gibbsie.org Knowledge Base

Basic Solaris Security Checks

Aug 7th 2008

Decrypting a file that has been encrypted with crypt (low-grade encryption; crypt reads standard input and writes standard output, so the redirections are required):
# crypt < abc.cr > abc && rm abc.cr

File encryption with crypt (low-grade encryption):
# crypt < abc > abc.cr && rm abc

Stops users logging in:
# echo 'Please go away' > /etc/nologin

Find all directories that are readable, writable and searchable by everyone (mode 0777):
# find / -perm -0777 -type d -ls

Find all SGID files:
# find / -type f -perm -2000 -print

Find all SUID files:
# find / -type f -perm -4000 -print
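The two find commands above list the set-id files at a point in time; what a defender usually wants is to know when that set changes. The script below is an added example, not part of the original post: it records a baseline of "mode path" lines for every setuid or setgid file under a directory and later reports any difference, so a file that gains a set-id bit shows up as well as a file that newly appears. It uses only POSIX find, ls, awk, sort and diff; on a real Solaris host you would add the same -fstype ... -prune clause the post uses for its world-writable searches to skip NFS and pseudo filesystems.

```shell
#!/bin/sh
# Added example (not from the original post): baseline and drift check for
# setuid/setgid files. Assumes only POSIX find/ls/awk/sort/diff.

# suid_list DIR -> sorted "mode path" lines on stdout
suid_list() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print | sort |
    while IFS= read -r f; do
        # ls -ld's first field is the symbolic mode, e.g. -rwsr-xr-x
        printf '%s %s\n' "$(ls -ld "$f" | awk '{print $1}')" "$f"
    done
}

# suid_baseline DIR BASEFILE -> record the current set-id files
suid_baseline() {
    suid_list "$1" > "$2"
}

# suid_check DIR BASEFILE -> 0 if unchanged, 1 (plus a diff) if anything differs
suid_check() {
    current=$(suid_list "$1")
    if [ "$current" = "$(cat "$2")" ]; then
        echo "no change in setuid/setgid files under $1"
        return 0
    fi
    echo "setuid/setgid files under $1 differ from baseline $2:"
    printf '%s\n' "$current" | diff "$2" -
    return 1
}

# Typical use on a host (baseline file kept off-box or read-only):
#   suid_baseline / /var/adm/suid.baseline
#   suid_check    / /var/adm/suid.baseline
```

Run suid_baseline once after installation and hardening, keep the baseline file somewhere an attacker cannot quietly edit, and run suid_check from cron or your monitoring agent; a non-zero exit is the alert.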

Generate passwords for LDAP Using ‘getpwenc’ Utility:
# getpwenc [encryption scheme] password

Trap specific signals and exit:
# trap 'exit 0' 1 2 3 9 15

Encrypt a file with vi editor:
# vi -x [filename]

Create a protected area for core dumps:
# mkdir -p /var/core
# chown root:root /var/core
# chmod 700 /var/core
# coreadm -g /var/core/core_%n_%f_%u_%g_%t_%p -e log -e global -e global-setid -d process -d proc-setid

Completely disable core dumps:
# coreadm -d global -d global-setid -d process -d proc-setid

Stack protection – limit buffer overflow exploits (the setting takes effect at the next reboot):
if [ ! "`grep noexec_user_stack /etc/system`" ]; then
cat <<END_CFG >>/etc/system
* Attempt to prevent and log stack-smashing attacks
set noexec_user_stack = 1
set noexec_user_stack_log = 1
END_CFG
fi

Enable Strong TCP Sequence Number Generation:
# cd /etc/default
# awk '/TCP_STRONG_ISS=/ { $1 = "TCP_STRONG_ISS=2" }; \
{ print }' inetinit > inetinit.new
# mv inetinit.new inetinit
# pkgchk -f -n -p /etc/default/inetinit

The variable TCP_STRONG_ISS selects how the initial sequence number (ISN) of each TCP connection is generated. If an attacker can predict the next sequence number, it is possible to inject fraudulent packets into the data stream to hijack the session. Solaris supports three sequence number methods:
# 0 = Old-fashioned sequential initial sequence number generation.
# 1 = Improved sequential generation, with random variance in increment.
# 2 = RFC 1948 sequence number generation, unique-per-connection-ID.

Log all failed login attempts:
# touch /var/adm/loginlog
# chown root:sys /var/adm/loginlog
# chmod 600 /var/adm/loginlog
# logadm -w loginlog -C 13 /var/adm/loginlog
# cd /etc/default
# awk '/SYSLOG_FAILED_LOGINS=/ { $1 = "SYSLOG_FAILED_LOGINS=0" }; \
{ print }' login >login.new
# mv login.new login
# pkgchk -f -n -p /etc/default/login

Enable cron logging:
# cd /etc/default
# awk '/CRONLOG=/ { $1 = "CRONLOG=YES" }; { print }' cron > cron.new
# mv cron.new cron
# pkgchk -f -n -p /etc/default/cron
# chown root:root /var/cron/log
# chmod go-rwx /var/cron/log
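The TCP_STRONG_ISS, SYSLOG_FAILED_LOGINS and CRONLOG steps above all edit a KEY=VALUE line in an /etc/default file with the same awk one-liner. That one-liner only rewrites a line that already contains the key; if the key is missing from the file nothing is changed and the check silently fails. The script below is an added example, not part of the original post: set_default rewrites the matching line (commented out with a leading # or not, as the post's awk does) and appends the line when the key is absent, and check_default reports drift so the same file can be audited later. It assumes only POSIX sh and awk.

```shell
#!/bin/sh
# Added example (not from the original post): idempotent edit and audit of
# Solaris /etc/default-style KEY=VALUE files. Assumes POSIX sh and awk.

# set_default FILE KEY VALUE
# Replaces an existing "KEY=..." or "#KEY=..." line, or appends KEY=VALUE.
set_default() {
    file=$1; key=$2; value=$3
    tmp="${file}.new"
    awk -v key="$key" -v value="$value" '
        $0 ~ ("^#?[ \t]*" key "=") { print key "=" value; seen = 1; next }
        { print }
        END { if (!seen) print key "=" value }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# check_default FILE KEY EXPECTED
# Prints ok/DRIFT; returns 0 when the active (uncommented) value matches.
check_default() {
    file=$1; key=$2; expected=$3
    actual=$(awk -F= -v key="$key" '$1 == key { v = $2 } END { print v }' "$file")
    if [ "$actual" = "$expected" ]; then
        echo "ok    $file $key=$actual"
        return 0
    fi
    echo "DRIFT $file $key=${actual:-<unset>} (expected $expected)"
    return 1
}

# Typical use on a host, mirroring the three checks in the post:
#   set_default /etc/default/inetinit TCP_STRONG_ISS 2
#   set_default /etc/default/login    SYSLOG_FAILED_LOGINS 0
#   set_default /etc/default/cron     CRONLOG YES
#   pkgchk -f -n -p /etc/default/inetinit   # restore owner/mode as in the post
#   check_default /etc/default/inetinit TCP_STRONG_ISS 2
```

Because set_default writes a new file and renames it over the old one, run pkgchk -f -n -p on each file afterwards exactly as the post does, so the package database's recorded owner and mode are restored.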

Enable system accounting:
# svcadm enable -r svc:/system/sar:default
# export EDITOR=vi
# crontab -e sys << END_ENTRIES
\$a
0,20,40 * * * * /usr/lib/sa/sa1
45 23 * * * /usr/lib/sa/sa2 -s 0:00 -e 23:59 -i 1200 -A
.
w
q
END_ENTRIES
# chown sys:sys /var/adm/sa/*
# chmod go-wx /var/adm/sa/*

Check file and group permissions of all installed packages:
# pkgchk -n

Find all world-writable directories:
# find / \( -fstype nfs -o -fstype cachefs -o -fstype ctfs -o -fstype mntfs -o -fstype objfs -o -fstype proc \) -prune -o -type d \( -perm -0002 -a ! -perm -1000 \) -print

Find all world-writable files:
# find / \( -fstype nfs -o -fstype cachefs -o -fstype ctfs -o -fstype mntfs -o -fstype objfs -o -fstype proc \) -prune -o -type f -perm -0002 -print

Set the sticky bit on all world-writable directories and files:
# for DIR in `find / \( -fstype nfs -o -fstype cachefs -o -fstype ctfs -o -fstype mntfs -o -fstype objfs -o -fstype proc \) -prune -o -type d \( -perm -0002 -a ! -perm -1000 \) -print`; do
chmod +t $DIR
done
# for FILE in `find / \( -fstype nfs -o -fstype cachefs -o -fstype ctfs -o -fstype mntfs -o -fstype objfs -o -fstype proc \) -prune -o -type f -perm -0002 -print`; do
chmod +t $FILE
done

Using ASET (Automated Security Enhancement Tool):
# /usr/aset/aset -l [level] -d [pathname]
Where:
level is low, medium or high
pathname is the working directory (default /usr/aset)
