Securing the Sun Fire 12K/15K Domains
This Sun BluePrints TM OnLine article documents security modifications that you can implement on Sun Fire TM 12K and 15K domains without adversely affecting its behavior. The configuration changes described in this article enable Solaris TM Operating Environment (OE) security features and disable other potentially insecure services and daemons. This article was updated for System Management Services (SMS) 1.4 software.
This article is one in a series that provides recommendations for enhancing the security of a Sun Fire system. Before securing the domains, we recommend that you use the Sun BluePrints OnLine article "Securing the Sun Fire 12K and 15K System Controllers" to secure Sun Fire 12K and 15K System Controllers.
This article contains the following topics:
"Goal" on page 2
"Background Information" on page 3
"Securing Sun Fire Domains" on page 12
"Verifying Domain Hardening" on page 24
"About the Authors" on page 28
"Related Resources" on page 29
The Sun Fire 12K and 15K servers are the largest Sun servers currently sold and are used for projects and deployments ranging from server-consolidation projects in financial institutions to extremely sensitive data-storage applications at government agencies. Such deployments require that systems be secured against unauthorized access and misuse by malicious individuals.
Sun Fire domains introduce a variable to Solaris OE systems through platform-specific software components (for example, daemons) and services. These platform-specific software components impact the processes and procedures that must be used to secure the Solaris OE configuration running on Sun Fire domains. To properly secure Sun Fire domains, you must understand the impact of these new software components and have access to a well-documented and well-supported configuration to identify which modifications are appropriate and which would not be appropriate.
The goal of this Sun BluePrints OnLine article is to provide a sample baseline security configuration for Sun Fire domains by describing and implementing all supported Solaris OE security modifications. After reading about the Sun tested and supported configuration in this article, you'll understand how the configuration of a secured Sun Fire domain differs from the secured configurations of other Sun systems.
If your system requires any of the services that we recommend disabling, then the sample configuration in this article may not be appropriate. Other configurations that do not implement all of the security modifications in this article are acceptable. However, we recommend that you carefully evaluate services and daemons not disabled to verify that they are required and that they are carefully protected against misuse.
To automate the installation of security software and implementation of security modifications, we provide a customized driver in the Solaris TM Security Toolkit.