Hardening Solaris 

Secure installation of Bastion hosts

By SeŠn Boran
www.boran.com/security/sp/Solaris_hardening2.html

Note:
- a newer article is available in draft form and includes Yassp beta#11.
- This version will not longer be updated.

This article presents a concise step-by-step approach to securely installing Solaris for use in a firewall DMZ or other sensitive environment, using the Yassp tool (beta#5) and (with Solaris 8) the Sunscreen EFS firewall.

The focus in this article is on preparing the Operating System to securely run services, but tips are also provided on the use of free security tools and configuring common services.

This article was written (and tested) for Solaris 2.6/7/8, but the techniques described here should work fine on earlier versions too. This article has been updated since the original release, see the section Changes to this article.

Your feedback is welcome.


The hardening process is divided into the following steps:

  1. Preparation
  2. Initial OS installation
  3. Install SSH
  4. Run YASSP
  5. Solaris 8: Install Sunscreen EFS
  6. Installing tools & sysadmin software
  7. Logging
  8. Install an Integrity Checker: e.g. Tripwire
  9. Install, test, harden applications: General, DNS, ftp, httpd, smtp
  10. Going Live

Regular maintenance
Yassp Overview
Additional Notes
References
Changes to this article


1. Preparation


2. Initial OS installation

Connect the serial console, switch on, halt to the OK prompt by sending a Stop-A (~#, ~%b, or F5 depending on whether you use tip, cu or a vt100 terminal), then start the installation procedure:  boot cdrom - install .
Note: On Solaris 8, make sure your use "Software CD#1" and not the "Installation CD".

Install the end user bundle (or even better only the core packages), set hostname, terminal, IP parameters, timezone, etc. Don't enable any naming services like NIS or NFS. Don't enable power management, or mount any remote file systems (NFS).
Note: On Solaris 8, the user bundle can be customised via "F4", packages can be added or removed, e.g. for a web server Apache can be added.

Choose manual disk partitioning:

Set a strong password (7 or 8 chars with numbers, letters and punctuation) for root.

Reboot. 

If you use the C-Shell, the following will make editing easier and enable history functions:

csh;
setenv TERM vt100; setenv VISUAL vi; setenv EDITOR vi;
set filec; set history=40; alias h history; alias ls 'ls -aF \!*';

No man pages are installed with the user bundle, so install them while the Solaris CD is still mounted:

cd /cdrom/cdrom0/s0/Solaris_2.6/Product;
pkgadd -d . SUNWman SUNWdtma SUNWjvman SUNWpmowm SUNWolman SUNWtltkm SUNWxwman SUNWxwpmn

cd /cdrom/cdrom0/s0/Solaris_2.7/Product;
pkgadd -d . SUNWman SUNWdtmaz SUNWdtma SUNWjvman SUNWpmowm SUNWolman SUNWtltkm SUNWxwman SUNWxwpmn

On Solaris 8, insert CD#2:
cd /cdrom/cdrom0/Solaris_8/Product;
pkgadd -d . SUNWman SUNWdtmaz SUNWdtma SUNWjvman SUNWpmowm SUNWolman SUNWtltkm SUNWxwman SUNWxwpmn SUNWj2man

Update indices, so that "man -k keyword" will allow searching of relevant man pages:

/usr/lib/makewhatis /usr/man;
/usr/lib/makewhatis /usr/openwin/man;

If a patch CD is available, install the recommended & security patches from Sun. Typically a separate CD "Maintenance Release" is provided with a patch bundle.
Reboot and logon again as root. The list of patches installed can be listed with showrev -p .
Note that the current patches will be checked and updated over the network in Step 6 below.


3. Install SSH

Install SSH, the secure Shell for login access (to avoid using telnet/ftp). There are two key implementations 'ssh1' and 'OpenSSH', here we use ssh1 as an example. OpenSSH is more interesting in some ways (truly free and support for ssh2 protocol), but ssh1 also supports securid (which is useful to me) and is easier to install. OpenSSH will probably become the definitive standard in the future. See also [7] for a detailed discussion of SSH and it's various implementations.

