
Setting up Digital Unix Securely


Most systems are not set up to be inherently secure when networked. You are, therefore, strongly advised to follow the recommendations shown in the checklist relevant to your system. This should help to ensure the system is appropriately and securely set up before it is put on the network. You are also advised to consult the CERT notifications.

For Superusers of Compaq Systems ~ OSF, Digital Unix, Tru64 UNIX

1. Latest System Release

2. Latest Patches

Source of Patches

http://ftp1.service.digital.com/public/Digital_UNIX/

anonymous @ ftp.europe.digital.com ~ cd /public/unix

download latest .tar patch files - see README files

Installing Patches

untar patch file ~ tar xf filename.tar

Single patches have installation instructions in a README file - usually for copying the new files into the correct directory after saving copies of the old versions.

Patch Kits are files containing a number of patches, not all security related, which supersede the previous patch kit for that level of the operating system. They include a tailored patch installation utility called dupatch. When the tar download is extracted a sub-directory called patch_kit is created; within it are the dupatch utility, a README and installation guides. The utility is run with the command ./dupatch after changing to the patch_kit directory.

Note that dupatch will only install patches in single-user mode. Once you are sure that the patch kit has been extracted from the tar file successfully, shut down the machine to the boot prompt, ">>".

Then boot to single-user mode with the command boot -fl s.

When the single-user prompt appears, "#", enter the following commands ....

mount -a to mount file systems

swapon -a to open swap

.... then cd to the patch_kit directory and enter the command ....

./dupatch to start the utility

The dupatch utility is menu driven and fairly straightforward. Installing a patch kit can be very slow on older systems and can take over an hour. Installation includes an option for reversing the patch installation at a later date. While this is advisable, it does use space on the /var file system.

The patch kits, and most other patches, need to have the kernel rebuilt after installation.

Re-Building Kernel

Execute the command doconfig.

This will ask for confirmation of ....

Kernel configuration file name - usually hostname

Possibly ask if OK to overwrite existing configuration file - usually OK

Kernel options to use - if in doubt reply with the ALL option

If kernel configuration file needs to be edited - nearly always NO

The system will build the new kernel - this can take several minutes - and finally give the name of the new-kernel-file before exiting.

Save the current kernel file with the command cp /vmunix /vmunix.old

and replace with mv new-kernel-file /vmunix

Then reboot the machine with either reboot or shutdown -r now
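The kernel swap above (cp /vmunix /vmunix.old, then mv new-kernel-file /vmunix) with the checks a practitioner would want first, as an added example that is not part of the ICT page. The kernel paths are parameters (an assumption) so the steps can be rehearsed on ordinary files before being run as root on the real /vmunix.

```shell
#!/bin/sh
# Added example (not from the ICT page): the page's cp /vmunix /vmunix.old and
# mv new-kernel-file /vmunix steps with the checks a practitioner wants first.
# NEW and TARGET are parameters (assumption) so the steps can be rehearsed on
# ordinary files before being run as root on the real /vmunix.

# install_kernel NEW TARGET: refuse if NEW is missing or empty or identical to
# TARGET; preserve any existing TARGET.old fallback under a timestamped name,
# copy TARGET to TARGET.old, then move NEW into place. Prints the fallback path.
install_kernel() {
    new=$1; target=$2
    [ -s "$new" ] || { echo "install_kernel: $new missing or empty" >&2; return 1; }
    [ -f "$target" ] || { echo "install_kernel: $target not found" >&2; return 1; }
    if cmp -s "$new" "$target"; then
        echo "install_kernel: $new is identical to $target, nothing to do" >&2
        return 2
    fi
    if [ -f "$target.old" ]; then
        # Keep the previous fallback rather than silently overwriting the only
        # known-good kernel with one that may itself be untested.
        cp -p "$target.old" "$target.old.$(date +%Y%m%d%H%M%S)" || return 1
    fi
    cp -p "$target" "$target.old" || return 1
    mv "$new" "$target" || return 1
    echo "$target.old"
}

# rollback_kernel TARGET: put the saved TARGET.old back if the new kernel fails
# to boot (run from single-user mode); the new kernel is kept as TARGET.failed.
rollback_kernel() {
    target=$1
    [ -s "$target.old" ] || { echo "rollback_kernel: no $target.old fallback" >&2; return 1; }
    mv "$target" "$target.failed" || return 1
    cp -p "$target.old" "$target"
}
```

Run as install_kernel /path/to/new-kernel-file /vmunix after doconfig finishes, then reboot; rollback_kernel /vmunix restores the previous kernel if the new one does not boot.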

Reinstalling the Operating System from CD-ROM

Note that re-installing will reformat any disk partitions used and all data on these partitions will be lost.

From the boot prompt, ">>", enter show devices to list the devices attached to the machine. Find the cd-rom device in the list and note its device name - usually beginning with "dk".

Insert the operating system cd into the cd-rom and boot from it with the command boot device_name.

Eventually the installation window will be displayed for setting the installation options. Hard copies of the current /etc/fstab and the Installation Manual for the operating system would be very useful here.

When the installation is complete the system will need to be configured to restore local settings. This will be easier if certain documents and hard copies of certain files are to hand. Here is a general list.

Licence documentation for the system

Installation manuals and licence documentation for any applications

Hard copies of the following files:

/etc/passwd ~ if using a local password base
/etc/hosts
/etc/hosts.equiv
/etc/networks
/etc/group
/etc/rc.config
/etc/services
/etc/printcap
/etc/inetd.conf
/etc/fstab
/etc/exports ~ if exporting file systems to remote machines
/usr/local/samba/lib/smb.conf ~ if Samba configured
/etc/ntp.conf ~ if ntpd daemon in use
/etc/resolv.conf ~ bind name mapper settings
/etc/auto.master, /etc/auto.direct (or those in use) ~ if the automounter service is running
/var/spool/cron/crontabs/root ~ if local cron jobs are used

and any local files in the /var/yp/src directory if a NIS server

Also keep hard copies of the output from the following commands:

/usr/sbin/setld -i ~ lists installed subsets & patches

df ~ lists active disk partitions etc

/sbin/disklabel rz?? ~ partition table for each disk
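One way to keep the "hard copies" listed above in a form that can be checked after a reinstall or patch kit, as an added example that is not part of the ICT page: copy each listed file that exists into one directory with a checksum manifest, and save the command outputs where the command is present. ROOT is a prefix (an assumption) so the script can be rehearsed on a constructed tree as well as on /; the demo files it builds are made up and are not real system files.

```shell
#!/bin/sh
# Added example (not from the ICT page): snapshot the configuration files the
# page lists as hard copies into one directory with a cksum manifest. ROOT is
# a prefix (assumption) so the script can be rehearsed on a constructed tree.

CONFIG_FILES="etc/passwd etc/hosts etc/hosts.equiv etc/networks etc/group
etc/rc.config etc/services etc/printcap etc/inetd.conf etc/fstab etc/exports
usr/local/samba/lib/smb.conf etc/ntp.conf etc/resolv.conf etc/auto.master
etc/auto.direct var/spool/cron/crontabs/root"

# snapshot_config ROOT DEST: copy each listed file present under ROOT to DEST,
# keeping its path; write DEST/MANIFEST (cksum per copy) and DEST/MISSING for
# files this host does not use. Saves setld -i and df output where the command
# exists; disklabel needs a disk name (rz??), so record that one by hand.
snapshot_config() {
    root=$1; dest=$2
    mkdir -p "$dest" || return 1
    : > "$dest/MANIFEST"; : > "$dest/MISSING"
    for f in $CONFIG_FILES; do
        if [ -f "$root/$f" ]; then
            mkdir -p "$dest/$(dirname "$f")" || return 1
            cp -p "$root/$f" "$dest/$f" || return 1
            (cd "$dest" && cksum "$f") >> "$dest/MANIFEST"
        else
            echo "$f" >> "$dest/MISSING"
        fi
    done
    for cmd in "/usr/sbin/setld -i" "df"; do
        set -- $cmd
        command -v "$1" >/dev/null 2>&1 && $cmd > "$dest/$(basename "$1").out" 2>&1 || :
    done
    return 0
}

# verify_snapshot DEST: recompute the checksums and compare with MANIFEST;
# returns non-zero if any saved copy has changed since the snapshot was taken.
verify_snapshot() {
    dest=$1
    (cd "$dest" && while read -r sum len f; do cksum "$f"; done < MANIFEST) > "$dest/.check"
    cmp -s "$dest/MANIFEST" "$dest/.check"
}

# make_demo_root DIR: constructed sample tree (not real system files) for rehearsal.
make_demo_root() {
    mkdir -p "$1/etc" "$1/var/spool/cron/crontabs"
    printf 'root:x:0:1:System:/:/bin/sh\n' > "$1/etc/passwd"
    printf '127.0.0.1 localhost\n' > "$1/etc/hosts"
    printf '/dev/rz0a / ufs rw 1 1\n' > "$1/etc/fstab"
    printf '0 3 * * * /usr/local/bin/nightly\n' > "$1/var/spool/cron/crontabs/root"
}
```

On the real machine run snapshot_config / /some/offline/medium/hostname-DATE, then verify_snapshot on the copy before relying on it; MISSING shows which optional services the host did not have configured.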

Now complete the post-installation checks.


© 2002 Imperial College of Science, Technology and Medicine.