Securing Solaris 10


Securing Solaris 10

by James Craig



        I have been playing with Solaris 10 on a few of my machines before
        letting it loose in the wild (i.e., the labs).

        I am looking for any best-practice guides for services run by
        smf that can be turned off, and if there is a way that I can
        create a profile that I could propagate to 150+ machines or
        through jumpstart ..

        .. any insight is appreciated.

jim craig


RE: Securing Solaris 10

by Steven Jones-5

Cis-security.org

Regards

Steven

-----Original Message-----
From: James Craig [mailto:jmc@...]
Sent: Friday, 5 August 2005 2:06 a.m.
To: focus-sun@...
Subject: Securing Solaris 10



        I have been playing with Solaris 10 on a few of my machines before
        letting it loose in the wild (i.e., the labs).

        I am looking for any best-practice guides for services run by
        smf that can be turned off, and if there is a way that I can
        create a profile that I could propagate to 150+ machines or
        through jumpstart ..

        .. any insight is appreciated.

jim craig



Re: Securing Solaris 10

by Alex Noordergraaf

James Craig wrote:

>
> I have been playing with Solaris 10 on a few of my machines before
> letting it loose in the wild (i.e., the labs).
>
> I am looking for any best-practice guides for services run by
> smf that can be turned off, and if there is a way that I can
> create a profile that I could propagate to 150+ machines or
> through jumpstart ..
>
> .. any insight is appreciated.

<begin plug>

Well, if you are looking for something that can propagate security
profiles through JumpStart, it seems like you should take a look at JASS
(aka Solaris Security Toolkit) v4.2. Support for Solaris 10 is included
in this release, which was just released this past Thursday (7/29). You
can integrate it into your JumpStart environment quite easily and push
your custom-developed security profiles (aka drivers) that way.

URL is http://sun.com/security/jass

<end plug>

HTH, Alex

>
> jim craig
>


Re: Securing Solaris 10

by K Kadow

On 8/4/05, James Craig <jmc@...> wrote:

>
>
>        I have been playing with Solaris 10 on a few of my machines before
>        letting it loose in the wild (i.e., the labs).
>
>        I am looking for any best-practice guides for services run by
>        smf that can be turned off, and if there is a way that I can
>        create a profile that I could propagate to 150+ machines or
>        through jumpstart ..
>
>        .. any insight is appreciated.

If not for the "no filtering possible on loopback" limitation in Solaris, I'd
recommend a generic filter policy using the version of Darren Reed's
IP Filter which ships with Solaris 10.  With this limitation, packet filters
do not provide protection against local attacks.

Are you already using generic_limited_net.xml?
Do you have a site profile? (/var/svc/profile/site.xml)

According to smf-discuss (opensolaris list), the next version of JASS
will have SMF support.


Kevin Kadow

Re: Securing Solaris 10

by Sebastian Jaenicke

Hi,

On Thu, Aug 04, 2005 at 10:05:38AM -0400, James Craig wrote:
[..]
> I am looking for any best-practice guides for services run by
> smf that can be turned off, and if there is a way that I can
> create a profile that I could propagate to 150+ machines or
> through jumpstart ..

Just create a custom site.xml file and use a postinstall
script to copy it into /a/var/svc/profile.

- Sebastian
--
Progress (n.): The process through which Usenet has evolved from
smart people in front of dumb terminals to dumb people in front
of smart terminals.
              -- obs@...
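The site.xml approach Kevin and Sebastian point at, as an added example that is not code from this thread, from Sun, or from JASS: a Bourne-shell fragment suitable for a JumpStart finish script. It writes an SMF profile bundle that disables a handful of network service instances and installs it under a target root, which is /a while JumpStart has the new system mounted, so svc.startd picks up /var/svc/profile/site.xml on the first boot. The service list is my choice of a lab baseline (telnet, ftp, finger, the r-services and a few rpc daemons), not a list given in the thread, and count_disabled is a hypothetical sanity check added for this example. It sticks to plain Bourne syntax because Solaris 10 /bin/sh has no ${var%pat} expansions.

```shell
#!/bin/sh
# Added example, not from the thread or from any Sun toolkit.
# Builds an SMF "profile" bundle that disables selected service
# instances and drops it into <root>/var/svc/profile/site.xml.
# In a JumpStart finish script <root> is /a; on a live host it is /.

# Assumption: an illustrative lab baseline.  One "service instance"
# pair per line; the instance is what the profile disables.
DISABLED_INSTANCES='
network/telnet default
network/ftp default
network/finger default
network/shell default
network/login rlogin
network/rexec default
network/rpc/rstat default
network/rpc/rusers default
network/rpc/spray default
'

# Write the profile bundle to the file named by $1.  The DTD path is
# the one Solaris 10 ships for service bundles.
write_site_profile() {
    echo "$DISABLED_INSTANCES" | {
        echo "<?xml version='1.0'?>"
        echo "<!DOCTYPE service_bundle SYSTEM '/usr/share/lib/xml/dtd/service_bundle.dtd.1'>"
        echo "<service_bundle type='profile' name='site'>"
        while read svc inst; do
            if [ -n "$svc" ]; then
                echo "  <service name='$svc' version='1' type='service'>"
                echo "    <instance name='$inst' enabled='false'/>"
                echo "  </service>"
            fi
        done
        echo "</service_bundle>"
    } > "$1"
}

# Install the profile under the given root (default /a, the JumpStart
# install target).  Returns non-zero if the directory or file cannot
# be written, so a finish script can bail out instead of shipping a
# half-built host.
install_site_profile() {
    root="${1:-/a}"
    dir="$root/var/svc/profile"
    mkdir -p "$dir" || return 1
    write_site_profile "$dir/site.xml" || return 1
    chmod 0444 "$dir/site.xml"
}

# Hypothetical sanity check: how many instances the profile disables.
# Worth eyeballing once before the same file goes to 150+ machines.
count_disabled() {
    grep -c "enabled='false'" "$1"
}

# When given a target root on the command line, install there;
# with no argument the script only defines the functions above.
if [ $# -gt 0 ]; then
    install_site_profile "$1" && echo "wrote $1/var/svc/profile/site.xml"
fi
```

In a finish script the call is `install_site_profile /a`; the profile is applied automatically when the freshly installed system boots. On a host that is already built, install under / and run `svccfg apply /var/svc/profile/site.xml`, then confirm with `svcs -a` that the listed instances show as disabled. The generic_limited_net.xml profile Kevin asks about is applied the same way (`svccfg apply /var/svc/profile/generic_limited_net.xml`) and can be used alongside a site.xml, with site.xml carrying only the local deltas.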

