Sun Microsystems Solaris Security Toolkit Reference Manual

Download

Solaris™ Security Toolkit 4.2

Reference Manual

Sun Microsystems, Inc. www.sun.com

Part No. 819-1503-10 July 2005, Revision A

Submit comments about this document at: http://www.sun.com/hwdocs/feedback

Copyright 2005 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, California 95054, U.S.A. All rights reserved. Sun Microsystems, Inc. has intellectual property rights relating to technology that is described in this document. In particular, and without

limitation, these intellectual property rights may include one or more of the U.S. patents listed at http://www.sun.com/patents and one or more additional patents or pending patent applications in the U.S. and in other countries.

This document and the product to which it pertains are distributed under licenses restricting their use, copying, distribution, and decompilation. No part of the product or of this document may be reproduced in any form by any means without prior written authorization of Sun and its licensors, if any.

Third-party software, including font technology, is copyrighted and licensed from Sun suppliers. Parts of the product may be derived from Berkeley BSD systems, licensed from the University of California. UNIX is a registered trademark in

the U.S. and in other countries, exclusively licensed through X/Open Company, Ltd. Sun, Sun Microsystems, the Sun logo, Sun BluePrints, Solaris, SunOS, Java, iPlanet, JumpStart, SunSolve, AnswerBook2, Sun Enterprise, Sun

Enterprise Authentication Mechanism, Sun Fire, SunSoft, SunSHIELD, OpenBoot, and Solstice DiskSuite are trademarks or registered trademarks of Sun Microsystems, Inc. in the U.S. and in other countries.

All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. in the U.S. and in other countries. Products bearing SPARC trademarks are based upon an architecture developed by Sun Microsystems, Inc. ORACLE is a registered trademark of Oracle Corporation.

The OPEN LOOK and Sun™ Graphical User Interface was developed by Sun Microsystems, Inc. for its users and licensees. Sun acknowledges the pioneering efforts of Xerox in researching and developing the concept of visual or graphical user interfaces for the computer industry. Sun holds a non-exclusive license from Xerox to the Xerox Graphical User Interface, which license also covers Sun’s licensees who implement OPEN LOOK GUIs and otherwise comply with Sun’s written license agreements.

U.S. Government Rights—Commercial use. Government users are subject to the Sun Microsystems, Inc. standard license agreement and applicable provisions of the FAR and its supplements.

DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID.

Copyright 2005 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, Californie 95054, Etats-Unis. Tous droits réservés. Sun Microsystems, Inc. a les droits de propriété intellectuels relatants à la technologie qui est décrit dans ce document. En particulier, et sans la

limitation, ces droits de propriété intellectuels peuvent inclure un ou plus des brevets américains énumérés à http://www.sun.com/patents et un ou les brevets plus supplémentaires ou les applications de brevet en attente dans les Etats-Unis et dans les autres pays.

Ce produit ou document est protégé par un copyright et distribué avec des licences qui en restreignent l’utilisation, la copie, la distribution, et la décompilation. Aucune partie de ce produit ou document ne peut être reproduite sous aucune forme, par quelque moyen que ce soit, sans l’autorisation préalable et écrite de Sun et de ses bailleurs de licence, s’il y en a.

Le logiciel détenu par des tiers, et qui comprend la technologie relative aux polices de caractères, est protégé par un copyright et licencié par des fournisseurs de Sun.

Des parties de ce produit pourront être dérivées des systèmes Berkeley BSD licenciés par l’Université de Californie. UNIX est une marque déposée aux Etats-Unis et dans d’autres pays et licenciée exclusivement par X/Open Company, Ltd.

Sun, Sun Microsystems, le logo Sun, Sun BluePrints, Solaris, SunOS, Java, iPlanet, JumpStart, SunSolve, AnswerBook2, Sun Enterprise, Sun Enterprise Authentication Mechanism, Sun Fire, SunSoft, SunSHIELD, OpenBoot, and Solstice DiskSuite sont des marques de fabrique ou des marques déposées de Sun Microsystems, Inc. aux Etats-Unis et dans d’autres pays.

Toutes les marques SPARC sont utilisées sous licence et sont des marques de fabrique ou des marques déposées de SPARC International, Inc. aux Etats-Unis et dans d’autres pays. Les produits portant les marques SPARC sont basés sur une architecture développée par Sun Microsystems, Inc. ORACLE est une marque déposée registre de Oracle Corporation.

L’interface d’utilisation graphique OPEN LOOK et Sun™ a été développée par Sun Microsystems, Inc. pour ses utilisateurs et licenciés. Sun reconnaît les efforts de pionniers de Xerox pour la recherche et le développement du concept des interfaces d’utilisation visuelle ou graphique pour l’industrie de l’informatique. Sun détient une license non exclusive de Xerox sur l’interface d’utilisation graphique Xerox, cette licence couvrant également les licenciées de Sun qui mettent en place l’interface d’utilisation graphique OPEN LOOK et qui en outre se conforment aux licences écrites de Sun.

LA DOCUMENTATION EST FOURNIE "EN L’ÉTAT" ET TOUTES AUTRES CONDITIONS, DECLARATIONS ET GARANTIES EXPRESSES OU TACITES SONT FORMELLEMENT EXCLUES, DANS LA MESURE AUTORISEE PAR LA LOI APPLICABLE, Y COMPRIS NOTAMMENT TOUTE GARANTIE IMPLICITE RELATIVE A LA QUALITE MARCHANDE, A L’APTITUDE A UNE UTILISATION PARTICULIERE OU A L’ABSENCE DE CONTREFAÇON.

