SUMMARY: Minimizing the Solaris Operating Environment for Security...sol10 version

From: Beck, Joseph <>
Date: Fri Sep 08 2006 - 21:08:48 EDT
Sorry for the slow most of you I'm forced to jump from
one hot item to the next at the drop of a hat.

I did not find what I was looking for, which is a modern/sol10 version
of an article Lance Spitzner wrote years ago called something like
armoring solaris (see, but I did get some
good information.

Many suggested this site:


#2 regarding which initial install, someone suggested using the reduced
network cluster for installation...alan

#3 insight into just how small you can make an initial Solaris

-this email had other worthwhile info (posted at bottom)

#4 I also found excellent material in an internal document that a former
consultant was working on...I'll have to scrub it & send it out (focus
on banking & financials).

Some interesting sections from the doc:

Implement the following reqs:

As an example, Solaris 10 includes over 75 public domain software
packages in /usr/sfw including such software packages as MySQL, gcc, TCL
and TK.  Many of these packages are subject to exploitations which often
times elevate a user's privileges within the server.

At a minimum, the following software should never be installed onto
production servers:

*     Compilers (GNU gcc or Sun's SUNWspro)
*     Java development kits including java compilers (SUNWj3dev,
      SUNWj5dev, etc.)
*     Database access tools (except on database servers themselves)
      o     SQL*Net
      o     Interpreted software (perl, python, etc.) database access
            modules (e.g. perl's DBO for oracle).
*     Point-to-point protocol (PPP) drivers and configuration
*     Directory (LDAP) Server
*     Mobile IP
*     Apache Server
*     DHCP Software
*     Sun's Java Application Server
*     StarOffice
*     tcpdump

Note, 3rd party software should be checked to ensure applications such
as compilers are not included.

In addition, Pzone servers should be further hardened by removing
network intrusive applications such as:

*     snoop(1M)

Minimize System Services

Many of the default system services (time, echo, discard, NFS, NIS,
etc.) are not required and are often a target for exploitation.

Internet Services

Internet services are managed by the inetd daemon.  The following inetd
services should be disabled:

*     chargen
*     in.comsat
*     daytime
*     discard
*     dtspc
*     echo
*     exec
*     finger
*     fs
*     ftp (see below)
*     krb5_prop
*     login
*     name
*     netstat
*     printer
*     rquotad
*     rstatd
*     rusersd
*     shell
*     sprayd
*     sun-dr
*     systat
*     talk
*     telnet
*     tftp
*     time
*     uucp
*     walld

Solaris Security Toolkit:

Solaris Fingerprint Database:

Sun's Kerberos Information

Role-Based Access Control (RBAC) white paper:

OpenSSH white paper, NTP white paper, information on kernel (ndd)
settings, et al:

System Integrity Solutions

Commercial Tripwire (enterprise ready):

Open Source Tripwire:

Basic Audit and Reporting Tool (BART):

***download this doc & get something basic setup & cron'd***

Other Miscellaneous Documentation

Various documentation on Solaris security issues:

On BSM Audit flags:

On hiding information in Solaris extended attributes:

Discussion of "locked" vs. "blocked" accounts:

Primary source for information on NTP -

Information on MIT Kerberos -

Apache "Security Tips" document:

Information on Sendmail and DNS:


Pre-compiled software packages for Solaris:

LogSurfer+ (real time log monitoring):

Open Source Sendmail (email server) distributions:

#3 complete email:

This may not be exactly what you want, and it does have an x86 Solaris
slant; however, it is a fascinating insight into just how small you can
make an initial Solaris installation:

The thread has seemingly petered out now but if you haven't come across
it before, I think you'll find it worth the read.

I initially installed a Sol10 test box on SPARC hardware using the
Reduced Net Core cluster as the starting point and I seem to recall it
came out at under 90 packages.

The only relevant notes I can find now are these:


These are needed for compilation

Already Installed

system      SUNWlibmsr     Math & Microtasking Libraries        CD1
system      SUNWlibms      Math & Microtasking Libraries        CD1

Needed to be added

system      SUNWarc        Lint Libraries                       CD4
system      SUNWbtool      CCS tools bundled with SunOS         CD4
system      SUNWhea        SunOS Header Files                   CD4
system      SUNWtoo        Programming tools                    CD1
system      SUNWlibmr      Math Library Lint Files              CD4
system      SUNWlibm       Math & Microtasking Library Headers  CD4
system      SUNWsprot      Solaris Bundled tools                CD4

and possibly these to get a working compiler

system      SUNWgcmn       gcmn - Common GNU package            CD2
system      SUNWgccruntime GCC Runtime libraries                CD2
system      SUNWgcc        gcc - The GNU C compiler             CD4
system      SUNWbinutils   binutils - GNU binutils              CD4

After this a "gcc hello.c" works (gcc is in /usr/sfw/bin)

Maybe these will be needed later (Eric Boutillier's blog)

  SUNWxcu4         XCU4 Utilities
  SUNWscpr         Source Compatibility, (Root)
  SUNWscpu         Source Compatibility, (Usr)


If you want any more info, I could try and find some more notes but I
/didn't take it all that far/haven't taken it any further yet/, however I
would think that following your nose from the thread above will be all
you'd need to get a minimal installation.

Joe Beck Ciber Inc. - a consultant to SEI  One Freedom Valley Drive/ 100
Cider Mill Road| Oaks, PA 19456 | p: 610.676.2258 |

-----Original Message-----
From: Dave Mitchell []
Sent: Tuesday, August 29, 2006 1:03 PM
To: Beck, Joseph
Subject: Re: Minimizing the Solaris Operating Environment for
Security...sol10 version

On Tue, Aug 29, 2006 at 12:04:34PM -0400, Beck, Joseph wrote:

> Anyone seen such a document yet?
>
> I have a need to start building some web servers that will be solaris
> 10. I have the beginnings of a document and wanted to leverage any
> previous work in deciding things such as which initial (metacluster)
> install & which pkgs to remove after, which services, etc...I had to
> do this years ago, but was dealing with sol6 & sol7 at the time.


SCO - a train crash in slow motion
sunmanagers mailing list
Received on Fri Sep 8 21:09:30 2006
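
Added example, not part of the original post or of the document it quotes: two shell filters that check `pkginfo` output for the packages the post names (SUNWgcc, SUNWj3dev, SUNWj5dev and similar) and `inetadm` output for enabled services from the inetd list above. The way inetd names are matched to FMRIs, the DENY variable, the function names and the sample input are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example: audit a Solaris 10 host against the two lists in the post.
# Both filters read command output on stdin, so they can be tried offline.

# Packages the post names outright. Sun's own compiler is left out because
# the post gives an install name (SUNWspro), not a package name.
audit_pkgs() {
    # pkginfo line: "system  SUNWgcc  gcc - The GNU C compiler"
    awk '$2 ~ /^(SUNWgcc|SUNWj[0-9]+dev)$/ { print $2 }'
}

# inetd names from the post. Assumption: they are matched against the path
# components of the FMRI, with the trailing "d" dropped where SMF drops it
# (rstatd -> rpc/rstat). Names with no obvious FMRI are omitted.
DENY="chargen comsat daytime discard echo finger ftp login shell talk \
telnet tftp time uucp rquota rstat rusers spray wall"

audit_inetd() {
    # inetadm line: "enabled   online   svc:/network/telnet:default"
    awk -v deny="$DENY" '
        BEGIN { n = split(deny, d, " "); for (i = 1; i <= n; i++) bad[d[i]] = 1 }
        $1 == "enabled" && $3 ~ /^svc:/ {
            fmri = $3
            sub(":[^:/]*$", "", fmri)          # drop ":default", ":stream"
            m = split(fmri, part, "/")
            for (i = 2; i <= m; i++) if (part[i] in bad) { print $3; break }
        }'
}

# Constructed sample input, not taken from a real host.
sample_pkginfo() { cat <<'EOF'
system      SUNWcsr        Core Solaris, (Root)
system      SUNWgcc        gcc - The GNU C compiler
system      SUNWj5dev      JDK 5.0 Dev. Tools
system      SUNWlibms      Math & Microtasking Libraries
EOF
}
sample_inetadm() { cat <<'EOF'
ENABLED   STATE          FMRI
enabled   online         svc:/network/telnet:default
disabled  disabled       svc:/network/finger:default
enabled   online         svc:/network/rpc/rstat:default
enabled   online         svc:/network/rpc/gss:default
EOF
}

sample_pkginfo | audit_pkgs
sample_inetadm | audit_inetd
```

On a Solaris 10 host the same filters take live input (`pkginfo | audit_pkgs`, `inetadm | audit_inetd`); review each hit before removing it with `pkgrm` or disabling it with `inetadm -d`.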
