
Unix: System Administration and Security

- Amol Chiplunkar
Agenda
• The role of a system administrator
• System Administration Tasks
• Summary
Role of a System Administrator
• Understanding all aspects of the system, and the operating environment.
• Provide an environment where users get what they want.
• They get it in an easy and efficient manner
• Maintaining Authority
• Providing consistent user experience
• Tracking changes
• Crisis management
• Disaster management
System Administration Tasks
• Administering user accounts and groups
• Administering File Systems
• Administering disk devices
• Packaging
• Securing systems
• Other tasks
Super User
• Super (root) User
Privileged user with unrestricted access to the system
resources.
$ su
Password: Not echoed
# id
uid=0(root) gid=0(root) ...

# su root -c "<command> <params>"


User Administration
• Unix users and groups
• Pseudo users
• /etc/passwd /etc/shadow /etc/group
• CLI administration utilities
• Environment initialization

• RBAC Profiles and Roles
• /etc/security/prof_attr, exec_attr
Users and Groups
• username and user id. ( identification )
• User database ( /etc/passwd )
username:x:UID:GID:user information:home-directory:login-shell
• Shadow password file
• Group database ( /etc/group )
name:*:GID:additional-users
• Standard users and groups
root, daemon, bin, sys, adm, nobody, noaccess,...
root, bin, sys, adm, mail, daemon, ...
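The field layouts above are enough to audit the two databases for common account problems. An added example (not from the original slides): a shell function that checks a passwd-format file against a group-format file; the finding labels, the `toor` account and all sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a passwd-format file against a group-format file.
# Usage: audit_passwd PASSWD_FILE GROUP_FILE   (prints one finding per line)
audit_passwd() {
    awk -F: -v grp="$2" '
        BEGIN {   # load every GID defined in the group database
            while ((getline line < grp) > 0)
                if (split(line, g, ":") >= 3) gids[g[3]] = 1
            close(grp)
        }
        /^[ \t]*$/ { next }                        # skip blank lines
        NF != 7 { print "BADFIELDS:" FNR; next }   # name:x:UID:GID:info:home:shell
        {
            name = $1; uid = $3; gid = $4
            # Field 2 should be the "x" placeholder; the hash belongs in shadow.
            if ($2 != "x") print "NOSHADOW:" name
            # Any UID 0 entry other than root is a second superuser.
            if (uid ~ /^0+$/ && name != "root") print "UID0:" name
            # Names sharing a UID share file ownership and audit identity.
            if (uid in owner) print "DUPUID:" uid ":" owner[uid] "," name
            else owner[uid] = name
            # The primary GID must exist in the group database.
            if (!(gid in gids)) print "NOGROUP:" name ":" gid
        }
    ' "$1"
}

# Constructed sample data, not taken from a real system.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:Super-User:/:/sbin/sh
daemon:x:1:1::/:
toor:x:0:0:backup admin:/root:/bin/sh
alice:x:100:10:Alice:/export/home/alice:/bin/ksh
bob:x:100:10:Bob:/export/home/bob:/bin/ksh
carol:NOTAREALHASH:101:77:Carol:/export/home/carol:/bin/ksh
broken:x:102:10:/export/home/broken
EOF
    printf '%s\n' 'root:*:0:' 'other:*:1:' 'staff:*:10:alice,bob' > "$dir/group"
    audit_passwd "$dir/passwd" "$dir/group"
    rm -rf "$dir"
}
demo
```

On a live system the same function can be pointed at /etc/passwd and /etc/group; both are world-readable, so no root access is needed.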
User Management Commands
• Standard Unix
– useradd, usermod, userdel
– groupadd, groupmod, groupdel
– groups
– passwd
– chown, chgrp
• Solaris
– profiles, auths, roles
– Solaris Management Console: User Tools
Environment Initialization
• Home directory and default shell.
• Environment initialization files
– .profile, .login, .cshrc, .bashrc
– Setting PATH, aliases, shell variables
• Administering passwords
– passwd <user>
– Forcing password change, locking and unlocking
– Setting expiry, warning about the expiry
Administering File Systems
• File system types
• Solaris File System
• Managing file systems
• Sharing file systems
File System Types
• Disk based filesystems
– ufs, hsfs/cdfs, ...
• Network based filesystems
– nfs
• Virtual file systems
– tmpfs/swap, lofs, ...

• ZFS
File Systems: Details
• Stored in physical media, HDD, CD, DVD
– UFS (BSD and Solaris default)
– PCFS (read and write access)
– hsfs/cdfs/iso9660: CD/DVD
• nfs: Uniformly used across all unix flavours
• Virtual File systems
– Mostly memory based, provide access to special kernel information or facilities. ( e.g. procfs,
– Some can use disk, such as tmpfs
Default Solaris File System
• Hierarchy starting with the '/' directory.
ZFS
• Immense capacity
– First 128 bit filesystem
• End to end data integrity
– Copy on write transactions
• Easy administration
– Storage pools and not volumes
• Huge Performance gains
– Especially architected for speed
[Diagram labels: ZFS, ZFS, Storage Pool]
Managing File Systems
• Mounting and unmounting
• File system usage ( df, fuser )
• Quotas to limit usage per user
• Filesystem configuration files.
• Automounts
• Validating file systems ( fsck )
Sharing File Systems
• NFS
– Mounting
– /etc/dfs/dfstab on solaris
# share [-F fstype] [ -o options] [-d "<text>"] <pathname> [resource]
# share -F nfs -o rw=engineering -d "home dirs" /export/home2

• Samba
Partitioning
• Logical separation or demarcation of physical disk devices into multiple partitions aka slices
Managing Disk Devices
• Block device files /dev/dsk
– used by commands like mount
– Transfer large blocks of data at a time
• Raw device files /dev/rdsk
– used by commands like newfs
– Transfer smaller chunks of data.
• /dev/[r]dsk/cxtydmsn
Slices and File Systems
• Slices (logical disk partitions) are assigned one or more file systems.
• A file system cannot span across slices.
• Each slice is treated as a separate drive by the operating system.
• A minimum of 3 slices is recommended
– / for root partition
– /swap for tmpfs, procfs, volatile
– /<backup> partition such as /export/home
Tools and Commands
• format
• fdisk

• mount
• newfs
• mkfs
• fsck
Packaging
Introduction to Packaging
• All Unix-like operating systems use packages.
• Collection of files such as scripts, binaries, configuration files, images, ...
• A logical group of files that constitute a product or a component/feature of a product.
• Enables easy management of files.
Managing Solaris Packages
• Adding packages (pkgadd)
– Usually interactive
– Source could be a single file or a directory structure
– pkgtrans
• Removing packages (pkgrm)
• Listing installed packages (pkginfo)
• Checking package integrity
– pkginfo, pkgparam
– pkgchk
Admin File
• File with default installation action instructions
/var/sadm/install/admin/default
mail=
instance=unique
partial=ask
runlevel=ask
idepend=ask
rdepend=ask
space=ask
setuid=ask
conflict=ask
action=ask
basedir=default
Package Manifest and Other Files
• pkginfo file
• pkgmap file
• install directory
• reloc
Creating a Package
• prototype file
– File and directory entries
– Class
– permissions
• pkgproto command
• pkgmk
Patch Management
• What is a Patch
• Adding patches (patchadd)
• patch pre and post install scripts
• Obsolete patches
• Removing patches (patchrm)
• backout / patchrm scripts
Other Tasks
• OS installation and upgrades
• Configuring services such as mail, printer and network connectivity etc.
• Booting, halting, reconfiguring the system
• Managing devices in addition to disks
• Backup, restore.
• Occasionally analyze crash dumps
• Just about anything that's related to the systems
Solaris Security
• Secure installation
– Complete distribution
– Core distribution
• Patch updates.
– http://sunsolve.sun.com
– Recommended and Security Patches
• Auditing
– Audit configuration files
– Audit trail analysis
Solaris Security Toolkit
(JASS) JumpStart Architecture and Security Scripts.
Simplifies the process of
• Hardening the system.
• Minimizing packages
• Auditing
Summary
• A thankless but most vital job.
• All about providing predictable service levels
• At the same time, maintaining your own authority and system's integrity.
amol.chiplunkar@sun.com
Thank You !
