This article describes the hardening procedure for the Solaris OS. Hardening touches several parts of the OS, so the lengthy procedure has been split into three parts.
1. Services
a) Disabling the restricted services
i) Restricted services
Stop the following restricted services, which pose a risk to the server:
telnet
uucp
netstat
comsat
time
echo
discard
ftp
tftp
daytime
rquotad
rexecd
rpc.ttdbserverd
finger
talk
chargen
ident
systat
yppasswdd, ypserv, ypxfrd
services (i.e. shell, login, klogin, exec, etc.) that listen for r-commands (rlogin, rsh, etc.)
ToolTalk (ttdbserverd)
Calendar Manager (cmsd)
statd (unless required by NFS; see the Use of NFS section for restrictions)
sadmind (Solstice admin daemon)
rstatd
rusersd
rwalld
sprayd
automount (Solaris)
ii) SSH client and server
Only Secure Shell protocol version 2 is allowed; SSH protocol v1 must be disabled. This is set in the file /etc/ssh/sshd_config:
#Protocol 1
Protocol 2
iii) Disable NIS services
# svcadm disable svc:/network/nis/server:default
# svcadm disable svc:/network/nis/client:default
iv) Disable Sendmail
# svcadm disable svc:/network/smtp:sendmail
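To verify the outcome of this section, here is an added audit script (not from the original post) that reads the output of svcs -a and flags any of the restricted services above, NIS and sendmail included, that are still online. The SMF FMRI fragments it matches on are assumptions about service naming on Solaris 10, and the sample svcs -a output is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: audit `svcs -a` output for
# restricted services that are still online. On a Solaris 10 host run
#   svcs -a > /tmp/svcs.out ; audit_restricted_services /tmp/svcs.out
# The FMRI fragments below are ASSUMED SMF names; compare them with the
# real `svcs -a` listing on your host. nfs/status (statd) is flagged too;
# remove it from the list if NFS requires it.
RESTRICTED='telnet ftp tftp finger talk echo chargen discard daytime
network/time comsat uucp rexec rquota network/shell login:rlogin
login:klogin nis/server nis/client smtp:sendmail rpc/rstat rpc/rusers
rpc/wall rpc/spray cde-ttdbserver cde-calendar-manager nfs/status autofs'

# audit_restricted_services FILE
# Prints every online instance whose FMRI contains a restricted fragment,
# leaves the match count in FOUND and returns 0 only when FOUND is 0.
# Disabled/offline instances are already compliant and are skipped.
audit_restricted_services() {
    FOUND=0
    # svcs -a columns are: STATE STIME FMRI
    while read -r state stime fmri; do
        [ "$state" = "online" ] || continue
        for frag in $RESTRICTED; do
            case "$fmri" in
            *"$frag"*)
                echo "RESTRICTED SERVICE ONLINE: $fmri"
                FOUND=$((FOUND + 1))
                break ;;
            esac
        done
    done < "$1"
    [ "$FOUND" -eq 0 ]
}

# Constructed sample of `svcs -a` output (not data from a real host).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
STATE          STIME    FMRI
online         10:01:02 svc:/network/ssh:default
online         10:01:02 svc:/network/telnet:default
disabled       10:01:02 svc:/network/finger:default
online         10:01:03 svc:/network/rpc/rstat:default
online         10:01:03 svc:/network/nis/server:default
offline        10:01:03 svc:/network/smtp:sendmail
online         10:01:04 svc:/system/cron:default
EOF
audit_restricted_services "$SAMPLE" || echo "$FOUND restricted service(s) online"
rm -f "$SAMPLE"
```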
2) Desktop environments
i) X Windows
X Windows is not allowed in production, and xhost must not be used.
X Window traffic must be tunneled through SSH. To enforce this, comment out the line "X11Forwarding yes" in the file /etc/ssh/sshd_config.
ii) Desktop Environment
Desktop environments are not allowed. Disable the dt login service:
# svcadm disable cde-login
iii) Remove the X window dump utilities xwd and xwud:
# rm /usr/openwin/bin/xwd
# rm /usr/openwin/bin/xwud
3) Password Security
i) Local Unix password baseline
Minimum number of alphabetic characters is 1:
/etc/default/passwd contains the setting MINALPHA=1
Minimum number of special characters is 1:
/etc/default/passwd contains the setting MINSPECIAL=1
Maximum number of repeated characters is 1:
/etc/default/passwd contains the setting MAXREPEATS=1
ii) Unix password history
Keep a history of the previous 10 passwords:
/etc/default/passwd contains the setting HISTORY=10
iii) Unix account unsuccessful login retries
/etc/default/passwd contains the setting RETRIES=3
/etc/user_attr contains lock_after_retries=no for root, so the root account is not locked after failed attempts:
root::::auths=solaris.*,solaris.grant;profiles=Web Console Management,All;lock_after_retries=no;
iv) Account password life
Passwords are valid for 30 days:
# passwd -x 30 -n 7 -w 7 <username>
(-x is the maximum age, -n the minimum age before the password may be changed again, and -w the warning period before expiry, all in days.)
v) Session inactivity
Enable the inactive login session timeout of 15 mins (300 secs) in /etc/default/login:
# cat /etc/default/login
...
TIMEOUT=300
...
vi) In addition, add the following lines to /etc/default/passwd:
MAXWEEKS=4
MINWEEKS=1
PASSLENGTH=8
MAXWEEKS - Maximum time period that a password is valid.
MINWEEKS - Minimum time period before a password can be changed.
PASSLENGTH - Minimum length of a password, in characters.
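An added compliance check (not from the original post) for the /etc/default/passwd baseline in this section. It skips the commented example lines that Solaris ships in that file, which a plain grep would mistake for live settings; it uses MAXREPEATS, the Solaris key for the maximum number of repeated characters, and the sample file contents are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: check a copy of
# /etc/default/passwd against the section 3 baseline. Solaris default
# files ship commented examples such as "#HISTORY=0"; a plain grep would
# wrongly accept them, so commented lines are skipped. The KEY=VALUE
# parsing here is local to this example, not a Solaris interface.
# get_setting FILE KEY: print the value of the last uncommented KEY= line
# (empty output means the key is unset).
get_setting() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        index($0, key "=") == 1 { v = substr($0, length(key) + 2) }
        END { print v }' "$1"
}

# check_setting FILE KEY EXPECTED: report a deviation and count it.
check_setting() {
    actual=$(get_setting "$1" "$2")
    if [ "$actual" != "$3" ]; then
        echo "NONCOMPLIANT: $2 is '${actual:-unset}', expected $3"
        DEVIATIONS=$((DEVIATIONS + 1))
    fi
}

# audit_passwd_baseline FILE: returns 0 only when every baseline setting
# is present, uncommented, and has the required value. MAXREPEATS is the
# Solaris key for the maximum number of repeated characters.
audit_passwd_baseline() {
    DEVIATIONS=0
    for kv in MINALPHA=1 MINSPECIAL=1 MAXREPEATS=1 HISTORY=10 RETRIES=3 \
              MAXWEEKS=4 MINWEEKS=1 PASSLENGTH=8; do
        check_setting "$1" "${kv%%=*}" "${kv#*=}"
    done
    [ "$DEVIATIONS" -eq 0 ]
}

# Constructed /etc/default/passwd (sample data, not a real host's file):
# HISTORY is present only as a commented line and PASSLENGTH is too short.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
MAXWEEKS=4
MINWEEKS=1
PASSLENGTH=6
#HISTORY=10
MINALPHA=1
MINSPECIAL=1
MAXREPEATS=1
RETRIES=3
EOF
audit_passwd_baseline "$SAMPLE" || echo "$DEVIATIONS deviation(s) found"
rm -f "$SAMPLE"
```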
4) Logging and enabling user authentication auditing
All successful and failed logins are logged.
Add "auth.info /var/log/authlog" to /etc/syslog.conf to capture syslog events sent to the LOG_AUTH facility. This records successful and failed login and su (switch user) attempts. Solaris syslog.conf requires the selector and the file name to be separated by a tab, not spaces.
# touch /var/log/authlog
# chown root:sys /var/log/authlog
# chmod 600 /var/log/authlog
# vi /etc/syslog.conf
auth.info /var/log/authlog
Logging only failed logins
# cat /etc/default/login
SYSLOG=YES
SYSLOG_FAILED_LOGINS=3
# touch /var/adm/loginlog
# chmod 600 /var/adm/loginlog
# chown root:sys /var/adm/loginlog
Logging only successful logins
# touch /var/log/logins
# chgrp sys /var/log/logins
# chmod 600 /var/log/logins
# cat /etc/syslog.conf
local0.info /var/log/logins
Add the following entry to /etc/profile and /etc/.login:
logger -p local0.info "User $LOGNAME has logged in"
After editing /etc/syslog.conf, restart the service:
# svcadm disable system-log
# svcadm enable system-log
SU events logging
# cat /etc/default/su
SYSLOG=yes
SULOG=/var/adm/sulog
Cron commands should be logged:
# cat /etc/default/cron
CRONLOG=YES
5) Folder and file permissions
Set the permissions on important system directories and files:
# chmod 755 /etc /var /var/spool
# chmod 700 /var/cron
# chmod 750 /etc/security
# chmod 600 /var/adm/messages /var/log/syslog /var/adm/loginlog