
Solaris Security Toolkit 4.2 Reference Manual

819-1503-10



Contents

Tables

Code Samples

Preface

1. Introduction to Solaris 10 Operating System Support

Using Perl With Solaris Security Toolkit 4.2 Software

SMF and Legacy Services on Solaris 10 OS

Scripts That Use the SMF-Ready Services Interface

Scripts That SMF Recognizes as Legacy Services

New Scripts for Solaris Security Toolkit 4.2 Release

Scripts Not Used for Solaris 10

Environment Variables Not Used for Solaris 10

Using Solaris 10 OS Zones

Sequence Matters in Hardening Global and Non-Global Zones

Harden a Non-Global Zone From Within That Zone

Some Scripts Are Not Relevant to Non-Global Zones

Audits of Non-Global Zones Are Separate and Distinct From Audits of Global Zones

Zone-Aware Finish and Audit Scripts

Some Zone-Aware Scripts Require Action Before Use in Non-Global Zones

rpcbind Disabled or Enabled Based on Drivers

To Enable rpcbind

Using TCP Wrappers

TCP Wrappers Configuration for secure.driver

TCP Wrappers Configuration for server-secure.driver

TCP Wrappers Configuration for suncluster3x-secure.driver

TCP Wrappers Configuration for sunfire_15k_sc-secure.driver

Defining Environment Variables

Earlier Solaris Security Toolkit Versions

Solaris Security Toolkit 4.2

2. Framework Functions

Customizing Framework Functions

Using Common Log Functions

logBanner

logDebug

logError

logFailure

logFileContentsExist and logFileContentsNotExist

logFileExists and logFileNotExists

logFileGroupMatch and logFileGroupNoMatch

logFileModeMatch and logFileModeNoMatch

logFileNotFound

logFileOwnerMatch and logFileOwnerNoMatch

logFileTypeMatch and logFileTypeNoMatch

logFinding

logFormattedMessage

logInvalidDisableMode

logInvalidOSRevision

logMessage

logNotGlobalZone

logNotice

logPackageExists and logPackageNotExists

logPatchExists and logPatchNotExists

logProcessArgsMatch and logProcessArgsNoMatch

logProcessExists and logProcessNotExists

logProcessNotFound

logScore

logScriptFailure

logServiceConfigExists and logServiceConfigNotExists

logServiceDisabled and logServiceEnabled

logServiceInstalled and logServiceNotInstalled

logServiceOptionDisabled and logServiceOptionEnabled

logServiceProcessList

logServicePropDisabled and logServicePropEnabled

logServiceRunning and logServiceNotRunning

logStartScriptExists and logStartScriptNotExists

logStopScriptExists and logStopScriptNotExists

logSuccess

logSummary

logUserLocked and logUserNotLocked

logUndoBackupWarning

logWarning

Using Common Miscellaneous Functions

adjustScore

checkLogStatus

clean_path

extractComments

get_driver_report

get_lists_conjunction

get_lists_disjunction

invalidVulnVal

isNumeric

printPretty

printPrettyPath

strip_path

Using Driver Functions

add_crontab_entry_if_missing

add_option_to_ftpd_property

add_patch

add_pkg

add_to_manifest

backup_file

backup_file_in_safe_directory

change_group

change_mode

change_owner

check_and_log_change_needed

check_os_min_version

check_os_revision

check_readOnlyMounted

checksum

