best practices for keeping your oracle solaris workloads ... · pdf filecommitment to deliver...
Post on 14-Mar-2018
219 Views
Preview:
TRANSCRIPT
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
Best Practices for keeping your Oracle Solaris workloads secureCON6298
Darren J MoffatSenior Principal EngineerOracle Solaris EngineeringOctober, 2017
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
Safe Harbor Statement
The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.
3
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
Continuous Security 3 Axis of Risk needs 3 Axis of Control
4
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
Threat #1:Stolen privileged user credentialsPeople
5
Copyright © 2017 Oracle and/or its affiliates. All rights reserved. |
100%Of investigated data breaches involved stolen credentials
Privileged User Access needs more control than a simple 8 character password
Administrators have too many passwords
6
Source: Mandiant Threat Report, 2015
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
Oracle Solaris Helps mitigate Credential Abuse/Misuse
Time & Location Based Delegation
Activity-based profiles delivered with Solaris.
Not just a framework
Built in Multi-Factor Authentication
Smartcard & Standards based One Time Password
Secure Remote Audit and Logging
7
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
Authentication/Account Management
• UNIX pam_unix_{auth,cred,account}– Password (using strong hashes)
– Time/Day based Access
• LDAP
• Kerberos
• One Time Password (New in Solaris 11.3 SRU)– IETF Standards Based HOTP or TOTP
– Compatible with Google Authenticator, Yubikey and many others
• Smartcard pam_pkcs11 + PC/SC + USB CCID (New in Solaris 11.3 SRU)
Core PAM modules
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
Control Where & When
• Qualification of profile assignments to: user/host/netgroup– LDAP lookup order:
• Host specific
• Netgroup specific
• Unqualified
• Allows granting a user rights on a subset of hosts
• Use in conjunction with Time Based control & Multi-factor
• For Example:– Network Management only granted Mon-Fri 9-5 on development hosts
– Require use of Password + OTP
Scoping RBAC Profiles
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
Authentication
• Authentication policy set per system:
– /etc/security/policy.conf:PAM_POLICY=ldap
• Per User authentication policy overrides
– Policy stored with RBAC data
# usermod –S ldap –K pam_policy=krb5 darrenm
# usermod –S ldap –q @prod_db_hosts –K pam_policy=otp darrenm
# usermod –S ldap –q @dev_web_hosts –K pam_policy=unix darrenm
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
Granting administrator rights
# usermod –S ldap –q @dev –K profiles+=”Network Management” darrenm
$ pfexec ipadm create-addr …
# usermod –K auth_profiles+=”Network Management” darrenm
$ ipadm create-addr …
Re-authentication by darrenm is required to use profile:
Network Management
(Use ^C to cancel)
Password: ************
OTP Code: ******
Directly assigned to users, alternative to using shared account roles
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
Auditing
• First introduced with SunOS 3.5 as unbundled extra
• On by default in Solaris 11
• Events generated by privileged programs, syscalls, kernel subsystems
• Events grouped into Classes
• Upload events to Oracle Audit Vault, or send binary trail over secure transport or use syslog
• Session Annotation (at login and privilege elevation) planned for 11.4
Who, What, When, Where, Why
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
Threat #2:Unpatched and misconfigured systemsPlatform
13
Copyright © 2017 Oracle and/or its affiliates. All rights reserved. |
99.9%Of the exploited vulnerabilities were compromised more than a year after the CVE was published
14
Source: Verizon Data Breach Investigations Report, 2015
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
Exploited Vulnerabilities Compromised
15
74%
OF ORGANIZATIONSTAKE 3 MONTHS+
TO PATCH
Source: Verizon Data Breach Investigations Report, 2015; IIOUG Data Security Survey, 2014
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
• If it isn’t installed– You don’t need to patch the security
vulnerabilities– Your auditor won’t get false positives on
versions– It can’t be configured in a non-compliant way
• Group packages as starting points– Add only what you need– Packages removed from a group stay removed
unless required in future for a dependency.– Better to start small & add than start big &
remove
• Signed packages using secure transport from boot loader onwards
Install Compliant Minimized Oracle Solaris
16
• pkg:/group/system/solaris-minimal-server– Minimal supported installation
• pkg:/group/system/solaris-small-server– Adds major features such as Oracle Solaris Zones
• pkg:/group/system/solaris-large-server– Adds most features including automated installer, many
more services
• pkg:/group/prerequisite/oracle/oracle-rdbms-server-12-1-preinstall– Oracle Database dependencies
• pkg:/group/prerequisite/oracle/oracle-ebs-server-R12-preinstall– Oracle E-Buisiness Server R12 dependencies
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
One Step Security Patching
# pkg update solaris-11-cpu@latest
The solaris-11-cpu IPS package contains the CVE number to package version mapping.
