User's Manual

Solaris 9 Security CX-310-301 45
Kernel Trust and OpenBoot
The kernel is implicitly trusted because it IS the operating system. For this reason, the kernel is a
potential target for attacks: once it is compromised, an attacker has full control of the system.
At system boot time, kernel modules are loaded from these directories:
- /platform/`uname -i`/kernel/
- /platform/`uname -m`/kernel/
- /kernel
- /usr/kernel
To protect the kernel as much as possible, these directories should be checked regularly and audited to
make sure there are no unauthorized additions.
You should also check /etc/system, because this file is used to load modules as well. Make sure this file is
properly protected and inspected regularly. A product such as Tripwire can monitor any changes to
the file.
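One way to run the regular check described above, as an added example that is not part of the original manual: record a baseline manifest of the four module directories and /etc/system, then compare the live system against it. The function names and the manifest file are assumptions, and a POSIX shell and awk are assumed.

```sh
#!/bin/sh
# Added example: baseline/compare audit of the module directories and /etc/system.
# Function names and the manifest file are assumptions, not Solaris tools.

# The four module directories named in the text, plus /etc/system.
kernel_paths() {
    echo "/platform/`uname -i`/kernel"
    echo "/platform/`uname -m`/kernel"
    echo /kernel
    echo /usr/kernel
    echo /etc/system
}

# Print "path<TAB>crc size" for every regular file under the given paths.
# cksum is a CRC: it catches additions and edits, but use a cryptographic
# digest (or Tripwire) where deliberate collisions are a concern.
make_manifest() {
    for p in "$@"; do
        [ -e "$p" ] || continue   # path gone: its baseline entries show as REMOVED
        find "$p" -type f -print
    done | sort -u | while IFS= read -r f; do
        set -- `cksum < "$f"`
        printf '%s\t%s %s\n' "$f" "$1" "$2"
    done
}

# Read a current manifest on stdin and compare it with baseline file $1.
# Returns 0 if identical, 1 on any difference, 2 if the baseline is unreadable.
compare_to_baseline() {
    [ -r "$1" ] || { echo "baseline not readable: $1" >&2; return 2; }
    awk -F'\t' -v base="$1" '
        BEGIN { while ((getline l < base) > 0) { split(l, a, "\t"); want[a[1]] = a[2] } }
        !($1 in want)  { print "ADDED " $1; bad = 1; next }
        want[$1] != $2 { print "CHANGED " $1; bad = 1 }
                       { seen[$1] = 1 }
        END { for (f in want) if (!(f in seen)) { print "REMOVED " f; bad = 1 }
              exit bad }'
}

# Usage: script baseline FILE   |   script check FILE
case "${1:-}" in
    baseline) make_manifest `kernel_paths` > "$2" ;;
    check)    make_manifest `kernel_paths` | compare_to_baseline "$2" ;;
esac
```

Keep the baseline file off the host or on read-only media; a manifest that an intruder can rewrite proves nothing.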
OpenBoot
The OpenBoot PROM is the low-level system interpreter, and it is often left unprotected. If an attacker gains
access to the system console, then this might be your only defense, but only if it is properly secured.
By default, the OpenBoot PROM comes completely unsecured, which means a command can be issued to
boot from a different kernel file or to boot across a network; the potential for compromise is endless.
There are two settings that need to be addressed to secure the OpenBoot console so that anyone gaining
access to the console can reboot the system, but cannot alter any configuration parameters. The first is
security-mode:
There are three levels of OpenBoot EEPROM security:
- None – There are no restrictions and any command can be used without entering a password. This
  is the default state.
- Command – Restricted access with the user only being able to enter the boot or continue
  commands without a password. All other commands require a password.
- Full – The highest security level where the user can only enter the continue command without a
  password.
To set the security to the highest level, enter the following as root on the running system:
# eeprom security-mode=full
The second setting is the EEPROM password. Set it by executing:
# eeprom security-password=