
Solaris Security

General Guidelines
When working on any UNIX-based system, be sure to check the following:
  • Patching is your first line of defence. Start by installing any patches that your vendor has made available. For Solaris and AIX, WSG provides superglue.
  • Only essential services should be started out of inetd.conf. This should be determined on a per-machine basis, but a good rule of thumb is to turn off anything you can and run everything else through tcp wrappers.
  • OpenSSH should be installed to replace telnet and older versions of SSH as the preferred means of remote access.
  • Sendmail can, and should, be turned off if there is no need for it on a particular system.
  • Avoid using the root account when you don't have to.
  • SuperUser accounts should be created for everyone who needs to operate as root. The permissions are the same, but SU accounts create an extra record of who did what.
  • Netstat is a useful tool for checking for unwanted daemons. Look mainly at the tcp and udp lines.
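
One way to check the inetd.conf guideline above, as an added example that is not part of the original page: it lists every enabled inetd.conf entry and flags those that inetd starts directly instead of through tcp wrappers. The function names `audit_inetd` and `sample_inetd_conf` are hypothetical, the wrapper is assumed to be installed under the name `tcpd` (any directory), and the sample file is constructed.

```shell
#!/bin/sh
# audit_inetd [FILE]   (hypothetical helper; FILE defaults to /etc/inetd.conf)
# Prints one line per enabled (uncommented) entry:
#   WRAPPED   service proto   server program is tcpd (tcp wrappers)
#   INTERNAL  service proto   service handled inside inetd itself
#   UNWRAPPED service proto   daemon started directly by inetd
# Returns 0 if nothing is UNWRAPPED, 1 if something is, 2 if FILE is unreadable.
audit_inetd() {
    conf=${1:-/etc/inetd.conf}
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    awk '
        /^[ \t]*#/ || NF < 6 { next }       # skip comments and blank or short lines
        {
            # Fields: service, socket type, protocol, wait flag, user, server program
            n = split($6, p, "/")            # p[n] is the basename of the server program
            if (p[n] == "tcpd")        state = "WRAPPED"
            else if ($6 == "internal") state = "INTERNAL"
            else { state = "UNWRAPPED"; bad = 1 }
            printf "%-9s %s %s\n", state, $1, $3
        }
        END { exit bad + 0 }
    ' "$conf"
}

# Constructed sample input, not taken from a real host.
sample_inetd_conf() {
    cat <<'EOF'
# service type  proto wait   user   server               args
ftp     stream  tcp6  nowait root   /usr/sbin/tcpd       in.ftpd
telnet  stream  tcp6  nowait root   /usr/sbin/in.telnetd in.telnetd
#finger stream  tcp6  nowait nobody /usr/sbin/in.fingerd in.fingerd
time    stream  tcp6  nowait root   internal
EOF
}
```

Run `audit_inetd` with no argument on a host to review its live configuration; every UNWRAPPED line is a candidate for being commented out or moved behind tcp wrappers.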
Solaris Guidelines
For a step-by-step guide to securing and configuring a new Solaris machine, try our Securing Solaris Guide.
Best Practices
To enable logging of failed login attempts, you will need to create the /var/adm/loginlog file and change the permissions to restrict read and write access to owner only. The owner must be root and the group must be sys.

Remote X logins can be a security hazard. To minimize the risk, change /usr/dt/config/Xaccess to disallow XDMCP connections from everywhere. Because this change will be lost during upgrades, it is a good idea to copy /usr/dt/config/Xaccess to /etc/dt/config/Xaccess.