Solaris Security Toolkit 4.2 Reference Manual
819-1503-10
Tables
Code Samples
Preface
1. Introduction to Solaris 10 Operating System Support
Using Perl With Solaris Security Toolkit 4.2 Software
SMF and Legacy Services on Solaris 10 OS
Scripts That Use the SMF-Ready Services Interface
Scripts That SMF Recognizes as Legacy Services
New Scripts for Solaris Security Toolkit 4.2 Release
Scripts Not Used for Solaris 10
Environment Variables Not Used for Solaris 10
Using Solaris 10 OS Zones
Sequence Matters in Hardening Global and Non-Global Zones
Harden a Non-Global Zone From Within That Zone
Some Scripts Are Not Relevant to Non-Global Zones
Audits of Non-Global Zones Are Separate and Distinct From Audits of Global Zones
Zone-Aware Finish and Audit Scripts
Some Zone-Aware Scripts Require Action Before Use in Non-Global Zones
rpcbind Disabled or Enabled Based on Drivers
To Enable rpcbind
Using TCP Wrappers
TCP Wrappers Configuration for secure.driver
TCP Wrappers Configuration for server-secure.driver
TCP Wrappers Configuration for suncluster3x-secure.driver
TCP Wrappers Configuration for sunfire_15k_sc-secure.driver
Defining Environment Variables
Earlier Solaris Security Toolkit Versions
Solaris Security Toolkit 4.2
2. Framework Functions
Customizing Framework Functions
Using Common Log Functions
logBanner
logDebug
logError
logFailure
logFileContentsExist and logFileContentsNotExist
logFileExists and logFileNotExists
logFileGroupMatch and logFileGroupNoMatch
logFileModeMatch and logFileModeNoMatch
logFileNotFound
logFileOwnerMatch and logFileOwnerNoMatch
logFileTypeMatch and logFileTypeNoMatch
logFinding
logFormattedMessage
logInvalidDisableMode
logInvalidOSRevision
logMessage
logNotGlobalZone
logNotice
logPackageExists and logPackageNotExists
logPatchExists and logPatchNotExists
logProcessArgsMatch and logProcessArgsNoMatch
logProcessExists and logProcessNotExists
logProcessNotFound
logScore
logScriptFailure
logServiceConfigExists and logServiceConfigNotExists
logServiceDisabled and logServiceEnabled
logServiceInstalled and logServiceNotInstalled
logServiceOptionDisabled and logServiceOptionEnabled
logServiceProcessList
logServicePropDisabled and logServicePropEnabled
logServiceRunning and logServiceNotRunning
logStartScriptExists and logStartScriptNotExists
logStopScriptExists and logStopScriptNotExists
logSuccess
logSummary
logUserLocked and logUserNotLocked
logUndoBackupWarning
logWarning
Using Common Miscellaneous Functions
adjustScore
checkLogStatus
clean_path
extractComments
get_driver_report
get_lists_conjunction
get_lists_disjunction
invalidVulnVal
isNumeric
printPretty
printPrettyPath
strip_path
Using Driver Functions
add_crontab_entry_if_missing
add_option_to_ftpd_property
add_patch
add_pkg
add_to_manifest
backup_file
backup_file_in_safe_directory
change_group
change_mode
change_owner
check_and_log_change_needed
check_os_min_version
check_os_revision
check_readOnlyMounted
checksum
