Solaris Security Toolkit Customization

Customizing Solaris Security Toolkit

The Solaris Security Toolkit provides a flexible way to harden a Solaris system, making it more resistant to malicious attack. This software may be installed during an unattended Solaris JumpStart install, or installed after Solaris is installed and booted. Solaris Security Toolkit supports Solaris 8, 9, and 10 on SPARC and x86 systems. Solaris 2.5.1, 2.6, and 7 can be used, but are not supported.

One size does not fit all. The degree of hardening depends on your site requirements. For that reason, pre-canned scripts provide various levels of hardening. The secure.driver closes all ports except for ssh. The server-secure.driver leaves frequently-used server services open. The following discusses customizing the server-secure.driver to your site-specific needs. Once customized, your systems can be hardened in an automated way using one or more configurations you established.

Usage and Customization Example

I won't go into all the details of use and customization of Solaris Security Toolkit, but I'll give enough details to get you started. I'm only covering interactive use in this example. For unattended JumpStart installs, see the Administration Guide.

  1. First, download the SUNWjass package, available at no cost at http://www.sun.com/software/security/jass/. You don't need the MD5 (SUNBEmd5) or fixmodes (SUNBEfixm) packages, as the functionality is incorporated in Solaris 10.
  2. If SUNWjass is already installed, remove it with pkgrm (back up any modified files first).
  3. Uncompress and install the package to /opt/SUNWjass:
    # uncompress SUNWjass.pkg.Z
    # pkgadd -d SUNWjass.pkg
    
  4. Run a driver in "apply" mode. In this example, we use server-secure.driver. This takes a few minutes. Other drivers are covered in the security_drivers(7) man page and the Reference Manual.
    # /opt/SUNWjass/bin/jass-execute -d server-secure.driver
    
  5. Check the summary output for failures and errors:
    [SUMMARY] Results Summary for APPLY run of server-secure.driver
    [SUMMARY] The run completed with a total of 85 scripts run.
    [SUMMARY] There were  Failures in   0 Scripts
    [SUMMARY] There were  Errors   in   0 Scripts
    [SUMMARY] There were  Warnings in   2 Scripts
    [SUMMARY] There were  Notes    in  68 Scripts
    
  6. Reboot and login again:
    # /usr/sbin/reboot
    
  7. You can verify that the previous run of jass-execute was applied correctly by running it in "audit" mode:
    # /opt/SUNWjass/bin/jass-execute -a server-secure.driver
    
    This takes a few minutes and produces a summary at the end:
    [SUMMARY] Results Summary for AUDIT run of server-secure.driver
    [SUMMARY] The run completed with a total of 85 scripts run.
    [SUMMARY] There was a Failure  in   1 Script
    [SUMMARY] There were  Errors   in   0 Scripts
    [SUMMARY] There was a Warning  in   1 Script
    [SUMMARY] There were  Notes    in  20 Scripts
    
    [SUMMARY] Failure Scripts listed in:
            /var/opt/SUNWjass/run/20050721092746/jass-script-failures.txt
    
    Verify there are no failures. If any failures are found, look at the script output to see if there are any unexpected problems. In the example above, I see the failure is from set-root-home-dir.aud because I created a custom .profile script:
    [FAIL] Template /root/.profile does not match target on system.
    
    I can ignore the failure, or fix it by removing my custom .profile file or by modifying the .profile that Solaris Security Toolkit supplies (under /opt/SUNWjass/Files).
  8. Determine if any services have been disabled that you may need or if you wish to disable more services. Use tools such as netstat -an, svcs, and nmap. See the Administration Guide for a detailed approach.
  9. In this example, svcs shows that telnet is running, and we wish to disable it:
    # svcs telnet
    STATE          STIME    FMRI
    online          9:06:31 svc:/network/telnet:default
    
  10. To disable telnet, add the FMRI svc:/network/telnet:default to JASS_SVCS_DISABLE in /opt/SUNWjass/Drivers/user.init. Use the package-provided file user.init.SAMPLE as a template:
    # cd /opt/SUNWjass/Drivers
    # cp user.init.SAMPLE user.init
    # cat >>user.init
    JASS_SVCS_DISABLE="svc:/network/telnet:default"
    export JASS_SVCS_DISABLE
    ^D
    
    To enable a service that was disabled, use JASS_SVCS_ENABLE (if the service was listed in JASS_SVCS_DISABLE) or disable the appropriate finish script in /opt/SUNWjass/Finish/*.fin. For details see the Reference Manual and Administration Guide.
  11. To apply the change run jass-execute in apply mode again and reboot:
    # /opt/SUNWjass/bin/jass-execute -d server-secure.driver
    
    If you want a service enabled that the previous run disabled, you need to undo the previous run of jass-execute in Apply mode. To do so, run this and reboot:
    # /opt/SUNWjass/bin/jass-execute -u
    

Periodic Maintenance

It's a good idea to periodically run jass-execute -a (Audit mode) to verify disabled services are still disabled. If a service becomes enabled (say, because of admin error, a patch, or installing other software), run jass-execute -d (Apply mode) again to lock down the service.
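As an added example (not from the original post or from the toolkit itself), here is a small POSIX sh helper for a cron-driven audit: it parses the [SUMMARY] block that jass-execute -a prints, copes with the singular and plural wording seen in step 7 ("There was a Failure in 1 Script" versus "There were Failures in 0 Scripts"), pulls out the jass-script-failures.txt path, and reports whether an Apply run is needed. The first sample summary is copied from the audit output in step 7; the second is a constructed clean run.

```sh
#!/bin/sh
# Added example, not from the original post or the toolkit: parse the [SUMMARY]
# block that "jass-execute -a" prints so a cron job can tell whether an Apply
# run (-d) is needed. jass-execute says "There was a Failure in 1 Script" for
# one hit and "There were Failures in 0 Scripts" otherwise; both are handled.

# summary_count CATEGORY SUMMARY_TEXT: number of scripts reported for
# CATEGORY (Failure, Error, Warning, Note), or 0 if the category is absent.
summary_count() {
    printf '%s\n' "$2" | awk -v cat="$1" '
        /^\[SUMMARY\] There w/ && index($0, cat) {
            # the count is the field immediately before "Script"/"Scripts"
            for (i = 1; i < NF; i++)
                if ($(i + 1) ~ /^Scripts?$/) { print $i; found = 1; exit }
        }
        END { if (!found) print 0 }'
}

# summary_failure_file SUMMARY_TEXT: path of jass-script-failures.txt, if named.
summary_failure_file() {
    printf '%s\n' "$1" |
        awk '/Failure Scripts listed in:/ { getline; print $1; exit }'
}

# audit_needs_reapply SUMMARY_TEXT: exit 0 when any Failures or Errors occurred.
audit_needs_reapply() {
    [ "$(summary_count Failure "$1")" -gt 0 ] ||
        [ "$(summary_count Error "$1")" -gt 0 ]
}

# Audit output copied from step 7 of the post (one failing script).
SAMPLE_AUDIT='[SUMMARY] Results Summary for AUDIT run of server-secure.driver
[SUMMARY] The run completed with a total of 85 scripts run.
[SUMMARY] There was a Failure  in   1 Script
[SUMMARY] There were  Errors   in   0 Scripts
[SUMMARY] There was a Warning  in   1 Script
[SUMMARY] There were  Notes    in  20 Scripts

[SUMMARY] Failure Scripts listed in:
        /var/opt/SUNWjass/run/20050721092746/jass-script-failures.txt'

# Constructed summary of a clean audit run (nothing has drifted).
CLEAN_AUDIT='[SUMMARY] There were  Failures in   0 Scripts
[SUMMARY] There were  Errors   in   0 Scripts'

if audit_needs_reapply "$SAMPLE_AUDIT"; then
    echo "audit drifted; see $(summary_failure_file "$SAMPLE_AUDIT")"
    echo "re-run: /opt/SUNWjass/bin/jass-execute -d server-secure.driver"
fi
```

In production, feed the functions the captured output of `/opt/SUNWjass/bin/jass-execute -a server-secure.driver` instead of the embedded samples, and page an operator (rather than re-applying blindly) when the failure file names scripts you did not expect.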

Customizing changes for multiple systems

Sometimes you may want to apply the same customized changes you made with Solaris Security Toolkit to multiple systems, or to save your changes off the system. To do this, create a "customized" package, JASScustm, with the following command:

 # /opt/SUNWjass/bin/make-jass-pkg

This creates the package, which may be installed in lieu of SUNWjass. Customized changes such as user.init are included in the package, which is written to /opt/SUNWjass/JASScustm.pkg.

New Solaris Security Toolkit 4.2 Features For Solaris 10

New features supported in Solaris Security Toolkit 4.2 (aka JASS) are:
  • Solaris 10 support
  • Flexible Crypt, password history, and strict password checking support
  • Service Management Facility (SMF) aware
  • Solaris Zones support
  • Summary output at end of jass-execute run
  • Auditing of file changes through BART (Basic Auditing and Reporting Tool)
  • Root home directory changed from / to /root
  • ipfilter firewall enabled
  • TCP Wrappers (hosts.allow, hosts.deny)
  • Continued support for Solaris 8 and 9. Solaris Security Toolkit may still be used on Solaris 2.5.1, 2.6, and 7, but support is not available.
  • Solaris Security Toolkit supports SPARC (64-bit only) and x86 (32- and 64-bit).
  • Full and official details of changes are available at "Solaris Security Toolkit 4.2 Release Notes." (see below)

Downloads and Documentation

Solaris Security Toolkit downloads and documentation are available at http://www.sun.com/software/security/jass/. These documents are available:

  • Solaris Security Toolkit 4.2 Release Notes, July 2005 (part # 819-1504-10)
  • Solaris Security Toolkit 4.2 Administration Guide, July 2005 (part # 819-1402-10)
  • Solaris Security Toolkit 4.2 Reference Manual, July 2005 (part # 819-1503-10)
  • Solaris Security Toolkit 4.2 Man Page Guide, July 2005 (part # 819-1505-10)
  • Sun BluePrints OnLine has several documents on security, including Solaris Security Toolkit, at http://www.sun.com/blueprints/browsesubject.html#security

Comments:

Hi Dan! I have a global zone with 2 sparse root non-global zones. I will be installing SST in the global zone and then later into the non-global zones. Do I need to install it into all three zones? Do you know of any "gotchas" when installing SST in a non-global zone, or a global zone with non-global zones? Thanks for your time.

Posted by Michiel Smit on June 08, 2006 at 06:03 AM PDT #

Michiel, No you don't install in all three zones. You install once in the global zone and it installs in the non-global zone(s) automatically. You can also install in a non-global zone, but it will be only for that zone.

Posted by Dan Anderson on October 31, 2006 at 02:40 AM PST #

Procedure to Disable Firewall in Solaris 10 SPARC

Posted by shruthi bk on February 01, 2009 at 07:41 PM PST #

Shruthi,
If by "Firewall" you mean ipfilter, you can disable it as follows:

# svcadm disable svc:/network/ipfilter:default
# svcs svc:/network/ipfilter:default

ipfilter is disabled by default.

Posted by Daniel Anderson on February 02, 2009 at 02:26 AM PST #

Can you tell me how to enable the firewall?

Posted by shruthi on February 02, 2009 at 08:54 PM PST #

Is it possible to install SUNWjass in Solaris Cluster 3.3u1?

Posted by guest on September 01, 2011 at 02:24 AM PDT #

I'm not working on JASS (SST) now, as it has been released and is in maintenance mode now, but I know it works with Sun Cluster 3.1. I don't know about Solaris Cluster 3.3u1. You could ask your account representative. Sorry--that's all I know.

Posted by guest on September 01, 2011 at 05:29 AM PDT #

It's somehow ironic that the download link http://www.sun.com/software/security/jass/ is broken and that if you search on the Oracle website for SUNWJass you only get a "We did not find any search results for: SUNWJass - did you mean Sunglass?".

Posted by Alexander W. Janssen on November 30, 2011 at 07:05 PM PST #
