Solaris 10

Cybertrust Essential Security Configuration for Solaris 10
Version 1.0
NOT FOR PUBLIC RELEASE
15 October 2005
www.cybertrust.com
13650 Dulles Technology Dr. Suite 500 Herndon, VA 20171-4602 P 703.480.8510 F 703.780.8440
Cybertrust 2006. Proprietary and confidential. Not for disclosure to outside parties without written permission of Cybertrust, Inc.
Cybertrust Essential Security Configuration for Solaris 10 | Page i
Publication History Date 15 October 2005 15 February 2006 Version Number 1.0 1.0 Summary of Changes Initial publication No content change, Cybertrust brand updated
Copyright 2006 Cybertrust, Inc. All Rights Reserved. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopy, recording or any information retrieval system, without the express permission of Cybertrust, Inc. Cybertrust and other names of Cybertrust, Inc., products and services referenced herein are trademarks, service marks, or registered trademarks of Cybertrust, Inc. Other products, services, and company names mentioned herein are the trademarks of their respective owners. Direct all requests for permission to reproduce any portion of this document to Cybertrust, Inc. Use of this information. The information in this document is provided as is and, to the fullest extent permissible under applicable law, Cybertrust, Inc., disclaims all warranties, express or implied, including, but not limited to, warranties of merchantability and fitness for a particular purpose. We do not warrant that the information contained in this document is error-free or that defects will be corrected. We do not warrant or make any representations regarding the use or obtainable results of the use of this information in terms of correctness, accuracy, reliability, or otherwise. By using this information, you acknowledge your understanding of these terms and you agree to assume the entire risk and cost of any necessary configuration changes, testing, damages, or remediation arising from such use. Limitation of liability. To the maximum extent possible under applicable law, Cybertrust, Inc., shall not be liable for any damages, including, but not limited to, special, indirect, incidental, punitive, or consequential damages, that may result from the use or inability to use the information in this document, even if we or our authorized representative has been advised of the possibility of such damages.
Cybertrust Essential Security Configuration for Solaris 10 | Page ii
Table of Contents
1. Introduction ........................................................................................................................................... 1 1.1. Intended Audience...................................................................................................................... 1 1.2. Quick Start Guide ....................................................................................................................... 2 Solaris 10 Essential Configuration ........................................................................................................ 2 2.1. Before You Begin........................................................................................................................ 2 2.2. Applicable Essential Practices .................................................................................................... 2 2.3. Configuration Steps .................................................................................................................... 2 2.4. Synergistic Controls.................................................................................................................. 11 2.5. References and Related Documentation .................................................................................. 11 Frequently Asked Questions............................................................................................................... 12
2.
3.
Cybertrust Essential Security Configuration for Solaris 10 | Page 1
1. Introduction
The hardening of critical systems has long been a staple of good security practice. Unfortunately, traditional hardening is typically very expensive. It usually is time-consuming, requires significant experimentation, often causes nonfunctional applications, and even with guides and checklists often requires significant expertise. Therefore, both Cybertrust and the security community at large feel that hardening is most useful and appropriate only when deploying new systems. A Cybertrust Essential Configuration (EC) is a simplified, checklist-oriented guide whose steps are based on empirical risk evidence and modeling. An EC does not make a system secure against all attack. For example, successfully applying an operating system EC will not necessarily mitigate existing application flaws. An EC does efficiently address a majority of current and predicted risks, even when applied very quickly (typically under an hour) to systems already in operation. An EC typically requires very little tuning, and there is low likelihood of negatively affecting the operating system or its normally functioning applications. EC controls are synergistic with other Cybertrust controls and, therefore, work best in Cybertrust-engaged environments. Physical, policy, and administrative controls continue to be critical, even for essentially configured devices. Further, there is a continuous stream of newly publicized software vulnerabilities, some of which may require changes to an EC. Various Cybertrust mailing lists, Cybertrust Alert Manager, and Cybertrust Hype or Hot maintain customer awareness and help in mitigating near-term risk. Use of an EC, in conjunction with other Cybertrust offerings, not only reduces hardening cost, but also reduces maintenance cost, including patching and response to new threats. Cybertrust has successfully tested this EC in several laboratory environments, where the EC provided an enhanced security posture without negatively affecting system operations. However, an organizations fielded systems may differ significantly from Cybertrusts test environment. As such, experienced system and security administrators should be involved in EC implementation to facilitate any business-specific decisions and to minimize unexpected downtime caused by differences between Cybertrusts test environment and your fielded systems. Also, before applying an EC to a production system, please take appropriate precautions, such as creating backups of critical data and coordinating with your in-house information security staff.
1.1. Intended Audience

