Solaris Hardening Document 14


GideonRasmussen

Nov 20, 2002
To all,

I just posted my 55 page Solaris build/hardening document. It details the configuration, hardening, monitoring and vulnerability assessment of the Solaris operating system. The document can also be used as a configuration standard, providing a baseline to audit against.

I have spent a great deal of time and effort on it. Please feel free to pass this on to your colleagues. I'm hoping to get the word out and have some impact. Thank you.

Gideon

Gideon Rasmussen, CISSP
Norwalk, CT
 
This is nice. It has a lot of stuff in one document. It may be too much for every server installation but it's a good memory jogger at build time.

Thanks Gideon!
 
shame i can't read it ... maybe it's time to upgrade my ghostscript/acroread ... :)
 
I am unable to download this document from BigAdmin.
Is there an FTP site where I can get it?

Thanks,
Brian M. Fisher
BMF5@MeadWestvaco.com
 
I can't open doc either, tried "saving target to" from link above but file is corrupt, acrobat reader 5 says. Mike

"Experience is the comb that Nature gives us, after we are bald."

Is that a haiku?
I never could get the hang
of writing those things.
 
56 pages of pure gold. :D
Thanks from a newbie.
Regards
MM
 
Wow....Okay. This document is huge. And quite useful. :) Not just telling you what to do, but how to do it as well! I'll add this to my permanent archives. Many thanks!

UnixSkunk - Tux's Evil Nemesis. :)
 
Hello

This doc was once available via the link posted above.

Now the doc is not available.

Do you know where I can get this doc?

Thanks.
 
in the INSTALLED REPORTING / LOGGING SCRIPTS section
(as example) you exec 10times 'ps' grepping something...
why not a ps-snapshot and grepping in the snapshot?

nowadays we have gigs of (mostly unused) mem and disk +
you repeat 10times ps in a shell-script ???
do you see the impact, if the script runs 3times a min, 24/24hours and 7/7days ?

last time i used
ps -ef|grep xxx|grep -v grep|awk zzz
my daughter was 10, i am grandfather :(

and all the statements: do-something >>output
you are opening + reopening x-time the same file
did you already read about:
(
do-something
do-something
do-something
do-something
) >outfile

the Q is: as long we (i also am unix seasoned) write s..t,
why||how can young people learn to do it better,
efficient, clean?

this will never change.
look at the (worse) CDE scripts, or /etc/rc?.d/?*

it's NOT a performance issue, just understand what we write!

a good one:
Code:
    if(aaa){
       bbb();
       ccc();
       [b]exit;[/b]
    }
    else{
       ddd();
       eee();
    }
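
The single-snapshot and grouped-redirect approach suggested in the post above, as an added example that is not part of the original thread or of the hardening document. The function names, the daemon names checked and the sample snapshot are constructed for illustration.

```shell
#!/bin/sh
# One ps snapshot, many lookups against it, and one open of the output file.

# Live snapshot: PID and command name only (POSIX ps options).
take_snapshot() { ps -e -o pid= -o comm=; }

# Constructed sample snapshot so the example runs offline.
sample_snapshot() {
    cat <<'EOF'
  1 /sbin/init
214 /usr/sbin/syslogd
230 /usr/sbin/cron
301 /usr/lib/ssh/sshd
977 /usr/lib/ssh/sshd
EOF
}

# count_in_snapshot FILE NAME -> number of processes whose command basename is NAME
count_in_snapshot() {
    awk -v want="$2" '
        { n = split($2, part, "/"); if (part[n] == want) hits++ }
        END { print hits + 0 }' "$1"
}

# report FILE NAME... -> one "name count" line per daemon, all read from the same snapshot
report() {
    src=$1; shift
    for name in "$@"; do
        printf '%s %s\n' "$name" "$(count_in_snapshot "$src" "$name")"
    done
}

# run_report OUTFILE [live] -> whole report written through a single grouped redirect
run_report() {
    snap=$(mktemp) || return 1
    if [ "${2:-}" = live ]; then take_snapshot >"$snap"; else sample_snapshot >"$snap"; fi
    {
        echo "process report"
        report "$snap" syslogd cron sshd inetd
    } >"$1"
    rm -f "$snap"
}
```

Calling `run_report /tmp/report.txt live` uses the real process table instead of the sample; a count of 0 for a daemon that should be running, or a non-zero count for one that should be disabled, is the line to alert on.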
 
I want to run some of the scripts from the hardening documentation of GideonRasmussen on our Sparc systems.

These scripts are with
#!/bin/ksh

The output from "echo $SHELL" separately on our two machines is

/sbin/sh and /bin/bash.

Can I run these scripts just by copying the entire script from the documentation with #! /bin/ksh as the shell at the first line of these scripts?

If not can you tell me how to safely change the shell to ksh.

Thanks
 
Hi chrs0302,

with echo $SHELL you will get the path to your login shell back.
You are right: if your login shells are bash and sh then to run a ksh script you have to start that script with the

#!interpreter

line, where "interpreter" is the absolute path of the ksh (or in fact of any other shell which you want to interpret your script).

Generally, it is a good thing when shell scripts start with such a line to make them portable.

HTH

mrjazz [pc2]
 
mrjazz

I have checked as root with

# ls -la | grep ksh
No ksh at all

But for

# ls -la | grep sh
There are both sh and jsh.

Could you please suggest which one to select (sh/jsh) for better performance of the scripts at the beginning #! -- in the place of ksh.

Thanks
 
Hi mrjazz

ksh is not available in our systems. Can I run the scripts with #! /bin/sh or #! /bin/bash?

Thanks
 
You could try it, but you'll probably find ksh as /sbin/ksh, not /bin/ksh. Is it there?
 
Hi KenCunningham

I will try and let you know.

Thank you
 
Great work, Gideon. I'm sure a lot of admins would appreciate such a useful resource!!

John
 