Installing Sun Solaris
Solaris is an extremely feature rich, robust and thoroughly modern OS. These
features in some ways come at a cost; sometimes it is necessary to trade
security for features. While in some circles this is certainly acceptable,
any user desiring to install a Solaris machine in a networked environment, or on
the Internet, needs to take action to remedy these problems.
With over 500 packages, and well in excess
of 100 setuid programs, Solaris isn't exactly as tight as a drum. One approach
would be to install the system, and then go through and decide just what setuid
programs belong, and which don't. Sound painful? Not only is it time
consuming, but binaries which might seem harmless are installed which could later
lead to security problems. Only by
starting with the smallest install footprint is it effective to spend time
locking down a machine.
The first task when installing a machine is to determine what role it will be
serving. Will a developer be sitting at it? Will it be a multi-user shell
machine? Web or other service server? Firewall? There are a lot of different
roles a machine can play; unfortunately we can't possibly go into every
variant. So determine exactly and precisely the services needed on the machine.
These should include the service the machine is being used for, and possibly a
mechanism for remote access. Nothing more. Take the time to write down what is
needed, who needs access to the machine, and how they're going to gain access to it. Having
a well defined game plan makes it much easier to proceed.
It would seem that the best way to discuss a secure installation of Solaris would be to walk through an actual installation,
step by step. This article actually is in two pieces. The first portion discusses the actual installation
procedure. We start with the insertion of a CD, and finish up with the addition of a couple of packages.
The second article will begin with removing a few services, and finish up with the deployment of the server. The
machine we're installing on is a Sparc Station 20/612, with 256 megs of ram, and about 4.5 gigs of drive space. Once
upon a time, this machine was pretty cutting edge; now it serves nicely for the role this machine will be built as.
In somewhat of a contrived setup, this machine will be serving as an SMTP server, a web server, and a caching
nameserver. We will ultimately be using Apache+mod_perl+Embperl, and qmail and dnscache by Dan Bernstein. We will
be installing the Early Access of Solaris 8. Installation for prior versions is extremely similar.
Each step has a box next to it. If you like, print out this article, and use it as a checklist, so
you don't miss any steps. Even one mistake can result in problems.
Without further hesitation, we begin.
 | Openboot Password and Security |
Obviously, every installation begins with the insertion of a Solaris CD. Before installing Solaris, however,
it's worthwhile to discuss the merits of an eeprom password. This will prevent random people from executing
commands in the eeprom. security-mode should be set to command, or full, and a security-password should be
set. These are set using the "setenv" command at the OK prompt:
ok setenv security-mode full
security-mode = full
ok setenv security-password
security-password =
Make sure to set both the security mode and password.
 | ok boot cdrom |
 | The Solaris install procedure begins. |
Select proper language and locale. For American English, the choices are 0 on both screens. This has no security
relevance.
OpenWindows will then start up, and displays a primary dialog about the install procedure. Continue.
 | Network Configuration |
The system identification then commences. This is where network identification will take place. If you need to
use DHCP, or NIS, you'll need to plug your ethernet in now. You'll be able to unplug it shortly.
You'll next select an IP or DHCP, and in the case of Solaris 8, whether or not you'll be enabling IPv6. Only
enable it if you'll use it; while Sun suggests that everything will work fine if you opt to install it and
don't use it, configuring services and networks you don't need could prove damaging in the future -- err on the
side of caution.
 | Name Service Configuration |
Next are the options for a naming service. If you're in a NIS environment, configure NIS. If possible, specify
the NIS servers you'll be using, rather than having the installation broadcast for them. Not running NIS? You
can select DNS, but be aware that if you're following this article, it won't be configured upon a reboot like it
should be; the installation will try to verify the DNS servers after they are entered, and upon failure, will not
configure DNS. If you must, plug in the ethernet for this portion, and remove it as soon as the DNS configuration
portions are through.
 | Netmask and Time |
You next get to configure your subnet information, and set the time on the machine.
 | Package selection |
Finally, we reach the important part of the installation, the actual selection of packages to install. People are
often tempted to install everything. It's easier, they protest, to install everything right off the bat, and worry
about removing packages afterwards. When they realize they've installed in excess of 400 packages, any intentions
they may have had to remove things are quickly tossed away. From a security perspective, this is not the best idea.
For these reasons, select to install the Core System Support group. Once selected, choose to customize the
install.
Here's the last chance for you to decide this machine's role. Will it be on someone's desktop? A firewall? A
web server? Define its role, and define it well. This mock installation machine will be functioning as a DNS,
mail and webserver. This, of course, is a contrived example, and by no means is an endorsement of installing
3 such critical services on a single machine. From the security point of view, installing services which are
critical to the internal network, such as DNS and SMTP, on a machine which serves content to the external world
(WWW), is far from a good idea. This, however, is not a topic we will address here. Instead, we'll be installing
these services in an attempt to make this article, and the subsequent one, as broadly applicable as possible.
As such, the core components are all we want, and then some. As core is the smallest installation we can do,
we'll have to select it. We will remove a large portion of the core installation upon reboot. If you need to
install OpenWindows, you can select to install the pieces you need now; large pieces of software like OpenWindows
may be easier to install now, via the GUI tools, than via the command line after installation. This is, of course,
based on what you feel comfortable with. Chances are you'll have to manually install packages at the command line
anyhow, as you discover things which you need are missing.
 | Disk partitioning |
Continuing along, the installation process will give you the option of preserving slices. If you have home
directories that you'd rather preserve than restore from backups, this is possible. It's best not to opt to
preserve anything that contains prior install binaries, as they still have the potential of being used to elevate
privileges if they are accessible upon reboot.
When given options for partitioning the disk, it's often easier to let it auto partition, and then adjust the sizes
it selects. Traditional wisdom suggests creating a separate /var partition, to prevent logs from filling the
root partition, and causing problems. Swap obviously needs to be created. Usually the defaults the installation
selects for whatever partitions created are insufficient, and will need to be adjusted. For this installation, the
test machine is installed with independent /, /opt and /var partitions. /opt is an independent partition
that /usr/local will actually be created in. This allows for easier to manage backups in some cases, as all local
changes, in theory, are on the /opt partition. Swap is set to double that of the amount of ram in the system. The
more swap you can afford to create, the better off you will be. Make sure to create room to store multiple days
worth of logs in /var, and plenty of room for patches in the other partitions. Always err on the side of caution.
Disk space is cheap, especially when you consider how frustrating having inadequately sized partitions can be.
Don't forget to create a sufficient /export/home partition. The numbers the test machine is configured with are
500 megs for /, 700 for /var, 500 for /opt, 500 for swap, and approximately 2 gigs for the /export/home partition.
The web server we eventually install will live under this partition, in /export/home/apache.
 | Mount remote volumes, and install the selected packages |
Continue on with the installation, mount remote volumes if need be, and sit back. Installation of the core
components is quick, but you should have enough time to sit back and ready yourself for the daunting task of
securing your new installation that lies ahead.
 | Reboot! |
Once the machine reboots, log in as root. Don't forget to set a password!
 | Adding packages |
The next thing we need to do is add a few packages. This machine will have
to have some services compiled on it, so we need to add the packages required
for compiler support. These are:
- SUNWbtool
- SUNWsprot
- SUNWtoo
- SUNWhea
- SUNWarc
- SUNWlibC
- SUNWlibm
- SUNWlibms
 | Disable services |
Conventional wisdom would suggest that now is the right time to fetch patches for
this machine. Unfortunately, this machine is extremely open to attack at the
moment. It would be best, in fact, to disable all services if possible prior
to doing this. Go in to /etc/rc2.d, and see what you need and don't. On this
installation, we remove the following:
- S71ldapclient
- S71rpc
- S73nfsclient
and comment out the final line of:
- S72inetsvc (the line that launches inetd)
We also comment everything out from inetd.conf. On the off chance that someone
decides to launch inetd, it would be better that no services are running.
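The steps in this section as a script, added here as an example and not part of the original article. It assumes a root prefix argument so it can be tried on a copy of /etc first, renames the rc2.d scripts with a leading underscore instead of deleting them, and assumes inetd is launched as /usr/sbin/inetd and that inetd.conf lives at /etc/inet/inetd.conf.

```shell
#!/bin/sh
# Added example, not from the original article. Bourne-shell compatible.
# Assumption: $1 is a root prefix ("" for the live system, or a scratch
# directory holding a copy of /etc for a trial run).

# Prefix every line matching a regex with '#', rewriting the file in place
# so its owner, mode and hard links are kept.
comment_lines() {
    file=$1
    pattern=$2
    [ -f "$file" ] || return 0
    sed "\|$pattern|s|^|#|" "$file" > "$file.new" &&
        cat "$file.new" > "$file" &&
        rm -f "$file.new"
}

disable_services() {
    root=$1
    rc="$root/etc/rc2.d"
    # The article deletes these; renaming takes them out of the S* names
    # that run at boot and can be undone.
    for s in S71ldapclient S71rpc S73nfsclient; do
        if [ -f "$rc/$s" ]; then
            mv "$rc/$s" "$rc/_$s"
        fi
    done
    # Only the line that launches inetd; the rest of S72inetsvc still runs.
    comment_lines "$rc/S72inetsvc" '^[^#]*/usr/sbin/inetd'
    # Every active entry, in case inetd is started by hand later.
    comment_lines "$root/etc/inet/inetd.conf" '^[^#]'
}

# Number of inetd.conf entries still active (0 after disable_services).
active_inetd_entries() {
    awk '/^[^#]/ { n++ } END { print n + 0 }' "$1/etc/inet/inetd.conf"
}
```

Run `disable_services ""` as root on the live system, then confirm with `active_inetd_entries ""` before the reboot that follows.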
 | Reboot! |
Once these packages have been installed, we'll need to reboot the system to ensure sanity of the machine. When the machine returns to run level 3 and is ready for login, be sure to log into the system in console mode, rather than CDE or OpenWindows.
 | Plug in your ethernet cable |
We need network access to pull down the Recommended patches from Sun's ftp site.
The cable should be left connected for only a short time, as the system is not
ready to face the threats on most networks.
Set a default route, and also place it in the /etc/defaultrouter file, unless
you have dynamically assigned routes. From the security perspective, static
routes are better. You'll need to manually set the default route this one time.
Upon subsequent reboots, the machine will automatically set the default.
 | Configure DNS |
The one last thing to do before you can get to sunsolve.sun.com is to set up
DNS. Edit /etc/resolv.conf, and add your nameservers, and edit
/etc/nsswitch.conf, changing the line that reads hosts to the following:
hosts: files dns
If you are running NIS for name service, this is not necessary.
 | Get patches! |
Initiate an ftp session to sunsolve.sun.com,
go in the /pub/patches, and get the
recommended patch cluster for the appropriate version of Solaris for this
machine. Don't forget to install it! The patch cluster will include a README
describing the patch installation process.
 | Unplug the ethernet cable |
Once the patches have been retrieved, returning the system to its most defensive posture is recommended. Several services run by default on a Solaris system, many of them vulnerable to exploits that could allow a remote user full access to the system.
 | Package removal |
Now, we'll remove a few packages. This machine will not be running NIS. Nor will it be running some of the other packages
the Core Systems Support option seems to install. The following packages were removed; they may not all exist on
versions prior to 8, but it should give you a rough idea of the packages you don't need that may still be lurking.
Packages can be removed with the following syntax:
/usr/sbin/pkgrm <package>
Removed:
- SUNWtleu (Thai localizations. Very odd.)
- SUNWsndmr (No need for audio on this machine)
- SUNWsndmu
- SUNWqfed (No qfe in this machine)
- SUNWpsdpr
- SUNWpcser (No pcmcia on this machine)
- SUNWpcmem
- SUNWpcmcu
- SUNWpcmci
- SUNWpcelx
- SUNWnisu
- SUNWnisr
- SUNWnamox (why did this get installed on a 32bit machine?)
- SUNWnamow (I said no Openwin!)
- SUNWxwmod
- SUNWxwdv
- SUNWplow
- SUNWplow1
- SUNWnamdt (no dt on this machine)
- SUNWnafos (North Africa support. weird)
- SUNWmeaos (Middle East support)
- SUNWluxop (Sun Enterprise Network Array stuff)
- SUNWatfsr
- SUNWatfsu
- SUNWauda (more audio stuff)
- SUNWaudd
- SUNWdtcor (no dt)
- SUNWi15cs
- SUNWi1cs
Our final package list is as follows:
- system SUNWadmr System & Network Administration Root
- system SUNWcar Core Architecture, (Root)
- system SUNWcg6 GX (cg6) Device Driver
- system SUNWcsd Core Solaris Devices
- system SUNWcsl Core Solaris, (Shared Libs)
- system SUNWcsr Core Solaris, (Root)
- system SUNWcsu Core Solaris, (Usr)
- system SUNWdfb Dumb Frame Buffer Device Drivers
- system SUNWesu Extended System Utilities
- system SUNWftpr FTP Server, (Root)
- system SUNWftpu FTP Server, (Usr)
- system SUNWhmd SunSwift SBus Adapter Drivers
- system SUNWkey Keyboard configuration tables
- system SUNWkvm Core Architecture, (Kvm)
- system SUNWlibms Sun WorkShop Bundled shared libm
- system SUNWloc System Localization
- system SUNWnamos Northern America OS Support
- system SUNWpl5u Perl 5.005_03
- system SUNWrmodu Realmode Modules, (Usr)
- system SUNWsolnm Solaris Naming Enabler
- system SUNWswmt Install and Patch Utilities
- system SUNWudfr Universal Disk Format 1.50
- system SUNWbtool CCS tools bundled with SunOS
- system SUNWarc Archive Libraries
- system SUNWhea SunOS Header Files
- system SUNWlibm Sun WorkShop Bundled libm
- system SUNWlibms Sun WorkShop Bundled shared libm
- system SUNWsprot Solaris Bundled tools
- system SUNWtoo Programming Tools
- system SUNWlibC SPARCompilers Bundled libC
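To check a machine against the final list above, this added example (not part of the original article) reads `pkginfo` output and prints every installed package that is not on the list. The `KEEP` variable, the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article. Bourne-shell compatible.
# KEEP is the article's final package list, one entry per package.
KEEP="SUNWadmr SUNWcar SUNWcg6 SUNWcsd SUNWcsl SUNWcsr SUNWcsu SUNWdfb \
SUNWesu SUNWftpr SUNWftpu SUNWhmd SUNWkey SUNWkvm SUNWlibms SUNWloc \
SUNWnamos SUNWpl5u SUNWrmodu SUNWsolnm SUNWswmt SUNWudfr SUNWbtool \
SUNWarc SUNWhea SUNWlibm SUNWsprot SUNWtoo SUNWlibC"

# stdin: pkginfo output, one "category pkginst description" line each.
# stdout: installed packages that are not on the keep list.
extra_packages() {
    while read category pkg name; do
        [ -n "$pkg" ] || continue
        # A second instance of a package is listed as NAME.2; compare on NAME.
        base=`expr "$pkg" : '\([^.]*\)'`
        case " $KEEP " in
            *" $base "*) ;;
            *) echo "$pkg" ;;
        esac
    done
}

# Constructed sample in pkginfo's layout, for trying the filter offline.
sample_pkginfo() {
    cat <<'EOF'
system      SUNWcsr        Core Solaris, (Root)
system      SUNWnisu       Network Information System, (Usr)
system      SUNWlibC       SPARCompilers Bundled libC
system      SUNWaudd       Audio Drivers
EOF
}

# On the installed machine:  pkginfo | extra_packages
```

Anything it prints is a candidate for `pkgrm`; an empty result means the machine matches the list.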
 | Plug in the ethernet cable |
Finally, the machine should be ready to sit on the network. With the patches installed, and a minimal set of services running, the machine should be in a position to resist basic intrusion attempts and exploits.
In the next article in this series, we'll discuss locking this machine down
further, and installing the services it will be running.