7/7/2017

How To Install Package In Solaris 10 Zones


This article demonstrates three methods for creating, configuring, and managing Oracle Solaris Kernel Zones, a new feature of Oracle Solaris 11.2 that provides all.

Securing the Oracle Solaris 1. Operating System. Solaris 11 is the latest Operating System in the Solaris server OS range from Oracle, previously Sun Microsystems. It incorporates many features from Solaris 1.

How to configure a solaris 10 zones and configure resources like memory, CPU, file system, disk etc. What are the types of zones - whole root zone, sparse root zone.

Service Management Framework, but also pulls a lot from the now defunct OpenSolaris project including a new packaging system and a whole new suite of *adm administrative commands to configure the operating system. This article will cover security configuration of the OS after a standard text-based installation. I’m using Solaris 1.

For full details, review the appropriate CISecurity. Solaris 1. 1. 1, as well as the comprehensive documentation on the operating system available from the Oracle site. I’ll be working along with those benchmarks and covering only the main points (the full benchmark is 9. Operating system hardening is good practice, and will assist in a defense-in-depth architecture by adding another layer of security along with firewalls, well-written code, secure application servers, and so on. It is also a requirement of several financial accreditation standards such as PCI-DSS. This article presumes the reader is proficient at administering the Solaris 1.


Pre-hardening Considerations. Ensure that the system is fully patched prior to starting hardening. This will ensure that all of the latest security errata have been applied. The latest patch cluster can be downloaded and applied to the system, or you can use pkg update.

For more information on patching Solaris 1. Prior to starting the hardening procedure it is recommended that an alternate boot environment be created for backup purposes. Issuing the beadm activate pre-hardening command will activate the environment for future reboots. We can now begin hardening the OS. You may find that some of the hardening is not applicable for your environment – e.

Solaris 11 uses a Secure By Default approach. For example, there is no GUI by default, only a limited set of system services are set to start, Sendmail is configured to listen locally only, and so on.

You can check whether the graphical login manager is running by issuing the following command.

# svcs -Ho state svc:/application/graphical-login/gdm:default

If you see no output, then try the following.

Reason: Service is incomplete, defined only by profile /etc/svc/profile/generic. If there is output, and it isn’t “disabled”, issue the following command to disable GDM if you’re not planning on using a GUI. Sendmail will be configured to listen locally by default. If you have no need to forward/receive mail, then that configuration is fine and secure. If Sendmail is listening on other interfaces and you don’t need it to be, you should set the config/local. You can verify with the following command (note the use of ggrep – GNU grep). We also check that nis/domain is disabled as LDAP is not in use.

We will also check that the NIS client is disabled.

# svcs -Ho state svc:/network/nis/client
disabled

If any of these services are enabled, issue the svcadm disable < service. Check that the ktkt.

Let’s disable it. This would allow for the physical introduction of malice, both via incoming means as well as outgoing (stealing sensitive data, perhaps). It’s most often employed to automatically mount NFS file systems from remote file servers when needed, as well as loopback filesystems (user home directories, etc.). If you don’t need it, disable it. Check that the bundled Apache 2.

# svcs -Ho state svc:/network/http:apache.

Configure TCP Wrappers.

TCP Wrappers controls access to the network daemons that support it through administrator-controlled ACLs based upon remote IP addresses. Therefore, we can use this as another layer of security along with network and host-based firewalls – if one layer is compromised there are still other ACL points. It may mean slightly more administration, but it’s a good payoff in terms of security. It also performs syslog logging regarding successful and unsuccessful connection attempts – information that would be vital in determining the source IP address. By default, tcp. The following command will display a report of the tcp.

These are all set to FALSE by default. Configure ACLs in /etc/hosts. The version of SSH that ships with Solaris 1.

TCP Wrappers too if these files exist, so ensure you have a rule for sshd: <network>/<mask> in /etc/hosts. Whilst it doesn’t protect against all types of buffer overflow, it is still a significant security feature and it should be implemented. To check that it is enabled, look for the following.

By default, it’s set to 1 (Improved sequential generation, with random variance in increment), but for a hardened server this should be set to 2 (RFC 1. This will make remote session-hijacking attempts more difficult as well as any attack that relies upon predictable sequence number generation.

There are a myriad of other variables that can be tuned depending upon your needs. A value of 0 is disabled, 1 is enabled. You should set . To Other variables to check the documentation for are . Note that not all of these variables may be present on your system. Again, this provides one less thing to be exploited on the system, and one less thing to administer.

Verify with the following command. X11Forwarding' /etc/ssh/sshd. Disable it.

# gsed -i '/^X11Forwarding/ s/yes/no/' /etc/ssh/sshd.

This setting controls how many times a user can enter incorrect credentials before being forced to reconnect. This can stop many types of brute force attack by disconnecting a malicious login exchange. By default, root is disallowed direct login via sshd which is something we wish to maintain. PermitRootLogin /etc/ssh/sshd.

There is also configuration available to enforce account locking after a certain number of retries which may be something your site needs – read /etc/security/policy. Access to at/cron. Access to the at and cron commands should be limited to authorised users only. Scheduling jobs should be performed at the discretion of the System Administrator, and perhaps a few delegates and service accounts. If not, appropriate monitoring of user crontab files should be performed to check for errant jobs that could compromise system security or stability. The /etc/cron.d/at. The default configuration is as follows.

It is recommended to perform the following remediation. To configure this, ensure that the CONSOLE variable is set in /etc/default/login as follows.

# grep '^CONSOLE' /etc/default/login
CONSOLE=/dev/console

All other access must be made via unprivileged user accounts, and then escalated to root via sudo or su. User Accounts. Solaris has a great number of tunable parameters relating to user accounts, password expiration, password creation policies, and so on.

The logins -ox command displays user and system login information in a parseable format. For example. .. Warnings will start to be sent to the user 2 weeks before their password expires. Obviously, you will need to change these parameters as per the security policy at your site. Checking logins -ox once again. UP: 1. 12. 31. 3: 7: 7. The last three fields have updated appropriately.

You’ll need to do this for all active users except the root account and any accounts with NL or LK in the fifth-to-last field as they represent non-login and locked accounts respectively. If you have more than a handful of accounts you’d be best to script this operation. Update /etc/default/password.

Every site will have different needs, but here are the NSA/DISA compliant complexity rules. Check man -s 1 passwd for more information on these options, although the variable names are fairly self-descriptive. The default umask for users is 0. It is more desirable to have the default umask set to 0. To do this, modify /etc/default/login.

# vi /etc/default/login
UMASK=027