CHAPTER 2

Security Considerations

For SMS 1.6, the Solaris Operating System is automatically hardened on the system controllers after a fresh installation. As a result, the system controllers are secure by default. This hardening takes effect after you install the SMS packages with the smsinstall script and reboot the system controllers.

If you are upgrading to SMS 1.6 from a previous version of SMS using the smsupgrade script, automatic hardening does not occur. You must manually harden the Solaris OS after the smsupgrade script completes.

This chapter discusses the security considerations for both types of SMS installations:

Chapter 3 outlines the procedures for each type of installation.


Solaris Security Toolkit Software Requirements

Solaris Security Toolkit 4.2 software works with either Solaris 9 OS or Solaris 10 OS. If you have an earlier version of the Solaris Security Toolkit, you must remove it. Otherwise, the installation and upgrade scripts terminate. Instructions are provided in Chapter 3.


Security After Installation

Security measures vary according to the type of installation.

In each of these cases, once the SCs are hardened, you can access the system only through console login, the serial port, or remotely through ssh. Other services from the SCs, such as network file system (NFS) server services, are disabled. Client services that you invoke externally from the SC still function, however. You can re-enable services as needed, but doing so is not recommended.



Note - The ssh daemon is part of Solaris 9 OS and Solaris 10 OS, and is installed when you install the Solaris 9 OS or Solaris 10 OS.




Security After Upgrade

You can upgrade to SMS 1.6 using the smsupgrade script (procedures summarized in TABLE 3-1). After the upgrade, you must harden the SCs manually. If you are running Solaris 9 OS and the script finds Solaris Security Toolkit 4.1.1 software on your system, the script leaves it. Otherwise, the script installs the Solaris Security Toolkit 4.2 software, but does not perform hardening. If you have a version of the Solaris Security Toolkit earlier than 4.1.1 with Solaris 9 OS or earlier than 4.2 with Solaris 10 OS, you must remove it before beginning the upgrade.

After the upgrade is complete, the system displays the manual hardening instructions.




Caution - Once you reboot and the system is hardened, you cannot log in to an SC remotely. If you want someone to be able to log in to an SC remotely, you must change your /etc/hosts.allow file in the Solaris Security Toolkit to ALL before you reboot. For more information, see To Upgrade SMS Software on the Spare SC or To Upgrade SMS Software on the Main SC.
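
The following check is an added example, not part of the SMS documentation or the Solaris Security Toolkit. It reads a hosts.allow file before the reboot and reports whether its sshd rules are open to ALL, restricted, or absent. The function name ssh_wrapper_status is hypothetical, standard TCP Wrappers rule syntax (daemon_list : client_list) is assumed, and the file to check is passed as an argument because this chapter does not give its location inside the Toolkit.

```shell
#!/bin/sh
# Added example (hypothetical helper, not Toolkit code).
# Prints one word describing what a TCP Wrappers access file grants to sshd:
#   all        - a rule for sshd (or ALL daemons) lists the client wildcard ALL
#   restricted - sshd rules exist, but none is open to ALL clients
#   none       - no rule applies to sshd
ssh_wrapper_status() {
    awk '
        # Join lines continued with a trailing backslash.
        { line = buf $0; buf = "" }
        line ~ /\\$/ { sub(/\\$/, "", line); buf = line; next }
        # Skip comments and blank lines.
        line ~ /^[ \t]*(#|$)/ { next }
        {
            nf = split(line, part, ":")
            if (nf < 2) next
            # Does the daemon list name sshd or the ALL wildcard?
            nd = split(part[1], d, /[ \t,]+/)
            applies = 0
            for (i = 1; i <= nd; i++)
                if (d[i] == "sshd" || d[i] == "ALL") applies = 1
            if (!applies) next
            seen = 1
            # A rule using EXCEPT is never counted as open (conservative).
            if (line ~ /EXCEPT/) next
            nc = split(part[2], c, /[ \t,]+/)
            for (i = 1; i <= nc; i++)
                if (c[i] == "ALL") wide = 1
        }
        END { print (wide ? "all" : (seen ? "restricted" : "none")) }
    ' "$1"
}

# Constructed sample input, read from standard input ("-").
printf '# constructed sample\nsshd: LOCAL\n' | ssh_wrapper_status -   # restricted
printf '# constructed sample\nsshd: ALL\n'   | ssh_wrapper_status -   # all
```

On Solaris, run this with nawk or /usr/xpg4/bin/awk in place of awk, because /usr/bin/awk does not provide sub().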