Manualshelf

User's Manual

ManualsBrandsSolaris ManualsSoftwareCX-310-301
11121314151617181920
Solaris 9 Security CX-310-301 14
Application Security
An insecure application can undermine the entire security policy and must be treated with respect when
defining a security policy. Most of the time, you will not have the source code for an application (unless it
is open source), so there is a reliance on the supplier to provide a “fix” for a security problem. The security
policy must state the accepted tolerance (if any) to allow a solution to be implemented. In extreme
circumstances, the policy could state that the application must not be used until a documented solution is
installed and tested.
Security Operations and Management
The following recommendations will assist the smooth running of a security policy:
¾ If possible, install the latest release of the operating environment. Sun Microsystems release an
update approximately every 3 months. Some of these will contain new security features or
auditing facilities.
¾ Ensure that you have applied the most recent patches on a regular basis and look for security
patches as a priority
¾ Establish a “fingerprint” database so it is easy to determine if a file or program has been tampered
with. Sun Microsystems provide the Sun Fingerprint database for this purpose, but Tripwire
(www.tipwire.com
) carries out a similar function.
¾ Ensure that sufficient logging and auditing is enabled on the system to be able to catch important
messages and events
¾ Identify a sensible backup strategy, stick to it and carry out periodic tests of backup media. This
facility is essential if a security breach occurs and the system needs to be restored to a time prior to
the attack.
¾ Adhere to a realistic user account management procedure. Run a password cracking program to
identify weak passwords and disable dormant user accounts.
¾ Ensure that the user community is educated and informed of potential security risks and that the
user is aware of security issues.
¾ Never allow a compiler to exist on a production system. This is an attacker’s dream – you might as
well leave the root password on your company’s homepage!
Insecure Systems
An insecure system is one that is not adequately protected against unauthorized access. This could also be
the result of poor internal security allowing an authorized user of the system to gain access to privileged
information or utilities. Reasons for insecure systems include:
¾ Lax file/directory permissions
¾ Poor user account management – allowing users to login without a password, or using a weak
password