fixsolaris.txt
Version 1.1
Copyright (c) 1998-1999 Christopher A. Petro.

This document may be distributed freely so long as it is distributed in its
entirety, unmodified. Non-commercial use of portions of it and the ideas
contained in it is allowed so long as credit is given. If you wish to
republish the content of this document commercially, please contact the
author at petro@gibraltar.ncsc.mil.


ABSTRACT
--------

The following document is a summary of what I do when I get my hands on a
new Solaris box. It works well for me. It may not work well for you. You may
hate me forever if you try and don't like it; I won't care. If you have some
suggestions of things to add, or constructive criticism, please email them to
me at petro@gibraltar.ncsc.mil. If you don't like this at all and think
Solaris is just fine the way it comes... Well, just make sure your firewall
doesn't let anything through.

This covers Solaris 2.6. I haven't started using Solaris 7 and won't until
the applications I use, such as Oracle, are certified on 7. At that point,
I'll do this to a Solaris 7 box and update this document.

I really don't like Solaris x86. Most of this will apply to x86 as well, but
I couldn't tell you exactly where it differs.

This document no longer really applies to Solaris 2.5.1. You can use the
ideas in it to do your own evaluation of 2.5.1, but much of it cannot be used
verbatim on that version. For example, /proc is lame on 2.5.1, and ps needs
to be run as root. When I move to Solaris 7, the new version will probably
not apply to 2.6. It's just not worth complicating the document to cover
terribly old versions. You should upgrade anyway, since there are holes that
Sun has never fixed on older versions (i.e., the admintool symlinks problem).


INTRODUCTION
------------

I know that a lot of people disagree with me, but I feel that Solaris is a
Good Thing. It has a really good kernel, and scales very well. It has
excellent support from third-party software vendors. I also love Sun
hardware, and Solaris is currently the only thing I've seen do Sun hardware
justice.

Nonetheless, Solaris comes out of the box quite broken. There are brain-dead
permissions on files. Several of the basic UNIX utilities are broken (most of
those have been broken since at least 2.3). Every version, Sun manages to
introduce some mind-numbingly stupid bugs into a few key applications that
give anyone on your system access to root permissions.

Because of my love-hate relationship with Solaris, I started fixing it. For a
while, I was just keeping track in my head of what to do. Eventually, the
number of things I was trying to remember became too much for my mediocre
mind, and I decided I needed to document the process. I figured as long as I
was doing that, I might as well make it presentable and release it so that
other people could enjoy Solaris as Sun should have released it :^) Thus was
fixsolaris.txt v0.5 born.

After receiving many, many complaints from the 5 or 6 people I showed it to,
I decided to fix it up. First I just added URLs as requested, but eventually,
after Shawn Holwegner complained about the grammar in a few of the sentences,
I rewrote the whole thing. Thus was fixsolaris.txt v1.0, the document you are
reading now, born.

This new and improved version includes URLs for all software mentioned in it.
It features improved grammar, and is composed largely of complete sentences.
The commentary is wittier, the metaphors more colorful, and the apostrophes
far more lively.

This document is still not ready for a complete novice to follow along with,
and probably never will be. If you're a complete novice, you should go buy
some good books and graduate to the level of 'mostly competent admin' before
you try and modify the OS like this. It's quite possible to lock yourself out
of your system if you don't know what you're doing.

If you find any typos or errors, PLEASE email me. I had /etc/nsswitch.conf
written as /etc/nisswitch.conf and no one pointed it out to me. Don't assume
someone else already let me know.


INSTALLATION
------------

The following are the basic rules I use for choosing installation options. I
haven't tested this in every possible combination. Please let me know if
there are any dependencies not listed properly here.

Core System Support
  + Archive Libraries
  + SunOS Header Files
  + Audio (if openwindows is desired)
  + CDE (if cde support is desired)
  + Documentation tools
  + DPS motif library (if openwindows is desired)
  + Font Server Cluster (if openwindows is desired)
  + Graphics Headers
  + Install Software
  + Interprocess Communications
  + Line Printer Support (if solaris lpd is needed)
  + Motif RunTime Kit (if openwindows is desired)
  + Motif UIL Compiler (if openwindows is desired)
  + On-Line Manual pages
  + OpenWindows (if openwindows is desired)
  + Openwin Keymap Table
  + Programming Tools
  + Programming Tools and Libraries
  - SPARCompilers Binary Compatibility Libraries
  + Solaris Documentation Server Lookup (if openwindows is desired)
  + Solstice Enterprise Agents (if SNMP support is desired)
  + Source compatibility support
  - SunSoft Print - Source compatibility (unless solaris lpd is needed)
  + SPARCompilers Bundled libc
  + Static Utilities
  + SunSoft WorkShop Bundled libC
  + System Accounting
  + System and Network Admin
  + Terminal Information
  + ToolTalk End User and Programmer (if openwindows is desired)
  + VIS/XIL Support (if openwindows is desired)
  + Volume Management
  + X11 fonts (if openwindows is desired)
  + XIL Runtime (if openwindows is desired)
  + XGL (if XGL is desired)

And, of course...

  + any needed frame buffer/platform/network/drive array drivers


BASIC TASKS
-----------

The following addition was sent in by reader Daniel Kadosh. I can't speak for
the accuracy of it, but it sounds like sage advice to me :^)

  "If you think you're ever going to install SUN's Autoclient, your server
  MUST start as a completely unpatched system. After the fresh install or
  upgrade (upgrade process removes patches) of Solaris, BEFORE installing
  ANY patches, install the Autoclient software. Then, install the current
  patches to Autoclient. Only then can you begin installing other Solaris
  patches."

Before you delve into any major surgery on the system, you should go ahead
and set up the basic stuff.

First of all, install the latest recommended patch set from Sun. If you have
Sunsolve access (you really should purchase support if not), check the
patches not in the recommended set and install any that are important to you
or fix security problems with programs you plan to use. Get the patches at
http://sunsolve.sun.com. Click on the "Patch Access" button.

Edit /etc/default/login and /etc/default/su. The first controls several
things that happen during login, and the second when you su. Make sure the
CONSOLE= line in /etc/default/login is uncommented if you want to prevent
root logins from remote terminals. You should probably fix the paths in these
files. These paths are assigned before any .profile or .login files are
executed. Note that there is a different path for the superuser in each case.
The superuser path, and probably the path for normal users, should not
include the current directory (.), to avoid accidental execution of trojan
scripts.

If you installed without NIS and you want to use DNS, edit /etc/nsswitch.conf
and change the hosts line to read:

    hosts:      files dns

If you want to use DNS, edit /etc/resolv.conf and insert something like the
following:

    nameserver 1.2.3.4
    nameserver 1.2.3.5
    domain mydomain.com

Put the IP address of your default router in /etc/defaultrouter. You can add
it manually during your first boot with a command like the following:

    route add default 192.168.1.1 1

This isn't really a security or fix issue, but a lot of people seem unsure of
where to put it.

Edit /etc/syslog.conf. The default Solaris syslog configuration is, well, not
optimal.
For one thing, AUTH messages don't get logged to any files. This is important
if you want to know when people are trying to break into your system.
Following is what I'm currently using. Note that, according to the man page,
"A configuration entry with a level value of notice must appear on a separate
line." You may want to forward important messages to a remote loghost, in
case they are lost in a system crash or when the machine is compromised.

    kern.notice                                     /dev/console
    kern.notice;daemon.notice                       /var/log/messages
    auth.none;kern.err;daemon.err;mail.crit;*.alert /var/log/messages
    auth.info                                       /var/log/authlog
    auth.notice                                     /var/log/authlog
    *.alert                                         root,petro
    *.emerg                                         *

Edit /etc/hosts and add any hosts whose names always need to be resolvable.
The last thing you need when your dns service goes down is for other critical
services to go down at the same time.

Change TCP_STRONG_ISS in /etc/default/inetinit if you want stronger TCP
sequence number generation.

Edit /etc/default/cron. CRONLOG controls whether all cron actions are logged.
It's on by default, which may generate more logs than you want. You can also
specify PATH and SUPATH for cron jobs in this file. Be careful, especially
with SUPATH.

If you want to share things via NFS, put the share commands in
/etc/dfs/dfstab. Be sure to set sane permissions on the shares. See below for
more cautionary advice about using NFS. If you are using NFS, you may want to
add the following line to /etc/system as well:

    set nfssrv:nfs_portmon = 1

This will provide some added protection since it will require NFS clients to
connect from privileged ports. If all of your authorized clients are UNIX
boxen or otherwise implement privileged ports and they are reasonably secure,
this will help stop people from making unauthorized connections to the NFS
server.

Put your message of the day in /etc/motd, if you want one.

Don't bother editing /etc/named.boot if this is going to run a dns server.
The version of named that comes with Solaris is horribly insecure and
shouldn't be used unless you need some of its NIS integration. Newer versions
of bind use named.conf instead.

Edit the default profile in /etc/profile. This will be run by the Bourne and
Korn shells before a user's local .profile. Make sure you set LD_LIBRARY_PATH
to point to all of your library locations to simplify development.

If users will be working on the console of this system, /etc/logindevperm
controls the changing of ownership and permissions on local devices during
the login process.

Edit /etc/shells to include any shells you will have on the system.
Otherwise, users having a shell such as /bin/tcsh will be unable to use ftp
and perhaps other services.

Edit /etc/ftpusers to block access to the system by certain users. One good
one to put in there might be root. Why remote root logins are disabled by
default but root ftp sessions are allowed by default is beyond me.

Solaris does not come with a windex database by default. Don't even try and
ask me why. If you ask Sun and they answer, please pass their reply on to me.
Run the following to build the windex database:

    catman -w

This will allow you to use man -k and such to do keyword searches on man
pages.

An optional but often good step to take is to move root's home directory. By
default, all of root's files go in /, which is just ugly, and can pose some
risk. If you change

    root:x:0:1:Super-User:/:/bin/sh

to

    root:x:0:1:Super-User:/root:/bin/sh

and create /root with 700 permissions, you'll have a lot fewer files and
directories pile up in your / directory and perhaps keep people from poking
around root's files.


BASIC TOOLS
-----------

Now that you have a fully configured base Solaris installation, you need to
get some software installed on it. A computer without software is hardly very
useful. There is certainly very little useful software included with Solaris.

Most software is going to be distributed in GNU zip (.gz, .tgz) format.
Solaris 2.6 only includes the vastly inferior standard UNIX compress utility,
so we'll need to get a copy of gzip. Take a trip over to
http://www.sunfreeware.com and pick one up. Use pkgadd to install it.

NOTE: If you aren't sure how to install packages, read the man page or the
documentation on www.sunfreeware.com. The basic procedure is:

    1) gzip -d package.gz
    2) pkgadd -d package

The gzip package is not, of course, gzipped, so you only need to perform the
second step.

NOTE: While you're on www.sunfreeware.com, I'd recommend getting the local
versions of programs. SVR4 seems to enjoy having optional software installed
in /opt. However, everyone else puts it in /usr/local, and some software
expects it to be there. It is also far easier to put /usr/local/{bin,lib} in
your PATH and LD_LIBRARY_PATH than to put 20 different /opt/*/{bin,lib} paths
in them. However, other than breaking software that expects stuff in
/usr/local (one could argue that it's already broken), there is no real
problem with using the opt versions of software.

Now that you have gzip, you can install a C compiler. Get the gcc package off
of http://www.sunfreeware.com. Check for notes on the page about which
version of gcc to install. There have been problems with various versions,
and it is better to have an older, more stable version than to have the
latest C++ widgets and have none of your software compile. If the newest
version of gcc on sunfreeware is not the latest available and you know that
the latest version is better, download the source code from the FSF site at
ftp://prep.ai.mit.edu/pub/gnu. Follow the INSTALL directions to compile it.

Now that we have a working compiler, we can replace some of the broken
software that comes with Solaris. Either download the source code for these
programs and libraries from ftp://prep.ai.mit.edu/pub/gnu, or install them as
packages from www.sunfreeware.com.

    gdbm
    glibc
    libg++
    libstdc++
    ncurses
    patch
    tar
    termcap

The following are not on the FSF site, but should also be installed to
replace the broken versions included with Solaris. You should be able to find
them at the site listed. Many of them are also on www.sunfreeware.com.

    db (http://abyssinian.sleepycat.com/db/)

The following will give you better versions of the few programs that Solaris
comes with that occasionally work. These are highly recommended. They're also
all on the FSF ftp site, and most of them are probably on
www.sunfreeware.com.

    binutils
    bison
    fileutils
    findutils
    flex
    gawk
    grep
    less
    make
    sed

You may also want to install some of the following. They are also all on the
FSF ftp site or www.sunfreeware.com. These are recommended but not necessary.

    bash   (if you have to use the bourne shell, use it in style)
    emacs  (vi is great for editing config files. it sucks for writing C code)
    groff  (print man pages in lovely postscript)
    ispell (chek for speeling erors)
    lynx   (browse the web from a terminal session in an emergency, or all
            the time if you hate yourself)
    mc     (like Norton Commander, but for UNIX -- very, very handy)
    perl   (probably the world's worst language, and probably the most useful)

You should definitely install some of the following as well. They're not on
the FSF site but you should be able to find them at the site listed. Many of
them are also on www.sunfreeware.com. Some of them may have security risks
associated with them, so be sure you understand what the risks may be before
installation.

    top (this will let you view the processes using the most resources)
        ftp://ftp.funet.fi/pub/unix/tools/top/
    traceroute (yes, I'm serious. Solaris 2.6 doesn't include traceroute.)
        ftp://ftp.funet.fi/pub/unix/networking/traceroute-1.2.tar.Z
    gated (if you do dynamic routing, get this. Solaris only supports RIP v1.)
        http://www.gated.org
    tcp wrappers (if you want to limit access to tcp-based services)
        ftp://ftp.porcupine.org/pub/security/tcp_wrappers_7.6.tar.gz
    ipfilter (this will allow you to protect services like RPC and NFS with
        ACL's if you absolutely have to leave them enabled)
        http://coombs.anu.edu.au/~avalon/ip-filter.html
    apache (the world's most popular web server, with good reason)
        http://www.apache.org
    samba (allows UNIX machines to act as Windows file, print, and domain
        servers)
        http://samba.anu.edu.au
    ssh (secure shell. secure, encrypted rlogin replacement. a must have.)
        http://www.ssh.fi/sshprotocols2/, ftp://ftp.cs.hut.fi/pub/ssh
    wuftpd (good replacement ftpd for UNIX)
        http://www.academ.com/academ/wu-ftpd
    ytalk (if you or your users want talk, this is a very feature-filled
        version of it)
        ftp://ftp.funet.fi/pub/unix/networking/ytalk-3.0.3-8bit.tar.gz


LOCKDOWN
--------

Congratulations. You've now got a useful, working Solaris box. Now it's time
to clean it up. There are many evil things lurking on your box. Try doing a
ps -ef and see how many of the processes you can identify, and how many of
them you think you really need. There are almost certainly several that you
don't need.

Edit /etc/inetd.conf. You can comment out just about everything in this file.
The following are the services you may want to leave enabled. The general
rule is to remove anything you don't need. You can always re-enable it later.

    telnet (ssh would be better)
    ftp (be sure to install wuftpd or something else safe)
    finger (you should probably install sfingerd instead of normal finger)
    talk (you should probably install ytalk instead)
    login/shell/exec (these are dangerous, but you might need them)
    tftp (used by routers and such. be careful configuring this one)
    kerbd (if you are using kerberos authentication)
    rpc.ttdbserverd [RPC] (if you're running openwindows and/or CDE)
    rpc.cmsd [RPC] (if you're running the CDE calendar program)
    xaudio (if you're running sun X11 audio stuff on the console)

You may also need to install some other services such as IMAP4, POP3, and
ident. Be sure that you get current versions that are free of known security
vulnerabilities. Both POP3 and IMAP4 have been the source of many security
holes.

If you are using some RPC software (nfs, nis, or anything marked [RPC]
above), you will need to leave the RPC startup script enabled later on.

Depending on what services you are running, you may wish to replace inetd
with xinetd. It provides much better access control and logging. You can find
xinetd at http://synack.net/xinetd/.

Install ssh-1.x. Get it at ftp://ftp.cs.hut.fi/pub/ssh. ssh-2.x has more
strict licensing, and a lot of people are still nervous about some of the new
code. Note that if you use ssh for commercial purposes, you owe someone some
money. Read the docs to figure out if this applies to you.

Install the latest academic WU-FTPD. WU-FTPD is a popular and sane
replacement for ftpd. It has been known to have some security problems, so
keep up with the latest patches. You can get it at
http://www.academ.com/academ/wu-ftpd. The installation of WU-FTPD isn't
exactly trivial, as it requires your chroot()'d directory to have several
devices and libraries that a sane person wouldn't want. You can probably
simplify the installation of WU-FTPD a little by using the statically-linked
ls found at http://www.eng.auburn.edu/~doug/second.html.

When someone is attempting to break into a system, they will often scan the
machine to see what services are available on it. Klaxon and Tocsin can be
used to detect these port scans, and are both available from
http://www.eng.auburn.edu/~doug/second.html.
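Once inetd.conf has been trimmed and some ports handed to klaxon, it helps to have a check that shows what is still actually enabled. The script below is an added example, not part of fixsolaris.txt: it lists the active inetd.conf entries, compares them with an allowlist, and reports klaxon trap entries separately so they are not mistaken for real services; the inetd.conf and allowlist it reads are constructed samples.

```shell
#!/bin/sh
# inetd_audit.sh -- added example, not part of fixsolaris.txt.
# Lists the entries still active in an inetd.conf and sorts them into three
# buckets: ALLOWED (on your allowlist), TRAP (handed to klaxon, so a probe
# detector rather than a service) and REVIEW (enabled but not on the list).

enabled_services() {
    # $1 = inetd.conf. Prints "service program" for every uncommented entry;
    # field 6 is the server program, or "internal" for inetd's built-ins.
    awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    NF >= 6 { print $1, $6 }' "$1"
}

audit_inetd() {
    # $1 = inetd.conf, $2 = allowlist (one service name per line)
    enabled_services "$1" | while read -r svc prog; do
        case "$prog" in
            */klaxon|*/klaxid)
                echo "TRAP    $svc ($prog)" ;;
            *)
                if grep -qx -- "$svc" "$2"; then
                    echo "ALLOWED $svc ($prog)"
                else
                    echo "REVIEW  $svc ($prog)"
                fi ;;
        esac
    done
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample inetd.conf: two kept services, one commented out,
# two built-ins, one RPC entry and one port already handed to klaxon.
cat > "$WORK/inetd.conf" <<'EOF'
# Sample only -- not a real Solaris file.
ftp     stream  tcp  nowait  root    /usr/local/sbin/in.ftpd  in.ftpd -l
telnet  stream  tcp  nowait  root    /usr/sbin/in.telnetd     in.telnetd
#shell  stream  tcp  nowait  root    /usr/sbin/in.rshd        in.rshd
finger  stream  tcp  nowait  nobody  /usr/sbin/in.fingerd     in.fingerd
echo    stream  tcp  nowait  root    internal
chargen stream  tcp  nowait  root    internal
100232/10  tli  rpc/udp  wait  root  /usr/sbin/sadmind        sadmind
tftp    dgram   udp  wait    root    /usr/local/bin/klaxid    klaxon tftp
EOF
printf 'ftp\ntelnet\n' > "$WORK/allow"

audit_inetd "$WORK/inetd.conf" "$WORK/allow"
```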
Install klaxon and add it to /etc/inetd.conf on some typical services and
some rarely used ones to catch portscans and attacks. For example:

    shell   stream tcp nowait root /usr/local/bin/klaxid klaxon shell
    login   stream tcp nowait root /usr/local/bin/klaxid klaxon login
    exec    stream tcp nowait root /usr/local/bin/klaxid klaxon exec
    supdup  stream tcp nowait root /usr/local/bin/klaxon klaxon supdup
    tcpmux  stream tcp nowait root /usr/local/bin/klaxon klaxon tcpmux
    tftp    dgram  udp wait   root /usr/local/bin/klaxid klaxon tftp
    echo    stream tcp nowait root /usr/local/bin/klaxon klaxon echo
    discard stream tcp nowait root /usr/local/bin/klaxon klaxon discard
    chargen stream tcp nowait root /usr/local/bin/klaxon klaxon chargen

Install tocsin and create a script to start it at runtime. Hook it up to some
ports that should only show up on a portscan attempt. Example:

    /usr/local/bin/tocsin tcpmux echo discard chargen supdup x400

[NOTE: the lists of scripts in the following section have been removed for
now. I'll probably put updated ones in soon. Check out all the scripts
yourself to see what they do and remove what you don't need.]

We can now start eliminating some of the software that is started by Solaris
at boot time. On Solaris 2.6, I only left the following startup scripts:

    [*** out-of-date list removed. may be replaced soon. ***]

Most of these remaining scripts simply do initialization and do not start any
services. In many cases, you do not need a lot of them and you could remove
or at least edit large portions out of them to speed your boot time. Most
SPARC systems have little need to initialize PCMCIA :)

The scripts I did rename include:

    [*** out-of-date list removed. may be replaced soon. ***]

Some of these really don't hurt, but minimalism is the way to go. I don't
need any of these, so I took them out. If you are doing RPC and NFS, you will
need to leave some of these enabled. You really ought to look into getting a
replacement portmapper and rpcbind. You can get these at
ftp://ftp.porcupine.org/pub/security. At the very least, make sure that all
the current patches are installed and there are no unfixed security holes.
You should also limit access to RPC and NFS using ipfilter.

If you need network printing, you'll probably be better off with another lp
system. There are several available. A port of the BSD lpd system to Solaris
is available at http://www.eng.auburn.edu/~doug/second.html. If you want to
use the Solaris one, be sure there are no known holes in it. Whatever lp
system you use, you should also limit access to it to local systems via
wrappers or ipfilter.

Install a sane mail server. If you really, really must use sendmail, install
the latest one. Solaris 2.6 still comes with 8.6. I would recommend using
something besides sendmail, however. If you don't need to use standard unix
mailspool format, you can install qmail (www.qmail.org). exim (www.exim.org)
provides similar functionality, decent security, acceptable performance, and
can still use normal unix mailspools. Postfix is finally finished! It looks
to be good, though I haven't gotten it on my systems yet. As soon as I do, it
will probably become my recommended mailer. You can find it at
www.postfix.com.

If you need to get mail remotely, install a POP3 and/or IMAP4 server. The
University of Washington system works well. You can get it from
ftp://ftp.cac.washington.edu/mail. If you use this one, be sure to keep up
with new versions, as it has been known to have some very serious security
problems. There are a few other options, such as qpopper
(ftp://ftp.qualcomm.com/eudora/servers/unix/popper) and cucipop
(ftp://ftp.fdt.net/pub/unix/packages/cucipop) that I have not had extensive
experience with.

One of the more bloated, broken things included with Solaris is Openwindows,
Sun's version of the X11 Windowing System. It includes some nice extra
functionality, such as CDE and display postscript, but it is incredibly slow
and consumes large amounts of RAM. Most versions of it have heinous memory
leaks. Because of this, you may want to install real X11 instead of
Openwindows. It has a much smaller footprint, is much less buggy, and is a
lot faster. You might be able to get CDE to work with it, but I've never
tried, because CDE sucks anyway. I'd suggest using one of the following
window managers instead:

    twm
        Very minimal. If you're on an 8bpp or black and white system, this
        works great. It's very configurable, though you just can't make it
        look fancy. You either love it or hate it. TWM is included with any
        correct X distribution.

    windowmaker
        Nice NeXT-like interface. Very configurable. Looks great on a 24bpp
        framebuffer. You'll have to do some work to keep it from eating all
        your colors on an 8bpp.
        http://www.windowmaker.org

There are also plenty of others that give you everything from full
configurability through a lisp interpreter to the exact look of windows '95
or macos. These are just my personal favorites. Don't email me to complain
that I left out your favorite. This is MY document, and I'll pimp MY favorite
software :^). You can find a list of X window managers at
http://www.plig.org/xwinman.

If users will have shell access, go through and remove or disable all of the
buggy and insecure software we've replaced. Even if a program poses no
security risk, it can be frustrating to users if they run /usr/bin/patch and
it crashes on them because it leaks like a screen door on a submarine. Link
/usr/bin/patch to /usr/local/bin/patch and make everyone happy.

There are a lot of apps that are setuid root that don't need to be. Some of
them just aren't used on a typical system and are yet another place for
people to find security holes. Others are things like ufsdump that should
only be run by root in the first place. Some of them, like ps(1), don't even
NEED to be run as root and still work just fine. You should use find(1) to
get a list of all setuid and setgid programs on your machine and do some
sanity checking. The following are things that I changed on my system. Your
users may need to use some of these, in which case you will have to leave
them setuid and just pay attention to bugtraq. You might want to be more
paranoid and remove even more than I did.

To get a list of setuid software, run the following:

    find / -perm -4000 -print

and for setgid:

    find / -perm -2000 -print

----- removed setuid -----

    /usr/openwin/lib/mkcookie (see NOTE below)
    /usr/openwin/bin/ff.core
    /usr/dt/bin/dtaction (see NOTE below)
    /usr/bin/at (enable at* if your users need it)
    /usr/bin/atq
    /usr/bin/atrm
    /usr/bin/crontab (enable if your users need it)
    /usr/bin/login (not needed in most cases)
    /usr/bin/newgrp (most users don't need this. enable it if you do)
    /usr/bin/ps (ps does NOT need to be setuid. /proc/*/psinfo is o+r)
    /usr/bin/rcp (r* services are evil. consider totally disabling them)
    /usr/bin/rlogin
    /usr/bin/rsh
    /usr/bin/uptime (does NOT need to be setuid)
    /usr/bin/w (does NOT need to be setuid)
    /usr/bin/admintool (known to have holes, and not really needed)
    /usr/bin/chkey
    /usr/bin/cancel (enable lp*, cancel if you need solaris lp)
    /usr/bin/lp
    /usr/bin/lpset
    /usr/bin/lpstat
    /usr/sbin/ffbconfig (*config may be needed if you have console users)
    /usr/sbin/m64config
    /usr/sbin/lpmove
    /usr/sbin/pmconfig
    /usr/sbin/static/rcp
    /usr/ucb/ps
    /etc/lp/alerts/printer

----- removed setgid -----

    /usr/openwin/bin/ff.core
    /usr/openwin/bin/mailtool (known to have problems, get a real MUA)
    /usr/platform/sun4m/sbin/eeprom (do normal users REALLY need this?)
    /usr/dt/bin/dtaction (see NOTE below)
    /usr/bin/netstat (most users don't use this)
    /usr/bin/ipcs (ditto)
    /usr/sbin/arp (ditto)
    /usr/sbin/fusage (ditto)
    /usr/sbin/prtconf (ditto)
    /usr/sbin/swap (ditto)
    /usr/sbin/sysdef (ditto)
    /usr/sbin/dmesg (ditto)

NOTES: I need to see if dtaction and mkcookie need the bits on to work. Also,
netstat, ipcs, arp, fusage, prtconf, swap, sysdef and dmesg will now only
work for root. This shouldn't be a problem, since most of these are only
needed for admin work anyway. Write and wall were left setgid because I'm not
aware of any security issues, and they are sometimes useful. Mail and mailx
may be disabled after replacing them with a new mailer.

You will also want to make sure that any interesting devices (such as your
tape drive) do not have stupid permissions. You really don't need an intruder
overwriting your backup tapes with a copy of /dev/zero. Use find to look for
anything odd in /dev.

There are also plenty of directories with stupid permissions. You'll probably
want to remove the 0002 (world-writable) bit on most of these. Once again,
use find to get a list that's accurate for your system. Below are some of the
ones I fixed on my 2.6 box. I'm particularly nervous about the directories in
/var, because I don't want a user filling up the log space before launching
an attack. One thing you really ought to do is put /var/mail on a separate
file system to avoid this problem, since there is no way to not give users
write access to /var/mail. (Note that this actually _isn't_ a problem if you
install a maildir or similar MTA like qmail that can store the user's mail in
their home directory where it belongs).

To find a list of world-writable directories, use the following command:

    find / -type d -perm -2

These are the ones I removed the world-writable bit from:

    /var/preserve (this will upset some users. consider linking to /usr maybe)
    /var/spool/pkg
    /var/spool/uucppublic
    /vol/rmt
    /vol/dsk
    /vol/rdsk

Note that rmt, dsk and rdsk may break something (perhaps file system mounting
for normal users, a dubious activity at best). Like most things, their use
isn't documented anywhere obvious, and I haven't had a chance to look into it
in more detail.

You should also enable the sticky bit on any temporary directories to avoid
possible exploits taking advantage of race conditions. This is on by default
on most of these directories on Solaris 2.6.

If you want to allow others to do some management of the system, I'd
recommend installing sudo or osh to avoid giving out full root privileges. It
is very hard to limit what people can do, however, so be careful, and never
give privileged access to anyone you don't trust completely. You may also
want to install some goodies like a fake su program to catch anyone who's
trying to cause trouble.

If you need to provide any potentially dangerous services like NFS or telnet,
you should install ipfilter and tcp wrappers and configure them to only allow
access from trusted machines.

NOTE: It has come to my attention that ipfilter causes Solaris/SPARC machines
to crash after a month or so. This is not a good thing, unless you reboot
machines regularly as part of a maintenance program. However, I am not aware
of any other option to provide host-based packet filtering, so it is a risk
you may be willing to take.

NOTE: I have been told that the ipf package with the VERSION string of
3.2,REV=9 on ARCH sparc,i386 does not cause any crashes. If you have
knowledge of a very stable version for SPARC architectures, please let me
know.

If you're extra paranoid, you should enable some of Solaris' reasonably
extensive auditing features. The man pages (audit_control, audit_startup,
auditconfig, audit_user, bsmconv) are quite good, and there is no real reason
to discuss the process here.
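The setuid, setgid and world-writable checks described above are easiest to keep up with if they are scripted and compared against a baseline taken right after the cleanup. The script below is an added example, not part of fixsolaris.txt: it combines the three find(1) commands from this section and diffs the result against a saved baseline; the tree, file names and baseline path it is run on are assumptions for the demonstration.

```shell
#!/bin/sh
# privaudit.sh -- added example, not part of fixsolaris.txt.
# Does the three find(1) checks from this section in one pass (setuid files,
# setgid files, world-writable directories without the sticky bit) and diffs
# the result against a saved baseline, so that a binary which grows a setuid
# bit later, or a directory that becomes world-writable, stands out.

list_privileged() {
    # $1 = root of the tree to scan. One "kind path" line each, sorted in the
    # C locale so that the output can be compared with comm(1).
    {
        find "$1" -type f -perm -4000 -print 2>/dev/null | sed 's/^/setuid /'
        find "$1" -type f -perm -2000 -print 2>/dev/null | sed 's/^/setgid /'
        find "$1" -type d -perm -2 ! -perm -1000 -print 2>/dev/null \
            | sed 's/^/worldwrite-nosticky /'
    } | LC_ALL=C sort
}

save_baseline() {
    # $1 = tree, $2 = baseline file. Keep the baseline somewhere an intruder
    # on this machine cannot rewrite it (removable media, another host).
    list_privileged "$1" > "$2"
}

check_against_baseline() {
    # $1 = tree, $2 = baseline. Prints "+ kind path" for entries that appeared
    # since the baseline and "- kind path" for entries that vanished.
    # Returns 0 when nothing changed, 1 otherwise.
    now=$(mktemp)
    list_privileged "$1" > "$now"
    added=$(LC_ALL=C comm -13 "$2" "$now")
    removed=$(LC_ALL=C comm -23 "$2" "$now")
    rm -f "$now"
    [ -n "$added" ]   && printf '%s\n' "$added"   | sed 's/^/+ /'
    [ -n "$removed" ] && printf '%s\n' "$removed" | sed 's/^/- /'
    [ -z "$added$removed" ]
}

# Usage: privaudit.sh list TREE | save TREE BASELINE | check TREE BASELINE
# (assumed invocation; with no arguments the script only defines the functions)
case "${1:-}" in
    list)  list_privileged "$2" ;;
    save)  save_baseline "$2" "$3" ;;
    check) check_against_baseline "$2" "$3" ;;
esac
```

Run "save" once after the cleanup and "check" from cron; a non-zero exit from "check" means something privileged appeared or disappeared.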
Another tool I haven't mentioned in any detail yet is aset. I plan to include
some information on it in the near future.

At this point, your Solaris box should be as secure as a PC running a free
implementation of UNIX. :^) Maybe even a little more. Always be sure to
follow mailing lists like bugtraq to keep up with new developments. And do a
little legwork yourself. I'm sure to have missed some important stuff.


CREDITS
-------

This document has grown and been improved thanks to contributions,
suggestions, nagging and criticism from the following people:

    Kolb Norbert / http://jester.htl.de / nkolb@htl.de
    Michael Wilkinson / michael@cache.net
    Super-User / root@hkhosting.com (don't ask, that's where it came from :P)
    Michael Douglass / mikedoug@staff.texas.net

If you wish to be removed from this list, if your contact info is incorrect,
or if you feel you have been left out, please contact me.


WILD ENTHUSIASTIC REVIEWS
-------------------------

In case you're wondering if anyone actually reads this thing, as I was for a
long time, I have received some praise along with all the suggestion email.
Keep it coming! :^)

    "It's a quite good article. Nearly every admin has one of those files, I
    guess, but this is the first I saw published."

    "Thanks so much for putting fixsolaris.txt on the Web. I have some sys
    admin experience, but none with Solaris. This information was most
    helpful."

    "...it is valuable even to experienced admins."