SUMMARY: Minimal System Configuration...

From: Don Mies <dmies_at_bluekite.com>
Date: Tue Jan 08 2002 - 13:30:21 EST
Thanks to the following for their input:

   Thomas Cannon
   Tim Chipman
   Brian Dunbar
   John Elser
   Paul Foti
   Rick Francis
   Tom Heinrichs
   Brent Killion
   Rich Kulawiec
   Steve Mickeler
   Jedrzej Nasiadek
   Hamid Ouyachi
   John Riddoch
   Craig Scott
   Justin Stringfellow
   John Tan
   Hendrik Visage
   Don Werve
   Anonymous from <sysadmin@astro.su.se>

Several people were curious what our product is.  It's a content 
optimizing web proxy server designed to be used in "slow" end 
user connection type networks such as portable cell phones.  The 
current generation of cell phone operates at 9600-14400 baud 
which makes web surfing very unpleasant.

We sell our servers to the large telecom industry players but we 
have just started offering a service ourselves to end users.

For more information check out:

   bluekite.com

---

Here are the suggestions received, in order of receipt:

---

   Use OpenBSD instead of Solaris 8.

---

   Run the Solaris install and specify "no" to almost everything.

---

   Look at JASS (Solaris Security Toolkit).

---

   Lay down the install using the minimum configuration option (as
   opposed to the full eom version).  Test app.  Remove your
   /etc/inetd.conf file.  Test app.  Set up secure routes (this
   may cost you dollars).  Test app.  Remove startup scripts you
   don't want from /etc/rc2.d and rc3.d.  Test app.

---

   See the SANS guide:
   Solaris Security: Step-by-Step
   http://www.sansstore.org/Merchant/solaris.htm

---

   Lance Spitzner's 'Armoring' series.

---

   http://www.sans.org
   http://www.linuxsecurity.com
   http://www.packetst0rm.net/armor_solaris.txt
   http://www.usenix.org/sage/sysadmins/solaris/index.html
   http://fixsolaris.sunhelp.org/fixsolaris.txt
   http://www.sun.com/blueprints/1100/minimize-updt1.pdf
   http://www.sun.com/blueprints/1200/network-updt1.pdf
   see "securing public web servers" at
      http://www.cert.org/security-improvement/
   Try the hardening tools at
      http://www.sans.org/
      http://www.cert.org/
      http://www.cisecurity.org/
   specific to solaris:
      http://www.yassp.org/

---

   Do an end-user installation (the one just below a developer
   installation), choosing some extra stuff like the GNU
   utilities etc. as per your liking.  Then once installed and
   connected, start culling the /etc/rc?.d/S* files and the
   packages that aren't needed.

---

   Your best bet is probably to install the core OS which will
   include the base networking you require.  Next, add the
   stuff you need (if you're unsure which package a file is
   in, do a full install elsewhere and grep on
   /var/sadm/install/contents for the file).  Finally do a
   check on pkginfo and pkgrm anything you don't think you
   need.  Test, and add anything which is missing.
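
The "grep on /var/sadm/install/contents" step above, as an added example that is not part of the original suggestion: a small POSIX sh function that parses the contents database format (path, type, class, and a type-dependent number of attribute fields, followed by the owning package names) and reports which package owns a given file. The sample database is constructed, not taken from a real system.

```shell
#!/bin/sh
# Added example (not from the original post): find which Solaris package owns a
# file by parsing the /var/sadm/install/contents database format.  Each line is
# "path type class ... package [package ...]"; how many fields precede the
# package list depends on the entry type.  The sample database is constructed.

CONTENTS=$(mktemp)
trap 'rm -f "$CONTENTS"' EXIT
cat > "$CONTENTS" <<'EOF'
/etc d none 0755 root sys SUNWcsr SUNWcsu
/etc/inetd.conf e inetd 0644 root sys 6093 23146 996734505 SUNWcsr
/usr/bin/ls f none 0555 root bin 18844 32587 996734504 SUNWcsu
/usr/bin/sh=../../sbin/sh s none SUNWcsu
/usr/sbin/in.telnetd f none 0555 root bin 47268 4321 996734510 SUNWcsu
/opt/sfw/bin/lsof f none 0555 root bin 123456 8765 996734520 SMClsof
EOF

# pkg_owner CONTENTS_FILE ABS_PATH -> prints owning package(s); exit 1 if absent
pkg_owner() {
    awk -v want="$2" '
    {
        split($1, p, "=")   # symlink/hardlink entries read "path=target"
        if (p[1] != want) next
        t = $2
        if (t == "f" || t == "e" || t == "v")      first = 10  # regular files
        else if (t == "d" || t == "x" || t == "p") first = 7   # dirs, pipes
        else if (t == "s" || t == "l")             first = 4   # links
        else if (t == "c" || t == "b")             first = 9   # devices
        else                                       first = NF  # unknown type
        for (i = first; i <= NF; i++) printf "%s%s", $i, (i < NF ? " " : "\n")
        found = 1
    }
    END { exit found ? 0 : 1 }' "$1"
}

# Example: which package would you be touching if in.telnetd were removed?
pkg_owner "$CONTENTS" /usr/sbin/in.telnetd
```

Run it against the real database with `pkg_owner /var/sadm/install/contents /path/to/file` before deciding whether a `pkgrm` is safe or a single file should be moved aside instead.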

---

   There was a Sun paper about that (probably available from
   sun.com).  I can send it to you if you want (and if I find it
   among my files :-).  Besides, I strongly recommend installing
   IPfilter, blocking everything, and then selecting which
   communication you want to pass and which to block.

---

   www.sun.com/blueprints/browsesubject.html

---

   Well, you might want to take a look at Sun's Blueprint docs at
   www.sun.com/blueprints.  They have a document for a secure
   install of an application (in this case iPlanet).  The doc
   title is: Solaris Operating Environment Minimization for
   Security: A Simple, Reproducible and Secure Application
   Installation Methodology, by Alex Noordergraaf.

---

    - Try to do a minimal package install
    - Hope I haven't broken a bit of functionality I'll actually need
    - Boot the system
    - Use "ps" to see what's running; adjust /etc/rc* and /etc/inetd.conf
      to turn off as much as possible
    - Use "lsof" and "nmap" (both open-source tools) to figure out
      what ports are open and what's listening on them.  (lsof lists
      which processes have which files open; that includes sockets.
      nmap is a pretty good port scanner.)   Back to /etc/rc* and
      /etc/inetd.conf to turn things off.
    - Remove the daemons and clients for all the things I've turned
      off in previous steps.  Also remove working/spool directories
      such as found in /var.  Also remove any sockets or device entries
      associated with the service.  (This is the step where I tend to
      start making mistakes, because much of the documentation is
      wrong or incomplete.)
    - Remove as much static data as possible.  That means /usr/man/*,
      /usr/include/*, and so on.  This doesn't directly do a lot for
      security, but it does reduce the size of the installed base,
      so that when I put an integrity checker (e.g. tripwire) on the
      system, it will have less to keep track of.
    - Clean out /usr/bin, /usr/sbin, etc. as much as possible.  This
      is another error-prone step, so I tend to move things to temporary
      locations rather than actually delete them.  (That comes after
      I've made sure I still have a working system.)
    - Test requisite functionality to make sure nothing I've done has
      broken the box for the purpose it's going to serve.
    - Repeat as much as necessary.
    - When I'm satisfied, record the system config.  In your case,
      you might want to even consider burning a CD with the very tiniest
      config you can come up with so that your customers can install
      that, then your product, and move on.  (I'm not sure what the
      licensing ramifications of that wrt Sun would be, though.)

---

   I *think* that someone did some work on that sort of
   thing here [at Sun]; it's not an uncommon query, but I
   don't know who.  You may get some mileage from speaking
   to a salesman in case they know some more about it.

---

   http://www.cert.org/security-improvement/implementations/i027.02.html

   To "really" be paranoid, also install host-based firewall
   software on the server as well, so that **ALL** access is
   100% controlled.  Makes TCP-Wrappers look like a plaything.
   :-)  (SunScreen Lite is free from Sun and should do the
   trick.  Be warned that IPF (freeware host-based firewall)
   has given us a tiny bit of grief here in the past while --
   mystery system hangs were finally diagnosed to IPF after a
   month of hell) - so alas I am not sure I can recommend IPF
   for Solaris at this time.)

   If it is to be a public web server, you could then set up a
   port mapping to grant fully public access against HTTP port
   80, and have *everything* else locked down (i.e., other than
   HTTP, have only SSH into the box open from a certain
   privileged client box, for instance).

---

   I believe there's a Sun blueprint
   (http://www.sun.com/blueprints/) on that topic.

   As a first cut, you could install only the SUNWCreq
   cluster, then add packages only as needed.

   Sun's approach seems to be to install SUNWCuser, then run
   JASS and remove any unneeded stuff. (I'm talking about the
   security-conscious side of Sun; the rest will install
   SUNWCxall as a matter of policy.)

---

   Do the normal disabling of services that you won't run
   (like Portmap), and go the extra mile by chmodding the
   binaries (of things like portmap) to '000'.

---

   Solaris Security by Peter
   Gregory and Hack Proofing Sun Solaris 8 by Wyman Miles, Ed
   Mitchell, William Lynch and Randy Cook.
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
Received on Tue Jan 8 12:32:12 2002