As a follow-up to our previous blog on the JomaSoft VDCF tool for managing Oracle Solaris systems (virtualization, patch management and similar tasks), we want to highlight one feature of the latest JomaSoft VDCF 8.3 release that we think customers will find helpful and interesting.
Additional rules for hardening Nodes and vServers
System hardening is key to making your servers more robust and secure and to minimizing their vulnerabilities. Hardening a server means applying a range of techniques to provide a significantly more secure operating environment. The good news is that with the JomaSoft VDCF platform management framework for the Solaris Operating System this hardening can be done quickly and with minimal effort.
At present, VDCF supports 59 hardening rules. See "node -c harden help" for details.
Here is an example of how to accomplish this:
1. Assess the running system using the Solaris compliance tooling against the recommended set of rules:
-bash-5.1$ node -c assess name=g0090 benchmark=recommended
Assessing Node g0090 using Benchmark recommended
Executing compliance assess ...
...
Compliance Report for Node g0090 from 2022-10-11T11:46:39+01:00
Score: 69.621498
Total Rules: 186 Passed: 155 Failed: 31 (Error: 1 / High: 1 / Med: 29 / Low: 0 / Info: 0)
WARN: Assess Benchmark recommended of Node g0090 was not successful
2. Several rules are reported as 'fail':
-bash-5.1$ osmon -c show_compliance server=g0090 | grep fail
OSC-17000 Non-root ZFS filesystems are encrypted fail
OSC-07500 coreadm(8) configuration is correct fail
OSC-35000 /etc/motd and /etc/issue contain appropriate policy text fail
OSC-12510 Service svc:/network/nfs/fedfs-client:default is in disabled state fail
OSC-58510 Service svc:/system/filesystem/rmvolmgr is disabled or not installed fail
OSC-42011 Service svc:/network/ntp is enabled and properly configured as a client fail
OSC-34010 Service svc:/application/cups/in-lpd:default is in disabled state fail
OSC-63005 Service svc:/network/rpc/gss is enabled if and only if Kerberos is configured fail
OSC-65510 Service svc:/network/rpc/smserver is disabled or not installed fail
OSC-55010 The r-protocols services are disabled in PAM fail
OSC-73505 Only approved ports are allowed to be bound to non-loopback addresses fail
OSC-74510 ssh(1) does not forward X11 fail
OSC-88011 The tcp_wrappers feature is enabled fail
OSC-18500 Files written in ftp(1) sessions have a suitable umask fail
OSC-99011 Service svc:/system/rad:remote is in enabled state fail
OSC-85510 Responses to echo requests on multicast addresses are disabled fail
OSC-80510 Responses to ICMP echo requests on broadcast addresses are disabled fail
OSC-87500 Strict multihoming is enabled fail
OSC-82010 ICMP redirects are disabled fail
OSC-84000 The maximum number of half-open TCP connections is at least 4096 fail
OSC-44510 Password history logs the last ten passwords fail
OSC-45513 Passwords must be changed at least every 13 weeks fail
OSC-46000 Passwords must be at least 14 characters long fail
OSC-93005 User home directories have appropriate permissions fail
OSC-27510 Service svc:/network/firewall is enabled fail
OSC-34510 mesg(1) prevents talk(1) and write(1) access to remote terminals fail
OSC-25000 Inactive user accounts will be locked after 35 days fail
OSC-04511 Booting the system should require a password fail
OSC-75561 CVE-2017-5715 (Spectre): SPARC Hardware Branch Target Injection (HW_BTI) Mitigation fail
OSC-02001 Audit parameters are set to recommended values fail
3. The VDCF node command can now be used to harden the system based on the failed compliance rules reported above:
-bash-5.1$ node -c harden name=g0090 compliance
Hardening profile created: /var/opt/jomasoft/vdcf/conf/compliance/g0090_2022-10-11.hardening
Hardening started ...
OSC-02001: Audit parameters are set to recommended values - DONE
OSC-07500: coreadm(1M) configuration is correct - DONE
OSC-12510: Service svc:/network/nfs/fedfs-client:default is in disabled state - DONE
OSC-18500: Files written in ftp(1) sessions have a suitable umask - DONE
OSC-25000: Inactive user accounts will be locked after 35 days - DONE (changed from 0 to 35)
WARN: Update of /etc/firewall/pf.conf required. Only dummy entry added!
OSC-27510: Service svc:/network/firewall is enabled - DONE
OSC-34010: Service svc:/application/cups/in-lpd:default is in disabled state - DONE
OSC-34510: mesg(1) prevents talk(1) and write(1) access to remote terminals - DONE
OSC-35000: /etc/motd and /etc/issue contain appropriate policy text - DONE
OSC-42011: Service svc:/network/ntp is enabled and properly configured as a client - DONE (changed restrict default to 'ignore')
OSC-44510: Password history logs the last ten passwords - DONE
OSC-45513: Passwords must be changed at least every 13 weeks - DONE
OSC-46000: Passwords must be at least 14 characters long - DONE
OSC-55010: The r-protocols services are disabled in PAM - DONE
OSC-58510: Service svc:/system/filesystem/rmvolmgr is disabled or not installed - DONE
OSC-63005: Service svc:/network/rpc/gss is enabled if and only if Kerberos is configured - DONE
OSC-65510: Service svc:/network/rpc/smserver is disabled or not installed - DONE
OSC-74510: ssh(1) does not forward X11 - DONE (changed from yes to no)
OSC-80510: Responses to ICMP echo requests on broadcast addresses are disabled - DONE
OSC-82010: ICMP redirects are disabled - DONE
OSC-84000: The maximum number of half-open TCP connections is at least 4096 - DONE (Changed from 1024 to 4096)
OSC-85510: Responses to echo requests on multicast addresses are disabled - DONE
OSC-87500: Strict multihoming is enabled - DONE
OSC-88011: The tcp_wrappers feature is enabled - DONE (only VDCF 192.168.20.69 ssh allowed)
OSC-93005: User home directories have appropriate permissions - DONE
OSC-99011: Service svc:/system/rad:remote is in enabled state - DONE
Hardening of 26 items on Node g0090 was successful
4. Execute the compliance check once again to see what is left over:
-bash-5.1$ node -c assess name=g0090 benchmark=recommended
Assessing Node g0090 using Benchmark recommended
Executing compliance assess ...
...
Compliance Report for Node g0090 from 2022-10-11T12:08:39+01:00
Score: 96.190483
Total Rules: 186 Passed: 182 Failed: 4 (Error: 1 / High: 0 / Med: 3 / Low: 0 / Info: 0)
WARN: Assess Benchmark recommended of Node g0090 was not successful
5. Deep dive into the remaining failing rules:
-bash-5.1$ osmon -c show_compliance server=g0090 | grep fail
OSC-17000 Non-root ZFS filesystems are encrypted fail
OSC-04511 Booting the system should require a password fail
OSC-75561 CVE-2017-5715 (Spectre): SPARC Hardware Branch Target Injection (HW_BTI) Mitigation fail

ZFS filesystem encryption must be configured when the filesystems are created:
OSC-17000 Non-root ZFS filesystems are encrypted

For this rule a password would need to be set using eeprom:
OSC-04511 Booting the system should require a password

We deactivated BTI on our SPARC server for performance reasons. Because of this setup the following is reported:
OSC-75561 CVE-2017-5715 (Spectre): SPARC Hardware Branch Target Injection (HW_BTI) Mitigation
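The value of steps 2 to 5 is that every failure left after hardening is either fixed or has a documented reason. The following added example (our own illustration, not part of VDCF or the Solaris compliance tooling) parses the `osmon -c show_compliance ... | grep fail` line format shown above, compares the before and after listings, and flags any remaining failure that is not on an accepted-exceptions list. The sample lines are constructed from the output above; the ACCEPTED reasons are those given in step 5.

```python
import re

# Constructed sample input in the format printed by
# `osmon -c show_compliance server=<node> | grep fail`: before hardening ...
BEFORE = """\
OSC-17000 Non-root ZFS filesystems are encrypted fail
OSC-07500 coreadm(8) configuration is correct fail
OSC-74510 ssh(1) does not forward X11 fail
OSC-04511 Booting the system should require a password fail
OSC-75561 CVE-2017-5715 (Spectre): SPARC Hardware Branch Target Injection (HW_BTI) Mitigation fail
"""
# ... and after `node -c harden ... compliance` has run.
AFTER = """\
OSC-17000 Non-root ZFS filesystems are encrypted fail
OSC-04511 Booting the system should require a password fail
OSC-75561 CVE-2017-5715 (Spectre): SPARC Hardware Branch Target Injection (HW_BTI) Mitigation fail
"""
# Failures that are understood and accepted, with the reason from step 5.
ACCEPTED = {
    "OSC-17000": "ZFS encryption must be configured when the filesystem is created",
    "OSC-04511": "would require setting a boot password via eeprom",
    "OSC-75561": "BTI deliberately deactivated for performance",
}

# One rule per line: id, free-text description, status.
RULE_RE = re.compile(r"^(OSC-\d+)\s+(.+?)\s+(pass|fail)$")

def parse_failures(text):
    """Return {rule_id: description} for every rule reported as 'fail'."""
    failing = {}
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m and m.group(3) == "fail":
            failing[m.group(1)] = m.group(2)
    return failing

def compare_runs(before_text, after_text, accepted):
    """Classify rules as fixed, still failing but accepted, still failing
    without a documented reason, or newly failing (regressions)."""
    b, a = set(parse_failures(before_text)), set(parse_failures(after_text))
    result = {
        "fixed": sorted(b - a),
        "accepted": sorted(a & set(accepted)),
        "unexplained": sorted(a - set(accepted)),
        "regressions": sorted(a - b),
    }
    # "ok" means the run can be signed off: nothing undocumented, nothing new.
    result["ok"] = not result["unexplained"] and not result["regressions"]
    return result
```

For the sample data `compare_runs(BEFORE, AFTER, ACCEPTED)` reports OSC-07500 and OSC-74510 as fixed, the three step-5 rules as accepted and nothing unexplained; remove a rule from ACCEPTED and it shows up under "unexplained" with "ok" set to False.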
In case you missed my earlier blog on the Jomasoft 8.3 release, you can find it here: Jomasoft 8.3 release blog
About JomaSoft VDCF
VDCF (Virtual Datacenter Cloud Framework) is JomaSoft's CLI platform management and monitoring framework for Oracle Solaris. With VDCF you deploy and manage bare metal systems, LDoms and Zones in a highly automated way. VDCF is easy to use and helps to standardize the Oracle Solaris datacenter.
It saves time and reduces human errors. Based on an architecture using SAN LUNs, VDCF also offers a failover solution.
VDCF is available in two editions. The commercial version includes bug fixes, updates and support services. The free edition is limited to 5 servers and does not include support.
You can find the free edition download here: https://www.jomasoft.ch/downloads/#vdcf-free
For additional information or questions contact JomaSoft by e-mail: info@jomasoft.ch
