Traditionally, Solaris systems have provided a large number of
network services by default. This open approach is convenient, but
it also makes it easy for remote attackers to exploit any vulnerabilities
that may exist in the software providing the network services.
The Secure by Default project reduces this attack surface by disabling as many network services as possible while still leaving a useful system.
This project changes the default configuration of Solaris
so that ssh is the only network-listening service. Other network services are
either disabled or configured to accept requests only from the local
system.
Secure by Default uses the Solaris Service Management Facility
(SMF) to control the affected network services. The key elements of the
project are:
More detailed information about the implementation, including the
affected service and property names, is included in the design specification.
Fresh installations of Solaris will be configured with network
services disabled as described above. This initial configuration
can be customized using existing SMF commands.
Any individual service can be enabled using the normal
svcadm(1M) and svccfg(1M) commands.
Disabling network services can be achieved manually by running
# netservices limited
This can be used on upgraded systems, where no changes are made by
default, or to re-establish the hardened state after enabling
individual services. Similarly, default services can be enabled as they
were in previous Solaris releases by running
# netservices open
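To confirm the effect of netservices limited, the listening TCP sockets can be checked against the rule stated above: ssh reachable from the network, everything else local only. The script below is an added example, not part of the Secure by Default project. It assumes the Solaris netstat -an -P tcp column layout; the function name remote_listeners and both sample listings are constructed for illustration, and UDP is not covered.

```shell
#!/bin/sh
# Added example: list TCP listeners that break the "limited" profile rule
# (only ssh reachable from the network; everything else local only).
# Assumes Solaris-style output of: netstat -an -P tcp

# remote_listeners: read netstat output on stdin and print "host port" for
# every LISTEN socket that is neither loopback-bound nor ssh (port 22).
remote_listeners() {
    awk '
    {
        listening = 0
        for (i = 2; i <= NF; i++) if ($i == "LISTEN") listening = 1
        if (!listening) next                   # headers, established, etc.
        if (!match($1, /\.[^.]*$/)) next       # local address is host.port
        host = substr($1, 1, RSTART - 1)
        port = substr($1, RSTART + 1)
        if (host ~ /^127\./ || host == "::1") next   # local-only service
        if (port == "22") next                       # ssh is expected
        print host, port
    }'
}

# Constructed sample: a system in the "open" state (not captured output).
SAMPLE_OPEN='TCP: IPv4
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q    State
-------------------- -------------------- ----- ------ ----- ------ -----------
      *.22                 *.*                0      0 49152      0 LISTEN
      *.111                *.*                0      0 49152      0 LISTEN
      *.25                 *.*                0      0 49152      0 LISTEN
192.168.1.10.22      192.168.1.20.51234   64240      0 49232      0 ESTABLISHED'

# Constructed sample: the same system after "netservices limited".
SAMPLE_LIMITED='TCP: IPv4
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q    State
-------------------- -------------------- ----- ------ ----- ------ -----------
      *.22                 *.*                0      0 49152      0 LISTEN
127.0.0.1.25               *.*                0      0 49152      0 LISTEN
TCP: IPv6
      *.22                              *.*       0      0 49152      0 LISTEN
::1.25                                  *.*       0      0 49152      0 LISTEN'

echo "open profile, unexpected listeners:"
printf '%s\n' "$SAMPLE_OPEN" | remote_listeners
echo "limited profile, unexpected listeners (none expected):"
printf '%s\n' "$SAMPLE_LIMITED" | remote_listeners
```

On a live system the function would be fed from netstat -an -P tcp instead of the samples; any line it prints is a service to review with svcs and svcadm.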
This project is integrated in Nevada build 42 and Solaris Express 7/06.
© 2012, Oracle Corporation and/or its affiliates.