by Ginny Henningsen
How to improve configuration security and accelerate audits
Incidents of fraud, intrusion, and data compromise are reported by the news media on an almost daily basis. Costs stemming from such incidents—including lost business, restitution, penalties, and fines—make IT systems security an overwhelming and strategic business concern. IT organizations must comply with internal policies and mandates as well as applicable government and regulatory standards. Standards—such as the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), Sarbanes Oxley (SOX), and the Payment Card Industry-Data Security Standard (PCI DSS)—specify strict requirements for business processes, practices, and IT system configurations. These standards also typically mandate formal external compliance audits to detect and remediate vulnerabilities and reveal signs of intrusion, tampering, or data exposure. In between formal audits, IT organizations normally conduct internal reviews to prepare for formal assessments, maintain compliance, and safeguard systems and data.
Along with well-defined security policy and best practices, operating system configuration is a key element in achieving security standards compliance. For servers that store and process sensitive information, automated tools that validate configurations can accelerate internal reviews and make formal audits go more smoothly. More importantly, such tools help to identify weaknesses that can be remediated to prevent compromise. Oracle Solaris 11 supplies a security compliance framework based on the Security Content Automation Protocol (SCAP), a NIST standard. The framework includes the compliance(1M) utility, which invokes an implementation of the OpenSCAP toolkit. The compliance tool automates the process of security assessments, providing an easy way for administrators to check running Oracle Solaris system configurations against defined policy.
This article describes how to use compliance to validate Oracle Solaris configurations and generate compliance reports. It discusses how to approach remediation when an assessment detects weaknesses and how to customize assessments to align with security policy. It also highlights best practices and strategies to protect Oracle Solaris systems and simplify the challenges of maintaining compliant systems.
First released in Oracle Solaris 11.2, compliance produces assessments against a set of rules defined in a specific benchmark profile. At this time, the utility executes locally on a single system image; to assess multiple zones on a system, it must be run in each zone.
The rules for compliance checks follow a standard content format for system vulnerability assessments called OVAL (Open Vulnerability and Assessment Language). The rules are written in XCCDF (Extensible Configuration Checklist Description Format), which is expressed as XML. The compliance framework in Oracle Solaris supplies preconfigured groups of rules organized into the following benchmarks:
- The solaris benchmark, which has two profiles, Baseline and Recommended. The Baseline profile reflects a starting point for secure system configurations while the Recommended profile defines more exacting security requirements, such as encrypted swap and non-root file systems and stricter password rules (including boot passwords and 14-character length, password aging, and digit and capitalized letter requirements). In addition, the Recommended profile requires non-executable stacks and BIOS or EEPROM passwords to prevent unauthorized booting.
- The pci-dss benchmark specifies system configuration requirements to meet the Payment Card Industry Data Security Standard (PCI DSS). This standard has strict requirements aimed at protecting sensitive identity and financial data. Oracle has also published a white paper that describes how Oracle Solaris systems can be configured to comply with the 12 requirement areas in the PCI DSS standard.
Benchmark configurations for the compliance script are stored in the repository /usr/lib/compliance/benchmarks; rules are stored in the directory
The compliance framework and tools are a part of the security/compliance software package, which must be installed prior to use. The first command given below reports whether the required package is already installed while the second installs it:
# pkg info -r compliance
# pkg install security/compliance
Conducting Compliance Assessments
The compliance script features a number of subcommands:
# compliance --help
Usage:  compliance list [-v] [-p]
        compliance list -b [-v] [-p] [benchmark ...]
        compliance list -a [-v] [assessment ...]
        compliance guide [-p profile] [-b benchmark] [-o file]
        compliance guide -a
        compliance assess [-p profile] [-b benchmark] [-a assessment]
        compliance assess -t tailoring [-a assessment]
        compliance report [-f format] [-s what] [-a assessment] [-o file]
        compliance delete assessment
        compliance tailor [-t tailoring] [subcommand]
The tailor subcommand—new in Oracle Solaris 11.3—adds the ability to customize benchmarks and produce a tailoring file that can be used to perform assessments (a discussion of customizing assessments follows after some basic usage examples).
The list subcommand displays available benchmarks and profiles:
# compliance list -bp
Benchmarks:
    pci-dss: Solaris_PCI-DSS
    solaris: Baseline, Recommended
The assess subcommand runs the specified compliance benchmark or profile. For example, this command performs an assessment using the Baseline profile of the solaris benchmark:
# compliance assess -p Baseline
Assessment will be named 'solaris.Baseline.2015-08-28,13:42'
Title   Package integrity is verified
Rule    OSC-54005
Result  fail
Title   The OS version is current
Rule    OSC-53005
Result  pass
...
As the assessment runs, compliance outputs a title describing each rule, a numeric identifier, and the pass/fail result. In Oracle Solaris 11.3, each rule is labeled with a unique identifier ("Rule Test_1.1" in Oracle Solaris 11.2 is now "OSC-54005"). Numeric labels support the ability to tailor benchmarks, allowing modifications to be captured to a tailoring file that can persist after an operating system update.
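The Title/Rule/Result triplets above are the same text that compliance writes to the log file of each assessment, so they are easy to post-process. The POSIX shell functions below, an added example that is not part of the article or of the compliance tool, turn such a log into one line per rule, list the failed rules, count results, and give a yes/no answer on whether the assessment was clean. The log lines are constructed for the example; the rule OSC-99999 and its title are invented placeholders, not real compliance rules.

```shell
#!/bin/sh
# Added example (not from the article): summarise a "compliance assess" log.
# The log content below is constructed to match the Title/Rule/Result format
# the tool prints; OSC-99999 is a placeholder rule ID, not a real one.

SAMPLE_LOG="${TMPDIR:-/tmp}/compliance_log_example_$$.log"
cat > "$SAMPLE_LOG" <<'EOF'
Assessment will be named 'solaris.Baseline.2015-08-28,13:42'
Title   Package integrity is verified
Rule    OSC-54005
Result  fail
Title   The OS version is current
Rule    OSC-53005
Result  pass
Title   Passwords require at least six characters
Rule    OSC-46006
Result  pass
Title   Constructed example rule that fails
Rule    OSC-99999
Result  fail
EOF

# Print one "RULE<TAB>RESULT<TAB>TITLE" line per rule in the log.  awk keeps
# the most recent Title and Rule and emits a record on each Result line.
rules_from_log() {       # usage: rules_from_log LOG_FILE
    awk '
        $1 == "Title"  { sub(/^Title[ \t]+/, ""); title = $0 }
        $1 == "Rule"   { rule = $2 }
        $1 == "Result" { printf "%s\t%s\t%s\n", rule, $2, title }
    ' "$1"
}

# Print only the rules whose result is "fail", same tab-separated format.
failed_rules() {         # usage: failed_rules LOG_FILE
    rules_from_log "$1" | awk -F'\t' '$2 == "fail"'
}

# Print "pass=N fail=M" for the log.
result_counts() {        # usage: result_counts LOG_FILE
    rules_from_log "$1" | awk -F'\t' '
        $2 == "pass" { p++ }
        $2 == "fail" { f++ }
        END { printf "pass=%d fail=%d\n", p + 0, f + 0 }
    '
}

# Exit status 0 only when no rule failed, so a scheduled job can gate on it.
assessment_clean() {     # usage: assessment_clean LOG_FILE
    [ "$(failed_rules "$1" | wc -l | tr -d ' ')" -eq 0 ]
}

result_counts "$SAMPLE_LOG"
failed_rules "$SAMPLE_LOG"
```

On a real system the argument would be /var/share/compliance/assessments/NAME/log for the assessment of interest; the functions only read the file, so they need the Compliance Reporter rights rather than Compliance Assessor.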
Note that a user requires certain rights to run assessments (specifically solaris.compliance.assess) and to generate reports from previously executed assessments (solaris.compliance.report). An administrator responsible for User Management can assign these rights. For example, this usermod command adds the Compliance Assessor and Compliance Reporter rights profiles to the user jdoe:
# usermod -P "Compliance Assessor" jdoe
# profiles jdoe
jdoe:
    Compliance Assessor
    Compliance Reporter
    Basic Solaris User
    All
Viewing Assessment Reports
The compliance script records test results in an assessment directory named (by default) with the name of the benchmark profile and the date and time of execution. The list -a option shows the name of the assessment just completed. The assessment directory with that name contains three files:
# compliance list -a
solaris.Baseline.2015-08-28,13:42
# ls /var/share/compliance/assessments/solaris.Baseline.2015-08-28,13:42
log  report.html  results.xccdf.xml
The log file simply captures the console output from the assessment. The results.xccdf.xml file contains all information and results related to the assessment. To view pass/fail results of tests executed during the assessment, load the HTML file (report.html) into a browser. Figure 1 shows the HTML report, which indicates seven failures for this assessment.
Figure 1. Default HTML output for the
It is expected that the operating system will not pass all tests after it is initially installed. In an assessment, failures highlight the OS areas that require attention and intervention to reach compliance. Oracle recommends that administrators use the compliance output to configure Oracle Solaris systems to meet specific compliance and deployment requirements. In addition to remediation steps, administrators should tailor benchmarks and run the compliance script repeatedly until requirements are met and successful test results are achieved.
It's easy to scroll through the HTML results and view system configuration details that require further attention. To display failures from an assessment, select just the fail checkbox in the Rule Overview section (Figure 2).
Figure 2. Selecting only "fail" displays just the failed rules.
Drilling down into each rule displays more detail about the rule and the pass/fail result. For example, clicking the "Package integrity is verified" rule shows details for this check including the reason for the failure, the severity rating, and suggested remediation steps (Figure 3).
Figure 3. Rule details from an assessment, including remediation steps.
Viewing Previous Assessment Results
The compliance report command supplies a way to generate results from previous assessments.
# compliance report -s -pass,fail -a solaris.Baseline.2015-08-28,13:42 \
    -o ./fails.html
The -s argument works only for HTML and takes a comma-delimited list of test results to exclude or include. In the command above, tests that pass are excluded and tests that fail are included in the results. (See the compliance(1M) man page for more options.) The compliance tool can also create compliance guides that document how Oracle Solaris configurations map to benchmark standards. A guide can be useful in training administrators about configuring Oracle Solaris systems, because it contains the rationale for each security check and the steps to fix a failed check. Some standards, such as PCI DSS, stipulate a requirement to document system configuration decisions, and a guide can help to meet documentation requirements.
This command generates a compliance guide based on the PCI DSS benchmark:
# compliance guide -b pci-dss
/var/share/compliance/guides/pci-dss.html
Using a report (such as the HTML report showing failed tests in Figure 2), an administrator can easily step through each test and determine whether the suggested remediation steps are appropriate and relevant. Remediation steps for the "Package integrity is verified" rule (Figure 3) suggest running pkg verify, evaluating the errors, and running pkg fix. After performing these steps, rerunning the same assessment shows a "pass" result for this rule (Figure 4).
Figure 4. After performing the suggested remediation steps and rerunning the assessment, this rule achieves a "pass" result.
Tailoring a Benchmark
In some cases failures might not be relevant to a particular deployment or to your specific corporate security policy. In these cases, it might make sense to customize an existing benchmark profile, excluding or including rules to better match policy.
Suppose corporate policy dictates that passwords should have a minimum length of eight characters. The default rule in the solaris.Baseline profile stipulates that passwords should have a minimum length of six characters. While it's possible to modify the XML for the default rule, an update to Oracle Solaris could overwrite the modified XML file, causing any changes to be lost. Oracle Solaris 11.3 adds the ability to tailor a profile based on an installed benchmark. Because the compliance rules have unique identifiers that are consistent across operating system updates, a tailored profile provides a way to modify a benchmark and capture site-specific changes.
The compliance tailor command allows an administrator with solaris.compliance.assess rights to perform benchmark tailoring. Entering the command shows the available subcommands. Subcommand help is also provided:
# compliance tailor
Documented commands (type help <topic>):
========================================
clear   delete   exit    include  list  pick
commit  exclude  export  info     load  set

Miscellaneous help topics:
==========================
tailoring

tailoring> help export
Syntax: export [-x] [-o output-file]
    print the current tailoring to standard output.  The -o option will
    direct the output to the specified file.  The default output form is
    suitable for use with the tailor -f option.  The -x option selects an
    xml format suitable for installation.
tailoring>
To tailor the solaris.Baseline profile interactively and configure a password length of eight characters instead of six, first set the properties for the tailoring (the tailoring name, the benchmark, and the profile):
tailoring> set tailoring=mypolicy
tailoring:mypolicy> set benchmark=solaris
tailoring:mypolicy> set profile=Baseline
tailoring:mypolicy> pick
The pick subcommand brings up a curses-based display. Rules marked with x are excluded from the profile while > _ indicates included rules.
Figure 5. The pick screen displays the rule base for compliance assessments.
Scrolling down to the user configuration section, rule OSC-46006 (which stipulates six-character passwords) is marked by > _, meaning the rule is included in the default Baseline profile. Pressing the space key or the x key deselects the rule; selecting OSC-46008 instead (as shown in Figure 6) causes the eight-character password rule to be included.
Figure 6. Selecting the rule OSC-46008 instead of OSC-46006 tailors the benchmark profile.
When the changes are complete, entering the commit subcommand writes out an XCCDF/XML tailoring file to
The load subcommand allows additional changes to be made to a previously committed tailoring:
tailoring> load mypolicy
tailoring:mypolicy> info
Properties:
    tailoring=mypolicy
    benchmark=solaris
    profile=Baseline
tailoring:mypolicy>
To port the tailoring file to another Oracle Solaris 11.3 server, create an output file for the active tailoring using the export subcommand:
tailoring:mypolicy> export -o mypolicy.tailoring.out
tailoring:mypolicy> exit
The output file shows the properties and customizations for the tailoring:
set tailoring=mypolicy
# version=2015-08-31T22:40:56.000+00:00
set benchmark=solaris
set profile=Baseline
# OSC-46006: Passwords require at least six characters
exclude OSC-46006
# OSC-46008: Passwords require at least eight characters
include OSC-46008
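Because the exported tailoring is plain text in the set/include/exclude form shown above, it can be checked before it is imported on other servers, which matters when the file travels through version control or a configuration-management tool. The functions below are an added example, not part of the article or of the compliance tool: they verify that a tailoring file names a tailoring, a benchmark and a profile, that every include or exclude line carries an OSC-style rule ID, and that no rule is both included and excluded, and they print a one-line summary. The "good" file reproduces the export above; the "bad" file is constructed to show the diagnostics.

```shell
#!/bin/sh
# Added example (not from the article): sanity-check an exported tailoring
# file before importing it with "compliance tailor -f".  Both sample files
# are constructed here; the good one mirrors the article's export.

GOOD_TAILORING="${TMPDIR:-/tmp}/mypolicy_good_$$.tailoring.out"
BAD_TAILORING="${TMPDIR:-/tmp}/mypolicy_bad_$$.tailoring.out"

cat > "$GOOD_TAILORING" <<'EOF'
set tailoring=mypolicy
# version=2015-08-31T22:40:56.000+00:00
set benchmark=solaris
set profile=Baseline
# OSC-46006: Passwords require at least six characters
exclude OSC-46006
# OSC-46008: Passwords require at least eight characters
include OSC-46008
EOF

# Constructed broken file: no profile, one rule both excluded and included,
# and one include line with a malformed rule ID (a typo, not a real rule).
cat > "$BAD_TAILORING" <<'EOF'
set tailoring=mypolicy
set benchmark=solaris
exclude OSC-46006
include OSC-46006
include 46008
EOF

# Return 0 if the file is well formed, 1 otherwise; diagnostics go to stdout.
check_tailoring() {      # usage: check_tailoring TAILORING_FILE
    file=$1
    status=0
    for key in tailoring benchmark profile; do
        grep -q "^set ${key}=" "$file" || { echo "missing: set ${key}=..."; status=1; }
    done
    awk '
        BEGIN { bad = 0 }
        $1 == "include" || $1 == "exclude" {
            if ($2 !~ /^OSC-[0-9]+$/) { print "bad rule id: " $0; bad = 1 }
            seen[$2] = seen[$2] " " $1
        }
        END {
            for (r in seen)
                if (seen[r] ~ /include/ && seen[r] ~ /exclude/) {
                    print "conflict: " r " is both included and excluded"
                    bad = 1
                }
            exit bad
        }
    ' "$file" || status=1
    return $status
}

# Print "NAME: BENCHMARK/PROFILE, +N rule(s), -M rule(s)".
tailoring_summary() {    # usage: tailoring_summary TAILORING_FILE
    awk -F'[ =]' '
        $1 == "set"     { prop[$2] = $3 }
        $1 == "include" { inc++ }
        $1 == "exclude" { exc++ }
        END {
            printf "%s: %s/%s, +%d rule(s), -%d rule(s)\n",
                prop["tailoring"], prop["benchmark"], prop["profile"], inc + 0, exc + 0
        }
    ' "$1"
}

tailoring_summary "$GOOD_TAILORING"
check_tailoring "$GOOD_TAILORING" && echo "good file: ok"
check_tailoring "$BAD_TAILORING" || echo "bad file: rejected"
```

Run it against the file produced by export -o before copying that file to host2; a non-zero status from check_tailoring is a reason not to import.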
To import the customized tailoring to another Oracle Solaris 11.3 server, specify the exported filename:
host2# compliance tailor -f mypolicy.tailoring.out
tailoring:mypolicy> info
Properties:
    tailoring=mypolicy
    benchmark=solaris
    profile=Baseline
tailoring:mypolicy>
An administrator can conduct additional testing or make other customizations. To run an assessment using the customized tailoring, specify the tailoring with the -t option of compliance assess:
host2# compliance assess -t mypolicy
Assessment will be named 'mypolicy.2015-09-01,15:37'
Title   Package integrity is verified
Rule    OSC-54005
Result  pass
...
Conducting Periodic Assessments
Good security practice includes conducting internal reviews on a regular schedule. Certain standards (notably PCI DSS) stipulate recurring internal assessments in addition to formal security audits. By running the Oracle Solaris compliance tool periodically and carefully reviewing the results, administrators can systematically evaluate configurations, discover weaknesses, and potentially identify signs of intrusion.
Running compliance as a cron job on a weekly or monthly basis is one way to conduct periodic assessments. But Oracle Solaris 11.3 features a new capability in its Service Management Facility (SMF) framework—Periodic and Scheduled Services—that's ideal for executing regularly scheduled events such as automatic compliance checks. Setting up compliance as an SMF scheduled service offers advantages over cron in that it provides a means of managing the full service lifecycle (start, stop, restart, and so on). In addition, SMF can perform dependency checking, making sure other required services are in place and restarting them if necessary.
Note that a scheduled service is a special case of a periodic service—the difference is simply that a periodic service starts at a time relative to its last invocation (such as 24 hours from when the service last ran) while a scheduled service starts at an absolute time (such as 5:00 a.m. on the first day of every month).
To set up compliance as a periodic or scheduled service, refer to the instructions in the documentation (Developing System Services in Oracle Solaris 11.3). A start method is required to run an assessment, such as this simple example created as /lib/svc/method/compl_sched:
#!/usr/sbin/sh
#
case "$1" in
*)
    compliance assess -t mypolicy
    ;;
esac
exit 0
The svcbundle command is an easy way to create a manifest for the new service:
# svcbundle -o /tmp/compl_sched.xml -s service-name=site/compl_sched \
    -s start-method=/lib/svc/method/compl_sched -s interval=day
The XML manifest contains a scheduled_method section that specifies the interval setting for the service. The example below specifies that the start method compl_sched should be run every day at 5:00 a.m.:
<scheduled_method recover="true" timeout_seconds="0" interval="day" hour="5" exec="/lib/svc/method/compl_sched"/>
After the manifest is configured, validated, and copied to the appropriate directory, it can be imported to start the service:
# svccfg validate /tmp/compl_sched.xml
# cp /tmp/compl_sched.xml /lib/svc/manifest/site/compl_sched.xml
# svcadm restart manifest-import
Loading smf(5) service descriptions: 1/1
# svcs compl_sched
STATE          STIME    FMRI
online         10:47:08 svc:/site/compl_sched:default
The compliance list command shows assessments at scheduled intervals resulting from the scheduled service:
# compliance list -a
mypolicy.2015-09-03,05:00
mypolicy.2015-09-02,05:00
pci-dss.Solaris_PCI-DSS.2015-08-31,16:34
solaris.Baseline.2015-08-28,13:42
solaris.Baseline.2015-08-28,16:42
solaris.Recommended.2015-08-31,16:16
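A scheduled assessment is only useful if someone notices when a rule that used to pass starts failing, which on a locked-down server is either drift or tampering. The following POSIX shell script is an added example, not part of the article or of the compliance tool: it picks the two most recent assessments for a tailoring prefix (the date stamp in the assessment name sorts lexically, as the listing above shows), reads the log file of each, and reports rules whose result went from pass to fail. The assessment directories and log files below are constructed for the example; on a real system the base directory would be /var/share/compliance/assessments.

```shell
#!/bin/sh
# Added example (not from the article): flag regressions between the two
# newest scheduled assessments of one tailoring.  Directory layout follows
# the article (one directory per assessment holding a "log" file); the
# contents here are constructed.

ASSESS_BASE="${TMPDIR:-/tmp}/compliance_regress_example_$$"
OLD="$ASSESS_BASE/mypolicy.2015-09-02,05:00"
NEW="$ASSESS_BASE/mypolicy.2015-09-03,05:00"
mkdir -p "$OLD" "$NEW"

cat > "$OLD/log" <<'EOF'
Assessment will be named 'mypolicy.2015-09-02,05:00'
Title   Package integrity is verified
Rule    OSC-54005
Result  pass
Title   The OS version is current
Rule    OSC-53005
Result  pass
Title   Passwords require at least eight characters
Rule    OSC-46008
Result  pass
EOF

cat > "$NEW/log" <<'EOF'
Assessment will be named 'mypolicy.2015-09-03,05:00'
Title   Package integrity is verified
Rule    OSC-54005
Result  fail
Title   The OS version is current
Rule    OSC-53005
Result  pass
Title   Passwords require at least eight characters
Rule    OSC-46008
Result  pass
EOF

# Print assessment names starting with PREFIX, newest first.  The embedded
# date stamp sorts lexically, so a reverse sort is all that is needed.
latest_assessments() {   # usage: latest_assessments BASE_DIR PREFIX COUNT
    ls "$1" | grep "^$2\." | sort -r | head -n "$3"
}

# Print IDs of rules that passed in OLD_LOG but fail in NEW_LOG.  Results
# from the first file are stored, results from the second are compared.
# FILENAME is compared rather than using NR==FNR so that an empty first
# file cannot silently make the second file the baseline.
regressions() {          # usage: regressions OLD_LOG NEW_LOG
    awk '
        $1 == "Rule"   { rule = $2 }
        $1 == "Result" && FILENAME == ARGV[1] { old[rule] = $2; next }
        $1 == "Result" && $2 == "fail" && old[rule] == "pass" { print rule }
    ' "$1" "$2"
}

# Compare the newest two assessments for PREFIX.  Returns 1 when a
# regression is found (so a job can alert on it), 2 if fewer than two
# assessments exist, 0 otherwise.
check_latest() {         # usage: check_latest BASE_DIR PREFIX
    set -- "$1" "$2" $(latest_assessments "$1" "$2" 2)
    [ $# -eq 4 ] || { echo "need two assessments for prefix $2"; return 2; }
    found=$(regressions "$1/$4/log" "$1/$3/log")
    [ -z "$found" ] && return 0
    echo "regressions between $4 and $3:"
    echo "$found"
    return 1
}

if check_latest "$ASSESS_BASE" mypolicy; then echo "no regressions"; fi
```

A natural home for check_latest is the SMF start method itself, after the compliance assess call, so that the service's log records the comparison alongside each scheduled run.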
Locking Down a Compliant System Configuration
Once a system passes the required compliance checks and security auditors have validated compliance, an administrator can lock down the configuration using immutable zones. Immutable zones are read-only root environments in Oracle Solaris 11 that can be configured for both non-global and global zones. The file-mac-profile property, which an administrator sets as a part of zone configuration, determines the zone's write policy. This property controls write access to the root file system, making it completely read-only or enabling write privileges for specific directories (such as /etc). In this way, an administrator can lock down zone configuration, preventing software installation or modifications to all or parts of the root file system.
The article "How to Ensure Secure, Compliant Application Deployment with Oracle Solaris 11" describes how to use immutable zones to lock down an application environment. The article also covers how to use Oracle Solaris 11 Unified Archives to clone a zone or even a complete system. By capturing an approved configuration in an archive, it's possible to propagate secure and compliant server configurations more easily. A blog by Darren Moffat ("Immutable Zones on Encrypted ZFS") describes how to combine the use of ZFS encryption with immutable zones to protect data written to a file system as well as protecting the system configuration from malicious or accidental tampering.
The compliance framework in Oracle Solaris 11 simplifies the administrative burden of conducting system assessments to meet corporate security requirements and compliance standards. Compliance checks should be a standard component in enterprise security best practices:
- At initial installation and configuration of Oracle Solaris 11 servers, compliance testing can pinpoint configuration weaknesses so that they can be addressed. Tailoring assessments allows administrators to match rules against site and application security requirements.
- Conducting assessments at regular intervals can reveal potential weaknesses and help formal audits go more quickly. Setting up compliance checks as periodic or scheduled SMF services automates this administrative task.
- Generating guides that document system configuration decisions can clarify security practices for new administrators and provide documentation for formal audit requirements.
- Implementing other Oracle Solaris 11 features—immutable zones, Unified Archives, and file system encryption—can make it easier to deploy and replicate compliant system configurations.
As a part of the Oracle Secure Configuration Initiative, Oracle continues to invest in software assurance programs and technologies that help customers deploy Oracle products securely. The Oracle Solaris 11 compliance framework reflects Oracle's commitment to enterprise system security and compliance with industry best practices and standards.
About the Author
Ginny Henningsen has worked for the last 18 years as a freelance writer developing technical collateral and documentation for high-tech companies. Prior to that, Ginny worked for Sun Microsystems, Inc. as a Systems Engineer in King of Prussia, PA and Milwaukee, WI. Ginny has a BA from Carnegie-Mellon University and an MSCS from Villanova University.
Revision 1.0, 09/23/2015