Solaris Security Toolkit 4.1 Reference Manual
This Solaris Security Toolkit 4.1 Reference Manual contains reference information for understanding and using the internals of the Solaris Security Toolkit software. This manual is primarily intended for persons, such as administrators, consultants, and others, who use the Solaris Security Toolkit software to secure Solaris Operating System (OS) versions 2.5.1 through 9 when deploying new Sun systems or securing deployed systems. The instructions apply to using the software in either its JumpStart mode or standalone mode.
Following are terms used in this manual that are important to understand:
- Hardening - The modification of Solaris OS configurations to improve the security of a system.
- Minimizing - The removal of Solaris OS packages that are not needed on a particular system. (Because each system's requirements vary, what is deemed unnecessary also varies and has to be evaluated.) This removal reduces the number of components to be patched and made secure, which in turn reduces entry points available to a possible intruder.
- Auditing - The process of determining if a system's configuration is in compliance with a predefined security profile.
- Scoring - A score is a value associated with the number of failures uncovered during an audit run. So, if no failures (of any kind) are found, then the resulting score is 0. The Solaris Security Toolkit increments the score (also known as a vulnerability value) by 1 whenever a failure is detected.
Before You Read This Book
You should be a Sun Certified System Administrator for Solaris or Sun Certified Network Administrator for Solaris Operating System. You should also have an understanding of standard network protocols and topologies.
Because this book is designed to be useful to people with varying degrees of experience or knowledge of security, your experience and knowledge determine how you use this book.
How This Book Is Organized
This manual contains reference information about the software components and is structured as follows:
Chapter 1 provides reference information for using, adding, modifying, and removing framework functions. Framework functions provide flexibility for you to change the behavior of the Solaris Security Toolkit software without modifying source code.
Chapter 2 provides reference information about how to use, modify, and customize the file templates included in the Solaris Security Toolkit software.
Chapter 3 provides reference information about using, adding, modifying, and removing drivers. This chapter describes the drivers used by the Solaris Security Toolkit software to harden, minimize, and audit Solaris OS systems.
Chapter 4 provides reference information about using, adding, modifying, and removing finish scripts. This chapter describes the scripts used by the Solaris Security Toolkit software to harden and minimize Solaris OS systems.
Chapter 5 provides reference information for using, adding, modifying, and removing audit scripts.
Chapter 6 provides reference information about using environment variables. This chapter describes all of the variables used by the Solaris Security Toolkit software and provides tips and techniques for customizing their values.
Using UNIX® Commands
This document might not contain information on basic UNIX® commands and procedures such as shutting down the system, booting the system, and configuring devices. Refer to the following for this information:
- Software documentation that you received with your system
- Solaris Operating System documentation, which is at http://docs.sun.com
Shell Prompts
| Shell | Prompt |
| --- | --- |
| C shell | machine-name% |
| C shell superuser | machine-name# |
| Bourne shell and Korn shell | $ |
| Bourne shell and Korn shell superuser | # |
Typographic Conventions
| Typeface | Meaning | Examples |
| --- | --- | --- |
| AaBbCc123 | The names of commands, files, and directories; on-screen computer output | Edit your .login file. Use ls -a to list all files. % You have mail. |
| AaBbCc123 | What you type, when contrasted with on-screen computer output | % su Password: |
| AaBbCc123 | Book titles, new words or terms, words to be emphasized. Replace command-line variables with real names or values. | Read Chapter 6 in the User's Guide. These are called class options. You must be superuser to do this. To delete a file, type rm filename. |
Accessing Sun Documentation
You can view, print, or purchase a broad selection of Sun documentation, including localized versions, at:
http://www.sun.com/documentation
Third-Party Web Sites
Sun is not responsible for the availability of third-party web sites mentioned in this document. Sun does not endorse and is not responsible or liable for any content, advertising, products, or other materials that are available on or through such sites or resources. Sun will not be responsible or liable for any actual or alleged damage or loss caused by or in connection with the use of or reliance on any such content, goods, or services that are available on or through such sites or resources.
Related Resources
Related publications and web sites are listed in this section.
Publications
- Andert, Donna, Wakefield, Robin, and Weise, Joel. "Trust Modeling for Security Architecture Development," Sun BluePrints OnLine, December 2002, http://www.sun.com/blueprints/1202/817-0775.pdf.
- Dasan, Vasanthan, Noordergraaf, Alex, and Ordica, Lou. "The Solaris Fingerprint Database - A Security Tool for Solaris Software and Files," Sun BluePrints OnLine, May 2001, http://www.sun.com/blueprints/0501/Fingerprint.pdf.
- Englund, Martin, "Securing Systems with Host-Based Firewalls - Implemented With SunScreen Lite 3.1 Software," Sun BluePrints OnLine, September 2001, http://sun.com/blueprints/0901/sunscreenlite.pdf.
- Garfinkel, Simon, and Spafford, Gene. Practical UNIX and Internet Security, 2nd Edition, O'Reilly & Associates, April 1996.
- Howard, John S., and Noordergraaf, Alex. JumpStart Technology: Effective Use in the Solaris Operating Environment, The Official Sun Microsystems Resource Series, Prentice Hall, October 2001.
- Moffat, Darren J., FOCUS on SUN: Solaris BSM Auditing, http://www.securityfocus.com/infocus/1362
- Noordergraaf, Alex. "Solaris Operating Environment Minimization for Security: A Simple, Reproducible and Secure Application Installation Methodology Updated for Solaris 8 Operating Environment," Sun BluePrints OnLine, November 2000, http://sun.com/blueprints/1100/minimize-updt1.pdf.
- Noordergraaf, Alex. "Minimizing the Solaris Operating Environment for Security: Updated for Solaris 9 Operating Environment," Sun BluePrints OnLine, November 2002, http://sun.com/blueprints/1102/816-5241.pdf.
