There has been a framework to check your system against security rulesets in Solaris 11 for quite some time now. It's really useful: You can define your own rulesets, but more importantly you can use some rulesets delivered with the operating system (for example our bundled PCI-DSS ruleset), already adapted to Solaris 11.
As it is an automated process, it's easy to repeat it often, and compliance is a function of time. Just because you are 100% compliant at one moment, you can't be sure that you are compliant at a different point in time. So this automation is really helpful because the check is repeatable with ease at any given moment.
However, most often you don't have a single system, or just a single image of your operating system running. Even with those automated checks, you would have to automate the part where the compliance assessments are actually executed yourself.
Thus it would be really useful to have a method to check other systems, or a number of different systems, with an easy command. In the Solaris 11.4 beta such a framework was added to the operating system. There is a way to do periodic compliance checks on your systems; I will describe this in a later blog entry. But perhaps more interesting: You are now able to execute compliance checks remotely, and you are even able to execute them on a group of systems.
In this blog entry I want to show you how you can configure your system in order to use this feature. For the sake of this demo let's just assume that we have a user joergcpl that is allowed to do compliance tests. We have a central system called server. We want to start our compliance tests from here, and we want to have all assessments stored on this system. Let's further assume that we have two systems on which we want to do compliance checks; we name them client1 and client2.
We have to do some configuration work on server in order to
Essentially we create a user with the rights profile Compliance Assessor. This profile contains everything you need to use the compliance toolkit. You will find it for example in /etc/security/prof_attr.d/security-compliance:
Afterwards you do the usual ssh stuff and repeat the steps on client1 and client2. At first on client1:
Afterwards on the system client2 as well:
Afterwards it's good practice to log in as joergcpl in all directions in order to accept the host identities. If you ever see that some of the command lines can't communicate, or that execution stops, check first that password-less authentication is possible between the systems and that you have properly configured name resolution.
But now let's try out what we have configured.
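As an added example (not from the original post), a small pre-flight script for the checks just mentioned: run on server, it verifies for each client that the name resolves, that password-less ssh as the assessor user works without any prompt, and, on Solaris, that the user actually holds the Compliance Assessor rights profile. The user name joergcpl and the host names client1 and client2 are the ones assumed in this post.

```shell
#!/bin/sh
# Added example, not part of the original post: pre-flight checks before a
# remote or roster compliance assessment is started from "server".

ASSESSOR_USER="${ASSESSOR_USER:-joergcpl}"   # assessor user assumed in the post

# Return 0 if the user holds the Compliance Assessor rights profile.
# Uses the Solaris profiles(1) command; where it is missing, report failure.
has_assessor_profile() {
    user="$1"
    command -v profiles >/dev/null 2>&1 || return 1
    profiles "$user" 2>/dev/null | grep -q 'Compliance Assessor'
}

# Return 0 if the host name resolves through the name service switch.
resolves() {
    getent hosts "$1" >/dev/null 2>&1
}

# Return 0 if a non-interactive ssh login succeeds. BatchMode=yes makes ssh
# fail instead of prompting for a password or an unknown host key, which is
# exactly the condition a remote assessment would otherwise hang on.
batch_ssh_ok() {
    user="$1"; host="$2"
    ssh -o BatchMode=yes -o ConnectTimeout=5 "$user@$host" true >/dev/null 2>&1
}

# Check every host given as an argument; print one line per host and return
# the number of hosts that failed a check (0 means all hosts are ready).
check_hosts() {
    failed=0
    for host in "$@"; do
        status="ok"
        if ! resolves "$host"; then
            status="name does not resolve"
        elif ! batch_ssh_ok "$ASSESSOR_USER" "$host"; then
            status="no password-less ssh as $ASSESSOR_USER"
        fi
        echo "$host: $status"
        [ "$status" = "ok" ] || failed=$((failed + 1))
    done
    return "$failed"
}

# Typical use on server:  check_hosts client1 client2
```

Run `has_assessor_profile joergcpl` on each system as well; it only succeeds on Solaris, where profiles(1) exists.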
This output is interesting for two reasons. First, with -N 10.0.10.3 we have executed a compliance assessment on a remote system. But, and this is in part even more interesting, the results of the assessment are stored on server as well. This really simplifies collecting all the assessments from all the systems, because Solaris 11.4 is doing it for you.
However, it's seldom the case that you just want to do this on one system. Often you have several, sometimes hundreds or thousands. Leaving this automation to you would only be half the way, so a feature called compliance roster was introduced in Solaris 11.4. With a compliance roster you can assess whole groups of systems. Let's create a roster for the two client systems from the start:
We've added two systems to our roster. Of course you can change it afterwards, for example if you want a different roster than the one declared as the default roster for the system (more on this in a different blog entry).
Now we are ready to use the compliance feature:
This command returns immediately. You don't have to wait for it to execute the compliance assessment on all systems. But how can you check on it? Please note the roster-joerg.2018-02-26,18:07 part. You can use this string to check the state of affairs.
You see, on both systems the compliance assessment is in the Running state. Let's check it again after a while.
Both assessments have completed. Now you can look at the available assessments.
Besides the assessment from our first remote execution, you will see the assessments from our roster as well, ready to generate a report from.