Tip

Solaris Web services security: Force the use of su to gain root access

To enhance audit of root access, direct logon should be denied for the root account. It is recommended using only the su command to gain root privileges.

A word of warning: before you do this, make sure there is at least one active user account you can use to log in. If there isn't one active user account, you'll have to boot using the CDROM and undo the following step to regain root access.

To prevent direct login of the root account, edit the file /etc/default/login.

Look for the line CONSOLE=/dev/console. This line may be commented out. Make sure there is an uncommented version of this line that reads:
CONSOLE=

Restrict root's Search Path

To prevent the execution of Trojanized copy of utilities such as ls and ps hackers may have placed in a hacked directory structure, restrict root's search path to directories root owns, i.e., /sbin, /usr/bin and /usr/sbin. Edit root's .cshrc, .profile, and .login and remove the current directory specification (.) and restrict root's PATH to the above directories.

Set root's File Mask

Root's umask should be set to 077 or 027. Add the following entry in root's .profile or .cshrc:
umask 077

When this is done, all files or directories created by root will have rwx------ for 077 or rwxr-x--- for 027 file mask.


In this 12-part tip Unix expert Gary Smith breaks down the process of building and maintaining a highly secure Web services architecture on the

    Requires Free Membership to View

Solaris platform.

Table of contents:
Part 1: Isolate the Web services host server
Part 2: Install and configure a very basic operating system
Part 3: Force the use of su to gain root access
Part 4: Disable trusted host relationships and create a warning banner
Part 5: Configuring user accounts
Part 6: Disabling and removing unnecessary accounts
Part 7: Configure network access control
Part 8: Configure network services
Part 9: Install OpenSSH, disable NFS and reboot
Part 10: Set file permissions
Part 11: Test the configuration
Part 12: Conclusion

This was first published in October 2002

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.