Solaris Security
This page contains information about how to secure Solaris systems.
General guidelines
When working on any UNIX based system, be sure to check the following:
- Patching is your first line of defence. Start by installing any patches that your vendor may have. For Solaris and AIX, WSG provides superglue.
- Only essential services should be started out of inetd.conf. This should be determined on a per-machine basis, but a good rule of thumb is to turn off anything you can and run everything else through tcp wrappers.
- OpenSSH should be installed to replace telnet and older versions of SSH as the preferred means of remote access.
- Sendmail can, and should be turned off if there is no need for it on a particular system.
- Avoid using the root account when you don't have to.
- SuperUser accounts should be created for everyone who needs to operate as root. The permissions are the same, but SU accounts create an extra record of who did what.
- Netstat is a useful tool in checking for unwanted daemons. Look mainly at the tcp and udp lines.
Solaris guidelines
For a step-by-step guide to securing and configuring a new Solaris machine, try our Securing Solaris Guide.
Best practices
To enable logging of failed login attempts, you will need to create the /var/adm/loginlog file and change the permissions to restrict read and write access to owner only. The owner must be root and the group must be sys.
Remote X logins can be a security hazard. To minimize the risk, change /usr/dt/config/Xaccess to disallow XDMCP connections from everywhere. Because this change will be lost during upgrades, it is a good idea to copy /usr/dt/config/Xaccess to /etc/dt/config/Xaccess.