Nortel Networks
Portfolio Integration
Issue 1.0
Please Note
THIS DOCUMENT IS FOR INFORMATIONAL PURPOSES ONLY AND DOES NOT CONSTITUTE
ADVICE. ANY RELIANCE UPON THIS DOCUMENT SHALL BE AT YOUR OWN RISK. THE
INFORMATION CONTAINED HEREIN IS PROVIDED “AS IS” WITHOUT ANY WARRANTIES OF
ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED
WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-
INFRINGEMENT. IN NO EVENT SHALL NORTEL NETWORKS, ITS AGENTS OR SUPPLIERS BE
LIABLE FOR ANY DIRECT, INDIRECT, SPECIAL, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL
DAMAGES (INCLUDING LOST PROFITS OR SAVINGS), WHETHER IN CONTRACT, TORT OR
OTHERWISE (INCLUDING NEGLIGENCE) FROM USE OF OR RELIANCE UPON THE INFORMATION
CONTAINED HEREIN, EVEN IF NORTEL NETWORKS, ITS AGENTS OR SUPPLIERS HAVE BEEN
ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
© Copyright Nortel Networks 2003 This document is the property of Nortel Networks who own the
copyright therein. The information in this document is given in confidence and without the written
consent of Nortel Networks given by contract or otherwise the document must not be copied reprinted
or reproduced in any material form either wholly or in part nor must the contents of the document or
any method or technique available there from be disclosed to any third party.
Nortel Networks Solaris 8 and 9 Operating System Hardening Guide
Summary
This document provides background information and detailed steps that should be taken in
order to harden the Solaris 8 and Solaris 9 operating systems against common network
security attacks. Please note however that operating system hardening procedures cannot be
followed blindly. Operating system hardening involves, among other things, turning off all
services that are not required for particular application. For this reason, each operating
system hardening instance must be customized and this document should only be considered
as a general guideline to follow during this customization.
1. Purpose of OS Hardening
Computers and network elements connected to networks are vulnerable to attacks. The following is a
list of commonly known types of attacks:
Some of these attacks are based on well-publicized techniques, with scripts and other tools available
to make it possible for less knowledgeable crackers to apply exploits against systems. Once a system
has been compromised, an intruder can do a number of things, including the following:
Our goal is to provide reference guidelines that you can use to improve the resistance of
your Solaris-based systems to attacks. We present what we believe to be sound practices. But we
must point out that no system is absolutely secure and that continued vigilance is still required even
after your system has been hardened. It is highly recommended that you monitor early warning
forums such as http://www.cert.org to obtain the newest vulnerability reports and stay on your
vendor’s bug-fix mailing list to get the latest security patches and bug fixes for the Solaris operating
system you use.
The hardening procedure is verified on Solaris 8 and 9 Operating Environment for the Sparc platform
and may be adapted for other Solaris based systems.
We assume that you have working knowledge of Solaris or general UNIX system administration and
that the system installation and hardening will be performed in an isolated or safe network
environment.
The Basic Security Module (BSM) is a loadable kernel module which, operating at the kernel level, intercepts and
logs system calls on the basis of an audit policy. It has a C2 security rating as defined in the Trusted
Computer System Evaluation Criteria (TCSEC), commonly known as the Orange Book. Turning on
BSM is usually considered the first step in hardening a Solaris operating system.
Please note that BSM introduces a 5-10% performance overhead, can only log to local disk,
and may require a large amount of storage space depending on the audit policy.
The system will then go into single user mode. Enter the root password again for system
maintenance. Then execute the following command:
/etc/security/bsmconv (bsmunconv is the command to turn off BSM)
Enter the letter y to continue with the BSM conversion. And then execute the following command to
restart the system to enable BSM:
/etc/telinit 6
or
/usr/sbin/shutdown -y now
You may want to make use of the sample script in Appendix F to automate this step if you need to
enable BSM on multiple systems. However, the script was developed on a test system and therefore
you should modify it to suit your specific environment.
It is recommended that BSM be enabled by default and that detailed documentation be provided to
the customers on at least the following:
1. the auditing options and what they mean
2. step-by-step configuration guide
3. how to turn it on and off
4. how to process the log
Timely processing of the log is very important. Unprocessed logs will not only defeat the purpose of
logging but also consume disk space to the point where the server stops working, which is equivalent
to a self-inflicted Denial of Service (DoS) attack.
You can configure BSM to either #1 stop the server when the auditing partitions are full or to #2 drop
auditing events and continue running the server. The default configuration is #2. Whether you choose
#1 or #2, you need to document that for the customers and make them aware of the implication, i.e.,
The default configuration is defined by the bsmconv script that is run to enable BSM on a system.
When run, the bsmconv script creates the /etc/security/audit_startup script. This script contains the
following:
#!/bin/sh
auditconfig -conf
auditconfig -setpolicy none
auditconfig -setpolicy +cnt
By specifying setpolicy +cnt, the audit_startup script created by bsmconv forces the auditing
subsystem to drop auditable events while keeping a count of the total number of events dropped.
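The +cnt decision is easy to lose track of once several systems have been converted. The following script is an added example, not taken from this guide or its Appendix F: it reads an audit_startup file of the shape bsmconv writes, reports whether the file selects option #1 (halt when the audit partition fills) or option #2 (drop and count events), and can write either variant so the choice is explicit in the file rather than implied by the bsmconv default. The function names and the scratch file it creates are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the Nortel guide or its Appendix F).
# Classifies the "audit partition full" behaviour selected by an audit_startup
# script and can write either variant. Assumes the file has the shape bsmconv
# creates: one "auditconfig -setpolicy ..." command per line.

# bsm_full_policy FILE
#   Prints "drop" when the cnt policy ends up set (option #2, the bsmconv
#   default: events are dropped and counted) and "halt" otherwise (option #1).
bsm_full_policy() {
    mode=halt
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            \#*) ;;                                        # comment or #! line
            *auditconfig*-setpolicy*+cnt*) mode=drop ;;
            *auditconfig*-setpolicy*-cnt*) mode=halt ;;
            *auditconfig*-setpolicy*none*) mode=halt ;;    # "none" clears all flags
        esac
    done < "$1"
    echo "$mode"
}

# bsm_write_startup drop|halt FILE
#   Writes an audit_startup that makes the chosen behaviour explicit.
bsm_write_startup() {
    case "$1" in
        drop|halt) ;;
        *) echo "usage: bsm_write_startup drop|halt FILE" >&2; return 2 ;;
    esac
    printf '#!/bin/sh\nauditconfig -conf\nauditconfig -setpolicy none\n' > "$2"
    if [ "$1" = drop ]; then
        echo 'auditconfig -setpolicy +cnt' >> "$2"
    fi
    return 0
}

# Stand-alone demonstration on a constructed copy of the bsmconv default.
sample=$(mktemp)
printf '#!/bin/sh\nauditconfig -conf\nauditconfig -setpolicy none\nauditconfig -setpolicy +cnt\n' > "$sample"
echo "bsmconv default selects: $(bsm_full_policy "$sample")"
bsm_write_startup halt "$sample"
echo "after rewrite to halt:   $(bsm_full_policy "$sample")"
rm -f "$sample"
```

Run it against /etc/security/audit_startup on a converted system to see which option is in effect; if you rewrite the file, record the choice in the customer documentation as the text above requires.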
For more information on the various configuration options, please refer to the Sun Blueprint document
entitled “Auditing in the Solaris 8 Operating Environment” at the following URL:
http://www.sun.com/solutions/blueprints/0201/audit_config.pdf
Many unnecessary services are installed by default when setting up a Solaris server. The next step to
harden the operating system is to remove them from the startup files. Like Linux and many other Unix
variants, Solaris takes advantage of the /etc/rc?.d directory structure, where ? denotes the available
run levels. At each run level init uses a driver script to run other scripts found in the run level
directories. The available run levels with startup or shutdown scripts in Solaris are S, 0, 1, 2, and 3.
There are many unused services which are started by the init process. These services are usually run
as root and a number of them have potential security loopholes which can be exploited. The rule of
thumb is that if the service is not needed, then do not start it. The simplest approach to disable a
group of services manually is to use the following scripting commands in a terminal console:
This will rename the files starting with S to .NOfilename, which will then not be automatically started
upon system reboot. For example,
S30sysid.net -> .NOS30sysid.net
A more radical approach would be to delete them completely. It is recommended that the files be
renamed first and be removed after thorough tests have been done to make sure the system works
as expected. This step could also be accomplished via the script in Appendix F.
The following sections outline the removal of the candidate services in detail. Additional technical
information about these services can be found online at Solaris 8 System Administrator Collection.
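As an added illustration (not the guide's Appendix F script), the rename step can be made repeatable and reviewable with a few shell functions. RCROOT is an assumed prefix so the functions can be exercised on a scratch copy of the rc directories rather than the live /etc; the script names used in the demonstration are ones the following sections name as candidates.

```shell
#!/bin/sh
# Added example (not the guide's Appendix F script). Implements the rename-to-.NO
# step: init only runs names that start with S or K, so a script renamed to
# .NO<name> is left alone at boot, stays in place for review, and can be put
# back with a single mv. RCROOT is an assumed prefix so the functions can be
# exercised on a scratch copy of the rc directories rather than the live /etc.

RCROOT=${RCROOT:-}

# disable_rc_script RUNLEVEL SCRIPTNAME
#   disable_rc_script 2 S80lp  renames $RCROOT/etc/rc2.d/S80lp to .NOS80lp
#   Returns 0 once the script is disabled (also when an earlier run already did
#   it), 1 when no such script exists at that run level.
disable_rc_script() {
    dir="$RCROOT/etc/rc$1.d"
    src="$dir/$2"
    dst="$dir/.NO$2"
    if [ ! -f "$src" ] && [ -f "$dst" ]; then
        return 0
    fi
    [ -f "$src" ] || return 1
    mv "$src" "$dst"
}

# list_disabled RUNLEVEL
#   Prints the .NO* names at that run level, one per line, for change review.
list_disabled() {
    dir="$RCROOT/etc/rc$1.d"
    for f in "$dir"/.NO*; do
        [ -e "$f" ] && basename "$f"
    done
    return 0
}

# disable_from_list
#   Reads "RUNLEVEL SCRIPTNAME" pairs from stdin (blank lines and # comments
#   skipped) and reports the outcome of each, so one list can be applied to
#   many systems and the output kept as a record.
disable_from_list() {
    while read -r lvl name || [ -n "$lvl" ]; do
        case "$lvl" in ''|\#*) continue ;; esac
        if disable_rc_script "$lvl" "$name"; then
            echo "disabled:    rc$lvl.d/$name"
        else
            echo "not present: rc$lvl.d/$name"
        fi
    done
}

# Stand-alone demonstration on a constructed scratch tree (never the live /etc).
scratch=$(mktemp -d)
mkdir -p "$scratch/etc/rc2.d" "$scratch/etc/rc3.d"
: > "$scratch/etc/rc2.d/S80lp"
: > "$scratch/etc/rc3.d/S50apache"
RCROOT=$scratch
printf '2 S80lp\n3 S50apache\n2 S88sendmail\n' | disable_from_list
list_disabled 2
rm -rf "$scratch"
```

Keeping the renamed files rather than deleting them matches the guide's advice to rename first and remove only after testing; the output of disable_from_list doubles as the record of what was changed on each system.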
/etc/rcS.d/S10initpcmcia
Disable CacheFS
CacheFS is commonly used to support diskless clients (the root file system is cachefs instead of ufs) and
provides better performance by caching NFS. cachefs can be safely disabled because all OAM server
hardware configurations have their own disks, ufs is almost always the default file system, and NFS should
never be part of normal OAM operation. The rule of thumb is that if the network service is not required, it
should be disabled. Please note that NFS does not need cachefs; cachefs only provides better NFS
performance, according to Sun.
This is part one of four script files that need to be renamed in order to fully disable CacheFS; for clarity
purposes, they are each listed in different subsections of this document. The following scripts should be
disabled in the following order to properly disable the cachefs:
/etc/rcS.d/S35cacheos.sh <-- (this subsection)
/etc/rcS.d/S41cachefs.root
/etc/rc2.d/S73cachefs.daemon
/etc/rc2.d/S93cacheos.finish
An entry in /etc/inet/inetd.conf, which is controlled by the RPC daemon, is also required to be
commented out. It is discussed later in the section.
/etc/inet/inetd.conf
This is part two of four script files that need to be renamed in order to fully disable CacheFS; for clarity
purposes, they are each listed in different subsections of this document:
/etc/rcS.d/S35cacheos.sh
/etc/rcS.d/S41cachefs.root <-- (this subsection)
/etc/rc2.d/S73cachefs.daemon
/etc/rc2.d/S93cacheos.finish
An entry in /etc/inet/inetd.conf, which is controlled by the RPC daemon, is also required to be
commented out. It is discussed later in the section.
/etc/inet/inetd.conf
The NCA cache consistency is maintained by honoring HTTP headers dealing with a given content type
and expiration date, much the same way as a proxy cache.
For detail configuration information, please see the Solaris 8 System Administration Guide, Volume 3.
The NCA is intended to be run on a dedicated web server. Running other large processes while running
NCA may cause undesirable behavior. This is a new feature in Solaris 8 and is available in Solaris 9. Sun
recommends that this service be disabled.
This is part one of three script files that need to be renamed in order to fully disable NCA; for clarity
purposes, they are each listed in different subsections of this document:
/etc/rcS.d/S42ncakmod <-- (this subsection)
/etc/rc2.d/S94ncalogd
/etc/rc2.d/S95ncad
In order to disable system activity data gathering, the following script file should be renamed to prevent
access:
/etc/rc2.d/S21perf
This is a new function for Solaris 8 and is available in Solaris 9 as well. It should be disabled if this network
interface is not needed in the OAM network.
In order to disable the LLC2 driver, the following script file should be renamed to prevent access:
/etc/rc2.d/S40llc2
In order to disable PPP, the following script file should be renamed to prevent access:
/etc/rc2.d/S47asppp
/etc/rc2.d/S47pppd
/etc/rc2.d/S70uucp
/etc/rc2.d/S71ldap.client
Renaming the following script file will disable the auto-installation service:
/etc/rc2.d/S72autoinstall
/etc/rc2.d/S72slpd
This is part three of four script files that need to be renamed in order to fully disable CacheFS; for clarity
purposes, they are each listed in different subsections of this document:
/etc/rcS.d/S35cacheos.sh
/etc/rcS.d/S41cachefs.root
/etc/rc2.d/S73cachefs.daemon <-- (this subsection)
/etc/rc2.d/S93cacheos.finish
An entry in /etc/inet/inetd.conf, which is controlled by the RPC daemon, is also required to be
commented out. It is discussed later in the section.
/etc/inet/inetd.conf
There's a collection of historically dangerous RPC services started at boot time from the script
"S73nfs.client" found in /etc/rc2.d. This includes the statd and lockd daemons mentioned in the
SANS Top Ten Security Threats 2002. NFS client systems need statd and lockd to do file locks on
NFS file systems -- the client has to tell the server to hold a lock so that other clients can honor it.
Over the years there have been many security compromises associated with the RPC services required for NFS
-- Sun recommends that these services be disabled for security reasons.
The following script file should be renamed to disable the NFS client service:
/etc/rc2.d/S73nfs.client
Ideally, automount should be disabled because, not only does it run as a privileged daemon, but it also
uses NFS and RPC. Sun highly recommends that it be disabled.
To disable autofs, you also need to remove /etc/auto_master and /etc/auto_home. If they or
either one of them cannot be removed, this service must remain on.
The following files should be renamed or removed to fully disable NFS auto-mount:
/etc/rc2.d/S74autofs
/etc/auto_master
/etc/auto_home
The following script file should be renamed to disable the print service:
/etc/rc2.d/S80lp
Disable Preserve
This service automatically saves the files currently being edited to /usr/preserve when the session is
lost or the server is rebooted. This service can be safely disabled and Sun recommends that it be disabled.
The following script files should be renamed to disable the preserve feature:
/etc/rc2.d/S80PRESERVE (Solaris 8)
/etc/rc2.d/S89PRESERVE (Solaris 9)
The following script file should be renamed to disable the SPC service:
/etc/rc2.d/S80spc
The following script file should be renamed to prevent access to powerd daemon:
/etc/rc2.d/S85power
The following file should be created to prevent system from asking power management related questions:
/noautoshutdown
Sun recommends that sendmail be disabled unless it is absolutely necessary. In a later section, system
logging is modified to send warning messages to logs instead of mailing them to root (mail to root could fill
up /var if it is not checked regularly, thus halting the system). You may invoke sendmail periodically from
crontab to process queued mail from programs and processes that use mail to send out messages.
Renaming the following script file will disable the SMTP mail server:
/etc/rc2.d/S88sendmail
Replace the installed sendmail.cf file with the minimal sendmail.cf in Appendix C.
Add the following entry to root's crontab to flush the mail queue once per hour:
0 * * * * /usr/lib/sendmail -q
For more information about WBEM, please refer to the WBEM on Sun Developer's Guide.
The following script file should be renamed to disable the WBEM service:
/etc/rc2.d/S90wbem
This is part four of the four script files that need to be renamed in order to fully disable CacheFS; for clarity
purposes, they are each listed in different subsections of this document:
/etc/rcS.d/S35cacheos.sh
/etc/rcS.d/S41cachefs.root
/etc/rc2.d/S73cachefs.daemon
/etc/rc2.d/S93cacheos.finish <-- (this subsection)
An entry in /etc/inet/inetd.conf, which is controlled by the RPC daemon, is also required to be
commented out. It is discussed later in the section.
/etc/inet/inetd.conf
This is part two of the three script files that need to be renamed in order to fully disable NCA; for clarity
purposes, they are each listed in different subsections of this document:
/etc/rcS.d/S42ncakmod
/etc/rc2.d/S94ncalogd <-- (this subsection)
/etc/rc2.d/S95ncad
This is part three of the three script files that need to be renamed in order to fully disable NCA; for clarity
purposes, they are each listed in different subsections of this document:
/etc/rcS.d/S42ncakmod
/etc/rc2.d/S94ncalogd
/etc/rc2.d/S95ncad <-- (this subsection)
There's a collection of historically dangerous RPC services that can be started at boot time from the script
S15nfs.server found in /etc/rc3.d. This includes the mountd daemon mentioned in the SANS Top
Ten Security Threats 2002. If the system isn't an NFS file server, mountd and nfsd servers should not be
started. All NFS file sharing information is transported in clear text, so it is susceptible to snooping.
Therefore, Sun recommends that NFS not be configured for security concerns.
The following two scripts need to be renamed or removed in order to fully disable the NFS server service:
/etc/rc3.d/S15nfs.server
/etc/dfs/dfstab
Renaming the following script file will disable the Sun stock apache server:
/etc/rc3.d/S50apache
Some OAM applications use their own SNMP agent, thus the stock SNMP services started by Sun are not
needed. If SNMP is not required, Sun recommends that the startup script be disabled so that these stock
SNMP services will not provide system information to unknown persons.
Please note that some servers which use the T3 disk-array require the Sun stock SNMP services to
manage the RAID disk-arrays. Also, if Sun SMC3.0 agent is running on the server, SNMP services must
not be turned off.
/etc/rc3.d/S76snmpdx
DMI can be safely turned off and Sun recommends that it be disabled.
/etc/rc3.d/S77dmi
This service is new to Solaris 8 and is available in Solaris 9 as well. It requires that the
/etc/inet/mipagent.conf file be present during the startup. The Solaris 8 and 9 default installation
disables this service and Sun recommends that the startup script be disabled if it is not needed.
The following script file should be renamed to disable the Mobile IP agent service:
/etc/rc3.d/S80mipagent
The removal of unnecessary system packages from the system, called minimization, reduces the number
of components that have to be patched and made secure. Reducing the number of components reduces
the number of possible entry points into the system by an intruder.
It is recommended by Sun that most of the services in /etc/inet/inetd.conf be disabled. For more
information, please check out the latest Sun Blueprints for securing Solaris: Solaris Operating Environment
Security - Updated for Solaris 8 Operating Environment and Solaris Operating Environment Security -
Updated for Solaris 9 Operating Environment.
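An added example, not from this guide or the Sun Blueprints, of the inetd.conf edits that the following subsections call for: one function comments out every active entry for a service name, another lists what is still enabled so the result can be reviewed before inetd is signalled to reread the file (pkill -HUP inetd on Solaris 8 and 9). The sample inetd.conf is constructed for the demonstration in the Solaris 8 layout, and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the guide or the Sun Blueprints). Two helpers for
# the inetd.conf edits: comment out every active entry for a service name and
# list what is still enabled. Works on whatever file path it is given, so it
# can be run against a copy first. Service names are the first field of each
# inetd.conf line ("shell" is in.rshd, "login" is in.rlogind, and so on).

# inetd_disable SERVICE FILE
#   Prefixes each active line whose first field is SERVICE with "#". Lines that
#   are already comments, and entries for other services, pass through as-is.
inetd_disable() {
    svc=$1
    conf=$2
    tmp="$conf.$$"
    awk -v svc="$svc" '
        /^[ \t]*#/ { print; next }
        $1 == svc  { print "#" $0; next }
                   { print }
    ' "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# inetd_active FILE
#   Prints the service name of every entry that is still enabled, one per line.
inetd_active() {
    awk '/^[ \t]*#/ { next } NF > 0 { print $1 }' "$1"
}

# inetd_is_active SERVICE FILE -> exit 0 if any active entry for SERVICE remains
inetd_is_active() {
    inetd_active "$2" | grep -qx "$1"
}

# Stand-alone demonstration on a constructed Solaris 8 style inetd.conf.
conf=$(mktemp)
cat > "$conf" <<'EOF'
# constructed sample inetd.conf (Solaris 8 layout; both IPv4 and IPv6 entries)
ftp     stream  tcp6    nowait  root    /usr/sbin/in.ftpd       in.ftpd
telnet  stream  tcp6    nowait  root    /usr/sbin/in.telnetd    in.telnetd
shell   stream  tcp     nowait  root    /usr/sbin/in.rshd       in.rshd
shell   stream  tcp6    nowait  root    /usr/sbin/in.rshd       in.rshd
login   stream  tcp6    nowait  root    /usr/sbin/in.rlogind    in.rlogind
#tftp   dgram   udp6    wait    root    /usr/sbin/in.tftpd      in.tftpd -s /tftpboot
EOF
inetd_disable shell "$conf"
inetd_disable login "$conf"
echo "still active: $(inetd_active "$conf" | tr '\n' ' ')"
rm -f "$conf"
```

Matching on the first field rather than on the daemon path catches both the tcp and tcp6 entries that Solaris 8 carries for the same service, which a single hand edit can easily miss.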
The protocol implemented by this program is obsolete. Its use should be phased out in favor of the Internet
Domain Name Service (DNS) protocol.
/etc/inet/inetd.conf
Disable rsh
Access control and accountability are critical to the security of a system. Access control should involve
strong authentication for system access, while accountability information should provide tracking data
relative to system changes. The standard r* commands (i.e., rsh, rlogin, and rcp) break both of these
requirements. This is because most implementations of r* commands involve “zones of trust.” Within a zone
of trust, all systems are trusted and no additional authentication is required. Hence, an intruder need only
gain access to one server in order to gain access to all the servers.
rsh creates a remote shell on a host which allows a user to execute commands on the remote unix host.
The rsh services use inadequate authentication based on IP address security (which can be spoofed),
DNS security (which can be spoofed) and the notion of reserved ports (on Unix systems only user root can
open the client port.) The server can trust a whole variety of hosts (with /etc/hosts.equiv); individual users
can trust user/host pairs (with ~user/.rhosts). This is a very convenient system with many possible security
compromises. For example, all the data that is sent from the client to the server is transmitted across the
network without encryption. This may be compromised by network sniffer attacks. For security purposes,
rsh should be disabled or replaced with an SSH protocol system such as ssh or OpenSSH.
This is part one of disabling the "r"-based services (rsh, rlogin, etc.); disabling the authentication part of
the service is done later, in the subsection "Disable PAM configuration for rsh and rlogin".
This is part one of a two-part procedure to disable the rsh service, in which the following files are either locked or
modified:
/etc/pam.conf file
/etc/inet/inetd.conf <-- (this subsection)
/etc/hosts.equiv
To disable the program part of rsh, the following file is modified:
/etc/inet/inetd.conf
and the following lines are commented out:
Disable rlogin
rlogin establishes a remote login session from trusted users/sites without a password challenge. The
rlogin service uses inadequate authentication based on IP address security (which can be spoofed),
DNS security (which can be spoofed) and the notion of reserved ports (on Unix systems only user root can
open the client port). The server can trust a whole variety of hosts (with /etc/hosts.equiv); individual users
can trust user/host pairs (with ~user/.rhosts). This is a very convenient system with many possible
security compromises. For example, the server will issue a Password: challenge if the user doesn't pass
the weak authentication requirements. Unfortunately that password data, as well as all other
communications, is not encrypted when transmitted over the network. This may be compromised by
network sniffer attacks. rlogin runs as root and for security purposes, it should be disabled or replaced
with an SSH protocol system such as ssh or OpenSSH.
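The zone-of-trust problem described for rsh and rlogin lives in /etc/hosts.equiv and ~user/.rhosts, so even after both inetd entries are commented out these files are worth checking, or trust silently comes back if the service is ever re-enabled. The following audit script is an added example, not part of this guide: it walks the trust files for every account listed in /etc/passwd and flags entries that trust every host ("+") or a whole netgroup ("+@name"). ROOT is an assumed prefix for running it against a scratch tree, and the passwd and trust-file contents in the demonstration are constructed.

```shell
#!/bin/sh
# Added example (not from the guide). Audits the r* trust files: /etc/hosts.equiv
# and ~user/.rhosts for every account in /etc/passwd. Prints each trust entry and
# marks the ones that trust every host ("+") or a whole netgroup ("+@name"),
# since those are what let one compromised host reach all of them. ROOT is an
# assumed prefix so the check can run against a scratch tree instead of /.

# trust_entries FILE -> the file's entries with comments and blank lines removed
trust_entries() {
    [ -f "$1" ] || return 0
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1"
}

# rhosts_audit ROOT
#   Prints "FILE<TAB>ENTRY" per trust entry, with "<TAB>WILDCARD" appended to
#   host-wildcard entries. Returns 1 if any wildcard entry was found, else 0.
rhosts_audit() {
    root=$1
    rc=0
    files="$root/etc/hosts.equiv"
    if [ -f "$root/etc/passwd" ]; then
        # field 6 of passwd is the home directory; root's is "/"
        for h in $(awk -F: '$6 != "" { print $6 }' "$root/etc/passwd"); do
            files="$files $root$h/.rhosts"
        done
    fi
    for f in $files; do
        [ -f "$f" ] || continue
        trust_entries "$f" | awk -v f="$f" '
            { flag = ($1 == "+" || $1 ~ /^[+]@/) ? "\tWILDCARD" : ""
              print f "\t" $0 flag }'
        n=$(trust_entries "$f" | awk '$1 == "+" || $1 ~ /^[+]@/ { c++ } END { print c + 0 }')
        [ "$n" -eq 0 ] || rc=1
    done
    return $rc
}

# Stand-alone demonstration on a constructed scratch tree.
scratch=$(mktemp -d)
mkdir -p "$scratch/etc" "$scratch/export/home/oam"
printf 'root:x:0:1:Super-User:/:/sbin/sh\noam:x:100:10:OAM user:/export/home/oam:/bin/sh\n' > "$scratch/etc/passwd"
printf '# constructed\nbackup-host\n+\n' > "$scratch/etc/hosts.equiv"
printf 'nms01 oam\n' > "$scratch/export/home/oam/.rhosts"
if rhosts_audit "$scratch"; then
    echo "no host wildcards found"
else
    echo "host wildcard trust present: review the entries above"
fi
rm -rf "$scratch"
```

The non-zero return makes the check usable from a periodic job: a newly created .rhosts with "+" on a hardened server is a change worth alerting on, not just listing.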
This is part one of disabling the "r"-based services (rsh, rlogin, etc.); disabling the authentication part of
the service is done later, in the subsection "Disable PAM configuration for rsh and rlogin".
This is part one of a two-part procedure to disable the rlogin service, in which the following files are either
locked or modified:
/etc/pam.conf file
/etc/inet/inetd.conf <-- (this subsection)
/etc/hosts.equiv
To disable the program part of rlogin, the following file is modified:
/etc/inet/inetd.conf
and the following lines are commented out:
transmitted over the network. This exposes the in.rexecd daemon to man in the middle, session
hijacking, and network sniffing attacks. For this reason, and the fact that it runs as user root, the
in.rexecd daemon entries in /etc/inetd.conf should be disabled.
/etc/inet/inetd.conf
with the following lines commented out:
comsat is invoked as needed by inetd, and times out if inactive for a few minutes. It runs as user root
and it may be compromised. Therefore, if it is not being used, it should be disabled. Since it is
recommended that the smtp server be disabled and all logging be sent to either a file or the console, it is no
longer necessary for this service to be turned on.
/etc/inet/inetd.conf
with the following line commented out:
/etc/inet/inetd.conf
with the following line commented out:
/etc/inet/inetd.conf
with the following line commented out:
The in.tftpd is managed by the inetd server process and is configured in /etc/inetd.conf. By
default, it is not enabled in the Solaris. If this service is necessary, it should be configured securely.
/etc/inet/inetd.conf
with the following line commented out (the default state of this service is off, i.e. commented out):
/etc/inet/inetd.conf
with the following line commented out:
Disable systat
systat allows for the remote learning of process status, i.e., what jobs are currently running on a system,
by displaying the output of ps -ef. The ps command prints information about active processes. Without
options, ps prints information about processes that have the same effective user ID and the same
controlling terminal as the invoker. The output contains only the process ID, terminal identifier, cumulative
execution time, and the command name. Otherwise, the information that is displayed is controlled by the
several options. Please see the MAN pages for more information.
systat should be disabled because it runs as root and it provides too much system information. Therefore, it
may be compromised and should be disabled if it is not needed.
/etc/inet/inetd.conf
with the following line commented out (the default state of this service is off, i.e. commented out):
Disable netstat
netstat allows for remote learning of network status, i.e., what peers are currently connected to the
system. netstat displays the contents of certain network-related data structures in various formats,
depending on the options you select. The first form of the command displays a list of active sockets for each
protocol. The second form selects one from among various other network data structures. The third form
shows the state of the interfaces. The fourth form displays the routing table, the fifth form displays the
multicast routing table, and the sixth form displays the state of DHCP on one or all interfaces. With no
arguments, netstat prints the connected sockets for PF_INET, PF_INET6, and PF_UNIX, unless modified
otherwise by the -f option. Please see the MAN pages for more information on options.
The netstat command provides system information which may then be used to launch attacks against
the system. It also runs as root and may be compromised. Therefore, if it is not needed it should be
disabled.
/etc/inet/inetd.conf
with the following line commented out (the default state of this service is off, i.e. commented out):
/etc/inet/inetd.conf
with the following line commented out :
Disable echo
echo (not to be confused with the ICMP echo used by ping) echoes back the incoming data stream. The
echo utility writes its arguments, separated by BLANKs and terminated by a NEWLINE, to the standard
output. If there are no arguments, only the NEWLINE character will be written. echo is useful for producing
diagnostics in command files, for sending known data into a pipe, and for displaying the contents of
environment variables.
The echo service is very old, it probably predates ping, and it is seldom used any more. It could be used in
a Denial of Service attack to gobble up sockets. It is an internal, built-in function of inetd which runs as user
root and might be compromised. Therefore, it should be disabled.
/etc/inet/inetd.conf
with the following line commented out :
Disable discard
The discard utility discards the incoming data stream. It is very old and was most probably used for
diagnostics, a function for which it is not used any more. It could be used in a Denial of Service attack to
gobble up sockets. It is an internal, built-in function of inetd which runs as user root and might be
compromised. Therefore, it should be disabled.
/etc/inet/inetd.conf
with the following line commented out :
Disable daytime
daytime service (not to be confused with Network Time Protocol) displays the system time as a string. It
is very old, it predates NTP, and it is seldom used. It is an internal, built-in function of inetd which runs as
user root and may be compromised. Therefore, if it is not needed, it should be disabled.
/etc/inet/inetd.conf
with the following line commented out :
Disable chargen
chargen generates a continuous stream of characters that was useful in testing TCP services back in 1982.
Today it is not used. However, it could be used in a Denial of Service attack to gobble up sockets and
bandwidth. It is an internal, built-in function of inetd which runs as user root and may be compromised.
Therefore, it should be disabled.
/etc/inet/inetd.conf
with the following line commented out :
sadmind typically does not make use of the stronger authentication mechanisms available to it but rather
defaults to weak authentication. It also runs as user root and may be compromised: This ranks as one of
the SANS TOP TEN Security threats 2002. Network-based attacks against sadmind pose a significant
threat to the security of a server and therefore should be disabled if it is not being used.
Sun states that on almost all servers, the RPC services in /etc/inet/inetd.conf can be removed. Many
applications that use RPC services add additional entries to the /etc/inet/inetd.conf in addition to using one
of the RPC based daemons. The RPC services in /etc/inet/inetd.conf should be removed unless specifically
required.
To disable the Solstice system and network administration class agent server, the following file is modified:
/etc/inet/inetd.conf
with the following line commented out :
To disable the remote disk quota server, the following file is modified:
/etc/inet/inetd.conf
with the following line commented out :
/etc/inet/inetd.conf
with the following line commented out :
The rpc.sprayd daemon may be started by the inetd process or the listen process. It runs as user root and
may be compromised. Therefore, if it is not being used, it should be disabled.
/etc/inet/inetd.conf
with the following line commented out :
The rpc.rwalld daemon may be started by the inetd process or the listen process. It is not considered an
essential tool. It runs as user root and may be compromised. Therefore, if it is not being used it should be
disabled.
/etc/inet/inetd.conf
with the following line commented out :
/etc/inet/inetd.conf
with the following line commented out :
The rpc.rexd daemon is started by the inetd process whenever a remote execution request is
made. It runs as user root and may be compromised. Therefore, if it is not being used, it should be
disabled.
To disable the RPC based remote execution server, the following file is modified:
/etc/inet/inetd.conf
with the following line commented out (the default state of this service is off, i.e. commented out):
/etc/inet/inetd.conf
with the following line commented out:
/etc/inet/inetd.conf
For more information about the KCMS server, please refer to the Sun KCMS collection web site.
/etc/inet/inetd.conf
with the line below commented out:
For more information about the font server, please refer to the Sun Solaris 8 Font Admin Guide.
/etc/inet/inetd.conf
with the line below commented out:
This is the last part of the cachefs disabling, with the following system files affected:
/etc/rcS.d/S35cacheos.sh
/etc/rcS.d/S41cachefs.root
/etc/rc2.d/S73cachefs.daemon
/etc/rc2.d/S93cacheos.finish
/etc/inet/inetd.conf <-- (this subsection)
/etc/inet/inetd.conf
with the line below commented out:
Kerberos is managed by RPC. It should be disabled because it runs as root and may be a security
exposure that could be compromised.
/etc/inet/inetd.conf
with the line below commented out:
/etc/inet/inetd.conf
with the line below commented out:
/etc/inet/inetd.conf
with the line below commented out:
/etc/inet/inetd.conf
Alternatively, you may install a replacement /etc/init.d/inetsvc file like the example in Appendix A and
be sure to re-create the hard link in /etc/rc2.d:
ln /etc/init.d/inetsvc /etc/rc2.d/S72inetsvc
/etc/init.d/inetsvc
/etc/rc2.d/S72inetsvc
with these blocks of script code removed:
if [ -n "$dnsdomain" ]; then
    dnsservers=`/sbin/dhcpinfo DNSserv`
    if [ -n "$dnsservers" ]; then
        if [ -f /etc/resolv.conf ]; then
            /usr/bin/rm -f /tmp/resolv.conf.$$
            /usr/bin/sed -e '/^domain/d' -e '/^nameserver/d' \
                /etc/resolv.conf >/tmp/resolv.conf.$$
        fi
        echo "domain $dnsdomain" >>/tmp/resolv.conf.$$
        for name in $dnsservers; do
            echo nameserver $name >>/tmp/resolv.conf.$$
        done
    else
        if [ -f /etc/resolv.conf ]; then
            /usr/bin/rm -f /tmp/resolv.conf.$$
            /usr/bin/sed -e '/^domain/d' /etc/resolv.conf \
                >/tmp/resolv.conf.$$
        fi
        echo "domain $dnsdomain" >>/tmp/resolv.conf.$$
    fi
    #
    # Warning: The umask is 000 during boot, which requires explicit
    # setting of file permission modes when we create files.
    #
    /usr/bin/mv /tmp/resolv.conf.$$ /etc/resolv.conf
    /usr/bin/chmod 644 /etc/resolv.conf
updated = 0;
for (i = 2; i <= n; i++) {
if (updated == 0 && index(a[i], "[") == 1) {
newl = newl" dns";
updated++;
}
newl = newl" "a[i];
}
if (updated == 0) {
newl = newl" dns";
updated++;
}
if (updated != 0)
newl = newl" # Added by DHCP";
else
newl = $0;
printf("%s\n", newl);
} else
printf("%s\n", $0);
} $1 !~ /^hosts:/ { printf("%s\n", $0); }' /etc/nsswitch.conf \
>/tmp/nsswitch.conf.$$
ipaddr=`/sbin/dhcpinfo Yiaddr`
if [ $# -gt 0 ]; then
#
# IP address is already in the hosts file. Ensure the
# associated hostname is the same as the Hostname
# property returned by the DHCP server.
#
/usr/bin/sed -e "/^[ ]*${ipaddr}[ ]/s/${2}/${hostname}/" \
/tmp/hosts_clear.$$ >/tmp/hosts.$$
else
#
# IP address is missing from the hosts file. Now check
if [ $# -gt 0 ]; then
#
# Hostname is present in the hosts file. Rewrite this
# line to have the new IP address and the DHCP comment.
#
/usr/bin/sed -e "/^[ ]*${1}[ ]/d" \
/tmp/hosts_clear.$$ >/tmp/hosts.$$
/usr/bin/rm -f /tmp/hosts_clear.$$
/usr/bin/mv /tmp/hosts.$$ /etc/inet/hosts
/usr/bin/chmod 644 /etc/inet/hosts
fi
/etc/init.d/inetsvc
/etc/rc2.d/S72inetsvc
with the following block of script code commented out:
#
# Add a static route for multicast packets out our default interface.
# The default interface is the interface that corresponds to the node name.
# Run in background subshell to avoid waiting for name service.
#
(
if [ "$_INIT_NET_STRATEGY" = "dhcp" ]; then
mcastif=`/sbin/dhcpinfo Yiaddr` || mcastif=$_INIT_UTS_NODENAME
else
mcastif=$_INIT_UTS_NODENAME
fi
/etc/init.d/inetsvc
/etc/rc2.d/S72inetsvc
with the following line replacing the original line (the extra "-t" switch enables logging for inetd):
/usr/sbin/inetd -s -t &
The following default system accounts, which were created by Solaris at installation, can be removed
using the script given below:
uucp
nuucp
listen
lp
nobody4
smmsp (new in Solaris 9)
Edit the password file and make /dev/null the shell for all but root and authorized users, as per the
customer network security policy. Shadow password is supported in Solaris 8 and 9 and shall be used
by default.
All unnecessary services and users should have now been disabled or removed.
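The following is an added audit script, not part of the Nortel guide or of Solaris, that reads a passwd file and reports which of the default accounts listed above are still present, and which accounts other than root and an ALLOWED_USERS list (a placeholder for the accounts the customer security policy permits to log in) still have a login shell other than /dev/null. It needs a POSIX shell such as /usr/bin/ksh on Solaris 8/9, and nawk in place of awk there.

```sh
#!/bin/sh
# Added audit helper (not from the Nortel guide): checks a passwd file
# against the account clean-up the guide asks for. It changes nothing;
# it only reports. Run it against /etc/passwd after the clean-up and
# again after patches or package installs, which can re-create accounts.
# ALLOWED_USERS is a constructed placeholder: list the accounts that
# the customer security policy allows to keep a login shell.

DEFAULT_ACCOUNTS="uucp nuucp listen lp nobody4 smmsp"
ALLOWED_USERS=${ALLOWED_USERS:-root}

# in_list NAME "word word ..." -> 0 if NAME is one of the words.
in_list() {
    for w in $2; do
        if [ "$w" = "$1" ]; then
            return 0
        fi
    done
    return 1
}

# passwd_audit FILE: prints one line per finding and returns the number
# of findings (the shell caps the return value at 255).
passwd_audit() {
    problems=0
    # awk emits name:shell per entry; an empty shell field means the
    # default /usr/bin/sh, which is still a usable login shell.
    for entry in $(awk -F: 'NF >= 7 { print $1 ":" ($7 == "" ? "/usr/bin/sh" : $7) }' "$1"); do
        name=${entry%%:*}
        shell=${entry#*:}
        if in_list "$name" "$DEFAULT_ACCOUNTS"; then
            echo "PRESENT: default account $name (shell $shell) should be removed"
            problems=$((problems + 1))
        elif [ "$shell" != /dev/null ] && ! in_list "$name" "$ALLOWED_USERS"; then
            echo "LOGIN SHELL: $name has shell $shell; set it to /dev/null unless policy allows"
            problems=$((problems + 1))
        fi
    done
    return $problems
}

if [ "${1-}" = "--audit" ]; then
    passwd_audit "${2:-/etc/passwd}"
fi
```

Usage: `ALLOWED_USERS="root oper1" sh passwd_audit.sh --audit /etc/passwd`; a zero exit status means the file matches the policy.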
System timekeeping can be done via both xntpd (daemon) and ntpdate (client). While the daemon
may provide more network functionality, it also presents vulnerabilities, one of which is an xntpd
buffer overflow. Unlike xntpd, which listens on port 123 constantly for connections, ntpdate is a client
to be executed only when needed to get the time of day from a pre-defined NTP server.
Use ntpdate to set system clock according to the NTP server on the core network.
Add the following to /etc/rc.local startup script to set the time of day at boot time:
/usr/sbin/ntpdate -s NTP_server_addr
The -s switch will log ntpdate actions via the syslog facility rather than sending them to the standard
output. For precise timekeeping this command can also be run from a cron job every hour on the
hour:
If xntpd must be used, please make sure it is the latest patched version that’s free of any of the
known vulnerabilities. The latest xntpd vulnerability announced by CERT affects Solaris 8. For more
information please refer to this URL: http://www.kb.cert.org/vuls/id/JSHA-53ZUEY
Syslogd provides both local and remote logging. It is able to send messages to a remote host running
syslogd. To forward messages to another host, prepend the hostname with the at sign (“@”).
For maximum security of the logging information, it is recommended that logs be sent to both the
local files and dedicated logging host. Make sure that the logging server is located within the same
protected management network because syslogd does not have access control and would be subject
to denial of service attacks if the server is exposed to the public network such as the Internet.
Do the following to expand on the default system logging function and make sure all authentication
errors are logged:
Add the following to /etc/syslog.conf to log the authentication errors to the local log file and everything
including the authentication errors to the remote log server:
auth.info /var/log/authlog
*.* @remote_logging_host
Create /var/log/authlog.
touch /var/log/authlog
chown root /var/log/authlog
chmod 600 /var/log/authlog
Loginlog is a log of all failed login attempts. The loginlog is not enabled by default. It can be
enabled by creating the loginlog file in /var/adm with read/write permission for the owner only. The
default setting is that after 5 failed login attempts, all the attempts are logged in the loginlog file. If
you have followed the instructions earlier in this document, all failed login attempts should be
logged in the loginlog file.
Inetd logs can be enabled by launching inetd with the –t option. If inetd logs are enabled, a log
entry is created every time an inetd service is requested. If you have followed the instructions
earlier in this document, inetd logging should be enabled.
Create a log rotation script to rotate these logs. A sample can be found in the /usr/lib/newsyslog file
and in Appendix B of this document. Modify the root crontab file to run this every day.
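The following is an added audit script, not part of the Nortel guide, that verifies the logging set-up described in this section: the two syslog.conf rules, and owner-only permissions on /var/log/authlog and /var/adm/loginlog. One caveat it checks for: Solaris syslogd requires the selector and the action in /etc/syslog.conf to be separated by tab characters, not spaces, so entries typed with spaces are silently ignored. The remote host name remote_logging_host is the guide's placeholder (set LOGHOST to the real one), and on Solaris 8/9 the script should be run with nawk in place of awk.

```sh
#!/bin/sh
# Added audit helper (not from the Nortel guide or Solaris): checks the
# logging configuration the guide asks for and reports, without changing
# anything. The paths can be overridden for testing on a copy.

SYSLOG_CONF=${SYSLOG_CONF:-/etc/syslog.conf}
AUTHLOG=${AUTHLOG:-/var/log/authlog}
LOGINLOG=${LOGINLOG:-/var/adm/loginlog}
LOGHOST=${LOGHOST:-remote_logging_host}   # guide's placeholder host name

# syslog_has_rule FILE SELECTOR ACTION -> 0 if an uncommented line
# "SELECTOR<tab>ACTION" exists, 1 otherwise. A space-separated line is
# deliberately not accepted: syslogd would not honour it.
syslog_has_rule() {
    awk -v sel="$2" -v act="$3" '
        BEGIN { FS = "\t+" }
        /^[ \t]*#/ { next }
        NF >= 2 && $1 == sel && $NF == act { found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# perm_string FILE -> the ten-character mode field of ls -l,
# e.g. "-rw-------" for a mode 600 file.
perm_string() {
    ls -ld "$1" | cut -c1-10
}

# owner_of FILE -> the owner column of ls -l.
owner_of() {
    ls -ld "$1" | awk '{ print $3 }'
}

# audit_logging: prints one line per finding and returns the number of
# findings (0 means the configuration matches the guide).
audit_logging() {
    problems=0
    syslog_has_rule "$SYSLOG_CONF" auth.info "$AUTHLOG" ||
        { echo "MISSING: auth.info<TAB>$AUTHLOG in $SYSLOG_CONF"; problems=`expr $problems + 1`; }
    syslog_has_rule "$SYSLOG_CONF" '*.*' "@$LOGHOST" ||
        { echo "MISSING: *.*<TAB>@$LOGHOST in $SYSLOG_CONF"; problems=`expr $problems + 1`; }
    for f in "$AUTHLOG" "$LOGINLOG"; do
        if [ ! -f "$f" ]; then
            echo "MISSING: $f (create it with touch, chown root, chmod 600)"
            problems=`expr $problems + 1`
        elif [ "`perm_string "$f"`" != "-rw-------" ] || [ "`owner_of "$f"`" != root ]; then
            echo "BAD PERMS: $f is `owner_of "$f"` `perm_string "$f"`, want root -rw-------"
            problems=`expr $problems + 1`
        fi
    done
    return $problems
}

if [ "${1-}" = "--audit" ]; then
    audit_logging
fi
```

Usage: `LOGHOST=loghost.example sh audit_logging.sh --audit` (the host name is a placeholder); a non-zero exit status is the number of findings, which makes the script usable from cron with the log rotation job.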
Solaris versions prior to Solaris 9 ship with file system permissions that need to be adjusted for
security reasons. With the release of Solaris 9, it is reported that this adjustment is no longer
necessary for the core Solaris OE packages. In Solaris 8 and older versions, many files and
directories have the group write bit set. In most instances, this permission is not necessary and
should be switched off.
Although file permission changes are not required for Solaris 9, they may be required of applications
installed on top of the operating system. Consequently, you should monitor permissions on all Solaris
versions.
File permissions can be adjusted using a tool called fix-modes. It can be downloaded from:
http://www.sun.com/blueprints/tools or ftp://ftp.wins.uva.nl/pub/solaris/fix-modes.tar.gz
Please note that this tool is not supported by Sun. The fix-modes version available from sun.com is
precompiled while the version from uva.nl is not. If compilation is required, it must be performed on a
Solaris system with a C compiler. Once compiled, install the fix-modes files and execute it to correct
file system permissions. It is reported that this tool has been used in production environments with no
problems.
Be careful when installing patches and new packages. These may set permissions back to their
original state. Execute the fix-modes tool after installing any packages or patches.
The allow file is checked first to see if the account is explicitly allowed to use the system. If the file does not
exist or the account is not listed in this file, the deny file is checked. If the account is explicitly listed in the
deny file then access is refused. Otherwise, access is permitted. If neither the deny nor the allow files exist,
then only the root account can use the at or cron system. Solaris includes cron.deny and at.deny files
containing some system accounts.
Please make sure that the /usr partition is mounted as read/write before carrying out this step. The
following are the default crontab jobs created by the Solaris 8 and 9 installation process:
adm
lp
root
sys
uucp
The following default users are listed in both the cron.deny and at.deny files:
bin
daemon
smtp
nuucp
listen
nobody
noaccess
which means all other users are allowed to run the crontab and at commands. If you don’t have a
need for other users to run crontab and at jobs on the system, you should consider removing both
deny files, which will then allow only the root user to run those commands.
EEPROM Password
Turn on EEPROM security. You will be prompted for a password. Assign a password that
is different from the superuser password. This password will be required in order to execute
low-level hardware commands at the ok prompt.
eeprom security-mode=command
cat /etc/ftpusers
rm /etc/ftpusers
touch /etc/ftpusers
for user in root daemon bin sys adm \
lp uucp nuucp listen nobody \
noaccess nobody4
do
echo $user >> /etc/ftpusers
done
chown root /etc/ftpusers
chgrp root /etc/ftpusers
chmod 600 /etc/ftpusers
mv /etc/pam.new /etc/pam.conf
chown root /etc/pam.conf
chgrp sys /etc/pam.conf
chmod 644 /etc/pam.conf
Default Login
Edit the /etc/default/login file and uncomment
• the UMASK line to set the initial shell file creation mode mask to 022.
• the CONSOLE=/dev/console line to disable remote root login (via telnet, for example).
• the SUPATH=/usr/sbin:/usr/bin line to make sure root has a safe path.
• the RETRIES=5 line to allow only 5 failed logins; you can reduce it to, say, 3.
• the SYSLOG_FAILED_LOGINS=5 line, and change 5 to 0 to force syslogd to log all failed
login attempts.
Shadow Password
Shadow password is supported in Solaris 8 and 9 and shall be used by default. Please refer to the
Strong Password Guide provided by Nortel Networks.
Stack-smashing
Edit /etc/system and add the following:
set noexec_user_stack = 1
set noexec_user_stack_log = 1
Make sure /etc/hosts.allow file contains uncommented entries only for the hosts you want to grant
remote login access to. Example:
ALL: trusted_host1, trusted_ip1
It is recommended that SSH be used instead of telnet and FTP. SSH is shipped with Solaris 9 but not
with Solaris 8. For more information on purchasing a commercially available and supported SSH
solution, visit http://www.ssh.com. Or refer to OpenSSH for Solaris User Guide provided by Nortel
Networks for information on how to obtain, install, configure and use OpenSSH on Solaris 8.
touch /etc/init.d/nddconfig
Create the second file by making a symbolic link to the first file:
ln -s /etc/init.d/nddconfig /etc/rc2.d/S70nddconfig
You may directly add the following commands into the first file using your favourite editor such as vi:
ndd -set /dev/arp arp_cleanup_interval 60000
ndd -set /dev/ip ip_forward_directed_broadcasts 0
ndd -set /dev/ip ip_forward_src_routed 0
ndd -set /dev/ip ip_ignore_redirect 1
ndd -set /dev/ip ip_ire_arp_interval 60000
ndd -set /dev/ip ip_respond_to_address_mask_broadcast 0
ndd -set /dev/ip ip_respond_to_echo_broadcast 0
ndd -set /dev/ip ip_respond_to_timestamp 0
ndd -set /dev/ip ip_respond_to_timestamp_broadcast 0
ndd -set /dev/ip ip_send_redirects 0
ndd -set /dev/ip ip_strict_dst_multihoming 1
ndd -set /dev/tcp tcp_conn_req_max_q0 4096
ndd -set /dev/tcp tcp_conn_req_max_q 1024
ndd -set /dev/tcp tcp_rev_src_routes 0
Or you may follow the steps outlined below to first understand what each command does and then add it to
the file.
Set arp_cleanup_interval
This option determines the period of time the Address Resolution Protocol (ARP) cache maintains entries.
ARP attacks may be effective with the default interval. Shortening the timeout interval should reduce the
effectiveness of such an attack. The system default value is 300000 milliseconds (5 minutes), and the new
setting is 60000 milliseconds (1 minute). Execute the following command to add this setting:
Set ip_forward_directed_broadcasts
This option determines whether to forward broadcast packets directed to a specific net or subnet, if that net
or subnet is directly connected to the machine. If the system is acting as a router, this option can be
exploited to generate a great deal of broadcast network traffic. Turning this option off will help prevent
broadcast traffic attacks. The system default value is 1 (true), and the new setting is 0 (false). Execute the
following command to add this setting:
Set ip_forward_src_routed
This option determines whether to forward packets that are source routed. These packets define the path
the packet should take instead of allowing network routers to define the path. The system default value is 1
(true) and the new setting is 0. Execute the following command to add this setting:
Set ip_ignore_redirect
This option determines whether to ignore Internet Control Message Protocol (ICMP) packets that define
new routes. If the system is acting as a router, an attacker may send redirect messages to alter routing
tables as part of sophisticated attack (man in the middle attack) or a simple denial of service. The system
default value is 0 (false), and the new setting is 1. Execute the following command to add this setting:
Set ip_ire_arp_interval
This option determines the period of time at which a specific route will be kept, even if currently in use. ARP
attacks may be effective with the default interval. Shortening the time interval may reduce the effectiveness
of attacks. The system default interval is 1200000 milliseconds (20 minutes), and the new setting is 60000
milliseconds (1 minute). Execute the following command to add this setting:
Set ip_respond_to_address_mask_broadcast
This option determines whether to respond to ICMP netmask requests, which are typically sent by diskless
clients when booting. An attacker may use the netmask information for determining network topology or the
broadcast address for the subnet. The default value is 0 (false) and the new setting is 0 as well. Execute the
following command to add this setting:
Set ip_respond_to_echo_broadcast
This option determines whether to respond to ICMP broadcast echo requests (ping). An attacker may try to
create a denial of service attack on subnets by sending many broadcast echo requests to which all systems
will respond. This also provides information on systems that are available on the network. The system
default value is 1 (true), and the new setting is 0. Execute the following command to add this setting:
Set ip_respond_to_timestamp
This option determines whether to respond to ICMP timestamp requests which some systems use to
discover the time on a remote system. An attacker may use the time information to schedule an attack at a
period of time when the system may run a cron job (or other time-based event) or otherwise be busy. It may
also be possible to predict ID or sequence numbers that are based on the time of day for spoofing services.
The system default value is 1 (true), and the new setting is 0. Execute the following command to add this
setting:
Set ip_respond_to_timestamp_broadcast
This option determines whether to respond to ICMP broadcast timestamp requests which are used to
discover the time on all systems in the broadcast range. This option is dangerous for the same reasons as
responding to a single timestamp request. Additionally, an attacker may try to create a denial of service
attack by generating many broadcast timestamp requests. The default value is 1 (true), and the new setting
is 0. Execute the following command to add this setting:
Set ip_send_redirects
This option determines whether to send ICMP redirect messages which can introduce changes into remote
system's routing table. It should only be used on systems that act as routers. The system default value is 1
(true), and the new setting is 0. Execute the following command to add this setting:
Set ip_strict_dst_multihoming
This option determines whether to enable strict destination multihoming. If this is set to 1 and ip_forwarding
is set to 0, then a packet sent to an interface from which it did not arrive will be dropped. This setting
prevents an attacker from passing packets across a machine with multiple interfaces that is not acting as a
router. The system default value is 0 (false), and the new setting is 1. Execute the following command to
add this setting:
Set tcp_conn_req_max_q0
This option sets the size of the queue containing unestablished connections. This queue is part of a
protection mechanism against SYN flood attacks. The queue size default is adequate for most systems but
should be increased for busy servers. The system default value is 1024, and the new setting is 4096.
Set tcp_conn_req_max_q
This option sets the maximum number of fully established connections. Increasing the size of this queue
provides some limited protection against resource consumption attacks. The queue size default is adequate
for most systems but should be increased for busy servers. The system default value is 128, and the new
setting is 1024. Execute the following command to add this setting:
Set tcp_rev_src_routes
This option determines whether the specified route in a source routed packet will be used in returned
packets. TCP source routed packets may be used in spoofing attacks, so the reverse route should not be
used. The default value is 0 (false), and the new setting is 0 as well. Execute the following command to add
this setting:
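The following is an added example, not part of the Nortel guide or of Solaris, that keeps the fourteen ndd settings listed above in one table, generates the /etc/init.d/nddconfig script from it, and audits a running kernel against the same table with "ndd -get", so that drift after a patch or reboot shows up. It needs a POSIX shell ($(...) syntax), so run it with /usr/bin/ksh on Solaris 8/9. NDD names the ndd binary (/usr/sbin/ndd by default) and can be pointed at a stub for testing.

```sh
#!/bin/sh
# Added helper (not from the Nortel guide): one table drives both the
# nddconfig startup script and a drift audit of the live kernel.

# The settings the guide puts in /etc/init.d/nddconfig: driver, parameter, value.
ndd_settings() {
    cat <<'EOF'
/dev/arp arp_cleanup_interval 60000
/dev/ip ip_forward_directed_broadcasts 0
/dev/ip ip_forward_src_routed 0
/dev/ip ip_ignore_redirect 1
/dev/ip ip_ire_arp_interval 60000
/dev/ip ip_respond_to_address_mask_broadcast 0
/dev/ip ip_respond_to_echo_broadcast 0
/dev/ip ip_respond_to_timestamp 0
/dev/ip ip_respond_to_timestamp_broadcast 0
/dev/ip ip_send_redirects 0
/dev/ip ip_strict_dst_multihoming 1
/dev/tcp tcp_conn_req_max_q0 4096
/dev/tcp tcp_conn_req_max_q 1024
/dev/tcp tcp_rev_src_routes 0
EOF
}

# write_nddconfig FILE: generate the init script (mode 744, as the stock
# /etc/init.d scripts are); link it as /etc/rc2.d/S70nddconfig afterwards.
write_nddconfig() {
    {
        echo '#!/sbin/sh'
        echo '# nddconfig: network hardening parameters, applied at boot'
        ndd_settings | while read dev param value; do
            echo "ndd -set $dev $param $value"
        done
    } > "$1"
    chmod 744 "$1"
}

# ndd_audit: compare the live value of every parameter with the table.
# Prints one DRIFT line per mismatch on stderr and returns the number of
# mismatches (0 means the kernel matches the table).
ndd_audit() {
    ndd=${NDD:-/usr/sbin/ndd}
    count=$(ndd_settings | {
        drift=0
        while read dev param want; do
            have=$($ndd -get "$dev" "$param" 2>/dev/null)
            if [ "$have" != "$want" ]; then
                echo "DRIFT $dev $param: current=${have:-unreadable} wanted=$want" >&2
                drift=$((drift + 1))
            fi
        done
        echo "$drift"
    })
    return "$count"
}

if [ "${1-}" = "--audit" ]; then
    ndd_audit
fi
```

Usage: `ksh nddconfig.sh --audit` as root after boot; a non-zero exit status is the number of parameters that differ from the table. The ndd -get calls read kernel parameters only, so the audit is safe to schedule from cron.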
vi /etc/vfstab
The final vfstab file should look like the example below. The last column is the area of interest.
Sample /etc/vfstab
#device             device              mount   FS    fsck  mount    mount
#to mount           to fsck             point   type  pass  at boot  options
/dev/dsk/c0t0d0s3   -                   -       swap  -     no       -
/dev/dsk/c0t0d0s0   /dev/rdsk/c0t0d0s0  /       ufs   1     no       -
/dev/dsk/c0t0d0s6   /dev/rdsk/c0t0d0s6  /usr    ufs   1     no       ro
/dev/dsk/c0t0d0s1   /dev/rdsk/c0t0d0s1  /var    ufs   1     no       nosuid
/dev/dsk/c0t0d0s7   /dev/rdsk/c0t0d0s7  /extra  ufs   2     yes      nosuid
/dev/dsk/c0t0d0s5   /dev/rdsk/c0t0d0s5  /opt    ufs   2     yes      nosuid
If your partitions for binaries, variable data and user space differ from the above example, it is
recommended that you mount the binaries partition(s) as read-only and mount the other non-root
filesystems with nosuid.
Please make sure you have double checked everything at this point. Once you finish here, you will
reboot to verify everything. If you have not added all your components properly, you will not easily be
able to make changes, in which case you will have to remount your binaries partition to make it
writable.
There are third party applications that can be used to monitor your file system. But it’s beyond the
scope of this hardening guide to discuss and evaluate them.
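The following is an added check, not part of the Nortel guide, that reads a vfstab and reports every ufs entry that lacks the option this section asks for: ro on the binaries partition(s) and nosuid on every other non-root ufs file system. BINARY_MOUNTS is an assumed, comma-separated list of the mount points treated as binaries partitions (/usr in the sample layout); adjust it to your own layout. It needs a POSIX shell (ksh on Solaris 8/9) and nawk in place of awk there.

```sh
#!/bin/sh
# Added audit helper (not from the Nortel guide): flags ufs entries in a
# vfstab whose mount options fall short of the recommended ro/nosuid.
# Run it before the final reboot so a missing option is caught while the
# binaries partition is still writable.

BINARY_MOUNTS=${BINARY_MOUNTS:-/usr}   # assumed layout: /usr holds the binaries

# has_option LIST NAME -> 0 if NAME is an element of the comma-separated LIST.
has_option() {
    case ",$1," in
        *,"$2",*) return 0 ;;
        *) return 1 ;;
    esac
}

# vfstab_audit FILE: prints one FINDING line per ufs entry that lacks the
# expected option and returns the number of findings.
vfstab_audit() {
    problems=0
    # awk drops comments and non-ufs lines and emits "mountpoint:options"
    for entry in $(awk '!/^[ \t]*#/ && NF >= 7 && $4 == "ufs" { print $3 ":" $7 }' "$1"); do
        mnt=${entry%%:*}
        opts=${entry#*:}
        if [ "$mnt" = / ]; then
            continue                 # root stays read-write and cannot be nosuid here
        elif has_option "$BINARY_MOUNTS" "$mnt"; then
            want=ro
        else
            want=nosuid
        fi
        if ! has_option "$opts" "$want"; then
            echo "FINDING: $mnt mounted with options '$opts', expected $want"
            problems=$((problems + 1))
        fi
    done
    return $problems
}

if [ "${1-}" = "--audit" ]; then
    vfstab_audit "${2:-/etc/vfstab}"
fi
```

Usage: `BINARY_MOUNTS=/usr,/opt ksh vfstab_audit.sh --audit /etc/vfstab` when /opt also holds binaries; a zero exit status means every ufs entry carries the expected option.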
Please visit http://netsec.ca.nortel.com for the Threat and Risk Assessment Program and the Security
Advisory Task Force (SATF) triage process of handling vulnerability advisories and patches.
#
# Re-set the netmask and broadcast addr for all IP interfaces. This
# ifconfig is run here, after NIS has been started, so that "netmask
# +" will find the netmask if it lives in a NIS map.
# The 'D' in -auD tells ifconfig NOT to mess with the interface
# if it is under DHCP control
#
#
# If this machine is configured to be an Internet Domain Name
# System (DNS) server, run the name daemon.
# Start named prior to: route add net host, to avoid dns
# gethostbyname timout delay for nameserver during boot.
#
#mcastif=`uname -n`
#echo "Setting default interface for multicast: \c"
#/usr/sbin/route add -interface -netmask "240.0.0.0" "224.0.0.0" "$mcastif"
#
# Run inetd in "standalone" mode (-s flag) so that it doesn't have
# to submit to the will of SAF. Why did we ever let them change inetd?
#
#/usr/sbin/inetd -s
# Define version
V8
# Separators
Do.:%@!^=/[]
# Spool directory
OQ/usr/spool/mqueue
S0
R@$+ $#error $: Missing user name
R$+ $#hub $@$R $:$1 forward to hub
S3
R$*<>$* $n handle <> error address
R$*<$*>$* $2 basic RFC822 parsing
Anyone using this system expressly consents to such monitoring and is advised that
if such monitoring reveals possible evidence of criminal activity, system personnel
may provide the evidence of such monitoring to law enforcement officials.
vi /etc/hosts.deny
#
# Explicitly deny access from all stations except those
# that match the allow rule in /etc/hosts.allow
#
ALL : ALL
###################################################################
#Please Set the following variables
#LOGFILE is the location of the logfile; $0 will contain the name of the script
LOGFILE=/SECURITY/$0.log
#NEWFILE is the location of the files changed by this script.
#The files that should be in the NEWFILES directory are:
#new_inetd.conf, new_inetsvc, new_login, new_passwd and new_syslog.conf
NEWFILES=/SECURITY
#
#Section 1#########################################################
#
echo WARNING... This script is intended to be executed on a
echo newly installed Solaris operating system and is not
echo designed to be executed more than once on the same server.
echo
echo Please abort now with CTRL-C if this is not the case
echo
echo Execution will resume in 15 seconds
sleep 15
echo running $0 at `date` | tee -a $LOGFILE
echo logfile is $LOGFILE | tee -a $LOGFILE
echo new files are stored in $NEWFILES | tee -a $LOGFILE
#
#Section 2#########################################################
#This section enables the basic security module(BSM). BSM is needed
#by the auditing applications. Also in this section, we configure
#auditing for administrative and login/logout attempts for the root
#user.
#
echo installing basic security module | tee -a $LOGFILE
echo y > y
/etc/security/bsmconv < y | tee -a $LOGFILE
cp /etc/security/audit_user /etc/security/audit_user.orig
sed s/root:lo:no/root:ad,lo:no/g /etc/security/audit_user > /etc/security/audit_user.new
mv /etc/security/audit_user.new /etc/security/audit_user
chown root:sys /etc/security/audit_user
chmod 655 /etc/security/audit_user
#
#Section 3########################################################
#This section sets the appropriate umask value in startup script for
#each startup directory to make sure that all the services are started
#with the appropriate file permissions.
#
#echo starting the system daemons with appropriate umask value | tee -a $LOGFILE
echo 'umask 022' > /etc/init.d/umask.sh
mv /etc/default/kbd.new /etc/default/kbd
chown root:sys /etc/default/kbd
chmod 444 /etc/default/kbd
#
#Section 13###########################################################
#This section sets networking parameters as recommended by SUN for
#security. For more details on each of these parameters, see Solaris™
#Operating Environment Security, Updated for Solaris 8 Operating
#Environment, Sun BluePrints™ OnLine
#
echo Setting TCP_STRONG_ISS=2 | tee -a $LOGFILE
cp /etc/default/inetinit /etc/default/inetinit.orig
sed s/TCP_STRONG_ISS=1/TCP_STRONG_ISS=2/g /etc/default/inetinit > /etc/default/inetinit.new
mv /etc/default/inetinit.new /etc/default/inetinit
chown root:sys /etc/default/inetinit
chmod 444 /etc/default/inetinit
echo tuning parameters to the end of the /etc/init.d/inetinit file | tee -a $LOGFILE
echo 'ndd -set /dev/tcp tcp_conn_req_max_q0 4096' >> /etc/init.d/inetinit
echo 'ndd -set /dev/tcp tcp_conn_req_max_q 1024' >> /etc/init.d/inetinit
echo 'ndd -set /dev/ip ip_ignore_redirect 1' >> /etc/init.d/inetinit
echo 'ndd -set /dev/ip ip_send_redirects 0' >> /etc/init.d/inetinit
echo 'ndd -set /dev/ip ip_ire_flush_interval 60000' >> /etc/init.d/inetinit
echo 'ndd -set /dev/arp arp_cleanup_interval 60000' >> /etc/init.d/inetinit
echo 'ndd -set /dev/ip ip_forward_directed_broadcasts 0' >> /etc/init.d/inetinit
echo 'ndd -set /dev/ip ip_forward_src_routed 0' >> /etc/init.d/inetinit
echo 'ndd -set /dev/ip ip_forwarding 0' >> /etc/init.d/inetinit
echo 'ndd -set /dev/ip ip_strict_dst_multihoming 1' >> /etc/init.d/inetinit
cat /etc/init.d/inetinit | grep ndd | tee -a $LOGFILE
#
#Section 14##########################################################
#This section replaces the password file to enforce password aging and
#increases the minimum password length to 8.
#
echo Replacing /etc/default/passwd with new version | tee -a $LOGFILE
cp /etc/default/passwd /etc/default/passwd.orig
cp $NEWFILES/new_passwd /etc/default/passwd
chown root:sys /etc/default/passwd
chmod 444 /etc/default/passwd
#
#Section 15##########################################################
#The following entries in the /etc/system file prevents users from
#executing code on the system stack (buffer overflow attacks).
#
cp /etc/system /etc/system.orig
echo 'set noexec_user_stack=1' | tee -a /etc/system | tee -a $LOGFILE
echo 'set noexec_user_stack_log=1' | tee -a /etc/system | tee -a $LOGFILE
#
#Section 16##########################################################
#This section enables additional logging by replacing the syslog.conf
#file with additional entries. Also, we create the loginlog file that
Appendix G: References
1. “Solaris BSM Auditing” by Darren J. Moffat, Solaris Security Technologies Group (last
updated Monday, November 27, 2000)
2. “Solaris Operating Environment Security” by Alex Noordergraaf and Keith Watson, Global
Enterprise Security Service – Sun BluePrints Online, January 2000
3. “Solaris Operating Environment Security - Updated for Solaris 9 Operating Environment,”
December 2002, by Alex Noordergraaf and Keith Watson
4. “Solaris 8 System Administration Guide”
5. “Solaris 9 System Administration Guide”