Sun Microsystems Solaris Security Toolkit Administration Guide

Solaris™ Security Toolkit
4.2 Administration Guide
Sun Microsystems, Inc. www.sun.com
Part No. 819-1402-10 July 2005, Revision A
Submit comments about this document at: http://www.sun.com/hwdocs/feedback
Copyright 2005 Sun Microsystems, Inc. 4150 Network Circle, Santa Clara, California 95054 U.S.A. All rights reserved. Sun Microsystems, Inc. has intellectual property rights relating to technology that is described in this document. In particular, and without
limitation, these intellectual property rights may include one or more of the U.S. patents listed at http://www.sun.com/patents and one or more additional patents or pending patent applications in the U.S. and in other countries.
This document and the product to which it pertains are distributed under licenses restricting their use, copying, distribution, and decompilation. No part of the product or this document may be reproduced in any form by any means without prior written authorization of Sun and its licensors, if any.
Third-party software, including font technology, is copyrighted and licensed from Sun suppliers. Parts of the product may be derived from Berkeley BSD systems, licensed from the University of California. UNIX is a registered trademark in
the U.S. and in other countries, exclusively licensed through X/Open Company, Ltd. Sun, Sun Microsystems, the Sun logo, Sun BluePrints, Solaris, SunOS, Java, JumpStart, Sun4U, SunDocs, and Solstice DiskSuite are service
marks, trademarks, or registered trademarks of Sun Microsystems, Inc. in the United States and other countries. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. in the U.S. and in other
countries. Products bearing SPARC trademarks are based upon an architecture developed by Sun Microsystems, Inc. ORACLE is a registered trademark of Oracle Corporation.
The OPEN LOOK and Sun™ Graphical User Interface was developed by Sun Microsystems, Inc. for its users and licensees. Sun acknowledges the pioneering efforts of Xerox in researching and developing the concept of visual or graphical user interfaces for the computer industry. Sun holds a non-exclusive license from Xerox to the Xerox Graphical User Interface, which license also covers Sun’s licensees who implement OPEN LOOK GUIs and otherwise comply with Sun’s written license agreements.
U.S. Government Rights—Commercial use. Government users are subject to the Sun Microsystems, Inc. standard license agreement and applicable provisions of the FAR and its supplements.
DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID.

Contents

Preface xvii
1. Introduction 1
Securing Systems With the Solaris Security Toolkit Software 1
JumpStart Mode 2
Stand-alone Mode 3
Understanding the Software Components 3
Directories 5
Audit Directory 5
Documentation Directory 6
man Directory 6
Drivers Directory 6
Files Directory 9
Finish Directory 10
OS Directory 11
Packages Directory 12
Patches Directory 12
Profiles Directory 12
Sysidcfg Directory 13
Data Repository 13
Maintaining Version Control 13
Configuring and Customizing the Solaris Security Toolkit Software 14
Policies and Requirements 15
Guidelines 15
2. Securing Systems: Applying a Methodology 17
Planning and Preparing 17
Considering Risks and Benefits 18
Reviewing Security Policy, Standards, and Related Documentation 19
Example 1 20
Example 2 20
Determining Application and Service Requirements 20
Identifying Application and Operational Service Inventory 21
Determining Service Requirements 21
Developing and Implementing a Solaris Security Toolkit Profile 29
Installing the Software 30
Performing Preinstallation Tasks 30
Backing Up Data 31
Verifying System Stability 31
Performing the Post-installation Task 32
Verifying Application and Service Functionality 32
Verifying Security Profile Installation 32
Verifying Application and Service Functionality 33
Maintaining System Security 33
3. Upgrading, Installing, and Running Security Software 35
Performing Planning and Preinstallation Tasks 36
Software Dependencies 36
Determining Which Mode to Use 36
Stand-alone Mode 37
JumpStart Mode 37
Upgrading Procedures 38
To Upgrade Solaris Security Toolkit Software and the Solaris Operating System 38
To Upgrade Solaris Security Toolkit Software Only 39
Upgrading the Solaris OS Only 40
Downloading Security Software 40
Downloading Solaris Security Toolkit Software 40
To Download the pkg Version 41
Downloading Recommended Patch Cluster Software 42
To Download Recommended Patch Cluster Software 42
Downloading FixModes Software 43
To Download FixModes Software 44
Downloading OpenSSH Software 44
To Download OpenSSH Software 45
Downloading the MD5 Software 46
To Download the MD5 Software 46
Customizing Security Profiles 47
Installing and Executing the Software 48
Executing the Software in Stand-alone Mode 48
To Execute the Software in Stand-alone Mode 52
Audit Option 53
Clean Option 53
Display Help Option 54
Driver Option 55
Email Notification Option 56
Execute History Option 57
Most Recent Execute Option 57
Output File Option 58
Quiet Output Option 58
Root Directory Option 58
Undo Option 59
Executing the Software in JumpStart Mode 59
To Execute the Software in JumpStart Mode 60
Validating the System Modifications 60
Performing QA Checks of Services 60
Performing Security Assessments of Configuration 61
Validating Security Profile 62
Performing the Post-installation Task 62
4. Reversing System Changes 63
Understanding How Changes Are Logged and Reversed 63
Requirements for Undoing System Changes 65
Customizing Scripts to Undo Changes 65
Checking for Files That Were Manually Changed 66
Using Options With the Undo Feature 67
Backup Option 68
Force Option 69
Keep Option 69
Output File Option 69
Quiet Output Option 70
Email Notification Option 70
Undoing System Changes 70
To Undo a Solaris Security Toolkit Run 71
5. Configuring and Managing JumpStart Servers 79
Configuring JumpStart Servers and Environments 80
To Configure for JumpStart Mode 80
Using JumpStart Profile Templates 82
core.profile 83
end-user.profile 83
developer.profile 83
entire-distribution.profile 83
oem.profile 83
minimal-SunFire_Domain*.profile 83
Adding and Removing Clients 84
add-client Script 84
rm-client Script 86
6. Auditing System Security 87
Maintaining Security 87
Reviewing Security Prior to Hardening 88
Customizing Security Audits 89
Preparing to Audit Security 90
Using Options and Controlling Audit Output 90
Command-Line Options 91
Display Help Option 91
Email Notification Option 92
Output File Option 93
Quiet Option 93
Verbosity Option 93
Banners and Messages Output 94
Host Name, Script Name, and Timestamp Output 97
Performing a Security Audit 98
To Perform a Security Audit 99
7. Securing a System 103
Planning and Preparing 103
Assumptions and Limitations 104
System Environment 105
Security Requirements 105
Creating a Security Profile 105
Installing the Software 106
Downloading and Installing Security Software 106
To Download and Install the Security Software 106
Installing Patches 107
To Install Patches 107
Specifying and Installing the OS Cluster 108
To Specify and Install the OS Cluster 108
Configuring the JumpStart Server and Client 109
Preparing the Infrastructure 110
To Prepare the Infrastructure 110
Validating and Checking the Rules File 112
Customizing the Hardening Configuration 114
Enabling FTP Service 115
To Enable FTP Service 115
Installing Secure Shell Software 116
To Install Secure Shell 116
Enabling RPC Service 117
To Enable RPC 118
Customizing the syslog.conf File 118
To Customize the syslog.conf File 118
Installing the Client 119
To Install the Client 120
Testing for Quality Assurance 120
To Verify Profile Installation 120
To Verify Application and Service Functionality 121
Glossary 123
Index 131

Figures

FIGURE 1-1 Software Component Structure 4
FIGURE 1-2 Driver Control Flow 8

Tables

TABLE 1-1 Naming Standards for Custom Files 16
TABLE 2-1 Listing Services Recently in Use 28
TABLE 3-1 Using Command-Line Options With jass-execute 49
TABLE 4-1 Using Command-Line Options With Undo Command 68
TABLE 5-1 JumpStart add-client Command 85
TABLE 5-2 JumpStart rm-client Command 86
TABLE 6-1 Using Command-Line Options With the Audit Command 91
TABLE 6-2 Audit Verbosity Levels 94
TABLE 6-3 Displaying Banners and Messages in Audit Output 95
TABLE 6-4 Displaying Host Name, Script Name, and Timestamp Audit Output 97

Code Samples

CODE EXAMPLE 1-1 Driver Control Flow Code 9
CODE EXAMPLE 2-1 Obtaining Information About File System Objects 22
CODE EXAMPLE 2-2 Collecting Information From a Running Process 22
CODE EXAMPLE 2-3 Identifying Dynamically Loaded Applications 23
CODE EXAMPLE 2-4 Determining if a Configuration File Is In Use 24
CODE EXAMPLE 2-5 Determining Which Applications Use RPC 25
CODE EXAMPLE 2-6 Validating rusers Service 26
CODE EXAMPLE 2-7 Alternative Method for Determining Applications That Use RPC 27
CODE EXAMPLE 2-8 Determining Which Ports Are Owned by Services or Applications 28
CODE EXAMPLE 2-9 Determining Which Processes Are Using Files and Ports 29
CODE EXAMPLE 3-1 Moving a Patch File to /opt/SUNWjass/Patches Directory 43
CODE EXAMPLE 3-2 Sample Command-Line Usage in Stand-alone Mode 48
CODE EXAMPLE 3-3 Executing the Software in Stand-alone Mode 52
CODE EXAMPLE 3-4 Sample -c Option Output 53
CODE EXAMPLE 3-5 Sample -h Option Output 54
CODE EXAMPLE 3-6 Sample -d driver Option Output 56
CODE EXAMPLE 3-7 Sample -H Option Output 57
CODE EXAMPLE 3-8 Sample -l Option Output 57
CODE EXAMPLE 3-9 Sample -o Option Output 58
CODE EXAMPLE 3-10 Sample -q Option Output 58
CODE EXAMPLE 4-1 Sample Output of Files That Were Manually Changed 67
CODE EXAMPLE 4-2 Sample Output of Runs Available to Undo 72
CODE EXAMPLE 4-3 Sample Output of an Undo Run Processing Multiple Manifest File Entries 73
CODE EXAMPLE 4-4 Sample Output of Undo Exception 74
CODE EXAMPLE 4-5 Sample Output from Choosing Backup Option During Undo 75
CODE EXAMPLE 4-6 Sample Output of Choosing Always Backup Option During Undo 76
CODE EXAMPLE 6-1 Sample -h Option Output 92
CODE EXAMPLE 6-2 Sample -o Option Output 93
CODE EXAMPLE 6-3 Sample -q Option Output 93
CODE EXAMPLE 6-4 Sample Output of Reporting Only Audit Failures 95
CODE EXAMPLE 6-5 Sample Output of Auditing Log Entries 97
CODE EXAMPLE 6-6 Sample Output of Audit Run 99
CODE EXAMPLE 7-1 Adding a Client to the JumpStart Server 110
CODE EXAMPLE 7-2 Creating a Profile 111
CODE EXAMPLE 7-3 Sample Output of Modified Script 111
CODE EXAMPLE 7-4 Checking the rules File for Correctness 112
CODE EXAMPLE 7-5 Sample Output for rules File 113
CODE EXAMPLE 7-6 Sample of Incorrect Script 113
CODE EXAMPLE 7-7 Sample of Correct Script 114
CODE EXAMPLE 7-8 Sample Output of Modified xsp-firewall-hardening.driver 119
CODE EXAMPLE 7-9 Assessing a Security Configuration 121

Preface

This manual contains reference information for understanding and using Solaris™ Security Toolkit software. This manual is primarily intended for persons who use the Solaris Security Toolkit software to secure Solaris Operating System (OS) versions 8, 9, and 10, such as administrators, consultants, and others, who are deploying new Sun systems or securing deployed systems. The instructions apply to using the software in either its JumpStart™ mode or stand-alone mode.
Before You Read This Book
You should be a Sun Certified System Administrator for Solaris™ or Sun Certified Network Administrator for Solaris™. You should also have an understanding of standard network protocols and topologies.
Because this book is designed to be useful to people with varying degrees of experience or knowledge of security, your experience and knowledge will determine how you use this book.
How This Book Is Organized
This manual serves as a user guide. Its chapters contain information, instructions, and guidelines for using the software to secure systems. This book is structured as follows:
Chapter 1 describes the design and purpose of the Solaris Security Toolkit software. It covers the key components, features, benefits, and supported platforms.
Chapter 2 provides a methodology for securing systems. You can apply the Solaris Security Toolkit process before securing your systems using the software.
Chapter 3 provides instructions for downloading, installing, and running the Solaris Security Toolkit software and other security-related software.
Chapter 4 provides information and procedures for reversing (undoing) the changes made by the Solaris Security Toolkit software during hardening runs.
Chapter 5 provides information for configuring and managing JumpStart servers to use the Solaris Security Toolkit software.
Chapter 6 describes how to audit (validate) a system’s security using the Solaris Security Toolkit software. Use the information and procedures in this chapter for maintaining an established security profile after hardening.
Chapter 7 describes how to apply the information and expertise provided in earlier chapters to a realistic scenario for installing and securing a new system.
Using UNIX Commands
This document might not contain information on basic UNIX® commands and procedures such as shutting down the system, booting the system, and configuring devices. Refer to the following for this information:
Software documentation that you received with your system
Solaris Operating System documentation, which is at
http://docs.sun.com
Shell Prompts
Shell Prompt
C shell machine-name%
C shell superuser machine-name#
Bourne shell and Korn shell $
Bourne shell and Korn shell superuser #
Typographic Conventions
Typeface* | Meaning | Examples
AaBbCc123 | The names of commands, files, and directories; on-screen computer output | Edit your .login file. Use ls -a to list all files. % You have mail.
AaBbCc123 | What you type, when contrasted with on-screen computer output | % su Password:
AaBbCc123 | Book titles, new words or terms, words to be emphasized. Replace command-line variables with real names or values. | Read Chapter 6 in the User’s Guide. These are called class options. You must be superuser to do this. To delete a file, type rm filename.
* The settings on your browser might differ from these settings.
Using Generic Terms for Hardware Models
Sun Fire™ high-end systems refers to these model numbers:
E25K
E20K
15K
12K
Sun Fire midrange systems refers to these model numbers:
E6900
E4900
6800
4810
4800
3800
Sun Fire entry-level midrange systems refers to these model numbers:
E2900
Netra 1280
V1280
V890
V880
V490
V480
Supported Hardware Systems
Solaris Security Toolkit 4.2 software supports SPARC®, 64-bit only, and x86/x64 systems running the Solaris 10 OS. Solaris Security Toolkit 4.2 software does support SPARC 32-bit systems running on Solaris 8 and 9; for example, the Ultra 2 Creator 3D.
Supported Solaris OS Versions
Sun support for Solaris Security Toolkit software is available only for its use in the Solaris 8, Solaris 9, and Solaris 10 Operating Systems.
Note – For Solaris Security Toolkit 4.2 software, Solaris 10 can be used only on Sun Fire high-end systems domains, not on the system controller (SC).
While the software can be used in the Solaris 2.5.1, Solaris 2.6, and Solaris 7 Operating Systems, Sun support is not available for its use in those operating systems.
The Solaris Security Toolkit software automatically detects which version of the Solaris Operating System software is installed, then runs tasks appropriate for that operating system version.
Note in examples provided throughout this document that when a script checks for a version of the OS, it checks for 5.x, the SunOS™ versions, instead of 2.x, 7, 8, 9, or 10, the Solaris OS versions.
TABLE P-1 shows the correlation between SunOS and Solaris OS versions.
TABLE P-1 Correlation Between SunOS and Solaris OS Versions
SunOS Version Solaris OS Version
5.5.1 2.5.1
5.6 2.6
5.7 7
5.8 8
5.9 9
5.10 10
Supported SMS Versions
If you are using System Management Services (SMS) to run the system controller (SC) on your Sun Fire high-end systems, then Solaris Security Toolkit 4.2 software is supported on all Solaris 8 and 9 OS versions when used with SMS versions 1.3, 1.4.1, and 1.5. No version of SMS is supported on Solaris 10 OS with Solaris Security Toolkit 4.2 software.
Note – For Solaris Security Toolkit 4.2 software, Solaris 10 can be used only on domains, not on the system controller (SC).
Related Documentation
The documents listed as online are available at:
http://www.sun.com/products-n-solutions/hardware/docs/Software/enterprise_computing/systems_management/sst/index.html
Application | Title | Part Number | Format | Location
Release Notes | Solaris Security Toolkit 4.2 Release Notes | 819-1504-10 | PDF, HTML | Online
Reference | Solaris Security Toolkit 4.2 Reference Manual | 819-1503-10 | PDF, HTML | Online
Man Pages | Solaris Security Toolkit 4.2 Man Page Guide | 819-1505-10 | PDF | Online
Documentation, Support, and Training
Sun Function | URL | Description
Documentation | http://www.sun.com/documentation/ | Download PDF and HTML documents, and order printed documents
Support | http://www.sun.com/support/ | Obtain technical support and download patches
Training | http://www.sun.com/training/ | Learn about Sun courses
Third-Party Web Sites
Sun is not responsible for the availability of third-party web sites mentioned in this document. Sun does not endorse and is not responsible or liable for any content, advertising, products, or other materials that are available on or through such sites or resources. Sun will not be responsible or liable for any actual or alleged damage or loss caused by or in connection with the use of or reliance on any such content, goods, or services that are available on or through such sites or resources.
Sun Welcomes Your Comments
Sun is interested in improving its documentation and welcomes your comments and suggestions. You can submit your comments by going to:
http://www.sun.com/hwdocs/feedback
Please include the title and part number of your document with your feedback:
Solaris Security Toolkit 4.2 Administration Guide, part number 819-1402-10
CHAPTER
1

Introduction

This chapter describes the design and purpose of the Solaris Security Toolkit software. It covers the key components, features, benefits, and supported platforms. This chapter provides guidelines for maintaining version control of modifications and deployments, and it sets forth important guidelines for customizing the Solaris Security Toolkit software.
This chapter contains the following topics:
“Securing Systems With the Solaris Security Toolkit Software” on page 1
“Understanding the Software Components” on page 3
“Maintaining Version Control” on page 13
“Configuring and Customizing the Solaris Security Toolkit Software” on page 14

Securing Systems With the Solaris Security Toolkit Software

The Solaris Security Toolkit software, informally known as the JumpStart Architecture and Security Scripts (JASS) toolkit, provides an automated, extensible, and scalable mechanism to build and maintain secure Solaris OS systems. Using the Solaris Security Toolkit software, you can harden and audit the security of systems.
Following are terms used in this guide that are important to understand:
Hardening – Modifying Solaris OS configurations to improve a system’s security.
Auditing – Determining if a system’s configuration is in compliance with a predefined security profile.
Note – The term audit describes the Solaris Security Toolkit software’s automated process of validating a security posture by comparing it with a predefined security profile. The use of this term in this publication does not represent a guarantee that a system is completely secure after using the audit option.
Scoring – Counting the number of failures uncovered during an audit run. If no failures (of any kind) are found, then the resulting score is 0. The Solaris Security Toolkit increments the score (also known as a vulnerability value) by 1 whenever a failure is detected.
There are two modes of installing Solaris Security Toolkit software, which are described briefly in the latter part of this section:
“JumpStart Mode” on page 2
“Stand-alone Mode” on page 3
Regardless of how a system is installed, you can use the Solaris Security Toolkit software to harden and minimize your systems. Then periodically use the Solaris Security Toolkit software to audit whether the security profile of secured systems has been accidentally or maliciously modified.

JumpStart Mode

System installation and configuration should be as automated as possible (ideally, 100 percent). This includes OS installation and configuration, network configuration, user accounts, applications, and hardening. One technology available to automate Solaris OS installations is JumpStart software. The JumpStart software provides a mechanism to install systems over a network, with little or no human intervention required. The Solaris Security Toolkit software provides a framework and scripts to implement and automate most of the tasks associated with hardening Solaris OS systems in JumpStart software-based installations. To obtain the JumpStart Enterprise Toolkit (JET), which facilitates JumpStart-based installations and includes modules to support hardening with the Solaris Security Toolkit, go to the Sun Software Download site at:
http://www.sun.com/download/
For more information about JumpStart technology, refer to the Sun BluePrints™ book JumpStart Technology: Effective Use in the Solaris Operating Environment.

Stand-alone Mode

In addition, the Solaris Security Toolkit software has a stand-alone mode. This mode provides the ability to perform all the same hardening functionality as in JumpStart mode, but on deployed systems. In either mode, the security modifications made can, and should, be customized to match security requirements for your system.
Regardless of how a system is installed, you can use the Solaris Security Toolkit software to harden your systems. Then periodically use the Solaris Security Toolkit software to audit whether the configuration of secured systems has been accidentally or maliciously modified.

Understanding the Software Components

This section provides an overview of the structure of the Solaris Security Toolkit software components. The Solaris Security Toolkit software is a collection of files and directories.
FIGURE 1-1 shows an illustration of the structure.
FIGURE 1-1 Software Component Structure (directory tree under JASS_HOME_DIR; diagram not reproduced)
The following program or command files are in the /bin directory:
add-client – JumpStart helper program for adding clients into a JumpStart environment
rm-client – JumpStart helper program for removing clients from a JumpStart environment
make-jass-pkg – Command that provides the ability to create a Solaris OS package from the contents of the Solaris Security Toolkit directory, to simplify internal distribution of a customized Solaris Security Toolkit configuration
jass-check-sum – Command that provides the ability to determine if any files modified by the Solaris Security Toolkit software have been changed, based on a checksum created during each Solaris Security Toolkit run
jass-execute – Command that executes most of the functionality of the Solaris Security Toolkit software
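The jass-check-sum entry above describes detecting changes to files by comparing them against a checksum recorded during a run. The following Bourne shell sketch illustrates that idea; it is an added example, not the Solaris Security Toolkit's own code. The manifest format, the function names, and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: checksum-manifest drift detection, the idea behind jass-check-sum.
# The manifest format ("hash<TAB>path") and all function names are assumptions
# made for this sketch; they are not the Solaris Security Toolkit's own.

TAB=$(printf '\t')

# hash_file FILE: print a content hash. Prefers SHA-256; falls back to POSIX
# cksum (a CRC, which catches accidental edits but not deliberate tampering).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum < "$1" | awk '{ print $1 }'
    else
        cksum < "$1" | awk '{ print $1 "-" $2 }'
    fi
}

# record_manifest MANIFEST FILE...: write one "hash<TAB>path" line per file,
# as a hardening run would for each file it modifies.
record_manifest() {
    manifest=$1
    shift
    : > "$manifest"
    for f in "$@"; do
        printf '%s\t%s\n' "$(hash_file "$f")" "$f" >> "$manifest"
    done
}

# check_manifest MANIFEST: print "CHANGED path" or "MISSING path" for each
# entry that no longer matches. Returns 0 when nothing drifted, 1 otherwise.
# Paths containing tabs or newlines are not supported.
check_manifest() {
    drift=0
    while IFS=$TAB read -r want path; do
        if [ ! -f "$path" ]; then
            echo "MISSING $path"
            drift=1
        elif [ "$(hash_file "$path")" != "$want" ]; then
            echo "CHANGED $path"
            drift=1
        fi
    done < "$1"
    return "$drift"
}

# demo: constructed sample files standing in for hardened configuration files.
demo() {
    dir=$(mktemp -d) || return 1
    printf 'PermitRootLogin no\n' > "$dir/sshd_config"
    printf 'CONSOLE=/dev/console\n' > "$dir/login"
    printf '*.err /var/adm/messages\n' > "$dir/syslog.conf"
    record_manifest "$dir/manifest" "$dir/sshd_config" "$dir/login" "$dir/syslog.conf"

    printf 'PermitRootLogin yes\n' > "$dir/sshd_config"   # manual edit after the run
    rm -f "$dir/login"                                    # file removed after the run

    check_manifest "$dir/manifest" | sed "s|$dir/||"
    rm -rf "$dir"
}

demo
```

Store the manifest where the accounts that can edit the monitored files cannot also rewrite it; otherwise a deliberate change can be hidden by regenerating the checksums.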

Directories

The components of the Solaris Security Toolkit architecture are organized in the following directories:
/Audit
/bin
/Documentation
/Drivers
/Files
/Finish
/lib
/man
/OS
/Packages
/Patches
/Profiles
/Sysidcfg
Each directory is described in this section. Where relevant, each script, configuration file, or subdirectory is listed, and references to other chapters are provided for detailed information.
The Solaris Security Toolkit directory structure is based on the structure in the Sun BluePrints book JumpStart Technology: Effective Use in the Solaris Operating Environment.
Audit Directory
This directory contains the audit scripts that evaluate a system’s compliance with a defined security profile or set of audit scripts. The scripts in this directory are organized into the following categories:
Disable
Enable
Install
Minimize
Print
Remove
Set
Update
For detailed listings of the scripts in each of these categories and descriptions of each script, refer to the Solaris Security Toolkit 4.2 Reference Manual.
Documentation Directory
This directory contains text files with information for the user, such as README, EOL_NOTICE, and INSTALL files.
man Directory
This directory contains subdirectories for the sections of man pages for commands, functions, and drivers. This directory also contains the windex file, which is an index of the commands and is provided as a courtesy.
For more information about these man pages, refer to the actual man pages or to the Solaris Security Toolkit 4.2 Man Page Guide.
Drivers Directory
This directory contains files of configuration information specifying which files are executed and installed when you run the Solaris Security Toolkit software. This directory contains drivers, scripts, and configuration files.
The following is an example of the drivers and scripts in the Drivers directory:
audit_{private|public}.funcs
common_{log|misc}.funcs
{config|hardening|secure}.driver
driver.{init|run}
driver_{private|public}.funcs
finish.init
server-{config|hardening|secure}.driver
suncluster3x-{config|hardening|secure}.driver
sunfire_15k_sc-{config|hardening|secure}.driver
undo.{funcs|init|run}
user.init.SAMPLE
user.run.SAMPLE
All drivers included with the Solaris Security Toolkit have three files for each driver:
name-{config|hardening|secure}.driver
These three files are indicated in brackets in the previous lists, for example, sunfire_15k_sc-{config|hardening|secure}.driver. These files are listed for completeness. Use only the secure.driver or name-secure.driver when you want to execute a driver. That driver automatically calls the related drivers.
The Solaris Security Toolkit architecture includes configuration information to enable driver, finish, and audit scripts to be used in different environments, while not modifying the actual scripts themselves. All variables used in the finish and