SysAdmin Blog, TechTips and Reviews

Unix Linux – Solaris Redhat Ubuntu – Open Source



Archives Posts

Tools to Help Harden Solaris

June 18th, 2009 by elizar

Special thanks to Kristy Westphal

There are several checklists on the Internet to help you lock down an out-of-the-box installation of Solaris. But, if you have followed any of them, you know how time consuming they can be, especially for a large enterprise. The Solaris community, however, is in luck when it comes to system hardening because a few forward-thinking Sun engineers have built some tools that can help to automate this procedure. In this article, I will discuss two such tools, TITAN and JASS.

Default Installations

Over time, Solaris has improved its default security settings in some areas. However, it still needs additional hardening to secure some default settings. Areas that are fairly loose by default include:

 

 

  • Unnecessary services enabled by default.
  • Warning banners not included with default telnet and ftp services.
  • More in-depth auditing not enabled.
  • Generic system accounts not well secured.
  • Strong password parameters not set.
  • File permissions not adequately secure.
  • More secure network settings not enabled.

Filed under Solaris

Free (Solaris) Virtualization for Dummies Ebook

May 15th, 2009 by elizar

I just want to share a link for those who are not subscribed to the official Sun Microsystems’ email newsletter.. (what?! You’re not subscribed?!)

Anyway, the link will forward you to a form where you need to fill in some personal information (it’s from Sun, so there will be no selling of email or spamming there). Once you’re done with that, go read and study Solaris Virtualization!

Enjoy!

» Download your free copy of Virtualization for Dummies.

Filed under Solaris, tutorial

How to Consolidate Servers and Applications using Solaris Containers

May 7th, 2009 by elizar

I am subscribed to the official Sun Microsystems newsletter and I got this one directly from my inbox that I want to share with every Solaris SysAdmin out there:

This How-To Guide instructs users, system administrators, and developers unfamiliar with Solaris 10 OS on consolidating applications onto a single server using Solaris Containers technology. The guide starts with a brief overview of Solaris Containers and follows with an example of using Solaris Containers to consolidate two Web server applications and an email server application onto a single server. Users are guided step-by-step through the consolidation process, with code examples and illustrations.

After using this guide, a user should be able to create Solaris Containers by:

* Creating a resource pool
* Defining Solaris Zones
* Assigning CPU usage with the Fair Share Scheduler (FSS)
* Installing and booting a zone
* Configuring access to raw devices from the zone

Filed under Solaris, Solaris 10, ZFS

Replacing a Failed Disk in Solaris Mirror (SVM)

January 16th, 2009 by elizar

This one is about Solaris Volume Manager and all those meta commands you can think of (metadb, metadetach, metattach, metaclear, etc.).

Yesterday we had to replace a failed disk that belongs to a mirror. The disk is running in a SPARC Solaris 10 box. It’s a 72GB disk from Fujitsu:

c1t1d0           Soft Errors: 440 Hard Errors: 12 Transport Errors: 124
Vendor: FUJITSU  Product: MAY2073RCSUN72G  Revision: 0501 Serial No: 0711S0935R
Size: 73.40GB <73400057856 bytes>

As you can see from the iostat -En command, the disk is spitting hard errors and must be replaced before it can cause a lot more headache. It’s in c1t1, right.

Here’s what we’re supposed to do:

  • delete the meta database that corresponds to the failed disk
  • detach the failed disk/slices from the mirror
  • clear it
  • unconfigure the disk
  • replace the disk
  • configure the disk
  • create a new meta device database
  • initialize the disk
  • attach it to the mirror
  • and sync

Here’s the detailed job:


Restoring File From UFSdump Backup

September 18th, 2008 by elizar

Here’s what we did today on one of our Solaris boxes that is worth mentioning on this cool super system administrator’s blog ‘o mine! (Don’t you find it cool that SysAds are so funny?!)

Anyhoo, today we re-jumpstarted a laboratory box because the ‘owner’ of it wants it back. Since we pretty much messed it up, I had to jumpstart a fresh copy.

After installing, I returned the original /etc/shadow and /etc/passwd from backup (had a backup file on the laptop), but unfortunately, the /etc/shadow file is ‘null’.

Restoring File From UFSdump Backup

Here’s the procedure in restoring a particular file from ufs dump backup… Of course if you’re restoring from ufs backup you probably made a ufs backup in the first place, right? Right!

In this example, the files backup.examples and junk are restored from the pubs directory:


Building ZFS Mirrored File System Example

September 17th, 2008 by elizar

I’ve written something about the Zettabyte file system before… It’s like some sort of an intro to the filesystem.

This post will be the first of a series of posts on configuring ZFS on a test machine, a Sun-Fire-V240 running Solaris 10.

