CHAPTER 4
Finish Scripts
This chapter provides reference information about using, adding, modifying, and removing finish scripts. This chapter describes the scripts used by the Solaris Security Toolkit software to harden and minimize Solaris OS systems.
The default scripts in the Solaris Security Toolkit software disable all services, including network services, not required for the OS to function. This action might not be appropriate for your environment. Evaluate which security modifications are required for your system, then make adjustments by using the information in this chapter.
This chapter contains the following topics:
Finish scripts serve as the heart of the Solaris Security Toolkit software. These scripts collectively implement the majority of security modifications. The finish scripts isolate related changes into single files that can be combined and grouped in any number of ways, depending on the design of the security profile (driver).
This section provides instructions and recommendations for customizing existing finish scripts and creating new finish scripts. Also, it provides guidelines for using finish script functions.
Just as with Solaris Security Toolkit drivers, you can customize finish scripts. Use great care when modifying scripts that are supplied with the Solaris Security Toolkit software. Always modify a copy of the finish script and not the original script directly. Failure to do so might result in a loss of changes upon Solaris Security Toolkit software upgrade or removal. Also, wherever possible, try to minimize and document the modifications made to scripts.
Customize finish scripts by using environment variables. The behavior of most finish scripts can be tailored using this technique, thereby eliminating the need to modify the actual script. If this is not possible, then you might find it necessary to modify the code.
For a list of all environment variables and guidelines for defining them, see Chapter 6.
Use the following steps to customize a finish script so that new versions of the original files do not overwrite your customized versions. Furthermore, these files are not removed if the software is removed using the pkgrm command.
1. Copy the script and the related files that you want to customize.
2. Rename the copies with names that identify the files as custom scripts and files.
For naming guidelines, refer to "Configuring and Customizing the Solaris Security Toolkit Software", Chapter 1, Solaris Security Toolkit 4.1 Administration Guide.
3. Modify your custom script and files accordingly.
CODE EXAMPLE 4-1 shows how to automate software installation using install-openssh.fin. In this example, the code expects the version of OpenSSH to be "2.5.2p2," however, the current version of OpenSSH is "3.5p1." Obviously, the version to install varies depending on when the software is installed. This script can also be altered to support a commercial version of the Secure Shell product.
In this case, the only way to adjust this script to support a different version of OpenSSH is to modify it directly. After completing the changes, be sure to change the security profile that uses this script, to account for its new name.
Finish scripts that begin with the keyword disable are typically responsible for disabling services. Many of these scripts modify shell scripts that are located in the run-control directories (/etc/rc*.d). In most cases, run-control scripts are of two flavors: start and kill scripts. As their name implies, start scripts start services and kill scripts stop services. The start scripts begin with the capital letter S and kill scripts begin with the capital letter K.
Kill scripts are most often used to prepare a system for shutting down or rebooting. These scripts shut down services in a logical order so that changes are not lost and the system state is maintained. Typically, both start and kill scripts are hard links to files in the /etc/init.d directory, although this is not always the case.
The default action of the Solaris Security Toolkit software is to disable both start and kill scripts. This behavior can be altered using the JASS_KILL_SCRIPT_DISABLE environment variable. By default, this variable is set to 1, instructing the Solaris Security Toolkit software to disable both start and kill scripts.
There are times when this action is not preferred. For example, kill scripts are often used to stop services that were manually started by an administrator. If these scripts are disabled by the Solaris Security Toolkit software, then these services might not be stopped properly or in the correct sequence. To prevent kill scripts from being disabled, simply set the JASS_KILL_SCRIPT_DISABLE environment variable to 0 in the user.init file or in the relevant driver.
You can create new finish scripts and integrate them into your deployment of the Solaris Security Toolkit software. Because finish scripts must be developed in Bourne shell, it is relatively easy to add new functionality. For those who are less experienced in UNIX shell scripting, examine existing finish scripts that perform similar functions to gain an understanding of how to accomplish a given task and to understand the correct sequence of actions.
Consider the following conventions when developing new finish scripts. Understanding these conventions ensures that the scripts are functional in standalone mode, JumpStart mode, and undo operations.
Whenever adding new finish scripts, be sure to consider adding a companion audit script. Audit scripts are used to determine the state of changes made on an existing system. For more information, see Chapter 5.
The scripts must not be configured to rely on the fact that the "/" directory is the actual root directory of the system. Incorrect configuration prevents the script from working in JumpStart mode when the target's actual root directory is "/a." This convention is easily implemented using the JASS_ROOT_DIR environment variable. For more information about this and other environment variables, see Chapter 6.
In some cases, the program used in a finish script might not support a relocated root directory. In these cases, it might be necessary to use the chroot(1M) command to force the command to run within a relative root directory, such as that described previously. For example, the usermod(1M) command does not allow the user to specify an alternate root directory. In this case, it is necessary to use the chroot(1M) command as follows.
The Solaris Security Toolkit software automatically detects the location of the platform's real root directory and assigns that value to the JASS_ROOT_DIR variable. Use this variable in place of hard-coding a specific path for the root file system. For example, in place of using /etc/inet/inetd.conf within the finish script, use ${JASS_ROOT_DIR}/etc/inet/inetd.conf.
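The following Bourne shell fragment is an added illustration of the two conventions just described, disabling run-control scripts and never assuming "/" is the target root. It is not a Solaris Security Toolkit framework function: the underscore-prefix rename, the function names, the demo dtlogin scripts and the temporary tree standing in for a JumpStart target are all assumptions made for this example. It honours JASS_KILL_SCRIPT_DISABLE exactly as described above and never touches a path that is not prefixed with JASS_ROOT_DIR.

```shell
#!/bin/sh
# Added example, not Solaris Security Toolkit code. The underscore-prefix
# rename, the demo tree and the script names are assumptions for illustration.

: "${JASS_KILL_SCRIPT_DISABLE:=1}"   # 1 = disable S and K scripts, 0 = S only

# disable_rc_scripts NAME
# Rename /etc/rc*.d/S??NAME (and K??NAME when JASS_KILL_SCRIPT_DISABLE=1)
# under JASS_ROOT_DIR to _S??NAME / _K??NAME. The rc framework only runs
# files whose names start with S or K, and keeping the old name inside the
# new one lets an undo step restore it. Never hard-code "/" here: in
# JumpStart mode the target root is /a, and JASS_ROOT_DIR carries that.
disable_rc_scripts() {
    name=$1
    for rcdir in "$JASS_ROOT_DIR"/etc/rc*.d; do
        [ -d "$rcdir" ] || continue
        for f in "$rcdir"/S??"$name" "$rcdir"/K??"$name"; do
            [ -f "$f" ] || continue           # unmatched glob or already renamed
            base=${f##*/}
            case $base in
                K*) [ "$JASS_KILL_SCRIPT_DISABLE" = 1 ] || continue ;;
            esac
            mv "$f" "$rcdir/_$base"
            echo "disabled $f"
        done
    done
}

# active_rc_scripts NAME
# Print how many S/K scripts for NAME are still active; a companion audit
# script would flag anything other than 0.
active_rc_scripts() {
    n=0
    for f in "$JASS_ROOT_DIR"/etc/rc*.d/[SK]??"$1"; do
        [ -f "$f" ] && n=$((n + 1))
    done
    echo "$n"
}

# Constructed demo tree standing in for a JumpStart target rooted at /a.
JASS_ROOT_DIR=$(mktemp -d)
mkdir -p "$JASS_ROOT_DIR/etc/init.d" "$JASS_ROOT_DIR/etc/rc0.d" "$JASS_ROOT_DIR/etc/rc2.d"
printf '#!/sbin/sh\n# stand-in for the dtlogin run-control script\n' \
    > "$JASS_ROOT_DIR/etc/init.d/dtlogin"
# Start and kill scripts are usually hard links to the init.d file.
ln "$JASS_ROOT_DIR/etc/init.d/dtlogin" "$JASS_ROOT_DIR/etc/rc2.d/S99dtlogin"
ln "$JASS_ROOT_DIR/etc/init.d/dtlogin" "$JASS_ROOT_DIR/etc/rc0.d/K10dtlogin"

JASS_KILL_SCRIPT_DISABLE=0
disable_rc_scripts dtlogin      # only S99dtlogin is renamed
echo "active after S-only pass: $(active_rc_scripts dtlogin)"

JASS_KILL_SCRIPT_DISABLE=1
disable_rc_scripts dtlogin      # the remaining K10dtlogin goes too
echo "active after full pass:   $(active_rc_scripts dtlogin)"
```

Running the function a second time is harmless: the S and K globs no longer match anything, so nothing is renamed twice, which is the property that also lets the same script run safely in standalone mode, in JumpStart mode, and before an undo.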
Using the framework functions ensures that the changes made by a new script are consistent with those done elsewhere, and that they can be safely undone. For a list of framework functions, see Chapter 1.
Examples of framework functions that are compatible with undo are as follows:
Programs like usermod(1M) are preferred over directly modifying the /etc/passwd file. This preference keeps the software as flexible as possible and makes the resulting finish scripts as OS-version independent as possible. Also, complicated or obscure ways of configuring a system can be harder to debug or maintain over the life of a script. For examples of supported ways to make changes, refer to the Sun BluePrints OnLine article titled "Solaris Operating Environment Security: Updated for Solaris Operating Environment 9."
If a particular function is not needed, or not available, on a given version of the OS, then do not call it on that version. This approach helps to make the software backward compatible with existing releases and more likely to support future releases. Furthermore, by making finish scripts OS-version aware, the number of warning and error messages can be dramatically reduced. The Solaris Security Toolkit software's Finish directory contains example scripts that are aware of the OS on which they are being used and that only make changes when necessary. Some sample scripts that use this capability are as follows:
To make this process simpler for software developers, the framework includes the following two functions:
For detailed information about these functions, see Chapter 1.
The finish scripts must be able to detect whether a change actually needs to be made.
For example, the enable-rfc1948.fin script checks to see if the /etc/default/inetinit script already has the setting TCP_STRONG_ISS=2. If this setting is present, there is no need to back up files or make other changes.
This technique not only reduces the number of unnecessary backup files, but it helps prevent errors and confusion resulting from multiple, redundant changes made in the same files. Also, by implementing this functionality, you are well on your way toward developing the code necessary to implement the finish script's companion audit script.
Finish scripts perform system modifications and updates during hardening runs. These scripts are not used in any other runs or operations of the software.
The finish.init script handles all finish script configuration variables. You can override the default variables by modifying the user.init file. This file is heavily commented to explain each variable, its impact, and its use in finish scripts. Additionally, see Chapter 6 for a description of each variable.
Using variables found in the finish.init script, you can customize most of the finish scripts to suit your organization's security policy and requirements. You can customize nearly every aspect of the Solaris Security Toolkit software through variables, without needing to alter the source code. The use of this script is strongly recommended so as to minimize migration issues with new Solaris Security Toolkit software releases.
This section describes the standard finish scripts, which are in the Finish directory. The scripts in the Finish directory are organized into the following categories:
In addition to these standard finish scripts, the Solaris Security Toolkit software provides product-specific finish scripts. For a list of product-specific finish scripts, see Using Product-Specific Finish Scripts.
The following disable finish scripts are described in this section:
This script prevents the AnswerBook2 (ab2) server from starting. The ab2 server software is distributed on the Documentation CD in the Solaris OS Server pack. This script applies only to systems running Solaris OS versions 2.5.1 through 8, because the ab2 software is no longer used in Solaris OS version 9.
This script prevents the Apache Web Server, shipped with Solaris OS versions 8 and 9, from starting. This script disables only the Apache services included in the Solaris OS Distribution package. This script does not impact other Apache distributions installed on the system. For more information on this service, refer to the apache(1M) manual page.
This script prevents the Asynchronous Point-to-Point Protocol (ASPPP) service from starting. This service implements the functionality described in Request for Comments (RFC) 1331, The Point-to-Point Protocol (PPP) for the Transmission of Multi-protocol Datagrams over Point-to-Point Links. This script applies only to Solaris OS versions 2.5.1 through 8. For the Solaris 9 OS, this service has been replaced with the PPP service and is disabled using the disable-ppp.fin finish script. For more information on this functionality, refer to the aspppd(1M) manual page.
This script prevents a system from being re-installed, by disabling the run-control scripts associated with automatic configuration. These scripts are used only if the /etc/.UNCONFIGURED or /AUTOINSTALL files are created. After initial installation and configuration, there is generally little reason for these scripts to remain available.
Note - Because this service relies on the Remote Procedure Call (RPC) port mapper, if disable-automount.fin is not used, then the disable-rpc.fin script should not be used either.
This script disables the NFS automount service. The automount service answers file system mount and unmount requests from the autofs file system. When this script is used, the NFS automount service is disabled and all forms of automount maps are affected. For more information on this functionality, refer to the automountd(1M) manual page.
This script disables the Dynamic Host Configuration Protocol (DHCP) server included in Solaris OS versions 8 and 9. For more information on this server, refer to the in.dhcpd(1M) manual page.
This script prevents the Sun Java System Directory Server (formerly the Sun ONE Directory Server) bundled with the Solaris 9 OS from starting. Note that this script is for use only with the bundled Sun Java System Directory Server. This script does not affect either the unbundled product or the Sun Java System Directory Server software provided with other Solaris OS versions. By default, the Solaris Security Toolkit software disables only the services supplied with the Solaris OS. For more information on this server, refer to the directoryserver(1M) manual page.
This script prevents the Desktop Management Interface (DMI) from starting. This script applies only to systems running Solaris OS versions 2.6 through 9. For more information on this service, refer to the dmispd(1M) and snmpXdmid(1M) manual pages.
Note - Because this service relies on the RPC port mapper, if disable-dtlogin.fin is not used, then the disable-rpc.fin script should not be used either.
This script prevents any windowing environment from being started at boot time, for example, the Common Desktop Environment (CDE) service. However, this script does not prevent a windowing environment from being started at a later time (for example, after a system is booted). This script applies only to systems running the Solaris OS versions 2.6 through 9. For more information on this service, refer to the dtlogin(1X) and dtconfig(1) manual pages.
This script disables the use of IPv6 on specific network interfaces by removing the associated host name files, /etc/hostname6.*. Also, this mechanism prevents the in.ndpd service from running. This script applies only to systems running the Solaris OS versions 8 and 9. This script should not be used if IPv6 functionality is required on the system.
This script prevents the Kerberos Key Distribution Center (KDC) service from starting. Note that if JASS_DISABLE_MODE is set to conf, the kdc.conf file is disabled, thus impacting the ability to act as a Kerberos client. This script should not be used in that manner if the system must act as a Kerberos client. This script applies only to systems running the Solaris OS version 9. For more information on this service, refer to the krb5kdc(1M) and kdc.conf(4) manual pages.
Note - Some systems feature key switches with a secure position. On these systems, setting the key switch to the secure position overrides any software default set with this command.
This script configures the system to ignore keyboard abort sequences. Typically, when a keyboard abort sequence is initiated, the operating system is suspended and the console enters the OpenBoot PROM monitor or debugger. Using this script prevents the system from being suspended. For more information on this capability, refer to the kbd(1) manual page. This script is used only in the Solaris OS versions 2.6 through 9.
This script disables the nobody UID access to secure RPC. In Solaris 9 OS, access is disabled by setting the ENABLE_NOBODY_KEYS variable in the /etc/default/keyserv file to NO. For versions earlier than Solaris OS version 9, access is disabled by adding the -d option to the keyserv command in the /etc/init.d/rpc run-control file. For more information on this service, refer to the keyserv(1M) manual page.
This script prevents the Lightweight Directory Access Protocol (LDAP) client daemons from starting on the system. This service provides the directory lookup capability for the system. If the system is acting as an LDAP client or requires the directory lookup capability, then this script should not be used. This script applies to Solaris OS versions 8 and 9. For more information on this service, refer to the ldap_cachemgr(1M) and ldapclient(1M) manual pages.
This script prevents the line printer (lp) service from starting. Note that in addition to disabling the service, this script removes the lp user's access to the cron subsystem by adding lp to the /etc/cron.d/cron.deny file, and removing all lp commands in the /var/spool/cron/crontabs directory.
This functionality is distinct from the update-cron-deny.fin script, because the lp packages might or might not be installed on a system. In addition, the lp subsystem might be necessary, while the functions removed by the update-cron-deny.fin script are not.
This script prevents the Mobile Internet Protocol (MIP) agents from starting. This service implements the MIP home agent and foreign agent functionality described in RFC 2002, IP Mobility Support. This script applies only to Solaris OS versions 8 and 9. For more information on this service, refer to the mipagent(1M) manual page.
Note - Disabling this service does not affect the ability of the system to act as a Domain Name System (DNS) client.
This script prevents the DNS server from starting using the named(1M) command. Note that this script is intended to be used only with the DNS service shipped with the Solaris OS.
Note - If this service is required, then this script should not be used. Further, because this service relies on the RPC service, the disable-rpc.fin script also should not be used.
This script prevents the NFS client service from starting. Also, this disables the network status monitor (statd) and lock manager (lockd) daemons. Note that an administrator can still mount remote file systems onto the system, even if this script is used. Those file systems, however, do not take advantage of the status monitor or lock manager daemons. For more information on this service, refer to the statd(1M) and lockd(1M) manual pages.
Note - If this service is required, then this script should not be used. Further, because this service relies on the RPC service, the disable-rpc.fin script also should not be used.
This script prevents the NFS service from starting. Also, this script disables the daemons that provide support for NFS logging, mounting, access checks, and client service. Do not use this script if the system must share its file systems with remote clients. For more information on this service, refer to the nfsd(1M), mountd(1M), and dfstab(4) manual pages.
Caution - There might be a performance impact on systems that use name services intensively.
This script disables caching for passwd, group, hosts, and ipnodes entries by the Name Service Cache Daemon (NSCD). For the Solaris 8 OS, patch 110386-02 or later must be applied to fix a bug in the Role-Based Access Control (RBAC) facility; otherwise the Solaris Security Toolkit software generates an error message.
The NSCD provides caching for name service requests. It exists to provide a performance boost to pending requests and reduce name service network traffic. The nscd maintains cache entries for databases such as passwd, group, and hosts. It does not cache the shadow password file for security reasons. All name service requests made through system library calls are routed to nscd. With the addition of IPv6 and RBAC in Solaris 8 OS, the nscd caching capability was expanded to address additional name service databases.
Because caching name service data makes spoofing attacks easier, it is recommended that the configuration of nscd be modified to cache as little data as possible. This task is accomplished by setting the positive time-to-live (ttl) to zero in the /etc/nscd.conf file for the name service requests deemed vulnerable to spoofing attacks. In particular, the configuration should be modified so that passwd, group, and Solaris 8 and 9 OS RBAC information has a positive and negative ttl of zero.
The nscd -g option can be used to view the current nscd configuration on a server and is a helpful resource when tuning nscd.
Disabling nscd entirely is not recommended, because applications would then make name service calls directly, which exposes various bugs in applications and name service back ends.
This script prevents the Platform Information and Control Library (PICL) service from starting. Disabling this service could impact the ability of the system to monitor environmental conditions and should, therefore, be used with care. This script applies only to systems running Solaris OS versions 8 and 9. For more information on this service, refer to the picld(1M) manual page.
This script prevents the power management service from starting. (This service allows the system to power down monitors, spin down disks, and even power off the system itself.) Using this script disables the power management functionality. Additionally, a noautoshutdown file is created to prevent a system administrator from being asked about the state of power management during an automated JumpStart mode installation. This script applies only to systems running Solaris OS versions 2.6 through 9. For more information on this service, refer to the powerd(1M), pmconfig(1M), and power.conf(4) manual pages.
This script prevents the Point-to-Point Protocol (PPP) service from starting. This service was introduced in the Solaris 8 OS (7/01) and supplements the older Asynchronous PPP (ASPPP) service. This service provides a method for transmitting datagrams over serial point-to-point links. This script applies only to systems running the Solaris OS versions 8 and 9. For more information on this service, refer to the pppd(1M) and pppoed(1M) manual pages.
This script prevents the moving of saved files (that were previously edited) to /usr/preserve when a system is rebooted. These files are typically created by editors that are abruptly terminated due to a system crash or loss of a session. These files are normally located in /var/tmp with names beginning with "Ex".
This script changes the CONSOLE variable in the /etc/default/login file to prevent direct remote root logins. Although this was the default behavior for the Solaris OS since the final update of 2.5.1, it is included to ensure that this setting has not been altered. Note that this setting has no impact on programs, such as Secure Shell, that can be configured to not use the /bin/login program to grant access to a system. For more information on this capability, refer to the login(1) manual page.
This script disables rhosts authentication for rlogin and rsh by modifying the Pluggable Authentication Module (PAM) configuration in /etc/pam.conf.
The disable-rlogin-rhosts.fin finish script was renamed disable-rhosts.fin to be more indicative of its actions. In addition, both rsh and rlogin entries are commented out in the /etc/pam.conf file to ensure that rhosts authentication is not enabled for either service.
This script applies only to Solaris OS versions 2.6 through 9. For more information on this capability, refer to the in.rshd(1M), in.rlogind(1M) and pam.conf(4) manual pages.
This script prevents the remote procedure call (RPC) service from starting. Note that disabling this service impacts bundled services such as NFS and CDE, and unbundled services such as Sun Cluster. Also, some third-party software packages expect that this service is available. Before disabling this service, verify that no services or tools require RPC services. For more information on this service, refer to the rpcbind(1M) manual page.
This script prevents the Samba file and print sharing service from starting. This script disables only the Samba services included in the Solaris OS distribution. This script does not impact other Samba distributions installed on the system. For more information on this service, refer to the smbd(1M), nmbd(1M), and smb.conf(4) manual pages.
Note - The Solaris Security Toolkit software modifications only prevent a Solaris OS from receiving email. Outgoing email is still processed normally.
This script disables the sendmail daemon startup and shutdown scripts, and adds an entry to the cron subsystem, which executes sendmail once an hour for Solaris OS versions 2.5.1, 2.6, and 7.
For Solaris 8 OS, the /etc/default/sendmail file is installed, which implements similar functionality. This method of purging outgoing mail is more secure than having the daemon run continually.
Solaris 9 OS implements another sendmail option in which the daemon only listens on the loopback interface. For more information, refer to the Sun BluePrints OnLine article titled "Solaris Operating Environment Security: Updated for Solaris Operating Environment 9."
This script prevents the Service Location Protocol (SLP) service from starting. This service provides common server functionality for the SLP versions 1 and 2, as defined by the Internet Engineering Task Force (IETF) in RFC 2165 and RFC 2608. SLP provides a scalable framework for the discovery and selection of network services. This script applies only to systems running the Solaris OS versions 8 and 9. For more information on this service, refer to the slpd(1M) manual page.
This script prevents the System Management Agent (SMA, based on NET-SNMP) service from starting.
This script prevents the Simple Network Management Protocol (SNMP) service from starting. This script does not prevent third-party SNMP agents from functioning on the system. This script only affects the SNMP agent provided in the Solaris OS. This script applies only to systems running the Solaris OS versions 2.6 through 9. For more information on this service, refer to the snmpdx(1M) and mibiisa(1M) manual pages.
This script disables all SunSoft Print Client startup scripts. This script applies only to systems running the Solaris OS versions 2.6 through 9.
This script configures the Secure Shell service distributed in the Solaris 9 OS to restrict remote access to the root account. By default, remote root access is denied using the version of Secure Shell shipped with the Solaris 9 OS. This script verifies that functionality, thereby implementing a mechanism similar to that of the disable-remote-root-login.fin script. The script sets the PermitRootLogin parameter in /etc/ssh/sshd_config to no. For more information on this capability, refer to the sshd_config(4) manual page.
Note - Do not use this script on a SYSLOG server, because a SYSLOG server's function is to log remotely.
This script prevents the system log (syslogd) service from accepting remote log messages. For Solaris OS versions prior to Solaris 9 OS, this script adds the -t option to the syslogd(1M) command line. For Solaris 9 OS, this script sets the LOG_FROM_REMOTE variable to NO in the /etc/default/syslogd file. Note that this script prevents the daemon from listening on User Datagram Protocol (UDP) port 514. This script is useful for systems that use system log services and do not need to receive system log messages from remote systems.
This script disables specific unused system accounts other than root. The list of accounts to be disabled on the system is explicitly enumerated in the JASS_ACCT_DISABLE variable.
This script disables the UNIX-to-UNIX Copy (UUCP) startup script. In addition, the nuucp system account is removed, along with the uucp crontab entries in the /var/spool/cron/crontabs directory. For more information on this service, refer to the uucp(1C) and uucico(1M) manual pages.
Note - Do not use this script if you need the automatic mounting and unmounting of removable media (such as diskettes and CD-ROMs).
This script prevents the Volume Management Daemon (VOLD) from starting. The vold creates and maintains a file system image rooted at /vol, by default, that contains symbolic names for diskettes, CD-ROMs, and other removable media devices. For more information on this service, refer to the vold(1M) manual page.
Note - If this service is required, then do not use this script. Also, because this service relies on the RPC service, the disable-rpc.fin script should not be used.
This script prevents the Web-Based Enterprise Management (WBEM) service from starting. The WBEM is a set of management and Internet-related technologies that unify management of enterprise computing environments. Developed by the Distributed Management Task Force (DMTF), the WBEM enables organizations to deliver an integrated set of standards-based management tools that support and promote World Wide Web technology. Do not use this script if the use of Solaris Management Console is needed. This script applies only to systems running the Solaris OS versions 8 and 9. For more information on this service, refer to the wbem(5) manual page.
This script disables the X11 server's ability to listen to and accept requests over TCP on port 6000. This script adds the option -nolisten TCP to the X server configuration line in the /etc/dt/config/Xservers file. If this file does not exist, it is copied from the master location at /usr/dt/config/Xservers. This script is applicable only to the Solaris 9 OS. For more information on this capability, refer to the Xserver(1) manual page.
The following enable finish scripts are described in this section:
This script sets the boot-file variable in the EEPROM of Sun SPARC systems to the value of /kernel/unix. This setting forces the system to boot using a 32-bit kernel. It is useful for products that can run on the Solaris OS versions 7, 8, and 9, but must run in 32-bit-only mode. This script applies only to Sun4U systems. This script is included as a convenience for environments using applications that support only 32-bit mode OS.
This script enables the SunSHIELD Solaris Basic Security Module (BSM) auditing service. Additionally, this script installs a default audit configuration that is described in the Sun BluePrints OnLine article titled "Auditing in the Solaris 8 Operating Environment." An audit_warn alias is added, if necessary, and assigned to the root account. Also, the abort disable code is overridden to permit abort sequences. This setting is most often used in a lights-out data center environment, where physical access to the platform is not always possible. After the system is rebooted, the Solaris BSM subsystem is enabled and auditing begins. For more information on this service, refer to the bsmconv(1M) manual page.
This script configures the coreadm functionality that is present in the Solaris OS versions 7, 8, and 9. It configures the system to store generated core files under the directory specified by JASS_CORE_DIR. Further, each core file is tagged with a specification denoted by JASS_CORE_PATTERN so that information about the core files can be collected. Typically, the information collected includes the process identifier, effective user identifier, and effective group identifier of the process, as well as the name of the process executable and the time the core file was generated. For more information on this capability, refer to the coreadm(1M) manual page.
This script forces the in.ftpd daemon to log all File Transfer Protocol (FTP) access attempts through the SYSLOG subsystem. This option is enabled by adding the -l option to the in.ftpd entry in the /etc/inet/inetd.conf file. For more information, refer to the in.ftpd(1M) manual page.
This script enables the ftpaccess functionality for the FTP service in Solaris 9 OS. This functionality is necessary so that security modifications made by the set-banner-ftp.fin and set-ftpd-umask.fin scripts are used. For example, modifications to set the default greeting, file creation mask, and other parameters documented in ftpaccess(4) manual pages. This script adds the -a argument to the in.ftpd entry in the /etc/inet/inetd.conf file. This script applies only to systems running the Solaris 9 OS.
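The two ftp entries above both edit the in.ftpd line in inetd.conf, one on every release and one only on Solaris 9, so together they show the OS-version-aware, idempotent editing that the finish script conventions earlier in this chapter call for. The Bourne shell fragment below is an added example, not toolkit code: the function names, the per-run JASS_TIMESTAMP backup suffix, the release-parsing helper and the inetd.conf excerpt it edits are assumptions constructed for the illustration.

```shell
#!/bin/sh
# Added example, not Solaris Security Toolkit code. It assumes JASS_ROOT_DIR,
# a per-run JASS_TIMESTAMP used in backup names, and a constructed inetd.conf.

JASS_TIMESTAMP=${JASS_TIMESTAMP:-$(date +%Y%m%d%H%M%S)}

# Back a file up once per run, so the copy always reflects the pre-run state.
backup_once() {
    [ -f "$1.JASS.$JASS_TIMESTAMP" ] || cp -p "$1" "$1.JASS.$JASS_TIMESTAMP"
}

# solaris_release [UNAME_R]
# Map "5.8" -> 8, "5.9" -> 9. The optional argument lets the demo supply a
# constructed value instead of reading the live system with uname -r.
solaris_release() {
    rel=${1:-$(uname -r)}
    echo "${rel#5.}"
}

# inetd_has_option SERVICE OPTION
# Exit 0 when every active (uncommented) SERVICE entry already carries OPTION
# among the server arguments (fields 7 onward). Usable as the audit check.
inetd_has_option() {
    awk -v s="$1" -v o="$2" '
        /^[ \t]*#/ { next }
        $1 == s {
            seen = 1; have = 0
            for (i = 7; i <= NF; i++) if ($i == o) have = 1
            if (!have) missing = 1
        }
        END { if (seen && !missing) exit 0; exit 1 }' \
        "$JASS_ROOT_DIR/etc/inet/inetd.conf"
}

# add_inetd_option SERVICE OPTION
# Append OPTION to each active SERVICE line that lacks it (tcp and tcp6
# entries alike), backing the file up first. Does nothing, and makes no
# backup, when the option is already present on every entry.
add_inetd_option() {
    svc=$1; opt=$2
    conf="$JASS_ROOT_DIR/etc/inet/inetd.conf"
    if ! grep "^$svc[[:space:]]" "$conf" >/dev/null; then
        echo "$conf: no $svc entry; nothing to do"
        return 1
    fi
    if inetd_has_option "$svc" "$opt"; then
        echo "$conf: $svc already has $opt; no change"
        return 0
    fi
    backup_once "$conf"
    awk -v s="$svc" -v o="$opt" '
        !/^[ \t]*#/ && $1 == s {
            have = 0
            for (i = 7; i <= NF; i++) if ($i == o) have = 1
            if (!have) $0 = $0 " " o
        }
        { print }' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    echo "$conf: added $opt to $svc"
}

# Constructed inetd.conf excerpt in a temporary root.
JASS_ROOT_DIR=$(mktemp -d)
mkdir -p "$JASS_ROOT_DIR/etc/inet"
printf '%s\n' \
    '# constructed /etc/inet/inetd.conf excerpt' \
    'ftp stream tcp nowait root /usr/sbin/in.ftpd in.ftpd' \
    'ftp stream tcp6 nowait root /usr/sbin/in.ftpd in.ftpd' \
    'telnet stream tcp nowait root /usr/sbin/in.telnetd in.telnetd' \
    '#tftp dgram udp wait root /usr/sbin/in.tftpd in.tftpd -s /tftpboot' \
    > "$JASS_ROOT_DIR/etc/inet/inetd.conf"

rel=$(solaris_release 5.9)    # constructed; a finish script would omit the argument
add_inetd_option ftp -l       # what enable-ftp-syslog.fin does, on any release
if [ "$rel" -ge 9 ] 2>/dev/null; then
    add_inetd_option ftp -a   # what enable-ftpaccess.fin does, Solaris 9 only
fi
add_inetd_option ftp -l       # second run: already present, no new backup
```

The release gate is what keeps the -a edit from producing warnings on Solaris 8, where in.ftpd has no ftpaccess support, and the presence check is what keeps a rerun (or a second driver that includes the same script) from stacking duplicate options or duplicate backup files.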
This script configures the Internet services daemon (inetd) to log all incoming TCP connection requests, so that a SYSLOG entry is written whenever a connection is made to any TCP service on which inetd is listening. For Solaris OS versions prior to Solaris 9 OS, the script enables logging by adding the -t option to the inetd command line. In Solaris 9 OS, the script sets the ENABLE_CONNECTION_LOGGING variable in the /etc/default/inetd file to YES.
This script modifies the /etc/system file to restrict NFS port access by setting the nfssrv:nfs_portmon kernel variable to 1. After the variable is set, the NFS server accepts only requests originating from privileged ports (ports numbered below 1024), which rejects requests forged by unprivileged users on client hosts.
If the required Solaris OS packages (currently SUNWaccr and SUNWaccu) are installed on the system, this script enables Solaris OS process accounting. For more information on this service, refer to the acct(1M) manual page.
This script creates or modifies the /etc/default/inetinit file to enable RFC 1948 initial sequence number generation, in which each TCP connection's initial sequence number is derived from a per-connection hash that includes a secret, making sequence numbers hard to predict. The script sets the variable TCP_STRONG_ISS to 2 in the /etc/default/inetinit file. For more information, refer to http://ietf.org/rfc1948.html. This script applies only to systems running the Solaris OS versions 2.6 through 9.
For SPARC systems only, this script modifies the /etc/system file to make user stacks non-executable and to log attempts to execute code on the stack. These options are enabled by adding noexec_user_stack = 1 and noexec_user_stack_log = 1 to the /etc/system file.
If the keyword-value pairs are already defined in the /etc/system file, their values are rewritten to verify that they are set properly; otherwise, the pairs are appended to the file. This script applies only to systems running the Solaris OS versions 2.6 through 9. Enabling this feature makes the system noncompliant with the SPARC version 8 Application Binary Interface (ABI), so applications that rely on an executable stack might fail.
In Solaris OS version 9, many of the core Solaris executables are linked against a map file (/usr/lib/ld/map.noexstk). This map file provides functionality similar to the script by making the program's stack non-executable. Using the script is still recommended, however, because its changes are global to the system.
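The rewrite-or-append handling of /etc/system keywords described above, as an added example that is not part of the Solaris Security Toolkit. It applies the stack-protection keywords (SPARC only) and the nfssrv:nfs_portmon NFS port restriction to whatever file is passed in, so it can be exercised on a copy rather than the live /etc/system; the function names, the architecture argument, and the sample file contents are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not Solaris Security Toolkit code): idempotent handling of
# "set key = value" entries in an /etc/system-style file. Operates on the
# file given as $1 so it can be run against a copy.

# set_system_tunable FILE KEY VALUE
# Rewrite every existing "set KEY=..." line (any spacing) as a single
# "set KEY = VALUE" line; if there is none, append one. Comment lines
# (starting with "*") are never touched.
set_system_tunable() {
    _f=$1; _k=$2; _v=$3
    _tmp="$_f.jass.$$"
    awk -v key="$_k" -v val="$_v" '
        BEGIN { done = 0 }
        $1 == "set" && $0 ~ ("^set[ \t]+" key "[ \t]*=") {
            if (!done) { print "set " key " = " val; done = 1 }
            next                      # drop duplicate definitions
        }
        { print }
        END { if (!done) print "set " key " = " val }
    ' "$_f" > "$_tmp" && mv "$_tmp" "$_f"
}

# get_system_tunable FILE KEY : print the value currently set for KEY
get_system_tunable() {
    awk -v key="$2" '
        $1 == "set" && $0 ~ ("^set[ \t]+" key "[ \t]*=") {
            sub(/.*=[ \t]*/, ""); print; exit
        }' "$1"
}

# enable_stack_protection FILE ARCH
# ARCH is what "uname -p" reports (sparc or i386); the keywords are only
# meaningful on SPARC, so other architectures are left untouched.
enable_stack_protection() {
    case $2 in
        sparc) ;;
        *)     return 0 ;;
    esac
    set_system_tunable "$1" noexec_user_stack 1
    set_system_tunable "$1" noexec_user_stack_log 1
}

# restrict_nfs_ports FILE : accept NFS requests from privileged ports only
restrict_nfs_ports() {
    set_system_tunable "$1" nfssrv:nfs_portmon 1
}
```

Run it against a copy (cp /etc/system /tmp/system; enable_stack_protection /tmp/system "$(uname -p)") and diff the result before installing it; the kernel reads /etc/system only at boot, so the change takes effect after the next reboot.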
This script configures the system to use TCP wrappers. Included with the Solaris 9 OS, TCP wrappers allow an administrator to restrict access to TCP services. By default, all services in /etc/inet/inetd.conf that are defined as stream, nowait are protected. This script configures the /etc/default/inetd file to set the ENABLE_TCPWRAPPERS parameter to YES. Further, this script installs sample /etc/hosts.allow and /etc/hosts.deny files that control access to services protected by TCP wrappers.
The following install finish scripts are described in this section:
This script restricts the at command execution by creating an at.allow file in /etc/cron.d. The file is then populated with the list of users defined in the JASS_AT_ALLOW variable. All users who require at access must be added to the at.allow file. This script should be used with the update-at-deny.fin script to determine access to the at and batch facilities. For more information on this capability, refer to the at(1) manual page.
This script copies the FixModes software from the JASS_PACKAGE_DIR directory to the client and then executes it. (FixModes was written by Casper Dik; see Related Resources.) FixModes tightens the permissions and ownerships of files on a Solaris system.
This script creates or modifies the ftpusers file that is used to restrict access to the FTP service. This script adds users listed in the JASS_FTPUSERS variable to the ftpusers file. This script only adds a user to the file if the user's name is not already in the file.
A default ftpusers file is included with Solaris OS versions 8 and 9. The path to the file varies. For Solaris OS versions 8 and lower, the file path is /etc. For Solaris 9 OS, the path is /etc/ftpd. All accounts not allowed to use the incoming FTP service should be specified in this file. At a minimum, this should include all system accounts (for example, bin, uucp, smtp, sys, and so forth) in addition to the root account. These accounts are often targets of intruders and individuals attempting to gain unauthorized access. Frequently, root access to a server over Telnet is disabled and root FTP access is not. This configuration provides a back door for intruders who might modify the system's configuration by uploading modified configuration files.
This script installs the Sun Java System Web Server software onto the target platform. This script is provided as a sample of how software installation can be automated using JumpStart technology. For additional information, refer to the Sun BluePrints OnLine article titled "Minimizing the Solaris Operating Environment."
This script automates the installation of the Solaris Security Toolkit software onto a JumpStart client when the Solaris Security Toolkit software is being run. Use this approach so that the Solaris Security Toolkit software is available to be run after patch installations on the client. The installation is performed by installing the Solaris Security Toolkit software package distribution with the Solaris OS command pkgadd. This script expects the Solaris Security Toolkit software to be installed in the JASS_PACKAGE_DIR directory. The Solaris Security Toolkit software package is installed by default in /opt/SUNWjass.
This script creates the /var/adm/loginlog file, in which the system records unsuccessful login attempts. Entries are written only after the number of consecutive failed logins exceeds the RETRIES value set in the /etc/default/login configuration file; see also the set-login-retries.fin script. For more information, refer to the loginlog(4) manual page.
This script automates the installation of the message-digest 5 (MD5) algorithm software. This software is used for creating digital fingerprints of file system objects and is referenced in the Sun BluePrints OnLine article titled "The Solaris Fingerprint Database - A Security Tool for Solaris Software and Files." By default, the MD5 software is installed in the directory specified by the JASS_MD5_DIR parameter.
This script installs the nddconfig file that is used to set more secure values for various networking parameters, based on the Sun BluePrints OnLine article, "Solaris Operating Environment Network Settings for Security."
This script adds the newaliases symbolic link to the /usr/lib/sendmail program. The link is required on some minimized installations where the SUNWnisu package is not installed or has been removed, because on Solaris OS versions 2.5.1 through 8 newaliases was delivered as part of SUNWnisu.
Note - Solaris 9 OS includes a version of the Secure Shell software, therefore this script is not used if you install Solaris 9 OS.
This script installs the OpenBSD version of OpenSSH into /opt/OBSDssh. The distribution for which this script is written is based on the Sun BluePrints OnLine article titled "Configuring OpenSSH for the Solaris Operating Environment." This script does not overwrite host keys if they exist.
The installation is based on having a Solaris OS, stream-formatted package called OBSDssh-3.5p1-sparc-sun4u-5.8.pkg in the JASS_PACKAGE_DIR directory.
This script installs applicable patches from the JASS_HOME_DIR/Patches directory on the JumpStart server. The appropriate Recommended and Security Patch Clusters must be downloaded and extracted to the JASS_HOME_DIR/Patches directory for the script to execute properly.
This script adds the options specified in the JASS_SADMIND_OPTIONS environment variable to the sadmind daemon entry in /etc/inet/inetd.conf. For more information on this service, refer to the sadmind(1M) manual page.
This script displays the current status of the OpenBoot PROM security mode. This script does not set the EEPROM password directly; it is not possible to script the setting of the EEPROM password during a JumpStart installation. The output of the script provides instructions on how to set the EEPROM password from the command line. This script applies only to systems based on SPARC technology. For more information on this capability, refer to the eeprom(1M) manual page.
Note - This script only adds a shell to the /etc/shells file if the shell exists on the system, is executable, and is not already in the file.
This script adds the user shells specified in the JASS_SHELLS environment variable to the /etc/shells file. The Solaris OS function getusershell(3C) is the primary consumer of /etc/shells and uses it to determine the valid login shells on a system. For more information, refer to the shells(4) manual page. For more information about the JASS_SHELLS environment variable, see JASS_SHELLS.
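The three conditions in the note above (exists, executable, not already listed), as an added example rather than the toolkit's own script. It takes the shells file path first so it can be tested on a scratch file; the function name and the way JASS_SHELLS is split on whitespace are this example's assumptions.

```shell
#!/bin/sh
# Added example (not Solaris Security Toolkit code).

# add_shells SHELLS_FILE shell...
# Append each shell path that exists, is executable, and is not already
# listed. Paths are compared as whole lines (-x) and literally (-F), so
# "/bin/sh" does not match "/usr/bin/sh" or a regex-looking path.
add_shells() {
    _sf=$1; shift
    [ -f "$_sf" ] || : > "$_sf"
    for _s in "$@"; do
        if [ -f "$_s" ] && [ -x "$_s" ] && ! grep -qxF "$_s" "$_sf"; then
            echo "$_s" >> "$_sf"
        fi
    done
}

# install_shells SHELLS_FILE : apply the space-separated JASS_SHELLS list
install_shells() {
    add_shells "$1" $JASS_SHELLS
}
```

A shell that is listed in /etc/shells but missing from the system would let chsh(1) and ftp-style checks accept a login shell that cannot run, which is why the existence and execute checks come before the duplicate check.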
This script changes a variety of permissions and ownerships to enhance security by restricting group and user access on a system.
This script creates the /var/adm/sulog file, which enables logging of all superuser (su) attempts. For more information on this capability, refer to the sulog(4) manual page.
This special purpose script should not be called directly by any driver. This script is automatically called by the driver.run program if the JASS_FILES parameter or any of its OS-specific values is not empty. This script automates the copying of file templates onto a target system. This functionality was originally in the driver.run script, but was separated to better support the verification of file templates. If needed, based on the contents of the JASS_FILES parameter, this script is the first finish script to run.
The minimize-Sun_ONE-WS.fin script is provided as an example of how the Solaris OS minimization procedure can be implemented. In this case, this script is used to minimize a system that is used as a web server running the Sun Java System Web Server software.
The following print finish scripts are described in this section:
This script prints out all the environment variables used in the Solaris Security Toolkit software. This script is provided for diagnostic purposes and is often called at the beginning of a driver so that the state of the environment variables can be recorded prior to their use.
This script prints out all the environment variables used by a JumpStart installation. This script is provided for diagnostic purposes to aid in debugging problems encountered during a JumpStart installation.
This script lists all the .rhosts and hosts.equiv files contained in any directory under the JASS_ROOT_DIR directory. The results are displayed on standard output unless the JASS_RHOSTS_FILE variable is defined. If this variable is defined, then all of the results are written to that file.
This script prints all files in any directory under the JASS_ROOT_DIR directory with set group ID permissions. The results are displayed on standard output unless the JASS_SGID_FILE variable is defined. If this variable is defined, all of the results are written to that file.
This script prints all files in any directory under the JASS_ROOT_DIR directory with set user ID permissions. The results are displayed on standard output unless the JASS_SUID_FILE variable is defined. If this variable is defined, all of the results are written to that file.
This script lists all files, directories, and other objects on a system, starting from JASS_ROOT_DIR, that do not have valid users or groups assigned to them. The results are displayed on standard output unless the JASS_UNOWNED_FILE variable is defined. If this variable is defined, then all of the results are written to that file.
This script lists all world-writable objects on a system, starting from JASS_ROOT_DIR. The results are displayed on standard output unless the JASS_WRITABLE_FILE variable is defined. If this variable is defined, then all of the results are written to that file.
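The find(1) searches behind the print-rhosts, print-sgid, print-suid, print-unowned and print-world-writable descriptions above, written as an added example (not the toolkit's scripts). Each function walks JASS_ROOT_DIR and sends the list to the file named by the matching JASS_*_FILE variable when it is set, otherwise to standard output; the helper name and the exclusion of symbolic links from the world-writable search are this example's choices.

```shell
#!/bin/sh
# Added example (not Solaris Security Toolkit code). JASS_ROOT_DIR
# defaults to / as in the toolkit; point it at a copy or test tree first.

# _emit VARNAME : copy stdin to the file named by $VARNAME if it is set,
# otherwise to stdout (the output rule shared by all print-* scripts).
_emit() {
    eval "_dest=\${$1}"
    if [ -n "$_dest" ]; then cat >> "$_dest"; else cat; fi
}

_root() { printf '%s\n' "${JASS_ROOT_DIR:-/}"; }

print_suid_files() {
    find "$(_root)" -type f -perm -4000 -print | _emit JASS_SUID_FILE
}

print_sgid_files() {
    find "$(_root)" -type f -perm -2000 -print | _emit JASS_SGID_FILE
}

# Objects whose UID or GID has no entry in the passwd/group databases.
print_unowned() {
    find "$(_root)" \( -nouser -o -nogroup \) -print | _emit JASS_UNOWNED_FILE
}

# Symbolic links are skipped: their mode is always 777 and is never used.
print_world_writable() {
    find "$(_root)" ! -type l -perm -0002 -print | _emit JASS_WRITABLE_FILE
}

print_rhosts() {
    find "$(_root)" -type f \( -name .rhosts -o -name hosts.equiv \) -print \
        | _emit JASS_RHOSTS_FILE
}
```

The unowned check is the one that finds leftovers of removed accounts (a previous user's home directory, or files from a deleted package account) that a later account created with the same UID would silently inherit.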
The remove-unneeded-accounts.fin script removes unused Solaris OS accounts from the /etc/passwd and /etc/shadow files using the passmgmt command. This script removes those accounts defined by the JASS_ACCT_REMOVE variable.
The following set finish scripts are described in this section:
This script installs a service banner for the dtlogin service. This banner is presented to a user after successfully authenticating to a system using a graphical interface, such as is provided by the Common Desktop Environment (CDE). This script configures the system to display the contents of a file specified by the file template JASS_ROOT_DIR/etc/dt/config/Xsession.d/0050.warning. By default the contents of the /etc/motd file are displayed. This script applies only to systems running the Solaris OS versions 2.6 through 9.
This script installs the File Transfer Protocol (FTP) service banner defined by the variable JASS_BANNER_FTPD. For Solaris OS 8 and earlier versions, this banner is defined using the BANNER variable in the /etc/default/ftpd file. For the Solaris OS version 9, this banner is defined using the /etc/ftpd/banner.msg file. For more information, refer to the in.ftpd(1M) or ftpaccess(4) (for Solaris 9 OS) manual pages. This script applies only to systems running the Solaris OS versions 2.6 through 9.
If the install-ftpaccess.fin script is not used, then the change made by this script on a Solaris OS version 9 system does not take effect.
This script installs the Telnet service banner defined by the variable JASS_BANNER_TELNET. This banner is defined using the BANNER variable in the /etc/default/telnetd file. For more information, refer to the in.telnetd(1M) manual page. This script applies only to systems running the Solaris OS versions 2.6 through 9.
This script installs the Sendmail service banner defined by the variable JASS_BANNER_SENDMAIL. This banner is defined using either the SmtpGreetingMessage option or the De macro definition in the /etc/mail/sendmail.cf file. For Solaris OS versions 7, 8, and 9, the SmtpGreetingMessage option is used. For earlier releases, the De macro is used to implement this functionality. For more information, refer to the sendmail(1M) manual page.
This script installs the Secure Shell service banner by configuring the Secure Shell service to display the contents of /etc/issue to the user prior to authenticating to the system. This task is accomplished by setting the Banner parameter to /etc/issue in the /etc/ssh/sshd_config file. For more information on this functionality, refer to the sshd_config(4) manual page. This script is used only for systems running the Solaris OS version 9.
This script sets the default file creation mask for the FTP service. In versions prior to Solaris 9 OS, the script sets the default file creation mask by adding a UMASK value, defined by the JASS_FTPD_UMASK variable, to the /etc/default/ftpd file. For Solaris 9 OS, the script sets the defumask parameter defined in the /etc/ftpd/ftpaccess file. For more information, refer to the in.ftpd(1M) or ftpaccess(4) (for Solaris 9 OS) manual pages. This script applies only to systems running the Solaris OS versions 2.6 through 9.
If the install-ftpaccess.fin script is not used, then the change made by this script on a Solaris OS version 9 system does not take effect.
This script sets the RETRIES variable in the /etc/default/login file to the value defined by the JASS_LOGIN_RETRIES variable. Lowering this threshold causes failed login attempts to be recorded sooner (the install-loginlog.fin script enables that logging), so more information about password-guessing attempts is captured. For more information on this capability, refer to the login(1) manual page.
This script alters the configuration of /etc/default/power to restrict user access to power management functions using the JASS_POWER_MGT_USER and JASS_CPR_MGT_USER variables. As a result, access to the system's power management and suspend/resume functionality is controlled. This script applies only to systems running the Solaris OS versions 2.6 through 9, and only on platforms whose power is software controllable (for example, systems that can be powered off from the PROM prompt).
Note - Solaris OS versions 8 and 9 are configured to mount removable media with the nosuid option by default. This script performs the necessary checks regardless of the default settings.
This script adds two entries to the /etc/rmmount.conf file so that removable media are mounted with the nosuid option, preventing set-UID binaries on the media from being honored. This is important because anyone with physical access to a system could otherwise insert a diskette or CD-ROM containing set-UID binaries and run them to gain privileges. For more information on this capability, refer to the rmmount.conf(4) manual page.
This script changes the root user's primary group to JASS_ROOT_GROUP from group identifier #1 (GID 1, other). This script prevents the root user from sharing a common group with non-privileged users.
Note - This script executes only during a JumpStart software installation. It does not execute when the Solaris Security Toolkit software is invoked from the command line.
This script automates setting the root password by setting the password to an initial value as defined by JASS_ROOT_PASSWORD. The password used in this script should only be used during the installation and must be changed immediately after the JumpStart installation process has successfully completed. By default, the password used by the JASS_ROOT_PASSWORD parameter is t00lk1t.
This script alters the configuration of /etc/default/sys-suspend to restrict user access to suspend and resume functionality based on the JASS_SUSPEND_PERMS variable. This script applies only to systems running the Solaris OS versions 2.6 through 9. For more information, refer to the sys-suspend(1M) manual page.
This script ensures that all of the run-control scripts execute with a safe file creation mask based on the setting of JASS_UMASK. This setting is important because using a poorly chosen file creation mask could leave critical files writable by any user.
For versions prior to Solaris 8 OS, this script creates startup scripts at each run level, thereby setting the file creation mask to JASS_UMASK. For Solaris 8 and 9 OS versions, the CMASK variable in /etc/default/init is set to JASS_UMASK. For more information on this capability, refer to the init(1M) manual page.
This script sets a default terminal type of vt100 to avoid issues with systems not recognizing dtterm. This script is mainly for use on systems that do not have graphical consoles and are generally accessed over a terminal console or other serial link. This script is provided as a convenience only and does not impact the security of the system.
This script installs a limit on the disk space that can be used as part of a tmpfs file system. This limit can help prevent memory exhaustion. The usable space is limited by default in this script to the value defined by JASS_TMPFS_LIMIT. The set-tmpfs-limit.fin script does not run under Solaris OS version 2.5.1, where this functionality is unsupported. For more information on this capability, refer to the mount_tmpfs(1M) manual page.
The changes implemented by this script configure the password policy of a system for the next time that passwords are changed on a system. This profile might need to be further tuned to ensure that applications and operational functions are not adversely impacted by the hardening process.
This script enables stricter password requirements, namely password aging and a minimum password length.
The script uses the values defined by the JASS_AGING_MINWEEKS, JASS_AGING_MAXWEEKS, JASS_AGING_WARNWEEKS, and JASS_PASSLENGTH variables to set the corresponding MINWEEKS, MAXWEEKS, WARNWEEKS, and PASSLENGTH entries in the /etc/default/passwd file. This script is especially recommended for systems with nonprivileged user access.
This script modifies only the settings in the /etc/default/passwd file. It does not enable password aging for any user. The password aging requirements are implemented for each user upon the next password change. To enable password aging for a user without waiting for a password change event, use the passwd(1) command.
This script sets the default file creation mask (UMASK) to the value defined by JASS_UMASK for the following user startup files: /etc/.login, /etc/profile, /etc/skel/local.cshrc, /etc/skel/local.login, /etc/skel/local.profile, and /etc/default/login.
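Several of the scripts above set one VAR=value line in an /etc/default file: ENABLE_CONNECTION_LOGGING and ENABLE_TCPWRAPPERS in /etc/default/inetd, RETRIES in /etc/default/login, CMASK in /etc/default/init, and the password aging entries in /etc/default/passwd. The following is an added example of that edit, not toolkit code. The point it shows is that the Solaris files ship the defaults as commented-out lines such as "#PASSLENGTH=6" or as empty assignments such as "MAXWEEKS=", and both forms must be replaced rather than left beside a newly appended line. The function names and the sample file contents are this example's assumptions.

```shell
#!/bin/sh
# Added example (not Solaris Security Toolkit code).

# set_default_var FILE VAR VALUE
# Replace an active "VAR=..." line or a shipped "#VAR=..." default with
# "VAR=VALUE"; drop further duplicates; append if neither form exists.
set_default_var() {
    _f=$1; _var=$2; _val=$3
    _tmp="$_f.jass.$$"
    [ -f "$_f" ] || : > "$_f"
    awk -v var="$_var" -v val="$_val" '
        BEGIN { done = 0; pat = "^#?" var "=" }
        $0 ~ pat { if (!done) { print var "=" val; done = 1 }; next }
        { print }
        END { if (!done) print var "=" val }
    ' "$_f" > "$_tmp" && mv "$_tmp" "$_f"
}

# get_default_var FILE VAR : print the active value of VAR (empty if unset)
get_default_var() {
    awk -v var="$2" '
        index($0, var "=") == 1 { print substr($0, length(var) + 2); exit }
    ' "$1"
}

# set_password_policy PASSWD_DEFAULTS_FILE
# Apply the JASS_AGING_* and JASS_PASSLENGTH values to /etc/default/passwd.
# The fallback values here are this example's own, not the toolkit's.
set_password_policy() {
    set_default_var "$1" MINWEEKS   "${JASS_AGING_MINWEEKS:-1}"
    set_default_var "$1" MAXWEEKS   "${JASS_AGING_MAXWEEKS:-8}"
    set_default_var "$1" WARNWEEKS  "${JASS_AGING_WARNWEEKS:-1}"
    set_default_var "$1" PASSLENGTH "${JASS_PASSLENGTH:-8}"
}

# enable_inetd_logging INETD_DEFAULTS_FILE : Solaris 9 inetd settings
enable_inetd_logging() {
    set_default_var "$1" ENABLE_CONNECTION_LOGGING YES
    set_default_var "$1" ENABLE_TCPWRAPPERS YES
}
```

Because the pattern is anchored with "^#?VAR=", a descriptive comment such as "# MAXWEEKS is the maximum age" is left alone while the shipped "#MAXWEEKS=" default is replaced. As the description above says, the aging entries only take effect for each user at that user's next password change.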
The following update finish scripts are described in this section:
This script adds the accounts listed in JASS_AT_DENY to the /etc/cron.d/at.deny file. This script prevents those users from using at and batch facilities. This script is used with the install-at-allow.fin file to determine access to at and batch facilities. For more information on this capability, refer to the at(1) manual page.
This script adds the accounts listed in JASS_CRON_ALLOW to the /etc/cron.d/cron.allow file. This script allows those users to use the cron facility. This script is used with the update-cron-deny.fin script to determine access to the cron facility. For more information on this capability, refer to the crontab(1) manual page.
This script adds the accounts listed in JASS_CRON_DENY to the /etc/cron.d/cron.deny file. This script prevents those users from accessing the cron facility. This script is used with the update-cron-allow.fin script to determine access to the cron facility. This script does not disable access for the root account user. For more information on this capability, refer to the crontab(1) manual page.
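The install-at-allow, install-ftpusers, update-at-deny, update-cron-allow and update-cron-deny descriptions above all add the names from a JASS_* list to a file without duplicating names already present; the ftpusers case also has to pick the path by OS release. The following is an added example of that logic, not the toolkit's scripts. The function names, the release strings (as uname -r reports them), and the decision to never add root to cron.deny (the description says the script does not disable access for root) are this example's assumptions.

```shell
#!/bin/sh
# Added example (not Solaris Security Toolkit code). ROOT is the install
# root (JASS_ROOT_DIR in the toolkit); pass a scratch directory to test.

# add_users_to_file FILE user... : append each name not already listed
add_users_to_file() {
    _uf=$1; shift
    [ -f "$_uf" ] || : > "$_uf"
    for _u in "$@"; do
        grep -qxF "$_u" "$_uf" || echo "$_u" >> "$_uf"
    done
}

# ftpusers_path ROOT RELEASE : /etc/ftpd/ftpusers on 5.9, /etc/ftpusers before
ftpusers_path() {
    case $2 in
        5.9) echo "$1/etc/ftpd/ftpusers" ;;
        *)   echo "$1/etc/ftpusers" ;;
    esac
}

# install_ftpusers ROOT RELEASE : add the JASS_FTPUSERS names
install_ftpusers() {
    _p=$(ftpusers_path "$1" "$2")
    mkdir -p "$(dirname "$_p")"
    add_users_to_file "$_p" $JASS_FTPUSERS    # unquoted: space-separated list
}

# install_at_allow ROOT : add the JASS_AT_ALLOW names to cron.d/at.allow
install_at_allow() {
    add_users_to_file "$1/etc/cron.d/at.allow" $JASS_AT_ALLOW
}

# update_cron_deny ROOT : add the JASS_CRON_DENY names, never root
update_cron_deny() {
    for _u in $JASS_CRON_DENY; do
        [ "$_u" = root ] || add_users_to_file "$1/etc/cron.d/cron.deny" "$_u"
    done
}
```

Note that for at(1) and crontab(1) the allow file takes precedence when it exists: once at.allow is created, only the users listed in it can submit jobs, regardless of at.deny.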
This script adjusts the maximum limit used for storing cron log information. For Solaris OS versions prior to Solaris 9 OS, this script adjusts the LIMIT variable in the /etc/cron.d/logchecker script. For Solaris 9 OS, this script adjusts the -s parameter in the /etc/logadm.conf file (for the /var/cron/log entry).
The size limit used by this script is determined by the JASS_CRON_LOG_SIZE environment variable. By default, the limit defined by the Solaris OS is only 0.5 megabytes.
This script disables the inetd-started services named in the JASS_SVCS_DISABLE variable and enables those named in the JASS_SVCS_ENABLE variable. If the same service appears in both variables, it is enabled: JASS_SVCS_ENABLE takes precedence.
By default, JASS_SVCS_DISABLE lists every service shipped in the base OS /etc/inet/inetd.conf for Solaris OS versions 2.5.1 through 9, including common services such as in.telnetd, in.ftpd, and in.rshd. A service is disabled by inserting a # at the start of its entry in the /etc/inet/inetd.conf file. Entries added by unbundled or third-party software are not in the default list and are therefore not disabled.
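The inetd.conf handling described above (comment out the JASS_SVCS_DISABLE entries, re-enable the JASS_SVCS_ENABLE entries with enable winning, leave third-party entries alone) together with the flag insertion used by the in.ftpd logging and ftpaccess descriptions earlier (-l and -a on the ftp entry), as an added example that is not the toolkit's code. Entries are recognized by their socket-type field so that prose comments are never "re-enabled"; the function names and the sample inetd.conf are this example's assumptions.

```shell
#!/bin/sh
# Added example (not Solaris Security Toolkit code). Operates on the
# inetd.conf path given as $1; test on a copy of /etc/inet/inetd.conf.

# update_inetd_conf CONF
# Uses JASS_SVCS_DISABLE and JASS_SVCS_ENABLE (space-separated service
# names, as they appear in field 1 of inetd.conf, e.g. "telnet 100232/10").
update_inetd_conf() {
    _c=$1; _tmp="$_c.jass.$$"
    awk -v dis=" $JASS_SVCS_DISABLE " -v ena=" $JASS_SVCS_ENABLE " '
        # Split a line (commented or not) into global array f; an inetd
        # entry has at least 6 fields and a socket type in field 2.
        function entry(line,   t) {
            t = line; sub(/^#[ \t]*/, "", t)
            return split(t, f, /[ \t]+/)
        }
        {
            n = entry($0)
            if (n < 6 || f[2] !~ /^(stream|dgram|raw|seqpacket|tli)$/) {
                print; next                      # blank line or prose comment
            }
            name = f[1]
            if (index(ena, " " name " ")) {      # enable wins: uncomment
                t = $0; sub(/^#[ \t]*/, "", t); print t; next
            }
            if (index(dis, " " name " ") && $0 !~ /^#/) {
                print "#" $0; next               # disable: comment out
            }
            print                                # untouched (e.g. third party)
        }
    ' "$_c" > "$_tmp" && mv "$_tmp" "$_c"
}

# add_inetd_arg CONF SERVICE FLAG
# Append FLAG to the active SERVICE entry's arguments unless present.
add_inetd_arg() {
    _c=$1; _tmp="$_c.jass.$$"
    awk -v s="$2" -v flag="$3" '
        $1 == s && $0 !~ /^#/ {
            n = split($0, f, /[ \t]+/); have = 0
            for (i = 7; i <= n; i++) if (f[i] == flag) have = 1
            if (!have) $0 = $0 " " flag
        }
        { print }
    ' "$_c" > "$_tmp" && mv "$_tmp" "$_c"
}

# inetd_line CONF SERVICE : print the active entry for SERVICE
inetd_line() {
    awk -v s="$2" '$1 == s' "$1"
}
```

After editing the live file, inetd must re-read it (pkill -HUP inetd) for the change to take effect, and on Solaris 9 the -l/-a flags are only honored once TCP wrappers and ftpaccess are set up as the install-ftpaccess and TCP wrapper descriptions explain.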
This section lists product-specific finish scripts, which are for hardening specific Sun products. These scripts are in the Finish directory. TABLE 4-1 lists product-specific finish scripts.
New finish scripts are released periodically to harden new and updated Sun products. For the latest list of scripts, refer to the Security Web site:
http://www.sun.com/security/jass
This script automates the configuration of a system as a Sun Cluster 3.x node. This script installs the cluster keyword into the /etc/nsswitch.conf file to simplify deploying Sun Cluster 3.x systems. The keyword should be located in the hosts field. This script applies only to Sun Cluster 3.x systems and does not execute on other systems.
For more information, refer to the Sun BluePrints OnLine article titled "Securing Sun Cluster 3.x Software."
Note - This script applies only to Sun Fire High-End Systems SCs and domains and does not execute on other systems.
This script enables static ARP entries on the I1 MAN network. The I1 MAN network is a network internal to the Sun Fire High-End Systems chassis, used for TCP/IP-based communication between the SCs and domains. Because the addresses are configured statically instead of being learned through dynamic ARP resolution, ARP cache poisoning and similar ARP-based attacks against the SC on that network no longer have any effect.
The following four files are used by the Sun Fire High-End Systems optional s15k-static-arp.fin script:
For more information, refer to the Sun BluePrints OnLine article titled "Securing the Sun Fire 12K and 15K System Controller" and the article titled "Securing the Sun Fire 12K and 15K Domains."
This script disables TCP/IP connectivity between the SC and one or more domains. For more information, refer to the Sun BluePrints OnLine article titled "Securing the Sun Fire 12K and 15K System Controller."
This domain-only script adds a runtime control script, klmmod, which loads the misc/klmmod kernel module during startup of a Sun Fire High-End Systems domain.
This script automates enabling the use of Secure Shell by the failover daemon fomd. This script automates much of the Secure Shell configuration, in addition to disabling the use of legacy r* services. This script applies only to Sun Fire High-End Systems SCs and does not execute on other systems.
For more information, refer to the Sun BluePrints OnLine article titled "Securing the Sun Fire 12K and 15K System Controller."
Copyright © 2004, Sun Microsystems, Inc. All Rights Reserved.