C H A P T E R 6 - Auditing System Security

This chapter describes how to audit (validate) a system's security using the Solaris Security Toolkit software. Use the information and procedures in this chapter for maintaining an established security profile after hardening. For systems that are already deployed, you might want to use the information in this chapter to assess security before hardening.

Maintaining Security

Maintaining security is an ongoing process that must be reviewed and revisited periodically. Maintaining a secure system requires vigilance, because the default security configuration for any system tends to become increasingly open over time. (For more information about maintaining security, see Maintaining System Security.)

Solaris Security Toolkit provides an automated method to audit the security posture of a system, by determining its level of compliance with a specified security profile.

Audit the security posture of your systems periodically, either manually or automatically (for example, via a cron job or an rc script). For example, after hardening a new installation, execute the Solaris Security Toolkit software audit command (jass-execute -a driver-name) five days later to determine if the system security has changed from the state defined by the security profile.

How often you audit security depends on your security policy and the criticality of the environment. Some users run an audit every hour, every day, or only once a month. Other users run a mini-scan (limited number of checks) every hour, and a full scan (with all the possible checks) once a day. Your security posture should definitely be checked after every system reboot in addition to other audits you do routinely.

Audit all essential components to maintain the security posture of deployed systems. If your security posture is not periodically audited, then configurations often drift over time due to entropy or modifications that unknowingly or maliciously change the desired security posture. Without periodic review, these changes go undetected and corrective measures are not taken. The result is a system that becomes less secure and more vulnerable.

In addition to periodic audits, perform audits after upgrades, patch installations, and other significant system configuration changes.

Reviewing Security Prior to Hardening

In some cases, you might find it useful to review the security posture on deployed systems before hardening them. For example, if you assume responsibility for deployed systems that another person administrated, inspect the state of the systems so that you know their posture and, if necessary, can bring them into compliance with the same security profiles used on your other systems.

Customizing Security Audits

The audit option provides a highly flexible and extensible mechanism for evaluating the state of a system. As with hardening scripts, you can customize the actions of audit scripts. For example, you can customize environment variables, customize framework and helper functions, add new checks, and add functionality to the audit framework.

Most users find that the standard and product-specific audit scripts are suitable as templates from which to customize auditing for their environments. For this scenario, customize audit script actions through drivers, finish scripts, environment variables, and file templates. These custom changes can be made with little effort and without modifying the code. Whatever changes you make for hardening are automatically known by the Solaris Security Toolkit software when you perform auditing.

Some users need to create entirely new proprietary, or site-specific, drivers and scripts. Use the templates and samples as guidelines when coding the new drivers and scripts. Be advised that site-specific drivers, finish scripts, variables, and functions are not automatically known to the Solaris Security Toolkit software when you use the audit option. For example, if you add a site-specific driver named abcc-nj-secure.driver that contains a site-specific finish script, abcc-nj-install-foo.fin, then you need to create a site-specific audit script, abcc-nj-install-foo.aud. Similarly, if you start with only the audit script, you should create the matching finish script.

Occasionally, users find it necessary to add checks or functionality that the Solaris Security Toolkit software does not provide. For this scenario, add the checks or new functionality to the audit script. (You might want to make related changes in the corresponding finish script.) Use extreme care when performing code additions and modifications through the user.run file to avoid introducing bugs and failures.

To customize or create new drivers, scripts, variables, and functions, refer to the Solaris Security Toolkit 4.2 Reference Manual.

For example, you might need to add a patch that the Solaris Security Toolkit software does not install. You can extend one of the standard or product-specific templates, or you can create your own. If you create your own templates, create a finish script to add the patch, then create the corresponding audit script to check for the patch installation.If you use existing finish (.fin) and audit (.aud) scripts as your templates, you must copy both the scripts to new and uniquely named files.

Preparing to Audit Security

To use the instructions and guidelines in this chapter, you need a security profile. For information about developing and implementing a security profile, see Chapter 2.

A variety of security profiles are included with the Solaris Security Toolkit distribution as drivers. As mentioned earlier in this book, the default security profiles and changes made by them might not be appropriate for your systems. Typically, the security profiles implemented are "high-water" marks for security. By this, we mean that they disable services that are not required, and they enable optional security features disabled by the secure.driver.

