Firewall Wizards mailing list archives

Re: Solaris Configuration List (the improv version)


From: "Bayard G. Bell" <bbell01 () emory edu>
Date: Sun, 16 Jan 2000 06:20:24 -0500

Here's my offering:

1) Wipe out everything that's there.  Install the machine fresh on
freshly formatted disks.

2) If you are going to use the open-source version of Tripwire, pick it
up and gcc.  Compile it with the static link option.  In the next step
you're going to wipe out everything that would allow you to do this
later.  If you're using the commercial version of the Tripwire binaries,
this can come between steps 10 and 11.  Most of the Tripwire install is
going to move to read-only media later so make appropriate allowances in
anticipation of this.

3) Remove all packages that are not absolutely required.  This means all
compilers and programming/development tools, CDE/OpenWindows (does the
package name start with SUNWdt or SUNWol?) and localization files (e.g.
starts with SUNWeu) and anything else windowing-related (XIL/XGL/OpenGL
support), AnswerBooks and the AnswerBook server (starts with SUNWab),
Solstice components of any stripe,
WebNFS/NFS/lp/uucp/FTP/X11/sendmail/volume management binaries and
support configuration packages (e.g. X11 font packages beginning with
SUNWi and then a number) of any sort, non-standard shells, and
Java/ToolTalk/KCMS stuff just in case you forgot to include them under
the rubric of development stuff.  Look at pkginfo to see what's out
there that might need to go.  You know the philosophy: If it didn't come
with Solaris, isn't a package that you understand and are comfortable
with, or isn't a version of ssh that you have checked against the
BUGTRAQ archives, it should go.

4) Go through /etc/inetd.conf and kill everything except perhaps
s/telnet or ssh, which you should add to the system.

5) Pick up a copy of TCP wrappers and wrap s/telnet and ssh.

6) At the very least, check out what run control scripts init will run
between bringing your system up through the levels to hit #3.  Delete
anything you won't be using at all from /etc/init.d and kill all the
symlinks from the /etc/rc?.d directories just so no one can slip
something nasty into scripts that you don't think you are using.

7) Remove entries in /etc/passwd and /etc/shadow that support disabled
services.  Set the shell to something like "/bin/noshell" for anything
left that doesn't have a shell defined.  Make sure that entries like
nobody and noaccess that don't support login access have NP for their
password in /etc/shadow.

8) Leave CONSOLE undefined in /etc/default/login (i.e. leave it
uncommented without providing a value for it).  Create an account for
yourself so you have a way of logging in initially without using the root
account.  Also set SYSLOG=YES and PASSWORD=YES in /etc/default/login.
Make sure that SULOG is defined appropriately in /etc/default/su.

9) Settle on a logging strategy and procedure.  At the very least you
should set up syslog to send logs off to a well-secured system (a
dedicated OpenBSD machine running nothing but syslog and OpenSSH will do
nicely) or set up a drop box such as a printer or other device that can
write out data through a local port such that it can't be retrieved.  A
dedicated 486/25 running Linux or OpenBSD without a network interface
would do the trick quite nicely.

10) Run ASET with security level "high" (remember there's no going back
on that) or, better yet, pick up Titan from http://www.fish.com.
Remember that most of these tools make it damned near impossible for
anybody but root to do much of anything, but that's exactly what you
want.

11) Do a Tripwire run on your system, focusing particularly on the /usr,
/sbin, and /bin filesystems which should be getting close to their final
state.  Do a run on /etc as well so you can note what files are changed
in the next few steps.  Look at the process list and see what you have
running.  Take notes on this.

12) Install your firewall software.  Do NOT configure it yet.

13) Do another Tripwire run to pick up the diffs on your system
post-install.  Have another look at the process list.

14) Configure the firewall software.

15) Do another Tripwire run to pick up the diffs from your configuration
changes.  Have another look at the process list.

16) Do whatever you've got to do for network testing to validate your
configuration.  Fine tune and do a complete Tripwire run.  Have a final
look at the process list.

17) Burn the tripwire binaries and your base configuration database onto
a CD-ROM as a system reference.  Tripwire lives here from now on.  Set
up a regular Tripwire run in cron.

18) Put the firewall into production.

19) Take notes on the diffs throughout the configuration process, taking
care to make a record of which files you would expect to change and what
processes you expect to see running at any given point in time.  Do what
you can to verify these notes in combination with regular Tripwire runs
during the first thirty to ninety days in production.

20) Let me know if I've forgotten anything (and I'll claim that this was
only because it was 6:00 AM when I wrote this).

-Bayard

Brad Van Orden wrote:

Hello All,

Does anyone know of a checklist for preparing a solaris computer to be a
firewall? Thanks!

Regards,

Brad Van Orden
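The checklist above as a runnable rehearsal, added here and not part of Bayard's post: a POSIX shell script that applies steps 4, 6, 7 and 8, and the baseline-then-diff loop of steps 11 through 19, to a constructed miniature /etc built in a temporary directory, so it runs offline on any Unix without touching the real system. Everything in it is an assumption for illustration: the file layout, the sample inetd.conf and shadow contents, cksum standing in for Tripwire, and the tools it relies on (awk, sed, diff, cksum, find, sort, mktemp). The fixture spells the password-required option PASSREQ, which is how Solaris's /etc/default/login names it.

```shell
#!/bin/sh
# Added example, not from the original post: rehearses checklist steps 4, 6, 7, 8
# and 11-19 against a throwaway copy of the files they touch. Point the functions
# at a real /etc only after reading them. Assumed tools: awk, sed, diff, cksum,
# find, sort, mktemp (all common; none of this is Solaris-specific).
set -u

# Step 4: comment out every inetd.conf service whose name is not in the keep list
# (space-separated, e.g. "ssh"). Comment and blank lines pass through untouched.
harden_inetd_conf() {
    awk -v keep="$2" '
        BEGIN { n = split(keep, k, " "); for (i = 1; i <= n; i++) keepmap[k[i]] = 1 }
        /^[[:space:]]*#/ || NF == 0 { print; next }
        ($1 in keepmap) { print; next }
        { print "#" $0 }
    ' "$1" > "$1.new" && mv "$1.new" "$1"
}

# Number of inetd.conf lines still active (neither commented out nor blank).
active_inetd_services() {
    awk '!/^[[:space:]]*#/ && NF > 0 { n++ } END { print n + 0 }' "$1"
}

# Step 6: remove every S##name / K##name symlink under rc?.d for a script you have
# decided not to run, so nothing can revive it through a link you forgot about.
unlink_rc_script() {
    for link in "$1"/rc?.d/[SK][0-9][0-9]"$2"; do
        if [ -L "$link" ]; then rm "$link"; fi
    done
}

# Step 7: of the listed non-login accounts, print those whose shadow password field
# is anything other than NP (an empty field means login with no password at all).
accounts_without_np() {
    awk -F: -v want="$2" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) wantmap[w[i]] = 1 }
        ($1 in wantmap) && $2 != "NP" { print $1 }
    ' "$1"
}

# Step 8: set KEY=VALUE in an /etc/default-style file, uncommenting the line if it
# was commented out or appending it if absent. An empty value yields a bare "KEY="
# line, which for CONSOLE means root may not log in directly from any device.
set_login_default() {
    if grep -q "^#*$2=" "$1"; then
        sed "s|^#*$2=.*|$2=$3|" "$1" > "$1.new"
    else
        { cat "$1"; printf '%s=%s\n' "$2" "$3"; } > "$1.new"
    fi
    mv "$1.new" "$1"
}

# Value currently assigned to KEY (empty if unset or commented out).
get_login_default() { sed -n "s/^$2=//p" "$1"; }

# Steps 11-19: a cksum-based stand-in for a Tripwire baseline. Emits "crc size path"
# for every regular file under the directory, sorted so two snapshots diff cleanly.
snapshot_tree() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | while read -r f; do cksum "$f"; done )
}

# Paths added, removed or changed between two snapshot files.
snapshot_diff() {
    diff "$1" "$2" | sed -n 's/^[<>] [0-9][0-9]* [0-9][0-9]* //p' | LC_ALL=C sort -u
}

# Constructed fixture: a miniature /etc holding only the files the steps above touch.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/init.d" "$d/rc1.d" "$d/rc2.d"
    cat > "$d/inetd.conf" <<'EOF'
# constructed sample inetd.conf
ftp     stream  tcp  nowait  root    /usr/sbin/in.ftpd     in.ftpd
telnet  stream  tcp  nowait  root    /usr/sbin/in.telnetd  in.telnetd
finger  stream  tcp  nowait  nobody  /usr/sbin/in.fingerd  in.fingerd
ssh     stream  tcp  nowait  root    /usr/local/sbin/sshd  sshd -i
EOF
    cat > "$d/shadow" <<'EOF'
root:Q1w2e3r4t5y6u:10950::::::
daemon:NP:6445::::::
nobody:NP:6445::::::
noaccess::6445::::::
nobody4:NP:6445::::::
EOF
    printf '#CONSOLE=/dev/console\nPASSREQ=YES\n#SYSLOG=YES\n' > "$d/login"
    printf '#!/bin/sh\n' > "$d/init.d/sendmail"
    ln -s ../init.d/sendmail "$d/rc2.d/S88sendmail"
    ln -s ../init.d/sendmail "$d/rc1.d/K57sendmail"
    echo "$d"
}

# Walk the fixture through the steps, snapshotting before and after the way the
# checklist interleaves configuration changes with Tripwire runs.
demo() {
    d=$(make_fixture)
    snapshot_tree "$d" > "$d.base"
    harden_inetd_conf "$d/inetd.conf" "ssh"
    unlink_rc_script "$d" sendmail
    set_login_default "$d/login" CONSOLE ""
    set_login_default "$d/login" SYSLOG YES
    echo "active inetd services: $(active_inetd_services "$d/inetd.conf")"
    echo "accounts still needing NP: $(accounts_without_np "$d/shadow" "nobody noaccess nobody4")"
    snapshot_tree "$d" > "$d.after"
    echo "files changed since baseline:"; snapshot_diff "$d.base" "$d.after"
    rm -rf "$d" "$d.base" "$d.after"
}
demo
```

Run as-is to see the report on the fixture. Against a real system, pass the real paths (/etc/inetd.conf, /etc/shadow, /etc/default/login, /etc as the rc?.d parent) and keep the baseline snapshot on read-only media as the post recommends: a baseline stored on the same writable disk is exactly the file an intruder would adjust after replacing a binary.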


