
Nortel Networks
Portfolio Integration

Solaris 8 and 9 Operating System


Hardening Guideline Document

Issue 1.0

Issue Date December, 2003

Author Nortel Networks


Nortel Networks Solaris 8 and 9 Operating System Hardening Guide

Please Note
THIS DOCUMENT IS FOR INFORMATIONAL PURPOSES ONLY AND DOES NOT CONSTITUTE
ADVICE. ANY RELIANCE UPON THIS DOCUMENT SHALL BE AT YOUR OWN RISK. THE
INFORMATION CONTAINED HEREIN IS PROVIDED “AS IS” WITHOUT ANY WARRANTIES OF
ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED
WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-
INFRINGEMENT. IN NO EVENT SHALL NORTEL NETWORKS, ITS AGENTS OR SUPPLIERS BE
LIABLE FOR ANY DIRECT, INDIRECT, SPECIAL, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL
DAMAGES (INCLUDING LOST PROFITS OR SAVINGS), WHETHER IN CONTRACT, TORT OR
OTHERWISE (INCLUDING NEGLIGENCE) FROM USE OF OR RELIANCE UPON THE INFORMATION
CONTAINED HEREIN, EVEN IF NORTEL NETWORKS, ITS AGENTS OR SUPPLIERS HAVE BEEN
ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

© Copyright Nortel Networks 2003 This document is the property of Nortel Networks who own the
copyright therein. The information in this document is given in confidence and without the written
consent of Nortel Networks given by contract or otherwise the document must not be copied reprinted
or reproduced in any material form either wholly or in part nor must the contents of the document or
any method or technique available there from be disclosed to any third party.

Page 2 of 56

Summary
This document provides background information and detailed steps that should be taken in
order to harden the Solaris 8 and Solaris 9 operating systems against common network
security attacks. Please note however that operating system hardening procedures cannot be
followed blindly. Operating system hardening involves, among other things, turning off all
services that are not required for particular application. For this reason, each operating
system hardening instance must be customized and this document should only be considered
as a general guideline to follow during this customization.


1. Purpose of OS Hardening ................................................................................................... 5


2. Solaris 8 and 9 Hardening Procedures ............................................................................... 6
Step 0: Installing the Solaris Base Security Module (BSM)............................................ 6
Step 1: Removing Unnecessary Services and Users......................................................... 8
Step 2: Setting Up Time Synchronization using NTP ................................................... 32
Step 3: Configuring Additional Logging ........................................................................ 33
Step 4: Fixing File Permissions........................................................................................ 34
Step 5: Other Miscellaneous Actions............................................................................... 35
Step 6: Enhance Solaris Network Security..................................................................... 38
Step 7: File System Lockdown ......................................................................................... 42
Step 8: Vulnerability Testing and Patching ................................................................... 43
Appendix A: Replacement /etc/init.d/inetsvc script .............................................................. 44
Appendix B: Sample newsyslog script................................................................................... 45
Appendix C: Minimal sendmail configuration file............................................................... 46
Appendix D: Sample /etc/issue and /etc/motd file................................................................. 47
Appendix E: TCP Wrapper generic configuration file......................................................... 48
Appendix F: Security Script .................................................................................................. 49
Appendix G: References ........................................................................................................ 55


1. Purpose of OS Hardening
Computers and network elements connected to networks are vulnerable to attacks. The following is a
list of commonly known types of attacks:

1. Viruses, worms, backdoors and trojans
2. Wire tapping and sniffing
3. Password cracking
4. Exploits of known vulnerabilities such as software buffer overflows
5. Denial of service (DoS)

Some of these attacks are based on well-publicized techniques, with scripts and other tools available
to make it possible for less knowledgeable crackers to apply exploits against systems. Once a system
has been compromised, an intruder can do a number of things, including the following:

1. Modify or destroy information
2. Disclose sensitive information
3. Install malicious code to gather information
4. Use the compromised server to attack other systems

Our goal is to provide reference guidelines that you can use to improve the resistance of your
Solaris-based systems to attacks. We present what we believe to be sound practices. But we
must point out that no system is absolutely secure and that continued vigilance is still required even
after your system has been hardened. It is highly recommended that you monitor early warning
forums such as http://www.cert.org to obtain the newest vulnerability reports and stay on your
vendor's bug-fix mailing list to get the latest security patches and bug fixes for the Solaris operating
system you use.

The hardening procedure is verified on Solaris 8 and 9 Operating Environment for the Sparc platform
and may be adapted for other Solaris based systems.

We assume that you have working knowledge of Solaris or general UNIX system administration and
that the system installation and hardening will be performed in an isolated or safe network
environment.


2. Solaris 8 and 9 Hardening Procedures


Step 0: Installing the Solaris Base Security Module (BSM)

The Base Security Module is a loadable kernel module which, operating at the kernel level, intercepts and
logs system calls on the basis of an audit policy. It has a C2 security rating as defined in the Trusted
Computer System Evaluation Criteria (TCSEC), commonly known as the Orange Book. Turning on
BSM is usually considered the first step in hardening a Solaris operating system.

Please note that BSM introduces a 5-10% performance overhead, that it can only log to the local disk,
and that it may require a large amount of storage space depending on the audit policy.

Execute the following commands to install BSM:

Login: root
Password: rootpassword
/etc/telinit 1

The system will then go into single-user mode. Enter the root password again for system
maintenance. Then execute the following command:

/etc/security/bsmconv

(/etc/security/bsmunconv is the command to turn BSM off again.)

Enter the letter y to continue with the BSM conversion. Then execute one of the following commands to
restart the system and enable BSM:

/etc/telinit 6
or
/usr/sbin/shutdown -y -g0 -i6

You may want to make use of the sample script in Appendix F to automate this step if you need to
enable BSM on multiple systems. However, the script was developed on a test system and therefore
you should modify it to suit your specific environment.

It is recommended that BSM be enabled by default and that detailed documentation be provided to
the customers on at least the following:
1. the auditing options and what they mean
2. step-by-step configuration guide
3. how to turn it on and off
4. how to process the log

Timely processing of the log is very important. Unprocessed logs will not only defeat the purpose of
logging but also consume disk space to the point where the server stops working, which is equivalent
to a self-inflicted Denial of Service (DoS) attack.

You can configure BSM to either #1 stop the server when the auditing partitions are full or #2 drop
auditing events and continue running the server. The default configuration is #2. Whether you choose
#1 or #2, you need to document that for the customers and make them aware of the implication, i.e.,
when the partition is full:

#1 = DoS
#2 = no auditing

The default configuration is defined by the bsmconv script that is run to enable BSM on a system.
When run, the bsmconv script creates the /etc/security/audit_startup script. This script contains the
following:

#!/bin/sh
auditconfig -conf
auditconfig -setpolicy none
auditconfig -setpolicy +cnt

By specifying setpolicy +cnt, the audit_startup script created by bsmconv forces the auditing
subsystem to drop auditable events while keeping a count of the total number of events dropped.
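As an added example that is not part of this guide, the following POSIX shell function reads an audit_startup-style script and reports which of the two full-partition behaviours described above it selects: "block" when no cnt flag is in force (processes stall when the audit trail cannot be written, the #1 DoS case) or "drop" when +cnt is set (#2, events are dropped and counted). It applies the same override order the commands would have when the script runs and understands comma-separated flag lists. The function names and the sample audit_startup contents are our own; on a real host point it at /etc/security/audit_startup.

```shell
#!/bin/sh
# Added example (not from the Nortel guide): report which full-audit-partition behaviour an
# audit_startup script selects. Without the cnt policy the kernel blocks processes when the
# audit trail cannot be written (the "#1 = DoS" case); with +cnt it drops events and counts
# them (the "#2 = no auditing" case). Only "auditconfig -setpolicy" lines are inspected and
# later lines override earlier ones, exactly as the commands would when the script runs.

# audit_full_behaviour FILE  -> prints "block" or "drop"
audit_full_behaviour() {
    mode="block"                      # the result when no policy line mentions cnt
    while read -r cmd opt arg _rest; do
        case "$cmd" in ''|\#*) continue ;; esac       # blank lines and comments
        [ "$cmd" = "auditconfig" ] && [ "$opt" = "-setpolicy" ] || continue
        old_ifs=$IFS; IFS=,                           # flags may be comma-separated: +cnt,+argv
        for flag in $arg; do
            case "$flag" in
                none|-cnt) mode="block" ;;            # "none" clears every flag, -cnt clears cnt
                +cnt|cnt)  mode="drop"  ;;
            esac
        done
        IFS=$old_ifs
    done < "$1"
    echo "$mode"
}

# write_sample_audit_startup FILE VARIANT  -> writes a constructed audit_startup script
# VARIANT "default" mirrors what bsmconv generates; "strict" has no cnt flag at all.
write_sample_audit_startup() {
    if [ "$2" = "default" ]; then
        printf '%s\n' '#!/bin/sh' 'auditconfig -conf' \
            'auditconfig -setpolicy none' 'auditconfig -setpolicy +cnt' > "$1"
    else
        printf '%s\n' '#!/bin/sh' 'auditconfig -conf' \
            'auditconfig -setpolicy none' 'auditconfig -setpolicy +argv' > "$1"
    fi
}

# Demonstration on constructed files; point audit_full_behaviour at
# /etc/security/audit_startup on a real host instead.
sample=$(mktemp)
write_sample_audit_startup "$sample" default
echo "bsmconv default: $(audit_full_behaviour "$sample")"   # drop
write_sample_audit_startup "$sample" strict
echo "no cnt flag:     $(audit_full_behaviour "$sample")"   # block
rm -f "$sample"
```

Running the function over every host's audit_startup gives the inventory the text asks you to document for customers: each host is either in the DoS-on-full or the no-auditing-on-full camp, and a later "-setpolicy -cnt" line is correctly seen to undo an earlier "+cnt".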

For more information on the various configuration options, please refer to the Sun Blueprint document
entitled “Auditing in the Solaris 8 Operating Environment” at the following URL:
http://www.sun.com/solutions/blueprints/0201/audit_config.pdf


Step 1: Removing Unnecessary Services and Users

Many unnecessary services are installed by default when setting up a Solaris server. The next step to
harden the operating system is to remove them from the startup files. Like Linux and many other Unix
variants, Solaris takes advantage of the /etc/rc?.d directory structure, where ? denotes the available
run levels. At each run level init uses a driver script to run other scripts found in the run level
directories. The available run levels with startup or shutdown scripts in Solaris are S, 0, 1, 2, and 3.

There are many unused services which are started by the init process. These services are usually run
as root and a number of them have potential security loopholes which can be exploited. The rule of
thumb is that if the service is not needed, then do not start it. The simplest approach to disable a
group of services manually is to use the following scripting commands in a terminal console:

# change to the directory where you want to disable services
cd /etc/rc2.d
# list filenames. Use wildcards to save typing
for file in *sysid* *auto* *nscd *power *dtlogin
do
    mv "$file" ".NO$file"
done
# it's recommended to use a shorter list to avoid errors
for file in *dmi *snmpdx *nfs* *cache* *rpc *route
do
    mv "$file" ".NO$file"
done
#
for file in *PRESERVE *sendmail *spc *lp*
do
    mv "$file" ".NO$file"
done

This will rename the files starting with S to .NOfilename, which will then not be automatically started
upon system reboot. For example,

S30sysid.net → .NOS30sysid.net

A more radical approach would be to delete them completely. It is recommended that the files be
renamed first and be removed after thorough tests have been done to make sure the system works
as expected. This step could also be accomplished via the script in Appendix F.
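The renaming loops above fail in small ways that matter on a production box: a wildcard that matches nothing is passed to mv as a literal name, K (kill) scripts in the same directory can be caught by a broad pattern, and nothing records what was moved. The following POSIX shell functions, added here as an example and not taken from this guide or from Sun, do the same .NO renaming with those cases handled and add the matching restore step for the "rename first, delete after testing" approach the text recommends. The function names are ours and the demonstration directory is constructed; on a real system pass /etc/rc2.d (or rc3.d, rcS.d) and the quoted wildcard lists from the text.

```shell
#!/bin/sh
# Added example (not from the Nortel guide): disable init start scripts by renaming them to
# the ".NO" prefix used in the text, and put them back, without the failure modes of the bare
# "mv $file .NO$file" loop: a pattern that matches no file is skipped instead of making mv
# fail, only S (start) scripts are touched so K (kill) scripts stay intact, a script that is
# already parked under .NO is left alone, and every rename is printed so the change can be
# recorded and reversed. The directory argument stands in for /etc/rc2.d, rc3.d or rcS.d.

# disable_rc_scripts DIR PATTERN...  -> renames S??PATTERN to .NOS??PATTERN, prints each name
disable_rc_scripts() {
    dir="$1"; shift
    for pat in "$@"; do
        for f in "$dir"/S[0-9][0-9]$pat; do
            [ -e "$f" ] || continue            # unmatched glob stays literal: skip it
            name=${f##*/}
            mv "$f" "$dir/.NO$name" && echo "$name"
        done
    done
}

# restore_rc_scripts DIR PATTERN...  -> reverses disable_rc_scripts for matching names
restore_rc_scripts() {
    dir="$1"; shift
    for pat in "$@"; do
        for f in "$dir"/.NOS[0-9][0-9]$pat; do
            [ -e "$f" ] || continue
            name=${f##*/}; name=${name#.NO}
            mv "$f" "$dir/$name" && echo "$name"
        done
    done
}

# list_disabled_rc_scripts DIR  -> prints the scripts currently parked under the .NO prefix
list_disabled_rc_scripts() {
    for f in "$1"/.NOS[0-9][0-9]*; do
        [ -e "$f" ] || continue
        name=${f##*/}; echo "${name#.NO}"
    done
}

# Demonstration on a constructed directory with empty stand-in scripts; on a real host pass
# /etc/rc2.d and the same wildcard lists the text uses, quoted so the shell does not expand
# them in your current directory.
demo=$(mktemp -d)
touch "$demo/S30sysid.net" "$demo/S71sysid.sys" "$demo/S76nscd" "$demo/K07dtlogin"
echo "disabled:"; disable_rc_scripts "$demo" '*sysid*' '*nscd' '*notinstalled'
echo "parked:";   list_disabled_rc_scripts "$demo"
echo "restored:"; restore_rc_scripts "$demo" '*sysid*'
rm -rf "$demo"
```

Because the S[0-9][0-9] prefix is part of the glob, a pattern such as '*dmi' in /etc/rc2.d no longer renames the K07dmi kill script alongside S77dmi, and running the disable step twice is harmless; keep the printed names with the change record so the restore call can be given exactly the same patterns.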

The following sections outline the removal of the candidate services in detail. Additional technical
information about these services can be found online at Solaris 8 System Administrator Collection.

Unnecessary System Services Started by init Process


Disable PCMCIA
PCMCIA stands for Personal Computer Memory Card International Association. This standard memory
card interface is most commonly used in notebook-type computers. If your product does not take
advantage of the PCMCIA hardware configuration then this support should be disabled.

In order to disable PCMCIA in Solaris 8, the following file is renamed:

/etc/rcS.d/S10initpcmcia


Disable CacheFS
CacheFS is commonly used to support diskless clients (root file system is cachefs instead of ufs) and
provides better performance by caching the NFS. cachefs can be safely disabled because all OAM server
hardware configurations have their own disks, ufs is almost always the default file system, and NFS should
never be part of normal OAM operation. The rule of the thumb is that if the network service is not required, it
should be disabled. Please note that NFS does not need cachefs; cachefs provides better NFS
performance according to Sun.

This is part one of four script files that need to be renamed in order to fully disable CacheFS; for clarity,
they are each listed in different subsections of this document. The following scripts should be
disabled in the following order to properly disable cachefs:

/etc/rcS.d/S35cacheos.sh ←
/etc/rcS.d/S41cachefs.root
/etc/rc2.d/S73cachefs.daemon
/etc/rc2.d/S93cacheos.finish

An entry in /etc/inet/inetd.conf, which is controlled by the RPC daemon, also has to be
commented out. It is discussed later in this section.

/etc/inet/inetd.conf

Disable CacheFS for Root Partition


This is a continuation of the CacheFS disabling procedure described above.

This is part two of four script files that need to be renamed in order to fully disable CacheFS; for clarity,
they are each listed in different subsections of this document:

/etc/rcS.d/S35cacheos.sh
/etc/rcS.d/S41cachefs.root ←
/etc/rc2.d/S73cachefs.daemon
/etc/rc2.d/S93cacheos.finish

An entry in /etc/inet/inetd.conf, which is controlled by the RPC daemon, also has to be
commented out. It is discussed later in this section.

/etc/inet/inetd.conf

Disable Solaris Network Cache and Accelerator (NCA)


The NCA is a kernel module designed to provide improved web server performance. The kernel module,
ncakmod, services HTTP requests. To improve the performance of servicing HTTP requests, the NCA
kernel module maintains an in-kernel cache of web pages. If the NCA kernel module cannot service the
request itself, it passes the request to the http daemon (httpd) by means of a private interface. The
logging facility, ncalogd logs all requests.

The NCA cache consistency is maintained by honoring HTTP headers dealing with a given content type
and expiration date, much the same way as a proxy cache.

For detail configuration information, please see the Solaris 8 System Administration Guide, Volume 3.


The NCA is intended to be run on a dedicated web server. Running other large processes while running
NCA may cause undesirable behavior. This is a new feature in Solaris 8 and is available in Solaris 9. Sun
recommends that this service be disabled.

This is part one of three script files that need to be renamed in order to fully disable NCA; for clarity,
they are each listed in different subsections of this document:

/etc/rcS.d/S42ncakmod ←
/etc/rc2.d/S94ncalogd
/etc/rc2.d/S95ncad

Disable System Activity Data Gathering


By default, this script is commented out by the OS installation and Sun recommends that it be disabled.

In order to disable system activity data gathering, the following script file should be renamed to prevent
access:

/etc/rc2.d/S21perf

Disable Class 2 Logical Link Control driver (LLC2)


The LLC2 driver interfaces network software (NetBIOS, SNA, OSI, etc.) running under Solaris to a physical
LAN network controlled by one of the supported communications adapters. The LLC2 driver, which appears
as a STREAMS driver to the network software, resides in the kernel and is accessed by standard UNIX
STREAMS functions.

This is a new function for Solaris 8 and is available in Solaris 9 as well. It should be disabled if this network
interface is not needed in the OAM network.

In order to disable the LLC2 driver, the following script file should be renamed to prevent access:

/etc/rc2.d/S40llc2

Disable Async PPP Server


Unless PPP dial-up is used, which appears not to be the case, this service should be disabled as
recommended by Sun.

In order to disable PPP, the following script file should be renamed to prevent access:

/etc/rc2.d/S47asppp
/etc/rc2.d/S47pppd

Disable Unix to Unix Copy Daemon (UUCP)


Unless UUCP is used, which appears not to be the case, the UUCP should be disabled. This is not a
common service for a server. Sun recommends that it be disabled.

Renaming the following script file will disable UUCP:

/etc/rc2.d/S70uucp


Disable Sun Stock LDAP Client


Sun recommends that this stock version be disabled. Renaming the following script file will disable Sun
Stock LDAP Client:

/etc/rc2.d/S71ldap.client

Disable Auto-Installation Service


This service is only used if the /etc/.UNCONFIGURED or /AUTOINSTALL files are created so the system
can be re-installed. After initial installation and configuration, there is generally little reason for this service to
remain available. Sun recommends that it be disabled.

Renaming the following script file will disable the auto-installation service:

/etc/rc2.d/S72autoinstall

Disable Sun Stock Service Location Protocol Daemon


Sun recommends that this stock version be disabled. The following script file is renamed to disable the Sun
Stock Service Location Protocol Daemon:

/etc/rc2.d/S72slpd

Disable CacheFS Daemon


This is a continuation of the CacheFS disabling procedure described earlier.

This is part three of four script files that need to be renamed in order to fully disable CacheFS; for clarity,
they are each listed in different subsections of this document:

/etc/rcS.d/S35cacheos.sh
/etc/rcS.d/S41cachefs.root
/etc/rc2.d/S73cachefs.daemon ←
/etc/rc2.d/S93cacheos.finish

An entry in /etc/inet/inetd.conf, which is controlled by the RPC daemon, also has to be
commented out. It is discussed later in this section.

/etc/inet/inetd.conf

Disable NFS Client Service


The Solaris boot sequence assumes that some of your file system will use an NFS file server. Therefore,
optional services are started in the assumption that some users will need them if they use an NFS file
server.

There's a collection of historically dangerous RPC services started at boot time from the script
"S73nfs.client" found in /etc/rc2.d. This includes the statd and lockd daemons mentioned in the
SANS Top Ten Security Threats 2002. NFS client systems need statd and lockd to do file locks on
NFS file systems -- the client has to tell the server to hold a lock so that other clients can honor it.


Over the years there have been many security compromises associated with the RPC services required for NFS
-- Sun recommends that these services be disabled for security reasons.

The following script file should be renamed to disable the NFS client service:

/etc/rc2.d/S73nfs.client

Disable NFS Auto-Mount


The automount service manages automated NFS mounts. NFS clients may need to mount file systems
from many different NFS servers. The automount service mounts file systems automatically when they
are needed and unmounts them after a specific amount of idle time. A table used by this service defines the
file system mount points, mount options, and the associated NFS servers. Also, in order to centralize the
management of automount, the configuration tables can be stored in a name service such as NIS or
NIS+. A kernel level service (autofs) interacts with the system daemon (automountd) to manage file
system mount and unmount requests. The primary automount configuration table is stored in the
/etc/auto_master file. The /etc/auto_master file determines the locations of all autofs mount
points. By default, this file contains four entries.

Ideally, automount should be disabled because, not only does it run as a privileged daemon, but it also
uses NFS and RPC. Sun highly recommends that it be disabled.

To disable autofs, you also need to remove /etc/auto_master and /etc/auto_home. If they or
either one of them cannot be removed, this service must remain on.

The following files should be renamed or removed to fully disable NFS auto-mount:

/etc/rc2.d/S74autofs
/etc/auto_master
/etc/auto_home

Disable Print Service


The /etc/rc2.d/S80lp script is required for both a server providing print services to other systems and
a system which requires access to printers hosted by other systems. If this functionality is not required, Sun
recommends that the packages for lp be removed from the system, and the in.lpd entry be removed
from /etc/inet/inetd.conf.

The following script file should be renamed to disable the print service:

/etc/rc2.d/S80lp

Disable Preserve
This service automatically saves the files currently being edited to /usr/preserve when the session is
lost or the server is rebooted. This service can be safely disabled and Sun recommends that it be disabled.

The following script files should be renamed to disable the preserve feature:

/etc/rc2.d/S80PRESERVE (Solaris 8)
/etc/rc2.d/S89PRESERVE (Solaris 9)


Disable Solstice Print Client Service (SPC)


Yet another printing related service that is not needed. Sun recommends that it be disabled.

The following script file should be renamed to disable the SPC service:

/etc/rc2.d/S80spc

Disable Power Management Daemon


The powerd daemon is started by pmconfig to monitor system activity and perform an automatic
shutdown using the suspend-resume feature. When the system is suspended, the complete current state
information is saved to disk before power is removed. This service is only useful for workstations that
are configured for power-saving mode (they shut down to save energy) and should never be used on a
server. It can be safely disabled, and Sun recommends that it be disabled. Once it is disabled, a blank file
/noautoshutdown should be created to prevent the system from asking power management questions
(workstations only).

The following script file should be renamed to prevent access to powerd daemon:

/etc/rc2.d/S85power

The following file should be created to prevent system from asking power management related questions:

/noautoshutdown

Disable SMTP Mail Server


The sendmail utility is used on a Solaris system to forward and receive mail from other systems. Centralized
mail servers should be used to receive mail, not local servers. Ideally, a more secure Mail Transport
Agent (MTA) should be used instead of the MTA bundled with Solaris. The sendmail daemon bundled with
Solaris has been subject to numerous denial of service, buffer overflow, and misconfiguration attacks.

Sun recommends that sendmail be disabled unless it is absolutely necessary. In a later section, system
logging is modified to send warning messages to logs instead of mailing them to root (root's mail could fill
up /var if it is not checked regularly, thus halting the system). You may invoke sendmail periodically from
crontab to process queued mail from programs and processes that use mail to send out messages.

Renaming the following script file will disable the SMTP mail server:

/etc/rc2.d/S88sendmail
Replace the installed sendmail.cf file with the minimal sendmail.cf in Appendix C.

Add the following entry to root's crontab to flush the mail queue once per hour:

0 * * * * /usr/lib/sendmail -q

Disable Web-Based Enterprise Management (WBEM) service


WBEM is both an initiative and a technology. As an initiative, WBEM includes standards for managing systems,
networks, users, and applications by using Internet technology. As a technology, WBEM provides a way for
management applications to share management data independently of vendor, protocol, operating system,
or management standard. The core of WBEM is the Common Information Model (CIM); all
compatible objects must implement the CIM model. This is an optional software package new to Solaris 8
and is available in Solaris 9 as well. Sun recommends that it be disabled if it is not needed.


For more information about WBEM, please refer to the WBEM on Sun Developer's Guide.

The following script file should be renamed to disable the WBEM service:

/etc/rc2.d/S90wbem

Disable CacheFS Daemon


This is a continuation of the CacheFS disabling procedure described earlier.

This is part four of the four script files that need to be renamed in order to fully disable CacheFS; for clarity,
they are each listed in different subsections of this document:

/etc/rcS.d/S35cacheos.sh
/etc/rcS.d/S41cachefs.root
/etc/rc2.d/S73cachefs.daemon
/etc/rc2.d/S93cacheos.finish ←

An entry in /etc/inet/inetd.conf, which is controlled by the RPC daemon, also has to be
commented out. It is discussed later in this section.

/etc/inet/inetd.conf

Disable NCA Logging


This is a continuation of the NCA disabling procedure described earlier.

This is part two of the three script files that need to be renamed in order to fully disable NCA; for clarity,
they are each listed in different subsections of this document:

/etc/rcS.d/S42ncakmod
/etc/rc2.d/S94ncalogd ←
/etc/rc2.d/S95ncad

Disable NCA Daemon


This is a continuation of the NCA disabling procedure described earlier.

This is part three of the three script files that need to be renamed in order to fully disable NCA; for clarity,
they are each listed in different subsections of this document:

/etc/rcS.d/S42ncakmod
/etc/rc2.d/S94ncalogd
/etc/rc2.d/S95ncad ←

Disable NFS Server Service


The Solaris boot sequence assumes that some systems will be NFS file servers. The network services
required to support NFS file services are only started if the system has been configured appropriately. That
is a prudent strategy.


There's a collection of historically dangerous RPC services that can be started at boot time from the script
S15nfs.server found in /etc/rc3.d. This includes the mountd daemon mentioned in the SANS Top
Ten Security Threats 2002. If the system isn't an NFS file server, the mountd and nfsd servers should not be
started. All NFS file-sharing information is transported in clear text, so it is susceptible to snooping.
Therefore, Sun recommends that NFS not be configured, for security reasons.

The following two scripts need to be renamed or removed in order to fully disable the NFS server service:

/etc/rc3.d/S15nfs.server
/etc/dfs/dfstab

Disable Sun Stock Apache Server


By default, this service (new to Solaris 8 and is available in Solaris 9 as well) is not started automatically at
boot time. If web access is not needed or a newer version is installed, this stock version that comes with the
OS should be disabled. Sun recommends that this stock version be disabled.

Renaming the following script file will disable the Sun stock apache server:

/etc/rc3.d/S50apache

Disable SNMP services


There are several stock Simple Network Management Protocol (SNMP) services enabled by default on
Solaris: snmpdx, snmpXdmid and mibiisa. The SNMP service is always at port 161; the other
port numbers vary. The snmpdx daemon uses snmpXdmid to answer some queries and the mibiisa
daemon to answer others. All of these processes run as user root and might be compromised.

Some OAM applications use their own SNMP agent, thus the stock SNMP services started by Sun are not
needed. If SNMP is not required, Sun recommends that the startup script be disabled so that these stock
SNMP services will not provide system information to unknown persons.

Please note that some servers which use the T3 disk-array require the Sun stock SNMP services to
manage the RAID disk-arrays. Also, if Sun SMC3.0 agent is running on the server, SNMP services must
not be turned off.

Renaming the following script file will disable SNMP services:

/etc/rc3.d/S76snmpdx

Disable Desktop Management Interface (DMI)


There is a well-known vulnerability on Solaris 8 concerning DMI: a buffer overflow that can lead to local
and remote root compromise. Please see the archived advisory "Solaris SNMP to DMI mapper daemon vulnerability"
for more information.

DMI can be safely turned off and Sun recommends that it be disabled.

The following script file should be renamed to disable DMI:

/etc/rc3.d/S77dmi


Disable Mobile IP Agent Service


The MIP agent utility implements the Mobile IP home agent and foreign agent functionality described in
RFC 2002. It responds to Mobile IP registration and deregistration requests and router discovery solicitation
messages from a mobile node. Besides responding to external messages, the mipagent utility also performs
tasks on a periodic basis, such as aging mobility bindings and visitor entries and sending agent advertisements.

This service is new to Solaris 8 and is available in Solaris 9 as well. It requires that the
/etc/inet/mipagent.conf file be present during the startup. The Solaris 8 and 9 default installation
disables this service and Sun recommends that the startup script be disabled if it is not needed.

The following script file should be renamed to disable the Mobile IP agent service:

/etc/rc3.d/S80mipagent


Unnecessary Network Services Managed by inetd Process


The inetd daemon provides access to system and network services available on a system. Its
configuration file, /etc/inet/inetd.conf, defines which services are managed by the inetd daemon.
An ideally secured server should neither have the /etc/inet/inetd.conf file nor run inetd, as the
daemons started from /etc/inet/inetd.conf are frequently not needed. To disable a service, the
/etc/inet/inetd.conf file is edited and a comment character ("#") is placed in front of the line
containing the service definition. Once this is completed, a HUP signal is sent to the inetd process, which
causes the inetd daemon to reread its configuration file.

The removal of unnecessary system packages from the system, called minimization, reduces the number
of components that have to be patched and made secure. Reducing the number of components reduces
the number of possible entry points into the system by an intruder.

It is recommended by Sun that most of the services in /etc/inet/inetd.conf be disabled. For more
information, please check out the latest Sun Blueprints for securing Solaris: Solaris Operating Environment
Security - Updated for Solaris 8 Operating Environment and Solaris Operating Environment Security -
Updated for Solaris 9 Operating Environment.

Disable DARPA name server


DARPA stands for Defense Advanced Research Projects Agency. in.tnamed is a server that supports
the DARPA Name Server Protocol. The name server operates at the port indicated in the "name" service
description, and is invoked by inetd when a request is made to the name server.

The protocol implemented by this program is obsolete. Its use should be phased out in favor of the Internet
Domain Name Service (DNS) protocol.

To disable the DARPA name server, the following file is modified:

/etc/inet/inetd.conf

and the following line is commented out:

name dgram udp wait root /usr/sbin/in.tnamed in.tnamed

Disable rsh
Access control and accountability are critical to the security of a system. Access control should involve
strong authentication for system access, while accountability information should provide tracking data
relative to system changes. The standard r* commands (i.e., rsh, rlogin, and rcp) break both of these
requirements. This is because most implementations of r* commands involve “zones of trust.” Within a zone
of trust, all systems are trusted and no additional authentication is required. Hence, an intruder need only
gain access to one server in order to gain access to all the servers.

rsh creates a remote shell on a host, allowing a user to execute commands on the remote UNIX host.
The rsh service relies on inadequate authentication: the client's IP address (which can be spoofed),
DNS (which can be spoofed) and the notion of reserved ports (on UNIX systems only root can bind the
client's source port, an assumption that is worthless once an attacker controls any host on the
network). The server can trust a whole variety of hosts (with /etc/hosts.equiv), and individual users
can trust user/host pairs (with ~user/.rhosts). This is a very convenient system with many possible
security compromises. For example, all the data sent between client and server crosses the network
without encryption and can be captured by a network sniffer. For security purposes, rsh should be
disabled or replaced with an SSH protocol implementation such as ssh or OpenSSH.

Page 17 0f 56
Nortel Networks Solaris 8 and 9 Operating System Hardening Guide

This is part one of disabling the "r" based services (rsh, rlogin, etc.); the disabling of the
authentication part of the service is done later in the subsection: Disable PAM configuration for rsh and rlogin.

This is part one of a two part procedure to disable the rsh service, in which the following files are
either locked or modified:

/etc/pam.conf
/etc/inet/inetd.conf (this subsection)
/etc/hosts.equiv
To disable the program part of rsh, the following file is modified:

/etc/inet/inetd.conf
and the following lines are commented out:

shell stream tcp nowait root /usr/sbin/in.rshd in.rshd
shell stream tcp6 nowait root /usr/sbin/in.rshd in.rshd

Disable rlogin
rlogin establishes a remote login session for trusted users/sites without a password challenge. The
rlogin service relies on the same inadequate authentication as rsh: the client's IP address (which can
be spoofed), DNS (which can be spoofed) and the notion of reserved ports (on UNIX systems only root can
bind the client's source port). The server can trust a whole variety of hosts (with /etc/hosts.equiv);
individual users can trust user/host pairs (with ~user/.rhosts). This is a very convenient system with
many possible security compromises. For example, the server issues a Password: challenge if the user
does not pass the weak authentication requirements, but that password, like all other traffic in the
session, is transmitted unencrypted over the network and can be captured by a network sniffer. rlogin
runs as root, and for security purposes it should be disabled or replaced with an SSH protocol
implementation such as ssh or OpenSSH.

This is part one of disabling the "r" based services (rsh, rlogin, etc.); the disabling of the
authentication part of the service is done later in the subsection: Disable PAM configuration for rsh and rlogin.

This is part one of a two part procedure to disable the rlogin service, in which the following files are
either locked or modified:

/etc/pam.conf
/etc/inet/inetd.conf (this subsection)
/etc/hosts.equiv
To disable the program part of rlogin, the following file is modified:

/etc/inet/inetd.conf
and the following lines are commented out:

login stream tcp6 nowait root /usr/sbin/in.rlogind in.rlogind
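Commenting out the inetd.conf entries removes the listeners, but the trust files named above
(/etc/hosts.equiv and each ~user/.rhosts) are what make the r-services dangerous, and they are also
honoured by other software that uses the same "trusted host" check. The following script is an added
example, not part of this guide or of Sun's tooling: it audits a hosts.equiv-format file for the
wildcard entries ("+" as host or user, "+@netgroup") that trust every host or every user, flags a
world-writable trust file, and walks the home directories listed in a passwd file to audit each
.rhosts. The file contents in the demo are constructed sample data; the ROOT argument exists only so
the demo and test can run against a temporary tree instead of the live /etc. Run it with /usr/bin/ksh on
Solaris 8/9, since the Bourne /bin/sh lacks $((...)).

```shell
#!/bin/sh
# Added example: audit r-service trust files for wildcard trust.

# audit_trust_file FILE
# Print one finding per dangerous entry and return 1 if any was found.
# hosts.equiv / .rhosts lines are "host [user]"; "+" in either position
# means "any", and "+@name" trusts every member of a NIS netgroup.
audit_trust_file() {
    f=$1
    [ -f "$f" ] || return 0          # nothing to audit is the safe state
    rc=0
    if [ -n "$(find "$f" -perm -002 2>/dev/null)" ]; then
        echo "$f: world-writable (any local user can add trust entries)"
        rc=1
    fi
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in
            ''|\#*) continue ;;       # blank or comment
        esac
        set -- $line                  # $1 = host field, $2 = optional user field
        case "$1" in
            +)   echo "$f:$n: '+' trusts every host"; rc=1 ;;
            +@*) echo "$f:$n: netgroup wildcard $1 trusts every host in that netgroup"; rc=1 ;;
        esac
        if [ $# -ge 2 ]; then
            case "$2" in
                +) echo "$f:$n: '+' trusts every user on $1"; rc=1 ;;
            esac
        fi
    done < "$f"
    return $rc
}

# audit_user_rhosts PASSWDFILE [ROOT]
# Audit ROOT$home/.rhosts for every account in PASSWDFILE (ROOT defaults to "",
# i.e. the live file system; the demo passes a temporary tree).
audit_user_rhosts() {
    pw=$1; root=${2:-}
    rc=0
    while IFS=: read -r name x uid gid gecos home shell; do
        [ -n "$home" ] || continue
        [ -f "$root$home/.rhosts" ] || continue
        audit_trust_file "$root$home/.rhosts" || rc=1
    done < "$pw"
    return $rc
}

# --- demo on constructed files (not the live system) ---
D=${TMPDIR:-/tmp}/rtrust-demo.$$
mkdir -p "$D/export/home/alice"
printf 'trusted.example.com\n+\n' > "$D/hosts.equiv"                   # constructed
printf 'ops.example.com +\n' > "$D/export/home/alice/.rhosts"          # constructed
printf 'alice:x:1001:10::/export/home/alice:/bin/sh\n' > "$D/passwd"   # constructed
audit_trust_file "$D/hosts.equiv" || echo "hosts.equiv needs attention"
audit_user_rhosts "$D/passwd" "$D" || echo "at least one .rhosts needs attention"
rm -rf "$D"
# On the real host: audit_trust_file /etc/hosts.equiv; audit_user_rhosts /etc/passwd
```

A clean result (exit status 0, no output) is what the later "lock /etc/hosts.equiv" step should leave behind; rerun the audit after that step as the check.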

Disable remote execution


The remote execution server daemon, in.rexecd, is started from /etc/inetd.conf when a
connection request is made. This daemon provides remote execution facilities based on user name and
password information. Once authenticated, the daemon executes the command passed along with the
authentication information. Unfortunately, neither the user name nor password is encrypted while
transmitted over the network. This exposes the in.rexecd daemon to man in the middle, session
hijacking, and network sniffing attacks. For this reason, and the fact that it runs as user root, the
in.rexecd daemon entries in /etc/inetd.conf should be disabled.

To disable remote execution, the following file is modified:

/etc/inet/inetd.conf
with the following lines commented out:

exec stream tcp nowait root /usr/sbin/in.rexecd in.rexecd
exec stream tcp6 nowait root /usr/sbin/in.rexecd in.rexecd

Disable biff server


The biff server gives notification of incoming mail messages. Also known as the comsat service, it
listens for reports of incoming mail and notifies users who have requested to be told when mail arrives with
a ‘you have mail message’ on their screen. This notification can be turned off or on for each terminal
session. With no arguments, biff displays the current notification status for the terminal. If notification is
allowed, the terminal rings the bell and displays the header and the first few lines of each arriving mail
message. biff operates asynchronously. For synchronized notices, the MAIL variable of sh or the mail
variable of csh are used.

comsat is invoked as needed by inetd, and times out if inactive for a few minutes. It runs as user root
and it may be compromised. Therefore, if it is not being used, it should be disabled. Since it is
recommended that the smtp server be disabled and all logging be sent to either a file or the console, it is no
longer necessary for this service to be turned on.

To disable the biff server, the following file is modified:

/etc/inet/inetd.conf
with the following line commented out:

comsat dgram udp wait root /usr/sbin/in.comsat in.comsat

Disable talk server


talkd is the server used by the talk program. It listens at the UDP port indicated in the “talk” service
description. The actual conversation takes place on a TCP connection that is established by negotiation
between the two machines involved. It runs as user root and might be compromised. Therefore, if it is
not needed it should be disabled.

To disable the talk server, the following file is modified:

/etc/inet/inetd.conf
with the following line commented out:

talk dgram udp wait root /usr/sbin/in.talkd in.talkd

Disable UUCP (UNIX-UNIX copy) server


in.uucpd is the server that supports traditional UUCP (Unix-to-Unix copy) networking over TCP/IP. It is
invoked by inetd when a connection is made to the uucp port, prompts the caller for a login name and
password (sent in clear text) and then runs uucico for the file transfer. It runs as user root and might
be compromised. Therefore, if it is not needed, it should be disabled.


To disable the UNIX-UNIX copy server, the following file is modified:

/etc/inet/inetd.conf
with the following line commented out:

uucp stream tcp nowait root /usr/sbin/in.uucpd in.uucpd

Disable trivial FTP server


The tftp service (Trivial File Transfer Protocol) exists to provide diskless systems with a way to access
files on the network; it is used primarily for booting, and most sites run it only on machines acting as
"boot servers". The tftp daemon (in.tftpd) has no authentication facilities; it only allows clients to
access publicly readable files in a restricted directory. Diskless workstations, X-terminals and some
printers use this service to load the files needed to boot. The tftp service is often configured in error,
and attackers use it to retrieve password files and other system files that may compromise system
integrity. It runs as user root and might be compromised. Therefore, if it is not needed, it should be
disabled.

in.tftpd is managed by the inetd server process and is configured in /etc/inet/inetd.conf. By default it is
not enabled in Solaris. If this service is necessary, it should be configured securely: keep the -s
option, which confines the daemon to the named directory (/tftpboot in the default entry), and place only
boot images in that directory.

To disable the trivial FTP server, the following file is modified:

/etc/inet/inetd.conf
with the following line commented out (the default state of this service is off, i.e. commented out):

#tftp dgram udp6 wait root /usr/sbin/in.tftpd in.tftpd -s /tftpboot

Disable finger server


The finger service (in.fingerd) provides information about local and remote users on the system.
Historically it has been used to compromise systems, and it is a good tool for attackers to enumerate
account names, home directories and login activity before guessing passwords. Many sites disable the
service. In the default entry it runs as user nobody rather than root, which limits what a flaw in the
daemon can reach, but the information it gives away is the problem. Therefore, if it is not needed, it
should be disabled.

To disable the finger server, the following file is modified:

/etc/inet/inetd.conf
with the following line commented out:

finger stream tcp6 nowait nobody /usr/sbin/in.fingerd in.fingerd

Disable systat
systat allows for the remote learning of process status, i.e., what jobs are currently running on a system,
by displaying the output of ps -ef. The ps command prints information about active processes. Without
options, ps prints information about processes that have the same effective user ID and the same
controlling terminal as the invoker. The output contains only the process ID, terminal identifier, cumulative
execution time, and the command name. Otherwise, the information that is displayed is controlled by the
several options. Please see the MAN pages for more information.

systat should be disabled because it runs as root and it provides too much system information. Therefore, it
may be compromised and should be disabled if it is not needed.

To disable systat, the following file is modified:


/etc/inet/inetd.conf
with the following line commented out (the default state of this service is off, i.e. commented out):

#systat stream tcp nowait root /usr/bin/ps ps -ef

Disable netstat
netstat allows for remote learning of network status, i.e., what peers are currently connected to the
system. netstat displays the contents of certain network-related data structures in various formats,
depending on the options you select. The first form of the command displays a list of active sockets for each
protocol. The second form selects one from among various other network data structures. The third form
shows the state of the interfaces. The fourth form displays the routing table, the fifth form displays the
multicast routing table, and the sixth form displays the state of DHCP on one or all interfaces. With no
arguments, netstat prints the connected sockets for PF_INET, PF_INET6, and PF_UNIX, unless modified
otherwise by the -f option. Please see the MAN pages for more information on options.

The netstat command provides system information which may then be used to launch attacks against
the system. It also runs as root and may be compromised. Therefore, if it is not needed it should be
disabled.

To disable netstat, the following file is modified:

/etc/inet/inetd.conf
with the following line commented out (the default state of this service is off, i.e. commented out):

#netstat stream tcp nowait root /usr/bin/netstat netstat -f inet

Disable legacy time services


The time service (not to be confused with the Network Time Protocol) returns the current system time and
date to anyone who connects. xntp has been shipped with Solaris since 2.6 for time synchronization, and
the xntp daemon offers security and functionality improvements over rdate and time. Whenever possible,
xntp should be used instead of the time service. The time service is very old, it predates NTP, and it is
seldom used. It is a built-in function of inetd, which runs as user root and might be compromised.
Therefore, if it is not needed, it should be disabled.

To disable the legacy time services, the following file is modified:

/etc/inet/inetd.conf
with the following line commented out :

time stream tcp6 nowait root internal
time dgram udp6 wait root internal

Disable echo
The echo service (not to be confused with the ICMP echo used by ping, nor with the echo(1) shell
command) simply sends back whatever data it receives, on both TCP and UDP. It is very old (RFC 862,
1983), was intended for network diagnostics, and is seldom used any more. Its UDP form is a classic
amplification and looping target: a spoofed datagram whose source is another echo or chargen port starts
a packet exchange between two servers that neither will end, consuming sockets and bandwidth. It is a
built-in function of inetd, which runs as user root and might be compromised. Therefore, it should be
disabled.


To disable echo, the following file is modified:

/etc/inet/inetd.conf
with the following line commented out :

echo stream tcp6 nowait root internal
echo dgram udp6 wait root internal

Disable discard
The discard service (RFC 863) throws away whatever data it receives. It is very old, was intended for
diagnostics, and is no longer used for that purpose. Like echo, it can be used in a denial of service
attack to tie up sockets. It is a built-in function of inetd, which runs as user root and might be
compromised. Therefore, it should be disabled.

To disable discard, the following file is modified:

/etc/inet/inetd.conf
with the following line commented out :

discard stream tcp6 nowait root internal
discard dgram udp6 wait root internal

Disable daytime
The daytime service (RFC 867; not to be confused with the Network Time Protocol) returns the system time
as a human-readable string. It is very old, it predates NTP, and it is seldom used. It is a built-in
function of inetd, which runs as user root and may be compromised. Therefore, if it is not needed, it
should be disabled.

To disable daytime, the following file is modified:

/etc/inet/inetd.conf
with the following line commented out :

daytime stream tcp6 nowait root internal
daytime dgram udp6 wait root internal

Disable chargen
chargen (RFC 864, 1983) generates a continuous stream of characters, which was useful for testing TCP
implementations when it was designed. Today it is not used. However, it can be used in a denial of service
attack to consume sockets and bandwidth, particularly its UDP form paired with a UDP echo server. It is a
built-in function of inetd, which runs as user root and may be compromised. Therefore, it should be
disabled.

To disable chargen, the following file is modified:

/etc/inet/inetd.conf
with the following line commented out :

chargen stream tcp6 nowait root internal
chargen dgram udp6 wait root internal


Disable Solstice system and network administration class agent server


sadmind, the distributed system administration daemon, is used by the AdminSuite applications to
perform distributed system administration operations remotely. The sadmind daemon is started
automatically by the inetd daemon whenever a request to invoke an operation is received. The sadmind
daemon process continues to run for 15 minutes after the last request is completed, unless a different idle-
time is specified. The sadmind daemon may be started independently from the command line, for
example, at system boot time. In this case, the idle-time specification has no effect; sadmind continues to
run, even if there are no active requests. The sadmind daemon process can be configured to write tracing
information into a log file.

sadmind typically does not make use of the stronger authentication mechanisms available to it but rather
defaults to weak AUTH_SYS authentication (the -S 2 option requests AUTH_DES, but disabling the daemon is
the simpler and safer choice). It also runs as user root and may be compromised; sadmind appears in the
SANS list of the most commonly exploited vulnerabilities of 2002. Network-based attacks against sadmind
pose a significant threat to the security of a server, and it should therefore be disabled if it is not
being used.

Sun states that on almost all servers, the RPC services in /etc/inet/inetd.conf can be removed. Many
applications that use RPC services add additional entries to the /etc/inet/inetd.conf in addition to using one
of the RPC based daemons. The RPC services in /etc/inet/inetd.conf should be removed unless specifically
required.

To disable the Solstice system and network administration class agent server, the following file is modified:

/etc/inet/inetd.conf
with the following line commented out :

100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind

Disable Remote Disk Quota Server


rquotad is an rpc server which returns quotas for a user of a local file system which is mounted by a
remote machine over the NFS. The results are used to display user quotas for remote file systems. The
rquotad daemon is normally invoked by the inetd process. It runs as user root and might be
compromised. Therefore, if it is not being used, it should be disabled.

To disable the remote disk quota server, the following file is modified:

/etc/inet/inetd.conf
with the following line commented out :

rquotad/1 tli rpc/datagram_v wait root /usr/lib/nfs/rquotad rquotad

Disable rusers service


rpc.rusersd, the network username server, is a server that returns a list of users on the host. The
rpc.rusersd daemon may be started by the inetd process or by the listen process. rpc.rusersd gives out
information about your system. It's not an essential service and it runs as user root and may be
compromised. Therefore, if it is not being used, it should be disabled.

To disable the rusers server, the following file is modified:

/etc/inet/inetd.conf
with the following line commented out :

rusersd/2-3 tli rpc/datagram_v,circuit_v wait root /usr/lib/netsvc/rusers/rpc.rusersd rpc.rusersd

Disable spray service


rpc.sprayd , the spray server, receives and records the packets sent by spray, a ping-like tool. The service
provided by rpc.sprayd is not useful as a networking benchmark as it uses unreliable connectionless
transports, udp for example. It can report a large number of packets dropped when the drops were caused
by the program sending packets faster than they can be buffered locally before the packets are transmitted
to the network medium.

The rpc.sprayd daemon may be started by the inetd process or the listen process. It runs as user root and
may be compromised. Therefore, if it is not being used, it should be disabled.

To disable spray service, the following file is modified:

/etc/inet/inetd.conf
with the following line commented out :

sprayd/1 tli rpc/datagram_v wait root /usr/lib/netsvc/spray/rpc.sprayd rpc.sprayd

Disable wall service


rpc.rwalld is a network server that handles rwall requests (write to all users on remote systems). It is
implemented by calling wall on all the appropriate network machines.

The rpc.rwalld daemon may be started by the inetd process or the listen process. It is not considered an
essential tool. It runs as user root and may be compromised. Therefore, if it is not being used it should be
disabled.

To disable wall service, the following file is modified:

/etc/inet/inetd.conf
with the following line commented out :

walld/1 tli rpc/datagram_v wait root /usr/lib/netsvc/rwall/rpc.rwalld rpc.rwalld

Disable kernel statistics server


rpc.rstatd, a RPC service, is a server which returns performance statistics of your system obtained from the
kernel. In general this service is not used since it impacts the overall server performance and Sun
recommends disabling it. It runs as user root and may be compromised. Therefore, if it is not being used, it
should be disabled.

To disable the kernel statistics server, the following file is modified:

/etc/inet/inetd.conf
with the following line commented out :

rstatd/2-4 tli rpc/datagram_v wait root /usr/lib/netsvc/rstat/rpc.rstatd rpc.rstatd


Disable RPC based remote execution server


rpc.rexd is the Sun RPC-based remote execution server used to remotely execute programs and
commands on a target system. rpc.rexd does not make use of the stronger authentication mechanisms
available to it, but rather it defaults to weak authentication. Network-based attacks against these services pose a
significant threat to the security of a server.

The rpc.rexd daemon is started by the inetd process whenever a remote execution request is
made. It runs as user root and may be compromised. Therefore, if it is not being used, it should be
disabled.

To disable the RPC based remote execution server, the following file is modified:

/etc/inet/inetd.conf
with the following line commented out (the default state of this service is off, i.e. commented out):

#rexd/1 tli rpc/tcp wait root /usr/sbin/rpc.rexd rpc.rexd

Disable calendar server


rpc.cmsd is the calendar manager daemon, which lets a user update his own calendar and look at other
users' calendars. It is part of CDE (Common Desktop Environment), where users create calendar entries
through the GUI. Because it runs as root and accepts RPC requests from the network, a flaw in it exposes
the whole system, not just calendar data. Therefore, if it is not being used, it should be disabled.

The following file is modified:

/etc/inet/inetd.conf
with the following line commented out:

100068/2-5 dgram rpc/udp wait root /usr/dt/bin/rpc.cmsd rpc.cmsd

Disable Sun tool talk server


Sun tool talk server is a RPC-based ToolTalk database server. It serves four purposes:
1. Mapping a spec to its associated file and a file to its associated specs.
2. Mapping a spec to its properties.
3. Mapping a file to a list of sessions with clients having patterns registered in the scope of that file.
4. Answering netfile queries; see tt_file_netfile and tt_host_file_netfile.
In general, it should be disabled. The following file is modified:

/etc/inet/inetd.conf
with the following line commented out:

100083/1 tli rpc/tcp wait root /usr/dt/bin/rpc.ttdbserverd rpc.ttdbserverd

Disable UFS-aware server


ufsd is an RPC-managed service that is disabled by default in Solaris.

The following file is modified:

/etc/inet/inetd.conf


to ensure that the line below stays commented out:

#ufsd/1 tli rpc/* wait root /usr/lib/fs/ufs/ufsd ufsd –p

Disable KCMS server


The kcms_server provides remote access to local KCMS profiles which are used by Kodak Color
Management System for advanced graphics. It runs as user root and may be compromised. Therefore, if it
is not being used, then it should be disabled.

For more information about the KCMS server, please refer to the Sun KCMS collection web site.

The following file is modified :

/etc/inet/inetd.conf
with the line below commented out:

100221/1 tli rpc/tcp wait root /usr/openwin/bin/kcms_server kcms_server

Disable Sun font server


fs is the X11 font server. If your system does not supply X11 fonts to other hosts, this service is not
needed. In the default entry it runs as user nobody rather than root, but it is still a network-reachable
daemon that may be compromised, and in most cases an OAM server should never be a font server. Therefore,
it should be disabled.

For more information about the font server, please refer to the Sun Solaris 8 Font Admin Guide.

The following file will be modified:

/etc/inet/inetd.conf
with the line below commented out:

fs stream tcp wait nobody /usr/openwin/lib/fs.auto fs

Disable cachefs daemon


The cachefsd daemon layers local file caching of NFS mounted disks similar to a smart auto-mounter. It
will increase NFS performance, especially on file systems that are essentially read-only (like /usr). However,
it runs as user root and may be compromised. Therefore, if it is not being used, it should be disabled.

This is the last part of disabling cachefs; the following system files are affected over the whole
procedure:
/etc/rcS.d/S35cacheos.sh
/etc/rcS.d/S41cachefs.root
/etc/rc2.d/S73cachefs.daemon
/etc/rc2.d/S93cacheos.finish
/etc/inet/inetd.conf (this subsection)

The following file will be modified:

/etc/inet/inetd.conf
with the line below commented out:


100235/1 tli rpc/tcp wait root /usr/lib/fs/cachefs/cachefsd cachefsd

Disable kerberos V5 warning server


The Kerberos system authenticates individual users in a network environment. Once authenticated to
Kerberos, a user can use the Kerberos authentication option of network services such as NFS and, in some
environments, run rlogin, rcp and rsh without presenting passwords to remote hosts or maintaining .rhosts
files. For Kerberos to be used effectively and correctly, an entire infrastructure of Kerberos components
must be deployed, which adds administrative overhead that may not be wanted.

ktkt_warnd is the Kerberos ticket warning daemon, an RPC service started by inetd that warns logged-in
users when their tickets are about to expire. It is registered on the loopback transport (ticotsord), so it
is not reachable from the network, but it runs as root and serves no purpose on a server that does not use
Kerberos. It should be disabled there.

The following file will be modified:

/etc/inet/inetd.conf
with the line below commented out:

100134/1 tli rpc/ticotsord wait root /usr/lib/krb5/ktkt_warnd ktkt_warnd

Disable BSD print listener


Unless it is running on a print server, this service should be disabled.

The following file will be modified:

/etc/inet/inetd.conf
with the line below commented out:

printer stream tcp6 nowait root /usr/lib/print/in.lpd in.lpd

Disable dtterm subprocess daemon


This service is part of the CDE package. The CDE sub-process control daemon /usr/dt/bin/dtspcd performs
an insufficient check on client credentials. Because it is reachable over the network through inetd and
runs as root, a flaw in that check can lead to a root compromise. It should be disabled.

The following file will be modified:

/etc/inet/inetd.conf
with the line below commented out:

dtspc stream tcp nowait root /usr/dt/bin/dtspcd /usr/dt/bin/dtspcd

Disable OCF (smart card) daemon


Unless the server has a smartcard reader, this service should be disabled (the service is managed by
RPC). Some of the newer Sun Blade workstations come with a smartcard reader, but the hardware
documentation states that the current OS does not have a driver for it. In short, a Sun enterprise class
server should not need this service.

The following file will be modified:

/etc/inet/inetd.conf


with the line below commented out:

100150/1 tli rpc/ticotsord wait root /usr/sbin/ocfserv ocfserv
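Every subsection from "Disable DARPA name server" to "Disable OCF (smart card) daemon" is the same
operation: comment out one or more entries in /etc/inet/inetd.conf and then send inetd a HUP. Doing that
by hand for forty-odd entries invites typos (a half-commented line silently leaves a service enabled), so
the script below is offered as an added example, not part of this guide or of Sun's tools. It comments out
entries by their first field (a service name such as shell, or an RPC program/version such as 100232/10),
is idempotent, keeps a timestamped backup, rewrites the file in place so its owner and mode survive, and
prints what is still enabled afterwards, which is the check to run before and after the HUP. The
inetd.conf extract in the demo is constructed sample data. On Solaris 8/9 run it under /usr/bin/ksh and
set AWK=/usr/bin/nawk, because the Bourne /bin/sh lacks $(...) and /usr/bin/awk is the old awk without -v.

```shell
#!/bin/sh
# Added example: bulk-disable inetd.conf services and list what remains.
AWK=${AWK:-awk}

# disable_inetd_services FILE SERVICE...
# SERVICE is the first field of an inetd.conf entry.  Lines that are already
# commented are left alone, so running this twice never produces "##".
disable_inetd_services() {
    file=$1; shift
    cp -p "$file" "$file.bak.$(date +%Y%m%d%H%M%S)" || return 1
    $AWK -v list="$*" '
        BEGIN { n = split(list, want, " "); for (i = 1; i <= n; i++) off[want[i]] = 1 }
        /^[ \t]*#/ || NF == 0 { print; next }        # comment or blank: untouched
        ($1 in off)           { print "#" $0; next } # matching service: disable
        { print }
    ' "$file" > "$file.tmp" && cat "$file.tmp" > "$file" && rm -f "$file.tmp"
}

# enabled_inetd_services FILE: first field of every active entry, one per line.
enabled_inetd_services() {
    $AWK '!/^[ \t]*#/ && NF > 0 { print $1 }' "$1"
}

# reload_inetd: make the running inetd reread /etc/inet/inetd.conf.
# Only meaningful on the real system; the demo below does not call it.
reload_inetd() {
    pkill -HUP -x inetd
}

# make_sample_inetd_conf FILE: constructed extract used only by the demo/test.
make_sample_inetd_conf() {
    cat > "$1" <<'EOF'
# Constructed inetd.conf extract (sample data, not a real configuration)
ftp       stream  tcp6    nowait  root    /usr/sbin/in.ftpd      in.ftpd
shell     stream  tcp     nowait  root    /usr/sbin/in.rshd      in.rshd
shell     stream  tcp6    nowait  root    /usr/sbin/in.rshd      in.rshd
login     stream  tcp6    nowait  root    /usr/sbin/in.rlogind   in.rlogind
#tftp     dgram   udp6    wait    root    /usr/sbin/in.tftpd     in.tftpd -s /tftpboot
chargen   stream  tcp6    nowait  root    internal
chargen   dgram   udp6    wait    root    internal
100232/10 tli     rpc/udp wait    root    /usr/sbin/sadmind      sadmind
EOF
}

# --- demo on the constructed sample ---
SAMPLE=${TMPDIR:-/tmp}/inetd.conf.sample.$$
make_sample_inetd_conf "$SAMPLE"
disable_inetd_services "$SAMPLE" shell login chargen 100232/10
echo "still enabled:"; enabled_inetd_services "$SAMPLE"    # only ftp is left
rm -f "$SAMPLE" "$SAMPLE".bak.*
# On the real host:
#   disable_inetd_services /etc/inet/inetd.conf name shell login exec comsat ... && reload_inetd
#   enabled_inetd_services /etc/inet/inetd.conf    # should list only what the server needs
```

The listing from enabled_inetd_services is also a useful artefact to keep with the build record: it is
the complete set of inetd listeners the server is meant to have, and a later diff against it shows
anything an application install has added back.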

Reduce inetsvc Functionalities


The following section illustrates the steps to minimize the functions provided by the inetsvc script, in
order to reduce the risks associated with the unneeded functions started by inetsvc.

Alternatively, you may install a replacement /etc/init.d/inetsvc file like the example in Appendix A and
be sure to re-create the hard link in /etc/rc2.d:
ln /etc/init.d/inetsvc /etc/rc2.d/S72inetsvc

Disable DHCP support


OAM servers are normally configured with static IPs and hostnames, therefore, the DHCP support should
be disabled as recommended by Sun. Please note that this DHCP support has nothing to do with DHCP
servers used in the OAM network.

The following files will be modified:

/etc/init.d/inetsvc
/etc/rc2.d/S72inetsvc
with these blocks of script code removed:

if [ "$_INIT_NET_STRATEGY" = "dhcp" ]; then
    dnsdomain=`/sbin/dhcpinfo DNSdmain`
else
    dnsdomain=
fi

if [ -n "$dnsdomain" ]; then
    dnsservers=`/sbin/dhcpinfo DNSserv`
    if [ -n "$dnsservers" ]; then
        if [ -f /etc/resolv.conf ]; then
            /usr/bin/rm -f /tmp/resolv.conf.$$
            /usr/bin/sed -e '/^domain/d' -e '/^nameserver/d' \
                /etc/resolv.conf >/tmp/resolv.conf.$$
        fi
        echo "domain $dnsdomain" >>/tmp/resolv.conf.$$
        for name in $dnsservers; do
            echo nameserver $name >>/tmp/resolv.conf.$$
        done
    else
        if [ -f /etc/resolv.conf ]; then
            /usr/bin/rm -f /tmp/resolv.conf.$$
            /usr/bin/sed -e '/^domain/d' /etc/resolv.conf \
                >/tmp/resolv.conf.$$
        fi
        echo "domain $dnsdomain" >>/tmp/resolv.conf.$$
    fi
    #
    # Warning: The umask is 000 during boot, which requires explicit
    # setting of file permission modes when we create files.
    #
    /usr/bin/mv /tmp/resolv.conf.$$ /etc/resolv.conf
    /usr/bin/chmod 644 /etc/resolv.conf

    # Add dns to the nsswitch file, if it isn't already there.
    /usr/bin/rm -f /tmp/nsswitch.conf.$$
    /usr/bin/awk ' $1 ~ /^hosts:/ {
        n = split($0, a);
        newl = a[1];
        if ($0 !~ /dns/) {
            printf("#%s # Commented out by DHCP\n", $0);
            updated = 0;
            for (i = 2; i <= n; i++) {
                if (updated == 0 && index(a[i], "[") == 1) {
                    newl = newl" dns";
                    updated++;
                }
                newl = newl" "a[i];
            }
            if (updated == 0) {
                newl = newl" dns";
                updated++;
            }
            if (updated != 0)
                newl = newl" # Added by DHCP";
            else
                newl = $0;
            printf("%s\n", newl);
        } else
            printf("%s\n", $0);
    } $1 !~ /^hosts:/ { printf("%s\n", $0); }' /etc/nsswitch.conf \
        >/tmp/nsswitch.conf.$$

    /usr/bin/mv /tmp/nsswitch.conf.$$ /etc/nsswitch.conf
    /usr/bin/chmod 644 /etc/nsswitch.conf

elif grep '# Added by DHCP$' /etc/nsswitch.conf >/dev/null 2>&1; then
    # If we added DNS to a hosts line in the nsswitch, remove it.
    /usr/bin/rm -f /tmp/nsswitch.conf.$$
    /usr/bin/sed \
        -e '/# Added by DHCP$/d' \
        -e 's/^\(#hosts:\)\(.*[^#]\)\(#.*\)$/hosts: \2/' \
        /etc/nsswitch.conf >/tmp/nsswitch.conf.$$

    /usr/bin/mv /tmp/nsswitch.conf.$$ /etc/nsswitch.conf
    /usr/bin/chmod 644 /etc/nsswitch.conf
fi

if [ "$_INIT_NET_STRATEGY" = "dhcp" ]; then
    #
    # if DHCP doesn't return a hostname, use "unknown" so
    # client can resolve IP address into a local hostname.
    #
    hostname=`/sbin/dhcpinfo Hostname`
    if [ -z "$hostname" ]; then
        hostname="unknown"
    fi

    ipaddr=`/sbin/dhcpinfo Yiaddr`

    /usr/bin/rm -f /tmp/hosts.$$ /tmp/hosts_clear.$$

    # Delete any old lines added by dhcp.
    /usr/bin/sed -e '/# Added by DHCP$/d' /etc/inet/hosts \
        > /tmp/hosts_clear.$$

    shift $#    # Clear $0-9 first in case grep fails
    set -- `/usr/bin/grep "^[ ]*$ipaddr[ ]" \
        /tmp/hosts_clear.$$ 2>/dev/null`

    if [ $# -gt 0 ]; then
        #
        # IP address is already in the hosts file. Ensure the
        # associated hostname is the same as the Hostname
        # property returned by the DHCP server.
        #
        /usr/bin/sed -e "/^[ ]*${ipaddr}[ ]/s/${2}/${hostname}/" \
            /tmp/hosts_clear.$$ >/tmp/hosts.$$
    else
        #
        # IP address is missing from the hosts file. Now check
        # to see if the hostname is present with a different IP.
        #
        shift $#    # Clear $0-9 in case grep fails
        set -- `/usr/bin/grep -s -v '^#' /tmp/hosts_clear.$$ | \
            /usr/bin/egrep "[ ]${hostname}([ ]|$)"`

        if [ $# -gt 0 ]; then
            #
            # Hostname is present in the hosts file. Rewrite this
            # line to have the new IP address and the DHCP comment.
            #
            /usr/bin/sed -e "/^[ ]*${1}[ ]/d" \
                /tmp/hosts_clear.$$ >/tmp/hosts.$$

            shift   # Shift off $1 (the old IP)

            echo "$ipaddr $*\c" | /usr/bin/tr ' ' '\t' \
                >>/tmp/hosts.$$
            echo "\t# Added by DHCP" >>/tmp/hosts.$$
        else
            #
            # Hostname is not present in the hosts file.
            # Add a new line for the host at the end of
            # the new hosts file.
            #
            /usr/bin/mv /tmp/hosts_clear.$$ /tmp/hosts.$$
            echo "${ipaddr}\t${hostname}\t# Added by DHCP" \
                >>/tmp/hosts.$$
        fi
    fi

    # Update loopback transport hosts files
    for inet in /etc/net/*/hosts; do
        echo "# RPC hosts" > $inet
        echo "$hostname\t$hostname" >> $inet
        /usr/bin/chmod 644 $inet
    done

    /usr/bin/rm -f /tmp/hosts_clear.$$
    /usr/bin/mv /tmp/hosts.$$ /etc/inet/hosts
    /usr/bin/chmod 644 /etc/inet/hosts
fi

Disable multi-cast support


Multicast is a method used to send network data simultaneously to many systems with only a single
address. Unless the system must participate in a multicast application, Sun recommends disabling the code
that enables the multicast route assignment in /etc/init.d/inetsvc and /etc/rc2.d/S72inetsvc.

The following files will be modified:

/etc/init.d/inetsvc
/etc/rc2.d/S72inetsvc
with the following block of script code commented out:

#
# Add a static route for multicast packets out our default interface.
# The default interface is the interface that corresponds to the node name.
# Run in background subshell to avoid waiting for name service.
#

(
    if [ "$_INIT_NET_STRATEGY" = "dhcp" ]; then
        mcastif=`/sbin/dhcpinfo Yiaddr` || mcastif=$_INIT_UTS_NODENAME
    else
        mcastif=$_INIT_UTS_NODENAME
    fi

    echo "Setting default IPv4 interface for multicast:" \
        "add net 224.0/4: gateway $mcastif"

    /usr/sbin/route -n add -interface "224.0/4" "$mcastif" >/dev/null
) &

Add inetd logging to inetsvc


Sun recommends that on restricted-access servers all connections to services managed by inetd be
logged. This is done by adding an option to the inetd start-up line in /etc/rc2.d/S72inetsvc (the
same file as /etc/init.d/inetsvc, to which it is hard-linked). With the -t option, inetd traces
incoming connections to all of its TCP services, logging the client's IP address and port together
with the service name through the syslog service (daemon facility), so the remote logging set up in
Step 3 captures these records too.

The following files will be modified:

/etc/init.d/inetsvc
/etc/rc2.d/S72inetsvc
with the following line replacing the original line (the extra -t switch enables connection logging
for inetd). After the next reboot, confirm that the running inetd process shows -t in its argument
list:
/usr/sbin/inetd -s -t &

Clean Up password File


This activity removes all the well known system accounts that are not used. This minimizes the
chance of security breaches. The following account management files are modified:
/etc/passwd
/etc/shadow

The following default system accounts, which were created by Solaris at installation, can be removed
using the script given below:
uucp
nuucp
listen
lp
nobody4
smmsp (new in Solaris 9)

# use this script to remove unnecessary accounts
# (smmsp exists only on Solaris 9; on Solaris 8 passmgmt reports that
# the account does not exist, which can be ignored)
for user in uucp nuucp listen lp nobody4 smmsp
do
	/usr/sbin/passmgmt -d $user
done

Edit the password file and make /dev/null the shell for all accounts other than root and the users
authorized by the customer network security policy, and lock the password of each such account as
well (passwd -l), so that the shell change is not the only barrier. Shadow passwords are supported in
Solaris 8 and 9 and shall be used by default.

All unnecessary services and users should now have been disabled or removed.
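As an added check for this step (example code written for this edit, not part of the original Nortel procedure), the following script lists the accounts that can still log in after the clean-up: it joins a passwd file with its shadow file and reports every account that has a real login shell and whose shadow password field is not locked. It relies on the Solaris shadow(4) conventions that *LK* marks a locked account and NP marks an account with no usable password, and treats an empty password field as a finding rather than a lock. The passwd and shadow lines it ships with are constructed samples with placeholder hashes, not copied from any system.

```shell
#!/bin/sh
# Added example (not from the original guide): report accounts that can still
# log in, i.e. a real login shell in passwd AND an unlocked shadow entry.
# Solaris shadow(4): "*LK*" = locked, "NP" = no password (cannot log in),
# an empty field = no password REQUIRED (a finding, not a lock).

# live_accounts PASSWD SHADOW
# Prints "user:shell:password" or "user:shell:EMPTY-PASSWORD" for each
# account that is not locked and whose shell is not one of the no-login shells.
live_accounts() {
    awk -F: '
        FNR == NR { pw[$1] = $2; next }            # first file is SHADOW
        /^#/ || NF < 7 { next }                    # passwd comments / short lines
        {
            shell = ($7 == "") ? "/bin/sh" : $7      # empty shell field means /bin/sh
            if (shell == "/dev/null" || shell == "/bin/false" ||
                shell == "/usr/bin/false") next
            if (!($1 in pw)) next                    # no shadow entry: cannot log in
            if (pw[$1] ~ /^\*LK\*/ || pw[$1] == "NP") next
            print $1 ":" shell ":" (pw[$1] == "" ? "EMPTY-PASSWORD" : "password")
        }
    ' "$2" "$1"
}

# write_sample_files PASSWD SHADOW: constructed sample data for an offline run.
# The hashes are placeholders, not real password hashes.
write_sample_files() {
    cat > "$1" <<'EOF'
root:x:0:1:Super-User:/:/sbin/sh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
lp:x:71:8:Line Printer Admin:/usr/spool/lp:
nobody4:x:65534:65534:SunOS 4.x Nobody:/:
oper:x:100:10:Operator:/export/home/oper:/bin/ksh
legacy:x:101:10:Old application:/export/home/legacy:/dev/null
EOF
    cat > "$2" <<'EOF'
root:PLACEHOLDERHASH1:12345::::::
daemon:NP:6445::::::
bin:NP:6445::::::
lp::6445::::::
nobody4:NP:6445::::::
oper:PLACEHOLDERHASH2:12345::::::
legacy:PLACEHOLDERHASH3:12345::::::
EOF
}

# Usage: live_accounts.sh [PASSWD SHADOW]; with no arguments it runs on the
# constructed sample so the logic can be exercised off a Solaris host.
if [ $# -eq 2 ]; then
    live_accounts "$1" "$2"
else
    write_sample_files /tmp/passwd.sample.$$ /tmp/shadow.sample.$$
    live_accounts /tmp/passwd.sample.$$ /tmp/shadow.sample.$$
    rm -f /tmp/passwd.sample.$$ /tmp/shadow.sample.$$
fi
```

On a hardened host the expected output is root plus the explicitly authorized users only; every other line is an account that still has both a shell and a usable (or empty) password and needs the /dev/null shell and a passwd -l lock.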


Step 2: Setting Up Time Synchronization using NTP

System timekeeping can be done with either xntpd (the daemon) or ntpdate (a client). While the daemon
provides more functionality, it also presents more exposure: it listens on UDP port 123 at all times,
and it has had vulnerabilities, including a buffer overflow in xntpd. ntpdate, by contrast, is a
client that runs only when invoked, fetches the time of day from a pre-defined NTP server and exits.

Use ntpdate to set the system clock from the NTP server on the core network.

Run the following at boot time to set the time of day. Solaris does not ship an /etc/rc.local; if your
site does not have one, put the command in a script under /etc/init.d with a link from /etc/rc2.d, as
is done for nddconfig in Step 6 (ntpdate's -b option, which forces a step rather than a slew, is the
documented choice for a boot-time run):

/usr/sbin/ntpdate -s NTP_server_addr

The -s switch logs ntpdate's actions through the syslog facility rather than writing them to standard
output. For ongoing timekeeping the command can also be run from a cron job every hour on the hour
(the redirection only captures whatever still reaches standard output):

0 * * * * /usr/sbin/ntpdate -s NTP_server_addr >> /var/log/ntpdate.log

Note that ntpdate steps the clock whenever the offset exceeds 128 ms; an hourly step can confuse
time-sensitive applications and, for forensic purposes, leaves gaps or overlaps in log timestamps,
which the gradual adjustment of xntpd avoids. If xntpd must be used, please make sure it is the latest
patched version that is free of the known vulnerabilities. The latest xntpd vulnerability announced by
CERT affects Solaris 8. For more information please refer to this URL:
http://www.kb.cert.org/vuls/id/JSHA-53ZUEY


Step 3: Configuring Additional Logging

Syslogd provides both local and remote logging. It is able to send messages to a remote host running
syslogd. To forward messages to another host, prepend the hostname with the at sign (“@”).

For maximum security of the logging information, it is recommended that logs be sent to both the
local files and dedicated logging host. Make sure that the logging server is located within the same
protected management network because syslogd does not have access control and would be subject
to denial of service attacks if the server is exposed to the public network such as the Internet.

Do the following to expand on the default system logging function and make sure all authentication
errors are logged.

Add the following to /etc/syslog.conf to log the authentication messages to a local file and
everything, including the authentication messages, to the remote log server. Solaris syslogd requires
the selector and the action to be separated by one or more tab characters; a line with spaces between
the two columns is not recognized. Messages reach the remote host over UDP port 514 with no
authentication, which is why that host must be on the protected management network:

auth.info	/var/log/authlog
*.*	@remote_logging_host

Create /var/log/authlog:
touch /var/log/authlog
chown root /var/log/authlog
chmod 600 /var/log/authlog

Then restart syslogd, or send it a HUP signal as the newsyslog script in Appendix B does, so that it
re-reads syslog.conf.

Loginlog is a log of failed login attempts. It is not enabled by default; enable it by creating
/var/adm/loginlog owned by root, group sys, with read/write permission for the owner only (mode 600).
Once a session reaches the RETRIES limit (5 by default, see "Default Login" in Step 5), login writes
all of that session's attempts to loginlog, one "user:tty:time" line per attempt. With
SYSLOG_FAILED_LOGINS=0 from the same section, each individual failure is also reported through
syslog, so if you have followed the instructions in this document both records exist.

Inetd logs can be enabled by launching inetd with the –t option. If inetd logs are enabled, a log
entry is created every time an inetd service is requested. If you have followed the instructions
earlier in this document, inetd logging should be enabled.

Create a log rotation script to rotate these logs. A sample can be found in the /usr/lib/newsyslog file
and in Appendix B of this document. Modify the root crontab file to run this every day.
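The following is an added example for this edit, not part of the original guide: a small script that turns /var/adm/loginlog into an alert, counting failures per account and printing the accounts at or above a threshold, with an exit status that a cron job can act on. It assumes only the loginlog(4) record layout ("user:tty:time", colon separated; the time field itself contains colons, which is why only the first field is used). The log lines it ships with are constructed samples, not real log data.

```shell
#!/bin/sh
# Added example (not from the original guide): summarise /var/adm/loginlog
# and flag accounts that reach a failure threshold. loginlog(4) records one
# "user:tty:timestamp" line per failed attempt once login(1) gives up.

# loginlog_counts FILE: print "COUNT USER" per account, highest count first.
# Only $1 is used because the timestamp field contains colons of its own.
loginlog_counts() {
    awk -F: 'NF >= 3 { n[$1]++ } END { for (u in n) printf "%d %s\n", n[u], u }' "$1" |
        sort -rn
}

# loginlog_alert FILE THRESHOLD: print the accounts with COUNT >= THRESHOLD.
# Exit status 0 if at least one account is printed, 1 otherwise (cron-friendly).
loginlog_alert() {
    loginlog_counts "$1" |
        awk -v t="$2" '$1 >= t { print $2; hit = 1 } END { exit !hit }'
}

# write_sample_loginlog FILE: constructed sample entries (not real log data).
write_sample_loginlog() {
    cat > "$1" <<'EOF'
root:/dev/pts/3:Tue Dec 23 12:00:01 2003
root:/dev/pts/3:Tue Dec 23 12:00:05 2003
root:/dev/pts/3:Tue Dec 23 12:00:09 2003
oper:/dev/console:Tue Dec 23 12:10:44 2003
EOF
}

# Usage: loginlog_alert.sh [LOGINLOG [THRESHOLD]]; with no arguments it runs
# on the constructed sample so the logic can be exercised off a Solaris host.
if [ $# -ge 1 ]; then
    loginlog_alert "$1" "${2:-3}"
else
    write_sample_loginlog /tmp/loginlog.sample.$$
    loginlog_alert /tmp/loginlog.sample.$$ 3
    rm -f /tmp/loginlog.sample.$$
fi
```

Run it from root's crontab against /var/adm/loginlog just before the rotation script so that each report covers one rotation period; the file must exist with mode 600, owner root, group sys, or login will not write to it at all.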


Step 4: Fixing File Permissions

Solaris versions prior to Solaris 9 ship with file system permissions that need to be adjusted for
security reasons. With the release of Solaris 9, it is reported that this adjustment is no longer
necessary for the core Solaris OE packages. In Solaris 8 and older versions, many files and
directories have the group write bit set. In most instances, this permission is not necessary and
should be switched off.

Although file permission changes are not required for the core Solaris 9 packages, they may be
required for applications installed on top of the operating system. Consequently, you should monitor
permissions on all Solaris versions.

File permissions can be adjusted using a tool called fix-modes. It can be downloaded from:
http://www.sun.com/blueprints/tools or ftp://ftp.wins.uva.nl/pub/solaris/fix-modes.tar.gz

Please note that this tool is not supported by Sun. The fix-modes version available from sun.com is
precompiled while the version from uva.nl is not. If compilation is required, it must be performed on a
Solaris system with a C compiler. Once compiled, install the fix-modes files and execute it to correct
file system permissions. It is reported that this tool has been used in production environments with no
problems.

Be careful when installing patches and new packages. These may set permissions back to their
original state. Execute the fix-modes tool after installing any packages or patches.
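The following is an added example for this edit, not part of the original guide or of the fix-modes tool: a find(1)-based permission audit that reports group- or world-writable files and directories and setuid/setgid files, so that the state after a patch can be compared with a known-good baseline. It assumes only the standard find predicates (-perm with a leading minus, -mount to stay on one filesystem) present in both Solaris and GNU find.

```shell
#!/bin/sh
# Added example (not from the original guide): a find(1)-based permission
# audit to run after every patch or package install, where fix-modes is not
# available or to confirm what it did. Reports group/world-writable files and
# directories and setuid/setgid files under DIR, on DIR's filesystem only.

# audit_perms DIR: prints sorted "WRITABLE path" and "SETID path" lines.
# -perm -020 / -002: group / other write bit set; -4000 / -2000: setuid / setgid.
audit_perms() {
    {
        find "$1" -mount \( -type f -o -type d \) \
            \( -perm -020 -o -perm -002 \) -print | sed 's/^/WRITABLE /'
        find "$1" -mount -type f \( -perm -4000 -o -perm -2000 \) -print |
            sed 's/^/SETID /'
    } | sort
}

# Typical use: keep the report from a known-good build and diff against it.
#   audit_perms / > /var/adm/perms.baseline        (once, after hardening)
#   audit_perms / | diff /var/adm/perms.baseline -  (after each patch)
if [ $# -ge 1 ]; then
    audit_perms "$1"
fi
```

World-writable directories that carry the sticky bit (/tmp, /var/tmp) will appear in the WRITABLE list and are expected; every other WRITABLE entry, and every SETID entry that is not in the baseline, is something a patch or package changed and that needs a decision.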


Step 5: Other Miscellaneous Actions

Restrict crontab and at Jobs


The cron system executes commands at a specified future time. User submissions to the cron system are
handled by the crontab command; the at command does a similar job. Access to these commands should be
restricted. The access control files live in the /usr/lib/cron directory, which on Solaris is a
symbolic link to /etc/cron.d. The cron.deny and cron.allow files manage access to the cron system,
whereas the at.deny and at.allow files manage access to the at system.

The allow file is checked first. If it exists, only the accounts listed in it may use the system, and
the deny file is not consulted. If the allow file does not exist, the deny file is checked: an account
explicitly listed there is refused, and any other account is permitted. If neither the deny nor the
allow file exists, only the root account can use the at or cron system. Solaris ships cron.deny and
at.deny files containing some system accounts.

Please make sure that the /usr partition is mounted read/write before carrying out this step (the
/usr/lib/cron link itself is on /usr, although the files it points to are under /etc/cron.d on the
root filesystem). The following are the default crontab files created by the Solaris 8 and 9
installation process:

adm
lp
root
sys
uucp

They can be removed using these commands (root's crontab is kept). Note that cron keeps a copy of
every crontab in memory and is not told about files removed by hand, so either restart cron
afterwards or remove them with "crontab -r username" as root, which notifies cron:

cd /var/spool/cron/crontabs
rm adm lp sys uucp

The following default users are listed in both the cron.deny and at.deny files:
bin
daemon
smtp
nuucp
listen
nobody
noaccess
which means all other users are allowed to run the crontab and at commands. If you don’t have a
need for other users to run crontab and at jobs on the system, you should consider removing both
deny files, which will then allow only the root user to run those commands.
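To make the allow/deny precedence above verifiable before touching the live files, here is an added example (written for this edit, not part of the original guide) that implements the crontab(1) access decision as a shell function over an arbitrary directory. It assumes nothing beyond the three rules stated above; the directory and file contents used in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the original guide): the crontab(1)/at(1) access
# decision written out as a function, so the allow/deny precedence can be
# checked against a scratch directory instead of the live /etc/cron.d
# (which is what /usr/lib/cron points to on Solaris).
#
# cron_access USER DIR [PREFIX]
#   DIR holds PREFIX.allow and/or PREFIX.deny (PREFIX defaults to "cron";
#   use "at" for the at(1) files). Prints "allow" or "deny"; exit status
#   0 = allow, 1 = deny.
#   1. PREFIX.allow exists: only the users listed in it are allowed.
#   2. else PREFIX.deny exists: everyone not listed in it is allowed.
#   3. neither exists: only root is allowed.
cron_access() {
    user=$1; dir=$2; prefix=${3:-cron}
    allow="$dir/$prefix.allow"; deny="$dir/$prefix.deny"
    if [ -f "$allow" ]; then
        if grep "^${user}\$" "$allow" >/dev/null 2>&1; then echo allow; return 0; fi
        echo deny; return 1
    fi
    if [ -f "$deny" ]; then
        if grep "^${user}\$" "$deny" >/dev/null 2>&1; then echo deny; return 1; fi
        echo allow; return 0
    fi
    if [ "$user" = root ]; then echo allow; return 0; fi
    echo deny; return 1
}

# Usage: cron_access.sh USER [DIR] [PREFIX], e.g. "cron_access.sh oper /etc/cron.d at"
if [ $# -ge 1 ]; then
    cron_access "$1" "${2:-/etc/cron.d}" "${3:-cron}"
fi
```

Running it for each account in /etc/passwd against /etc/cron.d, once for "cron" and once for "at", gives the complete list of who may schedule jobs after the deny files have been removed; anything other than root in that list needs a justification.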

Message of the Day (motd)


Create the files /etc/motd and /etc/issue. A sample message is in Appendix D.

EEPROM Password
Turn on EEPROM security. You will be prompted for a password; assign one that is different from the
superuser password. In command mode this password is required to run any OpenBoot command at the ok
prompt other than booting from the default device and go; security-mode=full additionally requires
it to boot at all. Record the password where it can be recovered, because every hands-on maintenance
at the ok prompt will need it.

eeprom security-mode=command


In-bound FTP User Access Permission


In-bound ftp access for all well-known system accounts is disabled by default when Solaris 8 or 9 is
installed; this section is a check that the default has not been changed. On Solaris 9 the WU-FTPD
daemon reads /etc/ftpd/ftpusers, and /etc/ftpusers is kept only as a symbolic link to that file, so
the same content is seen through either path. Type the following command to display the content of
the /etc/ftpusers file:

cat /etc/ftpusers

If the output does not match the folllowing:


root
daemon
bin
sys
adm
lp
uucp
nuucp
listen
nobody
noaccess
nobody4

you can run the following script to recreate it. The script truncates the file in place rather than
removing it: on Solaris 9, rm followed by touch would replace the /etc/ftpusers link with an ordinary
file that in.ftpd ignores.

: > /etc/ftpusers
for user in root daemon bin sys adm \
	lp uucp nuucp listen nobody \
	noaccess nobody4
do
	echo $user >> /etc/ftpusers
done
chown root /etc/ftpusers
chgrp root /etc/ftpusers
chmod 600 /etc/ftpusers

The .rhost Support


Remove .rhosts (pam_rhosts_auth) support from /etc/pam.conf:
grep -v rhosts_auth /etc/pam.conf > /etc/pam.new
mv /etc/pam.new /etc/pam.conf
chown root /etc/pam.conf
chgrp sys /etc/pam.conf
chmod 644 /etc/pam.conf

This removes the rlogin and rsh entries that use pam_rhosts_auth.so.1. rlogin then falls through to
its password-based entry; rsh, which has no other auth entry, is left without a working authentication
stack and fails. Both in.rlogind and in.rshd should be disabled in /etc/inet/inetd.conf regardless.
Repeat the grep without -v afterwards to confirm that no rhosts_auth line is left.

Default Login
Edit the /etc/default/login file and uncomment (or add)
• the UMASK=022 line to set the initial shell file creation mode mask to 022.
• the CONSOLE=/dev/console line to restrict root logins to the console, which disables remote root
login (via telnet for example).
• the SUPATH=/usr/sbin:/usr/bin line to make sure root has a safe path.
• the RETRIES=5 line to allow only 5 failed logins per session; you can reduce it to, say, 3.
• the SYSLOG_FAILED_LOGINS=5 line and change 5 to 0 so that login reports every failed attempt
through syslog instead of only a session that reaches the limit.


Keyboard Abort (Stop-A)


Keyboard Abort is automatically disabled when BSM is enabled (bsmconv edits /etc/default/kbd). To
disable it manually, edit /etc/default/kbd, uncomment the KEYBOARD_ABORT entry and set it to
KEYBOARD_ABORT=disable; this blocks the Stop-A (break) sequence that drops the machine to the ok
prompt. The down side is that if the machine locks up, only a hard power cycle will recover it.
Solaris 8 and 9 also accept KEYBOARD_ABORT=alternate, which keeps a recovery path on the serial
console by replacing the plain break with the alternate break sequence (carriage return, tilde,
Ctrl-B); see kbd(1).

TCP Sequence Number


Edit the /etc/default/inetinit file and set TCP_STRONG_ISS=2 so that the system will use a better
algorithm to generate TCP sequence numbers.

Default Password Length


Set the minimum password length from 6 to 8 characters in /etc/default/passwd and the password
aging to 12 weeks (or to the values specified by the customer security policy requirements):
MAXWEEKS=12
MINWEEKS=10
PASSLENGTH=8

MINWEEKS is the time a user must keep a password before being allowed to change it again; with the
values above the change window is weeks 10 to 12, so set MINWEEKS well below MAXWEEKS if users are
expected to rotate passwords on their own. Note also that the traditional crypt used by Solaris 8
(and by Solaris 9 with its default algorithm) ignores characters beyond the eighth, so PASSLENGTH=8
is the largest value that buys anything.

Shadow Password
Shadow passwords are supported in Solaris 8 and 9 and shall be used by default. Please refer to the
Strong Password Guide provided by Nortel Networks.

Stack-smashing
Edit /etc/system and add the following. The settings take effect at the next reboot; they mark the
stack of 32-bit processes non-executable and log attempts to execute code from it (64-bit SPARC
processes already have a non-executable stack by default):

* Attempt to prevent and log stack-smashing attacks
set noexec_user_stack = 1
set noexec_user_stack_log = 1

TCP Wrapper and SSH


Install the TCP Wrapper binary tcpd in /usr/sbin from ftp://ftp.cert.org/pub/tools/tcp_wrappers. If
you must leave telnet and FTP on the system, put them behind the TCP Wrapper by replacing the server
program in their /etc/inet/inetd.conf entries with /usr/sbin/tcpd, with the original server as its
argument. Make sure the /etc/hosts.deny file contains the following uncommented entry only:
ALL:ALL

Make sure the /etc/hosts.allow file contains uncommented entries only for the hosts you want to grant
remote login access to. Example:
ALL: trusted_host1, trusted_ip1

It is recommended that SSH be used instead of telnet and FTP. SSH is shipped with Solaris 9 but not
with Solaris 8. For more information on purchasing a commercially available and supported SSH
solution, visit http://www.ssh.com. Or refer to OpenSSH for Solaris User Guide provided by Nortel
Networks for information on how to obtain, install, configure and use OpenSSH on Solaris 8.


Step 6: Enhance Solaris Network Security

Add Network Setting For Security


Two files will be created and individual commands will be added to them to set the network
parameters for security. ndd(1M) settings live only in the running kernel and are lost at reboot,
which is why they go into a run-control script; S70 runs after S69inet has configured the interfaces
and before S72inetsvc starts the network services. Create the first file by executing the following
command:

touch /etc/init.d/nddconfig
Create the second file by making a symbolic link to the first file:
ln -s /etc/init.d/nddconfig /etc/rc2.d/S70nddconfig

You may directly add the following commands into the first file using your favourite editor such as vi:
ndd -set /dev/arp arp_cleanup_interval 60000
ndd -set /dev/ip ip_forward_directed_broadcasts 0
ndd -set /dev/ip ip_forward_src_routed 0
ndd -set /dev/ip ip_ignore_redirect 1
ndd -set /dev/ip ip_ire_arp_interval 60000
ndd -set /dev/ip ip_respond_to_address_mask_broadcast 0
ndd -set /dev/ip ip_respond_to_echo_broadcast 0
ndd -set /dev/ip ip_respond_to_timestamp 0
ndd -set /dev/ip ip_respond_to_timestamp_broadcast 0
ndd -set /dev/ip ip_send_redirects 0
ndd -set /dev/ip ip_strict_dst_multihoming 1
ndd -set /dev/tcp tcp_conn_req_max_q0 4096
ndd -set /dev/tcp tcp_conn_req_max_q 1024
ndd -set /dev/tcp tcp_rev_src_routes 0
Or you may follow the steps outlined below to first understand what each command does and then add it to
the file.

Set arp_cleanup_interval
This option determines the period of time the Address Resolution Protocol (ARP) cache maintains entries.
ARP attacks may be effective with the default interval. Shortening the timeout interval should reduce the
effectiveness of such an attack. The system default value is 300000 milliseconds (5 minutes), and the new
setting is 60000 milliseconds (1 minute). Execute the following command to add this setting:

echo "ndd -set /dev/arp arp_cleanup_interval 60000" >> /etc/init.d/nddconfig

The ARP cleanup interval is set to 1 minute.

Set ip_forward_directed_broadcasts
This option determines whether to forward broadcast packets directed to a specific net or subnet, if that net
or subnet is directly connected to the machine. If the system is acting as a router, this option can be
exploited to generate a great deal of broadcast network traffic. Turning this option off will help prevent
broadcast traffic attacks. The system default value is 1 (true), and the new setting is 0 (false). Execute the
following command to add this setting:

echo "ndd -set /dev/ip ip_forward_directed_broadcasts 0" >> /etc/init.d/nddconfig

IP forward directed broadcasts will be disabled.


Set ip_forward_src_routed
This option determines whether to forward packets that are source routed. These packets define the path
the packet should take instead of allowing network routers to define the path. The system default value is 1
(true) and the new setting is 0. Execute the following command to add this setting:

echo "ndd -set /dev/ip ip_forward_src_routed 0" >> /etc/init.d/nddconfig

IP forward source routing will be disabled.

Set ip_ignore_redirect
This option determines whether to ignore Internet Control Message Protocol (ICMP) packets that define
new routes. If the system is acting as a router, an attacker may send redirect messages to alter routing
tables as part of sophisticated attack (man in the middle attack) or a simple denial of service. The system
default value is 0 (false), and the new setting is 1. Execute the following command to add this setting:

echo "ndd -set /dev/ip ip_ignore_redirect 1" >> /etc/init.d/nddconfig


ICMP packets that define new routes will be ignored.

Set ip_ire_arp_interval
This option sets how often the IP routing cache entries that were derived from ARP resolution are
flushed, even if they are currently in use, forcing the address mapping to be resolved again. ARP
attacks may be effective with the default interval; shortening it may reduce the effectiveness of
such attacks. The system default interval is 1200000 milliseconds (20 minutes), and the new setting
is 60000 milliseconds (1 minute). Execute the following command to add this setting:

echo "ndd -set /dev/ip ip_ire_arp_interval 60000" >> /etc/init.d/nddconfig

The IP_IRE_ARP interval will be set to 1 minute.

Set ip_respond_to_address_mask_broadcast
This options determines whether to respond to ICMP netmask requests which are typically sent by diskless
clients when booting. An attacker may use the netmask information for determining network topology or the
broadcast address for the subnet. The default value is 0 (false) and the new setting is 0 as well. Execute the
following command to add this setting:

echo "ndd -set /dev/ip ip_respond_to_address_mask_broadcast 0" >> /etc/init.d/nddconfig

The response to ICMP netmask requests will be disabled.

Set ip_respond_to_echo_broadcast
This option determines whether to respond to ICMP broadcast echo requests (ping). An attacker may try to
create a denial of service attack on subnets by sending many broadcast echo requests to which all systems
will respond. This also provides information on systems that are available on the network. The system
default value is 1 (true), and the new setting is 0. Execute the following command to add this setting:

echo "ndd -set /dev/ip ip_respond_to_echo_broadcast 0" >> /etc/init.d/nddconfig

The response to ICMP broadcast echo requests (ping) will be disabled.

Set ip_respond_to_timestamp
This option determines whether to respond to ICMP timestamp requests, which some systems use to
discover the time on a remote system. An attacker may use the time information to schedule an attack
for a period when the system runs a cron job (or other time-based event) or is otherwise busy. It may
also be possible to predict ID or sequence numbers that are based on the time of day for spoofing
services. The system default value is 1 (true), and the new setting is 0. Execute the following
command to add this setting:

echo "ndd -set /dev/ip ip_respond_to_timestamp 0" >> /etc/init.d/nddconfig

The response to ICMP timestamp requests will be disabled.

Set ip_respond_to_timestamp_broadcast
This option determines whether to respond to ICMP broadcast timestamp requests which are used to
discover the time on all systems in the broadcast range. This option is dangerous for the same reasons as
responding to a single timestamp request. Additionally, an attacker may try to create a denial of service
attack by generating many broadcast timestamp requests. The default value is 1 (true), and the new setting
is 0. Execute the following command to add this setting:

echo "ndd -set /dev/ip ip_respond_to_timestamp_broadcast 0" >> /etc/init.d/nddconfig

The response to ICMP broadcast timestamp requests will be disabled.

Set ip_send_redirects
This option determines whether to send ICMP redirect messages which can introduce changes into remote
system's routing table. It should only be used on systems that act as routers. The system default value is 1
(true), and the new setting is 0. Execute the following command to add this setting:

echo "ndd -set /dev/ip ip_send_redirects 0" >> /etc/init.d/nddconfig


ICMP redirect messages will be disabled.

Set ip_strict_dst_multihoming
This option determines whether to enable strict destination multihoming. If this is set to 1 and
ip_forwarding is set to 0, a packet that arrives on one interface but is addressed to the IP address
of a different interface on the same machine is dropped instead of being accepted. This prevents an
attacker from reaching a service bound to an internal interface by sending to that address through
an external interface of a multihomed machine that is not acting as a router. The system default
value is 0 (false), and the new setting is 1. Execute the following command to add this setting:

echo "ndd -set /dev/ip ip_strict_dst_multihoming 1" >> /etc/init.d/nddconfig

Strict destination multihoming will be enabled.

Set tcp_conn_req_max_q0
This option sets the size of the queue holding half-open connections (SYN received, handshake not yet
completed). This queue is part of the protection mechanism against SYN flood attacks. The queue size
default is adequate for most systems but should be increased for busy servers. The system default
value is 1024, and the new setting is 4096. Execute the following command to add this setting:

echo "ndd -set /dev/tcp tcp_conn_req_max_q0 4096" >> /etc/init.d/nddconfig

The size of the queue containing unestablished connections will be increased to 4096.

Set tcp_conn_req_max_q
This option sets the maximum number fully established connections. Increasing the size of this queue
provides some limited protection against resource consumption attacks. The queue size default is adequate
for most systems but should be increased for busy servers. The system default value is 128, and the new
setting is 1024. Execute the following command to add this setting:


echo "ndd -set /dev/tcp tcp_conn_req_max_q 1024" >> /etc/init.d/nddconfig

The maximum number of fully established connections will be increased to 1024.

Set tcp_rev_src_routes
This option determines whether the specified route in a source routed packet will be used in returned
packets. TCP source routed packets may be used in spoofing attacks, so the reverse route should not be
used. The default value is 0 (false), and the new setting is 0 as well. Execute the following command to add
this setting:

echo "ndd -set /dev/tcp tcp_rev_src_routes 0" >> /etc/init.d/nddconfig


The specified route in a source routed packet will not be used in returned packets.
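Because ndd settings are not persistent, the useful check after a reboot is whether the values in /etc/init.d/nddconfig are actually in effect. The following is an added example for this edit, not part of the original guide: it parses an nddconfig-style file, queries each parameter with "ndd -get" and reports any mismatch. It assumes the file holds one "ndd -set DRIVER PARAM VALUE" command per line as built above; the stub_ndd function and the sample file are constructed so that the logic can be exercised on a host without ndd (the stub deliberately answers 1 for ip_forward_src_routed to show a mismatch).

```shell
#!/bin/sh
# Added example (not from the original guide): verify that every setting in
# an nddconfig-style file is actually in effect on the running kernel.
# ndd(1M) values are not persistent, so this is the check to run after a
# reboot, or after a patch that may have replaced the rc script.

NDD=${NDD:-/usr/sbin/ndd}   # point this at a stub when not on Solaris

# audit_nddconfig FILE
# For each "ndd -set DRIVER PARAM VALUE" line in FILE, read the live value
# with "ndd -get" and print one MISMATCH line if it differs. Comment and
# blank lines are skipped. Exit status = number of mismatches.
audit_nddconfig() {
    mismatches=0
    while read cmd op driver param value; do
        case "$cmd" in
            ndd|/usr/sbin/ndd) ;;
            *) continue ;;
        esac
        [ "$op" = "-set" ] || continue
        current=`$NDD -get "$driver" "$param" 2>/dev/null`
        if [ "$current" != "$value" ]; then
            echo "MISMATCH $driver $param expected=$value current=${current:-unreadable}"
            mismatches=`expr $mismatches + 1`
        fi
    done < "$1"
    return $mismatches
}

# stub_ndd: stand-in for ndd so the audit can be exercised off a Solaris host.
# It answers "-get DRIVER PARAM" from a constructed table in which
# ip_forward_src_routed was deliberately left at its default of 1.
stub_ndd() {
    [ "$1" = "-get" ] || return 1
    case "$2 $3" in
        "/dev/arp arp_cleanup_interval")     echo 60000 ;;
        "/dev/ip ip_forward_src_routed")     echo 1 ;;
        "/dev/ip ip_strict_dst_multihoming") echo 1 ;;
        "/dev/tcp tcp_conn_req_max_q0")      echo 4096 ;;
        *) return 1 ;;
    esac
}

# write_sample_nddconfig FILE: a constructed four-setting nddconfig.
write_sample_nddconfig() {
    cat > "$1" <<'EOF'
# constructed sample, not a copy of a production /etc/init.d/nddconfig
ndd -set /dev/arp arp_cleanup_interval 60000
ndd -set /dev/ip ip_forward_src_routed 0
ndd -set /dev/ip ip_strict_dst_multihoming 1
ndd -set /dev/tcp tcp_conn_req_max_q0 4096
EOF
}

# Usage: audit_nddconfig.sh [FILE]; defaults to /etc/init.d/nddconfig.
# Without a real ndd the constructed sample is audited against the stub.
if [ -x "$NDD" ]; then
    audit_nddconfig "${1:-/etc/init.d/nddconfig}"
else
    NDD=stub_ndd
    write_sample_nddconfig /tmp/nddconfig.sample.$$
    audit_nddconfig /tmp/nddconfig.sample.$$
    echo "mismatches: $?"
    rm -f /tmp/nddconfig.sample.$$
fi
```

A non-zero exit status after boot means either that S70nddconfig did not run (check the link and the script's ownership) or that something later in the boot sequence reset the parameter; the MISMATCH line names the parameter so the culprit can be found in the other rc scripts.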


Step 7: File System Lockdown


After you have installed and configured all the necessary software on your system, you may want to
make sure that no one can modify them. You may also want to prevent rogue setuid programs from
showing up. In order to do that, you can modify the /etc/vfstab file and set the appropriate flags.

Edit the /etc/vfstab file

vi /etc/vfstab

Mount /usr as read-only.

Mount other non-root ufs filesystems with nosuid.

The final vfstab file should look like the example below. The last column is the area of interest.
Sample /etc/vfstab
/dev/dsk/c0t0d0s3 - - swap - no -
/dev/dsk/c0t0d0s0 /dev/rdsk/c0t0d0s0 / ufs 1 no -
/dev/dsk/c0t0d0s6 /dev/rdsk/c0t0d0s6 /usr ufs 1 no ro
/dev/dsk/c0t0d0s1 /dev/rdsk/c0t0d0s1 /var ufs 1 no nosuid
/dev/dsk/c0t0d0s7 /dev/rdsk/c0t0d0s7 /extra ufs 2 yes nosuid
/dev/dsk/c0t0d0s5 /dev/rdsk/c0t0d0s5 /opt ufs 2 yes nosuid

If your partitions for binaries, variable data and user space differ from the above example, it is
recommended that you mount the binaries partition(s) read-only and mount every other non-root
filesystem with nosuid. Only / itself is left without ro or nosuid.

Please make sure you have double checked everything at this point. Once you finish here, you will
reboot to verify everything. If you have not added all your components properly, you will not easily
be able to make changes: you will have to remount your binaries partition read-write (mount with the
remount and rw options), make the change, and then reboot, because a UFS filesystem cannot be
remounted back to read-only. The same applies to patch installation, which writes to /usr.
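As an added check before that reboot (example code written for this edit, not part of the original guide), the following script audits a vfstab against the two rules of this step: /usr must carry ro, and every other ufs filesystem except / must carry nosuid. It assumes the standard seven-column vfstab layout shown in the sample above; the sample tables it writes are constructed from that example (the "default" variant has no mount options, as a freshly installed system would).

```shell
#!/bin/sh
# Added example (not from the original guide): check a vfstab against the
# rules of this step before rebooting: /usr must be mounted "ro" and every
# other ufs filesystem except / must carry "nosuid". Prints one line per
# violation; the exit status is the number of violations.

# audit_vfstab FILE
audit_vfstab() {
    awk '
        function has(list, o,   n, a, i) {      # is option o in the comma list?
            n = split(list, a, ",")
            for (i = 1; i <= n; i++) if (a[i] == o) return 1
            return 0
        }
        /^#/ || NF < 7 { next }                  # comments, blank and short lines
        $4 != "ufs"    { next }                  # swap, nfs, proc etc. are out of scope
        {
            mnt = $3; opts = $7
            if (mnt == "/") next                 # / can be neither ro nor nosuid
            if (mnt == "/usr") {
                if (!has(opts, "ro")) { print "/usr is not read-only (options: " opts ")"; bad++ }
            } else if (!has(opts, "nosuid")) {
                print mnt " lacks nosuid (options: " opts ")"; bad++
            }
        }
        END { exit bad + 0 }
    ' "$1"
}

# write_sample_vfstab FILE hardened|default: constructed sample tables.
# "hardened" is the example from this step; "default" has no mount options.
write_sample_vfstab() {
    if [ "$2" = hardened ]; then usr=ro; other=nosuid; else usr=-; other=-; fi
    cat > "$1" <<EOF
#device            device             mount  FS   fsck mount   mount
#to mount          to fsck            point  type pass at boot options
/dev/dsk/c0t0d0s3  -                  -      swap -    no      -
/dev/dsk/c0t0d0s0  /dev/rdsk/c0t0d0s0 /      ufs  1    no      -
/dev/dsk/c0t0d0s6  /dev/rdsk/c0t0d0s6 /usr   ufs  1    no      $usr
/dev/dsk/c0t0d0s1  /dev/rdsk/c0t0d0s1 /var   ufs  1    no      $other
/dev/dsk/c0t0d0s7  /dev/rdsk/c0t0d0s7 /extra ufs  2    yes     $other
/dev/dsk/c0t0d0s5  /dev/rdsk/c0t0d0s5 /opt   ufs  2    yes     $other
EOF
}

# Usage: audit_vfstab.sh [VFSTAB]; defaults to /etc/vfstab when it exists,
# otherwise to the constructed default sample (which fails on purpose).
if [ $# -ge 1 ]; then
    audit_vfstab "$1"
elif [ -r /etc/vfstab ]; then
    audit_vfstab /etc/vfstab
else
    write_sample_vfstab /tmp/vfstab.sample.$$ default
    audit_vfstab /tmp/vfstab.sample.$$
    rm -f /tmp/vfstab.sample.$$
fi
```

The check looks only at the vfstab, not at what is mounted; after the reboot, compare it with the output of mount to confirm that the options took effect, since an option misspelled in the vfstab is silently rejected at mount time.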

There are third party applications that can be used to monitor your file system. But it’s beyond the
scope of this hardening guide to discuss and evaluate them.


Step 8: Vulnerability Testing and Patching

Please visit http://netsec.ca.nortel.com for the Threat and Risk Assessment Program and the Security
Advisory Task Force (SATF) triage process of handling vulnerability advisories and patches.


Appendix A: Replacement /etc/init.d/inetsvc script


#!/bin/sh
#
# Copyright (c) 1995, by Sun Microsystems, Inc.
# All Rights Reserved
#
#ident "@(#)inetsvc 1.16 97/04/17 SMI"
#

#
# Re-set the netmask and broadcast addr for all IP interfaces. This
# ifconfig is run here, after NIS has been started, so that "netmask
# +" will find the netmask if it lives in a NIS map.
# The 'D' in -auD tells ifconfig NOT to mess with the interface
# if it is under DHCP control
#

/usr/sbin/ifconfig -auD netmask + broadcast +

#
# If this machine is configured to be an Internet Domain Name
# System (DNS) server, run the name daemon.
# Start named prior to: route add net host, to avoid dns
# gethostbyname timeout delay for nameserver during boot.
#

if [ -f /usr/sbin/in.named -a -f /etc/named.boot ]; then
	/usr/sbin/in.named; echo "starting internet domain name server."
fi

#
# Multicast route assignment commented out, as described in the
# "Disable multicast support" section of this guide.
#
#mcastif=`uname -n`
#echo "Setting default interface for multicast: \c"
#/usr/sbin/route add -interface -netmask "240.0.0.0" "224.0.0.0" "$mcastif"

#
# Run inetd in "standalone" mode (-s flag) so that it doesn't have
# to submit to the will of SAF. Why did we ever let them change inetd?
#
# inetd is deliberately NOT started by this replacement script. If any
# inetd service must remain, start it with connection logging as in the
# "Add inetd logging to inetsvc" section: /usr/sbin/inetd -s -t &
#

#/usr/sbin/inetd -s


Appendix B: Sample newsyslog script


#! /bin/sh
#
# Copyright(c) 1997, by Sun Microsystems, Inc.
# All rights reserved.
#
#ident "@(#)newsyslog 1.3 97/03/31 SMI"
#
# Rotates /var/adm/messages (4 generations) and /var/log/syslog
# (8 generations), then signals syslogd to reopen its files.
# To rotate /var/log/authlog and /var/adm/loginlog as Step 3 asks,
# repeat the LOGDIR/LOG block below for each of them before the HUP.
#
LOG=messages
cd /var/adm
test -f $LOG.2 && mv $LOG.2 $LOG.3
test -f $LOG.1 && mv $LOG.1 $LOG.2
test -f $LOG.0 && mv $LOG.0 $LOG.1
mv $LOG $LOG.0
cp /dev/null $LOG
chmod 644 $LOG
#
LOGDIR=/var/log
LOG=syslog
if test -d $LOGDIR
then
	cd $LOGDIR
	if test -s $LOG
	then
		test -f $LOG.6 && mv $LOG.6 $LOG.7
		test -f $LOG.5 && mv $LOG.5 $LOG.6
		test -f $LOG.4 && mv $LOG.4 $LOG.5
		test -f $LOG.3 && mv $LOG.3 $LOG.4
		test -f $LOG.2 && mv $LOG.2 $LOG.3
		test -f $LOG.1 && mv $LOG.1 $LOG.2
		test -f $LOG.0 && mv $LOG.0 $LOG.1
		mv $LOG $LOG.0
		cp /dev/null $LOG
		chmod 644 $LOG
		sleep 40
	fi
fi
#
# Make syslogd close and reopen its log files.
kill -HUP `cat /etc/syslog.pid`


Appendix C: Minimal sendmail configuration file


# Minimal client sendmail.cf

### Defined macros

# The name of the mail hub - PUT APPROPRIATE HOSTNAME FOR YOUR SITE HERE!!!
DRmailhost

# Define version
V8

# Whom errors should appear to be from
DnMailer-Daemon

# Formatting of the UNIX from line
DlFrom $g $d

# Separators
Do.:%@!^=/[]

# Format of the sender's address
Dq<$g>

# Spool directory
OQ/usr/spool/mqueue

### Mailer Delivery Agents

# Mailer to forward mail to the hub machine
Mhub, P=[IPC], F=mDFMuCX, S=0, R=0, A=IPC $h
# Sendmail requires these, but they are not used
Mlocal, P=/dev/null, F=rlsDFMmnuP, S=0, R=0, A=/dev/null
Mprog, P=/dev/null, F=lsDFMeuP, S=0, R=0, A=/dev/null

### Rule sets -- WHITESPACE BETWEEN COLUMNS MUST BE TABS!!!
### (the tabs do not survive copying from this document; retype them)

S0
R@$+            $#error $: Missing user name
R$+             $#hub $@$R $:$1         forward to hub
S3
R$*<>$*         $n                      handle <> error address
R$*<$*>$*       $2                      basic RFC822 parsing


Appendix D: Sample /etc/issue and /etc/motd file


This system is for the use of authorized users only. Individuals using this
computer system without authority, or in excess of their authority, are subject to
having all of their activities on this system monitored and recorded by system
personnel.

In the course of monitoring individuals improperly using this system, or in the
course of system maintenance, the activities of authorized users may also be
monitored.

Anyone using this system expressly consents to such monitoring and is advised that
if such monitoring reveals possible evidence of criminal activity, system personnel
may provide the evidence of such monitoring to law enforcement officials.


Appendix E: TCP Wrapper generic configuration file


vi /etc/hosts.allow
#
# Only allow access from the management network. Explicit
# deny policy in /etc/hosts.deny
#
# The daemon field is matched against the process name (the basename
# of argv[0], which is "sshd" for OpenSSH), not against the full path
# of the binary. OpenSSH consults these files only when it was built
# with tcp_wrappers support (configure --with-tcp-wrappers).
#
# The IP addresses allocated from the management network
sshd: 172.16.1.0/255.255.255.0

vi /etc/hosts.deny
#
# Explicitly deny access from all stations except those
# that match the allow rule in /etc/hosts.allow
#
ALL : ALL


Appendix F: Security Script


Please note that the following script is included here for illustration purposes only.

###################################################################
#Please Set the following variables
#LOGFILE is the location of the logfile $0 will contain the name of the script
LOGFILE=/SECURITY/$0.log
#NEWFILE is the location of the files changed by this script.
#The files that should be in the NEWFILES directory are:
#new_inetd.conf, new_inetsvc, new_login, new_passwd and new_syslog.conf
NEWFILES=/SECURITY
#
#Section 1#########################################################
#
echo WARNING... This script is intended to be executed on a
echo newly installed Solaris operating system and is not
echo designed to be executed more than once on the same server.
echo
echo Please abort now with CTRL-C if this is not the case
echo
echo Execution will resume in 15 seconds
sleep 15
echo running $0 at `date` | tee -a $LOGFILE
echo logfile is $LOGFILE | tee -a $LOGFILE
echo new files are stored in $NEWFILES | tee -a $LOGFILE
#
#Section 2#########################################################
#This section enables the basic security module(BSM). BSM is needed
#by the auditing applications. Also in this section, we configure
#auditing for administrative and login/logout attempts for the root
#user.
#
echo installing basic security module | tee -a $LOGFILE
echo y > y
/etc/security/bsmconv < y | tee -a $LOGFILE
#bsmconv takes effect at the next reboot; it also sets KEYBOARD_ABORT=disable
cp /etc/security/audit_user /etc/security/audit_user.orig
sed s/root:lo:no/root:ad,lo:no/g /etc/security/audit_user > /etc/security/audit_user.new
mv /etc/security/audit_user.new /etc/security/audit_user
chown root:sys /etc/security/audit_user
chmod 644 /etc/security/audit_user   #data file, no execute bits (was 655)
#
#Section 3########################################################
#This section sets the appropriate umask value in startup script for
#each startup directory to make sure that all the services are started
#with the appropriate file permissions.
#
#echo starting the system deamons with appropriate umask value | tee -a $LOGFILE
echo 'umask 022' > /etc/init.d/umask.sh

chmod 744 /etc/init.d/umask.sh
for dir in /etc/rc?.d
do
ln -s /etc/init.d/umask.sh $dir/S00umask.sh
echo ln -s /etc/init.d/umask.sh $dir/S00umask.sh | tee -a $LOGFILE
done
#Section 4##########################################################
#This section removes all unused services from the rc2.d and rc3.d
#startup directories. The services are renamed so that they wont be
#executed on startup.
#
echo Removing unused services from startup directories | tee -a $LOGFILE
cd /etc/rc2.d
echo Removing from /etc/rc2.d ... | tee -a $LOGFILE
SERVICES_TO_REMOVE='*nfs* *perf *asppp *auto* *xntpd *lp *spc *power *sendmail
*bdconfig *sysid.net *nscd *cacheos.finish *uucp *PRESERVE *sysid.sys *cachefs.daemon'
for file in $SERVICES_TO_REMOVE
do
mv $file .NO$file
echo renaming $file to .NO$file in RC2 | tee -a $LOGFILE
done
echo Removing from /etc/rc3.d ... | tee -a $LOGFILE
cd /etc/rc3.d
for file in *nfs.server *dmi *snmpdx
do
mv $file .NO$file
echo renaming $file to .NO$file in RC3 | tee -a $LOGFILE
done
#
#Section 5##########################################################
#This section replaces the inetd.conf file with a new one (where all
#services have been commented out). Also, the inetsvc file is
#replaced with a more secure version (Appendix A).
#
echo Replacing inetd.conf with new version | tee -a $LOGFILE
mv /etc/inet/inetd.conf /etc/inet/inetd.conf.orig
cp $NEWFILES/new_inetd.conf /etc/inet/inetd.conf
chmod 444 /etc/inet/inetd.conf
echo Installing a replacement /etc/init.d/inetsvc file | tee -a $LOGFILE
cp /etc/init.d/inetsvc /etc/init.d/inetsvc.orig
cp $NEWFILES/new_inetsvc /etc/init.d/inetsvc
chmod 744 /etc/init.d/inetsvc
#/etc/rc2.d/S72inetsvc is already a hard link to /etc/init.d/inetsvc, so the
#cp above (which rewrites the existing inode) updated it as well; the ln
#below then reports "File exists", which is harmless.
ln /etc/init.d/inetsvc /etc/rc2.d/S72inetsvc
#
#Section 6##########################################################
#This section renames several configuration files used by NFS. If
#NFS is not used, best practice is to remove all related config files.
#We rename these files until we are sure we want to remove them.
#
echo moving /etc/auto_master to /etc/.auto_master.orig | tee -a $LOGFILE
mv /etc/auto_master /etc/.auto_master.orig

echo moving /etc/auto_home to /etc/.auto_home.orig | tee -a $LOGFILE


mv /etc/auto_home /etc/.auto_home.orig
echo moving /etc/dfs/dfstab to /etc/dfs/.dfstab.orig | tee -a $LOGFILE
mv /etc/dfs/dfstab /etc/dfs/.dfstab.orig
#
#Section 7#########################################################
#This section removes all unused users from the passwd and shadow
#files. Several users exist in a default Solaris installation and most
#are not needed in our Wireless OAM context.
#
echo removing unused users from passwd file | tee -a $LOGFILE
for user in uucp nuucp adm lp smtp listen
do
/usr/sbin/passmgmt -d $user
echo /usr/sbin/passmgmt -d $user | tee -a $LOGFILE
done
#
#Section 8###########################################################
#This section removes the crontab entries for all users that don't need
#to have scheduled jobs. This is UNIX best practice.
#
echo Renaming crontab files for default users other than root | tee -a $LOGFILE
cd /var/spool/cron/crontabs
for files in adm lp sys uucp
do
mv $files .$files.orig
echo moving $files to .$files.orig | tee -a $LOGFILE
done
#
#Section 9###########################################################
#Should telnet not be disabled on all servers, ftp should be disallowed
#for all normal accounts and must be disallowed for the root user.
#Placing the usernames in the ftpusers file disallows ftp for
#those users. Also, the .netrc file is used to provide login credentials
#for a specific host (e.g. host1) so that when a user ftp's to host1, the
#login credentials provided in the .netrc file will be used.
#We are locking all .netrc files by creating them as root with no
#write permissions.
#
echo Disallowing ftp for all default users... | tee -a $LOGFILE
cut -f1 -d: /etc/passwd >> /etc/ftpusers
chown root:root /etc/ftpusers
chmod 600 /etc/ftpusers
echo more /etc/ftpusers | tee -a $LOGFILE
more /etc/ftpusers | tee -a $LOGFILE
echo locking down all .netrc files | tee -a $LOGFILE
for users in `cut -f6 -d: /etc/passwd`
do
# skip accounts whose home directory does not exist, so the lock file is
# never created in whatever directory the previous iteration left us in
[ -d "$users" ] || continue
cd "$users" || continue
touch ./.netrc
chmod 000 ./.netrc
echo locking down .netrc file in $users | tee -a $LOGFILE
done
#
#Section 10##########################################################
#This section disables remote authentication in the pam.conf file.
#Also, we are locking down the hosts.equiv file and all the .rhosts.
#IMPORTANT: We have not tested this with NSP but from my experience
#with INM and PresideAP, we used the .rhosts files for remote launch.
#NSP installation might hiccup when trying to write to a locked file.
#
echo Disabling remote authentication from pam.conf | tee -a $LOGFILE
cp /etc/pam.conf /etc/pam.conf.orig
grep -v rhosts_auth /etc/pam.conf > /etc/pam.new
mv /etc/pam.new /etc/pam.conf
chown root:sys /etc/pam.conf
chmod 644 /etc/pam.conf
echo locking down hosts.equiv and .rhosts for all users | tee -a $LOGFILE
touch /etc/hosts.equiv
chmod 000 /etc/hosts.equiv
for users in `cut -f6 -d: /etc/passwd`
do
# skip accounts whose home directory does not exist (see the .netrc loop above)
[ -d "$users" ] || continue
cd "$users" || continue
touch .rhosts
chmod 000 .rhosts
echo locking down .rhosts in $users | tee -a $LOGFILE
done
#
#Section 11###########################################################
#This section replaces the /etc/default/login file. The new file ensures
#that CONSOLE is set so that users can only log in directly as root
#when on the console. SUPATH is set to ensure a safe PATH for the
#root user. UMASK is set to 022 to ensure a proper shell file creation
#mode mask.
#
echo Replacing /etc/default/login file with new version | tee -a $LOGFILE
cp /etc/default/login /etc/default/login.orig
cp $NEWFILES/new_login /etc/default/login
chown root:sys /etc/default/login
chmod 444 /etc/default/login
#
#Section 12###########################################################
#This section disables keyboard abort. Keyboard abort is enabled
#by default and a user can halt the server by entering the <stop-a>
#sequence on the console's keyboard. This can be done inadvertently or
#on purpose and could cause a network outage in the case of DNS, DHCP or
#RADIUS servers.
#
echo Disabling stop-a | tee -a $LOGFILE
cp /etc/default/kbd /etc/default/kbd.orig
# kbd(1) accepts enable, disable or alternate as the KEYBOARD_ABORT value
sed s/#KEYBOARD_ABORT=enable/KEYBOARD_ABORT=disable/g /etc/default/kbd > /etc/default/kbd.new
mv /etc/default/kbd.new /etc/default/kbd
chown root:sys /etc/default/kbd
chmod 444 /etc/default/kbd
#
#Section 13###########################################################
#This section sets networking parameters as recommended by Sun for
#security. For more details on each of these parameters, see Solaris™
#Operating Environment Security, Updated for Solaris 8 Operating
#Environment, Sun BluePrints™ OnLine
#
echo Setting TCP_STRONG_ISS=2 | tee -a $LOGFILE
cp /etc/default/inetinit /etc/default/inetinit.orig
sed s/TCP_STRONG_ISS=1/TCP_STRONG_ISS=2/g /etc/default/inetinit > /etc/default/inetinit.new
mv /etc/default/inetinit.new /etc/default/inetinit
chown root:sys /etc/default/inetinit
chmod 444 /etc/default/inetinit
echo appending tuning parameters to the end of the /etc/init.d/inetinit file | tee -a $LOGFILE
echo 'ndd -set /dev/tcp tcp_conn_req_max_q0 4096' >> /etc/init.d/inetinit
echo 'ndd -set /dev/tcp tcp_conn_req_max_q 1024' >> /etc/init.d/inetinit
echo 'ndd -set /dev/ip ip_ignore_redirect 1' >> /etc/init.d/inetinit
echo 'ndd -set /dev/ip ip_send_redirects 0' >> /etc/init.d/inetinit
echo 'ndd -set /dev/ip ip_ire_flush_interval 60000' >> /etc/init.d/inetinit
echo 'ndd -set /dev/arp arp_cleanup_interval 60000' >> /etc/init.d/inetinit
echo 'ndd -set /dev/ip ip_forward_directed_broadcasts 0' >> /etc/init.d/inetinit
echo 'ndd -set /dev/ip ip_forward_src_routed 0' >> /etc/init.d/inetinit
echo 'ndd -set /dev/ip ip_forwarding 0' >> /etc/init.d/inetinit
echo 'ndd -set /dev/ip ip_strict_dst_multihoming 1' >> /etc/init.d/inetinit
grep ndd /etc/init.d/inetinit | tee -a $LOGFILE
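An audit check for the Section 13 settings, added here as an example and not part of the Nortel script: it reads an inetinit file and reports each of the ndd parameters above that is absent or set to a different value, ignoring commented-out lines and honouring the last assignment as the boot script would. The sample fragment and temp file names are constructed for the example.

```shell
# Added audit helper, not part of the Nortel script: check that an inetinit file carries
# the ndd settings Section 13 appends. Only uncommented "ndd -set" lines count; last wins.
EXPECTED_NDD='/dev/tcp tcp_conn_req_max_q0 4096
/dev/tcp tcp_conn_req_max_q 1024
/dev/ip ip_ignore_redirect 1
/dev/ip ip_send_redirects 0
/dev/ip ip_ire_flush_interval 60000
/dev/arp arp_cleanup_interval 60000
/dev/ip ip_forward_directed_broadcasts 0
/dev/ip ip_forward_src_routed 0
/dev/ip ip_forwarding 0
/dev/ip ip_strict_dst_multihoming 1'
# effective_ndd FILE DEV PARAM: print the value of the last active
# "ndd -set DEV PARAM value" line in FILE (ndd may carry a path), or nothing.
effective_ndd() {
    grep -v '^[[:space:]]*#' "$1" | awk -v d="$2" -v p="$3" \
        '$1 ~ /(^|\/)ndd$/ && $2 == "-set" && $3 == d && $4 == p { v = $5 }
         END { if (v != "") print v }'
}
# audit_inetinit FILE: print one MISSING or MISMATCH line per deviation from
# EXPECTED_NDD; return 0 only when every setting is present with the right value.
audit_inetinit() {
    findings=0
    while read dev param want; do
        have=$(effective_ndd "$1" "$dev" "$param")
        if [ -z "$have" ]; then
            echo "MISSING $param (expected $want)"; findings=$((findings + 1))
        elif [ "$have" != "$want" ]; then
            echo "MISMATCH $param: have $have, expected $want"; findings=$((findings + 1))
        fi
    done <<EOF
$EXPECTED_NDD
EOF
    [ "$findings" -eq 0 ]
}

# make_sample_inetinit: write a constructed, partly hardened fragment (not a real
# Solaris file) to a temp file and print its path; audit_inetinit reports 7 findings.
make_sample_inetinit() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
ndd -set /dev/tcp tcp_conn_req_max_q0 4096
ndd -set /dev/tcp tcp_conn_req_max_q 1024
ndd -set /dev/ip ip_ignore_redirect 1
#ndd -set /dev/ip ip_forwarding 0
ndd -set /dev/ip ip_strict_dst_multihoming 1
/usr/sbin/ndd -set /dev/ip ip_strict_dst_multihoming 0
EOF
    echo "$f"
}
```

Run `audit_inetinit /etc/init.d/inetinit` after the script above has been applied; a non-zero exit status means at least one setting did not land.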
#
#Section 14##########################################################
#This section replaces the /etc/default/passwd file to enforce password aging and
#increases the minimum password length to 8.
#
echo Replacing /etc/default/passwd with new version | tee -a $LOGFILE
cp /etc/default/passwd /etc/default/passwd.orig
cp $NEWFILES/new_passwd /etc/default/passwd
chown root:sys /etc/default/passwd
chmod 444 /etc/default/passwd
#
#Section 15##########################################################
#The following entries in the /etc/system file prevent users from
#executing code on the system stack (buffer overflow attacks).
#
cp /etc/system /etc/system.orig
echo 'set noexec_user_stack=1' | tee -a /etc/system | tee -a $LOGFILE
echo 'set noexec_user_stack_log=1' | tee -a /etc/system | tee -a $LOGFILE
#
#Section 16##########################################################
#This section enables additional logging by replacing the syslog.conf
#file with one carrying additional entries. Also, we create the loginlog file that
#logs failed login attempts.
#
echo Configuring Additional Logging | tee -a $LOGFILE
echo changing syslog.conf file | tee -a $LOGFILE
cp /etc/syslog.conf /etc/syslog.conf.orig
cp $NEWFILES/new_syslog.conf /etc/syslog.conf
chown root:sys /etc/syslog.conf
chmod 644 /etc/syslog.conf
echo touching the loginlog file | tee -a $LOGFILE
touch /var/adm/loginlog
chown root:sys /var/adm/loginlog
chmod 600 /var/adm/loginlog
echo touching the authlog file | tee -a $LOGFILE
touch /var/adm/authlog
chown root:sys /var/adm/authlog
chmod 600 /var/adm/authlog
#
#Section 17############################################################
#This section adds an entry in the root crontab to run the sendmail queue once
#per hour. This is a better approach than leaving the sendmail daemon
#running.
#
echo Configuring sendmail in crontab once per hour | tee -a $LOGFILE
cp /var/spool/cron/crontabs/root /var/spool/cron/crontabs/root.orig
echo '0 * * * * /usr/lib/sendmail -q' | tee -a /var/spool/cron/crontabs/root | tee -a $LOGFILE
#
#Section 18###########################################################
#This section does not perform any changes on the server. It only
#prompts to mount the /usr filesystem read-only. This can be done by
#adding 'ro' as a mount option for the /usr filesystem in /etc/vfstab.
#
cp /etc/vfstab /etc/vfstab.orig
echo mount /usr filesystem as read only in /etc/vfstab
echo IMPORTANT--This step should be done manually.
#Section 19###########################################################
#
#For all the above changes to take effect, the server must be shut down
#and restarted (init 6). This step should be done manually.
echo 'please shutdown now (init 6) for all changes to take effect' | tee -a $LOGFILE

Appendix G: References

1. Darren J. Moffat, “Solaris BSM Auditing”, Solaris Security Technologies Group (last updated Monday, November 27, 2000)
2. Alex Noordergraaf and Keith Watson, “Solaris Operating Environment Security”, Global Enterprise Security Service, Sun BluePrints Online, January 2000
3. Alex Noordergraaf and Keith Watson, “Solaris Operating Environment Security - Updated for Solaris 9 Operating Environment”, December 2002
4. “Solaris 8 System Administration Guide”
5. “Solaris 9 System Administration Guide”

Last Page of This Document