Many Solaris Security Toolkit software users find that the standard and product-specific security profiles are acceptable for their environments. If this applies to your situation, then determine which security profile is closest to the security posture you want, and use it for both assessing and hardening your systems.

Review and customize the security profile templates for your environment, or develop new ones. Techniques and guidelines for customizing security profiles are provided in the Solaris Security Toolkit 4.2 Reference Manual. This approach provides a security posture tailored for your organization, and it minimizes the number of false errors returned during a security assessment. For example, if you know that Telnet needs to be enabled, you can customize the security profile so that when performing a security assessment, the software does not consider Telnet a vulnerability. Thus, a site using Telnet with Kerberos, for authentication and encryption, would not consider the use of Telnet a vulnerability.

Using Options and Controlling Audit Output

This section describes the options available for executing an audit run and the options for controlling output. This section contains the following topics:

Command-Line Options

The following command-line synopsis shows how to audit a system against a security profile:

# jass-execute -a driver [ -V [0-4]] [ -q | -o output_file ] [ -m e-mail_address ]

When executing the Solaris Security Toolkit software audit command, you can use the options listed in TABLE 6-1.

TABLE 6-1 Using Command-Line Options With the Audit Command
Option	Description
`-a` driver	Determines if a system is in compliance with its security profile.
`-m` e-mail_address	Specifies an email address for in-house support.
`-o` output_file	Specifies a file name for Solaris Security Toolkit run output.
`-q`	Specifies quiet mode. Messages are not displayed while running this command. Output is stored in `JASS_REPOSITORY/`.
`-V` verbosity_level	Specifies the verbosity level (`0`-`4`) for an audit run.

For detailed information about the options available with jass-execute -a command, see the following sections:

Display Help Option

The -h option displays the jass-execute help message, which provides an overview of the available options.

CODE EXAMPLE 6-1 Sample `-h` Option Output
# `./jass-execute -h` To apply this Toolkit to a system, using the syntax: jass-execute [-r root_directory -p os_version ] [ -q \| -o output_file ] [ -m e-mail_address ] [ -V [3\|4] ] [ -d ] driver To undo a previous application of the Toolkit from a system: jass-execute -u [ -b \| -f \| -k ] [ -q \| -o output_file ] [ -m e-mail_address ] [ -V [3\|4] ] To audit a system against a pre-defined profile: jass-execute -a driver [ -V [0-4] ] [ -q \| -o output_file ] [ -m e-mail_address ] To display the history of Toolkit applications on a system: jass-execute -H To display the last application of the Toolkit on a system: jass-execute -l To display this help message: jass-execute -h jass-execute -? To display version information for this program: jass-execute -v

CODE EXAMPLE 6-1 Sample -h Option Output

# ./jass-execute -h

To apply this Toolkit to a system, using the syntax:

  jass-execute [-r root_directory -p os_version ]

  [ -q | -o output_file ] [ -m e-mail_address ]

  [ -V [3|4] ] [ -d ] driver

To undo a previous application of the Toolkit from a system:

  jass-execute -u [ -b | -f | -k ] [ -q | -o output_file ]

     [ -m e-mail_address ] [ -V [3|4] ]

To audit a system against a pre-defined profile:

  jass-execute -a driver [ -V [0-4] ] [ -q | -o output_file ]

     [ -m e-mail_address ]

To display the history of Toolkit applications on a system:

  jass-execute -H

To display the last application of the Toolkit on a system:

  jass-execute -l

To display this help message:

  jass-execute -h

  jass-execute -?

To display version information for this program:

  jass-execute -v

Email Notification Option

The -m email-address option provides a mechanism by which output can be emailed automatically by the Solaris Security Toolkit software when the run completes. The email report is in addition to any logs generated on the system using other options.

A Solaris Security Toolkit run calling sunfire_15k_sc-config.driver using the email option would be similar to the following:

# ./jass-execute -m root -a sunfire_15k_sc-config.driver

[...]

Output File Option

The -o output-file option redirects the console output of jass-execute runs to a separate file, output-file.

This option has no effect on the logs kept in the JASS_REPOSITORY directory. This option is particularly helpful when performed over a slow terminal connection, because there is a significant amount of output generated by a Solaris Security Toolkit run.

