ss_install (SunScreen v3.1)

Screen Type

Will this Screen be used as a router, or will it be used as a bridge providing stealth? This will affect how the interfaces are initialized. For routing Screens, each interface will be set up as a routing interface. For a stealth Screen, there should only be one interface available, which will be dedicated to Screen administration.

1. ROUTING
2. STEALTH

Screen Type? (1|2) 2

Administration Interface

Select the network interface to be used as the remote administration interface.
Select Administration Interface from the following list:
le0
le0

Certificate Type

There are two types of certificates that you can use:
  Self-Generated Certificates
  Certificates Issued by a Certificate Authority

1. SELF
2. ISSUED

Select the certificate type you want (1|2) 1

Generating Screen's key.
Directory already exists
generating local secret with 1024 modulus size
The Screen's certificate ID is 0x448983faa5b77b037cbef69a7cb261a7
Enter the name/hash of the administration station's unsigned Diffie-Hellman key certificate:
(do not include leading 0x) 4fd3a1eec3a168e124753fb3a1a78742
The Administration station's certificate ID is 0x4fd3a1eec3a168e124753fb3a1a78742
Please wait while the SKIP key manager is restarted.
--Add certs & admin group
--Adding interfaces & interface addresses

SKIP parameters used for administration traffic.
Admin's certificate ID:    0x4fd3a1eec3a168e124753fb3a1a78742
Screen's certificate ID:   0x448983faa5b77b037cbef69a7cb261a7
Key encryption algorithm:  DES-CBC
Data encryption algorithm: DES-CBC
MAC algorithm:             MD5

Run the following command on the administration station to configure skip:
skiphost -a x1 -r 8 -R 0x448983faa5b77b037cbef69a7cb261a7 -s 8 -S 0x4fd3a1eec3a168e124753fb3a1a78742 -k DES-CBC -t DES-CBC -m MD5

Read the file /etc/opt/SUNWicg/SunScreen/AdminSetup.readme for information about setting up the Remote Administration Station.
--Initialize 'vars' databases
--Initialize 'authuser' & 'proxyuser' databases
--Initialize 'logmacro' database
--Applying edits
--Activating configuration
Configuration activated successfully on x1.

Harden Screen

The hardening of the Solaris OS on the Screen removes unnecessary files and services which might otherwise make the Screen vulnerable. This should only be performed on Screens in the stealth configuration which don't route or provide any external services; hardening is irreversible.

1. YES
2. NO

Do you want to harden the Solaris OS? (1|2) starting SunScreen ssadm server.
1
Hardening Solaris OS on the screen
Reboot the machine now for changes to take effect.
# reboot
Sep 14 06:07:59 ss3 reboot: rebooted by root
Sep 14 06:07:59 sws.efshttpd[174]: [1 httpd.135 0 (SW) NOTICE]: Shutting down server.
syncing file systems... done
rebooting...
Resetting ...
screen not found.
Can't open input device.
Keyboard not present.  Using tty for input and output.
SPARCstation 20 MP (2 X 390Z55), No Keyboard
ROM Rev. 2.22, 240 MB memory installed, Serial #7664460.
Ethernet address 8:0:20:74:f3:4c, Host ID: 7274f34c.
Initializing Memory
Rebooting with command:
Boot device: /iommu/sbus/espdma@f,400000/esp@f,800000/sd@3,0  File and args:
SunOS Release 5.8 Version Generic_108528-10 32-bit
Copyright 1983-2001 Sun Microsystems, Inc.  All rights reserved.
plumbing SunScreen network interfaces: le0.
configuring IPv4 interfaces: le0.
Hostname: x1
The system is coming up.  Please wait.
loading skip keystore.
starting skip key manager daemon.
Instance efshttpd added.
efshttpd : Enabled.
Sep 14 06:09:37 sws.efshttpd[162]: [1 admin.195 0 (SW) NOTICE]: Running with SWS Configuration file "/etc/opt/SUNWicg/SunScreen/http/efshttpd.conf".
efshttpd : Started successfully.
Sep 14 06:09:38 sws.efshttpd[162]: [1 httpd.105 0 (SW) NOTICE]: Sun_WebServer/2.0 server started.
Starting IPv4 routing daemon.
Setting /dev/arp arp_cleanup_interval to 60000
Setting /dev/ip ip_forward_directed_broadcasts to 0
Setting /dev/ip ip_forward_src_routed to 0
Setting /dev/ip ip_ignore_redirect to 1
Setting /dev/ip ip_respond_to_address_mask_broadcast to 0
Setting /dev/ip ip_respond_to_echo_broadcast to 0
Setting /dev/ip ip_respond_to_timestamp to 0
Setting /dev/ip ip_respond_to_timestamp_broadcast to 0
Setting /dev/ip ip_send_redirects to 0
Setting /dev/ip ip_strict_dst_multihoming to 1
Setting /dev/tcp tcp_conn_req_max_q0 to 4096
Setting /dev/tcp tcp_conn_req_max_q to 1024
Setting /dev/tcp tcp_smallest_anon_port to 32768
Setting /dev/tcp tcp_largest_anon_port to 65535
Setting /dev/udp udp_smallest_anon_port to 32768
Setting /dev/udp udp_largest_anon_port to 65535
Setting /dev/tcp tcp_smallest_nonpriv_port to 1024
Setting /dev/udp udp_smallest_nonpriv_port to 1024
Setting /dev/ip ip_ire_arp_interval to 60000
Setting /dev/tcp tcp_extra_priv_ports_add to 6112
Setting /dev/tcp tcp_rev_src_routes to 0
syslog service starting.
cron could not unlink FIFO: No such file or directory
cron aborted: cannot create fifo queue
! cannot create fifo queue Fri Sep 14 06:09:47 2001
! ******* CRON ABORTED ******** Fri Sep 14 06:09:47 2001
volume management starting.
starting SunScreen ssadm server.
All the enabled instances are already running.
The system is ready.

###################################################################
# This system is for the use of authorized users only.            #
# Individuals using this computer system without authority, or in #
# excess of their authority, are subject to having all of their   #
# activities on this system monitored and recorded by system      #
# personnel.                                                      #
#                                                                 #
# In the course of monitoring individuals improperly using this   #
# system, or in the course of system maintenance, the activities  #
# of authorized users may also be monitored.                      #
#                                                                 #
# Anyone using this system expressly consents to such monitoring  #
# and is advised that if such monitoring reveals possible         #
# evidence of criminal activity, system personnel may provide the #
# evidence of such monitoring to law enforcement officials.       #
###################################################################

sunscreen3 console login: root
Password:
Last login: Fri Sep 14 04:59:57 on console
#
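The "Setting /dev/ip ... to ..." lines in the boot output are ndd(1M) kernel parameters written by the hardening step at every boot; ndd settings do not survive a reboot on their own, so the place to confirm the hardened state is after the Screen comes back up. The following script is an added example, not SunScreen's own hardening script. It reads the live values back with `ndd -get <driver> <parameter>` and reports any that are unreadable or differ from the baseline shown above (the baseline values are copied from that output; the script name, the `NDD` override variable and the `--run` flag are this example's own conventions).

```shell
#!/bin/sh
# audit_ndd.sh: compare live Solaris ndd(1M) network parameters against the
# hardening baseline printed at boot. Added example, not SunScreen's own
# hardening script. Assumes "ndd -get <driver> <param>" prints the value.

NDD=${NDD:-ndd}   # override to point at a wrapper or a test stub

# Baseline: driver, parameter, expected value (values taken from the boot log).
# Only parameters that ndd -get reports as a single number are listed;
# tcp_extra_priv_ports_add is write-only and is checked differently.
BASELINE='
/dev/arp arp_cleanup_interval 60000
/dev/ip ip_forward_directed_broadcasts 0
/dev/ip ip_forward_src_routed 0
/dev/ip ip_ignore_redirect 1
/dev/ip ip_respond_to_address_mask_broadcast 0
/dev/ip ip_respond_to_echo_broadcast 0
/dev/ip ip_respond_to_timestamp 0
/dev/ip ip_respond_to_timestamp_broadcast 0
/dev/ip ip_send_redirects 0
/dev/ip ip_strict_dst_multihoming 1
/dev/tcp tcp_conn_req_max_q0 4096
/dev/tcp tcp_conn_req_max_q 1024
/dev/tcp tcp_rev_src_routes 0
'

# audit_ndd: print one DEVIATION line per parameter that is unreadable or
# differs from the baseline; return the number of deviations (0 = clean).
# The loop reads from a here-document, not a pipe, so "bad" is updated in
# the current shell and the count survives to the return statement.
audit_ndd() {
    bad=0
    while read -r drv param want; do
        [ -n "$drv" ] || continue
        got=$("$NDD" -get "$drv" "$param" 2>/dev/null) || got="(unreadable)"
        if [ "$got" != "$want" ]; then
            echo "DEVIATION $drv $param: want $want, got $got"
            bad=$((bad + 1))
        fi
    done <<EOF
$BASELINE
EOF
    return $bad
}

# Run the audit only when invoked as "sh audit_ndd.sh --run", so the file can
# also be sourced by other scripts (or a test) without touching the system.
if [ "${1:-}" = "--run" ]; then
    if audit_ndd; then
        echo "hardening baseline intact"
    else
        rc=$?
        echo "hardening baseline violated: $rc parameter(s) differ" >&2
        exit 1
    fi
fi
```

Run it from cron or from the post-boot checks on the Screen itself; a non-zero exit means a parameter has drifted from the hardened value (for example after a patch or an rc script change) or could not be read, which on a stealth Screen is worth an alert either way. Parameters that take a list or are write-only, such as tcp_extra_priv_ports_add, have to be checked by reading the corresponding list parameter and searching it rather than by a single-value comparison.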