Taking the Fast Track
This section provides a fast track approach to using the Solaris Security Toolkit software. Although we strongly recommend that you follow the standard methods presented in "Taking the Recommended Track" on page 41, we empathize with users who are terminally impatient and want to execute the Solaris Security Toolkit software immediately to see what happens. Review the following key considerations to determine if this characterization fits you:
The approach in this section assumes that you are willing to break things and are able to fix them.
Because there are potentially serious consequences that could result, it is important that you read and carefully consider the notes, cautions, and recommendations in this section.
Only notes and cautions critical to successfully installing and configuring the Solaris Security Toolkit software are included in this section. Refer to "Taking the Recommended Track" on page 41 for complete information on configuring and executing the Solaris Security Toolkit software.
Evaluate your security policy and requirements against the default drivers before executing the Solaris Security Toolkit software.
We strongly recommend that you have console access.
A reboot is required for the changes to take effect.
If you run into problems with a hardening run, use the undo feature. For detailed information, refer to Chapter 4.
The information in this section applies to using the Solaris Security Toolkit software in standalone mode only. For details on the differences between standalone mode and JumpStart mode, refer to "Determine Which Mode to Use" on page 42.
This section contains the following topics:
"Download Software" on page 64
"Install and Execute the Software" on page 66
The following instructions use filenames that do not reference the version number. Always download the latest version available from the Web site.
To Download the Solaris Security Toolkit Software
The Solaris Security Toolkit software is distributed in Solaris OE package format, in addition to the traditional compressed tar archive. The same software is included in both archives. Choose the format most appropriate for your scenario. Downloading and installing these two different archive types are addressed in the following procedures.
To Download the pkg Version
Download the software distribution file (SUNWjass-n.n.pkg.Z).
The source file is located at:
Extract the software distribution file into a directory on the server by using the uncompress command:
# uncompress SUNWjass-n.n.pkg.Z
Install the software distribution file into a directory on the server using the pkgadd command as shown:
# pkgadd -d SUNWjass-n.n.pkg SUNWjass
Executing this command creates the SUNWjass directory in /opt. This subdirectory contains all the Solaris Security Toolkit directories and associated files.
To Download the tar Version
Download the software distribution file (jass-n.n.tar.Z).
The source file is located at the following Web site:
Extract the software distribution file into a directory on the server using the zcat and tar commands as shown:
# zcat jass-n.n.tar.Z | tar xvf -
Where n.n is the most current version that you downloaded.
Executing this command creates the jass-n.n subdirectory in the current working directory. This subdirectory contains all the Solaris Security Toolkit directories and associated files.
Throughout the rest of this document, the JASS_HOME_DIR environment variable refers to the root directory of the Solaris Security Toolkit software. When the Solaris Security Toolkit software is installed from the tar archive, JASS_HOME_DIR is defined to be the path up to, and including, jass-n.n.
If you invoke the command from the /opt directory, then the JASS_HOME_DIR variable is defined as /opt/jass-n.n, where n.n is the Solaris Security Toolkit version.
To Download Additional Security Software
In "Taking the Recommended Track" on page 41, we provide instructions for downloading other security software. Of the software described, the Recommended and Security Patch Cluster, FixModes, and MD5 software are required. We strongly recommend that you use a Secure Shell product on the internal servers to protect user and administrative network traffic from disclosure, modification, and hijacking.
Refer to "Taking the Recommended Track" on page 41 for instructions if you want to download the additional security software at this time.
Install and Execute the Software
After you download the Solaris Security Toolkit software, install it on the server you are hardening in standalone mode.
The Solaris Security Toolkit software provides a default driver named secure.driver for automating the implementation of Solaris OE modifications and installation of security software. This default driver implements Solaris OE security modifications based on the recommendations in Sun BluePrint OnLine articles. Also, if you downloaded the additional security software, it performs the following tasks:
Installs the Recommended and Security Patch Cluster software
Installs and executes the FixModes software to tighten file system permissions
Installs the MD5 software
During the modifications implemented in this section, all nonencrypted access mechanisms to the system being hardened, such as Telnet and FTP, are disabled. The hardening steps do not disable console access over serial ports, or directly attached video cards, monitors, and keyboards.
In addition to the default secure.driver driver, we provide product-specific drivers. You can use the default driver, use any of the product-specific drivers, or customize and create your own drivers. For more information, refer to Chapter 10.
To Install Downloaded Software and Implement Changes
A Solaris Security Toolkit standalone run, on a pre-existing system, should only be performed after the machine has been backed up and rebooted to verify that it is in a known, working, and consistent configuration. Any errors or warnings detected during this preliminary reboot should be corrected or noted.
From the list of hardening drivers, choose the one that applies to your system and purpose.
For a complete and up-to-date listing of available drivers, download the most recent version of the Solaris Security Toolkit software from the following Web site:
Refer to Chapter 10 for information about standard and product-specific drivers. For the most current listing of drivers, refer to the Drivers directory.
Execute the secure.driver (or a product-specific driver such as sunfire_15k_sc-secure.driver) as follows.
Example 3-9. Executing a Driver
# cd /opt/SUNWjass
# ./jass-execute -d sunfire_15k_sc-secure.driver
[NOTE] Executing driver, sunfire_15k_sc-secure.driver
==========================================================
sunfire_15k_sc-secure.driver: Driver started.
==========================================================
==========================================================
JASS Version: 4.0
Node name: ufudu
Host ID: 8085816e
Host address: 10.8.31.115
MAC address: 8:0:20:85:81:6e
OS version: 5.9
Date: Tue Dec 31 16:28:24 EST 2002
==========================================================
[...]
The secure.driver disables all remote access capabilities, such as Telnet, RSH, and RLOGIN, with the exception of Secure Shell in the Solaris 9 OE. Do not reboot the system without at least one of those services being enabled, having serial or console access to the system, or having an alternate remote access mechanism available such as Secure Shell.
After running the Solaris Security Toolkit software on a system, reboot the system to implement the changes.
During hardening, a variety of modifications are made to the configuration of the client. These modifications could include disabling startup scripts for services, disabling options for services, and installing new binaries or libraries through patches. Until the client is restarted, these modifications might not be effective.
After rebooting the system, verify the correctness and completeness of the modifications. (Refer to "Validate the System Modifications" on page 61.)
If any errors are encountered, fix them and run the Solaris Security Toolkit software again.
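A check to run before the reboot and again during verification, added here as an example and not part of the Solaris Security Toolkit: it lists the clear-text services still active and reports whether any remote login path would survive the reboot. It assumes the services are defined in an inetd.conf-style file (such as /etc/inet/inetd.conf) in which a disabled entry is commented out with '#'; the function names are hypothetical and the sample file is constructed.

```shell
#!/bin/sh
# Added example: audit an inetd.conf-style file before rebooting a hardened host.
# Assumption: an active entry starts with its service name and a disabled entry is
# commented out with '#'. Names follow /etc/services (rlogin = "login",
# rsh = "shell", rexec = "exec").

CLEARTEXT_SERVICES="telnet ftp login shell exec"

# Print the service name of every active (uncommented, non-blank) entry.
enabled_inetd_services() {
    awk 'NF == 0 || $1 ~ /^#/ { next } { print $1 }' "$1" | sort -u
}

# Print the clear-text remote access services that are still active.
cleartext_still_enabled() {
    for svc in $(enabled_inetd_services "$1"); do
        case " $CLEARTEXT_SERVICES " in
            *" $svc "*) echo "$svc" ;;
        esac
    done
}

# Return 0 if a remote login path survives a reboot, 1 if only the console is left.
# $1 = inetd.conf path, $2 = "yes" if a Secure Shell daemon is installed and enabled
# (as determined by the operator; detection depends on the Secure Shell product).
remote_access_remains() {
    [ "$2" = "yes" ] && return 0
    for svc in $(enabled_inetd_services "$1"); do
        case "$svc" in telnet|login|shell) return 0 ;; esac
    done
    return 1
}

# Constructed sample: a hardened file in which one rsh entry was left active.
write_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample, not taken from a real system
#telnet  stream  tcp6  nowait  root  /usr/sbin/in.telnetd  in.telnetd
#ftp     stream  tcp6  nowait  root  /usr/sbin/in.ftpd     in.ftpd -a
#login   stream  tcp6  nowait  root  /usr/sbin/in.rlogind  in.rlogind
shell    stream  tcp   nowait  root  /usr/sbin/in.rshd     in.rshd
EOF
}

sample=$(mktemp) && write_sample_conf "$sample"
echo "clear-text services still enabled: $(cleartext_still_enabled "$sample")"
remote_access_remains "$sample" no && echo "remote login path remains" \
    || echo "console access only: confirm it before rebooting"
rm -f "$sample"
```

On a real system, pass the path of the live configuration file instead of the sample, and pass "yes" as the second argument only after confirming that the Secure Shell daemon starts at boot.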