
Page 1: 2009 04.s10-admin-topics4

Copyright 2009 Peter Baer Galvin - All Rights Reserved

Solaris 10 Administration Topics Workshop4- Security

By Peter Baer Galvin

For Usenix Last Revision Apr 2009

Saturday, May 2, 2009

Page 2: 2009 04.s10-admin-topics4


About the Speaker

Peter Baer Galvin - 781 273 4100

www.cptech.com

My Blog: www.galvin.info

Bio

Peter Baer Galvin is the Chief Technologist for Corporate Technologies, Inc., a leading systems integrator and VAR, and was the Systems Manager for Brown University's Computer Science Department. He has written articles for Byte and other magazines. He was contributing editor of the Solaris Corner for SysAdmin Magazine, wrote Pete's Wicked World, the security column for SunWorld magazine, and Pete’s Super Systems, the systems administration column there. He is now Sun columnist for the Usenix ;login: magazine. Peter is co-author of the Operating System Concepts and Applied Operating System Concepts textbooks. As a consultant and trainer, Mr. Galvin has taught tutorials in security and system administration and given talks at many conferences and institutions.

Page 3: 2009 04.s10-admin-topics4

Objectives

Explore the new Solaris 10 security features, from an admin point of view

Some app/dev points made to guide developers

Convey their current status, usability, and future functionality

Help prepare for Solaris 10 deployment

Some pre-Solaris 10 coverage when needed

Page 4: 2009 04.s10-admin-topics4

Prerequisites

Recommend at least a couple of years of Solaris experience

Or at least a few years of other Unix experience

Best is a few years of admin experience, mostly on Solaris

Page 5: 2009 04.s10-admin-topics4

About the Tutorial

Every SysAdmin has a different knowledge set

A lot to cover, but notes should make good reference

So some covered quickly, some in detail

Setting base of knowledge

Please ask questions

But let’s take off-topic off-line

Page 6: 2009 04.s10-admin-topics4

Fair Warning

Sites vary

Circumstances vary

Admin knowledge varies

My goals

Provide information useful for each of you at your sites

Provide opportunity for you to learn from each other

Page 7: 2009 04.s10-admin-topics4

Why Listen to Me?

20 Years of Sun experience

Seen much as a consultant

Hopefully, you've used:

My Usenix ;login: column

The Solaris Corner @ www.samag.com

The Solaris Security FAQ

SunWorld “Pete's Wicked World”

SunWorld “Pete's Super Systems”

Unix Secure Programming FAQ (out of date)

Operating System Concepts (The Dino Book), now 8th ed

Applied Operating System Concepts

Page 8: 2009 04.s10-admin-topics4

Slide Ownership

As indicated per slide, some slides copyright Sun Microsystems

Feel free to share all the slides - as long as you don’t charge for them or teach from them for fee

Page 9: 2009 04.s10-admin-topics4

Overview

Lay of the Land

Page 10: 2009 04.s10-admin-topics4

Schedule

Page 11: 2009 04.s10-admin-topics4

Coverage

Solaris 10 is a moving target

This tutorial based on FCS (Jan / Mar 05)

Plus “Nevada” build 53

How to get Solaris 10

Download from Sun

Media Kits now shipping

How to get Solaris 10+

Join Solaris Express for monthly releases

Opensolaris.org for “untested” releases

Page 12: 2009 04.s10-admin-topics4

Outline

Overview

Sun Overview

DTrace (lab?)

RBAC (lab)

Privileges

NFS V4

Flash archives and live upgrade

Moving from NIS to LDAP

FTP client and server enhancements

Page 13: 2009 04.s10-admin-topics4

Outline

PAM enhancements

Auditing enhancements

BSM

Solaris Cryptographic Framework

Smartcard interfaces and APIs

Kerberos enhancements

Packet filtering

BART

Trusted Extensions

Overall Solaris 10 Security

Conclusions

References

Page 14: 2009 04.s10-admin-topics4

Your Objectives?

Page 15: 2009 04.s10-admin-topics4

Lab Preparation

Have a device capable of telnet on the USENIX network

Or have a buddy

Learn your “magic number”

Telnet to 131.106.62.100 + “magic number”

User “root”, password “lisa”

It’s all very secure

Page 16: 2009 04.s10-admin-topics4

Lab Preparation

Or...

Use virtualbox

Use your own system

Use a remote machine you have legit access to

Page 17: 2009 04.s10-admin-topics4

Introduction

Page 18: 2009 04.s10-admin-topics4

Overview

Solaris 10 includes lots of new security features

Security is important to administrators

It usually annoys users

We’ll look at each new feature, how useful, powerful and annoying it is

Should provide a good roadmap for what to use, when

How can they be used to solve the following problems

Page 19: 2009 04.s10-admin-topics4

Sun Overview

Quick high-level overview of Sun’s view of Solaris security

Page 20: 2009 04.s10-admin-topics4

(From the Solaris 10 Sun Net Talk about Solaris 10 Security)

Page 28: 2009 04.s10-admin-topics4

S10 Security Status

According to Sun:

Solaris 10 11/06 is currently in evaluation at EAL4+, one of the highest levels of Common Criteria Certification, with three Protection Profiles: Labeled Security Protection Profile (LSPP), Controlled Access Protection Profile (CAPP) and Role-Based Access Control Protection Profile (RBACPP). In addition, Solaris 10 3/05 has completed evaluation at EAL4+ with CAPP and RBACPP.

Page 29: 2009 04.s10-admin-topics4

Good Security Hygiene

Checklist #1 - Use before making a change

Is the syntax of the command correct?

Is the command the right one to make the change?

Is there a better way to make the change?

Are the right options entered / selected?

Is today Friday? Is today some other day on which it would be exceptionally bad to break something (such as the day before leaving for a vacation or conference)?

What are the chances that executing this will break something?

If this change would break something, can I undo the action?

Is this a documented way to accomplish the task?

If this is a new way to make a change, should I document it?

And finally, what effect might this action have on security?

Page 30: 2009 04.s10-admin-topics4

Virtualization and Security

Page 31: 2009 04.s10-admin-topics4

Virtualization Options

Containers / Zones (more below)

Xen (xVM server) - bare metal hypervisor + guests

Run other OSes (Linux, Windows) with S10+ as the host

Industry semi-standard

Para-virtualization, x86 only

LDOMs - hard partitions, shipped in May 2007

Run multiple copies of Solaris on the same coolthreads chip (Niagara, Rock in the future)

Some resource management - move CPUs and mem

VMWare - solaris as a guest, not a host so far, x86 only

Traditional Sun Domains - SPARC only, Enterprise servers only

Page 32: 2009 04.s10-admin-topics4

Security Impact

Lots of security issues around virtualization

How many “systems” are in a given environment?

Hidden / unknown systems

“System” audit could involve dozens of OSes!

Separately secure

HW - servers, storage, devices, etc

OS - per-os security regardless of HW

Apps

Virtualization infrastructure (ESX management, Solaris server, Hypervisor management, and on and on)

Page 33: 2009 04.s10-admin-topics4

Zones Overview

Think of them as chroot on steroids

Virtualized operating system services

Isolated and “secure” environment for running apps

Apps and users (and superusers) in a zone cannot see / affect other zones

Delegated admin control

Virtualized device paths, network interfaces, network ports, process space, resource use (via resource manager)

Application fault isolation

Detach and attach containers between systems

Cloning of a zone to create identical new zone

Page 34: 2009 04.s10-admin-topics4

Zones Overview - 2

Low physical resource use

Up to 8192 zones per system!

Differentiated file system

Multiple versions of an app installed and running on a given system

Inter-zone communication is only via the network (but short-pathed through the kernel)

No application changes needed – no API or ABI

Can restrict disk use of a zone via the loopback file driver (lofi) using a file as a file system

Can dedicate an Ethernet port to a zone

Allowing snooping, firewalling, managing that port by the zone

Page 35: 2009 04.s10-admin-topics4

(From System Administration Guide: N1 Grid Containers, Resource Management, and Solaris Zones)

Page 36: 2009 04.s10-admin-topics4

(From the Solaris 10 Sun Net Talk about Solaris 10 Security)

Page 37: 2009 04.s10-admin-topics4

LDOMs

Logical domains

Released April ’07

Only on Niagara and future CMT chips (Niagara II, Rock)

Like enterprise-system domains but within one chip

Slice the chip into multiple LDOMs, each with its own OS root, booting independently, etc.

Now can run multiple OSes on 1 SPARC chip

Page 39: 2009 04.s10-admin-topics4

LDOMs - Details

Can create up to 1 LDOM per thread(!)

Best practice seems to be max one LDOM per core

i.e. 8 LDOMs on Niagara I and II

Nice intro blog: http://blogs.sun.com/ash/entry/ultrasparc_t2_launched_today

And nice flash demo: http://www.sun.com/servers/coolthreads/ldoms/

Page 40: 2009 04.s10-admin-topics4

DTrace

Page 41: 2009 04.s10-admin-topics4

DTrace and Security

New tool has security implications

DTrace so cool we need to take a quick look

Page 42: 2009 04.s10-admin-topics4

DTrace Overview

Best tool ever for understanding system behavior

Uses language D, based on C

Fully dynamic, full probing of kernel and user apps

Fully scalable

Enabled in Solaris 10 – no custom kernel or configuration changes needed

Use DTrace today to solve non-S10 problems

Move the “problem” to a test / dev S10 machine, debug, and then back port the solution to the original machine

Way too much to cover here

So I’ll whet your appetite

Got example code available at http://users.tpg.com.au/adsln4yb/dtrace.html

All DTrace resources at http://www.sun.com/bigadmin/content/dtrace/

Page 43: 2009 04.s10-admin-topics4

DTrace and Security

DTrace doesn’t “weaken” security model

Root with or without DTrace is God

But with DTrace easier to be a bad God

Watch ssh typing

Watch shell I/O

DTrace disabled in zones by default

As of Nevada build 37 (and probably S10 U2), you can give the DTrace user and process privileges to a zone

Zone can’t get DTrace kernel priv

Can’t see outside of the zone

# zonecfg -z myzone

zonecfg:myzone> set limitpriv=default,dtrace_proc,dtrace_user

zonecfg:myzone> ^D

Page 44: 2009 04.s10-admin-topics4

DTrace Example - 1

connections.d: snoop inbound TCP connections as they are established, displaying the server process that accepted the connection

# ./connections.d
UID   PID   IP_SOURCE        PORT  CMD
0     254   192.168.001.001  23    /usr/sbin/inetd -s
0     254   192.168.001.001  23    /usr/sbin/inetd -s
0     254   192.168.001.001  79    /usr/sbin/inetd -s
0     254   192.168.001.001  21    /usr/sbin/inetd -s
0     254   192.168.001.001  79    /usr/sbin/inetd -s
100   2319  192.168.001.001  6000  /usr/openwin/bin/Xsun :0 -nobanner
0     254   192.168.001.001  79    /usr/sbin/inetd -s
[...]

Page 45: 2009 04.s10-admin-topics4

DTrace Example - 2

The following script counts the number of write(2) calls by application:

syscall::write:entry
{
        /* aggregate by the name of the process making the call */
        @counts[execname] = count();
}

Page 46: 2009 04.s10-admin-topics4

DTrace Example - 4

# dtrace -s write-calls-by-app.d
dtrace: script 'write-calls-by-app.d' matched 1 probe
^C

  dtrace               1
  login                1
  sshd                 2
  sh                   6
  telnet               6
  w                    7
  df                  12
  in.telnetd          25
  mixer_applet2       61
  gnome-panel        108
  metacity           125
  gnome-terminal     197
#

Page 47: 2009 04.s10-admin-topics4

DTrace Example - 5

Let’s have a look at the size of the writes to file descriptor 5, per section of user code (!)

syscall::write:entry
/execname == "sshd" && arg0 == 5/
{
        /* arg0 is the fd, arg2 the byte count; power-of-two histogram keyed by user stack */
        @[ustack()] = quantize(arg2);
}

Page 48: 2009 04.s10-admin-topics4

DTrace Example - 6

bash-2.05b# dtrace -s write-sshd-fd-5.d

dtrace: script 'write-sshd-fd-5.d' matched 1 probe

^C

libc.so.1`_write+0xc

sshd`atomicio+0x2d

805b59c

sshd`main+0xd59

805b1fa

value ------------- Distribution ------------- count

8 | 0

16 |@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ 1

32 | 0

libc.so.1`_write+0xc

sshd`packet_write_poll+0x2e

sshd`packet_write_wait+0x23

sshd`userauth_finish+0x19f

805f42e

sshd`dispatch_run+0x49

sshd`do_authentication2+0x7c

sshd`main+0xdc7

805b1fa

value ------------- Distribution ------------- count

Page 49: 2009 04.s10-admin-topics4

DTrace Example - 7

#!/usr/sbin/dtrace -s
/* $1 = pid to trace, $2 = user function name; both come from the command line */
#pragma D option flowindent

pid$1::$2:entry
{
        self->trace = 1;
}

pid$1:::entry, pid$1:::return, fbt:::
/self->trace/
{
        /* while inside $2, tag every nested call as user (U) or kernel (K) */
        printf("%s", curlwpsinfo->pr_syscall ? "K" : "U");
}

pid$1::$2:return
/self->trace/
{
        self->trace = 0;
}

Page 51: 2009 04.s10-admin-topics4

DTrace Toolkit

DTrace Toolkit with lots (> 90) of great scripts

Includes scripts for Python, Perl, Java, PHP, Ruby, Tcl, Javascript

Best starting point for learning DTrace

Means you don’t have to be a DTrace expert to use DTrace (for good or evil)

http://www.opensolaris.org/os/community/dtrace/dtracetoolkit/

Page 52: 2009 04.s10-admin-topics4

DTrace Toolkit Hits

dexplorer - run a lot of tools for a few seconds and log output to a file

Other key scripts include

dtruss, dvmstat, execsnoop, hotkernel, hotuser, errinfo, iopattern, iosnoop, iotop, opensnoop, procsystime, rwsnoop, rwtop, statsnoop

Page 53: 2009 04.s10-admin-topics4

DTrace One-Liners

Snarfed from http://www.solarisinternals.com/wiki/index.php/DTrace_Topics_One_Liners

Processes

* New processes with arguments: dtrace -n 'proc:::exec-success { trace(curpsinfo->pr_psargs); }'

Files

* Files opened by process name: dtrace -n 'syscall::open*:entry { printf("%s %s",execname,copyinstr(arg0)); }'
* Files created using creat() by process name: dtrace -n 'syscall::creat*:entry { printf("%s %s",execname,copyinstr(arg0)); }'

Syscalls

* Syscall count by process name: dtrace -n 'syscall:::entry { @num[execname] = count(); }'
* Syscall count by syscall: dtrace -n 'syscall:::entry { @num[probefunc] = count(); }'
* Syscall count by process ID: dtrace -n 'syscall:::entry { @num[pid,execname] = count(); }'

I/O

* Read bytes by process name: dtrace -n 'sysinfo:::readch { @bytes[execname] = sum(arg0); }'
* Write bytes by process name: dtrace -n 'sysinfo:::writech { @bytes[execname] = sum(arg0); }'
* Read size distribution by process name: dtrace -n 'sysinfo:::readch { @dist[execname] = quantize(arg0); }'
* Write size distribution by process name: dtrace -n 'sysinfo:::writech { @dist[execname] = quantize(arg0); }'

Physical I/O

* Disk size by process ID: dtrace -n 'io:::start { printf("%d %s %d",pid,execname,args[0]->b_bcount); }'
* Disk size aggregation: dtrace -n 'io:::start { @size[execname] = quantize(args[0]->b_bcount); }'
* Pages paged in by process name: dtrace -n 'vminfo:::pgpgin { @pg[execname] = sum(arg0); }'

Page 54: 2009 04.s10-admin-topics4

More DTrace One-liners

Memory

* Minor faults by process name: dtrace -n 'vminfo:::as_fault { @mem[execname] = sum(arg0); }'

User-land

* Sample user stack trace of specified process ID at 1001 Hertz: dtrace -n 'profile-1001 /pid == $target/ { @num[ustack()] = count(); }' -p PID
* Trace why threads are context switching off the CPU, from the user-land perspective: dtrace -n 'sched:::off-cpu { @[execname, ustack()] = count(); }'
* User stack size for processes: dtrace -n 'sched:::on-cpu { @[execname] = max(curthread->t_procp->p_stksize); }'

Kernel

* Sample kernel stack trace at 1001 Hertz: dtrace -n 'profile-1001 /!pid/ { @num[stack()] = count(); }'
* Interrupts by CPU: dtrace -n 'sdt:::interrupt-start { @num[cpu] = count(); }'
* CPU cross calls by process name: dtrace -n 'sysinfo:::xcalls { @num[execname] = count(); }'
* Trace why threads are context switching off the CPU, from the kernel perspective: dtrace -n 'sched:::off-cpu { @[execname, stack()] = count(); }'
* Kernel function calls by module: dtrace -n 'fbt:::entry { @calls[probemod] = count(); }'

Page 55: 2009 04.s10-admin-topics4

DTrace Lab (!)

Try some one-liners

Which work in a non-global zone?

Try some of the scripts in /usr/demo/dtrace

How useful is non-global zone DTrace?

Page 56: 2009 04.s10-admin-topics4

RBAC

Page 57: 2009 04.s10-admin-topics4

RBAC

Been in Solaris since release 8

Basis for access control on Solaris

A bit, um, complicated

Quick review here

How many of you are using RBAC?

Let’s take the nickel tour to get up to speed:

http://mediacast.sun.com/share/bartbl/blog-5cent-rbac-tour.mov

Page 59: 2009 04.s10-admin-topics4

RBAC Terminology

Administrative Roles – (or just “roles”) for grouping authorizations, profiles and commands together as a common set of functions. Think of these as special user accounts to which profiles are assigned.

Profiles – (also known as "execution profiles" or "rights profiles") a collection of authorizations, commands, and/or other profiles that together provide for performing a set of administrative tasks.

Page 60: 2009 04.s10-admin-topics4

RBAC Terminology - 2

Authorizations – permissions that grant access to restricted actions that are otherwise prohibited by the security policy. These are typically assigned in a profile, but can also be assigned to a user or a role. Think of this as tokens that can be checked by RBAC-aware programs. Rather than checking if UID=0 to allow an action, such programs can check if, for example, the user has authorization token “solaris.admin.diskmgr.read”.

Privileged program – a program with security attributes that enables special functions depending on a check of user-id, group-id, privileges, or authorizations. These are setuid or setgid programs, or programs with assigned privileges.

Page 62: 2009 04.s10-admin-topics4

RBAC Use

User assumes a role - placed in a special profile-understanding shell

pfcsh, pfksh, and pfsh

Shells know how to read through the various config files in /etc/security (and /etc/user_attr)

Determines the rights profiles of the role and the components of those profiles, enforces them

I.e., if a role had the Name Service Security rights profile, then the user would be allowed to run /usr/bin/nischown with an effective user-id of 0 (from /etc/security/exec_attr)

The administrator creates a profile of authorizations and privileged commands for task or tasks

Can be assigned directly to a user or to (better) a role

Without authorizations, user is prevented from executing a privileged application, or prevented from performing operations within a privileged application

Page 63: 2009 04.s10-admin-topics4

RBAC Use - 2

Easiest RBAC admin is to use the Solaris Management Console (smc)

User is allowed to assume zero or more roles by knowing the password of the roles

Similar to using the su command

When the user assumes a role, the capabilities of the role are available

List of roles available to that user is displayed by the roles command

User su’s to an available role to accomplish privileged tasks

No default roles

Page 64: 2009 04.s10-admin-topics4

/etc/security/exec_attr

# head exec_attr

Application Server Management:suser:cmd:::/usr/appserver/bin/asadmin:

Software Installation:suser:cmd:::/usr/bin/pkgparam:uid=0

Network Management:suser:cmd:::/usr/sbin/in.named:uid=0

File System Management:suser:cmd:::/usr/sbin/mount:uid=0

Software Installation:suser:cmd:::/usr/bin/pkgtrans:uid=0

Name Service Security:suser:cmd:::/usr/bin/nisaddcred:euid=0

Mail Management:suser:cmd:::/usr/sbin/makemap:euid=0

FTP Management:suser:cmd:::/usr/sbin/ftprestart:euid=0

File System Management:solaris:cmd:::/sbin/mount:privs=sys_mount

Software Installation:suser:cmd:::/usr/sbin/install:euid=0

Page 65: 2009 04.s10-admin-topics4

Roles

Typical types of roles:

primary administrator – the traditional superuser, with all privileges

system administrator – an administrator without security-modification privileges

operator – an administrator with a limited, specific set of privileges

advanced user – a user with privileges to debug and fix her own system or programs

Page 66: 2009 04.s10-admin-topics4

Solaris Privileges

Page 67: 2009 04.s10-admin-topics4

Privileges

Really known as “least privilege”

Only the minimum privileges to get a job done should be available

Alternative to being root or no one

Done at the API level

SetUID programs can dictate fine-grained access to kernel features

Can limit what privs children have

Should further help contain buffer overflows and other privilege escalation methods

Done at the user or role level

Allow specific users to perform specific operations regardless of the programs being run

Page 68: 2009 04.s10-admin-topics4

Privileges - 2

New level of management of rights within a Solaris 10 system

Fine-grained privileges that can be assigned to entities

The kernel enforces the new requirement that, to perform a special function, the entity must have the privilege to do so.

Can work in parallel with traditional superuser functionality for backward compatibility.

Page 69: 2009 04.s10-admin-topics4

Privilege Sets

E - Effective privilege set – the current set of privileges that are in effect

I - Inheritable privilege set – the set of privileges that a process can inherit across an exec()

P - Permitted privilege set – the set of privileges that are available for use

L - Limit privilege set – the outside limit of what privileges are available to a process and its children

Used to bound the “I” set across an exec(), for example: nothing outside L can ever be inherited, so shrinking L caps the whole process tree below

Page 70: 2009 04.s10-admin-topics4

Privileges Example

traceroute is now privilege enabled

$ ls -l /usr/sbin/traceroute
-r-sr-xr-x   1 root     bin        35392 Jul  3 14:42 /usr/sbin/traceroute

$ /usr/sbin/traceroute 1.2.3.4 &
[2] 7841
# pcred 7841
7841:   e/r/suid=101  e/r/sgid=14

Page 71: 2009 04.s10-admin-topics4

Privileges Example - 2

# ppriv -v 7841
7841:   /usr/sbin/traceroute 1.2.3.4
flags = PRIV_AWARE
        E: file_link_any,proc_exec,proc_fork,proc_info,proc_session
        I: file_link_any,proc_exec,proc_fork,proc_info,proc_session
        P: file_link_any,net_icmpaccess,net_rawaccess,proc_exec,proc_fork,proc_info,proc_session
        L: none

Note that an exploit would have to keep running inside the traceroute process itself to make use of its net_rawaccess and net_icmpaccess privileges: because the Limit set is empty, anything traceroute exec()s gets no privileges at all.

Page 72: 2009 04.s10-admin-topics4

Privileged Daemon Example

# ppriv `pgrep rpcbind`
153:    /usr/sbin/rpcbind
flags = PRIV_AWARE
        E: basic,!file_link_any,net_privaddr,!proc_exec,!proc_info,!proc_session,sys_nfs
        I: basic,!file_link_any,!proc_exec,!proc_fork,!proc_info,!proc_session
        P: basic,!file_link_any,net_privaddr,!proc_exec,!proc_info,!proc_session,sys_nfs
        L: basic,!file_link_any,!proc_exec,!proc_fork,!proc_info,!proc_session
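The four sets shown for traceroute and rpcbind above, and the zone limitpriv setting on the DTrace slide, all follow the same small set of rules at fork() and exec(). The following is an added Python model of those rules (not code from the tutorial or from Sun): it parses the notation ppriv and zonecfg print (basic, all, none, a leading ! to remove), reproduces the traceroute listing from a plain user shell, and then shows what a child of traceroute, a role carrying the dtrace privileges, and a process inside a zone with limitpriv=default,dtrace_proc,dtrace_user can obtain. The privilege universe and the zone “default” set are assumptions limited to the names on these slides; a real Solaris 10 kernel defines many more.

```python
"""Solaris privilege sets (E, I, P, L) as set arithmetic.

Added example, not code from the tutorial or from Sun.  ALL and ZONE_DEFAULT
are assumptions: only the privilege names that appear on these slides, and a
zone "default" set that simply lacks the three DTrace privileges.
"""
from __future__ import annotations
from dataclasses import dataclass

# The five "basic" privileges every ordinary process has.
BASIC = frozenset({"file_link_any", "proc_exec", "proc_fork", "proc_info", "proc_session"})
# Everything this model knows about (assumption: a subset of the real list).
ALL = BASIC | frozenset({
    "net_icmpaccess", "net_rawaccess", "net_privaddr", "sys_nfs", "sys_mount",
    "dtrace_proc", "dtrace_user", "dtrace_kernel", "file_dac_read", "proc_clock_high_res",
})
# zonecfg's "default" limitpriv, modelled (assumption) as everything but DTrace,
# which the slides say a zone does not get by default.
ZONE_DEFAULT = ALL - {"dtrace_proc", "dtrace_user", "dtrace_kernel"}
KEYWORDS = {"basic": BASIC, "all": ALL, "none": frozenset(), "default": ZONE_DEFAULT}


def parse_privs(spec: str) -> frozenset[str]:
    """Expand 'basic,!file_link_any,net_privaddr' left to right; '!' removes."""
    result: set[str] = set()
    for tok in (t.strip() for t in spec.split(",")):
        if not tok:
            continue
        remove = tok.startswith("!")
        name = tok.lstrip("!")
        group = KEYWORDS.get(name)
        if group is None:
            if name not in ALL:
                raise ValueError(f"unknown privilege {name!r}")
            group = frozenset({name})
        result = result - group if remove else result | group
    return frozenset(result)


@dataclass(frozen=True)
class PrivSets:
    E: frozenset[str]  # effective: what the kernel checks right now
    I: frozenset[str]  # inheritable: survives exec()
    P: frozenset[str]  # permitted: E may grow back up to this
    L: frozenset[str]  # limit: hard ceiling for this process and its children

    @classmethod
    def parse(cls, E: str, I: str, P: str, L: str) -> "PrivSets":
        return cls(parse_privs(E), parse_privs(I), parse_privs(P), parse_privs(L))


def fork(parent: PrivSets) -> PrivSets:
    """fork(2) copies all four sets unchanged."""
    return parent


def exec_(parent: PrivSets, *, exec_attr_privs: frozenset[str] = frozenset(),
          setuid_root: bool = False) -> PrivSets:
    """exec(2): I' = (I + privs= from exec_attr) & L;  E' = P' = I';  L' = L.
    A set-uid-root binary started by a non-privilege-aware process instead gets
    P' = E' = L (the superuser compatibility rule) until it drops privileges."""
    new_i = (parent.I | exec_attr_privs) & parent.L
    new_pe = parent.L if setuid_root else new_i
    return PrivSets(E=new_pe, I=new_i, P=new_pe, L=parent.L)


def setppriv_drop(cur: PrivSets, *, keep_p: frozenset[str], new_e: frozenset[str],
                  new_l: frozenset[str]) -> PrivSets:
    """What a privilege-aware program does to itself with setppriv(2): shrink P,
    keep only what it needs in E, and cut L so later exec()s get nothing extra.
    L only bites at the next exec, which is why traceroute can show L=none while
    P still holds net_rawaccess."""
    p = cur.P & keep_p
    return PrivSets(E=new_e & p, I=cur.I & p, P=p, L=cur.L & new_l)


def traceroute_from_shell() -> PrivSets:
    """Reproduce the 'ppriv -v 7841' listing: user shell -> set-uid traceroute,
    which then drops down to the sets shown on the slide."""
    shell = PrivSets.parse("basic", "basic", "basic", "all")
    t = exec_(shell, setuid_root=True)  # starts as uid 0 with P = E = all
    return setppriv_drop(t, keep_p=BASIC | {"net_icmpaccess", "net_rawaccess"},
                         new_e=BASIC, new_l=frozenset())


def zone_shell(limitpriv: str) -> PrivSets:
    """A root shell inside a non-global zone configured with this limitpriv."""
    l = parse_privs(limitpriv)
    return PrivSets(E=l, I=l, P=l, L=l)


if __name__ == "__main__":
    tr = traceroute_from_shell()
    print("traceroute P:", sorted(tr.P), " L:", sorted(tr.L))
    print("child of traceroute gets:", sorted(exec_(tr).E) or "nothing")
    z = zone_shell("default,dtrace_proc,dtrace_user")
    print("zone can reach dtrace_kernel:",
          "dtrace_kernel" in exec_(z, exec_attr_privs=frozenset({"dtrace_kernel"})).E)
```

The point to take from the model is the asymmetry between P and L: traceroute keeps net_rawaccess in P for its own use, but an empty L means any exec() from it, including one forced by an exploit, yields a process with no privileges at all. The same rule is what makes a zone’s limitpriv a ceiling: a role or exec_attr entry inside the zone can name dtrace_kernel, but it can never be granted.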

Page 73: 2009 04.s10-admin-topics4

RBAC and Privileges

Use RBAC to assign specific privs to roles or users

By default, all non-setuid processes have the “basic” set of privileges assigned

Create a role with that privilege and then allow the user to assume that role

The list of available privileges is available in the privileges(5), and via the all important ppriv command (the “-lv” options)

Divided into categories, including file, ipc, net, proc, and sys privileges

For example, enable users in role “test” to do process management and use DTrace features

Create “test” role in /etc/user_attr

Page 74: 2009 04.s10-admin-topics4

RBAC and Privileges - 2

# roleadd -u 201 -d /export/home/test -P "Process Management" test
# rolemod -K defaultpriv=basic,dtrace_proc,dtrace_user,dtrace_kernel test
# grep test /etc/user_attr
test::::type=role;defaultpriv=basic,dtrace_proc,dtrace_user,dtrace_kernel;profiles=Process Management
# passwd test
New password:
Re-enter new password:
# mkdir -p /export/home/test

(roleadd without -m does not create the home directory, hence the mkdir; the directory should also be owned by the role)

The user would need to switch to the role “test” to use these privileges

Page 75: 2009 04.s10-admin-topics4

RBAC and Privileges - 3

$ ppriv $$
10897:  -bash
flags = <none>
        E: basic
        I: basic
        P: basic
        L: all
$ dtrace -s bitesize.d
dtrace: failed to initialize dtrace: DTrace requires additional privileges
$ su - test
password:
Roles can only be assumed by authorized users
su: Sorry

# usermod -R test pbg

(then login as pbg)

Page 76: 2009 04.s10-admin-topics4

RBAC and Privileges - 4

$ roles
test
$ su test
password:
$ ppriv $$
11022:  pfsh
flags = <none>
        E: basic,dtrace_kernel,dtrace_proc,dtrace_user
        I: basic,dtrace_kernel,dtrace_proc,dtrace_user
        P: basic,dtrace_kernel,dtrace_proc,dtrace_user
        L: all
$ dtrace -s bitesize.d
. . .

Alternately, privileges can be directly assigned to users, as in this /etc/user_attr entry:

pbg::::type=normal;roles=primary_administrator,test;defaultpriv=basic,dtrace_proc,dtrace_user,dtrace_kernel
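The two databases that drive all of this are plain text: /etc/security/exec_attr (the head of it is shown on the exec_attr slide) and /etc/user_attr (the test and pbg entries above). The following is an added Python resolver, not code from the tutorial or from Sun, that parses both and answers the questions a profile shell answers at run time: which commands an account gets, with which uid/euid/privs attributes, and whether a user may su to a given role. The sample entries are constructed for the example; in particular the “Process Management” command lines and the jdoe account are assumptions, not taken from the slides. prof_attr, and so profiles that include other profiles, is not modelled.

```python
"""Resolve Solaris RBAC rights from user_attr and exec_attr text.

Added example, not code from the tutorial or from Sun.
user_attr(4) lines have five colon-separated fields (user:qualifier:res1:res2:attr),
exec_attr(4) lines have seven (name:policy:type:res1:res2:id:attr); the attr field
holds key=value pairs separated by ';'.  The sample data below is constructed.
"""
from __future__ import annotations

EXEC_ATTR = """\
# constructed excerpt in exec_attr(4) format; Process Management lines are assumed
Software Installation:suser:cmd:::/usr/bin/pkgparam:uid=0
File System Management:suser:cmd:::/usr/sbin/mount:uid=0
File System Management:solaris:cmd:::/sbin/mount:privs=sys_mount
Name Service Security:suser:cmd:::/usr/bin/nisaddcred:euid=0
Process Management:suser:cmd:::/usr/bin/pkill:euid=0
Process Management:suser:cmd:::/usr/bin/nice:euid=0
"""

USER_ATTR = """\
# constructed excerpt in user_attr(4) format
root::::type=normal;auths=solaris.*,solaris.grant;profiles=All
test::::type=role;defaultpriv=basic,dtrace_proc,dtrace_user,dtrace_kernel;profiles=Process Management
pbg::::type=normal;roles=primary_administrator,test
jdoe::::type=normal;profiles=File System Management;defaultpriv=basic,proc_clock_high_res
"""


def parse_kv(attr: str) -> dict[str, str]:
    """'type=role;profiles=A,B' -> {'type': 'role', 'profiles': 'A,B'}."""
    pairs: dict[str, str] = {}
    for item in attr.split(";"):
        if item.strip():
            key, _, value = item.partition("=")
            pairs[key.strip()] = value.strip()
    return pairs


def records(text: str, nfields: int):
    """Yield the fields of each non-comment line; reject malformed lines loudly
    rather than silently granting or denying something."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != nfields:
            raise ValueError(f"expected {nfields} fields: {line!r}")
        yield fields


def parse_user_attr(text: str) -> dict[str, dict]:
    accounts: dict[str, dict] = {}
    for name, _qualifier, _res1, _res2, attr in records(text, 5):
        kv = parse_kv(attr)
        accounts[name] = {
            "type": kv.get("type", "normal"),
            "roles": [r for r in kv.get("roles", "").split(",") if r],
            "profiles": [p for p in kv.get("profiles", "").split(",") if p],
            "defaultpriv": kv.get("defaultpriv", "basic"),
        }
    return accounts


def parse_exec_attr(text: str) -> dict[str, list]:
    """{profile: [(policy, command path, attrs), ...]} in file order."""
    profiles: dict[str, list] = {}
    for name, policy, kind, _res1, _res2, path, attr in records(text, 7):
        if kind == "cmd":
            profiles.setdefault(name, []).append((policy, path, parse_kv(attr)))
    return profiles


def commands_for(account: str, accounts: dict, profiles: dict) -> dict[str, dict[str, str]]:
    """Commands the account can run from pfsh/pfexec and the attributes applied.
    First matching entry wins, in the account's profile order, which is how the
    profile shell searches.  'suser' policy entries express privilege as
    uid=/euid=; 'solaris' policy entries use privs=."""
    if account not in accounts:
        raise KeyError(account)
    result: dict[str, dict[str, str]] = {}
    for profile in accounts[account]["profiles"]:
        for policy, path, attrs in profiles.get(profile, []):
            result.setdefault(path, {"profile": profile, "policy": policy, **attrs})
    return result


def can_assume(user: str, role: str, accounts: dict) -> bool:
    """su to a role succeeds only if the target exists as type=role and the user
    lists it in roles= ('Roles can only be assumed by authorized users')."""
    u, r = accounts.get(user), accounts.get(role)
    return bool(u and r and r["type"] == "role" and role in u["roles"])


if __name__ == "__main__":
    accounts = parse_user_attr(USER_ATTR)
    profiles = parse_exec_attr(EXEC_ATTR)
    for who in ("pbg", "test", "jdoe"):
        print(who, accounts[who]["defaultpriv"], commands_for(who, accounts, profiles))
    print("pbg -> test:", can_assume("pbg", "test", accounts))
    print("jdoe -> test:", can_assume("jdoe", "test", accounts))
```

Two things the resolver makes visible that the raw files hide: pbg has no profiles of his own, so he gets nothing until he assumes the test role, and the primary_administrator role he lists does not exist in this user_attr, so su to it fails even though it is named in roles=. Running the same parser over the real files on a host is a quick way to audit which accounts reach euid=0 through a profile.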

Page 77: 2009 04.s10-admin-topics4

Privilege Assignment

To add a privilege to a specific user, use the usermod command to add the privilege to the user’s default privileges, as in

# usermod -K defaultpriv=basic,proc_clock_high_res jdoe

To give a privilege to a specific command rather than to a user, put the command in a rights profile with a privs= attribute in /etc/security/exec_attr (as the /sbin/mount:privs=sys_mount line on the exec_attr slide does) and run it from a profile shell or with pfexec. That works for any binary, but a program only gets the full benefit of least privilege if it is written to be privilege aware, so that it can drop what it no longer needs after start-up instead of keeping the privilege for its whole run

Page 78: 2009 04.s10-admin-topics4

Privilege Assignment - 2

Currently, native system programs are becoming privilege aware and having a limited set of privileges assigned to them

Includes most setuid-root and network daemons

API available with privileges to allow Solaris programmers to write privilege aware programs

ppriv command can be used on a program that is failing due to a lack of privilege, to determine exactly the privileges that the program needs to succeed

Appropriate privileges can be assigned to the program, or assigned to a role or user to allow that program to run properly when the appropriate set of users runs it

Good white paper by Sun about privilege-enabling an arbitrary set-UID program: http://www.sun.com/blueprints/0406/819-6320.pdf


Final Privilege Notes

ppriv allows examination of a command to determine what privileges it would need (-e runs the command that follows, -D turns on privilege debugging so each missing privilege is reported on stderr):

$ ppriv -e -D cat /etc/shadow
cat[418]: missing privilege "file_dac_read" (euid = 21782), needed at ufs_access+0x3c
cat: cannot open /etc/shadow

ppriv -l lists all available privileges; -v does so with details


/etc/passwd

# cat /etc/passwd

root:x:0:1:Super-User:/:/sbin/sh

daemon:x:1:1::/:

bin:x:2:2::/usr/bin:

sys:x:3:3::/:

adm:x:4:4:Admin:/var/adm:

lp:x:71:8:Line Printer Admin:/usr/spool/lp:

uucp:x:5:5:uucp Admin:/usr/lib/uucp:

nuucp:x:9:9:uucp Admin:/var/spool/uucppublic:/usr/lib/uucp/uucico

smmsp:x:25:25:SendMail Message Submission Program:/:

listen:x:37:4:Network Admin:/usr/net/nls:

gdm:x:50:50:GDM Reserved UID:/:

webservd:x:80:80:WebServer Reserved UID:/:

nobody:x:60001:60001:NFS Anonymous Access User:/:

noaccess:x:60002:60002:No Access User:/:

nobody4:x:65534:65534:SunOS 4.x NFS Anonymous Access User:/:

pbg:x:101:14::/export/home/pbg:/bin/bash

test:x:201:1::/export/home/test:/bin/pfsh


/etc/user_attr

# cat /etc/user_attr

#

# Copyright (c) 2003 by Sun Microsystems, Inc. All rights reserved.

#

# /etc/user_attr

#

# user attributes. see user_attr(4)

#

#pragma ident "@(#)user_attr 1.1 03/07/09 SMI"

#

adm::::profiles=Log Management

lp::::profiles=Printer Management

root::::auths=solaris.*,solaris.grant;profiles=Web Console Management,All;lock_after_retries=no

test::::type=role;defaultpriv=basic,dtrace_proc,dtrace_user,dtrace_kernel;profiles=Process Management

pbg::::type=normal;roles=test


Labs

Create new user “foo”

Create new role “operator”

Find list of profiles

Add some profiles to role “operator”

Add user foo to role “operator”

Find list of privileges

Add some privileges to role “operator”

Add some privileges to user “foo”

Test user foo in role “operator”

Test user “foo” privileges

Explore the system to find all of the changes associated with the new user and role

What file would you need to look in during an audit to check a user for more privileges?
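To answer the last lab question with something you can run: the file to check is /etc/user_attr, whose fifth field carries defaultpriv= and roles= among the other key=value attributes. The script below is an added example, not workshop code; it parses a constructed user_attr that mirrors the entries on the slides and reports every account carrying privileges beyond basic, plus the users who may assume a given role. The pbg and jdoe sample entries are assumptions made for illustration; pointing the functions at a real /etc/user_attr works the same way.

```shell
#!/bin/sh
# Added example: audit user_attr(4) for accounts with more than the
# "basic" privilege set and for users who can assume roles.
# Not part of the original workshop; sample data below is constructed.

# Constructed sample user_attr content (mirrors the slides' entries;
# the pbg and jdoe lines are assumptions for illustration).
SAMPLE_USER_ATTR='#
# user attributes. see user_attr(4)
#
adm::::profiles=Log Management
lp::::profiles=Printer Management
root::::auths=solaris.*,solaris.grant;profiles=Web Console Management,All;lock_after_retries=no
test::::type=role;defaultpriv=basic,dtrace_proc,dtrace_user,dtrace_kernel;profiles=Process Management
pbg::::type=normal;roles=primary_administrator,test;defaultpriv=basic,proc_clock_high_res
jdoe::::type=normal;roles=test'

# extra_privs FILE
#   Prints "name type privs" for every entry whose defaultpriv lists
#   anything beyond "basic". Attributes in field 5 are ';' separated.
extra_privs() {
    awk -F: '
        /^#/ || NF < 5 { next }
        {
            name = $1; type = "normal"; extra = ""
            n = split($5, kv, ";")
            for (i = 1; i <= n; i++) {
                if (kv[i] ~ /^type=/) type = substr(kv[i], 6)
                if (kv[i] ~ /^defaultpriv=/) {
                    m = split(substr(kv[i], 13), p, ",")
                    for (j = 1; j <= m; j++)
                        if (p[j] != "basic")
                            extra = (extra == "" ? p[j] : extra "," p[j])
                }
            }
            if (extra != "") print name, type, extra
        }' "$1"
}

# role_members FILE ROLE
#   Prints the users whose roles= list names ROLE, i.e. who may su to it.
role_members() {
    awk -F: -v role="$2" '
        /^#/ || NF < 5 { next }
        {
            n = split($5, kv, ";")
            for (i = 1; i <= n; i++)
                if (kv[i] ~ /^roles=/) {
                    m = split(substr(kv[i], 7), r, ",")
                    for (j = 1; j <= m; j++)
                        if (r[j] == role) print $1
                }
        }' "$1"
}

# Stand-alone run against the constructed sample.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_USER_ATTR" > "$tmp"
echo "Entries with privileges beyond basic:"
extra_privs "$tmp"
echo "Users who may assume role test:"
role_members "$tmp" test
rm -f "$tmp"
```

Run it against the live file with `extra_privs /etc/user_attr` during an audit; anything it prints for a type=normal account is a privilege that bypasses the role mechanism and should be justified.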


NFS V4


NFS V4 Overview

Stateful rather than stateless

All traffic uses one port number (2049), which is far easier to firewall than the v2/v3 mix of portmapper, mountd, lockd and statd ports

Can negotiate the security flavor, including Kerberos (SEAM) via RPCSEC_GSS and Diffie-Hellman/DES (AUTH_DH)

The /etc/default/nfs file uses keywords to control the NFS protocol versions that are used by both the client and the server

Identifies the owner and group_owner by string (user@domain) rather than by numeric UID/GID; the nfsmapid daemon maps between the two, so client and server must agree on the domain (NFSMAPID_DOMAIN in /etc/default/nfs, or the DNS domain) or files show up owned by nobody

Supports mandatory locking (multiple lock types)

When you unshare a file system, all the state for any open files or file locks in that file system is destroyed

Servers use a pseudo file system to provide clients with access to exported objects on the server

Server provides a view that just includes the exported file systems


NFS V4 Overview - 2

Supports client and server recovery from a crash

Supports client fail-over between multiple replicated copies of a file system on different servers

Supports volatile file handles

Delegation, a technique by which the server delegates the management of a file to a client, is supported on both the client and the server.

I.e. the server could grant either a read delegation or a write delegation to a client.

Does not use the following daemons:

lockd

mountd

nfslogd

statd


NFS V4 Use

Version selection is controlled by NFS_CLIENT_VERSMIN / NFS_CLIENT_VERSMAX (and NFS_SERVER_VERSMIN / NFS_SERVER_VERSMAX) in the /etc/default/nfs file. Solaris 10 negotiates the highest version both sides support, so v4 is used unless VERSMAX is lowered; set NFS_CLIENT_VERSMIN=4 when you want to refuse a fallback to v2/v3 and keep the v4 security model enforced


Solaris Flash Archives


System Build Technology

What does it have to do with security?

Capture state of system just after virgin build

Fast restore

Useful for comparison (a known-good baseline to diff a suspect system against)

Also good for DR / BC

This is available pre-Solaris 10, but generally under-utilized


Flash Archives

Create master system, a single reference installation

Then replicate master to clone systems

Initial install overwrites all filesystems on target clone

Update only includes differences between two system images (on master and clone)

Differential update changes only specified files of a clone based on a master


Flash Archives Initial Install

Install master server however you’d like

(Optional) Prepare customization scripts to reconfigure or customize the clone system before or after installation

Create the Solaris Flash archive. The Solaris Flash archive contains a copy of all of the files on the master system, unless you excluded some nonessential files

Install the Solaris Flash archive on clone systems

Master and clone system must have the same kernel architecture

Can run scripts to customize clone or install extra packages using custom jumpstart

(Optional) Save a copy of the master image

If you plan to create a differential archive, the master image must be available and identical to the image installed on the clone systems

Note – best to start from Entire Plus OEM install image to get all drivers clones might need


Flash Archives Deployment

Create archive after full master install but before software configuration

I.E. No Solaris Volume Manager config

Master should be as inactive as possible

Create archive with flar create -n name options path/filename

Save it to disk or tape

Make a copy for differential archive creation

Can keep multiple archives – just costs disk

Can compress archives

To install from an archive, select Solaris Flash installation during standard installation procedures


Updating Clone with Flash Differential Archive

1. Start from master identical to clone

2. Prepare the master system with changes

3. (Optional) Prepare customization scripts to reconfigure or customize the clone system before or after installation

4. Mount the directory of a copy of the saved-unchanged master image

1. Second image is to be used to compare the two system images

2. Mount it from a Solaris Live Upgrade boot environment

3. Mount it from a clone system over NFS

4. Restore from backup using the ufsrestore command

5. Create the differential archive with the -A option of the flar create command

6. Install the differential archive on clone systems with custom JumpStart

1. Or, use Solaris Live Upgrade to install the differential archive on an inactive boot environment


Moving from NIS to LDAP


Why Move?

NIS is old, limited, not secure

Weak authentication

Not much encryption

Nonstandard

NIS+ is complicated and EOL

Sorry if you already moved to it

Don’t move to NIS+ if you haven’t already

LDAP is the wave of the future

“Standard”

Full features

Expandable, flexible, interoperable


NIS to LDAP Overview

The NIS–to–LDAP transition service (N2L service) replaces existing NIS daemons on the NIS master server with NIS–to–LDAP transition daemons

The N2L service also creates a NIS–to–LDAP mapping file on that server

Specifies the mapping between NIS map entries and equivalent Directory Information Tree (DIT) entries in LDAP

A transitioned server is called an N2L server

Slave servers do not have an NISLDAPmapping file, so they continue as usual

The slave servers periodically update their data from N2L server


NIS to LDAP Overview - 2

Behavior of the N2L service is controlled by the ypserv and NISLDAPmapping configuration files

A script, inityp2l, assists with initial setup of configuration files.

Once N2L server has been established, you can maintain N2L by editing configuration files

The N2L service supports:

Import of NIS maps into LDAP DIT

Client access to DIT information with speed and extensibility of NIS

When using N2L, the LDAP directory is the source of authoritative data; the NIS maps served by the N2L server are a cache of it

Eventually, all NIS clients can be replaced by Solaris LDAP naming services clients

Many gory details in SysAdmin Guide to Naming and Directory Services


FTP Server Enhancements


FTP Server Enhancements

The sendfile() function is used for binary downloads

New capabilities supported in the ftpaccess file

flush-wait controls the behavior at the end of a download or directory listing

ipcos sets the IP Class of Service for either the control or data connection

passive ports can be configured so that the kernel selects the TCP port to listen on

quota-info enables retrieval of quota information

recvbuf sets the receive (upload) buffer size used for binary transfers

rhostlookup allows or disallows the lookup of the remote hosts name

sendbuf sets the send (download) buffer size used for binary transfers

xferlog format customizes the format of the transfer log entry

-4 option which makes the FTP server only listen for connections on an IPv4 socket when running in standalone mode


FTP Server Enhancements - 2

ftpcount and ftpwho now support the -v option, which displays user counts and process information for FTP server classes defined in virtual host ftpaccess files

The FTP client and server now support Kerberos


PAM Enhancements


PAM Enhancements

Pluggable Authentication Module (PAM) framework enhancements

The pam_authtok_check module now allows for strict password checking using new tunable parameters in the /etc/default/passwd file. The new parameters define:

A list of comma separated dictionary files used for checking common dictionary words in a password

The minimum differences required between a new password and an old password

The minimum number of alphabetic or nonalphabetic characters that must be used in a new password

The minimum number of uppercase or lowercase letters that must be used in a new password

The number of allowable consecutive repeating characters


PAM Enhancements - 2

The pam_unix_auth module implements account locking for local users. Account locking is enabled system-wide by the LOCK_AFTER_RETRIES parameter in /etc/security/policy.conf and can be overridden per account with the lock_after_retries key in /etc/user_attr (the root entry shown earlier sets lock_after_retries=no so root cannot be locked out remotely). The number of failures allowed comes from RETRIES in /etc/default/login

The pam_unix module has been removed and replaced by a set of service modules of equivalent or greater functionality. Many of these modules were introduced in the Solaris 9 release. Here is a list of the replacement modules:

pam_authtok_check
pam_authtok_get
pam_authtok_store
pam_dhkeys
pam_passwd_auth
pam_unix_account
pam_unix_auth
pam_unix_cred
pam_unix_session


PAM Enhancements - 3

The functionality of the pam_unix_auth module has been split into two modules. The pam_unix_auth module now verifies that the password is correct for the user. The new pam_unix_cred module provides functions that establish user credential information.

Additions to the pam_krb5 module have been made to manage the Kerberos credentials cache using the PAM framework.

A new pam_deny module has been added. The module can be used to deny access to services. By default, the pam_deny module is not used


/etc/default/passwd

$ cat /etc/default/passwd

#ident "@(#)passwd.dfl 1.7 04/04/22 SMI"

#

# Copyright 2004 Sun Microsystems, Inc. All rights reserved.

# Use is subject to license terms.

#

MAXWEEKS=

MINWEEKS=

PASSLENGTH=6

# NAMECHECK enables/disables login name checking.

# The default is to do login name checking.

# Specifying a value of "NO" will disable login name checking.

#

#NAMECHECK=NO


/etc/default/passwd - 2

# HISTORY sets the number of prior password changes to keep and

# check for a user when changing passwords. Setting the HISTORY

# value to zero (0), or removing/commenting out the flag will

# cause all users' prior password history to be discarded at the

# next password change by any user. No password history will

# be checked if the flag is not present or has zero value.

# The maximum value of HISTORY is 26.

#

# This flag is only enforced for user accounts defined in the

# local passwd(4)/shadow(4) files.

#

#HISTORY=0

#


/etc/default/passwd - 3

# Password complexity tunables. The values listed are the defaults

# which are compatible with previous releases of passwd.

# See passwd(1) and pam_authtok_check(5) for use warnings and

# discussion of the use of these options.

#

#MINDIFF=3

#MINALPHA=2

#MINNONALPHA=1

#MINUPPER=0

#MINLOWER=0

#MAXREPEATS=0

#MINSPECIAL=0

#MINDIGIT=0

#WHITESPACE=YES


/etc/default/passwd - 4

#
# passwd performs dictionary lookups if DICTIONLIST or DICTIONDBDIR
# is defined. If the password database does not yet exist, it is
# created by passwd. See passwd(1), pam_authtok_check(5) and
# mkdict(1) for more information.
#
#DICTIONLIST=
#DICTIONDBDIR=/var/passwd


Stronger Password Crypto

Modify /etc/security/policy.conf to use stronger password crypto

CRYPT_DEFAULT=md5

The stock default, __unix__, is traditional DES crypt: only the first eight characters of the password count and the hash is cheap to brute-force. md5 (Sun MD5, salted and iterated) and 2a (Blowfish) hash the whole password; whichever you pick must also appear in CRYPT_ALGORITHMS_ALLOW

Passwords less likely to be “crack”ed if found encrypted

Existing hashes are not converted: an account gets the new algorithm only at its next password change, so force a change (passwd -f) or look in /etc/shadow for hashes that still lack the $md5$ prefix
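An added example (not from the workshop) that turns the /etc/default/passwd comments and the CRYPT_DEFAULT slide into a check. Both files are KEY=VALUE with '#' comments, so one reader serves both; the function flags a short PASSLENGTH, no HISTORY, no MAXWEEKS expiry, neither dictionary option set, and the traditional __unix__ hash. The thresholds (8 characters, 4 history entries) are this example's own policy, not Solaris defaults, and the sample files are constructed to match the stock contents shown on the slides.

```shell
#!/bin/sh
# Added example, not workshop code: check /etc/default/passwd and
# /etc/security/policy.conf against a minimum password policy.
# Thresholds below are assumptions for illustration.

# Constructed sample: the stock /etc/default/passwd from the slides
# (everything but PASSLENGTH=6 left commented out).
SAMPLE_PASSWD_DEFAULT='MAXWEEKS=
MINWEEKS=
PASSLENGTH=6
#NAMECHECK=NO
#HISTORY=0
#MINDIFF=3
#MINALPHA=2
#MINNONALPHA=1
#MAXREPEATS=0
#DICTIONLIST=
#DICTIONDBDIR=/var/passwd'

# Constructed sample policy.conf with the stock CRYPT_DEFAULT.
SAMPLE_POLICY_CONF='CRYPT_ALGORITHMS_ALLOW=1,2a,md5
CRYPT_DEFAULT=__unix__
PRIV_DEFAULT=basic'

# getkey FILE KEY
#   Value of the last uncommented KEY= line; empty if unset or empty.
getkey() {
    awk -F= -v key="$2" '
        /^[ \t]*#/ { next }
        $1 == key { v = $2 }
        END { print v }' "$1"
}

# check_password_policy PASSWD_DEFAULT POLICY_CONF
#   Prints one "FAIL <reason>" line per finding; returns 1 if any.
check_password_policy() {
    rc=0
    len=$(getkey "$1" PASSLENGTH)
    if [ -z "$len" ] || [ "$len" -lt 8 ]; then
        echo "FAIL PASSLENGTH is '${len:-unset}', want >= 8"; rc=1
    fi
    hist=$(getkey "$1" HISTORY)          # unset/0 = no history kept
    if [ -z "$hist" ] || [ "$hist" -lt 4 ]; then
        echo "FAIL HISTORY is '${hist:-unset}', want >= 4"; rc=1
    fi
    if [ -z "$(getkey "$1" MAXWEEKS)" ]; then
        echo "FAIL MAXWEEKS unset: passwords never expire"; rc=1
    fi
    dlist=$(getkey "$1" DICTIONLIST)
    dbdir=$(getkey "$1" DICTIONDBDIR)
    if [ -z "$dlist" ] && [ -z "$dbdir" ]; then
        echo "FAIL no DICTIONLIST/DICTIONDBDIR: no dictionary check"; rc=1
    fi
    case $(getkey "$2" CRYPT_DEFAULT) in
        __unix__|"")
            echo "FAIL CRYPT_DEFAULT is traditional DES crypt; set md5 or 2a"
            rc=1 ;;
    esac
    return $rc
}

# Stand-alone run against the constructed samples.
pd=$(mktemp); pc=$(mktemp)
printf '%s\n' "$SAMPLE_PASSWD_DEFAULT" > "$pd"
printf '%s\n' "$SAMPLE_POLICY_CONF" > "$pc"
check_password_policy "$pd" "$pc" || echo "policy check failed"
rm -f "$pd" "$pc"
```

On a real host call `check_password_policy /etc/default/passwd /etc/security/policy.conf`; remember that these settings only apply to accounts in the local passwd/shadow files, so LDAP or NIS users need the same policy enforced on the directory side.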


BSM


BSM

Solaris Basic Security Module

Also known as Solaris auditing

Part of Solaris for a while, but little used

Very detailed accounting of system / user activities

Can be too much – watch your disk space

Good article at http://www.deer-run.com/~hal/sysadmin/SolarisBSMAuditing.html

Except for disk space, not very resource intensive


BSM Setup

BSM not enabled by default

bsmconv configures BSM (run it in single-user mode, then reboot)

Creates files in /etc/security

audit_startup runs at startup, configuring auditing via auditconfig commands

/usr/bin/echo "Starting BSM services."
/usr/sbin/auditconfig -setpolicy +cnt
/usr/sbin/auditconfig -conf
/usr/sbin/auditconfig -aconf

The cnt policy means that if the audit trail cannot be written (disk full), processes keep running and records are dropped and counted rather than the system blocking; drop +cnt only if you would rather halt than lose records


BSM Setup – cont

audit_control is primary config file

dir:/var/audit
flags:
minfree:20
naflags:lo

flags defines the audit classes to pay attention to for attributable (per-user) events; as shipped it is empty, so nothing attributable is audited until you set it

naflags defines non-attributable events to pay attention to (lo = login/logout)

audit_event can fine-tune auditing (defines events and divides them into classes)

audit_class defines the classes (bit masks) that events are grouped into and that flags refers to

Per-user additions and exceptions to flags go in audit_user


BSM Setup - cont

Run audit -n out of cron to cycle the (otherwise infinite) log file:

0 * * * * /usr/sbin/audit -n

Compress and move the audit log to secure storage

Do so rapidly on security-conscious machines (i.e. web servers), so that an intruder who gets root cannot simply delete the only copy of the trail

auditreduce can extract specific info from an audit log

praudit can dump native audit binary data for readability
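The rotate, compress and move step above as an added example, not workshop code. It relies on the audit trail's file naming: a file the daemon has closed is named start.stop.hostname, while the one still being written is start.not_terminated.hostname, so only the former is safe to archive. The directory layout and the hostname websrv in the demo are constructed for illustration; on a real system run it against /var/audit after the cron job has run audit -n.

```shell
#!/bin/sh
# Added example, not from the workshop: archive closed Solaris audit
# trail files. Paths and hostname below are constructed assumptions.

# closed_audit_files DIR
#   Prints the audit files in DIR that the daemon has finished with
#   (name pattern start.stop.host, never *.not_terminated.*), oldest first.
closed_audit_files() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        case $(basename "$f") in
            *.not_terminated.*) ;;                 # still open: leave alone
            [0-9]*.[0-9]*.*)    printf '%s\n' "$f" ;;
        esac
    done | sort
}

# archive_audit_files DIR ARCHIVE_DIR
#   gzip each closed file and move it to ARCHIVE_DIR (ideally a remote
#   or write-once mount). Prints the number of files archived.
archive_audit_files() {
    n=0
    mkdir -p "$2"
    for f in $(closed_audit_files "$1"); do
        gzip -9 "$f" && mv "$f.gz" "$2/" && n=$((n + 1))
    done
    echo "$n"
}

# Stand-alone demo with a constructed audit directory. In production:
#   0 * * * * /usr/sbin/audit -n && /path/to/this.sh
demo=$(mktemp -d)
mkdir "$demo/audit" "$demo/archive"
touch "$demo/audit/20090502100000.20090502110000.websrv" \
      "$demo/audit/20090502110000.20090502120000.websrv" \
      "$demo/audit/20090502120000.not_terminated.websrv"
echo "closed files:"
closed_audit_files "$demo/audit"
echo "archived: $(archive_audit_files "$demo/audit" "$demo/archive")"
ls "$demo/archive"
rm -rf "$demo"
```

Because the open file is skipped, the script is safe to run at any time; records written between the last audit -n and the copy stay on the host until the next cycle, which is why the cron interval should be short on exposed machines.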


BSM Tuning

Recommended auditing settings for more security-conscious systems from http://www.cisecurity.com/bench_solaris.html

Generated via this awk script, which adds a site-defined class cc to the file-modification (fm) and process (pc, pm, ps) events in audit_event, leaving out the noisiest ones (field 2 is the event name, field 4 its class list):

awk 'BEGIN { FS = ":"; OFS = ":" }
    ($4 ~ /fm/) && ! ($2 ~ /MCTL|FCNTL|FLOCK|UTIME/) \
        { $4 = $4 ",cc" }
    ($4 ~ /p[cms]/) && \
        ! ($2 ~ /FORK|CHDIR|KILL|VTRACE|SETGROUPS|SETPGRP/) \
        { $4 = $4 ",cc" }
    { print }' audit_event >audit_event.new

And associated audit_control configuration:

dir:/var/audit
minfree:20
flags:lo,ad,cc
naflags:lo,ad,ex

Note that cc is not a stock class: define it in audit_class with an unused mask bit before installing audit_event.new, or the flags line is rejected


Auditing Enhancements


Auditing Enhancements

Can use the syslog utility to store audit records in text format (in addition to, not instead of, the binary trail in dir:)

Enable and configure in /etc/security/audit_control

dir:/var/audit
flags:lo,ad,-fm
minfree:20
naflags:lo,ad
plugin:name=audit_syslog.so;p_flags=lo,+ad;qsize=512

p_flags must be a subset of flags and naflags: here all logins and failed logins, plus successful administrative actions, also go to syslog

Add audit.notice /var/adm/auditlog to /etc/syslog.conf (the separator must be a tab, not spaces)

touch /var/adm/auditlog

Use logadm to manage the logs

syslog records are summaries that may be truncated, and syslog is UDP and unauthenticated if forwarded, so keep the binary trail for forensics and use syslog for near-real-time alerting

praudit -x produces XML output


Auditing Enhancements - 2

Audit metaclasses provide an umbrella for finer-grained audit classes

The bsmconv command no longer disables the use of the Stop-A key

The Stop-A event can be audited

The timestamp in audit records now displays in ISO 8601 format

Three audit policy options have been added:

public – Public objects are no longer audited for read-only events, reducing the audit log size

perzone – A separate audit daemon runs in each zone

zonename – The name of the Solaris zone in which an audit event occurred can be included in audit records


Auditing Enhancements - 3

Five audit tokens have been added:

The cmd token records the list of arguments and the list of environment variables that are associated with a command

The path_attr token records the sequence of attribute file objects that are below the path token object

The privilege token records the use of privilege on a process

The uauth token records the use of authorization with a command or action

The zonename token records the name of the non-global zone in which an audit event occurred


Solaris Cryptographic Framework


Crypto Framework

Provides common store of crypto algorithms and PKCS #11 libraries optimized for SPARC and x86

PKCS #11 – public key crypto standard defining technology-independent API for crypto devices

Current consumers: IPsec and Kerberos in the kernel; libsasl and IKE at user level. Providers plug in at three levels:

User-level plugins – Shared objects that provide services by using PKCS #11 libraries, such as pkcs11_softtoken.so.1

Kernel-level plugins – Kernel modules that provide implementations of cryptographic algorithms in software, such as AES

Hardware plugins – Device drivers and their associated hardware accelerators, e.g. the Sun Crypto Accelerator 1000 board

Framework implements a standard interface, the PKCS #11, v2.11 library, for user-level providers. Can be used by third-party applications to reach providers

Third parties can add signed libraries, signed kernel algorithm modules, and signed device drivers to the framework; the framework verifies the signature before it will load a provider

Plugins are added when the pkgadd utility installs the third-party software


Figure 8–1 Overview of the Solaris Cryptographic Framework

[figure not reproduced]

(From Solaris 10 Solaris Security for Developers Guide)


Crypto Framework Admin

Administration via cryptoadm command:

$ cryptoadm list

user-level providers:

/usr/lib/security/$ISA/pkcs11_kernel.so

/usr/lib/security/$ISA/pkcs11_softtoken.so

kernel software providers:

des

aes

arcfour

blowfish

sha1

md5

rsa

swrand

kernel hardware providers:


Crypto Framework User Commands

digest– Computes a message digest for one or more files or for stdin. A digest is useful for verifying the integrity of a file. SHA1 and MD5 are examples of digest functions.

mac – Computes a message authentication code (MAC) for one or more files or for stdin. A MAC is a keyed digest: only a holder of the shared secret key can produce or verify it, so a receiver who holds the key can verify that the message came from a key holder and that it has not been tampered with (a plain digest gives no such guarantee, since anyone can recompute it). The sha1_hmac and md5_hmac mechanisms can compute a MAC.

encrypt – Encrypts files or stdin with a symmetric cipher. The encrypt -l command lists the algorithms that are available. Mechanisms that are listed under a user-level library are available to the encrypt command. The framework provides AES, DES, 3DES (Triple-DES), and ARCFOUR mechanisms for user encryption.

decrypt – Decrypts files or stdin that were encrypted with the encrypt command. The decrypt command uses the identical key and mechanism that were used to encrypt the original file.


Key Generation

For MAC and encryption, need symmetric key

Determine algorithm to use and length of key needed

$ encrypt -l

Algorithm Keysize: Min Max (bits)

------------------------------------------

aes 128 128

arcfour 8 128

des 64 64

3des 192 192

$ mac -l

Algorithm Keysize: Min Max (bits)

------------------------------------------

des_mac 64 64

sha1_hmac 8 512

md5_hmac 8 512


Encrypting

Use a random number generator, or dd, to create a key

Note that bs is in bytes, so divide bits by 8

$ dd if=/dev/random of=keyfile bs=n count=1

Protect the key in the keyfile; anyone who can read it can decrypt, or forge a MAC

$ chmod 400 keyfile

Example for AES (128 bits = 16 bytes):

$ dd if=/dev/random of=$HOME/keyf/05.07.aes16 bs=16 count=1
$ chmod 400 ~/keyf/05.07.aes16

Now use a (separate, 64-byte) key to create an MD5 HMAC and record it for later comparison:

$ mac -v -a md5_hmac -k $HOME/keyf/05.07.mack64 email.attach
md5_hmac (email.attach) = 02df6eb6c123ff25d78877eb1d55710c
$ echo "md5_hmac (email.attach) = 02df6eb6c123ff25d78877eb1d55710c" \
    >> ~/mac.daily.05.07


Encrypting and decrypting

Example - Use AES for encryption with a passphrase instead of a key file (the passphrase is converted into the key; the key-file form is -k keyfile):

$ encrypt -a aes -i ticket.to.ride \
    -o ~/enc/e.ticket.to.ride
Enter key: <Type passphrase>

The opposite of encrypt is decrypt:

$ decrypt -a aes -i ~/enc/e.ticket.to.ride
Enter key:
<decrypted message is output>

encrypt provides confidentiality only; it does not detect modification of the ciphertext, so pair it with a MAC (or a digest stored out of reach) when integrity matters


Labs

Pick an encryption algorithm and key length and encrypt and decrypt a sample message

How do we use the MAC shown in the above slides?

Compute a MAC or digest, modify a sample message, and then recompute


Kerberos Enhancements


Kerberos Enhancements

The KDC software, the user commands and applications now support TCP

Support for IPv6 was added to kinit, klist and kprop commands. Support for IPv6 addresses is provided by default. There are no configuration parameters to change to enable IPv6 support. No IPv6 support is available for the kadmin and kadmind commands.

A new PAM module called pam_krb5_migrate has been introduced. Helps in the automatic migration of users to the local Kerberos realm, if they do not already have Kerberos accounts.

The ~/.k5login file can now be used with the GSS applications ftp and ssh

The kproplog utility has been updated to output all attribute names per log entry


Kerberos Enhancements - 2

Kerberos protocol support is provided in remote applications, such as ftp, rcp, rdist, rlogin, rsh, ssh, and telnet

The Kerberos principal database can now be transferred by incremental update instead of by transferring the entire database each time

Increased database consistency across servers

The need for fewer resources (network, CPU, and so forth)

Much more timely propagation of updates

An automated method of propagation


Kerberos Enhancements - 3

A new script, kclient, helps automatically configure a Kerberos client

Several new encryption types have been added to the Kerberos service

The AES encryption type can be used for high speed, high security encryption of Kerberos sessions. The use of AES is enabled through the Cryptographic Framework.

ARCFOUR-HMAC provides better compatibility with other Kerberos versions.

Triple DES (3DES) with SHA1 increases security. This encryption type also enhances interoperability with other Kerberos implementations that support this encryption type.


Kerberos Enhancements - 4

A new -e option has been included to several subcommands of the kadmin command. This new option allows for the selection of the encryption type during the creation of principals.

Additions to the pam_krb5 module manage the Kerberos credentials cache by using the PAM framework.

Support is provided for auto-discovery of the Kerberos KDC, admin server, kpasswd server, and host or domain name-to-realm mappings by using DNS lookups

A new configuration file option makes the strict TGT verification feature optionally configurable on a per-realm basis


Kerberos Enhancements - 5

Extensions to the password-changing utilities enable the Solaris Kerberos V5 administration server to accept password change requests from clients that do not run Solaris software.

The default location of the replay cache has been moved from RAM-based file systems to persistent storage in /var/krb5/rcache

The GSS credential table is no longer necessary for the Kerberos GSS mechanism

The Kerberos utilities, kinit and ktutil, are now based on MIT Kerberos version 1.2.1

The Solaris Kerberos Key Distribution Center (KDC) is now based on MIT Kerberos version 1.2.1

Note that Kerberos V5 support means NFS traffic can now be protected end to end: sec=krb5 authenticates only, sec=krb5i adds integrity checking, and sec=krb5p encrypts the data as well (chosen per share with share -o sec=krb5p, at a CPU cost on both client and server)


Packet Filtering


Packet Filtering Overview

Solaris used to have nothing, then SunScreen was commercial, then SunScreen was included, now ipfilter is standard

Solaris IP Filter is a host-based firewall that is derived from the open source IP Filter code, developed and maintained by Darren Reed

Based on version 4.0.33 of the open source IP Filter

Uses the STREAMS module, pfil, to intercept packets

By default, pfil is not autopushed onto network interface cards (NICs). Autopush of pfil is disabled for all drivers, so no interface is filtered until you enable it in /etc/ipf/pfil.ap


Packet Filtering Overview - 2

Provides packet filtering and network address translation (NAT), based upon a user-configurable policy

Rules are configurable to filter either statefully or statelessly

Command line interface only

ipf for loading or clearing packet filter rules

ipnat for loading or clearing NAT rules

ippool for managing address pools associated with IP rules

ipfstat for viewing per-interface statistics

ipmon for viewing of logged packets

Good info at http://www.obfuscation.org/ipf/

Configured only from the global zone (so far); shared-IP non-global zones are covered by the global zone's rules on the interfaces they use and cannot load rules of their own


ipfilter Details

Can match on the following IP header fields

Source or destination IP address (including inverted matches)

IP protocol

TOS (Type of Service)

IP options or IP security classes

Fragment

In addition it can:

Distinguish between various interfaces

Return an ICMP error or TCP reset for denied packets

Keep packet state information for TCP, UDP, and ICMP packet flows

Keep fragment state information for any IP packet, applying the same rule to all fragments in that packet

Use redirection to set up true transparent proxy connections

Provide packet header details to a user program for authentication

Provide temporary storage of pre-authenticated rules for passing packets

138

Saturday, May 2, 2009

ipfilter Details - 2

Special provision is made for the three most common Internet protocols, TCP, UDP and ICMP. Can match based on:

TCP or UDP packets by port number or a port number range

ICMP packets by type or code

Established TCP packet sessions

Any arbitrary combination of TCP flags

Note: IPMP only supports stateless packet filtering

Enable ipfilter

Disabled by default

Assume a role that includes the Network Management rights profile, or become superuser

Edit /etc/ipf/pfil.ap

Uncomment the interface(s) to filter on

Put filter rules in /etc/ipf/ipf.conf for automatic use at boot

Put NAT rules in /etc/ipf/ipnat.conf for automatic use at boot

Put config info in /etc/ipf/ippool.conf for pooling of interfaces at boot time

Reboot or run svcadm restart pfil

Activate filtering via svcadm enable ipfilter

unplumb and replumb the interface(s) to filter (or reboot)

Now enable ipfiltering

Enable filtering: ipf -E

Activate filtering: ipf -f filename

Activate NAT if wanted: ipnat -f filename

Monitor with ipfstat

/etc/ipf/ipf.conf

Rules processed top to bottom

Entire ruleset is run, not just until a match

Last matching rule always has precedence

“quick” rule option says to stop processing if match

pass in quick on lo0 all
pass out quick on lo0 all
block in log all
block out all
pass in quick proto tcp from any to any port = 113 flags S keep state
pass in quick proto tcp from any to any port = 22 flags S keep state
pass in quick proto tcp from any port = 20 to any port 39999 >< 45000 flags S keep state
pass out quick proto icmp from any to any keep state
pass out quick proto tcp/udp from any to any keep state keep frags

/etc/ipf/ipnat.conf

Very feature-rich translation of addresses and ports. Some examples:

map eri1 192.168.1.0/24 -> 20.20.20.1/32
map eri1 192.168.1.0/24 -> 0/32 portmap tcp/udp auto
map eri1 192.168.1.0/24 -> 20.20.20.1/32 proxy port ftp ftp/tcp
rdr eri1 20.20.20.5/32 port 80 -> 192.168.0.5,192.168.0.6 port 8000

/etc/ipf/ippool.conf

Pool of addresses used by ipfilter

Used for defining a single object that contains multiple IP address / netmask pairs

Then a rule can be applied to a pool; ipf rule:

pass in from pool/100 to any

table role = ipf type = tree number = 100
{ 1.1.1.1/32, 2.2.0.0/16, !2.2.2.0/24 };

ipfilter status

ipfstat -io shows current filter rules

ipfstat shows the current state table

ipfstat -s shows state statistics

ipfstat -t shows top-like status information

ippool -s shows pool statistics

ipnat -s shows NAT statistics

ndd -get /dev/pfil qif_status shows pfil statistics in the kernel

ipmon -a shows the ipfilter log

ipfilter Lab (only for Global Zone)

Install ipfilters

Build a rule to allow everything but finger in

Modify the rule to allow everything but ftp out

Test the rules

Examine the firewall state

Examine the log files

BART

BART

Basic Auditing and Reporting Tool

Quick and easy way to collect info on filesystem objects and attributes

Then use to look for changes

Much like tripwire, but integral to Solaris 10

Create and compare modes

Create

  Entire system, specific dirs, subset of files, or specific rules based

  Creates manifest

Compare

  Take two manifests and optional rules and output comparison information

BART

Good info on centralizing, securing, and automating use of BART from http://blogs.sun.com/roller/page/gbrunett/20041001#automating_solaris_10_file_integrity

BART - Set up Accounts

First create non-login, profile shell account to collect file system info and create BART manifests

# mkdir -p /export/home
# useradd -d /export/home/bartadm -m -s /bin/pfsh bartadm
# passwd -N bartadm
passwd: password information changed for bartadm

BART Setup Security Access

Consider setting up a “manager” system and doing key and BART manifest management there

$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/export/home/bartadm/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /export/home/bartadm/.ssh/id_dsa.
Your public key has been saved in /export/home/bartadm/.ssh/id_dsa.pub.
The key fingerprint is:
42:ca:d7:fa:ab:1c:f8:c0:5b:2c:7b:56:28:85:dc:65 bartadm@manager

Now copy public key (id_dsa.pub) from manager to client system and rename it to “authorized_keys”

And limit SSH via that key to run only one command, add to beginning of “authorized_keys”:

command="/usr/bin/bart create -r -" <key>

BART Create Rights Profile

Allows “bartadm” user to run BART with sufficient privileges

Add to /etc/security/prof_attr:

File Integrity:::File Integrity Management:

Add to /etc/security/exec_attr:

File Integrity:solaris:cmd:::/usr/bin/bart\:privs=file_dac_read,file_dac_search

Assign the File Integrity rights profile to user “bartadm”:

# usermod -P "File Integrity" bartadm

Configure and Run BART

Create client.rules file on manager to tell BART what to do. This example checks /usr/sbin:

/usr/sbin CHECK all

Now run BART from manager to client:

$ cat ./client.rules | ssh -T -l bartadm client > ./client.manifest.1

Periodically rerun that command and compare the manifests to find the differences:

$ bart compare -r ./client.rules ./client.manifest.1 ./client.manifest.2 . . .
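The comparison step above, as an added worked example that is not code from the deck or from BART itself: a small Python model of what bart compare reports, run on two constructed BART-style manifests and a rules file in the deck's one-line style. The manifest layout assumed here (path, type, size, mode, acl, mtime, uid, gid, and contents for files), the simplified rule matching (longest matching subtree wins, CHECK starts a fresh attribute set, IGNORE removes from it, "all" expands to every attribute), and every hash and mtime value are assumptions and placeholders, not output captured from a system; real BART tracks dirmtime and lnmtime separately, which this model folds into mtime.

```python
"""Simplified model of 'bart compare': parse two manifests, apply a rules
file, and report added, deleted, and changed entries.  Added example;
manifest format and rule semantics are simplifications of BART's."""
from typing import Dict, List, Set, Tuple

# Attribute order of a manifest line after the path; directories have no contents.
FIELDS = ("type", "size", "mode", "acl", "mtime", "uid", "gid", "contents")

# Constructed baseline ("control") manifest: placeholder hashes and hex mtimes.
CONTROL_MANIFEST = """\
! Version 1.0
! HASH SHA1
/usr/sbin D 512 40755 user::rwx,group::r-x,mask:r-x,other:r-x 4a1b2c3d 0 2
/usr/sbin/in.ftpd F 84432 100555 user::r-x,group::r-x,mask:r-x,other:r-x 4a1b2c3d 0 2 0000000000000000000000000000000000000001
/usr/sbin/sshd F 213984 100555 user::r-x,group::r-x,mask:r-x,other:r-x 4a1b2c3d 0 2 0000000000000000000000000000000000000002
/etc/passwd F 1128 100644 user::rw-,group::r--,mask:r--,other:r-- 4a1b2c3d 0 3 0000000000000000000000000000000000000003
"""

# Constructed later ("test") manifest: sshd replaced, in.ftpd gone, a new
# binary in /usr/sbin, and /etc/passwd rewritten with identical contents.
TEST_MANIFEST = """\
! Version 1.0
! HASH SHA1
/usr/sbin D 512 40755 user::rwx,group::r-x,mask:r-x,other:r-x 4a1b2c3e 0 2
/usr/sbin/sshd F 213984 100555 user::r-x,group::r-x,mask:r-x,other:r-x 4a1b2c3e 0 2 00000000000000000000000000000000000000ff
/usr/sbin/unexpected F 4096 100755 user::rwx,group::r-x,mask:r-x,other:r-x 4a1b2c3e 0 2 0000000000000000000000000000000000000004
/etc/passwd F 1128 100644 user::rw-,group::r--,mask:r--,other:r-- 4a1b2c3e 0 3 0000000000000000000000000000000000000003
"""

# Rules in the deck's one-line style; IGNORE mtime under /etc suppresses
# noise from files rewritten with the same contents.
RULES = """\
/usr/sbin CHECK all
/etc CHECK all IGNORE mtime
"""


def parse_manifest(text: str) -> Dict[str, Dict[str, str]]:
    """Map each path to its attributes; lines starting with '!' are the header."""
    entries: Dict[str, Dict[str, str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("!"):
            continue
        path, *values = line.split()
        entries[path] = dict(zip(FIELDS, values))   # directories lack 'contents'
    return entries


def parse_rules(text: str) -> List[Tuple[str, Set[str]]]:
    """Return (subtree, attributes to compare) pairs."""
    rules: List[Tuple[str, Set[str]]] = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        subtree, checked, mode = tokens[0], set(FIELDS), None
        for tok in tokens[1:]:
            if tok == "CHECK":
                mode, checked = tok, set()
            elif tok == "IGNORE":
                mode = tok
            else:
                attrs = set(FIELDS) if tok == "all" else {tok}
                checked = checked | attrs if mode == "CHECK" else checked - attrs
        rules.append((subtree, checked))
    return rules


def attributes_for(path: str, rules: List[Tuple[str, Set[str]]]) -> Set[str]:
    """Longest matching subtree wins; paths outside every rule get all
    attributes (assumed simplification of BART's rule matching)."""
    best: Tuple[int, Set[str]] = (-1, set(FIELDS))
    for subtree, checked in rules:
        inside = path == subtree or path.startswith(subtree.rstrip("/") + "/")
        if inside and len(subtree) > best[0]:
            best = (len(subtree), checked)
    return best[1]


def compare(control: Dict[str, Dict[str, str]], test: Dict[str, Dict[str, str]],
            rules: List[Tuple[str, Set[str]]]) -> Dict[str, object]:
    """Report added, deleted, and changed entries, the way bart compare does."""
    report: Dict[str, object] = {"added": [], "deleted": [], "changed": {}}
    for path in sorted(set(control) | set(test)):
        if path not in control:
            report["added"].append(path)
        elif path not in test:
            report["deleted"].append(path)
        else:
            checked = attributes_for(path, rules)
            diffs = [a for a in FIELDS
                     if a in checked and control[path].get(a) != test[path].get(a)]
            if diffs:
                report["changed"][path] = diffs
    return report


def deck_example() -> Dict[str, object]:
    return compare(parse_manifest(CONTROL_MANIFEST), parse_manifest(TEST_MANIFEST),
                   parse_rules(RULES))


if __name__ == "__main__":
    for kind, items in deck_example().items():
        print(kind, items)
```

Running it reports the new binary under /usr/sbin as added, in.ftpd as deleted, and sshd as changed in mtime and contents, while the rewritten /etc/passwd stays silent because mtime is ignored under /etc. That IGNORE line is where an integrity baseline gets tuned: it removes noise from routine rewrites without hiding a change to the contents hash, which is the attribute that matters most.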

BART Next Steps

Information on tying BART together with the Solaris Fingerprint Database (available for free from SunSolve - http://www.sun.com/blueprints/0501/Fingerprint.pdf) to find changes to files shipped by Sun is available from http://www.securitydocs.com/library/2693

Trusted Extensions

Overview

Used to be Trusted Solaris

Some of that baked into “standard” Solaris 10

Some now available as Trusted Extensions

Reimplementation of Trusted Solaris 8 based on new security features in Solaris 10

Renamed because delivered as an optional set of extensions to Solaris

Extends Solaris security by enforcing a mandatory access control (MAC) policy

Meets requirements of Common Criteria Labeled Security Protection Profile (LSPP) and Role-Based Access Protection Profile (RBAC)

Components

Consists of a set of label-aware services that are derived from Trusted Solaris 8

Labeled Networking

Label-aware Filesystem Mounting and Sharing

Labeled Printing

Labeled Desktops

  Java Desktop System

  Common Desktop Environment

Label Configuration and Translation

Label-aware System Management Tools

Label-aware Device Allocation

Implementation

No application or file system changes needed

Built on zone technology

For each label, entire app environment virtualized within a container

Can be multiple instances of each resource and service at each label

Very efficient

Labels made up of classifications (levels) and compartments (categories)

Classifications are hierarchical, compartments disjoint

At least 256 of each allowed

Labels can be specified as ranges

Admin roles can assign label ranges to users, network attributes, workstations, and devices via the Trusted Path

All zones administered from the protected global zone to manage the Trusted Computing Base (TCB), known as the Trusted Path

Zones share an LDAP directory containing network-wide policy

Implementation - cont

IPsec is used for source IP authentication and data encryption

Loopback mounts and NFS mounts allow for file sharing

Zones with matching labels can share r/w access

Zone with lower-level label has r/w access, higher-label zone has r/o access

One-way guards for tamper-proof logging possible via named pipe loopback-mounted to higher-level zone

Mounts automatically labeled by kernel based on zone and host labels

Least privilege can be used to modify abilities of zones and processes in zones

User interface is CDE or Java DS

administrator. Figure 1–4 shows a typical multilevel Trusted Extensions session on a system that is configured to display labels. The labels and trusted stripe are indicated.

[FIGURE 1–4 Typical Solaris Trusted Extensions (CDE) Session; callouts: Trusted Path menu, Trusted symbol, Workspace label, Window label stripe, Front panel, Window icon label stripe, Trusted stripe]

Containers and Labels

Trusted Extensions uses containers for labeling. Containers are also called zones. The global zone is an administrative zone, so is not available to users. Non-global zones are called labeled zones. Labeled zones are used by users. The global zone shares some system files with users. When these files are visible in a labeled zone, the label of these files is ADMIN_LOW.

Network communication is restricted by label. By default, zones cannot communicate with each other because their labels are different. Therefore, one zone cannot write into another zone.

However, the administrator can configure specific zones to be able to read specific directories from other zones. The other zones could be on the same host, or the zones could be zones on remote systems. For example, a user’s home directory in a lower-level zone can be mounted by using the automount service. By convention, the pathname convention for such lower-level home mounts includes the zone name:

/zone/name-of-lower-level-zone/home/username

(From Solaris Trusted Extensions User’s Guide, Chapter 1, “Introduction to Solaris Trusted Extensions Software”, section “Trusted Extensions Provides Mandatory Access Control”, page 19)

Enabling Trusted Solaris Extensions

Built into Solaris 10 11/07 and beyond

Disabled by default in S10, enabled via one bit, then:

Sensitivity labels are automatically applied to all sources of data (networks, filesystems, windows) and consumers of data (users and processes)

Access to all data is restricted based on the relationship between the label of the data (object) and the consumer (subject)

Example - Secure Browsing Laptop

Install latest Solaris 10

Create a file system called “zone”

Enable TX via install DVD commands in

Solaris_10/ExtraValue/CoBundled/TrustedExtensions

or Solaris_11/ExtraValue/CoBundled/TrustedExtensions

In those dirs (read the instructions), either

Double-click the wizard.class file in the CDE File Manager

or open a terminal window and type:

# java wizard

Download http://www.opensolaris.org/os/community/laptop/downloads/inetmenu-1.9.pkg.gz and http://www.opensolaris.org/os/community/security/projects/tx/tx-laptop-install/inetmenu-tx.tar for ease of network re-configuration (i.e. laptop use)

Example - Configure Networking

Unconfigure your system's network identity

Remove any network interface configuration files, such as /etc/hostname.* and /etc/dhcp.*

Update your /etc/hosts and /etc/inet/ipnodes as follows:

127.0.0.1 localhost loghost
10.1.2.3 your-hostname

Create the /etc/nodename file:

# hostname >/etc/nodename

Add the following entry to the /etc/security/tsol/tnrhdb file:

10.1.2.3:cipso

Specify the virtual network interface (VNI) for your system by adding the following to /etc/hostname.vni0:

# echo `hostname` all-zones >>/etc/hostname.vni0

Add to LOCAL DEFINITIONS section of /etc/security/tsol/label_encodings:

Default Label View is Internal;

(Optional) If your system has NIS enabled, disable it by doing the following:

# cp /etc/nsswitch.files /etc/nsswitch.conf
# mv /var/yp /var/yp.save

Reboot the system

The system is now running the Solaris Trusted Extensions software


Example - Configure Trusted Extensions

1. Log in to Trusted Extensions CDE as superuser

2. Open a terminal window

3. Verify that the VNI interface is up and that the all-zones option is specified

# ifconfig -a

4. IP address for the vni0 interface should be the same as in the hosts and ipnodes files

vni0 interface should include the all-zones option

5. Start the Solaris Management Console via # smc &

6. From the Toolboxes menu, select the entry for your system that shows Scope=Files, Policy=TSOL

Click Open

7. Add yourself as a normal user

From the Navigation bar, select System Configuration, and then double-click the Users icon

The login window opens

Log in as root

Click User Accounts, and then select Add User With Wizard from the Action menu

Follow the instructions to add the user



Example - Configure Trusted Extensions (cont)

8. After your account is created, double-click your user icon to modify settings

Open the Trusted Extensions Attributes tab and modify these items:

Set the Clearance value to CONFIDENTIAL RESTRICTED

Set the Lock Account After Maximum Failed Logins value to No

Set the Idle Time value to Forever

Click OK

9. Edit the /etc/user_attr file to append the following to your user entry:

;roles=root

(temporary workaround until you have verified that your system is working correctly. At that time, you should configure root as a role)



Example - Configure Trusted Extensions (cont)

10. Create security templates for the public and internal zones

From the Navigation bar, select System Configuration, and then double-click the Computers and Networks icon

Click Security Templates, and then choose Add Template from the Action menu

Specify the template name as public

Set the default label to PUBLIC

Set the Domain of Interpretation value to 1

Click OK

Choose Add Template from the Action menu

Specify the template name as internal

Set the default label to CONFIDENTIAL : INTERNAL USER ONLY

Set the Domain of Interpretation value to 1

Click OK

11. Manually update the kernel cache with trusted networking parameter values

# tnctl -T /etc/security/tsol/tnrhtp

12. Exit the Solaris Management Console



Example - Configure Labeled Zones

1. Run the txzonemgr script and follow each of these steps (You must click OK each time to continue)

2. Create a new zone called public

Select Create A New Zone and click OK

Specify the zone name of public

Choose Select_Label and click OK

Choose PUBLIC

Choose Install to install the public zone

A window opens to show you the progress of the zone installation process

Choose Initialize to initialize the public zone

Choose Zone_Console to open the zone console window

Choose Boot to boot the zone

The public zone is rebooted automatically

The public zone will reboot again automatically



Example - Configure Labeled Zones (cont)

3. From the zone terminal console window, log in as superuser and run the following commands:

Run these commands on a Solaris 10 11/06 system:

# rm /etc/auto_home_public

# netservices limited

# svcadm disable auditd

# svcadm disable cde-login

# exit

Run these commands on a Solaris Express system:

# rm /etc/auto_home_public

# svcadm disable auditd

# svcadm disable cde-login

# exit


Example - Configure Labeled Zones (cont)

4. From txzonemgr, create the internal, needtoknow, and restricted zones

a. Choose Halt to halt the public zone

b. Choose Create_Snapshot to create a snapshot of the public zone

c. Choose Boot to boot the public zone

d. Choose Select Another Zone and click OK

e. Choose Create A New Zone and click OK

f. Name the new zone internal

g. Choose Select_Label and specify a value of CONFIDENTIAL : INTERNAL USE ONLY

h. Choose Clone and select zone/public@snapshot

i. Choose Zone_Console to open the zone console for the new zone

j. Choose Boot to boot the new zone

k. Repeat Steps d-j for the needtoknow and restricted zones, which use labels CONFIDENTIAL : NEED TO KNOW and CONFIDENTIAL : RESTRICTED, respectively

l. Choose Exit to exit the txzonemgr program

Example - Install and Use inetmenu

1. Caution - The inetmenu program might be replaced with another utility in the future

2. Become superuser

3. Change to the /opt/tx directory

4. Unzip and install the inetmenu software

# gunzip inetmenu-1.9.pkg.gz
# pkgadd -d inetmenu-1.9.pkg

5. Apply the Trusted Extensions modifications to inetmenu

# cd /; tar xvf /opt/tx/inetmenu-tx.tar

6. Run inetmenu

# inetmenu

7. Select the DHCP-NoNIS option

Now, your network should be up with PUBLIC as the default label. You can run the txnetmgr command to verify that it is all-zones.

Resources

http://www.opensolaris.org/os/community/security/projects/tx/TrustedExtensionsArch.pdf

http://docs.sun.com/app/docs/coll/175.12

http://opensolaris.org/os/community/security/projects/tx/tx-laptop-install/

JASS / SST

JASS Solaris Security Toolkit

Add-on security tool to harden Solaris

Can be automated

Free

Supported with support contract

Solaris >= 8, but probably works on < 8

The Solaris Security Toolkit 4.2 documentation is now available at:

http://docs.sun.com/app/docs/coll/sstoolkit4.2

You can also find extensive Sun BluePrints articles at:

http://www.sun.com/software/security/blueprints/index.html

JASS Details

Understands containers, LDOMs, system controllers, SMF, Secure by Default

Backs up every file before it modifies the file

Can automatically undo all changes

Can be run to determine the state of a system compared to a secured state

Can be run periodically to reset a system to a secured state

Been around for a while (i.e., tested and well used)

Use is integrated with some other Sun tools

JASS Installation

Get SUNWjass-4.2 (or current version)

pkgadd -d . SUNWjass

Tools now in /opt/SUNWjass

Lots of scripts, each to harden one aspect of the system

Put into use via “drivers”

Important safety tip - have a root connection to the system before running any driver

JASS Use

Look in /opt/SUNWjass/Drivers

Find a driver matching your desires

Change the driver to meet your requirements

Execute the driver via

# cd /opt/SUNWjass/bin/
# jass-execute <your>.driver

Can undo what was just done:

# jass-execute -u

Consider creating a .driver for each class of system, using jumpstart to create the systems, and using JASS to harden each class of systems

Overall Solaris 10 Security

Secure By Default

Shipped in S10 8/07

Default set of SMF services configure default hardened state, local-only operation (ssh only default enabled service)

netservices command to broadly change network services status

http://www.opensolaris.org/os/community/security/projects/sbd/

Securing an S10 System

Use knowledge from tutorial to secure a general purpose portable system

See the security Sun Blueprints: http://www.sun.com/blueprints

See especially the Solaris 10 Benchmark published by the Center for Internet Security: http://www.cisecurity.org/bench_solaris.html

From Glenn Brunette's blog: http://blogs.sun.com/gbrunett/category/Solaris+10+Security

See also Clingan’s approach at http://blogs.sun.com/jclingan/?entry=securing_my_x2100

Solaris Security Toolkit

Solaris Security Toolkit at http://www.sun.com/software/security/jass/

Tool that can automate system security changes

For Solaris 8, 9, 10

Supported if you have a Solaris support contract

Download the tool and a patch to update for latest Solaris 10

Security Settings - 1

Consider automating much of this with SST / JASS

Disable ssh - now no services

% pfexec svcadm disable ssh
% svcs ssh
STATE          STIME    FMRI
disabled       21:30:12 svc:/network/ssh:default

Enable ipfilter

Uncomment or add the network interfaces to /etc/ipf/pfil.ap

Install a firewall configuration (next slide) into /etc/ipf/ipf.conf

Enable firewalling et al

Security Settings - 2

#
# ipf.conf
#
# IP Filter rules to be loaded during startup
#
# See ipf(4) manpage for more information on
# IP Filter rules syntax.

pass out quick all keep state keep frags

# Drop all NETBIOS traffic but don't log it.
block in quick from any to any port = 137 #netbios-ns
block in quick from any to any port = 138 #netbios-dgm
block in quick from any to any port = 139 #netbios-ssn

# Allow incoming IKE/IPsec
pass in quick proto udp from any to any port = ike
pass in quick proto udp from any to any port = 4500
pass in proto esp from any to any

# Allow ping
# pass in quick proto icmp from any to any icmp-type echo

# Allow routing info
# pass in quick proto udp from any to port = route
# pass in quick proto icmp from any to any icmp-type 9 # routeradvert
# pass in quick proto igmp from any to any

# Block and log everything else that comes in
block in log all
block in from any to 255.255.255.255
block in from any to 127.0.0.1/32
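As an added example (not code from the deck or from IP Filter), here is a small Python evaluator that applies the two ordering rules stated on the /etc/ipf/ipf.conf slide, last matching rule wins and "quick" stops processing, to the ruleset above. The ruleset is copied from the slide; the packets, the 198.51.100.0/24 and 192.0.2.0/24 addresses, and the ike=500 name lookup are constructed; interfaces, TCP flags and state are not modelled, and the parser accepts only the "port = N" form used on this slide (the earlier slide's "port a >< b" range is rejected).

```python
"""Evaluate the deck's ipf.conf under IP Filter ordering: the last matching
rule decides unless a matching rule says 'quick', which stops processing.
Added example; only the rule syntax used on the slide is parsed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_NAMES = {"ike": 500}   # ipfilter resolves names via /etc/services; assumed here

DECK_RULESET = """\
pass out quick all keep state keep frags
# Drop all NETBIOS traffic but don't log it.
block in quick from any to any port = 137 #netbios-ns
block in quick from any to any port = 138 #netbios-dgm
block in quick from any to any port = 139 #netbios-ssn
# Allow incoming IKE/IPsec
pass in quick proto udp from any to any port = ike
pass in quick proto udp from any to any port = 4500
pass in proto esp from any to any
# Block and log everything else that comes in
block in log all
block in from any to 255.255.255.255
block in from any to 127.0.0.1/32
"""


@dataclass
class Rule:
    action: str                   # pass | block
    direction: str                # in | out
    text: str                     # rule as written, minus comment
    quick: bool = False
    proto: Optional[str] = None   # "udp", "tcp/udp", ...; None matches any
    src: str = "any"
    dst: str = "any"
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass
class Packet:
    direction: str
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


def parse_rule(line: str) -> Optional[Rule]:
    """Parse one ipf.conf line; 'on', 'log', flags and state are accepted but not modelled."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    t = line.split()
    rule, side, i = Rule(action=t[0], direction=t[1], text=line), None, 2
    while i < len(t):
        if t[i] == "quick":
            rule.quick = True
        elif t[i] in ("on", "proto", "from", "to"):
            i += 1                                 # each keyword takes one argument
            if t[i - 1] == "proto":
                rule.proto = t[i]
            elif t[i - 1] == "from":
                side, rule.src = "src", t[i]
            elif t[i - 1] == "to":
                side, rule.dst = "dst", t[i]
        elif t[i] == "port":                       # only 'port = N' is supported
            if t[i + 1] != "=":
                raise ValueError("unsupported port expression: " + line)
            port = PORT_NAMES.get(t[i + 2]) or int(t[i + 2])
            setattr(rule, "sport" if side == "src" else "dport", port)
            i += 2
        i += 1                                     # 'all', 'log', 'keep state', 'flags S'
    return rule


def load_rules(text: str) -> List[Rule]:
    return [r for r in map(parse_rule, text.splitlines()) if r]


def addr_match(spec: str, addr: str) -> bool:
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction == pkt.direction
            and (rule.proto is None or pkt.proto in rule.proto.split("/"))
            and addr_match(rule.src, pkt.src) and addr_match(rule.dst, pkt.dst)
            and rule.sport in (None, pkt.sport) and rule.dport in (None, pkt.dport))


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Return (action, deciding rule).  A packet matching no rule is passed,
    which is ipfilter's default and why rulesets end with a 'block in all'."""
    action, decider = "pass", "<no rule matched: ipfilter default>"
    for rule in rules:
        if matches(rule, pkt):
            action, decider = rule.action, rule.text
            if rule.quick:
                break
    return action, decider


if __name__ == "__main__":   # constructed inbound ESP packet, documentation addresses
    print(evaluate(load_rules(DECK_RULESET), Packet("in", "esp", "198.51.100.7", "192.0.2.10")))
```

Running it shows the one thing worth knowing about this particular file: under the last-match semantics the deck describes, the non-quick "pass in proto esp from any to any" is overridden by the later "block in log all", so an inbound ESP packet ends up blocked even though the comment says IPsec is allowed. Writing that rule with quick, or placing it after the block rules, makes the evaluator pass it, which is the check to run on any ruleset that mixes quick and non-quick pass rules.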

Security Settings - 3

Change the default crypt algorithm in /etc/security/policy.conf

% cat /etc/security/policy.conf
CRYPT_DEFAULT=md5

Enable core dump notifications and store them in a protected directory:

# coreadm
     global core file pattern: /var/core/core_%n_%f_%u_%g_%t_%p
     global core file content: default
       init core file pattern: core
       init core file content: default
            global core dumps: enabled
       per-process core dumps: disabled
      global setid core dumps: enabled
 per-process setid core dumps: disabled
     global core dump logging: enabled

Security Settings - 4

Set the following parameters, create log files, disable login on serial ports

# grep "noexec_user_stack" /etc/system
set noexec_user_stack = 1
set noexec_user_stack_log = 1

# grep nfs_portmon /etc/system
set nfssrv:nfs_portmon = 1

# grep TCP_STRONG_ISS= /etc/default/inetinit
TCP_STRONG_ISS=2

# ls -l /var/adm/loginlog
-rw------- 1 root sys 0 Sep 3 21:16 /var/adm/loginlog
# ls -l /var/adm/debug
-rw------- 1 root sys 0 Sep 3 21:16 /var/adm/debug

# pmadm -d -p zsmon -s ttya
# pmadm -d -p zsmon -s ttyb
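To verify these settings across many hosts rather than eyeballing grep output, here is an added example (not from the deck) in Python that parses the three files the last two slides inspect and reports deviations from the recommended values. The sample file contents are constructed to show a partly hardened host; CRYPT_DEFAULT=__unix__ is the traditional-crypt value Solaris ships with, and the set of acceptable algorithm identifiers (md5, 1, 2a, 5, 6) is an assumption about which crypt modules are available on the release in use. On a real system the file contents would be read from disk instead of the embedded strings.

```python
"""Check the kernel, TCP and crypt settings recommended on the Security
Settings slides.  Added example; sample file contents are constructed."""
from typing import Dict, List, Tuple

# (file, key, recommended value) as shown on the slides
EXPECTED: List[Tuple[str, str, str]] = [
    ("/etc/system", "noexec_user_stack", "1"),
    ("/etc/system", "noexec_user_stack_log", "1"),
    ("/etc/system", "nfssrv:nfs_portmon", "1"),
    ("/etc/default/inetinit", "TCP_STRONG_ISS", "2"),
]

# crypt.conf identifiers accepted as "md5 or stronger" (assumed set);
# '__unix__' is the traditional DES-based crypt that Solaris defaults to.
STRONG_CRYPT = {"md5", "1", "2a", "5", "6"}

# Constructed sample of a partly hardened host.
SAMPLE_FILES: Dict[str, str] = {
    "/etc/system": """\
* /etc/system: constructed sample, '*' starts a comment
set noexec_user_stack = 1
set noexec_user_stack_log = 0
set nfssrv:nfs_portmon = 1
""",
    "/etc/default/inetinit": """\
# TCP_STRONG_ISS=2 is the hardened setting; this host still has 1
TCP_STRONG_ISS=1
""",
    "/etc/security/policy.conf": """\
CRYPT_DEFAULT=__unix__
CRYPT_ALGORITHMS_ALLOW=1,2a,md5
""",
}


def parse_etc_system(text: str) -> Dict[str, str]:
    """'set [module:]name = value' lines; a later duplicate overrides an
    earlier one, matching the order in which the kernel applies them."""
    values: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("*", 1)[0].strip()
        if line.startswith("set "):
            name, _, value = line[4:].partition("=")
            values[name.strip()] = value.strip()
    return values


def parse_keyvalue(text: str) -> Dict[str, str]:
    """KEY=VALUE files such as /etc/default/inetinit and policy.conf."""
    values: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, _, value = line.partition("=")
            values[key.strip()] = value.strip()
    return values


def audit(files: Dict[str, str]) -> List[str]:
    """Return one finding per missing or wrong setting; empty means compliant."""
    parsed = {
        "/etc/system": parse_etc_system(files.get("/etc/system", "")),
        "/etc/default/inetinit": parse_keyvalue(files.get("/etc/default/inetinit", "")),
        "/etc/security/policy.conf": parse_keyvalue(files.get("/etc/security/policy.conf", "")),
    }
    findings: List[str] = []
    for path, key, expected in EXPECTED:
        actual = parsed[path].get(key)
        if actual is None:
            findings.append(f"{path}: {key} not set (want {expected})")
        elif actual != expected:
            findings.append(f"{path}: {key} = {actual} (want {expected})")
    # An absent CRYPT_DEFAULT means the shipped default, __unix__.
    crypt = parsed["/etc/security/policy.conf"].get("CRYPT_DEFAULT", "__unix__")
    if crypt not in STRONG_CRYPT:
        findings.append(f"/etc/security/policy.conf: CRYPT_DEFAULT = {crypt} (want md5 or stronger)")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_FILES) or ["all recommended settings present"]:
        print(finding)
```

The checker treats a missing key as a finding rather than silently passing, because each of these files falls back to a weaker built-in default when the line is absent; that is the case the grep-based check on the slide does not distinguish from a typo in the key name.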

Security Settings - 5

Change system banners to warn away unauthorized users

Change root's home directory, convert root to be a Solaris role, and assign the right to assume root to only my local account:

$ getent passwd root
root:x:0:0:Super-User:/root:/sbin/sh

$ grep "^root:" /etc/user_attr
root::::type=role;[...]

$ roles
root

(Have a look in /etc/user_attr to determine if other users have privileges / roles that they shouldn’t.)

Enable and configure Solaris auditing and BART for activity monitoring

Also secure BIOS and GRUB

Security Settings - Audit

Check /etc/user_attr et al for security holes

Does the system have zones / containers? Audit each of those

Does the system have LDOMs? Audit each of those

Does the system have a service processor, ILOM, ALOM? Audit each of those

Solaris Security Benchmark

Solaris Security Benchmark

Published by Center for Internet Security (CIS)

Document describing recommended security steps

Appendix describing more advanced security steps

Tool to test Solaris system and give it a security score (i.e. the “benchmark”)

Note other benchmarks for other OSes

http://www.cisecurity.org/bench_solaris.html

Yet Another Security Tool

Checklist #2 - Use before trying a new tool

Do I already have a better tool?

Is it multi-platform or one-off?

Does it work, or just cause more work?

Is it kept up-to-date?

Does it change too often (causing more work)?

How much does it cost?

Do I already know it, or is it at least easy to learn?

Is it likely to break or break something? (Go back to checklist #1.)

First Steps

For Solaris 10 11/06 and 8/07, the best starting place is CIS_Solaris_Benchmark_v4.0

Benchmark document containing recommendations

Appendix with an overview of Solaris 10 security controls

Input from many security experts

For each recommendation:

  information about what hardware platforms it pertains to

  if it is the OS default

  if the change applies to zones or just the global zone

  if the Solaris Security Toolkit can be used to make the change


Odds and Ends

ZFS “dataset” is hidden from the global zone - be sure to check each zone for data

New install cluster - reduced networking software group - SUNWCrnet

  Takes ~160MB

  Provides good core for minimal networked Solaris

Use pkgrm to remove packages to avoid them being patched (sendmail et al)

More details at http://www.securitydocs.com/pdf/2644.PDF

Lab

Try these changes in your container

What else should be done to secure a system?

Conclusions

Conclusions

Lots of new security features in Solaris 10

Zones possibly most powerful for admins

Privileges most powerful for system software

Moves to become more industry-compatible

  ipfilter

  Kerberos

  NIS to LDAP

Powerful new APIs

  Solaris Crypto Framework

Conclusions - 2

SMF allows fine-grained service control and debugging

Still use security best practices (host lockdown, good passwords, etc.)

Not new, but be sure sendmail is preventing relaying

http://www.sun.com/bigadmin/features/articles/config_sendmail.html

Trusted Extensions complex, powerful, evolving

Secure by default mode makes our lives easier

Other interesting features not covered here

  Smart Card API

  SASL

References

Sun Security Home Page
http://www.sun.com/security

Solaris Patches & Finger Print Database
http://sunsolve.sun.com/

Sun Security Coordination Team
http://sunsolve.sun.com/security

Sun BluePrints for Security
http://www.sun.com/blueprints

  Developing a Security Policy

  Trust Modelling for Security Arch. Development

  Building Secure n-Tier Environments

  How Hackers Do It: Tricks, Tips and Techniques

Solaris OE Security
http://www.sun.com/solaris
http://www.sun.com/security/jass

References

Trusted Solaris OE
http://www.sun.com/solaris/trustedsolaris

Java Security
http://java.sun.com/security

Network and Security Products
http://www.sun.com/servers/entry/checkpoint
http://www.sun.com/networking

http://docs.sun.com Solaris 10 collection

Sun security blogs portal: http://blogs.sun.com/security/category/general

Privilege Bracketing in Solaris 10
http://www.sun.com/blueprints/0406/819-6320.pdf

Some slides copyright Sun Microsystems, all rights reserved