Solaris Security Guide

This document provides a list of configuration changes which enhance the security of a Sun SolarisTM (SunOS 5.X) system.

Source : http://www.sabernet.net/papers/Solaris.html

Auditing

1. Enable the Basic Security Module (BSM): 
   /etc/security/bsmconv
2. Configure the classes of events to log in /etc/security/audit_control: 
   dir:/var/audit
   flags:lo,ad,pc,fc,fd,fm
   naflags:lo,ad
   #
   #   lo - login/logout events
   #   ad - administrative actions: mount, exportfs, etc.
   #   pc - process operations: fork, exec, exit, etc.
   #   fc - file creation
   #   fd - file deletion
   #   fm - change of object attributes: chown, flock, etc.
   #
3. Create /etc/security/newauditlog.sh: 
   #!/sbin/sh
   #
   # newauditlog.sh - Start a new audit file and expire the old logs
   #
   AUDIT_EXPIRE=30
   AUDIT_DIR="/var/audit"
   
   
   /usr/sbin/audit -n
   
   
   cd $AUDIT_DIR # in case it is a link
   /usr/bin/find . $AUDIT_DIR -type f -mtime +$AUDIT_EXPIRE \
       -exec rm {} > /dev/null 2>&1 \;
4. Run the script nightly from cron: 
   chmod 500 /etc/security/newauditlog.sh
   /usr/bin/crontab -e root
   0 0 * * * /etc/security/newauditlog.sh
5. The audit files generated are not human readable. The praudit(1M) command can be used to convert audit data into several ASCII formats.
   
   

Boot Files

1. Disable all startup files for services that are not needed from /etc/rc2.d and /etc/rc3.d. Services may be disabled by changing the capital 'S' in the name of the script to a lowercase 's'. The following startup files should not be disabled: 
   S01MOUNTFSYS   S69inet        S72inetsvc     S74xntpd       S80PRESERVE
   S05RMTMPFILES  S71rpc         S74autofs      S75cron        S88utmpd
   S20sysetup     S71sysid.sys   S74syslog      S75savecore    S99audit
   S30sysid.net
2. In order to ensure that all of the startup scripts run with the proper umask, execute the following script: 
   umask 022  # make sure umask.sh gets created with the proper mode
   echo "umask 022" > /etc/init.d/umask.sh
   chmod 544 /etc/init.d/umask.sh
   for d in /etc/rc?.d
   do
      ln /etc/init.d/umask.sh $d/S00umask.sh
   done
3. In order to log as much information as possible, add the following lines to your /etc/syslog.conf: 
   mail.debug              /var/log/syslog
   *.info;mail.none        /var/adm/messages
   
   
   Note: Tabs must be used to separate the fields.
   This will log mail entries to /var/log/syslog and everything else to /var/adm/messages.
4. Log failed login attempts by creating the /var/adm/loginlog file: 
   touch /var/adm/loginlog
   chown root /var/adm/loginlog
   chgrp sys /var/adm/loginlog
5. Set the permissions on the log files as follows: 
   chmod 600 /var/adm/messages /var/log/syslog /var/adm/loginlog
6. Configure syslogd to not listen on port 514/udp by specifiing the -t flag in /etc/rc2.d/S74syslog (Solaris >= 8): 
   /usr/sbin/syslogd -t > /dev/msglog 2>&1
7. Configure logs files to be rotated daily archiving old versions for 30 dain /etc/logadm.conf (Solaris >= 9): 
   /var/log/syslog -A 30d -p 1d -z 1 -a 'kill -HUP `cat /var/run/syslog.pid`'
   /var/adm/messages -A 30d -p 1d -z 1 -a 'kill -HUP `cat /var/run/syslog.pid`; \
   logger -t logadm Begin new logfile'
8. Enable hardware protection for buffer overflow exploits in /etc/system (sun4u, sun4d, and sun4m systems only). 
   * Foil certain classes of bug exploits
   set noexec_user_stack = 1
   
   
   * Log attempted exploits
   set noexec_user_stack_log = 1

Network Services

1. Because the /usr/lib/sendmail daemon is not running, you should add the following line to root's crontab file: 
   0 * * * * /usr/lib/sendmail -q
2. Replace /etc/mail/sendmail.cf with the following: 
   # Minimal client sendmail.cf
   
