Installing Security Software
The security recommendations to secure the Sun Fire 15K domain involve the installation of several security software packages. These packages include:
- Recommended and Security patch clusters
- FixModes software
- OpenSSH software
- MD5 software
Of the packages described in this section, only the Solaris Security Toolkit software, the latest Recommend and Security patch clusters, the FixModes software, and the MD5 software are required. The use of OpenSSH, while strongly recommended, is not required. Commercial versions of SSH, available from a variety of vendors, may be substituted for OpenSSH.
The first step of securing a domain is to install the required software. This section describes how to install all required software packages.
Installing the Solaris Security Toolkit Software
First, download the Solaris Security Toolkit software and install it on the domain. The toolkit is used to automate the Solaris OE hardening tasks described later in this article.
The purpose of using the toolkit is to automate and simplify the building of secured Solaris OE systems based on the recommendations contained in this and other security-related Sun BluePrints articles referenced in this article. In the context of this article, a module has been developed to harden Sun Fire 15K domains.
Specifically, the toolkit focuses on Solaris OE security modifications that harden and minimize a system. Hardening is the modification of Solaris OE configurations to improve the security of the system. Minimization is the removal of unnecessary Solaris OE packages from the system to reduce the number of components that must be patched and secured. Reducing the number of components can potentially reduce entry points to an intruder.
The toolkit does not address modifications for performance enhancement and software configuration.
The toolkit can harden systems during a Solaris OE installation by using the JumpStart technology as a mechanism for running toolkit scripts. Alternatively, the toolkit can be run outside of the JumpStart framework in standalone mode. This standalone mode enables you to use the toolkit on systems that require security modifications or updates but which cannot be taken out of service to reinstall the OS from scratch.
The Sun Fire 15K specific domain driver can be used in either standalone or JumpStart mode to secure a domain. It automates the hardening recommendations made in this Sun BluePrints article. This driver is included in version 0.3.4 of the Solaris Security Toolkit software.
When running the toolkit, either in standalone or JumpStart installation modes, copies of the files modified by the toolkit must not be deleted, which is the default behavior of the toolkit. The JASS_SAVE_BACKUP environment variable controls whether or not backup copies of files are kept.
The following instructions use file names that are correct only for this release of the toolkit. It is recommended that you always use the most current version of the toolkit available from the URL provided in the first step of the following procedure.
Use the following procedure to download and install the toolkit:
Download the source file (SUNWjass-0.3.4.pkg.Z).
The source file is located at http://www.sun.com/security/jass
Use the uncompress command to extract the source file into a directory on the server as follows:
# uncompress SUNWjass-0.3.4.pkg.Z
Use the pkgadd command to install the Solaris Security Toolkit software on the server as follows:
# pkgadd -d SUNWjass-0.3.4.pkg SUNWjass
Executing this command creates the SUNWjass directory in /opt, which contains all of the toolkit directories and associated files. The script make-jass-pkg, which is included in toolkit releases since 0.3, enables you to create custom packages using a different installation directory.
Installing the Recommended and Security Patch Clusters
The installation procedures in this section use the Solaris Security Toolkit software to install the most recent Recommended and Security Patch clusters which are available from the SunSolveSM Online Web site. To install these patches with the toolkit, download them and store them, uncompressed, in the /opt/SUNWjass/Patches directory on the domain.
Sun regularly releases patches to provide Solaris OE fixes for performance, stability, functionality, and security reasons. It is critical to the security of the system that you install the most up-to-date patch clusters. This section describes how to use the Solaris Security Toolkit software to automatically install patches, thereby ensuring that the latest Recommended and Security patch clusters are installed on the domain.
To download the latest cluster, go to the SunSolve Online Web site at http://sunsolve.sun.com and click the Patches link on the top of the left navigation bar.
Downloading the Solaris OE Recommended and Security patch clusters does not require a SunSolveSM support contract.
Next, select the appropriate Solaris OE version in the Recommended Solaris Patch Clusters box. This example uses Solaris 8 OE.
After selecting the appropriate Solaris OE version, select the best download option, either HTTP or FTP, with the associated radio button and click the Go button.
In the Save As window that appears in your browser, save the file locally in preparation for uploading it to the domain being hardened.
