How to secure a Solaris 10 server

Context: I received my AMD server a few days ago, but since I don't have a PXE-aware JumpStart setup, I decided to do a full install (it's my first Solaris full install, I must confess I'm feeling a bit ashamed, I hope God will forgive me), which comes with a lot of useless packages, services, etc. That's why I decided to take notes about my hardening process.

Security

To stop using the traditional Unix crypt(3) password hash and switch to MD5, edit /etc/security/policy.conf:

# uncomment the following line:
CRYPT_ALGORITHMS_DEPRECATE=__unix__
# and set this one:
CRYPT_DEFAULT=1

Then update your users' passwords and take a look at /etc/shadow; you'll see something like:

asyd:$1$vY6aWgP1$QbLM9FKPRrJPEXyoDYEK70:13193::::::
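As an added example (not from the original post), a small audit script that classifies the hash field of each /etc/shadow entry so accounts still carrying a legacy crypt(3) hash stand out after the policy change; the sample entries are constructed, apart from the asyd line quoted above:

```shell
# Added example, not from the original post: report which /etc/shadow
# entries still use the 13-character legacy crypt(3) hash after
# CRYPT_DEFAULT has been switched to 1 (the $1$ MD5 scheme).

# shadow_hash_type HASH -> nopasswd|locked|md5|sunmd5|blowfish|unix-crypt|unknown
shadow_hash_type() {
    h=$1
    case "$h" in
        ''|NP)      echo nopasswd ;;    # no password set
        '*'*|'!'*)  echo locked ;;      # e.g. *LK*, or a ! prefix
        '$1$'*)     echo md5 ;;         # CRYPT_DEFAULT=1
        '$md5$'*)   echo sunmd5 ;;      # CRYPT_DEFAULT=md5
        '$2a$'*)    echo blowfish ;;    # CRYPT_DEFAULT=2a
        '$'*)       echo unknown ;;
        *)  # traditional crypt(3): exactly 13 chars of [A-Za-z0-9./]
            if printf '%s\n' "$h" | grep -Eq '^[A-Za-z0-9./]{13}$'; then
                echo unix-crypt
            else
                echo unknown
            fi ;;
    esac
}

# audit_shadow FILE -> prints "user hash-type" per entry; returns 1 if any
# account still carries a legacy unix-crypt hash, 0 otherwise.
audit_shadow() {
    legacy=0
    while IFS=: read -r user hash _rest; do
        [ -z "$user" ] && continue
        t=$(shadow_hash_type "$hash")
        printf '%s %s\n' "$user" "$t"
        [ "$t" = unix-crypt ] && legacy=1
    done < "$1"
    return "$legacy"
}

# Constructed sample (not a real shadow file); the asyd line is the one
# shown in the post, olduser carries a 13-char legacy crypt placeholder.
SAMPLE_SHADOW=${TMPDIR:-/tmp}/shadow.sample.$$
trap 'rm -f "$SAMPLE_SHADOW"' EXIT
cat > "$SAMPLE_SHADOW" <<'EOF'
asyd:$1$vY6aWgP1$QbLM9FKPRrJPEXyoDYEK70:13193::::::
olduser:abcdefghijklm:13193::::::
daemon:NP:6445::::::
lp:*LK*:6445::::::
EOF

audit_shadow "$SAMPLE_SHADOW" || echo "legacy crypt hashes still present"
```

Run it as root against the real /etc/shadow; a non-zero exit status means at least one account has not been re-hashed yet.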

Network

Enforce TCP initial sequence number randomization (this ndd setting does not survive a reboot; the persistent equivalent is TCP_STRONG_ISS=2 in /etc/default/inetinit):

# ndd -set /dev/tcp tcp_strong_iss 2

Legacy services

Legacy services are not managed by SMF, so their start scripts have to be removed from the rc directories by hand:

# cd /etc/rc3.d
# rm -f S*
# cd /etc/rc2.d
# rm -f S90wbem S90webconsole

SMF Profile

Warning:

This profile disables autofs, so if you relied on autofs for your home directories, move /export/home to /home before applying it.

This profile is a modified copy of /var/svc/profile/generic_limited_net.xml.

Download or copy/paste the SMF profile attached below as restricted.xml, then apply it:

# svccfg apply restricted.xml
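Before applying a hand-edited profile it is worth listing what it leaves enabled and catching typos in the enabled= attribute. The following checker is an added example (not from the post) that parses the plain <service>/<instance> structure of an SMF profile with awk; the short profile it runs on is constructed, with one deliberate typo:

```shell
# Added example, not from the original post: review an SMF profile before
# "svccfg apply": list every <instance> with its enabled= state and flag
# values that are neither true nor false.

# profile_instances FILE -> one line per <instance>: "service:instance state",
# where a malformed state is reported as INVALID:<value>.
profile_instances() {
    awk -v q="'" '
        /<service [^>]*name=/ {
            svc = $0; sub(".*name=" q, "", svc); sub(q ".*", "", svc)
        }
        /<instance / {
            inst = $0; sub(".*name=" q, "", inst); sub(q ".*", "", inst)
            st = $0; sub(".*enabled=" q, "", st); sub(q ".*", "", st)
            if (st != "true" && st != "false") st = "INVALID:" st
            printf "%s:%s %s\n", svc, inst, st
        }' "$1"
}

# enabled_services FILE -> only the instances the profile leaves enabled,
# i.e. what will still be running after the profile is applied.
enabled_services() {
    profile_instances "$1" | awk '$2 == "true" { print $1 }'
}

# profile_check FILE -> prints any malformed instances and returns 1;
# returns 0 when every enabled= value is true or false.
profile_check() {
    ! profile_instances "$1" | grep ' INVALID:'
}

# Constructed sample profile (not the post's restricted.xml); the rquota
# entry carries a deliberate 'flase' typo.
SAMPLE_PROFILE=${TMPDIR:-/tmp}/profile.sample.$$
trap 'rm -f "$SAMPLE_PROFILE"' EXIT
cat > "$SAMPLE_PROFILE" <<'EOF'
<service_bundle type='profile' name='sample'>
  <service name='network/ssh' version='1' type='service'>
    <instance name='default' enabled='true'/>
  </service>
  <service name='network/telnet' version='1' type='service'>
    <instance name='default' enabled='false'/>
  </service>
  <service name='network/nfs/rquota' version='1' type='service'>
    <instance name='default' enabled='flase'/>
  </service>
</service_bundle>
EOF
profile_check "$SAMPLE_PROFILE" || echo "fix the profile before svccfg apply"
```

Point enabled_services at restricted.xml to see the list of services that stay on; it should match what you expect to see listening afterwards.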

Result

Starting Nmap 3.95 ( http://www.insecure.org/nmap/ ) at 2006-02-14 11:23 CET
Interesting ports on 192.168.3.202:
(The 1668 ports scanned but not shown below are in state: closed)
PORT   STATE SERVICE
22/tcp open  ssh

Nmap finished: 1 IP address (1 host up) scanned in 44.786 seconds

Attachment: restricted.xml

<?xml version='1.0'?>
<!DOCTYPE service_bundle SYSTEM '/usr/share/lib/xml/dtd/service_bundle.dtd.1'>
<!--
    Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
    Use is subject to license terms.
 
    ident       "@(#)generic_limited_net.xml    1.2     04/11/22 SMI"
 
    The purpose of the limited_net profile is to provide a set of active
    services that allow one to connect to the machine via ssh (requires
    sshd,) to be authenticated (requires rpc,) and to access network
    filesystems (requires nfs.)  The services which are deactivated here
    are those that are at odds with this goal.  Those which are activated
    are explicit requirements for the goal's satisfaction.
 
    NOTE:  Service profiles delivered by this package are not editable,
    and their contents will be overwritten by package or patch
    operations, including operating system upgrade.  Make customizations
    in a distinct file.  The path, /var/svc/profile/site.xml, is a
    distinguished location for a site-specific service profile, treated
    otherwise equivalently to this file.
-->
<service_bundle type='profile' name='generic_limited_net'
         xmlns:xi='http://www.w3.org/2003/XInclude' >
  <!--
      Include name service profile, as set by system id tools.
  -->
  <xi:include href='file:/var/svc/profile/name_service.xml' />
 
  <!--
      svc.startd(1M) services
  -->
  <service name='system/coreadm' version='1' type='service'>
    <instance name='default' enabled='true'/>
  </service>
  <service name='system/cron' version='1' type='service'>
    <instance name='default' enabled='true'/>
  </service>
  <service name='system/cryptosvc' version='1' type='service'>
    <instance name='default' enabled='true'/>
  </service>
  <service name='system/identity' version='1' type='service'>
    <instance name='domain' enabled='true'/>
  </service>
  <service name='system/keymap' version='1' type='service'>
    <instance name='default' enabled='true'/>
  </service>
  <service name='system/picl' version='1' type='service'>
    <instance name='default' enabled='true'/>
  </service>
  <service name='system/sac' version='1' type='service'>
    <instance name='default' enabled='true'/>
  </service>
  <service name='system/system-log' version='1' type='service'>
    <instance name='default' enabled='true'/>
  </service>
  <service name='system/utmp' version='1' type='service'>
    <instance name='default' enabled='true'/>
  </service>
  <service name='system/zones' version='1' type='service'>
    <instance name='default' enabled='true'/>
  </service>
  <service name='network/rpc/bind' version='1' type='service'>
    <instance name='default' enabled='false'/>
  </service>
  <service name='system/name-service-cache' version='1' type='service'>
    <instance name='default' enabled='true'/>
  </service>
  <service name='network/nfs/status' version='1' type='service'>
    <instance name='default' enabled='false'/>
  </service>
  <service name='network/nfs/nlockmgr' version='1' type='service'>
    <instance name='default' enabled='false'/>
  </service>
  <service name='network/nfs/client' version='1' type='service'>
    <instance name='default' enabled='false'/>
  </service>
  <service name='network/nfs/server' version='1' type='service'>
    <instance name='default' enabled='false'/>
  </service>
  <service name='network/nfs/rquota' version='1' type='service'>
    <instance name='default' enabled='false'/>
  </service>
  <service name='network/ssh' version='1' type='service'>
    <instance name='default' enabled='true'/>
  </service>
  <service name='network/smtp' version='1' type='service'>
    <instance name='sendmail' enabled='false'/>
  </service>
  <service name='network/inetd' version='1' type='restarter'>
    <instance name='default' enabled='true'/>
  </service>
  <service name='system/filesystem/autofs' version='1' type='service'>
    <instance name='default' enabled='false'/>
  </service>
  <service name='system/power' version='1' type='service'>
    <instance name='default' enabled='true'/>
  </service>
  <service name='application/print/cleanup' version='1' type='service'>
    <instance name='default' enabled='true' />
  </service>
  <service name='network/pfil' version='1' type='service'>
    <instance name='default' enabled='true' />
  </service>
 
  <!--
      non-default svc.startd(1M) services disabled
  -->
  <service name='network/dhcp-server' version='1' type='service'>
    <instance name='default' enabled='false' />
  </service>
  <service name='network/ntp' version='1' type='service'>
    <instance name='default' enabled='false' />
  </service>
  <service name='network/rarp' version='1' type='service'>
    <instance name='default' enabled='false' />
  </service>
  <service name='network/slp' version='1' type='service'>
    <instance name='default' enabled='false' />
  </service>
  <service name='network/security/kadmin' version='1' type='service'>
    <instance name='default' enabled='false' />
  </service>
  <service name='network/security/krb5_prop' version='1' type='service'>
    <instance name='default' enabled='false' />
  </service>
  <service name='network/security/krb5kdc' version='1' type='service'>
    <instance name='default' enabled='false' />
  </service>
 
  <!--
        default inetd(1M) services disabled
  -->
  <service name='network/finger' version='1' type='service'>
    <instance name='default' enabled='false'/>
  </service>
  <service name='network/ftp' version='1' type='service'>
    <instance name='default' enabled='false'/>
  </service>
  <service name='network/login' version='1' type='service'>
    <instance name='rlogin' enabled='false'/>
    <!--
        non-default inetd(1M) instances disabled
    -->
    <instance name='klogin' enabled='false'/>
    <instance name='eklogin' enabled='false'/>
  </service>
  <service name='network/shell' version='1' type='service'>
    <instance name='default' enabled='false'/>
    <!--
        non-default inetd(1M) instance disabled
    -->
    <instance name='kshell' enabled='false'/>
  </service>
  <service name='network/telnet' version='1' type='service'>
    <instance name='default' enabled='false'/>
  </service>
 
  <!--
        non-default inetd(1M) services disabled
  -->
  <service name='network/tname' version='1' type='service'>
    <instance name='default' enabled='false'/>
  </service>
  <service name='network/uucp' version='1' type='service'>
    <instance name='default' enabled='false'/>
  </service>
  <service name='network/chargen' version='1' type='service'>
    <instance name='stream' enabled='false'/>
    <instance name='dgram' enabled='false'/>
  </service>
  <service name='network/daytime' version='1' type='service'>
    <instance name='stream' enabled='false'/>
    <instance name='dgram' enabled='false'/>
  </service>
  <service name='network/discard' version='1' type='service'>
    <instance name='stream' enabled='false'/>
    <instance name='dgram' enabled='false'/>
  </service>
  <service name='network/echo' version='1' type='service'>
    <instance name='stream' enabled='false'/>
    <instance name='dgram' enabled='false'/>
  </service>
  <service name='network/time' version='1' type='service'>
    <instance name='stream' enabled='false'/>
    <instance name='dgram' enabled='false'/>
  </service>
  <service name='network/comsat' version='1' type='service'>
    <instance name='default' enabled='false'/>
  </service>
  <service name='network/rexec' version='1' type='service'>
    <instance name='default' enabled='false'/>
  </service>
  <service name='network/talk' version='1' type='service'>
    <instance name='default' enabled='false'/>
  </service>
 
  <!--
        default inetd(1M) RPC services enabled
  -->
  <service name='network/rpc/gss' version='1' type='service'>
    <instance name='default' enabled='true'/>
  </service>
  <service name='network/rpc/mdcomm' version='1' type='service'>
    <instance name='default' enabled='true'/>
  </service>
  <service name='network/rpc/meta' version='1' type='service'>
    <instance name='default' enabled='true'/>
  </service>
  <service name='network/rpc/metamed' version='1' type='service'>
    <instance name='default' enabled='true'/>
  </service>
  <service name='network/rpc/metamh' version='1' type='service'>
    <instance name='default' enabled='true'/>
  </service>
  <service name='network/rpc/smserver' version='1' type='service'>
    <instance name='default' enabled='true'/>
  </service>
  <service name='network/security/ktkt_warn' version='1' type='service'>
    <instance name='default' enabled='true'/>
  </service>
 
  <!--
        default inetd(1M) RPC services disabled
  -->
  <service name='network/rpc/rstat' version='1' type='service'>
    <instance name='default' enabled='false'/>
  </service>
  <service name='network/rpc/rusers' version='1' type='service'>
    <instance name='default' enabled='false'/>
  </service>
 
  <!--
        non-default inetd(1M) RPC services disabled
  -->
  <service name='network/rpc/ocfserv' version='1' type='service'>
    <instance name='default' enabled='false'/>
  </service>
  <service name='network/rpc/rex' version='1' type='service'>
    <instance name='default' enabled='false'/>
  </service>
  <service name='network/rpc/spray' version='1' type='service'>
    <instance name='default' enabled='false'/>
  </service>
  <service name='network/rpc/wall' version='1' type='service'>
    <instance name='default' enabled='false'/>
  </service>
 
  <service name='application/x11/xfs' version='1' type='service'>
    <instance name='default' enabled='false'/>
  </service>
</service_bundle>