Securing Solaris Servers
Randy Marchany
va-scan Copyright 2002, Marchany


General Strategy

  • Most Solaris security checklists recommend installing the minimum set of software needed to run the system.
  • Most sysadmins don’t do this.
  • General strategy
      – Remove all privilege and access and grant or enable only what is needed.
      – Enable as much system logging as possible!

Two Strategies

  • Use the SANS Securing Solaris checklist
  • Use the Center for Internet Security Securing Solaris Benchmark
  • Use the CERT Securing Solaris Server checklist.
      – Use the SANS or CIS checklists when the CERT checklist recommends it.

Solaris Installation

  • Disconnect the system from the net?
      – Optional
  • Download patches, other software to another machine if possible.
  • Obtain the following information
      – IP name, IP address, subnet mask, default gateway, DNS server, Domain name, Time Zone

Solaris Installation

  • Boot time configuration
      – SANS Guide steps 1.1.1-1.1.8, Basic OS Installation
      – Step 1.1.5, select ‘other’.
  • Minimal OS installation (optional)
      – SANS Guide steps 1.2.1-1.2.7, select “system accounting”.

Solaris Hardening

  • Remove all packages not needed for the operation of the server.
  • Verify /etc/hostname.<interface name> contains only the machine name.
  • Verify /etc/inet/hosts (aka /etc/hosts) contains the following entries:
      – 127.0.0.1 localhost
      – <IP address> FQDN UQHN loghost
      – <IP address> central syslog server (optional)

Solaris Hardening

  • Verify /etc/nsswitch.conf contains the following entry:
      – hosts: files dns
  • Verify /etc/netmasks contains:
      – <network number> <subnet mask>
      – SANS guide steps 1.3.1 – 1.35, Post Install/networking configuration
      – Pick a secure password for the root account
      – SANS guide steps 1.4.2-1.4.7, Installing Patches

Solaris Hardening

  • Installing patches takes time, about 1 hour.
  • It’s CRITICAL that you install the most current set of patches. Check security patches at least once a month. Use tools like patchdiag or GASP to make installation easier.
  • Install Tripwire.
  • Install SSH

Solaris Hardening

  • SANS Guide step 2.1.1, purging boot directories of Unnecessary Services
  • SANS Guide step 2.1.2-2.1.5, 2.1.7, 2.1.8, 2.1.9, 2.1.10
      – Set umask to 027
  • Remove all services from /etc/inetd.conf
  • SANS Guide 2.2.1-2.2.5, Cleaning House
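
The file checks from the hardening slides (hostname.<interface name>, /etc/inet/hosts, nsswitch.conf and the emptied inetd configuration) can be scripted. This is an added example, not part of the original slides or the SANS guide; it assumes the inetd file is /etc/inetd.conf, and the function names `audit_root` and `make_sample`, the host `web1`, the interface `hme0` and the sample addresses are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit the file checks listed on the hardening slides.
# audit_root ROOT checks ROOT/etc/...; an empty ROOT audits the live system.

note() { echo "FAIL: $1"; fail=$((fail + 1)); }

audit_root() {
    root=${1:-}
    fail=0
    # /etc/hostname.<interface name> must hold only the machine name (one word).
    for f in "$root"/etc/hostname.*; do
        [ -f "$f" ] || continue
        [ "$(wc -w < "$f")" -eq 1 ] || note "$f holds more than the machine name"
    done
    # /etc/inet/hosts needs the localhost entry and a loghost alias.
    grep -Eq '^127\.0\.0\.1[[:space:]]+localhost' "$root/etc/inet/hosts" ||
        note "hosts: no 127.0.0.1 localhost entry"
    grep -Eq '^[0-9.]+[[:space:]].*loghost' "$root/etc/inet/hosts" ||
        note "hosts: no loghost alias"
    # /etc/nsswitch.conf must resolve hosts from files first, then DNS.
    grep -Eq '^hosts:[[:space:]]+files[[:space:]]+dns[[:space:]]*$' \
        "$root/etc/nsswitch.conf" || note "nsswitch.conf: hosts is not 'files dns'"
    # inetd.conf: every line that is not blank or a comment is an enabled service.
    n=$(grep -Ev '^[[:space:]]*(#|$)' "$root/etc/inetd.conf" 2>/dev/null | wc -l)
    [ "$n" -eq 0 ] || note "inetd.conf: $n service(s) still enabled"
    return "$fail"   # number of failed checks
}

# Constructed sample tree (host web1, interface hme0) with two deviations.
make_sample() {
    mkdir -p "$1/etc/inet"
    echo "web1" > "$1/etc/hostname.hme0"
    printf '127.0.0.1 localhost\n192.0.2.10 web1.example.edu web1 loghost\n' \
        > "$1/etc/inet/hosts"
    echo "hosts: files" > "$1/etc/nsswitch.conf"   # deviation: no dns
    printf '# ftp disabled\ntelnet stream tcp nowait root /usr/sbin/in.telnetd in.telnetd\n' \
        > "$1/etc/inetd.conf"                      # deviation: telnet enabled
}

# Demo on the constructed tree.
tmp=$(mktemp -d) && make_sample "$tmp"
audit_root "$tmp" || echo "$? check(s) failed"
rm -rf "$tmp"
```

The exit status of `audit_root` is the number of failed checks, so it can gate a build or a cron report.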

Solaris Hardening

  • Install TCP Wrappers
  • SANS Guide 2.3.1-2.3.3, file system configuration
  • Set enhanced syslog logging
      – Set debug level for kern, user, mail, daemon, auth, syslog, lpr, news, uucp, cron, local0-7
  • SANS Guide 2.4.3-2.4.4, Additional Logging

Solaris Hardening

  • Sendmail
      – Obtain updated sendmail kit via anonymous ftp. One such site is:
          • ftp.vt.edu/pub/cc/Solaris/sendmail*2.8*
  • SANS guide 2.6.1-2.6.5
  • SANS guide 2.7.1-2.7.9, Miscellaneous