Is your Solaris environment is secure enough ? How can we tighten the system security ? Here we will see some basic Hardening steps for Solaris OS.Every organization should maintain hardening checklists of each operating systems which they are using it.Before server is bringing to operation/production, hardening check list needs to be verified by support team who supports the server.
Actually OS hardening part is begins before system built.Because you need to choose the customized OS image according to your environment.By reducing the OS image size,the possibility of risk(security and reliability) is very less and less size OS image speeds up the boot process and consumes less disk space.
1.Apply Recommended Patch Cluster bundle regularly . It has very important bug fixes and security fix patches. Visit https://support.oracle.com to check latest additional security patches and install it if applicable to your environment.
2.Disable all the services which are not being used anymore.There are many services which will make you system in high-risk.Disable services like RPC based services,NFS,NIS, Sendmail,Apache,SNMP,printer services and internet based services if no longer used in server.
3.Disable inetd services and use ssh for remote login and file-transfer.
Its better not to use telnet,ftp,rlogin services.
4.There are many parameters in the Solaris kernel which can be tuned to increase the system security.Network parameters can be tuned using ndd command.Other kernel parameters can modified using /etc/system file.
Network tweaks:
- Disable IP forwarding on OS
- Protect against SYN floods attacks
- Reduce ARP timeouts
5.Restrict root to login only via console and remove un-used users from the system.
Restrict cron access to normal users and disable .rhosts.
6.Set warning banners in /etc/motd & /etc/issue.
7.Increase the level of logging in system accounting,process accounting,kernel level auditing.
8.Create /etc/ftpd/ftpusers to restrict ftp to all users.
9.Remove the group writable from all files in /etc.
# chmod -R g-w /etc
10.Validate the OS start up scripts in all the run levels.Remove the start-up scrips which no longer needed.(/etc/rc2.d & /etc/rc3.d)
11.Turns on “stack protection” which will help to protect your system from many buffer overflow attacks.Add the below lines in /etc/system to turn on this feature.
set noexec_user_stack = 1
set noexec_user_stack_log = 1
12.Protect File Systems which are mounted on the system by setting “nosuid” or “ro” and set “logging” option for root file system in vfstab.
13.Enable Packet Filtering is necessary to increase system security.
14.Restrict access to TCP based network services by using TCP wrappers.
15.Disable un-used SMF service using svcadm command.
16.Use Solaris Security Toolkit (JASS)
17.Be cautious with removable media devices.Stop “vold” if possible.
To know More security information
Thank you for reading this article. If leave a comment if you would like to add more information here.
Image source:www.oralce.com