4.5.7.3 Unix Server Security

We secure our UNIX Sun servers utilizing the EIS-SMN JumpStart. EIS-SMN designs, tests, and releases Sun JumpStart packages based on different versions of the Solaris operating system. For the iPlanet directory server software we use JumpStart 2.1 based on Solaris 2.6.

The EIS-SMN JumpStart includes the latest patches from SUN, as well as several security packages, as discussed in the following.
Secure Shell: ssh-1.2.27

Secure Shell (SSH) is a program to log into another computer over a network, to execute commands in a remote machine, and to move files from one machine to another. It provides strong authentication and secure communications over unsecure channels. It is intended as a replacement for rlogin, rsh, and rcp. Additionally, SSH provides secure X connections and secure forwarding of arbitrary TCP connections.
TCP Wrapper: tcpwrap-7.6

TCP Wrapper allows monitoring and control over who connects to a host, and through which port. It also includes a library so that other programs can be controlled and monitored in the same fashion. The wrapper reports the name of the client host and of the requested service. It does not, however, exchange information with the client or server applications, and it imposes no overhead on the actual conversation between the client and server applications.
Berkeley Sendmail: sendmail-8.9.3

Sendmail is a transport agent, a program which interfaces between user agents and delivery agents in an e-mail system. The sendmail shipped with Solaris is not fully trusted, because of possible security holes in a homogeneous environment. Therefore EIS-FIL has configured the "Berkeley sendmail" to replace the SUN version of sendmail. It is also linked with the TCP Wrapper library.
Network Services:

All network services except the following are disabled. The allowed services are as follows:

shell          # "shell" is a BSD protocol
time           # Time service is used for clock synchronization
100232/10      # Solstice system and network administration class agent server
rstatd/2-4     # Rstatd is used by programs such as perfmeter
100068/2-4     # rpc.cmsd is a data base daemon which manages calendar data backed
               # by files in /var/spool/calendar
bootps         # Used for programs such as jumpstart.
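The two configuration points above, the TCP Wrapper and the short list of network services that stay enabled, are the kind of thing that drifts after a patch or a hand edit. The following audit script is an added example, not part of the original document or of the EIS-SMN JumpStart: it reads a Solaris 2.6-style inetd.conf, reports every enabled service that is not on the allow list given above, and separately reports stream/tcp services whose server program is not tcpd (i.e. not run through the wrapper). The inetd.conf contents are constructed sample data, with telnet and ftp deliberately left enabled so the audit has something to find; the file paths in it are illustrative.

```shell
#!/bin/sh
# Audit an inetd.conf against the allow list from the section above.
# Example code added to this page; the sample configuration below is
# constructed, not the real file from any EIS-SMN system.

# Constructed Solaris 2.6-style inetd.conf. Fields: service, socket type,
# protocol, wait/nowait, user, server program, arguments. "telnet" and
# "ftp" are intentionally present so the audit reports them.
SAMPLE_INETD_CONF='# constructed sample inetd.conf
shell      stream  tcp            nowait  root  /usr/sbin/in.rshd                  in.rshd
time       stream  tcp            nowait  root  internal
time       dgram   udp            wait    root  internal
100232/10  tli     rpc/udp        wait    root  /usr/sbin/sadmind                  sadmind
rstatd/2-4 tli     rpc/datagram_v wait    root  /usr/lib/netsvc/rstat/rpc.rstatd   rpc.rstatd
100068/2-4 dgram   rpc/udp        wait    root  /usr/openwin/bin/rpc.cmsd          rpc.cmsd
bootps     dgram   udp            wait    root  /usr/sbin/in.dhcpd                 in.dhcpd
telnet     stream  tcp            nowait  root  /usr/local/sbin/tcpd               in.telnetd
ftp        stream  tcp            nowait  root  /usr/sbin/in.ftpd                  in.ftpd'

# Service-name field of every entry the page allows to remain enabled.
ALLOWED_SERVICES='shell time 100232/10 rstatd/2-4 100068/2-4 bootps'

# Print the service-name field of every active (non-comment) entry in $1.
enabled_services() {
    awk '!/^[[:space:]]*#/ && NF >= 6 { print $1 }' "$1"
}

# Print each enabled service in $1 that is not on ALLOWED_SERVICES, one per
# line, de-duplicated (time appears twice, once for tcp and once for udp).
unexpected_services() {
    for svc in $(enabled_services "$1"); do
        case " $ALLOWED_SERVICES " in
            *" $svc "*) ;;          # on the allow list: nothing to report
            *) echo "$svc" ;;
        esac
    done | sort -u
}

# Print each stream/tcp service in $1 whose server program is neither the
# inetd-internal handler nor tcpd, i.e. one that bypasses the TCP Wrapper.
# RPC/tli entries are skipped: tcpd does not front those in this setup.
unwrapped_tcp_services() {
    awk '!/^[[:space:]]*#/ && NF >= 6 && $2 == "stream" && $3 == "tcp" \
         && $6 != "internal" && $6 !~ /\/tcpd$/ { print $1 }' "$1" | sort -u
}

# Write the constructed sample to a temporary file and run both checks.
run_audit_demo() {
    tmp=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_INETD_CONF" > "$tmp"
    echo "enabled but not on the allow list: $(unexpected_services "$tmp" | tr '\n' ' ')"
    echo "stream/tcp services not run through tcpd: $(unwrapped_tcp_services "$tmp" | tr '\n' ' ')"
    rm -f "$tmp"
}

run_audit_demo
```

On a real host the two functions would be pointed at /etc/inet/inetd.conf (the path on Solaris 2.6) rather than at the constructed sample; the allow list is the one the section gives and should be edited in step with it. Keep in mind that inetd is only one place a listener can come from: daemons started from /etc/rc2.d and /etc/rc3.d scripts, such as sendmail, have to be reviewed separately.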