Submit comments about this document at: http://www.sun.com/hwdocs/feedback
Copyright 2005 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, California 95054, U.S.A. All rights reserved.
Sun Microsystems, Inc. has intellectual property rights relating to technology that is described in this document. In particular, and without
limitation, these intellectual property rights may include one or more of the U.S. patents listed at http://www.sun.com/patents and one or
more additional patents or pending patent applications in the U.S. and in other countries.
This document and the product to which it pertains are distributed under licenses restricting their use, copying, distribution, and
decompilation. No part of the product or of this document may be reproduced in any form by any means without prior written authorization of
Sun and its licensors, if any.
Third-party software, including font technology, is copyrighted and licensed from Sun suppliers.
Parts of the product may be derived from Berkeley BSD systems, licensed from the University of California. UNIX is a registered trademark in
the U.S. and in other countries, exclusively licensed through X/Open Company, Ltd.
Sun, Sun Microsystems, the Sun logo, Sun BluePrints, Solaris, SunOS, Java, iPlanet, JumpStart, SunSolve, AnswerBook2, Sun Enterprise, Sun
Enterprise Authentication Mechanism, Sun Fire, SunSoft, SunSHIELD, OpenBoot, and Solstice DiskSuite are trademarks or registered
trademarks of Sun Microsystems, Inc. in the U.S. and in other countries.
All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. in the U.S. and in other
countries. Products bearing SPARC trademarks are based upon an architecture developed by Sun Microsystems, Inc. ORACLE is a registered
trademark of Oracle Corporation.
The OPEN LOOK and Sun™ Graphical User Interface was developed by Sun Microsystems, Inc. for its users and licensees. Sun acknowledges
the pioneering efforts of Xerox in researching and developing the concept of visual or graphical user interfaces for the computer industry. Sun
holds a non-exclusive license from Xerox to the Xerox Graphical User Interface, which license also covers Sun’s licensees who implement OPEN
LOOK GUIs and otherwise comply with Sun’s written license agreements.
U.S. Government Rights—Commercial use. Government users are subject to the Sun Microsystems, Inc. standard license agreement and
applicable provisions of the FAR and its supplements.
DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES,
INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT,
ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID.
Contents
Preface
1. Introduction to Solaris 10 Operating System Support
Using Perl With Solaris Security Toolkit 4.2 Software
SMF and Legacy Services on Solaris 10 OS
Scripts That Use the SMF-Ready Services Interface
Scripts That SMF Recognizes as Legacy Services
New Scripts for Solaris Security Toolkit 4.2 Release
Scripts Not Used for Solaris 10
Environment Variables Not Used for Solaris 10
Using Solaris 10 OS Zones
Sequence Matters in Hardening Global and Non-Global Zones
Harden a Non-Global Zone From Within That Zone
Some Scripts Are Not Relevant to Non-Global Zones
Audits of Non-Global Zones Are Separate and Distinct From Audits of Global Zones
Zone-Aware Finish and Audit Scripts
Some Zone-Aware Scripts Require Action Before Use in Non-Global Zones
rpcbind Disabled or Enabled Based on Drivers
▼ To Enable rpcbind
Using TCP Wrappers
TCP Wrappers Configuration for secure.driver
