Remote services during Solaris installation

I've installed Solaris 10 (05-08) on a SPARC platform.

During the installation I was prompted with the question below. I selected yes to enable remote services.

Does anyone know what services this option enables?

    Enabling remote services ----------------------------------------
    Would you like to enable network services for use by remote clients?
    Selecting "No" provides a more secure configuration in
    which Secure Shell is the only network service provided to
    remote clients. Selecting "Yes" enables a larger set of
    services as in previous Solaris releases. If in doubt, it is
    safe to select "No" as any services can be individually enabled
    after installation.
    Note: This choice only affects initial installs. It doesn't affect upgrades.
    Remote services enabled
    -----------------------
    [X] Yes
    [ ] No
    -------------------------------------------------------------------
    F2_Continue F6_Help

Have a look with:

# svcs -a | grep -i network

for all enabled services.

I believe this will enable services such as rlogin & telnet etc.

Looking into the script /usr/sbin/netservices(1M), it is:

svc:/system/system-log
svc:/network/rpc/cde-calendar-manager
svc:/network/rpc/bind
svc:/application/x11/x11-server
svc:/network/smtp:sendmail
svc:/application/print/server
svc:/application/print/rfc1179
svc:/application/print/ipp-listener
svc:/network/rpc/cde-ttdbserver
svc:/application/graphical-login/cde-login
svc:/system/webconsole
svc:/application/management/wbem

and for the inetd and services you could have a look into:

/var/svc/profile/generic_open.xml
/var/svc/profile/generic_limited_net.xml

Regards,
PRESSY

You can find the specs and presentation here:
Secure By Default at OpenSolaris.org

# svcs -a | grep -i network

The following services are "online"

online Nov_05 svc:/network/pfil:default
online Nov_05 svc:/network/tnctl:default
online Nov_05 svc:/network/loopback:default
online Nov_05 svc:/network/physical:default
online Nov_05 svc:/milestone/network:default
online Nov_05 svc:/network/initial:default
online Nov_05 svc:/network/service:default
online Nov_05 svc:/network/ntp:default
online Nov_05 svc:/network/routing-setup:default
online Nov_05 svc:/network/rpc/bind:default
online Nov_05 svc:/network/nfs/mapid:default
online Nov_05 svc:/network/nfs/cbd:default
online Nov_05 svc:/network/nfs/status:default
online Nov_05 svc:/network/nfs/nlockmgr:default
online Nov_05 svc:/network/inetd:default
online Nov_05 svc:/network/rpc/gss:default
online Nov_05 svc:/network/rpc/meta:default
online Nov_05 svc:/network/nfs/client:default
online Nov_05 svc:/network/rpc/rstat:default
online Nov_05 svc:/network/rpc/cde-calendar-manager:default
online Nov_05 svc:/network/rpc/cde-ttdbserver:tcp
online Nov_05 svc:/network/rpc/mdcomm:default
online Nov_05 svc:/network/rpc/metamed:default
online Nov_05 svc:/network/rpc/metamh:default
online Nov_05 svc:/network/rpc/smserver:default
online Nov_05 svc:/network/rpc/rusers:default
online Nov_05 svc:/network/cde-spc:default
online Nov_05 svc:/network/security/ktkt_warn:default
online Nov_05 svc:/network/telnet:default
online Nov_05 svc:/network/nfs/rquota:default
online Nov_05 svc:/network/ftp:default
online Nov_05 svc:/network/finger:default
online Nov_05 svc:/network/login:rlogin
online Nov_05 svc:/network/shell:default
online Nov_05 svc:/network/stdiscover:default
online Nov_05 svc:/network/stlisten:default
online Nov_05 svc:/network/rpc-100235_1/rpc_ticotsord:default
online Nov_05 svc:/network/nfs/server:default
online Nov_05 svc:/network/smtp:sendmail
online Nov_05 svc:/network/ssh:default

Which of these would be a good idea to disable in order to tighten security?

netservices will disable most of them. Why not rely on it?
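
As an added example (not posted by anyone in this thread, and not part of the Solaris tooling), the shell function below sorts the online services in `svcs -a` output into those named in the netservices list quoted earlier and those that are not. The function name `classify` is hypothetical and the sample input is constructed in the format of the listing above.

```shell
#!/bin/sh
# Added example: which online services does the quoted netservices list name?

# FMRIs copied from the /usr/sbin/netservices list posted in this thread.
NETSERVICES_LIST='svc:/system/system-log
svc:/network/rpc/cde-calendar-manager
svc:/network/rpc/bind
svc:/application/x11/x11-server
svc:/network/smtp:sendmail
svc:/application/print/server
svc:/application/print/rfc1179
svc:/application/print/ipp-listener
svc:/network/rpc/cde-ttdbserver
svc:/application/graphical-login/cde-login
svc:/system/webconsole
svc:/application/management/wbem'

# Constructed sample in the format of the svcs output above (not a real capture).
SAMPLE_SVCS='STATE STIME FMRI
online Nov_05 svc:/network/rpc/bind:default
online Nov_05 svc:/network/telnet:default
online Nov_05 svc:/network/smtp:sendmail
online Nov_05 svc:/network/rpc/cde-ttdbserver:tcp
disabled Nov_05 svc:/network/rpc/cde-calendar-manager:default
online Nov_05 svc:/network/ssh:default'

# classify MODE: read svcs-style lines on stdin and print online FMRIs.
#   listed   -> FMRI matches an entry in NETSERVICES_LIST
#   unlisted -> FMRI matches no entry
classify() {
    mode=$1
    while read -r state stime fmri; do
        # Skip the header line and anything that is not online.
        [ "$state" = "online" ] || continue
        hit=no
        for entry in $NETSERVICES_LIST; do
            # Match the entry exactly, or the entry followed by ":instance".
            case "$fmri" in
                "$entry"|"$entry":*) hit=yes; break ;;
            esac
        done
        if [ "$mode" = listed ] && [ "$hit" = yes ]; then echo "$fmri"; fi
        if [ "$mode" = unlisted ] && [ "$hit" = no ]; then echo "$fmri"; fi
    done
}

# Stand-alone run over the constructed sample.
echo "Named in the netservices list:"
printf '%s\n' "$SAMPLE_SVCS" | classify listed
echo "Not in that list:"
printf '%s\n' "$SAMPLE_SVCS" | classify unlisted
```

On a live system, pipe `svcs -a` into `classify` in place of the sample; services reported as unlisted are the ones to look up in the two profile files mentioned earlier in the thread.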