Preparing to Audit Security
To use the instructions and recommendations in this chapter, you need a security profile. For information about developing and implementing a security profile, refer to Chapter 2.
A variety of security profile templates are included with the Solaris Security Toolkit distribution as drivers. As mentioned earlier in this book, the default security profile and changes made by these drivers might not be appropriate for your systems. Typically, the security profiles implemented by these drivers are "high-water" marks for security. By this, we mean that they disable services that are not required, and they enable optional security features disabled by default.
Many Solaris Security Toolkit software users find that the standard and product-specific security profile templates are acceptable for their environments. If this applies to your situation, then determine which security profile is closest to the security posture you want, and use it for both assessing and hardening your systems.
The preferred practice we recommend, however, is that you review and customize the security profile templates for your environment, or develop new ones. Techniques and recommendations for customizing security profiles are provided in Chapter 10. This approach provides a security posture tailored for your organization, and it minimizes the number of false errors returned during a security assessment. For example, if you know that Telnet needs to be enabled, you can customize the security profile so that the software does not consider Telnet a vulnerability when performing a security assessment. A site using Telnet with Kerberos for authentication and encryption, for instance, would not consider the use of Telnet a vulnerability.