This material is excerpted from an internal U.S. Government document on Web security, which the authors played leading roles in preparing. The authors have been granted permission to use this material in a non-official publication.
The series of Web pages presented here is the result of a need for guidelines to provide system administrators with a uniform approach to enhancing the security of Solaris hosts. In their present form, these guides are an extensively revised and expanded version of a deliverable provided as part of a contract with MITRE.
The information used in creating the guides was distilled from a number of reliable sources and is based on lessons learned in setting up an SSL-based secure Web service using Solaris hosts and Netscape SuiteSpot servers. Some materials, particularly scripts, have been culled from USENET and other sources. Where materials are presented without attribution, it is because we are unable to identify sources and authors. We will be happy to add missing attributions. Please direct such corrections to Paul D. J. Vandenberg (pdjv@pdjv.com).
Paul D.J. Vandenberg has worked for the Federal Government since earning an M.S. in Computer Science from New Mexico State University in 1988. Since shifting his focus to Solaris systems about three years ago, he has built and managed Web servers on an intranet.
Susan D. Wyess is an employee of GTE Government Systems Corporation with over ten years of hands-on UNIX system administration experience. She currently provides UNIX system administration and development support for a number of projects.
Machines connected to networks are vulnerable to any number of attacks, including:
Backdoor programs
Sniffing programs
Password grabber and cracking tools
Exploitation of defects in operating system services
Denial of service (DoS)
Some of these attacks are based on well-publicized techniques, and the scripts and other tools available make it possible for less knowledgeable crackers to apply exploits against systems. Once a system has been compromised, an intruder can, among other things:
Modify or destroy information
Disclose sensitive information
Install malicious code to gather information
Use the compromised server to attack other systems
Our goal is to provide an easy-to-follow guide that system administrators can use to improve the resistance of Solaris-based systems to attacks. We present what we believe to be sound practices you can follow during the installation and configuration of both operating system and server applications. We have used these procedures to build several hosts, and while no system is absolutely secure, we are confident that following these guides will result in systems that are harder for crackers to compromise.
Continued vigilance is required to keep systems secure. The checklists also provide basic guidance on administering and monitoring systems once they have been placed in operational status.
Since each site may have its own set of operational requirements, not all items shown on these checklists may be applicable. The system or Web administrator should document exceptions while completing each checklist. In this way, the checklist can serve as part of the system documentation.
NOTE: Checkmarks made through the Web browser interface will not be saved. Users who wish to make the checklists part of their system documentation should print them and fill out the paper copy.