Re: System hardening

[Paul Greene <pauljgreene () comcast net>]

www.cisecurity.org also has a good hardening list for Solaris. Their 
guide has a good balance between securing a system and breaking a bunch 
of functionality.

They've also got a scripted test that'll score the level of security 
against their recommended guidelines.

pg

James R. Hendrick wrote:

> Have to jump in here..
>
> Stop-A or EEPROM passwords are important only to guard against people with physical access.
>
> If your system is in a restricted access area, they might not help much.
>
> I would suggest following the advice of "Google for it" and find several references on hardening UNIX in general and Solaris in particular. 
>
> The system needs to be looked at in terms of required services vs. risk. 
>
> Think about what needs to be running on the system:
> - snort and its related programs
> - a way to access the system (local terminal)
> - a way to access the system remotely ?
> - time service (so that the timestamps in the sensor logs actually mean something)
>
> Other than that, you should look at disabling as much as possible. The inetd is a good place to start. The startup 
> scripts are another good place to look.
>
> Learn to check the output from "netstat" to see what network services your computer is providing.
> Look at the output from "ps" to see what programs are running.
>
> Think small. If you don't know what it is, find out. If you don't need it, find out how to disable it.
>
> Please take a bit of time and research this before you start implementing. 
>
> Make backups or be prepared to re-install from media. (not a bad thing to do anyway. You can often get a more secure system by 
> installing a minimal set of packages. You may need to do this a few times to get to the "right" set. For example, you may 
> not need any development tools if you can build software on another compatible system. If a system does not have libraries or 
> compilers, it is less useful for many attackers. If you don't need a graphical environment, even better. X-windows and display 
> managers are often too eager to allow remote connections. If you can do without them for your snort box, great.
>
>
> Good luck.
>
> Jim
>
>
>
>  
>
> > -----Original Message-----
> > From: Slighter, Tim [mailto:tslighter () itc nrcs usda gov]
> > Sent: Wednesday, September 03, 2003 11:18 AM
> > To: 'John Creegan'; snort-users () lists sourceforge net
> > Subject: RE: [Snort-users] System hardening
> >
> >
> > There are many hardening techniques that can be implemented aside from
> > Yassp.  This of course all depends upon one's definition of a 
> > secure system
> > as well as any mandated security requirements or criteria as 
> > specified by a
> > security policy or practice within their organization.  If you are
> > attempting this more along the lines of Ad-hoc, then just run a google
> > search on how to secure a Solaris system.  Primarily the 
> > first items that
> > should be done is to disable the STOP-A capability.  Locate the
> > /etc/default/kbd file and make sure that the KEYBOARD_ABORT is set to
> > disable.  Then set yourself with EEPROM security and password 
> > to prevent
> > unauthorized booting or EEPROM changes to the system.  Do 
> > this as follows
> > from a C shell:
> >
> > setenv security-mode full
> > setenv security-password *******
> >
> > Make sure that you never forget this EEPROM password or you 
> > will have to
> > call SUN to have them come out and replace the EEPROM.
> >
> > My next recommendations would be to eliminate any unnecessary 
> > packages such
> > as TFTP, FTP, etc using "pkgrm" and then onto the services in 
> > /etc/rc2.d and
> > /etc/rc3.d...especially NFS.  Assuming that no remote 
> > connection access will
> > be required to this system, use an empty /etc/inetd.conf file 
> > and chmod 400
> > this file and kill -HUP inetd.  Check your /etc/default/login file and
> > disallow root console login by changing the line 
> > CONSOLE=/dev/console to
> > CONSOLE= whereby only normal users can log onto the system 
> > and either must
> > SU or issue command via SUDO (providing that package has been 
> > installed and
> > configured).  Essentially, your netstat -a should yield no 
> > listening ports.
> > That would be a decent starting point but there a many more 
> > security steps
> > that can be implemented.  
> >
> > -----Original Message-----
> > From: John Creegan [mailto:jcreegan () questarweb com]
> > Sent: Wednesday, September 03, 2003 8:28 AM
> > To: snort-users () lists sourceforge net
> > Subject: [Snort-users] System hardening
> >
> >
> > I've got the basic snort and reporting systems up and running (snort,
> > ACID, MySQL) and I'm ready to turn my attention to 
> > protecting/hardening
> > my system (Solaris 8 on SPARC) before I do any more with snort
> > (barnyard, oinkmaster, etc.)
> >
> > I'm looking at a tool (yassp) for going beyond the system hardening
> > described in the docs.  I can't find any mention of it (so far) in the
> > archives, FAQ or the recommended three books.  Yassp seems a bit old. 
> > It may work well for Solaris 8, but it appears there's been no recent
> > support for it.
> >
> > Does anyone think it's worth hardening a system so much?  I've already
> > got tripwire running but that, to me, is a reactive approach.  I'd
> > rather prevent someone from changing my system files than to know they
> > already did it.
> >
> > I'm aware that unless I proceed carefully I can make the 
> > system useless
> > for its intended purpose, running snort.
> >    




-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users