
SOLARIS SERVER SECURITY HANDBOOK

POLARIS SOFTWARE LAB LIMITED

Confidentiality Agreement: This document is intended for the use of Polaris and Paladion Networks only. The recipient should ensure that this document is not deconstructed, reproduced or circulated without the prior approval of the document owner.

DOCUMENT VERSION CONTROL


Issue Date: 19-11-2004
Version: 1.0
Prepared By: Mr Sachin Shetty
Approved By: Ms. Sangita Pakala

DOCUMENT CHANGE CONTROL


Issue Date | Version | Description | Requested By | Changed By

DOCUMENT DISTRIBUTION LIST


1) Mr Prabhakar V., Polaris Software Lab Ltd, Purpose: Review
2) Mr Thanukrishnan, Polaris Software Lab Ltd, Purpose: Review

About this document


This document presents the steps for vulnerability assessment of a Solaris server. For each vulnerability it provides a brief description, the impact it can have when it occurs, and recommendations to fix it.


Table of Contents

SOLARIS 7 AND 8 SERVER SECURITY

1. NON-ESSENTIAL USER ACCOUNTS IN THE SYSTEM
2. PASSWORD POLICY IS NOT ENABLED IN THE SYSTEM
3. ACCOUNT LOCKOUT IS NOT ENABLED
4. REMOTE ROOT LOGIN IS ENABLED
5. SU COMMAND IS NOT RESTRICTED
6. NON-ESSENTIAL SERVICES ARE ENABLED IN INETD
7. NON-ESSENTIAL SERVICES ARE ENABLED IN STARTUP SCRIPTS
8. FTP AND TELNET BANNERS ARE ABSENT IN THE SYSTEM
9. INCORRECT PERMISSIONS ON FTP USERS FILE
10. SNMP SERVICE IS NOT SECURED
11. TELNET IS USED FOR REMOTE ADMINISTRATION
12. WEAK NFS SERVICE SETTINGS
13. WEAK USER PERMISSIONS FOR CRON AND AT
14. USER AUTHENTICATION IS NOT AUDITED
15. FAILED LOGIN ATTEMPTS ARE NOT AUDITED
16. WEAK PERMISSION ON LOG FILES
17. WEAK FOLDER PERMISSION
18. WEAK PRELIMINARY NETWORK SETTINGS
19. ADDRESS RESOLUTION PROTOCOL (ARP) CLEANUP INTERVAL IS SET TO A LARGE VALUE
20. IP FORWARDING IS ENABLED
21. WEAK TCP SEQUENCE NUMBER
22. INTENSE USE OF SYSTEM RESOURCES
23. KERNEL LEVEL AUDITING IS NOT ENABLED
24. EEPROM SECURITY FUNCTIONALITY IS DISABLED
25. SECURITY PATCHES ARE NOT INSTALLED

APPENDIX A
CHECKLIST FOR SOLARIS SERVER


Solaris 7 and 8 Server Security


1. Non-essential user accounts in the system

Description: Managing user and system accounts is an important aspect of Solaris Operating Environment security. A default Solaris Operating Environment installation contains several accounts, some of which may need to be modified or deleted.

Impact: Non-essential user accounts increase the likelihood of compromise by giving attackers more accounts to probe for security holes.

How to Check: Check the /etc/passwd file for all user accounts in the system and verify whether the following non-essential accounts are present: daemon, bin, adm, lp, uucp, nuucp, nobody, smtp, listen, noaccess, nobody4, smmsp.

Solution: These accounts either need to be deleted or modified to strengthen security; some of them are not necessary for normal system operation. Non-essential accounts: daemon, bin, adm, lp, uucp, nuucp, nobody, smtp, listen, noaccess, nobody4, smmsp.

Risk Level: Medium

2. Password policy is not enabled in the system

Description: A password policy is required to control user password characteristics, including minimum password length and password aging.

Impact: Users may choose weak passwords or may not change them on a periodic basis; such user accounts can be compromised and lead to unauthorized access.

How to Check: Check the /etc/default/passwd file to verify whether a password policy is enabled.

Solution: Edit the /etc/default/passwd file and set the following password configuration:

PASSLENGTH=8   (minimum password length)
MAXWEEKS=7     (password aging, as required)
MINWEEKS=1     (password aging, as required)

Risk Level: High

3. Account lockout is not enabled

Description: Account lockout specifies the number of consecutive failed logins allowed for a user before the login process terminates the connection.

Impact: An attacker can brute-force passwords and compromise the system.

How to Check: Check the RETRIES parameter in the /etc/default/login file.

Solution: Edit the /etc/default/login file and set the RETRIES parameter to a value of 3.

Risk Level: High

4. Remote root login is enabled

Description: The root user must not be able to log in from a remote console. The login command is part of the authentication process for access to a local Solaris Operating Environment account; it is used on the console and by the in.telnetd daemon to determine whether a user may be granted access to the system.

Impact: A root login over a telnet session can reveal the root password in clear text. Allowing remote root login also lets a malicious user attempt access to the system directly as root, which can lead to system compromise.

How to Check: In the /etc/default/login file, verify whether the CONSOLE=/dev/console parameter is commented out.

Solution: Disable remote root login. The console device is defined by the following entry in the /etc/default/login file:

CONSOLE=/dev/console

When this line is commented out, the root account can log in directly over the network via telnet in addition to the console. If the line is commented out, remove the comment character # from the line and save the file.

Risk Level: High
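The checks in sections 1 to 4 can be scripted. The following is an added example, not part of the handbook; it reads the same files and keys the sections name, and runs here against constructed sample files (the /etc paths to pass on a real server are noted in the comments). Treating PASSLENGTH as a minimum, MAXWEEKS as a maximum and MINWEEKS and RETRIES as bounds is this example's interpretation of the handbook's values.

```shell
#!/bin/sh
# Added example (not from the handbook): audit the account and login settings
# from sections 1-4. Runs against constructed sample files so it works offline;
# on a real server pass /etc/passwd, /etc/default/passwd and /etc/default/login.

# Non-essential accounts listed in section 1.
NONESSENTIAL_ACCOUNTS="daemon bin adm lp uucp nuucp nobody smtp listen noaccess nobody4 smmsp"

# nonessential_accounts PASSWD_FILE: print the listed accounts that exist in the file.
nonessential_accounts() {
    awk -F: -v list="$NONESSENTIAL_ACCOUNTS" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) flag[a[i]] = 1 }
        $1 in flag { print $1 }' "$1"
}

# get_value FILE KEY: value of the last uncommented KEY=value line, or nothing
# if the key is absent or commented out (as #CONSOLE=/dev/console would be).
get_value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | tr -d '[:space:]'
}

# check_passwd_policy FILE: section 2 settings (PASSLENGTH, MAXWEEKS, MINWEEKS).
# Prints one line per check and returns 1 if any check fails.
check_passwd_policy() {
    f=$1; rc=0
    v=$(get_value "$f" PASSLENGTH)
    if [ -n "$v" ] && [ "$v" -ge 8 ]; then echo "OK   PASSLENGTH=$v"
    else echo "FAIL PASSLENGTH=${v:-unset} (want 8 or more)"; rc=1; fi
    v=$(get_value "$f" MAXWEEKS)
    if [ -n "$v" ] && [ "$v" -le 7 ]; then echo "OK   MAXWEEKS=$v"
    else echo "FAIL MAXWEEKS=${v:-unset} (want 7 or less)"; rc=1; fi
    v=$(get_value "$f" MINWEEKS)
    if [ -n "$v" ] && [ "$v" -ge 1 ]; then echo "OK   MINWEEKS=$v"
    else echo "FAIL MINWEEKS=${v:-unset} (want 1 or more)"; rc=1; fi
    return $rc
}

# check_login_defaults FILE: sections 3 and 4 (RETRIES and CONSOLE).
check_login_defaults() {
    f=$1; rc=0
    v=$(get_value "$f" RETRIES)
    if [ -n "$v" ] && [ "$v" -le 3 ]; then echo "OK   RETRIES=$v"
    else echo "FAIL RETRIES=${v:-unset} (want 3 or less)"; rc=1; fi
    v=$(get_value "$f" CONSOLE)
    if [ "$v" = /dev/console ]; then echo "OK   CONSOLE=$v (root limited to the console)"
    else echo "FAIL CONSOLE unset or commented out (remote root login allowed)"; rc=1; fi
    return $rc
}

# Constructed sample files resembling a weak and a hardened configuration.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:1:Super-User:/:/sbin/sh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
uucp:x:5:5:uucp Admin:/usr/lib/uucp:
test:x:1001:10:Test User:/export/home/test:/bin/sh
smmsp:x:25:25:SendMail Message Submission Program:/:
EOF
cat > "$SAMPLE_DIR/weak_login" <<'EOF'
#CONSOLE=/dev/console
RETRIES=5
EOF
cat > "$SAMPLE_DIR/good_login" <<'EOF'
CONSOLE=/dev/console
RETRIES=3
EOF
cat > "$SAMPLE_DIR/weak_passwd_defaults" <<'EOF'
PASSLENGTH=6
EOF
cat > "$SAMPLE_DIR/good_passwd_defaults" <<'EOF'
MAXWEEKS=7
MINWEEKS=1
PASSLENGTH=8
EOF

echo "Non-essential accounts present:"; nonessential_accounts "$SAMPLE_DIR/passwd"
echo "Weak configuration:"
check_passwd_policy "$SAMPLE_DIR/weak_passwd_defaults" || echo "  -> password policy not enforced"
check_login_defaults "$SAMPLE_DIR/weak_login" || echo "  -> login defaults not hardened"
echo "Hardened configuration:"
check_passwd_policy "$SAMPLE_DIR/good_passwd_defaults"
check_login_defaults "$SAMPLE_DIR/good_login"
```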

5. Su command is not restricted

Description: The su command allows a user to switch to the context of another user without logging off. The default target user is root (superuser).

Impact: Access to the su command should be restricted for normal users; successful use of su can lead to unauthorized access.

How to Check: In the /etc/group file, check which users are members of the wheel group. Membership of this group determines who can use the su command (see Solution).

Solution: Restrict the users permitted to use the su command by adding them to the wheel group. If the wheel group has been removed, create one by following the steps given below:

# /usr/sbin/groupadd -g 13 wheel
# /usr/bin/chgrp wheel /usr/bin/su /sbin/su.static
# /usr/bin/chmod 4550 /usr/bin/su /sbin/su.static

Given below is an example of an existing user, test, being added to the wheel group:

# usermod -G wheel test

Risk Level: Medium

6. Non-essential services are enabled in inetd

Description: System services are started by the init system. Some services are not necessary for system operation and should be disabled.

Impact: New or old vulnerabilities found in unused applications or services can be used by malicious users to break in.

How to Check: Check the /etc/inetd.conf file to verify which services are enabled and disabled. A disabled service has a # symbol at the beginning of its entry. Non-essential services in inetd.conf: shell, login, exec, comsat, talk, uucp, tftp, finger, sysstat, netstat, time, daytime, echo, discard, chargen, rquotad, sprayd, walld, rexecd, rstatd, rusersd, ufsd, printer, dtspc, rpc.cmsd, rpc.ttdbserverd, sadmind.

Solution: Disable a service by placing a hash (#) sign in front of its entry in the /etc/inetd.conf file. The services listed under How to Check can be disabled in inetd.conf.

As an example, to disable the rlogin service (the login entry) in /etc/inetd.conf, insert the # at the start of its entry as shown below:

#login   stream  tcp  nowait  root  /usr/sbin/in.rlogind  in.rlogind

Risk Level: Medium
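Reading inetd.conf by eye misses RPC services, which appear by program number (100232/10 ... sadmind) rather than by name. The following added example, not part of the handbook, lists the section 6 services still enabled in an inetd.conf by matching both the first field and the server program, and comments one out; it runs on a constructed sample file (pass /etc/inetd.conf on a real server).

```shell
#!/bin/sh
# Added example (not from the handbook): list the non-essential inetd services
# from section 6 that are still enabled in an inetd.conf, and comment one out.
# Uses a constructed sample file; on a real server pass /etc/inetd.conf.

# Section 6 list, lower-cased. RPC services appear in inetd.conf either by
# name (walld/1) or by program number (100232/10 ... sadmind), so both the
# first field and the server program name are matched against the list.
NONESSENTIAL_SERVICES="shell login exec comsat talk uucp tftp finger sysstat netstat time daytime echo discard chargen rquotad sprayd walld rexecd rstatd rusersd ufsd printer dtspc rpc.cmsd rpc.ttdbserverd sadmind"

# enabled_nonessential INETD_CONF: print matching services that are not commented out.
enabled_nonessential() {
    awk -v list="$NONESSENTIAL_SERVICES" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) bad[a[i]] = 1 }
        /^[[:space:]]*#/ || NF == 0 { next }              # disabled entry or blank line
        {
            svc = tolower($1); sub(/\/.*/, "", svc)       # "walld/1" -> "walld"
            prog = tolower($NF); sub(/.*\//, "", prog)    # "/usr/dt/bin/rpc.cmsd" -> "rpc.cmsd"
            if (svc in bad) print svc
            else if (prog in bad) print prog
        }' "$1" | LC_ALL=C sort -u
}

# comment_out_service INETD_CONF NAME: print the file with NAME's entry disabled.
# Redirect the output to a new file and install it after review; do not edit in place.
comment_out_service() {
    sed "s|^\([[:space:]]*$2[[:space:]/]\)|#\1|" "$1"
}

# Constructed sample resembling a Solaris 8 inetd.conf.
SAMPLE_INETD=$(mktemp)
cat > "$SAMPLE_INETD" <<'EOF'
# constructed sample inetd.conf
ftp     stream  tcp     nowait  root    /usr/sbin/in.ftpd       in.ftpd
telnet  stream  tcp     nowait  root    /usr/sbin/in.telnetd    in.telnetd
shell   stream  tcp     nowait  root    /usr/sbin/in.rshd       in.rshd
#login  stream  tcp     nowait  root    /usr/sbin/in.rlogind    in.rlogind
finger  stream  tcp     nowait  nobody  /usr/sbin/in.fingerd    in.fingerd
#echo   stream  tcp     nowait  root    internal
chargen dgram   udp     wait    root    internal
100068/2-5 dgram rpc/udp wait root /usr/dt/bin/rpc.cmsd rpc.cmsd
100232/10  tli   rpc/udp wait root /usr/sbin/sadmind sadmind
walld/1    tli   rpc/datagram_v wait root /usr/lib/netsvc/rwall/rpc.rwalld rpc.rwalld
EOF

echo "Enabled non-essential services:"
enabled_nonessential "$SAMPLE_INETD"
echo "After commenting out shell:"
comment_out_service "$SAMPLE_INETD" shell > "$SAMPLE_INETD.new"
enabled_nonessential "$SAMPLE_INETD.new"
```

On a live system, follow the edit with a restart of inetd so that the new configuration is read.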

7. Non-essential services are enabled in startup scripts

Description: Solaris starts many services at boot time, some of which are dangerous or simply not useful. By renaming the links in the /etc/rc*.d directories, the administrator prevents these processes from starting.

Impact: New or old vulnerabilities found in unused applications or services can be used by malicious users to break in.

How to Check: Check the /etc/rc2.d and /etc/rc3.d folders to verify that the non-essential services have been renamed. Non-essential services started from /etc/rc2.d and /etc/rc3.d:

ab2 (AnswerBook2)
dtlogin (CDE and X service)
Desktop Management Interface
Apache
MIP (Mobile IP Agent)
Asppp
DHCP
Auto installer
Name service caching daemon (nscd)
Directory service (LDAP) server
Volume Manager
PPP
SAMBA
UUCP
Power Management Service
RPC
KDC
NFS Server
IPv6
NFS Client
PRESERVE
SENDMAIL
Print Services
Serial Line Printing
spc (Solaris print client)
WBEM
Autofs
Sysid.net

Solution: Services can be prevented from starting by changing the capital 'S' in the name of the script to a lowercase 's'. Rename the auto-configuration related links in /etc/rc2.d and the unnecessary startup scripts for the services listed above in /etc/rc2.d and /etc/rc3.d.

As an example, to disable autoinstall, uucp, NFS and nscd, run the following commands:

# cd /etc/rc2.d
# mv S72autoinstall s72autoinstall
# mv S70uucp s70uucp
# mv K28nfs.server k28nfs.server
# mv S76nscd s76nscd

Risk Level: Medium

8. FTP and Telnet banners are absent in the system

Description: The FTP and TELNET services should run with appropriate banners so that they do not advertise the operating system version when users connect to the system.

Impact: Attackers can fingerprint the OS from the banner and use the information to launch attacks specific to that system.

How to Check: Check for the files telnetd and ftpd in the /etc/default folder and verify whether the BANNER= parameter is set in each. The OS version number must be removed from the telnetd and ftpd banners.

Solution: Create the files telnetd and ftpd in /etc/default with the entry below to mask the OS version number in the banner:

BANNER=

Risk Level: Low

9. Incorrect permissions on FTP users file

Description: By default all local user accounts have FTP access to the system. This access should be restricted to users according to the company security policy.

Impact: A user can download important files or upload viruses to the system.

How to Check: Check the owner and permissions of the /etc/ftpusers file and verify which user names are present in it. FTP access is denied for the accounts listed in this file.

Solution: To restrict FTP access for all users, use the following commands:

# touch /etc/ftpusers
# chown root /etc/ftpusers
# chgrp root /etc/ftpusers
# chmod 600 /etc/ftpusers
# cat /etc/passwd | cut -f1 -d: > /etc/ftpusers

The above steps deny FTP access to all accounts; remove the accounts that require FTP access from /etc/ftpusers.

Risk Level: High

10. SNMP service is not secured

Description: SNMP is used to manage servers and uses community strings to control access. By default the SNMP read community string is named public and the write community string is named private. These are well-known community strings.

Impact: System information can be read by an attacker using the default SNMP strings. An attacker can also reconfigure the system with administrative privileges, leading to denial of service.

How to Check: Check the /etc/snmp/conf/snmpd.conf file to verify the community string names.

Solution: Edit the /etc/snmp/conf/snmpd.conf file and set non-guessable community strings. The following is a sample snmpd.conf file. Replace the default community strings public and private in this file with stronger ones, and limit the SNMP servers that can query the machine by replacing the value snmp-server with the name of the SNMP server in your environment.

sysdescr                        ALLDESC
syscontact                      ALLCONT
sysLocation                     ALLLOC
#
system-group-read-community     public
#system-group-write-community   private
#
read-community                  public
#write-community                private
#
trap                            localhost
trap-community                  SNMP-trap
#
managers                        snmp-server

Risk Level: High

11. Telnet is used for remote administration

Description: Telnet is used for remote administration in Solaris. The telnet protocol sends authentication credentials and data to the server in clear text. SSH is a secure protocol that encrypts the session.

Impact: Attackers can capture sensitive data such as usernames and passwords with a simple packet sniffer if the transmission between client and server is not encrypted.

How to Check: Use the pkginfo -x command to check whether the OPENSSH, OPENSSL and ZLIB packages are installed on the system.

Solution: Download the latest precompiled versions of these packages and install them. Install SSH client software at the client end.

Risk Level: High

12. Weak NFS service settings

Description: NFS is used to share file systems; normally all users have global write permission on the network shares exported through NFS.

Impact: Malicious users can read, write or delete data on the network shares.

How to Check: If the NFS service is enabled, check /etc/dfstab to verify the users' permissions on the network shares. Also check the nfssrv:nfs_portmon parameter in the /etc/system file.

Solution: Configure the /etc/dfstab file and ensure that all shared file systems have restricted permissions. Provide read-write access only to the appropriate groups and users; as a minimum precaution, ensure that no share is world-writable. Also enable restricted NFS port access: when this is enabled the NFS server only accepts connections from ports lower than 1024. This parameter is defined in /etc/system; add the following line to the /etc/system file:

set nfssrv:nfs_portmon=1

Risk Level: Medium

13. Weak user permissions for CRON and AT

Description: CRON and AT can be used to create scheduled tasks. Users should be given granular permissions for scheduling tasks.

Impact: Unauthorized access to these services can be used to run malicious processes, including backdoors.

How to Check: In the /etc/cron.d/ folder, check whether the cron.allow, cron.deny, at.allow and at.deny files are present, and verify that the user names added to these files agree with company policy.

Solution: The CRON and AT related files must be secured. Only root should be permitted to run CRON and AT jobs; permissions for other users, if required, should be given at a granular level. The files in /etc/cron.d control which users can use the cron and at facilities.

Create the /etc/cron.d/cron.allow file:

# echo "root" > /etc/cron.d/cron.allow
# chown root /etc/cron.d/cron.allow
# chmod 600 /etc/cron.d/cron.allow

Create the /etc/cron.d/at.allow file:

# cp -p /etc/cron.d/cron.allow /etc/cron.d/at.allow

Create the /etc/cron.d/cron.deny file:

# cat /etc/passwd | cut -f1 -d: | grep -v root > /etc/cron.d/cron.deny
# chown root /etc/cron.d/cron.deny
# chmod 600 /etc/cron.d/cron.deny

Create the /etc/cron.d/at.deny file:

# cp -p /etc/cron.d/cron.deny /etc/cron.d/at.deny

Risk Level: Medium

14. User authentication is not audited

Description: The syslog facility is used to log system activity. The syslog daemon receives log messages from several sources and directs them to the appropriate location based on the configured facility and priority. It can be used to capture all successful and failed logins.

Impact: Malicious login attempts cannot be monitored.

How to Check: Check whether the following line is present in the /etc/syslog.conf file:

auth.info	/var/log/authlog

Check whether the authlog file is present in the /var/log folder and verify the permissions on the file.

Solution: Add the following entry to /etc/syslog.conf to capture syslog events sent to LOG_AUTH. These contain information on successful and failed login and su (switch user) attempts.

auth.info	/var/log/authlog

Use a TAB, not spaces, to separate auth.info from /var/log/authlog. Create /var/log/authlog by executing the following commands:

# touch /var/log/authlog
# chown root /var/log/authlog
# chmod 600 /var/log/authlog

Risk Level: High
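The TAB requirement above is easy to get wrong and is invisible in most editors: a space-separated entry is silently ignored by syslogd. The following added example, not part of the handbook, checks a syslog.conf for a correctly tab-separated auth.info entry and rewrites a space-separated one; it runs on constructed sample files (pass /etc/syslog.conf on a real server).

```shell
#!/bin/sh
# Added example (not from the handbook): verify that the section 14 entry
# "auth.info<TAB>/var/log/authlog" is present and really tab-separated, and
# rewrite a space-separated entry. Uses constructed sample files; on a real
# server pass /etc/syslog.conf and review the output before installing it.

TAB=$(printf '\t')

# check_authlog_entry SYSLOG_CONF: returns 0 if the entry is present and
# tab-separated, 2 if present but space-separated, 1 if absent.
check_authlog_entry() {
    if grep -q "^auth\.info${TAB}[${TAB} ]*/var/log/authlog[[:space:]]*\$" "$1"; then
        echo "OK   auth.info entry is tab-separated"; return 0
    elif grep -q "^auth\.info[[:space:]]*/var/log/authlog[[:space:]]*\$" "$1"; then
        echo "FAIL auth.info entry uses spaces; syslogd will not log to /var/log/authlog"; return 2
    else
        echo "FAIL no auth.info entry for /var/log/authlog"; return 1
    fi
}

# fix_authlog_entry SYSLOG_CONF: print the file with the entry tab-separated,
# appending it when it is missing. Other lines are printed unchanged.
fix_authlog_entry() {
    awk 'BEGIN { OFS = "\t"; seen = 0 }
         $1 == "auth.info" && $2 == "/var/log/authlog" { $1 = $1; seen = 1 }   # rebuild with OFS
         { print }
         END { if (!seen) print "auth.info", "/var/log/authlog" }' "$1"
}

# Constructed samples: space-separated, correct, and missing entries.
SAMPLE_DIR=$(mktemp -d)
printf 'auth.info /var/log/authlog\n*.err;kern.notice\t/dev/sysmsg\n' > "$SAMPLE_DIR/spaces.conf"
printf 'auth.info\t/var/log/authlog\n' > "$SAMPLE_DIR/tab.conf"
printf '*.err;kern.notice\t/dev/sysmsg\n' > "$SAMPLE_DIR/missing.conf"

for f in spaces tab missing; do
    echo "$f.conf:"; check_authlog_entry "$SAMPLE_DIR/$f.conf" || true
done
fix_authlog_entry "$SAMPLE_DIR/spaces.conf" > "$SAMPLE_DIR/fixed.conf"
echo "fixed.conf:"; check_authlog_entry "$SAMPLE_DIR/fixed.conf"
```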

15. Failed login attempts are not audited

Description: Logging of failed login attempts must be enabled on the system, and the administrator should review the logs on a periodic basis. These log messages are stored in the /var/adm/loginlog file, which captures only failed login attempts, after 5 consecutive bad attempts from any console or remote session. This logging feature is used to isolate failed login attempts only.

Impact: An attacker can attempt a brute-force attack to get into the system, and these attempts cannot be monitored.

How to Check: In the /var/adm folder, check whether the loginlog file is present and verify the permissions on the file.

Solution: Create /var/adm/loginlog to capture failed logins:

# touch /var/adm/loginlog
# chown root /var/adm/loginlog
# chmod 600 /var/adm/loginlog

Risk Level: High

16. Weak permission on log files

Description: In the Solaris OS only root has read and write permission on the log files by default. Any permission for another user or group on these log files is suspicious.

Impact: Attackers can remove the traces of an attack from the log files.

How to Check: Check the permissions on the following files:

/var/adm/messages
/var/log/syslog
/var/adm/loginlog

Solution: Set the permissions on the log files as follows (for the files that are present):

# chmod 600 /var/adm/messages /var/log/syslog /var/adm/loginlog

Risk Level: Medium

17. Weak folder permission

Description: Some folders in the Solaris system contain critical system files, and the permissions on these folders should be secured. Folders such as /var/spool (which contains the cron jobs) and /etc/security (which contains security-related files) often have weak permissions.

Impact: Any user on the system can easily access the files in those folders.

How to Check: Ensure that the permissions on the /tmp folder are appropriately set; the permissions on /tmp must be checked both before and after file systems are mounted. Ensure that the sticky bit is set on the /tmp and /var/tmp folders (in a default install both have the sticky bit set). Compare the folders with the safe permissions below:

Folder           Safe Permission
/etc             755
/var             755
/var/spool       755
/var/cron        700
/etc/security    750
/tmp             1755
/var/tmp         1755

Solution: Set the following permissions on the /etc, /var, /var/spool, /var/cron and /etc/security folders and on /tmp and /var/tmp:

Folder           Permission
/etc             755
/var             755
/var/spool       755
/var/cron        700
/etc/security    750
/tmp             1755
/var/tmp         1755

Risk Level: Medium
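The permission checks in sections 16 and 17 can be automated against the tables above. The following added example, not part of the handbook, derives each path's octal mode from ls -ld (which works on Solaris releases that have no stat command) and reports deviations; it builds a constructed directory tree to run on, and takes an empty root prefix to audit a live system.

```shell
#!/bin/sh
# Added example (not from the handbook): audit the file and folder permissions
# from sections 16 and 17 against the handbook's safe values. The octal mode is
# derived from ls -ld so it also works on Solaris releases without stat(1).
# Runs against a constructed directory tree; pass "" as the root on a live system.

# mode_of PATH: octal mode such as 755, 600 or 1755 (setuid/setgid/sticky
# bits shown as a leading digit, as in the handbook's table).
mode_of() {
    ls -ld "$1" | awk '{
        p = substr($1, 2, 9); special = 0; mode = ""
        for (i = 0; i < 3; i++) {
            bits = 0
            for (j = 1; j <= 3; j++) {
                c = substr(p, i * 3 + j, 1)
                if (c == "r") bits += 4
                else if (c == "w") bits += 2
                else if (c == "x" || c == "s" || c == "t") bits += 1
                if (c == "s" || c == "S") special += (i == 0) ? 4 : 2   # setuid / setgid
                if (c == "t" || c == "T") special += 1                  # sticky
            }
            mode = mode bits
        }
        if (special) print special "" mode; else print mode
    }'
}

# Path and safe mode, from the tables in sections 16 and 17.
SAFE_MODES='
/var/adm/messages 600
/var/log/syslog 600
/var/adm/loginlog 600
/etc 755
/var 755
/var/spool 755
/var/cron 700
/etc/security 750
/tmp 1755
/var/tmp 1755
'

# audit_modes ROOT: compare each path under ROOT with its safe mode; prints
# one line per path and returns 1 if any existing path deviates.
audit_modes() {
    root=$1; fails=0
    while read -r path want; do
        [ -n "$path" ] || continue
        if [ ! -e "$root$path" ]; then echo "SKIP $path (absent)"; continue; fi
        have=$(mode_of "$root$path")
        if [ "$have" = "$want" ]; then echo "OK   $path $have"
        else echo "FAIL $path is $have, safe value $want"; fails=$((fails + 1)); fi
    done <<EOF
$SAFE_MODES
EOF
    [ "$fails" -eq 0 ]
}

# Constructed tree: most entries already safe, /var/spool and /tmp too open,
# /var/log/syslog readable by its group.
ROOT=$(mktemp -d)
mkdir -p "$ROOT/etc/security" "$ROOT/var/spool" "$ROOT/var/cron" "$ROOT/var/adm" \
         "$ROOT/var/log" "$ROOT/tmp" "$ROOT/var/tmp"
touch "$ROOT/var/adm/messages" "$ROOT/var/log/syslog" "$ROOT/var/adm/loginlog"
chmod 755 "$ROOT/etc" "$ROOT/var" && chmod 750 "$ROOT/etc/security" && chmod 700 "$ROOT/var/cron"
chmod 777 "$ROOT/var/spool" && chmod 1777 "$ROOT/tmp" && chmod 1755 "$ROOT/var/tmp"
chmod 600 "$ROOT/var/adm/messages" "$ROOT/var/adm/loginlog" && chmod 640 "$ROOT/var/log/syslog"

audit_modes "$ROOT" || echo "Deviations found; apply chmod with the safe values listed above."
```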

18. Weak preliminary network settings

Description: There are many possible ways to compromise network services: they contain programming flaws, use weak authentication, transfer sensitive data unencrypted, and allow connections from any network host. Network settings should be securely configured to prevent attacks.

Impact: Weak network settings can be used to launch DoS attacks on the server or to use the machine as an intermediary in attacks.

How to Check: Check whether the nddconfig file is present in /etc/init.d and, if it is, check its permissions. Then check the values of the following parameters in the nddconfig file:

Parameter                              Safe Value
ip_forward_directed_broadcasts         0
ip_strict_dst_multihoming              1
ip_ignore_redirect                     1
ip_forward_src_routed                  0
ip_respond_to_address_mask_broadcast   0
ip_respond_to_timestamp                0
ip_respond_to_timestamp_broadcast      0
ip_send_redirects                      0
tcp_conn_req_max_q                     1280
tcp_conn_req_max_q0                    10240
tcp_mss_min                            128

Solution: Create /etc/init.d/nddconfig and also create a link to it at /etc/rc2.d/S70nddconfig, using the following commands:

# touch /etc/init.d/nddconfig
# ln /etc/init.d/nddconfig /etc/rc2.d/S70nddconfig

Set the ownership and permissions on the nddconfig file:

# chown root:root /etc/init.d/nddconfig
# chmod 744 /etc/init.d/nddconfig

Set the following parameters in the nddconfig file:

Parameter                              Value
ip_forward_directed_broadcasts         0
ip_strict_dst_multihoming              1
ip_ignore_redirect                     1
ip_forward_src_routed                  0
ip_respond_to_address_mask_broadcast   0
ip_respond_to_timestamp                0
ip_respond_to_timestamp_broadcast      0
ip_send_redirects                      0
tcp_conn_req_max_q                     1280
tcp_conn_req_max_q0                    10240
tcp_mss_min                            128

Alternatively, set the parameters from the command line using the command:

/usr/sbin/ndd -set /dev/<protocol_name> <parameter_name> <value>

For example:

/usr/sbin/ndd -set /dev/ip ip_respond_to_echo_broadcast 0

Risk Level: Medium

19. Address Resolution Protocol (ARP) cleanup interval is set to a large value

Description: The ARP cleanup interval determines how long the ARP cache retains its entries.

Impact: ARP attacks may be effective with the default interval.

How to Check: In the nddconfig file, check whether the arp_cleanup_interval parameter is present and, if it is, whether its value is safe. The safe value is 1000.

Solution: Configure the ARP cache cleanup interval to 1000 by adding the following line to the /etc/init.d/nddconfig file (written without a leading #, which would turn the line into a comment):

ndd -set /dev/arp arp_cleanup_interval 1000

Risk Level: High

20. IP forwarding is enabled

Description: IP forwarding is used to forward IP packets from one network interface of the system to another.

Impact: The IP forwarding feature can consume system resources when the traffic load is very high, leading to performance bottlenecks.

How to Check: In the nddconfig file, check the value of the ip_forwarding parameter.

Solution: Disable IP forwarding if it is not required by adding the following line to the /etc/init.d/nddconfig file:

/usr/sbin/ndd -set /dev/ip ip_forwarding 0

Risk Level: Low
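Sections 18 to 20 all end up as ndd -set lines in /etc/init.d/nddconfig. The following added example, not part of the handbook, generates that script from the combined parameter table and audits a system against the same table. ndd exists only on Solaris, so the audit takes the value-reading command as an argument; the demo uses a constructed getter with made-up values (the Solaris invocation is noted in a comment).

```shell
#!/bin/sh
# Added example (not from the handbook): generate the /etc/init.d/nddconfig
# script from the parameter tables in sections 18-20, and audit a running
# system against the same table. ndd is not available off Solaris, so the
# audit takes the "getter" command as an argument and the demo uses a
# constructed getter; on Solaris use /usr/sbin/ndd -get (see below).

# Parameter and safe value, as listed in sections 18 (nddconfig table),
# 19 (arp_cleanup_interval) and 20 (ip_forwarding).
NDD_SAFE='
ip_forward_directed_broadcasts 0
ip_strict_dst_multihoming 1
ip_ignore_redirect 1
ip_forward_src_routed 0
ip_respond_to_address_mask_broadcast 0
ip_respond_to_timestamp 0
ip_respond_to_timestamp_broadcast 0
ip_send_redirects 0
tcp_conn_req_max_q 1280
tcp_conn_req_max_q0 10240
tcp_mss_min 128
arp_cleanup_interval 1000
ip_forwarding 0
'

# driver_for PARAM: the /dev node ndd needs, taken from the parameter prefix.
driver_for() {
    case "$1" in
        ip_*)  echo /dev/ip ;;
        tcp_*) echo /dev/tcp ;;
        arp_*) echo /dev/arp ;;
        *)     echo "unknown parameter prefix: $1" >&2; return 1 ;;
    esac
}

# generate_nddconfig: print the startup script body (one ndd -set per line).
generate_nddconfig() {
    echo '#!/bin/sh'
    echo '# /etc/init.d/nddconfig: kernel network settings applied at boot'
    while read -r param value; do
        [ -n "$param" ] || continue
        echo "/usr/sbin/ndd -set $(driver_for "$param") $param $value"
    done <<EOF
$NDD_SAFE
EOF
}

# audit_ndd GETTER: GETTER is run as "GETTER /dev/xxx param" and must print the
# current value. Prints one line per parameter; returns 1 on any deviation.
audit_ndd() {
    getter=$1; fails=0
    while read -r param value; do
        [ -n "$param" ] || continue
        current=$("$getter" "$(driver_for "$param")" "$param")
        if [ "$current" = "$value" ]; then echo "OK   $param=$current"
        else echo "FAIL $param=${current:-unknown} (safe value $value)"; fails=$((fails + 1)); fi
    done <<EOF
$NDD_SAFE
EOF
    [ "$fails" -eq 0 ]
}

# On Solaris:  ndd_get() { /usr/sbin/ndd -get "$1" "$2"; }  then  audit_ndd ndd_get
# Constructed getter standing in for an unhardened system; the values are made
# up for the demo, not measured defaults.
FAKE_CURRENT='
ip_forward_directed_broadcasts 1
ip_strict_dst_multihoming 0
ip_ignore_redirect 0
ip_forward_src_routed 1
ip_respond_to_address_mask_broadcast 0
ip_respond_to_timestamp 1
ip_respond_to_timestamp_broadcast 1
ip_send_redirects 1
tcp_conn_req_max_q 128
tcp_conn_req_max_q0 1024
tcp_mss_min 1
arp_cleanup_interval 300000
ip_forwarding 0
'
fake_ndd_get() {   # $1 = device (ignored by the fake), $2 = parameter
    echo "$FAKE_CURRENT" | awk -v p="$2" '$1 == p { print $2 }'
}

generate_nddconfig
audit_ndd fake_ndd_get || echo "Deviations found; install the generated nddconfig, or apply the values now with ndd -set."
```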

21. Weak TCP sequence number

Description: Different operating systems use different algorithms for generating TCP sequence numbers. Solaris can be configured to generate strong sequence numbers; TCP initial sequence number (ISN) randomization should be strong enough to resist attacks.

Impact: Weak ISN generation can lead to TCP session hijacking.

How to Check: In the /etc/default/inetinit file, check the value of the TCP_STRONG_ISS parameter.

Solution: Configure RFC 1948 TCP sequence number generation by setting the following line in /etc/default/inetinit:

TCP_STRONG_ISS=2

Risk Level: High

22. Intense use of system resources

Description: Server performance affects end-user response. It is important to restrict the usage of system resources so that no single user process can monopolize them.

Impact: Excessive usage causes performance overheads and can lead to denial of service for users.

How to Check: In the /etc/system file, check the values of the maxuprc and sys:coredumpsize parameters. The safe values are maxuprc = 128 and sys:coredumpsize = 0.

Solution: Limit user resource consumption by adding the following lines to /etc/system:

set maxuprc = 128
set sys:coredumpsize = 0

Risk Level: Medium

23. Kernel level auditing is not enabled

Description: Sun's Basic Security Module (BSM) auditing functionality can provide the administrator with a detailed report of all system activity.

Impact: Malicious attacks on the system cannot be monitored without system-level auditing. Audit records of failed attempts can be early indicators of attacks.

How to Check: In the /etc/security folder, check for the files bsmconv and audit_control. Use the ps -ef command to check whether BSM (the auditd process) is running. Check whether the following parameters are set in the audit_control file:

dir:/var/audit
flags:lo,ad,-all,^-fm
naflags:lo,ad
minfree:20

Solution: Enable BSM by running the following command:

echo y | /etc/security/bsmconv

Configure the /etc/security/audit_control file:

dir:/var/audit
flags:lo,ad,-all,^-fm
naflags:lo,ad
minfree:20

Risk Level: Medium

24. EEPROM security functionality is disabled

Description: A number of system changes, including changes to the boot parameters, can be made from the EEPROM of Sun hardware. EEPROM security functionality should be enabled on the system.

Impact: A malicious user can make system-level changes and modify the boot parameters, leading to system downtime.

How to Check: Use the following command to check the security mode:

eeprom security-mode

Solution: Turn on EEPROM security functionality using the command:

# eeprom security-mode=command

To set the password, use the following command (it prompts for the new password):

# eeprom security-password=

Risk Level: High

25. Security patches are not installed

Description: Sun provides patches for the Solaris Operating Environment and unbundled software products. All systems should have the latest recommended security patches installed.

Impact: Attackers can exploit known vulnerabilities to gain administrative access or cause denial of service.

How to Check: Use the showrev -p command to list all patches installed on the system. Use the patchdiag.xref file to obtain the latest patch information and compare it with the patches installed on the system.

Solution: Update the system with the latest security patches. Note: schedule downtime for the machine if a patch requires a reboot, and ensure that no users are connected to the system while patches are applied. Examine all system init scripts and test all patches on non-production systems to discover any configuration changes.

Risk Level: High
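The comparison described under How to Check can be scripted. The following added example, not part of the handbook, reads showrev -p output and a patchdiag.xref excerpt and reports the security patches that are missing or out of date; both inputs are constructed samples with made-up patch ids, and the xref column layout it assumes (patchid|rev|date|recommended|security|...|synopsis as the 11th field) should be verified against your own copy of patchdiag.xref.

```shell
#!/bin/sh
# Added example (not from the handbook): compare the patches listed by
# showrev -p with a patchdiag.xref and report security patches that are
# missing or out of date (section 25). Both inputs below are constructed
# samples with made-up patch ids. The xref column layout used here,
# patchid|rev|date|recommended|security|...|synopsis (11th field), is an
# assumption to verify against your copy of patchdiag.xref.

# installed_patches SHOWREV_OUTPUT: print "patchid rev" per installed patch.
installed_patches() {
    awk '$1 == "Patch:" { split($2, p, "-"); print p[1], p[2] + 0 }' "$1"
}

# security_patch_status SHOWREV_OUTPUT XREF: for every xref entry flagged S
# print OK, OUTDATED or MISSING; returns 1 if any patch is outdated or missing.
security_patch_status() {
    awk -F'|' -v showrev="$1" '
        BEGIN {
            while ((getline line < showrev) > 0) {
                split(line, w, " ")
                if (w[1] == "Patch:") { split(w[2], p, "-"); have[p[1]] = p[2] }
            }
        }
        /^#/ || NF < 11 { next }      # comments and malformed rows
        $5 != "S"       { next }      # not flagged as a security patch
        {
            id = $1; latest = $2 + 0
            if (!(id in have))              { print "MISSING " id "-" $2 ": " $11; bad++ }
            else if (have[id] + 0 < latest) { print "OUTDATED " id "-" have[id] " (latest " $2 "): " $11; bad++ }
            else                            { print "OK " id "-" have[id] }
        }
        END { exit (bad ? 1 : 0) }' "$2"
}

# Constructed samples (made-up patch ids, assumed xref layout).
SHOWREV=$(mktemp); XREF=$(mktemp)
cat > "$SHOWREV" <<'EOF'
Patch: 100001-05 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 100002-02 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsr
Patch: 100004-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWlibC
EOF
cat > "$XREF" <<'EOF'
# constructed patchdiag.xref excerpt (assumed column layout, made-up ids)
100001|05|Jan/05/04|R|S| | |8|sparc|SUNWcsu|SunOS 5.8: sample security patch A
100002|07|Mar/02/04|R|S| | |8|sparc|SUNWcsr|SunOS 5.8: sample security patch B
100003|03|Jun/10/04| |S| | |8|sparc|SUNWcsl|SunOS 5.8: sample security patch C
100004|02|Feb/14/04|R| | | |8|sparc|SUNWlibC|SunOS 5.8: sample non-security patch D
EOF

echo "Installed patches:"; installed_patches "$SHOWREV"
echo "Security patch status:"
security_patch_status "$SHOWREV" "$XREF" || echo "Install the missing/outdated patches (schedule downtime if a reboot is needed)."
```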

Appendix A
Checklist for Solaris Server

#    Description                                                  Risk Level   Server1   Server 2

System Settings
1    Weak file system configuration                               Medium
2    Non-essential user accounts in the system                    Medium
3    Password policy is not enabled in the system                 High
4    Accounts with empty passwords                                High
5    Duplicate UIDs are present in the system                     High
6    Account lockout is not enabled                               High
7    Remote root login is enabled                                 High
8    Password is not mandatory                                    High
9    Login banner is not enabled                                  Low
10   Su command is not restricted                                 Medium
11   Non-essential services are enabled in inetd                  Medium
12   Non-essential services are enabled in startup scripts        Medium
13   FTP and Telnet banners are absent in the system              Low
14   FTP users are not restricted                                 High
15   SNMP service is not secured                                  High
16   Telnet is used for remote administration                     High
17   Executable stacks are not secured                            Medium
18   Weak NFS service settings                                    Medium
19   Weak system umask                                            High
20   Weak user permissions for CRON and AT                        Medium
21   User authentication is not audited                           High
22   Failed login attempts are not audited                        High
23   Weak permission on log files                                 Medium
24   Weak folder permission                                       Medium
25   Non-root ufs file system is mounted with suid enabled        High
26   Weak preliminary network settings                            Medium
27   ARP cleanup interval is set to a large value                 High
28   IP forwarding is enabled                                     Low
29   Weak TCP sequence number                                     High
30   Intense use of system resources                              Medium
31   Kernel level auditing is not enabled                         Medium
32   EEPROM security functionality is disabled                    High
33   Remote login by unauthenticated users                        High
34   Security patches are not installed                           High

(The Server1 and Server 2 columns are left blank for recording each server's findings.)

PALADION NETWORKS
www.paladion.net
info@paladion.net

Head office: 307, Devavrata, Plot 83, Sector 17, Vashi, Navi Mumbai 400703, India. Phone: +91-22-55910513, Fax: +91-22-55913580

Branch offices:
India: Manipal Centre, 47, Dickenson Road, Bangalore 560042, India. Phone: +91-80-5588698, Fax: +91-80-5092108
USA: 12801 Worldgate Drive, Suite 500, Herndon, VA 20170, USA. Phone: +1-703-871-3934, Fax: +1-703-871-3936
USA: 4160 Technology Drive, Suite G3, Fremont, CA 94538, USA. Phone: +1-510-490-3755, Fax: +1-510-490-3755
Malaysia: F313, Block F, Phileo Damansara 1, No. 9, Jln 16/11 off Jalan Damansara, 46350 Petaling Jaya. Phone: +603.7960.4275
