Solaris Hardening Checklist

Solaris Security Hardening Checklist

  1. Was OS loaded from an official Solaris CD?
  2. Are partitions large enough to accommodate patches and upgrades?
  3. Was Tripwire used to baseline the system before connecting it to a network?
  4. Is the system at the current patch level?
  5. Are there 2 system back ups? One on site, one off site?
  6. Is OpenBoot Security level set to command or full?
  7. Has OpenBoot banner been changed?
  8. Has screen autolock been turned on?
  9. Does the system implement Filesystem Quotas?
  10. Does the system have a complex permissions scheme? If so, have ACLs been implemented?
  11. What files/directories have SetUID bit turned on?
  12. Are any files with SetUID bit turned on shell scripts?
  13. Is there a group password that must be used with the newgrp command?
  14. Is root umask set to 077 or 027?
  15. Check system device permissions
  16. Use ASET, COPS, Tiger, Tripwire, and lsof to audit the filesystem.
  17. Make sure no files in /etc are group or other writeable
  18. Make sure /var/adm/utmp and /var/adm/utmpx are 644
  19. Has ls command been aliased to show hidden files?
  20. Has rm command been aliased to ask for verification?
  21. Have filesystem inode numbers been randomized?
  22. Have daemon, lp, bin, sys, adm, uucp, nuucp, listen, nobody, and noaccess accounts been locked?
  23. Have sysadmin and sys groups been locked?
  24. Do any PATH or LD_LIBRARY_PATH statements contain “.”?
  25. Are permissions on /etc/passwd -rw-r--r--?
  26. Are permissions on /etc/shadow -r--------?
  27. Check /etc/default/passwd to ensure password aging and length.
  28. Use grpck to check consistency of /etc/group
  29. Are permissions on /etc/group -rw-r--r--?
  30. Can root log in from console only?
  31. Is su available only to admins?
  32. Are all su attempts logged?
  33. Is system name part of shell prompt for root and other admins?
  34. Has /etc/system been configured to prevent stack-based buffer overflows?
  35. Check /etc/default/cron and crontab files.
  36. Ensure that proper /etc/cron.d/cron.allow and cron.deny files are set up.
  37. Check /var/spool/cron/atjobs file.
  38. Ensure that proper /etc/cron.d/at.allow and at.deny files are set up.
  39. Make sure that scripts and programs launched by cron are readable only by owner.
  40. Are failed login attempts logged to loginlog?
  41. Is ip_forwarding turned off if machine is not used as a router?
  42. Has logcheck auditing tool been installed and used?
  43. Is the system configured to ignore redirects?
  44. If system is not used as a router, is ip_forward_directed_broadcasts turned off?
  45. Is ip_forward_src_routed turned off?
  46. Is root the only user with execute privileges for snoop?
  47. Has auth (identd) been disabled at the firewall by blocking TCP and UDP port 113?
  48. Is sendmail daemon running on a system that is not a mail server?
  49. Has /etc/mail/ been configured to prevent message source routing?
  50. Does only the print service have write access to the print device?
  51. Are only needed services running?
  52. Has inetd tracing been turned on?
  53. Has TCP Wrappers been implemented?
  54. Make sure there is not a /etc/hosts.equiv file unless absolutely necessary.
  55. Has Secure Shell (ssh) been installed?
  56. Has anonymous ftp been turned off?
  57. Has ftpd logging been turned on for logging and debugging?
  58. Have root, uucp, and bin been added to the /etc/ftpusers file to prohibit ftp connections?
  59. Has tftp been turned off?
  60. Is a GUI installed only on necessary systems?
  61. Is there any type of Intrusion Detection System installed?
  62. Has Diffie-Hellman or Kerberos Authentication been configured?
  63. Has IPsec been implemented?
  64. If DNS is used, has a Split-Horizon DNS architecture been implemented?
  65. If DNS is used, has BIND version been configured to stop illicit zone transfers?
  66. Is the latest version of BIND being used?
  67. If NIS is used, have NIS maps been moved out of /etc directory?
  68. If NIS is used, does root user have the only read and write access to /var/yp directory?
  69. Is NIS domain name different from DNS domain name?
  70. If NIS is used, has /var/yp/securenets been implemented to make NIS maps available only to specific networks or systems?
  71. Are NIS clients bound to specific servers?
  72. Use the rpcinfo -b option to detect illicit NIS servers.
  73. If NIS or NIS+ is used, does nsswitch.conf specify “passwd: hosts nis” or “passwd: hosts nisplus” to keep root account local?
  74. If NIS+ is used, ensure that there are no rights for “nobody” using niscat command.
  75. If NIS+ is used, does “nobody” have access rights?
  76. If NIS+ is used, is security level set to at least 2?
  77. If NIS+ is used, is it administered with admintool?
  78. Are all NIS+ tables backed up daily?
  79. Are NIS+ transactions flushed daily?
  80. Has nscd caching been disabled?
  81. If NFS is used, have systems that can mount an NFS directory been restricted with the share command in /etc/dfs/dfstab?
  82. Are permanent NFS client mounts set up in /etc/vfstab?
  83. Has NFS Portmon been set in /etc/system?
  84. Are any servers NFS clients?
  85. Have indirect automounter maps been set up?
  86. Is automounter browsing disabled on NFS clients?
  87. Have all services been commented out of /etc/inetd.conf?
  88. Are permissions on sulog and loginlog set to 640?
  89. Has /etc/issue file been created to display warning banner for telnet logins?
  90. Has /etc/default/login been set so that root cannot telnet into the system directly?
  91. Has /etc/default/telnetd been configured to remove the OS banner?
  92. Has /etc/default/ftpd been configured with a warning banner?
  93. Has the wheel group been created and su command in both /usr/bin/su and /sbin/su.static limited to it?
  94. Have permissions on .rhosts, .netrc, and /etc/hosts.equiv been set to 0?
  95. Have TCP initial sequences been randomized by setting TCP_STRONG_ISS=2 in /etc/default/inetinit?
  96. Has ulimit been set to 0 in the system profile to restrict core file generation?
  97. Are there any unnecessary world writeable files?
  98. Do all users have a password set in /etc/shadow?
  99. Does each user have his/her own account and not a shared account?
  100. Does each user have a unique UID?
  101. Has CD-ROM drive been removed from servers after initial installation?
  102. Is SetUID disabled on local and remote disk partition mounts?
  103. Are there any guest or default accounts on the system?
  104. Have all inactive user accounts been removed?
  105. Do only authorized users have write access to any bin or lib directories?
  106. Check for all . directories and ensure their validity.
  107. Have ICMP type 17 packets (MASKREQ) been blocked at the router or firewall?
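As an added example that is not part of the original checklist, the POSIX sh functions below audit a staged copy of a system for several of the items above: SetUID shell scripts (items 15-16), group- or other-writable files under /etc (item 17), "." or empty components in PATH-style variables (item 24), expected mode strings on files such as /etc/passwd (items 25, 26, 29), duplicate UIDs (item 100) and empty password fields in a shadow file (item 98). The function names and the staged directory layout are my own assumptions; point them at a real root to use them on a live host.

```shell
#!/bin/sh
# Constructed audit helpers for selected checklist items. Each function takes an
# explicit directory or file argument so it can be run against a staged tree.

# Items 15/16: list SetUID files, then keep only those that are shell scripts
# (first two bytes are "#!"). Output is sorted so results are deterministic.
setuid_scripts() {  # $1 = directory to scan
  find "$1" -type f -perm -4000 2>/dev/null | while read -r f; do
    [ "$(dd if="$f" bs=2 count=1 2>/dev/null)" = "#!" ] && echo "$f"
  done | sort
}

# Item 17: regular files under an etc directory that are group- or other-writable.
writable_in_etc() {  # $1 = path to the etc directory
  find "$1" -type f \( -perm -0020 -o -perm -0002 \) 2>/dev/null | sort
}

# Item 24: does a colon-separated PATH or LD_LIBRARY_PATH value contain "."
# or an empty component (which also means the current directory)? Prints 1 or 0.
path_has_dot() {  # $1 = the variable's value
  printf '%s\n' "$1" |
    awk -F: '{ for (i = 1; i <= NF; i++) if ($i == "" || $i == ".") f = 1 }
             END { print f + 0 }'
}

# Items 25/26/29: compare a file's ls-style mode string with the expected one.
# cut -c1-10 drops trailing ACL/SELinux markers such as "+" or ".". Prints 1 or 0.
mode_matches() {  # $1 = file, $2 = expected mode string such as -rw-r--r--
  if [ "$(ls -ld "$1" | cut -c1-10)" = "$2" ]; then echo 1; else echo 0; fi
}

# Item 100: UIDs that are shared by more than one account in a passwd file.
duplicate_uids() {  # $1 = passwd-format file
  awk -F: '{ n[$3]++ } END { for (u in n) if (n[u] > 1) print u }' "$1" | sort -n
}

# Item 98: accounts whose shadow entry has an empty password field.
empty_passwords() {  # $1 = shadow-format file
  awk -F: '$2 == "" { print $1 }' "$1" | sort
}
```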