BigAdmin Submitted Article: Hardened Build Example for the Solaris 9 OS

BigAdmin System Administration Portal

Community-Submitted Article

Submit Content | Check BigAdmin Bucks

This content is submitted by a BigAdmin user. It has not been reviewed for technical accuracy by Sun Microsystems, though it may have been lightly edited to improve readability. If you find an error or would like to comment on the article, please contact the submitter or use the comment field at the bottom of the article. Community submissions may not follow Sun trademark guidelines. For information on Sun trademarks, please see http://www.sun.com/suntrademarks/.

Hardened Build Example for the Solaris 9 OS

Ross Moffatt, March 2007

Contents

Overview
Initial Solaris Boot and Install
Mirror the Disks
Harden the Installation
About the Author

Overview

I decided to publish this example build as there are a number of questions along the lines of "How do I harden my host?" A couple of utilities are available, but if you really want to see what is involved to harden a host, read on.

The information in this article has mainly come from the Sun host hardening utility, Solaris Security Toolkit. This build is designed as a hardened build of the Solaris platform, with mirroring. As a result, the build ends up quite small, under 200MB. The philosophy behind this build is:

If you don't need it, don't load it.
If you have to load it, harden it.

Of course this means the server is unfriendly. You will have no man pages, no mail, only ssh available for remote login, no inetd running, and generally which <command> will return <command> not found. This setup is intended to be used to run an application, not user shell access.

This build was done on a Sun Fire V120 server with two 36G drives and 1G of memory, partitioned as follows:

        /		1 GB
        swap		2 GB
        /usr		1 GB
        /var		20 GB
        /var/crash	3 GB
        /opt		7.4 GB
        unassigned	16 MB

The installation will then be hardened. The hardening process includes stopping unused components from running, editing the configuration of components that are running, and changing permissions of files/directories.

Host detail required:

Host Name             <hostname>
IP Address            <ipaddress>
Netmask               <netmask>
Default Router        <defaultrouter>
DNS Domain            <dnsdomain>
Primary Nameserver    <nameserver1>
Secondary Nameserver  <nameserver2>
Primary time server   <timeserver1>
Secondary time server <timeserver2>

CD-ROM list:

Solaris 9 9/05 Software CD 1, English

Solaris 9 9/05 Software CD 2, English

Initial Solaris Boot and Install

Power on the CD-ROM drive and any other external peripherals, including the console. Power on the machine. Open the CD-ROM tray, and insert the "Solaris 9 9/05 Software 1 of 2" CD.

From the console:

Interrupt the boot and get to the ok prompt.

Note: Screen output has been edited.

{1} ok boot cdrom

Select the language you want to use to run the installer: <select your language>

Select a Locale,
Please make a choice (0 - 59), or press h or ? for help: <select your location>

What type of terminal are you using?
Type the number of your choice and press Return: <select your terminal type, I use a DEC VT100>

F2 continue, F2 continue

Network Connectivity
      Networked      [X] Yes

DHCP
      Use DHCP      [X] No

Primary Network Interface
      Primary network interface      [X] eri0

Host Name	<hostname>

IP Address	<ipaddress>

Subnets
      System part of a subnet      [X] Yes

Netmask
<netmask>

IPv6
      Enable IPv6      [X] No

Set a default Route
      [X] Specify one
Default Route IP Address
      Router IP Address: <defaultrouter>

Confirm Information
      F2 continue

Configure Security Policy:
      Configure Kerberos Security      [X] No

Confirm Information
      F2 continue

Name Service
      Name service	      [X] DNS

Domain Name
      <dnsdoamin>

DNS Server Address
      Servers IP Address: <nameserver1>
      Servers IP Address: <nameserver2>
      Servers IP Address:

DNS Search List
      Search Domain:  <dnsdoamin>
      Search Domain:
      Search Domain:
      Search Domain:
      Search Domain:

Confirm Information
      F2 continue

Name Service Error
      Enter new name service information?
      [X] No

Time Zone
      Regions      [X] <select your region>

Time Zone
      Time zones      [X] <select your time zone>

Date and Time
Accept the default date and time or enter new values.

Solaris Interactive Installation
      F4 Initial

Solaris Interactive Installation
      There are two ways to install your Solaris software:
      - "Standard" installs your system from a standard Solaris Distribution.
      F2 Standard

Select Geographic Regions
  Select the geographic regions for which support should be installed.
  V [/] <select your region>
    [X]     <select your locale>
      F2 continue

Select Software
  Select the Solaris software to install on the system.
      [X]  Core System Support 64-bit ................. 728.00 MB

F4 Customize
Shown here is software to select, all other packages are left unselected.
Some other LAN drives may need to be selected depending upon the LAN card installed.
  [X] Audio Drivers (64-bit).......................................  0.61 MB
V [/] Audio drivers and applications                                 0.42 MB
  [X]     Audio Drivers............................................  0.42 MB
  [X] Basic IP commands (Usr)......................................  0.14 MB
  [!] Core Architecture (Kvm) (64-bit).............................  0.39 MB
  [!] Core Architecture, (Kvm).....................................  1.24 MB
  [!] Core Architecture, (Root).................................... 11.14 MB
  [!] Core Architecture, (Root) (64-bit)........................... 19.89 MB
V [!] Core Solaris                                                  51.07 MB
  [!]     Core Solaris Devices.....................................  0.04 MB
  [!]     Core Solaris, (Root)..................................... 18.43 MB
  [!]     Core Solaris, (Shared Libs)..............................  9.86 MB
  [!]     Core Solaris, (Usr)...................................... 22.73 MB
  [!] Core Solaris (Usr) (64-bit)..................................  2.13 MB
  [!] Core Solaris Libraries (64-bit)..............................  9.30 MB
  [!] Extended System Utilities....................................  1.49 MB
  [!] Forte Developer Bundled 64-bit shared libm...................  0.50 MB
V [X] Freeware Compression Utilities                                 0.58 MB
  [!]     The bzip compression utility.............................  0.16 MB
  [X]     The GNU Zip (gzip) compression utility...................  0.09 MB
  [X]     The Info-Zip (zip) compression utility...................  0.18 MB
  [X]     The Zip compression library..............................  0.14 MB
V [X] Freeware Compression Utilities (64-bit)                        0.21 MB
  [X]     The bzip compression library (64-bit)....................  0.11 MB
  [X]     The Zip compression library (64-bit).....................  0.10 MB
  [X] FTP Server, (Usr)............................................  0.28 MB
  [!] Install and Patch Utilities..................................  0.44 MB
  [!] Keyboard configuration tables................................  0.33 MB
  [!] Network File System (NFS) client support (Root) (64-bit).....  0.70 MB
  [!] Network File System (NFS) server support (Root) (64-bit).....  0.19 MB
V [X] Network File System client support (NFS client)                1.61 MB
  [X]     Network File System (NFS) client support (Root)..........  1.40 MB
  [X]     Network File System (NFS) client support (Usr)...........  0.21 MB
V [X] Network File System server support (NFS server)                0.47 MB
  [X]     Network File System (NFS) server support (Root)..........  0.19 MB
  [X]     Network File System (NFS) server support (Usr)...........  0.27 MB
[X] Network Time Protocol........................................  0.00 MB
V [/] PCI Drivers                                                    0.51 MB
  [!]     PCI Drivers..............................................  0.51 MB
  [!] PCI Drivers (64-bit).........................................  0.61 MB
V [/] Perl 5                                                        10.43 MB
  [!]     Perl 5.6.1 (core)........................................  4.48 MB
  [!]     Perl 5.6.1 (non-core)....................................  5.96 MB
V [/] Programming tools and libraries                                0.48 MB
  [!]     Forte Developer Bundled shared libm......................  0.48 MB
  [X]     Solaris cpp..............................................  0.11 MB
  [X] SCSI Enclosure Services Device Driver........................  0.07 MB
  [X] SCSI Enclosure Services Device Driver (64-bit)...............  0.07 MB
  [X] Solaris Desktop /usr/dt filesystem anchor....................  0.01 MB
  [!] Solaris Naming Enabler.......................................  0.01 MB
V [X] Solaris Volume Manager                                         9.37 MB
  [X]     Solaris Volume Manager, (Root)...........................  7.92 MB
  [X]     Solaris Volume Manager, (Usr)............................  1.45 MB
V [X] Solaris Volume Manager drivers (64-bit)                        1.24 MB
  [X]     Solaris Volume Manager Drivers, (64-bit).................  1.24 MB
  [X] SPARCstorage Array Drivers...................................  0.35 MB
  [X] SPARCstorage Array Drivers (64-bit)..........................  0.42 MB
  [X] SUN Davicom 10/100M Ethernet Driver (64-bit).................  0.01 MB
  [!] Sun Enterprise Network Array firmware and utilities..........  0.88 MB
  [!] Sun Enterprise Network Array libraries (64-bit)..............  0.27 MB
[!] Sun Fibre Channel Transport Software.........................  0.44 MB
[!] Sun Fibre Channel Transport Software (64-bit)................  0.55 MB
  [X] Sun Gigabit Ethernet Adapter Driver (64-bit).................  0.21 MB
V [/] Sun Gigabit Ethernet Adapter Software                          0.17 MB
  [X]     Sun Gigabit Ethernet Adapter Driver......................  0.17 MB
V [/] Sun Gigaswift Ethernet Adapter Software                        0.47 MB
  [!]     Sun GigaSwift Ethernet Adapter (32-bit Driver)...........  0.47 MB
V [/] Sun Gigaswift Ethernet Adapter Software (64-bit)               0.57 MB
  [!]     Sun GigaSwift Ethernet Adapter (64-bit Driver)...........  0.57 MB
  [X] Sun Quad FastEthernet Adapter Driver (64-bit)................  0.19 MB
V [/] Sun Quad FastEthernet PCI/SBus Adapter Software                0.15 MB
  [X]     Sun Quad FastEthernet Adapter Driver.....................  0.15 MB
  [!] Sun RIO 10/100 Mb Ethernet Drivers (64-bit)..................  0.15 MB
  [X] Sun4u FLASH PROM update generic components, (Root)...........  0.02 MB
  [X] Sun4u FLASH PROM Update generic components, (Usr)............  0.05 MB
V [/] SunFastEthernet/FastWideSCSI-2 Adapter Drivers                 0.17 MB
  [!]     SunSwift Adapter Drivers.................................  0.17 MB
  [!] SunSwift Adapter Drivers (64-bit)............................  0.23 MB
V [/] System and Network Admin                                       0.04 MB
  [!]     System & Network Administration Root.....................  0.04 MB
  [!] System Localization..........................................  0.38 MB
  [!] System Localization (64-bit).................................  0.08 MB
  [!] USB Device Drivers (64-bit)..................................  2.01 MB
V [/] Universal Serial Bus Software                                  1.69 MB
  [!]     USB Device Drivers.......................................  1.69 MB
  [!] WAN boot support.............................................  3.42 MB
V [/] X Window System Runtime Environment                           36.83 MB
  [X]     X Window System kernel modules...........................  0.03 MB
  [X]     X Windows System Window Drivers..........................  0.04 MB
V [/] X Window System Runtime Environment (64-bit)                   0.08 MB
  [X]     X Window System kernel modules (64-bit)..................  0.03 MB
  [X]     X Windows System Window Drivers (64-bit).................  0.04 MB