Download sources (ssh-1.2.27.tar.gz from [7a]) and compile on a separate machine

zcat ssh-1.2.27.tar.gz | tar xf - 
cd ssh-1.2.27; ./configure --prefix=/usr --without-none --without-rsh --without-idea
make

and create a binary distribution. See also [7] for a detailed discussion of SSH and it's various implementations.

Download ssh_bin.tar.Z (or whatever your binary is called) to the new target system:
extract in root, "rehash" (if using csh) and then generate a host key:
     zcat ssh_bin.tar.Z | tar xvf -;
   /usr/local/bin/ssh-keygen -b 1024 -f /etc/ssh_host_key -N '';

Add the ssh service to /etc/services:
     ssh 22/tcp            # Secure Shell
Start the ssh daemon:
     sh /etc/rc2.d/S10sshd start

Configure an appropriate /etc/ssh_config file (see also [7]), so that access is restricted to named hosts with known public keys (/etc/ssh_known_hosts) and rhosts authentication is disabled. Avoid trusts. Only allow specific users and hosts to access SSH. Deny daemon accounts access.


4. Run YASSP

Jean Chouanard has developed the Yassp (Yet Another Solaris Security Package) scripts for hardening Solaris and which have evolved quit a bit this year. See the Yassp section below which presents Yassp in more detail. In particular we use the 'cleanup' and 'SECclean' parts of Yassp. We use Yassp for this section of the hardening because it is comprehensive, is a consensus of security experts, can be backed out, has been tested by many people and is backed by SANS. An example of yassp output is useful in understanding what it does: yassp_output.txt.

Download clean-up_5.X.tar.Z and secclean.Z [1] to the target.

Shutdown the network interface during this next phase, just in case (the interface name depends on the architecture e.g. hme0 on UltraSPARC):

ifconfig le0 down

Run the package content database cleaning and file permission tightening:

zcat clean-up_5.7.tar.Z | tar xvf -
/var/sadm/clean-up_5.7/install.sh

There should be no errors and the output of the last command "pkgchk -n" should be null, except a warning on "/home" as the automounter is still running. It make take 15 minutes.. 
If this step needs to be undone, run /var/sadm/clean-up_5.7/un-install.sh

Run the hardening package (make take 15 minutes):

uncompress secclean.Z;
pkgadd -d secclean SECclean

Note: Changed files are backed up under /var/sadm/pkg/SECclean/save.

Remove scripts:

rm clean-up_5.7.tar.Z secclean

Reboot.

Login as root and check the process list, it should be something like:
  tests# ps -ef
UID PID PPID C STIME TTY TIME CMD
root 0 0 0 15:13:51 ? 0:01 sched
root 1 0 0 15:13:54 ? 0:00 /etc/init -
root 2 0 0 15:13:54 ? 0:00 pageout
root 3 0 0 15:13:54 ? 0:00 fsflush
root 170 167 0 15:14:16 ? 0:00 /usr/lib/saf/ttymon
root 138 1 0  15:14:14 ? 0:00 /usr/sbin/syslogd
root 167 1 0  15:14:15 ? 0:00 /usr/lib/saf/sac -t 300
root 168 1 1  15:14:15 console 0:00 -sh
root 152 1 0  15:14:15 ? 0:00 /usr/lib/utmpd
root 174 168 1 15:14:56 console 0:00 csh
root 137 1 0  15:14:14 ? 0:00 /usr/sbin/cron
root 175 174 1 15:14:58 console 0:00 ps -ef

check the network connections, only syslog should be listening:

UDP
Local Address Remote Address State
-------------------- -------------------- -------
*.syslog Idle
*.* Unbound

TCP
Local Address Remote Address Swind Send-Q Rwind Recv-Q State
-------------------- -------------------- ----- ------ ----- ------ -------
*.* *.* 0 0 0 0 IDLE
*.* *.* 0 0 0 0 IDLE

Solaris 8: Fixes for issues not yet supported by Yassp beta#3:

Configuring the hardening level - typically nothing needs to be enabled for bastion hosts. These files are well commented and easy to understand.

vi /etc/rc.conf
vi /etc/yassp.conf

If any user other than root needs to use at/cron, the allow files in /etc/cron.d will need adapting.


