Table Of Contents

Preface
CHAPTER 1
Introduction to Solaris 10 Operating System Support
Using Perl With Solaris Security Toolkit 4.2 Software
SMF and Legacy Services on Solaris 10 OS
Scripts That Use the SMF-Ready Services Interface
Scripts That SMF Recognizes as Legacy Services
New Scripts for Solaris Security Toolkit 4.2 Release
Scripts Not Used for Solaris 10
Environment Variables Not Used for Solaris 10
Using Solaris 10 OS Zones
Sequence Matters in Hardening Global and Non-Global Zones
Harden a Non-Global Zone From Within That Zone
Some Scripts Are Not Relevant to Non-Global Zones
Audits of Non-Global Zones Are Separate and Distinct From Audits of Global Zones
Zone-Aware Finish and Audit Scripts
Some Zone-Aware Scripts Require Action Before Use in Non-Global Zones
Using TCP Wrappers
TCP Wrappers Configuration for
Defining Environment Variables
Earlier Solaris Security Toolkit Versions
Solaris Security Toolkit 4.2
CHAPTER 2
Framework Functions
Customizing Framework Functions
Using Common Log Functions
logBanner
logDebug
logError
logFailure
logFileNotFound
logFinding
logFormattedMessage
logInvalidDisableMode
logInvalidOSRevision
logMessage
logNotice
logNotGlobalZone
logProcessNotFound
logScore
logScriptFailure
logServiceProcessList
logSuccess
invalidVulnVal
isNumeric
printPretty
printPrettyPath
strip_path
Using Driver Functions
add_crontab_entry_if_missing
add_option_to_ftpd_property
add_patch
add_pkg
TABLE 2-3 Options for add_pkg Function
add_to_manifest
TABLE 2-4 add_to_manifest Options and Sample Manifest Entries
backup_file
backup_file_in_safe_directory
change_group
change_mode
change_owner
check_and_log_change_needed
check_os_min_version
check_os_revision
CODE EXAMPLE 2-4 Checking for a Specific OS Revision or Range
check_readOnlyMounted
checksum
convert_inetd_service_to_frmi
CODE EXAMPLE 2-5 Checksum Output From MD5 in Solaris 10 OS
copy_a_dir
copy_a_file
copy_a_symlink
copy_files
create_a_file
create_file_timestamp
disable_conf_file
disable_file
disable_rc_file
disable_service
enable_service
find_sst_run_with
get_expanded_file_name
get_stored_keyword_val
get_users_with_retries_set
is_service_enabled
is_service_installed
is_service_running
is_user_account_extant
is_user_account_locked
is_user_account_login_not_set
is_user_account_passworded
lock_user_account
make_link
mkdir_dashp
move_a_file
rm_pkg
set_service_property_value
set_stored_keyword_val
unlock_user_account
update_inetconv_in_upgrade
warn_on_default_files
write_val_to_file
Using Audit Functions
check_fileTemplate
check_if_crontab_entry_present
check_keyword_value_pair
check_minimized
check_minimized_service
finish_audit
start_audit
CHAPTER 3
File Templates
Customizing File Templates
▼ To Customize a File Template
Understanding Criteria for How Files Are Copied
Using Configuration Files
driver.init
finish.init
user.init.SAMPLE
▼ To Add a New Variable to the user.init script
▼ To Append Entries to Variables Using the
Using File Templates
.cshrc
.profile
etc/default/sendmail
etc/dt/config/Xaccess
etc/ftpd/banner.msg
etc/hosts.allow-15k_sc
