The recommendations for securing the SC follow closely with the hardening described in the Solaris Operating Environment Security - Updated for Solaris 8 Operating Environment Sun BluePrints OnLine article.
There are several exceptions to these recommendations due to functionality that is required by the SC and due to supportability constraints.
The in.rshd, in.rlogind, and in.rexecd daemon entries listed in the /etc/inetd.conf are not disabled as the Failover Management Daemon (fomd) requires them.
In order for fomd to effectively use the daemons listed above a /.rhosts file must be present on both of the SCs. This file contains the scman1 network hostname of the other SC and will allow fomd to access the SC, as root, without requiring a password.
The Remote Procedure Call (RPC) system startup script is not disabled because RPC is used by fomd.
The Solaris Basic Security Module (BSM) is not enabled. The BSM subsystem is difficult to optimize for appropriate logging levels and its logs are difficult to interpret. This subsystem should only be enabled in those sites that have the expertise and resources to manage the generation and data reconciliation tasks required to use BSM effectively.
Solaris OE minimization is not currently supported for the SC.
The SC cannot be configured as a Network Time Protocol (NTP) client.
The creation of user accounts and their associated privileges are not discussed in this article. Adding a new user to a Sun Fire 15K requires that they be provided with privileges not only in the Solaris OE but also with SMS domain and platform privileges. The SMS Security chapter in the System Management Services (SMS) 1.1 Administrator Guide referenced in the Bibliography has detailed descriptions of how to define user access to the SMS software appropriately.