15k os security suite
7/28/2019 15k OS Security Suite
1/36
Sun Proprietary and Confidential: Need to Know
Application Readiness Service for Sun Fire 12K/15K Security
Application Readiness Service for Sun Fire 12K/15K: Sun Fire 12K/15K Security
Security Page 1 of 36 February 27, 2002
Copyright 2001 Sun Microsystems, Inc. All rights reserved.
Table of Contents
1. Introduction ... 3
1.1. Legal Disclaimer ... 3
1.2. Security Customization ... 3
1.2.1. System Controller Security Options ... 3
1.2.2. Domain Security Options ... 3
1.3. Disabled Services/Applications/Scripts ... 4
1.4. Common Changes ... 4
1.4.1. /etc/dt/config/Xaccess ... 4
1.4.2. /etc/default/sendmail ... 4
1.4.3. /etc/nsswitch.conf ... 4
1.5. Solaris Security Toolkit Sample Output ... 5
1.6. Solaris Security Toolkit Steps ... 5
1.7. Solaris Security Toolkit File Content ... 9
1.7.1. /etc/issue and /etc/motd ... 9
1.7.2. /etc/notrouter ... 10
1.7.3. /etc/nsswitch.conf ... 10
1.7.4. /etc/syslog.conf ... 10
1.7.5. /etc/default/sendmail ... 10
1.7.6. /etc/dt/config/Xaccess ... 11
1.7.7. /etc/init.d/nddconfig and /etc/rc2.d/S70nddconfig ... 12
1.7.8. set-tmp-permissions scripts ... 19
1.7.9. /etc/init.d/inetsvc ... 20
1.7.10. /etc/inet/inetd.conf ... 20
1.7.11. /etc/init.d/nddconfig ... 21
1.7.12. /dev/ip qfe0:ip_forwarding (note: domains only) ... 22
Appendix A: Solaris Security Toolkit Sample Output ... 23
1. Introduction
This document provides information about the methods used to increase the security of the Sun Fire 12K/15K (it is applicable to either platform) during the delivery of the Application Readiness Service (ARS) for the Sun Fire 12K/15K. The security methods used in the delivery of this service conform with Sun's recommended practices. During the delivery of this service, OpenSSH for Solaris (secure shell, often abbreviated as ssh) is installed and configured. In addition, the Solaris Security Toolkit (Toolkit) [1], formerly known as JASS (JumpStart Architecture and Security Scripts), is installed and used to increase the security of the Sun Fire 12K/15K. More information on security for the Sun Fire 12K/15K can be found at http://www.sun.com/blueprints/1101/sunfire15k.html. More information about the Solaris Security Toolkit can be found at http://www.sun.com/security/jass/.
The purpose of this document is to provide the information necessary to assess the impact of using the Toolkit. This document will provide a "representative" set of commands as executed by the Toolkit, as well as "representative" output captured from the use of the Toolkit. The output from the Toolkit, as executed on the Sun Fire 15K, will be provided as a part of the ARS for the Sun Fire 12K/15K. This output is also applicable to Sun Fire 12K platforms. This information is not guaranteed to be accurate because the Toolkit may change over time due to changes in the Sun Fire 12K/15K platform, changes in Solaris, or due to general improvements in the Toolkit.
This document also provides the "representative" content of the files supplied by the Toolkit, so that it can be assessed by potential users of the Toolkit and adjusted after the delivery of the service. The content of the files that are modified by the Toolkit is not supplied in this document, but the content can be determined by examining the output of the Toolkit after it has been used. It is important to note that the ARS for the Sun Fire 12K/15K does not include modification of the content of these files by Sun during the delivery of the ARS for the Sun Fire 12K/15K service.
A list of disabled applications, services, and scripts is provided in this document, along with the files which are commonly considered as candidates for change subsequent to use of the Toolkit.
1.1. Legal Disclaimer
This document contains Sun intellectual property and Sun confidential information, especially trade secrets, and is covered as a Service Item by assumption #10 in the Statement of Work for the Application Readiness Service for the Sun Fire 12K/15K.
1.2. Security Customization
The following choices are available to customize the platform hardening of the Sun Fire 12K/15K. Any customization beyond the options below is beyond the scope of the ARS service.
1.2.1. System Controller Security Options
The following is the only available option when implementing the security hardening of the Sun Fire 12K/15K system controllers.
Telnet - Available only when telnet is the only available protocol that can be used to establish an interactive session to the system controller.
1.2.2. Domain Security Options
The following options are available when implementing the security hardening of the Sun Fire 12K/15K domains.
Telnet - Available only when telnet is the only available protocol that can be used to establish an interactive session to the domain.
NFS Client - Recommended for domain configurations that require NFS client services to start automatically during the multi-user stage of system boot.
RPC - Recommended when the domain configuration requires RPC services to start automatically during the multi-user stage of system boot.
RPC/NFS Server - Recommended when the domain configuration requires RPC and NFS server services to start automatically during the multi-user stage of system boot.
[1] The Solaris Security Toolkit is not a traditional Sun(TM) product, and as such, is not supported by Sun Microsystems. However, any resulting configuration of the Solaris Operating Environment after using the toolkit is supported.
Note: Options may be combined with any other, except for the RPC and RPC/NFS Server options, which are mutually exclusive.
1.3. Disabled Services/Applications/Scripts
The following services, applications, and scripts are disabled by the Toolkit without selecting any of the options. Selection of one or more options (such as selecting the option for NFS Client services) may modify the list of disabled services, applications, and scripts.
1. The Apache web server shipped with Solaris OE 8.
2. Asynchronous PPP (asppp).
3. Solaris scripts used to re-initialize or re-install the system, including S30sysid.net, S71sysid.sys, and S72autoinstall.
4. The automounter.
5. The DHCP server included in Solaris OE version 8.
6. Sun Solstice Enterprise DMI Service Provider and Sun Solstice Enterprise SNMP-DMI mapper subagent.
7. The Common Desktop Environment.
8. The LDAP client daemons included with Solaris OE version 8.
9. lp services.
10. Mobile IP (MIP) agents included in Solaris OE version 8.
11. NFS client.
12. NFS server.
13. The Platform Information and Control Library (PICL) server.
14. The auto power shutdown option.
15. rhosts authentication for rlogin and rsh.
16. Remote Procedure Calls (RPC).
17. The sendmail daemon.
18. Service Location Protocol (SLP).
19. The default Solaris OE SNMP daemons.
20. SunSoft Print Client.
21. UUCP.
22. Volume management service.
23. Web Based Enterprise Management (WBEM) daemons.
1.4. Common Changes
Files which are commonly considered as candidates for change subsequent to use of the Toolkit are identified in this section of the document.
1.4.1. /etc/dt/config/Xaccess
This file disables all remote access, whether directed or broadcast, to any X server running on this system. If your use of the system requires that users have remote access to an X server running on your Sun Fire 12K/15K domain or system controller, you will need to remove this file, or edit the contents of the file to match your specific requirements.
1.4.2. /etc/default/sendmail
This script disables the sendmail daemon startup and shutdown scripts, and adds an entry to the cron subsystem which executes sendmail once an hour. This method of purging outgoing mail is more secure than having the daemon running continually.
Removing or editing the /etc/default/sendmail file may be necessary to meet your requirements.
1.4.3. /etc/nsswitch.conf
It may be necessary to edit the contents of this file, or replace it, if your name service requirements differ from those enabled by the file provided through the Toolkit.
1.5. Solaris Security Toolkit Steps
The following table provides a "representative" set of steps as executed by the Toolkit.
Notice that backup copies of a number of files are made. This enables the Toolkit to have a limited "undo" capability. Removal of these file copies is discouraged, since it will eliminate the limited "undo" ability of the Toolkit.
# Step
1 Copy /etc/profile to /etc/profile.JASS.DATE-OF-EXECUTION
2 Add default terminal type (vt100) to /etc/profile.
3 Copy /etc/.login to /etc/.login.JASS.DATE-OF-EXECUTION
4 Add default terminal type (vt100) to /etc/.login.
5 Copy /etc/dt/config/Xaccess from /opt/SUNWjass/Files/etc/dt/config/Xaccess.
6 Copy /etc/init.d/inetsvc to /etc/init.d/inetsvc.JASS.DATE-OF-EXECUTION
7 Copy /etc/init.d/inetsvc from /opt/SUNWjass/Files/etc/init.d/inetsvc.
8 Copy /etc/init.d/nddconfig from /opt/SUNWjass/Files/etc/init.d/nddconfig.
9 Copy /etc/init.d/set-tmp-permissions from /opt/SUNWjass/Files/etc/init.d/set-tmp-permissions.
10 Copy /etc/issue from /opt/SUNWjass/Files/etc/issue.
11 Copy /etc/motd to /etc/motd.JASS.DATE-OF-EXECUTION
12 Copy /etc/motd from /opt/SUNWjass/Files/etc/motd.
13 Copy /etc/notrouter from /opt/SUNWjass/Files/etc/notrouter.
14 Copy /etc/nsswitch.conf to /etc/nsswitch.conf.JASS.DATE-OF-EXECUTION
15 Copy /etc/nsswitch.conf from /opt/SUNWjass/Files/etc/nsswitch.conf.
16 Link /etc/rc2.d/S00set-tmp-permissions from /opt/SUNWjass/Files/etc/rc2.d/S00set-tmp-permissions.
17 Link /etc/rc2.d/S07set-tmp-permissions from /opt/SUNWjass/Files/etc/rc2.d/S07set-tmp-permissions.
18 Link /etc/rc2.d/S70nddconfig from /opt/SUNWjass/Files/etc/rc2.d/S70nddconfig.
19 Rename /etc/rc3.d/S50apache to /etc/rc3.d/_S50apache.JASS.DATE-OF-EXECUTION
20 Rename /etc/rc2.d/S47asppp to /etc/rc2.d/_S47asppp.JASS.DATE-OF-EXECUTION
21 Rename /etc/rc2.d/S30sysid.net to /etc/rc2.d/_S30sysid.net.JASS.DATE-OF-EXECUTION
22 Rename /etc/rc2.d/S71sysid.sys to /etc/rc2.d/_S71sysid.sys.JASS.DATE-OF-EXECUTION
23 Rename /etc/rc2.d/S72autoinstall to /etc/rc2.d/_S72autoinstall.JASS.DATE-OF-EXECUTION
24 Rename /etc/rc2.d/S74autofs to /etc/rc2.d/_S74autofs.JASS.DATE-OF-EXECUTION
25 Rename /etc/rc3.d/S34dhcp to /etc/rc3.d/_S34dhcp.JASS.DATE-OF-EXECUTION
26 Rename /etc/rc3.d/S77dmi to /etc/rc3.d/_S77dmi.JASS.DATE-OF-EXECUTION
27 Rename /etc/rc2.d/S99dtlogin to /etc/rc2.d/_S99dtlogin.JASS.DATE-OF-EXECUTION
28 Copy /etc/init.d/rpc to /etc/init.d/rpc.JASS.DATE-OF-EXECUTION
29 Add the -d option to /usr/sbin/keyserv in /etc/init.d/rpc.
30 Rename /etc/rc2.d/S71ldap.client to /etc/rc2.d/_S71ldap.client.JASS.DATE-OF-EXECUTION
31 Rename /etc/rc2.d/S80lp to /etc/rc2.d/_S80lp.JASS.DATE-OF-EXECUTION
32 Copy /etc/cron.d/cron.deny to /etc/cron.d/cron.deny.JASS.DATE-OF-EXECUTION
33 Add the lp account to the cron.deny file.
34 Create backup directory /var/spool/cron/crontabs.JASS
35 Move /var/spool/cron/crontabs/lp to /var/spool/cron/crontabs.JASS/lp.JASS.DATE-OF-EXECUTION
36 Rename /etc/rc3.d/S80mipagent to /etc/rc3.d/_S80mipagent.JASS.DATE-OF-EXECUTION
37 Rename /etc/rc2.d/S73nfs.client to /etc/rc2.d/_S73nfs.client.JASS.DATE-OF-EXECUTION
38 Rename /etc/rc3.d/S15nfs.server to /etc/rc3.d/_S15nfs.server.JASS.DATE-OF-EXECUTION
39 Copy /etc/nscd.conf to /etc/nscd.conf.JASS.DATE-OF-EXECUTION
40 Add enable-cache no for the passwd group and hosts entries.
91 Add sms-pcd to /etc/ftpusers.
92 Add sms-tmd to /etc/ftpusers.
93 Add sms-svc to /etc/ftpusers.
94 Create the /var/adm/loginlog file.
95 Copy /etc/inet/inetd.conf to /etc/inet/inetd.conf.JASS.DATE-OF-EXECUTION
96 Copy /etc/shells to /etc/shells.JASS.DATE-OF-EXECUTION
97 Add /usr/bin/sh to /etc/shells.
98 Add /usr/bin/csh to /etc/shells.
99 Add /usr/bin/ksh to /etc/shells.
100 Add /usr/bin/jsh to /etc/shells.
101 Add /bin/sh to /etc/shells.
102 Add /bin/csh to /etc/shells.
103 Add /bin/ksh to /etc/shells.
104 Add /bin/jsh to /etc/shells.
105 Add /sbin/sh to /etc/shells.
106 Add /sbin/jsh to /etc/shells.
107 Add /bin/bash to /etc/shells.
108 Add /bin/pfcsh to /etc/shells.
109 Add /bin/pfksh to /etc/shells.
110 Add /bin/pfsh to /etc/shells.
111 Add /bin/tcsh to /etc/shells.
112 Add /bin/zsh to /etc/shells.
113 Add /usr/bin/bash to /etc/shells.
114 Add /usr/bin/pfcsh to /etc/shells.
115 Add /usr/bin/pfksh to /etc/shells.
116 Add /usr/bin/pfsh to /etc/shells.
117 Add /usr/bin/tcsh to /etc/shells.
118 Add /usr/bin/zsh to /etc/shells.
119 Copy /etc/passwd to /etc/passwd.JASS.DATE-OF-EXECUTION
120 Copy /etc/shadow to /etc/shadow.JASS.DATE-OF-EXECUTION
121 Remove the account listen from the system.
122 Remove the account nobody4 from the system.
123 Copy /etc/default/ftpd to /etc/default/ftpd.JASS.DATE-OF-EXECUTION
124 Set BANNER to "Authorized Use Only" in /etc/default/ftpd.
125 Copy /etc/default/telnetd to /etc/default/telnetd.JASS.DATE-OF-EXECUTION
126 Set BANNER to "Authorized Use Only" in /etc/default/telnetd.
127 Copy /etc/default/ftpd to /etc/default/ftpd.JASS.DATE-OF-EXECUTION
128 Set UMASK to 22 in /etc/default/ftpd.
129 Copy /etc/default/login to /etc/default/login.JASS.DATE-OF-EXECUTION
130 Set RETRIES to 3 in /etc/default/login.
131 Copy /etc/default/power to /etc/default/power.JASS.DATE-OF-EXECUTION
132 Change PMCHANGEPERM setting from console-owner to -. in /etc/default/power
133 Change CPRCHANGEPERM setting from console-owner to -. in /etc/default/power
134 Copy /etc/default/sys-suspend to /etc/default/sys-suspend.JASS.DATE-OF-EXECUTION
135 Change PERMS setting from console-owner to -. in /etc/default/sys-suspend
136 Copy /etc/vfstab to /etc/vfstab.JASS.DATE-OF-EXECUTION
137 Set maximum /tmp filesystem size to be 512m
138 Copy /etc/default/passwd to /etc/default/passwd.JASS.DATE-OF-EXECUTION
139 Change MINWEEKS setting from NONE to 1
140 Change MAXWEEKS setting from NONE to 8
141 Change WARNWEEKS setting from NONE to 1
142 Change PASSLENGTH setting from 6 to 8
143 Set umask (UMASK) value to 22 in /etc/.login
144 Copy /etc/.login to /etc/.login.JASS.DATE-OF-EXECUTION
145 Copy /etc/skel/local.login to /etc/skel/local.login.JASS.DATE-OF-EXECUTION
146 Set umask (UMASK) value to 22 in /etc/skel/local.login
147 Copy /etc/skel/local.profile to /etc/skel/local.profile.JASS.DATE-OF-EXECUTION
148 Set umask (UMASK) value to 22 in /etc/skel/local.profile
149 Copy /etc/default/login to /etc/default/login.JASS.DATE-OF-EXECUTION
150 Set umask (UMASK) value to 22 in /etc/default/login
151 Copy /etc/cron.d/at.deny to /etc/cron.d/at.deny.JASS.DATE-OF-EXECUTION
152 Add root to /etc/cron.d/at.deny
153 Add sys to /etc/cron.d/at.deny
154 Add adm to /etc/cron.d/at.deny
155 Add lp to /etc/cron.d/at.deny
156 Add uucp to /etc/cron.d/at.deny
157 Add sms-codd to /etc/cron.d/at.deny
158 Add sms-dca to /etc/cron.d/at.deny
159 Add sms-dsmd to /etc/cron.d/at.deny
160 Add sms-dxs to /etc/cron.d/at.deny
161 Add sms-efe to /etc/cron.d/at.deny
162 Add sms-esmd to /etc/cron.d/at.deny
163 Add sms-fomd to /etc/cron.d/at.deny
164 Add sms-frad to /etc/cron.d/at.deny
165 Add sms-osd to /etc/cron.d/at.deny
166 Add sms-pcd to /etc/cron.d/at.deny
167 Add sms-tmd to /etc/cron.d/at.deny
168 Add sms-svc to /etc/cron.d/at.deny
169 Copy /etc/cron.d/cron.allow to /etc/cron.d/cron.allow.JASS.DATE-OF-EXECUTION
170 Add root to /etc/cron.d/cron.allow.
171 Copy /etc/cron.d/cron.deny to /etc/cron.d/cron.deny.JASS.DATE-OF-EXECUTION
172 Add sys to /etc/cron.d/cron.deny.
173 Add adm to /etc/cron.d/cron.deny.
174 Add uucp to /etc/cron.d/cron.deny.
175 Add sms-codd to /etc/cron.d/cron.deny.
176 Add sms-dca to /etc/cron.d/cron.deny.
177 Add sms-dsmd to /etc/cron.d/cron.deny.
178 Add sms-dxs to /etc/cron.d/cron.deny.
179 Add sms-efe to /etc/cron.d/cron.deny.
180 Add sms-esmd to /etc/cron.d/cron.deny.
181 Add sms-fomd to /etc/cron.d/cron.deny.
182 Add sms-frad to /etc/cron.d/cron.deny.
183 Add sms-osd to /etc/cron.d/cron.deny.
184 Add sms-pcd to /etc/cron.d/cron.deny.
185 Add sms-tmd to /etc/cron.d/cron.deny.
186 Add sms-svc to /etc/cron.d/cron.deny.
187 Copy /etc/cron.d/logchecker to /etc/cron.d/logchecker.JASS.DATE-OF-EXECUTION
188 Set the maximum size of the CRON facility log to 20480 from its previous value of 1024
189 Copy /etc/inet/inetd.conf to /etc/inet/inetd.conf.JASS.DATE-OF-EXECUTION
190 Disable service ftp (/usr/sbin/in.ftpd).
191 Disable service telnet (/usr/sbin/in.telnetd).
192 Disable service name (/usr/sbin/in.tnamed).
193 Disable service talk (/usr/sbin/in.talkd).
194 Disable service uucp (/usr/sbin/in.uucpd).
195 Disable service finger (/usr/sbin/in.fingerd).
196 Disable service rquotad (/usr/lib/nfs/rquotad).
197 Disable service rusersd (/usr/lib/netsvc/rusers/rpc.rusersd).
198 Disable service sprayd (/usr/lib/netsvc/spray/rpc.sprayd).
199 Disable service walld (/usr/lib/netsvc/rwall/rpc.rwalld).
200 Disable service comsat (/usr/sbin/in.comsat).
201 Disable service time (internal).
202 Disable service echo (internal).
203 Disable service discard (internal).
204 Disable service daytime (internal).
205 Disable service chargen (internal).
206 Disable service rstatd (/usr/lib/netsvc/rstat/rpc.rstatd).
207 Disable service 100068 (/usr/dt/bin/rpc.cmsd).
208 Disable service 100083 (/usr/dt/bin/rpc.ttdbserverd).
209 Disable service 100221 (/usr/openwin/bin/kcms_server).
210 Disable service fs (/usr/openwin/lib/fs.auto).
211 Disable service 100232 (/usr/sbin/sadmind).
212 Disable service 100235 (/usr/lib/fs/cachefs/cachefsd).
213 Disable service printer (/usr/lib/print/in.lpd).
214 Disable service 100234 (/usr/lib/gss/gssd).
215 Disable service dtspc (/usr/dt/bin/dtspcd).
216 Disable service 100146 (/usr/lib/security/amiserv).
217 Disable service 100147 (/usr/lib/security/amiserv).
218 Disable service 100150 (/usr/sbin/ocfserv).
219 Disable service 100134 (/usr/lib/krb5/ktkt_warnd).
220 Disable service 100229 (/usr/sbin/rpc.metad).
221 Disable service 100230 (/usr/sbin/rpc.metamhd).
222 Disable service 300326 (/platform/SUNWUltra-Enterprise-10000/lib/dr_daemon).
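The step table shows the naming convention behind the Toolkit's limited "undo": a file is copied to FILE.JASS.DATE-OF-EXECUTION before it is changed, and a disabled rc script is renamed to _SNNname.JASS.DATE-OF-EXECUTION. The POSIX sh helper below is an added example, not part of this document or of the Toolkit; it inventories those backups and restores a single original. It assumes the DATE-OF-EXECUTION suffix sorts lexically (for example YYYYMMDDHHMMSS) and takes a hypothetical ROOT argument so a copied tree can be scanned instead of the live system.

```shell
#!/bin/sh
# Added example (not Sun's or the Toolkit's code). Works on the backup naming
# the step table shows: FILE.JASS.<timestamp> and _SNNname.JASS.<timestamp>.
# Assumption: the timestamp suffix sorts lexically, so the highest is newest.

# jass_original_name BACKUP
#   Map a backup or renamed rc script back to the path it was made from:
#   /etc/rc3.d/_S50apache.JASS.20020227120000 -> /etc/rc3.d/S50apache
#   /etc/motd.JASS.20020227120000             -> /etc/motd
jass_original_name() {
    p=${1%%.JASS.*}                 # drop the .JASS.<timestamp> suffix
    d=$(dirname "$p"); b=$(basename "$p")
    case "$b" in
        _S[0-9][0-9]*) b=${b#_} ;;  # rc script disabled by a leading underscore
    esac
    printf '%s/%s\n' "$d" "$b"
}

# jass_latest_backup ORIGINAL
#   Print the newest backup of ORIGINAL; exit 1 and print nothing if none exists.
jass_latest_backup() {
    d=$(dirname "$1"); b=$(basename "$1")
    latest=
    for f in "$d/$b".JASS.* "$d/_$b".JASS.*; do
        [ -e "$f" ] || continue
        # expr string comparison is POSIX; the suffixes are sortable timestamps
        if [ -z "$latest" ] || expr "${f##*.JASS.}" \> "${latest##*.JASS.}" >/dev/null; then
            latest=$f
        fi
    done
    [ -n "$latest" ] || return 1
    printf '%s\n' "$latest"
}

# jass_list_backups ROOT
#   Inventory every Toolkit backup under ROOT/etc as "original <- backup", so the
#   undo material the document says not to delete can be audited before cleanup.
jass_list_backups() {
    find "$1/etc" -name '*.JASS.*' 2>/dev/null | sort | while read -r f; do
        printf '%s <- %s\n' "$(jass_original_name "$f")" "$f"
    done
}

# jass_restore ORIGINAL
#   Put the newest backup back: a copy for an edited file (the backup survives),
#   a rename for a disabled rc script (which re-enables it at the next boot).
jass_restore() {
    b=$(jass_latest_backup "$1") || { echo "no Toolkit backup for $1" >&2; return 1; }
    case "$(basename "$b")" in
        _S[0-9][0-9]*) mv "$b" "$1" ;;
        *)             cp -p "$b" "$1" ;;
    esac
}

# Usage when run directly:  sh jass-undo.sh list [ROOT]   or   sh jass-undo.sh restore FILE
case "${1:-}" in
    list)    jass_list_backups "${2:-/}" ;;
    restore) jass_restore "$2" ;;
esac
```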
1.6. Solaris Security Toolkit File Content
Representative file content provided by the Toolkit during the delivery of the ARS for the Sun Fire 12K/15K is illustrated in Appendix A.
1.6.1. /etc/issue and /etc/motd
These files are based on U.S. government recommendations. They provide users legal notice that their activities may be monitored. If an organization has specific legal banners, they can be installed into these files. The file content is shown below.
###################################################################
# This system is for the use of authorized users only.            #
# Individuals using this computer system without authority, or in #
# excess of their authority, are subject to having all of their   #
# activities on this system monitored and recorded by system      #
# personnel.                                                      #
#                                                                 #
# In the course of monitoring individuals improperly using this   #
# system, or in the course of system maintenance, the activities  #
# of authorized users may also be monitored.                      #
#                                                                 #
# Anyone using this system expressly consents to such monitoring  #
# and is advised that if such monitoring reveals possible         #
# evidence of criminal activity, system personnel may provide the #
# evidence of such monitoring to law enforcement officials.       #
###################################################################
1.6.2. /etc/notrouter
This file disables IP forwarding between interfaces on the system by creating an /etc/notrouter file. Once the JumpStart client is rebooted, the client will no longer function as a router, regardless of the number of network interfaces. This is an empty file.
1.6.3. /etc/nsswitch.conf
This is an nsswitch.conf file configured so that a system will use files for name resolution. It is a copy of the /etc/nsswitch.files shipped with Solaris 8 OE. The file content is shown below.
# /etc/nsswitch.files:
#
# An example file that could be copied over to /etc/nsswitch.conf; it
# does not use any naming service.
#
# "hosts:" and "services:" in this file are used only if the
# /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.

passwd:       files
group:        files
hosts:        files # dns
ipnodes:      files
networks:     files
protocols:    files
rpc:          files
ethers:       files
netmasks:     files
bootparams:   files
publickey:    files
# At present there isn't a 'files' backend for netgroup; the system will
# figure it out pretty quickly, and won't use netgroups at all.
netgroup:     files
automount:    files
aliases:      files
services:     files
sendmailvars: files
printers:     user files

auth_attr:    files
prof_attr:    files
1.6.4. /etc/syslog.conf
This modified /etc/syslog.conf file is installed to perform additional logging. It serves as a placeholder for organizations to add in their own centralized log server (or servers) so that proactive log analysis can be done. The file content is shown below.
#
# Copyright (c) 2000, 2001 by Sun Microsystems, Inc.
# All rights reserved.
#
#ident "@(#)syslog.conf 2.2 01/06/10 SMI"
#
# This "syslog.conf" file was installed by JASS. This
# file should be used to log information both locally as
# well as to a centralized log server (or servers) so that
# proactive log analysis can be done.

*.err;kern.notice;auth.notice   /dev/console
*.alert                         root
*.emerg                         *
*.debug                         /var/adm/message
# *.debug                       @loghost1
# *.debug                       @loghost2
1.6.5. /etc/default/sendmail
This file is copied onto the system being hardened by the disable-sendmail.fin script on a Solaris 8 OE system. This sendmail.cf file sends all mail to the root account on the local host. The file content is shown below.
# sendmail.cf to local root user

# Define version
V8
# Whom errors should appear to be from
DnMailer-Daemon
# Formatting of the unix from line
DlFrom $g $d
# Separators
Do.:%@!^=/[]
# From of the sender's address
Dq
# Spool directory
OQ/usr/spool/mqueue

### Mailer Delivery Agents
Mlocal, P=/usr/lib/mail.local, F=lsDFMAw5:/|@qSXfmnz9, S=10/30, R=20/40,
        T=DNS/RFC822/X-UNIX, A=mail.local -l
Mprog,  P=/dev/null, F=lsDFMeuP, S=0, R=0, A=/dev/null

### Rule sets - whitespace between columns must be tabs!!!
S0
R@$+		$#error $: missing user name
R$+		$#local $@$R $:root	forward to local root user

S3
R$*$*		$:root			handle error address
R$*$*		$:root			basic rfc822 parsing
1.6.6. /etc/dt/config/Xaccess
This file disables all remote access, whether directed or broadcast, to any X server running on this system. The file content is shown below.
###########################################################################
## Xaccess
## Common Desktop Environment
##
## (c) Copyright 1993, 1994 Hewlett-Packard Company
## (c) Copyright 1993, 1994 International Business Machines Corp.
## (c) Copyright 1993, 1994 Sun Microsystems, Inc.
## (c) Copyright 1993, 1994 Novell, Inc.
##
## ************** DO NOT EDIT THIS FILE **************
##
## /usr/dt/config/Xaccess is a factory-default file and will
## be unconditionally overwritten upon subsequent installation.
## Before making changes to the file, copy it to the configuration
## directory, /etc/dt/config. You must also update the accessFile
## resource in /etc/dt/config/Xconfig.
##
## $XConsortium: Xaccess.src /main/cde1_maint/2 1995/08/30 16:21:28 gtsang $
###########################################################################
##
## This file contains a list of host names which are allowed or
## denied XDMCP connection access to this machine. When a remote
## display (typically an X-terminal) requests login service, Dtlogin
## will consult this file to determine if service should be granted
## or denied.
##
## # Access control file for XDMCP connections
##
## To control Direct and Broadcast access:
##
##      pattern
##
## To control Indirect queries:
##
##      pattern         list of hostnames and/or macros ...
##
## To use the chooser:
##
##      pattern         CHOOSER BROADCAST
##
## or
##
##      pattern         CHOOSER list of hostnames and/or macros ...
##
## To define macros:
##
##      %name           list of hosts ...
##
## The first form tells dtlogin which displays to respond to itself.
## The second form tells dtlogin to forward indirect queries from hosts
## matching the specified pattern to the indicated list of hosts.
## The third form tells dtlogin to handle indirect queries using the
## chooser; the chooser is directed to send its own queries out via the
## broadcast address and display the results on the terminal.
## The fourth form is similar to the third, except instead of using the
## broadcast address, it sends DirectQuerys to each of the hosts in
## the list
##
## In all cases, dtlogin uses the first entry which matches the terminal;
## for IndirectQuery messages only entries with right hand sides can
## match, for Direct and Broadcast Query messages, only entries without
## right hand sides can match.
##
## Information regarding the format of entries in this file is
## included at the end of the file.
###########################################################################
##
## Entries...
##
#*                      # grant service to all remote displays
##
## The nicest way to run the chooser is to just ask it to broadcast
## requests to the network - that way new hosts show up automatically.
## Sometimes, however, the chooser can't figure out how to broadcast,
## so this may not work in all environments.
##
#*      CHOOSER BROADCAST       # any indirect host can get a chooser
##
## If you'd prefer to configure the set of hosts each terminal sees,
## then just uncomment these lines (and comment the CHOOSER line above)
## and edit the %hostlist line as appropriate
##
#%hostlist      host-a host-b
##
#*      CHOOSER %hostlist
##
###########################################################################
##
## ENTRY FORMAT
##
## An entry in this file is either a host name or a pattern. A
## pattern may contain one or more meta characters (`*' matches any
## sequence of 0 or more characters, and `?' matches any single
## character) which are compared against the host name of the remote
## device requesting service.
##
## If the entry is a host name, all comparisons are done using
## network addresses, so any name which converts to the correct
## network address may be used. For patterns, only canonical host
## names are used in the comparison, so do not attempt to match
## aliases.
##
## Preceding either a host name or a pattern with a `!' character
## causes hosts which match that entry to be excluded.
##
## When checking access for a particular display host, each entry is
## scanned in turn and the first matching entry determines the
## response.
##
## Blank lines are ignored, `#' is treated as a comment delimiter
## causing the rest of that line to be ignored,
##
## ex.
##      !xtra.lcs.mit.edu       # disallow direct/broadcast service for xtra
##      bambi.ogi.edu           # allow access from this particular display
##      *.lcs.mit.edu           # allow access from any display in LCS

## Deny all remote access (direct/broadcast) to this X server.
!*
1.6.7. /etc/init.d/nddconfig and /etc/rc2.d/S70nddconfig
These files copy over the nddconfig and S70nddconfig startup scripts. The file content is shown below.
#!/sbin/sh
#
# Copyright (c) 1999-2001 by Sun Microsystems, Inc.
# All rights reserved.
#
# $Id: nddconfig,v 1.5 2000/12/08 02:10:14 kaw Exp $
#
# INTRODUCTION
#
# This script sets network driver parameters to prevent some network
# attacks. Install this script to make changes at system boot. For
# further information on the parameters set in this script, see
# the Sun Blueprints(tm) OnLine article entitled "Solaris Operating
# Environment Network Settings for Security - updated for 8".
#
# http://www.sun.com/blueprints/1200/network-updt1.pdf
#
# The latest version of this script is available from the Blueprints
# Online tools area at:
#
# http://www.sun.com/blueprints/tools/
#
# This script is written for the Solaris 2.5.1, 2.6, 7, and 8 Operating
# Environment releases.
#
# WARNING
#
# This script makes changes to the system default network driver
# parameters. The settings included in this script are considered safe
# in terms of security. However, some settings may not work in your
# environment. The comments provided for each parameter explain the
# effect the setting has.
#
# INSTALLATION
#
# # cp /etc/init.d/nddconfig
# # chmod 744 /etc/init.d/nddconfig
# # chown root:sys /etc/init.d/nddconfig
# # ln /etc/init.d/nddconfig /etc/rc2.d/S70nddconfig
#
# WARNING MESSAGES
#
# When adding specific privileged ports ({tcp|udp}_extra_priv_ports_add),
# if a specific port number has already been applied, the following
# warning message is displayed:
#
# operation failed, File exists
#
# This is a very poor ndd warning message. It can be safely ignored.
#
# Keith A. Watson
#

PATH=/usr/bin:/usr/sbin

#
# A note about parameter values:
# '0' == false/off/disable
# '1' == true/on/enable
#

#
# verbose
#
# This option enables verbose output generated by this script.
#
verbose=1

#
# arp_cleanup_interval
#
# This option determines the period of time the Address Resolution
# Protocol (ARP) cache maintains entries. ARP attacks may be effective
# with the default interval. Shortening the timeout interval should
# reduce the effectiveness of such an attack.
# The default value is 300000 milliseconds (5 minutes).
#
arp_cleanup_interval=60000

#
# ip_forward_directed_broadcasts
#
# This option determines whether to forward broadcast packets directed
# to a specific net or subnet, if that net or subnet is directly
# connected to the machine. If the system is acting as a router, this
# option can be exploited to generate a great deal of broadcast network
# traffic. Turning this option off will help prevent broadcast traffic
# attacks.
# The default value is 1 (true).
#
ip_forward_directed_broadcasts=0

#
# ip_forward_src_routed
# ip6_forward_src_routed (Solaris 8)
#
# This option determines whether to forward packets that are source
# routed. These packets define the path the packet should take instead
# of allowing network routers to define the path.
Security Page 13 of 36 February 27, 2002
Copyright 2001 Sun Microsystems, Inc. All rights reserved.
-
7/28/2019 15k OS Security Suite
14/36
Sun Proprietary and Confidential: Need to Know
Application Readiness Service for Sun Fire 12K/15K Security
# The default value is 1 (true).#ip_forward_src_routed=0ip6_forward_src_routed=0
## ip_ignore_redirect# ip6_ignore_redirect (Solaris 8)#
# This option determines whether to ignore Internet Control Message# Protocol (ICMP) packets that define new routes. If the system is# acting as a router, an attacker may send redirect messages to alter# routing tables as part of sophisticated attack (man in the middle# attack) or a simple denial of service.# The default value is 0 (false).#ip_ignore_redirect=1ip6_ignore_redirect=1
## ip_ire_flush_interval (Solaris 2.5.1, 2.6, and 7)# ip_ire_arp_interval (Solaris 8)## This option determines the period of time at which a specific route# will be kept, even if currently in use. ARP attacks may be effective# with the default interval. Shortening the time interval may reduce# the effectiveness of attacks.# The default interval is 1200000 milliseconds (20 minutes).#ip_ire_flush_interval=60000ip_ire_arp_interval=60000
## ip_respond_to_address_mask_broadcast## This options determines whether to respond to ICMP netmask requests# which are typically sent by diskless clients when booting. An# attacker may use the netmask information for determining network# topology or the broadcast address for the subnet.# The default value is 0 (false).#ip_respond_to_address_mask_broadcast=0
## ip_respond_to_echo_broadcast# ip6_respond_to_echo_multicast (Solaris 8)#
# This option determines whether to respond to ICMP broadcast echo# requests (ping). An attacker may try to create a denial of service# attack on subnets by sending many broadcast echo requests to which all# systems will respond. This also provides information on systems that# are available on the network.# The default value is 1 (true).#ip_respond_to_echo_broadcast=0ip6_respond_to_echo_multicast=0
## ip_respond_to_timestamp## This option determines whether to respond to ICMP timestamp requests# which some systems use to discover the time on a remote system. An# attacker may use the time information to schedule an attack at a# period of time when the system may run a cron job (or other time-# based event) or otherwise be busy. It may also be possible predict# ID or sequence numbers that are based on the time of day for spoofing# services.# The default value is 1 (true).#ip_respond_to_timestamp=0
## ip_respond_to_timestamp_broadcast## This option determines whether to respond to ICMP broadcast timestamp# requests which are used to discover the time on all systems in the# broadcast range. This option is dangerous for the same reasons as# responding to a single timestamp request. Additionally, an attacker# may try to create a denial of service attack by generating many# broadcast timestamp requests.
Security Page 14 of 36 February 27, 2002
Copyright 2001 Sun Microsystems, Inc. All rights reserved.
-
7/28/2019 15k OS Security Suite
15/36
Sun Proprietary and Confidential: Need to Know
Application Readiness Service for Sun Fire 12K/15K Security
# The default value is 1 (true).#ip_respond_to_timestamp_broadcast=0
## ip_send_redirects# ip6_send_redirects (Solaris 8)## This option determines whether to send ICMP redirect messages which
# can introduce changes into remote system's routing table. It should# only be used on systems that act as routers.# The default value is 1 (true).#ip_send_redirects=0ip6_send_redirects=0
## ip_strict_dst_multihoming# ip6_strict_dst_multihoming (Solaris 8)## This option determines whether to enable strict destination# multihoming. If this is set to 1 and ip_forwarding is set to 0, then# a packet sent to an interface from which it did not arrive will be# dropped. This setting prevents an attacker from passing packets across# a machine with multiple interfaces that is not acting a router.# The default value is 0 (false).#ip_strict_dst_multihoming=1ip6_strict_dst_multihoming=1
## tcp_conn_req_max_q0## This option sets the size of the queue containing unestablished# connections. This queue is part of a protection mechanism against# SYN flood attacks. The queue size default is adequate for most# systems but should be increased for busy servers.# The default value is 1024.#tcp_conn_req_max_q0=4096
## tcp_conn_req_max_q## This option sets the maximum number fully established connections.# Increasing the size of this queue provides some limited protection# against resource consumption attacks. The queue size default is
# adequate for most systems but should be increased for busy servers.# The default value is 128.#tcp_conn_req_max_q=1024
## tcp_rev_src_routes (Solaris 8)## This option determines whether the specified route in a source# routed packet will be used in returned packets. TCP source routed# packets may be used in spoofing attacks, so the reverse route should# not be used.# The default value is 0 (false).#tcp_rev_src_routes=0
## Adding specific privileged ports (Solaris 2.6, 7, and 8)#
# These options define additional TCP and UDP privileged ports outside# of the 1-1023 range. Any program that attempts to bind the ports# listed here must run as root. This prevents normal users from# starting server processes on specific ports. Multiple ports can be# specifed by quoting and separating them with spaces.## Defaults values:# tcp_extra_priv_ports: 2049 (nfsd) 4045 (lockd)# udp_extra_priv_ports: 2049 (nfsd) 4045 (lockd)#tcp_extra_priv_ports_add="6112"udp_extra_priv_ports_add=""## Ephemeral port range adjustment (Solaris 2.5.1, 2.6, 7, and 8)
Security Page 15 of 36 February 27, 2002
Copyright 2001 Sun Microsystems, Inc. All rights reserved.
-
7/28/2019 15k OS Security Suite
16/36
Sun Proprietary and Confidential: Need to Know
Application Readiness Service for Sun Fire 12K/15K Security
## These options define the upper and lower bounds on ephemeral ports.# Ephemeral (means short-lived) ports are used when establishing# outbound network connections.## Defaults values:# tcp_smallest_anon_port=32768# tcp_largest_anon_port=65535# udp_smallest_anon_port=32768# udp_largest_anon_port=65535
#tcp_smallest_anon_port=32768tcp_largest_anon_port=65535udp_smallest_anon_port=32768udp_largest_anon_port=65535
## Nonprivileged port range adjustment (Solaris 2.5.1, 2.6, 7, and 8)## These options define the start of nonprivileged TCP and UDP ports.# The nonprivileged port range normally starts at 1024. Any program# that attempts to bind a nonprivileged port does not have to run as# root.## Defaults values:# tcp_smallest_nonpriv_port=1024# udp_smallest_nonpriv_port=1024#tcp_smallest_nonpriv_port=1024
udp_smallest_nonpriv_port=1024
# +-----------------------------------------+# | No modification needed below this line. |# +-----------------------------------------+
## base parameters (the same across the 2.5.1, 2.6, 7, 8, and 9 (alpha)# releases)#base_parameters="arp_cleanup_interval \
ip_forward_directed_broadcasts \ip_forward_src_routed \ip_ignore_redirect \ip_respond_to_address_mask_broadcast \ip_respond_to_echo_broadcast \
ip_respond_to_timestamp \ip_respond_to_timestamp_broadcast \ip_send_redirects \ip_strict_dst_multihoming \tcp_conn_req_max_q0 \tcp_conn_req_max_q \tcp_smallest_anon_port \tcp_largest_anon_port \udp_smallest_anon_port \udp_largest_anon_port \tcp_smallest_nonpriv_port \udp_smallest_nonpriv_port"
## OS_revision specific parameters#
# Solaris 2.5.1 specific parametersSunOS5_5_1="ip_ire_flush_interval"
# Solaris 2.6 specific parametersSunOS5_6="ip_ire_flush_interval \
tcp_extra_priv_ports_add \udp_extra_priv_ports_add"
# Solaris 7 specific parametersSunOS5_7="ip_ire_flush_interval \
tcp_extra_priv_ports_add \udp_extra_priv_ports_add"
# Solaris 8 specific parametersSunOS5_8="ip_ire_arp_interval \
Security Page 16 of 36 February 27, 2002
Copyright 2001 Sun Microsystems, Inc. All rights reserved.
-
7/28/2019 15k OS Security Suite
17/36
Sun Proprietary and Confidential: Need to Know
Application Readiness Service for Sun Fire 12K/15K Security
tcp_extra_priv_ports_add \udp_extra_priv_ports_add \tcp_rev_src_routes"
# Solaris 9 (alpha) specific parametersSunOS5_9="ip_ire_arp_interval \
tcp_extra_priv_ports_add \udp_extra_priv_ports_add \tcp_rev_src_routes"
## IPv6 parameters (apply to Solaris 8 and 9 (alpha))#ip6_parameters="ip6_forward_src_routed \
ip6_respond_to_echo_multicast \ip6_send_redirects \ip6_ignore_redirect \ip6_strict_dst_multihoming"
## system privilege ports defaults#extra_priv_ports_defaults="2049 4045 "
## get OS name and revision information#os=`uname -s`
revision=`uname -r`OSRev=$os`echo $revision | sed -e 's/\./_/g'`
## check if IPv6 is enabled#ip6_interfaces="`echo /etc/hostname6.*[0-9] 2> /dev/null`"[ "$ip6_interfaces" != "/etc/hostname6.*[0-9]" ] && ip6_enabled=true
## do_in_order -- This function executes the specified functions with# the appropriate parameters for the local OS, revision, and# configuration. Currently it acts on a specific base set of# parameters, OS and revision specific parameters, and IPv6# parameters.#do_in_order() { # function_name
function_name=$1
# handle the base parametersfor param in $base_parameters; do
$function_name $paramdone
# handle the OS/revision specific parameterseval OSRev_params=\$$OSRevfor param in $OSRev_params; do
$function_name $paramdone
# handle IPv6 parametersif [ "$ip6_enabled" = "true" ]; then
for param in $ip6_parameters; do$function_name $param
done
fi
}
## set_parameter -- This function uses ndd to set a parameter.# The supplied parameter name has a shell variable with the same# name which contains the value for the parameter.#set_parameter() { # parameter
# definition for local variableparam=$1
Security Page 17 of 36 February 27, 2002
Copyright 2001 Sun Microsystems, Inc. All rights reserved.
-
7/28/2019 15k OS Security Suite
18/36
Sun Proprietary and Confidential: Need to Know
Application Readiness Service for Sun Fire 12K/15K Security
# determine the driver from the first substring in the parameter namedriver=/dev/`echo $param | sed -e 's/_.*//'`
eval values=\$$param
# First check that a value for the parameter exists. If not, skip it.if [ -n "$values" ]; then
# Some parameters may have multiple values specified in one# assignment further up in the script. ndd only accepts one# parameter at a time. Loop through and set each value.for value in $values; do
[ "$verbose" = "1" ] && \echo "Setting $driver $param to $value"
ndd -set $driver $param $valuedone
fi}
## display_parameter -- This function uses ndd to extract the value of# a parameter and display it.#display_parameter() { # parameter
# definition for local variable
param=$1
# hack for the "write only" extra privileged ports parametersparam=`echo $param | sed -e 's/_add$//'`
# determine the driver from the first substring in the parameter namedriver=/dev/`echo $param | sed -e 's/_.*//'`
# execute the ndd command to retrieve settings and remove newlinesvalue=`ndd $driver $param | tr -d '\n'`
# print parameter valueecho " $driver $param = '$value'"
}
#
# compare_parameter -- This function uses ndd to extract the value of# a parameter. It compares the current parameter value to the one# defined in this script.#compare_parameter() { # parameter
# definition for local variableoriginalParam=$1
# hack for the "write only" extra privileged ports parametersmodifiedParam=`echo $originalParam | sed -e 's/_add$//'`
# determine the driver from the first substring in the parameter namedriver=/dev/`echo $modifiedParam | sed -e 's/_.*//'`
# execute the ndd command to retrieve settings and remove newlinescurrentValue=`ndd $driver $modifiedParam | tr -d '\n'`
eval intendedValue="\$$originalParam"
# if the modified parameter name is different from the original# parameter, then we are dealing with the privileged port parametersif [ "$modifiedParam" != "$originalParam" ]; then
# the privileged port parameters have system defaults that must# be accounted for in the comparisonif [ -n "$intendedValue" ]; then
intendedValue="$extra_priv_ports_defaults$intendedValue "else
intendedValue="$extra_priv_ports_defaults"fi
Security Page 18 of 36 February 27, 2002
Copyright 2001 Sun Microsystems, Inc. All rights reserved.
-
7/28/2019 15k OS Security Suite
19/36
Sun Proprietary and Confidential: Need to Know
Application Readiness Service for Sun Fire 12K/15K Security
fi
# print parameter value and note all deviationsecho " $driver $modifiedParam = '$currentValue'\c"if [ "$intendedValue" != "$currentValue" ]; then
echo " (should be '$intendedValue')"else
echo " (ok)"fi
}
# Process the command argumentcase "$1" in
'start')
# set the parameters in the defined orderdo_in_order set_parameter;;
'show')
echo "Current ndd parameter settings:"do_in_order display_parameter;;
'compare')
echo "Comparison of ndd parameter settings:"do_in_order compare_parameter;;
'stop')# ignored[ "$verbose" = "1" ] && \
echo "$0: 'stop' ignored. No network changes applied.";;
*)echo "Usage: $0 { start | stop | show | compare }"exit 1;;
esac
exit 0
1.6.8. set-tmp-permissions scripts
The purpose of these scripts (/etc/init.d/set-tmp-permissions, /etc/rc2.d/S00set-tmp-permissions and /etc/rc2.d/S07set-tmp-permissions) is to set the correct permissions on the /tmp and /var/tmp directories when the system is rebooted. If an inconsistency is found, it is displayed on standard output and logged via SYSLOG. The script is installed into /etc/rc2.d twice so that the check is performed both before and after the mountall command is run from S01MOUNTFSYS. This helps ensure that both the mount point and the mounted filesystem have the correct permissions and ownership. The file content is shown below; the contents of each file are identical.
#!/bin/sh
#
# Copyright (c) 2001 by Sun Microsystems, Inc.
# All rights reserved.
#
#ident "@(#)set-tmp-permissions 1.2 01/06/10 SMI"
#
# INTRODUCTION
#
# The purpose of this script is to set the correct
# permissions on the /tmp and /var/tmp directories
# when the system is rebooted. If an inconsistency
# is found, it will be displayed to standard output
# and logged via SYSLOG.
#
# INSTALLATION
#
# To install this script, the following commands should
# be performed as 'root'.
#
# # cp /etc/init.d/set-tmp-permissions
# # chmod 744 /etc/init.d/set-tmp-permissions
# # chown root:sys /etc/init.d/set-tmp-permissions
# # ln /etc/init.d/set-tmp-permissions /etc/rc2.d/S01set-tmp-permissions
# # ln /etc/init.d/set-tmp-permissions /etc/rc2.d/S07set-tmp-permissions
#
# The reason that this script is installed into /etc/rc2.d
# twice is to permit this check to be performed both before
# and after the "mountall" command is run (from S01MOUNTFSYS).
# That way, both the mount point and the mounted filesystem
# will be sure to have the correct permissions and ownership.
#
# Glenn M. Brunette
#

TMP_OWNER="root"
TMP_GROUP="sys"

# If you change TMP_PERMS for any reason, be sure to update
# TMP_PERMS_SET accordingly. These values are reasonable,
# however, and should not need to be changed.

TMP_PERMS="drwxrwxrwt"
TMP_PERMS_SET="1777"

# Verify both /tmp and /var/tmp.

for tmppath in /tmp /var/tmp; do
    if [ -d "${tmppath}" ]; then
        oldVal="`ls -ld ${tmppath}`"

        # Obtain and verify the permissions on ${tmppath}.
        perms="`echo ${oldVal} | awk '{ print $1 }'`"
        if [ "${TMP_PERMS}" != "${perms}" ]; then
            echo "WARNING: ${tmppath} had incorrect permissions (${perms})."
        fi

        # Obtain and verify the ownership of ${tmppath}.
        owner="`echo ${oldVal} | awk '{ print $3 }'`"
        if [ "${TMP_OWNER}" != "${owner}" ]; then
            echo "WARNING: ${tmppath} had incorrect ownership (${owner})."
        fi

        # Obtain and verify the group of ${tmppath}.
        group="`echo ${oldVal} | awk '{ print $4 }'`"
        if [ "${TMP_GROUP}" != "${group}" ]; then
            echo "WARNING: ${tmppath} had an incorrect group setting (${group})."
        fi

        # Make all of the changes to ${tmppath} to bring it into
        # compliance with the settings as defined above.
        /bin/chown ${TMP_OWNER} ${tmppath}
        /bin/chgrp ${TMP_GROUP} ${tmppath}
        /bin/chmod ${TMP_PERMS_SET} ${tmppath}
    fi
done
1.6.9. /etc/init.d/inetsvc
This file replaces the default /etc/init.d/inetsvc with a minimized version containing only those commands required for the configuration of the network interfaces. The minimized script has only four lines, as compared to the 256 lines of the Solaris 8 OE version. The minimized inetsvc script is as follows:
#!/bin/sh
/usr/sbin/ifconfig -au netmask + broadcast +
/usr/sbin/inetd -s -t &
1.6.10. /etc/inet/inetd.conf
The following table shows sample contents of the inetd.conf file, excluding the header, prior to use of the Toolkit.

ftp stream tcp6 nowait root /usr/sbin/in.ftpd in.ftpd
telnet stream tcp6 nowait root /usr/sbin/in.telnetd in.telnetd
name dgram udp wait root /usr/sbin/in.tnamed in.tnamed
shell stream tcp nowait root /usr/sbin/in.rshd in.rshd
shell stream tcp6 nowait root /usr/sbin/in.rshd in.rshd
login stream tcp6 nowait root /usr/sbin/in.rlogind in.rlogind
exec stream tcp nowait root /usr/sbin/in.rexecd in.rexecd
exec stream tcp6 nowait root /usr/sbin/in.rexecd in.rexecd
comsat dgram udp wait root /usr/sbin/in.comsat in.comsat
talk dgram udp wait root /usr/sbin/in.talkd in.talkd
uucp stream tcp nowait root /usr/sbin/in.uucpd in.uucpd
finger stream tcp6 nowait nobody /usr/sbin/in.fingerd in.fingerd
time stream tcp6 nowait root internal
time dgram udp6 wait root internal
echo stream tcp6 nowait root internal
echo dgram udp6 wait root internal
discard stream tcp6 nowait root internal
discard dgram udp6 wait root internal
daytime stream tcp6 nowait root internal
daytime dgram udp6 wait root internal
chargen stream tcp6 nowait root internal
chargen dgram udp6 wait root internal
100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind
rquotad/1 tli rpc/datagram_v wait root /usr/lib/nfs/rquotad rquotad
rusersd/2-3 tli rpc/datagram_v,circuit_v wait root /usr/lib/netsvc/rusers/rpc.rusersd rpc.rusersd
sprayd/1 tli rpc/datagram_v wait root /usr/lib/netsvc/spray/rpc.sprayd rpc.sprayd
walld/1 tli rpc/datagram_v wait root /usr/lib/netsvc/rwall/rpc.rwalld rpc.rwalld
rstatd/2-4 tli rpc/datagram_v wait root /usr/lib/netsvc/rstat/rpc.rstatd rpc.rstatd
100083/1 tli rpc/tcp wait root /usr/dt/bin/rpc.ttdbserverd rpc.ttdbserverd
100221/1 tli rpc/tcp wait root /usr/openwin/bin/kcms_server kcms_server
fs stream tcp wait nobody /usr/openwin/lib/fs.auto fs
100235/1 tli rpc/tcp wait root /usr/lib/fs/cachefs/cachefsd cachefsd
100134/1 tli rpc/ticotsord wait root /usr/lib/krb5/ktkt_warnd ktkt_warnd
printer stream tcp6 nowait root /usr/lib/print/in.lpd in.lpd
100234/1 tli rpc/ticotsord wait root /usr/lib/gss/gssd gssd
100146/1 tli rpc/ticotsord wait root /usr/lib/security/amiserv amiserv
100147/1 tli rpc/ticotsord wait root /usr/lib/security/amiserv amiserv
100150/1 tli rpc/ticotsord wait root /usr/sbin/ocfserv ocfserv
dtspc stream tcp nowait root /usr/dt/bin/dtspcd /usr/dt/bin/dtspcd
100068/2-5 dgram rpc/udp wait root /usr/dt/bin/rpc.cmsd rpc.cmsd
sun-dr stream tcp wait root /usr/lib/dcs dcs
sun-dr stream tcp6 wait root /usr/lib/dcs dcs
300326/4 tli rpc/tcp wait root /platform/SUNW,Ultra-Enterprise-10000/lib/dr_daemon dr_daemon
100229/1 tli rpc/tcp wait root /usr/sbin/rpc.metad rpc.metad
100230/1 tli rpc/tcp wait root /usr/sbin/rpc.metamhd rpc.metamhd
The following table shows the contents of the inetd.conf file on the system controller, excluding the header, after use of the Toolkit.

shell stream tcp nowait root /usr/sbin/in.rshd in.rshd
shell stream tcp6 nowait root /usr/sbin/in.rshd in.rshd
login stream tcp6 nowait root /usr/sbin/in.rlogind in.rlogind
exec stream tcp nowait root /usr/sbin/in.rexecd in.rexecd
exec stream tcp6 nowait root /usr/sbin/in.rexecd in.rexecd
sun-dr stream tcp wait root /usr/lib/dcs dcs
sun-dr stream tcp6 wait root /usr/lib/dcs dcs

The following table shows the contents of the inetd.conf file on the domains, excluding the header, after use of the Toolkit.

sun-dr stream tcp wait root /usr/lib/dcs dcs
sun-dr stream tcp6 wait root /usr/lib/dcs dcs
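The domain result can be reproduced from the pre-Toolkit inetd.conf listing above and the JASS_SVCS_DISABLE list that print-jass-environment.fin prints in Appendix A. The Python below is an added example, not code from this document or from the Solaris Security Toolkit: it applies the rule of dropping every entry whose service name or RPC program number is on the list, and assumes (the document shows only the result, not the comparison) that the "/version" suffix of RPC entries is ignored when matching. Function names are the example's own.

```python
# Added example, not from the Sun document or the Solaris Security Toolkit:
# reproduce the Toolkit's inetd.conf pruning from the pre-Toolkit listing in
# 1.6.10 and the JASS_SVCS_DISABLE list printed in Appendix A.

# Pre-Toolkit inetd.conf entries (header omitted), copied from 1.6.10.
INETD_CONF_BEFORE = """\
ftp stream tcp6 nowait root /usr/sbin/in.ftpd in.ftpd
telnet stream tcp6 nowait root /usr/sbin/in.telnetd in.telnetd
name dgram udp wait root /usr/sbin/in.tnamed in.tnamed
shell stream tcp nowait root /usr/sbin/in.rshd in.rshd
shell stream tcp6 nowait root /usr/sbin/in.rshd in.rshd
login stream tcp6 nowait root /usr/sbin/in.rlogind in.rlogind
exec stream tcp nowait root /usr/sbin/in.rexecd in.rexecd
exec stream tcp6 nowait root /usr/sbin/in.rexecd in.rexecd
comsat dgram udp wait root /usr/sbin/in.comsat in.comsat
talk dgram udp wait root /usr/sbin/in.talkd in.talkd
uucp stream tcp nowait root /usr/sbin/in.uucpd in.uucpd
finger stream tcp6 nowait nobody /usr/sbin/in.fingerd in.fingerd
time stream tcp6 nowait root internal
time dgram udp6 wait root internal
echo stream tcp6 nowait root internal
echo dgram udp6 wait root internal
discard stream tcp6 nowait root internal
discard dgram udp6 wait root internal
daytime stream tcp6 nowait root internal
daytime dgram udp6 wait root internal
chargen stream tcp6 nowait root internal
chargen dgram udp6 wait root internal
100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind
rquotad/1 tli rpc/datagram_v wait root /usr/lib/nfs/rquotad rquotad
rusersd/2-3 tli rpc/datagram_v,circuit_v wait root /usr/lib/netsvc/rusers/rpc.rusersd rpc.rusersd
sprayd/1 tli rpc/datagram_v wait root /usr/lib/netsvc/spray/rpc.sprayd rpc.sprayd
walld/1 tli rpc/datagram_v wait root /usr/lib/netsvc/rwall/rpc.rwalld rpc.rwalld
rstatd/2-4 tli rpc/datagram_v wait root /usr/lib/netsvc/rstat/rpc.rstatd rpc.rstatd
100083/1 tli rpc/tcp wait root /usr/dt/bin/rpc.ttdbserverd rpc.ttdbserverd
100221/1 tli rpc/tcp wait root /usr/openwin/bin/kcms_server kcms_server
fs stream tcp wait nobody /usr/openwin/lib/fs.auto fs
100235/1 tli rpc/tcp wait root /usr/lib/fs/cachefs/cachefsd cachefsd
100134/1 tli rpc/ticotsord wait root /usr/lib/krb5/ktkt_warnd ktkt_warnd
printer stream tcp6 nowait root /usr/lib/print/in.lpd in.lpd
100234/1 tli rpc/ticotsord wait root /usr/lib/gss/gssd gssd
100146/1 tli rpc/ticotsord wait root /usr/lib/security/amiserv amiserv
100147/1 tli rpc/ticotsord wait root /usr/lib/security/amiserv amiserv
100150/1 tli rpc/ticotsord wait root /usr/sbin/ocfserv ocfserv
dtspc stream tcp nowait root /usr/dt/bin/dtspcd /usr/dt/bin/dtspcd
100068/2-5 dgram rpc/udp wait root /usr/dt/bin/rpc.cmsd rpc.cmsd
sun-dr stream tcp wait root /usr/lib/dcs dcs
sun-dr stream tcp6 wait root /usr/lib/dcs dcs
300326/4 tli rpc/tcp wait root /platform/SUNW,Ultra-Enterprise-10000/lib/dr_daemon dr_daemon
100229/1 tli rpc/tcp wait root /usr/sbin/rpc.metad rpc.metad
100230/1 tli rpc/tcp wait root /usr/sbin/rpc.metamhd rpc.metamhd
"""

# JASS_SVCS_DISABLE as printed by print-jass-environment.fin in Appendix A.
JASS_SVCS_DISABLE = (
    "ftp telnet name talk uucp smtp tftp finger systat netstat rquotad "
    "rusersd sprayd walld rexd shell login exec comsat time echo discard "
    "daytime chargen 100087 rwalld rstatd 100068 100083 100221 fs ufsd "
    "100232 100235 536870916 kerbd printer 100234 dtspc xaudio 100146 "
    "100147 100150 100134 100229 100230 100242 300326"
).split()


def service_key(entry):
    """Name or RPC program number the disable list is matched against.

    RPC entries are keyed 'name/version' in inetd.conf ('rquotad/1',
    '100232/10', 'rusersd/2-3'); the list carries the bare name or number,
    so the '/version' suffix is dropped. This is assumed to match how the
    Toolkit compares; the document shows the result, not the comparison.
    """
    return entry.split(None, 1)[0].split("/", 1)[0]


def harden_inetd_conf(conf_text, disable_list):
    """Split inetd.conf entries into (kept, removed) under the disable list.

    Blank lines and '#' comments are ignored; every other line is kept
    verbatim unless its service key is on the list.
    """
    disabled = set(disable_list)
    kept, removed = [], []
    for line in conf_text.splitlines():
        entry = line.strip()
        if not entry or entry.startswith("#"):
            continue
        (removed if service_key(entry) in disabled else kept).append(entry)
    return kept, removed


if __name__ == "__main__":
    kept, removed = harden_inetd_conf(INETD_CONF_BEFORE, JASS_SVCS_DISABLE)
    print("%d entries disabled, %d left enabled:" % (len(removed), len(kept)))
    for entry in kept:
        print("  " + entry)
```

Run against the listing it leaves exactly the two sun-dr entries shown for the domains; the system controller table retains shell, login and exec, so its driver evidently works from a shorter list that the document does not print.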
1.6.11. /etc/init.d/nddconfig
The following table lists the baseline modifications to the network device driver settings that are made to harden the SCs and domains:

Network device driver configuration setting                     Default     Hardened
/dev/ip   ip_forwarding                                         1           0
/dev/ip   lo0:ip_forwarding                                     1           0
/dev/ip   eri1:ip_forwarding (note: SCs only)                   1           0
/dev/ip   hme0:ip_forwarding                                    1           0
/dev/ip   scman0:ip_forwarding (note: SCs only)                 1           0
/dev/ip   scman1:ip_forwarding (note: SCs only)                 1           0
/dev/ip   dman0:ip_forwarding (note: domains only)              1           0
/dev/ip   qfe0:ip_forwarding (note: domains only)
/dev/arp  arp_cleanup_interval                                  300000      60000
/dev/ip   ip_forward_directed_broadcasts                        1           0
/dev/ip   ip_forward_src_routed                                 1           0
/dev/ip   ip_ignore_redirect                                    0           1
/dev/ip   ip_respond_to_address_mask_broadcast                  0           0
/dev/ip   ip_respond_to_echo_broadcast                          1           0
/dev/ip   ip_respond_to_timestamp                               1           0
/dev/ip   ip_respond_to_timestamp_broadcast                     1           0
/dev/ip   ip_send_redirects                                     1           0
/dev/ip   ip_strict_dst_multihoming                             0           1
/dev/ip   ip_def_ttl                                            255         255
/dev/tcp  tcp_conn_req_max_q0                                   1024        4096
/dev/tcp  tcp_conn_req_max_q                                    128         1024
/dev/tcp  tcp_smallest_anon_port                                32768       32768
/dev/tcp  tcp_largest_anon_port                                 65535       65535
/dev/udp  udp_smallest_anon_port                                32768       32768
/dev/udp  udp_largest_anon_port                                 65535       65535
/dev/tcp  tcp_smallest_nonpriv_port                             1024        1024
/dev/udp  udp_smallest_nonpriv_port                             1024        1024
/dev/ip   ip_ire_arp_interval                                   1200000     60000
/dev/tcp  tcp_extra_priv_ports                                  2049, 4045  2049, 4045, 6112
/dev/udp  udp_extra_priv_ports                                  2049, 4045  2049, 4045
/dev/tcp  tcp_rev_src_routes                                    0           0
/dev/ip6  ip6_forward_src_routed                                1           0
/dev/ip6  ip6_respond_to_echo_multicast                         1           0
/dev/ip6  ip6_send_redirects                                    0           0
/dev/ip6  ip6_ignore_redirect                                   0           1
/dev/ip6  ip6_strict_dst_multihoming                            0           1
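The nddconfig script's "show" mode prints one line per parameter, which makes the table above usable as an audit baseline for any SC or domain. The Python below is an added example, not code from this document or from nddconfig: it parses that output format and reports both parameters that deviate from the hardened column and parameters the output did not mention. The sample output, the function names and the assumption that multi-valued parameters come back space-separated are the example's own.

```python
# Added example, not from the Sun document or the nddconfig script: check the
# output of "/etc/init.d/nddconfig show" against the hardened column of the
# 1.6.11 table. Function names and the sample output below are constructed.
import re

# Hardened values from the 1.6.11 table, keyed (driver, parameter). The
# per-interface ip_forwarding rows collapse to the single ip_forwarding key.
HARDENED_BASELINE = {
    ("/dev/ip", "ip_forwarding"): "0",
    ("/dev/arp", "arp_cleanup_interval"): "60000",
    ("/dev/ip", "ip_forward_directed_broadcasts"): "0",
    ("/dev/ip", "ip_forward_src_routed"): "0",
    ("/dev/ip", "ip_ignore_redirect"): "1",
    ("/dev/ip", "ip_respond_to_address_mask_broadcast"): "0",
    ("/dev/ip", "ip_respond_to_echo_broadcast"): "0",
    ("/dev/ip", "ip_respond_to_timestamp"): "0",
    ("/dev/ip", "ip_respond_to_timestamp_broadcast"): "0",
    ("/dev/ip", "ip_send_redirects"): "0",
    ("/dev/ip", "ip_strict_dst_multihoming"): "1",
    ("/dev/ip", "ip_def_ttl"): "255",
    ("/dev/tcp", "tcp_conn_req_max_q0"): "4096",
    ("/dev/tcp", "tcp_conn_req_max_q"): "1024",
    ("/dev/tcp", "tcp_smallest_anon_port"): "32768",
    ("/dev/tcp", "tcp_largest_anon_port"): "65535",
    ("/dev/udp", "udp_smallest_anon_port"): "32768",
    ("/dev/udp", "udp_largest_anon_port"): "65535",
    ("/dev/tcp", "tcp_smallest_nonpriv_port"): "1024",
    ("/dev/udp", "udp_smallest_nonpriv_port"): "1024",
    ("/dev/ip", "ip_ire_arp_interval"): "60000",
    ("/dev/tcp", "tcp_extra_priv_ports"): "2049 4045 6112",
    ("/dev/udp", "udp_extra_priv_ports"): "2049 4045",
    ("/dev/tcp", "tcp_rev_src_routes"): "0",
    ("/dev/ip6", "ip6_forward_src_routed"): "0",
    ("/dev/ip6", "ip6_respond_to_echo_multicast"): "0",
    ("/dev/ip6", "ip6_send_redirects"): "0",
    ("/dev/ip6", "ip6_ignore_redirect"): "1",
    ("/dev/ip6", "ip6_strict_dst_multihoming"): "1",
}

# display_parameter() in nddconfig prints " <driver> <parameter> = '<value>'".
SHOW_LINE = re.compile(r"^\s*(/dev/\S+)\s+(\S+)\s+=\s+'(.*)'\s*$")

# Constructed sample from a partly hardened host. How ndd spaces multi-valued
# output after the script's tr -d '\n' is not shown in the document; the
# sample assumes space-separated values.
SAMPLE_SHOW_OUTPUT = """\
Current ndd parameter settings:
 /dev/arp arp_cleanup_interval = '60000'
 /dev/ip ip_forward_directed_broadcasts = '0'
 /dev/ip ip_forward_src_routed = '1'
 /dev/ip ip_ignore_redirect = '1'
 /dev/ip ip_respond_to_timestamp = '0'
 /dev/tcp tcp_conn_req_max_q0 = '4096'
 /dev/tcp tcp_extra_priv_ports = '2049 4045 '
 /dev/udp udp_extra_priv_ports = '4045 2049 '
"""


def parse_show_output(text):
    """Map (driver, parameter) -> value string for each 'show' line."""
    current = {}
    for line in text.splitlines():
        m = SHOW_LINE.match(line)
        if m:
            current[(m.group(1), m.group(2))] = m.group(3)
    return current


def same_setting(current, expected):
    """Compare as token sets so the multi-valued extra privileged port
    parameters match regardless of order or trailing whitespace."""
    return set(current.split()) == set(expected.split())


def audit(show_text, baseline=HARDENED_BASELINE):
    """Return (deviations, unchecked).

    deviations: (driver, parameter) -> (current, hardened) for every
    reported parameter that differs from the table's hardened value.
    unchecked: baseline parameters the output did not report; treat them
    as unverified, not as compliant.
    """
    current = parse_show_output(show_text)
    deviations = {}
    for key, expected in baseline.items():
        if key in current and not same_setting(current[key], expected):
            deviations[key] = (current[key], expected)
    unchecked = sorted(key for key in baseline if key not in current)
    return deviations, unchecked


if __name__ == "__main__":
    deviations, unchecked = audit(SAMPLE_SHOW_OUTPUT)
    for (driver, param), (cur, exp) in sorted(deviations.items()):
        print("%s %s = '%s' (should be '%s')" % (driver, param, cur, exp))
    print("%d baseline parameters not reported" % len(unchecked))
```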
Appendix A: Solaris Security Toolkit Sample Output

Sample output captured from the use of the Toolkit is provided in this section of the document. Actual output from the Toolkit will be provided after it has been used to enhance the security of the Sun Fire 12K/15K.

Note: A "driver", in the context of the Toolkit, provides input to the Toolkit. Customization of the driver for the Solaris Security Toolkit is not included in this service.
==============================================================================
sunfire_15k_domain-secure.driver.test: Driver started.
==============================================================================

==============================================================================
JASS Version: 0.3.2
Node name: xcat-domain2
Host ID: 82a84eaf
Host address: 129.148.202.158
MAC address: 8:0:20:f6:42:30
Date: Wed Oct 10 11:49:06 EDT 2001
==============================================================================

==============================================================================
sunfire_15k_domain-secure.driver.test: Copying personalized files.
==============================================================================

Copying ///.cshrc from /opt/SUNWjass/Files//.cshrc.
Copying ///.profile to ///.profile.JASS.20011010114906
Copying ///.profile from /opt/SUNWjass/Files//.profile.

==============================================================================
sunfire_15k_domain-secure.driver.test: Starting finish script: print-jass-environment.fin
==============================================================================

JASS_ACCT_DISABLE
daemon bin adm lp uucp nuucp nobody smtp listen noaccess nobody4

JASS_ACCT_REMOVE
smtp listen nobody4

JASS_AGING_MINWEEKS
1

JASS_AGING_MAXWEEKS
8

JASS_AT_ALLOW

JASS_AT_DENY
root daemon bin sys adm lp uucp nuucp listen nobody noaccess nobody4 oracle apache

JASS_BANNER_FTPD
Authorized Use Only

JASS_BANNER_TELNETD
Authorized Use Only

JASS_CPR_MGT_USER
-

JASS_CRON_ALLOW
root

JASS_CRON_DENY
root daemon bin sys adm lp uucp nuucp listen nobody noaccess nobody4

JASS_CRON_LOG_SIZE
20480

JASS_FILES_DIR
/opt/SUNWjass/Files

JASS_FINISH_DIR
/opt/SUNWjass/Finish

JASS_FIXMODES_DIR

JASS_FIXMODES_OPTIONS

JASS_FTPUSERS
root daemon bin sys adm lp uucp nuucp listen nobody noaccess nobody4

JASS_FTPD_UMASK
022

JASS_HOME_DIR
/opt/SUNWjass

JASS_HOSTNAME
xcat-domain2

JASS_KILL_SCRIPT_DISABLE
0

JASS_LOGIN_RETRIES
3

JASS_PACKAGE_DIR
/opt/SUNWjass/Packages

JASS_PACKAGE_MOUNT

JASS_PASS_LENGTH
8
JASS_PASSWD
//etc/passwd

JASS_PATCH_DIR
/opt/SUNWjass/Patches

JASS_PATCH_MOUNT

JASS_POWER_MGT_USER
-

JASS_REC_PATCH_OPTIONS

JASS_RHOSTS_FILE

JASS_ROOT_DIR
/

JASS_ROOT_PASSWORD
JdqZ5HrSDYM.o

JASS_SADMIND_OPTIONS
-S2

JASS_SAVE_BACKUP
1

JASS_SENDMAIL_MODE

JASS_SGID_FILE

JASS_SHELLS
/usr/bin/sh /usr/bin/csh /usr/bin/ksh /usr/bin/jsh /bin/sh /bin/csh /bin/ksh /bin/jsh
/sbin/sh /sbin/jsh /bin/bash /bin/pfcsh /bin/pfksh /bin/pfsh /bin/tcsh /bin/zsh
/usr/bin/bash /usr/bin/pfcsh /usr/bin/pfksh /usr/bin/pfsh /usr/bin/tcsh /usr/bin/zsh

JASS_SHELL_DISABLE
/sbin/noshell

JASS_STANDALONE
1

JASS_SUFFIX
JASS.20011010114906

JASS_SUID_FILE

JASS_SUSPEND_PERMS
-

JASS_SVCS_DISABLE
ftp telnet name talk uucp smtp tftp finger systat netstat rquotad rusersd sprayd walld
rexd shell login exec comsat time echo discard daytime chargen 100087 rwalld rstatd
100068 100083 100221 fs ufsd 100232 100235 536870916 kerbd printer 100234 dtspc xaudio
100146 100147 100150 100134 100229 100230 100242 300326

JASS_TMPFS_SIZE
512m

JASS_UMASK
022

JASS_UNAME
5.8

JASS_UNOWNED_FILE

JASS_USER_DIR
/opt/SUNWjass/Drivers

JASS_WRITABLE_FILE

==============================================================================
sunfire_15k_domain-secure.driver.test: Starting finish script: set-term-type.fin
==============================================================================

Setting the default terminal type to 'vt100'.
Adding default terminal type (vt100) to //etc/profile.
Copying //etc/profile to //etc/profile.JASS.20011010114908
Adding default terminal type (vt100) to //etc/.login.
Copying //etc/.login to //etc/.login.JASS.20011010114908

==============================================================================
sunfire_15k_domain-secure.driver.test: Driver finished.
==============================================================================
==============================================================================
sunfire_15k_domain-secure.driver.test: Driver started.
==============================================================================

==============================================================================
JASS Version: 0.3.2
Node name: xcat-domain2
Host ID: 82a84eaf
Host address: 129.148.202.158
MAC address: 8:0:20:f6:42:30
Date: Wed Oct 10 11:49:08 EDT 2001
==============================================================================

==============================================================================
sunfire_15k_domain-secure.driver.test: Copying personalized files.
==============================================================================

Copying ///etc/dt/config/Xaccess from /opt/SUNWjass/Files//etc/dt/config/Xaccess.
Copying ///etc/init.d/inetsvc.test from /opt/SUNWjass/Files//etc/init.d/inetsvc.test.
Copying ///etc/init.d/nddconfig from /opt/SUNWjass/Files//etc/init.d/nddconfig.
Copying ///etc/init.d/set-tmp-permissions from /opt/SUNWjass/Files//etc/init.d/set-tmp-permissions.
Copying ///etc/issue from /opt/SUNWjass/Files//etc/issue.
Copying ///etc/motd to ///etc/motd.JASS.20011010114908
Copying ///etc/motd from /opt/SUNWjass/Files//etc/motd.
Copying ///etc/notrouter from /opt/SUNWjass/Files//etc/notrouter.
Copying ///etc/nsswitch.conf to ///etc/nsswitch.conf.JASS.20011010114909
Copying ///etc/nsswitch.conf from /opt/SUNWjass/Files//etc/nsswitch.conf.
Linking ///etc/rc2.d/S00set-tmp-permissions from /opt/SUNWjass/Files//etc/rc2.d/S00set-tmp-permissions.
Linking ///etc/rc2.d/S07set-tmp-permissions from /opt/SUNWjass/Files//etc/rc2.d/S07set-tmp-permissions.
Linking ///etc/rc2.d/S70nddconfig from /opt/SUNWjass/Files//etc/rc2.d/S70nddconfig.
Copying ///etc/syslog.conf to ///etc/syslog.conf.JASS.20011010114909
Copying ///etc/syslog.conf from /opt/SUNWjass/Files//etc/syslog.conf.

==============================================================================
sunfire_15k_domain-secure.driver.test: Starting finish script: disable-apache.fin
==============================================================================

Disabling Apache startup and shutdown scripts
Renaming //etc/rc3.d/S50apache to //etc/rc3.d/_S50apache.JASS.20011010114910

==============================================================================
sunfire_15k_domain-secure.driver.test: Starting finish script: disable-asppp.fin
==============================================================================

Disabling ASPPP startup and shutdown scripts
Renaming //etc/rc2.d/S47asppp to //etc/rc2.d/_S47asppp.JASS.20011010114910

==============================================================================
sunfire_15k_domain-secure.driver.test: Starting finish script: disable-autoinst.fin
==============================================================================

Disabling sysid/autoinstall startup and shutdown scripts
Renaming //etc/rc2.d/S30sysid.net to //etc/rc2.d/_S30sysid.net.JASS.20011010114910
Renaming //etc/rc2.d/S71sysid.sys to //etc/rc2.d/_S71sysid.sys.JASS.20011010114910
Renaming //etc/rc2.d/S72autoinstall to //etc/rc2.d/_S72autoinstall.JASS.20011010114910

==============================================================================
sunfire_15k_domain-secure.driver.test: Starting finish script: disable-automount.fin
==============================================================================

Disabling Automount startup and shutdown scripts
Renaming //etc/rc2.d/S74autofs to //etc/rc2.d/_S74autofs.JASS.20011010114910

==============================================================================
sunfire_15k_domain-secure.driver.test: Starting finish script: disable-dhcpd.fin
==============================================================================

Disabling DHCP server startup and shutdown scripts
Renaming //etc/rc3.d/S34dhcp to //etc/rc3.d/_S34dhcp.JASS.20011010114910

==============================================================================
sunfire_15k_domain-secure.driver.test: Starting finish script: disable-dmi.fin
==============================================================================
Disabling DMI startup and shutdown scripts
Renaming //etc/rc3.d/S77dmi to //etc/rc3.d/_S77dmi.JASS.20011010114910
==============================================================================
sunfire_15k_domain-secure.driver.test: Starting finish script: disable-dtlogin.fin
==============================================================================
Disabling dtlogin startup and shutdown scripts
Renaming //etc/rc2.d/S99dtlogin to //etc/rc2.d/_S99dtlogin.JASS.20011010114911
==============================================================================
sunfire_15k_domain-secure.driver.test: Starting finish script: disable-keyserv-uid-nobody.fin
==============================================================================
Disabling 'nobody' access to SecureRPC information
Copying //etc/init.d/rpc to //etc/init.d/rpc.JASS.20011010114911
Adding the '-d' option to '/usr/sbin/keyserv' in //etc/init.d/rpc.
==============================================================================
sunfire_15k_domain-secure.driver.test: Starting finish script: disable-ldap-client.fin
==============================================================================
Disabling LDAP client startup and shutdown scripts
Renaming //etc/rc2.d/S71ldap.client to //etc/rc2.d/_S71ldap.client.JASS.20011010114911
==============================================================================
sunfire_15k_domain-secure.driver.test: Starting finish script: disable-lp.fin
==============================================================================
Disabling LP startup and shutdown scripts
Renaming //etc/rc2.d/S80lp to //etc/rc2.d/_S80lp.JASS.20011010114911
Copying //etc/cron.d/cron.deny to //etc/cron.d/cron.deny.JASS.20011010114911
Adding the 'lp' account to the 'cron.deny' file.
Disabling the LP cron entry
Creating backup directory, //var/spool/cron/crontabs.JASS
Moving //var/spool/cron/crontabs/lp to //var/spool/cron/crontabs.JASS/lp.JASS.20011010114911
==============================================================================
sunfire_15k_domain-secure.driver.test: Starting finish script: disable-mipagent.fin
==============================================================================
Disabling Mobile IP agent startup and shutdown scripts
Renaming //etc/rc3.d/S80mipagent to //etc/rc3.d/_S80mipagent.JASS.20011010114911
==============================================================================
sunfire_15k_domain-secure.driver.test: Starting finish script: disable-nfs-client.fin
==============================================================================
Disabling NFS client startup and shutdown scripts
Renaming //etc/rc2.d/S73nfs.client to //etc/rc2.d/_S73nfs.client.JASS.20011010114911
==============================================================================
sunfire_15k_domain-secure.driver.test: Starting finish script: disable-nfs-server.fin
==============================================================================
Disabling NFS server startup and shutdown scripts
Renaming //etc/rc3.d/S15nfs.server to //etc/rc3.d/_S15nfs.server.JASS.20011010114912
==============================================================================
sunfire_15k_domain-secure.driver.test: Starting finish script: disable-nscd-caching.fin
==============================================================================
Disabling caching of information in //etc/nscd.conf.
Copying //etc/nscd.conf to //etc/nscd.conf.JASS.20011010114912
Adding 'enable-cache no' for the passwd, group and hosts entries.
==============================================================================
sunfire_15k_domain-secure.driver.test: Starting finish script: disable-preserve.fin
==============================================================================
Disabling PRESERVE startup and shutdown scripts
Renaming //etc/rc2.d/S80PRESERVE to //etc/rc2.d/_S80PRESERVE.JASS.20011010114912
==============================================================================
sunfire_15k_domain-secure.driver.test: Starting finish script: disable-picld.fin
==============================================================================
Disabling PICL daemon startup and shutdown scripts
Renaming //etc/rcS.d/S95picld to //etc/rcS.d/_S95picld.JASS.20011010114912
==============================================================================
sunfire_15k_domain-secure.driver.test: Starting finish script: disable-power-mgmt.fin
==============================================================================
Disabling power management startup and shutdown scripts
Renaming //etc/rc2.d/S85power to //etc/rc2.d/_S85power.JASS.20011010114912
Creating /noautoshutdown file to disable power management
==============================================================================
sunfire_15k_domain-secure.driver.test: Starting finish script: disable-remote-root-login.fin
==============================================================================
Disabling direct remote root login to the system.
Copying //etc/default/login to //etc/default/login.JASS.20011010114912
Setting the 'CONSOLE' parameter in //etc/default/login.
==============================================================================
sunfire_15k_domain-secure.driver.test: Starting finish script: disable-rhosts.fin
==============================================================================
Disabling the ability to use rhosts authentication.
Copying //etc/pam.conf to //etc/pam.conf.JASS.20011010114912
Commenting the 'rsh' and 'rlogin' entries in //etc/pam.conf
that use the 'pam_rhosts_auth' module.
==============================================================================
sunfire_15k_domain-secure.driver.test: Starting finish script: disable-sendmail.fin
==============================================================================
Disabling the ability to accept connections for /usr/lib/sendmail.
Copying ///etc/default/sendmail from /opt/SUNWjass/Files//etc/default/sendmail.
==============================================================================
sunfire_15k_domain-secure.driver.test: Starting finish script: disable-slp.fin
==============================================================================
Disabling SLP startup and shutdown scripts
Renaming //etc/rc2.d/S72slpd to //etc/rc2.d/_S72slpd.JASS.20011010114913
==============================================================================
sunfire_15k_domain-secure.driver.test: Starting finish script: disable-snmp.fin
==============================================================================
Disabling SNMP startup and shutdown scripts
Renaming //etc/rc3.d/S76snmpdx to //etc/rc3.d/_S76snmpdx.JASS.20011010114913
==============================================================================
sunfire_15k_domain-secure.driver.test: Starting finish script: disable-spc.fin
==============================================================================
Disabling SPC startup and shutdown scripts
Renaming //etc/rc2.d/S80spc to //etc/rc2.d/_S80spc.JASS.20011010114913
==============================================================================
sunfire_15k_domain-secure.driver.test: Starting finish script: disable-syslogd-listen.fin
==============================================================================
Preventing syslogd from listening for remote connections.
syslogd will not accept connections from other systems.
Copying //etc/init.d/syslog to //etc/init.d/syslog.JASS.20011010114913
Adding the '-t' option to /usr/sbin/syslogd in //etc/init.d/syslog.
==============================================================================
sunfire_15k_domain-secure.driver.test: Starting finish script: disable-system-accounts.fin
==============================================================================
Disabling accounts by changing their shell to /sbin/noshell.
Installing the /sbin/noshell shell script as //sbin/noshell.
Copying ///sbin/noshell from /opt/SUNWjass/Files//sbin/noshell.
Copying //etc/passwd to //etc/passwd.JASS.20011010114913
Disabling account, daemon.
Disabling account, bin.
Disabling account, adm.
Disabling account, lp.
Disabling account, uucp.
Disabling account, nuucp.
Disabling account, nobody.
Disabling account, listen.
Disabling account, noaccess.
Disabling account, nobody4.
==============================================================================
sunfire_15k_domain-secure.driver.test: Starting finish script: disable-uucp.fin
==============================================================================
Disabling UUCP startup and shutdown scripts
Renaming //etc/rc2.d/S70uucp to //etc/rc2.d/_S70uucp.JASS.20011010114916
Removing the nuucp system account
Copying //etc/passwd to //etc/passwd.JASS.20011010114916
Copying //etc/shadow to //etc/shadow.JASS.20011010114916
Removing the UUCP cron entry
Moving //var/spool/cron/crontabs/uucp to //var/spool/cron/crontabs.JASS/uucp.JASS.20011010114918
==============================================================================
sunfire_15k_domain-secure.driver.test: Starting finish script: disable-vold.fin
==============================================================================
Disabling Volume Management startup and shutdown scripts
Renaming //etc/rc2.d/S92volmgt to //etc/rc2.d/_S92volmgt.JASS.20011010114919
==============================================================================
sunfire_15k_domain-secure.driver.test: Starting finish script: disable-wbem.fin
==============================================================================
Disabling WBEM startup and shutdown scripts
Renaming //etc/rc2.d/S90wbem to //etc/rc2.d/_S90wbem.JASS.20011010114919
==============================================================================
sunfire_15k_domain-secure.driver.test: Starting finish script: enable-ftp-syslog.fin
==============================================================================
Enabling enhanced logging for the FTP daemon.
Copying //etc/inet/inetd.conf to //etc/inet/inetd.conf.JASS.20011010114919
Adding the '-l' option to /usr/sbin/in.ftpd in //etc/inet/inetd.conf.
==============================================================================
sunfire_15k_domain-secure.driver.test: Starting finish script: enable-inetd-syslog.fin
==============================================================================
Configuring the Intenet services daemon to log all incoming connections.
Copying //etc/init.d/inetsvc to //etc/init.d/inetsvc.JASS.20011010114919
Adding the '-t' option to /usr/sbin/inetd in //etc/init.d/inetsvc.
==============================================================================
sunfire_15k_domain-secure.driver.test: Starting finish script: enable-priv-nfs-ports.fin
==============================================================================
Configure NFS server daemon to accept connections/requests
from privileged ports only.
Copying //etc/system to //etc/system.JASS.20011010114919
Adding 'set nfssrv:nfs_portmon=1' to //etc/system.
==============================================================================
sunfire_15k_domain-secure.driver.test: Starting finish script: enable-rfc1948.fin
==============================================================================
Enabling RFC 1948 sequence number generation.
Copying //etc/default/inetinit to //etc/default/inetinit.JASS.20011010114919
Setting 'TCP_STRONG_ISS' to '2' in //etc/default/inetinit.
==============================================================================
sunfire_15k_domain-secure.driver.test: Starting finish script: enable-stack-protection.fin
==============================================================================
Enabling kernel-level stack protections and logging.
Copying //etc/system to //etc/system.JASS.20011010114920
Adding 'set noexec_user_stack=1' to //etc/system.
Adding 'set noexec_user_stack_log=1' to //etc/system.
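The finish scripts above write their changes into a handful of plain-text files (/etc/system, /etc/default/inetinit, /etc/default/login, /etc/ftpusers), so whether a domain is still hardened after a patch or a JASS undo can be checked by reading those files back. The following POSIX shell audit is an added example; it is not part of this Sun document and not a Solaris Security Toolkit script. The file names and the values it looks for are the ones printed in the output above; the CONSOLE=/dev/console value (the output only says the CONSOLE parameter is set) and the function names check_setting, audit_root and make_sample_tree are assumptions, and the sample trees it audits are constructed in the script rather than taken from a real domain.

```shell
#!/bin/sh
# Added example, not part of the Sun document or of the Solaris Security
# Toolkit: audit whether the tunables the JASS finish scripts write are
# present. ROOT is the filesystem to audit ("/" on a real Solaris domain);
# the demo at the bottom builds constructed sample trees instead.

# check_setting FILE REGEX: report on stderr, return 0 when REGEX matches.
check_setting() {
    if grep -q "$2" "$1" 2>/dev/null; then
        echo "ok      $1: $2" >&2
        return 0
    fi
    echo "MISSING $1: $2" >&2
    return 1
}

# audit_root ROOT: print the number of missing settings (0 = all present).
audit_root() {
    root=$1
    missing=0
    # /etc/system: enable-priv-nfs-ports.fin and enable-stack-protection.fin
    check_setting "$root/etc/system" '^set nfssrv:nfs_portmon=1' || missing=$((missing + 1))
    check_setting "$root/etc/system" '^set noexec_user_stack=1' || missing=$((missing + 1))
    check_setting "$root/etc/system" '^set noexec_user_stack_log=1' || missing=$((missing + 1))
    # /etc/default/inetinit: enable-rfc1948.fin
    check_setting "$root/etc/default/inetinit" '^TCP_STRONG_ISS=2' || missing=$((missing + 1))
    # /etc/default/login: disable-remote-root-login.fin (value is an
    # assumption; the JASS output only says the CONSOLE parameter is set)
    check_setting "$root/etc/default/login" '^CONSOLE=/dev/console' || missing=$((missing + 1))
    # /etc/ftpusers: install-ftpusers.fin
    check_setting "$root/etc/ftpusers" '^root$' || missing=$((missing + 1))
    echo "$missing"
}

# make_sample_tree DIR yes|no: constructed sample /etc tree, hardened or stock.
make_sample_tree() {
    mkdir -p "$1/etc/default"
    if [ "$2" = yes ]; then
        printf 'set nfssrv:nfs_portmon=1\nset noexec_user_stack=1\nset noexec_user_stack_log=1\n' > "$1/etc/system"
        printf 'TCP_STRONG_ISS=2\n' > "$1/etc/default/inetinit"
        printf 'CONSOLE=/dev/console\n' > "$1/etc/default/login"
        printf 'root\n' > "$1/etc/ftpusers"
    else
        : > "$1/etc/system"
        printf 'TCP_STRONG_ISS=1\n' > "$1/etc/default/inetinit"
        printf '#CONSOLE=/dev/console\n' > "$1/etc/default/login"
        : > "$1/etc/ftpusers"
    fi
}

# Stand-alone demo against the two constructed trees.
demo=$(mktemp -d)
make_sample_tree "$demo/hardened" yes
make_sample_tree "$demo/stock" no
echo "hardened tree: $(audit_root "$demo/hardened") setting(s) missing"
echo "stock tree:    $(audit_root "$demo/stock") setting(s) missing"
rm -rf "$demo"
```

On a real domain, call audit_root / and read the per-setting ok/MISSING lines on stderr; the count on stdout is what a cron job or configuration-management check would compare against zero. The patterns are anchored at line start so that a commented-out setting (for example "#CONSOLE=/dev/console", which is how the stock file ships) counts as missing rather than present.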
==============================================================================
sunfire_15k_domain-secure.driver.test: Starting finish script: install-at-allow.fin
==============================================================================
Updating 'at' facility access controls (at.allow)
==============================================================================
sunfire_15k_domain-secure.driver.test: Starting finish script: install-ftpusers.fin
==============================================================================
Restricting access to the 'FTP' service.
Copying //etc/ftpusers to //etc/ftpusers.JASS.20011010114920
Adding root to //etc/ftpusers.
==============================================================================
sunfire_15k_domain-secure.driver.test: Starting finish script: install-loginlog.fin
==============================================================================
Creating log file to track failed login attempts.
Creating the //var/adm/loginlog file.
==============================================================================
sunfire_15k_domain-secure.driver.test: Starting finish script: install-newaliases.fin
==============================================================================
sunfire_15k_domain-secure.driver.test: NOTE : The 'newaliases' link for 'sendmail' is already installed.
==============================================================================
sunfire_15k_domain-secure.driver.test: Starting finish script: install-sadmind-options.fin
==============================================================================
Configuring the system administration daemon.
Copying //etc/inet/inetd.conf to //etc/inet/inetd.conf.JASS.20011010114920
Adding the '-S 2' to /usr/sbin/sadmind in //etc/inet/inetd.conf.
==============================================================================
sunfire_15k_domain-secure.driver.test: Starting finish script: install-security-mode.fin
==============================================================================
The EEPROM security-mode parameter is set as: none.
To improve the security of the system, the following command
should be executed manually from the operating system.
For more information on this command and its possible values,
refer to the eeprom(1M) manual entry.
eeprom "security-mode=command"
The current number of EEPROM 'badlogins' is 0.
Setting the number of badlogins to 0.
==============================================================================
sunfire_15k_domain-secure.driver.test: Starting finish script: install-shells.fin
==============================================================================
Defining valid shells for this system.
Copying //etc/shells to //etc/shells.JASS.20011010114922
Adding /usr/bin/sh to //etc/shells.
Adding /usr/bin/csh to //etc/shells.
Adding /usr/bin/ksh to //etc/shells.
Adding /usr/bin/jsh to //etc/shells.
Adding /bin/sh to //etc/shells.
Adding /bin/csh to //etc/shells.
Adding /bin/ksh to //etc/shells.
Adding /bin/jsh to //etc/shells.
Adding /sbin/sh to //etc/shells.
Adding /sbin/jsh to //etc/shells.
Adding /bin/bash to //etc/shells.
Adding /bin/pfcsh to //etc/shells.
Adding /bin/pfksh to //etc/shells.
Adding /bin/pfsh to //etc/shells.
Adding /bin/tcsh to //etc/shells.
Adding /bin/zsh to //etc/shells.
Adding /usr/bin/bash to //etc/shells.
Adding /usr/bin/pfcsh to //etc/shells.
Adding /usr/bin/pfksh to //etc/shells.
Adding /usr/bin/pfsh to //etc/shells.
Adding /usr/bin/tcsh to //etc/shells.
Adding /usr/bin/zsh to //etc/shells.
==============================================================================
sunfire_15k_domain-secure.driver.test: Starting finish script: install-sulog.fin
==============================================================================
Creating log file to track attempts to use 'su'.
sunfire_15k_domain-secure.driver.test: NOTE : //var/adm/sulog already exists.
==============================================================================
sunfire_15k_domain-secure.driver.test: Starting finish script: remove-unneeded-accounts.fin
==============================================================================
Removing non-essential accounts.
Copying //etc/passwd to //etc/passwd.JASS.20011010114922
Copying //etc/shadow to //etc/shadow.JASS.20011010114922
Removing the account, listen, from the system.
Removing the account, nobody4, from the system.
==============================================================================
sunfire_15k_domain-secure.driver.test: Starting finish script: set-banner-ftpd.fin
==============================================================================
Setting the banner for the FTP daemon.
Copying //etc/default/ftpd to //etc/defau