convert_inetd_service_to_frmi

copy_a_dir

copy_a_file

copy_a_symlink

copy_files

create_a_file

create_file_timestamp

disable_conf_file

disable_file

disable_rc_file

disable_service

enable_service

find_sst_run_with

get_expanded_file_name

get_stored_keyword_val

get_users_with_retries_set

is_patch_applied and is_patch_not_applied

is_service_enabled

is_service_installed

is_service_running

is_user_account_extant

is_user_account_locked

is_user_account_login_not_set

is_user_account_passworded

lock_user_account

make_link

mkdir_dashp

move_a_file

rm_pkg

set_service_property_value

set_stored_keyword_val

unlock_user_account

update_inetconv_in_upgrade

warn_on_default_files

write_val_to_file

Using Audit Functions

check_fileContentsExist and check_fileContentsNotExist

check_fileExists and check_fileNotExists

check_fileGroupMatch and check_fileGroupNoMatch

check_fileModeMatch and check_fileModeNoMatch

check_fileOwnerMatch and check_fileOwnerNoMatch

check_fileTemplate

check_fileTypeMatch and check_fileTypeNoMatch

check_if_crontab_entry_present

check_keyword_value_pair

check_minimized

check_minimized_service

check_packageExists and check_packageNotExists

check_patchExists and check_patchNotExists

check_processArgsMatch and check_processArgsNoMatch

check_processExists and check_processNotExists

check_serviceConfigExists and check_serviceConfigNotExists

check_serviceDisabled and check_serviceEnabled

check_serviceInstalled and check_serviceNotInstalled

check_serviceOptionEnabled and check_serviceOptionDisabled

check_servicePropDisabled

check_serviceRunning and check_serviceNotRunning

check_startScriptExists and check_startScriptNotExists

check_stopScriptExists and check_stopScriptNotExists

check_userLocked and check_userNotLocked

finish_audit

get_cmdFromService

start_audit

3. File Templates

Customizing File Templates

To Customize a File Template

Understanding Criteria for How Files Are Copied

Using Configuration Files

driver.init

finish.init

user.init.SAMPLE

To Add a New Variable to the user.init Script

To Append Entries to Variables Using the user.init File

Using File Templates

.cshrc

.profile

etc/default/sendmail

etc/dt/config/Xaccess

etc/ftpd/banner.msg

etc/hosts.allow and etc/hosts.deny

etc/hosts.allow-15k_sc

etc/hosts.allow-server

etc/hosts.allow-suncluster

etc/init.d/nddconfig

etc/init.d/set-tmp-permissions

etc/init.d/sms_arpconfig

etc/init.d/swapadd

etc/issue and etc/motd

etc/notrouter

etc/opt/ipf/ipf.conf

etc/opt/ipf/ipf.conf-15k_sc

etc/opt/ipf/ipf.conf-server

etc/rc2.d/S00set-tmp-permissions and etc/rc2.d/S07set-tmp-permissions

etc/rc2.d/S70nddconfig

etc/rc2.d/S73sms_arpconfig

etc/rc2.d/S77swapadd

etc/security/audit_control

etc/security/audit_class+5.8 and etc/security/audit_event+5.8

etc/security/audit_class+5.9 and etc/security/audit_event+5.9

etc/sms_domain_arp and etc/sms_sc_arp

etc/syslog.conf

root/.cshrc

root/.profile

var/opt/SUNWjass/BART/rules

var/opt/SUNWjass/BART/rules-secure

4. Drivers

