Hardening Solaris


Copyright 2002, 2003 Andy Barclay
OpenContent License (OPL)

Install the OS, Solaris 2.6, Entire Distribution
================================================
-one large / file system unless:
	-multiple disks are present, then suggest installing Solstice Disk Suite
	and striping /var (logging area), /opt, /usr/local, etc.
	-this machine will be an NFS server, then the directory being NFS shared
	should be a separate file system
-Apply the latest recommended patch set
-Apply the disksuite patch

Harden the OS
=============
-start by doing a ps and looking at all running processes.
-examine each one individually to decide which ones are not required
--vold (no need for magic mounting of CDs and floppy diskettes on a firewall)
	-mv /etc/rc2.d/S92volmgt /etc/rc2.d/s92volmgt
--in.routed (firewalls should use static routes, or at least a routing
protocol that isn't braindead like RIPv1)
	-touch /etc/notrouter (shuts off ip_forwarding)
	-vi /etc/init.d/inetinit and comment out the "if" statement that starts
		in.routed (lines 153-158)
--in.rdisc (firewalls should use static routes)
	-touch /etc/notrouter (shuts off ip_forwarding)
	-vi /etc/init.d/inet and comment out the "if" statement that starts
		in.rdisc (lines 153-158)
--sac (will we be supporting ASCII terminals or modems or hosting a network
printer on this box? - it's a firewall, so I hope not!)
	-vi /etc/inittab and change "respawn" to "off" on the second last line
	-init q
--rpcbind (hmmm, practical experience says that CDE requires rpcbind, so if
you wish to run OpenWindows, or no xdm at all, then this can be commented
out of the startup file /etc/rc2.d/S71rpc)
--syslogd (yep, need this)
--inetd (ok, let's edit /etc/inetd.conf and see what we need)
	-ftp (hmmm, do we want people to be able to ftp TO this box?)
	-telnet (hmmm, at this moment we probably want to keep telnet, but
		later we can replace it with a secure shell login)
	-nothing else in the file is required for the firewall, so comment
		it all out
	-now send a HUP signal to inetd
--keyserv (nope, not running secure rpc (nis+/secure nfs, yp, etc))
	-vi /etc/init.d/rpc and comment out the "if" statement that starts
		keyserv
--automountd, statd, lockd (shouldn't run nfs on a firewall, even as a client)
	-mv /etc/rc2.d/S74autofs /etc/rc2.d/s74autofs
	-mv /etc/rc2.d/S73nfs.client /etc/rc2.d/s73nfs.client
--nscd (hmmm, the name service cache daemon defeats round-robin DNS, so
either disable it completely, or edit the /etc/nscd.conf to disable
host information caching.)
	-mv /etc/rc2.d/S76nscd /etc/rc2.d/s76nscd
	***if you will be running Solaris 7 and Netscape 4.x browsers, do not disable
this daemon
--cron (yep, need that)
--lpsched (do we need to print stuff from this machine? If it's going to run
firewall-1, then the GUI can [and should] run on a different machine, and
all printing can be done from that third-party machine.)
	-mv /etc/rc2.d/S80lp /etc/rc2.d/s80lp
--sendmail (hmmm, are we going to use sendmail to relay mail? Well, if we
are, then we need to upgrade to the latest version, which has blind relay
prevention. If not, then we need to install qmail, or if we are using
firewall-1, we can set up a proxy connection. In any event, we might as
well shut it down at this point.)
	-mv /etc/rc2.d/S88sendmail /etc/rc2.d/s88sendmail
--powerd (I probably don't want the drives and monitor on my firewall to
power down. Probably best to disable this.)
	-mv /etc/rc2.d/S85power /etc/rc2.d/s85power
--snmpdx (Don't need the Sun Solstice Enterprise Master Agent)
	-mv /etc/rc3.d/S76snmpdx /etc/rc3.d/s76snmpdx
--ttymon (hmmm, this is the thing that puts the login prompt on the console.
If you are brave, and believe that the xdm login screen will always be 
available, then you can comment this out - I am not so brave)
--dmispd, snmpXdmid (this is for communicating between management applications
and smtp stuff. We don't need it)
	-mv /etc/rc3.d/S77dmi /etc/rc3.d/s77dmi
--ttdbserverd (this gets started by inetd, and we have already commented this
out of /etc/inetd.conf)
--enable strong TCP initial sequence number generation by changing the value of
TCP_STRONG_ISS in the file /etc/default/inetinit from "1" to "2"
--Add the following lines to /etc/system to prevent code from executing
on the stack
--------
set noexec_user_stack=1
set noexec_user_stack_log=1
--------

Now reboot the OS, and it will be running in hardened mode.

Other security stuff
====================
-install tripwire
-install wu-ftpd
-populate /etc/ftpusers
	Add root to the file /etc/ftpusers
	echo root >/etc/ftpusers
-change "CONSOLE=/dev/console" to "CONSOLE=" in /etc/default/login
-install tcp wrappers
-change "umask 022" to "umask 027" or "umask 077" in /etc/profile and /etc/login
-upgrade to latest version of BIND
-upgrade to latest version of Sendmail
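As an added example that is not part of the original document, the following POSIX sh script audits a Solaris-style tree for the hardening steps listed in both sections above (rc scripts renamed to a lower-case "s", /etc/notrouter, TCP_STRONG_ISS in /etc/default/inetinit, the two /etc/system settings, an inetd.conf with only ftp and telnet left active, root in /etc/ftpusers, and CONSOLE= in /etc/default/login). The function names audit_hardening and make_sample_tree are my own, and the sample tree and file contents that make_sample_tree writes are constructed here only to exercise the audit.

```sh
#!/bin/sh
# audit_hardening ROOT: check the hardening items under ROOT (use "/" on the
# box itself, or a path to a copied tree). Prints one "FAIL: ..." line per
# unmet item and returns the number of failures (0 = fully hardened).
audit_hardening() {
    root=${1%/}; fails=0
    # Startup scripts that the procedure renames to a lower-case "s" to disable.
    for s in rc2.d/S92volmgt rc2.d/S74autofs rc2.d/S73nfs.client rc2.d/S76nscd \
             rc2.d/S80lp rc2.d/S88sendmail rc2.d/S85power rc3.d/S76snmpdx rc3.d/S77dmi; do
        [ -e "$root/etc/$s" ] && { echo "FAIL: $s still enabled"; fails=$((fails+1)); }
    done
    [ -e "$root/etc/notrouter" ] || { echo "FAIL: /etc/notrouter missing"; fails=$((fails+1)); }
    grep -q '^TCP_STRONG_ISS=2' "$root/etc/default/inetinit" 2>/dev/null \
        || { echo "FAIL: TCP_STRONG_ISS is not 2"; fails=$((fails+1)); }
    for kw in noexec_user_stack=1 noexec_user_stack_log=1; do
        grep -q "^set $kw" "$root/etc/system" 2>/dev/null \
            || { echo "FAIL: $kw not in /etc/system"; fails=$((fails+1)); }
    done
    # Anything other than ftp and telnet still active in inetd.conf is a finding.
    extra=$(grep -v '^[[:space:]]*#' "$root/etc/inetd.conf" 2>/dev/null \
            | grep -v '^[[:space:]]*$' | awk '$1 != "ftp" && $1 != "telnet" { print $1 }')
    [ -z "$extra" ] || { echo "FAIL: inetd still serves: $(echo $extra)"; fails=$((fails+1)); }
    grep -qx root "$root/etc/ftpusers" 2>/dev/null \
        || { echo "FAIL: root not in /etc/ftpusers"; fails=$((fails+1)); }
    grep -q '^CONSOLE=$' "$root/etc/default/login" 2>/dev/null \
        || { echo "FAIL: CONSOLE= not set in /etc/default/login"; fails=$((fails+1)); }
    return "$fails"
}

# make_sample_tree DIR: constructed sample tree (not a real system) with two
# deliberate gaps: sendmail left enabled and finger left active in inetd.conf.
make_sample_tree() {
    d=$1
    mkdir -p "$d/etc/rc2.d" "$d/etc/rc3.d" "$d/etc/default"
    touch "$d/etc/rc2.d/s92volmgt" "$d/etc/rc2.d/S88sendmail"
    : > "$d/etc/notrouter"
    echo 'TCP_STRONG_ISS=2' > "$d/etc/default/inetinit"
    printf 'set noexec_user_stack=1\nset noexec_user_stack_log=1\n' > "$d/etc/system"
    printf '# constructed inetd.conf\n' > "$d/etc/inetd.conf"
    printf 'ftp stream tcp nowait root /usr/sbin/in.ftpd in.ftpd\n' >> "$d/etc/inetd.conf"
    printf 'telnet stream tcp nowait root /usr/sbin/in.telnetd in.telnetd\n' >> "$d/etc/inetd.conf"
    printf 'finger stream tcp nowait nobody /usr/sbin/in.fingerd in.fingerd\n' >> "$d/etc/inetd.conf"
    echo root > "$d/etc/ftpusers"
    echo 'CONSOLE=' > "$d/etc/default/login"
}

# Run against a real or copied tree when a path is given, e.g. ./audit.sh /
if [ $# -gt 0 ]; then audit_hardening "$1"; fi
```

Run against the sample tree the audit reports the sendmail script and finger and exits with status 2; on the real box the same two kinds of finding show what the procedure left undone.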