Solaris System Security Hardening Checklist


See also these two articles:

http://www.bkjia.com/Article/200508/6185.html
http://www.bkjia.com/Article/200507/5953.html

Source: amxkus blog

I. Security Philosophy
1. Security risks also come from inside the enterprise.
2. Administrator's rule: trust no one.
3. Layered protection: assume that some of the protection layers will fail completely.
4. Minimize services.
5. Plan for the worst case.

II. Physical Security
1. Keep a record of everyone entering and leaving the IDC (data center) and consider installing cameras.
2. Check whether the PROM has been replaced; record the hostid so it can be compared later.
3. The OpenBoot password should be different on every system and must not follow a predictable scheme.
4. Remove the CD-ROM (installation media) once the system is installed.
5. Keep the release media in a media storage room away from the site.

III. Account and Password Policies
1. Set the superuser's PATH (defined in /.profile):
PATH=/usr/bin:/sbin:/usr/sbin
No user's PATH or LD_LIBRARY_PATH should contain "." (an empty component, i.e. a leading, trailing or doubled colon, also means the current directory).
2. Password, shadow and group files
/etc/passwd must be readable by all users and writable only by root: -rw-r--r-- (644)
/etc/shadow must be readable only by root: -r-------- (400)
/etc/group must be readable by all users and writable only by root: -rw-r--r-- (644)
3. Password security
Solaris requires passwords of at least 6 characters (PASSLENGTH), but this restriction is not enforced when the superuser sets another user's password.
Force the test account to change its password every 30 days (-x sets the maximum password age in days; -n sets the minimum):
# passwd -x 30 test
Force the test account to change its password at the next login:
# passwd -f test
Prevent the test account from changing its password (a minimum age greater than the maximum age means only root can change it):
# passwd -n 2 -x 1 test
Lock the test account so that it cannot log in:
# passwd -l test
4. Group passwords
The newgrp command temporarily changes a user's gid. Because members of the sysadmin group can run admintool, that group must be well protected. To add a group password:
Remove unnecessary members (a user who is already a member of sysadmin needs no password to newgrp into it).
Set a password with passwd on an account that is normally locked.
Copy that user's hashed password string from /etc/shadow into the password field of the sysadmin entry in /etc/group.
Lock the user account again.
5. Modify the password policy
/etc/default/passwd file:
MAXWEEKS=4 the password must be changed at least once every four weeks
MINWEEKS=1 the password can be changed at most once a week
WARNWEEKS=3 the user is warned three weeks before the password expires
PASSLENGTH=6 the user's password must be at least 6 characters long
6. Restrict su to a group (only members of the sysadmin group may run su)
# chgrp sysadmin /bin/su
# chmod o-rwx /bin/su
7. su logging
/etc/default/su file:
SULOG=/var/adm/sulog (every su attempt is appended here)
SYSLOG=YES (also log su attempts via syslog)
CONSOLE=/dev/console (also report attempts to su to root on the console)
PATH=/usr/bin (the stock file reads "PATH=/usr/bin:"; the trailing colon is an empty component, which means the current directory, so remove it)
SUPATH=/usr/sbin:/usr/bin
8. Prohibit remote root login
Set CONSOLE=/dev/null in /etc/default/login (CONSOLE=/dev/console limits direct root logins to the console; /dev/null forbids direct root login everywhere, so root is reached only through su).
Add root to /etc/ftpusers.
Set PermitRootLogin no in the SSH daemon configuration file.
(With the SSH server bundled with Solaris 9, root login is disabled by default. On Solaris 9, /etc/ftpusers is no longer used: the FTP configuration files are all under /etc/ftpd, and if /etc/ftpusers exists when ftpd starts it is moved into /etc/ftpd.)
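
The checks in items 1, 5 and 8 can be scripted. The following is an added example, not part of the original checklist: it reads the settings from the files they live in and reports anything that deviates. All paths are passed as arguments so it can be run against copies; the live Solaris locations are /etc/default/passwd, /etc/default/login, /etc/ftpusers and, as an assumption for the Solaris 9 bundled sshd, /etc/ssh/sshd_config. Run it with /usr/bin/ksh or /usr/xpg4/bin/sh on Solaris, since the legacy Bourne /bin/sh does not understand $(...).

```shell
#!/bin/sh
# Added example (not from the original checklist): audit the account and password
# policy files from section III. Paths are arguments so the functions can be run
# against copies; the --live mode below assumes the standard Solaris locations.

# Print the value of KEY from an /etc/default/* style file (KEY=VALUE lines,
# '#' comments). The last assignment wins; prints nothing if KEY is unset.
default_value() {   # default_value FILE KEY
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        sed 's/[[:space:]]*$//' | tail -1
}

# Item 1: a PATH is unsafe if it contains ".", an empty component (leading,
# trailing or doubled colon, which also means the current directory), a "~"
# entry, /tmp, or any relative directory. Returns 0 when the PATH is safe.
check_path() {      # check_path "PATH-string"
    case ":$1:" in
        *:.:*|*::*|*:~*|*:/tmp:*) return 1 ;;
    esac
    rest=$1
    while [ -n "$rest" ]; do
        comp=${rest%%:*}
        case "$comp" in /*) ;; *) return 1 ;; esac
        case "$rest" in *:*) rest=${rest#*:} ;; *) rest= ;; esac
    done
    return 0
}

# Item 5: every aging parameter must be set to a number (the stock file ships
# with them commented out, i.e. no aging) and PASSLENGTH must be at least 6.
check_passwd_defaults() {   # check_passwd_defaults FILE
    pw_rc=0
    for key in MAXWEEKS MINWEEKS WARNWEEKS PASSLENGTH; do
        v=$(default_value "$1" "$key")
        case $v in
            ''|*[!0-9]*) echo "$1: $key is unset or not numeric ('$v')"; pw_rc=1 ;;
        esac
    done
    len=$(default_value "$1" PASSLENGTH)
    case $len in
        *[!0-9]*|'') ;;
        *) [ "$len" -ge 6 ] || { echo "$1: PASSLENGTH $len is below 6"; pw_rc=1; } ;;
    esac
    return $pw_rc
}

# Item 8: direct root login limited to the console (CONSOLE=/dev/console) or
# forbidden entirely (CONSOLE=/dev/null); root listed in ftpusers; sshd set to
# PermitRootLogin no.
check_remote_root() {   # check_remote_root LOGIN_FILE FTPUSERS_FILE SSHD_CONFIG
    rr_rc=0
    con=$(default_value "$1" CONSOLE)
    case $con in
        /dev/console|/dev/null) ;;
        *) echo "$1: CONSOLE is '$con'; expected /dev/console or /dev/null"; rr_rc=1 ;;
    esac
    grep -q '^root$' "$2" 2>/dev/null ||
        { echo "$2: root is not listed, so root can log in over FTP"; rr_rc=1; }
    grep -iq '^[[:space:]]*PermitRootLogin[[:space:]][[:space:]]*no[[:space:]]*$' "$3" 2>/dev/null ||
        { echo "$3: PermitRootLogin is not set to no"; rr_rc=1; }
    return $rr_rc
}

# Audit the live system when invoked as "script --live" (paths assumed as above).
if [ "${1:-}" = "--live" ]; then
    check_path "$PATH" || echo "PATH contains an unsafe component: $PATH"
    check_passwd_defaults /etc/default/passwd
    check_remote_root /etc/default/login /etc/ftpusers /etc/ssh/sshd_config
fi
```

Each function prints one line per finding and returns 1 if anything was flagged, so the script can be wired into a nightly cron job whose output is mailed to root.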

IV. System Hardening

1. Set an OpenBoot password

Set the password from Solaris: # eeprom security-password
Set the password from OpenBoot: ok password
Set the security level to command from Solaris: # eeprom security-mode=command
Set the security level to command from OpenBoot: ok setenv security-mode command
Set the security level to full from OpenBoot: ok setenv security-mode full
(command requires the password for every OpenBoot command except boot and go; full also requires it to boot, so an unattended reboot stops at the prompt until someone types it.)

2. Remove accounts that are not needed
Remove or lock accounts that are not required, such as sys, uucp, nuucp and listen, by putting NP in the password field of /etc/shadow.
(The simple method is passwd -l username, which writes *LK* into the field.)

3. File system
No file in /etc should be writable by its group or by other users.
# find /etc -type f -perm -g+w -print (find group-writable files)
# find /etc -type f -perm -o+w -print (find world-writable files)
# chmod -R go-w /etc (remove any incorrect group/other write permission)
/var/adm/utmp and /var/adm/utmpx should be mode 644.
4. Locking X Windows manually (when the administrator leaves the console)
CDE: the Lock icon on the front panel
OpenWindows: right-click > Utilities > Lock Screen

5. /etc access permissions
Run chmod -R g-w /etc to remove group write permission from /etc (already covered by the chmod -R go-w in item 3).

6. Packet forwarding and IP options (ndd settings do not survive a reboot, which is why they are added to /etc/init.d/inetinit)
Enable packet forwarding (only when the system acts as a router):
# ndd -set /dev/ip ip_forwarding 1
Disable packet forwarding:
# ndd -set /dev/ip ip_forwarding 0 (recommended; add to /etc/init.d/inetinit)
Ignore ICMP redirects (otherwise they can be abused to reroute traffic or cause a DoS):
# ndd -set /dev/ip ip_ignore_redirects 1 (add to /etc/init.d/inetinit)
Do not send ICMP redirects:
# ndd -set /dev/ip ip_send_redirects 0 (add to /etc/init.d/inetinit)
Do not forward directed broadcasts (otherwise the host can be used as an amplifier in smurf-style attacks):
# ndd -set /dev/ip ip_forward_directed_broadcasts 0 (add to /etc/init.d/inetinit)
Do not forward source-routed packets:
# ndd -set /dev/ip ip_forward_src_routed 0 (add to /etc/init.d/inetinit)
7. Disable IP forwarding with /etc/notrouter
Create the file /etc/notrouter and reboot (an intruder who has root can still re-enable IP forwarding with ndd).
Configuration in /etc/inet/hosts:
127.0.0.1 localhost (present on every system)
192.168.0.13 loghost (used by syslog)
192.168.0.109 wy_solaris (this host's IP address and host name)
/etc/defaultrouter contains the name or IP address of the default router.
If a default router is used by name, that name must be in /etc/inet/hosts, because no directory service (DNS, NIS or NIS+) is running yet when the routing table is set up at boot.

8. cron (jobs are in /var/spool/cron/crontabs/; defaults are in /etc/default/cron)
Format: minute hour day-of-month month day-of-week command
(Fields are separated by spaces; multiple values within one field are separated by commas; each value is a number or an asterisk.)
Configuration:
View: crontab -l
(1) cd to a directory that is readable only by the current user.
(2) crontab -l > mycronfile
(3) edit mycronfile
(4) crontab mycronfile
Do not use crontab -e, because it creates a copy of the crontab under /tmp that all users can read.
Access to the cron system:
/etc/cron.d/cron.allow (users allowed)
/etc/cron.d/cron.deny (users denied)
If cron.allow exists, only the users listed in it may use cron.
If cron.allow does not exist but cron.deny exists, every user not listed in cron.deny may use cron.
(If neither file exists, only root may use cron; on Solaris 8 and later, also users holding the solaris.jobs.user authorization.)
Set CRONLOG=YES in /etc/default/cron to log cron actions.
The PATH and SUPATH that cron gives jobs (set in /etc/default/cron) should not contain /tmp, ~ or "."; a trailing colon is an empty component and counts as ".".
at (jobs are in /var/spool/cron/atjobs):
/etc/cron.d/at.allow and /etc/cron.d/at.deny work exactly like the cron files.
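
As an added example for item 8 (not part of the original checklist), the script below implements the allow/deny decision described above, checks /etc/default/cron for CRONLOG and an unsafe PATH or SUPATH, and scans a crontab file for commands that are not absolute paths or live under /tmp, which an attacker could replace. Files are passed as arguments so it can be run against copies; on a live system use /etc/cron.d/cron.allow, /etc/cron.d/cron.deny, /etc/default/cron and /var/spool/cron/crontabs/<user>. The crontab scan is a heuristic: it looks only at the first word of the command.

```shell
#!/bin/sh
# Added example (not from the original checklist): cron access and crontab hygiene
# checks for item 8. All file locations are arguments.

# Returns 0 if USER may use cron (or at, when given the at.* files), 1 otherwise.
# If the allow file exists only listed users may; else if the deny file exists
# everyone not listed may; if neither exists only root may (on Solaris 8 and
# later also users with the solaris.jobs.user authorization, not modelled here).
cron_allowed() {    # cron_allowed USER ALLOW_FILE DENY_FILE
    if [ -f "$2" ]; then
        grep -q "^$1\$" "$2"
    elif [ -f "$3" ]; then
        ! grep -q "^$1\$" "$3"
    else
        [ "$1" = root ]
    fi
}

# Check /etc/default/cron: CRONLOG must be YES, and neither PATH nor SUPATH may
# contain ".", an empty component (leading/trailing/doubled colon), "~" or /tmp.
check_cron_defaults() {   # check_cron_defaults CRON_DEFAULTS_FILE
    crd_rc=0
    [ "$(sed -n 's/^[[:space:]]*CRONLOG=//p' "$1" | tail -1)" = YES ] ||
        { echo "$1: CRONLOG is not YES"; crd_rc=1; }
    for key in PATH SUPATH; do
        v=$(sed -n "s/^[[:space:]]*$key=//p" "$1" | tail -1)
        [ -z "$v" ] && continue
        case ":$v:" in
            *:.:*|*::*|*:~*|*:/tmp:*|*:/tmp/*)
                echo "$1: $key has an unsafe component: $v"; crd_rc=1 ;;
        esac
    done
    return $crd_rc
}

# Scan a crontab: flag entries with fewer than six fields, commands under /tmp,
# and commands given as relative names (resolved through cron's PATH).
check_crontab() {   # check_crontab CRONTAB_FILE
    file=$1
    ct_rc=0
    while IFS= read -r line; do
        case $line in ''|\#*) continue ;; esac
        set -f; set -- $line; set +f      # split fields without glob-expanding '*'
        if [ $# -lt 6 ]; then
            echo "$file: malformed entry: $line"; ct_rc=1; continue
        fi
        cmd=$6
        case $cmd in
            /tmp/*) echo "$file: command under world-writable /tmp: $line"; ct_rc=1 ;;
            /*) ;;
            *)  echo "$file: command is not an absolute path: $line"; ct_rc=1 ;;
        esac
    done < "$file"
    return $ct_rc
}
```

Run check_crontab over every file in /var/spool/cron/crontabs, and check_cron_defaults on /etc/default/cron, as part of the same periodic audit as the other checks on this page.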

9. Add static routes
Format: route add -net destination -netmask mask gateway
Example: route add -net 10.15.0.0 -netmask 255.255.0.0 10.14.48.2
(To reach the network 10.15.x.x, packets are sent to the router 10.14.48.2, which is one hop away. Add the command to the startup file /etc/rc2.d/S72inetsvc so the route is restored after a reboot.)
Dynamic routing (a security risk):
in.routed or in.rdisc is started from the rc2.d inet startup scripts when the host is set up as a router; a host that does not need to exchange routes should run neither daemon.
The diagnostic tool snoop is a packet sniffer and can only be run by root; remove snoop from UNIX machines that do not need it.

10. Incorrect root umask
Edit /etc/profile and set umask to 077 or 027.

11. Protection against stack buffer overflow attacks
Add the following to /etc/system to make the user stack non-executable (append with >>; a single > would overwrite /etc/system):
# echo "set noexec_user_stack=1" >> /etc/system
# echo "set noexec_user_stack_log=1" >> /etc/system
(The setting takes effect after a reboot; the second line logs every attempt to execute code on the stack. On Solaris 9 the non-executable stack can also be applied to a single program at link time if its source is available, for example: # cc -M /usr/lib/ld/map.noexstk myprogram.c. This stops code running on the stack; it does not stop attacks that never execute stack memory, such as return-into-libc.)

12. Disable IP forwarding and source routing in inetinit
If the host has more than one network interface, disable IP forwarding and source routing in /etc/init.d/inetinit by adding the following (these repeat the settings from item 6):

ndd -set /dev/ip ip_forward_directed_broadcasts 0
ndd -set /dev/ip ip_forward_src_routed 0
ndd -set /dev/ip ip_forwarding 0
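
The ndd settings from items 6 and 12 are easy to get wrong one line at a time, and since they are lost at every reboot the same table should drive both the startup script and a later audit. The following is an added example, not code from the original checklist: it holds the five /dev/ip tunables in one table, applies them the way an addition to /etc/init.d/inetinit on Solaris 2.6 to 9 would, and compares the live values against the table. It assumes a single-homed host that must not route; the NDD variable is only there so the functions can be exercised against a stub.

```shell
#!/bin/sh
# Added example (not from the original checklist): apply and verify the /dev/ip
# tunables from items 6 and 12. Assumes a host that must not forward packets.
# NDD may be overridden (for example with a stub) to test the logic offline.
NDD=${NDD:-/usr/sbin/ndd}

# "parameter value" pairs, one per line, in the order the checklist gives them.
IP_HARDENING='
ip_forwarding 0
ip_ignore_redirects 1
ip_send_redirects 0
ip_forward_directed_broadcasts 0
ip_forward_src_routed 0
'

# Set every tunable in the table (what the inetinit additions do at boot).
apply_ip_hardening() {
    while read -r param want; do
        [ -z "$param" ] && continue
        "$NDD" -set /dev/ip "$param" "$want" || echo "failed to set $param" >&2
    done <<EOF
$IP_HARDENING
EOF
}

# Compare the live values against the table; print each mismatch and return 1
# if any was found, 0 if the host is fully hardened.
audit_ip_hardening() {
    audit_rc=0
    while read -r param want; do
        [ -z "$param" ] && continue
        have=$("$NDD" -get /dev/ip "$param" 2>/dev/null)
        if [ "$have" != "$want" ]; then
            echo "/dev/ip $param is '${have:-unreadable}', want $want"
            audit_rc=1
        fi
    done <<EOF
$IP_HARDENING
EOF
    return $audit_rc
}

case ${1:-} in
    apply) apply_ip_hardening && audit_ip_hardening ;;
    audit) audit_ip_hardening ;;
esac
```

Invoke it as "script apply" from the startup script and "script audit" from a periodic job, so a tunable that an intruder or a later change has flipped back shows up as a mismatch.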
13. Prevent TCP sequence number prediction attacks (IP spoofing)
Set TCP_STRONG_ISS=2 in /etc/default/inetinit so that initial sequence numbers are generated in the RFC 1948 style (per-connection, hash based, unpredictable). The setting is read at boot; to apply it immediately run ndd -set /dev/tcp tcp_strong_iss 2.

14. (If the FTP service exists) do not allow anonymous FTP
The ftpd entry in /etc/inet/inetd.conf is:
ftp stream tcp nowait root /usr/sbin/in.ftpd in.ftpd -dl
(-l logs each FTP session via syslog; -d adds debugging output.)
Do not use FTP as root (the password travels unencrypted).
Add the superuser to /etc/ftpusers (accounts listed there cannot connect to the system via FTP).
The FTP service exposes sensitive system information:
Edit /etc/default/ftpd (create it if it does not exist) and add BANNER=XXXX (XXXX can be any string) so that the system version is not shown in the greeting.

15. Disable the NFS service.

16. Use SSH to replace the Telnet Service

17. Restrict the use of .rhosts, .netrc and /etc/hosts.equiv
The r-commands (rlogin, rsh, rcp) use these files to grant access without a password. To lock them, create them first and then set their mode to 0; no user other than root can then create or modify them.
/usr/bin/touch /.rhosts /.netrc /etc/hosts.equiv
/usr/bin/chmod 0 /.rhosts /.netrc /etc/hosts.equiv
A .rhosts file in a user's home directory is a classic backdoor: the hosts and users listed in it can log in with rlogin without a password, and a line reading "+ +" admits everyone.
Run the following command
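
Items 3 and 17 both reduce to find(1) queries that a periodic audit should repeat, because the chmod in item 17 only covers root's own files and says nothing about the .rhosts a user creates later in a home directory. The following is an added example, not code from the original checklist: one function lists group- or world-writable regular files under a tree (item 3), another lists trust files under a tree that are not locked as item 17 prescribes (non-empty, or any permission bit set), and a third reports .rhosts files that trust everyone. The tree to scan is an argument so the functions can be run against a test directory; on a live system use /etc for the first and / or the home directory file system for the others. Only find options shared by Solaris, GNU and BSD find are used.

```shell
#!/bin/sh
# Added example (not from the original checklist): audits for items 3 and 17.
# Every function takes the directory (or file) to examine as its argument.

# Print regular files under DIR that are group- or world-writable; return 1 if
# any were found, 0 if the tree is clean. Item 3 fixes findings with chmod go-w.
find_writable() {     # find_writable DIR
    found=$(find "$1" -type f \( -perm -g+w -o -perm -o+w \) -print 2>/dev/null)
    [ -n "$found" ] || return 0
    printf '%s\n' "$found"
    return 1
}

# Print .rhosts, .netrc and hosts.equiv files under DIR that are either
# non-empty or have any permission bit set. A trust file locked as item 17
# describes is zero length with mode 0, so it is not reported. Return 1 if any
# unlocked trust file was found.
find_unlocked_trust_files() {   # find_unlocked_trust_files DIR
    found=$(find "$1" -type f \( -name .rhosts -o -name .netrc -o -name hosts.equiv \) \
                 \( -size +0c -o ! -perm 0 \) -print 2>/dev/null)
    [ -n "$found" ] || return 0
    printf '%s\n' "$found"
    return 1
}

# Return 0 if the .rhosts (or hosts.equiv) file FILE contains a "+" wildcard
# entry, which trusts every host or every user.
rhosts_trusts_everyone() {   # rhosts_trusts_everyone FILE
    grep -q '^[[:space:]]*+' "$1" 2>/dev/null
}

# Audit the live system when invoked as "script --live" (paths are assumptions).
if [ "${1:-}" = "--live" ]; then
    find_writable /etc
    find_unlocked_trust_files / | while IFS= read -r f; do
        if rhosts_trusts_everyone "$f"; then
            echo "$f: trusts every host/user"
        fi
    done
fi
```

Findings from find_unlocked_trust_files should be reviewed rather than blindly emptied: a user may legitimately rely on a .netrc, and the right response is usually to replace the r-commands with SSH (item 16) and then lock the files.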