TCP Wrappers Configuration for server-secure.driver
TCP Wrappers Configuration for suncluster3x-secure.driver
TCP Wrappers Configuration for sunfire_15k_sc-secure.driver
Defining Environment Variables
Earlier Solaris Security Toolkit Versions
Solaris Security Toolkit 4.2
2. Framework Functions
Customizing Framework Functions
Using Common Log Functions
logBanner
logDebug
logError
logFailure
logFileContentsExist and logFileContentsNotExist
logFileExists and logFileNotExists
logFileGroupMatch and logFileGroupNoMatch
logFileModeMatch and logFileModeNoMatch
logFileNotFound
logFileOwnerMatch and logFileOwnerNoMatch
logFileTypeMatch and logFileTypeNoMatch
iv Solaris Security Toolkit 4.2 Reference Manual • July 2005
logFinding
logFormattedMessage
logInvalidDisableMode
logInvalidOSRevision
logMessage
logNotGlobalZone
logNotice
logPackageExists and logPackageNotExists
logPatchExists and logPatchNotExists
logProcessArgsMatch and logProcessArgsNoMatch
logProcessExists and logProcessNotExists
logProcessNotFound
logScore
logScriptFailure
logServiceConfigExists and logServiceConfigNotExists
logServiceDisabled and logServiceEnabled
logServiceInstalled and logServiceNotInstalled
logServiceOptionDisabled and logServiceOptionEnabled
logServiceProcessList
logServicePropDisabled and logServicePropEnabled
logServiceRunning and logServiceNotRunning
logStartScriptExists and logStartScriptNotExists
logStopScriptExists and logStopScriptNotExists
logSuccess
logSummary
logUserLocked and logUserNotLocked
logUndoBackupWarning
logWarning
Using Common Miscellaneous Functions
adjustScore
checkLogStatus
clean_path
extractComments
get_driver_report
get_lists_conjunction
get_lists_disjunction
invalidVulnVal
isNumeric
printPretty
printPrettyPath
strip_path
Using Driver Functions
add_crontab_entry_if_missing
add_option_to_ftpd_property
add_patch
add_pkg
add_to_manifest
backup_file
backup_file_in_safe_directory
change_group
change_mode
change_owner
check_and_log_change_needed
check_os_min_version
check_os_revision
check_readOnlyMounted
checksum
convert_inetd_service_to_frmi
copy_a_dir
copy_a_file
copy_a_symlink
copy_files
create_a_file
create_file_timestamp
disable_conf_file
disable_file
disable_rc_file
disable_service
enable_service
find_sst_run_with
get_expanded_file_name
get_stored_keyword_val
get_users_with_retries_set
is_patch_applied and is_patch_not_applied
is_service_enabled
is_service_installed
is_service_running
is_user_account_extant
is_user_account_locked
is_user_account_login_not_set
is_user_account_passworded
lock_user_account
make_link
mkdir_dashp
move_a_file
rm_pkg
set_service_property_value
set_stored_keyword_val
unlock_user_account
update_inetconv_in_upgrade
warn_on_default_files
write_val_to_file
Using Audit Functions
check_fileContentsExist and check_fileContentsNotExist
check_fileExists and check_fileNotExists
check_fileGroupMatch and check_fileGroupNoMatch
check_fileModeMatch and check_fileModeNoMatch
check_fileOwnerMatch and check_fileOwnerNoMatch
check_fileTemplate
check_fileTypeMatch and check_fileTypeNoMatch
check_if_crontab_entry_present
check_keyword_value_pair
check_minimized
check_minimized_service
check_packageExists and check_packageNotExists
check_patchExists and check_patchNotExists
check_processArgsMatch and check_processArgsNoMatch
check_processExists and check_processNotExists
check_serviceConfigExists and check_serviceConfigNotExists
check_serviceDisabled and check_serviceEnabled
check_serviceInstalled and check_serviceNotInstalled
