Chapter 6
Audit Scripts
This chapter provides reference information on using, adding, modifying, and removing audit scripts. Audit scripts provide an easy method for periodically checking the security posture of a system. Check your systems regularly to make sure that their security matches your security profile.
The standard audit scripts confirm that modifications controlled by finish scripts were made to the system, and they report any discrepancies that occurred since the hardening run. Audit scripts use the same name as their correlating finish script, except they have a different suffix. Audit scripts use the .aud suffix instead of .fin.
This chapter contains the following topics:
This section provides instructions and recommendations for customizing existing audit scripts or creating new audit scripts. In addition, guidelines are provided for using audit script functions.
Just as with Solaris Security Toolkit drivers and finish scripts, you can customize audit scripts.
Make as few changes as necessary to the code whenever possible and document those changes.
Use environment variables to customize an audit script. The behavior of most scripts can be significantly altered through environment variables, thereby eliminating the need to modify the script's code directly. If this is not possible, you may find it necessary to modify the function by developing a customized one for use in the user.run script. For a list of all environment variables and guidelines for defining them, see Chapter 7.
Caution - Whenever you customize the standard finish scripts or develop new ones, be sure to make the corresponding changes to the related audit scripts.
To Customize an Audit Script
Use the following steps to customize a standard audit script for your system and environment. Use these instructions so that newer versions of the original files do not overwrite your customized versions. Note that these files are not removed if you use the pkgrm command to remove the Solaris Security Toolkit software.
1. Copy the audit script and related files that you want to customize.
Refer to Chapter 6 in the Solaris Security Toolkit 4.2 Administration Guide for information about audit scripts and their related files.
2. Rename the copies with names that identify the files as custom scripts and files.
For naming guidelines, refer to "Guidelines," Chapter 1, Solaris Security Toolkit 4.2 Administration Guide.
3. Modify your custom script and files accordingly.
The finish.init file provides all audit script configuration variables. You can override the variable's default value specified in the finish.init file by adding the variable and its correct value to the user.init file. This file is heavily commented to explain each variable, its impact, and its use in audit scripts. For more information about this file and modifying its variables, see Chapter 3. If you want the change to be localized rather than to apply to all drivers, modify the driver.
When you customize audit scripts, it is critical to the accuracy of the audit functionality that both finish and audit scripts are able to access your customization. This goal is most easily and effectively achieved by modifying environment variables in the user.init script instead of modifying other init files or modifying scripts directly.
CODE EXAMPLE 6-1 shows how the install-openssh.aud script validates a correct software installation. The script checks whether the software package is installed, whether it is configured, and whether it is set up to run whenever the system reboots; any one of these checks failing is reported as a failure.
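The following is an added example, not code from the Solaris Security Toolkit or a reproduction of CODE EXAMPLE 6-1. It implements the same three-part pattern ("installed, configured to run, running") that the install-*.aud and disable-*.aud scripts apply, in plain Bourne shell so that it runs outside the toolkit. The function names imitate the toolkit's logPass/logFailure style but are the example's own. It assumes JASS_ROOT_DIR as a root prefix for file checks (empty means the live system), and that, when set, PKG_LIST (one package name per line) replaces pkginfo -q and PS_OUTPUT replaces ps -ef, so the checks can be exercised against constructed data; the package and path names in the usage comments are illustrative.

```shell
#!/bin/sh
#
# Added example; not code from the Solaris Security Toolkit. Shows the
# "installed, configured to run, running" checks the install-*.aud and
# disable-*.aud scripts perform. logPass/logFailure mimic the toolkit's
# message style but are this example's own functions.
#
# Assumptions (not from the page): JASS_ROOT_DIR is honoured as a root
# prefix for file checks; PKG_LIST, if set, is used instead of pkginfo -q;
# PS_OUTPUT, if set, is used instead of `ps -ef`.

JASS_ROOT_DIR="${JASS_ROOT_DIR:-}"
JASS_FAILURES=0

logFailure() { echo "[FAIL] $*"; JASS_FAILURES=`expr $JASS_FAILURES + 1`; }
logPass()    { echo "[PASS] $*"; }

# Predicates: exit status 0 when the object is present on the system.
pkg_present() {
    if [ -n "$PKG_LIST" ]; then
        echo "$PKG_LIST" | grep "^$1\$" >/dev/null
    else
        pkginfo -q "$1" 2>/dev/null
    fi
}
file_present() { [ -f "${JASS_ROOT_DIR}$1" ]; }
proc_present() {
    if [ -n "$PS_OUTPUT" ]; then pstab="$PS_OUTPUT"; else pstab=`ps -ef 2>/dev/null`; fi
    echo "$pstab" | grep "$1" | grep -v grep >/dev/null
}

# expect_state WANT DESC PREDICATE ARG: compare the observed state
# (present/absent) with the wanted one and record a pass or a failure.
expect_state() {
    want_state=$1; desc=$2; shift 2
    if "$@"; then got=present; else got=absent; fi
    if [ "$got" = "$want_state" ]; then
        logPass "$desc is $got"
    else
        logFailure "$desc is $got, expected $want_state"
    fi
}

# audit_service NAME present|absent PKG PROC_PATTERN FILE...
# install-*.aud style checks pass "present"; disable-*.aud style checks
# pass "absent". Returns the number of failed checks.
audit_service() {
    name=$1; want=$2; pkg=$3; pat=$4; shift 4
    JASS_FAILURES=0
    expect_state "$want" "package $pkg" pkg_present "$pkg"
    for f in "$@"; do
        expect_state "$want" "file $f" file_present "$f"
    done
    expect_state "$want" "process matching '$pat'" proc_present "$pat"
    echo "$name: $JASS_FAILURES failure(s)"
    return $JASS_FAILURES
}

# Illustrative live-system invocations (package and path names are assumptions):
#   audit_service install-openssh present OBSDssh /usr/local/sbin/sshd /etc/rc3.d/S25openssh.server
#   audit_service disable-lp absent SUNWlpr lpsched /etc/rc2.d/S80lp
```

Each check is reported individually, as the toolkit does, and the function's return value is the failure count so a driver can total it across scripts. Keeping the package, file and process predicates separate is what lets the same code serve both the install and the disable families: only the wanted state changes.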
You can create new audit scripts and integrate them into your deployment of the Solaris Security Toolkit software. Because scripts are developed in Bourne shell or Perl on the Solaris 10 OS, it is relatively easy to add new functionality. For those who are less experienced in UNIX shell scripting, examine existing audit scripts that perform similar functions to gain an understanding of how to accomplish a given task and to understand the correct sequence of actions.
The same conventions for developing new finish scripts apply to developing new audit scripts. For these conventions, see Customizing Finish Scripts.
Note - Audit and finish scripts work together. Whenever you add new audit scripts, be sure to add their companion finish scripts.
Audit scripts provide an automated way within the Solaris Security Toolkit software to validate a security posture by comparing it to a predefined security profile. Use audit scripts to validate that security modifications were made correctly, and to obtain reports on any discrepancies between a system's security posture and your security profile. For details on using audit scripts to validate system security, refer to Chapter 6 in the Solaris Security Toolkit 4.2 Administration Guide.
This section describes the standard audit scripts, which are in the Audit directory. Only the functionality performed by the audit scripts is described.
Each of the scripts in the Audit directory is organized into the following categories, which mirror those of the finish scripts in the Finish directory:
In addition to these standard audit scripts, Solaris Security Toolkit software provides product-specific audit scripts. For a list of product-specific audit scripts, see Using Product-Specific Audit Scripts.
The following disable audit scripts are described in this section:
Note - Use this script only for systems running the Solaris OS versions 2.5.1 through 8, because the AnswerBook2 software is no longer used in Solaris OS versions 9 and 10.
This script determines if the AnswerBook2 service is installed, configured, or running on the system. It indicates a failure if the software is installed, configured to run, or running on the system.
Note - This script checks only for the Apache Web Server that was packaged by Sun and shipped as part of Solaris OS versions 8 and 9.
This script determines if the Apache Web Server is installed, configured, or running on the system. It indicates a failure if the software is installed, configured to run, or running on the system.
Note - Use this script only for systems running the Solaris 10 OS.
This script determines if the Apache 2 service is installed, configured, or running on the system. It indicates a failure if the software is installed, configured to run, or running on the system.
Note - Use this script only for systems running the Solaris 10 OS.
This script determines if the Sun Java Application Server is installed, configured, or running on the system. The script indicates a failure if the software is installed or configured to run.
This script determines if the ASPPP service is installed, configured, or running on the system. It indicates a failure if the software is installed, configured to run, or running on the system.
This script determines if automated installation functionality is installed or enabled on the system. It indicates a failure if the software is installed or configured to run.
Note - If the automount service is required, then do not use this script. Because this service also relies on the RPC service, do not use the disable-rpc.aud script either.
This script determines if the automount service is installed, configured, or running on the system. It indicates a failure if the software is installed, configured to run, or running on the system.
Note - Use this script only on the DHCP server included in Solaris OS versions 8 through 10.
This script determines if the DHCP service is installed, configured, or running on the system. It indicates a failure if the software is installed, configured to run, or running on the system.
This script determines if the Sun Java System Directory service is installed, configured, or running on the system. It indicates a failure if the software is installed, configured to run, or running on the system.
Note - Use this script only for systems running Solaris OS versions 2.6 through 10.
This script determines if the DMI service is installed, configured, or running on the system. It indicates a failure if the software is installed, configured to run, or running on the system.
Note - Use this script only for systems running Solaris OS versions 2.6 through 10.
This script determines if the CDE login server, or dtlogin, is installed, configured, or running on the system. It indicates a failure if the software is installed, configured to run, or running on the system.
Note - Use this script only for systems running the Solaris 10 OS.
This script verifies that the /usr/oasys/tmp/TERRLOG file is present and is not writable by Group or Other. The script indicates a failure if the file has write permission for Group or Other.
Note - Use this script only for systems running Solaris OS versions 9 and 10.
This script determines if the IIim service is installed, configured, or running on the system. The script indicates a failure if the software is installed, configured to run, or actually running on the system.
Note - Use this script only for systems running Solaris OS versions 8, 9, and 10.
This script checks for the absence of the IPv6 host name files, /etc/hostname6.*, that cause IPv6 interfaces to be plumbed, and checks whether the in.ndpd service is started. It indicates a failure if any IPv6 interface is configured or plumbed, or if the in.ndpd service is running.
Note - Use this script only for systems running Solaris OS versions 9 and 10.
This script determines if the KDC service is installed, configured, or running on the system. It indicates a failure if the software is installed, configured to run, or running on the system.
Note - Use this script only on systems running Solaris OS versions 2.6 through 10.
Note - Some systems feature key switches with a secure position. On these systems, setting the key switch to the secure position overrides any software default set with the kbd command.
This script determines if the system is configured to ignore keyboard abort sequences. Typically, when a keyboard abort sequence is initiated, the operating system is suspended and the console enters the OpenBoot PROM monitor or debugger. This script determines if the system can be suspended in this way.
This script determines whether the keyserv service is configured to prevent the use of default keys for the user nobody. It indicates a failure if the keyserv process is not running with the -d flag and, on Solaris OS versions 9 and 10, the ENABLE_NOBODY_KEYS parameter in /etc/default/keyserv is also not set to NO.
Note - Use this script only on systems running Solaris OS versions 8 through 10.
This script determines if the LDAP client service is installed, configured, or running on the system. It indicates a failure if the software is installed, configured to run, or running on the system.
This script determines if the line printer (lp) service is installed, configured, or running on the system. It indicates a failure if the software is installed, configured to run, or running on the system. This script also indicates a failure if the lp user is permitted to use the cron facility or has a crontab file installed.
Note - Use this script only for Solaris OS versions 8 through 10.
This script determines if the Mobile IP service is installed, configured, or running on the system. It indicates a failure if the software is installed, configured to run, or running on the system.
Note - Disabling this service does not affect the ability of the system to act as a Domain Name System (DNS) client.
This script determines if the DNS server is installed, configured, or running on the system. This script indicates a failure if the software is installed, configured to run (through a configuration file), or actually running on the system.
This script checks only for the DNS server that was packaged by Sun Microsystems and shipped as part of the Solaris OS.
Caution - If the NFS client service is required, then do not use this script. Because this service also relies on the RPC service, do not use the disable-rpc.aud script either.
This script determines if the NFS client service is configured or running on the system. It indicates a failure if the software is configured to run or is running on the system.
Caution - If the NFS service is required, then do not use this script. Because this service also relies on the RPC service, do not use the disable-rpc.aud script either.
This script determines if the NFS service is configured or running on the system. It indicates a failure if the software is configured to run or is running on the system.
This script determines whether the name service cache daemon (nscd) positive time-to-live or negative time-to-live values for the passwd, group, hosts, or ipnodes caches are set to anything other than 0. The script indicates a failure if any of these values is not 0.
Note - Use this script only for systems running Solaris OS versions 8 and 9.
This script determines if the PICL service is installed, configured, or running on the system. It indicates a failure if the software is installed, configured to run, or running on the system.
Note - Use this script only for systems running Solaris OS versions 2.6 through 10.
This script determines if the power management service is installed, configured, or running on the system. It indicates a failure if the software is installed, configured to run, or running on the system.
Note - This service was introduced in Solaris 8 OS (7/01) and supplements the older ASPPP service. Use this script only for systems running Solaris OS versions 8 through 10.
This script determines if the PPP service is installed, configured, or running on the system. It indicates a failure if the software is installed, configured to run, or running on the system.
This script determines if the preserve functionality is enabled. If enabled, a failure is indicated.
Note - Other mechanisms to access systems, such as the use of Solaris Secure Shell, that do not use /bin/login might still provide direct root access, even if the system passes this test.
This script determines, and indicates a failure, if a root user is permitted to directly log in to or execute commands on a system remotely through programs using /bin/login, such as telnet.
Note - Use this script only for systems running Solaris OS versions 2.6 through 10.
This script determines if the rhosts and hosts.equiv functionality is enabled through PAM configuration in /etc/pam.conf. The script indicates a failure if this functionality is enabled using the pam_rhosts_auth.so.1 module in the /etc/pam.conf file.
Note - Use this script only for systems running Solaris OS versions 2.5.1 through 10.
This script determines if routing, or packet forwarding, of network packets from one network to another is disabled.
Caution - The RPC port mapper function should not be disabled if any of the following services are used on the system: automount, NFS, NIS, NIS+, CDE, and volume management (Solaris 9 and 10 OS only).
This script determines if the RPC service is installed, configured, or running on the system. It indicates a failure if the software is installed, configured to run, or running on the system. In addition, this script indicates a failure for each service registered with the rpcbind port mapper.
Note - Use this script only for systems running Solaris OS versions 9 and 10.
This script determines if the Samba service is installed, configured, or running on the system. It indicates a failure if the software is installed, configured to run, or running on the system. Only Samba services included in the Solaris OS distribution are verified as being disabled. This script does not impact other Samba distributions installed on the system.
Note - The Solaris Security Toolkit software modifications verify only that a Solaris OS system is not configured to receive email. Outgoing email is still processed normally.
By default, the sendmail service is configured to both forward local mail and to receive incoming mail from remote sources. If a system is not intended to be a mail server, then the sendmail service can be configured not to accept incoming messages. This script checks that the sendmail service is configured not to accept incoming messages.
This check is performed in a variety of ways depending on the version of the Solaris OS used.
This script indicates a failure if the sendmail service is not disabled in accordance with the checks specific to the Solaris OS version.
Note - Use this script only for systems running Solaris OS versions 8, 9, and 10.
This script determines if the SLP service is installed, configured, or running on the system. It indicates a failure if the software is installed, configured to run, or running on the system.
Note - Use this script only for systems running the Solaris 10 OS.
This script determines if the SMA service is installed, configured, or running on the system. This script indicates a failure if the software is installed, configured to run, or actually running on the system.
Note - This script checks only the SNMP agent provided in Solaris OS versions 2.6 through 10.
This script determines if the SNMP service is installed, configured, or running on the system. It indicates a failure if the software is installed, configured to run, or running on the system. This script does not verify whether third-party SNMP agents are functioning on the system.
Note - Use this script only for systems running Solaris OS versions 2.6 through 10.
This script determines if the SPC service is installed, configured, or running on the system. It indicates a failure if the software is installed, configured to run, or running on the system.
Note - Use this script only for systems running the Solaris 9 or 10 OS with the Solaris Secure Shell packages installed and enabled.
This script indicates a failure if the Solaris Secure Shell service distributed in the Solaris OS versions 9 and 10 does not restrict access to the root account.
The corresponding finish script sets options to disallow the remote logging functionality of the syslogd process; this audit script determines whether the SYSLOG service is still configured to accept remote log connections. The script indicates a failure if the syslogd process is not running with the -t flag (Solaris 8 OS) and the LOG_FROM_REMOTE parameter in /etc/default/syslogd is not set to NO (Solaris OS versions 9 and 10).
For each account name listed in the JASS_ACCT_DISABLE environment variable, this script indicates a failure for each account that is not configured to use the shell defined by the JASS_SHELL_DISABLE variable. This script also indicates a failure if the shell program listed in the JASS_SHELL_DISABLE variable does not exist on the system.
Note - This script only checks accounts that are listed in the /etc/passwd file. It does not check for accounts listed in any other naming service (NIS, NIS+, or LDAP).
This script determines if the UUCP service is installed, configured, or running on the system. It indicates a failure if the software is installed, configured to run, or running on the system. This script also indicates a failure if the nuucp user exists (Solaris 9 OS and earlier), or is not locked (Solaris 10), if in.uucpd exists in /etc/inetd.conf, or if a uucp crontab file is installed.
Note - Do not use this script if the system needs automatic mounting and unmounting of removable media, such as diskettes and CD-ROMs.
This script determines if the VOLD service is installed, configured, or running on the system. It indicates a failure if the software is installed, configured to run, or is running on the system.
This script determines if the WBEM service is installed, configured, or running on the system. It indicates a failure if the software is installed, configured to run, or running on the system.
Note - Use this script only for systems running the Solaris 10 OS.
This script determines if the xfs service is installed, enabled, or running on the system. This script indicates a failure if the software is enabled to run or actually running on the system.
Note - Use this script only for systems running Solaris OS versions 9 and 10.
This script indicates a failure if the X11 server is configured to accept client connections using the TCP transport. In addition, it indicates a failure if the X11 server is running in a configuration that permits use of the TCP transport.
The following enable audit scripts are described in this section:
Note - Use this script only for systems running the Solaris 10 OS.
This script verifies that the value of LOCK_AFTER_RETRIES is defined correctly in the /etc/security/policy.conf file. In addition, this script checks to ensure that no users have a different value than LOCK_AFTER_RETRIES specified in /etc/user_attr.
Note - Use this script only for systems running the Solaris 10 OS.
This script verifies that BART has been run and compares BART rules and manifests files.
The script determines if a BART rules file is present, and if so, determines if its configuration is consistent with the driver being run and its BART rules file. If the BART rules file configuration is not consistent with the driver being run and its BART rules file, the script copies a rules file from $JASS_FILES/var/opt/SUNWjass/bart/rules. This script also creates a new manifest in /var/opt/SUNWjass/BART/manifests named JASS_TIMESTAMP.txt; for example, 20050711152248.txt.
The script also reports any differences between the new and most recent manifest files, generates audit messages containing the names of the BART manifests used, and suggests that the user check against earlier manifest files or the FingerPrint Database for any issues found.
Note - Use this script only for systems running Solaris OS versions 8 through 10.
This script determines if the SunSHIELD Solaris Basic Security Module (Solaris BSM) auditing functionality is enabled and running on the system, if the service is loaded in the /etc/system file, and if the audit_warn alias is defined in /etc/mail/aliases. If one or more of these checks fail, then the script indicates a failure.
Note - Use this script only for systems running Solaris OS versions 7 through 10.
This script verifies that the system stores generated core files under the directory specified by JASS_CORE_DIR. It indicates a failure if the coreadm functionality present in the Solaris OS versions 7 through 10 is not configured. An error condition also is generated if core files are not tagged with the specification denoted by JASS_CORE_PATTERN.
This script determines whether the FTP service is configured to log session and connection information. A failure is indicated if FTP service logging is not enabled.
Note - Use this script only for systems running Solaris OS versions 9 and 10.
This script determines if the FTP service is configured to use the /etc/ftpd/ftpaccess file. A failure is indicated if FTP is not configured properly.
This script determines if the Internet services daemon (inetd) service is configured to log session and connection information:
Note - Use this script only for systems running the Solaris 10 OS.
This script reviews the ipfilter configuration of all available network interfaces and verifies that the correct IP Filter rule set is installed. The script does the following:
Note - Use this script only for systems running the Solaris 10 OS.
This script verifies the correct configuration of password history on the system. The script checks the /etc/default/passwd file to determine if a HISTORY value is specified:
This script determines if the NFS service is configured to accept only client communication that originates from a port in the privileged range below 1024. A failure is indicated if the NFS service is not configured properly.
This script determines if the process accounting software is installed, enabled, or running on the system. A failure is indicated if this is not the case.
Note - Use this script only on systems running Solaris OS versions 2.6 through 10.
This script determines if the system is configured to use RFC 1948 for its TCP sequence number generation. This script checks both the stored configuration and the actual runtime setting. A failure is displayed if the system is not configured to use RFC 1948-compliant TCP sequence number generation.
Note - Use this script only on systems running Solaris OS versions 2.6 through 10.
This script determines if the noexec_user_stack and noexec_user_stack_log options are set in the /etc/system file to enable stack protections and exception logging. If these options are not enabled, a failure is reported.
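The following is an added example, not code from the Solaris Security Toolkit, covering the stored-configuration half of several checks described above: the syslogd remote-logging check (LOG_FROM_REMOTE in /etc/default/syslogd), the keyserv default-keys check (ENABLE_NOBODY_KEYS in /etc/default/keyserv), the LOCK_AFTER_RETRIES check in /etc/security/policy.conf together with its per-user overrides in /etc/user_attr, the RFC 1948 check (TCP_STRONG_ISS in /etc/default/inetinit plus the runtime value read with ndd), and the stack-protection check (set lines in /etc/system). The function names are the example's own, not toolkit functions; file paths are passed as arguments so the checks can be run against constructed copies of the files.

```shell
#!/bin/sh
#
# Added example; not code from the Solaris Security Toolkit. Parses the
# stored configuration that several audit scripts check: KEY=VALUE files
# under /etc/default and /etc/security/policy.conf, "set VAR=VALUE" lines
# in /etc/system, and key=value attributes in /etc/user_attr.
# Function names are this example's own. Paths are explicit arguments so
# the checks can run against constructed files (assumption, not toolkit behaviour).

JASS_FAILURES=0
logFailure() { echo "[FAIL] $*"; JASS_FAILURES=`expr $JASS_FAILURES + 1`; }
logPass()    { echo "[PASS] $*"; }

# default_value FILE KEY: effective KEY in an /etc/default-style file.
# Comment lines (#) are ignored, the last assignment wins (later lines
# override earlier ones), and surrounding double quotes are dropped.
default_value() {
    awk -F= -v key="$2" '
        /^[ \t]*#/ { next }
        { k = $1; sub(/^[ \t]+/, "", k); sub(/[ \t]+$/, "", k) }
        k == key {
            v = $2; sub(/[ \t]+$/, "", v)
            if (substr(v, 1, 1) == "\"" && substr(v, length(v), 1) == "\"")
                v = substr(v, 2, length(v) - 2)
        }
        END { print v }' "$1"
}

# system_value FILE VAR: effective VAR from "set VAR=VALUE" lines in
# /etc/system; comment lines begin with '*', whitespace around '=' is allowed.
system_value() {
    awk -v var="$2" '
        /^[ \t]*\*/ { next }
        $1 == "set" {
            kv = $0; sub(/^[ \t]*set[ \t]+/, "", kv)
            split(kv, a, /[ \t]*=[ \t]*/)
            if (a[1] == var) v = a[2]
        }
        END { print v }' "$1"
}

# user_attr_mismatch FILE ATTR WANT: print users whose ATTR in the attribute
# field (user:qualifier:res1:res2:key=value;key=value) differs from WANT.
user_attr_mismatch() {
    awk -F: -v attr="$2" -v want="$3" '
        /^[ \t]*#/ || NF < 5 { next }
        {
            n = split($5, kv, ";")
            for (i = 1; i <= n; i++) {
                split(kv[i], p, "=")
                if (p[1] == attr && tolower(p[2]) != tolower(want)) print $1
            }
        }' "$1"
}

check_defaultValue() {   # FILE KEY WANT
    got=`default_value "$1" "$2"`
    if [ "$got" = "$3" ]; then logPass "$1: $2=$got"; return 0; fi
    logFailure "$1: $2 is '${got:-unset}', expected $3"; return 1
}

check_systemValue() {    # FILE VAR WANT
    got=`system_value "$1" "$2"`
    if [ "$got" = "$3" ]; then logPass "$1: set $2=$got"; return 0; fi
    logFailure "$1: $2 is '${got:-unset}', expected $3"; return 1
}

check_userAttr() {       # FILE ATTR WANT
    bad=`user_attr_mismatch "$1" "$2" "$3"`
    if [ -z "$bad" ]; then logPass "$1: no $2 override differs from $3"; return 0; fi
    logFailure "$1: $2 differs from $3 for:" `echo $bad`; return 1
}

# Runtime half of the RFC 1948 check; only meaningful where ndd exists (Solaris).
check_runtimeStrongIss() {
    if [ ! -x /usr/sbin/ndd ]; then echo "[NOTE] ndd not found, runtime check skipped"; return 0; fi
    got=`/usr/sbin/ndd -get /dev/tcp tcp_strong_iss 2>/dev/null`
    if [ "$got" = "2" ]; then logPass "tcp_strong_iss=2 at runtime"; return 0; fi
    logFailure "tcp_strong_iss is '${got:-unknown}' at runtime, expected 2"; return 1
}

# Live-system usage (Solaris 9/10 paths):
#   check_defaultValue /etc/default/syslogd LOG_FROM_REMOTE NO
#   check_defaultValue /etc/default/keyserv ENABLE_NOBODY_KEYS NO
#   check_defaultValue /etc/security/policy.conf LOCK_AFTER_RETRIES YES
#   check_userAttr /etc/user_attr lock_after_retries YES
#   check_defaultValue /etc/default/inetinit TCP_STRONG_ISS 2 && check_runtimeStrongIss
#   check_systemValue /etc/system noexec_user_stack 1
#   check_systemValue /etc/system noexec_user_stack_log 1
```

Two details matter for accuracy. A commented-out `#LOG_FROM_REMOTE=YES` must not be read as a setting, and when a key appears twice the later line is the one the shell-sourced defaults file actually applies, so the parser keeps the last uncommented assignment. For /etc/user_attr, a per-user `lock_after_retries` silently overrides the policy.conf value, which is why the enable-account-lockout check described above inspects both files.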
Note - Use this script only on systems running Solaris OS versions 9 and 10 using the bundled TCP wrapper packages.
This script determines whether TCP wrappers are installed, configured using the hosts.allow and hosts.deny templates included with the Solaris Security Toolkit software, and enabled by the ENABLE_TCPWRAPPERS variable. A failure is reported if the system is not using TCP wrappers.
The following install audit scripts are described in this section:
This script determines if a user name is listed in the JASS_AT_ALLOW variable and does not exist in the /etc/cron.d/at.allow file. The list of user names defined by JASS_AT_ALLOW is empty by default. To pass this check, each user name must exist in both the /etc/passwd file and the /etc/cron.d/at.allow file. Furthermore, a user name should not be in the /etc/cron.d/at.deny file. A failure is displayed if a user name is not listed in both files.
Note - Use this script only on systems running Solaris OS versions 2.5.1 through 9.
This script determines if the Fix Modes program was installed and run on the system. It indicates a failure if the software is not installed or has not been run. Further, this script uses Fix Modes in debug mode to determine if any additional file system objects should be adjusted.
This script determines if any user name listed in the JASS_FTPUSERS parameter is missing from the ftpusers file, and indicates a failure for each such user name.
This script determines if the Solaris Security Toolkit (SUNWjass) package is installed on the system. A failure is reported if this package is not installed.
This script checks for the existence, proper ownership, and permissions for the /var/adm/loginlog file. It indicates a failure if the file does not exist, has invalid permissions, or is not owned by the root account.
This script determines if the MD5 software is installed on the system. A failure is reported if the software is not installed.
This script determines if the nddconfig run-control script files identified in the Sun BluePrints OnLine article, Solaris Operating Environment Network Settings for Security and included with the Solaris Security Toolkit, have been copied to, and their settings made active on, the target system.
The script performs the following checks per object:
1. Tests to ensure that the source and target file types (regular file, symbolic link, or directory) match
2. Tests to ensure that the source and target file type contents are the same
This script also verifies that the settings defined by the nddconfig script are actually in place on the running system. This script uses its own copy of the nddconfig script in the Solaris Security Toolkit to provide more accurate reporting of results, especially in cases where the script name has changed or where other scripts are used to implement the same effects.
This script gives a failure when any of the checks described above are found to be false.
Note - Use this script only on systems running Solaris OS versions 2.5.1 through 8.
This script checks for the existence of the /usr/bin/newaliases program. It indicates a failure if this file does not exist or is not a symbolic link.
This script determines if the OpenSSH package specified by the script is installed and configured. A failure is reported if the package is not installed.
This script determines if the patches listed in the Recommended and Security Patch Cluster file are installed on the system. The patch information is collected from JASS_HOME_DIR/Patches directory, based on the Solaris OS version of the system being tested. A failure is displayed if one or more of these patches are not installed.
Note that this script indicates success if the version of the patch installed is equal to or greater than the version listed in the patch order file.
Note - Use this script only for systems running Solaris OS versions 2.5.1 through 9.
This script determines if the sadmind service exists in the /etc/inet/inetd.conf file. If it does, this script checks to ensure that options are set to those defined by the JASS_SADMIND_OPTIONS variable. The default setting is -S 2.
This script checks the status of the EEPROM security mode. It displays a warning if the mode is not command or full. In addition, this script checks the PROM failed login counter and displays a warning if it is not zero.
Note - Because the install-security-mode.fin script cannot change the security mode of the system, this script only indicates a warning for noncompliance rather than reporting a failure.
This script determines if any shell defined by the JASS_SHELLS parameter is not listed in the shells file. TABLE 6-1 lists the shells defined by JASS_SHELLS.
A failure is displayed if any shells listed in JASS_SHELLS are not also listed in the shells file.
Note - Do not use this script for systems running the Solaris 10 OS.
This script determines if any of the modifications recommended by the install-strong-permissions.fin script were not implemented. A failure is displayed if any of these modifications were not made.
This script is not used for the Solaris 10 OS, because the Solaris 10 OS has incorporated many permission and ownership changes. This script is not undoable, and the resulting support impact is no longer worth the security improvement given the changes to the Solaris 10 OS.
This script checks for the proper ownership and permissions of the /var/adm/sulog file. The script indicates a failure if the file does not exist, has invalid permissions, or is not owned by the root account.
This script determines if the files defined by the JASS_FILES variable were successfully copied to the target system. It indicates a failure if either of the two following checks fail: a test to ensure that the source and target file types match (regular file, symbolic link, or directory) and a test to ensure that their contents are the same.
The following print audit scripts are described in this section:
These scripts perform the same functions as the print finish scripts, except that they are customized for audit use.
Note - Do not use this script for systems running the Solaris 10 OS.
This script displays the variables and their content used by the Solaris Security Toolkit. It does not perform any validation or other checks on the content.
This script is for JumpStart mode only. It is used to print out JumpStart environment variable settings. This script does not perform any audit checks.
Note - The print-rhosts.aud script needs to be enabled manually if the extra processing time the script requires is acceptable.
This script displays a notice for any files found with the name of .rhosts or hosts.equiv. Further, this script displays the contents of those files for further inspection.
This script displays a notice for any files that have the set-gid bit set, and it provides a full (long) listing for further review.
This script displays a notice for any files that have the set-uid bit set, and it provides a full (long) listing for further review.
This script displays a notice for any files that are not assigned to a valid user and group, and it provides a full (long) listing for further review.
This script displays a notice for any matching files that are world-writable, and it provides a full (long) listing for further review.
The following remove audit script is described in this section:
Note - Use this script only for systems running Solaris OS versions 2.5.1 through 9.
The remove-unneeded-accounts.aud script validates that unused Solaris OS accounts, defined by the JASS_ACCT_REMOVE variable, were removed from the system.
The following set audit scripts are described in this section:
Note - Use this script only for systems running Solaris OS versions 2.6 through 10.
This script verifies that a service banner for the CDE or dtlogin service is defined. This script verifies that the system displays the contents of /etc/motd by listing it in the file template JASS_ROOT_DIR/etc/dt/config/Xsession.d/0050.warning.
Note - Use this script only for systems running Solaris OS versions 2.6 through 10.
This script checks that the FTP service banner matches the value defined by the JASS_BANNER_FTPD variable. It indicates a failure if the service banner does not match. The value of the variable is Authorized Use Only.
Note - Use this script only for systems running Solaris OS versions 9 and 10.
This script verifies that the sendmail service is configured to display the service banner as defined by the JASS_BANNER_SENDMAIL environment variable. This banner is displayed to all clients connecting to the sendmail service over the network.
Note - Use this script only for systems running Solaris OS versions 9 and 10.
This script verifies that the Secure Shell service banner is displayed by ensuring that the Secure Shell service displays the contents of /etc/issue to the user prior to authenticating access to the system.
Note - Use this script only for systems running Solaris OS versions 2.6 through 10.
This script checks that the Telnet service banner matches the value defined by the JASS_BANNER_TELNETD variable. It indicates a failure if the service banner does not match. The value of the variable is Authorized Use Only.
Note - Use this script only for systems running the Solaris 10 OS.
This script verifies the use of strong passwords by checking that the changes described in "Invalid Cross-Reference Format" for each of the Solaris Security Toolkit drivers have been made correctly.
If Perl is installed on the system during an audit by this script, the Solaris Security Toolkit 4.2 software attempts to use it. If Perl is not on the system, the script issues an error.
Note - Use this script only for systems running Solaris OS versions 2.6 through 10.
This script checks that the FTP daemon's file creation mask matches the value defined by the JASS_FTPD_UMASK variable. It indicates a failure if the file creation mask value does not match. The value of the variable is 022.
This script determines if the login RETRIES parameter is assigned the value defined by the JASS_LOGIN_RETRIES variable. The variable default is set to 3. A failure is displayed if the variable is not set to the default.
Note - Use this script only for systems running Solaris OS versions 2.6 through 10.
This script checks the /etc/default/power file and indicates a failure if the PMCHANGEPERM and CPRCHANGEPERM parameters do not have a hyphen "-" as their values.
This script determines if the /etc/rmmount.conf file restricts the mounting of a removable Unix File System (UFS) or a High Sierra File System (HSFS) by enforcing the nosuid parameter. A failure is displayed if this restriction is not defined in the /etc/rmmount.conf file.
This script determines if the root account's primary group is set to the value defined by the JASS_ROOT_GROUP variable. A failure is displayed if it is not defined properly.
Note - Use this script only for systems running the Solaris 10 OS.
This script checks to see if the root account has a home directory of / in the /etc/passwd file:
This script checks the password of the root account. It indicates a failure if the value is the same as that of the JASS_ROOT_PASSWORD variable. This check is done to encourage users to change the root password from the value defined by JASS_ROOT_PASSWORD as soon as possible.
Note - Use this script only for systems running the Solaris 10 OS.
This script verifies that the correct values for the various password checks are defined correctly in the /etc/default/passwd file.
Note - Use this script only for systems running Solaris OS versions 2.6 through 10.
This script checks the /etc/default/sys-suspend file. It indicates a failure if the PERMS parameter does not have a hyphen "-" as its value.
This script determines if the system's default file creation mask is set to the value defined by the JASS_UMASK variable. The default value is set to 022. A failure is displayed if the variable is not properly defined.
This script determines if the /etc/profile and the /etc/login files set the default terminal type to vt100. A failure is displayed if the default terminal type is not defined properly. This script is provided as a convenience only, and a failure does not impact the security of a system.
Note - The set-tmpfs-limit.aud script does not run under Solaris 2.5.1 OS, where this functionality is unsupported.
This script determines if any tmpfs file systems are defined in the /etc/vfstab file without their size being limited to the JASS_TMPFS_SIZE variable, which is set to a default of 512 megabytes. A failure is reported if the tmpfs file system size does not comply with the JASS_TMPFS_SIZE value.
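The vfstab check described above, as an added example that is not part of the Solaris Security Toolkit: it walks every tmpfs entry in a constructed vfstab, extracts the size= mount option (the seventh field, comma-separated) and compares it with JASS_TMPFS_SIZE, reporting each entry whose limit is missing or differs. The sample vfstab and the function names are assumptions of this example; "512m" stands in for the 512-megabyte default.

```shell
# Added example, not Solaris Security Toolkit code. vfstab fields are:
# device, fsck device, mount point, FS type, fsck pass, mount at boot,
# mount options. The vfstab below is constructed; JASS_TMPFS_SIZE="512m"
# mirrors the 512-megabyte default described in the text.
WORK=$(mktemp -d)
cat > "$WORK/vfstab" <<'EOF'
#device         device          mount   FS      fsck    mount   mount
#to mount       to fsck         point   type    pass    at boot options
/dev/dsk/c0t0d0s0 /dev/rdsk/c0t0d0s0 /  ufs     1       no      -
swap            -               /tmp    tmpfs   -       yes     size=512m
swap            -               /var/run tmpfs  -       yes     -
swap            -               /scratch tmpfs  -       yes     noexec,size=1g
EOF
JASS_TMPFS_SIZE="512m"

# tmpfs_size VFSTAB MOUNTPOINT: print the size= value of that tmpfs entry,
# or "none" when the entry carries no size limit at all.
tmpfs_size() {
  awk -v mp="$2" '
    /^[[:space:]]*#/ || NF < 7 { next }
    $4 == "tmpfs" && $3 == mp {
      n = split($7, opt, ","); val = "none"
      for (i = 1; i <= n; i++) if (opt[i] ~ /^size=/) val = substr(opt[i], 6)
      print val; exit
    }' "$1"
}

# audit_tmpfs VFSTAB EXPECTED_SIZE: one PASS/FAIL line per tmpfs entry;
# returns the number of entries whose limit differs from EXPECTED_SIZE.
audit_tmpfs() {
  failures=0
  for mp in $(awk '!/^[[:space:]]*#/ && $4 == "tmpfs" { print $3 }' "$1"); do
    size=$(tmpfs_size "$1" "$mp")
    if [ "$size" = "$2" ]; then
      echo "PASS: $mp is limited to $size"
    else
      echo "FAIL: $mp has size limit '$size', expected $2"
      failures=$((failures + 1))
    fi
  done
  return $failures
}

if audit_tmpfs "$WORK/vfstab" "$JASS_TMPFS_SIZE"; then
  echo "tmpfs audit passed"
else
  echo "tmpfs audit: $? entry/entries failed"
fi
```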
This script reviews the password policy settings on the system as defined previously. It indicates an error if the values do not match the following default values defined by the Solaris Security Toolkit:
The default values are contained in the following environment variables:
This script determines if any of the following files do not set the umask parameter to the value defined by the JASS_UMASK variable, whose default value is set to 022.
A failure is displayed if these files do not set the umask parameter appropriately.
The following update audit scripts are described in this section:
This script determines if a user account is listed in the JASS_AT_DENY variable and is not listed in the /etc/cron.d/at.deny file. The list of user accounts defined by the JASS_AT_DENY variable is as follows:
To pass this check, each user account must exist in both the /etc/passwd file and the /etc/cron.d/at.deny file. The user account must not exist in the /etc/cron.d/at.allow file, because it would override the setting (due to precedence). A failure is displayed if any of these checks fail.
This script determines if a user account is listed in the JASS_CRON_ALLOW variable and not in /etc/cron.d/cron.allow file. By default, the value is only the root user. A failure is displayed if this check fails.
This script determines if a user account is listed in the JASS_CRON_DENY variable and not in the /etc/cron.d/cron.deny file. The list of user accounts defined by the JASS_CRON_DENY variable is as follows:
To pass this check, each user account must exist in both the /etc/passwd file and the /etc/cron.d/cron.deny file. Furthermore, the user account must not exist in the /etc/cron.d/cron.allow file, because it would override this setting (due to precedence). A failure is displayed if any of these checks fail.
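The precedence rule shared by the at.deny and cron.deny checks above, as an added example that is not part of the Solaris Security Toolkit: for each account named in the deny list the function confirms that it exists in the passwd file, that it appears in the deny file, and that it does not appear in the allow file, since an allow entry overrides the deny entry. The sample passwd, at.deny and at.allow files, the account list and the function names are assumptions of this example.

```shell
# Added example, not Solaris Security Toolkit code. An account passes only
# if it exists in the passwd file, is listed in the deny file and is NOT
# listed in the allow file (allow overrides deny). The files below are
# constructed stand-ins for /etc/passwd, at.deny and at.allow.
WORK=$(mktemp -d)
cat > "$WORK/passwd" <<'EOF'
root:x:0:0:Super-User:/:/sbin/sh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
nobody:x:60001:60001:Nobody:/:
EOF
printf 'daemon\nbin\n' > "$WORK/at.deny"
printf 'bin\n' > "$WORK/at.allow"

# account_in_passwd FILE NAME: true if NAME is the first field of some line.
account_in_passwd() { cut -d: -f1 "$1" | grep -qx "$2"; }
# listed_in FILE NAME: true if FILE exists and has NAME on a line by itself.
listed_in() { [ -f "$1" ] && grep -qx "$2" "$1"; }

# check_deny_account PASSWD DENY ALLOW NAME: prints PASS/FAIL with the
# reason, returns 0 on pass and 1 on fail.
check_deny_account() {
  if ! account_in_passwd "$1" "$4"; then
    echo "FAIL: $4 does not exist in $1"; return 1
  elif ! listed_in "$2" "$4"; then
    echo "FAIL: $4 is not listed in $2"; return 1
  elif listed_in "$3" "$4"; then
    echo "FAIL: $4 is listed in $3, which overrides $2"; return 1
  fi
  echo "PASS: $4 is denied"
}

# audit_deny_list PASSWD DENY ALLOW "acct ..." (the JASS_*_DENY value):
# returns the number of failing accounts, so 0 means the check passed.
audit_deny_list() {
  failures=0
  for acct in $4; do
    check_deny_account "$1" "$2" "$3" "$acct" || failures=$((failures + 1))
  done
  return $failures
}

JASS_AT_DENY="daemon bin nobody nuucp"   # constructed, not the toolkit default
if audit_deny_list "$WORK/passwd" "$WORK/at.deny" "$WORK/at.allow" "$JASS_AT_DENY"; then
  echo "at.deny audit passed"
else
  echo "at.deny audit: $? account(s) failed"
fi
```

The same function serves the cron.deny check by passing /etc/cron.d/cron.deny and /etc/cron.d/cron.allow with the JASS_CRON_DENY list.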
Note - Use this script only for systems running Solaris OS versions 2.6 through 10.
This script determines if the cron facility is configured to increase its default size limit for log files. The check method is based on the version of the Solaris OS and the value of the JASS_CRON_LOG_SIZE variable. The size limit defined by the JASS_CRON_LOG_SIZE variable is 20480 kilobytes. A failure is displayed if the size limitation is not correct.
This script determines if any of the services listed in the JASS_SVCS_DISABLE variable are disabled in /etc/inetd.conf. This script also checks to ensure that services listed in the JASS_SVCS_ENABLE variable are enabled in the /etc/inetd.conf file. If a service is listed in both variables, then the service is left enabled by the JASS_SVCS_ENABLE variable. A failure is displayed if any of these checks fail.
The JASS_SVCS_DISABLE parameter is populated as shown in TABLE 6-2.
The JASS_SVCS_ENABLE variable is, by default, empty. Some drivers may use it, such as the suncluster3x-secure.driver.
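The inetd.conf check described above, as an added example that is not part of the Solaris Security Toolkit: a service counts as enabled when an uncommented line names it in the first field, every service in the disable list must be disabled, every service in the enable list must be enabled, and a service in both lists is expected to stay enabled. The sample inetd.conf, the service lists (not the TABLE 6-2 contents) and the function names are assumptions of this example.

```shell
# Added example, not Solaris Security Toolkit code. The inetd.conf below is a
# constructed sample of a file after a hardening run; JASS_SVCS_DISABLE and
# JASS_SVCS_ENABLE are constructed values, not the toolkit defaults.
WORK=$(mktemp -d)
cat > "$WORK/inetd.conf" <<'EOF'
# constructed sample inetd.conf
ftp     stream  tcp     nowait  root    /usr/sbin/in.ftpd       in.ftpd
#telnet stream  tcp     nowait  root    /usr/sbin/in.telnetd    in.telnetd
#finger stream  tcp     nowait  nobody  /usr/sbin/in.fingerd    in.fingerd
echo    stream  tcp     nowait  root    internal
EOF

# svc_enabled FILE NAME: true if NAME is the first field of an uncommented line.
svc_enabled() {
  awk -v svc="$2" '$0 !~ /^[[:space:]]*#/ && $1 == svc { found = 1 }
                   END { exit found ? 0 : 1 }' "$1"
}

# in_list NAME "a b c": true if NAME is one of the words in the list.
in_list() { for w in $2; do [ "$w" = "$1" ] && return 0; done; return 1; }

# audit_inetd FILE DISABLE_LIST ENABLE_LIST: prints one PASS/FAIL line per
# service and returns the number of failures (0 means the check passed).
audit_inetd() {
  failures=0
  for svc in $2; do
    in_list "$svc" "$3" && continue        # ENABLE wins; checked below
    if svc_enabled "$1" "$svc"; then
      echo "FAIL: $svc should be disabled but is enabled"; failures=$((failures + 1))
    else echo "PASS: $svc is disabled"; fi
  done
  for svc in $3; do
    if svc_enabled "$1" "$svc"; then echo "PASS: $svc is enabled"
    else echo "FAIL: $svc should be enabled but is not"; failures=$((failures + 1)); fi
  done
  return $failures
}

JASS_SVCS_DISABLE="ftp telnet finger echo"   # constructed, not TABLE 6-2
JASS_SVCS_ENABLE="ftp"                        # e.g. a driver that keeps FTP
if audit_inetd "$WORK/inetd.conf" "$JASS_SVCS_DISABLE" "$JASS_SVCS_ENABLE"; then
  echo "inetd.conf audit passed"
else
  echo "inetd.conf audit: $? check(s) failed"
fi
```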
TABLE 6-3 lists product-specific audit scripts for specific Sun products. These scripts are in the Audit directory.
New audit scripts are released periodically for new and updated Sun products. For the latest list of scripts, refer to the Security Web site:
http://www.sun.com/security/jass
Note - This script applies only to Sun Cluster 3.x systems and should not be executed on other systems.
This script determines if the /etc/nsswitch.conf file lists the cluster keyword as the first source for the host's database. A failure is displayed if this is not true.
For more information, refer to the Sun BluePrints OnLine article titled "Securing Sun Cluster 3.x Software."
For System Management Services (SMS) versions 1.2 through 1.4.1, this script verifies that the static ARP configuration files are installed on the system controllers (SCs) and domains of Sun Fire high-end systems. For system controllers, the file is /etc/sms_sc_arp. For domains, the file is /etc/sms_domain_arp.
This script checks that all existing domains have Ethernet addresses as listed in the SC static ARP startup script and corresponding data file.
For more information, refer to the Sun BluePrints OnLine articles titled "Securing the Sun Fire 12K and 15K System Controller" and "Securing the Sun Fire 12K and 15K Domains."
For SMS versions 1.2 and newer, this script determines if the /etc/opt/SUNWSMS/SMS/config/MAN.cf file exists. If it does, this script checks to ensure that all the domains listed are excluded from the I1 MAN. The script excludes all domains from the I1 MAN. If the site has altered the script to exclude only a subset of the domains, this script issues a warning about each domain that is still part of the I1 MAN.
For more information, refer to the Sun BluePrints OnLine article titled "Securing the Sun Fire 12K and 15K System Controller."
For SMS versions 1.2 through 1.4.1, this script determines if the system controller of a Sun Fire high-end system is configured based on the recommendations in the Sun BluePrints OnLine article titled "Securing the Sun Fire 12K and 15K System Controller." It indicates a failure if any of the services listed in the SMS_SVCS_DISABLE variable are enabled in /etc/inet/inetd.conf.
Copyright © 2005, Sun Microsystems, Inc. All Rights Reserved.