5. Solaris 8: Install Sunscreen EFS

Sunscreen EFS Firewall: On Solaris 8, the iPlanet CD#2 contains among other things, a restricted edition of the Sunscreen EFS firewall, 'lite v3.0.1'. It can be used to protect network communications to the local machine (among other things).

Below we present a quick overview of setting up some simple rules on the command line, see [9] for a detailed discussion of Sunscreen configuration.

# cd /opt/SUNWicg/SunScreen/bin;
# ./ssadm active
Active configuration: www default Initial.2
# ./ssadm edit Initial
edit> list rule
1 "common" "*" "*" ALLOW
edit> list address
"*" RANGE 0.0.0.0 255.255.255.255
"le0.net" RANGE 176.17.17.0 176.17.17.255
"localhost" HOST
"smtp-server" HOST 1.1.1.1
"www_le0" GROUP { } { }
edit> list service common
"common" GROUP "tcp all" "udp all" "syslog" "dns" "rpc all" "nfs prog" "icmp all" "rip" "ftp" "rsh" "real audio" "pmap udp all" "pmap tcp all" "rpc tcp all" "nis" "archie" "traceroute" "ping"

So we see that the default policy allows quite a few services through.

Let's presume that we are setting up a HTTPD server (on port 80) and intend to manage it via SSH. We also want to allow ping and traceroute for initial trouble shooting. We could then create and active the new firewall policy restricting access to these services as follows

# ./ssadm edit Initial
edit> add service ssh      SINGLE FORWARD "tcp" PORT 22
edit> add service myhttp GROUP ping traceroute ssh www
edit> replace rule 1 ALLOW myhttp "*" "*"
edit> list rule
1 "myhttp" "*" "*" ALLOW
edit> save
edit> verify
Configuration verified successfully (not activated).
edit> quit
www# ./ssadm activate Initial
Configuration activated successfully on www.

Voila!

# cd /opt/SUNWicg/SunScreen/bin;
# ./ssadm edit Initial
edit> add address mgt_net RANGE 176.17.17.0 176.17.17.255
edit> add service mgt GROUP ping traceroute ssh
edit> replace rule 1 ALLOW www "*" localhost
edit> replace rule 2 ALLOW mgt mgt_net localhost
edit> replace rule 3 ALLOW mgt localhost "*"
edit> replace rule 4 ALLOW dns localhost "*"
edit> save
edit> verify
Configuration verified successfully (not activated).
# ./ssadm activate Initial
Configuration activated successfully on www.

Now test the network connections, to ensure the rules have the desired effect. To rollback to the initial configuration, delete all rules and add:

replace rule 1 ALLOW "common" "*" "*"

Finally, we can stop the remote Firewall management GUI. Why would we do this? If we are comfortable with the command line "ssadm" then one daemon more and one more configuration interface, that needs to be correctly configured and watched.

Disabling the following line in /etc/rc2.d/S63sunscreen
$SS_LIBDIR/run_httpd start efshttpd

In /opt/SUNWicg/SunScreen/lib/ss_boot, disable:
$SS_LIBDIR/ssadmserver start >/dev/console 2>&1

See also [9] for a detailed discussion of Sunscreen configuration.



6. Installing tools & sysadmin software

The system has now gone through a first hardening phase and should be still working! Boot and login on the console as root. Check for error messages on the console, fix if necessary.

