Recently I switched to a new client where the Solaris Security Toolkit (JASS) is extensively used. I am now in the process of updating some things, among them are JET and JASS. As part of this work I reevaluate the local JASS modifications. Previously a custom JASS package was used, but in case JASS is updated by Oracle at some point in time (and an update is really needed, see below), this would need some amount of work to find out the differences and to forward port them to the new version. If everything is well documented, this should not be hard to do, but the person doing the work also needs to find the up-to-date docs.
To make it more easy I decided to change this. I now install the official JASS package via JET together with the latest patch for it, and then let JET copy our modifications over the installed package. Instead of modifying existing drivers, I created our own drivers with a reference to the driver which served as a base.
While doing this I encountered several shortcomings of JASS on Solaris 10.
There are several FS based checks which do not make sense to do for the FS of zones in a global zone (at least not the way I use JASS, so maybe a configurable way of changing the behavior should serve for everyone). If zones are installed in /zones, you do not need to check for files without valid UIDs (you surely find a lot of files, as the users are defined inside the zones and not in the global zone) or similar things (even not for world writable files, as the zones are installed in a root-access-only subtree and inside the zones there may be other security constraints configured inside JASS, read: it is the responsibility of JASS inside the zone to do this). An easy solution would be to exclude those FS which contain zones (and as we only have one subtree, I just hardcoded this in several scripts).
I also miss the possibility (maybe I overlooked a simple way) for the ssh check to limit the AllowRootLogin to specific hosts. JASS only checks yes or no, but can not limit it to specific hosts (e.g. via “Match IP/hostname”). Often you do not need to permit root-logins (RBAC/sudo/…), but sometimes it is the only way to handle a particular edge-case (or to speed up an action dramatically), and in such cases you do not want to allow root-logins more than necessary.
Tags: easy solution, forward port, oracle, point in time, security constraints, shortcomings, solaris 10, solaris security, uids, world writable —