Securing Solaris Servers Randy Marchany
General Strategy <ul><li>Most Solaris security checklists recommend installing the minimum set of software needed to run t...
Two Strategies <ul><li>Use the SANS Securing Solaris checklist </li></ul><ul><li>Use the Center for Internet Security Secu...
Solaris Installation <ul><li>Disconnect the system from the net? </li></ul><ul><ul><li>Optional </li></ul></ul><ul><li>Dow...
Solaris Installation <ul><li>Boot time configuration </li></ul><ul><ul><li>SANS Guide steps 1.1.1-1.1.8, Basic OS Installa...
Solaris Hardening <ul><li>Remove all packages not needed for the operation of the server. </li></ul><ul><li>Verify /etc/ho...
Solaris Hardening <ul><li>Verify /etc/nsswitch.conf contains the following entry: </li></ul><ul><ul><li>hosts:  files dns ...
Solaris Hardening <ul><li>Installing patches takes time, about 1 hour. </li></ul><ul><li>It’s CRITICAL that you install th...
Solaris Hardening  <ul><li>SANS Guide step 2.1.1, purging boot directories of Unnecessary Services </li></ul><ul><li>SANS ...
Solaris Hardening <ul><li>Install TCP Wrappers </li></ul><ul><li>SANS Guide 2.3.1-2.3.3, file system configuration </li></...
Solaris Hardening <ul><li>Sendmail </li></ul><ul><ul><li>Obtain updated  sendmail kit via anonymous ftp. One such site is:...
Upcoming SlideShare
Loading in...5
×

Solaris servers sec

443

Published on

Published in: Technology
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
443
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
14
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide

Solaris servers sec

  1. 1. Securing Solaris Servers Randy Marchany
  2. 2. General Strategy <ul><li>Most Solaris security checklists recommend installing the minimum set of software needed to run the system. </li></ul><ul><li>Most sysadmins don’t do this. </li></ul><ul><li>General strategy </li></ul><ul><ul><li>Remove all privilege and access and grant or enable only what is needed. </li></ul></ul><ul><ul><li>Enable as much system logging as possible! </li></ul></ul>
  3. 3. Two Strategies <ul><li>Use the SANS Securing Solaris checklist </li></ul><ul><li>Use the Center for Internet Security Securing Solaris Benchmark </li></ul><ul><li>Use the CERT Securing Solaris Server checklist. </li></ul><ul><ul><li>Use the SANS or CIS checklists when the CERT checklist recommends it. </li></ul></ul>
  4. 4. Solaris Installation <ul><li>Disconnect the system from the net? </li></ul><ul><ul><li>Optional </li></ul></ul><ul><li>Download patches, other software to another machine if possible. </li></ul><ul><li>Obtain the following information </li></ul><ul><ul><li>IP name, IP address, subnet mask, default gateway, DNS server, Domain name, Time Zone </li></ul></ul>
  5. 5. Solaris Installation <ul><li>Boot time configuration </li></ul><ul><ul><li>SANS Guide steps 1.1.1-1.1.8, Basic OS Installation </li></ul></ul><ul><ul><li>Step 1.1.5, select ‘other’. </li></ul></ul><ul><li>Minimal OS installation (optional) </li></ul><ul><ul><li>SANS Guide steps 1.2.1-1.2.7, select “system accounting”. </li></ul></ul>
  6. 6. Solaris Hardening <ul><li>Remove all packages not needed for the operation of the server. </li></ul><ul><li>Verify /etc/hostname.<interface name> contains only the machine name. </li></ul><ul><li>Verify /etc/inet/hosts (aka /etc/hosts) contains the following entries: </li></ul><ul><ul><li>127.0.0.1 localhost </li></ul></ul><ul><ul><li><IP address> FQDN UQHN loghost </li></ul></ul><ul><ul><li><IP address> central syslog server (optional) </li></ul></ul>
  7. 7. Solaris Hardening <ul><li>Verify /etc/nsswitch.conf contains the following entry: </li></ul><ul><ul><li>hosts: files dns </li></ul></ul><ul><li>Verify /etc/netmasks contains: </li></ul><ul><ul><li><network number> <subnet mask> </li></ul></ul><ul><ul><li>SANS guide steps 1.3.1 – 1.35, Post Install/networking configuration </li></ul></ul><ul><ul><li>Pick a secure password for the root account </li></ul></ul><ul><ul><li>SANS guide steps 1.4.2-1.4.7, Installing Patches </li></ul></ul>
  8. 8. Solaris Hardening <ul><li>Installing patches takes time, about 1 hour. </li></ul><ul><li>It’s CRITICAL that you install the most current set of patches. Check security patches at least once a month. Use tools like patchdiag or GASP to make installation easier. </li></ul><ul><li>Install Tripwire. </li></ul><ul><li>Install SSH </li></ul>
  9. 9. Solaris Hardening <ul><li>SANS Guide step 2.1.1, purging boot directories of Unnecessary Services </li></ul><ul><li>SANS Guide step 2.1.2-2.1.5, 2.1.7, 2.1.8, 2.1.9, 2.1.10 </li></ul><ul><ul><li>Set umask to 027 </li></ul></ul><ul><li>Remove all services from /etc/inet.conf </li></ul><ul><li>SANS Guide 2.2.1-2.2.5, Cleaning House </li></ul>
  10. 10. Solaris Hardening <ul><li>Install TCP Wrappers </li></ul><ul><li>SANS Guide 2.3.1-2.3.3, file system configuration </li></ul><ul><li>Set enhanced syslog logging </li></ul><ul><ul><li>Set debug level for kern, user, mail, daemon, auth, syslog, lpr, news, uucp, cron, local0-7 </li></ul></ul><ul><li>SANS Guide 2.4.3-2.4.4, Additional Logging </li></ul>
  11. 11. Solaris Hardening <ul><li>Sendmail </li></ul><ul><ul><li>Obtain updated sendmail kit via anonymous ftp. One such site is: </li></ul></ul><ul><ul><ul><li>ftp.vt.edu/pub/cc/Solaris/sendmail*2.8* </li></ul></ul></ul><ul><li>SANS guide 2.6.1-2.6.5 </li></ul><ul><li>SANS guide 2.7.1-2.7.9, Miscellaneous </li></ul>
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×