More Solaris patches: During installation, some patches were installed. However, it's unlikely that they are the newest and may have been only the recommended ones.. Now that the system is reasonably secured, it's time to get the most recent versions of security patches. Get the Patchdiag tool from Sunsolve along with and update patchdiag.xref [15] and run it to see what recommended and security patches are needed, then download & install the missing ones. If you don't have a support contract just installed the latest security bundle or use the SecurityFocus vulnerability calculator  [15].
DNS note: even if you install BIND, the Solaris libresolv still needs patching.

Environment:

/.cshrc /.profile: set aliases, variables (such as VISUAL, EDITOR and PATH don't include "."). Set umask to 077, or 027.

Search path: Yassp adds /opt/local/bin to the su path (in /etc/default/su), if your tools are more likely to be in /usr/local, this will need adapting.

Disk mounting (vfstab options):
Several options can be set to improve the security of robustness of filesystems when they are mounted.

Mount option OS Description When to use it
nosuid 2.x Disables SUID programs, but also disables devices! /var or /home or data disks where no SUID programs, or devices (and hence chroot environments are used).
/tmp won't work either, unless it is on disk.
logging 2.7 or later keeps a transaction log within the mounted partition. The advantage is an almost instantaneous filesystem check - which may take a considerable while with larger harddisks, e.g. 18 GB. The disadvantage is the additional time spent writing the transaction log. /usr /opt /home

Recommended for all file systems except: root (where Veritas VxVM used), or where lots of file accesses are expected.
noatime 2.7 or later allows mounting file systems without updating inodes at each access to any file. This will significantly speed up services like web caches or news servers, which do a lot of file IO with small files. /var or any partition where lots of file access are expected (web cache or news partitions).
size=100m 2.5.1 or later Allow /tmp to only use 100MB of swap space. The value could be set to say 30% of swap space. /tmp

Email: If hosts are not supposed to send email outside the subnet, don't configure the mailhost alias. Delete /usr/lib/sendmail if you don't need any kind of email.
Otherwise edit /etc/mail/aliases (at least point root to a real address), set mailhost in /etc/hosts and in /etc/mail/sendmail.cf set the following to ensure all outgoing email is channeled over mailhost:
   Dj$w.YOURDOMAIN.COM.
   DSmailhost
   DRmailhost
   DHmailhost
   O FallbackMXhost=mailhost
Add a hostname.YOURDOMAIN.COM alias for this machine in /etc/hosts.
Send a test email to check the config:
   mailx -v -s test_email root </dev/null

Install tools and scripts: Tools should already have been compiled and tested extensively on another machine.


7. Logging

Configure logging:

Disable the Solaris log pruning (& other) lines in the root cron, since you're doing it yourself:

#10 3 * * 0,4 /etc/cron.d/logchecker
#10 3 * * 0 /usr/lib/newsyslog 

Syslog logging: Split up log analysis according to the example /etc/syslog.conf [3] which enables more logging than the default and splits up services into separate logfiles. Designate one machine as the loghost (in /etc/hosts) or log locally.

Syslog "loghost": Give the loghost a whopping great disk for logs. Create empty logs & set permissions:

cd /var/log;
touch daemonlog authlog kernlog userlog maillog lprlog cronlog newslog local0log local2log local5log alertlog;
chmod 600 daemonlog authlog kernlog userlog maillog lprlog cronlog newslog local2log local5log alertlog;
kill -1 `pgrep syslogd`

Use rotate_log [3] to prune & compress logs, add the root cron entries:
## Prune syslog logs weekly, keeping the last 6 months or so:
55 23 * * 6 /secure/rotate_log -n 40 alertlog
55 23 * * 6 /secure/rotate_log -n 40 authlog
55 23 * * 6 /secure/rotate_log -n 20 cronlog
55 23 * * 6 /secure/rotate_log -n 40 daemonlog
55 23 * * 6 /secure/rotate_log -n 40 kernlog
55 23 * * 6 /secure/rotate_log -n 40 locallog
55 23 * * 6 /secure/rotate_log -n 20 newslog
55 23 * * 6 /secure/rotate_log -n 40 userlog
55 23 * * 6 /secure/rotate_log -n 10 lprlog
55 23 * * 6 /secure/rotate_log -n 20 maillog

