3.1) how much disk space do

8/14/2019 3.1) How Much Disk Space Do

1/28

3.1) How much disk space do I need to install Solaris 2?

3.2) How can I convert all my local changes that I've made over the years into their

corresponding forms on Solaris 2?

3.3) What are "packages"?

3.4) Why can't I write in/mount over /home?

3.5) Why can't I access CDs or floppies? 3.6) Why are there no passwords in /etc/passwd?

3.7) Why can't I rlogin/telnet in as root?

3.8) Why can't I ssh in as root?

3.9) How can I have a user without a password?

3.10) How can I have a "su-only" user?

3.11) How can I set up anonymous FTP?

3.12) How can I print from a Solaris 2 (or any System V Release 4) system to aSunOS4.x (or any other BSD) system?

3.13) How can I print to a non-Postscript/non-ascii printer?

3.14) How can I print to a networked printer?

3.15) Why does lp complain about invalid content types? 3.16) My jobs stay in the queue after printing.

3.17) Are there any alternatives to the system V spooler?

3.18) What happened to /dev/MAKEDEV? How do I add devices?

3.19) Why isn't my tape/cd player or new disk/device recognized?

3.20) What happened to /etc/rc and /etc/rc.local?

3.21) What happened to /etc/rc?.d/*?

3.22) Can't I have /etc/rc.local back?

3.23) Why are there two versions of shutdown?

3.24) When will somebody publish a package of the BSD (4.3BSD Net2) "init","getty", and "rc/rc.local", so we can go back to life in the good old days?

3.25) What has happened to getty? What is pmadm and how do you use it? 3.26) How do I get the screen to blank when nobody's using it?

3.27) And what about screendump, screenload and clear_colormap?

3.28) Where did etherfind go?

3.29) Can I run SunOS 4.1.x on my SPARC Classic, LX, SS5, SS4, SS20, Voyager,SS1000, SC2000, CS6400, Ultra?

3.30) The "find" program complains that my root directory doesn't exist?

3.31) I'm having troubles with high-speed input on the Sparc serial ports. What

should I do?

3.32) How do I make ksh or csh be the login shell for root?

3.33) What is this message: "automount: No network locking on host, contact

administrator to install server change."?

3.34) I have all kinds of problems with SCSI disks/RAIDs under Solaris 2.x They

worked fine under SunOS 4.x.

3.35) How do I make Solaris2 use my old ADAPTEC ACB-4000 and Emulex MD-21disk controllers?

3.36) Should I wait installing the latest Solaris release until there are enough patches?

3.37) Why are there so many patches for Solaris 2.x?

3.38) What are the ``mandatory'' patches I keep hearing about?
http://www.science.uva.nl/pub/solaris/solaris2/Q3.1.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q3.2.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q3.2.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q3.3.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q3.4.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q3.5.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q3.6.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q3.7.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q3.8.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q3.9.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q3.10.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q3.11.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q3.12.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q3.12.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q3.13.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q3.14.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q3.15.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q3.16.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q3.17.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q3.18.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q3.19.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q3.20.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q3.21.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q3.22.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q3.23.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q3.24.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q3.24.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q3.25.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q3.26.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q3.27.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q3.28.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q3.29.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q3.29.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q3.30.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q3.31.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q3.31.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q3.32.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q3.33.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q3.33.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q3.34.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q3.34.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q3.35.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q3.35.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q3.36.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q3.37.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q3.38.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q3.1.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q3.2.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q3.2.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q3.3.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q3.4.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q3.5.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q3.6.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q3.7.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q3.8.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q3.9.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q3.10.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q3.11.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q3.12.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q3.12.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q3.13.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q3.14.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q3.15.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q3.16.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q3.17.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q3.18.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q3.19.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q3.20.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q3.21.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q3.22.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q3.23.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q3.24.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q3.24.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q3.25.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q3.26.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q3.27.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q3.28.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q3.29.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q3.29.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q3.30.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q3.31.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q3.31.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q3.32.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q3.33.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q3.33.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q3.34.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q3.34.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q3.35.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q3.35.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q3.36.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q3.37.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q3.38.html


2/28


3/28

3.82) How do I secure my Solaris system?

4. NETWORKING

4.1) How do I use DNS w/o using NIS or NIS+?

4.2) What is /etc/nsswitch.conf? 4.3) What does [NOTFOUND=return] in nsswitch.conf mean?

4.4) Can I run a nis/yp server under Solaris 2.x?

4.5) Can I run NIS+ under Solaris 1 (SunOS 4.1.x)

4.6) With NIS+ how do I find out which machine a client is bound to?

4.7) Ypcat doesn't work on the netgroup table on a NIS+ server, why?

4.8) Why is rpc.nisd such a memory pig according to ps?

4.9) How do I tell my NIS+ server to service DNS requests from 4.x clients?

4.10) How can I have multiple addresses per interface?

4.11) Solaris 2+ supports filesystem sizes up to 16TB. Will this give interoperabilityproblems with NFS?

4.12) Where can I get an SNMP agent for Solaris? 4.13) How can I use full-duplex ethernet?

4.14) Where can I get BOOTP/DHCP for Solaris?

4.15) What kind of multicast support does Solaris have?

4.16) How can I have NAT or a firewall on Solaris?

4.17) Where can I get an IPv6 capable version of tcp wrapper?

5. TROUBLE SHOOTING

5.1) The Solaris 2.x application XX fails with a mysterious error condition.

5.2) In Solaris 2.5 nm is slow or dumps core. 5.3) Why can't I run Answerbook on a standalone machine?

5.4) Why can't I display Answerbook remotely?

5.5) Why can't I run filemgr, I get ``mknod: permission denied''?

5.6) Why do I get isinf undefined when linking with libdps on Solaris 2.3?

5.7) I can't get PPP to work between Solaris 2.3 and other platforms.

5.8) Using compat mode for passwd doesn't work in 2.3?

5.9) Why do I get __builtin_va_alist or __builtin_va_arg_incr undefined?

5.10) When compiling, I get "No DATAMODEL_NATIVE specified"?

5.11) My machine hangs during the boot process. It seems related to ps.

5.12) Syslogd doesn't seem to log anything.

5.13) Syslogd in 2.6 runs with -z -n, what's up?

5.14) I get ``Invalid client credential'' when mounting filesystem on Solaris client

from non-Sun fileserver.

5.15) After upgrade to 2.4, ls on NFS mounted directories hangs.

5.16) After installing patch 101945-xx, I have NFS problems (ksh looping).

5.17) I messed up /etc/system, now I can't boot.

5.18) The /etc/path_to_inst file is corrupted, I can't boot.

5.19) TCP/IP connections time out too soon, especially on slow links.
http://www.science.uva.nl/pub/solaris/solaris2/Q3.82.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q4.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q4.1.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q4.2.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q4.3.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q4.4.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q4.5.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q4.6.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q4.7.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q4.8.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q4.9.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q4.10.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q4.11.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q4.11.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q4.12.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q4.13.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q4.14.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q4.15.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q4.16.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q4.17.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.1.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.2.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.3.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.4.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.5.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.6.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.7.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.8.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.9.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.10.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.11.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.12.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.13.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.14.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.14.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.15.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.16.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.17.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.18.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.19.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q3.82.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q4.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q4.1.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q4.2.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q4.3.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q4.4.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q4.5.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q4.6.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q4.7.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q4.8.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q4.9.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q4.10.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q4.11.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q4.11.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q4.12.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q4.13.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q4.14.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q4.15.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q4.16.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q4.17.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.1.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.2.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.3.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.4.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.5.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.6.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.7.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.8.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.9.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.10.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.11.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.12.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.13.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.14.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.14.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.15.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.16.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.17.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.18.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.19.html


4/28

5.20) Sendmail connection to non-Unix hosts don't work.

5.21) Solaris 2.x can't set up any TCP/IP connections to certain hosts.

5.22) I read 5.21, but I still have connectivity problems.

5.23) When reading mail on non-Solaris clients of a Solaris mail server, or with non-

Solaris mail readers, some messages get split into multiple messages.

5.24) Mail/mailx often send reply to wrong user or show wrong sender. 5.25) One of my users can't login (one some machines).

5.26) My clients with remote /var (/var/adm) partitions won't boot.

5.27) Vacation doesn't work reliably in a mixed Solaris/SunOS environment.

5.28) I have a lot of processes. How do I get rid of them?

5.29) I get /dev/ptmx: No such device when attempting to telnet/rlogin in.

5.30) I get Could not grant slave pty on telnet/rlogin

5.31) ld bails out with msync errors.

5.32) su responds with "Sorry" and doesn't prompt for a password.

5.33) Why can't I install 2.4 from a non-Sun CD while I could do so with 2.3?

5.34) ifconfig can't find my network interface

5.35) I have an application that compiled fine, but when I run it I get: fatal:libfoo.so.2: can't open file: errno=2 or No such file or directory

5.36) Motif programs dump core almost immediately.

5.37) cc complains that "language optional software package not installed".

5.38) thr_create/pthread_create and other thread functions always return -1

5.39) Solaris 2.4 is getting slower over time/seems to have a kernel memory leak.

5.40) Why do I get ``Unable to install/attach driver 'xxx''' messages?

5.41) I can't run nfs: netdir_getbyname failure, /dev/udp: bind problem

5.42) Why do I get ``named[]: rt_malloc: memdebug overflow'' errors?

5.43) The ld command dumps core on Solaris/x86

5.44) In Solaris 2.4 my TCP performance is extremely poor.

5.45) Solaris 2.4 in.tftpd is terribly slow.

5.46) I get "df: Could not find mount point ..."

5.47) I changed root's shell, forgotten root's password, and I can't login.

5.48) How do I boot single user from CD?

5.49) How do I interrupt the system boot sequence on SPARC?

5.50) How do I reset the NVRAM to factory defaults?

5.51) When linking C++ programs, I get "_ex_keylock" undefined.

5.52) My NFS server hangs when I get filesystem full/over quota errors.

5.53) OpenWindows fails with "Binding Unix Socket: Invalid argument"

5.54) Why is Xsun such a memory pig, especially on the SX, S24 and FFB?

5.55) Solaris 2.5 and Solaris 2.4 patch 101945-34+ have poor TCP performance over

slow links.

5.56) After install x86 patch 101946-29, I have problems with sockets and TCP/IP

throughput.

5.57) The commands du and ls show funny block counts on NFSv3 filesystems.

5.58) When I halt/reboot my system I get "INIT: failed write of utmpx entry"

5.59) Patch installation often fails with "checkinstall" errors.

5.60) Why do I get a CPU-bound rpc.ttdbserverd process?

5.61) What is /proc? Can I safely remove the large files there?
http://www.science.uva.nl/pub/solaris/solaris2/Q5.20.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.21.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.22.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.23.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.23.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.24.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.25.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.26.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.27.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.28.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.29.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.30.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.31.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.32.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.33.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.34.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.35.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.35.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.36.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.37.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.38.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.39.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.40.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.41.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.42.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.43.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.44.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.45.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.46.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.47.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.48.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.49.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.50.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.51.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.52.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.53.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.54.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.55.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.55.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.56.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.56.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.57.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.58.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.59.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.60.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.61.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.20.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.21.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.22.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.23.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.23.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.24.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.25.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.26.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.27.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.28.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.29.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.30.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.31.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.32.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.33.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.34.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.35.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.35.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.36.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.37.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.38.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.39.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.40.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.41.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.42.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.43.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.44.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.45.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.46.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.47.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.48.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.49.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.50.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.51.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.52.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.53.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.54.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.55.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.55.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.56.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.56.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.57.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.58.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.59.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.60.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.61.html


5/28

5.62) What does "named[XX]: Lame server on 'hostname' ...." mean?

5.63) I installed Solaris on a new/big disk, but now booting fails.

5.64) I have a problem with large disk drives.

5.65) When I try a network install I get: "WARNING: using boot version 8, expected

9"

5.66) My Ultra shuts down with "WARNING: THERMAL WARNINGDETECTED!!!"

5.67) Power management shuts down my monitor, but it never comes back.

5.68) I can't seem to disable power management in 2.6!

5.69) Power management no longer kicks in when xlock runs

5.70) Orainst 7.3.2 dumps core in 2.5.1 with patches and in 2.6.

5.71) My dial-on-demand link keeps dialing out, seems DNS related.

5.72) Processes hang in door_call(), hostname lookups hang.

5.73) When using Solaris 2.6, many fonts don't show up properly in Netscape 4.

5.74) When using virtual interfaces in 2.6, the system picks a random source address.

How can I fix this?

5.75) A downloaded binary complains "libresolv.so.2: can't open file" 5.76) Ypserv/NIS w/ DNS is very unreliable in Solaris 2.6.

5.77) When trying to install Solaris 2.x on an Ultra-5/Ultra-10/Ultra-60, it can't find"kernel/unix".

5.78) After the system has been up for a while, freemem is only a couple of MB.

5.79) A device driver that worked fine under S2.6 stopped loading under S7

5.80) I get a lot of "late collisions", what are those?

5.81) I can't mount an NFS filesystem, I get "RPC: Program not registered".

5.82) How do I automatically NFS share inserted CD-Roms?

5.83) I cannot run remote tooltalk sessions on Solaris 8 displays and recently patchedolder systems.

5.84) Where is all my memory in use?

5.85) Tcpd prints "connect (refused) from 0.0.0.0" in Solaris 8 and later?

5.86) The permissions on /tmp are wrong after a reboot?

5.87) After upgrading to Solaris 9 vold no longer mounts CDs.

.1) How secure is Solaris 2?

