Solaris Security Toolkit 4.2 Administration Guide

This chapter provides instructions for downloading, upgrading or installing, and running the Solaris Security Toolkit software and other security-related software. Included are instructions for configuring your environment for either stand-alone or JumpStart mode, and for obtaining support.

Follow the instructions and process provided in this section to upgrade or install, configure, and execute the software. These instructions include downloading additional security software, helpful examples, and guidelines.

Although the Solaris Security Toolkit software is a stand-alone product, it is most effective when used with the additional security software provided for downloading. This software includes the latest Recommended and Security Patch Cluster from SunSolve OnLine, Secure Shell software for Solaris OS releases that do not include it, permission and ownership modification software to tighten Solaris OS and third-party software permissions, and integrity validation binaries to validate the integrity of Sun files and executables.

This chapter contains the following tasks:

• Performing Planning and Preinstallation Tasks
• Software Dependencies
• Determining Which Mode to Use
• Upgrading Procedures
• Downloading Security Software
• Customizing Security Profiles
• Installing and Executing the Software
• Validating the System Modifications

---

Performing Planning and Preinstallation Tasks

Proper planning is key to successfully using the Solaris Security Toolkit software to secure systems. See Chapter 2 for detailed information about planning before you install the software.

If you are installing the software on a deployed system, see Performing Preinstallation Tasks for information about performing preinstallation tasks prior to installing the software on deployed systems.

---

Software Dependencies

The Solaris Security Toolkit 4.2 software depends upon the SUNWloc package. The absence of this package causes the Solaris Security Toolkit to fail.

See Supported Solaris OS Versions for information about supported versions of the Solaris Operating System.

See Supported SMS Versions for information about supported versions of the System Management Services (SMS) software.

---

Determining Which Mode to Use

Harden systems during or immediately after the OS installation, to limit the period a system might be exposed to attack while in an unsecured state. Before using the Solaris Security Toolkit software to secure a system, configure the Solaris Security Toolkit software to run properly in your environment.

The Solaris Security Toolkit software has a modular framework. If you are not using the JumpStart product, the flexibility of the Solaris Security Toolkit software's framework enables you to efficiently prepare for using JumpStart later. If you are using JumpStart, you benefit from the Solaris Security Toolkit software's ability to integrate into existing JumpStart architectures.

The following sections describe the stand-alone and JumpStart modes.

Stand-alone Mode

The Solaris Security Toolkit software runs directly from a Solaris OS shell prompt in stand-alone mode. This mode enables you to use the Solaris Security Toolkit software on those systems that require security modifications or updates, yet cannot be taken out of service to reinstall the OS from scratch. However, whenever possible, operating systems should be reinstalled from scratch prior to being secured.

Stand-alone mode is particularly useful when hardening a system after installing patches or third-party software. You can run the Solaris Security Toolkit software multiple times on a system with no ill effects. Patches might overwrite or modify files the Solaris Security Toolkit software has modified; by rerunning the Solaris Security Toolkit software, any security modifications negated by the patch installation can be reimplemented.

The stand-alone mode is one of the best options to harden a deployed system as quickly as possible. No special steps are required to integrate the Solaris Security Toolkit software into an architecture without JumpStart, other than those steps in the downloading and installing instructions provided in Downloading Security Software.

JumpStart Mode

JumpStart technology, which is Sun's network-based Solaris OS installation mechanism, can run Solaris Security Toolkit scripts during the installation process. This book assumes that the reader is familiar with JumpStart technology and has an existing JumpStart environment available. For more information about JumpStart technology, refer to the Sun BluePrints book JumpStart Technology: Effective Use in the Solaris Operating Environment.

The Solaris Security Toolkit 4.2 package is relocatable, so that it can be installed to whatever directory you want by using the correct options to the pkgadd command. JASS_HOME_DIR becomes the base directory of the JumpStart server.

Only a few steps are required to integrate the Solaris Security Toolkit software into a JumpStart architecture. See Chapter 5 for instructions on how to configure a JumpStart server.

