[Snort-users] System hardening

Paul Greene pauljgreene at ...5068...
Wed Sep 3 12:35:15 EDT 2003

www.cisecurity.org also has a good hardening list for Solaris. Their 
guide has a good balance between securing a system and breaking a bunch 
of functionality.

They've also got a scripted test that'll score the level of security 
against their recommended guidelines.


James R. Hendrick wrote:

>Have to jump in here..
>Stop-A or EEPROM passwords are important only to guard against people with physical access.
>If your system is in a restricted access area, they might not help much.
>I would suggest following the advice of "Google for it" and find several references on hardening UNIX in general and Solaris in particular. 
>The system needs to be looked at in terms of required services vs. risk. 
>Think about what needs to be running on the system:
>- snort and its related programs
>- a way to access the system (local terminal)
>- a way to access the system remotely ?
>- time service (so that the timestamps in the sensor logs actually mean something)
>Other than that, you should look at disabling as much as possible. The inetd is a good place to start. The startup scripts are another good place to look.
>Learn to check the output from "netstat" to see what network services your computer is providing.
>Look at the output from "ps" to see what programs are running.
>Think small. If you don't know what it is, find out. If you don't need it, find out how to disable it.
>Please take a bit of time and research this before you start implementing. 
>Make backups or be prepared to re-install from media. (Not a bad thing to do anyway. You can often get a more secure system by installing a minimal set of packages. You may need to do this a few times to get to the "right" set. For example, you may not need any development tools if you can build software on another compatible system. If a system does not have libraries or compilers, it is less useful for many attackers. If you don't need a graphical environment, even better. X-windows and display managers are often too eager to allow remote connections. If you can do without them for your snort box, great.)
>Good luck.
>>-----Original Message-----
>>From: Slighter, Tim [mailto:tslighter at ...5174...]
>>Sent: Wednesday, September 03, 2003 11:18 AM
>>To: 'John Creegan'; snort-users at lists.sourceforge.net
>>Subject: RE: [Snort-users] System hardening
>>There are many hardening techniques that can be implemented aside from
>>Yassp.  This of course all depends upon one's definition of a secure system
>>as well as any mandated security requirements or criteria as specified by a
>>security policy or practice within their organization.  If you are
>>attempting this more along the lines of ad hoc, then just run a google
>>search on how to secure a Solaris system.  Primarily the first item that
>>should be done is to disable the STOP-A capability.  Locate the
>>/etc/default/kbd file and make sure that the KEYBOARD_ABORT is set to
>>disable.  Then set yourself with EEPROM security and password to prevent
>>unauthorized booting or EEPROM changes to the system.  Do this as follows
>>from a C shell:
>>setenv security-mode full
>>setenv security-password *******
>>Make sure that you never forget this EEPROM password or you will have to
>>call SUN to have them come out and replace the EEPROM.
>>My next recommendations would be to eliminate any unnecessary packages such
>>as TFTP, FTP, etc using "pkgrm" and then onto the services in /etc/rc2.d and
>>/etc/rc3.d...especially NFS.  Assuming that no remote connection access will
>>be required to this system, use an empty /etc/inetd.conf file and chmod 400
>>this file and kill -HUP inetd.  Check your /etc/default/login file and
>>disallow root console login by changing the line CONSOLE=/dev/console to
>>CONSOLE= whereby only normal users can log onto the system and either must
>>SU or issue commands via SUDO (providing that package has been installed and
>>configured).  Essentially, your netstat -a should yield no listening ports.
>>That would be a decent starting point but there are many more security steps
>>that can be implemented.
>>-----Original Message-----
>>From: John Creegan [mailto:jcreegan at ...9729...]
>>Sent: Wednesday, September 03, 2003 8:28 AM
>>To: snort-users at lists.sourceforge.net
>>Subject: [Snort-users] System hardening
>>I've got the basic snort and reporting systems up and running (snort,
>>ACID, MySQL) and I'm ready to turn my attention to my system (Solaris 8 on
>>SPARC) before I do any more with snort (barnyard, oinkmaster, etc.)
>>I'm looking at a tool (yassp) for going beyond the system hardening
>>described in the docs.  I can't find any mention of it (so far) in the
>>archives, FAQ or the recommended three books.  Yassp seems a bit old.
>>It may work well for Solaris 8, but it appears there's been no recent
>>support for it.
>>Does anyone think it's worth hardening a system so much?  I've already
>>got tripwire running but that, to me, is a reactive approach.  I'd
>>rather prevent someone from changing my system files than to know they
>>already did it.
>>I'm aware that unless I proceed carefully I can make the system useless
>>for its intended purpose, running snort.
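An audit script for the settings the thread recommends (KEYBOARD_ABORT in /etc/default/kbd, CONSOLE= in /etc/default/login, an empty /etc/inetd.conf, and EEPROM security-mode), as an added example that is not from the thread or any of its posters. The sample files are constructed so it runs anywhere; the file paths passed in and the "security-mode=full" output format of the Solaris `eeprom` command are assumptions, and on a real Solaris 8 host you would pass the live /etc/default and /etc/inetd.conf files and the output of `eeprom security-mode`.

```shell
#!/bin/sh
# Added example (not from the thread): check a Solaris host against the hardening
# settings recommended above. Each check returns 0 when the setting is hardened.

# Strip comment and blank lines so a commented-out default does not count.
active_lines() { grep -v '^[[:space:]]*#' "$1" | grep '[^[:space:]]'; }

# /etc/default/kbd: KEYBOARD_ABORT=disable turns off the STOP-A / L1-A abort.
kbd_abort_disabled() {
    active_lines "$1" | grep -q '^[[:space:]]*KEYBOARD_ABORT=disable[[:space:]]*$'
}

# /etc/default/login: CONSOLE= with no device means root cannot log in directly.
root_login_blocked() {
    active_lines "$1" | grep -q '^[[:space:]]*CONSOLE=[[:space:]]*$'
}

# /etc/inetd.conf: hardened when no uncommented service entry remains.
inetd_empty() { ! active_lines "$1" >/dev/null; }

# Takes the text printed by "eeprom security-mode" (assumed format: security-mode=full).
eeprom_full() { [ "$1" = "security-mode=full" ]; }

# Run every check on one host; print one line per check, return the failure count.
audit_host() {
    fails=0
    kbd_abort_disabled "$1" && echo "PASS kbd"    || { echo "FAIL kbd: KEYBOARD_ABORT is not disable"; fails=$((fails + 1)); }
    root_login_blocked "$2" && echo "PASS login"  || { echo "FAIL login: root console login allowed"; fails=$((fails + 1)); }
    inetd_empty        "$3" && echo "PASS inetd"  || { echo "FAIL inetd: services still enabled";     fails=$((fails + 1)); }
    eeprom_full        "$4" && echo "PASS eeprom" || { echo "FAIL eeprom: security-mode is not full";  fails=$((fails + 1)); }
    return $fails
}

# Constructed sample files: one set as a stock install might look, one hardened.
SAMPLE_DIR=$(mktemp -d)
printf '#KEYBOARD_ABORT=enable\n' > "$SAMPLE_DIR/kbd.stock"
printf 'CONSOLE=/dev/console\nPASSREQ=YES\n' > "$SAMPLE_DIR/login.stock"
printf 'ftp stream tcp nowait root /usr/sbin/in.ftpd in.ftpd\n' > "$SAMPLE_DIR/inetd.stock"
printf 'KEYBOARD_ABORT=disable\n' > "$SAMPLE_DIR/kbd.hard"
printf '# CONSOLE=/dev/console\nCONSOLE=\nPASSREQ=YES\n' > "$SAMPLE_DIR/login.hard"
printf '# all inetd services removed\n' > "$SAMPLE_DIR/inetd.hard"

echo "== stock install =="
audit_host "$SAMPLE_DIR/kbd.stock" "$SAMPLE_DIR/login.stock" "$SAMPLE_DIR/inetd.stock" "security-mode=none" || echo "stock: $? checks failed"
echo "== hardened =="
audit_host "$SAMPLE_DIR/kbd.hard" "$SAMPLE_DIR/login.hard" "$SAMPLE_DIR/inetd.hard" "security-mode=full" && echo "hardened: all checks pass"
```

The exit status of `audit_host` is the number of failed checks, so it can gate a post-install step or feed a cron job that mails the FAIL lines.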
