Documente Academic
Documente Profesional
Documente Cultură
Security Control
2. System Services :
Security Baseline defined for this server ?
NFS Client ?
NFS Server ?
Your site uses Suns Solaris Management Console for system administration
The system uses the Solaris Volume Manager for RAID storage management
Is this system a Kerberos Key Distribution Center (KDC) for the site?
Is the Kerberos security system in use at this site, or some other security
software that makes use of the GSS API?
No
NA
Does this system require NIS+, secure NFS, or any other secure RPCbased service?
Yes
Date :
Page : 1
Security Control
Only enable the volume manager if absolutely necessary :
Is there a business need for the machine to access file systems from
remote file servers via NFS?
Is there a business need that requires users to access this system via
telnet, rather than the more secure SSH protocol?
Is this system a boot server or is there some other business reason why
data must be transferred to and from this system via TFTP?
Is this system a print server, or is there a business reason why users must
submit print jobs from this system?
Is there a business reason why this system must run a Web server?
Is the Solaris Volume Manager GUI administration tool required for the
administration of this system?
Date :
Yes
No
NA
Page : 2
3. Kernel Tuning :
Restrict core dumps to protected directory:
mkdir -p /var/core
chown root:root /var/core
chmod 700 /var/core
coreadm -g /var/core/core_%n_%f_%u_%g_%t_%p \
-e log -e global -e global-setid \
-d process -d proc-setid
4. Logging:
Turn on inetd tracing :
inetadm -M tcp_trace=true
Create /var/adm/loginlog :
touch /var/adm/loginlog chown root:sys /var/adm/loginlog chmod 600
/var/adm/loginlog cd /etc/default awk '/SYSLOG_FAILED_LOGINS=/ \ { $1 =
"SYSLOG_FAILED_LOGINS=0" }; \ { print }' login >login.new mv login.new
login pkgchk -f -n -p /etc/default/login logadm -w loginlog -C 13
/var/adm/loginlog
Date :
Page : 3
5. File/Directory Permissions/Access
Set daemon umask :
cd /etc/default awk '/^CMASK=/ { $1 = "CMASK=022" } { print }' init
>init.new mv init.new init pkgchk -f -n -p /etc/default/init
Configure SSH :
cd /etc/ssh cat <<EOCliConfig >>ssh_config Host * Protocol 2 EOCliConfig
awk '/^Protocol/ { $2 = "2" }; \ /^X11Forwarding/ { $2 = "yes" }; \
/^MaxAuthTries/ { $2 = "5" }; \ /^MaxAuthTriesLog/ { $2 = "0" }; \
/^IgnoreRhosts/ { $2 = "yes" }; \ /^RhostsAuthentication/ { $2 = "no" }; \
/^RhostsRSAAuthentication/ { $2 = "no" }; \ /^PermitRootLogin/ { $2 = "no"
}; \ /^PermitEmptyPasswords/ { $2 = "no" }; \ /^#Banner/ { $1 = "Banner" }
\ { print }' sshd_config > sshd_config.new mv sshd_config.new sshd_config
pkgchk -f -n -p /etc/ssh/sshd_config
Create /etc/ftpd/ftpusers :
cd /etc/ftpd for user in root daemon bin sys adm lp uucp nuucp \ smmsp
listen gdm webservd nobody \ noaccess nobody4 do echo $user >>ftpusers
done sort -u ftpusers >ftpusers.new mv ftpusers.new ftpusers pkgchk -f -n
-p /etc/ftpd/ftpusers
Is this system a mail serverthat is, does this machine receive and
process email from other hosts? if not-
Date :
Page : 4
eeprom security-#badlogins=0 if [ ! "`crontab -l | grep security#badlogins`" ]; then cd /var/spool/cron/crontabs crontab -l >root.tmp echo
"0 0,8,16 * * * /usr/bin/logger -p auth.info \ \`/usr/sbin/eeprom
security-#badlogins\`" >>root.tmp crontab root.tmp rm -f root.tmp fi
eeprom security-mode=command
Date :
Page : 5
done
Verify no legacy '+' entries exist in passwd, shadow, and group files:
grep '^+:' /etc/passwd /etc/shadow /etc/group
passmgmt -m -g 0 root
8. Warning Banners :
Create warnings for standard login services:
echo "Authorized uses only. All activity may be \ monitored and reported."
>/etc/motd echo "Authorized uses only. All activity may be \ monitored and
reported." >/etc/issue pkgchk -f -n -p /etc/motd chown root:root
/etc/issue chmod 644 /etc/issue
Date :
Page : 6
verify :
securitymodenonenone
securitypassword
security#badlogins0
Command Security
With securitymodeset to command:
A password is not required if you type the bootcommand by itself. However, if
you use the bootcommand with an argument, a password is required.
The gocommand never asks for a password.
A password is required to execute any other command.
Examples are shown in the following screen.
Caution It is important to remember your security password and to set the
security password before setting the security mode. If you forget this password, you
cannot use your system; you must call your vendors customer support service to
make your machine bootable again.
TABLE 3-4 Commands
Mode Commands
Date :
Page : 7