I'm a Solaris rookie, and I'm trying to learn more about it.
I've an old Ultra 10, running Solaris 10u7, and I'd like to put it
directly connected to the Internet, to test some of the features of Solaris.
But I'm concerned about my network security. I would like to know
how I can be aware of Solaris security issues, and if there are
some tools to automatically fix those security issues and update the
Solaris version.
Thanks in advance,
Leonardo Marques.
>Hi guys,
You can run "/usr/sbin/netservices limited"; this takes down most
internet faced services.
Also, make sure that you properly configure ipfilter.
Casper
--
Expressed in this posting are my opinions. They are in no way related
to opinions held by my employer, Sun Microsystems.
Statements on Sun products included here are not gospel and may
be fiction rather than truth.
Notices of Security Patches/Updates are usually posted here and in other
Sun/Solaris related newsgroups. I think Sun's web site might have
useful information as well.
I would suggest NOT connecting your system "directly" to the internet.
Doing so is an invitation to "Zombie" your computer and put it to work
sending Spam!!
You should be going through a device called a router. An example is the
Linksys BEFSR41 or BEFSR81. The first is a router with a four port
switch and the latter is a router with an eight port switch.
These routers keep your internal network traffic inside your home. If,
for example, you are using your networked LaserJet to print checks, the
payees, amounts, etc. will never leave your home network. They also
block any incoming traffic that is not a response to an outgoing message.
You can buy the necessary hardware at Office Max. PC Connection and CDW
also offer such hardware. The latter two can supply some technical
support if you need it. Don't forget to buy a couple of Ethernet "patch
cords". You will use these to connect your router to your modem and to
connect your router to your computer(s).
I appreciate your concern, but I think you misunderstood me. I'll
connect it to my University network; there are several firewalls,
routers, switches etc. before my machine, and of course I'll set up a kind
of firewall on my machine. Nowadays I'm able to use iptables and also
pf (from OpenBSD). I think Solaris uses ipfilter, but I think it
won't be hard to set simple rules like block everything incoming,
release some ports like 22, and let outgoing traffic flow OK.
My main concern at this moment is with the updates, because it doesn't
matter if you have a well configured firewall while you have an old
buggy ssh version or apache that can be easily exploited by script
kiddies over the net.
Things that I'm looking for:
- Apply patches for interversion releases.
- Update from a major release to another: e.g. from 10u7 to 10u8.
- Update sunfreeware.
And it would be cool if some automated tools exist to do these tasks,
since it's very tedious to recompile everything at each new version
release.
Again, I do really appreciate your concerns, thanks.
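The host firewall described in this post (block everything inbound, open port 22, let outbound traffic flow) and the `netservices limited` step from Casper's reply, written out as a Solaris 10 ipfilter ruleset and the commands that load it. This is an added example, not something posted in the thread; the interface name hme0 (usual on an Ultra 10) is an assumption, so check `ifconfig -a` first.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal Solaris 10 ipfilter ruleset
# for a host that accepts nothing inbound except ssh, plus the commands that
# load it. IFACE=hme0 is an assumption; adjust to what ifconfig -a shows.

# write_ipf_rules IFACE OUTFILE: write the ruleset to OUTFILE.
write_ipf_rules() {
    iface=$1
    out=$2
    cat > "$out" <<EOF
# Default deny inbound; later "quick" rules override this for what we allow.
block in log all

# Loopback traffic is always fine.
pass in quick on lo0 all
pass out quick on lo0 all

# Inbound: only ssh (TCP/22). "flags S" matches the initial SYN and
# "keep state" lets the rest of that connection through.
pass in quick on $iface proto tcp from any to any port = 22 flags S keep state

# Outbound: let everything out and keep state so the replies are accepted.
pass out quick on $iface proto tcp from any to any flags S keep state
pass out quick on $iface proto udp from any to any keep state
pass out quick on $iface proto icmp from any to any keep state
EOF
}

# rule_count OUTFILE: number of active (non-comment, non-blank) rules.
rule_count() {
    grep -v '^#' "$1" | grep -c .
}

# apply_ipf_rules OUTFILE: turn off non-essential network services, install
# the ruleset and enable ipfilter. Runs only on the Solaris box, as root,
# and only when this script is invoked with the single argument "apply".
apply_ipf_rules() {
    /usr/sbin/netservices limited      # ssh stays up; most other listeners go
    cp "$1" /etc/ipf/ipf.conf
    svcadm enable network/ipfilter     # also starts ipfilter at boot
    ipf -Fa -f /etc/ipf/ipf.conf       # flush old rules, load the new ones
    ipfstat -io                        # show what is now active
}

if [ "${1:-}" = "apply" ]; then
    write_ipf_rules hme0 /tmp/ipf.conf.new
    apply_ipf_rules /tmp/ipf.conf.new
fi
```

Rules are evaluated with last-match semantics, so the leading `block in log all` stands for any inbound packet that no `quick` pass rule claims; `ipfstat -io` afterwards is the check that the loaded rules are the ones in the file.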
> Things that I'm looking for:
> - Apply patches for interversion releases.
> - Update from a major release to another: e.g. from 10u7 to 10u8.
> - Update sunfreeware.
>
> And it would be cool if some automated tools exist to do these tasks,
> since it's very tedious to recompile everything at each new version
> release.
If you have registered the box/vm at Sun and have at least a free
SunSolve account, you can download recommended and security patches for
free. The absolute best way of downloading and applying patches is to
use Martin Paul's pca script.
<http://www.par.univie.ac.at/solaris/pca/>
You can pay Sun to get access to more patches at SunSolve. (Which is
sunsolve.sun.com BTW)
You should also consider setting up your Solaris 10 system so that you
can use Live Upgrade when patching, which gives you a way back if a
patch causes problems.
--
Chris
Look for "PCA" "Patch Check Advanced". This is a script that will
inventory the patches you have installed and then go online to see if
there are any more that you need. If it finds any it will download and
install them. The author is, I believe, Martin Paul.
> Things that I'm looking for:
> - Apply patches for interversion releases.
> - Update from a major release to another: e.g. from 10u7 to 10u8.
> - Update sunfreeware.
As other people have said: look for PCA, it is the king of Solaris
patching (much better than any Tool Sun have)
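The patch workflow the last three replies describe (inventory what is installed, fetch what is missing with pca, apply it through Live Upgrade so there is a way back) as an added example. It is not code from the thread or from pca; the inventory function does by hand what pca does over `showrev -p`, on a constructed sample, and the pca option spellings (`--root`, `--patchdir`, `missingrs`) are from memory of its usage text, so confirm them with `pca --help`.

```shell
#!/bin/sh
# Added example (not from the thread or from pca itself): the inventory step
# behind pca, done by hand over `showrev -p` output, then the Live Upgrade
# patch cycle. pca option names are assumptions; check `pca --help`.

# Constructed sample of `showrev -p` output; not copied from any real box.
SAMPLE_SHOWREV='Patch: 119254-70 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 119254-72 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 120011-14 Obsoletes: 118833-36 Requires: 119254-70 Incompatibles:  Packages: SUNWcsr
Patch: 137137-09 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu'

# missing_patches "ID-REV ID-REV ...": reads showrev -p text on stdin and
# prints each wanted patch whose revision is absent or older than wanted.
# showrev lists every installed revision of a patch, so keep the highest.
missing_patches() {
    awk -v wanted="$1" '
        $1 == "Patch:" {
            split($2, p, "-")
            rev = p[2] + 0
            if (rev > max[p[1]]) max[p[1]] = rev
        }
        END {
            n = split(wanted, w, " ")
            for (i = 1; i <= n; i++) {
                split(w[i], q, "-")
                if (!(q[1] in max) || max[q[1]] < q[2] + 0) print w[i]
            }
        }'
}

# count_missing "ID-REV ...": the same check against the constructed sample,
# returned as a number.
count_missing() {
    printf '%s\n' "$SAMPLE_SHOWREV" | missing_patches "$1" | awk 'END { print NR }'
}

# patch_with_live_upgrade PATCHDIR: clone the running boot environment,
# patch the clone, then activate it; the old BE stays bootable if a patch
# misbehaves. Runs only on the Solaris host, as root, and only when this
# script is invoked with the argument "apply". A UFS root needs a target
# slice given to lucreate with -m.
patch_with_live_upgrade() {
    patchdir=$1
    pca -l missingrs                                     # list missing recommended/security patches
    pca -d --patchdir="$patchdir" missingrs              # download them (needs a SunSolve login)
    lucreate -n patched                                  # clone the current BE
    lumount patched /mnt                                 # mount the clone
    pca -i --root=/mnt --patchdir="$patchdir" missingrs  # patch the clone, not the live system
    luumount patched
    luactivate patched                                   # boot the clone next time
    init 6                                               # reboot; if it fails: luactivate the old BE
}

if [ "${1:-}" = "apply" ]; then
    patch_with_live_upgrade /var/tmp/patches
fi
```

Run without arguments it only defines the functions, so you can source it and call `missing_patches` on real `showrev -p` output; the `apply` path is the one that touches the system.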
<SNIP>
> I appreciate your concern, but I think you misunderstood me. I'll
> connect it in my University network, there are severall firewall,
> routers, switches etc before my machine, and sure I'll set up a kind a
> of firewall on my machine, nowadays I'm able to use iptables and also
> pf (from OpenBSD). I think, solaris uses ipfilter, but it, I think,
> won't be hard to set simple rules like block everything incoming,
> release some ports like 22, and let outgoing traffic flow ok.
Be aware, your system admin at the university, who I assume is not a rookie,
might not like you connecting a Sun to a university network. If your machine
does get compromised, that is likely to be the machine used to attack local
computers.
At least all the university system admins I've come across (and I spent many
years as a post-doc researcher at university), would be less than keen on that.
If you have not asked permission, I suggest you do so. You are more likely to
get permission than if you worked in a bank, but even at a uni, I would not be
surprised if you were not allowed to do it. Or if you are allowed to do it, it
could only be accessed directly from inside the university network, and not to
anyone on the Internet.
--
I respectfully request that this message is not archived by companies as
unscrupulous as 'Experts Exchange' . In case you are unaware,
'Experts Exchange' take questions posted on the web and try to find
idiots stupid enough to pay for the answers, which were posted freely
by others. They are leeches.
I AM a university system admin... and though I may not be representative of
the entire species, I can at least say that for me the OS on the system is
completely irrelevant, so long as it's kept up to date with patches, and
any Unix-based systems are at least minimally hardened.
Handing out accounts to non-university staff/faculty is also not kosher,
but there's nothing to indicate the original poster wants to do that.
--
Brandon Hume - hume -> BOFH.Ca, http://WWW.BOFH.Ca/
It would only be polite to ask though - as you say, you may not be
representative of the entire species. I've met many that would not like that.
> Handing out accounts to non-university staff/faculty is also not kosher,
> but there's nothing to indicate the original poster wants to do that.
Agreed, though that is not always true!
I have root access on some machines at the University of Washington, despite the
fact I live 5000+ miles away in the UK! I can create accounts for non-university
staff and do so on a regular basis. Any *serious* developer of software used in Sage
can have an account on a Sun T5240 and several other machines. I've offered
accounts to the GCC developers, but so far none have taken up the offer! Perhaps
if they did, GCC would not be such a pig to build on Solaris.
But developers of other software (ATLAS, Autoconf, MPFR, MPIR, ECL, PolyBoRi,
SCons, to name but a few) do have accounts.
Since Sun offers its own C compiler at no charge along with other
development tools why would you need GCC? I believe the Sun development
tools are available for download and you can also purchase a DVD for a
nominal charge.
>> I have root access on some machines at the University of Washington,
>> despite the fact I live 5000+ miles away in the UK! I can create
>> accounts for non-university staff and do so on a regular basis. Any
>> *serious* developer of software used in Sage
>>
>> http://www.sagemath.org/
>>
>> can have an account on a Sun T5240 and several other machines. I've
>> offered accounts to the GCC developers, but so far none have taken up
>> the offer! Perhaps if they did, GCC would not be such a pig to build
>> on Solaris.
>>
>
> Since Sun offers its own C compiler at no charge along with other
> development tools why would you need GCC? I believe the Sun development
> tools are available for download and you can also purchase a DVD for a
> nominal charge.
Since a very large proportion of code in use will not build with Sun Studio.
The latest Sage source code is 258 MB (compressed). Sorting out all the GNUisms
in that is no easy task. If you wish to help, you are welcome to!
Dave
> Since a very large proportion of code in use will not build with Sun Studio.
> The latest Sage source code is 258 MB (compressed). Sorting out all the GNUisms
> in that is no easy task. If you wish to help, you are welcome to!
>
> Dave
So....
C is a different language than Gnu C?
One other reason to consider GCC instead of the native Sun Studio compiler:
Can the Sun Studio compiler be used in a cross compiler mode to generate
code for, say, a ARM system or a Coldfire system ?
One of the things about GCC is that it can be built as a cross compiler
for embedded work for a wide range of platforms. I personally use gcc
(under Linux) to do embedded projects on ARM boards and AVR
microcontrollers.
Simon.
--
Simon Clubley, clubley@remove_me.eisner.decus.org-Earth.UFP
Microsoft: Bringing you 1980's technology to a 21st century world
ISTR that there is an ANSI Standard for C. This has not stopped people
from adding bells and whistles! Of course there is no universal
agreement on the additional non-standard features.
How many developers (outside of us embedded programmers) actually want
to cross compile?
> One of the things about GCC is that it can be built as a cross compiler
> for embedded work for a wide range of platforms. I personally use gcc
> (under Linux) to do embedded projects on ARM boards and AVR
> microcontrollers.
That's still no reason not to write portable code.
--
Ian Collins
> Since Sun offers its own C compiler at no charge along with other
> development tools why would you need GCC? I believe the Sun development
> tools are available for download and you can also purchase a DVD for a
> nominal charge.
To give you some specific issues in Sage
which mean it builds with gcc but not with the Sun compiler, here are 18 bugs.
There are probably others too, since if package X fails, and Y depends on X,
there is no way to check Y.
Sage will build on Solaris (SPARC) just by typing 'make' (after setting the
environment carefully). But there are numerous issues which prevent it building
with the Sun compiler. Some are not necessarily a result of C/C++/Fortran code
that is not accepted by Sun Studio, but the result of makefiles hard-coding
'gcc', flags specific to GCC being sent to the Sun compiler and countless others.
So while in an ideal world, people would write portable code, which would work
with any half-reasonable compiler, in practice this is not so.
Other issues are the result of people using non-standard options to standard
commands, such as 'uname -p', which is not portable. (It is not in the POSIX
standard, and is not implemented on HP-UX).
Anyway, here is a list of Sun Studio specific problems.
1) "Sun C++ compiler does not accept pynac C++ code"
http://trac.sagemath.org/sage_trac/ticket/7029
2) "modified sage library code' fails at c_lib if /opt/SUNWspro/bin/CC can be
found. (SCons issue)"
http://trac.sagemath.org/sage_trac/ticket/6595
3) "Flint ignores CC and CXX."
http://trac.sagemath.org/sage_trac/ticket/7024
4) "f2c ignores CC and uses gcc anyway"
http://trac.sagemath.org/sage_trac/ticket/7027
5) "symmetrica ignores CC"
http://trac.sagemath.org/sage_trac/ticket/7032
6) "PolyBoRi pass GNU specific options to the Sun compiler"
http://trac.sagemath.org/sage_trac/ticket/7034
7) "singular believes the Sun C++ compiler is broken."
http://trac.sagemath.org/sage_trac/ticket/7031
8) "scipy 0.7.p2 has a GNUism, sending GNU flags to the Sun compiler."
http://trac.sagemath.org/sage_trac/ticket/7072
9) "R sends the correct Sun flags to C and C++ compilers, but not Fortran."
http://trac.sagemath.org/sage_trac/ticket/7035
10) "rubiks ignores CXX and uses g++ even if CXX is Sun compiler"
(This is now fixed, and so will be an issue in the next release, but was an issue)
http://trac.sagemath.org/sage_trac/ticket/7036
11) "libm4ri thinks the C compiler is broken"
http://trac.sagemath.org/sage_trac/ticket/7037
12) "ratpoints 2.1.2.p2 ignores CC and uses gcc whatever"
http://trac.sagemath.org/sage_trac/ticket/7038
13) "ECL snapshot of 13th Sept 2009 fails with Sun Studio 12.1"
http://trac.sagemath.org/sage_trac/ticket/7062
14) "lcalc fails - Sun Studio compiler does not accept code. (I'm not surprised)"
http://trac.sagemath.org/sage_trac/ticket/7065
13) "cddlib 094f fails to build with Sun Studio - fabs() unresolved. Probably
needs -lm"
http://trac.sagemath.org/sage_trac/ticket/7067
14) "gfan 0.3.p4 Shows numerous missing header files with Sun compiler."
http://trac.sagemath.org/sage_trac/ticket/7068
15) "tachyon-0.98beta.p9 ignores CC and uses gcc, so can't build with Sun Studio."
http://trac.sagemath.org/sage_trac/ticket/7069
16) "palp-1.1.p1 ignores CC variable and uses gcc, so fails with Sun Studio."
http://trac.sagemath.org/sage_trac/ticket/7071
17) "scipy_sandbox 20071020.p4 has a GNUism, sending GNU flags to the Sun compiler."
http://trac.sagemath.org/sage_trac/ticket/7073
18) "cvxopt-0.9.p8 sends GNU options to Sun Fortran compiler and has bad C code."
http://trac.sagemath.org/sage_trac/ticket/7074
Entirely too much code assumes gcc-isms, and too many Makefiles assume
gcc options.
C++ shared libraries are incompatible between the two compilers
(different implementation of name mangling, and probably of
virtual functions and who knows what else that affects the binary calling
conventions).
Sometimes it's easier to just use gcc.
For SPARC, one can have gcc with the Sun compiler code generator:
Not many I suspect; but when needed it's still a valid reason for using gcc.
>> One of the things about GCC is that it can be built as a cross compiler
>> for embedded work for a wide range of platforms. I personally use gcc
>> (under Linux) to do embedded projects on ARM boards and AVR
>> microcontrollers.
>
> That's still no reason not to write portable code.
>
You will get no argument from me on that one.