F2 OK

Select Software
      F2 continue

Dependencies <there may be unresolved dependencies that can be ignored>
F2 OK

Select Disks
      Disk Device (Size)        Available Space
      =============================================
      [X] c1t0d0   (34730 MB) boot disk    34730 MB  (F4 to edit)
      F2 Continue

Preserve Data?
      F2 Continue

Automatically Layout File Systems?
      F4 Manual Layout
      F4 Customize

File System and Disk Layout	F4 Customize

Entry:                            Recommended:      MB     Minimum:      MB
=============================================================================
  Slice  Mount Point                 Size (MB)
     0   /                                1000
     1   swap                             2000
     2   overlap                         34730
     3   /usr                             1000
     4   /var                            20000
     5   /var/crash                       3000
     6   /opt                             7400
     7                                      16
=============================================================================
      F2 OK

File System and Disk Layout
      F2 continue

Mount Remote File Systems?
	F2_Continue

Profile
	F2_Continue

Reboot After Installation?
	[X] Auto Reboot
	F2 Begin Installation

<some time passes>
rebooting...

The system is ready.
console login: root

Disable keyboard abort.

Edit /etc/default/kbd.

Uncomment the following line:

#KEYBOARD_ABORT=disable

Save the file then reread the file.

kbd -i

Root environment setup

Change the root account password.

passwd root

Create the root user's profile.

TERM=vt100;export TERM
mkdir roothome
cd roothome
vi .profile

Create this file as follows.

Note: If you have your own .profile, use that here.

  stty erase \^h
  l() { ls -la $* | more ; }
  ll() { ls -la $* ; }
  EDITOR=vi;export EDITOR
  FCEDIT=vi;export FCEDIT
  TERM=vt100;export TERM
  DISPLAY=`who -m | cut -c 39- | cut -d\) -f 1`:0.0
  export DISPLAY
  # Reset prompt for superuser
  #
      PS1="`hostname`/$LOGNAME # "
      export PS1
   echo "WARNING:  YOU ARE SUPERUSER !!\n

Add a user, suser, to the password and shadow files.

vi /etc/passwd

Edit the file to look like this:

root:x:0:1:Super-User:/superuser:/sbin/sh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
sys:x:3:3::/:
adm:x:4:4:Admin:/var/adm:
lp:x:71:8:Line Printer Admin:/usr/spool/lp:
uucp:x:5:5:uucp Admin:/usr/lib/uucp:
nuucp:x:9:9:uucp Admin:/var/spool/uucppublic:/usr/lib/uucp/uucico
smmsp:x:25:25:SendMail Message Submission Program:/:
listen:x:37:4:Network Admin:/usr/net/nls:
suser:x:500:10:Super-user:/roothome:/sbin/sh
nobody:x:60001:60001:Nobody:/:
noaccess:x:60002:60002:No Access User:/:
nobody4:x:65534:65534:SunOS 4.x Nobody:/:

Save the file, then do the following:

vi /etc/shadow

Edit the file to look like this:

root:aabbccddee:13403::::::
daemon:*LK*:6445::::::
bin:*LK*:6445::::::
sys:*LK*:6445::::::
adm:*LK*:6445::::::
lp:*LK*:6445::::::
uucp:*LK*:6445::::::
nuucp:*LK*:6445::::::
smmsp:*LK*:6445::::::
suser::13403::::::
listen:*LK*:::::::
nobody:*LK*:6445::::::
noaccess:*LK*:6445::::::
nobody4:*LK*:6445::::::

Save the file, then do the following:

vi /etc/group

Edit the file to look like this:

root::0:root
other::1:
bin::2:root,bin,daemon
sys::3:root,bin,sys,adm
adm::4:root,adm,daemon
uucp::5:root,uucp
mail::6:root
tty::7:root,adm
lp::8:root,lp,adm
nuucp::9:root,nuucp
staff::10:
daemon::12:root,daemon
sysadmin::14:
smmsp::25:smmsp
nobody::60001:
noaccess::60002:
nogroup::65534:

Use the passwd utility to set the passwords for root and suser. Log out and log in as root to pick up the profile.

