This section includes some suggestions for securing the operating system (OS) on the SGD host.
Install the operating system off-network. Install, patch, and configure your server OS while you are disconnected from the network. This prevents your system from being detected, attacked, and compromised before you have finished OS installation.
Use disk partitions. Use separate partitions for directory structures that might fill up your root file system. Filling the root file system can be a form of Denial of Service (DoS) attack.
For example, if you use the default SGD installation directory, /opt/tarantella, you might want to do the following:
Create a separate /opt partition to store the SGD binaries and log files.
Relocate the SGD server, Apache, and Tomcat log file locations to separate partitions.
Move the /opt/tarantella/var directory to a separate partition.
Minimize OS installation. Only install the software and services that you require.
Do not install tools that an attacker can use to further their attacks. Such tools include C compilers, which can be used to compile root kits, and network utilities such as ping, nslookup, and telnet.
Minimize the network services footprint. Eliminate unnecessary network services to reduce the number of attack points that an attacker may try to exploit.
Oracle Solaris 10 11/06 (update 3) and later provide a Secure By Default option at installation time, which has a reduced network services footprint. This option can also be enabled after installation by using the following command:
# netservices limited
Use Oracle Solaris zones. Create a non-global Oracle Solaris zone to install and run SGD in. Even if an attacker manages to compromise the SGD zone, forensic evidence of the attack should still be available in the global zone.
Use time source synchronization. Using a synchronized time source makes it easier to correlate security event logs. Synchronization of system clocks is also a requirement for SGD arrays, the SGD Gateway, and Kerberos authentication.
If possible, use Network Time Protocol (NTP) software to synchronize clocks. Alternatively, use the rdate command.
Disable routing and forwarding. On a multi-homed system, disable all routing functions.
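
The following script is an added example, not part of the original guide. It checks two of the items above on an installed host: whether /opt and /opt/tarantella/var sit on a file system separate from root, and whether any of the tools the text advises against are on the PATH. The cc and gcc command names (standing in for "C compilers") and a df that accepts the POSIX -P option are assumptions.

```shell
#!/bin/sh
# Added example: checks two hardening items from the list above.
# Directory and tool names come from the text; adjust for non-default installs.
SGD_DIRS="/opt /opt/tarantella/var"
TOOLS="cc gcc ping nslookup telnet"   # cc/gcc are assumed compiler names

# Print the mount point of the file system that holds $1.
# Uses POSIX "df -P" output; assumes mount points contain no spaces.
mount_of() {
    [ -e "$1" ] || return 2
    df -P "$1" 2>/dev/null | awk 'NR == 2 { print $6 }'
}

# 0: $1 is on its own (non-root) file system, 1: it shares the root
# file system, 2: the path is missing or df gave no answer.
separate_from_root() {
    mp=$(mount_of "$1") || return 2
    [ -n "$mp" ] || return 2
    [ "$mp" != "/" ]
}

# Print, one per line, each named command that is found on PATH.
present_tools() {
    for t in "$@"; do
        if command -v "$t" >/dev/null 2>&1; then echo "$t"; fi
    done
}

audit() {
    for d in $SGD_DIRS; do
        if separate_from_root "$d"; then
            echo "OK    $d is on its own file system ($(mount_of "$d"))"
        elif [ $? -eq 1 ]; then
            echo "WARN  $d shares the root file system"
        else
            echo "SKIP  $d does not exist"
        fi
    done
    for t in $(present_tools $TOOLS); do
        echo "WARN  $t is installed: $(command -v "$t")"
    done
    return 0
}

audit
```

A WARN line for a directory means that growth under it, such as log files, can fill the root file system.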