Hardened OpenSolaris 2009.06 on Amazon EC2 Released
By Divyen Patel on Aug 14, 2009
||aki-1783627e / ari-9d6889f4
Sun Microsystems Inc. is pleased to announce the release of Hardened OpenSolaris 2009.06 on Amazon EC2's cloud computing service. This 32-bit AMI gives you the power and security of OpenSolaris combined with the flexibility of Amazon's cloud computing service, and is optimized for Amazon EC2's cloud computing environment.
The OpenSolaris system configuration has been adjusted to comply with the recommendations published by Sun and the Center for Internet Security, a non-profit organization chartered to develop and encourage widespread use of security configuration benchmarks developed through a global consensus process involving participants from academia, industry and government.
Working together for more than six years, Sun and the Center for Internet Security have consistently developed best-in-class, supportable and complete security hardening guidance for the Solaris operating system.
The latest version developed for the Solaris 10 operating system was completed with substantial contributions from Sun, CIS, the U.S. National Security Agency (NSA), as well as the U.S. Defense Information Systems Agency (DISA).
Building upon this foundation, Sun and the Center for Internet Security collaborated to adapt the security recommendations published in the Solaris 10 Benchmark to the OpenSolaris operating system and document those changes specific to virtual machine images such as those available on Amazon EC2.
All of the specific changes made to the base OpenSolaris 2009.06 AMI are discussed on the Sun OpenSolaris AMI Hardening Wiki : http://wikis.sun.com/display/ISC/OpenSolaris+Security+Hardening
For more information on the Center for Internet Security's Solaris 10 Benchmark, see:
New features introduced with this latest release of Hardened Security AMI are "Encrypted swap memory" and "auditing".
More information on "Encrypted Swap Memory" feature is available at
This project is affiliated with the Immutable Service Container project whose goal is to develop security reinforced virtual machine images. The Immutable Service Container project developed the code used by this AMI to implement hardening, encrypted swap and auditing. Additional information regarding Immutable Service Containers can be found at:
The root file system is ZFS in this AMI and includes the pre-installed packages and tools necessary to get started with using OpenSolaris on Amazon EC2. You can obtain more details about the OpenSolaris project at http://www.opensolaris.org.
Also, just like in our previous AMIs, the "pkg
image-update" command updates the kernel and ramdisk which is not
allowed in Amazon EC2. Therefore, in order to prevent your instances from
becoming non-compatible with the Amazon EC2 environment, we have
disabled this command.
More details including re-bundling instructions can be found in the Getting Started Guide.
You must disable auditing during re-bundling. You
can execute following commands in your clean up tasks before executing
bash # audit -t
bash # > /var/log/auditlog
bash # rm -f /var/audit/\*
As you can see we have introduced the new ARI (ari-9d6889f4) with this AMI, make sure you use the correct ARI with the "ec2-bundle-image" command as given below.
bash # ec2-bundle-image -c $EC2_CERT -k $EC2_PRIVATE_KEY \\
--kernel aki-1783627e --ramdisk ari-9d6889f4 \\
--block-device-mapping "root=rpool/56@0,ami=0,ephemeral0=1" \\
--user <userid> --arch i386 \\
-i $DIRECTORY/$IMAGE -d $DIRECTORY/parts
You can restart the audit daemon on the instance where you disabled it temporarily for re-bundling with following command.
bash # audit -s
- For technical support during the Beta period, please contact ec2-solaris-support[AT]SUN[DOT]COM.
- Please check OpenSolaris on Amazon EC2 blog for latest updates and new information about OpenSolaris AMIs.
The "OpenSolaris on Amazon EC2 Getting Started Guide" is located at:
- Register for OpenSolaris AMIs here.