Security Hardening (Solaris ISP Server 2.0 Administration Guide)

Solaris ISP Server 2.0 Administration Guide

Security Hardening

This Solaris ISP Server component can be installed to ensure security for passwords and to safeguard file permissions to the file owner. The functionality of this unit is similar to the functionality of the script in ftp://ftp.wins.uva.nl/pub/solaris/fix-modes.tar.gz.

This component, when installed, runs a script that make modes of files installed as part of Solaris packages more secure. These changes are as follows:
- Removes group and world read permissions for setuid and setgid.
- Removes group and world write permissions on all non-setuid files that meet any of the following criteria:
  - The file has group and world readable permission, but no world writable permission.
  - The file has world executable permission.
  - The file has identical owner, group, and world permissions.
  - It is a bin-owned directory or nonvolatile file and has identical group and world read and executable permissions.
- Removes write permissions for owners on executables not owned by root.
It adds umask 077 to /.cshrc, /.profile, and /.zshenv. This makes the default file permission for files created under an interactive root shell readable and writable only by root. If you do not want this umask, add a umask of your choice to these files prior to installing Solaris ISP Server. The configuration script will respect your settings.
It adds root to /etc/ftpusers to disable root's ability to connect to the host using FTP.
It sets noshell as the default shell for sys, uucp, nuucp, and listen accounts to log unauthorized logging attempts. This makes it easier to detect intrusion on the system.
It sets MAXWEEKS=12 in /etc/default/passwd. If local files are used for password management, this forces all passwords to change periodically.
It creates S35umask to make default file permission for files created by system daemons writable only by the file owner.
It disables a denial of service attack by adding the lines
- ndd -set /dev/ip ip_respond_to_echo_broadcast 0
- ndd -set /dev/ip ip_respond_to_timestamp_broadcast 0
in the file /etc/rc2.d/S69inet.
It replaces /etc/syslog.conf with a new version for ensuring more granular logging and for detecting intrusion. This new version isolates messages by both facility and logging level and sends the high-level messages to a central logging server.
It executes bsmconv and configures /etc/security to log administrative actions, and logins and logouts. This enables C2 auditing, which may catch events missed by syslog.
All changes made by this unit are logged to /var/sadm/install/contents. This enables patch installation in the future.