« A Radio ad for Sun's... | Main | How did Solaris 10... »

Monday Jul 30, 2007

Using the Solaris Security toolkit to implement DISA security guidelines

You might remember my earlier blog entry about DoD security guidelines for Solaris.  As a result of Sun Federal's recent contract award from DISA for Capacity Computing services, I've been working to implement the DISA Security Technical Implementation Guidelines (STIGs) using the Solaris Security Toolkit (Wow, what a mouthful).

I started with some customization work that was done by the DISA GCCS program office.  I modified and updated it to meet most of the current STIG requirements.  I've heard many horror stories about how long it takes to secure a system properly and obtain "Authority To Connect" to a DoD network.

 I'm happy to say that the profile I've built runs in about 2 minutes on my Acer Ferrari 3400 laptop.

 First, some background!

What is the Solaris Security Toolkit?

The SST is a toolkit produced and supported by Sun to simplify and automate the process of securing a Solaris system.  The current version 4.2 support Solaris 8, 9 and 10.  It includes audit and undo modes in addition to the hardening mode.  If you plan to use it, make sure that you also apply the latest patch 122608 from sunsolve.sun.com.  It is very customizable for your site requirements.  I have been trying to get the DISA Field Security Office to adopt and customize the SST for over two years but have not yet succeeded.

What are the STIGs?

These are security guidelines provided by the DISA Field Security Office to DoD users for securing Solaris and other Unix/Linux platforms.  Most of the recommendations make sense but there are a few silly ones.  There is a detailed book as well as a checklist and somewhat automated set of Security Readiness Review (SRR) scripts to check the work that you've done.  The scripts are NOT perfect and sometime provide false findings.  More on that later.

What were your results?

I downloaded and ran the latest DISA SRR scripts from March 2007 before applying the SST and afterward. I also ran the little script below to finish up the final few operations. During the "Manual Review" portion, I answered "Not a finding" for all the questions.  This means that the differences listed here are those detected by the automated portion of the SRR. 

Before
Finding Counts:
CAT I = 5/123, CAT II = 53/340, CAT III = 11/57, CAT IV = 1/5

After:
Finding Counts:
CAT I = 4/123, CAT II = 13/340, CAT III = 4/57, CAT IV = 0/5

Some of the remaining findings are false positives or out of the scope of the toolkit.  Some examples include:

 FindingCategory (1 is highest)
Explanation
 Recommended patches not installed
2
They are but the script doesn't appear to  detect them properly
Core Dumps not disabled
 3
 They are but the script doesn't detect properly
inetd disabled
 2
 It's enabled but the script looks in inetd.conf which is no longer used in Solaris 10
Various Sendmail configuration file issues
 1 and 2
 Sendmail is disabled with svcadm
IP forwarding should be disabled
 2
 Script looks for /etc/notrouter which is no longer used.  Solaris 10 uses routeadm.

 Great, I want it now, what do I do?

  1. Install Solaris
  2. Install the latest recommended patches for Solaris (SunSolve access required)
  3. Download and install the Solaris Security toolkit
  4. Download and install the SST patch 122608. (SunSolve access required)
  5. Download this tarball containing the customized files and User Guide (please read the User Guide)
  6. cd /opt/SUNWjass
  7. tar xvf <path to tar file>
  8. Execute: time /opt/SUNWjass/bin/jass-execute -d /opt/SUNWjass/Drivers/GCCS.secure.driver -o <output file>
  9. Reboot your system
  10. Run the SRR scripts

Caveats

  • I have NOT tested this in a production DoD site or run it with a DISA security officer observing.  I have only tested it on my laptop using Solaris 10 11/06.
  • Use this profile at your own risk.  I am providing it for your convenience and provide no warranty.
  • The SST profile cannot automate everything or install anti-virus software as required.
  • I have an additional script that does some final items. (see below)

Benefits of the Solaris Security toolkit

  • Because it is automated, it can produce repeatable, predictable results
  • Because is supports Solaris 8, 9 and 10, (on both Sparc and X64/86 platforms) it can be used throughout your enterprise
  • Because it is provided, supported and updated by Sun, it can be depended upon to "do the right thing" as Solaris is updated.
  • It can be used in the global or non-global zones of Solaris 10.
  • It is easily customized for your particular site requirements.
  • It has an "undo" feature
  • Speed and accuracy.  The toolkit can complete in a few minutes what would normally take hours of error prone text editing.
  • Simple.  A single command does all the work.

