Confidentiality Agreement: This document is intended for the use of Polaris and Paladion Networks only. The recipient should ensure that this document is not deconstructed, reproduced or circulated without the prior approval of the document owner.
Table of Contents
Appendix A .......... 17
Checklist for Solaris Server .......... 17
Solution: These accounts either need to be deleted or modified to strengthen security. Some accounts are not necessary for normal system operation.
Non-essential accounts: daemon, bin, adm, lp, uucp, nuucp, nobody, smtp, listen, noaccess, nobody4, smmsp
2.
Description: A password policy is required to control user password characteristics, including minimum password length and password aging.
Impact: Users may choose weak passwords or may not change passwords periodically; such accounts can be compromised and lead to unauthorized access.
How to Check: Check the /etc/default/passwd file to verify whether the password policy is enabled.
Solution: Edit the /etc/default/passwd file and set the following password configuration:
  PASSLENGTH=8    (minimum password length)
  MAXWEEKS=7      (password aging, as required)
  MINWEEKS=1      (password aging, as required)
Risk Level: High
How to Check: In the /etc/default/login file, verify whether the CONSOLE=/dev/console parameter is commented out.
Solution: Disable remote root login. The console device is defined by the following entry in the /etc/default/login file:
  CONSOLE=/dev/console
When this line is commented out, the root account can log in directly over the network via telnet in addition to the console. If the line is commented out, remove the comment character (#) from the line and save the file.
Risk Level: High
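The two checks above (password thresholds in /etc/default/passwd and the CONSOLE setting in /etc/default/login) as an added audit script; it is not part of the original checklist and runs on constructed sample files, treating a commented-out line as "not set":

```sh
#!/bin/sh
# Added example; not part of the original checklist. Reads an uncommented
# KEY=VALUE line from a Solaris /etc/default/* style file and applies the
# checklist's thresholds. A commented-out line such as "#CONSOLE=/dev/console"
# counts as "not set", which is exactly the weak state the checklist describes.

default_value() {   # usage: default_value FILE KEY  (prints value; fails if unset)
    awk -F= -v key="$2" '
        /^[[:space:]]*#/ { next }                    # commented out: not in effect
        { k = $1; v = $2; gsub(/[[:space:]]/, "", k); gsub(/[[:space:]]/, "", v) }
        k == key { print v; found = 1; exit }
        END { exit (found ? 0 : 1) }' "$1"
}

# Checklist thresholds: PASSLENGTH >= 8, MAXWEEKS <= 7, MINWEEKS >= 1.
# Prints one line per weak or missing setting and returns 1 if any was found.
check_passwd_policy() {   # usage: check_passwd_policy /etc/default/passwd
    f=$1; bad=0
    len=$(default_value "$f" PASSLENGTH) && [ "$len" -ge 8 ] || { echo "PASSLENGTH weak or unset"; bad=1; }
    max=$(default_value "$f" MAXWEEKS)   && [ "$max" -le 7 ] || { echo "MAXWEEKS weak or unset";   bad=1; }
    min=$(default_value "$f" MINWEEKS)   && [ "$min" -ge 1 ] || { echo "MINWEEKS weak or unset";   bad=1; }
    return $bad
}

# Succeeds only when CONSOLE=/dev/console is active, i.e. root may log in on
# the console alone and not over the network.
check_console_restricted() {   # usage: check_console_restricted /etc/default/login
    c=$(default_value "$1" CONSOLE) && [ "$c" = "/dev/console" ]
}

# Constructed sample files (both deliberately weak) so the checks run offline.
make_samples() {   # prints the directory holding "passwd" and "login"
    d=${TMPDIR:-/tmp}/defaults.sample.$$
    mkdir -p "$d"
    printf 'PASSLENGTH=6\nMAXWEEKS=7\n#MINWEEKS=1\n' > "$d/passwd"
    printf '#CONSOLE=/dev/console\nPASSREQ=YES\n' > "$d/login"
    echo "$d"
}
```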
Impact: New or old vulnerabilities in unused applications/services can be used by malicious users to break in.
How to Check: Check the /etc/inetd.conf file to verify which services are enabled and disabled in the system. For disabled services a # symbol can be found at the beginning of the service name.
Non-essential services in inetd.conf: shell, uucp, time, rquotad, ufsd, login, tftp, echo, sprayd, printer, exec, finger, discard, walld, dtspc, comsat, sysstat, daytime, rexecd, rpc.cmsd, talk, netstat, chargen, rpc.ttdbserverd, rstatd, rusersd, sadmind
Solution: Disable a service by placing a hash (#) sign in front of the service in the /etc/inetd.conf file. The following services can be disabled in inetd.conf: shell, uucp, time, rquotad, ufsd, login, tftp, echo, sprayd, printer, exec, finger, discard, walld, dtspc, comsat, sysstat, daytime, rexecd, rpc.cmsd, talk, netstat, chargen, rpc.ttdbserverd, rstatd, rusersd, sadmind
As an example, to disable the rlogin service in the /etc/inetd.conf file, insert the # as shown below:
  #rlogin  stream  tcp  nowait  root  /usr/sbin/in.rlogind  in.rlogind
Risk Level: Medium
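The inetd.conf check described above as an added audit helper (not part of the original checklist); it reports entries for the listed non-essential services that are still uncommented, run here against a constructed sample file:

```sh
#!/bin/sh
# Added audit helper; it is not part of the original checklist. Prints inetd.conf
# entries that are still enabled (not commented out) for the services the
# checklist lists as non-essential. Names follow the checklist, with the usual
# inetd.conf spelling ("systat") added alongside.
NONESSENTIAL="shell login exec comsat talk uucp tftp finger systat sysstat netstat \
time echo discard daytime chargen printer dtspc rquotad rstatd rusersd sprayd walld \
ufsd rexecd cmsd ttdbserverd sadmind"

audit_inetd() {   # usage: audit_inetd /etc/inetd.conf
    awk -v list="$NONESSENTIAL" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) bad[a[i]] = 1 }
        # Commented ("#") and blank lines are already disabled: skip them.
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        {
            # Field 1 is the service name ("login", or "100232/10" for RPC
            # services); field 6 is the server program, whose basename (minus
            # any "rpc." prefix) identifies daemons such as sadmind or rpc.cmsd.
            svc = $1; sub(/\/.*/, "", svc)
            prog = $6; sub(/.*\//, "", prog); sub(/^rpc\./, "", prog)
            if (svc in bad || prog in bad) print FNR ": " $1 " -> " $6
        }' "$1"
}

count_enabled_nonessential() {   # convenience: number of flagged entries
    audit_inetd "$1" | wc -l | tr -d ' '
}

# Constructed sample resembling a Solaris inetd.conf (not a real system file).
make_sample() {
    f=${TMPDIR:-/tmp}/inetd.sample.$$
    cat > "$f" <<'EOF'
# constructed sample
ftp       stream  tcp     nowait  root    /usr/sbin/in.ftpd       in.ftpd
#login    stream  tcp     nowait  root    /usr/sbin/in.rlogind    in.rlogind
shell     stream  tcp     nowait  root    /usr/sbin/in.rshd       in.rshd
finger    stream  tcp     nowait  nobody  /usr/sbin/in.fingerd    in.fingerd
100232/10 tli     rpc/udp wait    root    /usr/sbin/sadmind       sadmind
100083/1  tli     rpc/tcp wait    root    /usr/dt/bin/rpc.ttdbserverd rpc.ttdbserverd
EOF
    echo "$f"
}
```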
Solution: Services can be prevented from starting by changing the capital 'S' at the beginning of the script name to a lowercase 's'. Rename the following auto-configuration links in /etc/rc2.d and any other unnecessary startup scripts.
Disable services from the startup script folders /etc/rc2.d and /etc/rc3.d:
  ab2 (AnswerBook2)
  dtlogin (CDE and X service)
  Desktop Management Interface
  Apache
  MIP (Mobile IP Agent)
  Asppp
  DHCP
  Name service caching daemon (nscd)
  Auto installer
  Directory server (ldap)
  Volume Manager
  PPP
  SAMBA
  UUCP
  Power Management Service
  RPC
  KDC
  NFS Server
  IPV6
  NFS Client
  PRESERVE
  SENDMAIL
  Print Services
As an example, to disable autoinstall, uucp, NFS and nscd, run the following commands:
  # cd /etc/rc2.d
  # mv S72autoinstall s72autoinstall
  # mv S70uucp s70uucp
  # mv K28nfs.server k28nfs.server
  # mv S76nscd s76nscd
Risk Level: Medium
Impact: Attackers can capture sensitive data such as usernames and passwords with a simple packet sniffer if the transmission between client and server is not encrypted.
How to Check: Use the pkginfo -x command to check whether the OPENSSH, OPENSSL and ZLIB packages are installed in the system.
Solution: Download the latest precompiled version of these packages and install them. Install SSH client software at the client end.
Risk Level: High
Solution: CRON and AT related files must be secured. Only root must be given permission to run CRON and AT jobs; permissions for other users, if required, should be granted at a granular level. The files in /etc/cron.d control which users can use the cron and at facilities.
Create a /etc/cron.d/cron.allow file:
  # echo "root" > /etc/cron.d/cron.allow
  # chown root /etc/cron.d/cron.allow
  # chmod 600 /etc/cron.d/cron.allow
Create a /etc/cron.d/at.allow file:
  # cp -p /etc/cron.d/cron.allow /etc/cron.d/at.allow
Create a /etc/cron.d/cron.deny file (every account except root itself; an exact match is used so that other names containing "root" are not dropped):
  # cut -f1 -d: /etc/passwd | grep -v '^root$' > /etc/cron.d/cron.deny
  # chown root /etc/cron.d/cron.deny
  # chmod 600 /etc/cron.d/cron.deny
Create a /etc/cron.d/at.deny file:
  # cp -p /etc/cron.d/cron.deny /etc/cron.d/at.deny
Risk Level: Medium
  auth.info	/var/log/authlog
Use a TAB to separate auth.info from /var/log/authlog, not a space. Create /var/log/authlog by executing the following commands:
  # touch /var/log/authlog
  # chown root /var/log/authlog
  # chmod 600 /var/log/authlog
Risk Level: High
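The TAB requirement above is easy to get wrong and fails silently, so here is an added check (not part of the original checklist) that flags selector/action pairs separated by spaces and confirms the auth.info entry is present; it assumes the file is /etc/syslog.conf and runs on constructed samples:

```sh
#!/bin/sh
# Added example; not part of the original checklist. Solaris syslogd accepts only
# a TAB between the selector and the action, so an entry typed with spaces is
# ignored without any error. The check flags such lines and confirms that the
# auth.info -> /var/log/authlog entry exists; the file is assumed to be
# /etc/syslog.conf (constructed samples are used here).
audit_syslog_conf() {   # usage: audit_syslog_conf /etc/syslog.conf
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        !/\t/ { print FNR ": no TAB between selector and action: " $0; next }
        {
            split($0, part, /\t+/)
            if (part[1] == "auth.info" && part[2] == "/var/log/authlog") seen = 1
        }
        END { if (!seen) print "auth.info entry for /var/log/authlog missing or ignored" }' "$1"
}

count_syslog_findings() {   # convenience: number of reported problems
    audit_syslog_conf "$1" | wc -l | tr -d ' '
}

# Constructed samples: "bad" separates the authlog entry with spaces, "good" with a TAB.
make_samples() {   # prints the directory containing "bad" and "good"
    d=${TMPDIR:-/tmp}/syslog.sample.$$
    mkdir -p "$d"
    printf '# constructed sample\n*.err;kern.notice;auth.notice\t/dev/sysmsg\nauth.info    /var/log/authlog\nmail.debug\t/var/log/syslog\n' > "$d/bad"
    printf '*.err;kern.notice;auth.notice\t/dev/sysmsg\nauth.info\t/var/log/authlog\nmail.debug\t/var/log/syslog\n' > "$d/good"
    echo "$d"
}
```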
Solution: Set the following permissions on the /etc, /var, /var/spool, /var/cron and /etc/security files and folders.
Folder            Permission
/etc              755
/var
/var/spool
/var/cron
/etc/security
/tmp
/var/tmp
Risk Level: Medium
18.
Solution: Create /etc/init.d/nddconfig and also create a link to
Set ownership/permissions on the nddconfig file:
  chown root:root /etc/init.d/nddconfig
  chmod 744 /etc/init.d/nddconfig
Parameters:
  ip_forward_directed_broadcasts
  ip_strict_dst_multihoming
  ip_ignore_redirect
  ip_forward_src_routed
  ip_respond_to_address_mask_broadcast
  ip_respond_to_timestamp
  ip_respond_to_timestamp_broadcast
  ip_send_redirects
  tcp_conn_req_max_q
  tcp_conn_req_max_q0
  tcp_mss_min
Alternatively set the parameters from the command line using the command:
  /usr/sbin/ndd -set /dev/<protocol_name> <parameter_name> <value>
For example:
  /usr/sbin/ndd -set /dev/ip ip_respond_to_echo_broadcast 0
Risk Level: Medium
19. Address Resolution Protocol (ARP) cleanup interval is set to a large value
Description: The ARP cleanup interval determines how long the ARP cache keeps its entries.
Impact: ARP attacks may be effective with the default interval.
How to Check: In the nddconfig file, check whether the following parameter is present and, if it is, whether its value is safe. The safe value is 1000.
  arp_cleanup_interval
Solution: Configure the ARP cache value to 1000 by adding the following line to the /etc/init.d/nddconfig file (without a leading #, which would comment it out in the script):
  ndd -set /dev/arp arp_cleanup_interval 1000
Risk Level: High
Impact: Malicious attacks on the system cannot be monitored without enabling system-level auditing. Auditing of failed attempts can be an early indicator of attacks.
How to Check: In the /etc/security folder check for the following files: bsmconv and audit_control. Using the ps -ef command, check whether BSM is running. Check whether the following parameters are set in the audit_control file:
  dir:/var/audit
  flags:lo,ad,-all,^-fm
  naflags:lo,ad
  minfree:20
Solution: Enable BSM by running the following command:
  echo y | /etc/security/bsmconv
Configure the /etc/security/audit_control file:
  dir:/var/audit
  flags:lo,ad,-all,^-fm
  naflags:lo,ad
  minfree:20
Risk Level: Medium
Appendix A
Checklist for Solaris Server

#    Description                                             Risk Level   Server1   Server 2
1    Weak file system configuration                          Medium
2    Non-essential user accounts in the system               Medium
3    Password policy is not enabled in the system            High
4    Accounts with empty passwords                           High
5    Duplicate UIDs are present in the system                High
6    Account lockout is not enabled                          High
7    Remote root login is enabled                            High
8    Password is not mandatory                               High
9    Login banner is not enabled                             Low
10   Su command is not restricted                            Medium
11   Non-essential services are enabled in inetd             Medium
12   Non-essential services are enabled in startup scripts   Medium
13   FTP and Telnet banners are absent in the system         Low
14   FTP users are not restricted                            High
15   SNMP service is not secured                             High
16   Telnet is used for remote administration                High
17   Executable stacks are not secured                       Medium
18   Weak NFS service settings                               Medium
19   Weak system umask                                       High
20   Weak user permissions for CRON and AT                   Medium
21   User authentication is not audited                      High
22   Failed login attempts are not audited                   High
23   Weak permission on log files                            Medium
24   Weak folder permission                                  Medium
25   Non-root ufs file system is mounted with suid enabled   High
26   Weak preliminary network settings                       Medium
27   ARP cleanup interval is set to a large value            High
28   IP forwarding is enabled
29   Weak TCP sequence number
30   Intense use of system resources
31   Kernel level auditing is not enabled                    Medium
32   EEPROM security functionality is disabled
33   Remote login by unauthenticated users
34   Security patches are not installed
PALADION NETWORKS
www.paladion.net | info@paladion.net
Head office: 307, Devavrata, Plot 83, Sector 17, Vashi, Navi Mumbai 400703, India. Phone: +91-22-55910513, Fax: +91-22-55913580
Branch offices:
India: Manipal Centre, 47, Dickenson Road, Bangalore 560042, India. Phone: +91-80-5588698, Fax: +91-80-5092108
USA: 12801 Worldgate Drive, Suite 500, Herndon, VA 20170, USA. Phone: +1-703-871-3934, Fax: +1-703-871-3936
USA: 4160 Technology Drive, Suite G3, Fremont, CA 94538, USA. Phone: +1-510-490-3755, Fax: +1-510-490-3755
Malaysia: F313, Block F, Phileo Damansara 1, No. 9, Jln 16/11 off Jalan Damansara, 46350 Petaling Jaya. Phone: +603.7960.4275