solaris security toolkit: adding additional patches

Status
Not open for further replies.

ponetguy2

does anyone know how to add additional patches on a solaris box where jass is
already installed and configured? rolling back and re-running jass is not a
good idea, because i will lose my current configuration since we first ran it.

i found add_patch function from the sun documentation. according to this
function, it will add additional patches to an existing solaris box where
solaris security toolkit is already installed. can i just run this function
without creating a script?

for example:

add_patch 13212-1

please advise.
 
we already have solaris 9_recommended patch cluster installed, and i need to install more patches to accommodate oracle install.

we've made a bunch of changes since the initial execution of jass and i don't want to lose the changes we've made.

i can not do a ./jass-execute -u (undo), and then ./jass-execute -d again, because i'll lose my current configuration.

please help.
 
Enlighten me... what is "jass"?

Is there some reason why you can't use patchadd?

Annihilannic.
 
it's solaris security toolkit, formerly known as jass.

if i use patchadd, it will install. however, if i run an audit with jass to check for security vulnerabilities, it will freak. i'm still new to this tool. this is the first time i've been working with it.
 
I think I figured out a way to resolve this issue.

I ran the following command (standalone mode)

/usr/SUNWjass/bin

./jass-execute -u -k -o ../undo.output.20030103.txt

-u = undo
-k = keeps everything i've changed since the last hardening run
-o = directs output to a specified file

with this command, i was able to keep everything that changed since the last hardening run.

in order to add additional patches, i created a finish script which calls on add_patch function. for example:

#!/bin/sh

add_patch 112233-07

i named this driver add-patch.fin and placed it in the /opt/SUNWjass/Finish directory.

next, i added this driver to blah.config.driver file. for example:

#!/bin/sh
#
# Copyright (c) 2000-2002 by Sun Microsystems, Inc.
# All rights reserved.
#
#ident "@(#)config.driver 3.2 02/08/30 SMI"
#
# The purpose of this script is to perform some basic system
# configuration. This section does not necessarily perform
# security functions (perhaps with the exception of the
# installation of patches). This driver can be used as a
# template for other general system administration functions.

DIR="`/bin/dirname $0`"
export DIR

. ${DIR}/driver.init

JASS_FILES="
/.cshrc
/.profile
"

# Note: install-recommended-patches.fin is generally always the first
# Finish script to run as it establishes the baseline system that
# will be hardened. Since these clusters contain security patches,
# it is important that they be installed before hardening the
# system.

JASS_SCRIPTS="
print-jass-environment.fin
install-recommended-patches.fin
install-jass.fin
# install-openssh.fin
set-root-password.fin
set-term-type.fin
add-patch.fin
"

. ${DIR}/driver.run

Copy the necessary patch directories in to /opt/SUNWjass/Patches.

From here I can re-harden the box w/ the following commands:

./jass-execute -d /Drivers/blah-secure.drivers -o out.txt

prior to the command above, i was prompted to enter this env variable:

ksh
export JASS_NOVICE_USER=0

i'll keep this thread posted on my progress. i should be done with this crap by tomorrow. hehehe
 
Patch Installation w/ JASS
(01/05/2006)

1. Download the necessary patches from
2. Decompress the patches and copy to /opt/SUNWjass/Patches

Note: unzip with the -q option. For more information, see the man pages.

3. Create a finish script for the patch/patches that needs to be added

Example:

#cd /opt/SUNWjass/Finish
#touch x-patchadd.fin
#vi x-patchadd.fin

x-patchadd.fin script:

#!/bin/sh

add_patch 111722-04

add_patch 113471-08

add_patch 115675-01


Note: add_patch is a function within JASS, which is used to add Solaris OS patches to the system (1).

6. Edit /opt/SUNWjass/Drivers/x-config.driver and add x-patchadd.fin script to the driver file.

Example of x-config.driver with x-patchadd.fin script:

# more x-config.driver
#!/bin/sh
#
# Copyright (c) 2000-2002 by Sun Microsystems, Inc.
# All rights reserved.
#
#ident "@(#)config.driver 3.2 02/08/30 SMI"
#
# The purpose of this script is to perform some basic system
# configuration. This section does not necessarily perform
# security functions (perhaps with the exception of the
# installation of patches). This driver can be used as a
# template for other general system administration functions.

DIR="`/bin/dirname $0`"
export DIR

. ${DIR}/driver.init

JASS_FILES="
/.cshrc
/.profile
"

# Note: install-recommended-patches.fin is generally always the first
# Finish script to run as it establishes the baseline system that
# will be hardened. Since these clusters contain security patches,
# it is important that they be installed before hardening the
# system.

JASS_SCRIPTS="
print-jass-environment.fin
install-recommended-patches.fin
install-jass.fin
# install-openssh.fin
set-root-password.fin
set-term-type.fin
x-patchadd.fin
"

. ${DIR}/driver.run

7. Backup critical files by renaming them (vfstab to backup.vfstab.date)

a. /opt/SUNWjass/bin/jass-check-sum: This command indicates which files were changed since the last hardening run (2).

Example:

# ./jass-check-sum

Checking for file signature conflicts associated with Toolkit run: 20051130135907

File Name               Saved CkSum        Current CkSum
--------------------------------------------------------
/etc/logadm.conf        2362963540:1042    1539921394:1131
/etc/vfstab             3049598766:587     2494242351:1031
/etc/passwd             1264154811:361     3250020763:418
/etc/ssh/sshd_config    483895098:5118     2629678587:5120
/etc/shadow             256099546:258      3837770651:277
/etc/syslog.conf        258726615:480      3724897944:644

8. Un-harden the Solaris system.

a. To un-harden a Solaris system without changing any existing configuration, use the -k option.

Example:

#cd /opt/SUNWjass/bin
#./jass-execute -u -k -o ../undo.out.20060105.txt

b. To un-harden a Solaris system and to change everything since the last hardening run, follow the example below.

Example:

#cd /opt/SUNWjass/bin
#./jass-execute -u -b -o ../undo.out.date.txt

9. Once the undo/un-hardening process has completed, do a boot -r.

Example:

#shutdown -y -g0 -i0
#ok boot -r

10. If the -k option was used, check if the existing configuration/installation has changed and take the appropriate action.

11. Re-harden the Solaris system w/ JASS.

Note: Check patch requirements if it needs to be installed in single user mode. One can go to for more information on specific patches.

Example:

a. #init s (boot in to single user mode)
b. You will be prompted for the root password. Enter the root password.
c. #cd /opt/SUNWjass/bin
d. #./jass-execute -d ../Drivers/xt-secure.driver -o ../out.date.txt
e. Once the hardening run completes, do a boot -r

12. Check if the patches installed successfully

Example:

# patchadd -p | grep 113471-08
Patch: 113471-08 Obsoletes: 115484-01 Requires: Incompatibles: Packages: SUNWcpcu SUNWcsu SUNWcsxu SUNWesu SUNWesxu SUNWmdb SUNWrmwbu SUNWscpu SUNWtnfc SUNWtoo SUNWtoox

YOU HAVE SUCCESSFULLY INSTALLED THE PATCH!!!

Sources:

1. Solaris Security Toolkit 4.1 Reference Manual. “Framework Functions.” Page 24
2. Solaris Security Toolkit 4.1 Reference Manual. “Framework Functions.” Page 176

Additional Sources:

1. Solaris Security Toolkit 4.1 Administration Guide. “Understanding the Software Components.” Page 4
2. Solaris Security Toolkit 4.1 Administration Guide. “Installing the Software.” Page 103
3. Solaris Security Toolkit 4.1 Administration Guide. “Installing and Executing the Software.” Page 47
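
Added example, not part of the original post and not Solaris Security Toolkit code: a shell check for step 12 that reads the add_patch lines of a finish script and classifies each patch against saved `patchadd -p` output as installed, newer-rev, obsoleted or missing. The function names, status labels and sample files are assumptions; only literal patch IDs on add_patch lines are handled, and the 111722-05 line in the sample listing is constructed.

```shell
#!/bin/sh
# Added example (not JASS code). On Solaris 9 use nawk: /usr/bin/awk lacks -v.

# Print the patch IDs (NNNNNN-NN) named on add_patch lines, ignoring comments.
requested_patches() {
    sed 's/#.*//' "$1" |
        awk '$1 == "add_patch" { for (i = 2; i <= NF; i++) if ($i ~ /^[0-9]+-[0-9]+$/) print $i }'
}

# Classify patch $1 against saved `patchadd -p` output in file $2.
# Prints one of: installed, newer-rev, obsoleted, missing.
patch_status() {
    awk -v want="$1" '
    BEGIN { split(want, w, "-"); st = "missing" }
    $1 == "Patch:" {
        split($2, p, "-")
        if (p[1] == w[1] && p[2] + 0 == w[2] + 0) st = "installed"
        else if (p[1] == w[1] && p[2] + 0 > w[2] + 0 && st != "installed") st = "newer-rev"
        # IDs between "Obsoletes:" and "Requires:" were superseded by this patch.
        for (i = 3; i <= NF && $i != "Requires:"; i++)
            if ($i == want && st == "missing") st = "obsoleted"
    }
    END { print st }' "$2"
}

# Print "<id> <status>" per requested patch; return 1 if any is missing.
verify_finish_script() {
    rc=0
    for id in $(requested_patches "$1"); do
        st=$(patch_status "$id" "$2")
        echo "$id $st"
        if [ "$st" = "missing" ]; then rc=1; fi
    done
    return "$rc"
}

# Constructed sample data: the finish script from the post and a trimmed
# `patchadd -p` listing (the 111722-05 line is invented for illustration).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/x-patchadd.fin" <<'EOF'
#!/bin/sh
add_patch 111722-04
add_patch 113471-08
add_patch 115675-01
EOF
cat > "$SAMPLE_DIR/patchadd-p.txt" <<'EOF'
Patch: 111722-05 Obsoletes: Requires: Incompatibles: Packages: SUNWcsu
Patch: 113471-08 Obsoletes: 115484-01 Requires: Incompatibles: Packages: SUNWcpcu SUNWcsu
EOF

verify_finish_script "$SAMPLE_DIR/x-patchadd.fin" "$SAMPLE_DIR/patchadd-p.txt" ||
    echo "at least one requested patch is not installed"
```

On a live system, save the listing first with patchadd -p > file and pass that file as the second argument.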
 
Perhaps I don't quite understand what you are doing. But JASS will harden and minimize Solaris based on the driver script that allows customization.

After JASS has been executed and all findings have been corrected or mitigated and you want to install another patch why not install the patch and then run correct the findings? JASS won't prevent you from installing the patch and will report the findings when you run the audit.

I also use the Center for Internet Security toolkit in conjunction with JASS to harden and minimize my servers, especially those facing the internet.
 