Domain Solaris OE Configuration
This section describes the additional packages, daemons, startup scripts, and other configuration modifications that are specific to a Sun Fire 15K domain. While not all of these daemons affect the security of the system directly, from a security perspective, you should always be aware of them and their impact on the system.
The following Sun Fire 15K domain-specific packages are installed as part of the SUNWCall cluster:
system SUNWdrcrx Dynamic Reconfiguration Modules for Sun Fire 15000 (64-bit)
system SUNWsckmr Init script & links for Sun Fire 15000 Key Management daemon
system SUNWsckmu Key Management daemon for Sun Fire 15000
system SUNWsckmx Key Management Modules for Sun Fire 15000 (64-Bit)
The Sun Fire 15K domain software does not change /etc/passwd, /etc/shadow, or /etc/group files. This is unlike the Sun Fire 15K SMS software on the System Controller (SC) which does modify these files.
The Sun Fire 15K domain-specific daemons are:
root 11 1 0 17:28:32 ? 0:00 /platform/SUNW,Sun-Fire-15000/lib/cvcd
root 121 1 0 17:28:46 ? 0:00 /usr/platform/SUNW,Sun-Fire-15000/lib/sckmd
While they are not Sun Fire 15K domain-specific, the following daemons are used for Dynamic Reconfiguration on Sun Fire 15K domains and should not be disabled:
root 324 1 0 07:47:24 ? 0:00 /usr/lib/efcode/sparcv9/efdaemon
root 58 1 0 05:32:57 ? 0:00 /usr/lib/sysevent/syseventd
root 60 1 0 05:32:57 ? 0:00 /usr/lib/sysevent/syseventconfd
root 65 1 0 05:32:59 ? 0:00 devfsadmd
root 371 1 0 05:33:12 ? 0:00 /usr/lib/saf/sac -t 300
root 631 295 0 16:30:34 ? 0:00 /usr/lib/dcs
Sun Fire 15K daemons are started by several different startup scripts including the /etc/init.d/cvc and /etc/init.d/sckm scripts.
The additional network that a Sun Fire 15K domain uses to communicate with the Sun Fire 15K SC is defined like any other network interface, through an /etc/hostname.* entry. A typical Sun Fire 15K domain has an /etc/hostname.dman0 file similar to the following:
# more /etc/hostname.dman0
192.168.103.2 netmask 255.255.255.224 private up
The /etc/hostname.dman0 entry configures the I1 network, the domain-to-SC Management Network (MAN). This IP address, 192.168.103.2, is used for point-to-point communication between the domain and the SC. The connection runs over the internal Sun Fire 15K MAN; no external wiring is used.
The network configuration appears as follows:
dman0: flags=1008843<UP,BROADCAST,RUNNING,MULTICAST,PRIVATE,IPv4> mtu 1500 index 2
        inet 192.168.103.2 netmask ffffffe0 broadcast 192.168.103.31
        ether 8:0:20:be:f8:f4
While the dman0 network supports regular Internet Protocol (IP) traffic, it should be used only for Sun Fire 15K management traffic. Any other use of this internal network may affect the reliability, availability, and serviceability (RAS) of the entire platform. Refer to the scman(7D) and dman(7D) man pages for more information.
Additionally, all Sun Fire 15K SC-to-domain communication over the MAN network is encrypted through the use of IPsec. The IPsec protocol suite is used to provide privacy and authentication services at the IP layer as defined by the Internet Engineering Task Force (IETF). For additional information about IPsec, refer to RFC 2411 at http://www.ietf.org.
Attempts to access Sun Fire 15K domain and SC daemons from non-MAN networks generate syslog messages indicating that an access attempt was made. Such a log message appears as follows:
Sep 20 08:04:26 xc17p13-b5 ip: [ID 993989 kern.error] ip_fanout_tcp_listen: Policy Failure for the incoming packet (not secure); Source 192.168.181.252, Destination 010.001.073.042.
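As an added example, not code from the original document, the following POSIX shell script triages these messages on a domain: it extracts the source and destination from each Policy Failure line, rewrites the kernel's zero-padded octets, and reports only sources that fall outside the MAN subnet configured in /etc/hostname.dman0. The log lines it contains are constructed for the example; the MAN address and netmask are the ones shown above.

```shell
#!/bin/sh
# Added example: triage of Solaris IPsec "Policy Failure" syslog lines on a Sun Fire 15K domain.

# MAN address and netmask as configured in /etc/hostname.dman0 on this page.
MAN_ADDR=192.168.103.2
MAN_MASK=255.255.255.224

# Constructed sample of /var/adm/messages content (not captured from a real domain).
SAMPLE_LOG='Sep 20 08:04:26 xc17p13-b5 ip: [ID 993989 kern.error] ip_fanout_tcp_listen: Policy Failure for the incoming packet (not secure); Source 192.168.181.252, Destination 010.001.073.042.
Sep 20 08:05:01 xc17p13-b5 sshd[412]: [ID 800047 auth.info] Accepted publickey for admin from 10.1.70.5
Sep 20 08:06:13 xc17p13-b5 ip: [ID 993989 kern.error] ip_fanout_tcp_listen: Policy Failure for the incoming packet (not secure); Source 192.168.103.7, Destination 192.168.103.2.'

# Read syslog lines on stdin; print "SOURCE DESTINATION" for each IPsec policy failure,
# with the kernel's zero-padded octets (010.001.073.042) rewritten as 10.1.73.42.
policy_failures() {
  awk '/ip_fanout_tcp_listen: Policy Failure/ {
    for (i = 1; i <= NF; i++) {
      if ($i == "Source")      src = $(i + 1)
      if ($i == "Destination") dst = $(i + 1)
    }
    sub(/[,.]$/, "", src); sub(/[,.]$/, "", dst)   # drop the trailing "," and "."
    split(src, s, "."); split(dst, d, ".")
    printf "%d.%d.%d.%d %d.%d.%d.%d\n", s[1], s[2], s[3], s[4], d[1], d[2], d[3], d[4]
  }'
}

# Dotted quad -> 32-bit integer; awk does the arithmetic so leading zeros are never read as octal.
ip_to_int() {
  printf '%s\n' "$1" | awk -F. '{ printf "%.0f\n", $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 }'
}

# Succeeds when address $1 is on the subnet given by address $2 and netmask $3.
in_subnet() {
  a=$(ip_to_int "$1"); n=$(ip_to_int "$2"); m=$(ip_to_int "$3")
  [ $(( a & m )) -eq $(( n & m )) ]
}

# Print only the failures whose source is not a MAN address: these are the
# non-MAN access attempts the text describes and deserve a closer look.
non_man_failures() {
  policy_failures | while read -r src dst; do
    if in_subnet "$src" "$MAN_ADDR" "$MAN_MASK"; then continue; fi
    printf '%s -> %s\n' "$src" "$dst"
  done
}

printf '%s\n' "$SAMPLE_LOG" | non_man_failures
```

On a live domain, replace the sample with `non_man_failures < /var/adm/messages`; a failure whose source is itself a MAN address is not reported here but still indicates traffic that did not match the IPsec policy.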
NOTE
Do not use MAN networks for anything other than Sun Fire 15K management traffic. These are Sun Fire 15K specific networks and they are not for general-purpose use.