Solaris for ISPs includes a foundation configuration unit that runs only once, to enforce password security and to restrict file permissions to the file owner. It makes a set of default changes during the initial installation. Its functionality is similar to that of the script in ftp://ftp.wins.uva.nl:/pub/solaris/fix-modes.tar.gz. To undo these changes, go to "Undoing the Changes".
This section describes the initial installation steps that the foundation package executes automatically, only once. Review this section before installing Solaris for ISPs.
The script always runs, but each change takes effect only where you have not already made a conflicting change to the file in question.
It runs a script that makes the modes of files installed as part of Solaris packages more secure. The changes are as follows:
Removes group and world read permissions from setuid and setgid files.
Removes group and world write permissions from all non-setuid files that meet any of the following criteria:
The file is group and world readable but not world writable.
The file is world executable.
The file has identical owner, group, and world permissions.
It is a bin-owned directory or non-volatile file with identical group and world read and execute permissions.
Removes write permission for the owner on executables not owned by root.
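The rules above can be checked offline before trusting them to a live system. The following is an added example, not the script shipped with Solaris for ISPs nor the fix-modes script from ftp.wins.uva.nl: fixmode computes the hardened mode for one entry from its current octal mode, owner and type, and fixmodes_report walks a tree and lists what would change without running chmod. Assumptions made here: the "bin-owned directory or non-volatile file" rule is keyed on owner bin plus a caller-supplied type (f, d, or v for volatile); the owner-write rule is applied to regular files only; the walker uses GNU stat(1), which Solaris does not ship, so adapt it (for example to ls -l output) there.

```shell
#!/bin/sh
# Added example reimplementing the fix-modes rules as listed in the text.
# Not the Solaris for ISPs script; see the assumptions in the lead-in.

# fixmode MODE OWNER TYPE  -> prints the hardened mode as four octal digits
#   MODE  : octal as printed by ls/stat, e.g. 755 or 4755
#   OWNER : owning user name, e.g. root or bin
#   TYPE  : f (regular file), d (directory) or v (volatile file)
fixmode() {
    mode=$(printf '%d' "0$1")      # octal string -> integer (leading 0 forces octal)
    owner=$2
    kind=$3
    setid=$(( mode & 06000 ))      # setuid (04000) or setgid (02000) bit set?
    u=$(( (mode >> 6) & 7 ))
    g=$(( (mode >> 3) & 7 ))
    o=$(( mode & 7 ))

    if [ "$setid" -ne 0 ]; then
        # Rule 1: setuid/setgid files lose group and world read
        mode=$(( mode & ~044 ))
    else
        strip=0
        # Rule 2a: group and world readable, but not world writable
        if [ $(( mode & 044 )) -eq 36 ] && [ $(( mode & 002 )) -eq 0 ]; then strip=1; fi
        # Rule 2b: world executable
        if [ $(( mode & 001 )) -ne 0 ]; then strip=1; fi
        # Rule 2c: identical owner, group and world permissions
        if [ "$u" -eq "$g" ] && [ "$g" -eq "$o" ]; then strip=1; fi
        # Rule 2d (assumption: keyed on owner bin and non-volatile type):
        # bin-owned directory or regular file with identical group/world r+x bits
        if [ "$owner" = bin ] && [ "$kind" != v ] && [ $(( g & 5 )) -eq $(( o & 5 )) ]; then
            strip=1
        fi
        if [ "$strip" -eq 1 ]; then mode=$(( mode & ~022 )); fi
    fi

    # Rule 3 (assumption: regular files only): executables not owned by root
    # lose owner write
    if [ "$owner" != root ] && [ "$kind" = f ] && [ $(( mode & 0111 )) -ne 0 ]; then
        mode=$(( mode & ~0200 ))
    fi
    printf '%04o\n' "$mode"
}

# fixmodes_report DIR -> prints "path old new" for every entry whose mode
# would change. Read-only; assumes GNU stat(1) (not available on Solaris).
fixmodes_report() {
    find "$1" \( -type f -o -type d \) -print | while IFS= read -r path; do
        set -- $(stat -c '%a %U %F' "$path")   # mode owner "regular file"/"directory"
        case $3 in directory) kind=d ;; *) kind=f ;; esac
        old=$(printf '%04o' "0$1")
        new=$(fixmode "$1" "$2" "$kind")
        if [ "$old" != "$new" ]; then printf '%s %s %s\n' "$path" "$old" "$new"; fi
    done
}
```

Running fixmodes_report over a package's install tree before the unit runs gives a reviewable list of the exact mode changes, which is also the list you would need when deciding what to undo later.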
It adds umask 077 to /.cshrc and /.profile, so that files created under an interactive root shell are, by default, readable and writable only by root.
It adds root to /etc/ftpusers to disable root's ability to ftp to the host.
It sets noshell as the login shell for the sys, uucp, nuucp, and listen accounts so that unauthorized login attempts to those accounts are logged. This makes intrusions on the system easier to detect.
It sets MAXWEEKS=12 in /etc/default/passwd. If local files are used for password management, this forces every password to be changed periodically.
It creates S35umask so that files created by system daemons are, by default, writable only by the file owner.
It disables a denial of service attack by adding the line ndd -set /dev/ip ip_respond_to_echo_broadcast 0 (which stops the host from answering broadcast echo requests) to the file /etc/rc2.d/S69inet.
It replaces /etc/syslog.conf with a new version that provides more granular logging and helps detect intrusions. The new version separates messages by both facility and logging level and forwards the high-level messages to a central logging server.
It runs bsmconv and configures /etc/security to log administrative actions, logins, and logouts. This enables C2 auditing, which can capture events that syslog misses.
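Because each of these changes is skipped where a conflicting local change already exists, it is worth verifying afterwards which ones actually landed. The following read-only audit is an added example and not part of Solaris for ISPs; it greps for each setting described above under a prefix directory (/ for the live system, or a copy of the files for offline review) and returns the number of settings it could not find. It assumes noshell appears as the last field of the affected /etc/passwd entries and does not check the S35umask script, since the text does not give its path.

```shell
#!/bin/sh
# Added example: audit of the foundation unit's configuration changes.
# Not part of Solaris for ISPs. Usage: audit_isp_hardening PREFIX

audit_isp_hardening() {
    prefix=${1%/}          # "/" becomes "", so paths below stay absolute
    missing=0

    # check LABEL FILE PATTERN: report ok/MISSING and count the misses
    check() {
        if [ -f "$prefix$2" ] && grep -q -- "$3" "$prefix$2"; then
            printf 'ok       %s\n' "$1"
        else
            printf 'MISSING  %s (%s)\n' "$1" "$2"
            missing=$((missing + 1))
        fi
    }

    check 'umask 077 in root .profile'          /.profile           '^umask[[:space:]]*077'
    check 'umask 077 in root .cshrc'            /.cshrc             '^umask[[:space:]]*077'
    check 'root listed in /etc/ftpusers'        /etc/ftpusers       '^root$'
    check 'MAXWEEKS=12 in /etc/default/passwd'  /etc/default/passwd '^MAXWEEKS=12$'
    check 'broadcast echo disabled in S69inet'  /etc/rc2.d/S69inet  'ndd -set /dev/ip ip_respond_to_echo_broadcast 0'
    # Assumption: the shell field (last field) of each entry ends in "noshell"
    for acct in sys uucp nuucp listen; do
        check "noshell login shell for $acct"   /etc/passwd         "^$acct:.*noshell\$"
    done

    return $missing
}
```

A non-zero exit status is the signal to look at the named file by hand: either a pre-existing local edit blocked the change, or the unit did not run.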
All changes made by this unit are recorded in /var/sadm/install/contents, so that patches can still be installed later.