Principles of Unix System Management - Solaris 8

Presentation Transcript
1. Principles of Unix System Management - Solaris 8
Randy Marchany, VA Tech Computing Center, Blacksburg, VA 24060, 540-231-9523, email: randy.marchany@vt.edu
Copyright 1999, Marchany

2. System Administration Duties
1. Install system patches
2. Make system checklists
3. Edit system configuration files
4. Keep track of SUID/SGID programs
5. Record device file permissions
6. Keep track of world- and group-writable files and directories
7. Record a cryptographic checksum of every system binary
8. Verify password strength for system and user accounts
9. Expire inactive accounts
10. Restrict root logins to the system console

3. System Administration Duties (cont'd)
11. Allow no guest accounts and no shared accounts: one user per account
12. Disable the r-commands (rsh, rlogin, rcp, rexec)
13. Monitor NFS usage with nfsstat and nfswatch. Check what is exported (/etc/dfs/dfstab on Solaris; /etc/exports on BSD-derived systems)
14. Monitor NIS usage
15. Monitor modem device file permissions
16. Disable UUCP, or verify that the computer hangs up the phone correctly
17. Install the latest version of sendmail (8.9.x at the time of writing)
18. Disable the tftp service
19. Verify FTP client and server configurations
20. Set up an email alias for the ftp account

4. System Administration Duties (cont'd)
21. Set a correct system-wide umask
22. Allow no .rhosts or .netrc files
23. Verify backup and restore procedures
24. Check sticky-bit permissions on shared directories
25. Check cron and at job files for completeness
26. Enable system accounting and system auditing
27. Check system-wide PATH definitions
28. Install tools: portsentry, logcheck, TCP Wrappers, Tripwire, lsof, and the CIS Security Benchmark document
29. Check whether IP forwarding is enabled in the kernel
30. Check X Window System security

5. SysAdmin Tricks/Hints
1. Get a good idea of what normal activity on your system looks like. Use the Unix performance commands and scripts to monitor it. Check user login times to get a feel for what is normal for each user.
2. Take checklists at irregular intervals; never do your monitoring on a predictable schedule. Store the checklists offline.
3. Remember that 1 megabyte doesn't necessarily equal 1 megabyte. Real math tells us 1 MB = 2**20 = 1,048,576 bytes and 1 GB = 2**30 = 1,073,741,824 bytes, BUT to vendors 1 MB = 1,000,000 bytes and 1 GB = 1,000,000,000 bytes. So you may not be missing space: a vendor "1 GB" disk gives you only 93.1% of the capacity you expected. Cute vendor trick!

6. SysAdmin Tricks/Hints (cont'd)
4. Monitor your disk space. Why are we concerned? Because intruders hide data in hidden directories, and checking that your usage totals add up is one way to notice it.
5. System things to remember:
- Keep hard-copy logs in a secure place with limited access. Be able to account for their whereabouts EXACTLY.
- Restrict root access.
- Do your backups and checklists.
- Log Internet activity using TCP Wrappers.
- Keep accurate physical network/system maps and contact people.
- Publicize problems AND solutions. Security through ignorance can backfire on you.
- Educate your user community.
- Install all relevant security patches and OS revision patches as soon as possible.
- Limit physical access to the machines if possible.

7. SysAdmin Tricks/Hints (cont'd)
6. Some free third-party system management tools to get:
- perl - language for scanning text files, extracting data from them and formatting reports. Written by Larry Wall.
- top - continuous, customizable display of system process status. Written by William LeFebvre.
- lsof - lists open files, for example to find out who has files open on a filesystem that you cannot unmount.
- nfswatch - dynamically charts NFS traffic on a host. Written by Dave Curry.
- tcpdump - packet capture program that displays packets to and from a system.

8. SysAdmin Tricks/Hints (cont'd)
More tools (cont'd):
- Tripwire - file integrity checker: records cryptographic checksums and attributes of system files in a baseline database and reports any change on later runs. Written by Gene Kim and Gene Spafford.
- Crack - very powerful password-guessing program for Unix password hashes. It needs the hashes, so it works directly against systems that don't have shadow password files; on a shadowed system you need root to read /etc/shadow first. Written by Alec Muffett.
7. Useful Unix commands: in addition to find, ls, diff, last, lastcomm, ps, vmstat, iostat, su and the tools above, the strings command is useful for examining binary files for ASCII strings.

9. Steps for Workstation Configuration
General steps to set up your workstation systems:
1. MAIL - install correct versions of sendmail.cf on the server and clients. The config files should reflect the mail environment at your site.
2. NIS - define the servers and clients. Do NOT make the NIS domain name the same as your Internet domain name: the NIS domain name is all a client needs to request your maps (including the passwd map) unless /var/yp/securenets restricts who may ask, so don't make it guessable.
3. NFS - define the servers and clients.
4. Userids - make sure all UID and GID values are unique across your ENTIRE network. Use Kerberos for more secure control. Use the PID as the UID value if possible, and require your users to get a PID first.
5. Encryption - Kerberize, or use ssh/PGP for, login, passwd, ftp and any application programs. Define the Kerberos/SSH master, slave and client machines.
6. NTP - install an NTP daemon on all machines to synchronize the system clocks (correlating logs across machines depends on it).

10. Steps for Workstation Configuration (cont'd)
7. Install TCP Wrappers - decide on the level of monitoring/restriction that is appropriate for your site.
8. SYSLOGS - modify the syslog.conf files on the machines to log what you want, and route the logs to a central loghost.
9. UNIX Software Consortiums - the CC maintains Unix software consortiums (site licenses) that provide the OS and compilers "free" to you. Check www.cc.vt.edu for more information.
10. Printer configuration - best to use HP network printers. Use the JetAdmin utility (provided free by HP) to manage them.
11. Third-party software - install it in common areas.
12. Licensed software - install the FLEXlm client/server code.
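As an added example for item 7 (not part of the slides), here is a default-deny TCP Wrappers policy written in the extended hosts_options(5) syntax. The subnet 10.1.2.0/24, the use of .cc.vt.edu as an ftp client range and the daemon names are assumptions for the illustration; take the real daemon names from your own inetd.conf.

```text
# /etc/hosts.deny  (assumed policy; consulted only when hosts.allow has no match)
# Refuse every wrapped service not explicitly allowed, and record the attempt
# via the auth facility regardless of which facility tcpd was compiled to use.
ALL: ALL: spawn (/usr/bin/logger -p auth.notice -t tcpd "refused %d from %c") &

# /etc/hosts.allow  (consulted first; the first matching line wins)
# Assumed: 10.1.2.0/24 is the staff subnet, .cc.vt.edu is the campus domain.
sshd:       10.1.2.0/255.255.255.0
in.ftpd:    10.1.2.0/255.255.255.0, .cc.vt.edu
in.telnetd: 10.1.2.0/255.255.255.0
# The r-services are refused even from the local net. The real fix (duty 12)
# is to remove them from inetd.conf; this line only catches a re-enabled entry.
in.rshd, in.rlogind, in.rexecd: ALL: DENY
```

hosts.allow is checked first and a request that matches neither file is allowed, which is why hosts.deny ends with ALL: ALL. TCP Wrappers only sees services started through tcpd or linked with libwrap, so RPC services, NFS and daemons started from the rc scripts need their own controls; the spawn line is optional, since tcpd already logs refusals to syslog, but it puts the record under the auth facility where the central loghost configuration of item 8 expects it.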

11. High Level Checklist - I
1. Major areas to consider:
- System checklist
- Superuser access
- Login/password/user administration
- Monitoring SUID/SGID programs
- System/user file and directory permissions
2. Hardware inventory:
- Record serial numbers of all systems, peripherals and network interfaces, and personnel access privileges.
- Bootable tapes/CDs? Is there a set for each system, and where are they stored?
- Is an install server available? Where is it? Where is the boot server?

12. High Level Checklist - II
3. Software inventory:
- get kernel information
- list the software packages installed on the system (pkginfo)
- list system configuration information (sysdef, prtconf, sysinfo)
- list machine name, node name, OS release and OS version (uname -a)
- list the machine architecture (uname -m, arch)
- list all the hardware the OS thinks is connected to the system (prtconf, sysinfo)
- list NFS status
- list the inet services available on each machine (/etc/inetd.conf)
- list host table entries (/etc/hosts)
- list nameserver entries (/etc/resolv.conf)
- list network status (netstat -a, netstat -nr)
- list user/group definitions (/etc/passwd, /etc/group)
- list password information (/etc/passwd) and shadow password information (/etc/shadow)
- search for /etc/hosts.equiv, /.rhosts, /etc/hosts.lpd
- determine what Internet services are provided (/etc/inetd.conf, /etc/services)

13. High Level Checklist - III
Software inventory (cont'd):
- NFS/NIS subsystems - active? server? client? (ps -ef | grep nisd for NIS+; look for ypserv/ypbind for NIS and nfsd/mountd for NFS)
- what directories are exported? (/etc/dfs/dfstab, share) What directories are mounted, and which ones come up at boot? (/etc/vfstab)
- what systems are exporting directories? (showmount -e host)
- what is the NIS domain name? (domainname, /etc/defaultdomain)
4. Superuser access:
- list of users who have root access
- is the su command audited? (/var/adm/sulog, set by SULOG in /etc/default/su)
- crontab file permissions?
- can root log in directly? (CONSOLE in /etc/default/login)
- where is the sulog?
- what users have root privileges?

14. High Level Checklist - IV
5. Login/password/user administration:
- what are the default password characteristics? Length? Lifetime? (/etc/default/passwd, /etc/default/login)
- how do you handle initial passwords?
- review the passwd and shadow files
- NIS? If so, check the master passwd file. NIS publishes the password hashes in the passwd map, which defeats shadow passwords.
- is the idle-timeout feature enabled?
- what is the adduser procedure? audit trail?
- what is the removeuser procedure? audit trail? file removal? NIS database?
- is the system running Kerberos?
- when was the last login for each user? (last)
6. SUID/SGID programs:
- review all SUID/SGID programs owned by root, daemon or bin, or by the groups bin, kmem or mail
- compare against the initial checklist
- minimum permission: 511 plus the SUID/SGID bit (4511 or 2511): executable by everyone who needs it, but not readable by group or other, so the binary cannot simply be copied off the machine for analysis
- maintain an updated list of ALL SUID/SGID programs
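The password and login defaults the checklist asks about live in /etc/default/passwd and /etc/default/login on Solaris. What follows is an added example, not code from the slides: a small checker that reads those files and reports every deviation from a target configuration. The keyword names (CONSOLE, PASSREQ, SYSLOG, SYSLOG_FAILED_LOGINS, RETRIES, TIMEOUT, UMASK, PASSLENGTH, MAXWEEKS, MINWEEKS, WARNWEEKS) are the Solaris 8 keywords; the target values and the sample files the script writes are assumptions for the demonstration, not a Sun or site standard.

```shell
#!/bin/sh
# Added example (not from the slides): audit Solaris /etc/default/login and
# /etc/default/passwd against the checklist's expectations. File paths are
# arguments so the check can also run against copies pulled off other hosts.

# Value of KEY in a Solaris default file, ignoring commented-out lines.
# Prints the last value set, or nothing if the key is absent or commented.
default_value() {   # $1=file $2=key
    sed -n "s/^[[:space:]]*$2=\([^[:space:]#]*\).*/\1/p" "$1" | tail -n 1
}

# Report if KEY is not exactly VALUE; return 1 on deviation.
expect_eq() {   # $1=file $2=key $3=value
    v=$(default_value "$1" "$2")
    [ "$v" = "$3" ] && return 0
    printf '%s: %s should be %s, is %s\n' "$1" "$2" "$3" "${v:-unset}"; return 1
}

# Report if KEY is not a number satisfying "KEY OP BOUND" (OP is -ge or -le).
expect_num() {   # $1=file $2=key $3=op $4=bound
    v=$(default_value "$1" "$2")
    case "$v" in
        ''|*[!0-9]*) printf '%s: %s should be a number %s %s, is %s\n' \
                         "$1" "$2" "$3" "$4" "${v:-unset}"; return 1 ;;
    esac
    [ "$v" "$3" "$4" ] && return 0
    printf '%s: %s should be %s %s, is %s\n' "$1" "$2" "$3" "$4" "$v"; return 1
}

check_login_defaults() {   # $1=/etc/default/login ; returns 1 if anything deviates
    rc=0
    expect_eq  "$1" CONSOLE /dev/console || rc=1   # root logs in only at the console (duty 10)
    expect_eq  "$1" PASSREQ YES          || rc=1   # no accounts without a password
    expect_eq  "$1" SYSLOG YES           || rc=1   # log root logins and repeated failures
    expect_eq  "$1" SYSLOG_FAILED_LOGINS 0 || rc=1 # 0 = log every failed login, not just the 5th
    expect_num "$1" RETRIES -le 5        || rc=1   # attempts before login gives up
    expect_num "$1" TIMEOUT -le 300      || rc=1   # seconds an idle login prompt survives
    expect_eq  "$1" UMASK 022            || rc=1   # duty 21: sane default umask
    return $rc
}

check_passwd_defaults() {   # $1=/etc/default/passwd ; returns 1 if anything deviates
    rc=0
    expect_num "$1" PASSLENGTH -ge 8 || rc=1   # 8 is also the most crypt(3) DES hashes use
    expect_num "$1" MAXWEEKS -le 13  || rc=1   # force a change at least quarterly
    expect_num "$1" MINWEEKS -ge 1   || rc=1   # stops users cycling straight back to the old one
    expect_num "$1" WARNWEEKS -ge 1  || rc=1
    return $rc
}

# Constructed sample files for the demonstration: "weak" resembles a box whose
# defaults were loosened, "hard" is the target state.
write_sample_files() {   # $1=directory
    cat > "$1/login.weak" <<'EOF'
# CONSOLE=/dev/console     commented out: root may log in from anywhere
PASSREQ=NO
TIMEOUT=300
UMASK=022
SYSLOG=YES
SYSLOG_FAILED_LOGINS=5
RETRIES=5
EOF
    cat > "$1/login.hard" <<'EOF'
CONSOLE=/dev/console
PASSREQ=YES
TIMEOUT=300
UMASK=022
SYSLOG=YES
SYSLOG_FAILED_LOGINS=0
RETRIES=3
EOF
    cat > "$1/passwd.weak" <<'EOF'
MAXWEEKS=
MINWEEKS=
PASSLENGTH=6
EOF
    cat > "$1/passwd.hard" <<'EOF'
MAXWEEKS=13
MINWEEKS=1
WARNWEEKS=2
PASSLENGTH=8
EOF
}

# Usage: sh check_defaults.sh /etc/default/login /etc/default/passwd
if [ $# -eq 2 ]; then
    check_login_defaults "$1"
    check_passwd_defaults "$2"
fi
```

A commented-out CONSOLE line is the deviation that matters most: with it gone, root may log in over telnet or rlogin and the su audit trail in /var/adm/sulog never sees the session.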

15. High Level Checklist - V
7. System/user file/directory permissions:
- system directories should be no more permissive than 755
- system directories used by root should be owned by root
- UUCP, the cron tables, the syslogs and system source code should be closed to general users
- monitor checksums for: login, su, passwd, cu, crypt, tip, rlogin
- check device file permissions for disk, tape, network and tty devices; check device ownership
- search for hidden directories; check all hidden files (.files)
- find all writable directories
- check user home directories for minimum permissions: 710. Check .login and .profile permissions
- what is the default umask?
- what are the default X setup commands?
- find all unowned files
- check all at jobs owned by root and verify their function
- restrict r-command usage
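Duties 4 to 7 of the opening list and the permission items in this checklist are all answered by the same baseline. The script below is an added example (not from the slides, and not a substitute for Tripwire): it records SUID/SGID programs, group- and world-writable files, unowned files, and the mode, owner and checksum of every regular file under a root directory, and diffs a fresh run against a stored copy. Everything it needs is POSIX sh and find; the digest falls back to cksum where no SHA-256 tool exists.

```shell
#!/bin/sh
# Added example (not from the slides): build and compare a filesystem
# baseline covering duties 4-7 and checklist V. Run it once after install,
# store the output offline (the slides say so for a reason: an intruder with
# root can edit an on-box baseline), then rerun and compare.

# Prefer a cryptographic digest; fall back to the POSIX cksum CRC, which
# only catches accidental change and is trivial for an attacker to collide.
digest() {   # $1=file ; prints the hex digest
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then shasum -a 256 "$1" | cut -d' ' -f1
    else cksum "$1" | cut -d' ' -f1
    fi
}

# Regular files with the SUID or SGID bit set under $1 (duty 4).
find_suid_sgid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Group- or world-writable files and directories under $1 (duty 6),
# ignoring sticky-bit directories such as /tmp where that is intended.
find_writable() {
    find "$1" \( -type f -o -type d \) \( -perm -0002 -o -perm -0020 \) \
        ! \( -type d -perm -1000 \) 2>/dev/null | sort
}

# Files whose uid or gid matches no account: leftovers of removed users,
# or something dropped by a tarball extracted as root.
find_unowned() {
    find "$1" \( -nouser -o -nogroup \) 2>/dev/null | sort
}

# One record per regular file: mode uid gid digest path (duty 7).
# ls -ldn is used because its first four fields are the same on Solaris,
# GNU and BSD; stat(1) is not.
build_baseline() {
    find "$1" -type f 2>/dev/null | sort | while IFS= read -r f; do
        meta=$(ls -ldn "$f") || continue
        set -- $meta
        printf '%s %s %s %s %s\n' "$1" "$3" "$4" "$(digest "$f")" "$f"
    done
}

# Compare a stored baseline ($1) with a fresh one ($2): prints every record
# that differs and returns 1, or returns 0 silently when they match.
compare_baseline() {
    if diff "$1" "$2" >/dev/null 2>&1; then return 0; fi
    diff "$1" "$2" | sed -n 's/^< /baseline only: /p; s/^> /current only: /p'
    return 1
}

# Usage: sh baseline.sh snapshot /usr > usr.base      (store usr.base offline)
#        sh baseline.sh snapshot /usr > /tmp/usr.now; sh baseline.sh compare usr.base /tmp/usr.now
#        sh baseline.sh suid /  |  sh baseline.sh writable /  |  sh baseline.sh unowned /
case "${1:-}" in
    snapshot) build_baseline "${2:-/}" ;;
    compare)  compare_baseline "$2" "$3" ;;
    suid)     find_suid_sgid "${2:-/}" ;;
    writable) find_writable "${2:-/}" ;;
    unowned)  find_unowned "${2:-/}" ;;
esac
```

A record that differs only in its digest is a changed binary; one that differs only in mode or owner is usually a misapplied chmod or chown, and a new SUID entry that was not in the suid list is the classic rootkit leftover. Run it from a mounted, read-only copy of the tools (or from the install CD) if you suspect the box: a trojaned find or ls on the host defeats the check.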

16. High Level Checklist - VI
8. General steps:
- check /etc/hosts permissions: it must stay world-readable (644, owned by root) so that non-root processes can resolve names, but it must never be group- or world-writable
- eliminate .netrc files
- verify the active inetd services. Actively monitor or restrict rshd, rlogind, tftpd, rlogin, rcp, rsh, tftp, trpt.
- use netstat -s -P tcp (Solaris; netstat -p tcp on BSD-derived systems) to check for failed network connections
- enable logging of ftp accesses (in addition to TCP Wrappers)
- set the permissions of exported directories to be as limited as possible
- are OS audit tools in place? what are the audit classes? where is the audit log?
- create a checklist of all files in the system on a periodic basis
- monitor any attempt to change IFS in .profile or .login files
- use the strings command to check any suspicious files, including DBMS files
- are syslogs routed to a central machine? are syslogs archived?
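The "verify the active inetd services" step is easy to script. Below is an added example, not from the slides: it reads an inetd.conf, reports every enabled entry that runs one of a list of daemons worth restricting, says whether each one is started through tcpd, and can emit a copy with the unwanted entries commented out. The daemon list and the sample inetd.conf it writes are constructed for the demonstration (the sample mimics a Solaris 8 layout, including one RPC-style entry where the service field is a program number rather than a name).

```shell
#!/bin/sh
# Added example (not from the slides): audit /etc/inetd.conf for the daemons
# the checklist wants restricted or monitored, then show the remediation.

# Daemons to flag: the r-services and tftp (should be off), plus finger,
# telnet and sadmind (watch or wrap). Assumed list; adjust per site.
RISKY_DAEMONS="in.rshd in.rlogind in.rexecd in.tftpd in.fingerd in.telnetd sadmind"

# Print "daemon<TAB>service<TAB>wrapped|UNWRAPPED" for every enabled entry
# that runs a risky daemon. Matching is on the program actually executed
# (field 6, or field 7 when field 6 is tcpd), so RPC entries whose service
# field is a program number are handled too. Returns 1 if anything is found.
audit_inetd() {   # $1=inetd.conf
    awk -v risky="$RISKY_DAEMONS" '
        BEGIN { n = split(risky, r, " "); for (i = 1; i <= n; i++) bad[r[i]] = 1; found = 0 }
        /^[ \t]*(#|$)/ { next }                     # comment or blank line
        NF < 6 { next }                             # malformed entry
        {
            prog = $6; sub(".*/", "", prog)         # basename of the server program
            wrapped = (prog == "tcpd")
            if (wrapped) { prog = $7; sub(".*/", "", prog) }
            if (prog in bad) {
                found = 1
                printf "%s\t%s\t%s\n", prog, $1, (wrapped ? "wrapped" : "UNWRAPPED")
            }
        }
        END { exit found }' "$1"
}

# Emit a copy of $1 with every entry that runs one of the daemons named in
# $2 commented out. Diff the result against the original, install it, then
# make inetd reread it: pkill -HUP inetd
disable_daemons() {   # $1=inetd.conf $2="daemon names"
    awk -v names="$2" '
        BEGIN { n = split(names, d, " "); for (i = 1; i <= n; i++) off[d[i]] = 1 }
        /^[ \t]*(#|$)/ || NF < 6 { print; next }
        {
            prog = $6; sub(".*/", "", prog)
            if (prog == "tcpd") { prog = $7; sub(".*/", "", prog) }
            if (prog in off) print "#" $0; else print
        }' "$1"
}

# Constructed sample resembling a Solaris 8 inetd.conf after partial
# hardening: ftp and telnet go through tcpd, the r-commands and tftp do
# not, finger is already off, and sadmind is an RPC entry.
write_sample_inetd() {   # $1=path
    cat > "$1" <<'EOF'
# Sample inetd.conf (constructed for this example)
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd          in.ftpd
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd          in.telnetd
shell   stream  tcp     nowait  root    /usr/sbin/in.rshd       in.rshd
login   stream  tcp     nowait  root    /usr/sbin/in.rlogind    in.rlogind
exec    stream  tcp     nowait  root    /usr/sbin/in.rexecd     in.rexecd
tftp    dgram   udp     wait    root    /usr/sbin/in.tftpd      in.tftpd -s /tftpboot
#finger stream  tcp     nowait  nobody  /usr/sbin/in.fingerd    in.fingerd
100232/10 tli   rpc/udp wait    root    /usr/sbin/sadmind       sadmind
EOF
}

# Usage: sh inetd_audit.sh /etc/inetd.conf
if [ $# -eq 1 ]; then audit_inetd "$1"; fi
```

On the sample, the audit lists six entries and only in.telnetd is wrapped; after disable_daemons with the four r-service and tftp daemons, two remain (the wrapped telnetd and the unwrapped sadmind, which TCP Wrappers cannot protect because it is not started through tcpd). Editing the file is not enough on its own: inetd keeps its old table until it receives SIGHUP, so confirm with netstat -a that the ports are really closed.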

17. High Level Checklist - VII
General information (cont'd):
- is NTP running on the machine? where are the config files?
- what are the Incident Response Team duties? who's on it?
- are NFS netgroups used? how are they organized? who maintains them?
- NIS mail aliases? how often are they monitored?

18. Boot/Shutdown Overview
• When to boot: after installing new hardware; after a power failure
• Shutdown commands: init, shutdown
• Servers: use the shutdown command; it notifies users
• Other systems: use init or shutdown to do a clean shutdown

19. Solaris 8 Installation I
• Preparing to install
• Determine the system type:
  • OS server - typically an NIS or NFS server
  • Standalone - has local disks (standard)
• Determine the required hardware: 32 MB RAM, 500 MB disk
• How much of Solaris do you want to install?
  • Core - the minimum software needed to run the OS
  • End User - Core + OpenWindows
  • Developer - End User + libraries and man pages
  • Entire - the whole thing. Recommended.

20. Solaris 8 Installation II
• 3 types of installation:
  • JumpStart - basic factory install. Not recommended, because the default partition sizes are too small.
  • Interactive - you boot and configure the system. GUI menus guide you through the whole process. Recommended.
  • Custom JumpStart - you boot and identify what type of system you have; the boot server loads a predefined version of the OS. Recommended for lab environments.
• You can set up a single system to be a boot/install server. This speeds up installation (about 20 minutes). The boot server must be on the same subnet as the target; the install server doesn't have to be. A single system can be both boot and install server.

21. Solaris 8 Installation III
• Need to know this before installation:
  • hostname - use the fully qualified name if not in NIS mode
  • network connectivity - primary network interface, IP address
  • type of name service to be used - NIS, NIS+, other (DNS). Use DNS, not NIS, to resolve hostnames.
  • domain name - the NIS domain name
  • DNS server IP address and hostname
  • subnet mask/netmask, time zone
  • which software group to install? End User, Developer, Entire, or Entire + OEM support. Recommend the last one, since you can always remove software later (and you should remove or disable what the machine doesn't need).

22. Solaris 8 Installation IV
• More need-to-know stuff:
  • Which disks to install Solaris on?
  • Auto-layout the filesystems? No, since the defaults are never big enough. Lay them out manually.
  • Preserve existing data? Recommend an initial installation; back up and restore the system-specific files.
  • Accept the filesystem layout
  • Mount remote filesystems? You can do this later.
  • Reboot after installation? Also, pick the root password.
• Sample Custom JumpStart installation:
  • Sample site: 2 subnets, 1 in the CC and 1 in EE
  • The CC has the install/boot server; EE has a boot server

23. Solaris 8 Installation V
• Create a JumpStart directory to hold the JumpStart installation files. Copy the template from the Solaris installation CD:
  • cp -r /export/Solaris_2.6/Misc/jumpstart_sample /jumpstart (on Solaris 8 media the directory is Solaris_8)
• Share the JumpStart directory (share -F nfs -o ro,anon=0 /jumpstart)
• Create the CC profile: create /jumpstart/cc_profile. Specify in this file the install_type, system_type, partitioning, cluster and swap filesystem.
• Create /jumpstart/ee_profile with similar information.
• Edit /jumpstart/rules: specify each subnet and the profile that applies to it.

24. Solaris 8 Installation VI
• Execute the check script to verify the rules syntax:
  • cd /jumpstart
  • ./check
  • check creates a rules.ok file (the install reads rules.ok, not rules).
• Set up the CC systems for installation. Set up the install server to download the appropriate OS:
  • cd /export/install
  • ./add_install_client -c server:/jumpstart host_cc sun4c
• Set up the EE systems for installation:
  • ./add_install_client -c server:/jumpstart host_ee sun4c
• Boot the systems and install the OS: from the ok prompt, enter: boot net - install
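As an added illustration of the rules and profile files described on the last two slides (not the deck's own files), here is a minimal /jumpstart/rules with one line per subnet and the CC profile it names. The subnet numbers (10.1.0.0 for the CC, 10.2.0.0 for EE), the disk c0t0d0 and the slice sizes are assumptions; the keywords are the standard Custom JumpStart ones.

```text
# /jumpst/rules  (assumed subnets; fields: rule_keyword rule_value begin profile finish)
network 10.1.0.0    -   cc_profile   -
network 10.2.0.0    -   ee_profile   -

# /jumpstart/cc_profile  (assumed disk c0t0d0; sizes in MB, "free" = remainder)
install_type    initial_install
system_type     standalone
partitioning    explicit
filesys         c0t0d0s0   1024   /
filesys         c0t0d0s1    512   swap
filesys         c0t0d0s6   2048   /usr
filesys         c0t0d0s5   1024   /var
filesys         c0t0d0s7   free   /export/home
cluster         SUNWCXall
```

partitioning explicit is what avoids the too-small defaults the slides warn about, and giving /var its own slice keeps a flood of syslog or mail from filling /. SUNWCXall is the Entire Distribution plus OEM support group the slide recommends; after the install, remove the packages the machine does not need with pkgrm. Rerun ./check after every edit, since the clients read rules.ok, not rules.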

25. Solaris Patch Administration
• Sun releases patches regularly.
• You MUST maintain current patch levels. Review the Solaris Patch Report available from SunSolve.
• Determine patch status:
  • showrev -p shows all applied patches
  • pkgparam pkgid PATCHLIST shows the patches applied to the package pkgid

26. Solaris Patch Administration (cont'd)
• Use the patchadd and patchrm commands to install or remove patches.
• These commands replace the installpatch and backoutpatch commands.
• They cannot be used on Solaris 1 (SunOS 4.x) systems.

27. Solaris Patch Administration (cont'd)
• Patches are available from http://sunsolve.sun.com
• Attackers read the patch reports too. You must install the recommended and security patches!
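Comparing showrev -p against the patch report by eye does not scale past a handful of machines. The following is an added example, not from the slides: it turns showrev -p output into a table of the highest installed revision per patch, then lists every required patch that is missing or behind. Solaris patch IDs have the form base-rev, and a higher installed rev satisfies a lower required one. Every patch number in the sample data is a constructed placeholder, not a real Sun patch ID.

```shell
#!/bin/sh
# Added example (not from the slides): compare the patches a host reports via
# showrev -p with the list you require, e.g. the IDs copied from the Solaris
# Recommended and Security Patch Report. Patch numbers below are placeholders.

# From showrev -p output on stdin, print "base rev" for each installed
# patch, keeping only the highest revision per base number.
installed_patches() {
    awk '$1 == "Patch:" {
             split($2, p, "-")
             if (p[2] + 0 > best[p[1]] + 0) best[p[1]] = p[2]
         }
         END { for (b in best) print b, best[b] }' | sort
}

# Compare a required list ($1: one base-rev per line, # comments allowed)
# with saved showrev -p output ($2). Prints one line per gap; returns 1 if
# there is any gap, 0 if the host is current.
patch_gaps() {   # $1=required-file $2=showrev-output-file
    awk 'FILENAME == ARGV[1] {                      # first file: showrev -p output
             if ($1 == "Patch:") {
                 split($2, p, "-")
                 if (p[2] + 0 > have[p[1]] + 0) have[p[1]] = p[2] + 0
             }
             next
         }
         /^[ \t]*(#|$)/ { next }                    # second file: required list
         {
             split($1, r, "-"); base = r[1]; need = r[2] + 0
             if (!(base in have)) { print "missing  " $1; gaps++ }
             else if (have[base] < need) {
                 printf "outdated %s (installed %s-%02d)\n", $1, base, have[base]; gaps++
             }
         }
         END { exit (gaps ? 1 : 0) }' "$2" "$1"
}

# Constructed sample data: a host with one patch installed twice (rev 05
# then 07), and a required list that it only partly satisfies.
write_samples() {   # $1=directory
    cat > "$1/showrev.out" <<'EOF'
Patch: 100001-05 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu, SUNWcsr
Patch: 100001-07 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu, SUNWcsr
Patch: 100002-02 Obsoletes:  Requires: 100001-05 Incompatibles:  Packages: SUNWcsl
Patch: 100004-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWxwplt
EOF
    cat > "$1/required.txt" <<'EOF'
# Placeholder IDs standing in for a Recommended and Security Patch Report
100001-07
100002-03
100003-01
100004-01
EOF
}

# Usage: showrev -p > /tmp/showrev.out
#        sh patch_gaps.sh required.txt /tmp/showrev.out
#        ... then fetch the listed patches from SunSolve and install them with
#        patchadd -M /var/spool/patch <patch-id> (after checking the checksum
#        SunSolve publishes for the download).
if [ $# -eq 2 ]; then patch_gaps "$1" "$2"; fi
```

Run on the sample data it reports 100003-01 as missing and 100002-03 as outdated (installed 100002-02), and stays silent about 100001-07, because the later revision is already there. Keep the required list under version control and rerun the check after every patch cluster; patchrm of a dependency can silently reopen a hole that showrev -p will show you but that nobody looks for.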

28. Solaris 8 - sys-unconfig
• Use it when you need to change the hostname of the machine.
• Use it when you move a machine from one building to another.
• It wipes out all of the pertinent host/TCP/IP control files.
• It restores the system to the out-of-box state, BUT it does NOT affect any user data files. It only modifies the TCP/IP-related files.
• Run the command; it shuts the system down when it's finished.
• You'll be asked to re-enter the new TCP/IP information at the next reboot.

29. Solaris Software Administration
• Installing and removing software on standalone systems and servers
• Software is delivered in packages: a collection of files/directories in a defined format, the Application Binary Interface (ABI), a supplement to the System V Interface Definition.
• The pkgadd and pkgrm commands add and remove packages.
• The pkginfo command lists the software installed on the system.
• admintool is the GUI interface.
• Adding a package: pkgadd uncompresses and copies files from the installation source to a local system disk. Log information is stored in /var/sadm.

30. Solaris Software Administration (cont'd)
• Package naming convention: Sun products begin with SUNW; third-party packages use their own prefix (e.g. hpnp).
• Most Sun software packages tell you where they are installed. Example: SUNWvolr is installed in / (the "r" stands for root); SUNWvolu is installed in /usr.
• The best way to determine where a package is installed is to look at the SUNW_PKGTYPE parameter set in the package's pkginfo file (pkgparam pkgid SUNW_PKGTYPE).
• Some Sun packages (compilers) install in /opt.
• Always use pkgrm to remove software.
• Set up a spool directory if you want to install from it: pkgadd -d device -s spooldir pkgid ...

31. Solaris 8 - Boot Process
• Boot PROM phase: runs the self-test diagnostics, then loads the bootblk program. bootblk loads the secondary boot program from the ufs filesystem on the default boot device.
• Boot programs phase: loads the ufsboot program, which loads the kernel.
• Kernel initialization phase: the kernel is initialized and loads the modules needed to mount /.
• init phase: the kernel starts the init process, and init starts the rc scripts.

32. Solaris 8 Boot Process (cont'd)
• Run levels determine the system state:
  • 0 - halt state
  • 1 - single user
  • 3 - all system services, with networking
  • 6 - reboot
• 3 types of boot:
  • Interactive - you tell it where to boot from and which kernel to use
  • Reconfiguration - after adding/deleting hardware
  • Recovery - hung or damaged system

33. Solaris 8 Boot Process (cont'd)
• System run levels (who -r), also called the init state, tell what services/resources are available to users:
  • 0 - shutdown state; safe to power off the system
  • 1 - single user; the terminal you issued the command from becomes the system console
  • 2 - multiuser; all services except the NFS server
  • 3 - multiuser; the normal run state, all services available
  • 4 - alternate multiuser; not used
  • 5 - power-down state; like 0 but powers the system off automatically
  • 6 - reboot; go to level 0, then to level 3 or whatever level is the initdefault in /etc/inittab
  • S, s - single user

34. Solaris 8 - /etc/inittab
• /etc/inittab contains a list of processes to start, monitor or restart whenever the system boots or changes run levels.
• Format: id:run-levels:action:process
  • id - unique identifier for the entry
  • run-levels - the run levels at which the process is run
  • action - keyword that defines how the process is to be run:
    • initdefault - the run level to enter at boot
    • sysinit - special initializations that must be run before logins
    • powerfail - run the process only during a powerfail cycle
    • wait - wait for the process to finish before starting the next one
    • respawn - restart it if it's not running; otherwise continue
  • process - the actual command to execute

35. Solaris 8 - Run Level 3
• What happens when moving to run level 3:
  • init is started. /etc/default/init contains its environment variables.
  • init reads /etc/inittab to find the initdefault entry.
  • init reads /etc/inittab and runs any entries with sysinit in the action field: initializations that must be done before users log in.
  • init reads /etc/inittab and runs any entries with 3 in the run-levels field.
• Commands that are run at run level 3:
  • /usr/sbin/shutdown - run only if init has received the powerfail signal
  • /sbin/rc2 - defines TZ, starts the standard system processes, moves to run level 2
  • /sbin/rc3 - starts NFS resource sharing
  • /usr/lib/saf/sac -t 30 - starts the port monitors (UUCP/dial-in network access)
  • /usr/lib/saf/ttymon - starts the ttymon process that monitors the console for login attempts. Restarted if it fails.

36. Solaris 8 - Run Level Scripts
• Each run level has a script in /sbin (rc0, rc1, rc2, rc3, rc5, rc6, rcS).
• For each /sbin/rcX script there is an /etc/rcX.d directory containing the scripts used in that run level. The /etc/init.d files are hard-linked into the corresponding /etc/rcX.d directories.
• Scripts are run in ASCII sort order. Names are of the form KXXname or SXXname, where XX is the numeric order in which the script is run; S denotes a startup script (run with the argument start) and K a kill script (run with stop). The K scripts of a level are run before its S scripts.
• Adding an rc script:
  • Add the script to /etc/init.d: cp FN /etc/init.d
  • Create links in the appropriate /etc/rcX.d directories: cd /etc/init.d; ln FN /etc/rc2.d/SxxFN; ln FN /etc/rcn.d/KxxFN
• Removing an rc script:
  • cd /etc/rcX.d; mv FN .FN (the rc scripts only run files whose names begin with S or K, so the renamed copy is skipped)
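The procedure on this slide, as an added worked example (not from the deck): an /etc/init.d script in the start/stop form the rc scripts call, a function that installs the S and K links the way the slide describes, and a function that shows the start order rc2 would use. The daemon it manages is a placeholder sleep loop standing in for a real service, the sequence numbers 85 and 15 are arbitrary, and RC_ROOT is a prefix added so the link layout can be rehearsed in a scratch directory instead of /etc.

```shell
#!/bin/sh
# Added example (not from the slides): /etc/init.d/mydaemon with the link
# installation from the slide. "mydaemon" is a placeholder service.

RC_ROOT=${RC_ROOT:-}                           # prefix for /etc (empty on a real host)
PIDFILE=${PIDFILE:-/var/run/mydaemon.pid}      # pid file; /var/run is root-only on Solaris 8

# The rc framework calls the script with "start" (from an S link) or "stop"
# (from a K link). Both are idempotent because rc scripts are rerun on every
# run-level change, not just at boot.
mydaemon_start() {
    if [ -f "$PIDFILE" ] && kill -0 "$(cat "$PIDFILE")" 2>/dev/null; then
        return 0                               # already running
    fi
    # Placeholder daemon: detach from the console's stdio so the rc script
    # does not hang on an inherited descriptor.
    sh -c 'while :; do sleep 5; done' >/dev/null 2>&1 </dev/null &
    echo $! > "$PIDFILE"
}

mydaemon_stop() {
    [ -f "$PIDFILE" ] || return 0
    pid=$(cat "$PIDFILE")
    kill "$pid" 2>/dev/null
    rm -f "$PIDFILE"
}

# Install $1 as /etc/init.d/$2 and hard-link it (as the slide does) into
# rc2.d as S$3$2 and into rc0.d, rc1.d and rcS.d as K$4$2, so the service
# is stopped whenever the system leaves multiuser. Hard links mean an edit
# to /etc/init.d/$2 is seen through every link; 744 root-only write keeps a
# non-root user from planting code that runs as root at the next boot.
install_rc_links() {   # $1=script $2=name $3=start-seq $4=kill-seq
    cp "$1" "$RC_ROOT/etc/init.d/$2" && chmod 744 "$RC_ROOT/etc/init.d/$2" || return 1
    ln -f "$RC_ROOT/etc/init.d/$2" "$RC_ROOT/etc/rc2.d/S$3$2" || return 1
    for d in rc0.d rc1.d rcS.d; do
        ln -f "$RC_ROOT/etc/init.d/$2" "$RC_ROOT/etc/$d/K$4$2" || return 1
    done
}

# The S links of an rcX.d directory in the order the rc script runs them:
# plain ASCII sort, so S05 runs before S99 and S9 would run after S85.
start_order() {   # $1=rcX.d directory
    for f in "$1"/S*; do [ -e "$f" ] && printf '%s\n' "${f##*/}"; done | sort
}

case "${1:-}" in
    start) mydaemon_start ;;
    stop)  mydaemon_stop ;;
    '')    ;;                                  # sourced or rehearsed: nothing to do
    *)     echo "Usage: $0 { start | stop }" >&2 ;;
esac
```

Two things the ASCII ordering implies for review: a script named S9foo sorts after S85mydaemon, which is a frequent source of "why does my service start last" questions, and anything an intruder drops into /etc/rc2.d with an S name runs as root at every boot, so the rcX.d directories belong in the file baseline from checklist V.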

37. Solaris 8 - RC Script Actions
• /sbin/rc0 - /etc/rc0.d:
  • stops system services and daemons
  • terminates all running processes
  • unmounts all filesystems
• /sbin/rc1 - /etc/rc1.d:
  • same as /sbin/rc0
  • brings the system up to single-user mode
• /sbin/rc2 - /etc/rc2.d:
  • mounts all local filesystems
  • enables disk quotas if a filesystem was mounted with the quota option
  • saves vi temp files in /usr/preserve
  • removes any files in /tmp
  • rebuilds the device entries for a reconfiguration boot
  • configures system accounting

38. Solaris 8 - RC Script Actions (cont'd)
• /sbin/rc2 (cont'd):
  • configures the default router
  • sets the NIS domain and the ifconfig netmask
  • reboots the system from install media or a boot server if either /.PREINSTALL or /AUTOINSTALL exists
  • starts inetd, rpcbind, named
  • starts the Kerberos client, kerbd
  • starts either NIS (ypbind) or NIS+ (rpc.nisd)
  • starts keyserv, statd, lockd, xntpd, utmpd
  • mounts all NFS entries
  • starts nscd (the name service cache daemon)
  • starts automount, cron, lp, sendmail, vold

39. Solaris 8 - RC Script Duties
• /sbin/rc3 - /etc/rc3.d:
  • cleans up sharetab
  • starts nfsd
  • starts mountd
  • if the system is a boot server, starts rarpd, rpc.bootparamd, rpld
  • starts snmpdx
• /sbin/rc5 - /etc/rc0.d:
  • kills the printer and syslog daemons
  • unmounts local and NFS filesystems
  • stops the NFS server and client processes
  • stops the NIS, RPC and cron services
  • kills all active processes and powers the system off (run level 5)

40. Solaris 8 - RC Script Actions (cont'd)
• /sbin/rc6 - /etc/rc0.d:
  • runs the /etc/rc0.d/K* scripts to stop system processes
  • kills all active processes
  • unmounts all filesystems
  • reboots to the initdefault run level in /etc/inittab
• /sbin/rcS - /etc/rcS.d:
  • sets up a minimal network
  • mounts /usr
  • sets the system name
  • mounts /proc and /dev/fd
  • rebuilds the device entries for a reconfiguration boot
  • mounts the filesystems needed for single-user mode

41. Solaris 8 Boot Process - Reconfiguration Boot
• Adding new devices (tape drives, disk drives, etc.):
  • su
  • Add the device driver: load the driver CD/tape, then pkgadd -d devicename package-name
  • touch /reconfigure (if you don't do this, use the boot -r console command instead)
  • Shut down the system: shutdown -i0 -gX -y
  • Determine the SCSI addresses of the connected devices: ok probe-scsi-all
  • Make sure you have an available SCSI address
  • Install the new device with the proper SCSI address set

42. Solaris 8 - Reconfiguration Boot (cont'd)
• Adding a peripheral:
  • Power up all peripherals; power up the CPU unit last.
  • From the ok prompt, enter: probe-scsi-all
  • If OK, enter: boot -r, or boot (if you created /reconfigure)
• Adding a disk drive:
  • System disk - contains / and /usr
  • If it is damaged, there are two ways to recover: reinstall the entire OS from CD, or replace the system disk and restore from backups.

43. Solaris Boot Process - Using the Boot PROM
• Using the boot PROM:
  • Use the STOP-A keys to get the boot prompt.
  • There are 2 types of prompt (ok and >). Use the n command at the > prompt to get the ok prompt.
  • To find the PROM release level: banner
  • Anyone at the console can press STOP-A, so protect the PROM: setenv security-mode command (or full) and set a security-password, so that boot arguments and PROM commands require the PROM password.
• Changing the default boot device:
  • probe-scsi-all prints all SCSI device numbers
  • setenv boot-device disk[n]
  • printenv boot-device to verify the change (setenv writes the variable to NVRAM immediately)
  • reset to restart with the new setting

44. Solaris 8 Boot Process (cont'd)
• Run level 3 (normal) boot: boot
• Single-user boot: boot -s. You must enter the root password to complete the boot.
• Interactive boot: boot -a. You need to know the kernel filename, the kernel directory, the kernel configuration file (/etc/system) and the root filesystem device name.

45. Solaris 8 Boot Process (cont'd)
• Recovery boot: use it when a critical file (e.g. /etc/passwd) is damaged. You need the Solaris install CD.
  • Boot single-user from the CD: from the ok prompt, boot cdrom -s
  • Mount the problem disk: mount <dev> /a
  • cd /a/<problem dir>
  • Set the terminal type: export TERM=sun
  • Remove the invalid entry
  • cd /; umount /a; init 6
• The same steps give anyone with console access and a CD full control of your root filesystem, which is why the PROM password and physical access controls matter.

46. Solaris 8 - Shutdown
• Shutdown commands: /usr/sbin/shutdown, init (0 1 2 3 6 S s), reboot, halt
• Rebooting the system: /usr/sbin/shutdown -i6 -gX -y
• Shutting down the system: init 0, or /usr/sbin/shutdown -i0 -gX -y

47. Solaris 8 Disks I
• The format utility is the main tool for maintaining and partitioning disks:
  • searches for all attached disk drives
  • analyzes, repairs, formats, partitions and labels disks
• When to use it: to display partition information, to partition a disk, or when adding a drive to the system
• The prtvtoc command reads the disk label, which contains the partition information.

48. Solaris 8 Disks II
• One filesystem per partition unless you use the DiskSuite facility. Solaris calls disk partitions "slices".
• Name format: cXtYdZsW - controller X, SCSI target Y, disk (LUN) Z (usually 0), slice W. Example: c0t3d0s0.
• Solaris numbers partitions rather than lettering them: 0-7 correspond to a-h.
• Default partitions:
  • 0 - root: kernel, OS files/directories
  • 1 - swap: Solaris swap space
  • 2 - backup: overlaps the whole disk; not used for a filesystem
  • 3 - /export: used for server systems

49. Solaris 8 Disks III
• Default disk partitions (cont'd):
  • 4 - /export/swap: used for diskless clients
  • 5 - /opt: Solaris unbundled software
  • 6 - /usr: system executables
  • 7 - /home: user home directories
• Multiple-disk configuration:
  • split the system disk from the user/data disk
  • makes recovery simpler
  • can add multiple swap areas to improve performance

50. Solaris 8 Disks IV
• Partition fields (as shown by format and prtvtoc):
  • number - partition/slice number
  • tag - usually the filesystem name (root, swap, usr, home, backup)
  • flags: wm - writable and mountable; wu - writable and unmountable (used for swap); rm - read-only, mountable
  • cylinders - start/end cylinder numbers
  • size - partition size in MB
  • blocks - total number of cylinders and blocks in the slice