SlideShare a Scribd company logo

Hardening solaris

Femi Adeyemi
Femi Adeyemi

Hardening Oracle Solaris OS

Technology
1 of 40
Download to read offline
Hardening Solaris Sun Microystem's Solaris Operating system is reasonably secure as delivered, but does have vunerablilities. This session will discuss how to remove those issues, and harden the Operating System to prevent attacks.
What Version of Solaris? ● Three Paths Available ● Solaris Operating System ● Solaris SE ● Trusted Solaris
Solaris Operating System ● Used by majority of Sun's Customers ● Can be hardened with reasonable effort ● Currently at Version 9 (SunOS 2.9)
But for those who want to be Certified...
Solaris 2.6SE ● Solaris 2.6SE has been evaluated at the ITSEC E3/F-C2 level. ● The evaluated configuration consists of Solaris 2.6 5/98 and a small set of standard Solaris 2.6 patches. ● Information about it can be found at: http://wwws.sun.com/software/security/securitycert/2.6.html
Trusted Solaris ● Trusted Solaris is Sun's product for those who are looking for the ultimate in commericial OS Security. ● Trusted Solaris 8 has entered evaulation under Common Criteria EAL4. ● Trusted Solaris 2.5 was ITSEC certified E3/F-B1 and E3/F-C2 in September, 1998. ● More information on Trusted Solaris is at: http://wwws.sun.com/software/solaris/trustedsolaris
Configuring Solaris This section covers changes in Kernel, Filesystems, Permissions, Network Configuration to improve Solaris Security
Kernel Configuration Changes ● Add the following to /etc/system to prevent and log stack buffer overflows attacks set noexec_user_stack=1 set noexec_user_stack_log =1
Root User Configuration ● Ensure root has a umask setting of 077 or 027. ● Ensure root has a safe search path, as in / usr/bin:/sbin:/usr/sbin
Securing the files in /etc ● Remove group write from all files in /etc. ● This can be done with the command chmod -R g-w /etc ● /etc/utmp can be set to mode 644 without disrupting services.
Review all Startup Files ● Examine all startup files in /etc/rc2.d and / etc/rc3.d. (They start with an “S”) ● Rename any unnecessary startup files so they don't start with “S” ● Test by rebooting, and examining / var/adm/messages ● Check for extraneous processes with ps -elf command.
Lock all Administrative Accounts ● Lock, or comment out unnecessary accounts ● Don't forget "sys", "uucp", "nuucp", and "listen". ● The easy way is to put "*LK*" in the password field of the /etc/shadow file. ● Use the noshell program to log attempts to use secured accounts. ● Noshell is part of Titan, which can be found at: http://www.fish.com/titan
Securing Devices ● Examine the file /etc/logindevperm. ● It contains the configuration information for what permissions to set on devices associated with login (console, keyboard, etc). ● Modify them to give different permissions as needed.
Securing Removable Devices ● The Basic Security Module (BSM) can provide allocate and deallocate commands to ensure that only a single user can access removable media (such as tapes) at any one time. ● You can find a BSM Guide at: http://www.sans.org/rr/paper.php?id=403
Diasble the Automounter ● Automounter is controlled by the /etc/auto_* configuration files. ● Remove those files, and/or disable the / etc/rc2.d/S74autofs.
Don't forget the Cron Jobs ● Review the cron jobs of every system account in / var/spool/cron/crontabs. ● Log all cron activities by setting "CRONLOG=yes" in /etc/default/cron.
Remove setuid/setgid from Programs ● Find them with find / -perm -4000 -print ● Most are run by root or the user or group that owns them ● They can have the setuid and setgid bit removed ● Periodically check and make sure the list remains static
Network Configuration Changes This Section details changes to Network Configuration files to improve Security
Disable Network root logins, rlogin and rsh ● Enable the "CONSOLE" line in / etc/default/login. ● Remove /etc/hosts.equiv, /.rhosts ● Remove the "r" commands from /etc/inetd.conf ● Refresh the inetd process with kill -HUP [inetd process id].
Don't let your machine be a router... ● Solaris will route packets if it has multiple network interfaces. ● This behavior is controlled by /etc/init.d/inetinit. ● Add ndd -set /dev/ip ip_forwarding 0 at the end of /etc/init.d/inetinit. (Solaris 2.4 and below). ● Touch /etc/notrouter (Solaris 2.5 and above). ● A small window of vulnerability exists during startup before the routing is turned off.
Prevent TCP Sequence Prediction Attacks ● Modify the variable TCP_STRONG_ISS to be set to 2 in /etc/default/inetinit
Disable NFS Services ● Remove the /etc/dfs/dfstab file. This disables NFS exports. ● Disable the NFS server daemon by renaming / etc/rc3.d/S15nfs.server. ● To prevent becoming an NFS client, rename / etc/rc2.d/S73nfs.client. ● Be sure to name them with a starting letter other than "S".
Use Static Routes whenever possible ● Dynamic routing (in.routed,in.rdisc) is vulnerable to receiving incorrect routes. ● Use static routes to prevent this from happening.
Use Static ARP ● Solaris machines dynamically determine ARP by default. ● Use the arp command to statically set ARP table entries and flush other entries. ● Best used when there are few, unchanging systems on a network with no router between machines, and machines need to be assured of each other's identities.
Hardening System Services This next section will address what can be removed or modified to increase Security
Disabling INETD Services ● Comment out the entries in the /etc/inetd.conf file, except for telnet and ftp. ● If using ssh for network access, you can remove them as well. ● If needed, use xinetd instead of inetd to add logging facilities.
Sendmail ● The current version of sendmail is always available from Berkeley. ● Note: Sun specific modifcations that will be lost if you move to a Berkley sendmail. ● Sun sendmail patches have a tendency to replace Berkeley sendmail with Sun's sendmail. ● Check that the sendmail version that you want to run is still in place after installing patches.
BIND ● Bind on Solaris has known security problems (Just check www.cert.org). ● The problems do get patched, but Solaris bind is generally behind on patches. ● The current standard bind release is always available at ftp://ftp.isc.org/isc/bind
FTP ● wu-ftp is a replacement for the standard ftpd daemon. It has extensive logging and access control. ● You can find it at: http://www.wu-ftpd.org/wu-ftpd-faq.html
Patches ● According to CERT, many systems are compromised by exploiting known bugs for which patches exist. Simply keeping patches up-to-date, especially on "exposed" machines, will greatly decrease the chance of a break-in. You can get recommended and security patches at: http://sunsolve1.sun.com.
Tools Available Summary of Tools available to help secure Solaris
Tools to help Secure Solaris ● Fix-modes was created by Casper Dik to adjust the permissions of several files and directories in Solaris, for the purpose of improving security. It is available from ftp://ftp.wins.uva.nl/pub/solaris/fix-modes.tar.gz. ● The Titan toolkit was created by Brad Powell to fix or tighten potential security holes in UNIX (Solaris, Linux and FreeBSD). It's available from http://www.fish.com/titan.
Tools to help Secure Solaris(cont.) ● The Solaris Security Toolkit “Jass” is designed to assist in the development, deployment, and maintenance of secured Solaris Operating Environment systems. Jass is a set of scripts and directories implementing the recommendations of the security-related Sun BluePrints OnLine articles. Documentation is available from http://www.sun.com/blueprints/browsesubject.html#sec
Tools to help Secure Solaris(cont.) ● Yassp stands for “Yet another Solaris Security Package”. It was written by Jean Chouanard. It automates a large majority of the sercurity changes that were detailed in this presentation. You can find it at: http://www.yassp.org
SunScreen ● One of the bigest additions of Solaris 9 is the inclusion of SunScreen, Sun's previously commericial firewall. ● SunScreen is a full-featured firewall. It has an extensive feature set and provides the bulk of the features found in other major firewalls. It is stateful and dynamic, and at its core is a packet- filtering system like Checkpoint Firewall-1.
Solaris Website Resources ● http://www.sun.com/bigadmin/faq/indexSec.html - Sun's Big Admin Security Resources ● http://www.wins.uva.nl/pub/solaris/solaris2 - The excellent Solaris FAQ ● sunsolve.Sun.COM/pub-cgi/show.pl?target=home - SUN Recommended & Security Patches ● www.sunhelp.org - An excellant Sun Resource ● web.mit.edu/kerberos/www - Kerberos home page
Sun Web Resources(Cont.) ● www.auscert.org.au - Australian Computer Emergency Response Team ● www.cert.org - CERT Coordination Center ● www.cisecurity.com - The Center for Internet Security ● www.fish.com - Dan Farmer's web site with lots of computer security related stuff ● www.ibiblio.org/pub/solaris/sparc - Solaris Package Archive (SUNSite)
Sun Web Resources(Cont.) ● www.infrastructures.org/cfengine - Cfengine ● www.rootprompt.org - Root Prompt -- Nothing but Unix ● www.sabernet.net/papers/Solaris.html - Solaris Security Guide ● www.sans.org - SANS Institute ● www.securityfocus.com - SecurityFocus ● www.solarisguide.com - SolarisGuide.com
Sun Web Resources(Cont.) ● www.sun.com/bigadmin - Sun Large System Administration ● www.sun.com/blueprints - SUN Blueprints ● www.sun.com/security/blueprints - SUN Security Blueprints ● www.sun.com/security/jass - Additional information on the SUN JASS toolkit ● www.sunfreeware.com - Sunfreeware
References ● http://www.itworld.com/Comp/2377/security-faq ● http://www.accs.com/p_and_p/SolSec/index.html ● http://www.sun.com/bigadmin/faq/indexSec.html ● http://www.samag.com/documents/s=7667/sam0213l/0213l.htm ● http://www.samag.com/documents/s=7667/sam0213d/0213d.htm ● http://www.boran.com/security/sp/hardening_solaris_%20resources.txt

