Friday, February 10, 2012

Modifying Network Parameters in Solaris 10

My reference: The Center for Internet Security (Solaris 10 Benchmarks v4.0). Values set with ndd are lost at reboot, so the benchmark's approach is to put them in a method script that an SMF service runs early in every boot. First create the directory for the method script and the script itself:

mkdir -m 755 /var/svc/method
chown root:sys /var/svc/method
cd /var/svc/method

cat > cis_netconfig.sh << 'END'
#!/sbin/sh
# Network hardening parameters from the CIS Solaris 10 Benchmark.
# ndd settings do not survive a reboot, so SMF runs this script at every boot.

# Do not forward IPv4 or IPv6 source-routed packets
ndd -set /dev/ip ip_forward_src_routed 0
ndd -set /dev/ip ip6_forward_src_routed 0
# Do not reverse an incoming source route to build the return path
ndd -set /dev/tcp tcp_rev_src_routes 0
# Do not forward directed broadcasts (smurf-style amplification)
ndd -set /dev/ip ip_forward_directed_broadcasts 0
# Raise the half-open (SYN received, not yet established) queue to 4096 to resist SYN floods
ndd -set /dev/tcp tcp_conn_req_max_q0 4096
# Raise the established-but-not-yet-accepted connection queue to 1024
ndd -set /dev/tcp tcp_conn_req_max_q 1024
# Do not answer ICMP timestamp requests, unicast or broadcast
ndd -set /dev/ip ip_respond_to_timestamp 0
ndd -set /dev/ip ip_respond_to_timestamp_broadcast 0
# Do not answer broadcast ICMP address mask requests
ndd -set /dev/ip ip_respond_to_address_mask_broadcast 0
# Do not answer broadcast ICMP echo requests
ndd -set /dev/ip ip_respond_to_echo_broadcast 0
# Expire ARP cache entries after 60000 ms (1 minute) to shorten the window for ARP spoofing
ndd -set /dev/arp arp_cleanup_interval 60000
# Rescan the IP routing entries that depend on ARP every 60000 ms (1 minute)
ndd -set /dev/ip ip_ire_arp_interval 60000
# Ignore incoming IPv4 and IPv6 ICMP redirects
ndd -set /dev/ip ip_ignore_redirect 1
ndd -set /dev/ip ip6_ignore_redirect 1
# Make TCP port 6112 (CDE dtspcd) privileged so only root can bind it
ndd -set /dev/tcp tcp_extra_priv_ports_add 6112
# Strict multihoming: drop packets that arrive on one interface but are
# addressed to an IPv4/IPv6 address belonging to a different interface
ndd -set /dev/ip ip_strict_dst_multihoming 1
ndd -set /dev/ip ip6_strict_dst_multihoming 1
# Do not send ICMP redirects; a host that is not a router has no reason to
# (the original post left ip6_send_redirects at 1, which keeps the Solaris
# default of sending them; 0 matches the IPv4 setting and the benchmark intent)
ndd -set /dev/ip ip_send_redirects 0
ndd -set /dev/ip ip6_send_redirects 0
END

chown root:sys cis_netconfig.sh
chmod 555 cis_netconfig.sh

Now create the service manifest for /var/svc/method/cis_netconfig.sh. Write it to /var/svc/manifest/site, so it sits with the other site manifests and the manifest-import service picks it up again if the SMF repository ever has to be rebuilt:

cd /var/svc/manifest/site
cat > cis_netconfig.xml << 'END'
<?xml version="1.0"?>
<!DOCTYPE service_bundle SYSTEM
"/usr/share/lib/xml/dtd/service_bundle.dtd.1">

<service_bundle type='manifest' name='CIS:cis_netconfig'>

<service
  name='site/cis_netconfig'
  type='service'
  version='1'>

  <create_default_instance enabled='true' />

  <single_instance />

  <dependency
    name='usr'
    type='service'
    grouping='require_all'
    restart_on='none'>
    <service_fmri value='svc:/system/filesystem/minimal' />
  </dependency>

<!-- Run ndd commands after network/physical is plumbed. -->
  <dependency
    name='network-physical'
    grouping='require_all'
    restart_on='none'
    type='service'>
    <service_fmri value='svc:/network/physical' />
  </dependency>

<!-- but run the commands before network/initial -->
  <dependent
    name='ndd_network-initial'
    grouping='optional_all'
    restart_on='none'>
    <service_fmri value='svc:/network/initial' />
  </dependent>

  <exec_method
    type='method'
    name='start'
    exec='/var/svc/method/cis_netconfig.sh'
    timeout_seconds='60' />

  <exec_method
    type='method'
    name='stop'
    exec=':true'
    timeout_seconds='60' />

  <property_group name='startd' type='framework'>
    <propval name='duration' type='astring' value='transient' />
  </property_group>

  <stability value='Unstable' />

  <template>
    <common_name>
      <loctext xml:lang='C'>
          CIS Network Parameter Set
      </loctext>
    </common_name>
  </template>
</service>

</service_bundle>
END

Now import the SMF service from the directory where you created the manifest: svccfg import cis_netconfig.xml

The default instance is created enabled, so from the next reboot onward svc.startd runs cis_netconfig.sh after the interfaces are plumbed (network/physical) and before network/initial, and the network parameters are set afresh every time. Keeping the manifest under /var/svc/manifest/site means it is also re-imported automatically if the SMF repository is ever rebuilt. To apply the settings right away without a reboot, run /var/svc/method/cis_netconfig.sh by hand as root.

Check that the service imported and came up cleanly, and that a value actually took effect:

svcs -l svc:/site/cis_netconfig:default
ndd -get /dev/ip ip_send_redirects

svcs should report the state as online (the service is transient, so online means the start method exited successfully), and ndd should print 0. If the service is in maintenance, svcs -x and the log file /var/svc/log/site-cis_netconfig:default.log show why.

If any of these settings hinders functionality (strict multihoming on a multi-homed host is the usual suspect), disable the service: svcadm -v disable svc:/site/cis_netconfig:default. This only stops the values from being reapplied at boot; the running kernel keeps the current values until they are changed again with ndd -set or the system is rebooted.
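A reboot-time service is only as good as its last run, so it is worth having a checker that reads every parameter back and reports drift. The script below is an added example, not part of the CIS benchmark or the original post. It assumes Solaris 10 with /usr/sbin/ndd and ksh; the NDD variable, the function names and the file name cis_netcheck.sh are this example's own. One detail it handles: tcp_extra_priv_ports_add is write-only, so the privileged port list is read back through tcp_extra_priv_ports and 6112 is checked for membership in that list rather than for equality.

```shell
#!/bin/ksh
# cis_netcheck.sh: added example, not from the CIS benchmark or the original post.
# Reads back every parameter that cis_netconfig.sh sets and reports any that differ.
# Assumes Solaris 10 with /usr/sbin/ndd; NDD can be overridden for testing.

NDD=${NDD:-/usr/sbin/ndd}

# Expected values, one "driver parameter value" triple per line.
# tcp_extra_priv_ports_add cannot be read, so the list it adds to
# (tcp_extra_priv_ports) is what gets checked.
cis_expected() {
    cat <<'EOF'
/dev/ip ip_forward_src_routed 0
/dev/ip ip6_forward_src_routed 0
/dev/tcp tcp_rev_src_routes 0
/dev/ip ip_forward_directed_broadcasts 0
/dev/tcp tcp_conn_req_max_q0 4096
/dev/tcp tcp_conn_req_max_q 1024
/dev/ip ip_respond_to_timestamp 0
/dev/ip ip_respond_to_timestamp_broadcast 0
/dev/ip ip_respond_to_address_mask_broadcast 0
/dev/ip ip_respond_to_echo_broadcast 0
/dev/arp arp_cleanup_interval 60000
/dev/ip ip_ire_arp_interval 60000
/dev/ip ip_ignore_redirect 1
/dev/ip ip6_ignore_redirect 1
/dev/tcp tcp_extra_priv_ports 6112
/dev/ip ip_strict_dst_multihoming 1
/dev/ip ip6_strict_dst_multihoming 1
/dev/ip ip_send_redirects 0
/dev/ip ip6_send_redirects 0
EOF
}

# check_one DRIVER PARAM WANT: prints one status line.
# Returns 0 on match, 1 on mismatch, 2 if ndd could not read the parameter.
check_one() {
    drv=$1 prm=$2 want=$3
    actual=$("$NDD" -get "$drv" "$prm" 2>/dev/null) || {
        echo "ERR  $drv $prm: ndd -get failed"
        return 2
    }
    case "$prm" in
        tcp_extra_priv_ports)
            # ndd prints the privileged port list one port per line;
            # pass if the wanted port appears anywhere in it.
            for p in $actual; do
                [ "$p" = "$want" ] && { echo "OK   $drv $prm contains $want"; return 0; }
            done
            echo "FAIL $drv $prm does not contain $want"
            return 1 ;;
        *)
            if [ "$actual" = "$want" ]; then
                echo "OK   $drv $prm = $actual"
                return 0
            fi
            echo "FAIL $drv $prm = $actual (expected $want)"
            return 1 ;;
    esac
}

# check_all: checks every expected triple; returns the number of parameters
# that are wrong or unreadable (0 means the host matches cis_netconfig.sh).
check_all() {
    bad=0
    while read -r drv prm want; do
        check_one "$drv" "$prm" "$want" || bad=$((bad + 1))
    done <<EOF
$(cis_expected)
EOF
    return $bad
}

# When run on a host that actually has ndd, report and exit with the mismatch count.
if [ -x "$NDD" ]; then
    check_all
    exit $?
fi
```

Run it as root after a reboot, or after running the method script by hand. The exit status is the number of non-compliant parameters, so it drops straight into a cron job or an audit harness; ERR lines mean ndd itself refused the read, which on Solaris 10 usually means the script was not run as root.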
