Solaris System Security reinforcement list

Source: Internet
Author: User

PS: Because many Solaris security reinforcement lists are old, the list below was summarized from documents and practice (reinforcement will inevitably affect services). If there are errors or deficiencies, I hope you will not hesitate to enlighten me. (It was a Word document, so the format will be messy after it is published.)
Thanks to lgx and ghoststone for their help in this article.

Solaris System Security reinforcement list
-- Wang Yu

I. Security Philosophy

1. Security risks come from within the enterprise.
2. Administrator requirements: Do not trust anyone
3. Layered protection policy: assume that some security protection layers have failed completely.
4. Minimize services
5. Make plans for the worst case

II. Physical Security

1. Keep a record of personnel entering and leaving the IDC, and consider installing cameras.
2. Check whether the PROM has been replaced. You can record the hostid for later comparison.
3. The OpenBoot password should be different on each system, and the password scheme should be unpredictable.
4. Remove the CD-ROM after system installation.
5. Store version media in an off-site media storage room.

III. Account and password policies

1. The PATH that the superuser defines in /.profile should be set to:

PATH=/usr/bin:/sbin:/usr/sbin
No user's PATH or LD_LIBRARY_PATH should contain "."

2. Password, shadow, and group files

/etc/passwd must be readable by all users and writable by root: -rw-r--r--
/etc/shadow must be readable only by root: -r--------
/etc/group must be readable by all users and writable by root: -rw-r--r--

3. Password security

Solaris requires passwords of at least 6 characters, but this restriction is not imposed when the superuser changes a password.
Force the test account to change its password every 30 days:
# passwd -x 30 test
Force the test account to change its password at the next login:
# passwd -f test
Prohibit the test account from changing its password:
# passwd -n 2 -x 1 test
Lock the test account and disable login:
# passwd -l test

4. Group passwords

The newgrp command temporarily changes the gid.
Because the sysadmin group can execute admintool, it must be well protected. The process of adding a group password is as follows:
Delete unnecessary members (a member of sysadmin needs no password when changing to the group).
# passwd     (normally a blocked account)
Extract the user's password string from /etc/shadow and insert it into the sysadmin password field in /etc/group.
Block the user account.

5. Modify password policies

/etc/default/passwd file
MAXWEEKS=4      the password must be changed at least once every four weeks
MINWEEKS=1      the password can be changed at most once per week
WARNWEEKS=3     the user is warned in the third week that the password is about to need changing
PASSLENGTH=6    the user's password must be at least 6 characters long

6. Restrict su to a group (allow only the sysadmin group to execute su)

# chgrp sysadmin /bin/su
# chmod o-rwx /bin/su

7. su records

/etc/default/su file
SULOG=/var/adm/sulog
SYSLOG=YES
CONSOLE=/dev/console
PATH=/usr/bin
SUPATH=/usr/sbin:/usr/bin

8. Prohibit remote root login

Set CONSOLE=/dev/null in /etc/default/login.
Add root to /etc/ftpusers.
Add PermitRootLogin no to the SSH configuration file.
(Solaris 9 comes with SSH, and root login is prohibited by default. On Solaris 9, /etc/ftpusers is no longer used, and the FTP configuration files are all under /etc/ftpd. If /etc/ftpusers exists when ftpd starts, it is moved to /etc/ftpd.)
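
The settings in Section III can be checked mechanically. The script below is an added example, not part of the original article: it audits the file modes and the /etc/default/passwd, /etc/default/su, /etc/default/login and ftpusers values listed above. The function names, the root-prefix argument and the reading of the article's values as limits are assumptions of this example; it needs a POSIX shell (on Solaris, /usr/xpg4/bin/sh or ksh rather than the legacy /bin/sh).

```shell
#!/bin/sh
# Added example, not from the article: audit the Section III settings.
# ROOT is a prefix (assumption, for testing on a copy of /etc); "" = live system.

# path_is_safe STRING: fail if any element is "." or empty (both mean the cwd).
path_is_safe() {
    case ":$1:" in *::*|*:.:*) return 1 ;; esac
    return 0
}

# get_setting FILE KEY: print the value of the last uncommented KEY=value line.
get_setting() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" 2>/dev/null |
        sed 's/[[:space:]]*$//' | tail -1
}

# num_setting FILE KEY: as get_setting, but print 0 unless the value is numeric.
num_setting() {
    n=$(get_setting "$1" "$2")
    case $n in ''|*[!0-9]*) n=0 ;; esac
    echo "$n"
}

# mode_of FILE: print the ten-character ls mode string, e.g. -rw-r--r--
mode_of() { ls -ld "$1" 2>/dev/null | cut -c1-10; }

fail() { echo "FAIL: $*"; fails=$((fails + 1)); }

# audit ROOT: print one FAIL line per finding; return the number of findings.
audit() {
    root=$1; fails=0
    [ "$(mode_of "$root/etc/passwd")" = "-rw-r--r--" ] || fail "/etc/passwd mode"
    [ "$(mode_of "$root/etc/shadow")" = "-r--------" ] || fail "/etc/shadow mode"
    [ "$(mode_of "$root/etc/group")" = "-rw-r--r--" ] || fail "/etc/group mode"
    # Thresholds are the article's values, read here as limits (assumption).
    [ "$(num_setting "$root/etc/default/passwd" PASSLENGTH)" -ge 6 ] || fail "PASSLENGTH < 6"
    v=$(num_setting "$root/etc/default/passwd" MAXWEEKS)
    [ "$v" -ge 1 ] && [ "$v" -le 4 ] || fail "MAXWEEKS not in 1..4"
    for key in PATH SUPATH; do   # an unset key keeps the built-in default
        v=$(get_setting "$root/etc/default/su" "$key")
        [ -z "$v" ] || path_is_safe "$v" || fail "$key in /etc/default/su: $v"
    done
    [ "$(get_setting "$root/etc/default/login" CONSOLE)" = /dev/null ] ||
        fail "CONSOLE is not /dev/null in /etc/default/login"
    cat "$root/etc/ftpusers" "$root/etc/ftpd/ftpusers" 2>/dev/null |
        grep '^root$' >/dev/null || fail "root not listed in ftpusers"
    return "$fails"
}
```

Call `audit ""` as root on the live system, or `audit /path/to/copy` against a copied /etc tree; the return status is the number of findings.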


IV. System reinforcement

1. Set a password for OpenBoot

Set the password from Solaris: # eeprom security-password
Set the password in OpenBoot: ok password
Set the security level to command from Solaris: # eeprom security-mode=command
Set the security level to command in OpenBoot: ok setenv security-mode command
