Host Configuration Software Overview (Solaris ISP Server 2.0 Administration Guide)

Solaris ISP Server 2.0 Administration Guide

Host Configuration Software Overview

The Solaris ISP Server host configuration software provides the following functionality:

Software installation. Administrators install, uninstall, and upgrade all Solaris ISP Server software using the host configuration software. Administrators can save installation scenarios for use in a JumpStart^TM finish script to repeat installations automatically.
Solaris foundation security hardening. To improve security and conserve resources, unneeded Solaris services are disabled. Security-related components of Solaris are configured appropriately for an ISP environment.
Intrusion detection. Periodically, the intrusion detector checks its log file, determining whether any failed log-on attempts have occurred since the last check. If an intrusion attempt has occurred, the detector collects the logged data and passes it to the user-specified notification mechanism (such as electronic mail). The period for the intrusion check is configurable.
Log file management. Audit and syslog logs are cycled daily. The log file management daemon archives logs weekly and deletes any archive older than one month. See the hclfmd(1m) man page for details.
Server process management. This cron job ensures that server processes (such as news servers) are indeed running. If any server has stopped abnormally, the server process manager starts that server.

How Solaris ISP Server Installs

Because the typical UNIX server must run a variety of applications, the default Solaris installation assumes that most UNIX services are needed. ISPs focus more narrowly on providing specific services in a public environment. They have heavy performance and security requirements.

To configure Solaris to their needs, ISP administrators typically perform elaborate hardening tasks. They disable unneeded Solaris services and change file permissions to close security vulnerabilities. This process can take hours.

The host configuration software in Solaris ISP Server automates this hardening process for the administrator. In addition to copying the necessary software packages to their proper locations, it hardens the underlying Solaris foundation, changing file owners and modes where appropriate as well as configuring Solaris security and logging mechanisms. The final step in this process is selectively disabling standard Solaris services (such as finger or rlogin) when they do not support the purpose of a given host machine. The administrator controls which services are disabled.

Solaris ISP Server host configuration can be performed interactively by using its graphical user interface, or repeatably and non-interactively using JumpStart.

Host Configuration Model

The configuration process works by building a scenario of the current state of the system, what software components are available to be installed, and what the user has selected for install or uninstall.

Figure 1-7 Solaris ISP Server Host Configuration Process

The host configuration software can also be used to reconfigure a host after installation, adding and removing services as needed.

Repeatable Configuration

Interactive host configuration (using the graphical user interface) provides the option to save a configuration scenario (in the form of a binary and some associated files). By creating and saving a scenario, the ISP administrator can use it in a JumpStart finish script, forming a non-interactive, one-step installation. Such JumpStart installations are repeatable and can be used to configure multiple machines identically.

JumpStart is a part of the Solaris operating system that can perform customized, repeatable installations of Solaris both locally and remotely. See the Solaris Advanced Installation Guide for details on how to create a custom JumpStart installation. See the Solaris ISP Server Installation Guide and the hcjump(1M) man page for information on how to use a scenario file in a finish script for a custom JumpStart installation.

Log File Management and Intrusion Detection

The host configuration software includes a resident daemon, hclfmd, that performs log file management. This daemon runs as root. It starts at boot time and performs the following functions:

It parses the list of log files in /etc/syslog.conf for file paths that do not start with /dev (files associated with system devices) and performs a cleanup, journal, and cycle pass every day.

For every log file written by syslogd, it performs the following functions:
- It renames the existing log file and creates a new daily log.
- It sends the restart signal (-HUP) to the syslog daemon to create a new daily log.
- It generates a weekly archive by compressing daily log files every week and stores it as name.YYYYMMDD-YYYYMMDD.tar.Z.
- It discards weekly archives that are more than a month old.
It obtains the location of audit logs from /etc/security/audit_control and performs a cleanup, journal, and cycle pass every day.

It performs the following functions for every locally mounted audit directory:
- It executes audit -n to create a new daily log. This signals the audit directory to close the current audit file and open a new audit file in the current audit directory.
- It generates a weekly archive by compressing daily log files every week and stores it as audit.YYYYMMDD-YYYYMMDD.tar.Z.
- It discards weekly archives that are more than a month old.
It performs an intrusion detection check on the interval set by the user. For details, see hclfmd(4).
- It detects and reports every failed authorization entry in syslog files.
- By default, /etc/opt/SUNWisp/hc/hclfmd.conf is configured to send mail to root for every failed authorization attempt entered in syslog.
  
  Note -
  You can reconfigure this file. By default, it is configured as follows: /var/log/badauth:/usr/bin/mailx -s "%f" root < %c where:
  - /var/log/badauth is the file where the entries are made.
  - /usr/bin/mailx -s is the command to send mail to root.
  - "%f" is the subject-line of the mail, containing the name of the file where the entries were detected.
  - "%c" is the new content of the syslog file.