root@solaris:~# useradd johnjayroot@solaris:~# passwd johnjayNew Password:Re-enter new Password:passwd: password successfully changed for johnjayroot@solaris:~# rolemod -p "Network Administrator,All,Stop" johnjayUX: rolemod: ERROR: Users must be modified with 'usermod'.root@solaris:~#

Once basic networking has been achieved, there is something called the Location Profile that loads system-wide network configuration information. This includes:

- Condition under which it is activated

- Naming service to use

- Domain name

- IP Filter rules

- IPsec policy

Incorrect:

Not A: The Automatic NCP is a system-defined profile and cannot be modified by a user. It contains one Link NCU and one Interface NCU for each physical link on the system. For this particular profile, Physical links take precedence over Wireless links when it is time to activate an NCU. This profile changes dynamically when new links are inserted or removed from the system.

* The following directives cause audit_binfile.so to be loaded, specify the directories for writing audit logs, and specify the percentage of required free space per directory.

auditconfig -setplugin audit_binfile active \

"p_dir=/var/audit/jedgar/eggplant,/var/audit/jedgar.aux/eggplant,

/var/audit/global/eggplant;p_minfree=20;p_fsize=4.5GB"

* The attributes specifying the configuration of audit_binfile plugin include:

p_dir

dir1[,dir2],.. [,dirn]

A list of directories, where the audit files will be created. Any valid writable directory can be specified.

p_fsize

The p_fsize attribute defines the maximum size that an audit file can become before it is automatically closed and a new audit file is opened. This is equivalent to an administrator issuing an audit -ncommand when the audit file size equals the value specified by the administrator. The default size is zero (0), which allows the file to grow without bound.

audit_remote

- send Solaris audit logs to a remote server

The audit_remote plugin module for Solaris audit, /usr/lib/security/audit_remote.so, sends binary audit records (audit.log) to audit servers as they are configured with auditconfig.

The audit_remote plugin is loaded by auditd if the plugin is configured as an active via auditconfig. Use the auditconfig -setplugin option to change all the plugin related configuration parameters.

Incorrect:

not D: Audit policy determines the characteristics of the audit records for the local host. When auditing is enabled, the contents of the /etc/security/audit_startup file determine the audit policy.

The following list provides a brief description of each default checkpoint in the order the checkpoints are executed in most manifests.

transfer-ips-install – At this checkpoint, the distribution constructor contacts the IPS publishers and adds to the image the packages that are listed in the software_data element of the manifest.

set-ips-attributes – At this checkpoint, the constructor sets the publisher to be used by the installed system. The values set by this checkpoint are not relevant if you are building an automated installation image.

pre-pkg-img-mod – At this checkpoint, the constructor imports into the image the SMF service files that were specified in the configuration element of the manifest. Also, the constructor modifies some files to optimize the image.

B: Link aggregations provide high availability and higher throughput by aggregating multiple interfaces at the MAC layer. IP Multipathing (IPMP) provides features such as higher availability at the IP layer. Both IPMP and Link Aggregation are based on the grouping of network interfaces, and some of their features overlap, such as higher availability. These technologies are however implemented at different layers of the stack, and have different strengths and weaknesses.

E: Internet Protocol Network Multipathing (IPMP) provides fault-tolerance and load balancing across multiple network interface cards. By using IPMP, you can configure one or more interfaces into an IP multipathing group. After configuring IPMP, the system automatically monitors the interfaces in the IPMP group for failure. If an interface in the group fails or is removed for maintenance, IPMP automatically migrates, or fails over, the failed interface's IP addresses

Incorrect:

Not A: The same (non-null) character string IPMP group name identifies all interfaces in the group. You can place interfaces from NICs of different speeds within the same IPMP group, as long as the NICs are of the same type.

Not C:If LACP (Link Aggregation Control Protocol) cannot aggregate all the ports that are compatible (for example, the remote system might have more restrictive hardware limitations), then all the ports that cannot be actively included in the channel are put in hot standby state and are used only if one of the channeled ports fails.

Not D: MP is built into Oracle Solaris and does not require any special hardware. Any interface that is supported by Oracle Solaris can be used with IPMP. However, IPMP does impose the following requirements on your network configuration and topology:

/All interfaces in an IPMP group must have unique MAC addresses.