check_serviceOptionEnabled and check_serviceOptionDisabled
check_servicePropDisabled
check_serviceRunning and check_serviceNotRunning
check_startScriptExists and check_startScriptNotExists
check_stopScriptExists and check_stopScriptNotExists
check_userLocked and check_userNotLocked
finish_audit
get_cmdFromService
start_audit
3. File Templates
Customizing File Templates
▼ To Customize a File Template
Understanding Criteria for How Files Are Copied
Using Configuration Files
driver.init
finish.init
user.init.SAMPLE
▼ To Add a New Variable to the user.init script
▼ To Append Entries to Variables Using the user.init File
Using File Templates
.cshrc
.profile
etc/default/sendmail
etc/dt/config/Xaccess
etc/ftpd/banner.msg
etc/hosts.allow and etc/hosts.deny
etc/hosts.allow-15k_sc
etc/hosts.allow-server
etc/hosts.allow-suncluster
etc/init.d/nddconfig
etc/init.d/set-tmp-permissions
etc/init.d/sms_arpconfig
etc/init.d/swapadd
etc/issue and etc/motd
etc/notrouter
etc/opt/ipf/ipf.conf
etc/opt/ipf/ipf.conf-15k_sc
etc/opt/ipf/ipf.conf-server
etc/rc2.d/S00set-tmp-permissions and etc/rc2.d/S07set-tmp-permissions
etc/rc2.d/S70nddconfig
etc/rc2.d/S73sms_arpconfig
etc/rc2.d/S77swapadd
etc/security/audit_control
etc/security/audit_class+5.8 and etc/security/audit_event+5.8
etc/security/audit_class+5.9 and etc/security/audit_event+5.9
etc/sms_domain_arp and /etc/sms_sc_arp
etc/syslog.conf
root/.cshrc
root/.profile
var/opt/SUNWjass/BART/rules
var/opt/SUNWjass/BART/rules-secure
4. Drivers
Understanding Driver Functions and Processes
Load Functionality Files
Perform Basic Checks
Load User Functionality Overrides
Mount File Systems to JumpStart Client
Copy or Audit Files
Execute Scripts
Compute Total Score for the Run
Unmount File Systems From JumpStart Client
Customizing Drivers
▼ To Customize a Driver
Using Standard Drivers
config.driver
hardening.driver
secure.driver
Using Product-Specific Drivers
server-secure.driver
suncluster3x-secure.driver
sunfire_15k_sc-secure.driver
5. Finish Scripts
Customizing Finish Scripts
Customize Existing Finish Scripts
▼ To Customize a Finish Script
Prevent kill Scripts From Being Disabled
Create New Finish Scripts
Using Standard Finish Scripts
Disable Finish Scripts
disable-ab2.fin
disable-apache.fin
disable-apache2.fin
disable-appserv.fin
disable-asppp.fin
disable-autoinst.fin
disable-automount.fin
disable-dhcp.fin
disable-directory.fin
disable-dmi.fin
disable-dtlogin.fin
disable-face-log.fin
disable-IIim.fin
disable-ipv6.fin
disable-kdc.fin
disable-keyboard-abort.fin
disable-keyserv-uid-nobody.fin
disable-ldap-client.fin
disable-lp.fin
disable-mipagent.fin
disable-named.fin
disable-nfs-client.fin
disable-nfs-server.fin
disable-nscd-caching.fin
disable-picld.fin
disable-power-mgmt.fin
disable-ppp.fin
disable-preserve.fin
disable-remote-root-login.fin
disable-rhosts.fin
disable-routing.fin
disable-rpc.fin
disable-samba.fin
disable-sendmail.fin
disable-slp.fin
disable-sma.fin
disable-snmp.fin
disable-spc.fin
disable-ssh-root-login.fin
disable-syslogd-listen.fin
disable-system-accounts.fin
disable-uucp.fin
disable-vold.fin
disable-wbem.fin
disable-xfs.fin
disable-xserver.listen.fin
Enable Finish Scripts
enable-account-lockout.fin
enable-bart.fin
enable-bsm.fin
enable-coreadm.fin
enable-ftpaccess.fin
enable-ftp-syslog.fin
enable-inetd-syslog.fin
enable-ipfilter.fin
enable-password-history.fin
enable-priv-nfs-ports.fin
enable-process-accounting.fin
enable-rfc1948.fin
enable-stack-protection.fin
enable-tcpwrappers.fin
