Monday, October 11, 2010

JASS: Installing the Solaris Security Toolkit JASS

The Solaris Security Toolkit provides a flexible way to harden a Solaris system, making it more resistant to malicious attack. The software may be installed during an unattended Solaris JumpStart install, or after Solaris is installed and booted. 
The degree of hardening depends on your architectural requirements. I've been happily using JASS for the last year now; I have my own specific JASS build packages for various environments, and I also run audits on a weekly basis to ensure there have been no malicious system or software changes. 



Pre-canned scripts provide various levels of hardening and auditing. 
The server-secure.driver leaves frequently-used server services open. The following discusses customizing the server-secure.driver to your site-specific needs. Once customized, your systems can be hardened in an automated way using one or more of the configurations you have established.
Here I'll give enough details to get you started. I'm only covering interactive use in this example.

1. First, download the SUNWjass 4.2.0 package, available at http://www.sun.com/software/security/jass/. You don't need the MD5 (SUNBEmd5) or fixmodes (SUNBEfixm) packages, as the functionality is incorporated in Solaris 10. 

2. If SUNWjass is already installed, remove it with pkgrm (back up any modified files first). 

3. Uncompress and install the package to /opt/SUNWjass


 # uncompress SUNWjass.pkg.Z
 # pkgadd -d SUNWjass.pkg


4. Run a driver in "apply" mode. In this example, we use server-secure.driver. This takes a few minutes.

 # /opt/SUNWjass/bin/jass-execute -d server-secure.driver


5. Check the summary output for failures and errors:


 [SUMMARY] Results Summary for APPLY run of server-secure.driver
 [SUMMARY] The run completed with a total of 85 scripts run.
 [SUMMARY] There were  Failures in   0 Scripts
 [SUMMARY] There were  Errors   in   0 Scripts
 [SUMMARY] There were  Warnings in   2 Scripts
 [SUMMARY] There were  Notes    in  68 Scripts

6. Reboot and log in again.

7. You can verify the previous run of jass-execute by manually running an audit of the system:

 # /opt/SUNWjass/bin/jass-execute -a server-secure.driver

This takes a few minutes and produces a summary at the end:


 [SUMMARY] Results Summary for AUDIT run of server-secure.driver
 [SUMMARY] The run completed with a total of 85 scripts run.
 [SUMMARY] There was a Failure  in   1 Script
 [SUMMARY] There were  Errors   in   0 Scripts
 [SUMMARY] There was a Warning  in   1 Script
 [SUMMARY] There were  Notes    in  20 Scripts

 [SUMMARY] Failure Scripts listed in:
         /var/opt/SUNWjass/run/20050721092746/jass-script-failures.txt

Verify that there are no failures. If any failures are found, as in this case, look at the script output to see whether there are any unexpected problems. In the example above, I see the failure is from set-root-home-dir.aud because I provided and created a custom .profile script: 

 [FAIL] Template /root/.profile does not match target on system.

You can fix it either by removing the custom .profile file, or by modifying the .profile shipped with the Solaris Security Toolkit (under /opt/SUNWjass/Files). I prefer the latter.
Edit the root .profile to your liking at /opt/SUNWjass/Files/root/.profile.
Then run another hardening:

 # /opt/SUNWjass/bin/jass-execute -d server-secure.driver


Then run another audit to confirm there are no errors this time.


 # /opt/SUNWjass/bin/jass-execute -a server-secure.driver

 [SUMMARY] Results Summary for AUDIT run of server-secure.driver
 [SUMMARY] The run completed with a total of 85 scripts run.
 [SUMMARY] There was a Failure  in   0 Script
 [SUMMARY] There were  Errors   in   0 Scripts
 [SUMMARY] There was a Warning  in   1 Script
 [SUMMARY] There were  Notes    in  20 Scripts
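The summary format above lends itself to an automated pass/fail check for the weekly audits mentioned at the top of the post. The following shell script is an added example, not part of the toolkit or the original post; it assumes the [SUMMARY] lines look exactly as shown above and uses the post's own AUDIT output as constructed sample input.

```shell
#!/bin/sh
# Checks for a weekly jass-execute audit (added example, not part of the
# Solaris Security Toolkit). jass-execute itself is not run here; the summary
# lines below are constructed from the post's own AUDIT output.

# Print the number of scripts in one summary category ("Failure", "Error",
# "Warning", "Note") from jass-execute output on stdin. The toolkit prints
# either "There were  Failures in   0 Scripts" or "There was a Failure  in
# 1 Script", so singular and plural spellings are both matched. Prints 0
# when the category is absent.
jass_summary_count() {
    awk -v want="$1" '
        $1 == "[SUMMARY]" && $2 == "There" {
            for (i = 3; i <= NF; i++)
                if ($i ~ ("^" want "s?$") && $(i + 1) == "in") {
                    print $(i + 2); found = 1; exit
                }
        }
        END { if (!found) print 0 }'
}

# Print the path of the jass-script-failures.txt file named in the summary.
jass_failure_list() {
    awk '/Failure Scripts listed in:/ { getline; sub(/^[ \t]+/, ""); print; exit }'
}

# Succeed only when the run on stdin reported zero Failures and zero Errors.
jass_audit_passed() {
    summary=$(cat)
    failures=$(printf '%s\n' "$summary" | jass_summary_count Failure)
    errors=$(printf '%s\n' "$summary" | jass_summary_count Error)
    [ "$failures" -eq 0 ] && [ "$errors" -eq 0 ]
}

# Constructed sample: the failing AUDIT summary shown in the post.
SAMPLE_FAILED_AUDIT='[SUMMARY] Results Summary for AUDIT run of server-secure.driver
[SUMMARY] The run completed with a total of 85 scripts run.
[SUMMARY] There was a Failure  in   1 Script
[SUMMARY] There were  Errors   in   0 Scripts
[SUMMARY] There was a Warning  in   1 Script
[SUMMARY] There were  Notes    in  20 Scripts

[SUMMARY] Failure Scripts listed in:
        /var/opt/SUNWjass/run/20050721092746/jass-script-failures.txt'

# Real use: /opt/SUNWjass/bin/jass-execute -a server-secure.driver | tee "$LOG" | jass_audit_passed
if printf '%s\n' "$SAMPLE_FAILED_AUDIT" | jass_audit_passed; then
    echo "audit clean"
else
    echo "audit FAILED, see $(printf '%s\n' "$SAMPLE_FAILED_AUDIT" | jass_failure_list)"
fi
```

In a cron job, feed the full jass-execute -a output through jass_audit_passed and mail the file named by jass_failure_list when it returns non-zero.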