Preface xxxi

1. Introduction to Solaris 10 Operating System Support 1

Using Perl With Solaris Security Toolkit 4.2 Software 1

SMF and Legacy Services on Solaris 10 OS 2

Scripts That Use the SMF-Ready Services Interface 3

Scripts That SMF Recognizes as Legacy Services 4

New Scripts for Solaris Security Toolkit 4.2 Release 5

Scripts Not Used for Solaris 10 6

Environment Variables Not Used for Solaris 10 6

Using Solaris 10 OS Zones 7

Sequence Matters in Hardening Global and Non-Global Zones 7

Harden a Non-Global Zone From Within That Zone 7

Some Scripts Are Not Relevant to Non-Global Zones 8

Audits of Non-Global Zones Are Separate and Distinct From Audits of Global

Zones 8

Zone-Aware Finish and Audit Scripts 9

Some Zone-Aware Scripts Require Action Before Use in Non-Global Zones 9

rpcbind Disabled or Enabled Based on Drivers 10

▼ To Enable rpcbind 10

iii

Using TCP Wrappers 11

TCP Wrappers Configuration for secure.driver 12

TCP Wrappers Configuration for

server-secure.driver 12

TCP Wrappers Configuration for

suncluster3x-secure.driver 12

TCP Wrappers Configuration for

sunfire_15k_sc-secure.driver 13

Defining Environment Variables 13

Earlier Solaris Security Toolkit Versions 13

Solaris Security Toolkit 4.2 14

2. Framework Functions 15

Customizing Framework Functions 15

Using Common Log Functions 17

logBanner 18

logDebug 19

logError 19

logFailure 20

logFileContentsExist and

logFileContentsNotExist 20

logFileExists and

logFileNotExists 21

logFileGroupMatch and

logFileGroupNoMatch 22

logFileModeMatch and

logFileModeNoMatch 22

logFileNotFound 23

logFileOwnerMatch and

logFileOwnerNoMatch 24

logFileTypeMatch and

logFileTypeNoMatch 25

iv Solaris Security Toolkit 4.2 Reference Manual • July 2005

logFinding 26

logFormattedMessage 27

logInvalidDisableMode 27

logInvalidOSRevision 28

logMessage 28

logNotGlobalZone 29

logNotice 29

logPackageExists and

logPackageNotExists 30

logPatchExists and

logPatchNotExists 30

logProcessArgsMatch and

logProcessArgsNoMatch 31

logProcessExists and

logProcessNotExists 32

logProcessNotFound 32

logScore 33

logScriptFailure 33

logServiceConfigExists and

logServiceConfigNotExists 34

logServiceDisabled and logServiceEnabled 34

logServiceInstalled and logServiceNotInstalled 35

logServiceOptionDisabled and logServiceOptionEnabled 36

logServiceProcessList 36

logServicePropDisabled and logServicePropEnabled 37

logServiceRunning and logServiceNotRunning 37

logStartScriptExists and

logStartScriptNotExists 38

logStopScriptExists and

logStopScriptNotExists 39

logSuccess 39

Contents v

logSummary 40

logUserLocked and logUserNotLocked 40

logUndoBackupWarning 41

logWarning 41

Using Common Miscellaneous Functions 42

adjustScore 42

checkLogStatus 43

clean_path 43

extractComments 44

get_driver_report 44

get_lists_conjunction 44

get_lists_disjunction 45

invalidVulnVal 45

isNumeric 46

printPretty 46

printPrettyPath 46

strip_path 47

Using Driver Functions 47

add_crontab_entry_if_missing 48

add_option_to_ftpd_property 49

add_patch 50

add_pkg 50

add_to_manifest 51

backup_file 53

backup_file_in_safe_directory 54

change_group 54

change_mode 54

change_owner 55

vi Solaris Security Toolkit 4.2 Reference Manual • July 2005

check_and_log_change_needed 55

check_os_min_version 56

check_os_revision 57

check_readOnlyMounted 58

checksum 58

convert_inetd_service_to_frmi 58

copy_a_dir 59

copy_a_file 59

copy_a_symlink 59

copy_files 60

create_a_file 62

create_file_timestamp 63

disable_conf_file 63

disable_file 63

disable_rc_file 64

disable_service 65

enable_service 65

find_sst_run_with 65

get_expanded_file_name 66

get_stored_keyword_val 66

get_users_with_retries_set 67

is_patch_applied and is_patch_not_applied 67

is_service_enabled 68

is_service_installed 68

is_service_running 69

is_user_account_extant 69

is_user_account_locked 70

is_user_account_login_not_set 70

Contents vii

is_user_account_passworded 71

lock_user_account 71

make_link 71

mkdir_dashp 72

move_a_file 72

rm_pkg 73

set_service_property_value 73

set_stored_keyword_val 73

unlock_user_account 74

update_inetconv_in_upgrade 74

warn_on_default_files 75

write_val_to_file 75

Using Audit Functions 76

check_fileContentsExist and

check_fileContentsNotExist 77

check_fileExists and

check_fileNotExists 77

check_fileGroupMatch and

check_fileGroupNoMatch 78

check_fileModeMatch and

check_fileModeNoMatch 79

check_fileOwnerMatch and

check_fileOwnerNoMatch 80

check_fileTemplate 80

check_fileTypeMatch and

check_fileTypeNoMatch 81

check_if_crontab_entry_present 82

check_keyword_value_pair 82

check_minimized 83

check_minimized_service 83

viii Solaris Security Toolkit 4.2 Reference Manual • July 2005

check_packageExists and

check_packageNotExists 84

check_patchExists and

check_patchNotExists 85

check_processArgsMatch and

check_processArgsNoMatch 85

check_processExists and

check_processNotExists 86

check_serviceConfigExists and

check_serviceConfigNotExists 87

check_serviceDisabled and

check_serviceEnabled 87

check_serviceInstalled and

check_serviceNotInstalled 88

check_serviceOptionEnabled and

check_serviceOptionDisabled 88

check_servicePropDisabled 89

check_serviceRunning and

check_serviceNotRunning 89

check_startScriptExists and

check_startScriptNotExists 89

check_stopScriptExists and

check_stopScriptNotExists 90

check_userLocked and

check_userNotLocked 91

finish_audit 91

get_cmdFromService 91

start_audit 92

3. File Templates 93

Customizing File Templates 93

▼ To Customize a File Template 94

Understanding Criteria for How Files Are Copied 95

Contents ix

Using Configuration Files 96

driver.init 97

finish.init 97

user.init.SAMPLE 98

▼ To Add a New Variable to the user.init script 99

▼ To Append Entries to Variables Using the user.init File 100

Using File Templates 100

.cshrc 101

.profile 102

etc/default/sendmail 102

etc/dt/config/Xaccess 102

etc/ftpd/banner.msg 103

etc/hosts.allow and

etc/hosts.deny 103

etc/hosts.allow-15k_sc 104

etc/hosts.allow-server 104

etc/hosts.allow-suncluster 104

etc/init.d/nddconfig 105

etc/init.d/set-tmp-permissions 105

etc/init.d/sms_arpconfig 105

etc/init.d/swapadd 105

etc/issue and

etc/motd 106

etc/notrouter 106

etc/opt/ipf/ipf.conf 106

etc/opt/ipf/ipf.conf-15k_sc 106

etc/opt/ipf/ipf.conf-server 107

etc/rc2.d/S00set-tmp-permissions and

etc/rc2.d/S07set-tmp-permissions 107

etc/rc2.d/S70nddconfig 107

x Solaris Security Toolkit 4.2 Reference Manual • July 2005

etc/rc2.d/S73sms_arpconfig 108

etc/rc2.d/S77swapadd 108

etc/security/audit_control 108

etc/security/audit_class+5.8 and

etc/security/audit_event+5.8 108

etc/security/audit_class+5.9 and

etc/security/audit_event+5.9 109

etc/sms_domain_arp and

/etc/sms_sc_arp 109

etc/syslog.conf 109

root/.cshrc 110

root/.profile 110

var/opt/SUNWjass/BART/rules 110

var/opt/SUNWjass/BART/rules-secure 111

4. Drivers 113

Understanding Driver Functions and Processes 113

Load Functionality Files 114

Perform Basic Checks 115

Load User Functionality Overrides 115

Mount File Systems to JumpStart Client 115

Copy or Audit Files 116

Execute Scripts 116

Compute Total Score for the Run 117

Unmount File Systems From JumpStart Client 117

Customizing Drivers 118

▼ To Customize a Driver 119

Using Standard Drivers 122

config.driver 122

hardening.driver 123

Contents xi

secure.driver 126

Using Product-Specific Drivers 127

server-secure.driver 128

suncluster3x-secure.driver 128

sunfire_15k_sc-secure.driver 129

5. Finish Scripts 131

Customizing Finish Scripts 131

Customize Existing Finish Scripts 132

▼ To Customize a Finish Script 132

Prevent kill Scripts From Being Disabled 134

Create New Finish Scripts 134

Using Standard Finish Scripts 137

Disable Finish Scripts 138

disable-ab2.fin 139

disable-apache.fin 139

disable-apache2.fin 139

disable-appserv.fin 140

disable-asppp.fin 140

disable-autoinst.fin 140

disable-automount.fin 141

disable-dhcp.fin 141

disable-directory.fin 141

disable-dmi.fin 142

disable-dtlogin.fin 142

disable-face-log.fin 142

disable-IIim.fin 143

disable-ipv6.fin 143

disable-kdc.fin 143

xii Solaris Security Toolkit 4.2 Reference Manual • July 2005

disable-keyboard-abort.fin 144

disable-keyserv-uid-nobody.fin 144

disable-ldap-client.fin 144

disable-lp.fin 145

disable-mipagent.fin 145

disable-named.fin 145

disable-nfs-client.fin 145

disable-nfs-server.fin 146

disable-nscd-caching.fin 146

disable-picld.fin 147

disable-power-mgmt.fin 147

disable-ppp.fin 147

disable-preserve.fin 148

disable-remote-root-login.fin 148

disable-rhosts.fin 148

disable-routing.fin 148

disable-rpc.fin 149

disable-samba.fin 149

disable-sendmail.fin 149

disable-slp.fin 150

disable-sma.fin 150

disable-snmp.fin 150

disable-spc.fin 151

disable-ssh-root-login.fin 151

disable-syslogd-listen.fin 151

disable-system-accounts.fin. 152

disable-uucp.fin 152

disable-vold.fin 152

Contents xiii

disable-wbem.fin 153

disable-xfs-fin 153

disable-xserver.listen.fin 153

Enable Finish Scripts 153

enable-account-lockout.fin 154

enable-bart.fin 154

enable-bsm.fin 156

enable-coreadm.fin 156

enable-ftpaccess.fin 157

enable-ftp-syslog.fin 157

enable-inetd-syslog.fin 157

enable-ipfilter.fin 158

enable-password-history.fin 159

enable-priv-nfs-ports.fin 160

enable-process-accounting.fin 160

enable-rfc1948.fin 160

enable-stack-protection.fin 161

enable-tcpwrappers.fin 161

Install Finish Scripts 162

install-at-allow.fin 162

install-fix-modes.fin 163

install-ftpusers.fin 163

install-jass.fin 163

install-loginlog.fin 164

install-md5.fin 164

install-nddconfig.fin 164

install-newaliases.fin 164

install-openssh.fin 165

xiv Solaris Security Toolkit 4.2 Reference Manual • July 2005

install-recommended-patches.fin 165

install-sadmind-options.fin 165

install-security-mode.fin 165

install-shells.fin 166

install-strong-permissions.fin 166

install-sulog.fin 166

install-templates.fin 167

Print Finish Scripts 167

print-jass-environment.fin 167

print-jumpstart-environment.fin 167

print-rhosts.fin 168

print-sgid-files.fin 168

print-suid-files.fin 168

print-unowned-objects.fin 168

print-world-writable-objects.fin 168

Remove Finish Script 169

remove-unneeded-accounts.fin 169

Set Finish Scripts 169

set-banner-dtlogin.fin 170

set-banner-ftpd.fin 170

set-banner-sendmail.fin 170

set-banner-sshd.fin 171

set-banner-telnet.fin 171

set-flexible-crypt.fin 171

set-ftpd-umask.fin 172

set-login-retries.fin 173

set-power-restrictions.fin 173

set-rmmount-nosuid.fin 173

Contents xv

set-root-group.fin 174

set-root-home-dir.fin 174

set-root-password.fin 175

set-strict-password-checks.fin 175

set-sys-suspend-restrictions.fin 175

set-system-umask.fin 176

set-term-type.fin 176

set-tmpfs-limit.fin 176

set-user-password-reqs.fin 176

set-user-umask.fin 177

Update Finish Scripts 177

update-at-deny.fin 178

update-cron-allow.fin 178

update-cron-deny.fin 178

update-cron-log-size.fin 178

update-inetd-conf.fin 179

Using Product-Specific Finish Scripts 179

suncluster3x-set-nsswitch-conf.fin 180

s15k-static-arp.fin 180

s15k-exclude-domains.fin 180

s15k-sms-secure-failover.fin 181

6. Audit Scripts 183

Customizing Audit Scripts 183

Customize Standard Audit Scripts 183

▼ To Customize An Audit Script 184

Create New Audit Scripts 187

Using Standard Audit Scripts 187

Disable Audit Scripts 188

xvi Solaris Security Toolkit 4.2 Reference Manual • July 2005

disable-ab2.aud 189

disable-apache.aud 189

disable-apache2.aud 189

disable-appserv.aud 190

disable-asppp.aud 190

disable-autoinst.aud 190

disable-automount.aud 190

disable-dhcpd.aud 191

disable-directory.aud 191

disable-dmi.aud 191

disable-dtlogin.aud 191

disable-face-log.aud 192

disable-IIim.aud 192

disable-ipv6.aud 192

disable-kdc.aud 192

disable-keyboard-abort.aud 193

disable-keyserv-uid-nobody.aud 193

disable-ldap-client.aud 193

disable-lp.aud 193

disable-mipagent.aud 194

disable-named.aud 194

disable-nfs-client.aud 194

disable-nfs-server.aud 194

disable-nscd-caching.aud 195

disable-picld.aud 195

disable-power-mgmt.aud 195

disable-ppp.aud 195

disable-preserve.aud 195

Contents xvii

disable-remote-root-login.aud 196

disable-rhosts.aud 196

disable-routing.aud 196

disable-rpc.aud 196

disable-samba.aud 197

disable-sendmail.aud 197

disable-slp.aud 198

disable-sma.aud 198

disable-snmp.aud 198

disable-spc.aud 198

disable-ssh-root-login.aud 199

disable-syslogd-listen.aud 199

disable-system-accounts.aud 199

disable-uucp.aud 199

disable-vold.aud 200

disable-wbem.aud 200

disable-xfs.aud 200

disable-xserver.listen.aud 200

Enable Audit Scripts 201

enable-account-lockout.aud 201

enable-bart.aud 201

enable-bsm.aud 202

enable-coreadm.aud 202

enable-ftp-syslog.aud 202

enable-ftpaccess.aud 203

enable-inetd-syslog.aud 203

enable-ipfilter.aud 203

enable-password-history.aud 204

xviii Solaris Security Toolkit 4.2 Reference Manual • July 2005

enable-priv-nfs-ports.aud 204

enable-process-accounting.aud 204

enable-rfc1948.aud 204

enable-stack-protection.aud 205

enable-tcpwrappers.aud 205

Install Audit Scripts 205

install-at-allow.aud 206

install-fix-modes.aud 206

install-ftpusers.aud 206

install-jass.aud 206

install-loginlog.aud 207

install-md5.aud 207

install-nddconfig.aud 207

install-newaliases.aud 207

install-openssh.aud 208

install-recommended-patches.aud 208

install-sadmind-options.aud 208

install-security-mode.aud 208

install-shells.aud 209

install-strong-permissions.aud 209

install-sulog.aud 210

install-templates.aud 210

Print Audit Scripts 210

print-jass-environment.aud 210

print-jumpstart-environment.aud 210

print-rhosts.aud 211

print-sgid-files.aud 211

print-suid-files.aud 211

Contents xix

print-unowned-objects.aud 211

print-world-writable-objects.aud 211

Remove Audit Script 211

remove-unneeded-accounts.aud 212

Set Audit Scripts 212

set-banner-dtlogin.aud 212

set-banner-ftpd.aud 213

set-banner-sendmail.aud 213

set-banner-sshd.aud 213

set-banner-telnet.aud 213

set-flexible-crypt.aud 214

set-ftpd-umask.aud 214

set-login-retries.aud 214

set-power-restrictions.aud 214

set-rmmount-nosuid.aud 215

set-root-group.aud 215

set-root-home-dir.aud 215

set-root-password.aud 215

set-strict-password-checks.aud 216

set-sys-suspend-restrictions.aud 216

set-system-umask.aud 216

set-term-type.aud 216

set-tmpfs-limit.aud 216

set-user-password-reqs.aud 217

set-user-umask.aud 217

Update Audit Scripts 217

update-at-deny.aud 218

update-cron-allow.aud 218

xx Solaris Security Toolkit 4.2 Reference Manual • July 2005

update-cron-deny.aud 218

update-cron-log-size.aud 219

update-inetd-conf.aud 219

Using Product-Specific Audit Scripts 220

suncluster3x-set-nsswitch-conf.aud 220

s15k-static-arp.aud 221

s15k-exclude-domains.aud 221

s15k-sms-secure-failover.aud 221

7. Environment Variables 223

Customizing and Assigning Variables 223

Assigning Static Variables 224

Assigning Dynamic Variables 225

Assigning Complex Substitution Variables 225

Assigning Global and Profile-Based Variables 227

Creating Environment Variables 227

Using Environment Variables 228

Defining Framework Variables 229

JASS_AUDIT_DIR 231

JASS_CHECK_MINIMIZED 231

JASS_CONFIG_DIR 231

JASS_DISABLE_MODE 232

JASS_DISPLAY_HOST_LENGTH 232

JASS_DISPLAY_HOSTNAME 233

JASS_DISPLAY_SCRIPT_LENGTH 233

JASS_DISPLAY_SCRIPTNAME 233

JASS_DISPLAY_TIME_LENGTH 233

JASS_DISPLAY_TIMESTAMP 234

JASS_FILE_COPY_KEYWORD 234

Contents xxi

JASS_FILES 234

JASS_FILES_DIR 237

JASS_FINISH_DIR 238

JASS_HOME_DIR 238

JASS_HOSTNAME 238

JASS_ISA_CAPABILITY 238

JASS_LOG_BANNER 239

JASS_LOG_ERROR 239

JASS_LOG_FAILURE 239

JASS_LOG_NOTICE 240

JASS_LOG_SUCCESS 240

JASS_LOG_SUMMARY 240

JASS_LOG_WARNING 240

JASS_MODE 241

JASS_OS_REVISION 241

JASS_OS_TYPE 241

JASS_PACKAGE_DIR 242

JASS_PATCH_DIR 242

JASS_PKG 242

JASS_REPOSITORY 242

JASS_ROOT_DIR 243

JASS_ROOT_HOME_DIR 243

JASS_RUN_AUDIT_LOG 243

JASS_RUN_CHECKSUM 244

JASS_RUN_CLEAN_LOG 244

JASS_RUN_FINISH_LIST 245

JASS_RUN_INSTALL_LOG 245

JASS_RUN_MANIFEST 245

xxii Solaris Security Toolkit 4.2 Reference Manual • July 2005

JASS_RUN_SCRIPT_LIST 245

JASS_RUN_UNDO_LOG 246

JASS_RUN_VALUES 246

JASS_RUN_VERSION 246

JASS_SAVE_BACKUP 247

JASS_SCRIPT 247

JASS_SCRIPT_ERROR_LOG 247

JASS_SCRIPT_FAIL_LOG 248

JASS_SCRIPT_NOTE_LOG 248

JASS_SCRIPT_WARN_LOG 248

JASS_SCRIPTS 248

JASS_STANDALONE 250

JASS_SUFFIX 250

JASS_TIMESTAMP 251

JASS_UNAME 251

JASS_UNDO_TYPE 251

JASS_USER_DIR 252

JASS_VERBOSITY 252

JASS_VERSION 253

JASS_ZONE_NAME 254

Define Script Behavior Variables 254

JASS_ACCT_DISABLE 256

JASS_ACCT_REMOVE 257

JASS_AGING_MAXWEEKS 257

JASS_AGING_MINWEEKS 257

JASS_AGING_WARNWEEKS 257

JASS_AT_ALLOW 258

JASS_AT_DENY 258

Contents xxiii

JASS_BANNER_DTLOGIN 259

JASS_BANNER_FTPD 259

JASS_BANNER_SENDMAIL 259

JASS_BANNER_SSHD 259

JASS_BANNER_TELNETD 260

JASS_CORE_PATTERN 260

JASS_CPR_MGT_USER 260

JASS_CRON_ALLOW 260

JASS_CRON_DENY 261

JASS_CRON_LOG_SIZE 261

JASS_CRYPT_ALGORITHMS_ALLOW 262

JASS_CRYPT_DEFAULT 262

JASS_CRYPT_FORCE_EXPIRE 262

JASS_FIXMODES_DIR 262

JASS_FIXMODES_OPTIONS 263

JASS_FTPD_UMASK 263

JASS_FTPUSERS 263

JASS_KILL_SCRIPT_DISABLE 264

JASS_LOGIN_RETRIES 264

JASS_MD5_DIR 264

JASS_NOVICE_USER 265

JASS_PASS_ Environment Variables 265

JASS_PASS_DICTIONDBDIR 265

JASS_PASS_DICTIONLIST 265

JASS_PASS_HISTORY 266

JASS_PASS_LENGTH 266

JASS_PASS_MAXREPEATS 266

JASS_PASS_MINALPHA 266

xxiv Solaris Security Toolkit 4.2 Reference Manual • July 2005

JASS_PASS_MINDIFF 267

JASS_PASS_MINDIGIT 267

JASS_PASS_MINLOWER 268

JASS_PASS_MINNONALPHA 268

JASS_PASS_MINSPECIAL 268

JASS_PASS_MINUPPER 269

JASS_PASS_NAMECHECK 269

JASS_PASS_WHITESPACE 269

JASS_PASSWD 270

JASS_POWER_MGT_USER 270

JASS_REC_PATCH_OPTIONS 270

JASS_RHOSTS_FILE 270

JASS_ROOT_GROUP 271

JASS_ROOT_PASSWORD 271

JASS_SADMIND_OPTIONS 271

JASS_SENDMAIL_MODE 272

JASS_SGID_FILE 272

JASS_SHELLS 272

JASS_SUID_FILE 273

JASS_SUSPEND_PERMS 273

JASS_SVCS_DISABLE 274

JASS_SVCS_ENABLE 275

JASS_TMPFS_SIZE 276

JASS_UMASK 276

JASS_UNOWNED_FILE 276

JASS_WRITABLE_FILE 276

Define JumpStart Mode Variables 277

JASS_PACKAGE_MOUNT 277

Contents xxv

JASS_PATCH_MOUNT 278

Glossary 279

Index 287

xxvi Solaris Security Toolkit 4.2 Reference Manual • July 2005

Tables

TABLE 1-1 Solaris Security Toolkit Scripts That Use the SMF-Ready Services Interface 3

TABLE 1-2 Solaris Security Toolkit Scripts That SMF Recognizes as Legacy Services 4

