22 May 2017

Is my Server Secure? Use the Solaris 11 Compliance Tool

Security Compliance
IT security is more important than ever. Make sure your systems are up to date.
Don't run services you don't need. Use strong passwords. Protect your files.

Security compliance checking helps to detect weak or modified configurations.
Solaris 11.3 contains the 'compliance' tool. With it you can create reports against three prepared security levels:

1. Oracle Solaris Security Benchmark: Baseline
   Essentially matches a Secure By Default installation

2. Oracle Solaris Security Benchmark: Recommended
   Adds Recommended Checks

3. PCI-DSS
   Payment Card Industry - Data Security Standard
  
The Solaris compliance tool creates easy-to-understand HTML reports.
It also supports tailoring for individual machines, where single checks can be enabled or disabled as required.

Use this blog as an introduction with a few examples. Reaching a completely secure system takes more time than shown here.

Solaris 11 Compliance Samples
To check against the Solaris Baseline Benchmark run the following command on your system:

# compliance assess -b solaris

Check the HTML report
# compliance report
/var/share/compliance/assessments/solaris.Baseline.2017-05-22,10:32/report.html


The HTML report lists the checks in detail, including a description of how to fix failed checks. On a newly installed system there may be a few failed checks. If you don't use Kerberos you can disable the related services so that those checks pass.

# svcadm disable svc:/network/nfs/fedfs-client:default
# svcadm disable svc:/network/rpc/gss:default


Next we check against the Solaris Recommended Profile

# compliance assess -b solaris -p Recommended

# compliance report -f log
/var/share/compliance/assessments/solaris.Recommended.2017-05-22,17:18/log
# grep fail /var/share/compliance/assessments/solaris.Recommended.2017-05-22,17:18/log | wc -l
      26


To fulfill the Recommended profile many configuration changes would be needed. As a first step we now create our own benchmark, based on the Solaris Baseline, with a few additional checks added.

If you deploy services, a check like this one may report as failed:
OSC-73505 / ssh(1) is the only service binding a listener to non-loopback addresses

On one Solaris Zone I run a Solaris IPS repository. We create our own tailored benchmark in which
this check is disabled.

# compliance tailor -t solaris_jomasoft set benchmark=solaris
# compliance tailor -t solaris_jomasoft set profile=Baseline
# compliance tailor -t solaris_jomasoft exclude OSC-73505  # ssh(1) is the only service binding a listener to non-loopback


Then we add our password rules

# compliance tailor -t solaris_jomasoft include OSC-49500  # Passwords require at least 1 upper-case characters
# compliance tailor -t solaris_jomasoft include OSC-47500  # Passwords require at least 1 digits


Change the values of existing checks

# compliance tailor -t solaris_jomasoft value OSCV-46000=8  # Passwords must be at least 8 characters long
# compliance tailor -t solaris_jomasoft value OSCV-48000=1  # Passwords must have at least 1 lower-case characters
# compliance tailor -t solaris_jomasoft value OSCV-49000=1  # Passwords must have at least 1 special characters


Additional checks

# compliance tailor -t solaris_jomasoft include OSC-93005   # User home directories have appropriate permissions
# compliance tailor -t solaris_jomasoft include OSC-92505   # User home directory ownership is correct


Now we run the assessment against our own tailored benchmark:
# compliance assess -t solaris_jomasoft


A compliance report for PCI-DSS is created with
# compliance assess -b pci-dss

To reach PCI-DSS compliance, some configuration work is required.

# compliance report -f log
/var/share/compliance/assessments/pci-dss.Solaris_PCI-DSS.2017-05-22,11:22/log
# grep fail /var/share/compliance/assessments/pci-dss.Solaris_PCI-DSS.2017-05-22,11:22/log | wc -l
      29


Find all details in the Oracle Solaris 11.3 Compliance Guide (PDF):
https://docs.oracle.com/cd/E53394_01/pdf/E54817.pdf

Run your benchmark regularly to detect changes made by administrators and applications.
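The grep | wc -l pipelines above only tell you how many checks fail, and the closing advice is to run the benchmark regularly to catch drift. The script below is an added example (not from the original post and not part of the Solaris compliance tool) that goes one step further: it extracts the IDs of the failed checks from two runs and reports which checks fail now that passed in the earlier reference run. The log format it parses is an assumption, one line per check of the form "<rule-id> <pass|fail> <title>", and the two sample logs are constructed; when used against real output of compliance report -f log, adjust the awk field positions to the actual log layout.

```shell
#!/bin/sh
# Added example: compare two compliance runs and report newly failing checks.
# ASSUMED log format (not verified against the real tool): one line per
# check, "<rule-id> <pass|fail> <title>". Both logs below are constructed.

# Constructed reference run (e.g. right after the system was hardened)
REF_LOG='OSC-73505 fail ssh(1) is the only service binding a listener to non-loopback addresses
OSC-49500 pass Passwords require at least 1 upper-case characters
OSC-47500 pass Passwords require at least 1 digits
OSC-93005 pass User home directories have appropriate permissions'

# Constructed later run: someone relaxed the password policy and changed
# permissions on a home directory in the meantime
CUR_LOG='OSC-73505 fail ssh(1) is the only service binding a listener to non-loopback addresses
OSC-49500 fail Passwords require at least 1 upper-case characters
OSC-47500 pass Passwords require at least 1 digits
OSC-93005 fail User home directories have appropriate permissions'

# count_fails LOG_TEXT: number of failed checks, matching on the result
# field only (safer than a bare "grep fail", which would also match the
# word inside a check title)
count_fails() {
    printf '%s\n' "$1" | awk '$2 == "fail"' | wc -l | tr -d ' '
}

# failed_ids LOG_TEXT: sorted rule IDs of all failed checks
failed_ids() {
    printf '%s\n' "$1" | awk '$2 == "fail" { print $1 }' | LC_ALL=C sort
}

# new_failures REF_LOG_TEXT CUR_LOG_TEXT: rule IDs that fail in the current
# run but did not fail in the reference run (comm -13 keeps lines only in
# the second file)
new_failures() {
    ref_tmp=$(mktemp) || return 1
    cur_tmp=$(mktemp) || { rm -f "$ref_tmp"; return 1; }
    failed_ids "$1" > "$ref_tmp"
    failed_ids "$2" > "$cur_tmp"
    LC_ALL=C comm -13 "$ref_tmp" "$cur_tmp"
    rm -f "$ref_tmp" "$cur_tmp"
}

# Stand-alone usage on the constructed logs
echo "reference run: $(count_fails "$REF_LOG") failed check(s)"
echo "current run:   $(count_fails "$CUR_LOG") failed check(s)"
echo "newly failing checks since the reference run:"
new_failures "$REF_LOG" "$CUR_LOG"
```

On a real system you would replace the two constructed strings with the contents of the log files that compliance report -f log prints the paths of (for example, cat "$path" into a variable), keep the reference log from a known-good run, and run the comparison from cron after each scheduled compliance assess. Matching on the result field instead of the whole line avoids false positives from the word "fail" appearing in a check title.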