The 5 Minute Guide to Securing Solaris

Posted by Sam

Disclaimer

This is a super quick guide to securing a Solaris server. It's not in depth and I highly recommend taking a deeper look at the technologies that are used.

Install Solaris Security Toolkit (formerly called JASS)

A ton of stuff will scroll by. If you need remote access, be sure to edit the TCP Wrappers allow file; otherwise you'll be locked out of the box. Also, if you log in remotely over SSH as root, you'll need to allow root logins in the SSH configuration and restart SSH. I always double check that I can log in remotely before closing the current console.

Links for Solaris Security Toolkit

Activate BSM Auditing

Auditing lets you watch as little or as much as you want on your box. It's also zone aware, so you can see exactly what's going on in a specific zone. Here's a quick run-through of how to turn it on and what I'm monitoring on my boxes. Keep in mind that on a busy box these settings can produce very large logs and slow down your system. Take a look at the links to learn exactly what these settings do, and then decide how much logging you need.

  • Edit /etc/security/audit_control so that it looks like this:
    dir:/var/audit
    flags:lo,ex,ad,pc,fm,fw,-fc,-fd,-fr
    minfree:10
    naflags:lo,ex,ad
  • Edit /etc/security/audit_startup so it looks like this:
    /usr/bin/echo "Starting BSM services."
    /usr/sbin/auditconfig -setpolicy +cnt
    /usr/sbin/auditconfig -setpolicy +argv,arge
    /usr/sbin/auditconfig -setpolicy +zonename
    /usr/sbin/auditconfig -conf
    /usr/sbin/auditconfig -aconf
  • Run the bsmconv script
    /etc/security/bsmconv
  • Add the following line to root's crontab (it closes the current audit file and opens a new one every night, so the log is rotated daily)
    0 0 * * * /usr/sbin/audit -n
  • Reboot and check out your newly created logs in /var/audit
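To see what the flags line above actually turns on, here is an added Python example (not from the post) that parses an audit_control file and resolves the audit flag syntax into the outcomes audited per class; it goes beyond the post's file by also handling the '+' (success only), '^' (negation) and 'all' forms. The class names and the minfree semantics are as documented for Solaris 10; the configuration text is the post's, embedded as constructed input.

```python
import re
# Audit classes as listed in /etc/security/audit_class on Solaris 10.
AUDIT_CLASSES = {
    "fr": "file read", "fw": "file write", "fa": "file attribute access",
    "fm": "file attribute modify", "fc": "file create", "fd": "file delete",
    "cl": "file close", "pc": "process", "nt": "network", "ip": "ipc",
    "na": "non-attributable", "ad": "administrative", "lo": "login/logout",
    "ap": "application", "ss": "change system state", "io": "ioctl",
    "as": "system-wide administration", "ex": "exec", "ot": "other",
}
# Constructed sample: the audit_control contents recommended in the post.
SAMPLE_AUDIT_CONTROL = """\
dir:/var/audit
flags:lo,ex,ad,pc,fm,fw,-fc,-fd,-fr
minfree:10
naflags:lo,ex,ad
"""

def parse_audit_control(text):
    """Return a dict of the key:value lines, ignoring comments and blanks."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(":")
            conf[key.strip()] = value.strip()
    return conf

def effective_policy(flags):
    """Map each audit class to the outcomes audited, {'success', 'failure'}.
    audit_control(4) syntax: 'cls' audits both outcomes, '+cls' success only,
    '-cls' failure only, '^' removes what an earlier flag enabled, 'all' is every class."""
    policy = {}
    for token in filter(None, flags.split(",")):
        m = re.fullmatch(r"(\^?)([+-]?)([a-z]+)", token)
        if not m or (m.group(3) != "all" and m.group(3) not in AUDIT_CLASSES):
            raise ValueError("bad audit flag: %r" % token)
        negate, sign, cls = m.groups()
        outcomes = {"+": {"success"}, "-": {"failure"}}.get(sign, {"success", "failure"})
        for target in (AUDIT_CLASSES if cls == "all" else [cls]):
            current = policy.get(target, set())
            policy[target] = current - outcomes if negate else current | outcomes
    return {c: o for c, o in policy.items() if o}   # drop classes fully negated

def summarize(conf):
    """One line per audited class, plus the free-space threshold for audit_warn."""
    lines = ["%s (%s): %s" % (c, AUDIT_CLASSES[c], "+".join(sorted(o)))
             for c, o in sorted(effective_policy(conf["flags"]).items())]
    lines.append("audit_warn runs when %s has less than %s%% free" % (conf["dir"], conf["minfree"]))
    return lines
```

Run it against your own /etc/security/audit_control before rebooting, so you know which classes record failures only (the `-fc,-fd,-fr` entries) and which record both outcomes.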

Links for BSM Auditing

Tags: solaris security

Showing Blastwave Packages with Upgrades Available

Posted by Sam

I love love love Blastwave. I couldn't imagine using Solaris without it. One of the annoying things, though, is that if you want to see whether newer packages are available you have to wade through every package they have. And they have a lot. So here is a super simple one-liner for showing just the packages that need to be upgraded.

pkg-get -c | grep -v "Not installed" | grep -v SAME | \
mailx -s "Blastwave Updates" yourname@example.com

And since you are probably using Solaris Zones, here is a simple script that looks in all non-global zones and emails out a report. Currently it sends one email per zone, but that could easily be changed to send one email per physical box.

#!/usr/bin/sh

# For every running non-global zone, run the Blastwave update check inside
# the zone and mail the filtered result for that zone.
for zone in `/usr/sbin/zoneadm list | /usr/bin/grep -v global`; do
   zlogin $zone "/opt/csw/bin/pkg-get -c | \
   /usr/bin/grep -v \"Not installed\" | \
   /usr/bin/grep -v SAME | \
   /usr/bin/mailx -s \"Blastwave Updates for $zone\" yourname@example.com"
done

Tags: solaris

Zone Manager Screencast

Posted by Sam

Sometimes it's hard to understand just how simple something is without seeing it first hand. In an attempt to show people just how powerful and extremely awesome Zone Manager is (not to mention Solaris Zones) I thought I would create a screencast. Screencasts are all the rage these days and for good reason. Running commands from the command line isn't sexy, but watching a video where I create an entirely new server in well under two minutes is dead sexy! And so without further ado I present Zonemgr!

Tags: solaris zones zonemgr

Limiting Bandwidth for Solaris Zones

Posted by Sam

I love Solaris. I mean I really love it. Using zones and ZFS is like a breath of fresh air. If I had one complaint, it's that Solaris is sometimes over-documented. I know that seems strange at first, but case in point is trying to set up IPQoS to simply limit the bandwidth on a particular zone. This week I decided that I needed to take some time and figure out how to limit a zone to only using 1mb of bandwidth. So I started by looking around on the web and there was nothing. It was a ghost town. Some people were talking about it, but nobody had a simple example of how to implement it. In the Linux world there would be a million how-tos. More than half of them would be out of date and of questionable quality, but they would be out there nonetheless.

Since I couldn't get any love from the internet at large, I decided to look at the documentation that Sun provides. Sun's documentation is great, but oftentimes it's overkill. Or they expect that you've been to some training class and already have a pretty decent understanding of what you are doing. The documentation for IPQoS was no different. It came in at 72 pages when printed and was not at all helpful. Ugh! Finally, I put together a solution and I thought I would share it here. Hopefully it will help others as well.

In Solaris 10 update 4 there are three example files for QoS in the /etc/inet directory, so I created a new file there. Here are the contents of the file.

fmt_version 1.0
action {
 module ipgpc
 name ipgpc.classify

 params {
  global_stats TRUE
 }

 class {
  name web1
  next_action cap
  enable_stats FALSE
 }

 filter {
  name web1
  daddr 10.1.1.5
  class web1
 }

}

action {
 module tokenmt
 name cap

 params {
  committed_rate 1048576
  committed_burst 1048576
  peak_burst 1048576
  red_action_name drop
  green_action_name continue
  yellow_action_name continue
  global_stats TRUE
 }
}
The important parts of the file are committed_rate, committed_burst and peak_burst. Basically this tells IPQoS to start dropping packets whenever the bandwidth exceeds 1 megabit (1,048,576 bits). In the example above I have a class named web1 and a filter, also named web1, that points to the class web1. These can be named anything you like, but make sure that the filter's class entry has the same name as the class's name entry.

After you create the file above you can activate it with ipqosconf like so:

bash-3.00# ipqosconf -a ipqos.conf

Be sure to substitute the name of your file for ipqos.conf. Assuming you don't get any errors you should be good to go!
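Here is an added Python example, not from the post, that parses an ipqosconf-style file and checks the cross-references that trip people up: every filter's class must name a class defined in the same action, and every next_action must name an action (drop and continue are treated as built-ins). The sample config is the post's, reflowed as constructed input; the parser treats the file as whitespace-separated tokens and braces, which is an assumption about the format and not ipqosconf's own grammar.

```python
import re

# Constructed sample: the post's ipqos.conf, reflowed (only the tokens matter here).
SAMPLE_IPQOS_CONF = """\
fmt_version 1.0
action { module ipgpc  name ipgpc.classify
  params { global_stats TRUE }
  class  { name web1  next_action cap  enable_stats FALSE }
  filter { name web1  daddr 10.1.1.5  class web1 }
}
action { module tokenmt  name cap
  params { committed_rate 1048576  committed_burst 1048576  peak_burst 1048576
           red_action_name drop  green_action_name continue
           yellow_action_name continue  global_stats TRUE }
}
"""
BUILTIN_ACTIONS = {"drop", "continue"}  # next_action targets that need no action block

def parse_blocks(tokens):
    """Recursive descent over 'key value' pairs and 'key { ... }' blocks;
    repeated block keys (action, class, filter) are collected into lists."""
    node = {}
    while tokens:
        tok = tokens.pop(0)
        if tok == "}":
            break                      # end of the enclosing block
        if tokens and tokens[0] == "{":
            tokens.pop(0)
            node.setdefault(tok, []).append(parse_blocks(tokens))
        else:
            node[tok] = tokens.pop(0)
    return node

def parse_ipqosconf(text):
    """Tokenise on whitespace and braces, then build the nested dict."""
    return parse_blocks(re.findall(r"[{}]|[^\s{}]+", text))

def check_ipqosconf(conf):
    """Return the dangling references ipqosconf would reject: a filter whose
    class is not defined in its action, or a next_action naming no action."""
    problems = []
    actions = {a["name"]: a for a in conf.get("action", [])}
    for act in actions.values():
        classes = {c["name"] for c in act.get("class", [])}
        for c in act.get("class", []):
            if c["next_action"] not in BUILTIN_ACTIONS and c["next_action"] not in actions:
                problems.append("class %s: next_action %s names no action" % (c["name"], c["next_action"]))
        for f in act.get("filter", []):
            if f["class"] not in classes:
                problems.append("filter %s: class %s not defined in action %s" % (f["name"], f["class"], act["name"]))
    return problems
```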

Tags: solaris zones

Easy and Fast Solaris Zone Creation

Posted by Sam

Want to automate the creation of Solaris zones, or just want to create zones faster? Using Zone Manager you can save yourself several steps and even some time. As I'll show below, you can easily create a brand new zone in less than two minutes with one command. Grab Zone Manager and stick it in your path. I put mine in /usr/sbin. Here's an example:

bash-3.00# time zonemgr -a add \
> -n web1 \
> -z /opt/zones \
> -P secret \
> -I "10.100.1.1|bge0|255.255.255.0|web1" \
> -C /etc/resolv.conf \
> -C /etc/nsswitch.conf

Checking to see if the zone IP address (10.100.1.1) is already in use...IP is available.
Preparing to install zone < web1 >.
Creating list of files to copy from the global zone.
Copying <297> files to the zone.
Initializing zone product registry.
Determining zone package initialization order.
Preparing to initialize <205> packages on the zone.
Initialized <205> packages on zone.
Zone < web1 > is initialized.
The file contains a log of the zone installation.
Creating the sysidcfg file for automated zone configuration.
Copying (/etc/resolv.conf) from the global zone to (/etc/resolv.conf) in the non-global zone.
Copying (/etc/nsswitch.conf) from the global zone to (/etc/nsswitch.conf) in the non-global zone.
Copy completed.
Booting zone for the first time.
Waiting for first boot tasks to complete.
Updating netmask information.
Copying (/etc/nsswitch.conf) from the global zone to (/etc/nsswitch.conf) in the non-global zone.
Copy completed.
Updating /etc/inet/hosts of the global zone with the webshell IP information.
Zone web1 is ready.

real 1m52.449s
user 0m12.063s
sys 0m16.275s

What we did

Here's what we did, line by line.

  1. Add the zone
  2. Name the zone web1
  3. Create the zone in /opt/zones/web1
  4. Set the password to secret
  5. Set the IP address, Ethernet adapter, subnet mask and hostname
  6. Copy the resolv.conf file from the global zone
  7. Copy the nsswitch.conf file from the global zone

That's it! With one command and in less than two minutes you have a brand new, fully functional zone. For more information on Zone Manager check out the docs. You can also subscribe to the Zone Manager blog. To see how much time and how many steps that saves check out this blog. Happy Zoning!

Tags: solaris zones