Hardened OpenSolaris 2009.06 on Amazon EC2 Released

AMI ID: ami-e56e8f8c
AMI Manifest: sun-opensolaris-2009-06/hardened_opensolaris_2009.06_32_1.2.img.manifest.xml
AKI/ARI ID: aki-1783627e / ari-9d6889f4
License: Public

Description:

Sun Microsystems Inc. is pleased to announce the release of Hardened OpenSolaris 2009.06 on Amazon EC2's cloud computing service. This 32-bit AMI gives you the power and security of OpenSolaris combined with the flexibility of Amazon's cloud computing service, and is optimized for Amazon EC2's cloud computing environment.

The OpenSolaris system configuration has been adjusted to comply with the recommendations published by Sun and the Center for Internet Security, a non-profit organization chartered to develop and encourage widespread use of security configuration benchmarks developed through a global consensus process involving participants from academia, industry and government. 

Working together for more than six years, Sun and the Center for Internet Security have consistently developed best-in-class, supportable and complete security hardening guidance for the Solaris operating system.

The latest version developed for the Solaris 10 operating system was completed with substantial contributions from Sun, CIS, the U.S. National Security Agency (NSA), as well as the U.S. Defense Information Systems Agency (DISA).

Building upon this foundation, Sun and the Center for Internet Security collaborated to adapt the security recommendations published in the Solaris 10 Benchmark to the OpenSolaris operating system and document those changes specific to virtual machine images such as those available on Amazon EC2. 

All of the specific changes made to the base OpenSolaris 2009.06 AMI are discussed on the Sun OpenSolaris AMI Hardening Wiki: http://wikis.sun.com/display/ISC/OpenSolaris+Security+Hardening

For more information on the Center for Internet Security's Solaris 10 Benchmark, see:
http://www.cisecurity.org/bench_solaris.html

This latest release of the hardened AMI introduces two new features: encrypted swap memory and auditing.

More information on the encrypted swap memory feature is available at
http://blogs.sun.com/gbrunett/entry/encrypted_swap_in_opensolaris_2009


This project is affiliated with the Immutable Service Container project, whose goal is to develop security-reinforced virtual machine images. The Immutable Service Container project developed the code used by this AMI to implement hardening, encrypted swap and auditing. Additional information regarding Immutable Service Containers can be found at:
http://kenai.com/projects/isc/pages/OpenSolaris


The root file system is ZFS in this AMI and includes the pre-installed packages and tools necessary to get started with using OpenSolaris on Amazon EC2. You can obtain more details about the OpenSolaris project at http://www.opensolaris.org.

Also, just like in our previous AMIs, the "pkg image-update" command has been disabled. That command updates the kernel and ramdisk, which is not permitted in Amazon EC2, so disabling it prevents your instances from becoming incompatible with the Amazon EC2 environment.

More details including re-bundling instructions can be found in the Getting Started Guide.

Rebundling Changes:

You must disable auditing during re-bundling. Execute the following commands in your clean-up tasks before running the "ec2-bundle-image" command.

bash # audit -t
bash # > /var/log/auditlog
bash # rm -f /var/audit/*

We have introduced a new ARI (ari-9d6889f4) with this AMI, so make sure you use the correct ARI with the "ec2-bundle-image" command, as shown below.

bash # ec2-bundle-image -c $EC2_CERT -k $EC2_PRIVATE_KEY \
 --kernel aki-1783627e --ramdisk ari-9d6889f4 \
 --block-device-mapping "root=rpool/56@0,ami=0,ephemeral0=1" \
 --user <userid> --arch i386 \
 -i $DIRECTORY/$IMAGE -d $DIRECTORY/parts

You can restart the audit daemon on the instance where you disabled it temporarily for re-bundling with the following command.

bash # audit -s
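The re-bundling steps above, wrapped into one script as an added example (not part of the AMI's own tooling): it refuses to bundle with a kernel/ramdisk pair other than this AMI's, confirms auditing is really off before touching the trail, and restarts auditd even if bundling fails. It assumes the OpenSolaris "audit" and "auditconfig" commands (with "auditconfig -getcond" printing "audit condition = noaudit" once the daemon is stopped), the EC2 AMI tools, and the EC2_CERT, EC2_PRIVATE_KEY, DIRECTORY, IMAGE and USERID variables being set.

```shell
#!/bin/sh
# Added wrapper for the re-bundling procedure; assumptions are listed in the
# lead-in. Nothing is bundled unless two IDs are passed on the command line.
set -eu

# Kernel and ramdisk IDs for this AMI, taken from the announcement.
EXPECTED_AKI="aki-1783627e"
EXPECTED_ARI="ari-9d6889f4"

# Succeed only when the kernel/ramdisk pair matches this AMI, so a stale
# ARI copied from an older AMI is rejected before bundling starts.
check_ids() {
    [ "$1" = "$EXPECTED_AKI" ] && [ "$2" = "$EXPECTED_ARI" ]
}

# Interpret the output of 'auditconfig -getcond' (assumed format:
# "audit condition = noaudit" after 'audit -t' has stopped the daemon).
audit_is_off() {
    case "$1" in
        *"= noaudit"*) return 0 ;;
        *)             return 1 ;;
    esac
}

rebundle() {
    aki=$1; ari=$2
    check_ids "$aki" "$ari" || { echo "wrong AKI/ARI for this AMI" >&2; return 1; }

    audit -t                                   # terminate the audit daemon
    audit_is_off "$(auditconfig -getcond)" || { echo "auditing still on" >&2; return 1; }
    : > /var/log/auditlog                      # truncate the text audit log
    rm -f /var/audit/*                         # remove binary audit trail files

    if ec2-bundle-image -c "$EC2_CERT" -k "$EC2_PRIVATE_KEY" \
        --kernel "$aki" --ramdisk "$ari" \
        --block-device-mapping "root=rpool/56@0,ami=0,ephemeral0=1" \
        --user "$USERID" --arch i386 \
        -i "$DIRECTORY/$IMAGE" -d "$DIRECTORY/parts"; then
        status=0
    else
        status=$?
    fi

    audit -s                                   # restart auditing either way
    return "$status"
}

# Usage: ./rebundle.sh aki-1783627e ari-9d6889f4
if [ $# -eq 2 ]; then
    rebundle "$1" "$2"
fi
```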


Support:

Comments:

Is a 64-bit hardened/EC2 optimized image in the works?

Posted by Ben Jencks on August 21, 2009 at 01:38 AM PDT
