Solaris Security Guide


This document provides a list of configuration changes which enhance the security of a Sun SolarisTM (SunOS 5.X) system.

| Auditing | Boot Files | Network Services | Access Controls | Time Synchronization | Recommended Tools | Installing Solaris |


Auditing

  1. Enable the Basic Security Module (BSM):
    /etc/security/bsmconv

  2. Configure the classes of events to log in /etc/security/audit_control:
    dir:/var/audit
    flags:lo,ad,pc,fc,fd,fm
    naflags:lo,ad
    #
    #   lo - login/logout events
    #   ad - administrative actions: mount, exportfs, etc.
    #   pc - process operations: fork, exec, exit, etc.
    #   fc - file creation
    #   fd - file deletion
    #   fm - change of object attributes: chown, flock, etc.
    #
    

  3. Create /etc/security/newauditlog.sh:
    #!/sbin/sh
    #
    # newauditlog.sh - Start a new audit file and expire the old logs
    #
    AUDIT_EXPIRE=30
    AUDIT_DIR="/var/audit"
    
    /usr/sbin/audit -n
    
    cd $AUDIT_DIR # in case it is a link
    /usr/bin/find . $AUDIT_DIR -type f -mtime +$AUDIT_EXPIRE \
        -exec rm {} > /dev/null 2>&1 \;
    

  4. Run the script nightly from cron:
    chmod 500 /etc/security/newauditlog.sh
    /usr/bin/crontab -e root
    0 0 * * * /etc/security/newauditlog.sh
    
  5. The audit files generated are not human readable. The praudit(1M) command can be used to convert audit data into several ASCII formats.

Boot Files

  1. Disable all startup files for services that are not needed from /etc/rc2.d and /etc/rc3.d. Services may be disabled by changing the capital 'S' in the name of the script to a lowercase 's'. The following startup files should not be disabled:

    S01MOUNTFSYS   S69inet        S72inetsvc     S74xntpd       S80PRESERVE
    S05RMTMPFILES  S71rpc         S74autofs      S75cron        S88utmpd
    S20sysetup     S71sysid.sys   S74syslog      S75savecore    S99audit
    S30sysid.net
    
  2. In order to ensure that all of the startup scripts run with the proper umask, execute the following script:

    umask 022  # make sure umask.sh gets created with the proper mode
    echo "umask 022" > /etc/init.d/umask.sh
    chmod 544 /etc/init.d/umask.sh
    for d in /etc/rc?.d
    do
       ln /etc/init.d/umask.sh $d/S00umask.sh
    done
    
  3. In order to log as much information as possible, add the following lines to your /etc/syslog.conf:

    mail.debug              /var/log/syslog
    *.info;mail.none        /var/adm/messages
    

    Note: Tabs must be used to separate the fields.

    This will log mail entries to /var/log/syslog and everything else to /var/adm/messages.

  4. Log failed login attempts by creating the /var/adm/loginlog file:

    touch /var/adm/loginlog
    chown root /var/adm/loginlog
    chgrp sys /var/adm/loginlog
    
  5. Set the permissions on the log files as follows:

    chmod 600 /var/adm/messages /var/log/syslog /var/adm/loginlog
    
  6. Configure syslogd to not listen on port 514/udp by specifiing the -t flag in /etc/rc2.d/S74syslog (Solaris >= 8):

    /usr/sbin/syslogd -t > /dev/msglog 2>&1
    
  7. Configure logs files to be rotated daily archiving old versions for 30 dain /etc/logadm.conf (Solaris >= 9):

    /var/log/syslog -A 30d -p 1d -z 1 -a 'kill -HUP `cat /var/run/syslog.pid`'
    /var/adm/messages -A 30d -p 1d -z 1 -a 'kill -HUP `cat /var/run/syslog.pid`; \
    logger -t logadm Begin new logfile'
    
  8. Enable hardware protection for buffer overflow exploits in /etc/system (sun4u, sun4d, and sun4m systems only).
    * Foil certain classes of bug exploits
    set noexec_user_stack = 1
    
