Solaris 9 Security CX-310-301
Note that not all SST actions can be undone, only those that are called by a script. Bear this in mind
when trying to undo an SST run, because you might get some unexpected results, with some security
implementations left in place.
Verifying SST
Earlier releases of SST called this an audit run, but it is now known as a verify run. This option does not
make any changes; it runs checks against the items that would be changed so it can identify what
needs to be done. Each check the run makes is marked either “PASS” or “FAIL”; a “PASS” indicates that
the security feature is already implemented. The two sets of output below show partial results for the same
checks, the first before SST was run and the second after it was run and the system rebooted:
Before:
# Checking the nscd time-to-live parameters.
[FAIL] positive-time-to-live for 'passwd' is not '0'.
[FAIL] negative-time-to-live for 'passwd' is not '0'.
[FAIL] positive-time-to-live for 'group' is not '0'.
[FAIL] negative-time-to-live for 'group' is not '0'.
[FAIL] positive-time-to-live for 'hosts' is not '0'.
[FAIL] negative-time-to-live for 'hosts' is not '0'.
[FAIL] positive-time-to-live for 'ipnodes' is not '0'.
[FAIL] negative-time-to-live for 'ipnodes' is not '0'.
After:
# Checking the nscd time-to-live parameters.
[PASS] positive-time-to-live for 'passwd' is '0'.
[PASS] negative-time-to-live for 'passwd' is '0'.
[PASS] positive-time-to-live for 'group' is '0'.
[PASS] negative-time-to-live for 'group' is '0'.
[PASS] positive-time-to-live for 'hosts' is '0'.
[PASS] negative-time-to-live for 'hosts' is '0'.
[PASS] positive-time-to-live for 'ipnodes' is '0'.
[PASS] negative-time-to-live for 'ipnodes' is '0'.
At the end of the verify run, the total number of failures is indicated. After the SST run, nearly all of these
will relate to packages being installed. You can remove these packages using the pkgrm command if they
are not going to be used.
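The script below is an added example, not part of the original guide or of SST itself. It reads two saved verify-run logs in the [PASS]/[FAIL] format shown above and reports the failure counts, the checks the run fixed, and the checks still failing. The function names and log file names are hypothetical, and the sample logs are constructed from the excerpt, with the 'ipnodes' lines left failing in the second log to show a residual failure.

```shell
#!/bin/sh
# Added example: summarise SST verify-run logs in the [PASS]/[FAIL] format shown above.

# count_status STATUS FILE -> number of lines that start with [STATUS]
count_status() {
    awk -v tag="[$1]" 'index($0, tag) == 1 { n++ } END { print n + 0 }' "$2"
}

# failing_checks FILE -> "section<TAB>message" for every [FAIL] line,
# where section is the most recent "# ..." header line.
failing_checks() {
    awk '/^# /        { section = substr($0, 3); next }
         /^\[FAIL\] / { printf "%s\t%s\n", section, substr($0, 8) }' "$1"
}

# remediated BEFORE AFTER -> checks that were FAIL before and are PASS after.
# Assumption: a check is identified by the text between the tag and " is ".
remediated() {
    awk 'function key(line) { sub(/^\[[A-Z]+\] /, "", line); sub(/ is .*$/, "", line); return line }
         FNR == NR { if (/^\[FAIL\] /) failed[key($0)] = 1; next }
         /^\[PASS\] / { k = key($0); if (k in failed) print k }' "$1" "$2"
}

# write_samples DIR -> constructed sample logs. before.log follows the excerpt;
# after.log keeps ipnodes failing (constructed) to show a residual failure.
write_samples() {
    cat > "$1/before.log" <<'EOF'
# Checking the nscd time-to-live parameters.
[FAIL] positive-time-to-live for 'passwd' is not '0'.
[FAIL] negative-time-to-live for 'passwd' is not '0'.
[FAIL] positive-time-to-live for 'ipnodes' is not '0'.
[FAIL] negative-time-to-live for 'ipnodes' is not '0'.
EOF
    cat > "$1/after.log" <<'EOF'
# Checking the nscd time-to-live parameters.
[PASS] positive-time-to-live for 'passwd' is '0'.
[PASS] negative-time-to-live for 'passwd' is '0'.
[FAIL] positive-time-to-live for 'ipnodes' is not '0'.
[FAIL] negative-time-to-live for 'ipnodes' is not '0'.
EOF
}

dir=$(mktemp -d)
write_samples "$dir"
echo "failures before: $(count_status FAIL "$dir/before.log"), after: $(count_status FAIL "$dir/after.log")"
echo "fixed by the run:"; remediated "$dir/before.log" "$dir/after.log"
echo "still failing:";    failing_checks "$dir/after.log"
rm -rf "$dir"
```

Keeping the pre-run log alongside the post-run log makes it easy to see which failures remain after hardening and need manual follow-up.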