Auditing
- Enable the Basic Security Module (BSM):

    /etc/security/bsmconv
- Configure the classes of events to log in /etc/security/audit_control:

    dir:/var/audit
    flags:lo,ad,pc,fc,fd,fm
    naflags:lo,ad
    #
    # lo - login/logout events
    # ad - administrative actions: mount, exportfs, etc.
    # pc - process operations: fork, exec, exit, etc.
    # fc - file creation
    # fd - file deletion
    # fm - change of object attributes: chown, flock, etc.
    #
- Create /etc/security/newauditlog.sh:

    #!/sbin/sh
    #
    # newauditlog.sh - Start a new audit file and expire the old logs
    #
    AUDIT_EXPIRE=30
    AUDIT_DIR="/var/audit"

    # Close the current audit trail and start a new one
    /usr/sbin/audit -n

    # Change into the audit directory (it may be a link) and remove
    # audit files older than AUDIT_EXPIRE days
    cd $AUDIT_DIR
    /usr/bin/find . -type f -mtime +$AUDIT_EXPIRE \
        -exec rm {} \; > /dev/null 2>&1
- Run the script nightly from cron:

    /usr/bin/crontab -e root

  and add the line:

    0 0 * * * /etc/security/newauditlog.sh
- The audit files generated are not human readable. The praudit(1M) command can be used to convert audit data into several ASCII formats.
Boot files
- Disable all startup files for services that are not needed from /etc/rc2.d and /etc/rc3.d. Services may be disabled by changing the capital ‘S’ in the name of the script to a lowercase ‘s’. The following startup files should not be disabled:

    S01MOUNTFSYS
    S05RMTMPFILES
    S20sysetup
    S30sysid.net
    S69inet
    S71rpc
    S71sysid.sys
    S72inetsvc
    S74autofs
    S74syslog
    S74xntpd
    S75cron
    S75savecore
    S80PRESERVE
    S88utmpd
    S99audit
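As an added example (not part of the checklist), the following POSIX sh script applies the S-to-s renaming described above to an rc directory while protecting a keep-list such as the one above, and prints what it disabled so the change can be recorded. The rc2.d contents, the keep-list and the temporary directory are constructed for the demonstration; on a real host the script would be pointed at /etc/rc2.d and /etc/rc3.d with the keep-list taken from the table above.

```shell
#!/bin/sh
# Added example, not from the checklist: disable rc start scripts by
# renaming S* to s*, except for the names in a keep-list.

# disable_rc_scripts RCDIR KEEPFILE
#   Renames every S??name script in RCDIR that is not listed (one name per
#   line) in KEEPFILE to s??name, and prints each name it disabled.
disable_rc_scripts() {
    rcdir=$1
    keepfile=$2
    for script in "$rcdir"/S*; do
        [ -e "$script" ] || continue            # no S* scripts present
        name=$(basename "$script")
        if grep -qx "$name" "$keepfile"; then
            continue                            # required at boot, keep it
        fi
        mv "$script" "$rcdir/s${name#S}"
        echo "$name"
    done
}

# count_enabled RCDIR: how many scripts still start with a capital S
count_enabled() {
    ls "$1" | grep -c '^S'
}

# make_demo_rcdir: build a constructed rc2.d plus keep-list in a temporary
# directory and print the directory name (the caller removes it).
make_demo_rcdir() {
    tmp=$(mktemp -d)
    mkdir "$tmp/rc2.d"
    for n in S01MOUNTFSYS S69inet S72inetsvc S88sendmail S99dtlogin; do
        : > "$tmp/rc2.d/$n"
    done
    printf '%s\n' S01MOUNTFSYS S69inet S72inetsvc > "$tmp/keep"
    echo "$tmp"
}

# Demonstration run against the constructed directory
demo=$(make_demo_rcdir)
echo "disabled:"
disable_rc_scripts "$demo/rc2.d" "$demo/keep"
echo "still enabled: $(count_enabled "$demo/rc2.d")"
rm -rf "$demo"
```

The keep-list is matched with exact-line grep (-x), so a partial name such as "S69" never protects or disables the wrong script; the printed list of renamed scripts is what you would paste into the change record for the host.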
- In order to ensure that all of the startup scripts run with the proper umask, execute the following script:

    umask 022    # make sure umask.sh gets created with the proper mode
    echo "umask 022" > /etc/init.d/umask.sh
    for d in /etc/rc?.d
    do
        ln /etc/init.d/umask.sh $d/S00umask.sh
    done
- In order to log as much information as possible, add the following lines to your /etc/syslog.conf:

    mail.debug	/var/log/syslog
    *.info;mail.none	/var/adm/messages

  Note: Tabs must be used to separate the fields.

  This will log mail entries to /var/log/syslog and everything else to /var/adm/messages.
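Because a space where the tab should be is easy to miss by eye, here is an added check (not part of the checklist) that scans a syslog.conf and reports every active entry whose selector and action are not separated by a tab. The sample configuration it builds is constructed; the first two entries are the ones recommended above, the last one is deliberately written with a space.

```shell
#!/bin/sh
# Added example, not from the checklist: verify that every active line in
# a syslog.conf separates the selector from the action with a tab, as the
# note above requires. The sample configuration is constructed.

# syslog_conf_check FILE
#   Prints "line N: no tab separator: <text>" for each non-comment,
#   non-blank line that contains no tab; exits 0 if all pass, 1 otherwise.
syslog_conf_check() {
    awk '
        /^[[:space:]]*(#|$)/ { next }         # skip comments and blank lines
        $0 !~ /\t/ {
            printf "line %d: no tab separator: %s\n", NR, $0
            bad = 1
        }
        END { exit bad + 0 }
    ' "$1"
}

# make_demo_conf FILE: write a constructed syslog.conf; the first two
# entries are tab separated as recommended, the last one uses a space.
make_demo_conf() {
    printf 'mail.debug\t/var/log/syslog\n' > "$1"
    printf '*.info;mail.none\t/var/adm/messages\n' >> "$1"
    printf '# console gets emergencies\n' >> "$1"
    printf '*.emerg /dev/console\n' >> "$1"
}

# Demonstration run
conf=$(mktemp)
make_demo_conf "$conf"
if syslog_conf_check "$conf"; then
    echo "syslog.conf OK"
else
    echo "syslog.conf has entries that need a tab separator"
fi
rm -f "$conf"
```

Run it as `syslog_conf_check /etc/syslog.conf` after editing; a non-zero exit is the signal to fix the reported lines before restarting syslogd.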
- Log failed login attempts by creating the /var/adm/loginlog file:

    touch /var/adm/loginlog
    chown root /var/adm/loginlog
    chgrp sys /var/adm/loginlog
- Set the permissions on the log files as follows:

    chmod 600 /var/adm/messages /var/log/syslog /var/adm/loginlog
- Enable the non-executable user stack, which foils certain classes of buffer overflow exploits, by adding the following to /etc/system (sun4u, sun4d, and sun4m systems only):

    * Foil certain classes of bug exploits
    set noexec_user_stack = 1
    * Log attempted exploits
    set noexec_user_stack_log = 1
Network Services
- Create /etc/init.d/nddconfig and create a link to /etc/rc2.d/S70nddconfig:

    touch /etc/init.d/nddconfig
    ln /etc/init.d/nddconfig /etc/rc2.d/S70nddconfig

  Add the following lines to the /etc/init.d/nddconfig file:

    #!/bin/sh
    #
    # /etc/init.d/nddconfig
    #
    # Fix for broadcast ping bug
    /usr/sbin/ndd -set /dev/ip ip_respond_to_echo_broadcast 0
    # Block directed broadcast packets
    /usr/sbin/ndd -set /dev/ip ip_forward_directed_broadcasts 0
    # Prevent spoofing
    /usr/sbin/ndd -set /dev/ip ip_strict_dst_multihoming 1
    /usr/sbin/ndd -set /dev/ip ip_ignore_redirect 1
    # No IP forwarding
    /usr/sbin/ndd -set /dev/ip ip_forwarding 0
    # Drop source routed packets
    /usr/sbin/ndd -set /dev/ip ip_forward_src_routed 0
    # Shorten ARP expiration to one minute to minimize ARP spoofing/hijacking
    # [Source: Titan adjust-arp-timers module]
    /usr/sbin/ndd -set /dev/ip ip_ire_flush_interval 60000
    /usr/sbin/ndd -set /dev/arp arp_cleanup_interval 60
- Deny services executed by inetd(3) the ability to create core files and enable logging for all TCP services by editing /etc/rc2.d/S72inetsvc:

    # Run inetd in "standalone" mode (-s flag) so that it doesn't have
    # to submit to the will of SAF. Why did we ever let them change inetd?
    ulimit -c 0
    /usr/sbin/inetd -s -t&
- Configure RFC 1948 TCP sequence number generation in /etc/default/inetinit:

    TCP_STRONG_ISS=2
- Comment out or remove all unnecessary services in the /etc/inet/inetd.conf file, including the following:

    shell      login      exec       comsat     talk
    uucp       tftp       finger     sysstat    netstat
    time       echo       discard    daytime    chargen
    rquotad    sprayd     walld      rexd       rpc.ttdbserverd
    ufsd       printer    dtspc      rpc.cmsd
- Create /etc/rc3.d/S79tmpfix so that upon boot the /tmp directory will always have the sticky bit set (mode 1777):

    #!/bin/sh
    #ident "@(#)tmpfix 1.0 95/09/14"
    if [ -d /tmp ]
    then
        /usr/bin/chmod 1777 /tmp
        /usr/bin/chgrp sys /tmp
        /usr/bin/chown sys /tmp
    fi

  [Source: Titan psfix module]
Access Controls
- Disable network root logins by enabling the “CONSOLE” line in /etc/default/login.
- Remove, lock, or comment out unnecessary accounts, including “sys”, “uucp”, “nuucp”, and “listen”. The cleanest way to shut them down is to put “NP” in the password field of the /etc/shadow file.
- Require authentication for remote commands by commenting out the following line in /etc/pam.conf:

    #rlogin auth sufficient /usr/lib/security/pam_rhosts_auth.so.1

  and changing the rsh line to read:

    rsh auth required /usr/lib/security/pam_unix.so.1

  [Source: Titan pam-rhosts module]
- Only add accounts for users who require access to the system. If using NIS, use the compat mode by editing the /etc/nsswitch.conf file:

    passwd: compat

  Add each user to the /etc/passwd file:

    +nis_user:x::::/home_dir:/bin/sh

  and to the /etc/shadow file:

    +nis_user::10626::::::
- Create an /etc/issue file to display the following warning banner:

    WARNING: To protect the system from unauthorized use and to ensure that
    the system is functioning properly, activities on this system are
    monitored and recorded and subject to audit. Use of this system is
    expressed consent to such monitoring and recording. Any unauthorized
    access or use of this Automated Information System is prohibited and
    could be subject to criminal and civil penalties.

  [Source: CIAC-2317 Windows NT Network Security: A Manager’s Guide]

  Add the banner to the /etc/motd file:

    cp /etc/motd /etc/motd.orig
    cat /etc/issue /etc/motd.orig > /etc/motd
- The Automated Security Enhancement Tool (ASET) checks the settings and contents of system files. Many of the setuid and setgid programs on Solaris are used only by root, or by the user or group to which they are set. Run aset at the highest security level and review the report files that are generated in /usr/aset/reports:

    /usr/aset/aset -l high
- Create a master list of the remaining setuid/setgid programs on your system and check that the list remains static over time:

    /bin/find / -type f \( -perm -4000 -o -perm -2000 \) \
        -exec ls -ldb {} \;
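The find command above produces the master list; checking that it "remains static over time" is the part that catches a newly planted or mis-packaged privileged binary. As an added example (not part of the checklist), the script below wraps the same find expression into a baseline-and-compare routine. The directory tree, file names and the temporary directory are constructed for the demonstration; on a real host the root would be / and the baseline would be kept somewhere the host cannot silently rewrite it.

```shell
#!/bin/sh
# Added example, not from the checklist: take a baseline of setuid/setgid
# files under a tree, then report drift against it. The tree below is
# constructed in a temporary directory; on a real host ROOT would be "/".

# suid_inventory ROOT
#   One line per setuid/setgid regular file: mode owner group path,
#   sorted by path so two inventories can be compared line by line.
suid_inventory() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ld {} \; |
        awk '{ print $1, $3, $4, $NF }' | sort -k 4
}

# suid_drift BASELINE ROOT
#   Prints "+ mode owner group path" for entries not in the baseline and
#   "- ..." for baseline entries no longer present. Returns 0 when the
#   inventory is unchanged, 1 otherwise.
suid_drift() {
    current=$(mktemp)
    suid_inventory "$2" > "$current"
    drift=$(diff "$1" "$current" | sed -n 's/^> /+ /p; s/^< /- /p')
    rm -f "$current"
    if [ -n "$drift" ]; then
        echo "$drift"
        return 1
    fi
    return 0
}

# make_demo_tree: constructed tree with one setuid, one setgid and one
# ordinary file; prints the temporary directory (the caller removes it).
make_demo_tree() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/usr/bin" "$tmp/sbin"
    : > "$tmp/usr/bin/su";   chmod 4755 "$tmp/usr/bin/su"     # setuid
    : > "$tmp/sbin/netstat"; chmod 2755 "$tmp/sbin/netstat"   # setgid
    : > "$tmp/usr/bin/ls";   chmod 0755 "$tmp/usr/bin/ls"     # neither
    echo "$tmp"
}

# Demonstration run: record a baseline, then add an unexpected setuid file
demo=$(make_demo_tree)
suid_inventory "$demo" > "$demo/baseline"
: > "$demo/usr/bin/unexpected"; chmod 4755 "$demo/usr/bin/unexpected"
suid_drift "$demo/baseline" "$demo" || echo "setuid/setgid inventory changed"
rm -rf "$demo"
```

Because the inventory records mode and ownership as well as the path, a binary that merely gains a setuid bit, or changes owner, shows up as a "-" line followed by a "+" line rather than going unnoticed; the non-zero return makes the check usable from the same nightly cron entry that rotates the audit logs.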
- Execution of the su(1M) command can be controlled by adding and configuring a wheel group such as that found on most BSD-derived systems:

    /usr/sbin/groupadd -g 13 wheel
    /usr/bin/chgrp wheel /usr/bin/su /sbin/static.su
    /usr/bin/chmod 4550 /usr/bin/su /sbin/static.su

  The GID for the wheel group does not need to be 13; any valid GID can be used. You will need to edit /etc/group to add users to the wheel group.
- Create an /etc/ftpusers file:

    cut -f1 -d: /etc/passwd > /etc/ftpusers
    chown root /etc/ftpusers
    chmod 600 /etc/ftpusers

  Remove any users that require ftp access from the /etc/ftpusers file.
- Set the default umask so that it does not include world access. Add “umask 027” to the following files:

    /etc/.login
    /etc/profile
    /etc/skel/local.cshrc
    /etc/skel/local.login
    /etc/skel/local.profile

  Enable the “UMASK” line in the /etc/default/login file and set the value to 027.
- The files in /etc/cron.d control which users can use the cron(1M) and at(1) facilities. Create an /etc/cron.d/cron.allow file:

    echo "root" > /etc/cron.d/cron.allow
    chown root /etc/cron.d/cron.allow
    chmod 600 /etc/cron.d/cron.allow

  Create an /etc/cron.d/at.allow file:

    cp -p /etc/cron.d/cron.allow /etc/cron.d/at.allow

  Create an /etc/cron.d/cron.deny file (grep -x keeps only the exact name "root" out of the list):

    cut -f1 -d: /etc/passwd | grep -vx root > /etc/cron.d/cron.deny
    chown root /etc/cron.d/cron.deny
    chmod 600 /etc/cron.d/cron.deny

  Create an /etc/cron.d/at.deny file:

    cp -p /etc/cron.d/cron.deny /etc/cron.d/at.deny
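The ftpusers step above and the cron.deny/at.deny steps here are the same operation: every login name in /etc/passwd except a short list of accounts that genuinely need the service, installed root-owned with mode 600. As an added example (not part of the checklist), the script below does that for any of those files from one function, so the allow-list is an explicit input rather than a manual edit afterwards. The passwd contents, the allow-lists and the temporary directory are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the checklist: derive a deny list (ftpusers,
# cron.deny, at.deny) from a passwd file, leaving out only the accounts
# that legitimately need the service, and install it root-owned, mode 600.
# The passwd content below is constructed.

# deny_list PASSWD ALLOWFILE
#   Prints every login name in PASSWD that is not listed (one per line) in
#   ALLOWFILE, sorted. An empty or missing ALLOWFILE denies everyone.
deny_list() {
    awk -F: -v allowfile="$2" '
        BEGIN { while ((getline name < allowfile) > 0) allow[name] = 1 }
        !($1 in allow) { print $1 }
    ' "$1" | sort
}

# install_deny FILE
#   Writes stdin to FILE with mode 600; chown to root only when run as root.
install_deny() {
    cat > "$1"
    chmod 600 "$1"
    if [ "$(id -u)" -eq 0 ]; then
        chown root "$1"
    fi
}

# make_demo_passwd: constructed passwd in a temporary directory; prints the dir.
make_demo_passwd() {
    tmp=$(mktemp -d)
    cat > "$tmp/passwd" <<'EOF'
root:x:0:1:Super-User:/:/sbin/sh
daemon:x:1:1::/:
sys:x:3:3::/:
alice:x:1001:10:Alice:/home/alice:/bin/sh
bob:x:1002:10:Bob:/home/bob:/bin/sh
EOF
    echo "$tmp"
}

# Demonstration: alice keeps ftp access, only root keeps cron access
demo=$(make_demo_passwd)
echo alice > "$demo/ftp.allow"
deny_list "$demo/passwd" "$demo/ftp.allow"  | install_deny "$demo/ftpusers"
echo root  > "$demo/cron.allow"
deny_list "$demo/passwd" "$demo/cron.allow" | install_deny "$demo/cron.deny"
echo "ftpusers:  $(tr '\n' ' ' < "$demo/ftpusers")"
echo "cron.deny: $(tr '\n' ' ' < "$demo/cron.deny")"
rm -rf "$demo"
```

Matching is on the whole login name, so an allow-list entry of "root" does not also exempt an account such as "rootadm"; on a real host the calls would be `deny_list /etc/passwd ftp.allow | install_deny /etc/ftpusers` and the same with cron.allow for /etc/cron.d/cron.deny and at.deny.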
- If CDE is installed, replace the default CDE “Welcome” greeting. If the /etc/dt/config/C directory does not exist, create the directory structure and copy the default configuration file:

    mkdir -p /etc/dt/config/C
    chmod -R a+rX /etc/dt/config
    cp -p /usr/dt/config/C/Xresources /etc/dt/config/C

  Add the following lines to /etc/dt/config/C/Xresources:

    Dtlogin*greeting.labelString:     %LocalHost%
    Dtlogin*greeting.persLabelString: login: %s
- If CDE is installed, disable XDMCP connection access by creating or replacing the /etc/dt/config/Xaccess file:

    #
    # Xaccess - disable all XDMCP connections
    #
    !*

  Set the permissions on /etc/dt/config/Xaccess to 444:

    chmod 444 /etc/dt/config/Xaccess
Time Synchronization
- Edit the /etc/inet/ntp.conf file:

    # @(#)ntp.client 1.2 96/11/06 SMI
    #
    # /etc/inet/ntp.client
    #
    # An example file that could be copied over to /etc/inet/ntp.conf; it
    # provides a configuration for a host that passively waits for a server
    # to provide NTP packets on the ntp multicast net.
    #
    # Public NTP Server list: http://www.eecis.udel.edu/~mills/ntp/clock1.htm
    #
    server clock.llnl.gov