VT Solaris Security Configuration

This document was written specifically for beginning Solaris System Administrators, but can also be used by advanced administrators to verify that a minimal level of security has been applied to their systems. Your comments and suggestions for improving this documentation and associated scripts are encouraged; please send them via the author's documentation web update form.

The following procedures describe how to configure a new Solaris User Desktop System, which includes a GUI desktop environment and software development tools. Suggestions are also included for modifying these procedures to provide additional security for server systems. In addition to the "VT Solaris Security Configuration CD", you will also need the two Solaris Installation CDs and, optionally, installation CDs for other software products, such as Tripwire and the Sun One Studio Compilers.

The scripts described here are designed to assist you in setting up a new desktop system;  however, knowledgeable system administrators should be able to modify them to satisfy specific needs. The scripts provided here should NOT be applied to production systems without first testing on an exact clone of your system.   It is quite possible that the increased security provided by these scripts might cause some applications on the system to fail!
It is recommended that you review the details of all steps described below prior to installing Solaris on your system.


Before beginning the installation, you should define the following values for your system:

Description               Value
Host Name                 ______________________
IP Address                ______________________
Netmask                   ______________________
Default Router            ______________________
Domain Name               ______________________
Disk Layout               Disk drive partitions -- for suggested values, see: Disk Drive Partitioning

    Partition      File System              Size (MB)
    _________      /                        ________
    _________      swap                     ________
    _________      /opt                     ________
    _________      /usr                     ________
    _________      /var                     ________
    _________      /usr/local               ________
    _________      /home or /export/home    ________

Level of Solaris Installation: For discussion, see: Solaris Operating Environment Software Groups

Your choices include (Check One):

      [ ] Core
      [ ] End User
      [ ] Developer
      [ ] Entire  (VT Recommended Desktop Workstation Installation)
      [ ] Entire Plus OEM


It is recommended that you read through this full document and each of its sections at least once before starting your installation.

Do NOT connect your system to the network until ALL of the basic security configurations have been completed and you are instructed to do so in Step 13 of these procedures!

Unless stated otherwise in the instructions which follow, the scripts described here assume that you have created a "Solaris Security Configuration CD", that your CD-ROM drive can be accessed using the path /cdrom/cdrom0/, and that temporary copies of files needed from this CD will be placed in /usr/local/src.

Use of the "script" command is recommended when installing patches and new software, to preserve a record of the changes you have made to the system. If you enter the command "script" followed by the name of a file, everything that appears on the screen until the "script" command is terminated, including your responses, will be saved in the file you have named. To terminate the "script" command and end the capture of screen output, press "Ctrl-d", that is, hold down the "Control" key and, while it is depressed, press the "d" key.

As you complete them, place a date to the left of each of the following steps:

Step   Description
1      Plan Your Installation.
2      Install Solaris from the Sun Microsystems installation CDs.

Note: Unless specified otherwise, to complete the Security Configurations described in this document, you will need to log onto the system using the   root   account.

3      Apply Solaris Recommended and Security Patches.
4      Run the VT Sun Setup Script. This script assists you in completing the network configuration of your system, installs and configures accounting, copies a sample /var/adm/changelog file and example security configuration files to the system, and installs additional recommended software such as TCP wrappers, OpenSSH (Solaris 8), fix-modes, and the CIS Scanner.
5      Begin Maintaining a Record of System Changes in the file /var/adm/changelog.
6      Install Additional Required Software Applications available on CDs and apply known application patches. If you have a set of CDs for the Sun Studio Compilers, install these compilers now using the install script on the CDs. Install any other software (e.g., IMSL Libraries and SAS) which will be used on your system and which you have available on CD.
7      Develop, Test, & Enable System Monitoring Scripts.
8      Create a Non-Root Userid for Yourself.

As a best practice, it is recommended that you do all web browsing, file downloads, and other tasks that do not require root capabilities using a non-root account. Thus, it is recommended that you create a non-root account for your day-to-day use on the system.

The GUI "admintool" or "Solaris Management Console" (Solaris 9 and later) can be used to create and modify userids on your system; or, you can use the command "useradd" to create a new account. For example, to create the userid "user_id" and assign the comment information "New User", the UID "1612", and the Korn Shell as the default shell, you could use the following command:

      useradd -c "New User" -d /home/user_id -m -u 1612 -s /bin/ksh user_id

Enter the command "man useradd" to obtain detailed information about use of this command.

To assign an initial password to the account, use the "passwd" command followed by the account name. Since the password is not displayed as you type, you will be prompted twice for the new password to confirm that it has been entered correctly. If, after assigning the password, you would like to force the individual to change their password when they first log on, enter the "passwd" command again, this time followed by the "-f" option and the account name.

Use the account which you have created for yourself whenever you log onto the system and do not need root privileges!

Note: After the CIS script is run (Step 9 below), new accounts will be set with the following Center for Internet Security password aging parameters (these parameters are assigned within the operating system in increments of weeks, thus each of the values below is a multiple of 7 days):

  • Minimum password age of 7 days
  • Maximum age of 91 days
  • Expiration warning beginning 4 weeks (28 days) prior to the maximum password age

Note: If these options are in place and you use the "passwd -f user_id" command after you create and assign a password to a userid, the individual will not be able to change their password when they first log on, because the minimum password age has not yet elapsed. To change the minimum password age to zero days so that the individual can log on and then change their password, you could use the following command:

      passwd -n 0 account_name

where "account_name" is the name of the account whose characteristics you wish to change.
9      Run the CIS script to apply Center for Internet Security recommended settings.

If you have installed Solaris 10, perform the following additional steps to enable IP Filter:

  1. Edit the file "/etc/ipf/pfil.ap" and uncomment (remove the "#", or pound sign, from) the line corresponding to the type of interface card which carries the traffic you wish to filter; you can use the command "ifconfig -a" to list the installed interfaces.
  2. Activate the change you have made to /etc/ipf/pfil.ap by entering the following command:
         svcadm restart network/pfil
  3. Review the packet filtering rules in the file "/etc/ipf/ipf.conf" and make changes as appropriate for your system.
  4. Enable the Solaris IP Filter program by entering the following command:
         svcadm enable network/ipfilter
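As an added example (not code from the VT page or from Sun), the following shell script automates the pfil.ap edit in step 1 and drafts a minimal desktop ruleset for step 3; the sample pfil.ap contents, the driver names and the ruleset are constructed assumptions, and the svcadm commands appear only in comments because they must be run on the Solaris 10 system itself.

```shell
# Added example (not from the VT page or Sun): automate the pfil.ap edit
# in step 1 and draft a minimal desktop ruleset for step 3.  The sample
# pfil.ap is constructed to look like the stock Solaris 10 file; on a real
# system the files are /etc/ipf/pfil.ap and /etc/ipf/ipf.conf.

# Drop the leading "#" from the entry for one driver (hme, bge, ...).
# Returns 1 and changes nothing when the driver has no entry.
enable_pfil_driver() {
    file=$1; drv=$2
    grep -q "^#${drv}[[:space:]]" "$file" || {
        echo "no pfil.ap entry for driver '$drv'" >&2; return 1; }
    cp "$file" "$file.orig"                        # keep a backup copy
    sed "s/^#\(${drv}[[:space:]]\)/\1/" "$file.orig" > "$file"
}

# List the drivers whose lines are now active (not commented out).
pfil_active_drivers() {
    grep -v '^#' "$1" | awk 'NF { print $1 }'
}

# Print a conservative ipf.conf for a desktop on interface $1: outbound
# traffic is allowed with state, only SSH is accepted inbound, and every
# other inbound packet is blocked and logged.
desktop_ipf_rules() {
    cat <<EOF
pass in quick on lo0 all
pass out quick on lo0 all
pass out quick on $1 proto tcp/udp from any to any keep state
pass out quick on $1 proto icmp from any to any keep state
pass in quick on $1 proto tcp from any to any port = 22 flags S keep state
block in log quick on $1 all
EOF
}

# Constructed sample of /etc/ipf/pfil.ap with every driver disabled.
make_sample_pfil_ap() {
    printf '#le     -1      0       pfil\n#hme    -1      0       pfil\n' > "$1"
    printf '#eri    -1      0       pfil\n#bge    -1      0       pfil\n' >> "$1"
}

# Demonstration on a throw-away copy.  On Solaris 10 the next steps are
# "svcadm restart network/pfil" and, once ipf.conf has been reviewed,
# "svcadm enable network/ipfilter".
tmp=${TMPDIR:-/tmp}/pfil.ap.$$
make_sample_pfil_ap "$tmp"
enable_pfil_driver "$tmp" bge
pfil_active_drivers "$tmp"                         # prints: bge
desktop_ipf_rules bge0
rm -f "$tmp" "$tmp.orig"
```

Keep the .orig backup until the pfil service has restarted cleanly, and review the generated rules against the services your desktop actually needs before enabling ipfilter.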
    
10     Reboot the System to fully enable the changes defined by the CIS script.
11     Run the CIS scanner. This software was installed as part of the VT Sun Setup Script. To run the scanner, enter:
     cd /opt/CIS
     ./cis-scan

Review the output and make any manual corrections required. Rerun the scanner (./cis-scan) and make additional manual corrections. Repeat the process of making corrections and running the scanner as many times as required until you are satisfied with the balance of security and functionality you have achieved for your system. Note that a system reboot may be required in order to activate some of your changes.

Note:  As of October 7th, 2005, the CIS Scanner had not yet been updated for Solaris 10!

12     Optionally Install and Configure Tripwire.

Tripwire provides a useful tool for monitoring your system to detect potential hacker modifications. It also provides you with the capability of listing changes which have been made between Tripwire runs, so that you can more easily back out changes you have made should this be necessary.

Note: The CIS script above makes the /opt, /usr, and /usr/local partitions of your system read-only. In order to install Tripwire or to modify its configuration files, you must first remount the /usr/local partition read/write. To do so, you can enter the following command:

      mount  -o  remount,rw  /usr/local

Note: You should run Tripwire immediately before and after each time you update software on your system. Assuming you have installed Tripwire in the default location, you can use the following commands to update the Tripwire database:

     cd /usr/local/tripwire/tfs/bin/
     ./tripwire --check --interactive

After you run the above command, Tripwire will scan your system for files which have changed. A list of changes will be displayed in an editor window; review the list of changes. When you are done reviewing the list, save (":wq" if you are using vi) or quit (":q!" if you are using vi) the list of changes. You will then be asked for the local Tripwire passphrase in order to update the Tripwire database with the results of this analysis.
13     Attach to Network

Attach your Ethernet cable. If you are then not able to use the Internet to access other systems, reboot the system. If you encounter problems using the network connection or suspect it may not be working properly, see Test Networking.

14     Download and Apply the Latest Security Patches. Sun Microsystems provides Sun Patch Manager 2.0 as a tool to update systems with required patches; for information on using this tool, see: http://www.sun.com/service/support/sw_only/patchmanager.html

See also patches.htm for information on downloading and applying the latest Security & Recommended Patch Cluster.

For a Sun Whitepaper on developing a strategy of patch management, see Solaris Patch Management: Recommended Strategy

Note:  Sun Microsystems frequently reorganizes their web site; if the above links fail, go to http://sunsolve.sun.com and search the page for the appropriate link for the information you require.

15     Test Network Applications

Verify that network connectivity and installed applications are working properly.

16     Optionally Download and Install Additional Required Software Applications; then apply known application patches.

If you have installed Tripwire, be sure to run it immediately prior to and following installation of new software or software updates.

Update your System Monitoring Scripts to include tests of the additional software you have installed.


