Secure by Default
Design Specification
Overview
The Secure by Default project hardens the default configuration of
Solaris systems by disabling network services. The effect of the
project is summarized by the following sample "flag day" message that
could be sent to describe its integration in Solaris Nevada.
Today's integration of the Secure by Default project represents a minor
flag day for anyone who does a fresh install of Solaris Nevada. There
is no effect by default on those who upgrade or bfu existing systems.
On newly installed systems, all network services (except for ssh) that
were previously enabled by default are now either disabled or
constrained to respond to local requests only. This change minimizes
the attack surface for an installed system and provides a base for
customers to enable only the services they require.
All of the affected services are controlled by the Service Management
Framework (SMF). Any individual service can be enabled using the normal
svcadm(1M) and svccfg(1M) commands.
Disabling network services can also be achieved manually by running the
netservices(1M) command. This can be used on upgraded systems,
where no changes are made by default, or to re-establish the hardened
state after enabling individual services.
The intent of this project is to satisfy a long-standing customer
demand to reduce the attack surface by disabling as many network
services as possible while still leaving a useful system. To that end,
some infrastructure "services" are not affected. In particular, routed
will still accept routing packets, and kernel networking services such
as arp and icmp will not be disabled.
As described above, all of the service configuration changes are made
using SMF. Therefore, the project consists of the following major items:
- conversion of services to SMF control
- additional SMF properties for existing service FMRIs
- a command and SMF profile to put the system in the hardened state
- install changes to allow the user to select the default behavior
(Solaris 10 only)
SMF Service Changes
The project converts the services below to SMF control with the
indicated FMRIs.
Service                      FMRI                                   Action Taken
-------                      ----                                   ------------
dtprintinfo                  svc:/application/cde-printinfo         disabled
CDE subprocess control       svc:/network/cde-spc                   disabled
DMI                          svc:/application/management/dmi        disabled
SNMP                         svc:/application/management/sma        disabled
Solstice Enterprise Agent    svc:/application/management/snmpdx     disabled
Seaport                      svc:/application/management/seaport    disabled
The project adds additional properties to the following existing
services.
Service        FMRI                                Property                 Action Taken
-------        ----                                --------                 ------------
rpcbind        svc:/network/rpc/bind               config/local_only        limit to local connections
syslogd        svc:/system/system-log              config/log_from_remote   limit to local connections
sendmail       svc:/network/smtp:sendmail          config/local_only        limit to local connections
smcwebserver   svc:/system/webconsole:console      options/tcp_listen       limit to local connections
WBEM           svc:/application/management/wbem    options/tcp_listen       limit to local connections
Contents of Limited Networking profile
The project adds to the existing generic_limited_net profile defined in
PSARC 2004/781. This
profile includes all of the settings described above for new SMF
services plus the settings described below for existing services.
Service                     FMRI                                           Property              Action Taken
-------                     ----                                           --------              ------------
X server                    svc:/application/x11/x11-server                options/tcp_listen    limit to local connections
X font server               svc:/application/x11/xfs                                             disabled
dtlogin                     svc:/application/graphical-login/cde-login     dtlogin/args          limit to local connections
ToolTalk                    svc:/network/rpc/cde-ttdbserver:tcp            proto=ticotsord       limit to local connections
dtcm                        svc:/network/rpc/cde-calendar-manager          proto=ticlts          limit to local connections
BSD print                   svc:/application/print/rfc1179:default         bind_addr=localhost   limit to local connections
Internet print protocol     svc:/application/print/ipp-listener:default                          disabled
SVM remote metaset          svc:/network/rpc/meta                                                disabled
SVM remote mediator         svc:/network/rpc/metamed                                             disabled
SVM remote multihost disk   svc:/network/rpc/metamh                                              disabled
SVM communication           svc:/network/rpc/mdcomm                                              disabled
rstatd                      svc:/network/rpc/rstat:default                                       disabled
rusersd                     svc:/network/rpc/rusers:default                                      disabled
telnetd                     svc:/network/telnet:default                                          disabled
statd                       svc:/network/nfs/status                                              disabled
lockd                       svc:/network/nfs/nlockmgr                                            disabled
NFS client                  svc:/network/nfs/client                                              disabled
NFS server                  svc:/network/nfs/server                                              disabled
rquotad                     svc:/network/nfs/rquota                                              disabled
NFS v4 callback daemon      svc:/network/nfs/cbd                                                 disabled
NFS id mapping              svc:/network/nfs/mapid                                               disabled
ftpd                        svc:/network/ftp:default                                             disabled
fingerd                     svc:/network/finger:default                                          disabled
rlogind                     svc:/network/login:rlogin                                            disabled
rshd                        svc:/network/shell:default                                           disabled
Secure Shell                svc:/network/ssh:default                                             enabled
Ideally, the property settings listed above would also be included in
the same profile. However, SMF profiles do not currently permit setting
service properties. When that feature is added to SMF, the property
settings will be added to the generic_limited_net profile. In the
meantime, the project will deliver a shell script called
netservices(1M) that uses svccfg(1M) to apply the
generic_limited_net profile and then set the remaining properties.
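As an added illustration (not code from this PSARC case or from the
netservices(1M) script it describes), the following sh script audits a
system against the profile contents and the property settings listed
above, and generates the svcadm(1M)/svccfg(1M) commands that would bring
an individually re-enabled or upgraded system back to the hardened
state. It reads constructed sample output in place of live svcs(1) and
svcprop(1) output so that it runs offline. The boolean values it
expects for the properties (true for local_only, false for
log_from_remote and tcp_listen) are the values the shipped netservices
script sets; the specification above names the properties only, so
those values are an assumption of the example.

```shell
#!/bin/sh
# Added example, not part of the Secure by Default case or of netservices(1M):
# audit a system against the hardened state and emit the svcadm(1M)/svccfg(1M)
# commands that would restore it. Constructed samples stand in for `svcs -a`
# and svcprop(1) output so the script runs offline.

# Subset of the FMRIs the generic_limited_net profile disables. A service-level
# FMRI (no ":instance") covers every instance of that service.
EXPECT_DISABLED='
svc:/network/telnet:default
svc:/network/ftp:default
svc:/network/finger:default
svc:/network/login:rlogin
svc:/network/shell:default
svc:/network/nfs/server
svc:/network/rpc/rstat:default
svc:/network/rpc/rusers:default
'

# Properties that restrict a service to local clients: "fmri property value".
# The specification lists the properties only; the boolean values are the ones
# the shipped netservices(1M) script sets and are an assumption here.
EXPECT_LOCAL='
svc:/network/rpc/bind config/local_only true
svc:/system/system-log config/log_from_remote false
svc:/network/smtp:sendmail config/local_only true
svc:/system/webconsole:console options/tcp_listen false
svc:/application/x11/x11-server options/tcp_listen false
'

# True if $1 (an FMRI as printed by svcs) is one the profile disables, either
# as an exact instance FMRI or through its service-level FMRI.
is_expected_disabled() {
    printf '%s\n' "$EXPECT_DISABLED" | grep -qxF -e "$1" -e "${1%:*}"
}

# Read `svcs -a` lines (STATE STIME FMRI) on stdin; print every FMRI that the
# hardened state disables but that is in any state other than "disabled".
# "offline" still means enabled, merely waiting on a dependency, so it is
# flagged as well.
audit_svcs() {
    while read -r state stime fmri; do
        [ -n "$fmri" ] || continue
        if [ "$state" != disabled ] && is_expected_disabled "$fmri"; then
            echo "$fmri"
        fi
    done
}

# Read "fmri property actual" lines on stdin (one per `svcprop -p property fmri`
# call); print "fmri property expected" for each value that differs.
audit_props() {
    while read -r fmri prop actual; do
        [ -n "$actual" ] || continue
        expected=$(printf '%s\n' "$EXPECT_LOCAL" |
            awk -v f="$fmri" -v p="$prop" '$1 == f && $2 == p { print $3 }')
        [ -n "$expected" ] || continue      # not governed by the hardened state
        [ "$actual" = "$expected" ] || echo "$fmri $prop $expected"
    done
}

# On a live system, gather the input for audit_props from svcprop(1).
collect_props() {
    printf '%s\n' "$EXPECT_LOCAL" | while read -r fmri prop value; do
        [ -n "$fmri" ] && echo "$fmri $prop $(svcprop -p "$prop" "$fmri")"
    done
}

# Turn audit findings into commands for review (or `| sh` once reviewed).
disable_cmds() {
    while read -r fmri; do
        echo "svcadm disable $fmri"
    done
}
setprop_cmds() {
    while read -r fmri prop value; do
        echo "svccfg -s $fmri setprop $prop = $value"
        # refresh hands the new value to the running daemon; a daemon that only
        # reads the property at startup needs `svcadm restart` instead
        echo "svcadm refresh $fmri"
    done
}

# Constructed sample output in the format of `svcs -a` and of collect_props.
SVCS_SAMPLE='STATE          STIME    FMRI
online         Jun_22   svc:/network/ssh:default
online         Jun_22   svc:/network/telnet:default
disabled       Jun_22   svc:/network/ftp:default
offline        Jun_22   svc:/network/nfs/server:default
disabled       Jun_22   svc:/network/finger:default
online         Jun_22   svc:/system/system-log:default'
PROP_SAMPLE='svc:/network/rpc/bind config/local_only false
svc:/system/system-log config/log_from_remote false
svc:/network/smtp:sendmail config/local_only true
svc:/system/webconsole:console options/tcp_listen true'

printf '%s\n' "$SVCS_SAMPLE" | audit_svcs | disable_cmds
printf '%s\n' "$PROP_SAMPLE" | audit_props | setprop_cmds
```

Two details matter when running this against a real system: svcs(1)
prints instance FMRIs (svc:/network/nfs/server:default) while the
profile lists some services without an instance, so the match is made
at both levels; and setting a property with svccfg(1M) does nothing
until the service is refreshed, which is why every setprop is paired
with a refresh.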
Install Changes
For Solaris Nevada, the hardening changes are automatically applied
whenever a fresh install is performed. This effect is achieved by
invoking netservices(1M) from the SMF upgrade file found in
/var/svc/profile. Behavior is unchanged if
the system is upgraded.
For Solaris 10 updates, the default for fresh installs and upgrades is
to leave services enabled as they are today. This is because the
disabled services represent a slightly incompatible change which, while
acceptable in a minor release like Solaris Nevada, does not strictly
meet the compatibility assurances for Solaris update releases. Feedback
from a small sample of customers has shown that they are generally in
favor of a more secure configuration but would prefer an install
question to allow them to select the desired behavior.
The following question will be added during a fresh install:
Would you like to enable network services for use by remote clients?
[x] Yes
[ ] No
Note: Selecting "No" provides a more secure configuration in which
Secure Shell is the only network service provided to remote clients.
Selecting "Yes" enables a larger set of services as in previous Solaris
releases. If in doubt, it is safe to select "No" as any services can
be individually enabled after installation.
For Jumpstart installs, sysidsys(1M) will answer this question using a
new keyword in sysidcfg(4) with the following defined values:
service_profile=limited_net
service_profile=open
If the keyword is not present in the sysidcfg(4) file, the traditional
behavior is retained and no changes are made.
This project will remove the /var/svc/profile/generic.xml symlink from
the SUNWcsr prototype file and instead create it at install time,
pointing to either generic_open.xml or generic_limited_net.xml depending
on whether the limited_net profile is to be applied.
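The install-time selection just described, as an added example that is
not code from this case or from the Solaris installer: read the
service_profile keyword from a sysidcfg(4) file, fall back to the
traditional (open) behavior when the keyword is absent, reject values
the installer does not define, and point generic.xml at the matching
profile. The script works on a scratch directory given as an argument so
that it runs offline; in a real install the directory would be
/var/svc/profile in the target root, and the two generic_*.xml files are
placeholders created by the example, not the shipped profiles.

```shell
#!/bin/sh
# Added example, not from the PSARC case or the Solaris installer: choose the
# SMF generic profile from the sysidcfg(4) service_profile keyword and create
# the generic.xml symlink that the first-boot manifest import applies.

# Print the profile named by $1 (a sysidcfg file): "limited_net" or "open".
# An absent keyword yields the traditional behavior, i.e. "open"; any other
# value is rejected the way an undefined sysidcfg keyword value would be.
service_profile() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 1; }
    value=$(sed -n 's/^[[:space:]]*service_profile=[[:space:]]*//p' "$1" | tail -n 1)
    case "$value" in
        "")          echo open ;;            # keyword absent: no change from today
        limited_net) echo limited_net ;;
        open)        echo open ;;
        *) echo "service_profile: unsupported value '$value'" >&2; return 1 ;;
    esac
}

# Create (or replace) $2/generic.xml as a symlink to the profile for $1.
link_generic_profile() {
    profile=$1; dir=$2
    case "$profile" in
        limited_net) target=generic_limited_net.xml ;;
        open)        target=generic_open.xml ;;
        *) echo "unknown profile '$profile'" >&2; return 1 ;;
    esac
    [ -f "$dir/$target" ] || { echo "$dir/$target is missing" >&2; return 1; }
    rm -f "$dir/generic.xml"
    ln -s "$target" "$dir/generic.xml"
}

# Print what $1/generic.xml points at (readlink is not POSIX; ls -l is).
generic_target() {
    ls -l "$1/generic.xml" | sed 's/.* -> //'
}

# Constructed demonstration: a sysidcfg asking for the limited profile and a
# scratch profile directory with empty stand-ins for the shipped profiles.
demo() {
    tmp=$(mktemp -d)
    printf 'name_service=NONE\nservice_profile=limited_net\n' > "$tmp/sysidcfg"
    mkdir "$tmp/profile"
    : > "$tmp/profile/generic_open.xml"
    : > "$tmp/profile/generic_limited_net.xml"
    link_generic_profile "$(service_profile "$tmp/sysidcfg")" "$tmp/profile"
    generic_target "$tmp/profile"        # prints generic_limited_net.xml
    rm -rf "$tmp"
}

demo
```

The check that the target profile file exists before linking is the
part worth keeping on a real installer: a dangling generic.xml would
leave the system with neither profile applied at first boot.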
Miniroot Changes
The miniroot configuration will be altered for both Solaris Nevada and
Solaris 10 updates to disable all network services during install. This
allows the system to run in a hardened configuration for the entire
period from the beginning of installation until services are explicitly
enabled by the administrator.
Scott Rotondo
June 22, 2006