- Alexander Leidinger - http://www.leidinger.net/blog -
Rants about JASS (Solaris Security Toolkit)
Posted By netchild On August 10, 2011 @ 21:00 In @Work,Commercial,Software,Solaris | 2 Comments
Recently I switched to a new client where the Solaris  Security  Toolkit (JASS) is extensively used. I am now in the process of updating some things, among them are JET and JASS. As part of this work I reevaluate the local JASS modifications. Previously a custom JASS package was used, but in case JASS is updated by Oracle at some point in time  (and an update is really needed, see below), this would need some amount of work to find out the differences and to forward port  them to the new version. If everything is well documented, this should not be hard to do, but the person doing the work also needs to find the up-to-date docs .
To make it more easy I decided to change this. I now install the official JASS package via JET together with the latest patch for it, and then let JET copy our modifications over the installed package. Instead of modifying existing drivers, I created our own drivers with a reference to the driver which served as a base.
While doing this I encountered several shortcomings of JASS on Solaris  10.
There are several FS based checks which do not make sense to do for the FS of zones in a global zone (at least not the way I use JASS, so maybe a configurable way of changing the behavior should serve for everyone). If zones are installed in /zones, you do not need to check for files without valid UIDs (you surely find a lot of files, as the users are defined inside the zones and not in the global zone) or similar things (even not for world writable  files, as the zones are installed in a root-access-only subtree and inside the zones there may be other security constraints  configured inside JASS, read: it is the responsibility of JASS inside the zone to do this). An easy solution  would be to exclude those FS which contain zones (and as we only have one subtree, I just hardcoded this in several scripts).
I also miss the possibility (maybe I overlooked a simple way) for the ssh check to limit the AllowRootLogin to specific hosts. JASS only checks yes or no, but can not limit it to specific hosts (e.g. via “Match IP/hostname”). Often you do not need to permit root-logins (RBAC/sudo/…), but sometimes it is the only way to handle a particular edge-case (or to speed up an action dramatically), and in such cases you do not want to allow root-logins more than necessary.
Article printed from Alexander Leidinger: http://www.leidinger.net/blog
URL to article: http://www.leidinger.net/blog/2011/08/10/rants-about-jass-solaris-security-toolkit/
URLs in this post:
 Solaris: http://www.oracle.com/us/products/servers-storage/solaris/index.html
 Security: http://www.leidinger.net/blog/category/security/
 point in time: http://www.leidinger.net/blog/tag/point-in-time/
 forward port: http://www.leidinger.net/blog/tag/forward-port/
 docs: http://www.leidinger.net/blog/category/freebsd/docs/
 Solaris: http://www.leidinger.net/blog/category/solaris/
 world writable: http://www.leidinger.net/blog/tag/world-writable/
 security constraints: http://www.leidinger.net/blog/tag/security-constraints/
 easy solution: http://www.leidinger.net/blog/tag/easy-solution/
 Projects: http://www.leidinger.net/blog/projects/
 Tuning guide in the wiki: http://www.leidinger.net/blog/2011/12/22/tuning-guide-in-the-wiki/
 FreeNAS & Sensors for FreeBSD: http://www.leidinger.net/blog/2009/12/06/freenas-sensors-for-freebsd/
 Forcing a route in Solaris?: http://www.leidinger.net/blog/2011/09/30/forcing-a-route-in-solaris/
 Rant about BerkeleyDB docs: http://www.leidinger.net/blog/2010/10/11/rant-about-berkeleydb-docs/
 Image: http://www.addtoany.com/share_save
 : http://hub.opensolaris.org/bin/download/Project+sst/files/SUNWjass-4.2.2.pkg.gz
Copyright © 2009 Alexander Leidinger. All rights reserved.