Solaris 2 is relatively secure, considering that it is a general-purpose, time-sharing,multi-user operating system. Such systems are inherently full of compromises.Solaris 2 is a version of Unix which was not designed for security. However, Sunactively fixes security holes. Additionally, there are facilities that can increase the

security of Solaris (see section 3).

Specifically, Solaris has been designed to meet the TCSEC (Orange Book C2) levelfor security. According to Sun, Solaris 2.4SE is ITSEC E2/F-C2-certified. Solaris 2.6 iscurrently undergoing both the ITSEC E3/F-C2 and TCSEC C2 certification processes.Current information can be found at http://www.sun.com/solaris/2.6/ds-security.html.
http://www.science.uva.nl/pub/solaris/solaris2/Q5.62.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.63.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.64.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.65.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.65.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.66.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.66.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.67.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.68.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.69.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.70.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.71.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.72.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.73.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.74.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.74.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.75.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.76.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.77.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.77.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.78.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.79.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.80.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.81.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.82.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.83.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.83.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.84.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.85.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.86.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.87.htmlhttp://www.sun.com/solaris/2.6/ds-security.htmlhttp://www.sun.com/solaris/2.6/ds-security.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.62.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.63.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.64.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.65.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.65.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.66.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.66.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.67.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.68.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.69.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.70.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.71.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.72.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.73.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.74.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.74.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.75.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.76.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.77.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.77.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.78.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.79.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.80.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.81.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.82.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.83.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.83.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.84.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.85.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.86.htmlhttp://www.science.uva.nl/pub/solaris/solaris2/Q5.87.htmlhttp://www.sun.com/solaris/2.6/ds-security.htmlhttp://www.sun.com/solaris/2.6/ds-security.html


6/28

In order to build a system that actually meets the evaluation there are a number ofpatches that must be installed. A bundle of the exact patches used for the evaluationcan be obtained directly from Sun.

For those that need more security than provided by C2 Sun provides a version ofSolaris that meets was designed to meet the TCSEC CMW (Compartmented Mode

Workstation) level, which exceeds B1.

Trusted Solaris 1.2 F-B1/E3 (Based on SunOS 4.1.3_U1)

Trusted Solaris 2.5.1 F-B1/E3 (Based on Solaris 2.5.1 11/97)

1.2) What version of Solaris should I run?

Where security is concerned? Each subsequent release of Solaris has been animprovement over its predecessor. Solaris 2.7 is currently the latest release, andalso the most secure.

1.3) Can I just install a machine and ignore it?

Most installed machines suffer from entropy: They lack a current OS release, and up-to-date patches and tools. It's important to install the latest patches, at the least, tobe sure that all known security holes are filled.

1.4) What is the single most important step I can take to secure a Solaris machine?

Keep the security patches up-to-date. According to CERT, many systems arecompromised by exploiting known bugs for which patches exist. Simply keepingpatches up-to-date, especially on "exposed" machines, will greatly decrease thechance of a break-in.

2) How can I configure Solaris to make it more secure?

2.2) How should I change root user configuration?

Be sure root has a umask setting of 077 or 027.

Be sure root has a safe search path, as in/usr/bin:/sbin:/usr/sbin

2.3) How should I change startup files?

Generally, examine all "S" files in/etc/rc2.dand/etc/rc3.d. Any files that start

unneeded facilities should be renamed (be sure the new names don't start with "S").Test all boot files changes by rebooting, examining/var/adm/messages, andchecking for extraneous processes in ps -elf output.

2.4) How can I disable network root logins?

Make sure the to enable the "CONSOLE" line in/etc/default/login. To disable use offtp by root, add "root" to/etc/ftpusers.
http://www.cert.org/http://www.cert.org/


7/28

2.5) How do I disable rlogin/rsh access?

Remove/etc/hosts.equiv, /.rhosts, and all of the "r" commands from/etc/inetd.confDo a kill -HUP of the inetd process.

2.6) What accounts are unnecessary?

Remove, lock, or comment out unnecessary accounts, including "sys", "uucp","nuucp", and "listen". The cleanest way to shut them down is to put "*LK*" in thepassword field of the/etc/shadowfile. Also consider using the noshell program tolog attempts to use secured accounts.

2.7) How to I protect devices?

The file/etc/logindevperm contains configuration information to tell the system thepermissions to set on devices associated with login (console, keyboard, etc). Checkthe values in this file and modify them to give different permissions.

For removable media the BSM subsystem provides the allocate and deallocatecommands that ensure that only a single user can access removable media (such astapes) at any one time.

2.8) What permissions should I change in/etc?

No file in/etcneeds to be group writeable. Remove group write permission via thecommand chmod -R g-w /etc

2.9) Why do Solaris machines act as routers?

By default, if a Solaris machine has more than one network interface, Solaris willroute packets between the multiple interfaces. This behavior is controlled by/etc/init.d/inetinit. To turn of routing on a Solaris 2.4 (or lesser) machine, add ndd-set /dev/ip ip_forwarding 0 at the end of/etc/init.d/inetinit. For Solaris 2.5,

simply touch /etc/notrouter. Be aware that there is a small window ofvulnerability during startup when the machine may route, before the routing isturned off.

2.10) How do I disable automounter?

Automounter is controlled by the/etc/auto_* configuration files. To disableautomounter, remove those files, and/or disable the/etc/rc2.d/S74autofs.

2.11) How to I disable NFS service?

NFS exports are controlled by the/etc/dfs/dfstab file. Remove this file. To disable theNFS server daemon, rename/etc/rc3.d/S15nfs.server. To prevent a machine frombeing an NFS client, rename/etc/rc2.d/S73nfs.client. When renaming startup files,be sure to name them with a starting letter other than "S".

2.12) Do I need to worry about cron jobs?


8/28

Review all the cron jobs by reading the cron file of every system account in/var/spool/cron/crontabs. Consider logging all cron activities by setting"CRONLOG=yes" in/etc/default/cron.

2.13) Are there any risks to using dynamic routes?

Machines using a dynamic route-receiving daemon like in.routed and in.rdisc arevulnerable to receiving incorrect routes. These routes can disable some or allconnectivity to other networks. When possible, use static routes (routes added viathe route commands in startup files, rather than the routing daemons.

2.14) When and how should I use static ARP?

ARP is the protocol used to associate IP and Ethernet addresses. Machines that sharea wire (and have no routers between them) know each others ARP addresses. If onemachine is replaced with another, the ARP addresses are usually different. Bydefault, Solaris machines dynamically determine ARP addresses. The arp command

can be used to statically set ARP table entries and flush all other entries. This facility

is best used when there are few, unchanging systems on a network and themachines need to be assured of each other's identities.