Recommended

Oracle Autonomous Health Framework (AHF) White Paper
Oracle Autonomous Health Framework (AHF) White PaperOracle Autonomous Health Framework (AHF) White Paper
Oracle Autonomous Health Framework (AHF) White PaperAnkita Khandelwal
 
Oracle cloud environment architecture orientation
Oracle cloud environment architecture orientationOracle cloud environment architecture orientation
Oracle cloud environment architecture orientationOsama Abdullah
 
15 Troubleshooting Tips and Tricks for database 21c - OGBEMEA KSAOUG
15 Troubleshooting Tips and Tricks for database 21c - OGBEMEA KSAOUG15 Troubleshooting Tips and Tricks for database 21c - OGBEMEA KSAOUG
15 Troubleshooting Tips and Tricks for database 21c - OGBEMEA KSAOUGSandesh Rao
 
Sap application log
Sap application logSap application log
Sap application logAdaikalam Alexander Rayappa™
 
How to Use EXAchk Effectively to Manage Exadata Environments
How to Use EXAchk Effectively to Manage Exadata EnvironmentsHow to Use EXAchk Effectively to Manage Exadata Environments
How to Use EXAchk Effectively to Manage Exadata EnvironmentsSandesh Rao
 
Whats new in oracle trace file analyzer 19.2
Whats new in oracle trace file analyzer 19.2Whats new in oracle trace file analyzer 19.2
Whats new in oracle trace file analyzer 19.2Sandesh Rao
 
AIOUG-GroundBreakers-Jul 2019 - 19c RAC
AIOUG-GroundBreakers-Jul 2019 - 19c RACAIOUG-GroundBreakers-Jul 2019 - 19c RAC
AIOUG-GroundBreakers-Jul 2019 - 19c RACSandesh Rao
 
TFA, ORAchk and EXAchk 20.2 - What's new
TFA, ORAchk and EXAchk 20.2 - What's new TFA, ORAchk and EXAchk 20.2 - What's new
TFA, ORAchk and EXAchk 20.2 - What's new Sandesh Rao
 

