Solaris Security Manual
Release Date: 1999-12-8
Contents:
1, Preparation
2, Initial OS installation
3, Stripping / configuring the OS: 1st pass
4, Connect to the test network
5, Installing tools and sysadmin software
6, Stripping / configuring the OS: 2nd pass
7, Create Tripwire image, backup, test
8, Install, test, harden applications
9, Install on the live network, test
1, Preparation
Minimize: the safest approach is to run only one or two services per host. Prefer several machines each running a few services over a single machine running everything, because a problem is then isolated to one machine and easy to locate. In short: run only the services your machine really needs. Consider removing the keyboard and monitor so that you avoid X11 altogether, and do your command-line testing on an isolated, trusted network segment. Understand what your system and hardware configuration implies, for example whether installing Sun DiskSuite means you need RPC, because DiskSuite requires the RPC services. Understand how each application works: which ports and files it uses.
2, Initial OS installation
Connect a serial console, boot, and send STOP-A (~#, ~%B, or F5, depending on whether you use tip, cu, or a VT100 terminal) to reach the OK prompt, then start the installation with "boot cdrom - install". Use the minimal End User bundle (unless you need the extra Server or Developer tools); set the host name, terminal, IP parameters, time zone and so on. Do not enable NIS or NFS, and do not enable power management. Choose manual partitioning: separate /usr and /opt from the root filesystem so that these partitions can be mounted read-only. Consider putting a large /var and any data volumes with a lot of content (such as web or ftp data) on independent partitions.
For a 2GB disk the recommendation is 200MB for / (including /var), 200MB swap, 600MB /usr and 1GB /opt.
For a 2GB disk a smaller layout is 300MB for / (including /var and /opt), 200MB swap and 500MB /usr.
Set a root password of 7 to 8 characters with mixed case, then reboot.
Next install the security patches from Sun; these are generally included in the CD package. After rebooting and logging in as root, use showrev -p to list the installed patches.
3, Stripping / configuring the OS: 1st pass
Mounts: to limit Trojans and unauthorized modification, in /etc/vfstab use the "remount,nosuid" option when mounting /; give /var the "nosuid" option; and add the "size=100m,nosuid" option to /tmp (this caps /tmp at 100MB and prevents SUID programs from executing there).
If the floppy disk is not needed, remove the /dev/fd entry as well.
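As an added worked example (not part of the original manual), this POSIX sh script applies the three vfstab changes just described to a constructed sample vfstab; the device names in the sample are made up to match the partition layout suggested in section 2.

```shell
#!/bin/sh
# Added example, not from the manual: apply the vfstab changes above
# (/ -> remount,nosuid; /var -> nosuid; /tmp -> size=100m,nosuid).
# vfstab fields: device-to-mount device-to-fsck mount-point FStype fsck-pass mount-at-boot options

add_opt() { # add_opt "a,b" c -> "a,b,c"; never duplicates an option
    case ",$1," in *",$2,"*) printf '%s' "$1"; return ;; esac
    if [ -z "$1" ]; then printf '%s' "$2"; else printf '%s,%s' "$1" "$2"; fi
}

harden_vfstab() { # reads a vfstab on stdin, writes the hardened table to stdout
    while IFS= read -r line; do
        case "$line" in '#'*|'') printf '%s\n' "$line"; continue ;; esac
        set -- $line
        case "$7" in -) opts="" ;; *) opts=$7 ;; esac   # "-" means no options
        case "$3" in
            /)    new=$(add_opt "$(add_opt "$opts" remount)" nosuid) ;;
            /var) new=$(add_opt "$opts" nosuid) ;;
            /tmp) new=$(add_opt "$(add_opt "$opts" size=100m)" nosuid) ;;
            *)    printf '%s\n' "$line"; continue ;;   # other mounts pass through
        esac
        printf '%s %s %s %s %s %s %s\n' "$1" "$2" "$3" "$4" "$5" "$6" "$new"
    done
}

mount_opts_for() { # print the options field of mount point $1 (vfstab on stdin)
    want=$1
    while IFS= read -r line; do
        case "$line" in '#'*|'') continue ;; esac
        set -- $line
        if [ "$3" = "$want" ]; then printf '%s\n' "$7"; fi
    done
}

# Constructed sample vfstab (device names made up to match the layout in section 2)
SAMPLE_VFSTAB='#device            device             mount   FS    fsck mount   mount
#to mount          to fsck            point   type  pass at boot options
fd                 -                  /dev/fd fd    -    no      -
/proc              -                  /proc   proc  -    no      -
/dev/dsk/c0t0d0s1  -                  -       swap  -    no      -
/dev/dsk/c0t0d0s0  /dev/rdsk/c0t0d0s0 /       ufs   1    no      -
/dev/dsk/c0t0d0s4  /dev/rdsk/c0t0d0s4 /var    ufs   1    no      -
/dev/dsk/c0t0d0s6  /dev/rdsk/c0t0d0s6 /usr    ufs   1    no      -
swap               -                  /tmp    tmpfs -    yes     -'

printf '%s\n' "$SAMPLE_VFSTAB" | harden_vfstab
```

On a real system you would run harden_vfstab over a copy of /etc/vfstab and inspect the result before installing it, since a wrong root entry prevents booting.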
(The following commands assume you are using the C shell.)
Disable NFS:
rm /etc/rc2.d/{S73nfs.client,K28nfs.server} /etc/rc3.d/S15nfs.server /etc/dfs/dfstab
Disable the sendmail daemon. Although sendmail is then no longer run as a daemon, the binary still exists and mail can still be sent with it (only receiving is affected). If a host must accept mail, you must use smap or a similar tool to reduce sendmail's exposure to a minimum.
rm /etc/rc2.d/S88sendmail
In addition, add a crontab entry to process the mail queue:
0 * * * * /usr/lib/sendmail -q
Disable some other services:
rm /etc/rc2.d/{S74autofs,S30sysid.net,S71sysid.sys,S72autoinstall}
rm /etc/rc2.d/{S93cacheos.finish,S73cachefs.daemon,S80PRESERVE}
rm /etc/rc2.d/{S85power,K07dmi}
rm /etc/rc3.d/S77dmi
If you have the Server/Developer packages:
rm /etc/rc2.d/{S47asppp,S89bdconfig,S70uucp}
Disable RPC: it is generally recommended to turn RPC off, but some programs such as DiskSuite require the RPC service, so it is generally recommended not to use DiskSuite. If you cannot disable RPC, you must use a packet filter.
rm /etc/rc2.d/S71rpc
Disable the print service (unless a local printer exists):
rm /etc/rc2.d/S80lp
Disable the Name Service Cache Daemon (nscd):
mv /etc/rc2.d/S76nscd /etc/rc2.d/.S76nscd
Disable CDE (unless you insist on a graphical console):
rm /etc/rc2.d/S99dtlogin
Disable NTP (NTP consumes bandwidth and is an insecurity factor; use rdate against a machine that runs NTP to obtain the exact time instead):
rm /etc/rc2.d/S74xntpd
Disable SNMP:
rm /etc/rc2.d/K07snmpdx /etc/rc3.d/S76snmpdx
Disable IP forwarding and source routing in inetinit (this matters when there is more than one network interface). Add the following settings to /etc/init.d/inetinit:
ndd -set /dev/ip ip_forward_directed_broadcasts 0
ndd -set /dev/ip ip_forward_src_routed 0
ndd -set /dev/ip ip_forwarding 0
Following RFC 1948, it is recommended to add the following setting to /etc/default/inetinit so that initial sequence numbers are generated in a way that prevents TCP sequence number prediction attacks (IP spoofing):
TCP_STRONG_ISS=2
Add the following settings to /etc/system to prevent certain buffer overflow attacks. This protects against attacks that need to execute code on the stack, but it needs hardware support (only effective on sun4u/sun4d/sun4m systems):
set noexec_user_stack=1
set noexec_user_stack_log=1
Use a default route: put the router's IP address in /etc/defaultrouter, or put "route" commands in a startup file /etc/rc2.d/S99static_routes. To disable dynamic routing:
touch /etc/notrouter
To disable multicast, comment out the few lines around "route add 224.0.0.0" in /etc/init.d/inetsvc.
To log all connections handled by inetd, add the "-t" flag to the inetd startup line in /etc/init.d/inetsvc, i.e.:
/usr/sbin/inetd -s -t
Put the hosts you care about in /etc/hosts (those you do not want resolved through DNS).
/etc/inetd.conf:
First disable all services; then configure only those you truly need, and use fwtk netacl or TCP Wrappers to restrict access to the minimal set of IP addresses and to log every connection.
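An added example, not from the original manual, of the "disable everything first, then re-enable the minimum" step: a POSIX sh function that comments out every inetd.conf service not on an allow list and wraps the surviving services with TCP Wrappers. The tcpd install path and the sample inetd.conf are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not from the manual: "disable everything first, then enable
# only what is needed" for /etc/inetd.conf, with the kept services wrapped
# by TCP Wrappers. inetd.conf fields:
#   service socket proto wait/nowait user server-program server-args
TCPD=/usr/local/sbin/tcpd   # assumed install path for the TCP Wrappers daemon

harden_inetd_conf() { # usage: harden_inetd_conf "svc1 svc2 ..." < inetd.conf
    allow=" $1 "
    while IFS= read -r line; do
        case "$line" in '#'*|'') printf '%s\n' "$line"; continue ;; esac
        set -- $line
        case "$allow" in
            *" $1 "*)
                if [ "$6" = "internal" ]; then
                    printf '%s\n' "$line"       # inetd built-in, nothing to wrap
                else
                    svc=$1 sock=$2 proto=$3 wait=$4 user=$5
                    shift 6                     # $* is now the server-args field
                    printf '%s %s %s %s %s %s %s\n' \
                        "$svc" "$sock" "$proto" "$wait" "$user" "$TCPD" "$*"
                fi ;;
            *) printf '#%s\n' "$line" ;;        # not allowed: comment it out
        esac
    done
}

enabled_services() { # list the service names still active (inetd.conf on stdin)
    while IFS= read -r line; do
        case "$line" in '#'*|'') continue ;; esac
        set -- $line
        printf '%s\n' "$1"
    done
}

# Constructed sample in Solaris 2.6 style (not a real system's file)
SAMPLE_INETD_CONF='# Constructed sample inetd.conf
ftp       stream tcp     nowait root   /usr/sbin/in.ftpd    in.ftpd
telnet    stream tcp     nowait root   /usr/sbin/in.telnetd in.telnetd
shell     stream tcp     nowait root   /usr/sbin/in.rshd    in.rshd
finger    stream tcp     nowait nobody /usr/sbin/in.fingerd in.fingerd
100232/10 tli    rpc/udp wait   root   /usr/sbin/sadmind    sadmind
echo      stream tcp     nowait root   internal'

printf '%s\n' "$SAMPLE_INETD_CONF" | harden_inetd_conf "ftp telnet"
```

After rewriting the file, send inetd a HUP so it re-reads its configuration, and confirm with enabled_services that only the intended services remain.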
4, Connect to the test network
After the stripping and hardening above, the system should still work properly. Connect it to a secure, isolated network. Reboot and log in as root on the console, check the error messages printed while the console boots, and fix them as needed.
5, Installing tools and sysadmin software
This part installs the standard tools and utilities. The most important is SSH. These tools must be compiled and carefully tested on other machines.
Environment:
DNS client: add the domain name and the DNS servers to /etc/resolv.conf, and add dns to the hosts entry in /etc/nsswitch.conf.
Email: if the host does not need to send mail outside the subnet, you do not need a mailhost alias. Otherwise edit /etc/mail/aliases, set mailhost in /etc/hosts, uncomment the DJ line in /etc/mail/sendmail.cf and set it to DJ$w.yourdomain.com.
If DNS is not configured, also add this machine's alias hostname.yourdomain.com in /etc/hosts.
Now send a test email: mailx -v -s test_email root