
Solaris 8 System and Network Security Checklist

Nowadays, no day passes without breaking news about security incidents. Yesterday it was someone’s web site that was defaced; today it’s stolen credit card numbers. Tomorrow it will be something else. In the mass media, computer security is presented as something mysterious and out of the control of users and system administrators alike. But that is simply not true. Most of the time, all it takes to have a secure system is common sense, knowledge, and attention to detail. This system and network security checklist, although not exhaustive, should help you quickly check the basic security settings of your Solaris 8 installation and TCP/IP network configuration and help you make and keep your Solaris 8 systems secure.
This article is excerpted from Solaris 8 Security, by Edgar Danielyan.
Install the Solaris 8 operating environment and applications from the original CD-ROM.

Install all the current security and recommended patches.

Do not use the upgrade procedure. Do a fresh installation.

Assign every user his or her own personal account.

Make sure all accounts have passwords.

Make sure users don't share passwords. Tell them that this is for their own good.

Make sure no two accounts have the same user ID (UID).

Use "good" passwords, that is, passwords that are not words in any language and that contain at least one digit or special character.

If possible, generate passwords automatically. Consider using genpass, a free random-password generator available from http://www.danielyan.com/~edd/genpass.

Use the root account as little as possible.

Periodically scan your entire filesystem for SUID/SGID files, and save the lists. Any sudden increase or modification should sound the alarm.

Disable SUID whenever possible (that is, when it is not required).

See if there are any device files in inappropriate places (outside of /dev and /devices).
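The SUID/SGID inventory and the check for stray device files above both come down to the same thing: take a snapshot, keep it, and compare the next snapshot against it. The script below is an added example, not part of the book, that does exactly that with POSIX find, ls, awk, sort and diff. The baseline directory (BASELINE_DIR) is an assumed location; choose one that only root can write, or the baseline itself becomes something an intruder can edit.

```shell
#!/bin/sh
# Added example, not from the book: snapshot SUID/SGID files and device
# nodes outside /dev and /devices, keep the snapshot as a baseline, and
# report any difference on later runs.
# BASELINE_DIR is an assumed location, not something the checklist names.

BASELINE_DIR="${BASELINE_DIR:-/var/adm/secbase}"

# scan_privileged ROOT: every regular file below ROOT (same filesystem
# only) with the SUID or SGID bit set, as "mode owner group path", sorted.
scan_privileged() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -exec ls -ld {} \; 2>/dev/null | awk '{ print $1, $3, $4, $NF }' | sort
}

# scan_devices ROOT: block and character device nodes below ROOT that are
# not under ROOT/dev or ROOT/devices, where none should normally exist.
scan_devices() {
    prefix=${1%/}
    find "$1" -xdev \( -type b -o -type c \) -print 2>/dev/null |
        grep -v -e "^$prefix/dev/" -e "^$prefix/devices/" | sort
}

# compare_baseline NAME ROOT: run scan_NAME against ROOT.  With no saved
# baseline, save one and return 0.  Otherwise return 0 if nothing changed,
# or print the differences and return 1 so a cron job can raise the alarm.
compare_baseline() {
    name=$1; root=$2
    base="$BASELINE_DIR/$name.list"
    current="$BASELINE_DIR/$name.current"
    mkdir -p "$BASELINE_DIR"
    "scan_$name" "$root" > "$current"
    if [ ! -f "$base" ]; then
        mv "$current" "$base"
        echo "baseline for $name saved to $base"
        return 0
    fi
    if diff "$base" "$current" > /dev/null; then
        rm -f "$current"
        return 0
    fi
    echo "ALERT: $name list changed since baseline (-: baseline, +: now)"
    diff "$base" "$current" | grep '^[<>]' | sed 's/^</-/; s/^>/+/'
    rm -f "$current"
    return 1
}

# Typical use, as root, from a daily cron job (a full scan of / takes a
# while on a large system):
#   compare_baseline privileged /
#   compare_baseline devices /
```

Refresh the baseline deliberately after each patch installation, since patches legitimately replace SUID binaries; an unexplained change between patch runs is the case the checklist tells you to treat as an alarm.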

If you have to use NFS, share filesystems read-only, with no SUID, and with Secure RPC (DH) or Kerberos authentication whenever possible.

Use NFS Version 3 in TCP mode if possible.

Do not place the current directory (.) in your PATH.

If you use directly connected modems for dial-up, make sure they disconnect and hang up automatically after the line is disconnected.

Do not use r commands (rlogin, rsh, rcp).

Disable all unnecessary services in /etc/inet/inetd.conf.

Have aliases for all accounts on the system so that all e-mail goes to a person and is read.

If you use sendmail, disable the SMTP EXPN and VRFY commands and restrict mail queue access.

Block SNMP and RMON from outside your network.

Never run web servers or any application servers as root. Have a separate special account for every service.

Disable automatic directory listings in web servers.

If you have a choice, use the "deny all, permit some" approach in packet filtering and at your firewall.

If possible, use centralized services for network services such as e-mail and DNS. Do not keep user accounts on these servers.

Use disk space quotas on systems with user accounts.

Always put your Acceptable Use Policy (AUP) and the site security policy in writing. Ask your staff to confirm in writing that they have read it and agree to be bound by it.

Do not use clear-text protocols such as telnet and FTP over insecure networks for logging into more-or-less important systems. Instead, use Secure Shell or a comparable application that provides cryptographically strong encryption and authentication.

Use auditing if appropriate.

Use accounting if appropriate.

Use Kerberos if appropriate.

Use Secure RPC if possible.

Do not allow .rhosts files in users' home directories.

Do not allow the creation of /etc/hosts.equiv.

Take care of cron(1) and at(1) security by having restrictive cron.allow, cron.deny, at.allow, and at.deny files.


/etc

The following configuration files, located in /etc, should be examined and modified as appropriate. This list is not all-inclusive; it includes only Solaris 8 system configuration files. Other application-specific configuration files (such as of Apache, Secure Shell, and others) should also be checked for security-conscious configuration.

/etc/auto_home

Automounter's home directory map file. Comment out +auto_home to disable home mounting.

/etc/auto_master

Automounter's master file. Comment out everything that is not currently being used. Keep the number of automounted resources to a minimum. Better yet, do not use automounter.

/etc/bootrc

The boot loader configuration file. Comment out set boot_timeout to prevent automatic booting after power-on. (Note that this might not be desired on headless systems.)

/etc/coreadm.conf

The core files configuration file. Do not edit this yourself. Use coreadm(1) to change defaults.

/etc/default/cron

cron's configuration file. Make sure CRONLOG is set to YES.

/etc/default/devfsadm

The device administrator's configuration file. Use devfsadm(1M) to configure.

/etc/default/dhcpagent

The DHCP agent's configuration file. See dhcpagent(1M) for more information.

/etc/default/inetinit

Sets the TCP initial sequence number generator's parameters. Set TCP_STRONG_ISS to 1 or 2, never to 0 (2 is best).

/etc/default/kbd

The console keyboard's configuration. In some cases, you might want to disable the ABORT sequence by setting KEYBOARD_ABORT to disable: KEYBOARD_ABORT=disable.

/etc/default/login

The login configuration file. Very important. Make sure that the following are set:

CONSOLE=/dev/console

Permits root logins only from the console.

PASSREQ=yes

Requires passwords.

TIMEOUT=120

Sets the login timeout to 2 minutes.

UMASK=077

Sets umask to o-rwx,g-rwx.

SYSLOG=yes

Logs all root logins.

SLEEPTIME=5

Delays before printing the Login incorrect message.

RETRIES=1

Allows only one try.

SYSLOG_FAILED_LOGINS=0

Logs all failed login attempts.

/etc/default/nfslogd

Sets NFS logging levels. See nfslogd(1M) for more information.

/etc/default/passwd

The passwd configuration file. Very important. Set PASSLENGTH to 8 (PASSLENGTH=8) to require passwords to be a minimum of eight characters long. The default setting of 6 is inadequate.

/etc/default/su

The su(1) configuration file. Make sure the following are set:

SULOG=/var/adm/sulog

Logs all su attempts in /var/adm/sulog.

CONSOLE=/dev/console

Logs su attempts to the console.

SYSLOG=yes

Logs su attempts via syslog.
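The /etc/default/inetinit, login, passwd and su entries above all reduce to "this KEY=VALUE line must be present and uncommented". The script below is an added example, not part of the book, that checks a list of expected settings against such a file. A setting counts only if it appears uncommented with exactly the expected value; a "#KEY=VALUE" line merely documents the compiled-in default, which stays in force. The sample file it runs against is constructed in the style of a freshly installed /etc/default/login and is not a verbatim copy.

```shell
#!/bin/sh
# Added example, not from the book: verify required settings in the
# Solaris /etc/default/* files.  Assumes POSIX sh, sed, tail and mktemp.

# get_setting FILE KEY: print the active value of KEY in FILE (last
# uncommented occurrence wins), or nothing if it is unset or commented out.
get_setting() {
    sed -n "s/^$2=//p" "$1" | sed 's/[[:space:]]*$//' | tail -n 1
}

# check_defaults FILE KEY=VALUE...: report every expected setting that is
# absent, commented out, or set to another value.  Returns 0 when all
# expectations hold, 1 otherwise.
check_defaults() {
    file=$1; shift
    status=0
    for want in "$@"; do
        key=${want%%=*}
        expect=${want#*=}
        actual=$(get_setting "$file" "$key")
        if [ -z "$actual" ]; then
            echo "$file: $key not set, expected $key=$expect"
            status=1
        elif [ "$actual" != "$expect" ]; then
            echo "$file: $key=$actual, expected $key=$expect"
            status=1
        fi
    done
    return $status
}

# Constructed sample: TIMEOUT and SYSLOG_FAILED_LOGINS are at values the
# checklist rejects, and UMASK, SLEEPTIME and RETRIES are commented out.
LOGIN_SAMPLE=$(mktemp)
cat > "$LOGIN_SAMPLE" <<'EOF'
# /etc/default/login (constructed sample, not the shipped file)
CONSOLE=/dev/console
PASSREQ=yes
TIMEOUT=300
#UMASK=022
SYSLOG=yes
#SLEEPTIME=4
#RETRIES=5
SYSLOG_FAILED_LOGINS=5
EOF

# The checklist's expectations for /etc/default/login; five of the eight
# fail against the sample above.
check_defaults "$LOGIN_SAMPLE" CONSOLE=/dev/console PASSREQ=yes TIMEOUT=120 \
    UMASK=077 SYSLOG=yes SLEEPTIME=5 RETRIES=1 SYSLOG_FAILED_LOGINS=0

# On a real Solaris 8 system the same function covers the other files
# from the checklist (run as root; these are the real paths):
if [ -r /etc/default/su ]; then
    check_defaults /etc/default/su SULOG=/var/adm/sulog CONSOLE=/dev/console SYSLOG=yes
    check_defaults /etc/default/passwd PASSLENGTH=8
    check_defaults /etc/default/inetinit TCP_STRONG_ISS=2
fi
```

Because the function only looks at uncommented lines, it catches the common mistake of "fixing" a value inside a comment and leaving the shipped default active.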

/etc/defaultrouter

Contains the IPv4 address of the default router. Make sure it is the correct one.

/etc/dumpadm.conf

Do not edit this yourself. Use dumpadm(1M). In many cases, you might want to disable dumps.

/etc/ftpusers

A list of users denied FTP service. If you must use FTP, make sure all users who don't need or are not authorized to use FTP are in this file. In any case, it should contain root, daemon, nobody, bin, sys, adm, and other system accounts. Make sure it is not writable by anyone.

/etc/group

Contains the UNIX groups list. Check group memberships.

/etc/inet/hosts (also known as /etc/hosts)

The IPv4 hosts table. Make sure it contains entries for the system itself, for localhost, and for loghost:

127.0.0.1 localhost loghost

/etc/inet/inetd.conf

The Internet daemon's (inetd) configuration file. Very important. Comment out (disable) everything that is not currently used. For configuration options, see inetd(1M).
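Disabling everything in inetd.conf that is not in use (this entry and the earlier item on /etc/inet/inetd.conf) is the "deny all, permit some" rule applied to inetd. The script below is an added example, not part of the book: it lists the services that are currently live in an inetd.conf and writes a copy in which every line outside an explicit keep list is commented out. It runs here against a constructed excerpt in the style of /etc/inet/inetd.conf (not the shipped file); on a real system point it at the real file, review the output, install it, and send inetd a SIGHUP so that it re-reads its configuration.

```shell
#!/bin/sh
# Added example, not from the book: inventory and prune inetd.conf.
# Assumes POSIX sh and awk; the sample configuration is constructed.

# list_enabled CONF: print the service name (first field) of every line
# that is neither blank nor a comment.
list_enabled() {
    awk '/^[ \t]*#/ || /^[ \t]*$/ { next } { print $1 }' "$1"
}

# disable_except CONF OUT SERVICE...: write CONF to OUT with every active
# line whose service is not in the keep list commented out.  The line text
# is preserved behind the '#' so re-enabling a service later is one edit.
disable_except() {
    conf=$1; out=$2; shift 2
    awk -v keep=" $* " '
        /^[ \t]*#/ || /^[ \t]*$/    { print; next }
        index(keep, " " $1 " ") > 0 { print; next }
                                    { print "#" $0 }' "$conf" > "$out"
}

# Constructed excerpt in the style of /etc/inet/inetd.conf.
CONF_SAMPLE=$(mktemp)
cat > "$CONF_SAMPLE" <<'EOF'
# inetd.conf (constructed sample)
ftp       stream  tcp6     nowait  root    /usr/sbin/in.ftpd      in.ftpd
telnet    stream  tcp6     nowait  root    /usr/sbin/in.telnetd   in.telnetd
shell     stream  tcp      nowait  root    /usr/sbin/in.rshd      in.rshd
login     stream  tcp6     nowait  root    /usr/sbin/in.rlogind   in.rlogind
exec      stream  tcp6     nowait  root    /usr/sbin/in.rexecd    in.rexecd
finger    stream  tcp6     nowait  nobody  /usr/sbin/in.fingerd   in.fingerd
#tftp     dgram   udp6     wait    root    /usr/sbin/in.tftpd     in.tftpd -s /tftpboot
100232/10 tli     rpc/udp  wait    root    /usr/sbin/sadmind      sadmind
EOF

echo "services currently enabled:"
list_enabled "$CONF_SAMPLE" | sed 's/^/  /'

# Keep only ftp (and only if you must offer FTP at all); everything else,
# including the r-command daemons the checklist rules out, is disabled.
HARDENED=$(mktemp)
disable_except "$CONF_SAMPLE" "$HARDENED" ftp
echo "services enabled after pruning:"
list_enabled "$HARDENED" | sed 's/^/  /'
```

Calling disable_except with an empty keep list produces a file in which nothing is enabled, which is the right starting point for a server that should not run any inetd service; the original line count is preserved, so a diff between the two files shows exactly what was turned off.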

/etc/inet/ipsec.key

Contains IPsec keys. See ipseckey(1M) for more information.

/etc/inet/ipsecinit.conf

IPsec's configuration file. See ipsecconf(1M) for more information.

/etc/inet/ipsecpolicy.conf

IPsec system policy. See ipsecconf(1M) for more information.

/etc/init.d/*

Boot scripts. Disable everything that is not currently used.

/etc/mail/aliases

sendmail's aliases database (text file). Make sure root, nobody, postmaster, daemon, and other system accounts are aliased to a working e-mail account, preferably on the same system.

/etc/mail/sendmail.cf (aka /etc/sendmail.cf)

sendmail's configuration file.

/etc/nfssec.conf

The Network File System (NFS) security configuration file. Do not edit this yourself. See nfssec(5) and mount_nfs(1M) for more information. Use dh or krb4. Do not use sys or none.

/etc/nodename

Node (also known as host) name. Make sure it contains the actual and correct host name.

/etc/nscd.conf

The name service cache daemon's (nscd) configuration file. See nscd(1M) for more information. Generally, it is recommended that you disable nscd unless you have strong reasons not to.

/etc/nsswitch.conf

The name service switch configuration file. Very important. Make sure all sources start with "files." See nsswitch.conf(4) for more information.

/etc/pam.conf

Pluggable Authentication Modules' configuration file. See pam.conf(4) for more information.

/etc/passwd

The password file, without passwords. Make sure it is not writable by anyone.

/etc/shadow

Very important. The password file. Contains encrypted passwords. Make sure it is readable only by root. All other permissions should be disabled using -r--------.
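The file checks called for on /etc/ftpusers, /etc/passwd and /etc/shadow (not writable by anyone, readable only by root with mode -r--------, and the system accounts listed in ftpusers) are collected in the script below, an added example that is not part of the book. It reads the mode string from ls -l rather than stat(1), whose options differ between systems, so it runs unchanged on Solaris 8. The sample files are constructed in a temporary directory; on a real system pass the real paths and run it as root.

```shell
#!/bin/sh
# Added example, not from the book: permission and content checks for
# ftpusers, passwd and shadow.  Assumes POSIX sh, ls, cut, awk, grep.

# file_mode FILE: the ten-character mode string, e.g. -r--------.
file_mode() {
    ls -ld "$1" | cut -c1-10
}

# file_owner FILE: the owner name as shown by ls -l.
file_owner() {
    ls -ld "$1" | awk '{ print $3 }'
}

# writable_by_others FILE: true if group or world has write permission.
writable_by_others() {
    case $(file_mode "$1") in
        ?????w*|????????w?) return 0 ;;
        *)                  return 1 ;;
    esac
}

# check_shadow FILE: owned by root and mode -r-------- (400), nothing else.
check_shadow() {
    [ "$(file_owner "$1")" = root ] && [ "$(file_mode "$1")" = "-r--------" ]
}

# ftpusers_missing FILE ACCOUNT...: print each account not listed in FILE.
ftpusers_missing() {
    file=$1; shift
    for acct in "$@"; do
        grep -q "^$acct\$" "$file" || echo "$acct"
    done
}

# Constructed samples: shadow is correct, passwd is fine, ftpusers is
# deliberately group-writable and lists only three of the accounts the
# checklist names.
DEMO=$(mktemp -d)
: > "$DEMO/shadow"; chmod 400 "$DEMO/shadow"
: > "$DEMO/passwd"; chmod 644 "$DEMO/passwd"
printf 'root\ndaemon\nnobody\n' > "$DEMO/ftpusers"; chmod 664 "$DEMO/ftpusers"

for f in passwd ftpusers; do
    if writable_by_others "$DEMO/$f"; then
        echo "$f: writable by group or world ($(file_mode "$DEMO/$f"))"
    fi
done
check_shadow "$DEMO/shadow" ||
    echo "shadow: owner $(file_owner "$DEMO/shadow"), mode $(file_mode "$DEMO/shadow"); expected root -r--------"
ftpusers_missing "$DEMO/ftpusers" root daemon nobody bin sys adm | sed 's/^/ftpusers: missing /'
```

When run by a non-root user the shadow check will report the owner of the temporary file instead of root; that is the check doing its job, since on the real /etc/shadow anything but root is a finding.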

/etc/syslog.conf

The system logging (syslog) server configuration. See syslogd(1M) for more information.

/etc/system

Important. The kernel's configuration file. See system(4) for more information.

/etc/vfstab

The virtual file system configuration.

/etc/vold.conf

The Volume Management server's configuration file.

/etc/resolv.conf

The DNS resolver's configuration file.

/etc/profile

The global shell profile.
