Thursday, 8 November 2007

New Solaris Security Toolkit patch available

Sun has not released an updated package for the Solaris Security Toolkit (aka JASS) for quite a while now, and it remains at version 4.2 on the official web site. Instead they have been releasing patches, the latest of which (122608-06) is now available for download from Sunsolve.

The timing of the patch releases usually coincides with each Solaris 10 update release. It is worthwhile keeping up to date with these patches, as they cater for changes made to the OS with each update, such as new and/or removed SMF services, Secure By Default, etc.

Wednesday, 7 November 2007

An alternate SMF manifest for Splunk

I recently deployed an enterprise licensed version of Splunk. When an enterprise license is installed, Splunk requires users to log in before they can start splunking. This protects the Splunk administration pages from anonymous users and removes the need to put Splunk behind an Apache reverse proxy for protection.

In order to still be able to access Splunk via HTTP (TCP/IP port 80) or HTTPS (TCP/IP port 443) the SMF manifest I originally wrote needed to be modified to allow the splunk user to open TCP/IP ports less than 1024. This was achieved by adding the “net_privaddr” privilege to the method context in the manifest. The manifest also had to be changed so that Splunk no longer bound sockets to the loop-back address only and was directly accessible.

Once you have loaded this manifest and started Splunk you must initially connect to your splunk server via the web interface and configure it to listen on TCP/IP port 80 or enable SSL and have it listen on TCP/IP port 443. Then restart the service with “svcadm restart splunk”.

Download the complete Splunk SMF manifest. Note that it can be used with both the free and enterprise versions of Splunk.
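As an added illustration of the method context change described above (this is not the downloadable manifest from this post), here is a minimal SMF manifest that runs Splunk as an unprivileged user while granting only the extra privilege needed to bind ports below 1024. The install path /opt/splunk, the splunk user and group, and the service name application/splunk are assumptions.

```xml
<?xml version="1.0"?>
<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
<!-- Assumed FMRI: svc:/application/splunk:default -->
<service_bundle type="manifest" name="splunk">
  <service name="application/splunk" type="service" version="1">
    <create_default_instance enabled="false" />
    <single_instance />
    <!-- Wait for local filesystems and the network before starting. -->
    <dependency name="filesystem" grouping="require_all" restart_on="none" type="service">
      <service_fmri value="svc:/system/filesystem/local:default" />
    </dependency>
    <dependency name="network" grouping="require_all" restart_on="none" type="service">
      <service_fmri value="svc:/milestone/network:default" />
    </dependency>
    <!-- Start as the unprivileged splunk user. "basic" is the normal
         user privilege set; net_privaddr is the single addition that
         lets splunkd/splunkweb listen on TCP ports 80 and 443. -->
    <exec_method type="method" name="start"
                 exec="/opt/splunk/bin/splunk start --accept-license"
                 timeout_seconds="120">
      <method_context>
        <method_credential user="splunk" group="splunk"
                           privileges="basic,net_privaddr" />
      </method_context>
    </exec_method>
    <!-- A graceful stop needs no extra privilege. -->
    <exec_method type="method" name="stop"
                 exec="/opt/splunk/bin/splunk stop"
                 timeout_seconds="60">
      <method_context>
        <method_credential user="splunk" group="splunk" />
      </method_context>
    </exec_method>
    <!-- Splunk forks daemons; track them via the process contract. -->
    <property_group name="startd" type="framework">
      <propval name="duration" type="astring" value="contract" />
    </property_group>
    <stability value="Unstable" />
    <template>
      <common_name><loctext xml:lang="C">Splunk log indexer</loctext></common_name>
    </template>
  </service>
</service_bundle>
```

After "svccfg import" and "svcadm enable splunk", running "ppriv $(pgrep splunkd)" should show net_privaddr in the effective set and nothing beyond the basic set otherwise. Splunk itself must still be configured through its web interface to listen on port 80 or 443, as described above.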