Wednesday, October 27, 2010
JASS: Enable Veritas Netbackup Services in JASS
Once you have installed JASS you will need to edit specific files to customize it to the needs of each site.
In this case, if you have installed Veritas Netbackup and your host is hardened with JASS, you will run into problems with the Netbackup services and their TCP wrappers.
You will need to tell JASS to enable the Netbackup daemons and open the ports they use.
From the SUNWjass folder you will need to edit the following files:
./Files/etc/hosts.allow-server
./Drivers/server-secure.driver
./Drivers/finish.init
Grant access to the following Netbackup services by adding these lines to the JASS ./Files/etc/hosts.allow-server file:
bpcd: ALL
vnetd: ALL
vopied: ALL
bpjava-msvc: ALL
Update the finish script to enable the following Netbackup services. In the ./Drivers/finish.init file, locate the JASS_SVCS_ENABLE section and add the following service strings inside the if statement.
Before:
if [ -z "${JASS_SVCS_ENABLE}" ]; then
JASS_SVCS_ENABLE=""
fi
export JASS_SVCS_ENABLE
After:
if [ -z "${JASS_SVCS_ENABLE}" ]; then
JASS_SVCS_ENABLE="
svc:/network/vnetd/tcp:default
svc:/network/bpjava-msvc/tcp:default
svc:/network/bpcd/tcp:default
svc:/network/vopied/tcp:default"
fi
export JASS_SVCS_ENABLE
Update the secure driver script to enable the same Netbackup services. In ./Drivers/server-secure.driver, locate the JASS_SVCS_ENABLE variable and add the Netbackup daemons and services.
Before:
JASS_SVCS_ENABLE="${JASS_SVCS_ENABLE} dtspc rstatd 100155
svc:/network/rpc/rstat:default
svc:/network/rpc/smserver:default "
After:
JASS_SVCS_ENABLE="${JASS_SVCS_ENABLE} dtspc rstatd 100155 bpcd bpjava-msvc vnetd vopied
svc:/network/rpc/rstat:default
svc:/network/rpc/smserver:default
svc:/network/vnetd/tcp:default
svc:/network/bpjava-msvc/tcp:default
svc:/network/bpcd/tcp:default
svc:/network/vopied/tcp:default "
Run JASS hardening to complete the configuration changes:
# /opt/SUNWjass/bin/jass-execute -d server-secure.driver
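The hosts.allow entries above open the Netbackup daemons to ALL clients, so it is worth checking the wrapper scope after editing. The following script is an added example, not from the original post or the JASS package: it audits a hosts.allow-server fragment for the four daemons and reports whether each is missing, open to ALL, or scoped to named hosts; the sample fragment and the nbmaster.example.com name are constructed.

```shell
#!/bin/sh
# Added example (not part of the original post): audit a JASS hosts.allow-server
# fragment for the four NetBackup daemons the post opens through TCP wrappers.
# Per daemon it prints "daemon:status", where status is
#   missing - no rule, so the TCP wrapper will refuse the connection
#   open    - rule grants ALL (what the post uses): any client may connect
#   scoped  - rule names specific hosts or networks
NB_DAEMONS="bpcd vnetd vopied bpjava-msvc"

# Reads the hosts.allow fragment on stdin.
audit_hosts_allow() {
    rules=$(sed 's/#.*//')          # drop comments, keep "daemon: clients" lines
    for d in $NB_DAEMONS; do
        # first rule whose daemon list is exactly this daemon
        rule=$(printf '%s\n' "$rules" | grep -E "^[[:space:]]*$d[[:space:]]*:" | head -n 1)
        if [ -z "$rule" ]; then
            echo "$d:missing"
        elif printf '%s\n' "$rule" | cut -d: -f2 | grep -qE '(^|[[:space:],])ALL([[:space:],]|$)'; then
            echo "$d:open"          # ALL (or ALL EXCEPT ...) in the client list
        else
            echo "$d:scoped"
        fi
    done
}

# Constructed sample fragment: bpcd scoped to a placeholder master server,
# vnetd and vopied wide open as in the post, bpjava-msvc not listed at all.
audit_hosts_allow <<'EOF'
# hosts.allow-server (constructed sample, not a real site file)
sshd: ALL
bpcd: nbmaster.example.com   # placeholder NetBackup master server name
vnetd: ALL
vopied: ALL EXCEPT 10.0.0.0/255.0.0.0
EOF
```

A scoped entry for bpcd and vnetd normally lists the NetBackup master and media servers that need to reach the client.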
Monday, October 25, 2010
veritas: Disk mirroring using Veritas Volume Manager
This post presents a short introduction to mirroring disks using Veritas Volume Manager (VxVM).
In this case you will see that two separate sets of storage array disks can be mirrored within a single disk group without interruption.
The following vxprint output shows the contents of disk group dgprdnfs. It is made up of a number of small disks, all from a single controller/storage array, c3. The disks are laid out across three concatenated volumes: volprdnfs1, volprdnfs2 and volprdnfs3.
# vxprint -qhtg dgprdnfs
dg dgprdnfs default default 16000 1106535203.86.eap42
dm c3t0d52 c3t0d52s2 auto 2048 53028096 -
dm c3t0d53 c3t0d53s2 auto 2048 53028096 -
dm c3t0d54 c3t0d54s2 auto 2048 53028096 -
dm c3t0d55 c3t0d55s2 auto 2048 53028096 -
dm c3t0d122 c3t0d122s2 auto 2048 53026176 -
dm c3t0d123 c3t0d123s2 auto 2048 53026176 -
dm c3t0d124 c3t0d124s2 auto 2048 53026176 -
dm c3t0d125 c3t0d125s2 auto 2048 53026176 -
dm c3t0d126 c3t0d126s2 auto 2048 53026176 -
dm c3t0d127 c3t0d127s2 auto 2048 53026176 -
dm c3t0d128 c3t0d128s2 auto 2048 53026176 -
dm c3t0d129 c3t0d129s2 auto 2048 53026176 -
dm c3t0d130 c3t0d130s2 auto 2048 53026176 -
dm c3t0d131 c3t0d131s2 auto 2048 53026176 -
dm c3t0d132 c3t0d132s2 auto 2048 53026176 -
dm c3t0d133 c3t0d133s2 auto 2048 53026176 -
dm c3t0d203 c3t0d203s2 auto 2048 53026176 -
dm dgprdnfs01 c3t0d12s2 auto 2048 53028096 -
dm dgprdnfs02 c3t0d13s2 auto 2048 53028096 -
dm dgprdnfs03 c3t0d14s2 auto 2048 53028096 -
dm dgprdnfs04 c3t0d18s2 auto 2048 53028096 NOHOTUSE
v volprdnfs1 - ENABLED ACTIVE 943718400 SELECT - fsgen
pl volprdnfs1-01 volprdnfs1 ENABLED ACTIVE 943718400 CONCAT - RW
sd dgprdnfs01-01 volprdnfs1-01 dgprdnfs01 0 53028096 0 c3t0d12 ENA
sd dgprdnfs02-01 volprdnfs1-01 dgprdnfs02 0 9886464 53028096 c3t0d13 ENA
sd dgprdnfs02-03 volprdnfs1-01 dgprdnfs02 19772928 33255168 62914560 c3t0d13 ENA
sd dgprdnfs04-01 volprdnfs1-01 dgprdnfs04 0 39544576 96169728 c3t0d18 ENA
sd c3t0d52-01 volprdnfs1-01 c3t0d52 0 53028096 135714304 c3t0d52 ENA
sd c3t0d53-01 volprdnfs1-01 c3t0d53 0 53028096 188742400 c3t0d53 ENA
sd c3t0d54-01 volprdnfs1-01 c3t0d54 0 53028096 241770496 c3t0d54 ENA
sd c3t0d55-01 volprdnfs1-01 c3t0d55 0 50630912 294798592 c3t0d55 ENA
sd c3t0d126-02 volprdnfs1-01 c3t0d126 53024 48247168 345429504 c3t0d126 ENA
sd c3t0d127-01 volprdnfs1-01 c3t0d127 0 53026176 393676672 c3t0d127 ENA
sd c3t0d128-01 volprdnfs1-01 c3t0d128 0 53026176 446702848 c3t0d128 ENA
sd c3t0d129-01 volprdnfs1-01 c3t0d129 0 53026176 499729024 c3t0d129 ENA
sd c3t0d130-01 volprdnfs1-01 c3t0d130 0 53026176 552755200 c3t0d130 ENA
sd c3t0d131-01 volprdnfs1-01 c3t0d131 0 53026176 605781376 c3t0d131 ENA
sd c3t0d132-01 volprdnfs1-01 c3t0d132 0 53026176 658807552 c3t0d132 ENA
sd c3t0d133-01 volprdnfs1-01 c3t0d133 0 53026176 711833728 c3t0d133 ENA
sd dgprdnfs04-02 volprdnfs1-01 dgprdnfs04 39544576 13483520 764859904 c3t0d18 ENA
sd c3t0d55-02 volprdnfs1-01 c3t0d55 50630912 1898016 778343424 c3t0d55 ENA
sd c3t0d123-03 volprdnfs1-01 c3t0d123 132064 52894112 780241440 c3t0d123 ENA
sd c3t0d124-03 volprdnfs1-01 c3t0d124 130320 52895856 833135552 c3t0d124 ENA
sd c3t0d125-02 volprdnfs1-01 c3t0d125 65168 52961008 886031408 c3t0d125 ENA
sd c3t0d126-03 volprdnfs1-01 c3t0d126 48300192 4725984 938992416 c3t0d126 ENA
v volprdnfs2 - ENABLED ACTIVE 115343360 SELECT - fsgen
pl volprdnfs2-01 volprdnfs2 ENABLED ACTIVE 115343360 CONCAT - RW
sd dgprdnfs02-02 volprdnfs2-01 dgprdnfs02 9886464 9886464 0 c3t0d13 ENA
sd dgprdnfs03-01 volprdnfs2-01 dgprdnfs03 0 53028096 9886464 c3t0d14 ENA
sd c3t0d203-01 volprdnfs2-01 c3t0d203 0 52428800 62914560 c3t0d203 ENA
v volprdnfs3 - ENABLED ACTIVE 53026176 SELECT - fsgen
pl volprdnfs3-01 volprdnfs3 ENABLED ACTIVE 53026176 CONCAT - RW
sd c3t0d122-01 volprdnfs3-01 c3t0d122 0 53026176 0 c3t0d122 ENA
To start the mirroring process I have been given a set of new disks. These disks need to be equal in size to, or larger than, the volumes being mirrored. Notice that these disks are on a separate controller/storage array, c4.
# vxdisk -o alldgs list|grep c4
c4t2d1s2 auto:none - - online invalid
c4t2d2s2 auto:none - - online invalid
c4t2d3s2 auto:none - - online invalid
Add the new disks for mirroring to the same disk group as the source:
# vxdg -g dgprdnfs adddisk c4t2d1=c4t2d1s2
# vxdg -g dgprdnfs adddisk c4t2d2=c4t2d2s2
# vxdg -g dgprdnfs adddisk c4t2d3=c4t2d3s2
# vxdisk -o alldgs list|grep c4
c4t2d1s2 auto:cdsdisk c4t2d1 dgprdnfs online
c4t2d2s2 auto:cdsdisk c4t2d2 dgprdnfs online
c4t2d3s2 auto:cdsdisk c4t2d3 dgprdnfs online
Create the mirrors, specifying the new disk to use for each volume:
# vxassist -g dgprdnfs -b mirror volprdnfs1 alloc=c4t2d1
# vxassist -g dgprdnfs -b mirror volprdnfs2 alloc=c4t2d2
# vxassist -g dgprdnfs -b mirror volprdnfs3 alloc=c4t2d3
After the above steps the following vxprint output shows the new set of c4 disks attached to the dgprdnfs disk group. Notice the size in sectors of each disk, which must be equal to or larger than the total size of the volume being mirrored.
With the vxassist mirror command above we have started the mirroring process. Notice that it has created a new plex for each volume (volprdnfs1-02, volprdnfs2-02, volprdnfs3-02). Each new plex is in the TEMPRMSD state, meaning a newly attached temporary plex: VxVM is copying the volume contents into the new plex, and it will not be considered an active copy until the process has completed.
# vxprint -qhtg dgprdnfs
dg dgprdnfs default default 16000 1106535203.86.eap42
dm c3t0d52 c3t0d52s2 auto 2048 53028096 -
dm c3t0d53 c3t0d53s2 auto 2048 53028096 -
dm c3t0d54 c3t0d54s2 auto 2048 53028096 -
dm c3t0d55 c3t0d55s2 auto 2048 53028096 -
dm c3t0d122 c3t0d122s2 auto 2048 53026176 -
dm c3t0d123 c3t0d123s2 auto 2048 53026176 -
dm c3t0d124 c3t0d124s2 auto 2048 53026176 -
dm c3t0d125 c3t0d125s2 auto 2048 53026176 -
dm c3t0d126 c3t0d126s2 auto 2048 53026176 -
dm c3t0d127 c3t0d127s2 auto 2048 53026176 -
dm c3t0d128 c3t0d128s2 auto 2048 53026176 -
dm c3t0d129 c3t0d129s2 auto 2048 53026176 -
dm c3t0d130 c3t0d130s2 auto 2048 53026176 -
dm c3t0d131 c3t0d131s2 auto 2048 53026176 -
dm c3t0d132 c3t0d132s2 auto 2048 53026176 -
dm c3t0d133 c3t0d133s2 auto 2048 53026176 -
dm c3t0d203 c3t0d203s2 auto 2048 53026176 -
dm c4t2d1 c4t2d1s2 auto 2048 964654848 -
dm c4t2d2 c4t2d2s2 auto 2048 125821696 -
dm c4t2d3 c4t2d3s2 auto 2048 62909696 -
dm dgprdnfs01 c3t0d12s2 auto 2048 53028096 -
dm dgprdnfs02 c3t0d13s2 auto 2048 53028096 -
dm dgprdnfs03 c3t0d14s2 auto 2048 53028096 -
dm dgprdnfs04 c3t0d18s2 auto 2048 53028096 NOHOTUSE
v volprdnfs1 - ENABLED ACTIVE 943718400 SELECT - fsgen
pl volprdnfs1-01 volprdnfs1 ENABLED ACTIVE 943718400 CONCAT - RW
sd dgprdnfs01-01 volprdnfs1-01 dgprdnfs01 0 53028096 0 c3t0d12 ENA
sd dgprdnfs02-01 volprdnfs1-01 dgprdnfs02 0 9886464 53028096 c3t0d13 ENA
sd dgprdnfs02-03 volprdnfs1-01 dgprdnfs02 19772928 33255168 62914560 c3t0d13 ENA
sd dgprdnfs04-01 volprdnfs1-01 dgprdnfs04 0 39544576 96169728 c3t0d18 ENA
sd c3t0d52-01 volprdnfs1-01 c3t0d52 0 53028096 135714304 c3t0d52 ENA
sd c3t0d53-01 volprdnfs1-01 c3t0d53 0 53028096 188742400 c3t0d53 ENA
sd c3t0d54-01 volprdnfs1-01 c3t0d54 0 53028096 241770496 c3t0d54 ENA
sd c3t0d55-01 volprdnfs1-01 c3t0d55 0 50630912 294798592 c3t0d55 ENA
sd c3t0d126-02 volprdnfs1-01 c3t0d126 53024 48247168 345429504 c3t0d126 ENA
sd c3t0d127-01 volprdnfs1-01 c3t0d127 0 53026176 393676672 c3t0d127 ENA
sd c3t0d128-01 volprdnfs1-01 c3t0d128 0 53026176 446702848 c3t0d128 ENA
sd c3t0d129-01 volprdnfs1-01 c3t0d129 0 53026176 499729024 c3t0d129 ENA
sd c3t0d130-01 volprdnfs1-01 c3t0d130 0 53026176 552755200 c3t0d130 ENA
sd c3t0d131-01 volprdnfs1-01 c3t0d131 0 53026176 605781376 c3t0d131 ENA
sd c3t0d132-01 volprdnfs1-01 c3t0d132 0 53026176 658807552 c3t0d132 ENA
sd c3t0d133-01 volprdnfs1-01 c3t0d133 0 53026176 711833728 c3t0d133 ENA
sd dgprdnfs04-02 volprdnfs1-01 dgprdnfs04 39544576 13483520 764859904 c3t0d18 ENA
sd c3t0d55-02 volprdnfs1-01 c3t0d55 50630912 1898016 778343424 c3t0d55 ENA
sd c3t0d123-03 volprdnfs1-01 c3t0d123 132064 52894112 780241440 c3t0d123 ENA
sd c3t0d124-03 volprdnfs1-01 c3t0d124 130320 52895856 833135552 c3t0d124 ENA
sd c3t0d125-02 volprdnfs1-01 c3t0d125 65168 52961008 886031408 c3t0d125 ENA
sd c3t0d126-03 volprdnfs1-01 c3t0d126 48300192 4725984 938992416 c3t0d126 ENA
pl volprdnfs1-02 volprdnfs1 ENABLED TEMPRMSD 943718400 CONCAT - WO
sd c4t2d1-01 volprdnfs1-02 c4t2d1 0 943718400 0 c4t2d1 ENA
v volprdnfs2 - ENABLED ACTIVE 115343360 SELECT - fsgen
pl volprdnfs2-01 volprdnfs2 ENABLED ACTIVE 115343360 CONCAT - RW
sd dgprdnfs02-02 volprdnfs2-01 dgprdnfs02 9886464 9886464 0 c3t0d13 ENA
sd dgprdnfs03-01 volprdnfs2-01 dgprdnfs03 0 53028096 9886464 c3t0d14 ENA
sd c3t0d203-01 volprdnfs2-01 c3t0d203 0 52428800 62914560 c3t0d203 ENA
pl volprdnfs2-02 volprdnfs2 ENABLED TEMPRMSD 115343360 CONCAT - WO
sd c4t2d2-01 volprdnfs2-02 c4t2d2 0 115343360 0 c4t2d2 ENA
v volprdnfs3 - ENABLED ACTIVE 53026176 SELECT - fsgen
pl volprdnfs3-01 volprdnfs3 ENABLED ACTIVE 53026176 CONCAT - RW
sd c3t0d122-01 volprdnfs3-01 c3t0d122 0 53026176 0 c3t0d122 ENA
pl volprdnfs3-02 volprdnfs3 ENABLED TEMPRMSD 53026176 CONCAT - WO
sd c4t2d3-01 volprdnfs3-02 c4t2d3 0 53026176 0 c4t2d3 ENA
Monitor the synchronization process using the vxtask command.
# vxtask list
TASKID PTID TYPE/STATE PCT PROGRESS
161 ATCOPY/R 21.47% 0/53026176/11386880 PLXATT volprdnfs3 volprdnfs3-02 dgprdnfs
163 ATCOPY/R 05.95% 0/115343360/6862848 PLXATT volprdnfs2 volprdnfs2-02 dgprdnfs
164 ATCOPY/R 00.52% 0/943718400/4921344 PLXATT volprdnfs1 volprdnfs1-02 dgprdnfs
Once the synchronization process has completed, it is safe to remove the old plexes of the original source copy, in this case the plexes that contain the c3 subdisks.
# vxplex -g dgprdnfs -o rm dis volprdnfs1-01
# vxplex -g dgprdnfs -o rm dis volprdnfs2-01
# vxplex -g dgprdnfs -o rm dis volprdnfs3-01
Now the mirroring is complete, and the following vxprint output shows the end result. Disk group dgprdnfs no longer depends on controller c3 subdisks and now runs on the new set of c4 storage subdisks.
# vxprint -qhtg dgprdnfs
dg dgprdnfs default default 16000 1106535203.86.eap42
dm c4t2d1 c4t2d1s2 auto 2048 964654848 -
dm c4t2d2 c4t2d2s2 auto 2048 125821696 -
dm c4t2d3 c4t2d3s2 auto 2048 62909696 -
v volprdnfs1 - ENABLED ACTIVE 943718400 SELECT - fsgen
pl volprdnfs1-02 volprdnfs1 ENABLED ACTIVE 943718400 CONCAT - RW
sd c4t2d1-01 volprdnfs1-02 c4t2d1 0 943718400 0 c4t2d1 ENA
v volprdnfs2 - ENABLED ACTIVE 115343360 SELECT - fsgen
pl volprdnfs2-02 volprdnfs2 ENABLED ACTIVE 115343360 CONCAT - RW
sd c4t2d2-01 volprdnfs2-02 c4t2d2 0 115343360 0 c4t2d2 ENA
v volprdnfs3 - ENABLED ACTIVE 53026176 SELECT - fsgen
pl volprdnfs3-02 volprdnfs3 ENABLED ACTIVE 53026176 CONCAT - RW
sd c4t2d3-01 volprdnfs3-02 c4t2d3 0 53026176 0 c4t2d3 ENA
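The post points out that each new disk must be at least as large as the volume it will mirror. The following script is an added example, not part of the original post or of VxVM: it reads vxprint -qhtg output and compares the volume length with the public region length of the disk media chosen for alloc=, so the check can be run before vxassist mirror; the vxprint excerpt is built from the records shown above.

```shell
#!/bin/sh
# Added example, not part of the original post: before running "vxassist mirror",
# check from "vxprint -qhtg" output that the disk chosen with alloc= is large enough
# for the volume. Compares the volume length (field 6 of the "v" record) with the
# public region length (field 6 of the "dm" record); both are in 512-byte sectors.

# mirror_fits VXPRINT_OUTPUT VOLUME DISKMEDIA
# Prints "ok" (exit 0), "too small by N sectors" (exit 1) or "unknown" (exit 2).
mirror_fits() {
    printf '%s\n' "$1" | awk -v vol="$2" -v dm="$3" '
        $1 == "v"  && $2 == vol { vlen = $6 }   # v  NAME - ENABLED ACTIVE LENGTH ...
        $1 == "dm" && $2 == dm  { dlen = $6 }   # dm NAME DEVICE TYPE PRIVLEN PUBLEN ...
        END {
            if (vlen == "" || dlen == "") { print "unknown"; exit 2 }
            if (dlen + 0 >= vlen + 0)     { print "ok"; exit 0 }
            print "too small by " (vlen - dlen) " sectors"; exit 1
        }'
}

# Excerpt of the vxprint output shown in the post (dm and v records only),
# embedded here as constructed sample input.
SAMPLE_VXPRINT='dm c3t0d122 c3t0d122s2 auto 2048 53026176 -
dm c4t2d1 c4t2d1s2 auto 2048 964654848 -
dm c4t2d2 c4t2d2s2 auto 2048 125821696 -
dm c4t2d3 c4t2d3s2 auto 2048 62909696 -
v volprdnfs1 - ENABLED ACTIVE 943718400 SELECT - fsgen
v volprdnfs2 - ENABLED ACTIVE 115343360 SELECT - fsgen
v volprdnfs3 - ENABLED ACTIVE 53026176 SELECT - fsgen'

# The pairings used in the post, plus one deliberately wrong pairing.
for pair in volprdnfs1:c4t2d1 volprdnfs2:c4t2d2 volprdnfs3:c4t2d3 volprdnfs1:c4t2d3; do
    vol=${pair%%:*}; disk=${pair#*:}
    printf '%s on %s: %s\n' "$vol" "$disk" "$(mirror_fits "$SAMPLE_VXPRINT" "$vol" "$disk")"
done
```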
Wednesday, October 20, 2010
lsof: Use lsof to Find PID on Port
There is no need for large scripts to find the process ID behind a port. If you have the lsof binary available on your system, along with tr, you can easily find the process ID using the UDP or TCP socket.
In this example we will locate the process ID using TCP port 1080.
# lsof -i tcp:1080 -Fp | tr -d p
Monday, October 18, 2010
veritas: VCS Java Console Logs showing wrong date & timezone
I have a number of Veritas clustered environments that I maintain. I monitor these clusters through the Veritas Cluster Manager JAVA console running on my Windows 7 workstation.
For the last couple of weeks, I have noticed the VCS logs were showing the wrong date and time. Here is a screen shot showing the time I logged in. At the time it was 1 day and almost 12 hours behind.
Beginning in 2007 the U.S.A. and other countries changed the way Daylight Saving Time is scheduled. The Symantec-provided Java Runtime Environments (JREs), VRTSjre and VRTSjre15, are affected by the DST changes. This causes the time reported internally by the JRE to be off by 1 hour for 4 weeks each year, leading to incorrect date and time processing in Symantec applications that rely on these JREs. The new DST rules went into effect in March 2007. To comply with the DST changes, the JREs must be updated, either by applying an update to your Symantec product or with the JRE update tool provided by the vendor, as described below.
This affects VRTSjre (Java 1.4), VRTSjre15 (Java 1.5), and 3.2 / 3.3 versions of Veritas Enterprise Administrator (VEA) on all platforms currently supported by these components.
1. To investigate this issue, first check whether the primary VRTSvcs log on the host is also showing the wrong date and time:
Log location: /var/VRTSvcs/log/engine.log_A
2. You can also double-check by running an X Windows session, exporting your DISPLAY variable and running hagui locally from the primary host. Then verify whether the VCS logs there also show the wrong date and time.
# DISPLAY=ip-address:0;export DISPLAY
# hagui &
By running through the above two basic steps you can confirm which JRE session is having the issue: the one on your workstation or the one on the primary host.
In my case the issue was coming from my Windows 7 workstation. The following steps show how to apply the Java Runtime Environment Timezone Database Update tool to the VRTSjre and Veritas Enterprise Administrator for Daylight Saving Time (DST) changes.
1. You will need to download the latest tzupdater tool to update the JRE timezone data on your workstation.
You should be able to download it from the following link: http://java.sun.com/javase/tzupdater_README.html
2. You must log in using a valid Sun Online account to download. There is an option to register and create a new account if needed.
3. Once you are logged in, agree to the license. This is required to download the tool.
4. Click on the Java Standard Edition (SE) download section, and click on the timezone tool download.
5. Once downloaded, extract the files to a temporary directory on your workstation.
6. Update the implementation of the JRE as follows:
For Windows systems, bring up a command prompt session and run the following:
# cd C:\Program Files\Common Files\VERITAS Shared\VRTSjre\jre1.5\bin\
java -jar C:\javatz\tzupdater.jar -f -bc -v
To verify:
# java -jar C:\javatz\tzupdater.jar -t -v
# cd c:\Program Files\VERITAS\VERITAS Object Bus\jre\bin
java -jar C:\javatz\tzupdater.jar -f -bc -v
To verify:
# java -jar C:\javatz\tzupdater.jar -f -bc -v
7. Once you have applied the update to the Java Runtime Environment, start a new Veritas Cluster Management Java console and confirm that the VCS logs show the correct date and time.
8. If you continue to experience issues, I suggest uninstalling the Veritas Cluster Management Java console and upgrading to the latest version, which at the time of this post is 5.1.00.2.
The 5.1 Veritas Cluster Management Console is backwards compatible and can be downloaded from the following location:
http://www.symantec.com/business/support/index?page=content&id=TECH78415
Thursday, October 14, 2010
JASS: Permanently Disabling Services using JASS
The following provides some basic instructions on how to disable services on systems using the Solaris Security Toolkit (JASS).
1. Determine which services you wish to disable because you no longer need them. Especially in a web farm architecture you will want to harden the hosts by disabling unneeded OS services that could potentially be a security threat.
Here is an example of what you can consider:
- all NFS services (client AND server)
- autofs/automounter
- cde-login and all cde/graphical login components
- drd (only needed for logical domains)
- Sun ServiceTags (they are usually used to provide discovery of systems and software on the LAN, but I think this is not appropriate for a web host)
- the stosreg and sthwreg services
CDE and font server:
svc:/application/graphical-login/cde-login
svc:/network/rpc/cde-calendar-manager
svc:/network/rpc/cde-ttdbserver
svc:/application/cde-printinfo
Logical Domains (T series only):
svc:/platform/sun4v/drd
NFS and automounter:
svc:/network/nfs/cbd
svc:/network/nfs/client
svc:/network/nfs/server
svc:/network/nfs/mapid
svc:/network/nfs/status
svc:/network/nfs/nlockmgr
svc:/network/nfs/rquota
svc:/system/filesystem/autofs
Service Tags:
svc:/network/stdiscover:default
svc:/network/stlisten:default
Removing the above should leave a clean OS with minimal external ports open.
2. To disable such services you will need to use the JASS_SVCS_DISABLE variable in /opt/SUNWjass/Drivers/user.init. Use the package-provided file user.init.SAMPLE as a template:
# cd /opt/SUNWjass/Drivers
# cp user.init.SAMPLE user.init
# vi user.init
Add the following lines listing the services to disable:
JASS_SVCS_DISABLE="${JASS_SVCS_DISABLE}
svc:/network/telnet:default
svc:/network/ftp:default
svc:/application/management/webmin:default
svc:/system/webconsole:console
svc:/application/management/snmpdx:default
svc:/application/management/dmi:default
svc:/application/management/wbem:default
svc:/application/graphical-login/cde-login
svc:/network/rpc/cde-calendar-manager
svc:/network/rpc/cde-ttdbserver
svc:/application/cde-printinfo
svc:/application/font/fc-cache:default
svc:/platform/sun4v/drd:default
svc:/network/nfs/cbd
svc:/network/nfs/client
svc:/network/nfs/server
svc:/network/nfs/mapid
svc:/network/nfs/status
svc:/network/nfs/nlockmgr
svc:/network/nfs/rquota
svc:/system/filesystem/autofs
svc:/network/stdiscover:default
svc:/network/stlisten:default "
export JASS_SVCS_DISABLE
3. To apply the changes run jass-execute in apply mode again and reboot:
# /opt/SUNWjass/bin/jass-execute -d server-secure.driver
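After the apply run and reboot, you will want to confirm that the listed services really are disabled rather than still online or stuck in maintenance. The following script is an added example, not from the original post or the JASS package: it compares a JASS_SVCS_DISABLE value in the post's format against svcs -aH -o state,fmri output and reports every instance whose state is not disabled; the disable list and the svcs output below are constructed samples.

```shell
#!/bin/sh
# Added example, not part of the original post: after the jass-execute run and reboot,
# confirm the services named in JASS_SVCS_DISABLE are in the "disabled" state. The input
# is the output of "svcs -aH -o state,fmri" (STATE FMRI per line); the copy below is a
# constructed sample, not captured from a real host.

# not_disabled DISABLE_LIST SVCS_OUTPUT
# Prints "INSTANCE STATE" for every listed service whose state is not "disabled".
# A bare service FMRI in the list (e.g. svc:/network/nfs/client, as the post writes
# the NFS entries) matches every instance of that service.
not_disabled() {
    printf '%s\n' "$2" | awk -v list="$1" '
        BEGIN {
            # the list may span several lines, as it does in user.init
            n = split(list, want, "[ \t\n]+")
            for (i = 1; i <= n; i++) if (want[i] != "") wanted[want[i]] = 1
        }
        NF >= 2 {
            state = $1; inst = $2
            svc = inst
            sub(":[^:/]*$", "", svc)     # svc:/network/telnet:default -> svc:/network/telnet
            if ((inst in wanted || svc in wanted) && state != "disabled")
                print inst, state
        }'
}

# Constructed JASS_SVCS_DISABLE value in the post's format (a subset of its list).
SAMPLE_DISABLE="
svc:/network/telnet:default
svc:/network/ftp:default
svc:/system/webconsole:console
svc:/network/nfs/client
svc:/network/nfs/server "

# Constructed svcs -aH -o state,fmri output: ftp and nfs/server were left online,
# webconsole is stuck in maintenance, telnet and nfs/client are correctly disabled.
SAMPLE_SVCS='disabled       svc:/network/telnet:default
online         svc:/network/ftp:default
disabled       svc:/network/nfs/client:default
online         svc:/network/nfs/server:default
maintenance    svc:/system/webconsole:console
online         svc:/network/ssh:default'

not_disabled "$SAMPLE_DISABLE" "$SAMPLE_SVCS"
```

On a real host replace SAMPLE_SVCS with "$(svcs -aH -o state,fmri)" and SAMPLE_DISABLE with the value set in user.init; empty output means every listed service is disabled.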
Monday, October 11, 2010
JASS: Installing the Solaris Security Toolkit JASS
The Solaris Security Toolkit provides a flexible way to harden a Solaris system, making it more secure against malicious attack. The software may be installed during an unattended Solaris JumpStart install, or after Solaris is installed and booted.
The degree of hardening depends on your architectural requirements. I've been happily using JASS for the last year now, I have my own specific JASS build packages for various environments, I also run audits on a weekly basis to ensure there have been no malicious system or software changes.
The server-secure.driver leaves frequently-used server services open. The following discusses customizing the server-secure.driver to your site-specific needs. Once customized, your systems can be hardened in an automated way using one or more configurations you established.
Here I'll give enough details to get you started. I'm only covering interactive use in this example.
1. First, download the SUNWjass 4.2.0 package, available at http://www.sun.com/software/security/jass/. You don't need the MD5 (SUNBEmd5) or fixmodes (SUNBEfixm) packages, as the functionality is incorporated in Solaris 10.
2. If SUNWjass is already installed, remove it with pkgrm (back up any modified files first).
3. Uncompress and install the package to /opt/SUNWjass
# uncompress SUNWjass.pkg.Z
# pkgadd -d SUNWjass.pkg
4. Run a driver in "apply" mode. In this example we use server-secure.driver; this takes a few minutes.
# /opt/SUNWjass/bin/jass-execute -d server-secure.driver
5. Check the summary output for failures and errors:
[SUMMARY] Results Summary for APPLY run of server-secure.driver
[SUMMARY] The run completed with a total of 85 scripts run.
[SUMMARY] There were Failures in 0 Scripts
[SUMMARY] There were Errors in 0 Scripts
[SUMMARY] There were Warnings in 2 Scripts
[SUMMARY] There were Notes in 68 Scripts
6. Reboot and log in again.
7. You can verify the previous run of jass-execute by manually running an audit of the system:
# /opt/SUNWjass/bin/jass-execute -a server-secure.driver
This takes a few minutes and produces a summary at the end:
[SUMMARY] Results Summary for AUDIT run of server-secure.driver
[SUMMARY] The run completed with a total of 85 scripts run.
[SUMMARY] There was a Failure in 1 Script
[SUMMARY] There were Errors in 0 Scripts
[SUMMARY] There was a Warning in 1 Script
[SUMMARY] There were Notes in 20 Scripts
[SUMMARY] Failure Scripts listed in:
/var/opt/SUNWjass/run/20050721092746/jass-script-failures.txt
Verify there are no failures. If any failures are found as in this case, look at the script output to see if there are any unexpected problems. In the example above, I see the failure is from set-root-home-dir.aud because I provided and created a custom .profile script:
[FAIL] Template /root/.profile does not match target on system.
Change the root .profile to your liking in the following location: /opt/SUNWjass/Files/root/.profile
Then run another hardening:
# /opt/SUNWjass/bin/jass-execute -d server-secure.driver
Then run another audit to confirm there are no errors this time.
# /opt/SUNWjass/bin/jass-execute -a server-secure.driver
[SUMMARY] Results Summary for AUDIT run of server-secure.driver
[SUMMARY] The run completed with a total of 85 scripts run.
[SUMMARY] There was a Failure in 0 Script
[SUMMARY] There were Errors in 0 Scripts
[SUMMARY] There was a Warning in 1 Script
[SUMMARY] There were Notes in 20 Scripts
Friday, October 8, 2010
coreadm: dumpadm: Crash Dump Defined
Two types of core files:
1) Per-process core file - owned by the user, mode 600
2) Global core file - not created by default; owned by root, mode 600
To change the Core File Configuration use the coreadm command to modify /etc/coreadm.conf file.
# coreadm -p pattern pid
# coreadm -i pattern ;survives reboot
# coreadm -e global/process/global-setid/proc-setid/log ;enable options
# coreadm -d ;disables corefile option
# coreadm -u ;updates
# coreadm -g ;sets the global core file name pattern
%p ; PID
%u ; uid
%g ; gid
%f ; executable filename
%n ; system node name uname -n
%m ; machine hardware name = uname -m
%t ; time in seconds since 1970,1,1.
%d ; executable file directory/name
%z ; zonename
%% ; % itself
Examples:
# coreadm -p core.%f.%p $$ ; $$ pid of the current shell
# coreadm -p $HOME/corefiles/%n.%f.%p $$
# coreadm -g /var/core/core.%f.%p -e global ;
# coreadm 228 507
# coreadm -p /var/core/usr/bin ; listing corefiles for pid
# coreadm -G all -g /var/core/%d/%f %p %n
dumpadm stores a dump of memory; /etc/dumpadm.conf stores the crash dump configuration. Don't edit this file; use the dumpadm command instead.
The default dump area is the swap space.
/var/crash/host-name/vmcore.0 - memory content
/var/crash/host-name/unix.0 - symbol table
The savecore command is a utility that saves the crash dump to a file on reboot.
# dumpadm
# dumpadm -c curproc -d swap ; modify the dump configuration so it dumps kernel memory pages and the current process to swap
# dumpadm -n ; turn off savecore
# dumpadm -u ; update kernel from /etc/dumpadm.conf
# dumpadm -y ; turn on savecore, default
# dumpadm -c ; specify the dump content - kernel,all or curproc
# dumpadm -d ; specify the dump device
# dumpadm -m minK ; set a minimum space savecore should reserve, normally in the /var/crash/host1/ filesystem
# dumpadm -s savecore_dir ; specify the directory where savecore saves
# dumpadm -r root_dir ; specify the relative root dir, default /
dumpadm examples:
# dumpadm
Dump content: kernel pages
Dump device: /dev/dsk/c0t0d0s1 (swap)
Savecore directory: /var/crash/host-name
Savecore enabled: yes
# dumpadm -d /dev/dsk/c1t0d0s5
Dump content: kernel pages
Dump device: /dev/dsk/c1t0d0s5 (dedicated)
Savecore directory: /var/crash/host-name
Savecore enabled: yes
# sync
# savecore -L
dumping to /dev/dsk/c1t0d0s5, offset 65536, content: kernel
100% done: 11679 pages dumped, compression ratio 3.14, dump succeeded
System dump time: Tue Dec 5 13:21:05 2006
Constructing namelist /var/crash/host-name/unix.0
Constructing corefile /var/crash/host-name/vmcore.0
100% done: 11679 of 11679 pages saved
# cd /var/crash/host-name
-rw-r--r-- 1 root root 1201176 Dec 5 13:21 unix.0
-rw-r--r-- 1 root root 97640448 Dec 5 13:21 vmcore.0
# file vmcore.0
vmcore.0: SunOS 5.10 Generic_118822-25 64-bit SPARC crash dump from host-name
coreadm examples:
# coreadm
global core file pattern:
global core file content: default
init core file pattern: core
init core file content: default
global core dumps: disabled
per-process core dumps: enabled
global setid core dumps: disabled
per-process setid core dumps: disabled
global core dump logging: disabled
# mkdir /var/core
# coreadm -e global -g /var/core/core.%f.%p
# coreadm -e log
# coreadm
global core file pattern: /var/core/core.%f.%p
global core file content: default
init core file pattern: core
init core file content: default
global core dumps: enabled
per-process core dumps: enabled
global setid core dumps: disabled
per-process setid core dumps: disabled
global core dump logging: enabled
# mkdir /var/tmp/dir
# cd /var/tmp/dir
# pwd
/var/tmp/dir
# ps
PID TTY TIME CMD
1094 pts/6 0:00 ps
1056 pts/6 0:00 ksh
# kill -8 1056
# ls /var/core
core.ksh.729
core.ksh.893
/var/core/core.ksh.729: ELF 32-bit MSB core file SPARC Version 1, from 'ksh'
/var/core/core.ksh.893: ELF 32-bit MSB core file SPARC Version 1, from 'ksh'
# tail /var/adm/messages
Dec 5 13:21:08 host-name genunix: [ID 851671 kern.notice] dump succeeded
Dec 5 13:21:29 host-name savecore: [ID 748169 auth.error] saving system crash dump in /var/crash/host-name/*.0
Dec 5 13:26:29 host-name genunix: [ID 603404 kern.notice] NOTICE: core_log: ksh[893] core dumped: /var/core/core.ksh.893
Dec 5 13:27:23 host-name genunix: [ID 603404 kern.notice] NOTICE: core_log: ksh[729] core dumped: /var/core/core.ksh.729
Monday, October 4, 2010
news: Oracle Solaris 10 Update 9 released
On September 8, 2010 Oracle officially announced Oracle Solaris 10 9/10, Oracle Solaris Cluster 3.3 and Oracle Solaris Studio 12.2. For now we will be concentrating on Oracle Solaris 10 9/10.
So what does Solaris 10 U9 include? Let's take a quick tour:
- The most awaited: Oracle Solaris Containers now provide enhanced "P2V" (Physical to Virtual) capabilities to allow customers to move seamlessly from existing Oracle Solaris 10 physical systems to virtual containers quickly and easily. At our project we developed a custom method to perform P2V from Solaris 8/9 to Solaris 10 Containers and, to be honest, we were really looking forward to this feature.
- Host ID Emulation - Migration of a physical Solaris 10 machine into a Zone with support for the HostID will allow more network management platforms to be virtualized while still retaining their licensing features.
- Oracle 11g Release 2 Support
- Networking and database optimizations for Oracle Real Application Clusters (Oracle RAC).
- Increased reliability for virtualized Solaris instances when deployed using Oracle VM for SPARC, also known as Logical Domains.
- ZFS device replacement enhancements - namely autoexpand
- some changes to the zpool list command
- Holding ZFS snapshots
- Triple parity RAID-Z (raidz3)
- The logbias property
- Log device removal - at last
- ZFS storage pool recovery
- New ZFS system process – In this release, each storage pool has an associated process, zpool-poolname
- Splitting a mirrored ZFS storage pool (zpool split)
For more information - http://dlc.sun.com/pdf/821-1840/821-1840.pdf
Download - http://www.oracle.com/technetwork/server-storage/solaris/downloads/index.html