TABLE 1-3 Solaris Security Toolkit Scripts Not Used for Solaris 10 6

TABLE 1-4 Solaris Security Toolkit 4.2 Zone-Aware Finish and Audit Scripts 9

TABLE 2-1 File Types Detected by Using the check_fileTypeMatch

Function 25

TABLE 2-2 Options for add_patch Finish Script Function 50

TABLE 2-3 Options for add_pkg Function 50

TABLE 2-4 add_to_manifest Options and Sample Manifest Entries 52

TABLE 2-5 create_a_file Command Options 62

TABLE 2-6 rm_pkg Function Options 73

TABLE 2-7 File Types Detected by the check_fileTypeMatch Function 81

TABLE 4-1 Product-Specific Drivers 127

TABLE 5-1 Product-Specific Finish Scripts 179

TABLE 6-1 List of Shells Defined by JASS_SHELLS 209

TABLE 6-2 Sample Output of JASS_SVCS_DISABLE 219

TABLE 6-3 Product-Specific Audit Scripts 220

TABLE 7-1 Supporting OS Versions in the JASS_FILES Variable 235

TABLE 7-2 Supporting OS Versions in the JASS_SCRIPTS Variable 249

TABLE 7-3 Verbosity Levels for Audit Runs 253

xxvii

xxviii Solaris Security Toolkit 4.2 Reference Manual • July 2005

Code Samples

CODE EXAMPLE 1-1 Hardening a Non-Global Zone 8

CODE EXAMPLE 1-2 TCP Wrappers Configuration for secure.driver in Solaris 10 OS 12

CODE EXAMPLE 1-3 TCP Wrappers Configuration for server-secure.driver in Solaris 10 OS 12

CODE EXAMPLE 1-4 TCP Wrappers Configuration for suncluster3x-secure.driver in Solaris 10 OS 12

CODE EXAMPLE 1-5 TCP Wrappers Configuration for

sunfire_15k_sc-secure.driver in Solaris 10 OS 13

CODE EXAMPLE 2-1 Extending Functionality by Customizing the Framework 16

CODE EXAMPLE 2-2 Sample Banner Message 18

CODE EXAMPLE 2-3 Detecting Functionality That Exists in Multiple OS Releases 56

CODE EXAMPLE 2-4 Checking for a Specific OS Revision or Range 57

CODE EXAMPLE 2-5 Checksum Output From MD5 in Solaris 10 OS 58

CODE EXAMPLE 3-1 Adding a User-Defined Variable 99

CODE EXAMPLE 3-2 Appending Entries to Variables Using user.init File 100

CODE EXAMPLE 4-1 Creating a Nested or Hierarchical Security Profile 121

CODE EXAMPLE 4-2 Having a Driver Implement Its Own Functionality 121

CODE EXAMPLE 4-3 Exempt From config.driver 123

CODE EXAMPLE 4-4 secure.driver Contents 126

CODE EXAMPLE 5-1 Sample install-openssh.fin Script 133

CODE EXAMPLE 5-2 Default BART rules-secure File 155

CODE EXAMPLE 5-3 Default BART rules File 155

CODE EXAMPLE 5-4 secure.driver Default IP Filter Rules File 158

xxix

CODE EXAMPLE 5-5 server-secure.driver Default IP Filter Rules File 158

CODE EXAMPLE 5-6 sunfire_15k_sc-secure.driver Default IP Filter Rules File 159

CODE EXAMPLE 5-7 Password Encryption Tunables for Solaris Security Toolkit Drivers 172

CODE EXAMPLE 6-1 Sample install-openssh.aud Script 185

CODE EXAMPLE 7-1 Variable Assignment Based on OS Version 226

CODE EXAMPLE 7-2 Adding rlogin to JASS_SVCS_ENABLE list 275

xxx Solaris Security Toolkit 4.2 Reference Manual • July 2005

Preface

This Solaris™ Security Toolkit 4.2 Reference Manual contains reference information for understanding and using the internals of the Solaris Security Toolkit software. This manual is primarily intended for persons who use the Solaris Security Toolkit software to secure Solaris™ Operating System (OS) versions 2.5.1 through 10, such as administrators, consultants, and others, who are deploying new Sun systems or securing deployed systems. The instructions apply to using the software in either its JumpStart™ mode or stand-alone mode.

Following are terms used in this manual that are important to understand:

■ Hardening – Modifying Solaris OS configurations to improve a system’s security.

■ Auditing – Determining if a system’s configuration is in compliance with a

predefined security profile.

■ Scoring – Counting the number of failures uncovered during an audit run. If no

failures (of any kind) are found, then the resulting score is 0. The Solaris Security Toolkit increments the score (also known as a vulnerability value) by 1 whenever a failure is detected.

Before You Read This Book

You should be a Sun Certified System Administrator for Solaris™ or Sun Certified Network Administrator for Solaris™. You should also have an understanding of standard network protocols and topologies.

Because this book is designed to be useful to people with varying degrees of experience or knowledge of security, your experience and knowledge will determine how you use this book.

xxxi

How This Book Is Organized

This manual contains reference information about the software components and is structured as follows:

Chapter 1 is an introduction to how to use Solaris Security Toolkit 4.2 software with

the Solaris 10 OS.

Chapter 2 provides reference information for using, adding, modifying, and

removing framework functions. Framework functions provide flexibility for you to change the behavior of the Solaris Security Toolkit software without modifying source code.

Chapter 3 provides reference information about for using, modifying, and

customizing the file templates included in the Solaris Security Toolkit software.

Chapter 4 provides reference information about using, adding, modifying, and

removing drivers. This chapter describes the drivers used by the Solaris Security Toolkit software to harden, minimize, and audit Solaris OS systems.

Chapter 5 provides reference information about using, adding, modifying, and

removing finish scripts. This chapter describes the scripts used by the Solaris Security Toolkit software to harden and minimize Solaris OS systems.

Chapter 6 provides reference information for using, adding, modifying, and

removing audit scripts.

Chapter 7 provides reference information about using environment variables. This

chapter describes all of the variables used by the Solaris Security Toolkit software and provides tips and techniques for customizing their values.

Using UNIX Commands

This document might not contain information on basic UNIX® commands and procedures such as shutting down the system, booting the system, and configuring devices. Refer to the following for this information:

■ Software documentation that you received with your system

■ Solaris Operating System documentation, which is at

http://docs.sun.com

xxxii Solaris Security Toolkit 4.2 Reference Manual • July 2005

Shell Prompts

Shell Prompt

C shell machine-name%

C shell superuser machine-name#

Bourne shell and Korn shell $

Bourne shell and Korn shell superuser #

Typographic Conventions

Typeface

AaBbCc123 The names of commands, files,

AaBbCc123

AaBbCc123 Book titles, new words or terms,

1 The settings on your browser might differ from these settings.

Meaning Examples

Edit your.login file. and directories; on-screen computer output

What you type, when contrasted with on-screen computer output

words to be emphasized. Replace command-line variables with real names or values.

Use ls -a to list all files.

% You have mail.

% su

Password:

Read Chapter 6 in the User’s Guide.

These are called class options.

You must be superuser to do this.

To delete a file, type rm filename.

Using Generic Terms for Hardware Models

Sun Fire™ high-end systems refers to these model numbers:

■ E25K

■ E20K

Preface xxxiii

■ 15K

■ 12K

Sun Fire midrange systems refer to these model numbers:

■ E6900

■ E4900

■ 6800

■ 4810

■ 4800

■ 3800

Sun Fire entry-level midrange systems refer to these model numbers:

■ E2900

■ Netra 1280

■ V1280

■ V890

■ V880

■ V490

■ V480

Supported Hardware Systems

Solaris Security Toolkit 4.2 software supports SPARC®, 64-bit only, and x86 systems.

Supported Solaris OS Versions

Sun support for Solaris Security Toolkit software is available only for its use in the Solaris 8, Solaris 9, and Solaris 10 Operating Systems.

Note – For Solaris Security Toolkit 4.2 software, Solaris 10 can be used only on Sun

Fire high-end systems domains, not on the system controller (SC).

While the software can be used in the Solaris 2.5.1, Solaris 2.6, and Solaris 7 Operating Systems, Sun support is not available for its use in those operating systems.

xxxiv Solaris Security Toolkit 4.2 Reference Manual • July 2005

The Solaris Security Toolkit software automatically detects which version of the Solaris Operating System software is installed, then runs tasks appropriate for that operating system version.

Note in examples provided throughout this document that when a script checks for a version of the OS, it checks for 5.x, the SunOS™ versions, instead of 2.x, 7, 8, 9, or 10, the Solaris OS versions.

TABLE P-1 shows the correlation between SunOS and

Solaris OS versions.

TABLE P-1 Correlation Between SunOS and Solaris OS Versions

SunOS Version Solaris OS Version

5.5.1 2.5.1

5.6 2.6

5.7 7

5.8 8

5.9 9

5.10 10

Supported SMS Versions

If you are using System Management Services (SMS) to run the system controller (SC) on your Sun Fire high-end systems, then Solaris Security Toolkit 4.2 software is supported on all Solaris 8 and 9 OS versions when used with SMS versions 1.3, 1.4.1, and 1.5. No version of SMS is supported on Solaris 10 OS with Solaris Security Toolkit 4.2 software.

Note – For Solaris Security Toolkit 4.2 software, Solaris 10 can be used only on

domains, not on the system controller (SC).

Preface xxxv

SMF and Legacy Services on Solaris 10 OS

Some of the services under the Internet services daemon (inetd) control that you might want to put in a list to enable or disable are converted to the Service Management Facility and use Fault Management Resource Identifiers (FMRIs), and some services under inetd control are not converted.

■ SMF-Ready Services – If you want to create lists of SMF-ready services under

inetd control to enable or disable, use JASS_SVCS_ENABLE or JASS_SVCS_DISABLE. The JASS_SVCS_DISABLE script disables all services on

the list that are SMF ready and that are installed on the system. those Solaris Security Toolkit scripts that are SMF ready.

Note – The lists of SMF-ready services are valid only for the Solaris 10 Operating

System.

■ Legacy Services – If you want to create lists of legacy, or unconverted, services

under inetd control to enable or disable, you can use JASS_SVCS_ENABLE or JASS_SVCS_DISABLE in the same manner you have been using them in earlier versions of the toolkit. not converted and, therefore, SMF recognizes as legacy services. See

“JASS_SVCS_DISABLE” on page 274 and “JASS_SVCS_ENABLE” on page 275 for

more information.

TABLE 1-2 lists those Solaris Security Toolkit scripts that are

TABLE 1-1 lists

If you are using the Solaris 10 Operating System, the JASS_SVCS_DISABLE script disables all services listed on the JASS_SVCS_DISABLE list if they are in the inetd.conf file. Therefore, if a service was valid for the Solaris 9 Operating System under inetd, but no longer uses the inetd.conf file for the Solaris 10 Operating System, modifying the JASS_SVCS_DISABLE environment variable makes no changes to that service.

The Solaris Security Toolkit issues a warning message if either the JASS_SVCS_ENABLE or JASS_SVCS_DISABLE environment variable contains either an FMRI or an inetd service name which does not exist on the system.

2 Solaris Security Toolkit 4.2 Reference Manual • July 2005

Scripts That Use the SMF-Ready Services Interface

TABLE 1-1 lists the Solaris Security Toolkit scripts that use the SMF-ready services

interface, their Fault Management Resource Identifiers (FMRIs), and the start or stop scripts used for the Solaris 9 OS.

TABLE 1-1 Solaris Security Toolkit Scripts That Use the SMF-Ready Services Interface

Script Name Fault Management Resource Identifier (FMRI) Start/Stop Script for Solaris 9 OS

disable-apache2

disable-automount svc:/system/filesystem/autofs:

disable-dhcpd svc:/network/dhcp-server:default /etc/rc3.d/S24dhcp

disable-kdc svc:/network/security/krb5kdc:de

disable-ldap-client svc:/network/ldap/client:default /etc/rc2.d/S71dap.client

disable-lp svc:/application/print/server:

disable-named svc:/network/dns/server:default /etc/named.boot

disable-nfs-client svc:/network/nfs/client:default

disable-nfs-server svc:/network/nfs/server:default /etc/rc3.d/S15nfs

disable-power-mgmt svc:/system/power:default /etc/rc2.d/S85power

disable-rpc svc:/network/rpc/bind:default

disable-sendmail svc:/network/smtp/sendmail:

disable-slp svc:/network/slp:default /etc/rc2.d/S72slpd

disable-spc svc:/application/print/cleanup:

svc:/network/http:apache2 None

/etc/rc2.d/S74autofs

default

/etc/rd3.d/S13kdc.master

fault

default svc:/application/print/ipp-

listener:default svc:/application/print/rfc1179:

default

svc:/network/nfs/status:default svc:/network/nfs/nlocmgr:default

svc:/network/rpc/keyserv:default

default

/etc/rd3.d/S14kdc

/etc/rc2.d/S80lp

/etc/rc2.d/S73nfs.client

/etc/rc2.d/S71rpc

/etc/rc2.d/S99sendmail

/etc/rc2.d/S80spc

Chapter 1 Introduction to Solaris 10 Operating System Support 3

TABLE 1-1 Solaris Security Toolkit Scripts That Use the SMF-Ready Services Interface

Script Name Fault Management Resource Identifier (FMRI) Start/Stop Script for Solaris 9 OS

disable-ssh-root-login svc:/network/ssh:default Use pkginfo -q -r SUNWsshdr

disable-uucp svc:/network/uucp:default /etc/rc2.d/S70uucp

enable-ftpaccess svc:/network/ftp:default /etc/inet/inetd.conf

enable-inetd-syslog svc:/network/inetd:default /etc/default/inetd

enable-tcpwrappers svc:/network/inetd:default /etc/default/inetd

install-ftpusers svc:/network/ftp:default Use pkginfo -q -R SUNWftpr

set-banner-ftpd svc:/network/ftp:default Use pkginfo -q -R SUNWsshdr

set-banner-sshd svc:/network/ssh:default Use pkginfo -q -R SUNWftpr

set-ftpd-unmask svc:/network/ftp:default Use pkginfo -q -r SUNWftpr

1 Solaris 10 only

(Continued)

Scripts That SMF Recognizes as Legacy Services

TABLE 1-2 lists the Solaris Security Toolkit scripts that are not SMF ready, but that

SMF recognizes as legacy services. Although the legacy services can be represented in FMRI format, SMF does not have the ability to enable or disable them.

