NOTE: The Solaris parameters described in the sections below are not supported by Symantec. They have been technically evaluated; however, for definitive guidance or support, please contact the vendor directly.
Hardening the Solaris OS
Disable all unnecessary network services, daemons etc.
Comment out all unneeded service entries in the /etc/inetd.conf file
Turn off netstat, systat, tftp and finger services
Turn off rshd, rlogind and rexecd daemons; disable NFS if possible (rename or remove /etc/rc3.d/S15nfs.server)
Kill and disable dtlogin (run /etc/init.d/dtlogin stop and rename or remove /etc/rc2.d/S99dtlogin)
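The inetd.conf step above, as an added example that is not part of the Symantec article: a POSIX sh script that comments out the listed services in a constructed copy of inetd.conf, so the change can be reviewed before it is applied to the live file. The mapping of rshd, rlogind and rexecd to the inetd entries shell, login and exec, and the sample file layout, are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the Symantec article): comment out the inetd services
# the article lists as unnecessary, working on a constructed copy of
# /etc/inetd.conf so the result can be inspected before touching the real file.

# Services to disable: netstat, systat, tftp, finger, plus the r-services
# (assumed: rshd, rlogind, rexecd are the 'shell', 'login', 'exec' entries).
DISABLE_LIST="netstat,systat,tftp,finger,shell,login,exec"

# Constructed sample inetd.conf fragment (first field is the service name).
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
# Sample inetd.conf (constructed for this example)
ftp     stream  tcp  nowait  root    /usr/sbin/in.ftpd     in.ftpd
telnet  stream  tcp  nowait  root    /usr/sbin/in.telnetd  in.telnetd
shell   stream  tcp  nowait  root    /usr/sbin/in.rshd     in.rshd
login   stream  tcp  nowait  root    /usr/sbin/in.rlogind  in.rlogind
exec    stream  tcp  nowait  root    /usr/sbin/in.rexecd   in.rexecd
finger  stream  tcp  nowait  nobody  /usr/sbin/in.fingerd  in.fingerd
tftp    dgram   udp  wait    root    /usr/sbin/in.tftpd    in.tftpd -s /tftpboot
systat  stream  tcp  nowait  root    /usr/bin/ps           ps -ef
netstat stream  tcp  nowait  root    /usr/bin/netstat      netstat -f inet
EOF

# disable_services FILE LIST: rewrite FILE in place, prefixing '#' to every
# active entry whose service name appears in the comma-separated LIST.
disable_services() {
    file=$1; list=$2
    tmp=$(mktemp)
    awk -v list="$list" '
        BEGIN { n = split(list, a, ","); for (i = 1; i <= n; i++) off[a[i]] = 1 }
        /^[ \t]*#/ || NF == 0 { print; next }    # keep comments and blank lines
        ($1 in off)           { print "#" $0; next }
        { print }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# active_services FILE: names of the entries still enabled, one per line.
active_services() {
    awk '!/^[ \t]*#/ && NF > 0 { print $1 }' "$1"
}

# count_active FILE: number of enabled entries (prints 0 on empty input,
# which "grep -c" would report with a failing exit status).
count_active() {
    active_services "$1" | awk 'END { print NR }'
}

# Usage: run against the constructed copy. On a real host, point it at
# /etc/inetd.conf and then reload inetd with: pkill -HUP inetd
disable_services "$SAMPLE" "$DISABLE_LIST"
echo "Still enabled after hardening:"
active_services "$SAMPLE"
```

The script only comments entries out rather than deleting them, so the original configuration stays visible in the file and a service can be re-enabled by removing the leading '#'.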
When multiple network interfaces or multiport NICs (qfe) are on the system, set the MAC addresses of the different interfaces to different values using ifconfig. By default all four interfaces are assigned the same MAC address. Alternatively, set the "local-mac-address?" variable in eeprom to true.
When using Sun GigaSwift (ce) Gigabit Ethernet network interfaces, force the ce driver to use the 'traditional' STREAMS interface (as opposed to the GigaSwift STREAMS interface). This yields a significant improvement in throughput:
ce:ce_put_cfg = 1
Auto-negotiation is disabled at the operating system level and a tool is needed to do so. The following third-party tools are available:
The default values for these settings are: 1, 128, 1024, 240000, 675000 respectively.
Tune the TCP selective acknowledgement (SACK) mechanism in /etc/rc2.d/S69inet:
If you are looking for better security over WAN links:
ndd -set /dev/tcp tcp_sack_permitted 1
If you are looking for better logging performance over WAN links:
ndd -set /dev/tcp tcp_sack_permitted 0
Increase the number of open file descriptors in /etc/system:
set rlim_fd_cur = 32768
set rlim_fd_max = 65535
Change the fsflush behavior in /etc/system:
set autoup = 300
set tune_t_fsflushr = 5
These variables control how much memory fsflush examines for dirty pages on each invocation and how often the file system sync operations run. The default interval is 30 seconds; on systems with large amounts of memory this setting is usually changed so that less memory is scanned on each invocation of fsflush.
General tuning parameters in /etc/system:
set maxpgio = 25468
maxpgio (default 40 or 60) limits the rate at which I/O is queued to the swap devices. It is set to 40 for the sun4c, sun4m and sun4u architectures and 60 for sun4d. If the disks are faster than 7200 rpm, maxpgio can safely be set to 100 times the number of swap disks.
set slowscan = 500
slowscan defines the minimum number of pages per second that the system examines when attempting to reclaim memory. The default value is usually one half of fastscan.
set maxusers = 2048
This should be set to the amount of RAM available on the server in megabytes (in this case 2048 for 2 GB).
set ncsize = 34906
The formula for this setting is: 17 x maxusers + 90.
set ufs_ninode = 34096
The formula for the minimum value is: 17 x maxusers + 90. Note that this setting must be at least equal to ncsize; a higher value is recommended.
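The /etc/system settings above, as an added example that is not part of the Symantec article: a POSIX sh script that derives ncsize from the article's formula and checks a staged copy of /etc/system against the rules the article states (ncsize = 17 x maxusers + 90, ufs_ninode at least ncsize) plus the general rule that the soft descriptor limit rlim_fd_cur cannot exceed the hard limit rlim_fd_max. The sample fragment is constructed from the values listed above; run on it, the check reports that ufs_ninode (34096) is below ncsize (34906), which is worth reconciling before the file is installed.

```shell
#!/bin/sh
# Added example (not from the Symantec article): derive the /etc/system values
# from the article's formulas and sanity-check a configuration fragment before
# it is installed. Runs against a constructed copy, never the live /etc/system.

# Constructed fragment using the article's values (/etc/system comments start with '*').
SYSTEM_SAMPLE=$(mktemp)
trap 'rm -f "$SYSTEM_SAMPLE"' EXIT
cat > "$SYSTEM_SAMPLE" <<'EOF'
* constructed /etc/system fragment for this example
set rlim_fd_cur = 32768
set rlim_fd_max = 65535
set autoup = 300
set tune_t_fsflushr = 5
set maxpgio = 25468
set slowscan = 500
set maxusers = 2048
set ncsize = 34906
set ufs_ninode = 34096
EOF

# get_setting FILE NAME: value of "set NAME = VALUE" in FILE (last match wins;
# NAME may be module-qualified, e.g. ce:ce_put_cfg). Prints nothing if absent.
get_setting() {
    awk -v name="$2" '
        /^[ \t]*set[ \t]/ {
            line = $0
            gsub(/[ \t]/, "", line)        # "set ncsize = 34906" -> "setncsize=34906"
            sub(/^set/, "", line)          # -> "ncsize=34906"
            n = index(line, "=")
            if (n > 0 && substr(line, 1, n - 1) == name) val = substr(line, n + 1)
        }
        END { print val }
    ' "$1"
}

# recommended_ncsize MAXUSERS: the article's formula, 17 x maxusers + 90.
recommended_ncsize() {
    echo $(( 17 * $1 + 90 ))
}

# check_system FILE: print one line per rule the fragment violates; prints
# nothing when the fragment is consistent with the rules above.
check_system() {
    f=$1
    for name in rlim_fd_cur rlim_fd_max maxusers ncsize ufs_ninode; do
        [ -n "$(get_setting "$f" "$name")" ] || echo "$name is not set"
    done
    cur=$(get_setting "$f" rlim_fd_cur); max=$(get_setting "$f" rlim_fd_max)
    if [ -n "$cur" ] && [ -n "$max" ] && [ "$cur" -gt "$max" ]; then
        echo "rlim_fd_cur ($cur) exceeds rlim_fd_max ($max): the soft limit cannot exceed the hard limit"
    fi
    mu=$(get_setting "$f" maxusers); nc=$(get_setting "$f" ncsize); ni=$(get_setting "$f" ufs_ninode)
    if [ -n "$mu" ] && [ -n "$nc" ]; then
        want=$(recommended_ncsize "$mu")
        [ "$nc" -eq "$want" ] || echo "ncsize ($nc) is not 17 x maxusers + 90 = $want"
    fi
    if [ -n "$nc" ] && [ -n "$ni" ] && [ "$ni" -lt "$nc" ]; then
        echo "ufs_ninode ($ni) is below ncsize ($nc); it must be at least ncsize"
    fi
}

# Usage: report on the constructed fragment (on a real host, point it at a
# staged copy of /etc/system and review the output before rebooting).
check_system "$SYSTEM_SAMPLE"
```

Because /etc/system is only read at boot, a mistake in it is not noticed until the next reboot; checking the staged copy first catches the arithmetic and ordering errors that are easiest to make when the values are typed by hand.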