Installing Extra Packages

Load the following packages from the Software 1 of 2 CD.

mkdir /cdrom
mount -F hsfs -r /dev/dsk/c0t0d0s0 /cdrom
cd /cdrom/Solaris_9/Product
pkgadd -d . SUNWxwfnt SUNWi1of SUNWlibC SUNWlibCx  SUNWadmr
pkgadd -d . SUNWadmfw SUNWadmc SUNWdtcor SUNWuxflr.u SUNWuxflu.u
cd
umount /cdrom

Load the following packages from the Software 2 of 2 CD.

mount -F hsfs -r /dev/dsk/c0t0d0s0 /cdrom
cd /cdrom/Solaris_9/Product
pkgadd -d . SUNWaccu SUNWsshcu SUNWsshdr SUNWsshdu SUNWsshr SUNWsshu
cd
umount /cdrom

Download SunExplorer.tar.Z from the Sun web site and copy it to /tmp.

cd /tmp
zcat SunExplorer.tar.Z | tar -xf -
pkgadd -d . SUNWexplo SUNWexplu

Here is the list of packages installed.

pkginfo
system      SUNWadmc       System administration core libraries
system      SUNWadmfw      System & Network Administration Framework
system      SUNWadmr       System & Network Administration Root
system      SUNWauaos      Australasia OS Support
system      SUNWauaow      Australasia OW Support
system      SUNWauaox      Australasia 64-bit OS Support
system      SUNWaudd       Audio Drivers
system      SUNWauddx      Audio Drivers (64-bit)
system      SUNWbip        Basic IP commands (Usr)
system      SUNWbzip       The bzip compression utility
system      SUNWcar        Core Architecture, (Root)
system      SUNWcarx       Core Architecture, (Root) (64-bit)
system      SUNWced        Sun GigaSwift Ethernet Adapter (32-bit Driver)
system      SUNWcedx       Sun GigaSwift Ethernet Adapter (64-bit Driver)
system      SUNWcsd        Core Solaris Devices
system      SUNWcsl        Core Solaris, (Shared Libs)
system      SUNWcslx       Core Solaris Libraries (64-bit)
system      SUNWcsr        Core Solaris, (Root)
system      SUNWcsu        Core Solaris, (Usr)
system      SUNWcsxu       Core Solaris (Usr) (64-bit)
system      SUNWdmfex      Sun Davicom 10/100Mb Ethernet Driver (64-bit)
system      SUNWdtcor      Solaris Desktop /usr/dt filesystem anchor
system      SUNWeridx      Sun RIO 10/100 Mb Ethernet Drivers (64-bit)
system      SUNWesu        Extended System Utilities
system      SUNWfcip       Sun FCIP IP/ARP over FibreChannel Device Driver
system      SUNWfcipx      Sun FCIP IP/ARP over FibreChannel Device Driver (64-bit)
system      SUNWfcp        Sun FCP SCSI Device Driver
system      SUNWfcpx       Sun FCP SCSI Device Driver (64-bit)
system      SUNWfctl       Sun Fibre Channel Transport layer
system      SUNWfctlx      Sun Fibre Channel Transport layer (64-bit)
system      SUNWftpu       FTP Server, (Usr)
system      SUNWged        Sun Gigabit Ethernet Adapter Driver
system      SUNWgedx       Sun Gigabit Ethernet Adapter Driver (64-bit)
system      SUNWhmd        SunSwift Adapter Drivers
system      SUNWhmdx       SunSwift Adapter Drivers (64-bit)
system      SUNWi1cs       X11 ISO8859-1 Codeset Support
system      SUNWi1of       ISO-8859-1 (Latin-1) Optional Fonts
system      SUNWkey        Keyboard configuration tables
system      SUNWkvm        Core Architecture, (Kvm)
system      SUNWkvmx       Core Architecture (Kvm) (64-bit)
system      SUNWlibC       Sun Workshop Compilers Bundled libC
system      SUNWlibCx      Sun WorkShop Bundled 64-bit libC
system      SUNWlibms      Forte Developer Bundled shared libm
system      SUNWlmsx       Forte Developer Bundled 64-bit shared libm
system      SUNWloc        System Localization
system      SUNWlocx       System Localization (64-bit)
system      SUNWluxop      Sun Enterprise Network Array firmware and utilities
system      SUNWluxox      Sun Enterprise Network Array libraries (64-bit)
system      SUNWmdi        Sun Multipath I/O Drivers
system      SUNWmdix       Sun Multipath I/O Drivers (64-bit)
system      SUNWmdr        Solaris Volume Manager, (Root)
system      SUNWmdu        Solaris Volume Manager, (Usr)
system      SUNWmdx        Solaris Volume Manager Drivers, (64-bit)
system      SUNWnfscr      Network File System (NFS) client support (Root)
system      SUNWnfscu      Network File System (NFS) client support (Usr)
system      SUNWnfscx      Network File System (NFS) client support (Root) (64-bit)
system      SUNWnfssr      Network File System (NFS) server support (Root)
system      SUNWnfssu      Network File System (NFS) server support (Usr)
system      SUNWnfssx      Network File System (NFS) server support (Root) (64-bit)
system      SUNWntpr       NTP, (Root)
system      SUNWntpu       NTP, (Usr)
system      SUNWpd         PCI Drivers
system      SUNWpdx        PCI Drivers (64-bit)
system      SUNWpl5u       Perl 5.6.1 (core)
system      SUNWpl5v       Perl 5.6.1 (non-core)
system      SUNWqfed       Sun Quad FastEthernet Adapter Driver
system      SUNWqfedx      Sun Quad FastEthernet Adapter Driver (64-bit)
system      SUNWses        SCSI Enclosure Services Device Driver
system      SUNWsesx       SCSI Enclosure Services Device Driver (64-bit)
system      SUNWsolnm      Solaris Naming Enabler
system      SUNWssad       SPARCstorage Array Drivers
system      SUNWssadx      SPARCstorage Array Drivers (64-bit)
system      SUNWsshcu      SSH Common, (Usr)
system      SUNWsshdr      SSH Server, (Root)
system      SUNWsshdu      SSH Server, (Usr)
system      SUNWsshr       SSH Client and utilities, (Root)
system      SUNWsshu       SSH Client and utilities, (Usr)
system      SUNWswmt       Install and Patch Utilities
system      SUNWusb        USB Device Drivers
system      SUNWusbx       USB Device Drivers (64-bit)
system      SUNWuxflr      Sun4u FLASH PROM update generic components, (Root)
system      SUNWuxflu      Sun4u FLASH PROM Update generic components, (Usr)
system      SUNWwbsup      WAN boot support
system      SUNWxwdv       X Windows System Window Drivers
system      SUNWxwdvx      X Windows System Window Drivers (64-bit)
system      SUNWxwfnt      X Window System platform required fonts
system      SUNWxwmod      X Window System kernel modules
system      SUNWxwmox      X Window System kernel modules (64-bit)
system      SUNWzlib       The Zip compression library

Mirror the Disks

Set up partitions on disks.

prtvtoc /dev/rdsk/c1t0d0s2 | fmthard -s - /dev/rdsk/c1t1d0s2

Create the state database replicas.

metadb -a -f -c 3 /dev/dsk/c1t0d0s7
metadb -a -c 3 /dev/dsk/c1t1d0s7

Create the submirrors for the / (root) file system.

metainit -f d10 1 1 c1t0d0s0
d10: Concat/Stripe is setup
metainit -f d20 1 1 c1t1d0s0
d20: Concat/Stripe is setup
metainit d0 -m d10
d0: Mirror is setup

Update the root to be the mirror.

