solaris 加固规范例子

bobkey

author:bobkey
date:2004.8
mail:toqinbo@msn.com

网上已经很多类似的帖子了，重要的是过程要规范，避免由于加固而导致的风险。加固情况要注意每个系统的配置不同而且应用也不同,不可全部一样步骤,否则导致生产环境机器DOWN掉,造成不必要的损失.

目 录
一 Solaris安全修复技术规范 2
1.1 Recommended补丁安装规范 2
1)拷贝补丁至硬盘 2
2)补丁安装 2
3)校验补丁 2
4)删除补丁 4
5)参考 4
1.2安全配置规范 5
1）安全修复－本地层 5
2）安全修复－网络层 6
二、观察系统运行状态 9
1）系统运行状态观察 9
2）生产环境状态观察 10


－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－－
一 Solaris安全修复技术规范
1.1 Recommended补丁安装规范
1)拷贝补丁至硬盘
#uname –a 查看版本系统信息，并把对应补丁拷贝，以下是以slaris_sparc_5.9为例
1.1mount光驱
把安装光盘放入cdrom,
#/etc/init.d/volmgt stop
#ls -1 /dev/dsk/c*s2
#mount -F hsfs -o ro /dev/dsk/c0t6d0s2 /cdrom

或者

#/etc/init.d/volmgt stop
#/etc/init.d/volmgt start
#volcheck
#eject
df –ka 查看磁盘空间，不要放在/tmp下，默认位置一般建议放/var/tmp下
1.2 其他系统取补丁可通过ftp
#ftp hosts 21
>lcd /var/tmp
>bin
>get 9_Recommended.zip
>by
2)补丁安装
#/usr/sbin/shutdown -y -g0 -i0
ok boot –s
#mountall 把所有设备mount

记录系统当前补丁状态
#showrev –p>before_patchStat.log
#unzip /var/tmp/9_Recommended.zip
#cd /var/tmp/9_Recommended
# ./install_cluster
这里大概要两个小时以上


3)校验补丁
#more /var/sadm/install_data/<cluster name>_log
根据返回码判断出错信息，2和8可忽略。其他信息按如下表，

RETURN CODES:
-------------
The following are the explanation of patchdd script exit codes:

0 No error
1 Usage error
2 Attempt to apply a patch that's already been applied
3 Effective UID is not root
4 Attempt to save original files failed
5 pkgadd failed
6 Patch is obsoleted
7 Invalid package directory
8 Attempting to patch a package that is not installed
9 Cannot access /usr/sbin/pkgadd (client problem)
10 Package validation errors
11 Error adding patch to root template
12 Patch script terminated due to signal
13 Symbolic link included in patch
14 NOT USED
15 The prepatch script had a return code other than 0.
16 The postpatch script had a return code other than 0.
17 Mismatch of the -d option between a previous patch
install and the current one.
18 Not enough space in the file systems that are targets
of the patch.
19 $SOFTINFO/INST_RELEASE file not found
20 A direct instance patch was required but not found
21 The required patches have not been installed on the
manager
22 A progressive instance patch was required but not found
23 A restricted patch is already applied to the package
24 An incompatible patch is applied
25 A required patch is not applied
26 The user specified backout data can't be found
27 The relative directory supplied can't be found
28 A pkginfo file is corrupt or missing
29 Bad patch ID format
30 Dryrun failure(s)
31 Path given for -C option is invalid
32 Must be running Solaris 2.6 or greater
33 Bad formatted patch file or patch file not found
34 Incorrect patch spool directory
35 Later revision already installed
36 Cannot create safe temporary directory
37 Illegal backout directory specified
38 A prepatch, prePatch or a postpatch script could not be
executed

4)删除补丁
1、 安装完毕后重新启动服务器进入运行级别3
#/usr/sbin/shutdown -y -g0 –i6
2、 所有服务正常启动
3、 在生产环境下监视运行状态，记录反常状态
4、 有反常情况，则重新进入单用户模式，参考第一步的单用户模式进入方法
#shutdown –y –g0 –i0
ok boot –s
#mountall
5、 根据/var/sadm/install_data/<cluster name>_log，删除补丁
#patchrm id
7、重新启动服务器
#/usr/sbin/shutdown -y -g0 –i6

5)参考
sun把补丁分为Cluster和Point补丁
sun各版本的补丁描述，每月更新两次
http://sunsolve.sun.com/pub-cgi/show...&nav=patchpage

Sun Alert Patch Report
http://sunsolve.sun.com/pub-cgi/show...nalert_patches

相应的solaris部分可从如下链接得到：

http://sunsolve.sun.com/pub-cgi/show...atches#Solaris
ftp下载地址
ftp://ftp.sunsolve.sun.com/pub/patches

