Solaris servers sec
Presentation Transcript

  • Securing Solaris Servers (Randy Marchany)
  • General Strategy
    • Most Solaris security checklists recommend installing the minimum set of software needed to run the system.
    • Most sysadmins don’t do this.
    • General strategy
      • Remove all privilege and access and grant or enable only what is needed.
      • Enable as much system logging as possible!
  • Two Strategies
    • Use the SANS Securing Solaris checklist
    • Use the Center for Internet Security Securing Solaris Benchmark
    • Use the CERT Securing Solaris Server checklist.
      • Use the SANS or CIS checklists when the CERT checklist recommends it.
  • Solaris Installation
    • Disconnect the system from the net?
      • Optional
    • Download patches, other software to another machine if possible.
    • Obtain the following information
      • IP name, IP address, subnet mask, default gateway, DNS server, Domain name, Time Zone
  • Solaris Installation
    • Boot time configuration
      • SANS Guide steps 1.1.1-1.1.8, Basic OS Installation
      • Step 1.1.5, select ‘other’.
    • Minimal OS installation (optional)
      • SANS Guide steps 1.2.1-1.2.7, select “system accounting”.
  • Solaris Hardening
    • Remove all packages not needed for the operation of the server.
    • Verify /etc/hostname.<interface name> contains only the machine name.
    • Verify /etc/inet/hosts (aka /etc/hosts) contains the following entries:
      • localhost
      • <IP address> FQDN UQHN (unqualified host name) loghost
      • <IP address> central syslog server (optional)
  • Solaris Hardening
    • Verify /etc/nsswitch.conf contains the following entry:
      • hosts: files dns
    • Verify /etc/netmasks contains:
      • <network number> <subnet mask>
    • SANS guide steps 1.3.1-1.3.5, Post Install/networking configuration
    • Pick a secure password for the root account
    • SANS guide steps 1.4.2-1.4.7, Installing Patches
  • Solaris Hardening
    • Installing patches takes time, about 1 hour.
    • It’s CRITICAL that you install the most current set of patches. Check security patches at least once a month. Use tools like patchdiag or GASP to make installation easier.
    • Install Tripwire.
    • Install SSH
  • Solaris Hardening
    • SANS Guide step 2.1.1, purging boot directories of Unnecessary Services
    • SANS Guide step 2.1.2-2.1.5, 2.1.7, 2.1.8, 2.1.9, 2.1.10
      • Set umask to 027
    • Remove all services from /etc/inet/inetd.conf (aka /etc/inetd.conf)
    • SANS Guide 2.2.1-2.2.5, Cleaning House
  • Solaris Hardening
    • Install TCP Wrappers
    • SANS Guide 2.3.1-2.3.3, file system configuration
    • Set enhanced syslog logging
      • Set debug level for kern, user, mail, daemon, auth, syslog, lpr, news, uucp, cron, local0-7
    • SANS Guide 2.4.3-2.4.4, Additional Logging
  • Solaris Hardening
    • Sendmail
      • Obtain updated sendmail kit via anonymous ftp. One such site is:
    • SANS guide 2.6.1-2.6.5
    • SANS guide 2.7.1-2.7.9, Miscellaneous
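An added shell audit, not part of the deck, that checks the post-install file settings the Solaris Hardening slides list (the hostname.<interface> file, /etc/inet/hosts, /etc/nsswitch.conf, /etc/netmasks, and services left enabled in inetd.conf) against constructed sample files; the hme0 interface, the dbserver names and the 192.0.2.x addresses are assumptions, not values from the slides.

```shell
#!/bin/sh
# Added example, not from the slides: audit the post-install checks the deck
# lists. Every function takes the file path as a parameter so it can run
# against the constructed samples below instead of a live /etc.

# /etc/hostname.<interface> must hold only the machine name: one line, one token.
check_hostname_file() {
    [ "$(awk 'NF { lines++; fields += NF } END { print lines+0, fields+0 }' "$1")" = "1 1" ]
}

# /etc/inet/hosts needs a localhost entry and a host carrying the loghost alias.
check_hosts_file() {
    grep -q '^127\.0\.0\.1[[:space:]].*localhost' "$1" &&
    awk '{ for (i = 2; i <= NF; i++) if ($i == "loghost") f = 1 } END { exit !f }' "$1"
}

# /etc/nsswitch.conf must resolve hosts with exactly "files dns".
check_nsswitch_hosts() {
    awk '$1 == "hosts:" { f = 1; if (NF == 3 && $2 == "files" && $3 == "dns") ok = 1 }
         END { exit !(f && ok) }' "$1"
}

# /etc/netmasks must carry a "<network number> <subnet mask>" line for network $2.
check_netmasks() {
    awk -v net="$2" '$1 == net && $2 ~ /^[0-9.]+$/ { f = 1 } END { exit !f }' "$1"
}

# Number of services still enabled in inetd.conf; the deck wants this to be 0.
count_inetd_services() {
    awk '!/^[[:space:]]*#/ && NF { n++ } END { print n+0 }' "$1"
}

# Constructed sample files (192.0.2.0/24 is a documentation range, not a real host).
tmp=$(mktemp -d)
printf 'dbserver\n' > "$tmp/hostname.hme0"
printf '127.0.0.1\tlocalhost\n192.0.2.10\tdbserver.example.com dbserver loghost\n' > "$tmp/hosts"
printf 'passwd: files\nhosts:  files dns\n' > "$tmp/nsswitch.conf"
printf '192.0.2.0 255.255.255.0\n' > "$tmp/netmasks"
# inetd.conf as the installer leaves it: ftp commented out, two services still live.
printf '#ftp stream tcp nowait root /usr/sbin/in.ftpd in.ftpd\n' > "$tmp/inetd.conf"
printf 'telnet stream tcp nowait root /usr/sbin/in.telnetd in.telnetd\n' >> "$tmp/inetd.conf"
printf 'finger stream tcp nowait nobody /usr/sbin/in.fingerd in.fingerd\n' >> "$tmp/inetd.conf"

for f in check_hostname_file:hostname.hme0 check_hosts_file:hosts check_nsswitch_hosts:nsswitch.conf; do
    "${f%%:*}" "$tmp/${f#*:}" && echo "PASS ${f#*:}" || echo "FAIL ${f#*:}"
done
check_netmasks "$tmp/netmasks" 192.0.2.0 && echo "PASS netmasks" || echo "FAIL netmasks"
echo "inetd services still enabled: $(count_inetd_services "$tmp/inetd.conf")"
```

To audit a real system, call the functions with the live paths (for example `check_nsswitch_hosts /etc/nsswitch.conf`) and treat a non-zero inetd count as work left from the "Remove all services" step.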