Update /etc/vfstab.

vi /etc/vfstab

Change from this:

#device         device          mount           FS      fsck    mount   mount
#to mount       to fsck         point           type    pass    at boot options
#
fd      -       /dev/fd fd      -       no      -
/proc   -       /proc   proc    -       no      -
/dev/dsk/c1t0d0s1       -       -       swap    -       no      -
/dev/md/dsk/d0  /dev/md/rdsk/d0 /       ufs     1       no      -
/dev/dsk/c1t0d0s3       /dev/rdsk/c1t0d0s3      /usr    ufs     1       no      -
/dev/dsk/c1t0d0s4       /dev/rdsk/c1t0d0s4      /var    ufs     1       no      -
/dev/dsk/c1t0d0s5       /dev/rdsk/c1t0d0s5      /var/crash      ufs     2       yes     -
/dev/dsk/c1t0d0s6       /dev/rdsk/c1t0d0s6      /opt    ufs     2       yes      -
swap    -       /tmp    tmpfs   -       yes     -

Change to this:

#device         device          mount           FS      fsck    mount   mount
#to mount       to fsck         point           type    pass    at boot options
#
fd      -       /dev/fd fd      -       no      -
/proc   -       /proc   proc    -       no      -
/dev/md/dsk/d1       -       -       swap    -       no      -
/dev/md/dsk/d0  /dev/md/rdsk/d0 /       ufs     1       no      -
/dev/md/dsk/d3       /dev/md/rdsk/d3      /usr    ufs     1       no      -
/dev/md/dsk/d4       /dev/md/rdsk/d4      /var    ufs     1       no      -
/dev/md/dsk/d5       /dev/md/rdsk/d5      /var/crash      ufs     2       yes     -
/dev/md/dsk/d6       /dev/md/rdsk/d6      /opt    ufs     2       yes      -
swap    -       /tmp    tmpfs   -       yes     -

Do the following:

init 6

Attaching the Mirrors

metattach d0 d20
d0: submirror d20 is attached
metattach d1 d21
d1: submirror d21 is attached
metattach d3 d23
d3: submirror d23 is attached
metattach d4 d24
d4: submirror d24 is attached
metattach d5 d25
d5: submirror d25 is attached
metattach d6 d26
d5: submirror d25 is attached

Use metastat to check the status of the mirrors.

metastat

Edit the system file so the system will boot even if only one boot disk is available.

echo "set md:mirrored_root_flag=1" >> /etc/system

Operating System Configuration

dumpadm -d /dev/md/dsk/d1
      Dump content: kernel pages
       Dump device: /dev/md/dsk/d1 (swap)
Savecore directory: /var/crash/<hostname>
  Savecore enabled: yes


mkdir /etc/ntp

vi /etc/inet/ntp.conf

Create this file as follows.

server <timeserver1> key 0 prefer
server <timeserver2> key 0

Check and/or patch the server firmware.

Download the latest OpenBoot PROM (OBP) patch, unpack, and follow the installation instructions.

Patch the installation.

mkdir /var/tmp/sol9patches
cd /var/tmp/sol9patches
ftp <somewhere>
  ftp> bi
  ftp> get 9_SunAlert_Patch_Cluster.zip
  ftp> bye
unzip *
cd 9_SunAlert_Patch_Cluster
../install_cluster
init 6

Harden the Installation

Stop functions from starting on boot (as root).

mv /etc/rc2.d/S72autoinstall /etc/rc2.d/K72autoinstall
mv /etc/rc2.d/S71sysid.sys /etc/rc2.d/K71sysid.sys
mv /etc/rc2.d/S30sysid.net /etc/rc2.d/K30sysid.net
mv /etc/rc3.d/S15nfs.server /etc/rc3.d/K15nfs.server
mv /etc/rc2.d/S89PRESERVE /etc/rc2.d/K89PRESERVE
mv /etc/rc2.d/S71ldap.client /etc/rc2.d/K71ldap.client
mv /etc/rc2.d/S72inetsvc /etc/rc2.d/K72inetsvc
mv /etc/rc2.d/S71rpc /etc/rc2.d/K71rpc
mv /etc/rc2.d/S73nfs.client /etc/rc2.d/K73nfs.client

Add functions to start on boot.

vi /etc/rc2.d/S73swapadd

Create this file as follows.

Save the file.

chmod 744 /etc/rc2.d/S73swapadd

vi /etc/init.d/nddconfig

Create this file as follows.

#!/sbin/sh
#
# Copyright 2005 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
# ident	"@(#)nddconfig	2.23	05/07/22 SMI"
#
# INTRODUCTION
#
#  This script sets network driver parameters to prevent some network
#  attacks.  Install this script to make changes at system boot.  For
#  further information on the parameters set in this script, see
#  the Sun Blueprints(tm) OnLine article entitled "Solaris Operating
#  Environment Network Settings for Security - Updated for the Solaris
#  9 Operating Environment."
#
#	http://www.sun.com/blueprints/0603/816-5240.pdf
#
#  The latest version of this script is available from the Blueprints
#  OnLine tools area at:
#
#	http://www.sun.com/blueprints/tools/
#
#  This script is written for the Solaris 2.5.1, 2.6, 7, 8, 9, and 10
#  Operating System releases.
#
# WARNING
#
#  This script makes changes to the system default network driver
#  parameters.  The settings included in this script are considered safe
#  in terms of security.  However, some settings may not work in your
#  environment.  The comments provided for each parameter explain the
#  effect the setting has.
#
# INSTALLATION
#
#	# cp <script> /etc/init.d/nddconfig
#	# chmod 744 /etc/init.d/nddconfig
#	# chown root:sys /etc/init.d/nddconfig
#	# ln /etc/init.d/nddconfig /etc/rc2.d/S70nddconfig
#
# WARNING MESSAGES
#
#  When adding specific privileged ports ({tcp|udp}_extra_priv_ports_add),
#  if a specific port number has already been applied, the following
#  warning message is displayed:
#
#	operation failed, File exists
#
#  This is a very poor ndd warning message.  It can be safely ignored.
#

PATH=/usr/bin:/usr/sbin

#
# A note about parameter values:
#     '0' == false/off/disable
#     '1' == true/on/enable
#

#
# verbose
#
#  This option enables verbose output generated by this script.
#

if [ -z "${NDDCONFIG_VERBOSE}" ]; then
   verbose="0"
else
   verbose="${NDDCONFIG_VERBOSE}"
fi

#
# arp_cleanup_interval
#
#  This option determines the period of time the Address Resolution
#  Protocol (ARP) cache maintains entries. ARP attacks may be effective
#  with the default interval. Shortening the timeout interval should
#  reduce the effectiveness of such an attack.
#  The default value is 300000 milliseconds (5 minutes).
#
arp_cleanup_interval=L:60000

#
# ip_forward_directed_broadcasts
#
#  This option determines whether to forward broadcast packets directed
#  to a specific net or subnet, if that net or subnet is directly
#  connected to the machine. If the system is acting as a router, this
#  option can be exploited to generate a great deal of broadcast network
#  traffic. Turning this option off will help prevent broadcast traffic
#  attacks.
#  The default value is 1 (true).
#
ip_forward_directed_broadcasts=E:0

#
# ip_forward_src_routed
# ip6_forward_src_routed (Solaris 8 OS and above)
#
#  This option determines whether to forward packets that are source
#  routed. These packets define the path the packet should take instead
#  of allowing network routers to define the path.
#  The default value is 1 (true).
#
ip_forward_src_routed=E:0
ip6_forward_src_routed=E:0

#
# ip_ignore_redirect
# ip6_ignore_redirect (Solaris 8 OS and above)
#
#  This option determines whether to ignore Internet Control Message
#  Protocol (ICMP) packets that define new routes. If the system is
#  acting as a router, an attacker may send redirect messages to alter
#  routing tables as part of a sophisticated attack (man-in-the-middle
#  attack) or a simple denial of service.
#  The default value is 0 (false).
#
ip_ignore_redirect=E:1
ip6_ignore_redirect=E:1

#
# ip_ire_flush_interval (Solaris 2.5.1, 2.6, and 7 OS releases)
# ip_ire_arp_interval   (Solaris 8 OS and above)
#
#  This option determines the period of time at which a specific route
#  will be kept, even if currently in use. ARP attacks may be effective
#  with the default interval. Shortening the time interval may reduce
#  the effectiveness of attacks.
#  The default interval is 1200000 milliseconds (20 minutes).
#
ip_ire_flush_interval=L:60000
ip_ire_arp_interval=L:60000

#
# ip_respond_to_address_mask_broadcast
#
#  This option determines whether to respond to ICMP netmask requests,
#  which are typically sent by diskless clients when booting. An
#  attacker may use the netmask information for determining network
#  topology or the broadcast address for the subnet.
#  The default value is 0 (false).
#
ip_respond_to_address_mask_broadcast=E:0

#
# ip_respond_to_echo_broadcast
# ip_respond_to_echo_multicast  (Solaris 9 OS)
# ip6_respond_to_echo_multicast (Solaris 8 OS and above)
#
#  This option determines whether to respond to ICMP broadcast (or
#  multicast) echo requests (ping). An attacker may try to create a
#  denial-of-service attack on subnets by sending many broadcast (or
#  multicast) echo requests to which all systems will respond. This
#  also provides information on systems that are available on the
#  network. The default value is 1 (true).
#
ip_respond_to_echo_broadcast=E:0
ip_respond_to_echo_multicast=E:0
ip6_respond_to_echo_multicast=E:0

