Solaris
Configure interface automatically with DHCP
Solaris can request an IP address and other networking information dynamically with DHCP. To permanently make an interface, for example hme0, obtain its IP address through DHCP, use the touch command to create the following two empty files as root:
touch /etc/dhcp.hme0
touch /etc/hostname.hme0
When you reboot, the interface will be dynamically configured. To bring up the interface using DHCP without rebooting, use the following command:
ifconfig hme0 dhcp start
The following commands can be used to display the DHCP lease information and release the DHCP lease, respectively:
ifconfig hme0 dhcp status
ifconfig hme0 dhcp release...
Simple Solaris IP Multipathing
IP multipathing consists of grouping two identical network cards together so that a live IP address can automatically fail over from one card to the other with no loss or degradation of service. The steps to accomplish this are as follows:
1. Ensure that both cards are seen by the system and have different MAC addresses
2. Group the cards together
3. Add a test IP address to the first card
4. Add a test IP address to the second card
5. Change the hostname.* files to keep these settings after a reboot
Before going into each of these steps in detail, a few points should be kept in mind with regard to assigning IP addresses. When activating IP multipathing on a server, a total of three IP addresses will be used. The private address space that you have typically uses a Class C address space, with only 254 usable addresses, so it is advised that only production servers get multipathed. Also, to keep the IP address space 'clean', the standard that has been adopted for IP assignmen...
Check hme ethernet link speed, duplex, and status in Solaris
When troubleshooting networking issues, it is often helpful to determine the state of an ethernet interface. Solaris offers access to many configurable networking parameters through ndd. To determine the ethernet interface link status, duplex, and speed on hme0, run the following commands as superuser:
ndd -set /dev/hme instance 0
ndd -get /dev/hme link_status
ndd -get /dev/hme link_mode
ndd -get /dev/hme link_speed
If you have only one ethernet interface, you can leave out the instance command. Otherwise, you can specify the hme instance number there. The results of the next three commands are either 1 or 0. In each case, the value means:
link_status: 0=down 1=up
link_mode: 0=half duplex 1=full duplex
link_speed: 0=10Mbps 1=100Mbps...
Remove a virtual interface in Solaris
Solaris allows multiple virtual or logical interfaces to exist with different IP addresses on the same physical interface. Virtual interfaces are created, or plumbed up, using the plumb directive in ifconfig. They are unplumbed using the unplumb directive. To remove the virtual interface eri1:7, run the following command as root:
ifconfig eri1:7 unplumb
See also: Create a virtual interface in Solaris...
Change the subnet mask of an interface
If a network interface was configured with the wrong subnet mask, as can happen when a classful default mask is applied to a network that uses variable length subnet masking, a simple configuration change will fix it. Consider a host that is assigned the IP address 10.50.90.15 in the class C sized subnet 10.50.90.0/24. The normal subnet mask for a class A 10.* network is 255.0.0.0, and this is the value that an operating system will guess given the IP address alone. To correct this problem permanently so that it persists after the host reboots, edit the /etc/netmasks file and add the following line:
10.50.90.0 255.255.255.0
To reconfigure the interface, say hme0, immediately without rebooting the system, run the following as root:
ifconfig hme0 10.50.90.15 netmask 255.255.255.0...
Get default route information
Get information about the default route (gateway):
route get default...
Add a default route
Add a default route (gateway).
Create an /etc/defaultrouter file containing the gateway IP to have it set at each boot.
route add default xxx.xxx.xxx.xxx...
Create a virtual interface in Solaris
Virtual interfaces allow a single ethernet interface to listen on additional IP addresses. Given an ethernet interface hme0 (use ifconfig -a to identify the names of your interfaces), you can create a subinterface called hme0:1 with the following command:
ifconfig hme0:1 plumb
You can set the IP address of the interface to 192.168.1.15 and turn on the interface with the following command:
ifconfig hme0:1 192.168.1.15 up
Unless you do some additional nonstandard things in your network, all of the subinterfaces on a physical interface need to be in the same subnet.
To make the virtual interface persist following a reboot, you can add the IP address, or a hostname from /etc/hosts, to the file /etc/hostname.hme0:1...
