Re: Securing Solaris 10

From: Pepper Orlando (woodenbicycle_at_hotmail.com)
Date: 10/07/05

    To: sunmanagers@sunmanagers.org
    Date: Fri, 07 Oct 2005 11:35:32 -0500


    This almost works for me! The script worked fine and then I re-enabled the
    two entries for GUI. Now dtlogin comes up and I am able to log into
    JavaDesktop3, but I can no longer log into a CDE session because of a dt
    message server error. It actually brings me in far enough to SEE the CDE
    desktop but it gives me an error and once I click OK I am back at dtlogin
    again.

    To add to my original question, what do I need to re-enable to allow me to
    at least log into CDE?

    Thank you

    >From: Sam Nelson <sam@unix.ms>
    >To: Pepper Orlando <woodenbicycle@hotmail.com>
    >Subject: Re: Securing Solaris 10
    >Date: Fri, 07 Oct 2005 16:51:25 +0100
    >
    >
    >Hi Pepper - I use this; caution! it shuts down everything but SSH.
    >
    >cheers
    >
    >Sam
    >
    >bung this in as /var/svc/profile/upgrade and reboot.
    >
    >#!/bin/sh
    ># Remove / disable all the crap that solaris 10 starts by default.
    ># This enables the box to reach the CIS Level-1 benchmark.
    >#
    ># Either run this manually or rename to
    ># /var/svc/profile/upgrade and reboot the box.
    >#
    ># Run with no modifications, this script will leave SSHD running only.
    ># Any questions see Sam N.
    >#
    >set -x
    ># Item 1.1, enable sshd :)
    >svcadm enable svc:/network/ssh:default
    ># Item 1.2, rpcbind
    >svcadm disable svc:/network/rpc/bind:default
    ># Item 1.3, secure RPC
    >svcadm disable svc:/network/rpc/keyserv:default
    ># Item 1.4, NIS server
    >svcadm disable svc:/network/nis/server:default
    >svcadm disable svc:/network/nis/passwd:default
    >svcadm disable svc:/network/nis/update:default
    >svcadm disable svc:/network/nis/xfr:default
    ># Item 1.5, NIS client
    >svcadm disable svc:/network/nis/client:default
    ># Item 1.6, NIS+
    >svcadm disable svc:/network/rpc/nisplus:default
    ># Item 1.7, LDAP cache mgr
    >svcadm disable svc:/network/ldap/client:default
    ># Item 1.8, Kerberos server
    >svcadm disable svc:/network/security/kadmin:default
    >svcadm disable svc:/network/security/krb5kdc:default
    >svcadm disable svc:/network/security/krb5_prop:default
    ># Item 1.9, Kerberos client
    >svcadm disable svc:/network/security/ktkt_warn:default
    ># Item 1.10, GSS
    >svcadm disable svc:/network/rpc/gss:default
    ># Item 1.11, GUI
    >mv /etc/rc2.d/S99dtlogin /etc/rc2.d/.NOS99dtlogin 2> /dev/null
    >svcadm disable svc:/network/rpc-100083_1/rpc_tcp:default
    ># Item 1.12, Solaris Management Console
    >mv /etc/rc2.d/S90wbem /etc/rc2.d/.NOS90wbem 2> /dev/null
    >mv /etc/rc2.d/S90webconsole /etc/rc2.d/.NOS90webconsole 2> /dev/null
    ># Item 1.13, volume manager
    >svcadm disable svc:/network/rpc/smserver:default
    >mv /etc/rc3.d/S81volmgt /etc/rc3.d/.NOS81volmgt 2> /dev/null
    ># Item 1.14, SAMBA
    >mv /etc/rc3.d/S90samba /etc/rc3.d/.NOS90samba 2> /dev/null
    ># Item 1.15, NFS server
    >svcadm disable svc:/network/nfs/server:default
    >svcadm disable svc:/network/nfs/cbd:default
    >svcadm disable svc:/network/nfs/mapid:default
    ># Item 1.16, rquota
    >svcadm disable svc:/network/nfs/rquota:default
    ># Item 1.17, NFS client
    >svcadm disable svc:/network/nfs/client:default
    ># Both NFS servers and clients need these (see 2.16 and 2.18 above)
    >svcadm disable svc:/network/nfs/status:default
    >svcadm disable svc:/network/nfs/nlockmgr:default
    ># Item 1.18, auto mounter
    >svcadm disable svc:/system/filesystem/autofs:default
    ># Item 1.19, telnet server
    >svcadm disable svc:/network/telnet:default
    ># Item 1.20, FTP server
    >svcadm disable svc:/network/ftp:default
    ># Item 1.21, rlogin/rsh servers
    >svcadm disable svc:/network/login:rlogin
    >svcadm disable svc:/network/shell:default
    ># Item 1.22, boot services
    >svcadm disable svc:/network/rpc/bootparams:default
    >svcadm disable svc:/network/rarp:default
    ># Item 1.23, DHCP server
    >svcadm disable svc:/network/dhcp-server:default
    ># Item 1.24, DNS server
    >svcadm disable svc:/network/dns/server:default
    ># Set up TFTP server entry if necessary
    >if [ ! "`inetadm | grep tftp`" ]; then
    >cd /var/svc/profile
    >echo 'tftp dgram udp6 wait root /usr/sbin/in.tftpd in.tftpd /tftpboot' >inetd-tftpd.tmp
    >inetconv -n -i ./inetd-tftpd.tmp -o /var/svc/profile
    >sed 's#tftp/udp6#tftp#' tftp-udp6.xml >tftp.xml
    >svccfg import tftp.xml
    >rm -f inetd-tftpd.tmp tftp-udp6.xml tftp.xml
    >fi
    ># Item 1.25, TFTP server
    >svcadm disable svc:/network/tftp:default
    ># Item 1.26, print servers
    ># Use -s for print/cleanup because it has already been started
    ># before upgrade script is read
    >svcadm disable -s svc:/application/print/cleanup:default
    >svcadm disable svc:/application/print/server:default
    >svcadm disable svc:/application/print/rfc1179:default
    ># Item 1.27, Web servers
    ># Apache 2.x (the first line below) is preferred. If you would
    ># rather run Apache 1.3.x, then disable the Apache 2.x service and
    ># move the /etc/rc3.d/S50apache script back into place.
    >#
    >svcadm disable svc:/network/http:apache2
    >mv /etc/rc3.d/S50apache /etc/rc3.d/.NOS50apache 2> /dev/null
    >mv /etc/rc2.d/S42ncakmod /etc/rc2.d/.NOS42ncakmod 2> /dev/null
    >mv /etc/rc2.d/S94ncalogd /etc/rc2.d/.NOS94ncalogd 2> /dev/null
    ># Item 1.28, SNMP server (initsma is net-snmp)
    >mv /etc/rc3.d/S82initsma /etc/rc3.d/.NOS82initsma 2> /dev/null
    ># Item 1.29, Solaris Volume Manager (software RAID) services
    >svcadm disable svc:/system/metainit:default
    >svcadm disable svc:/platform/sun4u/mpxio-upgrade:default
    >svcadm disable svc:/system/mdmonitor:default
    ># Item 1.30, Solaris Volume Manager GUI services
    >svcadm disable svc:/network/rpc/mdcomm:default
    >svcadm disable svc:/network/rpc/meta:default
    >svcadm disable svc:/network/rpc/metamed:default
    >svcadm disable svc:/network/rpc/metamh:default
    ># Item 1.31, inetd
    >if [ "`inetadm | grep '^enable'`" ]; then
    >svcadm enable svc:/network/inetd:default
    >else
    >svcadm disable svc:/network/inetd:default
    >fi
    ># Item 1.32, sendmail
    >svcadm disable svc:/network/smtp:sendmail
    ># Item 1.33, all the other crap
    >svcadm disable svc:/network/chargen:dgram
    >svcadm disable svc:/network/chargen:stream
    >svcadm disable svc:/network/daytime:dgram
    >svcadm disable svc:/network/daytime:stream
    >svcadm disable svc:/network/discard:dgram
    >svcadm disable svc:/network/discard:stream
    >svcadm disable svc:/network/echo:dgram
    >svcadm disable svc:/network/echo:stream
    >svcadm disable svc:/network/time:dgram
    >svcadm disable svc:/network/time:stream
    >svcadm disable svc:/network/rpc/rex:default
    >svcadm disable svc:/network/rexec:default
    >svcadm disable svc:/network/uucp:default
    >svcadm disable svc:/network/comsat:default
    >svcadm disable svc:/network/rpc/spray:default
    >svcadm disable svc:/network/rpc/wall:default
    >svcadm disable svc:/network/tname:default
    >svcadm disable svc:/network/talk:default
    >svcadm disable svc:/network/finger:default
    >svcadm disable svc:/network/rpc/rstat:default
    >svcadm disable svc:/network/rpc/rusers:default
    >svcadm disable svc:/network/rpc/ocfserv:default
    >svcadm disable svc:/network/login:eklogin
    >svcadm disable svc:/network/login:klogin
    >svcadm disable svc:/network/shell:kshell
    ># Use -s for system/power because it has already been started
    ># before upgrade script is read
    >svcadm disable -s svc:/system/power:default
    >svcadm disable svc:/network/slp:default
    >svcadm disable svc:/application/management/webmin:default
    >svcadm disable svc:/system/consadm:default
    >svcadm disable svc:/application/gdm2-login:default
    >svcadm disable svc:/application/print/ipp-listener:default
    ># Use -s for system/name-service-cache because it has already
    ># been started before upgrade script is read
    >svcadm disable -s svc:/system/name-service-cache:default
    >svcadm disable svc:/network/apocd/udp:default
    >svcadm disable svc:/application/x11/xfs:default
    >svcadm disable svc:/application/font/stfsloader:default
    >svcadm disable svc:/network/rpc-100068_2-5/rpc_udp:default
    >svcadm disable svc:/network/rpc-100235_1/rpc_ticotsord:default
    ># Item 1.33, move the remaining (legacy) rc2.d stuff
    >mv /etc/rc2.d/S40llc2 /etc/rc2.d/.NOS40llc2 2> /dev/null
    >mv /etc/rc2.d/S47pppd /etc/rc2.d/.NOS47pppd 2> /dev/null
    >mv /etc/rc2.d/S70uucp /etc/rc2.d/.NOS70uucp 2> /dev/null
    >mv /etc/rc2.d/S72autoinstall /etc/rc2.d/.NOS72autoinstall 2> /dev/null
    >mv /etc/rc2.d/S73cachefs.daemon /etc/rc2.d/.NOS73cachefs.daemon 2> /dev/null
    >mv /etc/rc2.d/S89bdconfig /etc/rc2.d/.NOS89bdconfig 2> /dev/null
    >mv /etc/rc2.d/S89PRESERVE /etc/rc2.d/.NOS89PRESERVE 2> /dev/null
    >mv /etc/rc3.d/S16boot.server /etc/rc3.d/.NOS16boot.server 2> /dev/null
    >mv /etc/rc3.d/S52imq /etc/rc3.d/.NOS52imq 2> /dev/null
    >mv /etc/rc3.d/S84appserv /etc/rc3.d/.NOS84appserv 2> /dev/null
    >mv /etc/rc3.d/S75seaport /etc/rc3.d/.NOS75seaport 2> /dev/null
    >mv /etc/rc3.d/S76snmpdx /etc/rc3.d/.NOS76snmpdx 2> /dev/null
    >mv /etc/rc3.d/S77dmi /etc/rc3.d/.NOS77dmi 2> /dev/null
    >mv /etc/rc3.d/S80mipagent /etc/rc3.d/.NOS80mipagent 2> /dev/null
    >
    >
    >
    >Pepper Orlando wrote:
    >>Is there a good guide for securing a default installation of Solaris 10?
    >>Ten minutes of Google did not come up with much. I am familiar with
    >>securing Solaris 9 but 10 is new territory for me. I don't even fully
    >>understand the new SMF.
    >>
    >>A shame FixSolaris hasn't yet been updated for 10!
    >>
    >
    >

    _______________________________________________
    sunmanagers mailing list
    sunmanagers@sunmanagers.org
    http://www.sunmanagers.org/mailman/listinfo/sunmanagers
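Sam's script disables services through two different mechanisms (svcadm for SMF-managed services, renaming rc2.d/rc3.d scripts for legacy ones), so after a reboot it is worth checking the end state rather than trusting that every line ran. The following audit helper is an added example, not part of the thread or of Sam's script. It takes the text of `svcs -a` (here a constructed sample, not output from either poster's machine) and a newline-separated list of FMRIs that are expected to be disabled, and reports each one that is still online, missing from the system altogether (where `svcadm disable` would only have printed an error), or still being started as a legacy rc script, which svcadm cannot manage at all. The FMRI lists and states in the sample are chosen for illustration.

```sh
#!/bin/sh
# Constructed sample of `svcs -a` output (columns: STATE STIME FMRI).
# Not captured from a real host; it mixes SMF services and one legacy rc script.
SAMPLE_SVCS='STATE          STIME    FMRI
online         Oct_07   svc:/network/ssh:default
disabled       Oct_07   svc:/network/telnet:default
online         Oct_07   svc:/network/rpc/bind:default
legacy_run     Oct_07   lrc:/etc/rc2.d/S99dtlogin
online         Oct_07   svc:/network/rpc-100083_1/rpc_tcp:default
disabled       Oct_07   svc:/network/nfs/server:default'

# FMRIs the hardening script is meant to leave disabled (a short, constructed subset;
# on a real box this would be every svcadm disable target in the script).
EXPECT_DISABLED='svc:/network/telnet:default
svc:/network/rpc/bind:default
svc:/network/rpc-100083_1/rpc_tcp:default
svc:/network/nfs/server:default
svc:/network/finger:default'

# still_enabled SVCS_TEXT FMRI_LIST
# Prints "<fmri> <state>" for every FMRI in the list whose state is not "disabled",
# and "<fmri> MISSING" for FMRIs that do not exist on the system at all.
still_enabled() {
    svcs_out=$1
    wanted=$2
    printf '%s\n' "$wanted" | while IFS= read -r fmri; do
        [ -n "$fmri" ] || continue
        # Exact match on the FMRI column; the header line never matches.
        state=$(printf '%s\n' "$svcs_out" | awk -v f="$fmri" '$3 == f { print $1 }')
        case "$state" in
            disabled) ;;                                   # hardened as intended
            "")       printf '%s MISSING\n' "$fmri" ;;     # svcadm disable would have errored here
            *)        printf '%s %s\n' "$fmri" "$state" ;; # online, maintenance, offline, ...
        esac
    done
}

# legacy_run SVCS_TEXT
# Prints the lrc:/ entries still being run from /etc/rc?.d. These are the ones the
# script handles with mv rather than svcadm, so a surviving entry means the rename
# did not happen (or the script was re-enabled by hand).
legacy_run() {
    printf '%s\n' "$1" | awk '$1 == "legacy_run" { print $3 }'
}

# Stand-alone run against the constructed sample. On a live system, replace
# "$SAMPLE_SVCS" with "$(svcs -a)".
echo '--- expected-disabled services that are not disabled ---'
still_enabled "$SAMPLE_SVCS" "$EXPECT_DISABLED"
echo '--- legacy rc scripts still running ---'
legacy_run "$SAMPLE_SVCS"
```

Before disabling any service that another one might need, `svcs -D <fmri>` lists the services that depend on it, which is the cheapest way to see what a given `svcadm disable` line will take down with it.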