#
# ip_respond_to_timestamp
#
#  This option determines whether to respond to ICMP timestamp requests,
#  which some systems use to discover the time on a remote system. An
#  attacker may use the time information to schedule an attack at a
#  period of time when the system may run a cron job (or other time-
#  based event) or otherwise be busy. It may also be possible to predict
#  ID or sequence numbers that are based on the time of day for spoofing
#  services.
#  The default value is 1 (true).
#
ip_respond_to_timestamp=E:0

#
# ip_respond_to_timestamp_broadcast
#
#  This option determines whether to respond to ICMP broadcast timestamp
#  requests that are used to discover the time on all systems in the
#  broadcast range. This option is dangerous for the same reasons as
#  responding to a single timestamp request. Additionally, an attacker
#  may try to create a denial-of-service attack by generating many
#  broadcast timestamp requests.
#  The default value is 1 (true).
#
ip_respond_to_timestamp_broadcast=E:0

#
# ip_send_redirects
# ip6_send_redirects (Solaris 8 OS and above)
#
#  This option determines whether to send ICMP redirect messages, which
#  can introduce changes into a remote system's routing table. It should
#  only be used on systems that act as routers.
#  The default value is 1 (true).
#
ip_send_redirects=E:0
ip6_send_redirects=E:0

#
# ip_strict_dst_multihoming
# ip6_strict_dst_multihoming (Solaris 8 OS and above)
#
#  This option determines whether to enable strict destination
#  multihoming. If this is set to 1 and ip_forwarding is set to 0, then
#  a packet sent to an interface from which it did not arrive will be
#  dropped. This setting prevents an attacker from passing packets across
#  a machine with multiple interfaces that is not acting as a router.
#  The default value is 0 (false).
#
#  NOTE: Strict destination multihoming may prevent SunCluster 2.x
#  systems from operating as intended. This script will NOT enable
#  strict destination multihoming if SunCluster 2.x software is installed.
#
ip_strict_dst_multihoming=E:1
ip6_strict_dst_multihoming=E:1

#
# ip_def_ttl
#
#  This option sets the default time to live (TTL) value for IP packets.
#  Normally, this should not be altered from the default value.
#  Changing it to a different value may fool some OS "fingerprinting"
#  tools such as queso or nmap.
#  The default value is 255.
#
ip_def_ttl=E:255

#
# tcp_conn_req_max_q0
#
#  This option sets the size of the queue containing unestablished
#  connections. This queue is part of a protection mechanism against
#  SYN flood attacks. The queue size default is adequate for most
#  systems but should be increased for busy servers.
#  The default value is 1024.
#
tcp_conn_req_max_q0=G:4096

#
# tcp_conn_req_max_q
#
#  This option sets the maximum number of fully established connections.
#  Increasing the size of this queue provides some limited protection
#  against resource consumption attacks. The queue size default is
#  adequate for most systems but should be increased for busy servers.
#  The default value is 128.
#
tcp_conn_req_max_q=G:1024

#
# tcp_rev_src_routes (Solaris 8 OS and above)
#
#  This option determines whether the specified route in a source
#  routed packet will be used in returned packets. TCP source routed
#  packets may be used in spoofing attacks, so the reverse route should
#  not be used.
#  The default value is 0 (false).
#
tcp_rev_src_routes=E:0

#
# Adding specific privileged ports (Solaris 2.6 OS and above)
#
#  These options define additional TCP and UDP privileged ports outside
#  of the 1-1023 range. Any program that attempts to bind the ports
#  listed here must run as root. This prevents normal users from
#  starting server processes on specific ports. Multiple ports can be
#  specified by quoting and separating them with spaces.
#
#  Defaults values:
#	tcp_extra_priv_ports: 2049 (nfsd) 4045 (lockd)
#	udp_extra_priv_ports: 2049 (nfsd) 4045 (lockd)
#
tcp_extra_priv_ports_add=S:"6112"
udp_extra_priv_ports_add=S:""

#
# Ephemeral port range adjustment
#
#  These options define the upper and lower bounds on ephemeral ports.
#  Ephemeral (means short-lived) ports are used when establishing
#  outbound network connections.
#
#  Defaults values:
#	tcp_smallest_anon_port=32768
#	tcp_largest_anon_port=65535
#	udp_smallest_anon_port=32768
#	udp_largest_anon_port=65535
#
tcp_smallest_anon_port=G:32768
tcp_largest_anon_port=L:65535
udp_smallest_anon_port=G:32768
udp_largest_anon_port=L:65535

#
# Nonprivileged port range adjustment
#
#  These options define the start of nonprivileged TCP and UDP ports.
#  The nonprivileged port range normally starts at 1024. Any program
#  that attempts to bind a nonprivileged port does not have to run as
#  root.
#
#  Defaults values:
#	tcp_smallest_nonpriv_port=1024
#	udp_smallest_nonpriv_port=1024
#
tcp_smallest_nonpriv_port=G:1024
udp_smallest_nonpriv_port=G:1024

#		+-----------------------------------------+
#		| No modification needed below this line. |
#		+-----------------------------------------+

#
# base parameters (the same across Solaris release 2.5.1 and above)
#
base_parameters="arp_cleanup_interval \
		 ip_forward_directed_broadcasts \
		 ip_forward_src_routed \
		 ip_ignore_redirect \
		 ip_respond_to_address_mask_broadcast \
		 ip_respond_to_echo_broadcast \
		 ip_respond_to_timestamp \
		 ip_respond_to_timestamp_broadcast \
		 ip_send_redirects \
		 ip_strict_dst_multihoming \
		 ip_def_ttl \
		 tcp_conn_req_max_q0 \
		 tcp_conn_req_max_q \
		 tcp_smallest_anon_port \
		 tcp_largest_anon_port \
		 udp_smallest_anon_port \
		 udp_largest_anon_port \
		 tcp_smallest_nonpriv_port \
		 udp_smallest_nonpriv_port"

#
# OS_revision specific parameters
#

# Solaris 2.5.1 specific parameters
SunOS5_5_1="ip_ire_flush_interval"

# Solaris 2.6 specific parameters
SunOS5_6="ip_ire_flush_interval \
	  tcp_extra_priv_ports_add \
	  udp_extra_priv_ports_add"

# Solaris 7 specific parameters
SunOS5_7="ip_ire_flush_interval \
	  tcp_extra_priv_ports_add \
	  udp_extra_priv_ports_add"

# Solaris 8 specific parameters
SunOS5_8="ip_ire_arp_interval \
	  tcp_extra_priv_ports_add \
	  udp_extra_priv_ports_add \
	  tcp_rev_src_routes"

# Solaris 9 specific parameters
SunOS5_9="ip_ire_arp_interval \
          ip_respond_to_echo_multicast \
	  tcp_extra_priv_ports_add \
	  udp_extra_priv_ports_add \
	  tcp_rev_src_routes"

# Solaris 10 specific parameters
SunOS5_10="ip_ire_arp_interval \
           ip_respond_to_echo_multicast \
	   tcp_extra_priv_ports_add \
	   udp_extra_priv_ports_add \
	   tcp_rev_src_routes"

#
# IPv6 parameters (apply to Solaris 8, 9, and 10 (alpha))
#
ip6_parameters="ip6_forward_src_routed \
		ip6_respond_to_echo_multicast \
		ip6_send_redirects \
		ip6_ignore_redirect \
		ip6_strict_dst_multihoming"

#
# system privilege ports defaults
#
extra_priv_ports_defaults="2049 4045 "

#
# check for the presence of SunCluster 2.x software
#  (disables strict destination multihoming if SunCluster 2.x is installed)
#
if [ -f /opt/SUNWcluster/bin/scconf ]; then
    [ "$verbose" = "1" ] && \
	echo "SunCluster 2.2 detected; disabling IP strict destination multihoming."
    ip_strict_dst_multihoming=0
    ip6_strict_dst_multihoming=0
fi

