In preparation for a forthcoming public trial of a new web service powered by Solaris, we recently spent some time investigating different ways to lock the system down. Here is an overview of our findings.
If you have the option of (re)installing Solaris, then take it, and in doing so be sure to choose the Solaris Core installation cluster (SUNWCreq), as this is the most secure option (mainly because of the reduced number of packages it includes). Of course, this cluster will almost certainly not provide everything you need (you will have to manually install several packages afterwards), but it is generally worthwhile, as you will know exactly what is and is not installed on your system.
Useful Tools and Utilities
I found the following utilities very useful:
The first is natively available on Solaris and the other two can be downloaded from the sunfreeware.com website. The combination of these utilities makes it very easy to diagnose which ports are open on a system, and which process has opened each of them. Refer to some of the articles below to see good ways of doing this.
Solaris Security Toolkit
If you want to, you can manually lock down your system using the netstat, svcs and svcadm commands, but you really need to know what you are doing. There is, however, a far simpler way to do this: use the Solaris Security Toolkit (SUNWjass). It is a very powerful (and extremely well documented) utility that is easy to use to very good effect. It is also free.
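As an added illustration of the manual approach (this is not code from the original post or from the Solaris Security Toolkit), the script below takes the output of `netstat -an -f inet`, pulls out every TCP socket in the LISTEN state, and reports the ones bound to something other than the loopback address, i.e. the ports another host could reach. The netstat dump embedded in the script is a constructed sample in the Solaris 10 column layout, not captured from a real host, so the script can be exercised offline; the `--live` switch and the function names are my own. The follow-up step of mapping a port to its SMF service with `svcs -p` and turning it off with `svcadm disable` is shown only in comments, since it has to be run on the Solaris box itself.

```shell
#!/bin/sh
# Constructed sample of Solaris `netstat -an -f inet` TCP output (not captured
# from a real host), included so the audit can be run offline.
SAMPLE_NETSTAT='TCP: IPv4
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q    State
-------------------- -------------------- ----- ------ ----- ------ -----------
      *.22                 *.*                0      0 49152      0 LISTEN
      *.111                *.*                0      0 49152      0 LISTEN
127.0.0.1.25               *.*                0      0 49152      0 LISTEN
      *.7                  *.*                0      0 49152      0 LISTEN
10.0.0.5.22          10.0.0.9.51234      64240      0 49640      0 ESTABLISHED'

# Print "address port" for every TCP socket in LISTEN state, one per line,
# sorted numerically by port. Reads netstat output on stdin. Solaris prints
# the local address as addr.port, so the port is the text after the last dot
# and the address is whatever precedes it ("*" means every interface).
listening_sockets() {
    awk '$NF == "LISTEN" {
        n = split($1, f, "[.]")
        port = f[n]
        addr = substr($1, 1, length($1) - length(port) - 1)
        print addr, port
    }' | sort -k2,2n
}

# Keep only listeners reachable from other hosts: drop anything bound to
# the loopback address.
exposed_sockets() {
    listening_sockets | awk '$1 != "127.0.0.1"'
}

# Audit a netstat dump passed as the first argument, or the live output of
# netstat when no argument is given.
audit_exposed_ports() {
    if [ $# -gt 0 ]; then
        printf '%s\n' "$1" | exposed_sockets
    else
        netstat -an -f inet | exposed_sockets
    fi
}

# On the Solaris host, the next step for each exposed port is to find the
# owning SMF service and decide whether it should run at all, e.g.:
#   svcs -p                                 # services with their process ids
#   svcadm disable svc:/network/echo:dgram  # hypothetical target, for illustration
if [ "${1:-}" = "--live" ]; then
    audit_exposed_ports
else
    audit_exposed_ports "$SAMPLE_NETSTAT"
fi
```

Run without arguments it prints `* 7`, `* 22` and `* 111` for the sample (the loopback-only SMTP listener on port 25 is left out); `sh audit.sh --live` on the Solaris host reads the real netstat output instead. Anything that shows up here and is not needed by the service you are deploying is a candidate for `svcadm disable`.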
All you need to do is run one simple command (there are 16 variations to choose from, depending on how paranoid you are) and the SST will do the rest: disabling all the appropriate services, setting file permissions, creating hosts.allow and hosts.deny files, and in certain cases even invalidating non-root user passwords. So be sure that you have console access to your system before you run it.
You can even run it again in analyse mode to ensure that the system is still locked down to the same degree as it was when you first ran it (although I have not tested this).
Here are some good postings on the Solaris Security Toolkit: