Oracle Solaris 11 Security Guidelines (Oracle Solaris 11 Information Library)
1. Overview of Oracle Solaris 11 Security
2. Configuring Oracle Solaris 11 Security
Installing the Oracle Solaris OS
Set Stronger Password Constraints
Set Account Locking for Regular Users
Set More Restrictive umask Value for Regular Users
Audit Significant Events in Addition to Login/Logout
Monitor lo Events in Real Time
Remove Unneeded Basic Privileges From Users
Display Security Message to ssh and ftp Users
Disable the Network Routing Daemon
Disable Broadcast Packet Forwarding
Disable Responses to Echo Requests
Set Maximum Number of Incomplete TCP Connections
Set Maximum Number of Pending TCP Connections
Specify a Strong Random Number for Initial TCP Connection
Reset Network Parameters to Secure Values
Protecting File Systems and Files
Protecting and Modifying Files
Securing Applications and Services
Creating Zones to Contain Critical Applications
Adding SMF to a Legacy Service
Creating a BART Snapshot of the System
Adding Multilevel (Labeled) Security
Configuring Trusted Extensions
The following tasks are best performed in order. At this point, the Oracle Solaris 11 OS is installed and only the initial user who can assume the root role has access to the system.
Immediately after installation, validate the installation by verifying your packages.
Before You Begin
You must be in the root role.
To keep a record, send the command output to a file.
# pkg verify > /var/pkgverifylog
See Also
For more information, see the pkg(1) and pkg(5) man pages. The man pages contain examples of using the pkg verify command.
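Saving the pkg verify output to a file is only useful if someone reads it. The following script, an added example rather than part of the Oracle guide, triages such a log: it lists the packages reported as ERROR, shows what differed for one package, and prints the pkg fix commands an administrator would review before running them. The log it works on is a constructed sample written to a temporary file; its layout (a package line followed by indented detail lines) is modelled on the pkg(1) report, and the exact columns and messages are an assumption to check against your own /var/pkgverifylog.

```shell
#!/bin/sh
# Added example, not from the Oracle Solaris 11 Security Guidelines.
# Triage a saved 'pkg verify' log. The log format below is a constructed
# sample in the style of pkg(1) output; verify the columns against a real log.

# Write a constructed sample log to the file named in $1 (stands in for
# /var/pkgverifylog so the script can be run anywhere).
make_sample_log() {
    cat > "$1" <<'EOF'
PACKAGE                                                                 STATUS
pkg://solaris/shell/bash                                                ERROR
        file: usr/bin/bash
                Hash: 9d6f... should be 2ab0...
pkg://solaris/system/network/routing                                    ERROR
        file: etc/inet/routing.conf
                Mode: 0666 should be 0644
EOF
}

# Print the FMRI of every package the log marks ERROR, one per line.
# Package lines start with "pkg:" and carry the status in the second column;
# the header and the indented detail lines never match.
failed_packages() {
    awk '$1 ~ /^pkg:/ && $2 == "ERROR" { print $1 }' "$1"
}

# Print the detail lines (file path and what differed) for package $2 in log $1,
# with the indentation stripped.
package_details() {
    awk -v pkg="$2" '
        $1 ~ /^pkg:/ { current = $1; next }
        current == pkg && NF > 0 { sub(/^[ \t]+/, ""); print }
    ' "$1"
}

# Emit one 'pkg fix' command per failed package. 'pkg fix' restores a package
# to its packaged state (see pkg(1)); the output is meant to be reviewed, then
# run by the root role, not executed blindly.
repair_commands() {
    failed_packages "$1" | while read -r fmri; do
        printf 'pkg fix %s\n' "$fmri"
    done
}
```

On a real system, replace the constructed log with /var/pkgverifylog, inspect package_details for each failure (an unexpected hash on a binary deserves investigation, not just repair), and only then run the printed pkg fix commands.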
Use this procedure to disable services that are not required, given the purpose of your system.
Before You Begin
You must be in the root role.
List the network services and their current state:
# svcs | grep network
online         Sep_07   svc:/network/loopback:default
...
online         Sep_07   svc:/network/ssh:default
For example, if the system is not an NFS server or a web server and the services are online, disable them.
# svcadm disable svc:/network/nfs/server:default
# svcadm disable svc:/network/http:apache22
See Also
For more information, see Chapter 6, Managing Services (Overview), in Oracle Solaris Administration: Common Tasks and the svcs(1) man page.
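Deciding "given the purpose of your system" is easier when the keep list is written down. The script below is an added example, not part of the Oracle guide: it reads an svcs listing from a file, keeps a baseline (loopback, physical, ssh) plus whatever the system's role needs, and prints the svcadm disable command for every other online network service. The svcs listing is a constructed sample in the STATE/STIME/FMRI layout that svcs(1) prints, so the function only processes text and produces commands for review; the baseline list is an assumption for this example.

```shell
#!/bin/sh
# Added example, not from the Oracle Solaris 11 Security Guidelines.
# Plan which online network services to disable, given the system's role.

# Constructed sample of 'svcs | grep network' on a freshly installed host
# (STATE, STIME, FMRI columns as svcs(1) prints them).
sample_svcs_listing() {
    cat <<'EOF'
online         Sep_07   svc:/network/loopback:default
online         Sep_07   svc:/network/physical:default
online         Sep_07   svc:/network/ssh:default
online         Sep_07   svc:/network/nfs/server:default
online         Sep_07   svc:/network/http:apache22
disabled       Sep_07   svc:/network/dns/multicast:default
EOF
}

# Services every host keeps regardless of role (an assumption for this example).
BASELINE_KEEP="svc:/network/loopback:default svc:/network/physical:default svc:/network/ssh:default"

# Print 'svcadm disable' commands for each ONLINE service under svc:/network/
# that is neither in BASELINE_KEEP nor in the role-specific keep list.
#   $1  file holding the svcs listing
#   $2  space-separated FMRIs this system's role requires (may be empty)
plan_disables() {
    keep="$BASELINE_KEEP $2"
    awk -v keep="$keep" '
        BEGIN {
            n = split(keep, k, " ")
            for (i = 1; i <= n; i++) keepset[k[i]] = 1
        }
        $1 == "online" && index($3, "svc:/network/") == 1 && !($3 in keepset) {
            print "svcadm disable " $3
        }
    ' "$1"
}
```

In use: svcs | grep network > /var/tmp/net-services, then plan_disables /var/tmp/net-services "svc:/network/http:apache22" for a web server, read the output, and run it in the root role. Services already in the disabled state are skipped, so the plan is idempotent.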
Use this procedure to prevent users of this system from suspending the system or powering it down.
Before You Begin
You must be in the root role.
Review the rights that the Console User profile grants by default:
% getent prof_attr | grep Console
Console User:RO::Manage System as the Console User:profiles=Desktop Removable Media User,Suspend To RAM,Suspend To Disk,Brightness,CPU Power Management,Network Autoconf User;auths=solaris.system.shutdown;help=RtConsUser.html
Create a rights profile that contains only the Console User rights you want to keep, omitting the Suspend To RAM and Suspend To Disk profiles and the solaris.system.shutdown authorization. For instructions, see How to Create or Change a Rights Profile in Oracle Solaris Administration: Security Services.
In the /etc/security/policy.conf file, comment out the CONSOLE_USER entry so that the Console User profile is no longer assigned automatically to whoever is logged in on the console:
#CONSOLE_USER=Console User
Assign the new rights profile to each user who needs the remaining console rights:
# usermod -P +new-profile username
See Also
For more information, see policy.conf File in Oracle Solaris Administration: Security Services and the policy.conf(4) and usermod(1M) man pages.
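The two text-level steps of this procedure, commenting out CONSOLE_USER and working out what the reduced profile should contain, are easy to get subtly wrong on a production policy.conf. The script below is an added example, not from the Oracle guide: it applies the policy.conf edit to a copy and derives the reduced profiles= list from the getent prof_attr line shown above, so the result can be checked before the real profile is created with the procedure referenced above. The policy.conf fragment is a constructed sample; the prof_attr field layout (name, two reserved fields, description, attributes) is that of prof_attr(4).

```shell
#!/bin/sh
# Added example, not from the Oracle Solaris 11 Security Guidelines.
# Dry-run helpers for the Console User procedure.

# Constructed fragment of /etc/security/policy.conf.
sample_policy_conf() {
    cat <<'EOF'
# Constructed sample, not a real policy.conf
AUTHS_GRANTED=
PROFS_GRANTED=Basic Solaris User
CONSOLE_USER=Console User
CRYPT_DEFAULT=5
EOF
}

# Comment out the CONSOLE_USER entry in policy.conf copy $1, writing to $2.
# Only lines that begin with CONSOLE_USER= are changed; the write goes to a
# separate file so the original can be diffed before it is replaced.
disable_console_user() {
    sed 's/^CONSOLE_USER=/#CONSOLE_USER=/' "$1" > "$2"
}

# Given a prof_attr line ($1, as printed by getent) and profile names to drop
# ($2...), print the remaining profiles= value as a comma-separated list.
# The auths= field (where solaris.system.shutdown lives) is not carried over,
# so the new profile starts with no authorizations.
reduced_profiles() {
    line=$1
    shift
    printf '%s\n' "$line" |
        awk -F: '{ print $5 }' |         # attributes field: profiles=...;auths=...;help=...
        tr ';' '\n' |
        sed -n 's/^profiles=//p' |        # keep only the profiles= value
        tr ',' '\n' | {
            while read -r p; do
                drop=0
                for d in "$@"; do
                    if [ "$p" = "$d" ]; then drop=1; fi
                done
                if [ "$drop" -eq 0 ]; then printf '%s\n' "$p"; fi
            done
        } | paste -s -d, -
}
```

Feed the printed list to the profile-creation procedure referenced above (profiles(1) in Oracle Solaris 11), then compare the copy produced by disable_console_user with the live /etc/security/policy.conf before installing it; getent prof_attr on the new profile name should show no auths= entry.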
Use this procedure to create warning messages that reflect your site's security policy. The contents of these files display at local and remote login.
Note - The sample messages in this procedure do not satisfy U.S. government requirements and likely do not satisfy your security policy.
Before You Begin
You must be in the root role. Best practice is to consult with your company's legal counsel about the content of the security message.
Create the /etc/issue file and add your security message:
# vi /etc/issue
ALERT ALERT ALERT ALERT ALERT
This machine is available to authorized users only.
If you are an authorized user, continue.
Your actions are monitored, and can be recorded.
For more information, see the issue(4) man page.
The telnet program displays the contents of the /etc/issue file as its login message. For use of this file by other applications, see Display Security Message to ssh and ftp Users and Place Security Message on the Desktop Login Screen.
Create the /etc/motd file and add a message that is displayed after login:
# vi /etc/motd
This system serves authorized users only.
Activity is monitored and reported.
Choose from several methods to create a security message for users to review at login.
For more information, click the System > Help menu on the desktop to bring up the GNOME Help Browser. You can also use the yelp command. Desktop login scripts are discussed in the GDM Login Scripts and Session Files section of the gdm(1M) man page.
Note - The sample message in this procedure does not satisfy U.S. government requirements and likely does not satisfy your security policy.
Before You Begin
You must be in the root role. Best practice is to consult with your company's legal counsel about the content of the security message.
You have several options. The options that create a dialog box can use the /etc/issue file from Step 1 of Place Security Message in Banner Files.
To display the message in a dialog box from the login window, create a desktop file in the LoginWindow autostart directory. The Exec key of a desktop file must be a single line, so the zenity command is not split across lines here:
# vi /usr/share/gdm/autostart/LoginWindow/banner.desktop
[Desktop Entry]
Type=Application
Name=Banner Dialog
Exec=/usr/bin/zenity --text-info --width=800 --height=300 --title="Security Message" --filename=/etc/issue
OnlyShowIn=GNOME;
X-GNOME-Autostart-Phase=Application
After being authenticated in the login window, the user must close the dialog box to reach the workspace. For the options to the zenity command, see the zenity(1) man page.
The /etc/gdm directory contains three initialization scripts that display the security message before, during, or immediately after desktop login. These scripts are also available in the Oracle Solaris 10 release.
# vi /etc/gdm/Init/Default
/usr/bin/zenity --text-info --width=800 --height=300 \
    --title="Security Message" \
    --filename=/etc/issue
This script runs before the user workspace appears. You modify the Default.sample script to create this script.
# vi /etc/gdm/PostLogin/Default
/usr/bin/zenity --text-info --width=800 --height=300 \
    --title="Security Message" \
    --filename=/etc/issue
# vi /etc/gdm/PreSession/Default
/usr/bin/zenity --text-info --width=800 --height=300 \
    --title="Security Message" \
    --filename=/etc/issue
Note - The dialog box can be covered by windows on the user's workspace.
The login window expands to fit your message. This method does not point to the /etc/issue file. You must type the text into the GUI.
Note - The login window, gdm-greeter-login-window.ui, is overwritten by the pkg fix and pkg update commands. To preserve your changes, copy the file to a configuration files directory, and merge its changes with the new file after upgrading the system. For more information, see the pkg(5) man page.
# cd /usr/share/gdm
Save a copy of the original login window file before editing it:
# cp gdm-greeter-login-window.ui /etc/gdm/gdm-greeter-login-window.ui.orig
The glade-3 program opens the GTK+ interface designer. You type the security message into a label that displays above the user entry field.
# /usr/bin/glade-3 /usr/share/gdm/gdm-greeter-login-window.ui
To review the guide to the interface designer, click Development in the GNOME Help Browser. The glade-3(1) man page is listed under Applications in the Manual Pages.
After saving your changes in the designer, copy the modified file to the configuration files directory so that it can be merged again after an upgrade:
# cp gdm-greeter-login-window.ui /etc/gdm/gdm-greeter-login-window.ui.site
Example 2-1 Creating a Short Warning Message at Desktop Login
In this example, the administrator types a short message as an argument to the zenity command in the desktop file. The administrator also uses the --warning option, which displays a warning icon with the message.
# vi /usr/share/gdm/autostart/LoginWindow/bannershort.desktop
[Desktop Entry]
Type=Application
Name=Banner Dialog
Exec=/usr/bin/zenity --warning --width=800 --height=150 --title="Security Message" --text="This system serves authorized users only. Activity is monitored and reported."
OnlyShowIn=GNOME;
X-GNOME-Autostart-Phase=Application