Weekly Solaris Security Roundup Archive
By Seán Boran, sean AT boran.com, for Security Portal
Contents:
The Rundown
Advisories & Security Bulletins
News
Mailing lists / Bugtraq
Tip of the Week
A quiet week for Sun, no new advisories or weaknesses.
none this week.
On Sunworld: "Techniques and tools for penetration testing" is a useful introduction to the subject.
If you're wondering just how free Solaris 8 is, consult www.sun.com/software/solaris/binaries/faq.html.
www.SolarisGuide.com has some useful resources:
Novice Solaris administrators may find the quickguides useful (but the guide on hardening is a little short).
Useful FAQs, Online Man Pages
Reviews: VirusWall, DNews, Solaris 8.
Bugtraq vulnerabilities this week - Solaris:
none
Bugtraq vulnerabilities this week - Applications that run on Solaris:
000-05-24: Qualcomm Qpopper Format String Input Vulnerability
Summary of FOCUS-Sun discussions this week:
05/23/00: Solaris Security Patches - notification formats/methods - latest matrix
05/23/00: "OLD-BROADCAST" traffic
The SecurityPortal "Hardening Solaris" whitepaper has been updated to include Solaris 8 and the latest version of Yassp.
This article presents a concise step-by-step approach to securely installing Solaris for use in a firewall, DMZ, or other sensitive environment, using the YASSP tool and the Sunscreen EFS firewall (with Solaris 8).
The focus is on preparing the Operating System to securely run services, but tips are also provided on the use of free security tools and configuring common services.
SecurityPortal are contributing actively to the evolution of the Yassp hardening tool, which brings together the experience of many Solaris security experts.
Sun Security Resources:
Sun Security Coordination Team sunsolve.sun.com/pub-cgi/show.pl?target=security/sec
Sun security bulletins are available at: sunsolve.sun.com/security
General Sun Security www.sun.com/security
Solaris Security Datasheets www.sun.com/software/solaris/ds/ds-security
Java Security java.sun.com/security
Patches
If you have a maintenance contract, log in to SunSolve and get both the PatchDiag tool and its reference database: sunsolve.sun.com. If you don't, use the SecurityFocus Solaris Patch Calculator: www.securityfocus.com/sun/vulncalc
Sun security patches: sunsolve.sun.com/securitypatch
Public: sunsolve.sun.com/pub-cgi/show.pl?target=patches/patch-access
Patch download tool WGET: sunsite.auc.dk/ftp/pub/infosystems/wget
Web Publications & resources
SecurityFocus, Sun section: www.securityfocus.com/sun
Vulnerability database: www.securityfocus.com/vdb
Security Portal papers:
Hardening Solaris
Review of the Sunscreen EFS3 firewall
All about SSH - Part I
All about SSH - Part II
Sunworld:
Sunwhere index of resources
Sunworld security columns
Solaris Security FAQ
General discussion resources
News / personal interface to Sun resources: www.sun.com/MySun
BigAdmin discussion forum & FAQs: www.sun.com/bigadmin/home/index.html
Newsgroups:
comp.unix.solaris
comp.sys.sun.admin
comp.sys.sun.hardware
alt.solaris.x86
Sun-managers mailing list: This list has been around for many years and is an invaluable resource to Sun system administrators.
To have your mailing address added to or removed from the mailing list, send a request to "majordomo@sunmanagers.ececs.uc.edu". The request should contain simply one line which says either "subscribe sun-managers" or "unsubscribe sun-managers". You can specify the particular e-mail address to be added after the word "subscribe".
SecurityFocus "FOCUS-Sun" list: see www.securityfocus.com/focus/sun/subscribe.html
Focus-Sun is meant to be a resource for Sun users and administrators looking for that extra little bit of help in securing Sun products, using Sun products in security roles, and getting additional information about the latest in Sun vulnerabilities. Unsure how secure NIS is? Curious as to how to properly use ACLs? Does the latest and greatest Sun RPC bug affect you? Questions like these are all expected and encouraged. The Focus-Sun list is meant to address those questions which are inappropriate or off topic for Bugtraq. In addition, important announcements related to breaking vulnerabilities will be posted, with the details needed to ensure that you have the up-to-the-minute information you need to keep your Suns secure.