CODE EXAMPLE 6-2 Sample `-o` Option Output
# `./jass-execute -o jass-output.txt -a secure.driver` [NOTE] Executing driver, secure.driver [NOTE] Recording output to jass-output.txt #

Quiet Option

The -q option disables Solaris Security Toolkit output to a standard input/output (stdio) stream during a hardening run.

This option has no effect on the logs kept in the JASS_REPOSITORY directory. Similar to the -o option, this option is particularly helpful when running the Solaris Security Toolkit software through a cron job or over slow network connections.

CODE EXAMPLE 6-3 Sample `-q` Option Output
# `./jass-execute -q -a secure.driver` [NOTE] Executing driver, secure.driver

Verbosity Option

The -V option specifies the verbosity level for an audit run. This option is only available for auditing. Verbosity levels provide a highly flexible way of displaying the results of an audit run. For example, if you have 100 machines to audit, you might want to limit the output to a single line for each machine to simply determine which machines pass or fail. Then, for the machines that fail, you might want to run an audit that produces expanded output, to focus on the problem areas.

The five verbosity levels (0 through 4) are controlled by the -V option. Each incremental level provides additional detail that you can use to more fully understand which checks are passing and which are failing. TABLE 6-2 describes the verbosity levels.

TABLE 6-2 Audit Verbosity Levels
Level	Output
0	Single line indicating pass or fail.
1	For each script, a single line indicating pass or fail, and one grand total score line below all the script lines.
2	For each script, provides results of all checks.
3	Multiple lines providing full output, including banner and header messages. This is the default.
4	Multiple lines (all data provided from level 3) plus all entries that are generated by the `logDebug` logging function. This level is for debugging.

For complete descriptions of the audit verbosity levels, refer to the jass-execute man page or "JASS_VERBOSITY" in Chapter 7 of the Solaris Security Toolkit 4.2 Reference Manual.

Banners and Messages Output

You can configure the Solaris Security Toolkit audit option to report or omit banners and messages. The JASS_LOG_BANNER variable cannot be used with verbosity levels 0 through 2. These output options apply to verbosity levels 3 and 4. For example, you might want to eliminate pass messages (JASS_LOG_SUCCESS variable) from the output so you can report and focus only on fail messages (JASS_LOG_FAILURE variable).

TABLE 6-3 lists the banners and messages that you can control through logging variables. (For detailed information about logging variables, refer to "JASS_LOG_BANNER" in Chapter 7 of the Solaris Security Toolkit 4.2 Reference Manual. For more information about verbosity levels, refer to the jass-execute man page or "JASS_VERBOSITY" in Chapter 7 of the Solaris Security Toolkit 4.2 Reference Manual.) If the logging variable is set to 0, then no output is generated for messages of that type. Conversely, if the logging variable is set to 1, then messages are displayed. The default action for each of these variables is to display the output. TABLE 6-3 describes the logging variables.

TABLE 6-3 Displaying Banners and Messages in Audit Output
Logging Variable	Log Prefix	Description
`JASS_LOG_BANNER`	All Banner Output	This parameter controls the display of banner messages. These messages are usually surrounded by separators containing either equal sign (=) or hyphen (-) characters.
`JASS_LOG_ERROR`	`[ERR]`	This parameter controls the display of error messages. If set to `0`, no error messages are generated.
`JASS_LOG_FAILURE`	`[FAIL]`	This parameter controls the display of failure messages. If set to `0`, no failure messages are generated.
`JASS_LOG_NOTICE`	`[NOTE]`	This parameter controls the display of notice messages. If set to `0`, no notice messages are generated.
`JASS_LOG_SUCCESS`	[PASS]	This parameter controls the display of success or passing status messages. If set to `0`, no success messages are generated.
`JASS_LOG_SUMMARY`	`[SUMMARY]`	This parameter controls the display of summary messages. If set to `0`, no summary messages are displayed.
`JASS_LOG_WARNING`	`[WARN]`	This parameter controls the display of warning messages. If set to `0`, no warning messages are generated.

