About SOLARIS Security

R3turn.blogbus.com & nbsp; The following is an article I have read a few days ago, inside more specifically said how to patch the original article can be found in the http://secinf.net SUN system basic security configuration byJeffreyBoulier (jeffreyb@gwu.edu) a SUN system like and

R3turn.blogbus.com

The following is an article I have read a few days ago. I have translated it briefly and explained how to install patches.
Can be found in http://secinf.n et

Basic security configuration of SUN System

By Jeffrey Boulier (jeffreyb@gwu.edu)

A sun system, like an NT system, is vulnerable to various hateful attacks from the internet. Lucky
Unlike NT, you can use the following three simple methods to make SUN safer:

At least 90% of security issues come from the so-called "Stack Overflow ". By sending a root identity
A running program provides much more information than it expected, making the attacked program unable to process and change the execution.
The process executes the code specified by the attacker.

Both Solaris 2.6 and Solaris 7 have the ability to set user stacks to be unexecutable so that such attacks do not
Yes. To enable this feature:

Cp/etc/system. BACKUP
　　　　　　　

Set noexec_user_stack = 1
Set noexec_user_stack_log = 1

Once the machine is restarted, these changes will take effect. If this is not a system that you can shut down, use
It is also possible for adb to change the parameters of a running system, but this is not something I would like to do.

Of course, some programs that legally use the executable stack cannot run normally after you make the above changes. Fortunately
There are not many such programs. I only know the GNU ada compiler.

Many unnecessary services are automatically in the enabling status. These vulnerabilities may cause attackers or even
You can control your machine without an account. Disable unnecessary services to protect your system. you can
Use the following method to disable it:

Cp/etc/inetd. conf/etc/inetd. conf. BACKUP
　　　　　　　
Unactivated services are commented out by the "#" symbol. for example, some of your inetd. conf may
Yes:

Name dgram udp wait root/usr/sbin/in. tnamed in. tnamed

You don't need this service because 99.999% of you won't use this "obsolete IEN-116 name service
Protocol ". after this is commented out, this line will look like:

^
|
See the new "#" symbol.

I suggest you comment out almost all services, leaving only:

Ftp stream tcp nowait root/usr/sbin/in. ftpd in. ftpd
Telnet stream tcp nowait root/usr/sbin/in. telnetd in. telnetd
Time stream tcp nowait root internal
Time dgram udp wait root internal
Echo stream tcp nowait root internal
Echo dgram udp wait root internal
Discard stream tcp nowait root internal
Discard dgram udp wait root internal
Daytime stream tcp nowait root internal
Daytime dgram udp wait root internal
Rstatd/2-4 tli rpc/initram_v wait root/usr/lib/netsvc/rstat/rpc. rstatd rpc. rstatd
Fs stream tcp wait nobody/usr/openwin/lib/fs. auto fs

On a server that only requires few graphic operations or ensures high security, you may need to disable the font service fs.
Turn off the system performance monitor rstatd and tooltalk server ttdbserverd. In fact, on a machine that really needs security
You should even comment out telnet and ftp.

You can use grep to find out the services provided by inetd:
　　　　　
Grep-v "quot; ^ #" quot;/etc/inetd. conf

This will return all uncommented rows in/etc/inetd. conf.

It. Make sure that the inetd process is still running after it is killed, for example:

Root @ multics: ps-ef | grep inetd
Root 196 1 0 15:32:14? 0: 00/usr/sbin/inetd-s
Root @ multics: kill-HUP 196
Root @ multics: ps-ef | grep inetd
Root 196 1 0 15:32:14? 0: 00/usr/sbin/inetd-s
　

Like all complex systems, SUN has its vulnerabilities. some of them are very serious in nature. SUN Company orientation
Its customers are even customers without technical support. These patches can be supplemented by a collection package or by a single
Ding form. Unfortunately, to completely patch your system, you need both a large patch set package and a single patch.
However, we will introduce a method that combines patch packages with a single patch.

Umask 022
　　　　　　　
To set your license mode? Patching the system requires that all patches be "quot; nobody" quot; readable and include patches
All the preceding directories (do not ask why, this is generally the case ).

　　　　　　　
Mkdir/var/tmp/patch
Cd/var/tmp/patch
　　　　　　　
Make sure there is sufficient disk space in the file system where you create the "patch" directory (note: you can try to type

Df-k

Check the available disk space on the file system. do not use/tmp!

Ftp sunsolve.sun.com

Your logon username is "anonymous" and the password is your email address.

Bin
Close prompt, type:
Prompt

? You don't need to answer "Yes, I need that patch" to download each patch.

Cd/pub/patches

Ls *. PatchReport

For example:
-=- =-
Ftp "gt; ls *. PatchReport
Solaris1.1.1.PatchReport
Solaris1.1.2.PatchReport
Solaris1.1.PatchReport
Solaris2.3.PatchReport
Solaris2.4.PatchReport
Solaris2.4 _ x86.PatchReport
Solaris2.5.1.PatchReport
Solaris2.5.1 _ x86.PatchReport
Solaris2.5.PatchReport
Solaris2.5 _ x86.PatchReport
Solaris2.6.PatchReport
Solaris2.6 _ x86.PatchReport
Solaris7.PatchReport
Solaris7_x86.PatchReport
Remote: *. PatchReport
-=- =-

There are different patch report files for x86 and iSCSI files. Those in the latter version do not have the words "x86.

Get Solaris2.6.PatchReport

List recommended files:

Ls * Recommended *

The output may be like this:
-=- =-
Ftp "gt; ls * Recommended *
-=- =-

You can use the mget command to get both the recommendation file and readme, for example:

Mget 7_x86_Recommended *

This may take a while.

It may be like this:
-=- =-

Solaris 2.5.1 Patches Containing Security Fixes:
----------------

("Amp; c .)
-=- =-

"*" The labeled patches are not included in the recommended patch collection package. we need to include them.

Use mget:

Mget 106689*106905*106411 *

Important: you may want to use an mget command to obtain all the patches, but the number of mget parameters is limited!

Besides, I have not specified a version number. this is not only to reduce the number of input characters and obtain the relevant README file, but also because
During the patch report release process, the version number may change.

Quit

To end the ftp session.

We will first merge the patch package and a single patch.

First, extract the patch package:

If you use Solaris 2.6 or earlier,

Uncompress 2 * Recommended.tar. Z
Tar-xvf 2 * Recommended.tar

If Solaris 7 is used,

Unzip 7 * Recommended.zip

Next, move all the individual patches to your created Recommended Directory:

Mv 1 ** Recommended

Then, go to the Recommended directory where all patches are saved:

Cd * Recommended

All the patches that will be installed by the install_cluster script. you can manually add them (note:
This is a wrong choice) or use UNIX command tools to help you do this.

For Solaris 7, run the following command:

Ls *. zip | cut-d "quot;." quot;-f1 "gt;" gt; patch_order

If it is Solaris 2.6 or earlier:

Ls *. tar. Z | cut-d "quot;." quot;-f1 "gt;" gt; patch_order

A) if you use Solaris 7, you can decompress A file at A time using unzip:

Unzip 723.zip

You cannot use "unzip *. zip" because unzip cannot work like this.
Unzip: you can use the following UNIX command to decompress unzip for you:

Ls *. zip | xargs-n1 unzip

B) if Solaris 2.6 or lower is used, type:

Uncompress *. tar. Z

Now you must use tar to separate a single patch. you can use the following command to process a file at a time:

Tar-xvf limit 723.tar

You cannot use tar-xvf *. tar because tar cannot work like this.
Tar, you can use the following UNIX command to let tar separate everything for you:

Ls *. zip | xargs-n1 tar-xvf

/Us