This document provides a series of configuration activities whose cumulative effect is an improved security posture. It is intended for administrators and technicians familiar with Solaris 10 security configuration. Although the configuration activities will apply to most environments, there will be situations in which knowledgeable individuals must make important decisions about how to proceed. Examples include determining whether a configuration step may have an adverse impact on a given environment and determining whether a configured device is functioning normally. Please ensure that adequately trained system and security administrators are involved in all EC activities.
1.2. Quick Start Guide

This EC is intended for Solaris 10 servers (Note: While this EC is written for Solaris 10, most steps are also applicable to Solaris 9). There is a separate EC for Solaris 8 and earlier versions. This EC includes the following major steps: Disable unnecessary and/or dangerous network services. Provide a secure environment for programs to run.
2. Solaris 10 Essential Configuration

Sun Solaris is one of the few non-open-source UNIX-derived operating systems (OSs) on the market today. Solaris 10 (current as of this writing) is the ninth iteration of Suns SVR4-derived OS, and is the successor to its earlier BSD-derived SunOS.
2.1. Before You Begin

This document assumes the following about the Solaris server to be configured: Physical access to the system console is available. The OS has a minimum version of Solaris 9 (Note: While this EC is written for Solaris 10, most steps are also applicable to Solaris 9).
Before beginning, ensure that you have made backup copies of all important content and configuration information.
2.2. Applicable Essential Practices

Cybertrust has an essential practice requiring that critical devices be resistant to electronic attacks for which there are available defenses. In support of that essential practice, this EC presents a list of configuration steps for Solaris 10 that provides the minimum acceptable security posture for important systems. Certainly, there are more extreme configurations yielding a more secure system, and organizations should use their judgment to establish whether the additional effort is warranted (or even viable) for their particular needs.
2.3. Configuration Steps

