SUMMARY: Minimal System Configuration...

2007-12-24 21:33:00

Thanks to the following for their input:

Thomas Cannon
Tim Chipman
Brian Dunbar
John Elser
Paul Foti
Rick Francis
Tom Heinrichs
Brent Killion
Rich Kulawiec
Steve Mickeler
Jedrzej Nasiadek
Hamid Ouyachi
John Riddoch
Craig Scott
Justin Stringfellow
John Tan
Hendrik Visage
Don Werve
Anonymous from <sysadmin at astro.su.se>

Several people were curious what our product is. It's a content
optimizing web proxy server designed to be used in "slow" end
user connection type networks such as portable cell phones. The
current generation of cell phone operates at 9600-14400 baud
which makes web surfing very unpleasant.

We sell our servers to the large telecom industry players but we
have just started offering a service ourselves to end users.

For more information check out:

bluekite.com

---

Here are the suggestions received, in order of receipt:

---

Use OpenBSD instead of Solaris 8.

---

Run the Solaris install and specify "no" to almost everything.

---

Look at JASS (Solaris Security Toolkit).

---

- lay down the install using minimum configuration option (as
opposed to full eom version).
- test app
- remove your /etc/inetd.conf file.
- test app
- setup secure routes (this may cost you dollars).
- test app
- remove startup scripts you don't want from /etc/rc2.d and rc3.d.
- test app

---

See the SANS guide:
Solaris Security: Step-by-Step
http://www.sansstore.org/Merchant/solaris.htm

---

Lance Spitzner's 'Armoring' series.

---

http://www.sans.org
http://www.linuxsecurity.com
http://www.packetst0rm.net/armor_solaris.txt
http://www.usenix.org/sage/sysadmins/solaris/index.html
http://fixsolaris.sunhelp.org/fixsolaris.txt
http://www.sun.com/blueprints/1100/minimize-updt1.pdf
http://www.sun.com/blueprints/1200/network-updt1.pdf
see "securing public web servers" at
http://www.cert.org/security-improvement/
Try the hardening tools at
http://www.sans.org/
http://www.cert.org/
http://www.cisecurity.org/
specific to solaris:
http://www.yassp.org/

---

Do an end-user installation (the one just below a developer
installation), choosing some extra stuff like the GNU
utilities etc. as per your liking. Then once installed and
connected, start culling the /etc/rc?.d/S* files and the
packages that aren't needed.

---

Your best bet is probably to install the core OS which will
include the base networking you require. Next, add the
stuff you need (if you're unsure which package a file is
in, do a full install elsewhere and grep on
/var/sadm/install/contents for the file). Finally do a
check on pkginfo and pkgrm anything you don't think you
need. Test, and add anything which is missing.
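The two lookups this message describes (finding which package delivers a given file, and reviewing pkginfo output for removal candidates) as an added shell example; it is not part of the original summary and not Sun's own tooling. It works on saved copies of /var/sadm/install/contents and of pkginfo output, so it can be run offline; the sample lines below are constructed in those formats, and the field layout assumed for contents entries is stated in the comments.

```shell
#!/bin/sh
# Added example: map a file back to the Solaris package(s) that deliver it,
# and list installed packages that are not on a keep-list (pkgrm candidates).

# Assumed field layout of /var/sadm/install/contents entries:
#   regular/editable file (f, e, v): path ftype class mode owner group size cksum modtime pkg...
#   directory (d):                   path ftype class mode owner group pkg...
#   symbolic/hard link (s, l):       path=target ftype class pkg...
pkg_of_file() {
    # $1 = contents file, $2 = absolute path to look up; prints the package list
    awk -v want="$2" '
        {
            path = $1
            sub(/=.*/, "", path)            # strip "=target" from link entries
            if (path != want) next
            if ($2 == "d") start = 7
            else if ($2 == "s" || $2 == "l") start = 4
            else start = 10
            for (i = start; i <= NF; i++) printf "%s%s", $i, (i < NF ? " " : "\n")
        }' "$1"
}

pkgrm_candidates() {
    # $1 = file listing packages to keep (one per line)
    # $2 = saved output of `pkginfo` (category, pkginst, name); prints pkginst
    #      values not found in the keep-list, i.e. candidates to review and pkgrm
    awk 'NR == FNR { keep[$1] = 1; next } !($2 in keep) { print $2 }' "$1" "$2"
}

# Constructed sample data (not taken from a real system).
SAMPLE_CONTENTS=$(mktemp)
SAMPLE_PKGINFO=$(mktemp)
KEEP_LIST=$(mktemp)
trap 'rm -f "$SAMPLE_CONTENTS" "$SAMPLE_PKGINFO" "$KEEP_LIST"' EXIT

cat > "$SAMPLE_CONTENTS" <<'EOF'
/etc/inetd.conf e none 0644 root sys 5200 12345 1012345678 SUNWcsr
/usr/bin d none 0755 root bin SUNWcsr SUNWcsu SUNWloc
/usr/bin/sh=../../sbin/sh s none SUNWcsu
/usr/sbin/inetd f none 0555 root bin 44916 51298 1012345678 SUNWcsu
/usr/sbin/rpcbind f none 0555 root bin 30788 8741 1012345678 SUNWcsu
EOF

cat > "$SAMPLE_PKGINFO" <<'EOF'
system      SUNWcsr        Core Solaris, (Root)
system      SUNWcsu        Core Solaris, (Usr)
system      SUNWloc        System Localization
system      SUNWaudio      Audio applications
EOF

printf 'SUNWcsr\nSUNWcsu\n' > "$KEEP_LIST"

# Usage: which package owns rpcbind, and what could go given the keep-list?
echo "rpcbind is delivered by: $(pkg_of_file "$SAMPLE_CONTENTS" /usr/sbin/rpcbind)"
echo "pkgrm candidates:"
pkgrm_candidates "$KEEP_LIST" "$SAMPLE_PKGINFO"
```

On a real box the same functions take `/var/sadm/install/contents` and the output of `pkginfo` redirected to a file; reviewing the candidate list by hand before any `pkgrm` is the point, since a package that looks unneeded may deliver a shared library the application loads.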

---

There was a Sun paper about that (probably available from
sun.com). I can send it to you if you want (and if I find it
among my files :-). Besides, I strongly recommend installing
IPfilter: block everything and then select which
communication you want to pass and which to block.

---

www.sun.com/blueprints/browsesubject.html

---

Well, you might want to take a look at Sun's Blueprint Docs at
www.sun.com/blueprints. They have a document for a secure
install of an application (in this case iPlanet). The doc
title is: Solaris Operating Environment Minimization for
Security: A Simple, Reproducible and Secure Application
Installation Methodology, by Alex Noordergraaf.

---

- Try to do a minimal package install
- Hope I haven't broken a bit of functionality I'll actually need
- Boot the system
- Use "ps" to see what's running; adjust /etc/rc* and /etc/inetd.conf
to turn off as much as possible
- Use "lsof" and "nmap" (both open-source tools) to figure out
what ports are open and what's listening on them. (lsof lists
which processes have which files open; that includes sockets.
nmap is a pretty good port scanner.) Back to /etc/rc* and
/etc/inetd.conf to turn things off.
- Remove the daemons and clients for all the things I've turned
off in previous steps. Also remove working/spool directories
such as found in /var. Also remove any sockets or device entries
associated with the service. (This is the step where I tend to
start making mistakes, because much of the documentation is
wrong or incomplete.)
- Remove as much static data as possible. That means /usr/man/*,
/usr/include/*, and so on. This doesn't directly do a lot for
security, but it does reduce the size of the installed base,
so that when I put an integrity checker (e.g. tripwire) on the
system, it will have less to keep track of.
- Clean out /usr/bin, /usr/sbin, etc. as much as possible. This
is another error-prone step, so I tend to move things to temporary
locations rather than actually delete them. (That comes after
I've made sure I still have a working system.)
- Test requisite functionality to make sure nothing I've done has
broken the box for the purpose it's going to serve.
- Repeat as much as necessary.
- When I'm satisfied, record the system config. In your case,
you might want to even consider burning a CD with the very tiniest
config you can come up with so that your customers can install
that, then your product, and move on. (I'm not sure what the
licensing ramifications of that wrt Sun would be, though.)
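An added example (not from the original poster) of the "turn things off in /etc/rc* and /etc/inetd.conf" steps done so that the originals survive and can be put back if the next test fails: start scripts are disabled by renaming the leading S to a lower-case s, which the rc scripts skip, and inetd entries are commented out rather than deleted. It runs against a scratch directory created with mktemp; the rc script names and inetd.conf lines are constructed sample data, not copied from a system.

```shell
#!/bin/sh
# Added example: reversible disabling of rc start scripts and inetd services.

rc_enabled() {
    # $1 = an rc directory (e.g. /etc/rc2.d). The rc scripts only run files whose
    # name begins with a capital S, so a lower-case s copy is kept but ignored.
    for f in "$1"/S*; do
        if [ -e "$f" ]; then basename "$f"; fi
    done
}

rc_disable() {
    # $1 = rc directory, $2 = script suffix (e.g. "sendmail"):
    # renames S88sendmail to s88sendmail instead of deleting it.
    for f in "$1"/S[0-9][0-9]"$2"; do
        [ -e "$f" ] || continue
        mv "$f" "$1/s$(basename "$f" | cut -c2-)"
    done
}

inetd_enabled() {
    # $1 = inetd.conf; prints the service field of every active (uncommented) entry
    awk '$0 !~ /^[ \t]*#/ && NF > 0 { print $1 }' "$1"
}

inetd_disable() {
    # $1 = inetd.conf, $2 = service name; comments out matching active entries
    # in place so the original line stays visible for the next review pass.
    tmp=$(mktemp)
    awk -v svc="$2" '$0 !~ /^[ \t]*#/ && $1 == svc { print "#" $0; next } { print }' "$1" > "$tmp"
    cat "$tmp" > "$1" && rm -f "$tmp"
}

# Constructed scratch environment standing in for /etc/rc2.d and /etc/inetd.conf.
SCRATCH=$(mktemp -d)
trap 'rm -rf "$SCRATCH"' EXIT
RC_DIR="$SCRATCH/rc2.d"
INETD_CONF="$SCRATCH/inetd.conf"
mkdir "$RC_DIR"
for s in S69inet S74syslog S88sendmail S99dtlogin; do : > "$RC_DIR/$s"; done
cat > "$INETD_CONF" <<'EOF'
# constructed sample inetd.conf
ftp	stream	tcp	nowait	root	/usr/sbin/in.ftpd	in.ftpd
telnet	stream	tcp	nowait	root	/usr/sbin/in.telnetd	in.telnetd
#finger	stream	tcp	nowait	nobody	/usr/sbin/in.fingerd	in.fingerd
100232/10	tli	rpc/udp	wait	root	/usr/sbin/sadmind	sadmind
EOF

# Usage: audit before touching anything, then disable one item of each kind.
echo "rc start scripts:"; rc_enabled "$RC_DIR"
echo "inetd services:";   inetd_enabled "$INETD_CONF"
```

After each change the box is rebooted (or inetd sent a HUP) and the application re-tested, exactly as the list above describes; because nothing was deleted, undoing a mistake is a rename or removing a comment character rather than a reinstall.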

---

I *think* that someone did some work on that sort of
thing here [at Sun] - it's not an uncommon query, but I
don't know who. You may get some mileage from speaking
to a salesman in case they know some more about it.

---

http://www.cert.org/security-improvement/implementations/i027.02.html

To "really" be paranoid, also install host-based firewall
software on the server as well, so that **ALL** access is
100% controlled. Makes TCP-Wrappers look like a plaything.
:-) (SunScreen Lite is free from Sun and should do the
trick. Be warned that IPF (freeware host-based firewall)
has given us a tiny bit of grief here in the past while --
mystery system hangs were finally diagnosed to IPF after a
month of hell - so alas I am not sure I can recommend IPF
for Solaris at this time.)

If it is to be a public web server, you could then set up a
port mapping to grant fully public access against HTTP port
80, and have *everything* else locked down (i.e., other than
HTTP, have only SSH into the box open from a certain
privileged client box, for instance).

---

I believe there's a Sun blueprint
(http://www.sun.com/blueprints/) on that topic.

As a first cut, you could install only the SUNWCreq
cluster, then add packages only as needed.

Sun's approach seems to be to install SUNWCuser, then run
JASS and remove any unneeded stuff. (I'm talking about the
security-conscious side of Sun; the rest will install
SUNWCxall as a matter of policy.)

---

Do the normal disabling of services that you won't run
(like Portmap), and go the extra mile by chmodding the
binaries (of things like portmap) to '000'.

---

Solaris Security by Peter
Gregory and Hack Proofing Sun Solaris 8 by Wyman Miles, Ed
Mitchell, William Lynch and Randy Cook.
