Comments on: Solaris, Secure by Default http://aspiringsysadmin.com/blog/2007/07/09/solaris-secure-by-default/ How to build an infrastructure based on UNIX Thu, 20 Nov 2008 00:04:50 +0000 http://wordpress.org/?v=2.6.2 By: Leandro Vanden Bosch http://aspiringsysadmin.com/blog/2007/07/09/solaris-secure-by-default/#comment-366 Leandro Vanden Bosch Wed, 09 Jul 2008 20:32:03 +0000 http://aspiringsysadmin.com/blog/2007/07/09/solaris-secure-by-default/#comment-366 What Mark says it's called Remote Services in the interactive installation. If you disable it, the only remote service by default is SSH and all the other essential network services are bound to the loopback interface (except for 111-sunrpc, I think). What Mark says it’s called Remote Services in the interactive installation.
If you disable it, the only remote service by default is SSH and all the other essential network services are bound to the loopback interface (except for 111-sunrpc, I think).

]]> By: Mark http://aspiringsysadmin.com/blog/2007/07/09/solaris-secure-by-default/#comment-186 Mark Thu, 20 Sep 2007 18:14:04 +0000 http://aspiringsysadmin.com/blog/2007/07/09/solaris-secure-by-default/#comment-186 In Solaris 10 release 11/06 and later, there is an option given during install to make this happen, before you boot the server for the first time. See "Planning Network Security" from the Solaris 10 11/06 Installation Guide: http://docs.sun.com/app/docs/doc/819-6764/6n8onr7pd In Solaris 10 release 11/06 and later, there is an option given during install to make this happen, before you boot the server for the first time. See “Planning Network Security” from the Solaris 10 11/06 Installation Guide:
http://docs.sun.com/app/docs/doc/819-6764/6n8onr7pd

]]> By: Nickus http://aspiringsysadmin.com/blog/2007/07/09/solaris-secure-by-default/#comment-108 Nickus Tue, 17 Jul 2007 19:06:32 +0000 http://aspiringsysadmin.com/blog/2007/07/09/solaris-secure-by-default/#comment-108 Peter, yes you are right. In newer versions of OpenBSD there is such a question. Thanks for pointing it out. Peter, yes you are right. In newer versions of OpenBSD there is such a question. Thanks for pointing it out.

]]> By: Peter N. M. Hansteen http://aspiringsysadmin.com/blog/2007/07/09/solaris-secure-by-default/#comment-74 Peter N. M. Hansteen Sun, 15 Jul 2007 11:15:39 +0000 http://aspiringsysadmin.com/blog/2007/07/09/solaris-secure-by-default/#comment-74 The article says OpenBSD comes by default with only sshd enabled. Unless my memory fails me completely this time around, in fact the OpenBSD installer asks you whether you want to enable sshd or not and defaults to not enabling it. So it's likely the default is in fact *no* services running, but most of us will want sshd running on boxes we do not usually have direct physical interaction with, possibly with some restrictions on where you can ssh in from. The article says OpenBSD comes by default with only sshd enabled. Unless my memory fails me completely this time around, in fact the OpenBSD installer asks you whether you want to enable sshd or not and defaults to not enabling it.

So it’s likely the default is in fact *no* services running, but most of us will want sshd running on boxes we do not usually have direct physical interaction with, possibly with some restrictions on where you can ssh in from.

]]> By: Nickus http://aspiringsysadmin.com/blog/2007/07/09/solaris-secure-by-default/#comment-52 Nickus Mon, 09 Jul 2007 15:06:56 +0000 http://aspiringsysadmin.com/blog/2007/07/09/solaris-secure-by-default/#comment-52 Vlad, thanks a lot for your comment. netservices are indeed a simpler command but the last sentence in the man page tells me "Note that the netservices command has an interface stability of Obsolete." so I assume netservices will go away. That is why I decided to write about profiles instead. But I may be wrong. Vlad, thanks a lot for your comment. netservices are indeed a simpler command but the last sentence in the man page tells me

“Note that the netservices command has an interface stability of Obsolete.”

so I assume netservices will go away. That is why I decided to write about profiles instead. But I may be wrong.

]]> By: Nickus http://aspiringsysadmin.com/blog/2007/07/09/solaris-secure-by-default/#comment-51 Nickus Mon, 09 Jul 2007 15:04:44 +0000 http://aspiringsysadmin.com/blog/2007/07/09/solaris-secure-by-default/#comment-51 Well, the title may be a bit misleading :-). I believe the generic_limited_net will be default in the next releases. When it comes to the differences in commands. If you use a new operating system you must know the differences between them. Not everything that works on Linux works on OpenBSD or the other way around. The same goes for Linux and Solaris. I don't see this as a real problem except that people expect that everything works as in Linux. Well, the title may be a bit misleading :-). I believe the generic_limited_net will be default in the next releases.

When it comes to the differences in commands. If you use a new operating system you must know the differences between them. Not everything that works on Linux works on OpenBSD or the other way around. The same goes for Linux and Solaris. I don’t see this as a real problem except that people expect that everything works as in Linux.

]]> By: David http://aspiringsysadmin.com/blog/2007/07/09/solaris-secure-by-default/#comment-49 David Mon, 09 Jul 2007 12:13:59 +0000 http://aspiringsysadmin.com/blog/2007/07/09/solaris-secure-by-default/#comment-49 You should maybe look up the term default :) Sun should adopt the term "Secure after changing one thing". I would also like to point out that this one thing isn't simple at all. Why? Well, consider someone who has been using *BSD or Linux for years and decides to try Solaris. How is that person supposed to know that exact command? So I am sorry but what you just wrote about is not "secure by default" nor simple, unless you are a Solaris user/hacker who is up to date when it comes to documentation and changes. You should maybe look up the term default :) Sun should adopt the term “Secure after changing one thing”. I would also like to point out that this one thing isn’t simple at all. Why? Well, consider someone who has been using *BSD or Linux for years and decides to try Solaris. How is that person supposed to know that exact command? So I am sorry but what you just wrote about is not “secure by default” nor simple, unless you are a Solaris user/hacker who is up to date when it comes to documentation and changes.

]]> By: Samuel http://aspiringsysadmin.com/blog/2007/07/09/solaris-secure-by-default/#comment-48 Samuel Mon, 09 Jul 2007 09:59:44 +0000 http://aspiringsysadmin.com/blog/2007/07/09/solaris-secure-by-default/#comment-48 If you've got to change something you can't really claim that it's "secure by default". Just wanted to point that out... If you’ve got to change something you can’t really claim that it’s “secure by default”. Just wanted to point that out…

]]> By: Vladimir Kotal http://aspiringsysadmin.com/blog/2007/07/09/solaris-secure-by-default/#comment-46 Vladimir Kotal Mon, 09 Jul 2007 08:59:05 +0000 http://aspiringsysadmin.com/blog/2007/07/09/solaris-secure-by-default/#comment-46 There is actually simpler way how to apply a pre-defined profile: see netservices(1M) There is actually simpler way how to apply a pre-defined profile: see netservices(1M)

]]>