netras
Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision | ||
|
netras [2007/08/11 16:36] 75.132.107.251 |
netras [2007/09/10 11:08] (current) 167.206.189.3 |
||
|---|---|---|---|
| Line 36: | Line 36: | ||
| The system is networked. Identify hme0 with the public IP which we will use (206.196.99.165) and hme1 with a private IP (192.168.1.30) | The system is networked. Identify hme0 with the public IP which we will use (206.196.99.165) and hme1 with a private IP (192.168.1.30) | ||
| Do not select dhcp or IPv6. | Do not select dhcp or IPv6. | ||
| - | The subnet on hme0 is 255.255.255.240 and default gateway is 206.196.99.161. For hme1, use another hostname. | + | The subnet on hme0 is 255.255.255.240 and default gateway is 206.196.99.161. For hme1, use "busch-local". |
| Do not configure kerberos or name services (we will come back to these after the install, and we don't want to confuse the installer by not being connected to any of these networks.) | Do not configure kerberos or name services (we will come back to these after the install, and we don't want to confuse the installer by not being connected to any of these networks.) | ||
| Line 92: | Line 92: | ||
| ==Harden With JASS== | ==Harden With JASS== | ||
| - | Download JASS (also known as the Sun Security Toolkit) from Sun's side. Extract it and add the resulting package: | + | Download JASS (also known as the Sun Security Toolkit) from Sun's site. Extract it and add the resulting package: |
| #/usr/sfw/bin/gtar -xvzf SUNWjass-4.2.0.pkg.tar.Z | #/usr/sfw/bin/gtar -xvzf SUNWjass-4.2.0.pkg.tar.Z | ||
| Line 100: | Line 100: | ||
| This will further lock down services, set PermitRootLogin to "No" in SSH, harden the FTP server configuration, tighten permissions, configure log rotation, set up TCP wrappers, enforce password complexity rules, and generally do Useful Things to keep the system secure. JASS does a couple of overly-secure things, like restrict SSH logins to machines on the local domain, so in /etc/hosts.allow, we'll need to change the sshd line to read "all". | This will further lock down services, set PermitRootLogin to "No" in SSH, harden the FTP server configuration, tighten permissions, configure log rotation, set up TCP wrappers, enforce password complexity rules, and generally do Useful Things to keep the system secure. JASS does a couple of overly-secure things, like restrict SSH logins to machines on the local domain, so in /etc/hosts.allow, we'll need to change the sshd line to read "all". | ||
| - | ==Enable Binary Auditing== | ||
| - | Edit /etc/security/audit_control to read: | ||
| - | dir:/var/audit | ||
| - | flags:lo,ap,ss,ua,am,pc | ||
| - | minfree:20 | ||
| - | naflags:lo,ap,ss,ua.am,pc | ||
| - | Then run: | ||
| - | /etc/security/bsmconv | + | ===Jumpstart=== |
| - | and reboot. Binary logs (similar to pacct logs) will now be written to /var/audit and will be readable via praudit(1). | + | Before setting up jumpstart, we need a place to put the install files. Create a zfs pool and filesystem: |
| - | Once rebooted, run | + | #zpool create -f sluug c0t1d0 |
| + | #zfs create sluug/jumpstart | ||
| + | #zfs set mountpoint=/jumpstart sluug/jumpstart | ||
| - | auditconfig -setpolicy +argv | + | Use vold to mount the first cdrom. Install the first portion of the jumpstart software. |
| + | |||
| + | #cd /cdrom/sol_10_1106_sparc/s0/Solaris_10/Tools/ | ||
| + | #./setup_install_server /jumpstart | ||
