Solaris Security Toolkit 4.2 Release Notes
This guide contains release notes for the 4.2 release of the Solaris Security Toolkit software, also known as JumpStart Architecture and Security Scripts (JASS), and contains the following topics:
- Changes for the Solaris Security Toolkit 4.2 Release
- Solaris 10 OS Support Details
- Supported Hardware Systems
- Supported Solaris OS Versions
- Supported SMS Versions
- Solaris Security Toolkit 4.2 Known Limitations
- General Notes and Issues
- Bugs in Solaris Security Toolkit 4.2 Software
- Bugs Affecting Solaris Security Toolkit 4.2 Software
Changes for the Solaris Security Toolkit 4.2 Release
This section of the release notes describes the major changes that have been made for the Solaris Security Toolkit 4.2 software release. For more information and details about those changes, refer to the Solaris Security Toolkit 4.2 Reference Manual.
Note - The CHANGES file that was supplied with the Documentation directory in previous releases of the Solaris Security Toolkit software is no longer supplied. Instead the changes are recorded in this document.
Solaris 10 OS Support Changes
This Solaris Security Toolkit 4.2 software release provides support for the Solaris 10 Operating System (OS).
Using the Solaris Security Toolkit 4.2 software, you can harden and audit the security of systems in a similar manner as earlier versions. You can also use this release of software either in JumpStart or standalone mode, as in earlier versions.
Following are the major changes made for this release to support the Solaris 10 OS. See Solaris 10 OS Support Details for more information.
- SMF-Ready Services - provides the capability for many Solaris Security Toolkit scripts to use the Service Management Facility (SMF) services interface, the Fault Management Resource Identifiers (FMRIs), and the start and stop scripts.
- Legacy Services - provides the capability for SMF to recognize as legacy services some of the Solaris Security Toolkit scripts that are not SMF-ready.
- Zones - provides the capability to harden and audit zones in the Solaris 10 OS.
- TCP Wrappers - provides Transmission Control Protocol (TCP) Wrappers configurations for Solaris Security Toolkit drivers.
- MD5 - provides support for the Solaris 10 OS message digest 5 (MD5) algorithm through the digest -a md5 command, which renders the SUNBEmd5 package unnecessary on Solaris 10 OS systems.
- Manage Routing - provides new scripts to manage routing in the Solaris 10 OS.
- New Home Root Directory - provides a new home directory of /root for the root account instead of the standard /.
- IP Filter - provides an integrated firewall capability through integration of the freeware Internet Protocol (IP) Filter.
- BART - provides support for the Basic Audit Reporting Tool (BART), which enables you to determine file-level changes that have occurred on your systems, among other functions.
- Flexible Crypt - provides support for using several new tunables in the Solaris 10 OS, which control the algorithms used for password encryption.
- Account Locking - provides support for the Solaris 10 OS ability to lock an account after a pre-defined set of failed login attempts.
- Parameterized Password Checking - provides support for the Solaris 10 OS strict password checking.
- Password History - provides support for password safety checks that have been added to the Solaris 10 OS.
- RPC BIND - provides support for disabling or enabling the Remote Procedure Call from the Berkeley Internet Name Domain (rpcbind).
- Perl - provides support for creating Solaris Security Toolkit scripts in the Practical Extraction and Report Language (Perl) for use with the Solaris 10 OS.
- XFS - provides support for disabling or enabling the X Font Server. XFS clients connect to the server to request a font set, and the server reads the font files from the disk and serves them to the clients. The X Font Server daemon is managed by the SMF.
- GNOME - provides support for disabling or enabling support for the GNU Network Object Model Environment (GNOME) as well as the Common Desktop Environment (CDE).
Generic Changes
In addition to the changes made for this release to support the Solaris 10 OS, the following generic changes have also been made for this release:
- Relocatable Package - provides a relocatable Solaris Security Toolkit 4.2 package, so that it can be installed to whatever directory you want by using the correct options to the pkgadd command.
- Removing Backup Files - provides the capability to remove Solaris Security Toolkit backup files.
- Combining Driver Functionality - incorporates the functionality of the desktop-{secure|config|hardening}.driver, sunfire_15k_domain-{secure|config|hardening}.driver, and jumpstart-{secure|config|hardening}.driver into server-{secure|config|hardening}.driver.
- Intelligent Defaults - provides support for intelligent defaults; that is, allows the user to press Return to specify a default where feasible.
- Verbosity - supports reduced verbosity output for jass-execute and jass-check-sum commands.
- IIim - provides support for disabling and enabling the Internet-Intranet Input Method (IIim), which handles Asian input for Solaris OS software.
- Consistent Return Values and Help Output - provides consistent return values and help output for all Solaris Security Toolkit commands.
- Apache 2 - provides support for apache2.
Solaris 10 OS Support Details
The following section contains some further details of Solaris 10 OS support changes in this release.
New Framework Functions for Solaris Security Toolkit 4.2 Release
The following functions are new in this release and can be used only on systems running the Solaris 10 OS. Functions are explained in Chapter 2 of the Solaris Security Toolkit 4.2 Reference Manual.
These common log functions were added to Solaris Security Toolkit 4.2 software:
- logNotGlobalZone
- logScore
- logScriptFailure
- logServiceDisabled and logServiceEnabled
- logServiceInstalled and logServiceNotInstalled
- logServiceOptionDisabled and logServiceOptionEnabled
- logServiceProcessList
- logServicePropDisabled and logServicePropEnabled
- logServiceRunning and logServiceNotRunning
- logUserLocked and logUserNotLocked
- logUndoBackupWarning
These common miscellaneous functions were added to Solaris Security Toolkit 4.2 software:
- get_driver_report
- get_lists_conjunction
- get_lists_disjunction
These public driver functions were created to support SMF in the Solaris Security Toolkit 4.2 framework:
- add_option_to_ftpd_property
- change_group
- change_mode
- change_owner
- check_serviceDisabled
- check_serviceEnabled
- check_serviceInstalled
- check_serviceNotInstalled
- check_serviceNotRunning
- check_serviceOptionEnabled
- check_servicePropDisabled
- check_serviceRunning
- check_serviceOptionDisabled
- check_userLocked
- check_userNotLocked
- convert_inetd_service_to_fmri
- disable_service
- enable_service
- is_service_enabled
- is_service_installed
- is_service_running
- is_user_account_extant
- is_user_account_locked
- is_user_account_login_not_set
- lock_user_account
- make_link
- set_service_property_value
- set_stored_keyword_val
- unlock_user_account
- update_inetcon_in_upgrade
New Scripts for Solaris Security Toolkit 4.2 Release
Following are the new finish and audit scripts for the Solaris Security Toolkit 4.2 release. The functions of finish (.fin) scripts are explained in Chapter 5 of the Solaris Security Toolkit 4.2 Reference Manual, and the functions of audit (.aud) scripts are explained in Chapter 6 of the Solaris Security Toolkit 4.2 Reference Manual.
- disable-apache2.{fin|aud}
- disable-appserv.{fin|aud}
- disable-IIim.{fin|aud}
- disable-routing.{fin|aud}
- enable-account-lockout.{fin|aud}
- enable-bart.{fin|aud}
- enable-ipfilter.{fin|aud}
- enable-password-history.{fin|aud}
- set-root-home-dir.{fin|aud}
- set-strict-password-checks.{fin|aud}
Scripts Not Used for Solaris 10 OS
TABLE 1 lists the Solaris Security Toolkit scripts that are not used when you are hardening the Solaris 10 OS.
TABLE 1 Solaris Security Toolkit Scripts Not Used for Solaris 10 OS
Script Name                  Applicable Operating System
disable-ab2                  Solaris 2.5.1 through 8
disable-aspp                 Solaris 2.5.1 through 8
disable-picld                Solaris 8 and 9
install-fix-modes            Solaris 2.5.1 through 9
install-newaliases           Solaris 2.5.1 through 8
install-openssh              Solaris 2.5.1 through 8
install-sadmind-options      Solaris 2.5.1 through 9
install-strong-permissions   Solaris 2.5.1 through 9
remove-unneeded-accounts     Solaris 2.5.1 through 9
New Environment Variables for Solaris Security Toolkit 4.2 Release
This section lists the framework and script behavior environment variables that are new in this release and can be used only on systems running the Solaris 10 OS. The functions of environment variables are explained in Chapter 7 of the Solaris Security Toolkit 4.2 Reference Manual.
New Framework Variables
- JASS_DISPLAY_HOST_LENGTH
- JASS_DISPLAY_SCRIPT_LENGTH
- JASS_DISPLAY_TIME_LENGTH
- JASS_FILE_COPY_KEYWORD
- JASS_ROOT_HOME_DIR
- JASS_RUN_CLEAN_LOG
- JASS_RUN_VALUES
- JASS_SAVED_BACKUP
- JASS_SCRIPT
- JASS_SCRIPT_FAIL_LOG
- JASS_SCRIPT_NOTE_LOG
- JASS_SCRIPT_WARN_LOG
- JASS_UNDO_TYPE
New Script Behavior Variables
- JASS_CRYPT_ALGORITHMS_ALLOW
- JASS_CRYPT_ALGORITHMS_DEFAULT
- JASS_CRYPT_DEFAULT
- JASS_CRYPT_FORCE_EXPIRE
- JASS_PASS_DICTIONLIST
- JASS_PASS_DICTIONDBDIR
- JASS_PASS_HISTORY
- JASS_PASS_MAX_REPEATS
- JASS_PASS_MIN_ALPHA
- JASS_PASS_MINDIFF
- JASS_PASS_MINDIGIT
- JASS_PASS_MINLOWER
- JASS_PASS_MINNONALPHA
- JASS_PASS_MINSPECIAL
- JASS_PASS_MINUPPER
- JASS_PASS_NAMECHECK
- JASS_PASS_WHITESPACE
- JASS_ZONE_NAME
Environment Variables Not Used for Solaris 10 OS
The following environment variables are not used for the Solaris 10 OS:
- JASS_ISA_CAPABILITY (removed from Solaris Security Toolkit 4.2 software)
- JASS_DISABLE_MODE
Functions Removed from Solaris Security Toolkit 4.2 Release
The files and scripts relating to the following functions have been removed from the Solaris Security Toolkit 4.2 software as they are no longer needed:
- Installing the misc/klmmod kernel module on domains for Sun Fire high-end systems
- Installing the Sun ONE Web Server
- sunfire_mf_msp-{secure|config|hardening}.driver
- 32-bit functionality
- Sun Enterprise 1000 (Starfire), as the product is now at end of life.
rpcbind Automatically Disabled
The secure.driver and the sunfire-15k_sc-secure.driver in the Solaris Security Toolkit 4.2 software disable rpcbind, as previous versions of the toolkit have done. However, in the Solaris 10 OS there are services that depend on rpcbind, such as Network Information Services (NIS), the Network File System (NFS), and window managers such as the Common Desktop Environment (CDE) and the GNU Network Object Model Environment (GNOME). By default, the configuration of the secure.driver and the sunfire-15k_sc-secure.driver disables these services, so you must enable rpcbind to use them.
Note - The server-secure.driver and the suncluster3x-secure.driver do not disable rpcbind.
To Enable rpcbind
1. Unharden the system.
2. Copy and rename the secure.driver and hardening.driver to new-secure.driver and new-hardening.driver, where new-secure.driver is the name you choose for your new customized secure.driver, and new-hardening.driver is the name you choose for your new customized hardening.driver.
3. Edit new-secure.driver to replace the reference to hardening.driver with new-hardening.driver.
4. Comment out the disable-rpc.fin script from new-hardening.driver.
5. Re-run hardening with your customized copy drivers by running the Solaris Security Toolkit with new-secure.driver.
6. Reboot the system.
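Steps 2 through 4 above can be automated with a few lines of shell. The following is an added example, not a script shipped with the Solaris Security Toolkit; the secure.driver and hardening.driver contents it creates are constructed, simplified stand-ins (a driver that sources hardening.driver, and a JASS_SCRIPTS list containing disable-rpc.fin) so that the example runs offline, and the function names make_sample_drivers, make_custom_drivers and verify_custom_drivers are the example's own.

```shell
#!/bin/sh
# Added example: build new-secure.driver and new-hardening.driver that leave
# rpcbind enabled, following the "To Enable rpcbind" steps. Run it against a
# copy of your Drivers directory, never against the only copy.

# Constructed, simplified sample drivers (not the real toolkit files), used
# only so the example can run stand-alone in a scratch directory.
make_sample_drivers() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/secure.driver" <<'EOF'
DIR="`/bin/dirname $0`"
export DIR
. ${DIR}/driver.init
. ${DIR}/config.driver
. ${DIR}/hardening.driver
EOF
    cat > "$dir/hardening.driver" <<'EOF'
JASS_SCRIPTS="
    disable-nfs-server.fin
    disable-rpc.fin
    disable-sendmail.fin
"
EOF
}

# Steps 2-4: write the renamed copies, point new-secure.driver at
# new-hardening.driver, and comment out the disable-rpc.fin entry.
# Only an uncommented disable-rpc.fin line is touched; leading whitespace
# is preserved so the JASS_SCRIPTS list keeps its layout.
make_custom_drivers() {
    dir="$1"
    sed 's#/hardening\.driver#/new-hardening.driver#' \
        "$dir/secure.driver" > "$dir/new-secure.driver"
    sed 's/^\([[:space:]]*\)\(disable-rpc\.fin\)/\1# \2/' \
        "$dir/hardening.driver" > "$dir/new-hardening.driver"
}

# Check the result before re-running hardening (step 5): new-secure.driver
# must source new-hardening.driver, and disable-rpc.fin must survive in
# new-hardening.driver only as a comment. Returns 0 on success, 1 otherwise.
verify_custom_drivers() {
    dir="$1"
    grep -q '/new-hardening\.driver' "$dir/new-secure.driver" || return 1
    grep -q '^[[:space:]]*disable-rpc\.fin' "$dir/new-hardening.driver" && return 1
    grep -q '^[[:space:]]*#[[:space:]]*disable-rpc\.fin' "$dir/new-hardening.driver" || return 1
    return 0
}

# Stand-alone demo in a scratch directory with the constructed drivers.
demo_dir=$(mktemp -d)
make_sample_drivers "$demo_dir"
make_custom_drivers "$demo_dir"
if verify_custom_drivers "$demo_dir"; then
    echo "custom drivers written to $demo_dir (rpcbind left enabled)"
fi
```

On a real system, call make_custom_drivers with the toolkit's Drivers directory and then run jass-execute with new-secure.driver as in step 5.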
Caution - After enabling the rpcbind service, additional services may be started automatically and their corresponding ports opened. The Solaris Security Toolkit audit flags these additional services as failures.
Supported Hardware Systems
Solaris Security Toolkit 4.2 software supports SPARC®, 64-bit only, and x86 systems.
Supported Solaris OS Versions
Sun support for Solaris Security Toolkit software is available only for its use in the Solaris 8, Solaris 9, and Solaris 10 Operating Systems.
Note - For Solaris Security Toolkit 4.2 software, the Solaris 10 OS can be used only on Sun Fire high-end systems domains, not on the system controller (SC).
While the software can be used in the Solaris 2.5.1, Solaris 2.6, and Solaris 7 Operating Systems, Sun support is not available for its use in those operating systems.
The Solaris Security Toolkit software automatically detects which version of the Solaris Operating System software is installed, then runs tasks appropriate for that operating system version.
You will note in examples provided throughout this document that when a script checks for a version of the OS, it checks for 5.x, the SunOS versions, instead of 2.x, 7, 8, 9, or 10, the Solaris OS versions. TABLE 2 shows the correlation between SunOS and Solaris OS versions.
TABLE 2 Correlation Between SunOS and Solaris OS Versions
SunOS Version   Solaris OS Version
5.5.1           2.5.1
5.6             2.6
5.7             7
5.8             8
5.9             9
5.10            10
Supported SMS Versions
If you are using System Management Services (SMS) to run the system controller (SC) on your Sun Fire high-end systems, then Solaris Security Toolkit 4.2 software is supported on all Solaris 8 and 9 OS versions when used with SMS versions 1.4, 1.4.1, and 1.5. No version of SMS is supported on Solaris 10 OS with Solaris Security Toolkit 4.2 software.
Note - For Solaris Security Toolkit 4.2 software, the Solaris 10 OS can be used only on domains, not on the system controller (SC).
Solaris Security Toolkit 4.2 Known Limitations
This section contains known limitations for the Solaris Security Toolkit 4.2 software:
- While the Solaris Security Toolkit 4.2 software maintains its functionality for disabling system accounts (see the finish script disable-system-accounts.fin), it no longer modifies the system to record login attempts to those disabled accounts.
General Notes and Issues
This section contains general notes and issues that involve the Solaris Security Toolkit 4.2 software.
Release Distributed Only in Package Format
The Solaris Security Toolkit 4.2 release is distributed only in package format.
SUNWjass and JASScustm Packages Are Now Relocatable
As of this Solaris Security Toolkit 4.2 release, the SUNWjass and JASScustm packages are relocatable, making them consistent with Sun's packaging standards. You can relocate these packages using the pkgadd(1M) -R command.
Solaris Security Toolkit and CTRL-C
Performing a CTRL-C during Solaris Security Toolkit hardening and undo operations could result in an inconsistent system state. Hardening operations should be allowed to complete and then a subsequent undo operation performed instead of interrupting the hardening operation. Do not use CTRL-C for error handling or to interrupt a toolkit run. Wait until the operation has finished and then re-perform hardening or undo operations.
Bugs in Solaris Security Toolkit 4.2 Software
This section summarizes the bugs that you might encounter that have not been fixed in the Solaris Security Toolkit 4.2 software.
When Using NIS, Multiple Reboots Might Result in Audit Errors (Bug ID 6222181)
rpcbind is disabled by default in the secure.driver. If you are using NIS, there are circumstances where rebooting the system leaves all the services that are normally started by inetd in an uninitialized state and legacy services do not work. This shows in the Solaris Security Toolkit as a discrepancy between audit results from before and after a reboot, in services started by inetd.
This bug will be fixed by the Solaris 10 OS Bug ID 6223370. See the description of this bug in "Bugs Affecting Solaris Security Toolkit 4.2 Software."
Workarounds:
- If you want to use NIS, enable rpcbind and reboot. Refer to Chapter 1 of the Solaris Security Toolkit 4.2 Reference Manual.
- If you do not want to use NIS, disable NIS. (Refer to the Solaris 10 OS naming service document for how to disable NIS.)
Multiple Reboots Result in Uninitialized svcs and Audit Fail on nddconfig (Bug ID 6284872)
Multiple reboots after hardening result in svcs being uninitialized, and the audit to fail on nddconfig. In other words, the nddconfig audit will not contain zero errors after the system reboots multiple times.
The problem is that milestone/name-services is not able to come online with rpcbind disabled and the system configured to use NIS. Because of this, the /etc/rc2.d scripts (svc:/milestone/multi-user:default) do not run, and so the nddconfig script does not run.
This bug will be fixed by the Solaris 10 OS Bug ID 6223370.
Workarounds:
- If you want to use NIS, enable rpcbind and reboot. Refer to Chapter 1 of the Solaris Security Toolkit 4.2 Reference Manual.
- If you do not want to use NIS, disable NIS. Refer to the Solaris 10 OS naming service document for how to disable NIS.
Bugs Affecting Solaris Security Toolkit 4.2 Software
This section summarizes the bugs that you might encounter that have not been fixed in other software that affects the Solaris Security Toolkit.
Parameter for ip6_send_redirects Might Be Different Between Audits (Bug ID 6222001)
This Solaris 10 OS bug could affect your operation of Solaris Security Toolkit 4.2 software. Sometimes you might see a different parameter for ip6_send_redirects between audits, where it should be the same. For example, you might audit a system that has not been hardened (Audit #1). Then you harden the system, reboot, undo the hardening, and reboot. You audit the system again (Audit #2).
You would expect to see identical audit results except for the timestamp. However, sometimes, you might see a difference in the ip6_send_redirects parameter in the nddconfig file between the first and second audit. In the first audit, the message says the check failed because the parameter is not 0. In the second audit, the message says the check passed because the parameter is 0, which is the correct response.
Workaround: None
/etc/motd Should Be Installed as a Volatile File (Bug ID 6222495)
This Solaris 10 OS bug could affect your operation of Solaris Security Toolkit 4.2 software. The file /etc/motd is delivered by the SUNWcsr package with a file type of f. The Solaris Security Toolkit 4.2 drivers replace this file, which can lead to errors and warnings when installing zones and packages within zones.
Workarounds:
You can do one of the following:
- Remove the file from the JASS_FILES list, so it is not installed.
- Modify the file type to v to remove this error.
svc.startd Misses Edge Case for optional_all (Bug ID 6223370)
If you disable rpcbind and reboot, milestone/name-services does not come online, which might cause inetd and other services not to come online. For several ways this Solaris 10 OS bug could affect your operation of Solaris Security Toolkit 4.2 software, see the descriptions of Bug ID 6284872 and Bug ID 6222181.
Workarounds:
- If you want to use NIS, enable rpcbind and reboot. Refer to Chapter 1 in the Solaris Security Toolkit 4.2 Reference Manual.
- If you do not want to use NIS, disable NIS. Refer to the Solaris 10 OS naming service document for how to disable NIS.
819-1504-10
Copyright © 2005, Sun Microsystems, Inc. All Rights Reserved.