2.15) Is it unsecure to run rpcbind?

rpcbind is the program that allows rpc callers and rpc service provides to find eachother. Unfortunately, standard rpc is unsecure. It uses "AUTH_UNIX" authentication,which means it depends on the remote system's IP address and the remote user'sUID for identification. Both of these forms of identification can be easily forged orchanged. General-purpose systems usually need rpc running to keep users happy.Special purpose systems (web servers, ftp servers, mail servers, etc) can usuallyhave rpc disabled. Be sure to test all the facilities that you depend on to be sure they

aren't affected if you turn off rpc. To disable rpc, rename/etc/rc2.d/S71RPC.

2.16) What permission bits should be set on/etc/utmp?

/etc/utmp can be set to mode 644 without disrupting any service.

2.17) What programs can be un-suid'ed?

Many of the setuid and setgid programs on Solaris are used only by root, or by theuser or group-id to which they are set. They can have setuid and setgid removedwithout diminishing user's abilities to get their work done. Consider each of theseprograms individually as to their use on your system. This is an example list of setuid

programs taken from a Solaris 2.6 system:

# find / -perm -4000 -print

/usr/lib/lp/bin/netpr

/usr/lib/fs/ufs/quota

/usr/lib/fs/ufs/ufsdump

/usr/lib/fs/ufs/ufsrestore

/usr/lib/fs/vxfs/vxdump

/usr/lib/fs/vxfs/vxquota


9/28

/usr/lib/fs/vxfs/vxrestore

/usr/lib/exrecover

/usr/lib/pt_chmod

/usr/lib/sendmail

/usr/lib/utmp_update

/usr/lib/acct/accton

/usr/lib/uucp/remote.unknown

/usr/lib/uucp/uucico/usr/lib/uucp/uusched

/usr/lib/uucp/uuxqt

/usr/lib/sendmail.orig

/usr/openwin/lib/mkcookie

/usr/openwin/bin/xlock

/usr/openwin/bin/ff.core

/usr/openwin/bin/kcms_configure

/usr/openwin/bin/kcms_calibrate

/usr/openwin/bin/sys-suspend

/usr/dt/bin/dtaction

/usr/dt/bin/dtappgather

/usr/dt/bin/sdtcm_convert

/usr/dt/bin/dtprintinfo

/usr/dt/bin/dtsession/usr/bin/at

/usr/bin/atq

/usr/bin/atrm

/usr/bin/crontab

/usr/bin/eject

/usr/bin/fdformat

/usr/bin/login

/usr/bin/newgrp

/usr/bin/passwd

/usr/bin/ps

/usr/bin/rcp

/usr/bin/rdist

/usr/bin/rlogin

/usr/bin/rsh/usr/bin/su

/usr/bin/tip

/usr/bin/uptime

/usr/bin/w

/usr/bin/yppasswd

/usr/bin/admintool

/usr/bin/ct

/usr/bin/cu

/usr/bin/uucp

/usr/bin/uuglist

/usr/bin/uuname

/usr/bin/uustat

/usr/bin/uux

/usr/bin/chkey/usr/bin/nispasswd

/usr/bin/cancel

/usr/bin/lp

/usr/bin/lpset

in/lpstat

/usr/bin/volcheck

/usr/bin/volrmmount

/usr/bin/pppconn

/usr/bin/pppdisc


10/28

/usr/bin/ppptool

/usr/sbin/allocate

/usr/sbin/mkdevalloc

/usr/sbin/mkdevmaps

/usr/sbin/ping

/usr/sbin/sacadm

/usr/sbin/whodo

/usr/sbin/deallocate/usr/sbin/list_devices

/usr/sbin/m64config

/usr/sbin/lpmove

/usr/sbin/pmconfig

/usr/sbin/static/rcp

/usr/sbin/vxprint

/usr/sbin/vxmkcdev

/usr/ucb/ps

/usr/vmsys/bin/chkperm

/etc/lp/alerts/printer

Create a master list of the remaining setuid/setgid programs on your system and

check that the list remains static over time.

2.18) What system facilities can I disable?

Every network on the system should be inspected to determine if the facility that itprovides is appropriate for your environment. If not, disable the facility. Some ofthese facilities are in the system startup files, as discussed in section 2. Other arestarted in/etc/inetd.conf. Comment out the unneeded facilities and kill -HUP the

inetd daemon. Some common facilities are:

tftp systat rexd ypupdated netstat

rstatd rusersd sprayd walld exec

comsat rquotad name uucp

For a very secure system, replace the standard inetd.conf with one that just

includes telnet and ftp (if you need those facilities).

2.19) Should I run in.fingerd?

in.fingerd has had some security problems in the past. If you want to provide thefinger facility, run it as "nobody", not as "root".

2.20) Can syslog be made to be more effective?

By default, syslog provides minimal system logging. Modify the/etc/syslog.conffileto have syslog log more information, and separate to where the information islogged by importance. Anything related to security should be sent to a file that getsencrypted. Unfortunately, syslog must be restarted for it to read the new

configuration file.

More login logging can be enabled by creating the "loginlog" file:


11/28

touch /var/adm/loginlog

chmod 600 /var/adm/loginlog

chgrp sys /var/adm/loginlog

2.21) How can the EEPROM make a system more secure?

Set the EEPROM to "security=command" password-protect all EEPROM commandsexcept "boot" and continue". Set the EEPROM's password so no one else can changeits modes. Unfortunately, this doesn't truly secure the machine. If someone hasphysical access to the machine, they can open the machine and replace its EEPROM.Replacing the machine's EEPROM also changes its hostid. Recording all the hostidsof your machines and checking this list against the machines occasionally to verifythat no EEPROMs have been replaced.

2.22) Is my machine being "promiscuous"?

Under Solaris, there is no way to determine if a machine's network interfaces are in

"promiscuous" mode. Promiscuous mode allows the machine to see all networkpackets, rather than just those packets destined for the machine. This allows themachine to snoop the network and monitor all traffic. An interface should only be inpromiscuous mode if the snoop program, or another network monitor program, is

being run. If you aren't running such a program, and your machine's interface is inpromiscuous mode, then it's likely that a hacker is monitoring your network. Thepublic domain ifstatus command returns a machine's promiscuous state. It iscurrently only ported to Solaris 2.6 and below. (See section 3.)

2.23) If I need to use NFS, how can I make it more secure ?

Any filesystems listed in/etc/dfs/dfstab will be exported to the world, bydefault. Include a list of nfs clients (or a netgroup) with the "-o rw" or "-o ro"options.

Include the "nosuid" option to disable setuid programs on that mount whereapplicable

Don't run nfs mount through rpcbind - the mount daemon will see therequest as being local and allow it. This is the source of known rpcbindvulnerabilities as reported by CERT (section 4). Use the rpcbind replacement

(section 3) that disables request forwarding, or be sure have installed thelatest Sun rpcbind patches which also disable forwarding.

Use secure-RPC if possible. If not, you're using "AUTH_UNIX" authentication,which simply depends on the IP address of the client for identification. Anymachine using the IP address of the ones in your access list can gain accessto NFS.

Disable NFS if possible. NFS traffic flows in clear-text (even when using"AUTH_DES" or "AUTH_KERB" for authentication) so any files transported viaNFS are susceptible to snooping.

