I noticed over the weekend that Sun's N1 Service
Provisioning System (SPS) was featured on www.sun.com. The title of the feature was Accelerate Deployment from Days to Minutes. This feature reminded me that I had been wanting to talk about a proof of concept that Dave Walker, Peter Charpentier, and I did with SPS and the Solaris Security Toolkit (aka JASS). So, I guess now is as good a time as any!
For those who may not know, the Solaris Security Toolkit is an officially
supported Sun product that can be used to improve the security of Solaris
systems running Solaris 2.5.1 through 9 (with support for Solaris 10 on
the way). The Toolkit supports SPARC, Intel and AMD platforms as well as
Trusted Solaris 8.
The Toolkit also supports three modes of operation: hardening (apply),
undo, and audit. Lastly, the Toolkit can be used to create a security
profile (based on your own security policies and standards) that can
then be (re-)applied to systems. You can even use the Toolkit to assess
a system against a known profile to determine its degree of compliance.
So what does this have to do with SPS? Well, for sites
with tens, hundreds or even thousands of systems, keeping them secure
and validating that they are all in compliance with their expected
security profiles can be a daunting process. Rather than individually
securing (or validating) each system, you can use SPS to do it all for
you at the click of a button!
Whether you have a single security profile or many, you
can still use SPS to automatically harden your systems (at
installation/provisioning time) as well as later in their lifecycle
(perhaps after patch or application installation) - all from a
centralized management platform. Auditing is made easy as well since
you can evaluate all of your systems against the same (or different)
profile almost simultaneously. You can even drive this functionality
from the SPS command line interface, so that you can pre- or
post-process the output and automatically create reports from the
results. Given that the Solaris Security Toolkit supports 5 levels of
verbosity, you can select the one that best fits your needs.
For large sites, for example, you may want to select a low level of
verbosity such as "level 0", which will simply report whether an
entire audit run passed or failed (along with a number indicating the
failure count). The output looks something like:
# ./jass-execute -a hardening.driver -V 0
[FAIL] Grand Total: 6 Errors
For assessment runs that result in at least one failure, you could
have SPS automatically re-run the report on that system using a higher
level of verbosity to see exactly what the failures were. For
example, you could get information like this:
# env JASS_LOG_SUCCESS=0 JASS_LOG_NOTICE=0 ./jass-execute -a hardening.driver -V 2
[FAIL] Service lrc:/etc/rc3_d/S77dmi was installed.
[FAIL] Process /usr/lib/dmi/dmispd:430:root was found.
[FAIL] Process /usr/lib/dmi/dmispd:1240:root was found.
[FAIL] Process /usr/lib/dmi/dmispd:1135:root was found.
[FAIL] Process /usr/lib/dmi/snmpXdmid:433:root was found.
[FAIL] Process /usr/lib/dmi/snmpXdmid:1141:root was found.
[FAIL] Script Total: 6 Errors
[FAIL] Driver Total: 6 Errors
[FAIL] Grand Total: 6 Errors
This helps reduce the amount of information that an analyst would need
to sift through in order to diagnose and fix problems. In this
case, the fix could be to simply ensure that the disable-dmi.fin Finish
script was in the security profile of the system before running the
Toolkit in hardening (apply) mode. Further, once the fix was
completed, you could use SPS to reassess the system to verify that the
fix was correctly implemented (by just using the Toolkit again in audit
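Here is an added example (not part of the original post, and not code from the Toolkit or SPS) of the per-host wrapper that an SPS deployment could invoke to implement the two-step workflow described above: run the audit at verbosity 0, parse the "Grand Total" line, and only when failures are reported re-run at verbosity 2 with success and notice logging suppressed, keeping just the per-check findings for the report. The jass-execute path, the driver name and the sample output are assumptions or constructed values, so the parsing functions can be exercised even where the Toolkit is not installed.

```shell
#!/bin/sh
# Added example: SPS-callable audit wrapper for the Solaris Security Toolkit.
# Assumptions: jass-execute lives in the current directory (override with
# JASS_EXEC) and the profile is hardening.driver (override with JASS_DRIVER).
JASS_EXEC="${JASS_EXEC:-./jass-execute}"
JASS_DRIVER="${JASS_DRIVER:-hardening.driver}"

# Extract the failure count from a level-0 run, e.g.
#   "[FAIL] Grand Total: 6 Errors"  -> 6
#   "[PASS] Grand Total: 0 Errors"  -> 0   (assumed format for a clean run)
# Prints -1 when no Grand Total line is present (treated as a tool error).
jass_failure_count() {
    count=$(printf '%s\n' "$1" \
        | sed -n 's/^\[[A-Z]*\] Grand Total: \([0-9][0-9]*\) Errors\{0,1\}.*/\1/p' \
        | tail -n 1)
    if [ -z "$count" ]; then
        echo -1
    else
        echo "$count"
    fi
}

# Keep only the per-check [FAIL] lines from a verbose run, dropping the
# Script/Driver/Grand Total summary lines, so the report lists just the
# findings an analyst has to act on.
jass_findings() {
    printf '%s\n' "$1" | grep '^\[FAIL\]' | grep -v ' Total: '
}

# Run the level-0 audit and escalate to level 2 only when it fails.
# Exit status: 0 pass, 1 findings reported, 2 tool/parse error.
audit_host() {
    host=$(uname -n)
    summary=$("$JASS_EXEC" -a "$JASS_DRIVER" -V 0 2>&1)
    failures=$(jass_failure_count "$summary")
    case "$failures" in
        0)  echo "$host: PASS"; return 0 ;;
        -1) echo "$host: ERROR (no Grand Total line in audit output)"; return 2 ;;
    esac
    echo "$host: FAIL ($failures errors)"
    # Same escalation the post shows: suppress success/notice messages so
    # only the failing checks come back.
    detail=$(env JASS_LOG_SUCCESS=0 JASS_LOG_NOTICE=0 \
        "$JASS_EXEC" -a "$JASS_DRIVER" -V 2 2>&1)
    jass_findings "$detail"
    return 1
}

# Constructed sample output in the shape shown in the post, used to
# exercise the parsing functions without a real jass-execute.
SAMPLE_LEVEL0='[FAIL] Grand Total: 6 Errors'
SAMPLE_LEVEL2='[FAIL] Service lrc:/etc/rc3_d/S77dmi was installed.
[FAIL] Process /usr/lib/dmi/dmispd:430:root was found.
[FAIL] Script Total: 2 Errors
[FAIL] Driver Total: 2 Errors
[FAIL] Grand Total: 2 Errors'

# Only perform a real audit when the Toolkit is actually present.
if [ -x "$JASS_EXEC" ]; then
    audit_host
fi
```

Because the wrapper's exit status distinguishes pass, findings and tool error, an SPS plan can branch on it per host (for example, scheduling a hardening run followed by a re-audit for hosts that returned 1) while the captured findings feed the consolidated report.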
You can even use SPS to upgrade the Toolkit software or add,
remove or modify security profiles used by the Toolkit. The number of
ways you can use SPS is really bounded by your imagination. In addition
to the Solaris Security Toolkit, you could use SPS to automate the
installation, configuration and use of other security controls like the
Basic Auditing and Reporting Toolkit (BART) found in Solaris 10.
If this is a topic of interest to you, please let me know. If we get
enough replies then perhaps we will do a more detailed "how-to" article
describing how all of this works and could be deployed in an actual
data center environment.