---

Upgrading Procedures

This section contains information about how to upgrade your system from Solaris Security Toolkit 4.0 and 4.1 software to Solaris Security Toolkit 4.2 software, with and without upgrading your Solaris OS. The system is hardened by using the Solaris Security Toolkit software on your Solaris operating system. The procedures are the same whether upgrading from version 4.0 or 4.1. The procedures given here are very important to use as prescribed, because they will prevent you from overwriting all your prior customizing.

Caution - Only one version of the Solaris Security Toolkit can be installed at any one time.

The Solaris Security Toolkit 4.2 software provides a new enhancement to the pkgrm command. With this release, the first step in the pkgrm command checks the integrity of all files included in the distribution. If any files are different, the pkgrm command exits with an error message that tells the system administrator either to put the correct file in place or to remove the modified file.

The drivers are in the Drivers subdirectory where Solaris Security Toolkit is installed. User-written drivers are placed there, too. When removing SUNWjass with the pkgrm command, it removes the Solaris Security Toolkit-provided drivers and user-modified drivers, but leaves any custom drivers the user have added, assuming the custom drivers have different names than Solaris Security Toolkit-provided drivers.

Caution - If a driver was modified, it mustbe saved before upgrading. Nevermodify the original files distributed with the Solaris Security Toolkit software. Instead of modifying a driver file, copy the driver file to a new file, then modify the new file.

1. Follow the best practice that is available for upgrading your system; that is, backing it up or using Solaris upgrade.

2. Uninstall the previous version of Solaris Security Toolkit software.

3. Install Solaris Security Toolkit 4.2 software.

4. Run Solaris Security Toolkit 4.2 software in audit mode against the upgraded system using the previous Solaris Security Toolkit drivers and user-specified drivers.

User-specified drivers must be in the Drivers directory. If they are, then they can be specified for a jass-execute or hardening run.

5. Do one of the following:

a. If there are no errors, go to step 6.

b. If errors are generated during the run (for examples, a non-installed run control script is modified, or a service should be controlled using an FMRI), fix those errors, and repeat steps 4 and 5 until no more errors are generated.

6. Compare your customized driver against the secure.driver to determine if any new finish or audit scripts should be added to your customized driver.

7. Do one of the following:

a. If no scripts are missing, go to step 8.

b. If any scripts are missing, add those missing scripts, and repeat steps 4, 5, 6, and 7 until all necessary scripts are included.

8. Run Solaris Security Toolkit 4.2 in hardening mode.

9. Run Solaris Security Toolkit 4.2 in audit mode, and ensure there are no errors.

10. Review the security configuration and posture of the system to determine if it complies with security requirements.

11. Do one of the following:

a. If the system is compliant, go to step 12.

b. If the system is not compliant, update the driver being used, and return to step 8.

12. Fully test the system to ensure that the system provides required network services and all applications are fully functional.

13. If any errors are encountered, update the driver being used, and return to step 8.

This completes the upgrade.

1. Uninstall the previous version of Solaris Security Toolkit software.

2. Install Solaris Security Toolkit 4.2 software.

3. Go to step 4 of To Upgrade Solaris Security Toolkit Software and the Solaris Operating System.

Upgrading the Solaris OS Only

If you are only upgrading the Solaris OS and already have Solaris Security Toolkit 4.2 software installed (for example, upgrading from Solaris 8 OS to Solaris 10 OS), you do not need to uninstall the Solaris Security Toolkit 4.2 software. After you finish the Solaris OS upgrade, run Solaris Security Toolkit 4.2 in audit mode, and review the system security configuration to ensure there are no errors.

---

Downloading Security Software

The first stage in hardening a system requires downloading additional software security packages onto the system you want to secure. This section covers the following tasks:

• Downloading Solaris Security Toolkit Software
• Downloading Recommended Patch Cluster Software
• Downloading FixModes Software
• Downloading OpenSSH Software
• Downloading the MD5 Software

Downloading Solaris Security Toolkit Software

The Solaris Security Toolkit software is distributed in Solaris OS package format. First download the Solaris Security Toolkit software, then install it on the server on which you are using the Solaris Security Toolkit software in stand-alone mode or on a JumpStart server for JumpStart mode.

Throughout the rest of this guide, the JASS_HOME_DIR environment variable refers to the root directory of the Solaris Security Toolkit software, which is by default /opt/SUNWjass.