Programs can guess the file handle of the root mount point and get any filefrom an NFS server, regardless of any access rights. Use fsirand to

randomize inode numbers on NFS servers.

2.24) How can I secure sendmail


12/28

With each new Solaris release, Sun ships sendmail code updated with the latestfixes. Still, there are new bugs reported monthly. How can sendmail be made more

secure?

Consider running the latest version Berkeley sendmail (see section 3)

Consider using smrsh or other sendmail replacements (section 3)

Remove "decode" from/etc/aliases Set/etc/aliases permissions to 644 Consider using a proxy-based firewall with SMTP filtering to screen out

unnecessary SMTP commands. If the machine needs to receive email (and thus needs an SMTP daemon

running, consider a separate partition for /var/mailto prevent spam attacksfrom filling /var and disabling logging et al.

2.25) Is NIS secure, and how can it be made more secure?

NIS is not a secure distributed name service. NIS+ is more secure when configuredproperly. NIS will give away all the information in its tables if its domain name is

guessable. To close this hole, put trusted host/net addresses to/var/yp/securenets.Also consider using secure RPC or NIS+. Finally, don't include root and other systemaccount information in NIS tables.

2.26) What is needed for secure anonymous ftp service?

Solaris 2.5 ftpd(1M) contains a good set of configuration directions, with the

following exceptions:

cp /etc/nsswitch.conf ~ftp/etc

Make sure that the filesystem containing ~ftp is not mounted with the"nosuid" option

No files under ~ftp should be owned by "ftp" More detailed instructions can be found the anonymous ftp directions (section

4).

2.27) How can X be made more secure?

Use the SUN-DES-1 option to use Secure RPC to pass Xauthentication/authorization information.

Use xhost +user@host when granting access

2.28) How do I turn on SUN-DES-1 authentication?

set DisplayManager*authorize: true

set DisplayManager._0.authName: SUN-DES-1

rm ~/.Xauthority

add access permission for local host via xauth local/unix:0 SUN-DES-1unix.local@nisdomain and xauth local:0 SUN-DES-1unix.local@nisdomain

Start X via xinit -- -auth ~/.Xauthority


13/28

Add yourself and remove all others via xhost +user@+unix.local@nisdomain -local -localhost

Now, to give user "foo" permission to access host "node":

Give "foo" permission on "node" via xhost +foo@

Create appropriate xauthority for "foo" via xauth add node:0 SUN-DES-1unix.node@nisdomain

"foo" can now connect to "node": xload -display node:0

2.29) What patches should I install?

Use showrev -p to list patches installed on the system. Check Sun's patch list(section 4) for current security-related patches for the version you are running.Download and install all pertinent security patches. Recheck the patch list frequently.Not all security patches need be installed on every machine. But protect machines,or those with public access, should be kept up-to-date. The patchdiag program thatis available on the SunSolve CD and at the SunSolve web site will automatically

compare the patch level of a host against the current Sun recommended patch set,and display any differences.

2.30) How can I prevent code from executing in the stack?

There are a whole category of security holes that depend on one system flaw: theability to execute code from the stack. These bugs overflow a buffer such that itwrites into stack space. In that space they put code that they can then execute. Inthis way, the bug can execute arbitrary code on the target system.

To secure your system against stack based buffer overflows, you can add thefollowing to /etc/system:

set noexec_user_stack=1

set noexec_user_stack_log =1

The first line will prevent execution on a stack. Care must be taken though, becausethere are some programs which legitimately try to run code off the stack. Thoseprograms will crash if you implement this option. Generally, if the system is singlepurpose and needs to be secure (i.e. a web server), you should use this option. Thesecond line adds logging when someone does try to run an exploit.

2.31) How can I change the greeting banners?

The banner displayed during a terminal or console login comes from /etc/motd. Thedefault telnet banner can be changed by creating /etc/default/telnetd and addingthe "BANNER" variable, as in: BANNER="\n\nThis is a secured system.Unauthorized access prohibited. All activity is logged.\n\n" The default

ftp banner can be changed via a similar line in /etc/default/ftpd.

2.32) How can I prevent TCP sequence prediction attacks?


14/28

In /etc/default/inetinit, modify the variable setting "TCP_STRONG_ISS=2".

3) What programs should I replace or add?

3.1) inetd?

inetd can be replaced with ftp://qiclab.scn.rain.com/pub/security/xinetd* toadd logging facilities. (This program apparently has not been ported to Solaris.)

3.2) ifstatus?

ifstatuscan determine if your network interfaces are in promiscuous mode. This

program needs to grok the kernel, and has only been updated through Solaris 2.6.Until the author gets access to Solaris 7 and 8 source, or until Sun provides aninterface into the kernel for this information, it will not work on those releases.

3.3) xntp?

xntp is a more secure version of ntp, the network time protocol.

As from Solaris 2.6, Sun ships xntpd with the operating system.

3.4) sendmail?

The most recent (and usually most secure) version ofsendmail is always availablefrom Berkeley. Included in the sendmail package is smrsh, the "sendmail restricted

shell" which can be used to control any programs invoked by sendmail.

Warning: there are Sun specific modifcations that will be lost if you move to a plain

Berkley sendmail. Also, Sun sendmail patches have a tendency to replace Berkeleysendmail with Sun's sendmail. After installing patches, check that the sendmail

version that you want to run is still in place.

Sun is now shipping sendmail 8.9.1b with Solaris 7.

There are numerous replacements for sendmail, most designed with securityinvolved. One of the best is .

3.5) rpcbind?

A more secure rpcbind can be used to replace the standard rpcbind on Solaris

machines. This version includes tcpwrapper-like functionality and disablesforwarding of NFS requests through rpcbind. Sun's latest patches to rpcbind alsosolve this problem.

3.6) Password checking programs?
ftp://qiclab.scn.rain.com/pub/security/ftp://ftp.udel.edu/pub/ntp/ftp://qiclab.scn.rain.com/pub/security/ftp://ftp.udel.edu/pub/ntp/


15/28

Unfortunately, passwd+ and npasswd are not yet released on Solaris. They are

replacements for passwd that disallow "stupid" passwords from being used on Unixsystems.

A program similar to npasswd but for NIS only is available:

ftp://autoinst.acs.uci.edu/pub/uci-yppasswd According to the author (Dan

Stromberg), the code for checking for bad passwords is small, and would be easy tocopy into other programs.

From Solaris 2.6 onwards it is possible to augment or replace the authenticationmechanism used by Solaris using the PAM facility. For more information seehttp://www.sun.com/solaris/pam/.

It is easy to implement a PAM module to ensure that users do not use dictionarywords, or to implement your other local rules.

Using PAM there is no need to replace any components of the OS includingpasswd,login etc.

3.7) crack?

The crack program can be used to break "guessable" passwords in your/etc/shadowfile. It uses a lot of compute cycles, but will generally tell you the passwords of 10%of your accounts the first time it is run.

