Solaris Secure by Default

The Solaris Secure by Default project reduces the network attack surface of the Solaris OS by disabling as many network services as possible while still leaving a useful system. In this way, the number of exposed network services (in a default configuration) is dramatically reduced. The project changes the default configuration of the Solaris OS so that ssh is the only network-listening service. Other network services are either disabled or configured to accept requests only from the local system. This project was integrated into Solaris 10 11/06 (Update 3).

The following services are affected by the Solaris Secure by Default "local only" policy; in a secure by default configuration each of them is set to local only. The table lists each service, its FMRI, the SMF property that controls the local only behavior, and that property's possible values. The value marked with an asterisk (*) is the one used in a secure by default configuration:

Service        FMRI                                         Property                Values
rpcbind        svc:/network/rpc/bind                        config/local_only       true*, false
syslog         svc:/system/system-log                       config/log_from_remote  true, false*
sendmail       svc:/network/smtp:sendmail                   config/local_only       true*, false
smcwebserver   svc:/system/webconsole:console               options/tcp_listen      true, false*
wbem           svc:/application/management/wbem             options/tcp_listen      true, false*
X11            svc:/application/x11/x11-server              options/tcp_listen      true, false*
CDE            svc:/application/graphical-login/cde-login   dtlogin/args            [null], -udpPort 0*
ToolTalk       svc:/network/rpc/cde-ttdbserver:tcp          proto                   tcp, ticotsord*
calendar       svc:/network/rpc/cde-calendar-manager        proto                   tcp, ticlts*
BSD printing   svc:/application/print/rfc1179:default       bind_attr               [null], localhost*
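The following POSIX sh script is an added example, not part of the original page or of the Solaris project: it audits a host against the table above and reports every service whose SMF property still permits remote access. The current property values are a constructed sample embedded in get_prop so the script runs offline; on a real Solaris host the body of get_prop would call svcprop instead.

```shell
# Added example (not from the original page): audit a host against the Secure
# by Default "local only" table above and report every service whose SMF
# property still allows remote access.
# CONSTRUCTED sample of current values (what `svcprop -p PROP FMRI` prints);
# syslog and X11 are deliberately left network-reachable.
SAMPLE_PROPS='svc:/network/rpc/bind config/local_only true
svc:/system/system-log config/log_from_remote true
svc:/network/smtp:sendmail config/local_only true
svc:/system/webconsole:console options/tcp_listen false
svc:/application/management/wbem options/tcp_listen false
svc:/application/x11/x11-server options/tcp_listen true
svc:/application/graphical-login/cde-login dtlogin/args -udpPort 0
svc:/network/rpc/cde-ttdbserver:tcp proto ticotsord
svc:/network/rpc/cde-calendar-manager proto ticlts
svc:/application/print/rfc1179:default bind_attr localhost'
# Policy: FMRI, property, value used in a secure by default configuration.
SBD_POLICY='svc:/network/rpc/bind config/local_only true
svc:/system/system-log config/log_from_remote false
svc:/network/smtp:sendmail config/local_only true
svc:/system/webconsole:console options/tcp_listen false
svc:/application/management/wbem options/tcp_listen false
svc:/application/x11/x11-server options/tcp_listen false
svc:/application/graphical-login/cde-login dtlogin/args -udpPort 0
svc:/network/rpc/cde-ttdbserver:tcp proto ticotsord
svc:/network/rpc/cde-calendar-manager proto ticlts
svc:/application/print/rfc1179:default bind_attr localhost'
# get_prop FMRI PROPERTY: print the current value. On a real Solaris host replace
# the body with:  svcprop -p "$2" "$1"  (assumption: svcprop backslash-escapes
# embedded spaces, e.g. -udpPort\ 0, so unescape before comparing).
get_prop() {
    printf '%s\n' "$SAMPLE_PROPS" |
        awk -v f="$1" -v p="$2" '$1 == f && $2 == p { $1 = ""; $2 = ""; sub(/^ +/, ""); print }'
}
# audit_sbd: print one line per deviation; exit status = number of deviations.
audit_sbd() {
    violations=0
    while read -r fmri prop want; do
        have=$(get_prop "$fmri" "$prop")
        if [ "$have" != "$want" ]; then
            echo "$fmri $prop current=$have expected=$want"
            violations=$((violations + 1))
        fi
    done <<EOF
$SBD_POLICY
EOF
    return "$violations"
}
audit_sbd || echo "$? service(s) are not local only"
```

With the constructed sample the script lists syslog and X11 and exits with status 2; a fully secure by default host prints nothing and exits 0.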

References

To read more about the Solaris Secure by Default project, see: