
Company-Document Unix Server Build Sun Solaris Ver. 1.1
UNIX Server Build Document
- Sun SPARC Solaris 8/9
Document Control
Document Information
Author Yogesh Tamkhade Date 07/10/05
Controlled Source
"\\punfs\SDATA\TIM\TIM - Pune Operations\TIM-2005\Server Baseline - 2005\Server Build Document\UNIX Server Build\Unix Server Build_Sun Solaris.doc"
Document Ref.
Document History
Ver. No   Date       Changed By   Comments
1.1       07/10/05                Compiled and sent for comments
Distribution
Name               Dept              Involvement
Abhijit Pradhan    TIM - Operation   Operation In-charge
Shripad Pilkhane   TIM - Operation   Sr. Project Manager
Approved By
Date Signed
Page 1 of 25
Contents
A] SYSTEM CONFIGURATION .............................................. 3
1.0 Solaris 8 7/01 Installation ...................................... 3
2.0 Enabling DNS ..................................................... 5
3.0 Configuring the Default Gateway .................................. 5
4.0 Added FQDN to /etc/hosts ......................................... 6
5.0 Installing Sun Patches ........................................... 6
6.0 Installing GCC ................................................... 6
B] SECURITY CONFIGURATIONS ........................................... 7
7.0 Installing SSH ................................................... 7
8.0 Disabling Unnecessary Services in /etc/inetd.conf ............... 11
9.0 Editing Start-up Scripts ........................................ 12
10.0 Enabling Warning Banners for login, Telnet and FTP ............. 14
11.0 Disabling Root Logins .......................................... 15
12.0 Implementing Security Policy ................................... 15
13.0 Configuring Login Failure Attempt .............................. 16
14.0 Removing or Disabling Unnecessary Accounts ..................... 16
15.0 Restricting FTP Usage .......................................... 16
16.0 Disabling the rlogin Command ................................... 17
17.0 Locking Down Remote Access Files ............................... 17
18.0 Disabling Volume Management .................................... 17
19.0 Disabling Unwanted Services .................................... 17
20.0 Preventing TCP spoofing ........................................ 21
21.0 Preventing overflow protection ................................. 22
C] REBOOTED THE SYSTEM .............................................. 23
D] BACKED UP THE SYSTEM ............................................. 23
Appendix A .......................................................... 24
A] System Configuration
Purpose
This document details the configuration, hardening, and vulnerability assessment of the Solaris operating system. It can also be used as a configuration standard, providing a baseline to audit against. It is important to understand the configurations at a granular level to troubleshoot outages.
1.0 Solaris 8 7/01 Installation
It is assumed that after each selection choice is made the user will press the appropriate button to continue on through the installation program (i.e. pressing Enter, clicking on Continue or clicking on Next).
1. Ensure that the correct hard disks are installed in the machine.
2. Turn on the machine and wait until it has booted.
3. Insert Solaris 8 Disk 1 of 2: 7/01.
4. Press 'Stop' and 'A' on the SUN keyboard.
5. At the OK prompt boot from the CD-ROM and wait for the machine to reboot:
boot cdrom
6. At the Choice of Language prompt select 0 for English.
7. The next option menu is "Select a Locale".
8. The machine takes a couple of minutes to configure initial settings. You will then be presented with some info screens; click on Continue to proceed (the Solaris Installation Program and Identify This System screens).
9. Select Yes for Network Connectivity.
10. The system has a static IP address so No should be selected for DHCP.
11. Enter the machine's host name (as per the project requirement).
12. Enter the machine's IP address.
13. The system will be part of a subnet so make sure that Yes is selected for Subnets.
14. Enter the Netmask of 255.255.240.0.
15. Select No for IPv6.
16. Confirm the configuration choices that have been made. If you are happy with them, Continue on.
17. Select No for the Configure Security Policy.
18. Then confirm that by selecting Continue.
19. Select None for Name Service.
20. Then confirm that by selecting Continue.
21. Select Geographic region for Time Zone.
22. Make sure that the Date and Time are set correctly.
23. Confirm those selections with Continue.
24. At the next screen select Initial for Solaris Interactive Installation.
25. On the next screen select Continue.
26. On the Select Geographic Region screen keep the default selection by selecting Continue.
27. Select the Developer System Support software group and make sure that the Solaris 64 Bit Support is selected (i.e. the box is black).
28. Select the first disk (e.g. c0t0d0) and make sure it is in the Selected Disks box. Ensure both disks are selected. Then Continue.
29. Select Continue on the Preserve Data? screen. (We do not wish to preserve any data on the disk.)
30. Select Manual Layout on the Automatically Layout File Systems? screen.
31. Choose Customize on the File System and Disk Layout screen.
32. In the Customize Disks screen click on the little box above the 0 (this allows us to assign disk space via cylinders, which is a more accurate, less wasteful way of assigning space).
33. The Customize Disks by Cylinders screen should appear. Use Table 1 and Table 2 for the correct partition layout and size.
34. Confirm the selections made. Only make entries on your chosen boot disk.
35. On the Mount Remote File System? screen select Continue.
36. The Profile screen is displayed showing the selections made previously. Click on Begin Installation.

Slice   File System     Size (MB)
0       /               2216
1       swap            5170
2       overlap
3       /var            5170
4       /opt            10830
5
6                       3
7       /export/home    1231
Table 1: 2x36 Gigabyte Disks Partitioning

Slice   File System     Size (MB)
0       /               1070
1       swap            2670
2       overlap
3       /var            1070
4       /opt            2140
5
6                       3
7       /export/home    528
Table 2: 2x18 Gigabyte Disks Partitioning

37. Swap should be equal to twice the size of the memory installed on the server. To determine the amount of system memory, use "/usr/platform/sun4u/sbin/prtdiag -v".
38. Choose Auto Reboot, so that after installation the system reboots automatically.
39. The installation process takes some time. Halfway through the system will reboot. When the system comes up again it will ask for a Root Password to be entered twice.
40. The system will then ask about the energy conservation options. Select n so that the automatic power-saving shutdown is not on. (If it were on the server could shut down by itself.)
41. Then select n again, this time to stop the system asking about energy conservation in future.
42. You will now be asked to specify the media for Solaris 8 Software 2 of 2. Select CD.
43. Insert the CD into the now open disk tray, then click OK.
44. The next section again takes some time to complete; once it is installed you will be shown a screen of the Solaris 8 Software 2 Installation Status. Click on Next to proceed.
45. Installation is now complete. Click Reboot Now to reboot. (Leave the Solaris 8 Software 2 of 2 CD in the drive as it is needed for the next section.)
46. Log into the system as root.
47. This next section installs packages that are needed but not installed with the Developer System group.
48. (Optional) To install Solstice DiskSuite (used for mirroring), from a console screen type:
# cd /cdrom/cdrom0/Solaris_8/EA/products/DiskSuite_4.2.1
# ./installer
49. Click Next.
50. Click Next.
51. Make sure Default Install is selected then click Next.
52. Click Install Now.
53. Once it is installed click Next then Exit.
54. Don't Reboot.
55. To install Bash (the Bourne-again shell that will be used as a preference), Gzip and Less you need to unzip certain files and add the packages to the system. To do so type the following commands.
# cd ../../../Product
# pkgadd -d . SUNWbash     (This adds the package onto the system.)
56. When asked if you wish to continue type y.
# pkgadd -d . SUNWgzip     (This adds the package onto the system.)
57. When asked if you wish to continue type y.
# pkgadd -d . SUNWless     (This adds the package onto the system.)
58. When asked if you wish to continue type y.
59. Next we need to create an account that we can log into the system with (root login has been disabled completely).
# admintool &     (The easiest way to do this is using admintool.)
60. Select Edit > Add (to add a new user).
61. Then fill in the User Name = bkpuser
62. Login Shell = Other: /usr/bin/bash
63. Password = Normal Password
64. Home Directory Path: /export/home/bkpuser (make sure the create directory button is selected).
65. Then close down all the admintool windows.
# shutdown -i6 -g0 -y     (to reboot the system and allow the changes to take effect)
2.0 Enabling DNS
# vi /etc/nsswitch.conf
hosts: files dns
# vi /etc/resolv.conf
domain mahindrabt.com
nameserver 10.0.0.10
nameserver 10.0.0.211
search mahindrabt.com
3.0 Configuring the Default Gateway
# vi /etc/defaultrouter
10.0.0.204
4.0 Added FQDN to /etc/hosts
# vi /etc/hosts
10.0.0.1 sunsrv01.mahindrabt.com sunsrv01 loghost
Added the fully qualified domain name to /etc/hosts to prevent sendmail errors.
5.0 Installing Sun Patches
1. Insert the Solaris 8 Patches disk into the drive and allow Solaris to mount the CD-ROM.
# cp /cdrom/cdrom0/* /tmp
# cd /tmp
# unzip 8_*     (unzips the 8_Recommended.zip file)
# cd 8_Recommended
# ./install_cluster
2. Answer y to continue with the install.
3. Some of the patches will fail with certain return codes. 2 and 8 are not a problem but if any fail with 5 or 25 then this needs to be sorted at the end. The only patch that may fail is 108869-18. This is due to a bug involving space files. The other zip file in the /tmp directory that was copied across will then need to be installed to fix this problem. The procedure for fixing and then reinstalling 108869-18 is shown below. Appendix C explains the meanings of all the exit codes that could be output during the cluster install.

# cd ..
# unzip 110934-11.zip
# patchadd 110934-11     (This fixes a problem with space files that can affect other patches.)
4. Once this patch is installed the failed patch needs to be reinstalled.
# cd 8_Recommended
# patchadd 108869-18
5. Once this is done the system needs to be rebooted again for the patches to take effect.
6.0 Installing GCC
GCC is the GNU C Compiler and is necessary for compiling programs such as SSH, which are only available in source form. Installing it also has the side effect of installing the GNU C libraries that are needed by some of the utilities we will be installing later.
We are installing GCC as a third party pre-compiled package using the Sun Package Manager. The first step is to copy the file onto the system, for example using FTP. The file is called gcc-3.2.2-sol8-sparc-local.gz. I have assumed that the file is placed in /tmp for the rest of this example.
Next unpack the file:
# gunzip /tmp/gcc-3.2.2-sol8-sparc-local.gz
The file should have lost its '.gz' extension and will be considerably larger.
We must be root to add packages to the system, so now su to root:
# su -
Now we must add it to the system. First change to the directory where the file is:
# cd /tmp
Now we can add the package; as this is a spooled package (i.e. all in one file and not in a directory) we omit the '.' after the '-d':
# pkgadd -d gcc-3.2.2-sol8-sparc-local
Answer yes when you are asked if you want to add the GCC package.
You have now installed the package. You can confirm this using the 'pkginfo' command:
# pkginfo SMCgcc
You should see output similar to the below:
[root@peppy tmp]# pkginfo SMCgcc
application SMCgcc gcc
B] SECURITY CONFIGURATIONS
7.0 Installing SSH
SSH is a secure encrypted replacement for the Telnet and FTP protocols. It encrypts all traffic between the client and the host that is being connected to, and also uses public/private key pairs to prevent the spoofing of connections. We are installing OpenSSH, which is an open source implementation of the protocol that came about as part of the OpenBSD project.
Prerequisites
We are installing SSH by building it from source. Therefore for this installation to work you must have already installed GCC as described earlier in this document. SSH also needs the z-libraries to work, so if you haven't installed Emacs yet you need to do that as well. Finally, for SSH to work securely it must have a good source of random numbers; Solaris does not have /dev/random as standard but it is available as patch no. 112438-01. You must install this patch and re-boot the system before attempting to install OpenSSL or OpenSSH.
OpenSSL
OpenSSH makes use of OpenSSL (another spin-off of OpenBSD) to provide some of its functionality, therefore before OpenSSH can be installed OpenSSL must be installed. This is relatively easy as OpenSSL comes with a good makefile.
First copy the OpenSSL tarball onto your system using a method such as FTP. Place it in a location such as /tmp.

Become the root user:
# su
Change to the location that you have placed the distribution tarball in (I have assumed /tmp):
# cd /tmp
The files must be unpacked before you are ready to build them. First you must un-gzip them and then un-tar them:
# gunzip openssl-0.9.7a.tar.gz
# tar xf openssl-0.9.7a.tar
You should now have a new directory called 'openssl-0.9.7a' in the current directory. Change into it:
# cd openssl-0.9.7a
At the moment you don't have make or gcc in the root command path. This will cause the configure script to fail. Therefore we need to temporarily add them:
# PATH=$PATH:/usr/ccs/bin:/usr/local/bin
# export PATH
OpenSSL uses make to automate its compilation and installation. However OpenSSL is designed to work on many different Unix variants, all of which require it to be built in different ways, therefore a script called 'config' is provided that sets up the makefile to be correct for our systems. Run this script:
# ./config
Now you must compile OpenSSL. Type the following to do this. The compilation will take a relatively long time to complete.
# make
Now you have compiled OpenSSL the binaries you have made must be placed in the correct places on the system. To do this type the following:
# make install
Finally test OpenSSL. If you make it to the end of the test script with the final line reading 'All targets up to date' everything is fine.
# make test
OpenSSL should now be installed and working.
OpenSSH
We are now ready to install OpenSSH. This is done in much the same manner as installing OpenSSL.
First copy the OpenSSH tarball (openssh-3.5p1.tar.gz) and the startup script (sshd) onto your system using a method such as FTP. Place them in a location such as /tmp.

Become the root user:
# su
At the moment you don't have make or gcc in the root command path. This will cause the configure script to fail. Therefore we need to temporarily add them:
# PATH=$PATH:/usr/ccs/bin:/usr/local/bin
# export PATH
Create a locked user account for the SSH daemon to run as. This user should have no home directory and the account should be locked; we also set the shell to /usr/bin/false so that even if someone accidentally unlocks the account it still won't be usable.
# useradd -s /usr/bin/false sshd
# passwd -l sshd
Change to the location that you have placed the distribution tarball in (I have assumed /tmp):
# cd /tmp
The files must be unpacked before you are ready to build them. First you must un-gzip them and then un-tar them:
# gunzip openssh-3.5p1.tar.gz
# tar xf openssh-3.5p1.tar
You should now have a new directory called 'openssh-3.5p1' in the current directory. Change into it:
# cd openssh-3.5p1
OpenSSH uses make to automate its compilation and installation. However OpenSSH is designed to work on many different Unix variants, all of which require it to be built in different ways, therefore a script called 'configure' is provided that sets up the makefile to be correct for our systems. Run this script:
# ./configure
Now you must compile OpenSSH. Type the following to do this. The compilation will take a relatively long time to complete.
# make
Now you have compiled OpenSSH the binaries you have made must be placed in the correct places on the system. To do this type the following:
# make install
Now you must configure the machine so that the SSH daemon is started whenever the machine is booted. To do this we must copy the startup script into /etc/init.d and link it into rc2.d (start) and rc1.d (kill).
Copy the startup script from /tmp to /etc/init.d:
# cp /tmp/sshd /etc/init.d
Now we must make the file permissions the same as for all files in this directory:
# chown root /etc/init.d/sshd
# chmod a-w /etc/init.d/sshd
# chmod a-x /etc/init.d/sshd
# chmod a+r /etc/init.d/sshd
# chmod u+x /etc/init.d/sshd
# chmod u+w /etc/init.d/sshd
Now we need to link the script so that it is run when the box starts up or shuts down:
# ln /etc/init.d/sshd /etc/rc2.d/S69sshd
# ln /etc/init.d/sshd /etc/rc1.d/K69sshd
Finally we need to turn off the old insecure FTP and Telnet daemons. This is done by editing /etc/inet/inetd.conf. Again we need to change the file permissions so that we can write to the file.
# chmod u+w /etc/inet/inetd.conf
Now we can edit the file. Use an editor such as vi:
# vi /etc/inet/inetd.conf
Comment out the following lines by inserting a '#' at the beginning of the line:
ftp stream tcp6 nowait root /usr/sbin/in.ftpd in.ftpd
telnet stream tcp6 nowait root /usr/sbin/in.telnetd in.telnetd
Save the file and quit the editor.
Change the permissions back to the way they should be:
# chmod u-w /etc/inet/inetd.conf
Now before you restart inetd it might be a good idea to test your SSH configuration, as if it's not working and you stop telnet access you're going to be in trouble! First start the SSH daemon by hand:
# /usr/local/sbin/sshd
Now attempt to ssh to your own machine. The ssh client will warn that it doesn't know the foreign machine. Just answer yes to say you trust it and that you want to accept its authentication key. You will have to do this as another user as the SSH daemon won't allow root logins. The example has been done as user 'test':
[test@peppy sam]$ ssh localhost
The authenticity of host 'localhost (127.0.0.1)' can't be established.
RSA key fingerprint is 90:13:2a:b3:a8:2f:39:01:80:0b:8d:f0:3f:1f:8d:8c.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (RSA) to the list of known hosts.
test@localhost's password: ********
Last login: Wed Feb 26 16:28:04 2004 from 10.33.100.208
Sun Microsystems Inc.   SunOS 5.8       Generic February 2000
[test@peppy sam]$ logout
Connection to localhost closed.
[test@peppy sam]$
If the above worked you now have SSH installed and working. Next time you re-boot, the box will only allow remote access via SSH and Secure FTP. However, as several of the changes listed in this document also require a reboot this does not need to be done immediately. To reboot the machine use the following:
# init 6
8.0 Disabling Unnecessary Services in /etc/inetd.conf
By default the Solaris inet daemon runs a lot of unnecessary services. These have the potential to cause security problems and therefore we need to turn them off. To do this we edit /etc/inet/inetd.conf and then signal the daemon to re-read its settings.
Become root:
# su
The /etc/inet/inetd.conf file is not writable by default to prevent accidental damage to its settings, so we must change it:
# chmod u+w /etc/inet/inetd.conf
Now open the file in your editor of choice, for example vi:
# vi /etc/inet/inetd.conf
Comment out the following lines by inserting a '#' symbol at the beginning of each line:
name dgram udp wait root /usr/sbin/in.tnamed in.tnamed
finger stream tcp6 nowait nobody /usr/sbin/in.fingerd in.fingerd
shell stream tcp nowait root /usr/sbin/in.rshd in.rshd
shell stream tcp6 nowait root /usr/sbin/in.rshd in.rshd
login stream tcp6 nowait root /usr/sbin/in.rlogind in.rlogind
exec stream tcp nowait root /usr/sbin/in.rexecd in.rexecd
exec stream tcp6 nowait root /usr/sbin/in.rexecd in.rexecd
comsat dgram udp wait root /usr/sbin/in.comsat in.comsat
talk dgram udp wait root /usr/sbin/in.talkd in.talkd
uucp stream tcp nowait root /usr/sbin/in.uucpd in.uucpd
echo stream tcp6 nowait root internal
echo dgram udp6 wait root internal
discard stream tcp6 nowait root internal
discard dgram udp6 wait root internal
daytime stream tcp6 nowait root internal
daytime dgram udp6 wait root internal
chargen stream tcp6 nowait root internal
chargen dgram udp6 wait root internal
rquotad/1 tli rpc/datagram_v wait root /usr/lib/nfs/rquotad rquotad
rusersd/2-3 tli rpc/datagram_v,circuit_v wait root /usr/lib/netsvc/rusers/rpc.rusersd rpc.rusersd
sprayd/1 tli rpc/datagram_v wait root /usr/lib/netsvc/spray/rpc.sprayd rpc.sprayd
walld/1 tli rpc/datagram_v wait root /usr/lib/netsvc/rwall/rpc.rwalld rpc.rwalld
100134/1 tli rpc/ticotsord wait root /usr/lib/krb5/ktkt_warnd ktkt_warnd
printer stream tcp6 nowait root /usr/lib/print/in.lpd in.lpd
100150/1 tli rpc/ticotsord wait root /usr/sbin/ocfserv ocfserv
dtspc stream tcp nowait root /usr/dt/bin/dtspcd /usr/dt/bin/dtspcd
100068/2-5 dgram rpc/udp wait root /usr/dt/bin/rpc.cmsd rpc.cmsd
fs stream tcp wait nobody /usr/openwin/lib/fs.auto fs
100235/1 tli rpc/tcp wait root /usr/lib/fs/cachefs/cachefsd cachefsd
100083/1 tli rpc/tcp wait root /usr/dt/bin/rpc.ttdbserverd rpc.ttdbserverd
Save the file and quit the editor.
Change the permissions back to the way that we found them:
# chmod u-w /etc/inet/inetd.conf
Signal the inet daemon to re-read its settings:
# pkill -HUP inetd
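The same edit can be applied without an interactive editor and re-run safely on a box that was already partly hardened. This is an added example, not part of the original build document: it comments out exactly the service names listed in this section, leaves already-commented lines alone, and assumes a POSIX sh with awk; the inetd.conf excerpt it works on is constructed.

```shell
#!/bin/sh
# Added example, not from the original build document: comment out the
# inetd.conf services listed in section 8.0 idempotently, then report what
# is still enabled. Assumes POSIX sh with awk. The sample file is constructed.

# Service names from section 8.0 (first field of each inetd.conf entry;
# RPC entries are matched on the part before the "/version" suffix).
DISABLED_SERVICES="name finger shell login exec comsat talk uucp echo discard
daytime chargen rquotad rusersd sprayd walld 100134 printer 100150 dtspc
100068 fs 100235 100083"

# write_sample_inetd FILE: constructed excerpt of a Solaris 8 inetd.conf,
# with ftp and telnet already commented out as done in section 7.0.
write_sample_inetd() {
    cat > "$1" <<'EOF'
# constructed sample, not a real /etc/inet/inetd.conf
#ftp    stream  tcp6    nowait  root    /usr/sbin/in.ftpd       in.ftpd
#telnet stream  tcp6    nowait  root    /usr/sbin/in.telnetd    in.telnetd
finger  stream  tcp6    nowait  nobody  /usr/sbin/in.fingerd    in.fingerd
shell   stream  tcp     nowait  root    /usr/sbin/in.rshd       in.rshd
time    stream  tcp6    nowait  root    internal
rusersd/2-3  tli  rpc/datagram_v,circuit_v  wait  root  /usr/lib/netsvc/rusers/rpc.rusersd  rpc.rusersd
100083/1     tli  rpc/tcp  wait  root  /usr/dt/bin/rpc.ttdbserverd  rpc.ttdbserverd
EOF
}

# comment_out_services FILE: prefix "#" to every active line whose service
# is in DISABLED_SERVICES and print the number of lines changed. Comments
# and blank lines pass through unchanged, so a second run changes nothing.
comment_out_services() {
    awk -v list="$DISABLED_SERVICES" -v out="$1.new" '
        BEGIN {
            n = split(list, names, "[ \n]+")
            for (i = 1; i <= n; i++) want[names[i]] = 1
            changed = 0
            printf "" > out                     # create the output even if FILE is empty
        }
        /^[ \t]*#/ || /^[ \t]*$/ { print > out; next }
        {
            svc = $1; sub(/\/.*/, "", svc)      # rquotad/1 -> rquotad
            if (svc in want) { print "#" $0 > out; changed++ }
            else             { print > out }
        }
        END { print changed }
    ' "$1" && mv "$1.new" "$1"
}

# active_services FILE: service names that inetd would still start.
active_services() {
    awk '!/^[ \t]*#/ && NF { s = $1; sub(/\/.*/, "", s); print s }' "$1"
}

# Demonstration on a throwaway copy, never on the live file.
demo=$(mktemp)
write_sample_inetd "$demo"
echo "disabled $(comment_out_services "$demo") service line(s)"
echo "still active: $(active_services "$demo" | tr '\n' ' ')"
rm -f "$demo"
```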
9.0 Editing Start-up Scripts
By default Solaris starts a number of unnecessary programs and daemons. These waste resources and in some cases present security problems. Therefore we are going to stop them being started.
Run Level 3
Firstly we are going to deal with programs started when the system enters run level 3.
Become root:
# su
Now change to the /etc/rc3.d directory (this is where the startup scripts for run level 3 reside):
# cd /etc/rc3.d/
We are going to stop 3 scripts being executed. To do this we simply rename them so that they do not start with an 'S' any more:
# mv S15nfs.server noS15nfs.server
# mv S76snmpdx noS76snmpdx
# mv S77dmi noS77dmi
Run Level 2
Now we are going to deal with run level 2.
If you are not still root, su to it:
# su
Now change to the /etc/rc2.d directory (this is where the startup scripts for run level 2 reside):
# cd /etc/rc2.d/
We are going to stop the following scripts being executed; again to do this we simply rename them:
# mv S71ldap.client noS71ldap.client
# mv S73nfs.client noS73nfs.client
# mv S80lp noS80lp
# mv S85power noS85power
# mv S99dtlogin noS99dtlogin
# mv S73cachefs.daemon noS73cachefs.daemon
# mv S74autofs noS74autofs
NOTE: Stopping 'dtlogin' from being run will prevent remote XDMCP (graphical) logins. Therefore if you are not physically located at a local terminal, access from this point will be by telnet (and later SSH) only.
For this change to have an effect the machine must be restarted. However as several of the changes listed in this document also require a reboot this does not need to be done immediately. To reboot the machine use the following:
# init 6
10.0 Enabling Warning Banners for login, Telnet and FTP
These configurations replace the operating system version with a warning banner displayed during the login process.
Login:
# vi /etc/motd     (replace the operating system version with a warning banner)
==================================================================================
WARNING: TO PROTECT SYSTEMS FROM UNAUTHORIZED USE AND TO ENSURE THAT
THE SYSTEM IS FUNCTIONING PROPERLY, ACTIVITIES ON THIS SYSTEM ARE
MONITORED AND RECORDED AND SUBJECT TO AUDIT. USE OF THIS SYSTEM IS
EXPRESSED CONSENT TO SUCH MONITORING AND RECORDING. ANY UNAUTHORIZED
ACCESS OR USE OF THIS SYSTEM IS PROHIBITED AND COULD BE SUBJECT TO
CRIMINAL AND CIVIL PENALTIES.
==================================================================================
# cp /etc/motd /etc/issue
Telnet & FTP:
By default Solaris identifies its version [1] in the banner displayed when a Telnet or FTP session is initiated.
This is relatively easy to change; the steps that need to be taken are exactly the same for both daemons, therefore we'll do the configuration for both at once:
Become root:
# su -
Create the files /etc/default/ftpd and /etc/default/telnetd:
# touch /etc/default/ftpd
# touch /etc/default/telnetd
# vi /etc/default/telnetd
UMASK=022
BANNER=`cat /etc/motd`
# chown root:sys /etc/default/telnetd
# chmod 444 /etc/default/telnetd
# vi /etc/default/ftpd
UMASK=022
BANNER=`cat /etc/motd`
[1] The text displayed is equivalent to the output of 'uname -sr'.
# chown root:sys /etc/default/ftpd
# chmod 444 /etc/default/ftpd
11.0 Disabling Root Logins
As per the security policy no users will ever be able to login directly as root. When root access is required it will be achieved via the 'su' command, as this will allow auditing of who has made use of root privileges. This is achieved by editing /etc/default/login.
WARNING: You are about to modify the configuration of your machine so that you cannot login as root. After a standard install this is the only working account on the system, therefore by disabling it you will effectively lock yourself out of the system. You must create an account for yourself so that you can get back in before attempting this procedure.
By default /etc/default/login is not writable to prevent accidental damage to its contents. Therefore we must first change its permissions so that we can alter it:
# chmod u+w /etc/default/login
Now open the file with your editor of choice, for example vi.
Find the 'console' line; by default this is commented out with a # and will look as follows:
#CONSOLE=/dev/console
Change this line to look as follows:
CONSOLE=
This works as follows: if the CONSOLE variable is set you can only log in as root from the logical devices that are specified, so by default, as CONSOLE is commented out, you can log in as root from anywhere. By re-enabling the line and setting CONSOLE to be nothing we are effectively saying that root logins are allowed from nowhere.
Save the file and quit the editor.
Change the permissions back to their original state:
# chmod u-w /etc/default/login
12.0 Implementing Security Policy
# vi /etc/default/passwd
Before:
MAXWEEKS=
MINWEEKS=
PASSLENGTH=6
After:
MAXWEEKS=8
MINWEEKS=1
PASSLENGTH=8
WARNWEEKS=1
Root and user passwords are set to expire at the 3 month mark. If the root password expires, it must be reset from the system console. To avoid lockout, reset the root passwords at the 2 month mark.
Definitions:
MAXWEEKS - Maximum time period that a password is valid.
MINWEEKS - Minimum time period before a password can be changed.
PASSLENGTH - Minimum length of a password, in characters.
WARNWEEKS - Time period until warning of date of password's ensuing expiration.
13.0 Configuring Login Failure Attempt
# vi /etc/default/login
# Disconnect users after three login failures
RETRIES=3
NOTE: By default, Solaris will terminate a connection after 5 consecutive login failures. Set retries to 3. This is an industry standard (e.g. 3 strikes you're out).
# The SYSLOG_FAILED_LOGINS variable is used to determine how many failed
# login attempts will be allowed by the system before a failed login
# message is logged, using the syslog(3) LOG_NOTICE facility. For example,
# if the variable is set to 0, login will log -all- failed login attempts.
#
SYSLOG_FAILED_LOGINS=3
14.0 Removing or Disabling Unnecessary Accounts
# passwd -l adm
# passwd -l bin
# passwd -l daemon
# passwd -l listen
# passwd -l lp
# passwd -l nobody
# passwd -l noaccess
# passwd -l nuucp
# passwd -l sys
# passwd -l uucp
The nobody4 account is no longer needed.
# userdel nobody4
15.0 Restricting FTP Usage
Ensured /etc/ftpusers contained the following accounts:
# vi /etc/ftpusers
root
adm
bin
daemon
listen
lp
nobody
noaccess
nobody4
nuucp
smtp
sys
uucp
These system accounts no longer have the ability to FTP into the server. Any additional administrative accounts should be added as well (i.e. oracle, webadmin, etc).
16.0 Disabling the rlogin Command
Commented out the following lines in /etc/pam.conf:
#rlogin auth sufficient /usr/lib/security/pam_rhosts_auth.so.1
#rlogin auth required /usr/lib/security/pam_unix.so.1
#rsh auth required /usr/lib/security/pam_rhosts_auth.so.1
This configuration forces users to use their passwords with the rlogin command.
17.0 Locking Down Remote Access Files
These files provide "trusted" users remote access without the use of passwords. An alternative would be to ensure that they do not exist and use monitoring software to notify if they are created.
# /usr/bin/touch /.rhosts /.netrc /etc/hosts.equiv
# /usr/bin/chmod 0 /.rhosts /.netrc /etc/hosts.equiv
18.0 Disabling Volume Management
# cd /etc/rc2.d
# mv S92volmgt s92volmgt
After this configuration, CD-ROMs will not be automatically mounted. To manually mount a CD-ROM use:
# mount -F hsfs -o ro /dev/dsk/c0t6d0s0 /mnt
19.0 Disabling Unwanted Services
Disabling dtlogin (CDE)
Dtlogin is disabled if the server is not intended to run the Common Desktop Environment (CDE) or GUIs.
# cd /etc/rc2.d
# mv S99dtlogin s99dtlogin
Disabling Printing
# /usr/lib/lpshut
# cd /etc/rc2.d
# mv S80lp s80lp
Disabling RPC
RPC is disabled if the server is not intended to run CDE. To determine what is using rpc, use "rpcinfo -p".
# cd /etc/rc2.d
# mv /etc/rc2.d/S71rpc /etc/rc2.d/s71rpc
Disabling the NFS Client
# /etc/init.d/nfs.client stop
# cd /etc/rc2.d
# mv S73nfs.client s73nfs.client
Disabling the NFS Server
# /etc/init.d/nfs.server stop
# cd /etc/rc3.d
# mv S15nfs.server s15nfs.server
Disabling UUCP
# cd /etc/rc2.d
# mv S70uucp s70uucp
Disabling the LDAP Client
# cd /etc/rc2.d
# mv S71ldap.client s71ldap.client
Disabling the Auto Mounter
# /etc/init.d/autofs stop
# cd /etc/rc2.d
# mv S74autofs s74autofs
Disabling the Network Time Daemon
# /etc/init.d/xntpd stop
# cd /etc/rc2.d
# mv S74xntpd s74xntpd
Disabling the Logical Link Control Driver
# cd /etc/rc2.d
# ./S40llc2 stop
# mv S40llc2 s40llc2
Disabling Auto Install
# cd /etc/rc2.d
# mv S72autoinstall s72autoinstall
Disabling the Cachefs Daemon
# cd /etc/rc2.d
# mv S73cachefs.daemon s73cachefs.daemon
Disabling the Asynchronous PPP Daemon
# cd /etc/rc2.d
# mv S47pppd s47pppd
Disabling the Sendmail Daemon
The system continues to send mail out. It does not receive mail in to the server. This eliminates a significant security vulnerability.
# /etc/init.d/sendmail stop
Prevented sendmail from starting at boot:
# cd /etc/rc2.d
# mv S88sendmail s88sendmail
Ensuring the sendmail queue is cleaned out:
# crontab -e
# The Sendmail daemon is not running - this tells it to send mail out
00,20,40 * * * * /usr/lib/sendmail -q
Defining PATH, SUPATH and UMASK in /etc/default/login
# vi /etc/default/login
PATH=/usr/sbin:/usr/bin
SUPATH=/usr/sbin:/usr/bin
UMASK=027
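The values that sections 11.0, 12.0 and 13.0 and this subsection put into /etc/default/login and /etc/default/passwd can be audited against the baseline without reading the files by hand. This is an added example, not part of the original document; it assumes a POSIX sh with awk, and the files it checks are constructed samples (one as the stock Solaris 8 login file, the others as edited by this document).

```shell
#!/bin/sh
# Added example, not from the original build document: audit
# /etc/default/login and /etc/default/passwd against the values this
# document sets (CONSOLE=, RETRIES, SYSLOG_FAILED_LOGINS, PATH, SUPATH,
# UMASK, MAXWEEKS, MINWEEKS, PASSLENGTH, WARNWEEKS).
# Assumes POSIX sh with awk. The sample files below are constructed.

# get_setting FILE KEY: value of the last active KEY=VALUE line (a later
# assignment overrides an earlier one, as when the file is sourced).
# Prints "<unset>" if KEY only appears commented out or not at all, so an
# empty value such as "CONSOLE=" is distinguishable from a missing key.
get_setting() {
    awk -v key="$2" -F= '
        /^[ \t]*#/ { next }
        $1 == key  { val = substr($0, index($0, "=") + 1); found = 1 }
        END        { print (found ? val : "<unset>") }
    ' "$1"
}

# audit_defaults LOGIN_FILE PASSWD_FILE: print one line per deviation and
# return the number of deviations (0 means the files match the baseline).
audit_defaults() {
    login_f="$1"; passwd_f="$2"; bad=0
    # "file key expected"; a missing third word means the value must be empty.
    for spec in \
        "$login_f CONSOLE" \
        "$login_f RETRIES 3" \
        "$login_f SYSLOG_FAILED_LOGINS 3" \
        "$login_f PATH /usr/sbin:/usr/bin" \
        "$login_f SUPATH /usr/sbin:/usr/bin" \
        "$login_f UMASK 027" \
        "$passwd_f MAXWEEKS 8" \
        "$passwd_f MINWEEKS 1" \
        "$passwd_f PASSLENGTH 8" \
        "$passwd_f WARNWEEKS 1"
    do
        set -- $spec                      # paths from mktemp contain no spaces
        actual=$(get_setting "$1" "$2")
        if [ "$actual" != "${3:-}" ]; then
            echo "$2: expected '${3:-}' got '$actual'"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# write_stock_login FILE: constructed excerpt of the unmodified Solaris 8 file.
write_stock_login() {
    cat > "$1" <<'EOF'
# constructed sample of the unmodified /etc/default/login
#CONSOLE=/dev/console
PATH=/usr/bin:
SUPATH=/usr/sbin:/usr/bin
UMASK=022
SYSLOG_FAILED_LOGINS=5
#RETRIES=5
EOF
}

# write_hardened_login FILE: the same file after sections 11.0, 13.0 and
# the PATH/SUPATH/UMASK edits above.
write_hardened_login() {
    cat > "$1" <<'EOF'
# constructed sample of /etc/default/login after this document's edits
CONSOLE=
PATH=/usr/sbin:/usr/bin
SUPATH=/usr/sbin:/usr/bin
UMASK=027
# Disconnect users after three login failures
RETRIES=3
SYSLOG_FAILED_LOGINS=3
EOF
}

# write_hardened_passwd FILE: /etc/default/passwd after section 12.0.
write_hardened_passwd() {
    cat > "$1" <<'EOF'
MAXWEEKS=8
MINWEEKS=1
PASSLENGTH=8
WARNWEEKS=1
EOF
}

# Demonstration on constructed files.
d=$(mktemp -d)
write_hardened_login "$d/login"; write_hardened_passwd "$d/passwd"; write_stock_login "$d/login.stock"
audit_defaults "$d/login" "$d/passwd" && echo "hardened files: compliant"
audit_defaults "$d/login.stock" "$d/passwd" || echo "stock login file: $? deviation(s)"
rm -rf "$d"
```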
Disabling World Access in Default umask
Added "umask 027" to the following files:
/etc/profile (change)
/etc/.login (add)
/etc/skel/local.profile (add)
/etc/skel/local.login (add)
/etc/skel/local.cshrc (change)
Ensured no Alternate UID 0 Accounts Exist
# more /etc/passwd
Ensure that root is the only account with a UID of 0 in the 3rd field of the /etc/passwd file. UID 0 identifies an account as root to the operating system. Any alternate account with a UID of 0 is given /usr/sbin/noshell as a login shell.
Ensured all Accounts have Passwords
# logins -p
Use the command logins -p to check for accounts that do not require a password to log in.
!estricte0 Access to t-e HatH an0 HcrontabH Comman0s
These accesses should be given out on an as-needed basis.
Determine who has a crontab file:
# ls /var/spool/cron/crontabs
Restrict the use of "at" and "crontab". Only users listed in these files will be allowed to use "at" and "crontab". Start with the root user. Add sys for performance logging and lp for print queue maintenance:
# vi /etc/cron.d/cron.allow
# chmod 600 /etc/cron.d/cron.allow
# cp -p /etc/cron.d/cron.allow /etc/cron.d/at.allow
Create an /etc/cron.d/cron.deny file. Users listed in this file will not have access to "at" and "crontab":
# cat /etc/passwd | cut -f1 -d: | grep -v root > /etc/cron.d/cron.deny
# chmod 600 /etc/cron.d/cron.deny
Create an /etc/cron.d/at.deny file:
# cp -p /etc/cron.d/cron.deny /etc/cron.d/at.deny
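The three account checks above (alternate UID 0, passwordless accounts, and the cron.deny list) are done here with awk, as an added example that is not part of the build document. Each function takes explicit file arguments so it can be run on copies; the sample passwd, shadow and cron.allow contents are constructed for the check, not taken from any real host.

```shell
#!/bin/sh
# Added example, not from the build document: the /etc/passwd checks the
# document does by eye ("more /etc/passwd", "logins -p") and a stricter
# way to build cron.deny. Each function takes explicit file arguments so
# it can be run on copies; the sample files are constructed in the test.

# alt_uid0 <passwd>: accounts other than root whose 3rd field (UID) is 0.
# The document gives every such account /usr/sbin/noshell as its shell.
alt_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# empty_passwords <shadow>: accounts with an empty password field, i.e.
# what "logins -p" reports. Locked (*LK*) and NP entries are not flagged.
empty_passwords() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# build_cron_deny <passwd> <cron.allow>: every account not listed in
# cron.allow, one per line. Unlike "grep -v root", this matches whole
# names, so an unrelated account whose name merely contains "root" is not
# silently left out of the deny list. cron.allow still takes precedence
# when both files exist.
build_cron_deny() {
    awk -F: 'NR == FNR { allow[$1] = 1; next }
             !($1 in allow) { print $1 }' "$2" "$1"
}
```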
Replicating Syslog to the Monitoring Console
Replicating syslog to a central system makes it difficult for an intruder to entirely hide their tracks. As syslog entries are created locally, they are immediately copied to the central syslog server. Daily review of the centralized logs is also an effective way to detect system anomalies (i.e. hardware failures, software errors, etc).
# /etc/init.d/syslog stop
# vi /etc/hosts
Before:
192.168.1.101 sunsrv01.domain.com sunsrv01 loghost
After:
192.168.1.101 sunsrv01.domain.com sunsrv01
192.168.1.102 sunsrv02 loghost
# cp /etc/syslog.conf /etc/syslog.conf.orig
# vi /etc/syslog.conf
# next 2 lines added for syslog replication
*.err;kern.notice;auth.notice;user.none	@loghost
*.err;kern.debug;daemon.notice;mail.crit;user.none	@loghost
NOTE: The entries must be separated by tabs.
# /etc/init.d/syslog start
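Two things this section depends on are easy to get wrong silently: a syslog.conf entry typed with spaces instead of a tab is ignored by Solaris syslogd, and a loghost alias left on the local host sends the @loghost entries back to the same machine. The following checks are an added example, not part of the build document; the sample syslog.conf and hosts contents are constructed for the test.

```shell
#!/bin/sh
# Added example, not from the build document: two checks for what this
# section depends on. Solaris syslogd accepts only a TAB between selector
# and action, so an entry typed with spaces is silently ignored; and the
# "loghost" alias must name the central server, not the local machine, or
# the @loghost entries just loop back to /var/adm/messages. Files are
# passed as arguments so copies can be checked before going live.

# syslog_space_entries <syslog.conf>: print the line numbers of entries
# whose selector/action separator is not a TAB; return 1 if any exist.
syslog_space_entries() {
    awk '
        /^[ \t]*(#|$)/ { next }                 # comments and blank lines
        !/^[^ \t]+\t+[^ \t]/ { print NR; bad = 1 }
        END { exit (bad ? 1 : 0) }' "$1"
}

# loghost_target <hosts-file> <local-hostname>: print the canonical name
# the loghost alias resolves to; return 1 if that is this host, 2 if no
# loghost alias exists at all.
loghost_target() {
    awk -v me="$2" '
        /^[ \t]*#/ { next }
        { for (i = 2; i <= NF; i++) if ($i == "loghost") name = $2 }
        END {
            if (name == "") exit 2
            print name
            split(name, part, ".")
            exit (part[1] == me ? 1 : 0)
        }' "$1"
}
```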
Enabling Logging of the su Command
This configuration logs both success and failure of su command usage.
NOTE: This configuration is required by the root login notification script (below).
# vi /etc/default/su
SULOG=/var/adm/sulog (uncommented)
# cd /var/adm
# touch sulog
# chgrp sys sulog
# chmod 600 sulog
Enabling AUTH Logging
The auth facility controls account access with login, su, etc.
# vi /etc/syslog.conf
auth.info	/var/log/authlog
auth.notice	/var/log/authlog
NOTE: The entries must be separated by tabs.
# /etc/init.d/syslog stop
# /etc/init.d/syslog start
Enabling Logging of Unsuccessful Login Attempts
The loginlog file records consecutive failed login attempts.
# cd /var/adm
# touch loginlog
# chgrp sys loginlog
# chmod 600 loginlog
Enabling Logging of Successful Logins
# cd /var/log
# touch logins
# chgrp sys logins
# chmod 600 logins
# vi /etc/syslog.conf
# log successful logins
local0.info	/var/log/logins
NOTE: The entries must be separated by tabs.
# /etc/init.d/syslog stop
# /etc/init.d/syslog start
Added the following entry to /etc/profile and /etc/.login:
logger -p local0.info "User $LOGNAME has logged in"
Enabling Logging of CDE Login Attempts
# vi /etc/syslog.conf
Added ";auth.debug;user.debug" to the line that logs successful logins
# log successful logins
local0.info;auth.debug;user.debug	/var/log/logins
NOTE: The entries must be separated by tabs.
# /etc/init.d/syslog stop
# /etc/init.d/syslog start
Log Incoming Connections for TCP Services
# vi /etc/syslog.conf
# log incoming connections for TCP services
daemon.notice	/var/log/syslog
NOTE: The entries must be separated by tabs.
# /etc/init.d/syslog stop
# /etc/init.d/syslog start
# vi /etc/rc2.d/S72inetsvc
(change the following entry:)
/usr/sbin/inetd -s (to read:)
20.0 Preventing TCP spoofing
TCP spoofing is a technique whereby crackers attempt to guess TCP sequence numbers in order to appear to be a trusted host. By default Solaris TCP sequence numbers are relatively easy to guess. However, Solaris can be set to use a more secure method of generating sequence numbers. Whilst this will not eliminate the possibility of connections being spoofed, it will greatly reduce the chances of it happening. Enabling support for this involves editing the /etc/default/inetinit file.
Become root
# su
To prevent accidental damage to the settings contained in the file, its permissions are set so that it is non-writable. Therefore we must first make the file temporarily writable.
# chmod u+w /etc/default/inetinit
Now open the file for editing with an editor such as vi
# vi /etc/default/inetinit
Change the value of the TCP_STRONG_ISS variable from 1 to 2, save the file and exit the editor
Reset the file's permissions to the way they were when we started
# chmod u-w /etc/default/inetinit
For this change to have an effect the machine must be restarted. However, as several of the changes listed in this document also require a reboot, this does not need to be done immediately. To reboot the machine use the following:
# init 6
21.0 Buffer overflow protection
Buffer overflow attacks (a.k.a. 'Smashing the Stack', 'Busting the Stack' etc) are one of the most common types of exploits used to breach Unix systems. A full explanation of how they work is beyond the scope of this document as it requires an understanding of relatively low-level programming concepts. It suffices to say that Solaris attempts to prevent some of these attacks by making areas of memory assigned to application stacks non-executable. We will also configure the kernel so that any attempt to make use of these exploits is logged.
Making the required changes involves modifying some kernel parameters in /etc/system and then re-booting the system.
Become root:
# su -
Open the /etc/system file in a text editor such as vi:
# vi /etc/system
Add the following lines to /etc/system
set noexec_user_stack = 1
set noexec_user_stack_log = 1
Save and close the file
For this change to have an effect the machine must be restarted. However, as several of the changes listed in this document also require a reboot, this does not need to be done immediately. To reboot the machine use the following:
# init 6
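Sections 20.0 and 21.0 are hand edits with vi; the functions below, added here as an example and not part of the build document, make the same two changes idempotently (a second run changes nothing and never duplicates a line) and keep the u+w / u-w step for /etc/default/inetinit. The file path is a parameter so the functions can be tried on a copy; on the real system pass /etc/default/inetinit and /etc/system and reboot afterwards.

```shell
#!/bin/sh
# Added example, not from the build document: apply the settings from
# sections 20.0 and 21.0 idempotently, including the temporary u+w / u-w
# step the document uses for /etc/default/inetinit. The file is a
# parameter so the functions can be exercised on a copy; on the real
# system pass /etc/default/inetinit and /etc/system and reboot afterwards.

# set_default_var <file> <NAME> <value>: NAME=value in an /etc/default
# style file, replacing an existing (even commented-out) assignment or
# appending one. Rewrites through cat so ownership and mode are kept.
set_default_var() {
    f=$1; n=$2; v=$3
    chmod u+w "$f"
    if grep -q "^#*[[:space:]]*$n=" "$f"; then
        awk -v n="$n" -v v="$v" '$0 ~ ("^#*[[:space:]]*" n "=") { print n "=" v; next }
                                 { print }' "$f" > "$f.tmp"
    else
        { cat "$f"; echo "$n=$v"; } > "$f.tmp"
    fi
    cat "$f.tmp" > "$f" && rm -f "$f.tmp"
    chmod u-w "$f"
}

# set_system_param <file> <param> <value>: ensure exactly one
# "set param = value" line in an /etc/system style file.
set_system_param() {
    f=$1; p=$2; v=$3
    if grep -q "^set[[:space:]]*$p[[:space:]]*=" "$f"; then
        awk -v p="$p" -v v="$v" '$0 ~ ("^set[[:space:]]*" p "[[:space:]]*=") { print "set " p " = " v; next }
                                 { print }' "$f" > "$f.tmp"
        cat "$f.tmp" > "$f" && rm -f "$f.tmp"
    else
        echo "set $p = $v" >> "$f"
    fi
}

# Readers for verification: print the current value, or nothing if unset.
default_var()  { sed -n "s/^$2=//p" "$1"; }
system_param() { sed -n "s/^set[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1"; }
```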
C] REBOOTED THE SYSTEM
A reboot is required for the settings to take effect.
# /usr/sbin/shutdown -i6 -g0 -y
D] BACKED UP THE SYSTEM
Install the backup agent and restore a few files from backup.
Appendix A - Solaris Patch Return Codes
When adding patches to a Solaris box you sometimes get these error messages, especially 2 and 8 and sometimes 5 and 25. Here's what they all mean.
Exit code  Meaning
0          No error
1          Usage error
2          Attempt to apply a patch that's already been applied
3          Effective UID is not root
4          Attempt to save original files failed
5          pkgadd failed
6          Patch is obsolete
7          Invalid package directory
8          Attempting to patch a package that is not installed
9          Cannot access /usr/sbin/pkgadd (client problem)
10         Package validation errors
11         Error adding patch to root template
12         Patch script terminated due to signal
13         Symbolic link included in patch
14         NOT USED
15         The prepatch script had a return code other than 0.
16         The postpatch script had a return code other than 0.
17         Mismatch of the -d option between a previous patch install and the current one.
18         Not enough space in the file systems that are targets of the patch.
19         $SOFTINFO/INST_RELEASE file not found
20         A direct instance patch was required but not found
21         The required patches have not been installed on the manager
22         A progressive instance patch was required but not found
23         A restricted patch is already applied to the package
24         An incompatible patch is applied
25         A required patch is not applied
26         The user specified backout data can't be found
27         The relative directory supplied can't be found
28         A pkginfo file is corrupt or missing
29         Bad patch ID format
30         Dryrun failure(s)
31         Path given for -C option is invalid
32         Must be running Solaris 2.6 or greater
33         Bad formatted patch file or patch file not found
34         The appropriate kernel jumbo patch needs to be installed