| - | which will enable recording of process arguments. | + | Create a new rules file and a profile for the flash archive we will create later: |
| + | #cd /jumpstart/Solaris_10/Misc/jumpstart_sample | ||
| + | #cp rules rules.orig | ||
| + | |||
| + | Comment out everything in the rules file and add the following line: | ||
| + | network 192.168.1.0 && \ | ||
| + | karch sun4u - flash_profile - | ||
| + | Create a flash_profile file containing the following (you might need to change the IP address to reflect your local network configuration) | ||
| + | install_type flash_install | ||
| + | archive_location nfs://192.168.1.30/jumpstart/sol10u3.flar | ||
| + | partitioning explicit | ||
| + | filesys rootdisk.s0 6036 / | ||
| + | filesys rootdisk.s1 512 swap | ||
| + | filesys rootdisk.s3 2048 /var | ||
| + | Share the /jumpstart directory: | ||
| + | |||
| + | #zfs set sharenfs=ro sluug/jumpstart | ||
| + | #svcadm -v enable nfs/status | ||
| + | #svcadm -v enable nfs/nlockmgr | ||
| + | #svcadm -v enable nfs/server | ||
| + | |||
| + | |||
| + | Create the image of our currently-installed system referred to in the flash_profile file: | ||
| + | |||
| + | #flarcreate -n sluug_sol10u3_img -x /cdrom/ -x /usr/local/patches/ /jumpstart/sol10u3.flar | ||
| + | |||
| + | Generate a rules_ok file: | ||
| + | |||
| + | #./check | ||
| + | |||
| + | Create a file /jumpstart/sysidcfg with the following: | ||
| + | domain_name=sluug.org | ||
| + | name_server=127.0.0.1 | ||
| + | profile=flash_profile | ||
| + | profile_server=192.168.1.30 | ||
| + | network_interface=hme0 | ||
| + | {hostname=ultra.sluug.org | ||
| + | ip_address=206.199.99.164 | ||
| + | netmask=255.255.255.240 | ||
| + | protocol_ipv6=no} | ||
| + | network_interface=hme1 | ||
| + | {hostname=ultra.buildnetwork.domain | ||
| + | ip_address=192.168.1.33 | ||
| + | netmask=255.255.255.0 | ||
| + | protocol_ipv6=no} | ||
| + | system_locale=C | ||
| + | terminal=vt100 | ||
| + | timezone=CST | ||
| + | |||
| + | |||
| + | Add the install client: | ||
| + | cd /jumpstart/Solaris_10/Tools | ||
| + | ./add_install_client -i 192.168.1.33 -e 8:0:20:d9:85:b0 -s busch-local:/jumpstart -c busch-local:/jumpstart -p busch-local:/jumpstart ultra sun4u | ||
| + | |||
| + | You may want to temporarily disable the firewall to avoid problems with tftp and nfs during the jumpstart process. Also, you will need to edit /etc/hosts.allow: | ||
| + | |||
| + | rpcbind: all | ||
| + | |||
| + | In /etc/system, comment out the line reading "set nfssrv:nfs_portmon=1". See http://forum.java.sun.com/thread.jspa?threadID=5096957&messageID=9348465 | ||
| + | |||
| + | Changes to /etc/system require a reboot, so run | ||
| + | |||
| + | init 6 | ||
| + | |||
| + | |||
| + | Then log into ultra via serial console. From the 'ok' prompt: | ||
| + | |||
| + | ok> boot net - install | ||
| + | |||
| + | When the install finishes, be sure to reset the firewall and turn off the extra services required by jumpstart. | ||
| + | |||
| + | ===Racking=== | ||
| + | |||
| + | After racking and cabling the servers, you'll need to copy a resolv.conf off of bud (removing the "127.0.0.1" entry and un-commenting our other name servers). You'll also need to install a new nsswitch.conf: | ||
| + | |||
| + | # cd /etc | ||
| + | # mv nsswitch.conf nsswitch.conf.orig | ||
| + | # cp nsswitch.dns nsswitch.conf | ||
netras.1186868172.txt.gz · Last modified: 2007/08/11 16:36 by 75.132.107.251
Page Tools
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
