Solaris Benchmark v1.1.0
53
pages
English
Documents
Le téléchargement nécessite un accès à la bibliothèque YouScribe Tout savoir sur nos offres
53
pages
English
Documents
Le téléchargement nécessite un accès à la bibliothèque YouScribe Tout savoir sur nos offres
Solaris Benchmark v1.1.0
Copyright 2001-2002, The Center for Internet Security
http://www.CISecurity.org/
Solaris Benchmark v1.1.0
October 22, 2002
Copyright 2001-2002, The Center for Internet Security (CIS)
Terms of Use Agreement
1. Grant of Permission to use the Solaris Download Package consisting of the Solaris Benchmark, software
tools for scoring and monitoring the status of Benchmark settings at the network and system level, plus
associated documentation.
Subject to the terms and provisions listed below, CIS grants to you the nonexclusive and limited right to
use the Solaris Download Package components.
You are not receiving any ownership or proprietary right, title or interest in or to the Solaris Download
Package components or the copyrights, trademarks, or other rights related thereto.
2. Limitations on Use.
Receipt of the Solaris Download Package components does not permit you to:
a. Sell the Solaris Download Package components;
b. Lease or lend the Solaris Download Package components;
c. Distribute the Solaris Download Package components by any means, including, but not limited to, through
the Internet or other electronic distribution, direct mail, retail, or mail order (Certain internal distribution
rights are specifically granted to CIS Consulting and User Members as noted in (2.e.) below);
d. In any other manner and through any medium commercially exploit or use the Solaris Download Package ...
Solaris Benchmark v1.1.0
Copyright 2001-2002, The Center for Internet Security http://www.CISecurity.org/
Solaris Benchmark v1.1.0
October 22, 2002 Copyright 2001-2002, The Center for Internet Security (CIS)
Terms of Use Agreement1. Grant of Permissionto use the Solaris Download Package consisting of the Solaris Benchmark, software tools for scoring and monitoring the status of Benchmark settings at the network and system level, plus associated documentation.
Subject to the terms and provisions listed below, CIS grants to you thenonexclusive and limited rightto use the Solaris Download Package components.
You are not receiving any ownership or proprietary right, title or interest in or to the Solaris Download Package components or the copyrights, trademarks, or other rights related thereto. 2. Limitations on Use.
Receipt of the Solaris Download Package components does not permit you to:
a. Sell the Solaris Download Package components;
b. Lease or lend the Solaris Download Package components;
c. Distribute the Solaris Download Package components by any means, including, but not limited to, through the Internet or other electronic distribution, direct mail, retail, or mail order (Certain internal distribution rights are specifically granted to CIS Consulting and User Members as noted in (2.e.) below);
d. In any other manner and through any medium commercially exploit or use the Solaris Download Package components for any commercial purpose;
e. Post the Benchmark, software tools, or associated documentation on any internal or external web site. (Consulting and User Members of CIS may distribute the Solaris Download Package components within their own organization);
f. Represent or claim a particular level of compliance with the Solaris Benchmark unless the system is operated by a Consulting or User Member of CIS and has been scored against the Benchmark criteria by a monitoring tool obtained directly from CIS or a commercial monitoring tool certified by CIS.
ii
Special Terms of Use For US Federal Government Agencies and Authorized Federal Contractors Terms of Usewithin the entities and confines of the US Federal Government agencies and departments and by authorized federal contractors and sub-contractors, in accordance with the provisions of a federal government contract between the General Services Administration and The Center for Internet Security (CIS). These terms apply only for the six-month period beginning September 9, 2002, and ending March 8, 2003. 1.Grant of Permissionuse and distribute the CIS Security Benchmarks and Scoring Tools:to Subject to the terms and provisions listed below, CIS grants to every entity within the confines of the US Federal Government agencies and departments, the nonexclusive and limited right to use and distribute within the confines of the US Federal government agencies and departments and to authorized federal government contractors and sub-contractors, the CIS Benchmarks and Scoring Tools plus associated documentation, that are available via the CIS website (http://www.cisecurity.org), The entities within the confines of the US Federal Government agencies and departments are not receiving any ownership or proprietary right, title or interest in or to the CIS Security Benchmark documents or Scoring Tool software, or the copyrights, trademarks, or other rights related thereto. 2.Limitations on Use and Distribution.Receipt of the CIS Security Benchmarks or Scoring Tools doesnotpreim:ta. Selling, licensing, or leasing them, or exploiting them for any commercial purpose; b. Distributing them outside the entities within the confines of the US Federal Government agencies and departments by any means, including, but not limited to, the Internet or other electronic distribution. They may be distributed freely within the entities and confines of the US Federal Government agencies and departments, provided this Terms of Use language in its entirety is included. Distribution to any entities outside the confines of the US Federal Government agencies and departments is prohibited, except that distribution to federal government contractors and sub-contractors is permitted for contractor use in conjunction with their specific contractual requirements to complete assigned federal government tasks. Internal distribution by federal government contractors and sub-contractors within their organization is limited to contractor personnel directly involved in completing assigned government contract tasks. c. Posting the Benchmarks or Scoring Tools or associated documentation on any internal or external web site, except for the purpose of internal distribution within the entities and confines of the US Federal Government agencies and departments and to authorized federal government contractors and sub-contractors. Internal distribution by federal government contractors and sub-contractors is limited as noted in 2 b. above.
iii
CIS Solaris Benchmark
1 Patches ........................................................................................................................... 2 1.1 Apply latest OS patches ......................................................................................... 2 2 Minimizeinetd 3network services ............................................................................... 2.1 Create emptye/i/ct/tfennotce.ndi......................................................... 3 2.2 Only enabletelnetif absolutely necessary ....................................................... 3 2.3 Only enable FTP if absolutely necessary............................................................... 4 2.4 Only enablerlogin/rsh/rcpif absolutely necessary....................................... 4 2.5 Only enable TFTP if absolutely necessary ............................................................ 5 2.6 Only enable printer service if absolutely necessary............................................... 5 2.7 Only enablequradotif absolutely necessary ..................................................... 6 2.8 Only enable CDE-related daemons if absolutely necessary .................................. 6 2.9 Disable Solaris Volume Manager daemons unless needed.................................... 7 2.10 Disable Kerberos-related daemons unless needed ................................................. 7 3 Minimize boot services .................................................................................................. 8 3.1 Turn off services which are not commonly used ................................................... 8 3.2 Disable Windows-compatibility servers, if possible ............................................. 8 3.3 Disable NFS server processes, if possible ............................................................. 9 3.4 Disable NFS client processes, if possible .............................................................. 9 3.5 Disable other RPC-based services, if possible..................................................... 10 3.6 Disable Kerberos server daemons, if possible ..................................................... 10 3.7 Disable directory server, if possible..................................................................... 11 3.8 Disable LDAP cache manager, if possible .......................................................... 11 3.9 Disable printer daemons, if possible .................................................................... 12 3.10 Disable volume manager, if possible ................................................................... 12 3.11 Disable GUI login, if possible ............................................................................. 13 3.12 Disable email server, if possible .......................................................................... 13 3.13 Disable Web server, if possible ........................................................................... 14 3.14 Disable SNMP, if possible ................................................................................... 15 3.15 Disable DHCP server, if possible ........................................................................ 15 3.16 Prevent Syslog from accepting messages from network ..................................... 16 3.17 Turn oninetdtracing, disableinetdif possible............................................ 17 3.18 Disablelogin:prompts on serial ports........................................................... 17 3.19 Set daemon umask ............................................................................................... 18 4 Kernel Tuning .............................................................................................................. 18 4.1 Disable core dumps.............................................................................................. 18 4.2 Enable stack protection ........................................................................................ 19 4.3 Restrict NFS client requests to privileged ports .................................................. 19 4.4 Network Parameter Modifications ....................................................................... 20 4.5 Additional network parameter modifications ...................................................... 21 4.6 Use better TCP sequence numbers ...................................................................... 21 5 Logging ........................................................................................................................ 22 5.1 Capture messages sent to syslogAUTHfacility ................................................... 22 5.2 Capture FTP andinetdConnection Tracing Info............................................. 22
