FAQ: Securing Solaris for use in the US DoD
By user12611852 on Mar 07, 2007
As an OS Ambassador at Sun who works very closely with the US DoD, I'm frequently asked how one secures Solaris for use in the DoD. The definitive source for this information is the DISA Field Security Office "Security Technical Implementation Guide" (aka STIG). DISA owns and operates the data centers and networks for the US DoD. The STIG package includes security checklists and about 500 pages of documentation.
They can be downloaded at: http://iase.disa.mil/stigs/stig/index.html
In addition, DISA provides "Security Readiness Review" (SRR) scripts which audit your system and report discrepancies. They were last updated in January 2007 and include Solaris 10 support. The SRRs are available at: http://iase.disa.mil/stigs/SRR/index.html
Some DoD organizations have created a Solaris Security Toolkit (SST) profile which accomplishes about 90% of what the STIGs require. The SST is Sun's supported "security lockdown tool"; it is a free download and easily customizable. It typically executes in about 4 minutes, drastically reducing the time required to secure a system and providing automated, reproducible results. The SST also includes "undo" and "audit" functions. The SST can significantly reduce the time it takes you to reach "Authority to Operate" status on a DoD network.
The DISA STIGs require a wide variety of changes to the Solaris OS including:
- Solaris auditing enabled with specific items being audited
- Basic Auditing and Reporting Tool (BART) enabled
- root home directory changed to /root
- McAfee antivirus installed (yes, even though it really only checks for Windows viruses)
- Massive permissions and umask changes
- TCP Wrappers enabled
- Certain services must be disabled (FTP, Telnet etc)
- Certain commands must be disabled (snoop, rsh, rexec etc)
- Password history, lockout and construction settings
- Banner page changes
- PROM password settings
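The SRR scripts audit a host and report discrepancies against items like the ones above. The POSIX shell script below is an added example, not DISA's SRR code or the SST, and shows the shape of such a check for two of the list items (root home must be /root; Telnet and FTP must be disabled). It reads constructed copies of /etc/passwd and of `svcs -a` output so it runs offline; the Solaris 10 FMRI names are assumed for the sample listing.

```shell
#!/bin/sh
# Added example (not DISA's SRR scripts): an offline, SRR-style audit for two
# of the STIG items above. Inputs are file copies so it runs anywhere; on a
# live Solaris 10 host you would pass /etc/passwd and the output of "svcs -a".

# Constructed sample inputs (not taken from a real host).
PASSWD_FILE=$(mktemp)
cat > "$PASSWD_FILE" <<'EOF'
root:x:0:0:Super-User:/:/sbin/sh
daemon:x:1:1::/:
EOF

SVCS_FILE=$(mktemp)
cat > "$SVCS_FILE" <<'EOF'
STATE          STIME    FMRI
online         Jan_01   svc:/network/ssh:default
online         Jan_01   svc:/network/telnet:default
disabled       Jan_01   svc:/network/ftp:default
EOF

# Prints one "FINDING:" line per discrepancy and returns the number found
# (0 means these two items are compliant).
audit_host() {
    passwd=$1
    svcs=$2
    findings=0

    # STIG item: root's home directory must be /root (field 6 of passwd).
    home=$(awk -F: '$1 == "root" { print $6 }' "$passwd")
    if [ "$home" != "/root" ]; then
        echo "FINDING: root home is '$home', expected /root"
        findings=$((findings + 1))
    fi

    # STIG item: Telnet and FTP must be disabled. Only services whose SMF
    # state is "online" count as findings; "disabled" entries are compliant.
    for fmri in $(awk '$1 == "online" { print $3 }' "$svcs" \
                  | grep -E '/(telnet|ftp):'); do
        echo "FINDING: $fmri is online, must be disabled"
        findings=$((findings + 1))
    done
    return $findings
}

audit_host "$PASSWD_FILE" "$SVCS_FILE"
echo "Findings: $?"
```

On the sample input this reports two findings (root's home is / and Telnet is online); FTP is already disabled and is not reported.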
Other documents that might be of interest for security conscious customers include:
- Center for Internet Security Benchmark for Solaris 10
- Glenn Brunette's security blog
- Sun Blueprints on Security
- The Open Solaris Security community features code, discussions, presentations and white papers
- Glenn Faden's Trusted Solaris Blog
Why should you care?
The US DoD takes computer security very seriously. Their STIG documents provide a detailed definition of all the activities required to secure a Sun Solaris system. Utilization of their tools and methods can result in a highly secure data center operation.
The Solaris Security Toolkit can simplify this process and make it predictable, repeatable and faster than a manual process.
For the highest level of security (equivalent to the old NSA B1 level), Solaris 10 11/06 includes the capability to add Trusted Extensions to your environment. Solaris Trusted Extensions provide fully label-aware services to meet the most stringent multi-level OS requirements.