NEW: OpenSolaris Immutable Service Containers

While the need for security and integrity is well-recognized, it is less often well-implemented. Security assessments and industry reports regularly show how sporadic and inconsistent security configurations become for organizations both large and small. Published recommended security practices and settings remain unused in many environments and existing, once secured, deployments suffer from atrophy due to neglect.

Why is this? There is no one answer. Some organizations are simply unaware of the security recommendations, tools, and techniques available to them. Others lack the necessary skill and experience to implement the guidance and maintain secured configurations. It is not uncommon for these organizations to feel overwhelmed by the sheer number of recommendations, settings and options. Still others may feel that security is not an issue in their environment. The list goes on and on, yet the need for security and integrity has never been more important.

Interestingly, the evolution and convergence of technology is cultivating new ideas and solutions to help organizations better protect their services and data. One such idea is being demonstrated by the Immutable Service Container (ISC) project. Immutable Service Containers are an architectural deployment pattern used to describe a platform for highly secure service delivery. Building upon concepts and functionality enabled by operating systems, hypervisors, virtualization, and networking, ISCs provide a secured container into which a service or set of services is deployed. Each ISC embodies at its core the key principles inherent in the Sun Systemic Security framework including: self-preservation, defense in depth, least privilege, compartmentalization and proportionality. Further, ISC design borrows from Cloud Computing principles such as service abstraction, micro-virtualization, automation, and "fail in place".

By designing service delivery platforms using the Immutable Service Containers mode, a number of significant security benefits:

  • For application owners:
    • ISCs help to protect applications and services from tampering
    • ISCs provide a consistent set of security interfaces and resources for applications and services to use
  • For system administrators:
    • ISCs isolate services from one another to avoid contamination
    • ISCs separate service delivery from security enforcement/monitoring
    • ISCs can be (mostly) pre-configured by security experts
  • For IT managers:
    • ISCs creation can be automated, pre-integrating security functionality making them faster and easier to build and deploy
    • ISCs leverage industry accepted security practices making them easier to audit and support

It is expected that Immutable Service Containers will form the most basic architectural building block for more complex, highly dynamic and autonomic architectures. The goal of the ISC project is to more fully describe the architecture and attributes of ISCs, their inherent benefits, their construction as well as to document practical examples using various software applications.

While the notion of ISCs is not based upon any one product or technology, an instantiation has been recently developed using OpenSolaris 2009.06. This instantiation offers a pre-integrated configuration leveraging OpenSolaris security recommended practices and settings. With ISCs, you are not starting from a blank slate, but rather you can now build upon the security expertise of others. Let's look at the OpenSolaris-based ISC more closely.

In an ISC configuration, the global zone is treated as a system controller and exposed services are deployed (only) into their own non-global zones. From a networking perspective, however, the entire environment is viewed as a single entity (one IP address) where the global zone acts as a security monitoring and arbitration point for all of the services running in non-global zones.

As a foundation, this highly optimized environment is pre-configured with:

Further, the default OpenSolaris ISC uses:

  • Non-Global Zone. Exposed services are deployed in a non-global zone. There they can take advantage of the core security benefits enabled by OpenSolaris non-global zones such as restricted access to the kernel, memory, devices, etc. For more information on non-global zone security capabilities, see the Sun BluePrint titled "Understanding the Security Capabilities of Solaris Zones Software". Using a fresh ISC, you can simply install your service into the provided non -global zone as you normally would.

    Further in the ISC model, each non-global zone has its own encrypted scratch space (w/its own ephemeral key), its own persistent storage location, as well as a pre-configured auditing and networking configuration that matches that of the global zone. You do not need to use the encrypted scratch space or persistent storage, but it is there if you want to take advantage of it. Obviously, additional resource controls (CPU, memory, etc.) can be added as necessary. These are not pre-configured due to the variability of service payloads.

  • Solaris Auditing. A default audit policy is implemented in the global zone and all non-global zones that tracks login and logout events, administrative events as well as all commands (and command line arguments) executed on the system. The audit configuration and audit trail are kept in the global zone where they cannot be accessed by any of the non-global zones. The audit trail is also pre-configure d to be delivered by SYSLOG (by default this information is captured in /var/log/auditlog).
  • Private Virtual Network. A private virtual network is configured by default for all of the non-global zones. This network isolates each non-global zone to its own virtual NIC. By default, the global and non-global zones can freely initiate external communications, although this can be restricted if needed. A non-global zone is not permitted to accept connections, by default. Non-global zone service s can be exposed through the global zone IP address by adjusting the IP Filter and IP NAT policies (below).
  • Solaris IP NAT. Each non-global zone is pre-configured to have a private address assigned to its virtual NIC. To allow the non -global zone to communicate with external systems and networks, an IP NAT policy is implemented. Outgoing connections are masked using the IP address of the global zone. Incoming connections are redirected based upon the port used to communicate. Beyond simple hardening of the non-global zone (a state which can be altered from within the non-global zone itself), this mechanism ensures that the global zone can control which services are exposed by the non-global zone and on which ports.
  • Solaris IP Filter. A default packet filtering policy is implemented in the global zone allowing only DHCP (for the exposed network interface) and SSH (to the global zone). Additional rules are available (but disabled) to allow access to non-global zones on an as-needed basis. Further, rules are implemented to deny external access to any non-global zone that has changed its pre-assigned (private) IP address. Packet filtering is pre-configured to log packets to SYSLOG (by default this information is captured in /var/log/ipflog).

