- Alexander Leidinger - http://www.leidinger.net/blog -

Rants about JASS (Solaris Secu­rity Toolkit)

Posted By netchild On August 10, 2011 @ 21:00 In @Work,Commercial,Software,Solaris | 2 Comments

Recently I switched to a new client where the Solaris [1] Secu­rity [2] Toolkit (JASS) is exten­sively used. I am now in the process of updat­ing some things, among them are JET and JASS. As part of this work I reeval­u­ate the local JASS mod­i­fi­ca­tions. Pre­vi­ously a cus­tom JASS pack­age was used, but in case JASS is updated by Ora­cle at some point in time [3] (and an update is really needed, see below), this would need some amount of work to find out the dif­fer­ences and to for­ward port [4] them to the new ver­sion. If every­thing is well doc­u­mented, this should not be hard to do, but the per­son doing the work also needs to find the up-to-date docs [5].

To make it more easy I decided to change this. I now install the offi­cial JASS pack­age via JET together with the lat­est patch for it, and then let JET copy our mod­i­fi­ca­tions over the installed pack­age. Instead of mod­i­fy­ing exist­ing dri­vers, I cre­ated our own dri­vers with a ref­er­ence to the dri­ver which served as a base.

While doing this I encoun­tered sev­eral short­com­ings of JASS on Solaris [6] 10.

There are sev­eral FS based checks which do not make sense to do for the FS of zones in a global zone (at least not the way I use JASS, so maybe a con­fig­urable way of chang­ing the behav­ior should serve for every­one). If zones are installed in /zones, you do not need to check for files with­out valid UIDs (you surely find a lot of files, as the users are defined inside the zones and not in the global zone) or sim­i­lar things (even not for world writable [7] files, as the zones are installed in a root-access-only sub­tree and inside the zones there may be other secu­rity con­straints [8] con­fig­ured inside JASS, read: it is the respon­si­bil­ity of JASS inside the zone to do this). An easy solu­tion [9] would be to exclude those FS which con­tain zones (and as we only have one sub­tree, I just hard­coded this in sev­eral scripts).

I also miss the pos­si­bil­ity (maybe I over­looked a sim­ple way) for the ssh check to limit the Allow­Root­Lo­gin to spe­cific hosts. JASS only checks yes or no, but can not limit it to spe­cific hosts (e.g. via “Match IP/hostname”). Often you do not need to per­mit root-logins (RBAC/sudo/…), but some­times it is the only way to han­dle a par­tic­u­lar edge-case (or to speed up an action dra­mat­i­cally), and in such cases you do not want to allow root-logins more than necessary.

GD Star Rat­ing
load­ing…
GD Star Rat­ing
load­ing…
Share [15]

2 Comments (Open | Close)

2 Comments To "Rants about JASS (Solaris Secu­rity Toolkit)"

#1 Comment By Jason Call­away On August 11, 2011 @ 14:50

Alexan­der,

You bring up some good points. If you have made any cus­tomiza­tions to the JASS code base, feel free to send them over, and I’ll see if we can inte­grate them into the next ver­sion. FYI, SUN­W­jass 4.2.2 is avail­able here ( [16]). If you get a chance to test it, please let me know how it goes.

Thanks,
~Jason

GD Star Rating
loading...
GD Star Rating
loading...

#2 Comment By netchild On August 11, 2011 @ 16:34

I will send you some­thing I can share later (maybe tomor­row). For things I can not share, I will give a description.

GD Star Rating
loading...
GD Star Rating
loading...

Article printed from Alexander Leidinger: http://www.leidinger.net/blog

URL to article: http://www.leidinger.net/blog/2011/08/10/rants-about-jass-solaris-security-toolkit/

URLs in this post:

[1] Solaris: http://www.oracle.com/us/products/servers-storage/solaris/index.html

[2] Secu­rity: http://www.leidinger.net/blog/category/security/

[3] point in time: http://www.leidinger.net/blog/tag/point-in-time/

[4] for­ward port: http://www.leidinger.net/blog/tag/forward-port/

[5] docs: http://www.leidinger.net/blog/category/freebsd/docs/

[6] Solaris: http://www.leidinger.net/blog/category/solaris/

[7] world writable: http://www.leidinger.net/blog/tag/world-writable/

[8] secu­rity con­straints: http://www.leidinger.net/blog/tag/security-constraints/

[9] easy solu­tion: http://www.leidinger.net/blog/tag/easy-solution/

[10] Projects: http://www.leidinger.net/blog/projects/

[11] Tun­ing guide in the wiki: http://www.leidinger.net/blog/2011/12/22/tuning-guide-in-the-wiki/

[12] FreeNAS & Sen­sors for FreeBSD: http://www.leidinger.net/blog/2009/12/06/freenas-sensors-for-freebsd/

[13] Forc­ing a route in Solaris?: http://www.leidinger.net/blog/2011/09/30/forcing-a-route-in-solaris/

[14] Rant about Berke­leyDB docs: http://www.leidinger.net/blog/2010/10/11/rant-about-berkeleydb-docs/

[15] Image: http://www.addtoany.com/share_save

[16] : http://hub.opensolaris.org/bin/download/Project+sst/files/SUNWjass-4.2.2.pkg.gz

Copyright © 2009 Alexander Leidinger. All rights reserved.