It's a best practice to harden a system before you place it into your production network, to reduce the possible attack vectors. Sun developed the Solaris Security Toolkit for this task, to collect all the knowledge about hardening Solaris in a tool that's simple to use. I've already written about the usage of the toolkit in another installment of the LessKnownSolarisFeatures series.
It would be really neat to have an automated hardening of new systems. The Jumpstart Enterprise Toolkit can do exactly this with the help of the JASS module.
Preparing the Jumpstart for installation
First you uncompress and untar the JASS distribution and copy the product into JET:
# copy_product_media jass 4.2.0 /export/home/jmoekamp i386
Transferring package instance
Packges copied.
Okay, but we have to do another step. There is a patch for version 4.2.0 of the Solaris Security Toolkit: 122608-xx. At first we have to tell JET that there is a patch for this product and version, by modifying the file patch.matrix in /opt/SUNWjet/Products/jass:
#
# Patch matrix for Solaris Security Toolkit (JASS)
#
# :::
#
10:i386:4.2.0:122608
Now it's easy to integrate the patch. I've unpacked the patch into the directory /export/home/jmoekamp/patch_jass before:
# copy_product_patches jass 4.2.0 /export/home/jmoekamp/patch_jass i386
Patches copied.
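A small pre-flight check for the two steps above, written as an added example (it is not part of the original post and not a JET tool): it reads patch.matrix, selects the entries for the given Solaris release, architecture and product version, and verifies that every listed patch id has an unpacked directory <id>-<rev> in the patch source directory, which is what copy_product_patches needs to find. The field layout release:arch:version:patch_id is my reading of the single entry shown above, and the revision 122608-01 in the sample is a made-up placeholder (the post only gives 122608-xx).

```shell
#!/bin/sh
# Added example, not from the original post or from JET.
# Assumed patch.matrix line format (read off the entry in the post):
#   <os_release>:<arch>:<product_version>:<patch_id>
# Comment lines (#) and blank lines are ignored.

# usage: check_patch_matrix <patch.matrix> <patch_dir> <os> <arch> <version>
# prints "ok <id> <dir>" or "missing <id>" per matching patch id,
# returns 0 when every patch was found unpacked, 1 otherwise
check_patch_matrix() {
    matrix=$1; pdir=$2; os=$3; arch=$4; ver=$5
    rc=0
    # pick the patch ids (field 4) of the entries matching os/arch/version
    ids=$(awk -F: -v os="$os" -v arch="$arch" -v ver="$ver" \
        '!/^[[:space:]]*#/ && NF >= 4 && $1 == os && $2 == arch && $3 == ver { print $4 }' \
        "$matrix")
    for id in $ids; do
        found=""
        # an unpacked Solaris patch lives in a directory named <id>-<rev>
        for d in "$pdir"/"$id"-*; do
            if [ -d "$d" ]; then
                found=$d
                break
            fi
        done
        if [ -n "$found" ]; then
            echo "ok $id $(basename "$found")"
        else
            echo "missing $id"
            rc=1
        fi
    done
    return $rc
}

# --- constructed sample, mirroring the entry from the post ---------------
demo=$(mktemp -d)
cat > "$demo/patch.matrix" <<'EOF'
#
# Patch matrix for Solaris Security Toolkit (JASS)
#
10:i386:4.2.0:122608
EOF
# "-01" is a placeholder revision for the sample; the real one is 122608-xx
mkdir -p "$demo/patch_jass/122608-01"
check_patch_matrix "$demo/patch.matrix" "$demo/patch_jass" 10 i386 4.2.0
# -> ok 122608 122608-01
rm -rf "$demo"
```

Run it against /opt/SUNWjet/Products/jass/patch.matrix and the directory you unpacked the patch into before calling copy_product_patches; a "missing" line means the matrix announces a patch that JET will not be able to copy.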
Configuring the template
Okay, you only have to configure a few basic variables in the template to trigger the automatic hardening of your new installation:
base_config_products=" custom sbd sds jass"
jass_product_version="4.2.0"
jass_execute="secure.driver"
Please refer to the SST tutorial for the inner mechanisms and the concept of drivers in the Solaris Security Toolkit.
After Jumpstarting
Okay, it's time to reboot the machine we want to install once more. At first everything looks like the previous runs, but then some additional lines appear in the logfile:
JASS: Installing jass....
JASS: Installing Solaris Security Toolkit (JASS) 4.2.0...
JASS: Installing SUNWjass from: /a/var/opt/sun/jet/js_media/pkg/jass/4.2.0/i386
Installation of was successful.
JASS: SUNWjass installation complete
JASS: Register postinstall script 'postinstall' for boot z
It's important to know that the above configuration installs the SUNWjass package on the system, patches it there and then runs the toolkit that is installed on the system.
The hardening of the system is started in the background. After a while you will notice the work of the script: the backup files of the Solaris Security Toolkit are scattered all over the directories.
bash-3.00$ ls -l /etc/*.JASS*
-rw-r--r-- 1 root other 372 May 23 19:48 /etc/coreadm.conf.JASS.20080523195314
[...]
-rw-r--r-- 1 root sys 362 May 23 19:43 /etc/vfstab.JASS.20080523195420
bash-3.00$
After the completion of the background JASS run, you have an automatically installed, patched, customized, mirrored and hardened system.
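Those backup files are also the easiest way to review what the hardening actually changed on the new system. The following added example (not part of the original post and not code from the Solaris Security Toolkit) pairs each backup named <file>.JASS.<timestamp>, the naming visible in the ls output above, with the current file and counts the differing lines, so you can audit the result of the background run. The sample tree and file contents are constructed for the demonstration and are not real JASS edits.

```shell
#!/bin/sh
# Added example, not from the original post or from the Solaris Security Toolkit.
# Reviews a JASS run by comparing every backup <path>.JASS.<timestamp>
# with the current file at <path>.

# usage: jass_review <root_dir>
# prints one line per backup, paths relative to <root_dir>:
#   <file> <timestamp> <number of differing lines>
#   <file> <timestamp> removed          (current file no longer exists)
jass_review() {
    root=$1
    find "$root" -type f -name '*.JASS.[0-9]*' | LC_ALL=C sort | while read -r bak; do
        cur=${bak%.JASS.*}            # strip the .JASS.<timestamp> suffix
        stamp=${bak##*.JASS.}         # the timestamp part of the backup name
        rel=${cur#"$root"/}
        if [ -f "$cur" ]; then
            # count the lines diff marks as removed (<) or added (>)
            n=$(diff "$bak" "$cur" | awk '/^[<>]/ { c++ } END { print c + 0 }')
            printf '%s %s %s\n' "$rel" "$stamp" "$n"
        else
            printf '%s %s removed\n' "$rel" "$stamp"
        fi
    done
}

# usage: jass_changed <root_dir>
# prints only the files whose content differs from their backup (or are gone)
jass_changed() {
    jass_review "$1" | awk '$3 != "0" { print $1 }'
}

# --- constructed sample tree; contents are made up, not real JASS edits ----
demo=$(mktemp -d)
mkdir -p "$demo/etc"
printf 'setting_a=old\nsetting_b=1\n' > "$demo/etc/coreadm.conf.JASS.20080523195314"
printf 'setting_a=new\nsetting_b=1\n' > "$demo/etc/coreadm.conf"
printf 'unchanged\n' > "$demo/etc/vfstab.JASS.20080523195420"
printf 'unchanged\n' > "$demo/etc/vfstab"
jass_review "$demo"
# -> etc/coreadm.conf 20080523195314 2
# -> etc/vfstab 20080523195420 0
rm -rf "$demo"
```

On a freshly jumpstarted box, jass_review / is the full inventory of what the driver touched; running diff on any pair listed with a non-zero count shows the concrete hardening edit, which is worth keeping with the system's documentation.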