Here's my offering:

1) Wipe out everything that's there. Install the machine fresh on freshly formatted disks.

2) If you are going to use the open-source version of Tripwire, pick it up and gcc. Compile it with the static link option. In the next step you're going to wipe out everything that would allow you to do this later. If you're using the commercial version of the Tripwire binaries, this can come between steps 10 and 11. Most of the Tripwire install is going to move to read-only media later, so make appropriate allowances in anticipation of this.

3) Remove all packages that are not absolutely required. This means all compilers and programming/development tools, CDE/OpenWindows (does the package name start with SUNWdt or SUNWol?) and localization files (e.g. starts with SUNWeu) and anything else windowing-related (XIL/XGL/OpenGL support), AnswerBooks and the AnswerBook server (starts with SUNWab), Solstice components of any stripe, WebNFS/NFS/lp/uucp/FTP/X11/sendmail/volume management binaries and support configuration packages (e.g. X11 font packages beginning with SUNWi and then a number) of any sort, non-standard shells, and Java/ToolTalk/KCMS stuff just in case you forgot to include them under the rubric of development stuff. Look at pkginfo to see what's out there that might need to go. You know the philosophy: if it didn't come with Solaris, isn't a package that you understand and are comfortable with, or isn't a version of ssh that you have checked against the BUGTRAQ archives, it should go.

4) Go through /etc/inetd.conf and kill everything except perhaps s/telnet or ssh, which you should add to the system.

5) Pick up a copy of TCP wrappers and wrap s/telnet and ssh.

6) At the very least, check out what run control scripts init will run between bringing your system up through the levels to hit #3. Delete anything you won't be using at all from /etc/init.d and kill all the symlinks from the /etc/rc?.d directories, just so no one can slip something nasty into scripts that you don't think you are using.

7) Remove entries in /etc/passwd and /etc/shadow that support disabled services. Set the shell to something like "/bin/noshell" for anything left that doesn't have a shell defined. Make sure that entries like nobody and noaccess that don't support login access have NP for their password in /etc/shadow.

8) Leave CONSOLE undefined in /etc/default/login (i.e. leave it uncommented without providing a value for it). Create an account for yourself so you have a way of logging in initially without using the root account. Also set SYSLOG=YES and PASSWORD=YES in /etc/default/login. Make sure that SULOG is defined appropriately in /etc/default/su.

9) Settle on a logging strategy and procedure. At the very least you should set up syslog to send logs off to a well-secured system (a dedicated OpenBSD machine running nothing but syslog and OpenSSH will do nicely) or set up a drop box such as a printer or other device that can write out data through a local port such that it can't be retrieved. A dedicated 486/25 running Linux or OpenBSD without a network interface would do the trick quite nicely.

10) Run ASET with security level "high" (remember there's no going back on that) or, better yet, pick up Titan from http://www.fish.com. Remember that most of these tools make it damned near impossible for anybody but root to do much of anything, but that's exactly what you want.

11) Do a Tripwire run on your system, focusing particularly on the /usr, /sbin, and /bin filesystems, which should be getting close to their final state. Do a run on /etc as well so you can note what files are changed in the next few steps. Look at the process list and see what you have running. Take notes on this.

12) Install your firewall software. Do NOT configure it yet.

13) Do another Tripwire run to pick up the diffs on your system post-install. Have another look at the process list.

14) Configure the firewall software.

15) Do another Tripwire run to pick up the diffs from your configuration changes. Have another look at the process list.

16) Do whatever you've got to do for network testing to validate your configuration. Fine-tune and do a complete Tripwire run. Have a final look at the process list.

17) Burn the Tripwire binaries and your base configuration database onto a CD-ROM as a system reference. Tripwire lives here from now on. Set up a regular Tripwire run in cron.

18) Put the firewall into production.

19) Take notes on the diffs throughout the configuration process, taking care to make a record of which files you would expect to change and what processes you expect to see running at any given point in time. Do what you can to verify these notes in combination with regular Tripwire runs during the first thirty to ninety days in production.

20) Let me know if I've forgotten anything (and I'll claim that this was only because it was 6:00 AM when I wrote this).

-Bayard

Brad Van Orden wrote:
>
> Hello All,
>
> Does anyone know of a checklist for preparing a Solaris computer to be a
> firewall? Thanks!
>
> Regards,
>
> Brad Van Orden
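Added example, not code from Bayard's post or from any of the tools it names: a small POSIX shell audit that applies steps 4, 7 and 8 of the checklist (disable inetd services outside a keep list, check /etc/default/login for CONSOLE=, SYSLOG=YES and PASSWORD=YES, and list shadow entries with an empty password field). It runs against constructed copies of those files in a scratch directory; the sample contents, the scratch paths and the keep list are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not code from the original post: audit functions for steps 4, 7 and 8,
# run here against constructed copies of the files in a scratch directory.
# Paths under $WORK and the sample contents are assumptions for the demo.
WORK=$(mktemp -d)

cat > "$WORK/inetd.conf" <<'EOF'
# constructed sample inetd.conf
ftp     stream  tcp  nowait  root    /usr/sbin/in.ftpd     in.ftpd
telnet  stream  tcp  nowait  root    /usr/sbin/in.telnetd  in.telnetd
finger  stream  tcp  nowait  nobody  /usr/sbin/in.fingerd  in.fingerd
EOF
printf 'CONSOLE=\nSYSLOG=YES\nPASSWORD=YES\n' > "$WORK/login"
printf 'root:abc123hash:11000::::::\nnobody:NP:6445::::::\nnoaccess::6445::::::\n' > "$WORK/shadow"

# Step 4: comment out every inetd service not in the keep list, then print the
# service names that remain enabled (one per line) so the result can be checked.
harden_inetd() {   # $1 = inetd.conf path, $2 = space-separated services to keep
    awk -v keep="$2" '
        BEGIN { n = split(keep, k, " "); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
        /^[ \t]*#/ || /^[ \t]*$/ { print; next }   # comments and blank lines pass through
        ($1 in ok)               { print; next }   # keep a whitelisted service
                                 { print "#" $0 }  # disable everything else
    ' "$1" > "$1.new" && mv "$1.new" "$1"
    awk '!/^[ \t]*#/ && !/^[ \t]*$/ { print $1 }' "$1"
}

# Step 8: CONSOLE must be present with an empty value, and SYSLOG/PASSWORD set to YES.
# Returns 0 only when all three lines are there.
check_default_login() {
    grep -q '^CONSOLE=$' "$1" && grep -q '^SYSLOG=YES$' "$1" && grep -q '^PASSWORD=YES$' "$1"
}

# Step 7: print accounts whose shadow password field is empty rather than NP or a hash.
empty_shadow_entries() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

harden_inetd "$WORK/inetd.conf" "telnet ssh"
check_default_login "$WORK/login" && echo "login defaults OK"
empty_shadow_entries "$WORK/shadow"
```

Point the three functions at the real /etc/inetd.conf, /etc/default/login and /etc/shadow (as root, after a Tripwire baseline) to use them on an actual build.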
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:57:48 PDT