Solaris reclaiming space



I came across this doc for Solaris 8: Is this doc good to follow for
Solaris 10 or Solaris 9?

Remove the Solaris Installation Leftovers
Much of the information for this section came from a security benchmark
by the Center for Internet Security (6).
When the Solaris installation is performed, a significant amount of
unnecessary stuff is left behind, which should be cleaned up, to
minimize unauthorized system access.

Remove reconfiguration scripts.
Three configuration scripts are left behind. The purpose of these
scripts is to allow simple reconfiguration, if necessary. The bad news
is that these scripts can be triggered just by the creation of a file.
Many exploits will allow the creation of such a file. As a result, when
the system is rebooted the next time, the startup will be delayed,
while the reconfiguration scripts run, and wait for input. Also, when
they run, they may destroy some of the previously entered configuration
information.
The following commands will keep the system installation configuration
scripts from being run at boot time: (NOTE: numbers may not be 30, 71
and 72; please check first with ls /etc/rc2.d/S*sysid.net
/etc/rc2.d/S*sysid.sys /etc/rc2.d/S*autoinstall):


mv /etc/rc2.d/S30sysid.net /etc/rc2.d/_S30sysid.net
mv /etc/rc2.d/S71sysid.sys /etc/rc2.d/_S71sysid.sys
mv /etc/rc2.d/S72autoinstall /etc/rc2.d/_S72autoinstall


Remove unneeded accounts
Remove any unnecessary accounts from the system. Usually, this will
include listen, nobody4, nuucp, smtp and uucp. The command to do this
is passmgmt -d ACCOUNT.

Lock system accounts
Any non-root system accounts (UID < 100) should be locked, so that they
can't be used as login accounts. The command to do this is passwd -l
ACCOUNT. The login shell should also be changed on these accounts. The
most secure login shell I know of is /dev/null, but some IDSs use a
special shell to warn of intrusion attempts. The command to change the
login shell is passwd -e ACCOUNT.

Set directories for NULL accounts
The accounts nobody, noaccess and nobody4 should have their login
directories changed to /dev/null. The command to change the login
directory is passmgmt -m -h /dev/null ACCOUNT. The login shell for
these accounts should also be changed, as above.

Adjust /etc/inittab for system console
As distributed, the /etc/inittab file allows logins from both the
console and the serial ports. This should be changed to allow logins on
only one of these. If the keyboard is in use, then the serial ports
should be disabled by commenting out the line containing
/usr/lib/saf/sac. If a serial console is in use, then the keyboard
should be disabled by commenting out the line containing
/usr/lib/saf/ttymon.

Remove cachefs startup
In most servers, there is no need for the cachefs daemon. If this is
the case, the startup script should be disabled. This can be done by
the use of the following commands (NOTE: numbers may not be 73 and 93;
please check first with ls /etc/rc2.d/S*cachefs.daemon and ls
/etc/rc2.d/S*cacheos.finish):

mv /etc/rc2.d/S73cachefs.daemon /etc/rc2.d/_S73cachefs.daemon
mv /etc/rc2.d/S93cacheos.finish /etc/rc2.d/_S93cacheos.finish


Remove preservation of editor sessions
When the system is taken down (or crashes) and an editor (vi) session
is active, the keystroke file is left behind. The startup script
/etc/rc2.d/S80PRESERVE copies these keystroke files to the
/usr/preserve directory, and sends E-mail to the users whose sessions
were saved, informing them of the procedure to recover their sessions.
On most servers, there will be little editing, and this step in the
startup procedure need not be done. The following commands will disable
the saving of keystroke files during startup: (NOTE: number may not be
80; please check first with ls /etc/rc2.d/S*PRESERVE):


mv /etc/rc2.d/S80PRESERVE /etc/rc2.d/_S80PRESERVE


Web address: http://www.accs.com/p_and_p/SolSec/clean.html


Thanks
Joe
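
The quoted document warns that the sequence numbers may differ and should be checked with ls first. As an added example (not part of the original post or of the quoted document), the script below finds the start scripts by name instead of by number and prints the rename for each, only performing it when asked. The function names, the `RC_SUFFIXES` variable and the `apply` argument are assumptions of this sketch; the script names are the ones listed in the document.

```shell
#!/bin/sh
# Added example: locate the rc2.d start scripts named in the quoted
# document by suffix, whatever their sequence number, and disable them
# with the same "_S" rename the document uses. The rc framework only runs
# files whose names begin with S (or K), so "_S..." is skipped at boot.

# Suffixes taken from the quoted document.
RC_SUFFIXES="sysid.net sysid.sys autoinstall cachefs.daemon cacheos.finish PRESERVE"

# list_enabled DIR: print each listed start script still enabled in DIR.
list_enabled() {
    for suffix in $RC_SUFFIXES; do
        for path in "$1"/S[0-9]*"$suffix"; do
            [ -f "$path" ] && echo "$path"   # unmatched glob stays literal
        done
    done
    return 0
}

# disable_rc_scripts DIR [apply]
# Prints one "mv" line per enabled script (dry run by default);
# with "apply" as the second argument the rename is also performed.
disable_rc_scripts() {
    dir=$1
    mode=${2:-dry-run}
    list_enabled "$dir" | while IFS= read -r path; do
        target="$dir/_${path##*/}"
        if [ -e "$target" ]; then
            # Never overwrite an earlier rename; leave it for manual review.
            echo "skip $path: $target already exists" >&2
            continue
        fi
        echo "mv $path $target"
        if [ "$mode" = apply ]; then
            mv "$path" "$target"
        fi
    done
}

# Run only when arguments are given, for example:
#   sh disable_rc.sh /etc/rc2.d          (dry run)
#   sh disable_rc.sh /etc/rc2.d apply
if [ "$#" -gt 0 ]; then
    disable_rc_scripts "$@"
fi
```

Running `list_enabled /etc/rc2.d` again after a reboot or a patch install shows whether any of the scripts has been restored under its original name.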
