Securing Solaris 10 with JASS, and installing with JET?
Hello,
Has anyone tried running the latest JASS on Solaris 10? What are your experiences?
How will it handle the new Predictive Self Healing features? (i.e. scripts/init.d etc.)
Should we all just wait for JASS to catch up, or is it ready to run on the upcoming final release of Solaris 10?
A way to fool JASS would be running 'sloggi', but I'm afraid to break something.
This is an interesting way of minimizing services (not JASS related):
# svccfg apply /var/svc/profile/generic_limited_net.xml
I'm also planning to integrate JET (Jumpstart Enterprise Toolkit) with JASS, Solaris 10. Has anyone done that?
Thanks
/Magnus
[692 byte] By [snejk] at [2007-11-26 0:44:22]

# 1
I've tested JET 3.4.0 with Solaris 10 b72. It works fine. The only oddity I noticed is that you have to force any files copied over in the custom module to take place after the first reboot. As for locking things down, I've added to my finish script the commands to enable/disable services and features. So things like telnet, ftp, etc. I disable with the inetadm command. For things managed by SMF, I use the svcadm command to shut things down.
A couple of things have changed. For example, to enable TCP Wrappers and TCP tracing for inetd, you do the following:
inetadm -M tcp_trace=true
inetadm -M tcp_wrappers=true
Something a little more complicated would be enabling TCP wrappers for rpcbind:
svccfg
svc:> select /network/rpc/bind
svc:/network/rpc/bind> setprop config/enable_tcpwrappers = boolean: "true"
svc:/network/rpc/bind> setprop config/verbose_logging = boolean: "true"
You can pass the commands to svccfg from the command line :)
I have not tested out JASS for a while. I'll have to look at that, but I'd assume that it can't handle this stuff yet.
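Added example, not part of the original posts: the lockdown steps from reply #1 as one non-interactive script, with the svccfg session passed on the command line via `svccfg -s`. Assumptions: it runs on a booted Solaris 10 system with SMF running, the FMRIs network/telnet and network/ftp stand in for the "telnet, ftp" mentioned above, SMF_DISABLE and DRY_RUN are names made up for this example, and the closing `svcadm refresh` is added so the running rpcbind instance picks up the new properties.

```shell
#!/bin/sh
# Added example: reply #1's SMF lockdown steps as one non-interactive script.
# Assumptions (not from the thread): the FMRIs in INETD_DISABLE, the
# SMF_DISABLE and DRY_RUN variable names, and the closing "svcadm refresh".

INETD_DISABLE="network/telnet network/ftp"  # inetd services to switch off
SMF_DISABLE="${SMF_DISABLE:-}"              # other SMF services, site-specific

# Print commands instead of running them when SMF tools are absent,
# so the plan can be reviewed on any host before it goes into a finish script.
if [ -z "${DRY_RUN:-}" ]; then
    if command -v svccfg >/dev/null 2>&1; then DRY_RUN=0; else DRY_RUN=1; fi
fi

run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@" || { echo "FAILED: $*" >&2; return 1; }
    fi
}

harden() {
    rc=0
    for svc in $INETD_DISABLE; do run inetadm -d "$svc" || rc=1; done
    for svc in $SMF_DISABLE;   do run svcadm disable "$svc" || rc=1; done

    # inetd-wide defaults, as given in the post
    run inetadm -M tcp_trace=true    || rc=1
    run inetadm -M tcp_wrappers=true || rc=1

    # The interactive svccfg session, passed on the command line with -s
    for prop in enable_tcpwrappers verbose_logging; do
        run svccfg -s network/rpc/bind setprop "config/$prop" = boolean: true || rc=1
    done
    # Assumption: refresh so the running rpcbind instance sees the new values
    run svcadm refresh network/rpc/bind || rc=1
    return $rc
}

harden
```

Run with DRY_RUN=1 to review the command list first; a non-zero exit status means at least one command failed and was reported on stderr.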
# 2
Interesting! I will try that.
I'm setting up a jumpstart server with JET on my laptop. I've tried installing Solaris 10 b72 from it, works OK too. Had to make some modifications though.
The only thing that annoys me is the package dependencies. I want to mark packages for removal but it doesn't allow me to.
The most minimal configuration you can choose is SUNWrnet, and it isn't possible to deselect packages from it because they're considered 'core'.
The problem is old. Read this post:
http://aa11.cjb.net/sun_managers/2000/11/msg00286.html
Here's an old article discussing JASS on Jumpstart:
http://www.securityfocus.com/infocus/1601
Anyone who has written custom postinstall scripts for JET on Solaris 10, please share it! I'm also interested in JASS config user.init scripts, and any modifications done to make it work on 10!
Thanks.
snejk at 2007-7-5 19:39:57 >