Feedback

I'm interested in your feedback on how it worked for you, where my errors are and what additional capabilities you have given it.  Add a comment below. 

A quick script to do a little more.

Because of a lack of knowledge of the tool and lack of time, this script completes the last few operations

# This script attempts to complete the processes not done by the JASS toolkit
# items here are those documented in the User's guide
# They are here because I have not yet implemented them as part
# of th STIG toolkit
# 12/21/06 jlaurent

# tighten permissions on the Man pages
echo "Current man page permissions"
ls -ld /usr/share/man
ls -ld /usr/share/info
ls -ld /usr/share/infopa
ls -ld /usr/sfw/share/man
echo "Setting man page perms to 644"

find /usr/share/man -type f -exec chmod 644 `{}` \;
find /usr/share/info -type f -exec chmod 644 `{}` \;
find /usr/share/infopa -type f -exec chmod 644 `{}` \;
find /usr/sfw/share/man -type f -exec chmod 644 `{}` \;
echo "New man page permissions"
ls -ld /usr/share/man
ls -ld /usr/share/info
ls -ld /usr/share/infopa
ls -ld /usr/sfw/share/man

#same for various other files and directories
echo "Current /var/audit permissions "
ls -ld /var/audit
echo "Setting /var/audit perms to 700"
chmod 700 /var/audit
echo "New /var/audit permissions "
ls -ld /var/audit

#same for various other files and directories
echo "Current /etc/ftpd/ftpusers permissions"
ls -ld /etc/ftpd/ftpusers
echo "Setting /etc/ftpd/ftpusers perms to 640"
chmod 640 /etc/ftpd/ftpusers
echo "New /etc/ftpd/ftpusers "
ls -ld /etc/ftpd/ftpusers

echo "Current permissions for at.deny, at.allow, cron.deny, cron.allow"
ls -l /etc/cron.d/at.deny /etc/cron.d/at.allow /etc/cron.d/cron.deny /etc/cron.d/cron.allow
echo "Set permissions at.deny, at.allow, cron.deny, cron.allow for to 600"
chmod 600 /etc/cron.d/at.deny /etc/cron.d/at.allow /etc/cron.d/cron.deny /etc/cron.d/cron.allow
echo "New permissions for at.deny, at.allow, cron.deny, cron.allow"
ls -l /etc/cron.d/at.deny /etc/cron.d/at.allow /etc/cron.d/cron.deny /etc/cron.d/cron.allow

echo "Current traceroute permissions "
ls -l /usr/sbin/traceroute
echo "Setting traceroute perms to 4700"
chmod 4700 /usr/sbin/traceroute
echo "New traceroute permissions "
ls -l /usr/sbin/traceroute

echo "Current /etc/inet/inetd.conf permissions "
ls -l /etc/inet/inetd.conf
echo "Setting /etc/inet/inetd.conf perms to 440"
chmod 440 /etc/inet/inetd.conf
echo "New /etc/inet/inetd.conf permissions "
ls -l /etc/inet/inetd.conf

echo "Current /etc/syslog.conf permissions "
ls -l /etc/syslog.conf
echo "Setting /etc/syslog.conf perms to 640"
chmod 640 /etc/syslog.conf
echo "New /etc/syslog.conf permissions "
ls -l /etc/syslog.conf

echo "Current /var/crash permissions "
ls -ld /var/crash
echo "Setting /var/crash perms to 700"
chmod 700 /var/crash
echo "New /var/crash permissions "
ls -ld /var/crash

