BluePrints:
An important resource is the security section of Sun's BluePrints archive.
Security-relevant BluePrints on various topics are available at
http://www.sun.com/blueprints/browsesubject.html#security
Several other useful documents are linked from the BigAdmin community on the Sun website: http://www.sun.com/bigadmin/collections/security.html
Jumpstart is a Sun framework for automating Solaris installation. The Solaris Security Toolkit (previously known as JASS) can be integrated with Jumpstart to secure Solaris systems at the install stage. See E. below for details on the Security Toolkit.
Use signed patches wherever possible. Instructions for applying signed patches using Patch Manager Base and PatchPro are available at http://patchpro.sun.com
Applying patches may accidentally re-enable services that you have disabled. To avoid this, it is recommended that you check the README and pkgmap files of a package when installing it.
Sun describes how to approach this for Solaris in the BluePrint "Solaris Minimization for Security" http://www.sun.com/blueprints/1100/minimize-updt1.pdf
In Solaris 8 and 9, the inetd configuration is held in /etc/inet/inetd.conf
Under Solaris 10, inetd.conf is no longer used. Instead the inetd services are integrated with the Service Management Facility and can be controlled using the inetadm(1M) command. With no parameters, this command will show the services run via inetd and whether they are enabled.
For Solaris 8 and 9, rexecd should already be disabled in /etc/inet/inetd.conf
In Solaris 10, the command svcs svc:/network/rexec:default will verify that rexecd is not running. (If it is running, run svcadm disable svc:/network/rexec:default to disable it.)
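For Solaris 8 and 9, the inetd.conf check described above can be scripted. The following is an added example, not part of the original page: the function names and the sample file are constructed for illustration, and it assumes a POSIX shell with awk and mktemp.

```shell
#!/bin/sh
# Added example: report which services a Solaris 8/9 inetd.conf still
# enables. An entry is disabled by commenting its line out with '#'.

# Print the service name (field 1) of every active entry, one per line.
enabled_inetd_services() {   # $1: path to an inetd.conf-format file
    awk '
        /^[ \t]*#/ { next }  # commented out, i.e. disabled
        NF < 6     { next }  # blank or incomplete line
        { print $1 }
    ' "$1" | sort -u
}

# Succeed only if the named service has no active entry.
inetd_service_disabled() {   # $1: file  $2: service ("exec" is rexecd)
    for svc in $(enabled_inetd_services "$1"); do
        [ "$svc" = "$2" ] && return 1
    done
    return 0
}

# Constructed sample input (hypothetical host, not a real system file).
make_sample_inetd_conf() {   # $1: file to create
    cat > "$1" <<'EOF'
# constructed sample
ftp     stream  tcp6    nowait  root    /usr/sbin/in.ftpd       in.ftpd
telnet  stream  tcp6    nowait  root    /usr/sbin/in.telnetd    in.telnetd
#exec   stream  tcp     nowait  root    /usr/sbin/in.rexecd     in.rexecd
#login  stream  tcp6    nowait  root    /usr/sbin/in.rlogind    in.rlogind
EOF
}

sample=$(mktemp)
make_sample_inetd_conf "$sample"
echo "Still enabled:" $(enabled_inetd_services "$sample")
if inetd_service_disabled "$sample" exec; then
    echo "rexecd (exec): disabled"
else
    echo "rexecd (exec): STILL ENABLED"
fi
rm -f "$sample"
```

On a real system, pass /etc/inet/inetd.conf to enabled_inetd_services and review every name it prints.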
Consider disabling the volume management daemon (vold), which automounts removable media. If vold is used, confirm that automounted media are not mounted world-writable by default.
Some specific recommendations for disabling SetUID/SetGID programs on Solaris are provided by Reg Quinton at http://ist.uwaterloo.ca/security/howto/2003-04-21/
Solaris Security Toolkit
The Solaris Security Toolkit, previously known as JASS, provides
an extensible mechanism to minimise, harden, and secure Solaris.
The primary goal behind the toolkit is to simplify and automate the
process of securing the Solaris systems. Additional information and
downloads are available at
http://www.sun.com/software/security/jass/
Note: If the Solaris Security Toolkit is used in an automated Jumpstart installation then the set-root-password.fin script sets the root password to be t00lk1t. Ensure this is changed before deploying the server.
For an example of installing Solaris with the Security Toolkit, refer to "Hardening Solaris with JASS" at http://www.boran.com/security/sp/Solaris_hardening4.html
Titan
Another useful tool to secure Solaris is Titan, available at
http://www.trouble.org/titan/
For Solaris SPARC systems the eeprom(1M) command can be used to secure the boot process, as follows:
eeprom security-mode=command
On Solaris x86 systems there is no eeprom so these settings have no effect - instead the PC BIOS controls the boot process and can be configured to boot from hard disk only and disallow configuration changes without a password.
Framebuffers:
Under Solaris, /dev/fbs is a directory that contains
links to the framebuffer devices. The /etc/logindevperm file
contains information that is used by login(1) and
ttymon(1M) to change the owner, group, and permissions of
devices upon logging into or out of a console device. By default,
this file contains lines for the keyboard, mouse, audio, and
frame buffer devices.
# File: /etc/logindevperm
# Purpose: Specifies that upon login to /dev/console, the
# owner, group and permissions of all supported
# devices, including the framebuffer, will be set to
# the user's username, the user's group and 0600.
# Comments: SunOS specific.
# Note: You cannot use \ to continue a line.
#
# Format:
# Device Permission Colon separated device list.
#
/dev/console 0600 /dev/kbd:/dev/mouse
/dev/console 0600 /dev/sound/* # audio devices
/dev/console 0600 /dev/fbs/* # frame buffers
Read the man page for logindevperm(4) for more information.
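The file above sets every console device to 0600. The following added example (not part of the original page) parses a file in that format and reports any entry whose mode gives group or other access; the function names and the sample file, including its deliberately loose 0666 entry, are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag logindevperm entries whose mode gives group or
# other any access to console devices (anything looser than 0600).

# Print "console mode devices" for every entry that is too permissive.
loose_logindevperm_entries() {   # $1: path to a logindevperm-format file
    awk '
        { sub(/#.*/, "") }       # strip comments, full-line or trailing
        NF < 3 { next }          # blank or incomplete entry
        {
            mode = $2
            # the last two octal digits hold the group and other bits
            if (mode !~ /^[0-7]+$/ ||
                substr(mode, length(mode) - 1) != "00")
                print $1, $2, $3
        }
    ' "$1"
}

# Constructed sample: the frame buffer entry is deliberately too loose.
make_sample_logindevperm() {     # $1: file to create
    cat > "$1" <<'EOF'
# constructed sample
/dev/console    0600    /dev/kbd:/dev/mouse
/dev/console    0600    /dev/sound/*    # audio devices
/dev/console    0666    /dev/fbs/*      # frame buffers, too loose
EOF
}

sample=$(mktemp)
make_sample_logindevperm "$sample"
loose=$(loose_logindevperm_entries "$sample")
if [ -n "$loose" ]; then
    echo "Entries granting group/other access:"
    echo "$loose"
else
    echo "No entry grants group or other access"
fi
rm -f "$sample"
```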
More detailed information about configuring PAM on Solaris is available from: http://www.sun.com/solaris/pam/
Fix Modes tool
Under Solaris, changing ownership of system files can cause warning
messages during installation of patches and system packages.
One utility available to help Solaris administrators avoid
this problem is Fix Modes. This is available together with the
Solaris Security Toolkit at
http://www.sun.com/software/security/jass/
A good introduction to Sun's implementation of RBAC is the white paper "RBAC in the Solaris Operating Environment", available at http://wwws.sun.com/software/whitepapers/wp_rbac/wp_rbac.pdf
Non-executable stack on Solaris
To enable this feature, you may need to edit the file
/etc/system and add the following lines:
set noexec_user_stack=1
set noexec_user_stack_log=1
Note that this may go against the SPARC and Intel ABIs.
It can be selectively turned off for specific programs with mprotect(2).
When booted in 64-bit mode, Solaris has stack protection enabled by default, without needing modifications to /etc/system. This change was made in line with the new SPARC V9 ABI that mandates a non-executable stack.
Applications can be compiled with stack protection built-in, using
cc -M /usr/lib/ld/map.noexstk programname.c
On Solaris 10, Solaris containers and zones can be used for configurable confinement of processes with individual control over resource allocation.
Consider running different services in separate zones, to protect the processes from one another.
Software that usually requires the root account to run can be confined in Solaris using fine-grained control of process privileges. Instead of granting all root powers, the system administrator can identify which specific process privileges the software actually needs, and run it in a non-root account with the extra privilege added.
For services controlled by the Solaris Service Management Facility, starting privileges are stored in the service config repository and can be configured with svccfg(1M). Many of the default Solaris services already have appropriate reduced privileges configured.
Processes can also be run with specified privileges directly using the ppriv(1) command.
Note that in Solaris, the NFS exports configuration is in /etc/dfs/dfstab rather than /etc/exports.
Enable NFS port monitoring. To do this add the following lines to
/etc/system:
set nfs:nfs_portmon = 1
set nfssrv:nfs_portmon = 1
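Both the non-executable stack settings and the NFS port monitoring settings live in /etc/system, so one check can cover them. The following is an added example, not part of the original page: the function names and the sample file are constructed, and the sample deliberately leaves one setting commented out.

```shell
#!/bin/sh
# Added example: verify that an /etc/system-format file carries the
# "set" lines recommended on this page.

# Print the last value assigned to a tunable, or nothing if it is unset.
system_tunable() {   # $1: file  $2: name, e.g. nfssrv:nfs_portmon
    awk -v want="$2" '
        $1 != "set" { next }            # also skips "*" comment lines
        {
            line = $0
            sub(/^[ \t]*set[ \t]+/, "", line)
            gsub(/[ \t]/, "", line)     # "a = 1" becomes "a=1"
            n = index(line, "=")
            if (n && substr(line, 1, n - 1) == want)
                val = substr(line, n + 1)
        }
        END { if (val != "") print val }
    ' "$1"
}

# Report each recommended tunable; return non-zero if any is not 1.
audit_system_file() {   # $1: file
    rc=0
    for name in noexec_user_stack noexec_user_stack_log \
                nfs:nfs_portmon nfssrv:nfs_portmon; do
        v=$(system_tunable "$1" "$name")
        if [ "$v" = "1" ]; then
            echo "ok      $name"
        else
            echo "MISSING $name (found: ${v:-unset})"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: nfs:nfs_portmon is commented out with "*".
make_sample_system() {  # $1: file to create
    cat > "$1" <<'EOF'
* constructed sample
set noexec_user_stack=1
set noexec_user_stack_log=1
* set nfs:nfs_portmon = 1
set nfssrv:nfs_portmon = 1
EOF
}

sample=$(mktemp)
make_sample_system "$sample"
audit_system_file "$sample"
rm -f "$sample"
```

Changes to /etc/system are only read at boot, so a passing file still needs a reboot before the settings are active.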
On Solaris the standard audit subsystem is the BSM (Basic Security Module) which is installed but not enabled by default. The audit subsystem can be enabled with the script /etc/security/bsmconv and is configured in the files /etc/security/audit_control and /etc/security/audit_user. Details on setting up and using BSM are available at http://docs.sun.com/app/docs/doc/816-4557/6maosrjog?a=view
An alternative management and reporting interface for the BSM audit data is provided by SNARE for Solaris, available at http://www.intersectalliance.com/projects/SnareSolaris/index.html.
The Basic Audit and Reporting Tool (BART) which comes with Solaris can be used for this purpose.
For details see the Sun BluePrint "Automating Solaris 10 File Integrity Checks" at http://www.sun.com/blueprints/0305/819-2259.pdf
On Solaris 8 and 9 Sunscreen Lite was Sun's standard host firewall software. Details on configuring Sunscreen are available at http://docs.sun.com/app/docs/coll/557.4 though note that the Lite version only supports a subset of features. For these systems the open source host firewall IP Filter (ipf) was a flexible alternative that could be installed from source.
Starting with Solaris 10, IP Filter (ipf) is now incorporated as the officially supported host firewall system. Sun's documentation for IP Filter is available in the System Administration Guide: IP Services at http://docs.sun.com/app/docs/doc/816-4554/6maoq0245?a=view . Detailed information on using IP Filter is available from the upstream site at http://coombs.anu.edu.au/~avalon/
For Solaris systems with more than one network interface, the weak end system
issue can be addressed by setting the following ndd(1M) parameters:
ip_strict_dst_multihoming=1
ip6_strict_dst_multihoming=1
Disabling IP forwarding and source routing:
To do this you will need to edit the file /etc/rc2.d/S69inet and
set the options ip_forwarding, ip6_forwarding and
ip_forward_src_routed to zero as illustrated below:
ndd -set /dev/ip ip_forwarding 0
ndd -set /dev/ip6 ip6_forwarding 0
ndd -set /dev/ip ip_forward_src_routed 0
For the changes to take effect you will then need to reboot.
The Sun BluePrint "Solaris Operating Environment Network Settings for Security" is available at http://www.sun.com/blueprints/1200/network-updt1.pdf
An init script implementing those recommendations is available as nddconfig from the page http://www.sun.com/blueprints/tools/
The integrity of standard Solaris binaries can be verified using the Solaris Fingerprint Database. This assumes running the md5 tool on a trusted computer. http://sunsolve.sun.com/pub-cgi/show.pl?target=content/content7
