How to Automate Compliance Assessments in Oracle Solaris 11

Version 2

    by Ginny Henningsen

     

    How to improve configuration security and accelerate audits

     

    Introduction

     

    Incidents of fraud, intrusion, and data compromise are reported by the news media on an almost daily basis. Costs stemming from such incidents—including lost business, restitution, penalties, and fines—make IT systems security a strategic business concern. IT organizations must comply with internal policies and mandates as well as applicable government and regulatory standards. Standards—such as the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act (HIPAA), the Sarbanes-Oxley Act (SOX), and the Payment Card Industry Data Security Standard (PCI DSS)—specify strict requirements for business processes, practices, and IT system configurations. These standards also typically mandate formal external compliance audits to detect and remediate vulnerabilities and reveal signs of intrusion, tampering, or data exposure. Between formal audits, IT organizations normally conduct internal reviews to prepare for formal assessments, maintain compliance, and safeguard systems and data.

     

    Along with well-defined security policy and best practices, operating system configuration is a key element in achieving security standards compliance. For servers that store and process sensitive information, automated tools that validate configurations can accelerate internal reviews and make formal audits go more smoothly. More importantly, such tools help to identify weaknesses that can be remediated to prevent compromise. Oracle Solaris 11 supplies a security compliance framework based on the Security Content Automation Protocol (SCAP), a NIST standard. The framework includes the compliance(1M) utility, which invokes an implementation of the OpenSCAP toolkit (oscap). The compliance tool automates the process of security assessments, providing an easy way for administrators to check running Oracle Solaris system configurations against defined policy.

     

    This article describes how to use compliance to validate Oracle Solaris configurations and generate compliance reports. It discusses how to approach remediation when an assessment detects weaknesses and how to customize assessments to align with security policy. It also highlights best practices and strategies to protect Oracle Solaris systems and simplify the challenges of maintaining compliant systems.

     

      

    Standards-Based Benchmarks

     

    First released in Oracle Solaris 11.2, compliance produces assessments against a set of rules defined in a specific benchmark profile. At this time, the utility executes locally on a single system image; to assess multiple zones on a system, it must be run in each zone.

     

    The compliance content uses two SCAP component standards, both expressed as XML. The individual checks that examine system state are written in OVAL (Open Vulnerability and Assessment Language). The benchmarks and profiles, which group those checks into rules carrying a title, severity, rationale, and remediation text, are written in XCCDF (Extensible Configuration Checklist Description Format). The compliance framework in Oracle Solaris supplies preconfigured groups of rules organized into the following benchmarks:

     

    • The solaris benchmark, which has two profiles—Baseline and Recommended. The Baseline profile reflects a starting point for secure system configurations, while the Recommended profile defines more exacting requirements, such as encrypted swap and encrypted non-root file systems and stricter password rules (including boot passwords, a 14-character minimum length, password aging, and digit and capital-letter requirements). In addition, the Recommended profile requires non-executable stacks and BIOS or EEPROM passwords to prevent unauthorized booting.
    • The pci-dss benchmark specifies system configuration requirements to meet the Payment Card Industry Data Security Standard (PCI DSS). This standard has strict requirements aimed at protecting sensitive identity and financial data. Oracle has also published a white paper that describes how Oracle Solaris systems can be configured to comply with the 12 requirement areas in the PCI DSS standard.

     

    Benchmark configurations for the compliance script are stored in the repository /usr/lib/compliance/benchmarks; rules are stored in the directory /usr/lib/compliance/tests.

     

    The compliance framework and tools are delivered in the security/compliance package, which must be installed before use. The first command below reports the package state (Installed or Not installed); its -r option also consults the configured package repository, so the command still returns information when the package is not yet installed. The second command installs it:

     

    # pkg info -r compliance
    # pkg install security/compliance

     

    Conducting Compliance Assessments

     

    The compliance script features a number of subcommands:

     

    # compliance --help
    Usage:  compliance list [-v] [-p]
            compliance list -b [-v] [-p] [benchmark ...]
            compliance list -a [-v] [assessment ...]
            compliance guide [-p profile] [-b benchmark] [-o file]
            compliance guide -a
            compliance assess [-p profile] [-b benchmark] [-a assessment]
            compliance assess -t tailoring [-a assessment]
            compliance report [-f format] [-s what] [-a assessment] [-o file]
            compliance delete assessment
            compliance tailor [-t tailoring] [subcommand]

     

    The tailor subcommand—new in Oracle Solaris 11.3—adds the ability to customize benchmarks and produce a tailoring file that can be used to perform assessments (a discussion of customizing assessments follows after some basic usage examples).

     

    The list subcommand displays available benchmarks and profiles:

     

    # compliance list -bp
    Benchmarks:
        pci-dss:   Solaris_PCI-DSS
        solaris:   Baseline, Recommended

     

    The assess subcommand runs the specified compliance benchmark or profile. For example, this command performs an assessment using the Baseline profile of the solaris benchmark:

     

    # compliance assess -p Baseline
    Assessment will be named 'solaris.Baseline.2015-08-28,13:42'
    Title       Package integrity is verified
    Rule        OSC-54005
    Result      fail

    Title       The OS version is current
    Rule        OSC-53005
    Result      pass
    ...

     

    As the assessment runs, compliance prints a title describing each rule, the rule identifier, and the pass/fail result. In Oracle Solaris 11.3, each rule carries a unique, stable identifier (the rule labeled "Rule Test_1.1" in Oracle Solaris 11.2 is "OSC-54005" in 11.3). Stable identifiers are what make tailoring possible: site modifications are recorded in a tailoring file keyed by rule identifier, so they persist across an operating system update.

     

    Note that a user requires specific authorizations to run assessments (solaris.compliance.assess) and to generate reports from previously executed assessments (solaris.compliance.report). An administrator holding the User Management rights profile can grant these through the Compliance Assessor and Compliance Reporter rights profiles. For example, this usermod command assigns the Compliance Assessor profile to the user jdoe; as the profiles output shows, that profile also carries Compliance Reporter:

     

    # usermod -P "Compliance Assessor" jdoe
    # profiles jdoe
    jdoe:
              Compliance Assessor
              Compliance Reporter
              Basic Solaris User
              All

     

    Viewing Assessment Reports

     

    The compliance script records test results in an assessment directory named (by default) with the name of the benchmark profile and the date and time of execution. The list -a option shows the name of the assessment just completed. The assessment directory with that name contains three files:

     

    # compliance list -a
    solaris.Baseline.2015-08-28,13:42
    # ls /var/share/compliance/assessments/solaris.Baseline.2015-08-28,13:42
    log                report.html        results.xccdf.xml

     

    The log file simply captures the console output from the assessment. The results.xccdf.xml file contains all information and results related to the assessment. To view pass/fail results of tests executed during the assessment, load the HTML file (report.html) into a browser. Figure 1 shows the HTML report, which indicates seven failures for this assessment.

     


    Figure 1.  Default HTML output for the solaris.Baseline profile.

     

    It is expected that the operating system will not pass all tests after it is initially installed. In an assessment, failures highlight the OS areas that require attention and intervention to reach compliance. Oracle recommends that administrators use the compliance output to configure Oracle Solaris systems to meet specific compliance and deployment requirements. In addition to remediation steps, administrators should tailor benchmarks and run the compliance script repeatedly until requirements are met and successful test results are achieved.

     

    It's easy to scroll through the HTML results and view system configuration details that require further attention. To display failures from an assessment, select just the fail checkbox in the Rule Overview section (Figure 2).

     


    Figure 2.  Selecting only "fail" displays just the failed rules.

     

    Drilling down into each rule displays more detail about the rule and the pass/fail result. For example, clicking the "Package integrity is verified" rule shows details for this check including the reason for the failure, the severity rating, and suggested remediation steps (Figure 3).

     


    Figure 3. Rule details from an assessment, including remediation steps.

     

    Viewing Previous Assessment Results

     

    The compliance report command regenerates a report from a previously recorded assessment, optionally filtered by result:

     

    # compliance report -s -pass,fail -a solaris.Baseline.2015-08-28,13:42 \
    -o ./fails.html

     

    The -s argument works only for HTML and takes a comma-delimited list of test results to exclude or include. In the command above, tests that pass are excluded and tests that fail are included in the results. (See the compliance(1M) man page for more options for the report subcommand.)

     

    Security Guides

     

    The compliance tool can also create compliance guides that document how Oracle Solaris configurations map to benchmark standards. A guide can be useful in training administrators about configuring Oracle Solaris systems, because it contains the rationale for each security check and the steps to fix a failed check. Some standards, such as PCI DSS, stipulate a requirement to document system configuration decisions, and a guide can help to meet documentation requirements.

     

    This command generates a compliance guide based on the PCI DSS benchmark:

     

    # compliance guide -b pci-dss
    /var/share/compliance/guides/pci-dss.html

     

    Remediating Failures

     

    Using a report (such as the HTML report showing failed tests in Figure 2), an administrator can easily step through each test and determine whether the suggested remediation steps are appropriate and relevant. Remediation steps for the "Package integrity is verified" rule (Figure 3) suggest running pkg verify, evaluating the errors, and running pkg fix. After performing these steps, rerunning the same assessment shows a "pass" result for this rule (Figure 4).

     


    Figure 4. After performing the suggested remediation steps and rerunning the assessment, this rule achieves a "pass" result.

     

    Tailoring a Benchmark

     

    In some cases failures might not be relevant to a particular deployment or to your specific corporate security policy. In these cases, it might make sense to customize an existing benchmark profile, excluding or including rules to better match policy.

     

    Suppose corporate policy dictates that passwords should have a minimum length of eight characters. The default rule in the solaris.Baseline profile stipulates that passwords should have a minimum length of six characters. While it's possible to modify the XML for the default rule, an update to Oracle Solaris could overwrite the modified XML file, causing any changes to be lost. Oracle Solaris 11.3 adds the ability to tailor a profile based on an installed benchmark. Because the compliance rules have unique identifiers that are consistent across operating system updates, a tailored profile provides a way to modify a benchmark and capture site-specific changes.

     

    The compliance tailor command allows an administrator with solaris.compliance.assess rights to perform benchmark tailoring. Entering the command shows the available subcommands. Subcommand help is also provided:

     

    # compliance tailor
    Documented commands (type help <topic>):
    ========================================
    clear   delete   exit    include  list  pick
    commit  exclude  export  info     load  set

    Miscellaneous help topics:
    ==========================
    tailoring

    tailoring> help export
    Syntax: export [-x] [-o output-file]

    print the current tailoring to standard output.  The -o option will direct
    the output to the specified file.  The default output form is suitable for
    use with the tailor -f option.  The -x option selects an xml format
    suitable for installation.
    tailoring>

     

    To tailor the solaris.Baseline profile interactively and configure a password length of eight characters instead of six, first set the properties for the tailoring (the tailoring name, the benchmark, and the profile):

     

    tailoring> set tailoring=mypolicy
    tailoring:mypolicy> set benchmark=solaris
    tailoring:mypolicy> set profile=Baseline
    tailoring:mypolicy> pick

     

    Entering the pick subcommand brings up a curses-based display. In this display, rules marked with x are excluded from the profile, while rules marked with > _ are included.

     


    Figure 5. The pick screen displays the rule base for compliance assessments.

     

    Scrolling down to the user configuration section, rule OSC-46006 (which stipulates six-character passwords) is marked by > _, meaning the rule is included in the default Baseline profile. Pressing the space key or the x key deselects the rule; selecting OSC-46008 instead (as shown in Figure 6) causes the eight-character password rule to be included.

     


    Figure 6. Selecting the rule OSC-46008 instead of OSC-46006 tailors the benchmark profile.

     

    When the changes are complete, entering the commit subcommand writes out an XCCDF/XML tailoring file to /var/share/compliance/tailorings. The load subcommand allows additional changes to be made to a previously committed tailoring:

     

    tailoring> load mypolicy
    tailoring:mypolicy> info
    Properties:
        tailoring=mypolicy
        benchmark=solaris
        profile=Baseline
    tailoring:mypolicy>

     

    To port the tailoring file to another Oracle Solaris 11.3 server, create an output file for the active tailoring using the export subcommand:

     

    tailoring:mypolicy> export -o mypolicy.tailoring.out
    tailoring:mypolicy> exit

     

    The output file shows the properties and customizations for the tailoring:

     

    set tailoring=mypolicy
    # version=2015-08-31T22:40:56.000+00:00
    set benchmark=solaris
    set profile=Baseline
    # OSC-46006: Passwords require at least six characters
    exclude OSC-46006
    # OSC-46008: Passwords require at least eight characters
    include OSC-46008
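Before a tailoring file is pushed to many hosts it is worth checking it mechanically: an accidental edit that both includes and excludes a rule, a typo in a directive, or a missing property will otherwise surface only when compliance tailor -f runs on each server. The function below is an added example (not part of the article or of the compliance tool) that lints a file in the exported format shown above. It accepts only the directives visible in that export, and it assumes every rule identifier matches the OSC-nnnnn pattern used throughout this article. The two sample files embedded in it are constructed: one is a copy of the export above, the other is deliberately broken.

```shell
#!/bin/sh
# Added example, not code from the article or from Oracle.
# Lints an exported compliance tailoring file before it is imported elsewhere.
# Assumptions: directives are limited to "set tailoring=|benchmark=|profile=",
# "include RULE", "exclude RULE" and "#" comments, and rule IDs look like OSC-nnnnn.

# lint_tailoring FILE: print one line per problem found; return 1 if any.
lint_tailoring() {
    awk '
        /^[ \t]*#/ { next }                               # comment line
        NF == 0    { next }                               # blank line
        $1 == "set" && NF == 2 && $2 ~ /^(tailoring|benchmark|profile)=[^=]+$/ {
            split($2, kv, "="); have[kv[1]] = 1; next     # remember the property
        }
        ($1 == "include" || $1 == "exclude") && NF == 2 && $2 ~ /^OSC-[0-9]+$/ {
            if (($2 in act) && act[$2] != $1) {           # same rule, both actions
                printf "line %d: %s is both included and excluded\n", NR, $2; bad++
            }
            act[$2] = $1; next
        }
        { printf "line %d: unrecognised directive: %s\n", NR, $0; bad++ }
        END {
            n = split("tailoring benchmark profile", req, " ")
            for (i = 1; i <= n; i++)
                if (!(req[i] in have)) { printf "missing property: set %s=...\n", req[i]; bad++ }
            exit (bad > 0)
        }
    ' "$1"
}

# Constructed sample: the export shown in the article.
sample_tailoring_ok() {
    cat <<'EOF'
set tailoring=mypolicy
# version=2015-08-31T22:40:56.000+00:00
set benchmark=solaris
set profile=Baseline
# OSC-46006: Passwords require at least six characters
exclude OSC-46006
# OSC-46008: Passwords require at least eight characters
include OSC-46008
EOF
}

# Constructed sample with three defects: a rule both included and excluded,
# a misspelled directive, and no "set benchmark=" line.
sample_tailoring_bad() {
    cat <<'EOF'
set tailoring=mypolicy
set profile=Baseline
include OSC-46008
exclude OSC-46008
includ OSC-46006
EOF
}
```

Run lint_tailoring on the exported file and stop on a non-zero return before the import. How compliance tailor itself reacts to a malformed file is not described here, which is exactly why a cheap pre-check on the distribution side is worthwhile.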

     

    To import the customized tailoring to another Oracle Solaris 11.3 server, specify the exported filename:

     

    host2# compliance tailor -f mypolicy.tailoring.out
    tailoring:mypolicy> info
    Properties:
        tailoring=mypolicy
        benchmark=solaris
        profile=Baseline
    tailoring:mypolicy>

     

    An administrator can conduct additional testing or make other customizations. To run an assessment using the customized tailoring, specify the tailoring option with compliance assess:

     

    host2# compliance assess -t mypolicy
    Assessment will be named 'mypolicy.2015-09-01,15:37'
    Title       Package integrity is verified
    Rule        OSC-54005
    Result      pass
    ...

     

    Conducting Periodic Assessments

     

    Good security practice includes conducting internal reviews on a regular schedule. Certain standards (notably PCI DSS) stipulate recurring internal assessments in addition to formal security audits. By running the Oracle Solaris compliance tool periodically and reviewing the results carefully, administrators can systematically evaluate configurations, discover weaknesses, and potentially identify signs of intrusion: a rule that passed in the previous run and now fails, such as the package integrity check, deserves investigation before it is simply remediated.

     

    Running compliance as a cron job on a weekly or monthly basis is one way to conduct periodic assessments. But Oracle Solaris 11.3 features a new capability in its Service Management Facility (SMF) framework—Periodic and Scheduled Services—that's ideal for executing regularly scheduled events such as automatic compliance checks.  Setting up compliance as an SMF scheduled service offers advantages over cron in that it provides a means of managing the full service lifecycle (start, stop, restart, and so on). In addition, SMF can perform dependency checking, making sure other required services are in place and restarting them if necessary.

     

    Note that a scheduled service is a special case of a periodic service—the difference is simply that a periodic service starts at a time relative to its last invocation (such as 24 hours from when the service last ran) while a scheduled service starts at an absolute time (such as 5:00 a.m. on the first day of every month).

     

    To set up compliance as a periodic or scheduled service, refer to the instructions in the documentation (Developing System Services in Oracle Solaris 11.3). A start method is required to run an assessment, such as this simple example created as /lib/svc/method/compl_sched:

     

    #!/usr/sbin/sh
    #
    # SMF start method for the compl_sched service: run the site's tailored
    # assessment each time the schedule fires. The case statement accepts any
    # argument SMF passes, so the assessment always runs.
    case "$1" in
    *)
        compliance assess -t mypolicy
        ;;
    esac
    exit 0

     

    Using svcbundle is an easy way to create a manifest for the new service:

     

    # svcbundle -o /tmp/compl_sched.xml -s service-name=site/compl_sched \
      -s start-method=/lib/svc/method/compl_sched -s interval=day

     

    The XML manifest contains a scheduled_method element whose attributes carry the schedule. The svcbundle command above sets only the interval, so edit the generated manifest to add the hour attribute; the element below runs the start method compl_sched every day at 5:00 a.m.:

     

    <scheduled_method recover="true" timeout_seconds="0"
        interval="day" hour="5" exec="/lib/svc/method/compl_sched"/>

     

    After the manifest is configured, validated, and copied to the appropriate directory, it can be imported to start the service:

     

    # svccfg validate /tmp/compl_sched.xml
    # cp /tmp/compl_sched.xml /lib/svc/manifest/site/compl_sched.xml
    # svcadm restart manifest-import
    Loading smf(5) service descriptions: 1/1
    # svcs compl_sched
    STATE          STIME    FMRI
    online         10:47:08 svc:/site/compl_sched:default
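The start method above records the assessment and nothing more, so a newly failing rule is noticed only when somebody opens the report. The script below is an added example (not code from the article or from Oracle) of a start method that also parses the Title/Rule/Result records that compliance assess prints, as shown earlier, and reports every failed rule to syslog. The tailoring name mypolicy, the logger tag compl_sched, and the use of the SMF_FMRI environment variable as a guard are assumptions of this example; the sample log embedded in the script is constructed in the format shown earlier, and the exit status of compliance assess is deliberately not relied upon.

```shell
#!/bin/sh
# Added example, not code from the article or from Oracle: an SMF start method
# that runs the tailored assessment, parses the console log of the resulting
# assessment, and logs failed rules to syslog.
# Assumptions: tailoring "mypolicy", logger tag "compl_sched", assessments under
# /var/share/compliance/assessments, and SMF_FMRI set when SMF invokes a method.

TAILORING=${TAILORING:-mypolicy}
ASSESS_DIR=${ASSESS_DIR:-/var/share/compliance/assessments}

# assessment_name: read assess output on stdin, print the name from the
# "Assessment will be named '...'" line.
assessment_name() {
    sed -n "s/^Assessment will be named '\([^']*\)'.*/\1/p" | sed 1q
}

# failed_rules LOGFILE: print "RULE<TAB>TITLE" for every rule whose Result is fail.
failed_rules() {
    awk '
        $1 == "Title"  { t = $0; sub(/^Title[ \t]+/, "", t); title = t }
        $1 == "Rule"   { rule = $2 }
        $1 == "Result" && $2 == "fail" { printf "%s\t%s\n", rule, title }
    ' "$1"
}

# count_failures LOGFILE: number of failed rules, printed (an exit status
# would be capped at 255).
count_failures() {
    failed_rules "$1" | wc -l | tr -d ' '
}

# run_assessment: run the assessment and log a summary plus each failed rule.
run_assessment() {
    out=$(compliance assess -t "$TAILORING" 2>&1)
    name=$(printf '%s\n' "$out" | assessment_name)
    [ -n "$name" ] || return 1                 # no assessment was recorded
    log="$ASSESS_DIR/$name/log"
    n=$(count_failures "$log")
    if [ "$n" -gt 0 ]; then
        logger -t compl_sched -p daemon.warning "assessment $name: $n rule(s) failed"
        failed_rules "$log" | logger -t compl_sched -p daemon.warning
    else
        logger -t compl_sched -p daemon.notice "assessment $name: all rules passed"
    fi
}

# Constructed sample of an assessment log in the format compliance assess
# prints; lets the parsing functions be exercised without running compliance.
sample_log() {
    cat <<'EOF'
Assessment will be named 'mypolicy.2015-09-02,05:00'
Title       Package integrity is verified
Rule        OSC-54005
Result      fail

Title       The OS version is current
Rule        OSC-53005
Result      pass

Title       Passwords require at least eight characters
Rule        OSC-46008
Result      fail
EOF
}

# SMF exports SMF_FMRI to method scripts; only then run compliance for real and
# use the exit codes defined in smf_include.sh.
if [ -n "${SMF_FMRI:-}" ]; then
    . /lib/svc/share/smf_include.sh
    run_assessment || exit $SMF_EXIT_ERR_FATAL
    exit $SMF_EXIT_OK
fi
```

Install it as /lib/svc/method/compl_sched in place of the minimal method above; the manifest is unchanged. The method exits 0 even when rules fail: a failed compliance rule is a finding for the administrator, not a fault of the scheduled service, and SMF treats a non-zero exit from a method as a service fault rather than leaving it to run again the next day. Run the file by hand, outside SMF, to exercise the parsing functions on the constructed sample.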

     

    The compliance list command shows the assessments produced by the scheduled service, one per day at 5:00 a.m., alongside the earlier manual runs:

     

    # compliance list -a
    mypolicy.2015-09-03,05:00
    mypolicy.2015-09-02,05:00
    pci-dss.Solaris_PCI-DSS.2015-08-31,16:34
    solaris.Baseline.2015-08-28,13:42
    solaris.Baseline.2015-08-28,16:42
    solaris.Recommended.2015-08-31,16:16

     

    Locking Down a Compliant System Configuration

     

    Once a system passes the required compliance checks and security auditors have validated compliance, an administrator can lock down the configuration using immutable zones. Immutable zones are read-only root environments in Oracle Solaris 11 that can be configured for both non-global and global zones. The file-mac-profile property, which an administrator sets as a part of zone configuration, determines the zone's write policy. This property controls write access to the root file system, making it completely read-only or enabling write privileges for specific directories (such as /var and /etc). In this way, an administrator can lock down zone configuration, preventing software installation or modifications to all or parts of the root file system.

     

    The article "How to Ensure Secure, Compliant Application Deployment with Oracle Solaris 11" describes how to use immutable zones to lock down an application environment. The article also covers how to use Oracle Solaris 11 Unified Archives to clone a zone or even a complete system. By capturing an approved configuration in an archive, it's possible to propagate secure and compliant server configurations more easily. A blog by Darren Moffat ("Immutable Zones on Encrypted ZFS") describes how to combine the use of ZFS encryption with immutable zones to protect data written to a file system as well as protecting the system configuration from malicious or accidental tampering.

     

      

    Final Thoughts

     

    The compliance framework in Oracle Solaris 11 simplifies the administrative burden of conducting system assessments to meet corporate security requirements and compliance standards. Compliance checks should be a standard component in enterprise security best practices:

     

    • At initial installation and configuration of Oracle Solaris 11 servers, compliance testing can pinpoint configuration weaknesses so that they can be addressed. Tailoring assessments allows administrators to match rules against site and application security requirements.
    • Conducting assessments at regular intervals can reveal potential weaknesses and help formal audits go more quickly. Setting up compliance checks as periodic or scheduled SMF services automates this administrative task.
    • Generating guides that document system configuration decisions can clarify security practices for new administrators and provide documentation for formal audit requirements.
    • Implementing other Oracle Solaris 11 features—immutable zones, Unified Archives, and file system encryption—can make it easier to deploy and replicate compliant system configurations.

     

    As a part of the Oracle Secure Configuration Initiative, Oracle continues to invest in software assurance programs and technologies that help customers deploy Oracle products securely. The Oracle Solaris 11 compliance framework reflects Oracle's commitment to enterprise system security and compliance with industry best practices and standards.

     


     

    About the Author

     

    Ginny Henningsen has worked for the last 18 years as a freelance writer developing technical collateral and documentation for high-tech companies. Prior to that, Ginny worked for Sun Microsystems, Inc. as a Systems Engineer in King of Prussia, PA and Milwaukee, WI. Ginny has a BA from Carnegie Mellon University and an MSCS from Villanova University.

     

    Revision 1.0, 09/23/2015

     
