CHAPTER 3
File Templates
This chapter provides reference information about how to use, modify, and customize the file templates included in the Solaris Security Toolkit software. This chapter also describes how drivers process functions and other information that is stored in file templates.
This chapter contains the following topics:
File templates are an integral part of the Solaris Security Toolkit software. These files provide a mechanism for you to customize and distribute scripts easily through environment variables, OS version numbers, keywords, and client host names. You can leverage the contents of the Files directory in combination with finish and audit scripts to isolate related changes, depending on the design of your security profile (driver).
This section provides instructions and recommendations for customizing file templates, including instructions for creating new files in the Files directory.
For information about customizing drivers, finish scripts, and audit scripts, see the following chapters:
To Customize a File Template
Use the following steps to customize file templates (files) so that your custom versions are available and not overwritten if newer versions of software are released and installed on your systems.
1. Copy the files and any related files that you want to customize.
2. Rename the copies with names that identify the files as custom files.
For recommendations, refer to "Configuring and Customizing the Solaris Security Toolkit Software", Chapter 1, Solaris Security Toolkit 4.2 Administration Guide.
3. If necessary, modify your custom drivers to call the uniquely named files.
The following code sample shows a modification to the JASS_FILES environment variable that customizes which files are copied to a particular host.
In this case, a customized hardening driver called abccorp-server-hardening.driver uses a custom nddconfig file. Instead of modifying the nddconfig original file, which could be overwritten with an updated Solaris Security Toolkit software release, create a custom nddconfig script by appending the host name of the destination system to the file name in the Files directory. The following example shows a custom nddconfig script that has the host name of the destination system in the script file name.
where hostname099 is the host name of the system.
Files are copied automatically by the software from the JASS_HOME_DIR/Files directory based on the way you define certain environment variables, such as JASS_FILES and JASS_FILE_OS_VERSION environment variables. For information about all environment variables, see Chapter 7.
The Solaris Security Toolkit software differentiates between multiple files in the JASS_HOME_DIR/Files directory and the definitions in the environment variables, such as JASS_FILES and JASS_FILE_OS_VERSION.
The files that are copied by this function are selected by the following criteria, which are listed in the order of precedence used to match. For example, if a host-specific and generic file both exist, the host-specific file is used if the name of a target system matches the host name defined by the host-specific file. The following examples use /opt/SUNWjass as the home directory specified in the JASS_HOME_DIR environment variable, but you might have specified a different home directory. In our examples, the directory tree being searched is /opt/SUNWjass/Files/.
Note - The copy_files function ignores any objects listed that are not found in the JASS_HOME_DIR/Files directory tree.
1. Host-specific version - /opt/SUNWjass/Files/file.JASS_HOSTNAME
In this option, the software copies the file only if the name of the host target platform matches the value specified by the JASS_HOSTNAME environment variable. For example, if the file name is etc/issue and the JASS_HOSTNAME is eng1, a file copied under this criterion would be:
/opt/SUNWjass/Files/etc/issue.eng1
2. Keyword + OS-specific version - /opt/SUNWjass/Files/file+JASS_FILE_COPY_KEYWORD+JASS_OS_VERSION
In this option, the software copies the file only if the name of the keyword and OS version match the values specified by the JASS_FILE_COPY_KEYWORD and the JASS_OS_VERSION environment variables.
For example, if the file being searched for is /etc/hosts.allow, JASS_FILE_COPY_KEYWORD is "secure" (for secure.driver), and the JASS_OS_VERSION is 5.10, a file copied under this criterion could be:
/opt/SUNWjass/Files/etc/hosts.allow-secure+5.10
3. Keyword-specific version - /opt/SUNWjass/Files/file+JASS_FILE_COPY_KEYWORD
In this option, the software copies the file only if the keyword matches the value specified by the JASS_FILE_COPY_KEYWORD environment variable. For example, if the JASS_FILE_COPY_KEYWORD is "server", a file copied under this criterion could be:
/opt/SUNWjass/Files/etc/hosts.allow-server
4. OS-specific version - /opt/SUNWjass/Files/file+JASS_OS_REVISION
In this option, the software copies the file only if the OS revision of the target platform matches the value specified by the JASS_OS_REVISION environment variable. For example, if the file being searched for is /etc/hosts.allow and JASS_OS_REVISION is "5.10", a file copied under this criterion could be:
/opt/SUNWjass/Files/etc/hosts.allow+5.10
5. Generic version - /opt/SUNWjass/Files/file
In this option, the software copies the file to a target system.
For example, if the file name is etc/hosts.allow, a file copied under this criterion would be:
/opt/SUNWjass/Files/etc/hosts.allow
6. Source file is of size 0 - When the file length/size is zero, the file is not copied to the system.
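The precedence order above, written out as a small shell resolver. This is an added example, not the toolkit's copy_files code: resolve_template, make_sample_tree and the sample tree are constructed for illustration. It follows the page's sample file names (keyword joined with a hyphen, OS version with a plus) and assumes that a zero-length match suppresses the copy rather than falling through to a lower-precedence file.

```shell
#!/bin/sh
# Added illustration of the selection order; not the toolkit's copy_files.

# resolve_template FILES_DIR PATH
#   Prints the template that would be selected for PATH.
#   Returns 0 = selected, 1 = no template found, 2 = match is zero-length.
resolve_template() {
    files_dir=$1
    rel=${2#/}                         # accept /etc/issue or etc/issue
    base="$files_dir/$rel"
    host=${JASS_HOSTNAME:-}
    kw=${JASS_FILE_COPY_KEYWORD:-}
    # The page names both JASS_OS_REVISION and JASS_OS_VERSION for the suffix.
    os=${JASS_OS_REVISION:-${JASS_OS_VERSION:-}}

    # Build the candidate list in precedence order (rules 1-5).
    set --
    if [ -n "$host" ]; then set -- "$@" "$base.$host"; fi
    if [ -n "$kw" ] && [ -n "$os" ]; then set -- "$@" "$base-$kw+$os"; fi
    if [ -n "$kw" ]; then set -- "$@" "$base-$kw"; fi
    if [ -n "$os" ]; then set -- "$@" "$base+$os"; fi
    set -- "$@" "$base"

    for candidate in "$@"; do
        if [ -f "$candidate" ]; then
            if [ -s "$candidate" ]; then
                printf '%s\n' "$candidate"
                return 0
            fi
            return 2                   # rule 6 (assumed): empty match, no copy
        fi
    done
    return 1
}

# Constructed sample Files tree; prints the directory it created.
make_sample_tree() {
    tree=$(mktemp -d) || return 1
    mkdir -p "$tree/etc"
    for f in issue issue.eng1 motd hosts.allow hosts.allow+5.10 \
             hosts.allow-server hosts.allow-secure+5.10; do
        echo "constructed sample: $f" > "$tree/etc/$f"
    done
    : > "$tree/etc/motd.eng1"          # zero-length host-specific file
    printf '%s\n' "$tree"
}

# Demo, run in a subshell so the variables do not leak into the caller.
(
    tree=$(make_sample_tree) || exit 1
    JASS_HOSTNAME=eng1 JASS_FILE_COPY_KEYWORD=secure JASS_OS_REVISION=5.10
    for path in /etc/issue /etc/hosts.allow /etc/motd; do
        printf '%-18s -> ' "$path"
        resolve_template "$tree" "$path" || echo "(not copied, status $?)"
    done
    rm -rf "$tree"
)
```

Running the resolver against your own Files directory before a hardening run shows which variant each host will actually receive, which is useful when a host-specific file silently shadows a newer generic template.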
You can configure the Solaris Security Toolkit software by editing configuration files that reference environment variables. This feature allows you to use the Solaris Security Toolkit software drivers in different environments, without modifying finish or audit scripts directly.
All Solaris Security Toolkit environment variables are maintained in a set of configuration files. These configuration files are imported by drivers, which make the variables available to finish and audit scripts as they are called by the drivers.
The Solaris Security Toolkit software has three primary configuration files, all of which are stored in the Drivers directory:
This file contains environment variables that define aspects of the Solaris Security Toolkit software framework and overall operation.
Note - Do not alter the driver.init file, because it is overwritten when you upgrade to subsequent versions of the Solaris Security Toolkit software.
Core environment variables such as JASS_VERSION and JASS_ROOT_DIR are in the driver.init script.
This script loads the user.init script, thereby incorporating any user variables or environment variable overrides. This script also loads the contents of the finish.init file to set any finish script variables that might not have been defined. This script serves as the public interface used by drivers to load all of the variables used by the Solaris Security Toolkit software. None of the other initialization functions are supposed to be directly accessed by any of the driver, finish, or audit scripts.
Each of the environment variables included in this .init script is described in Chapter 7.
This file contains environment variables that define the behavior of the individual finish scripts. The two factors that contribute to how a system is hardened are as follows:
Note - Do not alter the finish.init file, because it is overwritten when you upgrade to subsequent versions of the Solaris Security Toolkit software.
Each of the environment variables included in this .init script is described in Chapter 7.
You can override variables defined in the driver.init and finish.init files by defining the variables in the user.init file. You can also add user-defined variables in this file. This feature allows administrators to customize the Solaris Security Toolkit software to suit their site needs and requirements without modifying the Solaris Security Toolkit software itself.
A user.init.SAMPLE is included to provide an example of what must be defined for the software to function properly. Copy user.init.SAMPLE to user.init, and then modify it to fit your environment. Because a user.init file is not included with the software, you can create and customize it without it being overwritten during subsequent software upgrades.
The user.init file provides default values for the following environment variables:
The default values for these two variables are JumpStart-server-IP address/jumpstart/Packages and JumpStart-server-IP address/jumpstart/Patches, respectively. These are the recommendations made in Chapter 5, Solaris Security Toolkit 4.2 Administration Guide and in the Sun BluePrints book JumpStart Technology: Effective Use in the Solaris Operating Environment. If you follow the recommendations made in these other sources, then no changes are required in the user.init.SAMPLE file. Simply copy this file to user.init.
However, if you move the JumpStart environment from one site to another, verify these variables, as they must be modified to reference your JumpStart server and directory paths. Each of these environment variables is described in Chapter 7.
You can also make modifications to the JASS_SVCS_ENABLE and JASS_SVCS_DISABLE variables and other environment variables through the user.init file. However, because variables might already be used in specific drivers, care must be taken when modifying the behavior of the Solaris Security Toolkit software.
For example, the suncluster3x-secure.driver uses JASS_SVCS_ENABLE to leave certain services enabled in the /etc/inetd.conf file. If you want other services enabled, create and customize a version of the suncluster3x driver file, comment out the definition of JASS_SVCS_ENABLE, and add a new JASS_SVCS_ENABLE definition to the user.init file.
Based on the order of variable definition, any definitions included in the user.init file overwrite all other definitions of that variable. Even so, it is still a good idea to comment out JASS_SVCS_ENABLE in the suncluster3x-secure.driver, although it is not required.
To Add a New Variable to the user.init script
You can add environment variables to the user.init script by doing the following.
1. Add the variable declaration with its default value.
2. Export the new variable in the user.init file.
This process provides a global default value that you can subsequently change as needed by overriding it within a security profile (driver).
In CODE EXAMPLE 3-1, the code adds a new variable, JASS_ACCT_DISABLE, to the user.init file to disable a list of user accounts. These accounts are disabled when finish scripts are run.
JASS_ACCT_DISABLE="user1 user2 user3"; export JASS_ACCT_DISABLE
To Append Entries to Variables Using the user.init File
CODE EXAMPLE 3-2 illustrates how to append entries to variables using the user.init file.
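An added sketch (not the manual's CODE EXAMPLE 3-2 and not toolkit code) of why appending needs care under the load order described earlier, where user.init is loaded first and finish.init then fills in variables that are not yet defined. The init files are constructed stand-ins, and JASS_DEMO_ALLOW and DEMO_DIR are hypothetical names.

```shell
#!/bin/sh
# Added illustration; the files below are constructed stand-ins for
# Drivers/finish.init and Drivers/user.init, not the toolkit's own files.
# JASS_DEMO_ALLOW and DEMO_DIR are hypothetical names.

make_init_files() {
    dir=$(mktemp -d) || return 1
    # finish.init stand-in: sets a default only if the variable is undefined.
    cat > "$dir/finish.init" <<'EOF'
if [ -z "${JASS_DEMO_ALLOW}" ]; then
    JASS_DEMO_ALLOW="root"
fi
export JASS_DEMO_ALLOW
EOF
    # Naive user.init: appends before any default value exists.
    cat > "$dir/user.init.naive" <<'EOF'
JASS_DEMO_ALLOW="${JASS_DEMO_ALLOW} operator"
export JASS_DEMO_ALLOW
EOF
    # Safe user.init: loads the defaults first, then appends to them.
    cat > "$dir/user.init.safe" <<'EOF'
. "${DEMO_DIR}/finish.init"
JASS_DEMO_ALLOW="${JASS_DEMO_ALLOW} operator"
export JASS_DEMO_ALLOW
EOF
    printf '%s\n' "$dir"
}

# load_like_driver_init DIR VARIANT
#   Sources user.init.VARIANT, then finish.init, in a subshell, and prints
#   the value the finish scripts would see.
load_like_driver_init() (
    DEMO_DIR=$1
    unset JASS_DEMO_ALLOW
    . "$DEMO_DIR/user.init.$2"
    . "$DEMO_DIR/finish.init"
    printf '%s\n' "$JASS_DEMO_ALLOW"
)

# Demo on the constructed files.
(
    dir=$(make_init_files) || exit 1
    printf 'naive append: [%s]\n' "$(load_like_driver_init "$dir" naive)"
    printf 'safe append:  [%s]\n' "$(load_like_driver_init "$dir" safe)"
    rm -rf "$dir"
)
```

In the naive variant the default entry is lost, because the appended value already defines the variable by the time the defaults are considered.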
The software uses the Files directory with the JASS_FILES environment variable and the copy_files function. This directory stores file templates that are copied to a JumpStart client during a hardening run.
The following file templates are in the Files directory, and the following subsections describe each of these files:
This configuration file is provided as a sample. It provides some base-level configuration for csh users by setting some common csh variables such as file completion and history. In addition, it sets the kill and erase terminal options, as well as a command-line prompt that includes the path to the current working directory.
This file is installed by the set-root-home-dir.fin script if ROOT_HOME_DIR is a forward slash (/). Otherwise, the Solaris Security Toolkit uses root/.cshrc if the ROOT_HOME_DIR is /root, the default value.
This configuration file is provided as a sample. As distributed with the software, this configuration only defines a UMASK, the PATH, and MANPATH for any root sh started shells.
This file is installed by the set-root-home-dir.fin script if ROOT_HOME_DIR is a forward slash (/). Otherwise, the Solaris Security Toolkit uses root/.profile if the ROOT_HOME_DIR is /root, the default value.
Note - This file is used only for systems running the Solaris 8 OS.
With the release of Solaris 8 OS, a sendmail configuration file can be used to run sendmail in queue processing mode only. This file is copied only onto Solaris 8 OS systems being hardened by the disable-sendmail.fin script.
The disable-sendmail.fin script is OS-version aware and modifies the behavior of sendmail based on the OS being hardened. For more information, refer to the Sun BluePrints OnLine article titled "Solaris Operating Environment Security: Updated for Solaris 9 OE."
By default, this file is copied by the disable-sendmail.fin to any Solaris 8 OS being hardened.
This file disables all remote access, whether direct or broadcast, to any X server running on the system. Depending on the X support requirements and the environment the Solaris Security Toolkit software is used in, this file might not be appropriate.
By default, this file is copied by the hardening.driver to the system being hardened.
Note - This file is used only on systems running Solaris OS versions 9 and 10.
This defines the connection banner for the File Transfer Protocol (FTP) service.
By default, this file is copied by the server-secure.driver to the system being hardened by the set-banner-ftpd.fin script.
Note - These two files are used only on systems running Solaris OS versions 9 and 10.
These two files are installed on the Solaris 9 and 10 OS systems by the finish script enable-tcpwrappers.fin. After installing the hosts.allow and hosts.deny files, the finish script enables Transmission Control Protocol (TCP) wrappers by:
The hosts.allow and hosts.deny files are samples to customize for your security profile based on local policies, procedures, and requirements. The secure driver version of the hosts.allow file defines permitted Solaris Secure Shell (SSH) access to be LOCAL, which means that SSH connections are only permitted from the subnet to which the system is connected. The secure driver version of the hosts.deny file is to deny all connection attempts not permitted in the hosts.allow.
By default, this file is copied by the enable-tcpwrappers.fin to the system being hardened.
Note - This file is used only on systems running Solaris OS versions 9 and 10.
This hosts.allow file for Sun Fire high-end systems is used to control access using the tcpwrappers(4) command. The file is installed by the enable-tcpwrappers.fin script, and should be configured to meet your site's requirements.
Note - This file is used only on systems running Solaris OS versions 9 and 10.
This hosts.allow file for Sun servers other than Sun Fire high-end systems is used to control access using the tcpwrappers(4) command. The file is installed by the enable-tcpwrappers.fin script, and should be configured to meet your site's requirements.
Note - This file is used only on systems running Solaris OS versions 9 and 10.
This hosts.allow file for Sun Cluster systems is used to control access using the tcpwrappers(4) command. The file is installed by the enable-tcpwrappers.fin script, and should be configured to meet your site's requirements.
Caution - After you have applied the suncluster3x-secure.driver, you need to add the fully qualified domain names of the cluster nodes to the hosts.allow-suncluster file.
This file copies over the nddconfig startup script required to implement network settings, which improves security. For information about configuring network settings for security, refer to the Sun BluePrints OnLine article titled "Solaris Operating Environment Network Settings for Security: Updated for the Solaris 9 Operating Environment."
By default, this file is copied by the hardening.driver to the system being hardened.
This file sets the correct permissions on the /tmp and /var/tmp directories when a system is rebooted. If an inconsistency is found, it is displayed to standard output and logged using SYSLOG. This file is installed in /etc/rc2.d twice to permit this check to be performed both before and after the mountall command is run from S01MOUNTFSYS. This check helps ensure that both the mount point and the mounted file system have the correct permissions and ownership.
By default, this file is copied by the hardening.driver to the system being hardened.
This file, in combination with the /etc/rc2.d/S73sms_arpconfig, /etc/sms_domain_arp, and /etc/sms_sc_arp files, is for use on Sun Fire high-end systems to implement static Address Resolution Protocol (ARP) on the internal IP-based management network for additional security. For information about how to use these capabilities, refer to the Sun BluePrints OnLine articles titled "Securing the Sun Fire 12K and 15K System Controllers" and "Securing the Sun Fire 12K and 15K Domains."
By default, this file is copied by the s15k-static-arp.fin to the system being hardened.
This file is used by the disable-nfs-client.[fin|aud] scripts to ensure that swap space is added using the swapadd command even when NFS is disabled.
These files are based on United States government recommendations and provide legal notice that user activities could be monitored. If an organization has specific legal banners, they can be installed into these files.
These files are provided as default templates. Have your legal counsel provide or review notices that apply to your organization.
By default, this file is copied by the hardening.driver to the system being hardened.
Note - Use this file only with systems running the Solaris 9 OS or earlier versions.
This file is used to disable IP forwarding between interfaces on systems running the Solaris 9 OS and earlier releases by creating an /etc/notrouter file. The client no longer functions as a router regardless of the number of network interfaces.
By default, this file is copied by the hardening.driver to the system being hardened.
This file is a general ipfilter configuration file, used by the ipfilter service (svc:/network/ipfilter:default). This service is enabled by the enable-ipfilter.fin script, and the file is installed. This file should be configured to meet your site's requirements.
This file is an ipfilter configuration file for Sun Fire high-end systems system controllers, used by the ipfilter service (svc:/network/ipfilter:default). This service is enabled by the enable-ipfilter.fin script, and the file is installed. This file should be configured to meet your site's requirements.
This file is an ipfilter configuration file for Sun servers, used by the ipfilter service (svc:/network/ipfilter:default). This service is enabled by the enable-ipfilter.fin script, and the file is installed. This file should be configured to meet your site's requirements.
Note - These files are symbolic links to /etc/init.d/set-tmp-permissions.
These files set the correct permissions on the /tmp and /var/tmp directories when a system is rebooted. If an inconsistency is found, it is displayed to standard output and logged using SYSLOG. These scripts are installed into /etc/rc2.d twice to permit this check to be performed both before and after the mountall command is run from S01MOUNTFSYS. This check helps ensure that both the mount point and the mounted file system have the correct permissions and ownership.
By default, these files are copied by the hardening.driver to the system being hardened.
Note - This file is a symbolic link to /etc/init.d/nddconfig.
This file copies over the S70nddconfig startup script required to implement network settings, which improves security. Refer to the Sun BluePrints OnLine article titled "Solaris Operating Environment Network Settings for Security: Updated for Solaris 9 Operating Environment."
By default, this file is copied by the hardening.driver to the system being hardened.
Note - This file is a symbolic link to /etc/init.d/sms_arpconfig.
This file, in combination with the /etc/init.d/sms_arpconfig, /etc/sms_domain_arp, and /etc/sms_sc_arp files, is for use on Sun Fire high-end systems to implement static Address Resolution Protocol (ARP) on the internal IP-based management network for additional security. For information about how to use these capabilities, refer to the Sun BluePrints OnLine articles titled "Securing the Sun Fire 12K and 15K System Controllers" and "Securing the Sun Fire 12K and 15K Domains."
By default, this file is copied by the s15k-static-arp.fin to the system being hardened.
This file is installed when disable-nfs-client.fin runs. As disable-nfs-client.fin normally starts the swap space, this run-control script is added by the Solaris Security Toolkit software to perform this task.
This is a configuration file for the Solaris OS auditing subsystem, also referred to as the Solaris Basic Security Module. If you add this file to a Solaris 8, 9, or 10 OS system, it configures the auditing subsystem.
This file is installed by the Solaris Security Toolkit software on Solaris 8, 9, and 10 OS systems. For more information, refer to the Sun BluePrints OnLine article titled "Auditing in the Solaris 8 Operating Environment."
By default, these files are copied by the enable-bsm.fin to the Solaris 8, 9, or 10 OS being hardened.
These are configuration files for the Solaris OS auditing subsystem, also referred to as the Solaris Basic Security Module. If you add these files to a Solaris 8 OS system, it configures the auditing subsystem.
These files are installed by the Solaris Security Toolkit software on Solaris 8 OS systems. For more information, refer to the Sun BluePrints OnLine article titled "Auditing in the Solaris 8 Operating Environment."
By default, these files are copied by the enable-bsm.fin to any Solaris 8 OS being hardened.
These are configuration files for the Solaris OS auditing subsystem, also referred to as the Solaris Basic Security Module. If you add these files to a Solaris 9 OS system, it configures the auditing subsystem.
These files are installed by the Solaris Security Toolkit software on Solaris 9 OS systems. For more information, refer to the Sun BluePrints OnLine article titled "Auditing in the Solaris 8 Operating Environment."
By default, these files are copied by the enable-bsm.fin to any Solaris 9 OS being hardened.
These files, in combination with the /etc/init.d/sms_arpconfig and /etc/S70sms_arpconfig files, are for use on Sun Fire high-end systems to implement static Address Resolution Protocol (ARP) on the internal IP-based management network for additional security. For information about how to use these capabilities, refer to the Sun BluePrints OnLine articles titled "Securing the Sun Fire 12K and 15K System Controllers" and "Securing the Sun Fire 12K and 15K Domains."
By default, these files are copied by the s15k-static-arp.fin to the system being hardened.
This file performs additional logging. It serves as a placeholder for organizations to add their own centralized log servers so that proactive log analysis can be done.
By default, this file is copied by the hardening.driver to the system being hardened.
This configuration file is provided as a sample. It provides some base-level configuration for csh users by setting some common csh variables such as file completion and history. In addition, it sets the kill and erase terminal options, as well as a command-line prompt that includes the path to the current working directory.
This configuration file is provided as a sample. As distributed with the software, this configuration only defines a UMASK, the PATH, and MANPATH for any root sh started shells.
This rules file is used by the Basic Auditing and Reporting Tool (BART) in Solaris 10 OS systems in the enable-bart{.fin|aud} scripts. See enable-bart.fin for details of the rules file.
This rules file is used by the secure.driver for the Basic Auditing and Reporting Tool (BART) in Solaris 10 OS systems in the enable-bart{.fin|aud} scripts. See enable-bart.fin for details of the rules file.
Copyright © 2005, Sun Microsystems, Inc. All Rights Reserved.