Home > Articles > Operating Systems, Server > Solaris

  • Print
  • + Share This
Like this article? We recommend

Using Options and Controlling Audit Output

This section describes the options available for executing an audit run and the options for controlling output. This section contains the following topics:

  • "Command Line Options" on page 6

  • "Banners and Messages Output" on page 10

  • "Host Name, Script Name, and Timestamp Output" on page 12

Command Line Options

Example usage to audit a system against a security profile:

# jass-execute -a driver [ -V verbosity ] [ -q | -o output_file ] [ -m e-mail_address ]

When executing the Solaris Security Toolkit software audit command, you can use the following options listed in TABLE 0-1.

TABLE 0-1 Using Command Line Options With the Audit Command

Option

Description

-h

Displays the jass-execute help message, which provides an overview of the available options.

-m

Mails output to an email address.

-o

Directs output into a file.

-q

Prevents the display of output to the console. Also known as the quiet option.

-V

Specifies the verbosity level for an audit run.


For detailed information about the options available with jass-execute -a command, refer to the following sections:

  • "Display Help Option" on page 7

  • "Email Notification Option" on page 8

  • "Output File Option" on page 8

  • "Quiet Option" on page 9

  • "Verbosity Option" on page 9

Display Help Option

The -h option displays the jass-execute help message, which provides an overview of the available options.

The -h option produces output similar to the following:

CODE EXAMPLE 0-1 Sample -h Option Output

# ./jass-execute -h

To apply this Toolkit to a system, using the syntax:
  ./jass-execute [-r root_directory -p os_version ] 
[ -q | -o output_file ] [ -m e-mail_address ] [-d] driver

To undo a previous application of the Toolkit from a system:
  ./jass-execute -u [ -n ] [ -q | -o output_file ] 
[ -m e-mail_address ]

To audit a system against a pre-defined profile:
  ./jass-execute -a driver [ -V verbosity ] 
[ -q | -o output_file ] [ -m e-mail_address ]

To display the history of Toolkit applications on a system:
  ./jass-execute -H 

To display the last application of the Toolkit on a system:
  ./jass-execute -l 

To display this help message:
  ./jass-execute -h 

Email Notification Option

The -m <email address> option provides a mechanism by which standalone hardening and undo output can be emailed automatically by the Solaris Security Toolkit software when the run completes. The email report is in addition to any logs generated on the system using other options.

A Solaris Security Toolkit run calling sunfire_15k_sc-config.driver using the email option would be similar to the following:

# ./jass-execute -m root -d sunfire_15k_sc-config.driver 
[...]

Output File Option

The -o <output_file> option redirects the console output of jass-execute runs to a separate file, output_file.

This option has no effect on the logs kept in the JASS_REPOSITORY directory. This option is particularly helpful when performed over a slow terminal connection, because there is a significant amount of output generated by a Solaris Security Toolkit run.

This option can be used with either the -d, -u, or -a options.

The -o option produces output similar to the following:

CODE EXAMPLE 0-2 Sample -o Option Output

# ./jass-execute -o jass-output.txt -d secure.driver 
[NOTE] Executing driver, secure.driver
[NOTE] Recording output to jass-output.txt

Quiet Option

The -q option disables Solaris Security Toolkit output to standard input output (stdio) stream during a hardening run.

This option has no effect on the logs kept in the JASS_REPOSITORY directory. Similar to the -o option, this option is particularly helpful when running the Solaris Security Toolkit software through a cron job or over slow network connections.

This option can be used with either the -d, -u, or -a options.

The -q option produces output similar to the following:

CODE EXAMPLE 0-3 Sample -q Option Output

# ./jass-execute -q -d secure.driver
[NOTE] Executing driver, secure.driver

Verbosity Option

The -V option specifies the verbosity level for an audit run. This option is only available for auditing. Verbosity levels provide a highly flexible way of displaying the results of an audit run. For example, if you have 100 machines to audit, you may want to limit the output to a single line for each machine to simply determine which machines pass or fail. Then, for the machines that fail, you might want to run an audit that produces expanded output, to focus on the problem areas.

The five verbosity levels (0 through 4) are controlled by the -V option. Each incremental level provides additional detail that you can use to more fully understand which checks are passing and which are failing. TABLE 0-2 describes the verbosity levels.

TABLE 0-2 Audit Verbosity Levels

Level

Output

0

Single line indicating pass or fail.

1

For each script, a single line indicating pass or fail. One grand total score line below all the script lines.

2

For each script, provides results of all checks.

3

Multiple lines providing full output, including banner and header messages.

4

Multiple lines (all data provided from level 3) plus all entries that are generated by the logDebug logging function. This level is for debugging.


NOTE

The default verbosity level for the jass-execute -V command is 3.

For complete descriptions of the verbosity levels, refer to Chapter 13, "JASS_VERBOSITY" on page 320.

Banners and Messages Output

You can configure the Solaris Security Toolkit audit option to report or omit banners and messages. The JASS_LOG_BANNER variable cannot be used with verbosity levels 0-2. These output options apply to verbosity levels 3 and 4. For example, you might want to eliminate pass messages (JASS_LOG_SUCCESS variable) from the output so you can report and focus only on fail messages (JASS_LOG_FAILURE variable).

