From: Matt Collins [matt@clues.com]
Sent: Tuesday, 29 October 2002 18:35
To: focus-sun@securityfocus.com
Subject: Hardening Solaris: Information resources

Hey Folks,

Thanks for all your help. I received a LOT of documents. Many of them were crib sheets that added little to material from other sources, and I spotted outright cut-and-pastes aplenty between several. I've included the most useful below (in no particular order) - some were very, very basic but may be useful to those of you who aren't full time in the security area. Others were more technical and terse, assuming you already understood the issues.

I was rather surprised at the lack of anything really novel - there were one or two cleaner, more elegant ways of doing things than we already do, but I guess the 'received wisdom' on Solaris hardening is now so widespread and homogenised (thanks google! ;) ) that there's little new that needs to be done.

I've included only those things appropriate to a baseline build - specific package stripping lists for Checkpoint, iWeb, Apache, etc. are all out there but weren't what I was interested in. If anyone out there thinks of something obviously missed then feel free to chime in ;)

Having spent time wading through all the documentation I was sent in the fear of missing just one novel important thing, I hope that having cut it down to a shorter list will help some of you - even still there is much duplication between a lot of these documents. Personally I found the JASS Internals PDF, Compass security checklist, Solaris TCP/IP tuning, Network security settings blueprint and University of Waterloo documents to provide a very good cross section of cover.
Enjoy,
Matt

Vendor material
---------------

Sun Security blueprints
http://www.sun.com/solutions/blueprints/browsesubject.html#security
http://www.sun.com/software/solutions/blueprints/1299/network.pdf
http://www.sun.com/solutions/blueprints/0601/jass_quick_start-v03.pdf
http://www.sun.com/solutions/blueprints/0601/jass_release_notes-v03.pdf
http://www.sun.com/solutions/blueprints/tools
Unsurprisingly by far the most referenced documents ;) The JASS internals PDF can make a good substitute for some of the 'checklist' approaches below, and may have the management-friendly advantage of being supplied by the vendor with supportable end states (if not processes). Good general (basic) introductions to concepts and issues ('How hackers do it!' ;-) ) and also useful technical information for specific products (BSM, JASS, fingerprint database, etc).

Non-vendor guides
-----------------

Christopher A. Petro's 'corrections' guide:
http://fixsolaris.sunhelp.org
Not exclusively security oriented, a 'crib sheet' of common admin changes ('fixes') to Sun default settings with explanations.

University of Waterloo security documents:
http://ist.uwaterloo.ca/security/howto/
A collection of security documents ranging from the configuration and usage of individual products; their Solaris documents are well thought out and go to great lengths to explain what each service (for example, in inetd, or individual setuid programs) does, to allow a user of an existing system to try and assess whether it's required.
Security Focus articles:
http://online.securityfocus.com/infocus/1365
http://online.securityfocus.com/infocus/1366
Hardening Solaris: Diamond in the Rough Pt. 1 & 2
Basic primer on network services

http://online.securityfocus.com/infocus/1385
Solaris kernel tuning for security
Basic kernel tweaks with explanation of change reasoning

http://online.securityfocus.com/infocus/1489
Solaris File ACLs
Basic introduction to Solaris's granular file ACL system; recommended if you're still using traditional Unix owner/group/other file permissions on multiuser servers.

SANS Institute top 20 list
http://www.sans.org/top20/#U1
The ever-famous top 20 SANS issues, well described in a clear, concise corporate manner. Given the FBI tie-in this may be useful to reinforce the idea that issues like FTP and SNMP are, in fact, serious, and help you overcome the 'but everyone uses them' attitude. Perhaps. ;)

SANS Institute 'reading room' articles:
http://rr.sans.org/firewall/solaris_servers.php
A case study in the installation of firewalls on a university campus. Again, rather basic but a useful and readable guide to the reasons certain decisions were taken, which may help clarify issues and their presentation for some.

http://rr.sans.org/intrusion/host_solaris.php
A case study in the selection of a host-based IDS for Solaris systems. Again, more useful for the methodological approach than technical data.

http://rr.sans.org/malicious/chkrootkit.php
A basic introduction to the chkrootkit scanning tool, and some advice on its operational usage.

http://rr.sans.org/tools/BSM.php
Introduction to Solaris's kernel auditing tool, BSM. Like filesystem ACLs, a good feature to get to know if you are not already considering it. I (personally) wouldn't recommend some of the verbatim steps, e.g. the cron files suggested, but rather use it as a primer document.
Boran Consulting papers:
http://www.boran.com/security/sp/Solaris_bsm.html
Some tips and scripts for managing and interpreting BSM

http://www.boran.com/security/sp/Solaris_hardening4.html
A step-by-step guide for using JASS on Solaris 8 to get a Boran hardened build. Includes some firewalling information, etc.

Sabernet papers:
http://sabernet.home.attbi.com/papers/Solaris.html
Step-by-step crib sheet for building a minimal hardened Solaris system.

The System Administrators Guild (SAGE) checklist:
http://sageweb.sage.org/resources/online/solaris/index.html
This is *extremely* nicely laid out, providing a basic crib sheet of steps that we're all likely more than familiar with but which serve as a useful reminder, then allowing 'drill down' for detail. While not huge on technical detail, the format may be worth looking over for your own documentation.

http://www.accs.com/p_and_p/SolSec/
Another administrator crib sheet with detailed explanations of the steps taken. Somewhat purist in places, and useful as a tool for bespoke builds (i.e. hardening a server you know the end use of) but possibly not so much for a generic 'secured build'.

The Center for Internet Security
http://www.cisecurity.org/
'Benchmarking' tools to check the configuration of your system against a list of known issues.

Compass Security Solaris hardening guide
http://www.csnc.ch/downloads/docs/hardening/SolarisHardening_CSNC.pdf
A nice checklist document with further detail from a practical DMZ deployment perspective. Includes guidelines for OS and application deployment, but assumes general prior familiarity with the issues and suggested remedies raised.

Lance Spitzner's security papers
http://www.enteract.com/~lspitz/papers.html
Useful set of tips and how-tos for various operating systems, with an emphasis on network security devices (firewalls, routers, etc).
Solaris TCP/IP kernel tuning
http://www.sean.de/Solaris/soltune.html
An excellent technical resource detailing network stack related ndd settings with possible values and explanations; not, however, focused around security.

Toolsets
--------

* scanners
Fyodor's Nmap (network scanner):
http://www.insecure.org/nmap
Chkrootkit (local scanner):
http://www.chkrootkit.org/
Foundstone SNScan:
http://www.foundstone.com/knowledge/free_tools.html
SANS SNMPing:
email snmptool@sans.org
Nessus:
http://www.nessus.org

* hardening kits
JASS (see Vendor material above)
TITAN
http://www.fish.com/titan/
YASSP
http://www.yassp.org/src/examples/yassp.conf

* operational utilities
Papillon kernel security module
http://www.roqe.org/papillon
Wietse's tools (tcp wrappers, rpcbind, portmap, etc):
ftp://ftp.porcupine.org/pub/security/index.html
Sudo
http://www.courtesan.com/sudo
OpenSSH
http://www.openssh.org