Solaris Security Guide

This document provides a list of configuration changes which enhance the security of a Sun Solaris (SunOS 5.x) system.


Auditing

  1. Enable the Basic Security Module (BSM) and reboot so that the audit module is loaded:
    /etc/security/bsmconv

    Note: bsmconv also adds "set abort_enable = 0" to /etc/system (disabling the
    Stop-A/L1-A abort sequence) and moves aside the volume manager startup script
    /etc/rc2.d/S92volmgt.

  2. Configure the classes of events to log in /etc/security/audit_control:
    dir:/var/audit
    flags:lo,ad,pc,fc,fd,fm
    naflags:lo,ad
    #
    #   lo - login/logout events
    #   ad - administrative actions: mount, exportfs, etc.
    #   pc - process operations: fork, exec, exit, etc.
    #   fc - file creation
    #   fd - file deletion
    #   fm - change of object attributes: chown, flock, etc.
    #
    

  3. Create /etc/security/newauditlog.sh (owned by root, mode 700):
    #!/sbin/sh
    #
    # newauditlog.sh - Start a new audit file and expire the old logs
    #
    AUDIT_EXPIRE=30
    AUDIT_DIR="/var/audit"
    
    # Ask auditd to close the current trail and open a new one
    /usr/sbin/audit -n
    
    # cd first (in case $AUDIT_DIR is a link) and stop if that fails, so the
    # find/rm below can never run against some other directory
    cd $AUDIT_DIR || exit 1
    /usr/bin/find . -type f -mtime +$AUDIT_EXPIRE -exec rm {} \; \
        > /dev/null 2>&1
    

  4. Run the script nightly from cron:
    /usr/bin/crontab -e root
    0 0 * * * /etc/security/newauditlog.sh
    

Boot files

  1. Disable the startup files in /etc/rc2.d and /etc/rc3.d for services that are not needed. /sbin/rc2 and /sbin/rc3 only run entries whose names begin with a capital 'S', so a script is disabled (and can later be re-enabled) by changing that capital 'S' to a lowercase 's'. The following startup files should not be disabled:

    S01MOUNTFSYS   S30sysid.net   S72inetsvc     S74xntpd       S80PRESERVE
    S05RMTMPFILES  S69inet        S74autofs      S75cron        S88utmpd
    S20sysetup     S71sysid.sys   S74syslog      S75savecore    S99audit
    
  2. To ensure that all of the startup scripts run with the proper umask, execute the following script. The .sh suffix matters: /sbin/rcN sources *.sh entries into its own shell (all other entries are run in a subshell with /sbin/sh), so the umask carries over to every script that runs after S00:

    umask 022  # make sure umask.sh gets created with the proper mode
    echo "umask 022" > /etc/init.d/umask.sh
    for d in /etc/rc?.d
    do
       ln /etc/init.d/umask.sh $d/S00umask.sh   # hard link into every rc level
    done
    
  3. In order to log as much information as possible, add the following lines to your /etc/syslog.conf:

    mail.debug              /var/log/syslog
    *.info;mail.none        /var/adm/messages
    

    Note: Tabs must be used to separate the fields.

    This will log mail entries to /var/log/syslog and everything else to /var/adm/messages.

  4. Log failed login attempts by creating the /var/adm/loginlog file. login(1) only writes to it after RETRIES (default 5) consecutive failures on one line, so a single mistyped password is not recorded there:

    touch /var/adm/loginlog
    chown root /var/adm/loginlog
    chgrp sys /var/adm/loginlog
    
  5. Set the permissions on the log files as follows:

    chmod 600 /var/adm/messages /var/log/syslog /var/adm/loginlog
    
  6. Enable hardware protection against stack-based buffer overflow exploits by adding the following to /etc/system (sun4u, sun4d, and sun4m systems only). Lines beginning with '*' are comments in /etc/system; the change takes effect at the next reboot.
    * Foil certain classes of bug exploits
    set noexec_user_stack = 1
    
    * Log attempted exploits
    set noexec_user_stack_log = 1
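
    The renaming in Boot files item 1 is tedious and error-prone by hand, so here is a small script that does it against a whitelist. This is an added example, not part of the original guide: the KEEP list is the one from item 1 plus the three scripts this guide adds later (S00umask.sh, S70nddconfig, S79tmpfix), and the directories to process are given on the command line.

```shell
#!/bin/sh
#
# disable_rc.sh - disable every startup script in the given rc directories
# except those in KEEP, by renaming S<name> to s<name>.
#
# Added example, not part of the original guide. /sbin/rcN only runs
# entries whose names begin with a capital S, so a renamed script stays
# in place and can be re-enabled later with a single mv.
#
# Usage: sh disable_rc.sh /etc/rc2.d /etc/rc3.d

# Scripts from Boot files item 1 that must stay enabled, plus the three
# added by later steps of this guide.
KEEP="S01MOUNTFSYS S30sysid.net S72inetsvc S74xntpd S80PRESERVE"
KEEP="$KEEP S05RMTMPFILES S69inet S74autofs S75cron S88utmpd"
KEEP="$KEEP S20sysetup S71sysid.sys S74syslog S75savecore S99audit"
KEEP="$KEEP S00umask.sh S70nddconfig S79tmpfix"

# is_kept NAME: return 0 if NAME appears in KEEP, 1 otherwise
is_kept() {
    for k in $KEEP
    do
        [ "$k" = "$1" ] && return 0
    done
    return 1
}

# disable_rc_dir DIR: rename each S* entry in DIR that is not in KEEP to
# its lowercase-s form and print the names that were disabled, one per line.
disable_rc_dir() {
    for f in "$1"/S*
    do
        [ -f "$f" ] || continue              # glob matched nothing
        name=`basename "$f"`
        is_kept "$name" && continue
        new=`echo "$name" | sed 's/^S/s/'`
        mv "$f" "$1/$new" || return 1
        echo "$name"
    done
    return 0
}

for d in "$@"
do
    disable_rc_dir "$d"
done
```

    Run it once per rc directory and keep the printed list; anything that later turns out to be needed is re-enabled by renaming it back to the capital-S form.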
    

Network Services

    1. Settings made with ndd(1M) do not survive a reboot, so put them in an rc script. Create /etc/init.d/nddconfig and link it to /etc/rc2.d/S70nddconfig (S70 runs before inetd is started by S72inetsvc).

      touch /etc/init.d/nddconfig
      ln /etc/init.d/nddconfig /etc/rc2.d/S70nddconfig
      
      Add the following lines to the /etc/init.d/nddconfig file:

      #!/bin/sh
      #
      # /etc/init.d/nddconfig
      #
      
      # Do not answer ICMP echo requests sent to a broadcast address
      # (stops the host being used as a "smurf" amplifier)
      /usr/sbin/ndd -set /dev/ip ip_respond_to_echo_broadcast 0
      
      # Do not forward directed broadcast packets
      /usr/sbin/ndd -set /dev/ip ip_forward_directed_broadcasts 0
      
      # Only accept packets addressed to the interface they arrive on,
      # and ignore ICMP redirects
      /usr/sbin/ndd -set /dev/ip ip_strict_dst_multihoming 1
      /usr/sbin/ndd -set /dev/ip ip_ignore_redirect 1
      
      # No IP forwarding
      /usr/sbin/ndd -set /dev/ip ip_forwarding 0
      
      # Do not forward source routed packets
      /usr/sbin/ndd -set /dev/ip ip_forward_src_routed 0
       
      # Shorten ARP/IRE expiration to one minute to limit the window for
      # ARP spoofing/hijacking; both values are in milliseconds
      # [Source: Titan adjust-arp-timers module]
      /usr/sbin/ndd -set /dev/ip ip_ire_flush_interval 60000
      /usr/sbin/ndd -set /dev/arp arp_cleanup_interval 60000
      
    2. Deny services started by inetd(1M) the ability to create core files (a core dump can capture passwords and other data the service was handling) and log every incoming TCP connection (the -t flag traces connections to syslog) by editing /etc/rc2.d/S72inetsvc so that inetd is started as follows:

      # Run inetd in "standalone" mode (-s flag) so that it doesn't have
      # to submit to the will of SAF.  Why did we ever let them change inetd?
      
      ulimit -c 0
      /usr/sbin/inetd -s -t&     
      
    3. Configure RFC 1948 TCP sequence number generation in /etc/default/inetinit:

      TCP_STRONG_ISS=2
      
    4. Comment out or remove all unnecessary services in the /etc/inet/inetd.conf file including the following:

      shell		login		exec
      comsat		talk		uucp
      tftp		finger		sysstat
      netstat		time		echo
      discard		daytime		chargen
      rquotad		sprayd		walld
      rexd		rpc.ttdbserverd
      ufsd		printer		dtspc
      rpc.cmsd
      
    5. Create /etc/rc3.d/S79tmpfix so that after every boot /tmp has mode 1777 (world-writable with the sticky bit set, so users can only remove their own files):
      #!/bin/sh
      #ident  "@(#)tmpfix 1.0    95/09/14"
      
      if [ -d /tmp ]
      then
      /usr/bin/chmod 1777 /tmp
      /usr/bin/chgrp sys /tmp
      /usr/bin/chown sys /tmp
      fi
      
      [Source: Titan psfix module]
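
    Commenting out the services of item 4 by hand is easy to get wrong because the RPC entries (rpc.ttdbserverd, rpc.cmsd) are registered by program number rather than by name. The following script, an added example and not part of the original guide, comments out a line when either its first field (with any "/version" suffix removed) or the basename of its server program is in the list from item 4. It reads a file or stdin and writes to stdout, so the original file is never edited in place; the sample_inetd_conf function is a constructed excerpt for trying it out, not a real Solaris file.

```shell
#!/bin/sh
#
# inetd_disable.sh - comment out unneeded services in an inetd.conf.
#
# Added example, not part of the original guide. On Solaris 2.x run the
# awk part with /usr/bin/nawk; the old /usr/bin/awk lacks the -v option.
#
# Usage: cp -p /etc/inet/inetd.conf /etc/inet/inetd.conf.orig
#        sh inetd_disable.sh /etc/inet/inetd.conf.orig > /etc/inet/inetd.conf
#        then send inetd a SIGHUP so it rereads the file

# Services from Network Services item 4.
DISABLE="shell login exec comsat talk uucp tftp finger sysstat netstat"
DISABLE="$DISABLE time echo discard daytime chargen rquotad sprayd walld rexd"
DISABLE="$DISABLE rpc.ttdbserverd ufsd printer dtspc rpc.cmsd"

# disable_inetd_services [FILE]: print FILE (stdin if omitted) with every
# line whose service name or server program is in DISABLE commented out.
# Comment and blank lines pass through unchanged.
disable_inetd_services() {
    file="$1"
    [ -z "$file" ] && file=-
    awk -v list="$DISABLE" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        /^[ \t]*#/ || /^[ \t]*$/ { print; next }
        {
            svc = $1;  sub("/.*", "", svc)     # "rquotad/1" -> "rquotad"
            prog = $7; sub(".*/", "", prog)    # server argv[0], basename only
            if ((svc in want) || (prog in want)) print "#" $0
            else print
        }' "$file"
}

# Constructed sample so the script can be tried without touching
# /etc/inet/inetd.conf:  sample_inetd_conf | disable_inetd_services
sample_inetd_conf() {
    cat <<'EOF'
# Constructed inetd.conf excerpt (not a real Solaris file)
ftp      stream tcp            nowait root   /usr/sbin/in.ftpd            in.ftpd
telnet   stream tcp            nowait root   /usr/sbin/in.telnetd         in.telnetd
shell    stream tcp            nowait root   /usr/sbin/in.rshd            in.rshd
finger   stream tcp            nowait nobody /usr/sbin/in.fingerd         in.fingerd
echo     stream tcp            nowait root   internal
rquotad/1 tli   rpc/datagram_v wait   root   /usr/lib/nfs/rquotad         rquotad
100083/1 tli    rpc/tcp        wait   root   /usr/dt/bin/rpc.ttdbserverd  rpc.ttdbserverd
EOF
}
```

    In the sample, ftp and telnet survive while shell, finger, echo, rquotad and the numeric 100083 entry (matched on rpc.ttdbserverd) are commented out. Diff the output against the original before installing it.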

Access Controls

    1. Disable root logins over the network by setting CONSOLE=/dev/console in /etc/default/login (uncomment the line if it is commented out). root can then log in only at the console; administrators must log in as themselves and use su(1M), which also leaves an audit trail in /var/adm/sulog.

    2. Remove, lock, or comment out unnecessary accounts, including "sys", "uucp", "nuucp", and "listen". The cleanest way to shut them down is to put "NP" in the password field of the /etc/shadow file.

    3. Require authentication for remote commands by commenting out the following line in /etc/pam.conf:

      #rlogin  auth sufficient /usr/lib/security/pam_rhosts_auth.so.1
      
      and changing the rsh line to read:
      rsh auth required   /usr/lib/security/pam_unix.so.1
      
      [Source: Titan pam-rhosts module]

    4. Create an /etc/issue file to display the following warning banner:

      WARNING: To protect the system from unauthorized use and to ensure that the
      system is functioning properly, activities on this system are monitored and
      recorded and subject to audit. Use of this system is expressed consent to such
      monitoring and recording. Any unauthorized access or use of this Automated
      Information System is prohibited and could be subject to criminal and civil
      penalties.
      
      Add the banner to the /etc/motd file:
      cp /etc/motd /etc/motd.orig
      cat /etc/issue /etc/motd.orig > /etc/motd
      

    5. The Automated Security Enhancement Tool (ASET) checks the settings and contents of system files, including the setuid/setgid programs. At the high security level ASET does not only report but also changes file permissions and some system settings, so review the report files generated in /usr/aset/reports after each run.

      /usr/aset/aset -l high
      
    6. Many of the setuid and setgid programs on Solaris are used only by root, or only by the user or group whose id they take on. Remove the setuid/setgid bit from any that are not needed, then create a master list of the remaining setuid/setgid programs and check that the list stays static over time (add -local before -type f to skip NFS-mounted file systems):

      /bin/find / -type f \( -perm -4000 -o -perm -2000 \) \
                  -exec ls -ldb {} \;
      

    7. Execution of the su(1M) command can be restricted to members of a wheel group, as on most BSD-derived systems. Mode 4550 keeps su setuid root but makes it executable only by root and the wheel group:
      /usr/sbin/groupadd -g 13 wheel
      /usr/bin/chgrp wheel /usr/bin/su /sbin/static.su
      /usr/bin/chmod 4550 /usr/bin/su /sbin/static.su
      

      The GID for the wheel group does not need to be 13, any valid GID can be used. You will need to edit /etc/group to add users to the wheel group.

    8. Create an /etc/ftpusers file listing every account on the system; in.ftpd refuses logins for any name found in it:
      cut -d: -f1 /etc/passwd > /etc/ftpusers
      chown root /etc/ftpusers
      chmod 600 /etc/ftpusers
      
      Remove any users that require ftp access from the /etc/ftpusers file.

    9. Set the default umask so that it does not include world access. Add "umask 027" to the following files:
      /etc/.login              /etc/profile
      /etc/skel/local.cshrc    /etc/skel/local.login
      /etc/skel/local.profile 
      
      Enable the "UMASK" line in the /etc/default/login file and set the value to 027

    10. The files in /etc/cron.d control which users can use the cron(1M) and at(1) facilities. If cron.allow exists, only the users listed in it may use crontab and cron.deny is not consulted; the deny files created below are a fallback in case an allow file is ever removed.

      Create an /etc/cron.d/cron.allow file:
      echo "root" > /etc/cron.d/cron.allow
      chown root /etc/cron.d/cron.allow
      chmod 600 /etc/cron.d/cron.allow
      
      Create an /etc/cron.d/at.allow file:
      cp -p /etc/cron.d/cron.allow /etc/cron.d/at.allow
      
      Create an /etc/cron.d/cron.deny file (the anchored pattern keeps only the root account out of the deny list, not every name containing "root"):
      cut -d: -f1 /etc/passwd | grep -v '^root$' > /etc/cron.d/cron.deny
      chown root /etc/cron.d/cron.deny
      chmod 600 /etc/cron.d/cron.deny
      
      Create an /etc/cron.d/at.deny file:
      cp -p /etc/cron.d/cron.deny /etc/cron.d/at.deny
      
    11. If CDE is installed, replace the default CDE "Welcome" greeting. If the /etc/dt/config/C directory does not exist, create the directory structure and copy the default configuration file:

      mkdir -p /etc/dt/config/C
      chmod -R a+rX /etc/dt/config
      cp -p /usr/dt/config/C/Xresources /etc/dt/config/C
      
      Add the following lines to /etc/dt/config/C/Xresources:
      Dtlogin*greeting.labelString:       %LocalHost%
      Dtlogin*greeting.persLabelString:   login: %s
      
    12. If CDE is installed, disable XDMCP connection access by creating or replacing the /etc/dt/config/Xaccess file:

      #
      # Xaccess - disable all XDMCP connections
      #
      !*
      
      Set the permissions on /etc/dt/config/Xaccess to 444:
      chmod 444 /etc/dt/config/Xaccess
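
    Item 6 asks for a master list of setuid/setgid programs that is checked over time. The script below is an added example, not part of the original guide: it records the inventory as "mode owner group path" lines and later diffs the live system against that record, so a new setuid binary, a removed one, or a changed owner or mode shows up as a one-line difference. The root directory and baseline file are given by the caller; the paths in the usage comment are hypothetical.

```shell
#!/bin/sh
#
# suid_baseline.sh - record the setuid/setgid inventory and report drift.
#
# Added example, not part of the original guide. On Solaris add -local
# before -type f in suid_list to skip NFS-mounted file systems.
#
# Usage: sh suid_baseline.sh baseline / /var/adm/suid.baseline   (once)
#        sh suid_baseline.sh check    / /var/adm/suid.baseline   (from cron)

# suid_list ROOT: print "mode owner group path" for every setuid/setgid
# regular file under ROOT, sorted so two runs compare cleanly with diff(1).
# Paths containing blanks would confuse the awk field split; system
# binaries do not have them.
suid_list() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ld {} \; 2>/dev/null |
        awk '{ print $1, $3, $4, $NF }' | sort
}

# suid_baseline ROOT FILE: write the master list.
suid_baseline() {
    suid_list "$1" > "$2"
}

# suid_check ROOT FILE: print "<" lines (in the baseline but now missing
# or changed) and ">" lines (new or changed since the baseline). Return 0
# when nothing changed, 1 when there is drift to investigate.
suid_check() {
    suid_list "$1" | diff "$2" - | grep '^[<>]' && return 1
    return 0
}

case "$1" in
baseline) suid_baseline "$2" "$3" ;;
check)    suid_check "$2" "$3" ;;
esac
```

    Keep the baseline file root-owned and mode 600 on a separate, read-only medium if possible, since an attacker who installs a setuid shell can just as easily edit the list it is compared against. Run the check from root's crontab so that any output is mailed to the administrator.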
      

Time Synchronization

    Accurate time on every host is what makes audit and syslog records from different machines comparable. Copy Sun's /etc/inet/ntp.client template to /etc/inet/ntp.conf and point it at a time server you trust. The template's header describes a client that passively waits for multicast; with a server line, xntpd polls that host directly. xntpd is started by S74xntpd, one of the scripts kept enabled above.
    # @(#)ntp.client        1.2     96/11/06 SMI
    #
    # /etc/inet/ntp.client
    #
    # An example file that could be copied over to /etc/inet/ntp.conf; it
    # provides a configuration for a host that passively waits for a server
    # to provide NTP packets on the ntp multicast net.
    #
    # Public NTP Server list: http://www.eecis.udel.edu/~mills/ntp/clock1.htm
    #
    server clock.llnl.gov
    

Recommended Tools

    Sudo
    Sudo (superuser do) allows a system administrator to give certain users (or groups of users) the ability to run some (or all) commands as root while logging all commands and arguments.

    TCP Wrappers

    With this package you can monitor and filter incoming requests for the SYSTAT, FINGER, FTP, TELNET, RLOGIN, RSH, EXEC, TFTP, TALK, and other network services.

    Secure Shell (ssh)

    Ssh is a program to log into another computer over a network, to execute commands in a remote machine, and to move files from one machine to another. It provides strong authentication and secure communications over unsecure channels. It is intended as a replacement for rlogin, rsh, and rcp.

    Titan

    Titan is a collection of programs, each of which either fixes or tightens one or more potential security problems with a particular aspect in the setup or configuration of a Unix system.

    Logcheck

    Logcheck is a perl script that monitors system logs for unusual activity.


Resources

    Sun Recommended & Security Patches

    Sun Security Bulletins

    The Solaris Security FAQ

    SANS Solaris Security: Step-by-Step


jrr