Learn how to secure hosts from attack
Identify common vulnerabilities for networked systems
Discover how to protect sensitive files
Create access control lists
Security is a central concern of system administrators of all network operating systems, because all services may potentially have inherent flaws or weaknesses revealed through undetected bugs that can compromise a system. Solaris is no exception, and new Solaris administrators will find themselves revisiting issues that they may have encountered with other operating systems. For example, Linux, Microsoft Windows, and Solaris all run database systems that have daemons that listen for connections arriving through the Internet. These servers may be shipped with default user accounts with well-known passwords that are not inactivated by local administrators after configuration and administration. Consequently, exploits involving such services are often broadcast on USENET newsgroups, cracking mailing lists, and web sites.
Some security issues are specific to Solaris. For example, username and password sniffing while a remote user is using telnet to spawn a local shell is unique to Solaris and other UNIX systems, because PC-based products that provide remote access (such as Symantec’s pcAnywhere product) encrypt the exchange of authentication credentials by default.
This chapter will lay the groundwork to help you understand the vulnerabilities of the Solaris operating system, as well as detail the techniques used by Solaris managers to reduce the risk of a successful attack by a rogue user. Our starting point will be the single host, which can be secured from both internal and external threats by strict administration of user accounts and groups and their corresponding entries within standard password and shadowed password files.
It is critical that you control access to various files and directories by setting user and group ownership on those files. Once a user and group have been assigned ownership of a file or directory, they are free to determine which other users (if any) are able to read or write to that file—or for a directory, whether any files can be created under that directory. An exception to user- and group-based access control is the special “superuser” account (also known as the “root” user), which has global read, write, and create access on all files on a Solaris system. This includes normal files as well as directories and device files.
Finally, we’ll examine how to keep tabs on all active users on a Solaris system, so that their behavior and activities can be monitored to ensure that only authorized activities are being conducted at all times.