This page has been created in an attempt to develop, refine and promote security hardening recommended practices for OpenSolaris. This page is structured after the headings used in the Center for Internet Security Solaris 10 Benchmark. The actions described on this page were adapted to OpenSolaris based upon the CIS material (originally developed for Solaris 10). The settings noted below are intended to closely mimic the CIS Solaris 10 Benchmark (as applied to OpenSolaris) so that CIS-compliant hardened OpenSolaris configurations can be developed. Unless otherwise stated, the settings are appropriate for OpenSolaris 2008.11 and newer versions. Any considerations, issues or differences are covered in the "Additional Information" sections below. Feedback, as always, is appreciated.
Legend
The following values are permitted for the Action Taken section of each item:
- DEFAULT - This recommendation corresponds to an OpenSolaris default setting, so no action was required.
- YES - This recommendation differs from the OpenSolaris default setting, so the corresponding action was taken to adjust the OpenSolaris configuration.
- NO - This recommendation does not apply to the OpenSolaris configuration, so no action was taken.
Security Hardening Recommendations
Install Patches and Additional Software
| # | Description | Action Taken | Additional Information |
|---|---|---|---|
| 1.1 | Apply Latest OS Patches | NO | Amazon EC2: For OpenSolaris images (AMIs) made available on Amazon EC2, updates to the operating system are restricted by design as there is no way to determine if patches may require changes to the ramdisk and kernel (which are managed separately on EC2). Current versions of OpenSolaris AMIs should be used to mitigate this issue. This issue is specific to Amazon EC2 implementations. All Others: All other versions can and should be updated using standard OpenSolaris methods. |
| 1.2 | Install Solaris Encryption Kit | DEFAULT | The Solaris Encryption Kit is integrated by default (since Solaris 10 08/07) so no further action was required. |
Restrict Services
| # | Description | Implemented | Additional Information |
|---|---|---|---|
| 2.1 | Establish a Secure Baseline | DEFAULT | Secure by Default is the default setting for OpenSolaris. No additional steps were required. |
| 2.2.1 | Disable Local CDE ToolTalk Database Server | DEFAULT | Software was not installed by default. |
| 2.2.2 | Disable Local CDE Calendar Manager | DEFAULT | Software was not installed by default. |
| 2.2.3 | Disable Local Common Desktop Environment | DEFAULT | Software was not installed by default. |
| 2.2.4 | Disable Local Sendmail Service | NO | sendmail was configured for queue processing services only. It was not configured to accept incoming mail requests originating from off of the system. |
| 2.2.5 | Disable Local Web Console | DEFAULT | Software was not installed by default. |
| 2.2.6 | Disable Local WBEM | DEFAULT | Software was not installed by default. |
| 2.2.7 | Disable Local BSD Print Protocol Adaptor | DEFAULT | Service was disabled by Item 2.1. |
| 2.3.1 | Disable RPC Encryption Key | DEFAULT | Service was disabled by default. |
| 2.3.2 | Disable NIS Server Daemons | DEFAULT | Service was not installed by default. |
| 2.3.3 | Disable NIS Client Daemons | DEFAULT | Service was disabled by default. |
| 2.3.4 | Disable NIS+ Daemons | DEFAULT | Service was disabled by default. |
| 2.3.5 | Disable LDAP Cache Manager | DEFAULT | Service was disabled by default. |
| 2.3.6 | Disable Kerberos TGT Expiration Warning | YES | Service was enabled by default. It has been disabled, but it can be re-enabled if needed. If re-enabled, the service is configured to use a loopback transport provider (no external network port is exposed) and will run with limited privileges. |
| 2.3.7 | Disable Generic Security Services (GSS) Daemons | YES | Service was enabled by default. It has been disabled, but it can be re-enabled if needed. If re-enabled, the service is configured to use a loopback transport provider (no external network port is exposed) and will run with limited privileges. |
| 2.3.8 | Disable Volume Manager | YES | Service was enabled by default. It has been disabled, but it can be re-enabled if needed. Note that OpenSolaris uses the FMRI rmvolmgr in place of volfs. |
| 2.3.9 | Disable Samba Support | DEFAULT | Software was not installed by default. |
| 2.3.10 | Disable Automount Daemon | YES | Service was enabled by default. It has been disabled, but it can be re-enabled if needed. If re-enabled, this service does not expose a network port. |
| 2.3.11 | Disable Apache Services | DEFAULT | Service was not installed by default. |
| 2.3.12 | Disable Solaris Volume Manager Services | YES | Service (metainit) was enabled by default. It has been disabled, but it can be re-enabled if needed. If re-enabled, this service does not expose a network port. In addition to metainit, the metasync service was also disabled. |
| 2.3.13 | Disable Solaris Volume Manager GUI | DEFAULT | Service was disabled by default. |
| 2.3.14 | Disable Local RPC Port Mapping Service | YES | Service was enabled by default. Since no RPC services were left running as part of the hardening process, this service was also disabled. If re-enabled, the service is configured to accept communication originating only from the local system. This service runs with limited privileges. |
| 2.4.1 | Enable Kerberos Server Daemons | DEFAULT | Service was disabled by default. Note that the krb5_prop service was not installed by default. |
| 2.4.2 | Enable NFS Server Processes | DEFAULT | Service was disabled by default. |
| 2.4.3 | Enable NFS Client Processes | DEFAULT | Service was disabled by default. |
| 2.4.4 | Enable telnet Access | DEFAULT | Service was disabled by default. |
| 2.4.5 | Enable FTP Access | DEFAULT | Service was disabled by default. |
| 2.4.6 | Enable Boot Services | DEFAULT | Software was not installed by default. |
| 2.4.7 | Enable Reverse Address Resolution Protocol (RARP) | DEFAULT | Software was not installed by default. |
| 2.4.8 | Enable DHCP Server Support | DEFAULT | Software was not installed by default. |
| 2.4.9 | Enable Domain Name System (DNS) Server Support | DEFAULT | Service was disabled by default. |
| 2.4.10 | Enable Trivial File Transfer Protocol (TFTP) Services | DEFAULT | Software was not installed by default. |
| 2.4.11 | Enable Printer Daemons | DEFAULT | Service was disabled by default. Note that the print/cleanup service was not installed by default. |
| 2.4.12 | Enable Simple Network Management Protocol (SNMP) | DEFAULT | Software was not installed by default. |
| 2.5 | Configure TCP Wrappers | NO | For a generic installation, where the specific filtering requirements are not known, this recommendation does not make much sense. Individual users can enable this functionality if needed, or use other mitigating controls such as IP Filter. |
Beyond those services noted above, the following services were disabled as part of the OpenSolaris Security Hardening process. If any of these services are required, they can be re-enabled using standard OpenSolaris methods:
| Services | Rationale |
|---|---|
| svc:/application/desktop-cache/desktop-mime-cache:default | Desktop services are not needed for server configurations. |
| svc:/application/pkg/update:default | Amazon EC2: Image updates are not permitted for OpenSolaris AMIs. All Others: This service can be re-enabled if needed. |
| svc:/application/print/ppd-cache-update:default | Printing services are often not needed for server configurations. |
| svc:/network/dns/multicast:default | mDNS services are often not needed for server configurations. |
| svc:/network/inetd:default | Since no inetd services were left running as part of this hardening process, this service was disabled. |
| svc:/system/avahi-bridge-dsd:default | Message bus services are likely not needed for server configurations. |
| svc:/system/hal:default | Hardware abstraction layer services are often not needed for server configurations. |
| svc:/system/power:default | Power management services are often not needed for server configurations. |
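The following script is an added example, not part of the original page, for checking a running system against the services listed above: it parses `svcs -a` output and reports every baseline service that is not in the disabled state (or is absent altogether). Two FMRIs not spelled out on the page, svc:/system/filesystem/autofs:default for item 2.3.10 and svc:/network/rpc/bind:default for item 2.3.14, are the standard OpenSolaris service names; the SAMPLE listing is constructed.

```python
"""Audit SMF service state against this page's hardening baseline."""
import sys

# Services the page disables: the list following the section 2 table, plus
# the FMRIs for items 2.3.10 (automount) and 2.3.14 (RPC port mapper).
BASELINE_DISABLED = (
    "svc:/application/desktop-cache/desktop-mime-cache:default",
    "svc:/application/pkg/update:default",
    "svc:/application/print/ppd-cache-update:default",
    "svc:/network/dns/multicast:default",
    "svc:/network/inetd:default",
    "svc:/system/avahi-bridge-dsd:default",
    "svc:/system/hal:default",
    "svc:/system/power:default",
    "svc:/system/filesystem/autofs:default",
    "svc:/network/rpc/bind:default",
)

def parse_svcs(output):
    """Map FMRI -> state from `svcs -a` text (STATE STIME FMRI per line)."""
    states = {}
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] == "STATE":  # skip header/blank lines
            continue
        states[fields[-1]] = fields[0]
    return states

def audit(output, baseline=BASELINE_DISABLED):
    """Return (drift, missing): drift maps FMRI -> state for baseline services
    that are not disabled; missing lists baseline FMRIs absent from output."""
    states = parse_svcs(output)
    drift = {f: states[f] for f in baseline
             if f in states and states[f] != "disabled"}
    missing = [f for f in baseline if f not in states]
    return drift, missing

# Constructed sample in the layout svcs -a prints (not real system output).
SAMPLE = """STATE          STIME    FMRI
disabled       10:01:02 svc:/network/inetd:default
online         10:01:05 svc:/system/hal:default
maintenance    10:01:07 svc:/network/rpc/bind:default
disabled       10:01:09 svc:/system/power:default
"""

if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    drift, missing = audit(text)
    print("drift (baseline service not disabled):", drift)
    print("missing (baseline service not present):", missing)
```

On OpenSolaris feed it live data with `svcs -a | python audit_smf.py`; run interactively without input it audits the constructed sample instead.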
Kernel Tuning
| # | Description | Implemented | Additional Information |
|---|---|---|---|
| 3.1 | Restrict Core Dumps to Protected Directory | YES | |
| 3.2 | Enable Stack Protection | SEE NOTE | Amazon EC2: For OpenSolaris 2008.11, this change was not implemented as a new boot image would first need to be created. For OpenSolaris 2009.06, this change is implemented. All Others: This setting is in effect for all other implementations. |
| 3.3 | Enable Strong TCP Sequence Number Generation | YES | |
| 3.4 | Modify Network Parameters | YES | |
| 3.5 | Disable Network Routing | DEFAULT | |
Logging
| # | Description | Implemented | Additional Information |
|---|---|---|---|
| 4.1 | Enable inetd Connection Logging | YES | This step is only meaningful if inetd is re-enabled. |
| 4.2 | Enable FTP Daemon Logging | YES | This step is only meaningful if FTP is re-enabled. |
| 4.3 | Enable Debug Level Daemon Logging | YES | |
| 4.4 | Capture SYSLOG AUTH Messages | YES | |
| 4.5 | Enable Login Records | YES | |
| 4.6 | Capture All Failed Login Attempts | YES | |
| 4.7 | Enable cron Logging | DEFAULT | |
| 4.8 | Enable System Accounting | YES | |
| 4.9 | Enable Kernel Level Auditing | SEE NOTE | Amazon EC2: For OpenSolaris 2008.11, this change is not implemented as a new boot image would first need to be created. For OpenSolaris 2009.06, this change is implemented. A reduced audit configuration is implemented for simplicity. All Others: This setting is in effect for all other implementations. A reduced audit configuration is implemented for simplicity. |
File/Directory Permissions/Access
| # | Description | Implemented | Additional Information |
|---|---|---|---|
| 5.1 | Set Daemon umask | DEFAULT | |
| 5.2 | Restrict Set-UID on User Mounted Devices | DEFAULT | |
| 5.3 | Verify System File Permissions | NO | The system file permissions are as delivered in OpenSolaris. Change requests should be submitted to bugs.opensolaris.org. |
| 5.4 | Set Sticky Bit on World Writable Directories | DEFAULT | No non-sticky world writable directories exist by default. |
| 5.5 | Find World Writable Files | YES | The only world writable file by default is /var/adm/spellhist. |
| 5.6 | Find SUID/SGID System Executables | DEFAULT | The executable ownership and permissions are as delivered in OpenSolaris. |
| 5.7 | Find Un-owned Files and Directories | DEFAULT | No un-owned files or directories exist by default. |
| 5.8 | Find Files and Directories with Extended Attributes | DEFAULT | No files and directories with extended attributes exist by default. |
Beyond those checks noted above, it was verified that no files or directories with ACLs exist by default.
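An added example, not from the original page, that implements the checks behind items 5.4 and 5.5 in Python rather than with find: it reports world-writable regular files other than /var/adm/spellhist and world-writable directories that lack the sticky bit, staying on one filesystem and ignoring symlinks. The build_fixture tree is constructed purely for demonstration.

```python
"""Check items 5.4 and 5.5: world-writable files and non-sticky directories."""
import os
import stat
import tempfile

# Item 5.5: the only world-writable file the page reports as present by default.
ALLOWED_FILES = frozenset({"/var/adm/spellhist"})

def scan(root, allowed=ALLOWED_FILES):
    """Walk root on a single filesystem (like find -mount) and return
    (files, dirs): world-writable regular files not in the allow list, and
    world-writable directories missing the sticky bit. Symlinks are skipped."""
    root_dev = os.lstat(root).st_dev
    bad_files, bad_dirs = [], []
    for dirpath, dirnames, filenames in os.walk(root):
        keep = []
        for name in dirnames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable entry: skip it and keep walking
            if stat.S_ISLNK(st.st_mode) or st.st_dev != root_dev:
                continue  # do not follow symlinks or cross mount points
            keep.append(name)
            if st.st_mode & stat.S_IWOTH and not st.st_mode & stat.S_ISVTX:
                bad_dirs.append(path)
        dirnames[:] = keep
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if (stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_IWOTH
                    and path not in allowed):
                bad_files.append(path)
    return sorted(bad_files), sorted(bad_dirs)

def build_fixture():
    """Constructed test tree (not a real system); returns its base path."""
    base = tempfile.mkdtemp()
    for name, mode in (("open", 0o777), ("tmpdir", 0o1777)):
        os.mkdir(os.path.join(base, name))
        os.chmod(os.path.join(base, name), mode)
    for name, mode in (("ww", 0o666), ("ok", 0o644)):
        open(os.path.join(base, name), "w").close()
        os.chmod(os.path.join(base, name), mode)
    return base
```

Run `scan("/")` as root to audit a real system; on a default install it should return an empty file list and an empty directory list.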
System Access, Authentication and Authorization
| # | Description | Implemented | Additional Information |
|---|---|---|---|
| 6.1 | Disable login: Prompts on Serial Ports | YES | |
| 6.2 | Disable "nobody" Access for RPC Encryption Key Storage Service | YES | |
| 6.3 | Configure SSH | NO | Amazon EC2: PermitRootLogin was set to without-password. On Amazon EC2, only the root account has access and even then only using public-key authentication. There are no passwords assigned, by default, to local accounts. All Others: This setting is in effect for all other implementations. |
| 6.4 | Disable .rhosts Support in /etc/pam.conf | YES | |
| 6.5 | Restrict FTP Use | DEFAULT | Beyond the users identified in this item, the users postgres and xvm were added to the restricted FTP user list. |
| 6.6 | Verify Delay between Failed Login Attempts Set to 4 | DEFAULT | |
| 6.7 | Set Default Screen Lock for CDE Users | DEFAULT | Software was not installed by default. |
| 6.8 | Set Default Screen Lock for Gnome Users | NO | The OpenSolaris GDM screen lock is enabled with the default timeout value (Sun: 15:00, CIS: 10:00). |
| 6.9 | Restrict at/cron to Authorized Users | YES | The account sys was added to support Item 4.8. |
| 6.10 | Restrict root Login to System Console | DEFAULT | Amazon EC2: SSH is configured to allow remote root login using public key authentication. All Others: This setting is in effect for all other implementations. |
| 6.11 | Set Retry Limit for Account Lockout | YES | Amazon EC2: Limited impact as generally only the root account is enabled by default. All Others: This setting is in effect for all other implementations. |
| 6.12 | Set EEPROM Security Mode and Log Failed Access | NO | This recommendation may not be appropriate for virtualized environments. |
| 6.13 | Secure the GRUB Menu | NO | This recommendation may not be appropriate for virtualized environments. |
User Accounts and Environment
| # | Description | Implemented | Additional Information |
|---|---|---|---|
| 7.1 | Disable System Accounts | DEFAULT | Only the root account is active by default. Shell changes were not implemented. |
| 7.2 | Ensure Password Fields are Not Empty | DEFAULT | |
| 7.3 | Set Password Expiration Parameters on Active Accounts | YES | |
| 7.4 | Set Strong Password Creation Policies | PARTIAL | The changes to /etc/default/passwd have been implemented as per the CIS recommendations. No changes have been made to any of the system accounts directly. |
| 7.5 | Verify No Legacy "+" Entries Exist in passwd, shadow, and group files | DEFAULT | |
| 7.6 | Verify No UID 0 Accounts Exist Other than root | DEFAULT | |
| 7.7 | Set Default Group for root Account | DEFAULT | |
| 7.8 | Change Home Directory for root Account | DEFAULT | |
| 7.9 | Ensure root PATH Integrity | DEFAULT | |
| 7.10 | Check Permissions on User Home Directories | DEFAULT | Amazon EC2: There are no active user accounts by default. All Others: This check should be manually verified and corrective action taken if necessary. |
| 7.11 | Check User Dot File Permissions | DEFAULT | Amazon EC2: There are no active user accounts by default. All Others: This check should be manually verified and corrective action taken if necessary. |
| 7.12 | Check Permissions on User .netrc Files | DEFAULT | There are no .netrc files by default. |
| 7.13 | Check for Presence of User .rhosts Files | DEFAULT | There are no .rhosts files by default. |
| 7.14 | Set Default umask for Users | NO | Default file creation mask of 022 is used. |
| 7.15 | Set Default umask for FTP Users | NO | FTP is disabled by Item 2.4.5 and access is restricted by Item 6.5 (no user access is permitted). Default file creation mask of 022 is used. |
| 7.16 | Set "mesg n" as Default for All Users | YES | |
Warning Banners
| # | Description | Implemented | Additional Information |
|---|---|---|---|
| 8.1 | Create Warnings for Standard Login Services | YES | |
| 8.2 | Create Warning Banner for CDE Users | DEFAULT | Software was not installed by default. |
| 8.3 | Create Warning Banner for GNOME Users | NO | GDM is disabled in Section 2. |
| 8.4 | Create Warning Banner for FTP Daemon | YES | FTP is disabled by Item 2.4.5. |
| 8.5 | Check Banner Setting for TELNET is NULL | DEFAULT | telnet is disabled by Item 2.4.4. |
| 8.6 | Create Power On Warning | DEFAULT | This recommendation may not be appropriate for virtualized environments. |
| 8.7 | Change Default Greeting String for Sendmail | YES | |
Pre-Configured OpenSolaris Images and Projects
The above security hardening recommendations have been implemented in the following projects:
Immutable Service Containers
Pre-Configured OpenSolaris Images on Amazon EC2
- OpenSolaris 2009.06 (US)
- OpenSolaris 2009.06 (Europe)
- Drupal with AMP Stack (OpenSolaris 2008.11, US)
- Drupal with AMP Stack (OpenSolaris 2008.11, Europe)
- OpenSolaris 2008.11 (US)
- OpenSolaris 2008.11 (Europe)
OpenSolaris Just Enough OS (JeOS) Project
- OpenSolaris 2009.06 (US)