Big Bubbles (no troubles)

What sucks, who sucks and you suck

The Solaris Security Toolkit (JASS)

(No. 1 in an uncharacteristic and occasional series of potentially useful tech notes. :-)

If you’re installing the JASS toolkit on Solaris, there are a few extras that the docs don’t clearly mention.

Solaris has had JumpStart automated installation for years (since 2.2 if I remember correctly - and it worked too, as I discovered when I built a teaching lab of twenty Classics simply by booting them :-). It’s only recently that they’ve begun to capitalise on this feature by providing tools and support that make use of it. The Security Toolkit, as well as providing an automated method of hardening your systems, also forms a ready-rolled JumpStart server setup.

However, there are some additional tools available from the tools section of Sun Blueprints that you should also install. Fetch the following:

* FixModes.tar.Z
* md5.tar.Z

Move them into the Packages/ subdirectory of your JASS/JumpStart install directory. If they’re present, the JASS scripts will automatically install them and run fix-modes to tighten the default file permissions. (Also, if you copy the original SUNWjass package into this directory then it too will be installed on the client, should you wish to run it again later. But see below for reasons why you might not want to do this.)

The standard secure.driver script is too restrictive for desktop systems; use desktop-secure.driver instead. Be warned though that this leaves telnet & FTP enabled. You can edit the driver scripts to fix this, but this becomes messy:

The SUNWjass package installs into /opt/SUNWjass. However, this is unlikely to be your chosen JumpStart directory so you’ll probably copy it elsewhere as the docs show. Then you’ll make changes, such as to the user.init file or those listed above. Now, to keep your local package version in sync, you’ll have to replicate those changes back to it. But if you’ve been installing JASS locally on your JumpStart clients, you’ll also need to replicate the changes to those. And if you install a new version of JASS, you may overwrite your changes.

Sack it. I suggest you use JASS to perform consistent, baseline secure installs and then use Cfengine to perform any post-installation tweaks and ensure that each system continues to conform to the baseline. Don’t bother installing JASS anywhere other than your JumpStart server.
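As an illustration of the kind of post-installation tweak I mean, here is an added example (mine, not part of the JASS distribution or its drivers) that audits an inetd.conf for the telnet and FTP services that desktop-secure.driver leaves enabled, and comments them out. The inetd.conf content is a constructed sample written to a temporary file; the service names, the .orig backup convention and the HUP-to-reload note are assumptions about a pre-SMF Solaris box, not anything the toolkit itself does.

```shell
#!/bin/sh
# Added example: audit and disable telnet/ftp in a Solaris-style inetd.conf.
# This is illustrative code, not from the JASS toolkit.

# make_sample FILE: write a constructed inetd.conf (sample data, not a real file)
make_sample() {
    cat > "$1" <<'EOF'
# Constructed sample inetd.conf for the example
ftp     stream  tcp     nowait  root    /usr/sbin/in.ftpd       in.ftpd -l
telnet  stream  tcp     nowait  root    /usr/sbin/in.telnetd    in.telnetd
#shell   stream  tcp     nowait  root    /usr/sbin/in.rshd       in.rshd
finger  stream  tcp     nowait  nobody  /usr/sbin/in.fingerd    in.fingerd
EOF
}

# list_enabled FILE SERVICE...: print each named service that is still active,
# i.e. appears as the first field of a line that is not commented out.
list_enabled() {
    file=$1; shift
    for svc in "$@"; do
        awk -v svc="$svc" '$0 !~ /^[ \t]*#/ && $1 == svc { print $1 }' "$file"
    done
}

# disable_services FILE SERVICE...: comment out the active lines for the named
# services. Keeps FILE.orig as a backup (assumed convention) and rewrites via a
# temporary file so a failed awk never truncates the real file.
disable_services() {
    file=$1; shift
    [ -f "$file.orig" ] || cp "$file" "$file.orig"
    for svc in "$@"; do
        awk -v svc="$svc" '
            $0 !~ /^[ \t]*#/ && $1 == svc { print "#" $0; next }
            { print }' "$file" > "$file.new" && mv "$file.new" "$file"
    done
    # On a live pre-SMF Solaris system you would then signal inetd to re-read
    # the file: kill -HUP "$(pgrep inetd)". Not run here (sample file only).
}

# Stand-alone demonstration on the constructed sample
demo=$(mktemp)
make_sample "$demo"
echo "Enabled before: $(list_enabled "$demo" telnet ftp | tr '\n' ' ')"
disable_services "$demo" telnet ftp
echo "Enabled after:  '$(list_enabled "$demo" telnet ftp | tr '\n' ' ')'"
rm -f "$demo" "$demo.orig"
```

The same two functions, pointed at the real /etc/inetd.conf, are what I would have Cfengine run (or its own editfiles equivalent) after every JumpStart build, so that the baseline from the driver and the local policy stay in separate places.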

JASS is a great package, but the administrative requirements haven’t been thought out - which is not unusual from a vendor. Ideally, user-specific changes or overrides should be maintained outside the standard install tree and included separately on execution. And it’s arguable whether the package model (with no obvious relocation mechanism) suits a package that needs to be identical in two locations on the server and on every client.