[Snort-users] System hardening

Slighter, Tim tslighter at ...5174...
Wed Sep 3 08:22:11 EDT 2003


There are many hardening techniques that can be implemented aside from
Yassp.  This of course all depends upon one's definition of a secure system
as well as any mandated security requirements or criteria as specified by a
security policy or practice within their organization.  If you are
attempting this more along the lines of Ad-hoc, then just run a google
search on how to secure a Solaris system.  Primarily the first items that
should be done is to disable the STOP-A capability.  Locate the
/etc/default/kbd file and make sure that the KEYBOARD_ABORT is set to
disable.  Then set yourself with EEPROM security and password to prevent
unauthorized booting or EEPROM changes to the system.  Do this as follows
from a C shell:

setenv security-mode full
setenv security-password *******

Make sure that you never forget this EEPROM password or you will have to
call SUN to have them come out and replace the EEPROM.

My next recommendations would be to eliminate any unnecessary packages such
as TFTP, FTP, etc using "pkgrm" and then onto the services in /etc/rc2.d and
/etc/rc3.d...especially NFS.  Assuming that no remote connection access will
be required to this system, use an empty /etc/inetd.conf file and chmod 400
this file and kill -HUP inetd.  Check your /etc/default/login file and
disallow root console login by changing the line CONSOLE=/dev/console to
CONSOLE= whereby only normal users can log onto the system and either must
SU or issue command via SUDO (providing that package has been installed and
configured).  Essentially, your netstat -a should yield no listening ports.
That would be a decent starting point but there a many more security steps
that can be implemented.  

-----Original Message-----
From: John Creegan [mailto:jcreegan at ...9729...]
Sent: Wednesday, September 03, 2003 8:28 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] System hardening


I've got the basic snort and reporting systems up and running (snort,
ACID, MySQL) and I'm ready to turn my attention to protecting/hardening
my system (Solaris 8 on SPARC) before I do any more with snort
(barnyard, oinkmaster, etc.)

I'm looking at a tool (yassp) for going beyond the system hardening
described in the docs.  I can't find any mention of it (so far) in the
archives, FAQ or the recommended three books.  Yassp seems a bit old. 
It may work well for Solaris 8, but it appears there's been no recent
support for it.

Does anyone think it's worth hardening a system so much?  I've already
got tripwire running but that, to me, is a reactive approach.  I'd
rather prevent someone from changing my system files than to know they
already did it.

I'm aware that unless I proceed carefully I can make the system useless
for its intended purpose, running snort.


This message (including any attachments) contains confidential 
information intended for a specific individual and purpose, 
and is protected by law.  If you are not the intended recipient,
you should delete this message and are hereby notified that any 
disclosure,copying, or distribution of this message, or the taking 
of any action based on it, is strictly prohibited.



-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




More information about the Snort-users mailing list