Securing a Solaris Server - Minimizing Solaris
Minimizing Solaris is a simple way of removing potential security issues. As an example, if a hacker knew of a security hole in a specific daemon that's not running, they might try to get it started. If it's not there, then they'd have to find another way in.
The most important thing to consider is that you don't want to remove any packages that are critical to your system. A great amount of care should be taken in removing driver packages. Also, you should have a good understanding of the needs of your application. If a package is needed by your application, it shouldn't be removed. When in doubt, leave it.
As an example, I have a PC with Solaris 8 installed. The almost minimized package list is as follows (I didn't take the time to try to minimize further):

NCRos86r   NCR Platform Support, OS Functionality (Root)
SUNWadmr   System & Network Administration Root
SUNWadp    Adaptec 29xx/39/xx/78xx Family of SCSI HBA
SUNWcar    Core Architecture, (Root)
SUNWcsd    Core Solaris Devices
SUNWcsl    Core Solaris, (Shared Libs)
SUNWcsr    Core Solaris, (Root)
SUNWcsu    Core Solaris, (Usr)
SUNWdfb    Dumb Frame Buffer Device Drivers (deprecated)
SUNWesu    Extended System Utilities
SUNWkey    Keyboard configuration tables
SUNWkvm    Core Architecture, (Kvm)
SUNWlibms  Sun WorkShop Bundled shared libm
SUNWloc    System Localization
SUNWnamos  Northern America OS Support
SUNWos86r  Platform Support, OS Functionality (Root)
SUNWos86u  Platform Support, OS Functionality (Usr)
SUNWpsdcr  Platform Support, Bus-independent Device Drivers (Root)
SUNWpsdir  Platform Support, ISA Bus Device Drivers, (Root)
SUNWrmodr  Realmode Modules, (Root)
SUNWrmodu  Realmode Modules, (Usr)
SUNWswm    Install and Patch Utilities

I also have a SPARCstation LX with Solaris 8 installed. The almost minimized package list is as follows (again, I didn't take the time to minimize further):

SUNWadmr   System & Network Administration Root
SUNWcar    Core Architecture, (Root)
SUNWcg6    GX (cg6) Device Driver
SUNWcsd    Core Solaris Devices
SUNWcsl    Core Solaris, (Shared Libs)
SUNWcsr    Core Solaris, (Root)
SUNWcsu    Core Solaris, (Usr)
SUNWdfb    Dumb Frame Buffer Device Drivers
SUNWesu    Extended System Utilities
SUNWkey    Keyboard configuration tables
SUNWkvm    Core Architecture, (Kvm)
SUNWlibms  Sun WorkShop Bundled shared libm
SUNWloc    System Localization
SUNWnamos  Northern America OS Support
SUNWrmodu  Realmode Modules, (Usr)
SUNWswmt   Install and Patch Utilities

Install the minimum number of Solaris packages necessary to perform the required tasks. I added the following packages. Installation of other Solaris or third-party packages may require additional Solaris operating system packages to be installed.

On-line manual pages
SUNWdoc    Documentation Tools
SUNWlibC   Sun Workshop Compilers Bundled libC
SUNWman    On-Line Manual Pages

Network Time Protocol
SUNWntpr   NTP, (Root)
SUNWntpu   NTP, (Usr)

GNU tools
SUNWbash   GNU Bourne-Again shell (bash)
SUNWgpch   The GNU Patch utility
SUNWgzip   The GNU Zip (gzip) compression utility
SUNWless   The GNU pager (less)

Various shells
SUNWtcsh   Tenex C-shell (tcsh)
SUNWzsh    Z shell (zsh)

Needed to build many source packages
SUNWarc    Archive Libraries
SUNWbtool  CCS tools bundled with SunOS
SUNWhea    SunOS Header Files
SUNWsprot  Solaris Bundled tools
SUNWtoo    Programming Tools
SUNWxcu4   XCU4 Utilities
SUNWxcu4t  XCU4 make and sccs utilities

Needed to build Bind
SUNWscpu   Source Compatibility, (Usr)

Needed to build SSH
SUNWlibm   Sun WorkShop Bundled libm

Needed to build PostgreSQL
SUNWipc    Interprocess Communications
SUNWlldap  LDAP Libraries

Misc. system maintenance stuff
SUNWaccr   System Accounting, (Root)
SUNWaccu   System Accounting, (Usr)
SUNWadmc   System administration core libraries
SUNWadmfw  System & Network Administration Framework
SUNWspl    Spell Checking Engine - Base Release (English)
SUNWsutl   Static Utilities
SUNWter    Terminal Information
It should be noted that there are some decisions to be made here. If a package is needed, and the package is available as source (sendmail, NTP, perl, Apache and FTP being examples), it is necessary to decide whether to use the vendor package, or to build from source.
Building from source gives more flexibility in configuration, at the expense of greater system administration time and effort. Also, upgrades and security patches are usually available for source packages sooner.
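An added example, not part of the original page: a POSIX shell check that compares pkginfo output with a minimized baseline (the SPARCstation LX package list on this page) and reports installed packages outside the baseline, as well as baseline packages that are missing. The function names and the sample input are constructed for illustration, and the input is assumed to be in pkginfo's default three-column form (category, package name, description).

```shell
#!/bin/sh
# Added example: audit installed packages against a minimization baseline.

# Baseline: the SPARCstation LX package list from this page.
BASELINE="SUNWadmr SUNWcar SUNWcg6 SUNWcsd SUNWcsl SUNWcsr SUNWcsu SUNWdfb"
BASELINE="$BASELINE SUNWesu SUNWkey SUNWkvm SUNWlibms SUNWloc SUNWnamos"
BASELINE="$BASELINE SUNWrmodu SUNWswmt"

# Constructed sample of pkginfo output (not captured from a real host).
SAMPLE_PKGINFO='system      SUNWcsr        Core Solaris, (Root)
system      SUNWcsu        Core Solaris, (Usr)
system      SUNWcg6        GX (cg6) Device Driver
system      SUNWesu        Extended System Utilities
system      SUNWntpr       NTP, (Root)
system      SUNWbash       GNU Bourne-Again shell (bash)'

# extra_packages BASELINE
# Reads pkginfo output on stdin; prints installed packages that are NOT in
# the baseline. These are candidates to review, not to remove blindly:
# an application or driver may still depend on them.
extra_packages() {
    awk -v base="$1" '
        BEGIN { n = split(base, b, " "); for (i = 1; i <= n; i++) keep[b[i]] = 1 }
        NF >= 2 && !($2 in keep) { print $2 }
    ' | sort -u
}

# missing_packages BASELINE
# Reads pkginfo output on stdin; prints baseline packages that are NOT
# installed, which catches a core package removed by mistake.
missing_packages() {
    awk -v base="$1" '
        NF >= 2 { have[$2] = 1 }
        END {
            n = split(base, b, " ")
            for (i = 1; i <= n; i++) if (!(b[i] in have)) print b[i]
        }
    ' | sort -u
}

# On a Solaris host, replace the sample with live output:
#   pkginfo | extra_packages "$BASELINE"
echo "Installed but outside the baseline:"
printf '%s\n' "$SAMPLE_PKGINFO" | extra_packages "$BASELINE"
echo "In the baseline but not installed:"
printf '%s\n' "$SAMPLE_PKGINFO" | missing_packages "$BASELINE"
```

Keeping the baseline under version control and running the check after each patch or package installation shows when a dependency has pulled in packages that were deliberately left out.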
© 2004 - Ashford Computer Consulting Service