Monday, October 11, 2010
JASS: Installing the Solaris Security Toolkit JASS
The Solaris Security Toolkit provides a flexible way to harden a Solaris system, making it more secure from malicious attack. This software may be installed during an unattended Solaris JumpStart install, or installed after Solaris is installed and booted.
The degree of hardening depends on your architectural requirements. I've been happily using JASS for the last year now. I have my own specific JASS build packages for various environments, and I also run audits on a weekly basis to ensure there have been no malicious system or software changes.
The server-secure.driver leaves frequently-used server services open. The following discusses customizing the server-secure.driver to your site-specific needs. Once customized, your systems can be hardened in an automated way using one or more configurations you established.
Here I'll give enough details to get you started. I'm only covering interactive use in this example.
1. First, download the SUNWjass 4.2.0 package, available at http://www.sun.com/software/security/jass/. You don't need the MD5 (SUNBEmd5) or fixmodes (SUNBEfixm) packages, as the functionality is incorporated in Solaris 10.
2. If SUNWjass is already installed, remove it with pkgrm (back up any modified files first).
3. Uncompress and install the package to /opt/SUNWjass:
# uncompress SUNWjass.pkg.Z
# pkgadd -d SUNWjass.pkg
4. Run a driver in "apply" mode. In this example, we use server-secure.driver. This takes a few minutes.
# /opt/SUNWjass/bin/jass-execute -d server-secure.driver
5. Check the summary output for failures and errors:
[SUMMARY] Results Summary for APPLY run of server-secure.driver
[SUMMARY] The run completed with a total of 85 scripts run.
[SUMMARY] There were Failures in 0 Scripts
[SUMMARY] There were Errors in 0 Scripts
[SUMMARY] There were Warnings in 2 Scripts
[SUMMARY] There were Notes in 68 Scripts
6. Reboot and log in again.
7. You can now verify the previous jass-execute run by manually running an audit of the system:
# /opt/SUNWjass/bin/jass-execute -a server-secure.driver
This takes a few minutes and produces a summary at the end:
[SUMMARY] Results Summary for AUDIT run of server-secure.driver
[SUMMARY] The run completed with a total of 85 scripts run.
[SUMMARY] There was a Failure in 1 Script
[SUMMARY] There were Errors in 0 Scripts
[SUMMARY] There was a Warning in 1 Script
[SUMMARY] There were Notes in 20 Scripts
[SUMMARY] Failure Scripts listed in:
/var/opt/SUNWjass/run/20050721092746/jass-script-failures.txt
Verify there are no failures. If any failures are found as in this case, look at the script output to see if there are any unexpected problems. In the example above, I see the failure is from set-root-home-dir.aud because I provided and created a custom .profile script:
[FAIL] Template /root/.profile does not match target on system.
Edit the root .profile template at /opt/SUNWjass/Files/root/.profile to suit your needs.
Then run another hardening:
# /opt/SUNWjass/bin/jass-execute -d server-secure.driver
Then run another audit to confirm there are no errors this time.
# /opt/SUNWjass/bin/jass-execute -a server-secure.driver
[SUMMARY] Results Summary for AUDIT run of server-secure.driver
[SUMMARY] The run completed with a total of 85 scripts run.
[SUMMARY] There was a Failure in 0 Script
[SUMMARY] There were Errors in 0 Scripts
[SUMMARY] There was a Warning in 1 Script
[SUMMARY] There were Notes in 20 Scripts
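For the weekly audits mentioned above, the summary check can be scripted instead of read by eye. The following is an added example, not part of the toolkit or the original post: it assumes the output of jass-execute -a has been saved to a file, and the helper names jass_count and jass_check are hypothetical. The sample log is constructed from the summary shown earlier.

```shell
#!/bin/sh
# Added example: gate on the [SUMMARY] block of a saved jass-execute log.

# jass_count KIND FILE -> script count reported for KIND (Failure, Error,
# Warning, Note), or "unknown" if the line is absent. Accepts both wordings:
# "There were Failures in 0 Scripts" and "There was a Failure in 1 Script".
# If the file holds several summaries, the last one wins.
jass_count() {
    awk -v kind="$1" '
        BEGIN { re = "There (was an?|were) " kind "s? in [0-9]+ Scripts?" }
        $1 == "[SUMMARY]" && $0 ~ re {
            for (i = 1; i < NF; i++) if ($i == "in") n = $(i + 1)
        }
        END { print (n == "" ? "unknown" : n) }
    ' "$2"
}

# jass_check FILE -> 0 if clean, 1 if any Failure or Error was reported,
# 2 if the summary is missing or truncated (never treat that as clean).
jass_check() {
    failures=$(jass_count Failure "$1")
    errors=$(jass_count Error "$1")
    if [ "$failures" = unknown ] || [ "$errors" = unknown ]; then
        echo "jass audit: no complete summary in $1" >&2
        return 2
    fi
    echo "jass audit: failures=$failures errors=$errors warnings=$(jass_count Warning "$1")"
    [ "$failures" -eq 0 ] && [ "$errors" -eq 0 ]
}

# Constructed sample: the AUDIT summary from the post, saved as a log file.
SAMPLE=${TMPDIR:-/tmp}/jass-audit-sample.$$
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
[SUMMARY] Results Summary for AUDIT run of server-secure.driver
[SUMMARY] The run completed with a total of 85 scripts run.
[SUMMARY] There was a Failure in 1 Script
[SUMMARY] There were Errors in 0 Scripts
[SUMMARY] There was a Warning in 1 Script
[SUMMARY] There were Notes in 20 Scripts
EOF

jass_check "$SAMPLE" || echo "audit needs review (status $?)"
```

A non-zero status from jass_check is the signal to open the failure list named in the summary, as in step 7.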