Secure by default
By martin on Jun 14, 2006
First of all, a big happy birthday to OpenSolaris! And then on to a new cool thing which soon will appear in Nevada: secure by default!
A couple of days ago PSARC case 2004/368 integrated into Nevada. Unfortunately the ARC case isn't available on the OpenSolaris site yet, but you can take a look in the putback log and see what files it affected.
The whole thing is about making Solaris install in a mode that is secure out of the box. This should be a no-brainer, but since Solaris always strives to be backward compatible, it is not easy to make a change like this.
All services which have external interfaces, except those required to boot and login locally, are disabled by default at initial installation time. This includes ensuring that networking services are started in a mode where they will only respond to local connections.
The only exception is Secure Shell, which allows for secure remote access to the newly installed machine. This enables the administrator to securely access the machine to complete the configuration of the systems.
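One way to check a host against the policy described above (no network-reachable listeners other than Secure Shell), as an added example that is not part of the original post or of the Secure by Default project. It assumes `netstat -an` style output in which the local address is written as `<address>.<port>` and `*` means all interfaces; the sample input is constructed.

```python
# Added example: flag TCP listeners that are reachable from the network
# and are not on the allow list (the post names Secure Shell as the only one).
# Assumption: input looks like `netstat -an` output with <address>.<port>.

ALLOWED_REMOTE_PORTS = {22}  # Secure Shell

# Constructed sample, not captured from a real host.
SAMPLE = """\
TCP: IPv4
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q    State
-------------------- -------------------- ----- ------ ----- ------ -----------
      *.22                 *.*                0      0 49152      0 LISTEN
127.0.0.1.25               *.*                0      0 49152      0 LISTEN
      *.111                *.*                0      0 49152      0 LISTEN
192.0.2.10.22        192.0.2.50.51234     49640      0 49640      0 ESTABLISHED
192.0.2.10.6000            *.*                0      0 49152      0 LISTEN
"""


def parse_listeners(text):
    """Return (address, port) for every socket in LISTEN state."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[-1] != "LISTEN":
            continue  # headers, separators, established connections
        addr, _, port = fields[0].rpartition(".")
        if port.isdigit():
            listeners.append((addr, int(port)))
    return listeners


def is_local_only(addr):
    """True when the socket is bound to a loopback address."""
    return addr.startswith("127.") or addr == "::1"


def policy_violations(text, allowed=ALLOWED_REMOTE_PORTS):
    """Listeners bound to non-loopback addresses on ports not allowed."""
    return sorted(
        (addr, port)
        for addr, port in parse_listeners(text)
        if not is_local_only(addr) and port not in allowed
    )


if __name__ == "__main__":
    for addr, port in policy_violations(SAMPLE):
        print(f"unexpected remote listener: {addr} port {port}")
```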
This is just phase one of the Secure by Default project; in later phases, all of Sun Microsystems' bundled and unbundled software will install in a secure mode.
As build 42 isn't even available internally yet, I haven't been able to try it out, but in a few days I expect to have had time to play with it...