Solaris Security Handbook

Source: Internet
Author: User
Tags: command line, file system, message queue

1. Preparation

The safest approach is to run only one or two services on the host. A dedicated machine is much safer than one that does everything, because it can be isolated and problems are easier to locate. In short: run only your most essential services on the machine. Consider removing the keyboard and screen so that you avoid X11 and use the command line instead, and test in an isolated, trusted network segment. Be clear about the consequences of your system and hardware configuration choices, for example when installing Sun DiskSuite:

Do you need the RPC service? DiskSuite requires it. Identify how the various applications work, such as which ports and files they use.

2. Initialize the installation of the operating system

Connect a serial console, boot, and at the OK prompt send a stop-a (~#, ~%b or F5, depending on whether you use tip, cu or a VT100 terminal), then start the installation process: boot cdrom - install

Use the minimal installation (End User bundle) unless you want additional server/developer tools; set the hostname, terminal, IP parameters, time zone and so on; do not activate NIS or NFS, and do not activate power management. Select manual partitioning: separate /usr, /opt and root so that those partitions can be mounted read-only. Consider a large /var file system, and put large amounts of data (web, FTP) into separate partitions.

If the hard drive is 2 GB: 200 MB for / (including /var), 200 MB swap, 600 MB /usr and 1 GB /opt.

If the hard drive is 2 GB: 300 MB for / (including /var and /opt), 200 MB swap, 500 MB /usr.

Set the root password to a strong 7 to 8 character mix of uppercase and lowercase letters, then reboot.

Then install Sun's security patches. Typically these patches are included on the CD. After rebooting and logging in as root, use showrev -p to view the installed patch list.

3. Configure the operating system

Disk mounts: to limit Trojans and unauthorized modifications, use the remount,nosuid options when mounting in /etc/vfstab, and give /var the nosuid option; give /tmp the size=100m,nosuid options (so /tmp can use at most 100 MB and SUID programs on it are not honoured).

If the floppy disk is not needed, comment out the /dev/fd line.

(The following commands assume that you are using the C shell.)

Disable NFS:

rm /etc/rc2.d/{S73nfs.client,K28nfs.server} /etc/rc3.d/S15nfs.server /etc/dfs/dfstab

Disable the sendmail daemon. Although sendmail then no longer runs as a daemon, the binary is still present and mail can still be sent (but not received) through it. If a host must accept email, you must use smap or an equivalent tool to reduce the risk from sendmail to a minimum.

rm /etc/rc2.d/S88sendmail

Then add a cron entry so that the mail queue is still processed:

0 * * * * /usr/lib/sendmail -q

Disable some other services:

rm /etc/rc2.d/{S74autofs,S30sysid.net,S71sysid.sys,S72autoinstall}

rm /etc/rc2.d/{S93cacheos.finish,S73cachefs.daemon,S80PRESERVE}

rm /etc/rc2.d/{S85power,K07dmi}

rm /etc/rc3.d/S77dmi

If you have the server/developer packages:

rm /etc/rc2.d/{S47asppp,S89bdconfig,S70uucp}

Disable RPC: it is generally recommended to turn RPC off, but some programs such as DiskSuite open RPC services, so it is generally recommended that you do not use the DiskSuite tool. If you do not want to disable RPC, be sure to use a packet filter.

rm /etc/rc2.d/S71rpc

Disable the print service (unless a local printer exists):

rm /etc/rc2.d/{S80lp,S80spc}

Disable the Name Service Cache Daemon (nscd):

mv /etc/rc2.d/S76nscd /etc/rc2.d/.S76nscd

Disable CDE (unless you insist on using a graphical console):

rm /etc/rc2.d/S99dtlogin

Disable NTP (the Network Time Protocol). NTP costs bandwidth and adds exposure; it is recommended to run rdate against a machine that uses NTP to get the exact time instead:

rm /etc/rc2.d/S74xntpd

Disable SNMP:

rm /etc/rc2.d/K07snmpdx /etc/rc3.d/S76snmpdx

Disable IP forwarding and source routing in inetinit (needed if there is more than one network interface). In /etc/init.d/inetinit, add the following settings:

ndd -set /dev/ip ip_forward_directed_broadcasts 0

ndd -set /dev/ip ip_forward_src_routed 0

ndd -set /dev/ip ip_forwarding 0

Following RFC 1948, add the following initial sequence number setting to /etc/default/inetinit to prevent TCP sequence number prediction attacks (IP spoofing):

TCP_STRONG_ISS=2

Add the following settings to /etc/system to prevent some buffer overflow attacks. These protect against attacks that need to execute code on the stack. Hardware support is required (valid only on sun4u/sun4d/sun4m systems):

set noexec_user_stack=1

set noexec_user_stack_log=1

Use a default route: add the router's IP address to /etc/defaultrouter, or use route commands in a startup file /etc/rc2.d/S99static_routes. To disable dynamic routing:

touch /etc/notrouter

To disable multicasting, comment out the route add 224.0.0.0 line and the few lines around it in /etc/init.d/inetsvc.

To log every inetd connection, add the -t parameter to the inetd start line at the end of the inetd startup script, that is:

/usr/sbin/inetd -s -t

Configure the hosts you want resolved locally (those you do not want to resolve via DNS) in /etc/hosts.

/etc/inetd.conf:

First disable all services;

Then enable only the services you really need, and use FWTK netacl or TCP Wrappers to allow access from a minimal set of IP addresses and to log connections.
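As an added example (not part of the original handbook), the following read-only shell audit checks a root tree for the controls this section configures: removed rc scripts, TCP_STRONG_ISS, the noexec_user_stack settings, the ndd lines, /etc/notrouter and nosuid on /var and /tmp. The sample tree it builds is constructed for the demo, and the field positions in the awk check assume the standard vfstab layout.

```shell
#!/bin/sh
# Added example, not from the handbook: read-only audit of a Solaris-style root tree
# for the controls the handbook configures. It only reads files, so it runs against "/"
# on a host or against the constructed sample tree below on any POSIX shell.

# Print one line per missing control. $1 = root of the tree to inspect ("/" on a host).
audit_hardening() {
  root=${1%/}
  # rc scripts the handbook removes; a survivor means that service still starts at boot
  for s in rc2.d/S73nfs.client rc2.d/K28nfs.server rc3.d/S15nfs.server rc2.d/S88sendmail \
           rc2.d/S71rpc rc2.d/S99dtlogin rc2.d/S74xntpd rc3.d/S76snmpdx rc2.d/S76nscd; do
    [ -e "$root/etc/$s" ] && echo "rc script still present: /etc/$s"
  done
  # RFC 1948 initial sequence numbers
  grep -q '^TCP_STRONG_ISS=2' "$root/etc/default/inetinit" 2>/dev/null ||
    echo "TCP_STRONG_ISS=2 missing from /etc/default/inetinit"
  # non-executable user stack (sun4u/sun4d/sun4m)
  for k in noexec_user_stack noexec_user_stack_log; do
    grep -q "^set $k=1" "$root/etc/system" 2>/dev/null || echo "set $k=1 missing from /etc/system"
  done
  # forwarding, source routing and directed broadcasts off
  for k in ip_forwarding ip_forward_src_routed ip_forward_directed_broadcasts; do
    grep -q "ndd -set /dev/ip $k 0" "$root/etc/init.d/inetinit" 2>/dev/null ||
      echo "ndd -set /dev/ip $k 0 missing from /etc/init.d/inetinit"
  done
  [ -e "$root/etc/notrouter" ] || echo "/etc/notrouter missing (dynamic routing still on)"
  # vfstab: field 3 is the mount point, field 7 the mount options
  for mp in /var /tmp; do
    awk -v mp="$mp" '$3 == mp && $7 ~ /nosuid/ { ok = 1 } END { exit ok ? 0 : 1 }' \
      "$root/etc/vfstab" 2>/dev/null || echo "$mp lacks nosuid in /etc/vfstab"
  done
  return 0
}

# Number of findings the audit printed for a tree.
finding_count() { audit_hardening "$1" | wc -l | tr -d ' '; }

# Constructed sample tree (not a real host): partially hardened, with the sendmail
# rc script left in place and /tmp mounted without nosuid, so the audit has work to do.
make_sample_tree() {
  mkdir -p "$1/etc/rc2.d" "$1/etc/rc3.d" "$1/etc/default" "$1/etc/init.d"
  : > "$1/etc/rc2.d/S88sendmail"; : > "$1/etc/notrouter"
  echo 'TCP_STRONG_ISS=2' > "$1/etc/default/inetinit"
  printf 'set noexec_user_stack=1\nset noexec_user_stack_log=1\n' > "$1/etc/system"
  printf 'ndd -set /dev/ip %s 0\n' ip_forward_directed_broadcasts ip_forward_src_routed \
    ip_forwarding > "$1/etc/init.d/inetinit"
  printf '%s\n' '/dev/dsk/c0t0d0s3 /dev/rdsk/c0t0d0s3 /var ufs 1 no nosuid' \
    'swap - /tmp tmpfs - yes size=100m' > "$1/etc/vfstab"
}
d=${TMPDIR:-/tmp}/solaris-audit.$$   # stand-alone demo; on a real host run: audit_hardening /
make_sample_tree "$d"; audit_hardening "$d"; rm -rf "$d"
```

On the constructed tree the audit reports two findings (the leftover S88sendmail script and /tmp without nosuid); fixing both brings the count to zero.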
