Hardening - Setting Solaris 11 Security Settings using the compliance command

The  compliance program produces security assessments and reports. Essentially an evaluation of the security  configuration  of  a system, conducted against a benchmark.

No more having a list of things you have to check and having to follow some doc to implement the settings. The compliance command makes things easy peasy.

If you don't find the compliance command, install pkg:/security/compliance.

First off, list the assessments available.

# compliance list -p
Benchmarks:
pci-dss:        Solaris_PCI-DSS
solaris:        Baseline, Recommended
Assessments:
        No assessments available

I recommend running the solaris Recommended check (if you've got cardholder information on your system, you'll need to be doing the pci-dss check instead).

compliance assess -b solaris -p Recommended
compliance report -a solaris.Recommended.2016-09-05,15:33

This outputs an html file that I usually mail myself. If you rock a GUI, then just view the html file in a browser.

Tadaaa! You now have a document that not only tells you what needs to be done - but also how to do it. And when everything in your report is green - now you have a report to forward onto the relevant people.

---

Some of you will end up with reports with some red in it because there are settings you don't want to/can't  change. For example, on the SuperCluster, you're going to need NFS to access your storage. Luckily compliance gives you the ability to customise its assessments.

First list the rules we want to exclude:

Service svc:/network/nfs/status is disabled or not installed OSC-40010

Service svc:/network/nfs/nlockmgr is disabled or not installed OSC-38510

Service svc:/network/nfs/server is disabled or not installed OSC-39510

Service svc:/network/nfs/rquota is disabled or not installed OSC-39010

Service svc:/network/nfs/cbd is disabled or not installed OSC-37010

Service svc:/network/nfs/mapid is disabled or not installed OSC-38010

ssh(1) is the only service binding a listener to non-loopback addresses OSC-73505

Next we create a custom assessment:

compliance tailor -t MySecurityPolicy 'set benchmark=solaris; set profile=Recommended; exclude OSC-40010; exclude OSC-38510; exclude OSC-39510; exclude OSC-39010; exclude OSC-37010; exclude OSC-38010; exclude OSC-73505; export'

You can, of course, use "include" if you needed to.

And then we run our custom security assessment:

compliance assess -t MySecurityPolicy
compliance report -a yadayadayada 

And that's it folks, I went a step further and wrote a script to output the commands I need to implement the hardening, but I'm tired of writing this post. It's getting too long so here it ends.

SuperCluster DR Procedure for App Zones

NOTE: This is a procedure for testing failing over from one SuperCluster to another at a different site - not for the occurrence of an actual DR situation.

This doc is a work in progress - process is still a bit finicky

Pre-work

i) Set up zfs replication isci zone lun and nfs shares

ii) Make sure zone root zpool has different name on source and destination system

iii) Add same IB IP as zfs-sa at source to zfs-sa at destination

iv) Set up key authentication to zfs-sa at destination
v) Create script at source to periodically save zone configs

1. Snap ZFS pool

2. Snap zfs project/shares

3. Share zpool lun

On DR:

a. Create a project to put your clones under

b. List the snapshots on the zpool lun

c. Create the clone off the appropriate snap

4. Share zfs projects/shares

Do this in the GUI, for each project:

- click on Shares

- underneath Shares click on Projects

- underneath Projects click on Replica

- move the mouse over the relevant project and a pencil and trash bin icon will show on the right, click on the pencil

- Click on Replication

- below Replication should be a bunch of icons

- click on the + icon ("Clone most recently received project snapshot")

-  You might get an error at this point. Just try again and again.

- When you get to the screen asking for new project name, use the current project name and add "_DR" and click on Continue.

Or in an actual DR situation:

Instead of the + icon, you break replication. Afterwards you will need to reverse replication before failing back.

5. Import zpool

On destination server:

cfgadm -alv

devfsadm -Cv

zpool import -R / zones

6. Recreate zone

Configure zones

Attach zones

Boot zones

Copying a SuperCluster Zone

1. Snapshot the original zone

zfs snapshot -r zones/zone1@copy

2. Copy the snap across to the destination zoneroot

zfs send -vr zones/zone1@copy | zfs recv -v zones/zone2

3. Export the zone config and copy it across to the new zone. (use IB if possible)

4. Edit the zone config to reflect new address and new zonepath

5. Create the new zone

6. Attach and boot the new zone

7. Configure the new zone

Name

Solaris 11

sysconfig create-profile -g identity -o config.xml

sysconfig configure -g identity -c config.xml

Solaris 10

Sysunconfig

Edit /etc/nodename, /etc/hostname.*, /etc/hosts

Host files

vi /etc/hosts

IP

Solaris 11

ipadm delete-addr ipmp0/v4

ipadm delete-addr ipmp1/v4

ipadm create-addr -T static -a 23.88.34.157/24 ipmp0

ipadm create-addr -T static -a 192.168.55.61/22 ipmp1

ipadm set-ifprop -p standby=on -m ip net2

route -p add default 23.88.34.1

Solaris 10

vi /etc/hostname.*

vi /etc/defaultrouter

reboot

Samba config

vi /etc/samba/smb.conf

net join -U user -S ADservername

rm /export/home/samba/*/.ssh/known_hosts

Reboot

8. Configure the storage from the ZFS

Log into the appropriate zfs head:

Shares -> Projects: Add new project

Edit Project:

Under General set Mountpoint to /export/projectname

Under protocols:

Share mode=none

Add NFS Exception: Network - IB IP of zone/32 - Read/write - tick root access

Under shares, add shares needed

Go into each share and set quota

vi /etc/vfstab

mount -a

Change ownership of each mountpoint

9. Put key authentication into place between original and copy.

10. Rsync the NFS shares from original to new zone

rsync -azh /u01 192.168.55.61:/

Setting up Samba Auditing

1. Define the output file

  vi /etc/syslog.conf and add the line:

local5.notice                                   /var/log/samba/audit.log

  Note: Use tabs for spacing!

2. Make sure the output file is rotated

logadm -A 6w -S5g -z 0 -c -p 1w -w /var/log/samba/audit.log

Where:

                        -A 6w means Delete files older than 6 weeks

                        -S 5g means delete files so that all versions are less than 5g

                        -z 0 means compress all previous versions

                        -c mean rotate copying & truncating the logfile to zero length, rather than renaming

                        -p 1w means rotate after 1 week

-w means write to settings to logadm.conf

3. Change the samba settings for the shares.

  vi /etc/samba/smb.conf

  To the [global] section add the lines:

        full_audit:prefix = %U|%I|%u|%S

        full_audit:failure = connect

        full_audit:success = connect disconnect mkdir rmdir read pread write pwrite sendfile rename unlink chmod fchmod chown fchown ftruncate lock symlink readlink link mknod

        full_audit:facility = LOCAL5

        full_audit:priority = notice

  For each of the shares you want to audit, add the line:

        vfs object = full_audit

  Note: If you want to audit all shares, add this line to the global section.

  In case you're wondering what file creates and deletes show up in the log as:
    create=pwrite

    delete=unlink

4. svcadm restart samba