1. Download the software distribution file (SUNWjass-n.n.pkg.tar.Z).

The source file is located at:

http://www.sun.com/security/jass

2. Extract the software distribution file into a directory on the server by using the uncompress command:

# uncompress SUNWjass-n.n.pkg.tar.Z

3. Untar the software distribution package by using the tar command:

# tar -xvf SUNWjass-n.n.pkg.tar

4. Install the software distribution file into a directory on the server using the pkgadd command as shown:

# pkgadd -d SUNWjass-n.n.pkg SUNWjass

where n.n is the most current version that you are downloading.

Executing this command creates the SUNWjass directory in /opt. This subdirectory contains all the Solaris Security Toolkit directories and associated files.

Downloading Recommended Patch Cluster Software

Patches are released by Sun to provide Solaris OS fixes for performance, stability, functionality, and security. It is critical to the security of a system that the most up-to-date patch cluster is installed. To ensure that the latest Solaris OS Recommended and Security Patch Cluster is installed on your system, this section describes how to download the latest patch cluster.

Before you install a patch cluster, review individual patch README files and other information provided. The information often contains suggestions and information helpful to know before installing a patch cluster.

1. Download the latest patch cluster from the SunSolve OnLine web site at:

http://sunsolve.sun.com

2. Click the Patches link on the right-hand navigation bar.

3. Click the Recommended Patch Clusters link.

4. Select the appropriate Solaris OS version in the Recommended Solaris Patch Clusters box.

In our example, we select Solaris 10 OS.

5. Select the best download option, either HTTP or FTP, with the associated radio button, then click Go.

A Save As dialog box is displayed in your browser window.

6. Save the file locally.

7. Move the file securely to the system being hardened.

Use the secure copy command, scp(1), or another method that provides secure file transfer.

Use the scp command as follows:

# scp 10_Recommended.zip target01:

8. Move the file to the /opt/SUNWjass/Patches directory and uncompress it.

For example:

# cd /opt/SUNWjass/Patches

# mv /directory in which file was saved/10_Recommended.zip .

# unzip 10_Recommended.zip

Archive:     10_Recommended.zip

   creating: 10_Recommended/

  inflating: 10_Recommended/CLUSTER_README 

  inflating: 10_Recommended/copyright 

  inflating: 10_Recommended/install_cluster 

[. . .]

The patch cluster software is installed automatically after you download the other security packages and execute the Solaris Security Toolkit software.

Downloading FixModes Software

FixModes is a software package that tightens the default Solaris OS directory and file permissions. Tightening these permissions can significantly improve overall security. More restrictive permissions make it even more difficult for malicious users to gain privileges on a system.

1. Download the FixModes precompiled binaries from:

http://www.sun.com/security/jass

The FixModes software is distributed as a precompiled and compressed package version file formatted for Solaris OS systems. The file name is SUNBEfixm.pkg.Z.

2. Move the file securely to the system being hardened by using the scp command, or another method that provides secure file transfer.

Use the scp command as follows:

# scp SUNBEfixm.pkg.Z target01:

3. Uncompress and save the file, SUNBEfixm.pkg.Z, in the Solaris Security Toolkit Packages directory in /opt/SUNWjass/Packages, with the following commands:

# uncompress SUNBEfixm.pkg.Z

# mv SUNBEfixm.pkg /opt/SUNWjass/Packages/

Later, the FixModes software is installed automatically after downloading all the other security packages and executing the Solaris Security Toolkit software.

Downloading OpenSSH Software

In any secured environment, the use of encryption in combination with strong authentication is required to protect user-interactive sessions. At a minimum, network access must be encrypted.

The tool most commonly used to implement encryption is Secure Shell software, either a version bundled with the Solaris OS, a third-party commercial version, or a freeware version. To implement all the security modifications performed by the Solaris Security Toolkit software, you must include a Secure Shell software product.

Executing the Solaris Security Toolkit software disables all unencrypted user-interactive services and daemons on the system, in particular daemons such as in.telnetd, in.ftpd, in.rshd, and in.rlogind.

Secure Shell enables you to gain access to the system as you would using Telnet and FTP.

