Changes to Solaris

This section discusses the onetime only changes and the reconfigurable changes that may be made to Solaris services during host configuration. If you accept the default installation setting, these changes will be made on the host where Solaris for ISPs is installed.

You must review and may modify, if necessary, these changes to foundation Solaris during host configuration. These changes may not be incorporated in future releases of Solaris for ISPs.

Onetime Only Settings

Solaris for ISPs consists of a foundation configuration unit that runs only once to ensure security for passwords and to safeguard file permissions to the file owner. It makes a set of default changes as part of the initial installation process. The functionality of this unit is similar to the functionality of the script in ftp://ftp.wins.uva.nl:/pub/solaris/fix-modes.tar.gz. To undo these changes, go to "Undoing the Changes".

This section examines the initial installation steps automatically executed only once in the foundation package. You must address this section before installing Solaris for ISPs.

The script will be executed. However, these changes will take place only if conflicting changes to the files have not already been set up by you.

• It runs a script that make modes of files installed as part of Solaris packages more secure. These changes are as follows:

  • Removes group and world read permissions for setuid and setgid.

  • Removes group and world write permissions on all non-setuid files that meet any of the following criteria:

    • The file has group and world readable permission, but no world writable permission.

    • The file has world executable permission.

    • The file has identical owner, group, and world permissions.

    • It is a bin-owned directory or non-volatile file and has identical group and world read and executable permissions.

  • Removes write permissions for owners on executables not owned by root.

• It adds umask 077 to /.cshrc and /.profile. This makes the default file permission for files created under an interactive root shell readable and writable only by root.

• It adds root to /etc/ftpusers to disable root's ability to ftp to the host.

• It sets noshell as the default shell for sys, uucp, nuucp, and listen accounts to log unauthorized logging attempts. This makes it easier to detect intrusion on the system.

• It sets MAXWEEKS=12 in /etc/default/passwd. If local files are used for password management, this forces all passwords to change periodically.

• It creates S35umask to make default file permission for files created by system daemons writable only by the file owner.

• It disables a denial of service attack by adding the line ndd-set/dev/ipip_respond_to_echo_broadcast 0 in the file /etc/rc2.d/S69inet.

• It replaces /etc/syslog.conf with a new version for ensuring more granular logging and for detecting intrusion. This new version isolates messages by both facility and logging level and sends the high-level messages to a central logging server.

• It executes bsmconv and configures /etc/security to log administrative actions, and logins and logouts. This enables C2 auditing, which may catch events missed by syslog.

• All changes made by this unit are logged to /var/sadm/install/contents. This enables patch installation in the future.

Reconfigurable Settings

The installation of Solaris for ISPs platform extensions and services with their default configuration will override the default service behavior on the hosts where they are installed. This procedure creates a more secure server by disabling Solaris network utilities that are not essential to the Solaris for ISPs software installed on the system.

You must review and may modify, if necessary, the default configuration during host configuration.

If you accept the default installation setup, these Solaris services will be disabled, unless noted otherwise. Disabling of these services is not required, but we recommend disabling these services to avoid potential security holes and to conserve resources. To change the value of these services, inetd.conf will be modified, unless stated otherwise. To undo these changes, go to "Undoing the Changes"

Closing Potential Security Holes

We recommend disabling of the following services to ensure protection for passwords and to restrict access to hosts for unauthorized individuals.

If you accept the default setting, you will no longer be able to access the host with these disabled "r" commands.

• rexecd: Disable this service to discontinue support for remote command execution via the rexec(3N) function, which passes passwords in the clear.

• rlogind: Disable this service to ensure security for passwords because it relies on .rhosts and hosts.equiv for password-less authentication during remote logging.

• rshd: Disable this service to protect password because it relies on .rhosts and hosts.equiv for password-less authentication during remote command execution.

  ---

  Note -

  If you accept the default setting, the following services will be enabled. You must review and may modify the setting.

  ---

• telnetd: If you accept the default installation setting, note that this service is enabled as this enables remote login mechanisms.

• ftpd: If you accept the default installation setting, note that this service is enabled because it provides support for file transfer to and from remote network sites in the least insecure manner. This service will be disabled if you select Sun Internet FTP Server for installation.

  ---

  Note -

  If you require security for telnet and FTP services, set up your network such that file transfer requests are made within the network.

  ---

We recommend disabling the following services to protect information from unauthorized users. Disabling these services will enhance system security and will restrict access to system information by preventing host responses to these network requests.

• fingerd: Disable this service to safeguard information from a network-based finger request.