Recommended

Oracle Autonomous Health Framework (AHF) White Paper
Oracle Autonomous Health Framework (AHF) White PaperOracle Autonomous Health Framework (AHF) White Paper
Oracle Autonomous Health Framework (AHF) White PaperAnkita Khandelwal
 
Oracle cloud environment architecture orientation
Oracle cloud environment architecture orientationOracle cloud environment architecture orientation
Oracle cloud environment architecture orientationOsama Abdullah
 
15 Troubleshooting Tips and Tricks for database 21c - OGBEMEA KSAOUG
15 Troubleshooting Tips and Tricks for database 21c - OGBEMEA KSAOUG15 Troubleshooting Tips and Tricks for database 21c - OGBEMEA KSAOUG
15 Troubleshooting Tips and Tricks for database 21c - OGBEMEA KSAOUGSandesh Rao
 
Sap application log
Sap application logSap application log
Sap application logAdaikalam Alexander Rayappa™
 
How to Use EXAchk Effectively to Manage Exadata Environments
How to Use EXAchk Effectively to Manage Exadata EnvironmentsHow to Use EXAchk Effectively to Manage Exadata Environments
How to Use EXAchk Effectively to Manage Exadata EnvironmentsSandesh Rao
 
Whats new in oracle trace file analyzer 19.2
Whats new in oracle trace file analyzer 19.2Whats new in oracle trace file analyzer 19.2
Whats new in oracle trace file analyzer 19.2Sandesh Rao
 
AIOUG-GroundBreakers-Jul 2019 - 19c RAC
AIOUG-GroundBreakers-Jul 2019 - 19c RACAIOUG-GroundBreakers-Jul 2019 - 19c RAC
AIOUG-GroundBreakers-Jul 2019 - 19c RACSandesh Rao
 
TFA, ORAchk and EXAchk 20.2 - What's new
TFA, ORAchk and EXAchk 20.2 - What's new TFA, ORAchk and EXAchk 20.2 - What's new
TFA, ORAchk and EXAchk 20.2 - What's new Sandesh Rao
 
RAC - Test
RAC - TestRAC - Test
RAC - TestDaralmadinah
 
TFA_Whats_New_in version 12.1.2.8.4
TFA_Whats_New_in version 12.1.2.8.4TFA_Whats_New_in version 12.1.2.8.4
TFA_Whats_New_in version 12.1.2.8.4Sandesh Rao
 
New Generation Oracle RAC Performance
New Generation Oracle RAC PerformanceNew Generation Oracle RAC Performance
New Generation Oracle RAC PerformanceAnil Nair
 
Oracle ORAchk & EXAchk, What's New in 12.1.0.2.7
Oracle ORAchk & EXAchk, What's New in 12.1.0.2.7Oracle ORAchk & EXAchk, What's New in 12.1.0.2.7
Oracle ORAchk & EXAchk, What's New in 12.1.0.2.7Gareth Chapman
 
Oracle Autonomous Health Service- For Protecting Your On-Premise Databases- F...
Oracle Autonomous Health Service- For Protecting Your On-Premise Databases- F...Oracle Autonomous Health Service- For Protecting Your On-Premise Databases- F...
Oracle Autonomous Health Service- For Protecting Your On-Premise Databases- F...Sandesh Rao
 
Oracle Real Application Clusters 19c- Best Practices and Internals- EMEA Tour...
Oracle Real Application Clusters 19c- Best Practices and Internals- EMEA Tour...Oracle Real Application Clusters 19c- Best Practices and Internals- EMEA Tour...
Oracle Real Application Clusters 19c- Best Practices and Internals- EMEA Tour...Sandesh Rao
 
TFA Collector - what can one do with it
TFA Collector - what can one do with it TFA Collector - what can one do with it
TFA Collector - what can one do with it Sandesh Rao
 
Expert performance tuning tips for Oracle RAC
Expert performance tuning tips for Oracle RACExpert performance tuning tips for Oracle RAC
Expert performance tuning tips for Oracle RACSolarWinds
 
Oracle-11g-upgrade
Oracle-11g-upgradeOracle-11g-upgrade
Oracle-11g-upgradeAntonio Carlos dos Santos Jr
 
Oracle dba online training
Oracle dba online trainingOracle dba online training
Oracle dba online trainingkeylabstraining
 
Colvin exadata and_oem12c
Colvin exadata and_oem12cColvin exadata and_oem12c
Colvin exadata and_oem12cEnkitec
 
Using Machine Learning to Debug Oracle RAC Issues
Using Machine Learning to Debug Oracle RAC IssuesUsing Machine Learning to Debug Oracle RAC Issues
Using Machine Learning to Debug Oracle RAC IssuesAnil Nair
 
RAC - The Savior of DBA
RAC - The Savior of DBARAC - The Savior of DBA
RAC - The Savior of DBANikhil Kumar
 
Smart monitoring how does oracle rac manage resource, state ukoug19
Smart monitoring how does oracle rac manage resource, state ukoug19Smart monitoring how does oracle rac manage resource, state ukoug19
Smart monitoring how does oracle rac manage resource, state ukoug19Anil Nair
 
RMAN best practices for RAC
RMAN best practices for RACRMAN best practices for RAC
RMAN best practices for RACSyed Hussain
 
Oracle 11g R2 RAC implementation and concept
Oracle 11g R2 RAC implementation and conceptOracle 11g R2 RAC implementation and concept
Oracle 11g R2 RAC implementation and conceptSantosh Kangane
 
Oracle RAC features on Exadata
Oracle RAC features on ExadataOracle RAC features on Exadata
Oracle RAC features on ExadataAnil Nair
 
Discoverer 11.1.1.7 web logic (10.3.6) & ebs r12 12.1.3) implementation guide...
Discoverer 11.1.1.7 web logic (10.3.6) & ebs r12 12.1.3) implementation guide...Discoverer 11.1.1.7 web logic (10.3.6) & ebs r12 12.1.3) implementation guide...
Discoverer 11.1.1.7 web logic (10.3.6) & ebs r12 12.1.3) implementation guide...ginniapps
 
