“Like many admins, I use Solaris 7 and 8 extensively for my Web projects, due to their stability and scalability. As such, I was excited by the release of Solaris 9, which promised more of the same, along with many new features and deeper integration with other Sun products.”
Solaris 9: A Secure Server Is an Optimized Server
2002-09-23 Solaris 24 Comments
httpd (unless you are hosting)
if you must use some of the above, consider:
Go to Sun’s BluePrints page or BigAdmin and download the JASS hardening package. It’s a solid tool for closing up systems.
I must agree with the first poster. It’d be so nice if the Solaris default install didn’t have a few hundred ports open.
Sun ships a default install of Solaris that’s relatively insecure so they have a nice ‘fear stick’ to beat you with and make you buy the expensive support package, and some Sun consultants. It’s all part of Uncle Scott’s shell game.
Never mind that it would save 90% of the cost to the customer if the OS were hardened and secured by Sun before ship. Dell understands things like that. Sun doesn’t.
Solaris is by and large a good Unix, but its evolutionary curve is almost flat. Not much interesting happens over any given period of time.
For stability, having a flat evolutionary curve is often an asset. However, for solving new and interesting problems in your enterprise, it leaves much to be desired.
We will see what happens with ‘N1’ and the other Sun initiatives. They are a good company and I hope they pull themselves together.
Come on, if you don’t have an admin who can turn off services, you’d better buy a Sun support deal. Servers don’t run themselves.
Sun should do it.
As I said, it would save 90% of the cost.
If you force the admin/customer to be responsible instead of the vendor, there is no compelling reason for Sun to make their product better.
Sun passes on a huge cost to their customers; that is the point.
Because they are useful, that’s why. Don’t you think that Sun has good enough product and marketing managers to decide what is more important to customers? Except for feeding trolls, I think Sun made the better choice.
Well, I have done several Solaris 9 installs so far, and also many Live Upgrades to Solaris 9. No major differences encountered when compared to Solaris 8, except for the fact that you don’t have to separately install Solstice DiskSuite anymore: it’s part of the main bundle and it’s now called Solaris Volume Manager. As for differences between SVM and SDS, they are apparently very few, but one interesting difference is that the metadevice state database replica allocation is no longer registered in /etc/system. They are patched into the kernel through /kernel/drv/md.conf.
In the previous Solaris thread I really tried hard to stay on topic, and it was utterly fruitless. So, let’s start the debate rolling with a new flamewar. Choose your poison:
– Windows sucks (vs. Unix)
– RedHat sucks (vs. other distro)
– Slashdot sucks (vs. OsNews.com)
– MCSEs suck (vs. Unix admins)
I omitted Gnome vs KDE, ’cause it’s not interesting anymore.
Let the party begin ;o)))))))
Sun obviously is having troubles making good choices.
They are floundering in the market and no one on Wall Street understands what they are up to.
As for what Sun is doing in the operating system world, shipping insecure operating systems is one of the bad choices they are making.
It is far easier to start from a secure environment and then enable the few services you need. And that saves the customer the cost of configuring a secure environment.
No matter how you try and spin it, Sun has passed on a huge cost to the customer by making them figure out what’s on, what needs to be turned off, how to turn it off, etc. There is real work there, a lot of it, and that costs money. Sun experts are not cheap.
Most people, including notably risk-averse marketing managers and product managers, do not do anything different from what has been done before.
If Sun is going to succeed with “N1” and some of their other strategies, they had better start thinking differently.
What could have been a great market differentiator (Secure Solaris 8 on the LX50 or Secure Linux 5.0) was squandered.
In order to stay ahead and keep growing, you need to evolve.
Sun is not evolving very fast. And everyone knows it.
Mario, no flamebait please
The Prophet has trouble with:
figure out what’s on
what needs to be turned off
how to turn it off
Nearly there… it’s inetd.conf, BTW:)
There is real work there, a lot of it, and that costs money
If you call this “real work”, I’d love to see what you do on a lazy day. What do you charge for “real work”?
Well, which admin can live without an editor? You forgot the:
emacs vs vi
Yeah, it’s really, really unusual to have a lot of crap turned on in a server default install… Microsoft doesn’t do that, and neither does RedHat, etc.
Guess what… if you can’t turn off unwanted default services, ya shouldn’t be a Solaris admin… or a Win2k admin or a RedHat admin… in fact the only thing you can handle is OpenBSD, from the sounds of it.
I don’t really see what the big deal is… since in 99% of all cases it’s actually easier to turn something off than to turn something on.
Like someone else said… all ya gotta do is edit /etc/inetd.conf… guess what, as an admin… that’s whatcha get paid for!
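As an added example (not code from this thread or from Sun), a small sh script that audits an inetd.conf in the classic Solaris field layout, reports which services inetd would actually start, and writes a hardened copy in which every service outside an allowlist is commented out. The sample file contents and the /tmp paths are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread: audit a Solaris-style
# inetd.conf and write a hardened copy with every service that is not
# on an allowlist commented out. Works on a constructed sample file.

SAMPLE_INETD=/tmp/inetd.conf.sample      # constructed sample, not the live file
HARDENED_INETD=/tmp/inetd.conf.hardened  # output of the hardening step

# Constructed sample in the classic inetd.conf field layout:
# service socket-type protocol wait/nowait user server-program args
cat > "$SAMPLE_INETD" <<'EOF'
# inetd.conf sample (constructed for this example)
ftp     stream  tcp     nowait  root    /usr/sbin/in.ftpd       in.ftpd
telnet  stream  tcp     nowait  root    /usr/sbin/in.telnetd    in.telnetd
#shell  stream  tcp     nowait  root    /usr/sbin/in.rshd       in.rshd
finger  stream  tcp     nowait  nobody  /usr/sbin/in.fingerd    in.fingerd
echo    stream  tcp     nowait  root    internal
EOF

# Print the names of the services inetd would actually start, i.e. the
# first field of every line that is neither blank nor a '#' comment.
enabled_services() {
    awk '!/^[ \t]*#/ && NF > 0 { print $1 }' "$1"
}

# Number of enabled services; handy as a before/after check.
count_enabled() {
    enabled_services "$1" | wc -l | tr -d ' '
}

# Copy $1 to $2, commenting out every enabled service whose name is not
# in the space-separated allowlist $3. Comments and blank lines are kept.
harden_inetd() {
    awk -v keep="$3" '
        BEGIN { n = split(keep, k, " "); for (i = 1; i <= n; i++) allow[k[i]] = 1 }
        /^[ \t]*#/ || NF == 0 { print; next }
        ($1 in allow)         { print; next }
                              { print "#" $0 }
    ' "$1" > "$2"
}

# Default run: the allowlist is empty, so every service gets commented out.
harden_inetd "$SAMPLE_INETD" "$HARDENED_INETD" ""
echo "enabled before: $(count_enabled "$SAMPLE_INETD"), after: $(count_enabled "$HARDENED_INETD")"
```

Pass the services a host genuinely needs as the third argument of harden_inetd; everything else is left in the file, but disabled, so the change is easy to review and to revert.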
//No matter how you try and spin it, Sun has passed on a huge cost to the customer by making them figure out what’s on, what needs to be turned off, how to turn it off, etc. There is real work there, a lot of it, and that costs money. Sun experts are not cheap.//
Amen to that, brother. I’m not a Sun expert, so my company has to pay for the support each year. And why? Because everything’s veiled in secrecy. Ever try using the Sun support online? It’s a freakin’ joke. Worst support site on the Internet.
I’m testing Microsoft’s .NET Server RC1 …and things *are* locked down by default (finally, you Redmond goofs) … but they’re also *very easy* to turn on, and finding more info on .NET Server/IIS/services in general is a breeze.
Yah, yah, I know the MS vs. UNIX arguments. For us, though, a change may be coming.
I disagree that Sun has the worst support website out there. It’s certainly not the best either, because the best is Novell’s. This is not just because I used to use it frequently in my previous life (i.e. before I joined Nokia), but also because other people seem to think so too, so they awarded Novell the best support website in 1999. And since then it seems it has only got better.
Back to Sun’s support: I don’t know, but I have the impression that Sun is fantastically forthcoming with their customers. If you are a freeloader, you might not enjoy their approach too much, but if you do real business, Sun will go out of their way to satisfy you.
(but to be honest, Sun offers a lot even to freeloaders: what with free Solaris for Sparc, and Intel is only 20 bucks, what with Java, including binaries and sourcecode, and what with all those Sun ONE servers (that now include most of the iPlanet lineup, like LDAP and Webserver…), all free stuff)
Wasn’t this supposed to be secure or something? I scanned looking for additions and was shocked to find these highlights:
TCP wrappers (WOW this thing sounds safe already)
PAM (every server needs this, and has had it for years, I might add)
SSH (this is bleeding edge also, me Tarzan you Jane!)
What about the intricacies of the system? Have they done any major security auditing of the code? Done a better job of locking down the default permissions? Anything with the default config for daemons (such as SSH not allowing root login)? I have never seriously administered a Solaris box, but I know how “very” insecure systems come by default.
This might sound good to someone in a suit who buys any box that has a secure sticker on it, but I doubt any of my IT friends will be impressed. Maybe my ignorance is getting the best of me here, but if these guys are going to compete with Linux, aren’t they going to need to invent something Linux users haven’t been using for the past 5-10 years?
But so do most other OSes.
It’s quite simple to turn them off. Even if you’re not a Unix admin you can easily search for the info and figure it out.
Also, Solaris is VERY standards-compliant, no funniness.
Another neat tool for hardening is TITAN if I remember correctly.
More and more pop-up ads on this site… what a pity… Slashdot, here I come. OSNews sucks!!
Well, I really don’t care ’bout pop-up ads since I’m using Opera; I think it’s possible to block ’em with Mozilla as well. I think this is the best site all ’round.
Sun should at least provide the customer with the option of having the OS hardened with everything turned off when it is installed. Even Microsoft is going in this direction with Win .NET and IIS (it will be the only option available). Why? Because it saves admins time, money and headaches. Admins have plenty of work on their plates already, and having one less thing to worry about should put a smile on their faces.
Seriously, JASS is free, it hardens the system, and all you have is a pkgadd and a couple of prompts. If you want, you can add it into a post-install script.
And if you can’t add a couple of # into /etc/services, you have bigger issues than open ports.
Customers want service. They don’t want excuses.
Microsoft has this all figured out but the arrogant Unix world seems like it never will.
What’s the big deal? Is Sun too scared to take responsibility for hardening their servers before it sells them and thus leaves it up to the customer to deal with?
If you think a fresh install of Windows is more secure than a fresh install of Solaris, more power to ya. Sun probably doesn’t pre-harden because they figure the customer will re-install the pre-built OS, and if they need their systems hardened the needs will be environment-specific. If the configuration needs to be reproduced in multiplicity, they give you the tools to do it. Fear of responsibility and belief in the knowledge of the consumer are quite separate.
“If you think a fresh install of Windows is more secure than a fresh install of Solaris, more power to ya.”
Yeah, cute. Whatever. I can’t even be bothered to respond to your putting words in my mouth about what I think of Windows security.
“Sun probably doesn’t pre-harden because they figure the customer will re-install the pre-built OS and if they need their systems hardened the needs will be environment specific. If the configuration needs to be reproduced in multiplicity they give you the tools to do it.”
Just sounds like more excuses to me. What Prophet is suggesting is a very reasonable request. Anyway, this thread is going nowhere so this is my last post on it, so don’t bother flaming me, OK?