    * Log attempted exploits
    set noexec_user_stack_log = 1
    

Network Services

  1. Because the /usr/lib/sendmail daemon is not running, you should add the following line to root's crontab file:

    0 * * * * /usr/lib/sendmail -q
    
  2. Replace /etc/mail/sendmail.cf with the following:

    # Minimal client sendmail.cf
    
    ### Defined macros
    # The name of the mail hub
    DRmailhost
    
    # Define version
    V8
    
    # Whom errors should appear to be from
    DnMailer-Daemon
    
    # Formatting of the UNIX from line
    DlFrom $g $d
    
    # Separators
    Do.:%@!^=/[]
    
    # From of the sender's address
    Dq<$g>
    
    # Spool directory
    OQ/usr/spool/mqueue
    
    
    ### Mailer Delivery Agents
    # Mailer to forward mail to the hub machine
    Mhub,   P=[IPC], S=0, R=0, F=mDFMuCX, A=IPC $h
    # Sendmail requires these, but are not used
    Mlocal, P=/bin/mail, F=rlsDFMmnuP, S=0, R=0, A=mail -d $u
    Mprog,  P=/bin/sh,   F=lsDFMeuP,  S=0, R=0, A=sh -c $u
    
    ### Rule sets
    S0
    R@$+    $#error $: Missing user name
    R$+ $#hub $@$R $:$1         forward to hub
    
    S3
    R$*<>$*     $n              handle <> error address
    R$*<$*>$*   $2              basic RFC822 parsing
    

    This configuration should be sufficient for servers where no local mail delivery is required.

  3. Create /etc/init.d/nddconfig and create a link to /etc/rc2.d/S70nddconfig.

    touch /etc/init.d/nddconfig
    ln /etc/init.d/nddconfig /etc/rc2.d/S70nddconfig
    chmod 544 /etc/init.d/nddconfig
    
    Add the following lines to the /etc/init.d/nddconfig file:

    #!/bin/sh
    #
    # /etc/init.d/nddconfig
    #
    
    # Fix for broadcast ping bug
    /usr/sbin/ndd -set /dev/ip ip_respond_to_echo_broadcast 0
    
    # Block directed broadcast packets
    /usr/sbin/ndd -set /dev/ip ip_forward_directed_broadcasts 0
    
    # Prevent spoofing
    /usr/sbin/ndd -set /dev/ip ip_strict_dst_multihoming 1
    /usr/sbin/ndd -set /dev/ip ip_ignore_redirect 1
    
    # No IP forwarding
    /usr/sbin/ndd -set /dev/ip ip_forwarding 0
    
    # Drop source routed packets
    /usr/sbin/ndd -set /dev/ip ip_forward_src_routed 0
     
    # Shorten ARP expiration to one minute to minimize ARP spoofing/hijacking
    # [Source: Titan adjust-arp-timers module]
    /usr/sbin/ndd -set /dev/ip ip_ire_flush_interval 60000    
    /usr/sbin/ndd -set /dev/arp arp_cleanup_interval 60               
    
    # --
    #
    # The following tweaks are from 'Tuning Solaris for FireWall-1' by
    # Rob Thomas (http://www.enteract.com/~robt
    #
    # Do not respond to queries for our netmask
    /usr/sbin/ndd -set /dev/ip ip_respond_to_address_mask_broadcast 0
    #
    # Do not issue redirects -- fix the routing table instead
    /usr/sbin/ndd -set /dev/ip ip_send_redirects 0
    #
    # Increase our defense against SYN floods.
    # The "q" queue is the completed socket holding pen where sockets
    # remain until the application issues accept().
    /usr/sbin/ndd -set /dev/tcp tcp_conn_req_max_q 1280
    # The "q0" queue is the half-open socket queue.
    /usr/sbin/ndd -set /dev/tcp tcp_conn_req_max_q0 10240
    #
    # --
    
    A sample nddconfig file can also be found on the Sun BluePrints site at http://www.sun.com/blueprints/tools/
  4. Deny services executed by inetd(3) the ability to create core files and enable logging for all TCP services by editing the /etc/rc2.d/S72inetsvc:

    # Run inetd in "standalone" mode (-s flag) so it doesn't have 
    # to submit to the will of SAF.  Why did we ever let them change inetd?
    
    ulimit -c 0
    /usr/sbin/inetd -s -t&     
    
  5. Configure RFC 1948 TCP sequence number generation in /etc/default/inetinit:

    TCP_STRONG_ISS=2
    
  6. Comment out or remove all unnecessary services in the /etc/inet/inetd.conf file including the following:

    shell		login		exec
    comsat		talk		uucp
    tftp		finger		sysstat
    netstat		time		echo
    discard		daytime		chargen
    rquotad		sprayd		walld
    rexd		rpc.ttdbserverd
    ufsd		printer		dtspc
    rpc.cmsd
    
