Solaris Security Step by Step
version 1.0

Boot-Time Configuration
-----------------------
1. Enter host name, select "Networked", enter IP address
2. Select "None" for name service
3. Enter appropriate netmask information
4. ...

Minimal OS Installation
-----------------------
1. Choose "Initial" install
2. Select "Core System Support"
3. "Customize" and add "Terminal Information". User desktops may need other
   packages which contain CDE, programming tools and include files, etc.
4. Lay out file systems on disks. Swap: 1 to 4 times main memory.

   bash-2.02# df -k
   Filesystem            kbytes    used   avail capacity  Mounted on
   /dev/dsk/c0t0d0s0     232733   17741  191719     9%    /
   /dev/dsk/c0t0d0s6    3311127 2906119  371897    89%    /usr
   /proc                      0       0       0     0%    /proc
   fd                         0       0       0     0%    /dev/fd
   /dev/dsk/c0t0d0s3     595101  255164  280427    48%    /var
   /dev/dsk/c0t0d0s7    1023364  521722  440241    55%    /export/home
   /dev/dsk/c0t0d0s5     219959   34742  163222    18%    /opt
   /dev/dsk/c0t0d0s1     500963  203425  247442    46%    /usr/openwin
   /dev/dsk/c0t1d0s0    7211277  499465 6639700     7%    /servers
   swap                  204064    5280  198784     3%    /tmp

   partition> print
   Current partition table (original):
   Total disk cylinders available: 13408 + 2 (reserved cylinders)

   Part      Tag    Flag     Cylinders        Size            Blocks
     0       root    wm       0 -   524      242.25MB    (525/0/0)     496125
     1        usr    wm     525 -  1654      521.41MB    (1130/0/0)   1067850
     2     backup    wm       0 - 13407        6.04GB    (13408/0/0) 12670560
     3        var    wm    1655 -  2996      619.23MB    (1342/0/0)   1268190
     4       swap    wu    2997 -  3551      256.09MB    (555/0/0)     524475
     5 unassigned    wm    3552 -  4048      229.33MB    (497/0/0)     469665
     6        usr    wm    4049 - 11170        3.21GB    (7122/0/0)   6730290
     7       home    wm   11171 - 13407        1.01GB    (2237/0/0)   2113965

   (Separate /usr, /var and user file systems are what make the per-file-system
   mount options under "File System Configuration" below possible.)

5. Do not choose to mount any remote file system

Post Install/networking Configuration
-------------------------------------
1. bash-2.02# cat /etc/defaultrouter
   137.111.20.129

2. bash-2.02# cat /etc/resolv.conf
   domain its.unimacq.edu.au unimacq.edu.au
   nameserver 137.111.20.2
   nameserver 137.111.66.5

   (The resolver takes a single name from a domain line; to search more than
   one domain use a search line instead.)

3.
   bash-2.02# diff /etc/nsswitch.conf /etc/nsswitch.conf.orig
   12c12
   < hosts:      files dns
   ---
   > hosts:      files

Installing Patches
------------------
1. Remove any dependencies on /usr/xpg4/bin/grep (not installed as part of
   the "Core System Support" image) from the patchadd script:

   mv /usr/sbin/patchadd /usr/sbin/patchadd.orig
   sed s/\\/xpg4// /usr/sbin/patchadd.orig > /usr/sbin/patchadd
   chmod 555 /usr/sbin/patchadd
   chgrp bin /usr/sbin/patchadd

2. Download the Recommended (and Year 2000) Patch Cluster from
   ftp://sunsolve.sun.com

3. bash-2.02# cd /var/tmp/
   bash-2.02# ls -al
   drwxr-xr-x 103 root     other       2560 Sep 18 18:34 2.6_Recommended
   -rw-r--r--   1 root     other   42033063 Sep 21 17:44 2.6_Recommended.tar.Z
   drwxr-xr-x  12 root     other        512 Aug  8 18:43 2.6_y2000_ALL
   -rw-r--r--   1 root     other    6115039 Sep 21 17:29 2.6_y2000_ALL.tar.Z

4. bash-2.02# 2.6_Recommended/install_cluster -nosave

   (-nosave skips the backout copies patchadd normally keeps, so these patches
   cannot be removed with patchrm later.)

Purging Boot Directories of Unnecessary Services
------------------------------------------------
1. Remove files for run states other than level 2

   rm -f /etc/rc[013].d/*

   (/etc/rc0.d also holds the K* scripts that /etc/rc0 runs at shutdown; once
   they are gone, services are no longer stopped one by one before the halt.)

2. Rename "auto configuration" related links (steps 2 to 5 are run from
   /etc/rc2.d)

   cd /etc/rc2.d
   for file in S30sysid.net S71sysid.sys S72autoinstall
   do
       mv $file .NO$file
   done

3. Rename NFS-related links

   for file in K60nfs.server S73nfs.client S74autofs *cache*
   do
       mv $file .NO$file
   done

4. Rename the sendmail start-up script

   mv S88sendmail .NOS88sendmail

5. Rename the expreserve initiation script

   mv S80PRESERVE .NOS80PRESERVE
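The renames in steps 2 to 5 as one script, added here as an example and not part of the original checklist: it refuses to clobber an existing .NO* entry, reports scripts that are already disabled or missing, and has a dry-run mode so it can be rehearsed on a copy of /etc/rc2.d first. RC_DIR, DRY_RUN and the function names are this example's own choices; the .NO prefix and the script names are the ones used above.

```shell
#!/bin/sh
# Added example: disable /etc/rc2.d start/kill scripts by renaming them with
# the .NO prefix used in the checklist, idempotently and with a dry run.
# RC_DIR and DRY_RUN are this example's own names; point RC_DIR at a copy
# of /etc/rc2.d to rehearse.

RC_DIR="${RC_DIR:-/etc/rc2.d}"
DRY_RUN="${DRY_RUN:-0}"

# disable_rc_link NAME: rename $RC_DIR/NAME to $RC_DIR/.NONAME.
# Returns 0 when done or already done, 1 when NAME is missing or when both
# the live and the .NO copy exist (never overwrite a previous rename).
disable_rc_link() {
    name=$1
    live="$RC_DIR/$name"
    off="$RC_DIR/.NO$name"
    if [ -e "$live" ]; then
        if [ -e "$off" ]; then
            echo "refusing: both $name and .NO$name exist in $RC_DIR" >&2
            return 1
        fi
        if [ "$DRY_RUN" = 1 ]; then
            echo "would mv $live $off"
        else
            mv "$live" "$off" && echo "disabled: $name"
        fi
    elif [ -e "$off" ]; then
        echo "already disabled: $name"
    else
        echo "not present: $name" >&2
        return 1
    fi
}

# disable_rc_glob PATTERN: disable every live entry matching PATTERN, e.g.
# '*cache*'.  Entries already renamed start with a dot and are not matched.
disable_rc_glob() {
    grc=0
    for path in "$RC_DIR"/$1; do
        [ -e "$path" ] || continue
        disable_rc_link "${path##*/}" || grc=1
    done
    return $grc
}

# count_enabled: how many S* and K* entries are still live in $RC_DIR.
count_enabled() {
    n=0
    for path in "$RC_DIR"/S* "$RC_DIR"/K*; do
        [ -e "$path" ] && n=$((n + 1))
    done
    echo "$n"
}

# purge_rc2: the renames from steps 2 to 5 of the checklist.
purge_rc2() {
    rc=0
    for f in S30sysid.net S71sysid.sys S72autoinstall \
             K60nfs.server S73nfs.client S74autofs \
             S88sendmail S80PRESERVE; do
        disable_rc_link "$f" || rc=1
    done
    disable_rc_glob '*cache*' || rc=1
    return $rc
}

# Usage:  DRY_RUN=1 sh harden-rc2.sh purge   (rehearse)
#         sh harden-rc2.sh purge             (apply), then ls -al .NO*
case "${1-}" in
    purge) purge_rc2 ;;
esac
```

Run it once with DRY_RUN=1 to see what would move, then without to apply; count_enabled before and after gives a quick check that only the intended entries changed, and step 6's ls -al .NO* shows the result.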
6. bash-2.02# cd /etc/rc2.d/
   bash-2.02# ls -al .NO*
   -rwxr--r--   2 root     sys         1738 Jul 16  1997 .NOK60nfs.server
   -rwxr-xr-x   2 root     other       1644 Jul  3  1997 .NOS30sysid.net
   -rwxr-xr-x   2 root     other       1498 Jul  3  1997 .NOS71sysid.sys
   -rwxr-xr-x   2 root     other       1558 Jul  3  1997 .NOS72autoinstall
   -rwxr--r--   2 root     sys          579 Jul 16  1997 .NOS73cachefs.daemon
   -rwxr--r--   2 root     sys         1236 Jul 16  1997 .NOS73nfs.client
   -rwxr--r--   2 root     sys          602 Jul 16  1997 .NOS74autofs
   -rwxr--r--   2 root     sys          218 Jul 16  1997 .NOS80PRESERVE
   -rwxr--r--   2 root     sys          976 Sep 18 18:32 .NOS88sendmail
   -rwxr--r--   2 root     sys          373 Jul 16  1997 .NOS93cacheos.finish

   (The link count of 2 shows these are hard links to the scripts in
   /etc/init.d; the rename keeps the script but stops /etc/rc2 from running
   it, since rc2 only executes S* and K* names.)

7. The RPC-related link S71rpc and S76nscd can be renamed as well, but only if
   the host will not run X Windows: keep them if it will, otherwise users hang
   during the X Windows login.

8. bash-2.02# cat /etc/init.d/umask.sh
   umask 022

9. bash-2.02# ls -al /etc/rc2.d/S00umask.sh
   lrwxrwxrwx 1 root other 18 Sep 24 14:05 /etc/rc2.d/S00umask.sh -> ../init.d/umask.sh

10. Add to the END of /etc/init.d/inetinit

    ndd -set /dev/tcp tcp_conn_req_max_q0 10240
    ndd -set /dev/ip ip_ignore_redirect 1
    ndd -set /dev/ip ip_send_redirects 0
    ndd -set /dev/ip ip_ire_flush_interval 60000
    ndd -set /dev/arp arp_cleanup_interval 60
    ndd -set /dev/ip ip_forward_directed_broadcasts 0
    ndd -set /dev/ip ip_forward_src_routed 0
    ndd -set /dev/ip ip_forwarding 0
    ndd -set /dev/ip ip_strict_dst_multihoming 1

    NOTE: for versions of Solaris prior to 2.6 replace the first line above
    with

    ndd -set /dev/tcp tcp_conn_req_max 1024

    Solaris 2.5.1 systems may apply patch 103582-12 to enable use of the
    tcp_conn_req_max_q0 parameter.

    Note also that setting the ip_forwarding parameter to 0 is equivalent to
    creating the /etc/notrouter file.

Cleaning House
--------------
1. Remove other NFS-related configuration files

   rm /etc/auto_home /etc/auto_master /etc/dfs/dfstab

2. Clean out /etc/passwd file

   for user in uucp nuucp adm lp smtp listen
   do
       /usr/sbin/passmgmt -d $user
   done

3.
   Make /dev/null the shell for all non-root users in /etc/passwd. (Solaris
   treats an empty shell field as /usr/bin/sh, so system accounts such as
   daemon, bin and sys have a working shell until one is set explicitly.)

Notes:
Administrators who wish to log failed login attempts may use the noshell
program provided with the Titan Security Package:
http://www.fish.com/titan/

Jens Voeckler, "Solaris 2.x - Tuning Your TCP/IP Stack and More"
http://www.rvs.uni-hannover.de/people/voeckler/tune/EN/tune.html

File System Configuration
-------------------------
1. Mount /usr read-only, and mount /var and /local nosuid so that set-UID
   programs cannot run from them; if possible, mount the root file system
   nosuid too (remount,nosuid) in /etc/vfstab.

   bash-2.02# cat /etc/vfstab
   #device             device              mount         FS     fsck  mount    mount
   #to mount           to fsck             point         type   pass  at boot  options
   #
   fd                  -                   /dev/fd       fd     -     no       -
   /proc               -                   /proc         proc   -     no       -
   /dev/dsk/c0t0d0s4   -                   -             swap   -     no       -
   /dev/dsk/c0t0d0s0   /dev/rdsk/c0t0d0s0  /             ufs    1     no       remount,nosuid
   /dev/dsk/c0t0d0s6   /dev/rdsk/c0t0d0s6  /usr          ufs    1     no       -
   /dev/dsk/c0t0d0s3   /dev/rdsk/c0t0d0s3  /var          ufs    1     no       nosuid
   /dev/dsk/c0t0d0s7   /dev/rdsk/c0t0d0s7  /export/home  ufs    2     yes      -
   /dev/dsk/c0t0d0s5   /dev/rdsk/c0t0d0s5  /opt          ufs    2     yes      -
   /dev/dsk/c0t0d0s1   /dev/rdsk/c0t0d0s1  /usr/openwin  ufs    2     yes      -
   /dev/dsk/c0t1d0s0   /dev/rdsk/c0t1d0s0  /servers      ufs    2     yes      -
   swap                -                   /tmp          tmpfs  -     yes      -

   (In the vfstab shown, /usr has no ro option yet and /export/home, /opt and
   /servers have no nosuid; those still need adding. A read-only /usr must be
   remounted read-write (mount -o remount,rw /usr) before patchadd is run.)

Additional Logging
------------------
1. By default, Solaris does not capture syslog events sent to LOG_AUTH. This
   information is very useful since it contains unsuccessful login attempts,
   successful and failed su attempts, reboots, and a wealth of other
   security-related information. The auth.notice line below, commented out in
   the stock file, sends it to /var/log/authlog on the loghost.

   bash-2.02# cat /etc/syslog.conf
   #ident  "@(#)syslog.conf        1.4     96/10/11 SMI"   /* SunOS 5.0 */
   #
   # Copyright (c) 1991-1993, by Sun Microsystems, Inc.
   #
   # syslog configuration file.
   #
   # This file is processed by m4 so be careful to quote (`') names
   # that match m4 reserved words.  Also, within ifdef's, arguments
   # containing commas must be quoted.
   #
   *.err;kern.notice;auth.notice                   /dev/console
   *.err;kern.debug;daemon.notice;mail.crit        /var/adm/messages

   *.alert;kern.err;daemon.err                     operator
   *.alert                                         root

   *.emerg                                         *

   # if a non-loghost machine chooses to have authentication messages
   # sent to the loghost machine, un-comment out the following line:
   auth.notice                     ifdef(`LOGHOST', /var/log/authlog, @loghost)

   mail.debug                      ifdef(`LOGHOST', /var/log/syslog, @loghost)

   #
   # non-loghost machines will use the following lines to cause "user"
   # log messages to be logged locally.
   #
   ifdef(`LOGHOST', ,
   user.err                                        /dev/console
   user.err                                        /var/adm/messages
   user.alert                                      `root, operator'
   user.emerg                                      *
   )

   (Selector and action must be separated by tabs, not spaces. syslogd does
   not create missing log files, so before sending it a HUP run:
   touch /var/log/authlog; chmod 600 /var/log/authlog)

Fix-Modes Script
----------------
1. The default permissions on many files are somewhat insecure. fix-modes was
   written by Casper Dik to correct these permissions for Solaris 2.2 through
   2.6:
   ftp://ftp.fwi.uva.nl/pub/solaris/fix-modes.tar.gz

2. /etc/issue with an appropriate statutory warning.

   bash-2.02# cat /etc/issue
   This system is for the use of authorized users only. Individuals using
   this computer system without authority, or in excess of their authority,
   are subject to having all of their activities on this system monitored
   and recorded by system personnel. In the course of monitoring individuals
   improperly using this system, or in the course of system maintenance, the
   activities of authorized users may also be monitored. Anyone using this
   system expressly consents to such monitoring and is advised that if such
   monitoring reveals possible evidence of criminal activity, system
   personnel may provide the evidence of such monitoring to law enforcement
   officials.

3. Turn on EEPROM security functionality

   bash-2.02# eeprom security-mode=command

   (or, at the OpenBoot prompt, ok setenv security-mode command). Either way
   you are prompted for a PROM password; in command mode every OpenBoot
   command other than the default boot and go then requires it.

4. bash-2.02# cat /etc/ftpusers
   root
   daemon
   bin
   sys
   nobody
   noaccess
   nobody4
   uucp
   nuucp
   adm
   lp
   smtp
   listen
   terrence
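The /etc/passwd work in Cleaning House steps 2 and 3 and the /etc/ftpusers list in step 4 above, as an added example that is not part of the original checklist. It works on a copy of the passwd file, flags any account besides root that has uid 0 (on stock Solaris 2.x smtp is such an account, one reason step 2 removes it), gives /dev/null to the system accounts, and derives the ftpusers list from the result instead of typing it. The sample passwd is constructed in the shape of a Solaris 2.6 file; the function names are this example's own. On the live system passmgmt -d, as in step 2, remains the right tool for removal because it updates /etc/shadow as well.

```shell
#!/bin/sh
# Added example: the /etc/passwd clean-up of Cleaning House steps 2 and 3 and
# the /etc/ftpusers list of step 4, run against a copy of the file.  The
# sample passwd is constructed in the shape of a Solaris 2.6 file; the
# function names are this example's own.

SAMPLE_PASSWD='root:x:0:1:Super-User:/:/sbin/sh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
sys:x:3:3::/:
adm:x:4:4:Admin:/var/adm:
lp:x:71:8:Line Printer Admin:/usr/spool/lp:
smtp:x:0:0:Mail Daemon User:/:
uucp:x:5:5:uucp Admin:/usr/lib/uucp:
nuucp:x:9:9:uucp Admin:/var/spool/uucppublic:/usr/lib/uucp/uucico
listen:x:37:4:Network Admin:/usr/net/nls:
nobody:x:60001:60001:Nobody:/:
noaccess:x:60002:60002:No Access User:/:
nobody4:x:65534:65534:SunOS 4.x Nobody:/:
terrence:x:1001:10:Terrence:/export/home/terrence:/usr/local/bin/bash'

# extra_uid0 FILE: accounts other than root with uid 0.  Any of these is a
# second root login; stock Solaris 2.x ships smtp like this.
extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# remove_accounts FILE user...: FILE without the named accounts (step 2).
# On the live system use passmgmt -d, which also edits /etc/shadow.
remove_accounts() {
    file=$1
    shift
    awk -F: -v drop="$*" '
        BEGIN { n = split(drop, d, " "); for (i = 1; i <= n; i++) del[d[i]] = 1 }
        !($1 in del)' "$file"
}

# null_shells [FILE]: step 3.  An empty shell field means /usr/bin/sh on
# Solaris, so every account except root that has an empty shell, a uid
# below 100 or a uid of 60000 and above gets /dev/null.  Reads stdin when
# no FILE is given.
null_shells() {
    awk -F: 'BEGIN { OFS = ":" }
        $1 != "root" && ($7 == "" || $3 < 100 || $3 >= 60000) { $7 = "/dev/null" }
        { print }' ${1+"$1"}
}

# gen_ftpusers [FILE]: step 4.  root plus every account whose shell is
# /dev/null; in.ftpd refuses ftp logins for the names listed.
gen_ftpusers() {
    awk -F: '$1 == "root" || $7 == "/dev/null" { print $1 }' ${1+"$1"}
}

# clean_passwd FILE user...: steps 2 and 3 together, result on stdout.
clean_passwd() {
    file=$1
    shift
    remove_accounts "$file" "$@" | null_shells
}

# demo: run the whole sequence on the sample; nothing under /etc is touched.
demo() {
    tmp=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_PASSWD" > "$tmp"
    echo "uid-0 accounts besides root: $(extra_uid0 "$tmp" | tr '\n' ' ')"
    clean_passwd "$tmp" uucp nuucp adm lp smtp listen > "$tmp.new"
    echo "--- cleaned passwd ---"
    cat "$tmp.new"
    echo "--- ftpusers ---"
    gen_ftpusers "$tmp.new"
    rm -f "$tmp" "$tmp.new"
}

case "${1-}" in
    demo) demo ;;
esac
```

Run sh passwd-clean.sh demo to see the three outputs; on a real host, point the functions at a copy of /etc/passwd, review the cleaned file and the generated ftpusers, then apply them. Interactive users such as terrence keep their shell and are not put in ftpusers, which the hand-written list above does; add them there deliberately if ftp is to be denied to them too.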
5. Remove .rhosts support from /etc/pam.conf (the rsh and rlogin services
   themselves are controlled from /etc/inetd.conf)

   bash-2.02# diff /etc/pam.conf /etc/pam.conf.orig
   9a10
   > rlogin  auth sufficient /usr/lib/security/pam_rhosts_auth.so.1
   13a15
   > rsh     auth required   /usr/lib/security/pam_rhosts_auth.so.1

6. bash-2.02# diff /etc/default/login /etc/default/login.orig
   40c40
   < UMASK=022
   ---
   > #UMASK=022

7. Disable the Stop-A abort sequence by editing /etc/default/kbd. The value
   has to be disable; an uncommented KEYBOARD_ABORT=enable leaves Stop-A
   active. kbd -a disable applies the setting without a reboot.

   bash-2.02# diff /etc/default/kbd /etc/default/kbd.orig
   20c20
   < KEYBOARD_ABORT=disable
   ---
   > #KEYBOARD_ABORT=enable

8. Edit /etc/default/inetinit and set TCP_STRONG_ISS=2 to cause the system to
   use the better (RFC 1948) TCP sequence number generation algorithm

   bash-2.02# diff /etc/default/inetinit /etc/default/inetinit.orig
   9c9
   < TCP_STRONG_ISS=2
   ---
   > TCP_STRONG_ISS=1

9. Edit /etc/default/passwd file:

   bash-2.02# cat /etc/default/passwd
   #ident  "@(#)passwd.dfl 1.3     92/07/14 SMI"
   MAXWEEKS=
   MINWEEKS=
   PASSLENGTH=6

   (With the crypt(3C) used by Solaris 2.6 only the first eight characters of
   a password count, so PASSLENGTH above 8 adds nothing; an empty MAXWEEKS
   means passwords never expire.)

10. Prevent and log some buffer overrun attacks by adding the following to
    /etc/system (takes effect at the next reboot)

    bash-2.02# diff /etc/system /etc/system.orig
    79,81d78
    < * Attempt to prevent and log stack-smashing attacks
    < set noexec_user_stack = 1
    < set noexec_user_stack_log = 1

Building and Installing the TCP Wrapper software
------------------------------------------------
1. Obtain TCP Wrappers from:
   ftp://ftp.win.tue.nl/pub/security/tcp_wrapper.tar.gz

2. In the Makefile, uncomment the correct value of REAL_DAEMON_DIR for your
   system. Also modify the FACILITY variable so all logging goes to LOG_AUTH,
   which the syslog.conf above now captures.

3. Build software

   make sunos5

   gcc users may add CC=gcc to the command line.

4. install.sh

   bash-2.02# cat /usr/local/src/tcp_wrappers_7.6/install.sh
   #!/bin/sh
   for file in safe_finger tcpd tcpdchk tcpdmatch try-from
   do
       /usr/sbin/install -s -f /usr/local/sbin -m 0555 -u root -g daemon $file
   done
   /usr/sbin/install -s -f /usr/local/include -m 0444 -u root -g daemon tcpd.h
   /usr/sbin/install -s -f /usr/local/lib -m 0555 -u root -g daemon libwrap.a

Building and Installing the SSH software
----------------------------------------
1.
   Build software

   ./configure --with-libwrap --without-rsh --disable-suid-ssh

2. hosts.allow and hosts.deny

   bash-2.02# cat /etc/hosts.allow
   in.telnetd: \
       igloo.its.unimacq.edu.au \
       oscar.its.unimacq.edu.au \
       localhost.its.unimacq.edu.au: rfc931: ALLOW
   in.ftpd: \
       igloo.its.unimacq.edu.au \
       oberon.its.unimacq.edu.au
   sshd sshdfwd-X11: .its.unimacq.edu.au: rfc931: ALLOW

   bash-2.02# cat /etc/hosts.deny
   ALL: ALL: spawn /usr/bin/mailx -s "%s: connection attempt from %a" root@xxxxxxxxxxxxxx

   (The ALLOW keyword is the extended syntax, compiled in by the default
   -DPROCESS_OPTIONS build; in that syntax a shell command is given with the
   spawn option, and old-style and extended entries must not be mixed. Run
   tcpdchk after editing either file. rfc931 waits up to 10 seconds for an
   identd answer from the client; the name returned is chosen by the client
   and is useful for logging only.)

3. sshd_config

   bash-2.02# cat /etc/sshd_config
   # This is ssh server systemwide configuration file.
   Port 22
   ListenAddress 0.0.0.0
   PidFile /etc/sshd.pid
   SyslogFacility AUTH
   FascistLogging yes
   HostKey /etc/ssh_host_key
   KeyRegenerationInterval 900
   RandomSeed /etc/ssh_random_seed
   ServerKeyBits 1024
   CheckMail no
   KeepAlive no
   PrintMotd no
   QuietMode no
   SilentDeny no
   PermitRootLogin no
   IgnoreRhosts yes
   RhostsAuthentication no
   RhostsRSAAuthentication no
   PasswordAuthentication yes
   PermitEmptyPasswords no
   RSAAuthentication yes
   StrictModes yes
   UseLogin no
   LoginGraceTime 180
   X11Forwarding yes
   X11DisplayOffset 10
   AllowHosts *.its.unimacq.edu.au
   DenyHosts lowsecurity.theirs.com *.evil.org evil.org
   Umask 022

   (SyslogFacility AUTH puts sshd's messages in the same LOG_AUTH stream as
   login, su and tcpd. The DenyHosts entries are the placeholder names from
   the sample configuration shipped with ssh; AllowHosts is what limits
   access to the local domain.)

4. Generate server key file:

   /usr/local/bin/ssh-keygen -b 1024 -N '' -f /etc/ssh_host_key

5. sshd start-up script

   bash-2.02# cat /etc/init.d/sshd
   #!/bin/sh
   #
   # Copyright (c) 1991, by Sun Microsystems, Inc.
   #
   #ident  "@(#)sshd 1.7     96/10/02 SMI"

   case "$1" in
   'start')
       if [ -x /usr/local/sbin/sshd -a -f /etc/sshd_config ]; then
           echo "sshd service starting."
           if [ ! -f /var/adm/messages ]
           then
               cp /dev/null /var/adm/messages
           fi
           /usr/local/sbin/sshd 1>/dev/console 2>&1
       fi
       ;;

   'stop')
       [ ! -f /etc/sshd.pid ] && exit 0
       sshpid=`cat /etc/sshd.pid`
       if [ "$sshpid" -gt 0 ]; then
           echo "Stopping the sshd service."
           kill -15 $sshpid 2>&1 | /usr/bin/grep -v "no such process"
       fi
       ;;

   *)
       echo "Usage: /etc/init.d/sshd { start | stop }"
       ;;
   esac
   exit 0

   bash-2.02# ls -al /etc/rc2.d/S75sshd
   lrwxrwxrwx 1 root other 14 Sep 25 12:17 /etc/rc2.d/S75sshd -> ../init.d/sshd

Make a Backup
-------------
1. Boot the system in single-user mode

   reboot -- -s

2. Mount all filesystems

   fsck
   mount -a

3. Back up all ufs file systems to tape or other media TWICE

   mt /dev/rmt/0 rewind
   for dir in / /usr /var /local
   do
       ufsdump 0f /dev/rmt/0n $dir
   done
   mt /dev/rmt/0 eject

   (Use the ufs file systems actually listed in /etc/vfstab: the vfstab shown
   earlier has no /local but does have /export/home, /opt, /usr/openwin and
   /servers, none of which the loop above would dump.)
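One vfstab parser serving two checks from this document, added here as an example that is not part of the original: the nosuid and ro audit for File System Configuration step 1, and the list of ufs file systems the ufsdump loop in step 3 above has to cover, derived from vfstab rather than typed by hand. The sample vfstab is a constructed copy of the one shown earlier; SAMPLE_VFSTAB and the function names are this example's own.

```shell
#!/bin/sh
# Added example: a vfstab parser shared by two checks from this document:
# which ufs file systems lack the nosuid (or, for /usr, ro) option asked for
# under File System Configuration, and which ones the ufsdump loop under
# Make a Backup has to cover.  SAMPLE_VFSTAB is a constructed copy of the
# vfstab shown earlier; the function names are this example's own.

SAMPLE_VFSTAB='#device         device          mount   FS      fsck    mount   mount
#to mount       to fsck         point   type    pass    at boot options
#
fd              -               /dev/fd fd      -       no      -
/proc           -               /proc   proc    -       no      -
/dev/dsk/c0t0d0s4 -             -       swap    -       no      -
/dev/dsk/c0t0d0s0 /dev/rdsk/c0t0d0s0 /  ufs     1       no      remount,nosuid
/dev/dsk/c0t0d0s6 /dev/rdsk/c0t0d0s6 /usr ufs   1       no      -
/dev/dsk/c0t0d0s3 /dev/rdsk/c0t0d0s3 /var ufs   1       no      nosuid
/dev/dsk/c0t0d0s7 /dev/rdsk/c0t0d0s7 /export/home ufs 2 yes     -
/dev/dsk/c0t0d0s5 /dev/rdsk/c0t0d0s5 /opt ufs   2       yes     -
/dev/dsk/c0t0d0s1 /dev/rdsk/c0t0d0s1 /usr/openwin ufs 2 yes     -
/dev/dsk/c0t1d0s0 /dev/rdsk/c0t1d0s0 /servers ufs 2     yes     -
swap            -               /tmp    tmpfs   -       yes     -'

# ufs_entries FILE: "mount-point options" for every ufs line, comments skipped.
ufs_entries() {
    awk '$1 !~ /^#/ && $4 == "ufs" { print $3, $7 }' "$1"
}

# ufs_mount_points FILE: what ufsdump has to cover, in vfstab order.
ufs_mount_points() {
    ufs_entries "$1" | awk '{ print $1 }'
}

# missing_nosuid FILE: ufs file systems without nosuid.  The option field is
# a comma-separated list, so nosuid must match as a whole word.  /usr and
# /usr/openwin are skipped: the set-UID programs live there and the
# checklist asks for ro on /usr instead.
missing_nosuid() {
    ufs_entries "$1" | awk '
        $1 == "/usr" || $1 == "/usr/openwin" { next }
        $2 !~ /(^|,)nosuid(,|$)/ { print $1 }'
}

# missing_ro FILE: prints /usr when it is not mounted read-only.
missing_ro() {
    ufs_entries "$1" | awk '$1 == "/usr" && $2 !~ /(^|,)ro(,|$)/ { print $1 }'
}

# dump_plan FILE [TAPE]: the commands of backup step 3 for every ufs file
# system in FILE, printed rather than run so the plan can be checked first.
# TAPE defaults to /dev/rmt/0; the no-rewind device is TAPE with n appended.
dump_plan() {
    tape=${2:-/dev/rmt/0}
    echo "mt $tape rewind"
    ufs_mount_points "$1" | while read -r mp; do
        echo "ufsdump 0f ${tape}n $mp"
    done
    echo "mt $tape eject"
}

# demo: run every check against the constructed sample.
demo() {
    tmp=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_VFSTAB" > "$tmp"
    echo "ufs without nosuid: $(missing_nosuid "$tmp" | tr '\n' ' ')"
    echo "/usr not read-only: $(missing_ro "$tmp")"
    echo "--- backup plan ---"
    dump_plan "$tmp"
    rm -f "$tmp"
}

case "${1-}" in
    demo) demo ;;
esac
```

Against the sample, missing_nosuid reports /export/home, /opt and /servers and missing_ro reports /usr, which is exactly the gap between the stated policy and the vfstab shown; dump_plan lists seven ufsdump lines instead of the four typed above. On the live system pass /etc/vfstab as FILE and pipe dump_plan's output to sh once it has been read.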