Solaris 9 Security Setting for V240

I. Auditing


1. Enable the Basic Security Module (BSM):

# /etc/security/bsmconv


2. Configure the classes of events to log in /etc/security/audit_control:

# vi /etc/security/audit_control


dir:/var/audit

flags:lo,ad,pc,fc,fd,fm

naflags:lo,ad

#

# lo - login/logout events

# ad - administrative actions: mount, exportfs, etc.

# pc - process operations: fork, exec, exit, etc.

# fc - file creation

# fd - file deletion

# fm - change of object attributes: chown, flock, etc.

#


3. Create /etc/security/newauditlog.sh:

# touch /etc/security/newauditlog.sh

# vi /etc/security/newauditlog.sh


#!/sbin/sh

#

# newauditlog.sh - Start a new audit file and expire the old logs

#

AUDIT_EXPIRE=30

AUDIT_DIR="/var/audit"


/usr/sbin/audit -n


cd $AUDIT_DIR # in case it is a link

/usr/bin/find . $AUDIT_DIR -type f -mtime +$AUDIT_EXPIRE \

-exec rm {} > /dev/null 2>&1 \;


# chmod a+x /etc/security/newauditlog.sh


4. Add to crontab, run the script nightly from cron:

# vi /var/spool/cron/crontabs/root

Add the following:

0 0 * * * /etc/security/newauditlog.sh


5. Use “praudit” command to read the audit files.


II. Boot Files


1. Disable startup files for services that are not needed from /etc/rc2.d and /etc/rc3.d. Services are disabled by changing the capital 'S' in the name of the script to a lowercase 's'. The following startup files are disabled:

rc2.d: S71ldap.client, S72autoinstall, S72slpd, S73nfs.client, S77uucp, S80lp, S99dtlogin

rc3.d: S15nfs.server, S76snmpdx, S77dmi


Attention: The following startup files should not be disabled:

S01MOUNTFSYS S69inet S72inetsvc S74xntpd S80PRESERVE

S05RMTMPFILES S71rpc S74autofs S75cron S88utmpd

S20sysetup S71sysid.sys S74syslog S75savecore S99audit

S30sysid.net


2. Set the default umask so that it does not include world access. Add "umask 027" to the following files:

/etc/.login /etc/profile

/etc/skel/local.cshrc /etc/skel/local.login

/etc/skel/local.profile

Enable the "UMASK" line in the /etc/default/login file and set the value to 027

In order to ensure that all of the startup scripts run with the proper umask, execute the following:

# echo "umask 027" > /etc/init.d/umask.sh

# chmod 544 /etc/init.d/umask.sh

# ln –s /etc/init.d/umask.sh /etc/rc2.d/S00umask.sh

# ln –s /etc/init.d/umask.sh /etc/rc3.d/S00umask.sh


3. Log failed login attempts by creating the /var/adm/loginlog file:

# touch /var/adm/loginlog

# chown root /var/adm/loginlog

# chgrp sys /var/adm/loginlog

# chmod 600 /var/adm/messages /var/log/syslog /var/adm/loginlog


4. Configure syslogd to not listen on port 514/udp by specifiing the -t flag in /etc/rc2.d/S74syslog:

# vi /etc/rc2.d/S74syslog

Change “/usr/sbin/syslogd > /dev/msglog 2>&1”

to “/usr/sbin/syslogd -t > /dev/msglog 2>&1”


5. Configure logs files to be rotated daily archiving old versions for 30 dain /etc/logadm.conf:

# vi /etc/logadm.conf

And make the following changes:

/var/log/syslog -A 30d -p 1d -z 1 -a 'kill -HUP `cat /var/run/syslog.pid`'

/var/adm/messages -A 30d -p 1d -z 1 -a 'kill -HUP `cat /var/run/syslog.pid`; \

logger -t logadm Begin new logfile'


6. Enable hardware protection for buffer overflow exploits in /etc/system

# vi /etc/system

Add the following:

* Foil certain classes of bug exploits

set noexec_user_stack = 1

* Log attempted exploits

set noexec_user_stack_log = 1

III. Network Services


1. Create /etc/init.d/nddconfig and create a link to /etc/rc2.d/S70nddconfig.


# touch /etc/init.d/nddconfig

# ln /etc/init.d/nddconfig /etc/rc2.d/S70nddconfig

# chmod 544 /etc/init.d/nddconfig

Set the following in nddconfig: (nddconfig file is attached to this document)

Changed:

tcp_strong_iss=2 (original is 1)

arp_cleanup_interval=60000 (original is 300000)

ip_ire_arp_interval=60000 (original is 1200000)

tcp_conn_req_max_q0=4096 (original is 1024)

tcp_conn_req_max_q=1024 (original is 12

tcp_smallest_nonpriv_port=4097 (original is 1024)

ucp_smallest_nonpriv_port=4097 (original is 1024)

Disabled:

ip_respond_to_echo_broadcast=0

ip_respond_to_echo_multicast=0

ip6_respond_to_echo_multicast=0

ip_send_redirects=0

ip_respond_to_timestamp=0

Enabled:

ip_ignore_redirect=1

i6_ignore_redirect=1

ip_strict_dst_multihoming=1

ip6_strict_dst_multihoming=1


2. Update /etc/init.d/inetsvc


# touch /etc/init.d/inetsvc

# vi /etc/init.d/inetsvc

#!/sbin/sh

#Update System Interfaces with correct netmask and broadcast address

/usr/sbin/ifconfig -au netmask + broadcast +

# start the inet deamon

# -s enables runs stand alone mode

# -t trace connects and log to Syslog

/usr/sbin/inetd -s -t

# rm /etc/rc2.d/S72inetsvc

# ln -s /etc/init.d/inetsvc /etc/rc2.d/S72inetsvc


3. Configure RFC 1948 TCP sequence number generation in /etc/default/inetinit:

#vi /etc/default/inetinit

and change the following:

TCP_STRONG_ISS=2


4. Comment out or remove all unnecessary services in the /etc/inet/inetd.conf file including the following:

# cp /etc/inet/inetd.conf /etc/inet/inetd.conf.bak

# vi /etc/inet/inetd.conf

Comment out the following services

shell login exec

uucp tftp finger

sysstat netstat time

echo discard daytime

chargen rpc.ttdbserverd

printer dtspc rpc.cmsd


5. Create /etc/rc3.d/S79tmpfix so that upon boot the /tmp directory will always have the sticky bit set mode 1777.

# touch /etc/rc3.d/S79tmpfix

# vi /etc/rc3.d/S79tmpfix

#!/bin/sh

#ident "@(#)tmpfix 1.0 95/09/14"


if [ -d /tmp ]

then

/usr/bin/chmod 1777 /tmp

/usr/bin/chgrp sys /tmp

/usr/bin/chown sys /tmp

fi

IV. Access Controls


1. Disable network root logins by enabling the "CONSOLE" line in /etc/default/login.


2. Remove, lock, or comment out unnecessary accounts, including "sys", "uucp", "nuucp", and "listen" by putting "NP" in the password field of the /etc/shadow file.


3.Require authentication for remote commands by commenting out the following line in /etc/pam.conf:


# rlogin auth sufficient /usr/lib/security/pam_rhosts_auth.so.1

and changing the rsh line to read:

rsh auth required /usr/lib/security/pam_unix.so.1


4. Disable “r” services

# chmod 000 /usr/bin/rsh

# chmod 000 /usr/bin/rcp

# chmod 000 /usr/bin/rdist

# chmod 000 /usr/bin/rksh

# chmod 000 /usr/bin/rup

# chmod 000 /usr/bin/rusers

# chmod 000 /usr/bin/rdate

# chmod 000 /usr/bin/rlogin

# chmod 000 /usr/bin/ruptime

# chmod 000 /usr/bin/rwho


5. Create an /etc/issue file to display the following warning banner:


WARNING: To protect the system from unauthorized use and to ensure that the

system is functioning properly, activities on this system are monitored and

recorded and subject to audit. Use of this system is expressed consent to such

monitoring and recording. Any unauthorized access or use of this Automated

Information System is prohibited and could be subject to criminal and civil

penalties.


Add the banner to the /etc/motd file:

# cp /etc/motd /etc/motd.orig

# cat /etc/issue /etc/motd.orig > /etc/motd



6. The Automated Security Enhancement Tool (ASET) checks the settings and contents of system files. Many of the setuid and setgid programs on Solaris are used only by root, or by the user or group-id to which they are set.

The following packages will need to be added to the system to run the utility;

pkgadd SUNWast

pkgadd SUNWnisu

Once added, execute the following command

# /usr/aset/aset -l high

Reports are stored in /usr/aset/reports/latest/*.rpt


7. Execution of the su(1M) command can be controlled by adding and configuring a wheel group such as that found on most BSD derived systems.

# /usr/sbin/groupadd -g 13 wheel

# /usr/bin/chgrp wheel /usr/bin/su /sbin/su.static

# /usr/bin/chmod 4550 /usr/bin/su /sbin/su.static


8. Create an /etc/ftpusers file:

# cat /etc/passwd | cut -f1 -d: > /etc/ftpusers

# chown root /etc/ftpusers

# chmod 600 /etc/ftpusers


9. The files in /etc/cron.d control which users can use the cron and at.

Create an /etc/cron.d/cron.allow file:

# echo "root" > /etc/cron.d/cron.allow

# chown root /etc/cron.d/cron.allow

# chmod 600 /etc/cron.d/cron.allow


Create an /etc/cron.d/at.allow file:

# cp -p /etc/cron.d/cron.allow /etc/cron.d/at.allow


Create an /etc/cron.d/cron.deny file:

# cat /etc/passwd | cut -f1 -d: | grep -v root > /etc/cron.d/cron.deny

# chown root /etc/cron.d/cron.deny

# chmod 600 /etc/cron.d/cron.deny


Create an /etc/cron.d/at.deny file:

# cp -p /etc/cron.d/cron.deny /etc/cron.d/at.deny

V. Time Synchronization


Edit the /etc/inet/ntp.conf file:

# touch /etc/inet/ntp.conf

# vi /etc/inet/ntp.conf

#

# /etc/inet/ntp.client

#

# An example file that could be copied over to /etc/inet/ntp.conf; it

# provides a configuration for an ntp server that uses three public sources

# with an internal fallback (127.127.1.0).

#

# A simple NTP clilent would specify one or more network servers in your

# organization:

#

# server ntp.example.com

#

# Public NTP Server list:

#

server 192.5.41.40 # tick.usno.navy.mil

server 192.5.5.250 # clock.isc.org

server 128.9.176.30 # timekeeper.isi.edu

server 127.127.1.0 # internal clock

fudge 127.127.1.0 stratum 10