
Unix DMZ hardening procedure

revised

This is a loose document of things to do to harden a Solaris/Unix system for use in the DMZ. There is a LOT that needs doing; at some point I would hope to turn this into a script..... uh-huh... More to the point, some portions of this document can be applied to the DMZ target via 'cut and paste', while other steps are really a top-level description of what needs to be fixed (and thus need some external intelligence to drive the action). Note that Sun provides a tool that automates this, the Solaris Security Toolkit (JASS); it has a very high overhead in both learning and configuration.

Since this is going to be a cookbook for Alcatel IND, I'm including all of the stuff that we do on a box in the DMZ: things like routing, cshrc mods, Legato.....

Also NOTE: this stuff must be done prior to placing the box onto the live Internet, and you should take complete ufsdump tapes of the whole box just before placing it into the DMZ..... (A ufsdump tape can be restored from a single-user, CD-ROM-loaded kernel, unlike a Legato or Veritas tape.)

A few different areas to deal with:

  1. System Installation (Install Solaris 7 or greater!)
    1. Select a User workstation install
    2. Use the following _minimums_ for partition sizing:
      • 0 / 128 Mbytes
      • 1 swap 2048 MBytes
      • 3 /var 512 MBytes
      • 5 /opt 512 MBytes
      • 6 /usr 1024 MBytes
      • 7 /export/home Remaining disk (This slice map would be for a single disk install - YMMV)
    3. Install latest MU
    4. Install latest recommended patches (for Solaris 2.5.1, Solaris 2.6, Solaris 7, Solaris 8, Solaris 9)
    5. Install latest security (see SunSolve)
    6. Install OS specifics:
      1. Solaris 2.5.1
      2. Solaris 2.6
      3. Solaris 7
      4. Solaris 8
    7. Install platform specifics:
      1. Netra T1/105
    8. Install the following local packages:
      1. TCP wrappers
      2. PRNGD entropy generator.
      3. OpenSSH tools.
    9. For DNS servers install latest BIND (chroot'd)
    10. For Mail gateway boxes install the latest Sendmail or Juniper smtpd (chroot'd)
    11. Remove the following packages
      • pkgrm SUNWpcelx SUNWpcmci SUNWpcmcu SUNWpcmem SUNWpcser SUNWpsdpr
      • pkgrm SUNWpcelxx SUNWpcmcx SUNWpcmemx SUNWpsdprx SUNWpcserx
      • pkgrm SUNWnisr SUNWnisu
      • pkgrm SUNWypu SUNWypr
      • pkgrm SUNWatfsr SUNWatfsu
      • pkgrm SUNWadmfw (needed for showrev)
      • pkgrm SUNWinst
      • pkgrm SUNWluu SUNWlur
      • pkgrm SUNWbnur SUNWbnuu
      • pkgrm SUNWkcspf SUNWkcsrl SUNWkcspx SUNWkcspg SUNWkcsrt
      • pkgrm SUNWmipu SUNWmipr
      • pkgrm SUNWsacom SUNWsadmi SUNWsadmx SUNWsasnm SUNWsasnx SUNWmibii
      • pkgrm SUNWsndmr SUNWsndmu
      • pkgrm SUNWsshdu SUNWsshdr SUNWsshcu SUNWsshr SUNWsshu
  2. Initial system setup (from console)
    1. set up csh as root's shell in /etc/passwd and move root's home to /root
    2. create root's home directory /root
    3. set up the root-mo and root-th accounts, also with home in /root
    4. set the console terminal type to vt100 in /etc/inittab
    5. set up a temporary default router
    6. modify /etc/default/login to allow root login on ptys, and set UMASK to 077
  3. General file and permission stuff - The goal here is to set up a reasonably safe root login environment and then to lock the configuration files down so that changes are a little harder to make. By moving root's home directory we keep root's files out of /. This keeps / a little cleaner and perhaps keeps folks from poking around in root's files.

    1. close up trusts
    2. mkdir /root
    3. chmod 700 /root
    4. cd /root
    5. touch .rhosts .forward .profile .kshrc .netrc
    6. chmod 0 .rhosts .forward .profile .kshrc .netrc
    7. chown root:sys .rhosts .forward .profile .kshrc .netrc
    8. cd /
    9. touch .cshrc .logout .login .rhosts .forward .profile .kshrc .netrc .exrc
    10. chmod 0 .cshrc .logout .login .rhosts .forward .profile .kshrc .netrc .exrc
    11. chown root:sys .cshrc .logout .login .rhosts .forward .profile .kshrc .netrc .exrc
    12. rm /etc/hosts.equiv
    13. touch /etc/hosts.equiv
    14. chmod 0 /etc/hosts.equiv
    15. chown root:sys /etc/hosts.equiv
    16. touch /.cpr_config
    17. chmod 0 /.cpr_config
    18. chown root:sys /.cpr_config
    19. chmod 0 /etc/dfs/dfstab
    20. chown root:sys /etc/dfs/dfstab
    21. set directory/file perms /etc /var/mail via
    22. chmod -R g-w /etc
    23. chmod +t /var/mail
    24. Close up utmp and utmpx
    25. chmod 644 /var/adm/utmp*
    26. Protect global login profile
    27. chmod 600 /etc/.login
    28. ex/vi - holes
    29. touch /root/.exrc
    30. chmod 0 /root/.exrc
    31. chown root:sys /root/.exrc
    32. "set noexrc" and "set nomodelines" in EXINIT env var (in cshrc)
    33. Configure logging
    34. touch /var/adm/sulog
    35. chmod 600 /var/adm/sulog
    36. chown root:sys /var/adm/sulog
    37. touch /var/adm/loginlog
    38. chmod 600 /var/adm/loginlog
    39. chown root:sys /var/adm/loginlog
    40. touch /var/log/tripwire
    41. chown root:sys /var/log/tripwire
    42. chmod 600 /var/log/tripwire
    43. touch /var/log/authlog
    44. chown root:sys /var/log/authlog
    45. chmod 600 /var/log/authlog
    46. rm -rf /var/tmp
    47. ln -s /tmp /var/tmp
    48. Kill routed/rdisc
    49. touch /etc/notrouter
    50. mv /usr/sbin/in.rdisc /usr/sbin/in.rdisc.disabled
    51. chmod 444 /usr/sbin/in.rdisc.disabled
    52. echo "Norip le0" > /etc/gateways
    53. echo "Norip hme0" >> /etc/gateways
    54. echo "Norip hme1" >> /etc/gateways
    55. echo "Norip dmfe0" >> /etc/gateways
    56. echo "Norip dmfe1" >> /etc/gateways
    57. Close up 'su'
    58. chmod o-rwx /usr/bin/su
    59. chmod o-rwx /usr/sbin/su
    60. chmod o-rwx /sbin/su.static
    61. chgrp sys /usr/bin/su
    62. chgrp sys /usr/sbin/su
    63. chgrp sys /sbin/su.static
    64. Remove promiscuous things
    65. rm /usr/sbin/snoop
    66. File permissions
    67. chmod go-w /var/saf/_log
    68. chmod go-w /var/mail/:saved
    69. chmod go-w /dev/kstat
    70. chmod go-w /dev/ksyms
    71. chmod go-w /dev/conslog
    72. Some CERT/wiretap file fixes - fixes some stoopid file permissions
    73. chmod u-s /usr/lib/fs/ufs/ufsrestore
    74. chmod u-s /usr/sbin/pgxconfig
    75. chmod 0 /usr/openwin/bin/Xsun
    76. chmod 0 /usr/sbin/sadmind
    77. chmod 0 /usr/lib/dmi/snmpXdmid
    78. cd /usr/lib/fs/ufs
    79. chmod -s quota ufsdump
    80. cd /usr/bin
    81. chmod -s write at atq atrm crontab eject newgrp fdformat yppasswd tip uptime admintool chkey cancel lp lpset lpstat netstat
    82. chmod 0 rcp rdist rlogin rpcinfo rsh rup ruptime rusers rwho
    83. chmod -s sparcv[79]/ipcs sparcv[79]/ps sparcv[79]/uptime sparcv[79]/w
    84. cd /usr/sbin
    85. chmod -s wall traceroute ping pmconfig sacadm arp lpmove ffbconfig m64config afbconfig igsconfig pgxconfig dmesg
    86. chmod -s sparcv[79]/prtconf sparcv[79]/swap sparcv[79]/sysdef sparcv[79]/whodo
    87. chmod 0 /usr/sbin/static/rcp
    88. cd /usr/ucb
    89. chmod -s sparcv7/ps sparcv9/ps
    90. cd /usr/platform/`uname -i`/sbin
    91. chmod -s eeprom prtdiag
    92. cd /usr/openwin/bin
    93. chmod -s xlock mailtool kcms_c* sys-suspend
    94. cd /usr/dt/bin
    95. chmod -s dtaction dtappgather dtmail dtprintinfo dtsession
    96. cd /usr/sbin
    97. mv in.fingerd in.fingerd.disabled
    98. mv in.named in.named.disabled
    99. mv in.rarpd in.rarpd.disabled
    100. mv in.routed in.routed.disabled
    101. mv in.tftpd in.tftpd.disabled
    102. mv in.tnamed in.tnamed.disabled
    103. mv in.uucpd in.uucpd.disabled
    104. mv rpc.bootpramed rpc.bootpramed.disabled
    105. mv rpc.nisd rpc.nisd.disabled
    106. mv rpc.nisd_resolv rpc.nisd_resolv.disabled
    107. mv rpc.nispasswdd rpc.nispasswdd.disabled
    108. chmod 0 *.disabled
    109. 'fsirand' on all filesystems (Note: this must be done in single-user mode, preferably after boot -s from CD-ROM). This step randomizes the inodes so that file allocation no longer follows predictable patterns. If this is not done from the single-user state, your file systems (esp. /) will likely be trashed.
    110. set /, /usr, /opt, /export/... to ro and nosuid in /etc/vfstab (except for the ~ftp file system)
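Once the chmod/chown steps above have been pasted in, it is worth checking that they actually took. The following audit is an added example, not part of the original procedure: it verifies that the sentinel dotfiles are mode 0, that the setuid/setgid bits were stripped from the listed binaries, and that su is closed to "other". It parses ls -ld rather than stat(1) so it runs under both Solaris and Linux sh, and the optional ROOT prefix (an assumption, not on the page) lets it audit a staging tree. The three lists are a representative subset of the page's lists; extend them to taste.

```sh
#!/bin/sh
# Added example, not part of the original procedure: audit the lockdown.
# Lists are a subset of the page's; ROOT is an assumed prefix for staging.
SENTINELS="/.rhosts /.netrc /.forward /root/.rhosts /root/.netrc /root/.exrc
           /etc/hosts.equiv /etc/dfs/dfstab /usr/bin/rsh /usr/bin/rlogin"
NOSUID="/usr/bin/at /usr/bin/crontab /usr/bin/eject /usr/sbin/ping
        /usr/sbin/wall /usr/sbin/traceroute /usr/lib/fs/ufs/ufsrestore"
NOOTHER="/usr/bin/su /sbin/su.static"

# perms PATH -> the 9-character rwx field from ls -ld ("" if missing)
perms() { ls -ld "$1" 2>/dev/null | cut -c2-10; }

# each returns 0 when PATH satisfies the rule, 1 otherwise
is_mode0() { [ "$(perms "$1")" = "---------" ]; }
# setuid shows as s/S in the 3rd column, setgid in the 6th
no_setid() { case "$(perms "$1")" in "") return 1 ;; ??[sS]*|?????[sS]*) return 1 ;; esac; }
no_other() { case "$(perms "$1")" in ??????---) return 0 ;; esac; return 1; }

# audit_lockdown [ROOT]: print one line per deviation, return 1 if any
audit_lockdown() {
    root=${1:-}; bad=0
    for f in $SENTINELS; do
        is_mode0 "$root$f" || { echo "not mode 0: $f [$(perms "$root$f")]"; bad=1; }
    done
    for f in $NOSUID; do
        no_setid "$root$f" || { echo "setuid/setgid: $f [$(perms "$root$f")]"; bad=1; }
    done
    for f in $NOOTHER; do
        no_other "$root$f" || { echo "other has access: $f [$(perms "$root$f")]"; bad=1; }
    done
    return $bad
}
```

Run it as `audit_lockdown` on the live box (or `audit_lockdown /mnt/stage` against a mounted copy) and fix anything it prints before the box goes into the DMZ.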
  4. Remove unnecessary service startup scripts
    1. In /etc/rc2.d, move the following:
    2. cd /etc/rc2.d
    3. mkdir defunct
    4. mv S30sysid.net defunct
    5. mv S40llc2 defunct
    6. mv S42ncakmod defunct
    7. mv S47asppp defunct
    8. mv S47pppd defunct
    9. mv S70uucp defunct
    10. mv S71ldap.client defunct
    11. mv S71rpc defunct
    12. mv S71sysid.sys defunct
    13. mv S72autoinstall defunct
    14. mv S72directory defunct
    15. mv S72slpd defunct
    16. mv S73cachefs.daemon defunct
    17. mv S73nfs.client defunct
    18. mv S74autofs defunct
    19. mv S74xntpd defunct
    20. mv S75flashprom defunct
    21. mv S80lp defunct
    22. mv S80spc defunct
    23. mv S85power defunct
    24. mv S88sendmail defunct
    25. mv S89bdconfig defunct
    26. mv S90wbem defunct
    27. mv S91zuluinit defunct
    28. mv S91leoconfig defunct
    29. mv S92volmgt defunct
    30. mv S93cacheos.finish defunct
    31. mv S94ncalogd defunct
    32. mv S95ncad defunct
    33. mv S95IIim defunct
    34. mv S95svm.sync defunct
    35. mv S98efcode defunct
    36. mv S99dtlogin defunct
    37. mv S99rcapd defunct
    38. mv S99tsquantum defunct
    39. chmod -R 0 defunct
    40. In /etc/rc3.d, move the following:
    41. cd /etc/rc3.d
    42. mkdir defunct
    43. mv S13kdc.master defunct
    44. mv S14kdc defunct
    45. mv S15nfs.server defunct
    46. mv S16boot.server defunct
    47. mv S34dhcp defunct
    48. mv S52imq defunct
    49. mv S76snmpdx defunct
    50. mv S77dmi defunct
    51. mv S81volmgt defunct
    52. mv S84appserv defunct
    53. mv S89sshd defunct
    54. mv S90samba defunct
    55. chmod -R 0 defunct
    56. In /etc/init.d, move the following:
    57. cd /etc/init.d
    58. mkdir defunct
    59. rm *.old
    60. mv appserv defunct
    61. mv asppp defunct
    62. mv autofs defunct
    63. mv autoinstall defunct
    64. mv boot.server defunct
    65. mv buttons_n_dials-setup defunct
    66. mv cachefs.daemon defunct
    67. mv cacheos.finish defunct
    68. mv dhcp defunct
    69. mv dhcpagent defunct
    70. mv directory defunct
    71. mv dtlogin defunct
    72. mv efcode defunct
    73. mv flashprom defunct
    74. mv imq defunct
    75. mv init.dmi defunct
    76. mv init.snmpdx defunct
    77. mv init.wbem defunct
    78. mv kdc defunct
    79. mv kdc.master defunct
    80. mv ldap.client defunct
    81. mv leoconfig defunct
    82. mv llc2 defunct
    83. mv lp defunct
    84. mv ncad defunct
    85. mv ncakmod defunct
    86. mv ncalogd defunct
    87. mv nfs.client defunct
    88. mv nfs.server defunct
    89. mv power defunct
    90. mv pppd defunct
    91. mv rcapd defunct
    92. mv rpc defunct
    93. mv samba defunct
    94. mv sendmail defunct
    95. mv slpd defunct
    96. mv spc defunct
    97. mv sshd defunct
    98. mv svm.init defunct
    99. mv svm.sync defunct
    100. mv sysid.net defunct
    101. mv sysid.sys defunct
    102. mv tsquantum defunct
    103. mv uucp defunct
    104. mv volmgt defunct
    105. mv webstart defunct
    106. mv xntpd defunct
    107. mv zuluinit defunct
    108. chmod -R 0 defunct
    109. Clean out automounter files and NIS remnants
    110. rm /etc/auto_*
    111. rm /etc/defaultdomain
    112. lock down at/cron
    113. echo root > /etc/cron.d/at.allow
    114. echo root > /etc/cron.d/cron.allow
    115. chown root:sys /etc/cron.d/*.allow
    116. chmod 644 /etc/cron.d/*.allow
    117. fixup service rcs
    118. echo 'UMASK=077' > /etc/default/ftpd
    119. echo 'BANNER=""' >> /etc/default/ftpd
    120. echo 'BANNER=""' > /etc/default/telnetd
    121. chmod 644 /etc/default/ftpd /etc/default/telnetd
    122. chown root:sys /etc/default/ftpd /etc/default/telnetd
    123. close up DTlogin/XDMCP
    124. echo localhost > /usr/dt/config/Xaccess
    125. echo 127.0.0.1 >> /usr/dt/config/Xaccess
    126. echo "\!*" >> /usr/dt/config/Xaccess
    127. mkdir /etc/dt
    128. mkdir /etc/dt/config
    129. cp /usr/dt/config/Xaccess /etc/dt/config/Xaccess
    130. chmod 644 /usr/dt/config/Xaccess /etc/dt/config/Xaccess
    131. chown root:sys /usr/dt/config/Xaccess /etc/dt/config/Xaccess
  5. Setup temporary trusts
  6. add the following hosts to /root/.rhosts:
  7. nameserver
  8. omni
  9. oncilla
  10. hypatia
  11. add the following host IP address pairs to /etc/hosts:
  12. 198.206.181.139 nameserver
  13. 198.206.181.20 omni
  14. 198.206.181.190 oncilla
  15. 198.206.181.43 hypatia
  16. File copies from hypatia archives. Note: the archive is set up so that you can use scp to copy three specific directories onto the target and be done with the whole operation....

    1. Install the following root env files from Hypatia. You can either copy them from the browser or login to hypatia and use scp.
    2. rcp -p /export/hy_h0/library/DMZ/root/.alias ${DMZHOST}:/root/.alias
    3. rcp -p /export/hy_h0/library/DMZ/root/.cshrc ${DMZHOST}:/root/.cshrc
    4. rcp -p /export/hy_h0/library/DMZ/root/.local-paths ${DMZHOST}:/root/.local-paths
    5. rcp -p /export/hy_h0/library/DMZ/root/.logout ${DMZHOST}:/root/.logout
    6. rcp -p /export/hy_h0/library/DMZ/root/.prmpt ${DMZHOST}:/root/.prmpt
    7. rcp -p /export/hy_h0/library/DMZ/root/.xredirect ${DMZHOST}:/root/.xredirect
    8. Install the following local configurations from Hypatia. These files may need modifications depending on the version of Solaris you are installing.... Please make the appropriate mods after installation.
    9. rcp -p /export/hy_h0/library/DMZ/etc/defaultrouter ${DMZHOST}:/etc
    10. rcp -p /export/hy_h0/library/DMZ/etc/ftpusers ${DMZHOST}:/etc
    11. rcp -p /export/hy_h0/library/DMZ/etc/issue ${DMZHOST}:/etc
    12. rcp -p /export/hy_h0/library/DMZ/etc/netmasks ${DMZHOST}:/etc
    13. rcp -p /export/hy_h0/library/DMZ/etc/networks ${DMZHOST}:/etc
    14. rcp -p /export/hy_h0/library/DMZ/etc/nscd.conf ${DMZHOST}:/etc
    15. rcp -p /export/hy_h0/library/DMZ/etc/nsswitch.conf ${DMZHOST}:/etc
    16. rcp -p /export/hy_h0/library/DMZ/etc/resolv.conf ${DMZHOST}:/etc
    17. rcp -p /export/hy_h0/library/DMZ/etc/shells ${DMZHOST}:/etc
    18. rcp -p /export/hy_h0/library/DMZ/etc/syslog.conf ${DMZHOST}:/etc
    19. rcp -p /export/hy_h0/library/DMZ/etc/system ${DMZHOST}:/etc
    20. rcp -p /export/hy_h0/library/DMZ/etc/rc2.d/S98aind ${DMZHOST}:/etc/rc2.d
    21. rcp -p /export/hy_h0/library/DMZ/etc/mail/aliases ${DMZHOST}:/etc/mail
    22. rcp -p /export/hy_h0/library/DMZ/etc/mail/sendmail.cf.dmz ${DMZHOST}:/etc/mail/sendmail.cf
    23. rcp -p /export/hy_h0/library/DMZ/etc/hosts ${DMZHOST}:/etc NOTE: you will need to uncomment the appropriate defrouter entry for the DMZ leg that the dmzhost is installed on.
    24. Name mappings
    25. rcp -p /var/DMZ/rpc ${DMZHOST}:/etc
  17. Verify file contents
    1. Verify /etc/group,passwd,shadow file base from nameserver
    2. *LK* all pseudo users in /etc/shadow
    3. Close up inetd.conf (verify nameserver:/var/DMZ/inetd.conf) Add tcp-wrappers to ftp,telnet,shell,login,exec,comsat,talk
    4. Copy S98routing from nameserver Verify for your location
    5. Set TCP_STRONG_ISS=2 in /etc/default/inetinit
    6. Uncomment KEYBOARD_ABORT=alternate in /etc/default/kbd. This sets the ABORT sequence to <CR>~^B
    7. Modify /etc/system to suit local conditions.
    8. Copy snmp.conf from nameserver to /etc/snmp/conf/snmpd.conf and modify to suit.
    9. Modify /etc/inetd.conf in.ftp entry to include -dl (connection logging)
    10. Add -t option to inetd startup in /etc/init.d/inetsvc
    11. Comment out in.named entries in /etc/init.d/inetsvc (for non-DNS)
    12. Set PASSLENGTH=8 in /etc/default/passwd
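The /etc/default/* edits scattered through this checklist (TCP_STRONG_ISS=2, PASSLENGTH=8, KEYBOARD_ABORT=alternate here, UMASK=077 in login and ftpd earlier) are all the same operation on the same file format: KEY=VALUE lines, frequently shipped commented out. The helper below is an added example, not part of the original procedure: it sets a key by uncommenting or replacing the existing line rather than appending a second copy, and then verifies the whole set. The ROOT prefix is an assumption so the check can run against a staging tree.

```sh
#!/bin/sh
# Added example, not from the original procedure: set/verify /etc/default
# settings. ROOT (optional) is an assumed prefix for a staging tree.

# get_default FILE KEY -> prints the value of the last active KEY= line
get_default() {
    awk -v key="$2" -F= '
        /^[ \t]*#/ { next }
        $1 == key { val = substr($0, index($0, "=") + 1) }
        END { print val }' "$1"
}

# set_default FILE KEY VALUE: replace the first KEY= line (commented or
# not) with KEY=VALUE, drop any duplicates, append if the key is absent.
set_default() {
    f=$1; key=$2; val=$3
    [ -f "$f" ] || : > "$f"            # e.g. /etc/default/ftpd may not exist yet
    tmp="$f.tmp.$$"
    awk -v key="$key" -v val="$val" '
        BEGIN { re = "^[ \t]*#?[ \t]*" key "=" }
        $0 ~ re { if (!done) print key "=" val; done = 1; next }
        { print }
        END { if (!done) print key "=" val }' "$f" > "$tmp" && mv "$tmp" "$f"
}

# check_defaults [ROOT]: report every setting that deviates from the
# checklist; return 1 if any does.
check_defaults() {
    root=${1:-}; bad=0
    for spec in inetinit:TCP_STRONG_ISS:2 passwd:PASSLENGTH:8 \
                login:UMASK:077 ftpd:UMASK:077 kbd:KEYBOARD_ABORT:alternate; do
        file=${spec%%:*}; rest=${spec#*:}; key=${rest%%:*}; want=${rest#*:}
        have=$(get_default "$root/etc/default/$file" "$key" 2>/dev/null)
        [ "$have" = "$want" ] || { echo "$file: $key=$have (want $want)"; bad=1; }
    done
    return $bad
}
```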
  18. Install packages (FROM omni)
    1. Install NTP
    2. rcp -rp /usr/local/DMZ/ntp $DMZHOST:/opt
    3. On dmzhost
    4. mv /opt/ntp/etc/S73xntp /etc/rc2.d
    5. OR add to crontab
    6. #
      # time sync this beast
      #
      12,42 * * * * /opt/ntp/bin/ntpdate timeserver > /dev/null 2>&1
      #
      # other security thingys
      #
      15 7 * * 6 find / -user root -perm -4000 -exec ls -lat {} \;
    7. Install idled
    8. rcp -rp /usr/local/DMZ/idled $DMZHOST:/opt
    9. On dmzhost
    10. cp /opt/idled/S95idled /etc/rc2.d
    11. Install minimum local utilities
    12. rcp -rp /usr/local/DMZ/local $DMZHOST:/opt
    13. Install tripwire (from nameserver)
    14. rcp -p /net/sun/Packages/tw-sol-2.2.1.tar.gz $DMZHOST:/tmp
    15. On dmzhost
    16. cd /tmp
    17. gzcat tw-sol-2.2.1.tar.gz|tar xvf -
    18. cd /tmp/tripwire??
    19. ./install.sh
    20. cp /tmp/tripwire??/README.kris /opt/TSS
    21. Install networker client (from ??)
    22. rcp /net/sun/Packages/LGTOclient.tar.gz $DMZHOST:/tmp
    23. On dmzhost
    24. cd /tmp
    25. gzcat LGTOclient.tar.gz|tar xvf -
    26. pkgadd -d . LGTOclnt
  19. Run ASET in high mode - fix security

  20. Install tocsin/klaxon to detect port scans. - modify the /etc/inetd.conf file as shown to catch some trivial scans.
    1. shell stream tcp nowait root /usr/local/bin/klaxid klaxon shell
    2. login stream tcp nowait root /usr/local/bin/klaxid klaxon login
    3. exec stream tcp nowait root /usr/local/bin/klaxid klaxon exec
    4. supdup stream tcp nowait root /usr/local/bin/klaxon klaxon supdup
    5. tcpmux stream tcp nowait root /usr/local/bin/klaxon klaxon tcpmux
    6. tftp dgram udp wait root /usr/local/bin/klaxid klaxon tftp
    7. echo stream tcp nowait root /usr/local/bin/klaxon klaxon echo
    8. discard stream tcp nowait root /usr/local/bin/klaxon klaxon discard
    9. chargen stream tcp nowait root /usr/local/bin/klaxon klaxon chargen
    10. Or for tocsin - /usr/local/bin/tocsin tcpmux echo discard chargen supdup x400
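Section 17 asks for TCP wrappers on ftp, telnet, shell, login, exec, comsat and talk, and for -dl on the in.ftpd entry; the klaxon entries just above replace some of those same service lines. The filter below is an added example, not part of the original procedure, that applies the section 17 changes to an inetd.conf and leaves anything that is not a stock in.* daemon (an already-wrapped entry, or a klaxon decoy) alone, so it can be re-run safely. The tcpd path is an assumption; the page does not give one.

```sh
#!/bin/sh
# Added example, not from the original procedure: wrap inetd services with
# tcpd and log ftp connections. TCPD is assumed; adjust to your install.
TCPD=${TCPD:-/usr/local/sbin/tcpd}
WRAP="ftp telnet shell login exec comsat talk"

# wrap_inetd: inetd.conf on stdin -> hardened inetd.conf on stdout.
# Classic layout: service socktype proto wait user server-path argv0 args...
# tcpd takes the server path slot and execs argv0 from its real-daemon dir.
wrap_inetd() {
    awk -v tcpd="$TCPD" -v wrap="$WRAP" '
    BEGIN { n = split(wrap, w, " "); for (i = 1; i <= n; i++) want[w[i]] = 1 }
    /^[ \t]*#/ || NF < 7 { print; next }           # comments, blanks, oddities pass through
    ($1 in want) && $6 != tcpd && $7 ~ /^in\./ {   # only unwrapped stock daemons
        $6 = tcpd
        if ($1 == "ftp" && $0 !~ /[ \t]-dl([ \t]|$)/)
            $(NF + 1) = "-dl"                      # connection logging for in.ftpd
    }
    { print }'
}

# unwrapped: print services from WRAP whose live entry still bypasses
# tcpd; exit status 1 if there are any (post-install check).
unwrapped() {
    awk -v tcpd="$TCPD" -v wrap="$WRAP" '
    BEGIN { n = split(wrap, w, " "); for (i = 1; i <= n; i++) want[w[i]] = 1; bad = 0 }
    /^[ \t]*#/ || NF < 7 { next }
    ($1 in want) && $6 != tcpd && $7 ~ /^in\./ { print $1; bad = 1 }
    END { exit bad }'
}
```

Typical use: `wrap_inetd < /etc/inetd.conf > /etc/inetd.conf.new`, inspect, move it into place, and then `unwrapped < /etc/inetd.conf` should print nothing.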

  21. Mods to move into DMZ
    1. Modify /etc/hosts for new hostname/IP addr
    2. Modify /etc/hostname.ifN, /etc/nodename, /etc/net/*
    3. Verify mail aliases and sendmail.cf
    4. remove hosts from /root/.rhosts:
    5. rm /root/.rhosts
    6. touch /root/.rhosts
    7. chown root:sys /root/.rhosts
    8. chmod 0 /root/.rhosts
    9. Verify /etc/resolv.conf
    10. Verify S98routing for YOUR net config.
    11. Verify and initiate Tripwire processing (see README.kris). Add to crontab: '5 1 * * * /opt/TSS/bin/tripwire -m c -M -s -n > /dev/null 2>&1'. Copy twpol.txt, hostname.twd and tw.pol to the DMZ save area.
    12. Remove pam_rhosts_auth lines in /etc/pam.conf
  22. Configure tripwire: install tripwire into /opt/TSS and follow the README.kris instructions
    1. Edit the policy file in /opt/TSS/policy/twpol.txt
    2. Configure database
    3. cd /opt/TSS/policy

  23. Install user accounts - The last step is to install the global login that Alcanet can use to access this box. Though these folk will not normally access our boxen, we need to provide a door for them to help us.
  24. mkdir /opt/logins
  25. chmod 755 /opt/logins
  26. mkdir /opt/logins/alcanet
  27. chmod 755 /opt/logins/alcanet
  28. chown alcanet:alcatel /opt/logins/alcanet
  29. cd /opt/logins/alcanet
  30. touch .rhosts .forward .profile .kshrc .netrc .exrc
  31. chmod 0 .rhosts .forward .profile .kshrc .netrc .exrc
  32. cp /root/.cshrc .
  33. cp /root/.prmpt .
  34. cp /root/.logout .
  35. chown alcanet:alcatel .rhosts .forward .profile .exrc .kshrc .netrc .cshrc .prmpt .logout

Post-install

  1. Maintain security patch level
  2. Maintain Sendmail
  3. Maintain BIND

(some generic notes from previous DMZ hardening: install recommended patches JRE1.8? SunScan DNS

do port scan..... )

Additional stuff: ensure tripwire is auditing:

/etc, /etc/init.d, /etc/rc0.d, /etc/rc1.d, /etc/rc2.d, /etc/rc3.d, /usr/sbin, /kernel, /etc/cron.d, /etc/default, /var/cron, /var/spool/cron, !/var/spool/cron/atjobs, /etc/cron.d/*{allow,deny}

add secure rpcbind to machines that MUST have rpcs (ftp.pocupine.org/pub/security/rpcbind...)

Add 103582-12 (or higher) TCP connection Queue patch (2.5.1)