Solaris 8 System and Network Security Checklist
Install the Solaris 8 operating environment and applications from the original CD-ROM.
Install all the current security and recommended patches.
Do not use the upgrade procedure. Do a fresh installation.
Assign every user his or her own personal account.
Make sure all accounts have passwords.
Make sure users don't share passwords. Tell them that this is for their own good.
Make sure no two accounts have the same user ID (UID).
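The account rules above (every account has a password, no shared passwords, no two accounts with the same UID) can be checked mechanically against copies of /etc/passwd and /etc/shadow. The script below is an added example, not part of the original checklist; the two fixture files it builds are constructed, and the hashes in them are made-up strings of the right shape, not real credentials.

```shell
#!/bin/sh
# Account audit over a Solaris-style /etc/passwd and /etc/shadow pair.
# Added example; it is not part of the original checklist. File paths are
# parameters so the same functions run against copies of the real files or
# against the constructed fixtures at the bottom.
export LC_ALL=C      # deterministic sort order

# UIDs used by more than one account, as "UID: name name ...", one per line.
duplicate_uids() {      # $1 = passwd file
    awk -F: '$3 != "" { n[$3]++; who[$3] = who[$3] " " $1 }
             END { for (u in n) if (n[u] > 1) print u ":" who[u] }' "$1" | sort
}

# Accounts whose shadow password field is empty (login with no password at all).
empty_passwords() {     # $1 = shadow file
    awk -F: '$2 == "" { print $1 }' "$1" | sort
}

# Accounts that share one password hash. The hash includes a salt, so an
# identical hash almost always means an entry was copied from another account.
# "NP" and "*LK*" are Solaris placeholders for no-password and locked accounts.
shared_hashes() {       # $1 = shadow file
    awk -F: '$2 != "" && $2 != "NP" && $2 != "*LK*" { n[$2]++; who[$2] = who[$2] " " $1 }
             END { for (h in n) if (n[h] > 1) print "shared hash:" who[h] }' "$1" | sort
}

# Accounts other than root that have UID 0 (root under another name).
extra_root_uids() {     # $1 = passwd file
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1" | sort
}

# Run every check, print the findings, return 1 if there were any.
audit_accounts() {      # $1 = passwd file, $2 = shadow file
    rc=0
    out=$(duplicate_uids "$1");  [ -n "$out" ] && { echo "duplicate UIDs:";          echo "$out"; rc=1; }
    out=$(extra_root_uids "$1"); [ -n "$out" ] && { echo "extra UID 0 accounts:";    echo "$out"; rc=1; }
    out=$(empty_passwords "$2"); [ -n "$out" ] && { echo "accounts with no password:"; echo "$out"; rc=1; }
    out=$(shared_hashes "$2");   [ -n "$out" ] && { echo "$out"; rc=1; }
    return $rc
}

# Constructed fixtures (not real system data) so the script runs stand-alone.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:1:Super-User:/:/sbin/sh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
toor:x:0:1:Second UID 0 account:/:/sbin/sh
alice:x:1001:10:Alice:/export/home/alice:/bin/ksh
bob:x:1001:10:Bob:/export/home/bob:/bin/ksh
carol:x:1002:10:Carol:/export/home/carol:/bin/ksh
EOF
cat > "$SAMPLE_DIR/shadow" <<'EOF'
root:ab7J9tTn0F2mQ:11000::::::
daemon:NP:6445::::::
bin:NP:6445::::::
toor::11000::::::
alice:xy1K3pLw8Rzq2:11000::::::
bob:xy1K3pLw8Rzq2:11000::::::
carol::11000::::::
EOF

if audit_accounts "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/shadow"; then
    echo "no findings"
fi
```

On a real system run it as root against the live files (or copies taken with the same permissions); a non-zero exit status makes it usable from cron so that findings are mailed to the person who reads the system aliases.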
Use "good" passwords, that is, passwords that are not words in any language and that contain at least one digit or special character.
If possible, generate passwords automatically. Consider using genpass, a free random-password generator available from http://www.danielyan.com/~edd/genpass.
Use the root account as little as possible.
Periodically scan your entire filesystem for SUID/SGID files, and save the lists. Any sudden increase or modification should sound the alarm.
Disable SUID whenever possible (that is, when it is not required).
See if there are any device files in inappropriate places (outside of /dev and /devices).
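The two filesystem checks above (the periodic SUID/SGID inventory with a saved list to compare against, and the search for device files outside /dev and /devices) fit naturally into one baseline script. What follows is an added example, not code from the original checklist. It assumes a find(1) that understands -path (GNU and current POSIX find do); the scratch tree it scans is constructed so the script runs without root, which is also why the device-file list is empty in the demo.

```shell
#!/bin/sh
# Baseline inventory of SUID/SGID files and of device nodes outside /dev and
# /devices, plus a comparison against the saved baseline. Added example, not
# part of the original checklist. The tree to scan is a parameter: pass / and
# run as root on a real system; the demo below builds a scratch tree instead.
export LC_ALL=C      # sort and comm must agree on collation

# "path mode owner group" for every setuid/setgid regular file under $1, sorted.
list_suid_sgid() {        # $1 = root of the tree to scan
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ld {} \; 2>/dev/null \
        | awk '{ print $NF, $1, $3, $4 }' | sort
}

# Block/character device nodes anywhere under $1 except in /dev and /devices.
# Assumes find supports -path; older Solaris find may need a different prune.
list_stray_devices() {    # $1 = root of the tree to scan
    case "$1" in /) pfx="" ;; *) pfx="${1%/}" ;; esac
    find "${pfx:-/}" \( -path "$pfx/dev" -o -path "$pfx/devices" \) -prune -o \
        \( -type b -o -type c \) -print 2>/dev/null | sort
}

# One sorted stream of both lists, so baseline and snapshot come from the same code.
inventory() {             # $1 = root of the tree to scan
    { list_suid_sgid "$1"; list_stray_devices "$1"; } | sort
}

save_baseline() {         # $1 = root, $2 = baseline file
    inventory "$1" > "$2"
}

# Print what appeared (new files, or a changed mode/owner) and what vanished
# since the baseline; return 1 when anything differs, so a cron job can mail it.
compare_baseline() {      # $1 = root, $2 = baseline file
    inventory "$1" > "$2.now"
    added=$(comm -13 "$2" "$2.now")
    removed=$(comm -23 "$2" "$2.now")
    rm -f "$2.now"
    [ -n "$added" ]   && { echo "NEW or CHANGED:"; echo "$added"; }
    [ -n "$removed" ] && { echo "REMOVED:";        echo "$removed"; }
    [ -z "$added" ] && [ -z "$removed" ]
}

# Constructed scratch tree standing in for a real root filesystem.
SCRATCH=$(mktemp -d)
trap 'rm -rf "$SCRATCH"' EXIT
mkdir -p "$SCRATCH/usr/bin" "$SCRATCH/tmp" "$SCRATCH/dev"
for f in usr/bin/passwd usr/bin/write usr/bin/ls; do printf '#!/bin/sh\n' > "$SCRATCH/$f"; done
chmod 4555 "$SCRATCH/usr/bin/passwd"      # setuid, expected on a stock system
chmod 2555 "$SCRATCH/usr/bin/write"       # setgid, expected
chmod 0555 "$SCRATCH/usr/bin/ls"          # neither: must not be listed
save_baseline "$SCRATCH" "$SCRATCH/baseline.txt"

# Later run: a setuid file has appeared under /tmp, exactly the change that
# should sound the alarm.
printf '#!/bin/sh\n' > "$SCRATCH/tmp/sh"; chmod 4755 "$SCRATCH/tmp/sh"
if compare_baseline "$SCRATCH" "$SCRATCH/baseline.txt"; then
    echo "no change since baseline"
fi
```

Keep the baseline file somewhere the scanned system cannot silently rewrite it (read-only media or another host), and re-save it only after a reviewed change such as a patch installation.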
If you have to use NFS, share filesystems read-only, with no SUID, and with Secure RPC (DH) or Kerberos authentication whenever possible.
Use NFS Version 3 in TCP mode if possible.
Do not place the current directory (.) in your PATH.
If you use directly connected modems for dial-up, make sure they disconnect and hang up automatically after the line is disconnected.
Do not use r commands (rlogin, rsh, rcp).
Disable all unnecessary services in /etc/inet/inetd.conf.
Have aliases for all accounts on the system so that all e-mail goes to a person and is read.
If you use sendmail, disable the SMTP EXPN and VRFY commands and restrict mail queue access.
Block SNMP and RMON from outside your network.
Never run web servers or any application servers as root. Have a separate special account for every service.
Disable automatic directory listings in web servers.
If you have a choice, use the "deny all, permit some" approach in packet filtering and at your firewall.
If possible, use centralized services for network services such as e-mail and DNS. Do not keep user accounts on these servers.
Use disk space quotas on systems with user accounts.
Always put your Acceptable Use Policy (AUP) and the site security policy in writing. Ask your staff to confirm in writing that they have read it and agree to be bound by it.
Do not use clear-text protocols such as telnet and FTP over insecure networks for logging into more-or-less important systems. Instead, use Secure Shell or a comparable application that provides cryptographically strong encryption and authentication.
Use auditing if appropriate.
Use accounting if appropriate.
Use Kerberos if appropriate.
Use Secure RPC if possible.
Do not allow .rhosts files in users' home directories.
Do not allow the creation of /etc/hosts.equiv.
Take care of cron(1) and at(1) security by having restrictive cron.allow, cron.deny, at.allow, and at.deny files.
/etc
The following configuration files, located in /etc, should be examined and modified as appropriate. This list is not all-inclusive; it includes only Solaris 8 system configuration files. Application-specific configuration files (such as those of Apache, Secure Shell, and others) should also be checked for security-conscious configuration.
/etc/auto_home
Automounter's home directory map file. Comment out +auto_home to disable home mounting.
/etc/auto_master
Automounter's master file. Comment out everything that is not currently being used. Keep the number of automounted resources to a minimum. Better yet, do not use automounter.
/etc/bootrc
The boot loader configuration file. Comment out set boot_timeout to prevent automatic booting after power-on. (Note that this might not be desired on headless systems.)
/etc/coreadm.conf
The core files configuration file. Do not edit this yourself. Use coreadm(1) to change defaults.
/etc/default/cron
cron's configuration file. Make sure CRONLOG is set to YES.
/etc/default/devfsadm
The device administrator's configuration file. Use devfsadm(1M) to configure.
/etc/default/dhcpagent
The DHCP agent's configuration file. See dhcpagent(1M) for more information.
/etc/default/inetinit
Sets the TCP initial sequence number generator's parameters. Set TCP_STRONG_ISS to 1 or 2, never to 0 (2 is best).
/etc/default/kbd
The console keyboard's configuration. In some cases, you might want to disable the ABORT sequence by setting KEYBOARD_ABORT to disable: KEYBOARD_ABORT=disable.
/etc/default/login
The login configuration file. Very important. Make sure that the following are set:
CONSOLE=/dev/console
Permits root logins only from the console.
PASSREQ=yes
Requires passwords.
TIMEOUT=120
Sets the login timeout to 2 minutes.
UMASK=077
Sets umask to o-rwx,g-rwx.
SYSLOG=yes
Logs all root logins.
SLEEPTIME=5
Delays before printing the Login incorrect message.
RETRIES=1
Allows only one try.
SYSLOG_FAILED_LOGINS=0
Logs all failed login attempts.
/etc/default/nfslogd
Sets NFS logging levels. See nfslogd(1M) for more information.
/etc/default/passwd
The passwd configuration file. Very important. Set PASSLENGTH to 8 (PASSLENGTH=8) to require passwords to be a minimum of eight characters long. The default setting of 6 is inadequate.
/etc/default/su
The su(1) configuration file. Make sure the following are set:
SULOG=/var/adm/sulog
Logs all su attempts in /var/adm/sulog.
CONSOLE=/dev/console
Logs su attempts to the console.
SYSLOG=yes
Logs su attempts via syslog.
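The settings required in /etc/default/login, /etc/default/passwd, /etc/default/su, /etc/default/inetinit and /etc/default/cron above are all plain KEY=VALUE lines, so one small checker can verify them all. The script below is an added example, not the book's own code. It tests for exactly the values the checklist names (TCP_STRONG_ISS=2, the value the text calls best, and PASSLENGTH=8) and treats a commented-out line as unset; the /etc/default copies it runs against are constructed to resemble stock Solaris 8 defaults.

```shell
#!/bin/sh
# Checks the KEY=VALUE settings the checklist requires under /etc/default.
# Added example, not from the original text. The directory is a parameter so
# the checker runs against the real /etc/default or against the constructed
# copy built at the bottom of this script.

# Effective value of KEY in FILE: the last uncommented KEY=VALUE line, with
# surrounding double quotes removed. Prints nothing if the key is unset or
# only present as a comment, and nothing if the file does not exist.
get_setting() {     # $1 = file, $2 = key
    [ -r "$1" ] || return 0
    sed -n "s/^$2=//p" "$1" | tail -n 1 | tr -d '"'
}

# One-line verdict for one setting; returns 1 on a mismatch.
check_setting() {   # $1 = file, $2 = key, $3 = required value
    actual=$(get_setting "$1" "$2")
    if [ "$actual" = "$3" ]; then
        echo "OK    $1: $2=$3"; return 0
    else
        echo "FAIL  $1: $2 is '${actual:-<unset>}', want '$3'"; return 1
    fi
}

# Whole checklist against one /etc/default directory. Prints every verdict and
# returns the number of failing settings (0 means compliant).
check_etc_default() {   # $1 = path to the /etc/default directory
    fails=0
    while read -r file key value; do
        check_setting "$1/$file" "$key" "$value" || fails=$((fails + 1))
    done <<EOF
login CONSOLE /dev/console
login PASSREQ yes
login TIMEOUT 120
login UMASK 077
login SYSLOG yes
login SLEEPTIME 5
login RETRIES 1
login SYSLOG_FAILED_LOGINS 0
passwd PASSLENGTH 8
su SULOG /var/adm/sulog
su CONSOLE /dev/console
su SYSLOG yes
inetinit TCP_STRONG_ISS 2
cron CRONLOG YES
EOF
    return $fails
}

# Constructed /etc/default stand-in: mostly stock values, so most checks fail.
SAMPLE=$(mktemp -d)
trap 'rm -rf "$SAMPLE"' EXIT
cat > "$SAMPLE/login" <<'EOF'
# constructed sample resembling a stock /etc/default/login
CONSOLE=/dev/console
PASSREQ=yes
#TIMEOUT=300
UMASK=022
SYSLOG=yes
SLEEPTIME=4
RETRIES=5
#SYSLOG_FAILED_LOGINS=5
EOF
printf 'MAXWEEKS=\nMINWEEKS=\nPASSLENGTH=6\n' > "$SAMPLE/passwd"
printf 'SULOG=/var/adm/sulog\n#CONSOLE=/dev/console\nSYSLOG=yes\n' > "$SAMPLE/su"
printf 'TCP_STRONG_ISS=1\n' > "$SAMPLE/inetinit"
printf 'CRONLOG=YES\n' > "$SAMPLE/cron"

if check_etc_default "$SAMPLE"; then
    echo "all required settings present"
else
    echo "some settings need attention (see FAIL lines above)"
fi
```

Against a live host, call check_etc_default /etc/default; the FAIL lines name the file, the current value and the required one, which is all that is needed to fix them by hand.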
/etc/defaultrouter
Contains the IPv4 address of the default router. Make sure it is the correct one.
/etc/dumpadm.conf
Do not edit this yourself. Use dumpadm(1M). In many cases, you might want to disable dumps.
/etc/ftpusers
A list of users denied FTP service. If you must use FTP, make sure all users who don't need or are not authorized to use FTP are in this file. In any case, it should contain root, daemon, nobody, bin, sys, adm, and other system accounts. Make sure it is not writable by anyone.
/etc/group
Contains the UNIX groups list. Check group memberships.
/etc/inet/hosts (also known as /etc/hosts)
The IPv4 hosts table. Make sure it contains entries for the system itself, for localhost, and for loghost:
127.0.0.1 localhost loghost
/etc/inet/inetd.conf
The Internet daemon's (inetd) configuration file. Very important. Comment out (disable) everything that is not currently used. For configuration options, see inetd(1M).
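"Comment out everything that is not currently used" is easier to get right, and to audit later, as an allowlist: name the few services that must stay and disable every other active entry. The script below is an added example, not from the original text. The inetd.conf it edits is a constructed, abridged sample, and the allowlist passed to it ("ftp") is a placeholder for whatever the site actually needs.

```shell
#!/bin/sh
# Allowlist-driven cleanup of inetd.conf: every uncommented entry whose service
# name is not in the list is prefixed with "#". Added example, not from the
# original text. Work on a copy, diff it, then install it and send inetd SIGHUP.
export LC_ALL=C

# Service names (first field) of every entry that is currently enabled.
enabled_services() {   # $1 = inetd.conf
    awk '!/^[ \t]*#/ && NF >= 6 { print $1 }' "$1" | sort -u
}

# Copy $1 to $2, commenting out every active entry not named in $3
# (a space-separated allowlist). Comments and blank lines pass through.
disable_except() {     # $1 = input inetd.conf, $2 = output file, $3 = allowlist
    awk -v keep=" $3 " '
        /^[ \t]*#/ || NF < 6      { print; next }     # comments, blanks: untouched
        index(keep, " " $1 " ") > 0 { print; next }     # allowlisted: keep enabled
                                  { print "#" $0 }     # everything else: disabled
    ' "$1" > "$2"
}

# Constructed, abridged sample of a stock Solaris 8 /etc/inet/inetd.conf.
SAMPLE=$(mktemp -d)
trap 'rm -rf "$SAMPLE"' EXIT
cat > "$SAMPLE/inetd.conf" <<'EOF'
# constructed sample, not a real configuration file
ftp     stream  tcp     nowait  root    /usr/sbin/in.ftpd       in.ftpd
telnet  stream  tcp     nowait  root    /usr/sbin/in.telnetd    in.telnetd
shell   stream  tcp     nowait  root    /usr/sbin/in.rshd       in.rshd
login   stream  tcp     nowait  root    /usr/sbin/in.rlogind    in.rlogind
#tftp   dgram   udp     wait    root    /usr/sbin/in.tftpd      in.tftpd -s /tftpboot
finger  stream  tcp     nowait  nobody  /usr/sbin/in.fingerd    in.fingerd
100232/10 tli   rpc/udp wait    root    /usr/sbin/sadmind       sadmind
100068/2-5 dgram rpc/udp wait   root    /usr/dt/bin/rpc.cmsd    rpc.cmsd
EOF

echo "enabled before:"; enabled_services "$SAMPLE/inetd.conf"
disable_except "$SAMPLE/inetd.conf" "$SAMPLE/inetd.conf.new" "ftp"   # placeholder allowlist
echo "enabled after:";  enabled_services "$SAMPLE/inetd.conf.new"
```

Because the script only prefixes lines, the result is reviewable with diff and reversible by removing the "#" again; the line count never changes, which makes tampering with the file easy to spot in a later audit.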
/etc/inet/ipsec.key
Contains IPsec keys. See ipseckey(1M) for more information.
/etc/inet/ipsecinit.conf
IPsec's configuration file. See ipsecconf(1M) for more information.
/etc/inet/ipsecpolicy.conf
IPsec system policy. See ipsecconf(1M) for more information.
/etc/init.d/*
Boot scripts. Disable everything that is not currently used.
/etc/mail/aliases
sendmail's aliases database (text file). Make sure root, nobody, postmaster, daemon, and other system accounts are aliased to a working e-mail account, preferably on the same system.
/etc/mail/sendmail.cf (aka /etc/sendmail.cf)
sendmail's configuration file.
/etc/nfssec.conf
The Network File System (NFS) security configuration file. Do not edit this yourself. See nfssec(5) and mount_nfs(1M) for more information. Use dh or krb4. Do not use sys or none.
/etc/nodename
Node (also known as host) name. Make sure it contains the actual and correct host name.
/etc/nscd.conf
The name service cache daemon's (nscd) configuration file. See nscd(1M) for more information. Generally, it is recommended that you disable nscd unless you have strong reasons not to.
/etc/nsswitch.conf
The name service switch configuration file. Very important. Make sure all sources start with "files." See nsswitch.conf(4) for more information.
/etc/pam.conf
Pluggable Authentication Modules' configuration file. See pam.conf(4) for more information.
/etc/passwd
The password file, without passwords. Make sure it is not writable by anyone.
/etc/shadow
Very important. The password file. Contains encrypted passwords. Make sure it is readable only by root. All other permissions should be disabled using -r--------.
/etc/syslog.conf
The system logging (syslog) server configuration. See syslogd(1M) for more information.
/etc/system
Important. The kernel's configuration file. See system(4) for more information.
/etc/vfstab
The virtual file system configuration.
/etc/vold.conf
The Volume Management server's configuration file.
/etc/resolv.conf
The DNS resolver's configuration file.
/etc/profile
The global shell profile.