SunSetup

Info needed before starting

 * 1) Hostname, Domain Name,
 * 2) IP address, Subnet/Netmask
 * 3) Default router IP
 * 4) IPs of DNS servers
 * 5) Time Zone
 * 6) SNMP (disable or new RO password)
 * 7) NTP Server info
 * 8) SMTP mail server FQDN

Install procedure (from CLI install)
 * 1) Language: *English*
 * 2) Networked? *Yes*
 * 3) Use DHCP? *No*
 * 4) Hostname: *(fill in)*
 * 5) IP: *(fill in)*
 * 6) Part of a subnet? *Yes*
 * 7) Netmask: *(fill in)*
 * 8) IPv6? *No*
 * 9) Default Route: *specify one*
 * 10) Router IP: *(fill in)*
 * 11) Configure Kerberos? *No*
 * 12) Name Service? *DNS*
 * 13) Domain Name? *(fill in)*
 * 14) DNS servers? *(fill in)*
 * 15) Search Domain? *(blank)*
 * 16) NFSv4 domain configuration? *use the NFSv4 domain derived by system*
 * 17) Timezone: *(fill in)*
 * 18) Set Time
 * 19) Specify root password
 * 20) Enable remote services? *Yes*
 * 21) Installation? *End User*
 * 22) Automatically eject CD/DVD? *Yes*
 * 23) *Auto Reboot*
 * 24) The system is being installed
 * 25) Accept License
 * 26) Select Region: under *North America*, choose *U.S.A. (UTF-8)*
 * 27) Initial Locale: *POSIX C*
 * 28) Additional Products: *none*
 * 29) Filesystem: *UFS*
 * 30) Select Software: *Core*
 * 31) Select Disks: *(fill in)*
 * 32) Preserve Existing data? *No*
 * 33) Auto Layout Filesystem? *customize*
 * 34) Create partitions (see below)
 * 35) Mount remote file systems? *No*
 * 36) Beginning install...

For the disk layout, be sure to create the following partitions:

/        (8GB)              {slice 0}
/var     (8GB)              {slice 1}
swap     (4GB per disk)     {slice 3}
/home    (~20GB)            {slice 4}
metadb   (100MB)            {slice 7}

Final partitioning should look something like this:

Part        Tag    Flag     Cylinders        Size            Blocks
  0        root     wm       0 -   824        8.01GB    (825/0/0)    16790400
  1  unassigned     wm     825 -  1649        8.01GB    (825/0/0)    16790400
  2      backup     wu       0 - 14086      136.71GB    (14087/0/0) 286698624
  3  unassigned     wm    1650 -  2062        4.01GB    (413/0/0)     8405376
  4  unassigned     wm    2063 -  4123       20.00GB    (2061/0/0)   41945472
  5  unassigned     wm       0                0         (0/0/0)             0
  6  unassigned     wm       0                0         (0/0/0)             0
  7  unassigned     wm   14076 - 14086      109.31MB    (11/0/0)       223872

Additional Packages
Additional packages that probably should be installed manually:

 * *SUNWman* - the man pages
 * *SUNWfwflash* - if you ever need to update the server's flash
 * *SUNWaccr* - for SAR
 * *SUNWcdrw* & *SUNWdvdrw* - for writing CDs/DVDs, if the hardware allows

Mirroring Root Drive
 NOTE: Some servers (e.g. Txxxx) are mirrored by RAID hardware

For the example here, it is assumed the drive you installed Solaris on is *c1t0d0*, the second drive is *c1t0d1*, and both are sliced up as described above.


 * 1) Copy the primary disk's partition table: prtvtoc /dev/rdsk/c1t0d0s2 > /var/tmp/rootdisk
 * 2) Format the new disk with it: fmthard -s /var/tmp/rootdisk /dev/rdsk/c1t0d1s2
 * 3) Create the metadb replicas on both drives: metadb -a -c 3 -f c1t0d0s7 c1t0d1s7
 * 4) Encapsulate the partitions and put them in mirror groups:

*** Remember - DON'T mirror the metadb partition *(slice 7)* ***

metainit -f d11 1 1 c1t0d0s0 ; metainit -f d12 1 1 c1t0d1s0
metainit -f d21 1 1 c1t0d0s1 ; metainit -f d22 1 1 c1t0d1s1
metainit -f d51 1 1 c1t0d0s4 ; metainit -f d52 1 1 c1t0d1s4
metainit d20 -m d21
metainit d50 -m d51
metainit d10 -m d11
metaroot d10

(metaroot automatically updates /etc/system and /etc/vfstab so that the root file system uses the metadevice.)

Edit /etc/vfstab and change the /var and /home mount lines to be:

/dev/md/dsk/d20   /dev/md/rdsk/d20   /var    ufs   1   no   -
/dev/md/dsk/d50   /dev/md/rdsk/d50   /home   ufs   1   no   -

Then do:

reboot
metattach d10 d12    (attaches the second disk to the mirror set)
metattach d20 d22
metattach d50 d52

To check the status of the synchronizations: metastat

Make the mirror disk bootable: installboot /usr/platform/`uname -i`/lib/fs/ufs/bootblk /dev/rdsk/c1t0d1s0

Determine the physical device path of the mirror disk: ls -l /dev/dsk/c1t0d1s0

The output will be something like this:

... /dev/dsk/c0t1d0s0 -> ../../devices/pci@1f,4000/scsi@3/sd@1,0:a

Using the path obtained in the previous step, make a devalias for the mirror (the sd@ node in the /devices path is written as disk@ in the alias):

eeprom "nvramrc=devalias mirror /pci@1f,4000/scsi@3/disk@1,0"
eeprom "use-nvramrc?=true"

Add the mirror device alias to the OpenBoot parameter boot-device so the system can still boot if the primary boot device fails:
 * 1) eeprom "boot-device=disk mirror cdrom net"

Remember to add the new swap partition to the system:
 * 1) swap -a /dev/dsk/c1t0d1s3

And don't forget to add the new swap partition to the /etc/vfstab file:

/dev/dsk/c1t0d1s3      -       -       swap    -       no      -

Security
SSH Configuration
Edit /etc/ssh/sshd_config and put the following at the end of the file:

GatewayPorts no
AllowTcpForwarding no
KeepAlive yes
Protocol 2
Port 22

Password Configuration
Check your Information Security Handbook for the current password guidelines. The default is 30 days before a password must be changed, but there are exceptions. Exceptions to the 30-day change requirement are granted on administrative accounts for any account that has one or more of the following mitigating controls:

 * Restriction of that account from being used to obtain direct remote access to the system
 * Requirement for the use of two-factor authentication such as SecurID
 * Use of a complex password longer than 14 characters

Generally there are three classifications of passwords:
 * 1) Normal user accounts - expiration 90 days
 * 2) Service and system accounts (i.e. never used by a user) - long complex passwords (15+ characters) that must be changed once a year
 * 3) User accounts - expiration 30 days

Edit the appropriate password aging controls in /etc/default/passwd. For example:

MAXWEEKS=13
MINWEEKS=1
PASSLENGTH=7
WARNWEEKS=1
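The following script is an added example, not part of the original guide, covering both the SSH Configuration and Password Configuration sections above. It audits an sshd_config and an /etc/default/passwd file against the values given there. One caveat it is built around: an OpenSSH-derived sshd honours the first uncommented occurrence of a directive, so a line appended at the end of sshd_config does nothing if an earlier line already sets that directive. The two sample files it writes are constructed for the demonstration and are not real site configuration.

```shell
#!/bin/sh
# Added example (not from the original guide): audit the two files this section
# edits, /etc/ssh/sshd_config and /etc/default/passwd, against the values given
# above. Paths are arguments, so it can be pointed at the real files or at the
# constructed samples written by write_samples below.

# First effective value of an sshd_config directive. sshd uses the FIRST
# uncommented occurrence of a directive, so a line appended at the end of the
# file is ignored if an earlier line already sets it. Directive names are
# case-insensitive, so both sides are lowercased.
ssh_value() {   # ssh_value <sshd_config> <Directive>
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v key="$key" '
        /^[ \t]*#/ || NF < 2 { next }
        tolower($1) == key   { print $2; exit }
    ' "$1"
}

# Value of a KEY=VALUE entry in /etc/default/passwd (first uncommented hit).
default_value() {   # default_value <file> <KEY>
    awk -F= -v key="$2" '
        /^[ \t]*#/ { next }
        $1 == key  { print $2; exit }
    ' "$1"
}

# Check the sshd hardening lines. One line per mismatch on stdout; the exit
# status is the number of mismatches (0 = compliant).
audit_ssh() {   # audit_ssh <sshd_config>
    fails=0
    for pair in GatewayPorts=no AllowTcpForwarding=no Protocol=2 PermitRootLogin=no; do
        key=${pair%%=*}
        want=${pair#*=}
        got=$(ssh_value "$1" "$key")
        if [ "$got" != "$want" ]; then
            echo "sshd_config: $key is '${got:-unset}', wanted '$want'"
            fails=$((fails + 1))
        fi
    done
    return $fails
}

# Check password aging against the guide's example values. Bounds rather than
# equality, so a stricter site policy still passes.
audit_passwd() {   # audit_passwd <default_passwd_file>
    f=$1
    fails=0
    for spec in "MAXWEEKS -le 13" "MINWEEKS -ge 1" "PASSLENGTH -ge 7" "WARNWEEKS -ge 1"; do
        set -- $spec                      # KEY OP BOUND
        got=$(default_value "$f" "$1")
        if [ -z "$got" ] || ! [ "$got" "$2" "$3" ] 2>/dev/null; then
            echo "default/passwd: $1 is '${got:-unset}', wanted $2 $3"
            fails=$((fails + 1))
        fi
    done
    return $fails
}

# Constructed sample files (not real site configs). The sshd_config sample has
# the guide's lines appended after a stock "AllowTcpForwarding yes", which is
# exactly the case the first-occurrence rule turns into a silent failure.
write_samples() {   # write_samples <dir>
    cat > "$1/sshd_config" <<'EOF'
Protocol 2
PermitRootLogin no
AllowTcpForwarding yes
# lines from the guide, appended at the end of the file
GatewayPorts no
AllowTcpForwarding no
KeepAlive yes
Port 22
EOF
    cat > "$1/passwd" <<'EOF'
MAXWEEKS=13
MINWEEKS=1
PASSLENGTH=7
WARNWEEKS=1
EOF
}

# Stand-alone run: audit the samples and report, without a non-zero exit.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
audit_ssh "$demo_dir/sshd_config"   || echo "sshd_config: $? problem(s) found"
audit_passwd "$demo_dir/passwd"     || echo "default/passwd: $? problem(s) found"
rm -rf "$demo_dir"
```

Against the real files, run `audit_ssh /etc/ssh/sshd_config` and `audit_passwd /etc/default/passwd` after the edits; a reported AllowTcpForwarding mismatch means the appended line lost to an earlier one, and the earlier line is the one to change. After any sshd_config change, `svcadm restart ssh` is still needed for the daemon to pick it up.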

Solaris Security Kit

 * 1) Download and install the "Solaris Security Toolkit" (current version is 4.2) from here.
 * 2) cd to /opt/SUNWjass/Drivers/ and edit the hardening.driver file (if it doesn't exist, use the example file in the same directory).
 * 3) Ensure the following lines are commented out (unless the service will be needed):

    disable-keyboard-abort.fin
    disable-nfs-client.fin
    disable-picld.fin
    disable-rpc.fin
    disable-sendmail.fin
    enable-password-history.fin
    print-rhosts.fin
    set-user-password-reqs.fin
    enable-bsm.fin
    install-strong-permissions.fin
    enable-bart.fin

 * 4) To run the script: /opt/SUNWjass/bin/jass-execute -d secure.driver
 * 5) To audit: jass-execute -a secure.driver
 * 6) To uninstall: jass-execute -u
 * 7) After running JASS and before rebooting: if you need to be able to SSH into the box while setting it up, then in /etc/ssh/sshd_config look for the line PermitRootLogin no and change it to PermitRootLogin yes. Be sure to set this back to no afterwards.
 * 8) Make sure /etc/hosts.allow has the line: sshd: ALL
 * 9) Reboot the system
 * 10) NOTE: if any user accounts were created before this, it will force them to create a new password on next logon. To fix this, run passwd -u for each affected user.

Patching
Two ways to do patching:

 * 1) Download PCA. Note: you will need a Sun account to get all the patches. For syntax run "pca -h". To have it install ALL applicable patches, run "pca -a -i missing" ("-a" asks for the Sun login/password, "-i" is install). If you only want to do security and recommended patches, do "pca -a -i missingrs".

Other Post Install Tasks

 * 1) If Oracle will be installed, ensure the following Solaris packages are installed:

SUNWarc SUNWbtool SUNWhea SUNWlibm SUNWlibms SUNWsprot SUNWsprox SUNWtoo SUNWi1of SUNWxwfnt SUNWi1cs SUNWi15cs

 * 2) Add a user account for netalert if needed. Account "netalert", group "admin", complex (i.e. 15+ characters) password that doesn't expire. You will need to later log into the site's Netalert account and set it up for the site (i.e. whom to alert, what to monitor, etc.)
 * 3) Update site documentation

Removal of Unnecessary Software and Auditing
 * 1) To lock down services, run: svccfg apply /var/svc/profile/generic_limited_net.xml
      *NOTE*: re-enable SNMP if used: svcadm enable sma
 * 2) Search for and uninstall unneeded packages, such as language packs and StarOffice. For example, in a bash or korn shell do:

for i in `pkginfo | egrep '(French|Japan|staroffice)' | awk '{print $2}'`; do yes | pkgrm $i; done

Install TOP & SUDO
Download & install *TOP* & *SUDO* (and dependencies) from [sunfreeware.com|http://www.sunfreeware.com/]

Install NX
Download the *FREE* version of the [www.nomachine.com|http://www.nomachine.com] NX client, node, and server.
 * 1) install the files (i.e. "pkgadd -d")
 * 2) add to root's crontab (i.e. "crontab -e") the following:

0 0 * * * cp /dev/null /usr/NX/etc/user.db > /dev/null 2>&1

Configure Sendmail
In /etc/mail, edit sendmail.cf and submit.cf to contain:

Dj
DS

For example:

Djhosting.BLAH.com
DSsmtp-gateway.hosting.BLAH.com

If external DNS doesn't resolve your server's name (i.e. you can look up blah.edu but not server1.blah.edu) and you wish to receive mail from the server, then set the Dj in submit.cf like this: Djblah.edu

Configure Sudo
Add the admin group to sudoers. Run */usr/sbin/visudo* and add:

%admin     ALL=(ALL)     ALL

Configure SNMP
 * The SMF service that SNMP runs from is SMA.
 * SMA is started by the script /lib/svc/method/svc-sma.
 * The SMA script uses /etc/sma/snmp/snmpd.conf. You will need to edit this file.

 * 1) Change the line #DISABLE=YES to #DISABLE=NO
 * 2) Comment out the rwcommunity line
 * 3) Change the rocommunity password to either the sitewide community password or to something other than public
 * 4) Restart SNMP: svcadm restart sma
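The script below is an added example, not part of the original guide. It performs steps 1 to 3 above on a copy of snmpd.conf and then audits the result for the two things those steps are meant to remove: an active write community and the default community string "public". The sample file it writes and the community string SITE-RO-PLACEHOLDER are constructed for the demonstration; substitute the site's real read-only community when running it against /etc/sma/snmp/snmpd.conf.

```shell
#!/bin/sh
# Added example (not from the original guide): apply steps 1-3 above to a copy
# of snmpd.conf and audit the result. The community string is a placeholder
# supplied by the caller, never a real site value.

# Rewrite: flip #DISABLE=YES to #DISABLE=NO, comment out every rwcommunity
# line, and replace the default "public" read-only community with $3.
harden_snmpd_conf() {   # harden_snmpd_conf <in> <out> <new-ro-community>
    awk -v comm="$3" '
        /^#DISABLE=YES$/                              { print "#DISABLE=NO"; next }
        /^[ \t]*rwcommunity([ \t]|$)/                 { print "#" $0; next }
        /^[ \t]*rocommunity[ \t]/ && $2 == "public"   { $2 = comm }
        { print }
    ' "$1" > "$2"
}

# Audit: report active write communities and any use of "public". The exit
# status is the number of findings, so 0 means the file matches the guide.
audit_snmpd_conf() {   # audit_snmpd_conf <file>
    awk '
        BEGIN { n = 0 }
        /^[ \t]*#/ { next }
        $1 == "rwcommunity" { print "write community enabled: " $0; n++ }
        ($1 == "rocommunity" || $1 == "rwcommunity") && $2 == "public" {
            print "default community \"public\" in use: " $0; n++
        }
        END { exit n }
    ' "$1"
}

# Constructed sample standing in for /etc/sma/snmp/snmpd.conf (not a real file).
write_sample() {   # write_sample <path>
    cat > "$1" <<'EOF'
# constructed sample, not a real site configuration
#DISABLE=YES
rocommunity  public
rwcommunity  private
syslocation  Server Room
EOF
}

# Stand-alone run on the sample. Against the real file the calls would be
# harden_snmpd_conf /etc/sma/snmp/snmpd.conf /tmp/snmpd.conf.new "$SITE_RO"
# followed by a diff, a copy into place, and "svcadm restart sma".
demo_dir=$(mktemp -d)
write_sample "$demo_dir/snmpd.conf"
echo "before:"; audit_snmpd_conf "$demo_dir/snmpd.conf" || true
harden_snmpd_conf "$demo_dir/snmpd.conf" "$demo_dir/snmpd.conf.new" "SITE-RO-PLACEHOLDER"
echo "after:";  audit_snmpd_conf "$demo_dir/snmpd.conf.new" && echo "no findings"
rm -rf "$demo_dir"
```

The audit function is the useful half for ongoing checks: run it against the live file after patching or after JASS runs, since either can restore a stock snmpd.conf and bring "public" back.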

Configure NTP
Edit the /etc/inet/ntp.conf file to set up the NTP server. Usually it's the IP address of the default gateway. After it is configured, run "ntpdate" to bring the system time up to date, then do "svcadm enable ntp" to start NTP.

Configure SAR
 * Make sure user sys is in the /etc/cron.d/cron.allow file, if that file exists
 * Edit the crontab for user sys: crontab -e sys
 * Add the following lines:

0,10,20,30,40,50 * * * * /usr/lib/sa/sa1
5 0 * * * /usr/lib/sa/sa2 -s 8:00 -e 00:05 -i 600 -A