Understanding Driver Functions and Processes

Load Functionality Files

Perform Basic Checks

Load User Functionality Overrides

Mount File Systems to JumpStart Client

Copy or Audit Files

Execute Scripts

Compute Total Score for the Run

Unmount File Systems From JumpStart Client

Customizing Drivers

To Customize a Driver

Using Standard Drivers

config.driver

hardening.driver

secure.driver

Using Product-Specific Drivers

server-secure.driver

suncluster3x-secure.driver

sunfire_15k_sc-secure.driver

5. Finish Scripts

Customizing Finish Scripts

Customize Existing Finish Scripts

To Customize a Finish Script

Prevent kill Scripts From Being Disabled

Create New Finish Scripts

Using Standard Finish Scripts

Disable Finish Scripts

disable-ab2.fin

disable-apache.fin

disable-apache2.fin

disable-appserv.fin

disable-asppp.fin

disable-autoinst.fin

disable-automount.fin

disable-dhcp.fin

disable-directory.fin

disable-dmi.fin

disable-dtlogin.fin

disable-face-log.fin

disable-IIim.fin

disable-ipv6.fin

disable-kdc.fin

disable-keyboard-abort.fin

disable-keyserv-uid-nobody.fin

disable-ldap-client.fin

disable-lp.fin

disable-mipagent.fin

disable-named.fin

disable-nfs-client.fin

disable-nfs-server.fin

disable-nscd-caching.fin

disable-picld.fin

disable-power-mgmt.fin

disable-ppp.fin

disable-preserve.fin

disable-remote-root-login.fin

disable-rhosts.fin

disable-routing.fin

disable-rpc.fin

disable-samba.fin

disable-sendmail.fin

disable-slp.fin

disable-sma.fin

disable-snmp.fin

disable-spc.fin

disable-ssh-root-login.fin

disable-syslogd-listen.fin

disable-system-accounts.fin

disable-uucp.fin

disable-vold.fin

disable-wbem.fin

disable-xfs.fin

disable-xserver.listen.fin

Enable Finish Scripts

enable-account-lockout.fin

enable-bart.fin

enable-bsm.fin

enable-coreadm.fin

enable-ftpaccess.fin

enable-ftp-syslog.fin

enable-inetd-syslog.fin

enable-ipfilter.fin

enable-password-history.fin

enable-priv-nfs-ports.fin

enable-process-accounting.fin

enable-rfc1948.fin

enable-stack-protection.fin

enable-tcpwrappers.fin

Install Finish Scripts

install-at-allow.fin

install-fix-modes.fin

install-ftpusers.fin

install-jass.fin

install-loginlog.fin

install-md5.fin

install-nddconfig.fin

install-newaliases.fin

install-openssh.fin

install-recommended-patches.fin

install-sadmind-options.fin

install-security-mode.fin

install-shells.fin

install-strong-permissions.fin

install-sulog.fin

install-templates.fin

Print Finish Scripts

print-jass-environment.fin

print-jumpstart-environment.fin

print-rhosts.fin

print-sgid-files.fin

print-suid-files.fin

print-unowned-objects.fin

print-world-writable-objects.fin

Remove Finish Script

remove-unneeded-accounts.fin

Set Finish Scripts

set-banner-dtlogin.fin

set-banner-ftpd.fin

set-banner-sendmail.fin

set-banner-sshd.fin

set-banner-telnet.fin

set-flexible-crypt.fin

set-ftpd-umask.fin

set-login-retries.fin

set-power-restrictions.fin

set-rmmount-nosuid.fin

set-root-group.fin

set-root-home-dir.fin

set-root-password.fin

