Solaris 10 Administration Topics Workshop 4- Security


Solaris 10 Administration Topics Workshop 4 - Security
By Peter Baer Galvin
For Usenix
Last Revision Apr 2009
Copyright 2009 Peter Baer Galvin - All Rights Reserved

Saturday, May 2, 2009

About the Speaker
Peter Baer Galvin - 781 273 4100
[email protected]
www.cptech.com
[email protected]
Blog: www.galvin.info

Bio
Peter Baer Galvin is the Chief Technologist for Corporate Technologies, Inc., a leading systems integrator and VAR, and was the Systems Manager for Brown University's Computer Science Department. He has written articles for Byte and other magazines. He was contributing editor of the Solaris Corner for SysAdmin Magazine, wrote Pete's Wicked World, the security column for SunWorld magazine, and Pete's Super Systems, the systems administration column there. He is now Sun columnist for the Usenix ;login: magazine. Peter is co-author of the Operating Systems Concepts and Applied Operating Systems Concepts textbooks. As a consultant and trainer, Mr. Galvin has taught tutorials in security and system administration and given talks at many conferences and institutions.


Objectives
* Explore the new Solaris 10 security features, from an admin point of view
* Some app/dev points made to guide developers
* Convey their current status, usability, and future functionality
* Help prepare for Solaris 10 deployment
* Some pre-Solaris 10 coverage when needed


Prerequisites
* Recommend at least a couple of years of Solaris experience
* Or at least a few years of other Unix experience
* Best is a few years of admin experience, mostly on Solaris


About the Tutorial
* Every SysAdmin has a different knowledge set
* A lot to cover, but notes should make a good reference
* So some covered quickly, some in detail
* Setting a base of knowledge
* Please ask questions
* But let's take off-topic off-line


Fair Warning
* Sites vary
* Circumstances vary
* Admin knowledge varies
* My goals
  * Provide information useful for each of you at your sites
  * Provide opportunity for you to learn from each other


Why Listen to Me?
* 20 Years of Sun experience
* Seen much as a consultant
* Hopefully, you've used:
  * My Usenix ;login: column
  * The Solaris Corner @ www.samag.com
  * The Solaris Security FAQ
  * SunWorld Pete's Wicked World
  * SunWorld Pete's Super Systems
  * Unix Secure Programming FAQ (out of date)
  * Operating System Concepts (The Dino Book), now 8th ed
  * Applied Operating System Concepts


Slide Ownership
* As indicated per slide, some slides copyright Sun Microsystems
* Feel free to share all the slides - as long as you don't charge for them or teach from them for a fee


Overview
Lay of the Land


Schedule


Coverage
* Solaris 10 is a moving target
* This tutorial based on FCS (Jan / Mar 05) plus Nevada build 53
* How to get Solaris 10
  * Download from Sun
  * Media Kits now shipping
* How to get Solaris 10+
  * Join Solaris Express for monthly releases
  * Opensolaris.org for untested releases


Outline
* Overview
* Sun Overview
* DTrace (lab?)
* RBAC (lab)
* Privileges
* NFS V4
* Flash archives and live upgrade
* Moving from NIS to LDAP
* FTP client and server enhancements


Outline
* PAM enhancements
* Auditing enhancements
* BSM
* Solaris Cryptographic Framework
* Smartcard interfaces and APIs
* Kerberos enhancements
* Packet filtering
* BART
* Trusted Extensions
* Overall Solaris 10 Security
* Conclusions
* References


Your Objectives?


Lab Preparation
* Have device capable of telnet on USENIX network
* Or have a buddy
* Learn your magic number
* Telnet to 131.106.62.100+magic number
* User root, password lisa
* It's all very secure


Lab Preparation
* Or... Use virtualbox
* Use your own system
* Use a remote machine you have legit access to


Introduction


Overview
* Solaris 10 includes lots of new security features
* Security is important to administrators
* It usually annoys users
* We'll look at each new feature, how useful, powerful and annoying it is
* Should provide a good roadmap for what to use, when
* How can they be used to solve the following problems


Sun Overview

Quick high-level overview of Sun's view of Solaris security


(From the Solaris 10 Sun Net Talk about Solaris 10 Security)


S10 Security Status
According to Sun:

Solaris 10 11/06 is currently in evaluation at EAL4+, one of the highest levels of Common Criteria Certification, with three Protection Profiles: Labeled Security Protection Profile (LSPP), Controlled Access Protection Profile (CAPP) and Role-Based Access Control Protection Profile (RBACPP). In addition, Solaris 10 3/05 has completed evaluation at EAL4+ with CAPP and RBACPP.


Good Security Hygiene
Checklist #1 - Use before making a change
* Is the syntax of the command correct?
* Is the command the right one to make the change?
* Is there a better way to make the change?
* Are the right options entered / selected?
* Is today Friday?
* Is today some other day on which it would be exceptionally bad to break something (such as the day before leaving for a vacation or conference)?
* What are the chances that executing this will break something?
* If this change would break something, can I undo the action?
* Is this a documented way to accomplish the task?
* If this is a new way to make a change, should I document it?
* And finally, what effect might this action have on security?


Virtualization and Security


Virtualization Options
* Containers / Zones (more below)
* Xen (xVM server) - bare metal hypervisor + guests
  * Run other OSes (linux, win) with S10+ as the host
  * Industry semi-standard
  * Para-virtualization, x86 only
* LDOMs - hard partitions, shipped in May 2007
  * Run multiple copies of Solaris on the same coolthreads chip (Niagara, Rock in the future)
  * Some resource management - move CPUs and mem
* VMWare - solaris as a guest, not a host so far, x86 only
* Traditional Sun Domains - SPARC only, Enterprise servers only


Security Impact
* Lots of security issues around virtualization
* How many systems are in a given environment?
  * Hidden / unknown systems
  * System audit could involve dozens of OSes!
* Separately secure
  * HW - servers, storage, devices, etc
  * OS - per-os security regardless of HW
  * Apps
  * Virtualization infrastructure (ESX management, Solaris server, Hypervisor management, and on and on)


Zones Overview
* Think of them as chroot on steroids
* Virtualized operating system services
* Isolated and secure environment for running apps
* Apps and users (and superusers) in a zone cannot see / affect other zones
* Delegated admin control
* Virtualized device paths, network interfaces, network ports, process space, resource use (via resource manager)
* Application fault isolation
* Detach and attach containers between systems
* Cloning of a zone to create identical new zone


Zones Overview - 2
* Low physical resource use
  * Up to 8192 zones per system!
* Differentiated file system
  * Multiple versions of an app installed and running on a given system
* Inter-zone communication is only via network (but short-pathed through the kernel)
* No application changes needed - no API or ABI changes
* Can restrict disk use of a zone via the loopback file driver (lofi), using a file as a file system
* Can dedicate an Ethernet port to a zone
  * Allowing snooping, firewalling, managing that port by the zone


(From System Administration Guide: N1 Grid Containers, Resource Management, and Solaris Zones)


LDOMs
* Logical domains
* Released April 07
* Only on Niagara and future CMT chips (Niagara II, Rock)
* Like enterprise-system domains but within one chip
* Slice the chip into multiple LDOMs, each with its own OS root, boot independently, etc
* Now can run multiple OSes on 1 SPARC chip


LDOMs - Details
* Can create up to 1 LDOM per thread(!)
* Best practice seems to be max one LDOM per core, i.e. 8 LDOMs on Niagara I and II
* Nice intro blog: http://blogs.sun.com/ash/entry/ultrasparc_t2_launched_today
* And nice flash demo: http://www.sun.com/servers/coolthreads/ldoms/


DTrace


DTrace and Security
* New tool has security implications
* DTrace is so cool we need to take a quick look


DTrace Overview
* Best tool ever for understanding system behavior
* Uses language D, based on C
* Fully dynamic, full probing of kernel and user apps
* Fully scalable
* Enabled in Solaris 10 - no custom kernel or configuration changes needed
* Use DTrace today to solve non-S10 problems
  * Move the problem to a test / dev S10 machine, debug, and then back port the solution to the original machine
* Way too much to cover here
  * So I'll whet your appetite
* Got example code available at http://users.tpg.com.au/adsln4yb/dtrace.html
* All DTrace resources at http://www.sun.com/bigadmin/content/dtrace/


DTrace and Security
* DTrace doesn't weaken the security model
  * Root with or without DTrace is God
  * But with DTrace easier to be a bad God
    * Watch ssh typing
    * Watch shell I/O
* DTrace disabled in zones by default
* As of Nevada build 37 (and probably S10 U2), can give DTrace user and process privileges to a zone
  * Zone can't get DTrace kernel priv
  * Can't see outside of the zone

# zonecfg -z myzone
zonecfg:myzone> set limitpriv=default,dtrace_proc,dtrace_user
zonecfg:myzone> ^D


DTrace Example - 1
connections.d - snoop inbound TCP connections as they are established, displaying the server process that accepted the connection

# ./connections.d
UID   PID   IP_SOURCE        PORT  CMD
0     254   192.168.001.001  23    /usr/sbin/inetd -s
0     254   192.168.001.001  23    /usr/sbin/inetd -s
0     254   192.168.001.001  79    /usr/sbin/inetd -s
0     254   192.168.001.001  21    /usr/sbin/inetd -s
0     254   192.168.001.001  79    /usr/sbin/inetd -s
100   2319  192.168.001.001  6000  /usr/openwin/bin/Xsun :0 nobanner
0     254   192.168.001.001  79    /usr/sbin/inetd -s
[...]


DTrace Example - 2
The following script counts the number of write(2) calls by application:

syscall::write:entry
{
        @counts[execname] = count();
}


DTrace Example - 4
# dtrace -s write-calls-by-app.d
dtrace: script 'write-calls-by-app.d' matched 1 probe
^C

  dtrace                1
  login                 1
  sshd                  2
  sh                    6
  telnet                6
  w                     7
  df                   12
  in.telnetd           25
  mixer_applet2        61
  gnome-panel         108
  metacity            125
  gnome-terminal      197
#


DTrace Example - 5
Let's have a look at the size of the writes to file descriptor 5, per section of user code (!)

syscall::write:entry
/execname == "sshd" && arg0 == 5/
{
        @[ustack()] = quantize(arg2);
}


DTrace Example - 6
bash-2.05b# dtrace -s write-sshd-fd-5.d
dtrace: script 'write-sshd-fd-5.d' matched 1 probe
^C

              libc.so.1`_write+0xc
              sshd`atomicio+0x2d
              805b59c
              sshd`main+0xd59
              805b1fa

           value  ------------- Distribution ------------- count
               8 |                                         0
              16 |@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ 1
              32 |                                         0

              libc.so.1`_write+0xc
              sshd`packet_write_poll+0x2e
              sshd`packet_write_wait+0x23
              sshd`userauth_finish+0x19f
              805f42e
              sshd`dispatch_run+0x49
              sshd`do_authentication2+0x7c
              sshd`main+0xdc7
              805b1fa

           value  ------------- Distribution ------------- count


DTrace Example - 7
#!/usr/sbin/dtrace -s

#pragma D option flowindent

pid$1::$2:entry
{
        self->trace = 1;
}

pid$1:::entry,
pid$1:::return,
fbt:::
/self->trace/
{
        printf("%s", curlwpsinfo->pr_syscall ? "K" : "U");
}

pid$1::$2:return
/self->trace/
{
        self->trace = 0;
}


DTrace Toolkit
* DTrace Toolkit with lots (> 90) of great scripts
* Includes scripts for Python, Perl, Java, PHP, Ruby, Tcl, Javascript
* Best starting point for learning DTrace
* Means you don't have to be a DTrace expert to use DTrace (for good or evil)
* http://www.opensolaris.org/os/community/dtrace/dtracetoolkit/


DTrace Toolkit Hits
* dexplorer - run a lot of tools for a few seconds and log output to a file
* Other key scripts include dtruss, dvmstat, execsnoop, hotkernel, hotuser, errinfo, iopattern, iosnoop, iotop, opensnoop, procsystime, rwsnoop, rwtop, statsnoop


DTrace One-Liners
Snarfed from http://www.solarisinternals.com/wiki/index.php/DTrace_Topics_One_Liners

Processes
* New processes with arguments,
  dtrace -n 'proc:::exec-success { trace(curpsinfo->pr_psargs); }'

Files
* Files opened by process name,
  dtrace -n 'syscall::open*:entry { printf("%s %s",execname,copyinstr(arg0)); }'
* Files created using creat() by process name,
  dtrace -n 'syscall::creat*:entry { printf("%s %s",execname,copyinstr(arg0)); }'

Syscalls
* Syscall count by process name,
  dtrace -n 'syscall:::entry { @num[execname] = count(); }'
* Syscall count by syscall,
  dtrace -n 'syscall:::entry { @num[probefunc] = count(); }'
* Syscall count by process ID,
  dtrace -n 'syscall:::entry { @num[pid,execname] = count(); }'

I/O
* Read bytes by process name,
  dtrace -n 'sysinfo:::readch { @bytes[execname] = sum(arg0); }'
* Write bytes by process name,
  dtrace -n 'sysinfo:::writech { @bytes[execname] = sum(arg0); }'
* Read size distribution by process name,
  dtrace -n 'sysinfo:::readch { @dist[execname] = quantize(arg0); }'
* Write size distribution by process name,
  dtrace -n 'sysinfo:::writech { @dist[execname] = quantize(arg0); }'

Physical I/O
* Disk size by process ID,
  dtrace -n 'io:::start { printf("%d %s %d",pid,execname,args[0]->b_bcount); }'
* Disk size aggregation,
  dtrace -n 'io:::start { @size[execname] = quantize(args[0]->b_bcount); }'
* Pages paged in by process name,
  dtrace -n 'vminfo:::pgpgin { @pg[execname] = sum(arg0); }'


More DTrace One-liners
Memory
* Minor faults by process name,
  dtrace -n 'vminfo:::as_fault { @mem[execname] = sum(arg0); }'

User-land
* Sample user stack trace of specified process ID at 1001 Hertz,
  dtrace -n 'profile-1001 /pid == $target/ { @num[ustack()] = count(); }' -p PID
* Trace why threads are context switching off the CPU, from the user-land perspective,
  dtrace -n 'sched:::off-cpu { @[execname, ustack()] = count(); }'
* User stack size for processes,
  dtrace -n 'sched:::on-cpu { @[execname] = max(curthread->t_procp->p_stksize);}'

Kernel
* Sample kernel stack trace at 1001 Hertz,
  dtrace -n 'profile-1001 /!pid/ { @num[stack()] = count(); }'
* Interrupts by CPU,
  dtrace -n 'sdt:::interrupt-start { @num[cpu] = count(); }'
* CPU cross calls by process name,
  dtrace -n 'sysinfo:::xcalls { @num[execname] = count(); }'
* Trace why threads are context switching off the CPU, from the kernel perspective,
  dtrace -n 'sched:::off-cpu { @[execname, stack()] = count(); }'
* Kernel function calls by module,
  dtrace -n 'fbt:::entry { @calls[probemod] = count(); }'


DTrace Lab (!)
* Try some one-liners
* Which work in a non-global zone?
* Try some of the scripts in /usr/demo/dtrace
* How useful is non-global zone DTrace?


RBAC


RBAC
* Been in Solaris since release 8
* Basis for access control on Solaris
* A bit, um, complicated
* Quick review here
* How many of you are using RBAC?
* Let's take the nickel tour to get up to speed: http://mediacast.sun.com/share/bartbl/blog-5cent-rbac-tour.mov


RBAC Terminology
* Administrative Roles (or just roles) - for grouping authorizations, profiles and commands together as a common set of functions. Think of these as special user accounts to which profiles are assigned.
* Profiles - (also known as "execution profiles" or "rights profiles") a collection of authorizations, commands, and/or other profiles that together provide for performing a set of administrative tasks.


RBAC Terminology - 2
* Authorizations - permissions that grant access to restricted actions that are otherwise prohibited by the security policy. These are typically assigned in a profile, but can also be assigned to a user or a role. Think of these as tokens that can be checked by RBAC-aware programs. Rather than checking if UID=0 to allow an action, such programs can check if, for example, the user has the authorization token solaris.admin.diskmgr.read.
* Privileged program - a program with security attributes that enables special functions depending on a check of user-id, group-id, privileges, or authorizations. These are setuid or setgid programs, or programs with assigned privileges.


RBAC Use
* User assumes a role - placed in a special profile-understanding shell: pfcsh, pfksh, and pfsh
* Shells know how to read through the various config files in /etc/security (and /etc/user_attr)
  * Determines the rights profiles of the role and the components of those profiles, enforces them
  * I.e., if a role had the Name Service Security rights profile, then the user would be allowed to run /usr/bin/nischown with the effective user-id of 0 (from /etc/security/exec_attr)
* The administrator creates a profile of authorizations and privileged commands for a task or tasks
  * Can be assigned directly to a user or to (better) a role
* Without authorizations, a user is prevented from executing a privileged application, or prevented from performing operations within a privileged application


RBAC Use - 2
* Easiest RBAC admin is to use the Solaris Management Console (smc)
* User is allowed to assume zero or more roles by knowing the password of the roles
  * Similar to using the su command
* When the user assumes a role, the capabilities of the role are available
* List of roles available to that user is displayed by the roles command
* User su's to an available role to accomplish privileged tasks
* No default roles


/etc/security/exec_attr
# head exec_attr
Application Server Management:suser:cmd:::/usr/appserver/bin/asadmin:
Software Installation:suser:cmd:::/usr/bin/pkgparam:uid=0
Network Management:suser:cmd:::/usr/sbin/in.named:uid=0
File System Management:suser:cmd:::/usr/sbin/mount:uid=0
Software Installation:suser:cmd:::/usr/bin/pkgtrans:uid=0
Name Service Security:suser:cmd:::/usr/bin/nisaddcred:euid=0
Mail Management:suser:cmd:::/usr/sbin/makemap:euid=0
FTP Management:suser:cmd:::/usr/sbin/ftprestart:euid=0
File System Management:solaris:cmd:::/sbin/mount:privs=sys_mount
Software Installation:suser:cmd:::/usr/sbin/install:euid=0


Roles
Typical types of roles:
* primary administrator - the traditional superuser, with all privileges
* system administrator - an administrator without security-modification privileges
* operator - an administrator with a limited, specific set of privileges
* advanced user - a user with privileges to debug and fix her own system or programs


Solaris Privileges


Privileges
* Really known as least privilege
  * Only the minimum privileges to get a job done should be available
* Alternative to being root or no one
* Done at the API level
  * SetUID programs can dictate fine-grain access to kernel features
  * Can limit what privs children have
  * Should further help contain buffer overflows and other privilege escalation methods
* Done at the user or role level
  * Allow specific users to perform specific operations regardless of the programs being run


Privileges - 2
* New level of management of rights within a Solaris 10 system
* Fine-grained privileges that can be assigned to entities
* The kernel enforces the new requirement that, to perform a special function, the entity must have the privilege to do so.
* Can work in parallel with traditional superuser functionality for backward compatibility.


Privilege Sets
* E - Effective privilege set - the current set of privileges that are in effect
* I - Inheritable privilege set - the set of privileges that a process can inherit across an exec()
* P - Permitted privilege set - the set of privileges that are available for use
* L - Limit privilege set - the outside limit of what privileges are available to a process and its children
  * Used to shrink the I set when a child is created, for example


Privileges Example
traceroute is now privilege enabled

$ ls -l /usr/sbin/traceroute
-r-sr-xr-x   1 root     bin        35392 Jul  3 14:42 /usr/sbin/traceroute

$ /usr/sbin/traceroute 1.2.3.4 &
[2] 7841
# pcred 7841
7841:   e/r/suid=101  e/r/sgid=14


Privileges Example - 2
# ppriv -v 7841
7841:   /usr/sbin/traceroute 1.2.3.4
flags = PRIV_AWARE
        E: file_link_any,proc_exec,proc_fork,proc_info,proc_session
        I: file_link_any,proc_exec,proc_fork,proc_info,proc_session
        P: file_link_any,net_icmpaccess,net_rawaccess,proc_exec,proc_fork,proc_info,proc_session
        L: none

Note: an exploit needs to execute fully in the context of traceroute to make use of its privileges, because the Limit set is empty


Privileged Daemon Example
# ppriv `pgrep rpcbind`
153:    /usr/sbin/rpcbind
flags = PRIV_AWARE
        E: basic,!file_link_any,net_privaddr,!proc_exec,!proc_info,!proc_session,sys_nfs
        I: basic,!file_link_any,!proc_exec,!proc_fork,!proc_info,!proc_session
        P: basic,!file_link_any,net_privaddr,!proc_exec,!proc_info,!proc_session,sys_nfs
        L: basic,!file_link_any,!proc_exec,!proc_fork,!proc_info,!proc_session
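As an added example (not from the slides), the following Python models the E/I/P/L sets and the exec() rule from privileges(5), parsing the ppriv notation used above (including rpcbind's "basic,!priv" form) to show why traceroute's empty Limit set confines anything that gets control of it, while the test role's L: all does not. The privilege-name universe and the three ppriv transcripts are constructed after the slides, not captured output.

```python
"""Solaris 10 privilege sets (E, I, P, L) as ppriv prints them, and what
survives an exec().  Added example, not from the slides: the privilege
universe below is a constructed subset of privileges(5) and the three
ppriv transcripts are constructed after the slides, not captured."""

# Constructed subset of the real privilege names (see privileges(5)).
ALL_PRIVS = frozenset({
    "file_link_any", "file_dac_read", "proc_exec", "proc_fork", "proc_info",
    "proc_session", "net_icmpaccess", "net_rawaccess", "net_privaddr",
    "sys_nfs", "sys_mount", "dtrace_proc", "dtrace_user", "dtrace_kernel",
})

# The "basic" set: what every unprivileged process has by default.
BASIC = frozenset({"file_link_any", "proc_exec", "proc_fork",
                   "proc_info", "proc_session"})


def parse_set(text):
    """Parse ppriv notation: 'none', 'all', 'basic', plain names and
    '!name' removals, applied left to right ('basic,!proc_exec')."""
    privs = set()
    for tok in text.replace(" ", "").split(","):
        if not tok or tok == "none":
            continue
        if tok == "all":
            privs |= ALL_PRIVS
        elif tok == "basic":
            privs |= BASIC
        elif tok.startswith("!"):
            privs.discard(tok[1:])
        else:
            privs.add(tok)
    return frozenset(privs)


def parse_ppriv(output):
    """Pull the E/I/P/L lines out of a ppriv transcript into a dict."""
    sets = {}
    for line in output.splitlines():
        line = line.strip()
        if len(line) > 2 and line[0] in "EIPL" and line[1] == ":":
            sets[line[0]] = parse_set(line[2:])
    missing = {"E", "I", "P", "L"} - set(sets)
    if missing:
        raise ValueError("ppriv output lacks sets: %s" % sorted(missing))
    return sets


def after_exec(sets):
    """Sets of a program exec'd by this process, per privileges(5):
    E' = P' = I' = I & L and L' = L.  Without proc_exec in E the exec()
    itself is refused, reported here as None."""
    if "proc_exec" not in sets["E"]:
        return None
    inherited = sets["I"] & sets["L"]
    return {"E": inherited, "I": inherited, "P": inherited, "L": sets["L"]}


def escaping_privs(sets):
    """Non-basic privileges a child of this process could still use: the
    auditor's question when reading a setuid tool's or daemon's ppriv."""
    child = after_exec(sets)
    return frozenset() if child is None else child["P"] - BASIC


# Constructed transcript modelled on the traceroute slide (L: none).
TRACEROUTE = """\
7841:   /usr/sbin/traceroute 1.2.3.4
flags = PRIV_AWARE
        E: file_link_any,proc_exec,proc_fork,proc_info,proc_session
        I: file_link_any,proc_exec,proc_fork,proc_info,proc_session
        P: file_link_any,net_icmpaccess,net_rawaccess,proc_exec,proc_fork,proc_info,proc_session
        L: none
"""

# Constructed transcript modelled on the rpcbind slide (basic,!priv form).
RPCBIND = """\
153:    /usr/sbin/rpcbind
flags = PRIV_AWARE
        E: basic,!file_link_any,net_privaddr,!proc_exec,!proc_info,!proc_session,sys_nfs
        I: basic,!file_link_any,!proc_exec,!proc_fork,!proc_info,!proc_session
        P: basic,!file_link_any,net_privaddr,!proc_exec,!proc_info,!proc_session,sys_nfs
        L: basic,!file_link_any,!proc_exec,!proc_fork,!proc_info,!proc_session
"""

# Constructed transcript modelled on the "test" role's pfsh (L: all).
ROLE_SHELL = """\
11022:  pfsh
flags =
        E: basic,dtrace_kernel,dtrace_proc,dtrace_user
        I: basic,dtrace_kernel,dtrace_proc,dtrace_user
        P: basic,dtrace_kernel,dtrace_proc,dtrace_user
        L: all
"""
```

Feeding a real `ppriv -v <pid>` transcript to `escaping_privs(parse_ppriv(text))` answers the question the traceroute slide raises: rpcbind cannot exec at all (no proc_exec in E), traceroute's child would get nothing (I & L is empty), and the role shell hands all three dtrace privileges on.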


RBAC and Privileges
* Use RBAC to assign specific privs to roles or users
* By default, all non-setuid processes have the basic set of privileges assigned
* Create a role with that privilege and then allow the user to assume that role
* The list of available privileges is available in privileges(5), and via the all-important ppriv command (the -lv options)
  * Divided into categories, including file, ipc, net, proc, and sys privileges
* For example, enable users in role test to do process management and use DTrace features
  * Create test role in /etc/user_attr


RBAC and Privileges - 2
# roleadd -u 201 -d /export/home/test -P "Process Management" test
# rolemod -K defaultpriv=basic,dtrace_proc,dtrace_user,dtrace_kernel test
# grep test /etc/user_attr
test::::type=role;defaultpriv=basic,dtrace_proc,dtrace_user,dtrace_kernel;profiles=Process Management
# passwd test
New password:
Re-enter new password:
# mkdir -p /export/home/test

The user would need to switch to the role test to use


RBAC and Privileges - 3
$ ppriv $$
10897:  -bash
flags =
        E: basic
        I: basic
        P: basic
        L: all
$ dtrace -s bitesize.d
dtrace: failed to initialize dtrace: DTrace requires additional privileges
$ su - test
password:
Roles can only be assumed by authorized users
su: Sorry
# usermod -R test pbg
(then login as pbg)


RBAC and Privileges - 4
$ roles
test
$ su test
password:
$ ppriv $$
11022:  pfsh
flags =
        E: basic,dtrace_kernel,dtrace_proc,dtrace_user
        I: basic,dtrace_kernel,dtrace_proc,dtrace_user
        P: basic,dtrace_kernel,dtrace_proc,dtrace_user
        L: all
$ dtrace -s bitesize.d
. . .

Alternately, privileges can be directly assigned to users, as in:
pbg::::type=normal;roles=primary_administrator,test;defaultpriv=basic,dtrace_proc,dtrace_user,dtrace_kernel


Privilege Assignment
* To add a privilege to a specific user, use the usermod command to add the privilege to the user's default privileges, as in
  # usermod -K defaultpriv=basic,proc_clock_high_res jdoe
* Unfortunately, to be able to assign a specific privilege to a specific command, the command must be written to be privilege aware


Privilege Assignment - 2
* Currently, native system programs are becoming privilege aware and having a limited set of privileges assigned to them
  * Includes most setuid-root and network daemons
* API available with privileges to allow Solaris programmers to write privilege aware programs
* ppriv command can be used on a program that is failing due to a lack of privilege, to determine exactly the privileges that the program needs to succeed
* Appropriate privileges can be assigned to the program, or assigned to a role or user to allow that program to run properly when the appropriate set of users runs it
* Good white paper by Sun about privilege-enabling an arbitrary set-UID program: http://www.sun.com/blueprints/0406/819-6320.pdf


Final Privilege Notes
* ppriv allows examination of a command to determine what privileges it would need

$ ppriv -e -D cat /etc/shadow
cat[418]: missing privilege "file_dac_read" (euid = 21782), needed at ufs_access+0x3c
cat: cannot open /etc/shadow

* ppriv -l lists all available privileges
  * -v does so with details


/etc/passwd
# cat /etc/passwd
root:x:0:1:Super-User:/:/sbin/sh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
sys:x:3:3::/:
adm:x:4:4:Admin:/var/adm:
lp:x:71:8:Line Printer Admin:/usr/spool/lp:
uucp:x:5:5:uucp Admin:/usr/lib/uucp:
nuucp:x:9:9:uucp Admin:/var/spool/uucppublic:/usr/lib/uucp/uucico
smmsp:x:25:25:SendMail Message Submission Program:/:
listen:x:37:4:Network Admin:/usr/net/nls:
gdm:x:50:50:GDM Reserved UID:/:
webservd:x:80:80:WebServer Reserved UID:/:
nobody:x:60001:60001:NFS Anonymous Access User:/:
noaccess:x:60002:60002:No Access User:/:
nobody4:x:65534:65534:SunOS 4.x NFS Anonymous Access User:/:
pbg:x:101:14::/export/home/pbg:/bin/bash
test:x:201:1::/export/home/test:/bin/pfsh


/etc/user_attr
# cat /etc/user_attr
#
# Copyright (c) 2003 by Sun Microsystems, Inc.  All rights reserved.
#
# /etc/user_attr
#
# user attributes. see user_attr(4)
#
#pragma ident   "@(#)user_attr  1.1     03/07/09 SMI"
#
adm::::profiles=Log Management
lp::::profiles=Printer Management
root::::auths=solaris.*,solaris.grant;profiles=Web Console Management,All;lock_after_retries=no
test::::type=role;defaultpriv=basic,dtrace_proc,dtrace_user,dtrace_kernel;profiles=Process Management
pbg::::type=normal;roles=test


Labs
* Create new user foo
* Create new role operator
* Find list of profiles
* Add some profiles to role operator
* Add user foo to role operator
* Find list of privileges
* Add some privileges to role operator
* Add some privileges to user foo
* Test user foo in role operator
* Test user foo privileges
* Explore the system to find all of the changes associated with the new user and role
* What file would you need to look in during an audit to check a user for more privileges?
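For the last lab question, here is an added Python audit helper (not part of the tutorial) that reads the user_attr(4) and exec_attr(4) formats shown on the earlier slides and reports, per account, any defaultpriv beyond basic and the exec_attr commands reachable through its own profiles and the roles it may assume. Both files are constructed samples modelled on the slides' entries; the jdoe, kill and logadm lines are assumptions.

```python
"""Audit who can reach more than the basic privilege set through Solaris
RBAC: /etc/user_attr (defaultpriv, roles, profiles) and
/etc/security/exec_attr (commands a profile runs with uid/euid 0 or
extra privs).  Added example, not from the slides; both files below are
constructed samples in user_attr(4) and exec_attr(4) format."""

BASIC = frozenset({"file_link_any", "proc_exec", "proc_fork",
                   "proc_info", "proc_session"})

# Constructed sample, user:qualifier:res1:res2:attr (user_attr(4)); the
# jdoe line is an assumption modelled on the usermod -K slide.
USER_ATTR = """\
adm::::profiles=Log Management
lp::::profiles=Printer Management
root::::auths=solaris.*,solaris.grant;profiles=Web Console Management,All;lock_after_retries=no
test::::type=role;defaultpriv=basic,dtrace_proc,dtrace_user,dtrace_kernel;profiles=Process Management
pbg::::type=normal;roles=test
jdoe::::type=normal;defaultpriv=basic,proc_clock_high_res
"""

# Constructed sample, name:policy:type:res1:res2:id:attr (exec_attr(4));
# the kill and logadm lines are assumptions, not copied from a system.
EXEC_ATTR = """\
Software Installation:suser:cmd:::/usr/bin/pkgparam:uid=0
File System Management:suser:cmd:::/usr/sbin/mount:uid=0
File System Management:solaris:cmd:::/sbin/mount:privs=sys_mount
Name Service Security:suser:cmd:::/usr/bin/nisaddcred:euid=0
Process Management:solaris:cmd:::/usr/bin/kill:privs=proc_owner
Log Management:suser:cmd:::/usr/sbin/logadm:euid=0
"""


def _records(text, nfields):
    """Colon-split fields of each non-comment line; malformed lines are
    skipped rather than guessed at."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            fields = line.split(":")
            if len(fields) >= nfields:
                yield fields


def _attrs(field):
    """'k1=v1;k2=v2' -> dict; values keep their comma-separated lists."""
    return dict(kv.split("=", 1) for kv in field.split(";") if "=" in kv)


def _csv(value):
    return [v.strip() for v in value.split(",") if v.strip()]


def parse_user_attr(text):
    """Account name -> attribute dict; type defaults to 'normal'."""
    users = {}
    for fields in _records(text, 5):
        attrs = _attrs(fields[4])
        attrs.setdefault("type", "normal")
        users[fields[0]] = attrs
    return users


def parse_exec_attr(text):
    """One dict per exec_attr entry: profile, policy, path and attrs."""
    return [{"profile": f[0], "policy": f[1], "path": f[5], "attrs": _attrs(f[6])}
            for f in _records(text, 7)]


def extra_privs(attrs):
    """Privileges in defaultpriv beyond basic; 'basic' expands and '!name'
    removes, left to right, as in the ppriv notation."""
    privs = set()
    for p in _csv(attrs.get("defaultpriv", "")):
        if p == "basic":
            privs |= BASIC
        elif p.startswith("!"):
            privs.discard(p[1:])
        else:
            privs.add(p)
    return frozenset(privs - BASIC)


def reachable_profiles(user, users):
    """Profiles held directly plus those of each role the user may assume
    (only type=role entries count, as su to a role requires)."""
    attrs = users.get(user, {})
    profiles = set(_csv(attrs.get("profiles", "")))
    for role in _csv(attrs.get("roles", "")):
        if users.get(role, {}).get("type") == "role":
            profiles |= set(_csv(users[role].get("profiles", "")))
    return profiles


def privileged_commands(user, users, entries):
    """exec_attr commands the user can run with uid/euid or privs set
    through any reachable profile, sorted by path."""
    profiles = reachable_profiles(user, users)
    return sorted(((e["path"], e["attrs"]) for e in entries
                   if e["profile"] in profiles and e["attrs"]),
                  key=lambda hit: hit[0])
```

Pointing `parse_user_attr` and `parse_exec_attr` at the real files and calling `extra_privs` and `privileged_commands` for each account gives the audit the lab asks for: pbg holds nothing directly but reaches the Process Management commands through the test role, and jdoe carries an extra privilege with no role at all.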


NFS V4


NFS V4 Overview
* Stateful rather than stateless
* All traffic uses one port number (2049)
* Can negotiate security authentication protocol, including using Kerberos (SEAM) and DES
* The /etc/default/nfs file uses keywords to control the NFS protocols that are used by both the client and the server
* Uses the string representations to identify the owner or group_owner via the nfsmapid daemon
* Supports mandatory locking (multiple lock types)
* When you unshare a file system, all the state for any open files or file locks in that file system is destroyed
* Servers use a pseudo file system to provide clients with access to exported objects on the server
  * Server provides a view that just includes the exported file systems

84

Saturday, May 2, 2009

NFS V4 Overview - 2
- Supports client and server recovery from a crash
- Supports client fail-over between multiple replicated copies of a file system on different servers
- Supports volatile file handles
- Delegation, a technique by which the server delegates the management of a file to a client, is supported on both the client and the server. I.e. the server could grant either a read delegation or a write delegation to a client.
- Does not use the following daemons:
  - lockd
  - mountd
  - nfslogd
  - statd

NFS V4 Use

- Enable it via NFS_CLIENT_VERSMIN and NFS_CLIENT_VERSMAX in the /etc/default/nfs file

Solaris Flash Archives


System Build Technology
- What does it have to do with security?
- Capture state of system just after virgin build
- Fast restore
- Useful for comparison
- Also good for DR / BC
- This is available pre-Solaris 10, but generally under-utilized

Flash Archives
- Create master system - single reference installation
- Then replicate master to clone systems
- Initial install overwrites all filesystems on target clone
- Update only includes differences between two system images (on master and clone)
- Differential update changes only specified files of a clone based on a master

Flash Archives - Initial Install
- Install master server however you'd like
- (Optional) Prepare customization scripts to reconfigure or customize the clone system before or after installation
- Create the Solaris Flash archive. The Solaris Flash archive contains a copy of all of the files on the master system, unless you excluded some nonessential files
- Install the Solaris Flash archive on clone systems
  - Master and clone system must have the same kernel architecture
  - Can run scripts to customize clone or install extra packages using custom JumpStart
- (Optional) Save a copy of the master image
  - If you plan to create a differential archive, the master image must be available and identical to the image installed on the clone systems
- Note: best to start from the Entire Plus OEM install image to get all drivers clones might need

Flash Archives - Deployment
- Create archive after full master install but before software configuration
  - I.e. no Solaris Volume Manager config
- Master should be as inactive as possible
- Create archive with flar create -n name options path/filename
- Save it to disk or tape
- Make a copy for differential archive creation
- Can keep multiple archives - just costs disk
- Can compress archives
- To install from an archive, select Solaris Flash installation during standard installation procedures


Updating Clone with Flash Differential Archive
1. Start from master identical to clone
2. Prepare the master system with changes
3. (Optional) Prepare customization scripts to reconfigure or customize the clone system before or after installation
4. Mount the directory of a copy of the saved-unchanged master image
   1. Second image is to be used to compare the two system images
   2. Mount it from a Solaris Live Upgrade boot environment
   3. Mount it from a clone system over NFS
   4. Restore from backup using the ufsrestore command
5. Create the differential archive with the -A option of the flar create command
6. Install the differential archive on clone systems with custom JumpStart
   1. Or, use Solaris Live Upgrade to install the differential archive on an inactive boot environment

Moving from NIS to LDAP


Why Move?
- NIS is old, limited, not secure
  - Weak authentication
  - Not much encryption
  - Nonstandard
- NIS+ is complicated and EOL
  - Sorry if you already moved to it
  - Don't move to NIS+ if you haven't already
- LDAP is the wave of the future
  - Standard
  - Full features
  - Expandable, flexible, interoperable

NIS to LDAP Overview
- The NIS-to-LDAP transition service (N2L service) replaces existing NIS daemons on the NIS master server with NIS-to-LDAP transition daemons
- The N2L service also creates a NIS-to-LDAP mapping file on that server
  - Specifies the mapping between NIS map entries and equivalent Directory Information Tree (DIT) entries in LDAP
- A transitioned server is called an N2L server
- Slave servers do not have an NISLDAPmapping file, so they continue as usual
- The slave servers periodically update their data from the N2L server

NIS to LDAP Overview - 2
- Behavior of the N2L service is controlled by the ypserv and NISLDAPmapping configuration files
- A script, inityp2l, assists with initial setup of configuration files. Once the N2L server has been established, you can maintain N2L by editing configuration files
- The N2L service supports:
  - Import of NIS maps into the LDAP DIT
  - Client access to DIT information with the speed and extensibility of NIS
- When using N2L, the LDAP directory is the source of authoritative data
- Eventually, all NIS clients can be replaced by Solaris LDAP naming services clients
- Many gory details in the SysAdmin Guide to Naming and Directory Services

FTP Server Enhancements


FTP Server Enhancements
- The sendfile() function is used for binary downloads
- New capabilities supported in the ftpaccess file:
  - flush-wait controls the behavior at the end of a download or directory listing
  - ipcos sets the IP Class of Service for either the control or data connection
  - passive ports can be configured so that the kernel selects the TCP port to listen on
  - quota-info enables retrieval of quota information
  - recvbuf sets the receive (upload) buffer size used for binary transfers
  - rhostlookup allows or disallows the lookup of the remote host's name
  - sendbuf sets the send (download) buffer size used for binary transfers
  - xferlog format customizes the format of the transfer log entry
- -4 option, which makes the FTP server only listen for connections on an IPv4 socket when running in standalone mode

FTP Server Enhancements - 2
- ftpcount and ftpwho now support the -v option, which displays user counts and process information for FTP server classes defined in virtual host ftpaccess files
- The FTP client and server now support Kerberos

PAM Enhancements


PAM Enhancements
- Pluggable Authentication Module (PAM) framework enhancements
- The pam_authtok_check module now allows for strict password checking using new tunable parameters in the /etc/default/passwd file. The new parameters define:
  - A list of comma-separated dictionary files used for checking common dictionary words in a password
  - The minimum differences required between a new password and an old password
  - The minimum number of alphabetic or nonalphabetic characters that must be used in a new password
  - The minimum number of uppercase or lowercase letters that must be used in a new password
  - The number of allowable consecutive repeating characters

PAM Enhancements - 2
- The pam_unix_auth module implements account locking for local users. Account locking is enabled by the LOCK_AFTER_RETRIES parameter in /etc/security/policy.conf and the lock_after_retries key in /etc/user_attr
- The pam_unix module has been removed and replaced by a set of service modules of equivalent or greater functionality. Many of these modules were introduced in the Solaris 9 release. Here is a list of the replacement modules:
  - pam_authtok_check
  - pam_authtok_get
  - pam_authtok_store
  - pam_dhkeys
  - pam_passwd_auth
  - pam_unix_account
  - pam_unix_auth
  - pam_unix_cred
  - pam_unix_session

PAM Enhancements - 3
- The functionality of the pam_unix_auth module has been split into two modules. The pam_unix_auth module now verifies that the password is correct for the user. The new pam_unix_cred module provides functions that establish user credential information.
- Additions to the pam_krb5 module have been made to manage the Kerberos credentials cache using the PAM framework.
- A new pam_deny module has been added. The module can be used to deny access to services. By default, the pam_deny module is not used.

/etc/default/passwd

$ cat /etc/default/passwd
#ident "@(#)passwd.dfl 1.7 04/04/22 SMI"
#
# Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
MAXWEEKS=
MINWEEKS=
PASSLENGTH=6
# NAMECHECK enables/disables login name checking.
# The default is to do login name checking.
# Specifying a value of "NO" will disable login name checking.
#
#NAMECHECK=NO

/etc/default/passwd - 2

# HISTORY sets the number of prior password changes to keep and
# check for a user when changing passwords.  Setting the HISTORY
# value to zero (0), or removing/commenting out the flag will
# cause all users' prior password history to be discarded at the
# next password change by any user.  No password history will
# be checked if the flag is not present or has zero value.
# The maximum value of HISTORY is 26.
#
# This flag is only enforced for user accounts defined in the
# local passwd(4)/shadow(4) files.
#
#HISTORY=0
#

/etc/default/passwd - 3

# Password complexity tunables.  The values listed are the defaults
# which are compatible with previous releases of passwd.
# See passwd(1) and pam_authtok_check(5) for use warnings and
# discussion of the use of these options.
#
#MINDIFF=3
#MINALPHA=2
#MINNONALPHA=1
#MINUPPER=0
#MINLOWER=0
#MAXREPEATS=0
#MINSPECIAL=0
#MINDIGIT=0
#WHITESPACE=YES

/etc/default/passwd - 4

#
#
# passwd performs dictionary lookups if DICTIONLIST or DICTIONDBDIR
# is defined.  If the password database does not yet exist, it is
# created by passwd.  See passwd(1), pam_authtok_check(5) and
# mkdict(1) for more information.
#
#DICTIONLIST=
#DICTIONDBDIR=/var/passwd
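An added example, not from the slides or from Solaris: a Python checker that applies the /etc/default/passwd tunables shown above to a candidate password, so a proposed policy can be tried out before it is put on a system. The counting rule for MINDIFF and the way MINNONALPHA is combined with MINDIGIT/MINSPECIAL are assumptions about pam_authtok_check(5), marked in the code; the sample file content is constructed.

```python
"""Check a candidate password against /etc/default/passwd tunables.

Added example, not code from the slides or from Solaris.  Implements the
checks the slides list for PASSLENGTH, MINDIFF, MINALPHA, MINNONALPHA,
MINUPPER, MINLOWER, MAXREPEATS, MINSPECIAL, MINDIGIT, WHITESPACE and HISTORY.
"""

# Constructed file content: the slide's defaults, with several tunables
# uncommented to express a stricter policy.
DEFAULT_PASSWD_SAMPLE = """\
MAXWEEKS=
MINWEEKS=
PASSLENGTH=8
#NAMECHECK=NO
HISTORY=4
MINDIFF=3
MINALPHA=2
#MINNONALPHA=1
MINUPPER=1
MINLOWER=1
MAXREPEATS=2
MINSPECIAL=1
MINDIGIT=1
WHITESPACE=NO
"""

# Defaults as commented in the slide's /etc/default/passwd.
DEFAULTS = {"PASSLENGTH": 6, "MINDIFF": 3, "MINALPHA": 2, "MINNONALPHA": 1,
            "MINUPPER": 0, "MINLOWER": 0, "MAXREPEATS": 0, "MINSPECIAL": 0,
            "MINDIGIT": 0, "WHITESPACE": "YES", "HISTORY": 0}


def parse_default_passwd(text):
    """Parse KEY=VALUE lines; commented or empty keys keep their defaults."""
    policy = dict(DEFAULTS)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key not in policy or value == "":
            continue
        policy[key] = value.upper() if key == "WHITESPACE" else int(value)
    return policy


def max_run(s):
    """Length of the longest run of one repeated character."""
    best = run = 0
    for i, ch in enumerate(s):
        run = run + 1 if i and s[i - 1] == ch else 1
        best = max(best, run)
    return best


def differences(old, new):
    """Assumption: positions whose character differs, plus any length
    difference; the real module's rule may count differently."""
    changed = sum(1 for a, b in zip(old, new) if a != b)
    return changed + abs(len(old) - len(new))


def check_password(new, old, policy, history=()):
    """Return the list of violated tunables (an empty list means accepted)."""
    v = []
    alpha = sum(c.isalpha() for c in new)
    digits = sum(c.isdigit() for c in new)
    special = sum((not c.isalnum()) and (not c.isspace()) for c in new)
    if len(new) < policy["PASSLENGTH"]:
        v.append("PASSLENGTH")
    if old and differences(old, new) < policy["MINDIFF"]:
        v.append("MINDIFF")
    if alpha < policy["MINALPHA"]:
        v.append("MINALPHA")
    # Assumption: MINDIGIT/MINSPECIAL, when set, replace the coarser
    # MINNONALPHA count of digits plus specials.
    if policy["MINDIGIT"] or policy["MINSPECIAL"]:
        if digits < policy["MINDIGIT"]:
            v.append("MINDIGIT")
        if special < policy["MINSPECIAL"]:
            v.append("MINSPECIAL")
    elif digits + special < policy["MINNONALPHA"]:
        v.append("MINNONALPHA")
    if sum(c.isupper() for c in new) < policy["MINUPPER"]:
        v.append("MINUPPER")
    if sum(c.islower() for c in new) < policy["MINLOWER"]:
        v.append("MINLOWER")
    if policy["MAXREPEATS"] and max_run(new) > policy["MAXREPEATS"]:
        v.append("MAXREPEATS")
    if policy["WHITESPACE"] == "NO" and any(c.isspace() for c in new):
        v.append("WHITESPACE")
    # HISTORY=n: reject reuse of the n most recent passwords (most recent first)
    if policy["HISTORY"] and new in list(history)[:policy["HISTORY"]]:
        v.append("HISTORY")
    return v
```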

Stronger Password Crypto
- Modify /etc/security/policy.conf to use stronger password crypto: CRYPT_DEFAULT=md5
- Passwords are less likely to be cracked if their hashes are obtained

BSM


BSM
- Solaris Basic Security Module
- Also known as Solaris auditing
- Part of Solaris for a while, but little used
- Very detailed accounting of system / user activities
- Can be too much - watch your disk space
- Good article at http://www.deer-run.com/~hal/sysadmin/SolarisBSMAuditing.html
- Except for disk space, not very resource intensive

BSM Setup
- BSM not enabled by default
- bsmconv configures BSM
  - Creates files in /etc/security
- audit_startup runs at startup, configuring auditing via auditconfig commands:
  /usr/bin/echo "Starting BSM services."
  /usr/sbin/auditconfig -setpolicy +cnt
  /usr/sbin/auditconfig -conf
  /usr/sbin/auditconfig -aconf

BSM Setup - cont
- audit_control is the primary config file:
  dir:/var/audit
  flags:
  minfree:20
  naflags:lo
- flags defines audit events to pay attention to
- naflags defines non-attributable events to pay attention to
- audit_event can fine-tune auditing (defines events and divides them into classes)
- audit_class defines masks for accessing classes

BSM Setup - cont
- Run audit -n out of cron to cycle the (otherwise infinite) log file: 0 * * * * /usr/sbin/audit -n
- Compress and move the audit log to secure storage
  - Do so rapidly on security-conscious machines (i.e. web servers)
- auditreduce can extract specific info from an audit log
- praudit can dump native audit binary data for readability

BSM Tuning
- Recommended auditing settings for more security-conscious systems from http://www.cisecurity.com/bench_solaris.html
- Generated via this awk script:
  awk 'BEGIN { FS = ":"; OFS = ":" }
    ($4 ~ /fm/) && ! ($2 ~ /MCTL|FCNTL|FLOCK|UTIME/) \
      { $4 = $4 ",cc" }
    ($4 ~ /p[cms]/) && \
      ! ($2 ~ /FORK|CHDIR|KILL|VTRACE|SETGROUPS|SETPGRP/) \
      { $4 = $4 ",cc" }
    { print }' audit_event > audit_event.new
- And associated audit_control configuration:
  dir:/var/audit
  minfree:20
  flags:lo,ad,cc
  naflags:lo,ad,ex

Auditing Enhancements


Auditing Enhancements
- Can use the syslog utility to store audit records in text format
- Enable and configure in /etc/security/audit_control:
  dir:/var/audit
  flags: lo,ad,-fm
  minfree:20
  naflags:lo,ad
  plugin: name=audit_syslog.so;p_flags=lo,+ad;\
  qsize=512
- Add audit.notice /var/adm/auditlog to /etc/syslog.conf
- touch /var/adm/auditlog
- Use logadm to manage the logs
- praudit -x creates output formatted in XML
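An added example (not from the slides or from Solaris) showing how a flags: line such as the lo,ad,-fm above, or the lo,ad,cc of the BSM Tuning slide, selects events from audit_event: it applies the audit_control(4) prefixes (+ success only, - failure only, ^ turns a class or one half of it off, all covers every class) to a constructed audit_event sample in the number:name:description:classes layout, so a preselection can be reviewed before it is deployed.

```python
"""Work out which audit events an audit_control flags: line preselects.

Added example, not code from the slides or from Solaris.  Prefix handling
follows audit_control(4): bare class = success and failure, '+' = success
only, '-' = failure only, '^', '^+', '^-' switch the class (or one half of
it) off, and 'all' stands for every class.  The audit_event text below is a
constructed sample in the audit_event(4) layout, not the real file.
"""

AUDIT_EVENT_SAMPLE = """\
# constructed sample, not a real /etc/security/audit_event
2:AUE_FORK:fork(2):ps
7:AUE_EXECVE:execve(2):ps,ex
10:AUE_CHMOD:chmod(2):fm
23:AUE_OPEN_R:open(2) - read:fr
72:AUE_OPEN_W:open(2) - write:fw
6152:AUE_login:login - local:lo
6155:AUE_su:su:lo
6164:AUE_role_login:role login:lo
"""


def parse_audit_event(text):
    """Return {event_name: set(class names)}."""
    events = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        _num, name, _desc, classes = line.split(":", 3)
        events[name] = {c for c in classes.split(",") if c}
    return events


def parse_flags(flags):
    """Return {class: (audit_success, audit_failure)}, applied left to right.
    Entries not named inherit whatever 'all' set, if anything."""
    state = {}
    for item in flags.split(","):
        item = item.strip()
        if not item:
            continue
        off = item.startswith("^")
        item = item.lstrip("^")
        succ, fail = True, True
        if item.startswith("+"):
            fail = False
        elif item.startswith("-"):
            succ = False
        cls = item.lstrip("+-")
        cur = state.get(cls, state.get("all", (False, False)))
        if off:     # switch the named half(s) off
            state[cls] = (cur[0] and not succ, cur[1] and not fail)
        else:       # switch them on, adding to what is already selected
            state[cls] = (cur[0] or succ, cur[1] or fail)
    return state


def preselect(events, flags):
    """Return {event: (success_audited, failure_audited)} for every event
    that at least one of its classes selects."""
    mask = parse_flags(flags)
    default = mask.get("all", (False, False))
    out = {}
    for name, classes in events.items():
        succ = any(mask.get(c, default)[0] for c in classes)
        fail = any(mask.get(c, default)[1] for c in classes)
        if succ or fail:
            out[name] = (succ, fail)
    return out
```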

Auditing Enhancements - 2
- Audit metaclasses provide an umbrella for finer-grained audit classes
- The bsmconv command no longer disables the use of the Stop-A key
  - The Stop-A event can be audited
- The timestamp in audit records now displays in ISO 8601 format
- Three audit policy options have been added:
  - public - Public objects are no longer audited for read-only events, reducing the audit log size
  - perzone - A separate audit daemon runs in each zone
  - zonename - The name of the Solaris zone in which an audit event occurred can be included in audit records

Auditing Enhancements - 3
- Five audit tokens have been added:
  - The cmd token records the list of arguments and the list of environment variables that are associated with a command
  - The path_attr token records the sequence of attribute file objects that are below the path token object
  - The privilege token records the use of privilege on a process
  - The uauth token records the use of authorization with a command or action
  - The zonename token records the name of the non-global zone in which an audit event occurred

Solaris Cryptographic Framework


Crypto Framework
- Provides common store of crypto algorithms and PKCS #11 libraries optimized for SPARC and x86
  - PKCS #11 - public key crypto standard defining a technology-independent API for crypto devices
- Currently provides IPSec and Kerberos to the kernel, libsasl and IKE to users via plugins:
  - User-level plugins - Shared objects that provide services by using PKCS #11 libraries, such as pkcs11_softtoken.so.1
  - Kernel-level plugins - Kernel modules that provide implementations of cryptographic algorithms in software, such as AES
  - Hardware plugins - Device drivers and their associated hardware accelerators, i.e. Sun Crypto Accelerator 1000 board
- Framework implements a standard interface, the PKCS #11, v2.11 library, for user-level providers. Can be used by third-party applications to reach providers
- Third parties can add signed libraries, signed kernel algorithm modules, and signed device drivers to the framework
  - Plugins are added when the pkgadd utility installs the third-party software

[Figure: Overview of the Solaris Cryptographic Framework (Figure 81 from the Solaris 10 Solaris Security for Developers Guide)]

Crypto Framework Admin
- Administration via the cryptoadm command:
  $ cryptoadm list
  user-level providers:
  /usr/lib/security/$ISA/pkcs11_kernel.so
  /usr/lib/security/$ISA/pkcs11_softtoken.so

  kernel software providers:
  des
  aes
  arcfour
  blowfish
  sha1
  md5
  rsa
  swrand

  kernel hardware providers:

Crypto Framework User Commands
- digest - Computes a message digest for one or more files or for stdin. A digest is useful for verifying the integrity of a file. SHA1 and MD5 are examples of digest functions.
- mac - Computes a message authentication code (MAC) for one or more files or for stdin. A MAC associates data with an authenticated message. A MAC enables a receiver to verify that the message came from the sender and that the message has not been tampered with. The sha1_hmac and md5_hmac mechanisms can compute a MAC.
- encrypt - Encrypts files or stdin with a symmetric cipher. The encrypt -l command lists the algorithms that are available. Mechanisms that are listed under a user-level library are available to the encrypt command. The framework provides AES, DES, 3DES (Triple-DES), and ARCFOUR mechanisms for user encryption.
- decrypt - Decrypts files or stdin that were encrypted with the encrypt command. The decrypt command uses the identical key and mechanism that were used to encrypt the original file.

Key Generation
- For MAC and encryption, need a symmetric key
- Determine algorithm to use and length of key needed:
  $ encrypt -l
  Algorithm       Keysize:  Min   Max (bits)
  ------------------------------------------
  aes               128   128
  arcfour             8   128
  des                64    64
  3des              192   192
  $ mac -l
  Algorithm       Keysize:  Min   Max (bits)
  ------------------------------------------
  des_mac            64    64
  sha1_hmac           8   512
  md5_hmac            8   512

Encrypting
- Use a random number generator, or dd, to create a key
  - Note that bs is in bytes, so divide bits by 8
  $ dd if=/dev/random of=keyfile bs=n count=1
- Protect the key in the keyfile
  $ chmod 400 keyfile
- Example for AES:
  $ dd if=/dev/random of=$HOME/keyf/05.07.aes16 bs=16 count=1
  $ chmod 400 ~/keyf/05.07.aes16
- Now use a key file to create an MD5 MAC (this example uses a separate key file, 05.07.mack64):
  $ mac -v -a md5_hmac -k $HOME/keyf/05.07.mack64 email.attach
  md5_hmac (email.attach) = 02df6eb6c123ff25d78877eb1d55710c
  % echo "md5_hmac (email.attach) = 02df6eb6c123ff25d78877eb1d55710c" \
    >> ~/mac.daily.05.07

Decrypting and verifying
- Example - Use AES for encryption using a keyphrase:
  $ encrypt -a aes -i ticket.to.ride \
      -o ~/enc/e.ticket.to.ride
  Enter key:
- The opposite of encrypt is decrypt:
  $ decrypt -a aes -i ~/enc/e.ticket.to.ride
  Enter key:

Labs
- Pick an encryption algorithm and key length and encrypt and decrypt a sample message
- How do we use the MAC shown in the above slides?
- Compute a MAC or digest, modify a sample message, and then recompute

Kerberos Enhancements


Kerberos Enhancements
- The KDC software, the user commands and applications now support TCP
- Support for IPv6 was added to the kinit, klist and kprop commands. Support for IPv6 addresses is provided by default. There are no configuration parameters to change to enable IPv6 support. No IPv6 support is available for the kadmin and kadmind commands.
- A new PAM module called pam_krb5_migrate has been introduced. Helps in the automatic migration of users to the local Kerberos realm, if they do not already have Kerberos accounts.
- The ~/.k5login file can now be used with the GSS applications ftp and ssh
- The kproplog utility has been updated to output all attribute names per log entry

Kerberos Enhancements - 2
- Kerberos protocol support is provided in remote applications, such as ftp, rcp, rdist, rlogin, rsh, ssh, and telnet
- The Kerberos principal database can now be transferred by incremental update instead of by transferring the entire database each time
  - Increased database consistency across servers
  - The need for fewer resources (network, CPU, and so forth)
  - Much more timely propagation of updates
  - An automated method of propagation

Kerberos Enhancements - 3
- A new script to help automatically configure a Kerberos client
- Several new encryption types have been added to the Kerberos service
  - The AES encryption type can be used for high speed, high security encryption of Kerberos sessions. The use of AES is enabled through the Cryptographic Framework.
  - ARCFOUR-HMAC provides better compatibility with other Kerberos versions.
  - Triple DES (3DES) with SHA1 increases security. This encryption type also enhances interoperability with other Kerberos implementations that support this encryption type.

Kerberos Enhancements - 4
- A new -e option has been included to several subcommands of the kadmin command. This new option allows for the selection of the encryption type during the creation of principals.
- Additions to the pam_krb5 module manage the Kerberos credentials cache by using the PAM framework.
- Support is provided for auto-discovery of the Kerberos KDC, admin server, kpasswd server, and host or domain name-to-realm mappings by using DNS lookups
- A new configuration file option makes the strict TGT verification feature optionally configurable on a per-realm basis

Kerberos Enhancements - 5
- Extensions to the password-changing utilities enable the Solaris Kerberos V5 administration server to accept password change requests from clients that do not run Solaris software.
- The default location of the replay cache has been moved from RAM-based file systems to persistent storage in /var/krb5/rcache
- The GSS credential table is no longer necessary for the Kerberos GSS mechanism
- The Kerberos utilities, kinit and ktutil, are now based on MIT Kerberos version 1.2.1
- The Solaris Kerberos Key Distribution Center (KDC) is now based on MIT Kerberos version 1.2.1
- Note that Kerberos V5 support means that (theoretically) NFS traffic can now be encrypted

Packet Filtering


Packet Filtering Overview
- Solaris used to have nothing, then SunScreen was commercial, then SunScreen was included, now ipfilter is standard
- Solaris IP Filter is a host-based firewall that is derived from the open source IP Filter code, developed and maintained by Darren Reed
  - Based on version 4.0.33 of the open source IP Filter
- Uses the STREAMS module, pfil, to intercept packets
- By default, pfil is not autopushed onto network interface cards (NICs). Autopush of pfil is disabled for all drivers

Packet Filtering Overview - 2
- Provides packet filtering and network address translation (NAT), based upon a user-configurable policy
  - Rules are configurable to filter either statefully or statelessly
- Command line interface only
  - ipf for loading or clearing packet filter rules
  - ipnat for loading or clearing NAT rules
  - ippool for managing address pools associated with IP rules
  - ipfstat for viewing per-interface statistics
  - ipmon for viewing of logged packets
- Good info at http://www.obfuscation.org/ipf/
- Only works in the global zone (so far)

ipfilter Details
- Can match on the following IP header fields:
  - Source or destination IP address (including inverted matches)
  - IP protocol
  - TOS (Type of Service)
  - IP options or IP security classes
  - Fragment
- In addition it can:
  - Distinguish between various interfaces
  - Return an ICMP error or TCP reset for denied packets
  - Keep packet state information for TCP, UDP, and ICMP packet flows
  - Keep fragment state information for any IP packet, applying the same rule to all fragments in that packet
  - Use redirection to set up true transparent proxy connections
  - Provide packet header details to a user program for authentication
  - Provide temporary storage of pre-authenticated rules for passing packets

ipfilter Details - 2
- Special provision is made for the three most common Internet protocols, TCP, UDP and ICMP. Can match based on:
  - TCP or UDP packets by port number or a port number range
  - ICMP packets by type or code
  - Established TCP packet sessions
  - Any arbitrary combination of TCP flags
- Note: IPMP only supports stateless packet filtering

Enable ipfilter
- Disabled by default
- Assume a role that includes the Network Management rights profile, or become superuser
- Edit /etc/ipf/pfil.ap
  - Uncomment the interface(s) to filter on
- Put filter rules in /etc/ipf/ipf.conf for automatic use at boot
- Put NAT rules in /etc/ipf/ipnat.conf for automatic use at boot
- Put config info in /etc/ipf/ippool.conf for pooling of interfaces at boot time
- Reboot or run svcadm restart pfil
- Activate filtering via svcadm enable ipfilter
- unplumb and replumb the interface(s) to filter (or reboot)
- Now enable ipfiltering
  - Enable filtering: ipf -E
  - Activate filtering: ipf -f filename
  - Activate NAT if wanted: ipnat -f filename
  - Monitor with ipfstat

/etc/ipf/ipf.conf
- Rules processed top to bottom
- Entire ruleset is run, not just until a match
- Last matching rule always has precedence
- quick rule option says to stop processing if match
  pass in quick on lo0 all
  pass out quick on lo0 all
  block in log all
  block out all
  pass in quick proto tcp from any to any port = 113 flags S keep state
  pass in quick proto tcp from any to any port = 22 flags S keep state
  pass in quick proto tcp from any port = 20 to any port 39999 >< 45000 flags S keep state
  pass out quick proto icmp from any to any keep state
  pass out quick proto tcp/udp from any to any keep state keep frags
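An added example, not from the slides or from IP Filter, that simulates the rule walk just described over the slide's own ruleset: sample packets are constructed dicts, and the result says which rule decided the verdict and whether the block in log all rule logged the packet, which makes the effect of quick and of last-match-wins visible.

```python
"""Walk an ipf.conf ruleset the way the slide describes: top to bottom,
last match wins, and a matching 'quick' rule ends the walk.

Added example, not code from the slides or from IP Filter.  The parser covers
only the syntax in the slide's ruleset (pass/block, in/out, log, quick,
on <if>, proto, from/to with 'port = N' or 'port A >< B', all); 'flags',
'keep state' and 'keep frags' are accepted but not modelled.
"""
import ipaddress

# The slide's /etc/ipf/ipf.conf, reproduced as sample input.
IPF_CONF_SAMPLE = """\
pass in quick on lo0 all
pass out quick on lo0 all
block in log all
block out all
pass in quick proto tcp from any to any port = 113 flags S keep state
pass in quick proto tcp from any to any port = 22 flags S keep state
pass in quick proto tcp from any port = 20 to any port 39999 >< 45000 flags S keep state
pass out quick proto icmp from any to any keep state
pass out quick proto tcp/udp from any to any keep state keep frags
"""


def _port_pred(t, i):
    """Parse 'port = N' or 'port A >< B' at t[i]; return (predicate, next_i)."""
    if t[i + 1] == "=":
        n = int(t[i + 2])
        return (lambda p: p == n), i + 3
    lo, op, hi = int(t[i + 1]), t[i + 2], int(t[i + 3])
    if op == "><":                       # between, both ends excluded
        return (lambda p: lo < p < hi), i + 4
    if op == "<>":                       # outside the range
        return (lambda p: p < lo or p > hi), i + 4
    raise ValueError("unsupported port operator " + op)


def _addr_pred(token):
    if token == "any":
        return lambda a: True
    net = ipaddress.ip_network(token, strict=False)
    return lambda a: ipaddress.ip_address(a) in net


def parse_rule(line):
    t = line.split()
    rule = {"action": t[0], "dir": t[1], "log": False, "quick": False,
            "iface": None, "proto": None,
            "src": _addr_pred("any"), "sport": lambda p: True,
            "dst": _addr_pred("any"), "dport": lambda p: True}
    i = 2
    while i < len(t):
        w = t[i]
        if w in ("log", "quick"):
            rule[w] = True
            i += 1
        elif w == "on":
            rule["iface"] = t[i + 1]
            i += 2
        elif w == "proto":                # 'tcp/udp' means either protocol
            rule["proto"] = set(t[i + 1].split("/"))
            i += 2
        elif w == "all":
            i += 1
        elif w in ("from", "to"):
            side = "src" if w == "from" else "dst"
            rule[side] = _addr_pred(t[i + 1])
            i += 2
            if i < len(t) and t[i] == "port":
                rule[side[0] + "port"], i = _port_pred(t, i)
        elif w in ("flags", "keep"):      # 'flags S', 'keep state', 'keep frags'
            i += 2
        else:
            raise ValueError("unsupported token " + w)
    return rule


def matches(rule, pkt):
    return (rule["dir"] == pkt["dir"]
            and (rule["iface"] is None or rule["iface"] == pkt["iface"])
            and (rule["proto"] is None or pkt["proto"] in rule["proto"])
            and rule["src"](pkt["src"]) and rule["dst"](pkt["dst"])
            and rule["sport"](pkt.get("sport", 0))
            and rule["dport"](pkt.get("dport", 0)))


def evaluate(rules, pkt):
    """Return (verdict, logged, index of the deciding rule); no match => pass."""
    last = None
    for idx, rule in enumerate(rules):
        if matches(rule, pkt):
            last = (rule["action"], rule["log"], idx)
            if rule["quick"]:             # quick: stop at this match
                break
    return last or ("pass", False, None)


RULES = [parse_rule(l) for l in IPF_CONF_SAMPLE.splitlines() if l.strip()]
```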

/etc/ipf/ipnat.conf
- Very feature-rich translation of addresses and ports
- Some examples:
  map eri1 192.168.1.0/24 -> 20.20.20.1/32
  map eri1 192.168.1.0/24 -> 0/32 portmap tcp/udp auto
  map eri1 192.168.1.0/24 -> 20.20.20.1/32 proxy port ftp ftp/tcp
  rdr eri1 20.20.20.5/32 port 80 -> 192.168.0.5, 192.168.0.6, port 8000

/etc/ipf/ippool.conf
- Pool of addresses used by ipfilter
- Used for defining a single object that contains multiple IP address / netmask pairs
- Then a rule can be applied to a pool
  ipf rule: pass in from pool/100 to any
  table role = ipf type = tree number = 100
      { 1.1.1.1/32, 2.2.0.0/16, !2.2.2.0/24 };

ipfilter status
- ipfstat -io shows current filter rules
- ipfstat shows the current state table
- ipfstat -s shows state statistics
- ipfstat -t shows top-like status information
- ippool -s shows pool statistics
- ipnat -s shows NAT statistics
- ndd -get /dev/pfil qif_status shows pfil statistics in the kernel
- ipmon -a shows the ipfilter log

ipfilter Lab (only for Global Zone)
- Install ipfilter
- Build a rule to allow everything but finger in
- Modify the rule to allow everything but ftp out
- Test the rules
- Examine the firewall state
- Examine the log files

BART


BART
- Basic Auditing and Reporting Tool
- Quick and easy way to collect info on filesystem objects and attributes
  - Then use it to look for changes
- Much like Tripwire, but integral to Solaris 10
- Create and compare modes
  - Create - Entire system, specific dirs, subset of files, or specific rules based. Creates a manifest
  - Compare - Take two manifests and optional rules and output comparison information

BART
- Good info on centralizing, securing, and automating use of BART from http://blogs.sun.com/roller/page/gbrunett/20041001#automating_solaris_10_file_integrity

BART - Set up Accounts
- First create a non-login, profile shell account to collect file system info and create BART manifests
  # mkdir -p /export/home
  # useradd -d /export/home/bartadm -m -s /bin/pfsh bartadm
  # passwd -N bartadm
  passwd: password information changed for bartadm

BART - Setup Security Access
- Consider setting up a manager system and doing key and BART manifest management there
  $ ssh-keygen -t dsa
  Generating public/private dsa key pair.
  Enter file in which to save the key (/export/home/bartadm/.ssh/id_dsa):
  Enter passphrase (empty for no passphrase):
  Enter same passphrase again:
  Your identification has been saved in /export/home/bartadm/.ssh/id_dsa.
  Your public key has been saved in /export/home/bartadm/.ssh/id_dsa.pub.
  The key fingerprint is:
  42:ca:d7:fa:ab:1c:f8:c0:5b:2c:7b:56:28:85:dc:65 bartadm@manager
- Now copy the public key (id_dsa.pub) from manager to the client system and rename it to authorized_keys
- And limit SSH via that key to run only one command; add to the beginning of authorized_keys: command="/usr/bin/bart create -r -"

BART - Create Rights Profile
- Allows the bartadm user to run BART with sufficient privs
- Add to /etc/security/prof_attr:
  File Integrity:::File Integrity Management:
- Add to /etc/security/exec_attr:
  File Integrity:solaris:cmd:::/usr/bin/bart:privs=file_dac_read,file_dac_search
- Enable the File Integrity right for user bartadm
  # usermod -P "File Integrity" bartadm

Configure and Run BART
- Create a client.rules file on manager to tell BART what to do
- This example checks /usr/sbin:
  /usr/sbin
  CHECK all
- Now run BART from manager to client:
  $ cat ./client.rules | ssh -T -l bartadm client > ./client.manifest.1
- Periodically rerun that command and compare the differences with bart compare:
  $ bart compare -r ./client.rules ./client.manifest.1 ./client.manifest.2
  . . .

BART Next StepsInformation on tying BART together with the Solaris Fingerprint Database (available for free from SunSolve - http:// www.sun.com/blueprints/0501/Fingerprint.pdf ) to nd changes to les shipped by Sun available fromhttp://www.securitydocs.com/library/2693


Trusted Extensions


Overview
- Used to be Trusted Solaris
- Some of that baked into standard Solaris 10
- Some now available as Trusted Extensions
- Reimplementation of Trusted Solaris 8 based on new security features in Solaris 10
- Renamed because delivered as an optional set of extensions to Solaris
- Extends Solaris security by enforcing a mandatory access control (MAC) policy
- Meets requirements of Common Criteria Labeled Security Protection Profile (LSPP) and Role-Based Access Protection Profile (RBAC)


Components
- Consists of a set of label-aware services that are derived from Trusted Solaris 8
- Labeled Networking
- Labeled Printing
- Label-aware Filesystem Mounting and Sharing
- Labeled Desktops
  - Java Desktop System
  - Common Desktop Environment
- Label Configuration and Translation
- Label-aware Device Allocation
- Label-aware System Management Tools


Implementation
- No app changes, file system changes needed
- Built on zone technology
- For each label, entire app environment virtualized within a container
- Can be multiple instances of each resource and service at each label
- Very efficient
- Labels made up of classifications (levels) and compartments (categories)
- Classifications are hierarchical, compartments disjoint
- At least 256 of each allowed
- Labels can be specified as ranges
- Admin roles can assign label ranges to users, network attribs, workstations, and devices via the Trusted Path
- All zones administered from protected global zone to manage Trusted Computing Base (TCB) known as Trusted Path
- Zones share an LDAP directory containing network-wide policy


Implementation - cont
- IPSec is used for source IP authentication and data encryption
- Loop back mounts and NFS mounts allow for file sharing
- Zones with matching labels can share r/w access
- Zone with lower-level label has r/w access, higher label zone has r/o access
- One-way guards for tamper-proof logging possible via named pipe loop-back mounted to higher-level zone
- Mounts automatically labeled by kernel based on zone and host labels
- Least Privs can be used to modify abilities of zones and processes in zones
- User interface is CDE or Java DS


[Figure 14: Typical Solaris Trusted Extensions (CDE) Session; annotated with Trusted Path menu, Window label stripe, Window icon label stripe, Front panel, Trusted stripe, Trusted symbol, Workspace label]

(From Solaris Labels: Containers and Trusted Extensions User's Guide)

... administrator. Figure 14 shows a typical multilevel Trusted Extensions session on a system that is configured to display labels. The labels and trusted stripe are indicated.

Trusted Extensions uses containers for labeling. Containers are also called zones. The global zone is an administrative zone, so is not available to users. Non-global zones are called labeled zones. Labeled zones are used by users. The global zone shares some system files with users. When these

Enabling Trusted Solaris Extensions
- Built into Solaris 10 11/07 and beyond
- Disabled by default in S10, enabled via one bit, then
- Sensitivity labels are automatically applied to all sources of data (networks, filesystems, windows) and consumers of data (users and processes)
- Access to all data is restricted based on the relationship between the label of the data (object) and the consumer (subject)


Example - Secure Browsing Laptop
- Install latest Solaris 10
- Create a file system called zone
- Enable TX via the install DVD commands in those dirs (read the instructions):
  Solaris_10/ExtraValue/CoBundled/TrustedExtensions
  or
  Solaris_11/ExtraValue/CoBundled/TrustedExtensions
- and either double-click the wizard.class file in the CDE File Manager, or open a terminal window and type:
  # java wizard
- Download http://www.opensolaris.org/os/community/laptop/downloads/inetmenu-1.9.pkg.gz and http://www.opensolaris.org/os/community/security/projects/tx/txlaptop-install/inetmenu-tx.tar for ease of network reconfiguration (i.e. laptop use)


Example - Configure Networking
- Unconfigure your system's network identity
- Remove any network interface configuration files, such as /etc/hostname.* and /etc/dhcp.*
- Update your /etc/hosts and /etc/inet/ipnodes as follows:
  127.0.0.1 localhost loghost
  10.1.2.3 your-hostname
- Create the /etc/nodename file
  # hostname >/etc/nodename
- Add the following entry to the /etc/security/tsol/tnrhdb file:
  10.1.2.3:cipso
- Specify the virtual network interface (VNI) for your system by adding the following to /etc/hostname.vni0
  # echo `hostname` all-zones >>/etc/hostname.vni0
- Add to the LOCAL DEFINITIONS section of /etc/security/tsol/label_encodings:
  Default Label View is Internal;
- (Optional) If your system has NIS enabled, disable it by doing the following:
  # cp /etc/nsswitch.files /etc/nsswitch.conf
  # mv /var/yp /var/yp.save
- Reboot the system
- The system is now running the Solaris Trusted Extensions software


Example - Configure Trusted Extensions
1. Log in to Trusted Extensions CDE as superuser
2. Open a terminal window
3. Verify that the VNI interface is up and that the all-zones option is specified
   # ifconfig -a
4. The IP address for the vni0 interface should be the same as in the hosts and ipnodes files; the vni0 interface should include the all-zones option
5. Start the Solaris Management Console via
   # smc &
6. From the Toolboxes menu, select the entry for your system that shows Scope=Files, Policy=TSOL, and click Open
7. Add yourself as a normal user
   - From the Navigation bar, select System Configuration, and then double-click the Users icon
   - The login window opens; log in as root
   - Click User Accounts, and then select Add User With Wizard from the Action menu
   - Follow the instructions to add the user


Example - Configure Trusted Extensions (cont)
8. After your account is created, double-click your user icon to modify settings
   - Open the Trusted Extensions Attributes tab and modify these items:
   - Set the Clearance value to CONFIDENTIAL RESTRICTED
   - Set the Lock Account After Maximum Failed Logins value to No
   - Set the Idle Time value to Forever
   - Click OK
9. Edit the /etc/user_attr file to append the following to your user entry:
   ;roles=root
   (temporary workaround until you have verified that your system is working correctly; at that time, you should configure root as a role)


Example - Configure Trusted Extensions (cont)
10. Create security templates for the public and internal zones
    - From the Navigation bar, select System Configuration, and then double-click the Computers and Networks icon
    - Click Security Templates, and then choose Add Template from the Action menu
    - Specify the template name as public
    - Set the default label to PUBLIC
    - Set the Domain of Interpretation value to 1
    - Click OK
    - Choose Add Template from the Action menu
    - Specify the template name as internal
    - Set the default label to CONFIDENTIAL : INTERNAL USE ONLY
    - Set the Domain of Interpretation value to 1
    - Click OK
11. Manually update the kernel cache with the trusted networking parameter values
    # tnctl -T /etc/security/tsol/tnrhtp
12. Exit the Solaris Management Console


Example - Configure Labeled Zones
1. Run the txzonemgr script and follow each of these steps (you must click OK each time to continue)
2. Create a new zone called public
   - Select Create A New Zone and click OK
   - Specify the zone name of public
   - Choose Select_Label and click OK
   - Choose PUBLIC
   - Choose Install to install the public zone; a window opens to show you the progress of the zone installation process
   - Choose Initialize to initialize the public zone
   - Choose Zone_Console to open the zone console window
   - Choose Boot to boot the zone
   - The public zone is rebooted automatically
   - The public zone will reboot again automatically


Example - Configure Labeled Zones (cont)
3. From the zone terminal console window, log in as superuser and run the following commands:
   Run these commands on a Solaris 10 11/06 system:
   # rm /etc/auto_home_public
   # netservices limited
   # svcadm disable auditd
   # svcadm disable cde-login
   # exit
   Run these commands on a Solaris Express system:
   # rm /etc/auto_home_public
   # svcadm disable auditd
   # svcadm disable cde-login
   # exit


Example - Configure Labeled Zones (cont)
4. From txzonemgr, create the internal, needtoknow, and restricted zones
   a. Choose Halt to halt the public zone
   b. Choose Create_Snapshot to create a snapshot of the public zone
   c. Choose Boot to boot the public zone
   d. Choose Select Another Zone and click OK
   e. Choose Create A New Zone and click OK
   f. Name the new zone internal
   g. Choose Select_Label and specify a value of CONFIDENTIAL : INTERNAL USE ONLY
   h. Choose Clone and select zone/public@snapshot
   i. Choose Zone_Console to open the zone console for the new zone
   j. Choose Boot to boot the new zone
   k. Repeat Steps d-j for the needtoknow and restricted zones, which use labels CONFIDENTIAL : NEED TO KNOW and CONFIDENTIAL : RESTRICTED, respectively
   l. Choose Exit to exit the txzonemgr program


Example - Install and Use inetmenu
1. Caution - the inetmenu program might be replaced with another utility in the future
2. Become superuser
3. Change to the /opt/tx directory
4. Unzip and install the inetmenu software
   # gunzip inetmenu-1.9.pkg.gz
   # pkgadd -d inetmenu-1.9.pkg
5. Apply the Trusted Extensions modifications to inetmenu
   # cd /; tar xvf /opt/tx/inetmenu-tx.tar
6. Run inetmenu
   # inetmenu
7. Select the DHCP-NoNIS option
   Now your network should be up with PUBLIC as the default label. You can run the txnetmgr command to verify that it is all-zones.


Resources
- http://www.opensolaris.org/os/community/security/projects/tx/TrustedExtensionsArch.pdf
- http://docs.sun.com/app/docs/coll/175.12
- http://opensolaris.org/os/community/security/projects/tx/tx-laptop-install/


JASS / SST


JASS Solaris Security Toolkit
- Add-on security tool to harden Solaris
- Can be automated
- Free
- Supported with support contract
- Solaris >= 8, but probably works < 8
- The Solaris Security Toolkit 4.2 documentation is now available at: http://docs.sun.com/app/docs/coll/sstoolkit4.2
- You can also find extensive Sun BluePrints articles at: http://www.sun.com/software/security/blueprints/index.html


JASS Details
- SMF, Secure by Default
- Understands containers, LDOMS, system controllers
- Backs up every file before it modifies the file
- Can automatically undo all changes
- Can be run to determine the state of a system compared to a secured state
- Can be run periodically to reset a system to a secured state
- Been around for a while (i.e. tested and well used)
- Use integrated with some other Sun tools


JASS Installation
- Get SUNWjass-4.2 (or current version)
  pkgadd -d . SUNWjass
- Tools now in /opt/SUNWjass
- Lots of scripts, each to harden one aspect of the system
- Put into use via drivers
- Important safety tip - have a root connection to the system before running any driver


JASS Use
- Look in /opt/SUNWjass/Drivers
- Find a driver matching your desires
- Change the driver to meet your requirements
- Execute the driver via
  # cd /opt/SUNWjass/bin/
  # jass-execute .driver
- Can undo what was just done
  # jass-execute -u
- Consider creating a .driver for each class of system, using jumpstart to create the systems, and using JASS to harden each class of systems


Overall Solaris 10 Security


Secure By Default
- Shipped in S10 8/07
- Default set of SMF services configure default hardened state, local-only operation (ssh only default enabled service)
- netservices command to broadly change network services status
- http://www.opensolaris.org/os/community/security/projects/sbd/


Securing an S10 System
- Use knowledge from the tutorial to secure a general purpose portable system
- See the security Sun Blueprints: http://www.sun.com/blueprints
- See especially the Solaris 10 Benchmark published by the Center for Internet Security: http://www.cisecurity.org/bench_solaris.html
- From Glen Brunette's blog: http://blogs.sun.com/gbrunett/category/Solaris+10+Security
- See also Clingan's approach at http://blogs.sun.com/jclingan/?entry=securing_my_x2100


Solaris Security Toolkit
- Solaris Security Toolkit at http://www.sun.com/software/security/jass/
- Tool that can automate system security changes
- For Solaris 8, 9, 10
- Supported if you have a Solaris support contract
- Download the tool and a patch to update for latest Solaris 10


Security Settings - 1
- Consider automating much of this with SST / JASS
- Disable ssh - now no services
  % pfexec svcadm disable ssh
  % svcs ssh
  STATE          STIME    FMRI
  disabled       21:30:12 svc:/network/ssh:default
- Enable ipfilter
  - Uncomment or add the network interfaces to /etc/ipf/pfil.ap
  - Enable firewalling et al
  - Install a firewall configuration (next slide) into /etc/ipf/ipf.conf


Security Settings - 2
  #
  # ipf.conf
  #
  # IP Filter rules to be loaded during startup
  #
  # See ipf(4) manpage for more information on
  # IP Filter rules syntax.

  pass out quick all keep state keep frags

  # Drop all NETBIOS traffic but don't log it.
  block in quick from any to any port = 137 #netbios-ns
  block in quick from any to any port = 138 #netbios-dgm
  block in quick from any to any port = 139 #netbios-ssn

  # Allow incoming IKE/IPsec
  pass in quick proto udp from any to any port = ike
  pass in quick proto udp from any to any port = 4500
  pass in proto esp from any to any

  # Allow ping
  # pass in quick proto icmp from any to any icmp-type echo

  # Allow routing info
  # pass in quick proto udp from any to port = route
  # pass in quick proto icmp from any to any icmp-type 9 # routeradvert
  # pass in quick proto igmp from any to any

  # Block and log everything else that comes in
  block in log all
  block in from any to 255.255.255.255
  block in from any to 127.0.0.1/32


Security Settings - 3
- Change the default crypt algorithm in /etc/security/policy.conf
  % cat /etc/security/policy.conf
  CRYPT_DEFAULT=md5
- Enable core dump notifications and store them in a protected directory:
  # coreadm
       global core file pattern: /var/core/core_%n_%f_%u_%g_%t_%p
       global core file content: default
         init core file pattern: core
         init core file content: default
              global core dumps: enabled
         per-process core dumps: disabled
        global setid core dumps: enabled
   per-process setid core dumps: disabled
       global core dump logging: enabled


Security Settings - 4
- Set the following parameters, create log files, disable login on serial ports
  # grep "noexec_user_stack" /etc/system
  set noexec_user_stack = 1
  set noexec_user_stack_log = 1
  # grep nfs_portmon /etc/system
  set nfssrv:nfs_portmon = 1
  # grep TCP_STRONG_ISS= /etc/default/inetinit
  TCP_STRONG_ISS=2
  # ls -l /var/adm/loginlog
  -rw-------   1 root     sys            0 Sep  3 21:16 /var/adm/loginlog
  # ls -l /var/adm/debug
  -rw-------   1 root     sys            0 Sep  3 21:16 /var/adm/debug
  # pmadm -d -p zsmon -s ttya
  # pmadm -d -p zsmon -s ttyb
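An added example, not the slides' own code: a script that audits the settings from the Security Settings 3 and 4 slides (CRYPT_DEFAULT, the /etc/system tunables, TCP_STRONG_ISS, and the root-only log files). Every check reads files under a ROOT directory, a convention of this example, so it runs against a live system (ROOT=/) or a copied tree; the check names are this example's own.

```shell
#!/bin/sh
# Added example, not from the slides: audit the hardening settings shown on
# the Security Settings 3 and 4 slides. Every check reads files under ROOT,
# so it runs against a live system (ROOT=/) or a copied tree. The check
# names and the ROOT convention are this example's own.

# setting_is FILE KEY VALUE - true if FILE has an uncommented 'KEY = VALUE'
# (optional leading 'set ', optional blanks), the form used by /etc/system
# and /etc/default/inetinit. A commented-out line does not count.
setting_is() {
    grep -E "^[[:space:]]*(set[[:space:]]+)?$2[[:space:]]*=[[:space:]]*$3[[:space:]]*$" "$1" >/dev/null 2>&1
}

# crypt_not_unix FILE - true if CRYPT_DEFAULT is set to something other than
# the legacy __unix__ crypt (the slides pick md5; any other value passes).
crypt_not_unix() {
    val=$(sed -n 's/^[[:space:]]*CRYPT_DEFAULT=//p' "$1" 2>/dev/null | tail -n 1)
    [ -n "$val" ] && [ "$val" != "__unix__" ]
}

# mode_is FILE PERMS - true if FILE exists with exactly PERMS in ls -l form,
# e.g. '-rw-------' for a root-only log such as /var/adm/loginlog.
mode_is() {
    [ -f "$1" ] && [ "$(ls -l "$1" | cut -c1-10)" = "$2" ]
}

# report NAME CMD ARGS... - run one check, print PASS/FAIL, return its status.
report() {
    name=$1; shift
    if "$@"; then echo "PASS $name"; return 0; fi
    echo "FAIL $name"; return 1
}

# audit_settings ROOT - run every check; the return value is the number of failures.
audit_settings() {
    root=${1:-/}; fails=0
    report crypt_default      crypt_not_unix "$root/etc/security/policy.conf"           || fails=$((fails + 1))
    report noexec_user_stack  setting_is "$root/etc/system" noexec_user_stack 1         || fails=$((fails + 1))
    report noexec_stack_log   setting_is "$root/etc/system" noexec_user_stack_log 1     || fails=$((fails + 1))
    report nfs_portmon        setting_is "$root/etc/system" nfssrv:nfs_portmon 1        || fails=$((fails + 1))
    report tcp_strong_iss     setting_is "$root/etc/default/inetinit" TCP_STRONG_ISS 2  || fails=$((fails + 1))
    report loginlog_root_only mode_is "$root/var/adm/loginlog" '-rw-------'             || fails=$((fails + 1))
    report debuglog_root_only mode_is "$root/var/adm/debug" '-rw-------'                || fails=$((fails + 1))
    return $fails
}
```

The /etc/system checks only confirm what the file says; a tunable added after the last boot is not yet in effect, so pair a FAIL-free run with a reboot or a live check before treating the host as hardened.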


Security Settings - 5
- Change system banners to warn away unauthorized users
- Change root's home directory, convert root to be a Solaris role, and assign the rights to assume root to only my local account:
  $ getent passwd root
  root:x:0:0:Super-User:/root:/sbin/sh
  $ grep "^root:" /etc/user_attr
  root::::type=role;[...]
  $ roles
  root
- (Have a look in /etc/user_attr to determine if other users have privileges / roles that they shouldn't.)
- Enable and configure Solaris auditing and BART for activity monitoring
- Also secure BIOS and GRUB


Security Settings - Audit
- Check /etc/user_attr et al for security holes
- Does the system have zones / containers? Audit each of those
- Does the system have LDOMS? Audit each of those
- Does the system have a service processor, ILOM, ALOM? Audit each of those


Solaris Security Benchmark


Solaris Security Benchmark
- Published by Center for Internet Security (CIS)
- Document describing recommended security steps
- Appendix describing more advanced security steps
- Tool to test a Solaris system and give it a security score (i.e. the benchmark)
- Note other benchmarks for other OSes
- http://www.cisecurity.org/bench_solaris.html


Yet Another Security Tool
- Checklist #2 - use before trying a new tool
- Do I already have a better tool?
- Is it multi-platform or one-off?
- Does it work, or just cause more work?
- Is it kept up-to-date?
- Does it change too often (causing more work)?
- How much does it cost?
- Do I already know it, or is it at least easy to learn?
- Is it likely to break or break something? (Go back to checklist #1.)


First Steps
- For Solaris 10 11/06 and 8/07, the best starting place is CIS_Solaris_Benchmark_v4.0
- Benchmark document containing recommendations
- Appendix with an overview of Solaris 10 security controls
- Input from many security experts
- For each recommendation, information about:
  - what hardware platforms it pertains to
  - if it is the OS default
  - if the change applies to zones or just the global zone
  - if the Solaris Security Toolkit can be used to make the change



Odds and Ends
- ZFS dataset is hidden from the global zone - be sure to check each zone for data
- New install cluster: reduced networking software group SUNWCrnet
  - Takes ~160MB
  - Provides a good core for minimal networked Solaris
- Use pkgrm to remove packages to avoid them being patched (sendmail et al)
- More details at http://www.securitydocs.com/pdf/2644.PDF


Lab

Try these changes in your container What else should be done to secure a system?


Conclusions


Conclusions
- Lots of new security features in Solaris 10
- Zones possibly most powerful for admins
- Privileges most powerful for system software
- Moves to become more industry-compatible
  - ipfilter
  - Kerberos
  - NIS to LDAP
- Powerful new APIs
  - Solaris Crypto Framework


Conclusions - 2
- SMF allows fine grain service control, debugging
- Still use security best practices (host lockdown, good passwords, etc)
- Not new, but be sure sendmail is preventing relaying: http://www.sun.com/bigadmin/features/articles/config_sendmail.html
- Trusted Extensions complex, powerful, evolving
- Secure by default mode makes our lives easier
- Other interesting features not covered here
  - Smart Card API
  - SASL


References
- Sun Security Home Page: http://www.sun.com/security
- Solaris Patches & Finger Print Database: http://sunsolve.sun.com/
- Sun Security Coordination Team: http://sunsolve.sun.com/security
- Sun BluePrints for Security: http://www.sun.com/blueprints
  - Developing a Security Policy
  - Trust Modelling for Security Arch. Development
  - Building Secure n-Tier Environments
  - How Hackers Do It: Tricks, Tips and Techniques
- Solaris OE Security: http://www.sun.com/solaris
- http://www.sun.com/security/j