Solaris Minimalization and Security:
Packages, Clusters, Software Groups

SUNWreq install

The following is a summary of the packages installed during my Netra T1 North American SUNWreq installation, and whether or not some of the "experts" believe each could be removed as part of a minimalization process to harden the system and improve system security. If there is a 64-bit version of a core package, then I've also included it here even though they are at present not part of the SUNWreq metacluster I installed. (I performed the install before the latest Solaris 8 distribution, which installs 64-bit packages.) For my own sanity, I divided it up into packages that are part of the SUNWreq metacluster, Localization packages, and OEM packages and clusters.

As you might expect, there is no consensus as to which packages should be removed as part of the Solaris lockdown process. If a cell is empty, it is because the author did not explicitly mention whether to keep or remove the package. Remember, the authors did not all use the same hardware platform and OS version. Each system is different, so your individual results may vary, especially with regard to the OEM packages. (For example, Lance Spitzner's list included a bunch of fibre-channel packages which were not part of my install, such as SUNWfcip, SUNWfctl, etc.)

Note: Lance Spitzner has just released another excellent paper, "How to armor Solaris 2.8 for FW-1 NG", which is the latest update of his "Hardening solaris for FW-1" series. In this paper, he recommends using JASS's package list. I've included Lance's original paper as well as the JASS package list below.

These packages are in the actual SUNWreq metacluster:


| Package | Desc | Spitzner | sec focus | lockit down | solar minim | JASS Toolkit | Comments |
|---|---|---|---|---|---|---|---|
| SUNWadmr | System & Network Administration Root | rem | keep | keep | rem | rem | Any known exploits? |
| SUNWatfsr | AutoFS, (Root) | rem | rem | | rem | rem | Mount cds manually |
| SUNWatfsu | AutoFS, (Usr) | rem | rem | | rem | rem | |
| SUNWauda | Audio Applications | rem | rem | | rem | rem | No audio on servers |
| SUNWaudd | Audio Drivers | rem | rem | | rem | rem | |
| ?SUNWaudxx | Audio Drivers 64 bit | | | | | rem | |
| SUNWcar | Core Architecture, (Root) | keep | keep | keep | keep | ?? | |
| SUNWcar | Core Architecture, (Root) | keep | keep | keep | keep | keep/install | |
| SUNWcg6 | GX (cg6) Device Driver | keep | keep | | rem | rem | Any known exploits? |
| SUNWcg6x | GX (cg6) Device Driver (64-bit) | | | | | rem if installed | Any known exploits? |
| SUNWcsd | Core Solaris Devices | keep | keep | keep | keep | keep | |
| SUNWcsl | Core Solaris, (Shared Libs) | keep | keep | keep | keep | keep | |
| SUNWcslx | Core Solaris, (Shared Libs 64-bit) | keep | keep | keep | keep | keep | |
| SUNWcsr | Core Solaris, (Root) | keep | keep | keep | keep | keep | Lots of rc files which need to be disabled |
| SUNWcsu | Core Solaris, (Usr) | keep | keep | keep | keep | keep | |
| SUNWcsux | Core Solaris, (Usr)(64 bit) | keep | keep | keep | keep | keep | |
| SUNWdfb | Dumb Frame Buffer Device Drivers | keep | keep | keep | rem | rem | |
| SUNWdtcor | Solaris Desktop /usr/dt filesystem anchor | keep | rem | | rem | rem | No dt on servers |
| SUNWesu | Extended System Utilities | keep | keep | keep | keep | keep | |
| SUNWftpr | FTP Server, (Root) | rem | keep | | rem | rem | if removed: consider ssh or instead. if keep: install tcp wrappers & wuftp |
| SUNWftpu | FTP Server, (Usr) | rem | keep | | rem | rem | |
| SUNWhmd | SunSwift SBus Adapter Drivers | keep | keep | keep | keep | keep | |
| SUNWhmdx | SunSwift SBus Adapter Drivers (64 bit) | keep | keep | keep | keep | keep | |
| SUNWkey | Keyboard configuration tables | keep | keep | keep | rem | rem | |
| SUNWkvm | Core Architecture, (Kvm) | keep | keep | keep | keep | keep | |
| SUNWkvmx | Core Architecture, (Kvm) (64 bit) | keep | keep | keep | keep | keep | |
| SUNWlibms | Sun WorkShop Bundled shared libm | keep | keep | keep | keep | keep | |
| SUNWlmsx | Sun WorkShop Bundled 64-bit shared libm | keep | keep | keep | keep | keep | |
| SUNWloc | System Localization | keep | keep | keep | keep | keep | |
| SUNWlocx | System Localization (64-bit) | keep | keep | keep | keep | keep | |
| SUNWluxop | Sun Enterprise Network Array firmware and utilities | keep | rem | | rem | rem | hardware dependent? |
| SUNWluxop | Sun Enterprise Network Array firmware and utilities (64-bit) | keep | rem | | rem | rem | hardware dependent? |
| SUNWnisr | Network Information System, (Root) | rem | rem | | rem | rem | no NIS |
| SUNWnisu | Network Information System, (Usr) | rem | rem | | rem | rem | no NIS |
| SUNWpcelx | 3COM EtherLink III PCMCIA Ethernet Driver | rem | rem | | rem | rem | No pcmcia. Why does this end with an "x"? |
| SUNWpcmci | PCMCIA Card Services, (Root) | rem | rem | | rem | rem | No pcmcia |
| SUNWpcmcu | PCMCIA Card Services, (Usr) | rem | rem | | rem | rem | No pcmcia |
| SUNWpcmem | PCMCIA memory card driver | rem | rem | | rem | rem | No pcmcia |
| SUNWpcser | PCMCIA serial card driver | rem | rem | | rem | rem | No pcmcia |
| SUNWpd | PCI Drivers | keep | | keep | keep | keep | hardware dependent? |
| SUNWpdx | PCI Drivers (64 bit) | keep | | keep | keep | keep | hardware dependent? |
| SUNWpl5u | Perl 5.005_03 | rem | keep | | rem | rem | May want to keep for scripting |
| SUNWpsdpr | PCMCIA ATA card driver | rem | rem | | rem | rem | No pcmcia (why didn't Sun call it SUNWpcmata?) |
| SUNWqfed | Sun Quad FastEthernet Adapter Driver | keep | rem | | rem | keep | remove if no quad ethernet card |
| SUNWqfed | Sun Quad FastEthernet Adapter Driver (64-bit) | keep | rem | | rem | keep | remove if no quad ethernet card |
| SUNWrmodu | Realmode Modules, (Usr) | keep | keep | | rem | rem | |
| SUNWses | SCSI Enclosure Services Device Driver | keep | | | rem | rem | hardware dependent? |
| SUNWsesx | SCSI Enclosure Services Device Driver (64-bit) | keep | | | rem | rem | hardware dependent? |
| SUNWsndmr | Sendmail root | rem | rem | | rem | rem | |
| SUNWsndmu | Sendmail user | rem | rem | | rem | rem | |
| SUNWsolnm | Solaris Naming Enabler | rem | keep | keep | rem | rem | Any known exploits? |
| SUNWswmt | Install and Patch Utilities | keep | keep | keep | keep | keep | |
| SUNWudf | Universal Disk Format 1.50, (Usr) | keep | keep | | rem | rem | |
| SUNWudfr | Universal Disk Format 1.50 | keep | keep | | rem | rem | |
| SUNWudfrx | Universal Disk Format 1.50 (64-bit) | keep | keep | | rem | rem | |
| SUNWusb | USB Device Drivers | keep | | | rem | rem | |
| SUNWusbx | USB Device Drivers (64-bit) | keep | | | rem | rem | |
| SUNWxwdv | X Windows System Window Drivers | rem | rem | | rem | rem | Not running xwindows server |
| SUNWxwdvx | X Windows System Window Drivers (64-bit) | rem | rem | | rem | rem | Not running xwindows server |
| SUNWxwmod | OpenWindows kernel modules | rem | rem | | rem | rem | |
| SUNWxwmodx | OpenWindows kernel modules (64-bit) | rem | rem | | rem | rem | |

 

Locale Packages
(According to the .clustertoc file, the following packages do not belong to any metacluster, but they seem to get installed as part of locale support. I performed a typical US/North American English install.)


| Package | Desc | Spitzner | sec focus | lockit down | solar minim | JASS | Comments |
|---|---|---|---|---|---|---|---|
| SUNWnamos | North American OS Support | | keep | | keep | keep | |
| SUNWnamow | North American OW Support | | rem | | rem | rem | |
| SUNWtleu | Thai Locale Environment User Files | | rem | | | | Why is this installed? |
| SUNWi15cs | X11 ISO8859-15 Codeset Support | | rem | | | rem | |
| SUNWi1cs | X11 ISO8859-1 Codeset Support | | rem | | | rem | |

 

Platform-specific (OEM)
The following packages were also installed as part of my "Core" install of a Netra T1, and are listed as part of the "SUNWCXall" metacluster:


| Package | Desc | Spitzner | sec focus | lockit down | solar minim | JASS | Comments |
|---|---|---|---|---|---|---|---|
| SMEvplr | SME platform links | | | | keep | | |
| SMEvplu | SME usr/platform links | | | | keep | | |
| SUNWensqr | Ensoniq ES1370/1371/1373 Audio Device Driver (32-bit), (Root) | | | | keep | | |
| SUNWglmr | Symbios 875/876 SCSI device driver, (Root) | | | | keep | | |
| SUNWidecr | IDE device drivers | | | | keep | | |
| SUNWider | IDE Device Driver, (Root) | | | | keep | | |
| SUNWi2cr | Device drivers for I2C devices, (Root, 32-bit) | | | | keep | | ??? |
| SUNWigsr | IGS CyberPro2010 Device Driver (ROOT) | | | | | | ? |
| SUNWigsu | IGS CyberPro2010 DDX (OW) Driver and Utilities | | | | | | ?? |
| SUNWkmp2r | PS/2 Keyboard and Mouse Device Drivers, (Root, 32-bit) | | | | | | |
| SUNWsior | SuperIO 307 (plug-n-play) device drivers, (Root) | | | | | | ?? |
| SUNWxwkey | X Windows software, PC keytables | | | | | | ?? |




Application-Specific Package Dependencies

There will be additional application-dependent packages you will need to install. For example, SUNWlibC, SUNWter, and SUNWscpu are required for FW-1 (Source: Spitzner). IP Filter will require SUNWhea, SUNWsrh, SUNWbtool, SUNWscpu, SUNWtoo, SUNWlibm, SUNWsprot, and SUNWarc (Source: Unix Circle).

Removing Packages

Use pkgrm to remove any package that is not being used. For example, if there is no PCMCIA in your system, just remove the individual packages which belong to the SUNWCpcmc cluster. Example:


    # pkgrm SUNWpcelx SUNWpcmci SUNWpcmcu SUNWpcmem SUNWpcser SUNWpsdpr

(Is there a way to remove packages by their cluster name via the command line, i.e. pkgrm SUNWCpcmc? If there is, please let me know ...) Lance Spitzner has a script which removes the unneeded packages for preparing Solaris 8 64-bit for CheckPoint FireWall-1 NG (modify for your environment).
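
One way to get the effect asked about above, as an added example (not from the original page or from Sun's tooling): expand the cluster name into its packages by reading the .clustertoc file, then review the resulting pkgrm line before running it. The file path, the CLUSTERTOC and AWK variables, the function names and the SAMPLEmeta entry are assumptions made for this example.

```sh
#!/bin/sh
# Assumed path of the cluster table of contents on an installed system;
# override CLUSTERTOC to point at a copy. On Solaris set AWK=nawk, because
# /usr/bin/awk there is the old awk without user-defined functions.
CLUSTERTOC=${CLUSTERTOC:-/var/sadm/system/admin/.clustertoc}
AWK=${AWK:-awk}

# Constructed sample in .clustertoc layout. The SUNWCpcmc members are the six
# packages from the pkgrm line above; SAMPLEmeta is a made-up metacluster.
sample_toc() {
    cat <<'EOF'
CLUSTER=SUNWCpcmc
NAME=PCMCIA support (constructed entry)
SUNW_CSRMEMBER=SUNWpcelx
SUNW_CSRMEMBER=SUNWpcmci
SUNW_CSRMEMBER=SUNWpcmcu
SUNW_CSRMEMBER=SUNWpcmem
SUNW_CSRMEMBER=SUNWpcser
SUNW_CSRMEMBER=SUNWpsdpr
END
METACLUSTER=SAMPLEmeta
SUNW_CSRMEMBER=SUNWCpcmc
SUNW_CSRMEMBER=SUNWnisr
END
EOF
}

# cluster_members NAME: print member packages, one per line. Members that are
# themselves clusters are expanded; exit status 1 if NAME is not in the file.
cluster_members() {
    "$AWK" -v want="$1" '
        function expand(name,    n, list, i) {
            if (seen[name]++) return                        # loop/dup guard
            if (!(name in members)) { print name; return }  # leaf = package
            n = split(members[name], list, " ")
            for (i = 1; i <= n; i++) expand(list[i])
        }
        /^(META)?CLUSTER=/ { sub(/^[^=]*=/, ""); cur = $0; members[cur] = ""; next }
        /^SUNW_CSRMEMBER=/ { sub(/^[^=]*=/, ""); members[cur] = members[cur] " " $0; next }
        /^END/             { cur = "" }
        END { if (!(want in members)) exit 1; expand(want) }
    ' "$CLUSTERTOC"
}

# pkgrm_cluster_cmd NAME: print the pkgrm command for review; nothing is removed.
pkgrm_cluster_cmd() {
    pkgs=`cluster_members "$1"` || { echo "unknown cluster: $1" >&2; return 1; }
    echo pkgrm $pkgs
}
```

Backticks are used instead of $( ) so the functions also load in an older Bourne shell. Check the printed list against pkginfo output and package dependencies before running it.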

Startup Files

Many of the packages you left on the system install services which you may not need. For example, SUNWcsr installs scripts which start services such as cachefs and NFS at boot. If you do not need these services, you should disable these startup files. (For more information, visit: Securityfocus, Roble, Univ of Waterloo (which has a good discussion of services, also a script to shut them off), Sage, Sabernet, or study one of the hardening programs, such as Titan.)
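
A way to carry out the step above, as an added example (not from the original page): rename the start scripts of services you do not need so that they are skipped at boot but stay on disk for easy restoration. It assumes the rc scripts only run files whose names begin with S or K; RC_ROOT, DRYRUN, the _ prefix and the function name are choices made for this example.

```sh
#!/bin/sh
# RC_ROOT is a hypothetical override so the function can be tried on a copy
# of the rc directories before it is pointed at /etc.
RC_ROOT=${RC_ROOT:-/etc}

# disable_rc SERVICE...
# In every rc?.d directory, rename S<nn><SERVICE>* to _S<nn><SERVICE>*.
# Assumption: only files named S* or K* are executed, so the renamed file is
# ignored at boot and can be re-enabled by renaming it back.
# DRYRUN=1 prints what would change without touching anything.
# Returns 1 if no start script matched any of the given services.
# Example: DRYRUN=1; disable_rc cachefs nfs
disable_rc() {
    found=0
    for svc in "$@"; do
        for f in "$RC_ROOT"/rc?.d/S[0-9][0-9]"$svc"*; do
            [ -f "$f" ] || continue          # an unmatched glob stays literal
            found=1
            dir=`dirname "$f"`
            base=`basename "$f"`
            if [ "${DRYRUN:-0}" = 1 ]; then
                echo "would disable $f"
            else
                mv "$f" "$dir/_$base" && echo "disabled $f"
            fi
        done
    done
    [ "$found" = 1 ]
}
```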

References

Spitzner: http://www.enteract.com/~lspitz/core8.txt, http://www.enteract.com/~lspitz/minimize-firewall.fin.txt

Security Focus: http://www.securityfocus.com/focus/sun/articles/install.html

Lockit Down: http://lockitdown.com/solaris/solaris.html

Solaris Minimization: http://www.sun.com/software/solutions/blueprints/1100/minimize-updt1.pdf

Roble: http://www.roble.com/docs/secure_solaris.html

Sage: http://www.usenix.org/sage/sysadmins/solaris/solaris/os.html#minimal

Unix Circle: http://www.unixcircle.com/features/BuildingSolarisFW.php
(C)Copyright 2002 David Glosser
mgmg_interactive12345@hotmail.com (remove all numbers from email address).