Solaris Fingerprint Database Companion and Solaris Fingerprint Database Sidekick. There's general information about securing Solaris, patches to know about, tools to use. Sun Microsystems will next month launch a utility to make it easier to manage security patches issued for its Solaris 9 operating system. To avoid these bugs, apply the available patches that fix the bugs. Latest Solaris 10 patch bundles: I don't know if it's just my own ignorance or Oracle purposely obfuscating the latest patch bundles for Solaris, but I recently had a hell of a time finding the January 2017 patch bundle for Solaris 10. Solaris Security Today and Tomorrow: technical deep dive updated for Solaris 10 05/09, Solaris Next, and Solaris Future. If you're using Solaris 7 or Solaris 8 in 64-bit mode, IPFilter can be relatively difficult to compile correctly.
Solaris patches installation error codes, Solaris blog. For Solaris 7-9 releases, refer to the man pages for instructions on. It does not necessarily apply to some applications embedded in Solaris, such as StarOffice. For a very secure system, replace the standard nf with one that just. I need to check the latest kernel version in a Solaris 10 container. One of the most useful guides to the currently available patches for Solaris 9 is the SunSolve Patch Report. Some of the latest patches released for Solaris 9 include the following.
Hi Unix experts, I'm told to install WebSphere MQ on Sun 5. The nf file tells inetd which ports to listen to and what server to start for each port; the first thing to look at as soon as you put your Linux. You have more than one command option that you can use. Building a secure Sun JumpStart environment using the Solaris. The Solaris system Automated Security Enhancement Tool (ASET) configurable parameters in the asetenv file must be correct. After that, there'll be no new Solaris 8 or Solaris 9 patches created. There are no predictable symptoms that would show the described issue has been exploited to gain root privileges. Use the Service Management Facility (SMF) to modify the standard Internet services or to have additional services started by the inetd daemon. Use the following SMF commands to manage services started by inetd. They can be released by Sun because of previously identified bugs which have been fixed, or because a security exploit has been discovered in a piece of software, and a simple workaround is inadequate to prevent intrusion or disruption of normal system activity. Appendix A: Solaris 9 9/05 HW operating system patch list, Solaris. Now I need to know how to check the latest kernel version in a Solaris 10 container.
If this service is present and enabled, the system is vulnerable. May 19, 2009: Solaris 10 patch return codes, May 19, 2009, by Gleb Reys, 4 comments. Now that some of the systems I have to regularly patch are Solaris 10 ones, I have to get used to the new patch return codes which one can see when applying one of Sun's recommended patchsets. Sun Solaris 7, 8 and 9, and Trusted Solaris 7, 8 and 9: default installations of the sadmind daemon may allow a local or remote attacker to execute code with elevated privileges on the system. Sun Blade 100/150 flash PROM update 111292-17 obsoleted by. Solaris 8 patch 110286-09, Solaris 9 patch 112808-02, Intel Solaris 2. Sol chapter 9 9 securing Solaris, Linux, and Apache 338 introduction default. There are three workarounds that are advised until patches are. This post is for the system admins who still want to use the traditional method of patching for whatever reason they want to. Patches contains Sun recommended and security patch. Solaris 9 OE implements an /etc/default/inetd to control the use of TCP. The tftpd daemon is configured in nf and called by the. Sites which have sadmind(1M) enabled in nf4 with strong. With SMF, system administrators can use simple command-line utilities to easily identify, observe, and manage both the services provided by the system and the system itself. Correct, it's not possible to get Solaris 10 patches without a valid support contract.
However, popular packages are updated frequently and by subscriber request; more up-to-date packages may also be present for other versions of Solaris. What are the Solaris 9 patches needed for Oracle 8i 8. I can ssh into all of them if I ran ssh from a box that has an ssh client. Solaris OS patching has been moved far away from the traditional methods from Solaris 10 onwards. The inetd daemon starts up Internet standard services when a system boots, and can restart a service while a system is running. Dec, 2006: for every application that is installed on your server, you should make sure that you have the correct scripts in etcrc x. Each marketing release of Solaris has its own set of patches. Solaris 9 exiting extended support period, Oracle Solaris. Like many others, I am a big fan of Live Upgrade when it comes to upgrading/patching Solaris.