3.8) ftp?

wu-ftp is a replacement for the standard ftpd daemon. It provides extensivelogging and access control.

Another alternative is the ftp daemon from openBSD. "The OpenBSD projectproduces a FREE, multi-platform 4.4BSD-based UNIX-like operating system. Ourefforts emphasize portability, standardization, correctness, proactive security andintegrated cryptography." It's worth checking out the code and tools that they haveproduced.

3.9) fix_modes?

fix-modes is a shell script that makes extensive changes to the file and directorypermissions on standard Solaris machines.

3.10) noshell?

noshell is a program that can be used as the shell on accounts that are never

supposed to be logged into. It logs the event (and prevents the login). (This programapparently has not been ported to Solaris.)

3.11) bind?
http://www.sun.com/solaris/pam/ftp://sable.ox.ac.uk/pub/comp/security/software/crackers/http://www.cetis.hvu.nl/~koos/wu-ftpd-faq.htmlhttp://www.openbsd.org/http://www.sun.com/solaris/pam/ftp://sable.ox.ac.uk/pub/comp/security/software/crackers/http://www.cetis.hvu.nl/~koos/wu-ftpd-faq.htmlhttp://www.openbsd.org/


16/28

The standard bind on Solaris has known security problems (See CERT in section 4).

This problems are patched over time, but the Solaris bind is generally behind thecurve on patches. The current standard bind release is always available at ISC.

3.12) netcat?

NetCat is a tool that is useful for security managers and crackers alike. It is a flexiblenetwork connection creator, allowing for probes of arbitrary ports between arbitrarysystems.

4) What other useful resources should I know about?

4.1) Sun mailing-list?

Sun provides a security bulletin service via an email list to subscribe send email to"[email protected]" with a subject of "subscribe CWS your-mail-address". Oldbulletins are available at ftp://ftp.uu.net/systems/sun/sun-dist. Phone: (415) 688-9081

4.2) Sun patches?

Sun security patches are available at: http://sunsolve1.sun.com (for people with Suncontracts).

4.3) Other Solaris FAQs?

The excellent Solaris FAQ: http://www.wins.uva.nl/pub/solaris/solaris2/

4.4) Useful newsgroups?

All of the USENET newsgroups with "sun" in their name :-)

comp.security.announce

4.5) Useful mailing-lists?

Sun maintains a "patch club" mailing list that includes details of Sun patch releases.Summaries are mailed weekly. The list also receives "EarlyNotifier Alerts" thatcontain important patch information. To change, add, or delete your email address tothe list send mail to: [email protected]

If you want to be on one security mailing list, consider the best-of-security mailinglist. Send subscription requests to [email protected], or for adigest form to [email protected].

Many security problems are due to bugs in the operating system or applications. Tokeep up-to-date on bug happenings, subscribe to the Bugtraq mailing list. Bugtraq isa full-disclosure UNIX security mailing list, started by Scott Chasin . To subscribe tobugtraq, send mail to [email protected] containing the message body "subscribe
ftp://ftp.isc.org/isc/bind/http://www.l0pht.com/~weld/netcat/mailto:[email protected]://sunsolve1.sun.com/http://www.wins.uva.nl/pub/solaris/solaris2/mailto:[email protected]:[email protected]:[email protected]:[email protected]://ftp.isc.org/isc/bind/http://www.l0pht.com/~weld/netcat/mailto:[email protected]://sunsolve1.sun.com/http://www.wins.uva.nl/pub/solaris/solaris2/mailto:[email protected]:[email protected]:[email protected]:[email protected]


17/28


18/28

CIAC is the U.S. Department of Energy's Computer Incident Advisory Capability.Established to provide computer security services to employees and contractors ofthe United States Department of Energy. It's also useful for the rest of us.

RSA maintains a very useful cryptography FAQ that explains many of the confusingaspects of cryptography.

Another useful cracker site is http://www.geocities.com/Area51/5537/. It's anarchive of information useful to crackers.

5) How do I make my Solaris web server more secure?

There are several steps to installing a "secure" Web server. But what is meant by"secure"? Any machine that is publically accessible is necessarily unsecure. Byputting it directly on the Internet you've already opened the front door and allowedanyone to come in and have a look. It is possible to guard the door and be sure thevisitors hang out in only one room though. By installing the operating systemcarefully, adding tools, and adding monitoring software, your Web server can be

much safer than one that uses a default installation.

How secure does a web server have to be? The answer is, "very secure." There havebeen several embarrassing incidents of graffitti on very public web sites, and worse.Any number of toolkits exist that allow total amateurs to become holy terrors. Thegood news is that if you can beat the popular intrusion toolkits, 90 percent of thebad guys will go bother somebody else who's less secure.

While the following techniques can make a Solaris-based system very secure, theyhave to be combined with a strong network architecture utilizing firewalls or filteringrouters (there's no point in controlling access by IP address if crackers can send youpackets with spoofed addresses). Such a strong architecture can only truly exist

when combined with a comprehensive security policy covering your entireorganization.

Furthermore, no system is ever perfectly secure. The extra services (Web serversand anonymous FTP) that you run on the machine will always impact the overallsecurity of the system. Don't be tempted to install other software not listed in theseinstructions. This machine is supposed to be secure, not convenient to administer.

5.0) Web server security checklist

Use this checklist to be sure your server is installed as securely as possible. Feel freeto add to the checklist for site-specific steps, or to share your additions with us ifthey are general-purpose.

Check out Jean Chouanard's tool, solins. It automates a lot of the steps that aredescribed in this checklist.

Keep the system disconnected from the network until all is ready. Install just the core operating system, adding only necessary packages. Install recommended and security patches. Strip down the OS by removing startup files (carefully!).
http://ciac.llnl.gov/http://www.rsa.com/rsalabs/newfaq/http://www.geocities.com/Area51/5537/ftp://ftp.parc.xerox.com/pub/jean/solins/solins.htmlhttp://ciac.llnl.gov/http://www.rsa.com/rsalabs/newfaq/http://www.geocities.com/Area51/5537/ftp://ftp.parc.xerox.com/pub/jean/solins/solins.html


19/28

Disable IP forwarding in/etc/init.d/inetinit. Add a script to system startup to fix/tmp permissions (except on Solaris 2.5)

and mount it "nosuid". Verify that few processes are running via ps.

Invoke sendmail from cron to process queued mail occasionally.

Install and configure tcp_wrappers, S/Key, wu-ftp, and tripwire as

appropriate to your environment. Remove all but wu-ftp and telnet from/etc/inetd.conf, and edit

/etc/hosts.allowto limit the machines that can use these daemons. Enable logging of all telnet access to the system via syslog .

Mount filesystems read-only and no-suid as appropriate. Make/noshellthe default shell for all accounts except root and access. Remove/etc/auto_*, /etc/dfs/dfstab, p/var/spool/cron/crontabs/* (except

root).

