How to secure a Solaris 10 server

Context

I received my AMD server a few days ago, but since I don't have a PXE-aware jumpstart, I decided to do a full install (it's my first Solaris full install, I must confess I'm feeling a bit ashamed, I hope God will forgive me), which comes with a lot of useless packages, services, etc. That's why I decided to take notes about my consolidation process.

Security

In order to stop using the traditional Unix crypt password hash and use MD5 instead, edit the file /etc/security/policy.conf:

    # uncomment the following line:
    CRYPT_ALGORITHMS_DEPRECATE=__unix__
    # edit this one:
    CRYPT_DEFAULT=1

Then update your users' passwords (existing hashes are only replaced when a password is next changed), and take a look in /etc/shadow; you'll see something like:

    asyd:$1$vY6aWgP1$QbLM9FKPRrJPEXyoDYEK70:13193::::::

Network

Enforce TCP sequence number randomization (value 2 selects the RFC 1948 method):

    # ndd -set /dev/tcp tcp_strong_iss 2

Note that an ndd setting does not survive a reboot; to make it permanent on Solaris 10, set TCP_STRONG_ISS=2 in /etc/default/inetinit as well.

Legacy services

Legacy services are not managed by SMF, that's why we need to remove their start scripts from the init directories:

    # cd /etc/rc3.d
    # rm -f S*
    # cd /etc/rc2.d
    # rm -f S90wbem S90webconsole

SMF Profile

Warning: this profile disables autofs, so if you used to have it enabled, remember to move /export/home to /home.

This profile is a hack of /var/svc/profile/generic_limited_net.xml. Download or copy/paste the following SMF profile, and do:

    # svccfg apply restricted.xml

Result

    Starting Nmap 3.95 ( http://www.insecure.org/nmap/ ) at 2006-02-14 11:23 CET
    Interesting ports on 192.168.3.202:
    (The 1668 ports scanned but not shown below are in state: closed)
    PORT   STATE SERVICE
    22/tcp open  ssh

    Nmap finished: 1 IP address (1 host up) scanned in 44.786 seconds

Attachment

<?xml version='1.0'?>
<!DOCTYPE service_bundle SYSTEM '/usr/share/lib/xml/dtd/service_bundle.dtd.1'>
<!--
    Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
    Use is subject to license terms.

    ident "@(#)generic_limited_net.xml 1.2 04/11/22 SMI"

    The purpose of the limited_net profile is to provide a set of
    active services that allow one to connect to the machine via ssh
    (requires sshd,) to be authenticated (requires rpc,) and to access
    network filesystems (requires nfs.)  The services which are
    deactivated here are those that are at odds with this goal.  Those
    which are activated are explicit requirements for the goal's
    satisfaction.

    NOTE:  Service profiles delivered by this package are not editable,
    and their contents will be overwritten by package or patch
    operations, including operating system upgrade.  Make customizations
    in a distinct file.

    The path, /var/svc/profile/site.xml, is a distinguished location
    for a site-specific service profile, treated otherwise equivalently
    to this file.
-->
<service_bundle type='profile' name='generic_limited_net'
    xmlns:xi='http://www.w3.org/2003/XInclude' >

    <!--
        Include name service profile, as set by system id tools.
    -->
    <xi:include href='file:/var/svc/profile/name_service.xml' />

    <!-- svc.startd(1M) services -->
    <service name='system/coreadm' version='1' type='service'>
        <instance name='default' enabled='true'/>
    </service>
    <service name='system/cron' version='1' type='service'>
        <instance name='default' enabled='true'/>
    </service>
    <service name='system/cryptosvc' version='1' type='service'>
        <instance name='default' enabled='true'/>
    </service>
    <service name='system/identity' version='1' type='service'>
        <instance name='domain' enabled='true'/>
    </service>
    <service name='system/keymap' version='1' type='service'>
        <instance name='default' enabled='true'/>
    </service>
    <service name='system/picl' version='1' type='service'>
        <instance name='default' enabled='true'/>
    </service>
    <service name='system/sac' version='1' type='service'>
        <instance name='default' enabled='true'/>
    </service>
    <service name='system/system-log' version='1' type='service'>
        <instance name='default' enabled='true'/>
    </service>
    <service name='system/utmp' version='1' type='service'>
        <instance name='default' enabled='true'/>
    </service>
    <service name='system/zones' version='1' type='service'>
        <instance name='default' enabled='true'/>
    </service>
    <service name='network/rpc/bind' version='1' type='service'>
        <instance name='default' enabled='false'/>
    </service>
    <service name='system/name-service-cache' version='1' type='service'>
        <instance name='default' enabled='true'/>
    </service>
    <service name='network/nfs/status' version='1' type='service'>
        <instance name='default' enabled='false'/>
    </service>
    <service name='network/nfs/nlockmgr' version='1' type='service'>
        <instance name='default' enabled='false'/>
    </service>
    <service name='network/nfs/client' version='1' type='service'>
        <instance name='default' enabled='false'/>
    </service>
    <service name='network/nfs/server' version='1' type='service'>
        <instance name='default' enabled='false'/>
    </service>
    <service name='network/nfs/rquota' version='1' type='service'>
        <instance name='default' enabled='false'/>
    </service>
    <service name='network/ssh' version='1' type='service'>
        <instance name='default' enabled='true'/>
    </service>
    <service name='network/smtp' version='1' type='service'>
        <instance name='sendmail' enabled='false'/>
    </service>
    <service name='network/inetd' version='1' type='restarter'>
        <instance name='default' enabled='true'/>
    </service>
    <service name='system/filesystem/autofs' version='1' type='service'>
        <instance name='default' enabled='false'/>
    </service>
    <service name='system/power' version='1' type='service'>
        <instance name='default' enabled='true'/>
    </service>
    <service name='application/print/cleanup' version='1' type='service'>
        <instance name='default' enabled='true' />
    </service>
    <service name='network/pfil' version='1' type='service'>
        <instance name='default' enabled='true' />
    </service>

    <!-- non-default svc.startd(1M) services disabled -->
    <service name='network/dhcp-server' version='1' type='service'>
        <instance name='default' enabled='false' />
    </service>
    <service name='network/ntp' version='1' type='service'>
        <instance name='default' enabled='false' />
    </service>
    <service name='network/rarp' version='1' type='service'>
        <instance name='default' enabled='false' />
    </service>
    <service name='network/slp' version='1' type='service'>
        <instance name='default' enabled='false' />
    </service>
    <service name='network/security/kadmin' version='1' type='service'>
        <instance name='default' enabled='false' />
    </service>
    <service name='network/security/krb5_prop' version='1' type='service'>
        <instance name='default' enabled='false' />
    </service>
    <service name='network/security/krb5kdc' version='1' type='service'>
        <instance name='default' enabled='false' />
    </service>

    <!-- default inetd(1M) services disabled -->
    <service name='network/finger' version='1' type='service'>
        <instance name='default' enabled='false'/>
    </service>
    <service name='network/ftp' version='1' type='service'>
        <instance name='default' enabled='false'/>
    </service>
    <service name='network/login' version='1' type='service'>
        <instance name='rlogin' enabled='false'/>
        <!-- non-default inetd(1M) instances disabled -->
        <instance name='klogin' enabled='false'/>
        <instance name='eklogin' enabled='false'/>
    </service>
    <service name='network/shell' version='1' type='service'>
        <instance name='default' enabled='false'/>
        <!-- non-default inetd(1M) instance disabled -->
        <instance name='kshell' enabled='false'/>
    </service>
    <service name='network/telnet' version='1' type='service'>
        <instance name='default' enabled='false'/>
    </service>

    <!-- non-default inetd(1M) services disabled -->
    <service name='network/tname' version='1' type='service'>
        <instance name='default' enabled='false'/>
    </service>
    <service name='network/uucp' version='1' type='service'>
        <instance name='default' enabled='false'/>
    </service>
    <service name='network/chargen' version='1' type='service'>
        <instance name='stream' enabled='false'/>
        <instance name='dgram' enabled='false'/>
    </service>
    <service name='network/daytime' version='1' type='service'>
        <instance name='stream' enabled='false'/>
        <instance name='dgram' enabled='false'/>
    </service>
    <service name='network/discard' version='1' type='service'>
        <instance name='stream' enabled='false'/>
        <instance name='dgram' enabled='false'/>
    </service>
    <service name='network/echo' version='1' type='service'>
        <instance name='stream' enabled='false'/>
        <instance name='dgram' enabled='false'/>
    </service>
    <service name='network/time' version='1' type='service'>
        <instance name='stream' enabled='false'/>
        <instance name='dgram' enabled='false'/>
    </service>
    <service name='network/comsat' version='1' type='service'>
        <instance name='default' enabled='false'/>
    </service>
    <service name='network/rexec' version='1' type='service'>
        <instance name='default' enabled='false'/>
    </service>
    <service name='network/talk' version='1' type='service'>
        <instance name='default' enabled='false'/>
    </service>

    <!-- default inetd(1M) RPC services enabled -->
    <service name='network/rpc/gss' version='1' type='service'>
        <instance name='default' enabled='true'/>
    </service>
    <service name='network/rpc/mdcomm' version='1' type='service'>
        <instance name='default' enabled='true'/>
    </service>
    <service name='network/rpc/meta' version='1' type='service'>
        <instance name='default' enabled='true'/>
    </service>
    <service name='network/rpc/metamed' version='1' type='service'>
        <instance name='default' enabled='true'/>
    </service>
    <service name='network/rpc/metamh' version='1' type='service'>
        <instance name='default' enabled='true'/>
    </service>
    <service name='network/rpc/smserver' version='1' type='service'>
        <instance name='default' enabled='true'/>
    </service>
    <service name='network/security/ktkt_warn' version='1' type='service'>
        <instance name='default' enabled='true'/>
    </service>

    <!-- default inetd(1M) RPC services disabled -->
    <service name='network/rpc/rstat' version='1' type='service'>
        <instance name='default' enabled='false'/>
    </service>
    <service name='network/rpc/rusers' version='1' type='service'>
        <instance name='default' enabled='false'/>
    </service>

    <!-- non-default inetd(1M) RPC services disabled -->
    <service name='network/rpc/ocfserv' version='1' type='service'>
        <instance name='default' enabled='false'/>
    </service>
    <service name='network/rpc/rex' version='1' type='service'>
        <instance name='default' enabled='false'/>
    </service>
    <service name='network/rpc/spray' version='1' type='service'>
        <instance name='default' enabled='false'/>
    </service>
    <service name='network/rpc/wall' version='1' type='service'>
        <instance name='default' enabled='false'/>
    </service>
    <service name='application/x11/xfs' version='1' type='service'>
        <instance name='default' enabled='false'/>
    </service>

</service_bundle>
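The following shell script is an added example, not part of the original post: it audits the four steps above (policy.conf hashing settings, accounts still carrying a traditional 13-character crypt hash in the shadow file, S* start scripts left in an rc directory, and which instances an SMF profile leaves enabled) so you can check a machine, or files copied off one, before and after applying the changes. It runs here on constructed sample files; the function names and the sample logins, script names and the tiny profile are my own, and on a real Solaris 10 host you would point the functions at /etc/security/policy.conf, /etc/shadow, /etc/rc2.d and /etc/rc3.d, and your restricted.xml.

```shell
#!/bin/sh
# Added audit helper (not from the original post). Works on plain files,
# so it can be run offline against copies pulled from a server.

# 1. Password hashing policy: both lines must be present and uncommented.
policy_conf_hardened() {  # $1 = policy.conf; exit status 0 = hardened
    grep -q '^CRYPT_ALGORITHMS_DEPRECATE=__unix__' "$1" &&
    grep -q '^CRYPT_DEFAULT=1' "$1"
}

# 2. Accounts whose hash is still traditional crypt(3): 13 characters with
#    no '$id$' prefix. Locked (*LK*), NP and empty fields are not hashes.
weak_crypt_accounts() {  # $1 = shadow file; prints one login per line
    awk -F: '$2 != "" && $2 !~ /^\$/ && $2 !~ /^\*/ && $2 != "NP" \
             && length($2) == 13 { print $1 }' "$1"
}

# 3. Legacy rc start scripts (S* entries) remaining in an init directory.
legacy_start_scripts() {  # $1 = rc directory; prints script names
    for f in "$1"/S*; do
        [ -e "$f" ] && basename "$f"
    done
    return 0
}

# 4. Instances an SMF profile enables or disables, printed as
#    "service:instance enabled|disabled". Relies on the one-element-per-line
#    layout of the stock profiles; the quote is passed in via -v so the awk
#    program itself needs no embedded single quotes.
profile_instances() {  # $1 = profile XML
    awk -v q="'" '
        /<service name=/  { split($0, a, q); svc = a[2] }
        /<instance name=/ { split($0, a, q)
                            print svc ":" a[2] " " (a[4] == "true" ? "enabled" : "disabled") }
    ' "$1"
}

# ---- constructed sample inputs (labelled as such; not real system files) ----
W=$(mktemp -d)
trap 'rm -rf "$W"' EXIT

cat > "$W/policy.conf" <<'EOF'
CRYPT_ALGORITHMS_DEPRECATE=__unix__
CRYPT_DEFAULT=1
EOF
cat > "$W/policy_default.conf" <<'EOF'
#CRYPT_ALGORITHMS_DEPRECATE=__unix__
CRYPT_DEFAULT=__unix__
EOF
# 'legacy' is a made-up account still on a 13-character unix crypt hash
cat > "$W/shadow" <<'EOF'
asyd:$1$vY6aWgP1$QbLM9FKPRrJPEXyoDYEK70:13193::::::
legacy:Ab3dEfGhIjKlM:13193::::::
daemon:NP:6445::::::
nobody:*LK*:6445::::::
EOF
mkdir "$W/rc3.d"
: > "$W/rc3.d/S90samba"
: > "$W/rc3.d/K90samba"
cat > "$W/profile.xml" <<'EOF'
<service_bundle type='profile' name='sample'>
    <service name='network/ssh' version='1' type='service'>
        <instance name='default' enabled='true'/>
    </service>
    <service name='network/telnet' version='1' type='service'>
        <instance name='default' enabled='false'/>
    </service>
</service_bundle>
EOF

# ---- report ----
if policy_conf_hardened "$W/policy.conf"; then
    echo "policy.conf: MD5 default, unix crypt deprecated"
else
    echo "policy.conf: NOT hardened"
fi
echo "accounts still on unix crypt: $(weak_crypt_accounts "$W/shadow")"
echo "rc3.d start scripts left:     $(legacy_start_scripts "$W/rc3.d")"
echo "profile instances:"
profile_instances "$W/profile.xml"
```

Run it with sh; an empty "accounts still on unix crypt" list and an empty "start scripts left" list are what you want to see after the steps above have been applied, and the profile listing is worth reading once before svccfg apply to confirm nothing unexpected is left enabled.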
Welcome to Bruno Bonfils's (aka asyd) homepage.