Home > Articles > Operating Systems, Server > Solaris

This chapter is from the book

This chapter is from the book

Solaris 10 Security EssentialsSolaris 10 Security Essentials

Learn More Buy

This chapter is from the book

This chapter is from the book

Solaris 10 Security EssentialsSolaris 10 Security Essentials

Learn More Buy

3.3 Modifying Solaris Services Defaults

On a Solaris system that is hardened by the limited profile, network services that you might want to run on particular systems are disabled (hardening is discussed in Chapter 2, "Hardening Solaris Systems"). For example, the ftp service is disabled, as is NFS file sharing. Services that require configuration, such as IPfilter and IPsec, are disabled by default.

The following sections provide examples of using SMF to configure a system for a particular purpose. Once you have configured the system, the manifest is in the repository. When the system reboots, that configuration is restored. The examples illustrate the following points.

  • Services that must be configured in configuration files are enabled after the files are configured. If you did not configure the file, or if the file cannot be read, the problem is recorded in the log file.
  • You might want to try different configurations of a service. By using different configuration files, you can create testing environments. The final configuration state is restored at reboot.
  • Some services, such as FTP, are necessary but might require monitoring. You can set up monitoring services before bringing them online, thereby ensuring that the service is in compliance with site security policy for its first use.
  • You might want to limit the attack surface on a network service. The Apache2 Web service can be configured to use RBAC to limit the privileges that the service uses. You can also require a more limited account than root to run the service.

3.3.1 Configuring the NFS Service

To configure a service that requires you to customize a configuration file, you perform the following steps.

  1. List the status of the service.
  2. Modify or create the configuration file.
  3. Enable the service.
  4. Verify that the service is online.
  5. If the system reports an error, read the service log and then fix the error.
  6. Test and use the service.

In the following example, you configure a system to serve help documents. The files must be shared read-only.

# svcs -a | grep nfs
...
disabled        Jan_10 svc:/network/nfs/server:default
# vi /etc/dfs/dfstab
...
share -F nfs -o ro /export/helpdocs
...
# svcadm enable svc:/network/nfs/server
# svcs -x svc:/network/nfs/server:default
State: online since Tue Jan 20 5:15:05 2009
  See: nfsd(1M)
  See: /var/svc/log/network-nfs-server:default.log
Impact: None

If you try to enable a service without its supporting files, view the log file to determine the problem:

# svcs -x svc:/network/nfs/server:default (NFS server)
 State: disabled since Tue Jan 20 5:10:10 2009
Reason: Temporarily disabled by an administrator.
   See: http://sun.com/msg/SMF-8000-1S
   See: nfsd(1M)
   See: /var/svc/log/network-nfs-server:default.log
Impact: This service is not running.
# vi /var/svc/log/network-nfs-server:default.log
...
No NFS filesystems are shared
...

3.3.2 Configuring the IP Filter Service

Like the NFS service, the IP filter service cannot be enabled until you create a configuration file. Your site's security requirements dictate what configuration rules you place in the file. Some services, such as IPsec, require that each communicating system has a configuration file. To enable a service that requires a configuration file involves the following steps.

  1. Create the configuration file. Use the man page for the service name if you do not know the name of the configuration file. Then read the configuration file man page for the syntax.
  2. If syntax verification is available, verify the syntax of the file.
  3. If the service needs to run on both systems, such as the IPsec service, configure the second system.
  4. Enable the service on one or both systems.
  5. Enable the service.
  6. Verify that the service is running.

In the following examples, you protect a system that includes non-global zones. The IP filter rules protect the global zone and the Web server zone. You first create and add rules to the /etc/ipf/ipf.conf configuration file.

# vi /etc/ipf/ipf.conf
set intercept_loopback true;
# *** GLOBAL ZONE: (IN: TCP/22, OUT: ANYTHING)
pass in quick proto tcp from any to global-zone port = 22
keep state keep frags
pass out quick from global-zone to any keep state keep frags
# *** Web Server ZONE: (IN: TCP/80, OUT: NOTHING)
pass in quick proto tcp from any to websvc port = 80
keep state keep frags
block out quick from websvc to any

# *** DEFAULT DENY
block in log all
block in from any to 255.255.255.255
block in from any to 127.0.0.1/32

Then you verify the syntax of the configuration file before enabling the service.

