Solaris 10 Server Hardening Checklist

The hardening checklists are based on the comprehensive checklists produced by UT Austin.

How to use the checklist

Print the checklist and check off each item you complete to ensure that you cover the critical steps for securing your server. The Office of Information Security uses this checklist during risk assessments as part of the process to verify that servers are secure.

How to read the checklist

Step - The step number in the procedure. If there is a UT Note for this step, the note # corresponds to the step #.

Check (√) - This is for administrators to check off when she/he completes this portion.

To Do - Basic instructions on what to do to harden the respective system

UT Note - The UT Note provides additional detail about the step for the university computing environment.

Cat A - For systems that include Category-A data, required steps are denoted with the ! symbol. All steps are recommended.

Cat B/C - For systems that include Category B or C data, all steps are recommended, and some are required (denoted by the !).

Server Information

MAC Address
IP Address
Machine Name
Asset Tag
Administrator Name
Date

Preparation and Installation
Step	√	To Do	UT Note	Cat A	Cat B/C
1		If machine is a new install, protect it from hostile network traffic, until the operating system is installed and hardened.	§	!	!
Patches and Additional Software
2		Apply the latest OS patches.	§	!	!
3		Enable automatic notification of new patches.	§	!	!
4		Minimize System Services.	§	!
Kernel Tuning
5		Enable Stack Protection.
6		Use better TCP Sequence numbers.
Logging
7		Turn on inetd tracing.		!
8		Capture messages sent to syslog AUTH facility.		!
9		Create /var/adm/loginlog.		!
10		Log all failed login attempts.		!
11		Turn on cron logging.		!
12		Enable system accounting.		!
Files/Directory Permissions/Access
13		Verify passwd, shadow, and group file permissions.		!
System Access, Authentication, and Authorization
14		Disable login: prompts on serial ports.		!
15		Configure SSH.	§	!
16		Create /etc/ftpd/ftpusers.
17		Configure TCP Wrappers.		!
18		If additional methods of restricting connections are necessary, implement them.	§	!
19		Restrict root logins to system console.		!
20		On Sparc-based Solaris systems, set the EEPROM security mode to prevent unauthorized booting from non-standard media.		!
21		Configure the console to lock automatically if it is left unattended for an extended period of time.
User Accounts and Environment
22		Verify that there are no accounts with empty password fields.		!
23		Set strong password enforcement policies.	§	!
24		Verify no UID 0 accounts exist other than ‘root’
25		Install, configure, and use ‘sudo’ instead of ‘su root’.	§
Warning Banners
26		Create warning banners for standard login services.	§	!
27		Create warning for GUI-based logins.	§	!
28		Create warnings for FTP daemon (if in use).	§	!
29		Create power-on warning.	§	!
30		Systems will provide secure storage for Category A data as required by confidentiality, integrity, and availability needs. Security can be provided by means such as, but not limited to, encryption, access controls, filesystem audits, physically securing the storage media, or any combination thereof as deemed appropriate.	§	!
31		Install software to check the integrity of critical operating system files.	§	!
32		Install and enable anti-virus software.	§	!	!
33		Configure to update signature daily on AV.	§	!
34		Set up time synchronization using NTP.	§
35		Enable Process accounting at boot time.		!

UTB Example

This list provides specific tasks related to the computing environment at The University of Texas at Austin.

1	If other alternatives are unavailable, this can be accomplished by installing a SOHO router/firewall in between the network and the host to be protected.
2	Sun Update Manager/Sun Patch Manager For Solaris 8, 9, & 10 These services now require valid service contracts with Sun.
3	Sun Connection Update Manager can provide desktop notifications of new patches.
4	Each server is unique in its needs. The CIS guide will discuss many services that are part of the core Solaris OS. Review these services and disable those that are unnecessary.
15	SSH is distributed with the Solaris operating system as of version 9. If you decide to utilize SSH, the ISO highly recommends the following: Change the port from port 22 to something/anything else. There are scripts online that malicious hackers can use against an SSH server. These scripts always attack port 22 since most people do not change the default port. Do not allow root logins via SSH. If possible, use keys with passphrase instead of just passwords. To create rsa keys, follow these commands: ssh-keygen –t rsa ssh server “mkdir .ssh; chmod 0700 .ssh” scp ./ssh/ida_rsa.pub server:.ssh/authorized_keys2 The CIS Solaris Benchmark covers some suggested basic settings to place in the configuration file. You may also want to visit the SSL Web site.
18	Ipfilter is the primary software firewall available for Solaris 10, from Sun. You may also want to visit the ipfilter home page.
23	If other methods of ensuring that passwords are in line with IT Security Operations Manual password requirements, enable the entries in the /etc/default/passwd file that will bring the machine's policy into compliance.
25	Use ‘sudo’ or other similar utility to allow your systems administrators to run commands as root. This provides better accountability, particularly where there are multiple sysadmins, and flexibility (non-sysadmins can be given access to a restricted set of priviledged commands they need for their work instead of being given the ‘root’ password). More information is available on the Sudo Main Page.
26	The text of the university's official warning banner can be found on the ITS Web site. You may add localized information to the banner as long as the university banner is included.
27	The text of the university's official warning banner can be found on the ITS Web site. You may add localized information to the banner as long as the university banner is included.
28	The text of the university's official warning banner can be found on the ITS Web site. You may add localized information to the banner as long as the university banner is included.
29	The text of the university's official warning banner can be found on the ITS Web site. You may add localized information to the banner as long as the university banner is included.
30	There are a variety of methods available to accomplish this goal. Two good candidates are PGP (cost) and GNUPG (free).
31	Tripwire has a charge. The Tripwire management console can be very helpful for managing more complex installations. AIDE is a free tool available from SourceForge. SamHain and OSSEC are other free tools.
32	There are few viruses that infect Solaris computers; therefore, it is understandable for most Solaris servers to have an exception to this rule. See the Operations Manual for information on the exception process. You may choose any proven anti-virus product. One option is ClamAV.
33	Anti-spyware software must be installed and enabled for Category A data if the machine is used by administrators to browse Web sites not specifically related to the administration of the machine. In addition, anti-spyware software must be installed if users are able to install software. Very few spyware applications target Unix OSes, so most Unix servers will have an exception to this rule. See the Operations Manual for information on the exception process.
34	To configure NTP on a Solaris server: Create the file /etc/inet/ntp.conf with the following entries: server 128.83.185.40 server 128.83.185.41 driftfile /etc/ntp.drift Create the file /etc/ntp.drift with the following entry: 0.0 Restart the NTP service by issuing the following commands: /etc/rc2.d/S74xntd stop /etc/rc2.d/S74xntd start ITS Networking operates two stratum 2 NTPv4 (NTP version 4) servers for network time synchronization services for university network administrators.

For comments and questions, please contact the Webmaster. Scroll

Close X