Sun Fire[TM] 12K/15K/E25K/E20K Servers: nfs.server and tftpboot services may be open on a System Controller that has Solaris[TM] Security Toolkit software installed or System Management Services 1.5 with Secure by Default.

Asset ID:	1-71-1002268.1
Update Date:	2009-09-24
Keywords:

Solution Type Technical Instruction Sure

Solution 1002268.1 : Sun Fire[TM] 12K/15K/E25K/E20K Servers: nfs.server and tftpboot services may be open on a System Controller that has Solaris[TM] Security Toolkit software installed or System Management Services 1.5 with Secure by Default.

Related Items


Sun Fire E25K Server
 Sun Fire E20K Server
 Sun Fire 12K Server
 Sun Fire 15K Server

Related Categories


GCS>Sun Microsystems>Servers>High-End Servers

PreviouslyPublishedAs
203193

Description
This document addresses nfs.server and tftpboot services may be open on a System Controller that has Solaris[TM] Security Toolkit software installed or System Management Services 1.5 with Secure by Default.

After following the Blueprint: "Securing the Sun Fire[TM] 12K and 15K System Controllers" http://www.sun.com/blueprints/browsesubject.html#security, and using the "Solaris[TM] Security Toolkit" http://www.sun.com/software/security/jass/ your System Controller can still be used as your domain's
Operating System installation server, but will leave open tftp and nfs.server until all clients have been removed.

Steps to Follow
Since the Starcat platform has an internal network to each of its domains, the System Controller is the perfect place to create a Solaris JumpStart[TM] software server.
If your platform is secure, you will have no problems using your System
Controller as a boot server, but after you run "add_install_client" for the first
time, this will turn on nfs.server, and tftp. After you are finished with
installing Solaris[TM] Operating System(OS), you can stop these services by
running the rm_client script for each client. This script will remove the
/tftpboot files for this domain and remove the entry from the /etc/bootparams file.

If this domain is the last machine-client the system has, it will also unshare
the installation directory, remove the entry from the dfstab file for nfs.server,
remove the /etc/bootparams file, and remove the /tftpboot directory.

If you do not remove the clients, the System Controller will still run these
services until either this script is run, or the changes are made manually. Even
after system reboots with "Solaris Security Toolkit" installed, these
services will be restarted.

Product
Sun Fire E25K Server
Sun Fire E20K Server
Sun Fire 15K Server
Sun Fire 12K Server

Internal Comments
System Management Services(SMS) 1.5 will be "Secure by Default", so the Solaris Security Toolkit will be already configured out of the box. Most installations do use the System Controller(SC) as a jumpstart server, so this will effect all installations that have SMS 1.5 installed.

starcat, jass, security, jumpstart, secure by default
Previously Published As
79971

Change History
Date: 2005-11-09
User Name: 25440
Action: Approved
Comment: Publishing.
Version: 6
Date: 2005-11-09
User Name: 25440
Action: Accept
Comment:
Version: 0
Date: 2005-11-09
User Name: 27166
Action: Approved
Comment: Document was updated to include SMS 1.5 Secure By Default
reference.
Version: 0
Product_uuid
d842dd03-059b-11d8-84cb-080020a9ed93|Sun Fire E25K Server
1404a2d3-059a-11d8-84cb-080020a9ed93|Sun Fire E20K Server
29e4659c-0a18-11d6-9fa1-e67bbc033df8|Sun Fire 15K Server
077fd4c5-df8f-4320-ad69-7d01603a674d|Sun Fire 12K Server

Attachments

This solution has no attachment