  7. Create /etc/rc3.d/S79tmpfix so that upon boot the /tmp directory will always have the sticky bit set mode 1777.
    #!/bin/sh
    #ident  "@(#)tmpfix 1.0    95/09/14"
    
    if [ -d /tmp ]
    then
    /usr/bin/chmod 1777 /tmp
    /usr/bin/chgrp sys /tmp
    /usr/bin/chown sys /tmp
    fi
    
    [Source: Titan psfix module]

Access Controls

  1. Disable network root logins by enabling the "CONSOLE" line in /etc/default/login.

  2. Remove, lock, or comment out unnecessary accounts, including "sys", "uucp", "nuucp", and "listen". The cleanest way to shut them down is to put "NP" in the password field of the /etc/shadow file.

  3. Require authentication for remote commands by commenting out the following line in /etc/pam.conf:

    #rlogin  auth sufficient /usr/lib/security/pam_rhosts_auth.so.1
    
    and changing the rsh line to read:
    rsh auth required   /usr/lib/security/pam_unix.so.1
    
    [Source: Titan pam-rhosts module]

  4. Only add accounts for users who require access to the system. If using NIS, use the compat mode by editing the /etc/nsswitch.conf file:

    passwd: compat 
    
    Add each user to the /etc/passwd file
    +nis_user:x::::/home_dir:/bin/sh
    
    and the /etc/shadow file
    +nis_user::10626::::::
    

  5. Create an /etc/issue file to display the following warning banner:

    WARNING: To protect the system from unauthorized use and to ensure that the
    system is functioning properly, activities on this system are monitored and
    recorded and subject to audit. Use of this system is expressed consent to such
    monitoring and recording. Any unauthorized access or use of this Automated
    Information System is prohibited and could be subject to criminal and civil
    penalties.
    
    Source: CIAC-2317 Windows NT Network Security: A Manager's Guide

    Add the banner to the /etc/motd file:
    cp /etc/motd /etc/motd.orig
    cat /etc/issue /etc/motd.orig > /etc/motd
    

  6. The Automated Security Enhancement Tool (ASET) checks the settings and contents of system files. Many of the setuid and setgid programs on Solaris are used only by root, or by the user or group-id to which they are set.

    Run aset using the highest security level and review the report files that are generated in /usr/aset/reports.

    /usr/aset/aset -l high
    
    Use of the FixModes program available from the Sun BluePrints site at http://www.sun.com/blueprints/tools is recommended.
  7. Create a master list of the remaining setuid/setgid programs on your system and check that the list remains static over time.

    /bin/find / -type f \( -perm -4000 -o -perm -2000 \) \
                -exec ls -ldb {} \;
    

  8. Execution of the su(1M) command can be controlled by adding and configuring a wheel group such as that found on most BSD derived systems.
    /usr/sbin/groupadd -g 13 wheel
    /usr/bin/chgrp wheel /usr/bin/su /sbin/su.static
    /usr/bin/chmod 4550 /usr/bin/su /sbin/su.static
    

    The GID for the wheel group does not need to be 13, any valid GID can be used. You will need to edit /etc/group to add users to the wheel group.

  9. Create an /etc/ftpusers file:
    cat /etc/passwd | cut -f1 -d: > /etc/ftpusers
    chown root /etc/ftpusers
    chmod 600 /etc/ftpusers
    
    Remove any users that require ftp access from the /etc/ftpusers file.

  10. Set the default umask so that it does not include world access. Add "umask 027" to the following files:
    /etc/.login              /etc/profile
    /etc/skel/local.cshrc    /etc/skel/local.login
    /etc/skel/local.profile 
    
    Enable the "UMASK" line in the /etc/default/login file and set the value to 027

  11. The files in /etc/cron.d control which users can use the cron(1M) and at(1) facilities.

    Create an /etc/cron.d/cron.allow file:
    echo "root" > /etc/cron.d/cron.allow
    chown root /etc/cron.d/cron.allow
    chmod 600 /etc/cron.d/cron.allow
    
    Create an /etc/cron.d/at.allow file:
    cp -p /etc/cron.d/cron.allow /etc/cron.d/at.allow
    
    Create an /etc/cron.d/cron.deny file:
    cat /etc/passwd | cut -f1 -d: | grep -v root > /etc/cron.d/cron.deny
    chown root /etc/cron.d/cron.deny
    chmod 600 /etc/cron.d/cron.deny
    
    Create an /etc/cron.d/at.deny file:
    cp -p /etc/cron.d/cron.deny /etc/cron.d/at.deny
    
