Less Known Solaris features: Jumpstart Enterprise Toolkit - Part 12: Automatic hardening with SST
It's a best practice to harden a system before you place it into your production network to reduce possible attack vectors. Sun developed the Solaris Security Toolkit for this task, to collect all the knowledge about hardening Solaris in a tool that's simple to use. I've already written about the usage of the toolkit in another installment of the LessKnownSolarisFeatures series.
It would be really neat to have automated hardening of new systems. The Jumpstart Enterprise Toolkit can do exactly this with the help of the JASS module.
Preparing the Jumpstart for installation
At first you uncompress and untar the JASS distribution.
Okay, but we have to do another step. There is a patch for version 4.2.0 of the Solaris Security Toolkit: 122608-xx. First we have to tell JET that there is a patch for this product and version. To do so, we modify the file patch.matrix in /opt/SUNWjet/Products/jass:
Now it's easy to integrate the patch. I had unpacked the patch into the directory /export/home/jmoekamp/patch_jass beforehand:
Configuring the template
Okay, you have to configure only a few basic variables to trigger the automatic hardening of your new installation.
It's important to know that the above configuration installs the SUNWjass package on the system, patches it there and then runs the toolkit installed on the system.
The hardening of the system is started in the background. After a while you will recognize the work of the script: the backup files of the Solaris Security Toolkit are dispersed all over the directories.
After the completion of the background JASS run, you have an automatically installed, patched, customized, mirrored and hardened system.
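To review what the background run actually changed, the backup files mentioned above can be grouped by run and compared with the live files. The following is an added example, not part of the original article or of the toolkit; it assumes the toolkit's default backup suffix `.JASS.<timestamp>` with a 14-digit timestamp, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: summarize Solaris Security Toolkit backup files under a root.
# Assumption: backups carry the default suffix ".JASS.<timestamp>" with a
# 14-digit timestamp (YYYYMMDDHHMMSS). Function names are hypothetical.

# List every backup file below directory $1.
jass_backup_files() {
    find "$1" -type f -name '*.JASS.[0-9]*' -print 2>/dev/null
}

# Print one line per hardening run: "<timestamp> <number of files backed up>".
jass_runs() {
    jass_backup_files "$1" |
        sed -n 's/.*\.JASS\.\([0-9]\{14\}\)$/\1/p' |
        sort | uniq -c | awk '{ print $2, $1 }'
}

# Print the paths of the files that run $2 modified below directory $1.
jass_changed_in_run() {
    jass_backup_files "$1" |
        sed -n "s/\.JASS\.$2\$//p" | sort
}

# For run $2, show how each live file differs from its pre-hardening backup.
jass_diff_run() {
    jass_changed_in_run "$1" "$2" | while read -r f; do
        echo "== $f"
        if [ -f "$f" ]; then
            # diff exits non-zero when the files differ; that is expected here.
            diff "$f.JASS.$2" "$f" || true
        else
            echo "(live file no longer present)"
        fi
    done
}
```

Running `jass_runs /etc` on a freshly installed client should show a single timestamp; more than one means the toolkit ran again after the JET installation.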