So what does all of this really mean? Using the ISC model, you can deploy your services in a micro-virtualized environment that offers protection against kernel-based root kits (and some forms of user-land root kits), offers flexible file system immutability (based upon read-only file systems mounted into the non-global zone), can take advantage of process least privilege and resource controls, and is operated in a hardened environment where there is a packet filtering, NAT and auditing policy that is effectively out of the reach of the deployed service. This means that should a service be compromised in a non-global zone, it will not be able to impact the integrity or validity of the auditing, packet filtering, and NAT configuration or logs. While you may not be able to stop every form of attack, having reliable audit trails can significantly help to determine the extent of the breach and facilitate recovery.

The following diagram puts all of the pieces together:

Additional private virtual networking models are also being considered. All in all, the ISC model offers a very compelling deployment model. The accessiblity and attractiveness of this model is further enhanced by the availability of an ISC construction kit that allows you to take an OpenSolaris 2009.06 system and convert it to the ISC model with a single command. Sound interesting? Give it a try, come join the project and be sure to send along your feedback !

Technorati Tag:

Comments:

this is a very interesting news, i'm also pleased audit is enabled by default and even more pleased that audit information is being sent to syslog, is there something like linux' pam_tty_audit?
http://linux.die.net/man/8/pam_tty_audit
also, do you happen to know what happened with the audit_remote plugin?

Posted by nacho on July 01, 2009 at 12:29 PM EDT #

Nacho,

As I understand it, Solaris does not need pam_tty_audit as all of our default login services (telnet, SSH, rlogin, etc.) are audit aware and will properly set the audit context for an interactive login. Is this not what you need? As far as audit_remote, I believe you mean PSARC/2009/208. That project is not yet integrated, but it is one that I am tracking and will try to use once it is available. Thanks for your feedback!

Glenn

Posted by Glenn Brunette on July 01, 2009 at 01:10 PM EDT #

no, you're confusing pam_audit_tty with pam_loginuid, the former is used to do keystroke auditting. For example with the current configuration of opensolaris ISC, you would know if an user ran python interactively, but nothing more. in RedHat with pam_audit_tty you could know exactly what he typed. There is a downside though, you'd know also all the passwords, PINs,etc your users typed. Thanks for the information, these blogs make us users feel a lot closer to the engineers

Posted by nacho on July 01, 2009 at 01:32 PM EDT #

Thank you for the clarification. There is no keystroke logging functionality in OpenSolaris today although you can use DTrace to collect that kind of information. Not exactly what you are looking for however. Thanks again for your feedback! Keep it coming!

Posted by Glenn Brunette on July 01, 2009 at 01:43 PM EDT #

Coolness

Posted by dave on July 02, 2009 at 12:48 PM EDT #

It is possible to enable keystroke logging in Solaris by slightly modifying the source code of the "script" binary (some commenting out of lines and a single line to force every keytroke to be witten to a logfile), integrating it into the O/S as the default login shell, and writing a script to monitor the continuous running of the shell so as to know when a user tries to delete his logs or kill his session.
Then just offload the logs to a remote syslogd server as part of the script(s).

Posted by Wim Olivier on July 02, 2009 at 07:45 PM EDT #

that sounds a lot like a dig bad hack. and in any case, the good thing about pam_audit_tty is that keystrokes are not stored randomly, they are associated to a session, so you can reconstruct everything a given user did. it probably takes up a lot of space but i was told it was less demanding than auditing every execve call.
This feature is useful in the following case, suppose you're renting servers with tools to do things like penetration testing attacks, obviously, you're responsible for whatever they do with your servers so you need a way to know who did what in those servers, execve logging is not enough because any of those users could call perl or python interactively and you would never know what they did with those tools

Posted by nacho on July 03, 2009 at 01:46 AM EDT #

Post a Comment:
Comments are closed for this entry.
About

gbrunett

Search

Archives
« April 2014
SunMonTueWedThuFriSat
  
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
   
       
Today