Solaris 10 is the most widely deployed Unix operating system on the market, despite flip-flopping between open-source and closed-source status multiple times between versions. Notwithstanding, users are well-advised to stay proactive in bolstering the security of their deployments. The Center for Internet Security (CIS) provides guidelines for a wide range of enterprise software that can be helpful in this regard; the following are 10 of its security benchmarks for Solaris 10.
1. Disable The Local CDE ToolTalk Database Server
Unused services should be disabled to reduce the potential attack surface of your Solaris 10 deployment. The ToolTalk service may be useful for enabling independent CDE applications to communicate with each other, but it has contained multiple vulnerabilities and should be disabled if not in use.
2. Disable The Local CDE Calendar Manager
CDE Calendar Manager is an appointment and resource scheduling tool, primarily for assisting users in scheduling and keeping track of daily appointments. Several vulnerabilities exist in the tool, however, including a critical flaw in the CDE Calendar Manager Service Daemon (rpc.cmsd) that could lead to a buffer overflow. If not in use, the tool should be disabled to prevent exploitation.
3. Disable The Local Graphical Login Environment
Seasoned *nix users are well aware of the dangers of leaving X Window System services running on production servers. GUIs are nice, but they are also highly exploitable on Unix-based systems. Solaris 10 has its own X Window-style graphical login environment that should be disabled if not in use, or at least restricted to local-only mode.
4. Disable The Local Sendmail Service
Sendmail is a popular target for remote attackers and should be disabled if not in use. If your Solaris 10 server will not be processing or sending any mail, its sendmail service should be disabled to prevent it from being exploited. Most systems can safely keep sendmail in local-only mode, but again, disabling the service entirely eliminates that attack vector.
5. Set Appropriate Intervals for Scanning IRE_CACHE
The ip_ire_arp_interval parameter determines the interval at which the IRE_CACHE (IP Resolved Entries cache) is scanned. This parameter should be set based on your organization's requirements to mitigate ARP attacks, otherwise known as ARP poisoning.
6. Ignore ICMP Redirect Messages
ICMP redirects are unnecessary if your network infrastructure is well maintained and well thought out. Additionally, ICMP redirect exploits are commonly used by remote attackers for launching denial-of-service (DoS) attacks. The ip_ignore_redirect and ip6_ignore_redirect parameters should be set to 1 in high-risk scenarios and 0 (the default value) in normal circumstances.
7. Set The Maximum Number of Half-open TCP Connections
The tcp_conn_req_max_q0 parameter defines the number of allowable half-open TCP connections per port; 4096 is the recommended minimum for maintaining a good security posture. This value should be increased for highly trafficked web servers to provide protection against DoS attacks.
8. Lock Down dtspcd(8), The CDE Subprocess Control Service
This optional service is seldom used and should therefore be locked down by making its port a privileged port, especially since it is commonly exploited by remote attackers for malicious scanning purposes. This can be accomplished by adding the port to the tcp_extra_priv_ports_add parameter.
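The following audit script is an added example covering items 5 through 8 above; it is not the CIS benchmark's or ScriptRock's own tooling. It assumes the /dev/ip, /dev/ip6 and /dev/tcp driver paths for ndd(1M), that dtspcd listens on TCP port 6112, and that ip_ignore_redirect is audited against the hardened value of 1.

```shell
#!/bin/sh
# Audit of the Solaris 10 TCP/IP tunables named in items 5-8 (added example).
# Assumed: /dev/ip, /dev/ip6 and /dev/tcp driver paths, dtspcd on TCP 6112,
# and ip_ignore_redirect checked against the hardened value 1.

# check_tunable NAME OBSERVED RULE -> 0 if OBSERVED satisfies RULE,
# where RULE is "eq:N" (must equal N) or "min:N" (must be at least N).
check_tunable() {
    param=$1; observed=$2; rule=$3
    case $rule in
        eq:*)  [ "$observed" -eq "${rule#eq:}" ] ;;
        min:*) [ "$observed" -ge "${rule#min:}" ] ;;
        *)     echo "unknown rule for $param: $rule" >&2; return 2 ;;
    esac
}
# check_priv_ports LIST PORT... -> 0 if every PORT appears in LIST, the
# whitespace-separated output of `ndd -get /dev/tcp tcp_extra_priv_ports`.
check_priv_ports() {
    list=$1; shift
    for port in "$@"; do
        printf '%s\n' "$list" | tr ' ' '\n' | grep -qx "$port" || return 1
    done
    return 0
}
# read_tunable DRIVER NAME -> prints the live value via ndd, or nothing
# when ndd is absent, so the audit degrades to SKIP off Solaris.
read_tunable() {
    if command -v ndd >/dev/null 2>&1; then
        ndd -get "$1" "$2" 2>/dev/null
    fi
}
# Walk the rules from the text and print one PASS/FAIL/SKIP line each.
audit() {
    rules='/dev/ip ip_ignore_redirect eq:1
/dev/ip6 ip6_ignore_redirect eq:1
/dev/tcp tcp_conn_req_max_q0 min:4096'
    printf '%s\n' "$rules" | while read -r drv param rule; do
        val=$(read_tunable "$drv" "$param")
        if [ -z "$val" ]; then echo "SKIP $param (ndd not available)"
        elif check_tunable "$param" "$val" "$rule"; then echo "PASS $param=$val"
        else echo "FAIL $param=$val (want $rule)"; fi
    done
    ports=$(read_tunable /dev/tcp tcp_extra_priv_ports)
    if [ -z "$ports" ]; then echo "SKIP tcp_extra_priv_ports (ndd not available)"
    elif check_priv_ports "$ports" 6112; then echo "PASS dtspcd port 6112 is privileged"
    else echo "FAIL dtspcd port 6112 not in tcp_extra_priv_ports"; fi
}
audit
```

Run it as root on the Solaris 10 host; on any other system every line reports SKIP, which lets the rule logic be tested without ndd.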
9. Enable inetd Connection Logging
Comprehensive usage of system logging is crucial to maintaining a vigilant watch over critical servers; to this end, the tracing feature should be used to log information about the source of any network connections seen by the Internet standard services daemon.
10. Restrict Set-UID on User Mounted Devices
Malicious software is often introduced into local systems via removable media. By setting this restriction, file systems on external devices are mounted with the nosuid option, effectively preventing the introduction of set-UID programs via CD-ROMs, floppy disks, USB drives, and other forms of removable media.
The items above highlight only a few critical entries from the complete Solaris 10 CIS Security Benchmark checklist. If you're looking for an easy way to implement all of these hardening tactics with a few mouse clicks, look no further: ScriptRock's policy-driven integrity monitoring and validation suite can perform all of these checks automatically across your whole IT infrastructure.