CHAPTER 5

Audit Scripts

This chapter provides reference information on using, adding, modifying, and removing audit scripts. Audit scripts provide an easy method for periodically checking the security posture of a system. Check your systems regularly to make sure that their security matches your security profile.

The standard audit scripts confirm that modifications controlled by finish scripts were made to the system, and they report any discrepancies that occurred since the hardening run. Audit scripts use the same name as their correlating finish script, except they have a different suffix. Audit scripts use the .aud suffix instead of .fin.

This chapter contains the following topics:


Customizing Audit Scripts

This section provides instructions and recommendations for customizing existing audit scripts or creating new audit scripts. In addition, guidelines are provided for using audit script functions.

Customize Standard Audit Scripts

Just as with Solaris Security Toolkit drivers and finish scripts, you can customize audit scripts. Be careful when modifying scripts that are supplied with the Solaris Security Toolkit software. Always modify a copy of the script and not the original. Failure to do so may result in a loss of functionality during Solaris Security Toolkit software upgrade or removal. Also, make as few changes as necessary to the code whenever possible and document those changes.

Use environment variables to customize audit scripts. The behavior of most scripts can be tailored by using environment variables, which eliminates the need to modify the script directly. If this is not possible, you may find it necessary to modify the code. For a list of all environment variables and guidelines for defining them, see Chapter 6.




Caution - Whenever you customize the standard finish scripts or develop new ones, be sure to make the corresponding changes to related audit scripts.





Note - Consider submitting a bug report or request for enhancement if you think that the change could benefit a wider audience. The Solaris Security Toolkit development team is always looking for ways to improve the software to better support its users.




To Customize an Audit Script

Use the following steps to customize a standard audit script for your system and environment. Use these instructions so that newer versions of the original files do not overwrite your customized versions. Note that these files are not removed if you use the pkgrm command to remove the software.

1. Copy the audit script and related files that you want to customize.

Refer to Chapter 6 in the Solaris Security Toolkit 4.1 Administration Guide for information about audit scripts and their related files.

2. Rename the copies with names that identify the files as custom scripts and files.

For naming guidelines, refer to "Guidelines", Chapter 1, Solaris Security Toolkit 4.1 Administration Guide.

3. Modify your custom script and files accordingly.

The finish.init file provides all audit script configuration variables. You can override the default variables by modifying the user.init file. This file is heavily commented to explain each variable, its impact, and its use in audit scripts. For more information about this file and modifying its variables, see Chapter 2. Or, if you want the change to be localized rather than to apply to all drivers, modify the driver.

When you customize audit scripts, it is critical to the accuracy of the audit functionality that both finish and audit scripts are able to access your customization. This goal is most easily and effectively achieved by modifying environment variables in the user.init script instead of modifying other init files or modifying scripts directly.

CODE EXAMPLE 5-1 shows how to customize the install-openssh.aud script to validate software installation. In this example, these checks ensure that the software package is installed, configured, and set up to run whenever the system reboots.


CODE EXAMPLE 5-1 Sample install-openssh.aud Script
#!/bin/sh
# Copyright (c) 2002 by Sun Microsystems, Inc.
# All rights reserved.
#
#ident  "@(#)install-openssh.aud        1.3     02/12/03        SMI"
#
# ***************************************************************
# Service definition section.
# ***************************************************************
#--------------------------------------------------------------
service="OpenSSH"
servfil="install-openssh.aud"
servhdr_txt="
#Rationale for Verification Check:
#This script will attempt to determine if the OpenSSH software is
#installed, configured and running on the system. Note that this
#script expects the OpenSSH software to be installed in package
#form in accordance with the install-openssh.fin Finish script.
 
#Determination of Compliance:
 
#It indicates a failure if the OpenSSH package is not installed,
#configured, or running on the system.
"
 
#--------------------------------------------------------------
 
servpkg="
   OBSDssh
"
 
#--------------------------------------------------------------
 
servsrc="
   ${JASS_ROOT_DIR}/etc/rc3.d/S25openssh.server
"
 
#--------------------------------------------------------------
 
servcfg="
   ${JASS_ROOT_DIR}/etc/sshd_config
"
 
#--------------------------------------------------------------
 
servcmd="
   /opt/OBSDssh/sbin/sshd
"
 
# ****************************************************************
# Check processing section.
# ****************************************************************
 
start_audit "${servfil}" "${service}" "${servhdr_txt}"
 
logMessage "${JASS_MSG_SOFTWARE_INSTALLED}"
 
if check_packageExists "${servpkg}" 1 LOG ; then
 pkgName="`pkgparam -R ${JASS_ROOT_DIR} ${servpkg} NAME`"
 pkgVersion="`pkgparam -R ${JASS_ROOT_DIR} ${servpkg} VERSION`"
 pkgBaseDir="`pkgparam -R ${JASS_ROOT_DIR} ${servpkg} BASEDIR`"
 pkgContact="`pkgparam -R ${JASS_ROOT_DIR} ${servpkg} EMAIL`"
 
 logNotice "Package has description '${pkgName}'"
 logNotice "Package has version '${pkgVersion}'"
 logNotice "Package has base directory '${pkgBaseDir}'"
 logNotice "Package has contact '${pkgContact}'"
 
 logMessage "\n${JASS_MSG_SOFTWARE_CONFIGURED}"
 check_startScriptExists "${servsrc}" 1 LOG
 check_serviceConfigExists "${servcfg}" 1 LOG
 
 logMessage "\n${JASS_MSG_SOFTWARE_RUNNING}"
 check_processExists "${servcmd}" 1 LOG
fi
 
finish_audit

Create New Audit Scripts

You can create new audit scripts and integrate them into your deployment of the Solaris Security Toolkit software. Because scripts are commonly developed in Bourne shell, it is relatively easy to add new functionality. For those who are less experienced in UNIX shell scripting, examine existing audit scripts that perform similar functions to gain an understanding of how to accomplish a given task and to understand the correct sequence of actions.

The same conventions for developing new finish scripts apply to developing new audit scripts. For these conventions, see Customizing Finish Scripts.

Audit and finish scripts work together. Whenever you add new audit scripts, be sure to add their companion finish scripts.


Using Standard Audit Scripts

Audit scripts provide an automated way within the Solaris Security Toolkit software to validate a security posture by comparing it to a predefined security profile. Use audit scripts to validate that security modifications were made correctly, and to obtain reports on any discrepancies between a system's security posture and your security profile. For details on using audit scripts to validate system security, refer to Chapter 6 in the Solaris Security Toolkit 4.1 Administration Guide.

This section describes the standard audit scripts, which are in the Audit directory. Only the functionality performed by the audit scripts is described.

Each of the scripts in the Audit directory is organized into the following categories, which mirror those of the finish scripts in the Finish directory:

In addition to these standard audit scripts, Solaris Security Toolkit software provides product-specific audit scripts. For a list of product-specific audit scripts, see Using Product-Specific Audit Scripts.

Disable Audit Scripts

The following disable audit scripts are described in this section:

disable-ab2.aud



Note - This script is necessary only for systems running the Solaris OS versions 2.5.1 through 8, because the AnswerBook2 software is no longer used in Solaris OS version 9.



This script determines if the AnswerBook2 service is installed, configured, or running on the system. It indicates a failure if the software is installed, configured to run, or running on the system.

disable-apache.aud



Note - This script checks only for the Apache Web Server that was packaged by Sun and shipped as part of Solaris OS versions 8 and 9.



This script determines if the Apache Web Server is installed, configured, or running on the system. It indicates a failure if the software is installed, configured to run (via a run-control script), or running on the system.

disable-asppp.aud



Note - This script applies only to Solaris OS versions 2.5.1 through 8. For Solaris 9 OS, this service was replaced with the PPP service and is verified using the disable-ppp.aud script.



This script determines if the ASPPP service is installed, configured, or running on the system. It indicates a failure if the software is installed, configured to run (via a run-control script), or running on the system.

disable-autoinst.aud

This script determines if automated installation functionality is installed or enabled on the system. It indicates a failure if the software is installed or configured to run (via a run-control script).

disable-automount.aud



Note - If this service is required, then do not use this script. Also, because this service relies on the RPC service, the disable-rpc.aud script should also not be used.



This script determines if the automount service is installed, configured, or running on the system. It indicates a failure if the software is installed, configured to run (via a run-control script), or running on the system.

disable-dhcpd.aud



Note - This script applies only to the DHCP server included in Solaris OS versions 8 and 9.



This script determines if the DHCP service is installed, configured, or running on the system. It indicates a failure if the software is installed, configured to run (via a run-control script), or running on the system.

disable-directory.aud



Note - This audit script checks only for the Solaris 9 OS-bundled Sun Java System Directory Server. This script does not audit either the unbundled product or the Sun Java System Directory Server software provided with other Solaris OS versions.



This script determines if the Sun Java System Directory service is installed, configured, or running on the system. It indicates a failure if the software is installed, configured to run (via a run-control script), or running on the system.

disable-dmi.aud



Note - This script is appropriate only for systems running Solaris OS versions 2.6 through 9.



This script determines if the DMI service is installed, configured, or running on the system. It indicates a failure if the software is installed, configured to run (via a run-control script), or running on the system.

disable-dtlogin.aud



Note - This script is necessary only for systems running Solaris OS versions 2.6 through 9.



This script determines if the CDE login server, or dtlogin, is installed, configured, or running on the system. It indicates a failure if the software is installed, configured to run (via a run-control script), or running on the system.

disable-ipv6.aud



Note - This script is necessary only for systems running the Solaris OS versions 8 and 9.



This script checks for the absence of the IPv6 host name files, /etc/hostname6.*, that cause IPv6 interfaces to be plumbed, and it checks whether the in.ndpd service is started. It indicates a failure if any IPv6 interfaces are configured or plumbed, or if the service is running.

disable-kdc.aud




Caution - If JASS_DISABLE_MODE is set to conf, the kdc.conf file is disabled, thus disabling the ability of the system to act as both a Kerberos client and KDC server. Do not use this script in that manner if the system must act as a Kerberos client.





Note - This script is necessary only for systems running the Solaris 9 OS.



This script determines if the KDC service is installed, configured, or running on the system. It indicates a failure if the software is installed, configured to run (via a run-control script), or running on the system.

disable-keyboard-abort.aud



Note - This script is used only in Solaris OS versions 2.6 through 9.





Note - Some systems feature key switches with a secure position. On these systems, setting the key switch to the secure position overrides any software default set with the kbd command.



This script determines if the system is configured to ignore keyboard abort sequences. Typically, when a keyboard abort sequence is initiated, the operating system is suspended and the console enters the OpenBoot PROM monitor or debugger. This script determines if the system can be suspended in this way.

disable-keyserv-uid-nobody.aud

This script determines if the keyserv service is not configured to prevent the use of default keys for the user nobody. This script indicates a failure if the keyserv process is not running with the -d flag and the ENABLE_NOBODY_KEYS parameter is not set to NO (for Solaris OS version 9).

disable-ldap-client.aud



Note - This script applies to Solaris OS versions 8 and 9.



This script determines if the LDAP client service is installed, configured, or running on the system. It indicates a failure if the software is installed, configured to run (via a run-control script), or running on the system.

disable-lp.aud

This script determines if the line printer (lp) service is installed, configured, or running on the system. It indicates a failure if the software is installed, configured to run (via a run-control script), or running on the system. This script indicates a failure if the lp user is permitted to use the cron facility or has a crontab file installed.

disable-mipagent.aud



Note - This script is necessary only for Solaris OS versions 8 and 9.



This script determines if the Mobile IP service is installed, configured, or running on the system. It indicates a failure if the software is installed, configured to run (via a run-control script), or running on the system.

disable-named.aud



Note - Disabling this service does not affect the ability of the system to act as a Domain Name System (DNS) client.



This script determines if the DNS server is installed, configured, or running on the system. This script indicates a failure if the software is installed, configured to run (through a configuration file), or actually running on the system.

This script checks only for the DNS server that was packaged by Sun Microsystems and shipped as part of the Solaris OS.

disable-nfs-client.aud




Caution - If this service is required, then do not use this script. Also, because this service relies on the RPC service, the disable-rpc.aud script should not be used.



This script determines if the NFS client service is configured or running on the system. It indicates a failure if the software is configured to run or is running on the system.

disable-nfs-server.aud




Caution - If this service is required, then do not use this script. Also, because this service relies on the RPC service, the disable-rpc.aud script should not be used.



This script determines if the NFS service is configured or running on the system. It indicates a failure if the software is configured to run or is running on the system.

disable-nscd-caching.aud

This script determines if any of the passwd, group, host, or ipnodes services have a positive-time-to-live or negative-time-to-live value that is not set to 0. It indicates a failure if the value is not 0.
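The following Bourne shell script is an added example, not code from the Solaris Security Toolkit: it implements the positive-time-to-live and negative-time-to-live check described above as a stand-alone function that reads an nscd.conf file given as an argument, then runs it over a constructed sample file. The toolkit's own logging and check functions are not used, and treating a missing line as a failure is an assumption of this example.

```shell
#!/bin/sh
# Added example, not part of the Solaris Security Toolkit: the check that
# disable-nscd-caching.aud is described as performing, written as a
# stand-alone Bourne shell function that reads an nscd.conf file given as an
# argument instead of the live /etc/nscd.conf.

# Databases whose caching the text says must be switched off.
NSCD_DATABASES="passwd group hosts ipnodes"

# nscd_ttl <conf-file> <attribute> <database>
# Prints the value configured for e.g. "positive-time-to-live passwd", or
# "unset" when the file carries no such line. Comment lines start with "#"
# in nscd.conf, so they never match on $1.
nscd_ttl() {
    awk -v attr="$2" -v db="$3" '
        $1 == attr && $2 == db { print $3; found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# audit_nscd_caching <conf-file>
# Returns 0 when every database has both positive-time-to-live and
# negative-time-to-live explicitly set to 0, otherwise the number of
# non-compliant settings. A missing line counts as a failure because nscd
# then applies its built-in (non-zero) default; that treatment is an
# assumption of this example, not a statement from the manual.
audit_nscd_caching() {
    conf="$1"
    failures=0
    for db in ${NSCD_DATABASES}; do
        for attr in positive-time-to-live negative-time-to-live; do
            value=`nscd_ttl "${conf}" "${attr}" "${db}"`
            if [ "${value}" = "0" ]; then
                echo "PASS: ${attr} ${db} is 0"
            else
                echo "FAIL: ${attr} ${db} is ${value}, expected 0"
                failures=`expr ${failures} + 1`
            fi
        done
    done
    return ${failures}
}

# write_sample_nscd_conf <file> <compliant|caching>
# Writes a constructed nscd.conf for demonstration. The "caching" variant
# leaves passwd with a positive TTL of 600, hosts with a negative TTL of 5,
# and omits the ipnodes lines entirely.
write_sample_nscd_conf() {
    if [ "$2" = "compliant" ]; then
        cat > "$1" <<'EOF'
# constructed sample: caching disabled as the toolkit expects
logfile /var/adm/nscd.log
enable-cache passwd yes
positive-time-to-live passwd 0
negative-time-to-live passwd 0
positive-time-to-live group 0
negative-time-to-live group 0
positive-time-to-live hosts 0
negative-time-to-live hosts 0
positive-time-to-live ipnodes 0
negative-time-to-live ipnodes 0
EOF
    else
        cat > "$1" <<'EOF'
# constructed sample: settings that the audit should reject
logfile /var/adm/nscd.log
#positive-time-to-live passwd 0
positive-time-to-live passwd 600
negative-time-to-live passwd 0
positive-time-to-live group 0
negative-time-to-live group 0
positive-time-to-live hosts 0
negative-time-to-live hosts 5
EOF
    fi
}

# Stand-alone demonstration over the constructed file (4 failures expected).
demo_dir=`mktemp -d`
write_sample_nscd_conf "${demo_dir}/nscd.conf" caching
audit_nscd_caching "${demo_dir}/nscd.conf"
echo "disable-nscd-caching check finished with $? failure(s)"
rm -rf "${demo_dir}"
```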

disable-picld.aud



Note - This script is necessary only for systems running Solaris OS versions 8 and 9.



This script determines if the PICL service is installed, configured, or running on the system. It indicates a failure if the software is installed, configured to run (via a run-control script), or running on the system.

disable-power-mgmt.aud



Note - This script is necessary only for systems running Solaris OS versions 2.6 through 9.



This script determines if the power management service is installed, configured, or running on the system. It indicates a failure if the software is installed, configured to run (via a run-control script), or running on the system.

disable-ppp.aud



Note - This service was introduced in Solaris 8 OS (7/01) and supplements the older ASPPP service. This script is necessary only for systems running Solaris OS versions 8 and 9.



This script determines if the PPP service is installed, configured, or running on the system. It indicates a failure if the software is installed, configured to run (via a run-control script), or running on the system.

disable-preserve.aud

This script determines if the preserve functionality is enabled through its run-control script. If enabled, a failure is indicated.

disable-remote-root-login.aud



Note - Other mechanisms to access systems, such as the use of Solaris Secure Shell, that do not use /bin/login might still provide direct root access, even if the system passes this test.



This script determines if the root user is permitted to log in directly to, or execute commands on, the system remotely through programs that use /bin/login, such as Telnet. It indicates a failure if such access is permitted.

disable-rhosts.aud



Note - This script is necessary only for Solaris OS versions 2.6 through 9.



This script determines if the rhosts and hosts.equiv functionality is enabled through PAM configuration in /etc/pam.conf. It indicates a failure if this functionality is enabled using the pam_rhosts_auth.so.1 module in the /etc/pam.conf file.

disable-rpc.aud




Caution - The RPC port mapper function should not be disabled if any of the following services are used on the system: automount, NFS, NIS, NIS+, CDE, and volume management (Solaris 9 OS only).



This script determines if the RPC service is installed, configured, or running on the system. It indicates a failure if the software is installed, configured to run (via a run-control script), or running on the system. In addition, this script indicates a failure for each service registered with the rpcbind port mapper.

disable-samba.aud

This script determines if the Samba service is installed, configured, or running on the system. It indicates a failure if the software is installed, configured to run (via a run-control script), or running on the system. Only Samba services included in the Solaris OS distribution are verified as being disabled. This script does not impact other Samba distributions installed on the system.

disable-sendmail.aud



Note - The Solaris Security Toolkit software modifications verify only that a Solaris OS system is not configured to receive email. Outgoing email is still processed normally.



By default, the sendmail service is configured to both forward local mail and to receive incoming mail from remote sources. If a system is not intended to be a mail server, then the sendmail service can be configured not to accept incoming messages. This script checks that the sendmail service is configured in such a manner.

This check is performed in a variety of ways depending on the version of the Solaris OS used. For Solaris OS version 9, this script checks for the existence of the following in the /etc/mail/sendmail.cf file:


Name=NoMTA4, Family=inet, Addr=127.0.0.1

For Solaris 8 OS, this script checks the /etc/default/sendmail file to determine if the MODE parameter is set to "" (nothing). For earlier versions of the Solaris OS, this script determines if the sendmail run-control scripts are disabled and an entry added to the root user's crontab file to automate the processing of queued mail.

This script indicates a failure if the sendmail service is not disabled in accordance with the checks unique to the Solaris OS version.
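The following Bourne shell script is an added example, not code from the Solaris Security Toolkit: it implements the Solaris 9 and Solaris 8 checks described above as stand-alone functions that read the configuration files passed as arguments, dispatching on the OS version the way the text describes, and runs them over constructed sample files. The pre-Solaris 8 check (run-control scripts plus a root crontab entry) is not implemented here.

```shell
#!/bin/sh
# Added example, not part of the Solaris Security Toolkit: the Solaris 9 and
# Solaris 8 checks that disable-sendmail.aud is described as performing,
# written as stand-alone Bourne shell functions that read the configuration
# files passed as arguments rather than the live /etc files.

# sendmail_no_mta_s9 <sendmail.cf>
# Solaris 9: returns 0 if the file carries the loopback-only daemon option
# quoted in the text, 1 otherwise. Comment lines begin with "#" in
# sendmail.cf, so a commented-out option does not count.
sendmail_no_mta_s9() {
    grep -v '^#' "$1" | grep 'Name=NoMTA4, Family=inet, Addr=127.0.0.1' >/dev/null
}

# sendmail_mode_empty_s8 <default-sendmail-file>
# Solaris 8: returns 0 if the MODE parameter is set to "" (nothing),
# 1 if it is unset, commented out, or carries a value such as -bd.
sendmail_mode_empty_s8() {
    state=`awk -F= '
        $1 == "MODE" { value = $2; found = 1 }
        END {
            if (!found) print "unset"
            else if (value == "" || value == "\"\"") print "empty"
            else print value
        }' "$1"`
    [ "${state}" = "empty" ]
}

# audit_sendmail <solaris-version> <config-file>
# Dispatches on the Solaris OS version as the audit script does. Returns 0
# when sendmail is configured not to accept incoming mail, 1 when it is
# not, and 2 for a version this example does not cover.
audit_sendmail() {
    case "$1" in
        9)
            if sendmail_no_mta_s9 "$2"; then
                echo "PASS: $2 restricts the daemon to 127.0.0.1"
                return 0
            fi
            echo "FAIL: $2 lacks Name=NoMTA4, Family=inet, Addr=127.0.0.1"
            return 1
            ;;
        8)
            if sendmail_mode_empty_s8 "$2"; then
                echo "PASS: MODE is empty in $2"
                return 0
            fi
            echo "FAIL: MODE is not set to \"\" in $2"
            return 1
            ;;
        *)
            echo "NOTE: Solaris version $1 is not covered by this example"
            return 2
            ;;
    esac
}

# write_sendmail_samples <dir>
# Constructed sample files for demonstration: one hardened and one stock
# variant of each configuration file.
write_sendmail_samples() {
    cat > "$1/sendmail.cf.hardened" <<'EOF'
# constructed sample, not a real sendmail.cf
O DaemonPortOptions=Name=NoMTA4, Family=inet, Addr=127.0.0.1
EOF
    cat > "$1/sendmail.cf.stock" <<'EOF'
# constructed sample, not a real sendmail.cf
#O DaemonPortOptions=Name=NoMTA4, Family=inet, Addr=127.0.0.1
O DaemonPortOptions=Name=MTA
EOF
    cat > "$1/default.sendmail.hardened" <<'EOF'
# constructed sample /etc/default/sendmail
MODE=""
EOF
    cat > "$1/default.sendmail.stock" <<'EOF'
# constructed sample /etc/default/sendmail
#MODE=""
MODE=-bd
EOF
}

# Stand-alone demonstration: one failing and one passing case.
demo_dir=`mktemp -d`
write_sendmail_samples "${demo_dir}"
audit_sendmail 9 "${demo_dir}/sendmail.cf.stock"
audit_sendmail 8 "${demo_dir}/default.sendmail.hardened"
rm -rf "${demo_dir}"
```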

disable-slp.aud



Note - This script is necessary only for systems running Solaris OS versions 8 and 9.



This script determines if the SLP service is installed, configured, or running on the system. It indicates a failure if the software is installed, configured to run (via a run-control script), or running on the system.

disable-sma.aud

This script determines if the SMA service is installed, configured, or running on the system. This script indicates a failure if the software is installed, configured to run (through a run-control script), or actually running on the system.

disable-snmp.aud



Note - This script checks only the SNMP agent provided in Solaris OS versions 2.6 through 9.



This script determines if the SNMP service is installed, configured, or running on the system. It indicates a failure if the software is installed, configured to run (via a run-control script), or running on the system. This script does not verify whether third-party SNMP agents are functioning on the system.

disable-spc.aud



Note - This script is necessary only for systems running Solaris OS versions 2.6 through 9.



This script determines if the SPC service is installed, configured, or running on the system. It indicates a failure if the software is installed, configured to run (via a run-control script), or running on the system.

disable-ssh-root-login.aud

This script indicates a failure if the Solaris Secure Shell service distributed in the Solaris OS version 9 does not restrict access to the root account. This script is necessary only for systems running at minimum Solaris OS version 9 with the Solaris Secure Shell packages installed and enabled.

disable-syslogd-listen.aud



Note - Do not use this script on a SYSLOG server, because a SYSLOG server's function is to log remotely.



The script sets options to disallow the remote logging functionality of the syslogd process. This script determines if the SYSLOG service is configured to accept remote log connections. It indicates a failure if the syslogd process is not running with the -t flag and the LOG_FROM_REMOTE parameter is not set to NO (for the Solaris OS version 9).

disable-system-accounts.aud

For each account name listed in the JASS_ACCT_DISABLE environment variable, this script indicates a failure for each account that is not configured to use the shell defined by the JASS_SHELL_DISABLE variable. Also, this script indicates a failure if the shell program listed in the JASS_SHELL_DISABLE variable does not exist on the system.

Note that this script only checks accounts that are listed in the /etc/passwd file. It does not check for accounts listed in any other naming service (NIS, NIS+, or LDAP).
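The following Bourne shell script is an added example, not code from the Solaris Security Toolkit: it implements the two checks described above (each listed account uses the disabling shell, and that shell exists) as a stand-alone function that reads a passwd file and a root directory passed as arguments, and runs it over a constructed sample. The JASS_ACCT_DISABLE and JASS_SHELL_DISABLE names are the toolkit's; the default values given to them here are assumptions of the example.

```shell
#!/bin/sh
# Added example, not part of the Solaris Security Toolkit: the check that
# disable-system-accounts.aud is described as performing, as a stand-alone
# Bourne shell function. The variable names are the toolkit's; the default
# values below are assumed for this example and are overridden by the
# environment when set.
JASS_ACCT_DISABLE="${JASS_ACCT_DISABLE:-daemon bin sys adm lp uucp nuucp listen nobody}"
JASS_SHELL_DISABLE="${JASS_SHELL_DISABLE:-/sbin/noshell}"

# passwd_shell <passwd-file> <account>
# Prints "found:<shell>" for the account's login shell field, or nothing if
# the account is not in the file. The "found:" prefix distinguishes an empty
# shell field from an absent account.
passwd_shell() {
    awk -F: -v u="$2" '$1 == u { print "found:" $7; exit }' "$1"
}

# audit_disabled_accounts <passwd-file> <root-dir>
# Returns 0 if the disabling shell exists under <root-dir> and every account
# named in JASS_ACCT_DISABLE that appears in <passwd-file> uses it; otherwise
# returns the number of failures. Accounts that exist only in NIS, NIS+ or
# LDAP are never consulted, matching the note in the text.
audit_disabled_accounts() {
    passwd_file="$1"
    root_dir="$2"
    failures=0

    if [ ! -f "${root_dir}${JASS_SHELL_DISABLE}" ]; then
        echo "FAIL: ${JASS_SHELL_DISABLE} does not exist under ${root_dir}"
        failures=`expr ${failures} + 1`
    fi

    for acct in ${JASS_ACCT_DISABLE}; do
        entry=`passwd_shell "${passwd_file}" "${acct}"`
        if [ -z "${entry}" ]; then
            echo "NOTE: ${acct} not in ${passwd_file}, skipped"
            continue
        fi
        shell=`echo "${entry}" | sed 's/^found://'`
        if [ "${shell}" = "${JASS_SHELL_DISABLE}" ]; then
            echo "PASS: ${acct} uses ${JASS_SHELL_DISABLE}"
        else
            echo "FAIL: ${acct} uses '${shell}', expected ${JASS_SHELL_DISABLE}"
            failures=`expr ${failures} + 1`
        fi
    done
    return ${failures}
}

# write_sample_system <dir> <hardened|stock>
# Builds a constructed root directory holding a passwd file and, for the
# hardened variant, the disabling shell program. In the stock variant bin
# and lp keep /usr/bin/sh, nuucp has an empty shell field, and the
# disabling shell is missing.
write_sample_system() {
    mkdir -p "$1/sbin"
    if [ "$2" = "hardened" ]; then
        : > "$1/sbin/noshell"
        cat > "$1/passwd" <<'EOF'
root:x:0:1:Super-User:/:/sbin/sh
daemon:x:1:1::/:/sbin/noshell
bin:x:2:2::/usr/bin:/sbin/noshell
sys:x:3:3::/:/sbin/noshell
adm:x:4:4:Admin:/var/adm:/sbin/noshell
lp:x:71:8:Line Printer Admin:/usr/spool/lp:/sbin/noshell
listen:x:37:4:Network Admin:/usr/net/nls:/sbin/noshell
nobody:x:60001:60001:Nobody:/:/sbin/noshell
EOF
    else
        cat > "$1/passwd" <<'EOF'
root:x:0:1:Super-User:/:/sbin/sh
daemon:x:1:1::/:/sbin/noshell
bin:x:2:2::/usr/bin:/usr/bin/sh
sys:x:3:3::/:/sbin/noshell
lp:x:71:8:Line Printer Admin:/usr/spool/lp:/usr/bin/sh
nuucp:x:9:9:uucp Admin:/var/spool/uucppublic:
nobody:x:60001:60001:Nobody:/:/sbin/noshell
EOF
    fi
}

# Stand-alone demonstration over the stock sample (4 failures expected).
demo_dir=`mktemp -d`
write_sample_system "${demo_dir}" stock
audit_disabled_accounts "${demo_dir}/passwd" "${demo_dir}"
echo "disable-system-accounts check finished with $? failure(s)"
rm -rf "${demo_dir}"
```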

disable-uucp.aud

This script determines if the UUCP service is installed, configured, or running on the system. It indicates a failure if the software is installed, configured to run (via a run-control script), or running on the system. Also, it indicates a failure if the nuucp user exists, if in.uucpd exists in /etc/inetd.conf, or if a uucp crontab file is installed.

disable-vold.aud



Note - Do not use this script if automatic mounting and unmounting of removable media (such as diskettes and CD-ROMs) is needed.



This script determines if the VOLD service is installed, configured, or running on the system. It indicates a failure if the software is installed, configured to run (via a run-control script), or is running on the system.

disable-wbem.aud



Note - If this service is required, then do not use this script. Also, because this service relies on the RPC service, the disable-rpc.fin script should not be used either. Do not use this script if you use Solaris Management Console.





Note - This script is necessary only for systems running Solaris OS versions 8 and 9.



This script determines if the WBEM service is installed, configured, or running on the system. It indicates a failure if the software is installed, configured to run (via a run-control script), or running on the system.

disable-xserver.listen.aud



Note - This script is applicable only to the Solaris OS version 9.



It indicates a failure if the X11 server is configured to accept client connections using the TCP transport. In addition, it indicates a failure if the X11 server is running in a configuration that permits use of the TCP transport.

Enable Audit Scripts

The following enable audit scripts are described in this section:

enable-32bit-kernel.aud

This script determines if the system is configured to run in 32-bit mode or is running in 32-bit mode. It is valid only for Solaris OS versions 7, 8, and 9. Note that this script gives a failure if the system is running in 32-bit mode and is also running Solaris OS versions 7, 8, or 9. For Solaris OS versions 2.5.1 and 2.6, note that all systems run in 32-bit mode only.

enable-bsm.aud

This script determines if the SunSHIELD Solaris Basic Security Module (Solaris BSM) auditing functionality is enabled and running on the system, if the service is loaded in the /etc/system file, and if the audit_warn alias is defined in /etc/mail/aliases. If one or more of these checks fail, then the script indicates a failure.

enable-coreadm.aud

This script verifies that the system stores generated core files under the directory specified by JASS_CORE_DIR. It indicates a failure if the coreadm functionality present in the Solaris OS versions 7, 8, or 9 is not configured. Also, an error condition is generated if core files are not tagged with the specification denoted by JASS_CORE_PATTERN.

enable-ftp-syslog.aud

This script determines if the FTP service is not configured to log session and connection information. A failure is indicated if the FTP service logging is not enabled.

enable-ftpaccess.aud



Note - This script is necessary only on systems running the Solaris OS version 9.



This script determines if the FTP service is configured to use the /etc/ftpd/ftpaccess file. A failure is indicated if FTP is not configured properly.

enable-inetd-syslog.aud

This script determines if the Internet services daemon (inetd) service is configured to log session and connection information. Note that for Solaris OS version 9, this script checks that the -t option was added to the inetd command line and that the ENABLE_CONNECTION_LOGGING variable in the /etc/default/inetd file is set to YES. A failure is indicated if either of these checks fail.

enable-priv-nfs-ports.aud

This script determines if the NFS service is configured to accept only client communication that originates from a port in the privileged range below 1024. A failure is indicated if the NFS service is not configured properly.

enable-process-accounting.aud

This script determines if the process accounting software is installed, enabled, or running on the system. A failure is indicated if this is not true.

enable-rfc1948.aud



Note - This script is necessary only on systems running Solaris OS versions 2.6 through 9.



This script determines if the system is configured to use RFC 1948 for its TCP sequence number generation. This script checks both the stored configuration and the actual runtime setting. A failure is displayed if the system is not configured to use RFC 1948-compliant TCP sequence number generation.

enable-stack-protection.aud



Note - This script is necessary only on systems running the Solaris OS versions 2.6 through 9.



This script determines if the noexec_user_stack and noexec_user_stack_log options are set in the /etc/system file to enable stack protections and exception logging. If these options are not enabled, a failure is reported.

enable-tcpwrappers.aud



Note - This script applies only to Solaris OS version 9 using the bundled TCP wrapper packages.



This script determines if TCP wrappers are not installed or configured using the hosts.allow|deny templates included with the Solaris Security Toolkit software or enabled by using the ENABLE_TCPWRAPPERS variable. A failure is reported if the system is not using TCP wrappers.

Install Audit Scripts

The following install audit scripts are described in this section:

install-at-allow.aud

This script determines if a user name is listed in the JASS_AT_ALLOW variable and does not exist in the /etc/cron.d/at.allow file. The list of user names defined by JASS_AT_ALLOW is, by default, empty. To pass this check, each user name must exist in both the /etc/passwd file and the /etc/cron.d/at.allow file. Furthermore, a user name should not be in the /etc/cron.d/at.deny file. A failure is displayed if a user name is not listed in both files.

install-fix-modes.aud

This script determines if the Fix Modes program was installed and run on the system. It indicates a failure if the software is not installed or has not been run. Further, this script uses Fix Modes in debug mode to determine if any additional file system objects should be adjusted.

install-ftpusers.aud

This script determines if a user name listed in the JASS_FTPUSERS parameter does not exist in the ftpusers file.

install-jass.aud

This script determines if the Solaris Security Toolkit (SUNWjass) package is installed on the system. A failure is reported if this package is not installed.

install-loginlog.aud

This script checks for the existence and proper ownership and permissions for the /var/adm/loginlog file. It indicates a failure if the file does not exist, has invalid permissions, or is not owned by the root account.

install-md5.aud

This script determines if the MD5 software is installed on the system. A failure is reported if the software is not installed.

install-nddconfig.aud

This script determines if the nddconfig run-control script files identified in the Sun BluePrints OnLine article, Solaris Operating Environment Network Settings for Security and included with the Solaris Security Toolkit, have been copied to and their settings made active on the target system.

The script performs the following checks per object:

1. Test to ensure that the source and target file types (regular file, symbolic link, or directory) match

2. Test to ensure that the source and target file type contents are the same

This script also verifies that the settings defined by the nddconfig script are actually in place on the running system. This script uses its own copy of the nddconfig script in the Solaris Security Toolkit to provide more accurate reporting of results, especially in cases where the script name has changed or where other scripts are used to implement the same effects.

This script gives a failure when any of the checks described above are found to be false.

install-newaliases.aud

This script checks for the existence of the /usr/bin/newaliases program. It indicates a failure if this file does not exist or is not a symbolic link.

install-openssh.aud



Note - Solaris 9 OS includes a version of the Secure Shell software; therefore, this script is not used if you install Solaris 9 OS.



This script determines if the OpenSSH package specified by the script is installed and configured. A failure is reported if the package is not installed.

install-recommended-patches.aud

This script determines if the patches listed in the Recommended and Security Patch Cluster file are installed on the system. The patch information is collected from the JASS_HOME_DIR/Patches directory, based on the Solaris OS version of the system being tested. A failure is displayed if one or more of these patches are not installed.

Note that this script indicates success if the version of the patch installed is equal to or greater than the version listed in the patch order file.

install-sadmind-options.aud

This script determines if the sadmind service exists in the /etc/inet/inetd.conf file. If it does, this script checks to ensure that options are set to those defined by the JASS_SADMIND_OPTIONS variable. The default setting is -S 2.

install-security-mode.aud

This script checks the status of the EEPROM security mode. It displays a warning if the mode is not command or full. In addition, this script checks the PROM failed login counter and displays a warning if it is not zero.

Note that because the install-security-mode.fin script cannot change the security mode of the system, this script only indicates a warning for noncompliance rather than reporting a failure.

install-shells.aud

This script determines if any shell defined by the JASS_SHELLS parameter is not listed in the shells file. TABLE 5-1 lists the shells defined by JASS_SHELLS.


TABLE 5-1 List of shells Defined by JASS_SHELLS

/usr/bin/sh
/usr/bin/csh
/usr/bin/ksh
/usr/bin/jsh
/bin/sh
/bin/csh
/bin/ksh
/bin/jsh
/sbin/sh
/sbin/jsh
/bin/bash
/bin/pfcsh
/bin/pfksh
/bin/pfsh
/bin/tcsh
/bin/zsh
/usr/bin/bash
/usr/bin/pfcsh
/usr/bin/pfksh
/usr/bin/pfsh
/usr/bin/tcsh
/usr/bin/zsh


A failure is displayed if any shells listed in JASS_SHELLS are not also listed in the shells file.

install-strong-permissions.aud

This script determines if any of the modifications recommended by the install-strong-permissions.fin script were not implemented. A failure is displayed if any of these modifications were not made.

install-sulog.aud

This script checks for the proper ownership and permissions of the /var/adm/sulog file. It indicates a failure if the file does not exist, has invalid permissions, or is not owned by the root account.

install-Sun_ONE-WS.aud

This script determines if the Sun Java System, formerly Sun ONE, Web Server is installed on the system in accordance with the install-Sun_ONE-WS.fin script. A failure is reported if the software is not installed correctly.

install-templates.aud

This script determines if the files defined by the JASS_FILES variable were successfully copied to the target system. It indicates a failure if either of the following two checks fails: a test to ensure that the source and target file types (regular file, symbolic link, or directory) match, and a test to ensure that their contents are the same.

Minimize Audit Script

This script determines if any nonessential packages exist on the system as defined by the minimization finish script, minimize-Sun_ONE-WS.fin. A failure is displayed if any of the nonessential packages are present on the system.

Print Audit Scripts

The following print audit scripts are described in this section:

These scripts perform the same functions as the print finish scripts, except that they are customized for audit use.

print-jass-environment.aud

This script displays the variables used by the Solaris Security Toolkit. It does not perform any validation or other checks on the content. The variables and their content are displayed.

print-jumpstart-environment.aud

This script is for JumpStart mode only. It is used to print out JumpStart environment variable settings. This script does not perform any audit checks.

print-rhosts.aud

This script displays a notice for any files found with the name of .rhosts or hosts.equiv. Further, this script displays the contents of those files for further inspection.

print-sgid-files.aud

This script displays a notice for any files that have the set-gid bit set, and it provides a full (long) listing for further review.

print-suid-files.aud

This script displays a notice for any files that have the set-uid bit set, and it provides a full (long) listing for further review.

print-unowned-objects.aud

This script displays a notice for any files that are not assigned to a valid user and group, and it provides a full (long) listing for further review.

print-world-writable-objects.aud

This script displays a notice for any matching files that are world-writable, and it provides a full (long) listing for further review.

Remove Audit Script

The remove-unneeded-accounts.aud script validates that unused Solaris OS accounts, defined by the JASS_ACCT_REMOVE variable, were removed from the system.

Set Audit Scripts

The following set audit scripts are described in this section:

set-banner-dtlogin.aud



Note - This script is necessary only for systems running Solaris OS versions 2.6 through 9.



This script verifies that a service banner for the CDE or dtlogin service is defined. This script verifies that the system displays the contents of /etc/motd by listing it in the file template JASS_ROOT_DIR/etc/dt/config/Xsession.d/0050.warning.

set-banner-ftpd.aud



Note - This script is necessary only for systems running the Solaris OS versions 2.6 through 9.



This script checks that the FTP service banner matches the value defined by the JASS_BANNER_FTPD variable. It indicates a failure if the service banner does not match. The value of the variable is Authorized Use Only.

set-banner-sendmail.aud

This script verifies that the sendmail service is configured to display the service banner as defined by the JASS_BANNER_SENDMAIL environment variable. This banner is displayed to all clients connecting to the sendmail service over the network.

set-banner-sshd.aud



Note - This script is used only for systems running Solaris 9 OS.



This script verifies that the Secure Shell service banner is displayed by ensuring that the Secure Shell service displays the contents of /etc/issue to the user prior to authenticating access to the system.

set-banner-telnet.aud



Note - This script is necessary only for systems running Solaris OS versions 2.6 through 9.



This script checks that the Telnet service banner matches the value defined by the JASS_BANNER_TELNETD variable. It indicates a failure if the service banner does not match. The value of the variable is Authorized Use Only.

set-ftpd-umask.aud



Note - This script is necessary only for systems running Solaris OS versions 2.6 through 9.



This script checks that the FTP service's file creation mask (umask) matches the value defined by the JASS_FTPD_UMASK variable. It indicates a failure if the file creation mask value does not match. The default value of the variable is 022.

set-login-retries.aud

This script determines if the login RETRIES parameter is assigned the value defined by the JASS_LOGIN_RETRIES variable. The variable default is set to 3. A failure is displayed if the variable is not set to the default.

set-power-restrictions.aud



Note - This script is necessary only for systems running Solaris OS versions 2.6 through 9.



This script checks the /etc/default/power file and indicates a failure if the PMCHANGEPERM and CPRCHANGEPERM parameters do not have a hyphen "-" as their values.

set-rmmount-nosuid.aud



Note - Solaris OS versions 8 and 9 are configured to mount removable media with the nosuid option by default. This script performs the necessary checks regardless of the default settings.



This script determines if the /etc/rmmount.conf file restricts the mounting of removable UFS or HSFS file systems by enforcing the nosuid parameter. A failure is displayed if this restriction is not defined in the /etc/rmmount.conf file.

set-root-group.aud

This script determines if the root account's primary group is set to the value defined by the JASS_ROOT_GROUP variable. A failure is displayed if it is not defined properly.

set-root-password.aud

This script checks the password of the root account. It indicates a failure if the value is the same as that of the JASS_ROOT_PASSWORD variable. This check is done to encourage users to change the root password from the value defined by JASS_ROOT_PASSWORD as soon as possible.

set-sys-suspend-restrictions.aud



Note - This script is necessary only for systems running Solaris OS versions 2.6 through 9.



This script checks the /etc/default/sys-suspend file. It indicates a failure if the PERMS parameter does not have a hyphen "-" as its value.

set-system-umask.aud

This script determines if the system's default file creation mask is set to the value defined by the JASS_UMASK variable. The default value is set to 022. A failure is displayed if the variable is not properly defined.

set-term-type.aud

This script determines if the /etc/profile and the /etc/login files set the default terminal type to vt100. A failure is displayed if the default terminal type is not defined properly. This script is provided as a convenience only, and a failure does not impact the security of a system.

set-tmpfs-limit.aud



Note - The set-tmpfs-limit.aud script does not run under Solaris OS version 2.5.1, where this functionality is unsupported.



This script determines if any tmpfs file systems are defined in the /etc/vfstab file without their size being limited to the JASS_TMPFS_SIZE variable, which is set to a default of 512 megabytes. A failure is reported if the tmpfs file system size does not comply with the JASS_TMPFS_SIZE value.
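The vfstab check described above, written out as an added example in shell (this is not Solaris Security Toolkit code). It assumes the limit is given in the vfstab "size=" notation, with 512m standing in for JASS_TMPFS_SIZE, and treats an entry as non-compliant when "size=" is missing or larger than the limit; the vfstab content is constructed.

```sh
# Added example, not Solaris Security Toolkit code: the set-tmpfs-limit.aud
# check against a constructed vfstab. Assumption: an entry fails when size=
# is absent or exceeds the limit (512m stands in for JASS_TMPFS_SIZE).
WORK=${TMPDIR:-/tmp}/jass-tmpfs-example.$$
mkdir -p "$WORK"

# Constructed /etc/vfstab: /tmp is limited, /scratch has no limit, /export/build is too large.
cat > "$WORK/vfstab" <<'EOF'
#device         device          mount   FS      fsck    mount   mount
#to mount       to fsck         point   type    pass    at boot options
fd      -       /dev/fd fd      -       no      -
/dev/dsk/c0t0d0s0 /dev/rdsk/c0t0d0s0 / ufs 1 no -
swap    -       /tmp    tmpfs   -       yes     size=512m
swap    -       /scratch tmpfs  -       yes     -
swap    -       /export/build tmpfs - yes     nosuid,size=1g
EOF

# Convert a tmpfs size value (512m, 1g, 524288k, or plain bytes) to kilobytes.
to_kb() {
    case $1 in
        *[mM]) echo $(( ${1%?} * 1024 )) ;;
        *[gG]) echo $(( ${1%?} * 1024 * 1024 )) ;;
        *[kK]) echo "${1%?}" ;;
        *)     echo $(( $1 / 1024 )) ;;
    esac
}

# audit_tmpfs VFSTAB LIMIT: prints one line per tmpfs entry, returns the failure count.
audit_tmpfs() {
    limit_kb=$(to_kb "$2")
    fails=0
    # Field 4 is the FS type, field 3 the mount point, field 7 the mount options.
    awk '$1 !~ /^#/ && $4 == "tmpfs" { print $3, $7 }' "$1" > "$WORK/tmpfs.lst"
    while read -r mnt opts; do
        size=
        old_ifs=$IFS; IFS=,
        for o in $opts; do case $o in size=*) size=${o#size=} ;; esac; done
        IFS=$old_ifs
        if [ -z "$size" ]; then
            echo "FAIL: $mnt has no size= option"; fails=$((fails + 1))
        elif [ "$(to_kb "$size")" -gt "$limit_kb" ]; then
            echo "FAIL: $mnt size $size exceeds the $2 limit"; fails=$((fails + 1))
        else
            echo "PASS: $mnt size $size"
        fi
    done < "$WORK/tmpfs.lst"
    return $fails
}

rc=0
audit_tmpfs "$WORK/vfstab" 512m || rc=$?
echo "tmpfs entries out of compliance: $rc"
```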

set-user-password-reqs.aud

This script reviews the password policy settings on the system as defined previously. It indicates an error if the values do not match the following default values defined by the Solaris Security Toolkit:

The default values are contained in the following environment variables:

set-user-umask.aud

This script determines if any of the following files do not set the umask parameter to the value defined by the JASS_UMASK variable. The default value is set to 022.

A failure is displayed if these files do not set the umask parameter appropriately.

Update Audit Scripts

The following update audit scripts are described in this section:

update-at-deny.aud

This script determines if a user account is listed in the JASS_AT_DENY variable and is not listed in the /etc/cron.d/at.deny file. The list of user accounts defined by the JASS_AT_DENY variable is as follows:

To pass this check, each user account must exist in both the /etc/passwd file and the /etc/cron.d/at.deny file. The user account must not exist in the /etc/cron.d/at.allow file, because it would override the setting (due to precedence). A failure is displayed if any of these checks fail.

update-cron-allow.aud

This script determines if a user account is listed in the JASS_CRON_ALLOW variable and not in /etc/cron.d/cron.allow file. By default, the value is only the root user. A failure is displayed if this check fails.

update-cron-deny.aud

This script determines if a user account is listed in the JASS_CRON_DENY variable and not in the /etc/cron.d/cron.deny file. The list of user accounts defined by the JASS_CRON_DENY variable is as follows:

To pass this check, each user account must exist in both the /etc/passwd file and the /etc/cron.d/cron.deny file. Furthermore, the user account must not exist in the /etc/cron.d/cron.allow file, because it would override this setting (due to precedence). A failure is displayed if any of these checks fail.
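The three-part check that both update-at-deny.aud and update-cron-deny.aud apply (account exists, is in the deny file, is not in the overriding allow file), as an added shell example that is not Solaris Security Toolkit code. The passwd, deny and allow files and the account list are constructed; the list stands in for JASS_CRON_DENY and is not the toolkit's value.

```sh
# Added example, not Solaris Security Toolkit code: the check the
# update-at-deny.aud and update-cron-deny.aud descriptions give, run against
# constructed copies of /etc/passwd and the cron.d deny/allow files. The
# account list is a constructed stand-in for JASS_CRON_DENY.
WORK=${TMPDIR:-/tmp}/jass-deny-example.$$
mkdir -p "$WORK/cron.d"

# Constructed passwd file: "lp" is left out on purpose.
cat > "$WORK/passwd" <<'EOF'
root:x:0:0:Super-User:/:/sbin/sh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
adm:x:4:4:Admin:/var/adm:
uucp:x:5:5:uucp Admin:/usr/lib/uucp:
nobody:x:60001:60001:Nobody:/:
EOF

# Constructed cron.deny: "adm" is missing on purpose.
printf '%s\n' daemon bin uucp nobody > "$WORK/cron.d/cron.deny"

# Constructed cron.allow: "uucp" is listed here, which overrides its deny entry.
printf '%s\n' root uucp > "$WORK/cron.d/cron.allow"

# in_list NAME FILE: true if NAME is a whole line of FILE (so "bin" != "sbin").
in_list() {
    [ -f "$2" ] && grep -q "^$1\$" "$2"
}

# audit_deny_list "ACCOUNTS" PASSWD DENYFILE ALLOWFILE
# Prints a verdict per account and returns the number of failures (0 = pass).
audit_deny_list() {
    fails=0
    for acct in $1; do
        if ! cut -d: -f1 "$2" | grep -q "^$acct\$"; then
            echo "FAIL: $acct does not exist in $2"; fails=$((fails + 1))
        elif ! in_list "$acct" "$3"; then
            echo "FAIL: $acct is not listed in $3"; fails=$((fails + 1))
        elif in_list "$acct" "$4"; then
            echo "FAIL: $acct is listed in $4, which takes precedence over $3"
            fails=$((fails + 1))
        else
            echo "PASS: $acct"
        fi
    done
    return $fails
}

SAMPLE_DENY="daemon bin adm uucp lp nobody"
rc=0
audit_deny_list "$SAMPLE_DENY" "$WORK/passwd" \
    "$WORK/cron.d/cron.deny" "$WORK/cron.d/cron.allow" || rc=$?
echo "accounts out of compliance: $rc"
```

The same function audits at.deny by pointing it at at.deny and at.allow instead.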

update-cron-log-size.aud



Note - This script is not needed for systems running Solaris OS version 2.5.1 because the functionality is not supported.



This script determines if the cron facility is configured to increase its default size limit for log files. The check method is based on the version of the Solaris OS and the value of the JASS_CRON_LOG_SIZE variable. The size limit defined by the JASS_CRON_LOG_SIZE variable is 20480 kilobytes. A failure is displayed if the size limitation is not correct. This script runs on Solaris OS versions 2.6, 7, 8, or 9.

update-inetd-conf.aud

This script determines if any of the services listed in the JASS_SVCS_DISABLE variable are disabled in /etc/inetd.conf. This script also checks to ensure that services listed in the JASS_SVCS_ENABLE variable are enabled in the /etc/inetd.conf file. If a service is listed in both variables, then the service is left enabled by the JASS_SVCS_ENABLE variable. A failure is displayed if any of these checks fail.

The JASS_SVCS_DISABLE parameter is populated as shown in TABLE 5-2.


TABLE 5-2 Sample Output of JASS_SVCS_DISABLE

100068 100083 100087 100134 100146 100147 100150
100155 100166 100221 100229 100230 100232 100234
100235 100242 100424 300326 536870916
chargen comsat daytime discard dtspc echo eklogin
exec finger fs ftp kerbd klogin kshell
login name netstat printer rexd rquotad rstatd
rusersd rwalld shell smtp sprayd sun-dr systat
talk telnet tftp time ufsd uucp uuidgen
walld xaudio

The JASS_SVCS_ENABLE variable is, by default, empty. Some drivers may use it, such as the suncluster3x-secure.driver.
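The update-inetd-conf.aud logic described above, including the rule that JASS_SVCS_ENABLE wins when a service is in both lists, as an added shell example that is not Solaris Security Toolkit code. The inetd.conf content and both service lists are constructed stand-ins; RPC entries use the "program/version" first field that inetd.conf uses.

```sh
# Added example, not Solaris Security Toolkit code: the update-inetd-conf.aud
# check against a constructed inetd.conf. The service lists are constructed
# stand-ins for JASS_SVCS_DISABLE and JASS_SVCS_ENABLE.
WORK=${TMPDIR:-/tmp}/jass-inetd-example.$$
mkdir -p "$WORK"

# Constructed inetd.conf: a commented-out line is a disabled service.
cat > "$WORK/inetd.conf" <<'EOF'
ftp      stream  tcp   nowait  root    /usr/sbin/in.ftpd      in.ftpd
telnet   stream  tcp   nowait  root    /usr/sbin/in.telnetd   in.telnetd
#finger  stream  tcp   nowait  nobody  /usr/sbin/in.fingerd   in.fingerd
100068/2-5  dgram  rpc/udp  wait  root  /usr/dt/bin/rpc.cmsd         rpc.cmsd
#100083/1   tli    rpc/tcp  wait  root  /usr/dt/bin/rpc.ttdbserverd  rpc.ttdbserverd
EOF

# service_enabled NAME FILE: true if an uncommented line's first field, with
# any "/version" suffix removed, equals NAME.
service_enabled() {
    awk -v s="$1" '$1 !~ /^#/ { n = $1; sub("/.*", "", n); if (n == s) found = 1 }
                   END { exit !found }' "$2"
}

# in_words WORD "LIST": true if WORD is one of the space-separated LIST items.
in_words() {
    case " $2 " in *" $1 "*) return 0 ;; esac
    return 1
}

# audit_inetd FILE "DISABLE_LIST" "ENABLE_LIST": returns the failure count.
audit_inetd() {
    fails=0
    for svc in $2; do
        if in_words "$svc" "$3"; then
            echo "NOTE: $svc is in both lists; the enable list takes precedence"
        elif service_enabled "$svc" "$1"; then
            echo "FAIL: $svc should be disabled but is enabled"; fails=$((fails + 1))
        else
            echo "PASS: $svc is disabled"
        fi
    done
    for svc in $3; do
        if service_enabled "$svc" "$1"; then
            echo "PASS: $svc is enabled"
        else
            echo "FAIL: $svc should be enabled but is not"; fails=$((fails + 1))
        fi
    done
    return $fails
}

SAMPLE_DISABLE="finger ftp telnet 100068 100083 100087"
SAMPLE_ENABLE="ftp"
rc=0; audit_inetd "$WORK/inetd.conf" "$SAMPLE_DISABLE" "$SAMPLE_ENABLE" || rc=$?
echo "services out of compliance: $rc"
```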


Using Product-Specific Audit Scripts

TABLE 5-3 lists the audit scripts that apply to specific Sun products. These scripts are in the Audit directory.

New audit scripts are released periodically for new and updated Sun products. For the latest list of scripts, refer to the Security Web site:

http://www.sun.com/security/jass



TABLE 5-3 Product-Specific Audit Scripts

Product                                        Driver Name
Sun Cluster 3.x Software                       suncluster3x-set-nsswitch-conf.aud
Sun Fire High-End Systems Domains              s15k-static-arp.aud
                                               s15k-install-klmmod-loader.aud
Sun Fire High-End Systems System Controllers   s15k-static-arp.aud
                                               s15k-exclude-domains.aud
                                               s15k-sms-secure-failover.aud


suncluster3x-set-nsswitch-conf.aud

This script determines if the /etc/nsswitch.conf file lists the cluster keyword as the first source for the hosts database. This script applies only to Sun Cluster 3.x systems and should not be executed on other systems. A failure is displayed if this is not true.

For more information, refer to the Sun BluePrints OnLine article titled "Securing Sun Cluster 3.x Software."

s15k-static-arp.aud

For SMS versions 1.2 and newer, this script verifies that the static ARP configuration files are installed on Sun Fire High-End Systems system controllers (SCs) and domains. For system controllers, the file is /etc/sms_sc_arp. For domains, the file is /etc/sms_domain_arp.

This script checks that all existing domains have Ethernet addresses as listed in the SC static ARP startup script and corresponding data file.

For more information, refer to the Sun BluePrints OnLine articles titled "Securing the Sun Fire 12K and 15K System Controller" and "Securing the Sun Fire 12K and 15K Domains."

s15k-exclude-domains.aud

For SMS versions 1.2 and newer, this script determines if the /etc/opt/SUNWSMS/SMS/config/MAN.cf file exists. If it does, this script checks to ensure that all the domains listed are excluded from the I1 MAN. The script excludes all domains from the I1 MAN. If the site has altered the script to exclude only a subset of the domains, this script issues a warning about each domain that is still part of the I1 MAN.

For more information, refer to the Sun BluePrints OnLine article titled "Securing the Sun Fire 12K and 15K System Controller."

s15k-install-klmmod-loader.aud

This domain-only script checks whether the misc/klmmod kernel module is loaded on a Sun Fire High-End Systems domain.

s15k-sms-secure-failover.aud

For SMS versions 1.2 through 1.4.1, this script determines if the Sun Fire High-End Systems system controller is configured based on the recommendations in the Sun BluePrints OnLine article titled "Securing the Sun Fire 12K and 15K System Controller." It indicates a failure if any of the services listed in the SMS_SVCS_DISABLE variable are enabled in /etc/inet/inetd.conf.