Remote security assessments in Solaris 11.4 beta

Solaris 11 has had a framework to check your system against security rulesets for quite some time now. It's really useful: you can define your own rulesets, but more importantly you can use rulesets delivered with the operating system (for example our bundled PCI-DSS ruleset) that are already adapted to Solaris 11.


As it is an automated process it's easy to repeat it often, and compliance is a function of time: just because you are 100% compliant at one moment, you can't be sure that you are still compliant at a different point in time. So this automation is really helpful, because the check can be repeated with ease at any given moment.

However, most often you don't have just a single system, or just a single image of your operating system, running. Even with those automated checks, you would still have to automate the part where the compliance assessments are actually executed yourself.

Thus it would be really useful to have a method to check other systems, or a number of different systems, with a single easy command. In Solaris 11.4 beta such a framework was added to the operating system. There is a way to do periodic compliance checks on your systems; I will describe this in a later blog entry. But perhaps more interesting: you are now able to execute compliance checks remotely, and you are even able to execute them on a group of systems.

In this blog entry I want to show you how you can configure your systems in order to use this feature. For the sake of this demo let's just assume that we have a user joergcpl who is allowed to do compliance tests. We have a central system called server: we want to start our compliance tests from here, and we want all assessments stored on this system. Let's further assume that we have two systems on which we want to do compliance checks; we name them client1 and client2.

We have to do some configuration work on server in order to

root@server:~# useradd -c "Compliancinator" -u 1111 -m -s /usr/bin/pfbash -K profiles="Compliance Assessor" -S files joergcpl
80 blocks
root@server:~# echo "10.0.10.2 server" >> /etc/hosts;echo "10.0.10.3 client1" >> /etc/hosts;echo "10.0.10.4 client2" >> /etc/hosts
root@server:~# passwd joergcpl
New Password: 
Re-enter new Password: 
root@server:~# ssh joergcpl@127.0.0.1
joergcpl@server:~$ ssh-keygen -t rsa -P ""
Generating public/private rsa key pair.
Enter file in which to save the key (/export/home/joergcpl/.ssh/id_rsa): 
Created directory '/export/home/joergcpl/.ssh'.
Your identification has been saved in /export/home/joergcpl/.ssh/id_rsa.
Your public key has been saved in /export/home/joergcpl/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:XXXX joergcpl@server
[...]
joergcpl@server:~$ cat .ssh/id_rsa.pub | ssh 10.0.10.2 'cat >> /export/home/joergcpl/.ssh/authorized_keys && echo "Key copied"'
joergcpl@server:~$ cat .ssh/id_rsa.pub | ssh 10.0.10.3 'cat >> /export/home/joergcpl/.ssh/authorized_keys && echo "Key copied"'

Essentially we create a user with the rights profile Compliance Assessor. This profile contains everything you need to use the compliance toolkit. You will find it, for example, in /etc/security/prof_attr.d/security-compliance:

Compliance Assessor:RO::\
Perform Compliance Assessments:\
auths=solaris.compliance.assess,\
solaris.smf.manage.compliance,\
solaris.sstore.compliance.write,\
solaris.sstore.compliance.update_res;\
profiles=Compliance Reporter

Afterwards you do the usual ssh key setup and repeat the same steps on client1 and client2. First on client1:

root@client1:~# useradd -c "Compliancinator" -u 1111 -m -s /usr/bin/pfbash -K profiles="Compliance Assessor" -S files joergcpl
80 blocks
root@client1:~# echo "10.0.10.2 server" >> /etc/hosts;echo "10.0.10.3 client1" >> /etc/hosts;echo "10.0.10.4 client2" >> /etc/hosts
root@client1:~# passwd joergcpl
New Password: 
Re-enter new Password: 
root@client1:~# ssh joergcpl@127.0.0.1
joergcpl@client1:~$ ssh-keygen -t rsa -P ""
Generating public/private rsa key pair.
Enter file in which to save the key (/export/home/joergcpl/.ssh/id_rsa): 
Created directory '/export/home/joergcpl/.ssh'.
Your identification has been saved in /export/home/joergcpl/.ssh/id_rsa.
Your public key has been saved in /export/home/joergcpl/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:XXXX joergcpl@client1
[...]
joergcpl@client1:~$ cat .ssh/id_rsa.pub | ssh 10.0.10.4 'cat >> /export/home/joergcpl/.ssh/authorized_keys && echo "Key copied"'
joergcpl@client1:~$ cat .ssh/id_rsa.pub | ssh 10.0.10.2 'cat >> /export/home/joergcpl/.ssh/authorized_keys && echo "Key copied"'

Afterwards on the system client2 as well:

root@client2:~# useradd -c "Compliancinator" -u 1111 -m -s /usr/bin/pfbash -K profiles="Compliance Assessor" -S files joergcpl
80 blocks
root@client2:~# echo "10.0.10.2 server" >> /etc/hosts;echo "10.0.10.3 client1" >> /etc/hosts;echo "10.0.10.4 client2" >> /etc/hosts
root@client2:~# passwd joergcpl
New Password: 
Re-enter new Password: 
root@client2:~# ssh joergcpl@127.0.0.1
joergcpl@client2:~$ ssh-keygen -t rsa -P ""
Generating public/private rsa key pair.
Enter file in which to save the key (/export/home/joergcpl/.ssh/id_rsa): 
Created directory '/export/home/joergcpl/.ssh'.
Your identification has been saved in /export/home/joergcpl/.ssh/id_rsa.
Your public key has been saved in /export/home/joergcpl/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:XXXX joergcpl@client2
[...]
joergcpl@client2:~$ cat .ssh/id_rsa.pub | ssh 10.0.10.3 'cat >> /export/home/joergcpl/.ssh/authorized_keys && echo "Key copied"'
joergcpl@client2:~$ cat .ssh/id_rsa.pub | ssh 10.0.10.2 'cat >> /export/home/joergcpl/.ssh/authorized_keys && echo "Key copied"'

Afterwards it's good practice to log in via ssh as joergcpl between all the systems in every direction, so that the host identities (host keys) are accepted. If you ever see that some of the commands can't communicate or stop executing, first check that passwordless authentication is possible between the systems and that name resolution is properly configured.

But now let's try out what we have configured.

joergcpl@server:~/.ssh$  pfexec compliance assess -b solaris -N 10.0.10.3
Assessment will be named 'solaris.2018-02-26,17:55'
Remote assessment(s) will be stored via 'ssh://joergcpl@server'

        Package integrity is verified
        OSC-54005
         fail
[...]
        Check all default audit properties
        OSC-02000
         fail

joergcpl@server:~/.ssh$

This output is interesting for two reasons. First, with -N 10.0.10.3 we have executed a compliance assessment on a remote system. But, and this is in part even more interesting, the results of the assessment are stored on server as well. This really simplifies collecting all the assessments from all the systems, because Solaris 11.4 is doing it for you.

However it's seldom the case that you just want to do this on one system. Often you have several, sometimes hundreds or thousands. Leaving this automation to you would only go half the way, so a feature called compliance roster was introduced in Solaris 11.4. With a compliance roster you can assess whole groups of systems. Let's create a roster for the two client systems from the start:

joergcpl@server:~/.ssh$ pfexec compliance roster -r roster-joerg
*** compliance roster: No existing roster: 'roster-joerg', initializing
roster:roster-joerg> add node
roster:roster-joerg/node> node client1
roster:roster-joerg/node:client1> end
roster:roster-joerg> add node 
roster:roster-joerg/node> node client2
roster:roster-joerg/node:client2> end
roster:roster-joerg> info;expand
info:  roster:roster-joerg, 2 node(s)
  node:client1  
  node:client2  
roster:roster-joerg> commit 
roster:roster-joerg> list
        roster-joerg
roster:roster-joerg> exit

We've added two systems to our roster. Of course you can change it afterwards, for example if you want a different roster than the one declared as the default roster for the system (more on this in a different blog entry).

joergcpl@server:~/.ssh$ pfexec compliance roster -r roster-joerg
roster:roster-joerg> select node=client1
roster:roster-joerg/node:client1> policy -b solaris -p Recommended
roster:roster-joerg/node:client1> end
roster:roster-joerg> select node=client2
roster:roster-joerg/node:client2> policy -b solaris -p Recommended
roster:roster-joerg/node:client2> end
roster:roster-joerg> commit
roster:roster-joerg> info
info:  roster:roster-joerg, 2 node(s)
roster:roster-joerg> expand
  node:client1   profile=Recommended benchmark=solaris
  node:client2   profile=Recommended benchmark=solaris
roster:roster-joerg> exit

Now we are ready to use the compliance feature:

joergcpl@server:~/.ssh$ pfexec compliance assess -r roster-joerg
Assessment will be named 'roster-joerg.2018-02-26,18:07'
Remote assessment(s) will be stored via 'ssh://joergcpl@server'

This command returns immediately; you don't have to wait for the compliance assessment to execute on all systems. But how can you check on it? Please note the roster-joerg.2018-02-26,18:07 part: you can use this string to check the state of affairs.

joergcpl@server:~/.ssh$ compliance list -av 'roster-joerg.2018-02-26,18:07'
        roster-joerg.2018-02-26,18:07
            UUID: f900a9c4-1b1f-11e8-a572-af2c45cb8184
                Benchmark=solaris
                Profile=Recommended
                Status=Running
                Node=client1
                Platform=cpe:/o:oracle:solaris:11
                Architecture=i86pc
                Timestamp=2018-02-26T18:07:57
                Username=joergcpl
                UserID=1111
            UUID: fa8d1cdc-1b1f-11e8-8048-019f68132597
                Benchmark=solaris
                Profile=Recommended
                Status=Running
                Node=client2
                Platform=cpe:/o:oracle:solaris:11
                Architecture=i86pc
                Timestamp=2018-02-26T18:07:59
                Username=joergcpl
                UserID=1111

You see, on both systems the compliance assessment is in the Running state. Let's check it again after a while.

joergcpl@server:~/.ssh$ compliance list -av 'roster-joerg.2018-02-26,18:07'
        roster-joerg.2018-02-26,18:07
            UUID: f900a9c4-1b1f-11e8-a572-af2c45cb8184
                Benchmark=solaris
                Profile=Recommended
                Status=Complete
                Node=client1
                Platform=cpe:/o:oracle:solaris:11
                Architecture=i86pc
                Timestamp=2018-02-26T18:19:26
                Username=joergcpl
                UserID=1111
            UUID: fa8d1cdc-1b1f-11e8-8048-019f68132597
                Benchmark=solaris
                Profile=Recommended
                Status=Complete
                Node=client2
                Platform=cpe:/o:oracle:solaris:11
                Architecture=i86pc
                Timestamp=2018-02-26T18:19:41
                Username=joergcpl
                UserID=1111

Both assessments have completed. Now you can look at the available assessments.

joergcpl@server:~/.ssh$ compliance list
Benchmarks:
        pci-dss
        solaris
Assessments:
        roster-joerg.2018-02-26,18:07
            UUID: f900a9c4-1b1f-11e8-a572-af2c45cb8184
            UUID: fa8d1cdc-1b1f-11e8-8048-019f68132597
        solaris.2018-02-26,17:55

Besides the assessment from our first remote execution, you will see the assessments from our roster as well, ready for generating a report from them.
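To tie the steps above together, here is an added shell example (not from the original post): a preflight that performs the two checks recommended above before a node is assessed, a parser for the 'compliance list -av' listing that reports nodes whose Status is anything other than Complete, and a polling loop built on it so you don't have to re-run the listing by hand. The user name joergcpl, the roster name and the sample listing are taken from this post; the function names are my own.

```shell
# Added example, not from the original post, with three helpers around the workflow:
#   preflight           - the checks the post recommends before assessing a node
#                         (name resolves, key-based ssh works without a prompt)
#   pending_nodes       - parses 'compliance list -av <assessment>' from stdin and
#                         prints "<node> <status>" for every node not yet Complete
#   wait_for_assessment - polls with pending_nodes until nothing is pending
# Assumes the user joergcpl and the roster/assessment names used in the post.
preflight() {
    rc=0
    for node in "$@"; do
        if ! getent hosts "$node" >/dev/null 2>&1; then
            echo "$node: name does not resolve"; rc=1; continue
        fi
        # BatchMode=yes makes ssh fail instead of prompting for a password
        if ! ssh -o BatchMode=yes -o ConnectTimeout=5 "joergcpl@$node" true 2>/dev/null; then
            echo "$node: key-based ssh login failed"; rc=1
        fi
    done
    return $rc
}
pending_nodes() {
    status=""
    while IFS= read -r line; do
        case "$line" in
            *Status=*) status=${line#*Status=} ;;   # listed before the Node= line
            *Node=*)   node=${line#*Node=}
                       [ "$status" = "Complete" ] || echo "$node $status"
                       status="" ;;
        esac
    done
}
wait_for_assessment() {   # $1 assessment name, $2 max polls, $3 seconds per poll
    name=$1; tries=${2:-40}; interval=${3:-30}
    while [ "$tries" -gt 0 ]; do
        pending=$(compliance list -av "$name" | pending_nodes)
        [ -z "$pending" ] && return 0
        printf 'still pending:\n%s\n' "$pending"
        tries=$((tries - 1)); sleep "$interval"
    done
    return 1
}
# Constructed sample in the shape of the post's listing, used to self-check the parser.
SAMPLE_LISTING='        roster-joerg.2018-02-26,18:07
            UUID: f900a9c4-1b1f-11e8-a572-af2c45cb8184
                Status=Running
                Node=client1
            UUID: fa8d1cdc-1b1f-11e8-8048-019f68132597
                Status=Complete
                Node=client2'
```

Typical use on server is `preflight client1 client2 && pfexec compliance assess -r roster-joerg`, followed by `wait_for_assessment 'roster-joerg.2018-02-26,18:07'` with the assessment name that assess printed.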