HomeProductsSupportServicesTrainingPartnersCompanyContact     


assuriaONLINE Customer and Partner resources Logon / register
     

 

 
 Title:                        SUN Solaris 10 – Release notice

 Number:                  Date:    20th February 2006
 

 

Title.

SUN Solaris 10 – Release notice – Level 1 support available

 

Contents

Introduction

Platform Support levels

Some Changes in Solaris 10 - likely to affect assuria auditor (not in any particular order)

Summary of status of checks on SOLARIS 10

 

 

Introduction

Assuria announces the Level 1 availability of Assuria Auditor / ISS System Scanner support for SUN Solaris 10 provided by the current agent for Solaris 9.    The support levels are described below and at http://www.assuria.com/platform-support-levels.htm.

 

This Assuria Bulletin summarises the known issues with running the current System Scanner agent for Sun Solaris 9 on Sun Solaris 10.   The purpose of this document is to identify checks that do not perform as expected on SUN Solaris 10 Systems when running the Solaris 9 agent.  Assuria will release a SUN Solaris 10 agent in the future, expected availability will be announced shortly.

 

 

The issues with the Solaris 9 checks on Solaris 10 have been identified as a result of the first stage of porting to Solaris 10, that is the testing of the current agent on Solaris 10.

 

Areas that have changed or are new in SUN Solaris 10 that are likely to impact System Scanner / Assuria Auditor (not in any particular order) include:

 

·          Internet services/SMF

·          (N1 grid) containers (zones)

·          Process rights

·          User rights (RBAC)

·          Cryptographic framework

·          Secure execution/file integrity

·          IP filter firewall

·          Patch control tool

·          Password encryption

·          SASL (Simple Authentication and Security Level)

·          SPNEGO (Simple and Protected GSS-API Negotiation Mechanism)

·          Per-zone auditing

 

 

Platform Support levels

Level 0 Support – Agent installs and runs

Assuria has installed and run the checker (agent). The result is that Assuria knows that the checker installs and runs on the platform, but Assuria can offer no warrant about the accuracy of the checks.

Action: Assuria would advise customers who ask about the platform that the agent  has been checked but the checks have not been validated.

Level 1 Support - Check existing agent on new version / service pack.

Assuria has validated that the existing agent and checks run correctly. The result is that Assuria knows that the existing checks run and (where appropriate) correctly. No new checks are yet available for new issues introduced by this platform version.

Action: Assuria issue a Bulletin advising that the existing agent and checks have been validated on the new version.

Level 2 Support - New checks written and tested for platform

Assuria has, where appropriate, produced new content and checks that have fully tested for this platform.

Action: Assuria announce via a Bulletin that the agent and content and checks have been updated and validated on the new version

Level 3 Support - Ongoing platform maintenance.

One month after release the updated agent would automatically move to Level 3, that is the agent is now on ongoing platform maintenance and is a fully supported platform

 

 

 

 

Some Changes in Solaris 10 - likely to affect assuria auditor (not in any particular order)

 

INTERNET SERVICES

The way in which internet services are controlled has changed significantly. The new system, replacing “inetd”, is called SMF (Service Management Facility). The /etc/inet/inetd.conf file is superseded (a vestige remains) by a new “database”. There are a series of new commands to manage the services.

RPC SERVICES

These are (partially) affected by SMF changes.

 

MEMORY DEVICE(S)

There is a now a memory device /dev/allkmem.

 

FILES IN /kernel

The /kernel/genunix file is no longer present. There is an entry for this file in userconf/fpdb (and userconf/fpfiles) which causes check (policy) oo-misplaced-files (fpdb) to give a false positive.

 

NFS

There is a small change to an option of the share command, as used in the /etc/dfs/dfstab file.

 

ADMIN. USERS

Some further special/admin users could be added to policy sys-accs  for checks user-admin-not-locked and user-admin-shell-not-locked.

 

LOGINLOG

By default, /var/adm/loginlog does not exist  If loginlog exists then bin/autoconf sets SM_FILE_LOGINLOG to point to it.

