Thursday, October 30, 2014

Solaris 11 Security hardening verification




Hardening any operating system is a very time-consuming process. New security vulnerabilities are reported all the time, and a security baseline for the operating system is a must for every company. Hardening an OS to the security guidelines takes considerable effort, so it is always better to script both the security implementation and its verification.


For Solaris 11, one of the best security hardening guidelines available is the CIS Security Benchmark.
Implementing and verifying each and every security element is a very time-consuming activity. I have written a script for implementation and verification. I'm just publishing the script for security verification. Based on the comments, I can publish the implementation script as well.

Here is the script link: Solaris11_Security_Verification



Sunday, October 16, 2011

Sar Monthly graph data

This script is my first Perl script. It can be used for plotting a monthly SAR graph. I have not included a graph plotting routine. The output file will be in .csv format.
You can use Excel to plot the graph from this CSV, or use custom graph tools.
This script is written specifically for Solaris. Modify the filtering lines in the script accordingly for other platforms.



The script is placed at http://www.4shared.com/file/W3vLjM-v/Sar-monthly-data.html


Sample output data will look like this:

Date,cpu_avg%,cpu_max%,runq_avg,runq_max,mem_min_MB,mem_max_MB,avserv,avserv_max
08/31/2011,3,3,1.8,3.0,326,326,0.6,0.8
09/18/2011,2,3,1.9,2.8,600,603,0.7,1.1
09/19/2011,2,3,1.7,2.3,599,602,0.9,1.1
09/20/2011,2,2,1.6,2.2,595,596,0.5,1.0
09/21/2011,2,2,1.8,2.4,597,598,1.1,2.0
09/22/2011,2,2,1.7,4.0,597,597,0.6,0.9
...
...

Monthly Summary
HOST,cpu_avg%,cpu_max%,runq_avg,runq_max,mem_min_MB,mem_max_MB,avserv,avserv_max
LABSERVER,2,4,1.7,2.9,524,525,1.0,1.6

Friday, October 7, 2011

Oracle/Sun Proxy server -Self signed certificate Installation

Oracle proxy server doesn't offer self-signed certificate installation via the GUI Admin console.
To create a self-signed certificate, the following method can be used.


Change to instance config directory



Labserver# cd /opt/proxyserver40/proxy-server1/config


create certificate store

give a certificate store password

Labserver# /opt/proxyserver40/bin/proxy/admin/bin/certutil -N -d .
Enter a password which will be used to encrypt your keys.
The password should be at least 8 characters long,
and should contain at least one non-alphabetic character.

Enter new password:
Re-enter password:


Generate Self signed certificate

Replace -n MYCERT with your instance Name or FQDN of the site

Labserver# /opt/proxyserver40/bin/proxy/admin/bin/certutil -S -x -s "CN=www.telstra.com.au" -n MYCERT -t "C,C,C" -d .
Enter Password or Pin for "NSS Certificate DB":

A random seed must be generated that will be used in the
creation of your key. One of the easiest ways to create a
random seed is to use the timing of keystrokes on a keyboard.

To begin, type keys on the keyboard until this progress meter
is full. DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!


Continue typing until the progress meter is full:

|************************************************************|

Finished. Press enter to continue:


Generating key. This may take a few moments...


List self signed certificate

Labserver# /opt/proxyserver40/bin/proxy/admin/bin/certutil -L -d .

Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI

MYCERT Cu,Cu,Cu


Copy certificate to original certificate location

Labserver# ls -l *.db
-rw------- 1 root root 65536 Oct 4 23:21 cert8.db
-rw------- 1 root root 32768 Oct 4 23:21 key3.db
-rw------- 1 root root 32768 Oct 4 23:18 secmod.db
Labserver#

Stop proxy server

Labserver# ./stop
server has been shutdown

Copy Certificate to original Certificate location

cp cert8.db /opt/proxyserver40/alias/proxy-server1-Labserver-cert8.db
cp key3.db /opt/proxyserver40/alias/proxy-server1-Labserver-key3.db


Restart Proxy server

Labserver# /opt/proxyserver40/proxy-server1/start
Oracle iPlanet Proxy Server 4.0.14 B06/08/2010 05:46
Please enter password for "internal" token:
info: HTTP3072: [LS ls1] http://192.25.10.1:7081 ready to accept requests
startup: server started successfully
Labserver#
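
A check to run after the copy step above, as an added example that is not part of the original post: cp into an existing file keeps that file's mode, so confirm the installed databases are as private as the -rw------- originals listed earlier. The function name audit_cert_store is hypothetical; the alias directory and file prefix are the ones used in this post.

```shell
#!/bin/sh
# Added example (not from the original post): audit the permissions of the
# NSS database files copied into the proxy server's alias directory.
# audit_cert_store is a hypothetical helper name.

# Usage: audit_cert_store <alias-dir> <file-prefix>
# Prints one line per finding; returns 0 when clean, 1 otherwise.
audit_cert_store() {
    dir=$1
    prefix=$2
    findings=0
    for db in cert8.db key3.db; do
        f="$dir/$prefix$db"
        if [ ! -f "$f" ]; then
            echo "MISSING  $f"
            findings=$((findings + 1))
            continue
        fi
        # Characters 5-10 of the ls mode string are the group and other
        # bits, e.g. "-rw-------" -> "------". Works with Solaris and GNU ls.
        mode=$(ls -ld "$f" | cut -c1-10)
        group_other=$(printf '%s' "$mode" | cut -c5-10)
        if [ "$group_other" != "------" ]; then
            echo "EXPOSED  $f ($mode), fix with: chmod 600 $f"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# Example call with the paths from this post:
# audit_cert_store /opt/proxyserver40/alias proxy-server1-Labserver-
```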

Friday, March 5, 2010

I had to write a script to check a sudden CPU spike that occurred every day and was not getting captured in the sar logs or by other performance tools. I didn't want to change the default collection delay of the monitoring tool. I wanted the exact process ID and various performance-related parameters at that particular time.

The script below came in handy. I ran it for 24 hours and I could capture the culprit with full details.

nohup ./psmon.sh 24 &

The script will create a file named hostname.cpu.stat.MMDD (the suffix comes from date +%m%d) in the current directory.



#!/bin/bash
# Collect process information
#
# psmon.sh
#
# (c)Dhanesh
# usage : ./psmon.sh nn     (nn is the run time in hours)
#


DATE=`date +%m%d`
LOGFILE="`uname -n`.cpu.stat.${DATE}"
if [ "$#" -lt 1 ]
then
    echo " Usage : $0 nn "
    echo " nn is in Hours "
    exit 1
fi

echo "Logfile: $LOGFILE"

# Time calculation
# TIME  = requested run time in seconds
# CTIME = current time, ETIME = end time (both in epoch seconds)
TIME=`expr ${1} \* 3600`
CTIME=`perl -e 'print time()'`
ETIME=$(( $TIME + $CTIME ))

echo "Process Monitor `uname -n` Start Time : `date` "

while [ ${CTIME} -le ${ETIME} ]
do
    # Baseline snapshot: per-task/project usage, load, memory, per-user and per-zone usage
    prstat -Tc 5 2 >> "${LOGFILE}"
    echo "`date` : `uptime`" >> "${LOGFILE}"
    vmstat 2 2 | perl -e 'while (<>) { print localtime() . ": $_"; }' >> "${LOGFILE}"
    prstat -t 1 1 >> "${LOGFILE}"
    prstat -Z 1 1 >> "${LOGFILE}"

    # Find current time in seconds
    CTIME=`perl -e 'print time()'`

    # Find the ptree of any process using 30% CPU or more
    PID=`prstat -c 1 1 | egrep "[3-9][0-9]%|100%" | awk '{print $1}'`
    if [ "${PID}" != "" ]
    then
        # PID is left unquoted on purpose: it may hold several process IDs
        ptree ${PID} >> "${LOGFILE}"
        vmstat 2 2 | perl -e 'while (<>) { print localtime() . ": $_"; }' >> "${LOGFILE}"
        iostat -xtc >> "${LOGFILE}"
        netstat -i | perl -e 'while (<>) { print localtime() . ": $_"; }' >> "${LOGFILE}"
    fi

    # Collection delay
    sleep 20
done

echo "Process Monitor `uname -n` End Time : `date` "

Wednesday, December 16, 2009

Weblogic startup problem after database password change


Database availability is critical to WebLogic. WebLogic won't start up if there is any problem with database connectivity. The database password must be set to non-expiring for this reason.


In our environment I faced a problem because of the password expiry settings for the WebLogic 10gR2 DB user.

The DBA had set the password as normal, and after our initial test and verification, suddenly one day WebLogic failed to start up. During investigation I found that the database password had expired.

When I changed the DB user password, WebLogic couldn't start at all.

This procedure came in handy in this situation.


Generate encrypted password



You can generate a new encrypted password using the Encrypt utility.

Change to your domain folder

Appserver$ cd /opt/bea/domains/wl_apps_portal/

Appserver$ java weblogic.security.Encrypt portal1     # portal1 is the new DB password; specify yours here

{3DES}QWm1bT1xncGKUAp7+KQ==


Modify all jdbc/*.xml with new encryption




Copy the encrypted password into /opt/bea/domains/wl_apps_portal/jdbc/*.xml.

A typical entry will look like the one below. Replace the tag value with the newly generated one.









After modifying all jdbc/*.xml start your weblogic domain
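
Because every descriptor has to carry the new value, it helps to check them all before starting the domain. The following is an added example, not part of the original post: it lists the jdbc/*.xml files whose {3DES} value differs from the newly generated one, whatever tag holds it. The function name stale_jdbc_passwords is hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): find JDBC descriptors that
# still carry an encrypted password other than the newly generated one.
# stale_jdbc_passwords is a hypothetical helper name.

# Usage: stale_jdbc_passwords <domain-dir> '<new {3DES}... value>'
# Prints each stale file; returns 0 when every descriptor is up to date.
stale_jdbc_passwords() {
    domain=$1
    new=$2
    stale=0
    for f in "$domain"/jdbc/*.xml; do
        [ -f "$f" ] || continue      # the glob matched nothing
        # Extract every {3DES}... token; the value is base64, so it ends
        # at the first character outside the base64 alphabet (e.g. "<").
        for tok in $(sed -n 's|.*\({3DES}[A-Za-z0-9+/=]*\).*|\1|p' "$f"); do
            if [ "$tok" != "$new" ]; then
                echo "STALE  $f"
                stale=$((stale + 1))
                break
            fi
        done
    done
    [ "$stale" -eq 0 ]
}

# Example call with the domain path and value from this post:
# stale_jdbc_passwords /opt/bea/domains/wl_apps_portal '{3DES}QWm1bT1xncGKUAp7+KQ=='
```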

Thursday, August 14, 2008

Disable Anonymous FTP in Solaris 9

By default, anonymous FTP is enabled on Solaris 9/10 servers.
To disable anonymous FTP, just add the guestserver keyword to the /etc/ftpd/ftpaccess file.
There is no need to bounce services. The change takes effect immediately.

echo "guestserver" >> /etc/ftpd/ftpaccess

Then try to FTP as anonymous; you will get an error message like the one below.

$ftp serverip
Connected to T2000 FTP server ready
User (129.227.159.23:(none)): anonymous
530 Guest login not allowed on this machine.
Connection closed by remote host.

$

Tuesday, April 22, 2008

Introduction to ZFS Administration

This presentation gives you a brief introduction to SUN ZFS file system.
http://www.4shared.com/dir/6679470/2ef45125/SUN.html