FOCUS on Sun: Installing Solaris
SecurityFocus 2000-11-29

Installing Sun Solaris

Solaris is an extremely feature-rich, robust and thoroughly modern OS. Those features come at a cost: sometimes security is traded for functionality. That trade may be acceptable in some circles, but anyone putting a Solaris machine on a network, let alone the Internet, needs to take action to correct it. With over 500 packages and well in excess of 100 setuid programs in a full install, Solaris is not exactly tight as a drum. One approach is to install everything and then go through the system deciding which setuid programs belong and which don't. Sound painful? It is time-consuming, and binaries that look harmless today can become the local privilege escalation of tomorrow. Starting from the smallest install footprint is the only way to make the time spent locking down a machine pay off: what is not installed cannot be exploited and does not need patching.

The first task when installing a machine is to determine what role it will serve. Will a developer be sitting at it? Is it a multi-user shell machine? A web or other service host? A firewall? There are many roles a machine can play, and we can't possibly cover every variant, so determine precisely the services the machine needs: the service it exists to provide, possibly a mechanism for remote access, and nothing more. Take the time to write down what is needed, who needs access to the machine and how they are going to get it. A well-defined game plan makes it much easier to proceed.

The best way to discuss a secure installation of Solaris is to walk through an actual installation, step by step. This article is in two parts. The first part covers the installation procedure itself: we start with the insertion of a CD and finish with the addition of a couple of packages. The second article will begin with removing a few services and finish with the deployment of the server. The machine we're installing on is a SPARCstation 20/612 with 256 MB of RAM and about 4.5 GB of disk. Once upon a time this machine was pretty cutting edge; now it serves nicely in the role it is being built for. In a somewhat contrived setup, this machine will be an SMTP server, a web server and a caching nameserver, ultimately running Apache+mod_perl+Embperl, and qmail and dnscache by Dan Bernstein. We will be installing the Early Access release of Solaris 8; installation on prior versions is extremely similar.

Each step below has its own heading. If you like, print out this article and use it as a checklist, so you don't miss any steps. Even one mistake can result in problems.

Without further ado, we begin.

Openboot Password and Security

Obviously, every installation begins with the insertion of a Solaris CD. Before installing Solaris, however, it's worthwhile to discuss the merits of an OpenBoot (EEPROM) password. This keeps anyone with console access from running arbitrary OpenBoot commands, such as booting from a CD or the network to get a root shell on your disks. security-mode should be set to command or full, and a security-password must be set. Both are set at the OK prompt: the password with the password command (which prompts twice and does not echo), and the mode with setenv.

ok password
New password:
Retype new password:
ok setenv security-mode command
security-mode = command

Make sure to set both the security mode and a non-empty password; enabling a security mode with an empty security-password accomplishes nothing. In command mode the password is required for every OpenBoot command except boot (with its default arguments) and go, so the machine still comes back unattended after a power cycle; full mode demands the password for booting as well, which is stricter but means a headless server sits at the console prompt until someone types it. Two caveats: the password lives in NVRAM, so someone with physical access and a screwdriver can still get around it, and a forgotten password leaves you in the same position. From the running system later, /usr/sbin/eeprom security-mode shows the current setting and eeprom security-#badlogins shows how many failed attempts have been made at the prompt.

ok boot cdrom

The Solaris install procedure begins.

Select the proper language and locale. For American English, the choice is 0 on both screens. This has no security relevance.
The installer's OpenWindows GUI then starts and displays an introductory dialog about the install procedure. Continue.

Network Configuration

System identification then commences; this is where network identification takes place. If you need to use DHCP or NIS, plug in your ethernet cable now; you'll be able to unplug it shortly. Next you select a static IP address or DHCP and, in the case of Solaris 8, whether or not to enable IPv6. Only enable it if you'll use it: Sun suggests that everything works fine if it is configured and never used, but a configured stack nobody uses is one more thing listening on the wire and one more thing nobody watches. Err on the side of caution.

Name Service Configuration

Next are the options for a naming service. If you're in a NIS environment, configure NIS. If possible, specify the NIS servers you'll be using rather than having the installation broadcast for them. Not running NIS? You can select DNS, but be aware that with the cable unplugged, as this article recommends, the installer tries to reach the DNS servers you enter and, when that fails, leaves DNS unconfigured after the reboot. If you must, plug in the ethernet for this portion and remove it as soon as the DNS screens are through; otherwise leave name service at None here and configure DNS by hand after the reboot, as described later in this article.

Netmask and Time

You next configure your subnet mask, then set the time zone and clock on the machine.

Package selection

Finally we reach the important part of the installation: selecting which packages to install. People are often tempted to install everything. It's easier, they protest, to install everything right off the bat and worry about removing packages afterwards. Then they realize they've installed in excess of 400 packages, and any intention of removing things is quickly abandoned. From a security perspective this is the wrong way round: every package you don't install is one you never have to patch or audit. So select the Core System Support group and, once it is selected, choose to customize the install.

Here is the last chance to decide the machine's role. Will it sit on someone's desktop? Be a firewall? A web server? Define its role, and define it well. This mock installation will function as a DNS, mail and web server. This is, of course, a contrived example and by no means an endorsement of installing three such critical services on a single machine: from a security point of view, putting services critical to the internal network, such as DNS and SMTP, on a machine that serves content to the outside world (WWW) is far from a good idea, since a compromise of the web server hands the attacker your mail and name service as well. That, however, is not a topic we will address here. Instead, we install these services to make this article, and the next one, as broadly applicable as possible.

As such, the core components are all we want, and then some. Core is the smallest installation group available, so select it; we'll remove a large portion of even the core install after the reboot. If you need OpenWindows, you can select the pieces you need now; large pieces of software like OpenWindows may be easier to install now, via the GUI, than from the command line afterwards. That is, of course, a matter of what you feel comfortable with. Chances are you'll be installing packages by hand with pkgadd anyway, as you discover that things you need are missing.

Disk partitioning

Continuing along, the installation process will give you the option of preserving slices. If you have home directories that you'd rather preserve than restore from backups, this is possible. Don't preserve anything that contains binaries from a prior install, such as an old /usr or /opt: an unpatched setuid binary on a preserved slice is exploitable the moment the slice is mounted after the reboot.

When given options for partitioning the disk, it's often easier to let the installer auto-partition and then adjust the sizes it selects. Traditional wisdom says to create a separate /var partition so that logs (or a mail spool) filling up can't fill the root filesystem and wedge the machine. Swap obviously needs to be created. The defaults the installer picks are usually insufficient and will need adjusting. For this installation, the test machine gets independent /, /opt and /var partitions; /usr/local will actually be created under /opt, which makes backups easier to manage in some cases, since all local changes are, in theory, on the /opt partition. Swap is set to double the amount of RAM in the system; the more swap you can afford to create, the better off you will be. Make sure /var has room for several days' worth of logs, and that there is plenty of room for patches: patchadd keeps backout copies under /var/sadm, so /var grows with every patch cluster applied. Always err on the side of caution. Disk space is cheap, especially when you consider how frustrating an inadequately sized partition can be. Don't forget to create a sufficient /export/home partition. The test machine is configured as:
  • / 500 MB
  • /var 700 MB
  • /opt 500 MB
  • swap 500 MB
  • /export/home approximately 2 GB
The web server we eventually install will live under this last partition, in /export/home/apache.

Mount remote volumes, and install the selected packages

Continue on with the installation, mount remote volumes if need be, and sit back. Installation of the core components is quick, but there is enough time to ready yourself for the daunting task of securing the new installation that lies ahead.

Reboot!

Once the machine reboots, log in as root on the console. If the installer did not prompt you for a root password, set one now with passwd before doing anything else.

Adding packages

The next thing we need to do is add a few packages. Some of this machine's services will be compiled on it, so we need the packages required for compiler support, installed from the Solaris CD with pkgadd -d <path to the Product directory on the CD>. They are:
  • SUNWbtool
  • SUNWsprot
  • SUNWtoo
  • SUNWhea
  • SUNWarc
  • SUNWlibC
  • SUNWlibm
  • SUNWlibms
These supply the headers, libraries, linker, assembler and make, but not a C compiler: Solaris 8 does not bundle one, so gcc (or Sun's compiler) has to be obtained separately before anything can be built.

Disable services

Conventional wisdom says that now is the time to fetch patches. Unfortunately, at this point the machine is a stock install: every default network service is listening and none of the patches has been applied. It would be best, in fact, to disable all services if possible before it goes anywhere near a network. Go into /etc/rc2.d and see what you need and don't. On this installation we take out the following (rename them rather than delete them, so they can be put back: /sbin/rc2 only runs scripts whose names begin with S or K, so a name like _S71rpc is ignored):
  • S71ldapclient
  • S71rpc
  • S73nfsclient
and comment out the final line of:
  • S72inetsvc (the line that launches inetd)
Leave the rest of S72inetsvc alone: on Solaris 8 it also finishes configuring the network interfaces and adds the multicast route. The core group also installs sendmail, started from S88sendmail; it is removed by package later in this article, but it listens on port 25 in the meantime, so disable it here the same way. We also comment everything out of /etc/inet/inetd.conf (/etc/inetd.conf is a symlink to it). On the off chance that someone launches inetd later, it is better that it has no services to offer.
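
The changes in this step as a script, added by the editor rather than taken from the original article. It takes the root directory as an argument so it can be rehearsed on a scratch copy of /etc before being run against the real one (sh disable.sh --apply /), renames the rc scripts instead of deleting them (a file in /etc/rc2.d whose name doesn't start with S or K is ignored by /sbin/rc2, so a leading underscore disables it reversibly; the underscore is the editor's convention), and includes the checks to run afterwards:

```sh
#!/bin/sh
# Added example (the editor's, not code from the original article): disable
# the startup scripts and inetd services named in the text. The root
# directory is a parameter so the script can be rehearsed on a copy of /etc
# before being pointed at the real one.

# disable_rc_script <rc dir> <name>: S71rpc becomes _S71rpc, which /sbin/rc2
# ignores; the script stays around to be re-enabled with a second mv.
disable_rc_script() {
    if [ -f "$1/$2" ]; then
        mv "$1/$2" "$1/_$2"
    fi
}

# comment_all <file>: put '#' in front of every active line, leaving existing
# comments and blank lines alone so the file remains a readable record of the
# defaults. cp -p first so the rewritten file keeps the original's mode.
comment_all() {
    cp -p "$1" "$1.new" \
        && awk '/^[ \t]*#/ || /^[ \t]*$/ { print; next } { print "#" $0 }' "$1" > "$1.new" \
        && mv "$1.new" "$1"
}

# comment_matching <file> <regex>: comment out only the active lines matching
# <regex>; used for the inetd line in S72inetsvc, whose other lines (interface
# configuration, multicast route) must keep running
comment_matching() {
    cp -p "$1" "$1.new" \
        && awk '/^[ \t]*#/ { print; next } $0 ~ pat { print "#" $0; next } { print }' \
               pat="$2" "$1" > "$1.new" \
        && mv "$1.new" "$1"
}

# disable_default_services <root>: the specific changes made in this step.
# /etc/inetd.conf is a symlink to /etc/inet/inetd.conf, so edit the target.
disable_default_services() {
    root=$1
    for s in S71ldapclient S71rpc S73nfsclient S88sendmail; do
        disable_rc_script "$root/etc/rc2.d" "$s"
    done
    comment_matching "$root/etc/rc2.d/S72inetsvc" '/usr/sbin/inetd'
    comment_all "$root/etc/inet/inetd.conf"
}

# active_lines <file>: number of uncommented, non-blank lines left; run it on
# inetd.conf afterwards and expect 0
active_lines() {
    awk '!/^[ \t]*#/ && !/^[ \t]*$/ { n++ } END { print n + 0 }' "$1"
}

# enabled_rc <rc dir>: the start scripts that will still run at the next boot
enabled_rc() {
    for f in "$1"/S*; do
        if [ -f "$f" ]; then
            basename "$f"
        fi
    done
}

case "$1" in
    --apply) disable_default_services "${2:-/}" ;;
esac
```

After running it, active_lines on /etc/inet/inetd.conf should print 0 and enabled_rc should list only scripts you can account for; after the reboot, confirm with netstat -an that nothing unexpected is listening.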

Reboot!

Once the packages have been added and the services disabled, reboot to make sure the machine comes up cleanly without them. When it returns to run level 3 and is ready for login, log in on the console (a core install has no CDE or OpenWindows anyway), then check what is still listening with netstat -an and what is running with ps -ef. With rpcbind and inetd out of the picture the list should be short; anything you didn't expect, such as sendmail on port 25 or syslogd on UDP port 514, is something to deal with before the cable goes in.

Plug in your ethernet cable

We need network access to pull down the Recommended patches from Sun's ftp site. The cable should stay connected for as short a time as possible, as the system is not yet ready to face the threats on most networks. If another machine is available, a better option is to download the cluster there and bring it over on CD-R or tape, so this machine never touches the network until the end.

Set a default route with route add default <gateway>, and also put the gateway in /etc/defaultrouter, unless you have dynamically assigned routes. From a security perspective, static routes are better: when /etc/defaultrouter exists, the startup scripts don't start in.routed or in.rdisc, so the machine neither listens for nor trusts routing advertisements from the wire. Use an IP address rather than a hostname, since the file is read before name service is available. You'll need to set the default route manually this one time; on subsequent reboots the machine sets it from the file automatically.

Configure DNS

The last thing to do before you can reach sunsolve.sun.com is to set up DNS. Edit /etc/resolv.conf and add your nameservers (one nameserver line per server, plus a domain line), and edit /etc/nsswitch.conf, changing the line that begins with hosts to the following:

hosts: files dns

If you are running NIS for name service, this is not necessary.
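
The default route and resolver setup from the two steps above as one script, added by the editor and not part of the original article. The addresses are placeholders from the RFC 5737 documentation range, and /etc/notrouter is the editor's addition (on Solaris 2.x through 8 its presence keeps the boot scripts from turning on IP forwarding, which a single-homed server has no business doing). The functions take a root directory so the edits can be tried on a copy of /etc first; sh net.sh --apply does the real thing:

```sh
#!/bin/sh
# Added example (the editor's, not from the original article): the one-off
# network bring-up for fetching patches, parameterised on a root directory.
# 192.0.2.x addresses are placeholders; substitute your own.

# set_default_router <root> <gateway ip>: persist the static route. Use an IP
# address, not a hostname: /etc/defaultrouter is read before name service is
# up. /etc/notrouter additionally stops the boot scripts from enabling IP
# forwarding (editor's addition).
set_default_router() {
    echo "$2" > "$1/etc/defaultrouter"
    : > "$1/etc/notrouter"
}

# set_hosts_lookup <nsswitch.conf>: rewrite only the hosts: line to
# "files dns", leaving every other line exactly as it was; cp -p first so
# the rewritten file keeps its mode
set_hosts_lookup() {
    cp -p "$1" "$1.new" \
        && awk '$1 == "hosts:" { print "hosts:      files dns"; next } { print }' "$1" > "$1.new" \
        && mv "$1.new" "$1"
}

# hosts_lookup <nsswitch.conf>: the sources currently configured for hosts,
# i.e. the check to run after editing
hosts_lookup() {
    awk '$1 == "hosts:" { s = $2; for (i = 3; i <= NF; i++) s = s " " $i; print s }' "$1"
}

# configure_resolver <root> <domain> <nameserver ip>...: write resolv.conf
# and switch host lookups to local files first, then DNS
configure_resolver() {
    root=$1; domain=$2; shift 2
    {
        echo "domain $domain"
        for ns in "$@"; do
            echo "nameserver $ns"
        done
    } > "$root/etc/resolv.conf"
    set_hosts_lookup "$root/etc/nsswitch.conf"
}

# Applied to the live system only when invoked as "sh net.sh --apply". The
# route command is needed just this once; /etc/defaultrouter covers later
# boots.
case "$1" in
    --apply)
        set_default_router / 192.0.2.1
        configure_resolver / example.com 192.0.2.53 192.0.2.54
        route add default 192.0.2.1
        ;;
esac
```
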

Get patches!

Initiate an ftp session to sunsolve.sun.com, change to /pub/patches, and get the recommended patch cluster for this machine's version of Solaris. Don't forget to install it! The cluster includes a README describing the patch installation process; read it, install with the machine otherwise idle, and reboot afterwards, since the cluster includes kernel patches.

Unplug the ethernet cable

Once the patches have been retrieved, return the system to its most defensive posture. Several network services run by default on a Solaris system, and a number of them have historically had remotely exploitable holes of the kind that hand a remote user full access to the system; until the patches are installed and the machine rebooted, it is exactly the target those patches describe.

Package removal

Now we'll remove a few packages. This machine will not be running NIS, nor some of the other things the Core System Support group seems to install. The following packages were removed; they may not all exist on versions prior to 8, but the list should give you a rough idea of the packages you don't need that may still be lurking. /usr/bin/pkginfo lists what is installed, and pkginfo -l <package> describes a single package.
Packages are removed with the following syntax:
/usr/sbin/pkgrm <package> [<package> ...]
pkgrm checks whether any other installed package depends on the one being removed and asks before continuing; don't answer that prompt blindly.
Removed:
  • SUNWtleu (Thai localization; very odd)
  • SUNWsndmr (sendmail root and usr packages; qmail will replace it)
  • SUNWsndmu
  • SUNWqfed (no Quad FastEthernet card in this machine)
  • SUNWpsdpr
  • SUNWpcser (no PCMCIA on this machine)
  • SUNWpcmem
  • SUNWpcmcu
  • SUNWpcmci
  • SUNWpcelx
  • SUNWnisu (no NIS on this machine)
  • SUNWnisr
  • SUNWnamox (64-bit support; why did this get installed on a 32-bit machine?)
  • SUNWnamow (OpenWindows support; we said no OpenWindows!)
  • SUNWxwmod
  • SUNWxwdv
  • SUNWplow
  • SUNWplow1
  • SUNWnamdt (no CDE on this machine)
  • SUNWnafos (North Africa support; weird)
  • SUNWmeaos (Middle East support)
  • SUNWluxop (Sun Enterprise Network Array support)
  • SUNWatfsr (automounter)
  • SUNWatfsu
  • SUNWauda (audio)
  • SUNWaudd
  • SUNWdtcor (no CDE)
  • SUNWi15cs
  • SUNWi1cs
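
A script covering both the package addition step earlier and this removal step, added by the editor rather than taken from the article. It drives pkgadd and pkgrm non-interactively through an admin(4) file that aborts rather than waving things through, and previews which packages on the removal list are still listed as prerequisites by something else before pkgrm is run. It assumes the Solaris 8 CD's packages are under /cdrom/cdrom0/Solaris_8/Product (the path depends on the media and on vold; adjust it) and the standard SVR4 package metadata layout under /var/sadm/pkg, with each package's prerequisites recorded in install/depend as "P <pkg> <description>" lines; the strict admin file is the editor's choice:

```sh
#!/bin/sh
# Added example (the editor's, not code from the original article): admin
# file driven pkgadd/pkgrm plus a dependency preview for the removal list.
# SADM is a parameter so the preview can be run against a copy of
# /var/sadm/pkg; PKGDIR is an assumption about where the CD is mounted.

SADM=${SADM:-/var/sadm/pkg}
PKGDIR=${PKGDIR:-/cdrom/cdrom0/Solaris_8/Product}
ADMIN=${ADMIN:-/tmp/strict.admin}

# The two package lists from the article
COMPILER_PKGS="SUNWbtool SUNWsprot SUNWtoo SUNWhea SUNWarc SUNWlibC SUNWlibm SUNWlibms"
REMOVE_PKGS="SUNWtleu SUNWsndmr SUNWsndmu SUNWqfed SUNWpsdpr SUNWpcser SUNWpcmem
SUNWpcmcu SUNWpcmci SUNWpcelx SUNWnisu SUNWnisr SUNWnamox SUNWnamow SUNWxwmod
SUNWxwdv SUNWplow SUNWplow1 SUNWnamdt SUNWnafos SUNWmeaos SUNWluxop SUNWatfsr
SUNWatfsu SUNWauda SUNWaudd SUNWdtcor SUNWi15cs SUNWi1cs"

# write_admin <file>: every question pkgadd/pkgrm would normally ask is
# answered "quit" (abort) rather than "nocheck" (wave through). setuid=quit
# refuses a package that ships setuid binaries, so you find out; rerun that
# one interactively with setuid=ask to see which file. action=nocheck is
# needed because every SUNW package carries install scripts that run as root.
write_admin() {
    cat > "$1" <<'EOF'
mail=
instance=unique
partial=quit
runlevel=nocheck
idepend=quit
rdepend=quit
space=quit
setuid=quit
conflict=quit
action=nocheck
basedir=default
EOF
}

# installed <pkg>: true if the package's metadata directory exists
installed() { [ -d "$SADM/$1" ]; }

# required_by <pkg>: the installed packages whose depend file names <pkg>
# as a prerequisite (a "P" line)
required_by() {
    for d in "$SADM"/*; do
        [ -f "$d/install/depend" ] || continue
        if awk '$1 == "P" && $2 == p { f = 1 } END { exit !f }' p="$1" "$d/install/depend"; then
            basename "$d"
        fi
    done
}

# plan_removal <pkg>...: one line per candidate: "absent <pkg>",
# "removable <pkg>" or "blocked <pkg> <dependents...>". A blocker that is
# itself on the list just has to be removed first; one that is not means
# reconsider before removing.
plan_removal() {
    for pkg in "$@"; do
        if ! installed "$pkg"; then
            echo "absent $pkg"
            continue
        fi
        deps=""
        for b in $(required_by "$pkg"); do
            deps="$deps $b"
        done
        if [ -n "$deps" ]; then
            echo "blocked $pkg$deps"
        else
            echo "removable $pkg"
        fi
    done
}

# add_compiler_pkgs: install the build-support packages from the CD
add_compiler_pkgs() {
    write_admin "$ADMIN"
    pkgadd -n -a "$ADMIN" -d "$PKGDIR" $COMPILER_PKGS
}

# remove_unneeded: remove only what the preview marks removable and print
# the rest for a human to look at
remove_unneeded() {
    write_admin "$ADMIN"
    plan_removal $REMOVE_PKGS | while read status pkg rest; do
        case $status in
            removable) pkgrm -n -a "$ADMIN" "$pkg" < /dev/null ;;
            *) echo "skipped: $status $pkg $rest" ;;
        esac
    done
}

case "$1" in
    --add) add_compiler_pkgs ;;
    --plan) plan_removal $REMOVE_PKGS ;;
    --remove) remove_unneeded ;;
esac
```

Run sh pkgs.sh --plan first and read the blocked lines; pkgrm would refuse those anyway with rdepend=quit, but it is better to know before a half-finished removal run leaves the system in between states.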

Our final package list is as follows:
  • system SUNWadmr System & Network Administration Root
  • system SUNWcar Core Architecture, (Root)
  • system SUNWcg6 GX (cg6) Device Driver
  • system SUNWcsd Core Solaris Devices
  • system SUNWcsl Core Solaris, (Shared Libs)
  • system SUNWcsr Core Solaris, (Root)
  • system SUNWcsu Core Solaris, (Usr)
  • system SUNWdfb Dumb Frame Buffer Device Drivers
  • system SUNWesu Extended System Utilities
  • system SUNWftpr FTP Server, (Root)
  • system SUNWftpu FTP Server, (Usr)
  • system SUNWhmd SunSwift SBus Adapter Drivers
  • system SUNWkey Keyboard configuration tables
  • system SUNWkvm Core Architecture, (Kvm)
  • system SUNWlibms Sun WorkShop Bundled shared libm
  • system SUNWloc System Localization
  • system SUNWnamos Northern America OS Support
  • system SUNWpl5u Perl 5.005_03
  • system SUNWrmodu Realmode Modules, (Usr)
  • system SUNWsolnm Solaris Naming Enabler
  • system SUNWswmt Install and Patch Utilities
  • system SUNWudfr Universal Disk Format 1.50
  • system SUNWbtool CCS tools bundled with SunOS
  • system SUNWarc Archive Libraries
  • system SUNWhea SunOS Header Files
  • system SUNWlibm Sun WorkShop Bundled libm
  • system SUNWsprot Solaris Bundled tools
  • system SUNWtoo Programming Tools
  • system SUNWlibC SPARCompilers Bundled libC

Plug in the ethernet cable

Finally, the machine should be ready to sit on the network. Before the cable goes in, take a last look: netstat -an for what is listening, ps -ef for what is running, and find / -type f \( -perm -4000 -o -perm -2000 \) -ls for an inventory of the setuid and setgid binaries that survived the package removal. With the patches installed and a minimal set of services running, the machine should be in a position to resist basic intrusion attempts and exploits.

In the next article in this series, we'll discuss locking this machine down further, and installing the services it will be running.

Relevant Links

SunSolve FTP
Sun

SunSolve Website
Sun


Copyright 2006, SecurityFocus