Recovery from another hiatus; an smf(5) one-liner

I was out with sick children last week and have been engaged in a form of mental wrestling learning the Dvorak keyboard for the past two—both impediments to concentration, and thus to smooth blogging. Everybody is on the mend; evening wakeups are on the decline. I no longer want to hurl my keyboard across the office; my brain is remapping favourite commands and key sequences. (slrn and ls, which use the fourth and fifth fingers of the right hand (or only the fifth), feel very awkward still.)

There were some interesting smf(5)-related asides in some Slashdot discussions last week. One requires a separate, detailed reply. The other—a request for a single command that hardens your Solaris system—can be answered briefly. There are two answers: one a flip one-liner, one responsible.

The glib smf(5) one-liner answer is:

# svccfg apply /var/svc/profile/generic_limited_net.xml

which applies the "limited networking" profile to your system. This profile deactivates about three dozen services that are active in the traditional install case, including all passwords-in-the-clear login services. There are still RPC and likely other services active on the system that serious system auditors will want to examine. (The limited networking profile was written by members of the Solaris Security Technology group and will be present in the initial release of Solaris 10. And we're now working to make that initial install initially and increasingly secure.)

The more responsible answer is to point out that system hardening requires both minimization and reconfiguration (beyond service deactivation) and that there is a productized distillation of security practices for Solaris in the form of the Solaris Security Toolkit. Although its use might exceed a one-line constraint, the toolkit makes fungible years of Solaris hardening experience.

(I'll refrain from describing how the now-integrated IPFilter or tcpwrapper support can reduce the exposure of some of the remaining services. But I will point out that the combination of the least privileges feature and the smf(5) service description's ability to define the appropriate privileges for a service leads to an rpcbind(1M) that cannot successfully call exec(2) (among other things):

# ppriv `pgrep -z global rpcbind`
100220: /usr/sbin/rpcbind
flags = PRIV_AWARE
        E: basic,!file_link_any,net_privaddr,!proc_exec,!proc_info,!proc_session,sys_nfs
        I: basic,!file_link_any,!proc_exec,!proc_fork,!proc_info,!proc_session
        P: basic,!file_link_any,net_privaddr,!proc_exec,!proc_info,!proc_session,sys_nfs
        L: basic,!file_link_any,!proc_exec,!proc_fork,!proc_info,!proc_session

As I noted: increasingly secure.)
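
An added example, not part of the original post: a shell function that reads ppriv output in the format shown above and reports whether a privilege is missing from both the effective (E) and permitted (P) sets, which is what keeps rpcbind from calling exec(2). The function names and the hard-coded Solaris 10 membership of the basic set are assumptions of this example; the sample input is the output quoted in the post.

```shell
#!/bin/sh
# Sample input: the ppriv output quoted in the post, embedded so this runs anywhere.
SAMPLE='100220: /usr/sbin/rpcbind
flags = PRIV_AWARE
        E: basic,!file_link_any,net_privaddr,!proc_exec,!proc_info,!proc_session,sys_nfs
        I: basic,!file_link_any,!proc_exec,!proc_fork,!proc_info,!proc_session
        P: basic,!file_link_any,net_privaddr,!proc_exec,!proc_info,!proc_session,sys_nfs
        L: basic,!file_link_any,!proc_exec,!proc_fork,!proc_info,!proc_session'

# Assumption: members of the "basic" set on Solaris 10; later releases add more.
BASIC='file_link_any proc_exec proc_fork proc_info proc_session'

# holds SET PRIV (hypothetical helper): reads ppriv output on stdin.
# Exit 0 if PRIV is in SET (E, I, P or L), 1 if not, 2 if SET is not in the input.
holds() {
    awk -v s="$1" -v p="$2" -v basic="$BASIC" '
        $1 == (s ":") {
            found = 1
            n = split($2, tok, ",")
            # Apply tokens left to right: "!priv" removes, other tokens may add.
            # "all" and "zone" are treated as containing every privilege.
            for (i = 1; i <= n; i++) {
                if (tok[i] == ("!" p)) held = 0
                else if (tok[i] == p || tok[i] == "all" || tok[i] == "zone") held = 1
                else if (tok[i] == "basic" && index(" " basic " ", " " p " ")) held = 1
            }
        }
        END { if (!found) exit 2; exit(held ? 0 : 1) }'
}

# cannot_use PRIV (hypothetical helper): succeeds only when PRIV is absent from E
# (in force now) and from P (the most the process can raise E to).
cannot_use() {
    out=$(cat)
    for s in E P; do
        rc=0
        printf '%s\n' "$out" | holds "$s" "$1" || rc=$?
        [ "$rc" -eq 1 ] || return 1   # held, or set missing: not proven dropped
    done
    return 0
}

# On a live system: ppriv `pgrep -z global rpcbind` | cannot_use proc_exec
for p in proc_exec proc_fork net_privaddr; do
    if printf '%s\n' "$SAMPLE" | cannot_use "$p"; then
        echo "$p: dropped from E and P"
    else
        echo "$p: still available"
    fi
done
```
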

Comments:

I am from TAIWAN. I'm a college student. My majority is computer science. I am a freshman. I want to learn unix kernel. I find a book "Lion's Commentary on UNIX 6th Edition" in our college's library. Please tell me how to learn UNIX kernel. Do you have any friend who is kernel developer in SUN? Could they give me a direction? THANKS you for tolerating my poor English

Posted by tsj on January 25, 2005 at 01:59 AM PST

@tsj: The Lions' book is an excellent exposition of the Unix kernel at that time. I'm not sure I would recommend it as a "first text"—perhaps Tanenbaum or Silberschatz et al's operating systems textbooks would be a better place to start. After that, I like Vahalia's Unix internals: the new frontiers, although there are also other BSD, System V, and Linux books that examine more recent kernel implementations. (Including MacDougall and Mauro's Solaris internals.) — Stephen

Posted by Stephen on January 25, 2005 at 02:32 PM PST
