Auditing System Security
Editor's Note This article is the complete sixth chapter of the Sun BluePrints™ book, Securing Systems With the Solaris Security Toolkit, by Alex Noodergraaf and Glenn Brunette (ISBN 0-13-141071-7), which is available through http://www.sun.com/books, amazon.com, and Barnes & Noble bookstores in late June or early July.
This chapter describes how to audit (validate) a system's security using the Solaris Security Toolkit software. Use the information and procedures in this chapter for maintaining an established security profile after hardening. For systems that are already deployed, you may want to use the information in this chapter to assess security before hardening.
The term audit is used in this chapter and book to define the Solaris Security Toolkit software's automated process of validating a security posture by comparing it with a predefined security profile. The use of this term in this publication does not represent a guarantee that a system is completely secure after using the audit option.
This chapter contains the following topics:
"Maintaining Security" on page 2
"Reviewing Security Prior to Hardening" on page 3
"Customizing Security Audits" on page 3
"Preparing to Audit Security" on page 5
"Using Options and Controlling Audit Output" on page 6
"Performing a Security Audit" on page 13
Maintaining security is an ongoing process and is something that must be reviewed and revisited periodically. Maintaining a secure system requires vigilance, because the default security configuration for any system tends to become increasingly open over time. (For more information about maintaining security, refer to Chapter 2, "Maintaining System Security" on page 36.)
Based upon user experience and requests, we developed an automated method for the Solaris Security Toolkit software to audit the security posture of a system, by determining its level of compliance with a specified security profile.
This method is only available in standalone mode using the jass-execute -a command and cannot be used during a JumpStart installation.
We recommend that you audit the security posture of your systems periodically, either manually or automatically (for example, via cron job or an rc script). For example, after hardening a new installation, execute the Solaris Security Toolkit software audit command (jass-execute -a <driver-name>) five days later to determine if the system security has changed from the state defined by the security profile.
How often you audit security depends on the criticality of the environment and your security policy. Some users run an audit every hour, every day, or only once a month. Some users run a mini-scan (limited number of checks) every hour, and a full scan (with all the possible checks) once a day.
Consider auditing an essential component to maintain the security posture of deployed systems. If security posture is not periodically audited, then configurations often drift over time due to entropy or modifications that unknowingly or maliciously change the desired security posture. Without periodic review, these changes go undetected and corrective measures are not taken. The result is a system that becomes less secure and, correspondingly, more vulnerable.
In addition to periodic audits, we recommend that you perform audits after upgrades, patches, and other significant system configuration changes.