The configurator Toolkit

The configurator program is a tool I developed to help me during testing of the new edition of the Solaris Security: Step-by-Step guide which I maintain for The SANS Institute (the guide is now in its second edition as of January, 2001). The booklet describes a procedure for "hardening" the Solaris operating system to produce a "bastion host" type platform suitable for use as an Internet-connected server (Web server, mail server, firewall, etc.). Both SANS and I regularly get requests for an automated tool for performing the "recipe" from the Step-by-Step guide, so I figured it would help a few people if I made my tools available.

The tool was designed originally to be run as part of a custom Jumpstart environment (for more information on Solaris Jumpstart, see my personal Jumpstart page). However, the configurator script can also be run manually on a newly installed system. Note that it is probably dangerous to use this tool on systems which are already in production: you may end up taking your system down or rendering it unusable!

For more information about configurator, check out the README file. Instructions for installing and using the tool can be found here.

Center for Internet Security Solaris Benchmark

As of 5/14/01, the configurator tool now includes optional configuration files which can be used to perform the steps from the Center for Internet Security's Solaris Benchmark document. See the scripts/README.CIS-benchmark file for more information.

Other Hardening Tools

Several other automatic hardening tools exist for Solaris:

A tool from Sun for performing system hardening as part of a custom Jumpstart environment. Developed largely by Alex Noordergraaf and Glenn Brunette from Sun Professional Services.

Written by Brad Powell, Dan Farmer, and Matt Archibald, TITAN not only allows administrators to tighten down their system, but can also be used as an integrity-checking tool of sorts. TITAN looks to be branching out to support other operating systems in addition to Solaris.

YASSP was originally developed by Jean Chouanard (and Jean is still the primary maintainer). YASSP is unique in that it uses Sun's pkgadd mechanism as an engine for performing system customizations. This is handy in that it is possible to simply pkgrm the YASSP configuration to remove it from your system at some future date.

In addition, Bastille is a similar system for hardening Linux systems. Rumor has it that the Bastille folks are thinking about supporting other OS flavors, including Solaris.

Hal Pomeranz, 5/14/2001