# ipf /etc/ipf/ipf.conf
# svcs -a | grep ipf
disabled       Dec_10   svc:/network/ipfilter:default
# svcadm enable svc:/network/ipfilter:default
# svcs ipfilter
enabled       Jan_10   svc:/network/ipfilter:default

To test a different configuration, you create another configuration file, verify the syntax of the file, and change the config/entities property to point to the new file. This test file adds rules for the Web data zone.

# vi /etc/ipf/testipf.conf
set intercept_loopback true;
# *** GLOBAL ZONE: (IN: TCP/22, OUT: ANYTHING)
pass in quick proto tcp from any to global-zone port = 22
keep state keep frags
pass out quick from global-zone to any keep state keep frags

# *** Web Server ZONE: (IN: TCP/80, OUT: NOTHING)
pass in quick proto tcp from any to websvc port = 80
keep state keep frags
block out quick from websvc to any
# *** Web Data ZONE: (IN: TCP/22, OUT: ANYTHING)
pass in quick proto tcp from any to webdat port = 22
keep state keep frags
pass out quick from webdat to any keep state keep frags
# *** DEFAULT DENY
block in log all
block in from any to 255.255.255.255
block in from any to 127.0.0.1/32
# ipf /etc/ipf/testipf.conf
# svcprop ipfilter | grep config
config/entities fmri file://localhost/etc/ipf/ipf.conf
config/grouping astring require_all
config/restart_on astring restart
config/type astring path
# svccfg -s /network/ipfilter \
setprop config/entities=file://localhost/etc/ipf/testipf.conf

After you refresh and restart the service, you then verify that the property has been set.

# svcadm refresh ipfilter
# svcadm restart ipfilter
# svcprop ipfilter | grep etc
config/entities fmri file://localhost/etc/ipf/testipf.conf

After testing is complete, you can restore the original file.

# svccfg -s /network/ipfilter \
setprop config/entities=file://localhost/etc/ipf/ipf.conf
# svcadm refresh ipfilter
# svcadm restart ipfilter
# svcprop ipfilter | grep etc
config/entities fmri file://localhost/etc/ipf/ipf.conf

3.3.3 Configuring the ftp Service

The ftp service is controlled by the inetd command. Often, site security policy requires that an FTP server log detailed records of all FTP connections. In the following two examples, you configure properties of the ftp service that log transactions and turn on debugging.

To configure a service that requires you to change service properties, you perform the following steps.

  1. List the status of the service.
  2. List the properties of the service.
  3. Change one or more properties of the service.
  4. Verify that the service property is changed.
  5. Enable the service.
  6. Verify that the property change is effective.

In the first part of this example, you configure FTP to log every login on System A, the FTP server. Note that the ftp service is initially disabled on System A.

A # svcs ftp
STATE          STIME    FMRI
disabled       Jan_10   svc:/network/ftp:default
A # inetadm -l svc:/network/ftp:default
SCOPE    NAME=VALUE
         name="ftp"
         endpoint_type="stream"
         proto="tcp6"
         isrpc=FALSE
         wait=FALSE
         exec="/usr/sbin/in.ftpd -a"
         user="root"
...
default  tcp_trace=FALSE
default  tcp_wrappers=FALSE
default  connection_backlog=10

The login log property for the ftp service is tcp_trace. You change the value from FALSE to TRUE, then enable the service and verify that the service is online.

A # inetadm -m svc:/network/ftp:default tcp_trace=TRUE
A # inetadm -l svc:/network/ftp:default
SCOPE    NAME=VALUE
         name="ftp"
...
         tcp_trace=TRUE
...
A # svcadm enable svc:/network/ftp:default
A # svcs ftp
STATE          STIME    FMRI
online         07:07:07 svc:/network/ftp:default

Then, as a regular user, run the ftp command from machine B.

B $ ftp A
Connected to A.
220 A FTP server ready.
Name (A:testftp):
331 Password required for testftp.
Password:
230 User testftp logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>

As superuser, examine the login record in the log file on machine A.

A # tail -1 /var/adm/messages
Jan 10 07:20:20 A inetd[16208]: [ID 317013 daemon.notice] ftp[6036] from B 49822

To continue with this example, disable the service. You want to establish monitoring before the service is online.

