Less Known Solaris features: Jumpstart Enterprise Toolkit - Part 12: Automatic hardening with SST

It´s a best practice to harden a system before you place it into your production network to reduce possible attack vectors. Sun developed the Solaris Security Toolkit for this task to collect all the knowledge about hardening Solaris in a tool thats simple to use. I´ve wrote already about the usage of the toolkit in another installment of the LessKnownSolarisFeatures series. It would be really neat to have an automatized hardening of new systems. The Jumpstart Enterprise Toolkit can do exactly this with the help of JASS module.

Preparing the Jumpstart for installation

At fist you uncompress and untar the JASS distribution.

# copy_product_media jass 4.2.0 /export/home/jmoekamp i386<br />
Transferring <SUNWjass> package instance
Packges copied.

Okay, but we have to do another step. There is a patch for the version 4.2.0 of the Solaris Security Toolkit: 122608-xx. At first we have to tell JET that there is a patch for this product and version. We have to modify the file patch.matrix in /opt/SUNWjet/Products/jass:

#<br />
# Patch matrix for Solaris Security Toolkit (JASS)<br />
#<br />
# <os>:<arch>:<version>:
#<br />

Now it´s easy to integrate the patch. I´ve unpacked the patch in the directory \verb=/export/home/jmoekamp/patch_jass= before:

# copy_product_patches jass 4.2.0 /export/home/jmoekamp/patch_jass i386         
Patches copied.

Configuring the template

Okay, you have to configure only a few basic variables to trigger the automatic hardining of your new installation.

base_config_products=" custom sbd sds jass"<br />
jass_product_version="4.2.0"<br />
Please refer to the <a href="http://www.c0t0d0s0.org/archives/4308-Less-known-Solaris-Feature-Solaris-Security-Toolkit.html">SST tutorial</a> about the inner mechanisms and the concept of drivers in the Solaris Security Toolkit.
<h3>After Jumpstarting</h3>
Okay, it´s time to reboot the machine we want to install again. At first, all is like at the runs before. But then we see some further lines in the logfile.<br />
<blockquote><code>JASS: Installing jass....<br />
JASS: Installing Solaris Security Toolkit (JASS) 4.2.0...<br />
JASS: Installing SUNWjass from: /a/var/opt/sun/jet/js_media/pkg/jass/4.2.0/i386
Installation of <SUNWjass> was successful.<br />
JASS: SUNWjass installation complete<br />
JASS: Register postinstall script 'postinstall' for boot z

It´s important to know, that the above configuration installed the SUNWjass package on the system, patches it there and then run runs the toolkit installed on the system. The hardening of the system is started in the background.After a while you will recognize the work of the script. The backup files of the Solaris Security Toolkit are dispersed all over the directories.

bash-3.00$ ls -l /etc/*.JASS*<br />
-rw-r--r--   1 root     other        372 May 23 19:48 /etc/coreadm.conf.JASS.20080523195314<br />
[...]<br />
-rw-r--r--   1 root     sys          362 May 23 19:43 /etc/vfstab.JASS.20080523195420<br />

After the completion of the background JASS run, you have a automatically installed, patched, customized, mirrored and hardened system.