Patch-ID# 122608-03

NOTE:
***********************************************************************
READ THE TERMS OF THE AGREEMENT ("AGREEMENT") IN THE LEGAL_LICENSE.TXT
FILE CAREFULLY BEFORE USING THIS SOFTWARE. BY USING THE SOFTWARE, YOU
AGREE TO THE TERMS OF THIS AGREEMENT. IF YOU DO NOT AGREE TO ALL OF THE
TERMS, PROMPTLY DESTROY THE UNUSED SOFTWARE.
***********************************************************************

Keywords: solaris
Synopsis: Solaris Security Toolkit 4.2
Date: Dec/28/2006

Install Requirements: NA

Solaris Release: 8 8_x86 9 9_x86 10 10_x86

SunOS Release: 5.8 5.8_x86 5.9 5.9_x86 5.10 5.10_x86

Unbundled Product: Solaris Security Toolkit

Unbundled Release: 4.2

Xref:

Topic: patch Solaris Security Toolkit 4.2

Relevant Architectures: sparc i386

BugId's fixed with this patch:
6306397 6307744 6310948 6314984 6315251 6325774 6341501 6347065
6347513 6350467 6351824 6364993 6390548 6390918 6394832 6428961
6436186 6439352 6442889 6450969 6453754 6453781 6458293 6458743
6458745 6458757 6461299 6461408 6461726 6465325 6465610 6465667
6466210 6466330 6466594 6466795 6466839 6467444 6467445 6467772
6468393 6468718 6468995 6469369 6470741 6471571 6475231 6475337
6478298 6479414 6480257 6482955 6483995 6485080 6488457 6493539
6494690

Changes incorporated in this version:
6351824 6439352 6450969 6453781 6458293 6458743 6458757 6461299
6461408 6461726 6465325 6465610 6465667 6466210 6466330 6466594
6466795 6466839 6467444 6467445 6467772 6468393 6468718 6468995
6469369 6470741 6471571 6475231 6478298 6479414 6480257 6482955
6483995 6485080 6488457 6493539 6494690

Patches accumulated and obsoleted by this patch:

Patches which conflict with this patch:

Patches required with this patch:

Obsoleted by:

Files included with this patch:

/opt/SUNWjass/Audit/disable-dmi.aud
/opt/SUNWjass/Audit/disable-dtlogin.aud
/opt/SUNWjass/Audit/disable-keyserv-uid-nobody.aud
/opt/SUNWjass/Audit/disable-nfs-client.aud
/opt/SUNWjass/Audit/disable-rpc.aud
/opt/SUNWjass/Audit/disable-sendmail.aud
/opt/SUNWjass/Audit/disable-sma.aud
/opt/SUNWjass/Audit/disable-smcwebserver.aud
/opt/SUNWjass/Audit/disable-snmp.aud
/opt/SUNWjass/Audit/disable-syslogd-listen.aud
/opt/SUNWjass/Audit/disable-system-accounts.aud
/opt/SUNWjass/Audit/disable-uucp.aud
/opt/SUNWjass/Audit/disable-vold.aud
/opt/SUNWjass/Audit/disable-wbem.aud
/opt/SUNWjass/Audit/disable-xserver-listen.aud
/opt/SUNWjass/Audit/enable-coreadm.aud
/opt/SUNWjass/Audit/enable-ftp-syslog.aud
/opt/SUNWjass/Audit/enable-ftpaccess.aud
/opt/SUNWjass/Audit/enable-inetd-syslog.aud
/opt/SUNWjass/Audit/enable-ipfilter.aud
/opt/SUNWjass/Audit/enable-ldmd.aud
/opt/SUNWjass/Audit/enable-ssh-root-login.aud
/opt/SUNWjass/Audit/install-ftpusers.aud
/opt/SUNWjass/Audit/install-jass.aud
/opt/SUNWjass/Audit/install-ldm.aud
/opt/SUNWjass/Audit/print-jumpstart-environment.aud
/opt/SUNWjass/Audit/set-banner-ftpd.aud
/opt/SUNWjass/Audit/set-banner-sshd.aud
/opt/SUNWjass/Audit/set-banner-telnetd.aud
/opt/SUNWjass/Audit/set-calendar-localonly.aud
/opt/SUNWjass/Audit/set-calendar-open.aud
/opt/SUNWjass/Audit/set-dtlogin-localonly.aud
/opt/SUNWjass/Audit/set-dtlogin-open.aud
/opt/SUNWjass/Audit/set-flexible-crypt.aud
/opt/SUNWjass/Audit/set-ftpd-umask.aud
/opt/SUNWjass/Audit/set-lp-localonly.aud
/opt/SUNWjass/Audit/set-lp-open.aud
/opt/SUNWjass/Audit/set-rpc-localonly.aud
/opt/SUNWjass/Audit/set-rpc-open.aud
/opt/SUNWjass/Audit/set-smcwebserver-localonly.aud
/opt/SUNWjass/Audit/set-smcwebserver-open.aud
/opt/SUNWjass/Audit/set-sys-suspend-restrictions.aud
/opt/SUNWjass/Audit/set-ttdb-localonly.aud
/opt/SUNWjass/Audit/set-ttdb-open.aud
/opt/SUNWjass/Audit/set-wbem-localonly.aud
/opt/SUNWjass/Audit/set-wbem-open.aud
/opt/SUNWjass/Audit/update-at-deny.aud
/opt/SUNWjass/Documentation/INSTALL
/opt/SUNWjass/Drivers/audit_private.funcs
/opt/SUNWjass/Drivers/audit_public.funcs
/opt/SUNWjass/Drivers/clean.run
/opt/SUNWjass/Drivers/common_log.funcs
/opt/SUNWjass/Drivers/driver.run
/opt/SUNWjass/Drivers/driver_private.funcs
/opt/SUNWjass/Drivers/driver_public.funcs
/opt/SUNWjass/Drivers/finish.init
/opt/SUNWjass/Drivers/hardening.driver
/opt/SUNWjass/Drivers/ldm_control-config.driver
/opt/SUNWjass/Drivers/ldm_control-hardening.driver
/opt/SUNWjass/Drivers/ldm_control-secure.driver
/opt/SUNWjass/Drivers/server-secure.driver
/opt/SUNWjass/Drivers/suncluster3x-secure.driver
/opt/SUNWjass/Drivers/undo.run
/opt/SUNWjass/Files/etc/hosts.allow-ldm_control
/opt/SUNWjass/Files/etc/ipf/ipf.conf
/opt/SUNWjass/Files/etc/ipf/ipf.conf-15k_sc
/opt/SUNWjass/Files/etc/ipf/ipf.conf-ldm_control
/opt/SUNWjass/Files/etc/ipf/ipf.conf-server
/opt/SUNWjass/Files/etc/security/audit_class+5.10
/opt/SUNWjass/Files/etc/security/audit_control
/opt/SUNWjass/Files/etc/security/audit_event+5.10
/opt/SUNWjass/Files/etc/ssh/sshd_config-ldm_control
/opt/SUNWjass/Finish/disable-autoinst.fin
/opt/SUNWjass/Finish/disable-dmi.fin
/opt/SUNWjass/Finish/disable-dtlogin.fin
/opt/SUNWjass/Finish/disable-keyboard-abort.fin
/opt/SUNWjass/Finish/disable-lp.fin
/opt/SUNWjass/Finish/disable-nfs-client.fin
/opt/SUNWjass/Finish/disable-remote-root-login.fin
/opt/SUNWjass/Finish/disable-rpc.fin
/opt/SUNWjass/Finish/disable-sendmail.fin
/opt/SUNWjass/Finish/disable-sma.fin
/opt/SUNWjass/Finish/disable-smcwebserver.fin
/opt/SUNWjass/Finish/disable-snmp.fin
/opt/SUNWjass/Finish/disable-ssh-root-login.fin
/opt/SUNWjass/Finish/disable-syslogd-listen.fin
/opt/SUNWjass/Finish/disable-system-accounts.fin
/opt/SUNWjass/Finish/disable-uucp.fin
/opt/SUNWjass/Finish/disable-vold.fin
/opt/SUNWjass/Finish/disable-wbem.fin
/opt/SUNWjass/Finish/disable-xserver-listen.fin
/opt/SUNWjass/Finish/enable-coreadm.fin
/opt/SUNWjass/Finish/enable-ipfilter.fin
/opt/SUNWjass/Finish/enable-ldmd.fin
/opt/SUNWjass/Finish/enable-process-accounting.fin
/opt/SUNWjass/Finish/enable-ssh-root-login.fin
/opt/SUNWjass/Finish/enable-stack-protection.fin
/opt/SUNWjass/Finish/install-jass.fin
/opt/SUNWjass/Finish/install-ldm.fin
/opt/SUNWjass/Finish/install-security-mode.fin
/opt/SUNWjass/Finish/print-jumpstart-environment.fin
/opt/SUNWjass/Finish/print-rhosts.fin
/opt/SUNWjass/Finish/set-banner-ftpd.fin
/opt/SUNWjass/Finish/set-banner-sendmail.fin
/opt/SUNWjass/Finish/set-banner-sshd.fin
/opt/SUNWjass/Finish/set-banner-telnetd.fin
/opt/SUNWjass/Finish/set-calendar-localonly.fin
/opt/SUNWjass/Finish/set-calendar-open.fin
/opt/SUNWjass/Finish/set-dtlogin-localonly.fin
/opt/SUNWjass/Finish/set-dtlogin-open.fin
/opt/SUNWjass/Finish/set-flexible-crypt.fin
/opt/SUNWjass/Finish/set-ftpd-umask.fin
/opt/SUNWjass/Finish/set-lp-localonly.fin
/opt/SUNWjass/Finish/set-lp-open.fin
/opt/SUNWjass/Finish/set-power-restrictions.fin
/opt/SUNWjass/Finish/set-root-password.fin
/opt/SUNWjass/Finish/set-rpc-localonly.fin
/opt/SUNWjass/Finish/set-rpc-open.fin
/opt/SUNWjass/Finish/set-smcwebserver-localonly.fin
/opt/SUNWjass/Finish/set-smcwebserver-open.fin
/opt/SUNWjass/Finish/set-sys-suspend-restrictions.fin
/opt/SUNWjass/Finish/set-ttdb-localonly.fin
/opt/SUNWjass/Finish/set-ttdb-open.fin
/opt/SUNWjass/Finish/set-user-password-reqs.fin
/opt/SUNWjass/Finish/set-user-umask.fin
/opt/SUNWjass/Finish/set-wbem-localonly.fin
/opt/SUNWjass/Finish/set-wbem-open.fin
/opt/SUNWjass/Finish/update-at-deny.fin
/opt/SUNWjass/Finish/update-cron-log-size.fin
/opt/SUNWjass/Finish/update-inetd-conf.fin
/opt/SUNWjass/Sysidcfg/Solaris_10/sysidcfg
/opt/SUNWjass/Sysidcfg/Solaris_9/sysidcfg
/opt/SUNWjass/bin/jass-execute
/opt/SUNWjass/lib/locale/C/LC_MESSAGES/jass.po

