NEW: Security Enhanced OpenSolaris Drupal Stack on EC2

Over the last few months, I have had a number of postings that have talked about security-enhanced virtual machine images that we have made available on Amazon Web Services. The goal behind this work was to look at how we could improve baseline security in both virtualized and cloud computing environments by pre-integrating industry-accepted recommended security settings. Organizations leveraging our work would have fewer security steps to undertake, as our images were configured to be compliant with the recommendations published by the Center for Internet Security as part of their Solaris Benchmark (adapted for OpenSolaris).

So with this goal in mind, we developed security-enhanced versions of the OpenSolaris 2008.11 and 2009.06 operating systems. The latter went beyond the Center for Internet Security recommendations by also adding support for encrypted swap (as well as enabling auditing and non-executable stacks by default - something that was not done for the 2008.11 version). The next logical step was to validate these images using representative applications and services to illustrate the practicality of having security capabilities pre-integrated into a golden image from which application-specific versions can be created.

Building upon the lessons we have learned in the development of the security-enhanced operating system images, today, I am very happy to announce that we have taken a step forward. Using the OpenSolaris 2008.11 image as our foundation, the OpenSolaris on EC2 team with some guidance from Scott Mattoon (all around Drupal Guru!) has installed and pre-configured Drupal (v6.10) along with Apache (v2.2), MySQL (v5.0), and PHP (v5.2). You can read all of the details on the announcement.

There are two things that should be noted about this image. First, no security-relevant changes were necessary to successfully install, configure and test Drupal on this security-enhanced image. While this should likely not come as a surprise, it is an important validation that at least for some (many?) classes of applications, a security-tuned golden image can be used as a foundation. This is good news for organizations who are interested in having a common security baseline for their operating systems. The second thing to note is that MySQL was modified on this image to not listen on the network for connections. This means that the image is compliant with our original security objectives in that it is only exposing required services (e.g., Apache, SSH) and no others by default.
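The "only required services exposed" property described above is easy to state and easy to regress (a package upgrade that rewrites my.cnf, for instance), so it is worth checking mechanically. The script below is an added example, not part of the original post or of the OpenSolaris on EC2 project's scripts: it audits a `netstat -an -P tcp` style listing against an allow-list of ports that may listen on a non-loopback address, and flags anything else. The two netstat listings are constructed samples in the (Open)Solaris output format; the allow-list of 22 and 80 reflects the SSH and Apache services the post names.

```shell
#!/bin/sh
# Added example (not from the original post): flag TCP listeners bound to a
# non-loopback address whose port is not on an explicit allow-list.
# Input format assumed: `netstat -an -P tcp` on (Open)Solaris, where the local
# address is printed as host.port (e.g. "*.22", "127.0.0.1.3306").

# Constructed sample: compliant host. SSH and Apache listen on all interfaces,
# MySQL is bound to the loopback address only.
COMPLIANT_NETSTAT='
TCP: IPv4
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q    State
-------------------- -------------------- ----- ------ ----- ------ -----------
      *.22                 *.*                0      0 49152      0 LISTEN
      *.80                 *.*                0      0 49152      0 LISTEN
127.0.0.1.3306             *.*                0      0 49152      0 LISTEN
'

# Constructed sample: non-compliant host. MySQL listens on every interface.
NONCOMPLIANT_NETSTAT='
TCP: IPv4
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q    State
-------------------- -------------------- ----- ------ ----- ------ -----------
      *.22                 *.*                0      0 49152      0 LISTEN
      *.80                 *.*                0      0 49152      0 LISTEN
      *.3306               *.*                0      0 49152      0 LISTEN
'

# unexpected_listeners NETSTAT_OUTPUT "PORT PORT ..."
# Prints each listening port that is reachable from the network (bound to
# something other than 127.x or ::1) and is not in the allow-list.
# Returns 0 when nothing unexpected is found, 1 otherwise.
unexpected_listeners() {
    netstat_output=$1
    allowed=$2
    found=$(printf '%s\n' "$netstat_output" | awk -v allowed="$allowed" '
        BEGIN {
            n = split(allowed, a, " ")
            for (i = 1; i <= n; i++) ok[a[i]] = 1
        }
        $NF == "LISTEN" {
            addr = $1
            # Solaris prints host.port; the port is everything after the last dot.
            if (match(addr, /\.[0-9]+$/) == 0) next
            port = substr(addr, RSTART + 1)
            host = substr(addr, 1, RSTART - 1)
            # Loopback-only listeners are not network exposed; skip them.
            if (host ~ /^127\./ || host == "::1") next
            if (!(port in ok)) print port
        }')
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Demonstration on the constructed samples.
unexpected_listeners "$COMPLIANT_NETSTAT" "22 80" \
    && echo "compliant sample: only allow-listed services are exposed"
unexpected_listeners "$NONCOMPLIANT_NETSTAT" "22 80" \
    || echo "non-compliant sample: unexpected listener(s) listed above"
```

On a live OpenSolaris host the check would be run as `unexpected_listeners "$(netstat -an -P tcp)" "22 80"`; the parser is specific to the Solaris host.port address format, so the address split would need adjusting for Linux `netstat`/`ss` output. The MySQL side of the post's change is the `[mysqld]` setting `skip-networking` (Unix socket only) or `bind-address = 127.0.0.1` in my.cnf; which of the two the image uses is not stated in the post.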

As with all of the others, this is a publicly available AMI (AMI ID: ami-d9ee0eb0) so give it a try and let us know how we can improve it!

Take care!

Comments:

I think it's a great idea to make a security-enhanced Solaris image. But I have a suggestion/question: some other OSes like *BSD or Linux use a very useful feature called ASLR (Address space layout randomization). It's a nice feature to protect from return-into-libc... And I don't find any equivalent on Solaris.

Do you think that Solaris will implement that in the future? It may already be in the to-do list, I don't know...

Posted by Rascagneres Paul on September 02, 2009 at 09:42 PM EDT #

Glenn - are you planning to publish the "golden image" versions you mentioned in the second paragraph too? In the past we've deployed our S10 boxes just using JASS to secure the system, but I'm often asked about whether there are further hardening measures that we might take. These look like they would do the trick - at least for testing and/or comparison with what we have now.

Posted by Tim @ Home on September 02, 2009 at 11:04 PM EDT #

Paul,

I would love to add additional capabilities such as ASLR into our security-enhanced images, but unfortunately that functionality does not exist in OpenSolaris. As new capabilities emerge, I certainly plan to incorporate them as best I can. A good example is ZFS Crypto. I have a version of an Immutable Service Container (http://kenai.com/projects/isc/pages/OpenSolaris) that uses ZFS Crypto in place of Encrypted LOFI for things like encrypted swap and scratch space. Once ZFS Crypto is widely available, then we can begin using that more broadly in images we publish to EC2, for example. Until then, we need to work with what we have. I would encourage you to go to http://www.opensolaris.org/bug/report.jspa and submit your requests for features and enhancements so that we can better track customer interest in specific capabilities. Thanks for taking the time to share your feedback!

Take care,
g

Posted by Glenn Brunette on September 03, 2009 at 02:34 AM EDT #

Tim,

The images that we publish to Amazon's EC2 service are examples of Golden Images that we have made freely available. Today, we have security-enhanced images for stock OpenSolaris 2008.11 and OpenSolaris 2009.06 as well as this new one featuring an AMP stack configured with Drupal. It is my hope that as time moves forward we will continue to offer new and different stacks that use (as their foundation) the security-enhanced baseline. In terms of JASS, the changes made to our images should align with the "CIS" driver that ships with JASS. It is not an exact match as there were some changes we needed to make to account for differences between OpenSolaris and Solaris 10 (as well as a couple of Amazon EC2 specific deltas). We did publish the hardening scripts as well as everything else as part of the Immutable Service Container project (http://kenai.com/projects/isc/pages/OpenSolaris). If you follow the "Download" steps on that page, you can download the scripts we are using. Also, in terms of "Golden Images", we have published a pre-configured OpenSolaris ISC in Open Virtualization Format (OVF) - also available from the same page. Please let me know if these help!

Take care,
g

Posted by Glenn Brunette on September 03, 2009 at 02:40 AM EDT #

Dear sir,
I want to know about the new sumineats and study in Sun Microsystems and about this program and how I can participate to study and how much the fee of the study is.

Posted by Marwan Abdulla Ibrahiem Fadhel on September 03, 2009 at 06:40 PM EDT #

I am afraid that I do not understand what you are asking. Are you looking for additional resources for OpenSolaris, OpenSolaris security, or something else? Please let me know and I will try to direct you as best I can.

Take care,
Glenn

Posted by Glenn Brunette on September 04, 2009 at 02:08 AM EDT #
