Server Hardening Checklists

Solaris 10 Server Hardening Checklist

The hardening checklists are based on the comprehensive checklists produced by CIS. The VCU Security Team has distilled the CIS lists down to the most critical steps for your systems, with a particular focus on configuration issues that are unique to the computing environment at VCU.

How to use the checklist

Print the checklist and check off each item you complete to ensure that you cover the critical steps for securing your server. The checklist will be used during risk assessments and audits as part of the process to verify that servers are secure.

How to read the checklist

Step - The step number in the procedure. If there is a VCU Note for this step, the note # corresponds to the step #.

Check (√) - This is for administrators to check off when she/he completes this portion.

To Do - Basic instructions on what to do to harden the respective system.

CIS - Reference number in the Center for Internet Security Solaris 10 Benchmark (PDF, Requires VCU eID login.) The CIS document outlines in much greater detail how to complete each step.

VCU Note - The VCU Note at the bottom of the page provides additional detail about the step for the university computing environment.

Cat I - For systems that include category I data, required steps are denoted with the ! symbol. All steps are recommended.

Cat II/III - For systems that include category II or III data, all steps are recommended, and some are required (denoted by the !).

Min Std - This column links to the specific requirement for the university in the Minimum Security Standards for Systems document.

Server Information

MAC Address: ______________________

IP Address: ______________________

Machine Name: ______________________

Asset Tag: ______________________

Administrator Name: ______________________

Date: ______________________

Preparation and Installation

| Step | Check | To Do | CIS | VCU Note | Cat I | Cat II/III | Min Std |
|------|-------|-------|-----|----------|-------|------------|---------|
| 1 | | If the machine is a new install, protect it from hostile network traffic until the operating system is installed and hardened. | | § | ! | ! | 5.1 |

Patches and Additional Software

| Step | Check | To Do | CIS | VCU Note | Cat I | Cat II/III | Min Std |
|------|-------|-------|-----|----------|-------|------------|---------|
| 2 | | Apply the latest OS patches. | 1.1 | § | ! | ! | 5.2 |
| 3 | | Enable automatic notification of new patches. | | § | ! | ! | 5.3 |
| 4 | | Minimize system services. | 2 | § | ! | | 5.4 |

Kernel Tuning

| Step | Check | To Do | CIS | VCU Note | Cat I | Cat II/III | Min Std |
|------|-------|-------|-----|----------|-------|------------|---------|
| 5 | | Enable stack protection. | 3.2 | | | | |
| 6 | | Use better TCP sequence numbers. | 3.4 | | | | |

Logging

| Step | Check | To Do | CIS | VCU Note | Cat I | Cat II/III | Min Std |
|------|-------|-------|-----|----------|-------|------------|---------|
| 7 | | Turn on inetd tracing. | 4.1 | | ! | | 6.1 |
| 8 | | Capture messages sent to the syslog AUTH facility. | 4.4 | | ! | | 6.1 |
| 9 | | Create /var/adm/loginlog. | 4.5 | | ! | | 6.1 |
| 10 | | Turn on cron logging. | 4.6 | | ! | | 6.1 |
| 11 | | Enable system accounting. | 4.7 | | ! | | 6.1 |
| 12 | | Confirm permissions on system log files. | 4.9 | | ! | | 6.1 |

Files/Directory Permissions/Access

| Step | Check | To Do | CIS | VCU Note | Cat I | Cat II/III | Min Std |
|------|-------|-------|-----|----------|-------|------------|---------|
| 13 | | Verify passwd, shadow, and group file permissions. | 5.3 | | ! | | |

System Access, Authentication, and Authorization

| Step | Check | To Do | CIS | VCU Note | Cat I | Cat II/III | Min Std |
|------|-------|-------|-----|----------|-------|------------|---------|
| 14 | | Disable login: prompts on serial ports. | 6.1 | | ! | | 4.1 |
| 15 | | Configure SSH. | 6.3 | § | ! | | 5.6 |
| 16 | | Create /etc/ftpd/ftpusers. | 6.5 | | | | |
| 17 | | Prevent the email server from listening on external interfaces. | 6.6 | | | | 5.5 |
| 18 | | If the host is not a log server, prevent syslog from accepting messages from the network. | 6.7 | | ! | | 6.1 |
| 19 | | Configure TCP Wrappers. | 6.10 | | ! | | 5.5 |
| 20 | | If additional methods of restricting connections are necessary, implement them. | | § | ! | | 5.5 |
| 21 | | Restrict root logins to the system console. | 6.14 | | ! | | 4.1 |
| 22 | | On SPARC-based Solaris systems, set the EEPROM security mode to prevent unauthorized booting from non-standard media. | 6.16 | | ! | | 4.1 |
| 23 | | Configure the console to lock automatically if it is left unattended for an extended period of time. | | | | | 4.1 |

User Accounts and Environment

| Step | Check | To Do | CIS | VCU Note | Cat I | Cat II/III | Min Std |
|------|-------|-------|-----|----------|-------|------------|---------|
| 24 | | Verify that there are no accounts with empty password fields. | 7.2 | | ! | | 5.12 |
| 25 | | Set strong password enforcement policies. | 7.4 | § | ! | | 5.12 |
| 26 | | Verify that no UID 0 accounts exist other than 'root'. | 7.6 | | | | |
| 27 | | Install, configure, and use 'sudo' instead of 'su root'. | | § | | | |

Warning Banners

| Step | Check | To Do | CIS | VCU Note | Cat I | Cat II/III | Min Std |
|------|-------|-------|-----|----------|-------|------------|---------|
| 28 | | Create warning banners for standard login services. | 8.1 | § | ! | | 5.10 |
| 29 | | Create a warning for GUI-based logins. | 8.2 | § | ! | | 5.10 |
| 30 | | Create warnings for the FTP daemon (if in use). | 8.3 | § | ! | | 5.10 |
| 31 | | Create a power-on warning. | 8.4 | § | ! | | 5.10 |
| 32 | | Provide a method to encrypt Category I and other sensitive data. | | § | ! | | 5.7 |
| 33 | | Install software to check the integrity of critical operating system files. | N/A | § | ! | | 5.8 |
| 34 | | Install and enable anti-virus software. | N/A | § | ! | ! | 3.1 |
| 35 | | Configure the AV software to update its signatures daily. | N/A | § | ! | | 3.3 |
| 36 | | Set up time synchronization using NTP. | | § | | | |
| 37 | | Enable process accounting at boot time. | SN.1 | | ! | | 6.1 |

VCU Note: Addendum

This list provides specific tasks related to the computing environment at VCU.

1

If other alternatives are unavailable, this can be accomplished by installing a SOHO router/firewall in between the network and the host to be protected.

2

Sun Update Manager/Sun Patch Manager

These services now require valid service contracts with Sun.

3

Sun Update Manager can provide desktop notifications of new patches.

4

Each server is unique in its needs. The CIS guide will discuss many services that are part of the core Solaris OS. Review these services and disable those that are unnecessary.

15

SSH is distributed with the Solaris operating system as of version 9. If you decide to utilize SSH, the ISO highly recommends the following:

  • Change the SSH port from 22 to another port. Scripts that malicious hackers use against SSH servers are available online, and they always attack port 22 because most people do not change the default port.
  • Do not allow root logins via SSH.
  • If possible, use keys with a passphrase instead of just passwords. To create RSA keys, run the following commands (replace "server" with the host name; the last step overwrites any existing authorized_keys2 on the server):
    • ssh-keygen -t rsa
    • ssh server "mkdir .ssh; chmod 0700 .ssh"
    • scp ~/.ssh/id_rsa.pub server:.ssh/authorized_keys2

The CIS Solaris Benchmark covers some suggested basic settings to place in the configuration file.

You may also want to visit the SSL Web site.
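To verify that a host's sshd follows the three recommendations above, here is an added shell audit (example code, not part of this checklist or of Solaris). It assumes OpenSSH keyword semantics (the first occurrence of a keyword wins; defaults are Port 22, PermitRootLogin yes, PasswordAuthentication yes) and reads the config file whose path is given as its argument.

```shell
#!/bin/sh
# Added example (not from the VCU checklist): audit an sshd_config against the three
# recommendations in VCU Note 15: a non-default port, no root login over SSH, and
# key-based rather than password authentication. Takes the path to the config so it
# can be run on /etc/ssh/sshd_config or on a copy.

# Effective value of a keyword, lowercased. sshd honours the first non-comment
# occurrence and matches keywords case-insensitively; prints nothing when the keyword
# is absent, which means the compiled-in default applies.
sshd_opt() {
    awk -v key="$2" '$1 !~ /^#/ && tolower($1) == tolower(key) { print tolower($2); exit }' "$1"
}

# Prints one FINDING line per recommendation that does not hold; returns 0 only when
# all three hold. Defaults assumed when a keyword is absent (OpenSSH's own):
# Port 22, PermitRootLogin yes, PasswordAuthentication yes.
audit_sshd_config() {
    cfg=$1; rc=0
    port=$(sshd_opt "$cfg" Port)
    if [ "${port:-22}" = "22" ]; then
        echo "FINDING: sshd listens on the default port 22"; rc=1
    fi
    root=$(sshd_opt "$cfg" PermitRootLogin)
    if [ "${root:-yes}" != "no" ]; then
        echo "FINDING: PermitRootLogin is '${root:-yes}'; set it to no"; rc=1
    fi
    pw=$(sshd_opt "$cfg" PasswordAuthentication)
    if [ "${pw:-yes}" != "no" ]; then
        echo "FINDING: PasswordAuthentication is '${pw:-yes}'; use keys with a passphrase and set it to no"; rc=1
    fi
    return $rc
}
```

Run audit_sshd_config /etc/ssh/sshd_config after editing the file and before restarting sshd; an exit status of 0 means all three recommendations are in place.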

20

IP Filter (ipfilter) is the primary software firewall that Sun provides for Solaris 10.

You may also want to visit the ipfilter home page.

25

If no other method of ensuring that passwords comply with the University Security Operations Manual password requirements is in place, enable the entries in the /etc/default/passwd file that bring the machine's policy into compliance.

27

Use 'sudo' or a similar utility to allow your systems administrators to run commands as root. This provides better accountability, particularly where there are multiple sysadmins, and flexibility: non-sysadmins can be given access to a restricted set of privileged commands they need for their work instead of being given the 'root' password.

More information is available on the Sudo Main Page.

28, 29, 30, 31

The text of the university's official warning banner can be found on the VCU Web site. You may add localized information to the banner as long as the university banner is included.

32

There are a variety of methods available to accomplish this goal. Two good candidates are PGP (cost) and GNUPG (free).

33

Tripwire is available from Software Distribution & Sales for a nominal charge. The Tripwire management console, which is also available from SDS for a nominal charge, can be very helpful for managing more complex installations.

AIDE is a free tool available from SourceForge.

SamHain is another free tool.

34

There are few viruses that infect Solaris computers; therefore, it is understandable for most Solaris servers to have an exception to this rule. See the Operations Manual for information on the exception process.

You may choose any proven anti-virus product. One option is ClamAV.

35

Anti-spyware software must be installed and enabled for Category I data if the machine is used by administrators to browse Web sites not specifically related to the administration of the machine. In addition, anti-spyware software must be installed if users are able to install software.

Very few spyware applications target Unix OSes, so most Unix servers will have an exception to this rule. See the Operations Manual for information on the exception process.

36

To configure NTP on a Solaris server:

1. Create the file /etc/inet/ntp.conf with the following entries:
   server 128.83.185.40
   server 128.83.185.41
   driftfile /etc/ntp.drift

2. Create the file /etc/ntp.drift with the following entry:
   0.0

3. Restart the NTP service by issuing the following commands:
   /etc/rc2.d/S74xntpd stop
   /etc/rc2.d/S74xntpd start