SUN: Generic installation checklist


Standard disclaimer: Use the information that follows at your own risk. If you screw up a system, don't blame it on me...
mailto: dkoleary@olearycomputers.com

The purpose of this document is not to be the end-all installation checklist for every site. That's clearly impossible. Rather, I'm hoping this will document "best practices": things that should be done at most sites.

If you see any glaring mistakes, things that should be added, or things that should be deleted, please send me an email.

  1. Data collection:
    1. General
      1. Host name
      2. Installation type
        1. core
        2. End User
        3. Developer
        4. etc
      3. Installation source
        1. net (boot/install svr?)
        2. cdrom
    2. Networking
      1. System IP(s)
      2. Is the system going to route IP?
      3. Default gateway
      4. Nameserver precedence
      5. NIS
        1. domainname
        2. NIS servers
      6. DNS
        1. Domain
        2. DNS server(s)
        3. Searchlist, if appropriate
      7. Required networking services
        1. ftp
        2. telnet
      8. tcp_wrappers vs inetd logging
    3. User/Groups
      1. Password timeframes (min, max, inactivity, etc)
      2. Default paths
    4. System logging
      1. Where will your log files be stashed?
      2. What facilities and severities will be monitored?
    5. Kernel tweaks required for appls (Oracle, for example)

  2. Install the operating system and appropriate patch bundles. Please see the appropriate installation guide on docs.sun.com.

  3. Update the /etc/* files:
    1. touch /etc/notrouter if appropriate
    2. echo ${default_gateway} > /etc/defaultrouter
    3. Copy appropriate nsswitch.conf template and make necessary changes.
    4. Create/update /etc/resolv.conf
    5. Create /etc/issue. For example:

      You are connected to ${HOSTNAME}. Unauthorized use of this resource is prohibited. This system is routinely monitored for security and performance reasons. Logging into and use of this system constitutes acceptance of that monitoring. Any actions taken in violation of ${COMPANY}'s Acceptable Use Policy will result in appropriate disciplinary and/or legal action.

    6. Update the /etc/inetd.conf:
      1. Remove any unnecessary services (finger, chargen, etc)
      2. Configure appropriate inetd logging:
        1. tcp_wrappers
          1. wrap telnet, rlogin, and ftp at a minimum - preferably all allowed services.
          2. Update /etc/hosts.allow and /etc/hosts.deny as appropriate - or leave blank for logging purposes.
        2. inetd: Update call to inetd in /etc/rc2.d/S72inetsvc to reflect /usr/sbin/inetd -s -t
    7. Remove group/other write capability from all files under /etc: chmod -R go-w /etc
    8. Confirm network configuration files
      1. /etc/hosts
      2. /etc/nodename
      3. /etc/hostname.${interface}

  4. Update /etc/default files:
    1. /etc/default/inetinit: Set strong initial sequence numbers (TCP_STRONG_ISS=2)
    2. /etc/default/passwd: Set appropriate times as identified above.
    3. /etc/default/login
      1. Set appropriate paths (PATH/SUPATH)
      2. UMASK 022 @ a minimum
      3. SYSLOG=YES # logs good logins @ auth.notice and bad ones @ auth.crit
      4. touch /var/adm/loginlog
        chown root:sys /var/adm/loginlog
        chmod 600 /var/adm/loginlog
    4. /etc/default/su
      1. SULOG=${log_dir}/sulog
      2. SUPATH (Should probably be the same thing id'ed in /etc/default/login)
      3. touch ${log_dir}/sulog
    5. /etc/default/telnetd: Turn off the banner (BANNER="")

  5. Users:
    1. Modify system configuration files as appropriate
      1. /etc/profile
      2. CDE configuration files
    2. Remove user nobody4
    3. Lock all NP accounts

  6. Logging: Please see the Syslog daemon configuration page.

  7. Kernel updates:
    1. Make a backup copy of /etc/system
      cp /etc/system /etc/system.000803
    2. Edit the /etc/system
      1. set noexec_user_stack=1 (Please see Solaris FAQ, Q7.2)
      2. set noexec_user_stack_log=1 (Please see Solaris FAQ, Q7.2)
      3. set priority_paging=1
        1. Turns on priority paging.
        2. Please see sun-on-net white paper, Priority Paging
        3. Install on Solaris 7 and earlier, not on 8 or above!
      4. Any other kernel tweaks needed by applications.

  8. Run level services:
    1. Run level 2
      1. Disable any unneeded services
        mv /etc/rc2.d/S70uucp /etc/rc2.d/s70uucp
      2. Prevent system from responding to incoming broadcast packets (unless needed for something like DHCP) and to incoming redirection packets.
        1. echo "ndd -set /dev/ip ip_respond_to_echo_broadcast 0" >> /etc/rc2.d/S69inet
        2. echo "ndd -set /dev/ip ip_ignore_redirect 1" >> /etc/rc2.d/S69inet
    2. Run level 3: Disable any unneeded services.

  9. Configure NIS as needed.
    1. ypinit -c
    2. ypinit -s ${master}
    3. ypinit -m

  10. Download & install appropriate packages:
    1. GNU & other utilities:
      1. gnutar
      2. gnuzip
      3. gcc
      4. ssh 1.2.27
    2. Any other applications needed for the system (Oracle, for example)

  11. Configure sar as appropriate. Please see Performance Monitoring
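
As an added example (not part of the original checklist), the following sh script audits a filesystem root against the file-based settings from steps 3, 4 and 7. The names check, audit_root and make_sample_root are hypothetical, and the sample tree is constructed for the demonstration; pass / to audit_root to check a live system.

```sh
#!/bin/sh
# Added example, not from the original checklist. check, audit_root and
# make_sample_root are hypothetical names; the sample tree is constructed.
fails=0

check() {   # check LABEL FILE BRE: FILE must contain a line matching BRE
    if [ -f "$2" ] && grep "$3" "$2" >/dev/null 2>&1; then
        echo "ok    $1"
    else
        echo "FAIL  $1"; fails=`expr $fails + 1`
    fi
}

audit_root() {   # audit_root ROOT: leaves the number of failed checks in $fails
    r=$1; fails=0
    check "3.2 default router set"    "$r/etc/defaultrouter"    '[0-9a-zA-Z]'
    check "3.5 /etc/issue present"    "$r/etc/issue"            '.'
    check "4.1 TCP_STRONG_ISS=2"      "$r/etc/default/inetinit" '^TCP_STRONG_ISS=2 *$'
    check "4.3 SYSLOG=YES"            "$r/etc/default/login"    '^SYSLOG=YES'
    check "4.5 telnetd banner off"    "$r/etc/default/telnetd"  '^BANNER=""'
    check "7.2 noexec_user_stack"     "$r/etc/system" '^set  *noexec_user_stack *= *1 *$'
    check "7.2 noexec_user_stack_log" "$r/etc/system" '^set  *noexec_user_stack_log *= *1 *$'
    # Step 3.7: nothing under /etc may be group- or other-writable (symlinks skipped).
    bad=`find "$r/etc" ! -type l \( -perm -020 -o -perm -002 \) -print 2>/dev/null`
    if [ -d "$r/etc" ] && [ -z "$bad" ]; then echo "ok    3.7 /etc not group/other writable"
    else echo "FAIL  3.7 writable: $bad"; fails=`expr $fails + 1`; fi
    # Step 4.3.4: /var/adm/loginlog must exist with mode 600.
    mode=`ls -ld "$r/var/adm/loginlog" 2>/dev/null | cut -c1-10`
    if [ "$mode" = "-rw-------" ]; then echo "ok    4.3.4 loginlog mode 600"
    else echo "FAIL  4.3.4 loginlog mode '$mode'"; fails=`expr $fails + 1`; fi
}

make_sample_root() {   # build a constructed, hardened sample tree under DIR
    d=$1
    mkdir -p "$d/etc/default" "$d/var/adm"
    echo "192.0.2.1" > "$d/etc/defaultrouter"
    echo "Unauthorized use of this resource is prohibited." > "$d/etc/issue"
    echo "TCP_STRONG_ISS=2" > "$d/etc/default/inetinit"
    echo "SYSLOG=YES" > "$d/etc/default/login"
    echo 'BANNER=""' > "$d/etc/default/telnetd"
    printf 'set noexec_user_stack=1\nset noexec_user_stack_log=1\n' > "$d/etc/system"
    : > "$d/var/adm/loginlog"
    chmod 600 "$d/var/adm/loginlog"
    chmod -R go-w "$d/etc"
}

tmp=${TMPDIR:-/tmp}/audit.$$
make_sample_root "$tmp"; audit_root "$tmp"; echo "failed checks: $fails"; rm -rf "$tmp"
```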

Well, that's it. Please let me know what you think. Thanks.

Doug O'Leary