Monday Apr 15, 2013

DoD customer receives authority to operate SparcSupercluster

Recently, one of our good U.S. DoD customers purchased a SPARC SuperCluster system and received their "Interim Authority to Operate" on the DoD network.  Why is this a big deal?  First, allow me provide an overview of the SPARC SuperCluster system.

SPARC SuperCluster is a relatively new engineered system from Oracle consisting of:

This engineered system is designed to provide extremely high performance on database and applications while also reducing "time to mission" and cost of operations.  Because it is engineered in the factory by Oracle, it reduces the amount of vendor finger pointing, tuning, integration and incompatibilities.  It is also 100% compatible with Solaris/SPARC applications written for Solaris 11, 10, 9 and 8.

Getting the authority to operate on a DoD network means that our customer showed to their security auditors that they can properly and securely operate this large, complex, virtualized super-server in compliance with DoD standards. 

To my knowledge, this is the first instance of Solaris 11 being accredited in the US DoD.  As readers of my blog may know, the Defense Information Systems Agency (DISA) creates Security Technical Implementation Guides (STIGs) for various products and technologies.  You can find the Solaris 10 STIG documents at the DISA site, for example.  There is currently no DISA STIG document written for Solaris 11 although I am working to create one with DISA.  Because they are going through a lengthy transition from scripted compliance auditing to SCAP based auditing, the STIG for Solaris 11 is being re-written from scratch using their new Security Resource Guide for Operating systems as a baseline requirement.  Watch this site for updates on the Solaris 11 STIG process.

If there is no STIG for Solaris 11, how did this customer complete their accreditation?  DISA's guidance has alway's been, "In the absence of a DISA provided STIG, the customer may use vendor or industry recommended security practices." There are several resources publicly available for Solaris 11 and the SPARC SuperCluster:

In addition, with the help of my colleague, Kevin Rohan, I have been able to provide customers with two additional resources:

  • A spreadsheet mapping the current Solaris 10 STIG to Solaris 11 features
  • A set of scripts that can be used to configure the most common security settings.  This tool take advantage of advance Solaris 11 features such as alternate boot environments, Image Packaging System (IPS) and System Management Facility (SMF).

These tools are available from the Oracle DoD hardware sales team and not publicly posted at this time.

To summarize, I would like to remind our customers that:

  • A DISA STIG is not required to complete accreditation.
  • Solaris 11 and the SPARC SuperCluster has received an IATO from the DoD  
  • Other DoD customers have received accreditation for Exadata, Exalogic and Database Appliance engineered systems
  • Oracle can provide support to help you complete accreditation for SuperCluster, Exadata, Exalogic and Oracle Database Appliance.
  • Oracle's Engineered systems can help you reduce costs, speed time to mission and simply your operations.

Please contact me: jim dot laurent at oracle dot com for additional information.

Tuesday Sep 11, 2012

Oracle SPARC SuperCluster and US DoD Security guidelines

I've worked in the past to help our government customers understand how best to secure Solaris.  For my customer base that means complying with Security Technical Implementation Guides (STIGs) from the Defense Information Systems Agency (DISA).  I recently worked with a team to apply both the Solaris and Oracle 11gR2 database STIGs to a SPARC SuperCluster.  The results have been published in an Oracle White paper.

The SPARC SuperCluster is a highly available, high performance platform that incorporates:

  • SPARC T4-4 servers
  • Exadata Storage Servers and software
  • ZFS Storage appliance
  • InfiniBand interconnect
  • Flash Cache 
  • Oracle Solaris 11
  • Oracle VM for SPARC
  • Oracle Database 11gR2

It is targeted towards large, mission critical database, middleware and general purpose workloads. 

Using the Oracle Solution Center we configured a SSC applied DoD security guidance and confirmed functionality and performance of the system.  The white paper reviews our findings and includes a number of security recommendations.  In addition, customers can contact me for the itemized spreadsheets with our detailed STIG reports.

