Unix Server Build_Sun Solaris.doc

  • 8/10/2019 Unix Server Build_Sun Solaris.doc

    Company-Document Unix Server Build Sun Solaris Ver. 1.1

    Contents

    A] SYSTEM CONFIGURATION

    1.0 Solaris 8 7/01 Installation
    2.0 Enabling DNS
    3.0 Configuring the Default Gateway
    4.0 Added FQDN to /etc/hosts
    5.0 Installing Sun Patches
    6.0 Installing GCC

    B] SECURITY CONFIGURATIONS

    7.0 Installing SSH
    8.0 Disabling Unnecessary Services in /etc/inetd.conf
    9.0 Editing Start-up Scripts
    10.0 Enabling Warning Banners for login, Telnet and FTP
    11.0 Disabling Root Logins
    12.0 Implementing Security Policy
    13.0 Configuring Login Failure Attempt
    14.0 Removing or Disabling Unnecessary Accounts
    15.0 Restricting FTP Usage
    16.0 Disabling the rlogin Command
    17.0 Loc

    A] System Configuration

    Purpose

    This document details the configuration hardening and vulnerability assessment of the Solaris operating system. It can also be used as a configuration standard providing a baseline to audit against. It is important to understand the configurations at a granular level to troubleshoot outages.

    1.0 Solaris 8 7/01 Installation

    It is assumed that after each selection choice is made the user will press the appropriate button to continue on through the installation program (i.e. pressing Enter, clicking on Continue or clicking on Next).

    1. Ensure that the correct hard disks are installed in the machine
    2. Turn on Machine and wait until it has booted
    3. Insert Solaris 8 Disk 1 of 2 (7/01)
    4. Press Stop and A on the SUN keyboard
    5. At the OK prompt, boot the CD-ROM and wait for the machine to reboot

    boot cdrom

    6. At the Choice of Language prompt select 0 for English
    7. The next option menu: Select a Locale
    8. The machine takes a couple of minutes to configure initial settings. You will then be presented with some info screens. Click on Continue to proceed (the Solaris Installation Program and Identify This System screens)
    9. Select Yes for Network Connectivity
    10. The System has a Static IP Address so No should be selected for DHCP
    11. Enter the machine's host name (as per the project requirement)
    12. Enter the machine's IP Address
    13. The System will be part of a subnet so make sure that Yes is selected for Subnets
    14. Enter the Netmask of 255.255.240.0
    15. Select No for IPv6
    16. Confirm the configuration choices that have been made. If you are happy with them then Continue on
    17. Select No for the Configure Security Policy
    18. Then confirm that by selecting Continue
    19. Select None for Name Service
    20. Then confirm that by selecting Continue
    21. Select Geographic region for Time Zone
    22. Make sure that the Date and Time are set correctly
    23. Confirm those selections with Continue
    24. At the next screen select Initial for Solaris Interactive Installation
    25. On the next screen select Continue
    26. On the Select Geographic Region screen keep the default selection by selecting Continue
    27. Select the Developer System Support Software group and make sure that the Solaris 64 Bit Support is selected (i.e. the box is black)

    28. Select the first Disk (e.g. c0t0d0) and make sure it is in the Selected Disks box. Ensure both disks are selected. Then Continue
    29. Select Continue on the Preserve Data? screen (we do not wish to preserve any data on the disk)
    30. Select Manual Layout on the Automatically Layout File Systems? screen
    31. Choose Customize on the File System and Disk Layout screen
    32. In the Customize Disks screen, click on the little box above the 0. This allows us to assign disk space via cylinders (which is a more accurate, less wasteful way of assigning space)
    33. The Customize Disks by Cylinders screen should appear. Use Table 1 and Table 2 for the correct partition layout and size
    34. Confirm the selections made. Only make entries on your chosen boot Disk
    35. On the Mount Remote File Systems? screen select Continue
    36. The Profile screen is displayed showing the selections made previously. Click on Begin Installation

    Slice File System Size

    0 / ''1?1 Swap 5170' Overlap

    : /var 5170= /opt 10;:05? :7 /export/home 1':1

    Table 1. 2x36 Gigabyte Disk

    44. The next section again takes some time to complete; once it is installed you will be shown a screen of the Solaris 8 Software 2 Installation Status. Click on Next to proceed
    45. Installation is now complete. Click Reboot Now to reboot (leave the Solaris 8 Software 2 of 2 CD in the drive as it is needed for the next section)
    46. Log into the System as root

    47. This next section installs packages that are needed (not installed with the Developer System
    48. (Optional) To install Solstice Disk Suite (used for mirroring), from a Console Screen type

    # cd /cdrom/cdrom0/Solaris_8/!/products/"isSuite_4$%$ $/installer

    49. Click Next
    50. Click Next
    51. Make sure Default Install is selected then click Next
    52. Click Install Now
    53. Once it is installed click Next then Exit
    54. Don't Reboot
    55. To install Bash (the Bourne again shell, which will be used as a preference), Gzip and Less you need to unzip certain files and add the packages to the system. To do so type the following commands

    # cd ../../../Product

    # pkgadd -d . SUNWbash    This adds the package onto the system.

    56. When asked if you wish to continue type y

    # pkgadd -d . SUNWgzip    This adds the package onto the system.

    57. When asked if you wish to continue type y

    # pkgadd -d . SUNWless    This adds the package onto the system.

    58. When asked if you wish to continue type y
    59. Next we need to create an account that we can log into the system with (root login has been disabled completely)

    # admintool , (The easiest way to do this is using admintool).

    60. Select Edit, Add (to add a new user)
    61. Then fill in the User Name L b

    3.0 Configuring the Default Gateway

    # vi /etc/defaultrouter
    &0$$0$%4

    4.0 Added FQDN to /etc/hosts

    # vi /etc/hosts
    &0$$0$& sunsrv01.mahindrabt.com sunsrv01 loghost

    Added fully qualified domain name to /etc/hosts to prevent sendmail errors.

    5.0 Installing Sun Patches

    1. Insert the Solaris 8 Patches disk into the drive and allow Solaris to mount the CD-ROM

    # cp /cdrom/cdrom0/* /tmp
    # cd /tmp
    # unzip 8_*    (unzips the 8_recomm.zip file)
    # cd 8_Recommended
    # ./install_cluster

    2. Answer y to continue with the install
    3. Some of the patches will fail with certain return codes: 2 and 8 are not a problem, but if any fail with 5 or 25 then this needs to be sorted at the end. The only patch that may fail is 10;;?#1; This is due to a bug involving space files. The other zip file in the /tmp directory that was copied across will then need to be installed to fix this problem. The procedure for fixing and then reinstalling 10;;?#1; is shown below. Appendix C explains the meanings of all the exit codes that could be output during the cluster install

    # cd ..
    # unzip &&034_&$+ip
    # patchadd &&0345&&    (This fixes a problem with space files that can affect other patches)

    4. Once this patch is installed the failed patch needs to be reinstalled

    # cd 8_Recommended
    # patchadd &088-35&8

    5. Once this is done the system needs to be rebooted again for the patches to take effect

    6.0 Installing GCC

    GCC is the GNU C Compiler and is necessary for compiling programs such as SSH which are only available in source form. Installing it also has the side effect of installing the GNU C libraries that are needed by some of the utilities we will be installing later.

    We are installing GCC as a third party pre-compiled package using the Sun Package Manager.

    The first step is to copy the file onto the system, for example using FTP. The file is called gcc-3.2.2-sol8-sparc-local.gz. I have assumed that the file is placed in /tmp for the rest of this example.

    The first step is to unpack the file.

    # gunzip /tmp/gcc-3.2.2-sol8-sparc-local.gz

    The file should have lost its '.gz' extension and will be considerably larger.

    We must be root to add packages to the system. So now su to root.

    # su -

    Now we must add it to the system. First change to the directory where the file is.

    # cd /tmp

    Now we can add the package. As this is a spooled package (i.e. all in one file and not in a directory) we omit the '.' after the '-d'.

    # pkgadd -d gcc-3.2.2-sol8-sparc-local

    Answer yes when you are asked if you want to add the GCC package.

    You have now installed the package. You can confirm this using the 'pkginfo' command.

    ?;'!=>/usr/ccs/bin/usr/local/bin#export '!=>

    Create a locked user account for the SSH daemon to run as. This user should have no home directory and the account should be locked; we also set the shell to be /usr/bin/false so that even if someone accidentally unlocks the account it still won't be usable.

    # useradd -s /usr/bin/false sshd

    # passwd -l sshd

    Change to the location that you have placed the distribution tarball in (I have assumed /tmp).

    ?8*!2)*AS?&

    Root and user passwords are set to expire at the 3 month mark. If the root password expires it must be reset from the system console. To avoid lockout, reset the root passwords at the 2 month mark.

    Definitions

    MAXWEEKS - Maximum time period that a password is valid
    MINWEEKS - Minimum time period before a password can be changed
    PASSLENGTH - Minimum length of a password in characters
    WARNWEEKS - Time period until warning of date of password's ensuing expiration

    12.0 Configuring Login Failure Attempt

    # vi /etc/default/login

    # Disconnect users after three login failures
    RETRIES=3

    NOTE: By default Solaris will terminate a connection after 5 consecutive login failures. Set retries to 3. This is an industry standard (e.g. 3 strikes you're out).

    # The SYSLOG_FAILED_LOGINS variable is used to determine how many failed
    # login attempts will be allowed by the system before a failed login
    # message is logged, using the syslog(3) LOG_NOTICE facility. For example,
    # if the variable is set to 0, login will log -all- failed login attempts.
    #
    SYSLOG_FAILED_LOGINS=

    13.0 Removing or Disabling Unnecessary Accounts

    # passwd -l adm
    # passwd -l bin
    # passwd -l daemon
    # passwd -l listen
    # passwd -l lp
    # passwd -l nobody
    # passwd -l noaccess
    # passwd -l nuucp
    # passwd -l sys
    # passwd -l uucp

    The nobody4 account is no longer needed.

    # userdel nobody4
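An audit check for the login-failure and account-locking settings above, added here as an example and not part of the original build document: it reads the active RETRIES value from a copy of /etc/default/login and lists which of the accounts locked in this section lack the *LK* marker that passwd -l writes to /etc/shadow. The function names and the sample files are assumptions constructed for this example.

```shell
#!/bin/sh
# Added audit example, not part of the build document. File paths are
# arguments so the checks can be pointed at copies of the real files.

# Accounts this section locks with passwd -l.
LOCKED_ACCOUNTS="adm bin daemon listen lp nobody noaccess nuucp sys uucp"

# Print the effective value of KEY ($2) in an /etc/default-style file ($1).
# Commented-out lines are ignored; the last active assignment wins.
default_value() {
    sed -n "s/^$2=//p" "$1" | sed -n '$p'
}

# Succeed only when RETRIES is active and set to the baseline value of 3.
check_retries() {
    [ "$(default_value "$1" RETRIES)" = "3" ]
}

# Print each baseline account in the shadow file ($1) whose password field
# does not start with the *LK* marker that passwd -l writes.
# No output means every listed account that exists is locked.
unlocked_accounts() {
    while IFS=: read -r user pw _rest; do
        for acct in $LOCKED_ACCOUNTS; do
            [ "$user" = "$acct" ] || continue
            case $pw in
                '*LK*'*) ;;            # locked
                *) echo "$user" ;;     # NP, empty or a hash: not locked
            esac
        done
    done < "$1"
}

# Demo on constructed sample files (not taken from a real system).
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' '#RETRIES=5' 'RETRIES=3' > "$tmp/login"
    printf '%s\n' 'adm:*LK*:::::::' 'bin:NP:6445::::::' 'lp:*LK*:::::::' \
        > "$tmp/shadow"
    if check_retries "$tmp/login"; then echo "RETRIES: 3"; else echo "RETRIES: not 3"; fi
    echo "not locked: $(unlocked_accounts "$tmp/shadow" | tr '\n' ' ')"
    rm -rf "$tmp"
}
demo
```

On Solaris 8 run it under bash or ksh, since the stock /bin/sh does not accept the $(...) form.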

    15.0 Restricting FTP Usage

    Ensured /etc/ftpusers contained the following accounts

    ?/usr/sbin/usr/bin(6!SA?0%