Solaris Hardening Guide v1

Nortel Networks Portfolio Integration
Issue Date: December, 2003
Author: Nortel Networks
Solaris 8 and 9 Operating System Hardening Guideline Document, Issue 1.0
Printed 12/23/2003 - 12:46 PM



Please Note THIS DOCUMENT IS FOR INFORMATIONAL PURPOSES ONLY AND DOES NOT CONSTITUTE ADVICE. ANY RELIANCE UPON THIS DOCUMENT SHALL BE AT YOUR OWN RISK. THE INFORMATION CONTAINED HEREIN IS PROVIDED “AS IS” WITHOUT ANY WARRANTIES OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT. IN NO EVENT SHALL NORTEL NETWORKS, ITS AGENTS OR SUPPLIERS BE LIABLE FOR ANY DIRECT, INDIRECT, SPECIAL, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES (INCLUDING LOST PROFITS OR SAVINGS), WHETHER IN CONTRACT, TORT OR OTHERWISE (INCLUDING NEGLIGENCE) FROM USE OF OR RELIANCE UPON THE INFORMATION CONTAINED HEREIN, EVEN IF NORTEL NETWORKS, ITS AGENTS OR SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. © Copyright Nortel Networks 2003 This document is the property of Nortel Networks who own the copyright therein. The information in this document is given in confidence and without the written consent of Nortel Networks given by contract or otherwise the document must not be copied reprinted or reproduced in any material form either wholly or in part nor must the contents of the document or any method or technique available there from be disclosed to any third party.


Summary

This document provides background information and detailed steps that should be taken in order to harden the Solaris 8 and Solaris 9 operating systems against common network security attacks. Please note, however, that operating system hardening procedures cannot be followed blindly. Operating system hardening involves, among other things, turning off all services that are not required for a particular application. For this reason, each operating system hardening instance must be customized, and this document should only be considered a general guideline to follow during that customization.


1. Purpose of OS Hardening
2. Solaris 8 and 9 Hardening Procedures
   Step 0: Installing the Solaris Base Security Module (BSM)
   Step 1: Removing Unnecessary Services and Users
   Step 2: Setting Up Time Synchronization using NTP
   Step 3: Configuring Additional Logging
   Step 4: Fixing File Permissions
   Step 5: Other Miscellaneous Actions
   Step 6: Enhance Solaris Network Security
   Step 7: File System Lockdown
   Step 8: Vulnerability Testing and Patching
Appendix A: Replacement /etc/init.d/inetsvc script
Appendix B: Sample newsyslog script
Appendix C: Minimal sendmail configuration file
Appendix D: Sample /etc/issue and /etc/motd file
Appendix E: TCP Wrapper generic configuration file
Appendix F: Security Script
Appendix G: References


1. Purpose of OS Hardening

Computers and network elements connected to networks are vulnerable to attacks. The following is a list of commonly known types of attacks:

1. Viruses, worms, backdoors and trojans
2. Wire tapping and sniffing
3. Password cracking
4. Exploits of known vulnerabilities such as software buffer overflow
5. Denial of service (DoS)

Some of these attacks are based on well-publicized techniques, with scripts and other tools available to make it possible for less knowledgeable crackers to apply exploits against systems. Once a system has been compromised, an intruder can do a number of things, including the following:

1. Modify or destroy information
2. Disclose sensitive information
3. Install malicious code to gather information
4. Use the compromised server to attack other systems

Our goal is to provide reference guidelines that you can use to improve the resistance of your Solaris-based systems to attacks. We present what we believe to be sound practices, but we must point out that no system is absolutely secure and that continued vigilance is still required even after your system has been hardened. It is highly recommended that you monitor early warning forums such as http://www.cert.org to obtain the newest vulnerability reports, and that you stay on your vendor's bug-fix mailing list to get the latest security patches and bug fixes for the Solaris operating system you use. The hardening procedure has been verified on the Solaris 8 and 9 Operating Environment for the SPARC platform and may be adapted for other Solaris-based systems. We assume that you have a working knowledge of Solaris or general UNIX system administration and that the system installation and hardening will be performed in an isolated or safe network environment.


2. Solaris 8 and 9 Hardening Procedures

Step 0: Installing the Solaris Base Security Module (BSM)

The Base Security Module is a loadable kernel module which, operating at the kernel level, intercepts and logs system calls on the basis of an audit policy. It has a C2 security rating as defined in the Trusted Computer System Evaluation Criteria (TCSEC), commonly known as the Orange Book. Turning on BSM is usually considered the first step in hardening a Solaris operating system. Please note that BSM introduces 5-10% performance overhead, can only log to the local disk, and may require a large amount of storage space depending on the audit policy. Execute the following commands to install BSM:

Login: root
Password: rootpassword
/etc/telinit 1

The system will then go into single user mode. Enter the root password again for system maintenance. Then execute the following command:

/etc/security/bsmconv (unbsmconv is the command to turn off BSM)

Enter the letter y to continue with the BSM conversion. And then execute the following command to restart the system to enable BSM:

/etc/telinit 6 or /usr/sbin/shutdown -y now

You may want to make use of the sample script in Appendix F to automate this step if you need to enable BSM on multiple systems. However, the script was developed on a test system and therefore you should modify it to suit your specific environment. It is recommended that BSM be enabled by default and that detailed documentation be provided to the customers on at least the following:

1. the auditing options and what they mean
2. step-by-step configuration guide
3. how to turn it on and off
4. how to process the log

Timely processing of the log is very important. Unprocessed logs will not only defeat the purpose of logging but also consume disk space to the point where the server stops working, which is equivalent to a self-inflicted Denial of Service (DoS) attack. You can configure BSM either (#1) to stop the server when the auditing partitions are full or (#2) to drop auditing events and continue running the server. The default configuration is #2. Whether you choose #1 or #2, you need to document that for the customers and make them aware of the implication when the partition is full:

#1 = DoS
#2 = no auditing

The default configuration is defined by the bsmconv script that is run to enable BSM on a system. When run, the bsmconv script creates the /etc/security/audit_startup script. This script contains the following:

#!/bin/sh
auditconfig -conf
auditconfig -setpolicy none
auditconfig -setpolicy +cnt

By specifying setpolicy +cnt, the audit_startup script created by bsmconv forces the auditing subsystem to drop auditable events while keeping a count of the total number of events dropped. For more information on the various configuration options, please refer to the Sun Blueprint document entitled “Auditing in the Solaris 8 Operating Environment” at the following URL: http://www.sun.com/solutions/blueprints/0201/audit_config.pdf


Step 1: Removing Unnecessary Services and Users

Many unnecessary services are installed by default when setting up a Solaris server. The next step in hardening the operating system is to remove them from the startup files. Like Linux and many other Unix variants, Solaris uses the /etc/rc?.d directory structure, where ? denotes the run level. At each run level, init uses a driver script to run the other scripts found in that run level's directory. The run levels with startup or shutdown scripts in Solaris are S, 0, 1, 2, and 3. Many unused services are started by the init process. These services usually run as root, and a number of them have potential security loopholes which can be exploited. The rule of thumb is that if the service is not needed, do not start it. The simplest approach to disabling a group of services manually is to use the following scripting commands in a terminal console:

# change to the directory where you want to disable services
cd /etc/rc2.d
# list filenames. Use wildcards to save typing
for file in *sysid* *auto* *nscd *power *dtlogin
do
    mv $file .NO$file
done
# it's recommended to use a shorter list to avoid errors
for file in *dmi *snmpdx *nfs* *cache* *rpc *route
do
    mv $file .NO$file
done
#
for file in *PRESERVE *sendmail *spc *lp*
do
    mv $file .NO$file
done

This will rename each file starting with S to .NOfilename, so it will no longer be started automatically on system reboot. For example:

S30sysid.net becomes .NOS30sysid.net

A more radical approach would be to delete them completely. It is recommended that the files be renamed first and removed only after thorough tests have confirmed that the system works as expected. This step can also be accomplished via the script in Appendix F. The following sections outline the removal of the candidate services in detail. Additional technical information about these services can be found online in the Solaris 8 System Administrator Collection.

Unnecessary System Services Started by init Process

Disable PCMCIA

PCMCIA stands for Personal Computer Memory Card International Association. This standard memory card interface is most commonly used in notebook-type computers. If your product does not take advantage of PCMCIA hardware, this support should be disabled.

In order to disable PCMCIA in Solaris 8, the following file is renamed:

/etc/rcS.d/S10initpcmcia
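The renaming loop shown earlier works, but it renames whatever the globs match, including any K (kill) scripts in the directory, and reports nothing about what it changed. The functions below are an added example, not code from the Nortel guide or its Appendix F script; they apply the same .NO-prefix convention but restrict it to S (start) scripts, skip patterns that match nothing, print each rename, and can list or undo the renames once testing shows a service was needed after all. The function names rc_disable, rc_disabled and rc_restore are this example's own. They use POSIX parameter expansion, so on Solaris 8 or 9 run them under /usr/bin/ksh or /usr/xpg4/bin/sh rather than the Bourne /bin/sh.

```shell
#!/bin/sh
# Added example (not from the Nortel guide): a reusable version of the
# guide's "mv $file .NO$file" loop. It renames only start scripts (S*)
# that actually exist and match one of the given patterns, leaves already
# renamed scripts alone, and prints each name it changes so the run can
# be logged. The directory is an argument so the functions can be tried
# against a scratch copy before touching /etc/rc2.d.

# rc_disable DIR PATTERN...
# Rename DIR/S<name> to DIR/.NOS<name> for every start script whose name
# matches one of the shell glob PATTERNs (quote them when calling, e.g.
# '*sysid*'). Prints the original name of each script it renamed.
rc_disable() {
    dir=$1
    shift
    for path in "$dir"/S*; do
        [ -f "$path" ] || continue      # unmatched glob stays literal: skip it
        name=${path##*/}
        for pat in "$@"; do
            case $name in
                $pat)
                    mv "$path" "$dir/.NO$name" && echo "$name"
                    break
                    ;;
            esac
        done
    done
}

# rc_disabled DIR
# List the original names of the start scripts in DIR that rc_disable
# has renamed, so the result can be compared with the candidate list.
rc_disabled() {
    for path in "$1"/.NOS*; do
        [ -f "$path" ] || continue
        name=${path##*/}
        echo "${name#.NO}"
    done
}

# rc_restore DIR
# Undo rc_disable for every .NOS* script in DIR (for the case where a
# test after hardening shows that a service was needed after all).
rc_restore() {
    for path in "$1"/.NOS*; do
        [ -f "$path" ] || continue
        name=${path##*/}
        mv "$path" "$1/${name#.NO}" && echo "${name#.NO}"
    done
}
```

Try it on a copy first (cp -rp /etc/rc2.d /var/tmp/rc2.d; rc_disable /var/tmp/rc2.d '*sendmail' '*lp*'; rc_disabled /var/tmp/rc2.d) and compare the listed names with the candidate services in the sections that follow before repeating the call on the real directory.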


Disable CacheFS

CacheFS is commonly used to support diskless clients (the root file system is cachefs instead of ufs) and provides better performance by caching NFS. cachefs can be safely disabled because all OAM server hardware configurations have their own disks, ufs is almost always the default file system, and NFS should never be part of normal OAM operation. The rule of thumb is that if the network service is not required, it should be disabled. Please note that NFS does not need cachefs; cachefs provides better NFS performance according to Sun.

This is part one of four script files that need to be renamed in order to fully disable CacheFS; for clarity purposes, they are each listed in different subsections of this document. The following scripts should be disabled in the following order to properly disable the cachefs:

/etc/rcS.d/S35cacheos.sh
/etc/rcS.d/S41cachefs.root
/etc/rc2.d/S73cachefs.daemon
/etc/rc2.d/S93cacheos.finish

An entry in /etc/inet/inetd.conf, which is controlled by the RPC daemon, is also required to be commented out. It is discussed later in the section.

/etc/inet/inetd.conf

Disable CacheFS for Root Partition

This is a continuation of the CacheFS disabling procedure described above.

This is part two of four script files that need to be renamed in order to fully disable CacheFS; for clarity purposes, they are each listed in different subsections of this document:

/etc/rcS.d/S35cacheos.sh
/etc/rcS.d/S41cachefs.root
/etc/rc2.d/S73cachefs.daemon
/etc/rc2.d/S93cacheos.finish

An entry in /etc/inet/inetd.conf, which is controlled by the RPC daemon, is also required to be commented out. It is discussed later in the section.

/etc/inet/inetd.conf

Disable Solaris Network Cache and Accelerator (NCA)

The NCA is a kernel module designed to provide improved web server performance. The kernel module, ncakmod, services HTTP requests. To improve the performance of servicing HTTP requests, the NCA kernel module maintains an in-kernel cache of web pages. If the NCA kernel module cannot service the request itself, it passes the request to the http daemon (httpd) by means of a private interface. The logging facility, ncalogd, logs all requests.

The NCA cache consistency is maintained by honoring HTTP headers dealing with a given content type and expiration date, much the same way as a proxy cache.

For detailed configuration information, please see the Solaris 8 System Administration Guide, Volume 3.


The NCA is intended to be run on a dedicated web server. Running other large processes while running NCA may cause undesirable behavior. This is a new feature in Solaris 8 and is available in Solaris 9. Sun recommends that this service be disabled.

This is part one of three script files that need to be renamed in order to fully disable NCA; for clarity purposes, they are each listed in different subsections of this document:

/etc/rcS.d/S42ncakmod
/etc/rc2.d/S94ncalogd
/etc/rc2.d/S95ncad

Disable System Activity Data Gathering

By default, this script is commented out by the OS installation and Sun recommends that it be disabled.

In order to disable system activity data gathering, the following script file should be renamed to prevent access:

/etc/rc2.d/S21perf

Disable Class 2 Logical Link Control driver (LLC2)

The LLC2 driver interfaces network software (NetBIOS, SNA, OSI, etc.) running under Solaris to a physical LAN network controlled by one of the supported communications adapters. The LLC2 driver, which appears as a STREAMS driver to the network software, resides in the kernel and is accessed by standard UNIX STREAMS functions.

This is a new function for Solaris 8 and is available in Solaris 9 as well. It should be disabled if this network interface is not needed in the OAM network.

In order to disable the LLC2 driver, the following script file should be renamed to prevent access:

/etc/rc2.d/S40llc2

Disable Async PPP Server

Unless PPP dial-up is used, which appears not to be the case, this service should be disabled as recommended by Sun.

In order to disable PPP, the following script file should be renamed to prevent access:

/etc/rc2.d/S47asppp
/etc/rc2.d/S47pppd

Disable Unix to Unix Copy Daemon (UUCP)

Unless UUCP is used, which appears not to be the case, UUCP should be disabled. This is not a common service for a server. Sun recommends that it be disabled.

Renaming the following script file will disable UUCP:

/etc/rc2.d/S70uucp


Disable Sun Stock LDAP Client

Sun recommends that this stock version be disabled. Renaming the following script file will disable the Sun Stock LDAP Client:

/etc/rc2.d/S71ldap.client

Disable Auto-Installation Service

This service is only used if the /etc/.UNCONFIGURED or /AUTOINSTALL files are created so the system can be re-installed. After initial installation and configuration, there is generally little reason for this service to remain available. Sun recommends that it be disabled.

Renaming the following script file will disable the auto-installation service:

/etc/rc2.d/S72autoinstall

Disable Sun Stock Service Location Protocol Daemon

Sun recommends that this stock version be disabled. The following script file is renamed to disable the Sun Stock Service Location Protocol Daemon:

/etc/rc2.d/S72slpd

Disable CacheFS Daemon

This is a continuation of the CacheFS disabling procedure described earlier.

This is part three of four script files that need to be renamed in order to fully disable CacheFS; for clarity purposes, they are each listed in different subsections of this document:

/etc/rcS.d/S35cacheos.sh
/etc/rcS.d/S41cachefs.root
/etc/rc2.d/S73cachefs.daemon
/etc/rc2.d/S93cacheos.finish

An entry in /etc/inet/inetd.conf, which is controlled by the RPC daemon, is also required to be commented out. It is discussed later in the section.

/etc/inet/inetd.conf

Disable NFS Client Service

The Solaris boot sequence assumes that some of your file systems will use an NFS file server. Therefore, optional services are started on the assumption that some users will need them if they use an NFS file server.

There's a collection of historically dangerous RPC services started at boot time from the script S73nfs.client found in /etc/rc2.d. This includes the statd and lockd daemons mentioned in the SANS Top Ten Security Threats 2002. NFS client systems need statd and lockd to do file locks on NFS file systems -- the client has to tell the server to hold a lock so that other clients can honor it.


Over the years there have been many security compromises associated with the RPC services required for NFS -- Sun recommends that these services be disabled for security reasons.

The following script file should be renamed to disable the NFS client service:

/etc/rc2.d/S73nfs.client

Disable NFS Auto-Mount

The automount service manages automated NFS mounts. NFS clients may need to mount file systems from many different NFS servers. The automount service mounts file systems automatically when they are needed and unmounts them after a specific amount of idle time. A table used by this service defines the file system mount points, mount options, and the associated NFS servers. Also, in order to centralize the management of automount, the configuration tables can be stored in a name service such as NIS or NIS+. A kernel level service (autofs) interacts with the system daemon (automountd) to manage file system mount and unmount requests. The primary automount configuration table is stored in the /etc/auto_master file. The /etc/auto_master file determines the locations of all autofs mount points. By default, this file contains four entries.

Ideally, automount should be disabled because, not only does it run as a privileged daemon, but it also uses NFS and RPC. Sun highly recommends that it be disabled.

To disable autofs, you also need to remove /etc/auto_master and /etc/auto_home. If they or either one of them cannot be removed, this service must remain on.

The following files should be renamed or removed to fully disable NFS auto-mount:

/etc/rc2.d/S74autofs
/etc/auto_master
/etc/auto_home

Disable Print Service

The /etc/rc2.d/S80lp script is required for both a server providing print services to other systems and a system which requires access to printers hosted by other systems. If this functionality is not required, Sun recommends that the packages for lp be removed from the system, and the in.lpd entry be removed from /etc/inet/inetd.conf.

The following script file should be renamed to disable the print service:

/etc/rc2.d/S80lp

Disable Preserve

This service automatically saves the files currently being edited to /usr/preserve when the session is lost or the server is rebooted. This service can be safely disabled and Sun recommends that it be disabled.

The following script files should be renamed to disable the preserve feature:

/etc/rc2.d/S80PRESERVE (Solaris 8)
/etc/rc2.d/S89PRESERVE (Solaris 9)


Disable Solstice Print Client Service (SPC)

Yet another printing-related service that is not needed. Sun recommends that it be disabled.

The following script file should be renamed to disable the SPC service:

/etc/rc2.d/S80spc

Disable Power Management Daemon

The powerd daemon is started by pmconfig to monitor system activity and perform an automatic shutdown using the suspend-resume feature. When the system is suspended, the complete current state information is saved on the disk before power is removed. This service is only useful for workstations that are configured for power saving mode (they shut down to save energy) and should never be used on a server. This can be safely disabled and this is recommended by Sun. Once it is disabled, a blank file /noautoshutdown should be created to prevent the system from asking power management questions (workstations only).

The following script file should be renamed to prevent access to powerd daemon:

/etc/rc2.d/S85power

The following file should be created to prevent system from asking power management related questions:

/noautoshutdown

Disable SMTP Mail Server

The sendmail utility is used on a Solaris system to forward and receive mail from other systems. Centralized mail servers should be used to receive mail, not local servers. Ideally, a more secure Mail Transport Agent (MTA) should be used instead of the MTA bundled with Solaris. The sendmail daemon bundled with Solaris has been subject to numerous denial of service, buffer overflow, and misconfiguration attacks.

Sun recommends that sendmail be disabled unless it is absolutely necessary. In a later section, system logging is modified to send warning messages to logs instead of mailing them to root (root's mail could fill up /var if it is not checked regularly, thus halting the system). You may invoke sendmail periodically from crontab to process queued mail from programs and processes that use mail to send out messages.

Renaming the following script file will disable the SMTP mail server:

/etc/rc2.d/S88sendmail

Replace the installed sendmail.cf file with the minimal sendmail.cf in Appendix C.

Add the following entry to root's crontab to flush the mail queue once per hour:

0 * * * * /usr/lib/sendmail -q

Disable Web-Based Enterprise Management (WBEM) service

WBEM is both an initiative and a technology. As an initiative, WBEM includes standards for managing systems, networks, users, and applications by using Internet technology. As a technology, WBEM provides a way for management applications to share management data independently of vendor, protocol, operating system, or management standard. The core of WBEM is the Common Information Model (CIM); all compatible objects must implement the CIM model. This is an optional software package new to Solaris 8 and is available in Solaris 9 as well. Sun recommends that it be disabled if it is not needed.


For more information about WBEM, please refer to the WBEM on Sun Developer's Guide.

The following script file should be renamed to disable the WBEM service:

/etc/rc2.d/S90wbem

Disable CacheFS Daemon

This is a continuation of the CacheFS disabling procedure described earlier.

This is part four of the four script files that need to be renamed in order to fully disable CacheFS; for clarity purposes, they are each listed in different subsections of this document:

/etc/rcS.d/S35cacheos.sh
/etc/rcS.d/S41cachefs.root
/etc/rc2.d/S73cachefs.daemon
/etc/rc2.d/S93cacheos.finish

An entry in /etc/inet/inetd.conf, which is controlled by the RPC daemon, is also required to be commented out. It is discussed later in the section.

/etc/inet/inetd.conf

Disable NCA Logging

This is a continuation of the NCA disabling procedure described earlier.

This is part two of the three script files that need to be renamed in order to fully disable NCA; for clarity purposes, they are each listed in different subsections of this document:

/etc/rcS.d/S42ncakmod

/etc/rc2.d/S94ncalogd

/etc/rc2.d/S95ncad

Disable NCA Daemon

This is a continuation of the NCA disabling procedure described earlier.

This is part three of the three script files that need to be renamed in order to fully disable NCA; for clarity purposes, they are each listed in different subsections of this document:

/etc/rcS.d/S42ncakmod
/etc/rc2.d/S94ncalogd
/etc/rc2.d/S95ncad

Disable NFS Server Service

The Solaris boot sequence assumes that some systems will be NFS file servers. The network services required to support NFS file services are only started if the system has been configured appropriately. That is a prudent strategy.


There's a collection of historically dangerous RPC services that can be started at boot time from the script S15nfs.server found in /etc/rc3.d. This includes the mountd daemon mentioned in the SANS Top Ten Security Threats 2002. If the system isn't an NFS file server, the mountd and nfsd servers should not be started. All NFS file sharing information is transported in clear text, so it is susceptible to snooping. Therefore, Sun recommends that NFS not be configured, for security reasons.

The following two scripts need to be renamed or removed in order to fully disable the NFS server service:

/etc/rc3.d/S15nfs.server
/etc/dfs/dfstab

Disable Sun Stock Apache Server

By default, this service (new to Solaris 8 and available in Solaris 9 as well) is not started automatically at boot time. If web access is not needed or a newer version is installed, this stock version that comes with the OS should be disabled. Sun recommends that this stock version be disabled.

Renaming the following script file will disable the Sun stock apache server:

/etc/rc3.d/S50apache

Disable SNMP services

There are several stock Simple Network Management Protocol (SNMP) services enabled by default on Solaris: snmpdx, snmpXdmid and mibiisa. The snmp service is always at port 161; the other port numbers vary. The snmpdx daemon uses snmpXdmid to answer some queries and the mibiisa daemon to answer others. All of these processes run as user root and might be compromised.

Some OAM applications use their own SNMP agent, thus the stock SNMP services started by Sun are not needed. If SNMP is not required, Sun recommends that the startup script be disabled so that these stock SNMP services will not provide system information to unknown persons.

Please note that some servers which use the T3 disk-array require the Sun stock SNMP services to manage the RAID disk-arrays. Also, if Sun SMC3.0 agent is running on the server, SNMP services must not be turned off.

Renaming the following script file will disable SNMP services:

/etc/rc3.d/S76snmpdx

Disable Desktop Management Interface (DMI)

There is a well-known vulnerability on Solaris 8 concerning the DMI; that buffer overflow can lead to local and remote root compromise. Please see the archive Solaris SNMP to DMI mapper daemon vulnerability for more information.

DMI can be safely turned off and Sun recommends that it be disabled.

The following script file should be renamed to disable DMI:

/etc/rc3.d/S77dmi


Disable Mobile IP Agent Service

The MIP agent utility implements the Mobile IP home agent and foreign agent functionality described in RFC 2002. It responds to Mobile IP registration and deregistration requests and router discovery solicitation messages from a mobile node. Besides responding to external messages, the mipagent utility also performs periodic tasks, such as aging mobility bindings and visitor entries and sending agent advertisements.

This service is new to Solaris 8 and is available in Solaris 9 as well. It requires that the /etc/inet/mipagent.conf file be present during the startup. The Solaris 8 and 9 default installation disables this service and Sun recommends that the startup script be disabled if it is not needed.

The following script file should be renamed to disable the Mobile IP agent service:

/etc/rc3.d/S80mipagent


Unnecessary Network Services Managed by inetd Process

The inetd daemon provides access to system and network services available on a system. Its configuration file, /etc/inet/inetd.conf, defines what services are managed by the inetd daemon. An ideal secured server should have neither the /etc/inet/inetd.conf file nor run inetd, as the daemons started in the /etc/inet/inetd.conf are frequently not needed. To disable a service, the /etc/inet/inetd.conf file is edited and a comment character ("#") is placed in front of the line containing the service definition. Once this is completed, a HUP signal is sent to the inetd process. This causes the inetd daemon to reread its configuration file.

The removal of unnecessary system packages from the system, called minimization, reduces the number of components that have to be patched and made secure. Reducing the number of components reduces the number of possible entry points into the system by an intruder.

It is recommended by Sun that most of the services in /etc/inet/inetd.conf be disabled. For more information, please check out the latest Sun Blueprints for securing Solaris: Solaris Operating Environment Security - Updated for Solaris 8 Operating Environment and Solaris Operating Environment Security - Updated for Solaris 9 Operating Environment.

Disable DARPA name server

DARPA stands for Defense Advanced Research Projects Agency. in.tnamed is a server that supports the DARPA Name Server Protocol. The name server operates at the port indicated in the "name" service description, and is invoked by inetd when a request is made to the name server.

The protocol implemented by this program is obsolete. Its use should be phased out in favor of the Internet Domain Name Service (DNS) protocol.

To disable the DARPA name server, the following file is modified:

/etc/inet/inetd.conf

and the following line is commented out:

name dgram udp wait root /usr/sbin/in.tnamed in.tnamed

Disable rsh

Access control and accountability are critical to the security of a system. Access control should involve strong authentication for system access, while accountability information should provide tracking data for system changes. The standard r* commands (rsh, rlogin and rcp) break both of these requirements, because most implementations of the r* commands rely on "zones of trust". Within a zone of trust all systems are trusted and no additional authentication is required, so an intruder need only gain access to one server in order to gain access to all of them.

rsh creates a remote shell on a host, which allows a user to execute commands on the remote Unix host. The rsh service uses inadequate authentication based on the client IP address (which can be spoofed), on DNS (which can be spoofed) and on the notion of reserved ports (on Unix systems only root can bind a source port below 1024). The server can trust a whole variety of hosts (with /etc/hosts.equiv), and individual users can trust user/host pairs (with ~user/.rhosts). This is a very convenient system with many possible security compromises. For example, all the data sent between client and server is transmitted across the network without encryption and can be captured by a network sniffer. For security purposes, rsh should be disabled or replaced with an SSH implementation such as ssh or OpenSSH.


This is part one of disabling the "r" based services (rsh, rlogin, etc.); the disabling of the authentication part of the service is done later in the subsection Disable PAM configuration for rsh and rlogin. Across the two parts, the following files are either locked or modified:

/etc/pam.conf
/etc/inet/inetd.conf
/etc/hosts.equiv

To disable the program part of rsh, the following file is modified:

/etc/inet/inetd.conf

and the following lines are commented out:

shell stream tcp nowait root /usr/sbin/in.rshd in.rshd
shell stream tcp6 nowait root /usr/sbin/in.rshd in.rshd

Disable rlogin

rlogin establishes a remote login session for trusted users/sites without a password challenge. The rlogin service uses inadequate authentication based on the client IP address (which can be spoofed), on DNS (which can be spoofed) and on the notion of reserved ports (on Unix systems only root can bind a source port below 1024). The server can trust a whole variety of hosts (with /etc/hosts.equiv), and individual users can trust user/host pairs (with ~user/.rhosts). This is a very convenient system with many possible security compromises. For example, the server issues a Password: challenge if the user does not pass the weak host-based authentication, but that password, like all other rlogin traffic, is transmitted unencrypted and can be captured by a network sniffer. in.rlogind runs as root, and for security purposes it should be disabled or replaced with an SSH implementation such as ssh or OpenSSH.

This is part one of disabling the "r" based services (rsh, rlogin, etc.); the disabling of the authentication part of the service is done later in the subsection Disable PAM configuration for rsh and rlogin. Across the two parts, the following files are either locked or modified:

/etc/pam.conf
/etc/inet/inetd.conf
/etc/hosts.equiv

To disable the program part of rlogin, the following file is modified:

/etc/inet/inetd.conf

and the following line is commented out:

login stream tcp6 nowait root /usr/sbin/in.rlogind in.rlogind
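Commenting out the shell and login entries removes the listeners, but the trust data that made rsh and rlogin dangerous (the /etc/hosts.equiv and ~user/.rhosts files described in the two subsections above) stays on disk and comes straight back into effect if the services are ever re-enabled. The following POSIX shell script is an added example, not code from the Nortel guide, that audits that data: it counts bare "+" wildcard entries in a hosts.equiv-format file, lists the hosts it trusts, and finds every .rhosts file in the home directories named by a passwd-format file. The file paths are parameters so it can be pointed at /etc/hosts.equiv and /etc/passwd on a real system; the sample data it writes is constructed.

```shell
#!/bin/sh
# Added example for the rsh/rlogin subsections of the Nortel Solaris
# hardening guide; not part of the guide or of Solaris. Audits the r*
# trust files that remain after in.rshd and in.rlogind are disabled.
# All sample input created below is constructed for the demonstration.

# trust_wildcards FILE
# Prints the number of active hosts.equiv entries whose host field is a bare
# "+", which trusts every host (and, as "+ +", every user on every host).
trust_wildcards() {
    awk 'NF > 0 && $1 !~ /^#/ && $1 == "+" { n++ } END { print n + 0 }' "$1"
}

# trusted_hosts FILE
# Lists the host field of every active entry so the remaining trust can be
# reviewed line by line (netgroups appear as "+@group").
trusted_hosts() {
    awk 'NF > 0 && $1 !~ /^#/ { print $1 }' "$1"
}

# rhosts_files PASSWD_FILE
# Walks the home-directory field of a passwd-format file and prints every
# ~user/.rhosts that exists. Each one is a per-user trust list for the r*
# services and should be removed together with the inetd entries.
rhosts_files() {
    awk -F: 'NF >= 6 && $6 != "" { print $6 "/.rhosts" }' "$1" |
    while read -r f; do
        if [ -f "$f" ]; then
            printf '%s\n' "$f"
        fi
    done
}

# make_sample_trust_data DIR
# Constructed data: a hosts.equiv with one wildcard, a passwd file with two
# users whose home directories live under DIR, and a .rhosts for one of them.
make_sample_trust_data() {
    dir=$1
    mkdir -p "$dir/home/alice" "$dir/home/bob"
    printf '# constructed sample\nbuildhost\n+\nbackup01 oper\n' > "$dir/hosts.equiv"
    printf 'alice:x:1001:10::%s/home/alice:/bin/sh\n' "$dir" > "$dir/passwd"
    printf 'bob:x:1002:10::%s/home/bob:/bin/sh\n' "$dir" >> "$dir/passwd"
    printf 'devbox alice\n' > "$dir/home/alice/.rhosts"
}

# Demonstration on scratch data. On a real system run the three functions
# against /etc/hosts.equiv and /etc/passwd before and after the cleanup.
scratch=/tmp/rtrust_demo.$$
make_sample_trust_data "$scratch"
echo "hosts.equiv wildcard entries: $(trust_wildcards "$scratch/hosts.equiv")"
echo "hosts trusted by hosts.equiv:"
trusted_hosts "$scratch/hosts.equiv"
echo ".rhosts files found:"
rhosts_files "$scratch/passwd"
rm -rf "$scratch"
```

A non-zero wildcard count means any host that can reach the machine is already inside its "zone of trust"; the usual remedy on a hardened server is to remove /etc/hosts.equiv entirely and to delete, or replace with an empty root-owned file, every .rhosts the last function reports.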

Disable remote execution

The remote execution server daemon, in.rexecd, is started from /etc/inet/inetd.conf when a connection request is made. This daemon provides remote execution facilities based on user name and password information. Once authenticated, the daemon executes the command passed along with the authentication information. Unfortunately, neither the user name nor the password is encrypted while transmitted over the network. This exposes the in.rexecd daemon to man-in-the-middle, session hijacking and network sniffing attacks. For this reason, and because it runs as user root, the in.rexecd entries in /etc/inet/inetd.conf should be disabled.

To disable remote execution, the following file is modified:

/etc/inet/inetd.conf

with the following lines commented out:

exec stream tcp nowait root /usr/sbin/in.rexecd in.rexecd
exec stream tcp6 nowait root /usr/sbin/in.rexecd in.rexecd

Disable biff server

The biff server gives notification of incoming mail messages. Also known as the comsat service, it listens for reports of incoming mail and notifies users who have asked to be told when mail arrives with a "you have mail" message on their terminal. This notification can be turned off or on for each terminal session with the biff command. With no arguments, biff displays the current notification status for the terminal. If notification is allowed, the terminal rings the bell and displays the header and the first few lines of each arriving mail message. biff operates asynchronously; for synchronous notices, the MAIL variable of sh or the mail variable of csh is used.

comsat is invoked as needed by inetd and times out if inactive for a few minutes. It runs as user root and may be compromised, so if it is not being used it should be disabled. Since this guide recommends that the SMTP server be disabled and that all logging be sent to a file or the console, there is no longer any reason for this service to be turned on.

To disable the biff server, the following file is modified:

/etc/inet/inetd.conf

with the following line commented out:

comsat dgram udp wait root /usr/sbin/in.comsat in.comsat

Disable talk server

talkd is the server used by the talk program. It listens at the UDP port indicated in the "talk" service description; the actual conversation takes place on a TCP connection that is established by negotiation between the two machines involved. It runs as user root and might be compromised. Therefore, if it is not needed, it should be disabled.

To disable the talk server, the following file is modified:

/etc/inet/inetd.conf

with the following line commented out:

talk dgram udp wait root /usr/sbin/in.talkd in.talkd

Disable UUCP (UNIX-UNIX copy) server

in.uucpd is the server side of Unix-to-Unix copy (UUCP), which supports traditional UUCP style networking over an IP network; the uucp client copies files named by its source-file arguments to the destination-file argument. The server runs as user root and might be compromised. Therefore, if it is not needed, it should be disabled.


To disable the UNIX-UNIX copy server, the following file is modified:

/etc/inet/inetd.conf

with the following line commented out:

uucp stream tcp nowait root /usr/sbin/in.uucpd in.uucpd

Disable trivial FTP server

The tftp service (Trivial File Transfer Protocol) exists to give diskless systems a way to access files on the network, and is provided primarily for booting. Most sites run it only on machines acting as boot servers. The tftp daemon (in.tftpd) has no authentication facilities; it only allows clients to access publicly readable files, and with the -s option only files under a restricted directory. Diskless workstations, X terminals and some printers use this service to load the files they need to boot. The tftp service is often configured in error, and attackers use it to retrieve password files and other system files that may compromise system integrity. It runs as user root and might be compromised. Therefore, if it is not needed, it should be disabled.

in.tftpd is managed by the inetd server process and is configured in /etc/inet/inetd.conf. By default it is not enabled in Solaris. If this service is necessary, it should be configured securely: keep the -s option, which makes in.tftpd change its root directory to the given boot directory, and keep that directory free of anything other than the boot images it must serve.

To disable the trivial FTP server, the following file is modified:

/etc/inet/inetd.conf

with the following line commented out (the default state of this service is off, i.e. commented out):

#tftp dgram udp6 wait root /usr/sbin/in.tftpd in.tftpd -s /tftpboot

Disable finger server

The finger service (in.fingerd) provides information about local and remote users on the system. Historically it has been used to compromise systems, and it is a good tool for attackers to enumerate system users; many sites disable it. Unlike most of the services in this section it runs as user nobody rather than root (see the inetd.conf entry below), but the information it discloses is reason enough to disable it if it is not needed.

To disable the finger server, the following file is modified:

/etc/inet/inetd.conf

with the following line commented out:

finger stream tcp6 nowait nobody /usr/sbin/in.fingerd in.fingerd

Disable systat

systat allows remote learning of process status, i.e. what jobs are currently running on the system, by returning the output of ps -ef to anyone who connects. The ps command prints information about active processes. Without options, ps prints information about processes that have the same effective user ID and the same controlling terminal as the invoker; the output contains only the process ID, terminal identifier, cumulative execution time and command name. With -ef it lists every process on the system in full. Please see the man pages for more information.

systat runs as root and provides far too much system information to unauthenticated remote users. It should be disabled if it is not needed.

To disable systat, the following file is modified:


/etc/inet/inetd.conf

with the following line commented out (the default state of this service is off, i.e. commented out):

#systat stream tcp nowait root /usr/bin/ps ps -ef

Disable netstat

netstat allows remote learning of network status, i.e. which peers are currently connected to the system. netstat displays the contents of certain network-related data structures in various formats, depending on the options selected. The first form of the command displays a list of active sockets for each protocol. The second form selects one from among various other network data structures. The third form shows the state of the interfaces. The fourth form displays the routing table, the fifth form displays the multicast routing table, and the sixth form displays the state of DHCP on one or all interfaces. With no arguments, netstat prints the connected sockets for PF_INET, PF_INET6 and PF_UNIX, unless modified by the -f option. Please see the man pages for more information on options.

The netstat service hands out system information which may then be used to launch attacks against the system. It also runs as root and may be compromised. Therefore, if it is not needed, it should be disabled. To disable netstat, the following file is modified:

/etc/inet/inetd.conf

with the following line commented out (the default state of this service is off, i.e. commented out):

#netstat stream tcp nowait root /usr/bin/netstat netstat -f inet

Disable legacy time services

The time service (not to be confused with the Network Time Protocol) returns the current system time. xntpd has been included with the Solaris distribution for time synchronization since Solaris 2.6, and it offers security and functionality improvements over rdate and time. Whenever possible xntpd should be used instead of the time service. The time service is very old, predates NTP and is seldom used. It is an internal, built-in function of inetd, which runs as user root and might be compromised. Therefore, if it is not needed, it should be disabled.

To disable the legacy time services, the following file is modified:

/etc/inet/inetd.conf

with the following lines commented out:

time stream tcp6 nowait root internal
time dgram udp6 wait root internal

Disable echo

The echo service (not to be confused with the ICMP echo used by ping, nor with the echo shell utility) simply returns whatever data is sent to it, on both TCP and UDP port 7. It was a diagnostic tool for testing connectivity and is seldom used any more.

The echo service is very old, predates ping and is seldom used any more. It can be used in denial of service attacks, either to tie up sockets or, on UDP, as a reflector: a spoofed datagram aimed at the echo port of one host and apparently sent from the echo or chargen port of another sets up a loop of traffic between the two. It is an internal, built-in function of inetd, which runs as user root and might be compromised. Therefore, it should be disabled.


To disable echo, the following file is modified:

/etc/inet/inetd.conf

with the following lines commented out:

echo stream tcp6 nowait root internal
echo dgram udp6 wait root internal

Disable discard

The discard service silently discards whatever data is sent to it. It is very old and was most probably used for diagnostics, a function for which it is not used any more. It could be used in a denial of service attack to tie up sockets. It is an internal, built-in function of inetd, which runs as user root and might be compromised. Therefore, it should be disabled.

To disable discard, the following file is modified:

/etc/inet/inetd.conf

with the following lines commented out:

discard stream tcp6 nowait root internal
discard dgram udp6 wait root internal

Disable daytime

The daytime service (not to be confused with the Network Time Protocol) returns the system time as a human-readable string. It is very old, predates NTP and is seldom used. It is an internal, built-in function of inetd, which runs as user root and may be compromised. Therefore, if it is not needed, it should be disabled.

To disable daytime, the following file is modified:

/etc/inet/inetd.conf

with the following lines commented out:

daytime stream tcp6 nowait root internal
daytime dgram udp6 wait root internal

Disable chargen

chargen generates a continuous stream of characters, which was useful for testing TCP services back in 1982. Today it is not used. However, it could be used in a denial of service attack to consume sockets and bandwidth, particularly when its UDP port is pointed at another host's UDP echo port. It is an internal, built-in function of inetd, which runs as user root and may be compromised. Therefore, it should be disabled.

To disable chargen, the following file is modified:

/etc/inet/inetd.conf

with the following lines commented out:

chargen stream tcp6 nowait root internal
chargen dgram udp6 wait root internal


Disable Solstice system and network administration class agent server

sadmind, the distributed system administration daemon, is used by the Solstice AdminSuite applications to perform distributed system administration operations remotely. The sadmind daemon is started automatically by inetd whenever a request to invoke an operation is received, and continues to run for 15 minutes after the last request completes unless a different idle time is specified. The sadmind daemon may also be started independently from the command line, for example at system boot time; in that case the idle-time specification has no effect and sadmind continues to run even if there are no active requests. The sadmind daemon can be configured to write tracing information into a log file.

sadmind typically does not make use of the stronger authentication mechanism available to it (AUTH_DES) but defaults to weak AUTH_SYS authentication, in which the client simply asserts its own user and group IDs and the server believes them. It also runs as user root and may be compromised, and it ranked in the SANS top ten security threats of 2002. Network-based attacks against sadmind pose a significant threat to the security of a server, and it should therefore be disabled if it is not being used.

Sun states that on almost all servers the RPC services in /etc/inet/inetd.conf can be removed. Many applications that use RPC add their own entries to /etc/inet/inetd.conf in addition to using one of the RPC based daemons. The RPC services in /etc/inet/inetd.conf should be removed unless specifically required.

To disable the Solstice system and network administration class agent server, the following file is modified:

/etc/inet/inetd.conf

with the following line commented out :

100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind

Disable Remote Disk Quota Server

rquotad is an RPC server which returns quotas for a user of a local file system that is mounted by a remote machine over NFS. The results are used to display user quotas for remote file systems. The rquotad daemon is normally invoked by inetd. It runs as user root and might be compromised. Therefore, if it is not being used, it should be disabled.

To disable the remote disk quota server, the following file is modified:

/etc/inet/inetd.conf

with the following line commented out :

rquotad/1 tli rpc/datagram_v wait root /usr/lib/nfs/rquotad rquotad

Disable rusers service

rpc.rusersd, the network username server, returns a list of the users logged in on the host. The rpc.rusersd daemon may be started by inetd or by the listen process. rpc.rusersd gives out information about your system, it is not an essential service, and it runs as user root and may be compromised. Therefore, if it is not being used, it should be disabled.

To disable the rusers server, the following file is modified:

/etc/inet/inetd.conf

with the following line commented out :


rusersd/2-3 tli rpc/datagram_v,circuit_v wait root /usr/lib/netsvc/rusers/rpc.rusersd rpc.rusersd

Disable spray service

rpc.sprayd, the spray server, receives and records the packets sent by spray, a ping-like tool. The service provided by rpc.sprayd is not useful as a networking benchmark because it uses unreliable connectionless transports such as UDP: it can report a large number of dropped packets when the drops were in fact caused by the sending program emitting packets faster than they could be buffered locally before transmission to the network medium.

The rpc.sprayd daemon may be started by the inetd process or the listen process. It runs as user root and may be compromised. Therefore, if it is not being used, it should be disabled.

To disable spray service, the following file is modified:

/etc/inet/inetd.conf

with the following line commented out :

sprayd/1 tli rpc/datagram_v wait root /usr/lib/netsvc/spray/rpc.sprayd rpc.sprayd

Disable wall service

rpc.rwalld is a network server that handles rwall requests (write to all users on remote systems). It is implemented by calling wall on each of the target machines.

The rpc.rwalld daemon may be started by inetd or by the listen process. It is not considered an essential tool. It runs as user root and may be compromised. Therefore, if it is not being used, it should be disabled.

To disable wall service, the following file is modified:

/etc/inet/inetd.conf

with the following line commented out :

walld/1 tli rpc/datagram_v wait root /usr/lib/netsvc/rwall/rpc.rwalld rpc.rwalld

Disable kernel statistics server

rpc.rstatd is an RPC server that returns performance statistics about the system obtained from the kernel. In general this service is not used, since it impacts overall server performance, and Sun recommends disabling it. It runs as user root and may be compromised. Therefore, if it is not being used, it should be disabled.

To disable the kernel statistics server, the following file is modified:

/etc/inet/inetd.conf

with the following line commented out :

rstatd/2-4 tli rpc/datagram_v wait root /usr/lib/netsvc/rstat/rpc.rstatd rpc.rstatd


Disable RPC based remote execution server

rpc.rexd is the Sun RPC based remote execution server, used to execute programs and commands remotely on a target system. rpc.rexd does not make use of the stronger authentication mechanisms available to it but defaults to weak authentication. Network-based attacks against such services pose a significant threat to the security of a server.

The rpc.rexd daemon is started by the inetd process whenever a remote execution request is made. It runs as user root and may be compromised. Therefore, if it is not being used, it should be disabled.

To disable the RPC based remote execution server, the following file is modified:

/etc/inet/inetd.conf

with the following line commented out (the default state of this service is off, i.e. commented out):

#rexd/1 tli rpc/tcp wait root /usr/sbin/rpc.rexd rpc.rexd

Disable calendar server

rpc.cmsd is the calendar manager daemon, which allows a user to update his calendar and, since it runs as root, to look at other users' calendars. This service is part of CDE (Common Desktop Environment), where users set up calendar entries in the GUI. Since it runs as root, it is a security exposure which may be compromised. Therefore, if it is not being used, it should be disabled.

The following file is modified:

/etc/inet/inetd.conf

with the following line commented out:

100068/2-5 dgram rpc/udp wait root /usr/dt/bin/rpc.cmsd rpc.cmsd

Disable Sun ToolTalk server

rpc.ttdbserverd is the RPC-based ToolTalk database server. It serves four purposes:

1. Mapping a spec to its associated file and a file to its associated specs.

2. Mapping a spec to its properties.

3. Mapping a file to a list of sessions with clients having patterns registered in the scope of that file.

4. Answering netfile queries; see tt_file_netfile and tt_host_file_netfile.

In general, it should be disabled. The following file is modified:

/etc/inet/inetd.conf

with the following line commented out:

100083/1 tli rpc/tcp wait root /usr/dt/bin/rpc.ttdbserverd rpc.ttdbserverd

Disable UFS-aware server

The ufsd service is an RPC-managed daemon and is disabled by default.

The following file is modified:

/etc/inet/inetd.conf


to ensure that the line below stays commented out:

#ufsd/1 tli rpc/* wait root /usr/lib/fs/ufs/ufsd ufsd -p

Disable KCMS server

kcms_server provides remote access to local KCMS profiles, which are used by the Kodak Color Management System for advanced graphics. It runs as user root and may be compromised. Therefore, if it is not being used, it should be disabled.

For more information about the KCMS server, please refer to the Sun KCMS collection web site.

The following file is modified :

/etc/inet/inetd.conf

with the line below commented out:

100221/1 tli rpc/tcp wait root /usr/openwin/bin/kcms_server kcms_server

Disable Sun font server

fs is the X11 font server. If the system does not supply X11 fonts to anyone, this service is not needed. Unlike most of the services in this section it runs as user nobody rather than root (see the inetd.conf entry below), but in almost all cases an OAM server should never be a font server. Therefore, it should be disabled.

For more information about the font server, please refer to the Sun Solaris 8 Font Admin Guide.

The following file will be modified:

/etc/inet/inetd.conf

with the line below commented out:

fs stream tcp wait nobody /usr/openwin/lib/fs.auto fs

Disable cachefs daemon

The cachefsd daemon layers local file caching on NFS mounted disks, similar to a smart automounter. It increases NFS performance, especially on file systems that are essentially read-only (like /usr). However, it runs as user root and may be compromised. Therefore, if it is not being used, it should be disabled.

This is the last part of disabling cachefs; across all parts the following system files are affected:

/etc/rcS.d/S35cacheos.sh
/etc/rcS.d/S41cachefs.root
/etc/rc2.d/S73cachefs.daemon
/etc/rc2.d/S93cacheos.finish
/etc/inet/inetd.conf

For this part, the following file will be modified:

/etc/inet/inetd.conf

with the line below commented out:


100235/1 tli rpc/tcp wait root /usr/lib/fs/cachefs/cachefsd cachefsd

Disable Kerberos V5 warning server

The Kerberos system authenticates individual users in a network environment. After a user is authenticated to Kerberos, he can use the Kerberos authentication option of network services such as NFS. In addition, in some environments network utilities such as rlogin, rcp and rsh can be used without presenting passwords to remote hosts and without .rhosts files. For Kerberos to be used effectively and correctly, an entire infrastructure of Kerberos components must be deployed, which adds administrative overhead that may not be desired.

ktkt_warnd is the Kerberos ticket expiry warning daemon and is managed as an RPC service (registered on the local ticotsord transport). It runs as root, and if Kerberos is not in use it is an unnecessary exposure which might be compromised. It should be disabled.

The following file will be modified:

/etc/inet/inetd.conf

with the line below commented out:

100134/1 tli rpc/ticotsord wait root /usr/lib/krb5/ktkt_warnd ktkt_warnd

Disable BSD print listener

in.lpd is the BSD print protocol listener. Unless the system is a print server, this service should be disabled.

The following file will be modified:

/etc/inet/inetd.conf

with the line below commented out:

printer stream tcp6 nowait root /usr/lib/print/in.lpd in.lpd

Disable dtterm subprocess daemon

This service is part of the CDE package. The CDE subprocess control daemon, /usr/dt/bin/dtspcd, contains an insufficient check on client credentials, which can lead to a local root compromise because the daemon runs as root. It should be disabled.

The following file will be modified:

/etc/inet/inetd.conf

with the line below commented out:

dtspc stream tcp nowait root /usr/dt/bin/dtspcd /usr/dt/bin/dtspcd

Disable OCF (smart card) daemon

Unless the server has a smart card reader, this service should be disabled (the service is managed by RPC). Some of the newer Sun Blade workstations may come with a smart card reader, but the hardware documentation states that the current OS does not have a driver for it. In short, a Sun enterprise class server should not need this service.

The following file will be modified:

/etc/inet/inetd.conf


with the line below commented out:

100150/1 tli rpc/ticotsord wait root /usr/sbin/ocfserv ocfserv

Reduce inetsvc Functionalities

The following section illustrates the steps to minimize the functions provided by the inetsvc script, in order to reduce the risks associated with the unneeded functions started by inetsvc. Alternatively, you may install a replacement /etc/init.d/inetsvc file like the example in Appendix A; be sure to re-create the hard link in /etc/rc2.d:

ln /etc/init.d/inetsvc /etc/rc2.d/S72inetsvc

Disable DHCP support

OAM servers are normally configured with static IP addresses and hostnames; therefore the DHCP client support should be disabled, as recommended by Sun. Please note that this DHCP support has nothing to do with DHCP servers used in the OAM network.

The following files will be modified:

/etc/init.d/inetsvc
/etc/rc2.d/S72inetsvc

with these blocks of script code removed:

if [ "$_INIT_NET_STRATEGY" = "dhcp" ]; then
    dnsdomain=`/sbin/dhcpinfo DNSdmain`
else
    dnsdomain=
fi

if [ -n "$dnsdomain" ]; then
    dnsservers=`/sbin/dhcpinfo DNSserv`
    if [ -n "$dnsservers" ]; then
        if [ -f /etc/resolv.conf ]; then
            /usr/bin/rm -f /tmp/resolv.conf.$$
            /usr/bin/sed -e '/^domain/d' -e '/^nameserver/d' \
                /etc/resolv.conf >/tmp/resolv.conf.$$
        fi
        echo "domain $dnsdomain" >>/tmp/resolv.conf.$$
        for name in $dnsservers; do
            echo nameserver $name >>/tmp/resolv.conf.$$
        done
    else
        if [ -f /etc/resolv.conf ]; then
            /usr/bin/rm -f /tmp/resolv.conf.$$
            /usr/bin/sed -e '/^domain/d' /etc/resolv.conf \
                >/tmp/resolv.conf.$$
        fi
        echo "domain $dnsdomain" >>/tmp/resolv.conf.$$
    fi

    #
    # Warning: The umask is 000 during boot, which requires explicit
    # setting of file permission modes when we create files.
    #
    /usr/bin/mv /tmp/resolv.conf.$$ /etc/resolv.conf
    /usr/bin/chmod 644 /etc/resolv.conf

    # Add dns to the nsswitch file, if it isn't already there.
    /usr/bin/rm -f /tmp/nsswitch.conf.$$
    /usr/bin/awk ' $1 ~ /^hosts:/ {
        n = split($0, a);
        newl = a[1];
        if ($0 !~ /dns/) {
            printf("#%s # Commented out by DHCP\n", $0);
            updated = 0;
            for (i = 2; i <= n; i++) {
                if (updated == 0 && index(a[i], "[") == 1) {
                    newl = newl" dns";
                    updated++;
                }
                newl = newl" "a[i];
            }
            if (updated == 0) {
                newl = newl" dns";
                updated++;
            }
            if (updated != 0)
                newl = newl" # Added by DHCP";
            else
                newl = $0;
            printf("%s\n", newl);
        } else
            printf("%s\n", $0);
    }
    $1 !~ /^hosts:/ { printf("%s\n", $0); }' /etc/nsswitch.conf \
        >/tmp/nsswitch.conf.$$
    /usr/bin/mv /tmp/nsswitch.conf.$$ /etc/nsswitch.conf
    /usr/bin/chmod 644 /etc/nsswitch.conf
elif grep '# Added by DHCP$' /etc/nsswitch.conf >/dev/null 2>&1; then
    # If we added DNS to a hosts line in the nsswitch, remove it.
    /usr/bin/rm -f /tmp/nsswitch.conf.$$
    /usr/bin/sed \
        -e '/# Added by DHCP$/d' \
        -e 's/^\(#hosts:\)\(.*[^#]\)\(#.*\)$/hosts: \2/' \
        /etc/nsswitch.conf >/tmp/nsswitch.conf.$$
    /usr/bin/mv /tmp/nsswitch.conf.$$ /etc/nsswitch.conf
    /usr/bin/chmod 644 /etc/nsswitch.conf
fi

if [ "$_INIT_NET_STRATEGY" = "dhcp" ]; then
    #
    # if DHCP doesn't return a hostname, use "unknown" so
    # client can resolve IP address into a local hostname.
    #
    hostname=`/sbin/dhcpinfo Hostname`
    if [ -z "$hostname" ]; then
        hostname="unknown"
    fi
    ipaddr=`/sbin/dhcpinfo Yiaddr`

    /usr/bin/rm -f /tmp/hosts.$$ /tmp/hosts_clear.$$

    # Delete any old lines added by dhcp.
    /usr/bin/sed -e '/# Added by DHCP$/d' /etc/inet/hosts \
        > /tmp/hosts_clear.$$

    shift $#        # Clear $0-9 first in case grep fails
    set -- `/usr/bin/grep "^[ ]*$ipaddr[ ]" \
        /tmp/hosts_clear.$$ 2>/dev/null`
    if [ $# -gt 0 ]; then
        #
        # IP address is already in the hosts file. Ensure the
        # associated hostname is the same as the Hostname
        # property returned by the DHCP server.
        #
        /usr/bin/sed -e "/^[ ]*${ipaddr}[ ]/s/${2}/${hostname}/" \
            /tmp/hosts_clear.$$ >/tmp/hosts.$$
    else
        #
        # IP address is missing from the hosts file. Now check
        # to see if the hostname is present with a different IP.
        #
        shift $#        # Clear $0-9 in case grep fails
        set -- `/usr/bin/grep -s -v '^#' /tmp/hosts_clear.$$ | \
            /usr/bin/egrep "[ ]${hostname}([ ]|$)"`
        if [ $# -gt 0 ]; then
            #
            # Hostname is present in the hosts file. Rewrite this
            # line to have the new IP address and the DHCP comment.
            #
            /usr/bin/sed -e "/^[ ]*${1}[ ]/d" \
                /tmp/hosts_clear.$$ >/tmp/hosts.$$
            shift        # Shift off $1 (the old IP)
            echo "$ipaddr $*\c" | /usr/bin/tr ' ' '\t' \
                >>/tmp/hosts.$$
            echo "\t# Added by DHCP" >>/tmp/hosts.$$
        else
            #
            # Hostname is not present in the hosts file.
            # Add a new line for the host at the end of
            # the new hosts file.
            #
            /usr/bin/mv /tmp/hosts_clear.$$ /tmp/hosts.$$
            echo "${ipaddr}\t${hostname}\t# Added by DHCP" \
                >>/tmp/hosts.$$
        fi
    fi

    # Update loopback transport hosts files
    for inet in /etc/net/*/hosts; do
        echo "# RPC hosts" > $inet
        echo "$hostname\t$hostname" >> $inet
        /usr/bin/chmod 644 $inet
    done

    /usr/bin/rm -f /tmp/hosts_clear.$$
    /usr/bin/mv /tmp/hosts.$$ /etc/inet/hosts
    /usr/bin/chmod 644 /etc/inet/hosts
fi

Disable multicast support
Multicast is a method of sending network data to many systems at once using a single destination address. Unless the system must take part in a multicast application, Sun recommends disabling the code that adds the multicast route in /etc/init.d/inetsvc (/etc/rc2.d/S72inetsvc is a hard link to the same file, which is why both names appear below).

The following files will be modified:

/etc/init.d/inetsvc /etc/rc2.d/S72inetsvc

with the following block of script code commented out:

#
# Add a static route for multicast packets out our default interface.
# The default interface is the interface that corresponds to the node name.
# Run in background subshell to avoid waiting for name service.
#
(
    if [ "$_INIT_NET_STRATEGY" = "dhcp" ]; then
        mcastif=`/sbin/dhcpinfo Yiaddr` || mcastif=$_INIT_UTS_NODENAME
    else


        mcastif=$_INIT_UTS_NODENAME
    fi
    echo "Setting default IPv4 interface for multicast:" \
        "add net 224.0/4: gateway $mcastif"
    /usr/sbin/route -n add -interface "224.0/4" "$mcastif" >/dev/null
) &

Add inetd logging to inetsvc
Sun recommends that on restricted access servers all connections to services managed by inetd be logged. This is done by adding an option to the startup of inetd in /etc/rc2.d/S72inetsvc. With the -t option, inetd traces incoming connections to its TCP services, logging the client IP address, client port and service name through syslog; UDP services cannot be traced.

The following files will be modified:

/etc/init.d/inetsvc
/etc/rc2.d/S72inetsvc

with the following line replacing the original line (the extra -t switch enables the tracing):

/usr/sbin/inetd -s -t &

Clean Up password File This activity removes all the well known system accounts that are not used. This minimizes the chance of security breaches. The following account management files are modified:

/etc/passwd /etc/shadow

The following default system accounts, created by Solaris at installation, can be removed using the script given below:

uucp
nuucp
listen
lp
nobody4
smmsp (new in Solaris 9)

# use this script to remove unnecessary accounts
for user in uucp nuucp listen lp nobody4 smmsp
do
    /usr/sbin/passmgmt -d $user
done

passmgmt -d removes the entry from both /etc/passwd and /etc/shadow. It reports an error for an account that does not exist (smmsp on Solaris 8), which is harmless. Do not remove lp if the system must print, and leave nobody (as opposed to nobody4) in place, since NFS and other services map unauthenticated access to it.

Edit the password file and make /dev/null the shell for all but root and the users authorized under the customer network security policy. Shadow passwords are supported in Solaris 8 and 9 and shall be used by default. All unnecessary services and users should now have been disabled or removed.


Step 2: Setting Up Time Synchronization using NTP

System timekeeping can be done with either xntpd (daemon) or ntpdate (client). The daemon offers more functionality but also more exposure, including past xntpd buffer overflows. Unlike xntpd, which listens on UDP port 123 continuously, ntpdate is a client executed only when needed to fetch the time of day from a pre-defined NTP server. Use ntpdate to set the system clock from the NTP server on the core network. Add the following to a local startup script (Solaris does not ship an /etc/rc.local; use an rc2.d script of your own) to set the time of day at boot:

/usr/sbin/ntpdate -s NTP_server_addr

The -s switch logs ntpdate's actions via the syslog facility rather than sending them to standard output. For ongoing timekeeping the command can also be run from a cron job every hour on the hour:

0 * * * * /usr/sbin/ntpdate -s NTP_server_addr >> /var/log/ntpdate.log

Note that ntpdate steps the clock when the offset exceeds half a second, so timestamps in audit trails and logs can jump at each run; if the clock drifts badly between runs, xntpd, which slews the clock, is the better choice. If xntpd must be used, make sure it is the latest patched version, free of the known vulnerabilities. The latest xntpd vulnerability announced by CERT affects Solaris 8; for more information refer to this URL: http://www.kb.cert.org/vuls/id/JSHA-53ZUEY


Step 3: Configuring Additional Logging

Syslogd provides both local and remote logging: it can send messages to a remote host running syslogd. To forward messages to another host, prefix the hostname with the at sign ("@"). For maximum security of the logging information, send logs both to local files and to a dedicated logging host. Make sure the logging server is on the same protected management network, because syslogd has no access control and is subject to denial of service attacks if exposed to a public network such as the Internet. Do the following to expand on the default system logging and make sure all authentication errors are logged. Add the following to /etc/syslog.conf to log authentication errors to a local file and everything, including the authentication errors, to the remote log server:

auth.info	/var/log/authlog
*.*	@remote_logging_host

The selector and the action must be separated by a tab, not spaces; Solaris syslogd silently ignores a line that uses spaces. The remote host name must be resolvable when syslogd starts, so put it in /etc/hosts rather than relying on DNS.

Create /var/log/authlog:

touch /var/log/authlog
chown root /var/log/authlog
chmod 600 /var/log/authlog

Loginlog is a log of failed login attempts. It is not enabled by default; enable it by creating /var/adm/loginlog owned by root, group sys, with read/write permission for the owner only. By default login writes to it only after RETRIES (5) consecutive failed attempts in one session; if you have followed the instructions earlier in this document, all failed login attempts are logged. Inetd logging is enabled by launching inetd with the -t option; a log entry is then created every time an inetd TCP service is requested. If you have followed the instructions earlier in this document, inetd logging should be enabled. Create a log rotation script to rotate these logs. A sample can be found in /usr/lib/newsyslog and in Appendix B of this document. Modify the root crontab file to run it every day.
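The file creation, the syslog.conf lines and a permission check from this step, gathered into one script. This is an added example, not part of the Nortel guide: LOGROOT and SECURE_OWNER are assumptions of the script (LOGROOT lets it be rehearsed in a scratch directory; SECURE_OWNER=root:sys is what to pass when it runs as root), and the remote host name is a placeholder.

```sh
#!/bin/sh
# Added example, not part of the Nortel guide: create the extra log files
# with restrictive modes, emit the two syslog.conf lines with the TAB that
# syslogd requires between selector and action, and audit the result.
# LOGROOT and SECURE_OWNER are assumptions of this script (override LOGROOT
# to rehearse in a scratch directory; set SECURE_OWNER=root:sys as root).

LOGROOT=${LOGROOT:-/var}
AUTHLOG=$LOGROOT/log/authlog
LOGINLOG=$LOGROOT/adm/loginlog

# secure_logfile FILE MODE [OWNER]: create FILE if it is missing, set its
# mode, and chown it when an OWNER is given. Returns non-zero on any failure.
secure_logfile() {
    f=$1; m=$2; o=$3
    d=`dirname "$f"`
    [ -d "$d" ] || mkdir -p "$d" || return 1
    [ -f "$f" ] || : > "$f" || return 1
    chmod "$m" "$f" || return 1
    if [ -n "$o" ]; then
        chown "$o" "$f" || return 1
    fi
    return 0
}

# perm_string FILE: the ten-character mode column of ls -l, e.g. -rw-------
perm_string() {
    ls -ld "$1" | cut -c1-10
}

# check_logfile FILE PERMS: 0 if FILE exists with exactly PERMS, else 1.
# Worth running from a periodic audit: a rotation script that recreates
# the file with mode 644 would otherwise go unnoticed.
check_logfile() {
    [ -f "$1" ] || return 1
    p=`perm_string "$1"`
    [ "$p" = "$2" ]
}

# syslog_lines LOGHOST: the two lines this step adds to /etc/syslog.conf.
# The separator is written with printf so it is a real TAB; a space there
# makes syslogd ignore the rule without any error message.
syslog_lines() {
    printf 'auth.info\t%s\n' "$AUTHLOG"
    printf '*.*\t@%s\n' "$1"
}

# setup_logging LOGHOST: create both files and print the syslog.conf lines
# on stdout so they can be appended to the configuration.
setup_logging() {
    secure_logfile "$AUTHLOG" 600 "$SECURE_OWNER" || return 1
    secure_logfile "$LOGINLOG" 600 "$SECURE_OWNER" || return 1
    syslog_lines "$1"
}

# Usage on the real host, as root, followed by a re-read of the config:
#   SECURE_OWNER=root:sys sh setup_logging.sh remote_logging_host >> /etc/syslog.conf
#   kill -HUP `cat /etc/syslog.pid`
if [ -n "$1" ]; then
    setup_logging "$1"
fi
```

Run it once with a scratch LOGROOT and no SECURE_OWNER to see the files and lines it produces, then as root against /var. check_logfile is the part to keep after the install: call it for both files from the daily rotation job so a permission regression is reported instead of silently widening who can read the authentication log.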


Step 4: Fixing File Permissions

Solaris versions prior to Solaris 9 ship with file system permissions that need to be adjusted for security reasons. With the release of Solaris 9, this adjustment is reported to be no longer necessary for the core Solaris OE packages. In Solaris 8 and older versions many files and directories have the group write bit set; in most instances this permission is not necessary and should be switched off. Although file permission changes are not required for Solaris 9, they may be required for applications installed on top of the operating system, so permissions should be monitored on all Solaris versions. File permissions can be adjusted using a tool called fix-modes, which can be downloaded from:

http://www.sun.com/blueprints/tools
ftp://ftp.wins.uva.nl/pub/solaris/fix-modes.tar.gz

Please note that this tool is not supported by Sun. The fix-modes version available from sun.com is precompiled; the version from uva.nl is not and must be compiled on a Solaris system with a C compiler. Once compiled, install the fix-modes files and execute the tool to correct file system permissions. It is reported to have been used in production environments without problems. Be careful when installing patches and new packages: they may set permissions back to their original state, so execute fix-modes again after installing any packages or patches.


Step 5: Other Miscellaneous Actions

Restrict crontab and at Jobs
The cron system executes commands at a specified future time. User submissions to cron are handled by the crontab command; the at command does a similar job for one-off jobs. Access to both commands should be restricted. The access control files live in /etc/cron.d (/usr/lib/cron is a symbolic link to that directory): cron.allow and cron.deny control crontab, and at.allow and at.deny control at.

The allow file is checked first. If it exists, only the accounts listed in it may use the command, and the deny file is not consulted. If the allow file does not exist, the deny file is checked: an account listed there is refused and every other account is permitted. If neither file exists, only the root account can use the at or cron system. Solaris ships cron.deny and at.deny files containing some system accounts, and no allow files.

Please make sure that the /usr partition is mounted as read/write before carrying out this step. The following are the default crontab jobs created by the Solaris 8 and 9 installation process:

adm lp root sys uucp

They can be removed using these commands:

cd /var/spool/cron/crontabs
rm adm lp sys uucp

The following default users are listed in both the cron.deny and at.deny files:

bin daemon smtp nuucp listen nobody noaccess

which means all other users are allowed to run the crontab and at commands. If you don't need other users to run crontab and at jobs on the system, consider removing both deny files, which then allows only the root user to run those commands.

Message of the Day (motd)
Create the files /etc/motd and /etc/issue. A sample message is in Appendix D. Note that /etc/issue is displayed before the login prompt, so it is the one an intruder sees; /etc/motd appears only after a successful login.

EEPROM Password
Turn on EEPROM security. You will be prompted for a password; assign one that is different from the superuser password. This password will then be required to execute low-level hardware commands at the ok prompt, including booting from anything but the default device. Record it in a secure place: it is stored in NVRAM and cannot be recovered, and a forgotten EEPROM password means replacing the NVRAM module. Failed attempts are counted in the security-#badlogins variable, which is worth reading during an investigation.

eeprom security-mode=command
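The crontab/at access rule described above, written out as a shell function so the effect of an allow or deny file can be checked for any account before the files are edited. This is an added example, not part of the Nortel guide. Assumptions: CRONDIR defaults to /etc/cron.d (the directory /usr/lib/cron points at) and can be redirected to a scratch copy; root is treated as always permitted, as it is on Solaris; RBAC authorizations that can also grant access are not modelled.

```sh
#!/bin/sh
# Added example, not part of the Nortel guide: the crontab(1)/at(1) access
# decision as a function. CRONDIR and PASSWD are assumptions so the logic
# can be exercised against scratch files; root is always permitted.

CRONDIR=${CRONDIR:-/etc/cron.d}
PASSWD=${PASSWD:-/etc/passwd}

# listed USER FILE: 0 if USER appears as a whole line of FILE
listed() {
    while read line || [ -n "$line" ]; do
        [ "$line" = "$1" ] && return 0
    done < "$2"
    return 1
}

# cron_access USER [cron|at]: 0 if USER may submit jobs, 1 if not.
#   allow file present ....... only the accounts listed in it
#   only deny file present ... everyone except the accounts listed in it
#   neither file present ..... root only
cron_access() {
    user=$1; sys=${2:-cron}
    allow=$CRONDIR/$sys.allow
    deny=$CRONDIR/$sys.deny
    [ "$user" = root ] && return 0
    if [ -f "$allow" ]; then
        listed "$user" "$allow"
    elif [ -f "$deny" ]; then
        if listed "$user" "$deny"; then return 1; else return 0; fi
    else
        return 1
    fi
}

# report_access cron|at: one "system account allowed|denied" line per
# account in the password file; pipe it through grep allowed for review.
report_access() {
    cut -d: -f1 "$PASSWD" | while read u; do
        if cron_access "$u" "$1"; then s=allowed; else s=denied; fi
        echo "$1 $u $s"
    done
}

if [ -n "$1" ]; then
    report_access "$1"
fi
```

Running it as `sh cron_access.sh cron | grep allowed` on a freshly installed system lists every account that can currently schedule jobs, which is the list to compare against the policy before deciding whether to delete the deny files.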


In-bound FTP User Access Permission
All well-known system accounts are denied in-bound ftp access. This is the default setting when Solaris 8 or 9 is installed; this section is a check that the default has not been changed. Type the following command to display the content of the /etc/ftpusers file:

cat /etc/ftpusers

If the output does not match the following:

root daemon bin sys adm lp uucp nuucp listen nobody noaccess nobody4

you can run the following script to recreate it:

rm /etc/ftpusers
touch /etc/ftpusers
for user in root daemon bin sys adm \
    lp uucp nuucp listen nobody \
    noaccess nobody4
do
    echo $user >> /etc/ftpusers
done
chown root /etc/ftpusers
chgrp root /etc/ftpusers
chmod 600 /etc/ftpusers

On Solaris 9 the WU-FTPD based in.ftpd reads /etc/ftpd/ftpusers; /etc/ftpusers is still honoured for compatibility, but keep the two lists identical.

The .rhosts Support
Remove .rhosts support from /etc/pam.conf. The rhosts_auth entries are the ones that let rlogin and rsh trust a remote host without a password. Keep a root session open and confirm that a fresh login still works before closing it, because an invalid pam.conf locks everyone out.

grep -v rhosts_auth /etc/pam.conf > /etc/pam.new
mv /etc/pam.new /etc/pam.conf
chown root /etc/pam.conf
chgrp sys /etc/pam.conf
chmod 644 /etc/pam.conf

Default Login
Edit the /etc/default/login file and uncomment

• the UMASK=022 line to set the initial shell file creation mode mask to 022.
• the CONSOLE=/dev/console line to restrict root logins to the console, which disables remote root login (via telnet, for example).
• the SUPATH=/usr/sbin:/usr/bin line to make sure root has a safe path.
• the RETRIES=5 line to allow only 5 failed logins; you can reduce it to, say, 3.
• the SYSLOG_FAILED_LOGINS=5 line and change 5 to 0 so that every failed login attempt is logged through syslog.


Keyboard Abort (Stop-A)
Keyboard abort is automatically disabled when BSM is enabled. To disable it manually, edit /etc/default/kbd, uncomment the KEYBOARD_ABORT line and set it to KEYBOARD_ABORT=disable (the shipped value is enable), which disables the Stop-A sequence (aka break). The downside is that if the machine locks up, only a hard power cycle will recover it. On Solaris 8 and later, KEYBOARD_ABORT=alternate keeps a way in by switching the serial console to the alternate break sequence instead of disabling the abort entirely.

TCP Sequence Number
Edit the /etc/default/inetinit file and set TCP_STRONG_ISS=2 so that the system uses RFC 1948 style generation of TCP initial sequence numbers, which an off-path attacker cannot predict.

Default Password Length
Raise the minimum password length from 6 to 8 in /etc/default/passwd and set password aging to 12 weeks (or the values specified by customer security policy requirements):

MAXWEEKS=12
MINWEEKS=10
PASSLENGTH=8

Note that MINWEEKS=10 together with MAXWEEKS=12 leaves users only a two-week window in which they may change the password; a smaller MINWEEKS (for example 1) still prevents immediate cycling back to an old password while leaving room to change a compromised one. With the traditional crypt_unix algorithm only the first 8 characters of a password are significant, so a PASSLENGTH above 8 buys nothing there.

Shadow Password
Shadow passwords are supported in Solaris 8 and 9 and shall be used by default: the hashes live in /etc/shadow, readable only by root, never in the world-readable /etc/passwd. Please refer to the Strong Password Guide provided by Nortel Networks.

Stack-smashing
Edit /etc/system and add the following:

* Attempt to prevent and log stack-smashing
* attacks
set noexec_user_stack = 1
set noexec_user_stack_log = 1

The settings take effect at the next reboot and are effective on sun4u (UltraSPARC) systems, where the MMU can mark the stack non-executable. They do not stop every overflow (return-into-libc and heap attacks are unaffected), but the log setting records each blocked attempt through syslog, and those messages are worth forwarding to the log host.

TCP Wrapper and SSH
Install the TCP Wrapper binary tcpd in /usr/sbin from ftp://ftp.cert.org/pub/tools/tcp_wrappers. If you must leave telnet and FTP on the system, put them behind the TCP Wrapper by naming /usr/sbin/tcpd as the server program in their inetd.conf entries. (The Solaris 9 inetd has the wrapper library built in: set ENABLE_TCPWRAPPERS=YES in /etc/default/inetd and the same hosts.allow and hosts.deny files apply without tcpd.) Make sure /etc/hosts.deny contains only the following uncommented entry:

ALL: ALL

Make sure /etc/hosts.allow contains uncommented entries only for the hosts you want to grant remote login access to. Example:

ALL: trusted_host1, trusted_ip1

The first field is matched against the daemon's process name (in.telnetd, in.ftpd, sshd), and the client list accepts host names, addresses and network/mask pairs. It is recommended that SSH be used instead of telnet and FTP. SSH is shipped with Solaris 9 but not with Solaris 8. For information on purchasing a commercially available and supported SSH solution, visit http://www.ssh.com, or refer to the OpenSSH for Solaris User Guide provided by Nortel Networks for information on how to obtain, install, configure and use OpenSSH on Solaris 8.


Step 6: Enhance Solaris Network Security

Add Network Settings For Security
Two files will be created and individual commands will be added to them to set the network tuning parameters that matter for security. ndd settings do not survive a reboot, which is why the script is linked into rc2.d and reapplied at every boot; S70 runs before S72inetsvc, so the settings are in place before inetd accepts connections. Create the first file by executing the following command:

touch /etc/init.d/nddconfig

Make it owned by root and executable (mode 744), or the rc sequence will skip it. Create the second file by making a symbolic link to the first file:

ln -s /etc/init.d/nddconfig /etc/rc2.d/S70nddconfig

You may directly add the following commands into the first file using your favourite editor such as vi:

ndd -set /dev/arp arp_cleanup_interval 60000
ndd -set /dev/ip ip_forward_directed_broadcasts 0
ndd -set /dev/ip ip_forward_src_routed 0
ndd -set /dev/ip ip_ignore_redirect 1
ndd -set /dev/ip ip_ire_arp_interval 60000
ndd -set /dev/ip ip_respond_to_address_mask_broadcast 0
ndd -set /dev/ip ip_respond_to_echo_broadcast 0
ndd -set /dev/ip ip_respond_to_timestamp 0
ndd -set /dev/ip ip_respond_to_timestamp_broadcast 0
ndd -set /dev/ip ip_send_redirects 0
ndd -set /dev/ip ip_strict_dst_multihoming 1
ndd -set /dev/tcp tcp_conn_req_max_q0 4096
ndd -set /dev/tcp tcp_conn_req_max_q 1024
ndd -set /dev/tcp tcp_rev_src_routes 0

Or you may follow the steps outlined below to first understand what each command does and then add it to the file.

Set arp_cleanup_interval This option determines the period of time the Address Resolution Protocol (ARP) cache maintains entries. ARP attacks may be effective with the default interval. Shortening the timeout interval should reduce the effectiveness of such an attack. The system default value is 300000 milliseconds (5 minutes), and the new setting is 60000 milliseconds (1 minute). Execute the following command to add this setting:

echo "ndd -set /dev/arp arp_cleanup_interval 60000" >> /etc/init.d/nddconfig

The ARP cleanup interval is set to 1 minute.

Set ip_forward_directed_broadcasts This option determines whether to forward broadcast packets directed to a specific net or subnet, if that net or subnet is directly connected to the machine. If the system is acting as a router, this option can be exploited to generate a great deal of broadcast network traffic. Turning this option off will help prevent broadcast traffic attacks. The system default value is 1 (true), and the new setting is 0 (false). Execute the following command to add this setting:

echo "ndd -set /dev/ip ip_forward_directed_broadcasts 0" >> /etc/init.d/nddconfig

IP forward directed broadcasts will be disabled.


Set ip_forward_src_routed This option determines whether to forward packets that are source routed. These packets define the path the packet should take instead of allowing network routers to define the path. The system default value is 1 (true) and the new setting is 0. Execute the following command to add this setting:

echo "ndd -set /dev/ip ip_forward_src_routed 0" >> /etc/init.d/nddconfig

IP forward source routing will be disabled.

Set ip_ignore_redirect
This option determines whether to ignore Internet Control Message Protocol (ICMP) redirect packets, which tell a host to use a different router for a destination. An attacker on the local network can send forged redirects to alter this host's routing table as part of a sophisticated attack (man in the middle) or a simple denial of service; a host with a single default router has no legitimate need to accept them. The system default value is 0 (false), and the new setting is 1. Execute the following command to add this setting:

echo "ndd -set /dev/ip ip_ignore_redirect 1" >> /etc/init.d/nddconfig

ICMP packets that define new routes will be ignored.

Set ip_ire_arp_interval This option determines the period of time at which a specific route will be kept, even if currently in use. ARP attacks may be effective with the default interval. Shortening the time interval may reduce the effectiveness of attacks. The system default interval is 1200000 milliseconds (20 minutes), and the new setting is 60000 milliseconds (1 minute). Execute the following command to add this setting:

echo "ndd -set /dev/ip ip_ire_arp_interval 60000" >> /etc/init.d/nddconfig

The IP_IRE_ARP interval will be set to 1 minute.

Set ip_respond_to_address_mask_broadcast This options determines whether to respond to ICMP netmask requests which are typically sent by diskless clients when booting. An attacker may use the netmask information for determining network topology or the broadcast address for the subnet. The default value is 0 (false) and the new setting is 0 as well. Execute the following command to add this setting:

echo "ndd -set /dev/ip ip_respond_to_address_mask_broadcast 0" >> /etc/init.d/nddconfig

The response to ICMP netmask requests will be disabled.

Set ip_respond_to_echo_broadcast This option determines whether to respond to ICMP broadcast echo requests (ping). An attacker may try to create a denial of service attack on subnets by sending many broadcast echo requests to which all systems will respond. This also provides information on systems that are available on the network. The system default value is 1 (true), and the new setting is 0. Execute the following command to add this setting:

echo "ndd -set /dev/ip ip_respond_to_echo_broadcast 0" >> /etc/init.d/nddconfig

The response to ICMP broadcast echo requests (ping) will be disabled.

Set ip_respond_to_timestamp This option determines whether to respond to ICMP timestamp requests which some systems use to discover the time on a remote system. An attacker may use the time information to schedule an attack at a period of time when the system may run a cron job (or other time-based event) or otherwise be busy. It may


also be possible to predict ID or sequence numbers that are based on the time of day in order to spoof services. The system default value is 1 (true), and the new setting is 0. Execute the following command to add this setting:

echo "ndd -set /dev/ip ip_respond_to_timestamp 0" >> /etc/init.d/nddconfig

The response to ICMP timestamp requests will be disabled.

Set ip_respond_to_timestamp_broadcast This option determines whether to respond to ICMP broadcast timestamp requests which are used to discover the time on all systems in the broadcast range. This option is dangerous for the same reasons as responding to a single timestamp request. Additionally, an attacker may try to create a denial of service attack by generating many broadcast timestamp requests. The default value is 1 (true), and the new setting is 0. Execute the following command to add this setting:

echo "ndd -set /dev/ip ip_respond_to_timestamp_broadcast 0" >> /etc/init.d/nddconfig

The response to ICMP broadcast timestamp requests will be disabled.

Set ip_send_redirects This option determines whether to send ICMP redirect messages which can introduce changes into remote system's routing table. It should only be used on systems that act as routers. The system default value is 1 (true), and the new setting is 0. Execute the following command to add this setting:

echo "ndd -set /dev/ip ip_send_redirects 0" >> /etc/init.d/nddconfig

ICMP redirect messages will be disabled.

Set ip_strict_dst_multihoming This option determines whether to enable strict destination multihoming. If this is set to 1 and ip_forwarding is set to 0, then a packet sent to an interface from which it did not arrive will be dropped. This setting prevents an attacker from passing packets across a machine with multiple interfaces that is not acting as a router. The system default value is 0 (false), and the new setting is 1. Execute the following command to add this setting:

echo "ndd -set /dev/ip ip_strict_dst_multihoming 1" >> /etc/init.d/nddconfig

Strict destination multihoming will be enabled.

Set tcp_conn_req_max_q0
This option sets the size of the queue of unestablished (half-open) connections, those for which a SYN has been received but the handshake has not completed. This queue is part of the protection mechanism against SYN flood attacks: when it fills, Solaris drops the oldest half-open entries rather than refusing new connections. The default is adequate for most systems but should be increased for busy servers. The system default value is 1024, and the new setting is 4096. Execute the following command to add this setting:

echo "ndd -set /dev/tcp tcp_conn_req_max_q0 4096" >> /etc/init.d/nddconfig

The size of the queue containing unestablished connections will be increased to 4096.

Set tcp_conn_req_max_q
This option sets the maximum number of fully established connections waiting to be accepted by the application (the listen backlog). Increasing the size of this queue provides some limited protection against resource consumption attacks. The default is adequate for most systems but should be increased for busy servers. The system default value is 128, and the new setting is 1024. Execute the following command to add this setting:


echo "ndd -set /dev/tcp tcp_conn_req_max_q 1024" >> /etc/init.d/nddconfig

The maximum number of fully established connections waiting to be accepted will be increased to 1024.

Set tcp_rev_src_routes This option determines whether the specified route in a source routed packet will be used in returned packets. TCP source routed packets may be used in spoofing attacks, so the reverse route should not be used. The default value is 0 (false), and the new setting is 0 as well. Execute the following command to add this setting:

echo "ndd -set /dev/tcp tcp_conn_req_max_q 0" >> /etc/init.d/nddconfig

The specified route in a source routed packet will not be used in returned packets.
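A complete /etc/init.d/nddconfig for the settings of this step, with an audit action that reports every parameter whose live value has drifted from the policy (after a patch, or from a nightly cron job). This is an added example, not the guide's own file. Assumptions: NDD points at /usr/sbin/ndd and can be replaced by a stand-in command to exercise the script off a Solaris box; the file is installed with chmod 744 and linked as S70nddconfig as described above.

```sh
#!/bin/sh
# /etc/init.d/nddconfig -- added example, not the guide's own file. "start"
# applies the settings of Step 6 at boot; "audit" prints one DRIFT line per
# parameter that differs from the policy and exits with the number of such
# parameters. NDD is an assumption: point it at a stand-in to test elsewhere.
# Install: cp nddconfig /etc/init.d; chmod 744 /etc/init.d/nddconfig
#          ln -s /etc/init.d/nddconfig /etc/rc2.d/S70nddconfig

NDD=${NDD:-/usr/sbin/ndd}

# Policy: "driver parameter value", one per line (the values of Step 6).
NDD_POLICY='
/dev/arp arp_cleanup_interval 60000
/dev/ip ip_forward_directed_broadcasts 0
/dev/ip ip_forward_src_routed 0
/dev/ip ip_ignore_redirect 1
/dev/ip ip_ire_arp_interval 60000
/dev/ip ip_respond_to_address_mask_broadcast 0
/dev/ip ip_respond_to_echo_broadcast 0
/dev/ip ip_respond_to_timestamp 0
/dev/ip ip_respond_to_timestamp_broadcast 0
/dev/ip ip_send_redirects 0
/dev/ip ip_strict_dst_multihoming 1
/dev/tcp tcp_conn_req_max_q0 4096
/dev/tcp tcp_conn_req_max_q 1024
/dev/tcp tcp_rev_src_routes 0
'

# ndd_apply: set every parameter; returns 1 if any set failed
ndd_apply() {
    rc=0
    while read drv param val; do
        [ -z "$drv" ] && continue
        $NDD -set "$drv" "$param" "$val" || { echo "nddconfig: cannot set $param" >&2; rc=1; }
    done <<EOF
$NDD_POLICY
EOF
    return $rc
}

# ndd_audit: print one DRIFT line per parameter that is unreadable or not
# at its policy value; returns the number of such parameters (0 = compliant)
ndd_audit() {
    drift=0
    while read drv param want; do
        [ -z "$drv" ] && continue
        have=`$NDD -get "$drv" "$param" 2>/dev/null` || have=unreadable
        if [ "$have" != "$want" ]; then
            echo "DRIFT $drv $param expected=$want actual=$have"
            drift=`expr $drift + 1`
        fi
    done <<EOF
$NDD_POLICY
EOF
    return $drift
}

case "${1:-}" in
start) ndd_apply ;;
audit) ndd_audit ;;
stop)  : ;;             # nothing to undo: ndd settings do not survive a reboot
'')    : ;;             # run without an action: define the functions only
*)     echo "usage: $0 start|stop|audit" >&2; exit 1 ;;
esac
```

Keeping the policy in one list and deriving both the apply and the audit from it means the two cannot disagree; `/etc/init.d/nddconfig audit` from root's crontab, with its output going to the log host, turns a silently reverted parameter into an alert.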


Step 7: File System Lockdown

After you have installed and configured all the necessary software on your system, you may want to make sure that no one can modify it. You may also want to prevent rogue setuid programs from showing up. To do that, edit the /etc/vfstab file and set the appropriate mount options:

vi /etc/vfstab

Mount /usr read-only (ro). Mount the other non-root ufs file systems with nosuid. The final vfstab file should look like the example below; the last column is the one of interest.

Sample /etc/vfstab

/dev/dsk/c0t0d0s3  -                   -       swap  -  no   -
/dev/dsk/c0t0d0s0  /dev/rdsk/c0t0d0s0  /       ufs   1  no   -
/dev/dsk/c0t0d0s6  /dev/rdsk/c0t0d0s6  /usr    ufs   1  no   ro
/dev/dsk/c0t0d0s1  /dev/rdsk/c0t0d0s1  /var    ufs   1  no   nosuid
/dev/dsk/c0t0d0s7  /dev/rdsk/c0t0d0s7  /extra  ufs   2  yes  nosuid
/dev/dsk/c0t0d0s5  /dev/rdsk/c0t0d0s5  /opt    ufs   2  yes  nosuid

If your partitions for binaries, variable data and user space differ from the above example, mount the binaries partition(s) read-only and the other non-root file systems with nosuid. Double-check everything at this point: once you finish here you will reboot to verify, and if a component was not added properly you will have to remount the binaries partition read/write to fix it (mount_ufs supports the remount option), and again whenever patches are applied, since they write into /usr. Third-party file integrity tools can monitor the file system for changes, but evaluating them is beyond the scope of this hardening guide.
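A checker for the policy of this step, to run after patching or before the verification reboot. This is an added example, not part of the Nortel guide; it only reads the file. Assumptions: BINDIRS lists the binaries mount points (default /usr) and the file has the seven standard vfstab columns.

```sh
#!/bin/sh
# Added example, not part of the Nortel guide: audit an /etc/vfstab against
# the lockdown policy (binaries partition ro, every other non-root ufs file
# system nosuid) and print one line per violation. BINDIRS is an assumption.

BINDIRS=${BINDIRS:-/usr}

# has_opt OPTS NAME: 0 if NAME is one of the comma-separated mount options
has_opt() {
    case ",$1," in
    *,"$2",*) return 0 ;;
    *)        return 1 ;;
    esac
}

# vfstab_findings FILE: print "mountpoint: problem" per violation and
# return the number of violations (0 means the file matches the policy)
vfstab_findings() {
    n=0
    # columns: device to mount, device to fsck, mount point, FS type,
    # fsck pass, mount at boot, mount options
    while read dev rdev mnt fstype pass boot opts; do
        case "$dev" in ''|'#'*) continue ;; esac      # blank and comment lines
        [ "$fstype" = ufs ] || continue                # swap, proc, tmpfs, fd ...
        [ "$mnt" = / ] && continue                     # the root file system is left alone
        isbin=1
        for b in $BINDIRS; do
            [ "$mnt" = "$b" ] && isbin=0
        done
        if [ $isbin -eq 0 ]; then
            has_opt "$opts" ro || { echo "$mnt: binaries file system not mounted ro"; n=`expr $n + 1`; }
        else
            has_opt "$opts" nosuid || { echo "$mnt: not mounted nosuid"; n=`expr $n + 1`; }
        fi
    done < "$1"
    return $n
}

if [ -n "$1" ]; then
    vfstab_findings "$1"
fi
```

`sh vfstab_check.sh /etc/vfstab` prints nothing and exits 0 on a file that follows the sample above; a non-zero exit with the offending mount points is what a pre-reboot check or a post-patch review should look for. Note that it checks intent, not state: compare with the output of mount to confirm the options are in effect.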


Step 8: Vulnerability Testing and Patching Please visit http://netsec.ca.nortel.com for the Threat and Risk Assessment Program and the Security Advisory Task Force (SATF) triage process of handling vulnerability advisories and patches.


Appendix A: Replacement /etc/init.d/inetsvc script

#!/bin/sh
#
# Copyright (c) 1995, by Sun Microsystems, Inc.
# All Rights Reserved
#
#ident "@(#)inetsvc 1.16 97/04/17 SMI"
#
#
# Re-set the netmask and broadcast addr for all IP interfaces.  This
# ifconfig is run here, after NIS has been started, so that "netmask
# +" will find the netmask if it lives in a NIS map.
# The 'D' in -auD tells ifconfig NOT to mess with the interface
# if it is under DHCP control
#
/usr/sbin/ifconfig -auD netmask + broadcast +

#
# If this machine is configured to be an Internet Domain Name
# System (DNS) server, run the name daemon.
# Start named prior to: route add net host, to avoid dns
# gethostbyname timeout delay for nameserver during boot.
#
if [ -f /usr/sbin/in.named -a -f /etc/named.boot ]; then
    /usr/sbin/in.named; echo "starting internet domain name server."
fi

#mcastif=`uname -n`
#echo "Setting default interface for multicast: \c"
#/usr/sbin/route add -interface -netmask "240.0.0.0" "224.0.0.0" "$mcastif"

#
# Run inetd in "standalone" mode (-s flag) so that it doesn't have
# to submit to the will of SAF.  Why did we ever let them change inetd?
#
#/usr/sbin/inetd -s


Appendix B: Sample newsyslog script

#! /bin/sh
#
# Copyright(c) 1997, by Sun Microsystems, Inc.
# All rights reserved.
#
#ident "@(#)newsyslog 1.3 97/03/31 SMI"
#
LOG=messages
cd /var/adm
test -f $LOG.2 && mv $LOG.2 $LOG.3
test -f $LOG.1 && mv $LOG.1 $LOG.2
test -f $LOG.0 && mv $LOG.0 $LOG.1
mv $LOG $LOG.0
cp /dev/null $LOG
chmod 644 $LOG
#
LOGDIR=/var/log
LOG=syslog
if test -d $LOGDIR
then
    cd $LOGDIR
    if test -s $LOG
    then
        test -f $LOG.6 && mv $LOG.6 $LOG.7
        test -f $LOG.5 && mv $LOG.5 $LOG.6
        test -f $LOG.4 && mv $LOG.4 $LOG.5
        test -f $LOG.3 && mv $LOG.3 $LOG.4
        test -f $LOG.2 && mv $LOG.2 $LOG.3
        test -f $LOG.1 && mv $LOG.1 $LOG.2
        test -f $LOG.0 && mv $LOG.0 $LOG.1
        mv $LOG $LOG.0
        cp /dev/null $LOG
        chmod 644 $LOG
        sleep 40
    fi
fi
#
kill -HUP `cat /etc/syslog.pid`


Appendix C: Minimal sendmail configuration file

# Minimal client sendmail.cf

### Defined macros

# The name of the mail hub - PUT APPROPRIATE HOSTNAME FOR YOUR SITE HERE!!!
DRmailhost

# Define version
V8

# Whom errors should appear to be from
DnMailer-Daemon

# Formatting of the UNIX from line
DlFrom $g $d

# Separators
Do.:%@!^=/[]

# Form of the sender's address
Dq<$g>

# Spool directory
OQ/usr/spool/mqueue

### Mailer Delivery Agents

# Mailer to forward mail to the hub machine
Mhub, P=[IPC], F=mDFMuCX, S=0, R=0, A=IPC $h

# Sendmail requires these, but they are not used
Mlocal, P=/dev/null, F=rlsDFMmnuP, S=0, R=0, A=/dev/null
Mprog, P=/dev/null, F=lsDFMeuP, S=0, R=0, A=/dev/null

### Rule sets -- WHITESPACE BETWEEN COLUMNS MUST BE TABS!!!

S0
R@$+		$#error $: Missing user name
R$+		$#hub $@$R $:$1		forward to hub

S3
R$*<>$*		$n			handle <> error address
R$*<$*>$*	$2			basic RFC822 parsing


Appendix D: Sample /etc/issue and /etc/motd file

This system is for the use of authorized users only. Individuals using this computer system without authority, or in excess of their authority, are subject to having all of their activities on this system monitored and recorded by system personnel. In the course of monitoring individuals improperly using this system, or in the course of system maintenance, the activities of authorized users may also be monitored. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity, system personnel may provide the evidence of such monitoring to law enforcement officials.


Appendix E: TCP Wrapper generic configuration file

vi /etc/hosts.allow

#
# Only allow access from the management network. Explicit
# deny policy in /etc/hosts.deny
#
# The IP addresses allocated from the management network
sshd: 172.16.1.0/255.255.255.0

vi /etc/hosts.deny

#
# Explicitly deny access from all stations except those
# that match the allow rule in /etc/hosts.allow
#
ALL : ALL

The daemon field is matched against the daemon's process name (sshd), not its path: a full path such as /usr/local/bin/sshd never matches, and with the deny-all rule above the result is that nobody can connect. Test the pair of files from a management station and from a non-management address before leaving the console.


Appendix F: Security Script

Please note that the following script is included here for illustration purposes only.

###################################################################
# Please set the following variables
# LOGFILE is the location of the logfile; $0 will contain the name of the script
LOGFILE=/SECURITY/$0.log
# NEWFILES is the location of the files changed by this script.
# The files that should be in the NEWFILES directory are:
# new_inetd.conf, new_inetsvc, new_login, new_passwd and new_syslog.conf
NEWFILES=/SECURITY
#
# Section 1#########################################################
#
echo WARNING... This script is intended to be executed on a
echo newly installed Solaris operating system and is not
echo designed to be executed more than once on the same server.
echo
echo Please abort now with CTRL-C if this is not the case
echo
echo Execution will resume in 15 seconds
sleep 15
echo running $0 at `date` | tee -a $LOGFILE
echo logfile is $LOGFILE | tee -a $LOGFILE
echo new files are stored in $NEWFILES | tee -a $LOGFILE
#
# Section 2#########################################################
# This section enables the basic security module (BSM). BSM is needed
# by the auditing applications. Also in this section, we configure
# auditing for administrative and login/logout attempts for the root
# user.
#
echo installing basic security module | tee -a $LOGFILE
echo y > y
/etc/security/bsmconv < y | tee -a $LOGFILE
rm -f y
cp /etc/security/audit_user /etc/security/audit_user.orig
sed s/root:lo:no/root:ad,lo:no/g /etc/security/audit_user > /etc/security/audit_user.new
mv /etc/security/audit_user.new /etc/security/audit_user
chown root:sys /etc/security/audit_user
chmod 644 /etc/security/audit_user    # data file: no execute bits (the original had 655)
#
# Section 3########################################################
# This section sets the appropriate umask value in a startup script for
# each startup directory to make sure that all the services are started
# with the appropriate file permissions.
#
#echo starting the system daemons with appropriate umask value | tee -a $LOGFILE
echo 'umask 022' > /etc/init.d/umask.sh


chmod 744 /etc/init.d/umask.sh
for dir in /etc/rc?.d
do
    ln -s /etc/init.d/umask.sh $dir/S00umask.sh
    echo ln -s /etc/init.d/umask.sh $dir/S00umask.sh | tee -a $LOGFILE
done
#
# Section 4##########################################################
# This section removes all unused services from the rc2.d and rc3.d
# startup directories. The services are renamed so that they won't be
# executed on startup.
#
echo Removing unused services from startup directories | tee -a $LOGFILE
cd /etc/rc2.d
echo Removing from /etc/rc2.d ... | tee -a $LOGFILE
SERVICES_TO_REMOVE='*nfs* *perf *asppp *auto* *xntpd *lp *spc *power *sendmail *bdconfig *sysid.net *nscd *cacheos.finish *uucp *PRESERVE *sysid.sys *cachefs.daemon'
for file in $SERVICES_TO_REMOVE
do
    [ -f "$file" ] || continue    # pattern matched nothing on this release
    mv $file .NO$file
    echo renaming $file to .NO$file in RC2 | tee -a $LOGFILE
done
echo Removing from /etc/rc3.d ... | tee -a $LOGFILE
cd /etc/rc3.d
for file in *nfs.server *dmi *snmpdx
do
    [ -f "$file" ] || continue
    mv $file .NO$file
    echo renaming $file to .NO$file in RC3 | tee -a $LOGFILE
done
#
# Section 5##########################################################
# This section replaces the inetd.conf file with a new one (where all
# services have been commented out). Also, the inetsvc file is
# replaced with a more secure version.
#
echo Replacing inetd.conf with new version | tee -a $LOGFILE
mv /etc/inet/inetd.conf /etc/inet/inetd.conf.orig
cp $NEWFILES/new_inetd.conf /etc/inet/inetd.conf
chmod 444 /etc/inet/inetd.conf
echo Installing a replacement /etc/init.d/inetsvc file | tee -a $LOGFILE
cp /etc/init.d/inetsvc /etc/init.d/inetsvc.orig
cp $NEWFILES/new_inetsvc /etc/init.d/inetsvc
chmod 744 /etc/init.d/inetsvc
rm -f /etc/rc2.d/S72inetsvc    # replace the existing link instead of failing on it
ln /etc/init.d/inetsvc /etc/rc2.d/S72inetsvc
#
# Section 6##########################################################
# This section renames several configuration files used by NFS. If
# NFS is not used, it is best practice to remove all related cfg files.
# We rename these files until we are sure we want to remove them.
#
echo moving /etc/auto_master to /etc/.auto_master.orig | tee -a $LOGFILE
mv /etc/auto_master /etc/.auto_master.orig

echo moving /etc/auto_home to /etc/.auto_home.orig | tee -a $LOGFILE
mv /etc/auto_home /etc/.auto_home.orig
echo moving /etc/dfs/dfstab to /etc/dfs/.dfstab.orig | tee -a $LOGFILE
mv /etc/dfs/dfstab /etc/dfs/.dfstab.orig
#
#Section 7#########################################################
#This section removes all unused users from the passwd and shadow
#files. Several users are in a default Solaris installation and most
#are not needed in our Wireless OAM context.
#
echo removing unused users from passwd file | tee -a $LOGFILE
for user in uucp nuucp adm lp smtp listen
do
    /usr/sbin/passmgmt -d $user
    echo /usr/sbin/passmgmt -d $user | tee -a $LOGFILE
done
#
#Section 8###########################################################
#This section removes the crontab entries for all users that don't need
#to have scheduled jobs. This is UNIX best practice.
#
echo Renaming crontab files for default users other than root | tee -a $LOGFILE
cd /var/spool/cron/crontabs
for files in adm lp sys uucp
do
    mv $files .$files.orig
    echo moving $files to .$files.orig | tee -a $LOGFILE
done
#
#Section 9###########################################################
#Should ftp not be disabled on all servers (Section 5 comments it out of
#inetd.conf), ftp should be disallowed for all normal accounts and must be
#disallowed for the root user. Placing the usernames in the ftpusers file
#will disallow ftp for those users. Also, the .netrc file is used to provide
#login credentials for a specific host (e.g. host1) so that when a user ftp's
#to host1, the login credentials provided in the .netrc file will be used.
#We are locking all .netrc files by creating them as root with no
#write permissions.
#
echo Disallowing ftp for all default users... | tee -a $LOGFILE
cut -f1 -d: /etc/passwd >> /etc/ftpusers
chown root:root /etc/ftpusers
chmod 600 /etc/ftpusers
echo more /etc/ftpusers | tee -a $LOGFILE
more /etc/ftpusers | tee -a $LOGFILE
echo locking down all .netrc files | tee -a $LOGFILE
for users in `cut -f6 -d: /etc/passwd`
do
    cd $users || continue    # skip accounts whose home directory does not exist
    touch ./.netrc
    chmod 000 ./.netrc

    echo locking down .netrc file in $users | tee -a $LOGFILE
done
#
#Section 10##########################################################
#This section disables remote authentication in the pam.conf file.
#Also, we are locking down the hosts.equiv file and all the .rhosts.
#IMPORTANT: We have not tested this with NSP but from my experience
#with INM and PresideAP, we used the .rhosts files for remote launch.
#NSP installation might hiccup when trying to write to a locked file.
#
echo Disabling remote authentication from pam.conf | tee -a $LOGFILE
cp /etc/pam.conf /etc/pam.conf.orig
grep -v rhosts_auth /etc/pam.conf > /etc/pam.new
mv /etc/pam.new /etc/pam.conf
chown root:sys /etc/pam.conf
chmod 644 /etc/pam.conf
echo locking down hosts.equiv and .rhosts for all users | tee -a $LOGFILE
touch /etc/hosts.equiv
chmod 000 /etc/hosts.equiv
for users in `cut -f6 -d: /etc/passwd`
do
    cd $users || continue    # skip accounts whose home directory does not exist
    touch .rhosts
    chmod 000 .rhosts
    echo locking down .rhosts in $users | tee -a $LOGFILE
done
#
#Section 11###########################################################
#This section replaces the /etc/default/login file. The new file ensures
#that CONSOLE is set so that users can only log in directly as root
#when on the console. SUPATH is set to ensure a safe path for the
#root user. UMASK is set to 022 to ensure a proper shell file creation
#mode mask.
#
echo Replacing /etc/default/login file with new version | tee -a $LOGFILE
cp /etc/default/login /etc/default/login.orig
cp $NEWFILES/new_login /etc/default/login
chown root:sys /etc/default/login
chmod 444 /etc/default/login
#
#Section 12###########################################################
#This section disables keyboard abort. Keyboard abort is enabled by
#default and a user can halt the server by entering the <stop-a>
#sequence on the console's keyboard. This can be done inadvertently or
#on purpose and could cause a network outage in the case of DNS, DHCP or
#RADIUS servers.
#
echo Disabling stop-a | tee -a $LOGFILE
cp /etc/default/kbd /etc/default/kbd.orig
# kbd(1) accepts the values enable and disable; any other value (such as
# "disabled") is ignored and stop-a stays enabled.
sed s/#KEYBOARD_ABORT=enable/KEYBOARD_ABORT=disable/g /etc/default/kbd > /etc/default/kbd.new

mv /etc/default/kbd.new /etc/default/kbd
chown root:sys /etc/default/kbd
chmod 444 /etc/default/kbd
#
#Section 13###########################################################
#This section sets networking parameters as recommended by Sun for
#security. For more details on each of these parameters, see Solaris
#Operating Environment Security, Updated for Solaris 8 Operating
#Environment, Sun BluePrints OnLine.
#
echo Setting TCP_STRONG_ISS=2 | tee -a $LOGFILE
cp /etc/default/inetinit /etc/default/inetinit.orig
sed s/TCP_STRONG_ISS=1/TCP_STRONG_ISS=2/g /etc/default/inetinit > /etc/default/inetinit.new
mv /etc/default/inetinit.new /etc/default/inetinit
chown root:sys /etc/default/inetinit
chmod 444 /etc/default/inetinit
echo tuning parameters to the end of the /etc/init.d/inetinit file | tee -a $LOGFILE
echo 'ndd -set /dev/tcp tcp_conn_req_max_q0 4096' >> /etc/init.d/inetinit
echo 'ndd -set /dev/tcp tcp_conn_req_max_q 1024' >> /etc/init.d/inetinit
echo 'ndd -set /dev/ip ip_ignore_redirect 1' >> /etc/init.d/inetinit
echo 'ndd -set /dev/ip ip_send_redirects 0' >> /etc/init.d/inetinit
echo 'ndd -set /dev/ip ip_ire_flush_interval 60000' >> /etc/init.d/inetinit
echo 'ndd -set /dev/arp arp_cleanup_interval 60000' >> /etc/init.d/inetinit
echo 'ndd -set /dev/ip ip_forward_directed_broadcasts 0' >> /etc/init.d/inetinit
echo 'ndd -set /dev/ip ip_forward_src_routed 0' >> /etc/init.d/inetinit
echo 'ndd -set /dev/ip ip_forwarding 0' >> /etc/init.d/inetinit
echo 'ndd -set /dev/ip ip_strict_dst_multihoming 1' >> /etc/init.d/inetinit
grep ndd /etc/init.d/inetinit | tee -a $LOGFILE
#
#Section 14##########################################################
#This section replaces the /etc/default/passwd file to enforce password
#aging and increases the minimum password length to 8.
#
echo Replacing /etc/default/passwd with new version | tee -a $LOGFILE
cp /etc/default/passwd /etc/default/passwd.orig
cp $NEWFILES/new_passwd /etc/default/passwd
chown root:sys /etc/default/passwd
chmod 444 /etc/default/passwd
#
#Section 15##########################################################
#The following entries in the /etc/system file prevent users from
#executing code on the stack (stack-based buffer overflow attacks) and
#log every attempt to do so.
#
cp /etc/system /etc/system.orig
echo 'set noexec_user_stack=1' | tee -a /etc/system | tee -a $LOGFILE
echo 'set noexec_user_stack_log=1' | tee -a /etc/system | tee -a $LOGFILE
#
#Section 16##########################################################
#This section enables additional logging by replacing the syslog.conf
#file with one that has additional entries. Also, we create the loginlog file that

#logs failed login attempts.
#
echo Configuring Additional Logging | tee -a $LOGFILE
echo changing syslog.conf file | tee -a $LOGFILE
cp /etc/syslog.conf /etc/syslog.conf.orig
cp $NEWFILES/new_syslog.conf /etc/syslog.conf
chown root:sys /etc/syslog.conf
chmod 644 /etc/syslog.conf
echo touching the loginlog file | tee -a $LOGFILE
touch /var/adm/loginlog
chown root:sys /var/adm/loginlog
chmod 600 /var/adm/loginlog
echo touching the authlog file | tee -a $LOGFILE
touch /var/adm/authlog
chown root:sys /var/adm/authlog
chmod 600 /var/adm/authlog
#
#Section 17############################################################
#This section adds an entry to the root crontab to run the sendmail
#queue once per hour. This is a better approach than leaving the sendmail
#daemon running. cron picks up the edited file after the reboot in
#Section 19.
#
echo Configuring sendmail in crontab once per hour | tee -a $LOGFILE
cp /var/spool/cron/crontabs/root /var/spool/cron/crontabs/root.orig
echo '0 * * * * /usr/lib/sendmail -q' | tee -a /var/spool/cron/crontabs/root | tee -a $LOGFILE
#
#Section 18###########################################################
#This section does not perform any changes on the server. It just
#prompts to mount the /usr filesystem read-only. This can be done by
#adding 'ro' as a mount option for the /usr filesystem in /etc/vfstab.
#
cp /etc/vfstab /etc/vfstab.orig
echo mount /usr filesystem as read only in /etc/vfstab
echo IMPORTANT--This step should be done manually.
#
#Section 19###########################################################
#
#For all the above changes to take effect, a reboot of the server is
#required (init 6). This step should be done manually.
echo 'please shutdown now (init 6) for all changes to take effect' | tee -a $LOGFILE
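The rc-script renaming in Section 4 passes each glob straight to mv, so a pattern that matches nothing (for example *uucp on a host where the uucp package was never installed) becomes a literal file name and mv fails; the loop also catches the K (kill) scripts that share the directory, which only stop services on a run-level change and are harmless to keep. The following is an added example, not part of the Nortel script: it disables only S (start) scripts, reports unmatched patterns, and lists what init would still run. It works on a constructed rc2.d in a scratch directory with a handful of Solaris 8 script names, so it can be tried as an ordinary user.

```shell
#!/bin/sh
# Added example (not from the Nortel guide): disable Solaris rc start scripts
# by renaming them the way Section 4 does, with unmatched-pattern detection.
# Solaris init only executes names beginning with S or K, so a .NO prefix is
# enough; the /etc/init.d copy (a hard link) stays available for manual use.

# disable_rc_scripts RCDIR PATTERN...: rename RCDIR/S<pattern> to .NOS<name>
# and print each name disabled; warn about patterns that match nothing
disable_rc_scripts() {
    rcdir=$1; shift
    for pat in "$@"; do
        matched=0
        for f in "$rcdir"/S$pat; do          # unquoted $pat so the glob expands
            [ -f "$f" ] || continue          # an unmatched glob stays literal
            matched=1
            name=${f##*/}
            mv "$f" "$rcdir/.NO$name"
            echo "$name"
        done
        [ "$matched" -eq 1 ] || echo "warning: no S script matches $pat in $rcdir" >&2
    done
    return 0
}

# enabled_rc_scripts RCDIR: the start scripts init would still run, in order
enabled_rc_scripts() {
    for f in "$1"/S*; do
        [ -f "$f" ] && echo "${f##*/}"
    done
    return 0
}

# make_rc_fixture: constructed rc2.d (assumed names from a Solaris 8 install);
# prints the scratch directory
make_rc_fixture() {
    d=$(mktemp -d)
    mkdir "$d/rc2.d"
    for s in S69inet S72inetsvc S73nfs.client S74autofs S76nscd S88sendmail K28nfs.server; do
        : > "$d/rc2.d/$s"
    done
    echo "$d"
}

# demo: the patterns are a subset of SERVICES_TO_REMOVE from Section 4
d=$(make_rc_fixture)
disable_rc_scripts "$d/rc2.d" '*nfs*' '*auto*' '*nscd' '*sendmail' '*uucp'
echo "still enabled: $(enabled_rc_scripts "$d/rc2.d" | tr '\n' ' ')"
rm -rf "$d"
```

Run the enabled_rc_scripts check on the real /etc/rc2.d and /etc/rc3.d after the script to confirm nothing outside the intended set (inetsvc, the umask link, and whatever the application needs) is left to start.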
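Sections 9 and 10 run touch and chmod 000 on .netrc and .rhosts inside every home directory listed in /etc/passwd. Two things go wrong on a host that already has users: if a home directory does not exist the cd fails and the files are created wherever the script happens to be, and if a user has planted .rhosts as a symlink (or a hard link) to a file he wants locked, chmod follows it and root locks that file instead. The following added example (not part of the Nortel script) does the same job with those cases handled, rebuilds ftpusers without the duplicates that repeated `>>` runs leave behind, and provides a check that reports any .netrc/.rhosts that is not a mode-000 regular file. It runs on a constructed passwd file and scratch home directories so it can be exercised as an unprivileged user.

```shell
#!/bin/sh
# Added example (not from the Nortel guide): deny ftp and lock .netrc/.rhosts
# for every account in a passwd-format file, safely.

# deny_ftp PASSWD FTPUSERS: every login name in PASSWD, once, mode 600
deny_ftp() {
    cut -f1 -d: "$1" | sort -u > "$2"
    chmod 600 "$2"
}

# suspect FILE: true if FILE is a symlink or has more than one hard link,
# i.e. a chmod on it could land on something the user does not own
suspect() {
    [ -L "$1" ] && return 0
    [ "$(ls -ld "$1" | awk '{print $2}')" -gt 1 ]
}

# lock_home_files PASSWD: ensure an empty mode-000 .netrc and .rhosts in each
# existing home directory listed in PASSWD; prints "locked=N skipped=M"
lock_home_files() {
    locked=0; skipped=0
    while IFS=: read -r name pw uid gid gecos home shell; do
        if [ ! -d "$home" ]; then
            echo "skipping $name: home directory $home does not exist" >&2
            skipped=$((skipped + 1))
            continue
        fi
        for f in "$home/.netrc" "$home/.rhosts"; do
            if [ -e "$f" ] || [ -L "$f" ]; then
                if suspect "$f"; then
                    echo "removing $f: symlink or multiply-linked file" >&2
                    rm -f "$f"       # removes the link itself, never its target
                fi
            fi
            touch "$f"
            chmod 000 "$f"
        done
        locked=$((locked + 1))
    done < "$1"
    echo "locked=$locked skipped=$skipped"
}

# unlocked_files PASSWD: print any .netrc/.rhosts under a listed home that is
# not a mode-000 regular file; no output means the lock is complete
unlocked_files() {
    while IFS=: read -r name pw uid gid gecos home shell; do
        for f in "$home/.netrc" "$home/.rhosts"; do
            [ -e "$f" ] || [ -L "$f" ] || continue
            case $(ls -ld "$f" | cut -c1-10) in
                ----------) ;;
                *) echo "$f" ;;
            esac
        done
    done < "$1"
    return 0
}

# make_fixture: constructed data (three invented accounts, one with a missing
# home directory, one with a planted .rhosts symlink); prints the directory
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/home/alice" "$d/home/bob"
    : > "$d/target"; chmod 644 "$d/target"
    ln -s "$d/target" "$d/home/bob/.rhosts"
    printf '%s\n' \
        "alice:x:100:1:Alice:$d/home/alice:/bin/sh" \
        "bob:x:101:1:Bob:$d/home/bob:/bin/sh" \
        "carol:x:102:1:Carol:$d/home/carol:/bin/sh" > "$d/passwd"
    echo "$d"
}

# demo
d=$(make_fixture)
deny_ftp "$d/passwd" "$d/ftpusers"
deny_ftp "$d/passwd" "$d/ftpusers"          # second run: still one line per user
echo "ftpusers: $(tr '\n' ' ' < "$d/ftpusers")"
echo "before: $(unlocked_files "$d/passwd")"
lock_home_files "$d/passwd"
echo "after: $(unlocked_files "$d/passwd" | wc -l) unlocked"
echo "target untouched: $(ls -ld "$d/target" | cut -c1-10)"
rm -rf "$d"
```

On the real host the functions take /etc/passwd and /etc/ftpusers, and chown root of the created files follows as in the script; unlocked_files is the post-check worth keeping in the verification run.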
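Sections 12 through 15 change /etc/default/kbd, /etc/default/inetinit and /etc/system with `sed s/old/new/` and `echo ... >>`. That only works when the file is in exactly the state the author expected: the sed is a no-op if KEYBOARD_ABORT or TCP_STRONG_ISS is already uncommented with a different value, and every re-run of the script appends another copy of the ndd and noexec_user_stack lines. The following added example (not part of the Nortel script) sets a KEY=VALUE in an /etc/default style file regardless of its current state and appends a line only if it is not already present, on constructed copies of the three files in a scratch directory. On the real host the chown root:sys and chmod 444 from the script still apply afterwards; the awk used here is nawk on Solaris 8/9, since /usr/bin/awk there does not accept -v.

```shell
#!/bin/sh
# Added example (not from the Nortel guide): idempotent edits of /etc/default
# files and of /etc/system, replacing the sed/echo steps of Sections 12 to 15.

# set_default KEY VALUE FILE: leave FILE with exactly one active KEY=VALUE
# line, whether KEY was commented out (#KEY=...), set to another value, or
# absent (then the line is appended). Extra matches are dropped.
set_default() {
    key=$1; value=$2; file=$3
    awk -v k="$key" -v v="$value" '
        $0 ~ "^#*" k "=" { if (!done) { print k "=" v; done = 1 }; next }
        { print }
        END { if (!done) print k "=" v }
    ' "$file" > "$file.new"
    mv "$file.new" "$file"
}

# get_default KEY FILE: print the active value of KEY, empty if none
get_default() {
    sed -n "s/^$1=//p" "$2" | tail -n 1
    return 0
}

# append_once LINE FILE: add LINE only if an identical line is not already there
append_once() {
    grep -qxF -- "$1" "$2" || echo "$1" >> "$2"
}

# make_default_fixture: constructed copies of kbd, inetinit, system and login
# (contents assumed from a Solaris 8 install); prints the scratch directory
make_default_fixture() {
    d=$(mktemp -d)
    printf '%s\n' \
        '# KEYBOARD_ABORT affects the keyboard abort sequence, see kbd(1).' \
        '# The default value is "enable". The optional value is "disable".' \
        '#KEYBOARD_ABORT=enable' > "$d/kbd"
    printf '%s\n' 'TCP_STRONG_ISS=1' > "$d/inetinit"
    printf '%s\n' '* /etc/system' 'set noexec_user_stack=1' > "$d/system"
    printf '%s\n' 'CONSOLE=/dev/console' > "$d/login"
    echo "$d"
}

# demo
d=$(make_default_fixture)
set_default KEYBOARD_ABORT disable "$d/kbd"      # kbd(1) value is disable, not disabled
set_default TCP_STRONG_ISS 2 "$d/inetinit"
set_default SYSLOG YES "$d/login"                # absent key: appended
append_once 'set noexec_user_stack=1' "$d/system"      # already there: no duplicate
append_once 'set noexec_user_stack_log=1' "$d/system"
echo "KEYBOARD_ABORT=$(get_default KEYBOARD_ABORT "$d/kbd")"
echo "TCP_STRONG_ISS=$(get_default TCP_STRONG_ISS "$d/inetinit")"
echo "noexec lines in system: $(grep -c '^set noexec_user_stack' "$d/system")"
rm -rf "$d"
```

The same append_once works for the ndd lines added to /etc/init.d/inetinit in Section 13, and get_default is the check to run after the reboot to confirm the values that actually took effect.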

Appendix G: References

1. “Solaris BSM Auditing,” by Darren J. Moffat, Solaris Security Technologies Group, last updated November 27, 2000.

2. “Solaris Operating Environment Security,” by Alex Noordergraaf and Keith Watson, Global Enterprise Security Service, Sun BluePrints OnLine, January 2000.

3. “Solaris Operating Environment Security - Updated for Solaris 9 Operating Environment,” by Alex Noordergraaf and Keith Watson, Sun BluePrints OnLine, December 2002.

4. “Solaris 8 System Administration Guide.”

5. “Solaris 9 System Administration Guide.”
