User's Manual

Solaris 9 Security CX-310-301 66
- Only install the Solaris cluster containing the packages that you actually need. There is no need to install everything if it's not required, and doing so creates unnecessary security risks
- Restrict network services in /etc/inetd.conf
- Restrict RPC services
- Manage user accounts effectively by including expiry dates and locking the passwords of dormant accounts
- Secure system accounts such as adm, lp, sys, nobody etc. These accounts have no password by default, so lock them using passwd -l
- Remove the NFS software if your system is not going to act as an NFS server or client
- Secure the system console at the OpenBoot PROM level, and also restrict root logins so that they are allowed only from the console itself and not remotely
- Mount filesystems read-only where appropriate and include the nosuid flag so that any programs or files with set-uid or set-gid privileges are negated
- Review all set-uid and set-gid programs and scripts. These are potentially dangerous and could compromise the security of the system
- Restrict cron, at and batch actions to prohibit automatic processing by unauthorized users
- Implement roles using RBAC to give additional privileges to users without having to allow root access
- Modify the default umask value, normally set to 022. Set a new default of 027, for example, so that other users have no access to files and directories
- Enable logging and accounting
- Display suitable access warnings in the appropriate files where users can access your system remotely
- Disable the automounter if this facility is not to be used. Rename the startup script /etc/rc2.d/S74autofs to do this
See http://www.sun.com/solutions/blueprints/1202/816-5242.pdf for full details of how to implement the techniques above.
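As an added example (not from the manual or from Sun), the script below audits three of the items in the checklist above: enabled services in inetd.conf, system accounts that have not been locked with passwd -l, and vfstab entries mounted without nosuid. It assumes the Solaris convention that passwd -l writes "*LK*" into the shadow password field; the inetd.conf, passwd, shadow and vfstab files it checks are constructed samples written to a temporary directory.

```shell
#!/bin/sh
# Added audit helper for three checklist items; the sample files below are
# constructed for illustration, not taken from a real host.
# Enabled inetd services: non-blank lines of inetd.conf that are not commented out.
enabled_inetd_services() {
    awk '$0 !~ /^[ \t]*(#|$)/ { print $1 }' "$1"
}
# System accounts (uid 1-99 in passwd) whose shadow entry is not locked.
# Assumption: passwd -l writes "*LK*" into the shadow password field.
unlocked_system_accounts() {   # $1 = passwd file, $2 = shadow file
    awk -F: 'NR == FNR { if ($3 + 0 > 0 && $3 + 0 < 100) sys[$1] = 1; next }
             ($1 in sys) && $2 != "*LK*" { print $1 }' "$1" "$2"
}
# ufs entries in vfstab whose mount options (field 7, "-" if none) lack nosuid.
suid_capable_mounts() {
    awk '$0 !~ /^[ \t]*(#|$)/ && $4 == "ufs" && $7 !~ /(^|,)nosuid(,|$)/ { print $3 }' "$1"
}
SAMPLE_DIR=$(mktemp -d)   # constructed sample configuration files
cat > "$SAMPLE_DIR/inetd.conf" <<'EOF'
# Internet services database (constructed sample)
ftp     stream  tcp6    nowait  root    /usr/sbin/in.ftpd       in.ftpd -a
telnet  stream  tcp6    nowait  root    /usr/sbin/in.telnetd    in.telnetd
#finger stream  tcp     nowait  nobody  /usr/sbin/in.fingerd    in.fingerd
EOF
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:1:Super-User:/:/sbin/sh
lp:x:71:8:Line Printer Admin:/usr/spool/lp:
adm:x:4:4:Admin:/var/adm:
alice:x:1001:10:Alice:/export/home/alice:/bin/ksh
EOF
cat > "$SAMPLE_DIR/shadow" <<'EOF'
root:abcdefghijklm:6445::::::
lp:*LK*:6445::::::
adm:NP:6445::::::
alice:abcdefghijklm:12000::::::
EOF
cat > "$SAMPLE_DIR/vfstab" <<'EOF'
#device to mount   device to fsck     mount point  FS  pass boot options
/dev/dsk/c0t0d0s0 /dev/rdsk/c0t0d0s0 /            ufs 1    no   -
/dev/dsk/c0t0d0s7 /dev/rdsk/c0t0d0s7 /export/home ufs 2    yes  nosuid,logging
/dev/dsk/c0t0d0s5 /dev/rdsk/c0t0d0s5 /opt         ufs 2    yes  logging
EOF
echo "enabled inetd services:";    enabled_inetd_services "$SAMPLE_DIR/inetd.conf"
echo "system accounts not locked:"; unlocked_system_accounts "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/shadow"
echo "mounts without nosuid:";      suid_capable_mounts "$SAMPLE_DIR/vfstab"
```

On a real host, point the three functions at /etc/inetd.conf, /etc/passwd, /etc/shadow and /etc/vfstab instead of the sample directory; the root filesystem will always be listed by the nosuid check, since it cannot be mounted nosuid.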
Solaris Security Toolkit
The Solaris Security Toolkit (SST), also known as the Jumpstart Architecture and Security Scripts Toolkit (JASS), provides an easy, automated method of securing your system. The package can be downloaded from Sun Microsystems at:
http://wwws.sun.com/software/security/jass/index.html
and Sun blueprints for a quick-start guide can be found at: