Friday Jul 29, 2005

JASS supports Solaris 10!

Today is the big day! The Solaris Security Toolkit version 4.2 has been released. The biggest change in this new release is its support for the Solaris 10 OS (global and local zones). You can read all about the changes in this new update in the Release Notes. With this release, you have a fully documented and supported tool for hardening the Solaris 10 OS (as well as previous releases) on SPARC, Intel and AMD platforms!

Download and try it out today!

Tuesday May 31, 2005

Automating security enforcement and audit with N1 SPS

I noticed over the weekend that Sun's N1 Service Provisioning System (SPS) was featured on The title of the feature was Accelerate Deployment from Days to Minutes. This feature reminded me that I had been wanting to talk about a proof of concept that Dave Walker, Peter Charpentier, and I did with SPS and the Solaris Security Toolkit (aka JASS). So, I guess now is as good a time as any!

For those who may not know, the Solaris Security Toolkit is an officially supported Sun product that can be used to improve the security of Solaris systems running Solaris 2.5.1 through 9 (with support for Solaris 10 on the way). The Toolkit supports SPARC, Intel and AMD platforms as well as Trusted Solaris 8. The Toolkit also supports three modes of operation: hardening (apply), undo, and audit. Lastly, the Toolkit can be used to create a security profile (based on your own security policies and standards) that can then be (re-)applied to systems. You can even use the Toolkit to assess a system against a known profile to determine its degree of compliance.

So what does this have to do with SPS? Well, for sites with tens, hundreds or even thousands of systems, keeping them secure and validating that they are all in compliance with their expected security profiles can be a daunting process. Rather than individually securing (or validating) each system, you can use SPS to do it all for you at the click of a button!

Whether you have a single security profile or many, you can still use SPS to automatically harden your systems (at installation/provisioning time) as well as later in their lifecycle (perhaps after patch or application installation) - all from a centralized management platform. Auditing is made easy as well since you can evaluate all of your systems against the same (or different) profile almost simultaneously. You can even use the SPS command line interface for this functionality so that you can pre- or post-process the output and automatically create reports from the results. Given that the Solaris Security Toolkit supports 5 levels of verbosity, you can select the one that most fits your needs.

At large sites, you may often want to select a low level of verbosity such as "level 0", which simply reports whether an entire audit run passed or failed (along with a number indicating the failure count). For example:

# ./jass-execute -a hardening.driver -V 0
hardening.driver               [FAIL] Grand Total: 6 Errors

For assessment runs that result in at least one failure, you could have SPS automatically re-run the report on that system using a higher level of verbosity to see exactly what the failures were.  For example, you could get information like this:

# env JASS_LOG_SUCCESS=0 JASS_LOG_NOTICE=0 ./jass-execute -a hardening.driver -V 2
disable-dmi                    [FAIL] Service lrc:/etc/rc3_d/S77dmi was installed.
disable-dmi                    [FAIL] Process /usr/lib/dmi/dmispd:430:root was found.
disable-dmi                    [FAIL] Process /usr/lib/dmi/dmispd:1240:root was found.
disable-dmi                    [FAIL] Process /usr/lib/dmi/dmispd:1135:root was found.
disable-dmi                    [FAIL] Process /usr/lib/dmi/snmpXdmid:433:root was found.
disable-dmi                    [FAIL] Process /usr/lib/dmi/snmpXdmid:1141:root was found.
disable-dmi                    [FAIL] Script Total: 6 Errors
hardening.driver               [FAIL] Driver Total: 6 Errors
hardening.driver               [FAIL] Grand Total: 6 Errors

This helps reduce the amount of information that an analyst would need to sift through in order to diagnose and fix problems.  In this case, the fix could be to simply ensure that the disable-dmi.fin Finish script was in the security profile of the system before running the Toolkit in hardening (apply) mode.  Further, once the fix was completed, you could use SPS to reassess the system to verify that the fix was correctly implemented (by just using the Toolkit again in audit mode).
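The two-pass triage described above, sketched as an added example (it is not from the original post, the Toolkit or SPS). The function names are hypothetical, and the parsing assumes the line layout of the two outputs quoted above; it splits on whitespace rather than fixed columns because the audit column widths are adjustable.

```shell
#!/bin/sh
# Constructed sample input: the two audit outputs quoted in the post.
LEVEL0='hardening.driver               [FAIL] Grand Total: 6 Errors'
LEVEL2='disable-dmi                    [FAIL] Service lrc:/etc/rc3_d/S77dmi was installed.
disable-dmi                    [FAIL] Process /usr/lib/dmi/dmispd:430:root was found.
disable-dmi                    [FAIL] Process /usr/lib/dmi/dmispd:1240:root was found.
disable-dmi                    [FAIL] Process /usr/lib/dmi/dmispd:1135:root was found.
disable-dmi                    [FAIL] Process /usr/lib/dmi/snmpXdmid:433:root was found.
disable-dmi                    [FAIL] Process /usr/lib/dmi/snmpXdmid:1141:root was found.
disable-dmi                    [FAIL] Script Total: 6 Errors
hardening.driver               [FAIL] Driver Total: 6 Errors
hardening.driver               [FAIL] Grand Total: 6 Errors'

# Print the failure count from the "Grand Total:" line.
# Prints -1 when the line is missing, so a truncated or failed run is never read as a pass.
grand_total() {
    printf '%s\n' "$1" | awk '
        $3 == "Grand" && $4 == "Total:" { n = $5; found = 1 }
        END { print (found ? n : -1) }'
}

# Print "check-name count" for every check with [FAIL] findings,
# skipping the Script/Driver/Grand Total summary lines.
failed_checks() {
    printf '%s\n' "$1" | awk '
        $2 == "[FAIL]" && $4 != "Total:" { c[$1]++ }
        END { for (k in c) print k, c[k] }' | sort
}

# Sum of individual findings; should equal grand_total for a complete report.
findings_total() {
    failed_checks "$1" | awk '{ s += $2 } END { print s + 0 }'
}

# True when a host needs the detailed (-V 2) re-run: any count other than 0.
needs_detail() {
    [ "$(grand_total "$1")" != "0" ]
}

# Demo on the sample data: escalate only hosts whose level-0 run did not report 0.
if needs_detail "$LEVEL0"; then failed_checks "$LEVEL2"; fi
```

Comparing `findings_total` with `grand_total` on the detailed output is a cheap integrity check that a report was not cut off in transit before it is filed.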

You can even use SPS to upgrade the Toolkit software or add, remove or modify security profiles used by the Toolkit. The number of ways you can use SPS is really bounded by your imagination. In addition to the Solaris Security Toolkit, you could use SPS to automate the installation, configuration and use of other security controls like the Basic Auditing and Reporting Toolkit (BART) found in Solaris 10.

If this is a topic of interest to you, please let me know. If we get enough replies then perhaps we will do a more detailed "how-to" article describing how all of this works and could be deployed in an actual data center environment.

Friday Nov 12, 2004

JASS & me

As many of you may know, over the last 4+ years, I have worked as the lead developer on the Solaris Security Toolkit. It has been a wild ride and a lot of fun. After supporting over 20 releases of the code however, I have decided that it is time for me to try some new things. While I am not leaving Sun, I will no longer be actively developing JASS. Instead, I will be working on a number of other new skunk-works projects that I can only hope will be as useful to our customers and as successful as JASS has been.

The Solaris Security Toolkit has come a long way from its humble beginnings as a skunk-works project. The Toolkit has grown and matured over the years and has been deployed on over 20,000 customer systems across the globe, helping to secure Solaris and Trusted Solaris on the SPARC, Intel and AMD platforms. It has been integrated into a number of Sun Client Solutions and iForce offerings as well as Sun Education courses and certification exams. In short, it has become the de facto standard for hardening the Solaris OS.

More recently, the Solaris Security Toolkit has undergone a productization effort and detailed architectural review. JASS has come a long way from just a "toolkit developed by SunPS". Today, JASS is an official project with dedicated resources for architecture, development, quality assurance, release engineering and documentation. You should start to see the fruits of this effort with the next release of the Toolkit. Alex Noordergraaf, the co-founder and lead architect of JASS, will continue to drive the project ever forward. This is all great news and will serve to make the Toolkit even better than ever.

I will continue to work with the JASS team in a consultative capacity especially on matters of architecture, Client Solutions integration and support. As many people have in the past sent me JASS related questions and RFEs directly, I would take this opportunity to ask that you forward them to so that they can be properly handled.

Lastly, I just wanted to thank all of the JASS users! Without you, the Toolkit would not be what it is today. This project has succeeded more than I could have ever dreamed. Please accept my heartfelt thanks for your enthusiasm for the project as well as your support and patience (especially for those early releases) ;-)

Take care,


Monday Jul 12, 2004

What happened to JASS?

The Solaris Security Toolkit or just JASS for short is a flexible and extensible collection of scripts that are used to enhance, maintain and audit the platform security posture of the Solaris Operating Environment.

Version 4.0.1 of the Toolkit was released quite some time ago (around February 2004), and I just wanted to provide an update for those that may be interested...

A lot of development and quality assurance work has been put into the next release of the Toolkit. This was done to include more functionality based on customer and SunPS needs as well as to help ensure that changes made by JASS were supportable. A lot of effort also went into a testing cycle that uncovered a number of bugs and inconsistencies that have since been fixed. In all, the next release of the Toolkit should be one of the best ever published.

To give you an idea of some of the changes that have been happening, I will include a few bullet points as a teaser. As always, your feedback is requested using the methods outlined on the JASS home page.

  • All of the Toolkit software has been updated to allow for localized versions of the Toolkit. At this time however only English is provided. If you are interested in a localized version of the Toolkit, please send us your feedback.
  • The Toolkit includes very preliminary support for the Solaris 10 OS. This means that JASS will run on Solaris 10 (as well as in a zone), but it is not complete nor officially supported at this time. Other Solaris 10 enhancements include support for the new Reduced Networking Meta-Cluster, support for new services added to the OS, use of MD5 fingerprints for file checksums, etc. More changes to support Solaris 10 will follow as that software continues its march to release.
  • The Toolkit includes better support for both Solaris on Intel/AMD as well as Trusted Solaris 8.
  • All of the Toolkit software includes better sanity and consistency checks. This is especially true for command line parsing and several of the JASS helper functions like add_to_manifest.
  • All Toolkit commands provide consistent return values now on exit.
  • Many of the auditing functions were enhanced to support multiple arguments allowing a single command to check multiple items.
  • nddconfig now supports loose checking of settings. It will report either an exact match, a loose match or a failure. This allows sites with stronger ndd configurations to still pass nddconfig audit checks.
  • Column widths are adjustable when using JASS in audit mode with verbosity <= 2.

... and much, much more including many other fixes and enhancements...

The Solaris Security Toolkit development team looks forward to your feedback concerning what you like, don't like or would like to see included in a future revision of the Toolkit. We hope to have a new release of JASS soon - although we cannot provide a date at this time.


This area of cyberspace is dedicated to the goal of raising cybersecurity awareness. This blog will discuss cybersecurity risks, trends, news and best practices with a focus on improving mission assurance.