# uname -a
SunOS sedm3205 5.10 Generic_137111-04 sun4u sparc SUNW,Sun-Fire-V240

Anyhow, first topic will be how to create/build, test, destroy and recreate a mirrored ZFS disk (or file based). Most of the ZFS commands we’ll be using are:

  • zpool
  • zcreate

That’s it!

Creating the ZFS Mirror

We’ll create two kinds of mirrored partition: one is file based and the other is a physical 175GB disk.


Watch-Net and Watch-Net-All Diagnostics

September 9th, 2008 by elizar

This is the first post regarding the on-site training to bring MNL SAs up to speed to support the company’s production servers.

This week’s topic… building the server through Jumpstarting (yeah, solaris sparc servers).

Watch-Net and Watch-Net-All Diagnostics

The watch-net and watch-net-all diagnostics monitor Ethernet packets on the Ethernet interfaces connected to the system. Good packets received by the system are indicated by a period (.). Errors such as the framing error and the cyclic redundancy check (CRC) error are indicated with an “X” and an associated error description. The watch-net diagnostic is initialized by typing the watch-net command at the ok prompt and the watch-net-all diagnostic is initialized by typing the watch-net-all command at the ok prompt. The following code example identifies the watch-net diagnostic output message. Example 4-3 identifies the watch-net-all diagnostic output message.

ok watch-net
Hme register test --- succeeded.
Internal loopback test -- succeeded.
Transceiver check  -- Using Onboard Transceiver - Link Up.
passed
Using Onboard Transceiver - Link Up.
Looking for Ethernet Packets.
'.' is a Good Packet.  'X' is
a Bad Packet.
Type any key to stop.
..................................................
................................................................
................................................................
........................................................

ok watch-net-all
/pci@1f,0/pci@1,1/network@1,1
Hme register test --- succeeded.
Internal loopback test -- succeeded.
Transceiver check  -- Using Onboard Transceiver - Link Up.
passed
Using Onboard Transceiver - Link Up.
Looking for Ethernet Packets.
'.' is a Good Packet.  'X' is
a Bad Packet.
Type any key to stop.
........
................................................................
................................................................
................................................................
....................................
ok
ok


OpenSolaris Launch – May 5, 2008!

May 4th, 2008 by elizar

Better late to mention than never.. . :)

Monday, May 5 at 10 a.m. PT is the live webcast from CommunityOne, where Sun will launch the new, free and easy-to-use OpenSolaris OS, a leading-edge open source release with world-class support and unique, innovative features.

Mark your calendar.. then again, this is already tomorrow.. hehehe

Arlo Gilbert

Filed under Solaris, Solaris 10

Solaris ZFS Rocks!!

May 2nd, 2008 by elizar

Zettabyte File System (ZFS) is claiming to be “The Most Advanced File System on the Planet”!

What is ZFS?

ZFS is a proprietary file system from Solaris. ZFS is a file system designed and developed by Sun Microsystems for the Solaris Operating System. ZFS, or Zettabyte File System, will solve all of the problems any administrator has encountered in a filesystem.

In a nutshell, ZFS kind of represents a virtual storage pool. Virtual meaning you will be able to grow or shrink file systems very easily by simply adding new physical disks to this pool.

The concept is still the same as any virtual logical volume, wherein you configure a bunch of disks to be one super big disk and you group it in volumes/partitions to be used by the system. Having added 10 more physical disks to the pool, for example, you’ll be able to decide which filesystems you want to grow.

Here are some quotes from Sun Microsystems documentation about ZFS:

Physical storage can be added to or removed from storage pools dynamically, without interrupting services, providing new levels of flexibility, availability, and performance.

In scalability,

Solaris ZFS is a 128-bit file system. Its theoretical limits are truly mind-boggling — 2^128 bytes of storage, and 2^64 for everything else such as file systems, snapshots, directory entries, devices, and more.

And the improvement of RAID-5, which is RAID-Z,

… which uses parity, striping, and atomic operations to ensure reconstruction of corrupted data.

Say ‘atomic operations’ ?? Wah that?!

For more info about Solaris ZFS, check out Sun’s page about it.. download

Filed under Solaris, Solaris 10

/var/preserve Directory: Vi and Ex Temporary Files

April 2nd, 2008 by elizar

Got a page on an error today:

Error, DISK_SPACE:/var – hostname – UNIX – EMAIL – 100% full, 0MB free, 722MB total

Did a quick ‘du’ on /var filesystem and found out the culprit directory:

# du -sk * | sort -rn | more
232013 preserve
222272 tmp
62607 sadm
58204 cfengine
44270 spool
40355 adm
510 cron
503 orca
343 apache

Filed under Solaris, Tips