• netstat: Disable this service to ensure that the contents of the various network-related data structures are not exposed by remote invocation of netstat.

• rstatd: Disable this service to prevent access to system statistics.

• rusersd: Disable this service to protect information about logged-in users.

• systat: Disable this service to discontinue support for remotely running ps on the host.

• routing: Disable this service to ensure that the host is not operated as a router. If disabled, the file /etc/notrouter is created.

• sendmail: Disable this service to protect against denial of service attacks and to disable support for receiving and sending mail. S88sendmail is modified.

• sprayd: Disable this service to discontinue support to test the network and record packages sent by spray.

Conserving Resources

We recommend disabling of the following CDE and OpenWindows services unless they are required in your environment. Disabling these services will enhance system performance.

• cmsd: Disable this service as it is required only if CDE calendars are located on the host.

• dtspcd: Disable this service to discontinue support for CDE sessions.

• kcms_server: Disable this service to discontinue support for remote access to OpenWindows KCMS profiles.

• ttdbserverd: Disable this service to discontinue support for Tooltalk database server required for proper CDE operation.

We recommend disabling the following network (inetd) services unless required in your environment. Disabling these services will free resources and enhance system performance. Modify the default configuration if you require any network utilities listed below.

• chargen: Disable this service to discontinue support to test inetd and generate characters.

• discard: Disable this service to discontinue discarding all input from testing inetd.

• echo: Disable this service to discontinue support to echo back all input from testing inetd.

• fs.auto: Disable this service to disable the font server.

  ---

  Note -

  If you accept the default setting, the following service will be enabled. You must review and may modify the setting.

  ---

• time: If you accept the default installation setting, note that this service will be enabled as it keeps someone from querying the system's time remotely. It returns machine-readable time.

• cachefsd: If you accept the default installation setting, note that this service will be enabled. This is the cacheFS daemon.

We recommend disabling of the following services unless they are essential for your environment. Disabling these services will enhance system performance. Please modify the default configuration if you require any services listed below.

• automountd: Disable this service as this supports automounting only and not normal NFS mounts. To change its value, S74autofs will be modified.

• comsat: Disable this service to discontinue biff(1) notification of new mail on the host.

• daytime: Disable this service to discontinue support to return the time of day.

• rquotad: Disable this service to ensure that the host is not operated as an NFS server supporting disk quotas on its file system.

• sadmind: Disable this service to discontinue support for performing distributed system administration operations using Solstice AdminSuite.

• talkd: Disable this service to discontinue support for running the interactive talk program.

• tnamed: Disable this service to discontinue support for DARPA name server protocol.

• lpd: Disable this service to ensure that the host is not operated as a BSD print server. This does not disable the system V print server.

• uucpd: Disable this service and discontinue support for copying files named by the source-file arguments to the destination-file argument.

• walld: Disable this service and discontinue support for sending messages by wall.

• Xaserver: Disable this service and discontinue support for X-based audio.

You can also refer to the on line help during host configuration for help in enabling or disabling the Solaris services.

Undoing the Changes

The changes made during host configuration, to harden and fine tune the system for security and for performance, may not be incorporated in the next release of Solaris for ISPs. This section discusses the steps you can take to undo the changes made to foundation Solaris during host configuration.

Log into the computer where you want to undo the changes and give yourself root access. Determine the changes you want to undo and follow the instructions in the bulleted list:

• The foundation Solaris services are tuned for security and optimum performance from the host configuration graphical user interface (GUI). These changes are reconfigurable and you can reset the values using the host configuration GUI. Refer Solaris for ISPs Installation Guide and host configuration on line help to reset Solaris service values.

• The two additional boot files, S35umask and S68echo in /etc/rc2.d, created after installation are automatically removed when the Solaris for ISPs Platform component is uninstalled.

  ---

  Note -

  You must manually undo some of the one-time only changes made to the system configuration. To undo the hardening changes:

  ---

• Enter: # /opt/SUNWfixm/bin/fixmodes -u to undo the one-time only changes.

• Enter: # bsmunconv to switch from C2 auditing mode to C1 mode. This will turn off auditing turned on to catch events missed by syslog.

• Compare the current version of /.cshrc, /.profile, /.zshenv, /etc/ftpusers, /etc/default/passwd, /etc/syslog.conf to the file.pre-hcfconfig version of the file. The current file contains the hardening changes and any other edits that may have been made after hardening was performed. Determine the changes made by the host configuration software and use a text editor to undo the changes.

  ---

  Note -

  Do not copy the file.pre-hcfconfig to the current version of the file without determining the changes made by and after the host configuration.

  ---