Problem Description:

6351824 Kerberos services incorrectly enabled from undoing a SST Jumpstart install
6439352 SST changes for SBD features: sma, snmp, wbem
6450969 expose get_service_property_value
6453781 grub uses a 32 bit kernel for solaris 10u1+ installs and confuses SST
6458293 disable-syslogd-listen.fin,.aud needs to check/set new SBD property config/log_from_remote
6458743 S9u9: disable-system-accounts: illegal password length
6458745 disable-vold.fin shouldn't run in global zone; new FMRI
6458757 New set-smcwebserver.fin,.aud scripts needed
6461299 bug in is_service_installed, fails to match services
6461408 don't expose SWAN network info in example files
6461726 jass exit when user passwd expiration is null
6465325 jass-manifest got created everytime jass is run on a hardened system
6465610 services become uninitialize after running server-secure.driver
6465667 set_property can print random messages to terminal
6466210 check_serviceEnabled is reporting strange states for services
6466330 disable-syslogd-listen audit fails
6466594 set_property_value needs types for properties if they are not already created
6466795 undo prompts about /etc/shadow changing
6466839 Failure on Audit after reboot
6467444 set-dtlogin-localonly uses check_service improperly
6467445 Solaris 10 sysidcfg file should use service_profile keyword
6467772 SST needs set-XXX-open scripts
6468393 open ports in zone for secure.driver
6468718 dmi service conversion leads to audit failures
6468995 multiple run of the same driver results in jass-manifest changed
6469369 secure.driver, nmap scan shows port 6112 open
6470741 A few more services need disabling in s10u3b5a
6471571 Add new ldm_control.driver to support LDoms management domain
6475231 SST needs to correct file permissions in create and Files/ directory
6475337 enable-coreadm script has a silly setting for coreadm
6478298 minor changes for ldm_control-secure.driver
6479414 able-ldmd.fin,.aud should also enable the LDom virtual console service vntsd
6480257 jass does not correctly identify e1000g interfaces
6482955 enable-coreadm should make one expansion pass on JASS_CORE_PATTERN
6483995 install-ldm needs to handle new SUNWldm.v name
6488457 SST produces incomprehensible pass/fail audit messages from checkserviceoption
6485080 disable-system-accounts.fin also needs to disable crontab
6493539 copy_files doesnt always handle symlinks correctly
6494690 enable-coreadm.fin rewrites its config file every usage

(From 122608-02)

6306397 enable-process-accounting.fin appears to hang if $VISUAL env variable is set
6310948 JASS: copy_files does not maintain permissions or ownership
6314984 set-ftpd-umask.aud script has incorrect service and servfil settings
6315251 copy_files and symlinks behave unexpectedly with FILE_COPY_KEYWORD
6325774 jass-execute -r must behave more like JASS_STANDALONE=0
6341501 root account should not be added to at.deny file by update-at-deny.fin
6347065 Failure of pkgrm of SUNWjass during undo is not flagged as an error.
6347513 Files saved by backup_file_in_safe_directory() in JumpStart mode cause jass-check-sum to fail
6350467 SST reports audit failures on properties of uninstalled services
6390548 After applying secure.driver & NIS is enabled, root can't login or change password after reboot
6390918 JASS 4.2 & Sun Cluster 3.1: mdcomm service should not be disabled with Multi-owner diskset (oban)
6428961 disable-uucp.fin should not remove /etc/rc2.d/S70uucp
6436186 could not install SST patch during the JumpStart installation
6442889 Handle service conversions in S10U2: vold
6453754 Allow ssh traffic through ipfilter for secure.driver

(From 122608-01)

6307744 Sample ipf.conf* files block all udp traffic (ydp typo)
6364993 enable-ipfilter installs config file in the wrong path
6394832 ipfilter fails to start due to "ipf.conf syntax error error at ""

Patch Installation Instructions:
--------------------------------

For Solaris 2.0-2.6 releases, refer to the Install.info file and/or
the README within the patch for instructions on using the generic
'installpatch' and 'backoutpatch' scripts provided with each patch.

For Solaris 7-10 releases, refer to the man pages for instructions
on using 'patchadd' and 'patchrm' scripts provided with Solaris.
Any other special or non-generic installation instructions should be
described below as special instructions.
The following example installs a patch to a standalone machine:

        example# patchadd /var/spool/patch/122608-02

The following example removes a patch from a standalone system:

        example# patchrm 122608-02

For additional examples please see the appropriate man pages.

Special Install Instructions:

The fix for "6436186 could not install SST patch during the JumpStart
installation" changes the way that patches are installed by the
install-recommended-patches.fin script. In order to install patches
to SST4.2, itself, through the JumpStart mechanism, perform the following:

1) Create a directory named SST in the ${JASS_PATCH_DIR} directory.

        # mkdir ${JASS_PATCH_DIR}/SST

2) Copy this patch there.

        # cp -r 122608-02 ${JASS_PATCH_DIR}/SST

The install-recommended-patches.fin script will check the
${JASS_PATCH_DIR}/SST directory and install all patches present.
This script will continue to install any appropriate Recommended
Patch cluster or Security Patch cluster that it finds in the
${JASS_PATCH_DIR} directory.

README -- Last modified date: Thursday, December 28, 2006