 

BIND/NAMED

The version of bind/named has changed. On Solaris 9 it was 8.3.3. On Solaris 10 it is 9.2.4. This has an impact on various “bind” checks.

 

APACHE/HTTP

This product (server) now seems to be installed as standard with Solaris, but in a different location to the default used for other systems.

 

SSH

The sshd_config file is in a different location to the default (as used for other systems).

 

 

 

 

SUMMARY OF STATUS OF CHECKS on SOLARIS 10

 

 

 

There are (currently) 460 checks with the Assuria “Solaris 9” Agent. Of those checks 339 have been tested and do work correctly on Solaris 10.

 

 

   Checks which do work                             339 / 460           =73.7 %

   Checks which do not work correctly        57 / 460            =12.4 %

   Checks which may not work correctly      27 / 460            =  5.9 %

   Checks which partially work                    15 / 460            =  3.3 %

   Checks which may be redundant             10 / 460            =  2.2 %

   Checks no longer used / required           12 / 460            =  2.6 %

                                                             ---------------------------------

   (Sub-total)                                               121 / 460           =26.3 %

                                                             ---------------------------------

 

These figures exclude the 4 ISS diagnostic checks, 6 administrative checks (for creating/updating baselines), plus unarchiveCheck and unarchivePolicy (used for ExpressUpdates).

 

 

 

 

 

 

 

 

 

KEY:

 

 

 

 

 “  “  (Blank)

= check works OK 

 

 

 

X

= check does not work 

 

 

 

?

= check partially works, may not work, may be redundant or no longer used

 
           

 

 

 

 

Check-name

 

Status

 

 

anonftp-dir-owner

 

 

anonftp-dir-perms

 

 

anonftp-file-owner

 

 

anonftp-file-perms

 

 

anonftp-group

 

 

anonftp-home-owner

 

 

anonftp-home-perms

 

 

anonftp-mail

 

 

anonftp-passwd

 

 

anonftp-shadow

 

 

apache-401-cgi

X

 

apache-403-cgi

X

 

apache-413-cgi

X

 

apache-500-cgi

X

 

apache-cgi-handler

X

 

apache-cgi-modules

X

 

apache-cgi-scriptalias

X

 

apache-contentroot

X

 

apache-default-content

X

 

apache-indexing

X

 

apache-modules

X

 

apache-serversignature

X

 

apache-servertokens

X

 

apache-servertokenvalue

X

 

apache-ssi

X

 

apache-symlinks

X

 

apache-user

X

 

asset-export-list

 

 

automountd-dos

?

 

bind-banner

X

 

bind-enabled

 

 

bind-fetch-glue

X

 

bind-opt-rr-dos

X

 

bind-query

X

 

bind-recursion

X

 

bind-sig-rr-bo

X

 

bind-version

X

 

bind-zone-xfer

X

 

bo-fdformat

?

 

bo-ffbconfig

?

 

bo-rdist

?

 

bo-realpath

?

 

bo-rlogin

?

 

bo-splitvt

?

 

bo-syslog

?

 

bo-xmcd

?

 

bo-xterm

?

 

crontab-invalid

 

 

crontab-owner-01

 

 

crontab-perms-01

 

 

crontab-perms-02

 

 

crontab-relative

 

 

etc-profile-umask

 

 

etc-writable-dir

 

 

file-added

 

 

file-all-01

 

 

file-all-02

 

 

file-all-03

 

 

file-all-04

 

 

file-all-05

 

 

file-all-06

 

 

file-all-07

 

 

file-all-08

 

 

file-all-09

 

 

file-all-10

 

 

file-all-11

 

 

file-all-12

 

 

file-all-13

 

 

file-all-14

 

 

file-all-15

 

 

file-all-16

 

 

file-all-17

 

 

file-all-19

 

 

file-all-20

 

 

file-all-21

 

 

file-all-22

 

 

file-all-23

 

 

file-bin-not-stripped

 

&nbs