convert_inetd_service_to_frmi
copy_a_dir
copy_a_file
copy_a_symlink
copy_files
create_a_file
create_file_timestamp
disable_conf_file
disable_file
disable_rc_file
disable_service
enable_service
find_sst_run_with
get_expanded_file_name
get_stored_keyword_val
get_users_with_retries_set
is_patch_applied and is_patch_not_applied
is_service_enabled
is_service_installed
is_service_running
is_user_account_extant
is_user_account_locked
is_user_account_login_not_set
is_user_account_passworded
lock_user_account
make_link
mkdir_dashp
move_a_file
rm_pkg
set_service_property_value
set_stored_keyword_val
unlock_user_account
update_inetconv_in_upgrade
warn_on_default_files
write_val_to_file
Using Audit Functions
check_fileContentsExist and check_fileContentsNotExist
check_fileExists and check_fileNotExists
check_fileGroupMatch and check_fileGroupNoMatch
check_fileModeMatch and check_fileModeNoMatch
check_fileOwnerMatch and check_fileOwnerNoMatch
check_fileTemplate
check_fileTypeMatch and check_fileTypeNoMatch
check_if_crontab_entry_present
check_keyword_value_pair
check_minimized
check_minimized_service
check_packageExists and check_packageNotExists
check_patchExists and check_patchNotExists
check_processArgsMatch and check_processArgsNoMatch
check_processExists and check_processNotExists
check_serviceConfigExists and check_serviceConfigNotExists
check_serviceDisabled and check_serviceEnabled
check_serviceInstalled and check_serviceNotInstalled
check_serviceOptionEnabled and check_serviceOptionDisabled
check_servicePropDisabled
check_serviceRunning and check_serviceNotRunning
check_startScriptExists and check_startScriptNotExists
check_stopScriptExists and check_stopScriptNotExists
check_userLocked and check_userNotLocked
finish_audit
get_cmdFromService
start_audit
3. File Templates
Customizing File Templates
To Customize a File Template
Understanding Criteria for How Files Are Copied
Using Configuration Files
driver.init
finish.init
user.init.SAMPLE
To Add a New Variable to the user.init Script
To Append Entries to Variables Using the user.init File
Using File Templates
.cshrc
.profile
etc/default/sendmail
etc/dt/config/Xaccess
etc/ftpd/banner.msg
etc/hosts.allow and etc/hosts.deny
etc/hosts.allow-15k_sc
etc/hosts.allow-server
etc/hosts.allow-suncluster
etc/init.d/nddconfig
etc/init.d/set-tmp-permissions
etc/init.d/sms_arpconfig
etc/init.d/swapadd
etc/issue and etc/motd
etc/notrouter
etc/opt/ipf/ipf.conf
etc/opt/ipf/ipf.conf-15k_sc
etc/opt/ipf/ipf.conf-server
etc/rc2.d/S00set-tmp-permissions and etc/rc2.d/S07set-tmp-permissions
etc/rc2.d/S70nddconfig
etc/rc2.d/S73sms_arpconfig
etc/rc2.d/S77swapadd
etc/security/audit_control
etc/security/audit_class+5.8 and etc/security/audit_event+5.8
etc/security/audit_class+5.9 and etc/security/audit_event+5.9
etc/sms_domain_arp and etc/sms_sc_arp
etc/syslog.conf
root/.cshrc
root/.profile
var/opt/SUNWjass/BART/rules
var/opt/SUNWjass/BART/rules-secure
4. Drivers
