Table of Contents Table of Contents ................................................................................................................................................. 4 Overview ................................................................................................................................................................. 8 Consensus Guidance ....................................................................................................................................... 8 Intended Audience .......................................................................................................................................... 8 Acknowledgements ........................................................................................................................................ 9 Typographic Conventions .......................................................................................................................... 10 Configuration Levels ................................................................................................................................... 10 Level-I Benchmark settings/actions ................................................................................................. 10 Level-II Benchmark settings/actions................................................................................................ 10 Scoring Status ................................................................................................................................................ 10 Scorable ....................................................................................................................................................... 10 Not Scorable .............................................................................................................................................. 11 Identification Table ..................................................................................................................................... 11 Assumptions and Recommendations .................................................................................................... 11 OS Platform ................................................................................................................................................ 11 System State .............................................................................................................................................. 11 Test Actions ............................................................................................................................................... 11 Shell Environment ................................................................................................................................... 12 Order of Operations ................................................................................................................................ 12 Backup Key Files ...................................................................................................................................... 12 Create /opt/CIS Directory (optional) .......................................................................................... 12 Benchmark Items .............................................................................................................................................. 13 1. Install Updates, Patches and Additional Software ....................................................................... 13 1.1 Use the Latest OS Release .............................................................................................................. 13 1.2 Apply Latest OS Patches ................................................................................................................. 14 1.3 Install Solaris Encryption Kit ....................................................................................................... 15 2. Restrict Services ....................................................................................................................................... 17 2.1 Establish a Secure Baseline .......................................................................................................... 17 2.2 Disable Unnecessary Local Services .......................................................................................... 18 2.2.1 Disable Local CDE ToolTalk Database Server ............................................................... 19 2.2.2 Disable Local CDE Calendar Manager .............................................................................. 19 2.2.3 Disable Local Graphical Login Environment ................................................................. 20 2.2.4 Disable Local sendmail Service .......................................................................................... 21 2.2.5 Disable Local Web Console .................................................................................................. 22 2.2.6 Disable Local WBEM ............................................................................................................... 22 2.2.7 Disable Local BSD Print Protocol Adapter ..................................................................... 23 2.3 Disable Other Services .................................................................................................................... 24 2.3.1 Disable RPC Encryption Key ................................................................................................ 24 2.3.2 Disable NIS Server Daemons ............................................................................................... 25 2.3.3 Disable NIS Client Daemons................................................................................................. 26 2.3.4 Disable NIS+ Daemons ........................................................................................................... 26 2.3.5 Disable LDAP Cache Manager ............................................................................................. 27 2.3.6 Disable Kerberos TGT Expiration Warning ................................................................... 28 2.3.7 Disable Generic Security Services (GSS) Daemons ..................................................... 28 2.3.8 Disable Volume Manager ...................................................................................................... 29 2.3.9 Disable Samba Support .......................................................................................................... 30 2.3.10 Disable automount Daemon......................................................................................... 31 2.3.11 Disable Apache Services ................................................................................................... 32 2.3.12 Disable Solaris Volume Manager Services ................................................................. 33 2.3.13 Disable Solaris Volume Manager GUI .......................................................................... 34 2.3.14 Disable Local RPC Port Mapping Service ................................................................... 35 2.4 Configure TCP Wrappers ............................................................................................................... 36 3. Kernel Tuning ........................................................................................................................................... 38 3.1 Restrict Core Dumps to Protected Directory ......................................................................... 38 3.2 Enable Stack Protection ................................................................................................................. 