Var adm messages not updating
So reboot after applying patches, check carefully that no unexpected daemons are running and consider re-running Jass (it is designed to allow multiple runs).

Improving Disksuite Security: Disksuite is a tool bundled with Solaris that allows disks to be mirrored or gathered into RAID sets. The problem is that Disksuite uses RPC (specifically: two programs

    ## Prune syslog logs weekly, keeping the last 6 months or so:
    55 23 * * 6 /secure/rotate_log -n 40 alertlog
    55 23 * * 6 /secure/rotate_log -n 40 authlog
    55 23 * * 6 /secure/rotate_log -n 20 cronlog
    55 23 * * 6 /secure/rotate_log -n 40 daemonlog
    55 23 * * 6 /secure/rotate_log -n 40 kernlog
    55 23 * * 6 /secure/rotate_log -n 40 local0log
    55 23 * * 6 /secure/rotate_log -n 40 local2log
    55 23 * * 6 /secure/rotate_log -n 40 local5log
    55 23 * * 6 /secure/rotate_log -n 20 newslog
    55 23 * * 6 /secure/rotate_log -n 40 userlog
    55 23 * * 6 /secure/rotate_log -n 10 lprlog
    55 23 * * 6 /secure/rotate_log -n 20 maillog
    # Solaris 2.x logs:
    0 4 * * 6 /secure/rotate_log -L /var/adm -n 30 loginlog
    0 4 * * 6 /secure/rotate_log -L /var/adm -n 30 sulog
    0 4 * * 6 /secure/rotate_log -L /var/adm -n 2
    0 4 * * 6 /secure/rotate_cron

(you may prefer NTP, it's more accurate, but complex, uses bandwidth and is an additional security worry).

    ## Synchronise the time:
    0 * * * * /usr/bin/rdate YOURTIMEHOST

Files which have the SUID bit set (an "s" where the execute bit for the owner/group is shown in 'ls' listings) allow the user executing the program to assume the identity/group of the owner of the program. RPC services should be avoided on sensitive servers, such as those on the Internet or in a DMZ.
This is typically used to allow normal users to access certain functions typically only allowed to root, for example binding to low ports, mounting a floppy disk, etc.

Package notes: "core" bundle users may wish to add other useful packages now, for example:

    Terminfo: SUNWter
    Accounting: SUNWaccr SUNWaccu
    NTP: SUNWntpr SUNWntpu
    UCB tools: SUNWscpu
    Man pages tools: SUNWlibC SUNWdoc
    Showrev: SUNWadmfw SUNWadmc

The user bundle needs extra packages for compiling: SUNWarcx SUNWarc SUNWbtoox SUNWbtool SUNWbtoox SUNWdplx SUNWsprox SUNWhea SUNWlibm SUNWdfbh SUNWcg6h SUNWscpux

For Sunscreen 3.1: SUNWeuluf SUNWsprot SUNWmfrun

For Sunscreen 3.2: SUNWeulux SUNWapchr SUNWapchu SUNWeu8os SUNWeu8osx SUNWeu8ox

b) Installation on an existing system, or where de-installation of the patches must be possible if the patch cluster messes things up (this will take more disk space as copies are saved in /var/sadm/patch).

If this happens, boot from cdrom in single user mode, mount the problem disk, correct vfstab and reboot.

Patches can only be individually de-installed; there is no "deinstall_cluster" functionality.

Oct.01

    JASS_AGING_MAXWEEKS="26"
    JASS_AGING_WARNWEEKS="1"
    JASS_AGING_MINWEEKS="0"
    JASS_LOGIN_RETRIES="5"
    JASS_PASS_LENGTH="6"
    JASS_SENDMAIL_MODE="\"\""
    JASS_TMPFS_SIZE="200m"
    JASS_UMASK="027"
    JASS_SHELL_DISABLE="/sbin/noshell"
    JASS_CRON_LOG_SIZE="20480"; ## v0.3.1
    ## Don't save files replaced by patches:
    JASS_REC_PATCH_OPTIONS="-o -d"
Some examples of vfstab entries are:

A simple server with only a root and /var partition, running Solaris 2.8:

    fd                 -                   /dev/fd  fd     -  no   -
    /proc              -                   /proc    proc   -  no   -
    /dev/dsk/c0t3d0s1  -                   -        swap   -  no   logging
    /dev/dsk/c0t3d0s0  /dev/rdsk/c0t3d0s0  /        ufs    1  no   logging
    /dev/dsk/c0t3d0s7  /dev/rdsk/c0t3d0s7  /var     ufs    1  no   logging,nosuid,noatime
    swap               -                   /tmp     tmpfs  -  yes  size=100m

    fd                 -                   /dev/fd  fd     -  no   -
    /proc              -                   /proc    proc   -  no   -
    swap               -                   /tmp     tmpfs  -  yes  size=200m
    /dev/dsk/c0t8d0s0  /dev/rdsk/c0t8d0s0  /        ufs    1  no   logging
    /dev/dsk/c0t8d0s1  -                   -        swap   -  no   -
    /dev/dsk/c0t8d0s4  /dev/rdsk/c0t8d0s4  /usr     ufs    1  no   logging
    /dev/dsk/c0t8d0s6  /dev/rdsk/c0t8d0s6  /var     ufs    1  no   nosuid,noatime,logging
    /dev/dsk/c0t8d0s5  /dev/rdsk/c0t8d0s5  /opt     ufs    2  yes  logging

    list service common "common" GROUP "tcp all" "udp all" "syslog" "dns" "rpc all" "nfs prog" "icmp all" "rip" "ftp" "rsh" "real audio" "pmap udp all" "pmap tcp all" "rpc tcp all" "nis" "archie" "traceroute" "ping"

Let's presume that we are setting up a HTTPD server (on port 80) and intend to manage it via SSH.

This section presents some strategies for handling patches and tools to make life easier.

d) If you didn't install the latest recommended patches above, Jass will do it for you, if you extract them into the 'Patches' directory.

We also want to allow ping and traceroute for initial troubleshooting.

During installation, the Solaris recommended patch bundle was installed.

For example the Solaris 8 recommended bundles would be extracted into Patches/8_Recommended.

We could then create and activate the new firewall policy restricting access to these services as follows:

    # ./ssadm edit Initial edit

Finally, we can stop the remote Firewall management GUI. If we are comfortable with the command line "ssadm" then one daemon more and one more configuration interface, that needs to be correctly configured and watched.
However, not all security fixes are included in this bundle, and as time goes by you'll have to check regularly for new patches.

What is required is a file integrity checker that uses secure (one-way) hashing algorithms.
Z from the Jass site to

    # ps -ef
    UID PID PPID C STIME TTY TIME CMD
    root 0 0 3 ?

For an overview of the concepts of Solaris Patching, see "A SunSolve Patch Primer" of weaknesses and patches can be a threat: if not managed carefully, they will consume too much time or they will be simply ignored.

The Toolkit is comprised of a set of scripts and directories implementing the recommendations made in the Sun BluePrints OnLine program. These scripts can be executed on Solaris systems through the JumpStart technology or directly from the command line.

By Seán Boran. This article presents a concise step-by-step approach to securely installing Solaris for use in a firewall DMZ or other sensitive environment, using Sun's

We assume that a "manual", as opposed to automated Jumpstart, installation is used.

Read-only: Mounting filesystems read-only provides only limited protection against Trojans/attackers (if they get root, they can remount read-write).

Connect the serial console, switch on, halt to the OK prompt by sending a Stop-A (~#, ~%b, or F5 depending on whether you use packages which take only 110MB), set hostname, terminal, IP parameters, timezone, etc. Don't enable power management, or mount any remote file systems (NFS).

It may save time fsck'ing when booting, can improve performance (access times don't need to be updated) and can prevent the sysadmin from making mistakes or help in detecting mistakes (accidentally deleting files etc.).

an error on the / or /usr lines can render the system unbootable!
The Toolkit includes scripts to harden, patch, and minimize Solaris Operating Environment systems.