22 May 2017

Is my Server Secure? Use the Solaris 11 Compliance Tool

Security Compliance
IT security is more important than ever. Keep your systems up to date,
don't run services you don't need, use strong passwords and protect your files.

Security compliance checking helps to detect weak or modified (drifted) configuration.
Solaris 11.3 ships the 'compliance' tool. With it you can assess a system against three predefined benchmarks/profiles:

1. Oracle Solaris Security Benchmark: Baseline
   Corresponds roughly to a Secure By Default installation

2. Oracle Solaris Security Benchmark: Recommended
   Adds further recommended checks on top of the Baseline

3. PCI-DSS
   Payment Card Industry - Data Security Standard
  
The Solaris compliance tool creates easy to understand HTML reports.
It also supports tailoring for individual machines: single checks can be enabled or disabled and check values adjusted if required.

Use this blog post as an introduction with a few examples. Reaching a completely hardened system takes more work than is shown here.

Solaris 11 Compliance Samples
To check against the Solaris Baseline Benchmark run the following command on your system:

# compliance assess -b solaris

Generate the HTML report; the command prints the path of the report file:
# compliance report
/var/share/compliance/assessments/solaris.Baseline.2017-05-22,10:32/report.html


The HTML report lists each check in detail, including a description of how to fix failed checks. On a newly installed system a few checks may fail. If you don't use Kerberos you can disable the related services so that these checks pass:

# svcadm disable svc:/network/nfs/fedfs-client:default
# svcadm disable svc:/network/rpc/gss:default


Next we assess against the Solaris Recommended profile:

# compliance assess -b solaris -p Recommended

# compliance report -f log
/var/share/compliance/assessments/solaris.Recommended.2017-05-22,17:18/log
# grep fail /var/share/compliance/assessments/solaris.Recommended.2017-05-22,17:18/log | wc -l
      26


Fulfilling the Recommended profile would require many configuration changes. As a first step we therefore create our own benchmark based on the Solaris Baseline and add a few additional checks.

If you deploy services that listen on the network, a check like this one will be reported as failed:
OSC-73505 / ssh(1) is the only service binding a listener to non-loopback addresses

On one Solaris Zone I run a Solaris IPS repository, which has to listen on a non-loopback address. We create a tailored benchmark in which
this check is disabled.

# compliance tailor -t solaris_jomasoft set benchmark=solaris
# compliance tailor -t solaris_jomasoft set profile=Baseline
# compliance tailor -t solaris_jomasoft exclude OSC-73505  # ssh(1) is the only service binding a listener to non-loopback


Then we add our password rules:

# compliance tailor -t solaris_jomasoft include OSC-49500  # Passwords require at least 1 upper-case characters
# compliance tailor -t solaris_jomasoft include OSC-47500  # Passwords require at least 1 digits


Change the values of existing checks:

# compliance tailor -t solaris_jomasoft value OSCV-46000=8  # Passwords must be at least 8 characters long
# compliance tailor -t solaris_jomasoft value OSCV-48000=1  # Passwords must have at least 1 lower-case characters
# compliance tailor -t solaris_jomasoft value OSCV-49000=1  # Passwords must have at least 1 special characters


Add further checks:

# compliance tailor -t solaris_jomasoft include OSC-93005   # User home directories have appropriate permissions
# compliance tailor -t solaris_jomasoft include OSC-92505   # User home directory ownership is correct


Now we assess against our own tailored benchmark:
# compliance assess -t solaris_jomasoft


A compliance report for PCI-DSS is created with:
# compliance assess -b pci-dss

Reaching PCI-DSS compliance requires some configuration work:

# compliance report -f log
/var/share/compliance/assessments/pci-dss.Solaris_PCI-DSS.2017-05-22,11:22/log
# grep fail /var/share/compliance/assessments/pci-dss.Solaris_PCI-DSS.2017-05-22,11:22/log | wc -l
      29


Find all details in the Oracle Solaris 11.3 Compliance Guide (PDF)
https://docs.oracle.com/cd/E53394_01/pdf/E54817.pdf

Run your benchmark regularly, and compare the failed checks with the previous run, to detect changes made by administrators and applications.
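The following shell functions are an added example (not part of the original post and not part of Oracle's compliance tool). They turn the "grep fail | wc -l" count used above into a drift check between two assessment logs: which checks newly fail since the last run, and which were fixed. The two log files are constructed inline for the example and only reuse the rule ids and descriptions that appear in this post; like the grep in the post, the parser assumes nothing about the real log format beyond a failed check's line containing "fail" and its OSC-/OSCV- rule id.

```shell
#!/bin/sh
# Added example, not from the original post: compare two
# 'compliance report -f log' outputs and list the checks that newly fail.
#
# ASSUMPTION: as with the grep in the post, we only rely on a failed check's
# log line containing the word "fail" and its rule id (OSC-nnnnn / OSCV-nnnnn).
# The two log files below are CONSTRUCTED sample data for this example.

BASELINE_LOG=$(mktemp) || exit 1
TODAY_LOG=$(mktemp) || exit 1
trap 'rm -f "$BASELINE_LOG" "$TODAY_LOG"' EXIT

# Last week's assessment (constructed): two checks failed.
cat > "$BASELINE_LOG" <<'EOF'
OSC-73505 ssh(1) is the only service binding a listener to non-loopback addresses: fail
OSC-49500 Passwords require at least 1 upper-case characters: fail
OSC-93005 User home directories have appropriate permissions: pass
OSC-92505 User home directory ownership is correct: pass
EOF

# Today's assessment (constructed): the password rule was fixed, but somebody
# loosened the permissions of a home directory in the meantime.
cat > "$TODAY_LOG" <<'EOF'
OSC-73505 ssh(1) is the only service binding a listener to non-loopback addresses: fail
OSC-49500 Passwords require at least 1 upper-case characters: pass
OSC-93005 User home directories have appropriate permissions: fail
OSC-92505 User home directory ownership is correct: pass
EOF

# failed_rules LOG: sorted, unique rule ids of all failed checks in LOG
failed_rules() {
    grep -i 'fail' "$1" | grep -oE 'OSCV?-[0-9]+' | sort -u
}

# count_failed LOG: number of failed checks (the number the post gets with wc -l)
count_failed() {
    failed_rules "$1" | wc -l | tr -d ' '
}

# set_diff OLD NEW COMMOPT: rule ids only in NEW (-13) or only in OLD (-23)
set_diff() {
    old_ids=$(mktemp) || return 1
    new_ids=$(mktemp) || return 1
    failed_rules "$1" > "$old_ids"
    failed_rules "$2" > "$new_ids"
    comm "$3" "$old_ids" "$new_ids"
    rm -f "$old_ids" "$new_ids"
}

# new_failures OLD NEW: checks that fail now but did not fail before (drift)
new_failures() { set_diff "$1" "$2" -13; }

# fixed_checks OLD NEW: checks that failed before and pass now
fixed_checks() { set_diff "$1" "$2" -23; }

# Stand-alone report when the script is run directly.
echo "failed checks today: $(count_failed "$TODAY_LOG")"
echo "fixed since baseline:"
fixed_checks "$BASELINE_LOG" "$TODAY_LOG" | sed 's/^/  /'
echo "NEW failures since baseline (drift):"
drift=$(new_failures "$BASELINE_LOG" "$TODAY_LOG")
printf '%s\n' "$drift" | sed 's/^/  /'
[ -z "$drift" ] || echo "configuration drift detected, review the HTML report"
```

For real use, replace the two constructed files with the log paths printed by "compliance report -f log" of the previous and the current assessment. On Solaris, use /usr/gnu/bin/grep for the -o option. Note that matching on the word "fail" has the same limitation as the grep in the post: a check description that itself contains "fail" would be counted, so verify the list against the HTML report before acting on it.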

07 April 2017

Is there a performance impact when using Solaris ZFS lz4 compression?

Starting with Solaris 11.3, ZFS supports lz4 compression. Let's verify the performance impact of enabling lz4 compression with two concrete sample files:
first a zip file containing Solaris 11 SRU updates, second a plain text log file.

We disable caching of file data in the ZFS ARC (keeping only metadata) on the source and on both target filesystems, so that the measurement reflects real I/O plus compression rather than cache hits:
# zfs set primarycache=metadata v0123_db/source
# zfs set primarycache=metadata compressed/fs
# zfs set primarycache=metadata uncompressed/fs


Test 1 - zipped file

# time cp p25604852_1100_Solaris86-64_1of4.zip /uncompressed

real    1m27.571s
user    0m0.002s
sys     0m4.361s

-bash-4.4$ zfs get compression,compressratio,used uncompressed/fs
NAME             PROPERTY       VALUE  SOURCE
uncompressed/fs  compression    off    inherited from uncompressed
uncompressed/fs  compressratio  1.00x  -
uncompressed/fs  used           1.35G  -


# time cp p25604852_1100_Solaris86-64_1of4.zip /compressed

real    1m27.427s
user    0m0.002s
sys     0m4.408s

-bash-4.4$ zfs get compression,compressratio,used compressed/fs
NAME           PROPERTY       VALUE  SOURCE
compressed/fs  compression    lz4    inherited from compressed
compressed/fs  compressratio  1.00x  -
compressed/fs  used           1.34G  -

We see the same duration, i.e. no performance loss, and because the file is already zipped
nearly no space savings: ZFS stores a block uncompressed when lz4 cannot shrink it, which is also why the incompressible data costs no extra time.



Test 2 - Log file with Text

# time cp framework.log /uncompressed/

real    0m24.608s
user    0m0.001s
sys     0m1.241s

-bash-4.4$ zfs get compression,compressratio,used uncompressed/fs
NAME             PROPERTY       VALUE  SOURCE
uncompressed/fs  compression    off    inherited from uncompressed
uncompressed/fs  compressratio  1.00x  -
uncompressed/fs  used           390M   -


# time cp framework.log /compressed/

real    0m24.495s
user    0m0.001s
sys     0m1.260s

-bash-4.4$ zfs get compression,compressratio,used compressed/fs
NAME           PROPERTY       VALUE  SOURCE
compressed/fs  compression    lz4    inherited from compressed
compressed/fs  compressratio  6.37x  -
compressed/fs  used           61.4M  -

Good compression (over 6x): we save about 330MB of disk space here, with
no impact on the duration. The SPARC S7 core is fast enough to compress at this I/O rate. Note that both copies read from the same source dataset, so the write tests compare the added cost of compression, not the absolute write throughput of the pool.


And now Read Performance

# time cp /compressed/framework.log /tmp; time cp /uncompressed/framework.log /tmp

real    0m17.415s
user    0m0.001s
sys     0m1.354s

real    0m24.479s
user    0m0.001s
sys     0m1.389s

Better results from the compressed filesystem: decompressing in the CPU is faster than doing the I/O, since the uncompressed filesystem has to read 6x the amount of data from disk.


Summary
With the above samples we don't see a negative impact from enabling lz4 compression. With compressible text files you save lots of disk space while gaining read performance. We now use lz4 on our zpools by default. Repeat the measurement with your own data and CPUs before changing production pools, as the result depends on how compressible the data is and on the CPU to I/O ratio of the system.

31 October 2016

My Favorite Oracle Solaris Sessions at #doag2016 Conference in Nuremberg

The German Oracle User Group (DOAG) Conference is the largest Oracle conference in Europe.
It takes place every year in mid-November.

Here are my favorite Solaris sessions on Wednesday, 16 November:

11:00 Room Stockholm Oracle Solaris 11 Zonen - Spezialitäten
          Marcel Hofstetter

12:00 Room Budapest Less Known Features of Solaris
          Jörg Möllenkamp

13:00 Room Stockholm Oracle Solaris - The Next Generation
          Joost Pronk & Franz Haberhauer

16:00 Room Stockholm End to End Diagnostics with Oracle Solaris Observability
          Eve Kleinknecht

See you in Nuremberg

08 September 2016

Performance Comparison SPARC T4 and SPARC S7

SPARC S7
JomaSoft replaces its SPARC T4-1 server with the new SPARC S7-2 server (2 sockets with 8 cores each at 4.26GHz).

Read more about the SPARC S7-2 Server

Comparison
We created a 3GB / 1-core LDom on our SPARC T4-1 server running Solaris 11.3 SRU11, with all data stored on a SAN disk. Inside the LDom we installed our VDCF application and loaded a datacenter configuration into the VDCF sqlite database. Next we executed datacenter analyses such as patch comparison, calculation of migration possibilities and server configuration consistency checks. These analyses are traditional single-threaded workloads.

After the tests on the SPARC T4-1 we migrated the LDom to the new SPARC S7-2 server. This allowed us to compare the systems using the same operating system, setup and data, making sure we compare "apples to apples".

The results for our workload showed 2x faster performance on the SPARC S7-2 server. We are very happy with these results. This workload did not use the Software in Silicon features; it performed better solely because of the new CPU architecture (higher frequency, more and better CPU cache and memory).

In my view the SPARC S7-2 server is the ideal platform for customers replacing their old SPARC hardware, with an excellent price/performance ratio.