39 3.3 Enable Strong TCP Sequence Number Generation .............................................................. 40 3.4 Modify Network Parameters ........................................................................................................ 41 3.4.1 Disable Source Packet Forwarding ................................................................................... 44 3.4.2 Disable Broadcast Packet Forwarding............................................................................. 45 3.4.3 Disable Response to ICMP Timestamp Requests ........................................................ 46 3.4.4 Disable Response to ICMP Broadcast Timestamp Requests ................................... 47 3.4.5 Disable Response to ICMP Netmask Requests ............................................................. 48 3.4.6 Disable ICMPv6 Redirect Messages .................................................................................. 50 3.4.7 Disable Response to Broadcast ICMPv4 Echo Request ............................................. 51 3.4.8 Disable Response to Multicast Echo Request ............................................................... 52 3.4.9 Set Interval for Scanning IRE_CACHE .............................................................................. 53 3.4.10 Ignore ICMP Redirect Messages .................................................................................... 55 3.4.11 Set Strict Multihoming ....................................................................................................... 56 3.4.12 Disable ICMPv4 Redirect Messages .............................................................................. 57 3.4.13 Set ARP Cleanup Interval .................................................................................................. 59 3.4.14 Disable TCP Reverse IP Source Routing ..................................................................... 60 Set Maximum Number of Half-open TCP Connections ...................................................... 61 3.4.15 ............................................................................................................................................................ 61 3.4.16 Set Maximum Number of Incoming Connections.................................................... 62 3.4.17 Lock down dtspcd(8) ................................................................................................... 64 3.5 Disable Network Routing .............................................................................................................. 65 4. Logging ........................................................................................................................................................ 66 4.1 Enable inetd Connection Logging ............................................................................................... 66 4.2 Enable FTP daemon Logging ........................................................................................................ 67 4.3 Enable Debug Level Daemon Logging ...................................................................................... 68 4.4 Capture syslog AUTH Messages.............................................................................................. 69 4.5 Enable Login Records ..................................................................................................................... 70 4.6 Capture All Failed Login Attempts ............................................................................................. 71 4.7 Enable cron Logging ........................................................................................................................ 71 4.8 Enable System Accounting ............................................................................................................ 72 4.9 Enable Kernel Level Auditing ...................................................................................................... 73 5. File/Directory Permissions/Access .................................................................................................. 76 5.1 Set daemon umask ........................................................................................................................... 76 5.2 Restrict Set-UID on User Mounted Devices ............................................................................ 77 5.3 Set Sticky Bit on World Writable Directories ........................................................................ 78 6. System Access, Authentication, and Authorization ..................................................................... 79 6.1 Disable login: Prompts on Serial Ports ............................................................................... 79 6.2 Disable "nobody" Access for RPC Encryption Key Storage Service .............................. 80 6.3 Configure SSH.................................................................................................................................... 80 6.3.1 Set SSH Protocol to 2 .............................................................................................................. 81 6.3.2 Disable SSH X11Forwarding ................................................................................................ 82 6.3.3 Set SSH MaxAuthTries to 3 ................................................................................................... 83 6.3.4 Set SSH MaxAuthTriesLog to 0 ........................................................................................... 84 6.3.5 Set SSH IgnoreRhosts to yes ................................................................................................ 85 6.3.6 Set SSH RhostsAuthentication to no ................................................................................. 86 6.3.7 Set SSH RhostsRSAAuthentication to no......................................................................... 87 6.3.8 Disable SSH root login ............................................................................................................ 87 6.3.9 Set SSH PermitEmptyPasswords to no ............................................................................ 88 6.3.10 Set SSH Banner ..................................................................................................................... 89 6.4 Disable .rhosts Support in /etc/pam.conf ............................................................................... 90 6.5 Restrict FTP Use ............................................................................................................................... 91 6.6 Set Delay between Failed Login Attempts to 4 ..................................................................... 92 6.7 Set Default Screen Lock for CDE Users ..................................................................................... 93 6.8 Set Default Screen Lock for GNOME Users ............................................................................. 94 6.9 Restrict at/cron to Authorized Users ....................................................................................... 95 6.10 Restrict root Login to System Console .............................................................................. 96 6.11 Set Retry Limit for Account Lockout ..................................................................................... 97 6.12 Set EEPROM Security Mode and Log Failed Access ........................................................ 98 6.13 Secure the GRUB Menu ............................................................................................................ 100 7. User Accounts and Environment ...................................................................................................... 