set-strict-password-checks.fin

set-sys-suspend-restrictions.fin

set-system-umask.fin

set-term-type.fin

set-tmpfs-limit.fin

set-user-password-reqs.fin

set-user-umask.fin

Update Finish Scripts

update-at-deny.fin

update-cron-allow.fin

update-cron-deny.fin

update-cron-log-size.fin

update-inetd-conf.fin

Using Product-Specific Finish Scripts

suncluster3x-set-nsswitch-conf.fin

s15k-static-arp.fin

s15k-exclude-domains.fin

s15k-sms-secure-failover.fin

6. Audit Scripts

Customizing Audit Scripts

Customize Standard Audit Scripts

To Customize an Audit Script

Create New Audit Scripts

Using Standard Audit Scripts

Disable Audit Scripts

disable-ab2.aud

disable-apache.aud

disable-apache2.aud

disable-appserv.aud

disable-asppp.aud

disable-autoinst.aud

disable-automount.aud

disable-dhcpd.aud

disable-directory.aud

disable-dmi.aud

disable-dtlogin.aud

disable-face-log.aud

disable-IIim.aud

disable-ipv6.aud

disable-kdc.aud

disable-keyboard-abort.aud

disable-keyserv-uid-nobody.aud

disable-ldap-client.aud

disable-lp.aud

disable-mipagent.aud

disable-named.aud

disable-nfs-client.aud

disable-nfs-server.aud

disable-nscd-caching.aud

disable-picld.aud

disable-power-mgmt.aud

disable-ppp.aud

disable-preserve.aud

disable-remote-root-login.aud

disable-rhosts.aud

disable-routing.aud

disable-rpc.aud

disable-samba.aud

disable-sendmail.aud

disable-slp.aud

disable-sma.aud

disable-snmp.aud

disable-spc.aud

disable-ssh-root-login.aud

disable-syslogd-listen.aud

disable-system-accounts.aud

disable-uucp.aud

disable-vold.aud

disable-wbem.aud

disable-xfs.aud

disable-xserver.listen.aud

Enable Audit Scripts

enable-account-lockout.aud

enable-bart.aud

enable-bsm.aud

enable-coreadm.aud

enable-ftp-syslog.aud

enable-ftpaccess.aud

enable-inetd-syslog.aud

enable-ipfilter.aud

enable-password-history.aud

enable-priv-nfs-ports.aud

enable-process-accounting.aud

enable-rfc1948.aud

enable-stack-protection.aud

enable-tcpwrappers.aud

Install Audit Scripts

install-at-allow.aud

install-fix-modes.aud

install-ftpusers.aud

install-jass.aud

install-loginlog.aud

install-md5.aud

install-nddconfig.aud

install-newaliases.aud

install-openssh.aud

install-recommended-patches.aud

install-sadmind-options.aud

install-security-mode.aud

install-shells.aud

install-strong-permissions.aud

install-sulog.aud

install-templates.aud

Print Audit Scripts

print-jass-environment.aud

print-jumpstart-environment.aud

print-rhosts.aud

print-sgid-files.aud

print-suid-files.aud

print-unowned-objects.aud

print-world-writable-objects.aud

Remove Audit Script

remove-unneeded-accounts.aud

Set Audit Scripts

set-banner-dtlogin.aud

set-banner-ftpd.aud

set-banner-sendmail.aud

set-banner-sshd.aud

set-banner-telnet.aud

set-flexible-crypt.aud

set-ftpd-umask.aud

set-login-retries.aud

set-power-restrictions.aud

set-rmmount-nosuid.aud

set-root-group.aud

set-root-home-dir.aud

set-root-password.aud

set-strict-password-checks.aud

set-sys-suspend-restrictions.aud

set-system-umask.aud

set-term-type.aud