etc/hosts.allow-server
etc/hosts.allow-suncluster
etc/init.d/nddconfig
etc/init.d/set-tmp-permissions
etc/init.d/sms_arpconfig
etc/init.d/swapadd
etc/notrouter
etc/opt/ipf/ipf.conf
etc/opt/ipf/ipf.conf-15k_sc
etc/opt/ipf/ipf.conf-server
etc/rc2.d/S00set-tmp-permissions and etc/rc2.d/S07set-tmp-permissions
etc/rc2.d/S70nddconfig
etc/rc2.d/S73sms_arpconfig
etc/rc2.d/S77swapadd
etc/security/audit_control
etc/security/audit_class+5.8 and etc/security/audit_event+5.8
etc/security/audit_class+5.9 and etc/security/audit_event+5.9
etc/syslog.conf
root/.cshrc
root/.profile
var/opt/SUNWjass/BART/rules
var/opt/SUNWjass/BART/rules-secure
CHAPTER 4
Drivers
Understanding Driver Functions and Processes
Load Functionality Files
Perform Basic Checks
Load User Functionality Overrides
Mount File Systems to JumpStart Client
Copy or Audit Files
Execute Scripts
Compute Total Score for the Run
Unmount File Systems From JumpStart Client
Customizing Drivers
▼ To Customize a Driver
Using Standard Drivers
config.driver
hardening.driver
secure.driver
Using Product-Specific Drivers
TABLE 4-1 Product-Specific Drivers
server-secure.driver
suncluster3x-secure.driver
sunfire_15k_sc-secure.driver
CHAPTER 5
Finish Scripts
Customizing Finish Scripts
Customize Existing Finish Scripts
▼ To Customize a Finish Script
Create New Finish Scripts
Using Standard Finish Scripts
disable-kdc.fin
disable-keyboard-abort.fin
disable-keyserv-uid-nobody.fin
disable-ldap-client.fin
disable-lp.fin
disable-mipagent.fin
disable-named.fin
disable-nfs-client.fin
disable-nfs-server.fin
disable-nscd-caching.fin
disable-picld.fin
disable-power-mgmt.fin
disable-ppp.fin
disable-preserve.fin
disable-remote-root-login.fin
disable-rhosts.fin
disable-routing.fin
disable-rpc.fin
disable-samba.fin
disable-sendmail.fin
enable-bart.fin
enable-bsm.fin
enable-coreadm.fin
enable-ftpaccess.fin
enable-ftp-syslog.fin
enable-inetd-syslog.fin
enable-ipfilter.fin
CODE EXAMPLE 5-4 secure.driver Default IP Filter Rules File
CODE EXAMPLE 5-5 server-secure.driver Default IP Filter Rules File
enable-password-history.fin
enable-priv-nfs-ports.fin
enable-process-accounting.fin
enable-rfc1948.fin
enable-stack-protection.fin
enable-tcpwrappers.fin
Install Finish Scripts
install-at-allow.fin
install-fix-modes.fin
install-ftpusers.fin
install-jass.fin
install-loginlog.fin
install-md5.fin
install-nddconfig.fin
install-newaliases.fin
install-openssh.fin
install-recommended-patches.fin
install-sadmind-options.fin
install-security-mode.fin
install-shells.fin
install-strong-permissions.fin
install-sulog.fin
install-templates.fin
Print Finish Scripts
print-jass-environment.fin
print-jumpstart-environment.fin
print-rhosts.fin
print-sgid-files.fin
print-suid-files.fin
print-unowned-objects.fin
print-world-writable-objects.fin
Remove Finish Script
remove-unneeded-accounts.fin
Set Finish Scripts
set-banner-dtlogin.fin
set-banner-ftpd.fin
set-banner-sendmail.fin
set-banner-sshd.fin
set-banner-telnet.fin
set-flexible-crypt.fin
set-ftpd-umask.fin
set-login-retries.fin
set-power-restrictions.fin
set-rmmount-nosuid.fin
