Securing a Solaris Server - Install Necessary Third Party Packages
On my SPARCstation LX, the same packages were added, but the descriptions were slightly different.GNUbison GNU bison 1.28 i86pc Solaris 8 GNUgcc GNU gcc 2.95.2 i86pc Solaris 8 GNUgroff GNU groff 1.15 i86pc Solaris 8 GNUm4 GNU m4 1.4 i86pc Solaris 8 GNUmake GNU make 3.78.1 i86pc Solaris 8
NOTE: The specific packages above are only examples. I installed them on my system, as I prefer to use source releases, whenever possible.
NOTE: Some people prefer to not build packages on the server, but to build them elsewhere, and transfer the installed files. If you have the ability to find every file installed by the package, and a spare system with the same architecture, to do the builds on, this is probably a better idea.
In addition, there are many packages that are available in source form, but are not available precompiled for Solaris. There may also be packages that are available precompiled for Solaris, but with options set that aren't optimum for your installation. In these cases, you will have to locate and download the source package, and compile, test and install it.
When looking for a source package, it is useful to go to the origin site. This is because additional information on the package may be there. The actual package may be retrieved from mirror sites, if it's convenient, as long as the version number is current.
To make upgrades, and patch installation easier, I strongly suggest that you save the commands that you enter to build the packages. Some of these packages are quite complex to build. An example of this is the command sequence I used to build GAS:
There are several packages that, for security reasons, I suggest be installed on any system. These are:#! /bin/sh echo Building GAS if [ -d binutils-2.10.1 ] then rm -rf binutils-2.10.1 fi cp dist/src/binutils-2.10.1.tar.gz . gunzip binutils-2.10.1.tar.gz tar xf binutils-2.10.1.tar rm binutils-2.10.1.tar cd binutils-2.10.1 ./configure cd bfd make cd ../libiberty make cd ../gas make make install cd ../.. echo GAS Complete
Another version is available from OpenSSH. There is an excellent paper out (12) that covers the installation of OpenSSH on a Solaris system.
Before building TCP Wrappers, change LOG_MAIL to LOG_AUTH, everywhere in the Makefile (it's in several places).
To allow extended option processing, the make command must contain the option STYLE=-DPROCESS_OPTIONS.
The minimum configuration only needs the /etc/hosts.allow file. The first line of the file should be ALL:localhost:ALLOW. The last line should be ALL:ALL:DENY. Placing the line ALL:ALL:DENY into the /etc/hosts.deny file can slightly increase your security.
If you have any comments or suggestions, please E-mail firstname.lastname@example.org
© 2004 - Ashford Computer Consulting Service