Re: Securing Solaris 10


---- Glenn Brunette <Glenn.Brunette@xxxxxxx> wrote:

Jeff,

Sun has been working with the Center for Internet Security for
nearly four years on their Solaris guides to align them with
Sun's recommended practices and to ensure that the settings
recommended could be supported by Sun. In fact, we are working
with CIS right now to update the Solaris 10 guide to account for
the changes made in the upcoming Solaris 10 11/06 release.

The only other guide which does cover some aspects of Solaris
10 is the current version of the DISA UNIX STIG.

Of course to automate the implementation and/or assessment of the
changes, you can use the Solaris Security Toolkit which is tool
developed and supported by Sun. It can be found at:

http://www.sun.com/security/jass/

I believe that there are a few settings recommended by CIS that
are not accounted for today in the Solaris Security Toolkit, but
the vast majority are.

All of the other documents and/or checklists of which I am aware
have not been updated for Solaris 10.

Glenn


jeffnjillian@xxxxxxxxx wrote:
All,

Has anyone out there found a good checklist or tool for securing Solaris 10? I found the CISecurity benchmark, but I didn't know if there was anything else out there? I'm not very well versed on Solaris, but I have the task of double checking the admins to ensure it was locked down. I haven't seen very many checklists posted for this version of Solaris yet.

Any suggestions?

Thanks in Advance,
Jeff


--
Glenn Brunette
Distinguished Engineer
Director, GSS Security Office
Sun Microsystems, Inc.

Glenn,

As someone who has to use the DISA STIG to secure systems Solaris and Linux systems, I would not recommend the current DISA STIG as guidance for anyone trying to secure a Solaris 10 system. From what I have read of DISA's current STIG (5.1) mentions Solaris 10 in 11 instances but does not go into any deatil on how to use the security features of the OS or any recommendations. Further, I just used the September release of the DISA SRR scripts (generally not available to the public) and found that some of them support Solaris 10, while other scripts do not.

If I was going to recommend documentation from the Government, I would recommend the NSA guides. The NSA has not released a guide for Solaris 10 (yet), but I find their guides straightforward and cover securing the OS (and why) far better than anything DISA produces.


Robert Escue
System Administrator

Relevant Pages

  • [NEWS] Hardening Solaris for MGC
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... The Media Gateway Controller product is installed on top of Solaris ... In the default installation, Solaris has several known ... Since vulnerabilities are in the underlying Operating System customers do ...
    (Securiteam)
  • [UNIX] Remote Root Exploitation of Default Solaris sadmind Setting
    ... Get your security news from a reliable source. ... its Solaris operating system to help administrators manage systems ... The sadmind daemon is used by Solstice AdminSuite applications to ... documented to some extent in Sun documentation, ...
    (Securiteam)
  • [EXPL] Solaris Xlock Heap Overflow Vulnerability (Exploit, XUSERFILESEARCHPATH)
    ... Solaris Xlock Heap Overflow Vulnerability ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... * sol_x86_xlockex.c - Proof of Concept Code for xlock heap overflow bug. ...
    (Securiteam)
  • Cisco Security Advisory: Hardening of Solaris OS for MGC
    ... Solaris operating system. ... In order to guarantee the stability of the application Cisco must ... The second issue is the security of the default Solaris installation. ...
    (Bugtraq)
  • [UNIX] William LeFebvre "top" Format String Vulnerability
    ... Get your security news from a reliable source. ... Over four years later the vulnerability ... bug and the issue has since been patched. ... OpenBSD, FreeBSD, SCO Skunkware, and Solaris have all been subject to this ...
    (Securiteam)