A # svcadm disable ftp
A # svcs -x ftp
svc:/network/ftp:default (FTP server)
 State: disabled since January 20, 2009  07:20:22 AM PST
Reason: Disabled by an administrator.
   See: http://sun.com/msg/SMF-8000-05
   See: in.ftpd(1M)
   See: ftpd(1M)
Impact: This service is not running.

The exec property for the ftp service contains the command that is executed to start the service. The man page for that command describes the arguments that the command accepts. You can select arguments to add to the exec property so that the command runs with those arguments when the service starts. Therefore, to modify the command that runs a service, you perform the following steps.

  1. List the exec property of the service.
  2. From the man page, determine the arguments to the service's exec command.
  3. Add selected arguments to the exec property of the service.
  4. Verify that the exec property is changed.
  5. Enable the service.
  6. Test and use the service.

In the following example, you modify the ftp service to provide debugging information and a detailed log of each transaction. To modify the exec property of the ftp service, first list the exec property, then read the man page of the exec command to determine which arguments to pass to the command.

# inetadm -l svc:/network/ftp:default | grep exec
         exec="/usr/sbin/in.ftpd -a"
# man in.ftpd

From the in.ftpd(1M) man page, select the options that provide detailed information.

  • -v Write debugging information to syslogd(1M).
  • -w Record each user login and logout in the wtmpx(4) file.
  • -i Log the names of all files received by the FTP Server to xferlog(4).

Modify the exec property for the service and verify that the property is changed.

# inetadm -m ftp exec="/usr/sbin/in.ftpd -a -i -v -w"
# inetadm -l ftp | grep exec
       exec="/usr/sbin/in.ftpd -a -i -v -w"

Test that the property change is effective. First, enable the service. Then, as a regular user, transfer a file. Finally, verify that the log file was updated.

A # svcadm enable svc:/network/ftp:default
A # svcs ftp
STATE          STIME    FMRI
online         07:07:07 svc:/network/ftp:default

As a regular user, try to put a file in the FTP repository.

B $ ftp A
Connected to A.
220 A FTP server ready.
Name (A:testftp):
331 Password required for testftp.
Password:
230 User testftp logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> mput design.tar
mput design.tar? y
200 PORT command successful.
150 Opening BINARY mode data connection for design.tar.
226 Transfer complete.
^D
ftp> 221-You have transferred 0 bytes in 0 files.
221-Total traffic for this session was 361 bytes in 0 transfers.
221-Thank you for using the FTP service on A.
221 Goodbye.
B $

As superuser, examine the record in the xferlog file. The log indicates that the user's attempt to transfer the design.tar file from B to A was unsuccessful.

A # cat /var/log/xferlog
Sat Jan 20 07:18:10 2009 1 B.mydomain.com 0 /home/test/design.tar b _ i r test ftp 0 * c

3.3.4 Configuring the Apache2 Web Service

The Apache2 Web server program is offered as part of the Solaris OS. Web servers are frequently the targets of attackers. You can use RBAC to limit the server's vulnerability to attack. Other Solaris features, such as zones, are also useful when setting up network services.

To configure a service with RBAC, you perform some of the following steps.

  1. List the properties of the service.
  2. Create a rights profile, or a role, or authorizations for the service.
  3. Add privileges to or remove privileges from the service.
  4. Verify that the service properties are changed.
  5. Enable the service.
  6. Verify that the property change is effective.

The Apache2 Web server program is provided in the SUNWapch2r and SUNWapch2u packages. By default, the Apache2 service is disabled.

# svcs apache2
disabled 11:11:10 svc:/network/http:apache2

By default, services are started with the root account. However, the http.conf file for the Apache2 service creates a daemon, webservd, to run the service. When you configure the service with the default files, the service starts under the root account, switches to the webservd account, and runs with all privileges.

To reduce the privileges of the Apache2 server and start the service with webservd, do the following.

  • Remove basic privileges that the service does not need, proc_session, proc_info, and file_link_any.
  • Add the network privilege the service needs to use a privileged port, net_privaddr.
  • Do not change the limit set.
  • Set the user and group to webservd. When the user and group are set in the SMF manifest, the service starts as webservd, not as root.
# svccfg -s apache2
... apache2> setprop start/user = astring: webservd
... apache2> setprop start/group = astring: webservd
... apache2> setprop start/privileges = astring:
basic,!proc_session,!proc_info,!file_link_any,net_privaddr
... apache2> end
# svcadm -v refresh apache2
Action refresh set for svc:/network/http:apache2.

To verify that this configuration has been set, examine the service's start properties.

# svcprop -v -p start apache2
start/exec astring /lib/svc/method/http-apache2\ start
...
start/user astring webservd
start/group astring webservd
start/privileges astring
basic,!proc_session,!proc_info,!file_link_any,net_privaddr
start/limit_privileges astring :default
start/use_profile boolean false
...

NOTE

If you had created a rights profile that included the privileges for the service, you could type the name of the rights profile as the value for the use_profile property, rather than setting the privileges.

You can now enable the service. Verify that the service starts under webservd and has a limited set of privileges.

# svcadm -v enable -s apache2
svc:/network/http:apache2 enabled.
# svcs apache2
STATE STIME FMRI
online 12:02:21 svc:/network/http:apache2
# ps -aef | grep apache | grep -v grep
webservd 5568 5559 0 12:02:22 ? 0:00 /usr/apache2/bin/httpd -k start
...
# ppriv -S 5559
5559: /usr/apache2/bin/httpd -k start
flags = <none>
E: net_privaddr,proc_exec,proc_fork
I: net_privaddr,proc_exec,proc_fork
P: net_privaddr,proc_exec,proc_fork
L: limit

For more examples of using RBAC in SMF manifests, see Chapter 5, "Privileges and Role-Based Access Control."

InformIT Promotional Mailings & Special Offers

I would like to receive exclusive offers and hear about products from InformIT and its family of brands. I can unsubscribe at any time.

Overview


Pearson Education, Inc., 221 River Street, Hoboken, New Jersey 07030, (Pearson) presents this site to provide information about products and services that can be purchased through this site.

This privacy notice provides an overview of our commitment to privacy and describes how we collect, protect, use and share personal information collected through this site. Please note that other Pearson websites and online products and services have their own separate privacy policies.

Collection and Use of Information


To conduct business and deliver products and services, Pearson collects and uses personal information in several ways in connection with this site, including:

Questions and Inquiries

For inquiries and questions, we collect the inquiry or question, together with name, contact details (email address, phone number and mailing address) and any other additional information voluntarily submitted to us through a Contact Us form or an email. We use this information to address the inquiry and respond to the question.

Online Store

For orders and purchases placed through our online store on this site, we collect order details, name, institution name and address (if applicable), email address, phone number, shipping and billing addresses, credit/debit card information, shipping options and any instructions. We use this information to complete transactions, fulfill orders, communicate with individuals placing orders or visiting the online store, and for related purposes.

Surveys

Pearson may offer opportunities to provide feedback or participate in surveys, including surveys evaluating Pearson products, services or sites. Participation is voluntary. Pearson collects information requested in the survey questions and uses the information to evaluate, support, maintain and improve products, services or sites, develop new products and services, conduct educational research and for other purposes specified in the survey.

Contests and Drawings

Occasionally, we may sponsor a contest or drawing. Participation is optional. Pearson collects name, contact information and other information specified on the entry form for the contest or drawing to conduct the contest or drawing. Pearson may collect additional personal information from the winners of a contest or drawing in order to award the prize and for tax reporting purposes, as required by law.

Newsletters

If you have elected to receive email newsletters or promotional mailings and special offers but want to unsubscribe, simply email information@informit.com.

Service Announcements

On rare occasions it is necessary to send out a strictly service related announcement. For instance, if our service is temporarily suspended for maintenance we might send users an email. Generally, users may not opt-out of these communications, though they can deactivate their account information. However, these communications are not promotional in nature.

Customer Service

We communicate with users on a regular basis to provide requested services and in regard to issues relating to their account we reply via email or phone in accordance with the users' wishes when a user submits their information through our Contact Us form.

Other Collection and Use of Information


Application and System Logs

Pearson automatically collects log data to help ensure the delivery, availability and security of this site. Log data may include technical information about how a user or visitor connected to this site, such as browser type, type of computer/device, operating system, internet service provider and IP address. We use this information for support purposes and to monitor the health of the site, identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents and appropriately scale computing resources.