补丁分析工具PatchCheck
pchk_1.1.tar.Z ，它包含以下几个文件：
COPYRIGHT
userguide
patchk.pl

下载参照文件，命名为patchdiag.xref和patchk工具放同一目录
http://sunsolve.sun.com/pub-cgi/patc....xref&method=H
patchdiag.xref
根据提示输入，结果会生成一个html文件
#perl patchk.pl -b -l

或者

把结果输入到一个文本文件也可以
#perl patchk.pl –x patchdiag.xref >atch_over.log
检查结果仔细查看

1.2安全配置规范
1）安全修复－本地层

修复系统溢出
配置文件/etc/system
堆栈缓冲溢出攻击防护设置
在里加上如下语句，禁止缓冲溢出：
#echo "set noexec_user_stack=1" >> /etc/system
#echo "set noexec_user_stack_log=1" >> /etc/system
#chmod 644 /etc/system

修复口令管理
配置文件/etc/passwd
配置口令安全
删除root以外id为0的帐户
配置文件/etc/shadow
禁用如下帐户，密码域用字符NP代替
bin, daemon,adm,lp,smtp,sys,uucp,nuucp,nobody,noaccess

配置文件/etc/default/passwd
MAXWEEKS=4 #口令至少每隔4星期更改一次
MINWEEKS=1 #口令至多每隔1星期更改一次
WARNWEEKS=3 #修改口令后第三个星期会收到快要修改口令的信息
PASSLENGTH=8 #设定最小用户密码长度为8位

环境设置
配置文件/etc/profile /.login /.cshrc /.profile
去除PATH中的 . 和多余的 : 符号，其中/etc/profile /.profile设置umask值为077
去除环境设置和历史文件history的链接符
umask= 077
#echo $PATH | grep ":."
Cronjob配置
配置文件/etc/default/cron
CRONLOG=YES #记录所有cronjob到日志
过滤目录下job #/var/spool/cron/crontabs


2）安全修复－网络层
远程登陆
配置文件/etc/default/login
CONSOLE=/dev/console #禁止root远程登陆
SYSLOG=YES #记录登陆行为到日志里
TIMEOUT=120 #超时120秒断开连接
PASSREQ=YES #请求口令

超级进程
配置文件/etc/inetd.conf
注释掉所有不需要的服务
#grep -v “^#”/etc/inetd.conf #命令来察看你当前没有注释的服务
#vi /etc/inetd.conf #注释不需要的服务如下,r系列服务和其他服务和电信商议后决定屏蔽
/etc/inet/services在相应服务前加“#”注释掉
/etc/inet/inetd.conf中注释掉services中相应的条目
#ps –ef|grep inetd
#kill –HUP (inetd pid)
必须禁用如下服务：
finger：会泄漏系统的有关信息
exec、login、shell:这些服务是由r系列命令所使用的
tftp：文件传输协议服务，没有用户、系统身份验证机制
echo、discard、chargen：有可能被利用来充满网络或消耗系统资源

