From: <Saved by Microsoft Internet Explorer 5>
Subject: Securing SNMP on Solaris
Date: Wed, 14 Nov 2001 08:35:53 +0100
MIME-Version: 1.0
Content-Type: multipart/related;
	boundary="----=_NextPart_000_0009_01C16CE7.5F656410";
	type="multipart/alternative"
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200

This is a multi-part message in MIME format.

------=_NextPart_000_0009_01C16CE7.5F656410
Content-Type: image/gif
Content-Transfer-Encoding: base64
Content-Location: http://ist.uwaterloo.ca/ISTlogo.gif

R0lGODlhYABfALMAAP///wAAAJ2dnYAGHPDm6F1dXSwsLNK3vKJJWkZGRv7+/saQmrNreIKCgpIq
PeHM0CH5BAEAAAAALAAAAABgAF8AAAT+EMhJq7046827/2AojmRpnmiqrmzrvuZxbAoB3yAzT8ww
MJPHAOHY4Y4SI2AxUCQHB6ZzCR0ikUKGDXCASoSL3rQHcAAzhMP2SmIOtorfhFnkaQcLjcMhZ48I
CE0TCGcbBGsXe10Pfh0EOhMEPkonj10OD4iNFwd7A4wSCwdTKZKieJsbCAt7DqQuXT6gCpSpAAoO
C4SaLWmgAEK/jWu4XpsMDo+8OIF5Eq9sTg5EdVcKrM22EmY+DNDMA8nI32wPZsJHgEXhBOTat3vL
KQqBMgju2g9drDfF6O8UOmHDh4LAAoLvEARyoaAQQA7XaqFghfDhhUcM/oWQhMrih2v+PpyZIMDH
oUcNgfZU9HBA40kLZm693KQPxQMG3jIcaMCTp4cHDwQIHSpgCwGiSJMOlXgCFx8EGQQEmBrAgKEC
BqhqnbpD6tavXwtguKlFhBBaDqJuzaCgAditOw68nRtArIU4Q6BuDBcTg9epVi8oSECXatfCYO1W
MCVFxIFV+P5WxVAAMdcklrcqrpAr3EoRAgyINpDgguTCcUUnUJ1V62rSohtgeLTA5QVR8kQQaE21
AFMNbqkGhkHkUwq5WmWPCA4YRycfuU4wn/rZwvThH/SJ3BDl8W8JAlav3iyhcu8S10HgDQdLK/by
WsmDSA9ClLncJCS/B2B+qvwP9H3+cAAyxqygn3Xu4QeceyHQYdwGQoTEwYEVnNZAdRQECMIDCnHQ
BU7fgcfgYl8ZUFQIGjriQx8aCKTGhCNW0N9WBhRwIgcpdoBbBz1MAqNwF/E2l4345OgCUAoCQKEF
u2XWwDJGarMkk9PRZQAvUWpwyAtTXhQeYldWkGUG65g0G5IexmjITqu9pdwEXXJAEgNEbMDHitv5
peYHRwlJXYZ7yllSWijhtEBtPzZHwmBbCQAokCHgVBMLcYJAgGaPKupRpSDMWNoEY27CKYBqhtrI
qB5MaaofqHag4ao2VdQqB55mOlkID2D4WJ6cbJUkW1u9CQCsc5hR3T4IKRBsCTP+BqDErIv15cEh
tlFAWHzV3nWAnwG8QuwzW76A3FfKKcAabOi6KWagDzXr3zOZJbgupC8xiikAl8Z72byaspGkAs3a
pWy8Bmi06iMotERIBwdcW5cE+SKWgADurLqPCXixku0EtAiwgwJKIZUrhEjJqU+BIxSxh5kzwbTi
gyMUg0nLNGgn7QgMHEQzWxTgEmJ29+xMwS5BqBCLzjs35AMCvwoYThZCd/EIOytcQ09HNEuyBxMb
R4r1zo/lnEwvOxiURyYPDbgGMk2TEMgPN6eCDB9tV4JHLHWrAAcUwfg7Dd1yuyJBOGz7MXUt7Rxx
Mb5EN0LLBcgskLfXk18x9Q94lWNACyhaC91D4aV44sxjmePQOQtMAFCn0KEUiI1tq0MchRVUsMLy
TBR98UNjSzROhC42aN2DDdeYUbotHwZiw4c4SfB5R9OYwnoH9CjifBNrDwBAH2KsMv20I+M7RB9S
9PUA0t//IUMkB6Gd/vvwxy///PTXz0EEADs=

