CHAPTER 6

Audit Scripts

This chapter provides reference information on using, adding, modifying, and removing audit scripts. Audit scripts provide an easy method for periodically checking the security posture of a system. Check your systems regularly to make sure that their security matches your security profile.

The standard audit scripts confirm that modifications controlled by finish scripts were made to the system, and they report any discrepancies that occurred since the hardening run. Audit scripts use the same name as their correlating finish script, except they have a different suffix. Audit scripts use the .aud suffix instead of .fin.

This chapter contains the following topics:


Customizing Audit Scripts

This section provides instructions and recommendations for customizing existing audit scripts or creating new audit scripts. In addition, guidelines are provided for using audit script functions.

Customize Standard Audit Scripts

Just as with Solaris Security Toolkit drivers and finish scripts, you can customize audit scripts.




Caution - Be careful when modifying scripts that are supplied with the Solaris Security Toolkit software. Always modify a copy of the script and not the original. Failure to do so may result in a loss of functionality during Solaris Security Toolkit software upgrade or removal.



Make as few changes as necessary to the code whenever possible and document those changes.

Use environment variables to customize an audit script. The behavior of most scripts can be significantly altered through environment variables, thereby eliminating the need to modify the script's code directly. If this is not possible, you may find it necessary to modify the function by developing a customized one for use in the user.run script. For a list of all environment variables and guidelines for defining them, see Chapter 7.




Caution - Whenever you customize the standard finish scripts or develop new ones, be sure to make the corresponding changes to related audit scripts.





Note - Consider submitting a bug report or request for enhancement if you think that the change could benefit a wider audience. The Solaris Security Toolkit development team is always looking for ways to improve the software to better support its users.




To Customize an Audit Script

Use the following steps to customize a standard audit script for your system and environment. Use these instructions so that newer versions of the original files do not overwrite your customized versions. Note that these files are not removed if you use the pkgrm command to remove the Solaris Security Toolkit software.

1. Copy the audit script and related files that you want to customize.

Refer to Chapter 6 in the Solaris Security Toolkit 4.2 Administration Guide for information about audit scripts and their related files.

2. Rename the copies with names that identify the files as custom scripts and files.

For naming guidelines, refer to "Guidelines," Chapter 1, Solaris Security Toolkit 4.2 Administration Guide.

3. Modify your custom script and files accordingly.

The finish.init file provides all audit script configuration variables. You can override the variable's default value specified in the finish.init file by adding the variable and its correct value to the user.init file. This file is heavily commented to explain each variable, its impact, and its use in audit scripts. For more information about this file and modifying its variables, see Chapter 3. If you want the change to be localized rather than to apply to all drivers, modify the driver.

When you customize audit scripts, it is critical to the accuracy of the audit functionality that both finish and audit scripts are able to access your customization. This goal is most easily and effectively achieved by modifying environment variables in the user.init script instead of modifying other init files or modifying scripts directly.

CODE EXAMPLE 6-1 shows how the install-openssh.aud script validates a correct software installation. The checks in this example confirm that the software package is installed, configured, and set up to run whenever the system reboots.


CODE EXAMPLE 6-1 Sample install-openssh.aud Script
#!/bin/sh
#
# Copyright (c) 2005 by Sun Microsystems, Inc.
# All rights reserved.
#
#ident  "@(#)install-openssh.aud        1.3     07/12/05 SMI"
#
# ***************************************************************
# Service definition section.
# ***************************************************************
#--------------------------------------------------------------
service="OpenSSH"
servfil="install-openssh.aud"
servhdr_txt="
#Rationale for Verification Check:
#This script will attempt to determine if the OpenSSH software is
#installed, configured and running on the system. Note that this
#script expects the OpenSSH software to be installed in package
#form in accordance with the install-openssh.fin Finish script.
 
#Determination of Compliance:
 
#It indicates a failure if the OpenSSH package is not installed,
#configured, or running on the system.
"
 
#--------------------------------------------------------------
 
servpkg="
   OBSDssh
"
 
#--------------------------------------------------------------
 
servsrc="
   ${JASS_ROOT_DIR}/etc/rc3.d/S25openssh.server
"
 
#--------------------------------------------------------------
 
servcfg="
   ${JASS_ROOT_DIR}/etc/sshd_config
"
 
#--------------------------------------------------------------
 
servcmd="
   /opt/OBSDssh/sbin/sshd
"
 
# ****************************************************************
# Check processing section.
# ****************************************************************
 
start_audit "${servfil}" "${service}" "${servhdr_txt}"
 
logMessage "${JASS_MSG_SOFTWARE_INSTALLED}"
 
if check_packageExists "${servpkg}" 1 LOG ; then
 pkgName="`pkgparam -R ${JASS_ROOT_DIR} ${servpkg} NAME`"
 pkgVersion="`pkgparam -R ${JASS_ROOT_DIR} ${servpkg} VERSION`"
 pkgBaseDir="`pkgparam -R ${JASS_ROOT_DIR} ${servpkg} BASEDIR`"
 pkgContact="`pkgparam -R ${JASS_ROOT_DIR} ${servpkg} EMAIL`"
 
 logNotice "Package has description '${pkgName}'"
 logNotice "Package has version '${pkgVersion}'"
 logNotice "Package has base directory '${pkgBaseDir}'"
 logNotice "Package has contact '${pkgContact}'"
 
 logMessage "\n${JASS_MSG_SOFTWARE_CONFIGURED}"
 check_startScriptExists "${servsrc}" 1 LOG
 check_serviceConfigExists "${servcfg}" 1 LOG
 
 logMessage "\n${JASS_MSG_SOFTWARE_RUNNING}"
 check_processExists "${servcmd}" 1 LOG
fi
 
finish_audit

Create New Audit Scripts

You can create new audit scripts and integrate them into your deployment of the Solaris Security Toolkit software. Because scripts are developed in Bourne shell or Perl on the Solaris 10 OS, it is relatively easy to add new functionality. For those who are less experienced in UNIX shell scripting, examine existing audit scripts that perform similar functions to gain an understanding of how to accomplish a given task and to understand the correct sequence of actions.

The same conventions for developing new finish scripts apply to developing new audit scripts. For these conventions, see Customizing Finish Scripts.



Note - Audit and finish scripts work together. Whenever you add new audit scripts, be sure to add their companion finish scripts.




Using Standard Audit Scripts

Audit scripts provide an automated way within the Solaris Security Toolkit software to validate a security posture by comparing it to a predefined security profile. Use audit scripts to validate that security modifications were made correctly, and to obtain reports on any discrepancies between a system's security posture and your security profile. For details on using audit scripts to validate system security, refer to Chapter 6 in the Solaris Security Toolkit 4.2 Administration Guide.

This section describes the standard audit scripts, which are in the Audit directory. Only the functionality performed by the audit scripts is described.

Each of the scripts in the Audit directory is organized into the following categories, which mirror those of the finish scripts in the Finish directory:

In addition to these standard audit scripts, Solaris Security Toolkit software provides product-specific audit scripts. For a list of product-specific audit scripts, see Using Product-Specific Audit Scripts.

Disable Audit Scripts

The following disable audit scripts are described in this section:

disable-ab2.aud



Note - Use this script only for systems running the Solaris OS versions 2.5.1 through 8, because the AnswerBook2 software is no longer used in Solaris OS versions 9 and 10.



This script determines if the AnswerBook2 service is installed, configured, or running on the system. It indicates a failure if the software is installed, configured to run, or running on the system.

disable-apache.aud



Note - This script checks only for the Apache Web Server that was packaged by Sun and shipped as part of Solaris OS versions 8 and 9.



This script determines if the Apache Web Server is installed, configured, or running on the system. It indicates a failure if the software is installed, configured to run, or running on the system.

disable-apache2.aud



Note - Use this script only for systems running the Solaris 10 OS.



This script determines if the Apache 2 service is installed, configured, or running on the system. It indicates a failure if the software is installed, configured to run, or running on the system.

disable-appserv.aud



Note - Use this script only for systems running the Solaris 10 OS.



This script determines if the Sun Java Application Server is installed, configured, or running on the system. The script indicates a failure if the software is installed or configured to run.

disable-asppp.aud



Note - Use this script only for systems running Solaris OS versions 2.5.1 through 8. For Solaris 9 and 10 OS, this service was replaced with the PPP service and is verified using the disable-ppp.aud script.



This script determines if the ASPPP service is installed, configured, or running on the system. It indicates a failure if the software is installed, configured to run, or running on the system.

disable-autoinst.aud

This script determines if automated installation functionality is installed or enabled on the system. It indicates a failure if the software is installed or configured to run.

disable-automount.aud



Note - If the automount service is required, then do not use this script. Because this service also relies on the RPC service, do not use the disable-rpc.aud script.



This script determines if the automount service is installed, configured, or running on the system. It indicates a failure if the software is installed, configured to run, or running on the system.

disable-dhcpd.aud



Note - Use this script only on the DHCP server included in Solaris OS versions 8 through 10.



This script determines if the DHCP service is installed, configured, or running on the system. It indicates a failure if the software is installed, configured to run, or running on the system.

disable-directory.aud



Note - This audit script checks only for the Solaris 9 or 10 OS-bundled Sun Java System Directory Server. This script does not audit either the unbundled product or the Sun Java System Directory Server software provided with other Solaris OS versions.



This script determines if the Sun Java System Directory service is installed, configured, or running on the system. It indicates a failure if the software is installed, configured to run, or running on the system.

disable-dmi.aud



Note - Use this script only for systems running Solaris OS versions 2.6 through 10.



This script determines if the DMI service is installed, configured, or running on the system. It indicates a failure if the software is installed, configured to run, or running on the system.

disable-dtlogin.aud



Note - Use this script only for systems running Solaris OS versions 2.6 through 10.



This script determines if the CDE login server, or dtlogin, is installed, configured, or running on the system. It indicates a failure if the software is installed, configured to run, or running on the system.

disable-face-log.aud



Note - Use this script only for systems running the Solaris 10 OS.



This script verifies that the /usr/oasys/tmp/TERRLOG file is present and has no write permissions for Group and Other. The script indicates a failure if the file has global write permissions by Group or Other.

disable-IIim.aud



Note - Use this script only for systems running Solaris OS versions 9 and 10.



This script determines if the IIim service is installed, configured, or running on the system. The script indicates a failure if the software is installed, configured to run, or actually running on the system.

disable-ipv6.aud



Note - Use this script only for systems running Solaris OS versions 8, 9, and 10.



This script checks for the absence of the IPv6 host name files, /etc/hostname6.*, that cause IPv6 interfaces to be plumbed. This script checks if the in.ndpd service is started. It indicates a failure if any IPv6 interfaces are configured, plumbed, or if the service is running.

disable-kdc.aud




Caution - On the Solaris 9 OS, if JASS_DISABLE_MODE is set to conf, the kdc.conf file is disabled, which removes the ability of the system to act as both a Kerberos client and a KDC server. Do not use this script in that manner if the system must act as a Kerberos client.





Note - Use this script only for systems running Solaris OS versions 9 and 10.



This script determines if the KDC service is installed, configured, or running on the system. It indicates a failure if the software is installed, configured to run, or running on the system.

disable-keyboard-abort.aud



Note - Use this script only on systems running Solaris OS versions 2.6 through 10.





Note - Some systems feature key switches with a secure position. On these systems, setting the key switch to the secure position overrides any software default set with the kbd command.



This script determines if the system is configured to ignore keyboard abort sequences. Typically, when a keyboard abort sequence is initiated, the operating system is suspended and the console enters the OpenBoot PROM monitor or debugger. This script determines if the system can be suspended in this way.

disable-keyserv-uid-nobody.aud

This script determines whether the keyserv service is configured to prevent the use of default keys for the user nobody. This script indicates a failure if the keyserv process is not running with the -d flag and the ENABLE_NOBODY_KEYS parameter is not set to NO (for Solaris OS versions 9 and 10).

disable-ldap-client.aud



Note - Use this script only on systems running Solaris OS versions 8 through 10.



This script determines if the LDAP client service is installed, configured, or running on the system. It indicates a failure if the software is installed, configured to run, or running on the system.

disable-lp.aud

This script determines if the line printer (lp) service is installed, configured, or running on the system. It indicates a failure if the software is installed, configured to run, or running on the system. This script also indicates a failure if the lp user is permitted to use the cron facility or has a crontab file installed.

disable-mipagent.aud



Note - Use this script only for Solaris OS versions 8 through 10.



This script determines if the Mobile IP service is installed, configured, or running on the system. It indicates a failure if the software is installed, configured to run, or running on the system.

disable-named.aud



Note - Disabling this service does not affect the ability of the system to act as a Domain Name System (DNS) client.



This script determines if the DNS server is installed, configured, or running on the system. This script indicates a failure if the software is installed, configured to run (through a configuration file), or actually running on the system.

This script checks only for the DNS server that was packaged by Sun Microsystems and shipped as part of the Solaris OS.

disable-nfs-client.aud




Caution - If the NFS client service is required, then do not use this script. Because this service also relies on the RPC service, do not use the disable-rpc.aud script.



This script determines if the NFS client service is configured or running on the system. It indicates a failure if the software is configured to run or is running on the system.

disable-nfs-server.aud




Caution - If the NFS service is required, then do not use this script. Because this service also relies on the RPC service, do not use the disable-rpc.aud script.



This script determines if the NFS service is configured or running on the system. It indicates a failure if the software is configured to run or is running on the system.

disable-nscd-caching.aud

This script determines if any of the passwd, group, host, or ipnodes services have a positive time-to-live or negative time-to-live value that is not set to 0. The script indicates a failure if the value is not 0.

disable-picld.aud



Note - Use this script only for systems running Solaris OS versions 8 and 9.



This script determines if the PICL service is installed, configured, or running on the system. It indicates a failure if the software is installed, configured to run, or running on the system.

disable-power-mgmt.aud



Note - Use this script only for systems running Solaris OS versions 2.6 through 10.



This script determines if the power management service is installed, configured, or running on the system. It indicates a failure if the software is installed, configured to run, or running on the system.

disable-ppp.aud



Note - This service was introduced in Solaris 8 OS (7/01) and supplements the older ASPPP service. Use this script only for systems running Solaris OS versions 8 through 10.



This script determines if the PPP service is installed, configured, or running on the system. It indicates a failure if the software is installed, configured to run, or running on the system.

disable-preserve.aud

This script determines if the preserve functionality is enabled. If enabled, a failure is indicated.

disable-remote-root-login.aud



Note - Other mechanisms to access systems, such as the use of Solaris Secure Shell, that do not use /bin/login might still provide direct root access, even if the system passes this test.



This script determines, and indicates a failure, if a root user is permitted to directly log in to or execute commands on a system remotely through programs using /bin/login, such as telnet.

disable-rhosts.aud



Note - Use this script only for systems running Solaris OS versions 2.6 through 10.



This script determines if the rhosts and hosts.equiv functionality is enabled through PAM configuration in /etc/pam.conf. The script indicates a failure if this functionality is enabled using the pam_rhosts_auth.so.1 module in the /etc/pam.conf file.

disable-routing.aud



Note - Use this script only for systems running Solaris OS versions 2.5.1 through 10.



This script determines if routing, or packet forwarding, of network packets from one network to another is disabled.

disable-rpc.aud




Caution - The RPC port mapper function should not be disabled if any of the following services are used on the system: automount, NFS, NIS, NIS+, CDE, and volume management (Solaris 9 and 10 OS only).



This script determines if the RPC service is installed, configured, or running on the system. It indicates a failure if the software is installed, configured to run, or running on the system. In addition, this script indicates a failure for each service registered with the rpcbind port mapper.

disable-samba.aud



Note - Use this script only for systems running Solaris OS versions 9 and 10.



This script determines if the Samba service is installed, configured, or running on the system. It indicates a failure if the software is installed, configured to run, or running on the system. Only Samba services included in the Solaris OS distribution are verified as being disabled. This script does not impact other Samba distributions installed on the system.

disable-sendmail.aud



Note - The Solaris Security Toolkit software modifications verify only that a Solaris OS system is not configured to receive email. Outgoing email is still processed normally.



By default, the sendmail service is configured to both forward local mail and to receive incoming mail from remote sources. If a system is not intended to be a mail server, then the sendmail service can be configured not to accept incoming messages. This script checks that the sendmail service is configured not to accept incoming messages.

This check is performed in a variety of ways depending on the version of the Solaris OS used.

This script indicates a failure if the sendmail service is not disabled in accordance with the checks specific to the Solaris OS version.

disable-slp.aud



Note - Use this script only for systems running Solaris OS versions 8, 9, and 10.



This script determines if the SLP service is installed, configured, or running on the system. It indicates a failure if the software is installed, configured to run, or running on the system.

disable-sma.aud



Note - Use this script only for systems running the Solaris 10 OS.



This script determines if the SMA service is installed, configured, or running on the system. This script indicates a failure if the software is installed, configured to run, or actually running on the system.

disable-snmp.aud



Note - This script checks only the SNMP agent provided in Solaris OS versions 2.6 through 10.



This script determines if the SNMP service is installed, configured, or running on the system. It indicates a failure if the software is installed, configured to run, or running on the system. This script does not verify whether third-party SNMP agents are functioning on the system.

disable-spc.aud



Note - Use this script only for systems running Solaris OS versions 2.6 through 10.



This script determines if the SPC service is installed, configured, or running on the system. It indicates a failure if the software is installed, configured to run, or running on the system.

disable-ssh-root-login.aud



Note - Use this script only for systems running the Solaris 9 or 10 OS with the Solaris Secure Shell packages installed and enabled.



This script indicates a failure if the Solaris Secure Shell service distributed in the Solaris OS versions 9 and 10 does not restrict access to the root account.

disable-syslogd-listen.aud



Note - Do not use this script on a SYSLOG server, because a SYSLOG server's function is to accept remotely generated SYSLOG log messages. Use this script only for systems running the Solaris OS versions 8 through 10.



The script sets options to disallow the remote logging functionality of the syslogd process. This script determines if the SYSLOG service is configured to accept remote log connections. The script indicates a failure if the syslogd process is not running with the -t flag (Solaris 8 OS) and the LOG_FROM_REMOTE parameter is not set to NO (Solaris OS versions 9 and 10).

disable-system-accounts.aud

For each account name listed in the JASS_ACCT_DISABLE environment variable, this script indicates a failure for each account that is not configured to use the shell defined by the JASS_SHELL_DISABLE variable. This script also indicates a failure if the shell program listed in the JASS_SHELL_DISABLE variable does not exist on the system.



Note - This script only checks accounts that are listed in the /etc/passwd file. It does not check for accounts listed in any other naming service (NIS, NIS+, or LDAP).



disable-uucp.aud

This script determines if the UUCP service is installed, configured, or running on the system. It indicates a failure if the software is installed, configured to run, or running on the system. This script also indicates a failure if the nuucp user exists (Solaris 9 OS and earlier), or is not locked (Solaris 10), if in.uucpd exists in /etc/inetd.conf, or if a uucp crontab file is installed.

disable-vold.aud



Note - Do not use this script if the system needs automatic mounting and unmounting of removable media, such as diskettes and CD-ROMs.



This script determines if the VOLD service is installed, configured, or running on the system. It indicates a failure if the software is installed, configured to run, or is running on the system.

disable-wbem.aud



Note - If the WBEM service is required, then do not use this script. Because this service also relies on the RPC service, do not use the disable-rpc.aud script. Do not use this script if you use the Solaris Management Console. Use this script only for systems running Solaris OS versions 8 through 10.



This script determines if the WBEM service is installed, configured, or running on the system. It indicates a failure if the software is installed, configured to run, or running on the system.

disable-xfs.aud



Note - Use this script only for systems running the Solaris 10 OS.



This script determines if the xfs service is installed, enabled, or running on the system. This script indicates a failure if the software is enabled to run or actually running on the system.

disable-xserver.listen.aud



Note - Use this script only for systems running Solaris OS versions 9 and 10.



This script indicates a failure if the X11 server is configured to accept client connections using the TCP transport. In addition, it indicates a failure if the X11 server is running in a configuration that permits use of the TCP transport.

Enable Audit Scripts

The following enable audit scripts are described in this section:

enable-account-lockout.aud



Note - Use this script only for systems running the Solaris 10 OS.



This script verifies that the value of LOCK_AFTER_RETRIES is defined correctly in the /etc/security/policy.conf file. In addition, this script checks to ensure that no users have a different value than LOCK_AFTER_RETRIES specified in /etc/user_attr.
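As an added illustration, not code from the Solaris Security Toolkit, the two checks described above are re-implemented here as stand-alone Bourne shell functions that run against copies of policy.conf and user_attr given as arguments. The function names and the sample file contents are constructed for this example; it assumes the Solaris user_attr layout of five colon-separated fields with key=value pairs joined by semicolons in the last field.

```shell
#!/bin/sh
# Stand-alone re-implementation (not the Toolkit's own code) of the checks that
# enable-account-lockout.aud performs, written as an added example.
# Assumptions: policy.conf holds KEY=VALUE lines; user_attr has the Solaris
# layout user:qualifier:res1:res2:attr where attr is key=value;key=value.

# Print the effective LOCK_AFTER_RETRIES value from a policy.conf file.
# Comment lines are ignored; if the key appears more than once, the last wins.
policy_lock_value() {
    sed -n 's/^[[:space:]]*LOCK_AFTER_RETRIES[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$1" |
        tail -n 1
}

# Print "user:value" for every account in a user_attr file whose
# lock_after_retries attribute differs from the expected value ($2).
# Accounts without the attribute inherit the policy and are not reported.
user_attr_deviations() {
    expected=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -F: -v want="$expected" '
        /^[[:space:]]*#/ || NF < 5 { next }
        {
            n = split($5, kv, ";")
            for (i = 1; i <= n; i++) {
                if (kv[i] ~ /^lock_after_retries=/) {
                    v = tolower(substr(kv[i], 20))   # skip "lock_after_retries="
                    if (v != want) print $1 ":" v
                }
            }
        }' "$1"
}

# Run both checks, print audit-style PASS/FAIL lines and return the number of
# failures, following the Toolkit convention that non-zero means the check failed.
audit_account_lockout() {
    policy="$1"; uattr="$2"; failures=0
    value=$(policy_lock_value "$policy")
    case "$(printf '%s' "$value" | tr 'a-z' 'A-Z')" in
        YES) echo "[PASS] LOCK_AFTER_RETRIES=YES in $policy" ;;
        *)   echo "[FAIL] LOCK_AFTER_RETRIES is '${value:-unset}' in $policy"
             failures=$((failures + 1)) ;;
    esac
    # Any per-user override of the system-wide policy counts as a failure.
    for dev in $(user_attr_deviations "$uattr" "${value:-NO}"); do
        echo "[FAIL] $dev overrides LOCK_AFTER_RETRIES in $uattr"
        failures=$((failures + 1))
    done
    return $failures
}

# Constructed sample files (not real system files) so the example runs offline.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/policy.conf" <<'EOF'
# constructed policy.conf sample
#LOCK_AFTER_RETRIES=NO
LOCK_AFTER_RETRIES=YES
CRYPT_DEFAULT=5
EOF
cat > "$tmp/user_attr" <<'EOF'
# constructed user_attr sample: root and oper override the policy
root::::auths=solaris.*,solaris.grant;profiles=All;lock_after_retries=no
oper::::profiles=Operator;lock_after_retries=no
svcuser::::profiles=Basic Solaris User;lock_after_retries=yes
jdoe::::profiles=Basic Solaris User
EOF
cat > "$tmp/user_attr.clean" <<'EOF'
# constructed user_attr sample with no overrides
root::::auths=solaris.*,solaris.grant;profiles=All
jdoe::::profiles=Basic Solaris User
EOF

# Stand-alone run: expect two failures for the first sample, none for the second.
audit_account_lockout "$tmp/policy.conf" "$tmp/user_attr" || echo "failures: $?"
audit_account_lockout "$tmp/policy.conf" "$tmp/user_attr.clean" || echo "failures: $?"
```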

enable-bart.aud



Note - Use this script only for systems running the Solaris 10 OS.



This script verifies that BART has been run and compares BART rules and manifests files.

The script determines if a BART rules file is present, and if so, determines if its configuration is consistent with the driver being run and its BART rules file. If the BART rules file configuration is not consistent with the driver being run and its BART rules file, the script copies a rules file from $JASS_FILES/var/opt/SUNWjass/bart/rules. This script also creates a new manifest in /var/opt/SUNWjass/BART/manifests named JASS_TIMESTAMP.txt; for example, 20050711152248.txt.

The script also reports any differences between the new and most recent manifest files, generates audit messages containing the names of the BART manifests used, and suggests that the user check against earlier manifest files or the FingerPrint Database for any issues found.



Note - Errors reported by the enable-bart.aud script are not necessarily cause for alarm. Errors are reported whenever changes are found in the directories the script checks, such as added, deleted, or modified files, or file permissions. However, the output produced by the enable-bart.aud script does need to be reviewed for any potential problems.



enable-bsm.aud



Note - Use this script only for systems running Solaris OS versions 8 through 10.



This script determines if the SunSHIELD Solaris Basic Security Module (Solaris BSM) auditing functionality is enabled and running on the system, if the service is loaded in the /etc/system file, and if the audit_warn alias is defined in /etc/mail/aliases. If one or more of these checks fail, then the script indicates a failure.

enable-coreadm.aud



Note - Use this script only for systems running Solaris OS versions 7 through 10.



This script verifies that the system stores generated core files under the directory specified by JASS_CORE_DIR. It indicates a failure if the coreadm functionality present in the Solaris OS versions 7 through 10 is not configured. An error condition also is generated if core files are not tagged with the specification denoted by JASS_CORE_PATTERN.

enable-ftp-syslog.aud

This script determines if the FTP service is not configured to log session and connection information. A failure is indicated if the FTP service logging is not enabled.

enable-ftpaccess.aud



Note - Use this script only for systems running Solaris OS versions 9 and 10.



This script determines if the FTP service is configured to use the /etc/ftpd/ftpaccess file. A failure is indicated if FTP is not configured properly.

enable-inetd-syslog.aud

This script determines if the Internet services daemon (inetd) service is configured to log session and connection information:

enable-ipfilter.aud



Note - Use this script only for systems running the Solaris 10 OS.



This script reviews the ipfilter configuration of all available network interfaces and verifies that the correct IP Filter rule set is installed. The script does the following:

enable-password-history.aud



Note - Use this script only for systems running the Solaris 10 OS.



This script verifies the correct configuration of password history on the system. The script checks the /etc/default/passwd file to determine if a HISTORY value is specified:

enable-priv-nfs-ports.aud

This script determines if the NFS service is configured to accept only client communication that originates from a port in the privileged range below 1024. A failure is indicated if the NFS service is not configured properly.

enable-process-accounting.aud

This script determines if the process accounting software is installed, enabled, or running on the system. A failure is indicated if this is not true.

enable-rfc1948.aud



Note - Use this script only on systems running Solaris OS versions 2.6 through 10.



This script determines if the system is configured to use RFC 1948 for its TCP sequence number generation. This script checks both the stored configuration and the actual runtime setting. A failure is displayed if the system is not configured to use RFC 1948-compliant TCP sequence number generation.

enable-stack-protection.aud



Note - Use this script only on systems running Solaris OS versions 2.6 through 10.



This script determines if the noexec_user_stack and noexec_user_stack_log options are set in the /etc/system file to enable stack protections and exception logging. If these options are not enabled, a failure is reported.

enable-tcpwrappers.aud



Note - Use this script only on systems running Solaris OS versions 9 and 10 using the bundled TCP wrapper packages.



This script determines if TCP wrappers are not installed or configured using the hosts.allow|deny templates included with the Solaris Security Toolkit software or enabled by using the ENABLE_TCPWRAPPERS variable. A failure is reported if the system is not using TCP wrappers.

For Solaris 10 OS only:

In addition, this script:

Install Audit Scripts

The following install audit scripts are described in this section:

install-at-allow.aud

This script determines if a user name is listed in the JASS_AT_ALLOW variable and does not exist in the /etc/cron.d/at.allow file. The list of user names defined by JASS_AT_ALLOW is empty by default. To pass this check, each user name must exist in both the /etc/passwd file and the /etc/cron.d/at.allow file. Furthermore, a user name should not be in the /etc/cron.d/at.deny file. A failure is displayed if a user name is not listed in both files.

install-fix-modes.aud



Note - Use this script only on systems running Solaris OS versions 2.5.1 through 9.



This script determines if the Fix Modes program was installed and run on the system. It indicates a failure if the software is not installed or has not been run. Further, this script uses Fix Modes in debug mode to determine if any additional file system objects should be adjusted.

install-ftpusers.aud

This script determines if a user name listed in the JASS_FTPUSERS parameter does not exist in the ftpusers file.

install-jass.aud

This script determines if the Solaris Security Toolkit (SUNWjass) package is installed on the system. A failure is reported if this package is not installed.

install-loginlog.aud

This script checks for the existence, proper ownership, and permissions for the /var/adm/loginlog file. It indicates a failure if the file does not exist, has invalid permissions, or is not owned by the root account.

install-md5.aud

This script determines if the MD5 software is installed on the system. A failure is reported if the software is not installed.

install-nddconfig.aud

This script determines if the nddconfig run-control script files identified in the Sun BluePrints OnLine article titled "Solaris Operating Environment Network Settings for Security," and included with the Solaris Security Toolkit, have been copied to, and their settings made active on, the target system.

The script performs the following checks per object:

1. Tests to ensure that the source and target file types (regular file, symbolic link, or directory) match

2. Tests to ensure that the source and target file type contents are the same

This script also verifies that the settings defined by the nddconfig script are actually in place on the running system. This script uses its own copy of the nddconfig script in the Solaris Security Toolkit to provide more accurate reporting of results, especially in cases where the script name has changed or where other scripts are used to implement the same effects.

This script gives a failure when any of the checks described above are found to be false.

install-newaliases.aud



Note - Use this script only on systems running Solaris OS versions 2.5.1 through 8.



This script checks for the existence of the /usr/bin/newaliases program. It indicates a failure if this file does not exist or is not a symbolic link.

install-openssh.aud



Note - Use this script only for systems running Solaris OS versions 2.5.1 through 8. Solaris 9 and 10 OS includes a version of the Secure Shell software; therefore, do not use this script if you install Solaris 9 and 10 OS.



This script determines if the OpenSSH package specified by the script is installed and configured. A failure is reported if the package is not installed.

install-recommended-patches.aud

This script determines if the patches listed in the Recommended and Security Patch Cluster file are installed on the system. The patch information is collected from JASS_HOME_DIR/Patches directory, based on the Solaris OS version of the system being tested. A failure is displayed if one or more of these patches are not installed.

Note that this script indicates success if the version of the patch installed is equal to or greater than the version listed in the patch order file.

install-sadmind-options.aud



Note - Use this script only for systems running Solaris OS versions 2.5.1 through 9.



This script determines if the sadmind service exists in the /etc/inet/inetd.conf file. If it does, this script checks to ensure that options are set to those defined by the JASS_SADMIND_OPTIONS variable. The default setting is -S 2.

install-security-mode.aud

This script checks the status of the EEPROM security mode. It displays a warning if the mode is not command or full. In addition, this script checks the PROM failed login counter and displays a warning if it is not zero.



Note - Because the install-security-mode.fin script cannot change the security mode of the system, this script only indicates a warning for noncompliance rather than reporting a failure.



install-shells.aud

This script determines if any shell defined by the JASS_SHELLS parameter is not listed in the shells file. TABLE 6-1 lists the shells defined by JASS_SHELLS.


TABLE 6-1 List of Shells Defined by JASS_SHELLS

/usr/bin/sh     /usr/bin/csh    /usr/bin/ksh    /usr/bin/jsh
/bin/sh         /bin/csh        /bin/ksh        /bin/jsh
/sbin/sh        /sbin/jsh       /bin/bash       /bin/pfcsh
/bin/pfksh      /bin/pfsh       /bin/tcsh       /bin/zsh
/usr/bin/bash   /usr/bin/pfcsh  /usr/bin/pfksh  /usr/bin/pfsh
/usr/bin/tcsh   /usr/bin/zsh


A failure is displayed if any shells listed in JASS_SHELLS are not also listed in the shells file.

install-strong-permissions.aud



Note - Do not use this script for systems running the Solaris 10 OS.



This script determines if any of the modifications recommended by the install-strong-permissions.fin script were not implemented. A failure is displayed if any of these modifications were not made.

This script is not used for the Solaris 10 OS, because the Solaris 10 OS has incorporated many permission and ownership changes. This script is not undoable, and the resulting support impact is no longer worth the security improvement given the changes to the Solaris 10 OS.

install-sulog.aud

This script checks for the proper ownership and permissions of the /var/adm/sulog file. The script indicates a failure if the file does not exist, has invalid permissions, or is not owned by the root account.
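The existence, ownership and permission checks described for install-loginlog.aud and install-sulog.aud, written out as an added Bourne shell example. This is not the Solaris Security Toolkit's own code: it takes the file path, expected owner and expected mode as parameters, and the mode 600 used below is an assumption for illustration (the descriptions above say only "invalid permissions"). On a real system the expected owner is root; the demonstration runs against a temporary file owned by the current user so that it can be executed anywhere.

```shell
#!/bin/sh
# Added example (not Toolkit code): the checks install-loginlog.aud and
# install-sulog.aud are described as performing, parameterized on path, owner and mode.

# perm_to_octal PERMSTRING: convert an ls(1) permission string such as -rw-r-----
# to a three-digit octal mode. Set-uid, set-gid and sticky bits are folded into
# the execute digit; only the basic rwx bits are compared here.
perm_to_octal() {
    p=$1
    oct=""
    for i in 2 5 8; do
        r=$(printf '%s' "$p" | cut -c"$i")
        w=$(printf '%s' "$p" | cut -c"$((i + 1))")
        x=$(printf '%s' "$p" | cut -c"$((i + 2))")
        d=0
        case $r in r) d=$((d + 4)) ;; esac
        case $w in w) d=$((d + 2)) ;; esac
        case $x in x|s|t) d=$((d + 1)) ;; esac
        oct="$oct$d"
    done
    printf '%s\n' "$oct"
}

# check_log_file PATH OWNER MODE
# Prints one line per discrepancy; returns 1 if any check fails, 0 if all pass.
check_log_file() {
    file=$1 want_owner=$2 want_mode=$3
    rc=0
    if [ ! -e "$file" ]; then
        echo "FAIL: $file does not exist"
        return 1
    fi
    if [ ! -f "$file" ]; then
        echo "FAIL: $file is not a regular file"
        rc=1
    fi
    # ls -ld fields: perms links owner group size date name
    set -- $(ls -ld "$file")
    perms=$1 owner=$3
    if [ "$owner" != "$want_owner" ]; then
        echo "FAIL: $file is owned by $owner, expected $want_owner"
        rc=1
    fi
    mode=$(perm_to_octal "$perms")
    if [ "$mode" != "$want_mode" ]; then
        echo "FAIL: $file has mode $mode, expected $want_mode"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "PASS: $file is a regular file, owner $owner, mode $mode"
    return "$rc"
}

# Constructed demonstration: a temporary file stands in for /var/adm/sulog.
# The expected owner is the current user here; on a real system it would be root.
demo=$(mktemp)
chmod 600 "$demo"
check_log_file "$demo" "$(id -un)" 600
chmod 644 "$demo"
check_log_file "$demo" "$(id -un)" 600 || echo "(discrepancy detected, as expected)"
rm -f "$demo"
```

Parsing `ls -ld` rather than `stat` keeps the check portable across the Solaris releases the scripts cover; the function reports every discrepancy it finds rather than stopping at the first, which is the behaviour a periodic audit wants.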

install-templates.aud

This script determines if the files defined by the JASS_FILES variable were successfully copied to the target system. It indicates a failure if either of the two following checks fail: a test to ensure that the source and target file types match (regular file, symbolic link, or directory) and a test to ensure that their contents are the same.

Print Audit Scripts

The following print audit scripts are described in this section:

These scripts perform the same functions as the print finish scripts, except that they are customized for audit use.

print-jass-environment.aud



Note - Do not use this script for systems running the Solaris 10 OS.



This script displays the variables and their content used by the Solaris Security Toolkit. It does not perform any validation or other checks on the content.

print-jumpstart-environment.aud

This script is for JumpStart mode only. It is used to print out JumpStart environment variable settings. This script does not perform any audit checks.

print-rhosts.aud



Note - The print-rhosts.aud script needs to be enabled manually if the extra processing time the script requires is acceptable.



This script displays a notice for any files found with the name of .rhosts or hosts.equiv. Further, this script displays the contents of those files for further inspection.

print-sgid-files.aud

This script displays a notice for any files that have the set-gid bit set, and it provides a full (long) listing for further review.

print-suid-files.aud

This script displays a notice for any files that have the set-uid bit set, and it provides a full (long) listing for further review.

print-unowned-objects.aud

This script displays a notice for any files that are not assigned to a valid user and group, and it provides a full (long) listing for further review.

print-world-writable-objects.aud

This script displays a notice for any matching files that are world-writable, and it provides a full (long) listing for further review.

Remove Audit Script

The following remove audit script is described in this section:

remove-unneeded-accounts.aud



Note - Use this script only for systems running Solaris OS versions 2.5.1 through 9.



The remove-unneeded-accounts.aud script validates that unused Solaris OS accounts, defined by the JASS_ACCT_REMOVE variable, were removed from the system.

Set Audit Scripts

The following set audit scripts are described in this section:

set-banner-dtlogin.aud



Note - Use this script only for systems running Solaris OS versions 2.6 through 10.



This script verifies that a service banner for the CDE or dtlogin service is defined. This script verifies that the system displays the contents of /etc/motd by listing it in the file template JASS_ROOT_DIR/etc/dt/config/Xsession.d/0050.warning.

set-banner-ftpd.aud



Note - Use this script only for systems running Solaris OS versions 2.6 through 10.



This script checks that the FTP service banner matches the value defined by the JASS_BANNER_FTPD variable. It indicates a failure if the service banner does not match. The value of the variable is Authorized Use Only.

set-banner-sendmail.aud



Note - Use this script only for systems running Solaris OS versions 9 and 10.



This script verifies that the sendmail service is configured to display the service banner as defined by the JASS_BANNER_SENDMAIL environment variable. This banner is displayed to all clients connecting to the sendmail service over the network.

set-banner-sshd.aud



Note - Use this script only for systems running Solaris OS versions 9 and 10.



This script verifies that the Secure Shell service banner is displayed by ensuring that the Secure Shell service displays the contents of /etc/issue to the user prior to authenticating access to the system.

set-banner-telnet.aud



Note - Use this script only for systems running Solaris OS versions 2.6 through 10.



This script checks that the Telnet service banner matches the value defined by the JASS_BANNER_TELNETD variable. It indicates a failure if the service banner does not match. The value of the variable is Authorized Use Only.

set-flexible-crypt.aud



Note - Use this script only for systems running the Solaris 10 OS.



This script verifies the use of strong passwords by checking that the changes described in "Invalid Cross-Reference Format" for each of the Solaris Security Toolkit drivers have been made correctly.

If Perl is installed on the system during an audit by this script, the Solaris Security Toolkit 4.2 software attempts to use it. If Perl is not on the system, the script issues an error.

set-ftpd-umask.aud



Note - Use this script only for systems running Solaris OS versions 2.6 through 10.



This script checks that the FTP service's file creation mask matches the value defined by the JASS_FTPD_UMASK variable. It indicates a failure if the file creation mask value does not match. The value of the variable is 022.

set-login-retries.aud

This script determines if the login RETRIES parameter is assigned the value defined by the JASS_LOGIN_RETRIES variable. The variable default is set to 3. A failure is displayed if the RETRIES parameter does not match the value of the variable.

set-power-restrictions.aud



Note - Use this script only for systems running Solaris OS versions 2.6 through 10.



This script checks the /etc/default/power file and indicates a failure if the PMCHANGEPERM and CPRCHANGEPERM parameters do not have a hyphen "-" as their values.

set-rmmount-nosuid.aud



Note - Use this script only for systems running Solaris OS versions 2.6 through 10. Solaris OS versions 8 through 10 are configured to mount removable media with the nosuid option by default. This script performs the necessary checks regardless of the default settings.



This script determines if the /etc/rmmount.conf file restricts the mounting of a removable Unix File System (UFS) or a High Sierra File System (HSFS) by enforcing the nosuid parameter. A failure is displayed if this restriction is not defined in the /etc/rmmount.conf file.

set-root-group.aud

This script determines if the root account's primary group is set to the value defined by the JASS_ROOT_GROUP variable. A failure is displayed if it is not defined properly.

set-root-home-dir.aud



Note - Use this script only for systems running the Solaris 10 OS.



This script checks to see if the root account has a home directory of / in the /etc/passwd file:

set-root-password.aud

This script checks the password of the root account. It indicates a failure if the value is the same as that of the JASS_ROOT_PASSWORD variable. This check is done to encourage users to change the root password from the value defined by JASS_ROOT_PASSWORD as soon as possible.

set-strict-password-checks.aud



Note - Use this script only for systems running the Solaris 10 OS.



This script verifies that the correct values for the various password checks are defined correctly in the /etc/default/passwd file.

set-sys-suspend-restrictions.aud



Note - Use this script only for systems running Solaris OS versions 2.6 through 10.



This script checks the /etc/default/sys-suspend file. It indicates a failure if the PERMS parameter does not have a hyphen "-" as its value.
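The configuration-file checks described for enable-stack-protection.aud (the noexec_user_stack and noexec_user_stack_log options in /etc/system) and for set-login-retries.aud, set-power-restrictions.aud and set-sys-suspend-restrictions.aud (parameters in /etc/default files), as one added Bourne shell example. This is not the Solaris Security Toolkit's own code. It assumes the two file formats as they exist on Solaris (`set name=value` lines with `*` comments in /etc/system; `NAME=value` lines with `#` comments in /etc/default files) and takes the file path as a parameter, so it runs here against constructed fragments rather than the live files.

```shell
#!/bin/sh
# Added example (not Toolkit code): configuration-value checks in the style of
# enable-stack-protection.aud, set-login-retries.aud, set-power-restrictions.aud
# and set-sys-suspend-restrictions.aud, run against constructed file fragments.

# system_option FILE NAME: print the value assigned by "set NAME=VALUE" in an
# /etc/system-style file. Lines beginning with '*' are comments; whitespace around
# '=' is tolerated. Prints nothing and returns 1 when NAME is not set.
system_option() {
    awk -v name="$2" '
        /^[ \t]*\*/ { next }
        $1 == "set" {
            line = $0
            sub(/^[ \t]*set[ \t]+/, "", line)
            gsub(/[ \t]/, "", line)
            n = index(line, "=")
            if (n > 0 && substr(line, 1, n - 1) == name) {
                print substr(line, n + 1)
                found = 1
            }
        }
        END { if (found) exit 0; exit 1 }
    ' "$1"
}

# check_stack_protection FILE: both options must be present and set to 1.
check_stack_protection() {
    rc=0
    for opt in noexec_user_stack noexec_user_stack_log; do
        val=$(system_option "$1" "$opt" || true)
        if [ "$val" = 1 ]; then
            echo "PASS: $opt=1 in $1"
        else
            echo "FAIL: $opt is ${val:-not set} in $1"
            rc=1
        fi
    done
    return "$rc"
}

# default_param FILE NAME: print the value of every active NAME=VALUE line in an
# /etc/default-style file, one per line. Commented-out lines such as "#RETRIES=3"
# are skipped, so a commented-out setting cannot satisfy the check.
default_param() {
    awk -F= -v name="$2" '
        /^[ \t]*#/ { next }
        {
            k = $1; gsub(/[ \t]/, "", k)
            if (k != name) next
            v = $2; sub(/[ \t]+$/, "", v)
            print v
        }
    ' "$1"
}

# check_default FILE NAME WANT: pass only if NAME is assigned and every active
# assignment equals WANT, so a later conflicting line also fails the check.
check_default() {
    file=$1 name=$2 want=$3
    n=$(default_param "$file" "$name" | wc -l | tr -d ' ')
    bad=$(default_param "$file" "$name" | awk -v want="$want" '$0 != want' | wc -l | tr -d ' ')
    if [ "$n" -eq 0 ]; then
        echo "FAIL: $name is not set in $file"
        return 1
    elif [ "$bad" -ne 0 ]; then
        echo "FAIL: $name in $file is not set to $want"
        return 1
    fi
    echo "PASS: $name=$want in $file"
}

# Constructed fragments standing in for /etc/system, /etc/default/login and
# /etc/default/power; the power fragment leaves CPRCHANGEPERM unhardened on purpose.
tmp=$(mktemp -d)
cat > "$tmp/system" <<'EOF'
* constructed /etc/system fragment
set noexec_user_stack=1
set noexec_user_stack_log = 1
EOF
cat > "$tmp/login" <<'EOF'
# constructed /etc/default/login fragment
#RETRIES=5
RETRIES=3
EOF
cat > "$tmp/power" <<'EOF'
# constructed /etc/default/power fragment
PMCHANGEPERM=-
CPRCHANGEPERM=console
EOF
check_stack_protection "$tmp/system"
check_default "$tmp/login" RETRIES 3
check_default "$tmp/power" PMCHANGEPERM -
check_default "$tmp/power" CPRCHANGEPERM - || echo "(discrepancy detected, as expected)"
rm -rf "$tmp"
```

The same `check_default` call covers the PERMS parameter in /etc/default/sys-suspend; only the file and parameter name change. The enable-rfc1948.aud description above notes that the stored setting is checked alongside the runtime one; this example covers only the stored side, since the runtime query is Solaris-specific.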

set-system-umask.aud

This script determines if the system's default file creation mask is set to the value defined by the JASS_UMASK variable. The default value is set to 022. A failure is displayed if the variable is not properly defined.

set-term-type.aud

This script determines if the /etc/profile and the /etc/login files set the default terminal type to vt100. A failure is displayed if the default terminal type is not defined properly. This script is provided as a convenience only, and a failure does not impact the security of a system.

set-tmpfs-limit.aud



Note - The set-tmpfs-limit.aud script does not run under Solaris 2.5.1 OS, where this functionality is unsupported.



This script determines if any tmpfs file systems are defined in the /etc/vfstab file without their size being limited to the JASS_TMPFS_SIZE variable, which is set to a default of 512 megabytes. A failure is reported if the tmpfs file system size does not comply with the JASS_TMPFS_SIZE value.

set-user-password-reqs.aud

This script reviews the password policy settings on the system as defined previously. It indicates an error if the values do not match the following default values defined by the Solaris Security Toolkit:

The default values are contained in the following environment variables:

set-user-umask.aud

This script determines if any of the following files do not set the umask parameter to the value defined by the JASS_UMASK variable, whose default value is set to 022.

A failure is displayed if these files do not set the umask parameter appropriately.

Update Audit Scripts

The following update audit scripts are described in this section:

update-at-deny.aud

This script determines if a user account is listed in the JASS_AT_DENY variable and is not listed in the /etc/cron.d/at.deny file. The list of user accounts defined by the JASS_AT_DENY variable is as follows:

To pass this check, each user account must exist in both the /etc/passwd file and the /etc/cron.d/at.deny file. The user account must not exist in the /etc/cron.d/at.allow file, because it would override the setting (due to precedence). A failure is displayed if any of these checks fail.

update-cron-allow.aud

This script determines if a user account is listed in the JASS_CRON_ALLOW variable and not in /etc/cron.d/cron.allow file. By default, the value is only the root user. A failure is displayed if this check fails.

update-cron-deny.aud

This script determines if a user account is listed in the JASS_CRON_DENY variable and not in the /etc/cron.d/cron.deny file. The list of user accounts defined by the JASS_CRON_DENY variable is as follows:

To pass this check, each user account must exist in both the /etc/passwd file and the /etc/cron.d/cron.deny file. Furthermore, the user account must not exist in the /etc/cron.d/cron.allow file, because it would override this setting (due to precedence). A failure is displayed if any of these checks fail.
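The account-list check described for install-at-allow.aud, update-at-deny.aud, update-cron-allow.aud and update-cron-deny.aud, as one added Bourne shell example. This is not the Solaris Security Toolkit's own code: every account named in the list must exist in the passwd file and in the allow or deny file being audited, and must be absent from the opposite file, which would take precedence. The passwd file and the two list files are parameters, and the account lists and file contents below are constructed for the demonstration (the page does not reproduce the default JASS_AT_DENY and JASS_CRON_DENY values).

```shell
#!/bin/sh
# Added example (not Toolkit code): the "in passwd, in this list, not in the
# overriding list" check shared by the at.allow/at.deny/cron.allow/cron.deny audits.

# has_line FILE WORD: true if FILE contains a line that is exactly WORD.
has_line() { grep -qxF -- "$2" "$1" 2>/dev/null; }

# passwd_has FILE USER: true if USER is the first field of some line in a
# passwd-format FILE.
passwd_has() {
    awk -F: -v u="$2" '$1 == u { f = 1 } END { exit !f }' "$1" 2>/dev/null
}

# check_acct_list "USERS" PASSWD MUST_LIST MUST_NOT_LIST
# Prints one line per discrepancy; returns 1 if any account fails, 0 otherwise.
# An empty USERS list (the JASS_AT_ALLOW default) passes vacuously.
check_acct_list() {
    users=$1 passwd=$2 must=$3 mustnot=$4
    rc=0
    for u in $users; do
        if ! passwd_has "$passwd" "$u"; then
            echo "FAIL: $u is not defined in $passwd"
            rc=1
        fi
        if ! has_line "$must" "$u"; then
            echo "FAIL: $u is not listed in $must"
            rc=1
        fi
        if has_line "$mustnot" "$u"; then
            echo "FAIL: $u is listed in $mustnot, which overrides $must"
            rc=1
        fi
    done
    [ "$rc" -eq 0 ] && echo "PASS: accounts '$users' are listed as required"
    return "$rc"
}

# Constructed passwd and at/cron control files for the demonstration.
tmp=$(mktemp -d)
cat > "$tmp/passwd" <<'EOF'
root:x:0:1:Super-User:/:/sbin/sh
bin:x:2:2::/usr/bin:
adm:x:4:4:Admin:/var/adm:
lp:x:71:8:Line Printer Admin:/usr/spool/lp:
EOF
printf 'bin\nadm\n' > "$tmp/at.deny"
printf 'lp\n' > "$tmp/at.allow"
# Constructed stand-in for JASS_AT_DENY; lp also appears in at.allow and is flagged.
check_acct_list "bin adm lp" "$tmp/passwd" "$tmp/at.deny" "$tmp/at.allow" \
    || echo "(discrepancy detected, as expected)"
# update-cron-allow.aud: by default only root, which must be in cron.allow and not in cron.deny.
printf 'root\n' > "$tmp/cron.allow"
: > "$tmp/cron.deny"
check_acct_list "root" "$tmp/passwd" "$tmp/cron.allow" "$tmp/cron.deny"
rm -rf "$tmp"
```

For the allow-file audits the third argument is the allow file and the fourth the deny file; for the deny-file audits they are swapped. The whole-line match (`grep -x`) matters: a substring match would let `lp` satisfy a line reading `lpadmin`.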

update-cron-log-size.aud



Note - Use this script only for systems running Solaris OS versions 2.6 through 10.



This script determines if the cron facility is configured to increase its default size limit for log files. The check method is based on the version of the Solaris OS and the value of the JASS_CRON_LOG_SIZE variable. The size limit defined by the JASS_CRON_LOG_SIZE variable is 20480 kilobytes. A failure is displayed if the size limitation is not correct.

update-inetd-conf.aud

This script determines if any of the services listed in the JASS_SVCS_DISABLE variable are disabled in /etc/inetd.conf. This script also checks to ensure that services listed in the JASS_SVCS_ENABLE variable are enabled in the /etc/inetd.conf file. If a service is listed in both variables, then the service is left enabled by the JASS_SVCS_ENABLE variable. A failure is displayed if any of these checks fail.

The JASS_SVCS_DISABLE parameter is populated as shown in TABLE 6-2.


TABLE 6-2 Sample Output of JASS_SVCS_DISABLE

100068     100083     100087     100134     100146     100147
100150     100155     100166     100221     100229     100230
100232     100234     100235     100242     100424     300326
536870916  chargen    comsat     daytime    discard    dtspc
echo       eklogin    exec       finger     fs         ftp
kerbd      klogin     kshell     login      name       netstat
printer    rexd       rquotad    rstatd     rusersd    rwalld
shell      smtp       sprayd     sun-dr     systat     talk
telnet     tftp       time       ufsd       uucp       uuidgen
walld      xaudio

The JASS_SVCS_ENABLE variable is, by default, empty. Some drivers may use it, such as the suncluster3x-secure.driver.
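The update-inetd-conf.aud logic described above, including the rule that a service named in both JASS_SVCS_DISABLE and JASS_SVCS_ENABLE is left enabled, as an added Bourne shell example. This is not the Solaris Security Toolkit's own code. It assumes the classic inetd.conf layout (service name in the first field, RPC entries written as program-number/version such as 100068/2-5, and a leading `#` marking a disabled entry); the inetd.conf fragment and the two service lists below are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not Toolkit code): the inetd.conf consistency check described for
# update-inetd-conf.aud, run against a constructed /etc/inetd.conf fragment.

# inetd_state FILE SERVICE: print "enabled", "disabled" or "absent".
# Only lines that look like inetd entries (second field is a socket type) count;
# a version suffix such as /2-5 on RPC program numbers is stripped before comparing.
# If a service has both an active and a commented-out entry, "enabled" wins.
inetd_state() {
    awk -v svc="$2" '
        {
            line = $0
            disabled = 0
            sub(/^[ \t]+/, "", line)
            if (line ~ /^#/) { disabled = 1; sub(/^#+[ \t]*/, "", line) }
            n = split(line, f, /[ \t]+/)
            if (n < 6) next
            if (f[2] !~ /^(stream|dgram|raw|seqpacket|tli)$/) next
            name = f[1]; sub(/\/.*/, "", name)
            if (name != svc) next
            if (disabled) { if (state != "enabled") state = "disabled" }
            else state = "enabled"
        }
        END { print (state == "" ? "absent" : state) }
    ' "$1"
}

# check_inetd FILE "DISABLE_LIST" "ENABLE_LIST"
# Services in DISABLE_LIST must not be enabled (absent is acceptable); services in
# ENABLE_LIST must be enabled; a service in both lists is expected to be enabled.
check_inetd() {
    file=$1 disable=$2 enable=$3
    rc=0
    for s in $disable; do
        case " $enable " in *" $s "*) continue ;; esac
        st=$(inetd_state "$file" "$s")
        if [ "$st" = enabled ]; then
            echo "FAIL: $s is enabled in $file but is listed in JASS_SVCS_DISABLE"
            rc=1
        fi
    done
    for s in $enable; do
        st=$(inetd_state "$file" "$s")
        if [ "$st" != enabled ]; then
            echo "FAIL: $s is $st in $file but is listed in JASS_SVCS_ENABLE"
            rc=1
        fi
    done
    [ "$rc" -eq 0 ] && echo "PASS: $file matches the service lists"
    return "$rc"
}

# Constructed inetd.conf fragment: telnet, finger and 100068 disabled, ftp and 100083 active.
tmp=$(mktemp -d)
cat > "$tmp/inetd.conf" <<'EOF'
# constructed /etc/inetd.conf fragment (not a real system file)
#telnet stream  tcp     nowait  root    /usr/sbin/in.telnetd    in.telnetd
ftp     stream  tcp     nowait  root    /usr/sbin/in.ftpd       in.ftpd
#finger stream  tcp     nowait  nobody  /usr/sbin/in.fingerd    in.fingerd
#100068/2-5 dgram rpc/udp wait root /usr/dt/bin/rpc.cmsd rpc.cmsd
100083/1 tli rpc/tcp wait root /usr/dt/bin/rpc.ttdbserverd rpc.ttdbserverd
EOF
# Constructed stand-ins for JASS_SVCS_DISABLE and JASS_SVCS_ENABLE; ftp is in both,
# so it stays enabled and is not flagged, while 100083 is reported.
check_inetd "$tmp/inetd.conf" "telnet ftp finger 100068 100083" "ftp" \
    || echo "(discrepancy detected, as expected)"
rm -rf "$tmp"
```

Treating an absent service as compliant for the disable list mirrors what the audit cares about (the service must not be reachable), while the enable list is strict because a missing entry means the intended service is not offered at all.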


Using Product-Specific Audit Scripts

TABLE 6-3 lists product-specific audit scripts for specific Sun products. These scripts are in the Audit directory.

New audit scripts are released periodically for new and updated Sun products. For the latest list of scripts, refer to the Security Web site:

http://www.sun.com/security/jass


TABLE 6-3 Product-Specific Audit Scripts

Product                                        Audit Script Name
Sun Cluster 3.x software                       suncluster3x-set-nsswitch-conf.aud
Sun Fire high-end systems domains              s15k-static-arp.aud
Sun Fire high-end systems system controllers   s15k-static-arp.aud
                                               s15k-exclude-domains.aud
                                               s15k-sms-secure-failover.aud


suncluster3x-set-nsswitch-conf.aud



Note - This script applies only to Sun Cluster 3.x systems and should not be executed on other systems.



This script determines if the /etc/nsswitch.conf file lists the cluster keyword as the first source for the hosts database. A failure is displayed if this is not true.

For more information, refer to the Sun BluePrints OnLine article titled "Securing Sun Cluster 3.x Software."

s15k-static-arp.aud

For System Management Services (SMS) versions 1.2 through 1.4.1, this script verifies that the static ARP configuration files are installed on Sun Fire high-end systems system controllers (SCs) and domains. For system controllers, the file is /etc/sms_sc_arp. For domains, the file is /etc/sms_domain_arp.

This script checks that all existing domains have Ethernet addresses as listed in the SC static ARP startup script and corresponding data file.

For more information, refer to the Sun BluePrints OnLine article titled "Securing the Sun Fire 12K and 15K System Controller" and "Securing the Sun Fire 12K and 15K Domains."

s15k-exclude-domains.aud

For SMS versions 1.2 and newer, this script determines if the /etc/opt/SUNWSMS/SMS/config/MAN.cf file exists. If it does, this script checks to ensure that all the domains listed are excluded from the I1 MAN. The corresponding finish script excludes all domains from the I1 MAN by default. If the site has altered that script to exclude only a subset of the domains, this audit script issues a warning about each domain that is still part of the I1 MAN.

For more information, refer to the Sun BluePrints OnLine article titled "Securing the Sun Fire 12K and 15K System Controller."

s15k-sms-secure-failover.aud

For SMS versions 1.2 through 1.4.1, this script determines if the Sun Fire high-end systems system controller is configured based on the recommendations in the Sun BluePrints OnLine article titled "Securing the Sun Fire 12K and 15K System Controller." It indicates a failure if any of the services listed in the SMS_SVCS_DISABLE variable are enabled in /etc/inet/inetd.conf.