Obtain the following Sun BluePrints OnLine article or Sun BluePrints book, and use the instructions for downloading the software:

• A Sun BluePrints OnLine article about how to compile and deploy OpenSSH titled "Building and Deploying OpenSSH on the Solaris Operating Environment" is available at:

http://www.sun.com/blueprints

• The Sun BluePrints publication Secure Shell in the Enterprise is available at book stores.

After downloading all the other security packages and executing the Solaris Security Toolkit software, the OpenSSH software is installed automatically.

Caution - Do notcompile OpenSSH on the system being hardened, and do notinstall the compilers on the system being hardened. Use a separate Solaris OS system--running the same Solaris OS version, architecture, and mode (for example, Solaris 8 OS, Sun4U(sun4u), and 64-bit)--to compile OpenSSH. If you implement a commercial version of SSH, no compilation is required. The goal is to limit the availability of compilers to potential intruders. However, refraining from installing compilers locally on a system does notprovide significant protection against determined attackers, because they can still install precompiled tools.

Downloading the MD5 Software

The MD5 software generates MD5 digital fingerprints on the system being hardened. Generate the digital fingerprints, then compare them with what Sun has published as correct, to detect system binaries that are altered or hidden inside something that appears safe (trojaned) by unauthorized users. By modifying system binaries, attackers provide themselves with backdoor access onto a system; they hide their presence and could cause systems to operate in unstable manners.

1. Download the MD5 binaries from the following web site:

http://www.sun.com/security/jass

The MD5 programs are distributed as a compressed package version file.

2. Move the file SUNBEmd5.pkg.Z securely to the system being hardened with the scp command, or another method that provides secure file transfer.

Use the scp command as follows:

# scp SUNBEmd5.pkg.Z target01:

3. Uncompress and move the file to the Solaris Security Toolkit Packages directory in /opt/SUNWjass/Packages, using a command similar to the following:

# uncompress SUNBEmd5.pkg.Z

# mv SUNBEmd5.pkg /opt/SUNWjass/Packages/

After the MD5 software is saved to the /opt/SUNWjass/Packages directory, the execution of the Solaris Security Toolkit software installs the software.

After the MD5 binaries are installed, you can use them to verify the integrity of executables on the system through the Solaris fingerprint database. More information on the Solaris fingerprint database is available in the Sun BluePrints OnLine article titled "The Solaris Fingerprint Database -- A Security Tool for Solaris Software and Files."

4. (Optional) Download and install Solaris Fingerprint Database Companion and Solaris Fingerprint Database Sidekick software from the Sun BluePrint web site at:

http://www.sun.com/blueprints/tools

Install and use these optional tools with the MD5 software. These tools simplify the process of validating system binaries against the database of MD5 checksums. Use these tools frequently to validate the integrity of the Solaris OS binaries and files on a secured system.

These tools and instructions for downloading them are in the Sun BluePrints OnLine article titled "The Solaris Fingerprint Database -- A Security Tool for Solaris Software and Files."

The integrity of the security tools downloaded should be verified. Before installing and running the Solaris Security Toolkit software and additional security software, validate integrity by using MD5 checksums. On the download page of the Solaris Security Toolkit, MD5 checksums are available for this purpose.

---

Customizing Security Profiles

A variety of security profile templates are included with the Solaris Security Toolkit software distribution as drivers. The security profiles implemented by these drivers disable services that are not required and enable optional security features disabled by the secure.driver. As mentioned in the previous chapter, the default security profile and changes made by these drivers might not be appropriate for your systems.

Before running the Solaris Security Toolkit software, review and customize the default security profiles for your environment, or develop new ones. Techniques and guidelines for customizing security profiles are provided in the Solaris Security Toolkit 4.2 Reference Manual.

---

Installing and Executing the Software

It is important that the following preliminary tasks be completed prior to executing the Solaris Security Toolkit software. Most of the hardening is done automatically when you execute the Solaris Security Toolkit software.

• Download the additional security software and the Solaris Security Toolkit software on the system you want to harden or on the JumpStart server. See Downloading Security Software.
• Configure your system for stand-alone or JumpStart mode. See Determining Which Mode to Use.
• Customize the Solaris Security Toolkit software for your environment, if needed.
• Before installing and running the Solaris Security Toolkit software and additional security software, validate their integrity through the use of MD5 checksums.

