Solaris Security Toolkit Customization
By danx on Jul 29, 2005
Customizing Solaris Security Toolkit
The Solaris Security Toolkit provides a flexible way to harden a Solaris system, making it more resistant to malicious attack. The software may be installed during an unattended Solaris JumpStart install, or after Solaris is installed and booted. Solaris Security Toolkit supports Solaris 8, 9, and 10 on SPARC and x86 systems. Solaris 2.5.1, 2.6, and 7 can be used, but are not supported.
One size does not fit all. The degree of hardening depends on your site requirements. For that reason, pre-canned scripts provide various levels of hardening. The secure.driver closes all ports except for ssh. The server-secure.driver leaves frequently-used server services open. The following discusses customizing the server-secure.driver to your site-specific needs. Once customized, your systems can be hardened in an automated way using one or more configurations you established.
Usage and Customization Example
I won't go into all the details of use and customization of Solaris Security Toolkit, but I'll give enough details to get you started. I'm only covering interactive use in this example. For unattended JumpStart installs, see the Administration Guide.
- First, download the SUNWjass package, available at no cost at http://www.sun.com/software/security/jass/. You don't need the MD5 (SUNBEmd5) or fixmodes (SUNBEfixm) packages, as the functionality is incorporated in Solaris 10.
- If SUNWjass is already installed, remove it with pkgrm (back up any modified files first).
Uncompress and install the package to /opt/SUNWjass:
# uncompress SUNWjass.pkg.Z
# pkgadd -d SUNWjass.pkg
Run a driver in "apply" mode. In this example, we use server-secure.driver:
# /opt/SUNWjass/bin/jass-execute -d server-secure.driver
This takes a few minutes. Other drivers are covered in the security_drivers(7) man page and the Reference Manual.
Check the summary output for failures and errors:
[SUMMARY] Results Summary for APPLY run of server-secure.driver
[SUMMARY] The run completed with a total of 85 scripts run.
[SUMMARY] There were Failures in 0 Scripts
[SUMMARY] There were Errors in 0 Scripts
[SUMMARY] There were Warnings in 2 Scripts
[SUMMARY] There were Notes in 68 Scripts
Reboot and log in again.
You can verify that the previous run of jass-execute was correct by running it in "audit" mode:
# /opt/SUNWjass/bin/jass-execute -a server-secure.driver
This takes a few minutes and produces a summary at the end:
[SUMMARY] Results Summary for AUDIT run of server-secure.driver
[SUMMARY] The run completed with a total of 85 scripts run.
[SUMMARY] There was a Failure in 1 Script
[SUMMARY] There were Errors in 0 Scripts
[SUMMARY] There was a Warning in 1 Script
[SUMMARY] There were Notes in 20 Scripts
[SUMMARY] Failure Scripts listed in: /var/opt/SUNWjass/run/20050721092746/jass-script-failures.txt
Verify there are no failures. If any failures are found, look at the script output to see if there are any unexpected problems. In the example above, I see the failure is from set-root-home-dir.aud because I created a custom .profile script:
[FAIL] Template /root/.profile does not match target on system.
I can ignore this failure, or fix it by removing my custom .profile file, or by modifying the .profile in Solaris Security Toolkit (under /opt/SUNWjass/Files).
- Determine if any services have been disabled that you may need or if you wish to disable more services. Use tools such as netstat -an, svcs, and nmap. See the Administration Guide for a detailed approach.
In this example, we see from svcs that telnet is running, and we wish to disable it:
# svcs telnet
STATE          STIME    FMRI
online          9:06:31 svc:/network/telnet:default
To disable telnet, add the FMRI svc:/network/telnet:default to JASS_SVCS_DISABLE in /opt/SUNWjass/Drivers/user.init. Use the package-provided file user.init.SAMPLE as a template:
# cd /opt/SUNWjass/Drivers
# cp user.init.SAMPLE user.init
# cat >>user.init
JASS_SVCS_DISABLE="svc:/network/telnet:default"
export JASS_SVCS_DISABLE
^D
To enable a service that was disabled, use JASS_SVCS_ENABLE (if the service was listed in JASS_SVCS_DISABLE) or disable the appropriate finish script in /opt/SUNWjass/Finish/*.fin. For details see the Reference Manual and Administration Guide.
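As an added example (not from the original post or from the toolkit itself), the following sh script maintains JASS_SVCS_DISABLE in a user.init file idempotently, merging new FMRIs with any already listed, so the same customization can be pushed to many systems without duplicating entries. The user.init contents and the ftp FMRI used in the demo are constructed for illustration.

```shell
#!/bin/sh
# Added example: maintain JASS_SVCS_DISABLE in Drivers/user.init without
# duplicating FMRIs, so the step can be re-run safely on many systems.

# Print the current JASS_SVCS_DISABLE value from a user.init file (empty if unset).
jass_get_svcs_disable() {
    sed -n 's/^JASS_SVCS_DISABLE="\(.*\)"$/\1/p' "$1"
}

# jass_add_svcs_disable <user.init> <fmri>...
# Merge the given FMRIs into JASS_SVCS_DISABLE, keeping existing entries and
# their order and dropping duplicates. The assignment and export lines are
# rewritten at the end of the file, as in the post's cat >>user.init step.
jass_add_svcs_disable() {
    init_file=$1; shift
    merged=$(printf '%s\n' $(jass_get_svcs_disable "$init_file") "$@" |
             awk 'NF && !seen[$0]++' | tr '\n' ' ' | sed 's/ *$//')
    tmp="$init_file.$$"
    # awk exits 0 even when nothing is filtered out (grep -v would not), which
    # matters when this runs under set -e.
    awk '!/^JASS_SVCS_DISABLE=/ && !/^export JASS_SVCS_DISABLE$/' "$init_file" > "$tmp"
    printf 'JASS_SVCS_DISABLE="%s"\nexport JASS_SVCS_DISABLE\n' "$merged" >> "$tmp"
    mv "$tmp" "$init_file"
}

# Demo on a constructed user.init (a stand-in for the copy of user.init.SAMPLE).
demo=${TMPDIR:-/tmp}/user.init.demo.$$
printf '# constructed user.init\nJASS_SVCS_DISABLE="svc:/network/telnet:default"\nexport JASS_SVCS_DISABLE\n' > "$demo"
jass_add_svcs_disable "$demo" svc:/network/telnet:default svc:/network/ftp:default
jass_get_svcs_disable "$demo"   # svc:/network/telnet:default svc:/network/ftp:default
rm -f "$demo"
```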
To apply the change, run jass-execute in apply mode again and reboot:
# /opt/SUNWjass/bin/jass-execute -d server-secure.driver
If you want to re-enable a service that a previous run of jass-execute in Apply mode disabled, you need to undo that run. To do so, run this and reboot:
# /opt/SUNWjass/bin/jass-execute -u
It's a good idea to periodically run jass-execute -a (Audit mode) to verify disabled services are still disabled. If a service becomes enabled (say, because of admin error, a patch, or installing other software), run jass-execute -d (Apply mode) again to lock down the service.
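As an added example (not from the original post or from the toolkit), this sh script parses the [SUMMARY] block that jass-execute prints at the end of an Audit run, so a periodic check (from cron, say) can return non-zero and name the failure list when a hardened service has come back. The summary text is constructed from the post's audit output.

```shell
#!/bin/sh
# Added example: turn the jass-execute [SUMMARY] block into a pass/fail result.

# jass_summary_count <class>: read a jass-execute summary on stdin and print
# the script count for one result class (Failure, Error, Warning, Note).
# Both wordings are handled: "There was a Failure in 1 Script" and
# "There were Failures in 0 Scripts". Prints 0 if the class line is absent.
jass_summary_count() {
    awk -v c="$1" '
        $0 ~ ("^\\[SUMMARY\\] There (was|were) (a )?" c "s? in [0-9]+ Script") {
            sub(/.* in /, ""); n = $1 + 0
        }
        END { print n + 0 }'
}

# jass_audit_ok <summary file>: return 0 when the run had no failures and no
# errors; otherwise print the failure-list path (if jass-execute reported one)
# and return 1.
jass_audit_ok() {
    f=$1
    fails=$(jass_summary_count Failure < "$f")
    errs=$(jass_summary_count Error < "$f")
    if [ "$fails" -eq 0 ] && [ "$errs" -eq 0 ]; then
        return 0
    fi
    sed -n 's/^\[SUMMARY\] Failure Scripts listed in: //p' "$f"
    return 1
}

# Constructed sample: the shape of the post's audit run, with 1 failure.
SAMPLE_SUMMARY='[SUMMARY] Results Summary for AUDIT run of server-secure.driver
[SUMMARY] The run completed with a total of 85 scripts run.
[SUMMARY] There was a Failure in 1 Script
[SUMMARY] There were Errors in 0 Scripts
[SUMMARY] There was a Warning in 1 Script
[SUMMARY] There were Notes in 20 Scripts
[SUMMARY] Failure Scripts listed in: /var/opt/SUNWjass/run/20050721092746/jass-script-failures.txt'

sample=${TMPDIR:-/tmp}/jass-summary.demo.$$
printf '%s\n' "$SAMPLE_SUMMARY" > "$sample"
if jass_audit_ok "$sample"; then echo "audit clean"; else echo "audit needs attention"; fi
rm -f "$sample"
```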
Customizing changes for multiple systems
Sometimes you may want to apply the same customized changes you made with Solaris Security Toolkit to multiple systems, or you may want to save the changes you made off the system. To do this, you create a "customized" package, JASScustm, with the following command:
This creates the package, which may be installed in lieu of SUNWjass. Customized changes such as user.init are included in the package at /opt/SUNWjass/JASScustm.pkg.
New Solaris Security Toolkit 4.2 Features For Solaris 10
New features supported in Solaris Security Toolkit 4.2 (aka JASS) are:
- Solaris 10 support
- Flexible Crypt, password history, and strict password checking support
- Service Management Facility (SMF) aware
- Solaris Zones support
- Summary output at end of jass-execute run
- Auditing of file changes through BART (Basic Auditing and Reporting Tool)
- Root home directory changed from / to /root
- ipfilter firewall enabled
- TCP Wrappers (hosts.allow, hosts.deny)
- Continued support for Solaris 8 and 9. Solaris Security Toolkit may still be used on Solaris 2.5.1, 2.6, and 7, but support is not available.
- Solaris Security Toolkit supports SPARC (64-bit only) and x86 (32- and 64-bit).
- Full and official details of the changes are available in the "Solaris Security Toolkit 4.2 Release Notes" (see below).
Downloads and Documentation
Solaris Security Toolkit downloads and documentation are available at http://www.sun.com/software/security/jass/. The following documents are available:
- Solaris Security Toolkit 4.2 Release Notes, July 2005 (part # 819-1504-10)
- Solaris Security Toolkit 4.2 Administration Guide, July 2005 (part # 819-1402-10)
- Solaris Security Toolkit 4.2 Reference Manual, July 2005 (part # 819-1503-10)
- Solaris Security Toolkit 4.2 Man Page Guide, July 2005 (part # 819-1505-10)
- Sun BluePrints OnLine has several documents on security, including Solaris Security Toolkit, at http://www.sun.com/blueprints/browsesubject.html#security