Maximizing Oracle RAC Uptime
Maximizing Oracle RAC UptimeMaximizing Oracle RAC Uptime
Maximizing Oracle RAC UptimeMarkus Michalewicz
 
Oracle Clusterware Node Management and Voting Disks
Oracle Clusterware Node Management and Voting DisksOracle Clusterware Node Management and Voting Disks
Oracle Clusterware Node Management and Voting DisksMarkus Michalewicz
 
Server control utility reference
Server control utility referenceServer control utility reference
Server control utility referenceFemi Adeyemi
 
Les 20 dup_db
Les 20 dup_dbLes 20 dup_db
Les 20 dup_dbFemi Adeyemi
 

More Related Content

What's hot

TFA_Whats_New_in version 12.1.2.8.4
TFA_Whats_New_in version 12.1.2.8.4TFA_Whats_New_in version 12.1.2.8.4
TFA_Whats_New_in version 12.1.2.8.4Sandesh Rao
 
New Generation Oracle RAC Performance
New Generation Oracle RAC PerformanceNew Generation Oracle RAC Performance
New Generation Oracle RAC PerformanceAnil Nair
 
Oracle ORAchk & EXAchk, What's New in 12.1.0.2.7
Oracle ORAchk & EXAchk, What's New in 12.1.0.2.7Oracle ORAchk & EXAchk, What's New in 12.1.0.2.7
Oracle ORAchk & EXAchk, What's New in 12.1.0.2.7Gareth Chapman
 
Oracle Autonomous Health Service- For Protecting Your On-Premise Databases- F...
Oracle Autonomous Health Service- For Protecting Your On-Premise Databases- F...Oracle Autonomous Health Service- For Protecting Your On-Premise Databases- F...
Oracle Autonomous Health Service- For Protecting Your On-Premise Databases- F...Sandesh Rao
 
Oracle Real Application Clusters 19c- Best Practices and Internals- EMEA Tour...
Oracle Real Application Clusters 19c- Best Practices and Internals- EMEA Tour...Oracle Real Application Clusters 19c- Best Practices and Internals- EMEA Tour...
Oracle Real Application Clusters 19c- Best Practices and Internals- EMEA Tour...Sandesh Rao
 
TFA Collector - what can one do with it
TFA Collector - what can one do with it TFA Collector - what can one do with it
TFA Collector - what can one do with it Sandesh Rao
 
Expert performance tuning tips for Oracle RAC
Expert performance tuning tips for Oracle RACExpert performance tuning tips for Oracle RAC
Expert performance tuning tips for Oracle RACSolarWinds
 
Oracle dba online training
Oracle dba online trainingOracle dba online training
Oracle dba online trainingkeylabstraining
 
Colvin exadata and_oem12c
Colvin exadata and_oem12cColvin exadata and_oem12c
Colvin exadata and_oem12cEnkitec
 
Using Machine Learning to Debug Oracle RAC Issues
Using Machine Learning to Debug Oracle RAC IssuesUsing Machine Learning to Debug Oracle RAC Issues
Using Machine Learning to Debug Oracle RAC IssuesAnil Nair
 
RAC - The Savior of DBA
RAC - The Savior of DBARAC - The Savior of DBA
RAC - The Savior of DBANikhil Kumar
 
Smart monitoring how does oracle rac manage resource, state ukoug19
Smart monitoring how does oracle rac manage resource, state ukoug19Smart monitoring how does oracle rac manage resource, state ukoug19
Smart monitoring how does oracle rac manage resource, state ukoug19Anil Nair
 
RMAN best practices for RAC
RMAN best practices for RACRMAN best practices for RAC
RMAN best practices for RACSyed Hussain
 
Oracle 11g R2 RAC implementation and concept
Oracle 11g R2 RAC implementation and conceptOracle 11g R2 RAC implementation and concept
Oracle 11g R2 RAC implementation and conceptSantosh Kangane
 
Oracle RAC features on Exadata
Oracle RAC features on ExadataOracle RAC features on Exadata
Oracle RAC features on ExadataAnil Nair
 
Discoverer 11.1.1.7 web logic (10.3.6) & ebs r12 12.1.3) implementation guide...
Discoverer 11.1.1.7 web logic (10.3.6) & ebs r12 12.1.3) implementation guide...Discoverer 11.1.1.7 web logic (10.3.6) & ebs r12 12.1.3) implementation guide...
Discoverer 11.1.1.7 web logic (10.3.6) & ebs r12 12.1.3) implementation guide...ginniapps
 
Oracle Clusterware Node Management and Voting Disks
Oracle Clusterware Node Management and Voting DisksOracle Clusterware Node Management and Voting Disks
Oracle Clusterware Node Management and Voting DisksMarkus Michalewicz
 

What's hot (20)

RAC - Test
RAC - TestRAC - Test
RAC - Test
 
TFA_Whats_New_in version 12.1.2.8.4
TFA_Whats_New_in version 12.1.2.8.4TFA_Whats_New_in version 12.1.2.8.4
TFA_Whats_New_in version 12.1.2.8.4
 
New Generation Oracle RAC Performance
New Generation Oracle RAC PerformanceNew Generation Oracle RAC Performance
New Generation Oracle RAC Performance
 
Oracle ORAchk & EXAchk, What's New in 12.1.0.2.7
Oracle ORAchk & EXAchk, What's New in 12.1.0.2.7Oracle ORAchk & EXAchk, What's New in 12.1.0.2.7
Oracle ORAchk & EXAchk, What's New in 12.1.0.2.7
 
Oracle Autonomous Health Service- For Protecting Your On-Premise Databases- F...
Oracle Autonomous Health Service- For Protecting Your On-Premise Databases- F...Oracle Autonomous Health Service- For Protecting Your On-Premise Databases- F...
Oracle Autonomous Health Service- For Protecting Your On-Premise Databases- F...
 
