| CPUG | |
| The Check Point User Group | |
| A Resource For The Check Point Community. Fast. Useful. Independent. | |
| |||
| Hi everyone, I'm pretty new to CP, and have been asked to install and configure CP for testing against some applications. Well, my Solaris box (V210) has no console attached and I use ReflectionX from a Windows box to connect and install CP. Before I could configure CP, somehow the Solaris box was rebooted, and due to the OS hardening that happens during CP install, all communication ports to this Solaris box are blocked. Not able to ping, telnet, ssh, nothing. If I start everything again, is there a way/option to prevent this hardening that happens during CP install? I installed R55 on Solaris 8. Thanks in advance, ~Rahul |
| |||
| Well, I guess it's an initial policy after reboot that is blocking. One way is to push the policy that allows traffic. SIC and policy push is allowed between module and SmartCenter. If you want to disable the initial policy for a brief time during testing, use control_bootsec -r. To put it back, control_bootsec -g |
| |||
| Thank you very much for your reply. Yes, it's the initial policy. But this policy has nothing but all the implied rules. And whenever I create a new policy, the same implied rules are present there too. So I don't know how to create a policy which will allow the traffic. control_bootsec: Could you please tell me how to use it? I mean, when I tried it at the command prompt, I got messages as root# control_bootsec -r Disabling boot security Could not successfully remove boot security root# control_bootsec -g Enabling boot security Could not successfully re-enable boot security ~Rahul |
| |||
| Initial policy is the one that is active when no other policy is pushed to the module and the one that is used during boot up. It means that you need to push a new policy from your SmartCenter which includes proper accept rules for your traffic. For example, add a rule <src: your mgmt pc> <dst: firewall module> <service: any> <action: Accept>. And install this policy on your module via SmartDashboard. control_bootsec is used via CLI (just ssh to the box or whatever). It's strange that you got the errors above that it wasn't able to unload. Remember you have to execute this command on the FIREWALL module, not the SmartCenter (since SmartCenter doesn't have any initial policy). I hope you understand what I mean, otherwise we keep posting :) |
| |||
| Hey Abusherif, As you said earlier, I tried to execute the command on the same box by ssh. Now somehow the system got rebooted, and now all communication ports are blocked. No ssh, no telnet, not even ping. And this box has no console... cannot log on there physically. I guess I have to start everything again. :( ~Rahul |