set-root-group.fin
set-root-home-dir.fin
set-root-password.fin
set-strict-password-checks.fin
set-sys-suspend-restrictions.fin
set-system-umask.fin
set-term-type.fin
set-tmpfs-limit.fin
set-user-password-reqs.fin
set-user-umask.fin
Update Finish Scripts
update-at-deny.fin
update-cron-allow.fin
update-cron-deny.fin
update-cron-log-size.fin
update-inetd-conf.fin
Using Product-Specific Finish Scripts
TABLE 5-1 Product-Specific Finish Scripts
suncluster3x-set-nsswitch-conf.fin
s15k-static-arp.fin
s15k-exclude-domains.fin
s15k-sms-secure-failover.fin
CHAPTER 6
Audit Scripts
Customizing Audit Scripts
Customize Standard Audit Scripts
▼ To Customize An Audit Script
Create New Audit Scripts
Using Standard Audit Scripts
Disable Audit Scripts
disable-ab2.aud
disable-apache.aud
disable-apache2.aud
disable-appserv.aud
disable-asppp.aud
disable-autoinst.aud
disable-automount.aud
disable-dhcpd.aud
disable-directory.aud
disable-dmi.aud
disable-dtlogin.aud
disable-face-log.aud
disable-IIim.aud
disable-ipv6.aud
disable-kdc.aud
disable-keyboard-abort.aud
disable-keyserv-uid-nobody.aud
disable-ldap-client.aud
disable-lp.aud
disable-mipagent.aud
disable-named.aud
disable-nfs-client.aud
disable-nfs-server.aud
disable-nscd-caching.aud
disable-picld.aud
disable-power-mgmt.aud
disable-ppp.aud
disable-preserve.aud
disable-remote-root-login.aud
disable-rhosts.aud
disable-routing.aud
disable-rpc.aud
disable-samba.aud
disable-sendmail.aud
disable-slp.aud
disable-sma.aud
disable-snmp.aud
disable-spc.aud
disable-ssh-root-login.aud
disable-syslogd-listen.aud
disable-system-accounts.aud
disable-uucp.aud
disable-vold.aud
disable-wbem.aud
disable-xfs.aud
disable-xserver.listen.aud
Enable Audit Scripts
enable-account-lockout.aud
enable-bart.aud
enable-bsm.aud
enable-coreadm.aud
enable-ftp-syslog.aud
enable-ftpaccess.aud
enable-inetd-syslog.aud
enable-ipfilter.aud
enable-password-history.aud
enable-priv-nfs-ports.aud
enable-process-accounting.aud
enable-rfc1948.aud
enable-stack-protection.aud
enable-tcpwrappers.aud
Install Audit Scripts
install-at-allow.aud
install-fix-modes.aud
install-ftpusers.aud
install-jass.aud
install-loginlog.aud
install-md5.aud
install-nddconfig.aud
install-newaliases.aud
install-openssh.aud
install-recommended-patches.aud
install-sadmind-options.aud
install-security-mode.aud
install-shells.aud
install-strong-permissions.aud
install-sulog.aud
install-templates.aud
Print Audit Scripts
print-jass-environment.aud
print-jumpstart-environment.aud
print-rhosts.aud
print-sgid-files.aud
print-suid-files.aud
print-unowned-objects.aud
print-world-writable-objects.aud
Remove Audit Script
remove-unneeded-accounts.aud
Set Audit Scripts
set-banner-dtlogin.aud
set-banner-ftpd.aud
set-banner-sendmail.aud
set-banner-sshd.aud
set-banner-telnet.aud
set-flexible-crypt.aud
set-ftpd-umask.aud
set-login-retries.aud
set-power-restrictions.aud
set-rmmount-nosuid.aud
set-root-group.aud
set-root-home-dir.aud
set-root-password.aud
set-strict-password-checks.aud
set-sys-suspend-restrictions.aud
set-system-umask.aud
set-term-type.aud
