Hardening Guide for Solaris


  • HARDENING GUIDE FOR SOLARIS OPERATING SYSTEM

    Internal Page 2 of 23

    TABLE OF CONTENTS

    1 OBJECTIVE
    2 DEFINITION
    3 SCOPE
    4 STATEMENT OF APPLICABILITY
    5 HARDENING PROCEDURE (p. 4)
      1 FILE SYSTEM SECURITY (p. 4)
        1.1 INTRODUCTION (p. 4)
        1.2 SOLARIS OPERATING ENVIRONMENT INSTALLATION (p. 4)
        1.3 RECOMMENDED PARTITIONS (p. 4)
      2 APPLYING SECURITY PATCHES (p. 5)
        2.1 INTRODUCTION (p. 5)
        2.2 PATCH INSTALLATION PROCEDURE (p. 5)
      3 SECURING ACCOUNTS (p. 5)
        3.1 REMOVING AND DISABLING SYSTEM ACCOUNTS (p. 5)
        3.2 ACCOUNTS THAT CAN BE SAFELY DISABLED (p. 6)
        3.3 ACCOUNTS THAT CAN BE SAFELY DELETED (p. 6)
        3.4 PASSWORD CONFIGURATION (p. 7)
        3.5 LOGIN RETRIES (p. 7)
        3.6 RESTRICT REMOTE ROOT LOGIN (p. 7)
        3.7 RESTRICT DIRECT ROOT LOGIN ENTIRELY (p. 7)
        3.8 LOGIN BANNER (p. 8)
        3.9 RESTRICT SU COMMAND (p. 8)
      4 DISABLING NON-ESSENTIAL SERVICES (p. 9)
        4.1 DISABLE NON-ESSENTIAL SERVICES (p. 9)
        4.2 DISABLING SERVICES FROM THE STARTUP SCRIPTS (p. 10)
        4.3 FTP AND TELNET BANNERS (p. 11)
        4.4 RESTRICT FTP USERS (p. 11)
        4.5 SECURING SNMP SERVICE (p. 11)
        4.6 DISABLE DARPA NAME SERVER (p. 12)
        4.7 REMOVING RSH (p. 12)
        4.8 TO DISABLE RLOGIN (p. 13)
      5 ADDING SECURE SERVICES (p. 13)
        5.1 OPENSSH PACKAGES (p. 13)
      6 MISCELLANEOUS SECURITY SETTINGS (p. 14)
        6.1 SECURE EXECUTABLE STACKS (p. 14)
        6.2 SECURING NFS (p. 14)
      7 FILE RELATED SETTINGS (p. 15)
        7.1 USER UMASK SETTING (p. 15)
        7.2 SYSTEM UMASK SETTING (p. 15)
      8 CRON AND AT SECURITY (p. 15)
      9 SYSLOG (p. 16)
        9.1 LOGIN LOGS (p. 17)
        9.2 PERMISSION ON THE LOG FILES (p. 17)
        9.3 FOLDER PERMISSIONS (p. 17)
        9.4 MOUNT NON-ROOT UFS FILE SYSTEM (p. 18)
        9.5 ENABLING TCP WRAPPERS (p. 18)
      10 NETWORK SECURITY SETTINGS (p. 18)
        10.1 PRELIMINARY NETWORK SETTINGS (p. 18)
        10.2 BROADCAST PING (p. 19)
        10.3 DIRECTED BROADCAST (p. 19)
        10.4 PREVENT SPOOFING (p. 19)
        10.5 SOURCE ROUTED PACKETS (p. 19)
        10.6 NETMASK QUERIES (p. 19)
        10.7 TIMESTAMP QUERIES (p. 20)
        10.8 TIMESTAMP BROADCAST (p. 20)
        10.9 ROUTING REDIRECTS (p. 20)
        10.10 DEFENSE AGAINST SYN FLOOD (p. 20)
        10.11 AVOID DOS (p. 21)
        10.12 STRENGTHEN TCP SEQUENCE NUMBER GENERATION (p. 21)
        10.13 ENSURE THAT THE MACHINE DOES NOT ACT AS A ROUTER (p. 21)
        10.14 SET ARP_CLEANUP_INTERVAL (p. 21)
        10.15 SET TCP_REV_SRC_ROUTES (p. 21)
      11 CONFIGURING TO NTP SERVER (p. 22)


    5 HARDENING PROCEDURE

    1 File system security

    1.1 Introduction

    It is important that the file systems and local security of the Solaris Operating Environment system are not neglected. Administrators are often greatly concerned about attackers breaking into systems remotely. There should be equal concern for local, authorized users gaining extra privileges on a system by exploiting a weakness in internal system security.

    1.2 Solaris Operating Environment Installation

    Each new release includes security improvements and additional features to enhance system security. Always use the latest version of the Solaris Operating Environment that your applications will support.

    1.3 Recommended Partitions

    When creating operating system file partitions, be sure to allocate adequate disk space for system directories, log files, and applications. Certain server applications or services may require extra disk space or separate partitions to operate effectively without impacting other services.

    Procedure

    Typically, there should be separate partitions for:

    / (root file system)
    /usr
    /var
    /opt
    /tmp
    /home (user partition)

    The partition layout is normally chosen during installation; to create additional partitions afterwards use the format(1M) command on a disk or slice that holds no data, since repartitioning destroys the existing contents. Separate /var and /tmp partitions also keep log growth or a user filling scratch space from exhausting the root file system, and they can be mounted with restrictive options (see section 9.4).

    Note: Most applications install themselves in /opt or /usr/local. Check the application installation directory location before allocating space.


    2 Applying Security Patches

    2.1 Introduction

    Sun provides patches to the Solaris Operating Environment and unbundled software products. You can download recommended, security, and other patches for the Solaris Operating Environment from sunsolve.sun.com. All systems should have the latest recommended, security, and application patches installed.

    2.2 Patch installation Procedure

    To install a patch (102548-01 is used below as the example patch number):

    # init 0                          # halt to the OpenBoot ok prompt
    ok boot -s                        # boot in single-user mode
    # mkdir /var/spool/patch          # may already exist; create it otherwise
    # cp 102548-01.zip /var/spool/patch
    # cd /var/spool/patch
    # unzip 102548-01.zip
    # patchadd 102548-01
    # init 6                          # reboot only if the patch README says it is required

    Note: Schedule downtime for the machine if the patch requires a reboot. Ensure that no users are connected to the system when you are applying patches.

    Be sure to examine all system init scripts and test all patches on non-production systems to discover any configuration changes. Verify the result with showrev -p (or patchadd -p), which lists the installed patches together with the patches each one obsoletes.
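Before booting single-user it is worth knowing whether the patch is already satisfied, either by the same patch at an equal or higher revision or by a newer patch that obsoletes it. The following is an added example (not from the original guide) that parses the output of showrev -p to answer that; the showrev output embedded here is constructed sample data and its patch IDs are placeholders.

```shell
#!/bin/sh
# Added example: decide whether a required patch is already on the system
# before booting single-user to install it. Parses "showrev -p" output lines
# of the form "Patch: ID Obsoletes: ... Requires: ... Incompatibles: ... Packages: ...".
# SAMPLE_SHOWREV is CONSTRUCTED sample data; the patch IDs are placeholders.

SAMPLE_SHOWREV='Patch: 102548-03 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 111111-02 Obsoletes: 222222-01, 222223-01 Requires: 102548-01 Incompatibles:  Packages: SUNWcsr
Patch: 110380-04 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu, SUNWcsr'

# installed_rev SHOWREV BASE: print the highest installed revision of patch BASE
# as a plain number ("03" becomes 3); print nothing if it is not installed at all.
installed_rev() {
    printf '%s\n' "$1" | awk -v b="$2" '
        $1 == "Patch:" { split($2, p, "-"); if (p[1] == b && p[2] + 0 > r) r = p[2] + 0 }
        END { if (r) print r }'
}

# obsoleted_by SHOWREV ID: print every installed patch whose Obsoletes: list names ID.
# The list runs from field 4 up to the "Requires:" keyword; entries are comma-separated.
obsoleted_by() {
    printf '%s\n' "$1" | awk -v id="$2" '
        $1 == "Patch:" {
            for (i = 4; i <= NF && $i != "Requires:"; i++) {
                sub(/,$/, "", $i)
                if ($i == id) print $2
            }
        }'
}

# patch_satisfied SHOWREV ID: exit 0 if ID (e.g. 102548-01) is satisfied, either by the
# same base patch at that revision or higher, or by an installed patch that obsoletes it.
patch_satisfied() {
    base=${2%-*}; want=${2#*-}
    have=$(installed_rev "$1" "$base")
    if [ -n "$have" ] && [ "$have" -ge "$want" ]; then
        return 0
    fi
    [ -n "$(obsoleted_by "$1" "$2")" ]
}

# Stand-alone demonstration on the constructed sample.
for id in 102548-01 102548-05 222222-01; do
    if patch_satisfied "$SAMPLE_SHOWREV" "$id"; then
        echo "$id: already satisfied"
    else
        echo "$id: needs patchadd"
    fi
done
# On a real host:  patch_satisfied "$(showrev -p)" 102548-01 || patchadd 102548-01
```

Run the same check again after the reboot to confirm the patch landed; a patch that reports success but leaves showrev -p unchanged usually failed a prerequisite listed in its Requires: field.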

    3 Securing Accounts

    Managing user and system accounts is an important aspect of the Solaris Operating Environment security. Some system accounts may need to be modified or deleted.

    3.1 Removing and Disabling System Accounts

    A default Solaris Operating Environment installation contains several accounts that either need to be deleted or modified to strengthen security. Some accounts are not necessary for normal system operation.

    3.2 Accounts that can be safely disabled

    daemon, bin, adm, lp, uucp, nuucp, nobody, smtp, listen, noaccess, nobody4, smmsp

    Disabling an account means giving it a shell that refuses to run and a locked password: the account still exists, so daemons and file ownership keep working, but nobody can log in as it. The command to disable the daemon account is given below as an example:

    # usermod -s /sbin/noshell daemon

    Note: /sbin/noshell is not part of the base Solaris install; it is the no-login shell shipped with the Solaris Security Toolkit (JASS). If it is not installed, /bin/false serves the same purpose. Lock the password as well (the -l option of the passwd command), and note that an empty shell field in /etc/passwd is not a disabled shell: login then gives the account the default shell.

    Note: The smtp user is required by the sendmail service. nobody is required by the NFS services. noaccess is required by the automount service. These accounts must be disabled, never deleted.

    3.3 Accounts that can be safely deleted

    smtp, listen, nobody4

    The command to delete the smtp user is given below as an example:

    # userdel smtp

    Caution: deleting an account that a running service depends on breaks that service, and files owned by the deleted UID become orphaned. Check the note in 3.2 first: on a host that runs sendmail the smtp account must be disabled rather than deleted, and the same applies to listen if anything on the system still uses it. Delete only after confirming that nothing depends on the account.
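An audit that reads passwd- and shadow-format files and reports which of the accounts listed in 3.2 still have an interactive shell or an unlocked password, then prints the usermod and passwd commands needed, is added below as an example; it is not part of the original guide. The two sample files are constructed (they resemble, but are not, a real system's /etc/passwd and /etc/shadow), and the /sbin/noshell path is assumed to be installed as described above.

```shell
#!/bin/sh
# Added example: audit the accounts the guide lists for disabling and print the
# commands still needed. Reads passwd/shadow-format files given as arguments, so it
# can be run against copies. The two samples below are CONSTRUCTED, not from a host.

DISABLE_ACCOUNTS="daemon bin adm lp uucp nuucp nobody smtp listen noaccess nobody4 smmsp"
# Assumption: a no-login shell is installed at this path (e.g. the Solaris Security
# Toolkit noshell binary). /bin/false is accepted as an alternative below.
NOSHELL=${NOSHELL:-/sbin/noshell}

SAMPLE_PASSWD='root:x:0:1:Super-User:/:/sbin/sh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
adm:x:4:4:Admin:/var/adm:
lp:x:71:8:Line Printer Admin:/usr/spool/lp:
uucp:x:5:5:uucp Admin:/usr/lib/uucp:
nuucp:x:9:9:uucp Admin:/var/spool/uucppublic:/usr/lib/uucp/uucico
listen:x:37:4:Network Admin:/usr/net/nls:/sbin/noshell
nobody:x:60001:60001:Nobody:/:
noaccess:x:60002:60002:No Access User:/:
nobody4:x:65534:65534:SunOS 4.x Nobody:/:
smmsp:x:25:25:SendMail Message Submission Program:/:
test:x:100:1:Test User:/export/home/test:/bin/ksh'

SAMPLE_SHADOW='root:abcd1234:6445::::::
daemon:NP:6445::::::
bin:NP:6445::::::
adm:NP:6445::::::
lp:NP:6445::::::
uucp:NP:6445::::::
nuucp:NP:6445::::::
listen:*LK*:6445::::::
nobody:NP:6445::::::
noaccess:NP:6445::::::
nobody4:NP:6445::::::
smmsp:NP:6445::::::
test:efgh5678:6445::::::'

# An empty shell field is NOT safe: login(1) then uses the default shell.
noninteractive_shell() {
    case "$1" in
        "$NOSHELL"|/bin/false|/usr/bin/false) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_system_accounts PASSWD SHADOW: one line "user:problems" per listed account
# that still has an interactive shell or a password field other than *LK*
# (the value passwd -l writes). Accounts absent from the file are skipped.
audit_system_accounts() {
    for u in $DISABLE_ACCOUNTS; do
        entry=$(grep "^$u:" "$1") || continue
        shell=$(printf '%s\n' "$entry" | cut -d: -f7)
        pw=$(grep "^$u:" "$2" | cut -d: -f2)
        problems=""
        noninteractive_shell "$shell" || problems="shell=${shell:-<empty>}"
        [ "$pw" = "*LK*" ] || problems="$problems pw=${pw:-<empty>}"
        [ -n "$problems" ] && printf '%s:%s\n' "$u" "$problems"
    done
    return 0
}

# hardening_commands PASSWD SHADOW: print (do not run) the usermod/passwd lines that
# fix what the audit reported. Review the list first: the guide notes that nobody (NFS),
# noaccess (automount) and smtp (sendmail) must be disabled, never deleted.
hardening_commands() {
    audit_system_accounts "$1" "$2" | while IFS=: read -r u problems; do
        case "$problems" in *shell=*) echo "usermod -s $NOSHELL $u" ;; esac
        case "$problems" in *pw=*)    echo "passwd -l $u" ;; esac
    done
}

# write_samples DIR: write the constructed sample files for a stand-alone run.
write_samples() {
    mkdir -p "$1"
    printf '%s\n' "$SAMPLE_PASSWD" > "$1/passwd"
    printf '%s\n' "$SAMPLE_SHADOW" > "$1/shadow"
}

DEMO=${TMPDIR:-/tmp}/acctaudit.$$
write_samples "$DEMO"
hardening_commands "$DEMO/passwd" "$DEMO/shadow"   # 10 usermod and 10 passwd -l lines
rm -rf "$DEMO"
```

On a real host run it as hardening_commands /etc/passwd /etc/shadow, read the output, and only then execute the lines you agree with; listen in the sample is already compliant and is not reported, which is the idempotence you want from a check that will be re-run after every patch cycle.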


    3.4 Password configuration

    Procedure

    Edit /etc/default/passwd and set the following password parameters (the file is a list of NAME=value lines; uncomment or add each line as required):

    PASSLENGTH=8
    MAXWEEKS=7
    MINWEEKS=1

    PASSLENGTH is the minimum password length; MAXWEEKS and MINWEEKS are the maximum and minimum password ages in weeks. Refer to the organization's password policy when choosing these values. Note that with the default crypt_unix algorithm only the first 8 characters of a password are significant, so a PASSLENGTH greater than 8 adds nothing unless a stronger hashing algorithm has been configured (the CRYPT_DEFAULT setting in /etc/security/policy.conf, available in later Solaris 9 releases and in Solaris 10).

    3.5 Login Retries

    Specify the number of consecutive failed logins that can occur for a user before the login process logs the failure and terminates the connection. Edit the /etc/default/login file and set the RETRIES parameter to a value of 3. Failed attempts beyond this count are recorded in /var/adm/loginlog when that file exists (see section 9.1).

    3.6 Restrict remote root login

    The root user must not be able to log in from a remote console. The login command is part of the authentication process for access to a local Solaris Operating Environment account. It is used on the console and by the in.telnetd daemon to determine whether a user may be granted access to the system. By default, the root user can only log into a Solaris Operating Environment system from the console device.

    Procedure

    The console device is defined by the following entry in the /etc/default/login file:

    CONSOLE=/dev/console

    Note: When this line is commented out, the root account can log directly into the system over the network via telnet in addition to the console. This is insecure and should be avoided. Do not alter the default configuration.

    3.7 Restrict direct root login entirely

    Make the following CONSOLE entry in the /etc/default/login file to restrict direct root logins entirely, so that root can only be reached through su from an ordinary account (login compares the value against the tty name and "-" matches no device):

    CONSOLE=-

    Note: Before doing this, make sure at least one administrative account can log in on the console and is permitted to su (section 3.9); otherwise a root shell can only be obtained by booting to single-user mode.
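Sections 3.4 to 3.7 all come down to a handful of NAME=value lines in /etc/default/passwd and /etc/default/login, and the common failure is a line that was edited but left commented out. The check below is an added example, not part of the original guide: it reads the effective value of each setting (ignoring commented lines) and reports mismatches against the values the guide asks for. ROOT is a prefix of this example's own making, like the toolkit's JASS_ROOT_DIR, so the check can run against copied files; the sample files it writes are constructed.

```shell
#!/bin/sh
# Added example: check the /etc/default/passwd and /etc/default/login settings from
# sections 3.4 to 3.7 and report anything that differs. ROOT is an assumption of this
# example (a prefix such as a mounted root or a directory of copies); empty means the
# live system. The sample files written by write_samples are CONSTRUCTED.

ROOT=${ROOT:-}

# Expected values, one "file key value" per line (files are relative to /etc/default).
EXPECTED='passwd PASSLENGTH 8
passwd MAXWEEKS 7
passwd MINWEEKS 1
login RETRIES 3
login CONSOLE /dev/console'

# default_setting FILE KEY: print the effective value of KEY in an /etc/default file.
# A commented-out line does not count; the last active assignment wins.
# Prints "<unset>" if no active line exists and "<empty>" for a bare "KEY=".
default_setting() {
    awk -F= -v k="$2" '
        $1 == k { v = substr($0, length(k) + 2); seen = 1 }
        END { if (!seen) print "<unset>"; else if (v == "") print "<empty>"; else print v }' "$1"
}

# audit_defaults: one line per mismatch, "file key expected=X actual=Y"; no output
# when everything matches.
audit_defaults() {
    printf '%s\n' "$EXPECTED" | while read -r file key want; do
        have=$(default_setting "$ROOT/etc/default/$file" "$key")
        [ "$have" = "$want" ] || printf '%s %s expected=%s actual=%s\n' "$file" "$key" "$want" "$have"
    done
}

# write_samples DIR: constructed files resembling an untouched installation, where
# CONSOLE and RETRIES exist only as commented-out lines.
write_samples() {
    mkdir -p "$1/etc/default"
    printf '%s\n' '# Constructed sample of /etc/default/passwd' \
        'MAXWEEKS=' 'MINWEEKS=' 'PASSLENGTH=6' > "$1/etc/default/passwd"
    printf '%s\n' '# Constructed sample of /etc/default/login' \
        '#CONSOLE=/dev/console' 'PASSREQ=YES' '#RETRIES=5' 'SYSLOG=YES' > "$1/etc/default/login"
}

DEMO=${TMPDIR:-/tmp}/defaults.$$
write_samples "$DEMO"
ROOT=$DEMO
audit_defaults        # 5 mismatches on the constructed sample
ROOT=
rm -rf "$DEMO"
```

The CONSOLE row reports "<unset>" rather than a wrong value when the line is commented out, which is exactly the state section 3.6 warns about (root may then log in over telnet). If you choose CONSOLE=- from 3.7 instead, change that row of EXPECTED to match.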

    3.8 Login banner

    An appropriate login message must be displayed to the user when he/she tries to log in to the system. The contents of the /etc/issue file are displayed on the console during login and for incoming telnet connections. The login banner reads as follows:

    !!!WARNING!!!

    This system is for the use of authorized xxx personnel and channel partners only. By accessing this system you hereby consent to the system being monitored by xxx. Any unauthorized use will be considered a breach of xxx information security policies and may also be unlawful. xxx reserves the right to take any action, including disciplinary action or legal proceedings in a court of law, against persons involved in the violation of the access restrictions herein.

    3.9 Restrict su command

    You can restrict users that are permitted to su the server.

    Procedure

    If the wheel group has been removed, create one with the following steps:

    # /usr/sbin/groupadd -g 13 wheel
    # /usr/bin/chgrp wheel /usr/bin/su /sbin/su.static
    # /usr/bin/chmod 4550 /usr/bin/su /sbin/su.static

    Note: The GID for the wheel group does not need to be 13; any unused GID can be used. Mode 4550 keeps the set-UID bit that su needs but removes execute permission for "other", so only members of wheel can run it. Patches that replace /usr/bin/su restore the default mode and group, so re-check these permissions after patching.

    Add users to the wheel group with usermod. Given below is an example of an existing user test being added to the wheel group:

    # usermod -G wheel test

    Note: -G sets the complete list of supplementary groups for the user. If test already belongs to other supplementary groups, list them all, comma-separated, or they are dropped.

    4 Disabling Non-essential Services

    System services are started by the init system. Some services are not necessary to system operation and should be disabled. There are also services that may allow a system to be compromised due to incorrect configuration.

    4.1 Disable non-essential services

    For security purposes, only required services should be enabled. The fewer services that are enabled, the less likely it is that an attacker will discover a way to exploit the system using an enabled service.

    Note: The list of services to be disabled can be determined after an initial system study. Disable a service by putting a hash [#] sign in front of its entry in /etc/inet/inetd.conf (/etc/inetd.conf is a symbolic link to this file).

    Procedure: to disable the rlogin service, comment out its entry (the service name is login and the daemon is in.rlogind) as shown below:

    #login stream tcp6 nowait root /usr/sbin/in.rlogind in.rlogind

    Note: To make changes to inetd.conf take effect immediately without rebooting the server, send inetd a hangup signal:

    # pkill -HUP inetd

    Following is a list of services which can be disabled in inetd.conf (service names as they appear in its first field):

    shell, login, exec, comsat, talk, rusersd, uucp, tftp, finger, sysstat, netstat, sadmind, time, echo, discard, daytime, chargen, name, rquotad, sprayd, walld, rexecd, rpc.ttdbserverd, ufsd, printer, dtspc, rpc.cmsd, rstatd, fs, ocfserv, rpc.rexd

    Note: Several of these are RPC services whose inetd.conf entries begin with an RPC program number rather than a name (sadmind, for example, is 100232/10); match those on the daemon name at the end of the line.

    4.2 Disabling services from the Startup scripts

    We prevent services from starting by changing the capital 'S' at the start of the script name to a lowercase 's'. /sbin/rcN only runs scripts whose names begin with a capital S (start) or K (kill), so the renamed file is ignored but stays in place for easy re-enabling. Rename the start scripts for the following services in /etc/rc2.d and /etc/rc3.d where they are not required:

    ab2 (AnswerBook 2), dtlogin (CDE and X service), IPv6, NFS client, PRESERVE, sendmail, Apache, Desktop Management Interface (DMI), KDC, NFS server, print services, serial line printing, asppp, DHCP, MIP (Mobile IP agent), power management service, RPC, spc (Solaris print client), auto installer, directory service, name server caching daemon (nscd), PPP, Samba, UUCP, Volume Manager, WBEM, CacheFS, NCA, LLC2, slpd, NFS automount, perf

    Examples:

    # cd /etc/rc2.d
    # mv S72autoinstall s72autoinstall
    # mv S70uucp s70uucp
    # mv S76nscd s76nscd
    # cd /etc/rc3.d
    # mv S15nfs.server s15nfs.server

    Note: Rename only S (start) scripts. K28nfs.server in /etc/rc2.d is a kill script that stops the NFS server when the system leaves run level 3; the NFS server is started by S15nfs.server in /etc/rc3.d, and that is the script to disable. Disabling RPC (S71rpc) breaks everything that depends on rpcbind, including NFS, NIS and CDE; confirm nothing on the host needs it first.
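The rename is easy to get wrong by hand (a K script renamed instead of the S script, or a typo in the new name that leaves a stray file). The helper below is an added example, not from the original guide: it renames only matching S scripts, reports whether anything was actually renamed, and lists the start scripts that remain so the result can be verified. It is demonstrated on a constructed stand-in for /etc/rc2.d and /etc/rc3.d built in a temporary directory; on a real host pass the real directories.

```shell
#!/bin/sh
# Added example: disable run-level start scripts by the lowercase-s rename the guide
# uses, and list what is still enabled so the result can be verified. The directories
# populated by write_sample_rcdirs are a CONSTRUCTED stand-in for /etc/rc2.d and
# /etc/rc3.d, not real ones.

# disable_rc_script RCDIR NAME: rename S<nn>NAME to s<nn>NAME. Returns 0 if a script
# was renamed, 1 if nothing matched (already disabled or never present). Only S
# (start) scripts are touched: K (kill) scripts stop a service on leaving a run level,
# and renaming them does not prevent it from starting.
disable_rc_script() {
    dir=$1; name=$2; rc=1
    for f in "$dir"/S[0-9][0-9]"$name"; do
        [ -e "$f" ] || continue
        base=${f##*/}
        mv "$f" "$dir/s${base#S}"
        rc=0
    done
    return $rc
}

# enabled_rc_scripts RCDIR: print, one per line, the start scripts that will still run.
enabled_rc_scripts() {
    for f in "$1"/S[0-9][0-9]*; do
        [ -e "$f" ] && printf '%s\n' "${f##*/}"
    done
    return 0
}

# write_sample_rcdirs BASE: create BASE/rc2.d and BASE/rc3.d with empty placeholder
# scripts named like the real ones.
write_sample_rcdirs() {
    mkdir -p "$1/rc2.d" "$1/rc3.d"
    for s in S70uucp S72autoinstall S76nscd S88sendmail S99dtlogin K28nfs.server; do
        : > "$1/rc2.d/$s"
    done
    : > "$1/rc3.d/S15nfs.server"
}

DEMO=${TMPDIR:-/tmp}/rcdemo.$$
write_sample_rcdirs "$DEMO"
for svc in uucp autoinstall nscd; do
    disable_rc_script "$DEMO/rc2.d" "$svc" || echo "$svc: nothing to rename in rc2.d"
done
disable_rc_script "$DEMO/rc2.d" nfs.server || echo "nfs.server: only a K script in rc2.d"
disable_rc_script "$DEMO/rc3.d" nfs.server
enabled_rc_scripts "$DEMO/rc2.d"     # S88sendmail, S99dtlogin
enabled_rc_scripts "$DEMO/rc3.d"     # nothing left
rm -rf "$DEMO"
```

Because the function returns 1 when it finds nothing, a hardening script can log the services it expected to disable but did not find, which is how a mistyped name or a script that a patch has renamed shows up instead of passing silently.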

    4.3 FTP and TELNET banners

    If FTP or TELNET services are required on the system, ensure that they do not advertise the operating system version when users connect. Remove the OS version number from the telnetd and ftpd banners.

    Procedure

    Create the files /etc/default/telnetd and /etc/default/ftpd (edit them if they already exist) with the entry below to suppress the OS version in the banner:

    BANNER=

    Note: Both services send credentials in cleartext. The banner change only makes fingerprinting harder; the real fix is to replace them with SSH (section 5).

    4.4 Restrict ftp users

    Even if the ftp daemon is not going to run, set up the ftpusers file so that remote ftp logins to local user accounts are rejected should the service ever be enabled. Accounts listed in this file are denied ftp access.

    Procedure

    Use the following commands:

    # touch /etc/ftpusers
    # chown root /etc/ftpusers
    # chgrp root /etc/ftpusers
    # chmod 600 /etc/ftpusers
    # cut -f1 -d: /etc/passwd > /etc/ftpusers

    Note: The above step denies ftp access to all accounts; remove from the file only the accounts that genuinely require ftp access. On Solaris 9 and later the ftp server reads /etc/ftpd/ftpusers, so apply the same steps to that file there.

    4.5 Securing SNMP service

    If SNMP is required on the machine, set the SNMP community strings so that unauthorized users cannot query SNMP details.

    Procedure

    Edit the /etc/snmp/conf/snmpd.conf file and set non-guessable community strings. The following is a sample snmpd.conf file. Replace the default community strings public and private in this file with strong ones, and limit the SNMP managers that can query the machine by replacing the value snmp-server with the name of the SNMP management station in your environment:

    sysdescr        ALLDESC
    syscontact      ALLCONT
    sysLocation     ALLLOC
    #
    system-group-read-community  public
    system-group-write-community private
    #
    read-community  public
    write-community private
    trap            localhost
    trap-community  SNMP-trap
    #
    managers        snmp-server

    Note: SNMPv1/v2c community strings travel in cleartext on the network and are effectively passwords; a write community grants configuration access, so remove the write-community and system-group-write-community lines entirely unless management software actually needs write access. Make snmpd.conf readable only by root, and restart the agent (/etc/init.d/init.snmpdx stop, then start) for the change to take effect.

    4.6. Disable DARPA name server

    DARPA stands for Defense Advanced Research Projects Agency. in.tnamed is a server that supports the DARPA Name Server Protocol. It listens on the port given in the "name" service description and is invoked by inetd when a request arrives. The protocol implemented by this program is obsolete and has been superseded by the Internet Domain Name Service (DNS); nothing on a current network needs it, and an unneeded UDP listener running as root is nothing but attack surface.

    To disable it, edit /etc/inet/inetd.conf and comment out the following line:

    #name dgram udp wait root /usr/sbin/in.tnamed in.tnamed

    4.7. Removing RSH

    rsh creates a remote shell on a host, which allows a user to execute commands on the remote UNIX host. The r-services rely on inadequate authentication based on IP address and host name (which can be spoofed) and on trust files (/etc/hosts.equiv and ~/.rhosts), and they carry everything, including any password prompted for, in cleartext, so they can also be compromised by network sniffing. For security purposes rsh should be disabled and replaced with SSH (section 5).

    Disabling the "r" services (rsh, rlogin etc.) has two parts. Part one, here, removes the servers from inetd; part two, removing the rsh and rlogin entries from the PAM configuration, is covered in the subsection "Disable PAM configuration for rsh and rlogin". The files involved are:

    /etc/pam.conf
    /etc/inet/inetd.conf
    /etc/hosts.equiv

    To disable the program part of rsh, edit /etc/inet/inetd.conf and comment out the following lines:

    #shell stream tcp nowait root /usr/sbin/in.rshd in.rshd
    #shell stream tcp6 nowait root /usr/sbin/in.rshd in.rshd

    Also remove or empty /etc/hosts.equiv and any .rhosts files in home directories, so that no host is trusted even if a service is re-enabled by mistake.

    4.8 To disable rlogin

    Comment out the rlogin entry in /etc/inet/inetd.conf:

    #login stream tcp6 nowait root /usr/sbin/in.rlogind in.rlogind

    To disable the talk server, comment out:

    #talk dgram udp wait root /usr/sbin/in.talkd in.talkd

    After editing, signal inetd (pkill -HUP inetd) so the changes take effect.
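Sections 4.1 and 4.6 to 4.8 all apply the same edit to inetd.conf, and doing it by hand across tens of entries invites two mistakes: commenting a line twice, and matching on a substring (so that "login" also hits "rlogin" text). The helper below is an added example, not part of the original guide; it comments out entries by exact service name, is safe to re-run, rewrites the file through cat so the inode, mode and owner are preserved, and lists what remains enabled. The inetd.conf content it runs on is a constructed sample written to a temporary file; on a real host point it at /etc/inet/inetd.conf (the file itself, not the /etc/inetd.conf symlink) and send inetd a HUP afterwards.

```shell
#!/bin/sh
# Added example: comment out inetd services by service name and list what is still
# active. SAMPLE_INETD is a CONSTRUCTED sample of /etc/inet/inetd.conf; on a real
# host run the functions against that path and then:  pkill -HUP inetd

SAMPLE_INETD='# Constructed sample inetd.conf
ftp     stream  tcp6    nowait  root    /usr/sbin/in.ftpd       in.ftpd -a
telnet  stream  tcp6    nowait  root    /usr/sbin/in.telnetd    in.telnetd
name    dgram   udp     wait    root    /usr/sbin/in.tnamed     in.tnamed
shell   stream  tcp     nowait  root    /usr/sbin/in.rshd       in.rshd
shell   stream  tcp6    nowait  root    /usr/sbin/in.rshd       in.rshd
login   stream  tcp6    nowait  root    /usr/sbin/in.rlogind    in.rlogind
exec    stream  tcp6    nowait  root    /usr/sbin/in.rexecd     in.rexecd
talk    dgram   udp     wait    root    /usr/sbin/in.talkd      in.talkd
finger  stream  tcp6    nowait  nobody  /usr/sbin/in.fingerd    in.fingerd
100232/10  tli  rpc/udp wait    root    /usr/sbin/sadmind       sadmind'

# enabled_services FILE: the service field of every active (not commented, not blank)
# line, de-duplicated, since tcp and tcp6 entries share a name.
enabled_services() {
    awk 'NF > 0 && $1 !~ /^#/ { print $1 }' "$1" | sort -u
}

# disable_services FILE SVC...: prefix "#" to every active line whose first field is
# exactly SVC. Exact matching means "login" disables both rlogin entries but never
# touches a different service whose name merely contains the string. Idempotent:
# already-commented lines are left alone. The file is rewritten in place through cat
# so its inode, mode and owner (and a symlink pointing at it) are kept.
disable_services() {
    f=$1; shift
    for svc in "$@"; do
        awk -v s="$svc" '$1 !~ /^#/ && $1 == s { print "#" $0; next } { print }' "$f" > "$f.tmp" \
            && cat "$f.tmp" > "$f" && rm -f "$f.tmp"
    done
}

DEMO=${TMPDIR:-/tmp}/inetd.$$
printf '%s\n' "$SAMPLE_INETD" > "$DEMO"
disable_services "$DEMO" name shell login exec talk finger 100232/10
enabled_services "$DEMO"           # ftp, telnet
rm -f "$DEMO"
```

Keep a copy of the original file (cp -p /etc/inet/inetd.conf /etc/inet/inetd.conf.orig) before the first run, and treat the output of enabled_services as the list to justify: anything still there should be a service someone has asked for.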

    5 Adding Secure Services

    5.1 OpenSSH Packages

    The four packages that need to be on the system to use SSH are:

    1. zlib
    2. openssl
    3. openssh
    4. perl

    The packages can either be downloaded as source and compiled, or obtained as pre-compiled packages from sunfreeware.com. Pre-compiled packages come from a third party: verify their checksums or signatures against those published by the site before installing, since the SSH daemon is the one service that stays reachable on a hardened host. Solaris 9 and later ship a bundled SSH implementation (the SUNWssh* packages), which avoids the third-party dependency on those releases.

    6 Miscellaneous Security Settings

    The following configuration items apply to both local and remote security.

    6.1 Secure executable stacks

    Some exploitation programs take advantage of the Solaris Operating Environment's executable user stack to attack the system. These attack programs overwrite parts of the program stack of a privileged program, typically through a buffer overflow, so that it jumps to code they have placed on the stack. Some of these exploits can be avoided by making the user stack non-executable: the injected code then sits in a page without execute permission and the process is killed with SIGSEGV instead of running it.

    Procedure

    Add the following lines to the /etc/system file. Comment lines in this file begin with an asterisk (*), so the set lines must not be prefixed with #:

    set noexec_user_stack = 1
    set noexec_user_stack_log = 1

    The setting takes effect at the next reboot.

    Version dependencies: The non-executable stack feature only works on the following SPARC architectures: sun4d, sun4m and sun4u hardware.

    Note: With noexec_user_stack_log set to one, the system logs attempts to execute code on the stack as kernel messages (via syslog), naming the program, its PID and the UID. This allows you to track unsuccessful exploit programs and the account which made the attempt. The rare legitimate program that needs an executable stack will show up in the same log; deal with it individually rather than turning the protection off globally.

    6.2 Securing NFS

    If required, NFS file sharing should be implemented in a secure manner.

    Procedure

    Edit /etc/dfs/dfstab and ensure that all file systems that are shared have restricted permissions: export to named hosts or netgroups only (the ro= and rw= lists of share_nfs(1M)), export read-only wherever possible, and never rely on an unrestricted share being protected by file permissions alone. Shares must not be world-writable, and root= should be granted only to hosts that genuinely need root access, since it hands out root on the exported tree to whoever controls that client.

    Enable restricted NFS port access. When this is enabled the NFS server only accepts requests from client ports below 1024, so that an unprivileged user on a client cannot forge NFS requests from a port of their own. This parameter is defined in /etc/system.

    Procedure

    Add the following line to the /etc/system file:

    set nfssrv:nfs_portmon=1

    Note: This is a weak check (an attacker who is root on any client can use a low port) and complements, but does not replace, restricting the share lists above. The setting takes effect at the next reboot.

    7 File Related Settings

    7.1 User umask setting

    A default umask of 022 must be set for user-created files, so that the mask removes write access for group and other; new files are then created readable by everyone but writable only by the owner. (A stricter 027 also removes world read and is preferable where the organization's policy permits it.)

    Procedure

    Add "umask 022" to the following files:

    /etc/.login
    /etc/profile
    /etc/skel/local.cshrc
    /etc/skel/local.login
    /etc/skel/local.profile

    Note: The /etc/skel files only affect accounts created afterwards; check the shell startup files of existing users as well.

    7.2 System umask setting

    A default umask of 022 must be set for files created by system processes during boot. The default system file mode creation mask for the Solaris Operating Environment is 000, which means that files created by system daemons are created with permission bits of 666 (readable and writable by all users). This is a problem because ordinary users then have permission to overwrite the contents of such files.

    Procedure

    Use the following script to set the system umask to a more reasonable value:

    echo "umask 022" > /etc/init.d/umask.sh
    chmod 744 /etc/init.d/umask.sh
    chgrp sys /etc/init.d/umask.sh
    for d in /etc/rc?.d; do
        ln /etc/init.d/umask.sh $d/S00umask.sh
    done

    Note: The name must end in .sh and the S00 prefix sorts it first: /sbin/rcN sources files named *.sh into its own shell instead of running them as child processes, so the umask set here is inherited by every start script that follows in that run level. On Solaris 8 and later the supported alternative is CMASK=022 in /etc/default/init, which sets the umask of init itself and therefore of everything it starts.

    8 CRON and AT security

    CRON and AT related files must be secured. Only root must be given permission to run CRON and AT jobs.

    The files in /etc/cron.d control which users can use the cron and at facilities. If cron.allow exists, only the users listed in it may use crontab and cron.deny is not consulted; if it does not exist, everyone except the users in cron.deny may. The same applies to at.allow and at.deny. The deny files created below are therefore a fallback in case an allow file is ever removed.

    Procedure

    Create an /etc/cron.d/cron.allow file:

    # echo "root" > /etc/cron.d/cron.allow
    # chown root /etc/cron.d/cron.allow
    # chmod 600 /etc/cron.d/cron.allow

    Create an /etc/cron.d/at.allow file:

    # cp -p /etc/cron.d/cron.allow /etc/cron.d/at.allow

    Create an /etc/cron.d/cron.deny file:

    # cut -f1 -d: /etc/passwd | grep -v '^root$' > /etc/cron.d/cron.deny
    # chown root /etc/cron.d/cron.deny
    # chmod 600 /etc/cron.d/cron.deny

    Create an /etc/cron.d/at.deny file:

    # cp -p /etc/cron.d/cron.deny /etc/cron.d/at.deny

    Note: These files control the crontab and at commands, not jobs that already exist. Crontabs already present in /var/spool/cron/crontabs continue to run; review that directory and remove any that do not belong to root.

    9 Syslog

    The syslog daemon receives log messages from several sources and directs them to the appropriate location based on the configured facility and priority. The facility (or application type) and the priority are configured in /etc/syslog.conf to direct the log messages. The destination can be a log file, a network host, specific users, or all users logged into the system. Syslog must not accept log messages from remote machines unless explicitly required: by default it listens on UDP port 514, which lets any host on the network write into the local logs, filling the disk or burying real events among forged ones. On Solaris 8 and later set LOG_FROM_REMOTE=NO in /etc/default/syslogd; on earlier releases start syslogd with the -t option.

    Procedure

    Add the following entry to /etc/syslog.conf to capture syslog events sent to LOG_AUTH. This contains information on unsuccessful login attempts and on successful and failed su (switch user) attempts:

    auth.info	/var/log/authlog

    Note: Use the TAB key to separate auth.info from /var/log/authlog, not the space bar; syslogd does not recognize space-separated fields. Create /var/log/authlog by executing the following commands, then signal syslogd (pkill -HUP syslogd) so that it re-reads its configuration and opens the new file:

    # touch /var/log/authlog
    # chown root /var/log/authlog
    # chmod 600 /var/log/authlog


    9.1 Login logs

    Procedure

    Create /var/adm/loginlog to capture failed logins:

    # touch /var/adm/loginlog
    # chown root /var/adm/loginlog
    # chmod 600 /var/adm/loginlog

    Note: login writes to loginlog only when the file exists, and records an entry after RETRIES consecutive failed attempts (5 by default, 3 after the change in section 3.5) from any console or remote session.

    Apart from the above, logging must also be configured for:

    1. su attempts: /etc/default/su sets SULOG=/var/adm/sulog (one line per attempt, marked + for success and - for failure) and SYSLOG=YES to send the same events to syslog's auth facility.
    2. inetd connections: inetd must log connection details to syslog (the -t option of inetd; on Solaris 9, ENABLE_CONNECTION_LOGGING=YES in /etc/default/inetd).
    3. ftp: if the ftp service is running on the machine, ftp connection details must be logged.
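Logging su attempts is only useful if someone reads the result. Below is an added example (not part of the original guide) of the two questions a reviewer asks of /var/adm/sulog: which users are repeatedly failing su, and who has become root via su despite not being in the wheel group set up in section 3.9. The sulog lines it runs on are constructed samples in the real "SU mm/dd hh:mm +|- tty from-to" format.

```shell
#!/bin/sh
# Added example: review checks over /var/adm/sulog. SAMPLE_SULOG is CONSTRUCTED
# sample data in the format su writes: "SU mm/dd hh:mm +|- tty from-to", where
# "-" marks a failed attempt and "+" a successful one.

SAMPLE_SULOG='SU 03/10 09:12 + pts/1 alice-root
SU 03/10 09:15 - pts/3 bob-root
SU 03/10 09:16 - pts/3 bob-root
SU 03/10 09:20 + pts/3 bob-root
SU 03/10 11:02 - pts/5 carol-oracle
SU 03/10 11:05 + pts/5 carol-oracle
SU 03/11 08:40 + console root-oracle'

# failed_su_by_user SULOG: "user count" for every user with at least one failed su,
# sorted by user. Usernames may themselves contain "-", so the target account is taken
# to be whatever follows the LAST "-" in the from-to field.
failed_su_by_user() {
    awk '$1 == "SU" && $4 == "-" {
            i = match($6, /-[^-]*$/)
            n[substr($6, 1, i - 1)]++
         }
         END { for (u in n) print u, n[u] }' "$1" | sort
}

# root_su_outside_wheel SULOG "user1 user2 ...": users who successfully became root
# via su but are not in the given wheel membership list. With 3.9 in place su itself
# refuses non-members, so any name printed means the restriction is not in effect
# (or was bypassed) and deserves a look.
root_su_outside_wheel() {
    awk -v wheel=" $2 " '$1 == "SU" && $4 == "+" {
            i = match($6, /-[^-]*$/)
            from = substr($6, 1, i - 1); to = substr($6, i + 1)
            if (to == "root" && index(wheel, " " from " ") == 0) seen[from] = 1
         }
         END { for (u in seen) print u }' "$1" | sort
}

DEMO=${TMPDIR:-/tmp}/sulog.$$
printf '%s\n' "$SAMPLE_SULOG" > "$DEMO"
failed_su_by_user "$DEMO"                 # bob 2, carol 1
root_su_outside_wheel "$DEMO" "alice"     # bob
rm -f "$DEMO"
```

On a real host the wheel list comes from the group file, for example the fourth field of the wheel line in /etc/group with commas turned into spaces. Two failures followed by a success on the same tty, as for bob above, is the pattern worth a conversation: either a mistyped password or a guessed one, and sulog alone cannot tell which.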

    9.2 Permission on the log files

    Do not set insecure permissions on the log files. Log files that ordinary users can read disclose user names, host names and mistyped passwords; log files they can write can be altered to hide an intrusion.

    Procedure

    Set the permissions on the log files as follows (where the files are present):

    # chmod 600 /var/adm/messages /var/log/syslog /var/adm/loginlog

    9.3 Folder permissions

    Ensure that the permissions on the /tmp folder are set appropriately.

    1. Check the permissions on the /tmp folder both before file systems are mounted and after: the mount point in the root file system and the tmpfs mounted over it are different directories, and both must be mode 1777.
    2. Ensure that the sticky bit is set on the /tmp and /var/tmp folders (mode 1777), so that users can delete or rename only their own files there.

    Note: In a default install the /tmp and /var/tmp folders have the sticky bit set.

    3. Set the following permissions on the /etc, /var, /var/spool, /var/cron and /etc/security files and folders. JASS_ROOT_DIR is the Solaris Security Toolkit variable for the root of the file system being hardened; on a live system it is simply /, so ${JASS_ROOT_DIR}/etc is /etc.

    # chmod -fR g-w ${JASS_ROOT_DIR}/etc
    # chmod g-w ${JASS_ROOT_DIR}/var
    # chmod g-w ${JASS_ROOT_DIR}/var/spool
    # chmod 0700 ${JASS_ROOT_DIR}/var/cron
    # chmod 0750 ${JASS_ROOT_DIR}/etc/security


    9.4 Mount non-root ufs file systems nosuid

    Mount the non-root ufs file systems with the nosuid option to prevent set-UID programs from executing there; a user who can write to such a file system then cannot plant a set-UID binary for later use. On Solaris, nosuid also prevents device files on that file system from being opened. Edit /etc/vfstab to add the nosuid option.

    Procedure

    Edit the vfstab entries as follows (these are vfstab lines, not commands, and the device names are examples):

    /dev/dsk/c0t3d0s5  /dev/rdsk/c0t3d0s5  /var    ufs  1  no   nosuid
    /dev/dsk/c0t3d0s6  /dev/rdsk/c0t3d0s6  /local  ufs  2  yes  nosuid

    Note: This can be done only if /var, /local and so on are on separate partitions from the root file system, which is one reason section 1.3 recommends creating them. Do not apply nosuid to /usr or /opt if set-UID programs installed there are needed.

    9.5 Enabling TCP Wrappers

    To enable TCP wrappers on a Solaris 9 OE system:

    1. Modify the ENABLE_TCPWRAPPERS entry in /etc/default/inetd as follows:

    ENABLE_TCPWRAPPERS=YES

    2. Verify that inetd has either been restarted or sent a HUP, and that the services listed in /etc/inetd.conf are now subject to TCP wrappers.

    Note: Enabling wrappers changes nothing until access rules exist. Create /etc/hosts.deny containing "ALL: ALL" and then list the permitted clients per service in /etc/hosts.allow (see hosts_access(4)); test from a host that should be refused before relying on it. On Solaris 8 and earlier TCP wrappers are not bundled and must be installed separately (for example from sunfreeware.com) and wired into inetd.conf via tcpd.

    10 Network Security Settings

    There are many possible ways to attack network services. These services contain programming flaws, use weak authentication, transfer sensitive data unencrypted, and allow connections from any network host. These weaknesses allow a system to be compromised by an attacker. The settings below are made with ndd(1M), which changes the running kernel's network parameters; they are lost at reboot, which is why they are placed in a startup script that re-applies them.

    10.1 Preliminary Network settings

    Procedure

    Check for the /etc/init.d/nddconfig file. If it is not found, create /etc/init.d/nddconfig and also create a link to it at /etc/rc2.d/S70nddconfig.

    Use the following commands:

    # touch /etc/init.d/nddconfig
    # ln /etc/init.d/nddconfig /etc/rc2.d/S70nddconfig

    After creating the files, add the ndd commands from the following sections to /etc/init.d/nddconfig and run the script once (sh /etc/init.d/nddconfig) so that they take effect immediately; from the next boot the S70 link runs them automatically.

    10.2 Broadcast ping

    Procedure

    Add the following lines to the /etc/init.d/nddconfig file:

    # Fix for broadcast ping bug

    /usr/sbin/ndd -set /dev/ip ip_respond_to_echo_broadcast 0

    10.3 Directed broadcast

    Procedure

    Add the following lines to the /etc/init.d/nddconfig file:

    # Block directed broadcast packets

    /usr/sbin/ndd -set /dev/ip ip_forward_directed_broadcasts 0

    10.4 Prevent spoofing

    Procedure

    Add the following lines to the /etc/init.d/nddconfig file:

    # Prevent spoofing
    /usr/sbin/ndd -set /dev/ip ip_strict_dst_multihoming 1
    /usr/sbin/ndd -set /dev/ip ip_ignore_redirect 1

    Note: With ip_strict_dst_multihoming set to 1 each interface accepts only packets addressed to its own address; on a multi-homed host, check that nothing relies on reaching one interface's address through another before enabling it.

    10.5 Source routed packets

    Procedure

    Add the following lines to the /etc/init.d/nddconfig file:

    # Drop source routed packets
    /usr/sbin/ndd -set /dev/ip ip_forward_src_routed 0

    Note: This stops the host from forwarding source-routed packets; it does not affect source-routed packets addressed to the host itself.

    10.6 Netmask queries


    Procedure

    Add the following lines to the /etc/init.d/nddconfig file:

    # Do not respond to queries for our netmask
    /usr/sbin/ndd -set /dev/ip ip_respond_to_address_mask_broadcast 0

    10.7 Timestamp queries

    Procedure

    Add the following lines to the /etc/init.d/nddconfig file:

    # Do not respond to queries for our timestamp

    /usr/sbin/ndd -set /dev/ip ip_respond_to_timestamp 0

    10.8 Timestamp broadcast

    Procedure

    Add the following lines to the /etc/init.d/nddconfig file:

    # Do not respond to queries for our timestamp broadcast

    /usr/sbin/ndd -set /dev/ip ip_respond_to_timestamp_broadcast 0

    10.9 Routing redirects

    Procedure

    Add the following lines to the /etc/init.d/nddconfig file:

    # Do not issue redirects -- fix the routing table instead

    /usr/sbin/ndd -set /dev/ip ip_send_redirects 0

    10.10 Defense against SYN flood

    Procedure

    Add the following lines to the /etc/init.d/nddconfig file:


    # Increase our defense against SYN floods. The "q" queue
    # is the completed-connection holding pen where sockets
    # remain until the application issues accept().
    /usr/sbin/ndd -set /dev/tcp tcp_conn_req_max_q 1280

    # The "q0" queue is the half-open (SYN received, handshake not finished) socket queue.
    /usr/sbin/ndd -set /dev/tcp tcp_conn_req_max_q0 10240

    10.11 Avoid DoS

    Procedure

    Add the following lines to the /etc/init.d/nddconfig file

    # Increase the minimum TCP MSS value to avoid DoS
    # (a tiny MSS forces the host to send very many small segments)
    /usr/sbin/ndd -set /dev/tcp tcp_mss_min 128

    Note: to confirm that a value has taken effect, read it back with ndd -get, for example:

    # ndd -get /dev/ip ip_respond_to_timestamp_broadcast

    10.12 Strengthen TCP sequence number generation

    Use the RFC 1948 algorithm for TCP initial sequence numbers. Predictable ISNs let an attacker spoof or hijack TCP connections; RFC 1948 derives each connection's ISN from a keyed hash of the connection tuple, so ISNs cannot be predicted from observed connections.

    Procedure

    Configure RFC 1948 TCP sequence number generation in /etc/default/inetinit (the file is read by /etc/init.d/inetinit at boot; the running value can be checked with ndd -get /dev/tcp tcp_strong_iss):

    TCP_STRONG_ISS=2

    10.13 Ensure that the machine does not act as a router

    Create the file /etc/notrouter. When it is present, the boot scripts disable IP forwarding and do not start the routing daemons (in.routed and in.rdisc), so the host neither forwards packets between its interfaces nor advertises routes.

    # touch /etc/notrouter

    10.14 Set arp_cleanup_interval

    Add the following lines to /etc/init.d/nddconfig:

    # Age ARP entries out after 60000 ms (1 minute) so that stale or spoofed entries do not persist
    /usr/sbin/ndd -set /dev/arp arp_cleanup_interval 60000

    10.15 Set tcp_rev_src_routes


    Add the following lines to the /etc/init.d/nddconfig:

    # Do not reverse the route of an incoming source-routed packet when replying to it
    /usr/sbin/ndd -set /dev/tcp tcp_rev_src_routes 0
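    Sections 10.1 to 10.15 spread the contents of /etc/init.d/nddconfig over many pages and suggest reading values back one at a time with ndd -get. The script below is an added example, not part of the original guide: it keeps one table of driver, parameter and expected value, emits the complete nddconfig body from it, and audits a running host against the same table so that the script that sets the values and the check that verifies them cannot drift apart. The path /usr/sbin/ndd and all parameter values come from the sections above; the NDD override variable, the function names and the table layout are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original guide): one table drives both the
# generation of /etc/init.d/nddconfig and an audit of the live settings.
# NDD, the function names and the table format are this example's choices.
NDD="${NDD:-/usr/sbin/ndd}"

# driver  parameter  expected-value   (sections 10.2 to 10.15 of the guide)
NDD_EXPECTED='
ip  ip_respond_to_echo_broadcast         0
ip  ip_forward_directed_broadcasts       0
ip  ip_strict_dst_multihoming            1
ip  ip_ignore_redirect                   1
ip  ip_forward_src_routed                0
ip  ip_respond_to_address_mask_broadcast 0
ip  ip_respond_to_timestamp              0
ip  ip_respond_to_timestamp_broadcast    0
ip  ip_send_redirects                    0
tcp tcp_conn_req_max_q                   1280
tcp tcp_conn_req_max_q0                  10240
tcp tcp_mss_min                          128
arp arp_cleanup_interval                 60000
tcp tcp_rev_src_routes                   0
'

# nddconfig_emit: print the body of /etc/init.d/nddconfig.
# Usage: nddconfig_emit > /etc/init.d/nddconfig
nddconfig_emit() {
    echo '#!/sbin/sh'
    echo '# /etc/init.d/nddconfig - IP/TCP/ARP hardening, run at boot via /etc/rc2.d/S70nddconfig'
    set -- $NDD_EXPECTED          # word-split the table into driver/param/value triples
    while [ $# -ge 3 ]; do
        printf '/usr/sbin/ndd -set /dev/%s %s %s\n' "$1" "$2" "$3"
        shift 3
    done
}

# ndd_check driver param expected: read one tunable back; returns 0 if it matches.
ndd_check() {
    actual=$("$NDD" -get "/dev/$1" "$2" 2>/dev/null) || actual='(unreadable)'
    if [ "$actual" = "$3" ]; then
        printf 'OK   /dev/%s %s = %s\n' "$1" "$2" "$actual"
        return 0
    fi
    printf 'FAIL /dev/%s %s = %s (expected %s)\n' "$1" "$2" "$actual" "$3"
    return 1
}

# ndd_audit: check every table entry; the return value is the number of
# mismatches, so "ndd_audit || echo 'host not hardened'" works from cron.
ndd_audit() {
    fails=0
    set -- $NDD_EXPECTED
    while [ $# -ge 3 ]; do
        ndd_check "$1" "$2" "$3" || fails=$((fails + 1))
        shift 3
    done
    return $fails
}
```

    Run ndd_audit after the rc2 script has executed (or after sh /etc/init.d/nddconfig) and again after any patch or reboot; a non-zero return means at least one tunable has reverted.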

    11 Configuring the NTP client

    Follow the steps below.

    1. Create a work directory for the NTP installation.

    # cd /
    # mkdir ntpfiles

    2. Download the NTP package for Solaris (ntp-*-sol9-sparc-local.gz) from http://www.sunfreeware.com/ into the work directory. Verify the package's integrity against its published checksum before installing it; the daemon it installs runs as root on every server.

    3. Uncompress the package and add it with pkgadd

    # gzip -d ntp-4.1.1a-sol9-sparc-local.gz
    # pkgadd -d ntp-4.1.1a-sol9-sparc-local

    4. Open the ntp.conf file from its default location

    # cd /usr/local/doc/ntp/scripts/support/conf/
    # vi ntp.conf

    5. Add the following lines to ntp.conf (10.132.176.155 is the internal NTP server given in the note at the end of this section)

    server 10.132.176.155
    driftfile /usr/local/doc/ntp/scripts/support/conf/ntp.drift

    6. Create the ntp.drift file in the same location

    # cd /usr/local/doc/ntp/scripts/support/conf/
    # touch ntp.drift

    7. Run the NTP daemon

    # ntpd -c /usr/local/doc/ntp/scripts/support/conf/ntp.conf

    8. To check time synchronization between the NTP server and the clients, run the NTP query program. The peer the daemon has selected is marked with "*" in the first column, and a reach value of 377 means all of the last eight polls were answered.

    # ntpq -p

    Note: Make sure that the timezone is set to IST on each server before installing the NTP client.

    9. To set the client's clock once against the NTP server, run

    # ntpdate 10.132.176.155


    Note: Make sure that the NTP daemon is not running while executing the above command; ntpdate cannot bind UDP port 123 while ntpd holds it.

    10. Create the startup script that synchronizes the NTP client with the NTP server each time the system restarts

    # cd /etc/rc2.d
    # vi S168ntp

    11. Add the following line to the newly created file S168ntp

    /usr/local/bin/ntpd -c /usr/local/doc/ntp/scripts/support/conf/ntp.conf

    12. Change the permissions and ownership of the file

    # chmod 744 S168ntp
    # chown root:sys S168ntp

    Note: The internal NTP server IP is 10.132.176.155. Once NTP is configured, ensure that UDP port 123 (NTP) is open from the server to the enterprise NTP servers.
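    Step 8 says to run ntpq -p but not how to decide from its output whether the host is actually in sync. The function below is an added example, not part of the original guide: it reads ntpq -p output and reports success only when a peer carries the "*" tally (the selected system peer), its reach register is 377 (every one of the last eight polls answered) and its offset is within a tolerance. The sample output is constructed for this example; 10.132.176.155 is the internal server named in the note above, while the two other peers and the .GPS. reference id are made up. The function name, its exit codes and the default tolerance of 100 ms are this example's choices.

```shell
#!/bin/sh
# Added example (not from the original guide): decide from "ntpq -p" output
# whether this host is actually synchronised. Function name, exit codes and
# the default 100 ms tolerance are this example's choices.

# Constructed sample of "ntpq -p" output. 10.132.176.155 is the internal NTP
# server from the guide; the other two peers and the .GPS. refid are made up.
NTPQ_SAMPLE='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*10.132.176.155  .GPS.            1 u   37   64  377    0.532   -0.210   0.118
+10.132.176.156  10.132.176.155   2 u   12   64  377    0.611    1.840   0.205
 10.132.176.157  .INIT.          16 u    -   64    0    0.000    0.000   0.000'

# ntp_sync_state [max_offset_ms] < ntpq-output
#   0 = synced to a system peer (*) with reach 377 and |offset| within limit
#   1 = no system peer selected      2 = system peer not fully reachable
#   3 = offset beyond tolerance
# Live use:  ntpq -p | ntp_sync_state 100
ntp_sync_state() {
    awk -v limit="${1:-100}" '
        # the tally code is the first character of the line; "*" marks the selected peer
        substr($0, 1, 1) == "*" {
            found = 1
            peer = substr($1, 2); reach = $7; off = $9 + 0
            if (off < 0) off = -off
            if (reach != "377") { print "peer " peer " reach " reach ", not fully reachable"; exit 2 }
            if (off > limit)     { print "peer " peer " offset " $9 " ms exceeds " limit " ms"; exit 3 }
            print "synced to " peer " offset " $9 " ms"
            exit 0
        }
        END { if (!found) { print "no system peer selected (no * entry)"; exit 1 } }
    '
}
```

    A freshly started ntpd shows no "*" entry and a low reach value for several minutes; treat exit codes 1 and 2 as "not yet" on a new install, but as a failure on a host that has been up for longer.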