9. Remove the Solaris Installation Leftovers
Much of the information for this section came from a security benchmark by the
Center for Internet Security (6).
A Solaris installation leaves behind a significant amount of unnecessary
material, which should be cleaned up to reduce the opportunities for unauthorized
system access.
- Remove reconfiguration scripts.
- Three configuration scripts are left behind. Their purpose is to allow simple
reconfiguration, if necessary. The bad news is that these scripts can be
triggered just by the creation of a file, and many exploits will allow the
creation of such a file. As a result, the next time the system is rebooted,
startup is delayed while the reconfiguration scripts run and wait for input.
When they run, they may also destroy some of the previously entered
configuration information.
The following commands keep the system installation configuration scripts from
being run at boot time (NOTE: the sequence numbers may not be 30, 71 and 72;
check first with ls /etc/rc2.d/S*sysid.net /etc/rc2.d/S*sysid.sys
/etc/rc2.d/S*autoinstall):
mv /etc/rc2.d/S30sysid.net /etc/rc2.d/_S30sysid.net
mv /etc/rc2.d/S71sysid.sys /etc/rc2.d/_S71sysid.sys
mv /etc/rc2.d/S72autoinstall /etc/rc2.d/_S72autoinstall
- Remove unneeded accounts
- Remove any unnecessary accounts from the system. Usually, this will include
listen, nobody4, nuucp, smtp and uucp.
The command to do this is passmgmt -d ACCOUNT.
- Lock system accounts
- Any non-root system accounts (UID < 100) should be locked, so that they
can't be used as login accounts. The command to do this is passwd -l ACCOUNT.
The login shell should also be changed on these accounts. The most
secure login shell I know of is /dev/null, but some IDSs use a special
shell to warn of intrusion attempts. The command to change the login shell
is passwd -e ACCOUNT.
- Set directories for NULL accounts
- The accounts nobody, noaccess and nobody4 should
have their login directories changed to /dev/null. The command to
change the login directory is passmgmt -m -h /dev/null ACCOUNT.
The login shell for these accounts should also be changed, as above.
- Adjust /etc/inittab for system console
- As distributed, the /etc/inittab file allows logins from both
the console and the serial ports. This should be changed to allow logins on
only one of these. If the keyboard is in use, then the serial ports should
be disabled by commenting out the line containing /usr/lib/saf/sac.
If a serial console is in use, then the keyboard should be disabled by commenting
out the line containing /usr/lib/saf/ttymon.
- Remove cachefs startup
- On most servers, there is no need for the cachefs daemon. If this is the
case, the startup script should be disabled. This can be done with the
following commands (NOTE: the numbers may not be 73 and 93; check first
with ls /etc/rc2.d/S*cachefs.daemon and ls /etc/rc2.d/S*cacheos.finish):
mv /etc/rc2.d/S73cachefs.daemon /etc/rc2.d/_S73cachefs.daemon
mv /etc/rc2.d/S93cacheos.finish /etc/rc2.d/_S93cacheos.finish
- Remove preservation of editor sessions
- When the system is taken down (or crashes) and an editor (vi)
session is active, the keystroke file is left behind. The startup script /etc/rc2.d/S80PRESERVE
copies these keystroke files to the /usr/preserve directory, and
sends E-mail to the users whose sessions were saved, informing them of the
procedure to recover their sessions.
On most servers, there will be little editing, and this step in the startup
procedure need not be done. The following commands will disable the saving
of keystroke files during startup: (NOTE: number may not be 80; please check
first with ls /etc/rc2.d/S*PRESERVE):
mv /etc/rc2.d/S80PRESERVE /etc/rc2.d/_S80PRESERVE
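The following Bourne shell script is an added example, not code from this guide or from the CIS benchmark: it performs the mv commands of this section for all of the leftover rc2.d scripts named above in one pass, matching the sequence number with a glob so the checks in the NOTEs happen automatically, and refuses to overwrite a _S file that already exists. The rc directory is passed as a parameter (an assumption, so the functions can be tried on a copy first); on a live system the target is /etc/rc2.d.

```shell
#!/bin/sh
# Added example (not from the benchmark or this guide): disable the leftover
# startup scripts named in this section by renaming S<nn><name> to _S<nn><name>,
# exactly as the mv commands above do. The sequence number is matched with a
# glob, so the "numbers may differ" notes above are handled without a manual ls.
# The rc directory is a parameter so the functions can be tried on a copy first.

# Scripts this section says to disable (keep in sync with the text).
LEFTOVER_SCRIPTS="sysid.net sysid.sys autoinstall cachefs.daemon cacheos.finish PRESERVE"

# count_enabled RCDIR: print how many of the leftover scripts are still active.
count_enabled() {
    rcdir=$1
    n=0
    for name in $LEFTOVER_SCRIPTS; do
        for script in "$rcdir"/S[0-9][0-9]"$name"; do
            # An unmatched glob is returned literally; -e filters it out.
            [ -e "$script" ] && n=$((n + 1))
        done
    done
    echo "$n"
}

# disable_leftovers RCDIR: rename each active leftover script so rc2 skips it.
# Returns 0 when every script is disabled afterwards, 1 if any rename failed.
disable_leftovers() {
    rcdir=$1
    rc=0
    for name in $LEFTOVER_SCRIPTS; do
        for script in "$rcdir"/S[0-9][0-9]"$name"; do
            [ -e "$script" ] || continue
            base=$(basename "$script")
            if [ -e "$rcdir/_$base" ]; then
                echo "refusing to overwrite existing $rcdir/_$base" >&2
                rc=1
            elif mv "$script" "$rcdir/_$base"; then
                echo "disabled: $base -> _$base"
            else
                echo "rename failed: $base" >&2
                rc=1
            fi
        done
    done
    return $rc
}

# On a live system, as root (edits /etc/rc2.d in place):
#   disable_leftovers /etc/rc2.d && echo "still enabled: $(count_enabled /etc/rc2.d)"
```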