# check for the presence of SunCluster 3.1u1 software or later
#  (disables strict destination multihoming if SC 3.1u1 is installed
# This check is for SC31u1 for 32-bit and 64-bit mode
# We also need to check for an amd64 driver

if [ -f /kernel/drv/clprivnet -o -f /kernel/drv/sparcv9/clprivnet \
     -o -f /kernel/drv/amd64/clprivnet ]; then
    [ "$verbose" = "1" ] && \
        echo "SunCluster 3.1u1 or later detected; disabling IP strict destination multihoming."
    ip_strict_dst_multihoming=0
    ip6_strict_dst_multihoming=0
fi

#
# get OS name and revision information
#
os=`uname -s`
revision=`uname -r`
OSRev=$os`echo $revision | sed -e 's/\./_/g'`

#
# check if IPv6 is enabled
#
# ip6_interfaces="`echo /etc/hostname6.*[0-9] 2> /dev/null`"
# [ "$ip6_interfaces" != "/etc/hostname6.*[0-9]" ] && ip6_enabled=true
#
# Force IPv6 checks to always be applied. These do not generate an error if
# there are no IPv6 interfaces defined, and the settings will persist if one
# is created at a later point in time.
#

if [ "$revision" = "5.5.1" -o "$revision" = "5.6" -o "$revision" = "5.7" ]; then
   ip6_enabled=false
else
   ip6_enabled=true
fi

#
# check if running from a global zone (zones-enabled systems only)
#

if [ "$revision" = "5.10" ]; then
   if [ -x /usr/bin/zonename ]; then
      zoneName="`/usr/bin/zonename`"
   else
      zoneName="global"
   fi

if [ "${zoneName}" != "global" ]; then
      [ "$verbose" = "1" ] && \
         echo "This script can only be used from within the 'global' zone."
         exit 1
   fi
fi

#
# do_in_order -- This function executes the specified functions with
#   the appropriate parameters for the local OS, revision, and
#   configuration. Currently it acts on a specific base set of
#   parameters, OS and revision specific parameters, and IPv6
#   parameters.
#
do_in_order() { # function_name

function_name=$1

eval OSRev_params=$$OSRev

# develop a complete list of parameters (sorted by name)

param_list="$base_parameters $OSRev_params"
    if [ "$ip6_enabled" = "true" ]; then
       param_list="$param_list $ip6_parameters"
    fi
    sorted_list="`echo $param_list | xargs -n 1 echo | sort -d`"

# handle the parameters
    for param in $sorted_list; do
	$function_name $param
    done
}

#
# set_parameter -- This function uses ndd to set a parameter.
#   The supplied parameter name has a shell variable with the same
#   name which contains the value for the parameter.
#
set_parameter() { # parameter

# definition for local variable
    param=$1

# determine the driver from the first substring in the parameter name
    driver=/dev/`echo $param | sed -e 's/_.*//'`

eval tmpValues=$$param

# strip off any comparison tags (such as "E", "G", or "L"
    values=`echo "${tmpValues}" | cut -d: -f2-`

# First check that a value for the parameter exists. If not, skip it.

ndd $driver $param 2>&1 | egrep -s "name is non-existent for this module" 2>/dev/null
    if [ $? != 0 ]; then
       if [ -n "$values" ]; then
	
          # Some parameters may have multiple values specified in one
          #  assignment further up in the script. ndd only accepts one
          #  parameter at a time.  Loop through and set each value.
          for value in $values; do
             [ "$verbose" = "1" ] && echo "Setting $param to $value"
             ndd -set $driver $param $value
          done
       fi
    fi
}

#
# display_parameter -- This function uses ndd to extract the value of
#   a parameter and display it.
#
display_parameter() { # parameter

# definition for local variable
    param=$1

# hack for the "write only" extra privileged ports parameters
    param=`echo $param | sed -e 's/_add$//'`

# determine the driver from the first substring in the parameter name
    driver=/dev/`echo $param | sed -e 's/_.*//'`

# execute the ndd command to retrieve settings and remove newlines

ndd $driver $param 2>&1 | egrep -s "name is non-existent for this module" 2>/dev/null
    if [ $? != 0 ]; then
       value=`ndd $driver $param | tr -d '\n'`
    else
       # parameter does not exist, so cannot compare.
       return
    fi

# print parameter value
    # echo "   $driver $param = '$value'"
    echo "   $param = '$value'"
}

#
# compare_parameter -- This function uses ndd to extract the value of
#   a parameter. It compares the current parameter value to the one
#   defined in this script.
#
compare_parameter() { # parameter

# definition for local variable
    originalParam="$1"

# hack for the "write only" extra privileged ports parameters
    modifiedParam=`echo $originalParam | sed -e 's/_add$//'`

# determine the driver from the first substring in the parameter name
    driver=/dev/`echo $modifiedParam | sed -e 's/_.*//'`

# execute the ndd command to retrieve settings and remove newlines
    ndd $driver $param 2>&1 | egrep -s "name is non-existent for this module" 2>/dev/null
    if [ $? != 0 ]; then
       currentValue=`ndd $driver $modifiedParam | tr -d '\n'`
    else
       # parameter does not exist, so cannot compare.
       return
    fi

eval tmpIntendedValue="$$originalParam"

# separate the actual value from the comparison tag.  note that the
    # intendedRange parameter is only used when intendedOperator="R".

intendedOperator=`echo "${tmpIntendedValue}" | awk -F: '{ print $1 }'`
    intendedRange=`echo "${tmpIntendedValue}"    | awk -F: '{ print $2 }'`
    intendedValue=`echo "${tmpIntendedValue}"    | awk -F: '{ print $NF }'`

# if the modified parameter name is different from the original
    #  parameter, then we are dealing with the privileged port parameters
    if [ "$modifiedParam" != "$originalParam" ]; then

# the privileged port parameters have system defaults that must
	#  be accounted for in the comparison
	if [ -n "$intendedValue" ]; then
	    intendedValue="$extra_priv_ports_defaults$intendedValue "
	else
	    intendedValue="$extra_priv_ports_defaults"
	fi
        intendedOperator="S"
    fi

# print parameter value and note all deviations
    # echo "   $driver $modifiedParam = '$currentValue'\c"
    echo "   $modifiedParam = '$currentValue'\c"

# perform the strict comparison
    strictOK=0
    [ "${currentValue}" = "${intendedValue}" ] && strictOK=1

# perform the loose comparison. In this case, if the values are within
    # the allowed range (as specified by the "G", "L", or "S" tags), then
    # consider the match a success.

valOK=0
    case "${intendedOperator}" in
       E) [ "${currentValue}" -eq "${intendedValue}" ] && valOK=1 ;;
       G) [ "${currentValue}" -ge "${intendedValue}" ] && valOK=1 ;;
       L) [ "${currentValue}" -le "${intendedValue}" ] && valOK=1 ;;
       R)
          lowEnd=`echo "${intendedRange}" | awk -F- '{ print $1 }'`
          highEnd=`echo "${intendedRange}" | awk -F- '{ print $2 }'`
          [ "${currentValue}" -ge "${lowEnd}" -a \
             "${currentValue}" -le "${highEnd}" ] && valOK=1
          ;;
       S)
          valOK=1
          for iEntry in ${intendedValue}; do
             found=0
             for cEntry in ${currentValue}; do
                if [ "${cEntry}" = "${iEntry}" ]; then
                   found=1
                   break
                fi
             done
             if [ ${found} = 0 ]; then
                valOK=0
                break
             fi
          done
          ;;
    esac

if [ "${valOK}" = 0 ]; then
	echo " (fail) [should be '$intendedValue']"
    else
        if [ "${strictOK}" = "1" ]; then
	   echo " (pass) [exact match]"
        else
	   echo " (pass) [loose match]"
        fi
    fi
}

# Process the command argument
case "$1" in

'start')

# set the parameters in the defined order
	do_in_order set_parameter
        [ "$verbose" = "0" ] && \
           echo "Sun BluePrints network security settings applied."
	;;

