Bridge #1
how to make Unix box secure
Is there any way to find out who actually login to the Solaris box?
Suppose the person knows the root passwd and su to root. If the person
removed utmp and wtmp file, is there still any way to find out what
the person did?
How to make the Solaris box secure, I mean how to find out what other
persons did on the box?
Many thanks!!
Bridge Guest
-
John #2
Re: how to make Unix box secure
You can install a Host-IDS that will help you to do these.
"Bridge" <bridge_xue@yahoo.com> wrote in message
news:3e949365.0307281855.56440fa4@posting.google.com...
> Is there any way to find out who actually login to the Solaris box?
> Suppose the person knows the root passwd and su to root. If the person
> removed utmp and wtmp file, is there still any way to find out what
> the person did?
>
> How to make the Solaris box secure, I mean how to find out what other
> persons did on the box?
>
> Many thanks!!
John Guest
-
Sam N #3
Re: how to make Unix box secure
"Bridge" <bridge_xue@yahoo.com> wrote in message
news:3e949365.0307281855.56440fa4@posting.google.com...
> Is there any way to find out who actually login to the Solaris box?
> Suppose the person knows the root passwd and su to root. If the person
> removed utmp and wtmp file, is there still any way to find out what
> the person did?
>
> How to make the Solaris box secure, I mean how to find out what other
> persons did on the box?
>
> Many thanks!!
There are myriad things you can do to make your Solaris boxes secure, and to
describe a comprehensive list would be far outside the remit of a NG post. A
few *simple* things you can do however (and I'd recommend as any baseline),
are:
0: Who actually needs access to the box? Do you want to be able to log in
from public interfaces? Use a management net and access from a secure
jump-off box or similar.
1: Harden the box: turn off all the crap in /etc/inet/inetd.conf that you
don't need. Remove any accounts that you don't need. Tidy up permissions on
files. This can be time consuming and it's easy to miss things, so get a
hardening script. I recommend Sun's JASS
http://wwws.sun.com/software/security/jass/index.html - once set up, this is
great. There's a demo output of what it can do at
http://www.unix.ms/secure.txt - If you're really concerned, why not consider
Trusted Solaris?
http://wwws.sun.com/software/solaris/trustedsolaris/index.html
2: He who logs longest laughs last. Turn up your logging! man syslog. (Also,
set your syslog server up to be a dot matrix printer with the line-feed
reverse disabled - any jeffk's trying to root you won't be able to delete
these logs unless they have physical access.)
3: Consider Access Control Lists - this way you can assign users to specific
jobs and vice versa - much safer than having numerous people knowing your
root password. Remember, if you have root, you are effectively God. man
setfacl, facl, getfacl.
4: Consider the physical security of the box. Where is it located? Is it
locked away, or can anyone access it? You'd be surprised how many sysadmins
fail to consider the consequences of a physical breach of security. Social
engineering attacks are all too common - are you sure that guy fixing the
aircon in the lab isn't working for your competitor?
It's not only the machine itself you need to think about securing, it's your
whole environment. Think of security not as something you paste over the top
of an existing installation, but build it in at the design stage. Security
In Depth, I think it's called (apologies Alec :) )
I'm sure this thread will have many more replies - the concept of what
constitutes "secure" is of course entirely subjective. For me a box is
secure if it only does *exactly* what I want it to do, and nothing else.
Surprises are bad, mmkay.
Sun's Professional Services people come highly recommended if you want some
top advice :)
cheers
Sam N
Sam N Guest
-
Remco #4
Re: how to make Unix box secure
Some tips and tricks I found:
Enable unsuccessful login attempts:
# cd /var/adm ; touch loginlog ; chgrp sys loginlog ; chmod 600 loginlog
Enable successful login:
# cd /var/adm/ ; touch logins ; chgrp sys logins ; chmod 600 logins
And vi /etc/syslog.conf
add:
local0.info /var/adm/logins
Hth
Remco
"Bridge" <bridge_xue@yahoo.com> wrote in message
news:3e949365.0307281855.56440fa4@posting.google.com...
> Is there any way to find out who actually login to the Solaris box?
> Suppose the person knows the root passwd and su to root. If the person
> removed utmp and wtmp file, is there still any way to find out what
> the person did?
>
> How to make the Solaris box secure, I mean how to find out what other
> persons did on the box?
>
> Many thanks!!
Remco Guest
-
Remco #5
Re: how to make Unix box secure
Forgot the final part:
Restart syslog!
and add the following part to /etc/profile and /etc/.login:
logger -p local0.info "user $LOGNAME has logged in"
"Remco" <Boarddude@zonnet.nl> wrote in message
news:3f2a184f$0$45393$1b62eedf@news.wanadoo.nl...
> Some tips and tricks I found:
>
> Enable unsuccessful login attempts:
>
> # cd /var/adm ; touch loginlog ; chgrp sys loginlog ; chmod 600 loginlog
>
> Enable successful login:
> # cd /var/adm/ ; touch logins ; chgrp sys logins ; chmod 600 logins
>
> And vi /etc/syslog.conf
> add:
> local0.info /var/adm/logins
>
> Hth
>
> Remco
>
>
> "Bridge" <bridge_xue@yahoo.com> wrote in message
> news:3e949365.0307281855.56440fa4@posting.google.com...
> > Is there any way to find out who actually login to the Solaris box?
> > Suppose the person knows the root passwd and su to root. If the person
> > removed utmp and wtmp file, is there still any way to find out what
> > the person did?
> >
> > How to make the Solaris box secure, I mean how to find out what other
> > persons did on the box?
> >
> > Many thanks!!
>
Remco Guest
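
Added example, not code from any poster in this thread: it audits the records written by the `logger -p local0.info` line above and, assuming `local0.info` is also forwarded to a separate log server as reply #3 suggests, lists the records the log server holds that the local file no longer does. The forwarding line, the file names and the sample records are constructed assumptions.

```shell
#!/bin/sh
# Added example. Assumes local0.info is written to /var/adm/logins (reply #4)
# and also forwarded to a separate loghost, e.g. "local0.info<TAB>@loghost"
# in /etc/syslog.conf (fields there are tab-separated). Sample data is constructed.

# login_summary FILE: print "count user" for each login record in FILE.
login_summary() {
    awk '{
        for (i = 1; i <= NF - 4; i++)
            if ($i == "user" && $(i+2) == "has" && $(i+3) == "logged" && $(i+4) == "in")
                n[$(i+1)]++
    }
    END { for (u in n) print n[u], u }' "$1" | sort -k2
}

# missing_locally LOCAL LOGHOST_COPY: print records held by the loghost that
# the local file lacks. A deleted or emptied local file reports every record.
missing_locally() {
    [ -f "$1" ] || { cat "$2"; return 0; }
    awk 'FILENAME == ARGV[1] { seen[$0]++; next }
         seen[$0] > 0        { seen[$0]--; next }
                             { print }' "$1" "$2"
}

demo() {
    d=${TMPDIR:-/tmp}/logins_demo.$$
    mkdir -p "$d"
    # Constructed records in the shape logger would produce.
    cat > "$d/loghost" <<'EOF'
Jul 29 09:12:01 sol1 bridge: user bridge has logged in
Jul 29 09:40:17 sol1 sam: user sam has logged in
Jul 29 23:58:44 sol1 root: user root has logged in
EOF
    # Local copy with the last record trimmed, as after tampering.
    sed '$d' "$d/loghost" > "$d/local"
    echo "Logins recorded on the loghost:"
    login_summary "$d/loghost"
    echo "Records missing from the local file:"
    missing_locally "$d/local" "$d/loghost"
    rm -rf "$d"
}

demo
```

Records written from /etc/profile come from the user's own shell, so a user can skip or forge them; treat the loghost copy as the reference and the summary as a hint rather than proof.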