Using these options is very useful when you need to view specific messages only. By setting these options, you can minimize output, yet still focus on areas you deem critical. For example, by setting all logging variables to 0 except for JASS_LOG_FAILURE (leave it at the default of 1), the audit reports only on failures generated by the logFailure function.

CODE EXAMPLE 6-4 Sample Output of Reporting Only Audit Failures
`#` `JASS_LOG_FAILURE=1` # `export JASS_LOG_FAILURE` # `JASS_LOG_BANNER=0` # `JASS_LOG_ERROR=0` # `JASS_LOG_NOTICE=0` # `JASS_LOG_SUCCESS=0` # `JASS_LOG_SUMMARY=0` # `JASS_LOG_WARNING=0` # `export JASS_LOG_BANNER JASS_LOG_ERROR` # `export JASS_LOG_NOTICE JASS_LOG_SUCCESS` # `export JASS_LOG_WARNING` # `bin/jass-execute -a abc.driver -V2` update-at-deny [FAIL] User adm is not listed in /etc/cron.d/at.deny. update-at-deny [FAIL] User zz999999 is not listed in /etc/cron.d/at.deny. update-at-deny [FAIL] User gdm is not listed in /etc/cron.d/at.deny. update-at-deny [FAIL] User lp is not listed in /etc/cron.d/at.deny. update-at-deny [FAIL] User nobody4 is not listed in /etc/cron.d/at.deny. update-at-deny [FAIL] User root is not listed in /etc/cron.d/at.deny. update-at-deny [FAIL] User smmsp is not listed in /etc/cron.d/at.deny. update-at-deny [FAIL] User sys is not listed in /etc/cron.d/at.deny. update-at-deny [FAIL] User uucp is not listed in /etc/cron.d/at.deny. update-at-deny [FAIL] User webservd is not listed in /etc/cron.d/at.deny. update-at-deny [FAIL] Script Total: 10 Errors update-inetd-conf [FAIL] Service svc:/network/telnet:default was enabled. update-inetd-conf [FAIL] Service svc:/network/ftp:default was enabled. update-inetd-conf [FAIL] Service svc:/network/finger:default was enabled. update-inetd-conf [FAIL] Service svc:/network/login:rlogin was enabled. update-inetd-conf [FAIL] Service svc:/network/shell:default was enabled. update-inetd-conf [FAIL] Service svc:/network/login:eklogin was enabled. update-inetd-conf [FAIL] Service svc:/network/login:klogin was enabled. update-inetd-conf [FAIL] Service svc:/network/shell:kshell was enabled. update-inetd-conf [FAIL] Service svc:/application/font/stfsloader:default was enabled. update-inetd-conf [FAIL] Service svc:/network/security/ktkt_warn:default was enabled. update-inetd-conf [FAIL] Service svc:/network/rpc/smserver:default was enabled. update-inetd-conf [FAIL] Service svc:/network/rpc/rstat:default was enabled. update-inetd-conf [FAIL] Service svc:/network/rpc/rusers:default was enabled. update-inetd-conf [FAIL] Service svc:/network/nfs/rquota:default was enabled. update-inetd-conf [FAIL] Service svc:/network/rpc/gss:default was enabled. update-inetd-conf [FAIL] Service 100235 is enabled in /etc/inet/inetd.conf. update-inetd-conf [FAIL] Service 100083 is enabled in /etc/inet/inetd.conf. update-inetd-conf [FAIL] Service 100068 is enabled in /etc/inet/inetd.conf. update-inetd-conf [FAIL] Script Total: 18 Errors abc.driver [FAIL] Driver Total: 28 Errors abc.driver [FAIL] Grand Total: 28 Errors #

CODE EXAMPLE 6-4 Sample Output of Reporting Only Audit Failures

# JASS_LOG_FAILURE=1

# export JASS_LOG_FAILURE

# JASS_LOG_BANNER=0

# JASS_LOG_ERROR=0

# JASS_LOG_NOTICE=0

# JASS_LOG_SUCCESS=0

# JASS_LOG_SUMMARY=0

# JASS_LOG_WARNING=0

# export JASS_LOG_BANNER JASS_LOG_ERROR

# export JASS_LOG_NOTICE JASS_LOG_SUCCESS

# export JASS_LOG_WARNING

# bin/jass-execute -a abc.driver -V2

update-at-deny     [FAIL] User adm is not listed in /etc/cron.d/at.deny.

