CHAPTER 5
This chapter provides reference information about using, adding, modifying, and removing finish scripts. This chapter describes the scripts used by the Solaris Security Toolkit software to harden and minimize Solaris OS systems.
The default scripts in the Solaris Security Toolkit software disable all services, including network services, not required for the OS to function. This action might not be appropriate for your environment. Evaluate which security modifications are required for your system, then make adjustments by using the information in this chapter.
This chapter contains the following topics:
Finish scripts serve as the heart of the Solaris Security Toolkit software. These scripts collectively implement the majority of security modifications. The finish scripts isolate related changes into single files that can be combined and grouped in any number of ways, depending on the design of the security profile (driver).
This section provides instructions and recommendations for customizing existing finish scripts and creating new finish scripts. This section also provides guidelines for using finish script functions.
Note - Consider submitting a bug report or request for enhancement if you think that the change could benefit a wider audience. The Solaris Security Toolkit development team is always looking for ways to improve the software to better support its users.
Just as with Solaris Security Toolkit drivers, you can customize finish scripts. Do not modify scripts that are supplied with the Solaris Security Toolkit software. Always modify a copy of the finish script and not the original script directly. Failure to do so might result in a loss of changes upon Solaris Security Toolkit software upgrade or removal. Wherever possible, try to minimize and document the modifications made to scripts.
Customize finish scripts by using environment variables. The behavior of most finish scripts included in the Solaris Security Toolkit can be tailored using this technique, thereby eliminating the need to modify the actual script. If this is not possible, then you might find it necessary to modify the code.
For a list of all environment variables and guidelines for defining them, see Chapter 7.
Note - When you install the Solaris Security Toolkit software on a JumpStart server, the finish scripts run from a memory-resident miniroot running on the JumpStart client. The miniroot contains almost all of the Solaris OS functions. If you create finish scripts, it is sometimes necessary to execute commands using the chroot command, because the client disk is mounted on /a. This limitation is not present during a stand-alone mode execution of the Solaris Security Toolkit software.
Use the following steps to customize a finish script so that new versions of the original files do not overwrite your customized versions. Furthermore, these files are not removed if the software is removed using the pkgrm command.
1. Copy the script and the related files that you want to customize.
2. Rename the copies with names that identify the files as custom scripts and files.
For naming guidelines, refer to "Configuring and Customizing the Solaris Security Toolkit Software", Chapter 1, Solaris Security Toolkit 4.2 Administration Guide.
3. Modify your custom script and files accordingly.
CODE EXAMPLE 5-1 shows how to automate software installation using install-openssh.fin. In this example, the code expects the version of OpenSSH to be "2.5.2p2"; however, the current version of OpenSSH is "3.5p1". Obviously, the version to install varies depending on when the software is installed. This script can also be altered to support a commercial version of the Secure Shell product.
In this case, the only way to adjust this script to support a different version of OpenSSH is to modify it directly. After completing the changes, be sure to change the security profile that uses this script, to account for its new name.
Note - As noted previously, this method of modifying a script directly should rarely be necessary, because most of the Solaris Security Toolkit software's functionality can be customized through variables.
Note - For systems running the Solaris 10 OS, and for services that have been fully converted to smf(5) in the Solaris 10 OS, the following section does not apply. Those init.d scripts are no longer used; instead, svc.startd(1M) controls these functions. For these services, the Solaris Security Toolkit does not use the JASS_KILL_SCRIPT_DISABLE variable at all on the Solaris 10 OS. Because SMF handles all startups and shutdowns, the separation of start and stop scripts is no longer required.
Finish scripts that begin with the keyword disable are typically responsible for disabling services. Many of these scripts modify shell scripts that are located in the run-control directories (/etc/rc*.d). In most cases, run-control scripts are of two flavors: start and kill scripts. As their name implies, start scripts start services and kill scripts stop services. The start scripts begin with the capital letter S and kill scripts begin with the capital letter K.
Kill scripts are most often used to prepare a system for shutting down or rebooting. These scripts shut down services in a logical order so that changes are not lost and the system state is maintained. Typically, both start and kill scripts are hard links to files in the /etc/init.d directory, although this is not always the case.
The default action of the Solaris Security Toolkit software is to disable both start and kill scripts. This behavior can be altered using the JASS_KILL_SCRIPT_DISABLE environment variable. By default, this variable is set to 1, instructing the Solaris Security Toolkit software to disable both start and kill scripts.
There are times when this action is not preferred. For example, kill scripts are often used to stop services that were manually started by an administrator. If these scripts are disabled by the Solaris Security Toolkit software, then these services might not be stopped properly or in the correct sequence. To prevent kill scripts from being disabled, simply set the JASS_KILL_SCRIPT_DISABLE environment variable to 0 in the user.init file or in the relevant driver.
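The following Bourne shell example, added here and not taken from the toolkit, shows the decision a disable finish script makes over a run-control directory: start scripts (S*) are always disabled, kill scripts (K*) only while JASS_KILL_SCRIPT_DISABLE is 1 (its default). The ".disabled" rename suffix and the sample directory are constructed for the example; the toolkit's own framework functions (Chapter 2) use their own naming and record each change so that it can be undone.

```shell
#!/bin/sh
# Added example (not toolkit code): which run-control scripts a
# disable-* finish script renames, honoring JASS_KILL_SCRIPT_DISABLE.

# Disable run-control scripts in directory $1.  Start scripts (S*) are
# always disabled; kill scripts (K*) only when JASS_KILL_SCRIPT_DISABLE
# is 1 (the toolkit default).  Prints the name of each file it renamed.
# The "_name.disabled" form is a placeholder, not the toolkit's naming.
disable_rc_scripts() {
    rcdir="$1"
    kill_disable="${JASS_KILL_SCRIPT_DISABLE:-1}"
    for f in "$rcdir"/S* "$rcdir"/K*; do
        [ -f "$f" ] || continue
        base=`basename "$f"`
        case "$base" in
            K*) [ "$kill_disable" = "1" ] || continue ;;
        esac
        mv "$f" "$rcdir/_${base}.disabled" && echo "$base"
    done
}

# Build a constructed directory that mimics /etc/rc2.d for one service
# (one start script and one kill script).  Prints the directory name.
make_sample_rcdir() {
    dir=`mktemp -d`
    printf '#!/bin/sh\necho start\n' > "$dir/S99sample"
    printf '#!/bin/sh\necho stop\n'  > "$dir/K99sample"
    echo "$dir"
}

# Count the scripts in $1 that still carry an active S or K name.
count_active() {
    ls "$1" | grep -c '^[SK]' || true
}

# Usage: set JASS_KILL_SCRIPT_DISABLE=0 (for example in user.init or the
# driver) before calling disable_rc_scripts to keep kill scripts active:
#   JASS_KILL_SCRIPT_DISABLE=0; export JASS_KILL_SCRIPT_DISABLE
#   disable_rc_scripts /etc/rc2.d
```

Run against a real run-control directory only from within a finish script that uses the framework functions, so that the change is logged and reversible.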
You can create new finish scripts and integrate them into your deployment of the Solaris Security Toolkit software. Because most finish scripts must be developed in the Bourne shell, it is relatively easy to add new functionality. On the Solaris 10 OS, Perl is available during stand-alone audit and hardening, so Solaris Security Toolkit scripts for systems running the Solaris 10 OS can be written in Perl. For those who are less experienced in UNIX shell scripting, examine existing finish scripts that perform similar functions to gain an understanding of how to accomplish a given task and to understand the correct sequence of actions.
Consider the following conventions when developing new finish scripts. Understanding these conventions ensures that the scripts are functional in stand-alone mode and JumpStart mode.
Whenever adding new finish scripts, be sure to add a companion audit script. Audit scripts are used to determine the state of changes made on an existing system. For more information, see Chapter 6.
The scripts must not be configured to rely on the fact that the / directory is the actual root directory of the system. Incorrect configuration prevents the script from working in JumpStart mode when the target's actual root directory is /a. This convention is easily implemented using the JASS_ROOT_DIR environment variable. For more information about this and other environment variables, see Chapter 7.
In some cases, the program used in a finish script might not support a relocated root directory. In these cases, it might be necessary to use the chroot(1M) command to force the command to run within a relative root directory, such as that described previously. For example, the usermod(1M) command does not allow the user to specify an alternate root directory. In this case, it is necessary to use the chroot(1M) command as follows.
The Solaris Security Toolkit software automatically detects the location of the platform's real root directory and assigns that value to the JASS_ROOT_DIR variable. Use this variable in place of hard-coding a specific path for the root file system. For example, in place of using /etc/default/login within the finish script, use JASS_ROOT_DIR/etc/default/login.
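The two helpers below are an added example, not toolkit code: target_path builds a file name under JASS_ROOT_DIR so the same script works when the root is / (stand-alone) or /a (JumpStart), and run_in_target wraps a command such as usermod(1M), which has no alternate-root option, in chroot(1M) only when the target root is not /. The function names and the default of / when JASS_ROOT_DIR is unset are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not toolkit code): resolving paths under JASS_ROOT_DIR
# and running commands that cannot relocate their root directory.

# Print the location of target file $1 (given as an absolute path on the
# installed system).  JASS_ROOT_DIR is "/" in stand-alone mode and "/a"
# on a JumpStart client; defaulting to "/" is an assumption so that the
# example runs outside the toolkit framework.
target_path() {
    root="${JASS_ROOT_DIR:-/}"
    rel=`echo "$1" | sed 's,^/*,,'`
    case "$root" in
        */) echo "${root}${rel}" ;;
        *)  echo "${root}/${rel}" ;;
    esac
}

# Run a command inside the target root.  Programs such as usermod(1M)
# cannot be pointed at an alternate root, so under JumpStart they must
# run via chroot(1M) against /a; in stand-alone mode chroot is not
# needed and the command runs directly.
run_in_target() {
    root="${JASS_ROOT_DIR:-/}"
    if [ "$root" = "/" ]; then
        "$@"
    else
        chroot "$root" "$@"
    fi
}

# Usage inside a finish script:
#   LOGIN_FILE=`target_path /etc/default/login`
#   run_in_target usermod -s /usr/bin/false someaccount
```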
Using the framework functions ensures that the changes made by a new script are consistent with those done elsewhere, and that they can be safely undone. For a list of framework functions, see Chapter 2.
Examples of framework functions that ensure correct and consistent operation of all Solaris Security Toolkit capabilities are as follows:
For example, programs like usermod(1M) are preferred over directly modifying the /etc/passwd file. This preference is necessary to make the software as flexible as possible and to make the resulting finish scripts as OS-version independent as possible. Complicated or obscure ways of configuring a system could actually be harder to debug or maintain over the life of a script. For examples of supportable ways in which changes can be made, refer to the Sun BluePrints OnLine article titled "Solaris Operating Environment Security: Updated for Solaris Operating Environment 9."
If a particular function is not needed on a version of the OS, then do not attempt to use it. This approach helps to make the software backward compatible with existing releases and more likely to support future releases. Furthermore, by making finish scripts OS-version aware, the number of warning and error messages can be dramatically reduced. The Solaris Security Toolkit software's finish directory contains example scripts that are aware of the OS on which they are being used and that only make changes when necessary. Some sample scripts that use this capability are as follows:
To make this process simpler for software developers, the framework includes the following two functions:
For detailed information about these functions, see Chapter 2.
The finish scripts must be able to detect whether a change actually needs to be made.
For example, the enable-rfc1948.fin script checks to see if the /etc/default/inetinit script already has the setting TCP_STRONG_ISS=2. If this setting is present, there is no need to back up files or make other changes.
This technique not only reduces the number of unnecessary backup files, but also helps prevent errors and confusion resulting from multiple, redundant changes made in the same files. By implementing this functionality, you also are well on your way toward developing the code necessary to implement the finish script's companion audit script.
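The following script is an added illustration of the check-before-change pattern, modelled on the enable-rfc1948.fin behaviour described above; it is not the toolkit's script. It operates on a constructed copy of /etc/default/inetinit, tests for TCP_STRONG_ISS=2 before touching the file, and backs the file up only when a change is really needed. The ".JASS-backup" suffix is a placeholder; inside the toolkit you would use the framework backup function (Chapter 2) so that undo runs can restore the file.

```shell
#!/bin/sh
# Added example (not the toolkit's enable-rfc1948.fin): change a setting
# only when it is absent, and back the file up only in that case.

# Return 0 if file $1 already contains TCP_STRONG_ISS=2 as an active
# (uncommented) setting.
rfc1948_enabled() {
    grep '^TCP_STRONG_ISS=2 *$' "$1" > /dev/null 2>&1
}

# Ensure TCP_STRONG_ISS=2 in file $1.  Prints "unchanged" when the
# setting is already present, otherwise backs the file up, rewrites or
# appends the setting, and prints "changed".  Writing through cat keeps
# the original file's owner and mode.
enable_rfc1948() {
    file="$1"
    if rfc1948_enabled "$file"; then
        echo unchanged
        return 0
    fi
    cp -p "$file" "${file}.JASS-backup"        # placeholder backup name
    if grep '^TCP_STRONG_ISS=' "$file" > /dev/null 2>&1; then
        tmp="${file}.tmp.$$"
        sed 's/^TCP_STRONG_ISS=.*/TCP_STRONG_ISS=2/' "$file" > "$tmp" \
            && cat "$tmp" > "$file"
        rm -f "$tmp"
    else
        echo 'TCP_STRONG_ISS=2' >> "$file"
    fi
    echo changed
}

# Constructed sample of the relevant lines of /etc/default/inetinit,
# with the weak default still in place.  Prints the file name.
make_sample_inetinit() {
    f=`mktemp`
    cat > "$f" <<'EOF'
# TCP_STRONG_ISS sets the TCP initial sequence number generation parameters.
TCP_STRONG_ISS=1
EOF
    echo "$f"
}

# In a finish script the target would be ${JASS_ROOT_DIR}/etc/default/inetinit:
#   enable_rfc1948 "${JASS_ROOT_DIR}/etc/default/inetinit"
```

Because rfc1948_enabled is a pure check that returns success or failure without modifying anything, the same function is the core of a companion audit script for Chapter 6.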
Finish scripts perform system modifications and updates during hardening runs. These scripts are not used in any other runs or operations of the software.
The finish.init handles all finish script configuration variables. You can override the default variables by modifying the user.init file. This file is heavily commented to explain each variable, its impact, and its use in finish scripts. Additionally, see Chapter 7 for a description of each variable.
Using variables found in the finish.init script, you can customize most of the finish scripts to suit your organization's security policy and requirements. You can customize nearly every aspect of the Solaris Security Toolkit software through variables, without needing to alter the source code. The use of this script is strongly recommended so as to minimize migration issues with new Solaris Security Toolkit software releases.
This section describes the standard finish scripts, which are in the Finish directory. Each of the scripts in the Finish directory is organized into the following categories:
In addition to these standard finish scripts, the Solaris Security Toolkit software provides product-specific finish scripts. For a list of product-specific finish scripts, see Using Product-Specific Finish Scripts.
The following disable finish scripts are described in this section:
This script prevents the AnswerBook2 (ab2) server from starting. The ab2 server software is distributed on the Documentation CD in the Solaris OS Server pack.
This script prevents the Apache Web server, shipped with Solaris OS versions 8 and 9 distribution packages only, from starting. This script does not impact other Apache distributions installed on the system. For more information on this service, refer to the apache(1M) manual page.
This script prevents the Apache 2 service, shipped with Solaris 10 OS distribution package only, from starting. This script does not impact other Apache distributions installed on the system. For more information on this service, refer to the apache(1M) manual page.
This script prevents the Sun Java Application Server, shipped with the Solaris 10 Operating System distribution package, from starting.
Note - Use this script only on Solaris OS versions 2.5.1 through 8. For Solaris OS versions 9 and 10, this service has been replaced with the PPP service and is disabled using the disable-ppp.fin finish script.
This script disables the Asynchronous Point-to-Point Protocol (ASPPP) service from starting. This service implements the functionality described in Remote Function Call (RFC) 1331, the Point-to-Point Protocol (PPP) for the transmission of multi-protocol datagrams over Point-to-Point links. For more information on this functionality, refer to the aspppd(1M) manual page.
Caution - Do not use the disable-autoinst.fin script if there might be a need to use the functionality provided by the sys-unconfig(1M) program to restore a system's configuration to an as-manufactured state.
Caution - If you are using a JumpStart environment, disable the run-control or startup scripts mentioned in the following paragraph to help prevent an intruder from reconfiguring the system. These run-control scripts are never used in a JumpStart environment.
This script prevents a system from being re-installed, by disabling the run-control scripts associated with automatic configuration. These scripts are used only if the /etc/.UNCONFIGURED or /AUTOINSTALL files are created. After initial installation and configuration, there is generally little reason for these scripts to remain available.
This script disables the NFS automount service. The automount service answers file system mount and unmount requests from the autofs file system. When this script is used, the NFS automount service is disabled and all forms of automount maps are affected. For more information on this functionality, refer to the automountd(1M) manual page.
This script disables the Dynamic Host Configuration Protocol (DHCP) server included in Solaris OS versions 8, 9, and 10. For more information on this server, refer to the dhcpd(1M) manual page.
This script prevents the Sun Java System Directory server, formerly the Sun ONE Directory server, from starting. This script does not affect either the unbundled product or the Sun Java System Directory server software provided with Solaris OS versions other than 9 and 10. By default, the Solaris Security Toolkit software disables only the services supplied with the Solaris OS. For more information on this server, refer to the directoryserver(1M) manual page.
This script prevents the Desktop Management Interface (DMI) from starting. For more information on this service, refer to the dmispd(1M) and snmpXdmid(1M) manual pages.
This script prevents any windowing environment from being started at boot time, for example, the Common Desktop Environment (CDE) service. However, this script does not prevent a windowing environment from being started at a later time (for example, after a system is booted). For more information on this service, refer to the dtlogin(1X) and dtconfig(1) manual pages.
The SUNWfac package, Framed Access Command Environment (FACE), includes a world-writable log file /usr/oasys/tmp/TERRLOG. This script removes the Group and Other write permissions, so only the root account can write to the file. In other words, the script changes the permissions on the file from:
Because the log file /usr/oasys/tmp/TERRLOG is under /usr, which is often on the root file system, instead of /var, this can be used for a denial-of-service attack. While FACE logging can be a useful function, it might not be critical for system operation. If this facility is not needed, it should be disabled.
This script prevents the Internet-Intranet Input Method (IIim) daemon and HyperText Transfer (htt) server from starting. The IIim daemon is an htt agent that binds to a port and awaits requests from htt software. Upon receiving a request, IIim processes the request, collects the requested information, performs any requested operations, and finally returns information to the requester. IIim is especially useful for transferring information in international languages, such as Korean, Simplified Chinese, or Traditional Chinese.
This script disables the use of IPv6 on specific network interfaces by removing the associated host name files in /etc/hostname6.*. This mechanism also prevents the in.ndpd service from running.
This script prevents the Kerberos Key Distribution Center (KDC) service from starting.
For more information on this service, refer to the krb5kdc(1M) and kdc.conf(4) manual pages.
This script configures the system to ignore keyboard abort sequences. Typically, when a keyboard abort sequence is initiated, the operating system is suspended and the console enters the OpenBoot PROM monitor or debugger. Using this script prevents the system from being suspended. For more information on this capability, refer to the kbd(1) manual page.
This script disables the nobody UID access to secure RPC:
For more information on this service, refer to the keyserv(1M) manual page.
This script prevents the Lightweight Directory Access Protocol (LDAP) client daemons from starting on the system. This service provides the directory lookup capability for the system. If the system is acting as an LDAP client or requires the directory lookup capability, then this script should not be used. For more information on this service, refer to the ldap_cachemgr(1M) and ldapclient(1M) manual pages.
This script prevents the line printer (lp) service from starting. Note that in addition to disabling the service, this script removes the lp user's access to the cron subsystem by adding lp to the /etc/cron.d/cron.deny file, and removing all lp commands in the /var/spool/cron/crontabs directory.
This functionality is distinct from the update-cron-deny.fin script, because the lp packages might or might not be installed on a system. In addition, the lp subsystem might be necessary, while the functions removed by the update-cron-deny.fin script are not.
This script prevents the Mobile Internet Protocol (MIP) agents from starting. This service implements the MIP home agent and foreign agent functionality described in RFC 2002, IP Mobility Support. For more information on this service, refer to the mipagent(1M) manual page.
Note - This script is intended to be used only with the Domain Name System (DNS) service shipped with the Solaris OS. Disabling this service does not affect the ability of the system to act as a DNS client.
This script prevents the DNS server from starting using the named(1M) command.
This script prevents the NFS client service from starting. This script also disables the network status monitor (statd) and lock manager (lockd) daemons. Note that an administrator can still mount remote file systems onto the system, even if this script is used. Those file systems, however, do not take advantage of the status monitor or lock manager daemons. For more information on this service, refer to the statd(1M) and lockd(1M) manual pages.
Note - Do not use this script if the system must share its file systems with remote clients. If the NFS server service is required, then this script should not be used. Further, because this service relies on the RPC service, the disable-rpc.fin script also should not be used.
This script prevents the NFS service from starting. This script also disables the daemons that provide support for NFS logging, mounting, access checks, and client service. For more information on this service, refer to the nfsd(1M), mountd(1M), and dfstab(4) manual pages.
This script disables caching for passwd, group, hosts, and ipnodes entries by the Name Service Cache Daemon (NSCD). For the Solaris 8 OS, patch 110386 version 02 at minimum must be applied to fix a bug in the Role-Based Access Control (RBAC) facility, otherwise the Solaris Security Toolkit software generates an error message.
The NSCD provides caching for name service requests. It exists to provide a performance boost to pending requests and reduce name service network traffic. The nscd maintains cache entries for databases such as passwd, group, and hosts. It does not cache the shadow password file for security reasons. All name service requests made through system library calls are routed to nscd. With the addition of IPv6 and RBAC in Solaris 8 OS, the nscd caching capability was expanded to address additional name service databases.
Because caching name service data makes spoofing attacks easier, it is recommended that the configuration of nscd be modified to cache as little data as possible. This task is accomplished by setting the positive time-to-live (ttl) to zero in the /etc/nscd.conf file for the name service requests deemed vulnerable to spoofing attacks. In particular, the configuration should be modified so that passwd, group, and Solaris 8, 9, and 10 OS RBAC information has a positive and negative ttl of zero.
The nscd -g option can be used to view the current nscd configuration on a server and is a helpful resource when tuning nscd.
Disabling nscd entirely is not recommended because applications make name service calls directly, which exposes various bugs in applications and name service backends.
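The excerpt below is a constructed example of the nscd.conf settings this section describes, not the file that disable-nscd-caching.fin installs. It keeps nscd running but gives the spoofing-sensitive databases (passwd, group, hosts, ipnodes, and the Solaris 8, 9, and 10 OS RBAC databases) a positive and negative time-to-live of zero; attribute names follow nscd.conf(4).

```conf
# Constructed excerpt of /etc/nscd.conf (added example, not the toolkit's file).
# A ttl of 0 means entries are not retained, so a spoofed reply cannot
# linger in the cache; nscd itself stays running for the applications
# that depend on it.
positive-time-to-live   passwd      0
negative-time-to-live   passwd      0
positive-time-to-live   group       0
negative-time-to-live   group       0
positive-time-to-live   hosts       0
negative-time-to-live   hosts       0
positive-time-to-live   ipnodes     0
negative-time-to-live   ipnodes     0
# RBAC databases (Solaris 8 OS and later)
positive-time-to-live   exec_attr   0
negative-time-to-live   exec_attr   0
positive-time-to-live   prof_attr   0
negative-time-to-live   prof_attr   0
positive-time-to-live   user_attr   0
negative-time-to-live   user_attr   0
```

After editing, restart nscd and confirm the active values with nscd -g, which prints the configuration the running daemon is using.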
This script prevents the Platform Information and Control Library (PICL) service from starting. Disabling this service could impact the ability of the system to monitor environmental conditions and should, therefore, be used with care. For more information on this service, refer to the picld(1M) manual page.
This script prevents the power management service from starting. (The power management service allows the system to power down monitors, spin down disks, and even power off the system itself.) Using this script disables the power management functionality. Additionally, a noautoshutdown file is created to prevent a system administrator from being asked about the state of power management during an automated JumpStart mode installation. For more information on this service, refer to the powerd(1M), pmconfig(1M), and power.conf(4) manual pages.
This script prevents the Point-to-Point Protocol (PPP) service from starting. This service was introduced in the Solaris 8 OS (7/01) and supplements the older Asynchronous PPP (ASPPP) service. This service provides a method for transmitting datagrams over serial point-to-point links. For more information on this service, refer to the pppd(1M) and pppoed(1M) manual pages.
This script prevents the moving of saved files (that were previously edited) to /usr/preserve when a system is rebooted. These files are typically created by editors that are abruptly terminated due to a system crash or loss of a session. These files are normally located in /var/tmp with names beginning with Ex.
This script changes the CONSOLE variable in the /etc/default/login file to prevent direct remote root logins. Although this was the default behavior for the Solaris OS since the final update of 2.5.1, it is included to ensure that this setting has not been altered. Note that this setting has no impact on programs, such as Secure Shell, that can be configured to not use the /bin/login program to grant access to a system. For more information on this capability, refer to the login(1) manual page.
This script disables rhosts authentication for rlogin and rsh by modifying the Pluggable Authentication Module (PAM) configuration in /etc/pam.conf.
The disable-rlogin-rhosts.fin finish script was renamed disable-rhosts.fin to be more indicative of its actions. In addition, both rsh and rlogin entries are commented out in the /etc/pam.conf file to ensure that rhosts authentication is not enabled for either service.
For more information on this capability, refer to the in.rshd(1M), in.rlogind(1M), and pam.conf(4) manual pages.
This script disables routing, or packet forwarding, of network packets from one network to another.
Caution - The RPC port mapper function should not be disabled if any of the following services are used on the system: automount, NFS, Network Information Services (NIS), NIS+, CDE, and volume management (Solaris OS versions 9 and 10 only).
This script prevents the remote procedure call (RPC) service from starting. Note that disabling this service impacts bundled services such as NFS and CDE, and unbundled services such as Sun Cluster software. Some third-party software packages also expect that this service is available. Before disabling this service, verify that no services or tools require RPC services. For more information on this service, refer to the rpcbind(1M) manual page.
Caution - A system secured using the secure.driver will not be able to use JumpStart or NIS, because the disable-rpc.fin script is included. Instead, a new driver must be created that does not include the disable-rpc.fin script.
This script prevents the Samba file and print sharing service from starting. This script disables only the Samba services included in the Solaris OS distribution. This script does not impact other Samba distributions installed on the system. For more information on this service, refer to the smbd(1M), nmbd(1M), and smb.conf(4) manual pages.
This script disables various sendmail options depending on the Solaris OS version the system is running:
This script prevents the Service Location Protocol (SLP) service from starting. This service provides common server functionality for the SLP versions 1 and 2, as defined by the Internet Engineering Task Force (IETF) in RFC 2165 and RFC 2608. SLP provides a scalable framework for the discovery and selection of network services. For more information on this service, refer to the slpd(1M) manual page.
This script prevents the System Management Agent (SMA) service, based on the NET-SNMP service, from starting.
This script prevents the Simple Network Management Protocol (SNMP) service from starting. This script does not prevent third-party SNMP agents from functioning on the system. This script only affects the SNMP agent provided in the Solaris OS distribution package. For more information on this service, refer to the snmpdx(1M) and mibiisa(1M) manual pages.
This script disables all SunSoft Print Client startup scripts.
This script configures the Secure Shell service distributed in the Solaris OS versions 9 and 10 to restrict remote access to the root account. By default, remote root access is denied using the version of Secure Shell shipped with the Solaris 9 and 10 OS. This script verifies that functionality, thereby implementing a mechanism similar to that of the disable-remote-root-login.fin script. The script sets the PermitRootLogin parameter in /etc/ssh/sshd_config to no. For more information on this capability, refer to the sshd_config(4) manual page.
Note - Do not use this script on a SYSLOG server, because a SYSLOG server must be able to listen and receive SYSLOG messages for other machines on the network and that ability is disabled by this finish script. Use this script only on systems running Solaris OS versions 8, 9, and 10.
This script prevents the log system messages (syslogd) service from accepting remote log messages:
This script prevents the daemon from listening on User Datagram Protocol (UDP) port 514. This script is useful for systems that either store SYSLOG messages locally or forward their SYSLOG messages to another network-accessible system.
This script disables specific unused system accounts other than root. The list of accounts to be disabled on the system is explicitly enumerated in the JASS_ACCT_DISABLE variable.
This script disables the UNIX-to-UNIX Copy (UUCP) startup script. In addition, the nuucp system account is removed, along with the uucp crontab entries in the /var/spool/cron/crontabs directory. For more information on this service, refer to the uucp(1C) and uucico(1M) manual pages.
Note - Do not use this script if the VOLD service is required in the Solaris 9 OS. Further, because this service relies on both the RPC and the rpc.smserverd services, do not disable them either. Similarly, to prevent the rpc.smserverd service from being disabled, its RPC service number, 100155 (or svc:/network/rpc/smserver:default for the Solaris 10 OS), must be added to the JASS_SVCS_ENABLE environment variable to ensure the service is not mistakenly disabled.
This script prevents the Volume Management Daemon (VOLD) from starting. The vold creates and maintains a file system image rooted at /vol, by default, that contains symbolic names for diskettes, CD-ROMs, and other removable media devices. For more information on this service, refer to the vold(1M) manual page.
Note - Do not use this script if the WBEM service is required, or if the use of the Solaris Management Console is needed. Because this service also relies on the RPC service, the disable-rpc.fin script should not be used.
This script prevents the Web-Based Enterprise Management (WBEM) service from starting. WBEM is a set of management and Internet-related technologies that unify management of enterprise computing environments. Developed by the Distributed Management Task Force (DMTF), WBEM enables organizations to deliver an integrated set of standards-based management tools that support and promote World Wide Web technology. For more information on this service, refer to the wbem(5) manual page.
This script disables the X Font Server (XFS), a TCP/IP-based service that serves font files to its clients. XFS is not needed to run an X-based graphical user interface (GUI).
This script disables the X11 server's ability to listen to and accept requests over TCP on port 6000. This script adds the option -nolisten TCP to the X server configuration line in the /etc/dt/config/Xservers file. If this file does not exist, it is copied from the master location at /usr/dt/config/Xservers. For more information on this capability, refer to the Xserver(1) manual page.
The following enable finish scripts are described in this section:
This script ensures that the value of the LOCK_AFTER_RETRIES variable in the /etc/security/policy.conf file is defined correctly. Once defined, if an account exceeds the value specified by LOCK_AFTER_RETRIES, it is locked and requires administrator assistance to unlock.
The Basic Auditing and Report Tool (BART) is a file tracking tool that operates entirely at the file system level. Using BART allows you to quickly, easily, and reliably gather information about the components of the software stack that is installed on deployed systems. Using BART can greatly reduce the costs of administering a network of systems by simplifying time-consuming administrative tasks.
BART enables you to determine what file-level changes have occurred on a system, relative to a known baseline. The bart create command creates a baseline or control manifest from a fully installed and configured system. The bart compare command compares this baseline with a snapshot of the system at a later time, generating a report that lists file-level changes that have occurred on the system since it was installed.
Note - Sometimes the bart compare command fails because svc edits some files under /etc that are not under Solaris Security Toolkit control. These reported failures might not be actual failures, but you need to review the log.
The Solaris Security Toolkit 4.2 software installs two BART rules files:
Output from a BART file-level check of the system is stored in the /var/opt/SUNWjass/BART/manifests directory in the JASS_TIMESTAMP.txt file.
This enable-bart.fin script enables BART. It determines if a BART rules file is present, and if so, determines if its configuration is consistent with the driver being run and its BART rules files.
If the BART rules file configuration is not consistent with the driver being run and its BART rules file, the script copies the rules file from $JASS_FILES/var/opt/SUNWjass/bart/. Once the correct BART configuration file is in place, the script executes BART to generate a new manifest file in /var/opt/SUNWjass/BART/manifests named JASS_TIMESTAMP.txt; for example, 20050711152248.txt.
This script enables the SunSHIELD Solaris Basic Security Module (BSM) auditing service. Additionally, this script installs a default audit configuration that is described in the Sun BluePrints OnLine article titled "Auditing in the Solaris 8 Operating Environment." An audit_warn alias is added, if necessary, and assigned to the root account, and the abort disable code is overridden to permit abort sequences. This setting is most often used in a lights-out data center environment, where physical access to the platform is not always possible. After the system is rebooted, the Solaris BSM subsystem is enabled and auditing begins. For more information on this service, refer to the bsmconv(1M) manual page.
This script configures the coreadm functionality that is present in the Solaris OS versions 7 through 10. The script configures the system to store generated core files under the directory specified by JASS_CORE_DIR. Further, each core file is tagged with the specification denoted by JASS_CORE_PATTERN so that information about the core files can be collected. Typically, the information collected includes the process identifier, effective user identifier, and effective group identifier of the process, as well as the name of the process executable and the time the core file was generated. For more information on this capability, refer to the coreadm(1M) manual page.
This script enables the ftpaccess functionality for the FTP service in the Solaris 9 and Solaris 10 OS. This functionality is necessary so that the security modifications made by the set-banner-ftp.fin and set-ftpd-umask.fin scripts take effect. For example, the modifications that set the default greeting, file creation mask, and other parameters are documented in the ftpaccess(4) manual page.
For more information, refer to the in.ftpd(1M) manual page.
This script forces the in.ftpd daemon to log all File Transfer Protocol (FTP) access attempts through the SYSLOG subsystem.
For more information, refer to the in.ftpd(1M) manual page.
This script configures the Internet services daemon (INETD) to log all incoming TCP connection requests. That is, a log entry occurs through SYSLOG if a connection is made to any TCP service for which the inetd daemon is listening.
For more information, refer to the inetd.conf(4) manual page.
The Solaris 10 OS provides an integrated firewall capability by integrating the freeware IP Filter (ipfilter), which filters IP packets by content. This script enables ipfilter for all available network interfaces and creates a default set of rules specific to the driver being run. These preconfigured rules files use the file_copy keyword suffix to differentiate which files are associated with which drivers.
The following preconfigured IPF rules are included with the Solaris Security Toolkit in the $JASS/FILES/etc/opt/ipf directory:
The enable-ipfilter.fin script does the following:
This script enables password history checks on the system by permitting the definition of different HISTORY values based on a driver's JASS_PASS_HISTORY environment value. The script checks the /etc/default/passwd file to determine if a HISTORY value is specified.
This script modifies the /etc/system file to enable restricted NFS port access. After setting the variable, only NFS requests originating from ports less than 1024 are accepted.
If the keyword-value pair is already present in the /etc/system file but its value is incorrect, the line is rewritten. If the pair is absent, it is appended to the file.
If the required Solaris OS packages (currently SUNWaccr and SUNWaccu) are installed on the system, this script enables Solaris OS process accounting. For more information on this service, refer to the acct(1M) manual page.
This script creates or modifies the /etc/default/inetinit file to enable support of RFC 1948. (This RFC defines unique-per-connection ID sequence number generation.) The script sets the variable TCP_STRONG_ISS to 2 in the /etc/default/inetinit file. For more information, refer to http://ietf.org/rfc1948.html.
For SPARC systems only, this script modifies the /etc/system file to enable stack protections and exception logging. These options are enabled by adding the noexec_user_stack and noexec_user_stack_log variables to the /etc/system file.
If the keyword-value pairs are already defined in the /etc/system file, their values are rewritten to ensure that they are set properly. Otherwise, the keyword-value pairs are appended to the file. After the system is rebooted with these variables set, the system denies attempts to execute the stack directly and logs any stack execution attempt through SYSLOG. This facility is enabled to protect the system against common buffer overflow attacks.
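The rewrite-or-append handling of /etc/system keyword-value pairs that both the NFS port restriction and the stack protection descriptions rely on, as an added example that is not the toolkit's own code. /etc/system settings have the form set name = value, and lines starting with * are comments. The noexec_user_stack and noexec_user_stack_log variables are the ones named above; the nfssrv:nfs_portmon tunable used for the NFS case is an assumption of this example, since the page does not name the variable. The file path is a parameter so the functions can be run against a constructed copy.

```sh
#!/bin/sh
# Added example, not Solaris Security Toolkit code.

# set_system_tunable FILE NAME VALUE
# Rewrites an existing "set NAME = ..." line when its value is wrong, leaves
# a correct line alone, and appends the setting when it is absent.  Comment
# lines ("* ...") never match because the comparison anchors at "set".
set_system_tunable() {
    file="$1"; name="$2"; value="$3"; tmp="${file}.tmp.$$"
    [ -f "$file" ] || : > "$file"
    awk -v name="$name" -v value="$value" '
        {
            l = $0; gsub(/[ \t]/, "", l)     # "set noexec_user_stack = 1" -> "setnoexec_user_stack=1"
            if (l == ("set" name "=" value)) { found = 1; print; next }   # already correct
            if (index(l, "set" name "=") == 1) {                          # present, wrong value
                print "set " name " = " value; found = 1; next
            }
            print                                                         # comments, other tunables
        }
        END { if (!found) print "set " name " = " value }                 # absent: append
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# get_system_tunable FILE NAME
# Prints the value of the last active "set NAME = ..." line, or nothing.
get_system_tunable() {
    awk -v name="$2" '
        { l = $0; gsub(/[ \t]/, "", l); p = "set" name "=";
          if (index(l, p) == 1) v = substr(l, length(p) + 1) }
        END { print v }
    ' "$1"
}

# enable_stack_protection FILE
# The two variables named in the description above (SPARC systems).
enable_stack_protection() {
    set_system_tunable "$1" noexec_user_stack 1
    set_system_tunable "$1" noexec_user_stack_log 1
}

# restrict_nfs_ports FILE
# Assumption of this example: the NFS script sets nfssrv:nfs_portmon, the
# kernel tunable that makes the NFS server reject requests from ports >= 1024.
restrict_nfs_ports() {
    set_system_tunable "$1" nfssrv:nfs_portmon 1
}

# Demonstration on a constructed /etc/system with one stale value.
demo() {
    f=$(mktemp)
    printf '* constructed /etc/system sample\nset noexec_user_stack = 0\n' > "$f"
    enable_stack_protection "$f"
    restrict_nfs_ports "$f"
    cat "$f"
    rm -f "$f"
}
case "${1:-}" in demo) demo ;; esac
```

Whitespace is stripped before comparing so that set x=1 and set x = 1 are recognised as the same setting, and a second run leaves the file byte-for-byte unchanged, which is what makes the finish script safe to re-apply.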
In Solaris OS versions 9 and 10, many of the core Solaris executables are linked against a map file (/usr/lib/ld/map.noexstk). This map file provides functionality similar to the script by making the program's stack non-executable. Using the script is still recommended, however, because its changes are global to the system.
Note - The sample hosts.allow and hosts.deny files should be customized prior to their use to ensure that their configuration is appropriate for your organization. File templates are available in JASS_ROOT_DIR/Files/etc.
This script configures the system to use TCP wrappers. Included with late updates to the Solaris 9 OS and all releases of the Solaris 10 OS, TCP wrappers allow an administrator to restrict access to TCP services. By default, all services in /etc/inet/inetd.conf that are defined as stream, nowait are protected. This script configures the /etc/default/inetd file to set the ENABLE_TCPWRAPPERS parameter to YES. Further, this script installs sample /etc/hosts.allow and /etc/hosts.deny files that control access to services protected by TCP wrappers.
For Solaris 10 OS only:
The following install finish scripts are described in this section:
This script restricts the at command execution by creating an at.allow file in /etc/cron.d. The file is then populated with the list of users defined in the JASS_AT_ALLOW variable. All users who require at access must be added to the at.allow file. This script should be used with the update-at-deny.fin script to determine access to the at and batch facilities. For more information on this capability, refer to the at(1) manual page.
Note - Use this script only on systems running Solaris OS versions 2.5.1 through 9. Although the changes implemented by the FixModes software are integrated into the Solaris 9 OS, the use of FixModes is still recommended because many unbundled and third-party applications benefit from its use.
This script copies the fix-modes software from the JASS_PACKAGE_DIR directory to the client and then executes the program. Use the FixModes software to tighten permissions of a Solaris system.
This script creates or modifies the ftpusers file that is used to restrict access to the FTP service. This script adds users listed in the JASS_FTPUSERS variable to the ftpusers file. This script adds a user to the file only if the user's name is not already in the file.
A default ftpusers file is included with Solaris OS versions 8, 9, and 10. The path to the file varies:
All accounts not allowed to use the incoming FTP service should be specified in this file. At a minimum, this should include all system accounts (for example, bin, uucp, smtp, sys, and so forth) in addition to the root account. These accounts are often targets of intruders and individuals attempting to gain unauthorized access. Frequently, root access to a server over Telnet is disabled and root FTP access is not. This configuration provides a back door for intruders who might modify the system's configuration by uploading modified configuration files.
This script automates the installation of the Solaris Security Toolkit software onto a JumpStart client when the Solaris Security Toolkit software is being run. Use this approach so that the Solaris Security Toolkit software is available to be run after initial installation of the client. The installation is performed by installing the Solaris Security Toolkit software package distribution with the Solaris OS command pkgadd. This script expects the Solaris Security Toolkit software to be installed in the JASS_PACKAGE_DIR directory. The Solaris Security Toolkit software package SUNWjass is installed by default in the /opt directory.
This script creates the /var/adm/loginlog file used by the system to log unsuccessful login attempts. The failed logins are logged after the maximum number of failed logins is exceeded. This number is specified in the RETRIES variable, set in the /etc/default/login configuration file. See also the set-login-retries.fin script. For more information, refer to the loginlog(4) manual page.
This script automates the installation of the message-digest 5 (MD5) algorithm software. This software is used for creating digital fingerprints of file system objects and is referenced in the Sun BluePrints OnLine article titled "The Solaris Fingerprint Database - A Security Tool for Solaris Software and Files." By default, the MD5 software is installed in the directory specified by the JASS_MD5_DIR parameter.
This script installs the nddconfig file that is used to set more secure values for various networking parameters, based on the Sun BluePrints OnLine article, "Solaris Operating Environment Network Settings for Security."
This script adds the newaliases symbolic link to the /usr/lib/sendmail program. This link is required in some cases of minimized installations if the SUNWnisu package is not installed or is removed. This link is necessary for systems running Solaris OS versions 2.5.1 through 8, where newaliases was part of the SUNWnisu package.
Note - Use this script only for systems running Solaris OS versions 2.5.1 through 8. The Solaris 9 and 10 OS include a version of the Secure Shell software, so this script is not used if you install the Solaris 9 or 10 OS.
This script installs the OpenBSD version of OpenSSH into /opt/OBSDssh. The distribution for which this script is written is based on the Sun BluePrints OnLine article titled "Configuring OpenSSH for the Solaris Operating Environment." This script does not overwrite host keys if they exist.
The installation is based on having a Solaris OS, stream-formatted package called OBSDssh-3.5p1-sparc-sun4u-5.8.pkg in the JASS_PACKAGE_DIR directory.
This script installs patches from the JASS_HOME_DIR/Patches directory on the JumpStart server. The Recommended and Security Patch Clusters must be downloaded and extracted to the JASS_HOME_DIR/Patches directory for the script to execute properly.
This script adds the options specified in the JASS_SADMIND_OPTIONS environment variable to the sadmind daemon entry in /etc/inet/inetd.conf. For more information on this service, refer to the sadmind(1M) manual page.
This script displays the current status of the OpenBoot PROM security mode. This script does not set the EEPROM password directly; it is not possible to script the setting of the EEPROM password during a JumpStart installation. The output of the script provides instructions on how to set the EEPROM password from the command line. For more information on this capability, refer to the eeprom(1M) manual page.
This script adds the user shells specified in the JASS_SHELLS environment variable to the /etc/shells file. The Solaris OS function getusershell(3C) is the primary consumer of the /etc/shells file and uses it to determine which shells are valid on a system. For more information, refer to the shells(4) manual page. For more information about the JASS_SHELLS environment variable, see JASS_SHELLS.
Caution - Exercise care when using this script, because its changes cannot be undone automatically by the Solaris Security Toolkit software. Always ensure that the permissions set by this script are correct for your environment and applications.
This script changes a variety of permissions and ownerships to enhance security by restricting group and user access on a system.
This script is not used for the Solaris 10 OS, because the Solaris 10 OS has incorporated many permission and ownership changes. This script is not undoable, and the resulting support impact is no longer worth the security improvement given the changes to the Solaris 10 OS.
This script creates the /var/adm/sulog file, which enables logging of all superuser (su) attempts. For more information on this capability, refer to the sulog(4) manual page.
This script is automatically called by the driver.run program if the JASS_FILES parameter or any of its OS-specific values is not empty. This script automates the copying of file templates onto a target system. This functionality was originally in the driver.run script, but was separated to better support the verification of file templates. If needed, based on the contents of the JASS_FILES parameter, this script is the first finish script to run.
The following print finish scripts are described in this section:
This script prints out all the environment variables used in the Solaris Security Toolkit software. This script is provided for diagnostic purposes and is often called at the beginning of a driver so that the state of the environment variables can be recorded prior to their use.
This script prints out all the environment variables used by a JumpStart installation. This script is provided for diagnostic purposes to aid in debugging problems encountered during a JumpStart installation.
This script lists all the .rhosts and hosts.equiv files contained in any directory under the JASS_ROOT_DIR directory. The results are displayed on standard output unless the JASS_RHOSTS_FILE variable is defined. If this variable is defined, then all of the results are written to that file.
This script prints all files in any directory under the JASS_ROOT_DIR directory with set group ID permissions. The results are displayed on standard output unless the JASS_SGID_FILE variable is defined. If this variable is defined, all of the results are written to that file.
This script prints all files in any directory under the JASS_ROOT_DIR directory with set user ID permissions. The results are displayed on standard output unless the JASS_SUID_FILE variable is defined. If this variable is defined, all of the results are written to that file.
This script lists all files, directories, and other objects on a system, starting from JASS_ROOT_DIR, that do not have valid users or groups assigned to them. The results are displayed on standard output unless the JASS_UNOWNED_FILE variable is defined. If this variable is defined, then all of the results are written to that file.
This script lists all world-writable objects on a system, starting from JASS_ROOT_DIR. The results are displayed on standard output unless the JASS_WRITABLE_FILE variable is defined. If this variable is defined, then all of the results are written to that file.
The following remove finish script is described in this section:
The remove-unneeded-accounts.fin script removes unused Solaris OS accounts from the /etc/passwd and /etc/shadow files using the passmgmt command. This script removes those accounts defined by the JASS_ACCT_REMOVE variable.
The following set finish scripts are described in this section:
This script installs a service banner for the dtlogin service. This banner is presented to a user after successfully authenticating to a system using a graphical interface, such as is provided by the Common Desktop Environment (CDE) or the GNU Network Object Model Environment (GNOME). This script configures the system to display the contents of a file specified by the file template JASS_ROOT_DIR/etc/dt/config/Xsession.d/0050.warning. By default the contents of the /etc/motd file are displayed.
This script installs the File Transfer Protocol (FTP) service banner:
This script installs the Sendmail service banner defined by the variable JASS_BANNER_SENDMAIL. This banner is defined using the SmtpGreetingMessage or De parameter in the /etc/mail/sendmail.cf file. For Solaris OS versions 9 through 10, the SmtpGreetingMessage parameter is used.
For more information, refer to the sendmail(1M) manual page.
This script installs the Secure Shell service banner by configuring the Secure Shell service to display the contents of /etc/issue to the user prior to authenticating to the system. This task is accomplished by setting the Banner parameter to /etc/issue in the /etc/ssh/sshd_config file. For more information on this functionality, refer to the sshd_config(4) manual page.
This script installs the Telnet service banner defined by the variable JASS_BANNER_TELNET. This banner is defined using the BANNER variable in the /etc/default/telnetd file. For more information, refer to the in.telnetd(1M) manual page.
The Solaris 10 OS introduced several new tunables, which control the algorithms used for password encryption on a system. The new algorithms can be used for local password storage as well as name service-based storage with LDAP, NIS+, and NIS. The steps involved in enabling this feature for name services can be found in the Solaris 10 System Administration Guide: Security Services, "System, File, and Device Security" chapter.
This script enables the use of strong passwords by using different password hashing algorithms for locally stored passwords. Only the secure.driver expires all passwords, so that users are forced to pick new passwords, which are encrypted with the new encryption algorithm.
The tunables are added to the /etc/security/policy.conf files as follows:
The CRYPT_ALGORITHMS_ALLOW values map to the following:
The secure.driver passwords are expired if:
All other drivers display a message stating that passwords will be re-encrypted with the new encryption algorithm when users change their user passwords.
This script sets the default file creation mask for the FTP service:
This script sets the RETRIES variable in the /etc/default/login file to the value defined by the JASS_LOGIN_RETRIES variable. By reducing the logging threshold, additional information might be gained. The install-loginlog.fin script enables the logging of failed login attempts. For more information on this capability, refer to the login(1) manual page.
This script alters the configuration of /etc/default/power to restrict user access to power management functions using the JASS_POWER_MGT_USER and JASS_CPR_MGT_USER variables. As a result, access to the system's power management and suspend/resume functionality is controlled.
Note - Use this script only for systems running Solaris OS versions 2.6 through 10. Solaris OS versions 8 through 10 are configured to mount removable media with the nosuid option by default. This script performs the necessary checks regardless of the default settings.
This script adds two entries to the /etc/rmmount.conf file to disable mounting of Set-UID files. It is important to disable mounting, because someone with access to a system could insert a diskette or CD-ROM and load Set-UID binaries, thereby compromising the system. For more information on this capability, refer to the rmmount.conf(4) manual page.
This script changes the root user's primary group from group identifier 1 (GID 1, other) to the group defined by JASS_ROOT_GROUP, group identifier 0 (GID 0, root). This change prevents the root user from sharing a common group with non-privileged users.
Many Solaris security hardening scripts and procedures recommend giving the root account a home directory other than a single forward slash (/). Changing the home directory of the root account for the Solaris OS has benefits in security and system management and makes the Solaris OS more compatible with other UNIX systems, including Linux/*BSD:
By changing the root directory to /root, you remove the risk of getting the root user's dot files instead of your own dot files.
This script checks to see if the root account has a home directory of / in the /etc/passwd file, and if it does, the script:
This script automates setting the root password by setting the password to an initial value as defined by JASS_ROOT_PASSWORD. The password used in this script should be used only during installation and must be changed immediately after the JumpStart installation process has successfully completed. By default, the password used by the JASS_ROOT_PASSWORD parameter is t00lk1t.
Caution - When Solaris Security Toolkit runs in JumpStart mode, it sets the root password. If an undo operation is performed later, the root password reverts to its former setting of no password. That means anyone could log in to the root account with no password at all. Remember to set the root password with the passwd(1) command if you perform an undo operation immediately after a JumpStart installation.
This script installs stricter password requirements for users in their local environment. The passwd(1) command in the Solaris 10 OS defines a new set of features for stronger user passwords. The Solaris Security Toolkit software sets a number of these values to stronger than the default settings. This script ensures that the values defined by the JASS_PASS_* environment variables are written correctly to the /etc/default/passwd file for the various password checks. See Chapter 7 for definitions and values of these and other environment variables.
This script alters the configuration of /etc/default/sys-suspend to restrict user access to suspend and resume functionality based on the JASS_SUSPEND_PERMS variable. For more information, refer to the sys-suspend(1M) manual page.
This script ensures that all of the run-control scripts execute with a safe file-creation mask based on the setting of JASS_UMASK. This setting is important because using a poorly chosen file-creation mask could leave critical files writable by any user.
This script sets a default terminal type of vt100 to avoid issues with systems not recognizing dtterm. This script is mainly for use on systems that do not have graphical consoles and are generally accessed over a terminal console or other serial link. This script is provided as a convenience only and does not impact the security of the system.
This script installs a limit on the disk space that can be used as part of a tmpfs file system. This limit can help prevent memory exhaustion. The usable space is limited by default in this script to the value defined by JASS_TMPFS_LIMIT. For more information on this capability, refer to the mount_tmpfs(1M) manual page.
The changes implemented by this script configure the password policy of a system for the next time that passwords are changed on a system. This profile might need to be further tuned to ensure that applications and operational functions are not adversely impacted by the hardening process.
This script enables more strict password requirements by enabling:
This script accomplishes the requirements by using the values defined by the following variables to set the correct entries in the /etc/default/passwd file:
This script is especially recommended for systems with nonprivileged user access.
This script modifies only the settings in the /etc/default/passwd file. It does not enable password aging for any user. The password aging requirements are implemented for each user upon the next password change. To enable password aging for a user without waiting for a password change event, use the passwd(1) command.
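Several of the scripts in this chapter share one mechanism: writing a KEY=VALUE setting into a file under /etc/default or /etc/security (LOCK_AFTER_RETRIES in /etc/security/policy.conf, HISTORY and the other password checks in /etc/default/passwd, TCP_STRONG_ISS in /etc/default/inetinit, ENABLE_TCPWRAPPERS in /etc/default/inetd, RETRIES in /etc/default/login). The following added example, which is not the toolkit's own code, implements that setter once and applies it to the password policy described above. Of the variable names used, JASS_PASS_HISTORY appears on this page; JASS_PASS_LENGTH and JASS_PASS_MINDIFF follow the same naming pattern but are assumptions, as are the sample default values. File paths are parameters so the functions can be run against constructed copies.

```sh
#!/bin/sh
# Added example, not Solaris Security Toolkit code.

# set_default_var FILE KEY VALUE
# An active "KEY=..." line is rewritten in place (duplicates dropped), a
# commented "#KEY=..." template line is activated where it stands, and a
# missing key is appended.  A second run with the same value is a no-op.
# Values are passed through awk -v, so backslash sequences would be
# interpreted; the values used here contain none.
set_default_var() {
    file="$1"; key="$2"; value="$3"; tmp="${file}.tmp.$$"
    [ -f "$file" ] || : > "$file"
    awk -v key="$key" -v value="$value" '
        index($0, key "=") == 1 {                              # active setting
            if (!done) { print key "=" value; done = 1 }
            next
        }
        {
            l = $0; sub(/^#[ \t]*/, "", l)                     # "#HISTORY=0" template line
            if (!done && index(l, key "=") == 1) { print key "=" value; done = 1; next }
            print
        }
        END { if (!done) print key "=" value }                 # absent: append
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# get_default_var FILE KEY
# Prints the value of the active KEY= line (empty if unset or commented out).
get_default_var() {
    awk -v key="$2" 'index($0, key "=") == 1 { v = substr($0, length(key) + 2) } END { print v }' "$1"
}

# harden_passwd_defaults FILE
# Writes the password checks into a copy of /etc/default/passwd.  The
# defaults after ":-" are constructed for this example, not the toolkit's.
harden_passwd_defaults() {
    set_default_var "$1" PASSLENGTH "${JASS_PASS_LENGTH:-8}"     # JASS_PASS_LENGTH: assumed name
    set_default_var "$1" HISTORY    "${JASS_PASS_HISTORY:-10}"   # JASS_PASS_HISTORY: named on the page
    set_default_var "$1" MINDIFF    "${JASS_PASS_MINDIFF:-3}"    # JASS_PASS_MINDIFF: assumed name
}

# Demonstration on a constructed /etc/default/passwd and /etc/default/login.
demo() {
    d=$(mktemp -d)
    printf '%s\n' '#ident constructed sample' 'MAXWEEKS=' 'MINWEEKS=' 'PASSLENGTH=6' '#HISTORY=0' \
        > "$d/passwd"
    harden_passwd_defaults "$d/passwd"
    set_default_var "$d/login" RETRIES "${JASS_LOGIN_RETRIES:-3}"
    set_default_var "$d/inetinit" TCP_STRONG_ISS 2
    set_default_var "$d/inetd" ENABLE_TCPWRAPPERS YES
    for f in passwd login inetinit inetd; do echo "== $f"; cat "$d/$f"; done
    rm -rf "$d"
}
case "${1:-}" in demo) demo ;; esac
```

Activating a commented template line in place, rather than appending, keeps the vendor file's layout intact so that a later diff against the shipped /etc/default file shows only the intended change.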
This script sets the default file creation mask (UMASK) to the value defined by JASS_UMASK for the following user startup files: /etc/.login, /etc/profile, /etc/skel/local.cshrc, /etc/skel/local.login, /etc/skel/local.profile, and /etc/default/login.
The following update finish scripts are described in this section:
This script adds the accounts listed in JASS_AT_DENY to the /etc/cron.d/at.deny file. This script prevents those users from using at and batch facilities. This script is used with the install-at-allow.fin file to determine access to at and batch facilities. For more information on this capability, refer to the at(1) manual page.
This script adds the accounts listed in JASS_CRON_ALLOW to the /etc/cron.d/cron.allow file. This script allows those users to use the cron facility. This script is used with the update-cron-deny.fin script to determine access to the cron facility. For more information on this capability, refer to the crontab(1) manual page.
This script adds the accounts listed in JASS_CRON_DENY to the /etc/cron.d/cron.deny file. This script prevents those users from accessing the cron facility. This script is used with the update-cron-allow.fin script to determine access to the cron facility. This script does not disable access for the root account user. For more information on this capability, refer to the crontab(1) manual page.
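The at.allow, at.deny, cron.allow, cron.deny and ftpusers scripts described in this chapter all add each listed account to a file only if it is not already there. The following is an added example of that behaviour, not the toolkit's own code. File paths are parameters; the account lists in the demonstration are constructed sample values (the ftpusers list uses the system accounts the ftpusers description names as examples), not the toolkit's shipped defaults.

```sh
#!/bin/sh
# Added example, not Solaris Security Toolkit code.

# append_unique_users FILE "user1 user2 ..."
# Appends every account in the space-separated list that is not already an
# exact line of FILE, creating the file and its directory if needed, and
# prints the number of accounts added (0 on a repeat run).
append_unique_users() {
    file="$1"; list="$2"
    mkdir -p "$(dirname "$file")"
    [ -f "$file" ] || : > "$file"
    added=0
    for u in $list; do                       # unquoted on purpose: split the list on whitespace
        # -x matches whole lines, -F disables regex, -- guards odd names
        if ! grep -q -x -F -- "$u" "$file"; then
            printf '%s\n' "$u" >> "$file"
            added=$((added + 1))
        fi
    done
    echo "$added"
}

# user_listed FILE USER
# Prints "yes" if USER is an exact line of FILE, "no" otherwise (including
# when FILE does not exist).
user_listed() {
    if grep -q -x -F -- "$2" "$1" 2>/dev/null; then echo yes; else echo no; fi
}

# Demonstration against a constructed root directory standing in for
# JASS_ROOT_DIR.  The ftpusers path is the Solaris 9/10 location; the page
# notes the path varies by release.
demo() {
    root=$(mktemp -d)
    echo "at.allow:  $(append_unique_users "$root/etc/cron.d/at.allow" "root") added"
    echo "cron.deny: $(append_unique_users "$root/etc/cron.d/cron.deny" "daemon bin nuucp listen nobody noaccess") added"
    echo "ftpusers:  $(append_unique_users "$root/etc/ftpd/ftpusers" "root bin uucp smtp sys") added"
    echo "ftpusers again: $(append_unique_users "$root/etc/ftpd/ftpusers" "root bin uucp smtp sys") added"
    echo "root in ftpusers: $(user_listed "$root/etc/ftpd/ftpusers" root)"
    rm -rf "$root"
}
case "${1:-}" in demo) demo ;; esac
```

The exact-line match matters: a substring check would treat a listed account such as "bin" as already covering "sbin" and silently skip it.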
This script adjusts the maximum limit used for storing cron log information:
The size limit used by this script is determined by the JASS_CRON_LOG_SIZE environment variable. By default, the limit defined by the Solaris OS is 0.5 megabytes.
This script disables all inetd-started services listed in the JASS_SVCS_DISABLE variable and enables the services listed in the JASS_SVCS_ENABLE variable. If the same service appears in both variables, the service is enabled, because JASS_SVCS_ENABLE takes precedence.
All inetd services in the base OS, including common services such as in.telnetd, in.ftpd, and in.rshd, are disabled by default in Solaris OS versions 2.5.1 through 10.
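The enable/disable logic described above, including the precedence rule, as an added example that is not the toolkit's code. It edits an inetd.conf-style file (the /etc/inet/inetd.conf format referred to elsewhere in this chapter): a service is disabled by commenting out its line and enabled by removing the comment marker, and a service named in both lists ends up enabled. The file path is a parameter and the inetd.conf contents in the demonstration are constructed sample entries.

```sh
#!/bin/sh
# Added example, not Solaris Security Toolkit code.

# update_inetd_conf FILE "disable list" "enable list"
# Entries look like "<name> <stream|dgram|raw|seqpacket|tli> ..."; anything
# else (headers, blank lines) passes through untouched.  The enable list is
# checked first so that it wins over the disable list, as the text states.
update_inetd_conf() {
    file="$1"; tmp="${file}.tmp.$$"
    awk -v disable=" $2 " -v enable=" $3 " '
        {
            body = $0; sub(/^#[ \t]*/, "", body)                 # entry text without comment marker
            if (body !~ /^[^ \t#]+[ \t]+(stream|dgram|raw|seqpacket|tli)[ \t]/) { print; next }
            svc = body; sub(/[ \t].*$/, "", svc)                 # first field is the service name
            if (index(enable, " " svc " ") > 0)  { print body; next }       # enable wins
            if (index(disable, " " svc " ") > 0) { print "#" body; next }
            print                                                           # not mentioned: unchanged
        }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# service_enabled FILE SERVICE
# Prints "yes" if an uncommented entry for SERVICE exists, else "no".
service_enabled() {
    awk -v svc="$2" '
        /^[ \t]*#/ { next }
        { n = $0; sub(/[ \t].*$/, "", n); if (n == svc) found = 1 }
        END { print (found ? "yes" : "no") }
    ' "$1"
}

# Demonstration: ftp is in both lists and therefore stays enabled.
demo() {
    f=$(mktemp)
    printf '%s\n' '# constructed inetd.conf sample' \
        'ftp     stream  tcp6    nowait  root    /usr/sbin/in.ftpd       in.ftpd -a' \
        'telnet  stream  tcp6    nowait  root    /usr/sbin/in.telnetd    in.telnetd' \
        'shell   stream  tcp     nowait  root    /usr/sbin/in.rshd       in.rshd' \
        '#finger stream  tcp6    nowait  nobody  /usr/sbin/in.fingerd    in.fingerd' \
        '100232/10 tli   rpc/udp wait    root    /usr/sbin/sadmind       sadmind' > "$f"
    update_inetd_conf "$f" "ftp telnet shell finger" "ftp"
    cat "$f"
    for s in ftp telnet shell finger 100232/10; do echo "$s: $(service_enabled "$f" "$s")"; done
    rm -f "$f"
}
case "${1:-}" in demo) demo ;; esac
```

Matching on the first field only, and with surrounding spaces in the list lookup, avoids the classic mistake of a substring match where disabling ftp would also catch tftp.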
Product-specific finish scripts are for hardening specific Sun products. These scripts are in the Finish directory. TABLE 5-1 lists product-specific finish scripts.
New finish scripts are released periodically to harden new and updated Sun products. For the latest list of scripts, refer to the Security Web site:
This script automates the configuration of a system as a Sun Cluster 3.x node. This script installs the cluster keyword into the /etc/nsswitch.conf file to simplify deploying Sun Cluster 3.x systems. The keyword should be located in the hosts field. For more information, refer to the Sun BluePrints OnLine article titled "Securing Sun Cluster 3.x Software."
This script enables the use of static ARP addresses on the I1 MAN network. The I1 MAN network is a network internal to the Sun Fire high-end systems chassis, which is used for TCP/IP-based communication between the SCs and domains. By using static ARP instead of dynamic ARP, several ARP-based attacks against the SC no longer have any effect.
The following four files are used by the Sun Fire high-end systems optional s15k-static-arp.fin script:
For more information, refer to the Sun BluePrints OnLine article titled "Securing the Sun Fire 12K and 15K System Controller" and the article titled "Securing the Sun Fire 12K and 15K Domains."
This script disables TCP/IP connectivity between the SC and one or more domains. For more information, refer to the Sun BluePrints OnLine article titled "Securing the Sun Fire 12K and 15K System Controller."
This script automates enabling the use of Secure Shell by the failover daemon fomd. This script automates much of the Secure Shell configuration, in addition to disabling the use of legacy r* services.
For more information, refer to the Sun BluePrints OnLine article titled "Securing the Sun Fire 12K and 15K System Controller."