TABLE 1-2 Solaris Security Toolkit Scripts That SMF Recognizes as Legacy Services

Script Name Fault Management Resource Identifier (FMRI)

disable-apache lrc:/etc/rc3_d/S50apache

disable-appserv lrc:/etc/rc2_d/S84appserv

disable-autoinst lrc:/etc/rc2_d/S72autoinstall

disable-directory lrc:/etc/rc2_d/S72directory

disable-dmi lrc:/etc/rc3_d/S77dmi

disable-dtlogin lrc:/etc/rc2_d/S99dtlogin

disable-IIim lrc:/etc/rc2_d/S95IIim

disable-mipagent lrc:/etc/rc3_d/S80mipagent

4 Solaris Security Toolkit 4.2 Reference Manual • July 2005

TABLE 1-2 Solaris Security Toolkit Scripts That SMF Recognizes as Legacy Services

(Continued)

Script Name Fault Management Resource Identifier (FMRI)

disable-ppp lrc:/etc/rc2_d/S47pppd

disable-preserve lrc:/etc/rc2_d/S89PRESERVE

disable-samba lrc:/etc/rc3_d/S90samba

disable-snmp lrc:/etc/rc3_d/S76snmpdx

disable-uucp lrc:/etc/rc2_d/S70uucp

disable-vold lrc:/etc/rc3_d/S81volmgt

disable-wbem lrc:/etc/rc2_d/S90wbem

set-banner-dtlogin lrc:/etc/rc2_d/S99dtlogin

New Scripts for Solaris Security Toolkit

4.2 Release

Following are new scripts for the Solaris Security Toolkit 4.2 release:

■ disable-apache2.{fin|aud}

■ disable-appserv.{fin|aud}

■ disable-IIim.{fin|aud}

■ disable-routing.{fin|aud}

■ enable-account-lockout.{fin|aud}

■ enable-bart.{fin|aud}

■ enable-ipfilter.{fin|aud}

■ enable-password-history.{fin|aud}

■ set-root-home-dir.{fin|aud}

■ set-strict-password-checks.{fin|aud}

The functions of finish (.fin) scripts are explained in Chapter 5, and the functions of audit (.aud) scripts are explained in Chapter 6.

Chapter 1 Introduction to Solaris 10 Operating System Support 5

Scripts Not Used for Solaris 10

TABLE 1-3 lists the Solaris Security Toolkit Scripts that are not used when you are

hardening the Solaris 10 Operating System.

TABLE 1-3 Solaris Security Toolkit Scripts Not Used for Solaris 10

Script Name Applicable Operating System

disable-ab2 Solaris 2.5.1 through 8

disable-aspp Solaris 2.5.1 through 8

disable-picld Solaris 8 and 9

install-fix-modes Solaris 2.5.1 through 9

install-newaliases Solaris 2.5.1 through 8

install-openssh Solaris 2.5.1 through 8

install-sadmind-options Solaris 2.5.1 through 9

install-strong-permissions Solaris 2.5.1 through 9

remove-unneeded-accounts Solaris 2.5.1 through 9

Environment Variables Not Used for Solaris 10

The following environment variables are not used for the Solaris 10 Operating System:

■ JASS_ISA_CAPABILITY (removed from Solaris Security Toolkit 4.2 software)

■ JASS_DISABLE_MODE

6 Solaris Security Toolkit 4.2 Reference Manual • July 2005

Using Solaris 10 OS Zones

The Solaris Security Toolkit 4.2 software can be used to harden a zone, or Sun Network One (N1) grid container, for systems using the Solaris 10 OS. All Solaris Security Toolkit profiles (hardening, audit, and undo) function in Solaris 10 zones in the same manner as in non-zoned systems for the most part. Any differences are noted in this section.

Sequence Matters in Hardening Global and NonGlobal Zones

If the global zone has been hardened before the non-global zone (NGZ) is installed, certain modifications made by the Solaris Security Toolkit 4.2 software are carried into the new zone, but many others are not. To ensure that a newly created zone is properly secured, the Solaris Security Toolkit 4.2 software should be applied in both hardening and audit modes immediately after the zone’s installation. Once a nonglobal zone is installed, hardening and unhardening in the global zone does not effect the NGZ, and vice versa.

Harden a Non-Global Zone From Within That Zone

Caution – Because of security risks, you should never access a non-global zone file

system from outside that zone. A path that is not dangerous in a non-global zone can be dangerous in the global zone. For example, a non-global zone administrator can link the /etc/shadow file to the ../../../shadow file. Inside the non-global zone, this is harmless, but modifications to the file from the global zone, using the path /opt/testzone/etc/shadow, would edit the global zone’s /etc/passwd file. Again, a non-global zone should never be hardened, undone, cleaned, or even audited unless you are logged into that zone.

Chapter 1 Introduction to Solaris 10 Operating System Support 7

If your Solaris Security Toolkit 4.2 installation is in the standard /opt/SUNWjass directory, you can harden a zone by using the Solaris 10 OS zlogin(1) command to log in to, or enter, that zone to run the Solaris Security Toolkit.

CODE EXAMPLE 1-1 Hardening a Non-Global Zone

# zlogin myzone /opt/SUNWjass/bin/jass-execute -d my.driver

The variable myzone is your non-global zone, and the variable my.driver is the name of the driver you are using.

Some Scripts Are Not Relevant to Non-Global Zones

Some of the Solaris Security Toolkit scripts are not relevant to a non-global zone; for example, those that modify kernel parameters using /etc/system. When these scripts are run in a non-global zone, the scripts log the fact that they are not required for a non-global zone as a [NOTE].

If you are writing your own script, you might want to use the logNotGlobalZone function (see standard way. To test whether or not you are in a non-global zone in a Solaris Security Toolkit script, you can check the Solaris Security Toolkit 4.2 environment variable JASS_ZONE_NAME to see if it contains global. This variable is set to global in OS versions prior to the Solaris 10 OS. For more information about the variable, see

“logNotGlobalZone” on page 29) to issue such a message in a

“JASS_ZONE_NAME” on page 254.

Audits of Non-Global Zones Are Separate and Distinct From Audits of Global Zones

Running processes, installed software, and the configurations of non-global zones are audited separately from those of the global zone. For example, an audit of an NGZ, which detected an unauthorized process running, would trigger an NGZ audit failure, not a global zone audit failure. Similarly, when a global zone is audited, any security violations detected would generate global zone security violations, not NGZ violations.

The only overlap between a global and non-global zone audit occurs during a BART review of the global zone. File systems of the NGZ are mounted on the global zone and might be reviewed by the BART manifest files included in the Solaris Security Toolkit. When reviewing these NGZ file systems from the global zone, security

8 Solaris Security Toolkit 4.2 Reference Manual • July 2005

violations relevant to the NGZ might be reported on the global zone. To avoid this situation, ensure that any NGZ file systems mounted on the global zone are excluded from the BART manifest file.

Zone-Aware Finish and Audit Scripts

Toolkit scripts that are not to be run in a zone because of insufficient privileges for operation, check to see if they are in the global zone using the environment variable JASS_ZONE_NAME (see Security Toolkit scripts are not running in the global zone, the scripts log that information with the logNotGlobalZone function and finish.

TABLE 1-4 lists the Finish and Audit scripts that are zone aware.

TABLE 1-4 Solaris Security Toolkit 4.2 Zone-Aware Finish and Audit Scripts

Base Script Name Reason for Zone Awareness Zone Behavior

disable-power-mgmt Power functions cannot be used in a zone. log

enable-bsm Zones cannot enable BSM, although they can use BSM.

Before you can enable the ability to use BSM in a NGZ, you first must enable the ability to use BSM in the global zone.

enable-ipfilter Zones cannot change IP Filter. log

enable-priv-ngs-ports Zones cannot be NFS servers. log

enable-rfc1948 Zones cannot affect the /dev/ip stack. log

enable-stack-protection Zones cannot change the kernel parameters. log

install-nddconfig Zones cannot affect the /dev/ip stack. log

install-security-mode Zones cannot access the EEPROM. log

“JASS_ZONE_NAME” on page 254). If the Solaris

log

Some Zone-Aware Scripts Require Action Before Use in Non-Global Zones

Some Solaris Security Toolkit scripts that are zone aware, such as enable-bsm.fin, might require actions to be taken in the global zone prior to their full use in a nonglobal zone. If you run such scripts without taking these actions, you are prompted and given instructions to take the required actions to make full use of these capabilities. In other words, some actions require a kernel module to work. In this case, you need to load the module from the global zone, and then you can use it in the non-global zone. Until you do that, the actions are not performed.

Chapter 1 Introduction to Solaris 10 Operating System Support 9

rpcbind Disabled or Enabled Based on Drivers

In the Solaris 10 Operating System, there are services which depend on rpcbind such as the Fault Manager Daemon (FMD), Network Information Services (NIS), the Network File System (NFS), and window managers, such as Common Desktop Environment (CDE) and Solaris Security Toolkit 4.2 software either disables or enables rpcbind based on the driver as follows:

■ secure.driver: rpcbind disabled by default

■ server-secure.driver: rpcbind enabled by default

■ suncluster3x-secure.driver: rpcbind enabled by default

■ sunfire_15k_sc-secure.driver: rpcbind disabled by default

You might need to configure rpcbind to start manually, depending on your system’s configuration. Refer to the Solaris 10 OS Administration documentation for details on how to use SMF.

rpcbind in the Solaris 10 OS uses TCP Wrappers and the uses of both are closely related. See auto-configure TCP Wrappers.

“Using TCP Wrappers” on page 11 for details on how each of the drivers

▼ To Enable rpcbind

GNU Network Object Model Environment (GNOME). The

1. Unharden the system.

2. Verify that rpcbind is running by using the pgrep command.

# pgrep rpcbind

process-id

Use the following form of the pgrep command for systems running the Solaris 10 OS where you have a global zone with child zones, so that you do not receive child zone processes.

# pgrep -z zone-name rpcbind process-id

If you receive a process-id you know that rpcbind is running.

10 Solaris Security Toolkit 4.2 Reference Manual • July 2005

3. Copy and rename the secure.driver and hardening.driver to new-

secure.driver and new-hardening.driver.

4. Edit new-secure.driver to replace the reference to hardening.driver with new-

hardening.driver.

5. Comment out the disable-rpc.fin script from new-hardening.driver.

6. Re-run hardening with your customized copy drivers by running the Solaris

Security Toolkit with new-secure.driver.

7. Reboot the system.

Caution – After enabling the rpcbind service, additional services may be started

automatically and their corresponding ports opened. The Solaris Security Toolkit audit flags these additional services as failures.

Using TCP Wrappers

For the Solaris 10 OS, the following TCP Wrappers configurations are used for the following drivers. The configuration information is in the /etc/hosts.allow and /etc/hosts.deny files.

Note – The arguments for these configurations are case-sensitive. For example, in

CODE EXAMPLE 1-2, LOCAL and ALL must be entered in all capital letters, and

localhost must be entered in lower-case letters.

Chapter 1 Introduction to Solaris 10 Operating System Support 11

TCP Wrappers Configuration for

secure.driver

CODE EXAMPLE 1-2 TCP Wrappers Configuration for secure.driver in Solaris 10 OS

secure.driver: tcpwrappers enabled by default with the following: hosts.allow sshd: LOCAL sendmail: localhost hosts.deny ALL: ALL # rpcbind: ALL

TCP Wrappers Configuration for

server-secure.driver

CODE EXAMPLE 1-3 TCP Wrappers Configuration for server-secure.driver in

server-secure.driver: tcpwrappers enabled by default with the following:

hosts.allow ALL: localhost sshd: ALL hosts.deny ALL: ALL

Solaris 10 OS

TCP Wrappers Configuration for

suncluster3x-secure.driver

CODE EXAMPLE 1-4 TCP Wrappers Configuration for suncluster3x-secure.driver

suncluster3x-secure.driver: tcpwrappers enabled by default with the following:

hosts.allow <need to allow other cluster members access> ALL: localhost sshd: ALL

in Solaris 10 OS

12 Solaris Security Toolkit 4.2 Reference Manual • July 2005

CODE EXAMPLE 1-4 TCP Wrappers Configuration for suncluster3x-secure.driver

hosts.deny ALL: ALL NOTE: need to warn if not configured properly by adding

entries to hosts.allow

in Solaris 10 OS (Continued)

TCP Wrappers Configuration for

sunfire_15k_sc-secure.driver

CODE EXAMPLE 1-5 TCP Wrappers Configuration for

sunfire_15k_sc-secure.driver in Solaris 10 OS

sunfire_15k_sc-secure.driver: tcpwrappers enabled by default with the following:

hosts.allow <need to allow other SC sshd access> sendmail: localhost hosts.deny ALL: ALL NOTE: need to warn if not configured properly by adding

entries to hosts.allow

Defining Environment Variables

There is a change in the sequence in which driver-specific environment variables are set.

Earlier Solaris Security Toolkit Versions

In previous versions of Solaris Security Toolkit, the sequence in which environment variables were set was as follows:

1. <driver-name>.driver

2. driver.init

a.user.init

Chapter 1 Introduction to Solaris 10 Operating System Support 13

b. finish.init

3. <driver-name>.driver (after driver.init)

4. framework variables (driver files)

5. finish script variable definitions

Solaris Security Toolkit 4.2

In Solaris Security Toolkit 4.2 software, the sequence in which environment variables are set is as follows:

1. jass-execute calls

a.driver-init

b. user-init

c. finish.init

d. *secure*

i. driver.init

ii. user.init

iii. finish.init

iv. *config*

v. *hardening*

In step d, some variables could be set before step i or after step iii.

Note – In spite of a change in sequence in which driver-specific variables are set in

Solaris Security Toolkit 4.2, your ability to use user.init to override is unchanged from previous versions.

14 Solaris Security Toolkit 4.2 Reference Manual • July 2005

CHAPTER

Framework Functions

This chapter provides reference information on using, adding, modifying, and removing framework functions. Framework functions provide flexibility for you to change the behavior of the Solaris Security Toolkit software without modifying source code.

Use framework functions to limit the amount of coding that is needed to develop new finish and audit scripts, and to keep common functionality consistent. For example, by using the common logging functions, you can configure the reporting mechanism without needing to develop or alter any additional source code. Similarly, by using this modular code for common functions, bugs and enhancements can be more systematically addressed.

In addition, framework functions support the undo option. For example, using the framework function backup_file in place of a cp or mv command allows that operation to be reversed during an undo run.

This chapter contains the following topics:

■ “Customizing Framework Functions” on page 15

■ “Using Common Log Functions” on page 17

■ “Using Common Miscellaneous Functions” on page 42

■ “Using Driver Functions” on page 47

■ “Using Audit Functions” on page 76

Customizing Framework Functions

The Solaris Security Toolkit software is based on a modular framework that allows you to combine features in various ways to suit your organization’s needs. Sometimes, however, the standard features provided by the Solaris Security Toolkit software might not meet your site’s needs. You can supplement the standard features by customizing framework functions to enhance and extend the functionality

provided by the Solaris Security Toolkit software. The framework functions configure how the Solaris Security Toolkit software runs, define the functions that it uses, and initialize environment variables.

In most cases, you can easily copy standard framework function files and scripts, and then customize their functionality for your use. For example, using the user.run file, you can add, modify, replace, or extend the standard framework functions. The user.run file is similar in purpose to the user.init file, except that you use the user.init file to add or modify environment variables.

