The University of Texas at Austin
Information Security Office
Securing Departmental Systems

Solaris 10 Server Hardening Checklist

The hardening checklists are based on the comprehensive checklists produced by CIS. The Information Security Office has distilled the CIS lists down to the most critical steps for your systems, with a particular focus on configuration issues that are unique to the computing environment at The University of Texas at Austin.

How to use the checklist

Print the checklist and check off each item you complete to ensure that you cover the critical steps for securing your server. The Information Security Office uses this checklist during risk assessments as part of the process to verify that servers are secure.

How to read the checklist

Step - The step number in the procedure. If there is a UT Note for this step, the note # corresponds to the step #.

Check (√) - For administrators to check off when they complete this portion.

To Do - Basic instructions on what to do to harden the respective system

CIS - Reference number in the Center for Internet Security Solaris 10 Benchmark (PDF; requires UT EID login). The CIS document outlines in much greater detail how to complete each step.

UT Note - The UT Note at the bottom of the page provides additional detail about the step for the university computing environment.

Cat I - For systems that include Category-I data, required steps are denoted with the ! symbol. All steps are recommended.

Cat II/III - For systems that include Category-II or -III data, all steps are recommended, and some are required (denoted by the !).

Min Std - This column links to the specific requirement for the university in the Minimum Security Standards for Systems document.

Server Information

MAC Address  
IP Address  
Machine Name  
Asset Tag  
Administrator Name  
Date  

Preparation and Installation

| Step | Check | To Do | CIS | UT Note | Cat I | Cat II/III | Min Std |
|------|-------|-------|-----|---------|-------|------------|---------|
| 1 | | If machine is a new install, protect it from hostile network traffic, until the operating system is installed and hardened. | | § | ! | ! | 5.1 |

Patches and Additional Software

| Step | Check | To Do | CIS | UT Note | Cat I | Cat II/III | Min Std |
|------|-------|-------|-----|---------|-------|------------|---------|
| 2 | | Apply the latest OS patches. | 1.1 | § | ! | ! | 5.2 |
| 3 | | Enable automatic notification of new patches. | | § | ! | ! | 5.3 |
| 4 | | Minimize System Services. | 2 | § | ! | | 5.4 |

Kernel Tuning

| Step | Check | To Do | CIS | UT Note | Cat I | Cat II/III | Min Std |
|------|-------|-------|-----|---------|-------|------------|---------|
| 5 | | Enable Stack Protection. | 3.2 | | | | |
| 6 | | Use better TCP Sequence numbers. | 3.4 | | | | |

Logging

| Step | Check | To Do | CIS | UT Note | Cat I | Cat II/III | Min Std |
|------|-------|-------|-----|---------|-------|------------|---------|
| 7 | | Turn on inetd tracing. | 4.1 | | ! | | 6.1 |
| 8 | | Capture messages sent to syslog AUTH facility. | 4.4 | | ! | | 6.1 |
| 9 | | Create /var/adm/loginlog. | 4.5 | | ! | | 6.1 |
| 10 | | Log all failed login attempts. | 4.6 | | ! | | 6.1 |
| 11 | | Turn on cron logging. | 4.6 | | ! | | 6.1 |
| 12 | | Enable system accounting. | 4.7 | | ! | | 6.1 |

Files/Directory Permissions/Access

| Step | Check | To Do | CIS | UT Note | Cat I | Cat II/III | Min Std |
|------|-------|-------|-----|---------|-------|------------|---------|
| 13 | | Verify passwd, shadow, and group file permissions. | 5.3 | | ! | | |

System Access, Authentication, and Authorization

| Step | Check | To Do | CIS | UT Note | Cat I | Cat II/III | Min Std |
|------|-------|-------|-----|---------|-------|------------|---------|
| 14 | | Disable login: prompts on serial ports. | 6.1 | | ! | | 4.1 |
| 15 | | Configure SSH. | 6.3 | § | ! | | 5.6 |
| 16 | | Create /etc/ftpd/ftpusers. | 6.5 | | | | |
| 17 | | Configure TCP Wrappers. | 2.5 | | ! | | 5.5 |
| 18 | | If additional methods of restricting connections are necessary, implement them. | | § | ! | | 5.5 |
| 19 | | Restrict root logins to system console. | 6.10 | | ! | | 4.1 |
| 20 | | On SPARC-based Solaris systems, set the EEPROM security mode to prevent unauthorized booting from non-standard media. | 6.12 | | ! | | 4.1 |
| 21 | | Configure the console to lock automatically if it is left unattended for an extended period of time. | 6.7, 6.8 | | | | 4.1 |

User Accounts and Environment

| Step | Check | To Do | CIS | UT Note | Cat I | Cat II/III | Min Std |
|------|-------|-------|-----|---------|-------|------------|---------|
| 22 | | Verify that there are no accounts with empty password fields. | 7.2 | | ! | | 5.12 |
| 23 | | Set strong password enforcement policies. | 7.4 | § | ! | | 5.12 |
| 24 | | Verify no UID 0 accounts exist other than 'root'. | 7.6 | | | | |
| 25 | | Install, configure, and use 'sudo' instead of 'su root'. | | § | | | |

Warning Banners

| Step | Check | To Do | CIS | UT Note | Cat I | Cat II/III | Min Std |
|------|-------|-------|-----|---------|-------|------------|---------|
| 26 | | Create warning banners for standard login services. | 8.1 | § | ! | | 5.10 |
| 27 | | Create warning for GUI-based logins. | 8.2, 8.3 | § | ! | | 5.10 |
| 28 | | Create warnings for FTP daemon (if in use). | 8.4 | § | ! | | 5.10 |
| 29 | | Create power-on warning. | 8.6 | § | ! | | 5.10 |
| 30 | | Systems will provide secure storage for Category-I data as required by confidentiality, integrity, and availability needs. Security can be provided by means such as, but not limited to, encryption, access controls, filesystem audits, physically securing the storage media, or any combination thereof as deemed appropriate. | | § | ! | | 5.7 |
| 31 | | Install software to check the integrity of critical operating system files. | N/A | § | ! | | 5.8 |
| 32 | | Install and enable anti-virus software. | N/A | § | ! | ! | 3.1 |
| 33 | | Configure to update signature daily on AV. | N/A | § | ! | | 3.3 |
| 34 | | Set up time synchronization using NTP. | | § | | | |
| 35 | | Enable Process accounting at boot time. | SN.1 | | ! | | 6.1 |
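Steps 13, 22 and 24 can be verified with a short script rather than by eye. The following is an added example, not part of the ISO checklist: it takes file paths as arguments so it can be run on /etc/passwd, /etc/shadow and /etc/group or on copies, and the expected modes (passwd and group 644, shadow 400) are the values assumed here from the CIS benchmark; ownership is not checked.

```shell
#!/bin/sh
# Added example (not from the ISO page): audit helpers for checklist steps 13, 22 and 24.
# POSIX sh; on Solaris 10 run it under /usr/xpg4/bin/sh or ksh, not the Bourne /bin/sh.
# Each function takes file paths so it can run on /etc/passwd, /etc/shadow and /etc/group
# or on constructed copies. Expected modes are the values assumed here from the CIS
# benchmark: passwd and group 644, shadow 400 (ownership is not checked in this example).

# Step 22: print accounts whose shadow(4) password field is empty (login needs no password).
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Step 24: print UID 0 accounts other than root in a passwd(4) file.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Step 13: succeed only if FILE has exactly the symbolic mode MODE (e.g. -rw-r--r--).
# Parses ls -l because Solaris 10 ships no GNU stat(1).
has_mode() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "$2" ]
}

# Run all checks on PASSWD SHADOW GROUP; prints each finding, returns the number of findings.
audit_accounts() {
    fails=0
    for u in $(empty_password_accounts "$2"); do echo "empty password field: $u"; fails=$((fails+1)); done
    for u in $(extra_uid0_accounts "$1"); do echo "extra UID 0 account: $u"; fails=$((fails+1)); done
    has_mode "$1" -rw-r--r-- || { echo "$1: mode should be 644"; fails=$((fails+1)); }
    has_mode "$3" -rw-r--r-- || { echo "$3: mode should be 644"; fails=$((fails+1)); }
    has_mode "$2" -r-------- || { echo "$2: mode should be 400"; fails=$((fails+1)); }
    return $fails
}

# Constructed sample files (not real system data) in a scratch directory; prints its path.
make_samples() {
    d=$(mktemp -d)
    printf 'root:x:0:0:Super-User:/:/sbin/sh\nbackup:x:0:1::/:/sbin/sh\nbob:x:1001:10::/home/bob:/bin/sh\n' > "$d/passwd"
    printf 'root:$5$salt$hash:15000::::::\nbackup:$5$salt$hash:15000::::::\nbob::15000::::::\n' > "$d/shadow"
    printf 'root::0:\nsys::3:root\n' > "$d/group"
    chmod 644 "$d/passwd" "$d/group"
    chmod 600 "$d/shadow"   # deliberately looser than the expected 400
    echo "$d"
}

samples=$(make_samples)
audit_accounts "$samples/passwd" "$samples/shadow" "$samples/group" || echo "$? finding(s) in constructed samples"
```

On the constructed samples the script reports three findings: the empty password for bob, the extra UID 0 account backup, and the shadow file mode.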

UT Note: Addendum

This list provides specific tasks related to the computing environment at The University of Texas at Austin.

1

If other alternatives are unavailable, this can be accomplished by installing a SOHO router/firewall in between the network and the host to be protected.

2

Sun Update Manager/Sun Patch Manager

These services now require valid service contracts with Sun.

3

Sun Connection Update Manager can provide desktop notifications of new patches.

4

Each server is unique in its needs. The CIS guide will discuss many services that are part of the core Solaris OS. Review these services and disable those that are unnecessary.

15

SSH is distributed with the Solaris operating system as of version 9. If you decide to utilize SSH, the ISO highly recommends the following:

  • Change the port from port 22 to something/anything else. There are scripts online that malicious hackers can use against an SSH server, and these scripts always attack port 22 because most people do not change the default port.
  • Do not allow root logins via SSH.
  • If possible, use keys with a passphrase instead of just passwords. To create an RSA key pair and install the public key on the server, run the following (the scp step overwrites any existing authorized_keys2 on the server):
    • ssh-keygen -t rsa
    • ssh server "mkdir .ssh; chmod 0700 .ssh"
    • scp ~/.ssh/id_rsa.pub server:.ssh/authorized_keys2

The CIS Solaris Benchmark covers some suggested basic settings to place in the configuration file.

You may also want to visit the SSL Web site.
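The three recommendations above can be checked against a server's sshd_config. The following is an added example, not from the ISO page or the CIS benchmark: it assumes the standard "Keyword value" syntax of sshd_config(4) (on Solaris 10 the live file is /etc/ssh/sshd_config), treats PasswordAuthentication no as the configuration expression of "keys instead of passwords", and the defaults it applies for absent keywords are assumptions to confirm against your sshd.

```shell
#!/bin/sh
# Added example (not from the ISO page): check an sshd_config file against the three
# recommendations in UT Note 15. Assumes the "Keyword value" syntax of sshd_config(4);
# on Solaris 10 the live file is /etc/ssh/sshd_config. The defaults passed below are
# what sshd applies when a keyword is absent (assumed here; confirm against your sshd).

# Print the effective value of KEYWORD in FILE, or DEFAULT if it is not set.
# sshd honours the first occurrence, so stop at the first non-comment match.
sshd_value() {   # usage: sshd_value FILE KEYWORD DEFAULT
    v=$(awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1")
    [ -n "$v" ] && printf '%s\n' "$v" || printf '%s\n' "$3"
}

# Return 0 if FILE meets all three recommendations; otherwise print each gap and return 1.
audit_sshd_config() {
    rc=0
    port=$(sshd_value "$1" Port 22)
    root=$(sshd_value "$1" PermitRootLogin yes)
    pw=$(sshd_value "$1" PasswordAuthentication yes)
    [ "$port" != 22 ] || { echo "Port is still 22; move sshd off the default port"; rc=1; }
    [ "$root" = no ]  || { echo "PermitRootLogin is $root; set it to no"; rc=1; }
    [ "$pw" = no ]    || { echo "PasswordAuthentication is $pw; prefer keys with passphrases"; rc=1; }
    return $rc
}

# Constructed sample configs (not copied from any real host) written into directory DIR.
write_sample_configs() {
    printf 'Port 22\n#PermitRootLogin no\nPasswordAuthentication yes\n' > "$1/weak"
    printf 'Port 2222\nPermitRootLogin no\nPubkeyAuthentication yes\nPasswordAuthentication no\n' > "$1/hardened"
}

dir=$(mktemp -d)
write_sample_configs "$dir"
audit_sshd_config "$dir/weak" || echo "weak sample needs changes"
audit_sshd_config "$dir/hardened" && echo "hardened sample passes"
```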

18

IP Filter (ipfilter), from Sun, is the primary software firewall available for Solaris 10.

You may also want to visit the ipfilter home page.

23

If no other method is in place to ensure that passwords meet the IT Security Operations Manual password requirements, enable the entries in the /etc/default/passwd file that bring the machine's policy into compliance.

25

Use 'sudo' or a similar utility to allow your systems administrators to run commands as root. This provides better accountability, particularly where there are multiple sysadmins, and flexibility (non-sysadmins can be given access to a restricted set of privileged commands they need for their work instead of being given the 'root' password).

More information is available on the Sudo Main Page.

26, 27, 28, 29

The text of the university's official warning banner can be found on the CIO Web site. You may add localized information to the banner as long as the university banner is included.

30

There are a variety of methods available to accomplish this goal. Two good candidates are PGP (commercial) and GnuPG (free).

31

Tripwire is a commercial product. The Tripwire management console can be very helpful for managing more complex installations.

AIDE is a free tool available from SourceForge.

Samhain and OSSEC are other free tools.

32

There are few viruses that infect Solaris computers; therefore, it is understandable for most Solaris servers to have an exception to this rule. See the Operations Manual for information on the exception process.

You may choose any proven anti-virus product. One option is ClamAV.

33

Anti-spyware software must be installed and enabled for Category I data if the machine is used by administrators to browse Web sites not specifically related to the administration of the machine. In addition, anti-spyware software must be installed if users are able to install software.

Very few spyware applications target Unix OSes, so most Unix servers will have an exception to this rule. See the Operations Manual for information on the exception process.

34

To configure NTP on a Solaris server:

  1. Create the file /etc/inet/ntp.conf with the following entries:
       server 128.83.185.40
       server 128.83.185.41
       driftfile /etc/ntp.drift
  2. Create the file /etc/ntp.drift with the following entry:
       0.0
  3. Restart the NTP service by issuing the following commands:
       /etc/rc2.d/S74xntpd stop
       /etc/rc2.d/S74xntpd start
     On Solaris 10, where the daemon is managed by SMF rather than an rc script, the equivalent is:
       svcadm restart svc:/network/ntp:default

ITS Networking operates two stratum 2 NTPv4 (NTP version 4) servers for network time synchronization services for university network administrators.

Last updated October 21, 2011.
Copyright © 2006-14, Information Security Office. All rights reserved.