Recommendations for Improving the Security of Solaris 8

by Gurney Halleck (gurneyh AT ix DOT netcom DOT com)

Patches

After Solaris 8 is installed, download the current Recommended and Security patch cluster from Sun and install it with patchadd(1M), preferably before the host is connected to a production network. showrev -p lists the patches that are installed.
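A check that compares the patches a host reports against a baseline of required revisions, as an added example (not from the page). The showrev -p output and the baseline file below are constructed sample data, and the patch IDs in them are placeholders for the demonstration rather than a recommended list; on a real host, capture the list with showrev -p and run the same functions over it.

```shell
# Added example, not from the page: compare the patches a host reports via
# `showrev -p` against a baseline of required patch revisions. The showrev
# output and the baseline below are constructed sample data; the patch IDs
# in them are placeholders for the demonstration, not a recommended list.
# On a real host: showrev -p > /var/tmp/showrev.out, then run the check.

# patch_rev SHOWREV_FILE PATCHID: print the installed revision of PATCHID
# (showrev lines look like "Patch: 108528-29 Obsoletes: ... Packages: ...").
# Prints nothing if the patch is not installed.
patch_rev() {
    awk -v id="$2" '
        $1 == "Patch:" { split($2, p, "-"); if (p[1] == id && p[2] + 0 > best) best = p[2] + 0 }
        END { if (best) print best }
    ' "$1"
}

# missing_patches SHOWREV_FILE REQUIRED_FILE: REQUIRED_FILE holds "ID REV"
# pairs; print "ID-REV" for each one that is absent or below revision REV.
missing_patches() {
    while read -r id rev; do
        case $id in ''|\#*) continue ;; esac
        have=$(patch_rev "$1" "$id")
        [ -n "$have" ] && [ "$have" -ge "$rev" ] && continue
        echo "$id-$rev"
    done < "$2"
}

# --- constructed sample data ---
SHOWREV=${TMPDIR:-/tmp}/showrev.sample.$$
REQUIRED=${TMPDIR:-/tmp}/required.sample.$$
cat > "$SHOWREV" <<'EOF'
Patch: 108528-29 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcar, SUNWcsu
Patch: 108993-39 Obsoletes:  Requires: 108528-13 Incompatibles:  Packages: SUNWcsl
Patch: 109147-28 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWbtool
EOF
cat > "$REQUIRED" <<'EOF'
# patch-id minimum-revision (constructed baseline)
108528 31
108993 39
110380 4
EOF

missing_patches "$SHOWREV" "$REQUIRED"    # prints 108528-31 and 110380-4
```

The baseline file is the thing to keep under change control: update it whenever a new cluster is approved, and the same check then tells you which hosts are behind.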

Minimization

Unnecessary applications and system packages should be removed. A minimization philosophy should be taken. Install only the minimum set of applications and system utilities to meet operational requirements.

System Footprint/File Integrity

After installation and patching (and again after every later patch or application install), generate a system footprint: a record of the checksums, permissions and ownership of the system's files. Tools such as Tripwire or AIDE may be helpful. Archive the footprint data off the system, on read-only media or a separate host, so that it cannot be altered along with the files it describes.

Open Ports

By default Solaris installs a number of services that should be disabled unless there is a specific need. Many of these are started by inetd and should be commented out of /etc/inet/inetd.conf (/etc/inetd.conf is a symlink to it); then send inetd a HUP signal so it rereads the file. Other services are started by the scripts in the various /etc/rcX.d directories. Inspect these for unwanted services and disable them by renaming or removing the start script. Afterwards, confirm with netstat -an that nothing unexpected is listening.

Open ports for a Solaris 8 basic install

Port       State   Service          Recommendation
7/tcp      open    echo             Close
9/tcp      open    discard          Close
13/tcp     open    daytime          Close
19/tcp     open    chargen          Close
21/tcp     open    ftp              Close (use scp or sftp)
23/tcp     open    telnet           Close (use ssh)
25/tcp     open    smtp             Close unless mail service is needed
37/tcp     open    time             Close
79/tcp     open    finger           OK, but it discloses account names; close it if not needed
111/tcp    open    sunrpc           Close unless rpc/portmapper is needed
512/tcp    open    exec             Close (rexec)
513/tcp    open    login            Close (rlogin)
514/tcp    open    shell            Close (rsh)
515/tcp    open    printer          Close unless printing is needed
540/tcp    open    uucp             Close
4045/tcp   open    lockd            Close unless NFS is required
6000/tcp   open    X11              OK if a local X server is needed; otherwise close it
7100/tcp   open    font-service     Close
8888/tcp   open    sun-answerbook   Close
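The inetd and rc-script clean-up described above, as an added example that is not part of the original page. It works on copies of the files with constructed sample data; on the host the file is /etc/inet/inetd.conf and the directories are /etc/rc2.d and /etc/rc3.d. The list of services to keep is an assumption for the demonstration.

```shell
# Added example, not from the page: disable inetd services by commenting them
# out and rc start scripts by renaming them. It edits copies here (constructed
# sample data); on the host the file is /etc/inet/inetd.conf (/etc/inetd.conf
# is a symlink to it) and the directories are /etc/rc2.d and /etc/rc3.d.
# Which services to keep is an assumption for the demonstration.

KEEP_SERVICES="${KEEP_SERVICES:-ftp}"

# active_services FILE: the service field of every live (uncommented) entry.
active_services() {
    awk '!/^[ \t]*#/ && !/^[ \t]*$/ { print $1 }' "$1"
}

# disable_inetd_services FILE: comment out every live entry whose service is
# not in KEEP_SERVICES; the original is kept as FILE.orig. Then reload with
# pkill -HUP inetd and confirm with netstat -an | grep LISTEN.
disable_inetd_services() {
    cp "$1" "$1.orig"
    awk -v keep="$KEEP_SERVICES" '
        BEGIN { n = split(keep, k, " "); for (i = 1; i <= n; i++) want[k[i]] = 1 }
        /^[ \t]*#/ || /^[ \t]*$/ { print; next }   # comments and blanks untouched
        $1 in want               { print; next }   # wanted service stays live
                                 { print "#" $0 }  # everything else disabled
    ' "$1.orig" > "$1"
}

# disable_rc_script DIR NAME: the rc scripts only run files named S##* or
# K##*, so renaming S88sendmail to _S88sendmail disables it while keeping it
# for reference (the convention Sun's JASS toolkit uses). Prints the number
# of scripts renamed.
disable_rc_script() {
    n=0
    for s in "$1"/S[0-9][0-9]"$2"; do
        [ -f "$s" ] || continue
        mv "$s" "$1/_$(basename "$s")"
        n=$((n + 1))
    done
    echo "$n"
}

# --- constructed sample data ---
WORK=${TMPDIR:-/tmp}/inetd-demo.$$
mkdir -p "$WORK/rc2.d"
cat > "$WORK/inetd.conf" <<'EOF'
# constructed excerpt of a Solaris 8 inetd.conf
ftp       stream  tcp   nowait  root    /usr/sbin/in.ftpd     in.ftpd
telnet    stream  tcp   nowait  root    /usr/sbin/in.telnetd  in.telnetd
finger    stream  tcp   nowait  nobody  /usr/sbin/in.fingerd  in.fingerd
echo      stream  tcp   nowait  root    internal
chargen   stream  tcp   nowait  root    internal
100232/10 tli     rpc/udp wait  root    /usr/sbin/sadmind     sadmind
EOF
: > "$WORK/rc2.d/S88sendmail"
: > "$WORK/rc2.d/S72inetsvc"

disable_inetd_services "$WORK/inetd.conf"
active_services "$WORK/inetd.conf"          # only ftp remains live
disable_rc_script "$WORK/rc2.d" sendmail    # prints 1
```

Commenting out rather than deleting, and renaming rather than removing, keeps a record of what the default install started; the .orig copy and the footprint of the finished system are what you compare against later.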

System File Permissions

System files should be reviewed for proper permission setting. Tools like Titan and FixModes may be helpful.

SUID and SGID Files

SUID and SGID files should be identified, and the set-uid/set-gid bits removed from those that do not need them (keep a list of what was changed, since patches may restore the bits). Tools like Titan and FixModes may be helpful.
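The footprint generation from the System Footprint section and the SUID/SGID inventory from this section, served by one added example that is not part of the original page. cksum(1) is used because Solaris 8 ships no md5 or digest command; its CRC catches drift but can be forged, which is one more reason to keep the baseline off the host (Tripwire and AIDE use real cryptographic hashes). The sample tree and paths are constructed.

```shell
# Added example, not from the page: a minimal footprint of a file tree
# (mode, owner, group, checksum, size per regular file) plus the SUID/SGID
# inventory, and a comparison of a later run against the archived baseline.
# cksum(1) is used because Solaris 8 ships no md5 or digest command; a CRC
# catches accidental drift but an attacker can forge it, which is one more
# reason to keep the baseline off the host (Tripwire/AIDE use real hashes).
# The sample tree is constructed; paths are assumptions.

# footprint ROOT: "mode owner group crc size path" for every regular file.
footprint() {
    find "$1" -type f -print | LC_ALL=C sort | while read -r f; do
        meta=$(ls -ld "$f" | awk '{ print $1, $3, $4 }')
        sum=$(cksum "$f" | awk '{ print $1, $2 }')
        echo "$meta $sum $f"
    done
}

# suid_sgid ROOT: "mode owner group path" for every set-uid/set-gid file.
suid_sgid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print | LC_ALL=C sort |
    while read -r f; do
        ls -ld "$f" | awk -v p="$f" '{ print $1, $3, $4, p }'
    done
}

# compare BASELINE CURRENT: the differing lines ("<" baseline, ">" current);
# empty output means nothing changed.
compare() {
    diff "$1" "$2" | grep '^[<>]' || true
}

# --- constructed sample tree and baseline ---
ROOT=${TMPDIR:-/tmp}/footprint-demo.$$
mkdir -p "$ROOT/bin" "$ROOT/etc"
printf 'root:x:0:0::/:\n' > "$ROOT/etc/passwd.sample"
printf '#!/bin/sh\necho ok\n' > "$ROOT/bin/tool"
chmod 755 "$ROOT/bin/tool"
footprint "$ROOT" > "$ROOT.base"        # archive these two files off the host
suid_sgid "$ROOT" > "$ROOT.suid.base"

# Later: regenerate and compare.
footprint "$ROOT" > "$ROOT.now"
compare "$ROOT.base" "$ROOT.now"        # empty output: unchanged
```

Run it over / (excluding /proc, /tmp and other volatile trees) after each patch session, and diff the SUID list separately: a new set-uid binary deserves a look on its own even when the rest of the footprint is noisy.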

System Accounts

Any guest accounts should be removed. System accounts (such as bin, lp and daemon) should be reachable only through su: lock them in /etc/shadow and give them a non-interactive shell such as /bin/false (note that the empty shell field Solaris ships for these accounts means /usr/bin/sh, not "no shell"). Unnecessary system and user accounts (such as uucp and postgres) should be removed.
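An audit of passwd/shadow copies for the two conditions above, as an added example that is not from the original page. The sample files are constructed in Solaris 8 layout with placeholder hashes; the UID cut-off and the list of interactive shells are assumptions. On a real host the fixes are usermod -s /bin/false NAME, passwd -l NAME and userdel NAME.

```shell
# Added example, not from the page: audit passwd/shadow copies for system
# accounts that can still get an interactive shell and for accounts that can
# still log in with (or without) a password. The files below are constructed
# in Solaris 8 layout; XXXXXXXXXXXXX stands in for a password hash. The UID
# cut-off and shell list are assumptions. Solaris system accounts ship with
# an empty shell field, which login treats as /usr/bin/sh, so they rely
# entirely on the NP or *LK* marker in /etc/shadow. On a real host: change
# the shell with usermod -s /bin/false NAME, lock with passwd -l NAME,
# remove with userdel NAME.

INTERACTIVE_SHELLS="/bin/sh /bin/ksh /bin/csh /usr/bin/sh /usr/bin/ksh /usr/bin/csh /usr/bin/bash /usr/local/bin/bash"
SYSTEM_UID_MAX=99

# interactive_system_accounts PASSWD: non-root accounts with uid <= SYSTEM_UID_MAX
# whose shell is interactive (an empty field counts, see above).
interactive_system_accounts() {
    awk -F: -v shells="$INTERACTIVE_SHELLS" -v max="$SYSTEM_UID_MAX" '
        BEGIN { n = split(shells, s, " "); for (i = 1; i <= n; i++) inter[s[i]] = 1 }
        $1 != "root" && $3 + 0 <= max + 0 && ($7 == "" || $7 in inter) { print $1 }
    ' "$1"
}

# password_login_accounts SHADOW: accounts that are not locked. NP and *LK*
# (Solaris) or a leading ! or * (other Unixes) mean no password login; an
# empty field means login with no password at all, reported as NOPASSWORD.
password_login_accounts() {
    awk -F: '
        $2 == ""                    { print $1, "NOPASSWORD"; next }
        $2 == "NP" || $2 ~ /^[*!]/  { next }
                                    { print $1, "ACTIVE" }
    ' "$1"
}

# --- constructed sample files ---
PASSWD=${TMPDIR:-/tmp}/passwd.sample.$$
SHADOW=${TMPDIR:-/tmp}/shadow.sample.$$
cat > "$PASSWD" <<'EOF'
root:x:0:1:Super-User:/:/usr/bin/sh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
lp:x:71:8:Line Printer Admin:/usr/spool/lp:
uucp:x:5:5:uucp Admin:/usr/lib/uucp:
nuucp:x:9:9:uucp Admin:/var/spool/uucppublic:/usr/lib/uucp/uucico
listen:x:37:4:Network Admin:/usr/net/nls:
nobody:x:60001:60001:Nobody:/:
guest:x:1001:10:Guest:/export/home/guest:/bin/sh
backup:x:1002:10:Backup Operator:/export/home/backup:/bin/sh
EOF
cat > "$SHADOW" <<'EOF'
root:XXXXXXXXXXXXX:12345::::::
daemon:NP:6445::::::
bin:NP:6445::::::
lp:NP:6445::::::
uucp:NP:6445::::::
nuucp:NP:6445::::::
listen:*LK*:::::::
nobody:NP:6445::::::
guest:XXXXXXXXXXXXX:12345::::::
backup::12345::::::
EOF

interactive_system_accounts "$PASSWD"   # daemon bin lp uucp listen
password_login_accounts "$SHADOW"       # root ACTIVE, guest ACTIVE, backup NOPASSWORD
```

The two reports are meant to be read together: an account with an interactive shell is only a problem if it is also unlocked, and an unlocked account with no password (the backup entry above) is a problem regardless of its shell.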

Syslog

/etc/syslog.conf should be reviewed for proper system logging. Additional logging can be added, and a remote log host can be designated so that an intruder cannot simply erase the local copies. Note that syslogd on Solaris requires a tab, not spaces, between the selector and the action on each line.
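The additional entries and the tab-separator check, as an added example that is not from the original page. The facilities chosen, the /var/log/authlog path and the name loghost (which must resolve, for instance through /etc/hosts) are assumptions; the syslog.conf excerpt is constructed.

```shell
# Added example, not from the page: the extra syslog.conf entries suggested
# above, plus a check for the classic Solaris syslog.conf mistake. syslogd on
# Solaris accepts only a TAB between the selector and the action; an entry
# written with spaces is not parsed correctly. Facilities, the
# /var/log/authlog path and the name "loghost" (which must resolve, e.g. via
# /etc/hosts) are assumptions for the demonstration; the sample is constructed.

# recommended_syslog_lines: print the entries to append, tab-separated.
recommended_syslog_lines() {
    printf '%s\t%s\n' \
        'auth.info'         '/var/log/authlog' \
        'daemon.info'       '/var/adm/messages' \
        '*.info;mail.none'  '@loghost'
}

# bad_syslog_lines FILE: line numbers of entries that contain no tab at all.
bad_syslog_lines() {
    awk '!/^[ \t]*#/ && !/^[ \t]*$/ && $0 !~ /\t/ { print NR }' "$1"
}

# fix_syslog_spaces FILE: rewrite such entries with a tab after the selector
# (only the first run of spaces is replaced); output goes to stdout.
fix_syslog_spaces() {
    awk '!/^[ \t]*#/ && !/^[ \t]*$/ && $0 !~ /\t/ { sub(/ +/, "\t") } { print }' "$1"
}

# --- constructed excerpt of /etc/syslog.conf ---
CONF=${TMPDIR:-/tmp}/syslog.conf.sample.$$
{
    echo '# constructed excerpt'
    printf '%s\t%s\n' '*.err;kern.notice;auth.notice' '/dev/sysmsg'
    printf '%s\t%s\n' '*.err;kern.debug;daemon.notice;mail.crit' '/var/adm/messages'
    printf '%s %s\n'  'auth.info' '/var/log/authlog'      # spaces: broken entry
} > "$CONF"

bad_syslog_lines "$CONF"            # prints 4
# After editing the real file: touch /var/log/authlog (syslogd does not
# create log files) and reload with: pkill -HUP syslogd
```

Sending *.info to the loghost duplicates what the local files hold, which is the point: the remote copy is the one you trust after a compromise, so the loghost itself should accept syslog only from known hosts and be hardened at least as well as the machines it logs for.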

Hosts Allow and Deny Files

TCP Wrappers (tcpd) is not part of Solaris 8; install it, then configure /etc/hosts.allow and /etc/hosts.deny appropriately (deny by default, allow named services from named hosts). Besides host-based access control it logs every connection attempt through syslog.
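A minimal wrapper policy and the inetd.conf rewrite that routes services through tcpd, as an added example that is not from the original page. The tcpd path, the network addresses and the service names are assumptions, and the inetd.conf excerpt is constructed. An sshd built with libwrap consults the same two files directly, without tcpd.

```shell
# Added example, not from the page: a minimal TCP Wrappers policy and a
# rewrite of inetd.conf entries so they pass through tcpd. The tcpd path,
# network addresses and service names are assumptions; the inetd excerpt is
# constructed. sshd built with libwrap consults the same two files directly.

# write_wrapper_policy DIR: deny everything by default, then allow named
# services from named sources. Refusals are logged by tcpd via syslog.
write_wrapper_policy() {
    mkdir -p "$1"
    cat > "$1/hosts.deny" <<'EOF'
# Default deny: anything not matched in hosts.allow is refused and logged.
ALL: ALL
EOF
    cat > "$1/hosts.allow" <<'EOF'
# Per-service allow list (addresses are placeholders).
sshd:    192.168.1.0/255.255.255.0
in.ftpd: 192.168.1.20
EOF
}

# wrap_inetd_conf FILE TCPD: emit FILE with every stream/tcp server launched
# through tcpd (server path becomes tcpd, original path becomes argv[0]).
# Internal services, already-wrapped lines and tli/rpc entries are left
# alone, since tcpd cannot wrap them. Output goes to stdout.
wrap_inetd_conf() {
    awk -v tcpd="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { print; next }
        $2 != "stream"           { print; next }   # tli/rpc/dgram: not wrappable
        $6 == "internal"         { print; next }   # built into inetd
        $6 == tcpd               { print; next }   # already wrapped
        { $7 = $6; $6 = tcpd; print }
    ' "$1"
}

# --- constructed inetd.conf excerpt ---
INETD=${TMPDIR:-/tmp}/inetd.conf.sample.$$
cat > "$INETD" <<'EOF'
ftp stream tcp nowait root /usr/sbin/in.ftpd in.ftpd -l
telnet stream tcp nowait root /usr/sbin/in.telnetd in.telnetd
echo stream tcp nowait root internal
100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind
EOF
POLICY=${TMPDIR:-/tmp}/wrappers-demo.$$
write_wrapper_policy "$POLICY"
wrap_inetd_conf "$INETD" /usr/local/sbin/tcpd
# Check a rule before relying on it:  tcpdmatch in.telnetd 10.0.0.5
```

Giving tcpd the full path of the real daemon as argv[0] avoids depending on the daemon directory compiled into tcpd; tcpdmatch from the same distribution tells you how a given client would be handled without waiting for a real connection.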

IPv6

By default, Solaris 8 installs and enables IPv6, along with IPv6 routing. IPv6 is enabled on each interface that has an /etc/hostname6.<interface> file. Unless IPv6 is specifically needed, the IPv6 interface configuration and routing capability should be disabled.

IPv6 Removal and Clean up steps
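The removal steps as an added example, not part of the original page. Without the hostname6 files the boot scripts do not plumb IPv6 addresses or start in.ndpd; the example works on a copy of /etc (pass the real /etc as root on the host), and the interface names are constructed.

```shell
# Added example, not from the page: find and retire the IPv6 interface
# configuration of a Solaris 8 host. IPv6 is enabled on each interface that
# has an /etc/hostname6.<if> file; without those files the boot scripts do
# not plumb IPv6 addresses or start in.ndpd. The example works on a copy of
# /etc (pass the real /etc as root on the host); the interface names below
# are constructed.

# ipv6_interfaces ETCDIR: print the interface name of every hostname6.* file.
ipv6_interfaces() {
    for f in "$1"/hostname6.*; do
        [ -f "$f" ] || continue
        echo "${f##*/hostname6.}"
    done
}

# ipv6_unplumb_commands ETCDIR: print the ifconfig commands that take the
# IPv6 side of each interface down immediately (a reboot has the same effect
# once the files are gone).
ipv6_unplumb_commands() {
    for i in $(ipv6_interfaces "$1"); do
        echo "ifconfig $i inet6 unplumb"
    done
}

# disable_ipv6_config ETCDIR BACKUPDIR: move the hostname6.* files aside
# (kept rather than deleted so they can be restored). Prints the count moved.
disable_ipv6_config() {
    n=0
    mkdir -p "$2"
    for i in $(ipv6_interfaces "$1"); do
        mv "$1/hostname6.$i" "$2/hostname6.$i"
        n=$((n + 1))
    done
    echo "$n"
}

# --- constructed sample /etc ---
ETC=${TMPDIR:-/tmp}/etc-demo.$$
mkdir -p "$ETC"
echo myhost > "$ETC/hostname.hme0"     # IPv4 configuration stays
: > "$ETC/hostname6.hme0"              # empty file = IPv6 autoconfigured on hme0
: > "$ETC/hostname6.qfe1"

ipv6_unplumb_commands "$ETC"
# Verify afterwards on the host:  ifconfig -a6      (should list no interfaces)
#                                 ps -e | grep in.ndpd
#                                 ndd -get /dev/ip ip6_forwarding   (expect 0)
```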

FTP

If FTP is absolutely required for automated file transfers, it should run in a chroot jail. The jail confines the ftp user to a defined directory tree so that system areas outside it cannot be read or modified. If files are only ever deposited in the jail, the drop directory can be made write-only (mode 733): the ftp user can create files in it but cannot obtain a directory listing.
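The write-only drop directory, as an added example that is not from the original page. The jail path, owner and group are assumptions; a real anonymous-FTP area follows the layout in ftpd(1M), with ~ftp owned by root and mode 555 and its own bin, etc, dev and usr subtrees. chown needs root, so it is skipped when the example runs unprivileged.

```shell
# Added example, not from the page: build the write-only drop directory
# described above inside an anonymous-FTP area. The jail path, owner and
# group are assumptions. Mode 733 (rwx-wx-wx) lets anyone create files in
# the directory but, lacking the read bit, keeps them from listing it.
# chown needs root and an existing group, so it is skipped otherwise.

# dropbox_mode DIR: the ten-character permission string from ls -ld.
dropbox_mode() {
    ls -ld "$1" | cut -c1-10
}

# make_dropbox DIR OWNER GROUP: create DIR as a non-listable drop directory;
# prints its resulting mode.
make_dropbox() {
    mkdir -p "$1"
    if [ "$(id -u)" -eq 0 ] && grep -q "^$3:" /etc/group; then
        chown "$2:$3" "$1"
    else
        echo "skipping chown (needs root and group $3)" >&2
    fi
    chmod 733 "$1"      # owner rwx; group/other wx: can write, cannot list
    dropbox_mode "$1"
}

# dropbox_ok DIR: "yes" when DIR has the write bit but not the read bit for
# group and other (the drop-box property), otherwise "no".
dropbox_ok() {
    case $(dropbox_mode "$1") in
        d???-w?-w?) echo yes ;;
        *)          echo no ;;
    esac
}

# --- constructed jail layout ---
JAIL=${TMPDIR:-/tmp}/ftpjail-demo.$$
mkdir -p "$JAIL/pub"
chmod 755 "$JAIL/pub"                    # read-only download area
make_dropbox "$JAIL/incoming" root ftp   # prints drwx-wx-wx
```

Note what 733 does not do: a file whose name is known can still be read if its own permissions allow it, so the process that collects uploads should move them out of the drop directory promptly, and the daemon's umask should keep uploaded files unreadable by others.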

SSH

Clear-text protocols such as telnet, rsh, rlogin, rcp and ftp are unacceptable: they send passwords and data unencrypted. SSH should be installed for secure (encrypted) communication. It provides ssh (secure shell), scp (secure copy) and sftp (a secure replacement for ftp). OpenSSH (http://www.openssh.org/) is a free, open source implementation that builds and runs on Solaris 8 (and on other Solaris releases after 2.5.1); it needs OpenSSL and zlib, and on Solaris 8 a source of randomness (a /dev/random patch from Sun, or prngd). Once it is in place, disable the services it replaces in inetd.conf.

Follow-on Activities

Security Updates and Patches

Periodic checks should be made for new security patches from Sun and from application vendors (Sun's Recommended and Security patch cluster is updated regularly). Patches should be installed promptly, after a quick check on a non-production system where one exists.

Logfile Review

System logs and application logs should be reviewed on a regular basis. Tools like logcheck or swatch may be helpful.

System Maintenance

Inactive accounts should be removed. Old logfiles should be moved off the system and archived.

File Integrity

Periodic checks of file integrity should be made. Tools like Tripwire or AIDE may be helpful.

System Backup

Regular system backups should be made. Backups should be validated by periodic restores. Backups should be stored securely.

References

Solaris Specific Security Tools

Titan for Solaris 8
http://www.fish.com/titan/TITAN_Solaris8.html
"JASS" Solaris Security Toolkit
http://wwwwswest.sun.com/blueprints/tools/
FixModes Scripts
http://wwwwswest.sun.com/blueprints/tools/

General Unix Security Tools

OpenSSH - open source secure shell
http://www.openssh.org/
SSH - commercial secure shell
http://www.ssh.com/
OpenSSL - open source secure sockets layer
http://www.openssl.org/
AIDE (Advanced Intrusion Detection Environment)
http://www.cs.tut.fi/~rammer/aide.html
Tripwire
http://www.tripwire.com/
Logcheck
http://www.psionic.com/

Reading Material

Solaris[tm] Operating Environment Minimization for Security: A Simple, Reproducible and Secure Application Installation Methodology (Updated for Solaris 8 Operating Environment) -by Alex Noordergraaf
http://wwwwswest.sun.com/blueprints/1299/minimization.pdf
Securing Solaris Servers - A Checklist Approach Paul D. J. Vandenberg and Susan D. Wyess (Specific to Solaris 2.5 but still useful)
http://www.usenix.org/sage/sysadmins/solaris/
Building and Deploying OpenSSH on the Solaris[tm] Operating Environment -by Jason Reid and Keith Watson
http://wwwwswest.sun.com/blueprints/0701/openSSH.pdf
Solaris[tm] Operating Environment Network Settings for Security (Updated for Solaris 8 Operating Environment) -by Keith Watson and Alex Noordergraaf
http://wwwwswest.sun.com/blueprints/1200/network-updt1.pdf
Solaris Operating Environment Security -by Keith Watson and Alex Noordergraaf
http://wwwwswest.sun.com/blueprints/0100/security.pdf


gurneyh AT ix DOT netcom DOT com

Last modified: Sat Oct 30 23:11:41 PDT 2004