Thursday, 6 December 2012

Solaris Hardening Procedure -- Part 1

       This article describes in detail the hardening procedure for the Solaris OS. Hardening touches several different areas of the OS, so because of the length the procedure has been split into 3 parts.
       
1) Services
    a) Disabling the Restricted Services
            i) Restricted services
                  Stop the restricted services, which pose a risk to the server. The following services are restricted:
        telnet
        Uucp
        Netstat   
        Comsat
        Time
        Echo
        Discard
        ftp
        tftp
        Daytime
        rquotad
        Rexecd
        Rpc.ttdbserverd
        finger
        talk
        chargen
        ident
        systat
        yppasswdd, ypserve, ypxfrd
        services (i.e. shell, login, klogin, exec, etc.) that listen to r-commands  (rlogin, rsh etc).
        ToolTalk (ttdbserverd)
        Calendar Manager (cmsd)
        statd (Unless required by NFS. See Use of NFS section for restrictions)
        sadmind (solstice admin daemon)
        rstatd   
        rusersd
        rwalld
        sprayd
        automount (Solaris)

           ii) SSH client and server
              Only Secure Shell protocol version 2 is allowed; SSH protocol v1 must be disabled. This is set in the file /etc/ssh/sshd_config:
              #Protocol 1
              Protocol 2

          iii) Disable NIS services
             #svcadm disable svc:/network/nis/server:default   
             #svcadm disable svc:/network/nis/client:default 

          iv) Disable Sendmail
             #svcadm disable svc:/network/smtp:sendmail
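As an added example (not from the original post), a POSIX sh helper that reads `svcs -a` output and lists the restricted services that are still online, so the result of the svcadm disable steps above can be verified. The FMRI list is an assumption based on Solaris 10 service names (confirm it against `svcs -a` on the host); the sample svcs output is constructed.

```shell
#!/bin/sh
# Audit helper: report restricted services that are still online.
# Input: the output of `svcs -a` (STATE STIME FMRI) on stdin.
# Output: one FMRI per line for each restricted service in state "online".

# Restricted services from the hardening list, as SMF FMRIs.
# Assumed Solaris 10 names; confirm against `svcs -a` on the host.
RESTRICTED='
svc:/network/telnet:default
svc:/network/ftp:default
svc:/network/tftp/udp6:default
svc:/network/finger:default
svc:/network/talk:default
svc:/network/shell:default
svc:/network/login:rlogin
svc:/network/nis/server:default
svc:/network/nis/client:default
svc:/network/smtp:sendmail
'

find_enabled_restricted() {
    # Column 1 is STATE, the last column is the FMRI; match exact FMRIs only.
    awk -v list="$RESTRICTED" '
        BEGIN { n = split(list, a, "\n"); for (i = 1; i <= n; i++) if (a[i] != "") r[a[i]] = 1 }
        $1 == "online" && ($NF in r) { print $NF }
    '
}

# Constructed sample of `svcs -a` output (not captured from a real host).
SAMPLE='STATE          STIME    FMRI
online         Dec_06   svc:/network/ssh:default
online         Dec_06   svc:/network/telnet:default
disabled       Dec_06   svc:/network/ftp:default
online         Dec_06   svc:/network/nis/client:default
online         Dec_06   svc:/network/smtp:sendmail
'

audit_sample() {
    printf '%s' "$SAMPLE" | find_enabled_restricted
}

# On a real host: svcs -a | find_enabled_restricted
# then review the list before disabling each FMRI with svcadm disable.
```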

2) Desktop environments
        i) X-Windows
              X-Windows is not allowed in production, and xhost must not be used.
              Any X-window traffic must be tunneled through SSH. To enforce this, comment out "X11Forwarding yes" in the file /etc/ssh/sshd_config
       ii) Desktop Environment
              Desktop environments are not allowed. Disable the dtlogin service:
              #svcadm disable cde-login
      iii) Remove the X window dump utilities (xwd/xwud):
           #rm /usr/openwin/bin/xwd
           #rm /usr/openwin/bin/xwud

3) Password Security
       i) Local Unix Password Baseline
             Minimum number of alphabetic characters is 1
               /etc/default/passwd contains the setting MINALPHA=1
             Minimum number of special characters is 1
               /etc/default/passwd contains the setting MINSPECIAL=1
             Maximum number of repeated characters is 1
               /etc/default/passwd contains the setting MAXREPEATS=1

        ii) Unix Password History
             Keep a history of the 10 prior passwords
                /etc/default/passwd contains the setting HISTORY=10
       iii) Unix Account unsuccessful login retries
              /etc/default/passwd contains "RETRIES=3"
              /etc/user_attr contains "lock_after_retries=no" for root, so the root account itself is not locked out:
             root::::auths=solaris.*,solaris.grant;profiles=Web Console Management,All;lock_after_retries=no;

       iv) Account Password life
             Passwords are valid for 30 days (minimum age 7 days, warning 7 days before expiry).
            #passwd -x 30 -n 7 -w 7 <username>

       v) Session Inactivity
            Enable the inactive login session timeout of 15 mins (300 secs)
            #cat /etc/default/login
            :::
            TIMEOUT=300
            :::
       vi) In addition, add the following lines to /etc/default/passwd
            MAXWEEKS=4
            MINWEEKS=1
            PASSLENGTH=8

            MAXWEEKS - Maximum time period that a password is valid.
            MINWEEKS - Minimum time period before a password can be changed.
            PASSLENGTH - Minimum length of a password, in characters.
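As an added example (not from the original post), a POSIX sh helper that audits an /etc/default/passwd file against the baseline values in this section (MINALPHA, MINSPECIAL, MAXREPEATS, HISTORY, RETRIES, MAXWEEKS, MINWEEKS, PASSLENGTH). The key that caps repeated characters is MAXREPEATS; a commented-out key counts as unset. The sample file contents are constructed.

```shell
#!/bin/sh
# Audit helper: compare /etc/default/passwd against the baseline in this post.
# Input: the contents of /etc/default/passwd on stdin.
# Output: "OK KEY=VALUE" or "FAIL KEY expected=X got=Y" per baseline key;
# exit status is the number of failing keys.

BASELINE='MINALPHA=1
MINSPECIAL=1
MAXREPEATS=1
HISTORY=10
RETRIES=3
MAXWEEKS=4
MINWEEKS=1
PASSLENGTH=8'

check_passwd_defaults() {
    awk -v base="$BASELINE" '
        BEGIN {
            n = split(base, b, "\n")
            for (i = 1; i <= n; i++) { split(b[i], kv, "="); want[kv[1]] = kv[2]; order[i] = kv[1] }
        }
        /^[ \t]*#/ { next }                 # commented keys never take effect
        /^[ \t]*[A-Z_]+=/ {                  # last uncommented KEY=VALUE wins
            sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "")
            split($0, kv, "="); got[kv[1]] = kv[2]
        }
        END {
            fails = 0
            for (i = 1; i <= n; i++) {
                k = order[i]
                if (!(k in got))            { print "FAIL " k " expected=" want[k] " got=<unset>"; fails++ }
                else if (got[k] != want[k]) { print "FAIL " k " expected=" want[k] " got=" got[k]; fails++ }
                else                        { print "OK " k "=" got[k] }
            }
            exit fails
        }
    '
}

# Constructed sample of /etc/default/passwd (not from a real host):
# MINALPHA is commented out, RETRIES is missing, PASSLENGTH is too short.
SAMPLE='# constructed sample
MAXWEEKS=4
MINWEEKS=1
PASSLENGTH=6
#MINALPHA=1
MINSPECIAL=1
MAXREPEATS=1
HISTORY=10
NAMECHECK=YES
'

audit_sample() {
    printf '%s' "$SAMPLE" | check_passwd_defaults
}

# On a real host: check_passwd_defaults < /etc/default/passwd
```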


4) Logging and enabling user authentication auditing

         All successful and failed logins are logged.
           Add "auth.info /var/log/authlog" to /etc/syslog.conf to capture syslog events sent to LOG_AUTH (separate the selector from the file name with a tab, as syslogd does not accept spaces there). This records successful and failed login and su (switch user) attempts.

             #touch /var/log/authlog
             #chown root:sys /var/log/authlog
             #chmod 600 /var/log/authlog

             #vi /etc/syslog.conf
              auth.info /var/log/authlog

          Logging only failed logins
                #cat /etc/default/login
              SYSLOG=YES
              SYSLOG_FAILED_LOGINS=3
             #touch /var/adm/loginlog
             #chmod 600 /var/adm/loginlog
             #chown root:sys /var/adm/loginlog

          Logging only successful logins
              #touch /var/log/logins
              #chgrp sys /var/log/logins
              #chmod 600 /var/log/logins
              #cat /etc/syslog.conf
              local0.info /var/log/logins
              
         Add the following entry to /etc/profile and /etc/.login:
         logger -p local0.info "User $LOGNAME has logged in"

         After editing /etc/syslog.conf, restart the service:
             #svcadm disable system-log
             #svcadm  enable system-log

         su event logging
              #cat /etc/default/su
               SYSLOG=yes
               SULOG=/var/adm/sulog   

         cron commands should be logged
               #cat /etc/default/cron
               CRONLOG=YES
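As an added example (not from the original post), a detection pass over the /var/log/authlog that the "auth.info /var/log/authlog" rule above produces: it counts successful and failed SSH logins, su successes and failures, and console root logins, and tallies failed SSH attempts by source address. The log lines are constructed in the Solaris syslog message format and are not from a real host.

```shell
#!/bin/sh
# Detection helper: summarise an authlog written by the auth.info rule.
# Input: authlog lines on stdin.
# Output: one counter line, then one line per source address with SSH failures.

summarise_authlog() {
    awk '
        # Solaris syslog lines carry an "[ID <msgid> <facility.level>]" tag
        # after the program name; the event text follows the tag.
        / su: .* succeeded for /                            { su_ok++ }
        / su: .* failed for /                               { su_fail++ }
        /sshd\[[0-9]+\]: .*Accepted (password|publickey) for/ { ssh_ok++ }
        /sshd\[[0-9]+\]: .*Failed password for/ {
            # "... Failed password for [invalid user] NAME from ADDR port N ssh2"
            for (i = 1; i <= NF; i++) if ($i == "from") { src[$(i + 1)]++; break }
            ssh_fail++
        }
        / login: .*ROOT LOGIN /                             { root_tty++ }
        END {
            printf "ssh_ok=%d ssh_fail=%d su_ok=%d su_fail=%d root_tty=%d\n",
                   ssh_ok, ssh_fail, su_ok, su_fail, root_tty
            for (a in src) printf "ssh_fail_from %s %d\n", a, src[a]
        }
    '
}

# Constructed authlog sample (not captured from a real host).
sample_authlog() {
    cat <<'EOF'
Dec  6 10:15:01 sol10 sshd[2041]: [ID 800047 auth.info] Accepted publickey for admin from 10.0.0.5 port 50012 ssh2
Dec  6 10:15:44 sol10 sshd[2055]: [ID 800047 auth.info] Failed password for invalid user oracle from 10.0.0.9 port 50100 ssh2
Dec  6 10:15:47 sol10 sshd[2055]: [ID 800047 auth.info] Failed password for invalid user oracle from 10.0.0.9 port 50101 ssh2
Dec  6 10:16:02 sol10 sshd[2061]: [ID 800047 auth.info] Failed password for admin from 10.0.0.5 port 50020 ssh2
Dec  6 10:16:32 sol10 su: [ID 366847 auth.notice] 'su root' failed for admin on /dev/pts/2
Dec  6 10:17:05 sol10 su: [ID 366847 auth.notice] 'su root' succeeded for admin on /dev/pts/2
Dec  6 10:18:10 sol10 login: [ID 143248 auth.notice] ROOT LOGIN /dev/console
EOF
}

# On a real host: summarise_authlog < /var/log/authlog
```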


5) Folder and File permissions
        Set the permissions on important system directories and files:
              #chmod 755 /etc /var /var/spool
              #chmod 700 /var/cron
              #chmod 750 /etc/security
              #chmod 600 /var/adm/messages /var/log/syslog /var/adm/loginlog

5 comments:

  1. Excellent, and how do I get part II?

  2. Great article for Solaris security hardening. Do you know my open source tool Lynis? It can help with auditing, especially after implementing your tips in the article!

    http://www.rootkit.nl/projects/lynis.html

  3. Thanks for sharing this article for Solaris

  4. Thanks for sharing this article for Solaris

  5. BlueHost is the best website hosting provider for any hosting plans you require.