# changing root umask to 077 in /root/.profile and /root/.cshrc
echo "Changing root umask to 077 in /root/.profile and /root/.cshrc"
cat /root/.profile |sed "s/umask .../umask 077/g" > /root/.profile.tmp
mv /root/.profile.tmp /root/.profile
cat /root/.cshrc |sed "s/umask .../umask 077/g" > /root/.cshrc.tmp
mv  /root/.cshrc.tmp /root/.cshrc

echo "Please review the umask for .profile"
grep umask /root/.profile
echo "Please review the umask for .cshrc"
grep umask /root/.cshrc


# disable core dumps
echo "Original core configuration"
coreadm

echo "Disabling core dumps"
coreadm -d global
echo "New core configuration"
coreadm

Why should you care?

 Securing a computer for use on the DoD networks can be a difficult and time-consuming task.  These tools will help you deliver you mission faster, more reliably and securely.

 

Posted at 02:08PM Jul 30, 2007 by jimlaurent in Sun Federal Business | Comments[31] | Permalink

Comments:

Jim, Wished I would have had this two weeks ago! I just went through a DISA inspection, but I plan to run your scripts against a test system and compare yours to the one we run and see what I get. Now if we can get DISA to minimize the manual checks .... Thanks.

Posted by Robert Escue on July 30, 2007 at 03:46 PM EDT #

Robert, I'm glad that you can use it. Feel free to post your results and satisfaction (or disatisfaction) with it. You can also email me direction at jim dot laurent at sun dot com.

Posted by Jim Laurent on July 30, 2007 at 05:38 PM EDT #

Thanks for the info. I forwarded a link to the sys admins that do this work for us. Fran

Posted by Fran Horan on July 31, 2007 at 08:27 AM EDT #

Hi Jim,
Taking a look at SST/JASS has been on my to-do list for a while (not making it to the top thanks to the new "secure by default" solaris approach which is great). Anyway, when I happened across your post it caught my eye. As I read and got interested I feared that I would get to the end and find no actual profile or config file to download. Thanks for the pleasant surprise!

I'm a little curious about why you lock down the man pages the way you do. Without execute priv's on the directories users will not be able to read man pages... Was this your intent or is there some vulnerability you are trying to avoid? (Certainly the man pages are not a secret -- docs.sun.com etc.)
Oh, and on an unrelated note, I share your pain with regards to the idiotic requirement to run Mcafee on all my Solaris servers. :-)

Thanks again for posting something usable rather than just a narrative.

Posted by Chris Johnson on July 31, 2007 at 11:15 AM EDT #

Jim- Good stuff here. I work at a government site and several months ago we were asked to re-stig all of our servers. This prompted us to do the same thing, automating as much as possible for the STIG. One thing that we did that is in your script, but caused problems was carelessness with the chmod -R on the man pages. The result was we removed execute permissions from the directory and then no one could read from that directory. I would either add a -type f to that find or I would run a second find for the directories to reset the permissions to be 755. Besides that this looks really good.

Posted by Drew Severson on July 31, 2007 at 11:19 AM EDT #

Thanks to all of you for your comments and testing. Sometimes when you are a blogger, it's good to know someone is actually reading what you write.

I've made the suggested changes to the man page script but not tested them. Let me know if you like these better.

