1. Disabled Volume Management
# cd /etc/rc2.d
# mv S92volmgt s92volmgt
After this configuration, CD-ROMs will not be automatically mounted. To manually mount a CD-ROM use:
# mount -F hsfs -o ro /dev/dsk/c0t6d0s0 /mnt
2. Disabled Dtlogin
Dtlogin is disabled if the server is not intended to run the Common Desktop Environment (CDE) or GUIs.
# cd /etc/rc2.d
# mv S99dtlogin s99dtlogin
3. Disabled Printing
# /usr/lib/lpshut
# cd /etc/rc2.d
# mv S80lp s80lp
4. Disabled RPC
RPC is disabled if the server is not intended to run CDE. To determine what is using RPC, use “rpcinfo -p”.
# cd /etc/rc2.d
# mv /etc/rc2.d/S71rpc /etc/rc2.d/s71rpc
5. Disabled the NFS Client
# /etc/init.d/nfs.client stop
# cd /etc/rc2.d
# mv S73nfs.client s73nfs.client
6. Disabled the NFS Server
# /etc/init.d/nfs.server stop
# cd /etc/rc3.d
# mv S15nfs.server s15nfs.server
7. Disabled UUCP
# cd /etc/rc2.d
# mv S70uucp s70uucp
8. Disabled the LDAP Client
# cd /etc/rc2.d
# mv S71ldap.client s71ldap.client
9. Disabled the Auto Mounter
# /etc/init.d/autofs stop
# cd /etc/rc2.d
# mv S74autofs s74autofs
10. Disabled the Network Time Daemon
# /etc/init.d/xntpd stop
# cd /etc/rc2.d
# mv S74xntpd s74xntpd
11. Disabled the Logical Link Control Driver
# cd /etc/rc2.d
# ./S40llc2 stop
# mv S40llc2 s40llc2
12. Disabled Auto Install
# cd /etc/rc2.d
# mv S72autoinstall s72autoinstall
13. Disabled Cachefs Daemon
# cd /etc/rc2.d
# mv S73cachefs.daemon s73cachefs.daemon
14. Disabled Asynchronous PPP Daemon
# cd /etc/rc2.d
# mv S47pppd s47pppd
15. Disabled cacheos.finish Script
# cd /etc/rc2.d
# mv S93cacheos.finish s93cacheos.finish
16. Disabled Preservation of Files Killed by Vi
# cd /etc/rc2.d
# mv S80PRESERVE s80PRESERVE
17. Disabled Power Management
# cd /etc/rc2.d
# mv S85power s85power
18. Disabled Flash Prom Update
# cd /etc/rc2.d
# mv S75flashprom s75flashprom
Before attempting to update the eeprom, temporarily enable this script.
19. Disabled “Buttons n Dials-Setup”
# cd /etc/rc2.d
# mv S89bdconfig s89bdconfig
20. Disabled Spc
# cd /etc/rc2.d
# mv S80spc s80spc
21. Disabled Sun Management Center
# cd /etc/rc2.d
# mv S90wbem s90wbem
22. Disabled Network Cache and Accelerator
# cd /etc/rc2.d
# mv S94ncalogd s94ncalogd
# mv S95ncad s95ncad
NCA is used to increase web server performance.
23. Disabled Mobile IP Agent
# cd /etc/rc3.d
# mv S80mipagent s80mipagent
24. Disabled SNMP
# cd /etc/rc3.d
# /usr/bin/pkill -9 -x -u 0 '(snmpdx|snmpv2d|mibiisa)'
# mv S76snmpdx s76snmpdx
25. Disabled Apache
# cd /etc/rc3.d
# mv S50apache s50apache
26. Disabled DMI
# cd /etc/rc3.d
# /usr/bin/pkill -9 -x -u 0 '(snmpXdmid|dmispd)'
# mv S77dmi s77dmi
27. Disabled the Sendmail Daemon
The system continues to send mail out but does not receive mail into the server. This eliminates a significant security vulnerability.
# /etc/init.d/sendmail stop
Prevented sendmail from starting at boot:
# cd /etc/rc2.d
# mv S88sendmail s88sendmail
Ensured the sendmail queue is cleaned out:
# crontab -e
# The Sendmail daemon is not running - This tells it to send mail out
05,20,35,50 * * * * /usr/lib/sendmail -q
28. Disabled Multicasting
Multicasting is typically used for clustering. Ensure that it is not required by an application.
# vi /etc/init.d/inetsvc
#
# Add a static route for multicast packets out our default interface.
# The default interface is the interface that corresponds to the node name.
#
#mcastif=`/sbin/dhcpinfo Yiaddr`
#
#if [ $? -ne 0 ]; then
# mcastif=`uname -n`
#fi
#
#echo "Setting default interface for multicast: \c"
#/usr/sbin/route add -interface -netmask "240.0.0.0" "224.0.0.0" "$mcastif"
29. Disabled the Serial Port Listeners
Apply this configuration unless a modem or console terminal is attached to the system.
# vi /etc/inittab
Remove the line with “/usr/lib/saf/sac -t 300”
# chown root:sys /etc/inittab
# chmod 644 /etc/inittab
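Steps 1 through 27 disable services by renaming each start script in /etc/rc2.d or /etc/rc3.d from an upper-case S to a lower-case s. The following script, added here as an example and not part of the original checklist, audits a directory for that convention so a review can confirm which start scripts are still live; it runs against a constructed demonstration directory, but the same functions can be pointed at /etc/rc2.d or /etc/rc3.d.

```sh
#!/bin/sh
# Added example, not part of the original checklist. Reports which rc start
# scripts in a directory are still enabled (name begins with upper-case S)
# and which were disabled by the lower-case rename the checklist uses.
# The directory is a parameter so it can be run against /etc/rc2.d,
# /etc/rc3.d or, as below, a constructed demonstration directory.

# Print one line per start script: "enabled NAME" or "disabled NAME".
audit_rc_dir() {
    for f in "$1"/S* "$1"/s*; do
        [ -e "$f" ] || continue          # skip unmatched globs
        name=${f##*/}
        case $name in
            S*) echo "enabled  $name" ;;
            s*) echo "disabled $name" ;;
        esac
    done
}

# Number of start scripts still enabled in the directory.
count_enabled() {
    audit_rc_dir "$1" | grep -c '^enabled' || true
}

# Succeed (exit 0) only if script $2 (e.g. S88sendmail) has been renamed
# to its lower-case form in directory $1 and no upper-case copy remains.
is_disabled() {
    lower="s${2#S}"
    [ ! -e "$1/$2" ] && [ -e "$1/$lower" ]
}

# Constructed rc2.d-like directory: three scripts disabled, two still live.
demo_dir=${TMPDIR:-/tmp}/rc2.d.demo.$$
mkdir -p "$demo_dir"
for s in s88sendmail s73nfs.client s71rpc S20sysetup S72inetsvc; do
    : > "$demo_dir/$s"
done

audit_rc_dir "$demo_dir"
echo "still enabled: $(count_enabled "$demo_dir")"
is_disabled "$demo_dir" S88sendmail && echo "sendmail start script is disabled"
```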
1. Added Warning Banners
These configurations replace the operating system version with a warning banner displayed during the login process.
Login:
# vi /etc/motd (replaced operating system version with a warning banner)
Property of Company
WARNING: To protect systems from unauthorized use and to ensure that the
system is functioning properly, activities on this system are monitored and
recorded and subject to audit. Use of this system is expressed consent to such
monitoring and recording. Any unauthorized access or use of this system is
prohibited and could be subject to criminal and civil penalties.
# cp /etc/motd /etc/issue
Telnet:
# vi /etc/default/telnetd
UMASK=022
BANNER=""
# chown root:sys /etc/default/telnetd
# chmod 444 /etc/default/telnetd
FTP:
# vi /etc/default/ftpd
UMASK=022
BANNER=`cat /etc/motd`
# chown root:sys /etc/default/ftpd
# chmod 444 /etc/default/ftpd
2. Enabled Logging of the su Command
This configuration logs both success and failure of su command usage.
NOTE: This configuration is required by the root login notification script (below).
# vi /etc/default/su
SULOG=/var/adm/sulog (uncommented)
# cd /var/adm
# touch sulog
# chgrp sys sulog
# chmod 600 sulog
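Once SULOG is enabled, each su attempt is appended to /var/adm/sulog as `SU MM/DD HH:MM + tty from-to` for a success and `SU MM/DD HH:MM - tty from-to` for a failure. The following script, added here as an example and not part of the original checklist, summarizes that file so repeated failed attempts to become root stand out; it analyzes a constructed sample log rather than the live file.

```sh
#!/bin/sh
# Added example, not part of the original checklist. Summarizes the
# /var/adm/sulog file that step 2 enables. Each record has the form
#   SU MM/DD HH:MM + tty from-to   (successful su)
#   SU MM/DD HH:MM - tty from-to   (failed su)
# The log path is a parameter, so a constructed sample can be analyzed here.

# List failed su attempts as "date time tty from-to".
sulog_failures() {
    awk '$1 == "SU" && $4 == "-" { print $2, $3, $5, $6 }' "$1"
}

# Count failed attempts by account $2 to become root.
sulog_root_failures_from() {
    awk -v who="$2-root" \
        '$1 == "SU" && $4 == "-" && $6 == who { n++ } END { print n + 0 }' "$1"
}

# Accounts with at least $2 failed attempts to become root, as "user count".
sulog_suspects() {
    awk -v thr="$2" '
        $1 == "SU" && $4 == "-" && $6 ~ /-root$/ { sub(/-root$/, "", $6); n[$6]++ }
        END { for (u in n) if (n[u] >= thr) print u, n[u] }' "$1" | sort
}

# Constructed sample sulog (not real data).
sample=${TMPDIR:-/tmp}/sulog.sample.$$
cat > "$sample" <<'EOF'
SU 03/04 08:12 + pts/1 admin-root
SU 03/04 09:40 - pts/3 bob-root
SU 03/04 09:41 - pts/3 bob-root
SU 03/04 09:43 - pts/3 bob-root
SU 03/04 10:05 + pts/2 alice-root
SU 03/04 10:06 - pts/2 alice-sys
EOF

echo "Failed su attempts:"
sulog_failures "$sample"
echo "Accounts with 3 or more failed root attempts:"
sulog_suspects "$sample" 3
```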
3. Enabled AUTH Logging
The auth facility receives messages from the programs that control account access, such as login and su.
# vi /etc/syslog.conf
auth.info /var/log/authlog
auth.notice /var/log/authlog
NOTE: The entries must be separated by tabs.
# /etc/init.d/syslog stop
# /etc/init.d/syslog start
4. Enabled Logging of Unsuccessful Login Attempts
The loginlog file records consecutive failed login attempts.
# cd /var/adm
# touch loginlog
# chgrp sys loginlog
# chmod 600 loginlog
5. Enabled Logging of Successful Logins
# cd /var/log
# touch logins
# chgrp sys logins
# chmod 600 logins
# vi /etc/syslog.conf
# log successful logins
local0.info /var/log/logins
NOTE: The entries must be separated by tabs.
# /etc/init.d/syslog stop
# /etc/init.d/syslog start
Added the following entry to /etc/profile and /etc/.login:
logger -p local0.info "User $LOGNAME has logged in"
6. Enabled Logging of CDE Login Attempts
# vi /etc/pam.conf
Added the word “debug” after the account management entries
#
# Account management
#
login account required /usr/lib/security/$ISA/pam_unix.so.1 debug
dtlogin account required /usr/lib/security/$ISA/pam_unix.so.1 debug
# vi /etc/syslog.conf
Added “;auth.debug;user.debug” to the line that logs successful logins
# log successful logins
local0.info;auth.debug;user.debug /var/log/logins
NOTE: The entries must be separated by tabs.
# /etc/init.d/syslog stop
# /etc/init.d/syslog start
7. Enabled Performance Logging
# su - sys
# EDITOR=vi; export EDITOR
# crontab -e
# The sys crontab should be used to do performance collection. See cron
# and performance manual pages for details on startup.
#
0 * * * 0-6 /usr/lib/sa/sa1
20,40 6-22 * * 1-5 /usr/lib/sa/sa1
5 18 * * 1-5 /usr/lib/sa/sa2 -s 8:00 -e 18:01 -i 1200 -A