|C H A P T E R 5|
Configuring and Managing JumpStart Servers
This chapter provides information for configuring and managing JumpStart servers to use the Solaris Security Toolkit software. JumpStart technology, which is Sun's network-based Solaris OS installation mechanism, can run Solaris Security Toolkit software during the installation process.
The Solaris Security Toolkit's JumpStart mode is based on JumpStart technology, available for the Solaris OS product since version 2.1. JumpStart technology helps you manage complexity by fully automating the Solaris OS and system software installation, facilitating the correctness and standardization of systems. It provides a way to meet the requirements of rapidly installing and deploying systems.
The advantages of using JumpStart technology are apparent in the area of system security. By using JumpStart technology with the Solaris Security Toolkit software, you can secure systems during automated Solaris OS installations. This practice helps ensure that system security is standardized and addressed at the time of system installation. To obtain the JumpStart Enterprise Toolkit (JET), which facilitates JumpStart-based installations and includes modules to support hardening with the Solaris Security Toolkit, go to the Sun Software Download site at:
For more information about JumpStart technology, refer to the Sun BluePrints book JumpStart Technology: Effective Use in the Solaris Operating Environment.
This chapter contains the following topics:
For use in a JumpStart environment, install the Solaris Security Toolkit source in /opt/SUNWjass (for pkg downloads) into the base directory of the JumpStart server. The default directory is /jumpstart on a JumpStart server. After this task is done, JASS_HOME_DIR becomes the base directory of the JumpStart server.
This section assumes that the reader is familiar with JumpStart technology and has an existing JumpStart environment available.
Only a few steps are required to integrate the Solaris Security Toolkit software into a JumpStart architecture.
1. Install the Solaris Security Toolkit source into the root directory of the JumpStart server.
The Solaris Security Toolkit could be installed into JASS_REPOSITORY, which is /jumpstart in this case, as shown in the following example:
Typically, the Solaris Security Toolkit software is installed in the SI_CONFIG_DIR of the JumpStart server, which would normally also be JASS_HOME_DIR.
2. If you make any modifications to the Solaris 2.5.1 OS sysidcfg file, make them to the one in the JASS_HOME_DIR/Sysidcfg/Solaris_2.5.1 directory.
If you are using Solaris 2.5.1 OS, the sysidcfg file in JASS_HOME_DIR/Sysidcfg/Solaris_2.5.1 cannot be used directly because this version of Solaris only supports sysidcfg files in SI_CONFIG_DIR and not in separate subdirectories. To address this limitation on Solaris 2.5.1 OS, the Solaris Security Toolkit software has SI_CONFIG_DIR/sysidcfg, which is linked to the JASS_HOME_DIR/Sysidcfg/Solaris_2.5.1/sysidcfg file.
3. Copy the JASS_HOME_DIR/Drivers/user.init.SAMPLE to JASS_HOME_DIR/Drivers/user.init with the following command:
4. If you want to install the Solaris Security Toolkit package onto the target system during a JumpStart install, you must place the package in the JASS_PACKAGE_MOUNT directory defined in your user.init file. For example:
5. If you experience problems with a multihomed JumpStart server, modify the two entries for JASS_PACKAGE_MOUNT and JASS_PATCH_MOUNT to the correct path to the JASS_HOME_DIR/Patches and JASS_HOME_DIR/Packages directories.
6. If you want to install the Solaris Security Toolkit software under a subdirectory of SI_CONFIG_DIR, such as SI_CONFIG_DIR/path/to/JASS, then add the following to the user.init file:
7. Select or create a Solaris Security Toolkit driver (for example, the default secure.driver).
Caution - Nevermodify the original scripts included with the Solaris Security Toolkit software. To allow for efficient migration to new releases of the Solaris Security Toolkit software, maintain the original files and your custom files separately.
8. After completing the driver, make the correct entry in the rules file.
The entry should be similar to the following:
One other modification might be required to successfully integrate the Solaris Security Toolkit software into the existing JumpStart environment.
9. If you use the sysidcfg files provided with the Solaris Security Toolkit software to automate the JumpStart client installation, review them for applicability.
If the JumpStart server encounters any errors while parsing the sysidcfg file, the entire content of the file is ignored.
After completing all the configuration steps in this section, you can use JumpStart technology to install the Solaris OS on the client, and successfully harden or minimize the OS during the installation process.
