Solaris 10 Server Hardening Checklist
The hardening checklists are based on the comprehensive checklists produced
by CIS. The Information Security Office has distilled the CIS lists down
to the most critical steps for your systems, with a particular focus on configuration
issues that are unique to the computing environment at The University of
Texas at Austin.
How to use the checklist
Print the checklist and check off each item you complete to ensure that you
cover the critical steps for securing your server. The Information
Security Office uses this checklist during risk assessments as part of
the process to verify that servers are secure.
How to read the checklist
- Step - The step number in the procedure. If there is a UT Note for this step, the note number corresponds to the step number.
- Check (√) - For administrators to check off when they complete this portion.
- To Do - Basic instructions on what to do to harden the respective system.
- CIS - Reference number in the Center for Internet Security Solaris 10 Benchmark (PDF, requires UT EID login). The CIS document outlines in much greater detail how to complete each step.
- UT Note - A § in this column means the UT Note at the bottom of the page provides additional detail about the step for the university computing environment.
- Cat I - For systems that include Category-I data, required steps are denoted with the ! symbol. All steps are recommended.
- Cat II/III - For systems that include Category-II or -III data, all steps are recommended, and some are required (denoted by the !).
- Min Std - This column links to the specific requirement for the university in the Minimum Security Standards for Systems document.
Server Information
| MAC Address | |
| IP Address | |
| Machine Name | |
| Asset Tag | |
| Administrator Name | |
| Date | |
Preparation and Installation

| Step | √ | To Do | CIS | UT Note | Cat I | Cat II/III | Min Std |
|---|---|---|---|---|---|---|---|
| 1 | | If the machine is a new install, protect it from hostile network traffic until the operating system is installed and hardened. | | § | ! | ! | 5.1 |

Patches and Additional Software

| Step | √ | To Do | CIS | UT Note | Cat I | Cat II/III | Min Std |
|---|---|---|---|---|---|---|---|
| 2 | | Apply the latest OS patches. | 1.1 | § | ! | ! | 5.2 |
| 3 | | Enable automatic notification of new patches. | | § | ! | ! | 5.3 |
| 4 | | Minimize system services. | 2 | § | ! | | 5.4 |

Kernel Tuning

| Step | √ | To Do | CIS | UT Note | Cat I | Cat II/III | Min Std |
|---|---|---|---|---|---|---|---|
| 5 | | Enable stack protection. | 3.2 | | | | |
| 6 | | Use better (unpredictable) TCP sequence numbers. | 3.4 | | | | |

Logging

| Step | √ | To Do | CIS | UT Note | Cat I | Cat II/III | Min Std |
|---|---|---|---|---|---|---|---|
| 7 | | Turn on inetd tracing. | 4.1 | | ! | | 6.1 |
| 8 | | Capture messages sent to the syslog AUTH facility. | 4.4 | | ! | | 6.1 |
| 9 | | Create /var/adm/loginlog. | 4.5 | | ! | | 6.1 |
| 10 | | Turn on cron logging. | 4.6 | | ! | | 6.1 |
| 11 | | Enable system accounting. | 4.7 | | ! | | 6.1 |
| 12 | | Confirm permissions on system log files. | 4.9 | | ! | | 6.1 |

Files/Directory Permissions/Access

| Step | √ | To Do | CIS | UT Note | Cat I | Cat II/III | Min Std |
|---|---|---|---|---|---|---|---|
| 13 | | Verify passwd, shadow, and group file permissions. | 5.3 | | ! | | |

System Access, Authentication, and Authorization

| Step | √ | To Do | CIS | UT Note | Cat I | Cat II/III | Min Std |
|---|---|---|---|---|---|---|---|
| 14 | | Disable login: prompts on serial ports. | 6.1 | | ! | | 4.1 |
| 15 | | Configure SSH. | 6.3 | § | ! | | 5.6 |
| 16 | | Create /etc/ftpd/ftpusers. | 6.5 | | | | |
| 17 | | Prevent the email server from listening on external interfaces. | 6.6 | | | | 5.5 |
| 18 | | If the host is not a log server, prevent syslog from accepting messages from the network. | 6.7 | | ! | | 6.1 |
| 19 | | Configure TCP Wrappers. | 6.10 | | ! | | 5.5 |
| 20 | | If additional methods of restricting connections are necessary, implement them. | | § | ! | | 5.5 |
| 21 | | Restrict root logins to the system console. | 6.14 | | ! | | 4.1 |
| 22 | | On SPARC-based Solaris systems, set the EEPROM security mode to prevent unauthorized booting from non-standard media. | 6.16 | | ! | | 4.1 |
| 23 | | Configure the console to lock automatically if it is left unattended for an extended period of time. | | | | | 4.1 |

User Accounts and Environment

| Step | √ | To Do | CIS | UT Note | Cat I | Cat II/III | Min Std |
|---|---|---|---|---|---|---|---|
| 24 | | Verify that there are no accounts with empty password fields. | 7.2 | | ! | | 5.12 |
| 25 | | Set strong password enforcement policies. | 7.4 | § | ! | | 5.12 |
| 26 | | Verify that no UID 0 accounts exist other than root. | 7.6 | | | | |
| 27 | | Install, configure, and use sudo instead of su root. | | § | | | |

Warning Banners

| Step | √ | To Do | CIS | UT Note | Cat I | Cat II/III | Min Std |
|---|---|---|---|---|---|---|---|
| 28 | | Create warning banners for standard login services. | 8.1 | § | ! | | 5.10 |
| 29 | | Create a warning for GUI-based logins. | 8.2 | § | ! | | 5.10 |
| 30 | | Create warnings for the FTP daemon (if in use). | 8.3 | § | ! | | 5.10 |
| 31 | | Create a power-on warning. | 8.4 | § | ! | | 5.10 |
| 32 | | Systems will provide secure storage for Category-I data as required by confidentiality, integrity, and availability needs. Security can be provided by means such as, but not limited to, encryption, access controls, filesystem audits, physically securing the storage media, or any combination thereof as deemed appropriate. | | § | ! | | 5.7 |
| 33 | | Install software to check the integrity of critical operating system files. | N/A | § | ! | | 5.8 |
| 34 | | Install and enable anti-virus software. | N/A | § | ! | ! | 3.1 |
| 35 | | Configure the anti-virus software to update its signatures daily. | N/A | § | ! | | 3.3 |
| 36 | | Set up time synchronization using NTP. | | § | | | |
| 37 | | Enable process accounting at boot time. | SN.1 | | ! | | 6.1 |
UT Note: Addendum
This list provides specific tasks related to the computing environment at The University of Texas at Austin.
1 - If other alternatives are unavailable, this can be accomplished by installing a SOHO router/firewall between the network and the host to be protected.
2 - Sun Update Manager/Sun Patch Manager. These services now require valid service contracts with Sun.
3 - Sun Update Manager can provide desktop notifications of new patches.
4 - Each server is unique in its needs. The CIS guide discusses many services that are part of the core Solaris OS. Review these services and disable those that are unnecessary.
15 - SSH is distributed with the Solaris operating system as of version 9. If you decide to utilize SSH, the ISO highly recommends the following:
- Change the port from 22 to something else. Automated scripts that attack SSH servers overwhelmingly target port 22 because most people leave the default; moving the port cuts down that noise, but it is not a substitute for the next two items.
- Do not allow root logins via SSH (PermitRootLogin no in sshd_config).
- If possible, use keys with a passphrase instead of passwords alone. To create an RSA key pair and install the public key on the server:
  - ssh-keygen -t rsa
  - ssh server "mkdir -p .ssh; chmod 0700 .ssh"
  - scp ~/.ssh/id_rsa.pub server:.ssh/authorized_keys
The scp step overwrites any authorized_keys the account already has; if other keys are in use, append the new public key to that file instead, and make sure it is mode 0600.
The CIS Solaris Benchmark covers some suggested basic settings to place in the configuration file. You may also want to visit the SSH Web site.
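The three recommendations above can be verified against an sshd_config file before sshd is restarted. The following is an added example written for this page, not code from the UT page or the CIS benchmark. It reproduces one rule of sshd that trips people up: the first occurrence of a keyword wins, so a hardened line appended below a stock "PermitRootLogin yes" changes nothing. The default values passed to sshd_effective (Port 22, PermitRootLogin yes, Protocol 2,1, PubkeyAuthentication yes, PasswordAuthentication yes) are assumptions for the case where a keyword is absent; Match blocks are assumed not to be in use; both sample configurations are constructed.

```shell
#!/bin/sh
# Added example (not from the UT page or the CIS benchmark): check an
# sshd_config file against UT Note 15. sshd honours the FIRST occurrence
# of each keyword; keywords are case-insensitive and may be written as
# "Key value" or "Key=value". Match blocks are ignored (assumed unused).

# sshd_effective FILE KEYWORD DEFAULT: print the value sshd would use.
# DEFAULT is what this example assumes when the keyword is absent.
sshd_effective() {
    awk -v key="$2" -v def="$3" '
        BEGIN { FS = "[ \t=]+" }
        { sub(/^[ \t]+/, "") }                 # drop indentation, re-split
        /^#/ || NF == 0 { next }               # comments and blank lines
        !done && tolower($1) == tolower(key) { print tolower($2); done = 1 }
        END { if (!done) print def }
    ' "$1"
}

# sshd_findings FILE: one line per recommendation that is not met.
sshd_findings() {
    f=$1
    port=$(sshd_effective "$f" Port 22)
    root=$(sshd_effective "$f" PermitRootLogin yes)
    proto=$(sshd_effective "$f" Protocol 2,1)
    pubkey=$(sshd_effective "$f" PubkeyAuthentication yes)
    passwd=$(sshd_effective "$f" PasswordAuthentication yes)
    [ "$port" != 22 ]   || echo "Port is the default 22"
    [ "$root" = no ]    || echo "PermitRootLogin is '$root' (first match wins), should be no"
    case $proto in *1*) echo "Protocol '$proto' still permits SSH-1" ;; esac
    [ "$pubkey" = yes ] || echo "PubkeyAuthentication is '$pubkey', should be yes"
    [ "$passwd" = no ]  || echo "PasswordAuthentication is '$passwd'; prefer keys with passphrases"
    return 0
}

# Count what a check prints; zero means the file passed.
count_lines() { "$@" | awk 'END { print NR }'; }

# ---- constructed sample files (not from any real host) -------------------
SAMPLE_DIR=${TMPDIR:-/tmp}/sshd-check.$$
mkdir -p "$SAMPLE_DIR"
WEAK_SSHD=$SAMPLE_DIR/sshd_config.weak
GOOD_SSHD=$SAMPLE_DIR/sshd_config.hardened

cat >"$WEAK_SSHD" <<'EOF'
# Stock-looking configuration (constructed)
Protocol 2,1
Port 22
PermitRootLogin yes
PasswordAuthentication yes
# Added later by an admin; sshd ignores it because of the earlier line
PermitRootLogin no
EOF

cat >"$GOOD_SSHD" <<'EOF'
# Hardened per UT Note 15 (constructed); "Key=value" form is also legal
Protocol 2
Port=2222
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
EOF

echo "== $WEAK_SSHD"; sshd_findings "$WEAK_SSHD"
echo "== $GOOD_SSHD"; sshd_findings "$GOOD_SSHD"
```

Run it against /etc/ssh/sshd_config on the host being hardened; an empty report for that file means the three Note 15 items are in force as sshd will actually read them.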
20 - IPFilter is the primary software firewall available for Solaris 10 from Sun. You may also want to visit the IPFilter home page.
25 - If no other method is in place to ensure that passwords meet the IT Security Operations Manual password requirements, enable the entries in the /etc/default/passwd file that bring the machine's policy into compliance. Note that the stock file ships most of those entries commented out or empty, which leaves aging and complexity checks disabled.
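Steps 24, 25 and 26 of the checklist, together with UT Note 25, can be audited from the command line. The following is an added example written for this page, not code from the UT page or the CIS benchmark: three POSIX shell functions that each take a file path, so the same code runs here against constructed sample files and, on a Solaris 10 host, against /etc/shadow, /etc/default/passwd and /etc/passwd. The minimum values checked for PASSLENGTH, MINALPHA, MINNONALPHA, HISTORY and MAXWEEKS are illustrative assumptions for the example; the university standard defines the real requirements.

```shell
#!/bin/sh
# Added example (not from the UT page or the CIS benchmark): audit checks
# for steps 24, 25 and 26. Each function takes a file path, so the same
# code runs here against constructed sample files and, on a Solaris 10
# host, against /etc/shadow, /etc/default/passwd and /etc/passwd.

# Step 24: accounts whose password field (field 2 of shadow) is empty.
# "NP" or "*LK*" there means the account cannot log in with a password;
# an empty field means it can log in with no password at all.
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Step 26: UID 0 accounts (field 3 of passwd) other than root.
extra_uid0_accounts() {
    awk -F: '$3 ~ /^0+$/ && $1 != "root" { print $1 }' "$1"
}

# Step 25 / UT Note 25: /etc/default/passwd entries that are still
# commented out, empty, or below a minimum. Thresholds are illustrative
# values assumed for this example, not the university standard's text.
password_policy_findings() {
    awk -F= '
        function need_min(key, min) {
            if (!(key in val) || val[key] == "")
                print key " is not set (still commented out or empty)"
            else if (val[key] + 0 < min)
                print key "=" val[key] " is below the minimum of " min
        }
        # Only uncommented KEY=value lines are in force.
        /^[A-Z]+=/ { val[$1] = $2 }
        END {
            need_min("PASSLENGTH", 8)
            need_min("MINALPHA", 2)
            need_min("MINNONALPHA", 1)
            need_min("HISTORY", 10)
            if (!("MAXWEEKS" in val) || val["MAXWEEKS"] == "" || val["MAXWEEKS"] + 0 > 13)
                print "MAXWEEKS is not set or exceeds 13 (passwords would never expire)"
        }' "$1"
}

# Count what a check prints; zero means it passed.
count_lines() { "$@" | awk 'END { print NR }'; }

# ---- constructed sample files (not from any real host) -------------------
SAMPLE_DIR=${TMPDIR:-/tmp}/account-audit.$$
mkdir -p "$SAMPLE_DIR"
SAMPLE_SHADOW=$SAMPLE_DIR/shadow
SAMPLE_PASSWD=$SAMPLE_DIR/passwd
WEAK_POLICY=$SAMPLE_DIR/default_passwd.stock
GOOD_POLICY=$SAMPLE_DIR/default_passwd.hardened

cat >"$SAMPLE_SHADOW" <<'EOF'
root:constructedHashNotReal:14000::::::
daemon:NP:6445::::::
appuser::14000::::::
nobody:*LK*:6445::::::
EOF

cat >"$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:Super-User:/:/sbin/sh
daemon:x:1:1::/:
appuser:x:100:10:Application:/export/home/appuser:/bin/sh
toor:x:0:1:Second UID 0 account:/:/bin/sh
EOF

cat >"$WEAK_POLICY" <<'EOF'
# Stock-style file: aging disabled, short passwords, complexity commented out
MAXWEEKS=
MINWEEKS=
PASSLENGTH=6
#MINALPHA=2
#MINNONALPHA=1
#HISTORY=10
EOF

cat >"$GOOD_POLICY" <<'EOF'
MAXWEEKS=13
MINWEEKS=1
PASSLENGTH=8
MINALPHA=2
MINNONALPHA=1
HISTORY=10
EOF

echo "Step 24 - empty password fields:";      empty_password_accounts "$SAMPLE_SHADOW"
echo "Step 26 - UID 0 besides root:";         extra_uid0_accounts "$SAMPLE_PASSWD"
echo "Step 25 - policy findings (stock):";    password_policy_findings "$WEAK_POLICY"
echo "Step 25 - policy findings (hardened):"; password_policy_findings "$GOOD_POLICY"
```

The stock-style policy file produces five findings and the hardened one none; on a real host, any name printed by the first two checks is an account to lock or remove before the server goes into service.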
27 - Use sudo or a similar utility to allow your systems administrators to run commands as root. This provides better accountability, particularly where there are multiple sysadmins, and flexibility: non-sysadmins can be given access to the restricted set of privileged commands they need for their work instead of being given the root password. More information is available on the Sudo Main Page.
28, 29, 30, 31 - The text of the university's official warning banner can be found on the ITS Web site. You may add localized information to the banner as long as the university banner is included.
32 - There are a variety of methods available to accomplish this goal. Two good candidates are PGP (commercial) and GnuPG (free).
33 - Tripwire is a commercial product; its management console can be very helpful for managing more complex installations. AIDE is a free tool available from SourceForge. Samhain is another free tool.
34 - There are few viruses that infect Solaris computers; therefore, it is understandable for most Solaris servers to have an exception to this rule. See the Operations Manual for information on the exception process. You may choose any proven anti-virus product; one option is ClamAV.
35 - Anti-spyware software must be installed and enabled for Category-I data if the machine is used by administrators to browse Web sites not specifically related to the administration of the machine. In addition, anti-spyware software must be installed if users are able to install software. Very few spyware applications target Unix OSes, so most Unix servers will have an exception to this rule. See the Operations Manual for information on the exception process.
36 - To configure NTP on a Solaris server:
- Create the file /etc/inet/ntp.conf with the following entries:
server 128.83.185.40
server 128.83.185.41
driftfile /etc/ntp.drift
- Create the file /etc/ntp.drift, writable by the NTP daemon, with the following entry:
0.0
- Restart the NTP service. On Solaris 10 the daemon is managed by SMF as svc:/network/ntp, so enable or restart that service with svcadm; on releases that still use the legacy rc scripts, run:
/etc/rc2.d/S74xntpd stop
/etc/rc2.d/S74xntpd start
ITS Networking operates two stratum 2 NTPv4 (NTP version 4) servers for network time synchronization services for university network administrators.