1. Running Solaris in 32 or 64 bit mode

1) Finding the running mode
# isainfo -v
64-bit sparcv9 applications
32-bit sparc applications
2) Booting in 32 bit mode
ok> boot kernel/unix
or, to make it the default boot file:
# eeprom boot-file=kernel/unix
3) Booting in 64 bit mode
ok> boot kernel/sparcv9/unix
or, to make it the default boot file:
# eeprom boot-file=kernel/sparcv9/unix
... and reboot the system.
For a 64 bit kernel on an UltraSPARC-I CPU, also edit /platform/<platform-name>/boot.conf and
uncomment the line that sets the variable ALLOW_64BIT_KERNEL_ON_UltraSPARC_1_CPU to true:
ALLOW_64BIT_KERNEL_ON_UltraSPARC_1_CPU=true
... and reboot the system.
If the diag switch (diag-switch?) is set to true, the diag-file variable has to be set as well:
for 32 bit
# /usr/sbin/eeprom diag-file="kernel/unix"
for 64 bit
# /usr/sbin/eeprom diag-file="kernel/sparcv9/unix"
2. Backup commands - ufsdump, tar, cpio
ufsdump
1. Used for complete file system backup.
2. It copies everything in a file system, from regular files to special character and block device
files.
3. It can work on mounted or unmounted file systems.
tar
1. Used for single or multiple file backup.
2. Can't back up special character & block device files.
3. Works only on a mounted file system.
Identifying the tape device
dmesg | grep st
Checking the status of the tape drive
mt -f /dev/rmt/0 status
Backing up a file system using ufsdump (dump level 0, i.e. a full dump)
ufsdump 0cvf /dev/rmt/0 /dev/rdsk/c0t0d0s0
or
ufsdump 0cvf /dev/rmt/0 /usr

To restore a dump with ufsrestore
ufsrestore rvf /dev/rmt/0
ufsrestore in interactive mode, allowing selection of individual files and directories with the add, ls,
cd, pwd and extract commands:
ufsrestore ivf /dev/rmt/0
Making a copy of a disk slice using ufsdump
ufsdump 0f - /dev/rdsk/c0t0d0s7 | (cd /mnt/backup; ufsrestore xf -)
Backing up all files in a directory including subdirectories to a tape device (/dev/rmt/0)
tar cvf /dev/rmt/0 .
(use . rather than * so that dot files are included as well)
Viewing a tar backup on a tape
tar tvf /dev/rmt/0
Extracting a tar backup from the tape
tar xvf /dev/rmt/0
(Restoration goes to the present directory or to the original backup path, depending on whether relative
or absolute path names were used for the backup)
Backup using cpio
find . -depth -print | cpio -ovcB > /dev/rmt/0
Viewing cpio files on a tape (-c is needed to read the header format written above)
cpio -ivctB < /dev/rmt/0
Restoring a cpio backup
cpio -ivcB < /dev/rmt/0
Compressing a file
compress -v file_name
gzip filename
To uncompress a file
uncompress file_name.Z
or
gunzip filename
3. Setting up ethernet card speed and duplex mode in Solaris
1. Command line: changes are lost on system reboot.
- set the device instance (for multiport cards); this makes the following commands apply to hme0:
ndd -set /dev/hme instance 0
- query parameters for the set instance:
ndd -get /dev/hme link_status        0 = link down, 1 = link up
ndd -get /dev/hme link_speed         0 = 10 Mbit, 1 = 100 Mbit
ndd -get /dev/hme link_mode          0 = half duplex, 1 = full duplex
ndd -get /dev/hme adv_autoneg_cap    0 = no autonegotiation, 1 = autonegotiation enabled
- set parameters, e.g. to enable autonegotiation for hme0:
ndd -set /dev/hme instance 0
ndd -set /dev/hme adv_autoneg_cap 1

2. Permanent changes: kept across reboots.
Edit the /etc/system file and add these parameters. The order matters. The values below turn
autonegotiation off and force 100 Mbit full duplex:
set hme:hme_adv_autoneg_cap=0
set hme:hme_adv_100T4_cap=0
set hme:hme_adv_100fdx_cap=1
set hme:hme_adv_100hdx_cap=0
set hme:hme_adv_10fdx_cap=0
set hme:hme_adv_10hdx_cap=0
4. Ethernet mode setting on x86 is done in the driver's .conf file.
100 Mbit full duplex on elxl0 in Solaris x86: edit /kernel/drv/elxl.conf and uncomment the
full-duplex=1; and speed=100; lines:
#ident "@(#)elxl.conf 1.3 98/02/23 SMI"
#
# Copyright (c) 1998, by Sun Microsystems, Inc.
# All rights reserved.
#
# Driver.conf file for the 3Com 3C90x
#
# To force full duplex operation, uncomment the following line:
# full-duplex=1;
#
# To force half duplex operation, uncomment the following line:
# full-duplex=0;
#
# To force 10Mbps operation, uncomment the following line:
# speed=10;
#
# To force 100Mbps operation, uncomment the following line:
# speed=100;
#
5. List the highest disk space users in the /home directory
du -k /home | sort -nr | pg
(sort -nr sorts the output in reverse numerical order, giving the highest at the top)

System security
1. Latest patches
Any operating system may have security bugs that are only discovered once the system is used in a
live environment. Apply whatever patches are available to date to close the already discovered
security holes, and watch for information about new security-related bugs. There is usually a delay
between the discovery of a security hole and the availability of its patch, so the best strategy is to
stay informed by reading the OS vendor's security bulletins, disabling the affected service (or
monitoring it closely) and applying patches as soon as they are available.

A perl script, patchk, is available at sunsolve.sun.com which can be used to identify and compare
the existing patches and download the latest ones.
2. Access to the system
Limit root access
Limit direct root login by making sure the CONSOLE entry in /etc/default/login is not commented
out. If secure shell is used to access the systems, edit sshd_config and ssh_config to disable
root access:
sshd_config
PermitRootLogin no
PermitEmptyPasswords no
AllowHosts <host list>
AllowUsers <user list>
ssh_config
ForwardX11 no
PasswordAuthentication no
Host based authentication is more secure as it is based on private and public keys, and only users
with the keys are allowed to connect. Password authentication is less secure as passwords can be
guessed or cracked by programs.
Limit su capabilities
Allow only a few selected members of a group to use su, to prevent unauthorized access by
guessing the root password. Create a system administrators group, change the owner of su to root
and its group to the administrators group, and change the permissions of su so that only members of
this group have execute permission.
Remote access files
.rhosts, .netrc and hosts.equiv are the files that grant access to the remote systems and should be
monitored carefully. They should be checked regularly for unauthorized entries or, if not needed, can
be created with zero permissions (chmod 0). This prevents the creation of a new file of the same name
with entries that would grant access.
Keep access logs:
The sulog file records su attempts on the system; similarly a loginlog file can be created by
touching /etc/loginlog, which keeps all the login information. The last command also gives useful
information about who has accessed the system.

3. Run level and network services
Stop unnecessary services at run levels:
The /etc/rc2.d and /etc/rc3.d directories hold scripts that are run at boot time or when the run level
changes. By default a number of services are started, of which only a few might be required. In most
cases, particularly in a production environment, certain services are not required at all but open
ports through which the system can be entered.
Evaluate your system requirements and look at the rc scripts; disable the ones that are not required
by changing the capital S at the beginning of the script name to a lowercase s (the rc scripts only
run files whose names begin with S or K). Requirements vary from system to system, but check whether
you need the following services and disable them if not:

Enabled          Disabled
S71ldap.client   s71ldap.client
S72autoinstall   s72autoinstall
S72slpd          s72slpd
S88sendmail      s88sendmail
S73nfs.client    s73nfs.client
S74autofs        s74autofs
S99dtlogin       s99dtlogin
S15nfs.server    s15nfs.server
Stop unnecessary and insecure network services:
/etc/inetd.conf has entries for about fifty network services, and most of them are started by default.
Some of these services are insecure (telnet, ftp) and some are not required at all. These services
can let an intruder in by exposing system information and open ports: finger, sysstat and netstat,
for example, provide useful information about the users, system and network. Depending on the
application's requirements, such services should be stopped by commenting out the corresponding
entry in /etc/inetd.conf.
ftp should be disabled and secure copy (scp) used instead. If you must use ftp, limit the users who
can ftp to the system: the /etc/ftpusers file can be created to hold the list of users that are denied
ftp access.
4. ip module
Control the IP behaviour:
The IP module can be tuned to prevent the forwarding and redirecting of packets and requests for
information from the system. These parameters can be set with ndd to the values given below to limit
these features:
ndd -set /dev/ip ip_forward_directed_broadcasts 0
ndd -set /dev/ip ip_forward_src_routed 0
ndd -set /dev/ip ip_ignore_redirect 1
ndd -set /dev/ip ip_ire_flush_interval 60000
ndd -set /dev/ip ip_ire_arp_interval 60000
ndd -set /dev/ip ip_respond_to_echo_broadcast 0
ndd -set /dev/ip ip_respond_to_timestamp 0
ndd -set /dev/ip ip_respond_to_timestamp_broadcast 0
ndd -set /dev/ip ip_send_redirects 0
To see a list of all parameters for a particular driver, run ndd on the device and answer ? at the prompt:
# ndd /dev/ip
name to get/set ? ?
To get the value of a particular parameter:
# ndd -get /dev/ip ip_respond_to_timestamp_broadcast
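As an added example (not part of the original notes), the following script compares the running IP tunables against the baseline above and reports anything that has drifted, which is useful as a periodic check because ndd settings do not survive a reboot. It assumes ndd is in PATH and that it runs as root.

```shell
#!/bin/sh
# Added example, not from the original notes: audit the live IP tunables
# against the baseline listed above and put them back when they drift.
# Assumes ndd(1M) is in PATH and that the script runs as root. ndd changes
# do not survive a reboot, so the apply step belongs in a startup script.

# Baseline from the notes: "parameter expected_value", one per line.
IP_BASELINE='ip_forward_directed_broadcasts 0
ip_forward_src_routed 0
ip_ignore_redirect 1
ip_ire_flush_interval 60000
ip_ire_arp_interval 60000
ip_respond_to_echo_broadcast 0
ip_respond_to_timestamp 0
ip_respond_to_timestamp_broadcast 0
ip_send_redirects 0'

# Print "param current=X expected=Y" for every parameter that deviates.
# Returns 0 when the whole baseline is met, 1 otherwise.
audit_ip_hardening() {
    deviations=$(printf '%s\n' "$IP_BASELINE" | while read -r param expected; do
        current=$(ndd -get /dev/ip "$param" 2>/dev/null) || current=unreadable
        [ "$current" = "$expected" ] || echo "$param current=$current expected=$expected"
    done)
    [ -z "$deviations" ] && return 0
    printf '%s\n' "$deviations"
    return 1
}

# Set every baseline parameter; returns non-zero if any ndd -set failed.
apply_ip_hardening() {
    printf '%s\n' "$IP_BASELINE" | while read -r param expected; do
        ndd -set /dev/ip "$param" "$expected" || exit 1
    done
}

case "${1:-}" in
    audit) audit_ip_hardening ;;
    apply) apply_ip_hardening && audit_ip_hardening ;;
esac
```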
5. System file, /etc/system
Add the following lines to /etc/system to make the user stack non-executable, so that a buffer
overflow cannot be used to run malicious code placed on the stack, and to log attempts to do so:
set noexec_user_stack=1
set noexec_user_stack_log=1
Depending on the requirement, all or a combination of the above suggestions can be implemented.
Certain application software, web servers etc. have their own parameters for securing access and
data, so besides the Solaris parameters those have to be taken into consideration as well to secure
the system completely.
6. sadmind daemon vulnerability:
The sadmind daemon is used for distributed system administration operations in the Solstice
AdminSuite applications. In its default configuration sadmind uses a set of clear text Remote
Procedure Calls (RPC) to authenticate between two machines. An attacker can construct RPC
packets that forge a valid client identity and get it validated. Once the sadmind client has
authenticated, the attacker can perform any command on the remote system, even with root
privileges.
Protecting against the sadmind vulnerability
sadmind is controlled through the file /etc/inetd.conf by the following entry:
100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind
In this configuration sadmind uses cleartext hostnames and authentication credentials, as the
default security level is "no security".
There are two ways to deal with this situation:
1. Completely disable sadmind in inetd.conf if it is not required, by commenting out the sadmind
line or removing it altogether:
#100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind
Restart inetd:
# /usr/bin/pkill -HUP inetd
2. Increase the level of security by requiring DES encryption for the authentication mechanism,
adding the '-S 2' flag to the end of the sadmind line in inetd.conf:
100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind -S 2
Restart inetd:
# /usr/bin/pkill -HUP inetd
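The following script is an added example, not from the original notes, covering the service trimming of section 3 together with the sadmind change of this section: it comments out inetd.conf entries, appends the -S 2 flag to an active sadmind line, lowercases rc script names, and reports what is still enabled. The inetd.conf excerpt and rc2.d tree it builds are constructed for illustration; point the functions at copies of the real files first.

```shell
#!/bin/sh
# Added example, not from the original notes: trim the boot-time service
# surface described in sections 3 and 6. Every function takes the file or
# directory it should work on, so it can be rehearsed on copies; the sample
# tree built by make_sample is constructed for illustration.

tab=$(printf '\t')

# Comment out the inetd.conf entry whose service field (column 1) is $2.
inetd_disable() {               # usage: inetd_disable <inetd.conf> <service>
    sed "s|^$2[ $tab]|#&|" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Append "-S 2" (DES authentication) to an active sadmind entry lacking it.
sadmind_harden() {              # usage: sadmind_harden <inetd.conf>
    sed 's|^\([^#].*/usr/sbin/sadmind sadmind\)$|\1 -S 2|' "$1" > "$1.tmp" \
        && mv "$1.tmp" "$1"
}

# List the service names still active (uncommented, non-blank lines).
inetd_enabled() {               # usage: inetd_enabled <inetd.conf>
    awk '!/^[ \t]*#/ && NF { print $1 }' "$1"
}

# Disable an rc script by lowercasing its leading S; rc runs only S*/K* names.
rc_disable() {                  # usage: rc_disable <rc dir> <Snnname>
    case "$2" in S*) mv "$1/$2" "$1/s${2#S}" ;; esac
}

# List the scripts an rc directory will still start at boot.
rc_enabled() {                  # usage: rc_enabled <rc dir>
    for f in "$1"/S*; do
        if [ -e "$f" ]; then basename "$f"; fi
    done
}

# Constructed sample tree mirroring the notes (not the live /etc).
make_sample() {                 # usage: make_sample <dir>
    mkdir -p "$1/rc2.d"
    : > "$1/rc2.d/S72slpd"
    : > "$1/rc2.d/S88sendmail"
    : > "$1/rc2.d/S99dtlogin"
    cat > "$1/inetd.conf" <<'EOF'
# constructed excerpt of /etc/inetd.conf
ftp     stream  tcp     nowait  root    /usr/sbin/in.ftpd     in.ftpd
telnet  stream  tcp     nowait  root    /usr/sbin/in.telnetd  in.telnetd
finger  stream  tcp     nowait  nobody  /usr/sbin/in.fingerd  in.fingerd
100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind
EOF
}
```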
7. Root kit:
In some cases the intruders install a "root kit" which changes various files on the system in order
to gain super user privileges and to conceal the compromise.
You can determine with the pkgchk command whether the following files have changed:
/bin/su
/usr/sbin/ping
/usr/bin/du
/usr/bin/passwd
/usr/bin/find
/bin/ls
/bin/netstat
/usr/bin/strings
If an error is reported for any of these files, the system is compromised. The best resort in these
cases is to take the system off the network and do a fresh operating system installation.
srload:
srload is a part of a root kit, used by the attackers to get SSH access on a non-standard port.
Compromised systems have the following line in /etc/inittab:
SV:23:respawn:/usr/bin/srload -D -q
and may have the following file modified, along with other files:
/etc/rcS.d/S30rootusr.sh
The immediate action is to disable srload by removing its entry from /etc/inittab after booting in
single user mode, and to remove the srload binary from /usr/bin or wherever else it is located.
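As an added example (not from the original notes), this script lists the respawn entries in an inittab that are not on a short allowlist of what a stock Solaris inittab respawns, which is how the srload line above would surface, and wraps pkgchk over the binaries listed earlier. The allowlist paths are an assumption to be confirmed against a known-good host, and the sample inittab is constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original notes: surface persistence of the
# srload kind by listing every respawn entry in an inittab whose program is
# not one a stock Solaris inittab respawns. The allowlist below is an
# assumption to be confirmed against a known-good host, and the sample
# inittab is constructed for illustration.

# Programs a stock inittab respawns (assumed; compare with a clean system).
RESPAWN_ALLOW='/usr/lib/saf/sac /usr/lib/saf/ttymon'

# Print "id program" for each respawn entry outside the allowlist.
# Returns 0 when nothing unexpected respawns, 1 otherwise.
inittab_respawn_audit() {       # usage: inittab_respawn_audit <inittab>
    hits=$(awk -F: '!/^[ \t]*#/ && $3 == "respawn" {
                split($4, cmd, " "); print $1, cmd[1] }' "$1" |
        while read -r id prog; do
            case " $RESPAWN_ALLOW " in
                *" $prog "*) ;;
                *) echo "$id $prog" ;;
            esac
        done)
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# Check the binaries the notes list against the package database; pkgchk
# reports any whose size, checksum or permissions differ from the install.
rootkit_file_check() {
    pkgchk -p "/bin/su,/usr/sbin/ping,/usr/bin/du,/usr/bin/passwd,\
/usr/bin/find,/bin/ls,/bin/netstat,/usr/bin/strings"
}

# Constructed sample: a stock-looking inittab plus the entry from the notes.
make_sample_inittab() {         # usage: make_sample_inittab <file>
    cat > "$1" <<'EOF'
ap::sysinit:/sbin/autopush -f /etc/iu.ap
fs::sysinit:/sbin/rcS sysinit >/dev/msglog 2<>/dev/msglog </dev/console
is:3:initdefault:
sc:234:respawn:/usr/lib/saf/sac -t 300
co:234:respawn:/usr/lib/saf/ttymon -g -h -p "`uname -n` console login: " -T sun -d /dev/console -l console
SV:23:respawn:/usr/bin/srload -D -q
EOF
}
```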

Error messages
fsck is a Unix utility for checking and repairing file system inconsistencies. A file system can
become inconsistent for several reasons, the most common being an abnormal shutdown due to
hardware failure, power failure or switching off the system without a proper shutdown. In these cases
the superblock in the file system is not updated and holds information about data blocks, free blocks
and inodes that no longer matches the file system.
Modes of operation:
fsck operates in two modes, interactive and non-interactive:
Interactive: fsck examines the file system, stops at each error it finds, describes the problem and
asks for a user response, usually whether to correct the problem or to continue without changing the
file system.
Non-interactive: fsck tries to repair all the problems it finds in a file system without stopping for
a user response. This is useful when a file system has a large number of inconsistencies, but has the
disadvantage of removing files that are detected to be corrupt, some of which may be useful.
If a file system is found to have problems at boot time, non-interactive fsck is run and all errors
that are considered safe to correct are corrected. If the file system still has problems, the system
boots into single user mode and asks the user to run fsck manually to correct them.
Running fsck:
fsck should always be run in single user mode, which ensures a proper repair of the file system. If it
is run on a busy system where the file system is changing constantly, fsck may see the changes as
inconsistencies and may corrupt the file system.
If the system cannot be brought into single user mode, fsck should be run on the partitions other
than root and usr after unmounting them. The root and usr partitions cannot be unmounted; if the
system fails to come up due to root/usr file system corruption, it can be booted from CD and the
root/usr partitions repaired with fsck.
Command syntax:
fsck [-F fstype] [-V] [-yY] [-o options] special
-F fstype      type of file system to be repaired (ufs, vxfs etc.)
-V             verifies the command line syntax but does not run the command
-y or -Y       run the command in non-interactive mode: repair all errors encountered without
               waiting for a user response
-o options     three options can be specified with the -o flag:
   b=n         where n is the block number of an alternate superblock, used when the primary
               superblock of the file system is corrupted
   p           make only the safe repairs, as during the booting process
   f           force the file system check regardless of its clean flag
special        block or character device name of the file system to be checked/repaired, for
               example /dev/rdsk/c0t3d0s4. The character (raw) device should be used for
               consistency checks and repairs.
Phases:
fsck checks the file system in a series of 5 phases, each checking a specific aspect of the file
system:
** phase 1 - Check Blocks and Sizes
** phase 2 - Check Pathnames
** phase 3 - Check Connectivity
** phase 4 - Check Reference Counts
** phase 5 - Check Cylinder Groups
Error messages & corrective action:
1. Corrupted superblock - fsck fails to run
If the superblock is corrupted, the file system can still be repaired using an alternate superblock,
which is written when the file system is created.
The first alternate superblock is at block 32; the other alternate superblock numbers can be found
using the following command:
newfs -N /dev/rdsk/c0t0d0s6
For example, to run fsck using the first alternate superblock:
fsck -F ufs -o b=32 /dev/rdsk/c0t0d0s6
2. Link count adjustment: fsck finds a mismatch between directory inode link counts and the actual
directory links and, in interactive operation, prompts for an adjustment. Link count adjustments are
considered a safe operation on a file system and should be repaired by answering 'y' to the ADJUST?
prompt during fsck.
3. Free block count salvage: during fsck the number of free blocks listed in the superblock and the
actual count of unallocated free blocks do not match. fsck reports this mismatch and asks to salvage
the free block count to synchronize the superblock count. This error can be corrected without any
potential problem to the file system or files.
4. Unreferenced file reconnection: while checking connectivity fsck finds some inodes which are
allocated but not referenced, i.e. not attached to any directory. Answering y to the reconnect
message links these files into the lost+found directory with their inode number as their name.

To get more information about the files in lost+found, the file command can be used to see the type
of each file, and they can subsequently be opened in their applications or text editors to find out
about their contents. If a file is found to be intact it can be used after copying it to some other
directory and renaming it.