set-tmpfs-limit.aud

set-user-password-reqs.aud

set-user-umask.aud

Update Audit Scripts

update-at-deny.aud

update-cron-allow.aud

update-cron-deny.aud

update-cron-log-size.aud

update-inetd-conf.aud

Using Product-Specific Audit Scripts

suncluster3x-set-nsswitch-conf.aud

s15k-static-arp.aud

s15k-exclude-domains.aud

s15k-sms-secure-failover.aud

7. Environment Variables

Customizing and Assigning Variables

Assigning Static Variables

Assigning Dynamic Variables

Assigning Complex Substitution Variables

Assigning Global and Profile-Based Variables

Creating Environment Variables

Using Environment Variables

Defining Framework Variables

JASS_AUDIT_DIR

JASS_CHECK_MINIMIZED

JASS_CONFIG_DIR

JASS_DISABLE_MODE

JASS_DISPLAY_HOST_LENGTH

JASS_DISPLAY_HOSTNAME

JASS_DISPLAY_SCRIPT_LENGTH

JASS_DISPLAY_SCRIPTNAME

JASS_DISPLAY_TIME_LENGTH

JASS_DISPLAY_TIMESTAMP

JASS_FILE_COPY_KEYWORD

JASS_FILES

JASS_FILES_DIR

JASS_FINISH_DIR

JASS_HOME_DIR

JASS_HOSTNAME

JASS_ISA_CAPABILITY

JASS_LOG_BANNER

JASS_LOG_ERROR

JASS_LOG_FAILURE

JASS_LOG_NOTICE

JASS_LOG_SUCCESS

JASS_LOG_SUMMARY

JASS_LOG_WARNING

JASS_MODE

JASS_OS_REVISION

JASS_OS_TYPE

JASS_PACKAGE_DIR

JASS_PATCH_DIR

JASS_PKG

JASS_REPOSITORY

JASS_ROOT_DIR

JASS_ROOT_HOME_DIR

JASS_RUN_AUDIT_LOG

JASS_RUN_CHECKSUM

JASS_RUN_CLEAN_LOG

JASS_RUN_FINISH_LIST

JASS_RUN_INSTALL_LOG

JASS_RUN_MANIFEST

JASS_RUN_SCRIPT_LIST

JASS_RUN_UNDO_LOG

JASS_RUN_VALUES

JASS_RUN_VERSION

JASS_SAVE_BACKUP

JASS_SCRIPT

JASS_SCRIPT_ERROR_LOG

JASS_SCRIPT_FAIL_LOG

JASS_SCRIPT_NOTE_LOG

JASS_SCRIPT_WARN_LOG

JASS_SCRIPTS

JASS_STANDALONE

JASS_SUFFIX

JASS_TIMESTAMP

JASS_UNAME

JASS_UNDO_TYPE

JASS_USER_DIR

JASS_VERBOSITY

JASS_VERSION

JASS_ZONE_NAME

Define Script Behavior Variables

JASS_ACCT_DISABLE

JASS_ACCT_REMOVE

JASS_AGING_MAXWEEKS

JASS_AGING_MINWEEKS

JASS_AGING_WARNWEEKS

JASS_AT_ALLOW

JASS_AT_DENY

JASS_BANNER_DTLOGIN

JASS_BANNER_FTPD

JASS_BANNER_SENDMAIL

JASS_BANNER_SSHD

JASS_BANNER_TELNETD

JASS_CORE_PATTERN

JASS_CPR_MGT_USER

JASS_CRON_ALLOW

JASS_CRON_DENY

JASS_CRON_LOG_SIZE

JASS_CRYPT_ALGORITHMS_ALLOW

JASS_CRYPT_DEFAULT

JASS_CRYPT_FORCE_EXPIRE

JASS_FIXMODES_DIR

JASS_FIXMODES_OPTIONS

JASS_FTPD_UMASK

JASS_FTPUSERS

JASS_KILL_SCRIPT_DISABLE

JASS_LOGIN_RETRIES

JASS_MD5_DIR

JASS_NOVICE_USER

JASS_PASS_ Environment Variables

JASS_PASS_DICTIONDBDIR

JASS_PASS_DICTIONLIST

JASS_PASS_HISTORY

JASS_PASS_LENGTH

JASS_PASS_MAXREPEATS

JASS_PASS_MINALPHA

JASS_PASS_MINDIFF

JASS_PASS_MINDIGIT

JASS_PASS_MINLOWER

JASS_PASS_MINNONALPHA

JASS_PASS_MINSPECIAL

JASS_PASS_MINUPPER

JASS_PASS_NAMECHECK

JASS_PASS_WHITESPACE

JASS_PASSWD

JASS_POWER_MGT_USER

JASS_REC_PATCH_OPTIONS

JASS_RHOSTS_FILE

JASS_ROOT_GROUP

JASS_ROOT_PASSWORD

JASS_SADMIND_OPTIONS

JASS_SENDMAIL_MODE

JASS_SGID_FILE

JASS_SHELLS

JASS_SUID_FILE

JASS_SUSPEND_PERMS

JASS_SVCS_DISABLE

JASS_SVCS_ENABLE

JASS_TMPFS_SIZE

JASS_UMASK

JASS_UNOWNED_FILE

JASS_WRITABLE_FILE

Define JumpStart Mode Variables

JASS_PACKAGE_MOUNT

JASS_PATCH_MOUNT

Glossary

Index