#
# Copyright (c) 2000-2002 by Sun Microsystems, Inc.
# All rights reserved.
#
#ident "@(#)CHANGES 2.36 02/03/06 SMI"
#

This is the CHANGES list for the Solaris Security Toolkit (formerly
the Jumpstart(tm) Architecture and Security Scripts ["JASS"] Toolkit):

version 0.3.5:

- added starfire_ssp-[*].drivers from BluePrint article titled
  'Securing Sun Enterprise 10000 System Service Processors'
  published March, 02
- a new JASS parameter, JASS_DISABLE_MODE, has been implemented in
  order to determine how services should be disabled. This setting
  has two modes: "conf" and "script". If the variable is set to
  "conf" then wherever possible configuration files will be moved
  aside in place of the actual run-control scripts. Note: not all
  run-control scripts rely on the existence of configuration files
  and are therefore not capable of using this functionality.
- added the following new functions to driver.funcs:
  - check_os_revision : this function checks for an OE version or
    version range match
  - check_os_min_revision : this function checks for a minimum
    version of the OE
  - disable_conf_file : this function is the same as
    disable_rc_file at this time.
- The following Finish scripts have been updated to incorporate
  functionality specific for the Solaris 9 OE:
  - disable-keyserv-uid-nobody.fin
  - disable-syslogd-listen.fin
  - enable-inetd-syslog.fin
  - install-ftpusers.fin
  - install-recommended-patches.fin
  - install-iPlanetWS.fin
  - set-banner-ftpd.fin
  - set-ftpd-umask.fin
  - update-cron-log-size.fin
- The following Finish scripts were created in this release to
  handle functionality specific for the Solaris 9 OE:
  - disable-directory.fin
  - disable-kdc.fin
  - disable-samba.fin
  - disable-xserver-listen.fin
  - enable-ftpaccess.fin
- modified add-client to support the use of alternate sysidcfg
  entries based off the JASS_HOME/Sysidcfg tree. This can be used to
  create host-based (or other special case) sysidcfg files.
  A JumpStart requirement is that these files must be named
  "sysidcfg" and stored under unique directories as in
  JASS_HOME/Sysidcfg/Host/alpha/sysidcfg.
- added "ipnodes" to the list of entities affected by the
  disable-nscd-caching.fin script for Solaris 8+.
- modified several of the existing Finish scripts to permit more
  efficient command execution (fewer fork/execs, simplified logic or
  better detection of changes appropriate for specific versions of
  the Solaris OE).
- enhanced comments in several of the Finish scripts and updated the
  copyright headers in all of the scripts for (CY2002).
- the Finish script disable-core-generation.fin was removed from the
  distribution as it did not perform the required function.
- fixed a bug in distribution packaging that prevented the inclusion
  of certain dot files under the Files/ tree. This problem was only
  relevant for the distribution created for version 0.3.4.
- fixed a bug in make-jass-pkg that prevented default inclusion of
  the OS, Patches, and Packages directories when building custom
  packages. This can still be overridden on the command line.
- fixed a bug in undo functionality that did not properly recognize
  files created by JASS (create_a_file) when using the "-n" option.
- fixed a bug in undo functionality that prevented the "force"
  functionality from being disabled on the command line using the
  "-n" option to "jass-execute".
- fixed a bug in "jass-execute" that prevented the use of alternate
  root directories. Updated the '-r' option to also require the '-v'
  (Solaris OE version) option. The '-v' option argument format is
  the same as the output of 'uname -r'. Note that at this time a
  JASS run must still be "undone" from the client.

version 0.3.4:

- added sunfire_15k_domain-[*].drivers from BluePrint article titled
  'Securing Sun Fire 15K Domains' published Jan, 02
- forced locale to "C" as the code is not fully internationalized.
- added set-root-group.fin script to set the root user's primary
  group to the value defined by JASS_ROOT_GROUP. This will help
  prevent that user sharing a common group identifier with
  non-privileged users.
- added JASS_ISA_CAPABILITY as a variable to indicate the ability of
  a system to operate in either 32 or 64-bit mode.
- modified make-jass-pkg to automatically determine JASS version
  from driver.init and to support "quiet" operation.

version 0.3.3:

- added suncluster30u2-[*].drivers from BluePrint article titled
  'SunCluster 3.0 12/01 Security: with the Apache and iPlanet Web
  and Messaging Servers'
- added desktop-[*].drivers as first cut on what hardening can be
  done to a desktop without impacting its functionality. Note that
  this functionality is specific to desktops being used on certain
  corporate networks and may not be suitable for other desktop
  deployments.