You can execute the Solaris Security Toolkit software directly from the command line or from a JumpStart server.

For command-line options and other information about executing the software, see one of the following:

• Executing the Software in Stand-alone Mode
• Executing the Software in JumpStart Mode

Executing the Software in Stand-alone Mode

CODE EXAMPLE 3-2 shows a sample of command-line usage in stand-alone mode.

# ./jass-execute -h

usage:

To apply this Toolkit to a system, using the syntax:

   jass-execute [-r root_directory -p os_version ]

      [ -q | -o output_file ] [ -m e-mail_address ]

      [ -V [3|4] ] [ -d ] driver

To undo a previous application of the Toolkit from a system:

   jass-execute -u [ -b | -f | -k ] [ -q | -o output_file ]

      [ -m e-mail_address ] [ -V [3|4] ]

To audit a system against a pre-defined profile:

   jass-execute -a driver [ -V [0-4] ] [ -q | -o output_file ]

      [ -m e-mail_address ]

To remove saved files from a previous run of the Toolkit:

   jass-execute -c [ -q | -o output_file ]

      [ -m e-mail_address ] [ -V [3|4] ]

To display the history of Toolkit applications on a system:

   jass-execute -H

To display the last application of the Toolkit on a system:

   jass-execute -l

To display this help message:

   jass-execute -h

   jass-execute -?

To display version information for this program:

   jass-execute -v

#

TABLE 3-1 lists the command-line options available and describes each.

For detailed information about the options available with jass-execute command in stand-alone mode, see the following sections:

• Audit Option
• Clean Option
• Display Help Option
• Driver Option
• Email Notification Option
• Execute History Option
• Most Recent Execute Option
• Output File Option
• Quiet Output Option
• Root Directory Option
• Undo Option

For a complete listing of available drivers, see Drivers Directory. Newer versions of the software might contain additional drivers.

1. Execute the secure.driver (or a product-specific script such as sunfire_15k_sc-secure.driver) as follows:

# ./jass-execute -d secure.driver

[NOTE] The following prompt can be disabled by setting

JASS_NOVICE_USER to 0.

[WARN] Depending on how the Solaris Security Toolkit is configured,

it is both possible and likely that by default all remote shell

and file transfer access to this system will be disabled upon

reboot effectively locking out any user without console access to

the system.

Are you sure that you want to continue? (YES/NO) [NO]

y

[NOTE] Executing driver, secure.driver

===============================================================

secure.driver: Driver started.

===============================================================

===============================================================

Solaris Security Toolkit Version: 4.2.0

Node name:                        ufudu

Zone name:                        global

Host ID:                          8085816e

Host address:                     10.8.31.115

MAC address:                      8:0:20:85:81:6e

OS version:                       5.10

Date:                             Tue Jul 5 16:28:24 EST 2005

===============================================================

[...]

For a complete listing of available drivers, see Drivers Directory. Newer versions of the software might contain additional drivers.

2. After running the Solaris Security Toolkit software on a system, reboot the system to implement the changes.

During hardening, a variety of modifications are made to the configuration of the client. These modifications might include disabling startup scripts for services, disabling options for services, and installing new binaries or libraries through patches. Until the client is restarted, these modifications might not be enabled.

3. After rebooting the system, verify the correctness and completeness of the modifications.

See Validating the System Modifications.

4. If any errors are encountered, fix them and run the Solaris Security Toolkit software again in stand-alone mode.

Audit Option

Through the -a option, the Solaris Security Toolkit software can perform an audit run to determine if a system is in compliance with its security profile. This run validates not only if system file modifications made are still active, but also if previously disabled processes are running or removed software packages are reinstalled. For more information on this function, see Chapter 6.

Synopsis of command-line usage to audit a system against a security profile:

# jass-execute -a driver [ -V [0-4] ] [ -q | -o output-file ] [ -m email-address ]

Clean Option

The -c option removes saved files from a previous run of the Solaris Security Toolkit. You can use the quiet (-q), output (-o), mail (-m), and verbosity (-V) options with the clean option.

