived on a regular basis. The logadm utility can be used to archive all log files. A sample script for archiving log files is provided in Item 5.11.
5.7 Enable system accounting
Action:

cat <<END_SCRIPT > /etc/init.d/newperf
#!/sbin/sh
/usr/bin/su sys -c \
    "/usr/lib/sa/sadc /var/adm/sa/sa\`date +%d\`"
END_SCRIPT
mv /etc/init.d/newperf /etc/init.d/perf
chown root:sys /etc/init.d/perf
chmod 744 /etc/init.d/perf
rm -f /etc/rc2.d/S21perf
ln -s /etc/init.d/perf /etc/rc2.d/S21perf
/usr/bin/su sys -c crontab <<END_ENTRIES
0,20,40 * * * * /usr/lib/sa/sa1
45 23 * * * /usr/lib/sa/sa2 -s 0:00 -e 23:59 -i 1200 -A
END_ENTRIES
Discussion: The system accounting script above gathers baseline system data (CPU utilization, disk I/O, etc.) every 20 minutes. The data may be accessed with the sar command (see man sar for more information), or by reviewing the nightly report files named /var/adm/sa/sar*. Once a normal baseline for the system has been established, unauthorized activity (password crackers and other CPU-intensive jobs, and activity outside of normal usage hours) may be detected due to departures from the normal system performance curve.
3) Create a root cron job to force new audit logs daily

cd /var/spool/cron/crontabs
crontab -l > root.tmp
echo '0 0 * * * /usr/sbin/audit -n' >> root.tmp
crontab root.tmp
rm -f root.tmp

5) See Item 5.11 for log rotation script
Discussion: Auditing gathers system data about logins and logouts, administrative actions, exec system calls, etc. Although auditing may cause some performance degradation, in the event a system intrusion does occur, the information obtained from the audit logs will provide very valuable forensic evidence.

When BSM is enabled, the startup scripts for L1-A and vold are disabled. The L1-A feature allows the system administrator to halt the system. If L1-A is needed, comment out the line containing "abort_enable=0" in /etc/system. The vold daemon is used for volume management services. If vold is needed, move /etc/security/spool/S81volmgt to /etc/rc3.d/S81volmgt. If the minfree value is reached, the system will begin logging the auditing information in the secondary directory if one is listed.

Note: The BSM should not be enabled more than once.
5.9 Configure role-based access control
The security policy of your organization will determine if all of the following role accounts are needed.
Note: The roleadd command will populate the /etc/passwd, /etc/shadow, and /etc/user_attr files. The roleadd command restricts the length of the role name to eight characters. The Primary Administrator role can also be created using the Solaris Management Console.
Action:
1. Set up the audit account role
The Audit role allows assigned users access to monitor the audit logs. To prevent unauthorized users from gaining access to audit information, only those users who require all of the privileges associated with this role should be assigned this role.
a) Add audit account to /etc/passwd file
Note: The following entry should be placed directly after the root entry

audit::0:1:Audit_User:/:/sbin/sh

b) Add audit account information to /etc/shadow

pwconv

c) Set password for audit account

passwd audit
e) Make the audit account a role

echo "audit::::type=role;auths=solaris.audit.;\
profiles=Audit Control, Audit Review" >> \
    /etc/user_attr
c) Assign user to the System Administrator role
If the user account already exists, add the user to the role by performing the following:

usermod -R SystAdm username

To create a new user account and assign the user to the Primary Administrator role, perform the following:

useradd -u userid -o -g usergrp -d /homeaccountdir/username -m -s /bin/sh \
    -R SystAdm username

c) Assign user to the Operator role
If the user account already exists, add the user to the role by performing the following:

usermod -R TapeOp username
5. Restart the name service cache daemon in order for the new roles to take effect.

/etc/init.d/nscd stop
/etc/init.d/nscd start
Discussion: Role-Based Access Control (RBAC) assigns user privileges based on least privilege and separation of duty. RBAC allows a system administrator to assign individuals to roles based on their job function. A user can use the "su" command to switch to an assigned role.

To prevent the system administrator from logging onto the system as root, root can be made into a role. By creating this role, users will be required to log on as themselves before switching to the root account. Please see Sun documentation (http://docs.sun.com/app/docs/doc/806-4078/6jd6cjs58?a=view) on making the root user into a role.
5.10 Confirm permissions on system log files
Action:

chown root:sys /var/log/syslog /var/log/authlog \
    /var/adm/loginlog
chown root:root /var/cron/log /var/adm/messages
chmod go-wx /var/log/syslog /var/adm/messages
chmod go-rwx /var/log/authlog /var/adm/loginlog \
    /var/cron/log
cd /var/adm
chown root:bin utmpx
chown adm:adm wtmpx
chmod 644 utmpx wtmpx
chown sys:sys /var/adm/sa/*
chmod go-wx /var/adm/sa/*
dir=`awk -F: '($1 == "dir") { print $2 }' \
    /etc/security/audit_control`
chown root:root $dir/*
chmod go-rwx $dir/*
Discussion: It is critical to protect system log files from being modified by unauthorized individuals. Also, certain logs contain sensitive data that should only be available to the system administrator.

Sites using the runacct script for generating billing reports and other data from the system process accounting logs will notice that the script incorrectly sets the mode on the wtmpx file to 664 (adds the "group writability" bit). The local site may wish to "chmod g-w /var/adm/wtmpx" after running the runacct script. Additional information about how to use runacct can be found on the Sun runacct man page.

Note: Although this is already the default configuration for Solaris 9, this action serves to reinforce the default or to change the setting back to default in case it has been altered.

5.11 Implement automated log rotation
Action: Modify the /etc/logadm.conf file
Note: The time listed after the P option indicates the last time the log was rotated.

cat << END_SCRIPT >> /etc/logadm.conf
/var/log/kernlog -C 4 -p 1m -p 5d \
    -a 'kill -HUP \`cat /var/run/syslog.pid\`'
/var/log/userlog -C 4 -p 1m -p 5d \
    -a 'kill -HUP \`cat /var/run/syslog.pid\`'
/var/log/maillog -C 4 -p 1m -p 5d \
    -a 'kill -HUP \`cat /var/run/syslog.pid\`'
/var/log/daemonlog -C 4 -p 1m -p 5d \
    -a 'kill -HUP \`cat /var/run/syslog.pid\`'
/var/log/authlog -C 4 -p 1m -p 5d \
    -a 'kill -HUP \`cat /var/run/syslog.pid\`'
/var/log/cronlog -C 4 -p 1m -p 5d \
    -a 'kill -HUP \`cat /var/run/syslog.pid\`'
/var/log/connlog -C 4 -p 1m -p 5d \
    -a 'kill -HUP \`cat /var/run/syslog.pid\`'
/var/log/loginlog -C 4 -p 1m -p 5d \
    -a 'kill -HUP \`cat /var/run/syslog.pid\`'
END_SCRIPT
chown root:sys /etc/logadm.conf
chmod 644 /etc/logadm.conf
Discussion: System administrators must be aware that the information collected in the logs is important and could potentially serve as forensic evidence. They must also remember that disk space is limited and every possible step should be taken to preserve it.

The logadm and crontab commands can be used by system administrators to set up automated log rotation. The logadm command can be used at the command line to update a log that has become too large before the log is scheduled to be rotated. The -V option should be used to validate that the entries in the file are correct when using the logadm command to manually edit the /etc/logadm.conf configuration file.
6 File/Directory Permissions/Access

6.1 Add 'logging' option to root file system
Action:

awk '($4 == "ufs" && $3 == "/" && $7 == "-") \
    { $7 = "logging" }; \
    ($4 == "ufs" && $3 == "/" && $7 !~ /logging/) \
    { $7 = $7",logging"}; \
    { print }' /etc/vfstab > /etc/vfstab.new
mv /etc/vfstab.new /etc/vfstab
chown root:sys /etc/vfstab
chmod 664 /etc/vfstab
Discussion: A corrupted root file system is one mechanism that an attacker with physical access to the system console can use to compromise the system. By enabling the logging option on the root file system, it is much more difficult for the root file system to become corrupted at all, thwarting this particular type of attack. However, other sorts of attacks are possible if the attacker has unrestricted physical access to the system. Be sure to keep critical systems in limited-access data centers or other restricted facilities.

The administrator may also wish to add the logging option to other ufs-type file systems in /etc/vfstab. This will help the system to reboot faster in the event of a crash at the cost of some disk overhead (up to a maximum of 64MB per partition) for the file system transaction log file.
6.3 Configure vold.conf to allow users access to CD-ROM only
Action:

awk '($2 == "floppy" || $2 == "dev/diskette[0-9]/*" \
      || $4 == "floppy" || $2 == "rmdisk" ) {$1 = "#"$1}; { print}' \
    /etc/vold.conf > /etc/vold.conf.new
mv /etc/vold.conf.new /etc/vold.conf
chown root:bin /etc/vold.conf
chmod 444 /etc/vold.conf

Discussion: Users can use removable media, such as floppy disks, to insert malicious code on the system. By preventing regular users from having access to the floppy drive and other removable devices, there is less of a chance that an exploit will be loaded on the system. Only the root user will be allowed to mount floppy drives. In Solaris 9, the Volume Manager now allows users access to removable devices such as DVD-ROMs, Jaz and Zip drives. The rmformat command should be used to format, label, and set read/write protection for the removable devices. Note: If a user has access to CD burners, the threat of the user loading an exploit on the system still exists.
Discussion: When the so-called "sticky bit" is set on a directory, only the owner of a file (or the owner of the directory, or root) may remove that file from the directory, as opposed to the usual behavior where anybody with write access to that directory may remove the file. Setting the sticky bit prevents users from overwriting each other's files, whether accidentally or maliciously, and is generally appropriate for most world-writable directories. However, consult appropriate vendor documentation before blindly applying the sticky bit to any world-writable directories found, in order to avoid breaking any application dependencies on a given directory.

6.6 Find unauthorized world-writable files
Action: Administrators who wish to obtain a list of the world-writable files currently on the system may run the following commands:

for part in `awk '($4 == "ufs" || $4 == "tmpfs") \
    { print $3 }' /etc/vfstab`
do
    find $part -xdev -type f -perm -0002 -print
done

Discussion: The administrator should take care to ensure that no rogue setUID programs have been introduced into the system. Information on the setUID and setGID applications that normally ship with Solaris systems can be found at http://ist.uwaterloo.ca/security/howto. Cryptographic checksums of these files (along with all standard files in the Solaris operating system) can be obtained from the Solaris Fingerprint Database (see http://sunsolve.sun.com/pub-cgi/fileFingerprints.pl). Tools for interacting with the Fingerprint Database are available from http://www.sun.com/blueprints/tools/.
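As an added example (not from this guide, the CIS benchmark, or Sun), the following shell functions extend the world-writable scan above to the setUID/setGID programs discussed here: they record a baseline of privileged binaries on a known-good system and later report anything that has gained a setUID or setGID bit since. The tree root and the baseline file are arguments supplied by the caller; the example assumes a find(1) that accepts -perm -4000 and the POSIX sort(1) and comm(1) utilities.

```shell
#!/bin/sh
# Added example: baseline-and-diff of setUID/setGID files.
# Not taken from the guide; assumes POSIX find/sort/comm.

# list_privileged TREE
#   Print every regular file under TREE with the setUID or setGID bit set,
#   one per line, sorted bytewise. -xdev keeps the scan on one file system,
#   as the guide's world-writable scan does, so run it once per mount point.
list_privileged() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null \
        | LC_ALL=C sort
}

# save_baseline TREE FILE
#   Record the current privileged-file list. Do this on a freshly installed
#   and patched system, and keep FILE off the host (or verify its contents
#   against the Solaris Fingerprint Database) so an intruder cannot edit it.
save_baseline() {
    list_privileged "$1" > "$2"
}

# new_privileged TREE FILE
#   Print paths that are setUID/setGID now but absent from the baseline FILE
#   written by save_baseline. Returns 0 when nothing new was found, 1 otherwise.
#   comm(1) needs both inputs sorted the same way, hence LC_ALL=C throughout.
new_privileged() {
    found=`list_privileged "$1" | LC_ALL=C comm -13 "$2" -`
    if [ -z "$found" ]; then
        return 0
    fi
    printf '%s\n' "$found"
    return 1
}

# Typical use (paths are assumptions):
#   save_baseline / /var/adm/setuid.baseline      once, on a clean system
#   new_privileged / /var/adm/setuid.baseline     from cron; non-zero exit means new files
```

A non-zero exit from new_privileged is what a cron wrapper should alert on; the printed paths are the candidates to check against the Fingerprint Database before deciding whether a patch or an intruder introduced them.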
2. Unpack and install the software

uncompress SUNBEfixm.pkg.Z
pkgadd -d SUNBEfixm.pkg all

3. Run the fix-modes program.

/opt/SUNBEfixm/fix-modes

Discussion: The fix-modes software corrects various ownership and permission issues with files throughout the Solaris OS file systems. This program should be rerun every time packages are added to the system or patches are applied. Administrators may wish to run the tool periodically out of cron. The actions above recommend using a precompiled version of fix-modes supplied by Sun for use with their Solaris Security Toolkit framework. The source code is also available from the same URL. Sun's version of the tool has been specifically modified to avoid well-known problems when running fix-modes on SSP systems for the E10K and E15K products.
7 System Access, Authentication, and Authorization

7.1 Set higher security level for sadmind service
Action:

cd /etc/inet
awk '/sadmind /&& !/-S/ { $7 = $7 " -S 2" } { print }' inetd.conf > inetd.conf.new
mv inetd.conf.new inetd.conf
chown root:sys inetd.conf
chmod 444 inetd.conf

7.2 Disable "nobody" access for secure RPC
Action:

cd /etc/default
awk '/ENABLE_NOBODY_KEYS=/ \
    { $1 = "ENABLE_NOBODY_KEYS=NO" } { print }' keyserv > keyserv.new
mv keyserv.new keyserv
chown root:sys keyserv
chmod 444 keyserv
7.3 Remove .rhosts support in /etc/pam.conf
Action:

cd /etc
grep -v rhosts_auth pam.conf > pam.conf.new
mv pam.conf.new pam.conf
chown root:sys pam.conf
chmod 644 pam.conf

Discussion: Used in conjunction with the BSD-style "r-commands" (rlogin, rsh, rcp), .rhosts files implement a weak form of authentication based on the network address or host name of the remote computer. Disabling .rhosts support helps prevent users from subverting the system's normal access control mechanisms. If .rhosts support is required, some basic precautions should be taken when creating and managing .rhosts files. Never use the "+" wildcard character in .rhosts files. In fact, .rhosts entries should always specify a specific trusted host name along with the user name of the trusted account on that system (e.g., "trustedhost alice" and not just "trustedhost"). Avoid establishing trust relationships with systems outside of the organization's security perimeter and/or systems not controlled by the local administrative staff. Firewalls and other network security elements should actually block rlogin/rsh/rcp access from external hosts. These services are typically run on ports 512 through 514. Other services may share these port numbers. Finally, make sure that .rhosts files are only readable by the owner of the file (i.e., these files should be mode 600).
Action:

cd /etc/default
if [ "`grep LOG_FROM_REMOTE= syslogd`" ]; then
    awk '/LOG_FROM_REMOTE=/ \
        { $1 = "LOG_FROM_REMOTE=NO"} { print }' syslogd > syslogd.new
    mv syslogd.new syslogd
else
    echo LOG_FROM_REMOTE=NO >> syslogd
fi
chown root:sys syslogd
chmod 444 syslogd

Discussion: By default the system logging daemon, syslogd, listens for log messages from other systems on network port 514/udp. Unfortunately, the protocol used to transfer these messages does not include any form of authentication, so a malicious outsider could simply barrage the local system's syslog port with spurious traffic, either as a denial of service attack on the system, or to fill up the local system's logging files so that subsequent attacks will not be logged. It is considered good practice to set up one or more machines as central "log servers" to aggregate log traffic from all machines at a site. However, unless a system is set up to be one of these "log server" systems, it should not be listening on 514/udp for incoming log messages.
7.6 Prevent remote XDMCP access
Action:

mkdir -p /etc/dt/config
cat <<EOXaccess > /etc/dt/config/Xaccess
!*
!* CHOOSER BROADCAST
EOXaccess
chown root:sys /etc/dt/config/Xaccess
chmod 755 /etc/dt/config
chmod 644 /etc/dt/config/Xaccess

Discussion: X servers listen on port 6000/tcp for messages from remote clients running on other systems. However, X Windows uses a relatively insecure authentication protocol; an attacker who is able to gain unauthorized access to the local X server can easily compromise the system. Invoking the "-nolisten tcp" option causes the X server not to listen on port 6000/tcp by default. Disabling listening on port 6000 for X servers does have the side effect that it also prevents authorized remote X clients from displaying windows on the local system. However, the forwarding of X events via ssh will still work properly. This is the preferred, more secure method of transmitting data from remote X clients.

7.8 Set default locking screensaver timeout
Action:

for file in /usr/dt/config/*/sys.resources; do
    dir=`dirname $file | sed s/usr/etc/`
    mkdir -p $dir
    echo 'dtsession*saverTimeout: 10' >> $dir/sys.resources
    echo 'dtsession*lockTimeout: 10' >> $dir/sys.resources
    chown root:sys $dir/sys.resources
    chmod 444 $dir/sys.resources
done
7.9 Restrict at/cron to authorized users
Action:

cd /etc/cron.d
rm -f cron.deny at.deny
echo root > cron.allow
echo root > at.allow
chown root:root cron.allow at.allow
chmod 400 cron.allow at.allow

Discussion: The cron.allow and at.allow files are a list of users who are allowed to run the crontab and at commands to submit jobs to be run at scheduled intervals. On many systems, only the system administrator needs the ability to schedule jobs. Even though a given user is not listed in cron.allow, cron jobs can still be run as that user (e.g., the cron jobs running as user sys for system accounting tasks; see Item 5.7, "Enable system accounting"). cron.allow only controls administrative access to the crontab command for scheduling and modifying cron jobs. Much more effective access controls for the cron system can be obtained by using Role-Based Access Control (RBAC).

7.10 Remove empty crontab files and restrict file permissions
Action:

cd /var/spool/cron/crontabs
for file in *
do
    lines=`grep -v '^#' $file | wc -l | sed 's/ //g'`
    if [ "$lines" = "0" ]; then
        rm $file
    fi
done
chown root:sys *
chmod 400 *
7.11 Prevent root logins to system console
Action:

cd /etc/default
awk '/CONSOLE=/ { print "CONSOLE=/dev/null"; next }; \
    { print }' login > login.new
mv login.new login
chown root:sys login
chmod 444 login

Discussion: Setting the CONSOLE variable to /dev/null prevents root logins from the console. Administrators will have to log in to the system as themselves and then 'su' to root. If the system is in single-user mode, the user will be allowed to log in as root. Anonymous root logins should never be allowed, except on the system console in emergency situations (this is the default configuration for Solaris). At all other times the administrator should access the system via a privileged account and use some authorized mechanism (such as the su command, or the freely available sudo package) to gain additional privilege. These mechanisms provide at least some limited audit trail in the event of problems.
Discussion: The RETRIES parameter is the number of failed login attempts a user is allowed before being disconnected from the system and having to reinitiate a login session. Setting this number to a reasonably low value helps discourage brute-force password guessing attacks.

7.13 Set EEPROM security mode and log failed access
Hardware Compatibility: This action only applies to SPARC-based systems (not Solaris x86 or Solaris PPC).
Action:

eeprom security-#badlogins=0
if [ ! "`crontab -l | grep security-#badlogins`" ]; then
    cd /var/spool/cron/crontabs
    crontab -l > root.tmp
    echo "0 0,8,16 * * * /usr/bin/logger -p auth.info \`/usr/sbin/eeprom security-#badlogins\`" >> root.tmp
    crontab root.tmp
    rm -f root.tmp
fi
eeprom security-mode=command

Note: If not prompted for a password, then an EEPROM password has previously been set. To reset the EEPROM password, use the following command:

eeprom security-password=
Discussion: After entering the last command above, the administrator will be prompted for a password. This password will be required to authorize any future command issued at boot level on the system (the `ok' or `>' prompt) except for the normal multi-user boot command (i.e., the system will be able to reboot unattended). This measure helps prevent an attacker with physical access to the system console from subverting the security of the system by requiring authentication when booting off an external device (such as a CD-ROM or floppy disk). The administrator should write down this password and place it in a sealed envelope in a secure location (locked desk drawers are typically not secure). If the password is lost or forgotten, simply run the command "eeprom security-password=" as root to reset the forgotten password. Note: EEPROM security features are available only on Sun SPARC hardware, and not Intel x86-compatible hardware.

8 User Accounts and Environment

The items in this chapter are tasks that the local administrator should undertake on a regular basis, perhaps in an automated fashion via cron. The automated host-based scanning tools provided by the Center for Internet Security can be used for this purpose. These scanning tools are available for free download from http://www.cisecurity.org.
Discussion: Accounts that are not being used by regular users should not allow interactive logins. As of Solaris 9, there is a stricter distinction between a locked account and a nonlogin account. While neither of these types of accounts allows interactive logins, a nonlogin account can be used to perform tasks such as running a cron job, which a locked account cannot. A nonlogin account has a password of NP and a locked account has a password of *LK*. Since there is no interface in Solaris 9 to set a nonlogin password, the /etc/shadow file must be edited directly. Not only should the password field for the account be set to an invalid string, but also the shell field in the /etc/passwd file should contain an invalid shell. /dev/null is a good choice because it is not a valid login shell, and should an attacker attempt to replace it with a copy of a valid shell the system will not operate properly.

Discussion: If the system passwords were locked in a previous step, the noshell script will not work for those accounts. If accounts are not locked or have a password setting of "no passwd; setuid only", the shell can be set to /sbin/noshell, which will cause an error to appear in /var/log/syslog. The script will log all attempts to switch user to a system account. The script listed above is taken from the Sun Solaris Security Toolkit script for noshell. Note: The noshell script should not be used on the root account.
Discussion: Any account with UID 0 has superuser privileges on the system. The only superuser accounts on the machine should be the root and audit accounts, and they should be accessed by logging in as an unprivileged user and using the su command to gain additional privileges. Finer granularity access control for administrative access can be obtained by using the freely available sudo program (http://www.courtesan.com/sudo/) or Sun's own Role-Based Access Control (RBAC) system. For more information on Solaris RBAC, see http://www.sun.com/software/whitepapers/wp-rbac/wp-rbac.pdf.
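The checks described in the discussions above (system accounts that are neither NP nor *LK*, system accounts with a usable login shell, and UID 0 accounts other than root and audit) can be scripted. The following is an added example, not from this guide or the CIS benchmark. It takes the passwd and shadow file paths as arguments so it can be run against copies; the rule that system accounts have a UID below 100 and the root/audit allow-list are assumptions drawn from the text above.

```shell
#!/bin/sh
# Added example: audit passwd/shadow for the account problems the guide
# describes. Assumptions: system accounts have 0 < UID < 100 (Solaris
# convention), root and audit are the only legitimate UID 0 accounts, and
# Solaris 9 marks nonlogin accounts with NP and locked ones with *LK*.

# extra_uid0 PASSWD
#   Names of UID 0 accounts other than root and audit. Any such account is
#   a second superuser and almost always a backdoor.
extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" && $1 != "audit" { print $1 }' "$1"
}

# unlocked_system_accounts PASSWD SHADOW
#   System accounts whose shadow password field is neither NP (nonlogin)
#   nor *LK* (locked); such accounts can be logged into if the hash is
#   guessed. The passwd file is read first to collect system account names,
#   then each shadow entry is checked against that set.
unlocked_system_accounts() {
    awk -F: 'NR == FNR { if ($3 > 0 && $3 < 100) sys[$1] = 1; next }
             ($1 in sys) && $2 != "NP" && $2 !~ /^\*LK\*/ { print $1 }' "$1" "$2"
}

# system_accounts_with_login_shell PASSWD
#   System accounts whose shell field is not one of the invalid shells the
#   guide recommends. An empty field is flagged too: login treats it as
#   /usr/bin/sh.
system_accounts_with_login_shell() {
    awk -F: '$3 > 0 && $3 < 100 &&
             $7 != "/dev/null" && $7 != "/bin/false" && $7 != "/sbin/noshell" { print $1 }' "$1"
}

# audit_accounts PASSWD SHADOW
#   Print one finding per line; return 1 if anything was found, else 0.
audit_accounts() {
    rc=0
    for u in `extra_uid0 "$1"`; do
        echo "UID 0 account other than root/audit: $u"; rc=1
    done
    for u in `unlocked_system_accounts "$1" "$2"`; do
        echo "system account neither NP nor *LK*: $u"; rc=1
    done
    for u in `system_accounts_with_login_shell "$1"`; do
        echo "system account with a usable login shell: $u"; rc=1
    done
    return $rc
}

# Usage: audit_accounts /etc/passwd /etc/shadow
```

Run it from cron with the real files and alert on a non-zero exit; run it by hand against backup copies (see Appendix A) to confirm that a hardening pass did not leave a system account half-done, with NP in shadow but a real shell in passwd.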
8.9 Set user home directories to mode 750 or more restrictive
Action:

for dir in `logins -ox | \
    awk -F: '($8 == "PS" && $1 != "root" && $1 != "audit") \
        { print $6 }'`
do
    chmod g-w $dir
    chmod o-rwx $dir
done
8.10 Disallow group/world-writable user dot files
Action:

for dir in `logins -ox | \
    awk -F: '($8 == "PS") { print $6 }'`
do
    for file in $dir/.[A-Za-z0-9]*; do
        if [ ! -h "$file" -a -f "$file" ]; then
            chmod go-w "$file"
        fi
    done
done
for username in \`awk '(\$1 != "-rw-------") \
        { print \$3 }' forwardls.new\`
do
    chmod go-rwx \$userhome/.forward
    chmod u-x \$userhome/.forward
    mailx -s .forward \$username < /etc/permchange
done
rm forwardls.new
else
    echo ".forward file does not exist for \$userhome"
fi
done
END_SCRIPT
chown root:sys /etc/forward
chmod 700 /etc/forward

2. Create the email message to send to users

echo "The permissions on the .forward file for this account were \
changed by an administrator." > /etc/permchange
chown root:sys /etc/permchange
chmod 644 /etc/permchange

3. Add the following line to /etc/syslog.conf

printf "user.info\t\t\t\t\t/var/log/forward\n" >> /etc/syslog.conf

4. Create /var/log/forward

touch /var/log/forward
chown root:sys /var/log/forward
chmod 600 /var/log/forward

5. Stop, then restart the syslog daemon

/etc/init.d/syslog stop
/etc/init.d/syslog start

6. Run the forward script

/etc/forward
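The procedure above is gathered here into one self-contained script so the whole check can be read in one place. It is an added example, not the guide's /etc/forward script: it reports .forward files whose mode is anything other than 600 and, when asked, tightens them, but it leaves out the mailx notification and syslog logging of the original. It reads a passwd file given as an argument, treating accounts with UID 100 or above and a real shell as regular users; that boundary, and the decision to also flag a .forward that is a symbolic link, are assumptions added here.

```shell
#!/bin/sh
# Added example: audit (and optionally fix) ~/.forward permissions.
# Not the guide's /etc/forward script. Assumes regular users have UID >= 100
# and a shell other than the invalid shells listed in user_homes.

# user_homes PASSWD
#   Home directories of regular user accounts (UID >= 100 with a real shell).
user_homes() {
    awk -F: '$3 >= 100 && $7 != "" && $7 != "/dev/null" &&
             $7 != "/bin/false" && $7 != "/sbin/noshell" { print $6 }' "$1"
}

# check_forward HOME FIX
#   Classify HOME/.forward as missing, symlink, ok (mode 600), bad, or
#   fixed. A symlink is reported separately because sendmail would read
#   whatever file the user points it at. With FIX=yes a bad file is set to
#   600 and reported as fixed. Returns 1 for symlink or bad, 0 otherwise.
check_forward() {
    f="$1/.forward"
    if [ -h "$f" ]; then echo symlink; return 1; fi
    if [ ! -f "$f" ]; then echo missing; return 0; fi
    # columns 2-10 of ls -l are the permission bits; portable to Solaris ls
    mode=`ls -ld "$f" | cut -c2-10`
    if [ "$mode" = "rw-------" ]; then echo ok; return 0; fi
    if [ "$2" = yes ]; then
        chmod 600 "$f" && { echo fixed; return 0; }
    fi
    echo bad
    return 1
}

# audit_forward PASSWD FIX
#   Print "home status" for every account that has a .forward and return 1
#   if any remain symlink or bad after the optional fix.
audit_forward() {
    rc=0
    for h in `user_homes "$1"`; do
        status=`check_forward "$h" "$2"`
        case $status in
            missing) ;;
            ok|fixed) echo "$h $status" ;;
            *) echo "$h $status"; rc=1 ;;
        esac
    done
    return $rc
}

# Usage: audit_forward /etc/passwd no    # report only
#        audit_forward /etc/passwd yes   # report and tighten to mode 600
```

Run the report-only form first; a .forward that is a symlink, or one that is writable by others, is worth a conversation with the user before it is silently changed, since another user with write access could redirect that account's mail.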
Discussion: With a default UMASK setting of 077, files and directories created by users will not be readable by any other user on the system. The user creating the file has the discretion of making his/her files and directories readable by others via the chmod command. Users who wish to allow their files and directories to be readable by others by default may choose a different default UMASK by inserting the UMASK command into the standard shell configuration files (.profile, .cshrc, etc.) in their home directories. A UMASK of 027 would make files and directories readable by users in the same UNIX group, while a UMASK of 022 would make files readable by every user on the system.

8.14 Set default UMASK for FTP users
Action:

cd /etc/ftpd
if [ "`grep '^defumask' ftpaccess`" ]; then
    awk '/^defumask/ { $2 = "077" } { print }' ftpaccess > ftpaccess.new
    mv ftpaccess.new ftpaccess
else
    echo defumask 077 >> ftpaccess
fi
chown root:sys ftpaccess
chmod 444 ftpaccess
8.16 Change root's home directory
Action:

mkdir /root
mv -i /.??* /root/      # .??* matches dot files but not the "." and ".." entries
passmgmt -m -h /root root
passmgmt -m -h /root audit
chmod 700 /root
2. Establish and enable quotas for users, where proto_user is the prototype user for other users

edquota proto_user
# The vi editor will be spawned with the line shown below. Modify the
# soft_lim and hard_lim placeholder fields in the editor to meet the
# block and inode limits chosen.
fs mount_point blocks (soft=soft_lim, hard=hard_lim) inodes (soft=soft_lim2, hard=hard_lim2)
edquota -p proto_user user_1 user_2
quotacheck -v -a
# Activate the quotas previously generated using the following command:
quotaon -v mount_point

3. View user quota usage

repquota -v -a

Discussion: Quotas are established to prevent user files from consuming all available hard drive disk space. Only the root user can create or edit quotas. The hard limit is the absolute maximum amount a user can consume; once it is reached, the user cannot create new files, edit old files, compile programs, etc. The soft limit is the maximum that the administrator would prefer. Once the soft limit is exceeded the system warns the user and starts the grace period, usually between 5 and 9 days. During this time, the user is still able to perform file operations that exceed the soft limit but not the hard limit. When the grace period ends, the soft limit is enforced as a hard limit. Disk quotas should be enforced on file systems used for mail (e.g., /var/spool/mail), user home directories (e.g., /export/home), and temporary files (e.g., /tmp). The administrator must choose which file systems need quotas, the appropriate soft time limit (no more than two weeks), which users should have quotas enforced, and the appropriate soft and hard limits. See edquota(1M) for an explanation of the placeholder variables (soft_lim, hard_lim, etc.) shown above.
9 Warning Banners

Presenting some sort of statutory warning message prior to the normal user logon may assist the prosecution of trespassers on the computer system. Changing some of these login banners also has the side effect of hiding OS version information and other detailed system information from attackers attempting to target specific attacks at a system. Guidelines published by the US Department of Defense require that warning messages include at least the name of the organization that owns the system, the fact that the system is subject to monitoring and that such monitoring is in compliance with local statutes, and that the use of the system implies consent to such monitoring. Clearly, the organization's local legal counsel and/or site security administrator should review the content of all messages before any system modifications are made, as these warning messages are inherently site-specific. More information (including citations of relevant case law) can be found at: http://www.usdoj.gov/criminal/cybercrime/s&sappendix2002.htm. If TCP Wrappers are being used to display warning banners for various inetd-based services, it is important that the banner messages be formatted properly so as not to interfere with the application protocol. The Banners.Makefile file provided with the TCP Wrappers source distribution (available from ftp.porcupine.org as well as http://www.sunfreeware.com) contains shell commands to help produce properly formatted banner messages.
9.3 Create warnings for telnet daemon
Action:

cd /etc/default
if [ -z "`grep '^BANNER=' telnetd`" ]; then
    echo "BANNER=\"Authorized uses only. All activity may \
be monitored and reported.\\\n\\\n\"" >> telnetd
    chown root:sys telnetd
    chmod 444 telnetd
fi
Appendix A: File Backup Script

#!/bin/sh
ext=`date '+%Y%m%d-%H:%M:%S'`
for file in /etc/.login /etc/coreadm.conf \
    /etc/cron.d/at.allow /etc/cron.d/at.deny \
    /etc/cron.d/cron.allow /etc/cron.d/cron.deny \
    /etc/default/cron /etc/default/power \
    /etc/default/inetd /etc/default/inetinit \
    /etc/default/init /etc/default/keyserv \
    /etc/default/login /etc/default/passwd \
    /etc/default/sendmail /etc/default/syslogd \
    /etc/default/telnetd /etc/default/sys-suspend \
    /etc/dt/config/Xaccess /etc/dt/config/*/Xresources \
    /etc/dt/config/*/sys.resources /etc/dt/config/Xservers \
    /etc/ftpd/banner.msg /etc/ftpd/ftpaccess /etc/ftpusers \
    /etc/defaultrouter /etc/hosts.allow /etc/hosts.deny \
    /etc/inet/inetd.conf /etc/inet/ntp.conf /etc/inet/ntp.keys \
    /etc/init.d/RMTMPFILES /etc/init.d/netconfig \
    /etc/init.d/inetsvc /etc/init.d/perf /etc/dfs/dfstab \
    /etc/issue /etc/motd /etc/pam.conf /etc/passwd \
    /etc/profile /etc/shadow /etc/rmmount.conf \
    /etc/security/audit_class /etc/security/audit_control \
    /etc/security/audit_event /etc/security/audit_startup \
    /etc/security/audit_user /etc/user_attr /etc/logadm.conf \
    /etc/mail/sendmail.cf /etc/ssh/sshd_config /etc/syslog.conf \
    /etc/system /etc/vfstab /etc/vold.conf
do
    [ -f $file ] && cp -p $file $file-preNSA-$ext
done
mkdir -p -m 0700 /var/spool/cron/crontabs-preNSA-$ext
cd /var/spool/cron/crontabs
tar cf - * | (cd ../crontabs-preNSA-$ext; tar xfp -)
Appendix B: Additional Security Notes

The items in this appendix are security configuration settings that have been suggested by several other resources and system hardening tools. However, given the other settings in the benchmark document, the settings presented here provide relatively little incremental security benefit. Nevertheless, none of these settings should have a significant impact on the functionality of the system, and some sites may feel that the slight security enhancement of these settings outweighs the (sometimes minimal) administrative cost of performing them. None of these settings will be checked by the automated scoring tool provided with the benchmark document. They are purely optional and may be applied or not at the discretion of local site administrators.

SN.1 Enable process accounting at boot time
Action:

ln -s /etc/init.d/acct /etc/rc3.d/S99acct

Discussion: Process accounting logs information about every process that runs to completion on the system, including the amount of CPU time, memory, etc. consumed by each process. While this would seem like useful information in the wake of a potential security incident on the system, kernel-level auditing with the "+argv,arge" policy (as enabled in Item 5.8) provides more information about each process execution in general (although kernel-level auditing does not capture system resource usage information). Both process accounting and kernel-level auditing can be a significant performance drain on the system, so enabling both seems excessive given the large amount of overlap in the information each provides.
SN.3 Restrict access to power management functions
Action:

cd /etc/default
awk '/^PMCHANGEPERM=/  { $1 = "PMCHANGEPERM=-" }
     /^CPRCHANGEPERM=/ { $1 = "CPRCHANGEPERM=-" }
     { print }' power > power.new
mv power.new power
chown root:sys power
chmod 444 power
SN.5 Create symlinks for dangerous files
Action:

for file in /.rhosts /.shosts /etc/hosts.equiv
do
    rm -f $file
    ln -s /dev/null $file
done
Appendix C: High-Risk Items
Action:

cd /etc/inet
sed 's/^#tftp/tftp/' inetd.conf > inetd.conf.new
mv inetd.conf.new inetd.conf
mkdir -p /tftpboot
chown root:root /tftpboot
chmod 711 /tftpboot
Action:

cd /etc/inet
sed 's/^#rquotad/rquotad/' inetd.conf > inetd.conf.new
mv inetd.conf.new inetd.conf

Discussion: The Solaris Volume Manager (formerly Solaris DiskSuite) provides software RAID capability for Solaris systems. This functionality can either be controlled via the GUI administration tools provided with the operating system, or via the command line. However, the GUI tools cannot function without several daemons enabled in inetd.conf. Since the same functionality that is in the GUI is available from the command line interface, administrators are strongly urged to leave these daemons disabled and administer volumes directly from the command line. Since this service uses Sun's standard RPC mechanism, it is important that the system's RPC portmapper (rpcbind) also be enabled when this service is turned on. For more information see Item 3.11, "Only enable other RPC-based services if absolutely necessary."
References

Center for Internet Security
Free benchmark documents and security tools for various OS platforms and applications:
http://www.cisecurity.org/
Precompiled software packages for various OS platforms:
ftp://ftp.cisecurity.org/

Sun Microsystems
Sun security home:
http://www.sun.com/security
Sun security blueprints:
http://www.sun.com/security/blueprints
Sun product documentation:
http://docs.sun.com/prod/solaris
Patches and related documentation:
ftp://sunsolve.sun.com/patchroot/clusters/
Sun Patch Manager tool:
http://www.sun.com/service/support/sw_only/patchmanager.html
Solaris Security Toolkit:
http://www.sun.com/security/jass/
Precompiled fix-modes software:
http://wwws.sun.com/software/security/downloads.html
Solaris Fingerprint Database:
http://sunsolve.sun.com/pub-cgi/fileFingerprints.pl
Sun's Kerberos information:
http://wwws.sun.com/software/security/kerberos
Role-Based Access Control (RBAC) white paper:
http://www.sun.com/software/whitepapers/wp-rbac/wp-rbac.pdf
OpenSSH white paper, NTP white paper, information on kernel (ndd) settings, et al.:
http://www.sun.com/security/blueprints/
Primary source for information on NTP:
http://www.ntp.org/
Information on MIT Kerberos:
http://web.mit.edu/kerberos/www/
Apache "Security Tips" document:
http://httpd.apache.org/docs-2.0/misc/security_tips.html
Information on Sendmail and DNS:
http://www.sendmail.org/
http://www.deer-run.com/~hal/dns-sendmail/DNSandSendmail.pdf

Software
Patched Makefile for IP Filter:
http://blog.graves.com/b2evolution/blogs/blog_a.php?p=590
Precompiled software packages for Solaris:
http://www.sunfreeware.com/
ftp://ftp.cisecurity.org/
OpenSSH (secure encrypted network logins):
http://www.openssh.org
TCP Wrappers source distribution:
ftp://ftp.porcupine.org
PortSentry and Logcheck (port and log monitoring tools):
http://sourceforge.net/projects/sentrytools
Swatch (log monitoring tool):
http://swatch.sourceforge.net
Open Source Sendmail (email server) distributions:
ftp://ftp.sendmail.org/
LPRng (Open Source replacement printing system for Unix):
http://www.lprng.org/
fix-modes (free tool to correct permissions and ownerships in the Solaris OS):
ftp://ftp.science.uva.nl/pub/solaris/fix-modes.tar.gz
sudo (provides fine-grained access controls for superuser activity):
http://www.courtesan.com/sudo/