Solaris Security: An introduction to Packages, Clusters, Software Groups

When you purchase a car, you usually are presented with the base package. You can either choose additional options, or purchase a set of options grouped together in a single package. The base package can be considered as the minimum needed to legally and actually drive the car. Other options, such as air conditioning, anti-lock brakes, automatic transmission, etc. are optional packages and are purchased in addition to the base package. A higher-end model of the same car is usually a group of options (packages) lumped together. For example, a "Luxury Edition" usually consists of the base package, and a series of pre-configured options such as a larger engine, leather seats, climate control, and a fancy speaker system.

You can think of Solaris in the same way. The Solaris Operating System consists of packages. When you install Solaris interactively, instead of having to pick and choose between hundreds of packages (options), Sun has simplified things by letting you choose between five pre-configured "distributions" (car models):


Entire Distribution plus OEM support ....... 1288.00 MB
Entire Distribution ........................ 1263.00 MB
Developer System Support ................... 1215.00 MB
End User System Support .................... 923.00 MB
Core System Support ........................ 344.00 MB

These distributions are cumulative: when you install the End User Distribution, all of the packages in the Core Distribution are installed, along with others. Similarly, the Developer distribution contains all of the packages of the end-user software distribution, plus those of interest to software developers.

Core System Support
This Solaris software group is the most secure; it only contains the minimum software required to boot and run the Solaris operating environment on a system. It includes some networking software and the drivers required to run a GUI (graphical user interface, such as the Common Desktop Environment (CDE) or OpenWindows desktop). It does not include the GUI.

End User System Support
A Solaris software group that contains the Core software group plus the recommended software for an end user, including OpenWindows or the Common Desktop Environment (CDE) and DeskSet software.

Entire Distribution
A Solaris software group that contains the entire Solaris 8 release. This contains all packages that may be relevant to your system, many of which you will probably never use.

Entire Distribution Plus OEM Support
A Solaris software group that contains the entire Solaris 8 release, plus additional hardware support for OEMs. The additional stuff installed may not be relevant to your hardware configuration.

 

Solaris Packages: Detail

A "package" is a functional grouping of files and directories that form a software application. Packages from Sun seem to start with "SUNW". For example, the SUNWesu package contains programs such as lastcomm, banner, etc.

A "cluster" is a logical grouping of software packages. Clusters start with "SUNWC". The cluster called "SUNWCdtusr" is really a group of packages (SUNWdtezt, SUNWdthe, SUNWdthev, SUNWdthez, SUNWdticn, SUNWdtim, etc.) containing CDE End User Software. All of Sun's clusters seem to start with the letters SUNWC.

A "Software Group" is a logical grouping of the Solaris software (clusters and packages), put together in order to simplify the Solaris installation. During a Solaris installation, you can install one of the distributions (software groups) mentioned earlier: Core, End User System Support, Developer System Support, or Entire Distribution, and (for SPARC systems only) Entire Distribution Plus OEM Support. When you install an entire Software Group, you don't have to worry about package dependencies, where one package depends on another and both need to be installed at the same time.

You may end up purchasing a "Luxury Edition" of a car because you really wanted the high-end stereo. However, you also ended up with the leather seats, climate control, and a bunch of other options that you really didn't want. The same is true when you install a Software Group: you will probably be installing packages you don't need, which may also contain known exploits.

The names "Software Group", "OS Packages", "Metacluster", "Distribution", "Installation Cluster", "Configuration Clusters", and even "Cluster" (and probably others) seem to be used interchangeably, even by Sun. For example, other names for the Core Distribution are: Core Metacluster, Core Software Group, Core Installation, Core OS Package, Core System Support Group, Core Package, etc. (Perhaps the other names are from older Solaris versions.) We are going to attempt to use the name Software Group or metacluster as much as possible, but I'm sure there will be slip-ups....

The Core Distribution is actually the metacluster called SUNWCreq; the End User Distribution is actually the metacluster called SUNWCuser; the Developer Distribution is actually the metacluster called SUNWCprog; the Entire Distribution is actually the metacluster called SUNWCall; and the SUNWCXall metacluster is another name for Entire Distribution plus OEM Extensions.

As mentioned earlier, these metaclusters are cumulative: when you install the SUNWCuser metacluster, all of the packages in SUNWCreq are installed, along with others. Similarly, the SUNWCprog metacluster contains all of the packages in SUNWCuser, plus others, and so on.

When you perform an interactive installation of Solaris and choose a distribution, you are actually installing one of the metaclusters. You can check the /var/sadm/system/admin/CLUSTER file to see which clusters and packages are actually installed on a system.

I think the truth is a little more complicated. I believe that when you perform a Solaris install of a metacluster, three things actually happen:

  1. The actual metacluster is installed.

  2. Localization packages are installed: SUNWnamos, SUNWnamow, and SUNWnamox were installed on my Netra during a Core install (SUNWCreq) but they don't seem to belong to any particular metacluster.

  3. OEM packages and clusters specific for your hardware configuration are installed: SUNWglmr, SUNWidecr, SUNWider, and others were installed on my Netra, but are actually part of the SUNWCXall metacluster.

I guess that Solaris is smart enough to automagically choose and install the correct locale and OEM packages as part of any metacluster install.

Solaris Software Groups--revisited as metaclusters:


SUNWCreq metacluster (Core System Support):
This Solaris metacluster contains the minimum software and drivers required to boot and run a base Solaris operating environment. According to the /var/sadm/system/admin/.clustertoc file, SUNWCreq is "A pre-defined software configuration consisting of the minimum required software for a standalone, non-networked workstation", which is a bit confusing, as the machine will run on a TCP/IP network.

For the security-minded, there are packages that can be removed from even a Core installation. SUNWCreq doesn't install CDE or OpenWindows, but it installs software and drivers required for CDE or OpenWindows (SUNWxwdv, SUNWxwmod, SUNWdtcor). Since it contains the fewest packages, it is the most secure and will require the least hardening.

Until the Solaris 8 04/01 distribution, 64-bit support was not included in the Core installation, even if you chose that option at installation time! That distribution automatically includes 64-bit support with the Core installation. If you have an older distribution, you will have to manually add the 64-bit package equivalent for each 32-bit package installed (more on this later).

SUNWCuser metacluster (End User System Support):
This metacluster builds on the Core software group by also installing end-user software, such as the OpenWindows and CDE window managers, compatibility for SunOS 4.x, and other end-user goodies. It is described by Sun as "A pre-defined software configuration consisting of the typical software required by end-users running the OpenWindows DeskTop and using applications developed for Solaris 1.0 (previously known as SunOS 4.X)." It can be installed with and without 64-bit support.

SUNWCprog metacluster (Developer System Support):
This metacluster contains "A pre-defined software configuration consisting of the typical software used by software developers". This metacluster consists of all of the packages in the Core and End User System Support metaclusters, plus the libraries, include files, and tools needed to develop Solaris software.

SUNWCall metacluster (Entire Distribution):
This metacluster contains the entire Solaris 8 release. The official description: "A pre-defined software configuration consisting of all software included in the Solaris 2.0 operating system release.the entire Solaris 2.5 environment." This metacluster consists of all of the packages in the Developer System Support metacluster, plus other programs such as Apache, aset, and System Accounting. This contains all packages that may be relevant to your hardware, many of which you will probably never use...

SUNWCXall metacluster (Entire Distribution plus OEM support):
A software group that contains the entire Solaris 8 release, plus additional hardware support for OEMs. SUNWCXall consists of SUNWCall and all Solaris OEM software. For some reason, on Sun's site, SUNWCXall is described as follows: "This software group is recommended when installing Solaris software on SPARC based servers." I don't understand this at all. I'm under the impression that this should only be installed for Solaris boot and jumpstart servers.

Just when I thought I understood perfectly, I discovered that clusters can span metaclusters: for example, the SUNWCadm cluster contains the SUNWadmr (System & Network Administration Root) package, which is part of the SUNWCreq metacluster, but also contains the SUNWadmap, SUNWadmc, SUNWadmfw packages (which are system and network administration utilities & libraries), which are part of the SUNWCuser metacluster. I don't know what happens if you install a cluster that spans metaclusters.

The files in /var/sadm/system/admin will tell you more than you ever need to know about Solaris packages and clusters.
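
To compare what is really on a box with what a metacluster defines (the extra locale and OEM packages and the cluster that spans metaclusters, both described above), the following added example, which is not part of the original article, parses clustertoc-style stanzas and diffs them against `pkginfo`-style output. The stanza keywords follow the clustertoc(4) layout, keys other than the ones shown are ignored, and the function names and both sample strings are constructed for illustration.

```python
# Added example; both SAMPLE_* strings are constructed and heavily abbreviated.
SAMPLE_TOC = """\
CLUSTER=SUNWCadm
SUNW_CSRMEMBER=SUNWadmr
SUNW_CSRMEMBER=SUNWadmap
END
METACLUSTER=SUNWCreq
SUNW_CSRMEMBER=SUNWadmr
SUNW_CSRMEMBER=SUNWxwdv
END
METACLUSTER=SUNWCuser
SUNW_CSRMEMBER=SUNWxwdv
SUNW_CSRMEMBER=SUNWCadm
END
"""
SAMPLE_PKGINFO = """\
system SUNWadmr  (constructed row)
system SUNWnamos (constructed row)
system SUNWglmr  (constructed row)
"""

def parse_clustertoc(text):
    """Map each CLUSTER/METACLUSTER stanza name to its SUNW_CSRMEMBER list."""
    toc, current = {}, None
    for line in text.splitlines():
        key, _, value = line.strip().partition("=")
        if key in ("CLUSTER", "METACLUSTER"):
            current = toc.setdefault(value, [])
        elif key == "SUNW_CSRMEMBER" and current is not None:
            current.append(value)
        elif key == "END":
            current = None
    return toc

def expand(toc, name, seen=None):
    """Flatten a cluster or metacluster into its set of leaf packages."""
    seen = set() if seen is None else seen
    if name not in toc:
        return {name}            # no stanza of that name: a plain package
    if name in seen:
        return set()             # stanza already expanded (or a cycle)
    seen.add(name)
    return set().union(*(expand(toc, m, seen) for m in toc[name]))

def audit(toc_text, pkginfo_text, metacluster):
    """Return (installed but not in metacluster, in metacluster but absent)."""
    expected = expand(parse_clustertoc(toc_text), metacluster)
    have = {f[1] for f in map(str.split, pkginfo_text.splitlines()) if len(f) > 1}
    return sorted(have - expected), sorted(expected - have)
```

On a real host, feed it the contents of /var/sadm/system/admin/.clustertoc and the output of `pkginfo`; packages reported as extra are candidates for review, since locale and hardware-specific packages may be there legitimately.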

These web pages list all Solaris 8 packages installed by each metacluster in alphabetical order, or sorted by OS distribution.

There are other Goodies on the Solaris CD, including SunScreen Lite, which you can manually install.

Which Software Group to Load

The first step is to select an installation option (e.g., which Distribution/Software Group/OS Package/metacluster to install). The general rule is to install as few packages as possible while maintaining maximum efficiency. By minimizing the number of OS packages installed on a server, overall system security is improved by reducing the sheer number of potential vulnerabilities. Minimizing the number of packages that reside on the box reduces the number of components that have to be patched and made secure--which means fewer potential security exploits or holes you have to worry about. The fewer packages a system contains, the easier it will be to harden the system.

A secondary benefit of package minimization is the freeing up of CPU cycles and disk space. On a Netra T1, a SUNWCreq core install (32 bit) takes up 344 MB of disk space while a SUNWCXall (Entire Distribution plus OEM support) install takes up 1288.00 MB of disk space. (You will be using that extra disk space for additional logging.)

Because it is so difficult to determine the minimal set of necessary packages, many of us just install the Entire Distribution cluster. While this may be the easiest to do from the short-term perspective of getting a system up and running, it makes it considerably more difficult to secure the system. Of course, you should resist the temptation to install everything and then remove the packages you do not need later. There's always something else to do, and sometimes later is never. And if you do somehow find the time, securing a system after it is already in production is a pain: you'll probably end up breaking things that previously worked.

For example, if this is a headless server (such as a Netra), you don't have to install CDE or graphic packages, which means you probably will be able to install the Core Software Group (SUNWCreq) with a few additions/deletions. (If you are adventurous, you can specify which individual packages to install or not install during the Solaris installation.)

If you don't install CDE or an X Windows server, make sure you have easy access to a console. Purchase a console server that has ssh access, and use a box that has a GUI (such as a Linux box), set your display, and run X Windows remotely... A cheap PC with a cable connected to the COM port (Ethernet cable for most Suns; rollover cable for the Netra series) with Tera Term and VNC/pcAnywhere also works. (Make sure you enhance security on the console box.)


64 bit support

Older versions of the Solaris 8 SUNWCreq Core metacluster install do not install any 64-bit packages (even if you select 64-bit support). Therefore, if your hardware supports it, you should consider adding all 64-bit packages that have 32-bit counterparts. To run the 64-bit version of Solaris, you need to be running an UltraSPARC system (use uname -m to check). The command isainfo -v will display what kernel is running.

Removing Packages

Sun recommends installing patches BEFORE additional minimization and hardening.

Adding Packages

There are additional packages which you should install which are not part of the SUNWCreq metacluster. These packages can enhance the security of your system by increasing logging, auditing, or can increase your functionality. These packages are described here.

(C)Copyright 2002-2005 David Glosser
mgmg_interactive12345@hotmail.com (remove all numbers from email address).