Re: Hardening a Solaris system.
From: Dr. David Kirkby (see_my_signature_for_my_real_address_at_hotmail.com)
Date: 11/15/03
- Previous message: Dr. David Kirkby: "Re: Hardening a Solaris system."
- In reply to: Greg Mortensen: "Re: Hardening a Solaris system."
- Next in thread: Jim Cochrane: "Re: Hardening a Solaris system."
- Reply: Jim Cochrane: "Re: Hardening a Solaris system."
Date: 15 Nov 2003 09:23:49 -0800
Greg Mortensen <thevision@pobox.com> wrote in message news:<bp30lg$dau$1@reader2.panix.com>...
> In <c99d2c79.0311140749.2e91890e@posting.google.com> see_my_signature_for_my_real_address@hotmail.com (Dr. David Kirkby) writes:
>
> >1) Installing the bare minimum Solaris.
> >2) Have a firewall hardware only open on port 80
> >3) Turning off what services I don't need
>
> These are good ideas.
>
> >4) Not installed any man pages, so someone not knowing a Solaris
> >command would be stuck.
>
> This is less of a good idea -- what happens if you need to look up the
> syntax of a command? If you do the hardening properly, there's more of a
> chance of that scenario occurring than someone breaking in and becoming
> befuddled because they don't have the manpages.
The thing is I will connect to this SPARC 20 (the webserver) from my
Ultra 80, which runs the same version of the OS (Solaris 9, release
4). So I have the man pages on a nice GUI environment - I don't see the
need to have them on the webserver. Clearly if I was hosting on a
Linux box and connecting to the web server with a Solaris box, it
would be very different. But in my particular case, I don't think man
pages are of any use.
> >etc, but I was wondering if it is okay to remove the setuid bit from
> >all files ?
>
> It's possible for a box that's going to have a single (or limited) role.
> I wrote a perl script that un-suids and un-sgids all privileged binaries
> (and updates /var/sadm/install/contents), keeping only ones that I need
> for the box to function (such as /bin/passwd, /bin/su, /usr/lib/pt_chmod,
> etc). You can always add back the permissions if some functionality is
> broken.
I've just bought in another SPARC 20 from the garage and will install
Solaris 9 on that to play around with - seeing just how far I can go
before I break something.
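
The allowlist approach described in the quoted reply above, sketched as an added example in shell (it is not Greg Mortensen's Perl script and not part of the original thread). The function names and the allowlist file format are assumptions, and POSIX `find` and `grep` are assumed (on Solaris 9, the `/usr/xpg4/bin` versions).

```shell
#!/bin/sh
# Added example: audit setuid/setgid files against an allowlist and
# optionally strip the bits. Function names and file format are assumptions.
# Limitation: paths containing newlines are not handled.

# list_privileged ROOT
# Print every regular file under ROOT with the setuid (4000) or
# setgid (2000) bit set, one path per line, sorted.
list_privileged() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# unexpected_privileged ROOT ALLOWLIST
# Print privileged files that are NOT in ALLOWLIST. The allowlist holds one
# absolute path per line; lines starting with '#' are comments.
unexpected_privileged() {
    list_privileged "$1" | while IFS= read -r f; do
        grep -v '^#' "$2" | grep -Fxq -- "$f" || printf '%s\n' "$f"
    done
}

# strip_unexpected ROOT ALLOWLIST [apply]
# Dry run by default. With "apply", clear setuid and setgid on every file
# that is not allowlisted. Each output line records the original mode string
# so the permission can be added back if some functionality breaks.
strip_unexpected() {
    unexpected_privileged "$1" "$2" | while IFS= read -r f; do
        mode=$(ls -ld "$f" | awk '{print $1}')
        if [ "${3:-}" = "apply" ]; then
            chmod u-s,g-s "$f" && echo "stripped $mode $f"
        else
            echo "would strip $mode $f"
        fi
    done
}

# Stand-alone use: sh audit.sh ROOT ALLOWLIST [apply]
if [ "$#" -ge 2 ]; then
    strip_unexpected "$@"
fi
```

Keep the output of an `apply` run as the record of what was changed. This sketch does not update `/var/sadm/install/contents`, which the script described in the post does.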