update-at-deny     [FAIL] User zz999999 is not listed in /etc/cron.d/at.deny.

update-at-deny     [FAIL] User gdm is not listed in /etc/cron.d/at.deny.

update-at-deny     [FAIL] User lp is not listed in /etc/cron.d/at.deny.

update-at-deny     [FAIL] User nobody4 is not listed in /etc/cron.d/at.deny.

update-at-deny     [FAIL] User root is not listed in /etc/cron.d/at.deny.

update-at-deny     [FAIL] User smmsp is not listed in /etc/cron.d/at.deny.

update-at-deny     [FAIL] User sys is not listed in /etc/cron.d/at.deny.

update-at-deny     [FAIL] User uucp is not listed in /etc/cron.d/at.deny.

update-at-deny     [FAIL] User webservd is not listed in /etc/cron.d/at.deny.

update-at-deny     [FAIL] Script Total: 10 Errors

update-inetd-conf  [FAIL] Service svc:/network/telnet:default was enabled.

update-inetd-conf  [FAIL] Service svc:/network/ftp:default was enabled.

update-inetd-conf  [FAIL] Service svc:/network/finger:default was enabled.

update-inetd-conf  [FAIL] Service svc:/network/login:rlogin was enabled.

update-inetd-conf  [FAIL] Service svc:/network/shell:default was enabled.

update-inetd-conf  [FAIL] Service svc:/network/login:eklogin was enabled.

update-inetd-conf  [FAIL] Service svc:/network/login:klogin was enabled.

update-inetd-conf  [FAIL] Service svc:/network/shell:kshell was enabled.

update-inetd-conf  [FAIL] Service svc:/application/font/stfsloader:default was enabled.

update-inetd-conf  [FAIL] Service svc:/network/security/ktkt_warn:default was enabled.

update-inetd-conf  [FAIL] Service svc:/network/rpc/smserver:default was enabled.

update-inetd-conf  [FAIL] Service svc:/network/rpc/rstat:default was enabled.

update-inetd-conf  [FAIL] Service svc:/network/rpc/rusers:default was enabled.

update-inetd-conf  [FAIL] Service svc:/network/nfs/rquota:default was enabled.

update-inetd-conf  [FAIL] Service svc:/network/rpc/gss:default was enabled.

update-inetd-conf  [FAIL] Service 100235 is enabled in /etc/inet/inetd.conf.

update-inetd-conf  [FAIL] Service 100083 is enabled in /etc/inet/inetd.conf.

update-inetd-conf  [FAIL] Service 100068 is enabled in /etc/inet/inetd.conf.

update-inetd-conf  [FAIL] Script Total: 18 Errors

abc.driver         [FAIL] Driver Total: 28 Errors

abc.driver         [FAIL] Grand Total: 28 Errors

Host Name, Script Name, and Timestamp Output

You can configure the Solaris Security Toolkit audit option to include host name, script name, and timestamp information for verbosity levels 0 through 2. For example, if you have many machines to audit, you might want to be able to sort the output by host name, script name, or timestamp. TABLE 6-4 lists the variables.

TABLE 6-4 Displaying Host Name, Script Name, and Timestamp Audit Output
Variable Name	Variable Description
`JASS_DISPLAY_HOSTNAME`	Setting this parameter to 1 causes the Solaris Security Toolkit software to prepend each log entry with the host name of the system. This information is based on the JASS_HOSTNAME parameter. By default, this parameter is empty, so the Toolkit does not display this information.
`JASS_DISPLAY_SCRIPTNAME`	By default, this parameter is set to 1, so the Solaris Security Toolkit software prepends each log entry with the name of the audit script currently being run. Setting this parameter to any other value causes the Toolkit to not display this information.
`JASS_DISPLAY_TIMESTAMP`	Setting this parameter to 1 causes the Solaris Security Toolkit software to prepend each log entry with the timestamp associated with the audit run. This information is based on the JASS_TIMESTAMP parameter. By default, this parameter is empty, so the software does not display this information.