Posted by Jim Laurent on July 31, 2007 at 11:47 AM EDT #

Hey Jim,

Just a couple of comments … even though it isn’t the end of the world with things as are:

With the recent change in your blog entry from “chmod –R” to “find … -exec chmod …” you are going to fork/exec thousands of processes (in my /usr/share/man directory alone there are 12,989 files). Yea, no big deal in the grand scheme of things but on principle you might want to do something like this instead: 
      find /usr/share/man –type f –print | xargs chmod 644
However, on my sol 10 11/2006 box I issued a find command from /usr/share and /usr/sfw looking for any file that had group or world write priv's and found none! (except for the test files I had created).
So, on Solaris 10 I would want to know if a man page showed up with a “bad” permission. Also, I would probably vote against just blindly changing every file’s inode modification time for no reason. Consequently, I would probably do this: 
echo “man pages whose permissions will be set to 644:”
TMP=/tmp/.myfind_$$  ; rm –f $TMP

check_dir()
{
    the_dir=$1

    [ -d $the_dir ] || return 0

    find $the_dir \( -type f –a \( -perm 020 –o –perm -002 \) \) –ls > $TMP

    if [ -s $TMP ]
    then
        cat $TMP
        find $the_dir \( -type f –a \( -perm 020 –o –perm -002 \) \) –print | xargs chmod 644 

    fi
}

check_dir /usr/share/man
check_dir /usr/share/info
check_dir /usr/share/infopa
check_dir /usr/sfw/share/man

rm $TMP

I’m all in favor of showing what things are like before one makes a change. (That said, note that with the above code those ‘ls –ld’ commands (both before and after) can go away.)

Presumably in the past sun shipped man pages with “bad” perms so I suppose on some OS versions you might not want to use the above code if it prints out 12,000 file names :) In this case, it might be okay to just execute commands like: 
      find /usr/share/man –type f –print | xargs chmod 644

Caveat: code typed in here has not been syntax checked :-)

Regards,
    Chris

Posted by Chris Johnson on July 31, 2007 at 02:43 PM EDT #

It's been a while since I did all this work, but as I recall, the DISA SRR scripts complained about bad man page permissions which is why I added that part to the script. As you can see, I didn't spend a whole lot of time testing and my primary goal was to make SRR stop complaining. Thanks for the tips.

Posted by Jim Laurent on July 31, 2007 at 02:48 PM EDT #

I installed and used SST against a Blade 2000 that I use for testing. I haven't had an opportunity to dig real deep into what SST has done, I did notice some changes that are GCCS specific in terms of additional logging. It is easy enough to fix, but you might want to consider a non-GCCS config for those of us who do not work with GCCS but have to comply with DISA's requirements. One of the issues that came out of the DISA inspection for us was password length and complexity. I use Solaris 8, 9 and 10 here and it doesn't make much sense to use a nine character password when Solaris 8 and 9 only recognize 8. You changed the encryption from crypt to Linux/BSD MD5, is this going to to be the DISA standard or is this something you chose at random? The reason why I am asking is that the DISA UNIX STIG does not mention alternate password encryption at all with Solaris 10 and there has been no offical word by any DoD security organization that I am aware of as to which one will be used. I just don't want to select one and have it be the wrong one.

Posted by Robert Escue on August 02, 2007 at 12:17 PM EDT #

Thanks for testing this for me. Did you find that it made it easier and faster for you to get through your security review?

As you mentioned, the 9 char password cannot be applied to S8 or S9. We switch the encryption alg. because crypt CANNOT deal with more than 8 chars. I know of no standard encryption requirement at DISA.

Posted by Jim Laurent on August 02, 2007 at 12:28 PM EDT #

Jim,

Using the SST picked up the stuff I haven't had the opportunity to add to the lockdown script we use here. The bigger problem is the Manual Review because most of that can be automated as well.

More on this as I get time to examine the results.

Thanks.

Posted by Robert Escue on August 02, 2007 at 12:59 PM EDT #

Thanks for the information.

Posted by Chan on August 04, 2007 at 01:51 AM EDT #

is anyone working on a script for Red Hat EL 4 ?

Posted by jaws on August 08, 2007 at 08:25 AM EDT #

There are people inside of DISA working to built Bastille profiles for Linux distros to meet the STIG requirements.

email me privately at jim dot laurent at sun dot com and I can send you a name.