Oracle Real Application Clusters 19c- Best Practices and Internals- EMEA Tour...
Oracle Real Application Clusters 19c- Best Practices and Internals- EMEA Tour...Oracle Real Application Clusters 19c- Best Practices and Internals- EMEA Tour...
Oracle Real Application Clusters 19c- Best Practices and Internals- EMEA Tour...
 
TFA Collector - what can one do with it
TFA Collector - what can one do with it TFA Collector - what can one do with it
TFA Collector - what can one do with it
 
Expert performance tuning tips for Oracle RAC
Expert performance tuning tips for Oracle RACExpert performance tuning tips for Oracle RAC
Expert performance tuning tips for Oracle RAC
 
Oracle-11g-upgrade
Oracle-11g-upgradeOracle-11g-upgrade
Oracle-11g-upgrade
 
Oracle dba online training
Oracle dba online trainingOracle dba online training
Oracle dba online training
 
Colvin exadata and_oem12c
Colvin exadata and_oem12cColvin exadata and_oem12c
Colvin exadata and_oem12c
 
Using Machine Learning to Debug Oracle RAC Issues
Using Machine Learning to Debug Oracle RAC IssuesUsing Machine Learning to Debug Oracle RAC Issues
Using Machine Learning to Debug Oracle RAC Issues
 
RAC - The Savior of DBA
RAC - The Savior of DBARAC - The Savior of DBA
RAC - The Savior of DBA
 
Smart monitoring how does oracle rac manage resource, state ukoug19
Smart monitoring how does oracle rac manage resource, state ukoug19Smart monitoring how does oracle rac manage resource, state ukoug19
Smart monitoring how does oracle rac manage resource, state ukoug19
 
RMAN best practices for RAC
RMAN best practices for RACRMAN best practices for RAC
RMAN best practices for RAC
 
Oracle 11g R2 RAC implementation and concept
Oracle 11g R2 RAC implementation and conceptOracle 11g R2 RAC implementation and concept
Oracle 11g R2 RAC implementation and concept
 
Oracle RAC features on Exadata
Oracle RAC features on ExadataOracle RAC features on Exadata
Oracle RAC features on Exadata
 
Discoverer 11.1.1.7 web logic (10.3.6) & ebs r12 12.1.3) implementation guide...
Discoverer 11.1.1.7 web logic (10.3.6) & ebs r12 12.1.3) implementation guide...Discoverer 11.1.1.7 web logic (10.3.6) & ebs r12 12.1.3) implementation guide...
Discoverer 11.1.1.7 web logic (10.3.6) & ebs r12 12.1.3) implementation guide...
 
Maximizing Oracle RAC Uptime
Maximizing Oracle RAC UptimeMaximizing Oracle RAC Uptime
Maximizing Oracle RAC Uptime
 
Oracle Clusterware Node Management and Voting Disks
Oracle Clusterware Node Management and Voting DisksOracle Clusterware Node Management and Voting Disks
Oracle Clusterware Node Management and Voting Disks
 

Viewers also liked

Server control utility reference
Server control utility referenceServer control utility reference
Server control utility referenceFemi Adeyemi
 
Vi editor commands
Vi editor commandsVi editor commands
Vi editor commandsFemi Adeyemi
 
High availability overview: Oracle Database 12c
High availability overview: Oracle Database 12cHigh availability overview: Oracle Database 12c
High availability overview: Oracle Database 12cFemi Adeyemi
 
Oracle data guard broker 12c
Oracle data guard broker 12cOracle data guard broker 12c
Oracle data guard broker 12cFemi Adeyemi
 
Using VirtualBox - Learn Oracle Database 12c and EBS R12
Using VirtualBox - Learn Oracle Database 12c and EBS R12Using VirtualBox - Learn Oracle Database 12c and EBS R12
Using VirtualBox - Learn Oracle Database 12c and EBS R12Biju Thomas
 
RAC Attack 12c Installation Instruction
RAC Attack 12c Installation InstructionRAC Attack 12c Installation Instruction
RAC Attack 12c Installation InstructionYury Velikanov
 
Oracle database 12c sql tuning
Oracle database 12c sql tuningOracle database 12c sql tuning
Oracle database 12c sql tuningFemi Adeyemi
 
Solaris Operating System
Solaris Operating SystemSolaris Operating System
Solaris Operating SystemJoshua Guillano
 
Oracle database 12c sql worshop 1 student guide vol 2
Oracle database 12c sql worshop 1 student guide vol 2Oracle database 12c sql worshop 1 student guide vol 2
Oracle database 12c sql worshop 1 student guide vol 2Otto Paiz
 
Solaris Operating System - Oracle
Solaris Operating System - Oracle Solaris Operating System - Oracle
Solaris Operating System - OracleMalan Amarasinghe
 

Viewers also liked (11)

Server control utility reference
Server control utility referenceServer control utility reference
Server control utility reference
 
Les 20 dup_db
Les 20 dup_dbLes 20 dup_db
Les 20 dup_db
 
Vi editor commands
Vi editor commandsVi editor commands
Vi editor commands
 
High availability overview: Oracle Database 12c
High availability overview: Oracle Database 12cHigh availability overview: Oracle Database 12c
High availability overview: Oracle Database 12c
 
Oracle data guard broker 12c
Oracle data guard broker 12cOracle data guard broker 12c
Oracle data guard broker 12c
 
Using VirtualBox - Learn Oracle Database 12c and EBS R12
Using VirtualBox - Learn Oracle Database 12c and EBS R12Using VirtualBox - Learn Oracle Database 12c and EBS R12
Using VirtualBox - Learn Oracle Database 12c and EBS R12
 
RAC Attack 12c Installation Instruction
RAC Attack 12c Installation InstructionRAC Attack 12c Installation Instruction
RAC Attack 12c Installation Instruction
 
Oracle database 12c sql tuning
Oracle database 12c sql tuningOracle database 12c sql tuning
Oracle database 12c sql tuning
 
Solaris Operating System
Solaris Operating SystemSolaris Operating System
Solaris Operating System
 
Oracle database 12c sql worshop 1 student guide vol 2
Oracle database 12c sql worshop 1 student guide vol 2Oracle database 12c sql worshop 1 student guide vol 2
Oracle database 12c sql worshop 1 student guide vol 2
 
Solaris Operating System - Oracle
Solaris Operating System - Oracle Solaris Operating System - Oracle
Solaris Operating System - Oracle
 

Similar to Hardening solaris

Red Hat Linux 5 Hardening Tips - National Security Agency
Red Hat Linux 5 Hardening Tips - National Security AgencyRed Hat Linux 5 Hardening Tips - National Security Agency
Red Hat Linux 5 Hardening Tips - National Security Agencysanchetanparmar
 
Linux security quick reference guide
Linux security quick reference guideLinux security quick reference guide
Linux security quick reference guideCraig Cannon
 
Automotive Grade Linux and systemd
Automotive Grade Linux and systemdAutomotive Grade Linux and systemd
Automotive Grade Linux and systemdAlison Chaiken
 
Unix Security
Unix SecurityUnix Security
Unix Securityreplay21
 
Tuning systemd for embedded
Tuning systemd for embeddedTuning systemd for embedded
Tuning systemd for embeddedAlison Chaiken
 
EM12C High Availability without SLB and RAC
EM12C High Availability without SLB and RACEM12C High Availability without SLB and RAC
EM12C High Availability without SLB and RACSecure-24
 
Dru lavigne servers-tutorial
Dru lavigne servers-tutorialDru lavigne servers-tutorial
Dru lavigne servers-tutorialDru Lavigne
 
Oracle11g On Fedora14
Oracle11g On Fedora14Oracle11g On Fedora14
Oracle11g On Fedora14kmsa
 
UKOUG Tech17 - Stay Secure With Oracle Solaris
UKOUG Tech17 - Stay Secure With Oracle SolarisUKOUG Tech17 - Stay Secure With Oracle Solaris
UKOUG Tech17 - Stay Secure With Oracle SolarisJomaSoft
 
Timings of Init : Android Ramdisks for the Practical Hacker
Timings of Init : Android Ramdisks for the Practical HackerTimings of Init : Android Ramdisks for the Practical Hacker
Timings of Init : Android Ramdisks for the Practical HackerStacy Devino
 
Squid proxy server
Squid proxy serverSquid proxy server
Squid proxy serverGreen Jb
 
Release notes 3_d_v61
Release notes 3_d_v61Release notes 3_d_v61
Release notes 3_d_v61sundar sivam
 
Containers with systemd-nspawn
Containers with systemd-nspawnContainers with systemd-nspawn
Containers with systemd-nspawnGábor Nyers
 
EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)
EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)
EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)David Sweigert
 
Your first dive into systemd!
Your first dive into systemd!Your first dive into systemd!
Your first dive into systemd!Etsuji Nakai
 

Similar to Hardening solaris (20)

Red Hat Linux 5 Hardening Tips - National Security Agency
Red Hat Linux 5 Hardening Tips - National Security AgencyRed Hat Linux 5 Hardening Tips - National Security Agency
Red Hat Linux 5 Hardening Tips - National Security Agency
 
Linux security quick reference guide
Linux security quick reference guideLinux security quick reference guide
Linux security quick reference guide
 
Automotive Grade Linux and systemd
Automotive Grade Linux and systemdAutomotive Grade Linux and systemd
Automotive Grade Linux and systemd
 
Unix Security
Unix SecurityUnix Security
Unix Security
 
Tuning systemd for embedded
Tuning systemd for embeddedTuning systemd for embedded
Tuning systemd for embedded
 
EM12C High Availability without SLB and RAC
EM12C High Availability without SLB and RACEM12C High Availability without SLB and RAC
EM12C High Availability without SLB and RAC
 
Dru lavigne servers-tutorial
Dru lavigne servers-tutorialDru lavigne servers-tutorial
Dru lavigne servers-tutorial
 
Oracle11g On Fedora14
Oracle11g On Fedora14Oracle11g On Fedora14
Oracle11g On Fedora14
 
Oracle11g on fedora14
Oracle11g on fedora14Oracle11g on fedora14
Oracle11g on fedora14
 
Ch04 system administration
Ch04 system administration Ch04 system administration
Ch04 system administration
 
Ch04
Ch04Ch04
Ch04
 
UKOUG Tech17 - Stay Secure With Oracle Solaris
UKOUG Tech17 - Stay Secure With Oracle SolarisUKOUG Tech17 - Stay Secure With Oracle Solaris
UKOUG Tech17 - Stay Secure With Oracle Solaris
 
Unix Administration 2
Unix Administration 2Unix Administration 2
Unix Administration 2
 
Timings of Init : Android Ramdisks for the Practical Hacker
Timings of Init : Android Ramdisks for the Practical HackerTimings of Init : Android Ramdisks for the Practical Hacker
Timings of Init : Android Ramdisks for the Practical Hacker
 
Squid proxy server
Squid proxy serverSquid proxy server
Squid proxy server
 
Freeradius edir
Freeradius edirFreeradius edir
Freeradius edir
 
Release notes 3_d_v61
Release notes 3_d_v61Release notes 3_d_v61
Release notes 3_d_v61
 
Containers with systemd-nspawn
Containers with systemd-nspawnContainers with systemd-nspawn
Containers with systemd-nspawn
 
EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)
EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)
EXAM NOTES for DOD Standard 8570 CompTia Advanced Security Practitioner (CASP)
 
Your first dive into systemd!
Your first dive into systemd!Your first dive into systemd!
Your first dive into systemd!
 

