Solaris 10 Security-Sun.v1.3

Transcript of Solaris 10 Security-Sun.v1.3

Page 1: Solaris 10 Security-Sun.v1.3

Solaris 10 Security Workshop

Peter Baer Galvin, for Usenix 2005

Last Revision Apr 2005

Page 2: Solaris 10 Security-Sun.v1.3

Apr-05 Copyright 2004-2005 Peter Baer Galvin All Rights Reserved

About the Speaker

Peter Baer Galvin
[email protected]
www.petergalvin.info
781 273 4100

Bio

Peter Baer Galvin is the Chief Technologist for Corporate Technologies, Inc., a systems integrator and VAR, and was the Systems Manager for Brown University's Computer Science Department. He has written articles for Byte and other magazines. He wrote Pete's Wicked World, the security column for SunWorld magazine, and Pete's Super Systems, the systems administration column there. He is now contributing editor of the Solaris Corner for SysAdmin Magazine. Peter is co-author of the Operating System Concepts and Applied Operating System Concepts textbooks. As a consultant and trainer, Mr. Galvin has taught tutorials in security and system administration and given talks at many conferences and institutions.

Page 3: Solaris 10 Security-Sun.v1.3

Objectives

Explore the new Solaris 10 security features, from an admin point of view

Some app/dev points made to guide developers

Convey their current status, usability, and future functionality
Help prepare for Solaris 10 deployment
Some pre-Solaris 10 coverage when needed

Page 4: Solaris 10 Security-Sun.v1.3

Prerequisites

Recommend at least a couple of years of Solaris experience

Or at least a few years of other Unix experience

Best is a few years of admin experience, mostly on Solaris

Page 5: Solaris 10 Security-Sun.v1.3

About the Tutorial

Every SysAdmin has a different knowledge set
A lot to cover, but the notes should make a good reference

So some topics are covered quickly, some in detail
Setting a base of knowledge

Please ask questions
But let's take off-topic questions off-line

Page 6: Solaris 10 Security-Sun.v1.3

Fair Warning

Sites vary
Circumstances vary
Admin knowledge varies
My goals:

Provide information useful for each of you at your sites
Provide an opportunity for you to learn from each other

Page 7: Solaris 10 Security-Sun.v1.3

Why Listen to Me?

20 years of Sun experience
Seen much as a consultant
Hopefully, you've used:

The Solaris Corner @ www.samag.com/Solaris
The Solaris Security FAQ
SunWorld "Pete's Wicked World"
SunWorld "Pete's Super Systems"
Unix Secure Programming FAQ
Operating System Concepts (The Dino Book)
Applied Operating System Concepts

Page 8: Solaris 10 Security-Sun.v1.3

Schedule

 8:30am  Learn
10:00am  Eat/Drink
10:30am  Learn
12:00pm  Eat / Drink
 1:30pm  Learn
 3:00pm  Eat/Drink
 5:00pm  Eat / Drink / Be Merry

Page 9: Solaris 10 Security-Sun.v1.3

Coverage

Solaris 10 is a moving target
This tutorial is based on FCS (Jan / Mar 05)

How to get Solaris 10
Download from Sun
Media kits now shipping

How to get Solaris 10+
Join Solaris Express

Page 10: Solaris 10 Security-Sun.v1.3

Outline

Overview
N1 Grid Containers (aka Zones) (lab)
RBAC (lab)
Privileges
NFS V4
Flash archives and live upgrade
Moving from NIS to LDAP
DTrace
FTP client and server enhancements
PAM enhancements
Auditing enhancements
BSM
Service Management Facility (lab)
Solaris Cryptographic Framework
Smartcard interfaces and APIs
Kerberos enhancements
Packet filtering
BART

Page 11: Solaris 10 Security-Sun.v1.3

Your Objectives?

Page 12: Solaris 10 Security-Sun.v1.3

Overview

Page 13: Solaris 10 Security-Sun.v1.3

Overview

Solaris 10 includes lots of new security features

Security is important to administrators
It usually annoys users

We'll look at each new feature: how useful, powerful and annoying it is

Should provide a good roadmap for what to use, when
How can they be used to solve the following problems?

Page 14: Solaris 10 Security-Sun.v1.3

Sun Overview

Quick high-level overview of Sun’s view of Solaris security

Page 15: Solaris 10 Security-Sun.v1.3

(From the Solaris 10 Sun Net Talk about Solaris 10 Security)

Page 16: Solaris 10 Security-Sun.v1.3

(From the Solaris 10 Sun Net Talk about Solaris 10 Security)

Page 17: Solaris 10 Security-Sun.v1.3

(From the Solaris 10 Sun Net Talk about Solaris 10 Security)

Page 18: Solaris 10 Security-Sun.v1.3

(From the Solaris 10 Sun Net Talk about Solaris 10 Security)

Page 19: Solaris 10 Security-Sun.v1.3

(From the Solaris 10 Sun Net Talk about Solaris 10 Security)

Page 20: Solaris 10 Security-Sun.v1.3

(From the Solaris 10 Sun Net Talk about Solaris 10 Security)

Page 21: Solaris 10 Security-Sun.v1.3

(From the Solaris 10 Sun Net Talk about Solaris 10 Security)

Page 22: Solaris 10 Security-Sun.v1.3

(From the Solaris 10 Sun Net Talk about Solaris 10 Security)

Page 23: Solaris 10 Security-Sun.v1.3

N1 Grid Containers (aka Zones)

Page 24: Solaris 10 Security-Sun.v1.3

Zones Overview

Virtualized operating system services
Isolated and "secure" environment for running apps
Apps and users (and superusers) in a zone cannot see / affect other zones

Delegated admin control
Virtualized device paths, network interfaces, network ports, process space, resource use (via resource manager)
Application fault isolation

Page 25: Solaris 10 Security-Sun.v1.3

Zones Overview - 2

Low physical resource use
Up to 8192 zones per system!

Differentiated file system
Multiple versions of an app installed and running on a given system

Inter-zone communication is only via the network (but short-pathed through the kernel)
No application changes needed: no API or ABI changes
Can restrict disk use of a zone via the loopback file driver (lofi), using a file as a file system

Page 26: Solaris 10 Security-Sun.v1.3

(From the Solaris 10 Sun Net Talk about Solaris 10 Security)

Page 27: Solaris 10 Security-Sun.v1.3

Zone Limits

Only one OS installed on a system
One set of OS patches
Only one /etc/system

Although Sun is working to move as many settings as possible out of /etc/system

System crash / OS crash -> all zones crash
Zones cannot be moved between systems (yet)
Each zone uses:

~100MB of disk
Some VM and physical memory (for processes and daemons running in the zone), ~40MB of physical memory

Page 28: Solaris 10 Security-Sun.v1.3

(From System Administration Guide: N1 Grid Containers, Resource Management, and Solaris Zones)

Page 29: Solaris 10 Security-Sun.v1.3

Global Zone

Aka the usual system
Is assigned ID 0 by the system
Provides the single instance of the Solaris kernel that is bootable and running on the system
Contains a complete installation of the Solaris system software packages
Can contain additional software packages or additional software, directories, files, and other data not installed through packages

Page 30: Solaris 10 Security-Sun.v1.3

Global Zone - 2

Provides a complete and consistent product database that contains information about all software components installed in the global zone
Holds configuration information specific to the global zone only, such as the global zone host name and file system table
Is the only zone that is aware of all devices and all file systems
Is the only zone with knowledge of non-global zone existence and configuration
Is the only zone from which a non-global zone can be configured, installed, managed, or uninstalled

Page 31: Solaris 10 Security-Sun.v1.3

Non-global Zones

Is assigned a zone ID by the system when the zone is booted
Shares operation under the Solaris kernel booted from the global zone
Contains an installed subset of the complete Solaris Operating System software packages
Contains Solaris software packages shared from the global zone
Can contain additional installed software packages not shared from the global zone

Page 32: Solaris 10 Security-Sun.v1.3

Non-global Zones - 2

Can contain additional software, directories, files, and other data created on the non-global zone that are not installed through packages or shared from the global zone
Has a complete and consistent product database that contains information about all software components installed on the zone, whether present on the non-global zone or shared read-only from the global zone
Is not aware of the existence of any other zones
Cannot install, manage, or uninstall other zones, including itself
Has configuration information specific to that non-global zone only, such as the non-global zone host name and file system table

Page 33: Solaris 10 Security-Sun.v1.3

Non-global Zone States

Configured - The zone's configuration is complete and committed to stable storage, but the zone has not yet been booted
Incomplete - During an install or uninstall operation
Installed - The zone's configuration is instantiated on the system, but there is no virtual platform yet
Ready - The virtual platform for the zone is established. The kernel creates the zsched process, network interfaces are plumbed, file systems are mounted, and devices are configured. A unique zone ID is assigned by the system; no processes associated with the zone have been started.
Running - User processes associated with the zone application environment are running.
Shutting down and Down - Transitional states that are visible while the zone is being halted. A zone that is unable to shut down for any reason will stop in one of these states.

Page 34: Solaris 10 Security-Sun.v1.3

(From System Administration Guide: N1 Grid Containers, Resource Management, and Solaris Zones)

Page 35: Solaris 10 Security-Sun.v1.3

Zone Configuration

Data from the following are not referenced or copied when a zone is installed:

Non-installed packages
Patches
Data on CDs and DVDs
Network installation images
Any prototype or other instance of a zone

In addition, the following types of information, if present in the global zone, are not copied into a zone that is being installed:

New or changed users in the /etc/passwd file
New or changed groups in the /etc/group file
Configurations for networking services such as DHCP address assignment, UUCP, or sendmail
Configurations for network services such as naming services
New or changed crontab, printer, and mail files
System log, message, and accounting files

Page 36: Solaris 10 Security-Sun.v1.3

Zone Configuration

zlogin -C attaches to the console of a just-booted, not yet configured zone
Only root (from the global zone) can zlogin; normal zone access is via the network

The usual sysidconfig questions are asked (hostname, name service, timezone, Kerberos)
The zone reboots to put the configuration changes into effect (a few seconds)

Messages look like a system reboot (within your window)

Page 37: Solaris 10 Security-Sun.v1.3

Zone Configuration - 2

# zonecfg -z app1
app1: No such zone configured
Use 'create' to begin configuring a new zone.
zonecfg:app1> create
zonecfg:app1> set zonepath=/opt/zone/app1
zonecfg:app1> set autoboot=false
zonecfg:app1> add net
zonecfg:app1:net> set physical=pnc0
zonecfg:app1:net> set address=192.168.118.140
zonecfg:app1:net> end
zonecfg:app1> add fs
zonecfg:app1:fs> set dir=/export/home
zonecfg:app1:fs> set special=/export/home
zonecfg:app1:fs> set type=lofs
zonecfg:app1:fs> end
zonecfg:app1> add inherit-pkg-dir
zonecfg:app1:inherit-pkg-dir> set dir=/opt/sfw
zonecfg:app1:inherit-pkg-dir> end
zonecfg:app1> verify
zonecfg:app1> commit
zonecfg:app1> exit

Note the typo physical=pnc0 (the interface is pcn0). zonecfg verify only checks the configuration's syntax, so it passes; zoneadm verify on the next pages checks against the real system and catches it.

Page 38: Solaris 10 Security-Sun.v1.3

Zone Configuration - 3

# df -k
Filesystem            kbytes    used   avail capacity  Mounted on
/dev/dsk/c0d0s0      5678823 2689099 2932936    48%    /
/devices                   0       0       0     0%    /devices
/dev/dsk/c0d0p0:boot   10296    1401    8895    14%    /boot
proc                       0       0       0     0%    /proc
mnttab                     0       0       0     0%    /etc/mnttab
fd                         0       0       0     0%    /dev/fd
swap                  600780      28  600752     1%    /var/run
swap                  600776      24  600752     1%    /tmp
/dev/dsk/c0d0s7      4030684   32853 3957525     1%    /export/home
# zoneadm -z app1 verify
WARNING: /opt/zone/app1 does not exist, so it cannot be verified.
When 'zoneadm install' is run, 'install' will try to create
/opt/zone/app1, and 'verify' will be tried again,
but the 'verify' may fail if:
the parent directory of /opt/zone/app1 is group- or other-writable
or
/opt/zone/app1 overlaps with any other installed zones.
could not verify net address=192.168.118.140 physical=pnc0: No such device or address
zoneadm: zone app1 failed to verify

Page 39: Solaris 10 Security-Sun.v1.3

Zone Configuration - 4

# ls -l /opt/zone
total 2
drwx------   4 root     other        512 Aug 21 12:44 test
# mkdir /opt/zone/app1
# chmod 700 /opt/zone/app1
# ls -l /opt/zone
total 4
drwx------   2 root     other        512 Sep 16 15:14 app1
drwx------   4 root     other        512 Aug 21 12:44 test
# zoneadm -z app1 verify
could not verify net address=192.168.118.140 physical=pnc0: No such device or address
zoneadm: zone app1 failed to verify
# zonecfg -z app1
zonecfg:app1> info
zonepath: /opt/zone/app1
autoboot: false

Page 40: Solaris 10 Security-Sun.v1.3

Zone Configuration - 5

net:
	address: 192.168.118.140
	physical: pnc0
zonecfg:app1> remove net physical=pnc0
zonecfg:app1> add net
zonecfg:app1:net> set physical=pcn0
zonecfg:app1:net> set address=192.168.118.140
zonecfg:app1:net> end
zonecfg:app1> exit
# zoneadm -z app1 verify
# zoneadm -z app1 install
Preparing to install zone <app1>.
Creating list of files to copy from the global zone.
Copying <2199> files to the zone.
Initializing zone product registry.
Determining zone package initialization order.
Preparing to initialize <779> packages on the zone.
Initializing package <0> of <779>: percent complete: 0%
. . .

Page 41: Solaris 10 Security-Sun.v1.3

Zone Configuration - 6

Zone <app1> is initialized.
The file </opt/zone/app1/root/var/sadm/system/logs/install_log> contains a log of the zone installation.

# zoneadm list -v
  ID NAME             STATUS         PATH
   0 global           running        /
   1 test             running        /opt/zone/test

(zoneadm list -v shows only running zones; the newly installed but not yet booted app1 appears with zoneadm list -cv, which includes configured and installed zones.)

# df -k
Filesystem            kbytes    used   avail capacity  Mounted on
/dev/dsk/c0d0s0      5678823 2766177 2855858    50%    /
/devices                   0       0       0     0%    /devices
/dev/dsk/c0d0p0:boot   10296    1401    8895    14%    /boot
proc                       0       0       0     0%    /proc
mnttab                     0       0       0     0%    /etc/mnttab
fd                         0       0       0     0%    /dev/fd
swap                  594332      32  594300     1%    /var/run
swap                  594500     200  594300     1%    /tmp
/dev/dsk/c0d0s7      4030684   32853 3957525     1%    /export/home

Compare with the df on page 38: the root file system grew by about 75MB, the sparse zone's private copy of everything outside the inherited package directories.

Page 42: Solaris 10 Security-Sun.v1.3

Zone Configuration - 7

# zoneadm -z app1 boot
zoneadm: zone 'app1': WARNING: pcn0:2: no matching subnet found in netmasks(4) for 192.168.118.131; using default of 192.168.118.131.
# zoneadm list -v
  ID NAME             STATUS         PATH
   0 global           running        /
   1 test             running        /opt/zone/test
   2 app1             running        /opt/zone/app1

# telnet 192.168.118.140
Trying 192.168.118.140...
telnet: Unable to connect to remote host: Connection refused

(Refused because the zone is waiting on its console for sysidconfig; its network services are not up until the first-boot configuration finishes.)

# zlogin -C app1
[Connected to zone 'app1' console]

Select a Locale

0. English (C - 7-bit ASCII)
1. U.S.A. (UTF-8)
2. Go Back to Previous Screen

Please make a choice (0 - 2), or press h or ? for help: 0

. . .

Page 43: Solaris 10 Security-Sun.v1.3

Zone Configuration - 8

rebooting system due to change(s) in /etc/default/init

[NOTICE: Zone rebooting]

SunOS Release 5.10 Version s10_63 32-bit
Copyright 1983-2004 Sun Microsystems, Inc. All rights reserved.
Use is subject to license terms.
Hostname: zone-app1
The system is coming up. Please wait.
starting rpc services: rpcbind done.
syslog service starting.
Sep 16 15:48:24 zone-app1 sendmail[7567]: My unqualified host name (zone-app1) unknown; sleeping for retry
Sep 16 15:49:24 zone-app1 sendmail[7567]: unable to qualify my own domain name (zone-app1) -- using short name
WARNING: local host name (zone-app1) is not qualified; see cf/README: WHO AM I?
/etc/mail/aliases: 12 aliases, longest 10 bytes, 138 bytes total

Page 44: Solaris 10 Security-Sun.v1.3

Zone Configuration - 9

STSF Font Server Daemon.
Standard Type Services Framework 0.11.1
Copyright (c) 2001-2004 Sun Microsystems, Inc. All Rights Reserved.
STSF is Open Source Software. http://stsf.freedesktop.org

Creating new rsa public/private host key pair
Creating new dsa public/private host key pair
The system is ready.
zone-app1 console login: root
Password:
Sep 16 15:51:08 zone-app1 login: ROOT LOGIN /dev/console
Sun Microsystems Inc.   SunOS 5.10      s10_63  May 2004
# cat /etc/passwd
root:x:0:1:Super-User:/:/sbin/sh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
. . .
noaccess:x:60002:60002:No Access User:/:
nobody4:x:65534:65534:SunOS 4.x NFS Anonymous Access User:/:

Note that the zone generates its own SSH host keys and has its own /etc/passwd: its host identity and accounts are separate from the global zone's.

Page 45: Solaris 10 Security-Sun.v1.3

Zone Configuration - 10

# useradd -u 101 -g 14 -d /export/home/pbg -s /bin/bash pbg
# passwd pbg
New Password:
Re-enter new Password:
passwd: password successfully changed for pbg
# zoneadm list -v
  ID NAME             STATUS         PATH
   3 app1             running        /

(Inside the zone, zoneadm list shows only the zone itself, with its root as /. The ID changed from 2 to 3 because zone IDs are assigned at each boot and the zone rebooted during sysidconfig.)

# exit
zone-app1 console login: ~.
[Connection to zone 'app1' console closed]

# zoneadm list -v
  ID NAME             STATUS         PATH
   0 global           running        /
   1 test             running        /opt/zone/test
   3 app1             running        /opt/zone/app1

# uptime
  3:53pm  up 5:14,  1 user,  load average: 0.23, 0.34, 0.43

# telnet 192.168.118.140
Trying 192.168.118.140...
Connected to 192.168.118.140.
Escape character is '^]'.
login: pbg
Password:
. . .

Page 46: Solaris 10 Security-Sun.v1.3

Zone Script

create -b
set zonepath=/opt/zones/zone0
set autoboot=false
add inherit-pkg-dir
set dir=/lib
end
add inherit-pkg-dir
set dir=/platform
end
add inherit-pkg-dir
set dir=/sbin
end
add inherit-pkg-dir
set dir=/usr
end
add inherit-pkg-dir
set dir=/opt/sfw
end
add net
set address=192.168.128.200
set physical=pcn0
end
add rctl
set name=zone.cpu-shares
add value (priv=privileged,limit=1,action=none)
end

Feed a file like this to zonecfg -z zone0 -f <file>. create -b starts from a blank configuration, so the four inherit-pkg-dirs the default template would add (/lib, /platform, /sbin, /usr) are listed explicitly here.

Page 47: Solaris 10 Security-Sun.v1.3

Life in a Zone

# ifconfig -a
lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
lo0:1: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> mtu 8232 index 1
        zone test
        inet 127.0.0.1 netmask ff000000
lo0:2: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> mtu 8232 index 1
        zone app1
        inet 127.0.0.1 netmask ff000000
pcn0: flags=1004843<UP,BROADCAST,RUNNING,MULTICAST,DHCP,IPv4> mtu 1500 index 2
        inet 192.168.80.128 netmask ffffff00 broadcast 192.168.80.255
        ether 0:c:29:44:a9:df
pcn0:1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        zone test
        inet 192.168.80.139 netmask ffffff00 broadcast 192.168.80.255
pcn0:2: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        zone app1
        inet 192.168.80.140 netmask ffffff00 broadcast 192.168.80.255

(Run from the global zone: each non-global zone's address is a logical interface tagged with the zone name, because the zones share the global zone's IP stack.)
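Added example, not part of the deck: a small Python pre-flight check for a zonecfg command file like the one on the previous page. It reproduces, offline, the two conditions zoneadm verify rejected in the walkthrough on pages 37 to 40 (a net resource naming an interface that is not plumbed, pnc0 for pcn0, and a zonepath that overlaps an installed zone), plus the add/end structure zonecfg itself enforces. It reads ifconfig -a and zoneadm list -v output passed in as text, so it runs on any host. The REQUIRED property table is an assumed minimal set taken from zonecfg(1M), and the sample inputs are constructed from the deck's own output.

```python
"""Pre-flight linter for a zonecfg(1M) command file (added example, not from the deck).
Reproduces offline the two 'zoneadm verify' failures the deck shows (a net resource on
an interface that is not plumbed, a zonepath overlapping an installed zone) plus the
add/end structure zonecfg enforces.  Command outputs are passed in as text."""
import re

# Properties each resource must set before 'end' (assumed minimal set, after zonecfg(1M)).
REQUIRED = {"net": {"address", "physical"}, "fs": {"dir", "special", "type"},
            "inherit-pkg-dir": {"dir"}, "rctl": {"name"}}
PASSTHROUGH = ("create", "verify", "commit", "exit", "info")

def physical_interfaces(ifconfig_out):
    """Interface names from 'ifconfig -a'; logical ones such as pcn0:1 (a zone's) are skipped."""
    return set(re.findall(r"^([a-z]+\d+): flags=", ifconfig_out, re.M))

def installed_zonepaths(zoneadm_out):
    """{zone: zonepath} from 'zoneadm list -v', skipping the header and the global zone."""
    rows = [line.split() for line in zoneadm_out.splitlines()[1:]]
    return {r[1]: r[3] for r in rows if len(r) >= 4 and r[1] != "global"}

def parse_script(text):
    """Split a command file into (global properties, [(resource type, properties)]);
    raises ValueError on an unbalanced or misplaced add/end, which zonecfg would reject."""
    global_props, resources, current = {}, [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or line.split()[0] in PASSTHROUGH:
            continue
        if line.startswith("add ") and line.split()[1] in REQUIRED:   # opens a resource block
            if current is not None:
                raise ValueError(f"line {lineno}: '{line}' inside an open {current[0]} block")
            current = (line.split()[1], {})
        elif line == "end":
            if current is None:
                raise ValueError(f"line {lineno}: 'end' without a matching 'add'")
            resources.append(current)
            current = None
        elif line.startswith("set "):
            key, _, value = line[4:].partition("=")
            (global_props if current is None else current[1])[key.strip()] = value.strip()
        elif line.startswith("add ") and current is not None:          # 'add value (...)' in rctl
            current[1].setdefault("values", []).append(line[4:])
        else:
            raise ValueError(f"line {lineno}: unrecognised or misplaced '{line}'")
    if current is not None:
        raise ValueError(f"'{current[0]}' block never closed with 'end'")
    return global_props, resources

def lint(script, ifconfig_out, zoneadm_out):
    """Return the problems found; an empty list means the script passes these checks."""
    try:
        global_props, resources = parse_script(script)
    except ValueError as exc:
        return [str(exc)]
    problems = [] if "zonepath" in global_props else ["zonepath is not set"]
    z = global_props.get("zonepath", "").rstrip("/") + "/"
    for zone, path in installed_zonepaths(zoneadm_out).items():
        p = path.rstrip("/") + "/"
        if global_props.get("zonepath") and (z.startswith(p) or p.startswith(z)):
            problems.append(f"zonepath {global_props['zonepath']} overlaps zone '{zone}' at {path}")
    nics = physical_interfaces(ifconfig_out)
    for rtype, props in resources:
        if REQUIRED[rtype] - set(props):
            problems.append(f"{rtype}: missing {', '.join(sorted(REQUIRED[rtype] - set(props)))}")
        if rtype == "net" and props.get("physical") and props["physical"] not in nics:
            problems.append(f"net: physical={props['physical']} is not plumbed (have: {', '.join(sorted(nics))})")
    return problems

# Constructed inputs, trimmed from the deck's own ifconfig -a and zoneadm list -v output.
IFCONFIG = """\
lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> mtu 8232 index 1
pcn0: flags=1004843<UP,BROADCAST,RUNNING,MULTICAST,DHCP,IPv4> mtu 1500 index 2
pcn0:1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
"""
ZONEADM = """\
  ID NAME             STATUS         PATH
   0 global           running        /
   1 test             running        /opt/zone/test
"""
# The deck's zone script shape, carrying the pnc0 typo from its first zonecfg session.
SCRIPT_TYPO = """\
create -b
set zonepath=/opt/zone/app1
set autoboot=false
add net
set address=192.168.118.140
set physical=pnc0
end
add rctl
set name=zone.cpu-shares
add value (priv=privileged,limit=1,action=none)
end
"""
SCRIPT_OK = SCRIPT_TYPO.replace("physical=pnc0", "physical=pcn0")
```

lint(SCRIPT_TYPO, IFCONFIG, ZONEADM) returns the single complaint about pnc0; with the typo fixed it returns an empty list, and a zonepath under /opt/zone/test is reported as overlapping the installed test zone. On a real host you would feed it the live outputs of ifconfig -a and zoneadm list -v before running zonecfg -f.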

Page 48: Solaris 10 Security-Sun.v1.3

Life in a Zone - 2

$ telnet 192.168.80.140
. . .
$ df -k
Filesystem            kbytes    used   avail capacity  Mounted on
/                    9515147 1894908 7525088    21%    /
/dev                 9515147 1894908 7525088    21%    /dev
/export/home        10076926   10369 9965788     1%    /export/home
/lib                 9515147 1894908 7525088    21%    /lib
/platform            9515147 1894908 7525088    21%    /platform
/sbin                9515147 1894908 7525088    21%    /sbin
/usr                 9515147 1894908 7525088    21%    /usr
proc                       0       0       0     0%    /proc
mnttab                     0       0       0     0%    /etc/mnttab
fd                         0       0       0     0%    /dev/fd
swap                 1043072      16 1043056     1%    /var/run
swap                 1043056       0 1043056     0%    /tmp
$ touch /usr/foo
touch: /usr/foo cannot create

The touch fails because the inherited package directories are loopback-mounted read-only (see the mount output on page 51).

Note that virtual memory (and therefore swap) are global resources

Page 49: Solaris 10 Security-Sun.v1.3

Life in a Zone - 3

$ ps -ef
     UID   PID  PPID   C    STIME TTY         TIME CMD
    root 11120 11120   0 11:00:35 ?           0:00 zsched
     pbg 11377 11347   0 11:01:28 pts/8       0:00 ps -ef
    root 11229 11120   0 11:00:40 ?           0:00 /usr/sbin/cron
    root 11341 11120   0 11:00:46 ?           0:00 /usr/sfw/sbin/snmpd
    root 11266 11120   0 11:00:41 ?           0:00 /usr/lib/im/htt -port 9010 -syslog -message_locale C
    root 11339 11336   0 11:00:46 ?           0:00 /usr/lib/saf/ttymon
    root 11250 11120   0 11:00:41 ?           0:00 /usr/lib/utmpd
    root 11264 11261   0 11:00:41 ?           0:00 /usr/sadm/lib/smc/bin/smcboot
    root 11261 11120   0 11:00:41 ?           0:00 /usr/sadm/lib/smc/bin/smcboot
    root 11227 11120   0 11:00:40 ?           0:00 /usr/sbin/nscd
    root 11218 11120   0 11:00:40 ?           0:00 /usr/lib/autofs/automountd
    root 11325 11120   0 11:00:45 ?           0:00 /usr/lib/dmi/snmpXdmid -s zone-app1
    root 11239 11120   0 11:00:40 ?           0:00 /usr/lib/sendmail -bd -q15m
    root 11265 11261   0 11:00:41 ?           0:00 /usr/sadm/lib/smc/bin/smcboot
    root 11230 11120   0 11:00:40 ?           0:00 /usr/sbin/inetd -s
    root 11273 11266   0 11:00:42 ?           0:00 htt_server -port 9010 -syslog -message_locale C
    root 11129 11120   0 11:00:36 ?           0:00 init

Only the zone's own processes are visible, and their parent is the zone's zsched (PID 11120) rather than the global zone's init.

Page 50: Solaris 10 Security-Sun.v1.3

Life in a Zone - 4

    root 11323 11120   0 11:00:45 ?           0:00 /usr/lib/dmi/dmispd
  daemon 11152 11120   0 11:00:37 ?           0:00 /usr/lib/crypto/kcfd
    root 11241 11120   0 11:00:41 ?           0:00 /usr/lib/sendmail -Ac -q15m
    root 11214 11120   0 11:00:39 ?           0:00 /usr/sbin/syslogd
    root 11299 11120   0 11:00:44 ?           0:00 /usr/dt/bin/dtlogin -daemon
    root 11317 11120   0 11:00:45 ?           0:00 /usr/lib/snmp/snmpdx -y -c /etc/snmp/conf
    root 11337 11129   0 11:00:45 console     0:00 /usr/lib/saf/ttymon -g -h -p zone-app1 console login:  -T dtterm -d /dev/consol
  daemon 11177 11120   0 11:00:38 ?           0:00 /usr/sbin/rpcbind
    root 11343 11120   0 11:00:47 ?           0:00 /usr/lib/ssh/sshd
     pbg 11347 11344   1 11:00:50 pts/8       0:00 -bash
    root 11344 11230   0 11:00:50 ?           0:00 in.telnetd
    root 11336 11129   0 11:00:45 ?           0:00 /usr/lib/saf/sac -t 300

Page 51: Solaris 10 Security-Sun.v1.3

Life in a Zone - 5

$ mount -p
-bash: mount: command not found
$ su -
Password:
Sun Microsystems Inc.   SunOS 5.10      s10_63  May 2004
# mount -p
/ - / ufs - no rw,intr,largefiles,logging,xattr,onerror=panic
/dev - /dev lofs - no zonedevfs
/export/home - /export/home lofs - no
/lib - /lib lofs - no ro,nodevices,nosub
/platform - /platform lofs - no ro,nodevices,nosub
/sbin - /sbin lofs - no ro,nodevices,nosub
/usr - /usr lofs - no ro,nodevices,nosub
proc - /proc proc - no nodevices,zone=app1
mnttab - /etc/mnttab mntfs - no nodevices,zone=app1
fd - /dev/fd fd - no rw,nodevices,zone=app1
swap - /var/run tmpfs - no nodevices,xattr,zone=app1
swap - /tmp tmpfs - no nodevices,xattr,zone=app1
# hostname
zone-app1
# zonename
app1

The inherited directories are mounted ro,nodevices,nosub: even the zone's root cannot write to /usr or create device nodes there, which is why the touch on page 48 failed.

Page 52: Solaris 10 Security-Sun.v1.3

Other Cool Zone Stuff

ps -Z shows the zone in which each process is running
Can use resource manager with zones
Zones can use global naming services

Use their features to enable or disable accounts per zone

Inter-zone networking goes via loopback for performance

Page 53: Solaris 10 Security-Sun.v1.3

Zones and Resource Management

Load the fair share scheduler as the default scheduling class
	dispadmin -d FSS
Move all processes into the FSS class
	priocntl -s -c FSS -i class TS
Give the global zone some (2) shares
	prctl -n zone.cpu-shares -v 2 -r -i zone global
Check the shares of the global zone
	prctl -n zone.cpu-shares -i zone global
Add a zone-wide resource control (1 share) to a zone (within zonecfg)
	zonecfg:my-zone> add rctl
	zonecfg:my-zone:rctl> set name=zone.cpu-shares
	zonecfg:my-zone:rctl> add value (priv=privileged,limit=1,action=none)
	zonecfg:my-zone:rctl> end

Page 54: Solaris 10 Security-Sun.v1.3

Zone Issues

A zone cannot reside on NFS
But a zone can be an NFS client
Each zone normally has a "sparse" installation of a package, if the package lives in an inherit-pkg-dir directory tree
By default, a package installed in the global zone is installed in all existing non-global zones

Unless the pkgadd -G or -Z options are used
See also the SUNW_PKG_ALLZONES and SUNW_PKG_HOLLOW package parameters

By default, a patch installed in the global zone is installed in all non-global zones

If any zone does not match the patch dependencies, the patch is not installed

Page 55: Solaris 10 Security-Sun.v1.3

Zone Issues - cont.

Upgrading the global zone to a new Solaris release upgrades the non-global zones (but only by using live upgrade)
Best practice is to keep packages and patches synced between the global zone and all non-global zones
Best practice: prebuild a bunch of zones, even if you won't need them

Packages and patches stay in sync, as in a generic initial system
Low resource use
Use one of them for all applications & non-sysadmin users

Watch out for giving users root in a zone: it could violate policy or regulations

Page 56: Solaris 10 Security-Sun.v1.3

Zones and Packages

# pkgadd -d screen*

The following packages are available:
  1  SMCscreen     screen
                   (intel) 4.0.2

Select package(s) you wish to process (or 'all' to process
all packages). (default: all) [?,??,q]:
## Not processing zone <zone10>: the zone is not running and cannot be booted
## Booting non-running zone <zone0> into administrative state
## waiting for zone <zone0> to enter single user mode...
## Verifying package <SMCscreen> dependencies in zone <zone0>
## Restoring state of global zone <zone0>
## Booting non-running zone <zone1> into administrative state
## waiting for zone <zone1> to enter single user mode...
. . .
## Booting non-running zone <zone0> into administrative state
## waiting for zone <zone0> to enter single user mode...
## waiting for zone <zone0> to enter single user mode...
## Installing package <SMCscreen> in zone <zone0>

Page 57: Solaris 10 Security-Sun.v1.3

Zones and Packages (Cont.)

screen
(intel) 4.0.2
Using </usr/local> as the package base directory.
## Processing package information.
## Processing system information.
   86 package pathnames are already properly installed.

Installing screen as <SMCscreen>

## Installing part 1 of 1.
[ verifying class <none> ]

Installation of <SMCscreen> on zone <zone0> was successful.
## Restoring state of global zone <zone0>

. . .

Page 58: Solaris 10 Security-Sun.v1.3

Labs

Explore your zone: what can you do and see, what can't you?
What is your view of file systems?
What packages are installed?
What patches?
What is your life like in a zone?
How are zones different from domains? From VMware?

Page 59: Solaris 10 Security-Sun.v1.3

RBAC

Page 60: Solaris 10 Security-Sun.v1.3

RBAC

Been in Solaris since release 8
Basis for access control on Solaris
A bit, um, complicated
Quick review here

How many of you are using RBAC?

Page 61: Solaris 10 Security-Sun.v1.3

RBAC Terminology

Administrative Roles (or just "roles"): group authorizations, profiles and commands together as a common set of functions. Think of these as special user accounts to which profiles are assigned; a role is assumed with su from an ordinary account and cannot be logged into directly.
Profiles (also known as "execution profiles" or "rights profiles"): a collection of authorizations, commands, and/or other profiles that together provide for performing a set of administrative tasks.

Page 62: Solaris 10 Security-Sun.v1.3

RBAC Terminology - 2

Authorizations: permissions that grant access to restricted actions that are otherwise prohibited by the security policy. These are typically assigned in a profile, but can also be assigned directly to a user or a role. Think of them as tokens that can be checked by RBAC-aware programs: rather than checking whether UID=0 to allow an action, such a program checks whether, for example, the user holds the authorization "solaris.admin.diskmgr.read".
Privileged program: a program with security attributes that enable special functions depending on a check of user-id, group-id, privileges, or authorizations. These are setuid or setgid programs, or programs with assigned privileges.

Page 63: Solaris 10 Security-Sun.v1.3

Page 64: Solaris 10 Security-Sun.v1.3

RBAC Use

A user assumes a role and is placed in a special profile-aware shell

pfcsh, pfksh, and pfsh
These shells know how to read through the various config files in /etc/security (and /etc/user_attr)
They determine the rights profiles of the role and the components of those profiles, and enforce them
I.e., if a role has the Name Service Security rights profile, then the user is allowed to run /usr/bin/nischown with an effective user-id of 0 (from /etc/security/exec_attr)

The administrator creates a profile of authorizations and privileged commands for a task or tasks

Can be assigned directly to a user or (better) to a role
Without authorizations, the user is prevented from executing a privileged application, or prevented from performing operations within a privileged application

Page 65: Solaris 10 Security-Sun.v1.3

RBAC Use - 2

The easiest RBAC admin is to use the Solaris Management Console (smc)
A user is allowed to assume zero or more roles, by knowing the password of the role

Similar to using the su command
When the user assumes a role, the capabilities of the role are available
The list of roles available to that user is displayed by the roles command
The user su's to an available role to accomplish privileged tasks
No default roles

Page 66: Solaris 10 Security-Sun.v1.3

66

Apr-05 Copyright 2004-2005 Peter Baer Galvin All Rights Reserved

66

/etc/security/exec_attr

# head exec_attr
Application Server Management:suser:cmd:::/usr/appserver/bin/asadmin:
Software Installation:suser:cmd:::/usr/bin/pkgparam:uid=0
Network Management:suser:cmd:::/usr/sbin/in.named:uid=0
File System Management:suser:cmd:::/usr/sbin/mount:uid=0
Software Installation:suser:cmd:::/usr/bin/pkgtrans:uid=0
Name Service Security:suser:cmd:::/usr/bin/nisaddcred:euid=0
Mail Management:suser:cmd:::/usr/sbin/makemap:euid=0
FTP Management:suser:cmd:::/usr/sbin/ftprestart:euid=0
File System Management:solaris:cmd:::/sbin/mount:privs=sys_mount
Software Installation:suser:cmd:::/usr/sbin/install:euid=0

Roles

Typical types of roles:
  primary administrator – the traditional superuser, with all privileges
  system administrator – an administrator without security-modification privileges
  operator – an administrator with a limited, specific set of privileges
  advanced user – a user with privileges to debug and fix her own system or programs

Solaris Privileges


Privileges

Really known as "least privilege"
Only the minimum privileges to get a job done should be available
Alternative to being root or no one
Done at the API level
  SetUID programs can dictate fine-grained access to kernel features
  Can limit what privs children have
  Should further help contain buffer overflows and other privilege escalation methods
Done at the user or role level
  Allows specific users to perform specific operations regardless of the programs being run

Privileges - 2

New level of management of rights within a Solaris 10 system
Fine-grained privileges that can be assigned to entities
The kernel enforces the new requirement that, to perform a special function, the entity must have the privilege to do so
Can work in parallel with traditional superuser functionality for backward compatibility

Privilege Sets

E – Effective privilege set – the current set of privileges that are in effect
I – Inheritable privilege set – the set of privileges that a process can inherit across an exec()
P – Permitted privilege set – the set of privileges that are available for use
L – Limit privilege set – the outside limit of what privileges are available to a process and its children
  Used to shrink the "I" set when a child is created, for example

Privileges Example

Traceroute is now privilege enabled

$ ls -l /usr/sbin/traceroute
-r-sr-xr-x   1 root     bin        35392 Jul  3 14:42 /usr/sbin/traceroute
$ /usr/sbin/traceroute 1.2.3.4 &
[2] 7841
# pcred 7841
7841:   e/r/suid=101  e/r/sgid=14

Privileges Example - 2

# ppriv -v 7841
7841:   /usr/sbin/traceroute 1.2.3.4
flags = PRIV_AWARE
        E: file_link_any,proc_exec,proc_fork,proc_info,proc_session
        I: file_link_any,proc_exec,proc_fork,proc_info,proc_session
        P: file_link_any,net_icmpaccess,net_rawaccess,proc_exec,proc_fork,proc_info,proc_session
        L: none

Note: an exploit would need to execute fully within the context of the traceroute process to make use of its privileges, because the "Limit" set is empty – nothing traceroute exec()s can inherit any privilege

Privileged Daemon Example

# ppriv `pgrep rpcbind`
153:    /usr/sbin/rpcbind
flags = PRIV_AWARE
        E: basic,!file_link_any,net_privaddr,!proc_exec,!proc_info,!proc_session,sys_nfs
        I: basic,!file_link_any,!proc_exec,!proc_fork,!proc_info,!proc_session
        P: basic,!file_link_any,net_privaddr,!proc_exec,!proc_info,!proc_session,sys_nfs
        L: basic,!file_link_any,!proc_exec,!proc_fork,!proc_info,!proc_session
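The ppriv listings above (traceroute with an empty Limit set, rpcbind with "basic" minus most of it) are easier to reason about once the set expressions are expanded. The shell script below is an added example, not code from the workshop: it expands ppriv-style expressions ("basic", "none", "all", "!priv" removals) and applies the exec() rule from privileges(5) for a binary with no privileges of its own (I' = I ∩ L, E' = P' = I', L' = L). The basic set it uses is the Solaris 10 one exactly as the traceroute output lists it; later releases added more basic privileges. The "ALL" sentinel word and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the slides: expand ppriv-style set expressions
# and apply the exec() rule to see what a child process would receive.

# Solaris 10 "basic" set, exactly as the traceroute ppriv output lists it
# (later releases added more basic privileges).
BASIC="file_link_any proc_exec proc_fork proc_info proc_session"

# _sort_uniq "words" -> the words sorted, de-duplicated, space-separated
_sort_uniq() {
    printf '%s\n' $1 | LC_ALL=C sort -u | tr '\n' ' ' | sed 's/ $//'
}

# _drop "words" NAME -> the words without NAME
_drop() {
    out=""
    for w in $1; do [ "$w" = "$2" ] || out="$out $w"; done
    printf '%s' "${out# }"
}

# expand_privs EXPR -> explicit privilege list; "all" is kept as the sentinel
# word ALL. Tokens are applied left to right, in the order ppriv prints them.
expand_privs() {
    s=""
    for tok in $(printf '%s' "$1" | tr ',' ' '); do
        case $tok in
            none)  s="" ;;
            all)   s="ALL" ;;
            basic) s="$s $BASIC" ;;
            !*)    s=$(_drop "$s" "${tok#!}") ;;
            *)     s="$s $tok" ;;
        esac
    done
    _sort_uniq "$s"
}

# has_priv EXPR NAME -> exit 0 if NAME is in the expanded set
has_priv() {
    s=$(expand_privs "$1")
    [ "$s" = ALL ] && return 0
    for w in $s; do [ "$w" = "$2" ] && return 0; done
    return 1
}

# intersect "setA" "setB" -> common members (either side may be ALL)
intersect() {
    [ "$1" = ALL ] && { printf '%s' "$2"; return; }
    [ "$2" = ALL ] && { printf '%s' "$1"; return; }
    out=""
    for a in $1; do
        for b in $2; do [ "$a" = "$b" ] && out="$out $a"; done
    done
    _sort_uniq "$out"
}

# after_exec I_EXPR L_EXPR -> the four sets of a child after exec().
# Rule from privileges(5) for a binary carrying no privileges of its own:
# I' = I intersect L, E' = P' = I', L' = L.
after_exec() {
    i=$(expand_privs "$1"); l=$(expand_privs "$2")
    child=$(intersect "$i" "$l")
    printf 'E=[%s] I=[%s] P=[%s] L=[%s]\n' "$child" "$child" "$child" "$l"
}

# Set expressions copied from the slides' ppriv output.
TRACEROUTE_I="file_link_any,proc_exec,proc_fork,proc_info,proc_session"
RPCBIND_E='basic,!file_link_any,net_privaddr,!proc_exec,!proc_info,!proc_session,sys_nfs'
TEST_ROLE_I="basic,dtrace_kernel,dtrace_proc,dtrace_user"

printf 'rpcbind E set expands to: %s\n' "$(expand_privs "$RPCBIND_E")"
if has_priv "$RPCBIND_E" proc_exec; then
    echo 'rpcbind could exec a child'
else
    echo 'rpcbind cannot exec at all: proc_exec was removed from its E set'
fi
printf 'child of traceroute (L: none): %s\n' "$(after_exec "$TRACEROUTE_I" none)"
printf 'child of the test role shell:  %s\n' "$(after_exec "$TEST_ROLE_I" all)"
```

Two things the output makes concrete: rpcbind has had proc_exec stripped from every set, so it cannot spawn anything, and traceroute's empty Limit set means any child it did exec would start with no privileges at all, which is exactly why the slide notes that an attacker would have to stay inside the traceroute process itself.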


RBAC and Privileges

Use RBAC to assign specific privs to roles or users
By default, all non-setuid processes have the "basic" set of privileges assigned
Create a role with the needed privilege and then allow the user to assume that role
The list of available privileges is in privileges(5), and via the all-important ppriv command (the -lv options)
  Divided into categories, including file, ipc, net, proc, and sys privileges
For example, enable users in role "test" to do process management and use DTrace features
  Create "test" role in /etc/user_attr

RBAC and Privileges - 2

# roleadd -u 201 -d /export/home/test -P "Process Management" test
# rolemod -K defaultpriv=basic,dtrace_proc,dtrace_user,dtrace_kernel test
# grep test /etc/user_attr
test::::type=role;defaultpriv=basic,dtrace_proc,dtrace_user,dtrace_kernel;profiles=Process Management

The user would need to switch to the role "test" to use DTrace

RBAC and Privileges - 2

$ ppriv $$
10897:  -bash
flags = <none>
        E: basic
        I: basic
        P: basic
        L: all
$ dtrace -s bitesize.d
dtrace: failed to initialize dtrace: DTrace requires additional privileges
$ su test
Password:
Roles can only be assumed by authorized users
su: Sorry
# usermod -R test pbg
(then login as pbg)

RBAC and Privileges - 3

$ roles
test
$ su test
Password:
$ ppriv $$
11022:  pfsh
flags = <none>
        E: basic,dtrace_kernel,dtrace_proc,dtrace_user
        I: basic,dtrace_kernel,dtrace_proc,dtrace_user
        P: basic,dtrace_kernel,dtrace_proc,dtrace_user
        L: all
$ dtrace -s bitesize.d
. . .

Alternately, privileges can be directly assigned to users, as in:
pbg::::type=normal;roles=primary_administrator,test;defaultpriv=basic,dtrace_proc,dtrace_user,dtrace_kernel

Privilege Assignment

To add a privilege to a specific user, use the usermod command to add the privilege to the user's default privileges, as in

# usermod -K defaultpriv=basic,proc_clock_high_res jdoe

Unfortunately, to be able to assign a specific privilege to a specific command, the command must be written to be privilege aware

Privilege Assignment - 2

Currently, native system programs are becoming privilege aware and having a limited set of privileges assigned to them
  Includes most setuid-root and network daemons
API available with privileges to allow Solaris programmers to write privilege aware programs
ppriv command can be used on a program that is failing due to a lack of privilege, to determine exactly the privileges that the program needs to succeed
Appropriate privileges can be assigned to the program, or assigned to a role or user to allow that program to run properly when the appropriate set of users runs it

/etc/passwd

# cat /etc/passwd
root:x:0:1:Super-User:/:/sbin/sh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
sys:x:3:3::/:
adm:x:4:4:Admin:/var/adm:
lp:x:71:8:Line Printer Admin:/usr/spool/lp:
uucp:x:5:5:uucp Admin:/usr/lib/uucp:
nuucp:x:9:9:uucp Admin:/var/spool/uucppublic:/usr/lib/uucp/uucico
smmsp:x:25:25:SendMail Message Submission Program:/:
listen:x:37:4:Network Admin:/usr/net/nls:
gdm:x:50:50:GDM Reserved UID:/:
webservd:x:80:80:WebServer Reserved UID:/:
nobody:x:60001:60001:NFS Anonymous Access User:/:
noaccess:x:60002:60002:No Access User:/:
nobody4:x:65534:65534:SunOS 4.x NFS Anonymous Access User:/:
pbg:x:101:14::/export/home/pbg:/bin/bash
test:x:201:1::/export/home/test:/bin/pfsh

/etc/user_attr

# cat /etc/user_attr
#
# Copyright (c) 2003 by Sun Microsystems, Inc. All rights reserved.
#
# /etc/user_attr
#
# user attributes. see user_attr(4)
#
#pragma ident "@(#)user_attr 1.1 03/07/09 SMI"
#
adm::::profiles=Log Management
lp::::profiles=Printer Management
root::::auths=solaris.*,solaris.grant;profiles=Web Console Management,All;lock_after_retries=no
test::::type=role;defaultpriv=basic,dtrace_proc,dtrace_user,dtrace_kernel;profiles=Process Management
pbg::::type=normal;roles=test
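The exec_attr and user_attr listings above are the two ends of one chain: user → roles (user_attr) → profiles (the role's user_attr entry) → commands and their attributes (exec_attr). The script below is an added example, not code from the workshop, that walks that chain over constructed copies of the two files so you can answer "what does letting pbg assume test actually grant?" before assigning a role. The user_attr sample copies the slide; the exec_attr sample takes the mount and install lines from the exec_attr slide, while the Process Management and asadmin entries are made up for the example (the real file's entries for that profile differ). All function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the slides: resolve what a user can reach through
# RBAC by walking user_attr (user -> roles -> profiles) and exec_attr
# (profile -> command -> attributes). Both files are constructed samples.

USER_ATTR='adm::::profiles=Log Management
root::::auths=solaris.*,solaris.grant;profiles=Web Console Management,All;lock_after_retries=no
test::::type=role;defaultpriv=basic,dtrace_proc,dtrace_user,dtrace_kernel;profiles=Process Management
pbg::::type=normal;roles=test'

# Process Management lines are invented for the example; the rest mirror the slide.
EXEC_ATTR='Process Management:suser:cmd:::/usr/bin/kill:euid=0
Process Management:solaris:cmd:::/usr/bin/pkill:privs=proc_owner
File System Management:solaris:cmd:::/sbin/mount:privs=sys_mount
Software Installation:suser:cmd:::/usr/sbin/install:euid=0
Application Server Management:suser:cmd:::/usr/appserver/bin/asadmin:'

# attr_value "k1=v1;k2=v2" KEY -> value of KEY, or empty if absent
attr_value() {
    printf '%s\n' "$1" | tr ';' '\n' | awk -F= -v k="$2" '$1 == k { sub(/^[^=]*=/, ""); print; exit }'
}

# user_attr_of NAME -> the attribute field (5th) of NAME's user_attr entry
user_attr_of() {
    printf '%s\n' "$USER_ATTR" | awk -F: -v n="$1" '$1 == n { print $5; exit }'
}

# user_roles USER -> roles the user may assume, space separated
user_roles() {
    attr_value "$(user_attr_of "$1")" roles | tr ',' ' '
}

# can_assume USER ROLE -> exit 0 only if ROLE is a role and USER is listed on it
# (the check behind "Roles can only be assumed by authorized users")
can_assume() {
    [ "$(attr_value "$(user_attr_of "$2")" type)" = role ] || return 1
    for r in $(user_roles "$1"); do [ "$r" = "$2" ] && return 0; done
    return 1
}

# profile_commands "Profile Name" -> one "path attributes" line per exec_attr entry
profile_commands() {
    printf '%s\n' "$EXEC_ATTR" | awk -F: -v p="$1" \
        '$1 == p { print $6, ($7 == "" ? "(no attributes: runs as the caller)" : $7) }'
}

# what_can USER -> every privileged command reachable through the user's roles
what_can() {
    for r in $(user_roles "$1"); do
        rattr=$(user_attr_of "$r")
        [ "$(attr_value "$rattr" type)" = role ] || continue
        printf 'role %s: defaultpriv=%s\n' "$r" "$(attr_value "$rattr" defaultpriv)"
        printf '%s\n' "$(attr_value "$rattr" profiles)" | tr ',' '\n' | while read -r prof; do
            profile_commands "$prof" | sed "s/^/  [$prof] /"
        done
    done
}

what_can pbg
if can_assume adm test; then echo 'adm may assume test'; else echo 'adm may not assume test'; fi
```

Running it prints the test role's default privilege set followed by the two Process Management commands with the uid or privilege each one runs with; mount and install do not appear because no profile reachable from pbg carries them. The same walk is what the profile shells do at exec time, which is why a typo in a profiles= list silently grants nothing rather than failing loudly.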


Labs

Create new user "foo"
Create new role "operator"
Find list of profiles
Add some profiles to role "operator"
Add user foo to role "operator"
Find list of privileges
Add some privileges to role "operator"
Add some privileges to user "foo"
Test user foo in role "operator"
Test user "foo" privileges
Explore the system to find all of the changes associated with the new user and role

NFS V4


NFS V4 Overview

Stateful rather than stateless
All traffic uses one port number (2049)
Can negotiate security authentication protocol, including using Kerberos (SEAM) and DES
The /etc/default/nfs file uses keywords to control the NFS protocols that are used by both the client and the server
Uses string representations to identify the owner or group_owner, via the nfsmapid daemon
Supports mandatory locking (multiple lock types)
When you unshare a file system, all the state for any open files or file locks in that file system is destroyed
Servers use a pseudo file system to provide clients with access to exported objects on the server
  Server provides a view that just includes the exported file systems

NFS V4 Overview - 2

Supports client and server recovery from a crash
Supports client failover between multiple replicated copies of a file system on different servers
Supports volatile file handles
Delegation, a technique by which the server delegates the management of a file to a client, is supported on both the client and the server
  I.e. the server could grant either a read delegation or a write delegation to a client
Does not use the following daemons:
  lockd
  mountd
  nfslogd
  statd

NFS V4 Use

Enable it via NFS_CLIENT_VERSMIN and NFS_CLIENT_VERSMAX in the /etc/default/nfs file


Solaris Flash Archives


System Build Technology

What does it have to do with security?
  Capture state of system just after virgin build
  Fast restore
  Useful for comparison
  Also good for DR / BC
This is available pre-Solaris 10, but generally under-utilized

Flash Archives

Create master system – single reference installation
Then replicate master to clone systems
  Initial install overwrites all filesystems on target clone
  Update only includes differences between two system images (on master and clone)
  Differential update changes only specified files of a clone based on a master

Flash Archives Initial Install

1. Install master server however you'd like
2. (Optional) Prepare customization scripts to reconfigure or customize the clone system before or after installation
3. Create the Solaris Flash archive. The Solaris Flash archive contains a copy of all of the files on the master system, unless you excluded some nonessential files
4. Install the Solaris Flash archive on clone systems
   1. Master and clone system must have the same kernel architecture
   2. Can run scripts to customize clone or install extra packages using custom JumpStart
5. (Optional) Save a copy of the master image
   1. If you plan to create a differential archive, the master image must be available and identical to the image installed on the clone systems

Note – best to start from the Entire Plus OEM install image to get all drivers the clones might need

Flash Archives Deployment

Create archive after full master install but before software configuration
  I.e. no Solaris Volume Manager config
Master should be as inactive as possible
Create archive with flar create -n name options path/filename
Save it to disk or tape
Make a copy for differential archive creation
Can keep multiple archives – just costs disk
Can compress archives
To install from an archive, select Solaris Flash installation during standard installation procedures

Updating Clone with Flash Differential Archive

1. Start from master identical to clone
2. Prepare the master system with changes
3. (Optional) Prepare customization scripts to reconfigure or customize the clone system before or after installation
4. Mount the directory of a copy of the saved, unchanged master image
   1. Second image is to be used to compare the two system images
   2. Mount it from a Solaris Live Upgrade boot environment
   3. Mount it from a clone system over NFS
   4. Restore from backup using the ufsrestore command
5. Create the differential archive with the -A option of the flar create command
6. Install the differential archive on clone systems with custom JumpStart
   1. Or, use Solaris Live Upgrade to install the differential archive on an inactive boot environment

Moving from NIS to LDAP


Why Move?

NIS is old, limited, not secure
  Weak authentication
  Not much encryption
  Nonstandard
NIS+ is complicated and EOL
  Sorry if you already moved to it
  Don't move to NIS+ if you haven't already
LDAP is the wave of the future
  "Standard"
  Full features
  Expandable, flexible, interoperable

NIS to LDAP Overview

The NIS-to-LDAP transition service (N2L service) replaces existing NIS daemons on the NIS master server with NIS-to-LDAP transition daemons
The N2L service also creates a NIS-to-LDAP mapping file on that server
  Specifies the mapping between NIS map entries and equivalent Directory Information Tree (DIT) entries in LDAP
A transitioned server is called an N2L server
Slave servers do not have an NISLDAPmapping file, so they continue as usual
  The slave servers periodically update their data from the N2L server

NIS to LDAP Overview - 2

Behavior of the N2L service is controlled by the ypserv and NISLDAPmapping configuration files
A script, inityp2l, assists with initial setup of configuration files. Once the N2L server has been established, you can maintain N2L by editing the configuration files
The N2L service supports:
  Import of NIS maps into the LDAP DIT
  Client access to DIT information with the speed and extensibility of NIS
When using N2L, the LDAP directory is the source of authoritative data
Eventually, all NIS clients can be replaced by Solaris LDAP naming services clients
Many gory details in the System Administration Guide: Naming and Directory Services

DTrace


DTrace and Security

No real link
DTrace so cool we need to take a quick look

DTrace Overview

Best tool ever for understanding system behavior
Uses language D, based on C
Fully dynamic, full probing of kernel and user apps
Fully scalable
Enabled in Solaris 10 – no custom kernel or configuration changes needed
Use DTrace today to solve non-S10 problems
  Move the "problem" to a test / dev S10 machine, debug, and then back port the solution to the original machine
Way too much to cover here
  So I'll whet your appetite
Got example code available at http://users.tpg.com.au/adsln4yb/dtrace.html
All DTrace resources at http://www.sun.com/bigadmin/content/dtrace/

DTrace Example - 1

connections.d snoops inbound TCP connections as they are established, displaying the server process that accepted the connection.

# ./connections.d
UID   PID   IP_SOURCE        PORT  CMD
0     254   192.168.001.001  23    /usr/sbin/inetd -s
0     254   192.168.001.001  23    /usr/sbin/inetd -s
0     254   192.168.001.001  79    /usr/sbin/inetd -s
0     254   192.168.001.001  21    /usr/sbin/inetd -s
0     254   192.168.001.001  79    /usr/sbin/inetd -s
100   2319  192.168.001.001  6000  /usr/openwin/bin/Xsun :0 -nobanner
0     254   192.168.001.001  79    /usr/sbin/inetd -s
[...]

DTrace Example - 2

The following script counts the number of write(2) calls by application:

syscall::write:entry
{
        @counts[execname] = count();
}

DTrace Example - 4

# dtrace -s write-calls-by-app.d
dtrace: script 'write-calls-by-app.d' matched 1 probe
^C

  dtrace                1
  login                 1
  sshd                  2
  sh                    6
  telnet                6
  w                     7
  df                   12
  in.telnetd           25
  mixer_applet2        61
  gnome-panel         108
  metacity            125
  gnome-terminal      197
#

DTrace Example - 5

Let's have a look at the size of the writes to file descriptor 5, per section of user code (!)

syscall::write:entry
/execname == "sshd" && arg0 == 5/
{
        @[ustack()] = quantize(arg2);
}

DTrace Example - 6

bash-2.05b# dtrace -s write-sshd-fd-5.d
dtrace: script 'write-sshd-fd-5.d' matched 1 probe
^C

              libc.so.1`_write+0xc
              sshd`atomicio+0x2d
              805b59c
              sshd`main+0xd59
              805b1fa

           value  ------------- Distribution ------------- count
               8 |                                         0
              16 |@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ 1
              32 |                                         0

              libc.so.1`_write+0xc
              sshd`packet_write_poll+0x2e
              sshd`packet_write_wait+0x23
              sshd`userauth_finish+0x19f
              805f42e
              sshd`dispatch_run+0x49
              sshd`do_authentication2+0x7c
              sshd`main+0xdc7
              805b1fa

           value  ------------- Distribution ------------- count
              16 |                                         0
              32 |@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ 1
              64 |                                         0

DTrace Example - 7

#!/usr/sbin/dtrace -s

#pragma D option flowindent

pid$1::$2:entry
{
        self->trace = 1;
}

pid$1:::entry,
pid$1:::return,
fbt:::
/self->trace/
{
        printf("%s", curlwpsinfo->pr_syscall ? "K" : "U");
}

pid$1::$2:return
/self->trace/
{
        self->trace = 0;
}

FTP Server Enhancements


FTP Server Enhancements

The sendfile() function is used for binary downloads
New capabilities supported in the ftpaccess file:
  flush-wait controls the behavior at the end of a download or directory listing
  ipcos sets the IP Class of Service for either the control or data connection
  passive ports can be configured so that the kernel selects the TCP port to listen on
  quota-info enables retrieval of quota information
  recvbuf sets the receive (upload) buffer size used for binary transfers
  rhostlookup allows or disallows the lookup of the remote host's name
  sendbuf sets the send (download) buffer size used for binary transfers
  xferlog format customizes the format of the transfer log entry
-4 option, which makes the FTP server only listen for connections on an IPv4 socket when running in standalone mode

FTP Server Enhancements - 2

ftpcount and ftpwho now support the -v option, which displays user counts and process information for FTP server classes defined in virtual host ftpaccess files
The FTP client and server now support Kerberos

PAM Enhancements


PAM Enhancements

Pluggable Authentication Module (PAM) framework enhancements
The pam_authtok_check module now allows for strict password checking using new tunable parameters in the /etc/default/passwd file. The new parameters define:
  A list of comma separated dictionary files used for checking common dictionary words in a password
  The minimum differences required between a new password and an old password
  The minimum number of alphabetic or nonalphabetic characters that must be used in a new password
  The minimum number of uppercase or lowercase letters that must be used in a new password
  The number of allowable consecutive repeating characters

PAM Enhancements - 2

The pam_unix_auth module implements account locking for local users. Account locking is enabled by the LOCK_AFTER_RETRIES parameter in /etc/security/policy.conf and the lock_after_retries key in /etc/user_attr
The pam_unix module has been removed and replaced by a set of service modules of equivalent or greater functionality. Many of these modules were introduced in the Solaris 9 release. Here is a list of the replacement modules:
  pam_authtok_check
  pam_authtok_get
  pam_authtok_store
  pam_dhkeys
  pam_passwd_auth
  pam_unix_account
  pam_unix_auth
  pam_unix_cred
  pam_unix_session

PAM Enhancements - 3

The functionality of the pam_unix_auth module has been split into two modules. The pam_unix_auth module now verifies that the password is correct for the user. The new pam_unix_cred module provides functions that establish user credential information.
Additions to the pam_krb5 module have been made to manage the Kerberos credentials cache using the PAM framework.
A new pam_deny module has been added. The module can be used to deny access to services. By default, the pam_deny module is not used.

/etc/default/passwd

$ cat /etc/default/passwd
#ident "@(#)passwd.dfl 1.7 04/04/22 SMI"
#
# Copyright 2004 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
MAXWEEKS=
MINWEEKS=
PASSLENGTH=6

# NAMECHECK enables/disables login name checking.
# The default is to do login name checking.
# Specifying a value of "NO" will disable login name checking.
#
#NAMECHECK=NO

/etc/default/passwd - 2

# HISTORY sets the number of prior password changes to keep and
# check for a user when changing passwords. Setting the HISTORY
# value to zero (0), or removing/commenting out the flag will
# cause all users' prior password history to be discarded at the
# next password change by any user. No password history will
# be checked if the flag is not present or has zero value.
# The maximum value of HISTORY is 26.
#
# This flag is only enforced for user accounts defined in the
# local passwd(4)/shadow(4) files.
#
#HISTORY=0
#

/etc/default/passwd - 3

# Password complexity tunables. The values listed are the defaults
# which are compatible with previous releases of passwd.
# See passwd(1) and pam_authtok_check(5) for use warnings and
# discussion of the use of these options.
#
#MINDIFF=3
#MINALPHA=2
#MINNONALPHA=1
#MINUPPER=0
#MINLOWER=0
#MAXREPEATS=0
#MINSPECIAL=0
#MINDIGIT=0
#WHITESPACE=YES
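The PAM Enhancements slide describes what these pam_authtok_check tunables mean and the file above gives their defaults; the script below is an added example, not code from the workshop or from Sun, that reads a file in this format and applies the rules to a candidate password, so the effect of tightening a value can be tried out before touching the real file. Several details are assumptions of this example rather than the documented pam_authtok_check behaviour: MINDIFF is counted as positions that differ between old and new password (plus any length difference), MINSPECIAL counts characters that are neither letters nor digits, and MAXREPEATS=0 is treated as "no limit". Commented-out or empty settings fall back to the defaults the slide lists, the way the real file's commented defaults are meant to read.

```shell
#!/bin/sh
# Added example, not from the slides: apply /etc/default/passwd-style
# complexity tunables to a candidate password. The policy text below is a
# constructed fragment, stricter than the defaults shown on the slide.
# Assumptions of this example, not taken from pam_authtok_check(5):
#   MINDIFF  = positions differing between old and new (+ length difference)
#   MINSPECIAL counts characters that are neither letters nor digits
#   MAXREPEATS=0 means unlimited
POLICY='# constructed fragment, stricter than the slide defaults
PASSLENGTH=8
MAXWEEKS=
MINDIFF=3
MINALPHA=2
MINNONALPHA=1
MINUPPER=1
MINLOWER=1
MAXREPEATS=2
MINSPECIAL=1
MINDIGIT=1
WHITESPACE=NO
#HISTORY=0'

# policy_value KEY CONTENT DEFAULT -> value of KEY=..., DEFAULT if unset, empty or commented out
policy_value() {
    v=$(printf '%s\n' "$2" | awk -F= -v k="$1" '$1 == k { print $2; exit }')
    printf '%s' "${v:-$3}"
}

# count_chars STRING CLASS -> how many characters of STRING fall in tr class CLASS
count_chars() {
    printf '%s' "$1" | tr -cd "$2" | wc -c | tr -d ' '
}

# max_repeat STRING -> length of the longest run of one repeated character
max_repeat() {
    printf '%s\n' "$1" | awk '{ best = 0; run = 0; prev = ""
        for (i = 1; i <= length($0); i++) {
            c = substr($0, i, 1); run = (c == prev) ? run + 1 : 1
            if (run > best) best = run; prev = c }
        print best }'
}

# diff_positions OLD NEW -> differing positions plus the length difference
diff_positions() {
    awk -v a="$1" -v b="$2" 'BEGIN { n = length(a); m = length(b)
        d = (n > m) ? n - m : m - n; k = (n < m) ? n : m
        for (i = 1; i <= k; i++) if (substr(a, i, 1) != substr(b, i, 1)) d++
        print d }'
}

# _require ACTUAL KEY DEFAULT DESCRIPTION -> report when ACTUAL is below the configured minimum
_require() {
    min=$(policy_value "$2" "$pol" "$3")
    [ "$1" -ge "$min" ] && return 0
    echo "fewer than $2=$min $4"; return 1
}

# check_password NEW OLD POLICY -> one line per violated rule; exit 0 if none
check_password() {
    pw=$1; old=$2; pol=$3; bad=0
    len=${#pw}
    alpha=$(count_chars "$pw" '[:alpha:]'); upper=$(count_chars "$pw" '[:upper:]')
    lower=$(count_chars "$pw" '[:lower:]'); digit=$(count_chars "$pw" '[:digit:]')
    space=$(count_chars "$pw" '[:space:]')
    _require "$len" PASSLENGTH 6 characters || bad=1
    _require "$alpha" MINALPHA 2 letters || bad=1
    _require "$((len - alpha))" MINNONALPHA 1 non-letters || bad=1
    _require "$upper" MINUPPER 0 "uppercase letters" || bad=1
    _require "$lower" MINLOWER 0 "lowercase letters" || bad=1
    _require "$digit" MINDIGIT 0 digits || bad=1
    _require "$((len - alpha - digit))" MINSPECIAL 0 "special characters" || bad=1
    maxrep=$(policy_value MAXREPEATS "$pol" 0)
    if [ "$maxrep" -gt 0 ] && [ "$(max_repeat "$pw")" -gt "$maxrep" ]; then
        echo "more than MAXREPEATS=$maxrep consecutive identical characters"; bad=1
    fi
    if [ "$(policy_value WHITESPACE "$pol" YES)" = NO ] && [ "$space" -gt 0 ]; then
        echo "contains whitespace but WHITESPACE=NO"; bad=1
    fi
    mindiff=$(policy_value MINDIFF "$pol" 3)
    if [ -n "$old" ] && [ "$(diff_positions "$old" "$pw")" -lt "$mindiff" ]; then
        echo "fewer than MINDIFF=$mindiff positions differ from the old password"; bad=1
    fi
    return $bad
}

for candidate in solaris 'Usenix-2005' 'Ab1!aaacd'; do
    echo "== $candidate"
    check_password "$candidate" '' "$POLICY" && echo "   accepted"
done
```

With the slide's defaults alone (an empty policy), "solaris" is rejected only for lacking a non-letter; with the constructed policy it fails five rules at once, which is the quickest way to see how much each tunable adds. Note that dictionary checking (DICTIONLIST, DICTIONDBDIR) and HISTORY are outside what this checker models.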


/etc/default/passwd - 4

#
# passwd performs dictionary lookups if DICTIONLIST or DICTIONDBDIR
# is defined. If the password database does not yet exist, it is
# created by passwd. See passwd(1), pam_authtok_check(5) and
# mkdict(1) for more information.
#
#DICTIONLIST=
#DICTIONDBDIR=/var/passwd

BSM


BSM

Solaris Basic Security Module
Also known as Solaris auditing
Part of Solaris for a while, but little used
Very detailed accounting of system / user activities
  Can be too much – wants your disk space
Good article at http://www.deer-run.com/~hal/sysadmin/SolarisBSMAuditing.html
Except for disk space, not very resource intensive

BSM Setup

BSM not enabled by default
bsmconv configures BSM
  Creates files in /etc/security
audit_startup runs at startup, configuring auditing via auditconfig commands:
  /usr/bin/echo "Starting BSM services."
  /usr/sbin/auditconfig -setpolicy +cnt
  /usr/sbin/auditconfig -conf
  /usr/sbin/auditconfig -aconf

BSM Setup – cont

audit_control is the primary config file:
  dir:/var/audit
  flags:
  minfree:20
  naflags:lo

flags defines audit events to pay attention to
naflags defines non-attributable events to pay attention to
audit_event can fine-tune auditing (defines events and divides them into classes)
audit_class defines masks for accessing classes

BSM Setup - cont

Run audit -n out of cron to cycle the (otherwise infinite) log file:
  0 * * * * /usr/sbin/audit -n
Compress and move the audit log to secure storage
  Do so rapidly on security-conscious machines (i.e. web servers)
auditreduce can extract specific info from an audit log
praudit can dump native audit binary data for readability

BSM Tuning

Recommended auditing settings for more security-conscious systems from http://www.cisecurity.com/bench_solaris.html

Generated via this awk script:

awk 'BEGIN { FS = ":"; OFS = ":" }
     ($4 ~ /fm/) && ! ($2 ~ /MCTL|FCNTL|FLOCK|UTIME/) \
             { $4 = $4 ",cc" }
     ($4 ~ /p[cms]/) && \
     ! ($2 ~ /FORK|CHDIR|KILL|VTRACE|SETGROUPS|SETPGRP/) \
             { $4 = $4 ",cc" }
     { print }' audit_event >audit_event.new

And associated audit_control configuration:
  dir:/var/audit
  minfree:20
  flags:lo,ad,cc
  naflags:lo,ad,ex
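To see what the CIS awk script above actually does to audit_event, and to check that the new cc class is then really selected by audit_control, here is an added shell example (not from the workshop or from CIS) that runs the same awk over a constructed audit_event sample. The event numbers and class lists in the sample are made up for the example; only the number:name:description:classes format is real. Function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the slides: apply the CIS audit_event retagging
# to a constructed sample, then confirm the new class is selected in
# audit_control. Event numbers and class lists are made up; the format is real.

SAMPLE_AUDIT_EVENT='# constructed sample: number:name:description:classes
1:AUE_NULL:indir system call:no
2:AUE_FORK:fork(2):ps
6:AUE_EXECVE:execve(2):ps,ex
8:AUE_CHDIR:chdir(2):pc
10:AUE_CHMOD:chmod(2):fm
15:AUE_KILL:kill(2):pc
30:AUE_FCNTL:fcntl(2):fm
40:AUE_UTIME:utime(2):fm
41:AUE_EXIT:exit(2):pc'

# audit_control as on the slide, with cc among the attributable flags
AUDIT_CONTROL='dir:/var/audit
minfree:20
flags:lo,ad,cc
naflags:lo,ad,ex'

# tag_cc_events: stdin is audit_event, stdout is the retagged copy.
# Same logic as the slide: add class cc to fm events except the noisy
# MCTL/FCNTL/FLOCK/UTIME ones, and to pc/pm/ps events except the listed ones.
tag_cc_events() {
    awk 'BEGIN { FS = ":"; OFS = ":" }
    ($4 ~ /fm/) && ! ($2 ~ /MCTL|FCNTL|FLOCK|UTIME/)                       { $4 = $4 ",cc" }
    ($4 ~ /p[cms]/) && ! ($2 ~ /FORK|CHDIR|KILL|VTRACE|SETGROUPS|SETPGRP/) { $4 = $4 ",cc" }
    { print }'
}

# classes_of NAME CONTENT -> class list of event NAME in CONTENT
classes_of() {
    printf '%s\n' "$2" | awk -F: -v n="$1" '$2 == n { print $4; exit }'
}

# audit_control_value KEY CONTENT -> value of the "KEY:value" line
audit_control_value() {
    printf '%s\n' "$2" | awk -F: -v k="$1" '$1 == k { print $2; exit }'
}

# class_selected CLASS CONTENT -> exit 0 if CLASS is in the flags: line,
# i.e. it will be preselected for attributable (logged-in user) events
class_selected() {
    audit_control_value flags "$2" | tr ',' '\n' | grep -qxF "$1"
}

# retagged_sample -> the sample after the CIS transformation
retagged_sample() {
    printf '%s\n' "$SAMPLE_AUDIT_EVENT" | tag_cc_events
}

retagged_sample
for c in cc ex; do
    if class_selected "$c" "$AUDIT_CONTROL"; then
        echo "class $c is selected by flags:"
    else
        echo "class $c is NOT in flags: (check naflags:)"
    fi
done
```

In the retagged output chmod gains cc while fcntl and utime keep plain fm, and exit gains cc while fork, chdir and kill stay as they were: the exclusion lists are what keep the cc class from drowning the log in the most frequent calls. The cc class also has to exist in audit_class for the retagged events to be valid; that file is not modelled here.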


Auditing Enhancements


Auditing Enhancements

Can use the syslog utility to store audit records in text format
Enable and configure in /etc/security/audit_control:
  dir:/var/audit
  flags: lo,ad,-fm
  minfree:20
  naflags:lo,ad
  plugin: name=audit_syslog.so;p_flags=lo,+ad;qsize=512
Add audit.notice /var/adm/auditlog to /etc/syslog.conf
touch /var/adm/auditlog
Use logadm to manage the logs
praudit -x creates output formatted in XML

Auditing Enhancements - 2

Audit metaclasses provide an umbrella for finer-grained audit classes
The bsmconv command no longer disables the use of the Stop-A key
  The Stop-A event can be audited
The timestamp in audit records now displays in ISO 8601 format
Three audit policy options have been added:
  public – Public objects are no longer audited for read-only events, reducing the audit log size
  perzone – A separate audit daemon runs in each zone
  zonename – The name of the Solaris zone in which an audit event occurred can be included in audit records

Auditing Enhancements - 3

Five audit tokens have been added:
  The cmd token records the list of arguments and the list of environment variables that are associated with a command
  The path_attr token records the sequence of attribute file objects that are below the path token object
  The privilege token records the use of privilege on a process
  The uauth token records the use of authorization with a command or action
  The zonename token records the name of the non-global zone in which an audit event occurred

Service Management Facility


Solaris 10 Service Management Facility (SMF)

Part of larger predictive self-healing facility (Build 69 and beyond)
Replacing inetd, changing use of /etc/rc files, etc
Much more sophisticated management of system startup and daemons
  Builds reference tree of which processes need which, and the order to start them in
  If a service fails, knows how to restart the service and all that depended on it
  Startup to login prompt much faster with multithreading
  Snapshotting of service status, reversion to previous status

SMF - 2

Booting now much "quieter"
Each service has its own log in /var/svc/log (/etc/svc/volatile)
Services that would have hung boot are now debuggable in maintenance mode
New boot -m verbose to display a message per service
Processes will automatically be restarted by svc.startd or be placed in maintenance mode (watch out for kill -9)

svcsDisplays services and stati

# svcsSTATE STIME FMRIlegacy_run Feb_28 lrc:/etc/rcS_d/S50sk98sollegacy_run Feb_28 lrc:/etc/rc2_d/S10lulegacy_run Feb_28 lrc:/etc/rc2_d/S20sysetuplegacy_run Feb_28 lrc:/etc/rc2_d/S40llc2. . .legacy_run Feb_28 lrc:/etc/rc3_d/S84appservlegacy_run Feb_28 lrc:/etc/rc3_d/S90sambaonline Feb_28 svc:/system/svc/restarter:defaultonline Feb_28 svc:/network/pfil:defaultonline Feb_28 svc:/system/filesystem/root:defaultonline Feb_28 svc:/network/loopback:defaultonline Feb_28 svc:/milestone/name-services:default. . .


svcs (cont)

Displays details about services (e.g. what failed, and why)

# svcs -x
svc:/application/print/server:default (LP print server)
 State: disabled since Mon Feb 28 11:01:34 2005
Reason: Disabled by an administrator.
   See: http://sun.com/msg/SMF-8000-05
   See: lpsched(1M)
Impact: 2 dependent services are not running. (Use -v for list.)


svcs (cont)

Displays details about services (e.g. what depends on what)

# svcs -xv ssh
STATE          STIME    FMRI
online         Feb_28   svc:/network/ssh:default
               Feb_28      366 sshd


svcadm

Changes service states permanently (unless the -t option is used)

# svcs sendmail
STATE          STIME    FMRI
online         Feb_28   svc:/network/smtp:sendmail
# svcadm disable sendmail
# svcs sendmail
STATE          STIME    FMRI
disabled       17:46:01 svc:/network/smtp:sendmail


SMF Notes
Changes to inetd.conf are still effective, but only if inetconv is run after the change
Use SMF instead of RC script changes if at all possible
“Manifests” contain service descriptions in /var/svc/manifest
Changes to services can be made here
Won’t be reflected until the service is restarted or refreshed
svcs -a shows all services, no matter the state

Also of interest:
svcadm restart: restart the service
svcadm refresh: reread the service configuration
svcs -d FMRI: shows named service and parents
svcs -D FMRI: shows named service and dependents
boot -m milestone: boots to named milestone
svcadm milestone: transitions to named milestone
svccfg apply /var/svc/profile/generic_limited_net.xml: disables generic extraneous network daemons


Labs
What services are running?
How do you parse the output of svcs?
Which are disabled? Failed?
What does inetd.conf look like?
What is in the rc directories?
What do the service log files show?
Kill an unimportant service via kill
What happened?
Disable it via SMF
Where is the SMF configuration information stored?
How would you change the parameters of a service?
What does an RPC service look like now?
What run level are we at?
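One way to work the first lab questions (what is running, what is disabled, what has failed, what is still an rc script), as an added example that is not part of the workshop slides: a few sh functions that parse svcs output with awk. The svcs listing inside SVCS_SAMPLE is constructed to match the STATE STIME FMRI layout shown on the earlier slides; on a Solaris 10 host, replace the printf in svcs_output with svcs -a.

```shell
#!/bin/sh
# Added example, not from the slides: answer "which services are running,
# disabled, failed?" by parsing svcs -a style output with awk.
# SVCS_SAMPLE is constructed to match the STATE STIME FMRI layout svcs prints;
# on a real host replace the printf in svcs_output with: svcs -a

SVCS_SAMPLE='STATE          STIME    FMRI
legacy_run     Feb_28   lrc:/etc/rc2_d/S20sysetup
legacy_run     Feb_28   lrc:/etc/rc3_d/S90samba
online         Feb_28   svc:/system/svc/restarter:default
online         Feb_28   svc:/network/ssh:default
online         Feb_28   svc:/network/pfil:default
disabled       17:46:01 svc:/network/smtp:sendmail
maintenance    Feb_28   svc:/application/print/server:default
offline        Feb_28   svc:/network/nfs/server:default'

svcs_output() {
    printf '%s\n' "$SVCS_SAMPLE"      # stand-in for: svcs -a
}

# svcs_in_state STATE: FMRIs currently in STATE (online, disabled, maintenance, ...)
svcs_in_state() {
    svcs_output | awk -v want="$1" 'NR > 1 && $1 == want { print $3 }'
}

# svcs_count STATE: how many services are in STATE
svcs_count() {
    svcs_in_state "$1" | wc -l | tr -d ' '
}

# svcs_failed: services SMF has parked in maintenance, the "failed" ones the lab
# asks about; on a real host, svcs -x explains why each one is there
svcs_failed() {
    svcs_in_state maintenance
}

# svcs_legacy: rc scripts SMF still runs (lrc: FMRIs), i.e. what is left in the
# rc directories
svcs_legacy() {
    svcs_output | awk '$3 ~ /^lrc:/ { print $3 }'
}

# svcs_not_running: everything that is neither online nor a legacy rc script,
# printed as "STATE FMRI" for a quick triage list
svcs_not_running() {
    svcs_output | awk 'NR > 1 && $1 != "online" && $1 != "legacy_run" { print $1, $3 }'
}
```

The state column is all that is needed to split services into running, administratively disabled and failed; the third column (the FMRI) is what svcadm and svcs -x take as an argument, so these functions print it in a form that can be fed straight into the next step of the lab.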


Solaris Cryptographic Framework


Crypto Framework
Provides common store of crypto algorithms and PKCS #11 libraries optimized for SPARC and x86

PKCS #11 – public key crypto standard defining technology-independent API for crypto devices

Currently provides IPSec and Kerberos to kernel, libsasl and IKE to users via plugins:
User-level plugins – Shared objects that provide services by using PKCS #11 libraries, such as pkcs11_softtoken.so.1
Kernel-level plugins – Kernel modules that provide implementations of cryptographic algorithms in software, such as AES
Hardware plugins – Device drivers and their associated hardware accelerators, e.g. the Sun Crypto Accelerator 1000 board

Framework implements a standard interface, the PKCS #11 v2.11 library, for user-level providers. Can be used by third-party applications to reach providers

Third parties can add signed libraries, signed kernel algorithm modules, and signed device drivers to the framework

Plugins are added when the pkgadd utility installs the third-party software


Figure 8–1 Overview of the Solaris Cryptographic Framework

(From Solaris 10 Solaris Security for Developers Guide)


Crypto Framework Admin
Administration via the cryptoadm command:

$ cryptoadm list
user-level providers:
/usr/lib/security/$ISA/pkcs11_kernel.so
/usr/lib/security/$ISA/pkcs11_softtoken.so

kernel software providers:
des
aes
arcfour
blowfish
sha1
md5
rsa
swrand

kernel hardware providers:


Crypto Framework User Commands
digest – Computes a message digest for one or more files or for stdin. A digest is useful for verifying the integrity of a file. SHA1 and MD5 are examples of digest functions.
mac – Computes a message authentication code (MAC) for one or more files or for stdin. A MAC associates data with an authenticated message. A MAC enables a receiver to verify that the message came from the sender and that the message has not been tampered with. The sha1_hmac and md5_hmac mechanisms can compute a MAC.
encrypt – Encrypts files or stdin with a symmetric cipher. The encrypt -l command lists the algorithms that are available. Mechanisms that are listed under a user-level library are available to the encrypt command. The framework provides AES, DES, 3DES (Triple-DES), and ARCFOUR mechanisms for user encryption.
decrypt – Decrypts files or stdin that were encrypted with the encrypt command. The decrypt command uses the identical key and mechanism that were used to encrypt the original file.


Key Generation
For MAC and encryption, need a symmetric key

Determine the algorithm to use and the length of key needed:
$ encrypt -l
Algorithm       Keysize:  Min   Max (bits)
------------------------------------------
aes              128   128
arcfour            8   128
des               64    64
3des             192   192
$ mac -l
Algorithm       Keysize:  Min   Max (bits)
------------------------------------------
des_mac           64    64
sha1_hmac          8   512
md5_hmac           8   512


Key Generation - 2
Use a random number generator, or dd

Note that bs is in bytes, so divide the key length in bits by 8
$ dd if=/dev/urandom of=keyfile bs=n count=1

Protect the key in the keyfile
$ chmod 400 keyfile

Example for AES:
$ dd if=/dev/urandom of=$HOME/keyf/05.07.aes16 bs=16 count=1
$ chmod 400 ~/keyf/05.07.aes16

Now use the key to create an MD5 MAC:
$ mac -v -a md5_hmac -k $HOME/keyf/05.07.mack64 email.attach
md5_hmac (email.attach) = 02df6eb6c123ff25d78877eb1d55710c
% echo "md5_hmac (email.attach) = 02df6eb6c123ff25d78877eb1d55710c" \
  >> ~/mac.daily.05.07

Use AES for encryption using a keyphrase
$ encrypt -a aes -i ticket.to.ride -o ~/enc/e.ticket.to.ride
Enter key: <Type passphrase>
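The bits-to-bytes step and the chmod 400 are the two places this procedure goes wrong in practice (a bs= that is off by a factor of eight, or a key that sits world-readable until someone remembers to chmod it). The following sh functions, added here and not part of the workshop slides, do the arithmetic, check the requested length against the ranges printed by encrypt -l and mac -l on the previous slide (copied into KEYSIZES), create the key with dd under a restrictive umask, and verify the result. The function names, the KEYSIZES table and the error messages are this example's own.

```shell
#!/bin/sh
# Added example, not from the slides: turn a key length in bits into dd's bs=,
# check it against the algorithm's allowed range, create the key file and verify
# its size and permissions.
# KEYSIZES is copied from the encrypt -l / mac -l output on the previous slide.

KEYSIZES='aes 128 128
arcfour 8 128
des 64 64
3des 192 192
des_mac 64 64
sha1_hmac 8 512
md5_hmac 8 512'

# key_bytes ALGORITHM BITS: print the byte count for bs=, or fail (non-zero
# exit) when BITS is outside the algorithm's range or not a whole number of bytes
key_bytes() {
    kb_alg=$1
    kb_bits=$2
    kb_range=$(printf '%s\n' "$KEYSIZES" | awk -v a="$kb_alg" '$1 == a { print $2, $3 }')
    if [ -z "$kb_range" ]; then
        echo "key_bytes: unknown algorithm $kb_alg" >&2
        return 1
    fi
    set -- $kb_range          # $1 = min bits, $2 = max bits
    if [ "$kb_bits" -lt "$1" ] || [ "$kb_bits" -gt "$2" ]; then
        echo "key_bytes: $kb_alg needs $1..$2 bits, got $kb_bits" >&2
        return 1
    fi
    if [ $((kb_bits % 8)) -ne 0 ]; then
        echo "key_bytes: $kb_bits bits is not a whole number of bytes" >&2
        return 1
    fi
    echo $((kb_bits / 8))
}

# make_key ALGORITHM BITS FILE: generate the key with dd (as on the slide) and
# lock it down; fails if dd produced the wrong number of bytes
make_key() {
    mk_bytes=$(key_bytes "$1" "$2") || return 1
    # umask 077 in a subshell: the file is never readable by others, not even
    # for the instant between dd creating it and chmod running
    ( umask 077 && dd if=/dev/urandom of="$3" bs="$mk_bytes" count=1 2>/dev/null ) || return 1
    chmod 400 "$3" || return 1
    mk_actual=$(wc -c < "$3" | tr -d ' ')
    [ "$mk_actual" = "$mk_bytes" ]
}

# key_is_protected FILE: true when FILE is mode 400 (owner read only)
key_is_protected() {
    [ "$(ls -l "$1" | cut -c1-10)" = "-r--------" ]
}
```

With these in place the AES example on the slide becomes make_key aes 128 ~/keyf/05.07.aes16, and a request such as key_bytes aes 256 is refused because the table only allows 128-bit AES keys, rather than silently producing a file that encrypt will reject later.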


Kerberos Enhancements


Kerberos Enhancements
The KDC software, the user commands and applications now support TCP
Support for IPv6 was added to the kinit, klist and kprop commands. Support for IPv6 addresses is provided by default. There are no configuration parameters to change to enable IPv6 support. No IPv6 support is available for the kadmin and kadmind commands.
A new PAM module called pam_krb5_migrate has been introduced. Helps in the automatic migration of users to the local Kerberos realm, if they do not already have Kerberos accounts.
The ~/.k5login file can now be used with the GSS applications ftp and ssh
The kproplog utility has been updated to output all attribute names per log entry


Kerberos Enhancements - 2

Kerberos protocol support is provided in remote applications, such as ftp, rcp, rdist, rlogin, rsh, ssh, and telnet
The Kerberos principal database can now be transferred by incremental update instead of by transferring the entire database each time:
Increased database consistency across servers
The need for fewer resources (network, CPU, and so forth)
Much more timely propagation of updates
An automated method of propagation


Kerberos Enhancements - 3
A new script to help automatically configure a Kerberos client
Several new encryption types have been added to the Kerberos service:
The AES encryption type can be used for high speed, high security encryption of Kerberos sessions. The use of AES is enabled through the Cryptographic Framework.
ARCFOUR-HMAC provides better compatibility with other Kerberos versions.
Triple DES (3DES) with SHA1 increases security. This encryption type also enhances interoperability with other Kerberos implementations that support this encryption type.


Kerberos Enhancements - 4
A new -e option has been included in several subcommands of the kadmin command. This new option allows for the selection of the encryption type during the creation of principals.
Additions to the pam_krb5 module manage the Kerberos credentials cache by using the PAM framework.
Support is provided for auto-discovery of the Kerberos KDC, admin server, kpasswd server, and host or domain name-to-realm mappings by using DNS lookups
A new configuration file option makes the strict TGT verification feature optionally configurable on a per-realm basis


Kerberos Enhancements - 5
Extensions to the password-changing utilities enable the Solaris Kerberos V5 administration server to accept password change requests from clients that do not run Solaris software.
The default location of the replay cache has been moved from RAM-based file systems to persistent storage in /var/krb5/rcache
The GSS credential table is no longer necessary for the Kerberos GSS mechanism
The Kerberos utilities, kinit and ktutil, are now based on MIT Kerberos version 1.2.1
The Solaris Kerberos Key Distribution Center (KDC) is now based on MIT Kerberos version 1.2.1


Packet Filtering


Packet Filtering Overview

Solaris used to have nothing, then SunScreen was commercial, then SunScreen was included, now ipfilter is standard
Solaris IP Filter is a host-based firewall that is derived from the open source IP Filter code, developed and maintained by Darren Reed

Based on version 4.0.33 of the open source IP Filter
Uses the STREAMS module, pfil, to intercept packets
By default, pfil is not autopushed onto network interface cards (NICs). Autopush of pfil is disabled for all drivers


Packet Filtering Overview - 2
Provides packet filtering and network address translation (NAT), based upon a user-configurable policy
Rules are configurable to filter either statefully or statelessly
Command line interface only:
ipf for loading or clearing packet filter rules
ipnat for loading or clearing NAT rules
ippool for managing address pools associated with IP rules
ipfstat for viewing per-interface statistics
ipmon for viewing logged packets

Good info at http://www.obfuscation.org/ipf/
Only works in the global zone (so far)


ipfilter Details
Can match on the following IP header fields:
Source or destination IP address (including inverted matches)
IP protocol
TOS (Type of Service)
IP options or IP security classes
Fragment

In addition it can:
Distinguish between various interfaces
Return an ICMP error or TCP reset for denied packets
Keep packet state information for TCP, UDP, and ICMP packet flows
Keep fragment state information for any IP packet, applying the same rule to all fragments in that packet
Use redirection to set up true transparent proxy connections
Provide packet header details to a user program for authentication
Provide temporary storage of pre-authenticated rules for passing packets


ipfilter Details - 2

Special provision is made for the three most common Internet protocols, TCP, UDP and ICMP. Can match based on:
TCP or UDP packets by port number or a port number range
ICMP packets by type or code
Established TCP packet sessions
Any arbitrary combination of TCP flags

Note IPMP only supports stateless packet filtering


Enable ipfilter

Disabled by default
Assume a role that includes the Network Management rights profile, or become superuser
Edit /etc/ipf/pfil.ap
Uncomment the interface(s) to filter on
Put filter rules in /etc/ipf/ipf.conf for automatic use at boot
Put NAT rules in /etc/ipf/ipnat.conf for automatic use at boot
Put pool config info in /etc/ipf/ippool.conf


/etc/ipf/ipf.conf

Rules processed top to bottom
Entire ruleset is run, not just until a match
Last matching rule always has precedence
“quick” rule option says to stop processing if match

pass in quick on lo0 all
pass out quick on lo0 all
block in log all
block out all
pass in quick proto tcp from any to any port = 113 flags S keep state
pass in quick proto tcp from any to any port = 22 flags S keep state
pass in quick proto tcp from any port = 20 to any port 39999 >< 45000 flags S keep state
pass out quick proto icmp from any to any keep state
pass out quick proto tcp/udp from any to any keep state keep frags
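The "last match wins, unless quick" rule is where ipf.conf differs from most firewall languages, and it is easy to test one's understanding against a real packet walk. The awk evaluator below is an added example, not part of the slides or of IP Filter itself: it implements exactly the two rules stated above over a constructed ruleset modelled on the slide's, to which two port-80 rules without quick have been added so that the override behaviour is visible. It understands only the subset of syntax used here (action, direction, quick, on IF, proto P[/Q], and a destination port = N); log, flags and keep state are skipped, and the function name and output format are this example's own.

```shell
#!/bin/sh
# Added example, not from the slides: a small awk evaluator for the two rules
# the slide states (every rule is examined, the last match wins, "quick" stops
# evaluation at the first match). It understands only the subset of ipf.conf
# syntax used here: action, direction, quick, "on IF", "proto P[/Q]" and a
# destination "port = N"; everything else (log, flags, keep state) is skipped.
# IPF_RULES is a constructed ruleset modelled on the slide; the two port-80
# rules are added to show what happens when "quick" is left off.

IPF_RULES='pass in quick on lo0 all
pass out quick on lo0 all
block in log all
block out all
pass in quick proto tcp from any to any port = 113 flags S keep state
pass in quick proto tcp from any to any port = 22 flags S keep state
pass in proto tcp from any to any port = 80 flags S keep state
block in proto tcp from any to any port = 80
pass out quick proto icmp from any to any keep state
pass out quick proto tcp/udp from any to any keep state keep frags'

# ipf_decide DIRECTION INTERFACE PROTO DSTPORT
# prints "pass (rule N)" or "block (rule N)"; a packet matching no rule is
# passed, which is IP Filter's default and the reason the "block ... all"
# rules are there
ipf_decide() {
    printf '%s\n' "$IPF_RULES" | awk -v dir="$1" -v ifc="$2" -v proto="$3" -v port="$4" '
    NF == 0 || $1 ~ /^#/ { next }
    {
        action = $1; rdir = $2
        quick = 0; rif = ""; rproto = ""; rport = ""
        for (i = 3; i <= NF; i++) {
            if ($i == "quick")                        quick = 1
            else if ($i == "on")                      rif = $(i + 1)
            else if ($i == "proto")                   rproto = $(i + 1)
            else if ($i == "port" && $(i + 1) == "=") rport = $(i + 2)
        }
        if (rdir != dir) next
        if (rif != "" && rif != ifc) next
        # "tcp/udp" lists several protocols; match if ours is one of them
        if (rproto != "" && index("/" rproto "/", "/" proto "/") == 0) next
        if (rport != "" && rport != port) next
        result = action; matched = NR        # a later match overwrites an earlier one
        if (quick) exit                      # quick: stop here (END still runs)
    }
    END {
        if (result == "") print "pass (no rule matched)"
        else print result " (rule " matched ")"
    }'
}
```

Inbound tcp/80 is the instructive case: rule 7 passes it, but because that rule lacks quick, evaluation continues and rule 8 (block) is the last match, so the packet is dropped. Inbound tcp/22 is passed at rule 6 despite the earlier block in log all, because quick ends evaluation there. A pass rule without quick is therefore only as good as every rule that follows it.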


/etc/ipf/ipnat.conf

Very feature rich translation of addresses and ports
Some examples:

map eri1 192.168.1.0/24 -> 20.20.20.1/32
map eri1 192.168.1.0/24 -> 0/32 portmap tcp/udp auto
map eri1 192.168.1.0/24 -> 20.20.20.1/32 proxy port ftp ftp/tcp
rdr eri1 20.20.20.5/32 port 80 -> 192.168.0.5, 192.168.0.6, port 8000


/etc/ipf/ippool.conf

Pool of addresses used by ipfilter
Used for defining a single object that contains multiple IP address / netmask pairs
Then a rule can be applied to a pool
ipf rule: pass in from pool/100 to any

table role = ipf type = tree number = 100
{ 1.1.1.1/32, 2.2.0.0/16, !2.2.2.0/24 };


ipfilter status

ipfstat -io shows current filter rules
ipfstat shows the current state table
ipfstat -s shows state statistics
ipfstat -t shows top-like status information
ippool -s shows pool statistics
ipnat -s shows NAT statistics
ndd -get /dev/pfil qif_status shows pfil statistics in the kernel
ipmon -a shows the ipfilter log


BART


BART
Basic Auditing and Reporting Tool
Quick and easy way to collect info on filesystem objects and their attributes
Then use to look for changes
Much like tripwire, but integral to Solaris 10

Create and compare modes
Create
Entire system, specific dirs, subset of files, or specific rules based
Creates manifest
Compare
Take two manifests and optional rules and output comparison information
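The create/compare flow, as an added example that is neither BART itself nor taken from the slides: one sh function builds a manifest (per regular file: path, checksum, size and mode string), a second compares two manifests and reports what was added, deleted or changed. The function names, the manifest layout and the report format are this example's own. cksum (a CRC-32) stands in for BART's checksum only because it exists on every Unix; it is not collision resistant, so treat the block as an illustration of the workflow rather than as an integrity control.

```shell
#!/bin/sh
# Added example, not from the slides and not BART itself: the create/compare
# idea in two shell functions. The "manifest" records, per regular file, a
# checksum, the size and the mode string; a second manifest is then compared
# against the first to report added, deleted and changed files. cksum (CRC-32)
# stands in for BART's checksum only because it is available everywhere; it is
# not collision resistant, so use it to follow the flow, not as a control.

# manifest_create DIR: one line per regular file under DIR:
# "path checksum size mode"
manifest_create() {
    ( cd "$1" || exit 1
      find . -type f | sort | while read -r f; do
          # cksum prints: crc size name; paths are assumed to contain no whitespace
          crc_size=$(cksum "$f" | awk '{ print $1, $2 }')
          mode=$(ls -ld "$f" | cut -c1-10)
          printf '%s %s %s\n' "$f" "$crc_size" "$mode"
      done )
}

# manifest_compare OLD NEW: print "added PATH", "deleted PATH" or
# "changed PATH" for every difference between the two manifests; a mode
# change with identical content is still reported as changed, as BART does
manifest_compare() {
    awk '
    FILENAME == ARGV[1] { old[$1] = $2 " " $3 " " $4; next }   # baseline
    {
        if (!($1 in old))                      print "added " $1
        else if (old[$1] != $2 " " $3 " " $4)  print "changed " $1
        delete old[$1]
    }
    END { for (p in old) print "deleted " p }' "$1" "$2"
}
```

The baseline manifest is only worth something if it is stored where the monitored host cannot rewrite it, which is the point of the centralising advice on the next slide; a manifest kept on the same disk it describes can be regenerated by whoever changed the files.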


BART

Good info on centralizing, securing, and automating use of BART from http://blogs.sun.com/roller/page/gbrunett/20041001#automating_solaris_10_file_integrity

Information on tying BART together with the Solaris Fingerprint Database (available for free from SunSolve: http://www.sun.com/blueprints/0501/Fingerprint.pdf) to find changes to files shipped by Sun, available from http://www.securitydocs.com/library/2693


Conclusions


Conclusions

Lots of new security features in Solaris 10
Zones possibly most powerful for admins
Privileges most powerful for system software
Moves to become more industry-compatible:
ipfilter
Kerberos
NIS to LDAP
Powerful new APIs:
Solaris Crypto Framework


Conclusions - 2

SMF allows fine-grained service control and debugging
Still use security best practices (host lockdown, good passwords, etc)
Not new, but be sure sendmail is preventing relaying
http://www.sun.com/bigadmin/features/articles/config_sendmail.html

Other interesting features not covered here:
Smart Card API
SASL


References
Sun Security Home Page
http://www.sun.com/security
Solaris Patches & Finger Print Database
http://sunsolve.sun.com/
Sun Security Coordination Team
http://sunsolve.sun.com/security
Sun BluePrints for Security
http://www.sun.com/blueprints
Developing a Security Policy
Trust Modelling for Security Arch. Development
Building Secure n-Tier Environments
How Hackers Do It: Tricks, Tips and Techniques
Solaris OE Security
http://www.sun.com/solaris
http://www.sun.com/security/jass
Trusted Solaris OE
http://www.sun.com/solaris/trustedsolaris
Java Security
http://java.sun.com/security
Network and Security Products
http://www.sun.com/servers/entry/checkpoint
http://www.sun.com/networking
http://docs.sun.com Solaris 10 collection

Some slides copyright Sun Microsystems, all rights reserved