Sorry for the slow response...like most of you I'm forced to jump from one hot item to the next at the drop of a hat.

I did not find what I was looking for, which is a modern/sol10 version of an article Lance Spitzner wrote years ago called something like armoring solaris (see http://www.mgmg-interactive.com/mgmg/packages3.html), but I did get some good information.

#1 Many suggested this site:
   http://www.cisecurity.org/bench_solaris.html

#2 Regarding which initial install, someone suggested using the reduced network cluster for installation...alan

#3 Insight into just how small you can make an initial Solaris installation:
   http://blogs.sun.com/eric_boutilier/date/20050406#unix_from_scratch_table_of
   - this email had other worthwhile info (posted at bottom)

#4 I also found excellent material in an internal document that a former consultant was working on...I'll have to scrub it & send it out (focus on banking & financials). Some interesting sections from the doc:

Implement the following reqs:
http://grkvlt.blogspot.com/2006/03/hardening-solaris-ten.html
http://www.sun.com/bigadmin/xperts/sessions/17_sol10install/
http://www.sun.com/software/security/jass/

As an example, Solaris 10 includes over 75 public domain software packages in /usr/sfw including such software packages as MySQL, gcc, TCL and TK. Many of these packages are subject to exploitations which often times elevate a user's privileges within the server. At a minimum, the following software should never be installed onto production servers:

* Compilers (GNU gcc or Sun's SUNWspro)
* Java development kits including java compilers (SUNWj3dev, SUNWj5dev, etc.)
* Database access tools (except on database servers themselves)
  o SQL*Net
  o Interpreted software (perl, python, etc.) database access modules (e.g. perl's DBO for oracle).
* Point-to-point protocol (PPP) drivers and configuration
* Directory (LDAP) Server
* Mobile IP
* Apache Server
* DHCP Software
* Sun's Java Application Server
* StarOffice
* tcpdump

Note, 3rd party software should be checked to ensure applications such as compilers are not included.

In addition, Pzone servers should be further hardened by removing network intrusive applications such as:

* snoop(1M)

Minimize System Services

Many of the default system services (time, echo, discard, NFS, NIS, etc.) are not required and are often a target for exploitation.

Internet Services

Internet services are managed by the inetd daemon. The following inetd services should be disabled:

* chargen
* in.comsat
* daytime
* discard
* dtspc
* echo
* exec
* finger
* fs
* ftp (see below)
* krb5_prop
* login
* name
* netstat
* printer
* rquotad
* rstatd
* rusersd
* shell
* sprayd
* sun-dr
* systat
* talk
* telnet
* tftp
* time
* uucp
* walld

Solaris Security Toolkit: http://www.sun.com/security/jass/
Solaris Fingerprint Database: http://sunsolve.sun.com/pub-cgi/fileFingerprints.pl
Sun's Kerberos Information: http://www.sun.com/software/security/kerberos/
Role-Based Access Control (RBAC) white paper: http://wwws.sun.com/software/whitepapers/wp-rbac/
OpenSSH white paper, NTP white paper, information on kernel (ndd) settings, et al: http://www.sun.com/security/blueprints/

System Integrity Solutions

Commercial Tripwire (enterprise ready): http://www.tripwire.com/
Open Source Tripwire: http://sourceforge.net/projects/tripwire/
Basic Audit and Reporting Tool (BART): http://www.sun.com/blueprints/0305/819-2259.pdf
***download this doc & get something basic setup & cron'd***

Other Miscellaneous Documentation

Various documentation on Solaris security issues: http://ist.uwaterloo.ca/security/howto/
On BSM Audit flags: http://www.samag.com/documents/s=9427/sam0414c/0414c.htm
On hiding information in Solaris extended attributes: http://www.usenix.org/publications/login/2004-02/pdfs/brunette.pdf
Discussion of "locked" vs. "blocked" accounts: http://www.securitydocs.com/library/2636
Primary source for information on NTP: http://www.ntp.org/
Information on MIT Kerberos: http://web.mit.edu/kerberos/www/
Apache "Security Tips" document: http://httpd.apache.org/docs-2.0/misc/security_tips.html
Information on Sendmail and DNS:
http://www.sendmail.org/
http://www.deer-run.com/~hal/dns-sendmail/DNSandSendmail.pdf

Software

Pre-compiled software packages for Solaris:
http://www.sunfreeware.com/
ftp://ftp.cisecurity.org/
LogSurfer+ (real time log monitoring): http://www.crypt.gen.nz/logsurfer/
Open Source Sendmail (email server) distributions: ftp://ftp.sendmail.org/

#3 complete email:

This may not be exactly what you want, and it does have an x86 Solaris slant; however, it is a fascinating insight into just how small you can make an initial Solaris installation:
http://blogs.sun.com/eric_boutilier/date/20050406#unix_from_scratch_table_of

The thread has seemingly petered out now but if you haven't come across it before, I think you'll find it worth the read.

I initially installed a Sol10 test box on SPARC hardware using the Reduced Net Core cluster as the starting point and I seem to recall it came out at under 90 packages. The only relevant notes I can find now are these:

--8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<---
These are needed for compilation

Already Installed
system  SUNWlibmsr      Math & Microtasking Libraries           CD1
system  SUNWlibms       Math & Microtasking Libraries           CD1

Needed to be added
system  SUNWarc         Lint Libraries                          CD4
system  SUNWbtool       CCS tools bundled with SunOS            CD4
system  SUNWhea         SunOS Header Files                      CD4
system  SUNWtoo         Programming tools                       CD1
system  SUNWlibmr       Math Library Lint Files                 CD4
system  SUNWlibm        Math & Microtasking Library Headers     CD4
system  SUNWsprot       Solaris Bundled tools                   CD4

and possibly these to get a working compiler
system  SUNWgcmn        gcmn - Common GNU package               CD2
system  SUNWgccruntime  GCC Runtime libraries                   CD2
system  SUNWgcc         gcc - The GNU C compiler                CD4
system  SUNWbinutils    binutils - GNU binutils                 CD4

After this a "gcc hello.c" works (gcc is in /usr/sfw/bin)

Maybe these will be needed later (Eric Boutilier's blog)
SUNWxcu4        XCU4 Utilities
SUNWscpr        Source Compatibility, (Root)
SUNWscpu        Source Compatibility, (Usr)
--8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<-----8<---

If you want any more info, I could try and find some more notes, but I didn't take it all that far; however, I would think that following your nose from the thread above will be all you'd need to get a minimal installation.

Joe Beck
Ciber Inc. - a consultant to SEI
One Freedom Valley Drive/ 100 Cider Mill Road | Oaks, PA 19456 | p: 610.676.2258 | jbeck@seic.com

-----Original Message-----
From: Dave Mitchell [mailto:davem@iabyn.com]
Sent: Tuesday, August 29, 2006 1:03 PM
To: Beck, Joseph
Subject: Re: Minimizing the Solaris Operating Environment for Security...sol10 version

On Tue, Aug 29, 2006 at 12:04:34PM -0400, Beck, Joseph wrote:
> Anyone seen such a document yet?
>
> I have a need to start building some web servers that will be solaris
> 10. I have the beginnings of a document and wanted to leverage any
> previous work in deciding things such as which initial (metacluster)
> install & which pkgs to remove after, which services, etc...I had to do
> this years ago, but was dealing with sol6 & sol7 at the time.

http://www.cisecurity.org/bench_solaris.html

--
SCO - a train crash in slow motion
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers

Received on Fri Sep 8 21:09:30 2006
This archive was generated by hypermail 2.1.8 : Thu Mar 03 2016 - 06:44:00 EST