CHAPTER 3
Installing and Running Security Software
This chapter provides instructions for downloading, installing, and running the Solaris Security Toolkit software and other security-related software. Included are instructions for configuring your environment for either standalone or JumpStart mode, and for obtaining support.
Follow the instructions and process provided in this section to install, configure, and execute the software. These instructions include downloading additional security software, helpful examples, and guidelines.
Although the Solaris Security Toolkit software is a standalone product, it is most effective when used with the additional security software provided for downloading. This software includes the latest Recommended and Security Patch Cluster from SunSolve OnLine, Secure Shell software for Solaris OS releases that do not include it, permission and ownership modification software to tighten Solaris OS and third-party software permissions, and integrity validation binaries to validate the integrity of Sun files and executables.
This section contains the following tasks:
Proper planning is key to successfully using the Solaris Security Toolkit software to secure systems. See Chapter 2 for detailed information about planning before you install the software.
If you are installing the software on a deployed system, see Performing Preinstallation Tasks, for information about performing preinstallation tasks prior to installing the software on deployed systems.
Solaris Security Toolkit 4.1 software has few dependencies.
See Running Supported Solaris OS Versions for information about supported versions of the Solaris Operating System.
The Solaris Security Toolkit 4.1 software depends upon the SUNWloc package. If this package is absent, the Solaris Security Toolkit software fails.
See Running Supported SMS Versions for information about supported versions of the System Management Services (SMS) software.
Harden systems during or immediately after installation, to limit the period a system might be exposed to attack while in an unsecured state. Before using the Solaris Security Toolkit software to secure a system, configure the Solaris Security Toolkit software to run properly in your environment.
The Solaris Security Toolkit software has a modular framework. If you are not using the JumpStart product, the flexibility of the Solaris Security Toolkit software's framework enables you to efficiently prepare for using JumpStart later. If you are using JumpStart, you benefit from the Solaris Security Toolkit software's ability to integrate into existing JumpStart architectures.
The following sections describe the standalone and JumpStart modes.
The Solaris Security Toolkit software runs directly from a Solaris OS shell prompt in standalone mode. This mode enables you to use the Solaris Security Toolkit software on those systems that require security modifications or updates, yet cannot be taken out of service to re-install the OS from scratch. However, systems should be reinstalled from scratch to secure them, if possible.
Standalone mode is particularly useful when hardening a system after installing patches. You can run the Solaris Security Toolkit software multiple times on a system with no ill effects. Patches might overwrite or modify files the Solaris Security Toolkit software has modified; by rerunning the Solaris Security Toolkit software, any security modifications negated by the patch installation can be reimplemented.
Note - In production environments, stage patches in test and development environments before installing the patches in live environments.
The standalone mode is one of the best options to harden a deployed system as quickly as possible. No special steps are required to integrate the Solaris Security Toolkit software into an architecture without JumpStart, other than those steps in the downloading and installing instructions provided in Downloading Security Software.
JumpStart technology, which is Sun's network-based Solaris OS installation mechanism, can run Solaris Security Toolkit scripts during the installation process. This book assumes that the reader is familiar with JumpStart technology and has an existing JumpStart environment available. For more information about JumpStart technology, refer to the Sun BluePrints book JumpStart Technology: Effective Use in the Solaris Operating Environment.
For use in a JumpStart environment, copy the Solaris Security Toolkit source in either the JASS_HOME_DIR (for tar downloads) or /opt/SUNWjass (for pkg downloads) into the base directory of the JumpStart server. The default is /jumpstart on the JumpStart server. JASS_HOME_DIR becomes the base directory of the JumpStart server.
Only a few steps are required to integrate the Solaris Security Toolkit software into a JumpStart architecture. See Chapter 5 for instructions on how to configure a JumpStart server.
The first stage in hardening a system requires downloading additional software security packages onto the system you want to secure. This section covers the following tasks:
First download the Solaris Security Toolkit software, then install it on the server on which you are using the Solaris Security Toolkit software in standalone mode or on a JumpStart server for JumpStart mode.
Note - The following instructions use filenames that do not reference the version number. Always download the latest version from the web site.
Throughout the rest of this guide, the JASS_HOME_DIR environment variable refers to the root directory of the Solaris Security Toolkit software. When the Solaris Security Toolkit software is installed from the tar archive, JASS_HOME_DIR is defined to be the path up to, and including, jass-n.n. If you install the tar version of the distribution in the /opt directory, the JASS_HOME_DIR environment variable is defined as /opt/jass-n.n.
The Solaris Security Toolkit software is distributed in Solaris OS package format, in addition to the traditional compressed tar archive. The same software is included in both archives.
Choose the format most appropriate for your situation. The pkg format is best for client systems, and the tar archive is best for JumpStart servers and for developing custom packages.
Procedures for downloading and installing these two different archive types are provided in the following sections.
1. Download the software distribution file (jass-n.n.tar.Z).
The source file is located at the following web site:
http://www.sun.com/security/jass
2. Extract the software distribution file into a directory on the server using the zcat and tar commands as shown:
Where n.n is the most current version that you are downloading.
Executing this command creates the jass-n.n subdirectory in the current working directory. This subdirectory contains all the Solaris Security Toolkit directories and associated files.
1. Download the software distribution file (SUNWjass-n.n.pkg.Z).
The source file is located at:
http://www.sun.com/security/jass
Note - If you encounter difficulty downloading the software, use your browser's integrated Save As option.
2. Extract the software distribution file into a directory on the server by using the uncompress command:
3. Install the software distribution file into a directory on the server using the pkgadd command as shown:
Where n.n is the most current version that you are downloading.
Executing this command creates the SUNWjass directory in /opt. This subdirectory contains all the Solaris Security Toolkit directories and associated files.
Patches are released by Sun to provide Solaris OS fixes for performance, stability, functionality, and security. It is critical to the security of a system that the most up-to-date patch cluster is installed. To ensure that the latest Solaris OS Recommended and Security Patch Cluster is installed on your system, this section describes how to download the latest patch cluster.
Note - Before installing any patches, evaluate and test them on nonproduction systems or during scheduled maintenance windows.
Before you install a patch cluster, review individual patch README files and other information provided. The information often contains suggestions and information helpful to know before installing a patch cluster.
1. Download the latest patch cluster from the SunSolve OnLine Web site at:
2. Click the Patches link at the top of the left navigation bar.
3. Click the Recommended Patch Clusters link.
The license agreement is displayed.
4. Select the appropriate Solaris OS version in the Recommended Solaris Patch Clusters box.
In our example, we select Solaris 8 OS.
5. Select the best download option, either HTTP or FTP, with the associated radio button, then click Go.
A Save As dialog box is displayed in your browser window.
7. Move the file securely to the system being hardened.
Use the scp(1) command (secure copy), or another method that provides secure file transfer.
Use the scp command as follows:
8. Move the file to the /opt/SUNWjass/Patches directory and uncompress it.
The patch cluster software is installed automatically after you download the other security packages and execute the Solaris Security Toolkit software.
FixModes is a software package that tightens the default Solaris OS directory and file permissions. Tightening these permissions can significantly improve overall security. More restrictive permissions make it even more difficult for malicious users to gain privileges on a system.
1. Download the FixModes precompiled binaries from:
http://www.sun.com/security/jass
The FixModes software is distributed as a precompiled, compressed package file formatted for Solaris OS systems. The file name is SUNBEfixm.pkg.Z.
2. Move the file securely to the system being hardened by using the scp command, or another method that provides secure file transfer.
Use the scp command as follows:
3. Uncompress and save the file, SUNBEfixm.pkg.Z, in the Solaris Security Toolkit Packages directory in /opt/SUNWjass/Packages, with the following commands:
Later, the FixModes software is installed automatically after downloading all the other security packages and executing the Solaris Security Toolkit software.
In any secured environment, the use of encryption in combination with strong authentication is required to protect user-interactive sessions. At a minimum, network access must be encrypted.
The tool most commonly used to implement encryption is Secure Shell software, either a version bundled with the Solaris OS, a third-party commercial version, or a freeware version. To implement all the security modifications performed by the Solaris Security Toolkit software, you must include a Secure Shell software product.
Information on where to obtain commercial versions of Secure Shell is provided in Related Resources.
The Solaris Security Toolkit software disables all unencrypted user-interactive services and daemons on the system, in particular daemons such as in.telnetd, in.ftpd, in.rshd, and in.rlogind.
Secure Shell provides the remote login and file transfer capability you would otherwise obtain through Telnet and FTP, but over an encrypted, authenticated channel.
Note - If the server is running Solaris 9 OS, you can use the bundled Secure Shell software and skip the OpenSSH installation steps in this section.
Obtain the following Sun BluePrints OnLine article, and use the instructions in the article for downloading the software.
A Sun BluePrints OnLine article about how to compile and deploy OpenSSH titled "Building and Deploying OpenSSH on the Solaris Operating Environment" is available at:
Or obtain the Sun BluePrints publication Secure Shell in the Enterprise, which is available at book stores.
After downloading all the other security packages and executing the Solaris Security Toolkit software, the OpenSSH software is installed automatically.
The MD5 software generates MD5 digital fingerprints on the system being hardened. Generate the digital fingerprints, then compare them with what Sun has published as correct, to detect system binaries that have been altered or trojaned by unauthorized users (replaced with versions that keep their expected behavior while concealing malicious functionality). By modifying system binaries, attackers provide themselves with backdoor access onto a system; they hide their presence and could cause systems to operate in unstable manners.
1. Download the MD5 binaries from the following web site:
http://www.sun.com/security/jass
The MD5 programs are distributed as a compressed package file.
2. Move the file SUNBEmd5.pkg.Z securely to the system being hardened with the scp command, or another method that provides secure file transfer.
Use the scp command as follows:
3. Uncompress and move the file to the Solaris Security Toolkit Packages directory in /opt/SUNWjass/Packages, using a command similar to the following:
After the MD5 software is saved to the /opt/SUNWjass/Packages directory, the execution of the Solaris Security Toolkit software installs the software.
After the MD5 binaries are installed, you can use them to verify the integrity of executables on the system through the Solaris fingerprint database. More information on the Solaris fingerprint database is available in the Sun BluePrints OnLine article titled "The Solaris Fingerprint Database -- A Security Tool for Solaris Software and Files."
4. (Optional) Download and install Solaris Fingerprint Database Companion and Solaris Fingerprint Database Sidekick software from the Sun BluePrint web site at:
http://www.sun.com/blueprints/tools
Install and use these optional tools with the MD5 software. These tools simplify the process of validating system binaries against the database of MD5 checksums. Use these tools frequently to validate the integrity of the Solaris OS binaries and files on a secured system.
These tools and instructions for downloading them are in the Sun BluePrints OnLine article titled "The Solaris Fingerprint Database -- A Security Tool for Solaris Software and Files."
Verify the integrity of every security tool you download. Before installing and running the Solaris Security Toolkit software and the additional security software, compare the MD5 checksum of each downloaded file against the checksum published on the Solaris Security Toolkit download page; a mismatch means the file is corrupt or has been tampered with and must not be installed.
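The checksum verification described here, the tar extraction step from the download procedure earlier in this chapter, and the fingerprint comparison described under the MD5 software, as one added shell example. This is not code from the Solaris Security Toolkit guide or distribution. It assumes that one of digest(1), md5sum(1) or an md5 command is present on the host; the file names and checksum values in the usage comments are placeholders, and the fingerprint list layout (one "md5 path" pair per line) is an assumed format for illustration, not the Solaris Fingerprint Database's own output.

```shell
#!/bin/sh
# Added example, not part of the Solaris Security Toolkit guide or distribution.
# (1) check a downloaded archive against the published MD5 checksum before
#     unpacking it, and
# (2) compare installed files against a list of known-good MD5 fingerprints.
# File names and checksum values in the usage comments are placeholders.

# Print the hex MD5 digest of a file, using whichever tool the host provides.
md5_of() {
    if command -v digest >/dev/null 2>&1; then        # Solaris 10 and later
        digest -a md5 "$1"
    elif command -v md5sum >/dev/null 2>&1; then      # GNU coreutils
        md5sum "$1" | awk '{ print $1 }'
    elif command -v md5 >/dev/null 2>&1; then         # Sun SUNBEmd5 or BSD md5: "MD5 (f) = hash"
        md5 "$1" | awk '{ print $NF }'
    else
        echo "md5_of: no MD5 tool found" >&2
        return 2
    fi
}

# Succeed only when the file's digest equals the expected (published) value.
verify_md5() {
    actual=$(md5_of "$1") || return 2
    [ "$actual" = "$2" ]
}

# Unpack a compressed tar archive (.tar.Z or .tar.gz) into a directory, but
# only after its checksum matches.
# Usage: safe_extract jass-n.n.tar.Z <published-md5> /opt
safe_extract() {
    archive=$1; expected=$2; dest=$3
    if ! verify_md5 "$archive" "$expected"; then
        echo "checksum mismatch for $archive; refusing to extract" >&2
        return 1
    fi
    zcat "$archive" | (cd "$dest" && tar xf -)
}

# Read "md5  path" lines from a fingerprint list (assumed format) and print
# each path whose current digest differs or which is missing.
# Returns 1 if any file fails, 0 if all match.
check_fingerprints() {
    list=$1; bad=0
    while read -r expected path; do
        [ -z "$expected" ] && continue              # skip blank lines
        case $expected in \#*) continue ;; esac     # skip comment lines
        if [ ! -f "$path" ]; then
            echo "MISSING $path"; bad=1; continue
        fi
        actual=$(md5_of "$path")
        if [ "$actual" != "$expected" ]; then
            echo "MISMATCH $path"; bad=1
        fi
    done < "$list"
    return $bad
}
```

check_fingerprints deliberately reports and keeps going rather than stopping at the first failure, so a single run over a list of system binaries yields the complete set of altered files; run it from a known-good OS instance against a read-only mount of the suspect system, as the validation section later in this chapter recommends.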
A variety of security profile templates are included with the Solaris Security Toolkit software distribution as drivers. As mentioned in the previous chapter, the default security profile and changes made by these drivers might not be appropriate for your systems. The security profiles implemented by these drivers disable services that are not required and enable optional security features disabled by default.
Before running the Solaris Security Toolkit software, review and customize the default security profiles for your environment, or develop new ones. Techniques and guidelines for customizing security profiles are provided in the Solaris Security Toolkit 4.1 Reference Manual.
It is important that the following preliminary tasks be completed prior to executing the Solaris Security Toolkit software. Most of the hardening is done automatically when you execute the Solaris Security Toolkit software.
You can execute the Solaris Security Toolkit software directly from the command line or a JumpStart server.
For command line options and other information about executing the software, see one of the following:
CODE EXAMPLE 3-2 shows a sample of command line usage in standalone mode.
TABLE 3-1 lists the command-line options available and describes each.
For detailed information about the options available with jass-execute command in standalone mode, see the following sections:
For a complete listing of available drivers, see the Drivers directory. Newer versions of the software may contain additional drivers.
1. Execute the secure.driver (or a product-specific driver such as sunfire_15k_sc-secure.driver) as follows:
2. After running the Solaris Security Toolkit software on a system, reboot the system to implement the changes.
During hardening, a variety of modifications are made to the configuration of the client. These modifications might include disabling startup scripts for services, disabling options for services, and installing new binaries or libraries through patches. Until the client is restarted, these modifications might not be effective.
3. After rebooting the system, verify the correctness and completeness of the modifications.
See Validating the System Modifications.
4. If any errors are encountered, fix them and run the Solaris Security Toolkit software again in standalone mode.
Through the -a option, the Solaris Security Toolkit software can perform an audit run to determine if a system is in compliance with its security profile. This run validates not only if system file modifications made are still active, but also if previously disabled processes are running or removed software packages are reinstalled. For more information on this function, see Chapter 6.
Example usage to audit a system against a security profile:
The -h option displays the jass-execute help message, which provides an overview of the available options.
The -h option produces output similar to the following:
The -d driver option specifies the driver to be run in standalone mode.
You must specify a driver with the -d option. The Solaris Security Toolkit software prepends the Drivers/ directory to the driver name you supply, so you need to enter only the driver's file name on the command line.
Note - You cannot use the -d option with the -u, -H, -h, or -a options.
A jass-execute hardening run using the -d driver option produces output similar to the following:
The -m email-address option provides a mechanism by which standalone hardening and undo output can be emailed automatically by the Solaris Security Toolkit software when the run completes. The email report is in addition to any logs generated on the system using other options.
A Solaris Security Toolkit run calling sunfire_15k_sc-config.driver using the email option would be similar to the following:
The -H option provides a simple mechanism to determine how many times the Solaris Security Toolkit software has been run on a system. All runs are listed regardless of whether they have been undone.
The -H option produces output similar to the following:
The output indicates that the Solaris Security Toolkit software was run on this system three times and that the last run was undone.
The -l option provides a mechanism to determine the most recent run. This is always the last run listed by the -H option as well.
The -l option produces output similar to the following:
The -o output-file option redirects the console output of jass-execute runs to a separate file, output-file.
This option has no effect on the logs kept in the JASS_REPOSITORY directory. This option is particularly helpful when performed over a slow terminal connection, because there is a significant amount of output generated by a Solaris Security Toolkit run.
This option can be used with either the -d, -u, or -a options.
The -o option produces output similar to the following:
    # ./jass-execute -o jass-output.txt -d secure.driver
    [NOTE] Executing driver, secure.driver
    [NOTE] Recording output to jass-output.txt
The -q option suppresses the Solaris Security Toolkit software's console output (the standard output stream) during a hardening run.
This option has no effect on the logs kept in the JASS_REPOSITORY directory. Similar to the -o option, this option is particularly helpful when running the Solaris Security Toolkit software through a cron job or over slow network connections.
This option can be used with either the -d, -u, or -a options.
The -q option produces output similar to the following:
    # ./jass-execute -q -d secure.driver
    [NOTE] Executing driver, secure.driver
The -r root-directory option is for specifying the root directory used during jass-execute runs. Using the -r option also requires using the -p option to specify the platform (OS) version. The format of the -p option is equivalent to that produced by uname -r.
By default, the root directory is /, as defined by the Solaris Security Toolkit environment variable JASS_ROOT_DIR, so the OS being secured is the one mounted at /. To secure a separate OS image instead, for example one temporarily mounted under /mnt, use the -r option to specify /mnt. All the scripts are then applied to that OS image rather than to the running system.
Through the -u option, the Solaris Security Toolkit software can undo system modifications performed during hardening. Each finish script can be undone with the -u option. In addition, the Solaris Security Toolkit's undo ability is tightly integrated with the checksums generated during each run. For more information on this capability, see Chapter 4.
Example command line usage of an undo command:
The JumpStart mode is controlled by the Solaris Security Toolkit driver inserted in the rules file on the JumpStart server.
If you have not configured your environment to use JumpStart mode, see Chapter 5.
For more information on the JumpStart technology, refer to the Sun BluePrints book JumpStart Technology: Effective Use in the Solaris Operating Environment.
To execute the Solaris Security Toolkit software in JumpStart mode, it must be integrated into your JumpStart environment and called as part of the finish scripts associated with a JumpStart installation. For information about how to integrate the Solaris Security Toolkit software into your environment, see Chapter 5.
1. After making all of the required modifications to the drivers, install the client using the JumpStart infrastructure.
This task is done using the following command from the client's ok prompt.
Once the installation is completed, the system is rebooted by the JumpStart software.
The system should be in its correct configuration. During hardening, a variety of modifications are made to the configuration of the client. These modifications could include disabling startup scripts for services, disabling options for services, and installing new binaries or libraries through patches. Until the client is restarted, these modifications might not be effective.
2. After the system is rebooted, verify the correctness and completeness of the modifications.
See Validating the System Modifications.
3. If any errors are encountered, fix them and reinstall the client's OS.
After rebooting the system, validate the correctness and completeness of the modifications as described in the following sections.
One of the significant challenges involved in securing systems is determining what OS services must be left enabled for the system to function properly. Solaris OS services might be needed because they are used directly, such as Secure Shell to log into a system. Or they could be used indirectly, such as using the Remote Procedure Call (RPC) daemon for the graphical user interface of third-party software management tools.
Most of these requirements should be determined before running the Solaris Security Toolkit software. (See Determining Application and Service Requirements.) However, the only definitive mechanism is to install and secure the system, then thoroughly test its required functionality through quality assurance (QA) testing. A QA plan should be in place and executed for any new system being deployed after the system is hardened. Similarly, for deployed systems being hardened, thorough testing must be performed to ensure that all required and expected functionality is present.
If the QA process uncovers any discrepancies, perform the following:
1. Determine the problem area, based on the guidelines in Chapter 2.
2. Validate that the application runs in the modified configuration.
3. Undo the Solaris Security Toolkit run.
4. Modify the security profile (driver) based on the problem resolution.
5. Run the Solaris Security Toolkit software again.
The end result should be a security profile that can be run on the system without adversely affecting any required functionality.
While validating that the system performs all required functions, also evaluate the security configuration to determine if the system is secured to the desired level. Depending on what hardening or minimization was performed on the system, this may involve different aspects.
At a minimum, the configuration of the system should be reviewed in the following ways:
This review should be considered a minimum for newly built and secured systems. When hardening legacy systems, the underlying OS should be verified to determine if unauthorized modifications were made. Integrity checking of this nature is best done by mounting the system's file system in read-only mode and running integrity checking software from a known OS instance. The tools described in the Sun BluePrints OnLine article titled "The Solaris Fingerprint Database--A Security Tool for Solaris Software and Files" are useful in these scenarios.
After a system is secured and you validate its required services and capabilities, use the audit function to make sure that the security profile was applied properly and completely. This task is critical for two reasons. The first is to ensure that the system is hardened as required. The second is to ensure that the security profile defined for the system is properly reflected in the Solaris Security Toolkit configuration. This check is critical because the configuration information is used to maintain the security profile of the system over its entire deployed life cycle.
For more information about the audit function, see Chapter 6.
If you installed the software on a deployed system, see Performing Post-Installation Tasks, for information about performing post-installation tasks on deployed systems.
Copyright © 2004, Sun Microsystems, Inc. All Rights Reserved.