Installing and Configuring Solaris
This section describes how to install and configure Solaris securely.
- Apply all significant security patches to the OS and to services installed with the OS. Please apply these patches selectively, because applying all available updates may install new features and even new OS releases that ACSLS has not been tested with.
- Disable telnet and rlogin. Use ssh instead. Also disable ftp and use sftp instead.
Run the following commands as root. To see all the services, use the svcs command. To disable telnet, rlogin, and ftp, use the following commands:
    svcadm disable telnet
    svcadm disable rlogin
    svcadm disable ftp
- Do not disable ssh. You want users to log in remotely to ACSLS using ssh, not telnet or rlogin. Also do not disable sftp.
- ACSLS requires rpc-bind. Do not disable it.
If Solaris is installed with the Secure by Default option, you must alter a network configuration property for rpc-bind to permit ACSAPI clients to send requests to ACSLS.
Refer to the ACSLS Installation Guide, "Installing ACSLS on Solaris" chapter, "Installing Solaris" section for details.
- Some Ethernet ports on the ACSLS server need to be open for communication with ACSLS. Client applications use specific Ethernet ports for communication with ACSLS, and ACSLS communicates with specific ports on tape libraries. See Ethernet Ports Used for ACSLS Communication for the ports that need to be available for ACSLS communication. On the ACSLS server, ensure that ipfilter is configured to allow traffic to the ports used by ACSLS.
- Determine your Solaris auditing policy. The "Auditing in Oracle Solaris" section in "Oracle System Administration: Security Services" can help you plan for what events to audit, where your audit logs should be saved, and how you want to review them.
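The service states the list above asks for (telnet, rlogin, and ftp disabled; ssh and rpc-bind online) can be checked with a short script. This is an added example, not part of the ACSLS documentation. The FMRIs are the names commonly used on Solaris 10/11 and are an assumption to confirm with svcs -a; the sample input is constructed.

```shell
#!/bin/sh
# Added example: audit SMF service states against the hardening list above.
# Input is one "STATE FMRI" pair per line, as printed by:
#   svcs -H -a -o state,fmri

# Needs a POSIX awk; on Solaris set AWK=nawk or AWK=/usr/xpg4/bin/awk.
AWK=${AWK:-awk}

# Assumed FMRIs (confirm on your release with svcs -a).
MUST_BE_OFF="svc:/network/telnet:default svc:/network/login:rlogin svc:/network/ftp:default"
MUST_BE_ON="svc:/network/ssh:default svc:/network/rpc/bind:default"

check_acsls_services() {
    "$AWK" -v off="$MUST_BE_OFF" -v on="$MUST_BE_ON" '
        BEGIN { n = split(off, offl, " "); m = split(on, onl, " ") }
        NF >= 2 { state[$2] = $1 }
        END {
            bad = 0
            # Cleartext services: absent (not installed) or disabled is fine;
            # online, offline, degraded or maintenance are all findings.
            for (i = 1; i <= n; i++) {
                f = offl[i]
                if ((f in state) && state[f] != "disabled") {
                    printf "FAIL %s is %s, expected disabled\n", f, state[f]; bad++
                }
            }
            # Required services must be present and online.
            for (i = 1; i <= m; i++) {
                f = onl[i]
                s = (f in state) ? state[f] : "missing"
                if (s != "online") {
                    printf "FAIL %s is %s, expected online\n", f, s; bad++
                }
            }
            exit (bad > 0)
        }'
}

# Constructed sample input (not captured from a real host).
SAMPLE='online svc:/network/ssh:default
online svc:/network/telnet:default
disabled svc:/network/login:rlogin
maintenance svc:/network/ftp:default
disabled svc:/network/rpc/bind:default'

audit_sample() { printf '%s\n' "$SAMPLE" | check_acsls_services; }

# On a Solaris host, audit the live system.
if command -v svcs >/dev/null 2>&1; then
    svcs -H -a -o state,fmri | check_acsls_services && echo "service states OK"
fi
```

The function exits non-zero when any finding is printed, so it can gate a post-install checklist or a periodic cron check.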