 | What is purpose of box? |
 | Install offline |
 | Select core, end user, developer---most often end user |
 | The cc packages are needed, but it is not wise to leave them on the local
system: install, compile, then remove. Or build on a secured machine and move
the binaries over |
 | sunwlib.cf and sunwlib.? And install in /usr/ccs/bin |
 | Mount /usr as read only, then make /usr/local a separate partition. This
model can be used on other UNIX systems, but you might have to mount
read/write when installing new stuff |
 | Separate /var partition for logging and mail |
 | Make swap space closer to inside of disk for performance boost |
 | After install and restart, add patches, revision_? metalab.unc.edu,
unzip and pkgadd -d |
 | Keep the patches up to date! |
 | Edit the system logs before putting the box online; edit syslog to send
specific log entries to a central server |
 | /etc/init.d: change mode to 700, ownership to root and bin |
 | Don't delete stop and start files, but rename |
 | TCP wrappers: enlnxs.eas.asu.edu, anonymous ftp, /pub/linux/security. Edit
the Makefile for your system. Uncomment your OS line in the
library section: there is one for irix, sunos, sys4, in more than one place |
 | make sunos, make install. Turn off telnet; remove dfstab files and useless
cron files; remove from /etc/inittab: sc:234:respawn:/usr/lib/saf/sac -t 300 |
 | Turn off sendmail, leaving only local mail |
 | /etc/vfstab: mount disks nosuid, not on /dev partition |
 | Build ssh; see the how-to file for using it with TCP wrappers |
 | Shut down root; use sudo or su to do account management. Remove unused
users and associated groups; add ftp users in /etc/shells |
 | System log file---set priority of importance 1-emergency, etc |
 | PortSentry, written by someone from 3com, works with TCP wrappers:
monitors ports for scans and attempted exploits, adds bad boys to the
hosts.deny file. make generic, make install. /usr/local/psionic/portsentry -tcp |
 | Create an authorization log to log su logins: touch /var/log/authlog.
Comment out offlog in syslog.conf file |
 | Set EPROM password: eeprom security-mode=none, command, or full. If a
hacker gets in and sets this to full, you're in trouble. None is a good choice |
 | /dev/openprom file: password is plain text |
 | NFS |
 | In /etc/system file under require nfs: set nfssrv:nfs_portmon = 1, set
nfs:nfs_portmon = 1. Create rhosts file with permissions 400. Remove all
rfiles, or link to ssh |
 | TCP wrappers: hosts.allow: ALL: LOCAL, ALL: asu.edu; hosts.deny: ALL: ALL |
 | Install lsof, shows all open files even if hacker has tried to hide the
files or processes |
 | Yassp (yet another security for Solaris Program) similar to bastille---get
from hassp.parc.xerox.com directory is /pkg/yassp/.tar.z |
 | Titan, another hardening program from www.fish.com/titan, an older program |
 | Tripwire |
 | www.sunworld.com/sunworldonline/common/security-faq.html |
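
Added example (not part of the original notes): a simplified model of how TCP wrappers evaluates the hosts.allow / hosts.deny pair listed above, showing that a bare asu.edu pattern matches only a host with exactly that name, while a leading-dot pattern (.asu.edu) matches hosts inside the domain. The function names and the test host names are constructed for illustration; only ALL, LOCAL, exact names and leading-dot patterns are modelled (no addresses, EXCEPT or options).

```python
# Added example: simplified model of TCP wrappers (hosts_access) evaluation.
# Rules below are the ones in the notes; everything else is hypothetical.
HOSTS_ALLOW = "ALL: LOCAL\nALL: asu.edu\n"
HOSTS_DENY = "ALL: ALL\n"


def parse(text):
    """Return a list of (daemon_list, client_list) from hosts.allow/deny text."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, _, rest = line.partition(":")
        clients = rest.split(":")[0]          # ignore any trailing options
        rules.append((daemons.replace(",", " ").split(),
                      clients.replace(",", " ").split()))
    return rules


def client_matches(pattern, host):
    host = host.lower()
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":                    # host name without a dot
        return "." not in host
    if pattern.startswith("."):               # domain suffix, e.g. .asu.edu
        return host.endswith(pattern.lower())
    return host == pattern.lower()            # otherwise an exact host name


def table_matches(rules, daemon, host):
    return any(
        any(d in ("ALL", daemon) for d in daemons)
        and any(client_matches(c, host) for c in clients)
        for daemons, clients in rules)


def allowed(daemon, host, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """hosts.allow is consulted first, then hosts.deny; no match grants access."""
    if table_matches(parse(allow_text), daemon, host):
        return True
    return not table_matches(parse(deny_text), daemon, host)


if __name__ == "__main__":
    for h in ("gateway", "lab1.eas.asu.edu", "host.example.com"):
        print(h, allowed("in.telnetd", h))
```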