Inception: Secure By Default, Phase 1 (2004/368)

Submitter: Craig Payne
Owner: Gary Winiger
Interest: sbd-core@sun.com

SUMMARY
=======

* Project team will fix the issue so that the install screen points to the manual.
* Project team will provide more information on which ports are less opened.

ISSUES
======

jdc-1 Exactly which network-listening services are disabled? Is it just the list in 20q13? (Assume this list will be provided by commitment.)

  * No, this is not just about the ON. The list that is given is the complete one though.
  * Jim: You either completely rip the wire out of the wall or you know that there is a security issue here.
  * EdG: What is the policy we're really trying to comply with?
    - We're trying to minimize outside attacks.

jdc-2 It doesn't sound like this delivers "by default" behavior, despite the name, and instead provides a profile. Why shouldn't "no network" just be the system default? (And do we really want yet another install-time question?)

  * My understanding was that we cannot change the default in an update. If there is a way to change this, the project team is willing to make that change.
    - At install time, you can always choose this default profile...
    - This could change in Nevada.
  * Jim: I don't like the install asking a bunch of useless questions...

jdc-3 What's a "hostile network," and how is success judged?

  * Which ports are less opened?
    - The project team will provide this information for commitment.
  * Jim: I would suggest to file bugs against Solaris.

jdc-4 20q4: are you coordinating with the network approachability group? This project sounds like it treads on a lot of the same ground that a13y and install do.

  * You need to talk with at least John Beck on this issue.
    - Gary contacted him already.

jdc-5 20q19: I'm not wild about conflating installation with configuration, as it just makes administration more difficult. I see no problem with making rnet imply "no network," but it shouldn't be the only way to invoke the profile.

  * The project team just wants to re-use the name...
    - Gary: Rather than creating a new name, the project team was going to re-use what is already there...

gw-0 What's changed since last time? If this is phase 1, what's phase 2?

Not much. Last time was a rush to discuss what was happening with the project since it was thought that it would be pushed into S10 FCS. PSARC/2004/781 "generic_limited_net smf(5) profile, SBD Phase 0" did deliver a limited networking profile that could be chosen post install. Now it's ready for inception. The case is not yet complete. Phase 2 or later: allowing that selection not only for initial install but also for Upgrade, and having all Sun delivered software meet the requirements of installing and operating securely by default (not likely to be this I Team). This project is intended to stand on its own and have a patch release binding.

  * This was answered by Gary.
    - Answer seems ok by project team.
  * Shudong: what eventually will this become?
    - The traditional mode will probably be provided. The administrator can choose between any of the profiles.
    - Install will allow you to pick which profiles to run.
    - This is not an irreversible decision. If the user decides to change their services, they can go ahead and enable those services.
  * I would suggest that the project team come back to commitment about this on the install screen point to the manual.

gw-1 20Q#19 -- is this OK?

  * I think that having 2 profiles would confuse customers...
    - Much more will be disabled in the limited profile. Philosophically, nothing is changing...

gw-2 20Q#10 -- ssh to allow root login.

  * The project team kicked around whether or not to allow ssh and allow it to log in as root or not...the last position was to not allow it.
    - The project team should provide more information on this issue for commitment (finding an easier way of turning on root login).
    - Bill: I think that we should really consider remote root login as root install.

gw-3 only 1 exported interface? Install keyword. What about any new FMRIs or properties or config files or profiles? What about the new install question? What cases export them?

  * This can be taken offline for discussion.

gw-4 Nit: LSARC/2004/811 "CDE daemons conversion to SMF" was mistakenly put back to the Nevada CDE consolidation. The case is not yet closed at LSARC. When it does close, probably new/modified manifests and methods will replace those presently integrated.

wes-1 How will you ensure that the "secure by default" property is preserved going forward?

  * Maintaining secure by default?
    - Craig: One of the things that JES has been providing is the ability to audit the security stance on the machine. They are talking about adding properties...

wes-2 20Q8: "material improvement to RAS" question: are you sure it's "No"? Likewise for boot time. Disabled services can't fail, and can't cause other services to fail. Quantifying this is difficult.

  * This is just a suggestion, but quantifying this will be tricky.
    - This will be explained later.

wes-3 How are we going to finish the project and secure-by-default the rest of the WOS?

  * Everything on the DVD will be turned off by default.

wes-4 What open ports will turn up in an external port scan? What technical obstacles stand in the way of making the spurious false positives (e.g., rpcbind) go away? Will portscan and other audit tools be used to see if there's a measurable difference? (Eliminating false positives from common audit tools is an exercise akin to making the kernel lint clean -- many of the warnings are harmless, and making them go away often feels like make-work, but reducing the noise floor makes it easier to spot new ones.)

  * Piggybacks on jdc-3.

wes-5 What's the default actually going to be? i.e., if I take a jumpstart profile which works with the WOS as of before this project integrates, and use it with the WOS as of right after this project integrates, will I see a change? If not, why not?

  * For Nevada you get the SBD, for Solaris you don't.

sz-1 What about DHCP security for netinstall?

  * Project team will look into this.

White Board:
------------

KB-1 Securing the net-boot: what mechanism? What boot?

  * This will be put into the issues file.

KB-2 Reliance on ssh: how will the exposure and the initial...in the middle attack? By delivering an original trusted cert?

  * My install is being read through the CD...
    - There would be a general install question here...

NEXT STEP
=========

* Project team will go back and resolve all issues.