   
   ### Defined macros
   # The name of the mail hub
   DRmailhost
   
   
   # Define version
   V8
   
   
   # Whom errors should appear to be from
   DnMailer-Daemon
   
   
   # Formatting of the UNIX from line
   DlFrom $g $d
   
   
   # Separators
   Do.:%@!^=/[]
   
   
   # From of the sender's address
   Dq<$g>
   
   
   # Spool directory
   OQ/usr/spool/mqueue
   
   
   
   
   ### Mailer Delivery Agents
   # Mailer to forward mail to the hub machine
   Mhub,   P=[IPC], S=0, R=0, F=mDFMuCX, A=IPC $h
   # Sendmail requires these, but are not used
   Mlocal, P=/bin/mail, F=rlsDFMmnuP, S=0, R=0, A=mail -d $u
   Mprog,  P=/bin/sh,   F=lsDFMeuP,  S=0, R=0, A=sh -c $u
   
   
   ### Rule sets
   S0
   R@$+    $#error $: Missing user name
   R$+ $#hub $@$R $:$1         forward to hub
   
   
   S3
   R$*<>$*     $n              handle <> error address
   R$*<$*>$*   $2              basic RFC822 parsing
   
   
   This configuration should be sufficient for servers where no local mail delivery is required.
3. Create /etc/init.d/nddconfig and create a link to /etc/rc2.d/S70nddconfig. 
   touch /etc/init.d/nddconfig
   ln /etc/init.d/nddconfig /etc/rc2.d/S70nddconfig
   chmod 544 /etc/init.d/nddconfig
   
   
   Add the following lines to the /etc/init.d/nddconfig file:
   #!/bin/sh
   #
   # /etc/init.d/nddconfig
   #
   
   
   # Fix for broadcast ping bug
   /usr/sbin/ndd -set /dev/ip ip_respond_to_echo_broadcast 0
   
   
   # Block directed broadcast packets
   /usr/sbin/ndd -set /dev/ip ip_forward_directed_broadcasts 0
   
   
   # Prevent spoofing
   /usr/sbin/ndd -set /dev/ip ip_strict_dst_multihoming 1
   /usr/sbin/ndd -set /dev/ip ip_ignore_redirect 1
   
   
   # No IP forwarding
   /usr/sbin/ndd -set /dev/ip ip_forwarding 0
   
   
   # Drop source routed packets
   /usr/sbin/ndd -set /dev/ip ip_forward_src_routed 0
    
   # Shorten ARP expiration to one minute to minimize ARP spoofing/hijacking
   # [Source: Titan adjust-arp-timers module]
   /usr/sbin/ndd -set /dev/ip ip_ire_flush_interval 60000    
   /usr/sbin/ndd -set /dev/arp arp_cleanup_interval 60               
   
   
   # --
   #
   # The following tweaks are from 'Tuning Solaris for FireWall-1' by
   # Rob Thomas (http://www.enteract.com/~robt
   #
   # Do not respond to queries for our netmask
   /usr/sbin/ndd -set /dev/ip ip_respond_to_address_mask_broadcast 0
   #
   # Do not issue redirects -- fix the routing table instead
   /usr/sbin/ndd -set /dev/ip ip_send_redirects 0
   #
   # Increase our defense against SYN floods.
   # The "q" queue is the completed socket holding pen where sockets
   # remain until the application issues accept().
   /usr/sbin/ndd -set /dev/tcp tcp_conn_req_max_q 1280
   # The "q0" queue is the half-open socket queue.
   /usr/sbin/ndd -set /dev/tcp tcp_conn_req_max_q0 10240
   #
   # --
   
   
   A sample nddconfig file can also be found on the Sun BluePrints site at http://www.sun.com/blueprints/tools/
4. Deny services executed by inetd(3) the ability to create core files and enable logging for all TCP services by editing the /etc/rc2.d/S72inetsvc: 
   # Run inetd in "standalone" mode (-s flag) so it doesn't have 
   # to submit to the will of SAF.  Why did we ever let them change inetd?
   
   
   ulimit -c 0
   /usr/sbin/inetd -s -t&     
5. Configure RFC 1948 TCP sequence number generation in /etc/default/inetinit: 
   TCP_STRONG_ISS=2
6. Comment out or remove all unnecessary services in the /etc/inet/inetd.conf file including the following:
   shell                login                exec
   comsat                talk                uucp
   tftp                finger                sysstat
   netstat                time                echo
   discard                daytime                chargen
   rquotad                sprayd                walld
   rexd                rpc.ttdbserverd
   ufsd                printer                dtspc
   rpc.cmsd
7. Create /etc/rc3.d/S79tmpfix so that upon boot the /tmp directory will always have the sticky bit set mode 1777. 
   #!/bin/sh
   #ident  "@(#)tmpfix 1.0    95/09/14"
   
   
   if [ -d /tmp ]
   then
   /usr/bin/chmod 1777 /tmp
   /usr/bin/chgrp sys /tmp
   /usr/bin/chown sys /tmp
   fi
   
