Secure by Default Design Specification

Overview

 The Secure by Default project hardens the default configuration of Solaris systems by disabling network services. The effect of the project is summarized by the following sample "flag day" message that could be sent to describe its integration in Solaris Nevada.

Today's integration of the Secure by Default project represents a minor
flag day for anyone who does a fresh install of Solaris Nevada. There
is no effect by default on those who upgrade or bfu existing systems.

On newly installed systems, all network services (except for ssh) that
were previously enabled by default are now either disabled or
constrained to respond to local requests only. This change minimizes
the attack surface for an installed system and provides a base for
customers to enable only the services they require.

All of the affected services are controlled by the Service Management
Framework (SMF). Any individual service can be enabled using the normal
svcadm(1M) and svccfg(1M) commands.

Disabling network services can also be achieved manually by running the
netservices(1M) command. This can be used on upgraded systems,
where no changes are made by default, or to re-establish the hardened
state after enabling individual services.

 The intent of this project is to satisfy a long-standing customer demand to reduce the attack surface by disabling as many network services as possible while still leaving a useful system. To that end, some infrastructure "services" are not affected. In particular, routed will still accept routing packets, and kernel networking services such as arp and icmp will not be disabled.
 As described above, all of the service configuration changes are made using SMF. Therefore, the project consists of the following major items:

  • conversion of services to SMF control
  • additional SMF properties for existing service FMRIs
  • a command and SMF profile to put the system in the hardened state
  • install changes to allow the user to select the default behavior (Solaris 10 only)

SMF Service Changes

The project converts the services below to SMF with the indicated FMRIs.

Service                      FMRI                                    Action Taken
dtprintinfo                  svc:/application/cde-printinfo          disabled
CDE subprocess control       svc:/network/cde-spc                    disabled
DMI                          svc:/application/management/dmi         disabled
SNMP                         svc:/application/management/sma         disabled
Solstice Enterprise Agent    svc:/application/management/snmpdx      disabled
Seaport                      svc:/application/management/seaport     disabled

The project adds the following properties to existing services.

Service          FMRI                                  Property                 Action Taken
rpcbind          svc:/network/rpc/bind                 config/local_only        limit to local connections
syslogd          svc:/system/system-log                config/log_from_remote   limit to local connections
sendmail         svc:/network/smtp:sendmail            config/local_only        limit to local connections
smcwebserver     svc:/system/webconsole:console        options/tcp_listen       limit to local connections
WBEM             svc:/application/management/wbem      options/tcp_listen       limit to local connections

Contents of Limited Networking profile

The project adds to the existing generic_limited_net profile defined in PSARC 2004/781. This profile includes all of the settings described above for new SMF services plus the settings described below for existing services.

Service                      FMRI                                           Property               Action Taken
X server                     svc:/application/x11/x11-server                options/tcp_listen     limit to local connections
X font server                svc:/application/x11/xfs                                              disabled
dtlogin                      svc:/application/graphical-login/cde-login     dtlogin/args           limit to local connections
ToolTalk                     svc:/network/rpc/cde-ttdbserver:tcp            proto=ticotsord        limit to local connections
dtcm                         svc:/network/rpc/cde-calendar-manager          proto=ticlts           limit to local connections
BSD print                    svc:/application/print/rfc1179:default         bind_addr=localhost    limit to local connections
Internet print protocol      svc:/application/print/ipp-listener:default                           disabled
SVM remote metaset           svc:/network/rpc/meta                                                 disabled
SVM remote mediator          svc:/network/rpc/metamed                                              disabled
SVM remote multihost disk    svc:/network/rpc/metamh                                               disabled
SVM communication            svc:/network/rpc/mdcomm                                               disabled
rstatd                       svc:/network/rpc/rstat:default                                        disabled
rusersd                      svc:/network/rpc/rusers:default                                       disabled
telnetd                      svc:/network/telnet:default                                           disabled
statd                        svc:/network/nfs/status                                               disabled
lockd                        svc:/network/nfs/nlockmgr                                             disabled
NFS client                   svc:/network/nfs/client                                               disabled
NFS server                   svc:/network/nfs/server                                               disabled
rquotad                      svc:/network/nfs/rquota                                               disabled
NFS v4 callback daemon       svc:/network/nfs/cbd                                                  disabled
NFS id mapping               svc:/network/nfs/mapid                                                disabled
ftpd                         svc:/network/ftp:default                                              disabled
fingerd                      svc:/network/finger:default                                           disabled
rlogind                      svc:/network/login:rlogin                                             disabled
rshd                         svc:/network/shell:default                                            disabled
Secure Shell                 svc:/network/ssh:default                                              enabled

 Ideally, the property settings listed above would also be included in the same profile. However, SMF profiles do not currently permit setting service properties. When that feature is added to SMF, the property settings will be added to the generic_limited_net profile. In the meantime, the project will deliver a shell script called netservices(1M) that uses svccfg(1M) to apply the generic_limited_net profile and then set the remaining properties.
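A sketch of what such a netservices-style script could look like, added here as an illustration and not Sun's netservices(1M): it applies the generic_limited_net profile with svccfg apply, then sets the boolean properties from the tables above that a profile cannot carry, refreshing each instance. The true/false values are assumed to be the ones that express "local only" for each property; the dtlogin, RPC proto and bind_addr settings are left out, and by default the script prints the commands instead of running them.

```shell
#!/bin/sh
# Hypothetical netservices-style hardening script (added example, not Sun's
# netservices(1M)). Applies the limited-networking profile, then sets the
# per-service properties that SMF profiles cannot carry. By default it only
# prints the commands it would run; set NETSERVICES_APPLY=1 to execute them
# (as root, on a Solaris system).

PROFILE_DIR=${PROFILE_DIR:-/var/svc/profile}

# Print or execute a command, depending on NETSERVICES_APPLY.
run() {
    if [ "${NETSERVICES_APPLY:-0}" = 1 ]; then
        "$@"
    else
        echo "$*"
    fi
}

# Set one SMF property and refresh the instance so its method re-reads it.
# A service that reads its properties only at start also needs 'svcadm restart'.
set_prop() {                    # set_prop FMRI PROPERTY VALUE
    run svccfg -s "$1" setprop "$2" = "$3"
    run svcadm refresh "$1"
}

# Property settings from the spec; each one limits the service to local
# clients. The boolean values are assumed to be the "local only" setting
# for each property (local_only=true, log_from_remote=false, tcp_listen=false).
apply_local_only_props() {
    set_prop svc:/network/rpc/bind             config/local_only      true
    set_prop svc:/system/system-log            config/log_from_remote false
    set_prop svc:/network/smtp:sendmail        config/local_only      true
    set_prop svc:/system/webconsole:console    options/tcp_listen     false
    set_prop svc:/application/management/wbem  options/tcp_listen     false
    set_prop svc:/application/x11/x11-server   options/tcp_listen     false
}

# Put the system in the hardened state: profile first, then properties.
harden_network_services() {
    run svccfg apply "$PROFILE_DIR/generic_limited_net.xml"
    apply_local_only_props
}

harden_network_services
```

Run it once without NETSERVICES_APPLY to review the exact svccfg/svcadm commands before letting it change anything.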

Install Changes

 For Solaris Nevada, the hardening changes are automatically applied whenever a fresh install is performed. This effect is achieved by invoking netservices(1M) from the SMF upgrade file found in /var/svc/profile. Behavior is unchanged if the system is upgraded.
 For Solaris 10 updates, the default for fresh installs and upgrades is to leave services enabled as they are today. This is because the disabled services represent a slightly incompatible change which, while acceptable in a minor release like Solaris Nevada, does not strictly meet the compatibility assurances for Solaris update releases. Feedback from a small sample of customers has shown that they are generally in favor of a more secure configuration but would prefer an install question to allow them to select the desired behavior.
 The following question will be added during a fresh install:

Would you like to enable network services for use by remote clients?
        [x] Yes
        [ ] No
Note: Selecting "No" provides a more secure configuration in which
Secure Shell is the only network service provided to remote clients.
Selecting "Yes" enables a larger set of services as in previous Solaris
releases. If in doubt, it is safe to select "No" as any services can
be individually enabled after installation.

        • For Jumpstart installs, sysidsys(1M) will answer this question using a new keyword in sysidcfg(4) with the following defined values:

service_profile=limited_net
service_profile=open

 If the keyword is not present in the sysidcfg(4) file, it will default to traditional, and no changes will be made.
 This project will remove the /var/svc/profile/generic.xml symlink from the SUNWcsr prototype file and instead create it at install time to point to either generic_open.xml or generic_limited_net.xml, depending on whether the limited_net profile is to be applied or not.

Miniroot Changes

 The miniroot configuration will be altered for both Solaris Nevada and Solaris 10 updates to disable all network services during install. This allows the system to run in a hardened configuration for the entire period from the beginning of installation until services are explicitly enabled by the administrator.


Scott Rotondo
 June 22, 2006

last modified by admin on 2009/10/26 12:10