Pruning of login logs:

## Empty login/logout records at year end
0 0 31 12 * /secure/wtrim.pl wtmp 20
0 0 31 12 * /secure/wtrim.pl wtmpx 20
# Solaris 2.x logs:
0 4 * * 6 /secure/rotate_log -L /var/adm -n 30 loginlog
0 4 * * 6 /secure/rotate_log -L /var/adm -n 30 sulog
0 4 * * 6 /secure/rotate_log -L /var/adm -n 2 vold.log
0 4 * * 6 /secure/rotate_cron

Note: I've written a script /etc/weekly [3] which includes the above weekly entries and can be run on both loghost and client, with a cron entry like this:
50 23 * * 6 sh /etc/weekly 2>&1| tee /var/log/weekly.out

Crons

Root cron entries:

Set date once a day with a reliable source using rdate (you may prefer NTP, it's more accurate, but complex, uses bandwidth and is an additional security worry):

## Synchronise the time:
0 * * * * /usr/bin/rdate YOURTIMEHOST  >/dev/null 2>&1

# process the mail queue hourly:
0 * * * * /usr/lib/sendmail -q

File permissions: tighten more permissions, and restrict certain tools to root or disable:

chmod 0500 /usr/sbin/snoop /usr/sbin/devinfo
chmod o-r /var/spool/cron/crontabs/*
chmod 000 /bin/rdist
chmod o-rx /etc/security
chmod og-rwx /var/adm/vold.log
chmod u-s /usr/lib/sendmail       #Not for mailgateways or multi-user hosts
chmod 400 /.shosts /etc/sshd_config /etc/ssh_known_hosts

Documentation:

Document configuration changes in a text file such as /etc/mods, update after each change, with date, author, files affected, description.
cat > /etc/mods <<EOF
10.4.00  sb  New install of Solaris8 & tools according to hardening guidelines
EOF

Edit login banners to warn users about unauthorised access, you'll need this if you want to prosecute intruders. For Telnet and SSH, use /etc/issue (for pre-login) and /etc/motd (for post-login). Default banners are installed by yassp.

Reboot, login via SSH.

Mount /usr and /opt read-only (in /etc/vfstab with "ro" option). This reduces the risk of trojan horses and unauthorised modifications.
Mount other partitions nosuid (SUID programs cannot assume other identities).
Reboot.
Run the mount command to check that filesystems options are effective.


8. Install an Integrity Checker: e.g. Tripwire

At this stage, we need to install a file integrity checker that uses secure hashing algorithms, initialise it's database and run regular checks to monitor for changes. If possible, keep the master database on another machine or offline or on write-once media.

What options do we have for integrity checking?

An example using the free Tripwire Version 1.2:


9. Install, test, harden applications


General

Consider installing applications on a separate partition or /opt. If /opt is used, it will have to be mounted read-write during installation and testing, and switched back to read-only afterwards.

Depending on the function of the server, applications such as ftpd, BIND, proxies, etc. are installed at this point. Web servers and firewall engines in particular, are complex and require careful configuration. The following is a general checklist that servers/applications should conform to:

FTP server (ftpd)
DNS servers
HTTP servers
Email gateways (smtp)

Consider using SMAP on email gateways exposed to the Internet. If using sendmail, keep up to date with fixes, or consider using Postfix. See also [16].


