SUMMARY: Minimizing the Solaris Operating Environment for Security...sol10 version

Beck, Joseph jbeck at seic.com
Fri Sep 8 21:08:48 EDT 2006


Sorry for the slow response...like most of you I'm forced to jump from
one hot item to the next at the drop of a hat.



I did not find what I was looking for, which is a modern/sol10 version
of an article Lance Spitzner wrote years ago called something like
armoring solaris (see
http://www.mgmg-interactive.com/mgmg/packages3.html), but I did get some
good information.



Many suggested this site:

#1 http://www.cisecurity.org/bench_solaris.html



#2 regarding which initial install, someone suggested using the reduced
network cluster for installation...alan



#3 insight into just how small you can make an initial Solaris
installtion:

http://blogs.sun.com/eric_boutilier/date/20050406#unix_from_scratch_tabl
e_of

-this email had other worthwhile info (posted at bottom)



#4 I also found excellent material in an internal document that a former
consultant was working on...I'll have to scrub it & send it out (focus
on banking & financials).



Some interesting sections from the doc:

Implement the following reqs:

http://grkvlt.blogspot.com/2006/03/hardening-solaris-ten.html

http://www.sun.com/bigadmin/xperts/sessions/17_sol10install/

http://www.sun.com/software/security/jass/



As an example, Solaris 10 includes over 75 public domain software
packages in /usr/sfw including such software packages as MySQL, gcc, TCL
and TK.  Many of these packages are subject to exploitations which often
times elevate a user's privileges within the server.



At a minimum, the following software should never be installed onto
production servers:

*     Compilers (GNU gcc or Sun's SUNWspro)

*     Java development kits including java compilers (SUNWj3dev,
SUNWj5dev, etc.)

*     Database access tools (except on database servers themselves)

o     SQL*Net

o     Interpreted software (perl, python, etc.) database access modules
(e.g. perl's DBO for oracle).

*     Point-to-point protocol (PPP) drivers and configuration

*     Directory (LDAP) Server

*     Mobile IP

*     Apache Server

*     DHCP Software

*     Sun's Java Application Server

*     StarOffice

*     tcpdump



Note, 3rd party software should be checked to insure applications such
as compilers are not included.



In addition, Pzone servers should be further hardened by removing
network intrusive applications such as:

*     snoop(1M)



Minimize System Services

Many of the default system services (time, echo, discard, NFS, NIS,
etc.) are not required and are often a target for exploitation.

Internet Services

Internet services are managed by the inetd daemon.  The following inetd
services should be disabled:

*     chargen

*     in.comsat

*     daytime

*     discard

*     dtspc

*     echo

*     exec

*     finger

*     fs

*     ftp (see below)

*     krb5_prop

*     login

*     name

*     netstat

*     printer

*     rquotad

*     rstatd

*     rusersd

*     shell

*     sprayd

*     sun-dr

*     systat

*     talk

*     telnet

*     tftp

*     time

*     uucp

*     walld



Solaris Security Toolkit:

http://www.sun.com/security/jass/



Solaris Fingerprint Database:

http://sunsolve.sun.com/pub-cgi/fileFingerprints.pl



Sun's Kerberos Information

http://www.sun.com/software/security/kerberos/



Role-Based Access Control (RBAC) white paper:

http://wwws.sun.com/software/whitepapers/wp-rbac/



OpenSSH white paper, NTP white paper, information on kernel (ndd)
settings, et al:

http://www.sun.com/security/blueprints/

System Integrity Solutions

Commercial Tripwire (enterprise ready):

http://www.tripwire.com/



Open Source Tripwire:

http://sourceforge.net/projects/tripwire/



Basic Audit and Reporting Tool (BART):

http://www.sun.com/blueprints/0305/819-2259.pdf

***download this doc & get something basic setup & cron'd***

Other Miscellaneous Documentation

Various documentation on Solaris security issues:

http://ist.uwaterloo.ca/security/howto/



On BSM Audit flags:

http://www.samag.com/documents/s=9427/sam0414c/0414c.htm



On hiding information in Solaris extended attributes:

