Wednesday Sep 02, 2009

NEW: Security Enhanced OpenSolaris Drupal Stack on EC2

Over the last few months, I have had a number of postings that have talked about security enhanced virtual machine images that we have made available on Amazon Web Services. The goal behind this work was to look at how we could improve baseline security in both virtualized and Cloud Computing computing environments by pre-integrating industry accepted recommended security settings. Organizations leveraging our work would have fewer security steps to undertake as our images were configured to be compliant with the recommendations published by the Center for Internet Security as part of their Solaris Benchmark (adapted for OpenSolaris).

So with this goal in mind, we developed security-enhanced versions of the OpenSolaris 2008.11 and 2009.06 operating systems. The latter went beyond the Center for Internet Security recommendations by also adding support for encrypted swap (as well as enabling auditing and non-executable stacks by default - something that was not done for the 2008.11 version). The next logical step was to validate these images using representative applications and services to illustrate the practiality of having security capabilities pre-integrated into a golden image from which application specific versions can be created.

Building upon the lessons we have learned in the development of the security-enhanced operating system images, today, I am very happy to announce that we have taken a step forward. Using the OpenSolaris 2008.11 image as our foundation, the OpenSolaris on EC2 team with some guidance from Scott Mattoon (all around Drupal Guru!) has installed and pre-configured Drupal (v6.10) along with Apache (v2.2), MySQL (v5.0), and PHP (v5.2). You can read all of the details on the announcement.

There are two things that should be noted about this image. First, no security-relevant changes were necessary to successfully install, configure and test Drupal on this security-enhanced image. While this should likely not come as a surprise, it is an important validation that at least for some (many?) classes of applications, a security tuned golden image can be used as a foundation. This is good news for organizations who are interested in the having a common security baseline for their operating systems. The second thing to note is that MySQL was modified on this image to not listen on the network for connections. This means that the image is compliant with our original security objectives in that it is only exposing required services (e.g., Apache, SSH) and no others by default.

As with all of the others, this is a publicly available AMI (AMI ID: ami-d9ee0eb0) so give it a try and let us know how we can improve it!

Take care!

Technorati Tag:

Wednesday Dec 10, 2008

mod_privileges for Apache HTTPD

Special thanks to Matt Ingenthron for pointing out that mod_privileges has been integrated back in the Apache trunk (manual) recently. For more information check out NIQ's Soapbox posting on the subject.

Looks like I will have to find a new target (I am looking at you MySQL!) for my BluePrints. I have used the Apache with SMF privileges example in a few publications including Limiting Service Privileges in the Solaris 10 Operating System (2005) and Privilege Debugging in the Solaris 10 Operating System (2006). The content of these papers is still relevant in the general sense, but with the introduction of mod_security, some of this content will no longer be as useful for Apache. That said, lots of other services can and do benefit from the techniques described.

If you find yourself ever wanting to do something similar - converting your services to be privilege aware on Solaris 10, check out the Sun BluePrints article Privilege Bracketing in the Solaris 10 Operating System (2006). Also, check out the OpenSolaris Security Community project on Privilege Debugging as it can help you in finding out what privileges your programs and services need.

Until next time!

Glenn

Technorati Tag:

About

gbrunett

Search

Archives
« April 2014
SunMonTueWedThuFriSat
  
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
   
       
Today