TABLE 0-3 lists the banners and messages that you can control through logging variables. (For detailed information about logging variables, refer to Chapter 13.) If the logging variable is set to 0, then no output is generated for messages of that type. Conversely, if the logging variable is set to 1, then messages are displayed. The default action for each of these variables is to display the output. TABLE 0-3 describes the logging variables.

TABLE 0-3 Displaying Banners and Messages in Audit Output

Logging Variable

Log Prefix

Description

JASS_LOG_BANNER

All Banner Output

This parameter controls the display of banner messages. These messages are usually surrounded by separators comprised of either equal sign ("=") or dash ("-") characters.

JASS_LOG_ERROR

[ERR]

This parameter controls the display of error messages. If set to 0, no error messages will be generated.

JASS_LOG_FAILURE

[FAIL]

This parameter controls the display of failure messages. If set to 0, no failure messages will be generated.

JASS_LOG_NOTICE

[NOTE]

This parameter controls the display of notice messages. If set to 0, no notice messages will be generated.

JASS_LOG_SUCCESS

[PASS]

This parameter controls the display of success or passing status messages. If set to 0, no success messages will be generated.

JASS_LOG_WARNING

[WARN]

This parameter controls the display of warning messages. If set to 0, no warning messages will be generated.


Using these options is very useful when you only need to view specific messages. By setting these options, you can minimize output, yet still focus on areas you deem critical. For example, by setting all logging variables to 0 except for JASS_LOG_FAILURE (leave it at the default of 1), the audit reports only on failures generated by the logFailure function.

CODE EXAMPLE 0-4 Sample Output of Reporting Only Audit Failures# JASS_LOG_FAILURE=1

# export JASS_LOG_FAILURE
[setting of other parameters to 0 omitted]
# ./jass-execute -a secure.driver -V 2
update-at-deny    [FAIL] User test is not listed in 
  /etc/cron.d/at.deny.
update-at-deny    [FAIL] Audit Check Total : 1 Error(s)
update-inetd-conf   [FAIL] Service ftp is enabled in 
  /etc/inet/inetd.conf.
update-inetd-conf   [FAIL] Service telnet is enabled in 
  /etc/inet/inetd.conf.
update-inetd-conf   [FAIL] Service rstatd is enabled in 
  /etc/inet/inetd.conf.
update-inetd-conf   [FAIL] Audit Check Total : 3 Error(s)

Host Name, Script Name, and Timestamp Output

You can configure the Solaris Security Toolkit audit option to include host name, script name, and timestamp information for verbosity levels 0-2. For example, if you have many machines to audit, you may want to be able to sort the output by host name, script name, or timestamp. TABLE 0-4 lists the variables.

TABLE 0-4 Displaying Host Name, Script Name, and Timestamp Audit Output

Variable Name

Variable Description

JASS_DISPLAY_HOSTNAME

Setting this parameter to 1 causes the Solaris Security Toolkit software to prepend each log entry with the host name of the system. This information is based on the JASS_HOSTNAME parameter. By default, this parameter is empty, so the Toolkit will not display this information.

JASS_DISPLAY_SCRIPTNAME

By default, this parameter is set to 1, so the Solaris Security Toolkit software prepends each log entry with the name of the audit script currently being run. Setting this parameter to any other value causes the Toolkit to not display this information.

JASS_DISPLAY_TIMESTAMP

Setting this parameter to 1 causes the Solaris Security Toolkit software to prepend each log entry with the timestamp associated with the audit run. This information is based on the JASS_TIMESTAMP parameter. By default, this parameter is empty, so the software does not display this information.


By configuring the Solaris Security Toolkit software to prepend host, script, and timestamp information, you can combine many runs from either a single system or group of systems and sort them based on the key data. You can use the information to look for problems that span several systems or that are symptomatic of deployment processes. For example, using the information in this way, an administrator can tell if every system build using a given process always has the same failed checks.

For example, by setting the JASS_DISPLAY_TIMESTAMP parameter to 1 and setting the JASS_DISPLAY_SCRIPTNAME value at 0, output similar to the following would be generated.

CODE EXAMPLE 0-5 Sample Output of Auditing Log Entries

# JASS_DISPLAY_SCRIPTNAME=0
# JASS_DISPLAY_TIMESTAMP=1
# export JASS_DISPLAY_SCRIPTNAME JASS_DISPLAY_TIMESTAMP
# ./jass-execute -a secure.driver -V 2
20030101233525 [FAIL] User test is not listed in 
  /etc/cron.d/at.deny.
20030101233525 [FAIL] Audit Check Total : 1 Error(s)
20030101233525 [FAIL] Service ftp is enabled in 
  /etc/inet/inetd.conf.
20030101233525 [FAIL] Service telnet is enabled in 
  /etc/inet/inetd.conf.
20030101233525 [FAIL] Service rstatd is enabled in 
  /etc/inet/inetd.conf.
20030101233525 [FAIL] Audit Check Total : 3 Error(s)
  • + Share This
  • 🔖 Save To Your Account