New Solaris Administrators Blog

We are proud to announce our new site: http://blog.serversolaris.com/

Solaris Server Administrators and Security


Friday, June 20, 2008

Zones security with Solaris

Solaris Zones provide many benefits to the solution being deployed. One of these benefits is that a network service can run inside a Zone, which limits the damage in case of a security breach caused by a newly discovered exploit or worm. A compromised Zone does not affect the other Zones, provided the security architecture has been designed correctly.
Zones can be monitored by an administrator from the Global Zone.

Thursday, June 19, 2008

Introduction to ZFS

ZFS is the new Solaris file system; it includes many features and benefits that no other file system has.
File systems were historically built on top of physical devices. ZFS uses virtualized volumes: it aggregates devices into a storage pool. The storage pool holds the information about the physical storage (device layout, data redundancy, etc.).

Because of the way it handles operating system transactions, the file system is never corrupted by a power outage or system crash, which also means that fsck is no longer needed.

Sun announced that ZFS was included in the 6/06 update to Solaris 10 in June 2006, one year after the opening of the OpenSolaris community.

ZFS Features:
* Hierarchical file system layout
* Property inheritance
* Automanagement of mount points
* NFS share semantics

To learn more about ZFS, go to docs.sun.com

Wednesday, June 18, 2008

Keys to control the movement in Solaris Man pages

The following keys let you move around a man page in Solaris.

You can see the uname man page for example:

$ man uname

Reformatting page. Please Wait... done
User Commands uname(1)

NAME
uname - print name of current system

SYNOPSIS
uname [ -aimnprsvX ]

uname [ -S system_name ]

DESCRIPTION
The uname utility prints information about the current system on the standard output. When options are specified, symbols representing one or more system characteristics will be written to the standard output. If no options are specified, uname prints the current operating system's name. The options print selected information returned by uname(2), sysinfo(2), or both.

To move around a man page, use these keys:
Space bar : Displays the next page of the man page.
Enter : Displays the next line of the man page.
b : Goes back one line.
/pattern : Searches for a specific pattern in the man page.
n : Searches for the next occurrence of the pattern, after using the /pattern option.
h : Displays help on the movement options in a man page.
q : Quits the man page.


Searching a word in the man pages
$ man -k word_to_search

To search for the "calendar" word in the man pages, use this command:

$ man -k calendar
[...]
cal cal (1) - display a calendar
calendar calendar (1) - reminder service
difftime difftime (3c) - computes the difference between two calendar times
mktime mktime (3c) - converts a tm structure to a calendar time

Tuesday, June 17, 2008

Characteristics of a Solaris password

Passwords protect the system from intruders; users should change their passwords frequently to help prevent security breaches by unauthorized users.

Solaris operating system passwords should have these characteristics:

- Six (6) to eight (8) characters.
- It should have at least two (2) alphanumeric characters and at least one numeric or special sign.
- It should be different from the username used to log in.
- It should be different from the previous password, differing in at least 3 characters.
- It can have spaces.
- It should not be the reverse of the username.

These rules do not apply to the root user, nor to any password created by the root user.
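
The rules listed above can be checked mechanically. The script below is an added example, not part of the original post or of Solaris itself; the function names, the failure labels and the position-by-position reading of "differing in at least 3 characters" are assumptions.

```shell
#!/bin/sh
# Added example: test a candidate password against the rules listed in the post.
# "Differs in at least 3 characters" is taken here as a position-by-position
# comparison; that reading is an assumption, not the passwd implementation.

reverse() {            # print $1 reversed
  s=$1; r=
  while [ -n "$s" ]; do rest=${s#?}; r="${s%"$rest"}$r"; s=$rest; done
  printf '%s' "$r"
}

diff_count() {         # number of positions at which $1 and $2 differ
  a=$1; b=$2; n=0
  while [ -n "$a" ] || [ -n "$b" ]; do
    ra=${a#?}; rb=${b#?}
    [ "${a%"$ra"}" = "${b%"$rb"}" ] || n=$((n + 1))
    a=$ra; b=$rb
  done
  echo "$n"
}

# check_password USER OLD NEW: prints "ok" or the first rule that fails.
check_password() {
  user=$1; old=$2; new=$3; len=${#new}
  # Character-class counts: letters+digits, and anything that is not a letter.
  alnum=$(( $(printf '%s' "$new" | LC_ALL=C tr -cd 'A-Za-z0-9' | wc -c) ))
  other=$(( $(printf '%s' "$new" | LC_ALL=C tr -d 'A-Za-z' | wc -c) ))
  if [ "$len" -lt 6 ] || [ "$len" -gt 8 ]; then echo "length"; return 1; fi
  if [ "$new" = "$user" ]; then echo "same-as-username"; return 1; fi
  if [ "$new" = "$(reverse "$user")" ]; then echo "reverse-of-username"; return 1; fi
  if [ "$alnum" -lt 2 ]; then echo "needs-two-alphanumeric"; return 1; fi
  if [ "$other" -lt 1 ]; then echo "needs-digit-or-special"; return 1; fi
  if [ "$(diff_count "$old" "$new")" -lt 3 ]; then echo "too-similar-to-old"; return 1; fi
  echo "ok"
}

# Constructed sample values, not real credentials.
for candidate in abc12 retlaw abcdefg blue42sy 'gr8 day!'; do
  printf '%-10s %s\n' "$candidate" "$(check_password walter blue42sk "$candidate")"
done
```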

Presentation of the Solaris operating system


The UNIX (r) operating system was developed by AT&T Bell Labs in 1969; it was created as a combination of tools by developers for developers.

Developers at the University of California, Berkeley made modifications to the original source code, and the result was called Berkeley Software Distribution (BSD) Unix. The most important contribution from the Berkeley developers was the network software, which was an important improvement to the operating system.

The original version of Sun's operating system was known as SunOS and was based on BSD Unix v4.2. At that time, AT&T's version of Unix was known as System V. In 1988, BSD, AT&T Unix and other operating systems were combined, and from that effort came System V v4.0 (SVR4) Unix; this effort also created a standard for the operating systems sector. The new SVR4 became the base not only for SunOS, but also for AT&T Unix, AIX from IBM and HP-UX from Hewlett-Packard.

Thursday, February 21, 2008

Disabling services in Solaris 10

To disable a service you have to be root or have sudo access. For example, to disable NFS, first list the NFS services:

-bash-3.00# svcs | grep nfs
online 16:29:25 svc:/network/nfs/status:default
online 16:29:29 svc:/network/nfs/mapid:default
online 16:29:44 svc:/network/nfs/nlockmgr:default
online 16:32:55 svc:/network/nfs/rquota:default
online 18:49:36 svc:/network/nfs/server:default

I will disable the nfs server:
# svcadm disable network/nfs/server

Wednesday, January 30, 2008

Sharing directories with NFS in Solaris 10

You may want to share a directory in Solaris, for example the users' home directories or a directory with binaries.
The service status can be checked with svcs, so let's check the status of the NFS server:
-bash-3.00# svcs network/nfs/server
STATE STIME FMRI
offline 2:19:03 svc:/network/nfs/server:default

The service is offline, so you have to enable it and start it:
-bash-3.00# svcadm enable -r network/nfs/server
-bash-3.00# svcadm enable -s network/nfs/server
-bash-3.00# svcadm restart network/nfs/server

Now it is started:
-bash-3.00# svcs network/nfs/server
STATE STIME FMRI
online 2:29:51 svc:/network/nfs/server:default

Now, to share a directory, edit /etc/dfs/dfstab and add:
share -F nfs /export/test

Save the file and execute:
# shareall -F nfs

Now check the shares:
-bash-3.00# share
- /export/test rw ""

Quite simple ;-)
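
A share line without `-o` options, like the one above, exports the directory read-write to every client, which is what the `rw` in the `share` output reports. The script below is an added example, not part of the original post: it flags dfstab entries that lack an access list, grant `root=` access or omit `nosuid`. The sample lines are constructed, and `buildhost` and the function name are hypothetical.

```shell
#!/bin/sh
# Added example: flag risky NFS share options in Solaris dfstab-style lines.
# Sample input is constructed; "buildhost" is a hypothetical client name.
SAMPLE_DFSTAB='# constructed sample /etc/dfs/dfstab
share -F nfs /export/test
share -F nfs -o rw=solln,nosuid -d "user homes" /export/home
share -F nfs -o ro,root=buildhost /export/bin'

# Reads dfstab text on stdin and prints "PATH: findings" for every share line.
audit_dfstab() {
  while read -r cmd rest; do
    [ "$cmd" = "share" ] || continue          # skip comments and blank lines
    # Drop a quoted -d "description" so it cannot be mistaken for the path.
    rest=$(printf '%s\n' "$rest" | sed 's/-d *"[^"]*"//')
    opts=; path=
    set -f; set -- $rest; set +f              # split into words, no globbing
    while [ $# -gt 0 ]; do
      case $1 in
        -o) opts=${2-}; shift ;;              # comma-separated share options
        -F|-d) shift ;;                       # skip the flag's argument
        *) path=$1 ;;                         # last plain word is the path
      esac
      if [ $# -gt 0 ]; then shift; fi
    done
    f=
    case ",$opts," in
      *,rw,*|*,ro,*) f="$f open-to-all-clients" ;;   # bare rw/ro: any host
      *,rw=*|*,ro=*) ;;                              # access list present
      *) f="$f open-to-all-clients" ;;               # default is rw for all
    esac
    case ",$opts," in *,root=*) f="$f remote-root-allowed" ;; esac
    case ",$opts," in *,nosuid,*) ;; *) f="$f setuid-allowed" ;; esac
    echo "$path:${f:- ok}"
  done
}

printf '%s\n' "$SAMPLE_DFSTAB" | audit_dfstab
```

On a real server the same function can read the file directly with `audit_dfstab < /etc/dfs/dfstab`.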

Wednesday, January 2, 2008

Disable graphical login in Solaris

If you want to start Solaris in text mode, it is easy:
-bash-3.00# /usr/dt/bin/dtconfig -d

Then reboot ;-)

Modifying the ip address of a Server

To modify the IP address permanently you have to edit the file:
/etc/hosts or /etc/inet/ipnodes (which is a link to /etc/hosts).

And set there the hostname and the IP address like:
127.0.0.1 localhost
10.10.10.20 solln

Then you have to reboot. You can also change it with ifconfig (like in Linux). First obtain the ethernet card address:
-bash-3.00# ifconfig -a
lo0: flags=2001000849 mtu 8232 index 1
inet 127.0.0.1 netmask ff000000
e1000g0: flags=1000843 mtu 1500 index 2
inet 10.10.10.21 netmask ff000000 broadcast 10.255.255.255
ether 0:c:29:2d:30:5

Then, carefully, modify the address:
# ifconfig e1000g0 10.10.10.20

You will probably lose the connection if you are doing this remotely, so, again, at your own risk.

Creating users in a Solaris Standalone server

In Solaris > 7, if you are going to use the server without NFS, you may see this error when you try to create a user:
# useradd -c "Walter" -m -s /bin/ksh -d /home/walter walter
ERROR: Unable to create the home directory: Operation not applicable.

To stop automount from mounting the /home partition, edit /etc/auto_master and comment out the line:
# /home auto_home -nobrowse

Then run "automount" and create your user.

How to reboot or shutdown a Solaris Server

When you have to reboot a Solaris server, you can use several commands as the root user.

To reboot:
This command does not ask for confirmation; you can interrupt it with ^C:
$ reboot

$ shutdown -i6 -g0
-i6 switches to state 6, which stops the operating system and reboots to the state defined by the initdefault entry in /etc/inittab.
-g0 sets the grace period before the shutdown; the default is 60 seconds.
-y skips the Y/N confirmation before rebooting.

To shut down:
$ shutdown -i5 -g0
This puts the machine into state 5, a state in which the machine can be turned off, and then powers it off.

$ poweroff