CODE EXAMPLE 3-4 shows an example of using the -c option, which produces output similar to the following:

# bin/jass-execute -c

Executing driver, clean.driver

Please select Solaris Security Toolkit runs to clean:

1.  July 15, 2005 at 11:41:02 (/var/opt/SUNWjass/run/20050715114102)

2.  July 15, 2005 at 11:44:03 (/var/opt/SUNWjass/run/20050715114403)

Choice ('q' to exit)?  2

[NOTE] Cleaning previous run from /var/opt/SUNWjass/run/20050715114403

==============================================================================

clean.driver: Driver started.

==============================================================================

==============================================================================

Toolkit Version: 4.2.0

Node name:       sstzone

Zone name:       sstzone

Host ID:         80cb346c

Host address:    10.8.28.45

MAC address:     8:0:20:cb:34:6c

OS version:      5.10

Date:            Fri Jul 15 11:44:58 PDT 2005

==============================================================================

clean.driver: Performing CLEANUP of /var/opt/SUNWjass/run/20050715114403.

==============================================================================

==============================================================================

clean.driver: Driver finished.

==============================================================================

==============================================================================

[SUMMARY] Results Summary for CLEAN run of clean.driver

[SUMMARY] The run completed with a total of 1 script run.

[SUMMARY] There were  Failures in   0 Scripts

[SUMMARY] There were  Errors   in   0 Scripts

[SUMMARY] There were  Warnings in   0 Scripts

[SUMMARY] There was a Note     in   1 Script

[SUMMARY] Notes Scripts listed in:

          /var/opt/SUNWjass/run/20050715114403/jass-clean-script-notes.txt

==============================================================================

Display Help Option

The -h option displays the jass-execute help message, which provides an overview of the available options.

The -h option produces output similar to the following:

# ./jass-execute -h

To apply this Toolkit to a system, using the syntax:

   jass-execute [-r root_directory -p os_version ]

      [ -q | -o output_file ] [ -m e-mail_address ]

      [ -V [3|4] ] [ -d ] driver

To undo a previous application of the Toolkit from a system:

   jass-execute -u [ -b | -f | -k ] [ -q | -o output_file ]

      [ -m e-mail_address ] [ -V [3|4] ]

To audit a system against a pre-defined profile:

   jass-execute -a driver [ -V [0-4] ] [ -q | -o output_file ]

      [ -m e-mail_address ]

To remove saved files from a previous run of the Toolkit:

   jass-execute -c [ -q | -o output_file ]

      [ -m e-mail_address ] [ -V [3|4] ]

To display the history of Toolkit applications on a system:

   jass-execute -H

To display the last application of the Toolkit on a system:

   jass-execute -l

To display this help message:

   jass-execute -h

   jass-execute -?

To display version information for this program:

   jass-execute -v

Note that just the driver name should be specified when using the

'-d' or '-a' options. A path need not be specified as the script

is assumed to exist in the Drivers directory.

The '-u' undo option is mutually exclusive with the '-d' and '-a'

options. The default undo behavior is to ask the user what to do if

a file to be restored has been modified as the checksum is

incorrect.

The -u option can be combined with the '-k', '-b', or '-f' to

override the default interactive behavior. The use of one of these

options is required when run in quiet mode ('-q').

The '-k' option can be used to always keep the current file and

backup if checksum is incorrect. The 'b' can be used to backup the

current file and restore original if the checksum is incorrect.

The 'f' option will always overwrite the original if the checksum

is incorrect, without saving the modified original.

Driver Option

The -d driver option specifies the driver to be run in stand-alone mode.

You must specify a driver with the -d option. The Solaris Security Toolkit software prepends Drivers/ to the name of the script added. You need to enter only the script name on the command line.

A jass-execute hardening run using the -d driver option produces output similar to the following:

# ./jass-execute -d secure.driver

[...]

[NOTE] Executing driver, secure.driver

===============================================================

secure.driver: Driver started.

===============================================================

===============================================================

Solaris Security Toolkit Version: 4.2.0

Node name:                        ufudu

Zone name:                        global

Host ID:                          8085816e

Host address:                     10.8.31.115

MAC address:                      8:0:20:85:81:6e

OS version:                       5.10

Date:                             Tue Jul 5 16:28:24 EST 2005

===============================================================

[...]