In some cases, you might need to develop new framework functions. In this case, use similar framework functions as a guide or template for coding, and be sure to follow the recommendations provided in this book. Development should only be undertaken by users who are familiar with the Solaris Security Toolkit software’s design and implementation.

Caution – Take extreme care when developing your own framework functions.

Incorrect programming might compromise the Solaris Security Toolkit software’s ability to properly implement or undo changes or to audit a system’s configuration. Furthermore, changes made to the software could adversely impact the target platform on which the software is run.

CODE EXAMPLE 2-1 show how Solaris Security Toolkit functionality can be extended

by customizing the standard framework. In this example, the mount_filesystems function is modified to enable the developer to mount additional file systems during a JumpStart installation. The mount_filesystems function is copied directly from the driver_private.funcs script into the user.run file. The modifications to it are in lines 8 and 9.

CODE EXAMPLE 2-1 Extending Functionality by Customizing the Framework

1 mount_filesystems() 2 { 3 if [ "${JASS_STANDALONE}" = "0" ]; then 4 mount_fs ${JASS_PACKAGE_MOUNT} ${JASS_ROOT_DIR} \ 5 ${JASS_PACKAGE_DIR} 6 mount_fs ${JASS_PATCH_MOUNT} ${JASS_ROOT_DIR} \ 7 ${JASS_PATCH_DIR} 8 mount_fs 192.168.0.1:/apps01/oracle \ 9 ${JASS_ROOT_DIR}/tmp/apps-oracle 10 fi 11 }

For the sake of simplicity, the variable used to mount the new file system is not converted to Solaris Security Toolkit environment variables. To aid in portability and flexibility, abstract the actual values using environment variables. This approach

16 Solaris Security Toolkit 4.2 Reference Manual • July 2005

allows changes to be made consistently, because the software is deployed into environments with different requirements, such as production, quality assurance, and development.

Note – You could implement the same functionality within a finish script that uses

this mount point, so that the mounting, use, and unmounting of the file system is self-contained within the script. However, it might be more effective and efficient to mount the file system using mount_filesystems when a single file system is used by more than one script.

Caution – A disadvantage to modifying mount_filesystems is that when you

install updates of the Solaris Security Toolkit software, you might need to modify the mount_filesystems again.

Using Common Log Functions

These functions control all logging and reporting functions and are located in the Drivers directory in a file called common_log.funcs. The logging and reporting functions are used in all of the Solaris Security Toolkit software’s operational modes; therefore, they are considered common functions. Common functions such as logWarning and logError are in this file.

This section describes the following common log functions.

■ “logBanner” on page 18

■ “logDebug” on page 19

■ “logError” on page 19

■ “logFailure” on page 20

■ “logFileContentsExist and logFileContentsNotExist” on page 20

■ “logFileExists and logFileNotExists” on page 21

■ “logFileGroupMatch and logFileGroupNoMatch” on page 22

■ “logFileModeMatch and logFileModeNoMatch” on page 22

■ “logFileNotFound” on page 23

■ “logFileOwnerMatch and logFileOwnerNoMatch” on page 24

■ “logFileTypeMatch and logFileTypeNoMatch” on page 25

■ “logFinding” on page 26

■ “logFormattedMessage” on page 27

■ “logInvalidDisableMode” on page 27

■ “logInvalidOSRevision” on page 28

■ “logMessage” on page 28

■ “logNotGlobalZone” on page 29

Chapter 2 Framework Functions 17

■ “logNotice” on page 29

■ “logPackageExists and logPackageNotExists” on page 30

■ “logPatchExists and logPatchNotExists” on page 30

■ “logProcessArgsMatch and logProcessArgsNoMatch” on page 31

■ “logProcessExists and logProcessNotExists” on page 32

■ “logProcessNotFound” on page 32

■ “logScore” on page 33

■ “logScriptFailure” on page 33

■ “logServiceConfigExists and logServiceConfigNotExists” on page 34

■ “logServiceDisabled and logServiceEnabled” on page 34

■ “logServiceInstalled and logServiceNotInstalled” on page 35

■ “logServiceOptionDisabled and logServiceOptionEnabled” on page 36

■ “logServiceProcessList” on page 36

■ “logServicePropDisabled and logServicePropEnabled” on page 37

■ “logServiceRunning and logServiceNotRunning” on page 37

■ “logStartScriptExists and logStartScriptNotExists” on page 38

■ “logStopScriptExists and logStopScriptNotExists” on page 39

■ “logSuccess” on page 39

■ “logSummary” on page 40

■ “logUserLocked and logUserNotLocked” on page 40

■ “logUndoBackupWarning” on page 41

■ “logWarning” on page 41

logBanner

This function displays banner messages. These messages typically precede driver, finish, or audit script run output. Banner messages also are used at the start and end of a run. They are displayed only if the logging verbosity is at least 3 (Full). For more information on verbosity levels, see

Banner messages take one of two forms. If you pass an empty string to this function, then a single line separator is displayed. This line is often used to force a “break” in the displayed output. If you enter a single string value, then the output is displayed between a pair of single line separators. banner message.

CODE EXAMPLE 2-2 Sample Banner Message

================================================================ Solaris Security Toolkit Version: 4.2 Node name: imbulu Zone name: global Host ID: 8085816e Host address: 192.168.0.1 MAC address: 0:0:80:85:81:6e

18 Solaris Security Toolkit 4.2 Reference Manual • July 2005

Chapter 7.

CODE EXAMPLE 2-2 shows a sample of a

CODE EXAMPLE 2-2 Sample Banner Message (Continued)

OS version: 5.10 Date: Fri Jul 1 22:27:15 EST 2005 ================================================================

You can control the display of banner messages using the JASS_LOG_BANNER environment variable. For more information on this environment variable, see

Chapter 7.

logDebug

This function displays debugging messages. Debugging messages have no type prefix, such as [FAIL] or [PASS]. Debugging messages are displayed only if the verbosity is at least 4 (Debug). The default is to not print debugging messages. For more information about verbosity levels, see

Arguments: $1 - String to print

Returns: None

Example Usage:

logDebug “Print first message for debugging.”

Chapter 7.

logError

This function displays error messages. Error messages are those that contain the string [ERR ].

Arguments: $1 - String to display as an error message

Returns: None

Example Usage:

logError “getScore: Score value is not defined.”

Example Output:

[ERR ] getScore: Score value is not defined.

Chapter 2 Framework Functions 19

You can control the display of error messages using the JASS_LOG_ERROR environment variable. For more information on this environment variable, see

Chapter 7.

logFailure

This function displays failure messages. Failure messages are those that contain the string [FAIL].

Arguments: $1 - String to display as an failure message

Returns: None

Example Usage:

logFailure "Package SUNWatfsr is installed."

Example Output:

[FAIL] Package SUNWatfsr is installed.

You can control the display of failure messages using the JASS_LOG_FAILURE environment variable. For more information on this environment variable, see

Chapter 7.

logFileContentsExist and logFileContentsNotExist

Use these functions to log messages associated with the results of file contents checks. These functions are used primarily by the check_fileContentsExist and check_fileContentsNotExist functions, although they can be used independently if necessary.

Arguments: $1 - File to test (string value)

$2 - Search pattern (string value) $3 - Vulnerability value (non-negative integer) $4 - Related information that you want displayed for users after a

PASS or FAIL message (optional)

20 Solaris Security Toolkit 4.2 Reference Manual • July 2005

Returns: Success or failure messages. You can control the display of these

messages using the JASS_LOG_FAILURE and JASS_LOG_SUCCESS environment variables. For more information on these environment variables, see Chapter 7.

Example Usage:

logFileContentsExist /etc/default/inetinit "TCP_STRONG_ISS=2" 0

Example Output:

[PASS] File /etc/default/inetinit has content matching TCP_STRONG_ISS=2.

logFileExists and logFileNotExists

Use these functions to log messages associated with the results of file checks. These functions are primarily used with the check_fileExists and check_fileNotExists functions, although they can be used independently if necessary.

Arguments: $1 - File to test (string value)

$2 - Vulnerability value (non-negative integer). If this argument is

passed a null string value, then the function reports the result in the form of a notice using the logNotice function. If the argument is 0, it reports the result as a pass with the logSuccess

function, otherwise as a failure with logFailure function.

$3 - Related information that you want displayed for users after a

PASS, FAIL, or NOTE message (optional).

Returns: Success or failure messages. You can control the display of these

messages using the JASS_LOG_FAILURE and JASS_LOG_SUCCESS environment variables. For more information on these environment variables, see Chapter 7.

Example Usage:

logFileExists /etc/issue

Chapter 2 Framework Functions 21

Example Output:

[NOTE] File /etc/issue was found.

logFileGroupMatch and logFileGroupNoMatch

Use these functions to log messages associated with the results of file group membership checks. These functions are used primarily by the check_fileGroupMatch and check_fileGroupNoMatch functions, although they can be used independently if necessary.

Arguments: $1 - File to test (string value)

$2 - Group to check $3 - Vulnerability value (non-negative integer) $4 - Related information that you want displayed for users after a

PASS or FAIL message (optional).

Returns: Success or failure messages. You can control the display of these

messages using the JASS_LOG_FAILURE and JASS_LOG_SUCCESS environment variables. For more information on these environment variables, see Chapter 7.

Example Usage:

logFileGroupMatch /etc/motd sys 0

Example Output:

[PASS] File /etc/motd has group sys.

logFileModeMatch and logFileModeNoMatch

Use these functions to log messages associated with the results of file permissions checks. These functions are used primarily by the check_fileModeMatch and check_fileModeNoMatch functions, although they can be used independently if necessary.

You can supply the following arguments to these functions:

22 Solaris Security Toolkit 4.2 Reference Manual • July 2005

Arguments: $1 - File to test (string value)

$2 - Permissions to check $3 - Vulnerability value (non-negative integer) $4 - Related information that you want displayed for users after a

PASS or FAIL message (optional).

Returns: Success or failure messages. You can control the display of these

messages using the JASS_LOG_FAILURE and JASS_LOG_SUCCESS environment variables. For more information on these environment variables, see Chapter 7.

Example Usage:

logFileModeMatch /etc/motd 0644 0

Example Output:

[PASS] File /etc/motd has mode 0644.

logFileNotFound

This function is used by the software to display “file not found” messages. This function is used in the Solaris Security Toolkit code in both hardening and audit runs to provide a standard message when a designated file was not found on the system.

You can supply the following arguments to this function:

■ String value representing the name of the file to test

■ Non-negative integer representing the vulnerability value result

If this argument is passed a null string value, then this function reports the result in the form of a notice using the logNotice function. Otherwise, it reports the result as a failure using the logFailure function.

■ String value representing related information that you want displayed for users

after a FAIL or NOTE message (optional)

Example Usage:

logFileNotFound /etc/motd

Chapter 2 Framework Functions 23

Example Output:

[NOTE] File /etc/issue was not found.

You can control the display of notice and failure messages using the JASS_LOG_NOTICE and JASS_LOG_FAILURE environment variables, respectively. For more information on these environment variables, see

Chapter 7.

logFileOwnerMatch and logFileOwnerNoMatch

Use these functions to log the messages associated with the results of file ownership checks. These functions are used primarily by the check_fileOwnerMatch and check_fileOwnerNoMatch functions, although they can be used independently if necessary.

You can supply the following arguments to these functions:

■ String value representing the name of the file to test

■ String value representing the ownership to check

■ Non-negative integer representing the vulnerability value result

■ String value representing related information that you want displayed for users

after a PASS or FAIL message (optional)

Example Usage:

logFileOwnerMatch /etc/motd root 0

Example Output:

[PASS] File /etc/motd has owner root.

These functions display either success or failure messages. You can control the display of these messages using the JASS_LOG_FAILURE and JASS_LOG_SUCCESS environment variables. For more information on these environment variables, see

Chapter 7.

24 Solaris Security Toolkit 4.2 Reference Manual • July 2005

logFileTypeMatch and logFileTypeNoMatch

Use these functions to log the messages associated with the results of file type checks. These functions are used primarily by the check_fileTypeMatch and check_fileTypeNoMatch functions, although they can be used independently if necessary.

You can supply the following arguments to these functions:

■ String value representing the name of the file to test

■ String value representing the file type to check

TABLE 2-1 lists the file types detected by the software:

TABLE 2-1 File Types Detected by Using the check_fileTypeMatch

Function

File Type Description

b Block special file

c Character special file

d Directory

D Door

f Regular file

l Symbolic link

p Named pipe (fifo)

s Socket

■ Non-negative integer representing the vulnerability value result

■ String value representing related information that you want displayed for users

after a PASS or FAIL message (optional)

Example Usage:

logFileTypeMatch /etc/motd f 0

Example Output:

[PASS] File /etc/motd is a regular file.

Chapter 2 Framework Functions 25

Chapter 7.

logFinding

This function displays audit finding messages. This function accepts a single string argument to be displayed as a message. The input for this function is processed by the printPrettyPath function prior to display. In addition, if the verbosity level is 2 (Brief) or higher, then optional tags are prepended to the message. The following are the optional tags that you can prepend using this function:

■ Timestamp – By default JASS_DISPLAY_TIMESTAMP is not defined. If the

JASS_DISPLAY_TIMESTAMP environment variable is 1 and if JASS_VERBOSITY is less than 3, then the timestamp as defined by the JASS_TIMESTAMP environment variable prepends to the finding message.

■ Target Host Name – By default JASS_DISPLAY_HOSTNAME is not defined. If the

JASS_DISPLAY_HOSTNAME environment variable is 1 and if JASS_VERBOSITY is

less than 3, then the target’s host name as defined by the JASS_HOSTNAME environment variable prepends to the finding message.

■ Current Script Name – By default JASS_DISPLAY_SCRIPTNAME is not defined. If

the JASS_DISPLAY_SCRIPTNAME environment variable is 1 and if JASS_VERBOSITY is less than 3, then the name of the current audit script prepends to the finding message.

Note – If the finding occurs outside of an audit script, such as within the flow of the

driver.run script, then the name of the driver is used.

You can use all three output tags collectively or independently. The order of the position in the resulting output line is as you listed them in the input line. For more information on this function and verbosity levels, see

Example Usage:

logFinding "/etc/motd"

Example Output:

test-script /etc/motd

26 Solaris Security Toolkit 4.2 Reference Manual • July 2005

Chapter 7.

logFormattedMessage

Use this function to generate formatted audit script headers that display information such as the script name, purpose, and rationale for the check. This function accepts a single string value and formats the message that is passed to the function.

These messages are reformatted as follows:

■ Maximum width of 75 characters

■ Prepended with the string “ # ” (pound symbol with a space before and after it)

■ Duplicate slashes in path names are removed

Formatted messages are displayed only when the verbosity level is at least 3 (Full). For more information on this function and verbosity levels, see

Example Usage:

logFormattedMessage "Check system controller secure shell configuration."