Posted by Jim Laurent on August 08, 2007 at 08:27 AM EDT #

Thanks Jim for your efforts. I have been working the same issues at Stewart and I am still having problems trying to stop the SRR from complaining.

I have SOL 10 08/07 on a Sun T2000. I had already created a man page fix but it seemed to take longer than yours did to run when I ran yours on a second identical server.

If anyone is still working on this, I have a couple of questions about some cat I entries.

1. Even though we explicitly disable rexec, the SRR complains that it appears to be enabled. How do you get it to show as disabled instead of "uninitialized"?

2. Does anyone have scripts to disable the sendmail help, decode, expn and vrfy commands?

3. The other issue that it tags as cat I is the SNMP community strings. Does anyone have a script that might change the defaults?

Thanks again,
JB

Posted by James Brannen on April 02, 2008 at 01:10 PM EDT #

If you are a federal government or DoD Employee, the DISA Field Security Operation help desk should be able to help you. DISA has taken my work (which was minimal) and advanced it to be much more STIG aware.

See here:

http://iase.disa.mil/index2.html

Posted by Jim Laurent on April 02, 2008 at 02:47 PM EDT #

Have you updated this recently? I am running the July 08 SRRs on my box, and there are some changes needed on some of the scripts. Just checking, and thanks a lot for this, it's really helped me out.

Posted by Jim Swanson on August 12, 2008 at 03:49 PM EDT #

No,

I haven't updated them at all since posting. You may want to contact the DISA FSO help desk. They have taken the tool in and provided some enhancement to it.

See http://iase.disa.mil for contact information.

Posted by Jim Laurent on August 12, 2008 at 03:54 PM EDT #

Response from DISA-

"Jim Laurent created them and
they were supported by SUN only. Last time I saw Laurent, he stated
that SUN no longer supported/updated those scripts... And it's just as
well. He believes that the SRR scripts "create" a lot of false
positives. I came onboard just before he released his now outdated
scripts which are tailored only for Solaris. We do that and all the
rest. There have been substantial changes/improvements to the SRR
scripts since then.

<Snarky comments>

As you're probably already aware, SUN has substantially changed S10
since Laurent released though scripts. Ergo, see the prior paragraph."

They're not doing anything with this anymore.

Posted by Jim Swanson on September 02, 2008 at 09:50 AM EDT #

Are there any license restrictions on the jimlaurent tarball and standalone script? I'm considering using this as a starting point for a security component on a commercial contract.

Posted by Ron Broberg on September 25, 2008 at 05:00 PM EDT #

No restrictions. Feel free to use, modify and distribute.

Posted by Jim Laurent on September 26, 2008 at 11:20 AM EDT #

Thanks for the great script package - it had made hardening the system for the STIG much easier. Newbie question - after running the hardening, now only the root user can access the GUI (CDE/Java) desktop? Trying to logon as a regular user just kicks back to the GUI logon screen with no errors visible. Is this the intended result? How to rectify so that the SA can access the GUI interface using their own userid login?

thanks -

Posted by Mark Christoph on February 25, 2009 at 06:53 PM EST #

Hmmm..

Good question. I haven't worked with that for about two years.

I can tell you that a DISA person took my work and enhanced it to make it even closer to STIG compliance. He told me that it would be posted on forge.mil as it becomes available.

If you can't find it, email me: jim dot laurent at sun.com

Posted by Jim Laurent on February 25, 2009 at 06:57 PM EST #

Figured it out - the hardening script shut off the service autofs - since the system couldn't automout the home directory of the user attempting to login via GUI, it would kick out back to the CLI. I enabled autofs and it works again. I was under the impression the disable-automount.fin applied only to NFS, but apparently not.

Posted by Mark Christoph on February 26, 2009 at 10:57 AM EST #

It depends on how your home directory entries are listed in /etc/passwd. If the user's located in /home (the default when SMC creates a user) and /home is configured for autofs it is automounted. If it is in a "real" directory such as /export/home, automount isn't needed.

