
Solaris 10 Security
on a Sun Enterprise 250

The Sun Enterprise 250 is a SPARC machine (it uses Sun's SPARC processors).
This particular Enterprise 250 has 2x 250MHz processors, 1GB RAM, and 6x 9GB drives.


1. Check that the user "root" cannot log in remotely - only via the console terminal

# cat /etc/default/login
...
...
# If CONSOLE is set, root can only login on that device.
# Comment this line out to allow remote login by root.
#
CONSOLE=/dev/console              keep this line uncommented to prevent remote root logins
...
...
#


2. To prevent all logins, create /etc/nologin

# touch /etc/nologin                 if the file /etc/nologin exists on the system, logins are disabled
#
# vi /etc/nologin                    to create a message that the users will see, edit /etc/nologin
#
# cat /etc/nologin
This system is down for maintenance until 6am Monday.       when a user logs in, the contents of
                                                            /etc/nologin are displayed and the
Please try again at 6am Monday.                             login is terminated
#



3. Monitor logins to the system

# logins                                    only the superuser "root" can run the logins command

4. Create /var/adm/loginlog

# pwd
/var/adm
#
# touch loginlog
#
# chmod 600 loginlog
# chgrp sys loginlog
#
# ls -l loginlog
-rw-------   1 root     sys         0 Aug 13 12:58 loginlog
#
#




A Description of LOGINLOG

# man loginlog
Reformatting page. Please Wait... done

File Formats loginlog(4)

NAME
loginlog - log of failed login attempts

DESCRIPTION
After five unsuccessful login attempts, all the attempts are
logged in the file /var/adm/loginlog. This file contains one
record for each failed attempt. Each record contains the
login name, tty specification, and time.

This is an ASCII file. Each field within each entry is
separated from the next by a colon. Each entry is separated
from the next by a new-line.

By default, loginlog does not exist, so no logging is done.
To enable logging, the log file must be created with read
and write permission for owner only. Owner must be root and
group must be sys.

FILES
/var/adm/loginlog

SEE ALSO
login(1), passwd(1)

SunOS 5.10 Last change: 3 Jul 1990 1

#
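The record layout documented above (one record per line; login name, tty and time separated by colons) can be summarised with ordinary shell tools. The script below is an added example and not part of the original page: its sample records are constructed, and it assumes the time field is a ctime(3)-style string such as "Mon Aug 13 12:58:41 2007", which itself contains colons, so the name and tty are taken from the first two fields and everything after the second colon is treated as the time. The last function pairs with step 1: once CONSOLE=/dev/console is set, a failed root login on anything other than /dev/console is a rejected non-console attempt worth looking at.

```shell
#!/bin/sh
# Added example (not from the original page): summarise /var/adm/loginlog.
# Record layout login:tty:time is from loginlog(4); the time field is
# assumed to be a ctime(3) string, which contains colons, so records are
# split on the first two colons only.  The sample records are constructed.

# Write a constructed loginlog to the path given in $1.
write_sample_loginlog() {
    cat > "$1" <<'EOF'
root:/dev/pts/3:Mon Aug 13 12:58:41 2007
root:/dev/pts/3:Mon Aug 13 12:58:49 2007
jsmith:/dev/pts/5:Mon Aug 13 13:02:10 2007
jsmith:/dev/pts/5:Mon Aug 13 13:02:17 2007
root:/dev/console:Mon Aug 13 13:05:00 2007
EOF
}

# Failed attempts per login name, most frequent first ("count name").
failed_by_user() {
    cut -d: -f1 "$1" | sort | uniq -c | sort -rn
}

# Number of failed attempts recorded for one login name ($1) in file $2.
failed_for_user() {
    grep -c "^$1:" "$2"
}

# Failed root attempts that did not come from the console.  With
# CONSOLE=/dev/console set (step 1) these are rejected non-console
# attempts, so they deserve attention.
root_not_on_console() {
    awk -F: '$1 == "root" && $2 != "/dev/console"' "$1"
}

# The time field of every record, keeping its embedded colons intact.
record_times() {
    cut -d: -f3- "$1"
}

# Demo against the constructed sample (run the functions on
# /var/adm/loginlog for the real thing).
sample=$(mktemp)
write_sample_loginlog "$sample"
echo "Failed attempts per user:";            failed_by_user "$sample"
echo "Failed root attempts not on console:"; root_not_on_console "$sample"
rm -f "$sample"
```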


6. Log all usage of CRON

# cat /etc/default/cron
CRONLOG=YES                  to log all CRON activities
#
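The file-based settings from steps 1, 2, 4 and 6 can be re-checked at any time. The script below is an added example, not part of the original page: each check takes the root of the tree to inspect as its argument, so the same functions run against / on the host or against the constructed sample tree the script builds for its demo (that tree is made up for illustration). The permission and ownership checks assume the ls -l column layout shown in step 4.

```shell
#!/bin/sh
# Added audit helper (not from the original page).  Each check takes the
# root of the tree to inspect as $1 and returns 0 (pass) or 1 (fail), so the
# same functions work against "/" on a live host or against the constructed
# sample tree built below for the demo.

# Step 1: root restricted to the console?  Only an uncommented
# CONSOLE=/dev/console line in etc/default/login counts.
check_console_only() {
    grep '^CONSOLE=/dev/console' "$1/etc/default/login" >/dev/null 2>&1
}

# Step 2: all logins disabled?  The existence of etc/nologin is enough.
check_nologin() {
    [ -f "$1/etc/nologin" ]
}

# Step 4a: var/adm/loginlog present with mode 0600 (read/write owner only).
check_loginlog_perms() {
    f="$1/var/adm/loginlog"
    [ -f "$f" ] || return 1
    set -- $(ls -ld "$f")            # $1 mode, $2 links, $3 owner, $4 group
    case "$1" in
        -rw-------*) return 0 ;;     # trailing '.' or '+' (ACL marker) tolerated
        *)           return 1 ;;
    esac
}

# Step 4b: var/adm/loginlog owned by root, group sys, as loginlog(4) requires.
check_loginlog_owner() {
    f="$1/var/adm/loginlog"
    [ -f "$f" ] || return 1
    set -- $(ls -ld "$f")
    [ "$3" = "root" ] && [ "$4" = "sys" ]
}

# Step 6: cron logging switched on in etc/default/cron?
check_cronlog() {
    grep '^CRONLOG=YES' "$1/etc/default/cron" >/dev/null 2>&1
}

# Run every check against the tree rooted at $1 and report PASS/FAIL.
audit_tree() {
    for c in check_console_only check_nologin check_loginlog_perms \
             check_loginlog_owner check_cronlog; do
        if "$c" "$1"; then echo "PASS $c"; else echo "FAIL $c"; fi
    done
}

# Constructed sample tree (made up for this example) holding the settings
# from steps 1, 4 and 6; step 2 (etc/nologin) is deliberately left unset.
build_sample_tree() {
    mkdir -p "$1/etc/default" "$1/var/adm"
    printf '# If CONSOLE is set, root can only login on that device.\nCONSOLE=/dev/console\n' \
        > "$1/etc/default/login"
    printf 'CRONLOG=YES\n' > "$1/etc/default/cron"
    : > "$1/var/adm/loginlog"
    chmod 600 "$1/var/adm/loginlog"
}

# Demo: audit the constructed tree (use "audit_tree /" on the real host).
tmp=$(mktemp -d)
build_sample_tree "$tmp"
audit_tree "$tmp"
rm -rf "$tmp"
```

On the real host the ownership check only passes after the chgrp in step 4, and the demo tree will report it as FAIL because an unprivileged user cannot create a root:sys file.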


9. Encrypt sensitive information

# crypt < filename > filename.crypt        crypt reads the clear text on standard input and writes the
#                                          encrypted result on standard output; with no argument it asks
#                                          for the key at the terminal (a key given on the command line
#                                          would be visible to other users in the process list)
#

Copyright © billhance.com.  All rights reserved.