OpenSolaris AMI Hardening

Current version by gbrunette on Oct 07, 2009 07:08.

This page is structured after the headings used in the [Center for Internet Security|http://www.cisecurity.org] [Solaris 10 Benchmark|http://www.cisecurity.org/bench_solaris.html]. The actions described on this page were adapted to [OpenSolaris|http://www.opensolaris.com] based upon the CIS material (originally developed for [Solaris 10|http://www.sun.com/solaris]). The settings noted below are intended to closely mimic the CIS Solaris 10 Benchmark (as applied to OpenSolaris) so that a CIS-compliant hardened OpenSolaris machine image configuration can be developed for Compute Cloud providers such as Amazon Web Services (EC2). Unless otherwise stated, the settings are appropriate for OpenSolaris 2008.11 and newer versions. Any issues or differences are covered in the "Additional Information" sections below. Feedback as always is appreciated.
{note:title=This Page Has Moved}
This page has [moved|http://wikis.sun.com/display/ISC/OpenSolaris+Security+Hardening]. You should change your bookmarks to use the new [OpenSolaris Security Hardening|http://wikis.sun.com/display/ISC/OpenSolaris+Security+Hardening] page.
{note}
\\

{info:title=*Get It Now*}
You can obtain [OpenSolaris 2008.11|http://blogs.sun.com/ec2/entry/hardened_opensolaris_2008_11_on] and [OpenSolaris 2009.06|http://blogs.sun.com/ec2/entry/hardened_opensolaris_2009_06_on] Amazon Machine Images (AMIs) pre-configured with these settings. Give them a try today!
{info}
\\

{info:title=*Action Taken* Legend}
* *DEFAULT* - This recommendation corresponds to an OpenSolaris default setting, so no action was required.
* *YES* - This recommendation differs from the OpenSolaris default setting, so the corresponding action was taken to adjust the OpenSolaris configuration.
* *NO* - This recommendation does not apply to the OpenSolaris configuration, so no action was taken.
{info}
\\
\\
{toc}

h1. Install Patches and Additional Software

||#||Description||Action Taken||Additional Information||
|1.1|Apply Latest OS Patches|*NO*|Package updates on OpenSolaris AMIs are restricted by design: there is no way to determine whether an update requires changes to the ramdisk or kernel, which are managed separately on EC2. Use the current version of the OpenSolaris AMI to mitigate this.|
|1.2|Install Solaris Encryption Kit|DEFAULT|The Solaris Encryption Kit is integrated by default (since Solaris 10 08/07).|

h1. Restrict Services

||#||Description||Action Taken||Additional Information||
|2.1|Establish a Secure Baseline|DEFAULT|Secure by Default is the default out of the box setting for OpenSolaris. No additional steps were required.|
|2.2.1|Disable Local CDE ToolTalk Database Server|DEFAULT|Software was not installed by default.|
|2.2.2|Disable Local CDE Calendar Manager|DEFAULT|Software was not installed by default.|
|2.2.3|Disable Local Common Desktop Environment|DEFAULT|Software was not installed by default.|
|2.2.4|Disable Local Sendmail Service|*NO*|Sendmail is configured for queue processing services only and is not configured to accept incoming mail requests originating from off of the system.|
|2.2.5|Disable Local Web Console|DEFAULT|Software was not installed by default.|
|2.2.6|Disable Local WBEM|DEFAULT|Software was not installed by default.|
|2.2.7|Disable Local BSD Print Protocol Adaptor|DEFAULT|Service was disabled by Item 2.1.|
|2.3.1|Disable RPC Encryption Key|DEFAULT|Service was disabled by default.|
|2.3.2|Disable NIS Server Daemons|DEFAULT|Service was not installed by default.|
|2.3.3|Disable NIS Client Daemons|DEFAULT|Service was disabled by default.|
|2.3.4|Disable NIS+ Daemons|DEFAULT|Service was disabled by default.|
|2.3.5|Disable LDAP Cache Manager|DEFAULT|Service was disabled by default.|
|2.3.6|Disable Kerberos TGT Expiration Warning|*YES*|Service was enabled by default. Since Kerberos is often not needed for AMIs, this service was disabled. If enabled, the service is configured to use a loopback transport provider (no external network port is exposed) and run with limited privileges.|
|2.3.7|Disable Generic Security Services (GSS) Daemons|*YES*|Service was enabled by default. Since GSS is often not needed for AMIs, this service was disabled. If enabled, the service is configured to use a loopback transport provider (no external network port is exposed) and run with limited privileges.|
|2.3.8|Disable Volume Manager|*YES*|Service was enabled by default. Since access to removable media is not needed for AMIs, this service was disabled. Note that OpenSolaris uses the FMRI "rmvolmgr" in place of "volfs".|
|2.3.9|Disable Samba Support|DEFAULT|Software was not installed by default.|
|2.3.10|Disable Automount Daemon|*YES*|Service was enabled by default. Since Automount is often not needed for AMIs, this service was disabled. If enabled, this service does not expose a network port.|
|2.3.11|Disable Apache Services|DEFAULT|Service was not installed by default.|
|2.3.12|Disable Solaris Volume Manager Services|*YES*|Service (metainit) was enabled by default. Since the Solaris Volume Manager is often not needed for AMIs, this service was disabled. If enabled, this service does not expose a network port. In addition to metainit, the metasync service was also disabled (for the same reason).|
|2.3.13|Disable Solaris Volume Manager GUI|DEFAULT|Service was disabled by default.|
|2.3.14|Disable Local RPC Port Mapping Service|*YES*|Service was enabled by default. Since no RPC services were left running as part of this process, this service was disabled. If enabled, the service is configured to accept communication originating only from the local system, and it runs with limited privileges.|
|2.4.1|Enable Kerberos Server Daemons|DEFAULT|Service was disabled by default. Note that the "krb5_prop" service was not installed by default.|
|2.4.2|Enable NFS Server Processes|DEFAULT|Service was disabled by default.|
|2.4.3|Enable NFS Client Processes|DEFAULT|Service was disabled by default.|
|2.4.4|Enable telnet Access|DEFAULT|Service was disabled by default.|
|2.4.5|Enable FTP Access|DEFAULT|Service was disabled by default.|
|2.4.6|Enable Boot Services|DEFAULT|Software was not installed by default.|
|2.4.7|Enable Reverse Address Resolution Protocol (RARP)|DEFAULT|Software was not installed by default.|
|2.4.8|Enable DHCP Server Support|DEFAULT|Software was not installed by default.|
|2.4.9|Enable Domain Name System (DNS) Server Support|DEFAULT|Service was disabled by default.|
|2.4.10|Enable Trivial File Transfer Protocol (TFTP) Services|DEFAULT|Software was not installed by default.|
|2.4.11|Enable Printer Daemons|DEFAULT|Service was disabled by default. Note that the "print/cleanup" service was not installed by default.|
|2.4.12|Enable Simple Network Management Protocol (SNMP)|DEFAULT|Software was not installed by default.|
|2.5|Configure TCP Wrappers|*NO*|For a generic AMI this recommendation adds little. Individual users can enable TCP Wrappers if needed, or rely on other mitigating controls such as IP Filter or Amazon EC2 Security Groups.|

Beyond those services noted above, the following services were disabled as part of the OpenSolaris AMI Hardening process:

||Services||Rationale||
|svc:/application/desktop-cache/desktop-mime-cache:default
svc:/application/desktop-cache/gconf-cache:default
svc:/application/desktop-cache/icon-cache:default
svc:/application/desktop-cache/input-method-cache:default
svc:/application/desktop-cache/mime-types-cache:default
svc:/application/desktop-cache/pixbuf-loaders-installer:default
svc:/application/font/fc-cache:default
svc:/application/graphical-login/gdm:default|Desktop services are often not needed for AMIs|
|svc:/application/pkg/update:default|Image updates are not permitted for AMIs|
|svc:/application/print/ppd-cache-update:default|Printing services are often not needed for AMIs|
|svc:/network/dns/multicast:default|mDNS services are often not needed for AMIs|
|svc:/network/inetd:default|Since no inetd services were left running as part of this process, this service was disabled.|
|svc:/system/avahi-bridge-dsd:default
svc:/system/dbus:default|Message bus services are likely not needed for AMIs|
|svc:/system/hal:default|Hardware abstraction layer services are often not needed for AMIs|
|svc:/system/power:default|Power management services are often not needed for AMIs|
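The tables above record which services were disabled; the script below, added here as an example and not part of the original page or the AMI build process, verifies that state from "svcs -a" output. The FMRIs taken from the extra-services table are as written there; the ones standing in for items that name only a description (rpc/bind, rpc/keyserv, autofs, rmvolmgr, ktkt_warn, rpc/gss, metainit, metasync) are the standard OpenSolaris FMRIs and should be confirmed with "svcs" on your image. The listing it parses is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example: confirm that the services the AMI hardening process disables are not
# running. Parses "svcs -a" output (STATE STIME FMRI columns) from a file, so it runs
# offline against the constructed listing below; on a live image:
#   svcs -a > /tmp/svcs.out && check_disabled_services /tmp/svcs.out

HARDENED_DISABLED='svc:/network/rpc/keyserv:default
svc:/network/security/ktkt_warn:default
svc:/network/rpc/gss:default
svc:/system/filesystem/rmvolmgr:default
svc:/system/filesystem/autofs:default
svc:/system/metainit:default
svc:/system/metasync:default
svc:/network/rpc/bind:default
svc:/network/inetd:default
svc:/network/dns/multicast:default
svc:/system/dbus:default
svc:/system/hal:default
svc:/system/power:default
svc:/application/graphical-login/gdm:default'

# check_disabled_services LISTING
# Prints one line per expected-disabled FMRI that is online, degraded or in maintenance,
# with the svcadm command that disables it. Absent or disabled FMRIs are compliant.
# Returns 0 when everything is compliant, 1 otherwise.
check_disabled_services() {
    listing="$1"
    rc=0
    for fmri in $HARDENED_DISABLED; do
        state=$(awk -v f="$fmri" '$3 == f { print $1; exit }' "$listing")
        case "$state" in
            ""|disabled) ;;
            *) echo "$fmri is $state: svcadm disable $fmri"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample of "svcs -a" output (not captured from a real host): inetd and the
# RPC port mapper were left online and hal is stuck in maintenance; the rest comply.
SAMPLE_LISTING=$(mktemp)
cat > "$SAMPLE_LISTING" <<'EOF'
STATE          STIME    FMRI
legacy_run     Oct_07   lrc:/etc/rc2_d/S20sysetup
disabled       Oct_07   svc:/network/dns/multicast:default
disabled       Oct_07   svc:/system/filesystem/autofs:default
online         Oct_07   svc:/network/inetd:default
online         Oct_07   svc:/network/rpc/bind:default
online         Oct_07   svc:/network/ssh:default
maintenance    Oct_07   svc:/system/hal:default
EOF

check_disabled_services "$SAMPLE_LISTING" || echo "non-compliant services found"
```

A service in "maintenance" is reported too: it is not running, but SMF will try to start it again after a "svcadm clear", so a hardened image should carry it as "disabled" rather than rely on a failed start.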


h1. Kernel Tuning

||#||Description||Action Taken||Additional Information||
|3.1|Restrict Core Dumps to Protected Directory|*YES*| |
|3.2|Enable Stack Protection|*SEE NOTE*|For OpenSolaris 2008.11, this change is not implemented as a new boot image would first need to be created. For OpenSolaris 2009.06, this change is implemented.|
|3.3|Enable Strong TCP Sequence Number Generation|*YES*| |
|3.4|Modify Network Parameters|*YES*| |
|3.5|Disable Network Routing|DEFAULT| |
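The kernel-tuning items above are checked by the script below, which is an added example and not part of the original page or the AMI build. It compares /etc/system (item 3.2), /etc/default/inetinit (item 3.3) and the ndd(1M) network tunables (items 3.4 and 3.5) against the values in the CIS Solaris 10 Benchmark section 3; those expected values are reproduced from memory of the benchmark and should be confirmed against your copy. The sample files and the stand-in for live ndd values are constructed. As the table notes, an /etc/system change on EC2 only takes effect once a new boot image carrying it has been built.

```shell
#!/bin/sh
# Added example: verify the item 3.2, 3.3, 3.4 and 3.5 settings. Each check takes a file
# or a value reader, so it runs offline here and against the live image when NDD_GET is
# left unset (the default reader is "ndd -get").

# Item 3.2: non-executable user stacks, with attempts logged (set in /etc/system).
EXPECTED_SYSTEM='noexec_user_stack=1
noexec_user_stack_log=1'

# Items 3.4 and 3.5: "device parameter value", read and set with ndd(1M).
EXPECTED_NDD='/dev/ip ip_forward_src_routed 0
/dev/ip ip6_forward_src_routed 0
/dev/ip ip_forward_directed_broadcasts 0
/dev/ip ip_respond_to_timestamp 0
/dev/ip ip_respond_to_timestamp_broadcast 0
/dev/ip ip_respond_to_address_mask_broadcast 0
/dev/ip ip_respond_to_echo_broadcast 0
/dev/ip ip_ignore_redirect 1
/dev/ip ip6_ignore_redirect 1
/dev/ip ip_strict_dst_multihoming 1
/dev/ip ip_send_redirects 0
/dev/ip ip_forwarding 0
/dev/tcp tcp_rev_src_routes 0'

# check_etc_system FILE: every expected "set name=value" line present and not commented out.
check_etc_system() {
    rc=0
    for kv in $EXPECTED_SYSTEM; do
        grep -q "^[[:space:]]*set[[:space:]][[:space:]]*$kv[[:space:]]*$" "$1" ||
            { echo "/etc/system: missing 'set $kv'"; rc=1; }
    done
    return $rc
}

# check_inetinit FILE: item 3.3, RFC 1948 sequence numbers (TCP_STRONG_ISS=2).
check_inetinit() {
    grep -q '^TCP_STRONG_ISS=2$' "$1" && return 0
    echo "/etc/default/inetinit: TCP_STRONG_ISS is not 2"
    return 1
}

# get_ndd DEVICE PARAM: current value. NDD_GET names an alternative reader for offline runs.
get_ndd() { ${NDD_GET:-ndd -get} "$1" "$2"; }

# check_ndd_params: compare live values with EXPECTED_NDD and print a corrective "ndd -set"
# for each mismatch or unreadable parameter. The here-document keeps the loop in this shell.
check_ndd_params() {
    rc=0
    while read -r dev param want; do
        have=$(get_ndd "$dev" "$param" 2>/dev/null)
        [ "$have" = "$want" ] ||
            { echo "$dev $param is '${have:-unreadable}', want $want: ndd -set $dev $param $want"; rc=1; }
    done <<EOF
$EXPECTED_NDD
EOF
    return $rc
}

# ---- constructed sample data (not captured from a real image) ----
SAMPLE_DIR=$(mktemp -d)
printf '* constructed /etc/system\nset noexec_user_stack=1\nset noexec_user_stack_log=1\n' > "$SAMPLE_DIR/system"
printf 'TCP_STRONG_ISS=1\n' > "$SAMPLE_DIR/inetinit"   # shipped default, not the CIS value
# Stand-in for live ndd values: source routing still allowed, tcp_rev_src_routes absent.
cat > "$SAMPLE_DIR/ndd.txt" <<'EOF'
/dev/ip ip_forward_src_routed 1
/dev/ip ip6_forward_src_routed 0
/dev/ip ip_forward_directed_broadcasts 0
/dev/ip ip_respond_to_timestamp 0
/dev/ip ip_respond_to_timestamp_broadcast 0
/dev/ip ip_respond_to_address_mask_broadcast 0
/dev/ip ip_respond_to_echo_broadcast 0
/dev/ip ip_ignore_redirect 1
/dev/ip ip6_ignore_redirect 1
/dev/ip ip_strict_dst_multihoming 1
/dev/ip ip_send_redirects 0
/dev/ip ip_forwarding 0
EOF
sample_ndd_get() { awk -v d="$1" -v p="$2" '$1 == d && $2 == p { print $3; found = 1 } END { exit !found }' "$SAMPLE_DIR/ndd.txt"; }
NDD_GET=sample_ndd_get

check_etc_system "$SAMPLE_DIR/system"
check_inetinit "$SAMPLE_DIR/inetinit" || true
check_ndd_params || true
```

ndd settings do not survive a reboot, which is why the benchmark places them in a boot-time script; running check_ndd_params after a reboot is the quickest way to catch a script that never ran.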

h1. Logging

||#||Description||Action Taken||Additional Information||
|4.1|Enable inetd Connection Logging|*YES*|This step is only meaningful if inetd is re-enabled.|
|4.2|Enable FTP Daemon Logging|*YES*|This step is only meaningful if FTP is re-enabled.|
|4.3|Enable Debug Level Daemon Logging|*YES*| |
|4.4|Capture SYSLOG AUTH Messages|*YES*| |
|4.5|Enable Login Records|*YES*| |
|4.6|Capture All Failed Login Attempts|*YES*| |
|4.7|Enable cron Logging|DEFAULT| |
|4.8|Enable System Accounting|*YES*| |
|4.9|Enable Kernel Level Auditing|*SEE NOTE*|For OpenSolaris 2008.11, this change is not implemented as a new boot image would first need to be created. For OpenSolaris 2009.06, this change is implemented although a reduced audit configuration is implemented for simplicity.|

h1. File/Directory Permissions/Access

||#||Description||Action Taken||Additional Information||
|5.1|Set Daemon umask|DEFAULT| |
|5.2|Restrict Set-UID on User Mounted Devices|DEFAULT| |
|5.3|Verify System File Permissions|*NO*|The system file permissions are as delivered in OpenSolaris. Change requests should be submitted to [bugs.opensolaris.org].|
|5.4|Set Sticky Bit on World Writable Directories|DEFAULT|No non-sticky world writable directories exist by default. |
|5.5|Find World Writable Files|*YES*|The only world writable file by default is /var/adm/spellhist.|
|5.6|Find SUID/SGID System Executables|DEFAULT|The executable ownership and permissions are as delivered in OpenSolaris.|
|5.7|Find Un-owned Files and Directories|DEFAULT|No un-owned files or directories exist by default.|
|5.8|Find Files and Directories with Extended Attributes|DEFAULT|No files and directories with extended attributes exist by default.|

Beyond those checks noted above, it was verified that no files or directories with ACLs exist by default.
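The find(1) checks behind items 5.4 to 5.7, as an added example that is not part of the original page: it runs over a constructed directory tree so that it executes offline, and on a live image is run with the root directory as the argument (the benchmark adds -local to stay on local file systems). The accepted world-writable file list holds /var/adm/spellhist, per item 5.5. The Solaris-only -xattr and -acl predicates used for item 5.8 and the ACL check are not portable and are left out.

```shell
#!/bin/sh
# Added example: items 5.4 to 5.7 as reusable checks. Paths are printed relative to ROOT.

# World-writable files that OpenSolaris ships with (item 5.5) and that are accepted as is.
ALLOWED_WW_FILES='/var/adm/spellhist'

# relative ROOT: strip the ROOT prefix from each path on stdin.
relative() { sed "s|^$1||"; }

# nonsticky_ww_dirs ROOT: item 5.4, world-writable directories without the sticky bit.
nonsticky_ww_dirs() {
    find "$1" -xdev -type d -perm -0002 ! -perm -1000 -print 2>/dev/null | relative "$1"
}

# ww_files ROOT: item 5.5, world-writable regular files minus the accepted ones.
ww_files() {
    find "$1" -xdev -type f -perm -0002 -print 2>/dev/null | relative "$1" |
    while read -r p; do
        case " $ALLOWED_WW_FILES " in *" $p "*) ;; *) echo "$p" ;; esac
    done
}

# setid_files ROOT: item 5.6, set-UID/set-GID files, to compare against the shipped list.
setid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | relative "$1"
}

# unowned ROOT: item 5.7, files whose owner or group has no passwd/group entry.
unowned() {
    find "$1" -xdev \( -nouser -o -nogroup \) -print 2>/dev/null | relative "$1"
}

# audit_tree ROOT: all four checks, one "CATEGORY path" line per finding.
audit_tree() {
    nonsticky_ww_dirs "$1" | sed 's/^/NONSTICKY_WW_DIR /'
    ww_files "$1"          | sed 's/^/WW_FILE /'
    setid_files "$1"       | sed 's/^/SETID /'
    unowned "$1"           | sed 's/^/UNOWNED /'
}

# ---- constructed sample tree (not a real image) ----
SAMPLE_ROOT=$(mktemp -d)
mkdir -p "$SAMPLE_ROOT/var/adm" "$SAMPLE_ROOT/tmp" "$SAMPLE_ROOT/var/spool/drop" "$SAMPLE_ROOT/usr/bin"
: > "$SAMPLE_ROOT/var/adm/spellhist"; chmod 666 "$SAMPLE_ROOT/var/adm/spellhist"  # shipped, accepted
: > "$SAMPLE_ROOT/tmp/scratch.log";    chmod 666 "$SAMPLE_ROOT/tmp/scratch.log"   # reported
chmod 1777 "$SAMPLE_ROOT/tmp"                                                     # sticky: fine
chmod 777  "$SAMPLE_ROOT/var/spool/drop"                                          # not sticky: reported
: > "$SAMPLE_ROOT/usr/bin/su";         chmod 4755 "$SAMPLE_ROOT/usr/bin/su"       # set-UID: listed

audit_tree "$SAMPLE_ROOT"
```

On a real image the set-UID list is long and mostly legitimate; the useful control is diffing it against the list captured from a freshly installed OpenSolaris of the same release, so that only additions need explaining.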

h1. System Access, Authentication and Authorization

||#||Description||Action Taken||Additional Information||
|6.1|Disable login: Prompts on Serial Ports|*YES*| |
|6.2|Disable "nobody" Access for RPC Encryption Key Storage Service|*YES*| |
|6.3|Configure SSH|*NO*|OpenSolaris default values were used with the exception of _PermitRootLogin_ which was set to _without-password_ (which is necessary for Amazon EC2). Only the root account has access and even then only using public-key authentication. There are no passwords assigned, by default, to local accounts.|
|6.4|Disable .rhosts Support in /etc/pam.conf|*YES*| |
|6.5|Restrict FTP Use|DEFAULT|Beyond the users identified in this item, the users "postgres" and "xvm" were added to the restricted FTP user list.|
|6.6|Verify Delay between Failed Login Attempts Set to 4|DEFAULT| |
|6.7|Set Default Screen Lock for CDE Users|DEFAULT|Software was not installed by default.|
|6.8|Set Default Screen Lock for Gnome Users|*NO*|OpenSolaris GDM screen lock is enabled with the default timeout retained (OpenSolaris: 15 minutes; CIS: 10 minutes).|
|6.9|Restrict at/cron to Authorized Users|*YES*|The account "sys" was added to support Item 4.8.|
|6.10|Restrict root Login to System Console|DEFAULT|Note: SSH is configured to allow remote root login using public key authentication (standard for AMIs).|
|6.11|Set Retry Limit for Account Lockout|*YES*|Limited impact as only the root account is enabled by default. The root account has no password and is accessed remotely only using SSH public key authentication.|
|6.12|Set EEPROM Security Mode and Log Failed Access|*NO*|Not applicable to AMIs.|
|6.13|Secure the GRUB Menu|*NO*|Not applicable to AMIs.|

h1. User Accounts and Environment

||#||Description||Action Taken||Additional Information||
|7.1|Disable System Accounts|DEFAULT|Only the root account is active. Shell changes were not implemented.|
|7.2|Ensure Password Fields are Not Empty|DEFAULT| |
|7.3|Set Password Expiration Parameters on Active Accounts|*YES*|Only the root account is active (accessible only via SSH public key authentication), so no "active account" changes were required.|
|7.4|Set Strong Password Creation Policies|*PARTIAL*|The changes to /etc/default/passwd have been implemented as per the CIS recommendations. No changes have been made to any of the system accounts directly as there are no active accounts (all are locked or set to non-login) and the only way to authenticate by default is to use SSH as root with public key authentication.|
|7.5|Verify No Legacy "+" Entries Exist in passwd, shadow, and group files|DEFAULT| |
|7.6|Verify No UID 0 Accounts Exist Other than root|DEFAULT| |
|7.7|Set Default Group for root Account|DEFAULT| |
|7.8|Change Home Directory for root Account|DEFAULT| |
|7.9|Ensure root PATH Integrity|DEFAULT| |
|7.10|Check Permissions on User Home Directories|DEFAULT|There are no active user accounts by default.|
|7.11|Check User Dot File Permissions|DEFAULT|There are no active user accounts by default.|
|7.12|Check Permissions on User .netrc Files|DEFAULT|There are no .netrc files by default.|
|7.13|Check for Presence of User .rhosts Files|DEFAULT|There are no .rhosts files by default.|
|7.14|Set Default umask for Users|*NO*|Default file creation mask of 022 is used.|
|7.15|Set Default umask for FTP Users|*NO*|FTP is disabled by Item 2.4.5 and access is restricted by Item 6.5 (no user access is permitted). Default file creation mask of 022 is used.|
|7.16|Set "mesg n" as Default for All Users|*YES*| |
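The account and authentication items in the two tables above (6.3, 6.11, 7.2, 7.4, 7.5 and 7.6) can be audited with the script below, added here as an example and not part of the original page or the AMI build. Each check takes the file to inspect as an argument, so it runs against the constructed copies it builds and, on a live image, against /etc/ssh/sshd_config, /etc/passwd, /etc/shadow, /etc/group, /etc/default/passwd, /etc/default/login and /etc/security/policy.conf. The expected /etc/default/passwd values and the lockout settings are taken from the CIS Solaris 10 Benchmark items 6.11, 7.3 and 7.4 as remembered and should be confirmed against your copy; the sample files each carry one deliberate defect.

```shell
#!/bin/sh
# Added example: offline audit of items 6.3, 6.11, 7.2, 7.4, 7.5 and 7.6.

EXPECTED_DEFAULT_PASSWD='MAXWEEKS=13
MINWEEKS=1
WARNWEEKS=4
PASSLENGTH=8
NAMECHECK=YES
HISTORY=10
MINDIFF=3
MINALPHA=2
MINUPPER=1
MINLOWER=1
MINNONALPHA=1
MAXREPEATS=0
WHITESPACE=YES'

# check_sshd SSHD_CONFIG: item 6.3. root may log in remotely, but only with a public key.
# sshd honours the first occurrence of a keyword, hence head.
check_sshd() {
    v=$(awk 'tolower($1) == "permitrootlogin" { print $2 }' "$1" | head -n 1)
    [ "$v" = "without-password" ] && return 0
    echo "sshd_config: PermitRootLogin is '${v:-unset}', want without-password"
    return 1
}

# check_uid0 PASSWD: item 7.6. No account other than root may have UID 0.
check_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print "passwd: extra UID 0 account " $1; bad = 1 }
             END { exit bad + 0 }' "$1"
}

# check_empty_passwords SHADOW: item 7.2. An empty password field allows login with no
# password at all; locked (*LK*) and non-login (NP) entries are what the image uses.
check_empty_passwords() {
    awk -F: '$2 == "" { print "shadow: empty password field for " $1; bad = 1 }
             END { exit bad + 0 }' "$1"
}

# check_legacy_plus FILE...: item 7.5. No NIS "+" compatibility entries.
check_legacy_plus() {
    found=$(grep -l '^+' "$@" 2>/dev/null)
    [ -z "$found" ] && return 0
    echo "$found" | sed 's/^/legacy "+" entry in /'
    return 1
}

# check_default_passwd FILE: items 7.3/7.4. Each expected KEY=VALUE present and uncommented.
check_default_passwd() {
    rc=0
    for kv in $EXPECTED_DEFAULT_PASSWD; do
        grep -q "^$kv\$" "$1" ||
            { echo "default/passwd: want $kv, have $(grep "^${kv%%=*}=" "$1" || echo unset)"; rc=1; }
    done
    return $rc
}

# check_lockout LOGIN POLICY: item 6.11. Three tries, then the account is locked.
check_lockout() {
    rc=0
    grep -q '^RETRIES=3$' "$1" || { echo "default/login: RETRIES is not 3"; rc=1; }
    grep -q '^LOCK_AFTER_RETRIES=YES$' "$2" || { echo "policy.conf: LOCK_AFTER_RETRIES is not YES"; rc=1; }
    return $rc
}

# audit_accounts DIR: run every check on the files in DIR; exit status is the number of
# failed checks (0 means compliant).
audit_accounts() {
    fails=0
    check_sshd "$1/sshd_config"                          || fails=$((fails + 1))
    check_uid0 "$1/passwd"                               || fails=$((fails + 1))
    check_empty_passwords "$1/shadow"                    || fails=$((fails + 1))
    check_legacy_plus "$1/passwd" "$1/shadow" "$1/group" || fails=$((fails + 1))
    check_default_passwd "$1/default_passwd"             || fails=$((fails + 1))
    check_lockout "$1/default_login" "$1/policy.conf"    || fails=$((fails + 1))
    return $fails
}

# ---- constructed sample files (not copied from a real image) ----
SAMPLE=$(mktemp -d)
cat > "$SAMPLE/passwd" <<'EOF'
root:x:0:0:Super-User:/root:/usr/bin/bash
daemon:x:1:1::/:
toor:x:0:0:second UID 0:/:/usr/bin/bash
guest:x:101:10::/export/home/guest:/bin/sh
EOF
cat > "$SAMPLE/shadow" <<'EOF'
root:NP:14524::::::
daemon:NP:6445::::::
toor:NP:14524::::::
guest::14524::::::
EOF
printf 'root::0:\n+::0:\n' > "$SAMPLE/group"
printf 'Protocol 2\nPermitRootLogin yes\n' > "$SAMPLE/sshd_config"
echo "$EXPECTED_DEFAULT_PASSWD" | sed 's/^HISTORY=/#HISTORY=/' > "$SAMPLE/default_passwd"
printf 'RETRIES=3\n' > "$SAMPLE/default_login"
printf 'LOCK_AFTER_RETRIES=NO\n' > "$SAMPLE/policy.conf"

audit_accounts "$SAMPLE" || echo "$? of 6 checks failed"
```

The shadow check is the one worth keeping in a boot-time self-test: a password field that is empty, rather than NP or *LK*, turns the "no passwords assigned" property of the image into password-less login the moment a service other than SSH asks for authentication.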

h1. Warning Banners

||#||Description||Action Taken||Additional Information||
|8.1|Create Warnings for Standard Login Services|*YES*| |
|8.2|Create Warning Banner for CDE Users|DEFAULT|Software was not installed by default.|
|8.3|Create Warning Banner for GNOME Users|*NO*|GDM is disabled in Section 2.|
|8.4|Create Warning Banner for FTP Daemon|*YES*|FTP is disabled by Item 2.4.5.|
|8.5|Check Banner Setting for TELNET is NULL|DEFAULT|Telnet is disabled by Item 2.4.4.|
|8.6|Create Power On Warning|DEFAULT|Not applicable to AMIs.|
|8.7|Change Default Greeting String for Sendmail|*YES*| |


Copyright 1994-2009 Sun Microsystems, Inc.