
UnixCBT feat.

Solaris 10 Edition
Training Notes 20060801.01
Table of Contents
Apache Web Server - Notes
BIND DNS Implementation - Notes
System Scheduler Cron - Notes
File System Management - Notes
Volume Management - Notes
File Transfer Protocol Daemon (FTPD) Implementation - Notes
GNU Privacy Guard (GPG) - Notes
MySQL Implementation - Notes
NETSTAT - Notes
Network Configuration Overview - Notes
Network File System (NFS) - Notes
AutoFS - Notes
Network Mapper Nmap - Notes
Network Time Protocol (NTP) - Notes
Quota Implementation & Management - Notes
Samba Windows Integration - Notes
Remote Desktop Installation - Notes
Samba Server Configuration - Notes
System Security Overview - Notes
Sendmail MTA Features - Notes
Snoop Network Sniffer - Notes
TCPDump Network Sniffer - Notes
Snort Network Intrusion Detection System (NIDS) - Notes
SYSLOG Implementation - Notes
Log Rotation using logadm - Notes
Zettabyte File System (ZFS) - Notes
Solaris Zones - Notes
Apache Web Server - Notes

SAMP - Solaris Apache MySQL PHP/Perl


LAMP - Linux Apache MySQL PHP/Perl/Python

Modular & Reliable

2 Versions (1.3.33 & 2.0.50) are included with Solaris 10


svcs -a | grep -i apache

Note: Apache2 documentation is available @: http://localhost/manual


Steps to invoke Apache on Solaris 10:
1. cp /etc/apache2/httpd.conf-example /etc/apache2/httpd.conf
2. update the ServerName & ServerAdmin directives for the main server
3. svcadm enable apache2
4. netstat -an -P tcp | grep '\.80 ' to confirm the listener, then browse http://localhost/manual

Note: HTTP status codes fall into classes by their first digit:

2xx - success (200 OK)
3xx - redirection
4xx - client error (403 Forbidden, 404 Not Found)
5xx - server error

Note: Apache ALWAYS maintains a DEFAULT HOST. Config is in httpd.conf and outside
of ANY and ALL virtual hosts containers
Note: Apache requires the following info. for the DEFAULT HOST:
1. ServerName linuxcbtsun1.linuxcbt.internal
2. ServerAdmin
3. DocumentRoot - where to serve content from
4. IP Address:Port to bind to - optional
5. Logging information - custom/combined & error logs

Note: Listen directive controls IPs and ports that Apache binds to
Note: specify 'Listen' directive(s) in the DEFAULT HOST(httpd.conf)
Note: You can specify multiple Listen Directives
Note: Apache binds to ALL IP addresses when 'Listen' is specified without an IP
address

DEFAULT HOST(IP:PORT)
-Virtual Host 1
-Virtual Host 2

<Directory "/var/apache2/htdocs">
Options Indexes FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
</Directory>
<Directory "/var/apache2/htdocs/temp">
Options FollowSymLinks
AllowOverride None

Order allow,deny
Allow from all
</Directory>
Note: <Directory "/var/apache2/htdocs"> - applies to all sub-directories unless a more specific <Directory> block overrides it
Note: 'Options Indexes' makes Apache generate a directory listing wherever no DirectoryIndex file exists, which exposes file names; omit it on directories that should not be browsable

###Order, Allow, Deny Rules###

Note: 'Order' fixes both the evaluation order and the default decision:
- Order allow,deny - default is deny; a matching Deny overrides any matching Allow
- Order deny,allow - default is allow; a matching Allow overrides any matching Deny
Note: 'Allow from' | 'Deny from' accept the following forms
1. IP Address - 127.0.0.1
2. Partial IP address covering a range (leading octets) - 192.168.1
3. IP Subnet Mask using CIDR or Class notation - 192.168.1.0/24 or 192.168.1.0/255.255.255.0
4. ALL
5. Environment variables - env=VAR, where VAR is set by SetEnvIf on, for example, the Referer or User-Agent header (both are chosen by the client, so this is a filter, not an authentication control)

Used to influence default doc: DirectoryIndex index.html index.html.var

LogFormat defines a named log format (the keywords such as 'combined') that CustomLog then references

Apache can write several log files simultaneously, each with its own format

###Alias Directive###
Maps a webspace location to a file system location, usually outside the DocumentRoot

###Files Directive###
Facilitates restrictions on matching files regardless of their location on the server
<Files noaccess.html>
Order allow,deny
Deny from all
</Files>
Note: When applied OUTSIDE of <Directory> block, applies to all instances of named
file throughout the web server

Task: Create web-accessible directory, but, restrict access to certain IPs


Steps:
1. mkdir /var/apache2/private
2. Create appropriate Alias - Alias /private/ /var/apache2/private/
3. Create appropriate <Directory> block
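Worked example for the Order/Allow/Deny rules and for the /private task above. This is an added example, not part of the course notes: a POSIX sh model of mod_access's decision logic, so a <Directory> block can be checked against client addresses before it is deployed. The function names (ip_in_net, apache_access) are the example's own; env= rules are not modelled.

```shell
#!/bin/sh
# Added example: a POSIX sh model of mod_access decisions, so a <Directory> block's
# Order/Allow/Deny rules can be checked against client addresses before deployment.
# Function names are the example's own. env= rules are not modelled.

# ip_in_net IP SPEC -> exit 0 if IP matches SPEC.
# SPEC forms, as in the notes: 127.0.0.1, 192.168.1 (leading octets),
# 192.168.1.0/24, 192.168.1.0/255.255.255.0, all
ip_in_net() {
  awk -v ip="$1" -v spec="$2" '
  function toint(a,  p) { split(a, p, "."); return ((p[1]*256+p[2])*256+p[3])*256+p[4] }
  BEGIN {
    if (spec == "all") exit 0
    if (index(spec, "/") == 0)                      # full or partial address: whole-octet prefix match
      exit ((index(ip ".", spec ".") == 1) ? 0 : 1)
    split(spec, s, "/")
    if (index(s[2], ".") > 0) block = 2^32 - toint(s[2])   # dotted netmask -> network size
    else block = 2^(32 - s[2])                              # CIDR prefix length -> network size
    exit ((int(toint(ip)/block) == int(toint(s[1])/block)) ? 0 : 1)
  }'
}

# apache_access ORDER "ALLOW SPECS" "DENY SPECS" IP -> prints allow or deny
#   Order allow,deny: deny by default; a Deny match wins over an Allow match
#   Order deny,allow: allow by default; an Allow match wins over a Deny match
apache_access() {
  a=0; d=0
  for spec in $2; do ip_in_net "$4" "$spec" && a=1; done
  for spec in $3; do ip_in_net "$4" "$spec" && d=1; done
  case $1 in
    allow,deny) if [ $a -eq 1 ] && [ $d -eq 0 ]; then echo allow; else echo deny; fi ;;
    deny,allow) if [ $d -eq 1 ] && [ $a -eq 0 ]; then echo deny; else echo allow; fi ;;
    *) echo "unknown Order: $1" >&2; return 2 ;;
  esac
}

# The /private task from the notes: Order allow,deny with Allow from 192.168.1.0/24
for ip in 192.168.1.50 192.168.2.7 10.0.0.5; do
  echo "$ip -> $(apache_access allow,deny '192.168.1.0/24' '' "$ip")"
done
```

The two Order variants are the usual source of surprises: with 'Order deny,allow' and no Deny line at all, everything is allowed, and with 'Order allow,deny' a broad 'Allow from all' followed by a narrow 'Deny from' still blocks the denied client.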

###Virtual Hosts Support###


2 Types of Virtual Hosts are supported:
1. IP-based - each virtual host is associated with a distinct address (and/or port)
2. Name-based - a group of virtual hosts shares one address; Apache selects the host from the Host: header the client sends

###IP-based Virtual Hosting###


Note: System requires multiple IP addresses
Note: Default Apache Host binds to ALL IP addresses on port 80

Steps:
1. Implement appropriate 'Listen' directive
2. Configure Virtual Hosts
3. Restart Apache
4. Test configuration

Listen 192.168.1.50:80
<VirtualHost 192.168.1.50:80>
ServerName linuxcbtsun1.linuxcbt.internal
ServerAdmin unixcbt@linuxcbtsun1.linuxcbt.internal
DocumentRoot /var/apache2/ipvhost1
ErrorLog /var/apache2/logs/ipvhost1.error.log
CustomLog /var/apache2/logs/ipvhost1.access.log combined
</VirtualHost>
Note: Apache will serve content from the DocumentRoot of DEFAULT HOST if a request
does NOT match any of the Virtual Hosts

Listen 192.168.1.51:80
<VirtualHost 192.168.1.51:80>
ServerName linuxcbtsun3.linuxcbt.internal
ServerAdmin unixcbt@linuxcbtsun1.linuxcbt.internal
DocumentRoot /var/apache2/ipvhost2
ErrorLog /var/apache2/logs/ipvhost2.error.log
CustomLog /var/apache2/logs/ipvhost2.access.log combined
</VirtualHost>

###NameBased Virtual Hosting###


Facilitates the sharing of 1 IP address by a group of web sites
Steps:
1. Define appropriate Listen directive(s)
2. Define appropriate NameVirtualHost directive(s)
3. Define Virtual Hosts
4. Restart Apache
5. Confirm configuration

Listen 80
NameVirtualHost *:80 - means to permit NameBased Virtual Hosts on ALL IPs
Note: the address:port in NameVirtualHost MUST match the one used in the <VirtualHost> containers
Note: the first <VirtualHost> defined for an address is the default for that address; it answers requests whose Host: header matches no ServerName/ServerAlias (including requests made by bare IP), so list the site you are willing to expose that way first

<VirtualHost *:80>
ServerName linuxcbtsun1.linuxcbt.internal
ServerAdmin unixcbt@linuxcbtsun1.linuxcbt.internal
DocumentRoot /var/apache2/namevhost1
ErrorLog /var/apache2/logs/namevhost1.error.log
CustomLog /var/apache2/logs/namevhost1.access.log combined
</VirtualHost>
BIND DNS Implementation - Notes

Bind 9.x
SUNWbind(client & server utilities) & SUNWbindr(SMF)

Steps to configure DNS:


1. Create /etc/named.conf - primary named/BIND/DNS configuration file

options {
directory "/var/named";
};

###Special zone indicating the root of the DNS hierarchy###


###Downloaded named.root from: ftp://ftp.rs.internic.net/domain/named.root###
zone "." {
type hint;
file "db.cache";
};

###Reverse Zones###
zone "0.0.127.in-addr.arpa" {
type master;
file "db.127.0.0";
};

zone "1.168.192.in-addr.arpa" {
type master;
file "db.192.168.1";
};
zone "20.16.172.in-addr.arpa" {
type master;
file "db.172.20.16";
};

###Forward Zones###
zone "unixcbt.internal" {
type master;
file "db.unixcbt.internal";
};
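Added example, not from the course notes, for the reverse zones declared above: shell functions that derive the in-addr.arpa zone name and the PTR owner name for an address, so the zone statements and the db.* contents stay consistent instead of being typed by hand. The function names are the example's own; only octet-aligned networks (/8, /16, /24) are handled, which is what the classic in-addr.arpa delegation model supports.

```shell
#!/bin/sh
# Added example: derive in-addr.arpa names for the reverse zones in named.conf.
# Only octet-aligned networks (/8, /16, /24) are handled. Function names are the example's own.

# rev_zone NETWORK PREFIXLEN -> reverse zone name, e.g. 192.168.1.0 24 -> 1.168.192.in-addr.arpa
rev_zone() {
  echo "$1" | awk -F. -v bits="$2" '{
    n = bits / 8
    if (n != int(n) || n < 1 || n > 3) exit 1      # not octet-aligned: refuse rather than guess
    out = ""
    for (i = n; i >= 1; i--) out = out $i "."     # network octets, reversed
    print out "in-addr.arpa"
  }'
}

# ptr_owner IP PREFIXLEN -> owner of the PTR record relative to that zone:
# the host octets in reverse order, e.g. 192.168.1.197 24 -> 197, 10.1.2.3 8 -> 3.2.1
ptr_owner() {
  echo "$1" | awk -F. -v bits="$2" '{
    n = bits / 8
    if (n != int(n) || n < 1 || n > 3) exit 1
    out = ""
    for (i = 4; i > n; i--) out = out (out == "" ? "" : ".") $i
    print out
  }'
}

# ptr_record IP PREFIXLEN FQDN -> the line to add to the db.<network> zone file
# (the trailing dot keeps the target from having the zone origin appended)
ptr_record() {
  owner=$(ptr_owner "$1" "$2") || return 1
  printf '%s\tIN\tPTR\t%s.\n' "$owner" "$3"
}

# The three reverse zones from named.conf above, and the PTR for the mail host
for net in 127.0.0.0 192.168.1.0 172.16.20.0; do
  echo "zone \"$(rev_zone "$net" 24)\""
done
ptr_record 192.168.1.197 24 mail.unixcbt.internal
```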

###Zone File Syntax###


Note: @ stands for the current origin, i.e. the zone name as given in /etc/named.conf (unless changed with $ORIGIN inside the zone file)

svcadm enable dns/server

Note: With or without master zones, BIND answers recursive queries for whoever can reach it (caching-only behaviour). Restrict recursion to local clients with 'allow-recursion { localnets; };' in the options block so the server is not an open resolver

Our server is configured to be:


1. Caching-Only Server
2. Authoritative Server

###Mail Exchanger(MX) Record Setup###


Note: Implement MX via 2 records
1. IN MX 10 mail.unixcbt.internal. - owner is @ (the zone); the target must be a hostname, never an IP address or a CNAME
2. mail IN A 192.168.1.197 - the A record for that target
###Slave DNS Server Configuration###
Note: There really isn't a "slave server" in BIND terms: a server is a slave for a ZONE ('type slave;' with a 'masters { ip; };' statement pointing at the primary) and can be master for other zones at the same time

Steps:
1. copy the following files to the slave server:
a. db.127.0.0 - houses the reverse loopback zone (each server is master for its own loopback zone)
b. db.cache - houses the root hints
c. named.conf - primary BIND configuration file, with the unixcbt.internal and reverse zones changed from 'type master' to 'type slave' plus a 'masters' statement
Note: the slave fetches the data for its slave zones from the master by zone transfer and writes it to the 'file' named in the zone statement, so those zone files are not copied by hand
Note: on the master, limit who may pull the zone with 'allow-transfer { slave-ip; };' so the full host list is not available to anyone who asks

Note: a BIND server can therefore be caching-only, authoritative (master) and slave at the same time.
System Scheduler Cron - Notes

Features:
1. Permits scheduling of scripts (shell/perl/python/ruby/PHP/etc.) and tasks on a per-user basis via individual cron tables.
2. Permits recurring execution of tasks
3. Permits one-time execution of tasks via 'at'
4. Logs each run in /var/cron/log; any output the job produces is mailed to the submitting user
5. Restricts who may use cron/at via cron.allow, cron.deny, at.allow and at.deny in /etc/cron.d

Directory Layout for Cron daemon:


/var/spool/cron - holds, in its sub-directories, the cron & at entries
/var/spool/cron/atjobs - houses one-off, atjobs
- 787546321.a - corresponds to a user's atjob

/var/spool/cron/crontabs - houses recurring jobs for users


- username - these files house recurring tasks for each user

Cron command:
crontab - facilitates the management of cron table files
-crontab -l - lists the cron table for the current user
- for root, this reads /var/spool/cron/crontabs/root

###Cron table format###

m(0-59) h(0-23) dom(1-31) m(1-12) dow(0-6) command


10 3 * * * /usr/sbin/logadm - 3:10AM - every day
15 3 * * 0 /usr/lib/fs/nfs/nfsfind - 3:15 - every Sunday
30 3 * * * [ -x /usr/lib/gss/gsscred_clean ] && /usr/lib/gss/gsscred_clean
1 2 * * * [ -x /usr/sbin/rtc ] && /usr/sbin/rtc -c > /dev/null 2>&1

m(0-59) h(0-23) dom(1-31) m(1-12) dow(0-6) command


Note: (date/time/command) MUST be on 1 line
m = minute(0-59)
h = hour(0-23)
dom = day of the month(1-31)
m = month(1-12)
dow = day of the week(0-6) - 0=Sunday

Note: each line contains 6 fields/columns - 5 pertain to date & time of execution,
and the 6th pertains to command to execute

#m h dom m dow
10 3 * * * /usr/sbin/logadm - 3:10AM - every day
* * * * * /usr/sbin/logadm - every minute,hour,dom,m,dow
*/5 * * * * /usr/sbin/logadm - every 5 minutes(0,5,10,15...)
1 0-4 * * * /usr/sbin/logadm - 1 minute after the hours 0-4
0 0,2,4,6,9 * * * /usr/sbin/logadm - top of the hours 0,2,4,6,9

1-9 0,2,4,6,9 * * * /usr/sbin/logadm - 1-9 minutes of hours 0,2,4,6,9

Note: Separate columns/fields using whitespace or tabs

###Create crontabs for root & unixcbt###


Note: ALWAYS test commands prior to crontab/at submission
11 * * * * repquota -va >> /reports/`date +\%F`.quota.report
Note: in a crontab entry an unescaped % is turned into a newline (whatever follows it becomes the command's standard input), so `date +%F` must be written as `date +\%F` here, or the command moved into a script as below

Note: set EDITOR variable to desired editor


export EDITOR=vim

###unixcbt - execute quota -v###


#!/usr/bin/bash
HOME=/export/home/unixcbt
quota -v >> $HOME/`date +%F`.unixcbt.quota.report
#END

Note: reference a script (shell/perl/python/ruby/PHP, etc.) from the crontab rather than embedding shell metacharacters such as %, backticks and redirections directly in the entry

Note:
A default Solaris install creates at.deny & cron.deny (in /etc/cron.d) but no allow files
With only the deny files present, you must NOT be listed in them to submit at & cron entries

If cron.allow or at.allow exists it takes precedence: you MUST be listed in the allow file to submit cron or at entries, and the corresponding deny file is then ignored
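The two checks above (who may submit, and whether an entry is well-formed) as an added shell example, not from the course notes. cron_access models the cron.allow/cron.deny precedence from crontab(1), with the file paths as parameters so it can be run against constructed files rather than the live /etc/cron.d files; the neither-file case is modelled as root-only (Solaris also honours the solaris.jobs.user authorization, which this model ignores). crontab_line_ok checks the field count and ranges; the */n step form is accepted because the notes use it. Both function names are the example's own.

```shell
#!/bin/sh
# Added example: the two checks worth running before trusting a crontab.
# cron_access models the cron.allow/cron.deny precedence from crontab(1); the file
# paths are parameters so it can be run against constructed files rather than the
# live /etc/cron.d files. crontab_line_ok checks the field count and ranges.
# Function names are the example's own.

# cron_access USER ALLOWFILE DENYFILE -> prints allow or deny
#   allow file present: only listed users (the deny file is then ignored)
#   only deny file present: everyone not listed
#   neither file: root only (Solaris also honours the solaris.jobs.user RBAC
#   authorization; this model ignores RBAC)
cron_access() {
  if [ -f "$2" ]; then
    grep -Fqx "$1" "$2" && echo allow || echo deny
  elif [ -f "$3" ]; then
    grep -Fqx "$1" "$3" && echo deny || echo allow
  elif [ "$1" = root ]; then
    echo allow
  else
    echo deny
  fi
}

# crontab_line_ok LINE -> exit 0 if LINE is a comment, blank, or a well-formed entry:
# five time fields within range (m 0-59, h 0-23, dom 1-31, mon 1-12, dow 0-6), then a command.
# Accepts *, single values, a-b ranges, comma lists and the */n step form used in the notes.
crontab_line_ok() {
  printf '%s\n' "$1" | awk '
  function field_ok(f, lo, hi,    n, items, i, item, m, r, j) {
    n = split(f, items, ",")
    for (i = 1; i <= n; i++) {
      item = items[i]
      sub(/\/[0-9]+$/, "", item)            # strip a /n step suffix
      if (item == "*") continue
      m = split(item, r, "-")
      if (m > 2) return 0
      for (j = 1; j <= m; j++)
        if (r[j] !~ /^[0-9]+$/ || r[j] + 0 < lo || r[j] + 0 > hi) return 0
      if (m == 2 && r[1] + 0 > r[2] + 0) return 0
    }
    return 1
  }
  /^[[:space:]]*#/ || NF == 0 { exit 0 }
  NF < 6 { exit 1 }                         # date/time fields and the command must share one line
  { exit ((field_ok($1, 0, 59) && field_ok($2, 0, 23) && field_ok($3, 1, 31) &&
           field_ok($4, 1, 12) && field_ok($5, 0, 6)) ? 0 : 1) }'
}

# Demo against a constructed cron.allow (unixcbt listed, guest not) and a few entries
demo_cron() {
  d=$(mktemp -d)
  printf 'unixcbt\n' > "$d/cron.allow"
  for u in unixcbt guest; do
    echo "$u: $(cron_access "$u" "$d/cron.allow" "$d/cron.deny")"
  done
  rm -rf "$d"
  for l in '10 3 * * * /usr/sbin/logadm' '*/5 * * * * /usr/sbin/logadm' '60 3 * * * /usr/sbin/logadm'; do
    if crontab_line_ok "$l"; then echo "ok:  $l"; else echo "bad: $l"; fi
  done
}
demo_cron
```

crontab_line_ok is deliberately strict about the day-of-week range (0-6), since Solaris cron does not accept 7 for Sunday the way some other crons do.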
File System Management - Notes

###Recap of steps necessary to partition/slice & create file systems###


Steps:
1. unmount existing file systems
-umount /data2; umount /data3

2. confirm fdisk partitions via 'format' utility


-format - select disk - select fdisk

3. use partition - modify to create slices on desired drives


DISK1
-slice 0 - /dev/dsk/c0t1d0s0
DISK2
-slice 0 - /dev/dsk/c0t2d0s0

4. Create a file system on each new slice: 'newfs /dev/rdsk/c0t1d0s0' and 'newfs /dev/rdsk/c0t2d0s0' (newfs takes the raw device; check the target twice, since c0t0d0 is the system disk here and newfs on it would destroy the OS)

5. Use 'fsck /dev/rdsk/c0t1d0s0' to verify the consistency of the file system

6. Mount file systems at various mount points


mount /dev/dsk/c0t1d0s0 /data2 && mount /dev/dsk/c0t2d0s0 /data3
7. create entries in Virtual File System Table (/etc/vfstab) file

###How to determine file system associated with device###


1. fstyp /dev/rdsk/c0t0d0s0 - returns the file system type
2. grep mount point from /etc/vfstab - returns matching line
grep /var /etc/vfstab
3. cat /etc/mnttab - displays currently mounted file system

###Temporary File System (tmpfs) Implementation###

tmpfs provides in-memory (RAM and swap backed), very fast storage and boosts application performance. Always cap it with size=: an uncapped tmpfs can consume all available memory and swap

Steps:
1. Determine available memory and the amount you can spare for TEMPFS
-prtconf
- allocate 100MB
2. Execute mount command:

mkdir /tempdata && chmod 1777 /tempdata && mount -F tmpfs -o size=100m swap /tempdata
Note: 1777 (sticky bit, as on /tmp) lets everyone create files but only the owner delete or rename them; a plain 777 would let any user remove other users' files

Note: tmpfs data does NOT persist/survive across reboots

Note: tmpfs data is lost when the following occurs:
1. the tmpfs mount point is unmounted: i.e. umount /tempdata
2. System reboot

Modify /etc/vfstab to include the tmpfs mount point so it is re-created at boot (size= goes in the mount options column):

swap - /tempdata tmpfs - yes size=100m

###Swap File/Partition Creation###


swap -l | -s - to display swap information

mkfile size location_of_file - to create swap file


mkfile 512m /data2/swap2
swap -a /data2/swap2 - activates swap file

To remove swap file:


swap -d /data2/swap2 - removes the swap space from the kernel. Does NOT remove the file
rm -f /data2/swap2
Note: a swap file holds pages of process memory, so it must stay readable and writable by root only (mode 600) for as long as it exists

###Swap Partition Creation###


format - select disk - partition - select slice/modify
swap -a /dev/dsk/c0t2d0s1

Modify /etc/vfstab
Volume Management - Notes
Solaris' Volume Management permits the creation of 5 object types:
1. Volumes - RAID 0 (concatenation or stripe), RAID 1 (mirroring), RAID 5 (striping with parity)
2. Soft partitions - permit the creation of very large storage devices
3. Hot spare pools - provision spare storage that takes over automatically when a RAID-1/5 component fails
i.e. MIRROR
-DISK1
-DISK2
-DISK3 - spare

4. State database replica - MUST be created prior to volumes


- Contains configuration & status of ALL managed objects (volumes/hot spare
pools/Soft partitions/etc.)

5. Disk sets - used when clustering Solaris in failover mode

Note: Volume Management facilitates the creation of virtual disks


Note: Virtual disks are accessible via: /dev/md/dsk & /dev/md/rdsk
Rules regarding Volumes:
1. State database replicas are required
2. Volumes can be created using dedicated slices
3. Volumes can be created on slices with state database replicas
4. Volumes created by volume manager CANNOT be managed using 'format', however, can
be managed using CLI-tools (metadb, metainit) and GUI tool (SMC)
5. You may use tools such as 'mkfs', 'newfs', 'growfs'
6. You may grow volumes using 'growfs'

###State Database Replicas###


Note: At least 3 replicas are required for a consistent, functional, multi-user
Solaris system.

3 - yields at least 2 replicas in the event of a failure


Note: if replicas are on same slice or media and are lost, then Volume Management
will fail, causing loss of data.
Note: place replicas on as many distinct controllers/disks as possible

Note: Max of 50 replicas per disk set

Note: Volume Management relies upon the Majority Consensus Algorithm (MCA) to decide whether the recorded volume configuration can be trusted: more than half of the replicas must agree

majority = floor(replicas / 2) + 1
3 replicas: majority = 1 + 1 = 2, so one replica may be lost

Note: try to create an even number of replicas

4 replicas: majority = 2 + 1 = 3

Note: with exactly half of the replicas available the system keeps running, but it will not reboot into multi-user mode; with fewer than half it panics

State database replica is approximately 4MB by default - for local storage

Rules regarding storage location of state database replicas:


1. dedicated partition/slice - c0t1d0s3
2. local partition that is to be used in a volume(RAID 0/1/5)
3. UFS logging devices
4. '/', '/usr', 'swap', and other UFS partitions CANNOT be used to store state
database replicas
###Configure slices to accomodate State Database Replicas###
c0t1d0s0 -
c0t2d0s0 -
RAID 0 (STRIPE) - 60GB

###Create RAID 0 (STRIPE) - NOT REDUNDANT###


c0t1d0s0 -
c0t2d0s0 -
RAID 0 (STRIPE) - 60GB - /dev/md/dsk/d0
Note: Volumes can be created using slices from a single or multiple disks
Note: State database replicas serve for ALL volumes managed by Volume Manager

Note: RAID 0 Concatenation - exhausts DISK1 before writing to DISK2


Note: RAID 0 Stripe - distributes data evenly across members
Note: Use the same size slices when using RAID0 with Striping

Note: after defining volume, create file system


newfs /dev/md/rdsk/d0

###Suggested layout for creating volumes using volume manager###


SERVER
-DISK0 - SYSTEM DISK

VOLUME MANAGE SECONDARY DISKS


-DISK1 - SECONDARY DISK
-DISK2 - SECONDARY DISK

##RAID-1 Configuration###
Note: RAID-1 relies upon submirrors or existing RAID-0 volumes
c0t1d0s0 - /dev/md/dsk/d0
c0t2d0s0 - /dev/md/dsk/d1
/dev/md/dsk/d2

d0 - source sub-mirror
d1 - destination sub-mirror

Create file system on mirrored volume '/dev/md/dsk/d2'


newfs /dev/md/rdsk/d2

###RAID-5 Configuration###
Steps:
1. Ensure that 3 components(slices/disks) are available for configuration
2. Ensure that components are identical in size

Slices for RAID-5 (three distinct components of equal size, preferably on three disks)

c0t1d0s0 - 10GB
c0t2d0s0 - 10GB
a third 10GB slice on another disk

/dev/md/dsk/d0 = RAID-5 = 20GB usable (one component's worth of space is consumed by parity)

Note: You may attach components to RAID-5 volume, but they will not store parity
information, however, their data will be protected.

###Using growfs to extend volumes###


growfs extends mounted or unmounted UFS file systems on a volume (ZFS does not use growfs; a pool grows when devices are added to it)
Steps to grow a mounted/unmounted file system
1. Find free slice(s) to add as component(s) to volume using SMC or metattach CLI
2. Add component slice - wait for initialization(concatenation) to complete
3. execute 'growfs -M /d0 /dev/md/rdsk/d0'

Note: Once you've extended a volume, you CANNOT decrease it in size.


Note: Concatenation of RAID-1/5 volumes yields an untrue RAID-1/5 volume.
SLICE1
SLICE2
SLICE3
SLICE4 - Concatenated - NOT a true RAID-1/5 member (no parity is stored)

Note: When extending RAID-1 volumes, extend each sub-mirror first, and then Solaris
will automatically extend the RAID-1 volume. Then run 'growfs.'

###Soft Partitions###
1. Provides an abstracted, extensible partition object
2. Permits virtually unlimited segmentation of disk
c0t1d0 - slices s0-s7 on SPARC, s0-s9 on x86; slice 2 represents the whole disk and s8/s9 are reserved on x86, so 0, 1 and 3-7 are usable for data

3. Permits creation of partitions on top of 1 or more slices

Steps:
1. Clean up partitions on existing disks: c0t1d0 & c0t2d0
File Transfer Protocol Daemon (FTPD) Implementation - Notes
wu-ftpd
FTPD (wu-ftpd, started by inetd under SMF) binds to TCP port 21 and is enabled by default; disable the ftp service where FTP is not needed, since FTP sends credentials in clear text
SMF controls service configuration
svcs -l ftp - returns configuration

pkginfo -x | grep -i ftp - returns SUNWftpu|r packages

SUNWftpu - includes useful user packages


ftpcount - dumps count per class
ftpwwho - returns connected users & process information
ftpconfig - used to setup anonymous/guest FTP

SUNWftpr - includes server-side configuration files


/etc/ftpd
- ftpaccess - primary configuration file for wu-ftpd
- ftphosts - allow|deny access to users from hosts
- ftpservers - allows admin to define virtual hosts
- ftpusers - users listed may NOT access the server via FTP
- ftpconversions - facilitates tar, compress, gzip support

wu-ftpd supports both types of FTP connections:


1. PORT - Active FTP
- Client -> TCP:21(Server-Control-Connection)
- Client executes 'ls' -> results in server initiating a connection back to the
client usually on TCP:20(ftp-data)
2. PASV - Passive FTP
- Client -> TCP:21(Server-Control-Connection)
- Client executes 'ls' -> results in server opening a high-port and instructing
the client to source(initiate) a connection to the server.
- Client sources data connection to high-port on server

###Anonymous FTP configuration###


use 'ftpconfig' to provision anonymous access
Note: Guest connections are jailed using chroot()

###FTPD Class Support###


Facilitates the grouping of users for the purpose of assigning directives
3 Default Classes:
1. realusers - CAN login using shell(SSH/Telnet) - CAN browse the entire directory
tree
2. guestusers - Temporary users - see chrooted envrionment
3. anonusers - General public - primarily for download capability

###Guest User Support###


Jailed/chrooted environment

Steps:
1. useradd -d /export/home/guests/unixcbt4 -s /bin/true unixcbt4 - the non-interactive shell keeps the account out of SSH/Telnet; then set the account's password
2. mkdir -p /export/home/guests/unixcbt4
3. chown unixcbt4 /export/home/guests/unixcbt4
4. ftpconfig -d /export/home/guests/unixcbt4 - populates the chrooted environment under that directory
5. update /etc/ftpd/ftpaccess - config file
guestuser unixcbt4
6. restart ftp using svcadm restart ftp
Note: Guest users are similar to real users except guest users are chrooted/jailed.
Note: wu-ftpd only accepts accounts whose shell is returned by getusershell(3C), i.e. listed in /etc/shells when that file exists; add /bin/true there if guest logins are refused

###Virtual Hosts###
wu-ftpd - supports 2 forms of virtual hosts:
1. Limited - relies upon primary config files /etc/ftpd{ftpaccess,ftpusers...}
Admin. may define unique attributes including the following:
a. banner
b. logfile
c. hostname
d. email
e. distinct IP address

2. Full - relies upon distinct config files in specified directory


a. offers everything included with limited virtual hosts mode
b. also adds distinct config files
c. Note: Full-mode will use default config files in /etc/ftpd if the full
virtual hosts instance is unable to find a distinct file.

###Limited Virtual Hosts Configuration###


/etc/ftpd/ftpaccess
virtual 192.168.1.51 root /var/ftp2
virtual 192.168.1.51 hostname linuxcbtdb1.linuxcbt.internal
virtual 192.168.1.51 banner /var/ftp2/.welcome_message.msg
virtual 192.168.1.51 logfile /var/log/ftp2/xferlog
virtual 192.168.1.51 allow unixcbt3

Note: Virtual hosts do not allow real & guest users access by default

###Full Virtual Hosts Configuration###


/etc/ftpd/ftpservers
address configuration_directory
192.168.1.51 /etc/ftpd/ftp2
192.168.1.52 /etc/ftpd/ftp3
GNU Privacy Guard (GPG) - Notes
Features:
1. Public key pair generation & maintenance for all users on the system. Keys are stored per user in ~/.gnupg
2. Encrypt/Decrypt files - based on communication partner's public key
3. Encrypt/Decrypt E-mails - based on recipient's public key
4. Generate/Manage digital signatures(means of proving identity)

###Install GPG###
1. www.sunfreeware.com
2. gunzip gnupg-1.2.6-sol10-intel-local.gz && pkgadd -d gnupg-1.2.6-sol10-intel-local
Note: pkgadd runs the package's scripts as root, so verify the download against the checksum published with it before installing

Note: GPG maintains 2 keyrings by default, both under ~/.gnupg:

1. Public (pubring.gpg) - your public key, and potentially others' public keys
a. use 'gpg --list-keys' to enumerate public keys
2. Private/secret (secring.gpg) - your private key(s); keep ~/.gnupg mode 0700 and its files 0600 (gpg warns when the permissions are looser)

Note: gpg uses recipient's public key to encrypt communications(e-mail/files)

###Create Public/Private Key-Pair###


gpg --gen-key
Note: 'gpg --gen-key' functions similarly to 'ssh-keygen' utility
Note: passphrase is associated with 'private key' of pub/priv pair

Note: GPG is compatible with PGP

###Import other's public keys###


MySQL Implementation - Notes

Included with the Software Companion DVD

pkginfo -x | grep -i mysql


Note: Current version of MySQL is NOT managed by SMF

Steps to initialize MySQL:

1. groupadd mysql && useradd -g mysql mysql && echo $?
2. /usr/sfw/bin/mysql_install_db - initializes the default DBs & tables (the 'mysql' grant tables and the 'test' database)
3. chgrp -R mysql /var/mysql && chmod -R 770 /var/mysql && echo $?
4. installf SUNWmysqlr /var/mysql d 770 root mysql
5. cp /usr/sfw/share/mysql/my-medium.cnf /etc/my.cnf (global configuration)
6. /usr/sfw/sbin/mysqld_safe --user=mysql & - starts MySQL as the unprivileged mysql user
7. /usr/sfw/bin/mysqladmin -u root password 'abc123' - a freshly installed server has an empty root password; set one immediately after the first start, before anything else can connect
8. symlink the init script into the run-level directories:
ln -s /etc/sfw/mysql/mysql.server /etc/rc3.d/S99mysql
ln -s /etc/sfw/mysql/mysql.server /etc/rc0.d/K00mysql
ln -s /etc/sfw/mysql/mysql.server /etc/rc1.d/K00mysql
ln -s /etc/sfw/mysql/mysql.server /etc/rc2.d/K00mysql
ln -s /etc/sfw/mysql/mysql.server /etc/rcS.d/K00mysql

Note: MyISAM Tables usually contain at least 3 files:


1. .MYI - Index file
2. .MYD - Data File
3. .FRM - Form file(Describes Table Structure)

Note: Client options specified on the command line override all other instances of the option.
Order of options/directives to be processed usually resembles the following:
1. /etc/my.cnf - global config file
2. /var/mysql/my.cnf - data-server specific config file
3. ~/my.cnf - user-specific config file
4. command line options

Note: Drop test database using the following syntax: 'drop database test;'
Note: You CANNOT drop the 'mysql' database because it contains the following
critical information:
1. list of databases to manage
2. user table
3. privileges table

Note: MySQL creates 2 default users: 'root' (with an empty password until one is set) and an anonymous user with an empty user name

Note: The anonymous user matches any login name that has no explicit entry in mysql.user; remove the anonymous entries before exposing the server, otherwise anyone who can reach the port can connect

Create MySQL User using the following command:


grant all privileges on *.* to 'unixcbt'@'localhost' IDENTIFIED BY 'abc123';

Note: ALL PRIVILEGES ON *.* makes unixcbt a second superuser; for an account that only works with one database, grant on that database (dbname.*) and only the privileges it needs (SELECT, INSERT, UPDATE, DELETE)

Note: After altering privileges, flush them to take effect using:

flush privileges;

Note: GRANT itself takes effect immediately; the flush is needed after editing the grant tables directly with INSERT/UPDATE
NETSTAT - Notes

Lists connections for ALL protocols & address families to and from machine
Address Families (AF) include:
INET - ipv4
INET6 - ipv6
UNIX - Unix Domain Sockets(Solaris/FreeBSD/Linux/etc.)

Protocols Supported in INET/INET6 include:


TCP, IP, ICMP(PING(echo/echo-reply)), IGMP, RAWIP, UDP(DHCP,TFTP,etc.)

Lists routing table


Lists DHCP status for various interfaces
Lists net-to-media table - network to MAC(network card) table

###NETSTAT Usage###
netstat - returns sockets by protocol, naming ports via /etc/services
/etc/nsswitch.conf is consulted by netstat to resolve names for IPs

netstat -a - returns ALL protocols for ALL address families (TCP/UDP/UNIX)

netstat -an - -n option disables name resolution of hosts & ports

netstat -i - returns the state of interfaces. pay attention to


errors/collisions/queue columns when troubleshooting performance

netstat -m - returns STREAMS resource/memory statistics (not TCP-specific)

netstat -p - returns net-to-media info (MAC/layer-2 info.) i.e. arp

netstat -P protocol (ip|ipv6|icmp|icmpv6|tcp|udp|rawip|raw|igmp) - returns active


sockets for selected protocol

netstat -r - returns routing table

netstat -D - returns DHCP configuration (lease duration/renewal/etc.)

netstat -an -f address_family


netstat -an -f inet|inet6|unix
netstat -an -f inet - returns ipv4 only information

netstat -n -f inet
netstat -anf inet -P tcp
netstat -anf inet -P udp
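Added example, not from the course notes: the check a practitioner usually wants from 'netstat -an -P tcp', namely which TCP listeners are reachable from the network rather than bound to loopback. The input below is constructed to match the Solaris 10 layout (local socket printed as ADDRESS.PORT, '*' for the wildcard address, state in the last column) and is not a capture from the lab host; the function handles the IPv4 family only ('-f inet'), and its name is the example's own.

```shell
#!/bin/sh
# Added example: find TCP listeners reachable from the network in "netstat -an -P tcp"
# output. Solaris prints the local socket as ADDRESS.PORT, with "*" meaning the wildcard
# address (bound to every interface). IPv4 ("-f inet") layout only.
# The sample is constructed to look like Solaris 10 output; it is not a capture.

sample_netstat() {
  cat <<'EOF'
TCP: IPv4
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q    State
-------------------- -------------------- ----- ------ ----- ------ -----------
      *.22                 *.*                0      0 49152      0 LISTEN
      *.21                 *.*                0      0 49152      0 LISTEN
127.0.0.1.3306             *.*                0      0 49152      0 LISTEN
192.168.1.50.80            *.*                0      0 49152      0 LISTEN
192.168.1.50.22      192.168.1.7.52031     49640      0 49640      0 ESTABLISHED
EOF
}

# exposed_listeners: read netstat output on stdin, print "PORT BIND-ADDRESS" for each
# LISTEN socket that is not restricted to the loopback address, lowest port first.
exposed_listeners() {
  awk '$NF == "LISTEN" {
    n = split($1, a, ".")
    port = a[n]                                           # text after the last dot
    addr = substr($1, 1, length($1) - length(port) - 1)   # everything before it
    if (addr != "127.0.0.1")
      print port, (addr == "*" ? "every-interface" : addr)
  }' | sort -n
}

sample_netstat | exposed_listeners
```

In the sample the MySQL listener on 127.0.0.1.3306 is filtered out, while the wildcard-bound SSH and FTP listeners and the Apache IP-based virtual host on 192.168.1.50 are reported; anything in that list that is not meant to be reachable should be bound to a specific address or disabled.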
Network Configuration Overview - Notes

2-Modes
1. Local Files Mode - config is defined statically via key files
2. Network Client Mode - DHCP is used to auto-config interface(s)

Current Dell PE server has 3 NICs:


1. e1000g0 - plumbed (configured for network client mode)
2. iprb0 - unplumbed
3. iprb1 - unplumbed

1-Virtual Mandatory interface lo0 - loopback

Determine physical interfaces using 'dladm show-dev | show-link'


Determine plumbed and loopback interfaces using 'ifconfig -a'

NIC naming within Solaris OS: i.e. e1000g0 - e1000g(driver name) 0(instance)

Layers 2 & 3 info. - ifconfig -a, or ifconfig e1000g0


Layer 1 info. - dladm show-dev | show-link

###Key network configuration files###


svcs -a | grep physical
svcs -a | grep loopback

1. IP Address - /etc/hostname.e1000g0, /etc/hostname.iprb0 | iprb1


2. Domain name - /etc/defaultdomain - linuxcbt.internal
3. Netmask - /etc/inet/netmasks - 192.168.1.0 255.255.255.0
4. Hosts database - /etc/hosts, /etc/inet/hosts - loopback & ALL interfaces
5. Client DNS resolver file - /etc/resolv.conf
6. Default Gateway - /etc/defaultrouter - 192.168.1.1, 172.16.20.1, 10.0.0.1
7. Node name - /etc/nodename
8. Name service configuration file - /etc/nsswitch.conf

netstat -D - returns DHCP configuration for ALL interfaces


ifconfig -a - returns configuration for ALL interfaces

Reboot the system after transitioning from network client (DHCP) mode to local files (static) mode

Move /etc/dhcp.e1000g0 aside or remove it so that the DHCP agent is NOT invoked for e1000g0 at boot
echo "linuxcbtsun1" > /etc/nodename

###Plumb/enable the iprb0 100Mb/s interface###


Plumbing interfaces is analagous to enabling interfaces
Note: 172.16.20.11 is a Linux host waiting to communicate with iprb0 interface
Steps:
1. ifconfig iprb0 plumb - creates (enables) the iprb0 interface in the kernel
2. ifconfig iprb0 172.16.20.10 netmask 255.255.255.0 up - assigns the layer-3 IPv4 address and brings the interface up

Steps to Unplumb an interface:


1. ifconfig iprb0 down unplumb - down first, then remove the interface from the kernel
###Ensure that newly-plumbed interface settings persists across reboots###
Steps include updating/creating the following files:
1. echo "172.16.20.10" > /etc/hostname.iprb0
2. create entry in /etc/hosts - 172.16.20.10 linuxcbtsun1
3. echo "172.16.20.0 255.255.255.0" >> /etc/inet/netmasks

Note: To down interface, execute:


ifconfig interface_name down
ifconfig iprb0 down && ifconfig iprb0

###Sub-interfaces/Logical Interfaces###
e1000g0(physical interface) - 192.168.1.50(Primary Apache website)
192.168.1.51(Secondary Apache website)
192.168.1.52(Used for SSH)

iprb0 - 172.16.20.10
iprb1

Use 'ifconfig interface_name addif ip_address <netmask>'


ifconfig e1000g0 addif 192.168.1.51 - no netmask given, so Solaris looks the network up in /etc/inet/netmasks and otherwise applies the classful default (/24 for a 192.168.x.x address; a 172.16.x.x or 10.x.x.x address would get /16 or /8 unless /etc/inet/netmasks says otherwise)

Note: This will automatically create an 'e1000g0:1' logical interface


Note: Solaris places new logical interface in DOWN mode by default
Note: use 'ifconfig e1000g0:1 up' to bring the interface up

Note: logical/sub-interfaces are contingent upon physical interfaces


Note: if physical interface is down, so will the logical interface(s)
Note: connections are sourced using IP address of physical interface

###Save logical/sub-interface configuration for persistence across reboots###

1. gedit /etc/hostname.e1000g0:1 - 192.168.1.51


2. gedit /etc/hostname.e1000g0:2 - 192.168.1.52
3. Optionally update /etc/hosts - /etc/inet/hosts
4. Optionally update /etc/inet/netmasks - when subnetting
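Added example, not from the course notes, for the netmask derivation mentioned above ('addif' without a netmask, and a bare address in /etc/hostname.iprb0): what mask Solaris ends up with, and why the /etc/inet/netmasks entry for 172.16.20.0 matters. classful_mask gives the classful fallback; netmask_for is a simplified model of the /etc/inet/netmasks lookup (an entry applies when the address lies inside the entry's network under the entry's own mask). The netmasks file content is constructed, and the function names are the example's own.

```shell
#!/bin/sh
# Added example: show which netmask Solaris will apply to an interface address when
# none is given on the command line or in /etc/hostname.<if>. Solaris consults
# /etc/inet/netmasks and, with no matching entry, falls back to the classful default.
# netmask_for is a simplified model of that lookup; the file contents are constructed.

# classful_mask IP -> the classful default mask (A: /8, B: /16, C: /24)
classful_mask() {
  first=${1%%.*}
  if [ "$first" -lt 128 ]; then echo 255.0.0.0
  elif [ "$first" -lt 192 ]; then echo 255.255.0.0
  else echo 255.255.255.0
  fi
}

# netmask_for IP NETMASKS_FILE -> mask from the file if an entry covers IP, else classful
netmask_for() {
  mask=$(awk -v ip="$1" '
    function toint(a,  p) { split(a, p, "."); return ((p[1]*256+p[2])*256+p[3])*256+p[4] }
    /^[[:space:]]*#/ || NF < 2 { next }
    { block = 2^32 - toint($2)                  # size of one network under this mask
      if (int(toint(ip)/block) == int(toint($1)/block)) { print $2; exit } }' "$2")
  if [ -n "$mask" ]; then echo "$mask"; else classful_mask "$1"; fi
}

# Demo with a constructed /etc/inet/netmasks: only 192.168.1.0 and 172.16.20.0 have entries
demo_netmasks() {
  f=$(mktemp)
  printf '# network-number netmask\n192.168.1.0 255.255.255.0\n172.16.20.0 255.255.255.0\n' > "$f"
  for ip in 192.168.1.51 172.16.20.10 172.16.21.10 10.0.0.5; do
    echo "$ip $(netmask_for "$ip" "$f")"
  done
  rm -f "$f"
}
demo_netmasks
```

Without the 172.16.20.0 entry, 172.16.20.10 would come up with a /16 mask and the host would treat the whole 172.16.0.0/16 range as directly attached, which silently breaks routing to other 172.16 subnets.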

Note: To remove logical interface execute the following:


ifconfig physical_interface_name removeif ip_address
ifconfig iprb0 removeif 172.16.20.20

###/etc/nsswitch.conf - name service configuration information ###


functions as a policy/rules file for various resolution:
1. DNS
2. passwd(/etc/passwd,/etc/shadow),group(/etc/group)
3. protocols(/etc/inet/protocols)
4. ethers - MAC-address-to-hostname mappings (/etc/ethers)
5. hosts - where to look for hostname resolution: files(/etc/hosts)
dns(/etc/resolv.conf)
Network File System(NFS) - Notes

Implemented by most if not all Unix-like OSs (Solaris/AIX/Linux/FreeBSD)


NFS seamlessly mounts remote file systems locally

NFS Components include:


1. NFS Client (mount(temporary access), /etc/vfstab)
2. NFS Server
3. AutoFS

NFS versions 3 & higher support large files (>2GB)

NFS Major versions:


2 - original
3 - improved upon version 2
4 - current version

Note: Solaris 10 supports NFS versions 2, 3 and 4 simultaneously

/etc/default/nfs - contains defaults for NFS server & client, including the NFS_SERVER_VERSMIN/NFS_SERVER_VERSMAX and NFS_CLIENT_VERSMIN/NFS_CLIENT_VERSMAX limits

Note: a client->server NFS connection involves negotiation of the NFS version to use: the highest version both sides allow

###Steps for mounting remote file systems###


1. ensure that a local mount point exists & is empty
Note: files or directories already present under a local mount point are hidden (not removed) while a remote file system is mounted over it

2. ensure that NFS server is available and sharing directories

3. mount locally the remote file system.


mount -F nfs -o ro linuxcbtmedia:/tempnfs1 /tempnfs1
Note: use 'man mount' to determine mount options for various FSs

4. setup persistent mounts in /etc/vfstab file

###Steps for sharing local file systems locations###


1. ensure that NFS is running
svcs -a | grep -i nfs
Note: you may enable the NFS server and update share information independently

Start using: svcadm enable svc:/network/nfs/server


Note: NFS Server will NOT start if there are NO directories to share

2. share -F nfs -d test_share /tempnfssun1 - exports for current session. Does NOT
persist across reboots

3. Configure NFS sharing for persistence, using share command

share -F nfs -d test_share /tempnfssun1


shareall

Note: consult 'man share_nfs' for permissions info.


AutoFS - Notes
Features:
1. Just-in-time mounting of file systems
2. Controlled by 'automountd' daemon
3. Managed via autofs service
4. References map files to determine file systems to mount
5. Obviates need to distribute root password to non-privileged users

/etc/default/autofs - contains configuration directives for autofs

###AutoFS Maps###
3 Types:
1. Master map - /etc/auto_master
2. Direct map - /etc/auto_direct - facilitates direct mappings
3. Indirect map - /etc/auto_* - referenced from /etc/auto_master

###/etc/auto_master###
Note: /etc/auto_master is always read by autofs(automountd daemon)
/etc/nsswitch.conf - used to determine lookup location for automount

-hosts - references hosts defined in /etc/hosts & the hosts MUST export shares
using NFS

Note: changes to /etc/auto_master (primary autofs policy file) usually require a
service restart: svcadm restart autofs

Note: AutoFS defaults to permitting client to browse potential mount points

###Direct mapping example###


Note: Direct mappings seamlessly merge remote exports with local directories
Steps:
1. create auto_direct mapping in /etc/auto_master:
/- auto_direct -vers=3

Network Mapper Nmap - Notes

Performs network reconnaissance/vulnerability testing

www.insecure.org

Compilation Instructions:
1. export PATH=$PATH:/usr/ccs/bin
2. ./configure
3. make || gmake
4. gmake install - copies nmap to /usr/local/bin

Note: nmap can be run by any user on the system; however, only root may perform
the more dangerous functions, e.g. SYN-based scans

###Check ports of hosts###


nmap -v 192.168.1.102 as root, causes a SYN-based scan to occur:
SYN -> SYN-ACK -> Termination
SYN -> SYN-ACK -> ACK - TCP-based scan performed by normal users
Nmap can export to the following file types:
1. Normal
2. XML
3. Greppable

Network Time Protocol (NTP) - Notes


Synchronizes the local system and can be configured to synch any NTP-aware host

Hierarchical in design - 1 through 16 strata


Lower stratum values are more accurate time sources
Stratum 1 servers are connected to external, more accurate time sources such as GPS

Note: Less latency usually results in more accurate time

External Time Source(GPS/Radio/etc.)


-NTP - Stratum 1
-NTP Stratum 2 - Solaris Client/Server
-...
Note: A Solaris 10 NTP system can be both client & server

Note: configure NTP clients to synch to 3 or more clocks(time sources)

###Client configuration###
xntpd or the ntp service searches for /etc/inet/ntp.conf

Note: NTP uses UDP 123 in source & destination ports

ntpdate ntp_server - synchronizes, one-off, local clock


Note: ntpdate does NOT update local clock if xntpd is running locally

rdate - relies upon older time service

ntpq - NTP query utility runs interactively & non-interactively


ntpq -np - lists peers without name resolution - non-interactive invocation
ntpq - invokes interactive mode

ntptrace - traces path to time source

ntpq - queries local or remote NTP servers


ntptrace - traces path to external time source
ntpdate - updates local clock
/etc/inet/ntp.conf - (server server_ip)
svcadm enable ntp - starts NTP (Server and/or Client)

NTP Pool Site: www.pool.ntp.org (Derive NTP public servers from their lists)
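The two checks an administrator actually wants after configuring a client are "are there enough sources?" and "which peer am I synchronised to, and at what stratum?". The following is an added example, not part of the UnixCBT notes: it counts the server lines in a constructed ntp.conf and reads the selected peer out of constructed 'ntpq -np' output (the addresses, refids and timings are made up; the column layout and the '*'/'+' tally characters are those of ntpq's peer listing).

```sh
#!/bin/sh
# Added example (not part of the UnixCBT notes): check a constructed
# /etc/inet/ntp.conf against the "3 or more time sources" advice and pick the
# selected peer out of constructed 'ntpq -np' output.

WORK=$(mktemp -d)

# constructed sample ntp.conf (addresses from the 192.0.2.0/24 documentation range)
NTP_CONF="$WORK/ntp.conf"
cat > "$NTP_CONF" <<'EOF'
# time sources
server 192.0.2.10 prefer
server 192.0.2.11
server 192.0.2.12
driftfile /var/ntp/ntp.drift
EOF

# constructed sample of 'ntpq -np' output: the tally character in column one
# is '*' for the peer the daemon is synchronised to, '+' for a candidate and
# ' ' for a peer that was rejected or never reached (reach register 0)
NTPQ_OUT="$WORK/ntpq.txt"
cat > "$NTPQ_OUT" <<'EOF'
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*192.0.2.10      .GPS.            1 u   34   64  377    0.512   -0.118   0.042
+192.0.2.11      192.0.2.10       2 u   21   64  377    1.204    0.731   0.110
 192.0.2.12      .INIT.          16 u    -   64    0    0.000    0.000   0.000
EOF

# count_time_sources CONF -> number of 'server' or 'peer' lines
count_time_sources() {
    awk '$1 == "server" || $1 == "peer" { n++ } END { print n + 0 }' "$1"
}

# sync_peer NTPQ_FILE -> "address stratum offset_ms" of the '*' peer, or nothing
sync_peer() {
    awk 'substr($0, 1, 1) == "*" { print substr($1, 2), $3, $9; exit }' "$1"
}

# unreachable_peers NTPQ_FILE -> addresses whose reach register is 0
unreachable_peers() {
    awk 'NR > 2 && $7 == "0" { a = $1; sub(/^[*+#x.o-]/, "", a); print a }' "$1"
}

# ntp_health CONF NTPQ_FILE -> 0 when 3 or more sources are configured and a
# peer with a usable stratum (< 16) is selected; prints each problem found
ntp_health() {
    ok=0
    n=$(count_time_sources "$1")
    [ "$n" -ge 3 ] || { echo "only $n time source(s) configured, want 3 or more"; ok=1; }
    peer=$(sync_peer "$2")
    if [ -z "$peer" ]; then
        echo "no synchronised peer selected"; ok=1
    else
        stratum=$(echo "$peer" | awk '{ print $2 }')
        [ "$stratum" -lt 16 ] || { echo "selected peer is stratum $stratum (unsynchronised)"; ok=1; }
    fi
    for p in $(unreachable_peers "$2"); do echo "warning: peer $p unreachable"; done
    return $ok
}

ntp_health "$NTP_CONF" "$NTPQ_OUT" && echo "ntp: synchronised to $(sync_peer "$NTPQ_OUT")"
```

On a live system the second file is simply `ntpq -np > /tmp/ntpq.txt`; a '*' peer at stratum 16 or no '*' at all means xntpd has not settled on a source yet.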

Quota Implementation & Management - Notes

Features:
Soft Limits - function as stage-1 or warning stage
- if user exceeds soft limit, timer is invoked (default 7-days)
i.e. 100MB soft limit - if user is still over it when the timer expires, the soft
limit is enforced as a hard limit

Hard Limits - function as a storage ceiling - CANNOT be exceeded


- if user meets hard limit, system will not allocate additional storage

File-system perspective of quotas:


2 objects are monitored:
1. BLOCKS
2. INODES

FILE(test.txt) -> 1-INODE -> 1-or-more Data BLOCKS(default 1K)

Quota Tools:
1. edquota - facilitates the creation of quotas for users
2. quotacheck - checks for consistency in usage and quota policy
3. quotaon - enables quotas on file system
4. repquota - displays quota information

###Steps to enable quota support###


1. modify /etc/vfstab - enable quotas per file system
"Mount Options" column - 'rq'
2. create empty 'quotas' file in root of desired file system
touch /export/home/quotas && chmod 600 /export/home/quotas
3. edquota unixcbt
edquota -p unixcbt unixcbt2 unixcbt3 unixcbt4 - copies unixcbt's quota policy to
users unixcbt2,3,4
4. quotacheck -va
5. quota -v unixcbt
6. quotaon -v /dev/dsk/c0t0d0s7 - enables quota support
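Both the persistent NFS mounts (NFS step 4 above) and the quota setup (steps 1 and 2 here) live in /etc/vfstab, so one parser serves both. The following is an added example, not part of the UnixCBT notes: it reads a constructed vfstab, lists the NFS entries, and checks that a UFS file system carries the 'rq' option and has a mode 600 'quotas' file in its root. A temporary directory stands in for /export/home so the check runs anywhere; the device and server names are the ones used in the notes.

```sh
#!/bin/sh
# Added example (not part of the UnixCBT notes): read a constructed /etc/vfstab
# to list the persistent NFS mounts and to check that a UFS file system is
# ready for quotas ('rq' option plus a mode 600 'quotas' file in its root).

WORK=$(mktemp -d)
HOME_FS="$WORK/export/home"          # stands in for /export/home
mkdir -p "$HOME_FS"
VFSTAB="$WORK/vfstab"
cat > "$VFSTAB" <<EOF
#device         device          mount           FS      fsck    mount   mount
#to mount       to fsck         point           type    pass    at boot options
#
fd      -       /dev/fd fd      -       no      -
/proc   -       /proc   proc    -       no      -
/dev/dsk/c0t0d0s7       /dev/rdsk/c0t0d0s7      $HOME_FS        ufs     2       yes     rq
linuxcbtmedia:/tempnfs1 -       /tempnfs1       nfs     -       yes     ro
EOF

# vfstab_field VFSTAB MOUNTPOINT N -> field N of MOUNTPOINT's entry (1 device,
# 2 raw device, 3 mount point, 4 FS type, 5 fsck pass, 6 mount at boot, 7 options)
vfstab_field() {
    awk -v mp="$2" -v n="$3" '!/^#/ && $3 == mp { print $n; exit }' "$1"
}

# nfs_mounts VFSTAB -> "mountpoint server:path options" for each NFS entry
nfs_mounts() {
    awk '!/^#/ && $4 == "nfs" { print $3, $1, $7 }' "$1"
}

# has_mount_option OPTIONS OPT -> 0 if OPT appears in the comma-separated list
has_mount_option() {
    case ",$1," in *",$2,"*) return 0 ;; esac
    return 1
}

# quota_ready VFSTAB MOUNTPOINT -> 0 when the vfstab entry and the quotas file
# match steps 1 and 2; otherwise prints what is missing and returns 1
quota_ready() {
    vfstab=$1; mp=$2; ok=0
    fstype=$(vfstab_field "$vfstab" "$mp" 4)
    opts=$(vfstab_field "$vfstab" "$mp" 7)
    [ "$fstype" = ufs ] || { echo "$mp: no ufs entry in vfstab"; ok=1; }
    has_mount_option "$opts" rq || has_mount_option "$opts" quota ||
        { echo "$mp: vfstab options '$opts' lack rq/quota"; ok=1; }
    if [ -f "$mp/quotas" ]; then
        mode=$(ls -ld "$mp/quotas" | cut -c2-10)
        [ "$mode" = "rw-------" ] || { echo "$mp/quotas: mode is $mode, want rw------- (chmod 600)"; ok=1; }
    else
        echo "$mp/quotas: missing (touch it, then chmod 600)"; ok=1
    fi
    return $ok
}

echo "persistent NFS mounts:"; nfs_mounts "$VFSTAB"
quota_ready "$VFSTAB" "$HOME_FS" || echo "quota support not ready yet"
touch "$HOME_FS/quotas" && chmod 600 "$HOME_FS/quotas"
quota_ready "$VFSTAB" "$HOME_FS" && echo "$HOME_FS: ready for quotaon"
```

The first quota_ready call fails because the quotas file does not exist yet; after the touch/chmod from step 2 it passes. A world-readable quotas file is reported as well, since the file carries every user's limits.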

Samba Windows Integration - Notes


Integrates Unix-type systems with Windows
SMB(139)/CIFS(445) - 2 protocols used to communicate with Windows/Samba servers

Key Client Utilities:


1. smbtree - network neighborhood text utility
It enumerates workgroups, hosts & shares
smbtree -b - relies upon broadcasts for resolving workgroups/hosts
smbtree -D - echoes discovered workgroups using broadcasts/master browser

2. smbclient - provides an FTP-like interface to SMB/CIFS servers


smbclient service_name(//LINUXCBTWIN1/LinuxCBT)

Note: Most, if not all, Samba clients operate in case-insensitive mode


smbclient //linuxcbtwin1/linuxcbt
Note: when in smbclient interactive mode, prefix commands with '!' to execute
locally on client, otherwise commands run on server

smbclient -L linuxcbtwin1 - enumerates the shares on the server


smbclient -A ./.smbpaswd //linuxcbtwin1/solaris10

.smbpaswd
username=unixcbt
password=abc123

3. smbtar - facilitates backups of remote shares


smbtar -s linuxcbtwin1 -x solaris10 -t solaris10.tar - backup
smbtar -s linuxcbtwin1 -x solaris10 -r -t solaris10.tar - restore

Remote Desktop Installation - Notes


Requirements - www.sunfreeware.com:
1. libiconv
2. libgcc 3.3.2 or higher
3. libopenssl 0.9.7
4. rdesktop-1.4.1

RDesktop supports Remote Desktop Protocol (RDP) versions 4 & 5
Connects to:
1. Windows XP - RDP-5
2. Windows 2000 - RDP-5
3. Windows 2003 - RDP-5
4. Windows NT Server 4 - Terminal Services Edition - RDP-4

###usage###

rdesktop -g 700x500 -a 16 server_name(192.168.1.102)

Samba Server Configuration - Notes


/etc/sfw/smb.conf-example - modify & save as /etc/sfw/smb.conf

smb.conf - is the main configuration file for Samba server & many of the Samba
clients search for key directives from the file.

Features:
1. File & Print sharing
2. Implemented as 2 daemons (smbd & nmbd)
smbd - file & print sharing - connections based on SMB/CIFS protocols
SMB - TCP 139
CIFS - TCP 445
nmbd - handles NETBIOS names using primarily UDP connectivity
Browse list (master browser or derive current list from master browser)
Names of servers - derived using broadcast or WINS
UDP 137 & 138
3. Legacy service - does not currently benefit from SMF
4. Service is located in: /etc/init.d & referenced via run-levels
5. Configuration changes to /etc/sfw/smb.conf are read automatically

###Samba Security Modes###


Default = security = user - relies upon local Unix accounts database & Samba
database to grant or deny access to shared resources
1. /etc/passwd
2. /etc/sfw/smbpasswd - handles translation of Windows auth to Unix auth
3. /etc/sfw/smbusers - provides translation between Unix & Windows users
i.e. translation of Windows' 'guest' user to Unix' 'nobody' user

###User Authentication Mode###


Note: NETBIOS names are restricted to 16 characters, however, 15 characters are
configurable
linuxcbtsun1.linuxcbt.internal = FQDN
Note: smbpasswd -a unixcbt - create permitted samba users in
/etc/sfw/private/smbpasswd file - otherwise, access will be denied

###Samba Web Administration Tool (SWAT)###


Steps to enable Swat:
1. create an /etc/services entry for SWAT - TCP:901
2. create an /etc/inetd.conf entry for SWAT
swat stream tcp nowait root /usr/sfw/sbin/swat swat
3. Convert the inetd entry for SWAT to SMF using 'inetconv'
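The security mode and the per-share access parameters are what decide who reaches a share, so they are worth auditing mechanically. The following is an added example, not part of the UnixCBT notes: it parses a constructed smb.conf (share names, paths and users are made up; the parameter names are standard smb.conf ones) and reports the security mode plus any share that is reachable anonymously or writable without a 'valid users' restriction.

```sh
#!/bin/sh
# Added example (not part of the UnixCBT notes): audit a constructed smb.conf
# for the security mode and for shares that can be reached without a Samba
# account. Share names, paths and users are made up for the sample.

WORK=$(mktemp -d)
SMB_CONF="$WORK/smb.conf"
cat > "$SMB_CONF" <<'EOF'
[global]
   workgroup = LINUXCBT
   netbios name = LINUXCBTSUN1
   security = user
   smb passwd file = /etc/sfw/private/smbpasswd
   username map = /etc/sfw/smbusers

[homes]
   browseable = no
   writable = yes

[solaris10]
   path = /export/home/unixcbt/solaris10
   valid users = unixcbt
   read only = no

[public]                       ; constructed: anonymous, writable share
   path = /export/public
   guest ok = yes
   writable = yes
EOF

lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# smb_param CONF SECTION PARAM -> value of PARAM in [SECTION]; parameter names
# are matched case-insensitively, comments (; or #) and padding are stripped
smb_param() {
    awk -v want_sec="$2" -v want_key="$3" '
        { sub(/[;#].*/, "") }
        /^[[:space:]]*\[/ {
            sec = $0; gsub(/^[[:space:]]*\[|\][[:space:]]*$/, "", sec); next
        }
        index($0, "=") == 0 { next }
        {
            key = $0; sub(/=.*/, "", key); gsub(/^[[:space:]]+|[[:space:]]+$/, "", key)
            val = $0; sub(/^[^=]*=/, "", val); gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            if (sec == want_sec && tolower(key) == tolower(want_key)) { print val; exit }
        }' "$1"
}

# smb_sections CONF -> section names, one per line (the sample has none with spaces)
smb_sections() {
    awk '{ sub(/[;#].*/, "") }
         /^[[:space:]]*\[/ { gsub(/^[[:space:]]*\[|\][[:space:]]*$/, ""); print }' "$1"
}

# share_writable CONF SECTION -> 0 if clients may write: "writable = yes",
# "writeable = yes" or "read only = no" (shares are read-only otherwise)
share_writable() {
    case "$(lc "$(smb_param "$1" "$2" writable)")" in yes|true|1) return 0 ;; esac
    case "$(lc "$(smb_param "$1" "$2" writeable)")" in yes|true|1) return 0 ;; esac
    case "$(lc "$(smb_param "$1" "$2" "read only")")" in no|false|0) return 0 ;; esac
    return 1
}

# smb_audit CONF -> one finding per line; the exit status is the number of findings
smb_audit() {
    conf=$1; findings=0
    mode=$(lc "$(smb_param "$conf" global security)")
    if [ "${mode:-user}" = share ]; then
        echo "[global]: security = share, no per-user authentication"; findings=$((findings + 1))
    fi
    for sec in $(smb_sections "$conf"); do
        case $sec in global|homes|printers) continue ;; esac   # special sections
        if [ "$(lc "$(smb_param "$conf" "$sec" "guest ok")")" = yes ]; then
            w=read-only; share_writable "$conf" "$sec" && w=writable
            echo "[$sec]: guest ok = yes ($w anonymous access)"; findings=$((findings + 1))
        elif share_writable "$conf" "$sec" && [ -z "$(smb_param "$conf" "$sec" "valid users")" ]; then
            echo "[$sec]: writable without a 'valid users' restriction"; findings=$((findings + 1))
        fi
    done
    return $findings
}

smb_audit "$SMB_CONF" || echo "$? finding(s) in $SMB_CONF"
```

Against /etc/sfw/smb.conf the call is `smb_audit /etc/sfw/smb.conf`; [homes] and [printers] are skipped because Samba scopes them to the authenticated user already.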

System Security Overview - Notes


/var/adm/sulog - houses SU attempts
SU TIMESTAMP +||- TTY Switched_User_From_To
SU 06/17 11:13 + pts/4 root-unixcbt
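Reading sulog by eye works for a day or two; for longer windows a small summariser helps. The following is an added example, not part of the UnixCBT notes: it parses a constructed sulog in the format shown above (the entries are made up) and reports successful and failed attempts to become root, with a simple "succeeded after repeated failures" flag.

```sh
#!/bin/sh
# Added example (not part of the UnixCBT notes): summarise a constructed
# /var/adm/sulog in the format shown above (SU MM/DD HH:MM +|- tty from-to),
# picking out failed and successful attempts to become root.

WORK=$(mktemp -d)
SULOG="$WORK/sulog"
cat > "$SULOG" <<'EOF'
SU 06/17 11:13 + pts/4 root-unixcbt
SU 06/17 11:20 + pts/2 unixcbt-root
SU 06/17 11:21 - pts/5 unixcbt2-root
SU 06/17 11:21 - pts/5 unixcbt2-root
SU 06/17 11:22 - pts/5 unixcbt2-root
SU 06/17 11:30 + pts/5 unixcbt2-root
SU 06/18 09:02 + console root-daemon
EOF

# su_events SULOG RESULT TARGET -> "date time tty from_user" for every attempt
# with RESULT ('+' success, '-' failure) to switch to TARGET. The from-to field
# is split at its last '-', so user names containing '-' survive.
su_events() {
    awk -v res="$2" -v target="$3" '
        $1 == "SU" && $4 == res {
            n = split($6, ft, "-"); to = ft[n]
            from = substr($6, 1, length($6) - length(to) - 1)
            if (to == target) print $2, $3, $5, from
        }' "$1"
}

# failed_su_by_user SULOG -> "count user" for failed su-to-root attempts, highest first
failed_su_by_user() {
    su_events "$1" - root | awk '{ c[$4]++ } END { for (u in c) print c[u], u }' | sort -rn
}

# escalation_after_failures SULOG MIN_FAILS -> users whose su to root succeeded
# after at least MIN_FAILS earlier failures in the same log
escalation_after_failures() {
    awk -v min="$2" '
        $1 == "SU" {
            n = split($6, ft, "-"); to = ft[n]
            from = substr($6, 1, length($6) - length(to) - 1)
            if (to != "root") next
            if ($4 == "-") fails[from]++
            else if (fails[from] >= min && !(from in seen)) { seen[from] = 1; print from }
        }' "$1"
}

echo "successful su to root:";        su_events "$SULOG" + root
echo "failed su to root, by user:";   failed_su_by_user "$SULOG"
echo "root reached after 3+ failures:"; escalation_after_failures "$SULOG" 3
```

Point the functions at /var/adm/sulog on a real host; the date column has no year, so rotate or archive the file if the summary has to cover more than one year.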

/var/adm/loginlog - Does NOT exist by default


Note: houses failed logins after threshold(Default of 5)
touch /var/adm/loginlog
/etc/default/login

logins command
logins -x -l unixcbt - returns info. from /etc/{passwd,shadow}
logins -p - lists users without passwords

###Password Generation Encryption Algorithm###


Note: Default in Solaris 10 is UNIX, legacy encryption - The weakest
/etc/security/policy.conf - man policy.conf(4)
Note: password encryption changes take effect at user's next password change

Sendmail MTA Features - Notes


Default configuration runs Sendmail
Runs as 2 daemons
1. queue runner - submits jobs into queue(PHP script/mailx/sendmail/etc.)
a. it runs as a non-privileged user called 'smmsp'
b. places messages into queue directory: /var/spool/mqueue
c. mailq command dumps the current status of the queue(s)

2. MTA mode - message delivery to local/remote recipients


b. it runs as root - to bind to well-known TCP:25

Note: Sendmail works with SMF


svcadm restart sendmail
svcs -l sendmail

Typical Mail Components in distributed mail environments:


1. MTA - Message Transfer Agent (Sendmail/Postfix/qmail)
2. MUA - Mail User Agent (mail, mutt, mailx, MS Outlook, Eudora, etc.)
3. MDA - Mail Delivery Agent (mail.local, procmail, etc.)

Config files:
1. /etc/mail/sendmail.cf - primary config file for Sendmail MTA
2. /etc/mail/submit.cf - primary config file for Sendmail MSP (smmsp)

Config file macros, written in the m4 language:


1. /etc/mail/cf/cf/sendmail.mc
2. /etc/mail/cf/cf/submit.mc

Note: Sendmail does NOT understand m4 files. Use m4 to generate updated .cf files
if necessary

###/etc/aliases - used for local mail delivery###


Contains key aliases for 'postmaster' & system daemons

unixcbt:unixcbt@linuxcbtsun1

unixcbt@localhost
unixcbt@linuxcbtsun1
unixcbt@linuxcbtsun1.linuxcbt.internal
/etc/mail/local-host-names
unixcbt.internal
unixcbt@linuxcbtsun1.unixcbt.internal

newaliases - generates updated DB for aliases

###per-user mail###
1. Sendmail stores mail using the older mbox format, which stores all of a user's mail in 1
potentially huge ASCII text file
2. /var/mail/username - flagged with the STICKY bit

###Mail delivery using local tools###


sendmail is monolithic - 1 program does it all (client/server/MSP/MTA)

sendmail -v unixcbt

Note: MSP submits to: /var/spool/clientmqueue

###Virtual Domains/Users Support###


/etc/mail/relay-domains
/etc/mail/local-host-names
unixcbt.internal

Virtual Users:
Create: /etc/mail/virtusertable
Populate with mappings: virtual_email_address local_mailbox|remote_email
unixcbt@unixcbt.internal unixcbt

Configure /etc/mail/sendmail.cf via /etc/mail/cf/cf/sendmail.mc


- FEATURE(`virtusertable',`hash -o /etc/mail/virtusertable.db')
makemap hash virtusertable - creates the DB file:
/etc/mail/virtusertable.db

###Relay Domains###
/etc/mail/relay-domains
Houses domains that sendmail should relay; local and/or remote
linuxcbt.com
192.168.1.100
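The three files in the preceding sections interact: local-host-names says which domains are ours, virtusertable maps virtual addresses to mailboxes or remote addresses, and aliases redirects local mailboxes. The following is an added example, not part of the UnixCBT notes: a simplified model of that resolution run over constructed copies of the three files. Real sendmail rule sets do more (relay-domains, access maps, mailer selection); the entries sales, bob, catchall, linuxcbt.com and example.com are made up.

```sh
#!/bin/sh
# Added example (not part of the UnixCBT notes): a simplified model of how
# local-host-names, virtusertable and aliases together decide where a recipient
# address ends up. Real sendmail rule sets do more; this follows only the three
# files described in the notes, with constructed entries.

WORK=$(mktemp -d)
LHN="$WORK/local-host-names"; VUT="$WORK/virtusertable"; ALIASES="$WORK/aliases"
cat > "$LHN" <<'EOF'
linuxcbtsun1
linuxcbtsun1.linuxcbt.internal
unixcbt.internal
EOF
cat > "$VUT" <<'EOF'
# virtual address          local mailbox or remote address
unixcbt@unixcbt.internal   unixcbt
sales@unixcbt.internal     sales-team@linuxcbt.com
@unixcbt.internal          catchall
EOF
cat > "$ALIASES" <<'EOF'
postmaster: root
root: unixcbt
catchall: unixcbt
EOF

# is_local_domain DOMAIN -> 0 if DOMAIN is listed in local-host-names
is_local_domain() { grep -qixF -e "$1" "$LHN"; }

# virt_lookup ADDRESS -> virtusertable target: exact user@domain entry first,
# then the @domain catch-all; prints nothing if neither exists
virt_lookup() {
    awk -v a="$1" -v d="@${1#*@}" '
        /^#/ || NF < 2 { next }
        tolower($1) == tolower(a) { print $2; found = 1; exit }
        tolower($1) == tolower(d) { fallback = $2 }
        END { if (!found && fallback != "") print fallback }' "$VUT"
}

# alias_expand NAME -> follows aliases until a name with no entry or a remote
# address is reached; gives up after 10 hops (alias loop)
alias_expand() {
    name=$1; hops=0
    while [ "$hops" -lt 10 ]; do
        case $name in *@*) echo "$name"; return 0 ;; esac
        next=$(awk -F: -v n="$name" '!/^#/ && $1 == n { sub(/^[[:space:]]+/, "", $2); print $2; exit }' "$ALIASES")
        [ -n "$next" ] || { echo "$name"; return 0; }
        name=$next; hops=$((hops + 1))
    done
    return 1
}

# deliver ADDRESS [DEPTH] -> "local:<mailbox>", "relay:<address>" or "reject:<why>"
deliver() {
    addr=$1; depth=${2:-0}
    [ "$depth" -lt 5 ] || { echo "reject:too many rewrites for $addr"; return 1; }
    user=${addr%@*}; dom=${addr#*@}
    if ! is_local_domain "$dom"; then
        echo "relay:$addr"            # not our domain; relay-domains governs this
        return 0
    fi
    target=$(virt_lookup "$addr")
    [ -n "$target" ] || target=$user
    final=$(alias_expand "$target") || { echo "reject:alias loop at $target"; return 1; }
    case $final in
        *@*) deliver "$final" $((depth + 1)) ;;
        *)   echo "local:$final" ;;
    esac
}

for a in unixcbt@unixcbt.internal sales@unixcbt.internal bob@unixcbt.internal \
         postmaster@linuxcbtsun1 someone@example.com; do
    printf '%-28s -> %s\n' "$a" "$(deliver "$a")"
done
```

The model makes the ordering visible: virtusertable is consulted only for domains in local-host-names, its result is then passed through aliases, and an alias that points back at an address restarts the process (bounded here so a misconfigured loop is reported rather than spun on).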

###IMAP/POP2|3 Support###
Differences between IMAP & POP
1. IMAP stores messages on server
2. POP downloads messages to client

Note: IMAP server must support mbox mail storage format and optionally Maildir mail
storage format

Download IMAP2004g from sunfreeware.com

###Configure INETD control of IMAP & POP3 services###


/etc/inetd.conf
pop3 stream tcp nowait root /usr/local/sbin/ipop3d ipop3d
imap stream tcp nowait root /usr/local/sbin/imapd imapd

Note: use 'inetconv' to convert INETD entries in /etc/inetd.conf to SMF

###Evolution MUA - Connect to POP3 & IMAP Service###


Installed openssl-0.9.8 to support IMAP2004g
Configure Evolution
Note: Retrieving & Sending messages are distinct functions
1. SMTP - Sending
2. IMAP/POP3/MS Exchange/etc. - Retrieval

Snoop Network Sniffer - Notes
Features:
1. Packet capturing facilities (ALL levels of OSI model, minus physical)
2. Packet playback/replay facility
3. Sniffs on first detected, non-loopback interface - output to STDOUT
4. MUST be executed as root

Note: Prefer writing snoop output to a file rather than STDOUT for performance reasons
(to minimize packet loss)

snoop
snoop -o snoop1.out - redirects captured traffic to file named 'snoop1.out'
and returns a packet-count to STDOUT

Note: If connected to a switched environment, MIRROR the traffic to the Sun box in
order for traffic to be available to snoop

snoop -i snoop1.out - reads the capture file


Note: snoop captures packets until killed with CTRL-C or disk runs out of space

snoop -i snoop1.out -p 11573,11577 - extracts packet ranges 11573-11577


snoop -v -i snoop1.out - VERBOSE (ALL OSI layers, 2-7)
snoop -V -i snoop1.out - SUMMARY (Returns interesting packet payload)

Note: snoop supports Boolean primitives (host,tcp,udp,ip) & Boolean operators
(AND,OR,NOT)

snoop -i snoop1.out tcp port 80

Note: snoop -o output_file - captures layers 2-7

snoop -o snoop1.out udp

snoop -o snoop1.out 192.168.1.50 192.168.1.102

###FTP Traffic Snoop###


snoop -o snoop_ftp_traffic.out host 192.168.1.102 linuxcbtsun1 and tcp and port 21

TCPDump Network Sniffer - Notes


www.tcpdump.org

Packet Capturing - captures packets from network interfaces

Note: 2 major utilities supporting TCPDump's format include:


1. Ethereal - GUI protocol analyzer/Sniffer
2. Snort NIDS - Sniffer/Logger/NIDS

TCPDump supports 3 qualifiers to assist in creating expressions:


1. Type - host|net|port i.e. host 192.168.1.102
2. Direction - src|dst|src or dst|src and dst
3. Protocol - tcp|udp|ip

Syntax:
tcpdump options expression

tcpdump
tcpdump -D - returns available interfaces
tcpdump -i interface_name - binds to specific interface
tcpdump -q suppresses some packet header information
tcpdump -n - avoids name resolution - improves performance

Snort Network Intrusion Detection System (NIDS) - Notes

Features:
1. Packet Capturing - libpcap.a(tcpdump.org)
2. Packet Logging - Captures are stored to disk (ASCII/TCPDump Formats)
3. Network Intrusion Detection Mode

Note: Software Companion DVD includes Snort 2.0(older version)

Requirements:
1. libpcap
2. libpcre

###Configuring Snort###
./configure --with-libpcap-libraries=/opt/sfw/lib --with-libpcre-includes=/opt/sfw/include --with-libpcre-libraries=/opt/sfw/lib

Appended to PATH: /usr/sfw/bin:/usr/ccs/bin

make
make install

###Snort as a Sniffer###
snort -v - Dumps link headers(Layers 3(IPs) & 4(Ports) of the OSI Model)
snort -v -i e1000g0
snort -vd -i e1000g0 - Dumps Application Layer (Layer-7 of OSI Model)
snort -ve -i e1000g0 - Dumps data-link layer (Layer-2 of OSI Model)
snort -vde -i e1000g0 - Dumps Layers 2,3,4,7 of OSI Model

###Snort as a Packet Logger###


Note: Identical to sniffer, except, data is directed to file. Improves I/O.
snort -L snortlog.1
Note: Snort defaults to '/var/log/snort' to store binary log and alert file

snort -L snortlog.1 -l ./log

Note: Snort supports TCPDump's Boolean primitives and operators.


Additionally, Snort supports Berkeley Packet Filters (BPFs)
snort options BPFs

SYSLOG Implementation - Notes

Note: Syslog is the default logging handler/router in Solaris


Note: Defaults to UDP:514
Note: Segment your Syslog Host(s) on a distinct subnet, protected by ACLs

pkgchk -lP /usr/sbin/syslogd

Syslog can log to the following locations:


1. remote host
2. local file (Suggested destination because of I/O performance)
3. console
4. specific users
5. *

Note: Syslog processes 3 pieces of information (facility, severity, action) represented by 2 fields:


/etc/syslog.conf - primary configuration file for Syslog
man syslog.conf

1: selector(*.emerg) 2: action(/dev/console)
*.emerg /dev/console
Selector = facility(user).severity_level(debug)
Action = target for log entry (files, console, remote host)

###Syslog Recognized Facilities###


USER,KERN,MAIL(Postfix,Sendmail),DAEMON(programs),AUTH,LPR,NEWS,CRON,AUDIT,LOCAL0-7(provides 8 usable facilities),MARK,*

### 8 Syslog Recognized Severity Levels###


1. EMERG - yields least output
2. ALERT
3. CRIT
4. ERROR
5. WARNING
6. NOTICE
7. INFO
8. DEBUG - yields most output

Note: restart syslog after changing /etc/syslog.conf

local0.info /var/log/ciscofirewall1.log
touch /var/log/ciscofirewall1.log
svcadm restart system-log

Log Rotation using logadm - Notes


which logadm
pkgchk -lP /usr/sbin/logadm - member of SUNWcsu
logadm is configured to run daily in root's crontab
crontab -l
/etc/logadm.conf - default configuration file
Note: don't memorize all parameters. Execute 'logadm -h'
Note: command-line directives override /etc/logadm.conf directives

Note: logadm preserves 10 backups of log files named logname.0-.9


Note: logadm supports shell wildcards '*', '?'

Zettabyte File System (ZFS) - Notes

Features:
1. 256 quadrillion zettabytes (Terabytes - Petabytes - Exabytes - Zettabytes(1024
Exabytes))
2. RAID-0/1 & RAID-Z(RAID-5 with enhancements) (2-required virtual devices)
3. Snapshots - read-only copies of file systems or volumes
4. Creates volumes
5. Uses storage pools to manage storage - aggregates virtual devices
6. File systems attached to pools grow dynamically as storage is added
7. File systems may span multiple physical disks
8. ZFS is transactional
9. Pools & file systems are auto-mounted. No need to maintain /etc/vfstab
10. Supports file system hierarchies: /pool1/{home(5GB),var(10GB),etc.}
11. Supports reservation of storage: /pool1/{home(10GB),var}
12. Provides a secure web-based management tool - https://localhost:6789/zfs

###ZFS - CLI###
zpool list - lists known pools
zpool create pool_name(alphanumeric, _,-,:,.)
Pool Name Constraints (DO NOT USE THESE NAMES FOR YOUR POOL NAMES):
1. mirror
2. raidz

zpool create pool_name device_name1, device_name2, device_name3, etc.


zpool create pool1 c0t1d0|/dev/dsk/c0t1d0

ZFS Pool Statuses:


1. ONLINE
2. DEGRADED
3. FAULTED
4. OFFLINE
5. UNAVAILABLE

zfs list - returns ZFS dataset info.


zfs mount - returns pools and mount points
zpool status - returns virtual devices that constitute pools
Note: ZFS requires a minimum of 128MB virtual device to create a pool

zpool destroy pool1 - Destroys pool and associated file systems

###Create file systems within pool1###


zfs create pool1/home - creates file system named 'home' in pool1
Note: Default action of 'zfs create pool1/home' assigns all storage available to
'pool1', to 'pool1/home'

###Set quota on existing file system###


zfs set quota=10G pool1/home

###Create user-based file system beneath pool1/home###


zfs create pool1/home/unixcbt
Note: ZFS inherits properties from immediate ancestor

zfs get -r compression pool1 - returns compression property for file systems
associated with 'pool1'

###Rename File System###


zfs rename pool1/home/unixcbt pool1/home/unixcbt2

###Extending pool storage dynamically###


zpool add pool1 c0t2d0

###ZFS Redundancy/Replication###
1. Mirroring - RAID-1
2. RAID-5 - RAID-Z

Virtual Devices:
1. c0t1d0 - 36GB
2. c0t2d0 - 36GB

Note: Redundancy/Replication is associated directly with the pool

zpool create poolmirror1 mirror c0t1d0 c0t2d0

###ZFS Snapshots###
Features:
1. Read-only copies of volumes or file systems
2. Use no additional space, initially

zfs list -t snapshot - returns available snapshots

Solaris Zones - Notes


Features:
1. Virtualization - i.e. VMWare
2. Solaris Zones can host only instances of Solaris. Not other OSs.
3. Limit of 8192 zones per Solaris host
4. Primary zone(global) has access to ALL zones
5. Non-global zones, do NOT have access to other non-global zones
6. Default non-global zones derive packages from global zone
7. Program isolation - zone1(Apache), zone2(MySQL)
8. Provides 'z' commands to manage zones: zlogin, zonename, zoneadm,zonecfg

###Features of GLOBAL zone###


1. Solaris ALWAYS boots(cold/warm) to the global zone
2. Knows about ALL hardware devices attached to the system
3. Knows about ALL non-global zones

###Features of NON-GLOBAL zones###


1. Installed at a location on the filesystem of the GLOBAL zone 'zone root path'
/export/home/zones/{zone1,zone2,zone3,...}
2. Share packages with GLOBAL zone
3. Manage distinct hostname and tables files
4. Cannot communicate with other non-global zones by default. NIC must be used,
which means, use standard network API(TCP)
5. GLOBAL zone admin. can delegate non-global zone administration

###Zone Configuration###
Use: zonecfg - to configure zones
Note: zonecfg can be run: interactively, non-interactively, command-file modes

Requirements for non-global zones:


1. hostname
2. zone root path. i.e. /export/home/zones/testzone1
3. IP address - bound to logical or physical interface

Zone Types:
1. Sparse Root Zones - share key files with global zone
2. Whole Root Zones - require more storage

Steps for configuring non-global zone:


1. mkdir /export/home/zones/testzone1 && chmod 700 /export/home/zones/testzone1
2. zonecfg -z testzone1
3. create
4. set zonepath=/export/home/zones/testzone1 - sets root of zone
5. add net ; set address=192.168.1.60
6. set physical=e1000g0
7. (optional) set autoboot=true - testzone1 will be started when system boots
8. (optional) add attr ; set name=comment; set type=string; set value="TestZone1"
9. verify - checks the zone configuration for errors
10. commit - commits the changes

11. Zone Installation - zoneadm -z testzone1 install - places zone 'testzone1'
into 'installed' state. NOT ready for production
12. zoneadm -z testzone1 boot - boots the zone, changing its state
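Steps 2 through 10 are zonecfg subcommands, and zonecfg also accepts them from a command file (its command-file mode, mentioned above). The following is an added example, not part of the UnixCBT notes: it validates the zone name, zonepath, address and NIC, then emits the command file, so the configuration can be applied non-interactively with 'zonecfg -z testzone1 -f testzone1.cfg'. The values are the ones used in the steps above; a temporary directory stands in for /export/home/zones/testzone1. The 'end' and 'exit' subcommands close the resource scope and the zonecfg session; they are part of zonecfg's grammar although the interactive steps above do not list them.

```sh
#!/bin/sh
# Added example (not part of the UnixCBT notes): validate the inputs for the
# zonecfg steps above and emit them as a zonecfg command file, which can be
# applied on the Solaris host with: zonecfg -z testzone1 -f testzone1.cfg

# valid_ipv4 ADDR -> 0 for a dotted quad with every octet in 0-255
valid_ipv4() {
    echo "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i + 0 > 255) exit 1 }'
}

# valid_zonepath PATH -> 0 if absolute and, when already present, a mode 700
# directory (the notes create it with mkdir followed by chmod 700)
valid_zonepath() {
    case $1 in /*) ;; *) echo "zonepath must be absolute: $1" >&2; return 1 ;; esac
    [ -e "$1" ] || return 0
    [ -d "$1" ] || { echo "zonepath is not a directory: $1" >&2; return 1; }
    mode=$(ls -ld "$1" | cut -c2-10)
    [ "$mode" = "rwx------" ] || { echo "zonepath mode is $mode, want rwx------ (chmod 700)" >&2; return 1; }
}

# zone_cmdfile NAME ZONEPATH ADDRESS NIC [COMMENT] -> zonecfg commands on stdout;
# prints nothing and returns 1 if any input is rejected
zone_cmdfile() {
    name=$1 zpath=$2 addr=$3 nic=$4 comment=$5
    case $name in
        ""|global|*[!A-Za-z0-9_.-]*) echo "bad zone name: '$name'" >&2; return 1 ;;
    esac
    valid_ipv4 "$addr" || { echo "bad IPv4 address: $addr" >&2; return 1; }
    valid_zonepath "$zpath" || return 1
    printf 'create\nset zonepath=%s\nset autoboot=true\n' "$zpath"
    printf 'add net\nset address=%s\nset physical=%s\nend\n' "$addr" "$nic"
    [ -n "$comment" ] &&
        printf 'add attr\nset name=comment\nset type=string\nset value="%s"\nend\n' "$comment"
    printf 'verify\ncommit\nexit\n'
}

WORK=$(mktemp -d)
ZONE_ROOT="$WORK/export/home/zones/testzone1"    # stands in for /export/home/zones/testzone1
mkdir -p "$ZONE_ROOT" && chmod 700 "$ZONE_ROOT"
zone_cmdfile testzone1 "$ZONE_ROOT" 192.168.1.60 e1000g0 TestZone1 > "$WORK/testzone1.cfg"
cat "$WORK/testzone1.cfg"
```

Because the checks run before anything is printed, a typo in the address or a zonepath left at mode 755 stops the file from being written at all, which is cheaper than finding out from 'zoneadm -z testzone1 install'.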

###Zlogin - is used to login to zones###


Note: each non-global zone maintains a console. Use 'zlogin -C zonename' after
installing zone to complete zone configuration

Note: Zlogin permits login to non-global zone via the following:


1. Interactive - i.e. zlogin -l username zonename
2. Non-interactive - zlogin options command
3. Console mode - zlogin -C zonename
4. Safe mode - zlogin -S

zoneadm -z testzone1 reboot - reboots the zone


zlogin testzone1 shutdown