Understanding Driver Functions and Processes
Load Functionality Files
Perform Basic Checks
Load User Functionality Overrides
Mount File Systems to JumpStart Client
Copy or Audit Files
Execute Scripts
Compute Total Score for the Run
Unmount File Systems From JumpStart Client
Customizing Drivers
To Customize a Driver
Using Standard Drivers
config.driver
hardening.driver
secure.driver
Using Product-Specific Drivers
server-secure.driver
suncluster3x-secure.driver
sunfire_15k_sc-secure.driver
5. Finish Scripts
Customizing Finish Scripts
Customize Existing Finish Scripts
To Customize a Finish Script
Prevent kill Scripts From Being Disabled
Create New Finish Scripts
Using Standard Finish Scripts
Disable Finish Scripts
disable-ab2.fin
disable-apache.fin
disable-apache2.fin
disable-appserv.fin
disable-asppp.fin
disable-autoinst.fin
disable-automount.fin
disable-dhcp.fin
disable-directory.fin
disable-dmi.fin
disable-dtlogin.fin
disable-face-log.fin
disable-IIim.fin
disable-ipv6.fin
disable-kdc.fin
disable-keyboard-abort.fin
disable-keyserv-uid-nobody.fin
disable-ldap-client.fin
disable-lp.fin
disable-mipagent.fin
disable-named.fin
disable-nfs-client.fin
disable-nfs-server.fin
disable-nscd-caching.fin
disable-picld.fin
disable-power-mgmt.fin
disable-ppp.fin
disable-preserve.fin
disable-remote-root-login.fin
disable-rhosts.fin
disable-routing.fin
disable-rpc.fin
disable-samba.fin
disable-sendmail.fin
disable-slp.fin
disable-sma.fin
disable-snmp.fin
disable-spc.fin
disable-ssh-root-login.fin
disable-syslogd-listen.fin
disable-system-accounts.fin
disable-uucp.fin
disable-vold.fin
disable-wbem.fin
disable-xfs.fin
disable-xserver.listen.fin
Enable Finish Scripts
enable-account-lockout.fin
enable-bart.fin
enable-bsm.fin
enable-coreadm.fin
enable-ftpaccess.fin
enable-ftp-syslog.fin
enable-inetd-syslog.fin
enable-ipfilter.fin
enable-password-history.fin
enable-priv-nfs-ports.fin
enable-process-accounting.fin
enable-rfc1948.fin
enable-stack-protection.fin
enable-tcpwrappers.fin
Install Finish Scripts
install-at-allow.fin
install-fix-modes.fin
install-ftpusers.fin
install-jass.fin
install-loginlog.fin
install-md5.fin
install-nddconfig.fin
install-newaliases.fin
install-openssh.fin
install-recommended-patches.fin
install-sadmind-options.fin
install-security-mode.fin
install-shells.fin
install-strong-permissions.fin
install-sulog.fin
install-templates.fin
Print Finish Scripts
print-jass-environment.fin
print-jumpstart-environment.fin
print-rhosts.fin
print-sgid-files.fin
print-suid-files.fin
print-unowned-objects.fin
print-world-writable-objects.fin
Remove Finish Script
remove-unneeded-accounts.fin
Set Finish Scripts
set-banner-dtlogin.fin
set-banner-ftpd.fin
set-banner-sendmail.fin
set-banner-sshd.fin
set-banner-telnet.fin
set-flexible-crypt.fin
set-ftpd-umask.fin
set-login-retries.fin
set-power-restrictions.fin
set-rmmount-nosuid.fin
set-root-group.fin
set-root-home-dir.fin
set-root-password.fin
set-strict-password-checks.fin