JumpStart profile templates are files used only with JumpStart mode. The required and optional contents of profiles are described in the Sun BluePrints book JumpStart Technology: Effective Use in the Solaris Operating Environment.
Use the JumpStart profile templates as samples from which to make your individual site modifications. Review the profiles to determine what changes are necessary, if any, to use in your environment.
Make copies of the profiles, then modify them for your site. Do not modify the originals, because updates to the Solaris Security Toolkit software might overwrite your customization.
The following JumpStart profiles are included with the Solaris Security Toolkit software:
The following subsections describe these profiles.
This JumpStart profile installs the smallest Solaris OS cluster, SUNWCreq. Other than specifying that the partitioning of the disk include a root and swap partitions, no other configuration modifications are made.
This JumpStart profile installs the End User Solaris OS cluster, SUNWCuser, and the two Solaris OS packages required for process accounting to work properly. In addition, disk partitioning is defined to include only root and swap partitions.
This JumpStart profile installs the Developer Solaris OS cluster SUNWCprog and the two Solaris OS packages required for process accounting to work properly. As in the core.profile definition, the only other configuration definitions made, in addition to the Solaris OS cluster, are for the disk partitioning to include root and swap.
This JumpStart profile installs the Entire Distribution Solaris OS cluster, SUNWCall. As with the other profiles, disk partitioning is defined to include root and swap partitions.
This JumpStart profile installs the OEM Solaris OS cluster, SUNWCXall. This cluster is a superset of the Entire Distribution cluster, and it installs OEM-provided software.
All the following profiles are based on the Sun BluePrints OnLine article Minimizing Domains for Sun Fire V1280, 12K, and 15K Systems. The following JumpStart profiles are the same as those referenced in the article.
The add-client and rm-client scripts are used to configure a server so that the server can use JumpStart software to perform a network-based installation of a client. The scripts are located in the JASS_HOME_DIR/bin directory. The JumpStart mode is controlled by the Solaris Security Toolkit driver inserted in the rules file on the JumpStart server.
If you have not configured your environment to use JumpStart mode, see Configuring JumpStart Servers and Environments.
For SPARC-based systems, the add-client command installs the JumpStart client and configuration information needed by the Solaris Security Toolkit. The command is executed from the JumpStart server.
For x86/x64 systems, which require Dynamic Host Configuration Protocol (DHCP) clients, you need to use the add_install_client script provided with the Solaris (Install) Media.
To simplify adding clients from JumpStart servers, use this script included with the Solaris Security Toolkit software. The command and options are described in the following paragraphs; however, the underlying JumpStart technology is not. Refer to the Sun BluePrints book JumpStart Technology: Effective Use in the Solaris Operating Environment for information about JumpStart technology.
The add-client script is a wrapper around the add_install_client command and accepts the following arguments.
Synopsis of the add-client command:
TABLE 5-1 describes the valid input for the add-client command.
Version of the Solaris OS, available in the JASS_HOME_DIR/OS directory, which is to be installed on the client. If no value is specified, a list of available Solaris OS versions in the JASS_HOME_DIR/OS directory is displayed.
Optional path name to an alternate directory containing a sysidcfg file that you want to use for system identification and configuration. By default, this value is set to the JASS_HOME_DIR/Sysidcfg/Solaris_version/ directory, where the Solaris-version is extracted from the required -o argument you used. If specifying an optional path name, use a path name relative to the JASS_HOME_DIR directory. Specify only the path to the sysidcfg file.
To add a JumpStart client to called eng1 using defaults, you could do the following:
To add a JumpStart client called eng1 to a JumpStart server called jumpserve1 using Solaris 9 OS (12/03) and the -s sysidcfg option, you could do the following:
To simplify removing clients from JumpStart servers, use this script included with the Solaris Security Toolkit software. The command and options are described in the following paragraphs; however, the underlying JumpStart technology is not. Refer to JumpStart Technology: Effective Use in the Solaris Operating Environment for information about JumpStart technology.
The rm-client script is a wrapper around the rm_install_client command in much the same way as add-client:
Example Usage: rm-client [-c] client
where client is the resolvable host name of the JumpStart client.
TABLE 5-2 describes the valid input for the rm-client command.
To remove a JumpStart client called eng1, use the following rm-client command: