Rants about JASS (Solaris Security Toolkit)

Recently I switched to a new client where the Solaris Security Toolkit (JASS) is used extensively. I am now in the process of updating some things, among them JET and JASS. As part of this work I am reevaluating the local JASS modifications. Previously a custom JASS package was used, but in case JASS is updated by Oracle at some point in time (and an update is really needed, see below), this would need some amount of work to find out the differences and to forward-port them to the new version. If everything is well documented, this should not be hard to do, but the person doing the work also needs to find the up-to-date docs.

To make this easier I decided to change it. I now install the official JASS package via JET together with the latest patch for it, and then let JET copy our modifications over the installed package. Instead of modifying existing drivers, I created our own drivers with a reference to the driver which served as a base.

While doing this I encountered several shortcomings of JASS on Solaris 10.

There are several FS-based checks which do not make sense for the FS of zones when run in a global zone (at least not the way I use JASS, so maybe a configurable way of changing the behavior would serve everyone). If zones are installed in /zones, you do not need to check for files without valid UIDs (you will surely find a lot of files, as the users are defined inside the zones and not in the global zone) or similar things (not even for world-writable files, as the zones are installed in a root-access-only subtree and inside the zones there may be other security constraints configured inside JASS, read: it is the responsibility of JASS inside the zone to do this). An easy solution would be to exclude those FS which contain zones (and as we only have one subtree, I just hardcoded this in several scripts).

I also miss the possibility (maybe I overlooked a simple way) for the ssh check to limit the AllowRootLogin to specific hosts. JASS only checks yes or no, but cannot limit it to specific hosts (e.g. via “Match IP/hostname”). Often you do not need to permit root logins (RBAC/sudo/…), but sometimes it is the only way to handle a particular edge case (or to speed up an action dramatically), and in such cases you do not want to allow root logins more than necessary.
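
One way such a host-aware ssh check could look, as an added example that is not JASS code: it accepts a root login setting (the `PermitRootLogin` directive in an OpenSSH-style `sshd_config`) other than `no` only inside a `Match` block confined to allow-listed `Address`/`Host` patterns. The function name `check_root_login`, the sample config and the addresses are constructed for illustration, and an sshd that supports `Match` blocks is assumed.

```shell
#!/bin/sh
# Added example, not JASS code. Audit PermitRootLogin in an sshd_config:
# pass only if the global value is "no" and every other value sits in a
# Match block restricted to allow-listed Address/Host patterns.
# usage: check_root_login CONFIG "pattern1,pattern2,..."
check_root_login() {
    awk -v allowed="$2" '
    BEGIN { n = split(allowed, a, ","); for (i = 1; i <= n; i++) ok[a[i]] = 1
            inmatch = 0; global = "unset"; bad = 0 }
    /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
    { key = tolower($1) }
    key == "match" {
        inmatch = 1; limited = 0; block = $0
        # Criteria are ANDed, so one Address/Host criterion whose patterns
        # are all allow-listed is enough to confine the block.
        for (i = 2; i < NF; i += 2) {
            c = tolower($i)
            if (c != "address" && c != "host") continue
            m = split($(i + 1), p, ","); good = 1
            for (j = 1; j <= m; j++) if (!(p[j] in ok)) good = 0
            if (good) limited = 1
        }
        next
    }
    key == "permitrootlogin" {
        val = tolower($2)
        if (!inmatch) { if (global == "unset") global = val; next }  # first value wins
        if (val != "no" && !limited) {
            print "FAIL: \"" block "\" sets PermitRootLogin " val; bad = 1
        }
    }
    END { if (global != "no") { print "FAIL: global PermitRootLogin is " global; bad = 1 }
          exit bad }
    ' "$1"
}

# Constructed sample config: one confined exception, one unconfined one.
sample=$(mktemp)
cat > "$sample" <<'EOF'
PermitRootLogin no
Match Address 192.0.2.10
    PermitRootLogin yes
Match User backup
    PermitRootLogin forced-commands-only
EOF
check_root_login "$sample" "192.0.2.10" || echo "audit failed"
rm -f "$sample"
```

Wildcard, negated or CIDR patterns pass only if they appear literally in the allow-list, so a block such as `Match Address *` is reported rather than silently accepted.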