rotaris357

How to harden Solaris 8?

Does anyone know what I should do to make my Solaris stronger? Which files or any services or anything else I have to do? Please suggest.

Many Thanks in Advance.
ASKER CERTIFIED SOLUTION
yuzh

This solution is only available to members.
besky

There is also a way to avoid reading 600 pages of security info.

Use "aset" which is a tightening tool in Solaris.
You can run it at 3 different levels depending on how
strict you want it.

Check the aset manpage and read up on the stuff afterwards
if you are interested.

If you are connected to the outside there are also some
things you might want to turn off, like ICMP echo etc.
There is a script at www.sun.com/blueprints that does the
ndd stuff.

BUT most important, Solaris isn't that bad as it comes,
just make sure you always install the latest security
patches in the Recommended patch-cluster (from sunsolve.com).


HTH
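
The ndd tightening mentioned in the answer above can be checked before and after with a small audit. This is an added example, not part of the original posts and not Sun's BluePrints script: the parameter names are Solaris /dev/ip tunables, while the baseline values chosen and the `sample_ndd` stand-in data are assumptions constructed so the audit runs offline.

```shell
# Written for a POSIX shell (on Solaris 8: /usr/xpg4/bin/sh or ksh, not /bin/sh).
# Baseline (assumed for illustration): "<driver> <parameter> <wanted value>"
BASELINE='/dev/ip ip_respond_to_echo_broadcast 0
/dev/ip ip_forward_directed_broadcasts 0
/dev/ip ip_respond_to_timestamp 0
/dev/ip ip_forward_src_routed 0
/dev/ip ip_ignore_redirect 1'

# Constructed stand-in for "ndd <driver> <parameter>" so the audit runs offline.
# Values are sample data: two parameters already tightened, three not.
sample_ndd() {
    case "$2" in
        ip_respond_to_echo_broadcast) echo 1 ;;
        ip_forward_directed_broadcasts) echo 0 ;;
        ip_respond_to_timestamp) echo 1 ;;
        ip_forward_src_routed) echo 1 ;;
        ip_ignore_redirect) echo 1 ;;
        *) return 1 ;;
    esac
}

# audit_ndd <getter>: print one line per parameter, with the ndd -set fix for
# each mismatch. Returns non-zero if anything deviates from the baseline.
audit_ndd() {
    getter=$1
    rc=0
    while read -r drv param want; do
        [ -n "$drv" ] || continue
        if ! have=$("$getter" "$drv" "$param" 2>/dev/null); then
            echo "UNKNOWN $param (not readable on this host)"
            rc=1
        elif [ "$have" = "$want" ]; then
            echo "OK      $param=$have"
        else
            echo "FAIL    $param=$have want $want: ndd -set $drv $param $want"
            rc=1
        fi
    done <<EOF
$BASELINE
EOF
    return $rc
}

# On a real Solaris host use: audit_ndd ndd
audit_ndd sample_ndd || echo "host deviates from baseline"
```

Values changed with `ndd -set` do not survive a reboot, so any fix the audit prints also has to go into a startup script to stay in effect.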
You've got some pretty good answers already but I'll add my favorites to the list:

- SANS has some VERY good information regarding all aspects of security.  Check their Reading Room out at http://www.sans.org/rr/.

- http://www.securityfocus.com has a ton of tools, docs and other things that may be of help.

All of these places can tell you how to harden your box(es).  You should, after properly hardening them, test your efforts using a Vulnerability Assessment Tool like:

- Nessus - http://nessus.org/
- SARA - http://www-arc.com/sara/

These tools will show you how well you did and then point you towards other remediation steps if needed.  I'd recommend doing these scans before and after.  BE VERY CAREFUL THOUGH!!! Doing these scans on a corporate network may be construed as hacking/cracking and can land you in trouble.  Always make sure you have explicit permission before using them.  You can find lots of other tools like these at securityfocus.com.

--- M
If you wish to avoid much of the reading..
Go here. http://wwws.sun.com/software/security/jass/
Install the packages and run jass-execute -d secure.driver

Done.
Now you will have to test that your applications still work since it will make lots of changes.
You can do many things with JASS.  Even roll back if you don't like what it has done.  ./jass-execute -u
I would suggest reading the documentation and making edits for your environment first.
--russ
Also, a good reference for both what should be done and how to test whether it's been done is the Center for Internet Security Solaris Benchmark. www.cisecurity.org

This is soon to be the U.S. Government standard for measuring Solaris system security and is based in large part on many of the tools/papers referenced above.
rotaris357 (ASKER)

Thanks so much for all suggestions. I'll try to test and test.