Integrated with Compliance Reporting
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
Simple AdministrationMajor Financial Customer’s Experiences Patching Oracle Solaris vs. Red Hat
18
Red HatEnterprise Linux
Solaris 1116X
Servers/AdminMANAGE
4000300020001000
250
4000
Machines/Administrator
1-Step Security Patching
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
Exploit Mitigation
• Prevent or reduce the ability of an attacker to take advantage of a bug
• Study attackers techniques, deploy counter measures
• Tradeoff between performance, usability and security
• Not all scenarios/mitigations are the same
– Some require hardware support
–Others require compiler support
– The best are runtime defences the OS gives you without performance impact
–NONE are full proof
Introduction
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
Exploit Mitigation
• Support of Architecture-provided protections
– Intel SMEP (Supervisor Mode Execution Prevention)
– SPARC fully separated user/kernel address space
• Reduced Kernel information leaking– /proc wchan, netstat socket addresses, modinfo module addresses…
• Per process/binary software mitigations
Architectural features
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
Exploit mitigation features: sxadm(8)
NXSTACKNon Executable Stack
Been around since Solaris 2.6 but now controlled via sxadm(8)Now on by defaultTag at build time with: -z nxstack=enable|disable
NXHEAPNon Executable Heap
New in 11.3, not enabled system wide by default since there are a small number of legitimate uses for an executable HEAP.Tag binaries at build time with: -z nxheap=enable|disable
ASLR Address Space Layout Randomisation
Added 11.1Not enabled system wide by default
sxadm delcust Go back to vendor delivered defaults
Install Time Policy svccfg extract security-extensions
21
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
Silicon Secured MemoryAvailable in Oracle SPARC S7, T7, M7, T8, M8 systems
• First hardware based memory protection
• Stops attackers from accessing application memory inappropriately
• Always on without compromise
• Improved efficiency & more secure and higher available applications
• Compatible with current applications
• Public API in libadi or system allocator
22
Application Memory
Pointer “B” GO
M7 Processor
Pointer “A”GO
Pointer “Y”
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
Oracle SPARC Exploit Mitigation with SSM planned for 11.4
ADISTACKNon Executable Stack
Automatic detection of buffer overflows that overwrite the register save area of a stack frame when the save area contains valid contents.
ADIHEAPNon Executable Heap
Heap allocators (such as malloc() in libc) may use this feature to reliably detect adjacent buffer overflows and statistically defend against stray pointers and use-after-free.
Kernel ADIKernel Heap Memory and buffer tag protection.Not able to be disabled so doesn’t show up in sxadm.
23
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
Tamper Resistant Immutable Systems
– Reduce risk of establishing a foothold
– Prevent administrator mistakes
– Update even though it’s un-writable by admin users and applications
Tamper Evident Software
– Firmware to Applications
– Install only known, trusted software
– Verified Boot
24
Continuous Security Protection
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
Immutable System
• Lock down a system with preconfigured security profiles
• Trusted Services via SMF planned for 11.4
25
Strict
Full read only root file system, log and audit remotely
Fixed Configuration
write to most of /var, local audit/log trail
Flexible
modify configuration, binaries still read-only
Dynamic-zones
As Fixed but allows add/remove of zones
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
Lifecycle: Immutable Zones Example
# zonecfg -z myzone 'set file-mac-profile=fixed-configuration’
# zoneadm -z myzone boot
# zlogin myzone
[Connected to zone 'myzone' pts/3]
myzone# rm /etc/passwd
rm: /etc/passwd: override protection 644 (yes/no)? y
rm: /etc/passwd not removed: Read-only file system
myzone# pkg install emacs
pkg install: Could not complete the operation on /var/pkg/lock:
read-only filesystem.
