Caution - Do NOT disable the NFS server service on the master control domain (the primary domain of the first PDomain), because this service is required for I/O domain creation.
The NFS server service handles client file system requests over NFS versions 2, 3, and 4. If this system is not an NFS server, disable the service.
# svcadm disable svc:/network/nfs/server
The Federated file system (FedFS) client service manages defaults and connection information for LDAP servers that store FedFS information.
# svcadm disable svc:/network/nfs/fedfs-client
The remote quota server returns quotas for a user of a local file system that is mounted over NFS. The results are used by the quota command to display user quotas for remote file systems. The rquotad daemon is normally invoked by the inetd command. The daemon provides information about the network to potentially malicious users. For more information, refer to the Oracle Solaris quota(1M) man page, the rquotad(1M) man page, or the inetd(1M) man page.
# svcadm disable svc:/network/nfs/rquota
The cbd service manages communication endpoints for the NFS Version 4 protocol. The nfs4cbd daemon runs on the NFS Version 4 client and creates a listener port for callbacks. For more information, refer to the Oracle Solaris nfs4cbd(1M) man page.
# svcadm disable svc:/network/nfs/cbd
The NFS user and group ID mapping daemon service maps to and from NFS version 4 owner and owner_group identification attributes and local UID and GID numbers used by both the NFS version 4 client and server.
# svcadm disable svc:/network/nfs/mapid
The FTP service provides unencrypted file transfer and uses plain-text authentication. Use the secure copy program, scp, instead of ftp, because it provides encrypted authentication and file transfer. For more information, refer to the Oracle Solaris scp(1) man page.
# svcadm disable svc:/network/ftp:default
The removable volume manager is a HAL-aware volume manager that can automatically mount and unmount removable media and hot-pluggable storage. Users might import malicious programs, or transfer sensitive data off the system. For more information, refer to the Oracle Solaris rmvolmgr(1M) man page.
This service only runs in the Oracle Solaris global zone.
# svcadm disable svc:/system/filesystem/rmvolmgr
The smserver service is used to access removable media devices.
# svcadm disable rpc/smserver:default
By default, legacy services such as the r-protocols, rlogin and rsh, are not installed. These services, however, are still defined in per-service files under /etc/pam.d. If you replace those service definitions with pam_deny.so.1 entries, as shown next, the legacy services fall back to the other services (SSH, for example) in the event that they are enabled. For more information, refer to the Oracle Solaris rlogin(1) man page or the rsh(1) man page.
# cd /etc/pam.d
# cp rlogin rlogin.orig
# pfedit rlogin
auth definitive pam_deny.so.1
auth sufficient pam_deny.so.1
auth required pam_deny.so.1
# cp rsh rsh.orig
# pfedit rsh
auth definitive pam_deny.so.1
auth sufficient pam_deny.so.1
auth required pam_deny.so.1
The keyserv service must not use the nobody user key. The value of ENABLE_NOBODY_KEYS is YES by default; set it to NO.
# pfedit /etc/default/keyserv
. . .
ENABLE_NOBODY_KEYS=NO
FTP file transfers must not be available to all users, and must require qualified users to supply their user names and passwords. In general, system users should not be allowed to use FTP. This check verifies that system accounts are included in the /etc/ftpd/ftpusers file, so that they are not allowed to use FTP.
The file /etc/ftpd/ftpusers is used to prohibit users from using the FTP service. As a minimum, include all system users, such as root, bin, adm, and so on.
# pfedit /etc/ftpd/ftpusers
....
root
daemon
bin
...
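As an added audit helper (not part of the Oracle guide), the following POSIX sh script checks a captured svcs -a listing against the services this page says to disable, and verifies that the system accounts are listed in an ftpusers file. The svcs output and ftpusers contents are constructed samples written to a mktemp directory; on a real system you would point the two functions at the live svcs -a output and /etc/ftpd/ftpusers.

```shell
# Added audit helper (not part of the Oracle guide): compares a captured
# "svcs -a" listing and an ftpusers file with the hardening items above.

# Services this page says to disable on a system that does not need them.
SHOULD_BE_DISABLED="svc:/network/nfs/server svc:/network/nfs/fedfs-client
svc:/network/nfs/rquota svc:/network/nfs/cbd svc:/network/nfs/mapid
svc:/network/ftp svc:/system/filesystem/rmvolmgr svc:/network/rpc/smserver"

# Print each listed service whose captured state is "online".
# $1: file holding "svcs -a" output (columns: STATE STIME FMRI).
# Returns 1 if any such service is found, 0 otherwise.
check_svcs() {
    rc=0
    for fmri in $SHOULD_BE_DISABLED; do
        # accept the bare FMRI or any instance of it (e.g. ":default")
        if awk -v f="$fmri" '$1 == "online" && ($3 == f || index($3, f ":") == 1) { hit = 1 }
                             END { exit !hit }' "$1"; then
            echo "ENABLED: $fmri"
            rc=1
        fi
    done
    return $rc
}
# Print each required system account missing from an ftpusers file ($1).
# Returns 1 if any account is missing, 0 otherwise.
check_ftpusers() {
    rc=0
    for u in root daemon bin adm; do
        if ! grep -qx "$u" "$1"; then
            echo "MISSING from ftpusers: $u"
            rc=1
        fi
    done
    return $rc
}
# Constructed sample input (not real system output): rquota and ftp are
# still online, and the ftpusers file lacks "adm".
SAMPLE_DIR=$(mktemp -d)
SVCS_OUT="$SAMPLE_DIR/svcs.txt"
FTPUSERS="$SAMPLE_DIR/ftpusers"
cat > "$SVCS_OUT" <<'EOF'
disabled       10:01:02 svc:/network/nfs/server:default
online         10:01:03 svc:/network/nfs/rquota:default
online         10:01:03 svc:/network/ftp:default
online         10:01:05 svc:/network/ssh:default
EOF
printf 'root\ndaemon\nbin\n' > "$FTPUSERS"
check_svcs "$SVCS_OUT" || echo "svcs audit: findings above"
check_ftpusers "$FTPUSERS" || echo "ftpusers audit: findings above"
```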
The FTP server does not necessarily use the user's system file creation mask. Setting the FTP umask ensures that the files transmitted over FTP use a strong file creation umask.
# pfedit /etc/proftpd.conf
Umask 027
It is important to disable responses to echo requests. ICMP requests are managed using the ipadm command.
These settings prevent the dissemination of information about the network topology.
# ipadm set-prop -p _respond_to_echo_multicast=0 ipv4
# ipadm set-prop -p _respond_to_echo_broadcast=0 ip
Routers use ICMP redirect messages to inform hosts of more direct routes to a destination. An illicit ICMP redirect message can result in a man-in-the-middle attack.
# ipadm set-prop -p _ignore_redirect=1 ipv4
# mesg -n
For more information, refer to the Oracle Solaris mesg(1) man page, the talk(1) man page, and the write(1) man page.
By default, ssh is the only network service that can send and receive network packets. For more information, refer to the Oracle Solaris ssh(1) man page.
# svcadm disable FMRI_of_unneeded_service