Table of Contents
Preface
Part I: Solaris Operating Environment Security
Chapter 1: Solaris Operating Environment Security
File Systems and Local Security
Initial Installation
Minimization
Console Security
File System
Accounts
The init System
Kernel Adjustments
Log Files
Miscellaneous Configuration
Network Service Security
Network Service Issues
Available Tools
Telnet
Remote Access Services (rsh, rlogin, and rcp)
Remote Execution Service (rexec)
FTP
Trivial FTP
inetd Managed Services
RPC Services
NFS Server
Automount
sendmail
Name Service Caching (nscd)
Print Services
IP Forwarding
Network Routing
Multicast Routing
Reducing inetsvc
Network Service Banners
Related Resources
Chapter 2: Network Settings for Security
The ndd Command
Notes on Parameter Changes
Address Resolution Protocol (ARP)
ARP Attacks
ARP Defenses
Internet Control Message Protocol (ICMP)
Broadcasts
Redirect Errors
Internet Protocol (IP)
IP Forwarding
Strict Destination Multihoming
Forwarding Directed Broadcasts
Routing
Forwarding Source Routed Packets
Transmission Control Protocol (TCP)
SYN Flood Attacks
Connection Exhaustion Attacks
IP Spoofing Attacks
Common TCP and UDP Parameters
Adding Privileged Ports
Changing the Ephemeral Port Range
Script for Implementing ndd Commands
Related Resources
Chapter 3: Minimization
Installation Clusters
Test Environment
Methodology Overview
Verifying JumpStart Software
Installing Core Solaris OE Cluster
Installing Patches
Removing Unnecessary Packages
Using JumpStart Software to Configure the OS
Installing and Configuring Software Packages
Checking For Errors
Testing Software Installation
Final Configuration of iPlanet Web Server 4.1
Solaris 8 OE
Solaris 7 OE
Solaris 2.6 OE
Related Resources
Publications
Web Sites
Chapter 4: Auditing
Sun SHIELD Basic Security Module (BSM)
Auditing Principles
Auditing Goals
Enabling Auditing
Definition of Terms
Audit Flag
Audit Preselection Mask
Audit Trail
Audit User ID (AUID)
audit_class
audit_control
audit_event
audit_user
Audit Trails
Audit Classes and Events
Login or Logout (lo)
Non-attribute (na)
Administrative (ad)
Additional Audit Events
Application Audit Class
Excluded Audit Classes
Audit Trail Analysis
audit_control, audit_class, and audit_event Files
audit_control File
Modified audit_class File
Modified audit_event File
audit_event Modifications
Solaris OE Upgrades
Related Resources
Part II: Architecture Security
Chapter 5: Building Secure N-Tier Environments
Is There a Silver Bullet?
N-Tier Description
Web Server Tier
Application Server Tier
Database Server Tier
Storage Area Network Tier
Backup Tier
ExtraNet/Service Provider Tier
Management Tier
Defense-In-Depth
Segmentation
System Build Requirements
Dedicated Functionality
Hardening
Host-Based Firewall
Minimization
Communication and IP Forwarding
Network Flow
System Configuration
Network Segmentation
Internet-Web Server Tier
Web Server-Application Server Tier
Application Server Tier-Database Tier
ExtraNet Tier-Database Tier
Backup Tier-Systems Being Backed Up
SAN Tier-Systems Using SAN
Management Tier-All Servers
Build Process
Encryption
Backups
Centralized Logging
Intrusion Detection
Related Resources
Part III: Justification for Security
Chapter 6: How Hackers Do It: Tricks, Tools, and Techniques
Tricks
Finding Access Vulnerabilities
Finding Operating System Vulnerabilities
Attacking Solaris OE Vulnerabilities
Tools
Port Scanners
Vulnerability Scanners
Rootkits
Sniffers
Techniques
Attacks From the Internet
Attacks From Employees
How to Use the Tools
Using Port Scanners
Using Vulnerability Scanners
Using Rootkits
Using Sniffers
References
Related Resources
Publications
Web Sites
Part IV: Tools Security
Chapter 7: Solaris Fingerprint Database
How Does the sfpDB Work?
sfpDB Scope
Limitations
Downloading and Installing MD5
Creating an MD5 Digital Fingerprint
Testing an MD5 Digital Fingerprint
Real-World Results
Additional sfpDB Tools
Solaris FingerPrint Database Companion (sfpC)
Solaris Fingerprint Database Sidekick (sfpS)
Frequently Asked Questions
Related Resources
Part V: Hardware and Software Security
Chapter 8: Securing the Sun Fire 15K System Controller
Introduction to Sun Fire 15K SC
Assumptions and Limitations
Understanding the SC Functions
Redundant SCs
System Management Services (SMS) Software
Securing the Sun Fire 15K SC
Solaris Security Toolkit Software
Obtaining Support
Default SC SMS Software Configuration
SC Solaris OE SMS Packages
SC SMS Accounts and Security
SC SMS Daemons
SC Network Interfaces
Main SC Network Interfaces
Spare SC Network Interfaces
Secured SC Solaris OE Configuration
Security Recommendations
Implementing the Recommendations
Software Installation
Securing the SC with the Solaris Security Toolkit Software
Related Resources
Chapter 9: Securing Sun Fire 15K Domains
Disclaimer
Obtaining Support
Assumptions and Limitations
Solaris 8 OE
SMS
Solaris OE Packages
Solaris Security Toolkit Software
Network Cards
Minimization
Domain Solaris OE Configuration
Sun Fire 15K Domain Hardening
Standalone Versus JumpStart Modes
Solaris Security Toolkit Software
Security Modifications
Installing Security Software
Installing the Solaris Security Toolkit Software
Installing the Recommended and Security Patch Clusters
Installing the FixModes Software
Installing the OpenSSH Software
Installing the MD5 Software
Domain Solaris OE Modifications
Executing the Solaris Security Toolkit Software
Verifying Domain Hardening
Secured Domain Solaris OE Configuration
Solaris Security Toolkit Scripts
Related Resources
Chapter 10: Securing Sun Enterprise 10000 System Service Processors
Background Information
Assumptions and Limitations
Qualified Software Versions
Obtaining Support
Sun Enterprise 10000 System Features and Security
System Service Processor (SSP)
Solaris OE Defaults and Modifications
Building a Secure Sun Enterprise 10000 System
Modifying Network Topology
Installing Main SSP Detection Script
Adding Security Software
Creating Domain Administrator Accounts
Adding Host-Based Firewalls
Verifying SSP Hardening
Testing the Main SSP
Testing the Spare SSP
Sample SunScreen Software Configuration File
Related Resources
Chapter 11: Sun Cluster 3.0 (12/01) Security with the Apache and iPlanet Web and Messaging Agents
Software Versions
Obtaining Support
Assumptions and Limitations
Solaris 8 OE
Sun Cluster 3.0 (12/01) Software
iPlanet Web and Messaging Servers and Apache Web Server Supported
Solaris OE Packages and Installation
Cluster Interconnect Links
Solaris Security Toolkit Software
Security Modification Scope
Minimization
Solaris OE Service Restriction
Hardening Modifications
Hardening Results
Sun Cluster 3.0 Daemons
Terminal Server Usage
Node Authentication
Securing Sun Cluster 3.0 Software
Installing Security Software
Sun Cluster 3.0 Node Solaris OE Modifications
Verifying Node Hardening
Maintaining a Secure System
Solaris Security Toolkit Software Backout Capabilities
Related Resources
Chapter 12: Securing the Sun Fire Midframe System Controller
System Controller (SC) Overview
Midframe Service Processor
Hardware Requirements
Mapping of MSP to SC
Network Topology
Terminal Servers
Control-A and Control-X Commands
MSP Fault Tolerance
MSP Security
MSP Hardening
Solaris Security Toolkit Installation
Recommended and Security Patch Installation
Solaris Security Toolkit Execution
MSP SYSLOG Configuration
SC Application Security Settings
Platform Administrator
Domain Administrator
Domain Security Settings
The setkeyswitch Command
Other System Controller Security Issues
Engineering Mode
dumpconfig and restoreconfig
flashupdate
Recovering a Platform Administrator's Lost Password
Related Resources
Publications
Web Sites
Part VI: Solaris Security Toolkit Documentation
Chapter 13: Quick Start
Installation
Compressed Tar Archive
Package Format
Configuration and Usage
Standalone Mode
JumpStart Mode
Undo
Frequently Asked Questions
Related Resources
Chapter 14: Installation, Configuration, and User Guide
Problem
Solution
Standalone Mode
JumpStart Technology Mode
Supported Versions
Obtaining Support
Architecture
Installation and Basic Configuration
Advanced Configuration
driver.init Configuration File
JASS_FILES_DIR
finish.init Configuration File
user.init Configuration File
Using the Solaris Security Toolkit
JumpStart Mode
Standalone Mode
Building Custom Packages
Related Resources
Chapter 15: Internals
Supported Solaris OE Versions
Architecture
Documentation Directory
Drivers Directory
Driver Script Creation
Driver Script Listing
Files Directory
The JASS_FILES Environment Variable and Files Directory Set Up
Files Directory Listing
Finish Directory
Finish Script Creation
Finish Script Listing
Install Finish Scripts
Minimize Finish Script
Print Finish Scripts
Remove Finish Script
Set Finish Scripts
Update Finish Scripts
OS Directory
Packages Directory
Patches Directory
Profiles Directory
Profile Creation
Profile Configuration Files
Sysidcfg Directory
Version Control
Related Resources
Chapter 16: Release Notes
New Undo Feature
Updated Framework
driver.run Script
JASS_CONFIG_DIR Variable Renamed
SCRIPTS* and FILES* Prefix Conventions
SUNWjass
New Data Repository
copy_files Function Enhanced
New Configuration File finish.init
Changes to Profiles
New Driver Scripts
Changes to Driver Scripts
New Finish Scripts
Changes to Finish Scripts
Disabled Accounts
Increased Partition Size Default
Modified disable-system-accounts.fin
Renamed disable-rlogin-rhosts.fin
Updated install-strong-permissions.fin
Removed EvilList Parameter Duplicates
Improved Output Format for print-jass-environment.fin
Symbolic Links Changed in set-system-umask.fin
Improved Finish Scripts
Preventing kill Scripts from Being Disabled
New File Templates
Miscellaneous Changes
Logging Changes to System Files
Symbolic Links to Files and Directories
Formatting Leading Slashes (/)
Processing User Variables-Bug Fixed
Removed add-client Directory Dependency
Changed Default le0 Entry
New Variable JASS_HOSTNAME
Index