Hardening Procedure for Solaris Systems

The provided text is a detailed configuration and audit log for a Solaris (or OpenSolaris) system, specifically focused on security hardening using the SUNWjass (JASS - Java Application Security Suite) framework. It includes:

  • A list of JASS script files (*.fin) with their permissions and timestamps.
  • Configuration details for password policies via set-user-password-reqs.fin.
  • System-level security settings (e.g., disabling services like sendmail, rpc, ssh-root-login, etc.).
  • Audit trail of changes made by scripts.
  • Commands and outputs from shell sessions (e.g., pwd, cat, ls).
  • Hardcoded security policies, such as:
    • Minimum password age (MINWEEKS)
    • Maximum password age (MAXWEEKS)
    • Warning before expiry (WARNWEEKS)
    • Minimum password length (PASSLENGTH)
  • Use of JASS environment variables like:
    • JASS_AGING_MINWEEKS
    • JASS_PASS_LENGTH
    • JASS_ROOT_DIR

🔐 Key Security Configuration: set-user-password-reqs.fin

This script enforces user password policies in /etc/default/passwd.

Policy Enforcement (from script)

# From the script:
JASS_AGING_MINWEEKS=2
JASS_AGING_MAXWEEKS=104
JASS_AGING_WARNWEEKS=14
JASS_PASS_LENGTH=8

This means:

| Policy | Value | Meaning |
|---|---|---|
| MINWEEKS | 2 weeks | Password must be kept for at least 2 weeks before change |
| MAXWEEKS | 104 weeks (~2 years) | Password expires after 2 years |
| WARNWEEKS | 14 days | User gets warning 14 days before expiry |
| PASSLENGTH | 8 characters | Minimum password length is 8 characters |

✅ These values are enforced by JASS if the environment variables are set.

🛠️ How It Works

  • The script reads /etc/default/passwd.
  • Compares current values with JASS_* environment variables.
  • If mismatched, updates the file and logs the change.
  • Uses backup_file to preserve old config.
  • Applies strict permissions (0444, root:sys).
  • Uses egrep -v to remove old entries before writing new ones.
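The flow just listed, as an added POSIX sh illustration that is not the original .fin script's code: it operates on a file path you pass in, logMessage and backup_file are hypothetical stand-ins for the JASS helpers, and the sample /etc/default/passwd is constructed.

```shell
#!/bin/sh
# Added example, not the JASS script itself: reproduces the
# set-user-password-reqs.fin flow on a file you pass in (a copy, not the
# live /etc/default/passwd). Defaults mirror the values quoted on the page.
JASS_AGING_MINWEEKS=${JASS_AGING_MINWEEKS:-2}
JASS_AGING_MAXWEEKS=${JASS_AGING_MAXWEEKS:-104}
JASS_AGING_WARNWEEKS=${JASS_AGING_WARNWEEKS:-14}
JASS_PASS_LENGTH=${JASS_PASS_LENGTH:-8}

# Hypothetical stand-ins for the JASS helpers logMessage and backup_file.
logMessage() { printf '%s\n' "$*" >&2; }
backup_file() { cp -p "$1" "$1.JASS.$(date +%Y%m%d)"; }

# get_value FILE KEY: current value of KEY in FILE (empty if unset).
get_value() { sed -n "s/^$2=//p" "$1" | tail -n 1; }

# set_password_reqs FILE: compare each key with its JASS_* value; on any
# mismatch back the file up, strip the old entries (egrep -v in the .fin,
# grep -Ev here), append the enforced values and re-apply 0444.
set_password_reqs() {
    file=$1
    changed=0
    for pair in MINWEEKS=$JASS_AGING_MINWEEKS MAXWEEKS=$JASS_AGING_MAXWEEKS \
                WARNWEEKS=$JASS_AGING_WARNWEEKS PASSLENGTH=$JASS_PASS_LENGTH
    do
        key=${pair%%=*}; want=${pair#*=}
        if [ "$(get_value "$file" "$key")" != "$want" ]; then
            changed=1
            logMessage "Setting $key to $want in $file"
        fi
    done
    if [ "$changed" -eq 0 ]; then
        logMessage "$file already compliant, nothing to do"   # idempotent
        return 0
    fi
    backup_file "$file"
    # Write to a temp file so a crash mid-way leaves the original intact.
    grep -Ev '^(MINWEEKS|MAXWEEKS|WARNWEEKS|PASSLENGTH)=' "$file" > "$file.new" || :
    printf 'MINWEEKS=%s\nMAXWEEKS=%s\nWARNWEEKS=%s\nPASSLENGTH=%s\n' \
        "$JASS_AGING_MINWEEKS" "$JASS_AGING_MAXWEEKS" \
        "$JASS_AGING_WARNWEEKS" "$JASS_PASS_LENGTH" >> "$file.new"
    mv "$file.new" "$file"
    chmod 0444 "$file"    # chown root:sys would follow on a real system
}

# Constructed sample of a stock /etc/default/passwd, used for a dry run.
sample=$(mktemp)
printf 'MAXWEEKS=\nMINWEEKS=\nPASSLENGTH=6\n' > "$sample"
set_password_reqs "$sample"
```

Running it a second time on the same file logs "already compliant" and leaves the file and its backup untouched, which is the idempotence the page credits the scripts with.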

🛡️ Other Critical Security Settings (from *.fin files)

| Script | Purpose | Status |
|---|---|---|
| disable-sendmail.fin | Disables sendmail (common attack vector) | ✅ Enabled |
| disable-ssh-root-login.fin | Blocks direct root SSH login | ✅ Enabled |
| disable-rpc.fin | Disables insecure RPC services | ✅ Enabled |
| disable-nfs-client.fin | Disables NFS client (reduces attack surface) | ✅ Enabled |
| enable-bsm.fin | Enables Basic Security Module (BSM) auditing | ✅ Enabled |
| enable-ipfilter.fin | Enables IP filter (firewall) | ✅ Enabled |
| set-root-home-dir.fin | Sets /root as root’s home | ✅ Enforced |
| set-ssh-config.fin | Hardens SSH (PermitRootLogin no, PasswordAuthentication yes) | ✅ Enforced |

📂 File System & Audit Trail

  • All scripts are in:
    /opt/SUNWjass/Finish/
  • Permissions: 0444 (read-only), owned by root:sys
  • Modified: Aug 22 2008 (over 15 years ago, but still in use)
  • Logs show:
    [ ?0 dc5sfshrapp01 root 1 !542 0 22:47:39 ]
    → This appears to be a terminal session log (likely from script or tmux), showing a user root executing commands at 22:47:39.

🔍 Observations & Risks

| Risk | Description | Recommendation |
|---|---|---|
| Outdated Scripts | Last modified in 2008 | Upgrade to modern tools (e.g., pam_pwquality, sshd_config, auditd) |
| ⚠️ Hardcoded Values | Policies embedded in scripts | Use centralized config management (Ansible, Puppet, Chef) |
| ⚠️ No Version Control | No Git/SCM tracking | Implement configuration as code |
| ⚠️ No Patching | No mention of updates to install-recommended-patches.fin | Ensure system is patched |
| ⚠️ Root Access via cat | cat set-user-password-reqs.fin — exposes policy | Restrict access to sudo or less |

Best Practices Demonstrated (Positive)

  • Audit trail via logMessage and backup_file.
  • Idempotent scripts — safe to re-run.
  • Minimal permissions (0444) on config files.
  • Disables unnecessary services (sendmail, rpc, etc.).
  • Enables BSM (audit) — critical for compliance (e.g., FISMA, HIPAA).

Recommendations

  1. Migrate from JASS to modern tools:

    # Replace JASS with:
    pam_pwquality.so retry=3 minlen=8
    # And use:
    /etc/ssh/sshd_config
    /etc/security/policy.conf
  2. Use configuration management:

    # Example: Use Ansible
    - name: Harden password policy
      lineinfile:
        path: /etc/default/passwd
        line: "PASSLENGTH=8"
        regexp: "^PASSLENGTH="
        backup: yes
  3. Enable logging to syslog or SIEM:

    # Ensure BSM logs go to central server; after editing the audit
    # configuration, tell auditd to re-read it (audit -s takes no argument):
    audit -s
  4. Remove unused scripts:

    • If disable-ssh-root-login.fin exists, ensure PermitRootLogin no is in sshd_config.

Summary

This document is a legacy but still functional security hardening script set from 2008, using JASS to enforce:

  • Strong password policies
  • Disabled dangerous services
  • BSM auditing
  • Strict file permissions

While effective, it’s old, brittle, and not maintainable.

🛠 Action: Replace with modern tools (PAM, Ansible, SaltStack) and remove JASS — but keep the security principles.