   
   [Source: Titan psfix module]

Access Controls

1. Disable network root logins by enabling the "CONSOLE" line in /etc/default/login.
2. Remove, lock, or comment out unnecessary accounts, including "sys", "uucp", "nuucp", and "listen". The cleanest way to shut them down is to put "NP" in the password field of the /etc/shadow file.
3. Require authentication for remote commands by commenting out the following line in /etc/pam.conf: 
   #rlogin  auth sufficient /usr/lib/security/pam_rhosts_auth.so.1
   
   
   and changing the rsh line to read: 
   rsh auth required   /usr/lib/security/pam_unix.so.1
   
   
   [Source: Titan pam-rhosts module]
4. Only add accounts for users who require access to the system. If using NIS, use the compat mode by editing the /etc/nsswitch.conf file: 
   passwd: compat 
   
   
   Add each user to the /etc/passwd file 
   +nis_user:x::::/home_dir:/bin/sh
   
   
   and the /etc/shadow file 
   +nis_user::10626::::::
5. Create an /etc/issue file to display the following warning banner: 
   WARNING: To protect the system from unauthorized use and to ensure that the
   system is functioning properly, activities on this system are monitored and
   recorded and subject to audit. Use of this system is expressed consent to such
   monitoring and recording. Any unauthorized access or use of this Automated
   Information System is prohibited and could be subject to criminal and civil
   penalties.
   
   
   Source: CIAC-2317 Windows NT Network Security: A Manager's Guide
   Add the banner to the /etc/motd file: 
   cp /etc/motd /etc/motd.orig
   cat /etc/issue /etc/motd.orig > /etc/motd
6. The Automated Security Enhancement Tool (ASET) checks the settings and contents of system files. Many of the setuid and setgid programs on Solaris are used only by root, or by the user or group-id to which they are set. 
   Run aset using the highest security level and review the report files that are generated in /usr/aset/reports.
   /usr/aset/aset -l high
   
   
   Use of the FixModes program available from the Sun BluePrints site at http://www.sun.com/blueprints/tools is recommended.
7. Create a master list of the remaining setuid/setgid programs on your system and check that the list remains static over time. 
   /bin/find / -type f \( -perm -4000 -o -perm -2000 \) \
               -exec ls -ldb {} \;
8. Execution of the su(1M) command can be controlled by adding and configuring a wheel group such as that found on most BSD derived systems. 
   /usr/sbin/groupadd -g 13 wheel
   /usr/bin/chgrp wheel /usr/bin/su /sbin/su.static
   /usr/bin/chmod 4550 /usr/bin/su /sbin/su.static
   
   
   The GID for the wheel group does not need to be 13, any valid GID can be used. You will need to edit /etc/group to add users to the wheel group.
9. Create an /etc/ftpusers file: 
   cat /etc/passwd | cut -f1 -d: > /etc/ftpusers
   chown root /etc/ftpusers
   chmod 600 /etc/ftpusers
   
   
   Remove any users that require ftp access from the /etc/ftpusers file.
10. Set the default umask so that it does not include world access. Add "umask 027" to the following files: 
    /etc/.login              /etc/profile
    /etc/skel/local.cshrc    /etc/skel/local.login
    /etc/skel/local.profile 
    
    
    Enable the "UMASK" line in the /etc/default/login file and set the value to 027
11. The files in /etc/cron.d control which users can use the cron(1M) and at(1) facilities.
    Create an /etc/cron.d/cron.allow file: 
    echo "root" > /etc/cron.d/cron.allow
    chown root /etc/cron.d/cron.allow
    chmod 600 /etc/cron.d/cron.allow
    
    
    Create an /etc/cron.d/at.allow file: 
    cp -p /etc/cron.d/cron.allow /etc/cron.d/at.allow
    
    
    Create an /etc/cron.d/cron.deny file: 
    cat /etc/passwd | cut -f1 -d: | grep -v root > /etc/cron.d/cron.deny
    chown root /etc/cron.d/cron.deny
    chmod 600 /etc/cron.d/cron.deny
    