Install Finish Scripts
install-at-allow.fin
install-fix-modes.fin
install-ftpusers.fin
install-jass.fin
install-loginlog.fin
install-md5.fin
install-nddconfig.fin
install-newaliases.fin
install-openssh.fin
install-recommended-patches.fin
install-sadmind-options.fin
install-security-mode.fin
install-shells.fin
install-strong-permissions.fin
install-sulog.fin
install-templates.fin
Print Finish Scripts
print-jass-environment.fin
print-jumpstart-environment.fin
print-rhosts.fin
print-sgid-files.fin
print-suid-files.fin
print-unowned-objects.fin
print-world-writable-objects.fin
Remove Finish Script
remove-unneeded-accounts.fin
Set Finish Scripts
set-banner-dtlogin.fin
set-banner-ftpd.fin
set-banner-sendmail.fin
set-banner-sshd.fin
set-banner-telnet.fin
set-flexible-crypt.fin
set-ftpd-umask.fin
set-login-retries.fin
set-power-restrictions.fin
set-rmmount-nosuid.fin
set-root-group.fin
set-root-home-dir.fin
set-root-password.fin
set-strict-password-checks.fin
set-sys-suspend-restrictions.fin
set-system-umask.fin
set-term-type.fin
set-tmpfs-limit.fin
set-user-password-reqs.fin
set-user-umask.fin
Update Finish Scripts
update-at-deny.fin
update-cron-allow.fin
update-cron-deny.fin
update-cron-log-size.fin
update-inetd-conf.fin
Using Product-Specific Finish Scripts
suncluster3x-set-nsswitch-conf.fin
s15k-static-arp.fin
s15k-exclude-domains.fin
s15k-sms-secure-failover.fin
6. Audit Scripts
Customizing Audit Scripts
Customize Standard Audit Scripts
▼ To Customize An Audit Script
Create New Audit Scripts
Using Standard Audit Scripts
Disable Audit Scripts
disable-ab2.aud
disable-apache.aud
disable-apache2.aud
disable-appserv.aud
disable-asppp.aud
disable-autoinst.aud
disable-automount.aud
disable-dhcpd.aud
disable-directory.aud
disable-dmi.aud
disable-dtlogin.aud
disable-face-log.aud
disable-IIim.aud
disable-ipv6.aud
disable-kdc.aud
disable-keyboard-abort.aud
disable-keyserv-uid-nobody.aud
disable-ldap-client.aud
disable-lp.aud
disable-mipagent.aud
disable-named.aud
disable-nfs-client.aud
disable-nfs-server.aud
disable-nscd-caching.aud
disable-picld.aud
disable-power-mgmt.aud
disable-ppp.aud
disable-preserve.aud
disable-remote-root-login.aud
disable-rhosts.aud
disable-routing.aud
disable-rpc.aud
disable-samba.aud
disable-sendmail.aud
disable-slp.aud
disable-sma.aud
disable-snmp.aud
disable-spc.aud
disable-ssh-root-login.aud
disable-syslogd-listen.aud
disable-system-accounts.aud
disable-uucp.aud
disable-vold.aud
disable-wbem.aud
disable-xfs.aud
disable-xserver.listen.aud
Enable Audit Scripts
enable-account-lockout.aud
enable-bart.aud
enable-bsm.aud
enable-coreadm.aud
enable-ftp-syslog.aud
enable-ftpaccess.aud
enable-inetd-syslog.aud
enable-ipfilter.aud
enable-password-history.aud
enable-priv-nfs-ports.aud
enable-process-accounting.aud
enable-rfc1948.aud
enable-stack-protection.aud
enable-tcpwrappers.aud
Install Audit Scripts
install-at-allow.aud
install-fix-modes.aud
install-ftpusers.aud
install-jass.aud
install-loginlog.aud
install-md5.aud
install-nddconfig.aud
install-newaliases.aud
install-openssh.aud
install-recommended-patches.aud
install-sadmind-options.aud
install-security-mode.aud
install-shells.aud
install-strong-permissions.aud
install-sulog.aud
install-templates.aud
Print Audit Scripts
print-jass-environment.aud
print-jumpstart-environment.aud
print-rhosts.aud
print-sgid-files.aud
print-suid-files.aud
print-unowned-objects.aud
print-world-writable-objects.aud
Remove Audit Script
remove-unneeded-accounts.aud
Set Audit Scripts
set-banner-dtlogin.aud
