Comparison of Solaris Hardening Scripts

Yassp, SECUR, Titan, Bastille, Jass...

By Seán Boran

Note: This material is a bit old; for the latest on Yassp, see
"Hardening Solaris with Yassp"
Solaris_hardening3.html

The idea of this rough draft was a comparison of the hardening tools available, so we could see what Yassp needs to do. Your feedback is most welcome; email me at sean at boran.com. All updates are documented in the section Changes.

Contents:

  1. Summary and recommendations
  2. General Improvements (all Tools)
  3. JASS (sun)
  4. YASSP: Goodies, Disadvantages, Suggested Improvements
  5. SECUR: Goodies, Disadvantages, Suggested Improvements, Questions
  6. Titan: Goodies, Disadvantages, Suggested Improvements
  7. Bastille (for Linux)
  8. Sean's Guidelines
  9. Chris's harden script
  10. References
  11. Changes to this document

Summary and Recommendations

Many people have obviously put in a huge amount of work to produce the various packages. All make hardening Solaris much easier than before and all improve security.

The short term goal is to produce scripts that have our consensus and can be published at SANS.
The long term goal is a tool that is cross-platform, modular, extensible and includes the best of all current hardening scripts & knowledge.

My personal opinion:

Are the TITAN authors listening? Perhaps they could voice their opinions?
What do you think? Some feedback from the Bastille people would be nice.


 

General Improvements (all Tools)

The target audience seems to be divided into:

  1. those who want to harden bastion hosts (like myself), and
  2. those who have large numbers of workstations and servers where security needs to be improved without reducing functionality or incurring additional support problems.

The focus for Yassp is on SPARC rather than x86 Solaris.


Jass

Sun has released JASS v0.11, a hardening tool for Solaris. Here, we take it for a test drive.
http://www.sun.com/blueprints/tools

JASS stands for JumpStart Architecture and Security Scripts (Toolkit). The primary goal behind the development of this Toolkit was to simplify and automate the process of securing Solaris systems through JumpStart or in a standalone mode. It implements the recommendations of Sun's BluePrints OnLine security articles:
http://www.sun.com/blueprints/browsesubject.html#security

First off, checking out the license, we find it's pretty restrictive:

Distribution: Only Sun or an authorized Sun VAR may distribute the Toolkit......
License grant: Sun hereby grants a non-exclusive, non-transferable and royalty free license to use, reproduce, and modify the Toolkit for the following internal purposes only (no license is granted for any other purpose):
1. Your internal research use;
2. Your internal evaluation of the Toolkit;
3. Your internal use only, for the purposes of running your business or otherwise.

So it's not very 'free'.

Installation

Jass comes in a small 50k tar file that extracts to the current directory (note that it does NOT create a subdirectory and put all files there). This test involved a simple installation on a brand new Solaris 8 installation.
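
An added example (not part of the original article or of JASS): a shell check for the packaging issue noted above, a tarball with no top-level directory. It lists the members before extraction and unpacks into a fresh subdirectory when they would otherwise land in the current directory; the function names and sample paths are hypothetical.

```shell
#!/bin/sh
# Added example: check a tarball's layout before unpacking it.
# Function names and sample paths are hypothetical, not from JASS.

# Read member names on stdin and print one of:
#   unsafe      a member is absolute or has a ".." path component
#   empty       no members were listed (for example, tar failed)
#   single-dir  everything sits under one top-level directory
#   flat        members would land directly in the current directory
classify_members() {
    awk '
        /^\// || /(^|\/)\.\.(\/|$)/ { unsafe = 1 }
        {
            sub(/^\.\//, "")                 # ignore a leading "./"
            if ($0 == "") next
            n = split($0, parts, "/")
            if (n == 1) topfile = 1          # plain file at the top level
            tops[parts[1]] = 1
        }
        END {
            count = 0
            for (t in tops) count++
            if (unsafe)                       print "unsafe"
            else if (count == 0)              print "empty"
            else if (count == 1 && !topfile)  print "single-dir"
            else                              print "flat"
        }'
}

tar_layout() {
    tar -tf "$1" | classify_members
}

# Unpack $1; a flat archive goes into the new directory $2 instead of ".".
extract_contained() {
    archive=$1 dest=$2
    case $(tar_layout "$archive") in
        single-dir) tar -xf "$archive" ;;
        flat)       mkdir -p "$dest" && ( cd "$dest" && tar -xf - ) < "$archive" ;;
        *)          echo "refusing to unpack $archive" >&2; return 1 ;;
    esac
}
```

Run `tar_layout` on any downloaded toolkit first; an `unsafe` or `empty` result means the archive should be inspected by hand rather than extracted.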

 

Jass Goodies
Jass disadvantages
Jass - suggested improvements

YASSP

Jean Chouanard's Yet Another Solaris Security Package [0] is a set of scripts used internally by Xerox that are being offered to the world for free. Jean is trying to make the scripts more general, to make them more useful outside of Xerox. The first version appeared in summer 1999 and adheres to the SANS Solaris Guide [5], but goes much further. We now have an improved yassp beta 3 that allows more individual tuning.

YASSP Goodies
Yassp disadvantages
Yassp - suggested improvements
Pkg db cleaning

What is the big advantage in having the PKG DB clean? Jean says:


SECUR

Alberto has also produced a fine set of hardening scripts [8] based on the SANS guidelines [5]. They are new to me; I've only just spent a few hours going through them.

Be careful how you run it as it does not stop on errors. Study the readme carefully. The following results are from a Solaris 2.7/SPARC box with an "end user" install bundle.

secur Goodies
secur disadvantages
secur - suggested improvements

I like interaction/automation and structure, but there is room for improvement.

secur questions (for Alberto)

 

Titan

Titan v3.2.2 [2] has some interesting concepts that appeal immediately.... it was tested on a SPARC4 with a virgin "End User Bundle" running Solaris 2.7.

 

Titan Goodies
Titan disadvantages
Titan - suggested improvements

Bastille Linux

I had a quick install of RedHat 6.1 on SPARC and used the Bastille script [7] to harden it. It was interesting, because it's exactly what we want to do on Solaris.

It has the advantage of being a tar ball + interactive script + logging of actions, errors and options taken, but it is a bit difficult to automate, and I don't think it can be undone. It's written in Perl, which is nice.

It has some interesting features like chrooting DNS, setting up user accounts, logging, email, etc.


 

Sean's Guidelines

I published a set of Guidelines as part of an article for SecurityPortal [1]. Although I don't provide automated install scripts, it is a step-by-step approach and provides quite a few scripts and example config files. The approach is also a bit more global than just OS hardening.

I will update these Guidelines to include Yassp and feel they are complementary to both Jean's and Alberto's work.


 

Chris's harden script

Chris Calabrese also wrote a hardening script [10], originally for UnixWare. He says:

It is nicely flexible, allowing you to do several stock configs plus customizations at package install time. On the other hand, it's fairly out of date, covers mostly stuff covered by other scripts, is not very modular, and Solaris support isn't its strong suit (the original package was for UnixWare).

Hopefully this process will produce something much better and make it a non issue, but until then it's probably worth looking at.

I'll do my best to look at it after Titan (or maybe someone on the list can do it and send a summary to include here??)


 

References

[0] Jean Chouanard's YASSP www.yassp.org

[1] Sean's Hardening Solaris Guidelines
  - Original 'manual' version
  - New version integrating YASSP

[2] The Titan Project

[3] TCP tuning under Solaris by Jens-S. Vöckler

[4] Casper's fixmode

[5] "Solaris Security Step by Step", by Hal Pomeranz and 27 other professionals, is available in paper or PDF form from SANS. You have to pay for it... but it's a good investment.

[6] The email discussion list has the address secure-sol@parc.xerox.com. To register, send e-mail to secure-sol-request@parc.xerox.com with a 'subscribe' in the Subject line or in the message body.

[7] www.bastille-linux.org

[8] Alberto Begliomini's SECUR ftp.coldstone.com/secur

[9] "All about SSH, part I/II" on SecurityPortal or here.

[10] Chris Calabrese's Harden script. ftp.freebird.org/unixware/freebird/internet/systools/harden


 

Changes to this document

28.Feb.'00 First Publication
28.Feb.'00 Evening: Added Chris's harden script.

01.Mar.00: Add Titan and feedback from Alberto on SECUR section, create new General Improvements section. Update Summary.
03.Mar.00: Added feedback from Jean + minor fix.
20.Mar'00: Updated after testing yassp beta 1.
13.Apr'00: Updated after testing yassp beta 3 on Solaris7/8 SPARC. Remove resources section.


Seán Boran Last Update: 24 November, 2000

© Copyright 2000, SecurityPortal Inc. & Seán Boran,
Freely usable by the secure-sol@parc.xerox.com developers list.