CHAPTER 3
Upgrading, Installing, and Running Security Software
This chapter provides instructions for downloading, upgrading or installing, and running the Solaris Security Toolkit software and other security-related software. Included are instructions for configuring your environment for either stand-alone or JumpStart mode, and for obtaining support.
Follow the instructions and process provided in this section to upgrade or install, configure, and execute the software. These instructions include downloading additional security software, helpful examples, and guidelines.
Although the Solaris Security Toolkit software is a stand-alone product, it is most effective when used with the additional security software provided for downloading. This software includes the latest Recommended and Security Patch Cluster from SunSolve OnLine, Secure Shell software for Solaris OS releases that do not include it, permission and ownership modification software to tighten Solaris OS and third-party software permissions, and integrity validation binaries to validate the integrity of Sun files and executables.
This chapter contains the following tasks:
Proper planning is key to successfully using the Solaris Security Toolkit software to secure systems. See Chapter 2 for detailed information about planning before you install the software.
If you are installing the software on a deployed system, see Performing Preinstallation Tasks for information about performing preinstallation tasks prior to installing the software on deployed systems.
The Solaris Security Toolkit 4.2 software depends upon the SUNWloc package. The absence of this package causes the Solaris Security Toolkit to fail.
See Supported Solaris OS Versions for information about supported versions of the Solaris Operating System.
See Supported SMS Versions for information about supported versions of the System Management Services (SMS) software.
Harden systems during or immediately after the OS installation, to limit the period a system might be exposed to attack while in an unsecured state. Before using the Solaris Security Toolkit software to secure a system, configure the Solaris Security Toolkit software to run properly in your environment.
The Solaris Security Toolkit software has a modular framework. If you are not using the JumpStart product, the flexibility of the Solaris Security Toolkit software's framework enables you to efficiently prepare for using JumpStart later. If you are using JumpStart, you benefit from the Solaris Security Toolkit software's ability to integrate into existing JumpStart architectures.
The following sections describe the stand-alone and JumpStart modes.
The Solaris Security Toolkit software runs directly from a Solaris OS shell prompt in stand-alone mode. This mode enables you to use the Solaris Security Toolkit software on those systems that require security modifications or updates, yet cannot be taken out of service to reinstall the OS from scratch. However, whenever possible, operating systems should be reinstalled from scratch prior to being secured.
Stand-alone mode is particularly useful when hardening a system after installing patches or third-party software. You can run the Solaris Security Toolkit software multiple times on a system with no ill effects. Patches might overwrite or modify files the Solaris Security Toolkit software has modified; by rerunning the Solaris Security Toolkit software, any security modifications negated by the patch installation can be reimplemented.
Note - In production environments, stage patches in test and development environments before installing the patches in live environments.
The stand-alone mode is one of the best options to harden a deployed system as quickly as possible. No special steps are required to integrate the Solaris Security Toolkit software into an architecture without JumpStart, other than those steps in the downloading and installing instructions provided in Downloading Security Software.
JumpStart technology, which is Sun's network-based Solaris OS installation mechanism, can run Solaris Security Toolkit scripts during the installation process. This book assumes that the reader is familiar with JumpStart technology and has an existing JumpStart environment available. For more information about JumpStart technology, refer to the Sun BluePrints book JumpStart Technology: Effective Use in the Solaris Operating Environment.
The Solaris Security Toolkit 4.2 package is relocatable, so that it can be installed to whatever directory you want by using the correct options to the pkgadd command. JASS_HOME_DIR becomes the base directory of the JumpStart server.
Only a few steps are required to integrate the Solaris Security Toolkit software into a JumpStart architecture. See Chapter 5 for instructions on how to configure a JumpStart server.
This section contains information about how to upgrade your system from Solaris Security Toolkit 4.0 and 4.1 software to Solaris Security Toolkit 4.2 software, with and without upgrading your Solaris OS. The system is hardened by using the Solaris Security Toolkit software on your Solaris operating system. The procedures are the same whether upgrading from version 4.0 or 4.1. Follow the procedures exactly as given, because they prevent you from overwriting all of your prior customizations.
Caution - Only one version of the Solaris Security Toolkit can be installed at any one time.
The Solaris Security Toolkit 4.2 software provides a new enhancement to the pkgrm command. With this release, the first step in the pkgrm command checks the integrity of all files included in the distribution. If any files are different, the pkgrm command exits with an error message that tells the system administrator either to put the correct file in place or to remove the modified file.
The drivers are in the Drivers subdirectory where the Solaris Security Toolkit is installed. User-written drivers are placed there, too. When you remove SUNWjass with the pkgrm command, it removes the Solaris Security Toolkit-provided drivers and user-modified drivers, but leaves any custom drivers the user has added, assuming the custom drivers have different names than the Solaris Security Toolkit-provided drivers.
To Upgrade Solaris Security Toolkit Software and the Solaris Operating System
1. Follow the best practice that is available for upgrading your system; that is, backing it up or using Solaris upgrade.
2. Uninstall the previous version of Solaris Security Toolkit software.
3. Install Solaris Security Toolkit 4.2 software.
4. Run Solaris Security Toolkit 4.2 software in audit mode against the upgraded system using the previous Solaris Security Toolkit drivers and user-specified drivers.
User-specified drivers must be in the Drivers directory. If they are, then they can be specified for a jass-execute or hardening run.
5. Check the results of the audit run:
a. If there are no errors, go to step 6.
b. If errors are generated during the run (for example, a non-installed run control script is modified, or a service should be controlled using an FMRI), fix those errors, and repeat steps 4 and 5 until no more errors are generated.
6. Compare your customized driver against the secure.driver to determine if any new finish or audit scripts should be added to your customized driver.
7. Check the results of the comparison:
a. If no scripts are missing, go to step 8.
b. If any scripts are missing, add those missing scripts, and repeat steps 4, 5, 6, and 7 until all necessary scripts are included.
8. Run Solaris Security Toolkit 4.2 in hardening mode.
9. Run Solaris Security Toolkit 4.2 in audit mode, and ensure there are no errors.
10. Review the security configuration and posture of the system to determine if it complies with security requirements.
11. Check the results of the review:
a. If the system is compliant, go to step 12.
b. If the system is not compliant, update the driver being used, and return to step 8.
12. Fully test the system to ensure that the system provides required network services and all applications are fully functional.
13. If any errors are encountered, update the driver being used, and return to step 8.
To Upgrade Solaris Security Toolkit Software Only
1. Uninstall the previous version of Solaris Security Toolkit software.
2. Install Solaris Security Toolkit 4.2 software.
3. Go to step 4 of To Upgrade Solaris Security Toolkit Software and the Solaris Operating System.
If you are only upgrading the Solaris OS and already have Solaris Security Toolkit 4.2 software installed (for example, upgrading from Solaris 8 OS to Solaris 10 OS), you do not need to uninstall the Solaris Security Toolkit 4.2 software. After you finish the Solaris OS upgrade, run Solaris Security Toolkit 4.2 in audit mode, and review the system security configuration to ensure there are no errors.
The first stage in hardening a system requires downloading additional software security packages onto the system you want to secure. This section covers the following tasks:
The Solaris Security Toolkit software is distributed in Solaris OS package format. First download the Solaris Security Toolkit software, then install it on the server on which you are using the Solaris Security Toolkit software in stand-alone mode or on a JumpStart server for JumpStart mode.
Note - The following instructions use file names that do not reference the version number. Always download the latest version from the web site.
Throughout the rest of this guide, the JASS_HOME_DIR environment variable refers to the root directory of the Solaris Security Toolkit software, which is by default /opt/SUNWjass.
To Download the pkg Version
1. Download the software distribution file (SUNWjass-n.n.pkg.tar.Z).
The source file is located at:
http://www.sun.com/security/jass
Note - If you encounter difficulty downloading the software, use your browser's Save As option.
2. Extract the software distribution file into a directory on the server by using the uncompress command:
3. Untar the software distribution package by using the tar command:
4. Install the software distribution file into a directory on the server using the pkgadd command as shown:
where n.n is the most current version that you are downloading.
Executing this command creates the SUNWjass directory in /opt. This subdirectory contains all the Solaris Security Toolkit directories and associated files.
Patches are released by Sun to provide Solaris OS fixes for performance, stability, functionality, and security. It is critical to the security of a system that the most up-to-date patch cluster is installed. To ensure that the latest Solaris OS Recommended and Security Patch Cluster is installed on your system, this section describes how to download the latest patch cluster.
Note - Before installing any patches, evaluate and test them on nonproduction systems or during scheduled maintenance windows.
To Download Recommended Patch Cluster Software
Before you install a patch cluster, review individual patch README files and other information provided. The information often contains suggestions and information helpful to know before installing a patch cluster.
1. Download the latest patch cluster from the SunSolve OnLine web site at:
2. Click the Patches link on the right-hand navigation bar.
3. Click the Recommended Patch Clusters link.
4. Select the appropriate Solaris OS version in the Recommended Solaris Patch Clusters box.
In our example, we select Solaris 10 OS.
5. Select the best download option, either HTTP or FTP, with the associated radio button, then click Go.
A Save As dialog box is displayed in your browser window.
7. Move the file securely to the system being hardened.
Use the secure copy command, scp(1), or another method that provides secure file transfer.
Use the scp command as follows:
8. Move the file to the /opt/SUNWjass/Patches directory and uncompress it.
The patch cluster software is installed automatically after you download the other security packages and execute the Solaris Security Toolkit software.
FixModes is a software package that tightens the default Solaris OS directory and file permissions. Tightening these permissions can significantly improve overall security. More restrictive permissions make it even more difficult for malicious users to gain privileges on a system.
To Download FixModes Software
1. Download the FixModes precompiled binaries from:
http://www.sun.com/security/jass
The FixModes software is distributed as a precompiled and compressed package version file formatted for Solaris OS systems. The file name is SUNBEfixm.pkg.Z.
2. Move the file securely to the system being hardened by using the scp command, or another method that provides secure file transfer.
Use the scp command as follows:
3. Uncompress and save the file, SUNBEfixm.pkg.Z, in the Solaris Security Toolkit Packages directory in /opt/SUNWjass/Packages, with the following commands:
Later, the FixModes software is installed automatically after downloading all the other security packages and executing the Solaris Security Toolkit software.
In any secured environment, the use of encryption in combination with strong authentication is required to protect user-interactive sessions. At a minimum, network access must be encrypted.
The tool most commonly used to implement encryption is Secure Shell software, either a version bundled with the Solaris OS, a third-party commercial version, or a freeware version. To implement all the security modifications performed by the Solaris Security Toolkit software, you must include a Secure Shell software product.
Executing the Solaris Security Toolkit software disables all unencrypted user-interactive services and daemons on the system, in particular daemons such as in.telnetd, in.ftpd, in.rshd, and in.rlogind.
Secure Shell enables you to gain access to the system as you would using Telnet and FTP.
To Download OpenSSH Software
Obtain the following Sun BluePrints OnLine article or Sun BluePrints book, and use the instructions for downloading the software:
After downloading all the other security packages and executing the Solaris Security Toolkit software, the OpenSSH software is installed automatically.
The MD5 software generates MD5 digital fingerprints on the system being hardened. Generate the digital fingerprints, then compare them with what Sun has published as correct, to detect system binaries that unauthorized users have altered or replaced with trojaned versions (malicious code hidden inside something that appears safe). By modifying system binaries, attackers provide themselves with backdoor access onto a system; they hide their presence and could cause systems to operate in unstable manners.
Note - If the server is running the Solaris 10 OS, you can use the bundled /usr/bin/digest command and skip the MD5 installation steps that follow in this section.
To Download the MD5 Software
1. Download the MD5 binaries from the following web site:
http://www.sun.com/security/jass
The MD5 programs are distributed as a compressed package version file.
2. Move the file SUNBEmd5.pkg.Z securely to the system being hardened with the scp command, or another method that provides secure file transfer.
Use the scp command as follows:
3. Uncompress and move the file to the Solaris Security Toolkit Packages directory in /opt/SUNWjass/Packages, using a command similar to the following:
After the MD5 software is saved to the /opt/SUNWjass/Packages directory, the execution of the Solaris Security Toolkit software installs the software.
After the MD5 binaries are installed, you can use them to verify the integrity of executables on the system through the Solaris fingerprint database. More information on the Solaris fingerprint database is available in the Sun BluePrints OnLine article titled "The Solaris Fingerprint Database -- A Security Tool for Solaris Software and Files."
4. (Optional) Download and install Solaris Fingerprint Database Companion and Solaris Fingerprint Database Sidekick software from the Sun BluePrint web site at:
http://www.sun.com/blueprints/tools
Note - Even though step 4 is marked optional, it is highly beneficial to use it on all operating systems.
Install and use these optional tools with the MD5 software. These tools simplify the process of validating system binaries against the database of MD5 checksums. Use these tools frequently to validate the integrity of the Solaris OS binaries and files on a secured system.
These tools and instructions for downloading them are in the Sun BluePrints OnLine article titled "The Solaris Fingerprint Database -- A Security Tool for Solaris Software and Files."
The integrity of the security tools downloaded should be verified. Before installing and running the Solaris Security Toolkit software and additional security software, validate integrity by using MD5 checksums. On the download page of the Solaris Security Toolkit, MD5 checksums are available for this purpose.
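A worked example of the fingerprint checks described in this section and in the MD5 section above, added here and not part of the Solaris Security Toolkit distribution or of Sun's fingerprint database tools. It assumes a checksum list in the constructed form "MD5  PATH" (one file per line), uses whichever of md5sum, digest, or openssl is present, and the install_pkg helper with its pkgadd invocation is an illustrative assumption rather than the toolkit's own installer.

```shell
#!/bin/sh
# Added example, not part of the Solaris Security Toolkit distribution.
# On Solaris run it with /usr/xpg4/bin/sh or ksh; the legacy /bin/sh lacks
# command -v and $(...). On Linux any POSIX sh or bash works.

# md5_of FILE: print the MD5 fingerprint of FILE as 32 lowercase hex digits.
# Uses whichever tool is present: md5sum (GNU), digest (Solaris 10), openssl.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    elif command -v digest >/dev/null 2>&1; then
        digest -a md5 "$1"
    else
        openssl dgst -md5 "$1" | awk '{print $NF}'
    fi
}

# verify_file FILE EXPECTED_MD5: return 0 only if FILE's fingerprint matches
# EXPECTED_MD5 (case-insensitive), 1 on mismatch, 2 if FILE is unreadable.
verify_file() {
    [ -r "$1" ] || return 2
    actual=$(md5_of "$1")
    expected=$(printf '%s' "$2" | tr 'ABCDEF' 'abcdef')
    [ "$actual" = "$expected" ]
}

# check_fingerprints LIST: LIST holds one "MD5  PATH" line per file (a
# constructed format standing in for a published checksum list; blank lines
# and lines starting with # are skipped). Every file that is missing or whose
# fingerprint differs is reported on stdout. Returns 0 when every file
# matched, 1 otherwise.
check_fingerprints() {
    bad=0
    while read -r sum path; do
        case "$sum" in ''|\#*) continue ;; esac
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"
            bad=1
        elif ! verify_file "$path" "$sum"; then
            echo "MODIFIED $path"
            bad=1
        fi
    done < "$1"
    return $bad
}

# install_pkg ARCHIVE EXPECTED_MD5: the download steps of this chapter
# (uncompress, tar, pkgadd) gated on the fingerprint check. ARCHIVE is the
# SUNWjass-n.n.pkg.tar.Z distribution file. Illustrative assumption; the
# demo below does not call it.
install_pkg() {
    if ! verify_file "$1" "$2"; then
        echo "refusing to install $1: fingerprint mismatch" >&2
        return 1
    fi
    uncompress "$1" || return 1
    tarball=${1%.Z}
    tar xf "$tarball" || return 1
    pkgadd -d "${tarball%.tar}" SUNWjass
}

# demo: constructed sample files (not real Solaris binaries) showing one
# intact file, one tampered file, and one file missing from the system.
demo() {
    work=$(mktemp -d) || return 1
    printf 'hello\n' > "$work/intact"
    printf 'hello\nextra\n' > "$work/tampered"
    # b1946ac92492d2347c6235b4d2611184 is the MD5 of the bytes "hello\n";
    # d41d8cd98f00b204e9800998ecf8427e is the MD5 of an empty file.
    {
        echo "b1946ac92492d2347c6235b4d2611184  $work/intact"
        echo "b1946ac92492d2347c6235b4d2611184  $work/tampered"
        echo "d41d8cd98f00b204e9800998ecf8427e  $work/absent"
    } > "$work/checksums"
    check_fingerprints "$work/checksums"
    status=$?
    rm -rf "$work"
    return $status
}

demo || echo "one or more files failed the fingerprint check"
```

Running the block reports the tampered and the absent sample files; the same check_fingerprints function, fed a published checksum list, is the offline integrity check the chapter asks for before trusting downloaded packages.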
A variety of security profile templates are included with the Solaris Security Toolkit software distribution as drivers. The security profiles implemented by these drivers disable services that are not required and enable optional security features disabled by the secure.driver. As mentioned in the previous chapter, the default security profile and changes made by these drivers might not be appropriate for your systems.
Before running the Solaris Security Toolkit software, review and customize the default security profiles for your environment, or develop new ones. Techniques and guidelines for customizing security profiles are provided in the Solaris Security Toolkit 4.2 Reference Manual.
It is important that the following preliminary tasks be completed prior to executing the Solaris Security Toolkit software. Most of the hardening is done automatically when you execute the Solaris Security Toolkit software.
You can execute the Solaris Security Toolkit software directly from the command line or from a JumpStart server.
For command-line options and other information about executing the software, see one of the following:
CODE EXAMPLE 3-2 shows a sample of command-line usage in stand-alone mode.
TABLE 3-1 lists the command-line options available and describes each.
For detailed information about the options available with jass-execute command in stand-alone mode, see the following sections:
For a complete listing of available drivers, see Drivers Directory. Newer versions of the software might contain additional drivers.
To Execute the Software in Stand-alone Mode
1. Execute the secure.driver (or a product-specific script such as sunfire_15k_sc-secure.driver) as follows:
For a complete listing of available drivers, see Drivers Directory. Newer versions of the software might contain additional drivers.
2. After running the Solaris Security Toolkit software on a system, reboot the system to implement the changes.
During hardening, a variety of modifications are made to the configuration of the client. These modifications might include disabling startup scripts for services, disabling options for services, and installing new binaries or libraries through patches. Until the client is restarted, these modifications might not be enabled.
3. After rebooting the system, verify the correctness and completeness of the modifications.
See Validating the System Modifications.
4. If any errors are encountered, fix them and run the Solaris Security Toolkit software again in stand-alone mode.
Through the -a option, the Solaris Security Toolkit software can perform an audit run to determine if a system is in compliance with its security profile. This run validates not only if system file modifications made are still active, but also if previously disabled processes are running or removed software packages are reinstalled. For more information on this function, see Chapter 6.
Synopsis of command-line usage to audit a system against a security profile:
The -c option removes saved files from a previous run of the Solaris Security Toolkit. You can use the quiet (-q), output (-o), mail (-m), and verbosity (-V) options with the clean option.
CODE EXAMPLE 3-4 shows an example of using the -c option, which produces output similar to the following:
The -h option displays the jass-execute help message, which provides an overview of the available options.
The -h option produces output similar to the following:
The -d driver option specifies the driver to be run in stand-alone mode.
You must specify a driver with the -d option. The Solaris Security Toolkit software prepends Drivers/ to the name of the script added. You need to enter only the script name on the command line.
Note - Do not use the -d option with the -a, -b, -c, -f, -H, -h, -k, or -u options.
A jass-execute hardening run using the -d driver option produces output similar to the following:
The -m e-mail_address option provides a mechanism by which stand-alone audit, clean, hardening, and undo output can be emailed automatically by the Solaris Security Toolkit software when the run completes. The email report is in addition to any logs generated on the system using other options and local logs created by the Solaris Security Toolkit software.
A Solaris Security Toolkit run calling sunfire_15k_sc-config.driver using the email option would be similar to the following:
The -H option provides a simple mechanism to determine how many times the Solaris Security Toolkit software has been run on a system. All runs are listed regardless of whether they have been undone.
The -H option produces output similar to the following:
The output indicates that the Solaris Security Toolkit software was run on this system three times and that the most recent run was undone.
The -l option provides a mechanism to determine the most recent run. This is always the most recent run listed by the -H option as well.
The -l option produces output similar to the following:
The -o output_file option redirects the console output of jass-execute runs to a separate output_file. You can specify a fully qualified path name for the output_file.
This option has no effect on the logs kept in the JASS_REPOSITORY directory. This option is particularly helpful when performed over a slow terminal connection. There can be a significant amount of output generated by a Solaris Security Toolkit run depending on the verbosity_level specified.
You can use this option with the -a, -d, or -u options.
The -o option produces output similar to the following:
The -q option disables Solaris Security Toolkit output from going to the console during a hardening run.
This option has no effect on the logs kept in the JASS_REPOSITORY directory. Similar to the -o option, this option is particularly helpful when running the Solaris Security Toolkit software through a cron job or over slow network connections.
You can use this option with the -a, -c, -d, or -u options.
The -q option produces output similar to the following:
# ./jass-execute -q -d secure.driver
[NOTE] Executing driver, secure.driver
The -r root-directory option is for specifying the root directory used during jass-execute runs. Using the -r option also requires using the -p option to specify the platform (OS) version. The format of the -p option is equivalent to that produced by uname -r.
The root directory is / and is defined by the Solaris Security Toolkit environment variable JASS_ROOT_DIR. The Solaris OS being secured is available through /. For example, if you want to secure a separate OS directory, temporarily mounted under /mnt, then use the -r option to specify /mnt. All the scripts are applied to that OS image.
Through the -u option, the Solaris Security Toolkit software can undo system modifications performed during hardening. Each finish script can be undone with the -u option. In addition, the Solaris Security Toolkit's undo ability is tightly integrated with the checksums generated during each run. For more information on this capability, see Chapter 4.
There are three other options you can use with the -u option:
Synopsis of command-line usage of an undo command:
The JumpStart mode is controlled by the Solaris Security Toolkit driver inserted in the rules file on the JumpStart server.
If you have not configured your environment to use JumpStart mode, see Chapter 5.
For more information on the JumpStart technology, refer to the Sun BluePrints book JumpStart Technology: Effective Use in the Solaris Operating Environment.
To Execute the Software in JumpStart Mode
To execute the Solaris Security Toolkit software in JumpStart mode, it must be integrated into your JumpStart environment and called as part of the finish scripts associated with a JumpStart installation. For information about how to integrate the Solaris Security Toolkit software into your environment, see Chapter 5.
1. After making all of the required modifications to the drivers, install the client using the JumpStart infrastructure.
This task is done using the following command from the client's ok prompt.
Once the installation is completed, the system is rebooted by the JumpStart software.
The system should be in its correct configuration. During hardening, a variety of modifications are made to the configuration of the client. These modifications could include disabling startup scripts for services, disabling options for services, and installing new binaries or libraries through patches. Until the client is restarted, these modifications might not be effective.
2. After the system is rebooted, verify the correctness and completeness of the modifications.
See Validating the System Modifications.
3. If any errors are encountered, fix them and reinstall the client's OS.
After rebooting the system, validate the correctness and completeness of the modifications as described in the following sections.
One of the significant challenges involved in securing systems is determining what OS services must be left enabled for the system to function properly. Solaris OS services might be needed because they are used directly, such as Secure Shell to log into a system. Or they could be used indirectly, such as using the RPC daemon for the graphical user interface (GUI) of third-party software management tools.
Most of these requirements should be determined before running the Solaris Security Toolkit software. (See Determining Application and Service Requirements.) However, the only definitive mechanism is to install and secure the system, then perform thorough testing of its required functionality through quality assurance (QA) testing. A QA plan should be executed for any new system being deployed after the system is hardened. Similarly, for deployed systems being hardened, thorough testing must be performed to ensure that all required and expected functionality is present.
If the QA process uncovers any discrepancies, perform the following:
1. Determine the problem area, based on the guidelines in Chapter 2.
2. Validate that the application runs in the modified configuration.
3. Undo the Solaris Security Toolkit run.
4. Modify the security profile (driver) based on the problem resolution.
5. Run the Solaris Security Toolkit software again.
The end result should be a security profile that can be run on the system without adversely affecting any required functionality.
While validating that the system performs all required functions, also evaluate the security configuration to determine if the system is secured to the desired level. Depending on what hardening or minimization was performed on the system, this might involve different aspects.
At a minimum, the configuration of the system should be reviewed in the following ways:
This review should be considered a minimum for newly built and secured systems. When hardening legacy systems, the underlying OS should be verified to determine if unauthorized modifications were made. Integrity checking of this nature is best done by mounting the system's file system in read-only mode and running integrity checking software from a known OS instance. The tools described in the Sun BluePrints OnLine article titled "The Solaris Fingerprint Database -- A Security Tool for Solaris Software and Files" are useful in these scenarios.
After a system is secured and you validate its required services and capabilities, use the audit function to make sure that the security profile was applied properly and completely. This task is critical for two reasons. The first is to ensure that the system is hardened as required. The second is to ensure that the security profile defined for the system is properly reflected in the Solaris Security Toolkit configuration. This check is critical because the configuration information is used to maintain the security profile of the system over its entire deployed life cycle.
For more information about the audit function, see Chapter 6.
If you installed the software on a deployed system, see Performing the Post-installation Task, for information about performing the post-installation task on deployed systems.
Copyright © 2005, Sun Microsystems, Inc. All Rights Reserved.