其他可参考以下服务筛选
tcpmux 1/tcp /*必须*/
echo 7/tcp
echo 7/udp
discard 9/tcp sink null
discard 9/udp sink null
systat 11/tcp users
daytime 13/tcp
daytime 13/udp
netstat 15/tcp
chargen 19/tcp ttytst source
chargen 19/udp ttytst source
ftp-data 20/tcp /*依服务可选*/
ftp 21/tcp /*依服务可选*/
ssh 22/tcp /*依服务可选*/
telnet 23/tcp /*依服务可选*/
smtp 25/tcp mail /*依服务可选*/
time 37/tcp timserver
time 37/udp timserver
name 42/udp nameserver
whois 43/tcp nicname # usually to sri-nic
domain 53/udp /*依服务可选*/
domain 53/tcp /*依服务可选*/
bootps 67/udp # BOOTP/DHCP server
bootpc 68/udp # BOOTP/DHCP client
hostnames 101/tcp hostname # usually to sri-nic
pop2 109/tcp pop-2 # Post Office Protocol - V2
pop3 110/tcp # Post Office Protocol - Version 3
sunrpc 111/udp rpcbind
sunrpc 111/tcp rpcbind
imap 143/tcp imap2 # Internet Mail Access Protocol v2
ldap 389/tcp # Lightweight Directory Access Protocol
ldap 389/udp # Lightweight Directory Access Protocol
submission 587/tcp # Mail Message Submission
submission 587/udp # see RFC 2476
ldaps 636/tcp # LDAP protocol over TLS/SSL (was sldap)
ldaps 636/udp # LDAP protocol over TLS/SSL (was sldap)
#
# Host specific functions
#
tftp 69/udp
rje 77/tcp
finger 79/tcp
link 87/tcp ttylink
supdup 95/tcp
iso-tsap 102/tcp
x400 103/tcp # ISO Mail
x400-snd 104/tcp
csnet-ns 105/tcp
pop-2 109/tcp # Post Office
uucp-path 117/tcp
nntp 119/tcp usenet # Network News Transfer
ntp 123/tcp # Network Time Protocol
ntp 123/udp # Network Time Protocol
netbios-ns 137/tcp # NETBIOS Name Service
netbios-ns 137/udp # NETBIOS Name Service
netbios-dgm 138/tcp # NETBIOS Datagram Service
netbios-dgm 138/udp # NETBIOS Datagram Service
netbios-ssn 139/tcp # NETBIOS Session Service
netbios-ssn 139/udp # NETBIOS Session Service
NeWS 144/tcp news # Window System
slp 427/tcp slp # Service Location Protocol, V2
slp 427/udp slp # Service Location Protocol, V2
mobile-ip 434/udp mobile-ip # Mobile-IP
cvc_hostd 442/tcp # Network Console
#
# UNIX specific services
#
# these are NOT officially assigned
#
exec 512/tcp
login 513/tcp
shell 514/tcp cmd # no passwords used
printer 515/tcp spooler # line printer spooler
courier 530/tcp rpc # experimental
uucp 540/tcp uucpd # uucp daemon
biff 512/udp comsat
who 513/udp whod
syslog 514/udp /*依服务可选*/
talk 517/udp
route 520/udp router routed
ripng 521/udp
klogin 543/tcp # Kerberos authenticated rlogin
kshell 544/tcp cmd # Kerberos authenticated remote shell
new-rwho 550/udp new-who # experimental
rmonitor 560/udp rmonitord # experimental
monitor 561/udp # experimental
pcserver 600/tcp # ECD Integrated PC board srvr
sun-dr 665/tcp # Remote Dynamic Reconfiguration
kerberos-adm 749/tcp # Kerberos V5 Administration
kerberos-adm 749/udp # Kerberos V5 Administration
kerberos 750/udp kdc # Kerberos key server
kerberos 750/tcp kdc # Kerberos key server
krb5_prop 754/tcp # Kerberos V5 KDC propogation
ufsd 1008/tcp ufsd # UFS-aware server
ufsd 1008/udp ufsd
cvc 1495/tcp # Network Console
ingreslock 1524/tcp
www-ldap-gw 1760/tcp # HTTP to LDAP gateway
www-ldap-gw 1760/udp # HTTP to LDAP gateway
listen 2766/tcp # System V listener port
nfsd 2049/udp nfs # NFS server daemon (clts)
nfsd 2049/tcp nfs # NFS server daemon (cots)
eklogin 2105/tcp # Kerberos encrypted rlogin
lockd 4045/udp # NFS lock daemon/manager
lockd 4045/tcp
dtspc 6112/tcp # CDE subprocess control /*依服务可选*/
fs 7100/tcp # Font server /*依服务可选*/

停止rc脚本启动的网络服务
配置文件/etc/rc*.d/
取消不必要的后台服务，如下，同一改名例如：mv S88sendmai cnns.$date.S88sendmai(date格式为：YYMMDD 050425)

sendmail /etc/rc2.d/S88sendmail
automounter /etc/rc2.d/S74autofs
ntp /etc/rc2.d/S74xntpd
syslog /etc/rc2.d/S74syslog
lpsched /etc/rc2.d/S80lp
apache /etc/rc3.d/S50apache
snmpdx /etc/rc3.d/S76snmpdx
NFS /etc/rc3.d/S15nfs.server
并注释掉/etc/dfs/dfstab中条目 Nfsd

二、观察系统运行状态
1）系统运行状态观察
查看系统启动状态
#dmesg
查看CPU的性能
#uptime
查看内存的使用情况
#vmstat
查看磁盘系统的性能
#iostat
#format</dev/null
#df -ka
查看磁盘系统的性能
#netstat -i
#netstat -anP tcp;netstat -anU udp|more
查看进程使用情况
#prstat
#ps -ef
查看日志动态输出
#tail /var/adm/messages
查看网络连通性
#ifconfig –a
#ping hosts
#nslookup

2）生产环境状态观察
根据solaris承担的服务角色，例如：DNS www telnetd ftpd等，测试是否能正常提供服务，需要系统管理员配合。

晨想

管理员 转去 solaris 版吧。。