{"id":5391,"date":"2015-11-13T10:38:21","date_gmt":"2015-11-13T02:38:21","guid":{"rendered":"http:\/\/rmohan.com\/?p=5391"},"modified":"2015-11-13T14:17:24","modified_gmt":"2015-11-13T06:17:24","slug":"solaris-security-tips","status":"publish","type":"post","link":"https:\/\/mohan.sg\/?p=5391","title":{"rendered":"Solaris Security Tips"},"content":{"rendered":"

Aditing<\/b><\/p>\n

    \n
  1. Enable the Basic Security Module (BSM):\n
    \n
    \n
    \/etc\/security\/bsmconv<\/pre>\n<\/dd>\n<\/dl>\n<\/li>\n
  2. Configure the classes of events to log in \/etc\/security\/audit_control:\n
    \n
    \n
    dir:\/var\/audit\r\nflags:lo,ad,pc,fc,fd,fm\r\nnaflags:lo,ad\r\n#\r\n#   lo - login\/logout events\r\n#   ad - administrative actions: mount, exportfs, etc.\r\n#   pc - process operations: fork, exec, exit, etc.\r\n#   fc - file creation\r\n#   fd - file deletion\r\n#   fm - change of object attributes: chown, flock, etc.\r\n#\r\n<\/pre>\n<\/dd>\n<\/dl>\n<\/li>\n
  3. Create \/etc\/security\/newauditlog.sh:\n
    \n
    \n
    #!\/sbin\/sh\r\n#\r\n# newauditlog.sh - Start a new audit file and expire the old logs\r\n#\r\nAUDIT_EXPIRE=30\r\nAUDIT_DIR=\"\/var\/audit\"\r\n\r\n\/usr\/sbin\/audit -n\r\n\r\ncd $AUDIT_DIR # in case it is a link\r\n\/usr\/bin\/find . $AUDIT_DIR -type f -mtime +$AUDIT_EXPIRE \\\r\n    -exec rm {} > \/dev\/null 2>&1 \\;\r\n<\/pre>\n<\/dd>\n<\/dl>\n<\/li>\n
  4. Run the script nightly from cron:\n
    \n
    \n
    \/usr\/bin\/crontab -e root\r\n0 0 * * * \/etc\/security\/newauditlog.sh\r\n<\/pre>\n<\/dd>\n<\/dl>\n<\/li>\n
  5. The audit files generated are not human readable. The praudit(1M) command can be used to convert audit data into several ASCII formats.<\/li>\n<\/ol>\n
     <\/p>\n
    Boot files<\/b><\/p>\n
      \n
    1. Disable all startup files for services that are not needed from \/etc\/rc2.d and \/etc\/rc3.d. Services may be disabled by changing the capital ‘S’ in the name of the script to a lowercase ‘s’. The following startup files should not<\/b> be disabled:\n
      \n
      \n
      S01MOUNTFSYS   S69inet        S72inetsvc     S74xntpd       S80PRESERVE\r\nS05RMTMPFILES  S71rpc         S74autofs      S75cron        S88utmpd\r\nS20sysetup     S71sysid.sys   S74syslog      S75savecore    S99audit\r\nS30sysid.net\r\n<\/pre>\n<\/dd>\n<\/dl>\n<\/li>\n
    2. In order to ensure that all of the startup scripts run with the proper umask, execute the following script:\n
      \n
      \n
      umask 022  # make sure umask.sh gets created with the proper mode\r\necho \"umask 022\" > \/etc\/init.d\/umask.sh\r\nfor d in \/etc\/rc?.d\r\ndo\r\n   ln \/etc\/init.d\/umask.sh $d\/S00umask.sh\r\ndone\r\n<\/pre>\n<\/dd>\n<\/dl>\n<\/li>\n
    3. In order to log as much information as possible, add the following lines to your \/etc\/syslog.conf:\n
      \n
      \n
      mail.debug              \/var\/log\/syslog\r\n*.info;mail.none        \/var\/adm\/messages\r\n<\/pre>\n<\/dd>\n<\/dl>\n
      Note: Tabs must<\/b> be used to separate the fields.<\/p>\n
      This will log mail entries to \/var\/log\/syslog and everything else to \/var\/adm\/messages.<\/li>\n
    4. Log failed login attempts by creating the \/var\/adm\/loginlog file:\n
      \n
      \n
      touch \/var\/adm\/loginlog\r\nchown root \/var\/adm\/loginlog\r\nchgrp sys \/var\/adm\/loginlog\r\n<\/pre>\n<\/dd>\n<\/dl>\n<\/li>\n
    5. Set the permissions on the log files as follows:\n
      \n
      \n
      chmod 600 \/var\/adm\/messages \/var\/log\/syslog \/var\/adm\/loginlog\r\n<\/pre>\n<\/dd>\n<\/dl>\n<\/li>\n
    6. Enable hardware protection for buffer overflow exploits in \/etc\/system (sun4u, sun4d, and sun4m systems only).\n