set-sys-suspend-restrictions.fin
set-system-umask.fin
set-term-type.fin
set-tmpfs-limit.fin
set-user-password-reqs.fin
set-user-umask.fin
Update Finish Scripts
update-at-deny.fin
update-cron-allow.fin
update-cron-deny.fin
update-cron-log-size.fin
update-inetd-conf.fin
Using Product-Specific Finish Scripts
suncluster3x-set-nsswitch-conf.fin
s15k-static-arp.fin
s15k-exclude-domains.fin
s15k-sms-secure-failover.fin
6. Audit Scripts
Customizing Audit Scripts
Customize Standard Audit Scripts
To Customize an Audit Script
Create New Audit Scripts
Using Standard Audit Scripts
Disable Audit Scripts
disable-ab2.aud
disable-apache.aud
disable-apache2.aud
disable-appserv.aud
disable-asppp.aud
disable-autoinst.aud
disable-automount.aud
disable-dhcpd.aud
disable-directory.aud
disable-dmi.aud
disable-dtlogin.aud
disable-face-log.aud
disable-IIim.aud
disable-ipv6.aud
disable-kdc.aud
disable-keyboard-abort.aud
disable-keyserv-uid-nobody.aud
disable-ldap-client.aud
disable-lp.aud
disable-mipagent.aud
disable-named.aud
disable-nfs-client.aud
disable-nfs-server.aud
disable-nscd-caching.aud
disable-picld.aud
disable-power-mgmt.aud
disable-ppp.aud
disable-preserve.aud
disable-remote-root-login.aud
disable-rhosts.aud
disable-routing.aud
disable-rpc.aud
disable-samba.aud
disable-sendmail.aud
disable-slp.aud
disable-sma.aud
disable-snmp.aud
disable-spc.aud
disable-ssh-root-login.aud
disable-syslogd-listen.aud
disable-system-accounts.aud
disable-uucp.aud
disable-vold.aud
disable-wbem.aud
disable-xfs.aud
disable-xserver.listen.aud
Enable Audit Scripts
enable-account-lockout.aud
enable-bart.aud
enable-bsm.aud
enable-coreadm.aud
enable-ftp-syslog.aud
enable-ftpaccess.aud
enable-inetd-syslog.aud
enable-ipfilter.aud
enable-password-history.aud
enable-priv-nfs-ports.aud
enable-process-accounting.aud
enable-rfc1948.aud
enable-stack-protection.aud
enable-tcpwrappers.aud
Install Audit Scripts
install-at-allow.aud
install-fix-modes.aud
install-ftpusers.aud
install-jass.aud
install-loginlog.aud
install-md5.aud
install-nddconfig.aud
install-newaliases.aud
install-openssh.aud
install-recommended-patches.aud
install-sadmind-options.aud
install-security-mode.aud
install-shells.aud
install-strong-permissions.aud
install-sulog.aud
install-templates.aud
Print Audit Scripts
print-jass-environment.aud
print-jumpstart-environment.aud
print-rhosts.aud
print-sgid-files.aud
print-suid-files.aud
print-unowned-objects.aud
print-world-writable-objects.aud
Remove Audit Script
remove-unneeded-accounts.aud
Set Audit Scripts
set-banner-dtlogin.aud
set-banner-ftpd.aud
set-banner-sendmail.aud
set-banner-sshd.aud
set-banner-telnet.aud
set-flexible-crypt.aud
set-ftpd-umask.aud
set-login-retries.aud
set-power-restrictions.aud
set-rmmount-nosuid.aud
set-root-group.aud
set-root-home-dir.aud
set-root-password.aud
set-strict-password-checks.aud
set-sys-suspend-restrictions.aud
set-system-umask.aud
set-term-type.aud
set-tmpfs-limit.aud