Posted by Jim Laurent on February 26, 2009 at 11:01 AM EST #

A very helpful post - I don't have access to the DOD site with the updated scripts, but this got me most of the way (I don't need to pass a DISA audit, this is a sanity check). One little update - if you add this to SST as a finish script during JumpStart to harden, you'll need to pre-pend the ${JASS_ROOT_DIR} variable to the file paths.

Posted by Bryan Blackwell on May 27, 2009 at 03:59 PM EDT #

vI have purposely not done any comparisons to "Linux" because "Linux" is a source code development project at kernel.org (not too dissimilar from OpenSolaris at opensolaris.org). "Linux" is not a product. Solaris 10 and RHEL 5 are products that customers can buy and get support for.
http://www.globalsale.me/Aion-gold-083.aspx
http://www.cheap-gamegold.org
http://www.gamegoldvip.org
http://www.watchrolexshop.com
http://www.gamegoldme.com

Posted by aion gold on June 24, 2009 at 10:52 PM EDT #

cards for plastic
cards for plastic is a leader and innovator in the cards for plastic industry catering for all your membership cards and any custom size cards for plastic required from small to big quantity. We are a one-stop center for your entire cards for plastic requirement. <a href="http://www.7days-printing.com ">cards for plastic</a>.Have your cards ready in less than 1 hour if necessary in high laminated cards for plastic quality without compromising on quality and durability! The cards for plastic will be highly glossy laminated, very falt, non peeling and very sharp!
[URL=http://www.7days-printing.com]cards for plastic[/URL].We are also the authorized distributor for all range of cards for plastic as well as javelin cards for plastic in malaysia for personalizing the cards for plastic with thermal printing of text and barcode as well as encoding the magnetic stripe and cards for plastic.
custom plastic card
As a leading company in the custom plastic card printing industry, our factory has passed many certificate and produces over two million custom plastic card per year. Our custom plastic card is exactly like the credit cards.
<a href="http://www.7days-plasticcards.co.uk">custom plastic card</a> We produce custom plastic card. our custom plastic card is four color litho printed with heidilberg machines. If you order our custom plastic card, we will offer you the best value for your money without any waste. [URL=http://www.7days-plasticcards.co.uk]custom plastic card[/URL] Ordering custom plastic card from us directly over the phone or internet, we can give you the best price which you can not find elsewhere!Today, custom plastic card is various and the company supplies more than 5oo million custom plastic card annually to customers all over the world. But our custom plastic card has many advantages.
card supplier
As a corporate has card supplier facility manager or security professinal, you meet hundreds of card supplier every day. It’s your job to identify card supplier, but can you be expected to recognize every card supplier in your facility? You’re going to need a little help from identification card supplier, so take your pick: use standard size card supplier like you’ll find at [URL=http://www.7daysprinting.com] card supplier [/URL] or oversized photo ID badges like you’ll find at <a href="http://www.7daysprinting.com"> card supplier </a >to verify identities. Use proximity or card supplier to grant access to unattended building entries and bar codes or magnetic stripe card supplier for accurate time and attendance tracking and more. Fargo systems integrators like us offer complete card supplier personalization systems to help solve these challenges.
hologram company
hologram company is the most fundamental marketing tool that you always have with you. hologram company contains business information about you and your company. hologram company communicate the primary information of your company to your prospective customers- in a compact and simple way. hologram company is a proven method which effectively advertises your business. Whether you are launching a new product or marketing an existing one, a hologram company will always help you do it right.
[URL=http://www.hologram-sticker.co.uk]hologram company[/URL]
hologram company is used for presentation of your marketing materials in a superior way. hologram company ontains multiple pockets inside to hold your marketing materials. By utilizing folders, you can enhance the presentation of your hologram company. <a href="http://www.hologram-sticker.co.uk">hologram company</a>. hologram company is a significant part of any company’s distinctiveness to others.
hologram design
