Solaris Secure by Default
The Solaris Secure by Default project reduces the attack surface of the Solaris OS by disabling as many network services as possible while still leaving a useful system. In this way, the number of network services exposed in a default configuration is dramatically reduced. This project changes the default configuration of the Solaris OS such that ssh is the only network-listening service. Other network services are either disabled or configured to accept requests only from the local system. This project was integrated into Solaris 10 11/06 (Update 3).
The following services are affected by the Solaris Secure by Default “local only” policy: when running in a secure by default configuration, they are set to local only. The table lists each service, its FMRI, the SMF property that controls the local only behavior, and that property's possible values. The value highlighted in bold is the value used in a secure by default configuration:
Service | FMRI | Property | Values |
---|---|---|---|
rpcbind | svc:/network/rpc/bind | config/local_only | **true**, false |
syslog | svc:/system/system-log | config/log_from_remote | true, **false** |
sendmail | svc:/network/smtp:sendmail | config/local_only | **true**, false |
smcwebserver | svc:/system/webconsole:console | options/tcp_listen | true, **false** |
wbem | svc:/application/management/wbem | options/tcp_listen | true, **false** |
X11 | svc:/application/x11/x11-server | options/tcp_listen | true, **false** |
CDE | svc:/application/graphical-login/cde-login | dtlogin/args | [null], **-udpPort 0** |
ToolTalk | svc:/network/rpc/cde-ttdbserver:tcp | proto | tcp, **ticotsord** |
calendar | svc:/network/rpc/cde-calendar-manager | proto | tcp, **ticlts** |
BSD printing | svc:/application/print/rfc1179:default | bind_attr | [null], **localhost** |
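
To check a host against the table above, the following added example (not part of the original page or of the Solaris project) compares observed property values with the secure by default ones and reports rows that are missing or that deviate. It assumes the restricting value in each row is the secure one (the value the table marks in bold); the function names and the `FMRI|property|value` input format are hypothetical, and the observed rows are a constructed sample.

```shell
#!/bin/sh
# Added example: audit SMF property values against the "local only" table.
# Rows are FMRI|property|secure value. The secure values are an assumption:
# the restricting value of each pair listed in the table.
SBD_EXPECTED='svc:/network/rpc/bind|config/local_only|true
svc:/system/system-log|config/log_from_remote|false
svc:/network/smtp:sendmail|config/local_only|true
svc:/system/webconsole:console|options/tcp_listen|false
svc:/application/management/wbem|options/tcp_listen|false
svc:/application/x11/x11-server|options/tcp_listen|false
svc:/application/graphical-login/cde-login|dtlogin/args|-udpPort 0
svc:/network/rpc/cde-ttdbserver:tcp|proto|ticotsord
svc:/network/rpc/cde-calendar-manager|proto|ticlts
svc:/application/print/rfc1179:default|bind_attr|localhost'

# Constructed sample of observed values in the same form. On a host, each
# value could be collected with `svcprop -p <property> <FMRI>`.
SAMPLE_OBSERVED='svc:/network/rpc/bind|config/local_only|false
svc:/system/system-log|config/log_from_remote|false
svc:/network/smtp:sendmail|config/local_only|true
svc:/system/webconsole:console|options/tcp_listen|false
svc:/application/management/wbem|options/tcp_listen|false
svc:/application/x11/x11-server|options/tcp_listen|true
svc:/application/graphical-login/cde-login|dtlogin/args|-udpPort 0
svc:/network/rpc/cde-ttdbserver:tcp|proto|ticotsord
svc:/application/print/rfc1179:default|bind_attr|'

# sbd_lookup KEY: print "found:<value>" for KEY (FMRI|property) in $OBSERVED.
# The prefix separates an empty value ([null]) from a row that is absent.
sbd_lookup() {
    printf '%s\n' "$OBSERVED" | while IFS='|' read -r f p v; do
        if [ "$f|$p" = "$1" ]; then printf 'found:%s\n' "$v"; break; fi
    done
}

# audit_sbd: read observed rows on stdin and print one finding per expected
# row that is absent (MISSING) or differs from the secure value (DEVIATES).
audit_sbd() {
    OBSERVED=$(cat)
    while IFS='|' read -r fmri prop want; do
        got=$(sbd_lookup "$fmri|$prop")
        case $got in
            "") printf 'MISSING %s %s\n' "$fmri" "$prop" ;;
            "found:$want") ;;
            *) printf "DEVIATES %s %s='%s' (secure: '%s')\n" \
                   "$fmri" "$prop" "${got#found:}" "$want" ;;
        esac
    done <<EOF
$SBD_EXPECTED
EOF
    return 0
}

printf '%s\n' "$SAMPLE_OBSERVED" | audit_sbd
```

A MISSING row means the property was not reported at all (for example, the service is not installed), which is different from a property that is present but empty.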
References
To read more about the Solaris Secure by Default project, see:
- OpenSolaris Community Project: Secure by Default
  - Project Page: http://www.opensolaris.org/os/community/security/projects/sbd/
  - Training: http://www.opensolaris.org/os/community/security/projects/sbd/sbd_toi.pdf
- Sun Blog: Solaris Secure by Default
  - Part 1: http://blogs.sun.com/gbrunett/?entry=solaris_secure_by_default_part
  - Part 2: http://blogs.sun.com/gbrunett/?entry=solaris_secure_by_default_part1
  - Part 3: http://blogs.sun.com/gbrunett/?entry=solaris_secure_by_default_part2