Solaris CQA

Requirements :

  1. check if OS hardening and our standards are still intact
  2. extra checks of other services
  3. check if deployer's tasks are already done
  4. handle exceptions
  5. do log all that you do separatelly and keep <= 30 days
  6. all your findings should be traceable in SYSLOG
  7. daily tickets should be raised based on the SYSLOG entries

check if OS hardening and our standards are still intact


OS hardening is done with SST (Solaris Security Toolkit, old name JASS) and should be checked with it as well.
  • this is accomplished through Audit scripts, located in the Audit directory under /opt/SUNjass/ 
  • some of our standards are also inforced via SST  and included in the build

extra checks of other services

Many needed services are checked through the SST but some should be extra checked in the jb_cqa (netbackup for example, or if the NFS, ftp or telnet SMF services are disabled).

check if deployer's tasks are already done

Some tasks should be done by deployer of the server and are therefore checked as well, for example:

  • set OR repsonsible
  • set server status to operational
  • set backup policy
  • set ERPM passwd
  • ..

handle exceptions

Exceptions are handled via the local file:

  /jb/jb_cqa/cqa_excludes_list on each server


This file is delivered by the BJBcqa package to make sure that some tests are skiped on some of the servers (for example NFS solhome server should not be checked for disabled NFS SMF service).

do log all that you do separatelly and keep <= 30 days

  • SST (JASS) logs are kept in /var/tmp/jass_audit_logs/ with the names as follows :

  sb1.2-secure_qg_sol10.driver.audit.log_20160531160909


  • jb_cqa logs are kept in /var/log/ with the names as follows :

  cqa.log.20160531160909


  • jb_cqa script does a logs cleanup on it's own, removing all the logs older then 30 days

all your findings should be traceable in SYSLOG

root@shp00385so# jb_cqa -h


  Usage: /usr/bin/jb_cqa [options]


           -n, --notify_tivoli                 default is without tivoli

            -j, --jass_should_run         default is without jass

           -d, --dry_run                        only IGNORE entries in the messages log, no tickets

           -h, --help


root@shp00385so#


daily tickets should be raised based on the SYSLOG entries

For this task, cron entries are created during the installation of the BJBcqa pkg:


root@shp00385so# crontab -l | grep BJBcqa

30 7 * * * [ -x /jb/jb_cqa/jb_cqa ] && /jb/jb_cqa/jb_cqa --jass_should_run --notify_tivoli >/dev/null 2>&1 #BJBcqa

root@shp00385so#


Also, if the package is removed, cron entries are removed as well.

Create a presentation like this one
Share it on social medias
Share it on your own
Share it on social medias
Share it on your own

How to export your presentation

Please use Google Chrome to obtain the best export results.


How to export your presentation

CQA Solaris

by mladenplavsic

7 views

Public - 5/31/16, 6:51 PM