By configuring the Solaris Security Toolkit software to prepend host, script, and timestamp information, you can combine many runs from either a single system or group of systems and sort them based on the key data. You can use the information to look for problems that span several systems or that are symptomatic of deployment processes. For example, using the information in this way, an administrator can tell if every system built using a given process always has the same failed checks.

By setting the JASS_DISPLAY_TIMESTAMP parameter to 1 and setting the JASS_DISPLAY_SCRIPTNAME value at 0, output similar to the following is generated.

CODE EXAMPLE 6-5 Sample Output of Auditing Log Entries
# `JASS_DISPLAY_TIMESTAMP=1` # `JASS_DISPLAY_SCRIPTNAME=0` # `export JASS_DISPLAY_TIMESTAMP JASS_DISPLAY_SCRIPTNAME` # `bin/jass-execute -a abc.driver -V2` 20050716132908 [FAIL] User adm is not listed in /etc/cron.d/at.deny. 20050716132908 [PASS] User bin is listed in /etc/cron.d/at.deny. 20050716132908 [FAIL] User zz999999 is not listed in /etc/cron.d/at.deny. ... ... ... 20050716132908 [FAIL] Script Total: 18 Errors 20050716132908 [FAIL] Driver Total: 28 Errors 20050716132908 [FAIL] Grand Total: 28 Errors 20050716132908 [SUMMARY] Results Summary for AUDIT run of dan.driver 20050716132908 [SUMMARY] The run completed with a total of 2 scripts run. 20050716132908 [SUMMARY] There were Failures in 2 Scripts 20050716132908 [SUMMARY] There were Errors in 0 Scripts 20050716132908 [SUMMARY] There were Warnings in 0 Scripts 20050716132908 [SUMMARY] There was a Note in 1 Script 20050716132908 [SUMMARY] Failure Scripts listed in: /var/opt/SUNWjass/run/20050716132908/jass-script-failures.txt 20050716132908 [SUMMARY] Notes Scripts listed in: /var/opt/SUNWjass/run/20050716132908/jass-script-notes.txt #

CODE EXAMPLE 6-5 Sample Output of Auditing Log Entries

# JASS_DISPLAY_TIMESTAMP=1

# JASS_DISPLAY_SCRIPTNAME=0

# export JASS_DISPLAY_TIMESTAMP JASS_DISPLAY_SCRIPTNAME

# bin/jass-execute -a abc.driver -V2

20050716132908 [FAIL] User adm is not listed in /etc/cron.d/at.deny.

20050716132908 [PASS] User bin is listed in /etc/cron.d/at.deny.

20050716132908 [FAIL] User zz999999 is not listed in /etc/cron.d/at.deny.

...

...

...

20050716132908 [FAIL] Script Total: 18 Errors

20050716132908 [FAIL] Driver Total: 28 Errors

20050716132908 [FAIL] Grand Total: 28 Errors

20050716132908 [SUMMARY] Results Summary for AUDIT run of dan.driver

20050716132908 [SUMMARY] The run completed with a total of 2 scripts run.

20050716132908 [SUMMARY] There were  Failures in   2 Scripts

20050716132908 [SUMMARY] There were  Errors   in   0 Scripts

20050716132908 [SUMMARY] There were  Warnings in   0 Scripts

20050716132908 [SUMMARY] There was a Note     in   1 Script

20050716132908 [SUMMARY] Failure Scripts listed in:

/var/opt/SUNWjass/run/20050716132908/jass-script-failures.txt

20050716132908 [SUMMARY] Notes Scripts listed in:

/var/opt/SUNWjass/run/20050716132908/jass-script-notes.txt

Performing a Security Audit

Performing a security assessment periodically on your systems provides a benchmark of how closely the security matches the security profile you implemented. The most common scenario for performing security assessments is as a security maintenance task sometime after hardening new installations. The security assessment option is designed so that you simply execute the same hardening drivers that you used to harden the system, but now you use the -a option to check the current state compared to the security profile implemented during hardening. This design eliminates complexity and provides flexibility. For example, when you update your security profile, subsequent security assessments use the updated security profile.

In another possible scenario, you might be responsible for securing systems that are already deployed. Before you harden them, you want to perform a security assessment. In this scenario, you would define your own security profile, customize a Solaris Security Toolkit security profile template, or use one of the security profile templates as is.

