|
Name |
Solaris Benchmark Version 1.3.0 |
|
Version |
Version
1.3.0 |
|
Status |
Final |
| Creation
Date |
2001-05-13 |
| Revision
Date |
2004-08-11 |
| Product
Category |
Operating
System |
| Vendor |
Sun
Microsystems |
| Product |
Solaris |
| Product
Version |
Solaris Versions 2.5.1 and later |
| Product
Role |
Server operating system, desktop operating system |
|
Checklist
Summary |
This document provides recommendations for securing Solaris operating systems. This benchmark document covers Solaris version 2.5.1 and later for both servers and desktops. Desktop systems typically have different security expectations than server-class systems. In an effort to facilitate use of this benchmark on these different classes of machines, shaded text has been used to indicate questions and/or actions that are typically not applicable to desktop systems in a large enterprise environment. These shaded items may be skipped on these desktop platforms. |
| Known
Issues |
The actions listed in this document are written with the assumption that they will be executed in the order presented here. Some actions may need to be modified if the order is changed. Actions are written so that they may be copied directly from this document into a root shell window with a "cut-and-paste" operation. The actions listed in this document are written with the assumption that they will be executed by the root user running the /sbin/sh shell and without noclobber set. Before performing the steps of this benchmark, it is strongly recommended that administrators make backup copies of critical configuration files that may get modified by various benchmark items. If this step is not performed, then the site may have no reasonable back-out strategy for reversing system modifications made as a result of this document. The script provided in Appendix A of this document will automatically back up all files that may be modified by the actions, except for the boot scripts manipulated by the various items in Section 3 of this document, which are backed up automatically by the individual items in Section 3. |
| Target
Audience |
xxxx |
| Target
Operational Environment |
Enterprise |
| Checklist
Installation Tools |
Not
Available. |
| Rollback
Capability |
Not
Available. |
| Testing
Information |
Not
Available. |
| NIAP/CMVP
Status |
|
| Regulatory
Compliance |
|
Comments,
Warnings, Disclaimer, Miscellaneous
|
Refer
to Known Issues. |
| Disclaimer |
Proper use of the recommendations requires careful analysis and adaptation to specific user requirements. The recommendations are not in any way intended to be a "quick fix" for anyone's information security needs. CIS makes no representations, warranties or covenants whatsoever as to (i) the positive or negative effect of the products or the recommendations on the operation or the security of any particular network, computer system, network device, software, hardware, or any component of any of the foregoing or (ii) the accuracy, reliability, timeliness or completeness of any product or recommendation. CIS is providing the products and the recommendations "as is" and "as available" without representations, warranties or covenants of any kind. |
| Product
Support |
|
| Submitting
Organization/Authors |
The
Center for Internet Security (CIS) |
| Point
of Contact |
sol-bench@cisecurity.org |
| Sponsor |
|
| Licensing |
Commercial
use license
EDUCAUSE Member license
US Federal, state and local government agency
license
|
| Checklist
Homepage |
http://www.cisecurity.org/ |
| Download
Package |
http://www.cisecurity.org/sub_form.html |
| Integrity |
sha1
(CIS_Solaris_Benchmark_v1.3.pdf) = 7e3a2f533ebf34af3eff6f4bbfdd14e53034c48e
sha256 (CIS_Solaris_Benchmark_v1.3.pdf) =
f4340c86baf21b7cb9ddb69d0df6039f87eaa5
25dc1cf9d46665b601bb2a2766 |
| Change
History |
Version
1.3.0: 2004-08-11
Version 1.2.0: 2003-03-17
Version 1.0.1b: 2001-09-27
Version 1.0.1a: 2001-09-05
Version 1.0.1: 2001-06-30
Version 1.0: 2001-05-13
|
| Dependency/Requirement |
|
| References |
Free
benchmark documents and security tools for various
OS platforms and applications: http://www.cisecurity.org/
Pre-compiled software packages for various OS
platforms:
ftp://ftp.cisecurity.org/
Sun Microsystems Patches and related documentation:
ftp://sunsolve.sun.com/pub/patches/
Sun Patch Manager tool:
http://www.sun.com/service/support/
sw_only/patchmanager.html
Solaris Security Toolkit:
http://www.sun.com/security/jass/
Pre-compiled fix-modes software:
http://wwws.sun.com/software/
security/downloads.html
Solaris Fingerprint Database:
http://sunsolve.sun.com/pub-cgi/fileFingerprints.pl
Sun's Kerberos Information
http://wwws.sun.com/software/security/kerberos/
Role-Based Access Control (RBAC) white paper:
http://wwws.sun.com/software/whitepapers/wp-rbac/
OpenSSH white paper, NTP white paper, information
on kernel (ndd) settings, et al:
http://www.sun.com/security/blueprints/
Various documentation on Solaris security issues:
http://ist.uwaterloo.ca/security/howto/
Primary source for information on NTP:
http://www.ntp.org/
Information on MIT Kerberos:
http://web.mit.edu/kerberos/www/
Apache "Security Tips" document:
http://httpd.apache.org/docs-
2.0/misc/security_tips.html
Information on Sendmail and DNS:
http://www.sendmail.org/
http://www.deer-run.com/~hal/dns-
sendmail/DNSandSendmail.pdf
Pre-compiled software packages for Solaris:
http://www.sunfreeware.com/
ftp://ftp.cisecurity.org/
OpenSSH (secure encrypted network logins):
www.openssh.org
TCP Wrappers source distribution:
ftp.porcupine.org
PortSentry and Logcheck (port and log monitoring
tools):
http://sourceforge.net/projects/sentrytools/
Swatch (log monitoring tool):
http://www.oit.ucsb.edu/~eta/swatch/
Open Source Sendmail (email server) distributions:
ftp://ftp.sendmail.org/
LPRng (Open Source replacement printing system
for Unix):
http://www.lprng.org/
fix-modes (free tool to correct permissions
and ownerships in the Solaris OS):
ftp://ftp.science.uva.nl/pub/solaris/fix-modes.tar.gz
sudo (provides fine-grained access controls
for superuser activity):
http://www.courtesan.com/sudo/ |
| NIST
Identifier |
1051 |
