Legal Notices
=============

All files, programs, and scripts in this directory are Copyright (C) Hal Pomeranz and Deer Run Associates, 2001. All rights reserved. Permission is granted to distribute, share, and modify these tools for free as long as this Copyright message is preserved. Receiving compensation for the distribution of these tools is expressly forbidden. For further information, contact Hal Pomeranz.

No warranty is expressed or implied and Hal Pomeranz and Deer Run Associates cannot be held accountable for any damages which may occur as a result of using these tools.


About These Tools
=================

I'm the primary author and editor of the "Solaris Security: Step-by-Step" guide which is published by the SANS Institute (see http://www.sans.org/newlook/resources/hard_solaris.htm#3). The guide is an easy-to-follow "recipe" for turning a Solaris machine into a "bastion host" type system which is appropriate for use as an Internet Web server, firewall, mail relay, or other platform which requires high levels of security.

At the end of Y2K, I was busily engaged in an update of the guide and needed a way to easily test the various steps in the new "recipe" on all of the different supported OS revisions (Solaris 2.5.1 through Solaris 8). The easiest thing to do, I realized, was to create a set of shell scripts that would automatically perform the "recipe" from the guide without my intervention. By incorporating these scripts into my local Jumpstart environment, I could be doing one thing while the scripts were busily testing themselves in another window.

However, I regularly get requests from readers of the "Step-by-Step" guide to provide an automated tool for actually performing the "recipe", so I figured that I'd be releasing the tools at some point in the future (like now). I also do this sort of system hardening for customers as part of my consulting practice, and I know for a fact that one size definitely does not fit all. So, I designed the configuration system to be (a) modular, and (b) easily customizable for different environments (see the conf/00README and scripts/README files for more information).

Subsequently, I became a contributor to the Center for Internet Security's effort to produce a scorable baseline security configuration for Solaris systems-- the Center's Solaris benchmark project. There was some interest in having a tool which would automatically perform the configuration steps from the benchmark document. Since there's a lot of overlap between the benchmark and the "Step-by-Step" guide, it was fairly easy to adapt the default configuration of my tool to perform the operations mandated by the benchmark (see the conf/CIS-*.conf files and the README.CIS-benchmark files throughout the distribution).


Functionality Overview
======================

The primary configuration engine is the bin/configurator script, which has five distinct phases of operation:

1) Read in default configuration settings.

   Most of the behavior of the configurator script is controlled by environment variables which are read from the files in the conf directory. See the conf/00README file for more information on customization.

2) Install recommended patch cluster.

   The configurator script will automatically install the Sun recommended patch cluster if the appropriate files are installed in the patches directory. See the patches/00README file for installation instructions.

3) Install local packages.

   The local administrator may have the configurator script install additional packages (in Sun pkgadd format) from the packages subdirectory. This is a good place to install third-party security tools like OpenSSH and Tripwire. Packages will only be installed if the $PACKAGES configuration variable is configured properly (see conf/00README).

4) Install local configuration files.

   The configurator script will install any files found under the files subdirectory (actually the location is customizable by setting the $CONFFILES configuration variable-- see conf/00README). Files are installed by simply tar-ing up the files hierarchy and unpacking it again from the root of the target system. This means that the directory structure in the files area should emulate the local OS-- if you want to install an /etc/resolv.conf file, you need to put it in files/etc/resolv.conf.

5) Run scripts.

   A couple of dozen scripts are provided which perform the majority of the configuration steps from the "Step-by-Step" guide. Additional scripts can be added to suit local tastes (see the $SCRIPTS environment variable in conf/00README). The behavior of many of the scripts changes based on the setting of environment variables from the conf directory (see scripts/README). Note that not all of the steps from the "Step-by-Step" guide will be performed-- see the scripts/README.Step-by-Step file for more details.

The configurator script can either be run by hand on a brand new system or used as part of a custom Jumpstart environment by using the bin/config-trig script as a custom post-install script (see the INSTALL file in this directory for details). Generally, the target system will need to be rebooted after the configurator script is run-- the config-trig script handles this automatically, but the administrator will have to reboot the system if the configurator script is being run manually.


Similar Tools
=============

There are a fair number of other tools out there for "automatically" securing Solaris systems. Each has different features and benefits.

    JASS   (http://www.sun.com/blueprints/tools/)
    TITAN  (http://www.fish.com/titan/)
    YASSP  (http://www.yassp.org/)

Bastille is a similar tool which is available for Linux systems (see http://bastille-linux.sourceforge.net/). Rumor has it that the Bastille folks are thinking about expanding the tool to support Solaris as well. Similarly, the latest TITAN beta release supports Linux systems in addition to Solaris.


Help Save the World!
====================

Feedback, bug reports (bug-fixes are always appreciated too), comments and suggestions, and questions are all welcome via email-- contact the author at the address below. I'd particularly like to hear from people who are using the configurator tool to address real problems at their organization.

"Thank you" messages, testimonials, hymns of praise, donations of food and alcohol (single malt scotch), cash and other liquid commodities, and large farm animals are especially welcome. OK, I was kidding about the "large farm animals" thing...

Enjoy!

Hal Pomeranz
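As an added illustration of phase 4 of the Functionality Overview (the "tar up the files hierarchy and unpack it from the root of the target system" step), here is a small POSIX shell script written for this page; it is example code, not part of the configurator distribution, and the function names, the preview step and the overwrite report are all additions of this example rather than anything the tool itself provides. It assumes a source tree laid out like the target OS (files/etc/resolv.conf installs as /etc/resolv.conf) and an existing target root, and it shows the one thing the README's one-line description leaves implicit: an overlay install silently replaces whatever is already on the target, so it pays to list the files that will be overwritten before running it against a live system.

```shell
#!/bin/sh
# Added example, not part of the configurator distribution: the "tar up the
# files hierarchy and unpack it from the root of the target" step of phase 4,
# plus a preview and an overwrite report so the operator can see what the
# overlay will replace before it touches the live system.
# Assumptions: the source tree mirrors the target OS layout
# (files/etc/resolv.conf installs as /etc/resolv.conf) and the target root
# already exists. Function names are this example's own.

# Print the paths that would be installed, relative to the target root,
# without modifying anything.
preview_conffiles() {
    srcdir=$1
    [ -d "$srcdir" ] || { echo "preview: no such directory: $srcdir" >&2; return 1; }
    ( cd "$srcdir" && find . -type f | sed 's|^\./|/|' | sort )
}

# Unpack the hierarchy under $1 at target root $2 (default "/"), preserving
# file modes with tar's p flag. Refuses to run unless both directories exist,
# so a mistyped root cannot silently create a new tree somewhere else.
install_conffiles() {
    srcdir=$1
    targetroot=${2:-/}
    [ -d "$srcdir" ] || { echo "install: no such directory: $srcdir" >&2; return 1; }
    [ -d "$targetroot" ] || { echo "install: no such target root: $targetroot" >&2; return 1; }
    # Report every file the overlay will overwrite on the target.
    ( cd "$srcdir" && find . -type f ) | while read -r f; do
        rel=${f#./}
        if [ -e "$targetroot/$rel" ]; then
            echo "overwriting: /$rel"
        fi
    done
    # The copy-a-tree pipeline the README describes: create the archive on
    # stdout in the source tree, extract it from the target root.
    ( cd "$srcdir" && tar cf - . ) | ( cd "$targetroot" && tar xpf - )
}

# Constructed demonstration: a throw-away files/ tree installed into a
# temporary directory standing in for the target root, never the real "/".
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/files/etc" "$work/root/etc"
    printf 'nameserver 192.0.2.53\n' > "$work/files/etc/resolv.conf"
    printf 'search example.com\n' > "$work/root/etc/resolv.conf"   # pre-existing file on the "target"
    echo "would install:"
    preview_conffiles "$work/files"
    install_conffiles "$work/files" "$work/root"
    echo "target now contains:"
    cat "$work/root/etc/resolv.conf"
    rm -rf "$work"
}
demo
```

Run against a real machine you would call install_conffiles with the files directory and no second argument (so the root defaults to "/") as root, the same way the configurator does it; running preview_conffiles first and checking the "overwriting:" lines against the target's existing configuration is the check the README's description does not mention.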