Solaris Secure by Default - Part 3
By gbrunett on Jul 19, 2006
Before I begin, I would like to point everyone to a posting by Scott Rotondo, one of the architects behind the Secure by Default project. Check it out and let him know what you think of this new Solaris enhancement!
Today, SBD is an all-or-nothing proposition: it is either enabled or disabled with the new netservices(1M) command (netservices limited or netservices open). For many organizations this is not enough. Very often they must configure their systems so that some services are off or in a "local only" mode while others are open to support a business or technical requirement. It is therefore important to understand exactly what SBD does, so that you can tune the security configuration of your systems to your own needs. As we noted previously, an SBD configuration is created by (1) disabling services or (2) adjusting service properties to put a service into a "local only" mode.
Enabling and disabling services is trivial: use the svcadm command with the enable or disable action on the services that interest you. Since that is so easy, it will not be the focus of this posting. For the third and final (for now) installment of Getting to Know Solaris Secure by Default (SBD), I would like to focus specifically on those services that are not disabled by default but are instead configured to accept only local connections (those originating from the system itself).
Taking a look at the Secure by Default design document, you see the services impacted (expressed as FMRIs), the property that netservices adjusts for each, and that property's value in open and in limited mode:

| Service | FMRI | Property | Value (open, limited) |
|---|---|---|---|
| CDE | svc:/application/graphical-login/cde-login | dtlogin/args | [null], -udpPort 0 |
| BSD Printing | svc:/application/print/rfc1179:default | bind_addr | [null], localhost |
Pretty easy, right? So, let's say you are running in SBD mode (after having run netservices limited) and you find that you need to receive syslog messages from another host. All you would need to do is:

```
# svccfg -s system-log setprop config/log_from_remote = true
# svcadm refresh system-log
```

The refresh pushes the new value into the service's running snapshot, but syslogd only reads it when it starts. If you want the change to take effect immediately, you should also run:

```
# svcadm restart system-log
```
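As an added example (not code from the original post or from Solaris itself), the script below turns the table above and the three-step system-log change into something repeatable: it audits each known local-only property against the value it has under netservices limited, and on request performs the same setprop/refresh/restart sequence for any FMRI/property pair. It assumes Solaris 10 11/06 or later with svcprop, svccfg and svcadm on the PATH. The cde-login and rfc1179 rows come from the table, the system-log row (config/log_from_remote = false in limited mode) follows from the svccfg example, and the handling of svcprop's output quoting (backslash-escaped spaces, "" for an empty string) is an assumption about that tool.

```shell
#!/bin/sh
# sbd_localonly.sh - audit the Secure by Default "local only" services and,
# on request, open or re-limit one of them the way the system-log example
# above does.
#
# Added example; not code from the original post or from Solaris. Assumes
# Solaris 10 11/06 or later with svcprop, svccfg and svcadm on the PATH.

# Known local-only services: FMRI | property | value in "netservices limited"
# mode. The cde-login and rfc1179 rows are from the SBD table above; the
# system-log row follows from the svccfg example (false = local only).
SBD_TABLE='svc:/application/graphical-login/cde-login|dtlogin/args|-udpPort 0
svc:/application/print/rfc1179:default|bind_addr|localhost
svc:/system/system-log:default|config/log_from_remote|false'

# sbd_limited_value FMRI PROPERTY
# Print the value PROPERTY has in limited mode, or nothing if unknown.
sbd_limited_value() {
    printf '%s\n' "$SBD_TABLE" | while IFS='|' read -r fmri prop value; do
        [ "$fmri" = "$1" ] && [ "$prop" = "$2" ] && printf '%s\n' "$value"
    done
}

# sbd_classify FMRI PROPERTY VALUE
# Print "limited" if VALUE is the local-only setting, "open" if it is
# anything else, "unknown" if the FMRI/property pair is not in the table.
sbd_classify() {
    expected=$(sbd_limited_value "$1" "$2")
    if [ -z "$expected" ]; then
        echo unknown
    elif [ "$3" = "$expected" ]; then
        echo limited
    else
        echo open
    fi
}

# sbd_unescape RAW
# svcprop prints an astring with backslash-escaped spaces and shows an
# empty string as "" (assumption about svcprop's output quoting); undo
# both so the value can be compared with the table.
sbd_unescape() {
    printf '%s\n' "$1" | sed -e 's/^""$//' -e 's/\\\(.\)/\1/g'
}

# sbd_audit
# Read each known property with svcprop and report its state, one line per
# property: STATE FMRI PROPERTY VALUE. Read-only; safe on a live host.
sbd_audit() {
    if ! command -v svcprop >/dev/null 2>&1; then
        echo "svcprop not found: not an SMF host, nothing to audit" >&2
        return 0
    fi
    printf '%s\n' "$SBD_TABLE" | while IFS='|' read -r fmri prop limited; do
        if raw=$(svcprop -p "$prop" "$fmri" 2>/dev/null); then
            value=$(sbd_unescape "$raw")
            state=$(sbd_classify "$fmri" "$prop" "$value")
        else
            value='-'
            state=missing   # service or property not present on this host
        fi
        printf '%-8s %s %s %s\n' "$state" "$fmri" "$prop" "$value"
    done
}

# sbd_set FMRI PROPERTY VALUE
# The three steps from the system-log example, for any property: setprop
# writes the repository, refresh pushes it into the running snapshot, and
# restart makes the daemon re-read its configuration. A value containing
# whitespace (such as "-udpPort 0") is handed to svccfg double-quoted.
sbd_set() {
    case $3 in
        *[[:space:]]*) val="\"$3\"" ;;
        *)             val=$3 ;;
    esac
    svccfg -s "$1" setprop "$2" = "$val" &&
    svcadm refresh "$1" &&
    svcadm restart "$1"
}

case "${1:-audit}" in
    audit) sbd_audit ;;
    set)
        [ $# -eq 4 ] || { echo "usage: $0 set FMRI PROPERTY VALUE" >&2; exit 2; }
        sbd_set "$2" "$3" "$4" ;;
    *)  echo "usage: $0 [audit | set FMRI PROPERTY VALUE]" >&2; exit 2 ;;
esac
```

Run it with no arguments to audit; each output line reads STATE FMRI PROPERTY VALUE, so a host where the change above was made shows `open` for config/log_from_remote. `sbd_localonly.sh set system-log config/log_from_remote false` puts syslog back into local-only mode. The audit only reads properties; `set` restarts the service, so treat it like any other service restart.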
Another cool thing about this is that non-global zones cannot reach these services in the global zone either. The service is either bound to localhost or refuses connections that do not originate from the local host, and a request from a non-global zone arrives from that zone's own IP address, not from loopback. Here rpcbind in the global zone answers the global zone itself but rejects the same query from the zone named time:

```
# ifconfig hme0
hme0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.168.1.250 netmask ffffff00 broadcast 192.168.1.255
        ether 0:0:0:0:0:0
# rpcinfo -p 192.168.1.250
   program vers proto   port  service
    100000    4   tcp    111  rpcbind
    100000    3   tcp    111  rpcbind
    100000    2   tcp    111  rpcbind
    100000    4   udp    111  rpcbind
    100000    3   udp    111  rpcbind
    100000    2   udp    111  rpcbind
# zlogin time ifconfig hme0:2
hme0:2: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.168.1.240 netmask ffffff00 broadcast 192.168.1.255
# zlogin time rpcinfo -p 192.168.1.250
rpcinfo: can't contact portmapper: RPC: Authentication error; why = Failed (unspecified error)
```
Pretty neat! Well, that's all for this installment. Please let me know what you think or if you have any questions! We love to get feedback and your input is very important to us!