      \n
      \n
      * Foil certain classes of bug exploits\r\nset noexec_user_stack = 1\r\n\r\n* Log attempted exploits\r\nset noexec_user_stack_log = 1\r\n<\/pre>\n<\/dd>\n<\/dl>\n
      Network Services<\/b><\/p>\n
        \n
      1. Create \/etc\/init.d\/nddconfig and create a link to \/etc\/rc2.d\/S70nddconfig.\n
        \n
        \n
        touch \/etc\/init.d\/nddconfig\r\nln \/etc\/init.d\/nddconfig \/etc\/rc2.d\/S70nddconfig\r\n<\/pre>\n<\/dd>\n<\/dl>\n
        Add the following lines to the \/etc\/init.d\/nddconfig file:<\/p>\n
        \n
        \n
        #!\/bin\/sh\r\n#\r\n# \/etc\/init.d\/nddconfig\r\n#\r\n\r\n# Fix for broadcast ping bug\r\n\/usr\/sbin\/ndd -set \/dev\/ip ip_respond_to_echo_broadcast 0\r\n\r\n# Block directed broadcast packets\r\n\/usr\/sbin\/ndd -set \/dev\/ip ip_forward_directed_broadcasts 0\r\n\r\n# Prevent spoofing\r\n\/usr\/sbin\/ndd -set \/dev\/ip ip_strict_dst_multihoming 1\r\n\/usr\/sbin\/ndd -set \/dev\/ip ip_ignore_redirect 1\r\n\r\n# No IP forwarding\r\n\/usr\/sbin\/ndd -set \/dev\/ip ip_forwarding 0\r\n\r\n# Drop source routed packets\r\n\/usr\/sbin\/ndd -set \/dev\/ip ip_forward_src_routed 0\r\n \r\n# Shorten ARP expiration to one minute to minimize ARP spoofing\/hijacking\r\n# [Source: Titan adjust-arp-timers module]\r\n\/usr\/sbin\/ndd -set \/dev\/ip ip_ire_flush_interval 60000    \r\n\/usr\/sbin\/ndd -set \/dev\/arp arp_cleanup_interval 60               \r\n<\/pre>\n<\/dd>\n<\/dl>\n<\/li>\n
      2. Deny services executed by inetd(3) the ability to create core files and enable logging for all TCP services by editing the \/etc\/rc2.d\/S72inetsvc:\n
        \n
        \n
        # Run inetd in \"standalone\" mode (-s flag) so that it doesn't have\r\n# to submit to the will of SAF.  Why did we ever let them change inetd?\r\n\r\nulimit -c 0\r\n\/usr\/sbin\/inetd -s -t&     \r\n<\/pre>\n<\/dd>\n<\/dl>\n<\/li>\n
      3. Configure RFC 1948 TCP sequence number generation in \/etc\/default\/inetinit:\n
        \n
        \n
        TCP_STRONG_ISS=2\r\n<\/pre>\n<\/dd>\n<\/dl>\n<\/li>\n
      4. Comment out or remove all unnecessary services in the \/etc\/inet\/inetd.conf file including the following:\n
        \n
        \n
        shell\t\tlogin\t\texec\r\ncomsat\t\ttalk\t\tuucp\r\ntftp\t\tfinger\t\tsysstat\r\nnetstat\t\ttime\t\techo\r\ndiscard\t\tdaytime\t\tchargen\r\nrquotad\t\tsprayd\t\twalld\r\nrexd\t\trpc.ttdbserverd\r\nufsd\t\tprinter\t\tdtspc\r\nrpc.cmsd\r\n<\/pre>\n<\/dd>\n<\/dl>\n<\/li>\n
      5. Create \/etc\/rc3.d\/S79tmpfix so that upon boot the \/tmp directory will always have the sticky bit set mode 1777.\n
        \n
        \n
        #!\/bin\/sh\r\n#ident  \"@(#)tmpfix 1.0    95\/09\/14\"\r\n\r\nif [ -d \/tmp ]\r\nthen\r\n\/usr\/bin\/chmod 1777 \/tmp\r\n\/usr\/bin\/chgrp sys \/tmp\r\n\/usr\/bin\/chown sys \/tmp\r\nfi\r\n<\/pre>\n<\/dd>\n<\/dl>\n
        [Source: Titan psfix module]<\/li>\n<\/ol>\n
        Access Controls<\/b><\/p>\n
          \n
        1. Disable network root logins by enabling the “CONSOLE” line in \/etc\/default\/login.<\/li>\n
        2. Remove, lock, or comment out unnecessary accounts, including “sys”, “uucp”, “nuucp”, and “listen”. The cleanest way to shut them down is to put “NP” in the password field of the \/etc\/shadow file.<\/li>\n
        3. Require authentication for remote commands by commenting out the following line in \/etc\/pam.conf:\n
          \n
          \n
          #rlogin  auth sufficient \/usr\/lib\/security\/pam_rhosts_auth.so.1\r\n<\/pre>\n<\/dd>\n<\/dl>\n
          and changing the rsh line to read:<\/p>\n
          \n
          \n
          rsh auth required   \/usr\/lib\/security\/pam_unix.so.1\r\n<\/pre>\n<\/dd>\n<\/dl>\n
