Solaris Webserver Security Checklist

• Keep the system disconnected from the network until all is ready.
• Install just the core operating system, adding only necessary packages.
• Install recommended and security patches.
• Strip down the OS by removing startup files (carefully!)
• Disable IP forwarding in /etc/init.d/inetinit .
• Add a script to system startup to fix /tmp permissions.
• Verify that fewe processes are running via ps.
• Invoke sendmail from cron to process queued mail occasionally.
• install and condigure tcp_wrappers, S/Key, wu-ftp, and tripwire as appropriate to your environment.
• Remove all but wu-ftp and telnet from /etc/inetd.conf, and edit /etc/hosts.allow to limit the machines that can use these daemons.
• Enable logging of all telnet access to the system via syslog.
• Mount filesystems read-only and no-suid as appropriate.
• Make /noshell the default shell for all accounts except root and access.
• Remove /etc/auto_*, /etc/dfs/dfstab, p/var/spool/cron/crontabs/* (except root).
• Use static routing.
• Test your system thoroughly, including allowed access and denied access, and event logging.
• Consider replacing sendmail, syslog, bind, and crontab with more secure versions.
• Install xntp for accurate time stamping.
• Consider enabling system accounting.
• Keep monitoring and testing the Web server.