http://www.usenix.org/publications/login/2004-02/pdfs/brunette.pdf



Discussion of "locked" vs. "blocked" accounts:

http://www.securitydocs.com/library/2636



Primary source for information on NTP -

http://www.ntp.org/



Information on MIT Kerberos -

http://web.mit.edu/kerberos/www/



Apache "Security Tips" document:

http://httpd.apache.org/docs-2.0/misc/security_tips.html



Information on Sendmail and DNS:

http://www.sendmail.org/

http://www.deer-run.com/~hal/dns-sendmail/DNSandSendmail.pdf

Software

Pre-compiled software packages for Solaris:

http://www.sunfreeware.com/

ftp://ftp.cisecurity.org/



LogSurfer+ (real time log monitoring):

http://www.crypt.gen.nz/logsurfer/



Open Source Sendmail (email server) distributions:

ftp://ftp.sendmail.org/







#3 complete email:

This may not be exactly what you want, and it does have an x86 Solaris
slant however, it is a fascinating insight into just how small you can
make an initial Solaris installtion:



http://blogs.sun.com/eric_boutilier/date/20050406#unix_from_scratch_tabl
e_of



The thread has seemingly petered out now but if you haven't come across
it before, I think you'll find it worth the read.



I initially installed a Sol10 test box on SPARC hardware using the
Reduced Net Core cluster as the starting point and I seem to recall it
came out at under 90 packages.



The only relevant notes I can find now are these:



--8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<---



These are needed for compilation



Already Installed

system      SUNWlibmsr     Math & Microtasking Libraries        CD1

system      SUNWlibms      Math & Microtasking Libraries        CD1



Needed to be added



system      SUNWarc        Lint Libraries                       CD4

system      SUNWbtool      CCS tools bundled with SunOS         CD4

system      SUNWhea        SunOS Header Files                   CD4

system      SUNWtoo        Programming tools                    CD1

system      SUNWlibmr      Math Library Lint Files              CD4

system      SUNWlibm       Math & Microtasking Library Headers  CD4

system      SUNWsprot      Solaris Bundled tools                CD4



and possibly these to get a working compiler



system      SUNWgcmn       gcmn - Common GNU package            CD2

system      SUNWgccruntime GCC Runtime libraries                CD2

system      SUNWgcc        gcc - The GNU C compiler             CD4

system      SUNWbinutils   binutils - GNU binutils              CD4



After this a "gcc hello.c" works (gcc is in /usr/sfw/bin)



Maybe these will be need later (Eric Boutillier's blog)



  SUNWxcu4         XCU4 Utilities

  SUNWscpr         Source Compatibility, (Root)

  SUNWscpu         Source Compatibility, (Usr)



--8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<---





If you want any more info, I could try and find some more notes but I
/didn't take it all that far/haven't taken yet it any futher/, however I
would think that following your nose from the thread above will be all
you'ld need to get a minimal installtion.











Joe Beck Ciber Inc. - a consultant to SEI  One Freedom Valley Drive/ 100
Cider Mill Road| Oaks, PA 19456 | p: 610.676.2258 | jbeck at seic.com





-----Original Message-----
From: Dave Mitchell [mailto:davem at iabyn.com]
Sent: Tuesday, August 29, 2006 1:03 PM
To: Beck, Joseph
Subject: Re: Minimizing the Solaris Operating Environment for
Security...sol10 version



On Tue, Aug 29, 2006 at 12:04:34PM -0400, Beck, Joseph wrote:

> Anyone seen such a document yet?

>

> I have a need to start building some web servers that will be solaris

> 10. I have the beginngings of a document and wanted to leverage any

> previous work in deciding things such as which initial (metacluster)

> install & which pkgs to remove after, which services, etc...I had to
do

> this years ago, but was dealing with sol6 & sol7 at the time.





http://www.cisecurity.org/bench_solaris.html



--

SCO - a train crash in slow motion
_______________________________________________
sunmanagers mailing list
sunmanagers at sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers



More information about the summaries mailing list