Version 1.4
1/5/2004

Securing a Solaris Server - Remove the Solaris Installation Leftovers

  1. Introduction
  2. History of this Web Page
  3. Overview
  4. Network Topology
  5. System Hardware Configuration
  6. Initial Installation
  7. Minimizing Solaris
  8. Minimizing Network Services
  9. Remove the Solaris Installation Leftovers
  10. Install Necessary Third Party Packages
  11. Close the Doors
  12. Obscure the Tracks
  13. Post the Warnings
  14. Perform System Backups
  15. Watch for Changes
  16. Sources of Tools
  17. Bibliography


9. Remove the Solaris Installation Leftovers

Much of the information for this section came from a security benchmark by the Center for Internet Security (6).

When the Solaris installation is performed, a significant amount of unnecessary material is left behind. It should be cleaned up, to reduce the opportunities for unauthorized system access.

Remove reconfiguration scripts.
Three configuration scripts are left behind. Their purpose is to allow simple reconfiguration, if necessary. The bad news is that these scripts can be triggered just by the creation of a file, and many exploits will allow the creation of such a file. As a result, the next time the system is rebooted, the startup will be delayed while the reconfiguration scripts run and wait for input. Also, when they run, they may destroy some of the previously entered configuration information.

The following commands will keep the system installation configuration scripts from being run at boot time. (NOTE: the sequence numbers may not be 30, 71 and 72; please check first with ls /etc/rc2.d/S*sysid.net /etc/rc2.d/S*sysid.sys /etc/rc2.d/S*autoinstall.)

mv /etc/rc2.d/S30sysid.net /etc/rc2.d/_S30sysid.net
mv /etc/rc2.d/S71sysid.sys /etc/rc2.d/_S71sysid.sys
mv /etc/rc2.d/S72autoinstall /etc/rc2.d/_S72autoinstall

Remove unneeded accounts
Remove any unnecessary accounts from the system. Usually, this will include listen, nobody4, nuucp, smtp and uucp. The command to do this is passmgmt -d ACCOUNT.

Lock system accounts
Any non-root system accounts (UID < 100) should be locked, so that they can't be used as login accounts. The command to do this is passwd -l ACCOUNT. The login shell should also be changed on these accounts. The most secure login shell I know of is /dev/null, but some IDSs use a special shell to warn of intrusion attempts. The command to change the login shell is passwd -e ACCOUNT.

Set directories for NULL accounts
The accounts nobody, noaccess and nobody4 should have their login directories changed to /dev/null. The command to change the login directory is passmgmt -m -h /dev/null ACCOUNT. The login shell for these accounts should also be changed, as above.
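The three account steps above (remove the leftover accounts, lock non-root accounts with UID below 100 and give them a /dev/null shell, point the NULL accounts' home directories at /dev/null) are easy to verify after the fact. The following Bourne shell audit is an added example, not part of the original page or of any Solaris tool. It takes the passwd and shadow file paths as parameters so it can be run against copies, and it assumes the Solaris convention that passwd -l writes *LK* into the shadow password field; the function names and the "reason" output format are the example's own.

```shell
#!/bin/sh
# Added example (not from the original page): audit a Solaris-style
# /etc/passwd and /etc/shadow pair for the conditions this section describes.
# File paths are parameters so the checks can be run against copies; on a
# live system they are /etc/passwd and /etc/shadow.
# Assumption: Solaris "passwd -l" writes *LK* into the shadow password field,
# and a login shell of /dev/null is treated as "no login" (the page's choice).

# report TEXT
#   Prints TEXT (one finding per line) and returns 1, or returns 0 when
#   TEXT is empty, so every check below is "0 = clean, 1 = findings".
report() {
    [ -z "$1" ] && return 0
    printf '%s\n' "$1"
    return 1
}

# unlocked_system_accounts PASSWD SHADOW
#   Reports every account with UID < 100 other than root that is not
#   locked with *LK* in SHADOW, or whose login shell is not /dev/null.
unlocked_system_accounts() {
    out=$(awk -F: '
        # First file (shadow): remember the password field per account.
        FILENAME == ARGV[1] { pw[$1] = $2; next }
        # Second file (passwd): fields are name:pw:uid:gid:gecos:home:shell.
        NF < 7 { next }
        $3 + 0 < 100 && $1 != "root" {
            if (!($1 in pw) || pw[$1] !~ /^\*LK\*/) print $1 " not-locked"
            if ($7 != "/dev/null") print $1 " shell=" ($7 == "" ? "(empty)" : $7)
        }
    ' "$2" "$1")
    report "$out"
}

# leftover_accounts PASSWD
#   Reports any of the accounts the page says to remove that still exist.
leftover_accounts() {
    out=$(awk -F: '
        BEGIN { split("listen nobody4 nuucp smtp uucp", a, " "); for (i in a) gone[a[i]] = 1 }
        ($1 in gone) { print $1 " still-present" }
    ' "$1")
    report "$out"
}

# null_account_homes PASSWD
#   Reports nobody, noaccess and nobody4 whose home directory is not /dev/null.
null_account_homes() {
    out=$(awk -F: '
        $1 == "nobody" || $1 == "noaccess" || $1 == "nobody4" {
            if ($6 != "/dev/null") print $1 " home=" $6
        }
    ' "$1")
    report "$out"
}

# Usage on a live system, e.g.:
#   unlocked_system_accounts /etc/passwd /etc/shadow
#   leftover_accounts /etc/passwd
#   null_account_homes /etc/passwd
# Each prints nothing and exits 0 when the corresponding step has been done.
if [ "$#" -ge 2 ]; then
    unlocked_system_accounts "$1" "$2"
    leftover_accounts "$1"
    null_account_homes "$1"
fi
```

The shadow file is read first so the passwd pass can look up each account's lock state; a shadow entry of NP (no password) is deliberately not treated as locked, since it does not carry the *LK* marker that passwd -l sets.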

Adjust /etc/inittab for system console
As distributed, the /etc/inittab file allows logins from both the console and the serial ports. This should be changed to allow logins on only one of these. If the keyboard is in use, then the serial ports should be disabled by commenting out the line containing /usr/lib/saf/sac. If a serial console is in use, then the keyboard should be disabled by commenting out the line containing /usr/lib/saf/ttymon.

Remove cachefs startup
In most servers, there is no need for the cachefs daemon. If this is the case, the startup scripts should be disabled. This can be done with the following commands. (NOTE: the sequence numbers may not be 73 and 93; please check first with ls /etc/rc2.d/S*cachefs.daemon and ls /etc/rc2.d/S*cacheos.finish.)

mv /etc/rc2.d/S73cachefs.daemon /etc/rc2.d/_S73cachefs.daemon
mv /etc/rc2.d/S93cacheos.finish /etc/rc2.d/_S93cacheos.finish

Remove preservation of editor sessions
When the system is taken down (or crashes) and an editor (vi) session is active, the keystroke file is left behind. The startup script /etc/rc2.d/S80PRESERVE copies these keystroke files to the /usr/preserve directory, and sends E-mail to the users whose sessions were saved, informing them of the procedure to recover their sessions.

On most servers, there will be little editing, and this step in the startup procedure need not be done. The following command will disable the saving of keystroke files during startup. (NOTE: the sequence number may not be 80; please check first with ls /etc/rc2.d/S*PRESERVE.)

mv /etc/rc2.d/S80PRESERVE /etc/rc2.d/_S80PRESERVE
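The rc2.d steps above (sysid.net, sysid.sys, autoinstall, cachefs.daemon, cacheos.finish and PRESERVE) all follow the same pattern: find the script by name because its sequence number may differ, then rename it with a leading underscore so init ignores it. The /etc/inittab step does the same thing by commenting out a line. The Bourne shell functions below are an added example, not code from the original page or from Sun; they take the directory or file to edit as a parameter so they can be tried on a scratch copy before being pointed at /etc/rc2.d or /etc/inittab, and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original page): disable Solaris rc2.d start
# scripts by renaming them with a leading underscore (the page's convention)
# after locating them by pattern, and comment out an /etc/inittab entry by
# program path. Paths are parameters so the functions can be exercised on a
# scratch directory; on a live system they are /etc/rc2.d and /etc/inittab.

# disable_rc_script RC_DIR SUFFIX
#   Renames every RC_DIR/S<nn>SUFFIX to RC_DIR/_S<nn>SUFFIX.
#   Returns 0 if at least one script was disabled, 1 if none matched
#   (already disabled, or not present on this release).
disable_rc_script() {
    rc_dir=$1
    suffix=$2
    found=0
    for script in "$rc_dir"/S[0-9][0-9]"$suffix"; do
        # An unmatched glob is returned literally; skip it.
        [ -e "$script" ] || continue
        name=${script##*/}
        mv "$script" "$rc_dir/_$name" && found=1
    done
    [ "$found" -eq 1 ]
}

# list_rc_state RC_DIR
#   Prints "enabled NAME" or "disabled NAME" for each installation-leftover
#   script named in this section, so the result can be reviewed afterwards.
list_rc_state() {
    rc_dir=$1
    for suffix in sysid.net sysid.sys autoinstall cachefs.daemon cacheos.finish PRESERVE; do
        for script in "$rc_dir"/S[0-9][0-9]"$suffix" "$rc_dir"/_S[0-9][0-9]"$suffix"; do
            [ -e "$script" ] || continue
            name=${script##*/}
            case $name in
                _*) echo "disabled $name" ;;
                *)  echo "enabled $name" ;;
            esac
        done
    done
}

# comment_inittab_entry INITTAB PROGRAM
#   Comments out every active INITTAB line whose process field starts with
#   PROGRAM (e.g. /usr/lib/saf/sac or /usr/lib/saf/ttymon). Writes a new
#   copy and moves it into place only if something changed; returns 1 if
#   no line matched. inittab(4) fields are id:rstate:action:process; the
#   process field may itself contain colons, which is why only its start
#   is compared.
comment_inittab_entry() {
    inittab=$1
    program=$2
    newfile="$inittab.new"
    if awk -F: -v prog="$program" '
        /^#/ { print; next }
        index($4, prog) == 1 { print "#" $0; changed = 1; next }
        { print }
        END { exit changed ? 0 : 1 }
    ' "$inittab" > "$newfile"; then
        mv "$newfile" "$inittab"
    else
        rm -f "$newfile"
        return 1
    fi
}

# Usage on a live system (as root), e.g.:
#   for s in sysid.net sysid.sys autoinstall cachefs.daemon cacheos.finish PRESERVE; do
#       disable_rc_script /etc/rc2.d "$s" || echo "nothing to disable for $s"
#   done
#   list_rc_state /etc/rc2.d
#   comment_inittab_entry /etc/inittab /usr/lib/saf/sac   # keyboard console in use
if [ "$#" -ge 2 ]; then
    disable_rc_script "$1" "$2" || echo "nothing to disable for $2 in $1"
    list_rc_state "$1"
fi
```

Because the glob only matches names beginning with S and two digits, running disable_rc_script a second time finds nothing and returns 1 rather than renaming an already-disabled _S file again, and list_rc_state shows both states so a reboot is not needed to confirm what init will run.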


If you have any comments or suggestions, please E-mail webmaster@accs.com

© 2004 - Ashford Computer Consulting Service