Hardening security on Solaris 10
Dear All,
How do I configure hardening on Solaris 10 by enabling the bsmconv command and editing files in the */etc/security* directory to allow or disallow access to websites on Solaris 10?
Thanks and regards,
Heng
Dear Fieropunk,
Now I have a problem with the wget utility below with the same URL; please kindly help to check and give advice.
If I access with the URL below, I can receive data:
#./wget --no-check-certificate --private-key=/cert/data.pem --certificate=/cert/data.crt "https://server1.com.kh"
10:29:13 https://server1.com.kh
=> `index.html'
Resolving https://server1.com.kh... 172.168.100.67
Connecting to https://server1.com.kh. connected.
WARNING: Certificate verification error for https://server1.com.kh: self signed certificate in certificate chain
HTTP request sent, awaiting response... 200 OK
Length: 285 [text/html]
100%[====================================>] 285 --.--K/s
10:29:13 (8.85 MB/s) - `index.html' saved [285/285]
If I access with the long URL below, I cannot receive data, but on Linux (Debian) I can receive data:
#./wget --no-check-certificate --private-key=/cert/data.pem --certificate=/cert/data.crt "https://server1.com.kh/data/?action=datano;datano=aaaa"
10:38:56 https://server1.com.kh/data/?action=datano;datano=aaaa
=> `index.html?action=datano;datano=aaaa'
Resolving server1.com.kh... 172.168.100.67
Connecting to server1.com.kh|172.168.100.67|:443... connected.
WARNING: Certificate verification error for server1.com.kh: self signed certificate in certificate chain
HTTP request sent, awaiting response... No data received.
Retrying.
Note: this domain (server1.com.kh) is running on CentOS
Please kindly give advice,
Thanks and regards,
Heng
Similar Messages
-
Is samba now considered a secure way to allow access to files on solaris 10?
Whenever we have had security reports done on servers in the past, they always seem to complain that it is not a secure way to transfer files and advise that it is turned off.
We have always tried to use scripts using sftp where possible.
Is the general feeling that sftp/scp is the preferred method over samba?
Thank you. -
Secure Solaris 7 or 8 Installation
Hello,
I am looking for a tool to secure my Solaris core installation. Does anybody know where I can get such a thing or some information about it?
Thanks a lot.
R-Richter
Hi,
What do you mean by 'secure'? Take the machine offline, then do the install; that is secure. If you mean you want the OS configured so that there are no security holes, then you need to look for a guide on hardening a Solaris install. I have found that the best ones are at sans.org
~James -
Security: Zone vs. Change Root
Hi,
Can someone tell me the security benefits I gain by using zones instead of using change root?
I'm in the process of setting up a couple of DMZ machines. I was playing around with zones to increase the security. I have the feeling I will decrease security instead of increasing it because a zone has far too many features. I can't really install a tiny minimal Solaris with just a couple of files, and if an attacker got me he can use the zone itself to attack other systems. Correct?
BTW: Is there a Solaris list of minimal required packages? I removed all packages I could but I still found things like ssh, NIS, perl, ... After manually changing SUNW_PKG_ALLZONES I could remove a couple more until the zone crashed.
Right now I see two possibilities to go forward:
1.) Use a zone and change root the application. The zone part looks to me like an awful lot of work.
2.) Forget about zones and install and change root the application directly in the global zone. This will minimize the maintenance: only one system to harden, much faster to set up.
Do you agree or am I missing something?
What are you doing to increase the security on Solaris 10 (as opposed to Solaris 9)?
Are there any guidelines on how to securely set up zones?
I would really like to hear some other thoughts about this.
Thanks for reading and consideration
Matthias
First I want to say that I fully agree with Darren here. You can gain a little increase in security by applying tools, but nothing can beat having some basic understanding of the system you're working with.
But, to try and answer your questions..
> can someone tell me the security benefits I gain by using zones instead of using change root?
I have no idea whatsoever what a "change root" may be. If you refer to a chroot then the answer is simple: security. Breaking out of a chroot is rather trivial (just search google for "breaking out chroot" and see for yourself). One of the stories I kinda like is http://www.bpfh.net/simes/computing/chroot-break.html.
A zone is much more than a mere chroot; it's a whole new (controllable) process.
> I have the feeling I will decrease security instead of increasing it because a zone has far too many features. I can't really install a tiny minimal Solaris with just a couple of files, and if an attacker got me he can use the zone itself to attack other systems. Correct?
Wrong. It depends on how you set it up. And even if you use the default (with directory inheritance) you can still disable most of the services.
But it's perfectly possible to install a zone and then start removing all but the core packages.
> What are you doing to increase the security on Solaris 10 (in opposition to Solaris 9).
What Darren already said.
> Are there some guidelines how to securely setup zones?
docs.sun.com, and I'd say in particular:
http://docs.sun.com/app/docs/doc/817-1592
http://docs.sun.com/app/docs/doc/816-4557
> I really like to hear some other thoughts about this.
> Thanks for reading and consideration
Matthias -
I did this on VirtualBox 4.1 on Windows 7 and VirtualBox 4.2 on Linux.X64. Basic pre-requisites are : 40GB disk space, 8GB RAM, 64-bit guest capable VirtualBox.
Please read all the descriptive messages/prompts shown by 'scinstall' and 'clsetup' before answering.
0) Download from OTN
- Solaris 11.1 Live Media for x86(~966 MB)
- Complete Solaris 11.1 IPS Repository Image (total 7GB)
- Oracle Solaris Cluster 4.1 IPS Repository image (~73MB)
1) Run VirtualBox Console, create VM1 : 3GB RAM, 30GB HDD
2) The new VM1 has 1 NIC, add 2 more NICs (total 3). Setting the NIC to any type should be okay, 'VirtualBox Host Only Adapter' worked fine for me.
3) Start VM1, point the "Select start-up disk" to the Solaris 11.1 Live Media ISO.
4) Select "Oracle Solaris 11.1" in the GRUB menu. Select Keyboard layout and Language.
VM1 will boot and the Solaris 11.1 Live Desktop screen will appear.
5) Click <Install Oracle Solaris> from the desktop, supply necessary inputs.
Default Disk Discovery (iSCSI not needed) and Disk Selection are fine.
Disable the "Support Registration" connection info
6) The alternate user created during the install has root privileges (sudo). Set appropriate VM1 name
7) When the VM has to be rebooted after the installation is complete, make sure the Solaris 11.1 Live ISO is ejected or else the VM will again boot from the Live CD.
8) Repeat steps 1-6, create VM2 and install Solaris.
9) FTP(secure) the Solaris 11.1 Repository IPS and Solaris Cluster 4.1 IPS onto both the VMs e.g under /home/user1/
10) We need to setup both the packages: Solaris 11.1 Repository and Solaris Cluster 4.1
11) All commands now to be run as root
12) By default the 'solaris' repository is of type online (pkg.oracle.com), that needs to be updated to the local ISO we downloaded :-
$ sudo sh
# lofiadm -a /home/user1/sol-11_1-repo-full.iso
//output : /dev/lofi/N
# mount -F hsfs /dev/lofi/N /mnt
# pkg set-publisher -G '*' -M '*' -g /mnt/repo solaris
13) Setup the ha-cluster package :-
# lofiadm -a /home/user1/osc-4_1-ga-repo-full.iso
//output : /dev/lofi/N
# mkdir /mnt2
# mount -F hsfs /dev/lofi/N /mnt2
# pkg set-publisher -g file:///mnt2/repo ha-cluster
14) Verify both packages are fine :-
# pkg publisher
PUBLISHER TYPE STATUS P LOCATION
solaris origin online F file:///mnt/repo/
ha-cluster origin online F file:///mnt2/repo/
15) Install the complete SC4.1 package by installing 'ha-cluster-full'
# pkg install ha-cluster-full
14) Repeat steps 12-15 on VM2.
15) Now both VMs have the OS and SC4.1 installed.
16) By default the 3 NICs are in the "Automatic" profile and have DHCP configured. We need to activate the Fixed profile and put the 3 NICs into it. Only 1 interface, the public interface, needs to be configured. The other 2 are for the cluster interconnect and will be automatically configured by scinstall. Execute the following commands :-
# netadm enable -p ncp defaultfixed
//verify
# netadm list -p ncp defaultfixed
#Configure the public-interface
#Verify none of the interfaces are listed, add all the 3
# ipadm show-if
# run dladm show-phys or dladm show-link to check interface names : must be net0/net1/net2
# ipadm create-ip net0
# ipadm create-ip net1
# ipadm create-ip net2
# ipadm show-if
//select proper IP and configure the public interface. I have used 192.168.56.171 & 172
# ipadm create-addr -T static -a 192.168.56.171/24 net0/publicip
#IP plumbed, restart
# ipadm down-addr -t net0/publicip
# ipadm up-addr -t net0/publicip
//Verify publicip is fine by pinging the host
# ping 192.168.56.1
//Verify, net0 should be up, net1/net2 should be down
# ipadm
17) Repeat step 16 on VM2
18) Verify both VMs can ping each other using the public IP. Add entries to each other's /etc/hosts
Now we are ready to run scinstall and create/configure the 2-node cluster
19)
# cd /usr/cluster/bin
# ./scinstall
select 1) Create a new cluster ...
select 1) Create a new cluster
select 2) Custom in "Typical or Custom Mode"
Enter cluster name : mycluster1 (e.g)
Add the 2 nodes : solvm1 & solvm2 and press <ctrl-d>
Accept default "No" for <Do you need to use DES authentication>"
Accept default "Yes" for <Should this cluster use at least two private networks>
Enter "No" for <Does this two-node cluster use switches>
Select "1)net1" for "Select the first cluster transport adapter"
If there is warning of unexpected traffic on "net"1, ignore it
Enter "net1" when it asks corresponding adapter on "solvm2"
Select "2)net2" for "Select the second cluster transport adapter"
Enter "net2" when it asks corresponding adapter on "solvm2"
Select "Yes" for "Is it okay to accept the default network address"
Select "Yes" for "Is it okay to accept the default network netmask"
Now the IP addresses 172.16.0.0 will be plumbed in the 2 private interfaces
Select "yes" for "Do you want to turn off global fencing"
(These are SATA serial disks, so no fencing)
Enter "Yes" for "Do you want to disable automatic quorum device selection"
(we will add quorum disks later)
Enter "Yes" for "Proceed with cluster creation"
Select "No" for "Interrupt cluster creation for cluster check errors"
The second node will be configured and 2nd node rebooted
The first node will be configured and rebooted
After both nodes have rebooted, verify the cluster has been created and both nodes joined.
On both nodes :-
# cd /usr/cluster/bin
# ./clnode status
//should show both nodes Online.
At this point there are no quorum disks, so 1 of the node's will be designated quorum vote. That node VM has to be up for the other node to come up and cluster to be formed.
To check the current quorum status, run :-
# ./clquorum show
//one of the nodes will have 1 vote and other 0(zero).
20)
Now the cluster is in 'Installation Mode' and we need to add a quorum disk.
Shutdown both the nodes as we will be adding shared disks to both of them
21)
Create 2 VirtualBox HDDs (VDI Files) on the host, 1 for quorum and 1 for shared filesystem. I have used a size of 1 GB for each :-
$ vboxmanage createhd --filename /scratch/myimages/sc41cluster/sdisk1.vdi --size 1024 --format VDI --variant Fixed
0%...10%...20%...30%...40%...50%...60%...70%...80%...90%...100%
Disk image created. UUID: 899147b9-d21f-4495-ad55-f9cf1ae46cc3
$ vboxmanage createhd --filename /scratch/myimages/sc41cluster/sdisk2.vdi --size 1024 --format VDI --variant Fixed
0%...10%...20%...30%...40%...50%...60%...70%...80%...90%...100%
Disk image created. UUID: 899147b9-d22f-4495-ad55-f9cf15346caf
22)
Attach these disks to both the VMs as shared type
$ vboxmanage storageattach solvm1 --storagectl "SATA" --port 1 --device 0 --type hdd --medium /scratch/myimages/sc41cluster/sdisk1.vdi --mtype shareable
$ vboxmanage storageattach solvm1 --storagectl "SATA" --port 2 --device 0 --type hdd --medium /scratch/myimages/sc41cluster/sdisk2.vdi --mtype shareable
$ vboxmanage storageattach solvm2 --storagectl "SATA" --port 1 --device 0 --type hdd --medium /scratch/myimages/sc41cluster/sdisk1.vdi --mtype shareable
$ vboxmanage storageattach solvm2 --storagectl "SATA" --port 2 --device 0 --type hdd --medium /scratch/myimages/sc41cluster/sdisk2.vdi --mtype shareable
The disks are attached to SATA ports 1 & 2 of each VM. On my VirtualBox on Linux, the controller type is "SATA", whereas on Windows it is "SATA Controller".
The "--mtype shareable" parameter is important
23)
Mark both disks as shared :-
$ vboxmanage modifyhd /scratch/myimages/sc41cluster/sdisk1.vdi --type shareable
$ vboxmanage modifyhd /scratch/myimages/sc41cluster/sdisk2.vdi --type shareable
24) Start both VMs. We need to format the 2 shared disks
25) From VM1, run format. In my case, the 2 new shared disks show up as 'c7t1d0' and 'c7t2d0'.
# format
select disk 1 (c7t1d0)
[disk formated]
FORMAT MENU
fdisk
Type 'y' to accept default partition
partition
0
<enter>
<enter>
1
995mb
print
label
<yes>
quit
quit
26) Repeat step 25) for the 2nd disk (c7t2d0)
27) Make sure the shared disks can be used for quorum :-
On VM1
# ./cldevice refresh
# ./cldevice show
On VM2
# ./cldevice refresh
# ./cldevice show
The shared disks should have the same DID (d2,d3,d4 etc). Note down the DID that you are going to use for quorum (e.g d2)
By default, global fencing is enabled for these disks. We need to turn it off for all disks as these are SATA disks :-
# cldevice set -p default_fencing=nofencing-noscrub d1
# cldevice set -p default_fencing=nofencing-noscrub d2
# cldevice set -p default_fencing=nofencing-noscrub d3
# cldevice set -p default_fencing=nofencing-noscrub d4
28) It is better to do one more reboot of both VMs, otherwise I got an error when adding the quorum disk
29) Run clsetup to add quorum disk and to complete cluster configuration :-
# ./clsetup
=== Initial Cluster Setup ===
Enter 'Yes' for "Do you want to continue"
Enter 'Yes' for "Do you want add any quorum devices"
Select '1) Directly Attached Shared Disk' for the type of device
Enter 'Yes' for "Is it okay to continue"
Enter 'd2' (or 'd3') for 'Which global device do you want to use'
Enter 'Yes' for "Is it okay to proceed with the update"
The command 'clquorum add d2' is run
Enter 'No' for "Do you want to add another quorum device"
Enter 'Yes' for "Is it okay to reset "installmode"?"
Cluster initialization is complete!
30) Run 'clquorum status' to confirm both nodes and the quorum disk have 1 vote each
31) Run other cluster commands to explore!
I will cover Data services and shared file system in another post. Basically the other shared disk can be used to create a UFS filesystem and mount it on all nodes.
The Solaris Cluster 4.1 Installation and Concepts Guide are available at :-
http://docs.oracle.com/cd/E29086_01/index.html
Thanks. -
Solaris 10 shared memory config/ora 11g
The Oracle 11g install guide for SPARC Solaris 10 is very confusing with regard to shared memory, and my system does not seem to be using memory correctly: lots of swapping on an 8GB real memory system.
The doc says to set /etc/system to:
shmsys:shminfo_shmmax project.max-shm-memory 4294967296
but infers that this is not used.
Then, the doc states to set a project shared mem value of 2GB:
# projmod -sK "project.max-shm-memory=(privileged,2G,deny)" group.dba
Why is this number different?
By setting it to 2G as documented Oracle did not work at all, and so I found Note:429191.1
on Solaris 10 memory, which hints that these numbers should be big:
% prctl -n project.max-shm-memory -r -v 24GB -i project oracle_dss
% prctl -n project.max-shm-memory -i project oracle_dss
project: 101: oracle_dss
NAME PRIVILEGE VALUE FLAG ACTION RECIPIENT
project.max-shm-memory
privileged 24.0GB - deny -
system 16.0EB max deny
Is there some logic in how to get Solaris 10/Oracle 11g to hold hands? The install doc does not seem to contain it.
> system does not seem to be using memory correctly, lots of swapping on an 8GB real memory system.
We could start (for example) with this question: How big is your SGA, or how much of the 8GB RAM does your SGA take?
> The doc says to set /etc/system to:
> shmsys:shminfo_shmmax project.max-shm-memory 4294967296
> but infers that this is not used.
From documentation:
In Solaris 10, you are not required to make changes to the /etc/system file to implement the System V IPC. Solaris 10 uses the resource control facility for its implementation. However, Oracle recommends that you set both resource control and /etc/system/ parameters. Operating system parameters not replaced by resource controls continue to affect performance and security on Solaris 10 systems.
> Then, the doc states to set a project shared mem value of 2GB:
> # projmod -sK "project.max-shm-memory=(privileged,2G,deny)" group.dba
> Why is this number different?
It's an example of how "To set the maximum shared memory size to 2 GB".
> By setting it to 2G as documented oracle did not work at all
Docs say:
On Solaris 10, verify that the kernel parameters shown in the following table are set to values greater than or equal to the recommended value shown.
If your SGA was greater than 2G I'm not wondering why "oracle did not work at all".
So for a 4GB SGA (for example) you need to allow allocation of 4G of shared memory.
Note: shmsys:shminfo_shmmax != project.max-shm-memory. "project.max-shm-memory" is replacement of "shmsys:shminfo_shmmax" but function of these parameters differs.
"project.max-shm-memory resource control limits the total amount of shared memory of one project, whereas previously, the shmsys:shminfo_shmmax parameter limited the size of a single shared memory segment."
Relevant link to Sun docs: http://docs.sun.com/app/docs/doc/819-2724/chapter1-33 -
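As an added example (not code from the thread above), a small Python checker for the answer's point about Solaris 10 shared memory limits: it parses the `prctl -n project.max-shm-memory` output format quoted in the post and `set shmsys:shminfo_*` lines from /etc/system, then reports whether an SGA of a given size fits under the per-project total and under the older per-segment limit. The sample inputs and the function names (`parse_size`, `check_sga`, ...) are constructed for this illustration.

```python
# Added example: checker for Solaris 10 shared-memory limits versus an Oracle
# SGA size.  Not part of the forum thread; sample inputs are constructed.
import re

# Binary unit multipliers as printed by prctl ("24.0GB", "16.0EB") or written
# by hand ("4G"); an empty unit means plain bytes.
_UNITS = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3,
          "T": 1024 ** 4, "P": 1024 ** 5, "E": 1024 ** 6}


def parse_size(text):
    """Convert a size such as '4G', '24.0GB' or '8388608' to bytes."""
    m = re.fullmatch(r"\s*(\d+(?:\.\d+)?)\s*([KMGTPE]?)B?\s*", text, re.I)
    if not m:
        raise ValueError("unrecognised size: %r" % text)
    return int(float(m.group(1)) * _UNITS[m.group(2).upper()])


def parse_prctl(output):
    """Parse the table printed by `prctl -n project.max-shm-memory -i project X`.

    Returns (privilege, limit_bytes, action) tuples in printed order.  Data
    rows start with the privilege level; the 'project:' line, the column
    header and the bare resource-name line are skipped.
    """
    entries = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] in ("basic", "privileged", "system"):
            # Columns: PRIVILEGE VALUE FLAG ACTION [RECIPIENT]
            entries.append((parts[0], parse_size(parts[1]), parts[3]))
    return entries


def parse_etc_system(text):
    """Collect 'set module:param=value' tunables from an /etc/system file."""
    tunables = {}
    for line in text.splitlines():
        m = re.match(r"\s*set\s+([\w:]+)\s*=\s*(\S+)", line)
        if m:
            value = m.group(2)
            tunables[m.group(1)] = (int(value, 16) if value.lower().startswith("0x")
                                    else parse_size(value))
    return tunables


def project_limit(entries):
    """Lowest 'deny' threshold on the control: the value at which the
    project's next shared-memory allocation is refused."""
    limits = [limit for _, limit, action in entries if action == "deny"]
    return min(limits) if limits else None


def check_sga(sga_bytes, prctl_output, etc_system_text=""):
    """Report whether an SGA of sga_bytes fits the configured limits.

    project.max-shm-memory caps the total shared memory of the whole project,
    so it must cover the entire SGA.  shmsys:shminfo_shmmax only caps a single
    segment; Oracle's guidance is to keep it at least the SGA size so the SGA
    is not split across several segments.
    """
    limit = project_limit(parse_prctl(prctl_output))
    shmmax = parse_etc_system(etc_system_text).get("shmsys:shminfo_shmmax")
    return {
        "project_limit": limit,
        "project_ok": limit is not None and sga_bytes <= limit,
        "shmmax": shmmax,
        "shmmax_ok": shmmax is None or sga_bytes <= shmmax,
    }


# Constructed samples mirroring the formats quoted in the thread.
SAMPLE_PRCTL = """\
project: 101: oracle_dss
NAME    PRIVILEGE       VALUE    FLAG   ACTION                       RECIPIENT
project.max-shm-memory
        privileged      24.0GB      -   deny                                 -
        system          16.0EB    max   deny
"""

SAMPLE_ETC_SYSTEM = """\
set shmsys:shminfo_shmmax=8388608
set shmsys:shminfo_shmmni=100
set semsys:seminfo_semmns=200
"""

if __name__ == "__main__":
    for sga in ("2G", "4G", "32G"):
        print(sga, check_sga(parse_size(sga), SAMPLE_PRCTL, SAMPLE_ETC_SYSTEM))
```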
Solaris.smf.modify ? help me
hi
Hope everyone is fine and enjoying the real world of UNIX. I am UNISYS, in a little bit of trouble.
I have a service named "mysvc" (let mysvc be the service FMRI) running under user "meunix" and group "other".
I want to give user "meunix" the privilege to delete the service using the command
NOTE: Assume the service is already stopped
#svccfg delete -f mysvc
but when I run this command it prompts
svccfg: Permission denied
I have already assigned the user "meunix" the following rights:
First I added the following line in the file /etc/security/auth_attr
solaris.smf.modify.mysvc::My Service RBAC-Management::
and then I ran the command
usermod -A solaris.smf.modify.mysvc meunix
but it doesn't work.
I have also tried
solaris.smf.modify.*.mysvc::My Service RBAC-Management::
usermod -A solaris.smf.modify.mysvc meunix
but the same thing happened: "svccfg: Permission denied"
Looking forward to +ve responses
Regards
UNIX out of Box
Sorry, but svccfg delete requires solaris.smf.modify, which allows the user to create or delete any service or instance. Please file an RFE at bugs.opensolaris.org . -
Could not read /etc/netconfig
I get that error message on my console every time I try to start the rpcbind service. The command svcs -x shows the service is currently in maintenance. Doing svcadm clear bind to try to start the service manually produces that error message.
The error started coming up after I installed BIND 9.4.1-P1 and brought over zone files from another server (a Solaris 8 box). The files I brought over were copied via a tar file.
This is just a shot in the dark, but by chance was "Secure By Default" enabled when the s10 box was installed? I'm digging my way through a NIST hardening document for Solaris, and throughout the document it talks about how rpcbind is impacted in a number of ways. Particularly in reference to TCP Wrapping.
Dave -
After installing a zone for the first time on a baseline system, I run the 'zlogin -C my-zone' command. I get the typical '[Connected to zone 'my-zone' console]' response, but when I boot the zone using the 'zoneadm -z my-zone boot' command, I do not get the system config questions such as Language, Hostname, Nameservers, etc. I am able to login as root without a password. I tried configuring and installing the same exact zone on a full system install, and I do get the questions on first boot.
What packages are needed to have the questions appear on first boot? The baseline system I'm having problems with is a default CORE install with the following additions:
Core software for resource pools
CPU Performance Counter driver and utilities
Freeware Compression Utilities
GNU Bourne-Again shell (bash)
Install Software
Interprocess Communications
Network Security Services
Network Security Services (64 bit)
Network Time Protocol
On-Line Manual Pages
Perl 5
Secure Shell
Solaris Zones
tcpd - access control facility for internet services
J2sdk 32 and 64 bit runtime
Live Upgrade Software
The XML library
X Window System Runtime Environment
X11 Arabic required fonts
X11 ISO-8859-x optional fonts
X11 ISO-8859-x required fonts
CDE application basic runtime environment
Motif RunTime Kit
thanks,
brian
I was missing only one of the sysidtool programs, sysidpm. I installed SUNWpmu, which includes sysidpm, and I still had the problem.
JASS 4.0.1 is in the global zone and was run before creating the zone. JASS was installed into the zone (by default), but not run. When I ran the undo on the JASS scripts in the global zone, the problem went away. Here are the basics of the hardening driver that was used:
JASS_FILES="
# /etc/dt/config/Xaccess
/etc/inet/inetd.conf
/etc/init.d/inetsvc
/etc/init.d/nddconfig
/etc/init.d/set-tmp-permissions
/etc/issue
/etc/motd
# /etc/notrouter
/etc/rc2.d/S00set-tmp-permissions
/etc/rc2.d/S07set-tmp-permissions
/etc/rc2.d/S70nddconfig
/etc/syslog.conf
/etc/ipf/ipf.conf
/etc/ipf/pfil.ap
"
JASS_SCRIPTS="
disable-IIim.fin
disable-ab2.fin
disable-apache.fin
disable-asppp.fin
disable-autoinst.fin
disable-automount.fin
disable-dhcpd.fin
disable-directory.fin
disable-dmi.fin
disable-dtlogin.fin
disable-inetd.fin
disable-ipv6.fin
disable-kdc.fin
# disable-keyboard-abort.fin
disable-keyserv-uid-nobody.fin
disable-ldap-client.fin
disable-lp.fin
disable-mipagent.fin
disable-nfs-client.fin
disable-nfs-server.fin
disable-nscd.fin
disable-nscd-caching.fin
# disable-picld.fin
disable-ppp.fin
disable-preserve.fin
disable-power-mgmt.fin
# disable-remote-root-login.fin
disable-rhosts.fin
disable-rpc.fin
disable-samba.fin
disable-sendmail.fin
# disable-ssh-root-login.fin
disable-slp.fin
disable-snmp.fin
disable-spc.fin
disable-syslogd-listen.fin
disable-system-accounts.fin
disable-uucp.fin
disable-vold.fin
disable-xserver-listen.fin
disable-wbem.fin
enable-coreadm.fin
# enable-ftpaccess.fin
# enable-ftp-syslog.fin
# enable-inetd-syslog.fin
# enable-priv-nfs-ports.fin
# enable-process-accounting.fin
enable-rfc1948.fin
enable-stack-protection.fin
enable-tcpwrappers.fin
install-at-allow.fin
install-ftpusers.fin
install-loginlog.fin
install-newaliases.fin
install-sadmind-options.fin
# install-security-mode.fin
# install-shells.fin
install-sulog.fin
remove-unneeded-accounts.fin
set-banner-dtlogin.fin
set-banner-ftpd.fin
set-banner-sendmail.fin
set-banner-sshd.fin
set-banner-telnetd.fin
set-ftpd-umask.fin
set-login-retries.fin
set-power-restrictions.fin
set-root-group.fin
set-rmmount-nosuid.fin
set-sys-suspend-restrictions.fin
set-system-umask.fin
set-tmpfs-limit.fin
set-user-password-reqs.fin
set-user-umask.fin
update-at-deny.fin
update-cron-allow.fin
update-cron-deny.fin
update-cron-log-size.fin
update-inetd-conf.fin
# enable-bsm.fin
install-md5.fin
install-fix-modes.fin
# install-strong-permissions.fin
" -
My installation of OAS 4.0.8.1 on Digital Unix 4.0F is failing when it comes to trying to relink something called ntcontab.o, with an apparently missing header file:
cc: Severe: /usr/include/sys/types.h, line 77:
Cannot find file <standards.h> specified in #include directive.
(I did find the header file on the system but in a different place. I tried a link to make it appear where it should but that didn't work for some reason.)
My release notes specify 4.0D is required; maybe that's the problem, though I wouldn't expect a whole header file to be moved between minor releases.
Any help very gratefully received. I am really stuck.
Thanks
Alan McCulloch
email : [email protected]
BTW - I'm new to Digital Unix, previously worked on Solaris. My subjective impression is Digital Unix is a lot less well supported and prevalent than Solaris, and my feeling is we would be more secure on Solaris.
Is this at all a valid point of view? I'd be very happy to be wrong about this!
Hi Peter,
I believe that functionality was broken in the field test version of coordinate systems that shipped in 8.1.6 only for transforming data stored in the SDO_POINT type. I'm not sure, but I doubt this will be patched on tru64 unix.
If you need to get this working you might want to try storing your point data using the elem_info_array and the ordinate array rather than the optimized point type.
This problem is fixed in 8.1.7.
Hope this helps,
dan -
Mac OS X Leopard Firewall/default open ports rpcbind?
Hi,
I'm looking into hardening/securing mac os x leopard and noticed that port 111 rpcbind is open. Is rpcbind open by default? What are leopards default open ports on a fresh install?
Also is there any way to run openbsd/freebsd PF firewall?
Thanks!
This is what nmap reports:
Starting Nmap 4.76 ( http://nmap.org ) at 2009-03-02 12:28 EST
Warning: Unable to open interface vmnet8 -- skipping it.
Warning: Unable to open interface vmnet1 -- skipping it.
Interesting ports on localhost (127.0.0.1):
Not shown: 993 closed ports
PORT STATE SERVICE
111/tcp open rpcbind
631/tcp open ipp
1021/tcp open unknown
1022/tcp open unknown
1023/tcp open netvenuechat
2049/tcp open nfs
49152/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 10.55 seconds
netstat -a | grep LISTEN confirms:
tcp6 0 0 localhost.ipp . LISTEN
tcp4 0 0 *.49152 . LISTEN
tcp4 0 0 *.1021 . LISTEN
tcp4 0 0 *.1022 . LISTEN
tcp4 0 0 *.sunrpc . LISTEN
tcp4 0 0 *.nfsd . LISTEN
tcp4 0 0 *.1023 . LISTEN
tcp4 0 0 localhost.ipp . LISTEN
tcp6 0 0 localhost.ipp . LISTEN
Not too sure what netvenuechat is and I have no idea why NFS is open/running. I'm not connecting to any NFS shares. How do I lock everything down?
Any suggested IPFW rules?
Here is what 'ipfw show' returns:
3300 36 2160 deny icmp from any to me in icmptypes 8
65535 866558 351141790 allow ip from any to any
Thanks,
Juan -
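As an added example (not code from Juan's post), a Python triage of the `nmap` and `netstat -a | grep LISTEN` output quoted above: it separates listeners bound to every interface (`*.port`, reachable from the network) from loopback-only ones (`localhost.port`), and flags ports that a scan of 127.0.0.1 reported open but which netstat shows are not exposed to other hosts. The sample lines are constructed to match the formats in the post, and the service-name map is an assumption taken from /etc/services.

```python
# Added example: triage listening sockets from netstat and nmap output.
# Not part of the forum thread; sample inputs are constructed.
import re

# Names BSD netstat substitutes for port numbers (assumed from /etc/services).
SERVICE_PORTS = {"sunrpc": 111, "ipp": 631, "nfsd": 2049}

LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}

NMAP_ROW = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


def parse_listeners(netstat_output):
    """Return (proto, host, port) for every LISTEN row of `netstat -a`.

    host is '*' for a wildcard bind.  port is an int when netstat printed a
    number, otherwise the service name resolved through SERVICE_PORTS (or the
    raw name if it is unknown).
    """
    listeners = []
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[-1] != "LISTEN":
            continue
        proto, local = parts[0], parts[3]
        host, _, port = local.rpartition(".")  # BSD netstat joins host.port
        port = int(port) if port.isdigit() else SERVICE_PORTS.get(port, port)
        listeners.append((proto, host, port))
    return listeners


def exposed_listeners(netstat_output):
    """(proto, port) pairs reachable from the network: not bound to loopback."""
    return sorted(
        {(proto, port) for proto, host, port in parse_listeners(netstat_output)
         if host not in LOOPBACK_HOSTS},
        key=lambda item: (item[0], str(item[1])),
    )


def loopback_only(netstat_output):
    """Ports that listen only on loopback, so other hosts cannot reach them."""
    listeners = parse_listeners(netstat_output)
    exposed = {port for _, host, port in listeners if host not in LOOPBACK_HOSTS}
    return sorted({port for _, host, port in listeners
                   if host in LOOPBACK_HOSTS and port not in exposed}, key=str)


def parse_nmap(nmap_output):
    """Return {port: (state, service)} from nmap's PORT/STATE/SERVICE table."""
    ports = {}
    for line in nmap_output.splitlines():
        m = NMAP_ROW.match(line.strip())
        if m:
            ports[int(m.group(1))] = (m.group(3), m.group(4))
    return ports


def loopback_only_in_scan(nmap_output, netstat_output):
    """Ports nmap saw open that netstat shows as loopback-only.

    A scan against 127.0.0.1 reaches loopback-bound sockets, so these inflate
    the apparent exposure; the remaining open ports are the real surface.
    """
    open_ports = {p for p, (state, _) in parse_nmap(nmap_output).items()
                  if state == "open"}
    return sorted(p for p in loopback_only(netstat_output) if p in open_ports)


# Constructed samples in the formats shown in the post.
SAMPLE_NETSTAT = """\
tcp6 0 0 localhost.ipp . LISTEN
tcp4 0 0 *.49152 . LISTEN
tcp4 0 0 *.1021 . LISTEN
tcp4 0 0 *.1022 . LISTEN
tcp4 0 0 *.sunrpc . LISTEN
tcp4 0 0 *.nfsd . LISTEN
tcp4 0 0 *.1023 . LISTEN
tcp4 0 0 localhost.ipp . LISTEN
tcp6 0 0 localhost.ipp . LISTEN
"""

SAMPLE_NMAP = """\
PORT STATE SERVICE
111/tcp open rpcbind
631/tcp open ipp
1021/tcp open unknown
1022/tcp open unknown
1023/tcp open netvenuechat
2049/tcp open nfs
49152/tcp open unknown
"""

if __name__ == "__main__":
    print("exposed:", exposed_listeners(SAMPLE_NETSTAT))
    print("loopback only:", loopback_only(SAMPLE_NETSTAT))
    print("open in scan but loopback only:",
          loopback_only_in_scan(SAMPLE_NMAP, SAMPLE_NETSTAT))
```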
SHARED MEMORY 문제(ORA-7329, ORA-7331, ORA-7279)
제품 : ORACLE SERVER
작성날짜 : 2004-07-22
SHARED MEMORY 문제(ORA-7329, ORA-7331, ORA-7279)
================================================
PURPOSE
다음은 shared memory 문제가 발생하는 경우(ora-7329,ora-7331,
ora-7279) 에 대해서 알아본다.
Explanation
1. 왜 Problem 이 생기나?
* Oracle 은 Process와 SGA(System Global Area) 간의
Communication를 위해 Shared Memory와 Semaphore 를 사용한다.
Oracle Instance 가 뜰 때 SGA를 Create하기 위해 Main Memory의
임의의 부분을 할당하는데 이 때 Shared Memory 나 Semaphore 가
적절하지 않으면 이에 관련한 Error가 발생한다.
2. 해결 방안
SGA는 Shared Memory 안에 생기므로 Shared Memory 는 각 Process에게
사용 가능해야 한다.
Shared memory 와 Semaphore parameter 는
- SHMMAX = 1개의 shared memory segment 의 maximum size,
SGA 크기 이상
- SHMMIN = 1개의 shared memory segment 의 minimum size, 1 byte
- SHMMNI = shared memory identifier의 숫자, 100 이상
- SHMSEG = 1개의 process에 attach되는 shared memory segment의
maximum 갯수, 10 이상
- SEMMNS = system의 semaphore 갯수, 200 이상
- SEMMNI = 시스템에서 identifier를 setting하는 semaphore 수,
70 이상
- SEMMSL = semaphore set 당 최대 semaphore 갯수,
initSID.ora 의 processes 값 이상
* 추천하는 Semaphore와 Shared Memory Parameter
Operating System Shared Memory Parameters Semaphore
================================================================
Sun OS
SHMSIZE = 32768 SEMMNS = 200
SHMMNI = 50 SEMMNI = 50
Solaris
SHMMAX = 8388608 SEMMNS = 200
SHMSEG = 20 SEMMSL = 50
SHMMNI = 100 SEMMNI = 70
HP/UX
SHMMAX = 0x4000000(64Mb) SEMMNS = 128
SHMSEG = 12 SEMMNI = 10
Digital Unix (DEC Alpha OSF/1)
SHMMAX = 4194304 SEMMNS = 60
SHMSEG = 32 SEMMSL = 25
Ultrix Use System Default SEMNS SEMMSL = 5
AT&T Unix
SHMMAX = RAM-Dependant SEMMNS = 200
8 or 16Mb RAM
SHMMAX = 5 Mb For All RAM
32 Mb RAM
SHMMAX = 8 Mb Values
64 Mb RAM
SHMMAX = 16 Mb
128 Mb RAM
SHMMAX = 32 Mb
256 Mb RAM
SHMMAX = 64 Mb
512 Mb RAM
SHMMAX = 128 Mb
1024 Mb RAM
SHMMAX = 256 Mb
2048 Mb RAM
SHMMAX = 512 Mb
SHMSEG = 6 for all RAM Values
SHMMIN = 1 for all RAM Values
Dynix/PTX
SHMMAX = 11010048 SEMMNS = 200
SHMSEG = 20 SEMMSL = 85
Other Parameter NOFILES = 128
DG/UX
SHMMAX = 4194304 SEMMNS = 200
SHMSEG = 15
Shared Memory 와 Semaphore Parameter는 OS 의 Kernel Configuration
화일에 반드시 지정되어야 하며, File의 위치는 OS마다 차이가 있다.
현재의 Shared Memory 와 Semaphore Configuration 을 알기 위해서는
다음의 Command를 이용한다.
$ sysdef |more
* HP-UX (relevant sections only) 에서의 예:
Semaphore 관련 Parameters
- maximum value for semaphores(semaem)= 16384
- Semaphore map(semmap)= 4098
- number of semaphore identifiers(semmni) = 4096
- total number of semaphores in the system(semmns) = 8192
- number of semaphore undo structures(semmnu) = 1536
- semaphore undo entries per process(semume) = 512
- semaphore maximum value(semvmx) = 32767
Shared Memory 관련 Parameters
- maximum shared memory segment size in bytes(shmmax) = 536870912
- minimum shared memory segment size in bytes(shmmin) = 1
- maximum shared memory segments in system (shmmni) = 512
- maximum shared memory segments per process(shmseg) = 512
NOTE: SHMMAX는 현 system에 8개의 instance가 수행될 수 있는
충분한 값이다.
* Shared memory 또는 semaphore parameters 를 변경하기 위해서는 ...
1. Oracle Instance를 Shutdown 한다.
2. OS의 Kernel Configuration File이 있는 곳으로 간다.
3. System Utility 또는 Editor를 이용해서 필요한 값을 바꾼다.
System Utility는 다음과 같다
| OS | Utility |
| HP/UX | SAM |
| SCO | SYSADMSH |
| AIX | SMIT |
| Solaris | ADMINTOOL |
4. Kernel 을 Reconfigure 한다.
5. System을 Reboot 한다.
6. Oracle Instance를 startup시킨다.
[ 예제 ] Solaris 2.3/2.4 parameters and commands:
1. SQLDBA 에서 :
SQLDBA> shutdown
SQLDBA> exit
2. Superuser(root)로 login 하고 :
# cd /etc
3. /etc/system file 에 다음을 추가 한다:
set shmsys:shminfo_shmmax=8388608
set shmsys:shminfo_shmmin=1
set shmsys:shminfo_shmmni=100
set shmsys:shminfo_shmseg=20
set semsys:seminfo_semmns=200
set semsys:seminfo_semmni=70
4. Reconfigure the kernel:
# touch /reconfigure
5. Reboot the machine:
# init 6
6. In SQLDBA:
SQLDBA> startup
SQLDBA> exit
Oracle's init<SID>.ora parameter file contains parameters that affect the SGA. The settings of these parameters, which are tied to the OS shared memory and semaphore parameters, have a significant effect on the performance of both the system and Oracle.
Reference Documents
<Note:1011658.6> -
System does not seem to be using memory correctly, lots of swapping on an 8GB real memory system.
We could start (for example) with this question - how big is your SGA, or how much of the 8GB RAM does your SGA take?
The doc says to set /etc/system to:
shmsys:shminfo_shmmax project.max-shm-memory 4294967296
but infers that this is not used.
From documentation:
In Solaris 10, you are not required to make changes to the /etc/system file to implement the System V IPC. Solaris 10 uses the resource control facility for its implementation. However, Oracle recommends that you set both resource control and /etc/system/ parameters. Operating system parameters not replaced by resource controls continue to affect performance and security on Solaris 10 systems.
Then, the doc states to set a project shared mem value of 2GB:
# projmod -sK "project.max-shm-memory=(privileged,2G,deny)" group.dba
Why is this number different?
It's an example of how "To set the maximum shared memory size to 2 GB".
By setting it to 2G as documented, oracle did not work at all. Docs says:
On Solaris 10, verify that the kernel parameters shown in the following table are set to values greater than or equal to the recommended value shown.
If your SGA was greater than 2G, I'm not wondering why "oracle did not work at all".
So for a 4GB SGA (for example) you need to allow allocation of 4G of shared memory.
Note: shmsys:shminfo_shmmax != project.max-shm-memory. "project.max-shm-memory" is the replacement for "shmsys:shminfo_shmmax", but the function of these parameters differs.
"project.max-shm-memory resource control limits the total amount of shared memory of one project, whereas previously, the shmsys:shminfo_shmmax parameter limited the size of a single shared memory segment."
Relevant link to Sun docs: http://docs.sun.com/app/docs/doc/819-2724/chapter1-33 -
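Added example for the thread above and for the /etc/system procedure in the Oracle note earlier on this page; it is not code from either source. It turns a target SGA size into the segment limit (shminfo_shmmax) and the project total (project.max-shm-memory) that the posts distinguish, and checks a constructed /etc/project entry against it. The /etc/project field layout and the projmod syntax are real Solaris 10; the sample entry and the project name group.dba are constructed.

```shell
#!/bin/sh
# Added example (not from the thread or from Oracle's docs). The sample
# /etc/project entry below is constructed; the field layout
# (projname:projid:comment:users:groups:attributes) is the real Solaris 10 format.

# Convert a size with an optional K/M/G suffix to bytes.
to_bytes() {
    case "$1" in
        *G) echo $(( ${1%G} * 1073741824 )) ;;
        *M) echo $(( ${1%M} * 1048576 )) ;;
        *K) echo $(( ${1%K} * 1024 )) ;;
        *)  echo "$1" ;;
    esac
}

# Pre-Solaris 10 style: the SGA must fit in one shared memory segment,
# so shminfo_shmmax is sized to the SGA.
etc_system_line() {
    echo "set shmsys:shminfo_shmmax=$(to_bytes "$1")"
}

# Solaris 10 style: project.max-shm-memory caps the project's total shared
# memory, so it must be at least the SGA (more if several instances share
# the project). Emits the projmod command for the given project name.
projmod_cmd() {
    printf 'projmod -sK "project.max-shm-memory=(privileged,%s,deny)" %s\n' \
        "$(to_bytes "$1")" "$2"
}

# Return 0 if the privileged project.max-shm-memory in an /etc/project line
# covers the SGA size, 1 if it is too small or not set at all.
check_project_line() {
    need=$(to_bytes "$1")
    have=$(printf '%s\n' "$2" |
        sed -n 's/.*project\.max-shm-memory=(privileged,\([0-9]*[KMG]*\),deny).*/\1/p')
    [ -n "$have" ] || return 1            # no limit set for this project
    [ "$(to_bytes "$have")" -ge "$need" ]
}

# Constructed /etc/project entry carrying the 2G limit quoted in the thread.
SAMPLE_PROJECT_LINE='group.dba:100::::project.max-shm-memory=(privileged,2147483648,deny)'

etc_system_line 4G
projmod_cmd 4G group.dba
check_project_line 4G "$SAMPLE_PROJECT_LINE" || echo "2G project limit is too small for a 4G SGA"
```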
We need to be able to install instances of Oracle on minimally installed, tightly secured Sun Solaris systems.
So far, Oracle seems to need OS headers, Libraries, compiler utilities, and at least a subset of Xwindows - all inappropriate for a secured server. Is there a way to install on a development machine, then create an install image (sans data) for installation on production-mode servers?
I am a sysadmin with peripheral understanding of Oracle.... I have ... dell poweredge 4600 ...
... and ... dell poweredge 2400 ...it is necessary to buy 3 (three) more dell 2550
and Gigabit Ethernet switch ;)
Install instructions: look at
http://gratschew.narod.ru/as2 -
Oracle Utilities CC&B - Infrastructure Scaling
We are using Oracle Utilities CC&B 2.1 with Oracle 10g Database. Can anyone please suggest the optimum Database configuration that is required for a development/production environment.
Also kindly share any documentation for scaling the infrastructure for a production environment.
Answering the original question about production/development settings and also about scalability for production, there are many choices and options.
Naturally, it is best to split your production workload from your development workload. Separate servers for that. In the early stages, you may just buy development/test servers, later, production servers which (prior to go-live) would be configured for production use (hardened security, limited access etc).
Some customers split database and application. I know of one customer that is splitting database from online app and having separate instances for XAI and batch.
Reporting is always a concern and a separate reporting database which is a replica of the production database as of close of business the day before is useful to have for heavy reports generated by BI or crystal etc.
By thinking about how you can split the various aspects of your CC&B production system (database, online app, XAI, batch, reporting, failover database etc.), you have an easier time should you need to scale certain aspects of your system.
This is a fairly easy way of scaling and separating.
As with all things IT and particularly UNIX the answer is generally "it depends...! " -
Hello,
I need to harden security on my Mac machines, especially a 27" iMac (2013).
How does one install VirtualBox on Mac OS X 10.10.2 (Yosemite)?
Many thanks,
7m0u9tAN7m0u9tAN wrote:
Running Linux inside VirtualBox on Mac OS X 10.10.2 will be more secure.
More secure than what?
If you want to run Linux, then VirtualBox is a good way to do that. But if you are trying to achieve some other goal, please tell us what it is.