OpenSSH: installing OpenSSH is not needed on Solaris 9 or 10. I'd like to upgrade the version of Kerberos to a more recent version, but was unsure whether updates to Kerberos are provided by applying a Solaris patch or whether I would need to go to the MIT website. Solaris init scripts don't recognise restart; you have to do a stop and start. If you really want to stop/start inetd without affecting other services, do. Send the inetd(1M) process a hangup signal (SIGHUP) so that inetd will reread the inetd. Administrators are advised to inspect the etcnf file to determine if the rpc. A sample /etc/services file, shown below, defines port numbers for most of the commonly used services: tcpmux 1/tcp, echo 7/tcp, echo 7/udp, discard 9/tcp sink null, discard 9/udp sink null, systat 11/tcp users, daytime tcp, daytime udp, netstat 15/tcp, chargen 19/tcp ttytst source, chargen 19/udp ttytst source, ftpdata. Solaris 9 can be installed with TCP Wrappers in the default installation. Package names that are non-bold and/or with no version number are not currently available for this version of Solaris. Solaris 10 container deployed from Solaris 10 global zone to Solaris 11 global zone. There were a total of 24 Solaris 10 patches, including kernel updates, and 4 patchsets released on MOS. The Sun Solaris sadmind daemon is included in the Solstice AdminSuite of tools and is used to manage distributed systems.
Solaris operating system Service Management Facility how. There is no need to bring down the server to single-user mode if you are using the Live Upgrade method during patching, and before choosing Live Upgrade, make sure you are using ZFS as a root filesystem. Many applications that use RPC services add entries to the etc inetd. Comments or proposed revisions to this document should be sent via email to the following address. Solaris 10 extended support will run through January 2021. Solaris Security Today and Tomorrow, Penn State College. For your information, from Solaris 11 onward, ZFS will be the default root filesystem. Note: the Oracle Solaris 10 9/10 software contains scriptspecial patches which do not deliver bug fixes or new features, but deliver changes that are required as a result of issues with the creation of the update image. These release notes also include end-of-software-support statements, documentation issues, and a list of integrated patches. It's similar to the Solaris 8/9 patchset installation codes, but there are more codes added to the list. I am planning to do Solaris 11 global zone patching having a Solaris 10 branded zone. Solaris 9 OE no longer installs a fully populated etcnf.
Kerberos-enabled versions of telnet, r commands, and more are available as a free download from the Sun Download Center. If settings in the asetenv file have been modified, then system vulnerabilities may not be detected. Another tool, Sun Patch Check, can be run to obtain a listing of available patches, but provides little diagnostic capability. We discuss considerations for installation, patching the OS, and the basics for. Solaris is usually used as a server operating system. MD5: the MD5 software is not needed for systems running the Solaris 10 OS, because the digest(1M) command now includes MD5 functionality. Verify the root password on this system is set correctly.
The Solaris Enterprise Authentication Mechanism server and client is included in the Solaris 9 OS to provide single sign-on capabilities for servers and applications. On almost all servers, the RPC services in etcnf can be removed. Apply patches: at least download and install Sun's recommended patch cluster; also check the patch report file for additional security patches; patches must be maintained on an ongoing basis. However, it appears you don't need Solaris 10 patches since you're running Solaris Express. Solaris operating system Service Management Facility how to. The resulting new nf file may re-enable services that were previously disabled e.