Email Notification Option

The -m e-mail_address option provides a mechanism by which stand-alone audit, clean, hardening, and undo output can be emailed automatically by the Solaris Security Toolkit software when the run completes. The email report is in addition to any logs generated on the system using other options and local logs created by the Solaris Security Toolkit software.

A Solaris Security Toolkit run calling sunfire_15k_sc-config.driver using the email option would be similar to the following:

# ./jass-execute -m root -d sunfire_15k_sc-config.driver 

[...]

Execute History Option

The -H option provides a simple mechanism to determine how many times the Solaris Security Toolkit software has been run on a system. All runs are listed regardless of whether they have been undone.

The -H option produces output similar to the following:

# ./jass-execute -H 

Note: This information is only applicable for applications of

      the Solaris Security Toolkit starting with version 0.3.

The following is a listing of the applications of the Solaris

Security Toolkit on this system. This list is provided in

reverse chronological order:

1.   June 31, 2004 at 12:20:19 (20040631122019) (UNDONE)

2.   June 31, 2004 at 12:10:29 (20040631121029)

3.   June 31, 2004 at 12:04:15 (20040631120415)

The output indicates that the Solaris Security Toolkit software was run on this system three times and that the most recent run was undone.

Most Recent Execute Option

The -l option provides a mechanism to determine the most recent run. This is always the most recent run listed by the -H option as well.

The -l option provide output similar to the following:

# ./jass-execute -l 

Note: This information is only applicable for applications of

      the Solaris Security Toolkit starting with version 4.2.0.

The last application of the Solaris Security Toolkit was:

1.   June 31, 2005 at 12:20:19 (20040631122019) (UNDONE)

Output File Option

The -o output_file option redirects the console output of jass-execute runs to a separate output_file. You can specify a fully qualified path name for the output_file.

This option has no effect on the logs kept in the JASS_REPOSITORY directory. This option is particularly helpful when performed over a slow terminal connection. There can be a significant amount of output generated by a Solaris Security Toolkit run depending on the verbosity_level specified.

You can use this option with the -a, -d, or -u options.

The -o option produces output similar to the following:

# ./jass-execute -o /var/tmp/root/jass-output.txt -d secure.driver 

[NOTE] Executing driver, secure.driver

[NOTE] Recording output to /var/tmp/root/jass-output.txt

Quiet Output Option

The -q option disables Solaris Security Toolkit output from going to the console during a hardening run.

This option has no effect on the logs kept in the JASS_REPOSITORY directory. Similar to the -o option, this option is particularly helpful when running the Solaris Security Toolkit software through a cron job or over slow network connections.

You can use this option with the -a, -c, -d, or -u options.

The -q option produces output similar to the following:

# ./jass-execute -q -d secure.driver

[NOTE] Executing driver, secure.driver

Root Directory Option

The -r root-directory option is for specifying the root directory used during jass-execute runs. Using the -r option also requires using the -p option to specify the platform (OS) version. The format of the -p option is equivalent to that produced by uname -r.

The root directory is / and is defined by the Solaris Security Toolkit environment variable JASS_ROOT_DIR. The Solaris OS being secured is available through /. For example, if you want to secure a separate OS directory, temporarily mounted under /mnt, then use the -r option to specify /mnt. All the scripts are applied to that OS image.

Undo Option

Through the -u option, the Solaris Security Toolkit software can undo system modifications performed during hardening. Each finish script can be undone with the -u option. In addition, the Solaris Security Toolkit's undo ability is tightly integrated with the checksums generated during each run. For more information on this capability, see Chapter 4.

There are three other options you can use with the -u option:

• -b (backup) option, which backs up any files that have been changed manually since the last hardening run, then restores the system to its original state.
• -f (force) option, which reverses changes made during a hardening run without asking you about exceptions, even if files were manually changed after a hardening run.
• -k (keep) option, which keeps any manual changes you made since the last hardening run.

Synopsis of command-line usage of an undo command:

# jass-execute -u [ -b | -f | -k ] [ -q | -o output_file ]

       [ -m e-mail_address ] [ -V [3|4] ]

Executing the Software in JumpStart Mode

The JumpStart mode is controlled by the Solaris Security Toolkit driver inserted in the rules file on the JumpStart server.

