Solaris security

Secure Solaris Setup

Outline

Note

This document is intended to walk you through some of the steps required to set up a secure Solaris machine. The following steps should be considered a good beginning, not a guarantee that the resulting machine will be secure.

We are assuming that you have completed the initial installation correctly. Here are some additional steps that you can take to secure your system. You will need network access for obtaining information mentioned in this document.

I. Limit Access

  • A. Use a password-protected screensaver, and use eeprom(1M) to set a firmware security password.
  • B. Install npasswd. Run Crack on a regular basis. Also examine your /etc/shadow file to verify that you do not have blank password entries for any user.
    http://www.utexas.edu/cc/unix/software/npasswd/
    ftp://coast.cs.purdue.edu/pub/tools/unix/
  • C. Restrict access to X server. For information about X security and authorization, see the following manual pages: xhost(1), xauth(1), Xserver(1), xdm(1), and X(1).
  • D. Change file and directory ownerships and permissions, where appropriate. As a general rule, nothing in root's path, and no parent directories of such files should be group-writable or owned by anyone except for root.
  • E. Limit network access to the system. Install and configure tcpwrappers to restrict access to certain services on a Unix machine and make detailed syslog entries to help administrators track problems and detect intrusion attempts. For further information, see:
    http://www.sunfreeware.com
    http://www.freeware4sun.com/
  • F. Try to run as few services as possible as root. In particular, license managers, web servers and answerbook servers should be run by a nonprivileged userid.
  • G. Remove /.rhosts and /etc/hosts.equiv files. Also edit your /usr/dt/config/Xaccess and/or /etc/dt/config/Xaccess files so that you only provide xdm login service to appropriate external hosts. (The syntax of these files is explained in the comments.) For most hosts, "localhost" is the only entry that should exist in the Xaccess file.
  • H. Examine the SUID and SGID files on your system. Remove the SUID/SGID bit from programs that are not run by regular users (such as ufsdump/ufsrestore or the kcms* files).
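Two of the checks above, I.B (blank password fields in /etc/shadow) and I.H (SUID/SGID files), as an added shell example that is not part of the original page; the shadow entries, file names and scratch directory are constructed, and the functions take paths as parameters so they can be pointed at the real files.

```shell
#!/bin/sh
# Added example, not from the original page: two checks from section I.
# blank_password_accounts reads a file in /etc/shadow layout and reports
# accounts whose password field is empty (I.B); suid_sgid_files lists the
# set-user-id / set-group-id files under a directory (I.H). Both take the
# path as a parameter so they can be run against the constructed data below.

# blank_password_accounts SHADOW_FILE: print the login name of every entry
# whose second field (the hashed password) is empty. Locked entries (*LK*)
# and "NP" entries are not blank and are not reported.
blank_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# suid_sgid_files DIR: regular files with the SUID or SGID bit set, sorted
# so the list can be diffed against a baseline taken right after install.
suid_sgid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print | sort
}

# --- demonstration on constructed data in a scratch directory ---
demo_dir=${TMPDIR:-/tmp}/solaris-audit.$$
mkdir -p "$demo_dir/bin"
SHADOW="$demo_dir/shadow"
# Constructed entries in shadow(4) layout; the hash values are placeholders.
cat > "$SHADOW" <<'EOF'
root:HASHPLACEHOLDER:11900::::::
daemon:NP:6445::::::
alice:HASHPLACEHOLDER:11900::::::
guest::11900::::::
nobody:*LK*:6445::::::
oracle::11900::::::
EOF
: > "$demo_dir/bin/su";      chmod 4755 "$demo_dir/bin/su"       # SUID, expected
: > "$demo_dir/bin/ufsdump"; chmod 4755 "$demo_dir/bin/ufsdump"  # SUID, candidate to strip
: > "$demo_dir/bin/ls";      chmod 755  "$demo_dir/bin/ls"       # ordinary file

blank_password_accounts "$SHADOW"   # guest, oracle
suid_sgid_files "$demo_dir/bin"     # .../bin/su and .../bin/ufsdump
```

On a real host run `suid_sgid_files /` once right after installation, keep that list, and diff later runs against it.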

II. Maintain System Security

  • A. Install the current Sun patches for your OS.
  • B. Check logs and the system for suspicious behavior. This should include checking users who are running processes while not logged in, logins from unusual locations and processes that are hogging resources. Any of these could be innocent but it doesn't hurt to investigate.
  • C. Monitor system activity on an ongoing basis. Use sar to keep track of usage, and be suspicious about unexplained spikes. Use top to pinpoint the usage hogs. Pay particular attention to processes that continue to run after the users have logged out, especially if they have names like bnc, eggdrop, or irc.
  • D. Configure Tripwire and set up a Tripwire database NOW, while you know that your system has not been altered. Run Tripwire against your system on a regular basis to see which files have changed and to update your databases. See http://tripwire.org
  • E. Make regular backups. Consider using TSM. See http://www.princeton.edu/tsm
  • F. Examine and keep up on security advisories from Sun.
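The II.B check for users who own processes but have no login session, as an added shell example that is not part of the original page; it takes the text of `who` and of `ps -eo user=,comm=` as parameters, the sample output below is constructed, and the default list of system accounts is an assumption to adjust for your site.

```shell
#!/bin/sh
# Added example, not from the original page: the II.B check for users who
# own processes but are not logged in. The function takes the text of `who`
# and of `ps -eo user=,comm=` as parameters; the samples below are
# constructed, and the system-account list is an assumption to tune locally.

# orphan_process_owners WHO_OUTPUT PS_OUTPUT [SYSTEM_USERS]
# Prints, once each, "user command" for every process whose owner is neither
# logged in (per who) nor in the space-separated list of system accounts.
orphan_process_owners() {
    logged=$(printf '%s\n' "$1" | awk '{ print $1 }' | sort -u | tr '\n' ' ')
    printf '%s\n' "$2" | awk -v logged="$logged" -v sys="${3:-root daemon}" '
        BEGIN {
            n = split(logged, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1
            n = split(sys, b, " ");    for (i = 1; i <= n; i++) ok[b[i]] = 1
        }
        NF >= 2 && !ok[$1] && !seen[$1 " " $2] { seen[$1 " " $2] = 1; print $1, $2 }'
}

# Constructed sample output, not captured from a real host.
WHO_OUT='alice      pts/1        Aug 14 09:12    (10.0.0.5)
bob        pts/2        Aug 14 09:40    (10.0.0.9)'
PS_OUT='root    init
daemon  rpcbind
alice   bash
bob     vi
carol   eggdrop
carol   eggdrop
dave    bnc'

orphan_process_owners "$WHO_OUT" "$PS_OUT"
# carol eggdrop
# dave bnc
```

On a live system call it as `orphan_process_owners "$(who)" "$(ps -eo user=,comm=)"`; anything it prints is worth a look, even if it turns out to be a legitimate batch job.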

III. Network Services

Unix systems have a large number of network services enabled by default. To prevent unauthorized access, many of these network services should be replaced or disabled.

  • A. Replace telnet with ssh (http://www.ssh.org or http://www.sunfreeware.com) or Kerberos (http://web.mit.edu/kerberos/www/) for remote logins. In any case, be aware of the problems associated with broadcasting passwords (and particularly the root password) in unencrypted sessions over the network.
  • B. Disable unnecessary services in inetd.conf. As a general rule, comment out every line of the /etc/inetd.conf file.
  • C. Disable unnecessary services in rc2.d and rc3.d. Standalone services can be disabled by renaming the associated startup script in one of the /etc/rc*.d directories.
    Here are some services started in /etc/rc*.d that you may want to disable:

    • 1. Turn off CDE if it is not needed. (Most server systems do not require CDE.) You can turn off CDE on a system by moving the /etc/rc2.d/S99dtlogin file somewhere else and rebooting.
    • 2. Network File System (NFS). Allowing other machines to access your computer's file system is very risky.
    • 3. Install the current version of Eric Allman's sendmail, http://www.sendmail.org. You should not run sendmail in daemon mode unless your system is actually serving email (i.e., receiving and processing email from other locations). To turn off daemon mode, remove the "-bd" flag from the sendmail invocation in /etc/init.d/sendmail.

  • D. For Solaris 2.6+ systems, you can disable the ability to execute code from the stack. Add the following lines to the /etc/system file and reboot.
    • set noexec_user_stack=1
    • set noexec_user_stack_log=1
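The III.B step (commenting out inetd.conf service lines) and the III.D step (the two /etc/system settings), as an added shell example that is not part of the original page; it goes a little beyond the page by accepting an optional allow list of services to keep, the sample inetd.conf is constructed, and both functions take file paths as parameters.

```shell
#!/bin/sh
# Added example, not from the original page: the III.B step of commenting
# out inetd.conf service lines (with an optional allow list, which goes a
# little beyond the page's "comment out every line") and the III.D step of
# making sure /etc/system carries both noexec_user_stack settings. Both
# functions take the file path as a parameter; the files below are constructed.

# disable_inetd_services FILE "svc1 svc2 ...": comment out every non-blank,
# non-comment line whose service name (field 1) is not in the allow list.
disable_inetd_services() {
    f=$1
    awk -v keep="$2" '
        BEGIN { n = split(keep, k, " "); for (i = 1; i <= n; i++) allow[k[i]] = 1 }
        /^[ \t]*#/ || /^[ \t]*$/ { print; next }   # blank or already disabled
        allow[$1]                { print; next }   # explicitly kept
        { print "#" $0 }                           # everything else is disabled
    ' "$f" > "$f.new" && mv "$f.new" "$f"
}

# active_inetd_services FILE: the service names still enabled, one per line.
active_inetd_services() {
    awk '!/^[ \t]*#/ && NF { print $1 }' "$1"
}

# ensure_noexec_stack FILE: append each required "set ..." line if it is not
# already present verbatim; idempotent. A reboot is still needed afterwards.
ensure_noexec_stack() {
    for s in 'set noexec_user_stack=1' 'set noexec_user_stack_log=1'; do
        grep -q "^$s\$" "$1" || printf '%s\n' "$s" >> "$1"
    done
}

# --- demonstration on constructed files in a scratch directory ---
demo_dir=${TMPDIR:-/tmp}/inetd-demo.$$
mkdir -p "$demo_dir"
INETD="$demo_dir/inetd.conf"; SYSTEM="$demo_dir/system"
cat > "$INETD" <<'EOF'
# Constructed sample in inetd.conf layout (not a real configuration)
ftp     stream  tcp     nowait  root    /usr/sbin/in.ftpd       in.ftpd
telnet  stream  tcp     nowait  root    /usr/sbin/in.telnetd    in.telnetd
shell   stream  tcp     nowait  root    /usr/sbin/in.rshd       in.rshd
finger  stream  tcp     nowait  nobody  /usr/sbin/in.fingerd    in.fingerd
#tftp   dgram   udp     wait    root    /usr/sbin/in.tftpd      in.tftpd
EOF
: > "$SYSTEM"
disable_inetd_services "$INETD" ""    # the page's rule: comment out everything
ensure_noexec_stack "$SYSTEM"
active_inetd_services "$INETD"        # prints nothing: all services disabled
```

After editing the real /etc/inetd.conf, send inetd a HUP (or reboot) so the change takes effect; the /etc/system settings only apply after a reboot.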

IV. Further information

Links:

Compiled August 2002 by D. Kaiser. Thanks to M. Harriss and C. Dietrich for contributions. © 2002-2003 by the Trustees of Princeton University.
Last modified Sept 2007