The Solaris Patch Manager tool, a full-featured patch management tool, also provides details regarding patches. Most Solaris administrators will search for a Solaris 11 OS patch bundle like the ones we used to get for Solaris 10, but you won't get it. Sun Solaris sadmind arbitrary command execution vulnerability. So you could clean the save directory for 109667-04 when 109667 hits, say, rev 07. Security vulnerability in the authentication mechanism for. Solaris 9 now includes the TCP Wrappers distribution as part of the operating system. I installed Patch Manager but in its readme file I found out that it's only for Solaris 8 and there is some update manager for Solaris 9. On almost all servers, the RPC services in etc inetd. Edna has put together a handy document on patching Solaris using.
Once you've decided exactly which pieces of the operating system you wish to. The following is a list of questions that are frequently asked about Solaris 2. It contains entries for the most commonly used Internet services. Sun has released updated patches at the following links. CDE ToolTalk database server multiple vulnerabilities. Solaris 10 OS patching using Live Upgrade, UnixArena. A supported release means that someone will answer the phone, and that patches for problems are available. I have doubts on step 8 especially; can someone clear my step 8 doubts or if. The Solaris 9 SPARC Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems.
Solaris 10, start inetd in a zone not working, Unix and Linux forums. However, patches cannot be backed out of the Solaris 9 9/05 HW release. The following applies to core Solaris packages and patches. Say something like: clean up save folders for patch rev obsolete patches after patch is two revisions ahead. The inetd nf file, from Securing and Optimizing Linux by Gerhard Mourani; old Red Hat inetd configuration is like Solaris. Before I install it, my task is to find out what OS patches have already been installed on the box. CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been split based. List of patches and date installed: my understanding is that showrev -p would show patches but not the date they were installed.
After examining the possible client FTP commands and server response codes, let's see how this transactional system actually works in practice on Solaris. Many applications that use RPC services add entries to the etcnf in addition to using one of the RPC-based daemons. Solaris 9 OE no longer installs a fully populated etc inetd. How can I stop the telnet service in Solaris 8 and 9? An attacker may submit malicious RPC requests to forge a new client identity.
There is also a replacement for inetd, called xinetd, that includes built-in TCP wrapper functionality. The first step is to make a connection to a remote host from the local system by using the standard client. Security issue involving the Solaris sadmind(1M) daemon, Oracle. Scott Lynn put together a very informative blog on Solaris 10. This article is going to explain how to update the Solaris 11. To determine if sadmind(1M) is enabled on the system, the following command can be run. In Solaris 11, Oracle removed the word called patches from their dictionary. Hi, I have a Solaris 10 device which has quite a dated version of Kerberos 5 installed.
Patches are binary code modifications that affect the way Sun-supplied software operates. Jul 03, 2012: Solaris OS patching has been moved far away from the traditional methods from Solaris 10 onwards. You can even run Solaris 10 guest domains under a Solaris 11 control domain and run Solaris 8 and Solaris 9 branded zones in your Solaris 10 guest domains if you really want to. Solaris 9 without patch 116454-01: sites which have sadmind(1M) enabled in inetd. Many inetd services must be mapped to a specific port number. I tried the pkginfo -i command but it gives all of the packages installed.
Because of this, you want to make sure that you shut the system down as gracefully as possible to ensure there isn't any data loss. Sun Solaris 8, Sun Solaris 9, Sun Solaris 10 operating system: multiple TCP/IP and ICMP implementations allow remote attackers to cause a denial of service (network throughput reduction for TCP connections) via a blind throughput-reduction attack using spoofed Source Quench packets, aka the ICMP Source Quench attack. The server will house the software requirements for Solaris 9, to be used for all new server builds. Does anyone know the easiest/quickest way to search all the available Solaris 9 patches to find out if they update a certain library or not? The Solaris 10 release notes document important installation and runtime issues and bugs.
A guide for system administrators, February 2006, International Technical Support Organization, SG24-7186-00. Patches are a separate software change control mechanism distinct from package versions in Solaris. Security issue involving the Solaris sadmind(1M) daemon. Securing network services, Solaris Operating Environment.