------=_NextPart_000_0009_01C16CE7.5F656410
Content-Type: multipart/alternative;
	boundary="----=_NextPart_001_000C_01C16CE7.5F656410"


------=_NextPart_001_000C_01C16CE7.5F656410
Content-Type: text/html;
	charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable
Content-Location: http://ist.uwaterloo.ca/security/howto/2000-10-04/

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<!-- $Id: index.html,v 1.4 2001/03/19 14:50:04 reggers Exp $ =
--><HTML><HEAD><TITLE>Securing SNMP on Solaris</TITLE>
<META content=3D"text/html; charset=3Dwindows-1252" =
http-equiv=3DContent-Type>
<META content=3D"MSHTML 5.00.3315.2870" =
name=3DGENERATOR></HEAD><FRAMESET border=3Dno=20
cols=3D15%,* frameBorder=3D0 frameSpacing=3D0><FRAME scrolling=3Dno=20
src=3D"http://ist.uwaterloo.ca/security/howto/2000-10-04/content.html"><F=
RAME=20
name=3DView=20
src=3D"http://ist.uwaterloo.ca/security/howto/2000-10-04/recommend.html">=
<NOFRAMES>=0A=
<body>=0A=
Oops! Your browser doesn't support frames. Try starting at the=0A=
<A HREF=3D"content.html">Table of Contents</A>.=0A=
</body>=0A=
</NOFRAMES></FRAMESET></HTML>

------=_NextPart_001_000C_01C16CE7.5F656410
Content-Type: text/html;
	charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable
Content-Location: http://ist.uwaterloo.ca/security/howto/2000-10-04/content.html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<!-- $Id: content.html,v 1.3 2001/03/19 15:08:09 reggers Exp $ =
--><HTML><HEAD><TITLE>Contents: Solaris Network Hardening</TITLE>
<META content=3D"text/html; charset=3Dwindows-1252" =
http-equiv=3DContent-Type>
<META content=3D"MSHTML 5.00.3315.2870" name=3DGENERATOR></HEAD>
<BODY bgColor=3Dwhite>
<DIV><A href=3D"http://ist.uwaterloo.ca/" target=3D_top><IMG =
align=3Dcenter alt=3D[IST]=20
border=3D0 height=3D75 src=3D"http://ist.uwaterloo.ca/ISTlogo.gif" =
width=3D75></A>=20
</DIV>
<P><SMALL><BR><A=20
href=3D"http://ist.uwaterloo.ca/security/howto/2000-10-04/synopsis.html" =

target=3DView>Synopsis</A> <BR><BR><A=20
href=3D"http://ist.uwaterloo.ca/security/howto/2000-10-04/problem.html"=20
target=3DView>The Problem</A> <BR><A=20
href=3D"http://ist.uwaterloo.ca/security/howto/2000-10-04/learned.html"=20
target=3DView>What We Learned</A> <BR><A=20
href=3D"http://ist.uwaterloo.ca/security/howto/2000-10-04/recommend.html"=
=20
target=3DView>Recommendation</A> <BR><A=20
href=3D"http://ist.uwaterloo.ca/security/howto/2000-10-04/postscript.html=
"=20
target=3DView>Postscript</A> <BR><BR><A=20
href=3D"http://ist.uwaterloo.ca/security/howto/2000-10-04/refs.html"=20
target=3DView>References</A> </SMALL></P></BODY></HTML>

------=_NextPart_001_000C_01C16CE7.5F656410--

------=_NextPart_000_0009_01C16CE7.5F656410
Content-Type: image/gif
Content-Transfer-Encoding: base64
Content-Location: http://ist.uwaterloo.ca/icons/hand.right.gif

R0lGODlhFAAWAMIAAP/////Mmcz//5lmMwAAAAAAAAAAAAAAACH+TlRoaXMgYXJ0IGlzIGluIHRo
ZSBwdWJsaWMgZG9tYWluLiBLZXZpbiBIdWdoZXMsIGtldmluaEBlaXQuY29tLCBTZXB0ZW1iZXIg
MTk5NQAh+QQBAAACACwAAAAAFAAWAAADTCi63P4wykkdubiSwDuRVydi5CWEYjBsKbe2rDjMdMwR
w1iaaZx7jcDm8nOpVsFjsSh0CFuq46fxko0eKOtsiu0UuRHfVlOqmM9oSgIAOw==