'show')

echo "Current ndd parameter settings:"
	do_in_order display_parameter
	;;

'compare')

echo "Comparison of ndd parameter settings:"
	do_in_order compare_parameter
	;;

'stop')
	# ignored
	[ "$verbose" = "1" ] && \
	    echo "$0: 'stop' ignored.  No network changes applied."
	;;

*)
	echo "Usage: $0 { start | stop | show | compare }"
	exit 1
	;;
esac

exit 0

Here are the next steps:

chmod 744 /etc/init.d/nddconfig
chown root:sys /etc/init.d/nddconfig
ln /etc/init.d/nddconfig /etc/rc2.d/S70nddconfig

Configuration files to modify (as root):

vi /etc/default/keyserv

Change the following line from:

#ENABLE_NOBODY_KEYS=YES

to:

ENABLE_NOBODY_KEYS=NO

Do the following:

vi /etc/cron.d/cron.deny

Add the following line:

lp

Here's the next step:

vi /etc/nscd.conf

Edit the file to look like this:

#
# Copyright (c) 1994-2001 by Sun Microsystems, Inc.
# All rights reserved.
#
#ident  "@(#)nscd.conf  1.6     01/01/26 SMI"
#

#
#       Currently supported cache names: passwd, group, hosts, ipnodes
#           exec_attr, prof_attr, user_attr
#

#       logfile                 /var/adm/nscd.log
#       enable-cache            hosts           no

debug-level             0

positive-time-to-live   passwd          0
        negative-time-to-live   passwd          0
        suggested-size          passwd          211
        keep-hot-count          passwd          20
        old-data-ok             passwd          no
        check-files             passwd          yes

positive-time-to-live   group           0
        negative-time-to-live   group           0
        suggested-size          group           211
        keep-hot-count          group           20
        old-data-ok             group           no
        check-files             group           yes

positive-time-to-live   hosts           0
        negative-time-to-live   hosts           0
        suggested-size          hosts           211
        keep-hot-count          hosts           20
        old-data-ok             hosts           no
        check-files             hosts           yes

positive-time-to-live   ipnodes         0
        negative-time-to-live   ipnodes         0
        suggested-size          ipnodes         211
        keep-hot-count          ipnodes         20
        old-data-ok             ipnodes         no
        check-files             ipnodes         yes

positive-time-to-live   exec_attr       3600
        negative-time-to-live   exec_attr       300
        suggested-size          exec_attr       211
        keep-hot-count          exec_attr       20
        old-data-ok             exec_attr       no
        check-files             exec_attr       yes

positive-time-to-live   prof_attr       3600
        negative-time-to-live   prof_attr       5
        suggested-size          prof_attr       211
        keep-hot-count          prof_attr       20
        old-data-ok             prof_attr       no
        check-files             prof_attr       yes

positive-time-to-live   user_attr       3600
        negative-time-to-live   user_attr       5
        suggested-size          user_attr       211
        keep-hot-count          user_attr       20
        old-data-ok             user_attr       no
        check-files             user_attr       yes

vi /etc/default/login

Uncomment the following line:

CONSOLE=/dev/console

vi /etc/pam.conf

Edit the file to look like this:

#
#ident  "@(#)pam.conf   1.20    02/01/23 SMI"
#
# Copyright 1996-2002 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
# PAM configuration
#
# Unless explicitly defined, all services use the modules
# defined in the "other" section.
#
# Modules are defined with relative pathnames, i.e., they are
# relative to /usr/lib/security/$ISA. Absolute path names, as
# present in this file in previous releases are still acceptable.
#
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
login   auth requisite          pam_authtok_get.so.1
login   auth required           pam_dhkeys.so.1
login   auth required           pam_unix_auth.so.1
login   auth required           pam_dial_auth.so.1
#
# rlogin service (explicit because of pam_rhost_auth)
#
#rlogin  auth sufficient         pam_rhosts_auth.so.1
rlogin  auth requisite          pam_authtok_get.so.1
rlogin  auth required           pam_dhkeys.so.1
rlogin  auth required           pam_unix_auth.so.1
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
#rsh     auth sufficient         pam_rhosts_auth.so.1
rsh     auth required           pam_unix_auth.so.1
#
# PPP service (explicit because of pam_dial_auth)
#
ppp     auth requisite          pam_authtok_get.so.1
ppp     auth required           pam_dhkeys.so.1
ppp     auth required           pam_unix_auth.so.1
ppp     auth required           pam_dial_auth.so.1
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other   auth requisite          pam_authtok_get.so.1
other   auth required           pam_dhkeys.so.1
other   auth required           pam_unix_auth.so.1
#
# passwd command (explicit because of a different authentication module)
#
passwd  auth required           pam_passwd_auth.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron    account required        pam_projects.so.1
cron    account required        pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other   account requisite       pam_roles.so.1
other   account required        pam_projects.so.1
other   account required        pam_unix_account.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other   session required        pam_unix_session.so.1
#
# Default definition for  Password management
# Used when service name is not explicitly mentioned for password management
#
other   password required       pam_dhkeys.so.1
other   password requisite      pam_authtok_get.so.1
other   password requisite      pam_authtok_check.so.1
other   password required       pam_authtok_store.so.1
#
# Support for Kerberos V5 authentication (uncomment to use Kerberos)
#
#rlogin         auth optional           pam_krb5.so.1 try_first_pass
#login          auth optional           pam_krb5.so.1 try_first_pass
#other          auth optional           pam_krb5.so.1 try_first_pass
#cron           account optional        pam_krb5.so.1
#other          account optional        pam_krb5.so.1
#other          session optional        pam_krb5.so.1
#other          password optional       pam_krb5.so.1 try_first_pass

Save the file, then do the following:

rm /etc/inetd.conf
touch /etc/inetd.conf

vi /etc/logadm.conf

Change

/var/cron/log -c -s 512k -t /var/cron/olog

/var/cron/log -c -s 10240k -t /var/cron/olog

Save the file, then do the following:

vi /etc/default/inetinit

Change the line

TCP_STRONG_ISS=1

TCP_STRONG_ISS=2

Do the following:

echo "set sys:coredumpsize=0" >> /etc/system
echo "set noexec_user_stack=1" >> /etc/system
echo "set noexec_user_stack_log=1" >> /etc/system

rm /etc/cron.d/at.allow
touch /etc/cron.d/at.allow

vi /etc/cron.d/at.deny

Edit the file to look like this:

root
daemon
bin
sys
adm
lp
uucp
smmsp
suser
sonnet
nobody
noaccess
smtp
nuucp
listen

Save the file, then do the following:

vi /etc/cron.d/cron.allow

Edit the file to look like this:

root
adm

Save the file, then do the following:

vi /etc/cron.d/cron.deny

Edit the file to look like this:

daemon
bin
sys
lp
uucp
smmsp
suser
nobody
noaccess
smtp
nuucp
listen

Save the file, then do the following:

vi /etc/default/inetd

Change the following line from:

#ENABLE_TCPWRAPPERS=NO

to:

ENABLE_TCPWRAPPERS=YES

Save the file, then do the following:

vi /etc/ssh/sshd_config

Uncomment the following line:

Banner /etc/issue

Set default term to vt100.

vi /etc/profile

Change the following lines from:

if [ "$TERM" = "" ]
then
        if /bin/i386
        then
                TERM=sun-color
        else
                TERM=sun
        fi
        export TERM
fi

to:

TERM=vt100
export TERM

Save the file, then do the following:

vi /etc/.login

Change the following lines from:

if ( $?TERM == 0 ) then
        if { /bin/i386 } then
                setenv TERM sun-color
        else
                setenv TERM sun
        endif
else
        if ( $TERM == "" ) then
                if { /bin/i386 } then
                        setenv TERM sun-color
                else
                        setenv TERM sun
                endif
        endif
endif

to:

TERM=vt100
export TERM

Save the file, then do the following:

vi /etc/.login

Check that the following line exists, or add it to the beginning of the file.

umask 022

Do the following:

vi /etc/profile

Check that the following line exists, or add it to the beginning of the file.

