In build 75, I would disable the Xend HTTP server, which listens on all interfaces:

svccfg -s xvm/xend setprop config/xend-http-server = boolean: false
svcadm refresh xvm/xend
svcadm restart xvm/xend

I reported it on the xen discussion list and one of the xVM devs said it was a mistake and it will be corrected in subsequent builds.

I don't need any of the services launched in rc3:

rm /etc/rc3.d/S52imq
rm /etc/rc3.d/S50apache
rm /etc/rc3.d/S84appserv
rm /etc/rc3.d/S16boot.server

I also don't need the web console:

svcadm disable svc:/system/webconsole:console

I don't need any of the RPC services unless this is an NFS server.

By default, there has been a lot of improvement in Solaris Express and now most of the services only listen on the loopback interface. However, if one of these services is compromised, then the other services listening on localhost could be exploited to gain more privileges.

Sun should find a way to improve the way it handles security bugs in the developer and community edition, as more and more people are running Solaris Express in semi-production environments. For example, the pygrub security hole which would let a compromised domU execute arbitrary code in the dom0 domain as root was not patched in build 75, one month after the bug was publicized:
http://www.opensolaris.org/jive/message.jspa?messageID=167967#167967

Darren, I am actually trying to help here and I started compiling a set of hardening guidelines for Solaris Express. I have posted most security problems I have encountered along with possible workarounds when possible. In the future I will cc this list.

On 04/12/2007, at 11:41 AM, Darren Reed wrote:

> Hi,
>
> OpenSolaris should install with "secure by default" resulting in
> very few active services. What services are left enabled, with
> a secure by default install, that you believe could also be disabled?
>
> Darren
>
> Kugutsumen wrote:
>> Hi,
>>
>> I would like to disable a lot of unwanted services on a minimal
>> solaris install.
>>
>> When I disable inetd (I am not using any rpc or inetd services on
>> this machine...) the removable media management fails to start...
>>
>> I should just disable smserver but what I don't understand is why
>> svc:/milestone/multi-user-server:default depends on smserver.
>>
>> svc:/network/rpc/smserver:default (removable media management)
>>   State: uninitialized since Fri Nov 30 15:37:21 2007
>>   Reason: Restarter svc:/network/inetd:default is not running.
>>   See: http://sun.com/msg/SMF-8000-5H
>>   See: man -M /usr/share/man -s 1M rpc.smserverd
>>   Impact: 3 dependent services are not running:
>>     svc:/milestone/multi-user-server:default
>>     svc:/system/basicreg:default
>>     svc:/system/zones:default
>>
>> When I look at the manifest for multi-user-server milestone, it
>> says I shouldn't edit it.
>>
>> Is there any practical way to disable these useless dependencies? There
>> is no reason to prevent the execution of init level 3 scripts
>> because smserver is disabled.
>>
>> This message posted from opensolaris.org
>> _______________________________________________
>> security-discuss mailing list
>> security-discuss at opensolaris.org
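The thread above turns on one distinction: a service bound to every interface (the Xend HTTP server in build 75) versus one bound only to loopback. The script below is an added example, not code from the thread or from the xVM project, showing how to pull that distinction out of Solaris `netstat -an -f inet` output so a hardening pass can list the wildcard listeners before deciding which SMF services to disable. The netstat text embedded here is constructed sample output (port numbers and addresses are made up for the example, apart from the conventional xend port 8000); on a live system you would pipe the real `netstat -an -f inet` into the same functions.

```shell
#!/bin/sh
# Added example (not part of the original thread): report TCP listeners bound
# to all interfaces ("*.port") as opposed to loopback-only ones, from
# Solaris-style "netstat -an -f inet" output. The sample below is constructed.

SAMPLE_NETSTAT='TCP: IPv4
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q    State
-------------------- -------------------- ----- ------ ----- ------ -----------
      *.8000               *.*                0      0 49152      0 LISTEN
127.0.0.1.4045       *.*                0      0 49152      0 LISTEN
      *.22                 *.*                0      0 49152      0 LISTEN
127.0.0.1.6481       *.*                0      0 49152      0 LISTEN
192.168.1.10.22      192.168.1.20.51234 49640      0 49640      0 ESTABLISHED'

# Print the port numbers of LISTEN sockets whose local address is "*", i.e.
# reachable on every interface. Reads netstat text on stdin; one port per
# line, in input order. Only the state column and the local address are used,
# so header and separator lines fall through untouched.
wildcard_listen_ports() {
    awk '$NF == "LISTEN" && $1 ~ /^\*\.[0-9]+$/ { sub(/^\*\./, "", $1); print $1 }'
}

# Count the LISTEN sockets bound only to 127.0.0.1, for comparison with the
# wildcard list. These are the ones the thread treats as lower risk from the
# network, though still reachable from a compromised local service.
loopback_listen_count() {
    awk '$NF == "LISTEN" && $1 ~ /^127\.0\.0\.1\.[0-9]+$/ { n++ } END { print n + 0 }'
}

# Stand-alone run over the constructed sample; on a real host replace the
# printf with: netstat -an -f inet | wildcard_listen_ports
printf '%s\n' "$SAMPLE_NETSTAT" | wildcard_listen_ports
```

Each port the first function prints is a candidate to map back to its SMF instance (for example with `svcs -p` to find the process, then `svcadm disable` if the service is not needed, as the message does for the web console); the loopback count is there to show how much of the default Solaris Express service set already sits behind 127.0.0.1.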