10. Going live


Preparing to go live
  1. You probably won't need CR-ROMs or floppies anymore, so disable the volume manager in /etc/yassp.conf (if it was still enabled, which it not by default).
    If you do need to mount a CD in the future, start vold manually & check for new devices:
        drvconfig; disks; vold &; volcheck; df -k
  2. Consider installing a script to check that important daemons are running. Install monitor_processes.pl  [3] and add a root cron entry:
    ## Check that important processes are running during office hours:
    ## [If you run 7x24, modify accordingly]
    0,30 8-19 * * 1-5 /secure/monitor_processes.pl sshd httpd
  3. If partitions such as /opt or /usr had to be mounted read-write during the application install/testing, mount them read-only now.
  4. Reinitialise tripwire (or equivalent integrity checker).
  5. Backup the system to two tapes, one offsite.
  6. Run a network scan on the system, to ensure that only expected services are visible. A commercial tool such as ISS or a free one like Nessus, nmap or Satan should do the job. Print out the results and archive.
  7. If possible, have additional people do the final testing, just in case something was forgotten.
  8. Test in detail - What works? What is forbidden? Check console/log entries. Does the system behave as expected? Watch the logs very frequently during the first few days of production.
Going Live

Connect to the live network. Test in detail. Check log entries. Does the system behave as expected?

Have applications been tested in detail, by different people with different points of view, from different access points on the network?


Regular maintenance

The following activities should take place hourly, daily, weekly or monthly, depending on how critical the system is:


Yassp Overview

Jean Chouanard's Yet Another Solaris Security Package [1] is a set of scripts used internally by Xerox that are being offered to the world for free. Jean is trying to make the scripts more general, to make them more useful outside of Xerox. The first version appeared in summer 1999 and adheres pretty closely to the SANS Solaris Guide. We now have an improved yassp beta 5 (May.2000) that allows more individual tuning and can be used for bastion hosts, servers and workstations. It's been tested by many admins, has received much input from experts and tried to pull together all known issues of Solaris hardening into one bundle.
An example of yassp output is useful in understanding what it does: yassp_output.txt.

There is also a tarball available in addition to the packages. It's only recommended for experts. This tarball includes the hardening packages plus "GNUgzip GNUrcs SSHsdi WVtcpd PARCdaily". It doesn't allow any more flexibility, just bundles a few binary packages, it is only for SPARC Solaris 2.6/7 and not as well tested. The tarball does not ask you what you do or don't what to install/harden. It installs SSH1 with Jean's patches for SecurID (which are very useful). The GNU stuff is installed in /opt/local.

YASSP Goodies
Yassp disadvantages
Yassp - suggested improvements

Additional Notes

This article has been very specific, in the interest of making it practical. However, each security administrator has his own methods and each site has different requirements.


References

[1] Jean Chouanard's YASSP (yet another solaris security package) for Solaris 2.x

See yassp.parc.xerox.com
The list of SECclean hardening actions is documented at yassp.parc.xerox.com/internal.html
The developers email list is archived at www.theorygroup.com/Archive/YASSP
Local copies (if you can't get to the main site): secclean.Z (beta#8), parcdaily.Z (beta#5).