iv
5.3 Createloingv/raa/mdl/go......................................................................... 23 5.4 Turn oncronlogging ......................................................................................... 24 5.5 Enable system accounting.................................................................................... 24 5.6 Enable kernel-level auditing ................................................................................ 25 5.7 Confirm permissions on system log files............................................................. 26 6 File/Directory Permissions/Access .............................................................................. 26 6.1 File systems are mounted either 'ro' or 'nosuid' .............................................. 26 6.2 Add 'logging' option to root file system .......................................................... 27 6.3 Add 'nosuid' option to/c/etmormt.unocfn............................................. 28 6.4 Use full path names indfs/etc/abdfst/file .............................................. 28 6.5 Verifypasswd,shadow, andgroupfile permissions .................................... 28 6.6 World-writable directories should have their sticky bit set ................................. 29 6.7 Find unauthorized world-writable files................................................................ 29 6.8 Find unauthorized SUID/SGID system executables............................................ 30 7 System Access, Authentication, and Authorization..................................................... 30 7.1 Remove .rhostssupport in/etc/pa.mocfn.............................................. 30 7.2 Create symlinks for dangerous files..................................................................... 31 7.3 Createte/f/[c]dptptf/eruss.................................................................. 32 7.4 Create/telesl/chs........................................................................................ 32 7.5 Prevent remote XDMCP access........................................................................... 33 7.6 Prevent X server from listening on port 6000/tcp................................................ 33 7.7 Set default locking screensaver timeout .............................................................. 34 7.8 Restrictat/cronto authorized users ................................................................. 34 7.9 Remove empty crontab files and restrict file permissions ................................... 35 7.10 Create appropriate warning banners .................................................................... 35 7.11 Restrict root logins to system console ................................................................. 37 7.12 Limit number of failed login attempts ................................................................. 37 7.13 Set EEPROMerity-modsecuand log failed access..................................... 38 8 User Accounts and Environment ................................................................................. 38 8.1 Block system accounts ......................................................................................... 38 8.2 Set account expiration parameters on active accounts......................................... 39 8.3 Verify no legacy '+' entries exist inpasswd,shadow, andgroupfiles ......... 40 8.4 Verify that there are no accounts with empty password fields ............................ 40 8.5 Verify that no UID 0 accounts exist other thanroot......................................... 40 8.6 No '.' or group/world-writable directory inroot$PATH.................................. 41 8.7 User home directories should be mode 750 or more restrictive .......................... 41 8.8 No user dot-files should be group/world writable ............................................... 41 8.9 Remove user.netrcfiles ................................................................................. 42 8.10 Set default umask for users .................................................................................. 42 8.11 Set "mesg n" as default for all users ................................................................. 43 9 Key Security tools installed ......................................................................................... 43 9.1 Install TCP Wrappers........................................................................................... 44 9.2 Install SSH ........................................................................................................... 46 9.3 Runx-fiedoms................................................................................................ 47 Appendix A: Log Rotation Script ........................................................................................ 48
v
CIS Solaris Benchmark
A Word about Shaded Items Desktop systems typically have different security expectations than server-class
shaded items may be skipped on these desktop platforms.
Root Shell Environment Assumed The actions listed in this document are written with the assumption that they will be executed by therootuser running theh/sinsb/shell and withoutnoclobberset.
Executing Actions The actions listed in this document are written with the assumption that they will be executed in the order presented here. Some actions may need to be modified if the order is changed. Actions are written so that they may be copied directly from this document into a root shell window with a "cut-and-paste" operation.
Reboot Required Rebooting the system is required after completing all of the actions below in order to complete the re-configuration of the system. In many cases, the changes made in the steps below will not take effect until this reboot is performed.