Some notes:

  • There is no DISA STIG  documentation for Solaris 11.  Oracle is working to help DISA create one using their new process. As a result, our report follows the Solaris 10 STIG document and applies it to Solaris 11 where applicable.
  • In my conversations over the years with DISA Field Security Office they have repeatedly told me, "The absence of a DISA written STIG should not prevent a product from being used.  Customer may apply vendor or industry security recommendations to receive accreditation."

Thanks to the core team: Kevin Rohan, Gary Jensen and Rich Qualls as well as the staff of the Oracle Solution Center and Glenn Brunette for their help in creating the document.  You should also review SPARC SuperCluster T4-4 Platform Security Principles and Capabilities by Glenn and others in Oracle's Enterprise Solution Group.

Friday Jan 07, 2011

Solaris 11 Express and US DoD Security guides

Disclaimer

This article should not be construed as a statement of compliance by Oracle or by DISA.  It is simply the result of a casual review of Solaris 11 against current DISA Security Guidelines

With the release of Solaris 11 Express, I decided to compare it against the current US DoD Security Technical Implementation Guidelines (STIGs) as maintained by my customer DISA. Solaris 11 Express is a production ready and fully supported OS from Oracle.  It was released in September 2010 at Oracle OpenWorld and provides a preview to the features and capabilities that will be available later this year in Solaris 11.  It supports SPARC and X86 platforms from Oracle as well as other vendors.  See the Hardware Compatibility List for options.

DISA owns and operates the DoD datacenters, develops a number of command and control applications, runs the DoD networks and is responsible for enforcing DoD security mandates.  The STIG checklist is a comprehensive set of requirements that system adminstrators are expected to follow in order to attach and maintain a system on DoD networks.  There are STIG documents for enclaves, dabatases, firewalls, web servers and more, but obviously, I'm only concerning myself here with the STIG document for Unix/Linux operating systems.

The DISA STIG checklist is a public document that describes specific permissions settings, password policies, administrative record keeping and more. Section 3 is 546 pages long and is where all the specific requirements can be found. There is a collection of Security Readiness Review (SRR) scripts that automate portions of the review process to assist a system administrator in evaluating the completion of the process.  These are not publicly available.

For my review, I downloaded the documents and the SRR scripts.  I then compared Solaris 11 Express feature sets to the checklist, ran the scripts and documented where Solaris 11 Express was in compliance as well as the areas in which it differed from Solaris 10.  

Some items of note:

  • The SRR scripts will sometimes generate false positive or negative results because they are looking at files that are no longer used in Solaris 11.
  • Solaris 11 features the root home directory in /root therefore complying without any extra action
  • Solaris 11 auditing is managed as an SMF service making it easier to use but causing problems in the SRR scripts
  • Solaris 11 includes a native in-kernel CIFS service rather than using Samba
  • The default ZFS root file system currently does NOT allow /var to be mounted as a separate filesystem as required by one of the STIG items.  I have made Solaris engineering aware of this requirement.
  • I had to modify only one line of the SRR scripts to allow it to run on Solaris 11.
  • Solaris 11 has a number of new privileged user accounts that cause false finding in the SRR scripts.
  • Solaris 11 by default does NOT allow a user to login as root.  root is a role.
  • Solaris 11 implements "Secure by default" upon installation allowing only SSH access.

In summary, with the exception of the /var filesystem issue, it should be possible to bring a Solaris 11 express system in compliance with DISA STIGs. Download the detailed document.  As always, comments, clarifications and corrections are welcome!

For those who are still running Solaris 10, please refer to my earlier blog entry on using the Solaris Security toolkit to facilitate the STIG process. 

About

Jim Laurent is an Oracle Sales consultant based in Reston, Virginia. He supports US DoD customers as part of the North American Public Sector hardware organization. With over 17 years experience at Sun and Oracle, he specializes in Solaris and server technologies. Prior to Oracle, Jim worked 11 years for Gould Computer Systems (later known as Encore).

Search

Archives
« April 2014
SunMonTueWedThuFriSat
  
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
   
       
Today