Web Analytics

Pearson may use third party web trend analytical services, including Google Analytics, to collect visitor information, such as IP addresses, browser types, referring pages, pages visited and time spent on a particular site. While these analytical services collect and report information on an anonymous basis, they may use cookies to gather web trend information. The information gathered may enable Pearson (but not the third party web trend services) to link information with application and system log data. Pearson uses this information for system administration and to identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents, appropriately scale computing resources and otherwise support and deliver this site and its services.

Cookies and Related Technologies

This site uses cookies and similar technologies to personalize content, measure traffic patterns, control security, track use and access of information on this site, and provide interest-based messages and advertising. Users can manage and block the use of cookies through their browser. Disabling or blocking certain cookies may limit the functionality of this site.

Do Not Track

This site currently does not respond to Do Not Track signals.

Security


Pearson uses appropriate physical, administrative and technical security measures to protect personal information from unauthorized access, use and disclosure.

Children


This site is not directed to children under the age of 13.

Marketing


Pearson may send or direct marketing communications to users, provided that

  • Pearson will not use personal information collected or processed as a K-12 school service provider for the purpose of directed or targeted advertising.
  • Such marketing is consistent with applicable law and Pearson's legal obligations.
  • Pearson will not knowingly direct or send marketing communications to an individual who has expressed a preference not to receive marketing.
  • Where required by applicable law, express or implied consent to marketing exists and has not been withdrawn.

Pearson may provide personal information to a third party service provider on a restricted basis to provide marketing solely on behalf of Pearson or an affiliate or customer for whom Pearson is a service provider. Marketing preferences may be changed at any time.

Correcting/Updating Personal Information


If a user's personally identifiable information changes (such as your postal address or email address), we provide a way to correct or update that user's personal data provided to us. This can be done on the Account page. If a user no longer desires our service and desires to delete his or her account, please contact us at customer-service@informit.com and we will process the deletion of a user's account.

Choice/Opt-out


Users can always make an informed choice as to whether they should proceed with certain services offered by InformIT. If you choose to remove yourself from our mailing list(s) simply visit the following page and uncheck any communication you no longer want to receive: www.informit.com/u.aspx.

Sale of Personal Information


Pearson does not rent or sell personal information in exchange for any payment of money.

While Pearson does not sell personal information, as defined in Nevada law, Nevada residents may email a request for no sale of their personal information to NevadaDesignatedRequest@pearson.com.

Supplemental Privacy Statement for California Residents


California residents should read our Supplemental privacy statement for California residents in conjunction with this Privacy Notice. The Supplemental privacy statement for California residents explains Pearson's commitment to comply with California law and applies to personal information of California residents collected in connection with this site and the Services.

Sharing and Disclosure


Pearson may disclose personal information, as follows:

  • As required by law.
  • With the consent of the individual (or their parent, if the individual is a minor)
  • In response to a subpoena, court order or legal process, to the extent permitted or required by law
  • To protect the security and safety of individuals, data, assets and systems, consistent with applicable law
  • In connection the sale, joint venture or other transfer of some or all of its company or assets, subject to the provisions of this Privacy Notice
  • To investigate or address actual or suspected fraud or other illegal activities
  • To exercise its legal rights, including enforcement of the Terms of Use for this site or another contract
  • To affiliated Pearson companies and other companies and organizations who perform work for Pearson and are obligated to protect the privacy of personal information consistent with this Privacy Notice
  • To a school, organization, company or government agency, where Pearson collects or processes the personal information in a school setting or on behalf of such organization, company or government agency.

Links


This web site contains links to other sites. Please be aware that we are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of each and every web site that collects Personal Information. This privacy statement applies solely to information collected by this web site.

Requests and Contact


Please contact us about this Privacy Notice or if you have any requests or questions relating to the privacy of your personal information.

Changes to this Privacy Notice


We may revise this Privacy Notice through an updated posting. We will identify the effective date of the revision in the posting. Often, updates are made to provide greater clarity or to comply with changes in regulatory requirements. If the updates involve material changes to the collection, protection, use or disclosure of Personal Information, Pearson will provide notice of the change through a conspicuous notice on this site or other appropriate way. Continued use of the site after the effective date of a posted revision evidences acceptance. Please contact us if you have questions or concerns about the Privacy Notice or any objection to any revisions.

Last Update: November 17, 2020