SUMMARY: Hardening Solaris 8 with Oracle

From: Colin Haffenden <Chaffend_at_msxi-euro.com>
Date: Mon Sep 13 2004 - 04:10:15 EDT
Thanks to John Christian, Tony Schloss and Luc I. Suryo

Their replies are below, in the order they came to me!

John gave me some info on whether the DBAs would need to use any GUI
tools; his message is below....

Hi Colin,
 
Oh yea, Oracle *not* offering a CLI install is a new trend. However,
you might consider un-installing (or disabling) all X-related services
after the installation is complete. Check with the DBA to see if there
are any GUI tools they plan to use long term. Depending on local network
security/performance, they could X back to their desktops. This would
reduce the need to have X servers running and listening on the server
itself.
 
My reason for asking about Oracle Reports Server was a recent issue I
encountered on a database server. The ORS *requires* an X-display be
available to connect to in order to run reports. Even if the reports are
batch jobs not viewed live by anyone, ORS still needs an X server to
function. A nice solution is available by setting up a virtual frame
buffer using Xvfb and twm. This config allows ORS to run on headless
hosts without the display having to be sent back to the developer's
workstation. (We were just thrilled the day we found out the giant,
redundant, report server hinged on a tenuous X session connected to some
developer's Windows PC.) Lemme know if you're interested in the Xvfb and
twm config we used.
 
-John Christian

Tony Schloss sent me a link to a document he wrote for his SANS
configuration that hit the nail right on the head and is exactly what I
was looking for, so a big thanks to Tony...

I did this as my project for my SANS certification way back; the paper is
a bit old now, but if you're still using Solaris 8, it should still be good.
Note that it was written for a specific client, and written in the way that
client liked procedures/instructions written, so it may not look very good
from your perspective.  The steps, however elementary, are still valid.

Anyway, hope this helps; if you can't get the link for some reason, let me
know and I'll email it to you (I think it's in PDF).  The title is
"Instructions For Installing and Configuring a Hardened Version of the
Solaris 8 Operating System for Use as an Oracle Database Server" -- which
sounds a bit like what you're looking for <g>.
        http://www.giac.org/practical/Tony_Schloss_GCUX.zip 

Good luck.
Tony

Luc I Suryo said that he uses JASS to install servers with Solaris 8
and Oracle and kindly sent me the profile....


yup we have... we indeed use JASS

> 
> I have a requirement for a webserver and Oracle 9i. All our current
> webservers are hardened via Jass and this website
> http://www.spitzner.net/ 
> 
> What I want to know is, has anyone hardened a Solaris 8 box running
> Oracle 9i (or even earlier versions ?).
> 
> If so what are the minimum packages required to run Oracle ?
I worked with the JASS ppl. a couple of years ago and here's what works for me
(Solaris 8 tested with both Oracle 8 and Oracle 9)

Below is our profile.. you could delete the raid and freeware stuff
hope this may help a bit:

-ls

#
# This for Base server
#

# install_type MUST be first
install_type    initial_install

# install system as standalone
system_type     standalone

# start with the minimal required number of packages
cluster         SUNWCreq

# To Support X-Application need the LibC library
package		SUNWlibC	add
package		SUNWlibCx	add

# To support 64 bit
package		SUNWcarx	add
package		SUNWcslx	add
package		SUNWcsxu	add
package		SUNWesxu	add
package		SUNWhmdx	add
package		SUNWkvmx	add
package		SUNWlmsx	add
package		SUNWlocx	add
package		SUNWpdx		add

# Manual Pages
package		SUNWman		add
package		SUNWesu		add
package		SUNWdoc		add

# To Support NIS
package         SUNWypr         add
package         SUNWypu         add
package		SUNWsprot	add
package		SUNWnisr	add
package		SUNWnisu	add

# To support the Network Time Protocol
package		SUNWntpr	add
package		SUNWntpu	add

# To use SunOS tools
package		SUNWscpu	add
package		SUNWbcp		add

# To support Simple Mail Transport Protocol
package		SUNWsndmu	add
package		SUNWsndmr	add

# To support truss
package		SUNWtoo		add
package		SUNWtoox	add

# To support snoop
package		SUNWfns		add
package		SUNWfnsx	add

# To support Secure Shell X Tunneling
package		SUNWxcu4	add
package		SUNWxcu4x	add
package		SUNWxcu4t	add
package		SUNWxwplt	add
package		SUNWxwplx	add
package		SUNWxwrtl	add
package		SUNWxwrtx	add

# To support Secure Shell
package		SUNWxwice	add
package		SUNWxwicx	add

# To Support DiskSuite
package		SUNWctpls	add
package		SUNWmfrun	add

# To support Semaphore control
package		SUNWipc		add
package		SUNWipcx	add

# To Support sar/sag/accounting
package		SUNWaccu	add
package		SUNWaccr	add

# To Support SNMP
package		SUNWmibii	add
package		SUNWsasnm	add
package		SUNWsasnx	add
package		SUNWsadmi	add
package		SUNWsadmx	add
package		SUNWsacom	add

# To Support Fibre Channel/Raid system
package		SUNWses		add
package		SUNWsesx	add
package		SUNWssad	add
package		SUNWssadx	add
package		SUNWssaop	add

package		SUNWfctl	add
package		SUNWfctlx	add
package		SUNWfcip	add
package		SUNWfcipx	add
package		SUNWfcp		add
package		SUNWfcpx	add

package		SUNWluxd	add
package		SUNWluxdx	add
package		SUNWluxl	add
package		SUNWluxop	add
package		SUNWluxox	add

package		SUNWqlc		add
package		SUNWqlcx	add


# To Support Java
package		SUNWj2pi	add
package		SUNWjcom	add
package		SUNWjcomx	add
package		SUNWjmfp	add
package		SUNWjsnmp	add
package		SUNWjvdev	add
package		SUNWjvjit	add
package		SUNWjvman	add
package		SUNWjvrt	add
package		SUNWj2dev	add
package		SUNWj2man	add
package		SUNWj2rt	add
package		SUNWj3dev	add
package		SUNWj3man	add
package		SUNWj3rt	add

# Several Freeware pkgs
package		SUNWzip		add
package		SUNWzlib	add
package		SUNWzlibx	add
package		SUNWzsh		add
package		SUNWbash	add
package		SUNWtcsh	add
package		SUNWless	add
package		SUNWbzipx	add
package		SUNWbtool	add
package		SUNWbtoox	add

# To support Quad Fast Ethernet
package		SUNWqfed	add
package		SUNWqfedu	add
package		SUNWqfedx	add

# To have header files in /usr/include
package		SUNWaudh	add
package		SUNWhea		add
package		SUNWsrh		add
package		SUNWxwhl	add
package		SUNWlibm	add
package		SUNWlibms	add


partitioning	explicit

filesys		c2t0d0s0	2048	/
filesys		c2t0d0s1	2048	swap

# Add for DiskSuite
filesys		c2t0d0s7	10

# rest of disk for export
filesys		c2t0d0s3	free	/export

# If Second disk is installed and DiskSuite
### filesys	c0t1d0s0	free
### filesys	c0t1d0s7	10

# If Third disk is installed and DiskSuite
### filesys	c0t2d0s0	free
### filesys	c0t2d0s7	10

locale		en_US
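
One way to check a profile like the one above before it goes onto the JumpStart server, as an added example that is not part of Luc's message or of JASS. The function name `lint_profile`, its finding labels and the constructed sample excerpt are assumptions of this example; it flags a misplaced `install_type`, repeated `package` lines, and X Window packages (`SUNWxw*`) worth revisiting once the Oracle installer no longer needs them.

```shell
#!/bin/sh
# Added example (not from the original post): lint a JumpStart profile.
# lint_profile FILE prints one finding per line:
#   ORDER  install_type is not the first keyword in the profile
#   DUP    a package is listed more than once
#   X11    an X Window package (SUNWxw*) to re-check after the Oracle install
#   TOTAL  number of distinct packages added on top of the cluster
lint_profile() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # skip comments and blank lines
        !seen_kw++ && $1 != "install_type" {
            printf "ORDER line %d: first keyword is %s, not install_type\n", NR, $1
        }
        $1 == "package" && $3 != "delete" {
            if ($2 in first) {
                printf "DUP line %d: %s already added on line %d\n", NR, $2, first[$2]
                next
            }
            first[$2] = NR
            total++
            if ($2 ~ /^SUNWxw/) printf "X11 line %d: %s\n", NR, $2
        }
        END { printf "TOTAL %d distinct packages\n", total }
    ' "$1"
}

# Constructed sample: a short profile in the same layout, with repeats on purpose.
sample_profile() {
    cat <<'EOF'
# install_type MUST be first
install_type    initial_install
system_type     standalone
cluster         SUNWCreq
package         SUNWcarx        add
package         SUNWcslx        add
package         SUNWcslx        add
package         SUNWxwplt       add
package         SUNWxwice       add
package         SUNWbash        add
package         SUNWbash        add
EOF
}

tmp=${TMPDIR:-/tmp}/profile.$$
sample_profile > "$tmp"
lint_profile "$tmp"
rm -f "$tmp"
```

The X11 findings are a review list, not errors: they mark the packages to reconsider if the DBAs end up displaying GUI tools back to their desktops instead of on the server.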

Original message....

Hi All,

I have a requirement for a webserver and Oracle 9i. All our current
webservers are hardened via Jass and this website
http://www.spitzner.net/ 

What I want to know is, has anyone hardened a Solaris 8 box running
Oracle 9i (or even earlier versions ?).

If so what are the minimum packages required to run Oracle ?

I'm hoping to just install the core cluster and add a few packages (I
know Oracle requires X Windows, but am not sure of which packages).

It would be nice to be able to set this all up on my jumpstart server
so I have a "hardened oracle" image.

I've googled this with no luck...

Any help is greatly appreciated and I will summarise...

Thanks,
Colin.

_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
Received on Mon Sep 13 04:10:04 2004