set-user-password-reqs.aud
set-user-umask.aud
Update Audit Scripts
update-at-deny.aud
update-cron-allow.aud
update-cron-deny.aud
update-cron-log-size.aud
update-inetd-conf.aud
Using Product-Specific Audit Scripts
suncluster3x-set-nsswitch-conf.aud
s15k-static-arp.aud
s15k-exclude-domains.aud
s15k-sms-secure-failover.aud
7. Environment Variables
Customizing and Assigning Variables
Assigning Static Variables
Assigning Dynamic Variables
Assigning Complex Substitution Variables
Assigning Global and Profile-Based Variables
Creating Environment Variables
Using Environment Variables
Defining Framework Variables
JASS_AUDIT_DIR
JASS_CHECK_MINIMIZED
JASS_CONFIG_DIR
JASS_DISABLE_MODE
JASS_DISPLAY_HOST_LENGTH
JASS_DISPLAY_HOSTNAME
JASS_DISPLAY_SCRIPT_LENGTH
JASS_DISPLAY_SCRIPTNAME
JASS_DISPLAY_TIME_LENGTH
JASS_DISPLAY_TIMESTAMP
JASS_FILE_COPY_KEYWORD
JASS_FILES
JASS_FILES_DIR
JASS_FINISH_DIR
JASS_HOME_DIR
JASS_HOSTNAME
JASS_ISA_CAPABILITY
JASS_LOG_BANNER
JASS_LOG_ERROR
JASS_LOG_FAILURE
JASS_LOG_NOTICE
JASS_LOG_SUCCESS
JASS_LOG_SUMMARY
JASS_LOG_WARNING
JASS_MODE
JASS_OS_REVISION
JASS_OS_TYPE
JASS_PACKAGE_DIR
JASS_PATCH_DIR
JASS_PKG
JASS_REPOSITORY
JASS_ROOT_DIR
JASS_ROOT_HOME_DIR
JASS_RUN_AUDIT_LOG
JASS_RUN_CHECKSUM
JASS_RUN_CLEAN_LOG
JASS_RUN_FINISH_LIST
JASS_RUN_INSTALL_LOG
JASS_RUN_MANIFEST
JASS_RUN_SCRIPT_LIST
JASS_RUN_UNDO_LOG
JASS_RUN_VALUES
JASS_RUN_VERSION
JASS_SAVE_BACKUP
JASS_SCRIPT
JASS_SCRIPT_ERROR_LOG
JASS_SCRIPT_FAIL_LOG
JASS_SCRIPT_NOTE_LOG
JASS_SCRIPT_WARN_LOG
JASS_SCRIPTS
JASS_STANDALONE
JASS_SUFFIX
JASS_TIMESTAMP
JASS_UNAME
JASS_UNDO_TYPE
JASS_USER_DIR
JASS_VERBOSITY
JASS_VERSION
JASS_ZONE_NAME
Define Script Behavior Variables
JASS_ACCT_DISABLE
JASS_ACCT_REMOVE
JASS_AGING_MAXWEEKS
JASS_AGING_MINWEEKS
JASS_AGING_WARNWEEKS
JASS_AT_ALLOW
JASS_AT_DENY
JASS_BANNER_DTLOGIN
JASS_BANNER_FTPD
JASS_BANNER_SENDMAIL
JASS_BANNER_SSHD
JASS_BANNER_TELNETD
JASS_CORE_PATTERN
JASS_CPR_MGT_USER
JASS_CRON_ALLOW
JASS_CRON_DENY
JASS_CRON_LOG_SIZE
JASS_CRYPT_ALGORITHMS_ALLOW
JASS_CRYPT_DEFAULT
JASS_CRYPT_FORCE_EXPIRE
JASS_FIXMODES_DIR
JASS_FIXMODES_OPTIONS
JASS_FTPD_UMASK
JASS_FTPUSERS
JASS_KILL_SCRIPT_DISABLE
JASS_LOGIN_RETRIES
JASS_MD5_DIR
JASS_NOVICE_USER
JASS_PASS_ Environment Variables
JASS_PASS_DICTIONDBDIR
JASS_PASS_DICTIONLIST
JASS_PASS_HISTORY
JASS_PASS_LENGTH
JASS_PASS_MAXREPEATS
JASS_PASS_MINALPHA
JASS_PASS_MINDIFF
JASS_PASS_MINDIGIT
JASS_PASS_MINLOWER
JASS_PASS_MINNONALPHA
JASS_PASS_MINSPECIAL
JASS_PASS_MINUPPER
JASS_PASS_NAMECHECK
JASS_PASS_WHITESPACE
JASS_PASSWD
JASS_POWER_MGT_USER
JASS_REC_PATCH_OPTIONS
JASS_RHOSTS_FILE
JASS_ROOT_GROUP
JASS_ROOT_PASSWORD
JASS_SADMIND_OPTIONS
JASS_SENDMAIL_MODE
JASS_SGID_FILE
JASS_SHELLS
JASS_SUID_FILE
JASS_SUSPEND_PERMS
JASS_SVCS_DISABLE
JASS_SVCS_ENABLE
JASS_TMPFS_SIZE
JASS_UMASK
JASS_UNOWNED_FILE
JASS_WRITABLE_FILE
Define JumpStart Mode Variables
JASS_PACKAGE_MOUNT
JASS_PATCH_MOUNT
Glossary
Index
Copyright © 2005, Sun Microsystems, Inc. All Rights Reserved.