Wednesday Mar 07, 2007

As an OS Ambassador at Sun who works very closely with the US DoD, I'm frequently asked how one secures Solaris for use in the DoD. The definitive source for this information is the DISA Field Security Office "Security Technical Implementation Guide" (aka STIG). DISA owns and operates the data centers and networks for the US DoD. Security checklists and about 500 pages of documentation are included.

They can be downloaded at: http://iase.disa.mil/stigs/stig/index.html

In addition, DISA provides "Security Readiness Review" scripts which audit your system and report discrepancies.  They were last updated in January 2007 and include S10 support.  The SRRs are available at: http://iase.disa.mil/stigs/SRR/index.html

Some DoD organizations have created a Solaris Security Toolkit profile which accomplishes about 90% of what the STIGs require. The SST is Sun's supported "security lockdown tool" that is a free download and easily customizable. It typically executes in about 4 minutes, drastically reducing the time required to secure a system and providing automated, reproducible results. The SST also includes "undo" and "audit" functions. The SST can significantly reduce the time that it takes you to reach "Authority to Operate" status on a DoD network.

The DISA STIGs require a wide variety of changes to the Solaris OS including:

  • Solaris auditing enabled with specific items being audited.
  • Basic Auditing and Reporting Tool enabled
  • root home directory changed to /root
  • McAfee antivirus installed (yes, even though it really only checks for Windows viruses)
  • Massive permissions and umask changes
  • TCPwrappers enabled
  • Certain services must be disabled (FTP, Telnet, etc.)
  • Certain commands must be disabled (snoop, rsh, rexec, etc.)
  • Password history, lockout and construction settings
  • Banner page changes
  • PROM password settings
  • etc.

Other documents that might be of interest for security conscious customers include:

Why should you care?

The US DoD takes computer security very seriously. Their STIG documents provide a detailed definition of all the activities required to secure a Sun Solaris system. Using their tools and methods can result in a highly secure data center operation.

The Solaris Security Toolkit can simplify this process and make it predictable, repeatable and faster than a manual process.

For the highest level of security (equivalent to the old NSA B1 level), Solaris 10 11/06 includes the capability to add Trusted Extensions to your environment. Solaris Trusted Extensions provide full label-aware services to meet the most stringent multi-level OS requirements.


 



Comments:



Jim,

Great stuff. I would also like to point out that there is a library of white papers and presentations available at the OpenSolaris Security Community. We have been linking more and more of our content there as an aggregation point for people interested in Solaris and OpenSolaris security. Again, great post.

Take care,
g

Posted by Glenn Brunette on March 08, 2007 at 09:39 AM EST #

My issue is how to configure a DoD logon banner on Solaris 10 using the Java Desktop System. I've researched on the web but was unsuccessful. I appreciate any help.

Ed Q.

Posted by Ed Quismorio on June 12, 2008 at 03:42 PM EDT #

Thanks to Brian Cameron of Sun for providing this answer.....

The best way to do this is to modify the GDM Init script so that it
launches a dialog. If you launch the dialog with "&" then the dialog
will display with the login screen. If you don't launch with "&", then
the user will need to exit the dialog (perhaps by hitting a confirmation
button) before the login screen will display.

The Init script is normally found at /etc/X11/gdm/Init/Default on
Solaris. The location of the file varies across distros, some Linux
distros install it to /etc/gdm/Init/Default, for example.

You can learn more about the GDM Init interface in the GDM docs here:

http://www.gnome.org/projects/gdm/docs/2.20/configuration.html

Posted by Jim Laurent on June 13, 2008 at 06:50 PM EDT #
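
One way to wire the dialog into the Init script, as an added example that is not part of the answer above. It assumes zenity is installed at /usr/bin/zenity and that the banner text is kept in /etc/issue; the function name `show_logon_banner` is hypothetical.

```shell
# Fragment for the GDM Init script (/etc/X11/gdm/Init/Default on Solaris).
# Assumptions (not from the original answer): zenity lives at
# /usr/bin/zenity and the banner text is stored in /etc/issue.
BANNER_FILE="${BANNER_FILE:-/etc/issue}"
BANNER_DIALOG="${BANNER_DIALOG:-/usr/bin/zenity}"

# show_logon_banner MODE
#   block  : run the dialog in the foreground, so the login screen is
#            displayed only after the user exits the dialog
#   beside : start the dialog with "&", so it is displayed together
#            with the login screen
# Returns 0 when the dialog was run or started, 1 when it could not be.
show_logon_banner() {
    mode="${1:-block}"

    # An absolute path is checked because Init runs with a minimal PATH.
    if [ ! -x "$BANNER_DIALOG" ]; then
        echo "gdm Init: dialog tool $BANNER_DIALOG not executable" >&2
        return 1
    fi
    # An empty or unreadable banner would show a blank dialog; report it.
    if [ ! -r "$BANNER_FILE" ] || [ ! -s "$BANNER_FILE" ]; then
        echo "gdm Init: banner file $BANNER_FILE missing or empty" >&2
        return 1
    fi

    case "$mode" in
        beside)
            "$BANNER_DIALOG" --text-info --title="Logon Banner" \
                --filename="$BANNER_FILE" --width=640 --height=400 &
            ;;
        *)
            # The dialog's own exit status is not used here.
            "$BANNER_DIALOG" --text-info --title="Logon Banner" \
                --filename="$BANNER_FILE" --width=640 --height=400
            ;;
    esac
    return 0
}

# In Init/Default, call it before the script's final "exit 0":
# show_logon_banner block
```

A return value of 1 is worth logging or alerting on, since it means users reached the login screen without seeing the banner.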

Does the Solaris toolkit look for security vulnerability?

Posted by Ty Moton on November 19, 2009 at 11:06 AM EST #

If by "look for security vulnerability" you mean find unknown open ports and stack exploitation issues, the answer is "NO."

The SST is designed to implement a local security lockdown policy. For example, if your organization has a policy that requires 15 character passwords, FTP disabled, packages removed and specific banner files, SST can automate that process and audit the system to ensure that the policy is being enforced.

Read about it at: http://www.sun.com/software/security/jass/

Join the Open Source SST community and contribute to it at:
http://hub.opensolaris.org/bin/view/Project+sst/

Posted by Jim Laurent on November 19, 2009 at 11:57 AM EST #
