Hardening Procedure for Solaris Systems
The hardening policies are defined as follows:
In those cases where Solaris Containers are implemented, the same security mechanisms are applied to the virtualized instances of the operating system.
JASS provides a set of templates to customize the security profiles. The one utilized is secure.driver. No scripts are customized (user.init), but some of the scripts in the hardening.driver file are disabled or enabled to fit the requirements of the environment. Below is the template in use, with remarks on which scripts were intentionally disabled or enabled.
JASS_SCRIPTS="
disable-ab2.fin
disable-apache.fin
disable-apache2.fin
disable-appserv.fin
disable-asppp.fin
disable-autoinst.fin
disable-automount.fin
disable-dhcpd.fin
disable-directory.fin
disable-dmi.fin
disable-dtlogin.fin
disable-face-log.fin
disable-ipv6.fin
disable-IIim.fin
disable-kdc.fin
disable-keyboard-abort.fin ### This script was intentionally enabled.
disable-keyserv-uid-nobody.fin
disable-ldap-client.fin
disable-lp.fin
disable-mipagent.fin
disable-named.fin
disable-nfs-client.fin
disable-nfs-server.fin
disable-nscd-caching.fin
# disable-picld.fin
disable-ppp.fin
disable-preserve.fin
disable-power-mgmt.fin
disable-remote-root-login.fin
disable-rhosts.fin
disable-routing.fin
disable-rpc.fin
disable-samba.fin
disable-sendmail.fin
disable-slp.fin
disable-sma.fin
disable-smcwebserver.fin
disable-snmp.fin
disable-spc.fin
disable-ssh-root-login.fin
disable-syslogd-listen.fin
disable-system-accounts.fin
disable-uucp.fin
disable-vold.fin
disable-wbem.fin
disable-xfs.fin
disable-xserver-listen.fin
enable-account-lockout.fin
enable-coreadm.fin
# enable-ftpaccess.fin ### This script was intentionally disabled.
enable-ftp-syslog.fin
enable-inetd-syslog.fin
# enable-ipfilter.fin ### This script was intentionally disabled.
enable-password-history.fin
enable-priv-nfs-ports.fin
# enable-process-accounting.fin ### This script was intentionally disabled.
enable-rfc1948.fin
enable-stack-protection.fin
enable-tcpwrappers.fin
install-at-allow.fin
install-ftpusers.fin
install-loginlog.fin
install-md5.fin
install-nddconfig.fin
install-newaliases.fin
install-sadmind-options.fin
install-security-mode.fin
install-shells.fin
install-sulog.fin
print-rhosts.fin ### This script was intentionally enabled.
remove-unneeded-accounts.fin
set-banner-dtlogin.fin
set-banner-ftpd.fin
set-banner-sendmail.fin
set-banner-sshd.fin
set-banner-telnetd.fin
set-flexible-crypt.fin
set-ftpd-umask.fin
set-login-retries.fin
set-power-restrictions.fin
set-rmmount-nosuid.fin
set-root-group.fin
set-strict-password-checks.fin
set-sys-suspend-restrictions.fin
set-system-umask.fin
set-tmpfs-limit.fin
set-user-password-reqs.fin
set-user-umask.fin
update-at-deny.fin
update-cron-allow.fin
update-cron-deny.fin
update-cron-log-size.fin
update-inetd-conf.fin
enable-bsm.fin ### This script was intentionally enabled.
install-fix-modes.fin
install-strong-permissions.fin ### This script was intentionally enabled.
# enable-bart.fin ### This script was intentionally disabled.
# print-sgid-files
# print-suid-files
# print-unowned-objects
# print-world-writable-objects
"
The scripts that are commented out are not executed.
Brief description of some notable scripts:
enable-account-lockout.fin: Enables account lockout after repeated failed login attempts.
enable-coreadm.fin: Configures the core file environment (coreadm).
enable-ftpaccess.fin: FTP access is left disabled; FTP is also blocked by IPFilter.
enable-ftp-syslog.fin: Also logs FTP activity to syslog.
enable-inetd-syslog.fin: Configures the Internet Services Daemon (inetd) to log all incoming connections.
enable-ipfilter.fin: Enables the IPFilter environment (with no active rules by default).
enable-password-history.fin: Enables password history.
enable-priv-nfs-ports.fin: Configures NFS to accept connections from privileged ports only (below port 1024).
enable-process-accounting.fin: We do not enable process accounting, as it is not useful in our environment.
enable-rfc1948.fin: Creates or modifies the /etc/default/inetinit file to enable support for RFC 1948, which defines unique-per-connection initial sequence number generation. For more information, refer to http://RF.Cx/rfc1948.html.
enable-stack-protection.fin: Enables stack protection and logging of violations.
enable-tcpwrappers.fin: Creates hosts.allow and hosts.deny files so that TCP Wrappers cover all TCP connections.
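As an added example (not part of this procedure or of the JASS toolkit), the following POSIX sh functions list the entries that a driver's JASS_SCRIPTS block will actually run and report any that have no matching file in the Finish directory, which catches entries such as print-sgid-files written without the .fin suffix. The driver fragment and Finish directory built by demo() are constructed for the example.

```shell
#!/bin/sh
# Added example; not part of the original procedure or of the JASS toolkit.
# Lists the Finish scripts a driver's JASS_SCRIPTS block will actually run
# (entries not commented out) and reports any that do not exist in the
# Finish directory. demo() builds a constructed driver fragment and Finish
# directory under a temporary path.

# active_scripts <driver>: print the active JASS_SCRIPTS entries, one per line.
active_scripts() {
    # Keep the lines between JASS_SCRIPTS=" and the closing quote, drop the
    # "### ..." remarks, then drop commented-out and empty entries.
    sed -n '/^JASS_SCRIPTS="/,/^"/p' "$1" |
        sed -e '1d' -e '/^"/d' -e 's/[[:space:]]*###.*$//' \
            -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' |
        grep -v '^#' | grep -v '^$'
}

# missing_scripts <driver> <finish-dir>: print "missing: <name>" for every
# active entry with no matching file; return the number of missing entries.
missing_scripts() {
    missing=0
    for script in $(active_scripts "$1"); do
        if [ ! -f "$2/$script" ]; then
            echo "missing: $script"
            missing=$((missing + 1))
        fi
    done
    return $missing
}

# demo: run the check against a constructed driver fragment; prints the
# report and the number of missing scripts, and always returns 0.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/Finish"
    cat > "$tmp/secure.driver" <<'EOF'
JASS_SCRIPTS="
disable-keyboard-abort.fin ### This script was intentionally enabled.
# enable-ipfilter.fin ### This script was intentionally disabled.
enable-bsm.fin
print-sgid-files
"
EOF
    # Constructed Finish directory: every real script carries the .fin suffix.
    for f in disable-keyboard-abort.fin enable-ipfilter.fin enable-bsm.fin \
             print-sgid-files.fin; do
        : > "$tmp/Finish/$f"
    done
    if missing_scripts "$tmp/secure.driver" "$tmp/Finish"; then
        count=0
    else
        count=$?
    fi
    echo "missing count: $count"
    rm -rf "$tmp"
}

demo
```

Running the check against the real /opt/SUNWjass/Drivers/hardening.driver and /opt/SUNWjass/Finish before a JASS run shows which entries would be silently skipped.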
Audit Configuration
The Basic Security Module (BSM) provides two security features. The first feature is an auditing mechanism, which includes tools to assist with the analysis of the audit data. The second feature is a device-allocation mechanism, which provides the required object-reuse characteristics for removable or assignable devices. The auditing mechanism helps detect potential security breaches by revealing suspicious or abnormal patterns of system usage. It also provides a means to trace suspect actions back to a particular user, thus serving as a deterrent: if users know that their activities are likely to be audited, they might be less likely to attempt malicious activities.

The audit subsystem is configured to log audit activity both locally and to a remote syslog server.

Audit control file:
dir:/var/audit
flags:lo,ex
minfree:20
naflags:lo,ex
plugin: name=audit_syslog.so;p_flags=lo,ex

Audit startup file:
/usr/sbin/auditconfig -setpolicy +cnt
/usr/sbin/auditconfig -setpolicy +zonename
/usr/sbin/auditconfig -setpolicy +argv
/usr/sbin/auditconfig -conf
/usr/sbin/auditconfig -aconf

Entry in /etc/syslog.conf:
audit.notice;auth.debug @dc5sfsecsyslog01
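As an added check (not part of this procedure or of Solaris), the following POSIX sh functions verify an audit configuration against the policy above: flags and naflags must include the lo and ex classes, the audit_syslog.so plugin must be configured, and syslog.conf must forward audit.notice to a remote host. The audit_control and syslog.conf files written by demo() are constructed copies of the settings shown here, plus a weakened variant to show failures being reported.

```shell
#!/bin/sh
# Added example; not part of the original procedure or of Solaris itself.
# Checks a BSM audit configuration against the policy above. Paths are
# parameters so the same checks can be run on a host against
# /etc/security/audit_control and /etc/syslog.conf; demo() runs them
# against constructed copies, one compliant and one weakened.

# has_classes <list> <wanted>: return 0 if every class in <wanted> is in <list>.
has_classes() {
    for want in $(echo "$2" | tr ',' ' '); do
        echo ",$1," | grep -q ",$want," || return 1
    done
    return 0
}

# audit_setting <audit_control> <key>: print the value of the "key:value" line.
audit_setting() {
    grep -v '^#' "$1" | sed -n "s/^$2:[[:space:]]*//p" | head -n 1
}

# check_audit_policy <audit_control> <syslog.conf>: print each failing check
# on stderr and return the number of failures (0 means the policy is met).
check_audit_policy() {
    fails=0
    flags=$(audit_setting "$1" flags)
    has_classes "$flags" lo,ex ||
        { echo "flags must include lo,ex (found '$flags')" >&2; fails=$((fails + 1)); }
    naflags=$(audit_setting "$1" naflags)
    has_classes "$naflags" lo,ex ||
        { echo "naflags must include lo,ex (found '$naflags')" >&2; fails=$((fails + 1)); }
    case "$(audit_setting "$1" plugin)" in
        *name=audit_syslog.so*p_flags=*) ;;
        *) echo "audit_syslog.so plugin not configured" >&2; fails=$((fails + 1)) ;;
    esac
    grep -v '^#' "$2" | grep 'audit\.notice' | grep -q '@[[:alnum:]]' ||
        { echo "syslog.conf does not forward audit.notice to a remote host" >&2; fails=$((fails + 1)); }
    return $fails
}

# demo: prints "<failures on compliant config> <failures on weakened config>".
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/audit_control" <<'EOF'
dir:/var/audit
flags:lo,ex
minfree:20
naflags:lo,ex
plugin:name=audit_syslog.so;p_flags=lo,ex
EOF
    printf 'audit.notice;auth.debug\t@dc5sfsecsyslog01\n' > "$tmp/syslog.conf"
    if check_audit_policy "$tmp/audit_control" "$tmp/syslog.conf"; then good=0; else good=$?; fi
    # Weakened copy: exec auditing dropped and audit records kept only locally.
    sed 's/^flags:lo,ex$/flags:lo/' "$tmp/audit_control" > "$tmp/audit_control.weak"
    printf 'audit.notice\t/var/adm/auditlog\n' > "$tmp/syslog.conf.weak"
    if check_audit_policy "$tmp/audit_control.weak" "$tmp/syslog.conf.weak"; then weak=0; else weak=$?; fi
    rm -rf "$tmp"
    echo "$good $weak"
}

demo
```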
Authentication on the Solaris hosts is provided only by using RSA. The steps for implementing RSA are as follows:
Tripwire is a browser-based configuration audit and control tool that monitors file servers. It baselines the files using a set of rules that specify which directories and files should be monitored. The data collected by running the rules becomes the benchmark against which future checks are measured. The steps to install TWeagent (Tripwire Enterprise Agent (INTEL) 7.1.0) on a Solaris host are as follows:
A zone is a single instance of the Solaris Operating System in which processes are isolated from the rest of the system. There are two types of zones: the global zone and non-global zones. Every Solaris system contains a global zone. The global zone is the only zone from which a non-global zone can be configured, installed, managed, or uninstalled, and only the global zone is bootable from the system hardware.

A non-global zone can be thought of as a box. To enforce basic process isolation, a process can see only those processes that exist in the same zone. Basic communication between zones is accomplished by giving each zone at least one logical network interface. An application running in one zone cannot observe the network traffic of another zone; this isolation is maintained even though the respective streams of packets travel through the same physical interface.

Each zone is given a portion of the file system hierarchy. Because each zone is confined to its subtree of the file system hierarchy, a workload running in a particular zone cannot access the on-disk data of another workload running in a different zone.

There are two types of non-global zone root file system models: sparse root and whole root. The whole root zone model provides the maximum configurability: all of the required and any selected optional Solaris packages are installed into the private file systems of the zone. In the sparse root zone model, only a subset of the root packages is installed.

We run most applications in non-global zones, except the databases. Zones are hardened to ensure high-level security. The practices are:
We will apply the hardening methods to the zones accordingly.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE zone PUBLIC "-//Sun Microsystems Inc//DTD Zones//EN" "file:///usr/share/lib/xml/dtd/zonecfg.dtd.1">
<!-- DO NOT EDIT THIS FILE. Use zonecfg(1M) instead. -->
<zone name="dc5sfapp01a" zonepath="/zones/dc5sfapp01a" autoboot="true">
  <inherited-pkg-dir directory="/lib"/>
  <inherited-pkg-dir directory="/platform"/>
  <inherited-pkg-dir directory="/sbin"/>
  <inherited-pkg-dir directory="/usr"/>
  <inherited-pkg-dir directory="/usr/sfw"/>
  <inherited-pkg-dir directory="/export/home/apache-ant-1.6.1"/>
  <inherited-pkg-dir directory="/export/home/jdk1.6.0_13"/>
  <network address="10.5.30.14" physical="nge0"/>
</zone>

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE zone PUBLIC "-//Sun Microsystems Inc//DTD Zones//EN" "file:///usr/share/lib/xml/dtd/zonecfg.dtd.1">
<!-- DO NOT EDIT THIS FILE. Use zonecfg(1M) instead. -->
<zone name="dc5sfsmnsageapp01" zonepath="/zones/dc5sfsmnsageapp01" autoboot="true">
  <network address="10.5.35.14" physical="nge0"/>
</zone>

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE zone PUBLIC "-//Sun Microsystems Inc//DTD Zones//EN" "file:///usr/share/lib/xml/dtd/zonecfg.dtd.1">
<!-- DO NOT EDIT THIS FILE. Use zonecfg(1M) instead. -->
<zone name="dc5sfsmnsageweb01" zonepath="/zones/dc5sfsmnsageweb01" autoboot="true" ip-type="exclusive">
  <network address="" physical="nge2"/>
</zone>
International Standard ISO/IEC 17799 Information Technology – Security Techniques – Code Of Practice For Information Security Management
/opt/SUNWjass/Finish # ls -lrt
total 834
-r--r--r-- 1 root root 697 Jul 26 2005 disable-ab2.fin
-r--r--r-- 1 root root 892 Jul 26 2005 disable-IIim.fin
-r--r--r-- 1 root root 1103 Jul 26 2005 disable-directory.fin
-r--r--r-- 1 root root 1560 Jul 26 2005 disable-dhcpd.fin
-r--r--r-- 1 root root 888 Jul 26 2005 disable-automount.fin
-r--r--r-- 1 root root 1023 Jul 26 2005 disable-asppp.fin
-r--r--r-- 1 root root 566 Jul 26 2005 disable-appserv.fin
-r--r--r-- 1 root root 532 Jul 26 2005 disable-apache2.fin
-r--r--r-- 1 root root 1159 Jul 26 2005 disable-apache.fin
-r--r--r-- 1 root root 644 Jul 26 2005 disable-named.fin
-r--r--r-- 1 root root 1013 Jul 26 2005 disable-mipagent.fin
-r--r--r-- 1 root root 999 Jul 26 2005 disable-ldap-client.fin
-r--r--r-- 1 root root 2460 Jul 26 2005 disable-keyserv-uid-nobody.fin
-r--r--r-- 1 root root 1850 Jul 26 2005 disable-kdc.fin
-r--r--r-- 1 root root 797 Jul 26 2005 disable-ipv6.fin
-r--r--r-- 1 root root 935 Jul 26 2005 disable-face-log.fin
-r--r--r-- 1 root root 1869 Jul 26 2005 disable-routing.fin
-r--r--r-- 1 root root 1454 Jul 26 2005 disable-rhosts.fin
-r--r--r-- 1 root root 1361 Jul 26 2005 disable-preserve.fin
-r--r--r-- 1 root root 1070 Jul 26 2005 disable-ppp.fin
-r--r--r-- 1 root root 2229 Jul 26 2005 disable-power-mgmt.fin
-r--r--r-- 1 root root 847 Jul 26 2005 disable-picld.fin
-r--r--r-- 1 root root 1865 Jul 26 2005 disable-nscd-caching.fin
-r--r--r-- 1 root root 984 Jul 26 2005 disable-nfs-server.fin
-r--r--r-- 1 root root 825 Jul 26 2005 disable-spc.fin
-r--r--r-- 1 root root 949 Jul 26 2005 disable-slp.fin
-r--r--r-- 1 root root 1854 Jul 26 2005 enable-password-history.fin
-r--r--r-- 1 root root 2823 Jul 26 2005 enable-inetd-syslog.fin
-r--r--r-- 1 root root 1352 Jul 26 2005 enable-ftpaccess.fin
-r--r--r-- 1 root root 1124 Jul 26 2005 enable-ftp-syslog.fin
-r--r--r-- 1 root root 2166 Jul 26 2005 enable-bart.fin
-r--r--r-- 1 root root 2639 Jul 26 2005 enable-account-lockout.fin
-r--r--r-- 1 root root 1165 Jul 26 2005 enable-32bit-kernel.fin
-r--r--r-- 1 root root 434 Jul 26 2005 disable-xfs.fin
-r--r--r-- 1 root root 2253 Jul 26 2005 install-ftpusers.fin
-r--r--r-- 1 root root 4418 Jul 26 2005 install-fix-modes.fin
-r--r--r-- 1 root root 1570 Jul 26 2005 install-at-allow.fin
-r--r--r-- 1 root root 1290 Jul 26 2005 install-Sun_ONE-WS.fin
-r--r--r-- 1 root root 2104 Jul 26 2005 enable-tcpwrappers.fin
-r--r--r-- 1 root root 1572 Jul 26 2005 enable-priv-nfs-ports.fin
-r--r--r-- 1 root root 1374 Jul 26 2005 install-shells.fin
-r--r--r-- 1 root root 1965 Jul 26 2005 install-sadmind-options.fin
-r--r--r-- 1 root root 1959 Jul 26 2005 install-recommended-patches.fin
-r--r--r-- 1 root root 1911 Jul 26 2005 install-openssh.fin
-r--r--r-- 1 root root 1040 Jul 26 2005 install-newaliases.fin
-r--r--r-- 1 root root 3073 Jul 26 2005 install-md5.fin
-r--r--r-- 1 root root 1330 Jul 26 2005 print-unowned-objects.fin
-r--r--r-- 1 root root 1188 Jul 26 2005 print-suid-files.fin
-r--r--r-- 1 root root 1188 Jul 26 2005 print-sgid-files.fin
-r--r--r-- 1 root root 3942 Jul 26 2005 minimize-Sun_ONE-WS.fin
-r--r--r-- 1 root root 570 Jul 26 2005 install-templates.fin
-r--r--r-- 1 root root 2329 Jul 26 2005 set-banner-dtlogin.fin
-r--r--r-- 1 root root 1122 Jul 26 2005 remove-unneeded-accounts.fin
-r--r--r-- 1 root root 1564 Jul 26 2005 print-world-writable-objects.fin
-r--r--r-- 1 root root 1877 Jul 26 2005 set-term-type.fin
-r--r--r-- 1 root root 1699 Jul 26 2005 set-system-umask.fin
-r--r--r-- 1 root root 4421 Jul 26 2005 set-strict-password-checks.fin
-r--r--r-- 1 root root 1086 Jul 26 2005 set-root-group.fin
-r--r--r-- 1 root root 2266 Jul 26 2005 set-rmmount-nosuid.fin
-r--r--r-- 1 root root 1380 Jul 26 2005 set-login-retries.fin
-r--r--r-- 1 root root 2087 Jul 26 2005 update-cron-deny.fin
-r--r--r-- 1 root root 1740 Jul 26 2005 update-cron-allow.fin
-r--r--r-- 1 root root 1225 Jul 26 2005 suncluster3x-set-nsswitch-conf.fin
-r--r--r-- 1 root root 2084 Jul 26 2005 set-tmpfs-limit.fin
-r--r--r-- 1 root root 2048 Aug 22 2008 disable-dtlogin.fin
-r--r--r-- 1 root root 1286 Aug 22 2008 disable-dmi.fin
-r--r--r-- 1 root root 1155 Aug 22 2008 disable-autoinst.fin
-r--r--r-- 1 root root 678 Aug 22 2008 disable-serial-login.fin
-r--r--r-- 1 root root 6428 Aug 22 2008 disable-sendmail.fin
-r--r--r-- 1 root root 1102 Aug 22 2008 disable-samba.fin
-r--r--r-- 1 root root 1636 Aug 22 2008 disable-rpc.fin
-r--r--r-- 1 root root 1174 Aug 22 2008 disable-remote-root-login.fin
-r--r--r-- 1 root root 451 Aug 22 2008 disable-nis-client.fin
-r--r--r-- 1 root root 1369 Aug 22 2008 disable-nfs-client.fin
-r--r--r-- 1 root root 1018 Aug 22 2008 disable-mesg.fin
-r--r--r-- 1 root root 2149 Aug 22 2008 disable-lp.fin
-r--r--r-- 1 root root 1400 Aug 22 2008 disable-keyboard-abort.fin
-r--r--r-- 1 root root 1948 Aug 22 2008 enable-ssh-root-login.fin
-r--r--r-- 1 root root 1774 Aug 22 2008 enable-sar.fin
-r--r--r-- 1 root root 1555 Aug 22 2008 enable-rfc1948.fin
-r--r--r-- 1 root root 3804 Aug 22 2008 enable-process-accounting.fin
-r--r--r-- 1 root root 2031 Aug 22 2008 enable-password-changes.fin
-r--r--r-- 1 root root 690 Aug 22 2008 enable-ldmd.fin
-r--r--r-- 1 root root 3805 Aug 22 2008 enable-ipfilter.fin
-r--r--r-- 1 root root 1122 Aug 22 2008 enable-ftp-debuglog.fin
-r--r--r-- 1 root root 1217 Aug 22 2008 enable-cronlog.fin
-r--r--r-- 1 root root 3368 Aug 22 2008 enable-coreadm.fin
-r--r--r-- 1 root root 6862 Aug 22 2008 enable-bsm.fin
-r--r--r-- 1 root root 2118 Aug 22 2008 disable-xserver-listen.fin
-r--r--r-- 1 root root 4306 Aug 22 2008 disable-xdmcp.fin
-r--r--r-- 1 root root 997 Aug 22 2008 disable-wbem.fin
-r--r--r-- 1 root root 1461 Aug 22 2008 disable-vold.fin
-r--r--r-- 1 root root 1608 Aug 22 2008 disable-uucp.fin
-r--r--r-- 1 root root 3851 Aug 22 2008 disable-system-accounts.fin
-r--r--r-- 1 root root 2986 Aug 22 2008 disable-syslogd-listen.fin
-r--r--r-- 1 root root 1938 Aug 22 2008 disable-ssh-root-login.fin
-r--r--r-- 1 root root 1324 Aug 22 2008 disable-snmp.fin
-r--r--r-- 1 root root 535 Aug 22 2008 disable-smcwebserver.fin
-r--r--r-- 1 root root 1237 Aug 22 2008 disable-sma.fin
-r--r--r-- 1 root root 1292 Aug 22 2008 install-loginlog.fin
-r--r--r-- 1 root root 2084 Aug 22 2008 install-local-syslog.fin
-r--r--r-- 1 root root 2563 Aug 22 2008 install-ldm.fin
-r--r--r-- 1 root root 2904 Aug 22 2008 install-jass.fin
-r--r--r-- 1 root root 1527 Aug 22 2008 install-connlog.fin
-r--r--r-- 1 root root 1573 Aug 22 2008 install-authlog.fin
-r--r--r-- 1 root root 3095 Aug 22 2008 enable-xscreensaver.fin
-r--r--r-- 1 root root 3773 Aug 22 2008 enable-stack-protection.fin
-r--r--r-- 1 root root 1080 Aug 22 2008 print-rhosts.fin
-r--r--r-- 1 root root 765 Aug 22 2008 print-package-files.fin
-r--r--r-- 1 root root 2281 Aug 22 2008 print-jumpstart-environment.fin
-r--r--r-- 1 root root 3758 Aug 22 2008 print-jass-environment.fin
-r--r--r-- 1 root root 1151 Aug 22 2008 install-sulog.fin
-r--r--r-- 1 root root 1384 Aug 22 2008 install-strong-permissions.fin
-r--r--r-- 1 root root 1897 Aug 22 2008 install-security-mode.fin
-r--r--r-- 1 root root 1347 Aug 22 2008 install-nddconfig.fin
-r--r--r-- 1 root root 2089 Aug 22 2008 set-power-restrictions.fin
-r--r--r-- 1 root root 1642 Aug 22 2008 set-oem-banner.fin
-r--r--r-- 1 root root 768 Aug 22 2008 set-lp-open.fin
-r--r--r-- 1 root root 2774 Aug 22 2008 set-lp-localonly.fin
-r--r--r-- 1 root root 1202 Aug 22 2008 set-log-file-permissions.fin
-r--r--r-- 1 root root 3144 Aug 22 2008 set-grub-password.fin
-r--r--r-- 1 root root 4738 Aug 22 2008 set-greeter-warning.fin
-r--r--r-- 1 root root 2803 Aug 22 2008 set-ftpd-umask.fin
-r--r--r-- 1 root root 4147 Aug 22 2008 set-flexible-crypt.fin
-r--r--r-- 1 root root 3437 Aug 22 2008 set-failed-logins.fin
-r--r--r-- 1 root root 1664 Aug 22 2008 set-dtlogin-open.fin
-r--r--r-- 1 root root 2642 Aug 22 2008 set-dtlogin-localonly.fin
-r--r--r-- 1 root root 961 Aug 22 2008 set-calendar-open.fin
-r--r--r-- 1 root root 1810 Aug 22 2008 set-calendar-localonly.fin
-r--r--r-- 1 root root 1307 Aug 22 2008 set-banner-telnetd.fin
-r--r--r-- 1 root root 1829 Aug 22 2008 set-banner-sshd.fin
-r--r--r-- 1 root root 2027 Aug 22 2008 set-banner-sendmail.fin
-r--r--r-- 1 root root 4350 Aug 22 2008 set-banner-ftpd.fin
-r--r--r-- 1 root root 6560 Aug 22 2008 s15k-static-arp.fin
-r--r--r-- 1 root root 3460 Aug 22 2008 s15k-sms-secure-failover.fin
-r--r--r-- 1 root root 1329 Aug 22 2008 s15k-sms-override.fin
-r--r--r-- 1 root root 2010 Aug 22 2008 s15k-exclude-domains.fin
-r--r--r-- 1 root root 10195 Aug 22 2008 update-inetd-conf.fin
-r--r--r-- 1 root root 4944 Aug 22 2008 update-cron-log-size.fin
-r--r--r-- 1 root root 1909 Aug 22 2008 update-at-deny.fin
-r--r--r-- 1 root root 663 Aug 22 2008 set-wbem-open.fin
-r--r--r-- 1 root root 1323 Aug 22 2008 set-wbem-localonly.fin
-r--r--r-- 1 root root 3352 Aug 22 2008 set-user-umask.fin
-r--r--r-- 1 root root 3049 Aug 22 2008 set-user-password-reqs.fin
-r--r--r-- 1 root root 974 Aug 22 2008 set-ttdb-open.fin
-r--r--r-- 1 root root 1635 Aug 22 2008 set-ttdb-localonly.fin
-r--r--r-- 1 root root 1558 Aug 22 2008 set-sys-suspend-restrictions.fin
-r--r--r-- 1 root root 2584 Aug 22 2008 set-ssh-config.fin
-r--r--r-- 1 root root 672 Aug 22 2008 set-smcwebserver-open.fin
-r--r--r-- 1 root root 910 Aug 22 2008 set-smcwebserver-localonly.fin
-r--r--r-- 1 root root 909 Aug 22 2008 set-rpc-open.fin
-r--r--r-- 1 root root 2060 Aug 22 2008 set-rpc-localonly.fin
-r--r--r-- 1 root root 1673 Aug 22 2008 set-root-password.fin
-r--r--r-- 1 root root 4734 Aug 22 2008 set-root-home-dir.fin
/opt/SUNWjass/Finish # pwd
/opt/SUNWjass/Finish # cat set-user-password-reqs.fin
#!/bin/sh
#
# Copyright 2006 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
# ident "@(#)set-user-password-reqs.fin 3.10 06/10/30 SMI"
#
# This script installs some basic password requirements for users. Note
# that this affects local password policy only.
logMessage "Installing user password requirements."
echo ""
PASSWD=${JASS_ROOT_DIR}etc/default/passwd
if [ ! -f ${PASSWD} ]; then
    create_a_file -m 0444 -o root:sys ${PASSWD}
    echo ""
fi
changeToBeMade="0"
# Determine the values to be used. If values are
# already in place, then use them. Otherwise, use the
# defaults that are included below.
minWeeks=`nawk -F= '$1==keyword { print $2 }' keyword="MINWEEKS" ${PASSWD}`
if [ ! -z "${JASS_AGING_MINWEEKS}" ]; then
    if [ "${JASS_AGING_MINWEEKS}" != "${minWeeks}" ]; then
        changeToBeMade="1"
        if [ -z "${minWeeks}" ]; then
            minWeeks="NONE"
        fi
        logMessage "Changing MINWEEKS setting from ${minWeeks} to ${JASS_AGING_MINWEEKS}."
    fi
    minWeeks="${JASS_AGING_MINWEEKS}"
fi
maxWeeks=`nawk -F= '$1==keyword { print $2 }' keyword="MAXWEEKS" ${PASSWD}`
if [ ! -z "${JASS_AGING_MAXWEEKS}" ]; then
    if [ "${JASS_AGING_MAXWEEKS}" != "${maxWeeks}" ]; then
        changeToBeMade="1"
        if [ -z "${maxWeeks}" ]; then
            maxWeeks="NONE"
        fi
        logMessage "Changing MAXWEEKS setting from ${maxWeeks} to ${JASS_AGING_MAXWEEKS}."
    fi
    maxWeeks="${JASS_AGING_MAXWEEKS}"
fi
warnWeeks=`nawk -F= '$1==keyword { print $2 }' keyword="WARNWEEKS" ${PASSWD}`
if [ ! -z "${JASS_AGING_WARNWEEKS}" ]; then
    if [ "${JASS_AGING_WARNWEEKS}" != "${warnWeeks}" ]; then
        changeToBeMade="1"
        if [ -z "${warnWeeks}" ]; then
            warnWeeks="NONE"
        fi
        logMessage "Changing WARNWEEKS setting from ${warnWeeks} to ${JASS_AGING_WARNWEEKS}."
    fi
    warnWeeks="${JASS_AGING_WARNWEEKS}"
fi
passLength=`nawk -F= '$1==keyword { print $2 }' keyword="PASSLENGTH" ${PASSWD}`
if [ ! -z "${JASS_PASS_LENGTH}" ]; then
    if [ "${JASS_PASS_LENGTH}" != "${passLength}" ]; then
        changeToBeMade="1"
        if [ -z "${passLength}" ]; then
            passLength="NONE"
        fi
        logMessage "Changing PASSLENGTH setting from ${passLength} to ${JASS_PASS_LENGTH}."
    fi
    passLength="${JASS_PASS_LENGTH}"
fi
if [ "${changeToBeMade}" = "1" ]; then
    echo ""
    backup_file ${PASSWD}
    # Remove the old entries and insert the new ones.
    cat ${PASSWD}.${JASS_SUFFIX} |\
        egrep -v '^MINWEEKS=|^MAXWEEKS=|^WARNWEEKS=|^PASSLENGTH=' > ${PASSWD}
    if [ ! -z "${JASS_AGING_MINWEEKS}" ]; then
        echo "MINWEEKS=${minWeeks}" >> ${PASSWD}
    fi
    if [ ! -z "${JASS_AGING_MAXWEEKS}" ]; then
        echo "MAXWEEKS=${maxWeeks}" >> ${PASSWD}
    fi
    if [ ! -z "${JASS_AGING_WARNWEEKS}" ]; then
        echo "WARNWEEKS=${warnWeeks}" >> ${PASSWD}
    fi
    if [ ! -z "${JASS_PASS_LENGTH}" ]; then
        echo "PASSLENGTH=${passLength}" >> ${PASSWD}
    fi
    change_owner root:sys ${PASSWD}
    change_default_perms ${PASSWD}
fi