More from Femi Adeyemi

More from Femi Adeyemi (20)

Xpp c user_rec
Xpp c user_recXpp c user_rec
Xpp c user_rec
 
Xpp b tspitr
Xpp b tspitrXpp b tspitr
Xpp b tspitr
 
Les 19 space_db
Les 19 space_dbLes 19 space_db
Les 19 space_db
 
Les 18 space
Les 18 spaceLes 18 space
Les 18 space
 
Les 17 sched
Les 17 schedLes 17 sched
Les 17 sched
 
Les 16 resource
Les 16 resourceLes 16 resource
Les 16 resource
 
Les 15 perf_sql
Les 15 perf_sqlLes 15 perf_sql
Les 15 perf_sql
 
Les 14 perf_db
Les 14 perf_dbLes 14 perf_db
Les 14 perf_db
 
Les 13 memory
Les 13 memoryLes 13 memory
Les 13 memory
 
Les 12 fl_db
Les 12 fl_dbLes 12 fl_db
Les 12 fl_db
 
Les 11 fl2
Les 11 fl2Les 11 fl2
Les 11 fl2
 
Les 10 fl1
Les 10 fl1Les 10 fl1
Les 10 fl1
 
Les 09 diag
Les 09 diagLes 09 diag
Les 09 diag
 
Les 08 tune_rman
Les 08 tune_rmanLes 08 tune_rman
Les 08 tune_rman
 
Les 07 rman_rec
Les 07 rman_recLes 07 rman_rec
Les 07 rman_rec
 
Les 06 rec
Les 06 recLes 06 rec
Les 06 rec
 
Les 05 create_bu
Les 05 create_buLes 05 create_bu
Les 05 create_bu
 
Les 04 config_bu
Les 04 config_buLes 04 config_bu
Les 04 config_bu
 
Les 03 catalog
Les 03 catalogLes 03 catalog
Les 03 catalog
 
Les 02 config
Les 02 configLes 02 config
Les 02 config
 

Recently uploaded

GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Principled Technologies
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024SynarionITSolutions
 
Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024The Digital Insurer
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesBoston Institute of Analytics
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsRoshan Dwivedi
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 

Recently uploaded (20)

GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024
 
Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 

Hardening solaris

  • 1. Hardening Solaris Sun Microystem's Solaris Operating system is reasonably secure as delivered, but does have vunerablilities. This session will discuss how to remove those issues, and harden the Operating System to prevent attacks.
  • 2. What Version of Solaris? ● Three Paths Available ● Solaris Operating System ● Solaris SE ● Trusted Solaris
  • 3. Solaris Operating System ● Used by majority of Sun's Customers ● Can be hardened with reasonable effort ● Currently at Version 9 (SunOS 2.9)
  • 4. But for those who want to be Certified...
  • 5. Solaris 2.6SE ● Solaris 2.6SE has been evaluated at the ITSEC E3/F-C2 level. ● The evaluated configuration consists of Solaris 2.6 5/98 and a small set of standard Solaris 2.6 patches. ● Information about it can be found at: http://wwws.sun.com/software/security/securitycert/2.6.html
  • 6. Trusted Solaris ● Trusted Solaris is Sun's product for those who are looking for the ultimate in commericial OS Security. ● Trusted Solaris 8 has entered evaulation under Common Criteria EAL4. ● Trusted Solaris 2.5 was ITSEC certified E3/F-B1 and E3/F-C2 in September, 1998. ● More information on Trusted Solaris is at: http://wwws.sun.com/software/solaris/trustedsolaris
  • 7. Configuring Solaris This section covers changes in Kernel, Filesystems, Permissions, Network Configuration to improve Solaris Security
  • 8. Kernel Configuration Changes ● Add the following to /etc/system to prevent and log stack buffer overflows attacks set noexec_user_stack=1 set noexec_user_stack_log =1
  • 9. Root User Configuration ● Ensure root has a umask setting of 077 or 027. ● Ensure root has a safe search path, as in / usr/bin:/sbin:/usr/sbin
  • 10. Securing the files in /etc ● Remove group write from all files in /etc. ● This can be done with the command chmod -R g-w /etc ● /etc/utmp can be set to mode 644 without disrupting services.
  • 11. Review all Startup Files ● Examine all startup files in /etc/rc2.d and / etc/rc3.d. (They start with an “S”) ● Rename any unnecessary startup files so they don't start with “S” ● Test by rebooting, and examining / var/adm/messages ● Check for extraneous processes with ps -elf command.
  • 12. Lock all Administrative Accounts ● Lock, or comment out unnecessary accounts ● Don't forget "sys", "uucp", "nuucp", and "listen". ● The easy way is to put "*LK*" in the password field of the /etc/shadow file. ● Use the noshell program to log attempts to use secured accounts. ● Noshell is part of Titan, which can be found at: http://www.fish.com/titan
  • 13. Securing Devices ● Examine the file /etc/logindevperm. ● It contains the configuration information for what permissions to set on devices associated with login (console, keyboard, etc). ● Modify them to give different permissions as needed.
  • 14. Securing Removable Devices ● The Basic Security Module (BSM) can provide allocate and deallocate commands to ensure that only a single user can access removable media (such as tapes) at any one time. ● You can find a BSM Guide at: http://www.sans.org/rr/paper.php?id=403
  • 15. Diasble the Automounter ● Automounter is controlled by the /etc/auto_* configuration files. ● Remove those files, and/or disable the / etc/rc2.d/S74autofs.
  • 16. Don't forget the Cron Jobs ● Review the cron jobs of every system account in / var/spool/cron/crontabs. ● Log all cron activities by setting "CRONLOG=yes" in /etc/default/cron.
  • 17. Remove setuid/setgid from Programs ● Find them with find / -perm -4000 -print ● Most are run by root or the user or group that owns them ● They can have the setuid and setgid bit removed ● Periodically check and make sure the list remains static
  • 18. Network Configuration Changes This Section details changes to Network Configuration files to improve Security
  • 19. Disable Network root logins, rlogin and rsh ● Enable the "CONSOLE" line in / etc/default/login. ● Remove /etc/hosts.equiv, /.rhosts ● Remove the "r" commands from /etc/inetd.conf ● Refresh the inetd process with kill -HUP [inetd process id].
  • 20. Don't let your machine be a router... ● Solaris will route packets if it has multiple network interfaces. ● This behavior is controlled by /etc/init.d/inetinit. ● Add ndd -set /dev/ip ip_forwarding 0 at the end of /etc/init.d/inetinit. (Solaris 2.4 and below). ● Touch /etc/notrouter (Solaris 2.5 and above). ● A small window of vulnerability exists during startup before the routing is turned off.
  • 21. Prevent TCP Sequence Prediction Attacks ● Modify the variable TCP_STRONG_ISS to be set to 2 in /etc/default/inetinit
  • 22. Disable NFS Services ● Remove the /etc/dfs/dfstab file. This disables NFS exports. ● Disable the NFS server daemon by renaming / etc/rc3.d/S15nfs.server. ● To prevent becoming an NFS client, rename / etc/rc2.d/S73nfs.client. ● Be sure to name them with a starting letter other than "S".
  • 23. Use Static Routes whenever possible ● Dynamic routing (in.routed,in.rdisc) is vulnerable to receiving incorrect routes. ● Use static routes to prevent this from happening.
  • 24. Use Static ARP ● Solaris machines dynamically determine ARP by default. ● Use the arp command to statically set ARP table entries and flush other entries. ● Best used when there are few, unchanging systems on a network with no router between machines, and machines need to be assured of each other's identities.
  • 25. Hardening System Services This next section will address what can be removed or modified to increase Security
  • 26. Disabling INETD Services ● Comment out the entries in the /etc/inetd.conf file, except for telnet and ftp. ● If using ssh for network access, you can remove them as well. ● If needed, use xinetd instead of inetd to add logging facilities.
  • 27. Sendmail ● The current version of sendmail is always available from Berkeley. ● Note: Sun specific modifcations that will be lost if you move to a Berkley sendmail. ● Sun sendmail patches have a tendency to replace Berkeley sendmail with Sun's sendmail. ● Check that the sendmail version that you want to run is still in place after installing patches.
  • 28. BIND ● Bind on Solaris has known security problems (Just check www.cert.org). ● The problems do get patched, but Solaris bind is generally behind on patches. ● The current standard bind release is always available at ftp://ftp.isc.org/isc/bind
  • 29. FTP ● wu-ftp is a replacement for the standard ftpd daemon. It has extensive logging and access control. ● You can find it at: http://www.wu-ftpd.org/wu-ftpd-faq.html
  • 30. Patches ● According to CERT, many systems are compromised by exploiting known bugs for which patches exist. Simply keeping patches up-to-date, especially on "exposed" machines, will greatly decrease the chance of a break-in. You can get recommended and security patches at: http://sunsolve1.sun.com.
  • 31. Tools Available Summary of Tools available to help secure Solaris
  • 32. Tools to help Secure Solaris ● Fix-modes was created by Casper Dik to adjust the permissions of several files and directories in Solaris, for the purpose of improving security. It is available from ftp://ftp.wins.uva.nl/pub/solaris/fix-modes.tar.gz. ● The Titan toolkit was created by Brad Powell to fix or tighten potential security holes in UNIX (Solaris, Linux and FreeBSD). It's available from http://www.fish.com/titan.
  • 33. Tools to help Secure Solaris(cont.) ● The Solaris Security Toolkit “Jass” is designed to assist in the development, deployment, and maintenance of secured Solaris Operating Environment systems. Jass is a set of scripts and directories implementing the recommendations of the security-related Sun BluePrints OnLine articles. Documentation is available from http://www.sun.com/blueprints/browsesubject.html#sec
  • 34. Tools to help Secure Solaris(cont.) ● Yassp stands for “Yet another Solaris Security Package”. It was written by Jean Chouanard. It automates a large majority of the sercurity changes that were detailed in this presentation. You can find it at: http://www.yassp.org
  • 35. SunScreen ● One of the bigest additions of Solaris 9 is the inclusion of SunScreen, Sun's previously commericial firewall. ● SunScreen is a full-featured firewall. It has an extensive feature set and provides the bulk of the features found in other major firewalls. It is stateful and dynamic, and at its core is a packet- filtering system like Checkpoint Firewall-1.
  • 36. Solaris Website Resources ● http://www.sun.com/bigadmin/faq/indexSec.html - Sun's Big Admin Security Resources ● http://www.wins.uva.nl/pub/solaris/solaris2 - The excellent Solaris FAQ ● sunsolve.Sun.COM/pub-cgi/show.pl?target=home - SUN Recommended & Security Patches ● www.sunhelp.org - An excellant Sun Resource ● web.mit.edu/kerberos/www - Kerberos home page
  • 37. Sun Web Resources(Cont.) ● www.auscert.org.au - Australian Computer Emergency Response Team ● www.cert.org - CERT Coordination Center ● www.cisecurity.com - The Center for Internet Security ● www.fish.com - Dan Farmer's web site with lots of computer security related stuff ● www.ibiblio.org/pub/solaris/sparc - Solaris Package Archive (SUNSite)
  • 38. Sun Web Resources(Cont.) ● www.infrastructures.org/cfengine - Cfengine ● www.rootprompt.org - Root Prompt -- Nothing but Unix ● www.sabernet.net/papers/Solaris.html - Solaris Security Guide ● www.sans.org - SANS Institute ● www.securityfocus.com - SecurityFocus ● www.solarisguide.com - SolarisGuide.com
  • 39. Sun Web Resources(Cont.) ● www.sun.com/bigadmin - Sun Large System Administration ● www.sun.com/blueprints - SUN Blueprints ● www.sun.com/security/blueprints - SUN Security Blueprints ● www.sun.com/security/jass - Additional information on the SUN JASS toolkit ● www.sunfreeware.com - Sunfreeware
  • 40. References ● http://www.itworld.com/Comp/2377/security-faq ● http://www.accs.com/p_and_p/SolSec/index.html ● http://www.sun.com/bigadmin/faq/indexSec.html ● http://www.samag.com/documents/s=7667/sam0213l/0213l.htm ● http://www.samag.com/documents/s=7667/sam0213d/0213d.htm ● http://www.boran.com/security/sp/hardening_solaris_%20resources.txt