    
    Create an /etc/cron.d/at.deny file: 
    cp -p /etc/cron.d/cron.deny /etc/cron.d/at.deny
12. If CDE is installed, replace the default CDE "Welcome" greeting. If the /etc/dt/config/C directory does not exist, create the directory structure and copy the default configuration file: 
    mkdir -p /etc/dt/config/C
    chmod -R a+rX /etc/dt/config
    cp -p /usr/dt/config/C/Xresources /etc/dt/config/C
    
    
    Add the following lines to /etc/dt/config/C/Xresources: 
    Dtlogin*greeting.labelString:       %LocalHost%
    Dtlogin*greeting.persLabelString:   login: %s
13. If CDE is installed, disable XDMCP connection access by creating or replacing the /etc/dt/config/Xaccess file: 
    #
    # Xaccess - disable all XDMCP connections
    #
    !*
    
    
    Set the permissions on /etc/dt/config/Xaccess to 444: 
    chmod 444 /etc/dt/config/Xaccess

Time Synchronization

Edit the /etc/inet/ntp.conf file:

#

# /etc/inet/ntp.client

#

# An example file that could be copied over to /etc/inet/ntp.conf; it

# provides a configuration for an ntp server that uses three public sources 

# with an internal fallback (127.127.1.0).

#

# A simple NTP clilent would specify one or more network servers in your

# organization:

#

#    server ntp.example.com

#

# Public NTP Server list: http://www.eecis.udel.edu/~mills/ntp/clock1.htm

#

server 192.5.41.40  # tick.usno.navy.mil

server 192.5.5.250  # clock.isc.org

server 128.9.176.30 # timekeeper.isi.edu

server 127.127.1.0  # internal clock

fudge 127.127.1.0 stratum 10

Recommended Tools

FixModes

FixModes is a script that tries to make Solaris file modes more secure.

Sudo

Sudo (superuser do) allows a system administrator to give certain users (or groups of users) the ability to run some (or all) commands as root while logging all commands and arguments.

SunScreen

SunScreen is a host-based firewall product that is packaged with Solaris 8 and later. See also Securing Systems with Host-Based Firewalls

TCP Wrappers

With this package you can monitor and filter incoming requests for the SYSTAT, FINGER, FTP, TELNET, RLOGIN, RSH, EXEC, TFTP, TALK, and other network services. TCP Wrappers is included in Solaris 9.

Secure Shell (ssh)

Ssh is a program to log into another computer over a network, to execute commands in a remote machine, and to move files from one machine to another. It provides strong authentication and secure communications over unsecure channels. It is intended as a replacement for rlogin, rsh, and rcp.

Titan

Titan is a collection of programs, each of which either fixes or tightens one or more potential security problems with a particular aspect in the setup or configuration of a Unix system.

Logcheck

Logcheck is a perl script that monitors system logs for unusual activity.

Installing Solaris

This section describes the steps necessary to install Solaris with the smallest OS image possible.

1. Remove any network connections from the machine before installing the OS.
2. Boot the machine from the OS install CD-ROM
3. Answer the installation questions as they pertain to this instance. You will want to mark the machine as being networked and give the machine an IP address even though it is not connected to the network.
4. In the Solaris install program, select the Core SPARC cluster. Then select Customize. The following is a list of all the clusters that should be selected. For clusters that have subparts, select only the subparts listed, not the entire cluster.
• AutoFS
• Automated Security Enhancement Tools
• Federated Naming System
• FrameBuffer Device Drivers
• Dumb frame buffer device drivers
• FTP Server, (Root)
• FTP Server, (Usr)
• GX (cg6) OS support files
• GX (cg6) device drivers
• Install and Patch Utilities
• Interprocess Communication
• Keyboard configuration tables
• Motif Runtime Kit
• Network Information System (NIS)
• Openwindows Version 3
• Openwindows kernel modules
• X Window system window drivers
• PCMCIA Support
• Patch utilities
• Platform Support, OS Functionality (Usr)
• Portable layout services for Complex Text Layout support
• Programming tools and libraries
• Sun workshop bundled shared libm
• SPARCompilers bundled libc
• Static utilities
• Solaris desktop /usr/dt filesystem anchor
• Solaris Naming Enabler
• SunFastEthernet/FastWideSCSI-2 Adaptor Drivers
• SunSwift SBus Adaptor Drivers
• System Accounting
• System and Network Administration
• Terminal Information
  Color Legend: | Solaris 2.6 & 7 | Solaris 2.6 | Solaris >=7 |
  Be sure to install any device drivers specific to your hardware!
  Solaris >=7: 64-bit package versions should also be selected if 64-bit support has been enabled.
  If you need printer support, select the following:
• Line Printer Support
• Tooltalk end user
• Tooltalk runtime
  For remote Motif/X support, select the following:
• Font Server Cluster
• X Window System common (not required) fonts
• X Window System optional fonts
• X Window System platform required fonts
• OpenWindows Version 3
• ICE components
• X Window System platform software
• Tooltalk end user
• Tooltalk runtime
• XIL Runtime Environment
  The following is required for FireWall-1:
• Source compatibilty support
• Source Compatibilty, (Usr)