Solaris 10: set subnet mask in zone
There isn't a netmask setting available when creating a zone, and the /etc/netmasks file isn't consulted when plumbing up zone interfaces. This recipe describes how to force a netmask when creating a zone. To configure an IP address of 10.1.1.12 with a class C subnet mask (255.255.255.0, a 24 bit mask) on physical interface bge0, use these commands when running zonecfg to create the zone (substitute your IP address, netmask length, and physical interface as appropriate):
zonecfg:testzone>add net
zonecfg:testzone:net>set physical=bge0
zonecfg:testzone:net>set address=10.1.1.12/24
zonecfg:testzone:net>end
. . .
This configuration is only necessary when using a non-standard netmask...
RBAC: Solaris Role Based Access Control basics
Solaris 8 and 9 have a powerful, integrated mechanism originally available only in trusted environments. Role based access control (RBAC) implements an authorization system based on least privilege. In this model, multiple administrative roles can be created and associated with users such that an individual has only the access necessary to perform their delegated tasks, such as restarting privileged services, rebooting the system, or managing the print queue. RBAC allows finer-grained control when implementing security policies. This recipe is the first of a series about RBAC and provides an introduction to its components.
RBAC Overview:
Central to Role Based Access Control is the role. A role is similar to a user in that it has a user id, a password, and even a home directory. Roles also have associations to specific tasks or capabilities assigned to them. A user that is authorized to assume a role simply switches to that role using the su command just as they would traditionally switch use...
To log all Telnet, FTP connections to a Solaris machine
By default, the Solaris inetd daemon does not log the IP address of the machines that are connecting to the Solaris server. To enable the logging of all the IP addresses of machines connecting to the server and the connection time, the following changes can be incorporated:
1. cd /etc/init.d
2. vi inetsvc
3. Change the last line in the file, i.e.
/usr/sbin/inetd -s &
to /usr/sbin/inetd -s -t &
4. Stop and Start that script
./inetsvc stop
./inetsvc start
5. vi /etc/syslog.conf
6. Add the following line
daemon.notice /var/adm/name_of_log_file (the two fields should be separated by tabs)
7. touch /var/adm/name_of_log_file
8. kill -HUP syslogd
After these changes are made, all connections that are started through the inetd daemon (Telnet, FTP, etc.) will be...
Configuring C-2 Level Security in Solaris
According to the Orange Book, operating system security is evaluated and categorised into different levels such as D, C1, C2, B1, etc.
Normally all operating systems on the market tend to have the C1 level of security, while Trusted Solaris 8 is B-level certified. While the Solaris OE comes with C1 certification, it can be converted to C2 level certification with minimal effort.
Here are the steps for configuring Solaris to C2 level security:
cd /etc/security
There is a script in this directory, bsmconv, which when executed will convert the C1 level security to C2 level security.
./bsmconv
when this s...
Change the Solaris telnet banner
The default banner displayed during a telnet login contains the Solaris version, which can be useful to a potential attacker. Create a plain text file called /etc/default/telnetd which contains a line such as:
BANNER="Unauthorized access prohibited\n\n"
The \n characters encode blank lines...
Adding BANNER information in Solaris
Many tools on the net help to find the OS and the version of the OS that is used, and a widely used strategy is first to open a connection to the server: there you have all the information that is required, such as the OS and the version of the OS.
Changing the banner can only defend against tools which use the banner grabbing strategy to identify systems, and will not help against tools such as NMAP which use more advanced schemes for the same purpose.
The banner info can be stored in the /etc/issue file in Solaris; by default this file is empty. Populate the /etc/issue file with the necess...
Prevent Solaris users from changing file ownership (chown)
Users are typically able to change the owner of a file that they own. If you consider this a security risk or would like to prevent users from doing this for other reasons, follow the instructions in this recipe. To prevent users from changing the ownership of their files, add the following line (or change the line if it already exists) in /etc/system:
set rstchown=0
A reboot of the system is required to make the settings take effect. Be careful when editing the /etc/system file as errors in the file can prevent a successful boot. Making a backup of the /etc/system file before making changes can save massive amounts of effort. See this recipe for details.