          [Source: Titan pam-rhosts module]<\/li>\n
        4. Only add accounts for users who require access to the system. If using NIS, use the compat mode by editing the \/etc\/nsswitch.conf file:\n
          \n
          \n
                     passwd: compat \r\n<\/pre>\n<\/dd>\n<\/dl>\n
          Add each user to the \/etc\/passwd file<\/p>\n
          \n
          \n
          +nis_user:x::::\/home_dir:\/bin\/sh\r\n<\/pre>\n<\/dd>\n<\/dl>\n
          and the \/etc\/shadow file<\/p>\n
          \n
          \n
          +nis_user::10626::::::\r\n<\/pre>\n<\/dd>\n<\/dl>\n<\/li>\n
        5. Create an \/etc\/issue file to display the following warning banner:\n
          \n
          \n
          WARNING: To protect the system from unauthorized use and to ensure that the\r\nsystem is functioning properly, activities on this system are monitored and\r\nrecorded and subject to audit. Use of this system is expressed consent to such\r\nmonitoring and recording. Any unauthorized access or use of this Automated\r\nInformation System is prohibited and could be subject to criminal and civil\r\npenalties.\r\n<\/pre>\n<\/dd>\n
          Source: CIAC-2317 Windows NT Network Security: A Manager’s Guide<\/a><\/dd>\n<\/dl>\n
          Add the banner to the \/etc\/motd file:<\/p>\n
          \n
          \n
          cp \/etc\/motd \/etc\/motd.orig\r\ncat \/etc\/issue \/etc\/motd.orig > \/etc\/motd\r\n<\/pre>\n<\/dd>\n<\/dl>\n<\/li>\n
        6. The Automated Security Enhancement Tool (ASET) checks the settings and contents of system files. Many of the setuid and setgid programs on Solaris are used only by root, or by the user or group-id to which they are set.Run aset using the highest security level and review the report files that are generated in\/usr\/aset\/reports<\/tt>.\n
          \n
          \n
          \/usr\/aset\/aset -l high\r\n<\/pre>\n<\/dd>\n<\/dl>\n<\/li>\n
        7. Create a master list of the remaining setuid\/setgid programs on your system and check that the list remains static over time.\n
          \n
          \n
          \/bin\/find \/ -type f \\( -perm -4000 -o -perm -2000 \\) \\\r\n            -exec ls -ldb {} \\;\r\n<\/pre>\n<\/dd>\n<\/dl>\n<\/li>\n
        8. Execution of the su(1M) command can be controlled by adding and configuring a wheel group such as that found on most BSD derived systems.\n
          \n
          \n
          \/usr\/sbin\/groupadd -g 13 wheel\r\n\/usr\/bin\/chgrp wheel \/usr\/bin\/su \/sbin\/static.su\r\n\/usr\/bin\/chmod 4550 \/usr\/bin\/su \/sbin\/static.su\r\n<\/pre>\n<\/dd>\n<\/dl>\n
          The GID for the wheel group does not need to be 13, any valid GID can be used. You will need to edit \/etc\/group to add users to the wheel group.<\/li>\n
        9. Create an \/etc\/ftpusers file:\n
          \n
          \n
          cat \/etc\/passwd | cut -f1 -d: > \/etc\/ftpusers\r\nchown root \/etc\/ftpusers\r\nchmod 600 \/etc\/ftpusers\r\n<\/pre>\n<\/dd>\n<\/dl>\n
          Remove any users that require ftp access from the \/etc\/ftpusers file.<\/li>\n
        10. Set the default umask so that it does not include world access. Add “umask 027” to the following files:\n
          \n
          \n
          \/etc\/.login              \/etc\/profile\r\n\/etc\/skel\/local.cshrc    \/etc\/skel\/local.login\r\n\/etc\/skel\/local.profile \r\n<\/pre>\n<\/dd>\n<\/dl>\n
          Enable the “UMASK” line in the \/etc\/default\/login file and set the value to 027<\/li>\n
        11. The files in \/etc\/cron.d control which users can use the cron(1M) and at(1) facilities.\n
          \n
          Create an \/etc\/cron.d\/cron.allow file:<\/p>\n
          \n
