Automating security enforcement and audit with N1 SPS
By gbrunett-Oracle on May 31, 2005
I noticed over the weekend that Sun's N1 Service Provisioning System (SPS) was featured on www.sun.com. The title of the feature was Accelerate Deployment from Days to Minutes. This feature reminded me that I had been wanting to talk about a proof of concept that Dave Walker, Peter Charpentier, and I did with SPS and the Solaris Security Toolkit (aka JASS). So, I guess now is as good a time as any!
For those who may not know, the Solaris Security Toolkit is an officially supported Sun product that can be used to improve the security of Solaris systems running Solaris 2.5.1 through 9 (with support for Solaris 10 on the way). The Toolkit supports SPARC, Intel and AMD platforms as well as Trusted Solaris 8. The Toolkit also supports three modes of operation: hardening (apply), undo, and audit. Lastly, the Toolkit can be used to create a security profile (based on your own security policies and standards) that can then be (re-)applied to systems. You can even use the Toolkit to assess a system against a known profile to determine its degree of compliance.
So what does this have to do with SPS? Well, for sites with tens, hundreds or even thousands of systems, keeping them secure and validating that they are all in compliance with their expected security profiles can be a daunting process. Rather than individually securing (or validating) each system, you can use SPS to do it all for you at the click of a button!
Whether you have a single security profile or many, you can still use SPS to automatically harden your systems at installation/provisioning time as well as later in their lifecycle (perhaps after patch or application installation) - all from a centralized management platform. Auditing is made easy as well, since you can evaluate all of your systems against the same (or different) profile almost simultaneously. You can even drive this functionality from the SPS command line interface, so that you can pre- or post-process the output and automatically create reports from the results. Given that the Solaris Security Toolkit supports 5 levels of verbosity, you can select the one that best fits your needs.
For large sites, for example, you may want to select a low level of verbosity such as "level 0", which simply reports whether an entire audit run passed or failed (along with a number indicating the failure count). The output looks something like:
# ./jass-execute -a hardening.driver -V 0
hardening.driver [FAIL] Grand Total: 6 Errors
For assessment runs that result in at least one failure, you could have SPS automatically re-run the report on that system using a higher level of verbosity to see exactly what the failures were. For example, you could get information like this:
# env JASS_LOG_SUCCESS=0 JASS_LOG_NOTICE=0 ./jass-execute -a hardening.driver -V 2
disable-dmi [FAIL] Service lrc:/etc/rc3_d/S77dmi was installed.
disable-dmi [FAIL] Process /usr/lib/dmi/dmispd:430:root was found.
disable-dmi [FAIL] Process /usr/lib/dmi/dmispd:1240:root was found.
disable-dmi [FAIL] Process /usr/lib/dmi/dmispd:1135:root was found.
disable-dmi [FAIL] Process /usr/lib/dmi/snmpXdmid:433:root was found.
disable-dmi [FAIL] Process /usr/lib/dmi/snmpXdmid:1141:root was found.
disable-dmi [FAIL] Script Total: 6 Errors
hardening.driver [FAIL] Driver Total: 6 Errors
hardening.driver [FAIL] Grand Total: 6 Errors
This helps reduce the amount of information that an analyst would need to sift through in order to diagnose and fix problems. In this case, the fix could be to simply ensure that the disable-dmi.fin Finish script was in the security profile of the system before running the Toolkit in hardening (apply) mode. Further, once the fix was completed, you could use SPS to reassess the system to verify that the fix was correctly implemented (by just using the Toolkit again in audit mode).
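As an added example (not from the original post, SPS or the Toolkit), here is a POSIX shell fragment that post-processes jass-execute output the way an SPS plan could: it reads the error count from the level 0 summary line, decides whether the verbose re-run is needed, and aggregates level 2 [FAIL] lines per Finish script. The sample output is constructed from the lines above (example-check is a placeholder script name), and the [PASS] form of the summary line on a clean run is an assumption.

```shell
#!/bin/sh
# Constructed sample output, modelled on the -V 0 and -V 2 runs shown above.
JASS_V0_SAMPLE='hardening.driver [FAIL] Grand Total: 4 Errors'

JASS_V2_SAMPLE='disable-dmi [FAIL] Service lrc:/etc/rc3_d/S77dmi was installed.
disable-dmi [FAIL] Process /usr/lib/dmi/dmispd:430:root was found.
disable-dmi [FAIL] Process /usr/lib/dmi/snmpXdmid:433:root was found.
disable-dmi [FAIL] Script Total: 3 Errors
example-check [FAIL] Placeholder failure line for a second Finish script.
example-check [FAIL] Script Total: 1 Error
hardening.driver [FAIL] Driver Total: 4 Errors
hardening.driver [FAIL] Grand Total: 4 Errors'

# Error count from a "Grand Total" summary line; 0 if no such line is present.
jass_error_count() {
    n=$(printf '%s\n' "$1" | awk '/Grand Total:/ { print $(NF-1); exit }')
    printf '%s\n' "${n:-0}"
}

# True (exit 0) when the level 0 run reported at least one failure, i.e. when
# SPS should schedule the verbose re-run on this host.
jass_needs_rerun() {
    [ "$(jass_error_count "$1")" -gt 0 ]
}

# Per-script failure counts from a level 2 run, skipping the Script/Driver/
# Grand Total summary lines so each finding is counted once.
jass_fail_summary() {
    printf '%s\n' "$1" | awk '
        /\[FAIL\]/ && !/Total:/ { count[$1]++ }
        END { for (s in count) printf "%s %d\n", s, count[s] }' | sort
}

# Report for one host: the headline count, then the per-script breakdown
# only when the level 0 run failed (mirrors the two-stage flow described above).
jass_host_report() {
    host=$1; v0_out=$2; v2_out=$3
    printf '%s: %s errors\n' "$host" "$(jass_error_count "$v0_out")"
    if jass_needs_rerun "$v0_out"; then
        jass_fail_summary "$v2_out" | sed "s/^/  $host /"
    fi
}

jass_host_report host-placeholder "$JASS_V0_SAMPLE" "$JASS_V2_SAMPLE"
```

In a real plan the two string arguments would be the captured output of jass-execute -V 0 and -V 2 on the managed host.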
You can even use SPS to upgrade the Toolkit software or add, remove or modify security profiles used by the Toolkit. The number of ways you can use SPS is really bounded by your imagination. In addition to the Solaris Security Toolkit, you could use SPS to automate the installation, configuration and use of other security controls like the Basic Auditing and Reporting Toolkit (BART) found in Solaris 10.
If this is a topic of interest to you, please let me know. If we get enough replies then perhaps we will do a more detailed "how-to" article describing how all of this works and could be deployed in an actual data center environment.