Before performing an audit, you need to define or choose a security profile. For more information, see Preparing to Audit Security.

For a complete and up-to-date listings and information about available standard and product-specific drivers, refer to the security_drivers man page or Chapter 4 in the Solaris Security Toolkit 4.2 Reference Manual.

2. Determine the command-line options you want and how you want to control the output.

3. Enter the jass-execute -a command, the name of the security profile, and the options you want.

CODE EXAMPLE 6-6 Sample Output of Audit Run
`#` `./jass-execute -a abc-secure.driver` [NOTE] Executing driver, abc-secure.driver [...] ================================================================ abc-secure.driver: Audit script: enable-rfc1948.aud ================================================================ #--------------------------------------------------------------- # RFC 1948 Sequence Number Generation # # Rationale for Verification Check: # # The purpose of this script is to verify that the system is # configured and is in fact using RFC 1948 for its TCP sequence # number generation algorithm (unique-per-connection ID). This is # configured by setting the 'TCP_STRONG_ISS' parameter to '2' in # the /etc/default/inetinit file. # # Determination of Compliance: # [...] #--------------------------------------------------------------- [PASS] TCP_STRONG_ISS is set to '2' in /etc/default/inetinit. [PASS] System is running with tcp_strong_iss=2. # The following is the vulnerability total for this audit script. [PASS] Audit Check Total : 0 Error(s) ================================================================ # The following is the vulnerability total for this driver profile. [PASS] Driver Total : 0 Error(s) ================================================================ abc-secure.driver: Driver finished. ================================================================ # The following is the vulnerability grand total for this run. [PASS] Grand Total : 0 Error(s)

CODE EXAMPLE 6-6 Sample Output of Audit Run

# ./jass-execute -a abc-secure.driver

[NOTE] Executing driver, abc-secure.driver

[...]

================================================================

abc-secure.driver: Audit script: enable-rfc1948.aud

================================================================

#---------------------------------------------------------------

# RFC 1948 Sequence Number Generation

# Rationale for Verification Check:

# The purpose of this script is to verify that the system is

# configured and is in fact using RFC 1948 for its TCP sequence

# number generation algorithm (unique-per-connection ID). This is

# configured by setting the 'TCP_STRONG_ISS' parameter to '2' in

# the /etc/default/inetinit file.

# Determination of Compliance:

[...]

#---------------------------------------------------------------

[PASS] TCP_STRONG_ISS is set to '2' in /etc/default/inetinit.

[PASS] System is running with tcp_strong_iss=2.

# The following is the vulnerability total for this audit script.

[PASS] Audit Check Total : 0 Error(s)

================================================================

# The following is the vulnerability total for this driver profile.

[PASS] Driver Total : 0 Error(s)

================================================================

abc-secure.driver: Driver finished.

================================================================

# The following is the vulnerability grand total for this run.

[PASS] Grand Total : 0 Error(s)

When an audit run is initiated, the Solaris Security Toolkit software accesses files from the JASS_HOME_DIR/Audit directory. Although the files in both the JASS_HOME_DIR/Audit and JASS_HOME_DIR/Finish directories share the same base file names, they have different file name suffixes. The driver.run script automatically translates the finish scripts defined by the JASS_SCRIPTS variable into audit scripts, by changing their suffixes from .fin to .aud along with pointers to files containing all messages generated at each alert level during the run.

The audit run starts and initializes the state of the Solaris Security Toolkit software. Each driver that is accessed during the run evaluates the state of all of its file templates and audit scripts. Each check results in a state of success or failure, represented by a vulnerability value of either zero or nonzero, respectively. In most cases, failure is represented by a number 1. Each script that is run produces a total security score, based on the total vulnerability value of each check contained within a script. The total vulnerability value result for each driver is displayed at the completion of a driver's assessment. A grand total of all scores is presented at the end of the run.

The security assessment option provides a comprehensive view of the state of a system at the time the assessment run is initiated. The Solaris Security Toolkit software checks the stored state of the system by inspecting configuration files and checks the running state of the system by inspecting process table information, device driver information, and so on. The Solaris Security Toolkit software checks for the existence of each file or service, and checks if the software associated with a service is installed, configured, enabled, and running. This approach yields an accurate snapshot of the current state of a system.