If you have not configured your environment to use JumpStart mode, see Chapter 5.

For more information on the JumpStart technology, refer to the Sun BluePrints book JumpStart Technology: Effective Use in the Solaris Operating Environment.

To execute the Solaris Security Toolkit software in JumpStart mode, it must be integrated into your JumpStart environment and called as part of the finish scripts associated with a JumpStart installation. For information about how to integrate the Solaris Security Toolkit software into your environment, see Chapter 5.

1. After making all of the required modifications to the drivers, install the client using the JumpStart infrastructure.

This task is done using the following command from the client's ok prompt.

ok> boot net - install

Once the installation is completed, the system is rebooted by the JumpStart software.

The system should be in its correct configuration. During hardening, a variety of modifications are made to the configuration of the client. These modifications could include disabling startup scripts for services, disabling options for services, and installing new binaries or libraries through patches. Until the client is restarted, these modifications might not be effective.

2. After the system is rebooted, verify the correctness and completeness of the modifications.

See Validating the System Modifications.

3. If any errors are encountered, fix them and reinstall the client's OS.

---

Validating the System Modifications

After rebooting the system, validate the correctness and completeness of the modifications as described in the following sections.

Performing QA Checks of Services

One of the significant challenges involved in securing systems is determining what OS services must be left enabled for the system to function properly. Solaris OS services might be needed because they are used directly, such as Secure Shell to log into a system. Or they could be used indirectly, such as using the RPC daemon for the graphical user interface (GUI) of third-party software management tools.

Most of these requirements should be determined before running the Solaris Security Toolkit software. (See Determining Application and Service Requirements.) However, the only definitive mechanism is to install and secure the system, then perform thorough testing of its required functionality through quality assurance (QA) testing. A QA plan should be executed for any new system being deployed after the system is hardened. Similarly, for deployed systems being hardened, thorough testing must be performed to ensure that all required and expected functionality is present.

If the QA process uncovers any discrepancies, perform the following:

1. Determine the problem area, based on the guidelines in Chapter 2.

2. Validate that the application runs in the modified configuration.

3. Undo the Solaris Security Toolkit run.

4. Modify the security profile (driver) based on the problem resolution.

5. Run the Solaris Security Toolkit software again.

The end result should be a security profile that can be run on the system without adversely affecting any required functionality.

Performing Security Assessments of Configuration

While validating that the system performs all required functions, also evaluate the security configuration to determine if the system is secured to the desired level. Depending on what hardening or minimization was performed on the system, this might involve different aspects.

At a minimum, the configuration of the system should be reviewed in the following ways:

• Ensure that all necessary Security and Recommended Patches are installed.
• Verify that only required and relevant processes are running, and that they are running with the correct arguments.
• Ensure that only required daemons are running, and that they are running with the correct arguments.
• Verify that only required ports are open on the system by checking locally (for example, netstat -a) and remotely by using a port scanner such as Nmap, which can determine which ports are available on a network interface.
• Make sure that only required Solaris OS packages were installed if the system was minimized.

This review should be considered a minimum for newly built and secured systems. When hardening legacy systems, the underlying OS should be verified to determine if unauthorized modifications were made. Integrity checking of this nature is best done by mounting the system's file system in read-only mode and running integrity checking software from a known OS instance. The tools described in the Sun BluePrints OnLine article titled "The Solaris Fingerprint Database--A Security Tool for Solaris Software and Files" are useful in these scenarios.

Validating Security Profile

After a system is secured and you validate its required services and capabilities, use the audit function to make sure that the security profile was applied properly and completely. This task is critical for two reasons. The first is to ensure that the system is hardened as required. The second is to ensure that the security profile defined for the system is properly reflected in the Solaris Security Toolkit configuration. This check is critical because the configuration information is used to maintain the security profile of the system over its entire deployed life cycle.

For more information about the audit function, see Chapter 6.

Performing the Post-installation Task

If you installed the software on a deployed system, see Performing the Post-installation Task, for information about performing the post-installation task on deployed systems.

Solaris Security Toolkit 4.2 Administration Guide

819-1402-10

Copyright © 2005, Sun Microsystems, Inc. All Rights Reserved.