These procedures apply to Solaris 10 systems. These procedures are intended for a Solaris server (e.g., a web server or domain name service server), as opposed to a development platform or personal productivity system. The administrator must have physical console access to and control of the target system and must have appropriate installation media. This document does not presume to be a replacement for the detailed information available in the system manual pages or the Sun Answerbooks, both of which are available as part of the manufacturers provided materials. Administrators with questions should take the time to read the pertinent manual pages and available documentation before making changes.
The administrator must be conversant with a text editor (such as vi) and must be capable of navigating around the file system and making modifications to configuration files. Some steps in this process may temporarily disable X-Windows and require the administrator to operate from a text-mode console. In actual deployment, the administrator should be aware of exactly which services on a system are intended for use, as opposed to those that were incidentally enabled as part of the system build. In addition, as with any significant configuration change, the user is advised to perform adequate backups before making any changes. As with most OS distributions, the default configuration for Solaris includes services that are unnecessary for most organizations. The approach taken in this document will be to disable everything (i.e., establish a default deny configuration) and then re-enable only those services that are essential to the specific application. Common Desktop Environment (CDE) is the default and current window management system supplied with Solaris. Unfortunately, from a security perspective, CDE depends on remote procedure call (RPC) services being active to function properly. Cybertrust considers disabling or restricting access to RPC an essential step in securing Solaris. Some Solaris RPC-based services have presented significant security issues, and barring an insurmountable business need, disabling those services is key. The general options for securing Solaris are as follows: Use no graphical user interface (GUI), and disable all services, possibly using Secure Shell (SSH) or X to a remote system. Block access to RPC and X.
If full-time CDE, Network File System (NFS), Network Information System (NIS), ToolTalk, or other RPCbased services are required for business reasons, use of an alternate access control mechanism, such as Sunscreen Lite or ipfilter, should be considered. Do not proceed with this configuration process if your business requirements include RPC-based services. The following steps implement the Solaris 10 EC: 1. Disable unnecessary services. Solaris 10 ships with a number of services that are on by default, but are not needed. A service that is not on cannot be exploited. Administrators should use their own judgment in turning services off, because doing so may reduce system functionality. Test all removed services to be sure that your applications do not depend on them. The chart below lists service names and their associated instances:
Service Rpcbind Secure RPC NIS server
Command to Stop It svcadm disable svc:/network/rpc/bind:default svcadm disable svc:/network/rpc/keyserv:default svcadm disable svc:/network/nis/server:default svcadm disable svc:/network/nis/passwd:default svcadm disable svc:/network/nis/updatedefault svcadm disable svc:/network/nis/xfrdefault
NIS client NIS+ Lightweight Directory Access Protocol (LDAP) cache manager Kerberos server
svcadm disable svc:/network/nis/client:default svcadm disable svc:/network/rpc/nisplus:default svcadm disable svc:/network/ldap/client:default
svcadm disable svc:/network/security/kadmin:default svcadm disable svc:/network/security/krb5kdc:default svcadm disable svc:/network/security/krb5_prop:default
Kerberos client Generic Security Service (GSS) GUI
svcadm disable svc:/network/security/ktkt_warn:default svcadm disable svc:/network/rpc/gss:default mv /etc/rc2.d/S99dtlogin /etc/rc2.d/.NOS99dtlogin 2>/dev/null svcadm disable svc:/network/rpc100083_1/rpc_tcp:default
Solaris Management Console Volume Manager
mv /etc/rc2.d/S90wbem /etc/rc2.d/.NOS90wbem 2> /dev/null mv /etc/rc2.d/S90webconsole /etc/rc2.d/.NOS90webconsole 2> /dev/null mv /etc/rc3.d/S81volmgt /etc/rc3.d/.NOS81volmgt 2> /dev/null svcadm disable svc:/network/rpc/smserver:default
Samba NFS server
mv /etc/rc3.d/S90samba /etc/rc3.d/.NOS90samba 2> /dev/null svcadm disable svc:/network/nfs/server:default svcadm disable svc:/network/nfs/cbd:default svcadm disable svc:/network/nfs/mapid:default
rquota NFS client
svcadm disable svc:/network/nfs/rquota:default svcadm disable svc:/network/client:default
Service NFS Client and Server
Command to Stop It svcadm disable svc:/network/nfs/status:default svcadm disable svc:/network/nfs/nlockmgr:default
