Securing a new Solaris installation at UIUC:
- Apply Sun Recommended Patches using superglue.
As the root user:
/sbin/mount solaris-patches.cites.uiuc.edu:/services/patches /mnt
/mnt/superglue
/sbin/umount /mnt
- Remove unnecessary daemons from
/etc/inet/inetd.conf (/etc/inetd.conf is a symlink to it). Comment out every service line you do not need and send inetd a HUP (pkill -HUP inetd) so the change takes effect; on Solaris 10 the inetd services live in SMF, so list them with inetadm and disable them with inetadm -d instead.
- Install TCP wrappers.
The latest version can be found at
ftp://ftp.porcupine.org/pub/security/.
One of several web pages detailing TCP Wrapper installation can be found at
http://www.kempston.net/solaris/tcpwrappers.html.
Solaris 9 ships with wrapper support built into inetd: set ENABLE_TCPWRAPPERS=YES in /etc/default/inetd instead of installing tcpd. On Solaris 10 turn it on with inetadm (inetadm -M tcp_wrappers=TRUE for all inetd services). Whichever way it is enabled, put ALL: ALL in /etc/hosts.deny and allow only the networks that need each service in /etc/hosts.allow; the wrappers do nothing until hosts.deny denies by default.
- Install a version of rpcbind that can be TCP wrappered.
A secure version of rpcbind can be found at
ftp://ftp.porcupine.org/pub/security/index.html.
Make sure to add rules for rpcbind to your /etc/hosts.allow file. Solaris 10's own rpcbind honours hosts.allow/hosts.deny once the rpc/bind service property config/enable_tcpwrappers is set to true and the service is refreshed, so no replacement is needed there.
- Remove unnecessary services from the run-level directories /etc/rc2.d and /etc/rc3.d (Solaris has no /etc/rc.d).
Runlevels 2 and 3 are used for a normal, multiuser startup in Solaris. You can stop a service by invoking the correct script in /etc/init.d, usually with the "stop" argument, or by using the svcadm command in Solaris 10. For example, to stop the sendmail daemon, you would issue the following command as root:
Versions of Solaris through 9:
/etc/init.d/sendmail stop
Solaris 10:
svcadm disable -t sendmail
You can keep those unnecessary services from starting at boot time by renaming the appropriate symlinks in /etc/rc2.d and /etc/rc3.d or by using the svcadm command in Solaris 10. For example, if you want to prevent the sendmail daemon from starting at each boot, you would do the following as root:
Versions of Solaris through 9:
mv /etc/rc2.d/S88sendmail /etc/rc2.d/noS88sendmail
Solaris 10:
svcadm disable sendmail
Some services that you may not need include:
ldap.client
nfs.client
nfs.server
sendmail
slpd
Note: the services which are absolutely required (named by their /etc/init.d scripts on Solaris through 9; on Solaris 10 the corresponding SMF services should simply be left enabled) are:
MOUNTFSYS
RMTMPFILES
inetsvc
standardmounts
buildmnttab
rootusr
sysetup
devlinks
cron
drvconfig
syslog
inetinit
utmpd
rpc (if using graphical interface)
dtlogin (if using graphical interface)
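An added example, not the page's own script, that carries out the renaming step above for the whole list of unneeded services and then reports what is still set to start. The RCBASE variable and the make_sample_rcdirs scratch layout are assumptions added so the functions can be tried offline against a copy; on a real Solaris 2.x through 9 host leave RCBASE as /etc and run it as root.

```shell
#!/bin/sh
# Added example, not the UIUC page's own script: disable a list of rc
# services on Solaris 2.x through 9 the way described above, by renaming
# S??name links to noS??name in /etc/rc2.d and /etc/rc3.d, and list what is
# still set to start. RCBASE is an assumed knob so the functions can be run
# against a scratch copy; on a real host leave it as /etc and run as root.

RCBASE=${RCBASE:-/etc}
UNNEEDED="ldap.client nfs.client nfs.server sendmail slpd"

# Scripts init will run entering run level $1, in the order it runs them.
boot_scripts() {
    for f in "$RCBASE/rc$1.d"/S[0-9][0-9]*; do
        [ -e "$f" ] && basename "$f"
    done
    return 0
}

# Rename S??svc to noS??svc for each service named in $* in run levels 2
# and 3. Absent or already-renamed links are skipped, so re-running is safe.
disable_rc_services() {
    for svc in "$@"; do
        for lvl in 2 3; do
            for f in "$RCBASE/rc$lvl.d"/S[0-9][0-9]"$svc"; do
                [ -e "$f" ] || continue
                mv "$f" "$(dirname "$f")/no$(basename "$f")"
                echo "disabled $(basename "$f") in rc$lvl.d"
            done
        done
    done
    return 0
}

# Constructed scratch layout using the link names a default install has.
make_sample_rcdirs() {   # $1: scratch base directory standing in for /etc
    mkdir -p "$1/rc2.d" "$1/rc3.d"
    for s in S69inet S71ldap.client S72slpd S73nfs.client S75cron S88sendmail; do
        : > "$1/rc2.d/$s"
    done
    for s in S15nfs.server S76snmpdx; do
        : > "$1/rc3.d/$s"
    done
}

# Offline run against the scratch copy. On a real host, as root:
#   disable_rc_services $UNNEEDED
scratch=${TMPDIR:-/tmp}/rcdemo.$$
make_sample_rcdirs "$scratch"
RCBASE=$scratch
disable_rc_services $UNNEEDED
echo "still starting in rc2.d: $(boot_scripts 2 | tr '\n' ' ')"
echo "still starting in rc3.d: $(boot_scripts 3 | tr '\n' ' ')"
rm -rf "$scratch"
```

The glob S[0-9][0-9]"$svc" finds the link whatever its sequence number, so the list of service names is all you maintain; renaming rather than deleting keeps the link available for a quick rollback.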
- Lock or disable unnecessary accounts.
Make sure that such accounts have "NP" or "*LK*" in the password field of their /etc/shadow entries (passwd -l account writes *LK*). An empty password field is the worst case, since it means no password at all. You may also wish to assign an invalid shell to these accounts, such as /bin/false or /bin/true; a locked password does not stop the account being used where no password is asked for (su by root, cron jobs, rhosts-style trust), but a non-login shell does.
adm
bin
daemon
listen
lp
nobody
nobody4 (remove if you do not have to support SunOS systems)
noaccess
nuucp
smtp
sys
uucp
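An added example, not the page's own script, that audits the account list above against shadow- and passwd-format files: it reports any listed account whose password field is neither NP nor *LK* (an empty field is called out separately) and any whose shell still permits a login. The sample files it writes are constructed for an offline run, not copied from a real system; on a real host pass /etc/shadow and /etc/passwd instead.

```shell
#!/bin/sh
# Added example (not the UIUC page's own script): check that the system
# accounts listed above are locked in /etc/shadow ("NP" or "*LK*" in the
# password field) and have a non-login shell in /etc/passwd. The sample
# files below are constructed for an offline run; on a real host pass
# /etc/shadow and /etc/passwd instead.

ACCOUNTS="adm bin daemon listen lp nobody nobody4 noaccess nuucp smtp sys uucp"

# Write constructed sample files (not copied from any real system).
make_sample_files() {   # $1: shadow path, $2: passwd path
    cat > "$1" <<'EOF'
root:hashedrootpw:12345::::::
daemon:NP:6445::::::
bin:NP:6445::::::
sys:NP:6445::::::
adm:NP:6445::::::
lp:*LK*:6445::::::
uucp:NP:6445::::::
nuucp:*LK*hashedpw:6445::::::
smtp:NP:6445::::::
listen:*LK*:6445::::::
nobody:hashednobodypw:6445::::::
noaccess::6445::::::
nobody4:NP:6445::::::
EOF
    cat > "$2" <<'EOF'
root:x:0:1:Super-User:/:/sbin/sh
daemon:x:1:1::/:/bin/false
bin:x:2:2::/usr/bin:/bin/false
sys:x:3:3::/:/bin/false
adm:x:4:4:Admin:/var/adm:/bin/false
lp:x:71:8:Line Printer Admin:/usr/spool/lp:/bin/false
uucp:x:5:5:uucp Admin:/usr/lib/uucp:
nuucp:x:9:9:uucp Admin:/var/spool/uucppublic:/usr/lib/uucp/uucico
smtp:x:0:0:Mail Daemon User:/:/bin/false
listen:x:37:4:Network Admin:/usr/net/nls:/bin/false
nobody:x:60001:60001:Nobody:/:/bin/sh
noaccess:x:60002:60002:No Access User:/:/bin/false
nobody4:x:65534:65534:SunOS 4.x Nobody:/:/bin/false
EOF
}

# Print "<account> <problem>" for each listed account whose shadow entry is
# not locked. An empty field is worse than an unlocked hash: no password.
unlocked_accounts() {   # $1: shadow file
    for acct in $ACCOUNTS; do
        entry=$(grep "^$acct:" "$1") || continue   # absent: nothing to lock
        case "$(printf '%s\n' "$entry" | cut -d: -f2)" in
            NP|\*LK\**) ;;                          # locked, as required
            "")         echo "$acct EMPTY-PASSWORD" ;;
            *)          echo "$acct UNLOCKED" ;;
        esac
    done
    return 0
}

# Print "<account> <shell>" for listed accounts whose shell still allows a
# login. An empty shell field means /usr/bin/sh on Solaris, so it counts.
login_shell_accounts() {   # $1: passwd file
    for acct in $ACCOUNTS; do
        entry=$(grep "^$acct:" "$1") || continue
        shell=$(printf '%s\n' "$entry" | cut -d: -f7)
        case "$shell" in
            /bin/false|/bin/true|/usr/bin/false|/usr/bin/true) ;;
            "") echo "$acct (empty, defaults to /usr/bin/sh)" ;;
            *)  echo "$acct $shell" ;;
        esac
    done
    return 0
}

# Offline demonstration against the constructed samples.
sh_tmp=${TMPDIR:-/tmp}/shadow.sample.$$
pw_tmp=${TMPDIR:-/tmp}/passwd.sample.$$
make_sample_files "$sh_tmp" "$pw_tmp"
echo "not locked:";   unlocked_accounts "$sh_tmp"
echo "login shells:"; login_shell_accounts "$pw_tmp"
rm -f "$sh_tmp" "$pw_tmp"
```

The *LK* pattern is matched as a prefix because newer Solaris releases write *LK* in front of the old hash when locking, and the anchored grep on "account:" keeps nobody from matching nobody4.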
- Disable the telnetd/ftpd OS banners if running telnetd and/or ftpd.
Create the file /etc/default/telnetd and put the line BANNER=""
into it to remove the telnetd OS banner. Create a similar file called /etc/default/ftpd for the ftpd OS banner. On Solaris 9 and later in.ftpd is WU-FTPD and reads /etc/ftpd/ftpaccess instead; use a "greeting terse" line there. Removing the banner only hides the version string, so it is no substitute for patching; treat it as a small extra and not a control.
- Create the file /etc/ftpusers (on Solaris 9 and later the file is /etc/ftpd/ftpusers) and add the following default
Solaris accounts to it, one per line. This prevents these accounts from ftp-ing into
the system, which matters for root in particular since FTP sends the password in clear text.
adm
bin
daemon
listen
lp
nobody
noaccess
nobody4 (unless it was deleted)
nuucp
root
smtp
sys
uucp
- Disable the sendmail OS banner (helps thwart OS fingerprinting).
Replace the following line in /etc/mail/sendmail.cf
O SmtpGreetingMessage=$j Sendmail $v/$Z; $b
with
O SmtpGreetingMessage=
(sendmail still answers with a 220 line; only the version and date disappear.)
- Disable access to the sendmail "EXPN" and "VRFY" commands (decreases the information
that can be obtained from sendmail).
Append to the line in /etc/mail/sendmail.cf that begins with
O PrivacyOptions
these options...
noexpn,novrfy
If you generate sendmail.cf from an .mc file, make both changes there instead (confSMTP_LOGIN_MSG and confPRIVACY_FLAGS), or the next rebuild of sendmail.cf will undo them.
(Note: the ndd settings in the seven steps that follow are not persistent across
reboots - either append the commands to /etc/rc2.d/S69inet or put them into their own
init script and symlink it into an appropriate run level. A separate script is the safer choice, since a patch that replaces S69inet would silently drop your additions.)
- Change the default TCP maximum segment size (alters one fingerprintable default; it costs a little throughput, since each segment carries the same headers for fewer payload bytes).
/usr/sbin/ndd -set /dev/tcp tcp_mss_def 546
On Solaris 8 and later the parameter is named tcp_mss_def_ipv4.
- Turn off path MTU discovery.
/usr/sbin/ndd -set /dev/ip ip_path_mtu_discovery 0
- Change the path MTU discovery interval to 10 minutes - use ONLY if you left path
MTU discovery turned on in the previous step (the value is in milliseconds).
/usr/sbin/ndd -set /dev/ip ip_ire_pathmtu_interval 600000
- Do not forward directed broadcasts (stops the machine relaying Smurf-style amplification traffic onto the networks it is attached to).
/usr/sbin/ndd -set /dev/ip ip_forward_directed_broadcasts 0
- Prevent the system from responding to broadcast echo requests.
/usr/sbin/ndd -set /dev/ip ip_respond_to_echo_broadcast 0
- Do not forward source routed packets.
/usr/sbin/ndd -set /dev/ip ip_forward_src_routed 0
- Make address spoofing harder. The first setting makes the kernel accept a packet only on the interface that owns its destination address; 1 is the strict setting (0 is the permissive default, so setting 0 changes nothing), and it is harmless on a single-interface host. The other two shorten the ARP cache lifetimes (both values are in milliseconds) so that a poisoned ARP entry expires within about a minute; they narrow the window for ARP spoofing rather than prevent it, at the cost of some extra ARP traffic.
/usr/sbin/ndd -set /dev/ip ip_strict_dst_multihoming 1
/usr/sbin/ndd -set /dev/ip ip_ire_arp_interval 60000
/usr/sbin/ndd -set /dev/arp arp_cleanup_interval 60000
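An added example, not the page's own script, of the "own init script" approach for keeping the ndd settings above across reboots: the settings live in one table, "start" applies them, and "verify" reads each one back so drift can be checked after patching. The script and link names (nddconfig, S69nddconfig) are assumptions; the NDD variable exists only so the logic can be exercised offline with a stand-in for ndd. The table uses 1 for ip_strict_dst_multihoming (0 is the permissive default) and milliseconds for both ARP intervals, and it picks the MSS parameter name by release, since tcp_mss_def became tcp_mss_def_ipv4 in Solaris 8.

```shell
#!/bin/sh
# /etc/init.d/nddconfig -- added example, not the UIUC page's own script.
# ndd(1M) changes live only in the running kernel, so the settings from the
# steps above are re-applied from a table at every boot. Install as
# /etc/init.d/nddconfig and link it as /etc/rc2.d/S69nddconfig (script and
# link names are assumptions; any sequence number after S69inet works).
# "nddconfig verify" reports live values that differ from the table.

NDD=${NDD:-/usr/sbin/ndd}   # overridable so the logic can be tested offline

# The MSS parameter was renamed in Solaris 8; $1 is the output of uname -r.
tcp_mss_param() {
    minor=${1#5.}
    if [ "$minor" -ge 8 ] 2>/dev/null; then
        echo tcp_mss_def_ipv4
    else
        echo tcp_mss_def
    fi
}

# One "driver parameter value" triple per line. ip_strict_dst_multihoming is
# 1 here (0 is the permissive default); both ARP intervals are milliseconds.
ndd_settings() {
    cat <<EOF
tcp $(tcp_mss_param "$(uname -r)") 546
ip ip_path_mtu_discovery 0
ip ip_forward_directed_broadcasts 0
ip ip_respond_to_echo_broadcast 0
ip ip_forward_src_routed 0
ip ip_strict_dst_multihoming 1
ip ip_ire_arp_interval 60000
arp arp_cleanup_interval 60000
EOF
}

# Apply every row; a failure is reported but does not stop the others.
apply_settings() {
    ndd_settings | while read -r drv param value; do
        "$NDD" -set "/dev/$drv" "$param" "$value" \
            || echo "nddconfig: could not set $param" >&2
    done
    return 0
}

# Read each parameter back; print the drifted ones and return 1 if any.
verify_settings() {
    ndd_settings | while read -r drv param value; do
        live=$("$NDD" "/dev/$drv" "$param" 2>/dev/null)
        [ "$live" = "$value" ] || echo "$param is '$live', want $value"
    done | grep . && return 1
    return 0
}

case "${1:-}" in
    start)  apply_settings ;;
    verify) verify_settings ;;
    stop)   : ;;    # nothing to undo at shutdown
esac
```

Run "nddconfig verify" after every patch cluster: a patch that replaces a driver can reset a tunable, and the table is the one place that records what the host is supposed to look like.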
- Help prevent TCP sequence attack.
Change /etc/default/inetinit TCP_STRONG_ISS from 1 to 2 (TCP_STRONG_ISS=2)
- Disable IP forwarding (if you can in your environment). The file's presence makes the startup scripts skip turning forwarding on; on Solaris 10 the supported way is routeadm (routeadm -d ipv4-forwarding -u), and it is worth confirming afterwards with ndd /dev/ip ip_forwarding, which should print 0.
touch /etc/notrouter
- Help prevent stack based buffer overflow attacks (disable stack code
execution) and log such attempts.
Add the following lines to the /etc/system file (Caution: may break some SPARC
V8 ABI programs, esp. old compilers); each needs the "set" keyword, and a reboot is required to take effect.
On Solaris 10, 64-bit (sparcv9 and amd64) processes already run with a non-executable stack; the setting still governs 32-bit processes, so set it there as well.
set noexec_user_stack = 1
set noexec_user_stack_log = 1
The log setting writes a syslog message each time an attempt is blocked, which is also a useful detection signal.
- Disable XDMCP connections by creating a /etc/dt/config/Xaccess file
containing only "!*" (without quotes).
- Configure static routing by creating the file /etc/defaultrouter that
contains the IP of your machine's gateway.