netras

Introduction

Craig has donated a pair of Netra T105s to the group. This is the documentation on their build.

The first (to be known as ultra.sluug.org) has the following configuration:

Netra t1 (UltraSPARC-IIi 360MHz), No Keyboard
OpenBoot 3.10.25 ME, 320 MB memory installed, Serial #14255536.
Ethernet address 8:0:20:d9:85:b0, Host ID: 80d985b0.
/pci@1f,0/pci@1,1/scsi@2
Target 0
Unit 0 Disk FUJITSU MAJ3182MC 5509
Target 1
Unit 0 Disk FUJITSU MAJ3182M SUN18G 0804

The second (to be known as busch.sluug.org):

Netra t1 (UltraSPARC-IIi 360MHz), No Keyboard
OpenBoot 3.10.23 ME, 512 MB memory installed, Serial #11065274.
Ethernet address 8:0:20:a8:d7:ba, Host ID: 80a8d7ba.

Because busch has a cd-rom, we will build an image on it first and then jumpstart ultra using that image.


Build Process for busch

Base Install

Boot off of the CD-ROM. Use the serial console (there is no keyboard input). Select '0' (English) when asked about the language selection. Select '3' (VT100) when asked for your console type. The system is networked. Identify hme0 with the public IP which we will use (206.196.99.165) and hme1 with a private IP (192.168.1.30). Do not select DHCP or IPv6. The subnet mask on hme0 is 255.255.255.240 and the default gateway is 206.196.99.161. For hme1, use another hostname.

Do not configure Kerberos or name services (we will come back to these after the install, and we don't want to confuse the installer by not being connected to any of these networks).

Select Americas, United States, Central Time.

Select "no" for network services. This will leave ssh as the only enabled service.

Select a "standard" install and let the CDs automatically eject. Select auto reboot.

Accept the license. For localization support, choose the USA unicode options, but choose posix C as the default.

Don't install any additional software or web start ready software. Choose "entire distribution".

Use c0t0d0 as the boot disk. It has 8749M available. Manually lay out the partition table.

Slice  Mount Point  Size
0      /            6084M
1      swap         1024M
3      /var         1640M

It would be nice to leave space on the primary disk for live upgrade, but a 9G drive just isn't big enough.

Don't mount software from a remote server. Choose "Begin Installation".

When the install has completed, add a user, being careful to keep UIDs in sync with other systems.

Create a couple of directories (mode 770, root:sysadmin): /usr/local/patches and /usr/local/src.

Configure IPF

Uncomment the hme line in /etc/ipf/pfil.ap. Then run

#svcadm -v refresh pfil

Edit /etc/ipf/ipf.conf to allow incoming SSH connections, loopback traffic, and outbound traffic on both hme0 and hme1. Either unplumb and plumb the interfaces, or just reboot. Should you make more changes, this next command will flush the rules and install the new ruleset:

#ipf -Fa -f /etc/ipf/ipf.conf
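As an added example (not from the original page or the SLUUG build), the following sh script generates the ipf.conf described above and activates it with the same ipf -Fa -f command. The interface names and addresses are the page's own; treating 192.168.1.0/24 as the trusted range on hme1, and restricting private-side SSH to it, is an assumption made here.

```shell
#!/bin/sh
# Added example, not from the original page: build the ipf.conf described in
# the text (loopback open, SSH in, everything out on hme0 and hme1, block and
# log the rest) and install it the way the page does.

PUBLIC_IF=hme0
PUBLIC_IP=206.196.99.165          # addresses from the page
PRIVATE_IF=hme1
PRIVATE_IP=192.168.1.30
PRIVATE_NET=192.168.1.0/24        # assumed trusted range on hme1

# ipf_rules -> prints the ruleset on stdout. IP Filter uses last-match
# semantics unless a rule says 'quick', so the default-deny lines come first
# and every pass rule is 'quick'.
ipf_rules() {
    cat <<EOF
# loopback is trusted
pass in quick on lo0 all
pass out quick on lo0 all

# default deny, logged (read the log with ipmon)
block in log all
block out log all

# inbound: SSH only; 'keep state' lets the replies out without another rule
pass in quick on $PUBLIC_IF proto tcp from any to $PUBLIC_IP/32 port = 22 flags S keep state
pass in quick on $PRIVATE_IF proto tcp from $PRIVATE_NET to $PRIVATE_IP/32 port = 22 flags S keep state

# outbound: anything, stateful, on both interfaces
EOF
    for ifc in $PUBLIC_IF $PRIVATE_IF; do
        echo "pass out quick on $ifc proto tcp from any to any flags S keep state"
        echo "pass out quick on $ifc proto udp from any to any keep state"
        echo "pass out quick on $ifc proto icmp from any to any keep state"
    done
}

# count_rules KIND -> number of rules beginning with KIND ('pass in', 'block', ...)
count_rules() {
    ipf_rules | grep -c "^$1 "
}

# install_rules -> write the file and load it (Solaris host, as root)
install_rules() {
    ipf_rules > /etc/ipf/ipf.conf
    ipf -Fa -f /etc/ipf/ipf.conf
    ipfstat -io
}

if [ "${1:-}" = install ]; then
    install_rules
else
    ipf_rules
fi
```

Run it with no argument to review the generated rules, and with "install" on the Netra to write /etc/ipf/ipf.conf and flush/reload it. The only inbound holes are the two SSH rules; everything else that is not loopback is blocked and logged, which is what the page asks for.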

Disable unnecessary services

# svcadm -v disable svc:/network/rpc-100235_1/rpc_ticotsord:default \
    svc:/application/font/stfsloader:default \
    svc:/network/rpc/cde-calendar-manager:default \
    svc:/application/cde-printinfo:default \
    svc:/application/graphical-login/cde-login:default \
    svc:/application/font/fc-cache:default \
    svc:/application/management/wbem:default \
    svc:/system/sac:default \
    svc:/system/filesystem/autofs:default \
    svc:/system/name-service-cache:default \
    svc:/network/security/ktkt_warn:default \
    svc:/application/print/cleanup:default \
    svc:/network/rpc/gss:default

Verify that you haven't accidentally disabled anything else - Solaris is picky about the order in which services are disabled due to dependencies.

#svcs -xv

Patching

We are using Martin Paul's outstanding pca (Patch Check Advanced, available from http://www.par.univie.ac.at/solaris/pca/) script to simplify patching. Because Sun keeps changing its website and patch availability policy, we currently need to download the patchdiag.xref file manually from SunSolve.

Harden With JASS

Download JASS (also known as the Sun Security Toolkit) from Sun's site. Extract it and add the resulting package:

  #/usr/sfw/bin/gtar -xvzf SUNWjass-4.2.0.pkg.tar.Z
  #pkgadd -d .
  #/opt/SUNWjass/bin/jass-execute secure.driver

This will further lock down services, set PermitRootLogin to "No" in SSH, harden the FTP server configuration, tighten permissions, configure log rotation, set up TCP wrappers, enforce password complexity rules, and generally do Useful Things to keep the system secure. JASS does a couple of overly-secure things, like restrict SSH logins to machines on the local domain, so in /etc/hosts.allow, we'll need to change the sshd line to read "all".

Enable Binary Auditing

Edit /etc/security/audit_control to read:

dir:/var/audit
flags:lo,ap,ss,ua,am,pc
minfree:20
naflags:lo,ap,ss,ua,am,pc

Then run:

/etc/security/bsmconv

and reboot. Binary logs (similar to pacct logs) will now be written to /var/audit and will be readable via praudit(1).

Once rebooted, run

auditconfig -setpolicy +argv

which will enable recording of process arguments.
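Added example, not part of the original page: a small sh script that checks the flags: and naflags: lines of an audit_control file against the audit class names shipped in the Solaris 10 audit_class file (the list is embedded here, as a constructed copy, so the check runs anywhere), so that a mistyped separator or class name is caught before bsmconv is run. The demo file it checks is constructed and deliberately contains one bad token; the auditreduce/praudit commands at the end are the standard way to read the login class back out of /var/audit.

```shell
#!/bin/sh
# Added example, not from the original page: validate the class lists in
# /etc/security/audit_control before running bsmconv, then show how to read
# login/logout records back out of the binary trail afterwards.

# Class names from the Solaris 10 default /etc/security/audit_class,
# embedded here (constructed list) so the check does not need that file.
KNOWN_CLASSES="no fr fw fa fm fc fd cl ex pc nt ip na ad lo ap ss as ua am io pm ot all"

# class_known CLASS -> exit 0 if CLASS is a known class name.
# A leading +, - or ^ (success-only, failure-only, negate) is allowed.
class_known() {
    c=$(printf '%s' "$1" | sed 's/^[-+^]*//')
    for k in $KNOWN_CLASSES; do
        [ "$k" = "$c" ] && return 0
    done
    return 1
}

# validate_flags LIST -> prints every unknown token of a comma-separated
# class list; exit 1 if there were any. "ua.am" (wrong separator) fails here
# because it is read as one token that matches no class.
validate_flags() {
    bad=0
    for tok in $(printf '%s' "$1" | tr ',' ' '); do
        if ! class_known "$tok"; then
            echo "unknown audit class: $tok"
            bad=1
        fi
    done
    return $bad
}

# check_audit_control [FILE] -> checks the flags: and naflags: lines of an
# audit_control file (default /etc/security/audit_control); exit 1 on any problem.
check_audit_control() {
    f=${1:-/etc/security/audit_control}
    rc=0
    for key in flags naflags; do
        val=$(sed -n "s/^$key:\(.*\)/\1/p" "$f")
        if [ -z "$val" ]; then
            echo "$f: no $key: line"
            rc=1
        elif ! validate_flags "$val"; then
            echo "$f: bad $key: line"
            rc=1
        fi
    done
    return $rc
}

# Demo on a constructed audit_control; naflags: carries a '.' where a ','
# belongs, so the check reports it.
demo_file=$(mktemp)
cat > "$demo_file" <<'EOF'
dir:/var/audit
flags:lo,ap,ss,ua,am,pc
minfree:20
naflags:lo,ap,ss,ua.am,pc
EOF
check_audit_control "$demo_file" || echo "fix audit_control before running bsmconv"
rm -f "$demo_file"

# After bsmconv and the reboot, on the Solaris host as root:
#   auditreduce -c lo /var/audit/* | praudit -l   # login/logout class, one record per line
#   auditconfig -getpolicy                        # confirm 'argv' is among the active policies
```

Running the script on the real file (check_audit_control with no argument) before bsmconv avoids a reboot into an audit configuration that auditd will reject or that silently drops a class you meant to record.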

Jumpstart

Before setting up jumpstart, we need a place to put the install files. Put all of c0t1d0 on one partition, and then create a zfs pool and filesystem:

 #zpool create -f sluug c0t1d0
 #zfs create sluug/jumpstart
 #zfs set mountpoint=/jumpstart sluug/jumpstart

Use vold to mount the first cdrom.

netras.1187660891.txt.gz · Last modified: 2007/08/20 20:48 by 75.132.107.251