Version 1.0
NOT FOR PUBLIC RELEASE
15 October 2005
www.cybertrust.com
13650 Dulles Technology Dr. Suite 500 Herndon, VA 20171-4602 P 703.480.8510 F 703.780.8440
Cybertrust 2006. Proprietary and confidential. Not for disclosure to outside parties without written permission of Cybertrust, Inc.
Publication History

Date              Version Number  Summary of Changes
15 October 2005   1.0             Initial publication
15 February 2006  1.0             No content change, Cybertrust brand updated
Copyright 2006 Cybertrust, Inc. All Rights Reserved. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopy, recording or any information retrieval system, without the express permission of Cybertrust, Inc. Cybertrust and other names of Cybertrust, Inc., products and services referenced herein are trademarks, service marks, or registered trademarks of Cybertrust, Inc. Other products, services, and company names mentioned herein are the trademarks of their respective owners. Direct all requests for permission to reproduce any portion of this document to Cybertrust, Inc. Use of this information. The information in this document is provided as is and, to the fullest extent permissible under applicable law, Cybertrust, Inc., disclaims all warranties, express or implied, including, but not limited to, warranties of merchantability and fitness for a particular purpose. We do not warrant that the information contained in this document is error-free or that defects will be corrected. We do not warrant or make any representations regarding the use or obtainable results of the use of this information in terms of correctness, accuracy, reliability, or otherwise. By using this information, you acknowledge your understanding of these terms and you agree to assume the entire risk and cost of any necessary configuration changes, testing, damages, or remediation arising from such use. Limitation of liability. To the maximum extent possible under applicable law, Cybertrust, Inc., shall not be liable for any damages, including, but not limited to, special, indirect, incidental, punitive, or consequential damages, that may result from the use or inability to use the information in this document, even if we or our authorized representative has been advised of the possibility of such damages.
Table of Contents
1. Introduction
   1.1. Intended Audience
   1.2. Quick Start Guide
2. Solaris 10 Essential Configuration
   2.1. Before You Begin
   2.2. Applicable Essential Practices
   2.3. Configuration Steps
   2.4. Synergistic Controls
   2.5. References and Related Documentation
3. Frequently Asked Questions
1. Introduction
The hardening of critical systems has long been a staple of good security practice. Unfortunately, traditional hardening is typically very expensive. It usually is time-consuming, requires significant experimentation, often causes nonfunctional applications, and even with guides and checklists often requires significant expertise. Therefore, both Cybertrust and the security community at large feel that hardening is most useful and appropriate only when deploying new systems.

A Cybertrust Essential Configuration (EC) is a simplified, checklist-oriented guide whose steps are based on empirical risk evidence and modeling. An EC does not make a system secure against all attack. For example, successfully applying an operating system EC will not necessarily mitigate existing application flaws. An EC does efficiently address a majority of current and predicted risks, even when applied very quickly (typically under an hour) to systems already in operation. An EC typically requires very little tuning, and there is low likelihood of negatively affecting the operating system or its normally functioning applications.

EC controls are synergistic with other Cybertrust controls and, therefore, work best in Cybertrust-engaged environments. Physical, policy, and administrative controls continue to be critical, even for essentially configured devices. Further, there is a continuous stream of newly publicized software vulnerabilities, some of which may require changes to an EC. Various Cybertrust mailing lists, Cybertrust Alert Manager, and Cybertrust Hype or Hot maintain customer awareness and help in mitigating near-term risk. Use of an EC, in conjunction with other Cybertrust offerings, not only reduces hardening cost, but also reduces maintenance cost, including patching and response to new threats.

Cybertrust has successfully tested this EC in several laboratory environments, where the EC provided an enhanced security posture without negatively affecting system operations. However, an organization's fielded systems may differ significantly from Cybertrust's test environment. As such, experienced system and security administrators should be involved in EC implementation to facilitate any business-specific decisions and to minimize unexpected downtime caused by differences between Cybertrust's test environment and your fielded systems. Also, before applying an EC to a production system, please take appropriate precautions, such as creating backups of critical data and coordinating with your in-house information security staff.
Before beginning, ensure that you have made backup copies of all important content and configuration information.
The administrator must be conversant with a text editor (such as vi) and must be capable of navigating the file system and modifying configuration files. Some steps in this process may temporarily disable X Windows and require the administrator to operate from a text-mode console. In actual deployment, the administrator should know exactly which services on a system are intended for use, as opposed to those that were incidentally enabled as part of the system build. In addition, as with any significant configuration change, the user is advised to perform adequate backups before making any changes.

As with most OS distributions, the default configuration for Solaris includes services that are unnecessary for most organizations. The approach taken in this document is to disable everything (i.e., establish a default-deny configuration) and then re-enable only those services that are essential to the specific application.

Common Desktop Environment (CDE) is the default and current window management system supplied with Solaris. Unfortunately, from a security perspective, CDE depends on remote procedure call (RPC) services being active to function properly. Cybertrust considers disabling or restricting access to RPC an essential step in securing Solaris. Some Solaris RPC-based services have presented significant security issues, and barring an insurmountable business need, disabling those services is key. The general options for securing Solaris are as follows:

- Use no graphical user interface (GUI), and disable all services, possibly using Secure Shell (SSH) or X to a remote system.
- Block access to RPC and X.
- If full-time CDE, Network File System (NFS), Network Information System (NIS), ToolTalk, or other RPC-based services are required for business reasons, consider an alternate access control mechanism such as SunScreen Lite or ipfilter.

Do not proceed with this configuration process if your business requirements include RPC-based services.

The following steps implement the Solaris 10 EC:

1. Disable unnecessary services. Solaris 10 ships with a number of services that are on by default but are not needed. A service that is not on cannot be exploited. Administrators should use their own judgment in turning services off, because doing so may reduce system functionality. Test all removed services to be sure that your applications do not depend on them. The chart below lists service names and their associated instances:
Command to Stop It:
svcadm disable svc:/network/rpc/bind:default
svcadm disable svc:/network/rpc/keyserv:default
svcadm disable svc:/network/nis/server:default
svcadm disable svc:/network/nis/passwd:default
svcadm disable svc:/network/nis/update:default
svcadm disable svc:/network/nis/xfr:default
Service: NIS client; NIS+; Lightweight Directory Access Protocol (LDAP) cache manager; Kerberos server
Command to Stop It:
svcadm disable svc:/network/security/ktkt_warn:default
svcadm disable svc:/network/rpc/gss:default
mv /etc/rc2.d/S99dtlogin /etc/rc2.d/.NOS99dtlogin 2>/dev/null
svcadm disable svc:/network/rpc-100083_1/rpc_tcp:default
mv /etc/rc2.d/S90wbem /etc/rc2.d/.NOS90wbem 2>/dev/null
mv /etc/rc2.d/S90webconsole /etc/rc2.d/.NOS90webconsole 2>/dev/null
mv /etc/rc3.d/S81volmgt /etc/rc3.d/.NOS81volmgt 2>/dev/null
svcadm disable svc:/network/rpc/smserver:default
mv /etc/rc3.d/S90samba /etc/rc3.d/.NOS90samba 2>/dev/null
svcadm disable svc:/network/nfs/server:default
svcadm disable svc:/network/nfs/cbd:default
svcadm disable svc:/network/nfs/mapid:default
Service: Auto Mounter; Telnet Server; File Transfer Protocol (FTP) Server; rlogin/rsh Servers
Command to Stop It:
svcadm disable svc:/system/filesystem/autofs:default
svcadm disable svc:/network/telnet:default
svcadm disable svc:/network/ftp:default
svcadm disable svc:/network/login:rlogin
svcadm disable svc:/network/shell:default

Service: Boot Services; Dynamic Host Configuration Protocol (DHCP) Server; Domain Name System (DNS) Server; Trivial File Transfer Protocol (TFTP) Server; Print Servers
Command to Stop It:
svcadm disable svc:/network/dhcp-server:default
svcadm disable svc:/network/dns/server:default
svcadm disable svc:/network/tftp:default
svcadm disable -s svc:/application/print/cleanup:default
svcadm disable svc:/application/print/server:default
svcadm disable svc:/application/print/rfc1179:default

Service: Web Servers
Command to Stop It:
svcadm disable svc:/network/http:apache2
mv /etc/rc3.d/S50apache /etc/rc3.d/.NOS50apache 2>/dev/null
mv /etc/rc2.d/S42ncakmod /etc/rc2.d/.NOS42ncakmod 2>/dev/null
mv /etc/rc2.d/S94ncalogd /etc/rc2.d/.NOS94ncalogd 2>/dev/null

Service: Simple Network Management Protocol (SNMP) Server; inetd; Solaris Volume Manager services
Command to Stop It:
mv /etc/rc3.d/S82initsma /etc/rc3.d/.NOS82initsma 2>/dev/null
svcadm disable svc:/network/inetd:default
svcadm disable svc:/system/metainit:default
svcadm disable svc:/platform/sun4u/mpxio-upgrade:default
svcadm disable svc:/system/mdmonitor:default
Command to Stop It:
svcadm disable svc:/network/chargen:dgram
svcadm disable svc:/network/chargen:stream
svcadm disable svc:/network/daytime:dgram
svcadm disable svc:/network/daytime:stream
svcadm disable svc:/network/discard:dgram
svcadm disable svc:/network/discard:stream
svcadm disable svc:/network/echo:dgram
svcadm disable svc:/network/echo:stream
svcadm disable svc:/network/time:dgram
svcadm disable svc:/network/time:stream
svcadm disable svc:/network/rpc/rex:default
svcadm disable svc:/network/rexec:default
svcadm disable svc:/network/uucp:default
svcadm disable svc:/network/comsat:default
svcadm disable svc:/network/rpc/spray:default
svcadm disable svc:/network/rpc/wall:default
svcadm disable svc:/network/tname:default
svcadm disable svc:/network/talk:default
svcadm disable svc:/network/finger:default
svcadm disable svc:/network/rpc/rstat:default
svcadm disable svc:/network/rpc/rusers:default
svcadm disable svc:/network/rpc/ocfserv:default
svcadm disable svc:/network/login:eklogin
svcadm disable svc:/network/login:klogin
svcadm disable svc:/network/shell:kshell
svcadm disable -s svc:/system/power:default
svcadm disable svc:/network/slp:default
svcadm disable svc:/application/management/webmin:default
svcadm disable svc:/system/consadm:default
svcadm disable svc:/application/gdm2-login:default
svcadm disable svc:/application/print/ipp-listener:default
svcadm disable -s svc:/system/name-service-cache:default
svcadm disable svc:/network/apocd/udp:default
svcadm disable svc:/application/x11/xfs:default
Command to Stop It:
svcadm disable svc:/application/font/stfsloader:default
svcadm disable svc:/network/rpc-100068_2-5/rpc_udp:default
svcadm disable svc:/network/rpc-100235_1/rpc_ticotsord:default
mv /etc/rc2.d/S40llc2 /etc/rc2.d/.NOS40llc2 2>/dev/null
mv /etc/rc2.d/S47pppd /etc/rc2.d/.NOS47pppd 2>/dev/null
mv /etc/rc2.d/S70uucp /etc/rc2.d/.NOS70uucp 2>/dev/null
mv /etc/rc2.d/S72autoinstall /etc/rc2.d/.NOS72autoinstall 2>/dev/null
mv /etc/rc2.d/S73cachefs.daemon /etc/rc2.d/.NOS73cachefs.daemon 2>/dev/null
mv /etc/rc2.d/S89bdconfig /etc/rc2.d/.NOS89bdconfig 2>/dev/null
mv /etc/rc2.d/S89PRESERVE /etc/rc2.d/.NOS89PRESERVE 2>/dev/null
mv /etc/rc2.d/S16boot.server /etc/rc2.d/.NOS16boot.server 2>/dev/null
mv /etc/rc2.d/S52imq /etc/rc2.d/.NOS52imq 2>/dev/null
mv /etc/rc2.d/S84appserv /etc/rc2.d/.NOS84appserv 2>/dev/null
mv /etc/rc2.d/S75seaport /etc/rc2.d/.NOS75seaport 2>/dev/null
mv /etc/rc2.d/S76snmpdx /etc/rc2.d/.NOS76snmpdx 2>/dev/null
mv /etc/rc2.d/S77dmi /etc/rc2.d/.NOS77dmi 2>/dev/null
mv /etc/rc2.d/S80mipagent /etc/rc2.d/.NOS80mipagent 2>/dev/null
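Added example, not from the Cybertrust document: a POSIX shell check to run after step 1 that compares the output of "svcs -a" against the FMRIs the chart says to disable and reports anything still online, in maintenance, or absent from the listing. The "svcs -a" text and the FMRI list below are constructed samples, so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the Cybertrust document. After the svcadm commands
# in step 1, confirm that every service on the "disable" list really is
# disabled. The check reads the text of "svcs -a" (columns: STATE STIME FMRI);
# a constructed sample is embedded so the script runs offline.

# Constructed "svcs -a" output: two listed services were not disabled.
SAMPLE_SVCS='STATE          STIME    FMRI
online         10:02:11 svc:/system/filesystem/local:default
disabled       10:02:10 svc:/network/telnet:default
online         10:02:14 svc:/network/ftp:default
disabled       10:02:10 svc:/network/rpc/bind:default
maintenance    10:02:15 svc:/network/nfs/server:default
online         10:02:16 svc:/network/ssh:default'

# A subset of the FMRIs from the step 1 chart (one is deliberately not in the
# sample listing, to show how an absent service is reported).
EXPECTED_OFF='svc:/network/telnet:default
svc:/network/ftp:default
svc:/network/rpc/bind:default
svc:/network/nfs/server:default
svc:/network/shell:default'

# still_enabled SVCS_TEXT FMRI_LIST
# Prints "STATE FMRI" for each listed FMRI whose state is anything other than
# "disabled". An FMRI missing from the listing is printed as "missing" so that
# a mistyped name cannot pass silently.
still_enabled() {
    _svcs=$1
    _want=$2
    printf '%s\n' "$_want" | while IFS= read -r fmri; do
        [ -n "$fmri" ] || continue
        state=$(printf '%s\n' "$_svcs" | awk -v f="$fmri" '$3 == f { print $1 }')
        case "$state" in
            disabled) ;;
            "")       printf 'missing %s\n' "$fmri" ;;
            *)        printf '%s %s\n' "$state" "$fmri" ;;
        esac
    done
}

# all_disabled SVCS_TEXT FMRI_LIST  -> exit 0 only if nothing is reported
all_disabled() {
    [ -z "$(still_enabled "$1" "$2")" ]
}

# On a live system: still_enabled "$(svcs -a)" "$EXPECTED_OFF"
still_enabled "$SAMPLE_SVCS" "$EXPECTED_OFF"
```

The rc-script entries renamed with mv are not covered by svcs; check those with ls /etc/rc2.d/S* /etc/rc3.d/S* and confirm none of the renamed names remain.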
2. Create a protected core dump directory. Creating a directory that only root can read protects any information that might be contained in a core dump from a set-user-ID (setuid) or set-group-ID (setgid) process. Perform the following actions to create and isolate the new directory:

mkdir -p /var/core
chown root:root /var/core
chmod 700 /var/core
coreadm -g /var/core/core_%n_%f_%u_%g_%t_%p -e log -e global -e global-setid -d process -d proc-setid
3. Reset the Transmission Control Protocol (TCP) initial sequence number generation parameter. By truly randomizing the initial sequence number of TCP connections, you can better protect the system.

vi /etc/default/inetinit

Change the appropriate line to read:

TCP_STRONG_ISS=2
4. Modify the Internet Protocol (IP) module by adding these commands to one of your start-up scripts:

vi /etc/init.d/netconfig

a. Add the following lines:

### Set kernel parameters for /dev/ip
/usr/sbin/ndd -set /dev/ip ip_respond_to_echo_broadcast 0
/usr/sbin/ndd -set /dev/ip ip_forward_directed_broadcasts 0
/usr/sbin/ndd -set /dev/ip ip_respond_to_timestamp 0
/usr/sbin/ndd -set /dev/ip ip_respond_to_timestamp_broadcast 0
/usr/sbin/ndd -set /dev/ip ip_forward_src_routed 0
/usr/sbin/ndd -set /dev/ip ip_ignore_redirect 1
/usr/sbin/ndd -set /dev/tcp tcp_rev_src_routes 0
/usr/sbin/ndd -set /dev/tcp tcp_conn_req_max_q 1024
/usr/sbin/ndd -set /dev/tcp tcp_conn_req_max_q0 4096
/usr/sbin/ndd -set /dev/arp arp_cleanup_interval 60000

b. Protect the administrative files:

chown root:root /etc/init.d/netconfig
chmod 744 /etc/init.d/netconfig

5. Capture syslog AUTH messages. Messages sent to the LOG_AUTH facility are normally not stored. To capture this information (including su attempts and log-in attempts), execute the following:

if [ ! "`grep -v '^#' /etc/syslog.conf | grep /var/log/authlog`" ]; then
    printf 'auth.info\t\t\t/var/log/authlog\n' >> /etc/syslog.conf
fi
logadm -w authlog -C 13 -a 'pkill -HUP syslogd' /var/log/authlog

6. Capture failed log-ins. Log-in failures for regular accounts are normally not captured. The following process will allow you to review any potential break-in attempts:

touch /var/adm/loginlog
chown root:sys /var/adm/loginlog
chmod 600 /var/adm/loginlog
cd /etc/default
awk '/SYSLOG_FAILED_LOGINS=/ { $1 = "SYSLOG_FAILED_LOGINS=0" }; { print }' login > login.new
mv login.new login
pkgchk -f -n -p /etc/default/login
logadm -w connlog -C 13 /var/adm/loginlog

7. Log all cron jobs. By logging cron job execution, you can better monitor the automatic processes that are running on your server.

a. Edit the /etc/default/cron file.
b. Change the appropriate line to read: CRONLOG=YES
c. Save and close.
d. Confirm that the change worked by using the following:

pkgchk -f -n -p /etc/default/cron

8. Check system file permissions. Confirm that all the essential system files are editable only by root by running the following commands:

pkgchk -f -n -p /var/log/syslog
pkgchk -f -n -p /var/log/authlog
pkgchk -f -n -p /var/adm/utmpx
pkgchk -f -n -p /var/adm/wtmpx
chown root:sys /var/adm/loginlog
chown root:root /var/cron/log /var/adm/messages /var/log/connlog
chmod go-wx /var/adm/messages
chmod go-rwx /var/adm/loginlog /var/cron/log /var/log/connlog
chown sys:sys /var/adm/sa/*
chmod go-wx /var/adm/sa/*
dir=`awk -F: '($1 == "dir") { print $2 }' /etc/security/audit_control`
chown root:root $dir/*
chmod go-rwx $dir/*

9. Set the daemon umask. Resetting the umask prevents any daemons that are running from creating world readable files.

a. Run the following command:

vi /etc/default/init

b. Change the appropriate line to read: UMASK=022
c. Save and close.
d. Confirm that the change worked by using the following:

pkgchk -f -n -p /etc/default/init
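Added example, not from the Cybertrust document. Steps 3, 6, 7 and 9 all edit one KEY=VALUE line in a Solaris /etc/default/* file, and the key sometimes ships commented out (the document's awk in step 6 relies on this for SYSLOG_FAILED_LOGINS). The helper below generalizes that edit to any key and file, handling an active key, a commented-out key and an absent key; the /etc/default/login contents it works on are a constructed sample, and set_default_param and get_default_param are names chosen here.

```shell
#!/bin/sh
# Added example, not from the Cybertrust document. Steps 3, 6, 7 and 9 each
# change one KEY=VALUE line in a Solaris /etc/default/* file, and the key may
# ship commented out (for example "#SYSLOG_FAILED_LOGINS=5"). This helper does
# the same edit for any key and covers the three cases met in practice:
# key active, key commented out, key absent.

# set_default_param FILE KEY VALUE
# Leaves FILE with exactly one active "KEY=VALUE" line: a "#KEY=..." line is
# uncommented and updated, an active "KEY=..." line is updated, duplicates are
# dropped, and an absent key is appended. The result is copied back over the
# original so the file's inode, owner and mode survive; still run
# "pkgchk -f -n -p FILE" afterwards, as the document does, to be sure.
set_default_param() {
    _file=$1 _key=$2 _val=$3
    awk -v key="$_key" -v val="$_val" '
        BEGIN { done = 0 }
        $0 ~ ("^#?" key "=") {             # "KEY=" or "#KEY=" at line start
            if (!done) { print key "=" val; done = 1 }
            next
        }
        { print }
        END { if (!done) print key "=" val }
    ' "$_file" > "$_file.new" && cat "$_file.new" > "$_file" && rm -f "$_file.new"
}

# get_default_param FILE KEY  -> prints the active value, empty if none
get_default_param() {
    awk -F= -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# Demonstration on a constructed copy of /etc/default/login.
demo() {
    _tmp=${TMPDIR:-/tmp}/login.$$
    printf '%s\n' '# constructed sample of /etc/default/login' \
        'CONSOLE=/dev/console' '#SYSLOG_FAILED_LOGINS=5' 'UMASK=022' > "$_tmp"
    set_default_param "$_tmp" SYSLOG_FAILED_LOGINS 0   # step 6: uncomment and set
    set_default_param "$_tmp" UMASK 022                # step 9 value, already present
    set_default_param "$_tmp" PASSREQ YES              # absent key: appended
    cat "$_tmp"
    rm -f "$_tmp"
}
demo
```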
10. Confirm ownership of other essential system files. Make sure that each file is owned by root. Run the following commands:

pkgchk -f -n -p /etc/passwd
pkgchk -f -n -p /etc/shadow
pkgchk -f -n -p /etc/group

11. Remove files and directories that have no owner. Removing users can sometimes leave files behind that now belong to no one, which presents a security risk. These files should be chowned or deleted. To detect these files, run the following command:

find / \( -nouser -o -nogroup \) -print

12. Tighten the SSH client and server configuration. By adjusting some of the configuration parameters of your SSH client and server, you can better protect your remote communications. Run the following commands:

cd /etc/ssh
cat <<EOCliConfig >> ssh_config
Host *
    Protocol 2
EOCliConfig
awk '/^Protocol/ { $2 = 2 };
     /^X11Forwarding/ { $2 = "yes" };
     /^MaxAuthTries/ { $2 = 5 };
     /^IgnoreRhosts/ { $2 = "yes" };
     /^RhostsAuthentication/ { $2 = "no" };
     /^RhostsRSAAuthentication/ { $2 = "yes" };
     /^PermitRootLogin/ { $2 = "no" };
     /^PermitEmptyPasswords/ { $2 = "no" };
     /^#Banner/ { $1 = "Banner" };
     { print }' sshd_config > sshd_config.new
mv sshd_config.new sshd_config
pkgchk -f -n -p /etc/ssh/sshd_config

13. Enable the screen saver with a password. Forcing the screen saver to come on prevents the casual observer from sitting down at an open terminal. Run the following commands:

for file in /usr/dt/config/*/sys.resources; do
    dir=`dirname $file | sed 's/usr/etc/'`
    mkdir -p $dir
    echo "dtsession*saveTimeout: 10" >> $dir/sys.resources
    echo "dtsession*lockTimeout: 10" >> $dir/sys.resources
    chown root:sys $dir/sys.resources
    chmod 444 $dir/sys.resources
done
cd /usr/openwin/lib/app-defaults
awk '/^\*timeout:/ { $2 = "0:10:00" }; /^\*lockTimeout:/ { $2 = "0:00:00" }; /^\*lock:/ { $2 = "True" }; { print }' XScreenSaver > XScreenSaver.new
mv XScreenSaver.new XScreenSaver
pkgchk -f -n -p /usr/openwin/lib/app-defaults/XScreenSaver

14. Make sure that all accounts have non-null passwords. To list accounts with empty passwords, run the following command:

logins -p
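Added example, not from the Cybertrust document: a check to run after the sshd_config rewrite in step 12. sshd takes the first occurrence of each keyword and matches keywords case-insensitively, and a directive the awk left commented out (such as #Banner) is still unset; the check below reports every directive whose effective value differs from what step 12 intends. The sshd_config text and expected list are constructed samples, and effective_value, check_sshd_config and sshd_config_ok are names chosen here.

```shell
#!/bin/sh
# Added example, not from the Cybertrust document. Verifies the effective
# sshd_config values after step 12, using sshd's own rules: the FIRST
# occurrence of a keyword wins, keywords are case-insensitive, and commented
# lines do not count. A constructed config is embedded so it runs offline.

# Constructed sshd_config: Banner is still commented out, and a later
# duplicate PermitRootLogin line would be ignored by sshd.
SAMPLE_SSHD_CONFIG='# constructed sample
Protocol 2
X11Forwarding yes
MaxAuthTries 5
IgnoreRhosts yes
PermitRootLogin no
PermitEmptyPasswords no
#Banner /etc/issue
PermitRootLogin yes'

# Expected effective values for the directives step 12 sets.
SSHD_EXPECTED='Protocol 2
MaxAuthTries 5
IgnoreRhosts yes
PermitRootLogin no
PermitEmptyPasswords no
Banner /etc/issue'

# effective_value CONFIG_TEXT KEYWORD -> first active value, "" if unset
effective_value() {
    printf '%s\n' "$1" | awk -v k="$2" '
        /^[ \t]*#/ || NF < 2 { next }                  # comments, blank lines
        tolower($1) == tolower(k) { print $2; exit }   # first match wins
    '
}

# check_sshd_config CONFIG_TEXT EXPECTED_LIST
# Prints "KEYWORD want=X got=Y" for each directive that is not as expected.
check_sshd_config() {
    _cfg=$1
    printf '%s\n' "$2" | while read -r kw want; do
        [ -n "$kw" ] || continue
        got=$(effective_value "$_cfg" "$kw")
        if [ "$got" != "$want" ]; then
            printf '%s want=%s got=%s\n' "$kw" "$want" "${got:-<unset>}"
        fi
    done
}

# sshd_config_ok CONFIG_TEXT EXPECTED_LIST -> exit 0 only if no mismatches
sshd_config_ok() {
    [ -z "$(check_sshd_config "$1" "$2")" ]
}

# On a live system: check_sshd_config "$(cat /etc/ssh/sshd_config)" "$SSHD_EXPECTED"
check_sshd_config "$SAMPLE_SSHD_CONFIG" "$SSHD_EXPECTED"
```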