Great Circle Associates Firewalls
(October 1995)

Subject: Re: Tightening up SunOS 5.4 (was Re: Hardened OS)
From: "C Matthew Curtin" <cmcurtin @ gatekeeper . cb . att . com>
Date: Tue, 31 Oct 1995 22:44:52 -0500
To: Eric Sheppard <Eric_Sheppard . BCI @ bbs . bellsouth . com>, firewalls <firewalls @ GreatCircle . COM>
In-reply-to: Eric Sheppard <Eric_Sheppard . BCI @ bbs . bellsouth . com> "Tightening up SunOS 5.4 (was Re: Hardened OS)" (Oct 31, 10:18am)
References: <m0tAIY7-000DjfC @ bstfirewall . bst . bls . com>

On Oct 31, 10:18am, Eric Sheppard wrote:

> I would like to hear about your experiences, as I'm beginning the same journey.
> What are some specific things I should be looking for?  I made sure most
> services were removed from inetd and the system, turned off IP forwarding
> in the config file, and installed tripwire and tcp-wrappers.  I'm also
> planning to implement SecureID to lock down the only login to the system,
> that being root.

Basically, I define:
	* What services we need
	* What applications we use to support those services
	* What system commands/drivers/etc are needed to support those apps

And blew away everything else.

If your only user is root, there is no point in having setuid on things like
ps, since anyone non-root trying to run that is obviously someone who broke
in, right? I removed all of the setuid/setgid bits, made them only runnable
by root.

Since you've already blown away everything that isn't directly needed
by your system or the applications you run to support necessary services,
things like tar, ar, cc, cpio, etc. are gone. If someone does break in,
make it impossible for them to bring in archives and build binaries. Do
you really need to have an ftp command on the system? I even removed vi :-)

Remove stuff like BCP mode, volume managers, source compat, modules you
don't need that live down in /usr/lib/nss*. Don't run admind, make liberal
use of exclude in /etc/system...

And do all of this after having done the minimal install, so I'm also assuming
there's no window system, man pages, etc.

pkgadd(1M) is your friend. By making a baseline configuration that fits
for all of your machines and making it a package, you can make installation
easy. Also, you can do the same thing for certain systems (i.e., multiple
layered gateways ... maybe your internal-side gateway has some different
configs from your external-side gateway) like "internal gateway package,"
and then another package for each of your machines where config files 
might be different.

The great thing about going this route is that you don't do anything on
the system itself ... you do it somewhere else first, test it, package it,
and then install it via tape (or whatever) on the production systems. Since
you don't ever do anything on your systems, you won't feel like you need
a big command set there, and if someone does break in, it'll be totally
useless if they have no commands available to them :-)

Hope that helps.

-- 
C Matthew Curtin    [AT&T|Bell] Labs     Internet Gateway Applications Group
http://www.att.com/homes/matt_curtin.html PGP OK cmcurtin @ gatekeeper . att . com
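The post describes two checks an administrator would repeat on every hardened gateway: list what still carries setuid/setgid and strip it so only root can run it, and confirm the archive and build tools (tar, ar, cc, cpio, ftp) are really gone. The POSIX shell helper below is an added example written for this archive page, not code from Curtin's post or from any AT&T package. Its tool list (the post's five names plus `as` and `ld`, an assumption) and the demo directory layout it constructs are illustrative; run the real functions against `/` only on a system you are prepared to change.

```sh
#!/bin/sh
# Added example: audit helpers for a root-only gateway, in the spirit of the
# post above. Nothing here is from the original message or any vendor package.

# Print every regular file under $1 that carries the setuid or setgid bit.
list_setuid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# Apply the post's policy: clear setuid/setgid and drop group/other access,
# so the file stays on the system but is runnable by root alone.
# Prints each path it changed.
lock_setuid() {
    list_setuid "$1" | while IFS= read -r f; do
        chmod u-s,g-s,go-rwx "$f" && printf 'locked %s\n' "$f"
    done
}

# Report any copy of the tools the post says to remove (tar, ar, cc, cpio,
# ftp) plus as/ld (assumed additions: a compiler is useless without them).
# Searches the whole tree, since Solaris keeps ar/as/ld under /usr/ccs/bin.
find_build_tools() {
    for t in tar ar cc cpio ftp as ld; do
        find "$1" -type f -name "$t" -print 2>/dev/null
    done
}

# Constructed demo tree (not a real system image): a setuid ps, a setgid
# write, two leftover build tools and one harmless file. Prints its path.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/usr/bin" "$d/usr/ccs/bin"
    for f in ps write sh tar; do
        printf '#!/bin/sh\n' > "$d/usr/bin/$f"
    done
    printf '#!/bin/sh\n' > "$d/usr/ccs/bin/ar"
    chmod 4755 "$d/usr/bin/ps"      # setuid, as a stock ps would be
    chmod 2755 "$d/usr/bin/write"   # setgid, as a stock write would be
    chmod 0755 "$d/usr/bin/sh" "$d/usr/bin/tar" "$d/usr/ccs/bin/ar"
    printf '%s\n' "$d"
}

# Usage: sh audit.sh demo   (runs the whole cycle on the constructed tree)
case "${1-}" in
demo)
    root=$(make_demo_tree)
    echo "setuid/setgid before:"; list_setuid "$root"
    lock_setuid "$root"
    echo "setuid/setgid after:";  list_setuid "$root"
    echo "build tools still present:"; find_build_tools "$root"
    rm -rf "$root"
    ;;
esac
```

`lock_setuid` deliberately keeps the binaries rather than deleting them, matching the post's "made them only runnable by root"; the list printed by `find_build_tools` is the deletion list for the second step. Re-running `list_setuid /` after a `pkgadd` is a cheap way to catch a package that quietly restored a setuid bit.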
