Solaris, Secure by Default
If you know about OpenBSD (and you really should, it is a great OS) you may also know that one of their slogans is “Secure by Default”, which Solaris is now also adopting. OpenBSD is one of the few operating systems you can put directly on the Internet and be quite sure that you won’t be hacked. By default only ssh is running and listening on a port. If you need any additional services to run you need to enable them yourself. This is of course common sense, but OpenBSD was most likely first and they are doing an excellent job with regards to that. In addition they also provide a number of other great security features, but I won’t go into them in this article.
Look at a default Solaris 10 install and you will see it is shipped with a number of ports open and listening, just waiting to be hacked. Fortunately the Solaris team has taken a different look at Solaris network security and you can now easily switch off every service with one simple command (if you are running Solaris 10 11/06 or a recent release of Solaris Express). Here is how.
SMF supports profiles, which are basically preset lists of which services should run and which should be disabled. Look in /var/svc/profile to see what profiles are available. To switch off everything except ssh you apply the generic_limited_net.xml profile, with this command:
# svccfg apply /var/svc/profile/generic_limited_net.xml
That is it. Simple, isn’t it?
This profile will turn off every service that listens on a network port except for ssh (they are turned off at the moment you apply the profile). You are now Secure by Default. I hope that in future releases of Solaris 10 this will be the default setting.
The good news is that they have also extended sysidcfg(4) with a new keyword, service_profile. By using it you can select this limited profile already in JumpStart, so that the new system has the correct configuration from the very start. The new entry looks like this:
service_profile=limited_net
docs.sun.com has more information about it in the Solaris 10 11/06 Installation Guide: Network-Based Installations.
For further information on the new profiles, have a look at Managing SMF Services on docs.sun.com.


There is actually a simpler way to apply a pre-defined profile: see netservices(1M)
If you’ve got to change something you can’t really claim that it’s “secure by default”. Just wanted to point that out…
You should maybe look up the term default
Sun should adopt the term “Secure after changing one thing”. I would also like to point out that this one thing isn’t simple at all. Why? Well, consider someone who has been using *BSD or Linux for years and decides to try Solaris. How is that person supposed to know that exact command? So I am sorry but what you just wrote about is not “secure by default” nor simple, unless you are a Solaris user/hacker who is up to date when it comes to documentation and changes.
Well, the title may be a bit misleading :-). I believe the generic_limited_net will be default in the next releases.
When it comes to the differences in commands: if you use a new operating system you must know the differences between them. Not everything that works on Linux works on OpenBSD or the other way around. The same goes for Linux and Solaris. I don’t see this as a real problem except that people expect that everything works as in Linux.
Vlad, thanks a lot for your comment. netservices is indeed a simpler command, but the last sentence in the man page tells me
“Note that the netservices command has an interface stability of Obsolete.”
so I assume netservices will go away. That is why I decided to write about profiles instead. But I may be wrong.
The article says OpenBSD comes by default with only sshd enabled. Unless my memory fails me completely this time around, in fact the OpenBSD installer asks you whether you want to enable sshd or not and defaults to not enabling it.
So it’s likely the default is in fact *no* services running, but most of us will want sshd running on boxes we do not usually have direct physical interaction with, possibly with some restrictions on where you can ssh in from.
Peter, yes you are right. In newer versions of OpenBSD there is such a question. Thanks for pointing it out.
In Solaris 10 release 11/06 and later, there is an option given during install to make this happen, before you boot the server for the first time. See “Planning Network Security” from the Solaris 10 11/06 Installation Guide:
http://docs.sun.com/app/docs/doc/819-6764/6n8onr7pd
What Mark says is called Remote Services in the interactive installation.
If you disable it, the only remote service by default is SSH and all the other essential network services are bound to the loopback interface (except for 111-sunrpc, I think).