Thursday, October 14, 2010
JASS: Permanently Disabling Services using JASS
The following provides basic instructions on how to disable services on Solaris systems using the Solaris Security Toolkit (JASS).
1. Determine which services you no longer need and want to disable. Especially in a web farm architecture you will want to harden the hosts by disabling unneeded OS services that could otherwise be a security exposure.
Here is an example of what you can consider:
- all NFS services (client AND server)
- autofs/automounter
- cde-login and all CDE/graphical login components
- drd (only needed for Logical Domains)
- Sun ServiceTags (usually used to provide discovery of systems and software on the LAN, but I think this is not appropriate for a web host)
- the stosreg and sthwreg services
CDE and font server
svc:/application/graphical-login/cde-login
svc:/network/rpc/cde-calendar-manager
svc:/network/rpc/cde-ttdbserver
svc:/application/cde-printinfo
Logical Domains (T series only)
svc:/platform/sun4v/drd
NFS and automounter
svc:/network/nfs/cbd
svc:/network/nfs/client
svc:/network/nfs/server
svc:/network/nfs/mapid
svc:/network/nfs/status
svc:/network/nfs/nlockmgr
svc:/network/nfs/rquota
svc:/system/filesystem/autofs
Service Tags
svc:/network/stdiscover:default
svc:/network/stlisten:default
Disabling the above should leave a clean OS with minimal external ports open.
2. To disable such services you use the JASS_SVCS_DISABLE variable in /opt/SUNWjass/Drivers/user.init. Use the package-provided file user.init.SAMPLE as a template:
# cd /opt/SUNWjass/Drivers
# cp user.init.SAMPLE user.init
# vi user.init
Add the following lines listing the services to disable. Starting the value with ${JASS_SVCS_DISABLE} appends to whatever the driver has already placed in the list instead of replacing it:
JASS_SVCS_DISABLE="${JASS_SVCS_DISABLE}
svc:/network/telnet:default
svc:/network/ftp:default
svc:/application/management/webmin:default
svc:/system/webconsole:console
svc:/application/management/snmpdx:default
svc:/application/management/dmi:default
svc:/application/management/wbem:default
svc:/application/graphical-login/cde-login
svc:/network/rpc/cde-calendar-manager
svc:/network/rpc/cde-ttdbserver
svc:/application/cde-printinfo
svc:/application/font/fc-cache:default
svc:/platform/sun4v/drd:default
svc:/network/nfs/cbd
svc:/network/nfs/client
svc:/network/nfs/server
svc:/network/nfs/mapid
svc:/network/nfs/status
svc:/network/nfs/nlockmgr
svc:/network/nfs/rquota
svc:/system/filesystem/autofs
svc:/network/stdiscover:default
svc:/network/stlisten:default "
export JASS_SVCS_DISABLE
3. To apply the changes, run jass-execute in apply mode with the driver you use for these hosts (server-secure.driver in this example) and reboot afterwards:
# /opt/SUNWjass/bin/jass-execute -d server-secure.driver
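After the reboot it is worth confirming that every FMRI in JASS_SVCS_DISABLE really ended up disabled, since a typo in user.init or a later "svcadm enable" silently leaves a port open. The script below is an added example written for this post; it is not part of JASS. It assumes the standard three-column "svcs -a" output (STATE, STIME, FMRI) and uses a constructed copy of that output so it runs offline. It also handles the detail that several entries in the list above (svc:/network/nfs/client, autofs, ...) name a service without an instance, which must match every instance of that service.

```shell
#!/bin/sh
# Post-apply check for the JASS_SVCS_DISABLE list (added example, not part of
# JASS).  On a real host replace SAMPLE_SVCS with "$(svcs -a)".

# The list from user.init; entries without an instance name (e.g.
# svc:/network/nfs/client) are meant to cover every instance of that service.
JASS_SVCS_DISABLE="svc:/network/telnet:default
svc:/network/ftp:default
svc:/network/nfs/client
svc:/network/nfs/server
svc:/system/filesystem/autofs
svc:/network/stdiscover:default
svc:/network/stlisten:default
svc:/platform/sun4v/drd:default"

# Constructed 'svcs -a' output standing in for a web host after the reboot
# (drd is absent because this sample host is not a T-series box).
SAMPLE_SVCS='STATE          STIME    FMRI
disabled       Oct_14   svc:/network/telnet:default
disabled       Oct_14   svc:/network/ftp:default
online         Oct_14   svc:/network/nfs/client:default
disabled       Oct_14   svc:/network/nfs/server:default
online         Oct_14   svc:/system/filesystem/autofs:default
disabled       Oct_14   svc:/network/stdiscover:default
online         Oct_14   svc:/network/stlisten:default
online         Oct_14   svc:/network/ssh:default'

# svcs_state SVCS_OUTPUT FMRI
# Prints "<instance> <state>" for each instance matching FMRI.  A bare service
# FMRI is turned into the glob "<fmri>:*" so that every instance is matched.
svcs_state() {
    _out=$1 _fmri=$2
    case "${_fmri##*/}" in
        *:*) _pat=$_fmri ;;
        *)   _pat="$_fmri:*" ;;
    esac
    printf '%s\n' "$_out" | while read -r _state _stime _inst; do
        [ "$_state" = STATE ] && continue        # skip the header line
        case "$_inst" in
            $_pat) printf '%s %s\n' "$_inst" "$_state" ;;
        esac
    done
}

# still_enabled SVCS_OUTPUT LIST
# Prints one line per listed service that is not "disabled": either
# "<instance> <state>" or "<fmri> absent" when the service is not installed.
still_enabled() {
    _out=$1 _list=$2
    for _fmri in $_list; do                      # split on JASS's whitespace
        _found=$(svcs_state "$_out" "$_fmri")
        if [ -z "$_found" ]; then
            printf '%s absent\n' "$_fmri"
            continue
        fi
        printf '%s\n' "$_found" | while read -r _inst _state; do
            [ "$_state" = disabled ] || printf '%s %s\n' "$_inst" "$_state"
        done
    done
}

# count_not_disabled SVCS_OUTPUT LIST -> number of installed services in LIST
# that still need attention (absent services are not counted).
count_not_disabled() {
    still_enabled "$1" "$2" | grep -v ' absent$' | wc -l | tr -d ' '
}

# Report.  Any non-absent line here means the driver run did not take, or the
# service was re-enabled since; "absent" lines are informational only.
if [ "$(count_not_disabled "$SAMPLE_SVCS" "$JASS_SVCS_DISABLE")" -ne 0 ]; then
    echo "Services in JASS_SVCS_DISABLE that are not disabled:"
    still_enabled "$SAMPLE_SVCS" "$JASS_SVCS_DISABLE"
else
    echo "All listed services are disabled."
fi
```

On a real host, source user.init to pick up JASS_SVCS_DISABLE and call `still_enabled "$(svcs -a)" "$JASS_SVCS_DISABLE"`. With the constructed sample it reports nfs/client, autofs and stlisten as still online and drd as absent. This complements, rather than replaces, the toolkit's own audit run (jass-execute -a with the same driver), which checks the driver's full policy, not just this list.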