Hardening security on Solaris 10

Dear All,
How do I configure hardening on Solaris 10 by enabling the bsmconv command and editing files in the */etc/security* directory to allow and disallow access to websites on Solaris 10?
Thanks and regards,
Heng

Dear Fieropunk,
Now I have a problem with the wget utility below with the same URL, please kindly help to check and give advice.
If I access with the URL below I can receive data:
#./wget --no-check-certificate --private-key=/cert/data.pem --certificate=/cert/data.crt "https://server1.com.kh"
10:29:13 https://server1.com.kh
=> `index.html'
Resolving https://server1.com.kh... 172.168.100.67
Connecting to https://server1.com.kh. connected.
WARNING: Certificate verification error for https://server1.com.kh: self signed certificate in certificate chain
HTTP request sent, awaiting response... 200 OK
Length: 285 [text/html]
100%[====================================>] 285 --.--K/s
10:29:13 (8.85 MB/s) - `index.html' saved [285/285]
If I access with the long URL below I cannot receive data, but on Linux OS (Debian) I can receive data:
#./wget --no-check-certificate --private-key=/cert/data.pem --certificate=/cert/data.crt "https://server1.com.kh/data/?action=datano;datano=aaaa"
10:38:56 https://server1.com.kh/data/?action=datano;datano=aaaa
=> `index.html?action=datano;datano=aaaa'
Resolving server1.com.kh... 172.168.100.67
Connecting to server1.com.kh|172.168.100.67|:443... connected.
WARNING: Certificate verification error for server1.com.kh: self signed certificate in certificate chain
HTTP request sent, awaiting response... No data received.
Retrying.
Note: this domain (server1.com.kh) is running on CentOS
Please kindly give advice,
Thanks and regards,
Heng

Similar Messages

  • Samba security on solaris 10

    Is samba now considered a secure way to allow access to files on solaris 10?
    Whenever we have had security reports done on servers in the past, they always seem to complain that it is not a secure way to transfer files and advise that it is turned off.
    We have always tried to use scripts using sftp where possible.
    Is the general feeling that sftp/scp is the preferred method to samba?
    Thank you.

  • Secure Solaris 7 or 8 Installation

    Hello,
    I am looking for a tool to secure my Solaris core installation. Does anybody know where I can get such a thing or some information about it?
    Thanks a lot.
    R-Richter

    Hi,
    What do you mean by 'secure'? Take the machine offline then do the install, that is secure. If you mean you want the OS configured so that there are no security holes, then you need to look for a guide on hardening a Solaris install. I have found that the best ones are at sans.org
    ~James

  • Security: Zone vs. Change Root

    Hi,
    can someone tell me the security benefits I gain by using zones instead of using change root?
    I'm in the process of setting up a couple of DMZ machines. I was playing around with zones to increase the security. I have the feeling I will decrease security instead of increasing it because a zone has far too many features. I can't really install a tiny minimal Solaris with just a couple of files, and if an attacker got me he can use the zone itself to attack other systems. Correct?
    BTW.: Is there a Solaris list of minimal required packages? I removed all packages I could but I still found things like ssh, NIS, perl, .. After manually changing SUNW_PKG_ALLZONES I could remove a couple more until the zone crashed.
    Right now I see two possibilities to go forward:
    1.) Use a zone and change root the application. The zone part looks to me like an awful lot of work.
    2.) Forget about zones and install and change root the application directly in the global zone. This will minimize the maintenance, only one system to harden, much faster to set up.
    Do you agree or do I miss something?
    What are you doing to increase the security on Solaris 10 (in opposition to Solaris 9)?
    Are there some guidelines how to securely set up zones?
    I really like to hear some other thoughts about this.
    Thanks for reading and consideration
    Matthias

    First I want to say that I fully agree with Darren here. You can gain a little increase in security by applying tools, but nothing can beat having some basic understanding of the system you're working with.
    But, to try and answer your questions..
    > can someone tell me the security benefits I gain by using zones instead of using change root?
    I have no idea whatsoever what a "change root" may be. If you refer to a chroot then the answer is simple: security. Breaking out of a chroot is rather trivial (just search google for "breaking out chroot" and see for yourself). One of the stories I kinda like is http://www.bpfh.net/simes/computing/chroot-break.html.
    A zone is much more than a mere chroot, it's a whole new (controllable) process.
    > I have the feeling I will decrease security instead of increasing it because a zone has far too many features. I can't really install a tiny minimal Solaris with just a couple of files, and if an attacker got me he can use the zone itself to attack other systems. Correct?
    Wrong. It depends on how you set it up. And even if you use the default (with directory inheritance) you can still disable most of the services.
    But it's perfectly possible to install a zone and then start removing all but the core packages.
    > What are you doing to increase the security on Solaris 10 (in opposition to Solaris 9).
    What Darren already said.
    > Are there some guidelines how to securely setup zones?
    docs.sun.com, and I'd say in particular:
    http://docs.sun.com/app/docs/doc/817-1592
    http://docs.sun.com/app/docs/doc/816-4557
    > I really like to hear some other thoughts about this.
    > Thanks for reading and consideration
    > Matthias

  • HOWTO: Create 2-node Solaris Cluster 4.1/Solaris 11.1(x64) using VirtualBox

    I did this on VirtualBox 4.1 on Windows 7 and VirtualBox 4.2 on Linux.X64. Basic pre-requisites are : 40GB disk space, 8GB RAM, 64-bit guest capable VirtualBox.
    Please read all the descriptive messages/prompts shown by 'scinstall' and 'clsetup' before answering.
    0) Download from OTN
    - Solaris 11.1 Live Media for x86(~966 MB)
    - Complete Solaris 11.1 IPS Repository Image (total 7GB)
    - Oracle Solaris Cluster 4.1 IPS Repository image (~73MB)
    1) Run VirtualBox Console, create VM1 : 3GB RAM, 30GB HDD
    2) The new VM1 has 1 NIC, add 2 more NICs (total 3). Setting the NIC to any type should be okay, 'VirtualBox Host Only Adapter' worked fine for me.
    3) Start VM1, point the "Select start-up disk" to the Solaris 11.1 Live Media ISO.
    4) Select "Oracle Solaris 11.1" in the GRUB menu. Select Keyboard layout and Language.
    VM1 will boot and the Solaris 11.1 Live Desktop screen will appear.
    5) Click <Install Oracle Solaris> from the desktop, supply necessary inputs.
    Default Disk Discovery (iSCSI not needed) and Disk Selection are fine.
    Disable the "Support Registration" connection info
    6) The alternate user created during the install has root privileges (sudo). Set appropriate VM1 name
    7) When the VM has to be rebooted after the installation is complete, make sure the Solaris 11.1 Live ISO is ejected or else the VM will again boot from the Live CD.
    8) Repeat steps 1-6, create VM2 and install Solaris.
    9) FTP(secure) the Solaris 11.1 Repository IPS and Solaris Cluster 4.1 IPS onto both the VMs e.g under /home/user1/
    10) We need to setup both the packages: Solaris 11.1 Repository and Solaris Cluster 4.1
    11) All commands now to be run as root
    12) By default the 'solaris' repository is of type online (pkg.oracle.com), that needs to be updated to the local ISO we downloaded :-
    $ sudo sh
    # lofiadm -a /home/user1/sol-11_1-repo-full.iso
    //output : /dev/lofi/N
    # mount -F hsfs /dev/lofi/N /mnt
    # pkg set-publisher -G '*' -M '*' -g /mnt/repo solaris
    13) Setup the ha-cluster package :-
    # lofiadm -a /home/user1/osc-4_1-ga-repo-full.iso
    //output : /dev/lofi/N
    # mkdir /mnt2
    # mount -F hsfs /dev/lofi/N /mnt2
    # pkg set-publisher -g file:///mnt2/repo ha-cluster
    14) Verify both packages are fine :-
    # pkg publisher
    PUBLISHER                   TYPE     STATUS P LOCATION
    solaris                     origin   online F file:///mnt/repo/
    ha-cluster                  origin   online F file:///mnt2/repo/
    15) Install the complete SC4.1 package by installing 'ha-cluster-full'
    # pkg install ha-cluster-full
    14) Repeat steps 12-15 on VM2.
    15) Now both VMs have the OS and SC4.1 installed.
    16) By default the 3 NICs are in the "Automatic" profile and have DHCP configured. We need to activate the Fixed profile and put the 3 NICs into it. Only 1 interface, the public interface, needs to be configured. The other 2 are for the cluster interconnect and will be automatically configured by scinstall. Execute the following commands :-
    # netadm enable -p ncp defaultfixed
    //verify
    # netadm list -p ncp defaultfixed
    #Configure the public-interface
    #Verify none of the interfaces are listed, add all the 3
    # ipadm show-if
    # run dladm show-phys or dladm show-link to check interface names : must be net0/net1/net2
    # ipadm create-ip net0
    # ipadm create-ip net1
    # ipadm create-ip net2
    # ipadm show-if
    //select proper IP and configure the public interface. I have used 192.168.56.171 & 172
    # ipadm create-addr -T static -a 192.168.56.171/24 net0/publicip
    #IP plumbed, restart
    # ipadm down-addr -t net0/publicip
    # ipadm up-addr -t net0/publicip
    //Verify publicip is fine by pinging the host
    # ping 192.168.56.1
    //Verify, net0 should be up, net1/net2 should be down
    # ipadm
    17) Repeat step 16 on VM2
    18) Verify both VMs can ping each other using the public IP. Add entries to each other's /etc/hosts
    Now we are ready to run scinstall and create/configure the 2-node cluster
    19)
    # cd /usr/cluster/bin
    # ./scinstall
    select 1) Create a new cluster ...
    select 1) Create a new cluster
    select 2) Custom in "Typical or Custom Mode"
    Enter cluster name : mycluster1 (e.g)
    Add the 2 nodes : solvm1 & solvm2 and press <ctrl-d>
    Accept default "No" for <Do you need to use DES authentication>"
    Accept default "Yes" for <Should this cluster use at least two private networks>
    Enter "No" for <Does this two-node cluster use switches>
    Select "1)net1" for "Select the first cluster transport adapter"
    If there is warning of unexpected traffic on "net"1, ignore it
    Enter "net1" when it asks corresponding adapter on "solvm2"
    Select "2)net2" for "Select the second cluster transport adapter"
    Enter "net2" when it asks corresponding adapter on "solvm2"
    Select "Yes" for "Is it okay to accept the default network address"
    Select "Yes" for "Is it okay to accept the default network netmask"
    Now the IP addresses 172.16.0.0 will be plumbed in the 2 private interfaces
    Select "yes" for "Do you want to turn off global fencing"
    (These are SATA serial disks, so no fencing)
    Enter "Yes" for "Do you want to disable automatic quorum device selection"
    (we will add quorum disks later)
    Enter "Yes" for "Proceed with cluster creation"
    Select "No" for "Interrupt cluster creation for cluster check errors"
    The second node will be configured and 2nd node rebooted
    The first node will be configured and rebooted
    After both nodes have rebooted, verify the cluster has been created and both nodes joined.
    On both nodes :-
    # cd /usr/cluster/bin
    # ./clnode status
    //should show both nodes Online.
    At this point there are no quorum disks, so 1 of the node's will be designated quorum vote. That node VM has to be up for the other node to come up and cluster to be formed.
    To check the current quorum status, run :-
    # ./clquorum show
    //one of the nodes will have 1 vote and other 0(zero).
    20)
    Now the cluster is in 'Installation Mode' and we need to add a quorum disk.
    Shutdown both the nodes as we will be adding shared disks to both of them
    21)
    Create 2 VirtualBox HDDs (VDI Files) on the host, 1 for quorum and 1 for shared filesystem. I have used a size of 1 GB for each :-
    $ vboxmanage createhd --filename /scratch/myimages/sc41cluster/sdisk1.vdi --size 1024 --format VDI --variant Fixed
    0%...10%...20%...30%...40%...50%...60%...70%...80%...90%...100%
    Disk image created. UUID: 899147b9-d21f-4495-ad55-f9cf1ae46cc3
    $ vboxmanage createhd --filename /scratch/myimages/sc41cluster/sdisk2.vdi --size 1024 --format VDI --variant Fixed
    0%...10%...20%...30%...40%...50%...60%...70%...80%...90%...100%
    Disk image created. UUID: 899147b9-d22f-4495-ad55-f9cf15346caf
    22)
    Attach these disks to both the VMs as shared type
    $ vboxmanage storageattach solvm1 --storagectl "SATA" --port 1 --device 0 --type hdd --medium /scratch/myimages/sc41cluster/sdisk1.vdi --mtype shareable
    $ vboxmanage storageattach solvm1 --storagectl "SATA" --port 2 --device 0 --type hdd --medium /scratch/myimages/sc41cluster/sdisk2.vdi --mtype shareable
    $ vboxmanage storageattach solvm2 --storagectl "SATA" --port 1 --device 0 --type hdd --medium /scratch/myimages/sc41cluster/sdisk1.vdi --mtype shareable
    $ vboxmanage storageattach solvm2 --storagectl "SATA" --port 2 --device 0 --type hdd --medium /scratch/myimages/sc41cluster/sdisk2.vdi --mtype shareable
    The disks are attached to SATA ports 1 & 2 of each VM. On my VirtualBox on Linux, the controller type is "SATA", whereas on Windows it is "SATA Controller".
    The "--mtype shareable" parameter is important
    23)
    Mark both disks as shared :-
    $ vboxmanage modifyhd /scratch/myimages/sc41cluster/sdisk1.vdi --type shareable
    $ vboxmanage modifyhd /scratch/myimages/sc41cluster/sdisk2.vdi --type shareable
    24) Start both VMs. We need to format the 2 shared disks
    25) From VM1, run format. In my case, the 2 new shared disks show up as 'c7t1d0' and 'c7t2d0'.
    # format
    select disk 1 (c7t1d0)
    [disk formated]
    FORMAT MENU
    fdisk
    Type 'y' to accept default partition
    partition
    0
    <enter>
    <enter>
    1
    995mb
    print
    label
    <yes>
    quit
    quit
    26) Repeat step 25) for the 2nd disk (c7t2d0)
    27) Make sure the shared disks can be used for quorum :-
    On VM1
    # ./cldevice refresh
    # ./cldevice show
    On VM2
    # ./cldevice refresh
    # ./cldevice show
    The shared disks should have the same DID (d2,d3,d4 etc). Note down the DID that you are going to use for quorum (e.g d2)
    By default, global fencing is enabled for these disks. We need to turn it off for all disks as these are SATA disks :-
    # cldevice set -p default_fencing=nofencing-noscrub d1
    # cldevice set -p default_fencing=nofencing-noscrub d2
    # cldevice set -p default_fencing=nofencing-noscrub d3
    # cldevice set -p default_fencing=nofencing-noscrub d4
    28) It is better to do one more reboot of both VMs, otherwise I got an error when adding the quorum disk
    29) Run clsetup to add quorum disk and to complete cluster configuration :-
    # ./clsetup
    === Initial Cluster Setup ===
    Enter 'Yes' for "Do you want to continue"
    Enter 'Yes' for "Do you want add any quorum devices"
    Select '1) Directly Attached Shared Disk' for the type of device
    Enter 'Yes' for "Is it okay to continue"
    Enter 'd2' (or 'd3') for 'Which global device do you want to use'
    Enter 'Yes' for "Is it okay to proceed with the update"
    The command 'clquorum add d2' is run
    Enter 'No' for "Do you want to add another quorum device"
    Enter 'Yes' for "Is it okay to reset "installmode"?"
    Cluster initialization is complete!
    30) Run 'clquorum status' to confirm both nodes and the quorum disk have 1 vote each
    31) Run other cluster commands to explore!
    I will cover Data services and shared file system in another post. Basically the other shared disk
    can be used to create a UFS filesystem and mount it on all nodes.

    The Solaris Cluster 4.1 Installation and Concepts Guide are available at :-
    http://docs.oracle.com/cd/E29086_01/index.html
    Thanks.

  • Solaris 10 shared memory config/ora 11g

    The ora 11 install guide for SPARC Solaris 10 is very confusing w.r.t. shared memory and my system does not seem to be using memory correctly, lots of swapping on an 8GB real memory system.
    The doc says to set /etc/system to:
    shmsys:shminfo_shmmax project.max-shm-memory 4294967296
    but infers that this is not used.
    Then, the doc states to set a project shared mem value of 2GB:
    # projmod -sK "project.max-shm-memory=(privileged,2G,deny)" group.dba
    Why is this number different?
    By setting to to 2G as documented oracle did not work at all and so I found Note:429191.1
    on the solaris 10 memory which hints that these numbers should be big:
    % prctl -n project.max-shm-memory -r -v 24GB -i project oracle_dss
    % prctl -n project.max-shm-memory -i project oracle_dss
    project: 101: oracle_dss
    NAME PRIVILEGE VALUE FLAG ACTION RECIPIENT
    project.max-shm-memory
    privileged 24.0GB - deny -
    system 16.0EB max deny
    Is there some logic in how to get solaris 10/ora 11 to hold hands. The install doc does not seem to contain it.

    > system does not seem to be using memory correctly, lots of swapping on an 8GB real memory system.
    We could start (for example) with this question - How big is your SGA, or how much of the 8GB RAM does your SGA take?
    > The doc says to set /etc/system to:
    > shmsys:shminfo_shmmax project.max-shm-memory 4294967296
    > but infers that this is not used.
    From documentation:
    In Solaris 10, you are not required to make changes to the /etc/system file to implement the System V IPC. Solaris 10 uses the resource control facility for its implementation. However, Oracle recommends that you set both resource control and /etc/system/ parameters. Operating system parameters not replaced by resource controls continue to affect performance and security on Solaris 10 systems.
    > Then, the doc states to set a project shared mem value of 2GB:
    > # projmod -sK "project.max-shm-memory=(privileged,2G,deny)" group.dba
    > Why is this number different?
    It's an example of how "To set the maximum shared memory size to 2 GB".
    > By setting it to 2G as documented oracle did not work at all
    Docs say:
    On Solaris 10, verify that the kernel parameters shown in the following table are set to values greater than or equal to the recommended value shown.
    If your SGA was greater than 2G I'm not wondering why "oracle did not work at all".
    So for a 4GB SGA (for example) you need to allow allocation of 4G of shared memory.
    Note: shmsys:shminfo_shmmax != project.max-shm-memory. "project.max-shm-memory" is the replacement for "shmsys:shminfo_shmmax", but the function of these parameters differs.
    "project.max-shm-memory resource control limits the total amount of shared memory of one project, whereas previously, the shmsys:shminfo_shmmax parameter limited the size of a single shared memory segment."
    Relevant link to Sun docs: http://docs.sun.com/app/docs/doc/819-2724/chapter1-33

  • Solaris.smf.modify ? help me

    hi
    hope every one will be fine and enjoying the real world of UNIX. I am UNISYS, in a little bit of trouble.
    I have a service named "mysvc" (let mysvc be the service FMRI) running under user "meunix" and group "other"
    I want to give user "meunix" the privilege to delete the service using the command
    NOTE : Assume service is already stopped
    #svccfg delete -f mysvc
    but when I run this command it prompts
    svccfg: Permission denied
    I have already assigned the user "meunix" the following rights:
    first I added the following line in the file /etc/security/auth_attr
    solaris.smf.modify.mysvc::My Service RBAC-Management::
    and then I ran the command
    usermod -A solaris.smf.modify.mysvc meunix
    but it doesn't work
    I have also tried
    solaris.smf.modify.*.mysvc::My Service RBAC-Management::
    usermod -A solaris.smf.modify.mysvc meunix
    but the same thing happened "svccfg:: Permission denied"
    looking forward to +ve responses
    Regards
    UNIX out of Box

    Sorry, but svccfg delete requires solaris.smf.modify, which allows the user to create or delete any service or instance. Please file an RFE at bugs.opensolaris.org .
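The reply above says why the fine-grained name did not help: `svccfg delete` checks for `solaris.smf.modify` itself. The following is an added example (not code from the thread or from Solaris) that models the RBAC authorization-matching rule as I understand chkauthattr(3SECDB) applies it: an entry in the user's auths list grants a requested authorization only when the names are identical, or when the entry ends in `*` and the text before the `*` is a prefix of the requested name. The auth_attr content is a constructed sample in the real six-field format; the parser's strictness about field counts is this example's own, not a claim about libsecdb.

```python
"""Model of the Solaris RBAC check behind 'svccfg: Permission denied'.

Added example for this thread; not the poster's code and not Solaris code.
"""

# Constructed sample of /etc/security/auth_attr lines. The real format is
#   name:res1:res2:short_desc:long_desc:attr   (six colon-separated fields)
# The last line deliberately has only five fields; this parser skips it.
SAMPLE_AUTH_ATTR = """\
# comment lines and blank lines are ignored

solaris.smf.modify:::Modify All SMF Service Properties::help=SmfModifyAuth.html
solaris.smf.modify.mysvc:::My Service RBAC-Management::
solaris.smf.manage.mysvc::My Service Manage::
"""


def parse_auth_attr(text):
    """Return {authname: short_desc} for every well-formed auth_attr line."""
    defined = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 6:
            # Malformed for this parser: wrong number of fields.
            continue
        name, _res1, _res2, short_desc, _long_desc, _attr = fields
        defined[name] = short_desc
    return defined


def auth_matches(granted, required):
    """Does one granted name cover `required`?

    Exact match, or a trailing-'*' wildcard whose prefix matches. Note that
    'solaris.smf.modify.*' has prefix 'solaris.smf.modify.' (with the dot),
    so it does NOT cover the parent name 'solaris.smf.modify'.
    """
    if granted == required:
        return True
    if granted.endswith("*"):
        return required.startswith(granted[:-1])
    return False


def has_authorization(user_auths, required):
    """True if any entry in the user's auths list covers `required`."""
    return any(auth_matches(g, required) for g in user_auths)


def check_svccfg_delete(user_auths, auth_attr_text=SAMPLE_AUTH_ATTR):
    """Evaluate the poster's scenario.

    svccfg delete needs solaris.smf.modify (per the reply in the thread).
    Returns (required name is defined in auth_attr, user holds it).
    """
    required = "solaris.smf.modify"
    defined = required in parse_auth_attr(auth_attr_text)
    return defined, has_authorization(user_auths, required)


if __name__ == "__main__":
    # The poster's attempt: only the service-specific name is granted.
    print(check_svccfg_delete(["solaris.smf.modify.mysvc"]))  # (True, False)
    # A wildcard below solaris.smf.modify still misses the parent name.
    print(check_svccfg_delete(["solaris.smf.modify.*"]))      # (True, False)
    # The coarse authorization the reply says is actually required.
    print(check_svccfg_delete(["solaris.smf.modify"]))        # (True, True)
```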

  • Could not read /etc/netconfig

    I get that error message on my console every time I try to start the rpcbind service. The command svcs -x shows the service is currently in maintenance. Doing svcadm clear bind to try to start the service manually produces that error message.
    The error started coming up after I installed BIND 9.4.1-P1 and brought over zone files from another server (a Solaris 8 box). The files I brought over were copied via a tar file.

    This is just a shot in the dark, but by chance was "Secure By Default" enabled when the s10 box was installed? I'm digging my way through a NIST hardening document for Solaris, and throughout the document it talks about how rpcbind is impacted in a number of ways. Particularly in reference to TCP Wrapping.
    Dave

  • Internal Zone Configuration

    After installing a zone for the first time on a baseline system, I run the 'zlogin -C my-zone' command. I get the typical '[Connected to zone 'my-zone' console]' response, but when I boot the zone using the 'zoneadm -z my-zone boot' command, I do not get the system config questions such as Language, Hostname, Nameservers, etc. I am able to login as root without a password. I tried configuring and installing the same exact zone on a full system install, and I do get the questions on first boot.
    What packages are needed to have the questions appear on first boot? The baseline system I'm having problems with is a default CORE install with the following additions:
    Core software for resource pools
    CPU Performance Counter driver and utilities
    Freeware Compression Utilities
    GNU Bourne-Again shell (bash)
    Install Software
    Interprocess Communications
    Network Security Services
    Network Security Services (64 bit)
    Network Time Protocol
    On-Line Manual Pages
    Perl 5
    Secure Shell
    Solaris Zones
    tcpd - access control facility for internet services
    J2sdk 32 and 64 bit runtime
    Live Upgrade Software
    The XML library
    X Window System Runtime Environment
    X11 Arabic required fonts
    X11 ISO-8859-x optional fonts
    X11 ISO-8859-x required fonts
    CDE application basic runtime environment
    Motif RunTime Kit
    thanks,
    brian

    I was missing only one of the sysidtool programs, sysidpm. I installed SUNWpmu, which includes sysidpm, and I still had the problem.
    JASS 4.0.1 is in the global zone and was run before creating the zone. JASS was installed into the zone (by default), but not run. When I ran the undo on the JASS scripts in the global zone, the problem went away. Here are the basics of the hardening driver that was used:
    JASS_FILES="
    # /etc/dt/config/Xaccess
    /etc/inet/inetd.conf
    /etc/init.d/inetsvc
    /etc/init.d/nddconfig
    /etc/init.d/set-tmp-permissions
    /etc/issue
    /etc/motd
    # /etc/notrouter
    /etc/rc2.d/S00set-tmp-permissions
    /etc/rc2.d/S07set-tmp-permissions
    /etc/rc2.d/S70nddconfig
    /etc/syslog.conf
    /etc/ipf/ipf.conf
    /etc/ipf/pfil.ap
    "
    JASS_SCRIPTS="
    disable-IIim.fin
    disable-ab2.fin
    disable-apache.fin
    disable-asppp.fin
    disable-autoinst.fin
    disable-automount.fin
    disable-dhcpd.fin
    disable-directory.fin
    disable-dmi.fin
    disable-dtlogin.fin
    disable-inetd.fin
    disable-ipv6.fin
    disable-kdc.fin
    # disable-keyboard-abort.fin
    disable-keyserv-uid-nobody.fin
    disable-ldap-client.fin
    disable-lp.fin
    disable-mipagent.fin
    disable-nfs-client.fin
    disable-nfs-server.fin
    disable-nscd.fin
    disable-nscd-caching.fin
    # disable-picld.fin
    disable-ppp.fin
    disable-preserve.fin
    disable-power-mgmt.fin
    # disable-remote-root-login.fin
    disable-rhosts.fin
    disable-rpc.fin
    disable-samba.fin
    disable-sendmail.fin
    # disable-ssh-root-login.fin
    disable-slp.fin
    disable-snmp.fin
    disable-spc.fin
    disable-syslogd-listen.fin
    disable-system-accounts.fin
    disable-uucp.fin
    disable-vold.fin
    disable-xserver-listen.fin
    disable-wbem.fin
    enable-coreadm.fin
    # enable-ftpaccess.fin
    # enable-ftp-syslog.fin
    # enable-inetd-syslog.fin
    # enable-priv-nfs-ports.fin
    # enable-process-accounting.fin
    enable-rfc1948.fin
    enable-stack-protection.fin
    enable-tcpwrappers.fin
    install-at-allow.fin
    install-ftpusers.fin
    install-loginlog.fin
    install-newaliases.fin
    install-sadmind-options.fin
    # install-security-mode.fin
    # install-shells.fin
    install-sulog.fin
    remove-unneeded-accounts.fin
    set-banner-dtlogin.fin
    set-banner-ftpd.fin
    set-banner-sendmail.fin
    set-banner-sshd.fin
    set-banner-telnetd.fin
    set-ftpd-umask.fin
    set-login-retries.fin
    set-power-restrictions.fin
    set-root-group.fin
    set-rmmount-nosuid.fin
    set-sys-suspend-restrictions.fin
    set-system-umask.fin
    set-tmpfs-limit.fin
    set-user-password-reqs.fin
    set-user-umask.fin
    update-at-deny.fin
    update-cron-allow.fin
    update-cron-deny.fin
    update-cron-log-size.fin
    update-inetd-conf.fin
    # enable-bsm.fin
    install-md5.fin
    install-fix-modes.fin
    # install-strong-permissions.fin
    "

  • OAS 4.0.8.1 on Compaq Tru64 UNIX 4.0F (Digital Unix 4.0F) : Help !!!

    My installation of OAS 4.0.8.1 on Digital Unix 4.0F is failing when it comes to trying to relink something called ntcontab.o, with an apparently missing header file:
    cc: Severe: /usr/include/sys/types.h, line 77:
    Cannot find file <standards.h> specified in #include directive.
    (I did find the header file on the system but in a different place. I tried a link to make it appear where it should but that didn't work for some reason.)
    My release notes specify 4.0D is required, maybe that's the problem, though I wouldn't expect a whole header file to be moved between minor releases.
    Any help very gratefully received. I am really stuck.
    Thanks
    Alan McCulloch
    email : [email protected]
    BTW - I'm new to Digital Unix, previously worked on Solaris. My subjective impression is Digital Unix is a lot less well supported and prevalent than Solaris, and my feeling is we would be more secure on Solaris.
    Is this at all a valid point of view? I'd be very happy to be wrong about this!

    Hi Peter,
    I believe that functionality was broken in the field test version of coordinate systems that shipped in 8.1.6 only for transforming data stored in the SDO_POINT type. I'm not sure, but I doubt this will be patched on tru64 unix.
    If you need to get this working you might want to try storing your point data using the elem_info_array and the ordinate array rather than the optimized point type.
    This problem is fixed in 8.1.7.
    Hope this helps,
    dan

  • Mac OS X Leopard Firewall/default open ports rpcbind?

    Hi,
    I'm looking into hardening/securing Mac OS X Leopard and noticed that port 111 rpcbind is open. Is rpcbind open by default? What are Leopard's default open ports on a fresh install?
    Also is there any way to run openbsd/freebsd PF firewall?
    Thanks!

    This is what nmap reports:
    Starting Nmap 4.76 ( http://nmap.org ) at 2009-03-02 12:28 EST
    Warning: Unable to open interface vmnet8 -- skipping it.
    Warning: Unable to open interface vmnet1 -- skipping it.
    Interesting ports on localhost (127.0.0.1):
    Not shown: 993 closed ports
    PORT STATE SERVICE
    111/tcp open rpcbind
    631/tcp open ipp
    1021/tcp open unknown
    1022/tcp open unknown
    1023/tcp open netvenuechat
    2049/tcp open nfs
    49152/tcp open unknown
    Nmap done: 1 IP address (1 host up) scanned in 10.55 seconds
    netstat -a | grep LISTEN confirms:
    tcp6 0 0 localhost.ipp . LISTEN
    tcp4 0 0 *.49152 . LISTEN
    tcp4 0 0 *.1021 . LISTEN
    tcp4 0 0 *.1022 . LISTEN
    tcp4 0 0 *.sunrpc . LISTEN
    tcp4 0 0 *.nfsd . LISTEN
    tcp4 0 0 *.1023 . LISTEN
    tcp4 0 0 localhost.ipp . LISTEN
    tcp6 0 0 localhost.ipp . LISTEN
    Not too sure what netvenuechat is and I have no idea why NFS is open/running. I'm not connecting to any NFS shares. How do I lock everything down?
    Any suggested IPFW rules?
    Here is what 'ipfw show' returns:
    3300 36 2160 deny icmp from any to me in icmptypes 8
    65535 866558 351141790 allow ip from any to any
    Thanks,
    Juan

  • SHARED MEMORY problems (ORA-7329, ORA-7331, ORA-7279)

    Product : ORACLE SERVER
    Date written : 2004-07-22
    SHARED MEMORY problems (ORA-7329, ORA-7331, ORA-7279)
    ================================================
    PURPOSE
    The following describes the cases in which shared memory problems occur (ora-7329, ora-7331, ora-7279).
    Explanation
    1. Why does the problem occur?
    * Oracle uses shared memory and semaphores for communication between processes and the SGA (System Global Area). When an Oracle instance starts, it allocates a region of main memory to create the SGA; if the shared memory or semaphore settings are not adequate at that point, the related error occurs.
    2. Solution
    Since the SGA is created inside shared memory, the shared memory must be usable by every process.
    The shared memory and semaphore parameters are:
    - SHMMAX = maximum size of one shared memory segment; at least the SGA size
    - SHMMIN = minimum size of one shared memory segment; 1 byte
    - SHMMNI = number of shared memory identifiers; 100 or more
    - SHMSEG = maximum number of shared memory segments attached to one process; 10 or more
    - SEMMNS = number of semaphores in the system; 200 or more
    - SEMMNI = number of semaphore identifiers that can be set in the system; 70 or more
    - SEMMSL = maximum number of semaphores per semaphore set; at least the processes value in initSID.ora
    * Recommended semaphore and shared memory parameters
    Operating System                 Shared Memory Parameters            Semaphore Parameters
    ======================================================================================
    Sun OS                           SHMSIZE = 32768                     SEMMNS = 200
                                     SHMMNI = 50                         SEMMNI = 50
    Solaris                          SHMMAX = 8388608                    SEMMNS = 200
                                     SHMSEG = 20                         SEMMSL = 50
                                     SHMMNI = 100                        SEMMNI = 70
    HP/UX                            SHMMAX = 0x4000000 (64Mb)           SEMMNS = 128
                                     SHMSEG = 12                         SEMMNI = 10
    Digital Unix (DEC Alpha OSF/1)   SHMMAX = 4194304                    SEMMNS = 60
                                     SHMSEG = 32                         SEMMSL = 25
    Ultrix                           Use System Default                  SEMMNS SEMMSL = 5
    AT&T Unix                        SHMMAX = RAM-dependent:             SEMMNS = 200 for all RAM values
                                       8 or 16Mb RAM: SHMMAX = 5 Mb
                                       32 Mb RAM:     SHMMAX = 8 Mb
                                       64 Mb RAM:     SHMMAX = 16 Mb
                                       128 Mb RAM:    SHMMAX = 32 Mb
                                       256 Mb RAM:    SHMMAX = 64 Mb
                                       512 Mb RAM:    SHMMAX = 128 Mb
                                       1024 Mb RAM:   SHMMAX = 256 Mb
                                       2048 Mb RAM:   SHMMAX = 512 Mb
                                     SHMSEG = 6 for all RAM values
                                     SHMMIN = 1 for all RAM values
    Dynix/PTX                        SHMMAX = 11010048                   SEMMNS = 200
                                     SHMSEG = 20                         SEMMSL = 85
                                     Other parameter: NOFILES = 128
    DG/UX                            SHMMAX = 4194304                    SEMMNS = 200
                                     SHMSEG = 15
    Shared Memory 와 Semaphore Parameter는 OS 의 Kernel Configuration
    화일에 반드시 지정되어야 하며, File의 위치는 OS마다 차이가 있다.
    현재의 Shared Memory 와 Semaphore Configuration 을 알기 위해서는
    다음의 Command를 이용한다.
    $ sysdef |more
    * HP-UX (relevant sections only) 에서의 예:
    Semaphore 관련 Parameters
    - maximum value for semaphores(semaem)= 16384
    - Semaphore map(semmap)= 4098
    - number of semaphore identifiers(semmni) = 4096
    - total number of semaphores in the system(semmns) = 8192
    - number of semaphore undo structures(semmnu) = 1536
    - semaphore undo entries per process(semume) = 512
    - semaphore maximum value(semvmx) = 32767
    Shared Memory 관련 Parameters
    - maximum shared memory segment size in bytes(shmmax) = 536870912
    - minimum shared memory segment size in bytes(shmmin) = 1
    - maximum shared memory segments in system (shmmni) = 512
    - maximum shared memory segments per process(shmseg) = 512
    NOTE: SHMMAX는 현 system에 8개의 instance가 수행될 수 있는
    충분한 값이다.
    * Shared memory 또는 semaphore parameters 를 변경하기 위해서는 ...
    1. Oracle Instance를 Shutdown 한다.
    2. OS의 Kernel Configuration File이 있는 곳으로 간다.
    3. System Utility 또는 Editor를 이용해서 필요한 값을 바꾼다.
    System Utility는 다음과 같다
    | OS |     Utility     |
    | HP/UX | SAM     |
    | SCO     |     SYSADMSH |
    | AIX     |     SMIT     |
    | Solaris |     ADMINTOOL |
    4. Kernel 을 Reconfigure 한다.
    5. System을 Reboot 한다.
    6. Oracle Instance를 startup시킨다.
    [ 예제 ] Solaris 2.3/2.4 parameters and commands:
    1. SQLDBA 에서 :
    SQLDBA> shutdown
    SQLDBA> exit
    2. Superuser(root)로 login 하고 :
    # cd /etc
    3. /etc/system file 에 다음을 추가 한다:
    set shmsys:shminfo_shmmax=8388608
    set shmsys:shminfo_shmmin=1
    set shmsys:shminfo_shmmni=100
    set shmsys:shminfo_shmseg=20
    set semsys:seminfo_semmns=200
    set semsys:seminfo_semmni=70
    4. Kernel을 reconfigure 한다:
    # touch /reconfigure
    5. Machine 을 reboot 한다:
    #init 6
    6. SQLDBA 에서 :
    SQLDBA> startup
    SQLDBA> exit
    Oracle의 init<SID>.ora 파라미터 화일에는 SGA에 영향을 주는
    Parameter들이 있다. OS의 Shared Momory와 Semaphore Parameter에
    연결된 이 Parameter의 setting은 System과 Oracle의 Performance에
    중요한 영향을 미친다.
    Reference Documents
    <Note:1011658.6>

    system does not seem to be using memory correctly, lots of swapping on an 8GB real memory system.
    We could start (for example) with this question: how big is your SGA, or how much of the 8GB RAM does your SGA take?
    The doc says to set /etc/system to:
    shmsys:shminfo_shmmax project.max-shm-memory 4294967296
    but infers that this is not used.
    From documentation:
    In Solaris 10, you are not required to make changes to the /etc/system file to implement the System V IPC. Solaris 10 uses the resource control facility for its implementation. However, Oracle recommends that you set both resource control and /etc/system/ parameters. Operating system parameters not replaced by resource controls continue to affect performance and security on Solaris 10 systems.
    Then, the doc states to set a project shared mem value of 2GB:
    # projmod -sK "project.max-shm-memory=(privileged,2G,deny)" group.dba
    Why is this number different?
    It's an example of how "To set the maximum shared memory size to 2 GB".
    By setting it to 2G as documented, Oracle did not work at all.
    Docs say:
    On Solaris 10, verify that the kernel parameters shown in the following table are set to values greater than or equal to the recommended value shown.
    If your SGA was greater than 2G I'm not wondering why "oracle did not work at all".
    So for a 4GB SGA (for example) you need to allow allocation of 4G of shared memory.
    Note: shmsys:shminfo_shmmax != project.max-shm-memory. "project.max-shm-memory" is replacement of "shmsys:shminfo_shmmax" but function of these parameters differs.
    "project.max-shm-memory resource control limits the total amount of shared memory of one project, whereas previously, the shmsys:shminfo_shmmax parameter limited the size of a single shared memory segment."
    Relevant link to Sun docs: http://docs.sun.com/app/docs/doc/819-2724/chapter1-33
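    The point made above (shminfo_shmmax caps a single segment, project.max-shm-memory caps a whole project's total) is easy to get wrong when sizing for several instances. The following checker is an added example, not code from either post or from Oracle: it parses /etc/system `set` lines, compares them with the minimums recommended in the note above and the SGA size, and derives the projmod argument for a list of SGA sizes. The function names and the sample /etc/system are constructed for the example.

```python
import re

# Minimum values from the note above; shmmax is handled separately since it
# must cover the SGA. Keys are the /etc/system names from the note's example.
RECOMMENDED_MIN = {
    "shmsys:shminfo_shmmin": 1, "shmsys:shminfo_shmmni": 100,
    "shmsys:shminfo_shmseg": 10, "semsys:seminfo_semmns": 200,
    "semsys:seminfo_semmni": 70,
}
# 'set module:parameter=value' (decimal or 0x hex); '*' starts a comment.
SET_LINE = re.compile(r"^\s*set\s+(\w+:\w+)\s*=\s*(0x[0-9a-fA-F]+|\d+)\s*$")

def parse_etc_system(text):
    """Map every 'set' line of an /etc/system file to {parameter: int}."""
    params = {}
    for line in text.splitlines():
        m = SET_LINE.match(line.split("*", 1)[0])
        if m:
            params[m.group(1)] = int(m.group(2), 0)
    return params

def check_etc_system(params, sga_bytes):
    """Return parameters that are missing or below the recommended value.
    shminfo_shmmax limits ONE segment, so it must hold the largest SGA."""
    required = {**RECOMMENDED_MIN, "shmsys:shminfo_shmmax": sga_bytes}
    problems = []
    for name, minimum in required.items():
        value = params.get(name)
        if value is None:
            problems.append(f"{name} not set (need >= {minimum})")
        elif value < minimum:
            problems.append(f"{name}={value} below {minimum}")
    return problems

def projmod_shm_command(project, sga_bytes_per_instance):
    """Solaris 10: project.max-shm-memory caps the TOTAL shared memory of a
    project, so it must be sized for every instance run under that project."""
    total = sum(sga_bytes_per_instance)
    return f'projmod -sK "project.max-shm-memory=(privileged,{total},deny)" {project}'

# Constructed sample /etc/system with the Solaris values from the note above.
SAMPLE_ETC_SYSTEM = """\
* constructed sample, not taken from a real host
set shmsys:shminfo_shmmax=8388608
set shmsys:shminfo_shmmin=1
set shmsys:shminfo_shmmni=100
set shmsys:shminfo_shmseg=20
set semsys:seminfo_semmns=200
set semsys:seminfo_semmni=70
"""
```

    Running check_etc_system on the sample with a 4 GB SGA flags only shmmax, and projmod_shm_command for two instances of 4 GB and 2 GB asks for the 6 GB total rather than the largest single SGA.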

  • Installation deployment

    We need to be able to install instances of Oracle on minimally installed, tightly secured Sun Solaris systems.
    So far, Oracle seems to need OS headers, Libraries, compiler utilities, and at least a subset of Xwindows - all inappropriate for a secured server. Is there a way to install on a development machine, then create an install image (sans data) for installation on production-mode servers?
    I am a sysadmin with peripheral understanding of Oracle.

    ... I have ... dell poweredge 4600 ...
    ... and ... dell poweredge 2400 ... it is necessary to buy 3 (three) more dell 2550
    and Gigabit Ethernet switch ;)
    For install instructions look at
    http://gratschew.narod.ru/as2

  • Oracle Utilities CC&B - Infrastructure Scaling

    We are using Oracle Utilities CC&B 2.1 with Oracle 10g Database. Can anyone please suggest the optimum Database configuration that is required for a development/production environment.
    Also kindly share any documentation for scaling the Infrastructure for a production environment.

    Answering the original question about production/development setting and also about scalability for production, there are many choices and options.
    Naturally, it is best to split your production workload from your development workload. Separate servers for that. In the early stages, you may just buy development/test servers, later, production servers which (prior to go-live) would be configured for production use (hardened security, limited access etc).
    Some customers split database and application. I know of one customer that is splitting database from online app and having separate instances for XAI and batch.
    Reporting is always a concern and a separate reporting database which is a replica of the production database as of close of business the day before is useful to have for heavy reports generated by BI or crystal etc.
    By thinking about how you can split various aspects of your CC&B production system (database, online app, XAI, batch, reporting, failover database etc)
    you have an easier time should you need to scale certain aspects of your system.
    This is a fairly easy way of scaling and separating.
    As with all things IT and particularly UNIX the answer is generally "it depends...! "

  • Install Linux into VirtualBox

    Hello,
    I need to harden security on my Mac machines, especially the 27" iMac 2013.
    How does one install VirtualBox on Mac OS X 10.10.2 Yosemite?
    Many thanks,
    7m0u9tAN

    7m0u9tAN wrote:
    Running Linux inside VirtualBox on Mac OS X 10.10.2  will be more secure.
    More secure than what?
    If you want to run Linux, then VirtualBox is a good way to do that. But if you are trying to achieve some other goal, please tell us what it is.