101 7.1 Disable System Accounts ............................................................................................................. 101 7.2 Set Password Expiration Parameters on Active Accounts ............................................. 103 7.3 Set Strong Password Creation Policies .................................................................................. 104 7.4 Set Default Group for root Account ...................................................................................... 106 7.5 Change Home Directory for root Account ........................................................................ 107 7.6 Set Default umask for Users ....................................................................................................... 108 7.7 Set Default umask for FTP Users .............................................................................................. 109 7.8 Set "mesg n" as Default for All Users ....................................................................................... 110 7.9 Lock Inactive User Accounts ...................................................................................................... 111 8. Warning Banners ................................................................................................................................... 112 8.1 Create Warnings for Standard Login Services..................................................................... 113 8.2 Create Warning Banner for CDE Users .................................................................................. 114 8.3 Create Warning Banner for GNOME Users ........................................................................... 115 8.4 Create Warning Banner for FTP daemon .............................................................................. 116 8.5 Check Banner Setting for telnet is Null ............................................................................. 117 9. System Maintenance ............................................................................................................................. 117 9.1 Check for Remote Consoles ........................................................................................................ 118 9.2 Verify System File Permissions ................................................................................................. 118 9.3 Ensure Password Fields are Not Empty ................................................................................ 119 9.4 Verify No Legacy “+” Entries Exist in passwd, shadow, and group Files ............. 120 9.5 Verify No UID 0 Accounts Exist Other than root ................................................................ 120 9.6 Ensure root PATH Integrity ........................................................................................................ 121 9.7 Check Permissions on User Home Directories .................................................................... 122 9.8 Check User Dot File Permissions .............................................................................................. 123 9.9 Check Permissions on User .netrc Files ............................................................................ 124 9.10 Check for Presence of User .rhosts Files............................................................................ 125 9.11 Check Groups in /etc/passwd ............................................................................................... 126 9.12 Check That Users Are Assigned Home Directories ....................................................... 127 9.13 Check That Defined Home Directories Exist .................................................................... 128 9.14 Check User Home Directory Ownership ........................................................................... 130 9.15 Check for Duplicate UIDs ......................................................................................................... 131 9.16 Check for Duplicate GIDs ......................................................................................................... 132 9.17 Check That Reserved UIDs Are Assigned to System Accounts ................................. 132 9.18 Check for Duplicate User Names .......................................................................................... 133 9.19 Check for Duplicate Group Names ....................................................................................... 134 9.20 Check for Presence of User .netrc Files .............................................................................. 135 9.21 Check for Presence of User .forward Files ........................................................................ 136 9.22 Find World Writable Files ....................................................................................................... 137 9.23 Find SUID/SGID System Executables ................................................................................. 137 9.24 Find Un-owned Files and Directories ................................................................................. 138 9.25 Find Files and Directories with Extended Attributes ................................................... 139 Appendix A: File Backup Script .................................................................................................................. 141 Appendix B: Service Manifest for /lib/svc/method/cis_netconfig.sh ........................................ 142 Appendix C: Additional Security Notes .................................................................................................. 144 SN.1 Enable process accounting at boot time ............................................................................ 144 SN.2 Use full path names in /etc/dfs/dfstab file ...................................................................... 145 SN.3 Restrict access to power management functions .......................................................... 145 SN.4 Restrict access to sys-suspend feature .............................................................................. 146 SN.5 Create symlinks for dangerous files .................................................................................... 147 SN.7 Remove Support for Internet Services (inetd) ............................................................... 148 Appendix D: Application Notes ................................................................................................................... 150 AN.1 Samba: Enable SSH Port Forwarding in Web Admin Tool ......................................... 150 AN.2 Samba: Set Secure Permissions on smb.conf File...................................................... 150 AN.3 Samba: Set Group Ownership of smb.conf File .......................................................... 151 AN.4 Samba: Set Secure Permissions on smbpasswd File ................................................... 152 AN.5 Samba: Set Group Ownership of smbpasswd File ....................................................... 152 AN.6 Samba: Set Secure smb.conf File Options ......................................................................... 153 AN.7 sendmail: Set Secure Logfile Ownership to the root User ....................................... 154 AN.8 sendmail: Set Secure Permissions on Log File ................................................................ 154 Appendix E: References ................................................................................................................................ 156 Appendix F: Change History ........................................................................................................................ 159
剩余159页未读,继续阅读
- 粉丝: 1
- 资源: 2
- 我的内容管理 展开
- 我的资源 快来上传第一个资源
- 我的收益 登录查看自己的收益
- 我的积分 登录查看自己的积分
- 我的C币 登录后查看C币余额
- 我的收藏
- 我的下载
- 下载帮助