Use static routing. Test your system thoroughly, including allowed access and denied access, and

event logging. Consider replacing sendmail, syslog, bind, and crontab with more secure

versions. Install xntp for accurate time stamping.

Consider enabling system accounting. Keep monitoring and testing the Web server.

Even if you only implement some of these security steps, your Web server will bemuch more secure than a standard server installed with a standard Unixconfiguration. But to be safe, go whole-hog and lock that server down with all ofthese tools and techniques.

5.1) Hardware setup

Don't connect the system to a network before it is installed and secured.Theoretically, some cracker could get in and drop back doors onto your system whileyou are in the process of securing it. There are documented cases of people trying tobreak into machines within five minutes of the machine being connected to theInternet.

You will need a CD-ROM drive to do the install and a tape or floppy drive for loadingbinaries and other files you created on other machines. These instructions areappropriate for Solaris 2.5. If you use a different OS version, the security of theresulting system may vary widely.

5.2) Install the OS

Start with the latest, solid version of Solaris 2.X. Each version of Solaris has beenmore secure than its predecessor.

Solaris is quite flexible and contains many conveniences that make your work easier.Unfortunately, all of this extra functionality also makes it easier for potential crackersto gain access to your system. When attempting to create a secure system, the bestplan is to start with the simplest OS you can and then add packages one-by-one on


20/28


21/28

This list will be larger or smaller depending on if you have a graphics card in themachine, are using Solstice DiskSuite, and so on. Remove the files in/etc/rc3.d.

For Solaris 2.4, edit/etc/init.d/inetinitand add the following lines near the end of thefile:

ndd -set /dev/ip ip_forward_directed_broadcasts 0

ndd -set /dev/ip ip_forward_src_routed 0

ndd -set /dev/ip ip_forwarding 0

These lines turn off a feature called IP forwarding. Nearly any machine that uses IP-based networking is capable of being a router, which means the bad guys couldroute packets through your machine to machines on your internal network or othersecure machines that might trust the machine you are building. Turning off IPforwarding disables this feature. ```

Also consider setting the "ip_strict_dst_multihoming" kernel variable via ndd-set /dev/ip ip_strict_dst_multihoming 1

The solaris machine will then drop packets coming in through one interface that aredestined for another interface. This can prevent host spoofing.

* Under Solaris 2.5, creating a file called/etc/notrouterwill turn off IP forwarding. Toallow routing again, simply remove/etc/notrouterand reboot. It's important to notethat there is a small time window between when this file is created and when routingis disabled, theoretically allowing some routing to take place.

Under Solaris 2.4, add a new script called/etc/init.d/tmpfix:

#!/bin/sh

#ident "@(#)tmpfix 1.0 95/08/14"

if [ -d /tmp ]

then

/usr/bin/chmod 1777 /tmp

/usr/bin/chgrp sys /tmp

/usr/bin/chown root /tmp

and then ln /etc/init.d/tmpfix /etc/rc2.d/S79tmpfix so the script is invokedat boot time. This script prevents an attack that would allow a system cracker to getsuperuser access on your machine. It is not necessary under Solaris 2.5.

Some good advice from Casper Dik. Make sure that all of the startup routes run withthe proper umask, so the files they create and not group or world writeable. Here'san easy method to insure this:

umask 022 # make sure umask.sh gets created with the proper mode

echo "umask 022" > /etc/init.d/umask.sh

for d in /etc/rc?.d


22/28


23/28


24/28

want to allow anybody to telnet or ftp to you system, then simply remove the

appropriate line from inetd.conf, or remove the file altogether and inetd will noteven be started at boot time.

Access control for tcpd is configured using the/etc/hosts.allowand/etc/hosts.deny

files. tcpd looks at hosts.allow first, so you can permit a few machines to have

telnet or ftp access and then deny access to everybody else in hosts.deny (this isoften called a "default deny" policy). Here is a sample hosts.allow file:

ALL: 172.16.3.0/255.255.255.0

This would allow any user on any host on the 172.16.3.0 network to have access toallof the services (telnet and ftp) on your machine. That user will still have tosupply the appropriate password or S/Key response (see below). Always use IPaddresses in the hosts.allow file, because hostname information can be spoofed (ifyou are using the Internet Domain Name Service, or some other name service suchas NIS).

Now we want to disallow access for everybody else. Put the following line into/etc/hosts.deny:

ALL: ALL: /usr/bin/mailx -s "%d: connection attempt from %c"

[email protected]

Not only does this deny access to allservices from allhosts, it causes tcpd to send

an alarm via e-mail that somebody is trying to get access to the machine. Substitutethe e-mail address of somebody who reads e-mail regularly for [email protected] the above line.

Now you want tcpd to log all accesses via syslog. Put the following line in/etc/syslog.conf:

auth.auth.notice;auth.info /var/log/authlog

The white-space on the line above mustbe tabs, or syslog will be unable to properlyparse the file and no logging will happen. Note that the logging facility is aconfigurable parameter when building tcpd, but we recommend using AUTH, as

opposed to any LOCAL* facilities.

Other files in

/etc/init.d. Casper reiterates that the choice of which scripts to takeout of/etc/init.dis highlydependent upon which version of Solaris you are using.The list of files we presented in our article was based on a Solaris 2.4 machine, somake sure you know what you're doing if you try out the directions on a Solaris 2.5machine.

Sendmail. Instead of invoking sendmail from cron you can also run the daemonwithout the -bd option. This will cause the daemon to be a queue-watcher only. We

prefer not to have the daemon running (one less process to worry about on thesystem), but your mileage may vary.


25/28

/etc/syslog.conf. There was a typo and an error in our instructions for configuring/etc/syslog.conffor tcpd. The correct line is

auth.info /var/log/authlog

which will log all auth events with severity info and higher to/var/log/authlog. Don't

forget that the whitespace in this entry mustbe tabs.

5.6) Configure S/Key

You will need the S/Key package for remote, secure access. (Part of the logdaemontoolset). S/Key is a one-time-only password mechanism. Instead of typing in yourpassword over the network, the S/Key software will send you a challenge string, andyou will compute a response on your local machine using the challenge and a secretpassword that you have memorized. If you send the proper response back, theS/Key software gives you access to the machine but the response you gave willnever again be valid for getting access to the machine. This means that if somebodyis using a packet sniffer, they cannot capture the response and use it to break into

your machine. The S/Key software also comes with a version of the su commandthat uses S/Key challenge/response to grant superuser access safely over thenetwork.

To begin using S/Key, create an account that uses/usr/local/bin/keysh as its loginshell. You will login as this user with some reusable password of your choosing andthen keysh will force you to respond to an S/Key challenge before giving you a shellprompt.

You should put

access:x:100:100:Access Account:/tmp:/usr/local/bin/keysh

at the end of/etc/passwdand

access:*LK*:6445::::::

at the end of/etc/shadow. Then use the passwd access command to set thepassword for user access. The password you choose here doesn't have to be a verygood password, since you will be relying on keysh to provide the security for thisaccount.