We can supply from stock a complete range of hologram design for use with card printers. <a href="http://www.dynamicworldwide.co.uk">hologram design </a>.The recently updated hologram design fooers all the features required to create and design card layouts with ease of set up and simplified operation. Four editons of hologram design are available from the entry level hologram design which allows for connection to external databases and the encoding of contactless hologram design.
[URL=http://www.dynamicworldwide.co.uk]hologram design[/URL]Whatever your requirement, hologram design has the solution. A hologram design personalisation bureau service is offered, where pre-printed or hologram design can be thermally printed, embossed and encoded to your specific requirements. hologram design can also be produced by digital or litho print methods. Other brands of hologram design can also be supplied and supported.
metal card
Businesses of all sizes rely on a powerful but tiy tool to communicate their business information: the metal card. <a href="http://www.metal-card.co.uk"> metal card </a>
Whether you’re a business behemoth or one-man-brand consultant, the appropriate metal card is a must. metal card printing can be a daunting task because metal card come in all shapes and sizes. There are your standard dorizontal facing metal card, and even metal card with the rounded deges. That depends on what exactly you are trying to communicate with your metal card.The appropriate content is very important for your metal card selection. [URL=http://www.metal-card.co.uk]metal card[/URL]Your customers should be able to easily remember what it is you offer and also be able to contact you from the information on your metal card. The last thing you want to do is hand a potential customer a brilliantly designed metal card that does not help them find you when they need you. metal card printing goes beyong metal card design.
gift bag printing
gift bag printing is the key to promoting your business. gift bag printing also increase the number of new customers coming in to redeem their gifts. gift bag printing offers bring in customers seeking discounts on new purchases. As one of the leading manufacturers of gift bag printing. <a href="http://www.printing-gift.co.uk">gift bag printing</a>Our company has supplied gift bag printing for top retall companies. Generating new gift bag printing is a big benefit to a successful gift bag printing. Not only will your existing customers find gift bag printing appealing, they will in turn tell other new potential customers about gift bag printing. Branding on your new gift bag printing raise awareness.[URL=http://www.printing-gift.co.uk]gift bag printing[/URL] There are many advertising and branding opportunities with gift bag printing. This is because of the many diverse things gift bag printing can be used for today. gift bag printing for business has been increasing in popularity for several years. We offer affordable custom gift bag printing at the lowest prices around.
smart card service
Since our smart card service is produced with unique equipment, you can be sure that your smart card service will be of high quality. In addition, our smart card service options are fully customizable to meet any specific needs. Your smart card service can also be ordered in combination with the convenient key smart card service, which is a smaller version of your smart card service that can be easily attached to a key chain. [URL=http://www.smartcard-supplier.co.uk]smart card service[/URL]Our smart card service helps companies that need a new design creat smart card service. For companies that already have a smart card service, we can print directly from your own supplied smart card service artwork.
<a href="http://www.smartcard-supplier.co.uk"> smart card service</a>
All of our custom printed smart card service offer high resolution graphics. We offer options for smart card service production such as unique smart card service textures or transparent smart card service for or a highly appealing visual appearance.Your customers will truly see your new smart card service as an outstanding them or high value.

Posted by molly on July 27, 2009 at 01:30 AM EDT #

http://www.shanghaimassages.net

Posted by shanghai massage on September 27, 2009 at 11:30 PM EDT #

http://www.jsjyyb.cn

Posted by 涡街流量计 on September 27, 2009 at 11:31 PM EDT #

If you are interested in our high qualities but low price replica watches. Please contact us via www.progiftstore.com.

Posted by progiftstore on October 10, 2009 at 04:23 AM EDT #

Post a Comment:
  • HTML Syntax: NOT allowed

About This Weblog

Author: James Laurent

Archives

« November 2009
SunMonTueWedThuFriSat
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
     
       
Today

Feeds

Search

Bookmarks

Other Blog Links

Today's Page Hits: 213