
Rules

Security Patches

Install the latest recommended patch cluster and the individual patches that apply to the system. Make
sure that no users are connected to the system during patch installation. Test all patches on
non-production systems first to discover any configuration changes they introduce. Reboot the machine
after the patches are installed.
The latest patch cluster and patches for Solaris can be found at the following URL:
http://sunsolve.sun.com/pub-cgi/show.pl?target=patches/patch-license&nav=pub-patches
Non-root ufs file system

Mount non-root ufs file systems with the "nosuid" option to prevent setuid programs from executing
from them. Edit /etc/vfstab and add nosuid to the mount-options column (the last field of the line).
E.g. vi /etc/vfstab (append nosuid at the end of the line containing /var):
/var ufs 2 yes nosuid
(the two device columns that precede the mount point are omitted in the line above)
This can be done only if the /var file system is on a partition other than the root file system.
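As an added example (not part of the original checklist), the following sh script audits a copy of vfstab for non-root ufs file systems that mount without nosuid and writes a corrected copy. The sample vfstab and its device names are constructed for the demonstration:

```shell
#!/bin/sh
# Added example, not part of the original checklist: audit an /etc/vfstab copy for
# non-root ufs file systems that mount without "nosuid", and emit a corrected copy.
# vfstab has seven whitespace-separated columns:
#   device-to-mount device-to-fsck mount-point FS-type fsck-pass mount-at-boot mount-options
# "-" in the last column means no options.

# Constructed sample vfstab; the device names are placeholders, not from the checklist.
SAMPLE_VFSTAB='#device             device             mount        FS    fsck mount   mount
#to mount           to fsck            point        type  pass at boot options
fd                  -                  /dev/fd      fd    -    no      -
/proc               -                  /proc        proc  -    no      -
/dev/dsk/c0t0d0s1   -                  -            swap  -    no      -
/dev/dsk/c0t0d0s0   /dev/rdsk/c0t0d0s0 /            ufs   1    no      -
/dev/dsk/c0t0d0s3   /dev/rdsk/c0t0d0s3 /var         ufs   2    yes     -
/dev/dsk/c0t0d0s5   /dev/rdsk/c0t0d0s5 /opt         ufs   2    yes     logging
/dev/dsk/c0t0d0s7   /dev/rdsk/c0t0d0s7 /export/home ufs   2    yes     nosuid,logging
swap                -                  /tmp         tmpfs -    yes     -'

# vfstab_missing_nosuid FILE: print the mount point of every ufs file system other
# than / whose option column does not contain "nosuid".
vfstab_missing_nosuid() {
    awk '$1 !~ /^#/ && NF >= 7 && $4 == "ufs" && $3 != "/" {
             n = split($7, opt, ","); ok = 0
             for (i = 1; i <= n; i++) if (opt[i] == "nosuid") ok = 1
             if (!ok) print $3
         }' "$1"
}

# vfstab_add_nosuid FILE: write FILE to stdout with "nosuid" added to the option
# column of each offending entry ("-" becomes "nosuid"; anything else gets ",nosuid").
# Only rewritten lines are re-spaced (tab-separated); all other lines pass through unchanged.
vfstab_add_nosuid() {
    awk 'BEGIN { OFS = "\t" }
         $1 !~ /^#/ && NF >= 7 && $4 == "ufs" && $3 != "/" {
             n = split($7, opt, ","); ok = 0
             for (i = 1; i <= n; i++) if (opt[i] == "nosuid") ok = 1
             if (!ok) $7 = ($7 == "-") ? "nosuid" : ($7 ",nosuid")
         }
         { print }' "$1"
}

# Demonstration on the sample: reports /var and /opt, then shows nothing after the fix.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_VFSTAB" > "$tmp"
echo "ufs file systems missing nosuid:"
vfstab_missing_nosuid "$tmp"
vfstab_add_nosuid "$tmp" > "$tmp.fixed"
echo "after fix:"; vfstab_missing_nosuid "$tmp.fixed"
rm -f "$tmp" "$tmp.fixed"
```

On Solaris run this with nawk or /usr/xpg4/bin/awk in place of awk, since /usr/bin/awk there is the old awk. Review the corrected copy with diff before installing it as /etc/vfstab; the change takes effect at the next mount or reboot.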
Folder Permission

Set the following permissions on the /etc, /var, /var/spool, /var/cron and /etc/security directories.
Use "chmod <permission> <path>" to change the permissions as specified below, and verify afterwards
with "ls -ld <path>".

Folder           Permission
/etc             755
/var             755
/var/spool       755
/var/cron        700
/etc/security    750

NFS Service settings

Configure /etc/dfs/dfstab and ensure that all shared file systems have restricted permissions. Grant
read-write access only to the appropriate hosts, groups and users. As a minimum precaution ensure that
no share is world-writable: a share with no access option at all, or with a bare "rw", is writable by
every client. Enable restricted NFS port access. When this is enabled the NFS server only accepts
requests from privileged client ports (below 1024), so an unprivileged user on a client cannot forge
requests. This parameter is defined in /etc/system.
Add "set nfssrv:nfs_portmon=1" to /etc/system; it takes effect after a reboot.
vi /etc/system
set nfssrv:nfs_portmon=1
NOTE: the file permissions for /tmp and /var/tmp were deliberately left alone. Tightening them would
prevent users from compiling and running other processes that need a world-writable temporary
directory; they stay at 1777 (world-writable with the sticky bit).
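As an added example (not part of the original checklist), this sh script audits a copy of /etc/dfs/dfstab for shares that any client may write to or that allow setuid, and checks /etc/system for the nfs_portmon line. The sample dfstab, its paths and its host lists are constructed:

```shell
#!/bin/sh
# Added example, not part of the original checklist: audit a copy of /etc/dfs/dfstab for
# NFS shares that every client host may write to or that allow setuid, and check that
# /etc/system carries the nfs_portmon setting. dfstab lines are plain share(1M) commands:
#   share -F nfs [-o option,option,...] [-d "description"] pathname
# With no -o at all, or with a bare "rw", every host gets read-write access.

# Constructed sample dfstab; paths and host lists are placeholders.
SAMPLE_DFSTAB='#       Place share(1M) commands here for automatic execution
#       on entering init state 3.
share -F nfs /export/scratch
share -F nfs -o rw /export/public
share -F nfs -o ro /export/tools
share -F nfs -o rw=dbhosts,nosuid -d "home dirs" /export/home
share -F nfs -o ro=app01:app02,rw=admin01 /export/cfg'

# share_opts LINE: print the option list that follows -o ("" when there is none).
share_opts() {
    printf '%s\n' "$1" | awk '{ for (i = 1; i < NF; i++) if ($i == "-o") { print $(i + 1); exit } }'
}

# share_path LINE: the shared pathname (always the last argument).
share_path() {
    printf '%s\n' "$1" | awk '{ print $NF }'
}

# dfstab_world_writable FILE: paths of nfs shares writable by any client host.
dfstab_world_writable() {
    grep '^[[:space:]]*share' "$1" | while read -r line; do
        case ",$(share_opts "$line")," in
            *,rw,*)                printf '%s\n' "$(share_path "$line")" ;;  # explicit rw for everyone
            *,ro,*|*,ro=*|*,rw=*)  ;;                                        # read-only or host-restricted
            *)                     printf '%s\n' "$(share_path "$line")" ;;  # no access option: rw by default
        esac
    done
}

# dfstab_missing_nosuid FILE: paths of nfs shares whose option list lacks "nosuid".
dfstab_missing_nosuid() {
    grep '^[[:space:]]*share' "$1" | while read -r line; do
        case ",$(share_opts "$line")," in
            *,nosuid,*) ;;
            *)          printf '%s\n' "$(share_path "$line")" ;;
        esac
    done
}

# system_nfs_portmon FILE: true if FILE (normally /etc/system) has an active
# "set nfssrv:nfs_portmon=1" line; a leading "*" comments a line out in /etc/system.
system_nfs_portmon() {
    grep -q '^[[:space:]]*set[[:space:]]*nfssrv:nfs_portmon[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$1"
}

# Demonstration on constructed copies.
work=$(mktemp -d)
printf '%s\n' "$SAMPLE_DFSTAB" > "$work/dfstab"
echo "world-writable shares:";  dfstab_world_writable "$work/dfstab"
echo "shares without nosuid:";  dfstab_missing_nosuid "$work/dfstab"
printf 'set nfssrv:nfs_portmon=1\n' > "$work/system"
system_nfs_portmon "$work/system" && echo "nfs_portmon is set"
rm -rf "$work"
```

The audit flags /export/scratch (no options) and /export/public (bare rw) as world-writable; /export/cfg is safe because a ro= or rw= host list denies everyone not on it. Adding nosuid to a share is the NFS-side counterpart of the vfstab setting above.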
User Privileges (DONE: su is allowed only for the oracle user)
Restrict the users permitted to use the su command.
Add those users to the wheel group. If the wheel group has been removed, create one by following the
steps given below:
groupadd -g 13 wheel
chgrp wheel /usr/bin/su /sbin/su.static
chmod 4550 /usr/bin/su /sbin/su.static
With mode 4550 and group wheel, su stays setuid root but only root and members of wheel can execute it.
To add a user to the wheel group use the following command:
usermod -G wheel <username>
Note that Solaris usermod -G replaces the user's supplementary group list rather than appending to it,
so name every group the user should keep.
Password Policy
Edit /etc/default/passwd and set the following password configuration (minimum length, maximum and
minimum password age in weeks):
PASSLENGTH=8
MAXWEEKS=4
MINWEEKS=1
Certain default accounts in Solaris need to be deleted or modified to strengthen security. These
accounts are not necessary for normal system operation. Prefer modifying to deleting: bin, daemon, lp
and the nobody accounts own files and are referenced by system services (nobody is the NFS anonymous
user), so give them a non-functional shell and lock the password instead:
usermod -s /bin/false <username>
passwd -l <username>
Non-essential accounts (username):
daemon
nuucp
nobody4
bin
nobody
smmsp
adm
smtp
lp
listen
uucp
noaccess
Edit /etc/default/login and set the "RETRIES" parameter to 3 (the number of failed attempts login
allows before it disconnects the session).
vi /etc/default/login
RETRIES=3
Disable remote root login.
The console device is defined by the following entry in /etc/default/login:
vi /etc/default/login
CONSOLE=/dev/console
If the line is commented out, remove the "#" from the front of it and save the file. While this line
is commented out, the root account can log in directly over the network via telnet or rlogin, not only
at the console. This setting governs login(1) only; sshd has its own PermitRootLogin option in
sshd_config, which must be set to "no" separately.
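As an added example (not part of the original checklist), this sh script reads, sets and verifies the KEY=VALUE settings in /etc/default/passwd and /etc/default/login that the password policy and login sections above require. It works on constructed copies of the two files, so it can be rehearsed before the real ones are edited:

```shell
#!/bin/sh
# Added example, not part of the original checklist: read, set and verify the KEY=VALUE
# settings in /etc/default/passwd and /etc/default/login that this checklist asks for.
# Both files hold one KEY=VALUE per line; a leading "#" disables the line, which is how a
# commented-out "#CONSOLE=/dev/console" silently permits root logins over the network.

# default_get FILE KEY: print the value of the last active KEY=VALUE line ("" if none).
default_get() {
    awk -F= -v key="$2" '$0 !~ /^[[:space:]]*#/ && $1 == key { v = $2 } END { print v }' "$1"
}

# default_set FILE KEY VALUE: replace the first active or commented KEY= line with
# KEY=VALUE (dropping duplicates), or append it if the key is absent. Edits FILE in place.
default_set() {
    awk -F= -v key="$2" -v val="$3" '
        $1 == key || $1 == ("#" key) { if (!done) { print key "=" val; done = 1 }; next }
        { print }
        END { if (!done) print key "=" val }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# num_ok VALUE OP BOUND: true when VALUE is a non-negative integer and "VALUE OP BOUND"
# holds (OP is a test(1) operator such as -ge or -le). An empty value never passes.
num_ok() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" "$2" "$3" ]
}

# check_hardening PASSWD_FILE LOGIN_FILE: print one line per failed requirement and
# return 1 if anything failed, 0 when all of them hold. Bounds are checked as ranges,
# so a stricter local policy (say PASSLENGTH=10) still passes.
check_hardening() {
    pf=$1 lf=$2 rc=0
    for spec in "$pf PASSLENGTH -ge 8" "$pf MAXWEEKS -le 4" "$pf MINWEEKS -ge 1" "$lf RETRIES -le 3"; do
        set -- $spec
        have=$(default_get "$1" "$2")
        num_ok "$have" "$3" "$4" || { printf '%s: %s=%s does not satisfy %s %s\n' "$1" "$2" "${have:-<unset>}" "$3" "$4"; rc=1; }
    done
    [ "$(default_get "$lf" CONSOLE)" = "/dev/console" ] || { printf '%s: CONSOLE is not set to /dev/console (root may log in remotely)\n' "$lf"; rc=1; }
    return $rc
}

# Demonstration on constructed copies (values chosen so that every check fails at first).
work=$(mktemp -d)
printf 'MAXWEEKS=\nMINWEEKS=\nPASSLENGTH=6\n' > "$work/passwd"
printf '#CONSOLE=/dev/console\nRETRIES=5\nSYSLOG=YES\n' > "$work/login"
check_hardening "$work/passwd" "$work/login" || echo "-> hardening needed"
default_set "$work/passwd" PASSLENGTH 8;  default_set "$work/passwd" MAXWEEKS 4
default_set "$work/passwd" MINWEEKS 1;    default_set "$work/login"  RETRIES 3
default_set "$work/login"  CONSOLE /dev/console
check_hardening "$work/passwd" "$work/login" && echo "-> all settings in place"
rm -rf "$work"
```

default_set uncomments a disabled "#CONSOLE=" line rather than adding a second CONSOLE line, so the file never ends up with two conflicting definitions.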
Create or modify the /etc/issue and /etc/motd files with an appropriate statutory warning. /etc/issue is
shown before the login prompt and /etc/motd after a successful login. Sample text for the statutory
warning:

vi /etc/issue (enter the following text in the file)
vi /etc/motd (enter the following text in the file)
"This system is for the use of authorized users only. Individuals using this computer system without
authority, or in excess of their authority, are subject to having all their activities on this system
monitored and recorded by system personnel."
Enable user authentication auditing

Add "auth.info	/var/log/authlog" to /etc/syslog.conf to capture syslog events sent to the LOG_AUTH
facility. This records successful and failed login and su (switch user) attempts.
vi /etc/syslog.conf
auth.info	/var/log/authlog
Use a TAB to separate auth.info from /var/log/authlog, not a space; syslogd silently ignores a
space-separated rule. Send syslogd a HUP afterwards so it re-reads the file.
Create /var/log/authlog by executing the following commands:
touch /var/log/authlog
chown root:sys /var/log/authlog
chmod 600 /var/log/authlog
Create /var/adm/loginlog to capture failed logins (login records them there only if the file exists):
touch /var/adm/loginlog
chown root:root /var/adm/loginlog
chmod 600 /var/adm/loginlog
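As an added example (not part of the original checklist), this sh script adds the auth.info rule to a copy of syslog.conf with a real TAB and detects the space-separated version of the rule that syslogd would ignore. The sample syslog.conf lines are constructed:

```shell
#!/bin/sh
# Added example, not part of the original checklist: add the auth.info rule to a copy of
# /etc/syslog.conf with a real TAB between selector and action, and check for the classic
# mistake. syslogd splits selector from action on TABs only; a rule written with spaces
# loads without any error and simply never logs, so /var/log/authlog stays empty.

# syslog_rule_ok FILE SELECTOR ACTION: true if FILE has an active, TAB-separated rule
# with exactly this selector and action.
syslog_rule_ok() {
    awk -v sel="$2" -v act="$3" 'BEGIN { FS = "\t" }
        $0 !~ /^[[:space:]]*#/ && $1 == sel && $NF == act { found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# syslog_space_bug FILE SELECTOR: true if FILE has a line starting with "SELECTOR " (a space),
# i.e. a rule syslogd will ignore.
syslog_space_bug() {
    awk -v sel="$2" 'index($0, sel " ") == 1 { bad = 1 } END { exit bad ? 0 : 1 }' "$1"
}

# syslog_add_rule FILE SELECTOR ACTION: warn about a space-separated version, then append
# the TAB-separated rule unless it is already present (safe to run repeatedly).
syslog_add_rule() {
    if syslog_space_bug "$1" "$2"; then
        printf 'warning: %s: "%s" rule separated by spaces will be ignored by syslogd\n' "$1" "$2" >&2
    fi
    syslog_rule_ok "$1" "$2" "$3" || printf '%s\t%s\n' "$2" "$3" >> "$1"
}

# Demonstration on a constructed copy: the second line is the common mistake.
work=$(mktemp -d)
printf '*.err;kern.notice;auth.notice\t/dev/sysmsg\nauth.info /var/log/authlog\n' > "$work/syslog.conf"
syslog_add_rule "$work/syslog.conf" auth.info /var/log/authlog
od -c "$work/syslog.conf"      # shows \t where the separator is a TAB and a plain space on the bad line
rm -rf "$work"
```

Remove the space-separated line by hand once the warning fires; the script only adds the correct rule, it does not delete anything.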
Permission on log files (DONE)
Set the permissions on the log files as follows, so that only root can read them:
chmod 600 /var/adm/messages /var/log/syslog /var/adm/loginlog
Disable services from inetd
Disable a service by placing a hash (#) in front of its line in /etc/inetd.conf. Following is a list of
services that can be disabled in inetd.conf:
Disable services in inetd.conf
shell
login
exec
comsat
talk
rusersd
uucp
tftp
finger
systat
netstat
sadmind
time
echo
discard
daytime
chargen
rquotad
sprayd
walld
rexecd
rpc.ttdbserverd
ufsd
printer
dtspc
rpc.cmsd
rstatd

Disable rlogin services
As an example, to disable rlogin in /etc/inetd.conf insert the '#' as shown below. rlogin is the
"login" entry in inetd.conf (shell is rsh and exec is rexec).
vi /etc/inetd.conf
(put a # before the service line to disable it, as shown below)
#login   stream  tcp  nowait  root  /usr/sbin/in.rlogind  in.rlogind
Afterwards make inetd re-read the file: pkill -HUP inetd
Services can be prevented from starting by changing the capital 'S' at the start of the script name to
a lowercase 's': the rc scripts only run files whose names match S*. Rename the following
auto-configuration related links in /etc/rc2.d and /etc/rc3.d, and any other unnecessary startup
scripts.

Disable services from /etc/rc2.d and /etc/rc3.d
ab2 (AnswerBook2)
dtlogin (CDE and X service)
IPv6
NFS client
PRESERVE
sendmail
Apache
Desktop Management Interface (DMI)
KDC
NFS server
Print services
Serial line printing
asppp
DHCP
MIP (Mobile IP agent)
Power management services
RPC
SPC (Solaris print client)
Auto installer
Directory service (LDAP)
Name service caching daemon (nscd)
PPP
SAMBA
UUCP
Volume manager
WBEM
autofs
sysid.net
Disable RPC (rpcbind) only on hosts that use neither NFS, NIS nor CDE, since all three depend on it.

As an example, to disable autoinstall, uucp and nscd, run the following commands:
cd /etc/rc2.d
mv S72autoinstall s72autoinstall
mv S70uucp s70uucp
mv S76nscd s76nscd
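As an added example (not part of the original checklist), this sh script performs both kinds of service disabling described above, commenting out inetd.conf entries and renaming rc start scripts, idempotently and against copies in a scratch directory so the result can be diffed before /etc is touched. The inetd.conf fragment and the rc2.d file names are constructed for the demonstration:

```shell
#!/bin/sh
# Added example, not part of the original checklist: comment out inetd services and
# disable rc start scripts the way the checklist describes, idempotently, so the
# steps can be rehearsed on copies in a scratch directory and diffed before /etc is touched.

# Constructed inetd.conf fragment in the Solaris layout:
#   service socket proto wait/nowait user server-program args
# RPC services use "program/version" as the service name, so they are matched on the
# server program's basename instead (sadmind, rpc.ttdbserverd, rpc.cmsd, ...).
SAMPLE_INETD='# Ftp and telnet are standard Internet services.
ftp     stream  tcp     nowait  root    /usr/sbin/in.ftpd       in.ftpd
telnet  stream  tcp     nowait  root    /usr/sbin/in.telnetd    in.telnetd
shell   stream  tcp     nowait  root    /usr/sbin/in.rshd       in.rshd
login   stream  tcp     nowait  root    /usr/sbin/in.rlogind    in.rlogind
exec    stream  tcp     nowait  root    /usr/sbin/in.rexecd     in.rexecd
finger  stream  tcp     nowait  nobody  /usr/sbin/in.fingerd    in.fingerd
echo    stream  tcp     nowait  root    internal
echo    dgram   udp     wait    root    internal
#tftp   dgram   udp     wait    root    /usr/sbin/in.tftpd      in.tftpd -s /tftpboot
100232/10 tli   rpc/udp wait    root    /usr/sbin/sadmind       sadmind'

# inetd_disable FILE NAME...: prefix "#" to every active line whose service name or
# server-program basename is one of NAME. Lines already commented are left untouched,
# so running it twice never produces "##".
inetd_disable() {
    file=$1; shift
    awk -v names="$*" '
        BEGIN { n = split(names, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        $0 !~ /^[[:space:]]*#/ && NF >= 6 {
            prog = $6; sub(/.*\//, "", prog)
            if (($1 in want) || (prog in want)) { print "#" $0; next }
        }
        { print }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# inetd_active FILE: service names still enabled, one per line, sorted.
inetd_active() {
    awk '$0 !~ /^[[:space:]]*#/ && NF > 0 { print $1 }' "$1" | sort -u
}

# rc_disable DIR NAME...: rename S??NAME to s??NAME inside DIR (e.g. /etc/rc2.d); the
# rc scripts only execute files matching S*, so the lowercase copy is kept but never run.
rc_disable() {
    dir=$1; shift
    for name; do
        for f in "$dir"/S[0-9][0-9]"$name"; do
            [ -e "$f" ] || continue           # glob did not match: nothing to disable
            base=${f##*/}
            mv "$f" "$dir/s${base#S}"
            printf '%s -> s%s\n' "$base" "${base#S}"
        done
    done
}

# rc_enabled DIR: names (without the S## prefix) of scripts that will still run at boot.
rc_enabled() {
    for f in "$1"/S[0-9][0-9]*; do
        [ -e "$f" ] || continue
        base=${f##*/}
        name=${base#S[0-9][0-9]}
        printf '%s\n' "$name"
    done
}

# Demonstration on copies in a scratch directory.
work=$(mktemp -d)
printf '%s\n' "$SAMPLE_INETD" > "$work/inetd.conf"
inetd_disable "$work/inetd.conf" shell login exec finger echo sadmind
echo "still enabled in inetd.conf:"; inetd_active "$work/inetd.conf"
mkdir "$work/rc2.d"
for s in S20sysetup S70uucp S72autoinstall S76nscd S88sendmail; do : > "$work/rc2.d/$s"; done
rc_disable "$work/rc2.d" autoinstall uucp nscd
echo "still starting from rc2.d:"; rc_enabled "$work/rc2.d"
rm -rf "$work"
```

Matching on the server program's basename as well as the service name is what lets the list above work for RPC entries, whose first column is a program number rather than a name. After changing the real inetd.conf, send inetd a HUP; renamed rc scripts take effect at the next boot, so stop the running daemon by hand as well.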
SNMP Service: checking for non-guessable community strings

Edit the /etc/snmp/conf/snmpd.conf file and set non-guessable community strings. The relevant lines of
the shipped snmpd.conf are shown below; replace the default community strings "public" and "private"
in this file with stronger ones. SNMPv1/v2c community strings travel in cleartext on the network, so a
strong value defeats guessing but not sniffing; restrict which hosts can reach the agent as well.
vi /etc/snmp/conf/snmpd.conf
system-group-read-community   public      (change this value)
system-group-write-community  private     (change this value)
Preliminary network settings

Create /etc/init.d/nddconfig and link it as /etc/rc2.d/S70nddconfig so that it runs at every boot
(ndd settings do not survive a reboot).
Use the following commands:
touch /etc/init.d/nddconfig
ln -s /etc/init.d/nddconfig /etc/rc2.d/S70nddconfig
Set ownership/permissions on the nddconfig file:
chown root:root /etc/init.d/nddconfig
chmod 744 /etc/init.d/nddconfig
Set the following parameters in the nddconfig file:
# Parameter                            Value
ip_forward_directed_broadcasts
ip_strict_dst_multihoming
ip_ignore_redirect
ip_forward_src_routed
ip_respond_to_address_mask_broadcast
ip_respond_to_timestamp
ip_respond_to_timestamp_broadcast
ip_send_redirects
tcp_conn_req_max_q
tcp_conn_req_max_q0
10240
11
tcp_mss_min
128

vi /etc/init.d/nddconfig
ndd -set /dev/<protocol_name> <parameter_name> <value>
For example:
vi /etc/init.d/nddconfig
ndd -set /dev/ip ip_respond_to_echo_broadcast 0
Address Resolution Protocol (ARP) cleanup interval (DONE)

Configure the ARP cache cleanup interval to 1000 (milliseconds). Add the following line to the
/etc/init.d/nddconfig file:
ndd -set /dev/arp arp_cleanup_interval 1000
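As an added example (not part of the original checklist), this is a table-driven version of the nddconfig script covering the network settings above and the ARP cleanup interval, with a print-only mode for review and a verification pass that compares the table with what ndd -get reports. Values marked ASSUMED are common hardening choices and are not taken from the checklist's table, which carries only 10240 for tcp_conn_req_max_q0, 1000 for arp_cleanup_interval and 0 for ip_respond_to_echo_broadcast:

```shell
#!/bin/sh
# Added example, not part of the original checklist: a table-driven /etc/init.d/nddconfig
# with a review (print-only) mode and a verification pass against "ndd -get". ndd settings
# do not survive a reboot, which is why they live in an rc script. Values marked ASSUMED
# are the usual hardening choices, not values from the checklist's table.
NDD=${NDD:-/usr/sbin/ndd}

# ndd_table: "driver parameter value note" per line; the note column is ignored.
ndd_table() {
    cat <<'EOF'
ip  ip_forward_directed_broadcasts        0      ASSUMED
ip  ip_strict_dst_multihoming             1      ASSUMED
ip  ip_ignore_redirect                    1      ASSUMED
ip  ip_forward_src_routed                 0      ASSUMED
ip  ip_respond_to_address_mask_broadcast  0      ASSUMED
ip  ip_respond_to_timestamp               0      ASSUMED
ip  ip_respond_to_timestamp_broadcast     0      ASSUMED
ip  ip_respond_to_echo_broadcast          0      from-checklist
ip  ip_send_redirects                     0      ASSUMED
tcp tcp_conn_req_max_q                    1024   ASSUMED
tcp tcp_conn_req_max_q0                   10240  from-checklist
arp arp_cleanup_interval                  1000   from-checklist
EOF
}

# ndd_commands: print the exact invocations, one per line, for review before applying.
ndd_commands() {
    ndd_table | while read -r drv param val note; do
        printf '%s -set /dev/%s %s %s\n' "$NDD" "$drv" "$param" "$val"
    done
}

# ndd_apply: set every parameter; a failure is reported but does not stop the rest.
ndd_apply() {
    ndd_table | while read -r drv param val note; do
        "$NDD" -set "/dev/$drv" "$param" "$val" || printf 'ndd failed: /dev/%s %s\n' "$drv" "$param" >&2
    done
}

# ndd_verify: compare each row with what the kernel reports; print mismatches and
# return 1 if there are any, 0 when the running system matches the table.
ndd_verify() {
    out=$(ndd_table | while read -r drv param val note; do
        have=$("$NDD" -get "/dev/$drv" "$param" 2>/dev/null)
        [ "$have" = "$val" ] || printf 'MISMATCH /dev/%s %s: have "%s" want %s\n' "$drv" "$param" "$have" "$val"
    done)
    [ -z "$out" ] || { printf '%s\n' "$out"; return 1; }
}

# Installed as /etc/rc2.d/S70nddconfig the script is called with "start" at boot;
# "verify" and "show" are for the administrator. With no argument it only prints the plan.
case ${1:-} in
    start)  ndd_apply ;;
    verify) ndd_verify ;;
    *)      ndd_commands ;;
esac
```

Run it with "verify" after boot to catch a parameter that a driver silently refused, and keep the table as the single place where the chosen values are recorded.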
Installing SSH (DONE)

SSH gives users encrypted shell access and should be used instead of Telnet. SSH also has a built-in
facility for secure file transfer. OpenSSH is a free SSH package. Download the latest released versions
of the following packages and install them (the versions listed are the ones current when this
checklist was written):
1 openssh-3.6.1p1
2 openssl-0.9.7b
3 zlib-1.1.4
4 the patch for random seed generation, 228438-01