          \n
          echo \"root\" > \/etc\/cron.d\/cron.allow\r\nchown root \/etc\/cron.d\/cron.allow\r\nchmod 600 \/etc\/cron.d\/cron.allow\r\n<\/pre>\n<\/dd>\n<\/dl>\n
          Create an \/etc\/cron.d\/at.allow file:<\/p>\n
          \n
          \n
          cp -p \/etc\/cron.d\/cron.allow \/etc\/cron.d\/at.allow\r\n<\/pre>\n<\/dd>\n<\/dl>\n
          Create an \/etc\/cron.d\/cron.deny file:<\/p>\n
          \n
          \n
          cat \/etc\/passwd | cut -f1 -d: | grep -v root > \/etc\/cron.d\/cron.deny\r\nchown root \/etc\/cron.d\/cron.deny\r\nchmod 600 \/etc\/cron.d\/cron.deny\r\n<\/pre>\n<\/dd>\n<\/dl>\n
          Create an \/etc\/cron.d\/at.deny file:<\/p>\n
          \n
          \n
          cp -p \/etc\/cron.d\/cron.deny \/etc\/cron.d\/at.deny\r\n<\/pre>\n<\/dd>\n<\/dl>\n<\/dd>\n<\/dl>\n<\/li>\n
        12. If CDE is installed, replace the default CDE “Welcome” greeting. If the \/etc\/dt\/config\/C directory does not exist, create the directory structure and copy the default configuration file:\n
          \n
          \n
          mkdir -p \/etc\/dt\/config\/C\r\nchmod -R a+rX \/etc\/dt\/config\r\ncp -p \/usr\/dt\/config\/C\/Xresources \/etc\/dt\/config\/C\r\n<\/pre>\n<\/dd>\n<\/dl>\n
          Add the following lines to \/etc\/dt\/config\/C\/Xresources:<\/p>\n
          \n
          \n
          Dtlogin*greeting.labelString:       %LocalHost%\r\nDtlogin*greeting.persLabelString:   login: %s\r\n<\/pre>\n<\/dd>\n<\/dl>\n<\/li>\n
        13. If CDE is installed, disable XDMCP connection access by creating or replacing the \/etc\/dt\/config\/Xaccess file:\n
          \n
          \n
          #\r\n# Xaccess - disable all XDMCP connections\r\n#\r\n!*\r\n<\/pre>\n<\/dd>\n<\/dl>\n
          Set the permissions on \/etc\/dt\/config\/Xaccess to 444:<\/p>\n
          \n
          \n
          chmod 444 \/etc\/dt\/config\/Xaccess\r\n<\/pre>\n<\/dd>\n<\/dl>\n<\/li>\n<\/ol>\n
          Time Synchronization<\/b><\/p>\n
          \n
          Edit the \/etc\/inet\/ntp.conf file:<\/p>\n
          \n
          \n
          # @(#)ntp.client        1.2     96\/11\/06 SMI\r\n#\r\n# \/etc\/inet\/ntp.client\r\n#\r\n# An example file that could be copied over to \/etc\/inet\/ntp.conf; it\r\n# provides a configuration for a host that passively waits for a server\r\n# to provide NTP packets on the ntp multicast net.\r\n#\r\n# Public NTP Server list: http:\/\/www.eecis.udel.edu\/~mills\/ntp\/clock1.htm\r\n#\r\nserver clock.llnl.gov\r\n<\/pre>\n<\/dd>\n<\/dl>\n<\/dd>\n<\/dl>\n<\/li>\n<\/ol>\n
           <\/p>\n","protected":false},"excerpt":{"rendered":"
          Aditing<\/p>\n
           Enable the Basic Security Module (BSM): \/etc\/security\/bsmconv Configure the classes of events to log in \/etc\/security\/audit_control: dir:\/var\/audit flags:lo,ad,pc,fc,fd,fm naflags:lo,ad # # lo – login\/logout events # ad – administrative actions: mount, exportfs, etc. # pc – process operations: fork, exec, exit, etc. # fc – file creation # fd – file deletion # fm […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[39],"tags":[],"_links":{"self":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/5391"}],"collection":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5391"}],"version-history":[{"count":2,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/5391\/revisions"}],"predecessor-version":[{"id":5393,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/5391\/revisions\/5393"}],"wp:attachment":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5391"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5391"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5391"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}