/ All interfaces in an IPMP group must be of the same media type.

/ All interfaces in an IPMP group must be on the same IP link

C: You can use the scheduling-class property in zonecfg to set the scheduling class for the zone.

D: When you explicitly set the cpu-shares property, the fair share scheduler (FSS) will be used as the scheduling class for that zone. However, the preferred way to use FSS in this case is to set FSS to be the system default scheduling class with the dispadmin command. That way, all zones will benefit from getting a fair share of the system CPU resources. If cpu-shares is not set for a zone, the zone will use the system default scheduling class.

E: You can set the scheduling class for a zone through the resource pools facility. If the zone is associated with a pool that has its pool.scheduler property set to a valid scheduling class, then processes running in the zone run in that scheduling class by default.

URL: http://www.oracle.com/technetwork/articles/servers-storage-admin/o11-118-s11-script-zones-524499.html

How to Create a Virtual Network Interface

This procedure shows how to create a virtual network interface card (VNIC).

1. Create a VNIC over a datalink.

# dladm create-vnic -l link vnic

link is the name of the datalink over which the VNIC is configured.

vnic is the VNIC which you can label with a customized name as well.

2. Create a VNIC IP interface over the link.

# ipadm create-ip vnic

3. Configure the VNIC with a valid IP address.

If you are assigning a static IP address, use the following syntax:

# ipadm create-addr -T static -a address addrobj

where addrobj uses the naming format interface/user-defined-string, such as e1000g0/v4globalz.

* policy.conf

policy.conf– configuration file for security policy.

The policy.conf file provides the security policy configuration for user-level attributes.

* Example: Modifying Every User's Basic Privilege Set

In this example, the security administrator of a large Sun Ray installation does not want regular users to view the processes of other Sun Ray users. Therefore, on every system that is configured with Trusted Extensions, the root role removes proc_info from the basic set of privileges. The PRIV_DEFAULT setting in the /etc/policy.conf file is uncommented and modified as follows:

PRIV_DEFAULT=basic,!proc_info

Set the default scheduler for the system to be the FSS.

# dispadmin -d FSS

The ps command prints information about active processes.

Without options, ps prints information about processes asso-

ciated with the controlling terminal. The output contains

only the process ID, terminal identifier, cumulative execu-

tion time, and the command name. Otherwise, the information

that is displayed is controlled by the options.

NCPs define a set of data links and IP interfaces as Network Configuration Units (NCUs).

Example:

root@solaris:~# netadm list

TYPE PROFILE STATE

ncp acme.corp.ncp online

ncu:phys net0 online

ncu:ip net0 online

ncp Automatic disabled

loc acme.corp.loc online

loc Automatic offline

loc NoNet offline

loc User disableda

Global Monitoring of Resource Control Events

Often, the resource consumption of processes is unknown. To get more information, try using the global resource control actions that are available with the rctladm command. Use rctladm to establish a syslog action on a resource control. Then, if any entity managed by that resource control encounters a threshold value, a system message is logged at the configured logging level.

root@solaris:~# zfs snapshot pool1/sales/qrreports@qrreportroot@solaris:~# zfs list -t snapshot -r pool1/sales/qrreportsNAME USED AVAIL REFER MOUNTPOINTpool1/sales/qrreports@qrreport 0 - 31K -root@solaris:~# zfs send -i pool1/sales/qrreports@qrreport pool1/sales/qrreports@mth2qtrreportError: Stream can not be written to a terminal.You must redirect standard output.

All interfaces in the same group must have the same STREAMS modules configured in the same order.

Example:

In Solaris 11 the “grant” authorization is no longer used, rather a set of authentication have been defined for that

purpose. The authentication strings can be found in /etc/security/prof_attr.d/core-os file.

solaris.auth.:RO::Authorizations::help=AuthorizationHeader.html

solaris.auth.assign:RO::Assign any authorization::help=AuthAssign.html

solaris.auth.delegate:RO::Assign owned authorizations::help=AuthDelegate.html

solaris.auth.manage:RO::Manage authorizations::help=AuthManage.html

Note: You no longer need to use the visual editor to add your own site specific entries to the Role Based Access Controls framework in Oracle Solaris 11. The profile command has been modified to support creation, modification and removal of Rights Profiles