Backup Key Files Before performing the steps of this benchmark it is a good idea to make backup copies of critical configuration files that may get modified by various benchmark items: for file in /etc/ftpusers /etc/hosts.equiv /etc/inittab \ /etc/issue /etc/.login /etc/motd /etc/pam.conf \ /etc/passwd /etc/profile /etc/rmmount.conf \ /etc/shadow /etc/shells /etc/syslog.conf /etc/system \ /etc/vfstab /etc/default/cron /etc/default/ftpd \ /etc/default/inetinit /etc/default/init \ /etc/default/login /etc/default/sendmail \ /etc/default/telnetd /etc/inet/inetd.conf \ /etc/dfs/dfstab /etc/ssh/sshd config /.rhosts \ _ /.shosts /etc/cron.d/*.allow /etc/cron.d/*.deny \ /etc/dt/config/Xaccess /etc/dt/config/Xservers \ /etc/dt/config/*/sys.resources \ /etc/dt/config/*/Xresources; do [ -f $file ] && cp $file $file-preCIS done
1
1 Patches
1.1 Apply latest OS patches
Action(Solaris 7 and later): 1. Download Sun Recommended Patch Cluster into/tmp(Sun Recommended Patch Clusters can be obtained from.eus.nocs/nuosvlftp:/s/hetcpab/pum/--look for files named<osrel>pidez.emdncemoR, whereo<lers>is the Solaris _ OS release number). 2. Execute the following commands: cd /tmp unzip -qq * Recommended.zip _ cd * Recommended _ ./install cluster -q _
Action(Solaris 2.6 and earlier): 1. Download Sun Recommended Patch Cluster into/tmp(Sun Recommended Patch Clusters can be obtained fromhcse/p/bup/taom.cun.sveolnssu//:ptf--look for files named<osrel>tad.Zr.mmcodeeneR, where<l>reosis the _ Solaris OS release number). 2. Execute the following commands: cd /tmp zcat * Recommended.tar.Z | tar xf -_ cd * Recommended _ ./install cluster -q _
Discussion:Installing up-to-date vendor patches and developing a procedure for keeping up with vendor patches is critical for the security and reliability of the system. Vendors will issue operating system updates when they become aware of security vulnerabilities and other serious functionality issues, but it is up to their customers to actually download and install these patches. Note that in addition to installing the Solaris Recommended Patch Clusters as described above, administrators may wish to also check the Solaris<os>lertropeRhctaP.file (available from the same FTP site as the patch clusters) for additional security, Y2K, or functionality patches that may be required on the local system. Administrators are also encouraged to check the individualREADMEfiles provided with each patch for further information and post-install instructions. During the patch cluster installation process, some patches may not be installed. Administrators may ignore individual patch installations that fail with either return code 2 (which indicates that the given patch has already been installed on the system) or return code 8 (the patch applies to an operating system package which is not installed
2
on the machine). If a patch installation fails with any other return code, the administrator should consult the patch installation log in /var/sadm/install data. _ 2 Minimizeinetdnetwork services
2.1 Create emptyf.connetdet/inc//iet
Action:cd /etc/inet mv inetd.conf inetd.conf.orig touch inetd.conf chown root:sys inetd.conf chmod 444 inetd.conf
Discussion:The stocket//ietinc/c.noendtffile shipped with Solaris contains many services which are rarely used and a great deal of commentary. This can make the file difficult to audit and make it easier for attackers to hide malicious services in the file. By starting with a "clean slate", we make it easier to verify that theonftd.cienfile is in a known good configuration. Note that we save a backup copy of the original version of the file for use in later steps in this section (a backup copy of the file should already have been saved by an earlier action asine-fnoc.dtSICerp). Note that this process will effectively disable any entries the local site may have added to theirte.docfnnifile for third-party software packages or other locally installed-software. Make sure to extract these entries from thegocfno.ird.etinfile and re-install them into the newly createdincdo.neft.
2.2 Only enabletelnetif absolutely necessary
Question: Is there a mission-critical reason that requires users to access this system viatelnet, rather than the more secure SSH protocol? If the answer to this question is yes, proceed with the action below.
