JavaScript is required to for searching.
Skip Navigation Links
Exit Print View
Oracle Solaris 11 Security Guidelines     Oracle Solaris 11.1 Information Library
search filter icon
search icon

Document Information


1.  Overview of Oracle Solaris Security

2.  Configuring Oracle Solaris Security

Installing the Oracle Solaris OS

Securing the System

How to Verify Your Packages

How to Disable Unneeded Services

How to Remove Power Management Capability From Users

How to Place a Security Message in Banner Files

How to Place a Security Message on the Desktop Login Screen

Securing Users

How to Set Stronger Password Constraints

How to Set Account Locking for Regular Users

How to Set More Restrictive umask Value for Regular Users

How to Audit Significant Events in Addition to Login/Logout

How to Monitor lo Events in Real Time

How to Remove Unneeded Basic Privileges From Users

Securing the Kernel

Configuring the Network

How to Display a Security Message to ssh Users

How to Use TCP Wrappers

Protecting File Systems and Files

How to Limit the Size of the tmpfs File System

Protecting and Modifying Files

Securing Applications and Services

Creating Zones to Contain Critical Applications

Managing Resources in Zones

Configuring IPsec and IKE

Configuring IP Filter

Configuring Kerberos

Adding SMF to a Legacy Service

Creating a BART Snapshot of the System

Adding Multilevel (Labeled) Security

Configuring Trusted Extensions

Configuring Labeled IPsec

3.  Monitoring and Maintaining Oracle Solaris Security

A.  Bibliography for Oracle Solaris Security

Configuring the Network

At this point, you might have created users who can assume roles, and have created the roles. Only the root role can modify system files.

From the following network tasks, perform the tasks that provide additional security according to your site requirements. These network tasks notify users who are logging in remotely that the system is protected, and strengthen the IP, ARP, and TCP protocols.

For Instructions
Display warning messages that reflect your site's security policy.
Notifies users and would-be attackers that the system is monitored.
Disable the network routing daemon.
Limits access to systems by would-be network sniffers.
Prevent the dissemination of information about the network topology.
Prevents the broadcast of packets.
Prevents responses to broadcast echo requests and multicast echo requests.
For systems that are gateways to other domains, such as a firewall or a VPN node, turn on strict source and destination multihoming.
Prevents packets that do not have the address of the gateway in their header from moving beyond the gateway.
Prevent Denial of Service (DOS) attacks by controlling the number of incomplete system connections.
Limits the allowable number of incomplete TCP connections for a TCP listener.
Prevent DOS attacks by controlling the number of permitted incoming connections.
Specifies the default maximum number of pending TCP connections for a TCP listener.
Generate strong random numbers for initial TCP connections.
Complies with the sequence number generation value specified by RFC 6528.
Return network parameters to their secure default values.
Increases security that was reduced by administrative actions.
Add TCP wrappers to network services to limit applications to legitimate users.
Specifies systems that are allowed access to network services, such as FTP.

How to Display a Security Message to ssh Users

Use this procedure to display warnings when logging in using the ssh protocol.

Before You Begin

You created the /etc/issue file in Step 1 of How to Place a Security Message in Banner Files.

You must become an administrator who is assigned the solaris.admin.edit/etc/ssh/sshd_config authorization and one of the Network rights profiles. The root role has all of these rights. For more information, see How to Use Your Assigned Administrative Rights in Oracle Solaris 11.1 Administration: Security Services.

How to Use TCP Wrappers

The following steps show three ways that TCP wrappers are used or can be used in Oracle Solaris.

Before You Begin

You must assume the root role to modify a program to use TCP wrappers.

  1. You do not need to protect the sendmail application with TCP wrappers.

    By default, it is protected with TCP wrappers, as described in Support for TCP Wrappers From Version 8.12 of sendmail in Managing sendmail Services in Oracle Solaris 11.1.

  2. To enable TCP wrappers for all inetd services, see How to Use TCP Wrappers to Control Access to TCP Services in Configuring and Administering Oracle Solaris 11.1 Networks.
  3. Protect the FTP network service with TCP wrappers.
    1. Follow the instructions in the /usr/share/doc/proftpd/modules/mod_wrap.html module.

      Because this module is dynamic, you must load it to use TCP wrappers with FTP.

    2. Load the module by adding the following instructions to the /etc/proftpd.conf file:
      <IfModule mod_dso.c>
          LoadModule mod_wrap.c
    3. Restart the FTP service.
      $ svcadm restart svc:/network/ftp