set-tmpfs-limit.aud
set-user-password-reqs.aud
set-user-umask.aud
Update Audit Scripts
update-at-deny.aud
update-cron-allow.aud
update-cron-deny.aud
update-cron-log-size.aud
update-inetd-conf.aud
Using Product-Specific Audit Scripts
suncluster3x-set-nsswitch-conf.aud
TABLE 6-3 Product-Specific Audit Scripts
s15k-static-arp.aud
s15k-exclude-domains.aud
s15k-sms-secure-failover.aud
CHAPTER 7
Environment Variables
Customizing and Assigning Variables
Assigning Static Variables
Assigning Dynamic Variables
Assigning Complex Substitution Variables
Assigning Global and Profile-Based Variables
Creating Environment Variables
Using Environment Variables
Defining Framework Variables
JASS_AUDIT_DIR
JASS_CHECK_MINIMIZED
JASS_CONFIG_DIR
JASS_DISABLE_MODE
JASS_DISPLAY_HOST_LENGTH
JASS_DISPLAY_HOSTNAME
JASS_DISPLAY_SCRIPT_LENGTH
JASS_DISPLAY_SCRIPTNAME
JASS_DISPLAY_TIME_LENGTH
JASS_DISPLAY_TIMESTAMP
JASS_FILE_COPY_KEYWORD
JASS_FILES
JASS_FILES_DIR
JASS_FINISH_DIR
JASS_HOME_DIR
JASS_HOSTNAME
JASS_ISA_CAPABILITY
JASS_LOG_BANNER
JASS_LOG_ERROR
JASS_LOG_FAILURE
JASS_LOG_NOTICE
JASS_LOG_SUCCESS
JASS_LOG_SUMMARY
JASS_LOG_WARNING
JASS_MODE
JASS_OS_REVISION
JASS_OS_TYPE
JASS_PACKAGE_DIR
JASS_PATCH_DIR
JASS_PKG
JASS_REPOSITORY
JASS_ROOT_DIR
JASS_ROOT_HOME_DIR
JASS_RUN_AUDIT_LOG
JASS_RUN_CHECKSUM
JASS_RUN_CLEAN_LOG
JASS_RUN_FINISH_LIST
JASS_RUN_INSTALL_LOG
JASS_RUN_MANIFEST
JASS_RUN_SCRIPT_LIST
JASS_RUN_UNDO_LOG
JASS_RUN_VALUES
JASS_RUN_VERSION
JASS_SAVE_BACKUP
JASS_SCRIPT
JASS_SCRIPT_ERROR_LOG
JASS_SCRIPT_FAIL_LOG
JASS_SCRIPT_NOTE_LOG
JASS_SCRIPT_WARN_LOG
JASS_SCRIPTS
TABLE 7-2 Supporting OS Versions in the JASS_SCRIPTS Variable
JASS_STANDALONE
JASS_SUFFIX
JASS_TIMESTAMP
JASS_UNAME
JASS_UNDO_TYPE
JASS_USER_DIR
JASS_VERBOSITY
JASS_VERSION
JASS_ZONE_NAME
Define Script Behavior Variables
JASS_ACCT_DISABLE
JASS_ACCT_REMOVE
JASS_AGING_MAXWEEKS
JASS_AGING_MINWEEKS
JASS_AGING_WARNWEEKS
JASS_AT_ALLOW
JASS_AT_DENY
JASS_BANNER_DTLOGIN
JASS_BANNER_FTPD
JASS_BANNER_SENDMAIL
JASS_BANNER_SSHD
JASS_BANNER_TELNETD
JASS_CORE_PATTERN
JASS_CPR_MGT_USER
JASS_CRON_ALLOW
JASS_CRON_DENY
JASS_CRON_LOG_SIZE
JASS_CRYPT_ALGORITHMS_ALLOW
JASS_CRYPT_DEFAULT
JASS_CRYPT_FORCE_EXPIRE
JASS_FIXMODES_DIR
JASS_FIXMODES_OPTIONS
JASS_FTPD_UMASK
JASS_FTPUSERS
JASS_KILL_SCRIPT_DISABLE
JASS_LOGIN_RETRIES
JASS_MD5_DIR
JASS_NOVICE_USER
JASS_PASS_DICTIONDBDIR
JASS_PASS_DICTIONLIST
JASS_PASS_HISTORY
JASS_PASS_LENGTH
JASS_PASS_MAXREPEATS
JASS_PASS_MINALPHA
JASS_PASS_MINDIFF
JASS_PASS_MINDIGIT
JASS_PASS_MINLOWER
JASS_PASS_MINNONALPHA
JASS_PASS_MINSPECIAL
JASS_PASS_MINUPPER
JASS_PASS_NAMECHECK
JASS_PASS_WHITESPACE
JASS_PASSWD
JASS_POWER_MGT_USER
JASS_REC_PATCH_OPTIONS
JASS_RHOSTS_FILE
JASS_ROOT_GROUP
JASS_ROOT_PASSWORD
JASS_SADMIND_OPTIONS
JASS_SENDMAIL_MODE
JASS_SGID_FILE
JASS_SHELLS
JASS_SUID_FILE
JASS_SUSPEND_PERMS
JASS_SVCS_DISABLE
JASS_SVCS_ENABLE
JASS_TMPFS_SIZE
JASS_UMASK
JASS_UNOWNED_FILE
JASS_WRITABLE_FILE
Define JumpStart Mode Variables
JASS_PACKAGE_MOUNT
JASS_PATCH_MOUNT
Glossary
Index
Os Solaris Jass
Published by: dramesh on Nov 19, 2010
Copyright: Attribution Non-commercial