Action:grep '^telnet' inetd.conf.orig >>inetd.conf
Discussion:telnetan unencrypted network protocol, which means data from the loginuses session (such as passwords) can be stolen by eavesdroppers on the network, and also
3
that the session can be hijacked by outsiders to gain access to the remote system. The freely-available SSH utilities (see/:w/thptepsnwwo.mo/hsc.) provide encrypted network logins and should be used instead.
2.3 Only enable FTP if absolutely necessary
Question: Is this machine an (anonymous) FTP server, or is there a mission-critical reason why data must be transferred to and from this system viaftp, rather thanscp? If the answer to this question is yes, proceed with the actions below.
Action:awk '/in.ftpd/ { print $0 " -d l }' \ -" inetd.conf.orig >>inetd.conf
Discussion:Liketelnet, the FTP protocol is unencrypted which means theft of data and session hijacking are an issue with this protocol. SSH provides two different encrypted file transfer mechanismsscpandsftp if FTP is Evenand should be used instead. required because the local system is an anonymous FTP server, consider requiring non-anonymous users on the system to transfer files via SSH-based protocols. For further information on restricting FTP access to the system, see Item 7.3 below. Note that if the FTP daemon is left on, it is recommended that the "debugging" (-d) and connection logging (-l) flags also be enabled to track FTP activity on the system. Information about FTP sessions will be logged via Syslog, but the system must be configured to capture these messages. For further configuration information, see Item 5.2 below.
2.4 Only enablerlogin/rsh/rcpif absolutely necessary Question: Is there a mission-critical reason whyrlogin/rsh/rcpmust be used instead of the more securessh/scp?
If the answer to this question is yes, proceed with the actions below.
Action:grep '^shell' inetd.conf.orig >>inetd.conf grep '^login' inetd.conf.orig >>inetd.conf
4
Discussion:SSH was designed to be a drop-in replacement for these protocols. Given the wide availability of free SSH implementations, it seems unlikely that there is ever a case where these tools cannot be replaced with SSH (again, seetp://www.opensshc.mo/th). If these protocols are left enabled, please also see Item 7.1 for additional security-related configuration settings.
2.5 Only enable TFTP if absolutely necessary
Question:
must be transferred to and from this system via TFTP? If the answer to this question is yes, proceed with the actions below.
Action:grep '^#*tftp' inetd.conf.orig | \ sed 's/^#//' >>inetd.conf mkdir -m 711 /tftpboot chown root:root /tftpboot
Discussion:
data to remote systems via TFTP for backup. However, unless this system is needed in one of these roles, it is best to leave the TFTP service disabled.
2.6 Only enable printer service if absolutely necessary
Question: Is this machine a print server for your network? If the answer to this question is yes, proceed with the actions below.
Action:grep '^printer' inetd.conf.orig >>inetd.conf
Discussion:in.lpd machines that are Evenprovides a BSD-compatible print server interface. BSD-style printing.
5
2.7
Only enablerquotadif absolutely necessary
Question: Is this system an NFS file server with disk quotas enabled? If the answer to this question is yes, proceed with the actions below.
Action:grep '^rquotad' inetd.conf.orig >>inetd.conf
Discussion:rquotadallows NFS clients to enforce disk quotas on file systems that are mounted
rquotadservice disabled.
2.8 Only enable CDE-related daemons if absolutely necessary
Question: Is there a mission-critical reason to run a GUI on this system? If the answer to this question is yes, proceed with the actions below.
Action:grep 'rpc.ttdbserverd$' inetd.conf.orig >>inetd.conf
Discussion:Thec.rpdbttvresdreprocess supports many tools and applications in Sun's CDE windowing environment, but has historically been a major security issue for Solaris systems. If you do plan to leave this service enabled, not only is it vital to keep up to date on vendor patches, but alsoneverservice on any system which is notenable this well protected by a complete network security infrastructure (including network and host-based firewalls, packet filters, and intrusion detection infrastructure).
6
