Wednesday Jul 22, 2009

Open Source and the US Government

Sun has long been an advocate for the use of open source software in the government (both US and abroad).  In fact, Sun Federal President and COO Bill Vass has created a series of blog entries about why the government can benefit from open source.  These reasons include:

Now, Sun and a broad array of industry giants have created the Open Source for America Consortium. In addition to Sun, founding members include Oracle, Google, Red Hat, Gnome foundation, Mozilla, Collabnet and others.  The board of advisors includes a number of industry and government luminaries that I've had the pleasure of working with in the past including:

  • Dawn Meyeriecks (formerly of DISA as well as AOL)
  • Marv Langston (former DoD Deputy CIO)
  • Bill Vass
  • Art Money (former DoD CIO)
  • Simon Phipps (Sun's Chief Open Source Officer)

From the OSA web site:

The mission of OSA is to educate decision makers in the U.S. Federal government about the advantages of using free and open source software; to encourage the Federal agencies to give equal priority to procuring free and open source software in all of their procurement decisions; and generally provide an effective voice to the U.S. Federal government on behalf of the open source software community, private industry, academia, and other non-profits. The mission incorporates three goals: (1) to effectuate changes in U.S. Federal government policies and practices so that all the government may more fully benefit from and utilize free and open source software; (2) to help coordinate these communities to collaborate with the Federal government on technology requirements; and (3) to raise awareness and create understanding among federal government leaders in the executive and legislative branches about the values and implications of open source software. OSA may also participate in standards development and other activities that may support its open source mission.

While some consider the "open source" movement to be a religion or political agenda designed to socialize software or kill proprietary vendors, what it really boils down to is simply developing software outside the company firewall so that you can take advantage of the strengths of the community.  To quote Bill Joy (former Sun co-founder), "Innovation often happens elsewhere."

Sun offers a wide variety of supported, enterprise class open source projects including MySQL, OpenSolaris, OpenSSO, Glassfish and more.  Download some open source Sun software today and you too can start experiencing the benefits of open source.

Federal Government customers can contact Sun's sales office in McLean VA by calling 703 204 4100.


Tuesday Apr 01, 2008

Solaris 10 receives DoD IPv6 certification

Solaris 10 has become the first Unix or Linux Operating System to receive IPv6 Certification from the DoD Joint Interoperability and Test Command (JITC).  JITC is the DoD organization responsible for validating products for use in the US DoD.  This most recent certification of Solaris for IPv6 standards extends our earlier IPv6 logo certification performed at the University of New Hampshire Interoperability Lab.

Solaris is the ONLY product currently listed in the "Advanced Server" Category.  Testing was completed on SPARC as well as x86/x64 platforms.

Why should you care?

Sun's continuing commitment to standards in support of the Federal Government means that our customers will be able to move quickly into their transition to the next generation of the internet.

If you'd like to try out Solaris 10 or our next generation of Solaris, known as Solaris Express, they are both available via free downloads and include free right-to-use license.  If you are not sure of the difference between the various Solaris editions, please see my earlier blog entry.


Wednesday Dec 19, 2007

Trip Report: DoD Open Conference sponsored by AFEI

Last week I attended:

3rd Annual DoD Open Conference
Sponsored by AFEI in McLean VA.  December 11-12th
Sun Attendees:  Jim Laurent, Tom Syster, Bill Vass (Keynote speaker) Paul Tatum
Agenda:  http://www.afei.org/brochure/8a03/index.cfm

This is an annual conference attended by government, industry and consultants (Mitre/IDA) to discuss open source technology, open systems and open development methodologies.  Approximately 100 people in attendance.  The President and COO of Sun Federal Bill Vass was one of the keynote speakers.

It's clear from attending this conference again (this is my third time) that there is no avoiding the use of open source tools in the Federal Government.  Whether it is something as simple as glassfish and openssh or more advanced technologies like the UltraSPARC T1 and T2 processors, open source is everywhere in the DoD.

Nick Guertin, Director Open Arch. PEO IWS Navy

Discussed the Navy's open architecture designed to achieve modularity, interoperability, standards compliance.
Discussed business issues and licensing issues around open source

Mark Tolliver, President of Palamida SW.  (formerly of Sun Micro)

Palamida delivers auditing and compliance software that compares your software build to an existing DB of open source projects, providing you with an audit of which OSS you are using, their versions, etc.

His experience in code analysis indicates that most projects consist of 30-50% open source components.  Many of these are often found to be below rev and have security vulnerabilities.  Most projects have 50% to 300% MORE OSS than they think they do.

Primary message:  Control your SW supply chain through:
    Policy
    Education
    Transparency
    Compliance (his SW can help, of course)

Mentioned Solaris/OpenSolaris


Bill Vass discussed the value of OSS and Sun's use of it.

OSS is unstoppable because of:
    Security benefits
    Cost
    No vendor lockin

Bill reviewed Sun's strong position in the open source communities and our benefits derived from open sourcing Solaris, Glassfish, OpenOffice etc.  Handed out complete JES CD kits to all attending.  (Sun was a platinum sponsor for the conference.)

He then led a panel for Q and A including Dewey Houck of Boeing and Bob Gourley, former CIO of DIA.  Intelligence agencies are a big proponent of open source.  There was active participation from the audience.

I received feedback from several people during the breaks at the Sun table that they didn't know Sun was so active and aggressive in the OSS community.


Terry Bollinger ASD/NII discussed open Source Governance including:

Evaluation of OSS
    Creating policy
    Auditing
    Education
    Monitoring

Don Adams of Tibco discussed their Open AJAX toolkit known as Bossie.

Eric Pugh of OpenSource Connections discussed the use of the "Agile Methodology" and open source development for the PathFinder program, NGIC and GCGS-A.   www.agilemanifesto.org

Chris Runge of Red Hat provided two case studies of how open source technologies allowed something to happen that was "impossible otherwise."

NSA dev of SE Linux being incorporated into production OSes such as RHAT and Suse.  First MLS OS that is part of the standard OS distribution

Real-time Linux enhancements working with IBM, and DDG-1000 (aka DDX program) in the Navy.
RHEL 4 + Real time kernel + IBM RT Java + Blade servers

Coming Soon:  Red Hat MRG = RHEL 5.1 = Messaging toolkit + Real time + Grid technologies
Important in financial/trading communities

Nick Weatherby of the Open Source Software Initiative discussed how industry is trying to facilitate OSS adoption by working with Government.

Created Government Technology Task Force to help accelerate and clear out obstacles in standards, procurement, legal issues.  Working with DISA, DoNavy, Army, AF, OSD, JFCOM, DHS, Justice, etc.

Example:  FIPS 140-2 validation of the Open SSH libraries

working on IAVA security validation and Common Criteria process for Open Source

Ball Aerospace rep provided a case study of how they took a GeoSpatial toolkit developed for the government through the process of putting it on a public open source project.  Goal was to increase adoption of their framework thereby increasing their bus. oppty for consulting services.
Obstacles included ITAR approvals, Legal, internal politics, ownership issues.

Ed Beck of CSC in NJ

discussed how they used open source modules to reduce costs and increase speed in their deployment of an AEGIS missile update for Display console and systems management tools
Display console now 60% open source based
Sys. Mgt. tools now 40% OSS based

#1 issue was licensing.  DoD is very sensitive about the fact that using the GPL license might mean giving away technology to the bad guys.  Tools used included tcl/tk, Flex/Bison, XPM, Mozilla, etc

BG Gen. Nick Justice of the US Army

discussed value and benefit of OSS in the DoD including acceleration of mission apps, lower cost, increased security etc.  Mentioned Red Hat several times.  FBPC2 is a huge RH deployment.  Future Combat System (FCS) is apparently also going to RHEL.

General Justice is a very engaging and entertaining speaker.  By all means, if you get a chance to hear him speak, do it.  He is one of the few high level military people who runs Linux on his laptop.

Andre Boisvert of Pentaho SW (formerly at Oracle, IBM and SAS institute)

Discussed how he had worked at various proprietary, closed source companies and has invested money in 3 new ventures using only open source.
OSS provides:
    Better Code
    Faster innovation
    Self policing of quality, security
Pentaho provides OSS business intelligence including ETL, OLAP etc
Zenoss provides OSS Systems management based on Python
Compiere for OSS ERP SW
Described OSS as a "disruptive force in the SW industry."

KS Shanker of IBM Federal

discussed the security aspects of open source and how he took the linux community through the Common Criteria eval process even though they didn't think it mattered originally.

David Wheeler of Institute for Defense Analysis discussed the security aspects of OSS
Vendor lockin = a security problem.
Open design is fundamental in creating secure systems
"Would the Trojan Horse have worked if it had been made of glass?"

Not ALL OSS is secure:
    Developers need to have security skills
    Needs to be widely used and reviewed
    Problems must be fixed on demand when found.

When I asked him when IBM was going to release its huge software portfolio (Tivoli, z-OS, ClearCase, AIX, WebSphere) to the open source community, he responded by pointing out that Websphere has incorporated Apache as its web server.  That sounds to me like taking from the OSS community rather than giving.

Booz Allen Hamilton rep discussed the use of an Open Source Security Test Methodology.

Tuesday Nov 27, 2007

U.S. Navy saves money with Sun Ray thin clients

If you've never heard of our Sun Ray thin client technology, you are missing the opportunity to save some real money while increasing your data security. You can read more about Sun Ray thin clients in my previous blog entry.  You don't have to believe me, however, see for yourself how the Navy's Integrated Warfare Systems Laboratory deployed 270 Sun Rays.

Some of the benefits they experienced include:

  • Improved performance over previous X terminal solution
  • Exceeded capabilities of existing, aging solution
  • Provided a solution that complied with security requirements
  • Reduced client deployment time by 80%
  • Simplified maintenance, updating only four servers instead of hundreds of desktops
  • Reduced cost per client by 50% to approximately $500 with a savings of about $500 per client

Why should you care?

Saves you money.  Enough said! 

Monday Jul 30, 2007

Using the Solaris Security toolkit to implement DISA security guidelines

Update: 8/16/12  This is a very old blog entry. However, I've had several requests to update the link for my Security Toolkit profile for Solaris 10.  Caveat.  This is based on a very old version of the DISA STIG and older versions of Solaris.  I do not warrant that this will make your system STIG compliant with the current STIG but it can be a baseline for your own customizations.  The Toolkit itself must be downloaded from My Oracle Support. (document ID 1004565.1)

Download my SST profile from 2007

You might remember my earlier blog entry about DoD security guidelines for Solaris.  As a result of Sun Federal's recent contract award from DISA for Capacity Computing services, I've been working to implement the DISA Security Technical Implementation Guidelines (STIGs) using the Solaris Security Toolkit (Wow, what a mouthful).

I started with some customization work that was done by the DISA GCCS program office.  I modified and updated it to meet most of the current STIG requirements.  I've heard many horror stories about how long it takes to secure a system properly and obtain "Authority To Connect" to a DoD network.

 I'm happy to say that the profile I've built runs in about 2 minutes on my Acer Ferrari 3400 laptop.

 First, some background!

What is the Solaris Security Toolkit?

The SST is a toolkit produced and supported by Sun to simplify and automate the process of securing a Solaris system.  The current version 4.2 supports Solaris 8, 9 and 10.  It includes audit and undo modes in addition to the hardening mode.  If you plan to use it, make sure that you also apply the latest patch 122608 from sunsolve.sun.com.  It is very customizable for your site requirements.  I have been trying to get the DISA Field Security Office to adopt and customize the SST for over two years but have not yet succeeded.

What are the STIGs?

These are security guidelines provided by the DISA Field Security Office to DoD users for securing Solaris and other Unix/Linux platforms.  Most of the recommendations make sense but there are a few silly ones.  There is a detailed book as well as a checklist and a somewhat automated set of Security Readiness Review (SRR) scripts to check the work that you've done.  The scripts are NOT perfect and sometimes provide false findings.  More on that later.

What were your results?

I downloaded and ran the latest DISA SRR scripts from March 2007 before applying the SST and afterward. I also ran the little script below to finish up the final few operations. During the "Manual Review" portion, I answered "Not a finding" for all the questions.  This means that the differences listed here are those detected by the automated portion of the SRR. 

Before
Finding Counts:
CAT I = 5/123, CAT II = 53/340, CAT III = 11/57, CAT IV = 1/5

After:
Finding Counts:
CAT I = 4/123, CAT II = 13/340, CAT III = 4/57, CAT IV = 0/5

Some of the remaining findings are false positives or out of the scope of the toolkit.  Some examples include:

 

| Finding | Category (1 is highest) | Explanation |
|---|---|---|
| Recommended patches not installed | 2 | They are but the script doesn't appear to detect them properly |
| Core Dumps not disabled | 3 | They are but the script doesn't detect properly |
| inetd disabled | 2 | It's enabled but the script looks in inetd.conf which is no longer used in Solaris 10 |
| Various Sendmail configuration file issues | 1 and 2 | Sendmail is disabled with svcadm |
| IP forwarding should be disabled | 2 | Script looks for /etc/notrouter which is no longer used.  Solaris 10 uses routeadm. |
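
Several rows above say the real state lives in Solaris 10's own tools (routeadm, coreadm, svcadm) rather than in the files the SRR script inspects. The script below is an added example, not part of the original post or of the DISA SRR scripts: it parses the output of those tools to record evidence for three of the rows. The function names are hypothetical, the sample outputs are constructed, and a POSIX shell and awk are assumed (on Solaris 10, put /usr/xpg4/bin first in PATH).

```sh
#!/bin/sh
# Added example: evidence for three SRR rows, taken from Solaris 10's own
# tools instead of legacy files. Sample outputs are constructed and abridged.

SAMPLE_ROUTEADM='ipv4-routing persistent=disabled default=enabled current=disabled
ipv6-routing persistent=disabled default=disabled current=disabled
ipv4-forwarding persistent=disabled default=disabled current=disabled
ipv6-forwarding persistent=disabled default=disabled current=disabled'

SAMPLE_COREADM='       init core file pattern: core
            global core dumps: disabled
       per-process core dumps: enabled
      global setid core dumps: disabled
 per-process setid core dumps: disabled
     global core dump logging: disabled'

# Reads "routeadm -p" output on stdin. Succeeds only if IPv4 forwarding is
# disabled both now (current=) and after the next boot (persistent=).
ipv4_forwarding_disabled() {
    awk '$1 == "ipv4-forwarding" {
             seen = 1
             for (i = 2; i <= NF; i++) {
                 if ($i == "persistent=disabled") p = 1
                 if ($i == "current=disabled")    c = 1
             }
         }
         END { exit !(seen && p && c) }'
}

# Reads "coreadm" output on stdin and prints the value for one exact label,
# so "global core dumps" is never confused with "global setid core dumps".
core_setting() {
    awk -F': *' -v want="$1" '
        { label = $1; sub(/^ +/, "", label) }
        label == want { print $2; found = 1 }
        END { exit !found }'
}

# evidence ROUTEADM_OUT COREADM_OUT SENDMAIL_STATE
# Prints one PASS/FAIL line per row. SENDMAIL_STATE is the single word that
# "svcs -H -o state svc:/network/smtp:sendmail" prints.
evidence() {
    if printf '%s\n' "$1" | ipv4_forwarding_disabled; then
        echo "PASS IP forwarding disabled (routeadm)"
    else
        echo "FAIL IP forwarding not disabled (routeadm)"
    fi
    cores=$(printf '%s\n' "$2" | core_setting "global core dumps") || cores=unknown
    if [ "$cores" = "disabled" ]; then
        echo "PASS global core dumps disabled (coreadm)"
    else
        echo "FAIL global core dumps: $cores (coreadm)"
    fi
    if [ "$3" = "disabled" ]; then
        echo "PASS sendmail service disabled (svcs)"
    else
        echo "FAIL sendmail service state: $3 (svcs)"
    fi
}

# On Solaris 10 use the live commands; elsewhere fall back to the samples.
if command -v routeadm >/dev/null 2>&1; then
    evidence "$(routeadm -p)" "$(coreadm)" \
             "$(svcs -H -o state svc:/network/smtp:sendmail)"
else
    evidence "$SAMPLE_ROUTEADM" "$SAMPLE_COREADM" "disabled"
fi
```

Attaching this output to the SRR results gives the reviewer something concrete to weigh against each automated finding.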

 

 Great, I want it now, what do I do?

  1. Install Solaris
  2. Install the latest recommended patches for Solaris (SunSolve access required)
  3. Download and install the Solaris Security toolkit
  4. Download and install the SST patch 122608. (SunSolve access required)
  5. Download this tarball containing the customized files and User Guide (please read the User Guide)
  6. cd /opt/SUNWjass
  7. tar xvf <path to tar file>
  8. Execute: time /opt/SUNWjass/bin/jass-execute -d /opt/SUNWjass/Drivers/GCCS.secure.driver -o <output file>
  9. Reboot your system
  10. Run the SRR scripts

Caveats

  • I have NOT tested this in a production DoD site or run it with a DISA security officer observing.  I have only tested it on my laptop using Solaris 10 11/06.
  • Use this profile at your own risk.  I am providing it for your convenience and provide no warranty.
  • The SST profile cannot automate everything or install anti-virus software as required.
  • I have an additional script that does some final items. (see below)

Benefits of the Solaris Security toolkit

  • Because it is automated, it can produce repeatable, predictable results
  • Because it supports Solaris 8, 9 and 10 (on both Sparc and X64/86 platforms), it can be used throughout your enterprise
  • Because it is provided, supported and updated by Sun, it can be depended upon to "do the right thing" as Solaris is updated.
  • It can be used in the global or non-global zones of Solaris 10.
  • It is easily customized for your particular site requirements.
  • It has an "undo" feature
  • Speed and accuracy.  The toolkit can complete in a few minutes what would normally take hours of error prone text editing.
  • Simple.  A single command does all the work.

Feedback

I'm interested in your feedback on how it worked for you, where my errors are and what additional capabilities you have given it.  Add a comment below. 

A quick script to do a little more.

Because of a lack of knowledge of the tool and lack of time, this script completes the last few operations.

# This script attempts to complete the processes not done by the JASS toolkit
# items here are those documented in the User's guide
# They are here because I have not yet implemented them as part
# of the STIG toolkit
# 12/21/06 jlaurent

# tighten permissions on the Man pages
echo "Current man page permissions"
ls -ld /usr/share/man
ls -ld /usr/share/info
ls -ld /usr/share/infopa
ls -ld /usr/sfw/share/man
echo "Setting man page perms to 644"

find /usr/share/man -type f -exec chmod 644 {} \;
find /usr/share/info -type f -exec chmod 644 {} \;
find /usr/share/infopa -type f -exec chmod 644 {} \;
find /usr/sfw/share/man -type f -exec chmod 644 {} \;
echo "New man page permissions"
ls -ld /usr/share/man
ls -ld /usr/share/info
ls -ld /usr/share/infopa
ls -ld /usr/sfw/share/man

#same for various other files and directories
echo "Current /var/audit permissions "
ls -ld /var/audit
echo "Setting /var/audit perms to 700"
chmod 700 /var/audit
echo "New /var/audit permissions "
ls -ld /var/audit

#same for various other files and directories
echo "Current /etc/ftpd/ftpusers permissions"
ls -ld /etc/ftpd/ftpusers
echo "Setting /etc/ftpd/ftpusers perms to 640"
chmod 640 /etc/ftpd/ftpusers
echo "New /etc/ftpd/ftpusers "
ls -ld /etc/ftpd/ftpusers

echo "Current permissions for at.deny, at.allow, cron.deny, cron.allow"
ls -l /etc/cron.d/at.deny /etc/cron.d/at.allow /etc/cron.d/cron.deny /etc/cron.d/cron.allow
echo "Setting permissions for at.deny, at.allow, cron.deny, cron.allow to 600"
chmod 600 /etc/cron.d/at.deny /etc/cron.d/at.allow /etc/cron.d/cron.deny /etc/cron.d/cron.allow
echo "New permissions for at.deny, at.allow, cron.deny, cron.allow"
ls -l /etc/cron.d/at.deny /etc/cron.d/at.allow /etc/cron.d/cron.deny /etc/cron.d/cron.allow

echo "Current traceroute permissions "
ls -l /usr/sbin/traceroute
echo "Setting traceroute perms to 4700"
chmod 4700 /usr/sbin/traceroute
echo "New traceroute permissions "
ls -l /usr/sbin/traceroute

echo "Current /etc/inet/inetd.conf permissions "
ls -l /etc/inet/inetd.conf
echo "Setting /etc/inet/inetd.conf perms to 440"
chmod 440 /etc/inet/inetd.conf
echo "New /etc/inet/inetd.conf permissions "
ls -l /etc/inet/inetd.conf

echo "Current /etc/syslog.conf permissions "
ls -l /etc/syslog.conf
echo "Setting /etc/syslog.conf perms to 640"
chmod 640 /etc/syslog.conf
echo "New /etc/syslog.conf permissions "
ls -l /etc/syslog.conf

echo "Current /var/crash permissions "
ls -ld /var/crash
echo "Setting /var/crash perms to 700"
chmod 700 /var/crash
echo "New /var/crash permissions "
ls -ld /var/crash

# changing root umask to 077 in /root/.profile and /root/.cshrc
echo "Changing root umask to 077 in /root/.profile and /root/.cshrc"
cat /root/.profile |sed "s/umask .../umask 077/g" > /root/.profile.tmp
mv /root/.profile.tmp /root/.profile
cat /root/.cshrc |sed "s/umask .../umask 077/g" > /root/.cshrc.tmp
mv  /root/.cshrc.tmp /root/.cshrc

echo "Please review the umask for .profile"
grep umask /root/.profile
echo "Please review the umask for .cshrc"
grep umask /root/.cshrc


# disable core dumps
echo "Original core configuration"
coreadm

echo "Disabling core dumps"
coreadm -d global
echo "New core configuration"
coreadm
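
The script above changes settings but never verifies them, and its sed pattern `s/umask .../umask 077/g` only rewrites an existing line with three characters after `umask `, so a file with no umask line, or with `umask 22`, is left unchanged. The following read-only audit is an added example, not the author's script and not part of the Solaris Security Toolkit: it checks the same paths and modes without modifying anything. The function names are hypothetical, and a POSIX shell and utilities are assumed (on Solaris 10, /usr/xpg4/bin/sh or ksh rather than the legacy /bin/sh).

```sh
#!/bin/sh
# Added example: read-only audit of what the follow-up script sets.

# Path and mode pairs copied from the chmod lines of the script on this page.
EXPECTED_MODES='
/var/audit 700
/etc/ftpd/ftpusers 640
/etc/cron.d/at.deny 600
/etc/cron.d/at.allow 600
/etc/cron.d/cron.deny 600
/etc/cron.d/cron.allow 600
/usr/sbin/traceroute 4700
/etc/inet/inetd.conf 440
/etc/syslog.conf 640
/var/crash 700
'

# mode_is PATH MODE: succeed only if PATH has exactly MODE.
# find -perm with an octal mode is an exact match and needs no stat(1).
mode_is() {
    [ -n "$(find "$1" -prune -perm "$2" 2>/dev/null)" ]
}

# audit_modes ROOT: check each entry under ROOT ("" for the live system).
# Prints OK, SKIP or FINDING per path; returns 1 if there is any finding.
audit_modes() {
    root=$1
    bad=0
    while read -r path mode; do
        [ -n "$path" ] || continue
        if [ ! -e "$root$path" ]; then
            echo "SKIP    $path (not present)"
        elif mode_is "$root$path" "$mode"; then
            echo "OK      $path is $mode"
        else
            echo "FINDING $path is not $mode"
            bad=1
        fi
    done <<EOF
$EXPECTED_MODES
EOF
    return "$bad"
}

# tree_findings DIR MODE: number of regular files under DIR not exactly MODE
# (the man and info trees, which the script chmods to 644 with find).
tree_findings() {
    find "$1" -type f ! -perm "$2" 2>/dev/null | wc -l | tr -d ' '
}

# last_umask FILE: value of the last uncommented umask command, if any.
last_umask() {
    awk '$1 == "umask" && $2 ~ /^[0-7]+$/ { v = $2 }
         END { if (v != "") print v }' "$1"
}

# audit_root_umask FILE...: each existing file must end up with umask 077.
audit_root_umask() {
    bad=0
    for f in "$@"; do
        if [ ! -f "$f" ]; then
            echo "SKIP    $f (not present)"
            continue
        fi
        val=$(last_umask "$f")
        case "$val" in
            077|0077|77) echo "OK      $f sets umask $val" ;;
            "")          echo "FINDING $f has no active umask line"; bad=1 ;;
            *)           echo "FINDING $f sets umask $val"; bad=1 ;;
        esac
    done
    return "$bad"
}

# Audit the live system only when asked to: sh audit.sh --run
if [ "${1:-}" = "--run" ]; then
    audit_modes ""
    audit_root_umask /root/.profile /root/.cshrc
    for d in /usr/share/man /usr/share/info /usr/share/infopa /usr/sfw/share/man; do
        echo "$d: $(tree_findings "$d" 644) file(s) not mode 644"
    done
fi
```

Run it before and after hardening, alongside the SRR scripts, to see which settings actually changed.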


Why should you care?

 Securing a computer for use on the DoD networks can be a difficult and time-consuming task.  These tools will help you deliver your mission faster, more reliably and securely.

Monday Jun 25, 2007

Solaris Trusted Extensions vs. Red Hat EL 5 and the Common Criteria

Red Hat and IBM recently announced the completion of an EAL4+ CC evaluation.  Those who follow my blog religiously (I know that you're out there), know that I have discussed the Common Criteria several times before here and here.  What most don't know is that there are a wide range of features that can result in a completed CC evaluation.

RH and IBM indeed have the same certification tests done on paper that Sun plans to achieve for the Open Source Solaris 10 with Trusted Extensions; however, WHAT they tested and WHAT customers can use and be in compliance with the test parameters is NOT AT ALL on par with what we are doing in Solaris 10 with Trusted Extensions.

The most important part of a CC Evaluation is the "Security Target."  The ST defines what will and what will NOT be considered part of the evaluation.  Red Hat and IBM's Security Target eliminates a number of key features and significantly reduces the functions available to the user.

The evaluation doesn't tell the whole story at all. Each evaluation must be looked at very closely to see exactly what was tested and what was claimed.

  • Red Hat's LSPP security policy file can be hundreds or thousands of lines long and thus potentially prone to more error. Solaris Trusted Extensions uses a series of small, easily verified files and enforcement of the policy always takes place, even with administrative processes.
  • Solaris Trusted Extensions include the Solaris Management Console GUI for configuration.
  • Sun's Solaris with Trusted Extensions can be deployed very rapidly using existing applications in a matter of minutes. This keeps the security policy simple and easy to verify and the protection provided is automatic regardless of the application being deployed.
  • RHEL 5 with its LSPP security policy has some serious, practical deployment issues that customers need to be aware of including:
    • The GUI and X-Windows components are excluded from the security target.  This is a server and command line offering ONLY.
    • No multi-level GUI. Solaris with Trusted Extensions provides both Trusted Java Desktop System (GNOME-based) and Trusted CDE
    • No multi-level file sharing. Solaris with Trusted Extensions provides multi-level NFS file sharing
    • No easy interoperability with other non-labeled OSs, such as MS Windows, Mac OS X, etc. Solaris with Trusted Extensions works in multi-platform environments without issue - we do not require communication only with other 'trusted' OSs.
    • No guarantee of application compatibility for non-Label-aware applications. Solaris with Trusted Extensions will run all existing applications, even allowing them to run in a 'multi-level' manner without modification to the code.
    • Hot Pluggable storage devices (USB and Firewire) are excluded from the evaluation.  Solaris Trusted Extensions includes these devices in our evaluation.
    • Network Printers are excluded.  Solaris Trusted Extensions supports the labeling of network printers.
    • No use of LDAP as a naming service for centralized management of user identities. Solaris Trusted Extensions supports industry standard LDAP protocols for centrally managing user id and security policy information.
    • The RHEL evaluation only applies to IBM hardware.  Sun's certifications include a variety of AMD-64 and Sparc-based platforms.
    • The RHEL evaluation only supports the ext3 and selinuxfs file systems.  Sun's evaluation for Solaris Trusted Extensions supports UFS, ZFS, PCFS, NFS, lofs, hsfs.  In addition, Solaris allows you to use QFS and VXFS as well although these were not part of the evaluated platform.

Sun has achieved CAPP & RBACPP @ EAL 4+ for Solaris 10 3/05 and is about to announce Solaris 10 11/06 has repeated this achievement and we will have our LSPP certification by the end of the CY 07.

For other comparisons, please review these useful links:

Comparing the Multilevel Security Policies of Solaris Trusted Extensions and Red Hat Enterprise Linux
http://www.sun.com/bigadmin/features/hub_articles/mls_trusted_exts.jsp

Sun Solaris Security Web Site :
www.sun.com/solaris/security/

Comparative Study of Containment Technology : a Thesis from Sweden :
http://opensolaris.org/os/community/security/news/20070601-thesis-bs-eriksson-palmroos.pdf

Glenn Faden's Blog : Chief Architect of Solaris Trusted Extensions (and Trusted Solaris 8):
http://blogs.sun.com/gfaden/

Thanks to Mark Thacker and Jane Medefesser for input to this article 

Why should you care?

Sun believes that when you deploy an OS in a secure, multi-level environment, you will want all the features, third party software and support to be the same as a standard environment.  We believe that Solaris 10 with Trusted Extensions provides a richer, more capable, easier to use platform for our security minded customers.  It is a deployment platform developed in an open source methodology, that supports a wide variety of Sparc, Intel and AMD based platforms and is freely available.

 

Monday May 14, 2007

Anti virus software for Solaris? What are they thinking?

Recently, the US DoD introduced an updated version of their "Security Technical Implementation Guide" Checklist (aka STIG) for Unix platforms.  They added a requirement for Anti-Virus software to be installed and rated it as a Category I (highest) requirement.  Within the DoD, you must follow this checklist in order to get "Authority to Connect" to the network.  It is EXTREMELY difficult to get a waiver to ignore a Category I finding.

To quote the most recent (March 2007) checklist:

GEN006640 – Virus Protection Software

Check for the existence of the Mcafee command line scan tool to be executed weekly in the cron file.  The Mcafee command line scanner is available for most Unix/Linux operating systems.  Additional tools specific for each operating system are also available and will have to be manually reviewed if they are installed.  In addition, the definitions file should not be older than 14 days.

 I have been researching the offerings of  major (and minor) AV vendors.  Please feel free to make corrections or additions to this list via the "Comments" feature of blogs.sun.com

  • TrendMicro
    • No host-based anti-virus software for Solaris (either platform)
  • Symantec
    • No host-based anti-virus software for Solaris (either platform)
  • McAfee
    • Command Line anti-virus for Solaris 10 (Sparc) and plans for X64 platform
  • F-Prot
    • Has anti-virus for Solaris on Sparc and X64 platforms.  F-Prot is based in Iceland. I'm not sure if the DoD can use their software.
  • CA
    • Web site claims support for Sun Solaris 8 and greater.  Unclear on Sparc/X64 platforms.
  • Central Command
    • Reports supporting Sun Solaris 9 or SunOS 5.9 on Sparc only
  • Avast
    • Reports having anti-virus scanner for Solaris 8-10 on Sparc and X64 platforms.  Based in Prague, Czech Republic.
  • Clam AV Open source project.  Now owned by SourceFire.
    • Has binary build for Solaris on Sparc and X64 platforms at blastwave.org
  • CyberSoft
    • VFind has support for Solaris 2.5.1, 2.6, 7, 8, 9 and 10 on Sparc and X64. Based in Conshohocken, PA.

I have also perused their virus databases in an attempt to prove with data what I know in my heart, ie. there are really no damaging Solaris viruses.

  • McAfee
    • Two "malware" findings.  Each rated as low threat. One requires that telnet port be open which most enterprises close
  • Symantec
    • 11 Total findings, most of which are vulnerabilities rather than viruses.  These vulnerabilities can all be dealt with via existing Solaris patches.
  • Trend Micro
    • 13 findings, most of which were vulnerabilities and DoS warnings, some of which were over 7 years old.
  • F-Prot
    • Lists only 2 Unix viruses that affect Apache on BSD and Linux platforms dated from 2002.

 
A similar search of the McAfee "malware" database for Windows XP returned 5300 results.

Apparently this requirement is derived from the NISPOM as evidenced by this email from a customer:

The NISPOM, referenced in the DSS scenario below is the _National Industrial Security Program Operation Manual_ (DoD 5220.22M - Feb 28, 2006)
 
Chapter 8 of the NISPOM deals with Information System (IS) Security.
 
    8-103. The information Systems Security Manager (ISSM) shall:
 
    8-103.f.(5) Implement security features for the detection of malicious code, viruses, and intruders (hackers), as appropriate.
 
    8-305 Malicious Code. Policies and procedures to detect and deter incidents caused by malicious code, such as viruses or unauthorized modification to software shall be implemented.  All files must be checked for viruses before being introduced to an IS and checked for other malicious code as feasible. The use of personal or public domain software is strongly discouraged. Each installation of such software must be approved by the ISSM. 

In my mind, the key portion of this excerpt would be the phrase, "as appropriate."  While it is certainly "appropriate" to install anti-virus software on a MS Windows platform, I can't see where it would be appropriate for a Solaris platform.

 I am doing all of this work in an attempt to get the DISA Field Security Office to eliminate the requirement or at best, reduce its severity.  If you are also running into this issue, please email me or add a comment to my blog.  At this time, I understand that DISA is planning to lower the rating of this finding to Category II.  I don't know when this change might occur.

Solaris has a number of features that can help secure your system without anti-virus software including:

  • Signed binaries
  • Basic Audit and Reporting Tool (BART)
  • No stack execution
  • Mandatory Access Control (when Trusted Extensions are enabled)
  • Solaris Containers

A white paper on Solaris security is available.  The Solaris Security Toolkit supports the hardening of Solaris 10.

Why you should care.

Solaris is known for its security.  Placing a requirement for anti-virus software on Solaris is preventing some customers from deploying it because of the paperwork required to get a waiver.  In particular, requiring Solaris users to install software that specifically searches for malware that primarily attacks a competitive platform (Windows) would appear to put Sun at a competitive disadvantage.

Wednesday Mar 07, 2007

FAQ: Securing Solaris for use in the US DoD

As an OS Ambassador at Sun who works very closely with the US DoD, I'm frequently asked how one secures Solaris for use in the DoD. The definitive source for this information is the DISA Field Security office "Security Technical Implementation Guide" (aka STIG). DISA owns and operates the data centers and networks for the US DoD. Security checklists and about 500 pages of documentation are included.

They can be downloaded at: http://iase.disa.mil/stigs/stig/index.html

In addition, DISA provides "Security Readiness Review" scripts which audit your system and report discrepancies.  They were last updated in January 2007 and include S10 support.  The SRRs are available at: http://iase.disa.mil/stigs/SRR/index.html

Some DoD organizations have created a Solaris Security Toolkit profile which accomplishes about 90% of what the STIGs require. The SST is Sun's supported "security lockdown tool" that is a free download and easily customizable. It typically executes in about 4 minutes, drastically reducing the time required to secure a system and providing automated, reproducible results.  The SST also includes "undo" and "audit" functions. The SST can significantly reduce the time that it takes you to reach "Authority to Operate" status on a DoD network.

The DISA STIGs require a wide variety of changes to the Solaris OS including:

  • Solaris auditing enabled with specific items being audited.
  • Basic Auditing and Reporting Tool enabled
  • root home directory changed to /root
  • McAfee antivirus installed (yes, even though it really only checks for Windows viruses)
  • Massive permissions and umask changes
  • TCPwrappers enabled
  • certain services must be disabled (FTP, Telnet etc)
  • Certain commands must be disabled (snoop, rsh, rexec etc)
  • Password history, lockout and construction settings
  • Banner page changes
  • PROM password settings
  • etc.

Other documents that might be of interest for security conscious customers include:

Why should you care?

 The US DoD takes computer security very seriously.  Their STIG documents provide a detailed definition of all the activities required to secure a Sun Solaris system.  Utilization of their tools and method can result in a highly secure data center operation.

The Solaris Security Toolkit can simplify this process and make it predictable, repeatable and faster than a manual process.

For the highest level of security (equivalent to the old NSA B1 level) Solaris 10 11/06 includes the capability to add Trusted Extensions to your environment. Solaris Trusted Extensions provide full label aware services to meet the most stringent multi-level OS requirements.


 



About

Jim Laurent is an Oracle Sales consultant based in Reston, Virginia. He supports US DoD customers as part of the North American Public Sector hardware organization. With over 17 years experience at Sun and Oracle, he specializes in Solaris and server technologies. Prior to Oracle, Jim worked 11 years for Gould Computer Systems (later known as Encore).
