SOLARIS 8 BUILD DOCUMENT TABLE OF CONTENTS

SYSTEM CONFIGURATIONS
  Purpose
  Installed Solaris 8
  Installed a Patch Cluster
  Enabled DNS
  Configured the Default Gateway
  Added FQDN to /etc/hosts
  Added Additional IP Addresses
  Forced NIC to 100 Mbps Full Duplex
  Installed Root Startup Files
  Created the man Database
  Created E-mail Aliases
  Forwarded Mail to the Mail Server
  Created Root's .forward File
  Created Home Directories
  Created Administration Directories
  Created a List of Valid Shells in /etc/shells
  Ensured the System Does Not Act as a Router
  Enabled Performance Logging
  Disabled Auto Boot
  Configured Unique MAC Addresses
SECURITY CONFIGURATIONS
  Installed SSH
  Restricted Root Access to the Console or su
  Restricted Access to the su Command
    Created the Wheel Group
    Added Administrators to the System
    Changed Ownership of the su Command
  Set the Password Policy
  Configured Disconnect After 3 Login Failures
  Disabled the rlogin Command
  Locked Down Remote Access Files
  Removed or Disabled Unnecessary Accounts
  Assigned Disabled Accounts an Invalid Shell
  Restricted FTP Usage
  Secured the IP Module
  Randomized the Initial Sequence Number of All TCP Connections
  Disabled Unnecessary Services in /etc/inetd.conf
  Disabled Start Scripts
    Disabled Volume Management
    Disabled Dtlogin
    Disabled Printing
    Disabled RPC
    Disabled the NFS Client
    Disabled the NFS Server
    Disabled UUCP
    Disabled the LDAP Client
    Disabled the Auto Mounter
    Disabled the Network Time Daemon
    Disabled the Logical Link Control Driver
    Disabled Auto Install
    Disabled Cachefs Daemon
    Disabled Asynchronous PPP Daemon
    Disabled cacheos.finish Script
    Disabled Preservation of Files Killed by Vi
    Disabled Power Management
    Disabled Flash Prom Update
    Disabled Buttons n Dials-Setup
    Disabled Spc
    Disabled Sun Management Center
    Disabled Network Cache and Accelerator
    Disabled Mobile IP Agent
    Disabled SNMP
    Disabled Apache
    Disabled DMI
  Disabled the Sendmail Daemon
  Disabled Multicasting
  Disabled the Serial Port Listeners
  Added Warning Banners
  Defined PATH, SUPATH and UMASK in /etc/default/login
  Disabled World Access in Default Umask
  Ensured No Alternate UID 0 Accounts Exist
  Ensured All Accounts Have Passwords
  Restricted Access to the "at" and "crontab" Commands
  Replicated Syslog to the Monitoring Console
  Forwarded Root Access Attempts to the System Console
  Enabled Logging of the su Command
  Enabled auth Logging
  Enabled Logging of Unsuccessful Login Attempts
  Enabled Logging of Successful Logins
  Enabled Logging of CDE Login Attempts
  Log Incoming Connections for TCP Services
  Enabled Auditing
    Enabled BSM
    Configured the Classes of Events to Log
    Audit All Actions Taken by Root
    Installed a Log Rotation Script
    Run the Script Nightly from Cron
INSTALLED MONITORING SCRIPTS
  Root Login Notification Script (rtlgn.sh)
  System Boot Notification Script (S99notify)
  Installed Log Sentry
  File System Monitoring Script (mon_fs.sh)
  Process Monitoring Script (mon_procs.sh)
  Server Monitoring Script (mon_srv.sh)
  User Disk Space Monitoring Script (maildu.sh)
  Performance Monitoring Script (mon_prf.sh)
  Veritas Cluster Failure Notification Script (resfault)
INSTALLED REPORTING / LOGGING SCRIPTS
  System Status Script (status.sh)
  Hardware Audit Script (hrdwspecs.sh)
  Performance Logging Script (perf_log.sh)
  Log Centralization Script (web_pull.sh)
  Volume Manager Configuration Script (vmconfig.sh)
  Install Security Audit Script (sec_audit.sh)
  Added the Monitoring/Logging Scripts to Crontab
  Created Application Start Scripts
REBOOTED THE SYSTEM
BACKED UP THE SYSTEM
ADDITIONAL CONSIDERATIONS
  Solaris Hardening Tools
  Fix Modes
  TCP Wrappers
  Tripwire
  chkrootkit
  Solaris Role-Based Access Control (RBAC)
  Solaris IP Multipathing
  Remote System Control Cards
  Solaris Fingerprint Database
  The Coroner's Toolkit
  Harden Applications
  Patching
  Monitoring
  System Operations Guide
REFERENCES

SOLARIS 8 BUILD DOCUMENT
AUTHORED BY:

Gideon Rasmussen, CISSP
Information Security Manager
Infostruct L.L.C.
Celebration, FL gideon@infostruct.net

DISCLAIMER:

All information and files are provided to you free of charge, "as is" and without warranty of any kind. Do not use any of the
configurations, programs, or suggestions from this document without thoroughly testing them first on a non-production
server. In no event will Gideon Rasmussen be liable for your inability to access information or for any damage you suffer,
including, but not limited to, destruction of data or damage to your equipment, whether such damage is direct, incidental
or consequential, and whether caused by mistake, omission, interruption, deletion of files or messages, errors, defects,
delays in operation or transmission, failure of equipment or performance, negligence or otherwise. You agree to indemnify
and hold me harmless against any and all claims or liabilities arising out of use of any information provided from this
document by you or by anyone directly or indirectly obtaining such information through you. Not one of the documents
configurations or suggestions is guaranteed to be suitable for a particular purpose.

SYSTEM CONFIGURATIONS

Purpose

This document details the configuration, hardening, monitoring and vulnerability assessment of the Solaris operating
system. It can also be used as a configuration standard, providing a baseline to audit against. It is important to understand
the configurations at a granular level to troubleshoot outages. Installs and hardening can be automated with Jumpstart
and the Solaris Security Toolkit (respectively).
Installed Solaris 8

Installed Solaris 8 using the following file systems:

File System     Size        Partition
/ (root)        4 GB        c0t0d0s0
swap            See below   c0t0d0s1
/usr            4 GB        c0t0d0s3
/var            4 GB        c0t0d0s4
/opt            7 GB        c0t0d0s5
/export/home    5 GB        c0t0d0s6
/app            12 GB       c0t0d0s7

Swap should be equal to twice the size of the memory installed on the server. To determine the amount of system
memory, use /usr/platform/sun4u/sbin/prtdiag -v.
Volume Manager configurations are outside of the scope of this document.

Installed a Patch Cluster

Installed the latest recommended and security patch cluster from http://sunsolve.sun.com . Searched for hardware specific patches as well.

# cd /tmp
# unzip 8_Recommended.zip
# cd 8_Recommended
# ./install_cluster
# /usr/sbin/shutdown -i6 -g0 -y

Enabled DNS

# vi /etc/nsswitch.conf
hosts: files dns

# vi /etc/resolv.conf
domain domain.com
nameserver 192.168.1.105
nameserver 192.168.1.106
search domain.com

Configured the Default Gateway

Configured on-line:
# route add net default 192.168.1.1 1
The trailing "1" is the route metric (hop count). A non-zero metric tells route that the destination is reached through a
gateway rather than on a directly attached network, so it must not be 0 here.
Configured for reboot:
# vi /etc/defaultrouter
192.168.1.1

Added FQDN to /etc/hosts

# vi /etc/hosts

192.168.1.101 sunsrv01.domain.com sunsrv01 loghost

Added the fully qualified domain name to /etc/hosts to prevent sendmail errors ("My unqualified host name (hostname)
unknown; sleeping for retry").

Added Additional IP Addresses

# vi /etc/hosts
192.168.1.15 projqa
192.168.1.16 projdev

# vi /etc/hostname.eri0:1
projqa
# vi /etc/hostname.eri0:2
projdev
# ifconfig eri0:1 plumb
# ifconfig eri0:1 inet 192.168.1.15 broadcast 192.168.1.255 netmask 255.255.255.0 -trailers
# ifconfig eri0:1 up
# ifconfig eri0:2 plumb
# ifconfig eri0:2 inet 192.168.1.16 broadcast 192.168.1.255 netmask 255.255.255.0 -trailers

# ifconfig eri0:2 up
# ifconfig -a
lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> mtu 8232 index 1
inet 127.0.0.1 netmask ff000000
eri0: flags=1000863<UP,BROADCAST,NOTRAILERS,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
inet 192.168.1.14 netmask ffffff00 broadcast 192.168.1.255
ether 0:3:ba:b:3:f5
eri0:1: flags=1000863<UP,BROADCAST,NOTRAILERS,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
inet 192.168.1.15 netmask ffffff00 broadcast 192.168.1.255
eri0:2: flags=1000863<UP,BROADCAST,NOTRAILERS,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
inet 192.168.1.16 netmask ffffff00 broadcast 192.168.1.255

Forced NIC to 100 Mbps Full Duplex

To prevent issues with auto negotiation, forced both the network switch and the systems NIC cards to 100 Mbps, full
duplex.

Determined which interfaces are available:
# ifconfig -a
Configured on-line (use only the interfaces found on the system):

hme:
# ndd -set /dev/hme instance 0
# ndd -set /dev/hme adv_100fdx_cap 1
# ndd -set /dev/hme adv_autoneg_cap 0

qfe:
# ndd -set /dev/qfe instance 0
# ndd -set /dev/qfe adv_100fdx_cap 1
# ndd -set /dev/qfe adv_autoneg_cap 0

eri:
# ndd -set /dev/eri instance 0
# ndd -set /dev/eri adv_100fdx_cap 1
# ndd -set /dev/eri adv_autoneg_cap 0

ce:
# ndd -set /dev/ce instance 0
# ndd -set /dev/ce link_master 0
# ndd -set /dev/ce adv_1000fdx_cap 0
# ndd -set /dev/ce adv_1000hdx_cap 0
# ndd -set /dev/ce adv_100fdx_cap 1
# ndd -set /dev/ce adv_100hdx_cap 0
# ndd -set /dev/ce adv_10fdx_cap 0
# ndd -set /dev/ce adv_10hdx_cap 0
# ndd -set /dev/ce adv_autoneg_cap 0

Configured for reboot (use only the interfaces found on the system):

hme, qfe & eri:
# vi /etc/system (ensure there are no blank lines)
* Force hme into 100 Mbps full duplex mode
set hme:hme_adv_100fdx_cap=1
* Don't negotiate operation mode with the network hub
set hme:hme_adv_autoneg_cap=0
* Force qfe into 100 Mbps full duplex mode
set qfe:qfe_adv_100fdx_cap=1
* Don't negotiate operation mode with the network hub
set qfe:qfe_adv_autoneg_cap=0
* Force eri into 100 Mbps full duplex mode
set eri:adv_100fdx_cap=1
* Don't negotiate operation mode with the network hub
set eri:adv_autoneg_cap=0
A typo in /etc/system can leave the system unable to boot. If that happens, boot -a from the OK prompt and give /dev/null
as the system file to bypass it, then correct the entry.

ce:
# vi /etc/rc2.d/S99net-tune
#!/sbin/sh
# Set NIC to 100 Mbps full duplex
ndd -set /dev/ce instance 0
ndd -set /dev/ce link_master 0
ndd -set /dev/ce adv_1000fdx_cap 0
ndd -set /dev/ce adv_1000hdx_cap 0
ndd -set /dev/ce adv_100fdx_cap 1
ndd -set /dev/ce adv_100hdx_cap 0
ndd -set /dev/ce adv_10fdx_cap 0
ndd -set /dev/ce adv_10hdx_cap 0
ndd -set /dev/ce adv_autoneg_cap 0
exit 0

# chmod 700 /etc/rc2.d/S99net-tune

Confirmed settings:

hme, qfe and eri:
# ifconfig -a
ce:
# netstat -k ce0 | grep link_speed
link_speed 100 link_duplex 2 link_asmpause 0 link_pause 0
link_speed - speed in Mbps
link_duplex - 1 half duplex, 2 full duplex, 0 down
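The two confirmation steps above are easy to eyeball on one host and easy to get wrong across a dozen. The following sh functions, added here as an example and not part of the original build document, check saved "ifconfig -a" and "netstat -k ce0 | grep link_speed" output: every expected address must sit on an interface whose flags include UP, and the ce link must report 100 Mbps full duplex. The embedded sample outputs are constructed in the format shown above; the eri0:2 entry is deliberately left without the UP flag so the failure case is visible.

```shell
#!/bin/sh
# Added example, not from the original document: verify logical interfaces
# and the forced link speed/duplex from captured command output.
# The samples below are constructed; eri0:2 deliberately lacks the UP flag.

SAMPLE_IFCONFIG='lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
eri0: flags=1000863<UP,BROADCAST,NOTRAILERS,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.168.1.14 netmask ffffff00 broadcast 192.168.1.255
        ether 0:3:ba:b:3:f5
eri0:1: flags=1000863<UP,BROADCAST,NOTRAILERS,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.168.1.15 netmask ffffff00 broadcast 192.168.1.255
eri0:2: flags=1000862<BROADCAST,NOTRAILERS,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 192.168.1.16 netmask ffffff00 broadcast 192.168.1.255'

SAMPLE_NETSTAT='link_speed 100 link_duplex 2 link_asmpause 0 link_pause 0'

# ifaces_missing "<ifconfig -a text>" ip ...
# Prints every expected address that is not assigned to an interface whose
# flags include UP; returns 1 if any were printed, 0 otherwise.
ifaces_missing() {
    text=$1
    shift
    rc=0
    for ip in "$@"; do
        found=$(printf '%s\n' "$text" | awk -v want="$ip" '
            # header lines carry "flags=<...>"; remember whether UP is among them
            $2 ~ /^flags=/ { up = ($0 ~ /[<,]UP[,>]/) ? 1 : 0 }
            $1 == "inet" && $2 == want && up { print $2 }')
        if [ -z "$found" ]; then
            echo "$ip"
            rc=1
        fi
    done
    return $rc
}

# link_ok "<netstat -k line>"
# Returns 0 only for link_speed 100 and link_duplex 2 (full duplex), the
# state the ndd settings above are meant to produce.
link_ok() {
    printf '%s\n' "$1" | awk '
        { for (i = 1; i < NF; i += 2) kv[$i] = $(i + 1) }
        END { exit !(kv["link_speed"] == 100 && kv["link_duplex"] == 2) }'
}

# Stand-alone demonstration against the constructed samples. On a real host,
# substitute the live command output for the two variables.
if [ "${1:-}" = "--demo" ]; then
    if ifaces_missing "$SAMPLE_IFCONFIG" 192.168.1.14 192.168.1.15 192.168.1.16; then
        echo "all addresses up"
    else
        echo "address(es) above are not on an UP interface"
    fi
    if link_ok "$SAMPLE_NETSTAT"; then
        echo "link 100/full"
    else
        echo "link is not 100 Mbps full duplex"
    fi
fi
```

Run it with --demo to see 192.168.1.16 reported as missing, because its interface is plumbed but not UP. On hme, qfe and eri there is no netstat -k link_speed counter, so only the address check applies there.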
Installed Root Startup Files

# vi /etc/profile

if [ "$LOGNAME" = "root" ]; then
PATH=/usr/sbin:/usr/bin:/usr/local/bin:/usr/ucb
HISTFILE=/.sh_history
HISTSIZE=200
MANPATH=/usr/share/man:/usr/local/man:/opt/VRTSvmsa/man:/opt/VRTSvxvm/man
EDITOR=vi
PS1="ROOT@`/usr/ucb/hostname`# "
ENV=/.kshrc
umask 077
export PATH HISTFILE HISTSIZE MANPATH EDITOR PS1 ENV
fi
TERM=vt100
export TERM
logger -p local0.info "User $LOGNAME has logged in"
trap 2 3

# touch /.profile
# chmod 700 /.profile

# vi /.kshrc
#
# This file is read upon execution of the korn shell
# /.profile is read before this
#
HNAME=`uname -n`
PS1="$HNAME "'$PWD'" > "; export PS1

set -o vi
set -o noclobber
alias rm='rm -i'
stty erase ^h

# chmod 700 /.kshrc

Created the man Database

# catman -w

After this change, man -k will allow users to search for commands using keywords.

Created E-mail Aliases

# vi /etc/aliases
# status sends to Administrator e-mail accounts
status:jsmith@domain.com,bsmith@domain.com
# monitor sends to Administrator e-mail accounts and cell phones
monitor: jsmith@domain.com,bsmith@domain.com,6085551212@pagenet.net
# operations sends to the 24 hour operations staff
operations:operator@domain.com
# newaliases
/etc/mail/aliases: 6 aliases, longest 32 bytes, 170 bytes total

NOTE: By default, the scripts included within this document send notification to the status and monitor e-mail aliases.

Forwarded Mail to the Mail Server
# vi /etc/mail/sendmail.cf
#DSmailhost.$m
DShostname.domain.com

Used the fully qualified name of the mail server in place of hostname.domain.com.
Created Root's .forward File

# vi /.forward
status

All mail is forwarded to the e-mail account specified in a .forward file. No mail remains on the server. If mail is relayed to
LAN e-mail accounts, administrators and users will notice it earlier than if it remains on the server. Multiple accounts can
be separated by commas.

Created Home Directories

# ls -ld /export
drwxrwxr-x 3 root sys 512 Aug 3 13:38 /export/
# chmod 755 /export
# cd /export
# mkdir home
# ls -ld /export/home
drwxr-x--- 4 root other 512 Aug 3 13:39 /export/home/

The rationale behind this configuration is to allow sendmail to use users' .forward files to send mail to their LAN e-mail
accounts. The following section is from the sendmail man page:

Additional restrictions have been put in place on .forward and :include: files. These files and the directory structure
that they are placed in cannot be group or world-writable directories.

Note that /export/home as listed above is mode 750 with group other, so only users whose primary group is other can reach
their home directories; the administrators created below with -g wheel could not. Mode 755 satisfies the sendmail
restriction equally well, since it only requires that the directories not be group- or world-writable.

Created Administration Directories

# mkdir -p /var/adm/log/backup
# mkdir -p /var/adm/log/mon_perf
# mkdir -p /var/adm/log/perf_log
# mkdir -p /opt/admin/downloads
# mkdir -p /opt/admin/scripts/funcs

Created a List of Valid Shells in /etc/shells
# vi /etc/shells
/bin/sh
/bin/ksh
/bin/csh
/bin/bash

# chown root:other /etc/shells
# chmod 644 /etc/shells
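Two of the settings made so far fail silently when they are wrong: sendmail quietly ignores a .forward file that sits under a group- or world-writable directory (the restriction quoted under Created Home Directories), and in.ftpd refuses a login whose shell is missing from the /etc/shells list just created. The script below is an added example written for this edit, not part of the original build document; it checks both conditions. File paths are parameters so it can be run against copies of /etc/passwd and /etc/shells, the sample files in the test are constructed, and treating an empty shell field as /bin/sh is an assumption.

```shell
#!/bin/sh
# Added example, not from the original document. Two post-build checks:
#   forward_path_ok <home dir> [top dir]   sendmail .forward safety
#   shells_not_listed <passwd> <shells>    shells missing from /etc/shells

# writable_by_others <path>: returns 0 if the group or other write bit is
# set. Parses "ls -ld" so it needs no non-POSIX stat(1).
writable_by_others() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case $mode in
        ?????w????|????????w?) return 0 ;;
    esac
    return 1
}

# forward_path_ok <home dir> [top dir]: walks from the home directory up to
# <top dir> (default /) and prints every directory, and the .forward file
# itself, that sendmail would reject as group- or world-writable.
# Returns 1 if anything was printed, 0 if the whole chain is safe.
forward_path_ok() {
    dir=$1
    top=${2:-/}
    rc=0
    if [ -f "$dir/.forward" ] && writable_by_others "$dir/.forward"; then
        echo "$dir/.forward $(ls -l "$dir/.forward" | cut -c1-10)"
        rc=1
    fi
    while :; do
        if writable_by_others "$dir"; then
            echo "$dir $(ls -ld "$dir" | cut -c1-10)"
            rc=1
        fi
        if [ "$dir" = "$top" ] || [ "$dir" = / ]; then
            break
        fi
        dir=$(dirname "$dir")
    done
    return $rc
}

# shells_not_listed <passwd file> <shells file>: prints "login shell" for
# every account whose shell is absent from the shells file. An empty shell
# field is taken as /bin/sh (assumption). Returns 1 if any were printed.
# Disabled accounts are expected to show up here: their shell should not be
# in /etc/shells, precisely so that they cannot use FTP.
shells_not_listed() {
    awk -F: -v shells="$2" '
        FILENAME == shells { if ($0 !~ /^#/ && $0 != "") ok[$0] = 1; next }
        NF < 7 { next }
        { sh = ($7 == "") ? "/bin/sh" : $7
          if (!(sh in ok)) { print $1, sh; bad = 1 } }
        END { exit bad ? 1 : 0 }' "$2" "$1"
}

# Stand-alone run on a host built to this document:
if [ "${1:-}" = "--check" ]; then
    rc=0
    for h in /export/home/*; do
        [ -d "$h" ] && { forward_path_ok "$h" || rc=1; }
    done
    shells_not_listed /etc/passwd /etc/shells || rc=1
    exit $rc
fi
```

Run with --check after adding accounts; a home directory reported by forward_path_ok means notification mail for that user will stay on the server, and a login shell reported by shells_not_listed means that user cannot FTP.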
If a user's shell is not listed here, in.ftpd rejects the login, because it checks the account's login shell against
/etc/shells. Ensure that every legitimate login shell is represented in this file.

Ensured the System Does Not Act as a Router

# touch /etc/notrouter
# chown root:sys /etc/notrouter
# chmod 444 /etc/notrouter

Enabled Performance Logging

# su sys
# EDITOR=vi; export EDITOR
# crontab -e

# The sys crontab should be used to do performance collection. See cron
# and performance manual pages for details on startup.
#
0 * * * 0-6 /usr/lib/sa/sa1
20,40 6-22 * * 1-5 /usr/lib/sa/sa1
5 18 * * 1-5 /usr/lib/sa/sa2 -s 8:00 -e 18:01 -i 1200 -A

Disabled Auto Boot

# eeprom auto-boot\?=false

When the server boots from a powered off state, it will stop at the OK prompt.

Configured Unique MAC Addresses

By default, Sun systems use the single system-wide MAC address from the IDPROM for every NIC rather than each card's own
factory address. This configuration has the potential to cause problems (e.g. collisions and low performance) when more
than one interface is attached to the same network. To avoid this risk, accomplish the following:
# eeprom local-mac-address\?=true

SECURITY CONFIGURATIONS

Installed SSH

Telnet and FTP pass user ids and passwords in the clear. This sensitive information can be picked up by a sniffer. SSH
encrypts traffic, effectively replacing telnet and FTP. I still recommend hardening telnet and FTP as defense in depth
measures.

Commercial SSH: http://www.ssh.com
SSH Freeware: http://www.openssh.org

Restricted Root Access to the Console or su
Telnet:
# vi /etc/default/login

CONSOLE=/dev/console

Ensured that the CONSOLE entry is not commented out. To enhance accountability of administrative access, direct logon
to the root account should be denied. This configuration forces users to log in to their own account and use the su command
to access root. Root can still be accessed directly at the system console.

SSH:
# vi /etc/sshd_config
PermitRootLogin no

# ps -ef | grep sshd
# kill -HUP <sshd PID>

The CONSOLE setting is enforced by /usr/bin/login, which sshd does not invoke, so it has no effect on SSH sessions; that is
why PermitRootLogin must be set separately. The location of sshd_config depends on how SSH was installed (OpenSSH built
from source defaults to /usr/local/etc); edit the file the running daemon actually reads.

Restricted Access to the su Command

After these configurations, root access requires four elements: a user id, its password, membership of that account in the
group wheel, and the root password.
Created the Wheel Group
# groupadd wheel
Added Administrators to the System
# useradd -c "John Smith" -d /export/home/jsmith -m -u 1001 -g wheel -s /bin/ksh jsmith
NOTE: "-g" determines the default group from /etc/group (use GID or group name)
-u" must be a unique UID from /etc/passwd
# passwd jsmith (set the user's password)
# passwd -f jsmith (forced the user to change the password)
# vi /export/home/jsmith/.forward (forwards user's e-mail)
jsmith@domain.com

# chown jsmith:wheel /export/home/jsmith/.forward
Changed Ownership of the su Command
# cd /usr/bin
# ls -al su
-r-sr-xr-x 1 root sys 17976 Oct 6 1998 su
# /usr/bin/chgrp wheel su
# /usr/bin/chmod 4750 su
# ls -al su
-rwsr-x--- 1 root wheel 17976 Oct 6 1998 su
# cd /sbin
# ls -al su.static
-r-xr-xr-x 1 root sys 473808 Sep 1 1998 su.static
# /usr/bin/chgrp wheel su.static
# /usr/bin/chmod 4750 su.static
# ls -al su.static
-rwsr-x--- 1 root wheel 473808 Sep 1 1998 su.static
* From Lance Spitzner's Armoring Solaris

Set the Password Policy
# vi /etc/default/passwd
Before:
MAXWEEKS=
MINWEEKS=
PASSLENGTH=6
After:
MAXWEEKS=8
MINWEEKS=1
PASSLENGTH=8
WARNWEEKS=1
Root and user passwords are set to expire at the 3 month mark. If the root password expires, it must be reset from the
system console. To avoid lockout, reset the root passwords at the 2 month mark.

Definitions:

MAXWEEKS - Maximum time period that a password is valid.

MINWEEKS - Minimum time period before a password can be changed.

PASSLENGTH - Minimum length of a password, in characters.

WARNWEEKS - How long before a password expires that the user is warned of the upcoming expiration.
Configured Disconnect After 3 Login Failures
# vi /etc/default/login

# Disconnect users after three login failures
RETRIES=3
NOTE: By default, Solaris terminates a connection after 5 consecutive login failures. RETRIES is set to 3 here, the usual industry standard ("three strikes and you're out").
# The SYSLOG_FAILED_LOGINS variable is used to determine how many failed
# login attempts will be allowed by the system before a failed login
# message is logged, using the syslog(3) LOG_NOTICE facility. For example,
# if the variable is set to 0, login will log -all- failed login attempts.
#
SYSLOG_FAILED_LOGINS=3
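
An added compliance check for the /etc/default/passwd and /etc/default/login values set above (it also covers the PATH, SUPATH and UMASK values that /etc/default/login receives later in this document); this is example code written for this page, not part of the build document. The file paths are arguments, and the sample copies it uses when run without arguments are constructed inline.

```shell
#!/bin/ksh
# Added example, not part of the build document: verify that /etc/default/passwd
# and /etc/default/login carry the values set in this document. Solaris reads
# these files as KEY=value lines, with # starting a comment.
# Usage: check_defaults.sh /etc/default/passwd /etc/default/login
# With no arguments it runs against constructed sample copies instead.

# get_default_value FILE KEY: print the value of the last uncommented KEY=
# line; prints nothing when KEY is unset or commented out.
get_default_value() {
    sed -n "s/^[[:space:]]*$2=[[:space:]]*\(.*\)$/\1/p" "$1" | tail -1
}

# check_setting FILE KEY EXPECTED: report the result; return 1 on mismatch.
check_setting() {
    actual=$(get_default_value "$1" "$2")
    if [ "$actual" = "$3" ]; then
        echo "OK   $(basename "$1"): $2=$actual"
        return 0
    fi
    echo "FAIL $(basename "$1"): $2=${actual:-<unset>} (expected $3)"
    return 1
}

# audit_defaults PASSWD_FILE LOGIN_FILE: every setting from the document;
# the return value is the number of settings that do not match.
audit_defaults() {
    pw=$1; lg=$2; fails=0
    check_setting "$pw" MAXWEEKS 8                 || fails=$((fails + 1))
    check_setting "$pw" MINWEEKS 1                 || fails=$((fails + 1))
    check_setting "$pw" PASSLENGTH 8               || fails=$((fails + 1))
    check_setting "$pw" WARNWEEKS 1                || fails=$((fails + 1))
    check_setting "$lg" CONSOLE /dev/console       || fails=$((fails + 1))
    check_setting "$lg" RETRIES 3                  || fails=$((fails + 1))
    check_setting "$lg" SYSLOG_FAILED_LOGINS 3     || fails=$((fails + 1))
    check_setting "$lg" PATH /usr/sbin:/usr/bin    || fails=$((fails + 1))
    check_setting "$lg" SUPATH /usr/sbin:/usr/bin  || fails=$((fails + 1))
    check_setting "$lg" UMASK 027                  || fails=$((fails + 1))
    return $fails
}

# write_samples DIR: constructed copies. "before" carries the values the
# document shows as the starting point (CONSOLE and RETRIES commented out),
# "after" the hardened values.
write_samples() {
    printf '#ident passwd defaults\nMAXWEEKS=\nMINWEEKS=\nPASSLENGTH=6\n' > "$1/passwd.before"
    printf 'MAXWEEKS=8\nMINWEEKS=1\nPASSLENGTH=8\nWARNWEEKS=1\n' > "$1/passwd.after"
    printf '#CONSOLE=/dev/console\nUMASK=022\n#RETRIES=5\n' > "$1/login.before"
    printf 'CONSOLE=/dev/console\nPATH=/usr/sbin:/usr/bin\nSUPATH=/usr/sbin:/usr/bin\n' > "$1/login.after"
    printf 'UMASK=027\nRETRIES=3\nSYSLOG_FAILED_LOGINS=3\n' >> "$1/login.after"
}

if [ $# -eq 2 ]; then
    audit_defaults "$1" "$2"
else
    demo=$(mktemp -d) || exit 1
    write_samples "$demo"
    n=0; audit_defaults "$demo/passwd.before" "$demo/login.before" || n=$?
    echo "starting files: $n setting(s) out of policy"
    n=0; audit_defaults "$demo/passwd.after" "$demo/login.after" || n=$?
    echo "hardened files: $n setting(s) out of policy"
    rm -rf "$demo"
fi
```
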
Disabled the rlogin Command
Commented out the following lines in /etc/pam.conf:
#rlogin auth sufficient /usr/lib/security/pam_rhosts_auth.so.1
#rlogin auth required /usr/lib/security/pam_unix.so.1
#rsh auth required /usr/lib/security/pam_rhosts_auth.so.1
This configuration forces users to use their passwords with the rlogin command.

Locked Down Remote Access Files
# /usr/bin/touch /.rhosts /.netrc /etc/hosts.equiv
# /usr/bin/chmod 0 /.rhosts /.netrc /etc/hosts.equiv
* From Lance Spitzner's Armoring Solaris

These files provide trusted users remote access without the use of passwords. An alternative would be to ensure that
they do not exist and use monitoring software to notify if they are created.
Removed or Disabled Unnecessary Accounts
# passwd -l adm
# passwd -l bin
# passwd -l daemon
# passwd -l listen
# passwd -l lp
# passwd -l nobody
# passwd -l noaccess
# passwd -l nuucp
# passwd -l sys
# passwd -l uucp
The nobody4 account is no longer needed.
# userdel nobody4

Assigned Disabled Accounts an Invalid Shell
# vi /sbin/noshell
#!/bin/sh
#
# Solaris 2.X Disabled Account Access Script
# Purpose: Sends notification when someone attempts
# to access an account that has been disabled.
# Usage: Save as /sbin/noshell. Use as the shell in
# /etc/passwd for accounts that have been disabled.
# Dependencies: None
# Outputs: e-mail and syslog
# Author: Unknown (perhaps originating from Titan scripts)
# Modifications: Added notification via e-mail gtr
#****************************************************************
#:
trap "" 1 2 3 4 5 6 7 8 9 10 12 15 19

HOSTNAME=`uname -n`
USER=`id | awk '{print \$1}'`
# Timestamp quoted in the notification body below
DATE=`date`
logger -i -p auth.err "Attempted access by $USER on host $HOSTNAME"

# The next variable can be set for multiple addresses
# (i.e. jsmith@yahoo.com,jsmith@hotmail.com)
MAILADD=monitor

mail $MAILADD <<EOF
From: $0
To: $MAILADD
Subject: Unauthorized Access Attempt on $HOSTNAME
Someone has attempted to access a disabled account ($USER)
on $HOSTNAME. Please investigate immediately.

$DATE

EOF

echo "Sorry"
wait
exit 0

# chmod 755 /sbin/noshell
# vi /etc/passwd
daemon:x:1:1::/:/usr/sbin/noshell
Assign /sbin/noshell as the login shell for accounts that should never be allowed to log in (i.e. daemon, bin, sys, adm, lp, smtp, uucp, nuucp, listen, nobody, and noaccess).

As an alternative, the noshell binary can be used (http://www.cert.org/security-improvement/implementations/i049.02.html). Compared to the script, its benefit is that it is compiled code; its downside is that administrators receive no e-mail notification.

Restricted FTP Usage
Ensured /etc/ftpusers contained the following accounts:
# vi /etc/ftpusers
root
adm
bin
daemon
listen
lp
nobody
noaccess
nobody4
nuucp
smtp
sys
uucp
These system accounts no longer have the ability to FTP into the server. Any additional administrative accounts should be added as well (e.g. oracle, webadmin, etc.).

Secured the IP Module
Downloaded the latest nddconfig script from: http://wwws.sun.com/blueprints/tools/nddconfig_license.html
# vi /etc/init.d/nddconfig
# chmod 740 /etc/init.d/nddconfig
# chown root:sys /etc/init.d/nddconfig
# ln /etc/init.d/nddconfig /etc/rc2.d/S70nddconfig

Randomized the Initial Sequence Number of all TCP Connections

Configured on-line:
# ndd -set /dev/tcp tcp_strong_iss 2
Configured for reboot:
# vi /etc/default/inetinit
TCP_STRONG_ISS=2
Randomizing the initial sequence number of TCP connections protects the system against session hijacking and IP spoofing.

* From Lance Spitzner's Armoring Solaris

Disabled Unnecessary Services in /etc/inetd.conf
# vi /etc/inetd.conf
# ps -ef | grep inetd
# kill -HUP <inetd PID>
Commented out all entries, including telnet and ftp, and used SSH and scp as their replacements; they offer additional security. Many of these unnecessary services contain easily exploitable security vulnerabilities. Be advised that some programs add entries to the end of inetd.conf and cannot function without them (Solstice DiskSuite, for example).

Disabled Start Scripts

In general, disable any unnecessary services. This will address security vulnerabilities and, in some cases, increase
performance. Ensure that you understand the purpose of a service before disabling it. Listed below are the services I
typically disable. With new versions of Solaris, there may be more to consider.
Disabled Volume Management
# cd /etc/rc2.d
# mv S92volmgt s92volmgt
After this configuration, CD-ROMs will not be automatically mounted. To manually mount a CD-ROM use:
# mount -F hsfs -o ro /dev/dsk/c0t6d0s0 /mnt

Disabled Dtlogin

Dtlogin is disabled if the server is not intended to run the Common Desktop Environment (CDE) or GUIs.
# cd /etc/rc2.d
# mv S99dtlogin s99dtlogin

Disabled Printing
# /usr/lib/lpshut
# cd /etc/rc2.d
# mv S80lp s80lp

Disabled RPC

RPC is disabled if the server is not intended to run CDE. To determine what is using RPC, use rpcinfo -p.
# cd /etc/rc2.d
# mv /etc/rc2.d/S71rpc /etc/rc2.d/s71rpc

Disabled the NFS Client
# /etc/init.d/nfs.client stop
# cd /etc/rc2.d
# mv S73nfs.client s73nfs.client

Disabled the NFS Server
# /etc/init.d/nfs.server stop
# cd /etc/rc3.d
# mv S15nfs.server s15nfs.server

Disabled UUCP
# cd /etc/rc2.d
# mv S70uucp s70uucp

Disabled the LDAP Client
# cd /etc/rc2.d
# mv S71ldap.client s71ldap.client

Disabled the Auto Mounter
# /etc/init.d/autofs stop
# cd /etc/rc2.d
# mv S74autofs s74autofs

Disabled the Network Time Daemon
# /etc/init.d/xntpd stop
# cd /etc/rc2.d
# mv S74xntpd s74xntpd
Disabled the Logical Link Control Driver
# cd /etc/rc2.d
# ./S40llc2 stop
# mv S40llc2 s40llc2

Disabled Auto Install
# cd /etc/rc2.d
# mv S72autoinstall s72autoinstall

Disabled Cachefs Daemon
# cd /etc/rc2.d
# mv S73cachefs.daemon s73cachefs.daemon

Disabled Asynchronous PPP Daemon
# cd /etc/rc2.d
# mv S47pppd s47pppd

Disabled cacheos.finish Script
# cd /etc/rc2.d
# mv S93cacheos.finish s93cacheos.finish

Disabled Preservation of Files Killed by Vi
# cd /etc/rc2.d
# mv S80PRESERVE s80PRESERVE

Disabled Power Management
# cd /etc/rc2.d
# mv S85power s85power

Disabled Flash PROM Update
# cd /etc/rc2.d
# mv S75flashprom s75flashprom
Before attempting to update the eeprom, temporarily enable this script.

Disabled Buttons n Dials Setup
# cd /etc/rc2.d
# mv S89bdconfig s89bdconfig

Disabled Spc
# cd /etc/rc2.d
# mv S80spc s80spc

Disabled Sun Management Center
# cd /etc/rc2.d
# mv S90wbem s90wbem

Disabled Network Cache and Accelerator
# cd /etc/rc2.d
# mv S94ncalogd s94ncalogd
# mv S95ncad s95ncad
NCA is used to increase web server performance.

Disabled Mobile IP Agent
# cd /etc/rc3.d
# mv S80mipagent s80mipagent
Disabled SNMP
# cd /etc/rc3.d
# /usr/bin/pkill -9 -x -u 0 '(snmpdx|snmpv2d|mibiisa)'
# mv S76snmpdx s76snmpdx

Disabled Apache
# cd /etc/rc3.d
# mv S50apache s50apache

Disabled DMI
# cd /etc/rc3.d
# /usr/bin/pkill -9 -x -u 0 '(snmpXdmid|dmispd)'
# mv S77dmi s77dmi

Disabled the Sendmail Daemon
The system continues to send mail out; it does not receive mail in to the server. This eliminates a significant security vulnerability.
# /etc/init.d/sendmail stop
Prevented sendmail from starting at boot:
# cd /etc/rc2.d
# mv S88sendmail s88sendmail
Ensured the sendmail queue is cleaned out:
# crontab -e

# The Sendmail daemon is not running - This tells it to send mail out
05,20,35,50 * * * * /usr/lib/sendmail -q
Disabled Multicasting
Multicasting is typically used for clustering. Ensure that it is not required by an application.
# vi /etc/init.d/inetsvc

#
# Add a static route for multicast packets out our default interface.
# The default interface is the interface that corresponds to the node name.
#
#mcastif=`/sbin/dhcpinfo Yiaddr`
#
#if [ $? -ne 0 ]; then
# mcastif=`uname -n`
#fi
#
#echo "Setting default interface for multicast: \c"
#/usr/sbin/route add -interface -netmask "240.0.0.0" "224.0.0.0" "$mcastif"
Disabled the Serial Port Listeners

This configuration can be accomplished unless there is a modem or console terminal attached to the system.
# vi /etc/inittab
Remove the line with /usr/lib/saf/sac -t 300
# chown root:sys /etc/inittab
# chmod 644 /etc/inittab

Added Warning Banners
These configurations replace the operating system version with a warning banner displayed during the login process.
Login:
# vi /etc/motd (replaced operating system version with a warning banner)
Property of Company

WARNING: To protect systems from unauthorized use and to ensure that the
system is functioning properly, activities on this system are monitored and
recorded and subject to audit. Use of this system is expressed consent to such
monitoring and recording. Any unauthorized access or use of this system is
prohibited and could be subject to criminal and civil penalties.

# cp /etc/motd /etc/issue
Telnet:
# vi /etc/default/telnetd
UMASK=022
BANNER=""
# chown root:sys /etc/default/telnetd
# chmod 444 /etc/default/telnetd
FTP:
# vi /etc/default/ftpd
UMASK=022
BANNER=`cat /etc/motd`
# chown root:sys /etc/default/ftpd
# chmod 444 /etc/default/ftpd

Defined PATH, SUPATH and UMASK in /etc/default/login
# vi /etc/default/login

PATH=/usr/sbin:/usr/bin
SUPATH=/usr/sbin:/usr/bin
UMASK=027

Disabled World Access in Default Umask

Added "umask 027" to the following files:
/etc/profile (change)
/etc/.login (add)
/etc/skel/local.profile (add)
/etc/skel/local.login (add)
/etc/skel/local.cshrc (change)

Ensured no Alternate UID 0 Accounts Exist
# more /etc/passwd
Ensure that root is the only account with a UID of 0 in the third field of the /etc/passwd file. UID 0 identifies an account as root to the operating system. Any alternate account with a UID of 0 is given /usr/sbin/noshell as its login shell.

Ensured all Accounts have Passwords
# logins -p
Use the command logins -p to check for accounts that do not require a password to log in.

Restricted Access to the "at" and "crontab" Commands
This access should be given out on an as-needed basis.

Determine who has a crontab file:
# ls /var/spool/cron/crontabs
Restrict the use of "at" and "crontab". Only users listed in these files will be allowed to use "at" and "crontab". Start with the root user. Add sys for performance logging and lp for print queue maintenance:
# vi /etc/cron.d/cron.allow
# chmod 600 /etc/cron.d/cron.allow
# cp -p /etc/cron.d/cron.allow /etc/cron.d/at.allow
Create an /etc/cron.d/cron.deny file. Users listed in this file will not have access to at and crontab:
# cat /etc/passwd | cut -f1 -d: | grep -v root >> /etc/cron.d/cron.deny
# chmod 600 /etc/cron.d/cron.deny
Create an /etc/cron.d/at.deny file:
# cp -p /etc/cron.d/cron.deny /etc/cron.d/at.deny

Replicated Syslog to the Monitoring Console

Replicating syslog to a central system makes it difficult for an intruder to entirely hide their tracks. As syslog entries are
created locally, they are immediately copied to the central syslog server. Daily review of the centralized logs is also an
effective way to detect system anomalies (e.g. hardware failures, software errors, etc.).

# /etc/init.d/syslog stop
# vi /etc/hosts
Before:
192.168.1.101 sunsrv01.domain.com sunsrv01 loghost
After:
192.168.1.101 sunsrv01.domain.com sunsrv01
192.168.1.102 sunsrv02 loghost
# cp /etc/syslog.conf /etc/syslog.conf.orig
# vi /etc/syslog.conf

# next 2 lines added for syslog replication
*.err;kern.notice;auth.notice;user.none @loghost
*.err;kern.debug;daemon.notice;mail.crit;user.none @loghost
NOTE: The entries must be separated by tabs.
# /etc/init.d/syslog start

Forwarded Root Access Attempts to the System Console
# vi /etc/default/su
CONSOLE=/dev/console (uncommented)

Enabled Logging of the su Command
This configuration logs both success and failure of su command usage.
NOTE: This configuration is required by the root login notification script (below).
# vi /etc/default/su
SULOG=/var/adm/sulog (uncommented)
# cd /var/adm
# touch sulog
# chgrp sys sulog
# chmod 600 sulog

Enabled AUTH Logging

The auth facility controls account access with login, su, etc.
# vi /etc/syslog.conf
auth.info /var/log/authlog
auth.notice /var/log/authlog
NOTE: The entries must be separated by tabs.
# /etc/init.d/syslog stop
# /etc/init.d/syslog start

Enabled Logging of Unsuccessful Login Attempts
The loginlog file records consecutive failed login attempts.
# cd /var/adm
# touch loginlog
# chgrp sys loginlog
# chmod 600 loginlog

Enabled Logging of Successful Logins
# cd /var/log
# touch logins
# chgrp sys logins
# chmod 600 logins

# vi /etc/syslog.conf

# log successful logins
local0.info /var/log/logins
NOTE: The entries must be separated by tabs.

# /etc/init.d/syslog stop
# /etc/init.d/syslog start
Added the following entry to /etc/profile and /etc/.login:
logger -p local0.info "User $LOGNAME has logged in"

Enabled Logging of CDE Login Attempts
# vi /etc/pam.conf

Added the word debug after the account management entries

#
# Account management
#
login account required /usr/lib/security/$ISA/pam_unix.so.1 debug
dtlogin account required /usr/lib/security/$ISA/pam_unix.so.1 debug
# vi /etc/syslog.conf

Added ;auth.debug;user.debug to the line that logs successful logins

# log successful logins
local0.info;auth.debug;user.debug /var/log/logins
NOTE: The entries must be separated by tabs.
# /etc/init.d/syslog stop
# /etc/init.d/syslog start

Log Incoming Connections for TCP Services
# vi /etc/syslog.conf

# log incoming connections for TCP services
daemon.notice /var/log/syslog
NOTE: The entries must be separated by tabs.
# /etc/init.d/syslog stop
# /etc/init.d/syslog start

# vi /etc/rc2.d/S72inetsvc
Changed the following entry:
/usr/sbin/inetd -s
to read:
/usr/sbin/inetd -s -t
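
An added check, not part of the build document, for the syslog.conf rules added in the sections above: it flags rule lines where the selector and action are separated by spaces instead of a tab (the mistake the NOTE lines warn about) and reports which of the expected rules are missing. The sample files it uses when run without an argument are constructed inline.

```shell
#!/bin/ksh
# Added example, not part of the build document: check a syslog.conf for the
# two things the notes above warn about, selector and action separated by
# spaces instead of a tab, and a rule that is missing altogether. The expected
# rules are the ones added in the sections above.
# Usage: check_syslog.sh /etc/syslog.conf
# With no argument it runs on constructed sample files.

# check_syslog_conf FILE: print every rule line that contains no tab
# (Solaris syslogd requires tab-separated fields); return 1 if any were found.
check_syslog_conf() {
    awk '/^[ \t]*#/ || /^[ \t]*$/ { next }
         /\t/ { next }
         { printf "line %d: no tab between selector and action: %s\n", NR, $0; bad++ }
         END { exit (bad > 0) }' "$1"
}

# has_rule FILE SELECTOR ACTION: true when a tab-separated rule with exactly
# that selector and action exists (several tabs between them are fine).
has_rule() {
    awk -v sel="$2" -v act="$3" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            n = split($0, f, "\t"); action = ""
            for (i = n; i > 1 && action == ""; i--) action = f[i]
            if (f[1] == sel && action == act) found = 1
        }
        END { exit found ? 0 : 1 }' "$1"
}

# audit_syslog_conf FILE: look for each rule this document adds; the return
# value is the number of rules that are missing or not tab-separated.
audit_syslog_conf() {
    missing=0
    while read -r sel act; do
        if has_rule "$1" "$sel" "$act"; then
            echo "OK      $sel -> $act"
        else
            echo "MISSING $sel -> $act"
            missing=$((missing + 1))
        fi
    done <<EOF
*.err;kern.notice;auth.notice;user.none @loghost
*.err;kern.debug;daemon.notice;mail.crit;user.none @loghost
auth.info /var/log/authlog
local0.info;auth.debug;user.debug /var/log/logins
daemon.notice /var/log/syslog
EOF
    return $missing
}

# write_syslog_samples DIR: a constructed excerpt with every rule correct
# (syslog.conf.good) and a copy whose last rule was typed with a space
# (syslog.conf.bad).
write_syslog_samples() {
    good="$1/syslog.conf.good"; bad="$1/syslog.conf.bad"
    printf '# constructed /etc/syslog.conf excerpt\n' > "$good"
    printf '%s\t%s\n' '*.err;kern.notice;auth.notice;user.none' '@loghost' \
        '*.err;kern.debug;daemon.notice;mail.crit;user.none' '@loghost' \
        'auth.info' '/var/log/authlog' \
        'local0.info;auth.debug;user.debug' '/var/log/logins' \
        'daemon.notice' '/var/log/syslog' >> "$good"
    head -5 "$good" > "$bad"
    printf 'daemon.notice /var/log/syslog\n' >> "$bad"
}

if [ $# -eq 1 ]; then
    check_syslog_conf "$1" && echo "all rules are tab-separated"
    audit_syslog_conf "$1" && echo "all expected rules are present"
else
    demo=$(mktemp -d) || exit 1
    write_syslog_samples "$demo"
    for f in "$demo/syslog.conf.bad" "$demo/syslog.conf.good"; do
        echo "== $(basename "$f")"
        check_syslog_conf "$f" && echo "all rules are tab-separated"
        audit_syslog_conf "$f" && echo "all expected rules are present"
    done
    rm -rf "$demo"
fi
```
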

Enabled Auditing

Solaris provides the Basic Security Module (BSM) to audit actions taken by users. There is a relatively small performance hit associated with its use. BSM provides forensic evidence. For more detail, see Sun's article on BSM (http://www.sun.com/solutions/blueprints/0201/audit_config.pdf).

Enabled BSM
# /etc/security/bsmconv
NOTE: The bsmconv script adds "set abort_enable = 0" to the end of the /etc/system file, disabling Stop-A functionality. I typically remove it before rebooting the system.
# /usr/sbin/shutdown -i6 -g0 -y

Configured the Classes of Events to Log
# vi /etc/security/audit_control
dir:/var/audit
flags:lo,ad,pc,fc,fd,fm
naflags:lo,ad
#
# lo - login/logout events
# ad - administrative actions: mount, exportfs, etc.
# pc - process operations: fork, exec, exit, etc.
# fc - file creation
# fd - file deletion
# fm - change of object attributes: chown, flock, etc.
#
Audit all Actions Taken by Root
# vi /etc/security/audit_user
# log all of the commands that the root user runs
root:lo,ex:
Installed a Log Rotation Script
# touch /etc/security/newauditlog.sh
# chmod 700 /etc/security/newauditlog.sh
# mkdir -p /var/audit/logs
# vi /etc/security/newauditlog.sh
#!/bin/ksh
#
# Solaris Basic Security Module (BSM) Log Rotation Script
# newauditlog.sh - Start a new audit file and expire the old logs
#
# Source: Solaris Security Guide
# Modifications: Added log compression and deletion with e-mail
# notification when the log directory grows past a certain size.
# - gtr
#
#*****************************************************************

PATH=/usr/sbin:/usr/bin
AUDIT_EXPIRE=30
AUDIT_DIR=/var/audit
LOG_DIR=/var/audit/logs

# Rotate the audit log

/usr/sbin/audit -n

# Move log files to the archive directory and compress

for i in `/usr/bin/ls $AUDIT_DIR | grep -v not_terminated | grep -v logs`
do

compress $AUDIT_DIR/$i
mv $AUDIT_DIR/$i.Z $LOG_DIR/$i.Z

done

# Delete old log files

cd $LOG_DIR # in case it is a link
/usr/bin/find . -type f -mtime +$AUDIT_EXPIRE -exec rm {} \; > /dev/null 2>&1

# Ensure that log files do not take up more than 250MB

# The next variable can be set for multiple addresses
# (i.e. jsmith@yahoo.com,jsmith@hotmail.com)
MAILADD=status

# The maximum size, in KB, that $LOG_DIR is allowed to reach before log files
# are deleted. (250000 KB = 250MB)
MAXSIZ=250000

LOGDU=`du -sk $LOG_DIR | awk '{ print $1 }'`

if [ "$LOGDU" -gt "$MAXSIZ" ]; then
find $LOG_DIR -type f -mtime +21 -exec rm {} \;
mail $MAILADD <<EOF
From: $0
To: $MAILADD
Subject: Security Audit Log Size on `uname -n`
$LOG_DIR was $LOGDU KB. $0 does not
allow more than 250 MB of log files in this directory.
Log files older than 21 days have been deleted.
The current size of $LOG_DIR is `du -sk $LOG_DIR | awk '{ print $1 }'` KB.
Thank you.
EOF
fi

exit 0
Run the Script Nightly from Cron
# EDITOR=vi; export EDITOR
# crontab -e
0 0 * * * /etc/security/newauditlog.sh
NOTE: Use the praudit command to convert audit data into ASCII format:
# cd /var/audit
# praudit logfile
* From the Solaris Security Guide
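
Before the monitoring scripts, an added review of the sulog enabled above against the wheel group that su was restricted to; this is example code written for this page, not one of the document's scripts. The sulog, group and passwd lines it runs on without arguments are constructed samples, and the usernames in them are made up.

```shell
#!/bin/ksh
# Added example, not part of the build document: review /var/adm/sulog
# (enabled above through SULOG in /etc/default/su) against the wheel group
# that su was restricted to. sulog lines look like
#   SU 01/15 08:02 + pts/1 jsmith-root
# where field 4 is + (success) or - (failure) and field 6 is from-to.
# Usage: su_review.sh /var/adm/sulog /etc/group /etc/passwd
# With no arguments it runs on constructed sample files.

# su_root_summary SULOG: "user successes failures" for each user who tried
# to su to root, sorted by user; root-root entries are ignored.
su_root_summary() {
    awk '$1 == "SU" && $6 ~ /-root$/ && $6 != "root-root" {
            u = $6; sub(/-root$/, "", u)
            if ($4 == "+") ok[u]++; else bad[u]++
            seen[u] = 1
        }
        END { for (u in seen) printf "%s %d %d\n", u, ok[u] + 0, bad[u] + 0 }' "$1" | sort
}

# wheel_members GROUPFILE PASSWDFILE [GROUP]: accounts allowed to run su,
# i.e. the explicit member list of GROUP plus accounts whose primary GID is
# the group's (useradd -g wheel, as used above, creates the latter).
wheel_members() {
    g=${3:-wheel}
    gid=$(awk -F: -v g="$g" '$1 == g { print $3 }' "$1")
    {
        awk -F: -v g="$g" '$1 == g && $4 != "" {
            n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }' "$1"
        if [ -n "$gid" ]; then awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$2"; fi
    } | sort -u
}

# su_outside_wheel SULOG GROUPFILE PASSWDFILE: users who became root without
# being in wheel. With su at mode 4750 root:wheel this cannot happen, so a
# hit means the mode or group of /usr/bin/su or /sbin/su.static was reset
# (a patch can do that) or the entry predates the change; re-check both.
su_outside_wheel() {
    allowed=$(wheel_members "$2" "$3")
    su_root_summary "$1" | while read -r user ok bad; do
        [ "$ok" -gt 0 ] || continue
        echo "$allowed" | grep -qxF "$user" || echo "$user"
    done
}

# write_su_samples DIR: constructed sulog, group and passwd excerpts.
write_su_samples() {
    printf '%s\n' 'SU 01/15 08:02 + pts/1 jsmith-root' \
        'SU 01/15 08:10 - pts/2 mjones-root' 'SU 01/15 08:11 - pts/2 mjones-root' \
        'SU 01/15 09:30 + pts/3 mjones-root' 'SU 01/15 10:00 + console root-root' \
        'SU 01/15 10:05 + pts/4 jsmith-oracle' 'SU 01/15 11:20 + pts/5 tlee-root' > "$1/sulog"
    printf '%s\n' 'root::0:root' 'sys::3:root,bin,adm' 'wheel::100:mjones' > "$1/group"
    printf '%s\n' 'root:x:0:1:Super-User:/:/sbin/sh' \
        'jsmith:x:1001:100:John Smith:/export/home/jsmith:/bin/ksh' \
        'mjones:x:1002:1:Mary Jones:/export/home/mjones:/bin/ksh' \
        'tlee:x:1003:1:Tom Lee:/export/home/tlee:/bin/ksh' > "$1/passwd"
}

# review SULOG GROUPFILE PASSWDFILE: print both reports.
review() {
    echo "su to root (user successes failures):"
    su_root_summary "$1"
    echo "successful su to root by accounts outside wheel:"
    su_outside_wheel "$1" "$2" "$3"
}

if [ $# -eq 3 ]; then
    review "$1" "$2" "$3"
else
    demo=$(mktemp -d) || exit 1
    write_su_samples "$demo"
    review "$demo/sulog" "$demo/group" "$demo/passwd"
    rm -rf "$demo"
fi
```
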
INSTALLED MONITORING SCRIPTS

Root Login Notification Script (rtlgn.sh)
Purpose: Monitors root logins via the su command and directly at the console. Notifies via e-mail.
Dependencies: /var/adm/sulog
/etc/aliases status (e-mail addresses of administrators)
# vi /opt/admin/scripts/rtlgn.sh
#!/bin/ksh
#
# Solaris 2.X Root Login Notification Script
# Purpose: Sends notification when root logs in
# Usage: Execute from crontab every 15 minutes
# 14,29,44,59 * * * * /opt/admin/scripts/rtlgn.sh > /dev/null
# Dependencies: None
# Outputs: E-mail
#*************************************************************

PATH=/usr/bin:/usr/sbin:/usr/ucb:/bin
SRVNM=`uname -n`
DATE=`date '+%m/%d'`
DAY=`date '+%d'`
HOUR=`date '+%H'`
MONTH=`date '+%m'`
MIN=`date '+%M'`

LOGDIR=/var/adm/log/rtlgn
DATFILE=$LOGDIR/rtlgn.dat

if [ ! -d $LOGDIR ] ; then
mkdir -p $LOGDIR
touch $DATFILE
fi

# Clean out the dat file each day

if [ $HOUR -eq "00" ]; then

if [ $MIN -lt "15" ]; then
> $DATFILE
fi

fi

# The next variable can be set for multiple addresses
# (i.e. jsmith@yahoo.com,jsmith@hotmail.com)
MAILADD=monitor

# Check for remote root login (should never happen)
#who

# Check for recent root console login
# Determine if notification has been sent this hour
if [ `grep -c "$DATE $HOUR CONSOLE" $DATFILE` -eq 0 ]
then

if [ `last root console | grep -c "$MONTH $DAY $HOUR" ` -gt 0 ]
then

mail $MAILADD <<EOF
From: $0
To: $MAILADD
Subject: Root Console Login $SRVNM

A root console login has occurred:

`last root console | grep "$MONTH $DAY $HOUR"`

EOF

# Ensure notification only occurs once per hour
print "$DATE $HOUR CONSOLE" >> $DATFILE

fi
fi

# Check for recent su to root
# Determine if notification has been sent this hour
if [ `grep -c "$DATE $HOUR SU" $DATFILE ` -lt 1 ]
then

if [ `grep "$DATE $HOUR" /var/adm/sulog | grep -v root- | grep root | grep -c "+"` -gt 0 ]
then

mail $MAILADD <<EOF
From: $0
To: $MAILADD
Subject: Root Access on $SRVNM

The following root login has occurred:

`grep "$DATE $HOUR" /var/adm/sulog | grep root | grep "+"`

EOF

# Ensure notification only occurs once per hour
print "$DATE $HOUR SU" >> $DATFILE
fi
fi

exit 0
# chmod 700 /opt/admin/scripts/rtlgn.sh

System Boot Notification Script (S99notify)
Purpose: Sends notification when a server boots.
Dependencies: None
/etc/aliases monitor (administrators' e-mail and pagers)
# vi /etc/rc2.d/S99notify
#!/bin/ksh
#
# Solaris 2.X Boot Notification Script
# /etc/rc2.d/S99notify - Sends e-mail notification to administrators
# when the system is booted.
#
#*******************************************************************

PATH=/usr/sbin:/usr/bin

SRVNM=`uname -n`

# The next variable can be set for multiple addresses
# (i.e. jsmith@yahoo.com,jsmith@hotmail.com)
MAILADD=monitor

mail $MAILADD <<EOF
From: $0
To: $MAILADD
Subject: Boot of $SRVNM

$SRVNM has booted up.

If this is news to you, please investigate.

`date`

EOF

exit 0
# chmod 700 /etc/rc2.d/S99notify
Installed LogSentry
LogSentry parses /var/adm/messages and sends notification based on the hacking and violation files. Customize the ignore file to reduce false positives. Execute it from cron to send a report once per day, with notification sent to administrators' e-mail accounts. It makes sense to centralize syslog on a single server and run LogSentry there.
http://www.psionic.com/products/logsentry.html

File System Monitoring Script (mon_fs.sh)
Purpose: Monitors the size of file systems. Notifies via e-mail.
Dependencies: mon_fs.dat (contains which file systems to monitor and how large they can be before a warning is issued)
/etc/aliases status (e-mail addresses of administrators)
# vi /opt/admin/scripts/mon_fs.sh
#!/bin/ksh
#
# Solaris 2.X Monitor File Systems Script
# Purpose: Check to see if file systems are filling up
# Usage: Execute from crontab
# Dependencies: mon_fs.dat
# Outputs: E-mail
#*****************************************************

# The directory this script resides in
ADMINDIR=/opt/admin/scripts

# The next variable can be set for multiple addresses
# (i.e. jsmith@yahoo.com,jsmith@hotmail.com)
MAILADD=monitor

# Define the hostname of the server
SRVNM=`uname -n`

while read -r FS MAXCAP
do

CAPACITY=`df -k $FS | grep -v avail | awk '{print $5}' | awk -F% '{print $1}'`

if test $CAPACITY -gt $MAXCAP; then
mail $MAILADD <<EOF
From: $0
To: $MAILADD
Subject: File System on $SRVNM
$FS is at $CAPACITY% capacity on $SRVNM (Threshold is $MAXCAP%).

`date`

EOF
fi

done < $ADMINDIR/mon_fs.dat

exit 0
# vi /opt/admin/scripts/mon_fs.dat
/ 90
/var 90
/opt 90
# chmod 600 /opt/admin/scripts/mon_fs.dat
# chmod 700 /opt/admin/scripts/mon_fs.sh
Process Monitoring Script (mon_procs.sh)
Purpose: Ensures processes are running. Notifies via e-mail.
Dependencies: mon_procs.dat (contains the names of the processes to check)
/etc/aliases status (e-mail addresses of administrators)
# vi /opt/admin/scripts/mon_procs.sh
#!/bin/ksh
#
# Solaris 2.X Monitor Processes Script
# Purpose: Check to see if processes are running
# Usage: Execute from crontab
# Dependencies: mon_procs.dat
# Outputs: E-mail
#***************************************************

# The directory this script resides in
ADMINDIR=/opt/admin/scripts

# The next variable can be set for multiple addresses
# (i.e. jsmith@yahoo.com,jsmith@hotmail.com)
MAILADD=monitor

SRVNM=`uname -n`

while read PROG
do
ANSWER=`ps -e -o comm | grep $PROG`
if test "$ANSWER" = "$PROG"; then
sleep 1
else
mail $MAILADD <<EOF
From: $0
To: $MAILADD
Subject: Missing process on $SRVNM
Checking $PROG on $SRVNM... not found!

EOF
fi
done < $ADMINDIR/mon_procs.dat

exit 0
# vi /opt/admin/scripts/mon_procs.dat
/usr/sbin/syslogd

# chmod 700 /opt/admin/scripts/mon_procs.sh
# chmod 600 /opt/admin/scripts/mon_procs.dat
Server Monitoring Script (mon_srv.sh)
Purpose: Ensures servers respond to ping. Notifies via e-mail.
Dependencies: mon_srv.dat (contains IP addresses, the monitor e-mail address, and server names)
/etc/aliases monitor (administrators' e-mail and pagers)
# vi /opt/admin/scripts/mon_srv.sh
#!/bin/ksh
#
# Solaris 2.X Monitor Servers Script
# Purpose: Monitors servers with the ping command
# and notifies via e-mail.
# Usage: Execute from crontab
# Dependencies: /opt/admin/scripts/mon_srv.dat
# Outputs: E-mail
#***************************************************

# The directory this script resides in
ADMINDIR=/opt/admin/scripts

# The next variable can be set for multiple addresses
# (i.e. jsmith@yahoo.com,jsmith@hotmail.com)
MAILADD=monitor

while read -r IP SRVNM
do
if test `/usr/sbin/ping $IP | grep -c "is alive"` -eq 0; then
# Wait 5 minutes before checking again
sleep 300
if test `/usr/sbin/ping $IP | grep -c "is alive"` -eq 0; then
mail $MAILADD <<EOF
From: $0
To: $MAILADD
Subject: $SRVNM Down

$SRVNM is not responding.

EOF
fi
fi

done < $ADMINDIR/mon_srv.dat
exit 0
# vi /opt/admin/scripts/mon_srv.dat
192.168.1.103 hostname
# chmod 700 /opt/admin/scripts/mon_srv.sh
# chmod 600 /opt/admin/scripts/mon_srv.dat

User Disk Space Monitoring Script (maildu.sh)
Purpose: Notifies users when their home directory exceeds 100 MB. Sends e-mail to LAN accounts.
Dependencies: ~/.forward (contains the LAN e-mail addresses of users)
# vi /opt/admin/scripts/maildu.sh
#!/bin/ksh
#
# Solaris 2.X Mail Disk Usage Script
# Purpose: Notifies users via e-mail when their home
# directories contain more than 100 MB of files
# Usage: Run this script from crontab. Do not send
# the output to /dev/null. The only output it
# produces is which directories are too large.
# Dependencies: None
# Outputs: E-mail
#***************************************************

PATH=/usr/sbin:/usr/bin:/usr/ucb:/bin:.

# Where the user's home directories reside
HOMEDIR=/export/home

# Define the hostname of the server
SRVNM=`uname -n`

# Ensure that temp files get cleaned up upon exit
trap '/bin/rm -f $WRKFILE; exit' 0 1 2 3 15
WRKFILE=/tmp/prog$$

# Checks space used by users

cd $HOMEDIR
du -sk * | sort -nr >> $WRKFILE

# Notifies users

while read -r MB NAME
do

# 1 MB = 1024 KB

if [ "$MB" -gt "102400" ]; then
# Notify the root user
print "Mailing Disk Usage reminders out to:\n"
print " $NAME \t$MB KB\n"
# Notify the user
if [ -f $HOMEDIR/$NAME/.forward ]
then
MAILADD=`cat $HOMEDIR/$NAME/.forward`
else
MAILADD=$NAME
fi
mail $MAILADD <<EOF
From: $0
To: $MAILADD
Subject: Disk Usage on $SRVNM