Performing a Security Audit
Performing a security assessment periodically on your systems provides a benchmark of how closely the security matches the security profile you implemented. The most common scenario for performing security assessments is as a security maintenance task sometime after hardening new installations. We designed the security assessment option so that you simply execute the same hardening driver(s) that you used to harden the system, but that now you use the -a option to check the current state compared to the security profile implemented during hardening. This design eliminates complexity and provides flexibility. For example, when you update your security profile, subsequent security assessments use the updated security profile.
Another possible scenario is that you are responsible for securing systems that are already deployed, and before you harden them, you want to perform a security assessment. In this scenario, you would define your own security profile, customize a Solaris Security Toolkit security profile template, or use one of the security profile templates as is.
To Perform a Security Audit
Before performing an audit, you need to define or choose a security profile. For more information, refer to "Preparing to Audit Security" on page 5.
If you are performing a security assessment on a deployed system that you did not harden previously, we recommend that you first back up the machine and reboot it to verify that it is in a known, working, and consistent configuration. Any errors or warnings detected during this preliminary reboot should be corrected or noted before proceeding with security assessment.
Choose the security profile (hardening driver) that you want to use:
If you hardened the system previously, use the same security profile.
For example, secure.driver.
If you have not hardened the system, use one of the standard security profiles or your own.
For example, secure.driver or abccorp-secure.driver.
For a complete and up-to-date listing of available drivers, download the most recent version of the Solaris Security Toolkit software from the following web site:
Refer to Chapter 10 for information about standard and product-specific drivers. For the most current listing of drivers, refer to the Drivers directory.
Determine the command line options you want and how you want to control the output. (Refer to "Using Options and Controlling Audit Output" on page 6.)
Enter the jass-execute -a command, the name of the security profile, and the options you want.
The following is a sample audit run using the sunfire_15k_sc-
CODE EXAMPLE 0-6 Sample Output of Audit Run
# ./jass-execute -a sunfire_15k_sc-secure.driver [NOTE] Executing driver, sunfire_15k_sc-secure.driver [...] ================================================================ sunfire_15k_sc-secure.driver: Audit script: enable-rfc1948.aud ================================================================ #--------------------------------------------------------------- # RFC 1948 Sequence Number Generation # # Rationale for Audit: # # The purpose of this script is to audit that the system is # configured and is in fact using RFC 1948 for its TCP sequence # number generation algorithm (unique-per-connection ID). This is # configured by setting the 'TCP_STRONG_ISS' parameter to '2' in # the /etc/default/inetinit file. # # Determination of Compliance: # [...] #--------------------------------------------------------------- [PASS] TCP_STRONG_ISS is set to '2' in /etc/default/inetinit. [PASS] System is running with tcp_strong_iss=2. # The following is the vulnerability total for this audit script. [PASS] Audit Check Total : 0 Error(s) ================================================================ # The following is the vulnerability total for this driver profile. [PASS] Driver Total : 0 Error(s) ================================================================ sunfire_15k_sc-secure.driver: Driver finished. ================================================================ [PASS] Grand Total : 0 Error(s)
When an audit run is initiated, the Solaris Security Toolkit software accesses files from the JASS_HOME_DIR/Audit directory. Although the files in both the JASS_HOME_DIR/Audit and JASS_HOME_DIR/Finish directories share the same base file names, they have different file name suffixes. The driver.run script automatically translates the finish scripts defined by the JASS_SCRIPTS variable into audit scripts, by changing their suffixes from .fin to .aud.
The audit run starts and initializes the state of the Solaris Security Toolkit software. Each driver that is accessed during the run evaluates the state of all of its file templates and audit scripts. Each check results in a state of success or failure, represented by a vulnerability value of either zero or nonzero, respectively. In most cases, failure is represented by a number 1. Each script that is run produces a total security score, based on the total vulnerability value of each check contained within a script. Furthermore, the total vulnerability value result for each driver is displayed at the completion of a driver's assessment. Lastly, a grand total of all scores is presented at the end of the run.
The security assessment option provides a comprehensive view of the state of a system at the time the assessment run is initiated. The Solaris Security Toolkit software checks the stored state of the system by inspecting configuration files and checks the running state of the system by inspecting process table information, device driver information, etc. The Solaris Security Toolkit software checks not only for the existence of each file or service, but it checks if the software associated with a service is installed, configured, enabled, and running. This holistic approach yields an accurate snapshot of the current state of a system.