- Noordergraaf, Alex. "Securing the Sun Cluster 3.x Software," Sun BluePrints OnLine article, February 2003, http://www.sun.com/solutions/blueprints/0203/817-1079.pdf.
- Noordergraaf, Alex, "Securing the Sun Enterprise 10000 System Service Processors," Sun BluePrints OnLine article, March 2002, http://www.sun.com/blueprints/0302/securingenter.pdf
- Noordergraaf, Alex, et al. Enterprise Security: Solaris Operating Environment Security Journal, Solaris Operating Environment Versions 2.5.1, 2.6, 7, and 8, Sun Microsystems, Prentice Hall Press, ISBN 0-13-100092-6, June 2002.
- Noordergraaf, Alex and Nimeh, Dina. "Securing the Sun Fire 12K and 15K Domains," Sun BluePrints OnLine article, February 2003, http://www.sun.com/blueprints/0203/817-1357.pdf.
- Noordergraaf, Alex and Nimeh, Dina. "Securing the Sun Fire 12K and 15K System Controllers," Sun BluePrints OnLine article, February 2003, http://www.sun.com/blueprints/0203/817-1358.pdf.
- Noordergraaf, Alex and Watson, Keith. "Solaris Operating Environment Security: Updated for the Solaris 9 Operating Environment," Sun BluePrints OnLine, December 2002, http://www.sun.com/blueprints/1202/816-5242.pdf.
- Osser, William and Noordergraaf, Alex. "Auditing in the Solaris 8 Operating Environment," Sun BluePrints OnLine, February 2001, http://www.sun.com/blueprints/0201/audit_config.pdf.
- Reid, Jason M. and Watson, Keith. "Building and Deploying OpenSSH in the Solaris Operating Environment," Sun BluePrints OnLine, July 2001, http://sun.com/blueprints/0701/openSSH.pdf.
- Reid, Jason M. "Configuring OpenSSH for the Solaris Operating Environment," Sun BluePrints OnLine article, January 2002, http://www.sun.com/blueprints/0102/configssh.pdf.
- Reid, Jason. Secure Shell in the Enterprise, The Official Sun Microsystems Resource Series, Prentice Hall, June 2003
- Solaris Advanced Installation Guide, Sun Microsystems, http://docs.sun.com.
- SunSHIELD Basic Security Module Guide, Sun Microsystems, Inc., http://docs.sun.com.
- Watson, Keith and Noordergraaf, Alex. "Solaris Operating Environment Network Settings for Security: Updated for Solaris 9 Operating Environment," Sun BluePrints OnLine, June 2003, http://www.sun.com/solutions/blueprints/0603/816-5240.pdf.
- Weise, Joel, and Martin, Charles R. "Developing a Security Policy," Sun BluePrints OnLine article, December 2001, http://www.sun.com/solutions/blueprints/1201/secpolicy.pdf.
Web Sites
- AUSCERT, UNIX Security Checklist, http://www.auscert.org.au/render.html?it=1935&cid=1920
- CERT/CC at http://www.cert.org is a federally funded research and development center working with computer security issues.
- Chkrootkit, http://www.chkrootkit.org
- Galvin, Peter Baer, The Solaris Security FAQ, http://www.itworld.com/Comp/2377/security-faq/
- HoneyNet Project, "Know Your Enemy: Motives," http://project.honeynet.org/papers/motives/
- List open files software, ftp://vic.cc.purdue.edu/pub/tools/unix/lsof/
- Nmap Port Scanner, http://www.insecure.org
- OpenSSH tool, http://www.openssh.com/
- Pomeranz, Hal, Solaris Security Step by Step, http://www.sans.org/
- Rhoads, Jason, Solaris Security Guide, http://www.sabernet.net/papers/Solaris.html
- Security Focus at http://www.securityfocus.org is a web site dedicated to discussing pertinent security topics.
- Sendmail Consortium, sendmail configuration information, http://www.sendmail.org/
- Spitzner, Lance, Armoring Solaris, http://secinf.net/unix_security/Armoring_Solaris.html
- SSH Communications Security, Secure Shell (SSH) tool, http://www.ssh.com/
- Sun BluePrints OnLine, http://sun.com/blueprints
- Sun BluePrints OnLine Tools for FixModes software and MD5 scripts, http://jsecom15k.sun.com/ECom/EComActionServlet?StoreId=8&PartDetailId=817-0074-10&TransactionId=try&LMLoadBalanced=
- Sun Enterprise Authentication Mechanism information, http://www.sun.com/software/solaris/ds/ds-seam
- SunSolve, http://sunsolve.sun.com
Running Supported Solaris OS Versions
Sun support for Solaris Security Toolkit software is available only for its use in the Solaris 8 and Solaris 9 Operating Systems. While the software can be used in the Solaris 2.5.1, Solaris 2.6 and Solaris 7 Operating Systems, Sun support is not available for its use in those operating systems.
The Solaris Security Toolkit software automatically detects which version of the Solaris Operating System software is installed, then runs tasks appropriate for that operating system version.
Running Supported SMS Versions
If you are using System Management Services (SMS) to run your system controller (SC), Sun support is available for Solaris Security Toolkit 4.1 software if you are using SMS version 1.3 through 1.4.1.
Contacting Sun Technical Support
If you have technical questions about this product that are not answered in this document, go to:
http://www.sun.com/service/contacting
Sun Welcomes Your Comments
Sun is interested in improving its documentation and welcomes your comments and suggestions. You can submit your comments by going to:
http://www.sun.com/hwdocs/feedback
Please include the title and part number of your document with your feedback:
Solaris Security Toolkit 4.1 Reference Manual, part number 817-7750-10