SLOTD: Solaris 10 11/06 "Secure By Default"
By davew on Apr 23, 2007
Before Solaris 10 11/06, a standard out-of-the-box build of Solaris had all services associated with installed packages enabled by default; thus, many applications bound listeners to a system's IP addresses, and a port scan using tools such as nmap revealed a large number of open sockets to connect to.
The usual (and supported) way to address this situation was to harden the system using the Solaris Security Toolkit, which among many other capabilities, would disable the listeners for services which were not required for a system to perform its business function and be managed. In addition, in many cases some per-service configurations could be set, or host-based firewalling could be configured, to prohibit connections to services other than on the interfaces on which they were supposed to listen.
The 11/06 (aka "Update 3") release of Solaris 10 extends the functionality of SMF to include definitions of interfaces which are required to be listened on; thus, on a system for which this profile is configured, only the Solaris Secure Shell binds a listener to a non-loopback address; a port scan shows that only 22/tcp is listening. Full details on the service definition modifications can be found in Scott Rotondo's presentation here.
It is also worth noting that, while "Secure By Default" is actually the default install profile in OpenSolaris and Solaris Express, it is not the default profile for Solaris 10 11/06 (although it can be selected either manually or by a Jumpstart profile variable); the reasoning is that if a customer were to use LiveUpgrade or similar to move from an earlier release of Solaris 10 to 11/06, we wouldn't want to unexpectedly remove service listeners.
As Scott's presentation shows, the netservices(1M) command allows the default profile to be changed anyway, and where specific Security Toolkit profiles have been deployed, these continue to work from both a hardening-mode and audit-mode perspective provided patch 122608-3 (or later) is installed. -Dave
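The "only 22/tcp is listening" statement above and the netservices(1M) switch are easiest to verify by looking at what is actually bound to non-loopback addresses. The following is an added example (not part of the original post or of Solaris itself): a small POSIX sh check that filters Solaris 10 `netstat -an -f inet` output down to LISTEN sockets on non-loopback addresses and flags anything other than sshd. The two netstat samples are hand-constructed to resemble the "open" and "limited" profiles, and the function names are this example's own; on a real host you would pipe live `netstat` output into `nonloopback_listeners` after running `netservices limited` as root.

```shell
#!/bin/sh
# Constructed sample of `netstat -an -f inet` as Solaris 10 prints it for the
# "open" (pre-11/06 style) profile: sendmail on loopback, rpcbind and X11 on
# all addresses. This is hand-written sample data, not captured from a host.
SAMPLE_NETSTAT_OPEN='TCP: IPv4
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q    State
-------------------- -------------------- ----- ------ ----- ------ -----------
      *.22                 *.*                0      0 49152      0 LISTEN
127.0.0.1.25               *.*                0      0 49152      0 LISTEN
      *.111                *.*                0      0 49152      0 LISTEN
      *.6000               *.*                0      0 49152      0 LISTEN
192.168.1.10.22      192.168.1.50.54321  64240      0 49640      0 ESTABLISHED'

# Constructed sample for the "limited" (Secure By Default) profile: only sshd
# is bound to a non-loopback address; everything else sits on 127.0.0.1.
SAMPLE_NETSTAT_LIMITED='TCP: IPv4
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q    State
-------------------- -------------------- ----- ------ ----- ------ -----------
      *.22                 *.*                0      0 49152      0 LISTEN
127.0.0.1.25               *.*                0      0 49152      0 LISTEN
127.0.0.1.111              *.*                0      0 49152      0 LISTEN'

# Read netstat text on stdin and print the local address of every socket in
# LISTEN state that is not bound to an IPv4 or IPv6 loopback address.
# Solaris prints addresses as ADDR.PORT, with "*" for "all addresses".
nonloopback_listeners() {
    awk '$NF == "LISTEN" && $1 !~ /^127\.0\.0\.1\./ && $1 !~ /^::1\./ { print $1 }'
}

# Return 0 when the only non-loopback listener is 22/tcp (the state the post
# describes for the "limited" profile); otherwise print the extra listeners
# and return 1. Argument: netstat output as a single string.
check_secure_by_default() {
    extra=$(printf '%s\n' "$1" | nonloopback_listeners | grep -v '\.22$')
    if [ -n "$extra" ]; then
        printf 'non-loopback listeners other than sshd:\n%s\n' "$extra"
        return 1
    fi
    return 0
}

# Count of non-loopback listeners, handy for a one-line summary.
count_nonloopback_listeners() {
    printf '%s\n' "$1" | nonloopback_listeners | wc -l | tr -d ' '
}

# Usage with the constructed samples. On a live Solaris 10 11/06 host the
# equivalent is:  netstat -an -f inet | nonloopback_listeners
# after switching profiles with:  netservices limited   (as root)
echo "open profile:    $(count_nonloopback_listeners "$SAMPLE_NETSTAT_OPEN") non-loopback listener(s)"
check_secure_by_default "$SAMPLE_NETSTAT_OPEN" || echo "open profile does not match Secure By Default"
echo "limited profile: $(count_nonloopback_listeners "$SAMPLE_NETSTAT_LIMITED") non-loopback listener(s)"
check_secure_by_default "$SAMPLE_NETSTAT_LIMITED" && echo "limited profile matches Secure By Default"
```

The filter keys on the LISTEN state and on the address prefix rather than on port numbers, so it also catches services that bind to a specific non-loopback interface instead of `*`; the ESTABLISHED line in the sample is deliberately present to show it is ignored.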