Patch-ID# 116144-02 Keywords: ping equal label unlabeled hardened network Synopsis: Trusted_Solaris_8_HW_12/02: inetinit patch Date: Oct/31/2003 Install Requirements: Additional instructions may be listed below Reboot after installation Solaris Release: Trusted_Solaris_8_HW_12/02 SunOS Release: Trusted_Solaris_8_HW_12/02 Unbundled Product: Unbundled Release: Xref: This patch available for x86 as patch 116145 Topic: Trusted_Solaris_8_HW_12/02: inetinit patch Relevant Architectures: sparc BugId's fixed with this patch: 4639031 4894365 4938446 Changes incorporated in this version: 4894365 4938446 Patches accumulated and obsoleted by this patch: Patches which conflict with this patch: Patches required with this patch: Obsoleted by: Files included with this patch: /etc/init.d/inetinit /etc/rc0.d/K43inet /etc/rc1.d/K43inet /etc/rc2.d/S69inet /etc/rcS.d/K43inet Problem Description: 4894365 Request telnet not send - SYN/ACK/Rst downlabel during improper telnet 4938446 Expand "tsol_ping_equal_only" to "tsol_unlab_equal_only", add more protocols. (from 116144-01) 4639031 ping on restricted interfaces can ping to higher label & get response Patch Installation Instructions: -------------------------------- Refer to the man pages for instructions on using 'patchadd' and 'patchrm' scripts provided with Trusted Solaris. Any other special or non-generic installation instructions should be described below as special instructions. For additional examples please see the appropriate man pages. Special Install Instructions: ----------------------------- NOTE 1: Reboot the system after all the patches are installed. NOTE 2: The tsol_ping_equal_only ndd switch in patches 116142-01 and 116144-01 has been renamed to tsol_unlab_equal_only. NOTE 3: To get complete hardening feature for bugs 4639031 and 4938446, one needs to install the following patches: 116142-02 (or newer) ip patch 116144-02 (or newer) inetinit patch 116146-02 (or newer) genunix_policy patch NOTE 4: To activate the complete hardening feature for bug 4639031 and 4938446, you will need to edit /etc/init.d/inetinit after installing the inetinit patch and uncomment the following line, as documented within inetinit: #/usr/sbin/ndd -set /dev/ip tsol_unlab_equal_only 1 This can be done just before reboot after installing the above 3 patches, if desired. NOTE 5: It is recommended to save a copy of the /etc/init.d/inetinit file before removing 116144-01 (or newer). The installation of this patch will not preserve any user modifications made to the /etc/init.d/inetinit file after the patch is installed. A copy of the /etc/init.d/inetinit file is preserved before the patch installation is complete. The user should be aware after the patch is removed, the pre-patch version of /etc/init.d/inetinit file will not be restored to the system. NOTE 6: To get the complete hardening feature for bugs 4894365, one needs to install the following patches: 116142-02 (or newer) ip patch 116144-02 (or newer) inetinit patch 116146-02 (or newer) genunix_policy patch 116405-01 (or newer) tcp patch NOTE 7: To activate the complete hardening feature for bug 4894365: After installing 116144-02 (or newer), update /etc/init.d/inetinit by removing the pound sign (#) from the ndd entry: #/usr/sbin/ndd -set /dev/tcp tcp_strict_syn_policy 1 This file may be updated after all 4 patches have been installed: 116142-02 (or newer) ip patch 116144-02 (or newer) inetinit patch 116146-02 (or newer) genunix_policy patch 116405-01 (or newer) tcp patch NOTE 8: The "tsol_unlab_equal_only" switch, if set to 1 (default is 0) will disable some network communications that some sites depend upon, enable it only if desired per site policy. The steps below assume the patch has been put into an ADMIN_LOW directory in /var/tmp and the patch file label is configured to ADMIN_LOW. Create a role which contains the Software Installation profile (typically admin role is assigned this profile) and whose label range includes the ADMIN_LOW label. All the steps in the patch installation should be executed at ADMIN_LOW. The patch should be owned by this role. 1) Login as a user authorized to assume a role that contains the Software Installation profile; typically the admin role. Assume that role. To verify the profile is assigned to the role, type: "profiles -l | grep patchadd". The result should be: /usr/sbin/patchadd uid=0, privs=all, label=admin_low 2) cd into /var/tmp and install the patch file. # cd /var/tmp # patchadd /var/tmp/ where is the patch number. Special Backout Instructions: ----------------------------- NOTE 1: Reboot the system after all the patches are removed. 1) Login as a user authorized to assume a role that contains the Software Installation profile; typically the admin role. Assume that role. To verify the profile is assigned to the role, type: "profiles -l | grep patchrm". The result should be: /usr/sbin/patchrm uid=0, privs=all, label=admin_low 2) Backout patch by typing: # patchrm where is the patch number. README -- Last modified date: Friday, October 31, 2003