------=_NextPart_000_0009_01C16CE7.5F656410
Content-Type: text/html;
	charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable
Content-Location: http://ist.uwaterloo.ca/security/howto/2000-10-04/recommend.html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<!-- $Id: recommend.html,v 1.2 2001/03/19 15:15:51 reggers Exp $ =
--><HTML><HEAD><TITLE>Securing SNMP on Solaris</TITLE>
<META content=3D"text/html; charset=3Dwindows-1252" =
http-equiv=3DContent-Type>
<META content=3D"solaris network security snmp dmi hardening" =
name=3Dkeywords><LINK=20
href=3D"mailto:reggers@ist.uwaterloo.ca" rev=3Dmade>
<META content=3D"MSHTML 5.00.3315.2870" name=3DGENERATOR></HEAD>
<BODY bgColor=3Dwhite>
<H3 align=3Dright>Security Review: Securing SNMP on Solaris =
<BR>Information=20
Systems and Technology <BR>University of Waterloo </H3>
<HR>

<H3><A name=3DRECOMMEND>Recommendation</A></H3>
<BLOCKQUOTE>To configure public <SMALL>SNMP</SMALL> services on a =
Solaris 8=20
  server and restrict the service to a short list of managers we =
recommend:=20
  <OL>
    <LI>First, make sure you have configured <B>syslogd(1M)</B> to be =
far more=20
    verbose about logging what's happening. We recommend a very verbose =
audit=20
    (at least during the install):=20
    <P><PRE><SMALL>[2:39 wally] <B>grep /syslog /etc/syslog.conf</B>
#mail.debug          ifdef(`LOGHOST', /var/log/syslog, @loghost)
*.debug              ifdef(`LOGHOST', /var/log/syslog, @loghost)
</SMALL></PRE>
    <P>The default configuration is to log everything wrt. mail services =
at the=20
    debug level to the file <B>/var/log/syslog</B>. We recommend you log =

    everything to the same file. When things go wrong, as they sometimes =
do, a=20
    good audit trail will be important.=20
    <P></P>
    <LI>Stop the vendor provided <SMALL>SNMP</SMALL> and =
<SMALL>DMI</SMALL>=20
    services on your system:=20
    <P><PRE><SMALL>[2:40pm wally]# <B>cd /etc/init.d</B>
[2:40pm wally]# <B>./init.dmi stop</B>
[2:40pm wally]# <B>./init.snmpdx stop</B>
</SMALL></PRE>
    <P>If you want to restart those services run the shell scripts with =
a=20
    "start" option instead. You <EM><B>may</B></EM> find these scripts =
with=20
    different names on other versions of Solaris (but I suspect not).=20
    <P></P>
    <LI>Configure the boot sequence so the vendor provided =
<SMALL>SNMP</SMALL>=20
    and <SMALL>DMI</SMALL> services aren't restarted at next reboot:=20
    <P><PRE><SMALL>[2:41pm wally]# <B>cd /etc/rc3.d</B>
[2:41pm wally]# <B>mv S76snmpdx No.S76snmpdx</B>
[2:41pm wally]# <B>mv S77dmi No.S77dmi</B>
</SMALL></PRE>
    <P>Renaming the startup scripts effectively removes them from the =
boot=20
    sequence. You <EM><B>may</B></EM> find these scripts with different =
names on=20
    other versions of Solaris (but I suspect not).=20
    <P></P>
    <LI>Configure the "managers" that can send <SMALL>SNMP</SMALL> =
requests to=20
    the <B>mibiisa(1)</B> server -- edit the <B>snmpd.conf</B> file. =
Here's what=20
    we use (note that we've filled in the "system" information, =
restricted the=20
    service to only "public" information, tossed anything to do with =
"traps" and=20
    restricted the managers to just <B>ratbert</B>):=20
    <P><PRE><SMALL>[2:43pm wally]# <B>cd /etc/snmp/conf</B>
[2:43pm wally]# <B>egrep -v '^$|^#' snmpd.conf </B>
sysdescr        Sun SNMP Agent, SPARCstation-10
syscontact      dilbert@ist.uwaterloo.ca
sysLocation     IST Machine Room, Rack 4, Tray 3
system-group-read-community     public=20
read-community  public=20
managers        ratbert
</SMALL></PRE>
    <P>The "grep" in the example tosses all commentary and empty lines =
--=20
    there's not much to the file. Note the configuration shown only =
allows=20
    <B>ratbert</B> to query <B>wally</B>. It's a very simple =
configuration --=20
    we've even tossed the traps that we didn't need. We've updated the =
"system"=20
    information so we can find the system (it's physical location) and =
the=20
    support person.=20
    <P></P>
    <LI>Configure your boot sequence to bring up only the =
<B>mibiisa(1M)</B>=20
    daemon and none of the others. Make sure you bring it up in =
read-only mode.=20
    Here's a sample configuration you might wish to use:=20
    <P><PRE><SMALL>#!/sbin/sh
#
# $Id: recommend.html,v 1.2 2001/03/19 15:15:51 reggers Exp $
#
# Start the minimal SNMP services required for select managers to get =
public
# data. Install as /etc/rc3.d/S99mibiisa (or insert into your favorite =
local
# boottime script). Make sure you disable S76snmpdx and S77dmi in the =
same
# directory.
#
# Reg Quinton &lt;reggers@ist.uwaterloo.ca&gt;; 5-Oct-2000

