Oracle Solaris 11 Security Guidelines (Oracle Solaris 11 Information Library)
At this point, you might have created users who can assume roles, and have created the roles. Only the root role can modify system files.
From the following network tasks, perform the tasks that provide additional security according to your site requirements. These network tasks notify users who are logging in remotely that the system is protected, and strengthen the IP, ARP, and TCP protocols.
Use this procedure to display warnings at remote login and file transfer.
Before You Begin
You must be in the root role. You created the /etc/issue file in Step 1 of Place Security Message in Banner Files.
# vi /etc/ssh/sshd_config
# Banner to be printed before authentication starts.
Banner /etc/issue
# svcadm refresh ssh
For more information, see the issue(4) and sshd_config(4) man pages.
# vi /etc/proftpd.conf
# Banner to be printed before authentication starts.
DisplayConnect /etc/issue
# svcadm restart ftp
For more information, see the ProFTPD web site.
Use this procedure to prevent network routing after an installation in which you specified a default router. Otherwise, perform this procedure after configuring routing manually.
Note - Many network configuration procedures require that the routing daemon be disabled. Therefore, you might have disabled this daemon as part of a larger configuration procedure.
Before You Begin
You must be assigned the Network Management rights profile.
# svcs -x svc:/network/routing/route:default
svc:/network/routing/route:default (in.routed network routing daemon)
 State: online since April 10, 2011 05:15:35 AM PDT
   See: in.routed(1M)
   See: /var/svc/log/network-routing-route:default.log
Impact: None.
If the service is not running, you can stop here.
# routeadm -d ipv4-forwarding -d ipv6-forwarding
# routeadm -d ipv4-routing -d ipv6-routing
# routeadm -u
# svcs -x routing/route:default
svc:/network/routing/route:default (in.routed network routing daemon)
 State: disabled since April 11, 2011 10:10:10 AM PDT
Reason: Disabled by an administrator.
   See: http://sun.com/msg/SMF-8000-05
   See: in.routed(1M)
Impact: This service is not running.
See Also
routeadm(1M) man page
By default, Oracle Solaris forwards broadcast packets. If your site security policy requires you to reduce the possibility of broadcast flooding, change the default by using this procedure.
Note - When you disable the _forward_directed_broadcasts network property, you are disabling broadcast pings.
Before You Begin
You must be assigned the Network Management rights profile.
# ipadm set-prop -p _forward_directed_broadcasts=0 ip
# ipadm show-prop -p _forward_directed_broadcasts ip
PROTO PROPERTY                     PERM CURRENT PERSISTENT DEFAULT POSSIBLE
ip    _forward_directed_broadcasts rw   0       --         0       0,1
See Also
ipadm(1M) man page
Use this procedure to prevent the dissemination of information about the network topology.
Before You Begin
You must be assigned the Network Management rights profile.
# ipadm set-prop -p _respond_to_echo_broadcast=0 ip
# ipadm show-prop -p _respond_to_echo_broadcast ip
PROTO PROPERTY                   PERM CURRENT PERSISTENT DEFAULT POSSIBLE
ip    _respond_to_echo_broadcast rw   0       --         1       0,1
# ipadm set-prop -p _respond_to_echo_multicast=0 ipv4
# ipadm set-prop -p _respond_to_echo_multicast=0 ipv6
# ipadm show-prop -p _respond_to_echo_multicast ipv4
PROTO PROPERTY                   PERM CURRENT PERSISTENT DEFAULT POSSIBLE
ipv4  _respond_to_echo_multicast rw   0       --         1       0,1
# ipadm show-prop -p _respond_to_echo_multicast ipv6
PROTO PROPERTY                   PERM CURRENT PERSISTENT DEFAULT POSSIBLE
ipv6  _respond_to_echo_multicast rw   0       --         1       0,1
See Also
For more information, see _respond_to_echo_broadcast and _respond_to_echo_multicast (ipv4 or ipv6) in Oracle Solaris Tunable Parameters Reference Manual and the ipadm(1M) man page.
For systems that are gateways to other domains, such as a firewall or a VPN node, use this procedure to turn on strict multihoming.
The Oracle Solaris 11 release introduces a new property, hostmodel, for IPv4 and IPv6. This property controls the send and receive behavior for IP packets on a multihomed system.
Before You Begin
You must be assigned the Network Management rights profile.
# ipadm set-prop -p hostmodel=strong ipv4
# ipadm set-prop -p hostmodel=strong ipv6
# ipadm show-prop -p hostmodel ip
PROTO PROPERTY  PERM CURRENT PERSISTENT DEFAULT POSSIBLE
ipv6  hostmodel rw   strong  strong     weak    strong,src-priority,weak
ipv4  hostmodel rw   strong  strong     weak    strong,src-priority,weak
See Also
For more information, see hostmodel (ipv4 or ipv6) in Oracle Solaris Tunable Parameters Reference Manual and the ipadm(1M) man page.
For more information about the use of strict multihoming, see How to Protect a VPN With IPsec in Tunnel Mode in Oracle Solaris Administration: IP Services.
Use this procedure to prevent denial of service (DoS) attacks by controlling the number of pending connections that are incomplete.
Before You Begin
You must be assigned the Network Management rights profile.
# ipadm set-prop -p _conn_req_max_q0=4096 tcp
# ipadm show-prop -p _conn_req_max_q0 tcp
PROTO PROPERTY         PERM CURRENT PERSISTENT DEFAULT POSSIBLE
tcp   _conn_req_max_q0 rw   4096    --         128     1-4294967295
See Also
For more information, see _conn_req_max_q0 in Oracle Solaris Tunable Parameters Reference Manual and the ipadm(1M) man page.
Use this procedure to prevent DoS attacks by controlling the number of permitted incoming connections.
Before You Begin
You must be assigned the Network Management rights profile.
# ipadm set-prop -p _conn_req_max_q=1024 tcp
# ipadm show-prop -p _conn_req_max_q tcp
PROTO PROPERTY        PERM CURRENT PERSISTENT DEFAULT POSSIBLE
tcp   _conn_req_max_q rw   1024    --         128     1-4294967295
See Also
For more information, see _conn_req_max_q in Oracle Solaris Tunable Parameters Reference Manual and the ipadm(1M) man page.
This procedure sets the TCP initial sequence number generation parameter to comply with RFC 1948.
Before You Begin
You must be in the root role to modify a system file.
# vi /etc/default/inetinit
# TCP_STRONG_ISS=1
TCP_STRONG_ISS=2
Many network parameters that are secure by default are tunable, so they can be changed. If site conditions permit, return the following tunable parameters to their default values.
Before You Begin
You must be assigned the Network Management rights profile. The current value of the parameter is less secure than the default value.
The default value prevents DoS attacks from spoofed packets.
# ipadm set-prop -p _forward_src_routed=0 ipv4
# ipadm set-prop -p _forward_src_routed=0 ipv6
# ipadm show-prop -p _forward_src_routed ipv4
PROTO PROPERTY            PERM CURRENT PERSISTENT DEFAULT POSSIBLE
ipv4  _forward_src_routed rw   0       --         0       0,1
# ipadm show-prop -p _forward_src_routed ipv6
PROTO PROPERTY            PERM CURRENT PERSISTENT DEFAULT POSSIBLE
ipv6  _forward_src_routed rw   0       --         0       0,1
For more information, see forwarding (ipv4 or ipv6) in Oracle Solaris Tunable Parameters Reference Manual.
The default value prevents the dissemination of information about the network topology.
# ipadm set-prop -p _respond_to_address_mask_broadcast=0 ip
# ipadm show-prop -p _respond_to_address_mask_broadcast ip
PROTO PROPERTY                           PERM CURRENT PERSISTENT DEFAULT POSSIBLE
ip    _respond_to_address_mask_broadcast rw   0       --         0       0,1
The default value removes additional CPU demands on systems and prevents the dissemination of information about the network.
# ipadm set-prop -p _respond_to_timestamp=0 ip
# ipadm show-prop -p _respond_to_timestamp ip
PROTO PROPERTY              PERM CURRENT PERSISTENT DEFAULT POSSIBLE
ip    _respond_to_timestamp rw   0       --         0       0,1
The default value removes additional CPU demands on systems and prevents dissemination of information about the network.
# ipadm set-prop -p _respond_to_timestamp_broadcast=0 ip
# ipadm show-prop -p _respond_to_timestamp_broadcast ip
PROTO PROPERTY                        PERM CURRENT PERSISTENT DEFAULT POSSIBLE
ip    _respond_to_timestamp_broadcast rw   0       --         0       0,1
If you need IP source routing for diagnostic purposes, do not disable this network parameter.
# ipadm set-prop -p _rev_src_routes=0 tcp
# ipadm show-prop -p _rev_src_routes tcp
PROTO PROPERTY        PERM CURRENT PERSISTENT DEFAULT POSSIBLE
tcp   _rev_src_routes rw   0       --         0       0,1
For more information, see _rev_src_routes in Oracle Solaris Tunable Parameters Reference Manual.
The default value prevents additional CPU demands on systems. Redirects are typically not necessary on a well-designed network.
# ipadm set-prop -p _ignore_redirect=0 ipv4
# ipadm set-prop -p _ignore_redirect=0 ipv6
# ipadm show-prop -p _ignore_redirect ipv4
PROTO PROPERTY         PERM CURRENT PERSISTENT DEFAULT POSSIBLE
ipv4  _ignore_redirect rw   0       --         0       0,1
# ipadm show-prop -p _ignore_redirect ipv6
PROTO PROPERTY         PERM CURRENT PERSISTENT DEFAULT POSSIBLE
ipv6  _ignore_redirect rw   0       --         0       0,1
See Also
ipadm(1M) man page
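As an added check, not part of the Oracle guide, the following POSIX shell audit compares a captured ipadm show-prop listing against the values set by the echo-request, strict multihoming, TCP connection queue and secure-default procedures above (a subset of the properties). The audit_props and run_sample functions are assumptions introduced here, and the listing they read is constructed so that the check runs without a Solaris host.

```shell
# Added example, not part of the Oracle guide: audit captured `ipadm show-prop`
# output against the secure values this section sets. A constructed sample of the
# PROTO PROPERTY PERM CURRENT PERSISTENT DEFAULT POSSIBLE listing is embedded so
# the check runs without a Solaris host.

# Secure values from the procedures above, "proto property value" per line (a subset).
EXPECTED='ip _forward_directed_broadcasts 0
ip _respond_to_echo_broadcast 0
ipv4 _respond_to_echo_multicast 0
ipv4 hostmodel strong
tcp _conn_req_max_q0 4096
tcp _conn_req_max_q 1024
ipv4 _forward_src_routed 0
tcp _rev_src_routes 0'

# audit_props: reads show-prop output on stdin, prints each deviating or missing
# property, returns 1 if any is found and 0 when all comply.
audit_props() {
    awk -v expected="$EXPECTED" '
    BEGIN { n = split(expected, l, "\n")
            for (i = 1; i <= n; i++) { split(l[i], f, " "); want[f[1] " " f[2]] = f[3] } }
    $1 == "PROTO" { next }                  # skip the column header line
    ($1 " " $2) in want {                   # $4 is the CURRENT column
        k = $1 " " $2; seen[k] = 1
        if ($4 != want[k]) { printf "DEVIATION %s current=%s expected=%s\n", k, $4, want[k]; bad = 1 } }
    END { for (k in want) if (!(k in seen)) { printf "MISSING %s\n", k; bad = 1 }
          exit bad + 0 }'
}

# Constructed sample: echo-broadcast replies still on, SYN backlog (q0) at default,
# and _rev_src_routes not reported at all.
SAMPLE='PROTO PROPERTY PERM CURRENT PERSISTENT DEFAULT POSSIBLE
ip _forward_directed_broadcasts rw 0 -- 0 0,1
ip _respond_to_echo_broadcast rw 1 -- 1 0,1
ipv4 _respond_to_echo_multicast rw 0 -- 1 0,1
ipv4 hostmodel rw strong strong weak strong,src-priority,weak
tcp _conn_req_max_q0 rw 128 -- 128 1-4294967295
tcp _conn_req_max_q rw 1024 -- 128 1-4294967295
ipv4 _forward_src_routed rw 0 -- 0 0,1'

# run_sample: audit the embedded sample; prints findings, returns the audit status.
run_sample() { printf '%s\n' "$SAMPLE" | audit_props; }

# count_findings: number of DEVIATION/MISSING lines for the sample (3 expected).
count_findings() { run_sample | wc -l | tr -d ' '; }
```

On a live system the same function can be fed with ipadm show-prop ip, ipadm show-prop ipv4 and ipadm show-prop tcp output in turn; a non-zero return is the signal that a step above still needs to be applied.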