Solaris 9 Security Setting for V240
I. Auditing
1. Enable the Basic Security Module (BSM):
# /etc/security/bsmconv
2. Configure the classes of events to log in /etc/security/audit_control:
# vi /etc/security/audit_control
dir:/var/audit
flags:lo,ad,pc,fc,fd,fm
naflags:lo,ad
#
# lo - login/logout events
# ad - administrative actions: mount, exportfs, etc.
# pc - process operations: fork, exec, exit, etc.
# fc - file creation
# fd - file deletion
# fm - change of object attributes: chown, flock, etc.
#
3. Create /etc/security/newauditlog.sh:
# touch /etc/security/newauditlog.sh
# vi /etc/security/newauditlog.sh
#!/sbin/sh
#
# newauditlog.sh - Start a new audit file and expire the old logs
#
AUDIT_EXPIRE=30
AUDIT_DIR="/var/audit"
/usr/sbin/audit -n
cd $AUDIT_DIR # in case it is a link
/usr/bin/find . $AUDIT_DIR -type f -mtime +$AUDIT_EXPIRE \
-exec rm {} > /dev/null 2>&1 \;
# chmod a+x /etc/security/newauditlog.sh
4. Add to crontab, run the script nightly from cron:
# vi /var/spool/cron/crontabs/root
Add the following:
0 0 * * * /etc/security/newauditlog.sh
5. Use “praudit” command to read the audit files.
II. Boot Files
1. Disable startup files for services that are not needed from /etc/rc2.d and /etc/rc3.d. Services are disabled by changing the capital 'S' in the name of the script to a lowercase 's'. The following startup files are disabled:
rc2.d: S71ldap.client, S72autoinstall, S72slpd, S73nfs.client, S77uucp, S80lp, S99dtlogin
rc3.d: S15nfs.server, S76snmpdx, S77dmi
Attention: The following startup files should not be disabled:
S01MOUNTFSYS S69inet S72inetsvc S74xntpd S80PRESERVE
S05RMTMPFILES S71rpc S74autofs S75cron S88utmpd
S20sysetup S71sysid.sys S74syslog S75savecore S99audit
S30sysid.net
2. Set the default umask so that it does not include world access. Add "umask 027" to the following files:
/etc/.login /etc/profile
/etc/skel/local.cshrc /etc/skel/local.login
/etc/skel/local.profile
Enable the "UMASK" line in the /etc/default/login file and set the value to 027
In order to ensure that all of the startup scripts run with the proper umask, execute the following:
# echo "umask 027" > /etc/init.d/umask.sh
# chmod 544 /etc/init.d/umask.sh
# ln –s /etc/init.d/umask.sh /etc/rc2.d/S00umask.sh
# ln –s /etc/init.d/umask.sh /etc/rc3.d/S00umask.sh
3. Log failed login attempts by creating the /var/adm/loginlog file:
# touch /var/adm/loginlog
# chown root /var/adm/loginlog
# chgrp sys /var/adm/loginlog
# chmod 600 /var/adm/messages /var/log/syslog /var/adm/loginlog
4. Configure syslogd to not listen on port 514/udp by specifiing the -t flag in /etc/rc2.d/S74syslog:
# vi /etc/rc2.d/S74syslog
Change “/usr/sbin/syslogd > /dev/msglog 2>&1”
to “/usr/sbin/syslogd -t > /dev/msglog 2>&1”
5. Configure logs files to be rotated daily archiving old versions for 30 dain /etc/logadm.conf:
# vi /etc/logadm.conf
And make the following changes:
/var/log/syslog -A 30d -p 1d -z 1 -a 'kill -HUP `cat /var/run/syslog.pid`'
/var/adm/messages -A 30d -p 1d -z 1 -a 'kill -HUP `cat /var/run/syslog.pid`; \
logger -t logadm Begin new logfile'
6. Enable hardware protection for buffer overflow exploits in /etc/system
# vi /etc/system
Add the following:
* Foil certain classes of bug exploits
set noexec_user_stack = 1
* Log attempted exploits
set noexec_user_stack_log = 1
III. Network Services
1. Create /etc/init.d/nddconfig and create a link to /etc/rc2.d/S70nddconfig.
# touch /etc/init.d/nddconfig
# ln /etc/init.d/nddconfig /etc/rc2.d/S70nddconfig
# chmod 544 /etc/init.d/nddconfig
Set the following in nddconfig: (nddconfig file is attached to this document)
Changed:
tcp_strong_iss=2 (original is 1)
arp_cleanup_interval=60000 (original is 300000)
ip_ire_arp_interval=60000 (original is 1200000)
tcp_conn_req_max_q0=4096 (original is 1024)
tcp_conn_req_max_q=1024 (original is 12
tcp_smallest_nonpriv_port=4097 (original is 1024)
ucp_smallest_nonpriv_port=4097 (original is 1024)
Disabled:
ip_respond_to_echo_broadcast=0
ip_respond_to_echo_multicast=0
ip6_respond_to_echo_multicast=0
ip_send_redirects=0
ip_respond_to_timestamp=0
Enabled:
ip_ignore_redirect=1
i6_ignore_redirect=1
ip_strict_dst_multihoming=1
ip6_strict_dst_multihoming=1
2. Update /etc/init.d/inetsvc
# touch /etc/init.d/inetsvc
# vi /etc/init.d/inetsvc
#!/sbin/sh
#Update System Interfaces with correct netmask and broadcast address
/usr/sbin/ifconfig -au netmask + broadcast +
# start the inet deamon
# -s enables runs stand alone mode
# -t trace connects and log to Syslog
/usr/sbin/inetd -s -t
# rm /etc/rc2.d/S72inetsvc
# ln -s /etc/init.d/inetsvc /etc/rc2.d/S72inetsvc
3. Configure RFC 1948 TCP sequence number generation in /etc/default/inetinit:
#vi /etc/default/inetinit
and change the following:
TCP_STRONG_ISS=2
4. Comment out or remove all unnecessary services in the /etc/inet/inetd.conf file including the following:
# cp /etc/inet/inetd.conf /etc/inet/inetd.conf.bak
# vi /etc/inet/inetd.conf
Comment out the following services
shell login exec
uucp tftp finger
sysstat netstat time
echo discard daytime
chargen rpc.ttdbserverd
printer dtspc rpc.cmsd
5. Create /etc/rc3.d/S79tmpfix so that upon boot the /tmp directory will always have the sticky bit set mode 1777.
# touch /etc/rc3.d/S79tmpfix
# vi /etc/rc3.d/S79tmpfix
#!/bin/sh
#ident "@(#)tmpfix 1.0 95/09/14"
if [ -d /tmp ]
then
/usr/bin/chmod 1777 /tmp
/usr/bin/chgrp sys /tmp
/usr/bin/chown sys /tmp
fi
IV. Access Controls
1. Disable network root logins by enabling the "CONSOLE" line in /etc/default/login.
2. Remove, lock, or comment out unnecessary accounts, including "sys", "uucp", "nuucp", and "listen" by putting "NP" in the password field of the /etc/shadow file.
3.Require authentication for remote commands by commenting out the following line in /etc/pam.conf:
# rlogin auth sufficient /usr/lib/security/pam_rhosts_auth.so.1
and changing the rsh line to read:
rsh auth required /usr/lib/security/pam_unix.so.1
4. Disable “r” services
# chmod 000 /usr/bin/rsh
# chmod 000 /usr/bin/rcp
# chmod 000 /usr/bin/rdist
# chmod 000 /usr/bin/rksh
# chmod 000 /usr/bin/rup
# chmod 000 /usr/bin/rusers
# chmod 000 /usr/bin/rdate
# chmod 000 /usr/bin/rlogin
# chmod 000 /usr/bin/ruptime
# chmod 000 /usr/bin/rwho
5. Create an /etc/issue file to display the following warning banner:
WARNING: To protect the system from unauthorized use and to ensure that the
system is functioning properly, activities on this system are monitored and
recorded and subject to audit. Use of this system is expressed consent to such
monitoring and recording. Any unauthorized access or use of this Automated
Information System is prohibited and could be subject to criminal and civil
penalties.
Add the banner to the /etc/motd file:
# cp /etc/motd /etc/motd.orig
# cat /etc/issue /etc/motd.orig > /etc/motd
6. The Automated Security Enhancement Tool (ASET) checks the settings and contents of system files. Many of the setuid and setgid programs on Solaris are used only by root, or by the user or group-id to which they are set.
The following packages will need to be added to the system to run the utility;
pkgadd SUNWast
pkgadd SUNWnisu
Once added, execute the following command
# /usr/aset/aset -l high
Reports are stored in /usr/aset/reports/latest/*.rpt
7. Execution of the su(1M) command can be controlled by adding and configuring a wheel group such as that found on most BSD derived systems.
# /usr/sbin/groupadd -g 13 wheel
# /usr/bin/chgrp wheel /usr/bin/su /sbin/su.static
# /usr/bin/chmod 4550 /usr/bin/su /sbin/su.static
8. Create an /etc/ftpusers file:
# cat /etc/passwd | cut -f1 -d: > /etc/ftpusers
# chown root /etc/ftpusers
# chmod 600 /etc/ftpusers
9. The files in /etc/cron.d control which users can use the cron and at.
Create an /etc/cron.d/cron.allow file:
# echo "root" > /etc/cron.d/cron.allow
# chown root /etc/cron.d/cron.allow
# chmod 600 /etc/cron.d/cron.allow
Create an /etc/cron.d/at.allow file:
# cp -p /etc/cron.d/cron.allow /etc/cron.d/at.allow
Create an /etc/cron.d/cron.deny file:
# cat /etc/passwd | cut -f1 -d: | grep -v root > /etc/cron.d/cron.deny
# chown root /etc/cron.d/cron.deny
# chmod 600 /etc/cron.d/cron.deny
Create an /etc/cron.d/at.deny file:
# cp -p /etc/cron.d/cron.deny /etc/cron.d/at.deny
V. Time Synchronization
Edit the /etc/inet/ntp.conf file:
# touch /etc/inet/ntp.conf
# vi /etc/inet/ntp.conf
#
# /etc/inet/ntp.client
#
# An example file that could be copied over to /etc/inet/ntp.conf; it
# provides a configuration for an ntp server that uses three public sources
# with an internal fallback (127.127.1.0).
#
# A simple NTP clilent would specify one or more network servers in your
# organization:
#
# server ntp.example.com
#
# Public NTP Server list:
#
server 192.5.41.40 # tick.usno.navy.mil
server 192.5.5.250 # clock.isc.org
server 128.9.176.30 # timekeeper.isi.edu
server 127.127.1.0 # internal clock
fudge 127.127.1.0 stratum 10
阅读(484) | 评论(0) | 转发(0) |