Since/usr/local/bin/keysh is not a standard shell, you have to create an/etc/shellsfile with these lines in it:

/sbin/sh

/usr/local/bin/keysh

Only users whose login shell is one of these two shells are allowed to access themachine.


26/28

Now create an codepty/etc/skeykeys file and make it mode 600 and owned by root:

touch /etc/skeykeys

chmod 600 /etc/skeykeys

chown root /etc/skeykeys

chgrp root /etc/skeykeys

Use the keyinit access command to initialize the S/Key secret for user access. Youhave completed the S/Key setup for user access.

You now want to allow the user access to use the keysu command to become

superuser. First change the entry for group root in/etc/group:

root::0:root,access

Only users listed in this entry are allowed to become superuser using keysu. Now

you have to use thekeyinit root

command to initialize the S/Key secret for thesuperuser. I recommend using a different secret word than you used for user access.

At this point you may be tcodepted to simply remove/bin/su so that users are forcedto use keysu. Unfortunately, many scripts use/bin/su to start processes that do notrequire full superuser access. You should, however, chmod 500 /bin/su so that only

the superuser can run this program.

Note the implicit assumption that access is a group account shared by severaladministrators. You may feel more comfortable giving each administrator a separateaccount with a different S/Key secret so that you have a better audit trail. Thedownside to this approach is it creates more accounts that can have bad passwordson them and allow crackers to gain access. Decide what makes sense for yourorganization.

5.7) Configure wu-ftp

Configuring wu-ftpd is tricky, even for experts. When you compiled wu-ftpd, youspecified a directory where the daemon will look for its configuration files. Thisconfiguration directory will contain apiddirectory and three files. Theftpconversions file should be empty but it must exist. The ftpusers file should

contain a list of all users in the machine's password file who should notbe allowed toftp into the system. This file should contain everyuser in the password file: we willadd a user later who is allowed to ftp into the system. Most especially, root shouldalways be in the ftpusers file.

The last file in the configuration directory is the ftpaccess file. Rather than go intofull detail, here is a file that you can use if you do not want to allow anonymous ftpinto your system, but do want some users to be able to upload files to the machine:

class users real 172.16.3.*


27/28

log commands real

log transfers real inbound,outbound

This allows users to ftp from any host on network 172.16.3.0 and from nowhereelse (which is redundant if you are already using tcpd, but security in depth is aGood Thing). All commands and file transfers will be logged to the log file you

specified when you compiled the daemon (which is why we recommended you put itin/varwhere it has plenty of space to grow).

Configuring anonymous ftp is beyond the scope of this FAQ, but be warned to beverycareful, because it is easy to make a mistake and give away access to yoursystem. Review the documentation that comes with wu-ftpd for information andpointers to other documents on anonymous ftp.

5.8) Limit access to files and file systems

Download and use fix-modes. The programs in this package clean up unsecure

group permissions on some system files and directories.

One way to thwart potential system crackers is to prevent them from running setuidprograms on your machine. The steps you have already taken make it unlikely thatanybody is going to get an unauthorized setuid program onto your machine, but alittle paranoia never hurt anybody in the security business.

Use the nosuid option in/etc/vfstab to prevent setuid programs from being executedon any of your UFS filesystems:

/proc - /proc proc - no -

fd - /dev/fd fd - no -

swap - /tmp tmpfs - yes nosuid

/dev/dsk/c0t3d0s1 - - swap - no -

/dev/dsk/c0t3d0s0 /dev/rdsk/c0t3d0s0 / ufs 1 no

remount,nosuid

/dev/dsk/c0t3d0s4 /dev/rdsk/c0t3d0s4 /usr ufs 1 no ro

/dev/dsk/c0t3d0s5 /dev/rdsk/c0t3d0s5 /var ufs 1 no nosuid

/dev/dsk/c0t3d0s6 /dev/rdsk/c0t3d0s6 /local ufs 2 yes nosuid

Note that/usrcontains some setuid executables (not the least of which are theS/Key binaries in/usr/local/bin), so we mount it read-only instead ofnosuid. Theroot filesystem is mounted by the boot PROM, so it has to be remounted for thenosuid directive to take effect.

You must not apply the nosuid directive to the special filesystems. Note that TMPFStype filesystems (such as/tmp) can be mounted nosuid with no known ill effects.

5.9) Test the configuration

Reboot your system one last time and plug it into the network. Confirm that thefollowing are true:
ftp://ftp.fwi.uva.nl/pub/solaris/fix-modes.tar.gzftp://ftp.fwi.uva.nl/pub/solaris/fix-modes.tar.gz


28/28

You should be able to telnet and ftp to your secure server from the machinesyou configured tcpd to allow.

Trying to access the machine from any other machine should result in a denialof access and an e-mail to the appropriate party.

You should be able to login via telnet and ftp as user access, but not as rootor any other user.

User access should be able to/usr/local/bin/keysu to become superuser. ps -ef should show very few processes; in particular, sendmail and the

various NFS processes should notbe running. touch /usr/FOO should fail with an indication that the filesystem is read-only.

As the superuser, copy the ps command to/, making sure to preserve thesetuid bit. access should not be able to get a process listing with /ps -ef.Remove the /ps binary when you are done.

Congratulations! You have just created a very secure machine.

5.10) Step 10: Other suggestions

There are a number of freely available replacements for common system programsthat are significantly more secure than the versions provided with Solaris. Considerreplacing sendmail with the latest version. Replace the resolver library with the latestversion of bind. Replace syslog and crontab (check your local Archie server).

Your logging information is only as good as the timestamps in your files. Considerrunning XNTP to keep your system clock in synch with accurate clock sources fromthe Internet and with other machines on your networks. If somebody breaks in toyour network, you may have to correlate logs between dozens of systems, so theirclocks had better be in synch.

Before your system goes live on the network, get a copy of tripwire and make adatabase of MD5 checksums for all files on your secure server. Put this database onremovable media (tape or floppy disk) so that somebody who breaks into yoursystem can't modify the data. Run tripwire at random (but frequent) intervals tomake sure nobody is tampering with your files.

Consider running process accounting so that you have a record of every commandexecuted on your system. You will pay a performance penalty (10 to 20%) if youturn on process accounting. See man acct for more information.

Change your S/Key secrets regularly (every 30 days if you can stand it) and choose

good secret words (use non-alphanumeric characters and long secret words).Change the secret words on the system console or use keyinit -s to change thesecret over the network. Do not use the same secret word for both the access androot accounts.
ftp://ftp.cs.berkeley.edu/ucb/sendmail/ftp://ftp.udel.edu/pub/ntp/ftp://ftp.cs.berkeley.edu/ucb/sendmail/ftp://ftp.udel.edu/pub/ntp/

3.1) how much disk space do

Documents