Solaris 11 Express and US DoD Security guides
By user12611852 on Jan 07, 2011
This article should not be construed as a statement of compliance by Oracle or by DISA. It is simply the result of a casual review of Solaris 11 against current DISA Security Guidelines.
With the release of Solaris 11 Express, I decided to compare it against the current US DoD Security Technical Implementation Guidelines (STIGs) as maintained by my customer DISA. Solaris 11 Express is a production ready and fully supported OS from Oracle. It was released in September 2010 at Oracle OpenWorld and provides a preview to the features and capabilities that will be available later this year in Solaris 11. It supports SPARC and X86 platforms from Oracle as well as other vendors. See the Hardware Compatibility List for options.
DISA owns and operates the DoD datacenters, develops a number of command and control applications, runs the DoD networks and is responsible for enforcing DoD security mandates. The STIG checklist is a comprehensive set of requirements that system administrators are expected to follow in order to attach and maintain a system on DoD networks. There are STIG documents for enclaves, databases, firewalls, web servers and more, but obviously, I'm only concerning myself here with the STIG document for Unix/Linux operating systems.
The DISA STIG checklist is a public document that describes specific permissions settings, password policies, administrative record keeping and more. Section 3 is 546 pages long and is where all the specific requirements can be found. There is a collection of Security Readiness Review (SRR) scripts that automate portions of the review process to assist a system administrator in evaluating the completion of the process. These are not publicly available.
For my review, I downloaded the documents and the SRR scripts. I then compared Solaris 11 Express feature sets to the checklist, ran the scripts and documented where Solaris 11 Express was in compliance as well as the areas in which it differed from Solaris 10.
Some items of note:
- The SRR scripts will sometimes generate false positive or negative results because they are looking at files that are no longer used in Solaris 11.
- Solaris 11 places the root home directory in /root, so this item is satisfied without any extra action.
- Solaris 11 auditing is managed as an SMF service, making it easier to use but causing problems in the SRR scripts.
- Solaris 11 includes a native in-kernel CIFS service rather than using Samba.
- The default ZFS root file system currently does NOT allow /var to be mounted as a separate filesystem as required by one of the STIG items. I have made Solaris engineering aware of this requirement.
- I had to modify only one line of the SRR scripts to allow it to run on Solaris 11.
- Solaris 11 has a number of new privileged user accounts that cause false findings in the SRR scripts.
- Solaris 11 by default does NOT allow a user to login as root. root is a role.
- Solaris 11 implements "Secure by default" upon installation allowing only SSH access.
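Three of the items above (root is a role, root's home is /root, and /var as a separate filesystem) are the kind of file-based checks an SRR script performs. The script below is an added illustration written for this post, not code from the post, from Oracle or from the DISA SRR scripts. It assumes the standard Solaris layouts: /etc/user_attr with `type=role` in the attribute field, /etc/passwd with the home directory in field 6, and /etc/mnttab with the mount point in column 2. The sample files it reads are constructed stand-ins for the real system files, written to a temporary directory so the script runs anywhere.

```sh
#!/bin/sh
# Added example: minimal STIG-style checks over Solaris 11 configuration
# files. The three sample files below are constructed, not taken from a
# real system; pass the real paths (/etc/user_attr, /etc/passwd,
# /etc/mnttab) to the check functions to review an actual host.

WORK=$(mktemp -d)

# Constructed /etc/user_attr: root is a role, jdoe may assume it.
cat > "$WORK/user_attr" <<'EOF'
root::::type=role;auths=solaris.*;profiles=All
jdoe::::type=normal;roles=root
EOF

# Constructed /etc/passwd: root's home directory is /root.
cat > "$WORK/passwd" <<'EOF'
root:x:0:0:Super-User:/root:/usr/bin/bash
jdoe:x:100:10:Jane Doe:/export/home/jdoe:/usr/bin/bash
EOF

# Constructed /etc/mnttab in the default ZFS-root layout: no separate /var.
cat > "$WORK/mnttab" <<'EOF'
rpool/ROOT/solaris / zfs dev=1234 1294400000
/devices /devices devfs dev=5680 1294400000
rpool/export/home /export/home zfs dev=1235 1294400000
EOF

# Returns 0 when root's user_attr entry carries type=role (no direct root login).
root_is_role() {
    grep '^root:' "$1" | grep -q 'type=role'
}

# Returns 0 when root's home directory (passwd field 6) is /root.
root_home_is_root() {
    home=$(grep '^root:' "$1" | cut -d: -f6)
    [ "$home" = "/root" ]
}

# Returns 0 when /var is mounted as its own filesystem (mnttab column 2).
var_is_separate() {
    while read -r _dev mountpoint _rest; do
        [ "$mountpoint" = "/var" ] && return 0
    done < "$1"
    return 1
}

# Print one PASS/FAIL line per item; $1..$3 are user_attr, passwd, mnttab.
stig_quick_review() {
    if root_is_role "$1"; then echo "PASS root is a role"; else echo "FAIL root is a login account"; fi
    if root_home_is_root "$2"; then echo "PASS root home is /root"; else echo "FAIL root home is not /root"; fi
    if var_is_separate "$3"; then echo "PASS /var is a separate filesystem"; else echo "FAIL /var is not a separate filesystem"; fi
}

stig_quick_review "$WORK/user_attr" "$WORK/passwd" "$WORK/mnttab"
```

Against the constructed files the first two checks pass and the /var check fails, which matches the state of a default Solaris 11 Express install described in the list; a real SRR run would also need the audit service and privileged-account checks, which depend on `svcs` output rather than flat files.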
In summary, with the exception of the /var filesystem issue, it should be possible to bring a Solaris 11 Express system into compliance with DISA STIGs. Download the detailed document. As always, comments, clarifications and corrections are welcome!
For those who are still running Solaris 10, please refer to my earlier blog entry on using the Solaris Security toolkit to facilitate the STIG process.