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
Sandboxing Applications
• File read & write privileges take pathnames
– {file_write}:/var/log/my-app-errors.log
• net_privaddr: Port number ranges and protocol
– {net_privaddr}:443/tcp
• proc_setid: username or uid range
• proc_exec: pathname
• File and proc_exec can use wildcards in last path component eg:– {proc_exec}:/usr/bin/*
Control Privileged and Non Privileged Applications
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
My auditor says delete all the setuid root programs!
• The setuid bit for a root owned file is now just a marker
• Kernel upcalls to pfexecd asking for privilege specification
• Examples:• Forced Privilege:solaris:cmd:RO::/usr/lib/utmp_update:\
• privs={zone}\:/system/volatile/utmp*
• Forced Privilege:solaris:cmd:RO::/usr/sbin/ping:\
• privs=net_icmpaccess,sys_ip_config
• Forced Privilege:solaris:cmd:RO::/usr/sbin/traceroute:\
• privs=net_icmpaccess,net_rawaccess
• Forced Privilege:solaris:cmd:RO::/usr/sbin/whodo:privs=proc_owner
Sandboxing setuid root programs
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
Compliance Reporting
• Auditors want comprehensive reports– Don’t always have deep knowledge of OS, Application, Deployment Context
– Auditors often use tools which use wrong interfaces for OS release
• Configuration reporting is a low value activity for expensive staff
• Provide correct compliance check interfaces for OS release
• Provide vendor interpretation of security controls (> 200 Checks in 11.3)
• Don’t force customers to use 3rd party products –– Integrate with them using standard data formats SCAP/OVAL/XCCDF
• Integrates with Oracle Enterprise Manager Compliance Pack
Why Solaris Compliance reporting?
29
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
Simple, Tailor-able Compliance Reporting
30
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
Threat #3:Direct data accessData
31
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
52%
34%
11%
4%
Database
Network
Application
Middleware
IT Layers Most Vulnerable To Attacks
67%
15%
15%
3%
Database
Network
Application
Middleware
Allocation of Resources To Secure IT Layer
Source: CSO Online MarketPulse, 2013
Network Security is Not Enough: Protect the Data!
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
Data at Rest Encryption with ZFS
• High Performance hardware accelerated crypto on SPARC & Intel platforms
• FIPS 140-2 validated cryptography
• ZFS Online key wrapping key and data key change
• ZFS encryption works with compression and deduplication
• All ZFS filesystem data & metadata encrypted
• Available in Solaris & Oracle ZFS Storage Appliance
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
Standards Based Key Management
• Key Management Interoperability Protocol
– Standardised by OASIS
– Several Oracle product groups are active participants or hold key roles
• Delivered in Solaris 11.3 SRU– Libkmip, pkcs11_kmip, kmipcfg
• Provides integration to Oracle Key Vault (OKV) for Solaris
– eg, ZFS data set encryption & Oracle Database TDE wrapping keys in OKV
KMIP
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
Install and Maintain Security & ComplianceTraditional or DevOps Deployment
Develop & Test
Lock Down
VM
Create Unified Archive
Securely Deploy into Production
Generate Reports for Compliance
Lock DownRead-OnlyOracle Solaris Zones
Unified Archive
35
Generate Reports for Compliance
Copyright © 2017, Oracle and/or its affiliates. All rights reserved. |
Leading Crypto Performance. Easiest to use, best integrated Security,
Compliance and data protection. Combined with best of breed open source security tools, Compliance Auditor Friendly
All Supported at least until 2034
36
top related