After downloading the cluster, move the file securely to the domain using either the scp SSH command or the sftp SSH command. If SSH is not yet installed, use the ftp command. The scp command used to copy the file to an domain called domain01 should appear similar to the following:
% scp 8_Recommended.zip domain01:/var/tmp
Next, you must move the file to the /opt/SUNWjass/Patches directory and uncompress it. The following commands perform these tasks:
# cd /opt/SUNWjass/Patches # mv /var/tmp/8_Recommended.zip . # unzip 8_Recommended.zip Archive: 8_Recommended.zip creating: 8_Recommended/ inflating: 8_Recommended/CLUSTER_README inflating: 8_Recommended/copyright inflating: 8_Recommended/install_cluster [. . .]
Once unzipped in the /opt/SUNWjass/Patches/8_Recommended directory, the latest patch cluster is automatically installed by the Solaris Security Toolkit software.
Installing the FixModes Software
This section describes how to download and install the FixModes software into the appropriate toolkit directory so it can be used to tighten file permissions during the toolkit run. By selectively modifying system permissions, it will be more difficult for malicious users to gain additional privileges on the system.
Follow these instructions to download the FixModes software:
Download the FixModes precompiled binaries from http://www.sun.com/blueprints/tools/FixModes_license.html
The FixModes software is distributed as a precompiled and compressed tar file.
Save the downloaded file, FixModes.tar.Z, to the Solaris Security Toolkit Packages directory in /opt/SUNWjass/Packages
Do not uncompress the tar archive.
Installing the OpenSSH Software
In any secured environment, the use of encryption, in combination with strong authentication, is highly recommended. At a minimum, user interactive sessions should be encrypted. The tool most commonly used to implement this is an implementation of secure shell (SSH) software. You can use either the commercially purchased version of the software or the freeware version of the software.
The use of a SSH variant is strongly recommended when implementing all of the security modifications performed by the Solaris Security Toolkit software. The toolkit disables all nonencrypted user-interactive services and daemons on the system. In particular, services such as in.rshd, in.telnetd, and in.ftpd are disabled. Access to the system can be gained with SSH in a similar fashion to what is provided by RSH, TELNET, and FTP. It is strongly recommended that you install SSH during a toolkit run as described in this article.
For information about compiling and deploying OpenSSH, refer to the Sun BluePrints OnLine article "Building and Deploying OpenSSH on the Solaris_ Operating Environment (July 2001)" available at http://www.sun.com/blueprints/0701/openSSH.pdf
Information about obtaining commercial versions of SSH is provided in the Bibliography section of this article.
Installing the MD5 Software
This section describes how to download and install the MD5 software used to validate MD5 digital fingerprints on Sun Fire 15K domains. The ability to validate the integrity of Solaris OE binaries provides a robust mechanism for detecting system binaries that may have been altered by unauthorized users of the system. By modifying system binaries, attackers can gain back-door access to the system.
Once it is installed, you can use the Solaris Fingerprint Database to verify the integrity of the executables included in the package. For more information about the Solaris Fingerprint Database, refer to the Sun BluePrint OnLine article "The Solaris_ Fingerprint DatabaseA Security Tool for Solaris Operating Environment and Files" available at http://www.sun.com/blueprints/0501/Fingerprint.pdf. This article also provides information about additional tools that can be used to simplify the process of validating system binaries against the database of MD5 checksums maintained by Sun at SunSolve Online Web site.
It is strongly recommended that you use these tools, in combination with the MD5 software installed in this section, to frequently validate the integrity of the Solaris OE binaries and files on the domain. In addition, ensure that MD5 signatures generated on the server are protected until they are sent to the Solaris FingerPrint Database for validation. After they have been used, delete the MD5 signatures until they are regenerated for the next validation check.
To install the MD5 program (Intel and SPARC_ technologies), follow these steps:
Download the MD5 binaries from http://www.sun.com/blueprints/tools/md5_license.html
The MD5 programs are distributed as a compressed tar file.
Save the downloaded file, md5.tar.Z, to the Solaris Security Toolkit Packages directory in /opt/SUNWjass/Packages
Do not uncompress the tar archive.
After the MD5 software has been saved to the /opt/SUNWjass/Packages directory, it is installed during the execution of the Solaris Security Toolkit software.