  12. If CDE is installed, replace the default CDE "Welcome" greeting. If the /etc/dt/config/C directory does not exist, create the directory structure and copy the default configuration file:

    mkdir -p /etc/dt/config/C
    chmod -R a+rX /etc/dt/config
    cp -p /usr/dt/config/C/Xresources /etc/dt/config/C
    
    Add the following lines to /etc/dt/config/C/Xresources:
    Dtlogin*greeting.labelString:       %LocalHost%
    Dtlogin*greeting.persLabelString:   login: %s
    
  13. If CDE is installed, disable XDMCP connection access by creating or replacing the /etc/dt/config/Xaccess file:

    #
    # Xaccess - disable all XDMCP connections
    #
    !*
    
    Set the permissions on /etc/dt/config/Xaccess to 444:
    chmod 444 /etc/dt/config/Xaccess
    

Time Synchronization

Edit the /etc/inet/ntp.conf file:
#
# /etc/inet/ntp.client
#
# An example file that could be copied over to /etc/inet/ntp.conf; it
# provides a configuration for an ntp server that uses three public sources 
# with an internal fallback (127.127.1.0).
#
# A simple NTP clilent would specify one or more network servers in your
# organization:
#
#    server ntp.example.com
#
# Public NTP Server list: http://www.eecis.udel.edu/~mills/ntp/clock1.htm
#
server 192.5.41.40  # tick.usno.navy.mil
server 192.5.5.250  # clock.isc.org
server 128.9.176.30 # timekeeper.isi.edu
server 127.127.1.0  # internal clock
fudge 127.127.1.0 stratum 10

Recommended Tools

FixModes
FixModes is a script that tries to make Solaris file modes more secure.

Sudo

Sudo (superuser do) allows a system administrator to give certain users (or groups of users) the ability to run some (or all) commands as root while logging all commands and arguments.

SunScreen

SunScreen is a host-based firewall product that is packaged with Solaris 8 and later. See also Securing Systems with Host-Based Firewalls

TCP Wrappers

With this package you can monitor and filter incoming requests for the SYSTAT, FINGER, FTP, TELNET, RLOGIN, RSH, EXEC, TFTP, TALK, and other network services. TCP Wrappers is included in Solaris 9.

Secure Shell (ssh)

Ssh is a program to log into another computer over a network, to execute commands in a remote machine, and to move files from one machine to another. It provides strong authentication and secure communications over unsecure channels. It is intended as a replacement for rlogin, rsh, and rcp.

Titan

Titan is a collection of programs, each of which either fixes or tightens one or more potential security problems with a particular aspect in the setup or configuration of a Unix system.

Logcheck

Logcheck is a perl script that monitors system logs for unusual activity.


Installing Solaris

This section describes the steps necessary to install Solaris with the smallest OS image possible.

  1. Remove any network connections from the machine before installing the OS.

  2. Boot the machine from the OS install CD-ROM

  3. Answer the installation questions as they pertain to this instance. You will want to mark the machine as being networked and give the machine an IP address even though it is not connected to the network.

  4. In the Solaris install program, select the Core SPARC cluster. Then select Customize. The following is a list of all the clusters that should be selected. For clusters that have subparts, select only the subparts listed, not the entire cluster.

    • AutoFS
    • Automated Security Enhancement Tools
    • Federated Naming System
    • FrameBuffer Device Drivers
      • Dumb frame buffer device drivers
    • FTP Server, (Root)
    • FTP Server, (Usr)
    • GX (cg6) OS support files
      • GX (cg6) device drivers
    • Install and Patch Utilities
    • Interprocess Communication
    • Keyboard configuration tables
    • Motif Runtime Kit
    • Network Information System (NIS)
    • Openwindows Version 3
      • Openwindows kernel modules
      • X Window system window drivers
    • PCMCIA Support
    • Patch utilities
    • Platform Support, OS Functionality (Usr)
    • Portable layout services for Complex Text Layout support
    • Programming tools and libraries
      • Sun workshop bundled shared libm
    • SPARCompilers bundled libc
    • Static utilities
    • Solaris desktop /usr/dt filesystem anchor
    • Solaris Naming Enabler
    • SunFastEthernet/FastWideSCSI-2 Adaptor Drivers
      • SunSwift SBus Adaptor Drivers
    • System Accounting
    • System and Network Administration
    • Terminal Information

    Color Legend: | Solaris 2.6 & 7 | Solaris 2.6 | Solaris >=7 |

    Be sure to install any device drivers specific to your hardware!

