SOLARIS 9 - Security checklist
1. Is it possible to use dictionary files to validate password changes, via a patch or manual configuration?
This can be done if you upgrade to Solaris 10 and edit /etc/default/passwd (see man passwd). This is the answer I got from this forum; I appreciate it, however I need a solution for Solaris 9 itself. In this particular scenario, upgrading is not possible.
2. Is it possible to keep a history of passwords, so that users cannot reassign previous values, using a patch?
I know that by default, no; by using additional software, yes. Can it be done?
It can be done if you upgrade to Solaris 10 and edit /etc/default/passwd (see man passwd).
3. Is it possible to set a password inactivity period for automatic deactivation, using a patch or manual configuration?
It is possible; we don't need any additional software for that. I guess it's /etc/shadow (please let me know if I'm wrong).
Well, it should work. At least you can set how long a password is valid (see man passwd).
4. How can we set the mandatory password option? By default Solaris accepts a blank password; is there any way we can make it mandatory?
(If someone can help me with this, that would be great.)
5. How can it be configured so that initial passwords are valid only for one session?
It can be done if you use something like MS AD or LDAP for your naming service; I don't think standard Solaris can do it. Although of course you can use the PAM framework to create a PAM module which does this, or search the net to see if someone has done it already.
Thinking of it, it might be possible in pure Solaris as well, but if it is, I haven't done it. Perhaps someone else knows.
6. Is it possible to set the retry limit for denied access, and if so, how? How can we set the block interval when the access-denied threshold is reached?
Possible, again, if you upgrade to Solaris 10. In Solaris 10 you can lock an account after X failed login attempts by editing /etc/security/policy.conf and making sure that LOCK_AFTER_RETRIES is set to "yes".
By default this feature allows the user to try to log in 4 times; after 4 bad login attempts the account is locked. The number of retries can be set in /etc/default/login.
The time can also be set in login, sort of.
The latter file can also be used to specify when to log the failed attempt to syslog. See (on Solaris 10): man login; man policy.conf.
7. How can we set the administrator password policy?
If you are referring to the root account: in the same way as any other account, I'd suppose. Even if you have to be more careful. The root accounts might not be used very frequently, and when you have to use them it's probably an emergency.
Please update this; I want help in Solaris 9, not 10. If someone can contribute, I'd appreciate it.
Thanks,
You should also look into the JASS package from Sun.
http://wwws.sun.com/software/security/jass/
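The Solaris 10 settings the replies to questions 1, 2, 3 and 6 point at (password length, expiry, history and dictionary in /etc/default/passwd, retry limit and failed-login logging in /etc/default/login, LOCK_AFTER_RETRIES in /etc/security/policy.conf) can be audited with a small script. This is an added example, not code from the thread: the key names besides LOCK_AFTER_RETRIES are the ones documented in the Solaris 10 passwd(1) and login(1) man pages, and the sample files it writes are constructed so it runs on any POSIX shell; on a real host you would pass the three real paths to audit_policy instead.

```shell
#!/bin/sh
# Added example, not code from the thread: audit the Solaris 10 password-policy and
# login-retry settings discussed above. They are KEY=VALUE lines in
# /etc/default/passwd, /etc/default/login and /etc/security/policy.conf; a key that
# is commented out or left empty counts as unset. write_samples creates constructed
# sample files so the audit can run anywhere; on a real host pass the three paths.

# Print the first uncommented value of key $2 in file $1 (empty if unset).
get_setting() {
    sed -n "s/^[[:space:]]*$2=\([^[:space:]#]*\).*/\1/p" "$1" | head -n 1
}

# Check one setting: $1 file, $2 key, $3 required value ("" = any non-empty value).
# Prints a status line; returns 1 when the setting is missing or weak.
check_setting() {
    val=$(get_setting "$1" "$2")
    if [ -z "$val" ]; then
        echo "MISSING $2 in $1"; return 1
    fi
    up=$(printf '%s' "$val" | tr '[:lower:]' '[:upper:]')   # YES and yes both accepted
    if [ -n "$3" ] && [ "$up" != "$3" ]; then
        echo "WEAK    $2=$val in $1 (expected $3)"; return 1
    fi
    echo "OK      $2=$val in $1"
}

# Audit the three files ($1 passwd, $2 login, $3 policy.conf).
# Return value is the number of failed checks (0 = everything set and acceptable).
audit_policy() {
    fails=0
    for key in PASSLENGTH MAXWEEKS HISTORY DICTIONLIST; do   # passwd(1): length, expiry, history, dictionary
        check_setting "$1" "$key" "" || fails=$((fails + 1))
    done
    for key in RETRIES SYSLOG_FAILED_LOGINS; do              # login(1): retry limit, syslog of failures
        check_setting "$2" "$key" "" || fails=$((fails + 1))
    done
    check_setting "$3" LOCK_AFTER_RETRIES YES || fails=$((fails + 1))   # policy.conf(4)
    return "$fails"
}

# Write constructed sample files into directory $1: "weak" mimics an untouched
# install, anything else writes a set that passes every check (sample values only).
write_samples() {
    mkdir -p "$1"
    if [ "$2" = "weak" ]; then
        printf '%s\n' '# constructed sample' 'MAXWEEKS=' 'PASSLENGTH=6' '#HISTORY=10' > "$1/passwd"
        printf '%s\n' '#RETRIES=5' 'SYSLOG_FAILED_LOGINS=0' > "$1/login"
        printf '%s\n' 'LOCK_AFTER_RETRIES=NO' > "$1/policy.conf"
    else
        printf '%s\n' 'MAXWEEKS=12' 'PASSLENGTH=8' 'HISTORY=10' \
            'DICTIONLIST=/usr/share/lib/dict/words' > "$1/passwd"   # sample dictionary path
        printf '%s\n' 'RETRIES=3' 'SYSLOG_FAILED_LOGINS=0' > "$1/login"
        printf '%s\n' 'LOCK_AFTER_RETRIES=YES' > "$1/policy.conf"
    fi
}

# Stand-alone run: audit the weak sample set and report the failure count.
d=$(mktemp -d)
write_samples "$d" weak
rc=0; audit_policy "$d/passwd" "$d/login" "$d/policy.conf" || rc=$?
echo "failed checks: $rc"
rm -r "$d"
```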
Similar Messages
-
Windows 2012 server security checklist for corporate company standard/recommended check-list
Hello All,
Good Day.
I am looking for a Windows 2012 server security checklist (standard hardening
settings); would you kindly assist me by providing the Wintel 2012 standard/recommended checklist ASAP?
Thanks in advance.
Hi,
The Microsoft Security Compliance Manager 3.0 tool is designed to provide you with an end-to-end solution to help you plan, deploy, and monitor security baselines for computers running Windows Server 2012 in your environment.
For more detailed information, please refer to the articles below:
Windows Server 2012 Security Baseline
http://technet.microsoft.com/en-us/library/jj898542.aspx
Security Hardening Tips and Recommendations
http://social.technet.microsoft.com/wiki/contents/articles/18931.security-hardening-tips-and-recommendations.aspx
Regards,
Mandy
-
Solaris Security Toolkit 4.2
Hi!
I've downloaded the Solaris Security Toolkit 4.2 (http://www.sun.com/software/security/jass/) and installed it on Solaris 9, but when I try to run jass-execute I get the following error:
./jass-execute: syntax error at line 974: `end of file' unexpected
Could anyone help me?
Thanks.
I was running it from /opt/SUNWjass/bin, but it needs to be run from the /opt/SUNWjass directory.
-
Hyperion Essbase on Solaris & Security issue in Shared services
I installed Hyperion System 9.3.1 in my dev environment. Everything is working properly.
But I still have questions on a couple of things.
1) I installed Essbase on Solaris 10. I was just trying to configure the SQL interface for Essbase.
I went through the documentation. It says I am supposed to get a file called libesssql.so.1,
but I can't see this file in the ARBORPATH/bin location. Still, I could load the data
into the sample Essbase application. My Essbase is working fine. When I ran the script inst -sql.sh
it created a file called libesssql.so in the ARBORPATH/bin location, but no libesssql.so.1.
Can someone help me regarding this?
2) In Shared Services, when I click under Hyperion System 9 BI+, I can't see
any reporting-related files to assign security to. I am seeing a message saying to refer to the security guide to configure
permissions for this application.
I logged into Shared Services with admin privileges.
Please help me with this.
Thanks,
Hi,
What version are you using ?
Just to be clear are you saying that the utility only exported one native user and you expected it to export more ?
Cheers
John
http://john-goodwin.blogspot.com/ -
I am selling my Mac - "Gasp?! WHY?!" I hear you say. Don't worry, it is for a better model, I am not going back to PCs.
Before I hand over my computer I want to make sure that there is no way of anyone gaining any personal/secure knowledge about me from my Mac.
Can anyone think of a checklist to run through to make sure this can't be done?
I'll start:
1) Delete all my documents.
2) Open iTunes, click "advanced" and "deauthorise computer"
....what next?
Regards
PISMO Mac OS X (10.3.9)
Bjorn...
Prepare your Mac for resale or to be donated....
1. After you have backed up all your data...insert your Mac OS Install Disc..
2. Double-click Install Mac OS X...and then click Restart
3. Enter your password when prompted...click OK. The computer will restart from the Mac OS X Install disc.
4. In the language selection screen...choose English...click Continue.
5. Choose Installer>Open Disk Utility and select the physical volume...this will be the upper left pane (assuming you only have one hard drive)
6. Click ...Erase and in the next window...
• Volume Format....should be Mac OS Extended (Journaled)
• Name..... Macintosh HD
7. Click on Security Options...you have two options..
• Zero All Data
• 8 Way Random Write...This will take much, much longer to erase.
8. To continue, click OK and then click ... Erase
9. A dialog will warn you that everything will be erased...click on Erase.
10. When the erase is done...choose Disk Utility>Quit Disk Utility.
11. At this point you can proceed with your choice of Mac OS installation.
12. Click Continue until you see the disk selection screen.
13. Choose the internal hard drive....then initiate the installation
14. The computer will automatically restart when installation is done, and take you to the Mac OS X Setup Assistant.
15. Do not create a new user account; instead, wait until the assistant is done loading...then hold the power button for five seconds to shut down the Mac.
16. When the new owner first starts up ... they will go through the
Mac OS Setup Assistant...just as though it was a new Mac computer.
george -
Solaris Security Toolkit 4.2 download format
I've downloaded the newest release of the ToolKit for Sol10 and it appears to be in compressed tar format.
(Solaris_Security_Toolkit_4_2_0_pkg.tar.Z)
According to docs it should be in compressed package format and I should be able to do a pkgadd after uncompressing.
What am I missing?
Thanks in advance!
I think when I last installed SUNWjass (this was under Solaris 9) I had to go into that directory (once moved to /opt) and run the install scripts, something like:
~/jass-execute -d secure.driver (read the INSTALL file)
and then it showed up in things like pkginfo .
Hope this helps more.
cheers
Paul -
Not quite sure what you mean by the question - usual unix security
applies plus ACLs and kerberos. There are also some good whitepapers you can find at the Sun website
For serious applications Trusted Solaris for both Sparc and Intel
platforms can be purchased via www.sun.com/store
Product details at sun.com:
Home -> Products & Solutions -> Software -> Operating Environments & Platforms -> Solaris Product Line -> Products -> Trusted Solaris 8 -
Hi All,
I would like to ask some questions. I have Solaris 10 and RHEL installed on separate machines.
The question is:
1. how can I check the latest patches or latest update? (I need a step or command)
2. where can I get the latest security patch or necessary patch that I need to put in into my servers?
Please give me some guidance or information on this issue. I would like to thank you in advance for your reply and help. GBU.
Hi,
Where can I check the patch that installed in my servers? which directory or path..? so I will know what is the next patch that I should install into this servers.
Oh, by the way, I checked the above link and used the search function with 'updatemanager', but it ended up with lots of links in 'support'.
Thanks for your reply. -
Accepting Manual Updates - Solaris Security Toolkit
I have hardened a Solaris 10 server with Security Toolkit 4.2 and since then have
modified the system.
How do I get the Toolkit (Jass) to accept the changes?
I suspect that I must create a new driver and do a Jass Execute but I would like to approach
this problem with some certainty. FYI - I created some new slices and mounted them
but the changes to vfstab do not seem to stick.
Any advice is appreciated.
LB
I think I found the issue, only somewhat related to Security Toolkit ...
http://groups.google.de/group/comp.unix.solaris/browse_frm/thread/93f6231c5bdc8409
I activated smserver and the drive now works...
LB -
Best Practice paper for SSO Security CheckList
Are there any white papers or guides on how to secure the SSO? Thanks
also, try:
SSL + certificate (will login automatically)
Portal Security and Login Server Forum -
Does anybody have any documents or links that cover "hardening" a Weblogic server?
We are putting together a security plan and we are trying to list the steps that
one would take to secure a default Weblogic install. Any help would be appreciated.
Thanks.
Instead of import weblogic.security.SubjectUtils; use import weblogic.security.spi.WLSUser; and get the username as below:
import java.util.Iterator;
import java.util.Set;
import weblogic.security.spi.WLSUser;
// Collect the WLSUser principals carried by the authenticated Subject
Set<WLSUser> users = subject.getPrincipals(WLSUser.class);
Iterator<WLSUser> iter = users.iterator();
while (iter.hasNext()) {
    String userName = iter.next().getName();
    System.out.println(userName);
}
This returns you the username. -
Solaris Security Toolkit (JASS) for Solaris 11?
Has anyone heard anything about an updated version of this for Solaris 11?
Or I'm curious if anyone has tried running the Solaris 10 version on 11?
Thanks
Don't run the Solaris 10 version on Solaris 11; it will not work correctly.
Many aspects of what SST did on Solaris 10 are part of Solaris 11. If there are things you need that aren't covered, I'd suggest opening a support case. -
WebLogic solution for the question below (security checklist)
how to disable multiple session in weblogic?
Edited by: 946501 on Jul 15, 2012 6:15 AM
Hi,
What do you mean by disabling multiple sessions in WebLogic?
can you brief with your query?
Regards,
Kal -
Solaris 10, Tomcat 5: can't connect to a database
Hi:
I installed Solaris 10 on a Sun SunFire V100 server and installed Tomcat 5.5.20 with JDK 1.5. When my application needs to connect to my database server (MS Windows 2000 with MS SQL Server 2000 on port 1433) using JDBC, the application does nothing. There is no information in the Tomcat and system logs. I think it is related to Solaris security (IPFilter) open/closed ports, but I am not sure.
I tested the connection to the database using a java class program and got the next error: [Microsoft][SQLServer 2000 Driver for JDBC]Error establishing socket.
Thanks for the help.
I know nothing about Tomcat & DBs, but you could
try telnetting out from Solaris on various ports to
connect to other services on the MSWin box.
Eg,
$ telnet 192.168.1.244 80
will attempt to hit port 80 on the MSWin machine.
You'll know what services Windows is running.
This'll help you isolate the problem, if you can get
through on some ports rather than others. If you can't
get out at all, check that your network services
are ok with
# svcs -x
'snoop' is also worth trying out on the Solaris box.
snoop 192.168.1.244
will give you brief info on packets.
snoop -V 192.168.1.244
will give you more info
snoop -v 192.168.1.244
will give you shedloads
Apologies if these steps were already known to you. -
ISS Security Advisory
May 6, 1999
Multiple File System Vulnerabilities in Oracle 8
Synopsis:
Internet Security Systems (ISS) X-Force has discovered that
multiple vulnerabilities exist in Oracle 8 that may allow local
attackers to exploit weaknesses in Oracle administrative tools.
Oracle is the market leader in enterprise database solutions.
Attackers may use these vulnerabilities to amplify their
privilege to that of the 'oracle' user. By default, the oracle
user controls the entire Oracle database system. Attackers may
launch local denial of service attacks against the database as
well as alter or manipulate data.
Affected Versions:
ISS X-Force has determined that most current versions of Oracle
8 for Unix are vulnerable. These versions include 8.03, 8.04,
8.05, and 8.15. Oracle 8 for Windows NT is not affected by
these vulnerabilities.
Description:
The Oracle 8 distribution is shipped with many administrative
utilities that are owned by the oracle user with the setuid bit
enabled. Several of these utilities implement insecure file
creation and manipulation. These utilities also trust Oracle-
related environment variables. The combined effect of these
vulnerabilities may allow local attackers to create, append to,
or overwrite privileged oracle files. Certain vulnerabilities
exist that may allow local attackers to execute arbitrary
commands as the oracle user. Attackers may also be able to
permanently elevate their privilege to that of the oracle user.
Temporary files that follow symbolic links are a common source
of vulnerabilities in setuid executables. Administrators should
remove or restrict access to setuid executables if possible.
Developers of setuid programs need to take special precautions
to prevent the introduction of vulnerabilities of this nature.
ISS X-Force recommends that all Unix developers become familiar
with Matt Bishop's secure programming guide, available at
http://olympus.cs.ucdavis.edu/~bishop/secprog.html
Fix Information:
ISS X-Force has worked with Oracle to provide a patch for the
vulnerabilities described in this advisory. Oracle has provided
the following FAQ to answer any questions concerning these
vulnerabilities.
Q: I've heard about a setuid security issue with the Oracle
database? What is this all about?
A: On Unix platforms, some executable files have the setuid bit
on. It may be possible for a very knowledgeable user to use
these executables to bypass your system security by elevating
their operating system privileges to that of the Oracle user.
Q: Which releases are affected by this problem?
A: This problem affects Oracle data server releases 8.03, 8.0.4,
8.0.5, and 8.1.5 on Unix platforms only.
Q: Can I correct this problem or do I need a patch?
A: This problem can easily be corrected. The customer can
download the patch from the Oracle MetaLink webpages at
http://www.oracle.com/support/elec_sup. The patch is a Unix
shell script. This shell script should be run immediately, and
also run after each relink of Oracle.
Q: What is Oracle doing to fix this problem?
A: Effective immediately, Oracle will provide the patch on
Oracle's Worldwide Support Web pages. Oracle will ensure the
patches are incorporated into future releases of Oracle8i
(8.1.6) and Oracle8.0 (8.0.6)
Q: What is Oracle doing to notify users about this problem now?
A: Oracle is notifying all supported customers, via the Oracle
Worldwide Support Web pages, of this issue so they can address
it as required.
ISS X-Force also recommends that all administrators complete a
proactive survey on the use or potential misuse of setuid bits
on privileged executables on their systems.
Credits:
These vulnerabilities were primarily researched by Dan
Ingevaldson of the ISS X-Force.
Copyright (c) 1999 by Internet Security Systems, Inc. Permission
is hereby granted for the electronic redistribution of this
Security Alert. It is not to be edited in any way without
express consent of the X-Force. If you wish to reprint the
whole or any part of this Alert Summary in any other medium
excluding electronic medium, please e-mail [email protected] for
permission.
About ISS
ISS is the pioneer and leading provider of adaptive network
security software delivering enterprise-wide information
protection solutions. ISS's award-winning SAFEsuite family of
products enables information risk management within intranet,
extranet and electronic commerce environments. By combining
proactive vulnerability detection with real-time intrusion
detection and response, ISS's adaptive security approach creates
a flexible cycle of continuous security improvement, including
security policy implementation and enforcement. ISS SAFEsuite
solutions strengthen the security of existing systems and have
dramatically improved the security posture for organizations
worldwide, making ISS a trusted security advisor for firms in
the Global 2000, 21 of the 25 largest U.S. commercial banks and
over 35 governmental agencies. For more information, call ISS at
678-443-6000 or 800-776-2362 or visit the ISS Web site at
www.iss.net.
Disclaimer
The information within this paper may change without notice. Use
of this information constitutes acceptance for use in an AS IS
condition. There are NO warranties with regard to this
information. In no event shall the author be liable for any
damages whatsoever arising out of or in connection with the use
or spread of this information. Any use of this information is at
the user's own risk.
X-Force PGP Key available at:
http://www.iss.net/xforce/sensitive.html as well as on MIT's PGP
key server and PGP.com's key server.
Please send suggestions, updates, and comments to:
X-Force <[email protected]> of Internet
Security Systems, Inc.
http://metalink.oracle.com has all the Oracle documentation online. If you search for Security, you'll get plenty of documents. The Oracle Administrator's Guide has a Security Checklist that is probably a good starting point.
This is a huge topic, though.
Justin