Version 1.4
1/5/2004

Securing a Solaris Server - Close the Doors

  1. Introduction
  2. History of this Web Page
  3. Overview
  4. Network Topology
  5. System Hardware Configuration
  6. Initial Installation
  7. Minimizing Solaris
  8. Minimizing Network Services
  9. Remove the Solaris Installation Leftovers
  10. Install Necessary Third Party Packages
  11. Close the Doors
  12. Obscure the Tracks
  13. Post the Warnings
  14. Perform System Backups
  15. Watch for Changes
  16. Sources of Tools
  17. Bibliography

---------------


11. Close the Doors

Many of the items in this section came from two papers by Alex Noordergraaf and Keith Watson (7 and 8), and a document from SUN (9). There is also information here from a web page by Lance Spitzner (3).

Add administrative group
Add the group wheel (or some similar name) to the /etc/group file, making sure that the GID is unique. This will be the group that can perform privileged functions.

Create Administrator Login
Create the login account for the primary administrator. This is not root, but the user that will log in, then su as necessary. Use the useradd command with the -d and -m options to do this. This user should be a member of the administrative group (wheel). Please remember to set a password immediately.

Check setuid files
Check for setuid files, and modify them, as appropriate. The command to check for these files is:
find / -local -type f -perm -4000 -exec ls -ld {} \;
Some files must be left unchanged (/usr/bin/login, /usr/bin/passwd). Other files may have their group set to the administrative group (wheel), and have their modes changed to 4750 (/usr/sbin/ping, /usr/sbin/traceroute). Still others may be removed. NOTE: A server should be checked for setuid files after patches are updated, and after third-party packages (source or binary) are installed.

The setuid files found on my system, and the action performed on each, are as follows:

/bin/su                      set administrative group
/sbin/su.static              set administrative group
/usr/bin/at                  set administrative group (1)
/usr/bin/atq                 set administrative group (1)
/usr/bin/atrm                set administrative group (1)
/usr/bin/crontab             set administrative group (1)
/usr/bin/eject               set administrative group
/usr/bin/fdformat            set administrative group
/usr/bin/login               leave alone
/usr/bin/newgrp              leave alone
/usr/bin/passwd              leave alone
/usr/bin/pfexec              set administrative group (1)
/usr/bin/rcp                 set administrative group (1)
/usr/bin/rdist               set administrative group
/usr/bin/rlogin              set administrative group (1)
/usr/bin/rsh                 set administrative group (1)
/usr/bin/i86/ps              leave alone (3)
/usr/bin/i86/uptime          leave alone (3)
/usr/bin/i86/w               leave alone (3)
/usr/bin/su                  set administrative group
/usr/bin/tip                 set administrative group (4)
/usr/bin/yppasswd            remove (2)
/usr/lib/acct/accton         set administrative group
/usr/lib/fs/ufs/quota        leave alone (4)
/usr/lib/fs/ufs/ufsdump      set 555 mode
/usr/lib/fs/ufs/ufsrestore   set 555 mode
/usr/lib/pt_chmod            leave alone
/usr/lib/sendmail            leave alone
/usr/lib/utmp_update         leave alone
/usr/local/bin/lpq           leave alone
/usr/local/bin/lprm          leave alone
/usr/local/bin/lpr           leave alone
/usr/local/bin/lpstat        leave alone
/usr/local/bin/ssh1          leave alone
/usr/local/bin/ssh-signer2   leave alone
/usr/local/sbin/lpc          leave alone
/usr/sbin/allocate           leave alone (4)
/usr/sbin/deallocate         leave alone (4)
/usr/sbin/list_devices       leave alone (4)
/usr/sbin/mkdevalloc         leave alone (4)
/usr/sbin/mkdevmaps          leave alone (4)
/usr/sbin/ping               set administrative group
/usr/sbin/sacadm             set administrative group
/usr/sbin/i86/whodo          leave alone (3)
/usr/sbin/traceroute         set administrative group
Note 1: For these commands, it might be preferable to create another group (the privileged group), similar to the administrative group, but with more members. The members of the administrative group should also be members of this group.

Note 2: For some reason, SUN leaves this link to /bin/passwd around, even after all the NIS packages have been removed. If NIS isn't being used, this link should be removed.

Note 3: These commands are architecture specific. The SPARC versions for a SPARCstation LX are:

/usr/bin/sparcv7/ps
/usr/bin/sparcv7/uptime
/usr/bin/sparcv7/w
/usr/sbin/sparcv7/whodo

Note 4: For these commands, it might be preferable to place them into a privileged group (see Note 1) and change their mode to 4750, or remove them.

Check setgid files
Check for setgid files, and modify them, as appropriate. The command to check for these files is:
find / -local -type f -perm -2000 -exec ls -ld {} \;
NOTE: A server should be checked for setgid files after patches are updated, and after third-party packages (source or binary) are installed.

The setgid files found on my system, and the action performed on each, are as follows:

/usr/bin/mail                     leave alone
/usr/bin/mailx                    leave alone
/usr/bin/netstat                  leave alone
/usr/bin/passwd                   leave alone
/usr/bin/write                    leave alone
/usr/bin/yppasswd                 remove
/usr/platform/i86pc/sbin/eeprom   set 2550 mode (1)
/usr/sbin/i86/prtconf             set 2550 mode (1)
/usr/sbin/i86/swap                set 2550 mode (1)
/usr/sbin/i86/sysdef              set 2550 mode (1)
/usr/sbin/wall                    set 2550 mode
/usr/xpg4/bin/i86/ipcs            set 2550 mode (1)
Note 1: These commands are architecture specific. The SPARC versions for a SPARCstation LX are:
/usr/platform/sun4m/sbin/eeprom
/usr/sbin/sparcv7/prtconf
/usr/sbin/sparcv7/swap
/usr/sbin/sparcv7/sysdef
/usr/xpg4/bin/sparcv7/ipcs

Check for world writable files and directories
Check for world writable files and directories, and modify them, as appropriate. The command to check for these files is:
find / -local -perm -2 \! -type l -exec ls -ld {} \;
NOTE: A server should be checked for world writable files and directories after patches are updated, and after third-party packages (source or binary) are installed.

The world writable files and directories found on my system, and the action performed on each, are as follows:

/var/sadm/install/.pkg.lock   set 644 mode
/var/adm/spellhist            leave alone, or remove
/var/mail                     leave alone on mail server;
                              otherwise remove
/var/preserve                 remove
/var/spool/pkg                set 750 mode
/var/tmp                      set 1755 mode
/tmp                          set 1755 mode
/tmp/.s.PGSQL.5432            leave alone (used by DBMS)

In addition to the above files, there were many device nodes (under /dev and /devices). These are either protected by the device driver, or are not in need of protection (e.g. /dev/null).
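The three find commands above give a one-time snapshot; the re-check they ask for after patching or installing packages is easier when the snapshot is kept as a baseline and later runs are diffed against it. The script below is an added example, not part of the original page: it assumes POSIX sh with find, ls, awk, sort and diff, and replaces the Solaris-only -local option with -xdev so it also runs on other Unix systems.

```shell
#!/bin/sh
# Added example, not part of the original page: keep a baseline of the setuid,
# setgid and world-writable files under ROOT and diff later runs against it, so
# the re-check recommended after patching or installing packages is mechanical.
# Assumes POSIX sh, find, ls, awk, sort and diff. The Solaris-only "-local"
# option is replaced by "-xdev" so the script also runs on other Unix systems.
# Paths containing spaces are not handled (system binaries do not have them).

# privileged_files ROOT: print "mode owner group path" for each regular file that
# is setuid or setgid and each world-writable non-symlink, sorted for stable diffs.
privileged_files() {
    find "$1" -xdev \( \( -type f \( -perm -4000 -o -perm -2000 \) \) \
                       -o \( \! -type l -perm -2 \) \) \
        -exec ls -ld {} \; 2>/dev/null |
        awk '{ print $1, $3, $4, $NF }' | sort
}

# save_baseline ROOT FILE: record the current state, e.g. right after hardening.
save_baseline() {
    privileged_files "$1" > "$2"
}

# audit_against_baseline ROOT FILE: print "+ entry" for privileged files that
# appeared (or changed mode/owner) since the baseline and "- entry" for entries
# that disappeared or changed. Returns 0 when nothing changed, 1 otherwise.
audit_against_baseline() {
    changes=$(privileged_files "$1" | diff "$2" - | grep '^[<>]' |
              sed 's/^</-/; s/^>/+/')
    [ -z "$changes" ] && return 0
    printf '%s\n' "$changes"
    return 1
}

# Usage: sh audit_privfiles.sh save|check ROOT BASELINE
case "${1:-}" in
    save)  save_baseline "$2" "$3" ;;
    check) audit_against_baseline "$2" "$3" ;;
esac
```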

Check permissions on /tmp and /var/tmp
The permissions on /tmp and /var/tmp should be set, both before and after the file-system mounts are performed. This can be done by entering the following commands:
echo '#! /bin/sh' > /etc/rc2.d/S00setmodes
echo '' >> /etc/rc2.d/S00setmodes
echo 'chmod 1755 /tmp' >> /etc/rc2.d/S00setmodes
echo 'chmod 1755 /var/tmp' >> /etc/rc2.d/S00setmodes
chmod 744 /etc/rc2.d/S00setmodes
ln /etc/rc2.d/S00setmodes /etc/rc2.d/S02setmodes

Set permissions on /etc/security
Change the mode of the /etc/security directory to 750.

Lock down remote commands
The files /etc/hosts.equiv, /.rhosts and /.netrc should be removed, then recreated as empty files (touch) with mode 0 (chmod 0). Doing so will lock out the remote commands for root. Some people suggest that these files simply be removed. I feel that it's easier for an intruder to create a file than it is for them to remove, then create a file.

Other people suggest that empty (mode=0, owner=root) directories be placed here. Using directories, instead of empty files, adds a minor improvement in security, but at an increase in potential confusion.

Disable rhost authentication
In the file /etc/pam.conf, comment out all lines that contain pam_rhosts_auth. If the remote commands (rlogin, rexec, rcp and rsh) have been left in the /etc/inetd.conf file, they will require passwords.

Disable dialup authentication
In the file /etc/pam.conf, comment out all lines that contain pam_dial_auth. If the system has modems connected, do not do this.

Lock down cron and at commands
The cron and at commands should be locked down, so that only those users who have a need of them will be allowed to use them. To lock these commands down, the /etc/cron.d/cron.allow and the /usr/lib/cron/at.allow files will need to be modified. The following commands will initialize these files for minimal usage:
echo 'root' > /etc/cron.d/cron.allow
echo '' > /usr/lib/cron/at.allow
chmod 644 /etc/cron.d/cron.allow /usr/lib/cron/at.allow

If a user needs access to either the cron or at command, their login should be added to the appropriate file.

Enable cron logging
Enable cron logging of executed commands by adding the following line to the /etc/default/cron file.
CRONLOG=YES

Disable execution of stack
Add the following two lines to the /etc/system file, to disallow execution of instructions in the stack. On 32-bit architectures, this should not be done if debuggers are to be used on the system, as it breaks them. This is not usually a problem on servers. Also, on x86 architectures, these two lines don't do anything.

The reason for adding these settings is that many buffer overflow problems are related to execution of code on the stack. Although it is possible to exploit a buffer overflow with these settings, it is much more difficult.

set noexec_user_stack=1
set noexec_user_stack_log=1

Ignore NFS requests from non-privileged ports
Add the following line to the /etc/system file to cause NFS to ignore requests originating on non-privileged ports (over 1024). This change should be made, even if NFS has been disabled.
set nfssrv:nfs_portmon=1

Inhibit core dumps
Add the following line to the /etc/system file to keep core files from being generated.
set sys:coredumpsize=0

System crash dumps
System crash dumps can be both good and bad. They can be bad, as they introduce the ability for an experienced Solaris person to extract passwords, or other critical information. On the other hand, they are very helpful for solving problems related to system crashes. If you have either the ability to perform a crash analysis, or a support contract that covers crash analysis, then I feel that the benefit outweighs the risk.

If you have neither the ability, nor a support contract that includes crash analysis, then you should disable copying of crash dumps into /var/crash. This may be done by entering the following commands (NOTE: number may not be 71; please check first with ls /etc/rc2.d/S*savecore):

mv /etc/rc2.d/S71savecore /etc/rc2.d/_S71savecore

Set query port for Bind version 8
In Bind version 8, it is possible to set the port number for queries to remote systems. This should be set to port 53, by placing the following line into the options section of /etc/named.conf, and restarting named. This simplifies firewall configuration, as allowing port 53 (UDP and TCP) through the firewall is all that's required for DNS to function properly.
query-source address * port 53

Create ftpusers file
In Solaris, the /etc/ftpusers file is used to limit the user accounts which can receive an FTP connection. As a minimum, root and all users that have login disabled should be listed in this file. If FTP is not to be used on this system, the entire user population should be listed in this file.

Anonymous FTP
Anonymous FTP carries with it special hazards. When running Anonymous FTP, it is important to follow all of the directions included with the FTP package you use.

In particular, pay special attention to any directory in which anonymous users are allowed to have write permission. If they are also allowed read or directory-listing permission, your system could easily be used as a repository for unlawful or unwanted data. Although you would be unlikely to face criminal charges, you could easily find that your server is confiscated (at least temporarily) by law enforcement agencies.

Disable IP forwarding
To disable IP forwarding, you should touch the /etc/notrouter file. This file should exist, even if there is only one network interface on your system.

Use random IP sequence numbers
In the file /etc/default/inetinit, change the value of TCP_STRONG_ISS to 2 to generate random sequence numbers, instead of the default randomly incrementing sequence numbers. This change is made for the purpose of combating IP spoofing attacks.

Close off IP security holes
Add the following commands to the /etc/rc2.d/S69inet script (NOTE: number may not be 69; please check first with ls /etc/rc2.d/S*inet). Detailed information on what the individual changes mean can be found in the Solaris Tunable Parameters Reference Manual (9). These commands should be located immediately after the ISS generation is set:
# Change LOTS of network parameters.  This should help to secure
# the system against some types of Denial Of Service attacks, and
# intrusion attempts.  It will also keep us from forwarding Denial
# Of Service attacks to other networks.


# Combat ARP DOS attacks by flushing entries faster.
/usr/sbin/ndd -set /dev/arp arp_cleanup_interval 60000
/usr/sbin/ndd -set /dev/ip ip_ire_arp_interval 60000


# Combat ICMP DOS attacks by ignoring them.
/usr/sbin/ndd -set /dev/ip ip_respond_to_echo_broadcast 0
/usr/sbin/ndd -set /dev/ip ip6_respond_to_echo_multicast 0
/usr/sbin/ndd -set /dev/ip ip_respond_to_timestamp_broadcast 0
/usr/sbin/ndd -set /dev/ip ip_respond_to_address_mask_broadcast 0


# Ignore redirect requests.  These change routing tables.
/usr/sbin/ndd -set /dev/ip ip_ignore_redirect 1
/usr/sbin/ndd -set /dev/ip ip6_ignore_redirect 1


# Don't send redirect requests.  This is a router function.
/usr/sbin/ndd -set /dev/ip ip_send_redirects 0
/usr/sbin/ndd -set /dev/ip ip6_send_redirects 0


# Don't respond to timestamp requests.  This may break rdate
# on some systems.
/usr/sbin/ndd -set /dev/ip ip_respond_to_timestamp 0


# If a packet isn't for the interface it came in on, drop it.
/usr/sbin/ndd -set /dev/ip ip_strict_dst_multihoming 1
/usr/sbin/ndd -set /dev/ip ip6_strict_dst_multihoming 1


# Don't forward broadcasts.
/usr/sbin/ndd -set /dev/ip ip_forward_directed_broadcasts 0


# Don't forward source routed packets.
/usr/sbin/ndd -set /dev/ip ip_forward_src_routed 0
/usr/sbin/ndd -set /dev/ip ip6_forward_src_routed 0


# Combat SYN flood attacks.
/usr/sbin/ndd -set /dev/tcp tcp_conn_req_max_q0 8192


# Combat connection exhaustion attacks.
/usr/sbin/ndd -set /dev/tcp tcp_conn_req_max_q 1024


# Don't forward reverse source routed packets.
/usr/sbin/ndd -set /dev/tcp tcp_rev_src_routes 0


# Combat IP DOS attacks by decreasing the rate at which errors
# are sent.
/usr/sbin/ndd -set /dev/ip ip_icmp_err_interval 1000
/usr/sbin/ndd -set /dev/ip ip_icmp_err_burst 5
There are also places in this script where ip6_ignore_redirect is set to 0. These lines should be commented out.

SUN also has a package called nddconfig that performs these functions. It is one of their BluePrint security tools. It performs most of the functions of the above, but it has been tested to work on all versions of Solaris from 2.5.1 to 8.
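The rc script sets these values at boot, but nothing above reads them back, and the page itself notes that later lines in the same script reset ip6_ignore_redirect. The script below is an added example, not part of the original page or of SUN's nddconfig: it asks the running kernel for each parameter with ndd -get and reports any that differ from the list above. It assumes Solaris ndd(1M) with the "-get device parameter" form; the NDD variable is an assumption that lets the program be substituted for testing.

```shell
#!/bin/sh
# Added example, not part of the original page: compare the kernel network
# parameters this section sets with what the running system reports via
# "ndd -get", so drift (a patch or a later rc script resetting a value) is
# caught without re-reading the rc script. Assumes Solaris ndd(1M) with the
# "-get device parameter" form; NDD may be pointed at another program for
# testing. The table below mirrors the page's ndd -set commands.
NDD=${NDD:-/usr/sbin/ndd}

# desired_ndd_settings: "device parameter value" triples, one per line.
desired_ndd_settings() {
    cat <<'EOF'
/dev/arp arp_cleanup_interval 60000
/dev/ip ip_ire_arp_interval 60000
/dev/ip ip_respond_to_echo_broadcast 0
/dev/ip ip6_respond_to_echo_multicast 0
/dev/ip ip_respond_to_timestamp_broadcast 0
/dev/ip ip_respond_to_address_mask_broadcast 0
/dev/ip ip_ignore_redirect 1
/dev/ip ip6_ignore_redirect 1
/dev/ip ip_send_redirects 0
/dev/ip ip6_send_redirects 0
/dev/ip ip_respond_to_timestamp 0
/dev/ip ip_strict_dst_multihoming 1
/dev/ip ip6_strict_dst_multihoming 1
/dev/ip ip_forward_directed_broadcasts 0
/dev/ip ip_forward_src_routed 0
/dev/ip ip6_forward_src_routed 0
/dev/tcp tcp_conn_req_max_q0 8192
/dev/tcp tcp_conn_req_max_q 1024
/dev/tcp tcp_rev_src_routes 0
/dev/ip ip_icmp_err_interval 1000
/dev/ip ip_icmp_err_burst 5
EOF
}

# ndd_mismatches: print "device parameter want=X have=Y" for every parameter
# whose live value differs from the desired one (have=? if ndd could not read it).
ndd_mismatches() {
    desired_ndd_settings | while read -r dev param want; do
        have=$("$NDD" -get "$dev" "$param" 2>/dev/null) || have='?'
        [ "$have" = "$want" ] || echo "$dev $param want=$want have=$have"
    done
}

# check_ndd_settings: return 0 when every parameter matches, otherwise list the
# mismatches on stdout and return 1.
check_ndd_settings() {
    out=$(ndd_mismatches)
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Usage: sh check_ndd.sh --check
case "${1:-}" in --check) check_ndd_settings ;; esac
```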

Disable Multicast
Multicast is used to send data to multiple locations, using only a single address. If the server doesn't use Multicast (most don't), it should be disabled. This can be done by commenting it out of the /etc/rc2.d/S72inetsvc file (NOTE: number may not be 72; please check first with ls /etc/rc2.d/S*inetsvc). It is near the end of the file, and well commented.

Set up accounting
The system accounting information is very useful for determining the extent of an intrusion. The information stored in the accounting records may indicate what actions were performed by the intruder, thus giving an idea as to the extent of the intrusion, and possibly the reason.

Also, the system accounting information may be useful in monitoring a system for intrusions. This information is used to determine changes in user behavior. As the number of systems being monitored increases, the usefulness of manual monitoring of this data decreases. This is due to the limited amount of time available to check the results.

If the monitoring is automated, the usefulness of accounting data for intrusion detection remains high with more systems. To perform this properly would require a complex database system. It would also require several months of usage, before it could put out useful information.

As an example, if a user has been using 45MB of their 1GB quota, and their usage jumps to 950MB, then there has been a change that should be checked. This change could be due to a runaway program. It could also be due to an intrusion.

To run accounting, the SUNWaccr and SUNWaccu packages must be installed. Also, the following lines should be added to the crontab for the root user.

#
# The root crontab should be used to perform accounting data collection.
#
0 * * * * /usr/lib/acct/ckpacct > /dev/null 2>&1
0 23 * * * /usr/lib/acct/dodisk / /usr /var /usr/local > /dev/null 2>&1
59 23 * * * /usr/lib/acct/runacct > /dev/null 2>&1

The dodisk line should list all file-systems that you want to run disk accounting on. This should include all local file-systems that are normally mounted read/write.

Quotas
Quotas don't help to secure a system against intrusion, but can be used to limit the amount of data that an intruder can store on the system. On the other hand, poorly administered quotas could cause user data to receive lower security than is appropriate.

Quotas are a two-edged sword. Proper usage of quotas (along with user education) will tend to create a cooperative user community, which should tend to reduce the amount of time that a system administrator needs to spend on solving disk space issues. Also, if a user account is compromised, quotas can be used to limit the amount of data that an intruder can store on the system.

On the other hand, by controlling quotas too tightly, and not considering the needs of the users it's possible to create a situation where the users ignore security to find a place to put their files. In extreme cases, this could become a security problem.

In general, normal users shouldn't be writing data in the root, /usr, /usr/local or /var (exclusive of /var/tmp) file-systems. The non-root usage of these file-systems should be static, and the root usage should change slowly.

With respect to users, quotas are best used to remind users when it's time to clean up their files, and to keep runaway programs from filling an entire file-system. Currently, disk is so inexpensive that for the effort required to minimize space usage, it would have been cheaper to just buy more disk. Obviously, this philosophy has limits, but if users are often hitting their disk quotas, the system administrator might want to try to determine the root cause for the problem.

NTP
In the NTP configuration file, include the entry restrict default ignore after the servers and/or peers are set. After this, add specific permissions that you want hosts to have.

Enable logging
You should touch the log files /var/adm/loginlog, /var/adm/sulog, and /var/adm/tcpdlog. The daemons think that if the log file isn't there, then they shouldn't do logging.

Enable inetd logging
The inetd daemon listens on the ports configured in the /etc/inetd.conf file. When a connection occurs, inetd executes the appropriate command, and waits for another connection. By adding the -t option to the inetd invocation (in /etc/rc2.d/S72inetsvc), you can cause inetd to log all connections via the syslogd daemon. The daemon facility is used at the notice priority. This should be done, even if inetd is disabled in /etc/rc2.d/S72inetsvc.

Log FTP sessions
The in.ftpd daemon is executed by the inetd daemon when a connection is made to the TCP port 21 (if FTP is enabled in /etc/inetd.conf). By adding the -l option to the in.ftpd invocation (in /etc/inetd.conf), you can cause in.ftpd to log all sessions via the syslogd daemon. The daemon facility is used at the notice priority. This should be done, even if in.ftpd is disabled in /etc/inetd.conf.

Limit nscd caching
The nscd daemon is used by Solaris to cache frequently used data. This daemon's abilities have grown considerably since its inception as a Name Service Cache Daemon. These extra abilities can easily be disabled. It is not suggested that the nscd daemon be disabled, as that can cause severe problems.

A sample /etc/nscd.conf file, which minimizes the functionality of nscd, is as follows:

logfile                 /var/adm/nscd.log
enable-cache            passwd          no
enable-cache            group           no
positive-time-to-live   hosts           3600
negative-time-to-live   hosts           5
suggested-size          hosts           211
keep-hot-count          hosts           20
old-data-ok             hosts           no
check-files             hosts           yes
enable-cache            exec_attr       no
enable-cache            prof_attr       no
enable-cache            user_attr       no

If your system has any instability with respect to host names and/or IP addresses, it is possible to substitute the following line for all the above lines containing hosts. This may slow down host name lookups, but it should fix the name translation problem.

enable-cache            hosts           no

Set mount options
SUN suggests that the nosuid (no setUID) mount option be set on the /var file-system. I feel that this is normally a good idea.

SUN also suggests that the ro (read-only) mount option be set on the /usr file-system. This has good effects, but it requires that additional work be done prior to adding patches. In particular, it requires that the file-system be remounted read-write. This can be done with the command /etc/mount -o remount,rw /usr. Unfortunately, the only way to return to read-only is to reboot the system. Since a reboot is often done after patches are installed, the inability to return to read-only should be a minor nuisance.

They also suggest that whenever possible, other file-systems be mounted with either the ro option, the nosuid option, or, even better, both options. This may be quite difficult, politically.

The ro option might be useful on an archive file-system. The nosuid should always be used on NFS mounted file-systems, and may be appropriate for file-systems containing users' home directories.

Vold
The vold daemon is used to automatically mount removable media (CDROM, Floppy, Optical, JAZ and ZIP). This simplifies the process of mounting removable media, but creates a potential security issue if an unauthorized person gains access to the system. Also, this daemon, although potentially useful, is not normally necessary on a server. My advice is to not use it. To disable vold, remove the SUNWvolg, SUNWvolr and SUNWvolu packages.

Also, the /etc/rmmount.conf file should be configured to mount file-systems with the -o nosuid flag set. This flag would be placed in the mount line for the file-system.

Set user file creation mask
In each of the files /etc/.login, /etc/cshrc and /etc/profile, there should be an invocation of the umask command. This invocation should be positioned immediately after the initial comments. The value passed to umask is an octal mask of the mode bits that are not set when a file is created. Acceptable values are 022, 026 (suggested) and 027. Each of these has advantages and disadvantages. Please read the umask manual page prior to selecting the value to be set.

Set FTP file creation mask
Add the following line at the end of the /etc/default/ftpd file. If there is another line for UMASK, it should be commented out. This line contains the default umask value that will be used by FTP when a file is created. The value shown here is for demonstration purposes only. The umask value chosen for the user file creation mask (above) should be used.
UMASK=026

Set system startup file creation mask
The default umask during system startup should be changed from 000 (022 in Solaris 8) to 077 (the umask is an octal mask of the mode bits that are not set when a file is created). This change can be done by entering the following commands:
echo '#! /bin/sh' > /etc/rc2.d/S00UMASK.sh
echo '' >> /etc/rc2.d/S00UMASK.sh
echo 'umask 077' >> /etc/rc2.d/S00UMASK.sh
chmod 744 /etc/rc2.d/S00UMASK.sh

Set the PROM security mode
For SPARC systems, use the eeprom Solaris command, or the setenv OpenBoot command, to set the security-mode variable to either command or full. It should be noted that on some systems, setting security-mode to full will disable autoboot.

For a PC, the BIOS usually has a value that can be set to require a password prior to booting, or prior to entering BIOS. The procedures for this are different from system to system. Setting the BIOS to require a password prior to booting will disable auto-boot.

Set the PROM password
For SPARC systems, use the eeprom Solaris command, or the setenv OpenBoot command to set the security-password variable to the password you'd like to use. NOTE: If you forget this password, it is very difficult to reset, and will usually require a service call.

For a PC, the BIOS usually has a password that can be set. The procedures for this are different from system to system. NOTE: If you forget this password, you will have to reset all the BIOS parameters to factory default to reset it, which will require setting a jumper on the motherboard.

Disable keyboard abort
For SPARC systems, you may want to disable the keyboard abort sequence (L1-A). If the system hangs, this will require a power cycle to initiate a reboot. If you want to do this, use the eeprom Solaris command, or the setenv OpenBoot command to set the keyboard_abort variable to disable. This may not be available in older systems.


© 2004 - Ashford Computer Consulting Service