Locate the three main driver files in /opt/SUNWsst/Drivers and make copies, using a prefix for the copies (I am using paul as my prefix but a company or site name may be more appropriate):
# cd /opt/SUNWsst/Drivers
# cp secure.driver paul-secure.driver
# cp config.driver paul-config.driver
# cp hardening.driver paul-hardening.driver
The first file to be called will be the paul-secure.driver file. This needs to be edited so it calls the new copies of the other driver files instead of the originals:
# vi paul-secure.driver
<output omitted>
. ${DIR}/driver.init
. ${DIR}/paul-config.driver
. ${DIR}/paul-hardening.driver
<output omitted>
The driver.init script initialises a large number of variables. We never edit this file, because an upgrade may replace it; the values of these variables are changed elsewhere, as described later.
The paul-config.driver runs scripts to configure the system before it is hardened.
The paul-hardening.driver calls scripts which do the hardening.
The paul-config.driver is the next one to be edited. We can add files to a list of files which will be copied into the correct places and we can add scripts to configure the system. The current file doesn't copy any files and has several configuration scripts:
DIR="`/bin/dirname $0`"
export DIR
. ${DIR}/driver.init
JASS_FILES="
"
JASS_SCRIPTS="
print-jass-environment.fin
install-recommended-patches.fin
install-jass.fin
# install-openssh.fin
set-root-home-dir.fin
set-root-password.fin
set-term-type.fin
"
. ${DIR}/driver.run
To add template files which can be copied into the correct location, add them to the JASS_FILES variable at the top. To add or change the configuration scripts, simply edit the JASS_SCRIPTS variable. My edited file looks like this:
DIR="`/bin/dirname $0`"
export DIR
. ${DIR}/driver.init
JASS_FILES="
/.profile
/.kshrc
/etc/resolv.conf
"
JASS_SCRIPTS="
set-root-home-dir.fin
"
. ${DIR}/driver.run
Then make sure the template files you want copied to the new location are themselves copied into the correct subdirectory of /opt/SUNWjass/Files:
# echo "domain sun.com
> nameserver 4.2.2.1" >../Files/etc/resolv.conf
# cp /opt/templates/profile ../Files/.profile
# cp /opt/templates/kshrc ../Files/.kshrc
The list of scripts which can be included in the JASS_SCRIPTS variable can be found by listing the contents of the /opt/SUNWjass/Finish directory. They are all described in the SST documentation.
The script finishes by calling driver.run which copies the files and runs the configuration scripts.
The next file to edit is the paul-hardening.driver. This file lists more files to copy:
JASS_FILES="
/etc/dt/config/Xaccess
/etc/init.d/set-tmp-permissions
/etc/issue
/etc/motd
/etc/rc2.d/S00set-tmp-permissions
/etc/rc2.d/S07set-tmp-permissions
/etc/syslog.conf
"
...and a huge number of hardening scripts to run:
JASS_SCRIPTS="
disable-ab2.fin
disable-apache.fin
disable-apache2.fin
# disable-appserv.fin
disable-asppp.fin
disable-automount.fin
<output omitted>
Modify this file by commenting out any scripts you don't want to run or adding in any extra scripts. They are all under the ../Finish directory. I have made a simple cut-down paul-hardening.driver example:
DIR="`/bin/dirname $0`"
export DIR
. ${DIR}/driver.init
JASS_FILES="
/etc/issue
/etc/motd
/etc/syslog.conf
"
JASS_SCRIPTS="
disable-apache.fin
disable-apache2.fin
disable-ssh-root-login.fin
disable-syslogd-listen.fin
enable-account-lockout.fin
enable-password-history.fin
set-banner-dtlogin.fin
set-banner-sshd.fin
"
. ${DIR}/driver.run
Lastly, the variable customisation. The finish.init script uses a huge number of variables to configure what the finish scripts do. For example, there may be a script which forces password aging, but what values of minweeks and maxweeks will it use? They are all configured in finish.init but can be customised in user.init.
There is no user.init by default, so copy the example one:
# cp user.init.SAMPLE user.init
I will use password history as an example. In the paul-hardening.driver file, it lists the enable-password-history.fin script as one which should be run:
enable-account-lockout.fin
enable-password-history.fin
set-banner-dtlogin.fin
The finish.init file has its own built-in defaults for how many old passwords should be stored:
# ============================================================================
# JASS_PASS_HISTORY
#
# This variable contains a numeric value specifying the number of
# previous passwords kept by the system and checked against when a local user
# changes their password. If a match is found, passwd will exit and not
# change the password.
# This variable is used in the enable-password-history.fin Finish script.
# ============================================================================
if [ -z "${JASS_PASS_HISTORY}" ]; then
    JASS_PASS_HISTORY="10"
    _JASS_PASS_HISTORY_DEF="1"
    export _JASS_PASS_HISTORY_DEF
fi
export JASS_PASS_HISTORY
But notice that it checks first to see if the variable is already defined. If we want a non-default value, then we change it in the user.init file:
JASS_PASS_HISTORY=4
export JASS_PASS_HISTORY
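Before handing a copied driver to jass-execute, it is worth checking that every script it names exists under the Finish directory and every template it lists exists under Files. The following script is an added example, not part of SST; it builds a constructed toolkit tree with hypothetical paths and a site-hardening.driver of the same shape as the ones above, then reports the entries that would fail.

```shell
# Added example (not SST's own code): lint a copied driver before running it.
# Every JASS_SCRIPTS entry must exist under Finish/ and every JASS_FILES path
# under Files/, otherwise jass-execute has nothing to run or copy for it.

# Print the entries of multi-line list variable $1 from driver file $2,
# skipping blank lines and entries commented out with '#'.
driver_list() {
    awk -v var="$1" '
        $0 == var "=\"" { inblock = 1; next }
        inblock && $0 == "\"" { inblock = 0; next }
        inblock { sub(/^[[:space:]]+/, "")
                  if ($0 != "" && substr($0, 1, 1) != "#") print }' "$2"
}

# Check driver $1 against toolkit root $2 (the directory that holds Drivers/,
# Finish/ and Files/). Prints each problem; returns the number of problems.
lint_driver() {
    problems=0
    for s in $(driver_list JASS_SCRIPTS "$1"); do
        [ -f "$2/Finish/$s" ] || { echo "missing finish script: Finish/$s"; problems=$((problems + 1)); }
    done
    for f in $(driver_list JASS_FILES "$1"); do
        [ -e "$2/Files$f" ] || { echo "missing template: Files$f"; problems=$((problems + 1)); }
    done
    return $problems
}

# Constructed toolkit tree (hypothetical paths): one listed finish script and
# one template are deliberately absent, and one script is commented out.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/Drivers" "$root/Finish" "$root/Files/etc"
    touch "$root/Finish/disable-apache.fin" "$root/Finish/set-banner-sshd.fin" "$root/Files/etc/resolv.conf"
    cat > "$root/Drivers/site-hardening.driver" <<'EOF'
JASS_FILES="
/etc/resolv.conf
/etc/issue
"
JASS_SCRIPTS="
disable-apache.fin
# disable-apache2.fin
set-banner-sshd.fin
enable-password-history.fin
"
EOF
    echo "$root"
}

root=$(make_fixture)
lint_driver "$root/Drivers/site-hardening.driver" "$root" || echo "$? problem(s) found"
```

On a real installation, point lint_driver at your copied driver and the toolkit root (the parent of Drivers, Finish and Files) instead of the fixture.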
Now the configuration can be tested! Even though SST is able to undo almost all its changes, make sure you have a backup. Before applying the changes in the driver files, run an audit. This will check your system against the requirements of your driver files and generate a report. Serious mistakes in your driver files may be detected when they are being read.
# cd ../bin
# ./jass-execute -a paul-secure.driver
If the output looks good, run it for real:
# cd ../bin
# ./jass-execute -d paul-secure.driver | tee /opt/SUNWsst/log.txt
The first thing to look for is the summary at the end of the output:
==============================================================================
[SUMMARY] Results Summary for APPLY run of paul-secure.driver
[SUMMARY] The run completed with a total of 12 scripts run.
[SUMMARY] There were Failures in 0 Scripts
[SUMMARY] There were Errors in 0 Scripts
[SUMMARY] There were Warnings in 0 Scripts
[SUMMARY] There were Notes in 10 Scripts
[SUMMARY] Notes Scripts listed in:
/var/opt/SUNWjass/run/20080716212318/jass-script-notes.txt
==============================================================================
Now let's go through the Notes one at a time. The filename is provided in the summary section of the output.
# more /var/opt/SUNWjass/run/20080716212318/jass-script-notes.txt
The first line in the notes file is generated when the files listed in JASS_FILES in paul-config.driver are copied to their new locations:
install-templates.fin
The next lines are detailing each of the JASS_SCRIPTS defined in the paul-config.driver file (my example only had one):
set-root-home-dir.fin
The next line is from the JASS_FILES in the paul-hardening.driver being copied to the correct locations:
install-templates.fin
Then a line of output for each of the JASS_SCRIPTS in the paul-hardening.driver:
disable-apache.fin
disable-apache2.fin
disable-ssh-root-login.fin
disable-syslogd-listen.fin
enable-account-lockout.fin
set-banner-dtlogin.fin
set-banner-sshd.fin
The actual output of the script when it runs is more verbose, which is why I always capture it with the tee command at the end.
# ./jass-execute -d paul-secure.driver | tee /opt/SUNWsst/log.txt
Here is the (slightly edited for brevity and anonymity) full output of the jass-execute:
==============================================================================
paul-secure.driver: Driver started.
==============================================================================
Toolkit Version: 4.2.0
Node name: titania
Zone name: global
Host ID: xxxxxxx
Host address: 192.168.0.215
MAC address: 0:c:29:xx:xx:xx
OS version: 5.10
Date: Apr 1 21:23:20 BST 2008
==============================================================================
paul-secure.driver: Finish script: install-templates.fin
==============================================================================
Copying personalized files (templates).
[NOTE] Copying /.profile to /.profile.JASS.20080716212321
[NOTE] Copying /.profile from /opt/SUNWjass/Files/.profile.
[NOTE] Copying /.kshrc to /.kshrc.JASS.20080716212321
[NOTE] Copying /.kshrc from /opt/SUNWjass/Files/.kshrc.
==============================================================================
paul-secure.driver: Finish script: print-jass-environment.fin
==============================================================================
<all the variable values would be listed here>
==============================================================================
paul-secure.driver: Finish script: set-root-home-dir.fin
==============================================================================
Creating /root home directory for the root account.
Setting the home directory for the root account to "/root".
[NOTE] Copying /etc/passwd to /etc/passwd.JASS.20080716212327
Copying .cshrc and .profile files for the root account.
[NOTE] Copying /root/.cshrc from /opt/SUNWjass/Files/root/.cshrc.
==============================================================================
paul-secure.driver: Finish script: install-templates.fin
==============================================================================
Copying personalized files (templates).
[NOTE] Copying /etc/issue from /opt/SUNWjass/Files/etc/issue.
[NOTE] Copying /etc/motd to /etc/motd.JASS.20080716212330
[NOTE] Copying /etc/motd from /opt/SUNWjass/Files/etc/motd.
[NOTE] Copying /etc/syslog.conf to /etc/syslog.conf.JASS.20080716212331
[NOTE] Copying /etc/syslog.conf from /opt/SUNWjass/Files/etc/syslog.conf.
==============================================================================
paul-secure.driver: Finish script: disable-apache.fin
==============================================================================
Disabling the service: Apache
[NOTE] Renaming /etc/rc3.d/S50apache to /etc/rc3.d/_S50apache.JASS.20080716212331
==============================================================================
paul-secure.driver: Finish script: disable-apache2.fin
==============================================================================
Disabling the service: Apache2
[NOTE] Service svc:/network/http:apache2 is already disabled.
==============================================================================
paul-secure.driver: Finish script: disable-ssh-root-login.fin
==============================================================================
Disabling the function: SSH direct, remote login as the "root" account
[NOTE] Copying /etc/ssh/sshd_config to /etc/ssh/sshd_config.JASS.20080716212332
Setting the "PermitRootLogin" parameter to "no" in /etc/ssh/sshd_config.
==============================================================================
paul-secure.driver: Finish script: disable-syslogd-listen.fin
==============================================================================
Disabling the function: SYSLOG (for external log receipt)
[NOTE] Preventing the SYSLOG service from logging remote connections.
[NOTE] The service will no longer accept log messages from other systems.
[NOTE] Copying /etc/default/syslogd to /etc/default/syslogd.JASS.20080716212332
Setting the "LOG_FROM_REMOTE" parameter to "NO" in /etc/default/syslogd.
==============================================================================
paul-secure.driver: Finish script: enable-account-lockout.fin
==============================================================================
Enabling account lockout to lock user accounts with repeated failed entries.
[NOTE] Copying /etc/security/policy.conf to /etc/security/policy.conf.JASS.20080716212333
[NOTE] Setting LOCK_AFTER_RETRIES to YES in /etc/security/policy.conf.
==============================================================================
paul-secure.driver: Finish script: enable-password-history.fin
==============================================================================
Enabling password history checks on the system for local users.
==============================================================================
paul-secure.driver: Finish script: set-banner-dtlogin.fin
==============================================================================
Setting the service banner for the CDE dtlogin service.
[NOTE] Creating a new directory, /etc/dt/config.
[NOTE] Creating a new directory, /etc/dt/config/Xsession.d.
[NOTE] Creating a new file, /etc/dt/config/Xsession.d/0050.warning.
[NOTE] Copying /etc/dt/config/Xsession.d/0050.warning to /etc/dt/config/Xsession.d/0050.warning.JASS.20080716212335
Configuring CDE to display "/etc/motd" at login.
==============================================================================
paul-secure.driver: Finish script: set-banner-sshd.fin
==============================================================================
Setting the service banner for the SSH daemon.
[NOTE] Copying /etc/ssh/sshd_config to /etc/ssh/sshd_config.JASS.20080716212336
Setting "Banner" to "/etc/issue" in /etc/ssh/sshd_config.
==============================================================================
paul-secure.driver: Driver finished.
==============================================================================
[SUMMARY] Results Summary for APPLY run of paul-secure.driver
[SUMMARY] The run completed with a total of 12 scripts run.
[SUMMARY] There were Failures in 0 Scripts
[SUMMARY] There were Errors in 0 Scripts
[SUMMARY] There were Warnings in 0 Scripts
[SUMMARY] There were Notes in 10 Scripts
[SUMMARY] Notes Scripts listed in:
/var/opt/SUNWjass/run/20080716212318/jass-script-notes.txt
==============================================================================
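Two things worth pulling out of that captured log.txt are the [SUMMARY] counts and the list of files SST backed up before altering them (the "Copying X to X.JASS.<timestamp>" and "Renaming X to Y.JASS.<timestamp>" notes), which is exactly the set the undo run will restore. The following is an added example, not part of SST, run over a constructed excerpt of the output above.

```shell
# Added example (not SST's own code): post-run checks on the log captured with
# "jass-execute -d ... | tee log.txt".

# Exit with the number of scripts reported with Failures plus Errors in the
# [SUMMARY] block of log $1, so 0 means a clean apply run.
run_status() {
    awk 'BEGIN { n = 0 }
         /^\[SUMMARY\] There were (Failures|Errors) in [0-9]+ Scripts/ { n += $6 }
         END { exit n }' "$1"
}

# Print each original path SST saved a backup of before changing it, parsed
# from the "[NOTE] Copying X to X.JASS.<ts>" and "[NOTE] Renaming X to Y.JASS.<ts>"
# lines of log $1, one path per line, without duplicates.
changed_files() {
    awk '/^\[NOTE\] (Copying|Renaming) .* to .*\.JASS\.[0-9]+$/ && !seen[$3]++ { print $3 }' "$1"
}

# Constructed log excerpt in the format shown above; $1 sets the Errors count
# so both a clean and a failed run can be exercised.
make_log() {
    f=$(mktemp)
    cat > "$f" <<EOF
[NOTE] Copying /.profile to /.profile.JASS.20080716212321
[NOTE] Copying /.profile from /opt/SUNWjass/Files/.profile.
[NOTE] Copying /etc/ssh/sshd_config to /etc/ssh/sshd_config.JASS.20080716212332
Setting the "PermitRootLogin" parameter to "no" in /etc/ssh/sshd_config.
[NOTE] Renaming /etc/rc3.d/S50apache to /etc/rc3.d/_S50apache.JASS.20080716212331
[NOTE] Copying /etc/ssh/sshd_config to /etc/ssh/sshd_config.JASS.20080716212336
[SUMMARY] Results Summary for APPLY run of paul-secure.driver
[SUMMARY] There were Failures in 0 Scripts
[SUMMARY] There were Errors in ${1:-0} Scripts
[SUMMARY] There were Warnings in 0 Scripts
[SUMMARY] There were Notes in 10 Scripts
EOF
    echo "$f"
}

log=$(make_log)
echo "files backed up by this run:"
changed_files "$log"
run_status "$log" && echo "apply run clean" || echo "apply run had failures or errors"
```

Against a real run, replace make_log with the path of the log.txt captured by tee.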
Undoing SST
All changes and files altered by SST can be undone. Any file that was changed was copied first, and the undo puts those copies back in place. Simply execute the jass-execute command with a -u for undo:
# ./jass-execute -u
Executing driver, undo.driver
You will be prompted to select a particular application of SST to undo:
Please select a Solaris Security Toolkit run to restore through:
1. July 16, 2008 at 21:23:18 (/var/opt/SUNWjass/run/20080716212318)
Choice ('q' to exit)? 1
[NOTE] Restoring to previous run from /var/opt/SUNWjass/run/20080716212318
The following examples show modified files being replaced by their pre-SST backups:
==============================================================================
undo.driver: Undoing Finish Script: set-banner-sshd.fin
==============================================================================
[NOTE] Undoing operation COPY.
cp -p /etc/ssh/sshd_config.JASS.20080716212336 /etc/ssh/sshd_config
rm -f /etc/ssh/sshd_config.JASS.20080716212336
==============================================================================
undo.driver: Undoing Finish Script: disable-apache.fin
==============================================================================
[NOTE] Undoing operation MOVE.
mv /etc/rc3.d/_S50apache.JASS.20080716212331 /etc/rc3.d/S50apache
==============================================================================
undo.driver: Undoing Finish Script: set-root-home-dir.fin
==============================================================================
[NOTE] Undoing operation EXECUTE SCRIPT
src = rmdir dest = /root args = || echo '[WARN] Directory /root not removed. Check for configuration files and remove /root manually.'
[NOTE]
Executing command: rmdir /root || echo '[WARN] Directory /root not removed. Check for configuration files and remove /root manually.'
rmdir: directory "/root": Directory not empty
[WARN] Directory /root not removed. Check for configuration files and remove /root manually.
==============================================================================
[SUMMARY] Results Summary for UNDO run of undo.driver
[SUMMARY] The run completed with a total of 12 scripts run.
[SUMMARY] There were Failures in 0 Scripts
[SUMMARY] There were Errors in 0 Scripts
[SUMMARY] There were Warnings in 0 Scripts
[SUMMARY] There were Notes in 9 Scripts
[SUMMARY] Notes Scripts listed in:
/var/opt/SUNWjass/run/20080716212318/jass-undo-script-notes.txt
==============================================================================