umask 022

Do the following:

vi /etc/skel/local.cshrc

Check that the following line exists, or add it to the beginning of the file.

umask 022

Do the following:

vi /etc/skel/local.login

Check that the following line exists, or add it to the beginning of the file.

umask 022

Do the following:

vi /etc/skel/local.profile

Check that the following line exists, or add it to the beginning of the file.

umask 022

Uncomment the UMASK parameter in default/login.

vi /etc/default/login

Uncomment the following line:

UMASK=022

Here are configuration files to create (as root):

touch /noautoshutdown

Disable IPv4/IPv6 routing.

touch /etc/notrouter

Define what shells can be used on the system.

vi /etc/shells

Create this file as follows:

/usr/bin/sh
/usr/bin/csh
/usr/bin/ksh
/usr/bin/jsh
/bin/sh
/bin/csh
/bin/ksh
/bin/jsh
/sbin/sh
/sbin/jsh
/bin/pfcsh
/bin/pfksh
/bin/pfsh
/usr/bin/pfcsh
/usr/bin/pfksh
/usr/bin/pfsh

Save the file.

vi /etc/issue

Create this file as follows:

Authorized Use Only
|-----------------------------------------------------------------|
| This system is for the use of authorized users only.            |
| Individuals using this computer system without authority, or in |
| excess of their authority, are subject to having all of their   |
| activities on this system monitored and recorded by system      |
| personnel.                                                      |
|                                                                 |
| In the course of monitoring individuals improperly using this   |
| system, or in the course of system maintenance, the activities  |
| of authorized users may also be monitored.                      |
|                                                                 |
| Anyone using this system expressly consents to such monitoring  |
| and is advised that if such monitoring reveals possible         |
| evidence of criminal activity, system personnel may provide the |
| evidence of such monitoring to law enforcement officials.       |
|-----------------------------------------------------------------|

File permissions to change as root.

Review files with vulnerable permissions.

find / -perm -0002 -exec ls -ld {} \; | grep -v lrwxrwxrwx | grep -v crw-rw-rw-
drwxrwxrwt   3 root     mail       512 Oct 14 11:22 /var/mail
drwxrwxrwt   2 root     bin        512 Oct 14 11:22 /var/preserve
drwxrwxrwt   2 root     bin        512 Oct 14 11:22 /var/spool/pkg
drwxrwxrwt   3 root     sys        512 Nov  1 10:26 /var/tmp
drwxrwxrwt   3 root     sys        117 Nov  1 05:58 /tmp

find / -perm -4000 -exec ls -ld {} \;
-r-sr-xr-x   1 root     sys    13252 Jun 18  2004 /usr/bin/sparcv7/newtask
-r-sr-xr-x   2 root     bin    11248 Apr  7  2002 /usr/bin/sparcv7/uptime
-r-sr-xr-x   2 root     bin    11248 Apr  7  2002 /usr/bin/sparcv7/w
-r-sr-xr-x   1 root     sys    18456 Jun 18  2004 /usr/bin/sparcv9/newtask
-r-sr-xr-x   2 root     bin    15296 Apr  7  2002 /usr/bin/sparcv9/uptime
-r-sr-xr-x   2 root     bin    15296 Apr  7  2002 /usr/bin/sparcv9/w
-rwsr-xr-x   1 root     sys    37824 Oct 15  2004 /usr/bin/at
-rwsr-xr-x   1 root     sys    13916 Apr  7  2002 /usr/bin/atq
-rwsr-xr-x   1 root     sys    12836 Apr  7  2002 /usr/bin/atrm
-r-sr-xr-x   1 root     bin    17180 Jul  8 10:00 /usr/bin/crontab
-r-sr-xr-x   1 root     bin    14276 Apr  7  2002 /usr/bin/eject
-r-sr-xr-x   1 root     bin    25964 Apr  7  2002 /usr/bin/fdformat
-r-sr-xr-x   1 root     bin    29368 Apr  8  2005 /usr/bin/login
-rwsr-xr-x   1 root     sys     7908 Dec 17  2004 /usr/bin/newgrp
-r-sr-sr-x   1 root     sys    21964 Apr  7  2002 /usr/bin/passwd
-r-sr-xr-x   1 root     bin     9676 Oct 30  2003 /usr/bin/pfexec
-r-sr-xr-x   1 root     sys    21960 May 11  2004 /usr/bin/su
-r-s--x--x   1 5        bin    54740 Apr  7  2002 /usr/bin/tip
-r-sr-xr-x   1 root     bin    14184 Sep  4  2004 /usr/lib/fs/ufs/quota
-r-sr-xr-x   1 root     bin    87508 May 21 08:52 /usr/lib/fs/ufs/ufsdump
-r-sr-xr-x   1 root     bin  1047992 May 21 08:52 /usr/lib/fs/ufs/ufsrestore
---s--x--x   1 root     bin     4988 Apr  7  2002 /usr/lib/pt_chmod
-r-sr-xr-x   1 root     bin     7452 Apr 23  2003 /usr/lib/utmp_update
-r-sr-xr-x   1 root     bin    11872 Apr  7  2002 /usr/sbin/sparcv7/whodo
-rwsr-xr-x   3 root     bin    16508 Apr  2  2003 /usr/sbin/allocate
-rwsr-xr-x   1 root     sys    22548 Apr  7  2002 /usr/sbin/sacadm
-r-sr-xr-x   1 root     bin    35860 Apr 14  2004 /usr/sbin/traceroute
-rwsr-xr-x   3 root     bin    16508 Apr  2  2003 /usr/sbin/deallocate
-rwsr-xr-x   3 root     bin    16508 Apr  2  2003 /usr/sbin/list_devices
-r-sr-xr-x   1 root     bin    16072 Apr  7  2002 /usr/sbin/sparcv9/whodo
-r-sr-xr-x   1 root     bin    47932 Oct  1  2004 /usr/sbin/ping

find / -perm -2000 -exec ls -ld {} \;
-r-x--s--x   1 root     mail  /usr/bin/mail
-r-x--s--x   1 root     mail  /usr/bin/mailx
-r-xr-sr-x   1 root     sys   /usr/bin/netstat
-r-sr-sr-x   1 root     sys   /usr/bin/passwd
-r-xr-sr-x   1 root     tty   /usr/bin/write
-rwxr-sr-x   1 root     sys   /usr/platform/SUNW,Sun-Fire-V240/sbin/scadm
-r-xr-sr-x   1 root     sys   /usr/platform/sun4u/sbin/eeprom
-rwxr-sr-x   1 root     sys   /usr/platform/sun4u/sbin/prtdiag
-r-xr-sr-x   1 root     sys   /usr/sbin/sparcv7/prtconf
-r-xr-sr-x   1 root     sys   /usr/sbin/sparcv7/swap
-r-xr-sr-x   1 root     sys   /usr/sbin/sparcv7/sysdef
-r-xr-sr-x   1 root     tty   /usr/sbin/wall
-r-xr-sr-x   1 root     sys   /usr/sbin/sparcv9/prtconf
-r-xr-sr-x   1 root     sys   /usr/sbin/sparcv9/swap
-r-xr-sr-x   1 root     sys   /usr/sbin/sparcv9/sysdef

Make /usr a read-only file system.

Edit vfstab and change the mount options in the following lines:

vi /etc/vfstab
/dev/md/dsk/d3     /dev/md/rdsk/d3    /usr    ufs     1       no      ro

Reboot the host for this change to take effect.

init 6

Set up OBP command protection.

Note: This needs to be run only once to install on the Boot PROM.

eeprom "security-#badlogins=3"
eeprom "security-mode=command"
Changing PROM password:
New password: ######
Retype new password: ######

About the Author

Ross Moffatt has been a UNIX System Administrator for more than 10 years and can be contacted at ross.stuff [at] telstra.com.

Unless otherwise licensed, code in all technical manuals herein (including articles, FAQs, samples) is provided under this License.

Search BigAdmin

» Search the HCL

BigAdmin Subscriptions

BigAdmin Areas

BigAdmin Sun Center

BigAdmin Topics

About Oracle | Oracle and Sun |