Auto Mounter Telnet Server File Transfer Protocol (FTP) Server rlogin/rsh Servers
svcadm disable svc:/system/filesystem/autofs:default svcadm disable svc:/network/telnet:default svcadm disable svc:/network/ftp:default svcadm disable svc:/network/login:rlogin svcadm disable svc:/network/shell:deafult
Boot Services
svcadm disable svc:/network/rpc/bootparams:default svcadm disable svc:/network/rarp:default
Dynamic Host Configuration Protocol (DHCP) Server Domain Name System (DNS) Server (Trivial File Transfer Protocol) TFTP server Print Servers
svcadm disable svc:/network/dhcp-server:default svcadm disable svc:/network/dns/server:default svcadm disable svc:/network/tftp:default svcadm disable s svc:/application/print/cleanup:default svcadm disable svc:/application/print/server:default svcadm disable svc:/application/print/rfc1179:default
Web Servers
svcadm disable svc:/network/http:/apache2 mv /etc/rc3.d/S50apache /etc/rc3.d/.NOs50apache 2> /dev/null mv/etc/rc2.d/S42ncakmod /etc/rc2.d/.NOS42ncakmod 2> /dev/null mv /etc/rc2.d/S94ncalogd /etc/rc2.d/.NOS94ncalogd 2>/dev/null
Simple Network Management Protocol (SNMP) Server inetd Solaris Volume Manager services
mv /etc/rc3.d/S82initsma /etc/rc3.d/.NOS82initsma 2>/dev/null svcadm disable svc:/network/inetd:default svcadm disable svc:/system/metainit:default svcadm disable svc:/platform/sun4u/mpxioupgrade:default svcadm disable svc:/system/mdmonitor:default
Service Miscellaneous Services
Command To Stop It svcadm disable svc:/network/chargen:dgram svcadm disable svc:/network/chargen:stream svcadm disable svc:/network/daytime:dgram svcadm disable svc:/network/daytime:stream svcadm disable svc:/network/discard:dgram svcadm disable svc:/network/discard:stream svcadm disable svc:/network/echo:dgram svcadm disable svc:/network/echo:stream svcadm disable svc:/network/time:dgram svcadm disable svc:/network/time:stream svcadm disable svc:/network/rpc/rex:default svcadm disable svc:/network/rexec:default svcadm disable svc:/network/uucp:default svcadm disable svc:/network/comsat:default svcadm disable svc:/network/rpc/spray:default svcadm disable svc:/network/rpc/wall:default svcadm disable svc:/network/tname:default svcadm disable svc:/network/talk:default svcadm disable svc:/network/finger:default svcadm disable svc:/network/rpc/rstat:default svcadm disable svc:/network/rpc/ruser:default svcadm disable svc:/network/rpc/ocfserv:default svcadm disable svc:/network/login:eklogin svcadm disable svc:/network/login:klogin svcadm disable svc:/network/shell:kshell svcadm disable s svc:/system/power:default svcadm disable svc:/network/slp:default svcadm disable svc:/application/management/webmin:default svcadm disable svc:/system/consadm:default svcadm disable svc:/application/gdm2-login:default svcadm disable svc:/application//print/ipplistener:default svcadm disable s svc:/system/name-servicecache:default scvadm disable svc:/network/apocd/udp:default scvadm disable svc:/application/x11/xfs:default
Service Miscellaneous Services (continued)
Command To Stop It scvadm disable svc:/application/font/stfsloader:default scvadm disable svc:/network/rpc-100068_25/rpc_udp:default scvadm disable svc:/network/rpc100235_1/rpc_ticotsord:default mv /etc/rc2.d/S4011c2 /etc/rc2.d/.NOS4011c2 2> /dev/null mv /etc/rc2.d/S47pppd /etc/rc2.d/.NOS47pppd 2> /dev/null mv /etc/rc2.d/S70uucp /etc/rc2.d/.NOS70uucp 2> /dev/null mv /etc/rc2.d/S72autoinstall /etc/rc2.d/.NOS72autoinstall 2> /dev/null mv /etc/rc2.d/S73cachefs.daemon /etc/rc2.d/.NOS73cachefs.daemon 2> /dev/null mv /etc/rc2.d/S89bdconfig /etc/rc2.d/.NOS89bdconfig 2> /dev/null mv /etc/rc2.d/S89PRESERVE /etc/rc2.d/.NOS89PRESERVE 2> /dev/null mv /etc/rc2.d/S16boot.server /etc/rc2.d/.NOS16boot.server 2> /dev/null mv /etc/rc2.d/S52imq /etc/rc2.d/.NOS52imq 2> /dev/null mv /etc/rc2.d/S84appserv /etc/rc2.d/.NOS84appserv 2> /dev/null mv /etc/rc2.d/S75seaport /etc/rc2.d/.NOS75seaport 2> /dev/null mv /etc/rc2.d/S76snmpdx /etc/rc2.d/.NOS76snmpdx 2> /dev/null mv /etc/rc2.d/S77dmi /etc/rc2.d/.NOS77dmi 2> /dev/null mv /etc/rc2.d/S80mipagent /etc/rc2.d/.NOS80mipagent 2> /dev/null
2.
Create a protected core dump directory. Creating a directory that only root can see protects any information that might be contained in a core dump directory from a set userid (UID) or set grouprid (GID) process. Perform the following actions to create and isolate the new directory: mkdir p /var/core chown root:root /var/core chmod 700 /var/core coreadm g /var/core/core_%n_%f_%u_%g_%t_%p e log e global e global-setid d process d proc-setid
3.
Reset the Transmission Control Protocol (TCP) initial sequence number generation parameter. By truly randomizing the initial sequence number of TCP connections, you can better protect the system. vi /etc/default/inetinit Change the appropriate line to read: TCP_STRONG_ISS=2
4.
Modify the Internet Protocol (IP) module by adding these commands to one of your start-up scripts: vi /etc/init.d/netconfig a. Add the following lines:
### Set kernel parameters for /dev/ip /usr/sbin/ndd -set /dev/ip ip_respond_to_echo_broadcast 0 /usr/sbin/ndd -set /dev/ip ip_forward_directed_broadcasts 0 /usr/sbin/ndd -set /dev/ip ip_respond_to_timestamp 0 /usr/sbin/ndd -set /dev/ip ip_respond_to_timestamp_broadcast 0 /usr/sbin/ndd -set /dev/ip ip_forward_src_routed 0 /usr/sbin/ndd -set /dev/ip ip_ignore_redirect 1 /usr/sbin/ndd -set /dev/tcp tcp_rev_src_routes 0 /usr/sbin/ndd -set /dev/tcp tcp_conn_req_max_q 1024 /usr/sbin/ndd -set /dev/tcp tcp_conn_req_max_q0 4096 /usr/sbin/ndd -set /dev/arp arp_cleanup_interval 60000 b. Protect the administrative files: chown root:root /etc/init.d/netconfig chmod 744 /etc/init.d/netconfig 5. Capture syslog AUTH messages. Messages sent to the LOG_AUTH facility are normally not stored. To capture this information (including su attempts and log-in attempts), execute the following: if [ ! `grep v ^3 /etc/syslog.conf | grep /var/log/autholog ` ]; then echo auth.info\t\t\t/var/log/authlog >>/etc/syslog.conf fi logadm w authlog C 13 a pkill HUP syslogd /var/log/authlog 6. Capture failed log-ins. Log-in failures for regular accounts are normally not captured. The following process will allow you to review any potential break-in attempts: touch /var/adm/loginlog chown root:sys /var/adm/loginlog chmod 600 /var/adm/loginlog cd /etc/default awk /SYSLOG_FAILED_LOGINS=/ { $1 = Syslog_FAILED_LOGINS=0 }; {print } login > login.new mv login.net login pkgchk f n p /etc/default/login
logadm w connlog C 13 /var/adm/loginlog 7. Log all cron jobs. By logging cron job execution, you can better monitor the automatic processes that are running on your server. a. b. Edit the /etc/default/cron file. Change the appropriate line to read: CRON LOG=YES c. d. Save and close. Confirm that the change worked by using the following: pkgchk f n p /etc/default/cron 8. Check system file permissions. Confirm that all the essential system files are editable only by root by running the following commands: pkgchk f n p /var/log/syslog pkgchk f n p /var/log/authlog pkgchk f n p /var/adm/utmpx pkgchk f n p /var/adm/wtmpx chown root:sys /var/adm/loginlog chown root:root /var/cron /log /var/adm/messages /var/log/connlog chmod go-wx /var/adm/messages chmod go-rwk /var/adm/loginlog /car/cron /log /var/log/connlog chown sys:sys /var/adm/sa/* chmod go-wx /var/adm/sa/* dir =`ask F: ($1 == dir) { print $2} /etc/security/auditcontrol` chown root:root $dir/* chmod go-rwx $dir/* 9. Set the daemon umask. Resetting the umask prevents any daemons that are running from creating world readable files. a. Run the following command: vi /etc/default/init b. Change the appropriate line to read: UMASK=022 c. d. Save and close. Confirm that the change worked by using the following: pkgchk f n p /etc/default/init
10. Confirm ownership of other essential system files. Make sure that each file is owned by root. Run the following commands: pkgchk f n p /etc/passwd pkgchk f n p /etc/shadow pkgchk f n p /etc/group 11. Remove files and directories that have no owner. Removing users can sometimes leave files behind that now belong to no one, which presents a security risk. These files should be chowned or deleted. To detect these files, run the following command: find / $ -nouser -o -nogroup $ print 12. Tighten the SSH client configuration. By adjusting some of the configuration parameters of your SSH client, you can better protect your remote communications by making them more secure. Run the following commands: cd /etc/sssh cat <<EOCliConfig >> ssh_config Host * Protocol 2 EOCliConfig awk /^Protocol/ { $2 = 2}; \ /^X11Forwarding { $2 = yes} ; \ /^MaxAuthTries/ { $2 = 5 }; \ /^IgnoreRhosts/ { $2 = 0 }; \ /^RhostsAuthentication/ { $2 = no } ; \ /^RhostsRSAAuthentication/ { $2 = yes } ; \ /^PermitRootLogin/ { $2 = no } ; \ /^PermitEmptyPasswords/ { $2 = no } ; \ /^#Banner/ { $2 = Banner } ; \ { print } sshd_config > sshd_config.new mv sshd_config.new sshd.config pkgchk f n p /etc/ssh/sshd_config 13. Enable the screen saver with a password. Forcing the screen saver to come on prevents the casual observer from sitting down at an open terminal. Run the following commands: for file in /usr/dt/config/*/sys.resources; do dir=`dirname $file | sed s/usr/etc/` mkdir p $dir echo dtsession*saveTimeout: 10 >> $dir/sys.resources echo dtsession*lockTimeout: 10 >> $dir/sys.resources chown root:sys $dir /sys.resources chmod 444 $dir/sys.resources done cd /usr/openwin/lib/app-defaults
awk /^\*timeout:/ { $2 = :0:10:00 } /^\*lockTimeout:/ { $2 = 0:00:00 } /^\*lock:/ { $2 = True } {print } XScreenSaver >XScreenSaver.new mv XScreenSaver.new XScreenSaver pkgchk f n p /usr/openwin/lib/app-defaults/XScreenSaver 14. Make sure that all accounts have non-null passwords. To detect the number of accounts with empty passwords, run the following command: logins p
2.4. Synergistic Controls