5. The Core SPARC cluster requires much less disk space than most types of Solaris installs. The following partition table is appropriate for machines loaded with the Core SPARC cluster: 
   s0:      /            250 megabytes
   s1:      swap         1 gigabyte
   s2:      overlap
   s3:                   8 megabytes (for metadb)
   s4:      /usr         500 megabytes
   s5:      /var         2 gigabytes
   s6:      /opt         (rest of disk)

The /var partition is large to accommodate extra logging and auditing information. You may wish to scale the swap space as appropriate for your hardware, but extra swap helps prevent "denial-of-service" attacks.

6. The Core SPARC cluster, even with the most recent patches, provides many services which are unnecessary. 
   Execute pkginfo. The results should match the following: 
   % pkginfo
   system      SUNWaccr       System Accounting, (Root)
   system      SUNWaccu       System Accounting, (Usr)
   system      SUNWadmap      System administration applications
   system      SUNWadmc       System administration core libraries
   system      SUNWadmfw      System & Network Administration Framework
   system      SUNWadmr       System & Network Administration Root
   system      SUNWast        Automated Security Enhancement Tools
   system      SUNWatfsr      AutoFS, (Root)
   system      SUNWatfsu      AutoFS, (Usr)
   system      SUNWcar        Core Architecture, (Root)
   system      SUNWcg6        GX (cg6) Device Driver
   system      SUNWcsd        Core Solaris Devices
   system      SUNWcsr        Core Solaris, (Root)
   system      SUNWcsu        Core Solaris, (Usr)
   CTL         SUNWctpls      Portable layout services for Complex Text Layout support
   system      SUNWdfb        Dumb Frame Buffer Device Drivers
   system      SUNWdtcor      Solaris Desktop /usr/dt filesystem anchor
   system      SUNWesu        Extended System Utilities
   system      SUNWfns        Federated Naming System
   system      SUNWftpr       FTP Server, (Root)
   system      SUNWftpu       FTP Server, (Usr)
   system      SUNWhmd        SunSwift SBus Adapter Drivers
   system      SUNWipc        Interprocess Communications
   system      SUNWkey        Keyboard configuration tables
   system      SUNWkvm        Core Architecture, (Kvm)
   system      SUNWlibC       SPARCompilers Bundled libC
   system      SUNWlibms      Sun WorkShop Bundled shared libm
   system      SUNWmfrun      Motif RunTime Kit
   system      SUNWnisr       Network Information System, (Root)
   system      SUNWnisu       Network Information System, (Usr)
   system      SUNWos86u      Platform Support, OS Functionality (Usr)
   system      SUNWpcelx      3COM EtherLink III PCMCIA Ethernet Driver
   system      SUNWpcmci      PCMCIA Card Services, (Root)
   system      SUNWpcmcu      PCMCIA Card Services, (Usr)
   system      SUNWpcmem      PCMCIA memory card driver
   system      SUNWpcser      PCMCIA serial card driver
   system      SUNWpsdpr      PCMCIA ATA card driver
   system      SUNWsolnm      Solaris Naming Enabler
   system      SUNWsutl       Static Utilities
   system      SUNWswmt       Patch Utilities
   system      SUNWswmt       Install and Patch Utilities
   system      SUNWter        Terminal Information
   system      SUNWxwdv       X Windows System Window Drivers
   system      SUNWxwmod      OpenWindows kernel modules
   
   
   Solaris >=7: 64-bit package versions will also be listed if 64-bit support has been enabled.
   Use the pkgrm command to remove any non-essential packages that are not listed above.

Resources

Sun Recommended & Security Patches

Sun Security Bulletins

The Solaris Security FAQ

SANS Solaris Security: Step-by-Step

Solaris BSM Auditing

Tuning Solaris for FireWall-1 by Rob Thomas

jrr

Source: http://www.sabernet.net/papers/Solaris.html