Example Output:

# Check system controller secure shell configuration.

Chapter 7.

logInvalidDisableMode

Use this function to display an error message when the JASS_DISABLE_MODE environment variable is set to an invalid value. This utility function reports on the state of the JASS_DISABLE_MODE environment variable. For more information on this environment variable, see

This function takes no arguments and generates the following output:

[ERR ] The JASS_DISABLE_MODE parameter has an invalid value: [...] [ERR ] value must either be “script” or “conf”.

Chapter 7.

Chapter 2 Framework Functions 27

logInvalidOSRevision

Use this function when either the check_os_revision or check_os_min_revision functions fail their checks. This utility function reports

when a function is being called on a version of the Solaris OS for which it does not apply. For example, use this function when there is an attempt to use a Solaris 10 OS script with the Solaris 8 OS.

Example Usage:

logInvalidOSRevision "5.10"

Example Output:

[NOTE] This script is only applicable for Solaris version 5.10.

To specify multiple versions, enter a hyphen (-) between versions, for example, “5.8-5.9.”

This function displays notice messages. You can control the display of messages using the JASS_LOG_NOTICE environment variable.

Note – Do not use the JASS_LOG_NOTICE environment variable on systems

running the Solaris 10 OS.

For more information on this environment variable, see Chapter 7.

logMessage

Use this function to display any message that you want to display to users. Use this function for messages that do not have any tags associated with them. This function is similar to the logFormattedMessage function, but displays an unformatted message. This function accepts a single string value that is displayed as is, with no modification.

Unformatted messages are only displayed if the verbosity level is at least 3 (Full). For more information on this function and verbosity levels, see

Example Usage:

logMessage "Verify system controller static ARP configuration."

28 Solaris Security Toolkit 4.2 Reference Manual • July 2005

Chapter 7.

Example Output:

Verify system controller static ARP configuration.

logNotGlobalZone

This function logs a message using logNotice that a script will not be run, because it must run in the global zone. In other words, the script cannot run in non-global zones.

Argument: None

Return: None

Example Usage:

logNotGlobalZone

logNotice

Use this function to display notice messages. This function accepts a single string value that is displayed as a notice message. Notice messages are those that contain the string [NOTE].

Example Usage:

logNotice "Service ${svc} does not exist in ${INETD}."

Example Output:

[NOTE] Service telnet does not exist in /etc/inetd.conf.

You can control the display of notice messages using the JASS_LOG_NOTICE environment variable. For more information on this environment variable, see

Chapter 7.

Chapter 2 Framework Functions 29

logPackageExists and logPackageNotExists

Use these functions to log the messages associated with the results of checks that determine if software packages are installed. These functions are used primarily by the check_packageExists and check_packageNotExists functions, although they can be used independently if necessary.

You can supply the following arguments to these functions:

■ String value representing the name of the software package to test

■ Non-negative integer representing the vulnerability value result

■ String value representing related information that you want displayed for users

after a PASS or FAIL message (optional)

Example Usage:

logPackageExists SUNWcsr 0

Example Output:

[PASS] Package SUNWcsr is installed.

Chapter 7.

logPatchExists and logPatchNotExists

Use these functions to log the messages associated with the results of checks that determine if software patches are installed. These functions are used primarily by the check_patchExists and check_patchNotExists functions, although they can be used independently if necessary.

You can supply the following arguments to these functions:

■ String value representing the patch identifier (number) to test

■ Non-negative integer representing the vulnerability value result

■ String value representing related information that you want displayed for users

after a PASS or FAIL message (optional)

30 Solaris Security Toolkit 4.2 Reference Manual • July 2005

Example Usage:

logPatchExists 123456-01 0

Example Output:

[PASS] Patch ID 123456-01 or higher is installed.

Chapter 7.

logProcessArgsMatch and logProcessArgsNoMatch

Use these functions to log the messages associated with the results of checks for runtime process arguments. These functions are used primarily by the check_processArgsMatch and check_processArgsNoMatch functions, although they can be used independently if necessary.

You can supply the following arguments to these functions:

■ String value representing the name of the process to test

■ String value representing the argument search pattern

■ Non-negative integer representing the vulnerability value result

■ String value representing related information that you want displayed for users

after a PASS or FAIL message (optional)

Example Usage:

logProcessArgsMatch inetd "-t" 0

Example Output:

[PASS] Process inetd found with argument -t.

Chapter 2 Framework Functions 31

Chapter 7.

logProcessExists and logProcessNotExists

Use these functions to log the messages associated with the results of checks for processes. These functions are used primarily by the check_processExists and check_processNotExists functions, although they can be used independently if necessary.

Arguments: $1 - Process name (string)

$2 - Vulnerability value (numeric) $3 - Related information that you want displayed for users after a

PASS or FAIL message (optional).

Example Usage:

logProcessExists nfsd 0

Example Output:

[PASS] Process nfsd was found.

Chapter 7.

logProcessNotFound

Use this function to log a FAIL message for any process that is not found. This function displays a standard “process not found” message when a designated process cannot be found on a system.

Arguments: $1 - Process name (string)

$2 - Related information that you want displayed for users after a

PASS or FAIL message (optional).

32 Solaris Security Toolkit 4.2 Reference Manual • July 2005

Example Usage:

logProcessNotFound inetd

Example Output:

[FAIL] Process inetd was not found.

You can control the display of these messages using the JASS_LOG_FAILURE environment variable. For more information on this environment variable, see

Chapter 7.

logScore

Use this function to report the number of errors found during an audit run.

Argument: $1 - String to associate with the report

$2 - Number of errors (string)

Returns: Number of errors found during an audit run.

Example Usage:

logScore “Script Total:” “0”

Example Output:

[PASS] Script Total: 0 Errors

logScriptFailure

Use this function to record a script failure to the corresponding script failure log.

Arguments: $1 - Type of failure:

“error” “warning” “note” “failure”

$2 - Count of the type of failure recorded (string).

Chapter 2 Framework Functions 33

Example Usage:

logScriptFailure “failure” 1

This example would record one failure to the ${JASS_REPOSITORY}/${JASS_TIMESTAMP}/jass-script-failures.txt file.

logServiceConfigExists and logServiceConfigNotExists

Use these functions to log the messages associated with the results of checks that determine if configuration files exist. These functions are used primarily by the check_serviceConfigExists and check_serviceConfigNotExists functions, although they can be used independently if necessary.

Arguments: $1 - Service name (string)

$2 - Vulnerability value (numeric) $3 - Related information that you want displayed for users after a

PASS or FAIL message (optional).

Example Usage:

logServiceConfigExists /etc/apache/httpd.conf 0

Example Output:

[PASS] Service Config File /etc/apache/httpd.conf was found.

Chapter 7.

logServiceDisabled and logServiceEnabled

Use these functions to log that the specified service was enabled or disabled in a uniform manner.

34 Solaris Security Toolkit 4.2 Reference Manual • July 2005

Arguments: $1 - Service name (string)

$2 - Vulnerability value (numeric) $3 - Related information that you want displayed for users after a

PASS or FAIL message (optional).

Example Usage:

logServiceDisabled “svc:/network/telnet:default” 0 ““

Example Output:

[PASS] Service svc:/network/telnet:default was not enabled.

logServiceInstalled and logServiceNotInstalled

Use these functions to log that the specified service was installed or not installed in a uniform manner. These functions are primarily used with the check_serviceEnabled and check_serviceDisabled functions, although they can be used independently if necessary.

Arguments: $1 - Service name (string)

$2 - Vulnerability value (numeric) $3 - Related information that you want displayed for users after a

PASS or FAIL message (optional).

Example Usage:

logServiceInstalled “svc:/network/telnet:default” 1 ““

Example Output:

[FAIL] Service svc:/network/telnet:default was installed.

Chapter 2 Framework Functions 35

logServiceOptionDisabled and logServiceOptionEnabled

Use this function to log whether a service had a specified option set to a particular value. This function is used with the check_serviceOptionDisabled and check_serviceOption Enabled functions.

Arguments: $1 - Process name (string)

$2 - Service property name (string) $3 - Service name (string) $4 - Service property value (string) $5 - Vulnerability value (numeric) $6 - Related information that you want displayed for users after a

PASS or FAIL message (optional)

Example Usage:

logServiceOptionEnabled “in.ftpd” “inetd_start/exec” “svc:/network/ftp” “-1” 0 ““

Example Output:

[PASS] Service in.ftpd of svc:/network/ftp property inetd_start/exec has option -1.

logServiceProcessList

Use this function to print a list of processes associated with an SMF service. For each process, three items are printed: the process ID, process user ID, and process command.

Arguments: $1 - SMF service

$2 - PASS or FAIL $3 - List of associated processes with process ID (pid), process user ID

(user), and process command (command).

Example Usage:

logServiceProcessList svc:/network/telnet 0 “245 root in.telnetd”

36 Solaris Security Toolkit 4.2 Reference Manual • July 2005

Example Output:

[PASS] Service svc:/network/telnet was found running (pid 245, user root, command in.telnetd).

logServicePropDisabled and logServicePropEnabled

Use this function to log whether a service had a specified option set to enabled or disabled. These functions are primarily used with the check_serviceOptionEnabled and check_serviceOptionDisabled functions, although they can be used independently if necessary.

Arguments: $1 - Service name (string)

$2 - Property name (string) $3 - Property value (string) $4 - Vulnerability value (numeric) $5 - Related information that you want displayed for users after a

PASS or FAIL message (optional)

Example Usage:

logServicePropDisabled svc:/network/ftp enable_tcpwrappers enabled 1 ““

Example Output:

[FAIL] Service svc:/network/ftp property enable_tcpwrappers was enabled.

logServiceRunning and logServiceNotRunning

Use this function to log whether a specific service is running. These functions are primarily used with the check_serviceRunning and check_serviceNotRunning functions, although they can be used independently if necessary

Chapter 2 Framework Functions 37

Arguments: $1 - Service name (string)

$2 - Vulnerability value (numeric) $3 - Process list (optional) $4 - Related information that you want displayed for users after a

PASS or FAIL message (optional)

Example Usage:

logServiceRunning svc:/network/ftp 1

Example Output:

[FAIL] Service svc:/network/ftp was not running.

logStartScriptExists and logStartScriptNotExists

Use these functions to log the messages associated with the results of checks that determine if run-control start scripts exist. These functions are used primarily by the check_startScriptExists and check_startScriptNotExists functions, although they can be used independently if necessary.

Arguments: $1 - Start script to test (string)

$2 - Vulnerability value (numeric) $3 - Related information that you want displayed for users after a

PASS or FAIL message (optional).

Example Usage:

logStartScriptExists /etc/rc3.d/S89sshd 0

Example Output:

[PASS] Start Script /etc/rc3.d/S89sshd was found.

Chapter 7.

38 Solaris Security Toolkit 4.2 Reference Manual • July 2005

logStopScriptExists and logStopScriptNotExists

Use these functions to log the messages associated with the results of checks that determine if run-control stop scripts exist. These functions are used primarily by the check_stopScriptExists and check_stopScriptNotExists functions, although they can be used independently if necessary.

Arguments: $1 - Stop script to test (string)

$2 - Vulnerability value (numeric) $3 - Related information that you want displayed for users after a

PASS or FAIL message (optional).

Example Usage:

logStopScriptExists /etc/rc2.d/K03sshd 0

Example Output:

[PASS] Stop Script /etc/rc2.d/K03sshd was found.

Chapter 7.

logSuccess

Use this function to display success messages. This function accepts a single string value that is displayed as an audit success message. Success messages are those that contain the string [PASS].

Example Usage:

logSuccess "Package SUNWsshdr is installed."

Example Output:

[PASS] Package SUNWsshdr is installed.

Chapter 2 Framework Functions 39

You can control the display of success messages using the JASS_LOG_SUCCESS environment variable. For more information on this environment variable, see

Chapter 7.

logSummary

Use this function to display summary information from a Solaris Security Toolkit run. The function takes arguments of the driver to compare the run against, and the number of scripts run.

Example Usage:

logSummary undo.driver 61

Example Output:

============================================================================== [SUMMARY] Results Summary for UNDO run of jass-execute [SUMMARY] The run completed with a total of 91 scripts run. [SUMMARY] There were Failures in 0 Scripts [SUMMARY] There were Errors in 0 Scripts [SUMMARY] There was a Warning in 1 Script [SUMMARY] There were Notes in 61 Scripts

[SUMMARY] Warning Scripts listed in: /var/opt/SUNWjass/run/20050616052247/jass-undo-script-warnings.txt [SUMMARY] Notes Scripts listed in: /var/opt/SUNWjass/run/20050616052247/jass-undo-script-notes.txt ==============================================================================

logUserLocked and logUserNotLocked

Use this function to log whether the specific user account was locked. These functions are used primarily by the check_userLocked and check_userNotLocked functions, although they can be used independently if necessary.

Arguments: $1 - User name (string)

$2 - Vulnerability value (numeric) $3 - Related information that you want displayed for users after a

PASS or FAIL message (optional)

40 Solaris Security Toolkit 4.2 Reference Manual • July 2005

Example Usage:

logUserLocked “uucp” 1

Example Output:

[FAIL] User uucp was not locked.

logUndoBackupWarning

Use this function to log a general warning about the consequences of an undo run.

Example Usage:

logUndoBackupWarning

Example Output:

[WARN] Creating backup copies of some files may cause unintended effects. [WARN] This is particularly true of /etc/hostname.[interface] files as well as crontab files in /var/spool/cron/crontabs.

logWarning

Use this function to display warning messages. This function accepts a single sting value that is displayed as a warning message. Warning messages are those that contain the string [WARN].

Example Usage:

logWarning "User ${acct} is not listed in ${JASS_PASSWD}."

Example Output:

[WARN] User abc is not listed in /etc/passwd.

Chapter 2 Framework Functions 41

You can control the display of warning messages using the JASS_LOG_WARNING environment variable. For more information on this environment variable, see

Chapter 7.

Using Common Miscellaneous Functions

These functions are for common miscellaneous functions that are used within several areas of the Solaris Security Toolkit software and are not specific to functionality provided by other framework functions (files ending with the .funcs suffix). These functions are in the Drivers directory in a file called

common_misc.funcs. Common utility functions, such as isNumeric and printPretty, are included in this file.

This section describes the common miscellaneous functions.

■ “adjustScore” on page 42

■ “checkLogStatus” on page 43

■ “clean_path” on page 43

■ “extractComments” on page 44

■ “get_driver_report” on page 44

■ “get_lists_conjunction” on page 44

■ “get_lists_disjunction” on page 45

■ “invalidVulnVal” on page 45

■ “isNumeric” on page 46

■ “printPretty” on page 46

■ “printPrettyPath” on page 46

■ “strip_path” on page 47

adjustScore

Note – This function applies only to audit runs.

