Version 1.4
1/5/2004

Securing a Solaris Server - Install Necessary Third Party Packages

  1. Introduction
  2. History of this Web Page
  3. Overview
  4. Network Topology
  5. System Hardware Configuration
  6. Initial Installation
  7. Minimizing Solaris
  8. Minimizing Network Services
  9. Remove the Solaris Installation Leftovers
  10. Install Necessary Third Party Packages
  11. Close the Doors
  12. Obscure the Tracks
  13. Post the Warnings
  14. Perform System Backups
  15. Watch for Changes
  16. Sources of Tools
  17. Bibliography

---------------

 

10. Install Necessary Third Party Packages

Most servers need software that is not part of Solaris. Much of it is available as precompiled packages, which can be found on various Internet sites. If you're not sure you can trust the site where you found the package, don't install it. On my Solaris 8 x86 system, the following precompiled packages were added:

GNUbison       GNU bison 1.28 i86pc Solaris 8
GNUgcc         GNU gcc 2.95.2 i86pc Solaris 8
GNUgroff       GNU groff 1.15 i86pc Solaris 8
GNUm4          GNU m4 1.4 i86pc Solaris 8
GNUmake        GNU make 3.78.1 i86pc Solaris 8

On my SPARCstation LX, the same packages were added, but the descriptions were slightly different.

NOTE: The specific packages above are only examples. I installed them on my system because I prefer to use source releases whenever possible.

NOTE: Some people prefer not to build packages on the server, but to build them elsewhere and transfer the installed files. If you can find every file installed by the package, and have a spare system with the same architecture to do the builds on, this is probably a better idea.

In addition, there are many packages that are available in source form, but are not available precompiled for Solaris. There may also be packages that are available precompiled for Solaris, but with options set that aren't optimum for your installation. In these cases, you will have to locate and download the source package, and compile, test and install it.

When looking for a source package, it is useful to go to the origin site, because additional information on the package may be there. The package itself may be retrieved from a mirror site, if that is convenient, as long as the version number is current.

To make upgrades and patch installation easier, I strongly suggest that you save the commands that you enter to build the packages. Some of these packages are quite complex to build. An example of this is the command sequence I used to build GAS:

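#! /bin/sh
# Build and install GAS (the GNU assembler) from the binutils 2.10.1 source.
set -e          # stop at the first failing command instead of carrying on
echo Building GAS
# Remove any source tree left over from an earlier build
if [ -d binutils-2.10.1 ]
then
    rm -rf binutils-2.10.1
fi
# Unpack a fresh copy of the saved distribution
cp dist/src/binutils-2.10.1.tar.gz .
gunzip binutils-2.10.1.tar.gz
tar xf binutils-2.10.1.tar
rm binutils-2.10.1.tar
cd binutils-2.10.1
./configure
# Build the bfd and libiberty libraries before GAS itself
cd bfd
make
cd ../libiberty
make
cd ../gas
make
make install
cd ../..
echo GAS Complete

There are several packages that, for security reasons, I suggest be installed on any system. These are:
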
LSOF
This package is very useful for tracking down possible problems in a system.

SSH
This package (from SSH Communications Security) can be used to replace both telnet and FTP (along with the remote commands: rlogin, rexec, rcp and rsh). It uses fully encrypted sessions. It also allows ports to be forwarded through it, which makes encrypted remote X11 access possible.

Another version is available from OpenSSH. There is an excellent paper out (12) that covers the installation of OpenSSH on a Solaris system.

SUDO
This package allows a system administrator to give limited super-user permissions to individual users.

TCP Wrappers
This package can be used to filter access to a system, based on the service being requested, and the client host.

Before building TCP Wrappers, change LOG_MAIL to LOG_AUTH everywhere in the Makefile (it's in several places).

To allow extended option processing, the make command must contain the option STYLE=-DPROCESS_OPTIONS.

The minimum configuration only needs the /etc/hosts.allow file. The first line of the file should be ALL:localhost:ALLOW. The last line should be ALL:ALL:DENY. Placing the line ALL:ALL:DENY into the /etc/hosts.deny file can slightly increase your security.
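
The TCP Wrappers steps above can be checked with a short script. This is an added example, not part of the original page; the function names (patch_facility, check_hosts_allow, demo) are hypothetical and the sample file contents are constructed.

```shell
#!/bin/sh
# Added example, not from the original page; function names are hypothetical.

# Step 1: change LOG_MAIL to LOG_AUTH everywhere in the Makefile, then
# confirm that no occurrence was missed.
patch_facility() {
    sed 's/LOG_MAIL/LOG_AUTH/g' "$1" > "$1.new" || return 1
    mv "$1.new" "$1" || return 1
    if grep LOG_MAIL "$1" > /dev/null; then return 1; fi
}

# Step 2 is run by hand in the source directory, with the system type
# taken from the Makefile:  make STYLE=-DPROCESS_OPTIONS <system-type>

# Step 3: the first matching rule wins, so the localhost rule must be the
# first rule and the catch-all deny the last. Comment lines, blank lines
# and spaces or tabs are ignored for the comparison.
check_hosts_allow() {
    rules=`sed -e '/^#/d' "$1" | tr -d ' \011' | sed -e '/^$/d'`
    first=`printf '%s\n' "$rules" | sed -n '1p'`
    last=`printf '%s\n' "$rules" | sed -n '$p'`
    if [ "$first" != "ALL:localhost:ALLOW" ]; then
        echo "$1: first rule is '$first'" >&2; return 1
    fi
    if [ "$last" != "ALL:ALL:DENY" ]; then
        echo "$1: last rule is '$last'" >&2; return 1
    fi
}

# Demo on constructed files in a private scratch directory (mkdir fails,
# rather than reusing the path, if something already exists there).
demo() {
    d=${TMPDIR:-/tmp}/tcpw-demo.$$
    (umask 077; mkdir "$d") || return 1
    printf 'FACILITY= LOG_MAIL\n# LOG_MAIL is the default\n' > "$d/Makefile"
    printf '# constructed\nALL: localhost: ALLOW\nsshd: 192.0.2.0/255.255.255.0: ALLOW\nALL: ALL: DENY\n' > "$d/good"
    printf 'ALL:localhost:ALLOW\nALL:ALL:DENY\nsshd:ALL:ALLOW\n' > "$d/bad"
    rc=0
    patch_facility "$d/Makefile" || rc=1
    check_hosts_allow "$d/good" || rc=1
    check_hosts_allow "$d/bad" 2>/dev/null && rc=1   # rule after the deny
    rm -rf "$d"
    return $rc
}

demo && echo "checks behaved as expected"
```

On a real system, run check_hosts_allow against /etc/hosts.allow after every edit; a rule added below ALL:ALL:DENY is never reached.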


If you have any comments or suggestions, please E-mail webmaster@accs.com

© 2004 - Ashford Computer Consulting Service