version 0.3.2:

- removed /etc/syslog.conf from the JASS_FILES definition in the
  sunfire_15k_sc-hardening.driver file
- fixed logical bugs with several files to improve correctness with
  respect to change verification. The affected files are:
  - install-at-allow.fin
  - update-at-deny.fin
  - update-cron-allow.fin
  - update-cron-deny.fin
  - install-ftpusers.fin
  - set-user-password-reqs.fin
- removed JASS_FILES entry for /etc/nsswitch.conf from
  undoable-hardening.driver and added comment about it to
  config.driver. Setting the nsswitch.conf is a system admin task
  and not a hardening task.
- cleaned up /etc/nsswitch.conf usage in hardening and config
  drivers
- added disable-vold.fin to undoable-hardening.driver
- added sunfire_15k_sc-[*].drivers from BluePrint article titled
  'Securing the Sun Fire 15K System Controller'
- added new install-md5.fin script to hardening.driver

version 0.3.1:

- added sunfire_mf_msp* scripts from BluePrint article titled
  'Securing the SunFire Midframe System Controller'
- fixed a bug in enable-process-accounting.fin that did not
  correctly determine if the necessary packages are installed on the
  system.
- renamed "make-pkg" to "make-jass-pkg" to eliminate confusion as to
  the script's purpose of creating custom JASS packages.
- added "-H" option to the jass-execute command to list details
  regarding the application history of the Toolkit. This command
  provides details for each run whereas "-l" only lists the last
  run.
- added "-l" option to the jass-execute command to list details
  regarding the last application of the Toolkit.
- added "-q" option to the jass-execute command to provide for
  "quiet" installation. All logs are still kept in
  /var/opt/SUNWjass, but no run-time output is provided during the
  Driver execution for install or undo modes.
- added new finish script to disable ipv6 interfaces created by
  default in Solaris. By disabling ipv6 the in.ndpd daemon will not
  start.
- fixed a bug preventing correct operation of
  enable-inetd-syslog.fin when the inetd command line is commented
  out.
- fixed a bug for Solaris 2.5.1 in the minimize-iPlanetWS.fin script
  that allowed the script to be run on that OE version.
- removed the file templates for: /etc/default/ftpd and
  /etc/default/telnetd and replaced them with the Finish scripts:
  set-banner-ftpd.fin and set-banner-telnetd.fin respectively. These
  scripts use the variables: JASS_BANNER_FTPD and
  JASS_BANNER_TELNETD.
- revised patch installation process in
  install-recommended-patches.fin to make the patch process more
  modular.
  There is now a generic function in driver.run called add_patch()
  that can be used by any Finish script.
- enhanced the install-recommended-patches.fin script to support the
  JASS_REC_PATCH_OPTIONS variable. This allows arguments to be
  passed to the patchadd/installpatch commands.
- implemented a patch revision check in the driver.run file. This
  check is not yet used by any of the Toolkit's functions, but it is
  provided to allow more granular checks (such as those based on a
  particular revision of a patch).
- the Driver, hardening.driver, has been split into two files to
  allow users to more easily see those Finish scripts that can be
  undone. The Driver has been altered to remove all of the undoable
  components. Those components are now stored in the
  undoable-hardening.driver Driver file. Normal functionality (prior
  to version 0.3.1) can be achieved by calling the original file,
  hardening.driver.
- the print-jass-environment.fin Finish script has been updated to
  support the new environment variables listed above.
- fixed a bug that copied directories improperly

version 0.3:

- added disable-ab2.fin script to disable the AnswerBook 2 server if
  it was installed. This software should not be installed on servers
  except under special conditions
- added ability to exclude top-level file or directories (those
  listed in JASS_HOME) from the package build process in make-pkg.
  This is done by the "-e" option. For more information, see the
  make-pkg command line help "-h".
- added options support to add_pkg() and rm_pkg() functions to
  support ask files, response files, and alternate source locations.
- fixed a bug preventing user.* files from being read when in
  standalone mode.
- added Finish/install-jass.fin to install a local copy of the JASS
  distribution in Sun package stream format onto a JumpStart client.
- renamed JASS_CONFIG_DIR to JASS_HOME_DIR
- added undo capability for JASS through the jass-execute script
  using a '-u' option.
  All finish scripts are undo-able, except those calling other
  scripts (i.e., fix-modes) or running scripts themselves (i.e.,
  bsm).
- added Drivers/hardening-jumpstart.driver to help secure JumpStart
  servers. Note that some services will be automatically re-enabled
  by add-install-client.
- added /etc/default sendmail file from Solaris Operating
  Environment Security - updated for Solaris 8 Operating Environment
  BluePrint. NOTE - this file will only install on Solaris 8
  systems.
- added /etc/security/audit_* files from the Auditing in the Solaris
  Operating Environment BluePrint. NOTE - these files will only
  install on Solaris 8 systems.
- The SCRIPTS* and FILES* variables now use the JASS_ prefix for
  consistency.
- The tmpfs size default limit has been increased from 100M to 512M.
  Also the default profiles now have at least 768M devoted to swap
  space.
- SUNWjass is now a reserved name for the JASS software (pkg format)
  installation. JASS is now available in this format as well as in
  the original "tar" format. Users can also now optionally make
  their own packages using the supplied "make-pkg" script.
- Introduced a new data repository in the directory,
  /var/opt/SUNWjass. This repository saves data on how each JASS run
  was executed, a manifest of files modified by JASS and the
  execution log.
- Fixed bug related to processing of user variables. JumpStart and
  Standalone were not performing it in the same way.
- Updated "disable-system-accounts.fin" to move /sbin/noshell to the
  Files/ tree. The file is now installed using copy_files called
  from this script.
- Updated "add-client" to no longer depend on it being installed in
  /jumpstart. Also, a list of JumpStart interface IP addresses will
  be provided if not specified. The code was also cleaned up.
- Changed 'le0' entry in sysidcfg files for Solaris 2.6, 7, and 8 to
  be 'primary' for increased hardware portability.
- Enhanced the copy_files function in driver.run to support the copy
  of OS specific files.
- Corrected bug involving host-specific FILES when in standalone
  mode. Created JASS_HOSTNAME variable and updated driver.init and
  driver.run.
- A new configuration file, finish.init, has been added to handle
  all Finish script configuration variables. These variables still
  can be overridden by the user in the user.init file.
- Most of the Finish scripts can now have their behavior customized
  to suit an organization's security policy using variables found in
  the finish.init script. At this point, nearly every aspect of JASS
  can be customized using variables (without needing to alter the
  core script code).
- Cleaned up the Finish scripts removing redundancy and adding
  support to optionally save "kill" scripts from being disabled (in
  the disable-*.fin scripts). The default is to disable them.
- Most of the scripts will now only create a backup if they intend
  to change the original. There are still a few more that should be
  changed.
- Changed /var/adm/loginlog permissions from 0640 to 0600 and its
  group from sys to root.
- Added Files/.profile and /.profile to config.driver
- Changed S00umask symbolic links to hard links in the
  set-system-umask.fin Finish script.
- Removed sendmail package listing from
  minimal-iPlanetWS-Solaris8-64bit.profile as those two packages are
  included in SUNWCreq by default.
- Removed package 'SUNWcslu' from
  minimal-iPlanetWS-Solaris8-64bit.profile as it was a typo and
  doesn't exist.
- Added Finish script, enable-process-accounting.fin. Also added
  this script to the Driver, hardening.driver.
- Added the Finish scripts: set-sadmind-options.fin,
  set-power-restrictions.fin and set-sys-suspend-restrictions.fin,
  set-ftpd-umask.fin, install-shells.fin, update-cron-log-size.fin
- Updated disable-rlogin-rhosts.fin. This file has also been renamed
  to disable-rhosts.fin to be more indicative of its actions.
- Updated disable-sendmail.fin for Solaris 8.
- Updated set-tmpfs-limit.fin. It is not supported for Solaris
  2.5.1.
- Modified Finish script, minimize-iPlanetWS.fin, to correct a few
  typos and to perform general cleanup of the script.
- Modified Finish script, install-strong-permissions.fin, to set
  /var/cron to mode 700.
- Removed duplicate entries in EvilList in the Finish script,
  update-inetd-conf.fin.
- Added better display and processing of services to be disabled in
  the Finish script, update-inetd-conf.fin

version 0.2:

- general cleanup of all code was performed in an attempt to make
  functions more efficient, understandable or more consistent with
  the rest of the code base.
- external variables renamed to have the "JASS_" prefix to prevent
  namespace collision. All variables in "driver.init" and
  "user.init" now use this convention.
- permit run-time override of the JASS_USER_DIR variable (formerly
  the USER_DIR variable)
- the use of SI_CONFIG_DIR has been related to Jumpstart mode only.
  This variable is used to set the value for the SI_CONFIG_DIR
  variable. For standalone use, the variable JASS_CONFIG_DIR should
  be used. Note that for Jumpstart installations, "/a" is assumed
  for JASS_ROOT_DIR while for standalone installations "/" is used.
- default mount points for JASS_PACKAGE_DIR and JASS_PATCH_DIR have
  been changed to /tmp/jass-packages and /tmp/jass-patches.
- more consistent use of log_* functions in driver.run. adjusted
  log() function to just log basename of file rather than full path.
- corrected potential issue with calling a driver using a relative
  pathname and a Finish script that exits in error
- added JASS_SAVE_BACKUP (default to 1). If set to "0", then the
  original versions of files will be deleted. Note that the
  disable_rc_script function now supports both modes and the
  remove_rc_script function is deprecated. Also, wherever the
  backup_file function is called, the saved file is stored on the
  JASS_SAVED_LIST list.
  When each Finish script terminates, the cleanup_files function is
  called removing all of the files on the JASS_SAVED_LIST if the
  JASS_SAVE_BACKUP is set to "0".
- fixed umask issue at the driver.init/run level
- Added file, /etc/dt/config/Xaccess (no direct/broadcast access to
  CDE)
- disable_rc_script now appends a ".JASS."
- copy_files (in driver.run) will not copy if it would just copy the
  same file. This also reduces the number of ".JASS" backups.
- fixed an error in the copy_files function dealing with links.
- added jass-execute (standalone driver script)
  This script supports three arguments: -r -d -o
- moved noask_pkgadd and noask_pkgrm to Packages/. Updated
  Drivers/driver.run accordingly
- added Driver scripts:
    audit.driver                      Contains new print-* scripts
- updated Driver scripts:
    hardening.driver                  Updated for new scripts
- added Finish scripts:
    disable-apache.fin                For Solaris-shipped Apache
    disable-dhcpd.fin                 For DHCP daemon/server
    disable-ldap-client.fin           For LDAP client service
    disable-mipagent.fin              For Mobile IP service
    disable-wbem.fin                  For Web-based Ent. Mgt.
    install-ftpusers.fin              For /etc/ftpusers
    print-suid-files.fin              Print SUID files
    print-sgid-files.fin              Print SGID files
    print-rhosts.fin                  Print rhosts or hosts.equiv
    print-unowned-objects.fin         Print unowned files, dirs, etc.
    print-world-writable-objects.fin  Print o+w files, dirs, etc.
- updated Finish scripts:
    disable-slp.fin                   Better Solaris 8 support
    enable-bsm.fin                    Does not re-run bsmconv
    install-security-mode.fin         Report settings
    install-strong-permissions.fin    Added new settings
    set-rmmount-nosuid.fin            Better Solaris 8 support
    set-system-umask.fin              Updated to use JASS_UMASK
    set-user-umask.fin                Updated to use JASS_UMASK
- added Files:
    etc/dt/config/Xaccess             Restrict XDM access
- removed Files:
    etc/ftpusers                      Replaced by install-ftpusers.fin
- updated Files:
    etc/nsswitch.conf                 Comment DNS in hosts line
- remove Finish script:
    install-openssh.fin
- incorporate minimization for iPlanet Web Server from Sun BluePrint
  OnLine article titled "Solaris Operating Environment Minimization
  for Security: A Simple Reproducable and Secure Application
  Installation Methodology - updated for Solaris 8". It is available
  from http://sun.com/blueprints/browsesubject.html#security
- added Solaris 9 support to following Finish scripts:
    disable-apache.fin
    disable-dhcpd.fin
    disable-ldap-client.fin
    disable-mipagent.fin
    disable-slp.fin
    disable-syslogd-listen.fin
    disable-wbem.fin
- added Solaris 9 support to the following Driver scripts:
    driver.run
- added Solaris 9 sysidcfg in Sysidcfg directory

version 0.13:

- fixed bug in install-recommended-patches where some patches
  require /proc to be present

version 0.12:

- fixed driver.run so that any directory changes made by scripts,
  who subsequently exit, would not leave the driver.run script in an
  unexpected location and cause other scripts to fail. This was
  discovered when running in standalone when the
  install-recommended-patches.fin script didn't find any patches and
  exited.

version 0.11:

- fixed bug in update-cron-deny and install-cron-allow that
  prevented 'root' from using cron.

version 0.1:

- includes all functionality discussed in the original onLine
  BluePrint titled "Solaris Operating Environment Security"
  available from http://sun.com/blueprints
- also includes some Solaris 8 specific functionality in:
  - disable-syslogd-listen.fin
  - set-system-umask.fin
  - set-tmpfs-limit.fin

-----

Please send comments and suggestions to jass-feedback@sun.com