Use this function to increase the score outside of the methods provided by the functions defined in the audit_public.funcs file. For example, there might be times when only the audit script can determine a failure. In those cases, use this function to adjust the score, accounting for the failure. If you do not supply a value, the function logs an error message and does not adjust the score.

Argument: $1 - Value to add to current score for an audit script (positive integer)

42 Solaris Security Toolkit 4.2 Reference Manual • July 2005

Return: None

Example Usage:

adjustScore 1

checkLogStatus

Note – This function applies only to audit operations.

Use this function to determine whether the calling function is requesting to log its results.

Argument: $1 - Value of the logging parameter

Return: 0 - No output is requested to be logged by the calling function

1 - Value is LOG, indicating calling function requests to log its results

Example Usage:

checkLogStatus “${_logParameter}”

clean_path

Use this function to remove redundant forward slash characters (/) from a file name. This function is used to clean up path names before they are displayed to the user or before they are placed in logs.

Argument: $1 - Path to be cleaned

Return: Returns value in $1 after any duplicate forward slash characters (/)

have been removed.

Example Usage:

newPath=‘clean_path “${oldPath}”‘

Chapter 2 Framework Functions 43

extractComments

Use this function to remove comments from a file or script. This function defines a comment as any substring of text that begins with a number symbol (#) and continues to the end of the line.

Arguments: $1 - List of tokens, such as script names or file names

Return: Removes any text that is commented out.

Example Usage:

FinishScripts=‘extractComments “${JASS_FILES}”‘

get_driver_report

Use this function to read a log file and return the number of scripts that reported an error or warning.

Argument: $1 - Log file to check

Returns: 255 - Unspecified failure

0 - Success 1 - Log file was not readable

Example Usage:

failures=‘get_driver_report “{JASS_SCRIPT_FAIL_LOG}”‘

get_lists_conjunction

Use this function to take lists A and B, and return list C consisting of elements in both A and B.

Arguments: $1 - listA, consisting of white-space–separated tokens

$2 - listB, consisting of white-space–separated tokens

Returns: List C containing all elements in both List A and List B.

44 Solaris Security Toolkit 4.2 Reference Manual • July 2005

Example Usage:

SvcsToLog=‘get_lists_conjunction “${JASS_SVCS_DISABLE}” “${JASS_SVCS_ENABLE}”‘

get_lists_disjunction

Use this function to take lists A and B, and return list C consisting of those elements in list A that are not present in list B.

Arguments: $1 - listA, consisting of white-space–separated tokens

$2 - listB, consisting of white-space–separated tokens

Returns: List C containing those elements in list A that are not present in list B.

Example Usage:

SvcsToDisable=‘get_lists_disjunction “${JASS_SVCS_DISABLE}” “${JASS_SVCS_ENABLE}”‘

invalidVulnVal

Note – This function applies only to audit operations.

Use this function to determine if vulnerability value arguments are positive integers. This function logs an error message for each failure. This function is necessary to determine where there might be an invalid argument supplied to a function as a vulnerability value. In all other aspects, this function behaves like its isNumeric counterpart.

Argument: $1 - Vulnerability to be checked

Returns: 0 - Vulnerability is positive integer

1 - Vulnerability is not positive integer

Example Usage:

invalidVulnVal “${testVulnerability}”

Chapter 2 Framework Functions 45

isNumeric

Use this function to determine if string arguments are positive integers. It is used throughout the software by helper functions whenever input must be validated to ensure that it consists of a single positive integer. If the value is a positive integer, this function displays 0, otherwise it displays 1.

Argument: $1 - String to be checked

Returns: 0 - String is positive integer

1 - String is not positive integer

Example Usage:

isNumeric “${testString}”

printPretty

Use this function to format printed output so that it is easier to read. This function accepts an unformatted input string and processes it. The resulting string is wrapped at 72 characters, with each line of output indented by three characters.

Argument: $1 - String to be printed

Returns: None

Example Usage:

printPretty “${CommentHeader}”

printPrettyPath

Use this function to format path names. This function accepts as input an unformatted path name. This function strips any redundant forward slashes from the input string, then displays the result. If the string is empty, then the keyword <No Value> is displayed in its place.

Argument: $1 - String to be printed

Returns: None

46 Solaris Security Toolkit 4.2 Reference Manual • July 2005

Example Usage:

printPrettyPath “${PathToLogFile}”

strip_path

Use this function to remove the JASS_ROOT_DIR prefix from the file name. This function accepts as input a single string argument and returns the same value after removing the JASS_ROOT_DIR prefix and replacing it with a single forward slash character (/). This function is used with the add_to_manifest function when storing path names in the JASS manifest file.

Argument: $1 - File path to be cleaned

Returns: None

Example Usage:

StrippedString=‘strip_path “${JASS_ROOT_DIR}/etc/motd”‘

Using Driver Functions

These functions are for driver functionality. These functions are in the

driver_public.funcs file, located in the Drivers directory. Functions such as add_pkg and copy_a_file are in this file.

When customizing or creating scripts, use the following functions to perform standard operations.

■ “add_crontab_entry_if_missing” on page 48

■ “add_option_to_ftpd_property” on page 49

■ “add_patch” on page 50

■ “add_pkg” on page 50

■ “add_to_manifest” on page 51

■ “backup_file” on page 53

■ “backup_file_in_safe_directory” on page 54

■ “change_group” on page 54

■ “change_mode” on page 54

■ “change_owner” on page 55

■ “check_and_log_change_needed” on page 55

■ “check_os_min_version” on page 56

Chapter 2 Framework Functions 47

■ “check_os_revision” on page 57

■ “check_readOnlyMounted” on page 58

■ “checksum” on page 58

■ “convert_inetd_service_to_frmi” on page 58

■ “copy_a_dir” on page 59

■ “copy_a_file” on page 59

■ “copy_a_symlink” on page 59

■ “copy_files” on page 60

■ “create_a_file” on page 62

■ “create_file_timestamp” on page 63

■ “disable_conf_file” on page 63

■ “disable_file” on page 63

■ “disable_rc_file” on page 64

■ “disable_service” on page 65

■ “enable_service” on page 65

■ “find_sst_run_with” on page 65

■ “get_expanded_file_name” on page 66

■ “get_stored_keyword_val” on page 66

■ “get_users_with_retries_set” on page 67

■ “is_patch_applied and is_patch_not_applied” on page 67

■ “is_service_enabled” on page 68

■ “is_service_installed” on page 68

■ “is_service_running” on page 69

■ “is_user_account_extant” on page 69

■ “is_user_account_locked” on page 70

■ “is_user_account_login_not_set” on page 70

■ “is_user_account_passworded” on page 71

■ “lock_user_account” on page 71

■ “make_link” on page 71

■ “mkdir_dashp” on page 72

■ “move_a_file” on page 72

■ “rm_pkg” on page 73

■ “set_service_property_value” on page 73

■ “set_stored_keyword_val” on page 73

■ “unlock_user_account” on page 74

■ “update_inetconv_in_upgrade” on page 74

■ “warn_on_default_files” on page 75

■ “write_val_to_file” on page 75

add_crontab_entry_if_missing

Note – This function is used only for SMF in the Solaris 10 OS.

48 Solaris Security Toolkit 4.2 Reference Manual • July 2005

Use this function to add crontab line $3 to the crontab if program $2 is not in user’s $1 crontab. If $4 is zero, backs up the crontab file before modifying (see Example Usage). The function ignores crontab comment lines.

Arguments: $1 - User ID of crontab to be modified

$2 - Program to add to crontab (full path name) $3 - crontab line to add if $2 is not present in the crontab file $4 - If zero, call backup_file before modifying (else the file was

created or already backed up.)

Returns: 1 - If the crontab file was backed up; otherwise, passes back the

argument $4 unmodified.)

Example Usage:

add_crontab_entry_if_missing ’root’ ’/usr/lib/acct/dodisk’ ’0 2 * * 4 /usr/lib/acct/dodisk’ 0

add_option_to_ftpd_property

Note – This function is used only for SMF in Solaris 10 and applies to the ftp

daemon only (options -1 or -a).

Caution – If you find the function add_option_to_gl_property or

add_option_to_smf_property, rename the function to add_option_to_ftpd_property.

Use this function to add an option to the SMF-enabled in.ftpd service property value in Solaris 10 OS. Only call this function for a hardening operation. This function writes to the Solaris Security Toolkit manifest file for an undo operation.

Argument: $1 - Option to add to the start command: a or 1 (for use with

ftpaccess(4) and log ftp session, respectively)

Returns: None

Example Usage:

add_option_to_ftpd_property “a”

Chapter 2 Framework Functions 49

add_patch

Use this function to add Solaris OS patches to the system. By default, this function expects that the patches installed are located in the JASS_PATCH_DIR directory.

TABLE 2-2 lists the options for this function.

TABLE 2-2 Options for add_patch Finish Script Function

Option Description

-o options Options to be passed on

-M patchdir Fully qualified path to the source directory

patchlist List of patches or name of file containing a list of patches to apply

Example Usage:

add_patch 123456-01 add_patch -M ${JASS_PATCH_DIR}/OtherPatches patch_list.txt

add_pkg

Use this function to add Solaris OS packages to the system. By default, this function expects that the packages are located in the JASS_PACKAGE_DIR directory and that these packages are in one of the standard Sun formats, spooled directories, or package stream files. This function automatically adds the necessary manifest entries to permit this operation to be reversed during an undo run. During an undo run, packages added using this function are removed from the system. options for this function.

TABLE 2-3 lists the

TABLE 2-3 Options for add_pkg Function

Option Description

-a ask_file pkgadd ask file name. By default, the pkgadd ask file, noask_pkgadd, is used if no other file is specified.

-d src_loc Fully qualified path to the source package (streams or directory) to

be installed

-o options pkgadd command options

package Package to be installed

50 Solaris Security Toolkit 4.2 Reference Manual • July 2005

Example Usage:

add_pkg ABCtest add_pkg -d ${JASS_ROOT_DIR}/${JASS_PACKAGE_DIR}/SUNWjass.pkg SUNWjass

add_to_manifest

Use this function to manually insert entries into a manifest file during hardening runs without calling one of the helper functions. This approach is most often used when a command must be executed for the undo operation to complete. Use this option with care to protect the integrity of the system and the Solaris Security Toolkit repository.

The add_to_manifest command uses the following syntax:

add_to_manifest operation src dst args

This command puts an entry in the JASS_RUN_MANIFEST file in JASS_REPOSITORY/jass-manifest.txt, which is critical to the ability to undo

the changes made by a finish script.

Note – Not all of the operations used by the Solaris Security Toolkit support each of

these arguments. The meaning of the options for src, dst, and args can differ based on the operation selected, as discussed in TABLE 2-4.

The operations supported by the add_to_manifest function are listed in TABLE 2-4. This table includes a sample resulting manifest entry after each option.

Chapter 2 Framework Functions 51

Caution – Exercise extreme caution when using the X manifest option. The

commands specified by this operation are executed during an undo run of the Solaris Security Toolkit as the root user. If you are not careful, you could cause data loss or render a target system unstable. For example, an X manifest entry of rm -rf/ would delete the system’s root partition during an undo run.

TABLE 2-4 add_to_manifest Options and Sample Manifest Entries

Option Description

C Indicates a file was copied. In this case, the src and dst parameters represent

the original and copied file names, respectively. No other arguments are used.

install-templates.fin /etc/syslog.conf /etc/ \ syslog.conf.JASS.20020823230626

D Indicates a directory was created. In this case, the src parameter represents the

name of the newly created directory. No other arguments are used.

disable-lp.fin /var/spool/cron/crontabs.JASS

J Indicates a new file was created on the system. This operation is used only when

the file specified by the src parameter does not exist on the system. During an undo run, files tagged with this operation code are removed. This operation uses both the src and dst parameters to represent the original name of the file and its saved file name (which must include the JASS_SUFFIX).

disable-power-mgmt.fin /noautoshutdown \ /noautoshutdown.JASS.20020823230629

M Indicates a file was moved. In this case, the src and dst parameters represent

the original and moved file names, respectively. No other arguments are used.

disable-ldap-client.fin /etc/rcS.d/K41ldap.client \ /etc/rcS.d/_K41ldap.client.JASS.20020823230628

52 Solaris Security Toolkit 4.2 Reference Manual • July 2005

TABLE 2-4 add_to_manifest Options and Sample Manifest Entries (Continued)

Option Description

R Indicates a file was removed from the system. In this case, the src parameter

represents the name of the file that was removed. Files marked with this operation code cannot be restored using the Solaris Security Toolkit undo command.

S Indicates a symbolic link was created. In this case, the src and dst parameters

represent the source and target file names, respectively. During an undo run, the symbolic links for files tagged with this operation are removed from the system.

install-templates.fin ../init.d/nddconfig /etc/rc2.d/ \ S70nddconfig

X Indicates a command was defined that should be run when the Solaris Security

Toolkit processes a manifest entry that has this operation code. A special operation, this one is most often used to execute complex commands that go beyond the standard operations. For example, in the install-fix-modes.fin finish script, the following manifest entry is added to instruct the software to undo changes made by the Fix Modes program:

/opt/FixModes/fix-modes -u This command instructs the software to run the fix-modes program with the -u

option. Note that all commands processed by this operation code should be specified using an absolute path to the program.

backup_file

Use this function to back up an existing file system object. This function backs up the original file using a standard naming convention. The convention appends JASS_SUFFIX to the original file name. This function automatically adds the necessary manifest entries to permit this operation to be reversed during an undo run.

The JASS_SAVE_BACKUP variable specifies if the Solaris Security Toolkit software saves or does not save backup copies of files modified during a run. If this environment variable is set to 0, then this function does not save backup files on the system. If files are not saved, then the run cannot be reversed by using the undo command.

Example Usage:

backup_file /etc/motd

Chapter 2 Framework Functions 53

backup_file_in_safe_directory

Use this function to disable files that cannot be stored in their original directory (see

“disable_file” on page 63 for more information) and to leave a copy of the files

in place for further editing, as well as moving the originals. This includes all files in directories /etc/skel/, /var/spool/cron/crontabs/, /etc/init.d/, and /etc/rcx.d/.

Arguments: $1 - Fully qualified path to source file

$2 - If set to “-u” for an undo file, the prior timestamp is

stripped from the file name.

Returns: None

Example Usage:

backup_file_in_safe_directory ${JASS_ROOT_DIR}etc/rcS.d/S42coreadm

change_group

Use this function to change the file group ownership. This function automatically adds the necessary manifest entries to be reversed during an undo run.

Arguments: $1 - Group ID of file owner

$2 - One or more files for which to change group ownership (must be

a regular or special file or directory, not a soft link.

