Your SlideShare is downloading. ×
0
Solaris servers sec
Solaris servers sec
Solaris servers sec
Solaris servers sec
Solaris servers sec
Solaris servers sec
Solaris servers sec
Solaris servers sec
Solaris servers sec
Solaris servers sec
Solaris servers sec
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

Solaris servers sec

436

Published on

Published in: Technology
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
436
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
14
Comments
0
Likes
1
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  1. Securing Solaris Servers Randy Marchany
  2. General Strategy <ul><li>Most Solaris security checklists recommend installing the minimum set of software needed to run the system. </li></ul><ul><li>Most sysadmins don’t do this. </li></ul><ul><li>General strategy </li></ul><ul><ul><li>Remove all privilege and access and grant or enable only what is needed. </li></ul></ul><ul><ul><li>Enable as much system logging as possible! </li></ul></ul>
  3. Two Strategies <ul><li>Use the SANS Securing Solaris checklist </li></ul><ul><li>Use the Center for Internet Security Securing Solaris Benchmark </li></ul><ul><li>Use the CERT Securing Solaris Server checklist. </li></ul><ul><ul><li>Use the SANS or CIS checklists when the CERT checklist recommends it. </li></ul></ul>
  4. Solaris Installation <ul><li>Disconnect the system from the net? </li></ul><ul><ul><li>Optional </li></ul></ul><ul><li>Download patches, other software to another machine if possible. </li></ul><ul><li>Obtain the following information </li></ul><ul><ul><li>IP name, IP address, subnet mask, default gateway, DNS server, Domain name, Time Zone </li></ul></ul>
  5. Solaris Installation <ul><li>Boot time configuration </li></ul><ul><ul><li>SANS Guide steps 1.1.1-1.1.8, Basic OS Installation </li></ul></ul><ul><ul><li>Step 1.1.5, select ‘other’. </li></ul></ul><ul><li>Minimal OS installation (optional) </li></ul><ul><ul><li>SANS Guide steps 1.2.1-1.2.7, select “system accounting”. </li></ul></ul>
  6. Solaris Hardening <ul><li>Remove all packages not needed for the operation of the server. </li></ul><ul><li>Verify /etc/hostname.<interface name> contains only the machine name. </li></ul><ul><li>Verify /etc/inet/hosts (aka /etc/hosts) contains the following entries: </li></ul><ul><ul><li>127.0.0.1 localhost </li></ul></ul><ul><ul><li><IP address> FQDN UQHN loghost </li></ul></ul><ul><ul><li><IP address> central syslog server (optional) </li></ul></ul>
  7. Solaris Hardening <ul><li>Verify /etc/nsswitch.conf contains the following entry: </li></ul><ul><ul><li>hosts: files dns </li></ul></ul><ul><li>Verify /etc/netmasks contains: </li></ul><ul><ul><li><network number> <subnet mask> </li></ul></ul><ul><ul><li>SANS guide steps 1.3.1 – 1.35, Post Install/networking configuration </li></ul></ul><ul><ul><li>Pick a secure password for the root account </li></ul></ul><ul><ul><li>SANS guide steps 1.4.2-1.4.7, Installing Patches </li></ul></ul>
  8. Solaris Hardening <ul><li>Installing patches takes time, about 1 hour. </li></ul><ul><li>It’s CRITICAL that you install the most current set of patches. Check security patches at least once a month. Use tools like patchdiag or GASP to make installation easier. </li></ul><ul><li>Install Tripwire. </li></ul><ul><li>Install SSH </li></ul>
  9. Solaris Hardening <ul><li>SANS Guide step 2.1.1, purging boot directories of Unnecessary Services </li></ul><ul><li>SANS Guide step 2.1.2-2.1.5, 2.1.7, 2.1.8, 2.1.9, 2.1.10 </li></ul><ul><ul><li>Set umask to 027 </li></ul></ul><ul><li>Remove all services from /etc/inet.conf </li></ul><ul><li>SANS Guide 2.2.1-2.2.5, Cleaning House </li></ul>
  10. Solaris Hardening <ul><li>Install TCP Wrappers </li></ul><ul><li>SANS Guide 2.3.1-2.3.3, file system configuration </li></ul><ul><li>Set enhanced syslog logging </li></ul><ul><ul><li>Set debug level for kern, user, mail, daemon, auth, syslog, lpr, news, uucp, cron, local0-7 </li></ul></ul><ul><li>SANS Guide 2.4.3-2.4.4, Additional Logging </li></ul>
  11. Solaris Hardening <ul><li>Sendmail </li></ul><ul><ul><li>Obtain updated sendmail kit via anonymous ftp. One such site is: </li></ul></ul><ul><ul><ul><li>ftp.vt.edu/pub/cc/Solaris/sendmail*2.8* </li></ul></ul></ul><ul><li>SANS guide 2.6.1-2.6.5 </li></ul><ul><li>SANS guide 2.7.1-2.7.9, Miscellaneous </li></ul>

×