Patch Installation w/ JASS
(01/05/2006)
1. Download the necessary patches from
2. Decompress the patches and copy to /opt/SUNWjass/Patches
Note: unzip with the -q option. For more information, see the man pages.
3. Create a finish script for the patch/patches that needs to be added
Example:
#cd /opt/SUNWjass/Finish
#touch x-patchadd.fin
#vi x-patchadd.fin
x-patchadd.fin script:
#!/bin/sh
add_patch 111722-04
add_patch 113471-08
add_patch 115675-01
Note: add_patch is a functions within JASS, which is used to add Solaris OS patches to the system (1).
6. Edit /opt/SUNWjass/Drivers/x-config.driver and add x-patchadd.fin script to the driver file.
Example of x-config.driver with x-patchadd.fin script:
# more x-config.driver
#!/bin/sh
#
# Copyright (c) 2000-2002 by Sun Microsystems, Inc.
# All rights reserved.
#
#ident "@(#)config.driver 3.2 02/08/30 SMI"
#
# The purpose of this script is to perform some basic system
# configuration. This section does not necessarily perform
# security functions (perhaps with the exception of the
# installation of patches). This driver can be used as a
# template for other general system administration functions.
DIR="`/bin/dirname $0`"
export DIR
. ${DIR}/driver.init
JASS_FILES="
/.cshrc
/.profile
"
# Note: install-recommended-patches.fin is generally always the first
# Finish script to run as it establishes the baseline system that
# will be hardened. Since these clusters contain security patches,
# it is important that they be installed before hardening the
# system.
JASS_SCRIPTS="
print-jass-environment.fin
install-recommended-patches.fin
install-jass.fin
# install-openssh.fin
set-root-password.fin
set-term-type.fin
x-patchadd.fin
"
. ${DIR}/driver.run
7. Backup critical files by renaming them (vfstab to backup.vfstab.date)
a. /opt/SUNWjass/bin/jass-check-sum: This command indicates which files were changed since the last hardening run (2).
Example:
# ./jass-check-sum
Checking for file signature conflicts associated with Toolkit run: 20051130135907
File Name Saved CkSum Current CkSum
------------------------------------------------------------------------------------------------
/etc/logadm.conf 2362963540:1042 1539921394:1131
/etc/vfstab 3049598766:587 2494242351:1031
/etc/passwd 1264154811:361 3250020763:418
/etc/ssh/sshd_config 483895098:5118 2629678587:5120
/etc/shadow 256099546:258 3837770651:277
/etc/syslog.conf 258726615:480 3724897944:644
8. Un-harden the Solaris system.
a. To un-harden a Solaris system with out changing any existing configuration, use the -k option.
Example:
#cd /opt/SUNWjass/bin
#./jass-execute -u -k -o ../undo.out.20060105.txt
b. To un-harden a Solaris system and to change everything since the last hardening run, follow the example below.
Example:
#cd /opt/SUNWjass/bin
#./jass-execute -u -b -o ../undo.out.date.txt
9. Once the undo/un-hardening process has completed, do a boot –r.
Example:
#shutdown -y -g0 -i0
#ok boot -r
10. If the -k option was used, check if the existing configuration/installation has changed and take the appropriate action.
11. Re-harden the Solaris system w/ JASS.
Note: Check patch requirements if it needs to be installed in single user mode. One can go to
for more information on specific patches.
Example:
a. #init s (boot in to single user mode)
b. You will be prompted for the root password. Enter the root password.
c. #cd /opt/SUNWjass/bin
d. #./jass-execute -d ../Drivers/xt-secure.driver -o ../out.date.txt
e. Once the hardening run completes, do a boot -r
12. Check if the patches installed successfully
Example:
# patchadd -p | grep 113471-08
Patch: 113471-08 Obsoletes: 115484-01 Requires: Incompatibles: Packages: SUNWcpcu SUNWcsu SUNWcsxu SUNWesu SUNWesxu SUNWmdb SUNWrmwbu SUNWscpu SUNWtnfc SUNWtoo SUNWtoox
YOU HAVE SUCCESSFULLY INSTALLED THE PATCH!!!
Sources:
1. Solaris Security Toolkit 4.1 Reference Manual. “Framework Functions.” Page 24
2. Solaris Security Toolkit 4.1 Reference Manual. “Framework Functions.” Page 176
Additional Sources:
1. Solaris Security Toolkit 4.1 Administration Guide. “Understanding the Software Components.” Page 4
2. Solaris Security Toolkit 4.1 Administration Guide. “Installing the Software.” Page 103
3. Solaris Security Toolkit 4.1 Administration Guide. “Installing and Executing the Software.” Page 47