case "$1" in
'start')
	/usr/lib/snmp/mibiisa -r &lt;/dev/null &gt;/dev/null 2&gt;&gt;&amp;1 =
&amp;
	;;

'stop')
	/usr/bin/pkill -9 -x -u 0 'mibiisa'
	;;

*)
	echo "Usage: $0 { start | stop }"
	exit 1
	;;
esac
exit 0
</SMALL></PRE>
    <P>The script should be installed in <B>/etc/rc3.d</B> and made =
executable.=20
    <P></P>
    <LI>Finally, you can start the daemon by hand (it will be started=20
    automatically at next reboot if you installed the script in=20
    <B>/etc/rc3.d</B>):=20
    <P><PRE><SMALL>[2:45pm wally]# <B>./S99mibiisa start</B>
[2:45pm wally]# <B>ps -ef | grep mibiisa</B>
    root 19762     1  0 11:55:35 ?        0:00 /usr/lib/snmp/mibiisa -r
[2:45pm wally]# <B>lsof -i | grep snmp</B>
mibiisa   19762    root    2u  IPv4 0x300011f8660       0t0  UDP *:snmp =
(Idle)
</SMALL></PRE>
    <P>If the daemon fails to start you should check the audit trail in=20
    <B>/var/log/syslog</B>. </P></LI></OL>If you follow these =
recommendations you=20
  will have eliminated three daemons (<B>snmpdx(1M)</B>, =
<B>dmispd(1M)</B> and=20
  <B>snmpXdmid(1M)</B>) and nine network entry points. You'll now have =
only one=20
  daemon (<B>mibiisa(1M)</B>) and one network entry point -- the =
<B>snmp</B>=20
  port serviced by that daemon. You will have made your system more =
secure.=20
</BLOCKQUOTE><IMG alt=3DNB: =
src=3D"http://ist.uwaterloo.ca/icons/hand.right.gif">=20
<B>Caution:</B> We suspect that this configuration may not answer as =
many=20
<SMALL>SNMP</SMALL> requests as the default vendor configuration -- no =
doubt=20
there are <EM>some</EM> requests which were answered in the vendor =
configuration=20
by querying the <SMALL>DMI</SMALL> daemons we have eliminated. =
<EM><B>There may=20
be additional security provided by the snmpdx(1M) daemon which we have=20
eliminated!</B></EM>=20
<P>
<HR>

<DIV align=3Dright><SMALL><I><A href=3D"http://uwaterloo.ca/~reggers"=20
target=3D_top>Reg Quinton</A>, <A href=3D"http://ist.uwaterloo.ca/"=20
target=3D_top>Information Systems and Technology</A> <BR>2000/10/04 -=20
2001/03/19</I> </SMALL></DIV></BODY></HTML>

------=_NextPart_000_0009_01C16CE7.5F656410--