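#!/bin/ksh
# Post-install provisioning for a Solaris 11 SPARC Oracle DB host.
#
# Runs once, as root, on a freshly installed system and walks through:
# login banner, SMF service trimming, sendmail smart host, NTP, kernel
# tunables in /etc/system, a capped tmpfs /tmp, /etc/profile additions,
# DNS, autofs (/sw is the NFS software share everything below installs
# from), a ZFS dataset for audit logs, Centrify AD join + Centrify sshd,
# timezone, dump device, sshd hardening, IPS repository, rsyslog, the
# oracle account/project, and the TSM backup client.  Most steps append
# to config files, so re-running the script duplicates entries.
#
# Required environment:
#   ORACLE_PASSWORD   initial password for the oracle account.  It is read
#                     from the environment so the secret lives neither in
#                     this script nor in a file under /tmp.
#
# Secrets read from the share: /sw/solaris/.cent (AD join password).
# Temporary files are created with mktemp and copied over their targets
# instead of mv'd, so predictable /tmp names are never used and the
# target keeps its original owner and mode.

: "${ORACLE_PASSWORD:?set ORACLE_PASSWORD in the environment before running}"

# sed_inplace EXPR FILE -- rewrite FILE through sed EXPR.
# Uses an unpredictable temp name (no symlink race on a shared /tmp) and
# copies the result back so FILE keeps its existing owner and mode; a
# mktemp file mv'd into place would otherwise end up 0600 and, e.g., an
# unreadable /etc/mail/submit.cf breaks local mail submission.
function sed_inplace {
  typeset tmp
  tmp=$(mktemp /tmp/prov.XXXXXX) || exit 1
  sed "$1" "$2" > "$tmp" && cp "$tmp" "$2"
  rm -f "$tmp"
}

# BANNER (pre-login notice in /etc/issue)
cat > /etc/issue <<'EOF'
################################################################################
# Unauthorized access is not allowed, all logins are logged due the security #
# #
# Max process limit per username on all systems is 1024. #
################################################################################
EOF

# DISABLED SERVICES -- mail, OCM and SNMP are not used on this host.
for svc in smtp sendmail sendmail-client smtp-notify ocm \
           texinfo-update:default net-snmp:default snmp-notify:default; do
  svcadm disable "$svc"
done
netadm enable -p ncp DefaultFixed

# DISABLED SENDMAIL CLIENT, ENABLE SMART HOST CONFIG
# Turns the empty "DS" smart-host line of submit.cf into "DSserver1".
# (The pattern is unanchored, as in the original; it touches the first
# "DS" on every line that contains one.)
sed_inplace "s/DS/DSserver1/" /etc/mail/submit.cf

# NTP SETTINGS -- always slew, never step, against two internal servers.
cp -p /etc/inet/ntp.client /etc/inet/ntp.conf
cat >> /etc/inet/ntp.conf <<'EOF'
slewalways yes
disable pll
server 1.1.1.34
server 1.1.2.25
EOF
/usr/sbin/svccfg <<-EOF
select svc:/network/ntp:default
setprop config/slew_always = true
refresh
validate
exit
EOF
svcadm enable svc:/network/ntp:default

# KERNEL TUNABLES: app memory reservation, disk queue length and io_time.
cat >> /etc/system <<'EOF'
* app memory reservation
set user_reserve_hint_pct=50
* disk queue length and io_time settings
set sd:sd_io_time=0x3c
set ssd:ssd_io_time=0x3c
set sd:sd_max_throttle=0x32
set ssd:ssd_max_throttle=0x32
set zfs:zfs_vdev_max_pending=50
EOF

# /TMP LIMIT -- cap tmpfs at 4 GiB so a runaway /tmp cannot exhaust swap.
cp -p /etc/vfstab /etc/vfstab.orig
vtmp=$(mktemp /tmp/prov.XXXXXX) || exit 1
grep -v tmpfs /etc/vfstab > "$vtmp"
echo "swap - /tmp tmpfs - yes size=4096m" >> "$vtmp"
cp "$vtmp" /etc/vfstab
rm -f "$vtmp"

# /ETC/PROFILE SETTINGS
# Written through a quoted heredoc so $PATH / $LD_LIBRARY_PATH expand at
# the user's login, not at provisioning time (the original baked root's
# PATH into every user's PATH).  LD_LIBRARY_PATH is only prefixed with the
# existing value when one is set: "LD_LIBRARY_PATH=:/usr/sfw/lib/..." has
# an empty first element, which the runtime linker treats as the current
# directory and which lets any user-writable cwd supply libraries.
# Setting LD_LIBRARY_PATH globally is still a questionable practice; it is
# kept because existing tooling on these hosts relies on it.
cp -p /etc/profile /etc/profile.orig
cat >> /etc/profile <<'EOF'
alias tsmdir='cd /opt/tivoli/tsm/client/ba/bin'
if [ $PS1 ]; then
  if [ "$BASH" ]; then
    if [ `id |cut -c5` == 0 ]; then
      PS1='\[\e[0;32m\][\h]\[\e[0m\]\[\e[1;30m\]\w$\[\e[0m\]'
    else
      PS1='\[\e[0;34m\][\h]\[\e[0m\]\[\e[1;30m\]\w$\[\e[0m\]'
    fi
  else
    if [ `id -u` -eq 0 ]; then
      PS1='# '
    else
      PS1='$ '
    fi
  fi
fi
alias rm='rm -i'

HISTTIMEFORMAT='%d.%m.%y - %H:%M:%S: '
HISTSIZE=5000

PATH=$PATH:/usr/local/bin:/usr/sfw/bin:/usr/local/sbin
export PATH

LD_LIBRARY_PATH=${LD_LIBRARY_PATH:+$LD_LIBRARY_PATH:}/usr/sfw/lib/:/usr/local/samba/lib/
export LD_LIBRARY_PATH

export TERM=vt100
export EDITOR=vi
EOF

# ENABLE SOLARIS HUSHLOGIN
# Create /.hushlogin and point /etc/profile's ".hushlogin" test at it so the
# motd is suppressed for everyone.  The dot is escaped: the original
# unescaped "." matched any character.
touch /.hushlogin
sed_inplace "s/\.hushlogin/\/.hushlogin/" /etc/profile

# DNS CLIENT SETTINGS
# The file is written once and then imported into SMF (nscfg), which owns
# it from then on -- hence the "generated from SMF" header.
cat > /etc/resolv.conf <<'EOF'
#
# _AUTOGENERATED_FROM_SMF_V1_
#
# WARNING: THIS FILE GENERATED FROM SMF DATA.
# DO NOT EDIT THIS FILE. EDITS WILL BE LOST.
# See resolv.conf(4) for details.

domain fw.example.com.tr
search fw.example.com.tr fw.domain.com.tr
options timeout:4 attempts:2 rotate
nameserver 1.1.1.34
nameserver 1.1.2.25
EOF
nscfg import -f dns/client
svcadm restart dns/client
/usr/sbin/svccfg <<-EOF
select name-service/switch
setprop config/host = astring: "files dns"
select system/name-service/switch:default
refresh
validate
exit
EOF
svcadm restart name-service/switch

# AUTOFS SETTINGS
# /sw is the NFS share that every installer and the AD-join secret below
# are read from.  It is mounted rw here as in the original; nothing in this
# script writes to it, so a read-only mount (-ro) would be safer -- verify
# that none of the vendor installers need write access before changing it.
# The /home automount is commented out because oracle's home lives there.
mkdir /sw
echo "/- auto_direct -timeout=60" >> /etc/auto_master
sed_inplace "s/\/home/#\/home/" /etc/auto_master
echo "/sw -rw,soft,vers=4 repo.fw.domain.com.tr:/unix" > /etc/auto_direct
svcadm restart autofs
# Give autofs time to come up before /sw is first referenced.
sleep 60

# MAKE DEFAULT HOME /home instead of /export/home
useradd -D -b /home

# AUDIT DATASET + CENTRIFY INSTALLATION
# Dedicated, quota'd dataset for audit logs with devices/exec/setuid off so
# nothing dropped into it can be executed.
poolname="rpool"
zfs create -o mountpoint=/var/log/audit $poolname/audit
zfs set quota=2G $poolname/audit
zfs set devices=off $poolname/audit
zfs set exec=off $poolname/audit
zfs set setuid=off $poolname/audit
zfs set compression=on $poolname/audit
mkdir -p /var/log/audit/kernel
mkdir -p /var/log/audit/centrifydc
# Abort if the share is not there: otherwise ./install.sh would be resolved
# against whatever the current directory happens to be.
cd /sw/centrify/agents/solaris/sparc || exit 1
./install.sh --ent-suite --enable-da
pkgadd -a /sw/solaris/pkgadd_answer_file -d centrifydc-openssh-7.4p1-5.4.3-sol10-sparc-local all
echo 'dash.allinvoked: true' >> /etc/centrifyda/centrifyda.conf
# Centrify's sshd replaces the stock one.
svcadm disable ssh
svcadm enable centrify-sshd
# Join the domain.  The password is still passed via -p, which exposes it in
# the process list for the duration of adjoin; if this version of adjoin can
# prompt or read the password from stdin, prefer that over -p.
z=Database
u=centrify
adjoin -f -c "fw.example.com.tr/Unix/Unix Servers" -z "cn=$z,cn=universal,cn=universal,cn=zones,ou=unix,dc=fw,dc=example,dc=com,dc=tr" -u $u@fw.domain.com.tr -p "$(cat /sw/solaris/.cent)" fw.example.com.tr

# TIMEZONE SETTINGS
/usr/sbin/svccfg <<-EOF
select init
setprop environment/TZ=Turkey
refresh
validate
exit
EOF
svcadm restart init
/usr/sbin/svccfg <<-EOF
select svc:/system/timezone:default
setprop timezone/localtime = astring: Turkey
refresh
validate
exit
EOF
svcadm restart timezone

# DUMP DEVICE SETTINGS
zfs set volsize=100m rpool/dump
zfs set refreservation=100m rpool/dump

# SSHD SETTINGS (Centrify-shipped sshd_config)
# The legacy algorithms are appended to the defaults with the "+" prefix
# (OpenSSH >= 7.0).  The original assigned these lists outright, which
# REMOVED every modern kex/MAC (curve25519, sha2 MACs) and left only the
# weak set for all clients.  diffie-hellman-group1-sha1, hmac-md5*,
# hmac-sha1-96 and ssh-dss are dropped entirely; if a specific legacy
# client still needs one of them, add it back here explicitly.
# NOTE(review): sshd uses the first value it reads for a keyword, so any of
# these keys already set earlier in the shipped file win over the appended
# ones -- check the vendor file rather than assuming these take effect.
# X11Forwarding is turned on for the Oracle installer GUI (xauth/xclock are
# installed below).
groupadd nologin
cat >> /etc/centrifydc/ssh/sshd_config <<'EOF'
KexAlgorithms +diffie-hellman-group-exchange-sha1
MACs +hmac-sha1,umac-64@openssh.com,hmac-ripemd160
HostbasedAcceptedKeyTypes +ssh-rsa
HostKeyAlgorithms +ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa
MaxAuthTries 2
UseDNS no
DenyGroups nologin
TCPKeepAlive yes
ClientAliveInterval 600
ClientAliveCountMax 3
XAuthLocation /usr/bin/xauth
EOF
sed_inplace "s/\#X11Forwarding no/X11Forwarding yes/" /etc/centrifydc/ssh/sshd_config
svcadm restart centrify-sshd

# PKG REPO SETTINGS -- local (NFS) IPS repository replaces the default publisher.
pkg unset-publisher solaris
pkg set-publisher -g file:///sw/solaris/s11_3/repo/ solaris

# PKG INSTALLATIONS
for p in xclock xauth fonts-core; do
  pkg install "$p"
done
pkg install -r motif
pkg install oracle-rdbms-server-12cR1-preinstall
pkg install x11-info-clients

# RSYSLOG SETTINGS -- rsyslog replaces system-log; config comes from the share.
svcadm disable system-log
pkg install rsyslog
cp -p /etc/rsyslog.conf /etc/rsyslog.conf.orig
cp -p /sw/solaris/rsyslog/rsyslog.conf /etc/rsyslog.conf
svcadm enable rsyslog

# ORACLE USER SETTINGS
groupadd -g 1000 oinstall
groupadd -g 1001 dba
useradd -u 1101 -g oinstall -G dba -d /home/oracle -m oracle
groupadd -g 9000 asmadmin
groupadd -g 9001 asmdba
usermod -G +asmadmin oracle
usermod -G +asmdba oracle
# Initial password comes from the environment and goes straight into
# changepass on stdin -- no hard-coded credential, no copy left in /tmp.
printf '%s\n' "oracle:$ORACLE_PASSWORD" | /sw/solaris/cgipaf-1.3.3/changepass
usermod -K defaultpriv=basic,dtrace_kernel,dtrace_proc,dtrace_user oracle
# .bash_profile is written via a quoted heredoc so $ORACLE_HOME is kept
# literal for login time.  Fixes vs. the original: the missing ":" before
# $ORACLE_HOME/network/jlib in CLASSPATH (and its unescaped, empty-at-
# provisioning expansion), and the trailing "." (current directory) in
# PATH, which is a classic privilege-escalation vector for a DBA account.
# NOTE(review): ORACLE_HOME is not set anywhere in this profile; the
# installer/DBA is presumably expected to add it.
cat >> /home/oracle/.bash_profile <<'EOF'
export PATH=/usr/sbin:/bin:/usr/X11/bin:/usr/dt/bin:/usr/openwin/bin:/usr/ccs/bin:/usr/local/bin:$ORACLE_HOME/bin:/usr/local/bin:/home/oracle
export LD_LIBRARY_PATH=$ORACLE_HOME/lib:$ORACLE_HOME/oracm/lib
export CLASSPATH=$ORACLE_HOME/jdbc:$ORACLE_HOME/jlib:$ORACLE_HOME/rdbms/jlib:$ORACLE_HOME/network/jlib
export TEMP=/tmp
export TMPDIR=/tmp
ulimit -n 65536
ulimit -Ss 10240
EOF
chown oracle:oinstall /home/oracle/.bash_profile
# Owner-writable only: a group-writable login script lets any oinstall
# member run commands as oracle at its next login (original was 775).
chmod 644 /home/oracle/.bash_profile
# nologin is in sshd's DenyGroups, so oracle cannot ssh in directly.
usermod -G +nologin oracle
chown -R oracle:oinstall /u01
chmod -R 775 /u01
projadd -c "oracle" 'user.oracle'
projmod -sK "project.max-shm-memory=(privileged,16G,deny)" user.oracle
projmod -sK "process.max-sem-nsems=(priv,4096,deny)" user.oracle
projmod -sK "project.max-shm-ids=(priv,1024,deny)" user.oracle
projmod -sK "project.max-sem-ids=(priv,1024,deny)" user.oracle

# COPY ORACLE RMAN SCRIPTS
mkdir -p /home/scripts/oracle
cp -rp /sw/solaris/oracle_scripts/oracle/* /home/scripts/oracle/
chown -R oracle:oinstall /home/scripts/oracle/
chmod -R 775 /home/scripts/oracle/

# INSTALL TSM FPS (GSKit crypto/ssl first, then API and BA client)
tsmpkgs=/sw/solaris/TSM/TSMCLI_SOL/tsmcli/solaris
pkgadd -a /sw/solaris/pkgadd_answer_file -d "$tsmpkgs/gsk8cry64.pkg" all
pkgadd -a /sw/solaris/pkgadd_answer_file -d "$tsmpkgs/gsk8ssl64.pkg" all
mkdir -p /opt/tivoli/tsm
pkgadd -a /sw/solaris/pkgadd_answer_file -d "$tsmpkgs/TIVsmCapi.pkg" all
pkgadd -a /sw/solaris/pkgadd_answer_file -d "$tsmpkgs/TIVsmCba.pkg" all

# INSTALL TSM TDP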
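/sw/solaris/TSM/TSMORA_SOL/solaris64/TDPoracle64.bin -i silent

# MAKE TSM FPS CONFIGS
# Backup-archive client options, include/exclude list, init script and the
# dsm.sys/menus that the original placed under /usr/bin.
cp /sw/solaris/TSM/*arc* /opt/tivoli/tsm/client/ba/bin/
cp /sw/solaris/TSM/include-exclude /opt/tivoli/tsm/client/ba/bin/
cp /sw/solaris/TSM/tsm /etc/init.d/
cp -p /sw/solaris/TSM/dsm.sys /usr/bin/dsm.sys
cp -p /sw/solaris/TSM/tsmmenu* /usr/bin/
# Abort rather than create the log files in an unrelated directory.
cd /opt/tivoli/tsm/client/ba/bin/ || exit 1
for log in arcsched arcerror oraerror dsmwebcl dsmsched orasched dsmerror; do
  touch "$log.log"
done
# The ora*.log files are written by the TDP agent running as oracle.
chown oracle:oinstall ora*.log
chmod 775 *.log

# MAKE TSM TDP CONFIGS
cd /opt/tivoli/tsm/client/oracle/bin64 || exit 1
echo "SE TSM_ORA" > dsm.opt
cp /sw/tsm/tsmconf/tdpo.opt .
touch tdpoerror.log
chown oracle:oinstall tdpoerror.log
ln -s /opt/tivoli/tsm/client/ba/bin/dsm.sys dsm.sys
# Option files only need to be readable by oracle; the execute bit and
# group write of the original 775 served no purpose.
chmod 644 /opt/tivoli/tsm/client/oracle/bin64/tdpo.opt
chmod 644 /usr/bin/dsm.sys
chmod 644 /usr/bin/dsm.opt

# RC SCRIPT -- network tunables for Oracle, then start the TSM client.
cat > /etc/rc3.d/S99local <<'EOF'
#!/bin/sh
# oracle best practice for Oracle DB servers

/usr/sbin/ndd -set /dev/tcp tcp_smallest_anon_port 9000
/usr/sbin/ndd -set /dev/tcp tcp_largest_anon_port 65500
/usr/sbin/ndd -set /dev/udp udp_smallest_anon_port 9000
/usr/sbin/ndd -set /dev/udp udp_largest_anon_port 65500
/usr/sbin/ipadm set-prop -p send_buf=65536 udp
/usr/sbin/ipadm set-prop -p recv_buf=65536 udp

# tcp keepalive value for firewall disconnect issues

/usr/sbin/ndd -set /dev/tcp tcp_keepalive_interval 1200000

/etc/init.d/tsm start

EOF
chmod u+x /etc/rc3.d/S99local

# INSTALL SPLUNK (universal forwarder, run as uxsplunk)
# NOTE(review): the uxsplunk account is never created by this script; it is
# presumably provided through the AD join above -- verify before relying on
# the chown/su steps.
pkg set-publisher -p /sw/solaris/splunkforwarder-7.0.0-c8a78efdd40f-solaris-11-sparc.p5p splunk
pkg install --accept splunkforwarder
pkg unset-publisher splunk
mkdir -p /export/home/uxsplunk
chown -R uxsplunk:uxsplunk /opt/splunkforwarder
chown -R uxsplunk:uxsplunk /export/home/uxsplunk
su - uxsplunk -c "/opt/splunkforwarder/bin/splunk status --answer-yes --no-prompt --accept-license"
# admin:changeme is the forwarder's factory default and is visible in the
# process list here.  It must be replaced (the forwarder's local admin
# password / a seeded user) before the host is considered provisioned;
# leaving the default means anyone who can reach the management port can
# reconfigure the forwarder.
su - uxsplunk -c "/opt/splunkforwarder/bin/splunk set deploy-poll 1.2.2.66:8089 -auth admin:changeme"
/opt/splunkforwarder/bin/splunk enable boot-start -user uxsplunk
su - uxsplunk -c "/opt/splunkforwarder/bin/splunk start --answer-yes --no-prompt --accept-license"

# INSTALL GUARDIUM (GIM agent; reports to the collector at 1.2.3.4)
ln -s /usr/local/guardium/modules/GIM/current/GIM.pm /usr/perl5/site_perl/5.12/GIM.pm
ln -s /usr/local/guardium/modules/GIM/current/GIM.pm /usr/perl5/vendor_perl/5.12/GIM.pm
# Primary IPv4 address of net0; the installer's --tapip must not be empty
# or the following option would be consumed as its value.
ip=$(ipadm | grep "net0/v4" | awk '{print $5}' | cut -d/ -f1)
if [ -z "$ip" ]; then
  echo "could not determine net0/v4 address for --tapip" >&2
  exit 1
fi
/sw/guardium/guard-bundle-GIM-9.0.0_r85844_v90_1-sunos-5.11-solaris-sparc.gim.sh -- --dir /usr/local/guardium --tapip "$ip" --sqlguardip 1.2.3.4 -q

# MAKE OS UPDATE AND REBOOT
# The update goes into a new boot environment; the reboot is unconditional
# because the rest of the provisioning (Centrify, sshd, /etc/system) needs
# it anyway.
pkg update --accept --require-new-be
init 6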