Returns: 0 - If the file now has the correct group ownership

non-zero - If no file or file permission was specified, or chown failed

Example Usage:

change_group root ${JASS_ROOT_DIR}var/core

change_mode

Use this function to change the permissions mode of a file. This function automatically adds the necessary manifest entries to be reversed during an undo run.

54 Solaris Security Toolkit 4.2 Reference Manual • July 2005

Arguments: $1 - File permissions in octal chmod(1) format (for example, 0700)

$2 - One or more files for which to chmod (must be a regular or special

file or directory, not a soft link.

Returns: 0 - If the file now has the correct ownership

non-zero - If no file or file permission was specified, or chown failed

Example Usage:

change_mode 0700 ${JASS_ROOT_DIR}var/core

change_owner

Use this function to change the file ownership and, optionally, the group. This function automatically adds the necessary manifest entries to be reversed during an undo run.

Arguments: $1 - User ID of file owner

$2 - One or more files for which to change ownership (must be a

regular or special file or directory, not a soft link.

Returns: 0 - If the file now has the correct ownership

non-zero - If no file or file permission was specified, or chown failed

Example Usage:

change_owner root:root ${JASS_ROOT_DIR}var/core change_owner root ${JASS_ROOT_DIR}var/core

check_and_log_change_needed

Use this function to keep your finish scripts clean by moving a common operation, checking and storing the current value in a file, into a framework function. This function is most useful to you if you are a finish script writer and will be repeatedly checking variables in a single file.

This function checks and logs a parameter separated by an equal sign (=) in a file. If the new value is set, the global variable new_var is set to the new value. Otherwise, new_var is set to the value currently existing in the file. If the most recent value is different from the previous value, a log message is printed, and the global variable change_needed is incremented.

Chapter 2 Framework Functions 55

Use this function with the write_val_to_file function (see

“write_val_to_file” on page 75).

Arguments: $1 - File name

$2 - Keyword in the file $3 - New value

Returns: Sets the global environment variable new_var to the new value,

unless it is empty, in which case it is set to the value in the file, or ““ if it is not set.

Example Usage:

change_needed="0" check_and_log_change_needed "/etc/default/passwd" "MINALPHA" "${JASS_PASS_MINALPHA}" minalpha="${new_var}" check_and_log_change_needed "/etc/default/passwd" "MINLOWER" "${JASS_PASS_MINLOWER}" minlower="${new_var}"

if [ "${change_needed}" != "0" ]; then ...

check_os_min_version

Use this function to detect functionality that exists in multiple releases of the Solaris OS. This function takes only one argument, indicating the minimal OS release version. If the actual release of the OS on the target platform is greater than or equal to the argument, then the function returns 0, otherwise this function returns 1. If an error is encountered, then this function returns 255.

For example, this function can be used as shown in CODE EXAMPLE 2-3.

CODE EXAMPLE 2-3 Detecting Functionality That Exists in Multiple OS Releases

if check_os_min_revision 5.10 ; then disable_service svc:/network/dns/server:default elif check_os_min_revision 5.7 ; then disable_conf_file ${JASS_ROOT_DIR}etc named.conf else disable_conf_file ${JASS_ROOT_DIR}etc named.boot fi

56 Solaris Security Toolkit 4.2 Reference Manual • July 2005

In this example, Domain Name System (DNS) service is disabled with an SMF FMRI, which was first available in the Solaris 10 OS. Otherwise, DNS is disabled by renaming /etc/named.conf for the Solaris 7 OS and /etc/named.boot for the Solaris 2.6 OS or earlier.

check_os_revision

Use this function to check for a specific OS revision or range of values. This function can take either one or two arguments. If one argument is supplied, then the script returns 0 only if the target operating system revision is the same as the argument, otherwise it returns 1.

Similarly, if two arguments are provided, the target operating system revision must be between the two values inclusively for the result to be 0. In either case, if an error is encountered, this function returns a value of 255.

For example, this function can be used as shown in CODE EXAMPLE 2-4.

CODE EXAMPLE 2-4 Checking for a Specific OS Revision or Range

if check_os_revision 5.5.1 5.8; then if [ "${JASS_DISABLE_MODE}" = "conf" ]; then disable_conf_file ${JASS_ROOT_DIR}/etc asppp.cf elif [ "${JASS_DISABLE_MODE}" = "script" ]; then if [ "${JASS_KILL_SCRIPT_DISABLE}" = "1" ]; then disable_rc_file ${JASS_ROOT_DIR}/etc/rcS.d K50asppp disable_rc_file ${JASS_ROOT_DIR}/etc/rc0.d K47asppp disable_rc_file ${JASS_ROOT_DIR}/etc/rc0.d K50asppp disable_rc_file ${JASS_ROOT_DIR}/etc/rc1.d K47asppp disable_rc_file ${JASS_ROOT_DIR}/etc/rc1.d K50asppp fi disable_rc_file ${JASS_ROOT_DIR}/etc/rc2.d S47asppp fi else logInvalidOSRevision "5.5.1-5.8" fi

In this example, the script disables only its scripts or configuration files, based on the value of JASS_DISABLE_MODE, when the target OS revision is or falls between Solaris OS versions 2.5.1 (SunOS 5.1) and 8 (SunOS 5.8) inclusively.

Chapter 2 Framework Functions 57

check_readOnlyMounted

Use this function to determine whether the file specified is mounted on a read-only file system.

Argument: $1 - File to check

Returns: 255 - Error occurred

0 - File system that file $1 is in is mounted as read only. 1 - File system that file $1 is in is not mounted as read only

Example Usage:

check_readOnlyMounted /usr/bin/ls

checksum

Use this function to calculate the checksum for a file. This function takes a single string value that represents the file for which the checksum is being calculated.

■ For the Solaris 10 OS, this function uses the Solaris digest program to calculate the

MD5 checksum.

■ For the Solaris 9 OS or earlier, this function uses the Solaris cksum program to

calculate the checksum, then outputs a value in the format checksum:number of octets.

CODE EXAMPLE 2-5 Checksum Output From MD5 in Solaris 10 OS

checksum file-name

5b7dff9afe0ed2593f04caa578a303ba

convert_inetd_service_to_frmi

Use this function to convert an inetd service name in the /etc/inet/inetd.conf file to an SMF FMRI for use by the inetconv(1M) command. This function only uses legacy inetd service names in /etc/inet/inetd.conf, not on SMF FMRIs. The converted FMRI prints to standard output.

Argument: $1 - inetd service name to be converted.

Returns: 0 - Success

1 - Failure

58 Solaris Security Toolkit 4.2 Reference Manual • July 2005

Example Usage:

tooltalk_fmri=‘convert_inetd_service_to_fmri 100083‘

copy_a_dir

Use this function to recursively copy the contents of a directory. This function takes two arguments, a source directory name and a destination directory name. This function copies the contents of the source directory to the directory specified by the destination parameter. This function creates the new directory if it does not already exist. This function automatically adds the necessary manifest entries to permit this operation to be reversed during an undo run.

Example Usage:

copy_a_dir /tmp/test1 /tmp/test2

copy_a_file

Use this function to copy exactly one regular file. This function takes two arguments: a source file name and a destination file name. This function copies the contents of the source file to the file name specified by the destination parameter. This function automatically adds the necessary manifest entries to permit this operation to be reversed during an undo run.

Example Usage:

copy_a_file /tmp/test-file-a /tmp/test-file-b

copy_a_symlink

Use this function to copy a symbolic link to the target platform. This function takes two arguments: a source link name and a destination file name. This function creates a new symbolic link based on the source link specified using the new file name passed as the destination parameter. This function automatically adds the necessary manifest entries to permit this operation to be reversed during an undo run.

Chapter 2 Framework Functions 59

Example Usage:

copy_a_symlink /tmp/test-link-a /tmp/test-link-b

copy_files

Use this function to copy a set of file system objects from the JASS_HOME_DIR/Files directory tree to a target system. This function uses the following copy functions to ensure that the changes made can be reversed during an undo run:

■ copy_a_dir

■ copy_a_file

■ copy_a_symlink

This function is capable of copying regular files, directories, and symbolic links.

Example Usages:

copy_files /etc/init.d/nddconfig

copy_files "/etc/init.d/nddconfig /etc/motd /etc/issue"

This function extends capability by permitting the selective copy of files based on tags appended to their file names that contain the values specified by environment variables. (See

Chapter 7 for detailed information about all of the environment

variables.)

The files that are copied by this function are selected by the following criteria, which are listed in the order of precedence used to match. For example, if a host-specific and generic file both exist, the host-specific file is used if the name of a target system matches the host name defined by the host-specific file. The following examples use /opt/SUNWjass as the home directory specified in the JASS_HOME_DIR environment variable, but you might have specified a different home directory. In our examples, the directory tree being searched is /opt/SUNWjass/Files/.

Note – The copy_files function ignores any objects listed that are not found in the

JASS_HOME_DIR/Files directory tree.

1.Host-speciﬁc version - /opt/SUNWjass/Files/file.JASS_HOSTNAME

60 Solaris Security Toolkit 4.2 Reference Manual • July 2005

In this option, the software copies the file only if the name of the host target platform matches the value specified by the JASS_HOSTNAME environment variable. For example, if the file name is etc/issue and the JASS_HOSTNAME is

eng1, a file copied under this criteria would be:

/opt/SUNWjass/Files/etc/issue.eng1

2. Keyword + OS-specific version -

/opt/SUNWjass/Files/file-JASS_FILE_COPY_KEYWORD+ JASS_OS_VERSION

In this option, the software copies the file only if the name of the keyword and OS version match the values specified by the JASS_FILE_COPY_KEYWORD and the JASS_OS_VERSION environment variables.

For example, if the file being searched for is /etc/hosts.allow,

JASS_FILE_COPY_KEYWORD is “secure” (for secure.driver), and the JASS_OS_VERSION is 5.10, a file copied under this criteria could be:

/opt/SUNWjass/Files/etc/hosts.allow-secure+5.10

3. Keyword-specific version -

/opt/SUNWjass/Files/file-JASS_FILE_COPY_KEYWORD

In this option, the software copies the file only if the keyword matches the value specified by the JASS_FILE_COPY_KEYWORD environment variable. For example, if the JASS_FILE_COPY_KEYWORD is “server”, a file copied under this criteria could be:

/opt/SUNWjass/Files/etc/hosts.allow-server

4. OS-specific version - /opt/SUNWjass/Files/file+JASS_OS_REVISION In this option, the software copies the file only if the OS revision of the target

platform matches the value specified by the JASS_OS_REVISION environment variable. For example, if the file being searched for is /etc/hosts.allow and

JASS_OS_REVISION is “5.10”, a file copied under this criteria could be:

/opt/SUNWjass/Files/etc/hosts.allow+5.10

5. Generic version - /opt/SUNWjass/Files/file In this option, the software copies the file to a target system. For example, if the file name is etc/hosts.allow, a file copied under this

criteria would be:

/opt/SUNWjass/Files/etc/hosts.allow

6. Source file is of size 0 - When the file length/size is zero, the file is not copied to the system.

Chapter 2 Framework Functions 61

create_a_file

Use this function to create an empty file on a target system. This function uses a combination of the touch, chown, and chmod commands to create an empty file with a specific owner, group, and set of permissions.

Note – This function does not adjust permissions or ownerships on a file that exists.

This function creates a file with specific permissions.

Example Usage:

create_a_file -o guppy:staff -m 750 /usr/local/testing

In this example, a file called testing is created in the /usr/local directory, owned by guppy and group of staff, with permissions 750. This function accepts the options listed in

TABLE 2-5 create_a_file Command Options

Option Valid Input

[-o user[:group]] Follows syntax of chown(1) and accepts user

[-m perms] Follows syntax of chmod(1) and accepts perms

/some/fully/qualified/path/file The fully qualified path to the file

TABLE 2-5.

and user:group

Example Usages:

create_a_file /usr/local/testing

create_a_file -o root /usr/local/testing

create_a_file -o root:sys /usr/local/testing

create_a_file -o root -m 0750 /usr/local/testing

62 Solaris Security Toolkit 4.2 Reference Manual • July 2005

Sun Microsystems Solaris Security Toolkit Reference Manual

Specifications and Main Features

Frequently Asked Questions

User Manual

Contents

Tables

Code Samples

Preface

SMF and Legacy Services on Solaris 10 OS

Scripts That Use the SMF-Ready Services Interface

Scripts That SMF Recognizes as Legacy Services

Scripts Not Used for Solaris 10

Environment Variables Not Used for Solaris 10

Using Solaris 10 OS Zones

Harden a Non-Global Zone From Within That Zone

Some Scripts Are Not Relevant to Non-Global Zones

Audits of Non-Global Zones Are Separate and Distinct From Audits of Global Zones

Zone-Aware Finish and Audit Scripts

Some Zone-Aware Scripts Require Action Before Use in Non-Global Zones

rpcbind Disabled or Enabled Based on Drivers

Using TCP Wrappers

CODE EXAMPLE 1-4 TCP Wrappers Configuration for suncluster3x-secure.driver

Defining Environment Variables

Earlier Solaris Security Toolkit Versions

Solaris Security Toolkit 4.2

Framework Functions

Customizing Framework Functions

Using Common Log Functions

logBanner

logDebug

logError

logFailure

logFileContentsExist and logFileContentsNotExist

logFileExists and logFileNotExists

logFileGroupMatch and logFileGroupNoMatch

logFileModeMatch and logFileModeNoMatch

logFileNotFound

logFileOwnerMatch and logFileOwnerNoMatch

logFileTypeMatch and logFileTypeNoMatch

logFinding

logFormattedMessage

logInvalidDisableMode

logInvalidOSRevision

logMessage

logNotGlobalZone

logNotice

logPackageExists and logPackageNotExists

logPatchExists and logPatchNotExists

logProcessArgsMatch and logProcessArgsNoMatch

logProcessExists and logProcessNotExists

logProcessNotFound

logScore

logScriptFailure

logServiceConfigExists and logServiceConfigNotExists

logServiceDisabled and logServiceEnabled

logServiceInstalled and logServiceNotInstalled

logServiceOptionDisabled and logServiceOptionEnabled

logServiceProcessList

logServicePropDisabled and logServicePropEnabled

logServiceRunning and logServiceNotRunning

logStartScriptExists and logStartScriptNotExists

logStopScriptExists and logStopScriptNotExists

logSuccess

logSummary

logUserLocked and logUserNotLocked

logUndoBackupWarning

logWarning

Using Common Miscellaneous Functions

adjustScore

checkLogStatus

clean_path

extractComments

get_driver_report

get_lists_conjunction

get_lists_disjunction

invalidVulnVal

isNumeric

printPretty

printPrettyPath

strip_path