This article explains briefly how to secure a Solaris 10 server, covering password policy, network services and some kernel tunable parameters that increase network security.
It was written for Solaris 10 update 3 (11/06) but will remain applicable to later versions, allowing for minor changes introduced by newer Solaris releases.
Secure password
Algorithm
By default, Solaris still uses the old crypt_unix(5) algorithm to hash passwords. While it is not insecure, better choices are available, such as MD5, which allows passwords longer than 8 characters.
Other algorithms are available by default; see /etc/security/crypt.conf. For example, to use MD5 passwords rather than crypt, edit /etc/security/policy.conf, uncomment the line CRYPT_ALGORITHMS_DEPRECATE=__unix__, and change CRYPT_DEFAULT to 1 (one).
Policy
By default, you (and end users too) can define any password you want, but Solaris/PAM provides a framework that lets the administrator choose how passwords must be formed. Just take a look at /etc/default/passwd; it is very intuitive:
MAXWEEKS=
MINWEEKS=
PASSLENGTH=6
#HISTORY=0
#MINDIFF=3
#MINALPHA=2
MINNONALPHA=1
MINUPPER=1
#MINLOWER=0
#MAXREPEATS=0
#MINSPECIAL=0
#MINDIGIT=1
#WHITESPACE=YES
#DICTIONLIST=
#DICTIONDBDIR=/var/passwd
Remember that the root password does not follow this policy!
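As an added example, not part of the original article, here is a small POSIX shell audit of the two files discussed above, /etc/default/passwd and /etc/security/policy.conf, that flags the weak defaults covered here: a PASSLENGTH below 8, HISTORY and MAXWEEKS left unset, no MINNONALPHA requirement, and CRYPT_DEFAULT still set to __unix__. The function names, the thresholds other than the 8-character length, and the constructed sample files are assumptions made for this example.

```sh
#!/bin/sh
# Hypothetical audit helper (not a Solaris tool): flags weak settings in
# /etc/default/passwd ($1) and /etc/security/policy.conf ($2).

# Effective value of KEY in FILE: the last uncommented KEY=value line.
# Empty if the key is absent, commented out, or set to nothing, in which
# case Solaris falls back to its built-in default.
cfg_value() {
    sed -n "s/^[[:space:]]*$2=\(.*\)\$/\1/p" "$1" | tail -n 1
}

# Print a finding unless VALUE is a number of at least MIN.
require_min() {   # $1 key, $2 value, $3 minimum, $4 consequence
    case $2 in
        ''|*[!0-9]*) echo "$1 is unset: $4" ;;
        *) [ "$2" -ge "$3" ] || echo "$1=$2 is below $3: $4" ;;
    esac
}

# One line per weak setting; always returns 0 so the output can be counted.
check_passwd_policy() {
    require_min PASSLENGTH "$(cfg_value "$1" PASSLENGTH)" 8 \
        "short passwords (lengths above 8 need MD5, not crypt_unix)"
    require_min HISTORY "$(cfg_value "$1" HISTORY)" 1 \
        "old passwords can be reused immediately"
    require_min MAXWEEKS "$(cfg_value "$1" MAXWEEKS)" 1 \
        "passwords never expire"
    require_min MINNONALPHA "$(cfg_value "$1" MINNONALPHA)" 1 \
        "purely alphabetic passwords are accepted"
    [ "$(cfg_value "$2" CRYPT_DEFAULT)" != "__unix__" ] ||
        echo "CRYPT_DEFAULT=__unix__: crypt_unix ignores characters beyond the 8th"
    return 0
}

# Number of findings, for use in scripts (non-zero means work to do).
passwd_policy_findings() {
    check_passwd_policy "$1" "$2" | wc -l | tr -d ' '
}

# Constructed samples mirroring the listing above, written to $1 and $2.
write_sample_files() {
    printf 'MAXWEEKS=\nMINWEEKS=\nPASSLENGTH=6\n#HISTORY=0\nMINNONALPHA=1\nMINUPPER=1\n#MINDIGIT=1\n' > "$1"
    printf '# constructed excerpt\nCRYPT_DEFAULT=__unix__\n#CRYPT_ALGORITHMS_DEPRECATE=__unix__\n' > "$2"
}

# Stand-alone use: ./audit.sh /etc/default/passwd /etc/security/policy.conf
if [ $# -eq 2 ]; then
    check_passwd_policy "$1" "$2"
fi
```

On the sample files the audit reports four findings; after applying the changes described in this section (PASSLENGTH=8 or more, HISTORY and MAXWEEKS set, CRYPT_DEFAULT=1) it reports none.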
Network Services
Before Solaris 10 update 3 (11/06), most services were enabled by default, which means you run a lot of RPC services (including rpcbind, the NFS server and client, etc.). Just take a look at the output of
# svcs | grep -c 'network'
38
SMF (Service Management Facility) provides some nice features to disable or enable many services at once using XML profiles; you can download the attached profile, which disables all network services (including all RPC!) except SSH.