- Alexander Leidinger - http://www.leidinger.net/blog -

Rants about JASS (Sol­aris Se­cur­ity Toolkit)

Recently I switched to a new client where the Solaris [1] Security [2] Toolkit (JASS) is used extensively. I am now in the process of updating some things, among them JET and JASS. As part of this work I am re-evaluating the local JASS modifications. Previously a custom JASS package was used, but if JASS is updated by Oracle [3] at some point (and an update is really needed, see below), it would take some amount of work to find out the differences and forward-port them to the new version. If everything is well documented this should not be hard, but the person doing the work also needs to find the up-to-date docs.

To make this easier I decided to change the approach. I now install the official JASS package via JET together with the latest patch for it, and then let JET copy our modifications over the installed package. Instead of modifying existing drivers, I created our own drivers, each with a reference to the driver that served as its base.

While doing this I encountered several shortcomings of JASS on Solaris [4] 10.

There are several filesystem-based checks which make no sense to run from the global zone against the filesystems of non-global zones (at least not the way I use JASS, so a configurable way of changing the behavior would probably serve everyone). If zones are installed in /zones, you do not need to check there for files without valid UIDs (you will surely find a lot of them, as the users are defined inside the zones and not in the global zone) or for similar things (not even for world-writable files, as the zones are installed in a root-access-only subtree, and inside the zones other security constraints may be configured in JASS; read: it is the responsibility of the JASS run inside the zone to do this). An easy solution would be to exclude those filesystems which contain zones (and as we only have one subtree, I just hardcoded this in several scripts [5]).
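The following is an added illustration of the exclusion described above; it is not JASS code and not the author's scripts. It wraps find(1) so that any check (world-writable files, files without a valid owner) is applied to the global zone's own files while the zone subtrees are pruned. It assumes a find(1) that understands -path and -prune (GNU, BSD and Solaris 11 find do) and zone paths without whitespace; the demonstration tree built by demo() is constructed for the example.

```sh
#!/bin/sh
# Added example (not JASS code): run find(1)-based checks in the global
# zone while pruning the subtrees that hold non-global zones.
#
# Assumptions: find(1) supports -path and -prune, and zone paths contain
# no whitespace. Paths must be given exactly as find(1) would print them
# (no trailing slash), e.g. ROOT=/ and zone path /zones.

# find_outside_zones ROOT "ZONEPATH ..." PREDICATE...
#   ROOT       directory to walk
#   $2         space-separated zone root directories to skip (may be empty)
#   PREDICATE  the find(1) expression to apply outside the zones
find_outside_zones() {
    root=$1
    zones=$2
    shift 2
    prune=""
    for z in $zones; do
        prune="$prune -path $z -prune -o"
    done
    # $prune is word-split on purpose; it expands to e.g.
    #   -path /zones -prune -o
    # so the remaining predicate only sees files outside the zones.
    # shellcheck disable=SC2086
    find "$root" $prune "$@" -print
}

# World-writable regular files outside any zone: the classic hardening
# check, restricted to files the global zone is responsible for.
world_writable_outside_zones() {
    find_outside_zones "$1" "$2" -type f -perm -0002
}

# Files whose owner UID has no passwd entry in the global zone.
# Inside /zones nearly every file would trip this, because the owners
# are defined in the zone's own passwd file, not the global one.
unowned_outside_zones() {
    find_outside_zones "$1" "$2" -nouser
}

# On a real Solaris 10 global zone the zone list can be derived from
# zoneadm(1M); the fourth colon-separated field of "zoneadm list -cp"
# is the zonepath (shown here as a comment, not executed):
#   zones=$(zoneadm list -cp | awk -F: '$2 != "global" { print $4 }')
#   world_writable_outside_zones / "$zones"

# Constructed demonstration tree: one world-writable file in the global
# zone (reported) and one inside a zone (skipped).
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/etc" "$d/zones/z1/root/tmp"
    touch "$d/etc/motd" "$d/etc/passwd" "$d/zones/z1/root/tmp/scratch"
    chmod 0666 "$d/etc/motd" "$d/zones/z1/root/tmp/scratch"
    chmod 0644 "$d/etc/passwd"
    world_writable_outside_zones "$d" "$d/zones"
    rm -rf "$d"
}

demo
```

With a separate filesystem per zone subtree, the same effect can be had by walking each non-zone mount point with -xdev (or -mount) instead of maintaining an exclusion list; the function above is the list-based variant that matches the hardcoded /zones exclusion in the text.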

I also miss the possibility (maybe I overlooked a simple way) for the ssh check to limit PermitRootLogin to specific hosts. JASS only checks for yes or no, but cannot handle a configuration that limits root logins to specific hosts (e.g. via a "Match [6] Address/Host" block in sshd_config). Often you do not need to permit root logins at all (RBAC/sudo/...), but sometimes it is the only way to handle a particular edge case (or to speed up an action dramatically), and in such cases you do not want to allow root logins more widely than necessary.
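As an added example (not JASS code and not a check the toolkit ships), the script below reads an sshd_config and reports the PermitRootLogin value per scope, distinguishing the global section from Match blocks, and then judges the configuration the way the text argues it should be judged: root login refused globally, re-enabled only in a narrowly scoped Match block. The sshd_config fragment and the jump-host address 10.0.0.5 are constructed for the example, and the check assumes an sshd that honours Match blocks (OpenSSH 4.4 or later).

```sh
#!/bin/sh
# Added example, not part of JASS: inspect PermitRootLogin while taking
# Match blocks into account instead of only looking for a global yes/no.
#
# Assumptions: sshd honours Match blocks (OpenSSH 4.4 or later); the
# address 10.0.0.5 is a made-up jump host.

# Constructed sshd_config fragment: root login refused everywhere except
# from the jump host, where it is additionally limited to key-based auth.
SAMPLE_SSHD_CONFIG='# constructed sample, not a real host configuration
Protocol 2
PermitRootLogin no
PasswordAuthentication no

Match Address 10.0.0.5
    PermitRootLogin without-password
'

# Print one line per PermitRootLogin directive, prefixed with the scope
# it applies to: "global" or the criteria of the enclosing Match block.
# Reads sshd_config from stdin.
permit_root_login_scopes() {
    awk '
        BEGIN { scope = "global" }
        /^[ \t]*(#|$)/ { next }                 # comments and blank lines
        tolower($1) == "match" {                # everything after "Match" is the criteria
            scope = $0
            sub(/^[ \t]*[Mm][Aa][Tt][Cc][Hh][ \t]+/, "", scope)
            sub(/[ \t]+$/, "", scope)
            next
        }
        tolower($1) == "permitrootlogin" { print scope ": " tolower($2) }
    '
}

# Exit 0 when the global section disables root login (Match blocks may
# re-enable it for specific clients, which is the intended narrow
# exception), 1 when the global section permits it, 2 when no global
# directive exists at all (sshd's compiled-in default then applies and
# has to be checked separately). sshd uses the first value it finds for
# a keyword, so only the first global directive counts.
check_permit_root_login() {
    permit_root_login_scopes | awk '
        $1 == "global:" && !have_global {
            have_global = 1
            if ($2 != "no") bad = 1
        }
        END {
            if (!have_global) exit 2
            exit bad ? 1 : 0
        }
    '
}

# Usage on a live system: check_permit_root_login < /etc/ssh/sshd_config
printf '%s' "$SAMPLE_SSHD_CONFIG" | permit_root_login_scopes
```

A "Match Host jumphost.example" block works the same way but relies on a reverse lookup of the client address, so "Match Address" with a fixed IP or CIDR range is the more robust choice for a root-login exception.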


2 Comments To "Rants about JASS (Sol­aris Se­cur­ity Toolkit)"

#1 Comment By Jason Callaway On August 11, 2011 @ 14:50

You bring up some good points. If you have made any customizations to the JASS code base, feel free to send them over, and I'll see if we can integrate them into the next version. FYI, SUNWjass 4.2.2 is available here ( [111]). If you get a chance to test it, please let me know how it goes.

#2 Comment By netchild On August 11, 2011 @ 16:34

I will send you something I can share later (maybe tomorrow). For things I can not share, I will give a description.