The configurator Toolkit
The configurator program is a tool I developed to help me during
testing of the new edition of the
Security: Step-by-Step guide
which I maintain for The SANS Institute
(the guide is now in its second edition
as of January, 2001). The booklet describes a procedure for "hardening"
the Solaris operating system to produce a "bastion host" type platform
suitable for use as an Internet-connected server (Web server, mail server,
SANS and I regularly get requests for an
automated tool for performing the "recipe" from the Step-by-Step
guide, so I figured it would help a few people if I made my tools
The tool was designed originally to be run as part of a custom Jumpstart
environment (for more information on Solaris Jumpstart, see my personal
However, the configurator script can also be run manually
on a newly installed system. Note that it is probably dangerous to use this
tool on systems which are already in production-- you may end up taking
your system down or rendering it unusable!
For more information about configurator, check out the
README file. Instructions for installing and
using the tool can be found here.
Center for Internet Security Solaris Benchmark
As of 5/14/01, the configurator tool now includes optional
configuration files which can be used to perform the steps from the
Center for Internet
Security's Solaris Benchmark document. See the
file for more information.
Other Hardening Tools
Several other automatic hardening tools exist for Solaris:
- A tool from Sun for performing system hardening as part of a custom
Jumpstart environment. Developed largely by Alex Noordergraaf and
Glenn Brunette from Sun Professional Services.
- Written by Brad Powell, Dan Farmer, and Matt Archibald, TITAN not only
allows administrators to tighten down their system, but can also be used
as an integrity-checking tool of sorts. TITAN looks to be branching out
to support other operating systems in addition to Solaris.
- YASSP was originally developed by Jean Chouanard (and Jean is still
the primary maintainer). YASSP is unique in
that it uses Sun's pkgadd mechanism as an engine for performing
system customizations. This is handy in that it is possible to simply
pkgrm the YASSP configuration to remove it from your system at
some future date.
In addition, Bastille
is a similar system for hardening Linux systems. Rumor has it that the
Bastille folks are thinking about supporting other OS flavors, including
Hal Pomeranz, 5/14/2001