Solaris Security Toolkit AKA JASS

kHz

Can you implement the Solaris Security Toolkit with Jumpstart even though the server is already built? Or is it better to implement it on a standalone basis?

If the former, how would this be done? Also, any comments or recommendations or gotchas to watch for with the Toolkit?

Thanks.
 
I don't have much experience w/ JASS, but I've recently installed and configured JASS on an existing server.

Here are my installation and configuration notes:

JASS INSTALLATION/CONFIGURATION
===============================

1. Installed Jass (pkgadd)

2. Copied custom drivers x-config.driver, x-hardening.driver, and x-secure.driver from an existing jass installation to /opt/SUNWjass/Drivers

# ls -la x*
-r--r--r-- 1 root other 1000 Nov 2 11:03 x-config.driver
-r--r--r-- 1 root other 3308 Nov 2 11:03 x-hardening.driver
-r--r--r-- 1 root other 408 Nov 2 11:03 x-secure.driver
# pwd
/opt/SUNWjass/Drivers

3. Changed permission to chmod 444 on custom drivers (read-only for owner, group, and everyone)

# pwd
/opt/SUNWjass/Drivers
# chmod 444 x-*


4. Copied and uncompressed SUNBEfixm[1].pkg and SUNBEmd5[1].pkg to /opt/SUNWjass/Packages

SUNBEmd5.pkg:
The MD5 software validates MD5 digital fingerprints on the Sun Fire domains. Validating the integrity of Solaris OE binaries provides a robust mechanism to detect system binaries that are altered or trojaned (hidden inside something that appears safe) by unauthorized users. By modifying system binaries, attackers provide themselves with backdoor access onto a system; they hide their presence and cause systems to operate in unstable manners.

SUNBEfixm.pkg:
FixModes is a software package that tightens the default Solaris OE directory and file permissions. Tightening these permissions can significantly improve overall security of Sun Fire domains. More restrictive permissions make it even more difficult for malicious users to gain privileges on a system.

# ls -la
total 394
drwxr-xr-x 2 root root 512 Nov 2 11:08 .
drwxr-xr-x 15 root other 512 Nov 2 10:55 ..
-rw-r--r-- 1 root other 135168 Nov 2 11:07 SUNBEfixm[1].pkg
-rw-r--r-- 1 root other 50176 Nov 2 11:07 SUNBEmd5[1].pkg
-r--r--r-- 1 root root 296 Nov 22 2004 noask_pkgadd
-r--r--r-- 1 root root 295 Nov 22 2004 noask_pkgrm
# pwd
/opt/SUNWjass/Packages

5. Rename SUNBEfixm[1].pkg to SUNBEfixm.pkg and SUNBEmd5[1].pkg to SUNBEmd5.pkg.

# pwd
/opt/SUNWjass/Packages
# mv 'SUNBEfixm[1].pkg' SUNBEfixm.pkg
# mv 'SUNBEmd5[1].pkg' SUNBEmd5.pkg

6. Created symbolic link in /opt/SUNWjass/Patches to /opt/install/patch (personal pref. for placing software on our servers):

# ls -la
total 10
drwxr-xr-x 2 root root 512 Nov 2 11:38 .
drwxr-xr-x 15 root other 512 Nov 2 10:55 ..
lrwxrwxrwx 1 root other 32 Nov 2 11:37 9_Recommended -> /opt/install/patch/9_Recommended
lrwxrwxrwx 1 root other 43 Nov 2 11:37 9_SunAlert_Patch_Cluster -> /opt/install/patch/9_SunAlert_Patch_Cluster
lrwxrwxrwx 1 root other 45 Nov 2 11:38 J2SE_Solaris_9_Recommended -> /opt/install/patch/J2SE_Solaris_9_Recommended
# pwd
/opt/SUNWjass/Patches



7. Set environment variable (ksh shell/bourne shell)

ksh
export JASS_NOVICE_USER=0

bourne shell
JASS_NOVICE_USER=0
export JASS_NOVICE_USER

8. Configure:
cd /opt/SUNWjass/bin
./jass-execute -d ../Drivers/xt-secure.driver -o ../output.date.txt

Note:

./jass-execute -a ../Drivers/xt-secure.driver -o ../output.date.txt

-a: audit

9. Once JASS configuration is complete (20 to 30 minutes), do a boot -r:

#init 0 (logged-in as root)
ok boot -r
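
The staging in steps 2 through 7 can be checked before jass-execute is run. The shell function below is an added example, not part of the original post or of the Solaris Security Toolkit; the name jass_preflight is hypothetical, and it checks only what the notes describe: driver mode 444, renamed package files, resolvable Patches links, and an exported JASS_NOVICE_USER.

```shell
#!/bin/sh
# Added example (not part of JASS): check a hand-staged toolkit tree
# before running jass-execute. jass_preflight is a hypothetical name.
# Usage: sh jass_preflight.sh /opt/SUNWjass x-secure.driver

jass_preflight() {
    root=$1; driver=$2; problems=0
    fail() { echo "PROBLEM: $*"; problems=$((problems + 1)); }

    # Steps 2-3: the driver must exist and be read-only (mode 444).
    d="$root/Drivers/$driver"
    if [ ! -f "$d" ]; then
        fail "driver not found: $d"
    else
        case "$(ls -ld "$d")" in
            -r--r--r--*) ;;
            *) fail "driver is not mode 444: $d" ;;
        esac
    fi

    # Steps 4-5: both package files must exist under their final names;
    # a name still containing "[" means the rename was skipped.
    for p in SUNBEfixm.pkg SUNBEmd5.pkg; do
        [ -f "$root/Packages/$p" ] || fail "missing package: Packages/$p"
    done
    for f in "$root"/Packages/*'['*; do
        if [ -e "$f" ]; then fail "unrenamed download: $f"; fi
    done

    # Step 6: every symlink under Patches must resolve to a directory.
    for l in "$root"/Patches/*; do
        if [ -h "$l" ] && [ ! -d "$l" ]; then fail "dangling patch link: $l"; fi
    done

    # Step 7: the variable must be exported, so ask a child shell for it.
    if [ "$(sh -c 'echo "${JASS_NOVICE_USER-unset}"')" != 0 ]; then
        fail "JASS_NOVICE_USER=0 is not exported"
    fi

    echo "$problems problem(s) found"
    return "$problems"
}

# Run only when a toolkit root and driver name are given on the command line.
[ "$#" -eq 0 ] || jass_preflight "$@"
```

The function returns the number of problems found, so a zero exit status means the tree matches the notes.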
 