Version 1.4
1/5/2004

Securing a Solaris Server - Minimizing Solaris

  1. Introduction
  2. History of this Web Page
  3. Overview
  4. Network Topology
  5. System Hardware Configuration
  6. Initial Installation
  7. Minimizing Solaris
  8. Minimizing Network Services
  9. Remove the Solaris Installation Leftovers
  10. Install Necessary Third Party Packages
  11. Close the Doors
  12. Obscure the Tracks
  13. Post the Warnings
  14. Perform System Backups
  15. Watch for Changes
  16. Sources of Tools
  17. Bibliography

---------------

 
Purchase Policies Contact ACCS Aout ACCS Home Papers & Projects Services Products

7. Minimizing Solaris

The CORE installation loads many packages that are not needed for a server to function. Among them are several X11 and OpenWindows packages. Alex Noordergraaf wrote a fairly good paper on how to minimize Solaris (2).

Minimizing Solaris is a simple way of removing potential security issues. As an example, if a hacker knew of a security hole in a specific daemon that's not running, they might try to get it started. If it's not there, then they'd have to find another way in.

The most important thing to consider is that you don't want to remove any packages that are critical to your system. A great amount of care should be taken in removing driver packages. Also, you should have a good understanding of the needs of your application. If a package is needed by your application, it shouldn't be removed. When in doubt, leave it.

As an example, I have a PC with Solaris 8 installed. The almost minimized package list is as follows (I didn't take the time to try to minimize further):

NCRos86r    NCR Platform Support, OS Functionality (Root)
SUNWadmr    System & Network Administration Root
SUNWadp     Adaptec 29xx/39/xx/78xx Family of SCSI HBA
SUNWcar     Core Architecture, (Root)
SUNWcsd     Core Solaris Devices
SUNWcsl     Core Solaris, (Shared Libs)
SUNWcsr     Core Solaris, (Root)
SUNWcsu     Core Solaris, (Usr)
SUNWdfb     Dumb Frame Buffer Device Drivers (deprecated)
SUNWesu     Extended System Utilities
SUNWkey     Keyboard configuration tables
SUNWkvm     Core Architecture, (Kvm)
SUNWlibms   Sun WorkShop Bundled shared libm
SUNWloc     System Localization
SUNWnamos   Northern America OS Support
SUNWos86r   Platform Support, OS Functionality (Root)
SUNWos86u   Platform Support, OS Functionality (Usr)
SUNWpsdcr   Platform Support, Bus-independent Device Drivers (Root)
SUNWpsdir   Platform Support, ISA Bus Device Drivers, (Root)
SUNWrmodr   Realmode Modules, (Root)
SUNWrmodu   Realmode Modules, (Usr)
SUNWswm    Install and Patch Utilities
I also have a SPARCstation LX with Solaris 8 installed. The almost minimized package list is as follows (again, I didn't take the time to minimize further):
SUNWadmr    System & Network Administration Root
SUNWcar     Core Architecture, (Root)
SUNWcg6     GX (cg6) Device Driver
SUNWcsd     Core Solaris Devices
SUNWcsl     Core Solaris, (Shared Libs)
SUNWcsr     Core Solaris, (Root)
SUNWcsu     Core Solaris, (Usr)
SUNWdfb     Dumb Frame Buffer Device Drivers
SUNWesu     Extended System Utilities
SUNWkey     Keyboard configuration tables
SUNWkvm     Core Architecture, (Kvm)
SUNWlibms   Sun WorkShop Bundled shared libm
SUNWloc     System Localization
SUNWnamos   Northern America OS Support
SUNWrmodu   Realmode Modules, (Usr)
SUNWswmt    Install and Patch Utilities
Install the minimum number of Solaris packages necessary to perform the required tasks. I added the following packages. Installation of other Solaris or third-party packages may require additional Solaris operating system packages to be installed.
On-line manual pages
SUNWdoc     Documentation Tools
SUNWlibC    Sun Workshop Compilers Bundled libC
SUNWman     On-Line Manual Pages
Network Time Protocol
SUNWntpr    NTP, (Root)
SUNWntpu    NTP, (Usr)
GNU tools
SUNWbash    GNU Bourne-Again shell (bash)
SUNWgpch    The GNU Patch utility
SUNWgzip    The GNU Zip (gzip) compression utility
SUNWless    The GNU pager (less)
Various shells
SUNWtcsh    Tenex C-shell (tcsh)
SUNWzsh     Z shell (zsh)
Needed to build many source packages
SUNWarc     Archive Libraries
SUNWbtool   CCS tools bundled with SunOS
SUNWhea     SunOS Header Files
SUNWsprot   Solaris Bundled tools
SUNWtoo     Programming Tools
SUNWxcu4    XCU4 Utilities
SUNWxcu4t   XCU4 make and sccs utilities
Needed to build Bind
SUNWscpu    Source Compatibility, (Usr)
Needed to build SSH
SUNWlibm    Sun WorkShop Bundled libm
Needed to build PostgresSQL
SUNWipc     Interprocess Communications
SUNWlldap   LDAP Libraries
Misc. system maintenance stuff
SUNWaccr    System Accounting, (Root)
SUNWaccu    System Accounting, (Usr)
SUNWadmc    System administration core libraries
SUNWadmfw   System & Network Administration Framework
SUNWspl     Spell Checking Engine - Base Release (English)
SUNWsutl    Static Utilities
SUNWter     Terminal Information

It should be noted that there are some decisions to be made here. If a package is needed, and the package is available as source (sendmail, NTP, perl, Apache and FTP being examples), it is necessary to decide whether to use the vendor package, or to build from source.

Building from source gives more flexibility in configuration, at the expense of greater system administration time and effort. Also, upgrades and security patches are usually available for source packages sooner.

Prev Index Next

If you have any comments or suggestions, please E-mail webmaster@accs.com

© 2004 - Ashford Computer Consulting Service