Note that an essentially configured application or operating system cannot protect itself from all attacks. It continues to rely on the various physical, administrative, and network-level controls that form the overall organizational security architecture.
2.5. References and Related Documentation

For more information on Solaris 10 security issues, see: Solaris 10. http://www.sun.com/software/solaris/security.jsp. Sun Solaris Benchmarks. Center for Internet Security. August 2005: http://www.cisecurity.org/bench_solaris.html.
3. Frequently Asked Questions

Q: What if I dont need a GUI on my system? A: At install time, you might try the base configuration install, which does not include any window managers. The base configuration still installs a large number of (generally) unnecessary services, so the procedure listed here is still useful in locking down the system. Lance Spitzners paper on JASS includes a lot of useful information on installing/removing specific packages as required for security reasons. A: If you are planning on using SSH for remote management of the Solaris system, you may want to install the X components anyway, but disable the GUI startup. SSH allows the local X tools (such as xterms and file managers) to be used over an encrypted link from a remote station. Q: After completing this procedure, my system did not function as it did before. How do I restore it? A: The instructions were very specific about making copies of modified configuration files. Copying each backup version to its original location/name, and mving the saved rc files back to their original directories and restoring the original inittab values will restore the original configuration. Q: While trying to determine exactly what services I needed to start to make my application function, the CDE GUI became unstable and now goes blank after I sign on. How do I sign on to fix it? A: One of the options from the GUI sign-on screen is to do a command line login or a failsafe login. Either of these options will allow you to sign on to a system that has a broken window manager. Another (more serious) option is to boot the system to single user mode or to run-level 1, which will not initialize the graphical log on environment.

Solaris 10

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Solaris 10

Uploaded by

Copyright:

Available Formats

Cybertrust Essential Security Configuration for Solaris 10

Cybertrust Essential Security Configuration for Solaris 10 | Page i

Cybertrust Essential Security Configuration for Solaris 10 | Page ii

Cybertrust Essential Security Configuration for Solaris 10 | Page 1

1.1. Intended Audience

Cybertrust Essential Security Configuration for Solaris 10 | Page 2

1.2. Quick Start Guide

2. Solaris 10 Essential Configuration

2.1. Before You Begin

2.2. Applicable Essential Practices

2.3. Configuration Steps

Cybertrust Essential Security Configuration for Solaris 10 | Page 3

Cybertrust Essential Security Configuration for Solaris 10 | Page 4

Service Rpcbind Secure RPC NIS server

svcadm disable svc:/network/nis/client:default svcadm disable svc:/network/rpc/nisplus:default svcadm disable svc:/network/ldap/client:default

svcadm disable svc:/network/security/kadmin:default svcadm disable svc:/network/security/krb5kdc:default svcadm disable svc:/network/security/krb5_prop:default

Kerberos client Generic Security Service (GSS) GUI

Solaris Management Console Volume Manager

Samba NFS server

rquota NFS client

svcadm disable svc:/network/nfs/rquota:default svcadm disable svc:/network/client:default

Cybertrust Essential Security Configuration for Solaris 10 | Page 5

Service NFS Client and Server

Command to Stop It svcadm disable svc:/network/nfs/status:default svcadm disable svc:/network/nfs/nlockmgr:default

svcadm disable svc:/network/rpc/bootparams:default svcadm disable svc:/network/rarp:default

Cybertrust Essential Security Configuration for Solaris 10 | Page 6

Service Miscellaneous Services

Cybertrust Essential Security Configuration for Solaris 10 | Page 7

Service Miscellaneous Services (continued)

Cybertrust Essential Security Configuration for Solaris 10 | Page 8

Cybertrust Essential Security Configuration for Solaris 10 | Page 9

Cybertrust Essential Security Configuration for Solaris 10 | Page 10

Cybertrust Essential Security Configuration for Solaris 10 | Page 11

2.4. Synergistic Controls

2.5. References and Related Documentation

Cybertrust Essential Security Configuration for Solaris 10 | Page 12

3. Frequently Asked Questions

You might also like