Solaris archives - Open Source Software and Linux


Feb 17 2009   10:40PM GMT

Linux security basics aka don’t do this!



Posted by: John Little
Security, Linux, red hat, centos, solaris, windows, sysctl

I mention Linux security in the title but these best practices apply to any operating system.

There are many excellent third-party security tools out there for you to install on your system. Before installing these, though, you should review the tools that are already on your system. There is probably already a package included with the system that will accomplish what you need.

Why not use these tools? The major Linux distributions have gone to considerable expense to test these tools and make sure that they will not break anything on your system. When you consider the many third-party applications that are certified for a distribution, such as Lotus Domino and JBoss, this becomes even more critical. These applications are generally installed because they are mission critical. You don’t want to install a non-certified security application only to find that it breaks, or creates a security flaw in, your certified mission-critical application. Don’t do this.

A pet peeve of mine has always been the idea of “point and click and know not what I just did” that many administrators perform. While this seems to be more prevalent in the Windows world it exists in the *nix world as well. Generally the idea of text configuration files can overcome this but not always. Take, for example, the website securecentos.com (not affiliated with CentOS). One of the things that they want you to do is patch your kernel with a patch from http://www.grsecurity.com/. Doing something like this should raise a red flag immediately. Do you know what the patch is fixing and/or how it is making your machine more secure? If you can’t answer yes to this then don’t do it with this or any other patch except one from your vendor.

Aside from that, when your vendor releases a kernel update you are going to have to redo the whole process again. This can quickly become heavy with administrative costs. If your machines are duplicated across the network, you now have to install this on all of them, and again every time you run a kernel update. Don’t do this.

You should never download a configuration file that affects the core of your machine without knowing exactly what it does. The same site mentioned above has many configuration files that they want you to download and put into production on your machine(s). There is even a sysctl.conf file, which affects many core processes of your machine and how they operate. At the time of this post, comments in this file are nonexistent. This amounts to the notion of “point and click and know not what I just did” mentioned above. Don’t do this.

I don’t mean to single out securecentos.com. It just happens to be the one that I ran across today among the many out there asking administrators to do some things that they should think twice about. I’m sure that they mean well. If I got out my sysctl manual I could find out what each of those changes would do to my machine. However, I’m not going to. If they want me to use their product/advice then those should be clearly documented either in the file or with a URL embedded in the file that leads to that information.
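One way to review a downloaded sysctl.conf before it goes anywhere near production, as an added example that is not from the original post or from the site it discusses. The names `review_sysctl` and `norm`, the rule that a comment block documents the settings up to the next blank line, and the sample keys and values (including the nonexistent `kernel.made_up_key`) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: list what a third-party sysctl.conf would change on this host.
# Output per setting: key|proposed|current|same, CHANGES or unknown|documented=yes/no

# Collapse tabs and runs of spaces so multi-value keys compare cleanly.
norm() { printf '%s' "$1" | tr -s '[:space:]' ' ' | sed 's/^ //; s/ $//'; }

# review_sysctl FILE [ROOT]   ROOT defaults to /proc/sys (override for testing).
# Note: keys are mapped to paths by turning '.' into '/', the common case.
review_sysctl() {
    conf=$1; root=${2:-/proc/sys}; doc=no
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(norm "$line")
        case $line in
            '')        doc=no;  continue ;;   # blank line ends a comment block
            '#'*|';'*) doc=yes; continue ;;   # sysctl.conf comment markers
            *=*)       ;;                     # a key = value line, handled below
            *)         continue ;;            # anything else is not a setting
        esac
        key=$(norm "${line%%=*}"); key=${key#-}   # leading '-' means "ignore errors"
        new=$(norm "${line#*=}")
        path=$root/$(printf '%s' "$key" | tr . /)
        if [ -r "$path" ]; then
            cur=$(norm "$(cat "$path")")
            [ "$cur" = "$new" ] && state=same || state=CHANGES
        else
            cur=-; state=unknown              # key not present on this kernel
        fi
        printf '%s|%s|%s|%s|documented=%s\n' "$key" "$new" "$cur" "$state" "$doc"
    done < "$conf"
}

# Constructed sample: a fake /proc/sys tree and a "downloaded" file to review.
demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/sys/net/ipv4" "$d/sys/kernel"
    echo 1 > "$d/sys/net/ipv4/ip_forward"
    echo 0 > "$d/sys/net/ipv4/tcp_syncookies"
    printf '%s\n' '# do not route between interfaces' 'net.ipv4.ip_forward = 0' \
        '' 'net.ipv4.tcp_syncookies=1' 'kernel.made_up_key = 5' > "$d/candidate.conf"
    review_sysctl "$d/candidate.conf" "$d/sys"
    rm -rf "$d"
}
demo
```

On a real host, call `review_sysctl downloaded.conf` with no second argument; every line marked `CHANGES`, `unknown` or `documented=no` is a setting to look up before the file is put into service.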

Be smart with your machines! Don’t go putting configuration files in service, clicking on buttons that affect the security or core services of your machine or installing 3rd party applications that may already have the equivalent tested on your machine without knowing exactly what other files and applications they are going to affect.

-j

Dec 20 2008   3:57AM GMT

Learning Sun Solaris at the Sun Open Learning Center



Posted by: John Little
solaris, sun solaris, opensolaris, sun open learning center, Sun certifications

I admit I have become intrigued with OpenSolaris and Sun Solaris. Sun has made it extremely easy to get started learning these two operating systems with their Sun Open Learning Center.

The SOLC is free to use; all you need is a Sun account. The curriculum at the beginner level includes Desktop Components, File Systems and Directories, Working with Process, Working with the Shell and Archiving Files and Remote Transfer.

The SOLC includes an intermediate level which is currently in beta. The curriculum here includes Intermediate Booting SPARC and x86 Based Systems, Installing Solaris 10 and Safely Shutting Down a Solaris System. Sun promises more to come at this level.

You can also join the Sun community at the Solaris Campus at Second Life. Here they have various times set up for “live” classroom learning via the Second Life application.

According to Sun the curriculum should prepare you for a Solaris Certified System Administrator. I have taken the first course and was quite impressed with it, although it is at a very beginning level.

The application works beautifully, walking you through the subjects and giving you some brief tests at the end to check your learning. The course takes some time to get through, so you will probably need to shut down or close your browser before you are done. When you log back into the application it will ask you if you want to start where you left off. You can click yes and go directly to the lesson where you stopped. If you need to back up a few pages for review and start from there, just click the back button.

Given the cost of certification materials and classes, this is a giant step for Sun and should help them get more certified admins while taking it easy on your wallet. You should go try one of the courses today.

-j


Dec 4 2008   6:41PM GMT

Inventory tracking with the Sun Inventory Application



Posted by: John Little
windows, solaris, sun, Lotus Domino, red hat, suse, opensolaris, inventory, inventory tag, tag your gear

Sun has a unique application on their web site called Sun Inventory that will track hardware, software and operating systems. It is unique in that it is, more or less, a cloud application. You can access your inventory anywhere that you have internet access.

The Sun Inventory application tracks these items by installing a small application on the machine that you want to inventory. Initially it will report back the hardware and operating system. As qualified applications are installed the agent will report these back to the Sun Inventory application without any interaction on your part.

Getting started is simple. Go here to get started. If you don’t have a Sun account go ahead and sign up. Once you are signed in it is a 3 step process to get started.

Step one is to download what are known as service tags. This is the application that you will install to “tag” your inventory so that it can be put into the application. Tags are available for Red Hat Enterprise Linux, Suse Enterprise Linux, Solaris and Windows. Download the appropriate tag for your operating system and install it on the machine that you want to inventory. The tagging also works on virtualized machines from Red Hat Virtualization and on VMs using Virtual Box. I didn’t check any other virtualization applications.

Steps two and three are discovering and registering your “gear”, as Sun calls it. This downloads a small Java program onto your machine to help in finding and registering tag-ready machines. With this application you can find your machines in various ways, such as by hostname, subnet and IP address. Below is a screen shot of the information that you can use to find your tagged machines.

[Screenshot: Find and Tag]

Once you have done this, a screen will pop up showing the gear that the registration client found. You will then log in to your Sun account and choose which products you want to register. Once they are registered, what you will see is like the following screen shot.

[Screenshot: inventory listing from Sun]

As you can see I have my 1u server tagged along with the host and virtual operating systems. The OpenSolaris machine is running on Virtual Box. The OpenOffice application was installed after I tagged and registered the machine. Since the tag runs as a service it picked up the OpenOffice application and registered it as part of the OpenSolaris machine.

This is a great way to get your machines and related software inventoried and get control of it.

-j


Sep 19 2008   7:47PM GMT

Convert your dpkg, rpm, tgz and slp applications to another package with alien



Posted by: John Little
Linux, solaris, sun, debian, slackware, sun solaris, red hat, convert, centos, alien, RPM, deb, package conversion, linux package conversion

alien is software that allows you to convert an rpm package to dpkg or vice versa. It can also convert a .tgz package to the rpm or dpkg format allowing you to use software that has been packaged for a different package manager on your machine.

The latest version release is 8.72. The author of the software states that even though the version number is high, alien should be considered experimental software and should not be used to convert or replace important system packages. That said, alien has been in use for many years and has converted many packages.

The CentOS repositories don’t show an alien package. Apparently this seems to be a Debian thing. Never fear though, alien to the rescue before ever installing the package!

First obtain the source package, unpack it and cd into that directory:

wget http://ftp.de.debian.org/debian/pool/mai…
tar xzvf alien_8.72.tar.gz
cd alien

Don’t install it! We get to have that fun here in a couple of steps. Now get the alien*deb package and download it into the source directory which you just unpacked. Once that is done we’ll convert the deb package to rpm and install it.

wget http://http.us.debian.org/debian/pool/ma…
./alien.pl -r alien_8.72_all.deb
alien-8.72-2.noarch.rpm generated
ls
Alien alien_8.72_all.deb alien.lsm.in alien.spec debian GPL Makefile.PL README
alien-8.72-2.noarch.rpm
rpm -ivh alien-8.72-2.noarch.rpm
Preparing...                ########################################### [100%]
   1:alien                  ########################################### [100%]
which alien
/usr/bin/alien

There you have it! You now have alien and can convert your favorite rpm packages to deb or deb packages to rpm. Enjoy!

-j