Choosing an Installation Cluster
The Solaris OE installation process requires the selection of one of four installation clusters:
Core: Installs the smallest Solaris OE image. Only packages that may be required for any SPARC™ or Solaris OE Intel Platform Edition system are installed.
End User: Builds on the Core cluster by installing the window managers included with the Solaris OE (OpenWindows™ and CDE).
Developer: Includes additional libraries, header files, and software packages that may be needed on systems used as compile and development servers.
Entire Distribution: Also referred to as the OEM cluster, includes all Solaris OE software on the installation CDs.
Each installation cluster represents a group of packages. The cluster groups simplify the installation of the OS for the mass market. Because each of these installation clusters contains support for a variety of hardware platforms (for example, microSPARC™, UltraSPARC™, UltraSPARC II, and more) and software requirements (for example, NIS, NIS+, DNS, OpenWindows, Common Desktop Environment [CDE], development, computer aided design [CAD], and more), far more packages are installed than are normally used and required on a single Solaris OE.
The size of the clusters varies significantly. The following table shows the increasing packages and size of each cluster:
| Cluster | Solaris 2.6 OE Packages/Size | Solaris 7 OE Packages/Size | Solaris 8 OE Packages/Size | Solaris 9 OE Packages/Size |
| --- | --- | --- | --- | --- |
| Core | 33/38 MB | 39/52 MB | 62/61 MB | 94/116 MB |
| End User | 131/182 MB | 142/242 MB | 313/471 MB | 346/525 MB |
| Entire Distribution | 204/369 MB | 235/493 MB | 390/679 MB | 468/850 MB |
| OEM | 261/461 MB | 387/692 MB | 459/711 MB | 544/985 MB |
NOTE: The package and size information was obtained through installations performed on a Netra t1 and Netra t 1125. Results for other hardware platforms may vary.
Experience shows that, in many cases, a secure web server requires less than 20 Solaris OE packages and uses as little as 36 MBytes of disk space.
Installing unnecessary services, packages, and applications can severely compromise system security. One example of this is the OpenWindows Calendar Manager Server Daemon (rpc.cmsd), which is unnecessary on many data center systems. This daemon is installed and started by default when the End User, Developer, or Entire Distribution cluster is chosen during the installation process.
There have been known bugs filed against and fixed within the rpc.cmsd subsystem of OpenWindows/CDE, and at least two CERT/CC advisories (CA-99-08, CA-96-09) issued. Scanners for rpc.cmsd are included in the most common scanning tools available on the Internet.
The best protection against unknown rpc.cmsd vulnerabilities is to not install the daemon at all, thus preventing it from being accidentally enabled. This problem is well known in the computer industry; there are hundreds of similar examples. Not surprisingly, almost every security reference book addresses the need to perform "minimal OS installations" [Garfinkel]. Unfortunately, this is easier said than done. Other than the occasional firewall, no software applications are shipped with lists of their package requirements, and there is no easy way of determining this information other than through trial and error.
Because it is so difficult to determine the minimal set of necessary packages, system administrators commonly just install the Entire Distribution cluster. While this may be the easiest to do from the short-term perspective of getting a system up and running, it makes it considerably more difficult to secure the system.
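As an added example that is not part of the original article, the following shell script audits a package list (in `pkginfo` output format) against a site allowlist and reports whether rpc.cmsd is still active in inetd.conf, which is the kind of check worth running after any install that was not built from the Core cluster. The package names, inetd.conf lines and allowlist are constructed samples, not a recommended minimal set.

```shell
#!/bin/sh
# Added example (not from the original article): audit a Solaris OE
# package list against a site allowlist and flag rpc.cmsd in inetd.conf.
# Input is constructed inline so the script runs offline; on a real
# system you would feed it `pkginfo` output and /etc/inet/inetd.conf.

# Constructed sample of `pkginfo` output: category, package instance, name.
SAMPLE_PKGINFO='system      SUNWcsr      Core Solaris, (Root)
system      SUNWcsu      Core Solaris, (Usr)
system      SUNWdtbas    CDE application basic runtime environment
system      SUNWxwplt    X Window System platform software'

# Constructed sample of /etc/inet/inetd.conf lines (one entry commented out).
SAMPLE_INETD='ftp  stream  tcp  nowait  root  /usr/sbin/in.ftpd  in.ftpd
100068/2-5  dgram  rpc/udp  wait  root  /usr/dt/bin/rpc.cmsd  rpc.cmsd
#100083/1  tli  rpc/tcp  wait  root  /usr/dt/bin/rpc.ttdbserverd  rpc.ttdbserverd'

# Hypothetical site allowlist of packages permitted on this host.
ALLOWED='SUNWcsr SUNWcsu'

# Print installed packages (2nd field of pkginfo output) not in the allowlist.
# $1 = pkginfo text, $2 = space-separated allowlist. Output: one name per line.
extra_packages() {
    printf '%s\n' "$1" | awk -v allow="$2" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NF >= 2 && !($2 in ok) { print $2 }'
}

# Return 0 if rpc.cmsd appears on an uncommented line of the inetd.conf text $1.
cmsd_enabled() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]*#' | grep -q 'rpc\.cmsd'
}

# Number of packages beyond the allowlist, as a plain number for reporting.
extra_count() {
    extra_packages "$1" "$2" | wc -l | tr -d ' '
}

# Stand-alone run over the constructed samples.
echo "Packages outside the allowlist:"
extra_packages "$SAMPLE_PKGINFO" "$ALLOWED"
if cmsd_enabled "$SAMPLE_INETD"; then
    echo "WARNING: rpc.cmsd is enabled in inetd.conf"
else
    echo "rpc.cmsd is not enabled"
fi
```

On a real host, replace the two sample variables with `pkginfo` and the contents of /etc/inet/inetd.conf; every package the script lists is a candidate for removal with pkgrm once its necessity has been verified.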
The remainder of this article presents a methodology for determining the minimal set of packages required to successfully install and run a particular application: the Sun ONE Web Server in this case.