    Solaris >=7: 64-bit package versions should also be selected if 64-bit support has been enabled.

    If you need printer support, select the following:

    • Line Printer Support
    • Tooltalk end user
      • Tooltalk runtime

    For remote Motif/X support, select the following:

    • Font Server Cluster
      • X Window System common (not required) fonts
      • X Window System optional fonts
      • X Window System platform required fonts
    • OpenWindows Version 3
      • ICE components
      • X Window System platform software
    • Tooltalk end user
      • Tooltalk runtime
    • XIL Runtime Environment

    The following is required for FireWall-1:

    • Source compatibilty support
      • Source Compatibilty, (Usr)

  5. The Core SPARC cluster requires much less disk space than most types of Solaris installs. The following partition table is appropriate for machines loaded with the Core SPARC cluster:

    s0:      /            250 megabytes
    s1:      swap         1 gigabyte
    s2:      overlap
    s3:                   8 megabytes (for metadb)
    s4:      /usr         500 megabytes
    s5:      /var         2 gigabytes
    s6:      /opt         (rest of disk)
    
  6. The /var partition is large to accommodate extra logging and auditing information. You may wish to scale the swap space as appropriate for your hardware, but extra swap helps prevent "denial-of-service" attacks.

  7. The Core SPARC cluster, even with the most recent patches, provides many services which are unnecessary.

    Execute pkginfo. The results should match the following:

    % pkginfo
    system      SUNWaccr       System Accounting, (Root)
    system      SUNWaccu       System Accounting, (Usr)
    system      SUNWadmap      System administration applications
    system      SUNWadmc       System administration core libraries
    system      SUNWadmfw      System & Network Administration Framework
    system      SUNWadmr       System & Network Administration Root
    system      SUNWast        Automated Security Enhancement Tools
    system      SUNWatfsr      AutoFS, (Root)
    system      SUNWatfsu      AutoFS, (Usr)
    system      SUNWcar        Core Architecture, (Root)
    system      SUNWcg6        GX (cg6) Device Driver
    system      SUNWcsd        Core Solaris Devices
    system      SUNWcsr        Core Solaris, (Root)
    system      SUNWcsu        Core Solaris, (Usr)
    CTL         SUNWctpls      Portable layout services for Complex Text Layout support
    system      SUNWdfb        Dumb Frame Buffer Device Drivers
    system      SUNWdtcor      Solaris Desktop /usr/dt filesystem anchor
    system      SUNWesu        Extended System Utilities
    system      SUNWfns        Federated Naming System
    system      SUNWftpr       FTP Server, (Root)
    system      SUNWftpu       FTP Server, (Usr)
    system      SUNWhmd        SunSwift SBus Adapter Drivers
    system      SUNWipc        Interprocess Communications
    system      SUNWkey        Keyboard configuration tables
    system      SUNWkvm        Core Architecture, (Kvm)
    system      SUNWlibC       SPARCompilers Bundled libC
    system      SUNWlibms      Sun WorkShop Bundled shared libm
    system      SUNWmfrun      Motif RunTime Kit
    system      SUNWnisr       Network Information System, (Root)
    system      SUNWnisu       Network Information System, (Usr)
    system      SUNWos86u      Platform Support, OS Functionality (Usr)
    system      SUNWpcelx      3COM EtherLink III PCMCIA Ethernet Driver
    system      SUNWpcmci      PCMCIA Card Services, (Root)
    system      SUNWpcmcu      PCMCIA Card Services, (Usr)
    system      SUNWpcmem      PCMCIA memory card driver
    system      SUNWpcser      PCMCIA serial card driver
    system      SUNWpsdpr      PCMCIA ATA card driver
    system      SUNWsolnm      Solaris Naming Enabler
    system      SUNWsutl       Static Utilities
    system      SUNWswmt       Patch Utilities
    system      SUNWswmt       Install and Patch Utilities
    system      SUNWter        Terminal Information
    system      SUNWxwdv       X Windows System Window Drivers
    system      SUNWxwmod      OpenWindows kernel modules
    

    Solaris >=7: 64-bit package versions will also be listed if 64-bit support has been enabled.

    Use the pkgrm command to remove any non-essential packages that are not listed above.



Resources

Sun Recommended & Security Patches

Sun Security Bulletins

The Solaris Security FAQ

SANS Solaris Security: Step-by-Step

Solaris BSM Auditing

Tuning Solaris for FireWall-1 by Rob Thomas


jrr