

Last modified: Sun, 28 Sep 2008 21:01:52 +0900

Solaris 10 - インストール直後の私的設定手順

Solaris 10 のインストール直後に、まず実施する初期設定の作業手順をまとめました。

tcsh環境設定


    # vi /.tcshrc

    # Root login settings for tcsh (/.tcshrc).
    #
    # C locale, terminal and editor first so the rest of the session (and the
    # tools started from it) behave predictably.
    setenv LANG C
    setenv TERM xterm
    setenv EDITOR vi
    # gzip(1) picks up its default options from GZIP: maximum compression.
    setenv GZIP "-9"
    # Search order: locally built tools, Sun freeware, XPG, SVR4 and admin
    # directories, then X11/CDE, with the BSD-compat directory last.
    set path = (/usr/local/bin /usr/local/sbin /usr/sfw/bin /usr/sfw/sbin /opt/sfw/bin /opt/sfw/sbin /usr/xpg6/bin /usr/xpg4/bin /usr/ccs/bin /usr/bin /usr/sbin /usr/sadm/admin/bin /usr/sadm/bin /bin /sbin /usr/openwin/bin /usr/dt/bin /usr/ucb)
    setenv MANPATH /usr/local/man:/usr/local/share/man:/usr/sfw/man:/opt/sfw/man:/usr/share/man:/usr/openwin/man:/usr/dt/man
    setenv PKG_CONFIG_PATH /usr/local/lib/pkgconfig:/usr/sfw/lib/pkgconfig:/usr/lib/pkgconfig
    # Prompt "[date time user@host]# "; `whoami` is evaluated once, when this
    # file is read, while %W/%D/%P/%m are expanded on every prompt.
    set prompt="[%W/%D %P `whoami`@%m]# "
    # Listing and history shorthands; /usr/bin/ls is named explicitly so the
    # alias does not depend on path order.
    alias ls "/usr/bin/ls -F"
    alias la "ls -al"
    alias h "history 100"
    alias ping6 ping -A inet6
    # Never time out the root session.
    unset autologout

bash環境設定


    # vi /.bash_profile

    # Login shells read only /.bash_profile; pull in the interactive settings
    # kept in /.bashrc so login and non-login root shells behave the same.
    source /.bashrc

    # vi /.bashrc

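    # Root interactive settings for bash (/.bashrc, read via /.bash_profile).
    #
    # Prompt "[mm/dd HH:MM:SS user@host]# " built from bash prompt escapes
    # (\D{fmt}, \u, \h).  The former backtick form ran date(1) and hostname(1)
    # once, when this file was read, so the prompt kept showing the shell's
    # start time; prompt escapes are expanded each time the prompt is printed.
    export PS1='[\D{%m/%d %H:%M:%S} \u@\h]# '
    # Search order: locally built tools, Sun freeware, XPG, SVR4 and admin
    # directories, then X11/CDE, with the BSD-compat directory last.
    export PATH=/usr/local/bin:/usr/local/sbin:/usr/sfw/bin:/usr/sfw/sbin:/opt/sfw/bin:/opt/sfw/sbin:/usr/xpg6/bin:/usr/xpg4/bin:/usr/ccs/bin:/usr/bin:/usr/sbin:/usr/sadm/admin/bin:/usr/sadm/bin:/bin:/sbin:/usr/openwin/bin:/usr/dt/bin:/usr/ucb
    # C locale, terminal and editor for a predictable admin session.
    export LANG=C
    export TERM=xterm
    export EDITOR=vi
    export MANPATH=/usr/local/man:/usr/local/share/man:/usr/sfw/man:/opt/sfw/man:/usr/share/man:/usr/openwin/man:/usr/dt/man
    export PKG_CONFIG_PATH=/usr/local/lib/pkgconfig:/usr/sfw/lib/pkgconfig:/usr/lib/pkgconfig
    # gzip(1) picks up its default options from GZIP: maximum compression.
    export GZIP="-9"
    # Listing/history/ping shorthands kept in step with /.tcshrc.
    alias ls="ls -F"
    alias la="ls -al"
    alias h="history 100"
    alias ping6="ping -A inet6"
    # autologout is a tcsh variable with no meaning to bash; this line is a
    # harmless no-op kept for symmetry with /.tcshrc (bash uses TMOUT instead).
    unset autologout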
    

loginパラメータ編集


    # vi /etc/default/login

    --- login.orig  Sat Apr 23 01:29:09 2005
    +++ login       Sat Apr 23 01:30:29 2005
    @@ -27,11 +27,11 @@
     
     # PATH sets the initial shell PATH variable
     #
    -#PATH=/usr/bin:
    +PATH=/usr/local/bin:/usr/local/sbin:/usr/sfw/bin:/usr/sfw/sbin:/opt/sfw/bin:/opt/sfw/sbin:/usr/xpg6/bin:/usr/xpg4/bin:/usr/ccs/bin:/usr/bin:/usr/sbin:/usr/sadm/admin/bin:/usr/sadm/bin:/bin:/sbin:/usr/openwin/bin:/usr/dt/bin:/usr/ucb
     
     # SUPATH sets the initial shell PATH variable for root
     #
    -#SUPATH=/usr/sbin:/usr/bin
    +SUPATH=/usr/local/bin:/usr/local/sbin:/usr/sfw/bin:/usr/sfw/sbin:/opt/sfw/bin:/opt/sfw/sbin:/usr/xpg6/bin:/usr/xpg4/bin:/usr/ccs/bin:/usr/bin:/usr/sbin:/usr/sadm/admin/bin:/usr/sadm/bin:/bin:/sbin:/usr/openwin/bin:/usr/dt/bin:/usr/ucb
     
     # TIMEOUT sets the number of seconds (between 0 and 900) to wait before
     # abandoning a login session.
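Review bot: `+SUPATH=...` and `+PATH=...` put /usr/local/bin and /usr/local/sbin ahead of /usr/bin and /usr/sbin in the initial PATH of every login, root included; the same ordering is applied again in the /etc/default/su diff below. Those directories are created later on this page with `mkdir -p /usr/local/bin` and populated from third-party packages, so any file there that a non-root user can write would be found before the system binary of the same name. Before putting them first, verify they stay root-owned and not group/world writable (`ls -ld /usr/local/bin /usr/local/sbin`), or keep SUPATH restricted to the system directories and extend only the per-shell PATH in /.tcshrc and /.bashrc.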
    @@ -53,7 +53,7 @@
     # bad password is provided.  The range is limited from
     # 0 to 5 seconds.
     #
    -#SLEEPTIME=4
    +SLEEPTIME=0
     
     # DISABLETIME  If present, and greater than zero, the number of seconds
     # login will wait after RETRIES failed attempts or the PAM framework returns
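Review bot: `+SLEEPTIME=0` removes the pause login(1) inserts after a wrong password, which together with RETRIES/DISABLETIME (the context lines just below) is the only built-in throttle on repeated guessing at console or telnet logins. Keep the shipped value, i.e. leave `#SLEEPTIME=4` commented out or set `SLEEPTIME=4`, unless the delay is a demonstrated problem for the operator. `SYSLOG_FAILED_LOGINS=0` in the next hunk is a good complement because every failure is then logged.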
    @@ -74,4 +74,4 @@
     # message is logged, using the syslog(3) LOG_NOTICE facility.  For example,
     # if the variable is set to 0, login will log -all- failed login attempts.
     #
    -#SYSLOG_FAILED_LOGINS=5
    +SYSLOG_FAILED_LOGINS=0

suパラメータ編集


    # vi /etc/default/su

    --- su.orig     Fri Nov 10 01:48:08 2006
    +++ su  Sun Dec 31 23:04:11 2006
    @@ -7,15 +7,15 @@
     # CONSOLE determines whether attempts to su to root should be logged
     # to the named device
     #
    -#CONSOLE=/dev/console
    +CONSOLE=/dev/console
     
     # PATH sets the initial shell PATH variable
     #
    -#PATH=/usr/bin:
    +PATH=/usr/local/bin:/usr/local/sbin:/usr/sfw/bin:/usr/sfw/sbin:/usr/xpg6/bin:/usr/xpg4/bin:/usr/ccs/bin:/usr/bin:/usr/sbin:/usr/sadm/admin/bin:/usr/sadm/bin:/bin:/sbin:/usr/openwin/bin:/usr/dt/bin:/usr/ucb
     
     # SUPATH sets the initial shell PATH variable for root
     #
    -#SUPATH=/usr/sbin:/usr/bin
    +SUPATH=/usr/local/bin:/usr/local/sbin:/usr/sfw/bin:/usr/sfw/sbin:/usr/xpg6/bin:/usr/xpg4/bin:/usr/ccs/bin:/usr/bin:/usr/sbin:/usr/sadm/admin/bin:/usr/sadm/bin:/bin:/sbin:/usr/openwin/bin:/usr/dt/bin:/usr/ucb
     
     # SYSLOG determines whether the syslog(3) LOG_AUTH facility should be used
     # to log all su attempts.  LOG_NOTICE messages are generated for su's to

passwdパラメータ編集


    # vi /etc/default/passwd

    --- passwd.orig 2006-11-10 01:48:08.000000000 +0900
    +++ passwd      2007-07-25 14:30:16.703587000 +0900
    @@ -5,7 +5,7 @@
     #
     MAXWEEKS=
     MINWEEKS=
    -PASSLENGTH=6
    +PASSLENGTH=8
    
     # NAMECHECK enables/disables login name checking.
     # The default is to do login name checking.
    @@ -47,5 +47,5 @@
     # created by passwd. See passwd(1), pam_authtok_check(5) and
     # mkdict(1) for more information.
     #
    -#DICTIONLIST=
    -#DICTIONDBDIR=/var/passwd
    +DICTIONLIST=/usr/share/lib/dict/words
    +DICTIONDBDIR=/var/passwd
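Review bot: `+DICTIONLIST=/usr/share/lib/dict/words` and `+DICTIONDBDIR=/var/passwd` only have an effect once the dictionary database exists; the context lines name mkdict(1) as the tool that builds it, so the page should add that step after this edit and confirm /var/passwd is populated. The first hunk leaves `MAXWEEKS=` and `MINWEEKS=` empty, which appears to mean no password ageing is enforced; if that is intended for a personal box it is worth saying so in the text.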

passwdアルゴリズム変更(DES ⇒ md5)


    # vi /etc/security/policy.conf

    --- /etc/security/policy.conf.orig      2005-01-22 07:52:12.000000000 +0900
    +++ /etc/security/policy.conf   2008-02-27 14:24:33.648824000 +0900
    @@ -28,7 +28,7 @@
     # listed in crypt.conf(4) since it is internal to libc.  The reserved
     # name __unix__ is used to refer to it.
     #
    -CRYPT_DEFAULT=__unix__
    +CRYPT_DEFAULT=1
     #
     # These settings determine the default privileges users have.  If not set,
     # the default privileges are taken from the inherited set.
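Review bot: `+CRYPT_DEFAULT=1` only changes the algorithm used the next time a password is set; accounts whose hash was created under `__unix__` (including root's installation-time password) keep the old DES-style hash until the password is changed. After this edit, re-run passwd for every existing account, or expire them so the user is forced to change at next login, and check in /etc/shadow that the new entries carry the `$1$` prefix. The identifier `1` should correspond to the BSD MD5 module in crypt.conf(4), which matches the section heading; confirm it against that file on the installed system.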

ライブラリ検索パス設定


    # crle -c /var/ld/ld.config -l /usr/local/lib/mysql:/usr/local/lib:/usr/sfw/lib:/usr/lib:/lib:/usr/openwin/lib:/usr/dt/lib:/usr/xpg4/lib:/usr/ccs/lib:/usr/ucblib

coreダンプ設定


    # coreadm -g /var/core/core.%f.%p.%t -e global -e process -e global-setid -e proc-setid -e log
    # mkdir -p /var/core
    # coreadm -u

システム動作の監視 (sar)


    # svcadm -v enable svc:/system/sar:default
    # crontab -e sys

    --- /var/spool/cron/crontabs/sys.orig   Sat Jun  2 03:40:23 2007
    +++ /var/spool/cron/crontabs/sys        Thu Jun 28 17:23:49 2007
    @@ -24,6 +24,6 @@
     # The sys crontab should be used to do performance collection. See cron
     # and performance manual pages for details on startup.
     #
    -# 0 * * * 0-6 /usr/lib/sa/sa1
    -# 20,40 8-17 * * 1-5 /usr/lib/sa/sa1
    -# 5 18 * * 1-5 /usr/lib/sa/sa2 -s 8:00 -e 18:01 -i 1200 -A
    +0 * * * 0-6 /usr/lib/sa/sa1
    +20,40 8-17 * * 1-5 /usr/lib/sa/sa1
    +5 18 * * 1-5 /usr/lib/sa/sa2 -s 8:00 -e 18:01 -i 1200 -A

キーボード制御


    # kbd -a disable
    # vi /etc/default/kbd

    --- kbd.orig    Fri Dec 24 18:14:44 2004
    +++ kbd Fri Dec 24 18:15:08 2004
    @@ -22,7 +22,7 @@
     #
     # Uncomment the following line to disable keyboard or serial device
     # abort sequences:
    -#KEYBOARD_ABORT=disable
    +KEYBOARD_ABORT=disable
     
     # Uncomment the following line to enable a non-BREAK alternate
     # serial input device abort sequence:

シングルユーザモード設定(シングルユーザモード時にパスワード入力を求めなくする)


    # echo "PASSREQ=NO" > /etc/default/sulogin

コマンドパス修正


    # mkdir -p /usr/local/bin
    # ln -s /usr/bin/gpatch /usr/local/bin/patch
    # ln -s /usr/sfw/bin/gmake /usr/local/bin/make
    # ln -s /usr/sfw/bin/gtar /usr/local/bin/tar
    # ln -s /usr/sfw/bin/gm4 /usr/local/bin/m4
    # ln -s /usr/sfw/bin/ggrep /usr/local/bin/grep
    # ln -s /usr/sfw/bin/tclsh8.3 /usr/sfw/bin/tclsh

SunFreeWareパッケージ追加


sunsiteからgcc, libiconvパッケージをダウンロードして適用する。

    # wget ftp://ftp.sunfreeware.com/pub/freeware/intel/10/gcc-3.4.6-sol10-x86-local.gz
    # wget ftp://ftp.sunfreeware.com/pub/freeware/intel/10/libiconv-1.11-sol10-x86-local.gz
    # gzip -d *.gz
    # pkgadd -d gcc-3.4.6-sol10-x86-local
    # pkgadd -d libiconv-1.11-sol10-x86-local

    # vi /usr/local/lib/gcc/i386-pc-solaris2.10/3.4.6/install-tools/mkheaders.conf
    1行目に「SHELL="/bin/sh"」を追記して下記を実行する。

    # /usr/local/libexec/gcc/i386-pc-solaris2.10/3.4.6/install-tools/mkheaders

コンパイル環境修正


    # mv /usr/ucb/cc /usr/ucb/cc.orig
    # ln -s /usr/local/bin/gcc /usr/ucb/cc
    # mv /usr/sfw/bin/gcc /usr/sfw/bin/gcc.orig
    # ln -s /usr/local/bin/gcc /usr/sfw/bin/gcc
    # vi /usr/sfw/lib/tclConfig.sh

    --- /usr/sfw/lib/tclConfig.sh.orig      Sat Jan 14 20:36:13 2006
    +++ /usr/sfw/lib/tclConfig.sh   Sat Jan 14 20:36:26 2006
    @@ -18,7 +18,7 @@
     TCL_PATCH_LEVEL='.3'
     
     # C compiler to use for compilation.
    -TCL_CC='/opt/SUNWspro/bin/cc'
    +TCL_CC='/usr/local/bin/gcc'
     
     # -D flags for use with the C compiler.
     TCL_DEFS=' -DHAVE_UNISTD_H=1 -DHAVE_LIMITS_H=1 -DTCL_THREADS=1 -D_REENTRANT=1 -D_THREAD_SAFE=1 -DHAVE_PTHREAD_ATTR_SETSTACKSIZE=1 -DHAVE_GETCWD=1 -DHAVE_OPENDIR=1 -DHAVE_STRSTR=1 -DHAVE_STRTOL=1 -DHAVE_TMPNAM=1 -DHAVE_WAITPID=1 -DHAVE_UNISTD_H=1 -DHAVE_SYS_PARAM_H=1 -DUSE_TERMIOS=1 -DHAVE_SYS_TIME_H=1 -DTIME_WITH_SYS_TIME=1 -DHAVE_TZNAME=1 -DHAVE_TIMEZONE_VAR=1 -DHAVE_ST_BLKSIZE=1 -DSTDC_HEADERS=1 -DNO_UNION_WAIT=1 -DNEED_MATHERR=1 -DHAVE_SIGNED_CHAR=1 -DHAVE_SYS_IOCTL_H=1 -DHAVE_SYS_FILIO_H=1 '

    # vi /usr/openwin/lib/config/site.def

    --- /usr/openwin/lib/config/site.def.orig       Fri Dec 24 18:16:35 2004
    +++ /usr/openwin/lib/config/site.def    Fri Dec 24 18:17:53 2004
    @@ -33,17 +33,13 @@
      
     #ifdef BeforeVendorCF
     
    -/*
     #ifndef HasGcc2
     #define HasGcc2 YES
     #endif
    -*/
     
    -/*
     #ifndef HasCplusplus
     #define HasCplusplus YES
     #endif 
    -*/
      
     #endif /* BeforeVendorCF */

    # vi /usr/openwin/lib/config/sun.cf

    --- /usr/openwin/lib/config/sun.cf.orig Fri Dec 24 18:18:54 2004
    +++ /usr/openwin/lib/config/sun.cf      Fri Dec 24 18:19:03 2004
    @@ -197,7 +197,7 @@
      * if the compiler in use doesn't use standard SVR4 flags
      */
     #if HasSunC || HasCenterLineC
    -#define PositionIndependentCFlags -Kpic
    +#define PositionIndependentCFlags -fPIC
     #endif
     #if HasSunCplusplus || HasCenterLineCplusplus
     #define PositionIndependentCplusplusFlags -pic


NTP設定


    # cp /etc/inet/ntp.server /etc/inet/ntp.conf
    # vi /etc/inet/ntp.conf

    --- /etc/inet/ntp.server        Sun Apr  7 08:15:27 2002
    +++ /etc/inet/ntp.conf  Mon Aug 15 21:05:40 2005
    @@ -50,11 +50,11 @@
     
     # Either a peer or server.  Replace "XType" with a value from the
     # table above.
    -server 127.127.XType.0
    -fudge 127.127.XType.0 stratum 0
    -
    -broadcast 224.0.1.1 ttl 4
    -
    +server 210.173.160.27
    +server 210.173.160.57
    +server 210.173.160.87
    +server 127.127.1.0
    +fudge 127.127.1.0 stratum 10
     enable auth monitor
     driftfile /var/ntp/ntp.drift
     statsdir /var/ntp/ntpstats/
    @@ -62,7 +62,3 @@
     filegen loopstats file loopstats type day enable
     filegen clockstats file clockstats type day enable
     
    -keys /etc/inet/ntp.keys
    -trustedkey 0
    -requestkey 0
    -controlkey 0
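Review bot: This hunk drops `keys`, `trustedkey`, `requestkey` and `controlkey`, while the first hunk keeps the context line `enable auth monitor`, so the daemon now runs with `monitor` recording every client but with no access restriction configured; that monitor data has been abused for reflected amplification and should be limited if the host is reachable from untrusted networks. I would add `restrict default nomodify noquery` plus an unrestricted `restrict 127.0.0.1`, or replace `enable auth monitor` with `disable monitor`; verify the exact directive syntax against the xntpd shipped with Solaris 10. The three `server 210.173.160.x` upstreams are unauthenticated, which is normal for a client but worth stating in the text.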

    # touch /var/ntp/ntp.drift

SSH設定


    # vi /etc/ssh/sshd_config

    --- sshd_config.orig    Sun Dec 26 16:51:13 2004
    +++ sshd_config Sun Dec 26 16:54:17 2004
    @@ -21,10 +21,10 @@
     # Uncomment ONLY ONE of the following Protocol statements.
     
     # Only v2 (recommended)
    -Protocol 2
    +#Protocol 2
     
     # Both v1 and v2 (not recommended)
    -#Protocol 2,1
    +Protocol 2,1
     
     # Only v1 (not recommended)
     #Protocol 1
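Review bot: `+Protocol 2,1` re-enables SSH protocol version 1, which the file's own comment marks as not recommended; v1 has known cryptographic weaknesses and offers nothing that v2 lacks, so keep `Protocol 2` unless a specific legacy client is required. The same applies to `+HostKey /etc/ssh/ssh_host_key` in the third hunk and to the `ssh-keygen -f /etc/ssh/ssh_host_key -t rsa1` command after the diff, which exist only to serve v1 clients; all three can be dropped together.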
    @@ -42,12 +42,12 @@
     ListenAddress ::
     
     # Port forwarding
    -AllowTcpForwarding no
    +AllowTcpForwarding yes
     
     # If port forwarding is enabled, specify if the server can bind to INADDR_ANY. 
     # This allows the local port forwarding to work when connections are received
     # from any remote host.
    -GatewayPorts no
    +GatewayPorts yes
     
     # X11 tunneling options
     X11Forwarding yes
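Review bot: `+GatewayPorts yes` lets a remote-forwarded port bind on all interfaces, so any port a logged-in user forwards becomes reachable from other hosts rather than only from localhost; with `+AllowTcpForwarding yes` in the same hunk, every account on the box can make it act as a relay. If forwarding is needed for the operator's own sessions, `AllowTcpForwarding yes` with the original `GatewayPorts no` covers that; set gateway ports only if an externally reachable relay is actually intended, and say so in the text.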
    @@ -81,6 +81,7 @@
     
     # Host private key files
     # Must be on a local disk and readable only by the root user (root:sys 600).
    +HostKey /etc/ssh/ssh_host_key
     HostKey /etc/ssh/ssh_host_rsa_key
     HostKey /etc/ssh/ssh_host_dsa_key
     
    @@ -129,7 +130,7 @@
     # Note that sshd uses pam_authenticate(3PAM) so the root (or any other) user
     # maybe denied access by a PAM module regardless of this setting.
     # Valid options are yes, without-password, no.
    -PermitRootLogin no
    +PermitRootLogin yes
     
     # sftp subsystem
     Subsystem      sftp    /usr/lib/ssh/sftp-server
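Review bot: `+PermitRootLogin yes` allows password authentication directly as root over the network; combined with `Protocol 2,1` above and `SLEEPTIME=0` in /etc/default/login earlier on this page, root becomes an easy target for online guessing and the su logging enabled via `CONSOLE=/dev/console` is bypassed. Prefer the file's own `without-password` value (key-based root login only), or keep `no` and use su(1M) after an unprivileged login so the console log and loginlog set up later on the page keep their value.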

    # ssh-keygen -f /etc/ssh/ssh_host_key -t rsa1 -N ''

不正ログイン記録設定(telnetやftpでログインに失敗すると記録)


    # touch /var/adm/loginlog
    # chmod 600 /var/adm/loginlog
    # chgrp sys /var/adm/loginlog

FTP,TELNETバナー表示隠匿設定


    # echo BANNER="" > /etc/default/telnetd
    # echo BANNER="" > /etc/default/ftpd

サービス起動設定


NTPを有効にして、デフォルトで起動するNFS周りのサービス、その他もろもろを disable へ変更する。

    # svcadm -v enable svc:/network/ntp:default
    # svcadm -v disable svc:/system/name-service-cache
    # svcadm -v disable svc:/system/filesystem/volfs:default
    # svcadm -v disable svc:/network/rpc/bind:default
    # svcadm -v disable svc:/system/power:default
    # svcadm -v disable svc:/application/graphical-login/cde-login:default
    # svcadm -v disable svc:/system/webconsole:console

一時的に無効化、有効化したい場合は「-t」をつけて

    # svcadm -v disable -t svc:/system/power:default

とします。

なお、Solaris 10からは、inetdを含む多くのサービスが、SMF(Service Management Facility)という
新たな実装で制御されるようになりました。
telnetやftpの設定もこれまでの /etc/inetd.conf ではなく、
/var/svc/manifest 以下にxml形式で設定が保存されています。
これには、inetd等のサービス設定も含まれます。
サービスの内容については、下記のコマンドで一覧が確認できますので、
それぞれの運用ポリシーに応じて、svcadmコマンドにてそれぞれ enable, disable を適用します。

    # svcs -a

ブロードキャストレスポンス、ソースルーティングの無効化、ほか


    # vi /etc/rc2.d/S19mytuning

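    #!/sbin/sh
    #
    # /etc/rc2.d/S19mytuning - network stack hardening applied at run level 2.
    #
    # Disables replies to broadcast/multicast ICMP probes and the forwarding of
    # directed broadcasts and source-routed packets, enlarges the TCP listen
    # and half-open (q0) queues, and selects unpredictable initial sequence
    # numbers.  Values set with ndd(1M) do not survive a reboot, hence this rc
    # script.  A failed ndd call (for example a tunable unknown to the running
    # kernel) is reported on stderr instead of being dropped silently, and the
    # remaining tunables are still applied.

    NDD=/usr/sbin/ndd

    # set_tunable DRIVER NAME VALUE: apply one ndd setting, report failure.
    set_tunable() {
        $NDD -set "$1" "$2" "$3" ||
            echo "S19mytuning: could not set $2=$3 on $1" 1>&2
    }

    # Do not answer ICMP requests addressed to broadcast/multicast addresses
    # and do not forward directed broadcasts.
    set_tunable /dev/ip ip_respond_to_address_mask_broadcast 0
    set_tunable /dev/ip ip_respond_to_echo_broadcast 0
    set_tunable /dev/ip ip_respond_to_timestamp_broadcast 0
    set_tunable /dev/ip ip_forward_directed_broadcasts 0
    set_tunable /dev/ip ip6_respond_to_echo_multicast 0

    # Never forward source-routed packets and do not honour reverse source
    # routes on TCP connections.
    set_tunable /dev/ip ip_forward_src_routed 0
    set_tunable /dev/ip ip6_forward_src_routed 0
    set_tunable /dev/tcp tcp_rev_src_routes 0

    # Larger completed-connection (q) and half-open connection (q0) queues.
    set_tunable /dev/tcp tcp_conn_req_max_q 1000
    set_tunable /dev/tcp tcp_conn_req_max_q0 10000

    # 2 = RFC 1948 style initial sequence numbers.
    set_tunable /dev/tcp tcp_strong_iss 2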

    # chmod 744 /etc/rc2.d/S19mytuning

RIP(in.routed)の停止


    # routeadm -d ipv4-routing
    # routeadm -u

実行可能スタックの無効化、ファイルディスクリプタの増加 (SPARC/64bitモードのみ)


    # vi /etc/system

    最下部に追加

    * Appended to /etc/system; read by the kernel at boot, so a reboot is
    * needed for these to take effect.
    * Refuse to execute code on user stack pages and log each attempt; per the
    * section heading this is meaningful on SPARC / 64-bit mode only.
    set noexec_user_stack=1
    set noexec_user_stack_log=1
    * Raise the per-process file descriptor hard (max) and soft (cur) limits.
    set rlim_fd_max=65536
    set rlim_fd_cur=65536

アカウンティング有効化(lastcomm)


    # ln -s /etc/init.d/acct /etc/rc2.d/S22acct
    # ln -s /etc/init.d/acct /etc/rc0.d/K22acct

sendmailパッケージの削除(ソースからインストールするため)


    # svcadm -v disable svc:/network/smtp:sendmail
    # pkgrm SUNWsndmr SUNWsndmu

各種アプリケーションインストール