To allow users to change their file ownership, use the following line in /etc/system:
set rstchown=1...
Enable/configure FC-AL/SAN devices with cfgadm in Solaris
Solaris 9 requires some tinkering to play with SANs. This recipe describes the procedure. Note: These steps are not required for Solaris 10, which includes everything you need to connect to a SAN, even to boot from it. If you cannot see your SAN from Solaris 10, check your connections and the SAN (doing a probe-scsi-all from the ok prompt will let you know if the host can see the SAN; if it can't, then Solaris will never be able to see it).
The Sun StorEdge SAN Foundation Suite must be installed first. It's available for download here.
Once that is installed and the host is rebooted, don't be sad that you still can't see your SAN. It's downhill from here. Running the cfgadm command allows you to see your system devices and manage them. Here's sample output:
# cfgadm -al
Ap_Id Type Receptacle Occupant Condition
c0 scsi-bus connected ...
Display Solaris system configuration with prtconf
The prtconf command is a valuable tool for determining the devices attached to a Solaris system. The total system memory is prominently displayed, and the devices and peripherals attached to the system are displayed in a tree format. Any user can run /usr/sbin/prtconf, and without any options it displays useful information about the system. At the top of the output are lines like these:
System Configuration: Sun Microsystems sun4u
Memory size: 2048 Megabytes
The first line shows the system architecture, sun4u, and the next line shows the total memory in the system. Piping this command through grep like
/usr/sbin/prtconf | grep Memory
is a quick way to find this value without wading through the device tree that follows.
Devices attached to the system are displayed in a hierarchical tree. The list is comprehensive, including potential devices that are not currently attached. Seeing a line ending in "(driver not attached)" indicates that there is not a corresponding devic...
Solaris 10: Create multi-terabyte UFS filesystem
Solaris 10 supports UFS filesystems up to 16TB (with files up to 1TB in case you get carried away writing the great American novel). To do this, the newfs command needs to be modified when creating the filesystem. Creating a multiterabyte filesystem (assuming you have a disk array with that much storage on hand) can be done by adding the -T option to newfs:
newfs -T /dev/rdsk/c0t1d0s1
The -T option forces the fragsize option to be equal to the logical block size (bsize). Fragsize determines the smallest chunk of disk space that can be used in a file; it can usually be a power-of-two fraction of the block size, but must be equal to the block size for big filesystems.
In addition, -T sets the number of bytes per inode (nbpi) to 1MB (1048576). When the filesystem is created, the total size of the filesystem is divided by nbpi to determine the number of inodes to create...
Get detailed Solaris memory information with prtdiag
A simple command will provide detailed information about the specific memory configuration of a Sun server, such as the sizes and locations of memory banks. This can save cracking open the case and the associated downtime. The prtdiag command displays useful information about the processors, IO devices, and memory attached to the system. The only trick is finding the program. It lives under the /usr/platform directory in a subdirectory corresponding to the hardware platform on which it is running. If you change directory to /usr/platform and look at the directory listing, you'll see a product catalog of Sun hardware and some generic platform types (like sun4u). Identify the platform you are on (uname -i will work nicely), change into that directory, and then into the sbin subdirectory there. For example, on a Sun V210, the path would be /usr/platform/SUNW,Sun-Fire-V210/sbin. Run the command as ./prtdiag (piping it through more wouldn't hurt). Here is a snippet of ou...
Solaris: disk usage of all users on a filesystem
The quot command provides a quick measure of the disk usage of multiple users on a filesystem. The quot command must be run as, or with the privileges of, root. Here is sample output for the quot command:
quot /usr
/dev/rdsk/c0t0d0s3:
851637 root
690088 bin
25828 daemon
16880 #5115
10025 #317
8568 mailsrv
6326 qmchenry
767 uucp
295 adm
202 nobody
46 lp
In this output, the raw device of the filesystem is shown first. The username is provided if known. The numeric uids 5115 and 317 own files but are unassociated with a username in /etc/passwd as is common when files are untarred from another system.
The -a option can be used in place of the filesystem to check (/usr in that example) and will make quot iterate through all mounted filesystems. The -f option will add a middle column containing the number of files owned by each user.
The q...