set-banner-ftpd.aud
set-banner-sendmail.aud
set-banner-sshd.aud
set-banner-telnet.aud
set-flexible-crypt.aud
set-ftpd-umask.aud
set-login-retries.aud
set-power-restrictions.aud
set-rmmount-nosuid.aud
set-root-group.aud
set-root-home-dir.aud
set-root-password.aud
set-strict-password-checks.aud
set-sys-suspend-restrictions.aud
set-system-umask.aud
set-term-type.aud
set-tmpfs-limit.aud
set-user-password-reqs.aud
set-user-umask.aud
Update Audit Scripts
update-at-deny.aud
update-cron-allow.aud
update-cron-deny.aud
update-cron-log-size.aud
update-inetd-conf.aud
Using Product-Specific Audit Scripts
suncluster3x-set-nsswitch-conf.aud
s15k-static-arp.aud
s15k-exclude-domains.aud
s15k-sms-secure-failover.aud
7. Environment Variables
Customizing and Assigning Variables
Assigning Static Variables
Assigning Dynamic Variables
Assigning Complex Substitution Variables
Assigning Global and Profile-Based Variables
Creating Environment Variables
Using Environment Variables
Defining Framework Variables
JASS_AUDIT_DIR
JASS_CHECK_MINIMIZED
JASS_CONFIG_DIR
JASS_DISABLE_MODE
JASS_DISPLAY_HOST_LENGTH
JASS_DISPLAY_HOSTNAME
JASS_DISPLAY_SCRIPT_LENGTH
JASS_DISPLAY_SCRIPTNAME
JASS_DISPLAY_TIME_LENGTH
JASS_DISPLAY_TIMESTAMP
JASS_FILE_COPY_KEYWORD
JASS_FILES
JASS_FILES_DIR
JASS_FINISH_DIR
JASS_HOME_DIR
JASS_HOSTNAME
JASS_ISA_CAPABILITY
JASS_LOG_BANNER
JASS_LOG_ERROR
JASS_LOG_FAILURE
JASS_LOG_NOTICE
JASS_LOG_SUCCESS
JASS_LOG_SUMMARY
JASS_LOG_WARNING
JASS_MODE
JASS_OS_REVISION
JASS_OS_TYPE
JASS_PACKAGE_DIR
JASS_PATCH_DIR
JASS_PKG
JASS_REPOSITORY
JASS_ROOT_DIR
JASS_ROOT_HOME_DIR
JASS_RUN_AUDIT_LOG
JASS_RUN_CHECKSUM
JASS_RUN_CLEAN_LOG
JASS_RUN_FINISH_LIST
JASS_RUN_INSTALL_LOG
JASS_RUN_MANIFEST
JASS_RUN_SCRIPT_LIST
JASS_RUN_UNDO_LOG
JASS_RUN_VALUES
JASS_RUN_VERSION
JASS_SAVE_BACKUP
JASS_SCRIPT
JASS_SCRIPT_ERROR_LOG
JASS_SCRIPT_FAIL_LOG
JASS_SCRIPT_NOTE_LOG
JASS_SCRIPT_WARN_LOG
JASS_SCRIPTS
JASS_STANDALONE
JASS_SUFFIX
JASS_TIMESTAMP
JASS_UNAME
JASS_UNDO_TYPE
JASS_USER_DIR
JASS_VERBOSITY
JASS_VERSION
JASS_ZONE_NAME
Define Script Behavior Variables
JASS_ACCT_DISABLE
JASS_ACCT_REMOVE
JASS_AGING_MAXWEEKS
JASS_AGING_MINWEEKS
JASS_AGING_WARNWEEKS
JASS_AT_ALLOW
JASS_AT_DENY
JASS_BANNER_DTLOGIN
JASS_BANNER_FTPD
JASS_BANNER_SENDMAIL
JASS_BANNER_SSHD
JASS_BANNER_TELNETD
JASS_CORE_PATTERN
JASS_CPR_MGT_USER
JASS_CRON_ALLOW
JASS_CRON_DENY
JASS_CRON_LOG_SIZE
JASS_CRYPT_ALGORITHMS_ALLOW
JASS_CRYPT_DEFAULT
JASS_CRYPT_FORCE_EXPIRE
JASS_FIXMODES_DIR
JASS_FIXMODES_OPTIONS
JASS_FTPD_UMASK
JASS_FTPUSERS
JASS_KILL_SCRIPT_DISABLE
JASS_LOGIN_RETRIES
JASS_MD5_DIR
JASS_NOVICE_USER
JASS_PASS_ Environment Variables
JASS_PASS_DICTIONDBDIR
JASS_PASS_DICTIONLIST
JASS_PASS_HISTORY
JASS_PASS_LENGTH
JASS_PASS_MAXREPEATS
JASS_PASS_MINALPHA
JASS_PASS_MINDIFF
JASS_PASS_MINDIGIT
JASS_PASS_MINLOWER
JASS_PASS_MINNONALPHA
JASS_PASS_MINSPECIAL
JASS_PASS_MINUPPER
JASS_PASS_NAMECHECK
JASS_PASS_WHITESPACE
JASS_PASSWD
JASS_POWER_MGT_USER
JASS_REC_PATCH_OPTIONS
JASS_RHOSTS_FILE
JASS_ROOT_GROUP
JASS_ROOT_PASSWORD
JASS_SADMIND_OPTIONS
JASS_SENDMAIL_MODE
JASS_SGID_FILE
JASS_SHELLS
JASS_SUID_FILE
JASS_SUSPEND_PERMS
JASS_SVCS_DISABLE
JASS_SVCS_ENABLE
JASS_TMPFS_SIZE
JASS_UMASK
JASS_UNOWNED_FILE
JASS_WRITABLE_FILE
Define JumpStart Mode Variables
JASS_PACKAGE_MOUNT
JASS_PATCH_MOUNT
Glossary
Index
Tables
TABLE 1-1 Solaris Security Toolkit Scripts That Use the SMF-Ready Services Interface
TABLE 1-2 Solaris Security Toolkit Scripts That SMF Recognizes as Legacy Services
TABLE 1-3 Solaris Security Toolkit Scripts Not Used for Solaris 10