[2] Sunworld security columns
www.sunworld.com/sunworldonline/common/swol-backissues-columns.html
Solaris Security FAQ www.sunworld.com/common/security-faq.html
Padded Cells: www.sunworld.com/swol-01-1999/swol-01-security.html
Tripwire: sunworld.com/sunworldonline/swol-02-2000/swol-02-security.html?0306a
[3] Scripts included with this article: S11tocsin, monitor_socket.pl, monitor_processes.pl, tripwire, trip_host.sh, tw.config.SunOS, rotate_log , rotate_cron, wtrim.pl, logcheck.sh, syslog.conf, yassp_output.txt .
[4] Klaxon and tocsin www.eng.auburn.edu/users/doug/second.html
[5] Tripwire:
Free version V1.2 ftp.cerias.purdue.edu/pub/tools/unix/ids/tripwire (last updated in 1994).
Commercial Version www.tripwiresecurity.com (starts at $495.-/server) also runs on NT.
Sunworld article.
[6]  Sample tools for analysing logs:
Logcheck www.psionic.com/abacus/logcheck (see also my improved version of logcheck.sh, a zip with my improvements and solaris binaries and a local copy of the original logcheck-1_1.tar.gz)
Swatch  ftp.stanford.edu/general/security-tools/swatch
[7] All About SSH PartI and Part II, by SecurityPortal:
All about SSH - PartI securityportal.com/direct.cgi?/research/ssh-part1.html,
All about SSH - Part II securityportal.com/direct.cgi?/research/ssh-part2.html  
[7a] ftp.cs.hut.fi/pub/ssh
[8] Casper Dik's fix-modes script contains a huge number of file permission improvements for most Solaris versions. ftp.wins.uva.nl:/pub/solaris/fix-modes.tar.gz
[9] Review: Sunscreen EFS3 Firewall -  Checking out Sun's Stealth Firewall
SunscreenEFS.html
[10] Jens VŲckler's nettune script www.rvs.uni-hannover.de/people/voeckler/tune/EN/tune.html
See also the local copy nettune.
[11] The Titan Project  www.titan.org
[12] AIDE, a GPL file integrity checker. www.cs.tut.fi/~rammer/aide.html
[13] BIND sources and home page: www.isc.org/products/BIND
Troubleshooting:  www.ebsinc.com/solaris/dns.html   
Testing Domains: www.ip-plus.net/tools/dns_check_set_en.html
Chroot BIND 8 on Solaris: www.securityfocus.com/focus/sun/articles/bind-inst.html
Chroot BIND 4.9.x on Solaris:
www.homeport.org/~adam/dns.html
Chroot BIND 8 on RedHat & OpenBSD
www.psionic.com/papers/dns
[14] Wietse Venema's tools and papers (tcp wrapper, rpcbind/portmapper, postfix, Satan, ....) ftp.porcupine.org/pub/security/index.html
[15] Sun sunsolve.sun.com   sunsolve.sun.ch
Patchdiag: sunsolve.sun.ch/private-cgi/show.pl?target=resources/tools
Patch XREF file: sunsolve.sun.ch/private-cgi/show.pl?target=patches/patch-access
[16] SMAP & FWTK (Firewall Toolkit) www.fwtk.org
Sendmail www.sendmail.org  
Postfix www.Postfix.org
Anti-Virus Mail Scanner for Linux/UNIX amavis.org (currently needs sendmail)
Scan4Virus - Virus Scan Wrapper for Qmail www.geocities.com/jhaar/scan4virus
[17] syslog replacements:
syslog-ng www.balabit.hu/products/syslog-ng (tcp connections, content filtering, encryption, authentication)
secure syslog  www.core-sdi.com/english/slogging/ssyslog.html
Nsyslogd coombs.anu.edu.au/~avalon/nsyslog.html (tcp connections & SSL)
[18] Security Advisories: www.cert.org  www.first.org   www.ciac.org
CERT provide several useful firewall/hardening/intrusion detection papers online www.cert.org/tech_tips.
Technical Discussion of advisories: www.SecurityFocus.com/sun
[19] Security Newsletters:
SecurityPortal's weekly or the SANS weekly/monthly.


Other useful links:


Changes to this article

25.Oct.'99  First Publication.
08.Nov.'99 Thanks to the following people for providing feedback and suggestions after the initial publication: Glenn Brunette, Andrew van der Stock, Darrel Goeddel and Kamal Kantawala.
28.Jan.'00 Integrate first Yassp version
08.Mar.'00 Rearrange links and references.

21.Apr.'00 Rewrite. Adapt for yassp beta3, Solaris 8, Sunscreen, Apache. New: /etc/weekly script.
13.May.'00 Update: Links, Venema's tools, Yassp beta5, tripwire, feedback Jean Chouanard
                New: RPC, smtp. (Second Publication)
16.may'00 Update: yassp#5 deinstall problems, rpc.
23.may'00 Update: tripwire URL and check parameters. Cert references. Fix Links.
20.jun'00   Update: typos in OS section, More Solaris patches, Disk mounting (vfstab options).


SeŠn Boran is an IT security consultant based in Switzerland and the author of the online IT Security Cookbook.

© Copyright 2001, S.Boran, All Rights Reserved, Last Update: 18 avril, 2002