1. Services
a) Disabling the Restricted Services
i) Restricted services
Stop the restricted services, which pose a risk to servers. The following are restricted services:
telnet
Uucp
Netstat
Comsat
Time
Echo
Discard
ftp
tftp
Daytime
rquotad
Rexecd
Rpc.ttdbserverd
finger
talk
chargen
ident
systat
yppasswdd, ypserv, ypxfrd
services (i.e. shell, login, klogin, exec, etc.) that listen for r-commands (rlogin, rsh, etc.)
ToolTalk (ttdbserverd)
Calendar Manager (cmsd)
statd (Unless required by NFS. See Use of NFS section for restrictions)
sadmind (solstice admin daemon)
rstatd
rusersd
rwalld
sprayd
automount (Solaris)
ii) SSH client and server
Only Secure Shell protocol version 2 is allowed; SSH protocol v1 must be disabled. This is set in the file /etc/ssh/sshd_config:
#Protocol 1
Protocol 2
iii) Disable NIS services
#svcadm disable svc:/network/nis/server:default
#svcadm disable svc:/network/nis/client:default
iv) Disable Sendmail
#svcadm disable svc:/network/smtp:sendmail
2) Desktop environments
i) X-Windows
X-Windows is not allowed in production; xhost must not be used.
X-window traffic must be tunneled through SSH. To do this, comment out "X11Forwarding yes" in the file /etc/ssh/sshd_config.
ii) Desktop Environment
Desktop environments are not allowed. Disable the dtlogin service:
#svcadm disable cde-login
iii) Remove xwd and xwud
#rm /usr/openwin/bin/xwd
#rm /usr/openwin/bin/xwud
3) Password Security
i) Local Unix Password Baseline
Minimum number of alphabetic characters is 1:
/etc/default/passwd contains the setting MINALPHA=1
Minimum number of special characters is 1:
/etc/default/passwd contains the setting MINSPECIAL=1
Maximum number of repeated characters is 1:
/etc/default/passwd contains the setting MINREPEATS=1
ii) Unix Password History
Set the prior password history to 10:
/etc/default/passwd contains the setting HISTORY=10
iii) Unix Account unsuccessful login retries
/etc/default/passwd contains "RETRIES=3"
/etc/user_attr contains "lock_after_retries=no" for root:
root::::auths=solaris.*,solaris.grant;profiles=Web Console Management,All;lock_after_retries=no;
iv) Account Password life
A password is valid for 30 days. In the command below, -x sets the maximum password age in days, -n the minimum age and -w the warning period before expiry:
#passwd -x 30 -n 7 -w 7 <username>
v) Session Inactive
Set the inactive login session timeout to 15 mins (300 secs) in /etc/default/login:
#cat /etc/default/login
:::
TIMEOUT=300
:::
vi) In addition, add the following lines to /etc/default/passwd:
MAXWEEKS=4
MINWEEKS=1
PASSLENGTH=8
MAXWEEKS - Maximum time period that a password is valid.
MINWEEKS - Minimum time period before a password can be changed.
PASSLENGTH - Minimum length of a password, in characters.
4) Logging and Enabling User authentication auditing
All successful and failed logins are logged.
Add "auth.info /var/log/authlog" to /etc/syslog.conf to capture syslog events sent to the LOG_AUTH facility. This log contains information on successful and failed login and su (switch user) attempts. Separate the selector and the file name with a tab, not spaces, or syslogd will ignore the entry.
#touch /var/log/authlog
#chown root:sys /var/log/authlog
#chmod 600 /var/log/authlog
#vi /etc/syslog.conf
auth.info /var/log/authlog
Logging only failed logins
#cat /etc/default/login
SYSLOG=YES
SYSLOG_FAILED_LOGINS=3
#touch /var/adm/loginlog
#chmod 600 /var/adm/loginlog
#chown root:sys /var/adm/loginlog
Logging only successful logins
#touch /var/log/logins
#chgrp sys /var/log/logins
#chmod 600 /var/log/logins
#cat /etc/syslog.conf
local0.info /var/log/logins
Add the following entry to /etc/profile and /etc/.login:
logger -p local0.info "User $LOGNAME has logged in"
After editing the /etc/syslog.conf file, restart the service:
#svcadm disable system-log
#svcadm enable system-log
SU events logging
#cat /etc/default/su
SYSLOG=yes
SULOG=/var/adm/sulog
Cron commands should be logged:
#cat /etc/default/cron
CRONLOG=YES
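A small audit helper, added here as an example and not part of the original post, that checks a /etc/default/* file (passwd, login, su, cron) against the KEY=VALUE settings required in sections 3 and 4. The sample file it reads is constructed inline; on a real host pass the actual file path and the pairs from the text.

```shell
#!/bin/sh
# Added audit helper (not part of the original post): verifies that
# /etc/default/* style files carry the values required by sections 3 and 4.

# get_default FILE KEY: print the effective value of KEY. Commented-out
# lines (#KEY=...) are ignored and the last uncommented assignment wins.
get_default() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | sed 's/[[:space:]]*$//' | tail -n 1
}

# audit_defaults FILE KEY=VALUE...: print one line per deviation from the
# required KEY=VALUE pairs and return the number of deviations (0 = compliant).
audit_defaults() {
    file=$1
    shift
    failures=0
    for want in "$@"; do
        key=${want%%=*}
        expected=${want#*=}
        actual=$(get_default "$file" "$key")
        if [ -z "$actual" ]; then
            echo "MISSING $key in $file (expected $expected)"
            failures=$((failures + 1))
        elif [ "$actual" != "$expected" ]; then
            echo "WRONG   $key=$actual in $file (expected $expected)"
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}

# Constructed sample of /etc/default/passwd: MINSPECIAL is still commented
# out and PASSLENGTH is below the 8-character baseline, so two deviations.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# /etc/default/passwd (constructed sample, not a real system file)
MAXWEEKS=4
MINWEEKS=1
PASSLENGTH=6
MINALPHA=1
#MINSPECIAL=1
HISTORY=10
RETRIES=3
EOF
audit_defaults "$sample" MAXWEEKS=4 MINWEEKS=1 PASSLENGTH=8 MINALPHA=1 MINSPECIAL=1 HISTORY=10 RETRIES=3
echo "deviations: $?"
rm -f "$sample"
```

The same function checks the other files from section 4, for example `audit_defaults /etc/default/login SYSLOG=YES SYSLOG_FAILED_LOGINS=3` or `audit_defaults /etc/default/cron CRONLOG=YES`.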
5) Folder and File permissions
Set the permissions on the important system folders and files:
#chmod 755 /etc /var /var/spool
#chmod 700 /var/cron
#chmod 750 /etc/security
#chmod 600 /var/adm/messages /var/log/syslog /var/adm/loginlog
Excellent, and how do I get Part II?
Great article for Solaris security hardening. Do you know my open source tool Lynis? It can help with auditing, especially after implementing your tips in the article!
http://www.rootkit.nl/projects/lynis.html
Thanks for sharing this article for Solaris
thanks a lot NX GURU.