From: Beck, Joseph (jbeck@seic.com)
Date: Fri Sep 08 2006 - 21:08:48 EDT
Sorry for the slow response...like most of you I'm forced to jump from
one hot item to the next at the drop of a hat.
I did not find what I was looking for, which is a modern/sol10 version
of an article Lance Spitzner wrote years ago called something like
armoring solaris (see
http://www.mgmg-interactive.com/mgmg/packages3.html), but I did get some
good information.
Many suggested this site:
#1 http://www.cisecurity.org/bench_solaris.html
#2 regarding which initial install, someone suggested using the reduced
network cluster for installation...alan
#3 insight into just how small you can make an initial Solaris
installation:
http://blogs.sun.com/eric_boutilier/date/20050406#unix_from_scratch_table_of
-this email had other worthwhile info (posted at bottom)
#4 I also found excellent material in an internal document that a former
consultant was working on...I'll have to scrub it & send it out (focus
on banking & financials).
Some interesting sections from the doc:
Implement the following reqs:
http://grkvlt.blogspot.com/2006/03/hardening-solaris-ten.html
http://www.sun.com/bigadmin/xperts/sessions/17_sol10install/
http://www.sun.com/software/security/jass/
As an example, Solaris 10 includes over 75 public domain software
packages in /usr/sfw including such software packages as MySQL, gcc, TCL
and TK. Many of these packages are subject to exploitations which often
times elevate a user's privileges within the server.
At a minimum, the following software should never be installed onto
production servers:
* Compilers (GNU gcc or Sun's SUNWspro)
* Java development kits including java compilers (SUNWj3dev,
  SUNWj5dev, etc.)
* Database access tools (except on database servers themselves)
  o SQL*Net
  o Interpreted software (perl, python, etc.) database access modules
    (e.g. perl's DBO for oracle).
* Point-to-point protocol (PPP) drivers and configuration
* Directory (LDAP) Server
* Mobile IP
* Apache Server
* DHCP Software
* Sun's Java Application Server
* StarOffice
* tcpdump
Note, 3rd party software should be checked to ensure applications such
as compilers are not included.
In addition, Pzone servers should be further hardened by removing
network intrusive applications such as:
* snoop(1M)
Minimize System Services
Many of the default system services (time, echo, discard, NFS, NIS,
etc.) are not required and are often a target for exploitation.
Internet Services
Internet services are managed by the inetd daemon. The following inetd
services should be disabled:
* chargen
* in.comsat
* daytime
* discard
* dtspc
* echo
* exec
* finger
* fs
* ftp (see below)
* krb5_prop
* login
* name
* netstat
* printer
* rquotad
* rstatd
* rusersd
* shell
* sprayd
* sun-dr
* systat
* talk
* telnet
* tftp
* time
* uucp
* walld
Solaris Security Toolkit:
http://www.sun.com/security/jass/
Solaris Fingerprint Database:
http://sunsolve.sun.com/pub-cgi/fileFingerprints.pl
Sun's Kerberos Information
http://www.sun.com/software/security/kerberos/
Role-Based Access Control (RBAC) white paper:
http://wwws.sun.com/software/whitepapers/wp-rbac/
OpenSSH white paper, NTP white paper, information on kernel (ndd)
settings, et al:
http://www.sun.com/security/blueprints/
System Integrity Solutions
Commercial Tripwire (enterprise ready):
Open Source Tripwire:
http://sourceforge.net/projects/tripwire/
Basic Audit and Reporting Tool (BART):
http://www.sun.com/blueprints/0305/819-2259.pdf
***download this doc & get something basic setup & cron'd***
Other Miscellaneous Documentation
Various documentation on Solaris security issues:
http://ist.uwaterloo.ca/security/howto/
On BSM Audit flags:
http://www.samag.com/documents/s=9427/sam0414c/0414c.htm
On hiding information in Solaris extended attributes:
http://www.usenix.org/publications/login/2004-02/pdfs/brunette.pdf
Discussion of "locked" vs. "blocked" accounts:
http://www.securitydocs.com/library/2636
Primary source for information on NTP -
Information on MIT Kerberos -
http://web.mit.edu/kerberos/www/
Apache "Security Tips" document:
http://httpd.apache.org/docs-2.0/misc/security_tips.html
Information on Sendmail and DNS:
http://www.deer-run.com/~hal/dns-sendmail/DNSandSendmail.pdf
Software
Pre-compiled software packages for Solaris:
LogSurfer+ (real time log monitoring):
http://www.crypt.gen.nz/logsurfer/
Open Source Sendmail (email server) distributions:
#3 complete email:
This may not be exactly what you want, and it does have an x86 Solaris
slant; however, it is a fascinating insight into just how small you can
make an initial Solaris installation:
http://blogs.sun.com/eric_boutilier/date/20050406#unix_from_scratch_table_of
The thread has seemingly petered out now but if you haven't come across
it before, I think you'll find it worth the read.
I initially installed a Sol10 test box on SPARC hardware using the
Reduced Net Core cluster as the starting point and I seem to recall it
came out at under 90 packages.
The only relevant notes I can find now are these:
--8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<---
These are needed for compilation
Already Installed
system SUNWlibmsr Math & Microtasking Libraries CD1
system SUNWlibms Math & Microtasking Libraries CD1
Needed to be added
system SUNWarc Lint Libraries CD4
system SUNWbtool CCS tools bundled with SunOS CD4
system SUNWhea SunOS Header Files CD4
system SUNWtoo Programming tools CD1
system SUNWlibmr Math Library Lint Files CD4
system SUNWlibm Math & Microtasking Library Headers CD4
system SUNWsprot Solaris Bundled tools CD4
and possibly these to get a working compiler
system SUNWgcmn gcmn - Common GNU package CD2
system SUNWgccruntime GCC Runtime libraries CD2
system SUNWgcc gcc - The GNU C compiler CD4
system SUNWbinutils binutils - GNU binutils CD4
After this a "gcc hello.c" works (gcc is in /usr/sfw/bin)
Maybe these will be needed later (Eric Boutilier's blog)
SUNWxcu4 XCU4 Utilities
SUNWscpr Source Compatibility, (Root)
SUNWscpu Source Compatibility, (Usr)
--8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<---
If you want any more info, I could try and find some more notes but I
/didn't take it all that far/haven't taken it any further yet/, however I
would think that following your nose from the thread above will be all
you'd need to get a minimal installation.
Joe Beck Ciber Inc. - a consultant to SEI One Freedom Valley Drive/ 100
Cider Mill Road| Oaks, PA 19456 | p: 610.676.2258 | jbeck@seic.com
-----Original Message-----
From: Dave Mitchell [mailto:davem@iabyn.com]
Sent: Tuesday, August 29, 2006 1:03 PM
To: Beck, Joseph
Subject: Re: Minimizing the Solaris Operating Environment for
Security...sol10 version
On Tue, Aug 29, 2006 at 12:04:34PM -0400, Beck, Joseph wrote:
> Anyone seen such a document yet?
>
> I have a need to start building some web servers that will be solaris
> 10. I have the beginnings of a document and wanted to leverage any
> previous work in deciding things such as which initial (metacluster)
> install & which pkgs to remove after, which services, etc...I had to do
> this years ago, but was dealing with sol6 & sol7 at the time.
http://www.cisecurity.org/bench_solaris.html
-- SCO - a train crash in slow motion
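As an added example (mine, not from the post or the internal document it quotes), a POSIX sh audit that checks the inetd disable list and the "never install" package list above against saved `inetadm` and `pkginfo` output, so it can be run offline before touching a box. The mapping of the post's inetd names onto SMF service names, the sample listings and the function names are my assumptions.

```shell
#!/bin/sh
# Added example (not from the post): audit a Solaris 10 host against the
# post's lists, reading saved `inetadm` / `pkginfo` output on stdin.

# inetd services the post says to disable (the post's names; where the SMF
# name differs, e.g. rstatd -> rpc/rstat, substitute locally: assumption)
DISABLE_LIST="chargen comsat daytime discard dtspc echo exec finger fs ftp
krb5_prop login name netstat printer rquotad rstatd rusersd shell sprayd
sun-dr systat talk telnet tftp time uucp walld"
# package-name prefixes the post says never belong on production servers
BANNED_PKGS="SUNWgcc SUNWj3dev SUNWj5dev SUNWspro"

# svc:/network/telnet:default -> telnet (strip instance, then path)
svc_name() { n=${1%:*}; echo "${n##*/}"; }

# stdin: `inetadm` output (ENABLED STATE FMRI columns)
# stdout: FMRIs that are enabled and whose service name is on DISABLE_LIST
find_enabled_listed() {
    while read -r enabled _state fmri; do
        [ "$enabled" = "enabled" ] || continue
        name=$(svc_name "$fmri")
        for s in $DISABLE_LIST; do
            if [ "$s" = "$name" ]; then echo "$fmri"; break; fi
        done
    done
}

# stdin: `pkginfo` output (CATEGORY PKGINST NAME...)
# stdout: pkginst of installed packages matching a BANNED_PKGS prefix
find_banned_pkgs() {
    while read -r _cat pkginst _rest; do
        for p in $BANNED_PKGS; do
            case $pkginst in "$p"*) echo "$pkginst"; break ;; esac
        done
    done
}

# constructed sample listings standing in for live command output
SAMPLE_INETADM='ENABLED   STATE          FMRI
enabled   online         svc:/network/telnet:default
disabled  disabled       svc:/network/finger:default
enabled   online         svc:/network/echo:dgram
enabled   online         svc:/network/rpc/gss:default'
SAMPLE_PKGINFO='system      SUNWcsr     Core Solaris, (Root)
system      SUNWgcc     gcc - The GNU C compiler
system      SUNWj5dev   JDK 5.0 development tools'

# emit the remediation commands for review (inetadm -d / pkgrm)
printf '%s\n' "$SAMPLE_INETADM" | find_enabled_listed | sed 's/^/inetadm -d /'
printf '%s\n' "$SAMPLE_PKGINFO" | find_banned_pkgs | sed 's/^/pkgrm /'
```

On a live host, replace the sample variables with `inetadm` and `pkginfo` run directly; the two functions only report, so the printed commands can be reviewed before anything is disabled or removed.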
This archive was generated by hypermail 2.1.7 : Wed Apr 09 2008 - 23:40:46 EDT