Solaris 11 Security - a live demo in slides
TRANSCRIPT
c0t0d0s0.org

Solaris 11 Security - a live demo in slides
by Joerg "c0t0d0s0.org" Möllenkamp
This slideset was made as a fallback for a live demo at a series of Oracle Breakfast events in Germany, as the presentation diverted a lot at the first location in the light of recent events around privacy and security.
However, most of the information is in the voice track, which wasn't recorded, so this presentation may not be that useful.
If you need the voice track, ask your Oracle sales rep to ask his manager to ask my manager to let me do the presentation in your country ;)

Primarily I used examples from my practical work and from my own blog; however, I would like to thank two colleagues:
Glenn Faden for "Oracle Solaris Extended Policy and MySQL", https://blogs.oracle.com/gfaden/entry/oracle_solaris_extended_policy_and
Darren Moffat for "Compliance reporting with SCAP", https://blogs.oracle.com/darren/entry/compliance_reporting_with_scap
I directly reused their blog entries for this presentation.
Certifications
Solaris 10 Common Criteria Evaluation: certified at EAL4+ level.

We have a Common Criteria certification for Solaris 10 at the moment; for Solaris 11 in the future.
However, a Common Criteria certification doesn't certify "security" as such: it certifies that the evaluated configuration meets the claims of the chosen protection profiles, at the stated assurance level.

Solaris 10 Trusted Extensions Common Criteria Evaluation: certified at EAL4+ level.
http://www.oracle.com/technetwork/topics/security/oracle-cc-eval-solaris-083233.html#sol10U3TX
The following protection profiles were used: Controlled Access Protection Profile (CAPP), Role Based Access Control Protection Profile (RBACPP), Labeled Security Protection Profile (LSPP).

Solaris 11.1 is currently in certification:
http://www.oracle.com/technetwork/topics/security/security-evaluations-099357.html#InEvaluated
Is it really a Solaris 11 binary?

jmoekamp@server:~$ elfsign verify -v /usr/bin/oscap
elfsign: verification of /usr/bin/oscap passed.
format: rsa_md5_sha1
signer: CN=SunOS 5.10, OU=Solaris Signed Execution, O=Sun Microsystems Inc

elfsign checks the signature embedded in the ELF file against the certificates trusted by the system, so a passing verification tells you the file was signed with the Solaris signing key and has not been modified since. To check a whole installed package (hashes, ownership, permissions) against its manifest, use pkg verify in addition.
Sandboxing applications on Solaris 11.1

Extended policy lets you grant a privilege for a specific object only (a port, a path) instead of process-wide. Glenn Faden's MySQL example: the method script runs with the basic set minus file_write, plus net_privaddr for 3306/tcp only and file_write only for the data directory, the socket and the InnoDB temp files.

root@solaris:~# profiles -p "MySQL Service"
profiles:MySQL Service> set desc="Locking down the MySQL Service"
profiles:MySQL Service> add cmd=/lib/svc/method/mysql_51
profiles:MySQL Service:mysql_51> set privs=basic
profiles:MySQL Service:mysql_51> add privs={net_privaddr}:3306/tcp
profiles:MySQL Service:mysql_51> add privs={file_write}:/var/mysql/5.1/data/*
profiles:MySQL Service:mysql_51> add privs={file_write}:/tmp/mysql.sock
profiles:MySQL Service:mysql_51> add privs={file_write}:/var/tmp/ib*
profiles:MySQL Service:mysql_51> end
profiles:MySQL Service> set uid=mysql
profiles:MySQL Service> set gid=mysql
profiles:MySQL Service> exit
root@solaris:~#

Attach the profile to the SMF service so that its method runs under it:

root@solaris:~# svccfg -s mysql:version_51
svc:/application/database/mysql:version_51> setprop method_context/profile="MySQL Service"
svc:/application/database/mysql:version_51> setprop method_context/use_profile=true
svc:/application/database/mysql:version_51> refresh
svc:/application/database/mysql:version_51> exit

Make 3306 a privileged port, so that binding it requires net_privaddr (which the policy grants for that port only; any other process would need the full privilege):

root@solaris:~# ipadm set-prop -p extra_priv_ports+=3306 tcp
root@solaris:~# ipadm show-prop -p extra_priv_ports tcp
PROTO PROPERTY          PERM CURRENT        PERSISTENT DEFAULT   POSSIBLE
tcp   extra_priv_ports  rw   2049,4045,3306 --         2049,4045 1-65535

root@solaris:~# svcadm enable mysql:version_51

root@solaris:~# ppriv $(pgrep mysql)
103697: /usr/mysql/5.1/bin/mysqld --basedir=/usr/mysql/5.1 --datadir=/var/mysq
flags = PRIV_XPOLICY
        Extended policies:
                {net_privaddr}:3306/tcp
                {file_write}:/var/mysql/5.1/data/*
                {file_write}:/tmp/mysql.sock
                {file_write}:/var/tmp/ib*
        E: basic,!file_write
        I: basic,!file_write
        P: basic,!file_write
        L: all
103609: /bin/sh /usr/mysql/5.1/bin/mysqld_safe --user=mysql --datadir=/var/mys
flags = PRIV_XPOLICY
        Extended policies:
                {net_privaddr}:3306/tcp
                {file_write}:/var/mysql/5.1/data/*
                {file_write}:/tmp/mysql.sock
                {file_write}:/var/tmp/ib*
        E: basic,!file_write
        I: basic,!file_write
        P: basic,!file_write
        L: all

Note the "!file_write": the privilege is removed from the basic set and comes back only for the listed paths, so a compromised mysqld cannot write anywhere else.

Find more information regarding this feature at https://blogs.oracle.com/gfaden/entry/oracle_solaris_extended_policy_and
Passwords

root@client:/etc/security# cat /etc/security/crypt.conf
#
# Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
#ident  "%Z%%M% %I%     %E% SMI"
#
# The algorithm name __unix__ is reserved.
#
1       crypt_bsdmd5.so.1
2a      crypt_bsdbf.so.1
md5     crypt_sunmd5.so.1
5       crypt_sha256.so.1
6       crypt_sha512.so.1

CRYPT_DEFAULT in policy.conf selects which of these modules hashes new passwords; the $id$ prefix of a hash in /etc/shadow tells you which one was used (5 = SHA-256 crypt here):

root@client:/etc/security# cat /etc/security/policy.conf | egrep "^CRYPT_DEFAULT"
CRYPT_DEFAULT=5
root@client:/etc/security# cat /etc/shadow | grep junior
junior:$5$4aKvDFqA$2kL8GpuXjrdf8XpanqhylEP5lDhy1DF5uo1ZYx74f31:...

Password complexity rules live in /etc/default/passwd. These are the shipped defaults; PASSLENGTH=6 and HISTORY=0 in particular are a starting point to tighten, not a hardened setting:

root@client:/etc/security# cat /etc/default/passwd | grep -v "^# " | egrep -v "^$"
#ident  "%Z%%M% %I%     %E% SMI"
MAXWEEKS=
MINWEEKS=
PASSLENGTH=6
NAMECHECK=NO
HISTORY=0
MINDIFF=3
MINALPHA=2
MINNONALPHA=1
MINUPPER=0
MINLOWER=0
MAXREPEATS=0
MINSPECIAL=0
MINDIGIT=0
WHITESPACE=YES
DICTIONLIST=
DICTIONDBDIR=/var/passwd

A dictionary check needs a dictionary database, built with mkpwdict:

root@client:~# mkpwdict -s /usr/share/lib/dict/words
mkpwdict: using default database location /var/passwd.

or

root@client:~# mkpwdict -s /usr/share/lib/dict/words -d /var/passwd
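To see what the tunables above actually reject, here is an added example (not from the slides, and not the pam_authtok_check code Solaris itself uses): an offline re-implementation of the /etc/default/passwd rules as documented in passwd(1), plus a helper that maps the $id$ prefix of a shadow hash to the crypt.conf module that produced it. The MINDIFF and MAXREPEATS semantics are approximated; the settings and the crypt.conf table are the ones shown above.

```python
"""Offline model of the /etc/default/passwd checks and of crypt.conf lookups.

Added example, not from the slides and not the Solaris implementation; it
approximates pam_authtok_check(5) closely enough to test a policy."""
import re

# The /etc/default/passwd settings shown on the slide (comment lines removed).
DEFAULT_PASSWD = """\
PASSLENGTH=6
NAMECHECK=NO
HISTORY=0
MINDIFF=3
MINALPHA=2
MINNONALPHA=1
MINUPPER=0
MINLOWER=0
MAXREPEATS=0
MINSPECIAL=0
MINDIGIT=0
WHITESPACE=YES
DICTIONLIST=
DICTIONDBDIR=/var/passwd
"""

# The module table from /etc/security/crypt.conf as shown on the slide.
CRYPT_CONF = {
    "1": "crypt_bsdmd5.so.1",
    "2a": "crypt_bsdbf.so.1",
    "md5": "crypt_sunmd5.so.1",
    "5": "crypt_sha256.so.1",
    "6": "crypt_sha512.so.1",
}


def parse_default_passwd(text):
    """Parse KEY=VALUE lines; an empty value means the tunable is unset."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            cfg[key.strip()] = value.strip()
    return cfg


def hash_algorithm(shadow_hash):
    """Return the crypt.conf module behind a shadow hash.

    A hash without a $id$ prefix is traditional Unix DES, reserved as __unix__."""
    m = re.match(r"\$([^$]+)\$", shadow_hash)
    if not m:
        return "__unix__"
    return CRYPT_CONF.get(m.group(1), "unknown:" + m.group(1))


def check_password(candidate, cfg, old_password=None, username=None, dictionary=()):
    """Return the list of rules the candidate violates (empty list: it passes)."""

    def num(key, default=0):
        value = cfg.get(key, "")
        return int(value) if value else default

    problems = []
    if len(candidate) < num("PASSLENGTH", 6):
        problems.append("shorter than PASSLENGTH")
    if cfg.get("WHITESPACE", "YES").upper() == "NO" and any(c.isspace() for c in candidate):
        problems.append("whitespace not allowed (WHITESPACE=NO)")
    if cfg.get("NAMECHECK", "YES").upper() == "YES" and username and username.lower() in candidate.lower():
        problems.append("contains the login name (NAMECHECK=YES)")
    alpha = sum(c.isalpha() for c in candidate)
    if alpha < num("MINALPHA"):
        problems.append("fewer than MINALPHA letters")
    if len(candidate) - alpha < num("MINNONALPHA"):
        problems.append("fewer than MINNONALPHA non-letters")
    if sum(c.isupper() for c in candidate) < num("MINUPPER"):
        problems.append("fewer than MINUPPER upper-case letters")
    if sum(c.islower() for c in candidate) < num("MINLOWER"):
        problems.append("fewer than MINLOWER lower-case letters")
    if sum(c.isdigit() for c in candidate) < num("MINDIGIT"):
        problems.append("fewer than MINDIGIT digits")
    if sum(not c.isalnum() for c in candidate) < num("MINSPECIAL"):
        problems.append("fewer than MINSPECIAL special characters")
    # MAXREPEATS=0 disables the check; otherwise a run of more than MAXREPEATS
    # identical consecutive characters is rejected (approximation).
    maxrep = num("MAXREPEATS")
    if maxrep and re.search(r"(.)\1{%d,}" % maxrep, candidate):
        problems.append("a character repeats more than MAXREPEATS times")
    if old_password is not None:
        # Position-wise differences plus the length difference (approximation of MINDIFF).
        differing = sum(a != b for a, b in zip(candidate, old_password))
        differing += abs(len(candidate) - len(old_password))
        if differing < num("MINDIFF"):
            problems.append("fewer than MINDIFF characters differ from the old password")
    # The dictionary stands in for the database that mkpwdict builds from DICTIONLIST.
    if candidate.lower() in {w.lower() for w in dictionary}:
        problems.append("found in the dictionary (mkpwdict database)")
    return problems
```

With the slide's defaults, "abc" fails on length and on MINNONALPHA only, while "Hamburg2013" passes even though it changes a single character from "Hamburg2012" only when no old password is supplied; that is the kind of gap the defaults leave open.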
Address Space Layout Randomization
Run pmap on itself twice with ASLR disabled: heap, libraries and stack land at identical addresses in both runs.

root@solaris:~# sxadm exec -s aslr=disable /usr/bin/pmap self
1914:   /usr/bin/pmap self
0000000000400000         28K r-x--  /usr/bin/pmap
0000000000417000          4K rw---  /usr/bin/pmap
0000000000418000         40K rw---    [ heap ]
FFFF80FFBDDD0000        216K r-x--  /lib/amd64/libproc.so.1
FFFF80FFBDE16000          8K rw---  /lib/amd64/libproc.so.1
FFFF80FFBF430000       1764K r-x--  /lib/amd64/libc.so.1
FFFF80FFBF5F9000         64K rw---  /lib/amd64/libc.so.1
FFFF80FFBF609000         12K rw---  /lib/amd64/libc.so.1
FFFF80FFBF740000          4K rw---    [ anon ]
FFFF80FFBF750000         24K rwx--    [ anon ]
FFFF80FFBF760000          4K rw---    [ anon ]
FFFF80FFBF770000          4K rw---    [ anon ]
FFFF80FFBF780000          4K rw---    [ anon ]
FFFF80FFBF790000          4K rw---    [ anon ]
FFFF80FFBF792000          4K r--s-    [ anon ]
FFFF80FFBF795000        340K r-x--  /lib/amd64/ld.so.1
FFFF80FFBF7FA000         12K rwx--  /lib/amd64/ld.so.1
FFFF80FFBF7FD000          8K rwx--  /lib/amd64/ld.so.1
FFFF80FFBFFFD000         12K rw---    [ stack ]
 total             2556K

root@solaris:~# sxadm exec -s aslr=disable /usr/bin/pmap self
1915:   /usr/bin/pmap self
0000000000400000         28K r-x--  /usr/bin/pmap
0000000000417000          4K rw---  /usr/bin/pmap
0000000000418000         40K rw---    [ heap ]
FFFF80FFBDDD0000        216K r-x--  /lib/amd64/libproc.so.1
FFFF80FFBDE16000          8K rw---  /lib/amd64/libproc.so.1
FFFF80FFBF430000       1764K r-x--  /lib/amd64/libc.so.1
FFFF80FFBF5F9000         64K rw---  /lib/amd64/libc.so.1
FFFF80FFBF609000         12K rw---  /lib/amd64/libc.so.1
FFFF80FFBF740000          4K rw---    [ anon ]
FFFF80FFBF750000         24K rwx--    [ anon ]
FFFF80FFBF760000          4K rw---    [ anon ]
FFFF80FFBF770000          4K rw---    [ anon ]
FFFF80FFBF780000          4K rw---    [ anon ]
FFFF80FFBF790000          4K rw---    [ anon ]
FFFF80FFBF792000          4K r--s-    [ anon ]
FFFF80FFBF795000        340K r-x--  /lib/amd64/ld.so.1
FFFF80FFBF7FA000         12K rwx--  /lib/amd64/ld.so.1
FFFF80FFBF7FD000          8K rwx--  /lib/amd64/ld.so.1
FFFF80FFBFFFD000         12K rw---    [ stack ]
 total             2556K

With ASLR enabled, the same two runs:

root@solaris:~# sxadm exec -s aslr=enable /usr/bin/pmap self
1917:   /usr/bin/pmap self
0000000000400000         28K r-x--  /usr/bin/pmap
0000000000417000          4K rw---  /usr/bin/pmap
0000000000418000          8K rw---  /usr/bin/pmap
00000005D6666000         36K rw---    [ heap ]
00007FF669C70000        216K r-x--  /lib/amd64/libproc.so.1
00007FF669CB6000          8K rw---  /lib/amd64/libproc.so.1
00007FF669CC0000          4K rw---    [ anon ]
00007FF669CD0000         24K rwx--    [ anon ]
00007FF669CE0000          4K rw---    [ anon ]
00007FF669CF0000       1764K r-x--  /lib/amd64/libc.so.1
00007FF669EB9000         64K rw---  /lib/amd64/libc.so.1
00007FF669EC9000         12K rw---  /lib/amd64/libc.so.1
00007FF669ED0000          4K rw---    [ anon ]
00007FF669EE0000          4K rw---    [ anon ]
00007FF669EF0000          4K rw---    [ anon ]
00007FF669EF2000          4K r--s-    [ anon ]
00007FF669EFC000        340K r-x--  /lib/amd64/ld.so.1
00007FF669F61000         12K rwx--  /lib/amd64/ld.so.1
00007FF669F64000          8K rwx--  /lib/amd64/ld.so.1
FFFF80DDA254F000         16K rw---    [ stack ]
 total             2564K

root@solaris:~# sxadm exec -s aslr=enable /usr/bin/pmap self
1918:   /usr/bin/pmap self
0000000000400000         28K r-x--  /usr/bin/pmap
0000000000417000          4K rw---  /usr/bin/pmap
0000000000418000          8K rw---  /usr/bin/pmap
000000065B76D000         36K rw---    [ heap ]
00007FFAACFC0000        216K r-x--  /lib/amd64/libproc.so.1
00007FFAAD006000          8K rw---  /lib/amd64/libproc.so.1
00007FFAAD010000          4K rw---    [ anon ]
00007FFAAD020000         24K rwx--    [ anon ]
00007FFAAD030000          4K rw---    [ anon ]
00007FFAAD040000       1764K r-x--  /lib/amd64/libc.so.1
00007FFAAD209000         64K rw---  /lib/amd64/libc.so.1
00007FFAAD219000         12K rw---  /lib/amd64/libc.so.1
00007FFAAD220000          4K rw---    [ anon ]
00007FFAAD230000          4K rw---    [ anon ]
00007FFAAD240000          4K rw---    [ anon ]
00007FFAAD242000          4K r--s-    [ anon ]
00007FFAAD24D000        340K r-x--  /lib/amd64/ld.so.1
00007FFAAD2B2000         12K rwx--  /lib/amd64/ld.so.1
00007FFAAD2B5000          8K rwx--  /lib/amd64/ld.so.1
FFFF80DE1559E000         12K rw---    [ stack ]

What to look at: the executable's own text and data stay at 0x400000 in every run (pmap is linked at a fixed address, so only heap, libraries, anonymous mappings and stack are randomized), the heap is no longer adjacent to the program's data segment, and every library base moves between runs.

System-wide status and per-binary tagging. In the default "tagged-files" model only binaries carrying a SUNW_ASLR ENABLE dynamic tag are randomized; elfedit changes the tag of an individual binary:

root@solaris:~# sxadm info
EXTENSION           STATUS                        CONFIGURATION
aslr                enabled (tagged-files)        system default (default)
root@solaris:~# elfdump -d /usr/bin/pmap | grep ASLR
      [33]  SUNW_ASLR         0x2                 ENABLE
root@solaris:~# elfedit -e 'dyn:sunw_aslr disable' /usr/bin/pmap
root@solaris:~# elfdump -d /usr/bin/pmap | grep ASLR
      [33]  SUNW_ASLR         0x1                 DISABLE

Switching the model: "all" randomizes every binary except those explicitly tagged DISABLE; "tagged-files" randomizes only binaries tagged ENABLE.

root@solaris:~# sxadm enable -c model=all aslr
root@solaris:~# sxadm info
EXTENSION           STATUS                        CONFIGURATION
aslr                enabled (all)                 enabled (all)
root@solaris:~# sxadm disable aslr
root@solaris:~# sxadm info
EXTENSION           STATUS                        CONFIGURATION
aslr                disabled                      disabled
root@solaris:~# sxadm enable -c model=tagged-files aslr
root@solaris:~# sxadm info
EXTENSION           STATUS                        CONFIGURATION
aslr                enabled (tagged-files)        enabled (tagged-files)
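Reading four pmap listings by eye works for a demo; for a fleet you want the comparison automated. The following is an added example, not from the slides: it parses pmap(1) output from several runs of one binary and reports which objects moved (randomized) and which stayed put. The sample listings are abbreviated from the four runs above (PIDs 1914/1915 with aslr=disable, 1917/1918 with aslr=enable); on a live system you would feed it the output of `sxadm exec -s aslr=enable /usr/bin/pmap self` captured several times.

```python
"""Compare pmap(1) output across runs to see which objects ASLR actually moves.

Added example, not from the slides; the sample listings are abbreviated copies
of the slide's four runs."""
import re
from collections import defaultdict

# start address, size in K, permissions, mapped object (path or [ heap ]/[ stack ]/[ anon ])
PMAP_LINE = re.compile(r"^([0-9A-Fa-f]{8,16})\s+(\d+)K\s+(\S+)\s+(.+?)\s*$")

RUN_DISABLED_A = """\
1914:   /usr/bin/pmap self
0000000000400000         28K r-x--  /usr/bin/pmap
0000000000417000          4K rw---  /usr/bin/pmap
0000000000418000         40K rw---    [ heap ]
FFFF80FFBF430000       1764K r-x--  /lib/amd64/libc.so.1
FFFF80FFBF795000        340K r-x--  /lib/amd64/ld.so.1
FFFF80FFBFFFD000         12K rw---    [ stack ]
 total             2556K
"""
# The second disabled run on the slide has identical addresses, only the PID differs.
RUN_DISABLED_B = RUN_DISABLED_A.replace("1914:", "1915:")

RUN_ENABLED_A = """\
1917:   /usr/bin/pmap self
0000000000400000         28K r-x--  /usr/bin/pmap
0000000000417000          4K rw---  /usr/bin/pmap
00000005D6666000         36K rw---    [ heap ]
00007FF669CF0000       1764K r-x--  /lib/amd64/libc.so.1
00007FF669EFC000        340K r-x--  /lib/amd64/ld.so.1
FFFF80DDA254F000         16K rw---    [ stack ]
 total             2564K
"""
RUN_ENABLED_B = """\
1918:   /usr/bin/pmap self
0000000000400000         28K r-x--  /usr/bin/pmap
0000000000417000          4K rw---  /usr/bin/pmap
000000065B76D000         36K rw---    [ heap ]
00007FFAAD040000       1764K r-x--  /lib/amd64/libc.so.1
00007FFAAD24D000        340K r-x--  /lib/amd64/ld.so.1
FFFF80DE1559E000         12K rw---    [ stack ]
"""


def parse_pmap(text):
    """Return (start, size_kb, perms, object) tuples, skipping the header and total lines."""
    mappings = []
    for line in text.splitlines():
        m = PMAP_LINE.match(line.strip())
        if m:
            mappings.append((int(m.group(1), 16), int(m.group(2)), m.group(3), m.group(4)))
    return mappings


def object_bases(text):
    """Base address of each object: the lowest start address among its mappings."""
    bases = {}
    for start, _size, _perms, obj in parse_pmap(text):
        bases[obj] = min(start, bases.get(obj, start))
    return bases


def randomized_objects(runs):
    """Map each object to True if its base differed between runs, False if it was constant."""
    seen = defaultdict(set)
    for text in runs:
        for obj, base in object_bases(text).items():
            seen[obj].add(base)
    return {obj: len(bases) > 1 for obj, bases in seen.items()}


def aslr_verdict(runs):
    """Split objects into (randomized, fixed), both sorted.

    A non-empty 'fixed' list next to a non-empty 'randomized' list is the signature
    of ASLR being on for a non-position-independent executable."""
    result = randomized_objects(runs)
    randomized = sorted(obj for obj, moved in result.items() if moved)
    fixed = sorted(obj for obj, moved in result.items() if not moved)
    return randomized, fixed
```

For the enabled runs the verdict lists ld.so.1, libc.so.1, heap and stack as randomized and /usr/bin/pmap as fixed, which is exactly what the listings show; the disabled runs yield an empty randomized list. Two runs are the minimum; a handful gives more confidence that a "moved" object is not a coincidence of the allocator.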
pfedit
pfedit lets an administrator delegate editing of one specific file through an authorization, without handing out root or write permission on the file:

root@template:/etc/apache2/2.2# profiles -p "httpd edit"
profiles:httpd edit> set auths=solaris.admin.edit/etc/apache2/2.2/httpd.conf
profiles:httpd edit> set desc="Edit httpd"
profiles:httpd edit> exit

root@template:/etc/apache2/2.2# usermod -P +"httpd edit" junior

junior@template:~$ profiles
httpd edit
Basic Solaris User
All

Editing the file directly still fails; it is writable by root only:

junior@template:~$ vi /etc/apache2/2.2/httpd.conf

pfedit checks the solaris.admin.edit/<path> authorization, lets the user edit a temporary copy and writes it back:

junior@template:~$ pfedit /etc/apache2/2.2/httpd.conf
pfedit: /etc/apache2/2.2/httpd.conf has been updated.

junior@template:~$ pfedit /etc/apache2/2.2/mime.types
pfedit: User junior is not authorized to edit the file /etc/apache2/2.2/mime.types

root@template:/etc/apache2/2.2# profiles -p "httpd edit"
profiles:httpd edit> info
        name=httpd edit
        desc=Edit httpd
        auths=solaris.admin.edit/etc/apache2/2.2/httpd.conf
profiles:httpd edit> add auths=solaris.admin.edit/etc/apache2/2.2/mime.types

junior@template:~$ pfedit /etc/apache2/2.2/mime.types
pfedit: no changes for /etc/apache2/2.2/mime.types

Every pfedit change is auditable. Adding always_audit=as to the profile forces the "as" (administrative) audit class for everything done through it, independent of the system-wide audit flags:

root@template:~# profiles -p "httpd configure"
profiles:httpd configure> add always_audit=as
profiles:httpd configure> info
        name=httpd configure
        desc=Configure httpd
        auths=solaris.admin.edit/etc/apache2/2.2/httpd.conf,solaris.admin.edit/etc/apache2/2.2/mime.types
        always_audit=as
        never_audit=no
profiles:httpd configure> exit
root@template:~#

root@template:~# auditreduce -c as | praudit

The audit record names the user, the authorization used and, in the text token, the diff of the change:

header,486,2,edit administrative file,,fe80::a00:27ff:fea6:33cb,2013-08-12 07:45:52.306 +00:00
subject,junior,junior,staff,junior,staff,4212,447467166,369 136704 MacBook-Pro-of-c0t0d0s0.fritz.box
path,/etc/apache2/2.2/httpd.conf
use of authorization,solaris.admin.edit/etc/apache2/2.2/httpd.conf
text,--- /etc/apache2/2.2/httpd.conf        Mo Aug 12 07:45:00 2013
+++ /etc/apache2/2.2/httpd.conf.pfedit.1BaGoi     Mo Aug 12 07:45:52 2013
@@ -1,5 +1,6 @@
 # Test
 # Test 2
+# Test 3
 #
 # This is the main Apache HTTP server configuration file.  It contains the
 # configuration directives that give the server its instructions.
return,success,0
Delegating privilege to restart services (so you can keep the root password)

junior@template:~$ svcadm refresh apache22
svcadm: svc:/network/http:apache22: Permission denied.

root@template:~# svcs -a | grep apache22
online         15:30:29 svc:/network/http:apache22

SMF distinguishes two authorizations per service: action_authorization covers actions such as restart and refresh, value_authorization covers changing the service's property values. Define both, attach them to the service, and hand out only the one that is needed:

root@template:~# auths add -t "Apache22 value" solaris.smf.value.http.apache22
root@template:~# auths add -t "Apache22 action" solaris.smf.action.http.apache22

root@template:~# svccfg -s apache22 setprop general/value_authorization = astring: solaris.smf.value.http.apache22
root@template:~# svccfg -s apache22 setprop general/action_authorization = astring: solaris.smf.action.http.apache22

root@template:~# profiles -p "httpd edit" "add auths=solaris.smf.action.http.apache22"

junior@template:~$ svcadm refresh apache22
junior@template:~$
Privileges
$ ls -l /usr/sbin/traceroute
-r-sr-xr-x   1 root     bin        42324 Nov 21 00:09 /usr/sbin/traceroute
$ ls -l /usr/sbin/ping
-r-sr-xr-x   1 root     bin        51396 Nov 18 19:31 /usr/sbin/ping

set-id to root: ping needs it to work (it needs the net_icmpaccess privilege to open a raw ICMP socket, and the setuid bit is how it gets that privilege).

# chmod -s /usr/sbin/ping
# exit
$ ping -s 192.168.1.132
ping: socket Permission denied

Remove the set-uid bit and ping stops working.

An ordinary user's shell has the basic set of privileges:

jmoekamp@daddelkiste:~$ ppriv $$
2153:   -bash
flags = <none>
        E: basic
        I: basic
        P: basic
        L: all

All privileges in Solaris 11:

contract_event, contract_identity, contract_observer, cpc_cpu, dtrace_kernel, dtrace_proc, dtrace_user, file_chown, file_chown_self, file_dac_execute, file_dac_read, file_dac_search, file_dac_write, file_downgrade_sl, file_flag_set, file_link_any, file_owner, file_read, file_setid, file_upgrade_sl, file_write, graphics_access, graphics_map, ipc_dac_read, ipc_dac_write, ipc_owner, net_access, net_bindmlp, net_icmpaccess, net_mac_aware, net_mac_implicit, net_observability, net_privaddr, net_rawaccess, proc_audit, proc_chroot, proc_clock_highres, proc_exec, proc_fork, proc_info, proc_lock_memory, proc_owner, proc_priocntl, proc_session, proc_setid, proc_taskid, proc_zone, sys_acct, sys_admin, sys_audit, sys_config, sys_devices, sys_dl_config, sys_flow_config, sys_ib_config, sys_ib_info, sys_ip_config, sys_ipc_config, sys_iptun_config, sys_linkdir, sys_mount, sys_net_config, sys_nfs, sys_ppp_config, sys_res_bind, sys_res_config, sys_resource, sys_share, sys_smb, sys_suser_compat, sys_time, sys_trans_label, win_colormap, win_config, win_dac_read, win_dac_write, win_devices, win_dga, win_downgrade_sl, win_fontpath, win_mac_read, win_mac_write, win_selection, win_upgrade_sl

All privileges in their entirety, assigned to one user, are (almost)

Neat extension in Solaris 11: the ability to use networking is now a privilege (net_access). It's part of the basic set by default, but you can remove it.

jmoekamp@daddelkiste:~$ ppriv -v $$
2153:   -bash
flags = <none>
        E: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
        I: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
        P: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
        L: contract_event,contract_identity,contract_observer,cpc_cpu,dtrace_kernel,dtrace_proc,dtrace_user,file_chown,file_chown_self,file_dac_execute,file_dac_read,file_dac_search,file_dac_write,file_downgrade_sl,file_flag_set,file_link_any,file_owner,file_read,file_setid,file_upgrade_sl,file_write,graphics_access,graphics_map,ipc_dac_read,ipc_dac_write,ipc_owner,net_access,net_bindmlp,net_icmpaccess,net_mac_aware,net_mac_implicit,net_observability,net_privaddr,net_rawaccess,proc_audit,proc_chroot,proc_clock_highres,proc_exec,proc_fork,proc_info,proc_lock_memory,proc_owner,proc_priocntl,proc_session,proc_setid,proc_taskid,proc_zone,sys_acct,sys_admin,sys_audit,sys_config,sys_devices,sys_dl_config,sys_flow_config,sys_ib_config,sys_ib_info,sys_ip_config,sys_ipc_config,sys_iptun_config,sys_linkdir,sys_mount,sys_net_config,sys_nfs,sys_ppp_config,sys_res_bind,sys_res_config,sys_resource,sys_share,sys_smb,sys_suser_compat,sys_time,sys_trans_label,win_colormap,win_config,win_dac_read,win_dac_write,win_devices,win_dga,win_downgrade_sl,win_fontpath,win_mac_read,win_mac_write,win_selection,win_upgrade_sl

root's shell, by contrast, has everything:

root@daddelkiste:~# ppriv $$
2183:   -bash
flags = <none>
        E: all
        I: basic
        P: all
        L: all

Privileges can be handed out selectively, for example the DTrace privileges to a user:

junior@daddelkiste:~$ dtrace -n 'syscall:::entry { @num[execname] = count(); }'
dtrace: failed to initialize dtrace: DTrace requires additional privileges

root@daddelkiste:~# usermod -K defaultpriv=basic,dtrace_kernel,dtrace_proc,dtrace_user junior
UX: usermod: junior is currently logged in, some changes may not take effect until next login.

junior@daddelkiste:~$ dtrace -n 'syscall:::entry { @num[execname] = count(); }'
dtrace: description 'syscall:::entry' matched 211 probes
^C

  automountd                                                        1
  sshd                                                             24
  dtrace                                                          544
  auditd                                                          564

A privilege-aware daemon done right: kcfd runs as daemon with exactly three privileges and an empty limit set, so nothing it execs can ever gain more:

# ps -ef | grep kcfd
  daemon   125     1   0 14:24:19 ?           0:00 /usr/lib/crypto/kcfd
    root   734   728   0 15:54:08 pts/1       0:00 grep kcfd
# ppriv -v 125
125:    /usr/lib/crypto/kcfd
flags = PRIV_AWARE
        E: file_owner,proc_priocntl,sys_devices
        I: none
        P: file_owner,proc_priocntl,sys_devices
        L: none

Apache out of the box: the parent process runs as root.

# svcadm -v enable -s apache2
svc:/network/http:apache2 enabled

jmoekamp@client:~$ ps -ef | grep http
webservd  1978  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1979  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1980  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1984  1975   0 12:20:02 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
    root  1975     1   0 12:19:14 ?           0:01 /usr/apache2/2.2/bin/httpd -k start
webservd  1977  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1976  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start

root@client:~# ppriv 1977
1977:   /usr/apache2/2.2/bin/httpd -k start
flags = <none>
        E: basic
        I: basic
        P: basic
        L: all
root@client:~# ppriv 1975
1975:   /usr/apache2/2.2/bin/httpd -k start
flags = <none>
        E: all
        I: basic
        P: all
        L: all
root@client:~#

The Apache process running as root has all privileges. The other (webservd) processes have the basic set. What Apache really needs is the basic set plus net_privaddr (to bind port 80); proc_session, proc_info and file_link_any in the setting below are already part of basic. So you grant a large number of privileges to one process that Apache doesn't need.

# svcadm -v disable -s apache2
svc:/network/http:apache2 disabled

Set the method context so that the parent starts as webservd with just the needed privileges (":default" keeps SMF's default for that property):

root@client:~# svccfg -s apache22
svc:/network/http:apache22> setprop start/user = astring: webservd
svc:/network/http:apache22> setprop start/group = astring: webservd
svc:/network/http:apache22> setprop start/privileges = astring: basic,proc_session,proc_info,file_link_any,net_privaddr
svc:/network/http:apache22> setprop start/limit_privileges = astring: :default
svc:/network/http:apache22> setprop start/use_profile = boolean: false
svc:/network/http:apache22> setprop start/supp_groups = astring: :default
svc:/network/http:apache22> setprop start/working_directory = astring: :default
svc:/network/http:apache22> setprop start/project = astring: :default
svc:/network/http:apache22> setprop start/resource_pool = astring: :default
svc:/network/http:apache22> end
root@client:~# svcadm -v refresh apache22
Action refresh set for svc:/network/http:apache22.

httpd's lock and pid files live in a root-owned directory by default; move them somewhere webservd can write:

# echo "LockFile /var/apache2/2.2/logs/accept.lock" >> /etc/apache2/2.2/httpd.conf
# echo "PidFile /var/apache2/2.2/run/httpd.pid" >> /etc/apache2/2.2/httpd.conf
# mkdir -p -m 755 /var/apache2/2.2/run
# chown webservd:webservd /var/apache2/2.2/run
# svcadm enable apache22

Now every httpd process, the parent included, runs as webservd:

webservd  3064  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3062  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3063  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3066  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3061     1   0 16:49:17 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3065  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
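The "how much does this process hold beyond what it needs" question above is worth automating. The following is an added example, not from the slides: it parses ppriv(1) records (plain and verbose form, including the "basic,!file_write" notation of the extended-policy slide) and computes the excess over a required set. The basic set is the one the slide's `ppriv -v $$` shows for Solaris 11, the full list is the slide's list of all privileges, and the sample records are copied from the slides; the "needed" set is the one given to svccfg above.

```python
"""Compute excess privileges from ppriv(1) output.

Added example, not from the slides. ALL_PRIVS and BASIC are taken from the slide
output; on a live system both should be read from ppriv -l / ppriv -v instead."""
import re

ALL_PRIVS = """
contract_event contract_identity contract_observer cpc_cpu dtrace_kernel dtrace_proc
dtrace_user file_chown file_chown_self file_dac_execute file_dac_read file_dac_search
file_dac_write file_downgrade_sl file_flag_set file_link_any file_owner file_read
file_setid file_upgrade_sl file_write graphics_access graphics_map ipc_dac_read
ipc_dac_write ipc_owner net_access net_bindmlp net_icmpaccess net_mac_aware
net_mac_implicit net_observability net_privaddr net_rawaccess proc_audit proc_chroot
proc_clock_highres proc_exec proc_fork proc_info proc_lock_memory proc_owner
proc_priocntl proc_session proc_setid proc_taskid proc_zone sys_acct sys_admin
sys_audit sys_config sys_devices sys_dl_config sys_flow_config sys_ib_config
sys_ib_info sys_ip_config sys_ipc_config sys_iptun_config sys_linkdir sys_mount
sys_net_config sys_nfs sys_ppp_config sys_res_bind sys_res_config sys_resource
sys_share sys_smb sys_suser_compat sys_time sys_trans_label win_colormap win_config
win_dac_read win_dac_write win_devices win_dga win_downgrade_sl win_fontpath
win_mac_read win_mac_write win_selection win_upgrade_sl
""".split()

# The basic set as shown by `ppriv -v $$` on the slide.
BASIC = {"file_link_any", "file_read", "file_write", "net_access", "proc_exec",
         "proc_fork", "proc_info", "proc_session", "sys_ib_info"}

HTTPD_PARENT = """\
1975:   /usr/apache2/2.2/bin/httpd -k start
flags = <none>
        E: all
        I: basic
        P: all
        L: all
"""
HTTPD_CHILD = """\
1977:   /usr/apache2/2.2/bin/httpd -k start
flags = <none>
        E: basic
        I: basic
        P: basic
        L: all
"""
MYSQLD = """\
103697: /usr/mysql/5.1/bin/mysqld --basedir=/usr/mysql/5.1
flags = PRIV_XPOLICY
        Extended policies:
                {net_privaddr}:3306/tcp
                {file_write}:/var/mysql/5.1/data/*
        E: basic,!file_write
        I: basic,!file_write
        P: basic,!file_write
        L: all
"""
# The start/privileges value set for apache22 on the slide.
NEEDED_BY_HTTPD = "basic,proc_session,proc_info,file_link_any,net_privaddr"


def expand(spec):
    """Expand a ppriv set specification: 'basic', 'all', 'none', comma lists, '!priv'."""
    privs = set()
    for token in spec.split(","):
        token = token.strip()
        if not token or token == "none":
            continue
        negate = token.startswith("!")
        name = token.lstrip("!")
        if name == "all":
            members = set(ALL_PRIVS)
        elif name == "basic":
            members = set(BASIC)
        else:
            members = {name}
        privs = privs - members if negate else privs | members
    return privs


def parse_ppriv(text):
    """Return the E/I/P/L sets plus the extended-policy lines of one ppriv record."""
    sets = {}
    policies = []
    for line in text.splitlines():
        m = re.match(r"^\s*([EIPL]):\s*(.*)$", line)
        if m:
            sets[m.group(1)] = expand(m.group(2))
        elif re.match(r"^\s*\{\w+\}:", line):
            policies.append(line.strip())
    sets["policies"] = policies
    return sets


def excess_privileges(ppriv_text, needed_spec):
    """Privileges in the permitted set that the 'needed' specification does not cover."""
    return sorted(parse_ppriv(ppriv_text)["P"] - expand(needed_spec))
```

For the root-owned httpd parent the excess is every privilege except the ten it needs (the basic nine plus net_privaddr); for a webservd child it is empty; and the mysqld record shows file_write gone from the effective set while the two policy lines say where it comes back.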
Read-only zone root
zonecfg:testzone> set file-mac-profile=none
    Standard read-write non-global zone, with no additional protection beyond the existing zone boundaries.
zonecfg:testzone> set file-mac-profile=strict
    Read-only file system, no exceptions.
zonecfg:testzone> set file-mac-profile=fixed-configuration
    Permits updates to /var/* directories, with the exception of directories that contain system configuration components.
zonecfg:testzone> set file-mac-profile=flexible-configuration
    Permits modification of files in /etc/* directories, changes to root's home directory, and updates to /var/* directories. This configuration provides the closest functionality to the Oracle Solaris 10 native sparse root zone.
in-kernel SSL Proxy
The kernel SSL proxy (kssl) terminates SSL/TLS in the kernel on port 443 and hands the cleartext to a local port (8080 here) where the unmodified web server listens.

Create a self-signed certificate and key (the demo uses a 1024-bit RSA key; use at least 2048 bits today):

# mkdir /etc/keys
# cd /etc/keys
# openssl req -x509 -nodes -days 365 -subj "/C=DE/ST=Hamburg/L=Hamburg/CN=server" -newkey rsa:1024 -keyout /etc/keys/mykey.pem -out /etc/keys/mycert.pem
# cat mycert.pem mykey.pem > my.pem
# chmod 600 my.pem

Create the proxy instance (the -p file holds the passphrase for the pem file):

# echo "pass" > /etc/keys/mypass
# ksslcfg create -f pem -i /etc/keys/my.pem -x 8080 -p /etc/keys/mypass server 443

Optionally restrict the cipher suites with -c. The list from the slide still contains the RC4 suites, which are considered broken today; on a current system keep only the AES suites:

# ksslcfg create -f pem -i /etc/keys/my.pem -x 8080 -p /etc/keys/mypass -c rsa_aes_256_cbc_sha,rsa_aes_128_cbc_sha,rsa_rc4_128_sha,rsa_rc4_128_md5 server 443

# svcs -a | grep kssl
online          9:03:33 svc:/network/ssl/proxy:kssl-server-443

Apache must listen on the proxy's backend address and port, not on 443:

# svcadm disable apache22
# echo "Listen 192.168.178.108:8080" >> /etc/apache2/2.2/httpd.conf
# svcadm enable apache22

Port number and IP address have to be defined in httpd.conf, otherwise it will not work.

Test from a client (the output is from the 2009 demo, as the Date header shows; note the negotiated cipher RC4-SHA):

# openssl s_client -connect server:443
CONNECTED(00000004)
depth=0 /C=DE/ST=Hamburg/L=Hamburg/CN=server
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=DE/ST=Hamburg/L=Hamburg/CN=server
verify return:1
---
Certificate chain
 0 s:/C=DE/ST=Hamburg/L=Hamburg/CN=server
   i:/C=DE/ST=Hamburg/L=Hamburg/CN=server
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICoTCCAgqgAwIBAgIJAKyJdj[...]V5jX3MU=
-----END CERTIFICATE-----
subject=/C=DE/ST=Hamburg/L=Hamburg/CN=server
issuer=/C=DE/ST=Hamburg/L=Hamburg/CN=server
---
No client certificate CA names sent
---
SSL handshake has read 817 bytes and written 328 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-SHA
    Session-ID: 32CEF20CB9FE2A71C74D40BB2DB5CB304DA1B57540B7CFDD113915B99DBE9812
    Session-ID-ctx:
    Master-Key: 1E7B502390951124779C5763B5E4BBAF0A9B0693D08DCA8A587B503A5C5027B6FAD9CA7626B1AD8C62219E8502A5C21E
    Key-Arg   : None
    Start Time: 1242985143
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
GET / HTTP/1.0

HTTP/1.1 200 OK
Date: Fri, 22 May 2009 09:39:13 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8a DAV/2
Last-Modified: Thu, 21 May 2009 21:26:30 GMT
ETag: "341f3-2c-46a72cc211a8f"
Accept-Ranges: bytes
Content-Length: 44
Connection: close
Content-Type: text/html

<html><body><h1>It works!</h1></body></html>
read:errno=0
ZFS Encryption
# zfs create -o encryption=on rpool/export/project

Key hierarchy: the wrapping key is user-settable and can come from a prompt (passphrase), a file, an https URL or a PKCS#11 token. The data encryption key that actually encrypts the blocks is random and not user-settable; it is stored wrapped (encrypted) by the wrapping key.

wrapping key (user settable): prompt, file, https, pkcs11
encryption key: random, not user settable

Supported algorithms (encryption=on selects aes-128-ccm):
aes-128-ccm (=on), aes-192-ccm, aes-256-ccm, aes-128-gcm, aes-192-gcm, aes-256-gcm

zfs set checksum=sha256+mac <dataset>

With encryption=on something like this happens automatically: the block checksum becomes SHA-256 plus the authentication tag (MAC) of the cipher mode, and the checksum property is read-only from then on.

Wrapping key from a PKCS#11 token:

# pktool genkey keystore=pkcs11 keytype=aes keylen=128 label=mykey
Enter PIN for Sun Software PKCS#11 softtoken:
# zfs create -o encryption=on -o keysource=raw,pkcs11:object=mykey tank/projectC
Enter PKCS#11 token PIN for 'tank/projectC':

Wrapping key fetched over https (the key server's certificate must be trusted by the system CA store, so install it before the key is needed):

# zfs create -o encryption=on -o keysource=raw,https://keys.example.com/mykey tank/projectR
# cp myservercert.pem /etc/certs/CA/
# svcadm refresh ca-certificates

Changing the wrapping key:

$ zfs key -c rpool/export/project
Enter new passphrase for 'rpool/export/project':

Changing the encryption key for data written from now on:

# zfs key -K tank/projectA
# zfs clone -K tank/projectA@montag tank/projectD

zfs key -K creates a new data encryption key; blocks already on disk stay encrypted under the old key, only data written from now on uses the new one. zfs clone -K does the same for a clone: data written in the clone uses a new data encryption key, distinct from that of its origin snapshot.
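The difference between `zfs key -c` and `zfs key -K` is easiest to see in a model of the key hierarchy. The following is an added example, not from the slides and not ZFS code: a user-settable wrapping key (derived from a passphrase with PBKDF2, as ZFS does for keysource=passphrase) protects randomly generated data encryption keys, rewrapping leaves the data keys and all blocks untouched, and rekeying adds a new data key that only subsequent writes use. Real ZFS encrypts with AES-CCM or AES-GCM; to stay within the Python standard library this model uses an illustrative encrypt-then-MAC stream construction built from HMAC-SHA256, which must not be reused as a production cipher.

```python
"""Model of the ZFS encryption key hierarchy: wrapping key vs. data encryption keys.

Added example, not from the slides and not ZFS code. The cipher below is an
illustrative HMAC-SHA256 stream construction with a MAC, standing in for AES-CCM;
only the key relationships are the point."""
import hashlib
import hmac
import secrets


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode as a keystream (illustrative, not AES)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key, plaintext):
    """Encrypt-then-MAC: returns (nonce, ciphertext, tag)."""
    nonce = secrets.token_bytes(12)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce, ct, tag


def unseal(key, sealed):
    nonce, ct, tag = sealed
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("MAC check failed: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def unseal_fails(key, sealed):
    """True if the MAC rejects the key (wrong wrapping key or a tampered block)."""
    try:
        unseal(key, sealed)
        return False
    except ValueError:
        return True


def wrapping_key(passphrase, salt):
    """keysource=passphrase: derive the wrapping key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000, 32)


class Dataset:
    """An encrypted dataset: wrapped data keys plus blocks tagged with the key that wrote them."""

    def __init__(self, passphrase):
        self.salt = secrets.token_bytes(16)
        self.kek = wrapping_key(passphrase, self.salt)
        self.wrapped_deks = {}   # dek_id -> DEK sealed under the wrapping key
        self.blocks = []         # (dek_id, sealed block)
        self.current = None
        self._new_dek()

    def _new_dek(self):
        dek_id = len(self.wrapped_deks)
        self.wrapped_deks[dek_id] = seal(self.kek, secrets.token_bytes(16))
        self.current = dek_id

    def _dek(self, dek_id):
        return unseal(self.kek, self.wrapped_deks[dek_id])

    def write(self, data):
        self.blocks.append((self.current, seal(self._dek(self.current), data)))

    def read_all(self):
        return [unseal(self._dek(dek_id), sealed) for dek_id, sealed in self.blocks]

    def key_c(self, new_passphrase):
        """zfs key -c: every DEK is unwrapped and rewrapped under the new wrapping key;
        the DEKs themselves and all data blocks stay as they are."""
        deks = {i: self._dek(i) for i in self.wrapped_deks}
        self.salt = secrets.token_bytes(16)
        self.kek = wrapping_key(new_passphrase, self.salt)
        self.wrapped_deks = {i: seal(self.kek, dek) for i, dek in deks.items()}

    def key_K(self):
        """zfs key -K: a new DEK for everything written from now on; old blocks keep theirs."""
        self._new_dek()

    def clone_K(self):
        """zfs clone -K: the clone shares the origin's blocks but writes with its own new DEK."""
        clone = Dataset.__new__(Dataset)
        clone.salt, clone.kek = self.salt, self.kek
        clone.wrapped_deks = dict(self.wrapped_deks)
        clone.blocks = list(self.blocks)
        clone._new_dek()
        return clone


def demo():
    ds = Dataset("supersecret")
    ds.write(b"block written under DEK 0")
    ds.key_c("newpassphrase")          # rewrap only
    ds.key_K()                         # new DEK for subsequent writes
    ds.write(b"block written under DEK 1")
    clone = ds.clone_K()
    clone.write(b"clone block under DEK 2")
    return ds, clone
```

The practical consequence the model makes visible: after `key -K` a dataset holds several data keys at once, so rotating the data key does not re-encrypt old blocks (that needs a copy), whereas rotating the wrapping key is cheap because it touches only the wrapped keys.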
c0t0d0s0org93
Solaris Cryptographic Framework
As soon as Solaris detects hardware acceleration for cryptography, Solaris will use it, and so do applications that use the Oracle-supplied OpenSSL library or the framework's direct interfaces:
- on-chip crypto accelerators in T-series and current M-series chips
- instruction set extensions in Intel processors (AES-NI)
- supported crypto accelerator cards

Just a side note: T-series crypto acceleration and Intel x86 acceleration have quite different performance characteristics.
T-series: acceleration by offloading crypto to a unit outside the pipeline (this describes the T1 to T3 generation; from T4 on the cryptographic units are driven by in-core instructions, closer to the x86 model).
Intel x86: acceleration by offering special in-pipeline instructions to speed up execution.
Sounds like splitting hairs
Using ZFS to do two-factor encryption
jmoekamp@solaris:~$ rmformat
Looking for devices...
     1. Logical Node: /dev/rdsk/c10t0d0p0
        Physical Node: /pci@0,0/pci8086,265c@b/storage@2/disk@0,0
        Connected Device: SanDisk  U3 Cruzer Micro  8.02
        Device Type: Removable
        Bus: USB
        Size: 3.8 GB
        Label: <None>
        Access permissions: Medium is not write protected.
[...]
     3. Logical Node: /dev/rdsk/c9t0d0p0
        Physical Node: /pci@0,0/pci8086,265c@b/storage@1/disk@0,0
        Connected Device: SanDisk  U3 Cruzer Micro  8.02
        Device Type: Removable
        Bus: USB
        Size: 3.8 GB
        Label: <None>
        Access permissions: Medium is not write protected.

Two USB sticks: one carries the key, the other the data. The key stick holds a passphrase-encrypted dataset (factor 1: something you know); the data stick's dataset uses a raw key file that exists only on the key stick (factor 2: something you have).

root@solaris:~# zpool create a_keystore_usbstick /dev/dsk/c10t0d0p0
root@solaris:~# zpool create datastick /dev/dsk/c9t0d0p0

root@solaris:~# zfs create -o encryption=on a_keystore_usbstick/keys
Enter passphrase for 'a_keystore_usbstick/keys': supersecret
Enter again: supersecret

root@solaris:~# pktool genkey keystore=file keytype=aes keylen=128 outkey=/a_keystore_usbstick/keys/joergsdatastickkey

root@solaris:~# zfs create -o encryption=on -o keysource=raw,file:///a_keystore_usbstick/keys/joergsdatastickkey datastick/joergssecrets

root@solaris:/datastick/joergssecrets# mv /home/jmoekamp/highlyconfidential_nda_presos.tgz .

root@solaris:~# zpool export a_keystore_usbstick
root@solaris:~# zpool export datastick

Importing: the key stick first (it asks for the passphrase), then the data stick, whose key file is now reachable. Without the key stick the data pool still imports, but the dataset's key is unavailable and it cannot be mounted.

root@solaris:~# zpool import a_keystore_usbstick
Enter passphrase for 'a_keystore_usbstick/keys': supersecret
root@solaris:~#

root@solaris:~# zpool import datastick
root@solaris:~# cd /datastick/joergssecrets
root@solaris:/datastick/joergssecrets# ls
highlyconfidential_nda_presos.tgz
Basic Auditing and Reporting Tool
BART records the attributes and content hashes of a file tree in a manifest, so that a later manifest can be compared against it:

# mkdir /bart-files
# bart create -R /etc > /bart-files/etc.control.manifest

# cat etc.control.manifest | grep nsswitch.nisplus
/nsswitch.nisplus F 2525 100644 user::rw-,group::r--,mask:r--,other:r-- 473976b5 0 3 79e8fd689a5221d1cd059e5077da71b8

(fields: name, type F, size, mode, ACL, mtime in hex, uid, gid, content hash)

Now change something:

# touch /etc/thisisjustatest
# chmod 777 /etc/nsswitch.files
# echo "just a test" >> /etc/nsswitch.nisplus

# bart create -R /etc > /bart-files/etc.check.20130911.manifest

# cd /bart-files
# bart compare etc.control.manifest etc.check.20130911.manifest
/nsswitch.files:
  mode  control:100644  test:100777
  acl  control:user::rw-,group::r--,mask:r--,other:r--  test:user::rwx,group::rwx,mask:rwx,other:rwx
/nsswitch.nisplus:
  size  control:2525  test:2538
  mtime  control:473976b5  test:47a44862
  contents  control:79e8fd689a5221d1cd059e5077da71b8  test:3f79176ec352441db11ec8a3d02ef67c
/thisisjustatest:
  add

The control manifest is only as trustworthy as its storage: keep it off the monitored system or on read-only media, otherwise whoever changes a file can regenerate the manifest as well.

Find more information regarding this feature at http://www.c0t0d0s0.org/archives/4069-Less-known-Solaris-features-BART.html
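The compare step is simple enough to reproduce, which is useful when the manifests are shipped to a central host that has no bart binary. The following is an added example, not from the slides and not the bart code: a parser for the manifest format bart create writes (the "#fname ..." header lines document the per-type fields) and a comparison that reports add, delete and per-attribute changes the way bart compare does. The two manifests are constructed from the values shown above; the sizes and hashes of the unchanged /passwd entry and of the root directory are made up. Real bart also honours a rules file; the "ignore" argument stands in for a global IGNORE directive.

```python
"""Parse bart(1M) manifests and compare them like `bart compare`.

Added example, not from the slides; the manifests below are constructed from
the slide's values, with made-up entries for / and /passwd."""

# Attribute names per file type, as documented in the manifest header written by bart create.
FIELDS = {
    "F": ["size", "mode", "acl", "mtime", "uid", "gid", "contents"],
    "D": ["size", "mode", "acl", "dirmtime", "uid", "gid"],
    "P": ["size", "mode", "acl", "mtime", "uid", "gid"],
    "S": ["size", "mode", "acl", "mtime", "uid", "gid"],
    "L": ["size", "mode", "acl", "lnmtime", "uid", "gid", "dest"],
    "B": ["size", "mode", "acl", "mtime", "uid", "gid", "devnode"],
    "C": ["size", "mode", "acl", "mtime", "uid", "gid", "devnode"],
}

CONTROL = """\
! Version 1.0
! Monday, September 09, 2013 (10:00:00)
# Format:
#fname F size mode acl mtime uid gid contents
/ D 1024 40755 user::rwx,group::r-x,mask:r-x,other:r-x 473976b5 0 3
/nsswitch.files F 1191 100644 user::rw-,group::r--,mask:r--,other:r-- 473976b5 0 3 6b1f0ee6b4dfb9a2c8e1d3f5a7c9b0e2
/nsswitch.nisplus F 2525 100644 user::rw-,group::r--,mask:r--,other:r-- 473976b5 0 3 79e8fd689a5221d1cd059e5077da71b8
/passwd F 812 100644 user::rw-,group::r--,mask:r--,other:r-- 473976b5 0 3 0123456789abcdef0123456789abcdef
"""

TEST = """\
! Version 1.0
! Wednesday, September 11, 2013 (10:00:00)
# Format:
#fname F size mode acl mtime uid gid contents
/ D 1024 40755 user::rwx,group::r-x,mask:r-x,other:r-x 47a44862 0 3
/nsswitch.files F 1191 100777 user::rwx,group::rwx,mask:rwx,other:rwx 473976b5 0 3 6b1f0ee6b4dfb9a2c8e1d3f5a7c9b0e2
/nsswitch.nisplus F 2538 100644 user::rw-,group::r--,mask:r--,other:r-- 47a44862 0 3 3f79176ec352441db11ec8a3d02ef67c
/passwd F 812 100644 user::rw-,group::r--,mask:r--,other:r-- 473976b5 0 3 0123456789abcdef0123456789abcdef
/thisisjustatest F 0 100644 user::rw-,group::r--,mask:r--,other:r-- 47a44862 0 0 d41d8cd98f00b204e9800998ecf8427e
"""


def parse_manifest(text):
    """Return {fname: {'type': T, attr: value, ...}} for one manifest."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith(("!", "#")):
            continue
        fname, ftype, *attrs = line.split()
        names = FIELDS.get(ftype)
        if names is None or len(attrs) != len(names):
            raise ValueError("malformed manifest line: " + line)
        entries[fname] = {"type": ftype, **dict(zip(names, attrs))}
    return entries


def compare(control, test, ignore=()):
    """Diff two parsed manifests into {fname: {'add': None} | {'delete': None} | {attr: (control, test)}}."""
    report = {}
    for fname in sorted(set(control) | set(test)):
        if fname not in test:
            report[fname] = {"delete": None}
        elif fname not in control:
            report[fname] = {"add": None}
        else:
            c, t = control[fname], test[fname]
            diffs = {a: (c[a], t.get(a)) for a in c if a not in ignore and c[a] != t.get(a)}
            if diffs:
                report[fname] = diffs
    return report


def format_report(report):
    """Render the report in the 'fname:' / '  attr  control:x  test:y' layout of bart compare."""
    lines = []
    for fname, diffs in report.items():
        lines.append(fname + ":")
        for attr, values in diffs.items():
            if values is None:
                lines.append("  " + attr)
            else:
                lines.append("  %s  control:%s  test:%s" % (attr, values[0], values[1]))
    return "\n".join(lines)
```

Besides the three findings from the slide, the report also flags the changed dirmtime of the root directory (a side effect of creating /etc/thisisjustatest), which is why a rules file that ignores dirmtime is usually the first thing one adds for a noisy tree.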
c0t0d0s0org116
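The BART slides show a baseline manifest, three changes to /etc and the resulting compare report. The following is an added example, not code from the slides or from Solaris: a small Python re-implementation of the same idea (a per-file record of type, size, mode, mtime and an MD5 of the contents, then a control-versus-test diff that reports changed attributes, added and deleted files). The directory tree and the nsswitch.* file contents are constructed in the demo function; only the three changes replay what the slides do.

```python
"""Added example (not from the slides): a minimal BART-style manifest.

create_manifest() records what `bart create -R` records for regular files,
compare_manifests() reports what `bart compare` reports: a changed field,
an added or a deleted entry.  All sample files below are constructed.
"""
import hashlib
import os
import shutil
import stat
import tempfile

FIELDS = ("type", "size", "mode", "mtime", "contents")


def _md5(path):
    """Contents checksum, computed in chunks so large files do not load whole."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_manifest(root):
    """Walk `root`; return {"/relative/path": {field: value}} like bart create -R."""
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            regular = stat.S_ISREG(st.st_mode)
            manifest["/" + os.path.relpath(full, root)] = {
                "type": "F" if regular else ("S" if stat.S_ISLNK(st.st_mode) else "O"),
                "size": st.st_size,
                "mode": format(st.st_mode, "o"),          # e.g. 100644, as bart prints it
                "mtime": format(int(st.st_mtime), "x"),   # hex seconds, as bart prints it
                "contents": _md5(full) if regular else "",
            }
    return manifest


def compare_manifests(control, test):
    """Return {path: [changes]}; a change is (field, control, test), ("add",) or ("delete",)."""
    report = {}
    for path in sorted(set(control) | set(test)):
        if path not in control:
            report[path] = [("add",)]
        elif path not in test:
            report[path] = [("delete",)]
        else:
            diffs = [(f, control[path][f], test[path][f])
                     for f in FIELDS if control[path][f] != test[path][f]]
            if diffs:
                report[path] = diffs
    return report


def format_report(report):
    """Render the report roughly the way bart compare prints it."""
    lines = []
    for path, changes in report.items():
        lines.append(path + ":")
        for change in changes:
            lines.append("  " + change[0] if len(change) == 1
                         else "  %s  control:%s  test:%s" % change)
    return "\n".join(lines)


def demo():
    """Replay the slides' three changes on a constructed /etc-like tree; return the report."""
    root = tempfile.mkdtemp()
    try:
        # constructed stand-ins for /etc/nsswitch.files and /etc/nsswitch.nisplus
        with open(os.path.join(root, "nsswitch.files"), "w") as fh:
            fh.write("passwd: files\n")
        with open(os.path.join(root, "nsswitch.nisplus"), "w") as fh:
            fh.write("passwd: nisplus files\n")
        control = create_manifest(root)
        # the changes from the slides: chmod 777, append a line, create a new file
        os.chmod(os.path.join(root, "nsswitch.files"), 0o777)
        with open(os.path.join(root, "nsswitch.nisplus"), "a") as fh:
            fh.write("just a test\n")
        open(os.path.join(root, "thisisjustatest"), "w").close()
        check = create_manifest(root)
        return compare_manifests(control, check)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(format_report(demo()))
```

The manifest deliberately omits the ACL column of a real BART manifest; mode, size and the contents checksum are what catch the three changes from the slides. Because the demo runs within one second, the mtime of the appended file may or may not differ, which is exactly why a contents checksum belongs in a baseline.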
Apropos Auditing
c0t0d0s0.org 117
Auditing is activated by default.
c0t0d0s0.org 118
root@client:~# auditconfig -getflags
active user default audit flags = lo(0x1000,0x1000)
configured user default audit flags = lo(0x1000,0x1000)
root@client:~# auditconfig -getnaflags
active non-attributable audit flags = lo(0x1000,0x1000)
configured non-attributable audit flags = lo(0x1000,0x1000)
c0t0d0s0.org 119
root@client:~# auditconfig -getpolicy
configured audit policies = cnt
active audit policies = cnt
Policy regarding auditing (explanation on the next slide)
c0t0d0s0.org 120
root@client:~# auditconfig -lspolicy
policy string    description:
ahlt             halt machine if it can not record an async event
all              all policies
arge             include exec environment args in audit recs
argv             include exec command line args in audit recs
cnt              when no more space, drop recs and keep a cnt
group            include supplementary groups in audit recs
none             no policies
path             allow multiple paths per event
perzone          use a separate queue and auditd per zone
public           audit public files
seq              include a sequence number in audit recs
trail            include trailer token in audit recs
windata_down     include downgraded window information in audit recs
windata_up       include upgraded window information in audit recs
zonename         include zonename token in audit recs
Which degree of detail? What happens with full disks?
c0t0d0s0.org 121
root@client:~# auditconfig -getplugin
Plugin: audit_binfile (active)
        Attributes: p_dir=/var/audit;p_fsize=0;p_minfree=1;
Plugin: audit_syslog (inactive)
        Attributes: p_flags=;
Plugin: audit_remote (inactive)
        Attributes: p_hosts=;p_retries=3;p_timeout=5;
c0t0d0s0.org 122
root@client:~# auditconfig -setflags lo,ps,fw
user default audit flags = ps,lo,fw(0x101002,0x101002)
root@client:~# auditconfig -setnaflags lo,na
non-attributable audit flags = lo,na(0x1400,0x1400)
c0t0d0s0.org 123
lo and na are the only sensible flags for non-attributable events.
c0t0d0s0.org 124
root@client:~# usermod -K audit_flags=fw:as junior
c0t0d0s0.org 125
root@client:~# auditconfig -lsevent | grep lo
AUE_login                   6152 lo      login - local
AUE_logout                  6153 lo      logout
AUE_telnet                  6154 lo      login - telnet
AUE_rlogin                  6155 lo      login - rlogin
AUE_rshd                    6158 lo      rsh access
AUE_su                      6159 lo      su
AUE_rexecd                  6162 lo      rexecd
AUE_passwd                  6163 lo      passwd
AUE_rexd                    6164 lo      rexd
AUE_ftpd                    6165 lo      ftp access
AUE_ftpd_logout             6171 lo      ftp logout
AUE_ssh                     6172 lo      login - ssh
AUE_role_login              6173 lo      role login
AUE_rad_login               6174 lo      connect to RAD
AUE_newgrp_login            6212 lo      newgrp login
AUE_admin_authenticate      6213 lo      admin login
AUE_screenlock              6221 lo      screenlock - lock
AUE_screenunlock            6222 lo      screenlock - unlock
AUE_zlogin                  6227 lo      login - zlogin
AUE_su_logout               6228 lo      su logout
AUE_role_logout             6229 lo      role logout
AUE_smbd_session            6244 lo      smbd(1m) session setup
AUE_smbd_logoff             6245 lo      smbd(1m) session logoff
c0t0d0s0.org 126
root@client:~# auditconfig -lsevent | grep ps
AUE_EXIT                       1 ps      exit(2)
AUE_FORKALL                    2 ps      forkall(2)
AUE_VFORK                     25 ps      vfork(2)
AUE_FORK1                    241 ps      fork1(2)
root@client:~# auditconfig -lsevent | grep fw
AUE_OPEN_W                    76 fw      open(2) - write
c0t0d0s0.org 127
# auditreduce -c ps /var/audit/20130912183630.not_terminated.client | praudit
header,139,2,execve(2),,client,2013-09-12 18:40:55.924 +00:00
path,/usr/sbin/auditreduce
attribute,100555,root,bin,65538,65875,18446744073709551615
subject,jmoekamp,root,root,root,root,2054,1440080956,2480 202240 192.168.10.1
return,success,0
c0t0d0s0.org 128
root@client:~# auditconfig -setflags all
user default audit flags = all(0xffffffffffffffff,0xffffffffffffffff)
Not always (in the sense of never) a good idea.
Useful after trying out - starting a new audit file:
root@client:~# audit -n
c0t0d0s0.org 129
root@client:~# auditstat
  gen  nona  kern   aud   ctl   enq  wrtn  wblk  rblk  drop   tot   mem
38248     1 38233    14     0 37791 37788     0  3491   457  5169     0
"all" activated for a few seconds on an unloaded system.
c0t0d0s0.org 130
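Every auditconfig line above prints the flag string followed by a pair of masks, one for successful and one for failed events (lo becomes (0x1000,0x1000), lo,ps,fw becomes (0x101002,0x101002)), and the usermod slide layers a per-user always:never pair on top of the system default. The following added example, not code from the slides or from Solaris, computes those pairs. The class bit values are read off the slides' own output (fw=0x2, na=0x400, lo=0x1000, ps=0x100000, all=0xffffffffffffffff); the prefix rules (bare class = success and failure, "+" success only, "-" failure only, "^" turns a class off) and the way the user mask combines with the default, (default | always) minus never, are my reading of audit_flags(7) and are assumptions of this example, as is the small class table, which covers only the classes that appear on the slides.

```python
"""Added example (not from the slides): audit preselection masks.

parse_audit_flags("lo,ps,fw") -> (success_mask, failure_mask) as printed by
auditconfig -setflags; user_audit_mask() combines a per-user
audit_flags=always:never attribute with the system default.
Class values are taken from the slides' auditconfig output; the prefix and
combination rules follow audit_flags(7) as I read it (assumption).
"""

MASK64 = (1 << 64) - 1

# Only the classes that appear on the slides; a real system has many more.
AUDIT_CLASSES = {
    "no": 0x0,                      # audit nothing
    "fw": 0x2,                      # file write
    "na": 0x400,                    # non-attributable
    "lo": 0x1000,                   # login/logout
    "ps": 0x100000,                 # process start/stop
    "all": MASK64,                  # every class
}


def parse_audit_flags(spec):
    """Turn a comma-separated flag string into the (success, failure) mask pair."""
    success = failure = 0
    for token in spec.split(","):
        token = token.strip()
        if not token:
            continue
        turn_on = True
        if token.startswith("^"):          # ^class: turn the class off
            turn_on = False
            token = token[1:]
        which = "both"
        if token and token[0] in "+-":     # +class success only, -class failure only
            which = "success" if token[0] == "+" else "failure"
            token = token[1:]
        if token not in AUDIT_CLASSES:
            raise ValueError("unknown audit class: %r" % token)
        bits = AUDIT_CLASSES[token]
        if which in ("both", "success"):
            success = (success | bits) if turn_on else (success & ~bits)
        if which in ("both", "failure"):
            failure = (failure | bits) if turn_on else (failure & ~bits)
    return success & MASK64, failure & MASK64


def format_audit_flags(spec):
    """Render the string the way auditconfig echoes it: flags(0xsucc,0xfail)."""
    succ, fail = parse_audit_flags(spec)
    return "%s(0x%x,0x%x)" % (spec, succ, fail)


def user_audit_mask(system_spec, audit_flags_attr):
    """Effective mask for a user with audit_flags=always:never (assumed rule).

    The user's mask is the system default plus the always part, with the
    never part removed from both the success and the failure mask.
    """
    always, _, never = audit_flags_attr.partition(":")
    sys_s, sys_f = parse_audit_flags(system_spec)
    add_s, add_f = parse_audit_flags(always)
    rm_s, rm_f = parse_audit_flags(never)
    return ((sys_s | add_s) & ~rm_s & MASK64,
            (sys_f | add_f) & ~rm_f & MASK64)


if __name__ == "__main__":
    for spec in ("lo", "lo,ps,fw", "lo,na", "all", "+lo,-fw"):
        print(format_audit_flags(spec))
    print("user with audit_flags=fw:ps on a lo,ps system ->",
          "0x%x,0x%x" % user_audit_mask("lo,ps", "fw:ps"))
```

The point the slides make with `-setflags all` is visible in the masks: "all" sets every bit in both masks, and `all,^lo` is the only way to carve a class back out of it.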
SSH and X509
c0t0d0s0.org 131
root@ca:~# CA.pl -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
......++++++
writing new private key to '/etc/openssl/private/cakey.pem'
Enter PEM pass phrase: supersecret1
Verifying - Enter PEM pass phrase: supersecret1
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:DE
State or Province Name (full name) []:Lower Saxony
Locality Name (eg, city) []:Lueneburg
Organization Name (eg, company) []:c0t0d0s0.org
Organizational Unit Name (eg, section) []:Security Department
Common Name (eg, server FQDN or YOUR name) []:CA
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openssl/openssl.cnf
Enter pass phrase for /etc/openssl/private/cakey.pem: supersecret1
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            b3:54:80:88:66:ad:e8:78
        Validity
            Not Before: Sep 26 10:11:09 2013 GMT
            Not After : Sep 25 10:11:09 2016 GMT
        Subject:
            countryName               = DE
            stateOrProvinceName       = Lower Saxony
            organizationName          = c0t0d0s0.org
            organizationalUnitName    = Security Department
            commonName                = CA
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44
            X509v3 Authority Key Identifier:
                keyid:5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44
            X509v3 Basic Constraints:
                CA:TRUE
Certificate is to be certified until Sep 25 10:11:09 2016 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated
c0t0d0s0.org 132
root@ca:~# mkdir server
root@ca:~# cd server
root@ca:~/server# CA.pl -newreq
Generating a 1024 bit RSA private key
......++++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase: supersecret2
Verifying - Enter PEM pass phrase: supersecret2
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:DE
State or Province Name (full name) []:Lower Saxony
Locality Name (eg, city) []:Lueneburg
Organization Name (eg, company) []:c0t0d0s0.org
Organizational Unit Name (eg, section) []:Server Certificates
Common Name (eg, server FQDN or YOUR name) []:server
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem
c0t0d0s0.org 133
root@ca:~/server# CA.pl -signreq
Using configuration from /etc/openssl/openssl.cnf
Enter pass phrase for /etc/openssl/private/cakey.pem: supersecret1
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            b3:54:80:88:66:ad:e8:79
        Validity
            Not Before: Sep 26 10:29:12 2013 GMT
            Not After : Sep 26 10:29:12 2014 GMT
        Subject:
            countryName               = DE
            stateOrProvinceName       = Lower Saxony
            localityName              = Lueneburg
            organizationName          = c0t0d0s0.org
            organizationalUnitName    = Server Certificates
            commonName                = server
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                A7:DC:03:DE:B3:D5:FB:F9:C0:06:F1:1A:55:A9:AD:04:C4:9C:10:FA
            X509v3 Authority Key Identifier:
                keyid:5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44

Certificate is to be certified until Sep 26 10:29:12 2014 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
root@ca:~/server# ls -l
total 15
-rw-r--r--   1 root     root        3196 Sep 26 12:29 newcert.pem
-rw-r--r--   1 root     root        1041 Sep 26 12:28 newkey.pem
-rw-r--r--   1 root     root         680 Sep 26 12:28 newreq.pem
c0t0d0s0.org 135
root@ca:~/junior# CA.pl -newreq
Generating a 1024 bit RSA private key
......++++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
Verify failure
Enter PEM pass phrase: supersecret3
Verifying - Enter PEM pass phrase: supersecret3
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:DE
State or Province Name (full name) []:Lower Saxony
Locality Name (eg, city) []:Lueneburg
Organization Name (eg, company) []:c0t0d0s0.org
Organizational Unit Name (eg, section) []:User certificates
Common Name (eg, server FQDN or YOUR name) []:junior
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem
c0t0d0s0.org 136
root@ca:~/junior# CA.pl -signreq
Using configuration from /etc/openssl/openssl.cnf
Enter pass phrase for /etc/openssl/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            b3:54:80:88:66:ad:e8:7a
        Validity
            Not Before: Sep 26 11:09:29 2013 GMT
            Not After : Sep 26 11:09:29 2014 GMT
        Subject:
            countryName               = DE
            stateOrProvinceName       = Lower Saxony
            localityName              = Lueneburg
            organizationName          = c0t0d0s0.org
            organizationalUnitName    = User certificates
            commonName                = junior
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                A1:F2:FC:9D:8A:E2:AD:9A:F5:29:03:F5:B7:14:93:3C:64:62:8E:9C
            X509v3 Authority Key Identifier:
                keyid:5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44

Certificate is to be certified until Sep 26 11:09:29 2014 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
c0t0d0s0.org 137
root@server:~# useradd -m junior
80 blocks
root@server:~# passwd junior
New Password:
Re-enter new Password:
passwd: password successfully changed for junior
root@server:~#
root@client:~# useradd -m junior
80 blocks
root@client:~# passwd junior
New Password:
Re-enter new Password:
passwd: password successfully changed for junior
c0t0d0s0.org 138
root@server:~# echo "192.168.10.51 server" >> /etc/hosts
root@server:~# echo "192.168.10.52 client" >> /etc/hosts
root@client:~# echo "192.168.10.51 server" >> /etc/hosts
root@client:~# echo "192.168.10.52 client" >> /etc/hosts
c0t0d0s0.org 139
root@ca:~/server# scp /etc/openssl/cacert.pem jmoekamp@192.168.1.109:/export/home/jmoekamp
Password:
cacert.pem           100% |*****************************|  3011       00:00
root@ca:~/server# scp newcert.pem jmoekamp@192.168.1.109:/export/home/jmoekamp
Password:
newcert.pem          100% |*****************************|  3196       00:00
root@ca:~/server# scp newkey.pem jmoekamp@192.168.1.109:/export/home/jmoekamp
Password:
newkey.pem           100% |*****************************|  1041       00:00
root@ca:~/junior# scp newkey.pem junior@client:/export/home/junior
Password:
newkey.pem           100% |*****************************|  1041       00:00
root@ca:~/junior# scp newcert.pem junior@client:/export/home/junior
Password:
newcert.pem          100% |*****************************|  3190       00:00
root@ca:~/junior# scp /etc/openssl/cacert.pem junior@192.168.1.104:/export/home/junior
Password:
cacert.pem           100% |*****************************|  3011       00:00
c0t0d0s0.org 140
On the Server
c0t0d0s0.org 141
root@server:~# ls
cacert.pem   newcert.pem  newkey.pem
c0t0d0s0.org 142
root@server:~# pktool setpin
Enter token passphrase: changeme
Create new passphrase: superserversecret
Re-enter new passphrase: superserversecret
Passphrase changed.
root@server:~#
c0t0d0s0.org 144
root@server:~# printf "superserversecret" > /etc/ssh/pinfile
c0t0d0s0.org 145
root@server:~# kmfcfg create dbfile=/etc/ssh/policy.xml policy=ssh ta-name=search mapper-name=cn
c0t0d0s0.org 147
root@server:~# echo "TrustedAnchorKeystore /etc/ssh/cert" >> /etc/ssh/sshd_config
root@server:~# echo "KMFPolicyDatabase /etc/ssh/policy.xml" >> /etc/ssh/sshd_config
root@server:~# echo "KMFPolicyName ssh" >> /etc/ssh/sshd_config
root@server:~# echo "HostKey pkcs11:object=host;token=Sun Metaslot;pinfile=/etc/ssh/pinfile" >> /etc/ssh/sshd_config
c0t0d0s0.org 148
root@server:~# pktool import keystore=pkcs11 infile=newkey.pem objtype=key label=host
Enter PIN for Sun Software PKCS#11 softtoken: superserversecret
Enter PEM pass phrase: supersecret2
Importing 1 keys
c0t0d0s0.org 149
root@server:~# egrep -v "^ |^$|^Cert" /export/home/jmoekamp/cacert.pem > /etc/ssh/cert/cacert.cooked.pem
root@server:~# egrep -v "^ |^$|^Cert" newcert.pem > newcert.cooked.pem
root@server:~# pktool import keystore=pkcs11 infile=newcert.cooked.pem objtype=cert label=host
root@server:~#
c0t0d0s0.org 150
On the client
c0t0d0s0.org 151
junior@client:~$ ls *.pem
cacert.pem   newcert.pem  newkey.pem
c0t0d0s0.org 152
root@client:~# kmfcfg create dbfile=/etc/ssh/policy.xml policy=ssh ta-name=search mapper-name=cn
root@client:~# egrep -v "^ |^$|^Cert" /export/home/junior/cacert.pem > /etc/ssh/cert/cacert.cooked.pem
c0t0d0s0.org 153
junior@client:~$ pktool setpin
Enter token passphrase: changeme
Create new passphrase: superusersecret
Re-enter new passphrase: superusersecret
Passphrase changed.
c0t0d0s0.org 154
junior@client:~$ pktool import keystore=pkcs11 infile=newkey.pem objtype=key label=user
Enter PIN for Sun Software PKCS#11 softtoken: superusersecret
Enter PEM pass phrase: supersecret3
Importing 1 keys
junior@client:~$ egrep -v "^ |^$|^Cert" newcert.pem > newcert.cooked.pem
junior@client:~$ pktool import keystore=pkcs11 infile=newcert.cooked.pem objtype=cert label=user
c0t0d0s0.org 155
Testing it
c0t0d0s0.org 156
root@server:~# svcadm disable ssh
root@server:~# svcadm enable ssh
c0t0d0s0.org 157
junior@client:~$ cd .ssh
junior@client:~/.ssh$ printf "superusersecret" >> pinfile
junior@client:~/.ssh$ cat config
Host server-x509
        Hostname server
        TrustedAnchorKeystore /etc/ssh/cert
        KMFPolicyDatabase /etc/ssh/policy.xml
        KMFPolicyName ssh
        IdentityFile pkcs11:object=user;token=Sun Software PKCS#11 softtoken;pinfile=/export/home/junior/.ssh/pinfile
c0t0d0s0.org 158
junior@client:~/.ssh$ ssh junior@server-x509
Last login: Thu Sep 26 20:07:14 2013 from client
Oracle Corporation      SunOS 5.11      11.1    September 2013
junior@server:~$
c0t0d0s0.org 159
Find more information regarding this feature at:
http://www.c0t0d0s0.org/archives/7659-Using-X509-support-for-SSH-on-Solaris-11.1.html
c0t0d0s0.org 160
OpenSCAP
c0t0d0s0.org 161
"The Security Content Automation Protocol (SCAP) is a method for using specific standards to enable automated vulnerability management, measurement, and policy compliance evaluation (e.g., FISMA compliance). The National Vulnerability Database (NVD) is the U.S. government content repository for SCAP."
http://en.wikipedia.org/wiki/Security_Content_Automation_Protocol
c0t0d0s0.org 162
ftp-banner.xml
<?xml version="1.0" encoding="UTF-8"?>
<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:independent-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd">
  <generator>
    <oval:product_name>Enhanced SCAP Editor</oval:product_name>
    <oval:product_version>0.0.11</oval:product_version>
    <oval:schema_version>5.8</oval:schema_version>
    <oval:timestamp>2012-10-11T10:33:25</oval:timestamp>
  </generator>
  <!--generated.oval.base.identifier=com.oracle.solaris11-->
  <definitions>
    <definition id="oval:com.oracle.solaris11:def:840" version="1" class="compliance">
      <metadata>
        <title>Enable a Warning Banner for the FTP Service</title>
        <affected family="unix">
          <platform>Oracle Solaris 11</platform>
        </affected>
        <description>/etc/proftpd.conf contains "DisplayConnect /etc/issue"</description>
      </metadata>
      <criteria operator="AND" negate="false" comment="Single test">
        <criterion comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;" test_ref="oval:com.oracle.solaris11:tst:8400" negate="false"/>
      </criteria>
    </definition>
  </definitions>
  <tests>
    <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:com.oracle.solaris11:tst:8400" version="1" check="all" comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;" check_existence="all_exist">
      <object object_ref="oval:com.oracle.solaris11:obj:8400"/>
    </textfilecontent54_test>
  </tests>
  <objects>
    <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:com.oracle.solaris11:obj:8400" version="1" comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;">
      <path datatype="string" operation="equals">/etc</path>
      <filename datatype="string" operation="equals">proftpd.conf</filename>
      <pattern datatype="string" operation="pattern match">^DisplayConnect\s/etc/issue\s*$</pattern>
      <instance datatype="int" operation="greater than or equal">1</instance>
    </textfilecontent54_object>
  </objects>
</oval_definitions>
c0t0d0s0.org 163
<textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:com.oracle.solaris11:obj:8400" version="1" comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;">
  <path datatype="string" operation="equals">/etc</path>
  <filename datatype="string" operation="equals">proftpd.conf</filename>
  <pattern datatype="string" operation="pattern match">^DisplayConnect\s/etc/issue\s*$</pattern>
  <instance datatype="int" operation="greater than or equal">1</instance>
</textfilecontent54_object>
c0t0d0s0.org 164
$ oscap oval eval ftp-banner.xml
Definition oval:com.oracle.solaris11:def:840: false
Evaluation done.
$ oscap oval eval --results results.xml --report report.html ftp-banner.xml
Definition oval:com.oracle.solaris11:def:840: false
Evaluation done.
OVAL Results are exported correctly.
c0t0d0s0.org 165
To create your own OVAL files: Enhanced SCAP Content Editor
c0t0d0s0.org 167
Find more information regarding this feature at:
https://blogs.oracle.com/darren/entry/compliance_reporting_with_scap
c0t0d0s0.org
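The ftp-banner.xml definition above boils down to one textfilecontent54_object: does /etc/proftpd.conf contain a line matching the pattern at least once? The following added example, not code from the slides, from OpenSCAP or from Oracle, is a small evaluator for exactly that object type: it parses a trimmed copy of the slides' OVAL document with the standard library, resolves criterion to test to object, applies path, filename, pattern and instance to a file tree, and reports the definition result the way `oscap oval eval` prints it. It evaluates against a root directory of your choosing so it can run offline; the proftpd.conf contents in the demo are constructed, first without and then with the DisplayConnect directive.

```python
"""Added example (not from the slides): evaluate an OVAL textfilecontent54
check with the standard library only.  Handles AND/OR criteria, negate,
the pattern-match object and the instance filter; no state elements.
"""
import os
import re
import shutil
import tempfile
import xml.etree.ElementTree as ET

OVAL_DEF = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
OVAL_IND = OVAL_DEF + "#independent"

# Trimmed copy of the slides' ftp-banner.xml (metadata and generator dropped).
FTP_BANNER_XML = r"""<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
  <definitions>
    <definition id="oval:com.oracle.solaris11:def:840" version="1" class="compliance">
      <criteria operator="AND" negate="false">
        <criterion test_ref="oval:com.oracle.solaris11:tst:8400" negate="false"/>
      </criteria>
    </definition>
  </definitions>
  <tests>
    <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"
        id="oval:com.oracle.solaris11:tst:8400" version="1" check="all" check_existence="all_exist">
      <object object_ref="oval:com.oracle.solaris11:obj:8400"/>
    </textfilecontent54_test>
  </tests>
  <objects>
    <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"
        id="oval:com.oracle.solaris11:obj:8400" version="1">
      <path datatype="string" operation="equals">/etc</path>
      <filename datatype="string" operation="equals">proftpd.conf</filename>
      <pattern datatype="string" operation="pattern match">^DisplayConnect\s/etc/issue\s*$</pattern>
      <instance datatype="int" operation="greater than or equal">1</instance>
    </textfilecontent54_object>
  </objects>
</oval_definitions>
"""


def _child(elem, ns, tag):
    return elem.find("{%s}%s" % (ns, tag))


def collect_items(obj, root):
    """Return [(instance_no, matched_text)] for a textfilecontent54_object under `root`."""
    path = _child(obj, OVAL_IND, "path").text
    filename = _child(obj, OVAL_IND, "filename").text
    pattern = re.compile(_child(obj, OVAL_IND, "pattern").text, re.MULTILINE)
    inst = _child(obj, OVAL_IND, "instance")
    want, op = int(inst.text), inst.get("operation", "equals")
    keep = {"equals": lambda i: i == want,
            "greater than or equal": lambda i: i >= want,
            "less than or equal": lambda i: i <= want}[op]
    full = os.path.join(root, path.lstrip("/"), filename)
    if not os.path.isfile(full):
        return []                       # object does not exist: no items collected
    with open(full) as fh:
        text = fh.read()
    return [(i, m.group(0)) for i, m in enumerate(pattern.finditer(text), 1) if keep(i)]


def evaluate_test(test, objects, root):
    """Without a state element the test is its existence check: did any item match?"""
    obj = objects[_child(test, OVAL_IND, "object").get("object_ref")]
    items = collect_items(obj, root)
    if test.get("check_existence", "at_least_one_exists") in ("all_exist", "at_least_one_exists"):
        return len(items) > 0
    if test.get("check_existence") == "none_exist":
        return len(items) == 0
    raise NotImplementedError(test.get("check_existence"))


def evaluate_criteria(crit, tests, objects, root):
    """Combine nested criteria/criterion elements with the AND/OR operator and negate flags."""
    values = []
    for child in crit:
        tag = child.tag.split("}")[-1]
        if tag == "criterion":
            value = evaluate_test(tests[child.get("test_ref")], objects, root)
        elif tag == "criteria":
            value = evaluate_criteria(child, tests, objects, root)
        else:
            continue
        values.append(not value if child.get("negate") == "true" else value)
    result = all(values) if crit.get("operator", "AND") == "AND" else any(values)
    return not result if crit.get("negate") == "true" else result


def evaluate(xml_text, root="/"):
    """Return {definition_id: True/False}, the lines `oscap oval eval` prints."""
    doc = ET.fromstring(xml_text)
    tests = {t.get("id"): t for t in doc.find("{%s}tests" % OVAL_DEF)}
    objects = {o.get("id"): o for o in doc.find("{%s}objects" % OVAL_DEF)}
    return {d.get("id"): evaluate_criteria(_child(d, OVAL_DEF, "criteria"), tests, objects, root)
            for d in doc.find("{%s}definitions" % OVAL_DEF)}


def demo():
    """Evaluate the banner check against a constructed etc/proftpd.conf, before and after the fix."""
    root = tempfile.mkdtemp()
    try:
        os.mkdir(os.path.join(root, "etc"))
        conf = os.path.join(root, "etc", "proftpd.conf")
        with open(conf, "w") as fh:             # constructed config, banner missing
            fh.write('ServerName "demo"\nPort 21\n')
        before = evaluate(FTP_BANNER_XML, root)["oval:com.oracle.solaris11:def:840"]
        with open(conf, "a") as fh:             # the remediation the definition asks for
            fh.write("DisplayConnect /etc/issue\n")
        after = evaluate(FTP_BANNER_XML, root)["oval:com.oracle.solaris11:def:840"]
        return before, after
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for result in demo():
        print("Definition oval:com.oracle.solaris11:def:840: %s" % str(result).lower())
```

Running it with root="/" on a host that really has /etc/proftpd.conf reproduces the "false" line from the slide; the point of the demo function is to show that the same definition flips to true once the directive is present, which is what a compliance result is supposed to track.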
This slideset was made to have a fallback for a live demo at a series of Oracle Breakfast events in Germanyas the presentation diverted a lot in the first location
in the light of recent events around privacy and security
However most information is in the voice track that wasnlsquot recordedSo this presentation may be not that useful
If you need the voice track ask your Oracle sales rep that he ask his managerto ask my manager to let me doing the presentation in your country )
c0t0d0s0org
Primarily i used example from my practical work and from my own bloghowever i would like to thank two colleagues
Glenn Faden for ldquoOracle Solaris Extended Policy and MySQLldquohttpsblogsoraclecomgfadenentryoracle_solaris_extended_policy_and
Darren Moffat for ldquoCompliance reporting with SCAPldquohttpsblogsoraclecomdarrenentrycompliance_reporting_with_scapldquo
I directly reused their blog entries for this presentation
c0t0d0s0org4
Certifications
c0t0d0s0org
Solaris 10 Common Criteria Evaluationhas been certified on EAL4+ level
c0t0d0s0org
We have a common Criteria CertificationFor Solaris 10 at the moment For Solaris 11 in the future
However the common criteria certification doesnlsquot certify security
c0t0d0s0org
Solaris 10 Trusted Extensions Common Criteria Evaluationhas been certified on EAL4+ level
httpwwworaclecomtechnetworktopicssecurityoracle-cc-evalsolaris-083233htmlsol10U3TX
The following protection profiles were usedConditional Access Protection ProfileRole Based Access Control Protection ProfileLabel Security Protection Profiles
c0t0d0s0org
Solaris 111 is currently in certification
httpwwworaclecomtechnetworktopicssecuritysecurity-evaluations-099357htmlInEvaluated
c0t0d0s0org9
Is it really a Solaris 11 binary
c0t0d0s0org10
jmoekampserver~$ elfsign verify -v usrbinoscapelfsign verification of usrbinoscap passedformat rsa_md5_sha1signer CN=SunOS 510 OU=Solaris Signed Execution O=Sun Microsystems Inc
c0t0d0s0org11
Sandboxing applications on Solaris 111
c0t0d0s0org12
rootsolaris profiles -p MySQL ServiceMySQL Servicegt set desc=Locking down the MySQL ServiceMySQL Servicegt add cmd=libsvcmethodmysql_51MySQL Servicemysql_51gt set privs=basicMySQL Servicemysql_51gt add privs=net_privaddr3306tcpMySQL Servicemysql_51gt add privs=file_writevarmysql51dataMySQL Servicemysql_51gt add privs=file_writetmpmysqlsockMySQL Servicemysql_51gt add privs=file_writevartmpibMySQL Servicemysql_51gt endMySQL Servicegt set uid=mysqlMySQL Servicegt set gid=mysqlMySQL Servicegt exit rootsolaris
c0t0d0s0org13
rootsolaris svccfg -s mysqlversion_51svcapplicationdatabasemysqlversion_51gt setprop method_contextprofile=MySQL Servicesvcapplicationdatabasemysqlversion_51gt setprop method_contextuse_profile=truesvcapplicationdatabasemysqlversion_51gt refreshsvcapplicationdatabasemysqlversion_51gt exit
c0t0d0s0org14
rootsolaris ipadm set-prop -p extra_priv_ports+=3306 tcprootsolaris ipadm show-prop -p extra_priv_ports tcpPROTO PROPERTY PERM CURRENT PERSISTENT DEFAULT POSSIBLEtcp extra_priv_ports rw 20494045 -- 20494045 1-65535 3306
c0t0d0s0org15
svcadm enable mysqlversion_51
c0t0d0s0org16
rootsolaris ppriv $(pgrep mysql)103697 usrmysql51binmysqld --basedir=usrmysql51 --datadir=varmysqflags = PRIV_XPOLICY Extended policies net_privaddr3306tcp file_writevarmysql51data file_writetmpmysqlsock file_writevartmpib E basicfile_write I basicfile_write P basicfile_write L all103609 binsh usrmysql51binmysqld_safe --user=mysql --datadir=varmysflags = PRIV_XPOLICY Extended policies net_privaddr3306tcp file_writevarmysql51data file_writetmpmysqlsock file_writevartmpib E basicfile_write I basicfile_write P basicfile_write L all
c0t0d0s0org17
Find more information regarding this feature athttpsblogsoraclecomgfadenentryoracle_solaris_extended_policy_and
c0t0d0s0org18
Passwords
c0t0d0s0org19
rootclientetcsecurity cat etcsecuritycryptconf Copyright 2008 Sun Microsystems Inc All rights reserved Use is subject to license termsident ZM I E SMI The algorithm name __unix__ is reserved
1 crypt_bsdmd5so12a crypt_bsdbfso1md5 crypt_sunmd5so15 crypt_sha256so16 crypt_sha512so1
c0t0d0s0org20
rootclientetcsecurity cat etcsecuritypolicyconf | egrep ^CRYPT_DEFAULTCRYPT_DEFAULT=5rootclientetcsecurity cat etcshadow | grep juniorjunior$5$4aKvDFqA$2kL8GpuXjrdf8XpanqhylEP5lDhy1DF5uo1ZYx74f3159291440
c0t0d0s0org21
rootclientetcsecurity cat etcdefaultpasswd | grep -v | egrep -v ^$|^$ident ZM I E SMIMAXWEEKS=MINWEEKS=PASSLENGTH=6NAMECHECK=NOHISTORY=0MINDIFF=3MINALPHA=2MINNONALPHA=1MINUPPER=0MINLOWER=0MAXREPEATS=0MINSPECIAL=0MINDIGIT=0WHITESPACE=YESDICTIONLIST=DICTIONDBDIR=varpasswd
c0t0d0s0org22
rootclient mkpwdict -s usrsharelibdictwordsmkpwdict using default database location varpasswd
oder
rootclient mkpwdict -s usrsharelibdictwords -d varpasswd
c0t0d0s0org23
Address Space Layout Randomization
c0t0d0s0org24
rootsolaris sxadm exec -s aslr=disable usrbinpmap self1914 usrbinpmap self1914 usrbinpmap self0000000000400000 28K r-x-- usrbinpmap0000000000417000 4K rw--- usrbinpmap0000000000418000 40K rw--- [ heap ]FFFF80FFBDDD0000 216K r-x-- libamd64libprocso1FFFF80FFBDE16000 8K rw--- libamd64libprocso1FFFF80FFBF430000 1764K r-x-- libamd64libcso1FFFF80FFBF5F9000 64K rw--- libamd64libcso1FFFF80FFBF609000 12K rw--- libamd64libcso1FFFF80FFBF740000 4K rw--- [ anon ]FFFF80FFBF750000 24K rwx-- [ anon ]FFFF80FFBF760000 4K rw--- [ anon ]FFFF80FFBF770000 4K rw--- [ anon ]FFFF80FFBF780000 4K rw--- [ anon ]FFFF80FFBF790000 4K rw--- [ anon ]FFFF80FFBF792000 4K r--s- [ anon ]FFFF80FFBF795000 340K r-x-- libamd64ldso1FFFF80FFBF7FA000 12K rwx-- libamd64ldso1FFFF80FFBF7FD000 8K rwx-- libamd64ldso1FFFF80FFBFFFD000 12K rw--- [ stack ] total 2556K
c0t0d0s0org25
rootsolaris sxadm exec -s aslr=disable usrbinpmap self1915 usrbinpmap self1915 usrbinpmap self0000000000400000 28K r-x-- usrbinpmap0000000000417000 4K rw--- usrbinpmap0000000000418000 40K rw--- [ heap ]FFFF80FFBDDD0000 216K r-x-- libamd64libprocso1FFFF80FFBDE16000 8K rw--- libamd64libprocso1FFFF80FFBF430000 1764K r-x-- libamd64libcso1FFFF80FFBF5F9000 64K rw--- libamd64libcso1FFFF80FFBF609000 12K rw--- libamd64libcso1FFFF80FFBF740000 4K rw--- [ anon ]FFFF80FFBF750000 24K rwx-- [ anon ]FFFF80FFBF760000 4K rw--- [ anon ]FFFF80FFBF770000 4K rw--- [ anon ]FFFF80FFBF780000 4K rw--- [ anon ]FFFF80FFBF790000 4K rw--- [ anon ]FFFF80FFBF792000 4K r--s- [ anon ]FFFF80FFBF795000 340K r-x-- libamd64ldso1FFFF80FFBF7FA000 12K rwx-- libamd64ldso1FFFF80FFBF7FD000 8K rwx-- libamd64ldso1FFFF80FFBFFFD000 12K rw--- [ stack ] total 2556K
c0t0d0s0org26
rootsolaris sxadm exec -s aslr=enable usrbinpmap self1917 usrbinpmap self1917 usrbinpmap self0000000000400000 28K r-x-- usrbinpmap0000000000417000 4K rw--- usrbinpmap0000000000418000 8K rw--- usrbinpmap00000005D6666000 36K rw--- [ heap ]00007FF669C70000 216K r-x-- libamd64libprocso100007FF669CB6000 8K rw--- libamd64libprocso100007FF669CC0000 4K rw--- [ anon ]00007FF669CD0000 24K rwx-- [ anon ]00007FF669CE0000 4K rw--- [ anon ]00007FF669CF0000 1764K r-x-- libamd64libcso100007FF669EB9000 64K rw--- libamd64libcso100007FF669EC9000 12K rw--- libamd64libcso100007FF669ED0000 4K rw--- [ anon ]00007FF669EE0000 4K rw--- [ anon ]00007FF669EF0000 4K rw--- [ anon ]00007FF669EF2000 4K r--s- [ anon ]00007FF669EFC000 340K r-x-- libamd64ldso100007FF669F61000 12K rwx-- libamd64ldso100007FF669F64000 8K rwx-- libamd64ldso1FFFF80DDA254F000 16K rw--- [ stack ] total 2564K
c0t0d0s0org27
rootsolaris sxadm exec -s aslr=enable usrbinpmap self1918 usrbinpmap self1918 usrbinpmap self0000000000400000 28K r-x-- usrbinpmap0000000000417000 4K rw--- usrbinpmap0000000000418000 8K rw--- usrbinpmap000000065B76D000 36K rw--- [ heap ]00007FFAACFC0000 216K r-x-- libamd64libprocso100007FFAAD006000 8K rw--- libamd64libprocso100007FFAAD010000 4K rw--- [ anon ]00007FFAAD020000 24K rwx-- [ anon ]00007FFAAD030000 4K rw--- [ anon ]00007FFAAD040000 1764K r-x-- libamd64libcso100007FFAAD209000 64K rw--- libamd64libcso100007FFAAD219000 12K rw--- libamd64libcso100007FFAAD220000 4K rw--- [ anon ]00007FFAAD230000 4K rw--- [ anon ]00007FFAAD240000 4K rw--- [ anon ]00007FFAAD242000 4K r--s- [ anon ]00007FFAAD24D000 340K r-x-- libamd64ldso100007FFAAD2B2000 12K rwx-- libamd64ldso100007FFAAD2B5000 8K rwx-- libamd64ldso1FFFF80DE1559E000 12K rw--- [ stack ]
c0t0d0s0org28
rootsolaris sxadm infoEXTENSION STATUS CONFIGURATIONaslr enabled (tagged-files) system default (default)
rootsolaris elfdump -d usrbinpmap | grep ASLR [33] SUNW_ASLR 0x2 ENABLE
rootsolaris elfedit -e dynsunw_aslr disable usrbinpmap
rootsolaris elfdump -d usrbinpmap | grep ASLR [33] SUNW_ASLR 0x1 DISABLE
c0t0d0s0org29
rootsolaris sxadm enable -c model=all aslrrootsolaris sxadm infoEXTENSION STATUS CONFIGURATIONaslr enabled (all) enabled (all)
rootsolaris sxadm disable aslrrootsolaris sxadm infoEXTENSION STATUS CONFIGURATIONaslr disabled disabled
rootsolaris sxadm enable -c model=tagged-files aslrrootsolaris sxadm infoEXTENSION STATUS CONFIGURATIONaslr enabled (tagged-files) enabled (tagged-files)
c0t0d0s0org30
pfedit
c0t0d0s0org31
roottemplateetcapache222 profiles -p httpd editprofileshttpd editgt set auths=solarisadmineditetcapache222httpdconfprofileshttpd editgt set desc=Edit httpdprofileshttpd editgt exit
c0t0d0s0org32
roottemplateetcapache222 usermod -P +httpd edit junior
c0t0d0s0org33
juniortemplate~$ profiles httpd edit Basic Solaris User All
c0t0d0s0org34
juniortemplate~$ vi etcapache222httpdconf
c0t0d0s0org35
juniortemplate~$ pfedit etcapache222httpdconfpfedit etcapache222httpdconf has been updated
c0t0d0s0org36
juniortemplate~$ pfedit etcapache222mimetypespfedit User junior is not authorized to edit the file etcapache222mimetypes
c0t0d0s0org37
roottemplateetcapache222 profiles -p httpd editprofileshttpd editgt info name=httpd edit desc=Edit httpd auths=solarisadmineditetcapache222httpdconfprofileshttpd editgt add auths=solarisadmineditetcapache222mimetypes
c0t0d0s0org38
juniortemplate~$ pfedit etcapache222mimetypespfedit no changes for etcapache222mimetypes
c0t0d0s0org39
profiles -p httpd configureprofileshttpd configuregt add always_audit=asprofileshttpd configuregt info name=httpd configure desc=Configure httpd auths=solarisadmineditetcapache222httpdconfsolarisadmineditetcapache222mimetypes always_audit=as never_audit=noprofileshttpd configuregt exitroottemplate~
c0t0d0s0org40
roottemplate~ auditreduce -c as | praudit
c0t0d0s0org41
[]header4862edit administrative filefe80a0027fffea633cb2013-08-12 074552306 +0000subjectjuniorjuniorstaffjuniorstaff4212447467166369 136704 MacBook-Pro-of-c0t0d0s0fritzboxpathetcapache222httpdconfuse of authorizationsolarisadmineditetcapache222httpdconftext--- etcapache222httpdconf Mo Aug 12 074500 2013 +++ etcapache222httpdconfpfedit1BaGoi Mo Aug 12 074552 2013 -15 +16 Test Test 2 + Test 3 This is the main Apache HTTP server configuration file It contains the configuration directives that give the server its instructions
returnsuccess0
c0t0d0s0org42
Delegating privilege to restartservices(so you can keep the root password)
c0t0d0s0org43
juniortemplate~$ svcadm refresh apache22svcadm svcnetworkhttpapache22 Permission denied
c0t0d0s0org44
svcs -a | grep apache22online 153029 svcnetworkhttpapache22
c0t0d0s0org45
auths add -t Apache22 value solarissmfvaluehttpapache22 auths add -t Apache22 action solarissmfactionhttpapache22
c0t0d0s0org46
svccfg -s apache22 setprop generalvalue_authorization= astring solarissmfvaluehttpapache22 svccfg -s apache22 setprop generalaction_authorization= astring solarissmfactionhttpapache22
c0t0d0s0org47
profiles -p httpd edit add auths=solarissmfactionhttpapache22
c0t0d0s0org48
juniortemplate~$ svcadm refresh apache22juniortemplate~$
c0t0d0s0org49
Privileges
c0t0d0s0org50
$ ls -l usrsbintraceroute-r-sr-xr-x 1 root bin 42324 Nov 21 0009 usrsbintraceroute$ ls -l usrsbinping-r-sr-xr-x 1 root bin 51396 Nov 18 1931 usrsbinping
set-id to root ping needs it to work
c0t0d0s0org51
chmod -s sbinping exit
$ ping -s 1921681132ping socket Permission denied
Remove the set-uid and ping will stop to work
c0t0d0s0org52
jmoekampdaddelkiste~$ ppriv $$2153 -bashflags = ltnonegt E basic I basic P basic L all
c0t0d0s0org53
The full set of Solaris privileges (shown on these slides as a word cloud):

contract_event, contract_identity, contract_observer, cpc_cpu, dtrace_kernel, dtrace_proc, dtrace_user, file_chown, file_chown_self, file_dac_execute, file_dac_read, file_dac_search, file_dac_write, file_downgrade_sl, file_flag_set, file_link_any, file_owner, file_read, file_setid, file_upgrade_sl, file_write, graphics_access, graphics_map, ipc_dac_read, ipc_dac_write, ipc_owner, net_access, net_bindmlp, net_icmpaccess, net_mac_aware, net_mac_implicit, net_observability, net_privaddr, net_rawaccess, proc_audit, proc_chroot, proc_clock_highres, proc_exec, proc_fork, proc_info, proc_lock_memory, proc_owner, proc_priocntl, proc_session, proc_setid, proc_taskid, proc_zone, sys_acct, sys_admin, sys_audit, sys_config, sys_devices, sys_dl_config, sys_flow_config, sys_ib_config, sys_ib_info, sys_ip_config, sys_ipc_config, sys_iptun_config, sys_linkdir, sys_mount, sys_net_config, sys_nfs, sys_ppp_config, sys_res_bind, sys_res_config, sys_resource, sys_share, sys_smb, sys_suser_compat, sys_time, sys_trans_label, win_colormap, win_config, win_dac_read, win_dac_write, win_devices, win_dga, win_downgrade_sl, win_fontpath, win_mac_read, win_mac_write, win_selection, win_upgrade_sl

All privileges in their entirety assigned to one user are (almost)

Neat extension in Solaris 11: the ability to use networking is now a privilege. It's part of the default set of privileges, but you can remove it.

moekamp@daddelkiste:~$ ppriv -v $$
2153:   -bash
flags = <none>
        E: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
        I: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
        P: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
        L: contract_event,contract_identity,contract_observer,cpc_cpu,dtrace_kernel,dtrace_proc,dtrace_user,file_chown,file_chown_self,file_dac_execute,file_dac_read,file_dac_search,file_dac_write,file_downgrade_sl,file_flag_set,file_link_any,file_owner,file_read,file_setid,file_upgrade_sl,file_write,graphics_access,graphics_map,ipc_dac_read,ipc_dac_write,ipc_owner,net_access,net_bindmlp,net_icmpaccess,net_mac_aware,net_mac_implicit,net_observability,net_privaddr,net_rawaccess,proc_audit,proc_chroot,proc_clock_highres,proc_exec,proc_fork,proc_info,proc_lock_memory,proc_owner,proc_priocntl,proc_session,proc_setid,proc_taskid,proc_zone,sys_acct,sys_admin,sys_audit,sys_config,sys_devices,sys_dl_config,sys_flow_config,sys_ib_config,sys_ib_info,sys_ip_config,sys_ipc_config,sys_iptun_config,sys_linkdir,sys_mount,sys_net_config,sys_nfs,sys_ppp_config,sys_res_bind,sys_res_config,sys_resource,sys_share,sys_smb,sys_suser_compat,sys_time,sys_trans_label,win_colormap,win_config,win_dac_read,win_dac_write,win_devices,win_dga,win_downgrade_sl,win_fontpath,win_mac_read,win_mac_write,win_selection,win_upgrade_sl

root@daddelkiste:~# ppriv $$
2183:   -bash
flags = <none>
        E: all
        I: basic
        P: all
        L: all

junior@daddelkiste:~$ dtrace -n 'syscall:::entry { @num[execname] = count(); }'
dtrace: failed to initialize dtrace: DTrace requires additional privileges

root@daddelkiste:~# usermod -K defaultpriv=basic,dtrace_kernel,dtrace_proc,dtrace_user junior
UX: usermod: junior is currently logged in, some changes may not take effect until next login.

junior@daddelkiste:~$ dtrace -n 'syscall:::entry { @num[execname] = count(); }'
dtrace: description 'syscall:::entry ' matched 211 probes
^C
  automountd            1
  sshd                 24
  dtrace              544
  auditd              564

# ps -ef | grep kcfd
  daemon   125     1   0 14:24:19 ?           0:00 /usr/lib/crypto/kcfd
    root   734   728   0 15:54:08 pts/1       0:00 grep kcfd
# ppriv -v 125
125:    /usr/lib/crypto/kcfd
flags = PRIV_AWARE
        E: file_owner,proc_priocntl,sys_devices
        I: none
        P: file_owner,proc_priocntl,sys_devices
        L: none

# svcadm -v enable -s apache2
svc:/network/http:apache2 enabled.

jmoekamp@client:~$ ps -ef | grep http
webservd  1978  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1979  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1980  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1984  1975   0 12:20:02 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
    root  1975     1   0 12:19:14 ?           0:01 /usr/apache2/2.2/bin/httpd -k start
webservd  1977  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1976  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start

root@client:~# ppriv 1977
1977:   /usr/apache2/2.2/bin/httpd -k start
flags = <none>
        E: basic
        I: basic
        P: basic
        L: all
root@client:~# ppriv 1975
1975:   /usr/apache2/2.2/bin/httpd -k start
flags = <none>
        E: all
        I: basic
        P: all
        L: all

The Apache process running as root has the following privileges: all of them (the slide highlights the complete privilege set).

The other processes have the following privileges: the basic set.

Apache really needs: only a handful of them (the slide highlights the subset it actually uses).

So you grant a large number of privileges to one process that Apache doesn't need.

# svcadm -v disable -s apache2
svc:/network/http:apache2 disabled.

root@client:~# svccfg -s apache22
svc:/network/http:apache22> setprop start/user = astring: webservd
svc:/network/http:apache22> setprop start/group = astring: webservd
svc:/network/http:apache22> setprop start/privileges = astring: basic,!proc_session,!proc_info,!file_link_any,net_privaddr
svc:/network/http:apache22> setprop start/limit_privileges = astring: :default
svc:/network/http:apache22> setprop start/use_profile = boolean: false
svc:/network/http:apache22> setprop start/supp_groups = astring: :default
svc:/network/http:apache22> setprop start/working_directory = astring: :default
svc:/network/http:apache22> setprop start/project = astring: :default
svc:/network/http:apache22> setprop start/resource_pool = astring: :default
svc:/network/http:apache22> end
root@client:~# svcadm -v refresh apache22
Action refresh set for svc:/network/http:apache22.

# echo "LockFile /var/apache2/2.2/logs/accept.lock" >> /etc/apache2/2.2/httpd.conf
# echo "PidFile /var/apache2/2.2/run/httpd.pid" >> /etc/apache2/2.2/httpd.conf
# mkdir -p -m 755 /var/apache2/2.2/run
# chown webservd:webservd /var/apache2/2.2/run
# svcadm enable apache22

webservd  3064  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3062  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3063  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3066  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3061     1   0 16:49:17 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3065  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start

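To make the privilege arithmetic behind the slides above concrete, here is an added example (not code from the slides) that expands privilege specifications the way ppriv, usermod -K defaultpriv and the SMF start/privileges property read them, and measures how far the svccfg setting reduces the root-owned httpd parent. The 84 privilege names and the basic set are taken from the slides' ppriv output; the spec grammar (all, none, basic, a name, !name) is the one documented in privileges(5).

```python
"""Solaris privilege-set arithmetic: an added example, not code from the
slides.  The 84 privilege names are the ones shown on the slides; the spec
grammar (all, none, basic, a privilege name, !name to drop one) is the one
privileges(5) documents for ppriv, usermod -K defaultpriv=... and the SMF
start/privileges property.  The basic set below is the E set that
"ppriv -v $$" printed for an ordinary user on the slide.
"""
from __future__ import annotations

_ALL_NAMES = """
contract_event contract_identity contract_observer cpc_cpu dtrace_kernel
dtrace_proc dtrace_user file_chown file_chown_self file_dac_execute
file_dac_read file_dac_search file_dac_write file_downgrade_sl file_flag_set
file_link_any file_owner file_read file_setid file_upgrade_sl file_write
graphics_access graphics_map ipc_dac_read ipc_dac_write ipc_owner net_access
net_bindmlp net_icmpaccess net_mac_aware net_mac_implicit net_observability
net_privaddr net_rawaccess proc_audit proc_chroot proc_clock_highres proc_exec
proc_fork proc_info proc_lock_memory proc_owner proc_priocntl proc_session
proc_setid proc_taskid proc_zone sys_acct sys_admin sys_audit sys_config
sys_devices sys_dl_config sys_flow_config sys_ib_config sys_ib_info
sys_ip_config sys_ipc_config sys_iptun_config sys_linkdir sys_mount
sys_net_config sys_nfs sys_ppp_config sys_res_bind sys_res_config sys_resource
sys_share sys_smb sys_suser_compat sys_time sys_trans_label win_colormap
win_config win_dac_read win_dac_write win_devices win_dga win_downgrade_sl
win_fontpath win_mac_read win_mac_write win_selection win_upgrade_sl
"""
ALL = frozenset(_ALL_NAMES.split())          # 84 privileges
BASIC = frozenset({
    "file_link_any", "file_read", "file_write", "net_access", "proc_exec",
    "proc_fork", "proc_info", "proc_session", "sys_ib_info",
})


def expand_spec(spec: str) -> frozenset[str]:
    """Expand a privilege specification into an explicit set.

    Tokens apply left to right: "basic,!proc_info" is basic minus proc_info,
    "all,!sys_admin" is everything but sys_admin.
    """
    privs: set[str] = set()
    for token in (t.strip() for t in spec.split(",")):
        if not token:
            continue
        negate = token.startswith("!")
        name = token[1:] if negate else token
        if name == "all":
            members = set(ALL)
        elif name == "basic":
            members = set(BASIC)
        elif name == "none":
            members = set()
        elif name in ALL:
            members = {name}
        else:
            raise ValueError(f"unknown privilege: {name}")
        privs = privs - members if negate else privs | members
    return frozenset(privs)


def parse_ppriv(output: str) -> dict[str, frozenset[str]]:
    """Return the E/I/P/L sets from ppriv(1) output (verbose or compact)."""
    sets: dict[str, frozenset[str]] = {}
    for line in output.splitlines():
        line = line.strip()
        if len(line) > 2 and line[0] in "EIPL" and line[1] == ":":
            sets[line[0]] = expand_spec(line[2:])
    return sets


def excess_privileges(process: dict[str, frozenset[str]], needed: str) -> frozenset[str]:
    """Effective privileges a process holds beyond what a spec says it needs."""
    return process["E"] - expand_spec(needed)


# Constructed from the slides: the root-owned httpd parent (ppriv 1975) and
# the start/privileges value later set with svccfg.
ROOT_HTTPD_PPRIV = """\
1975:   /usr/apache2/2.2/bin/httpd -k start
flags = <none>
        E: all
        I: basic
        P: all
        L: all
"""
REDUCED_HTTPD_SPEC = "basic,!proc_session,!proc_info,!file_link_any,net_privaddr"

if __name__ == "__main__":
    root_httpd = parse_ppriv(ROOT_HTTPD_PPRIV)
    extra = excess_privileges(root_httpd, REDUCED_HTTPD_SPEC)
    print(f"httpd as root holds {len(extra)} privileges it does not need, e.g.",
          ", ".join(sorted(extra)[:5]))
    print("reduced set:", ", ".join(sorted(expand_spec(REDUCED_HTTPD_SPEC))))
```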
Read-only zone root

zonecfg:testzone> set file-mac-profile=none
    Standard read-write non-global zone with no additional protection beyond the existing zone boundaries.

zonecfg:testzone> set file-mac-profile=strict
    Read-only file system, no exceptions.

zonecfg:testzone> set file-mac-profile=fixed-configuration
    Permits updates to /var/* directories, with the exception of directories that contain system configuration components.

zonecfg:testzone> set file-mac-profile=flexible-configuration
    Permits modification of files in /etc/* directories, changes to root's home directory, and updates to /var/* directories. This configuration provides the closest functionality to the Oracle Solaris 10 native sparse root zone.

in-kernel SSL Proxy

# mkdir /etc/keys
# cd /etc/keys
# openssl req -x509 -nodes -days 365 -subj "/C=DE/ST=Hamburg/L=Hamburg/CN=server" -newkey rsa:1024 -keyout /etc/keys/mykey.pem -out /etc/keys/mycert.pem
# cat mycert.pem mykey.pem > my.pem
# chmod 600 my.pem

# echo "pass" > /etc/keys/mypass
# ksslcfg create -f pem -i /etc/keys/my.pem -x 8080 -p /etc/keys/mypass server 443

# ksslcfg create -f pem -i /etc/keys/my.pem -x 8080 -p /etc/keys/mypass -c rsa_aes_256_cbc_sha,rsa_aes_128_cbc_sha,rsa_rc4_128_sha,rsa_rc4_128_md5 server 443

# svcs -a | grep kssl
online          9:03:33 svc:/network/ssl/proxy:kssl-server-443

# svcadm disable apache22
# echo "Listen 192.168.178.108:8080" >> /etc/apache2/2.2/httpd.conf
# svcadm enable apache22
Port number and IP address have to be defined in httpd.conf, otherwise it will not work.

# openssl s_client -connect server:443
CONNECTED(00000004)
depth=0 /C=DE/ST=Hamburg/L=Hamburg/CN=server
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=DE/ST=Hamburg/L=Hamburg/CN=server
verify return:1
---
Certificate chain
 0 s:/C=DE/ST=Hamburg/L=Hamburg/CN=server
   i:/C=DE/ST=Hamburg/L=Hamburg/CN=server
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICoTCCAgqgAwIBAgIJAKyJdj[...]V5jX3MU=
-----END CERTIFICATE-----
subject=/C=DE/ST=Hamburg/L=Hamburg/CN=server
issuer=/C=DE/ST=Hamburg/L=Hamburg/CN=server
---
No client certificate CA names sent
---
SSL handshake has read 817 bytes and written 328 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-SHA
    Session-ID: 32CEF20CB9FE2A71C74D40BB2DB5CB304DA1B57540B7CFDD113915B99DBE9812
    Session-ID-ctx:
    Master-Key: 1E7B502390951124779C5763B5E4BBAF0A9B0693D08DCA8A587B503A5C5027B6FAD9CA7626B1AD8C62219E8502A5C21E
    Key-Arg   : None
    Start Time: 1242985143
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
GET / HTTP/1.0

HTTP/1.1 200 OK
Date: Fri, 22 May 2009 09:39:13 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8a DAV/2
Last-Modified: Thu, 21 May 2009 21:26:30 GMT
ETag: "341f3-2c-46a72cc211a8f"
Accept-Ranges: bytes
Content-Length: 44
Connection: close
Content-Type: text/html

<html><body><h1>It works!</h1></body></html>
read:errno=0

ZFS Encryption

# zfs create -o encryption=on rpool/export/project

Key hierarchy:
    wrapping key (user settable)
    encryption key (random, not user settable)
Where the wrapping key comes from: prompt, file, https, pkcs11

Available algorithms: aes-128-ccm (= on), aes-192-ccm, aes-256-ccm, aes-128-gcm, aes-192-gcm, aes-256-gcm

zfs set checksum=sha256+mac <dataset>
If encryption is not off, something like this happens automatically. This property is read-only from then on.

# pktool genkey keystore=pkcs11 keytype=aes keylen=128 label=mykey
Enter PIN for Sun Software PKCS#11 softtoken:
# zfs create -o encryption=on -o keysource=raw,pkcs11:object=mykey tank/project/C
Enter PKCS#11 token PIN for 'tank/project/C':

# zfs create -o encryption=on -o keysource=raw,https://keys.example.com/mykey tank/project/R
# cp myservercert.pem /etc/certs/CA/
# svcadm refresh ca-certificates

Changing the wrapping key:
$ zfs key -c rpool/export/project
Enter new passphrase for 'rpool/export/project':

Changing the encryption key (for data written from now on):
# zfs key -K tank/project/A
# zfs clone -K tank/project/A@montag tank/project/D
Creates a new data encryption key. Data written in the clone uses the new data encryption key, which is distinct from that of its original snapshot.

Solaris Cryptographic Framework

As soon as Solaris detects hardware acceleration for cryptography, Solaris will use it (and so do applications using the Oracle-supplied OpenSSL library or the direct interfaces):
• on-chip crypto accelerator in T-series and current M-series chips
• instruction set extensions in Intel processors (AES-NI)
• supported crypto accelerator cards

Just a side note: T-series crypto acceleration and Intel x86 acceleration have quite different performance characteristics.
T-series: acceleration by offloading crypto outside the pipeline.
Intel x86: acceleration by offering special in-pipeline instructions that speed up execution.
Sounds like splitting hairs.

Using ZFS to do two-factor encryption

jmoekamp@solaris:~$ rmformat
Looking for devices...
     1. Logical Node: /dev/rdsk/c10t0d0p0
        Physical Node: /pci@0,0/pci8086,265c@b/storage@2/disk@0,0
        Connected Device: SanDisk  U3 Cruzer Micro 8.02
        Device Type: Removable
        Bus: USB
        Size: 3.8 GB
        Label: <None>
        Access permissions: Medium is not write protected.
(...)
     3. Logical Node: /dev/rdsk/c9t0d0p0
        Physical Node: /pci@0,0/pci8086,265c@b/storage@1/disk@0,0
        Connected Device: SanDisk  U3 Cruzer Micro 8.02
        Device Type: Removable
        Bus: USB
        Size: 3.8 GB
        Label: <None>
        Access permissions: Medium is not write protected.

root@solaris:~# zpool create a_keystore_usbstick /dev/dsk/c10t0d0p0
root@solaris:~# zpool create datastick /dev/dsk/c9t0d0p0

root@solaris:~# zfs create -o encryption=on a_keystore_usbstick/keys
Enter passphrase for 'a_keystore_usbstick/keys': supersecret
Enter again: supersecret

root@solaris:~# pktool genkey keystore=file keytype=aes keylen=128 outkey=/a_keystore_usbstick/keys/joergsdatastick.key

root@solaris:~# zfs create -o encryption=on -o keysource=raw,file:///a_keystore_usbstick/keys/joergsdatastick.key datastick/joergssecrets

root@solaris:/datastick/joergssecrets# mv /home/jmoekamp/highlyconfidential_nda_preso.tgz .

root@solaris:~# zpool export a_keystore_usbstick
root@solaris:~# zpool export datastick

root@solaris:~# zpool import a_keystore_usbstick
Enter passphrase for 'a_keystore_usbstick/keys': supersecret
root@solaris:~#

root@solaris:~# zpool import datastick
root@solaris:~# cd /datastick/joergssecrets
root@solaris:/datastick/joergssecrets# ls
highlyconfidential_nda_preso.tgz

Basic Auditing and Reporting Tool

# mkdir /bart-files
# bart create -R /etc > /bart-files/etc.control.manifest

# cat /bart-files/etc.control.manifest | grep nsswitch.nisplus
/nsswitch.nisplus F 2525 100644 user::rw-,group::r--,mask:r--,other:r-- 473976b5 0 3 79e8fd689a5221d1cd059e5077da71b8

# touch /etc/thisisjustatest
# chmod 777 /etc/nsswitch.files
# echo "just a test" >> /etc/nsswitch.nisplus

# bart create -R /etc > /bart-files/etc.check.20130911.manifest

# cd /bart-files
# bart compare etc.control.manifest etc.check.20130911.manifest
/nsswitch.files:
  mode  control:100644  test:100777
  acl  control:user::rw-,group::r--,mask:r--,other:r--  test:user::rwx,group::rwx,mask:rwx,other:rwx
/nsswitch.nisplus:
  size  control:2525  test:2538
  mtime  control:473976b5  test:47a44862
  contents  control:79e8fd689a5221d1cd059e5077da71b8  test:3f79176ec352441db11ec8a3d02ef67c
/thisisjustatest:
  add

Find more information regarding this feature at http://www.c0t0d0s0.org/archives/4069-Less-known-Solaris-features-BART.html

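The comparison bart performs above is easy to reproduce, and doing so shows exactly which manifest fields drive each line of its report. The following is an added example, not the slides' own code: it parses manifests in the layout the slide shows and diffs them the way bart compare does; the entries the slide does not print (the "/" directory, the unchanged fields of nsswitch.files) are made up.

```python
"""The comparison step of bart(1M), re-implemented as an added example (not
the slides' own code).  It reads two manifests in the bart_manifest(4)
layout the slide shows (path type size mode acl mtime uid gid [contents])
and reports per path which attributes differ, using bart's own attribute
names, plus "add"/"delete" for paths present on one side only.  The two
manifests are constructed from the slide's compare output; entries the
slide does not show (the "/" directory, nsswitch.files' unchanged fields)
are made up.
"""
from __future__ import annotations

from dataclasses import dataclass

# Field names following the type column, per entry type.
_FIELDS = {
    "F": ("size", "mode", "acl", "mtime", "uid", "gid", "contents"),
    "D": ("size", "mode", "acl", "mtime", "uid", "gid"),
    "L": ("size", "mode", "acl", "mtime", "uid", "gid", "dest"),
}


@dataclass
class Entry:
    ftype: str
    attrs: dict[str, str]


def parse_manifest(text: str) -> dict[str, Entry]:
    """Map path -> Entry; lines starting with '!' are manifest headers."""
    entries: dict[str, Entry] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        fields = line.split()
        path, ftype, values = fields[0], fields[1], fields[2:]
        names = _FIELDS.get(ftype)
        if names is None or len(values) != len(names):
            raise ValueError(f"malformed manifest line: {line}")
        entries[path] = Entry(ftype, dict(zip(names, values)))
    return entries


def compare(control: dict[str, Entry], test: dict[str, Entry],
            ignore: tuple[str, ...] = ()) -> dict:
    """{path: {attr: (control, test)}} for changed entries, {path: "add"} or
    {path: "delete"} for one-sided ones.  `ignore` plays the role of
    bart's -i option (e.g. ("mtime",) to tolerate timestamp-only changes)."""
    report: dict = {}
    for path in sorted(set(control) | set(test)):
        if path not in control:
            report[path] = "add"
        elif path not in test:
            report[path] = "delete"
        else:
            c, t = control[path], test[path]
            diffs = {}
            if c.ftype != t.ftype:
                diffs["type"] = (c.ftype, t.ftype)
            for attr in c.attrs:
                if attr not in ignore and c.attrs[attr] != t.attrs.get(attr):
                    diffs[attr] = (c.attrs[attr], t.attrs.get(attr, ""))
            if diffs:
                report[path] = diffs
    return report


def format_report(report: dict) -> str:
    """Render the report the way bart compare prints it."""
    lines = []
    for path, change in report.items():
        lines.append(f"{path}:")
        if isinstance(change, str):
            lines.append(f"  {change}")
        else:
            for attr, (c, t) in change.items():
                lines.append(f"  {attr}  control:{c}  test:{t}")
    return "\n".join(lines)


# Constructed manifests (control = before, test = after the slide's changes).
CONTROL = """\
! Version 1.0
! HASH MD5
/ D 1024 40755 user::rwx,group::r-x,mask:r-x,other:r-x 473976b5 0 3
/nsswitch.files F 829 100644 user::rw-,group::r--,mask:r--,other:r-- 473976b5 0 3 a3f2e8c0d1b9a7c6e5d4f3b2a1908f7e
/nsswitch.nisplus F 2525 100644 user::rw-,group::r--,mask:r--,other:r-- 473976b5 0 3 79e8fd689a5221d1cd059e5077da71b8
"""
TEST = """\
! Version 1.0
! HASH MD5
/ D 1024 40755 user::rwx,group::r-x,mask:r-x,other:r-x 473976b5 0 3
/nsswitch.files F 829 100777 user::rwx,group::rwx,mask:rwx,other:rwx 473976b5 0 3 a3f2e8c0d1b9a7c6e5d4f3b2a1908f7e
/nsswitch.nisplus F 2538 100644 user::rw-,group::r--,mask:r--,other:r-- 47a44862 0 3 3f79176ec352441db11ec8a3d02ef67c
/thisisjustatest F 0 100644 user::rw-,group::r--,mask:r--,other:r-- 47a44870 0 0 d41d8cd98f00b204e9800998ecf8427e
"""

if __name__ == "__main__":
    print(format_report(compare(parse_manifest(CONTROL), parse_manifest(TEST))))
```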
Apropos Auditing

Auditing is activated by default.

root@client:~# auditconfig -getflags
active user default audit flags = lo(0x1000,0x1000)
configured user default audit flags = lo(0x1000,0x1000)
root@client:~# auditconfig -getnaflags
active non-attributable audit flags = lo(0x1000,0x1000)
configured non-attributable audit flags = lo(0x1000,0x1000)

root@client:~# auditconfig -getpolicy
configured audit policies = cnt
active audit policies = cnt
Policy regarding auditing (explanation on the next slide)

root@client:~# auditconfig -lspolicy
policy string    description
ahlt             halt machine if it can not record an async event
all              all policies
arge             include exec environment args in audit recs
argv             include exec command line args in audit recs
cnt              when no more space, drop recs and keep a cnt
group            include supplementary groups in audit recs
none             no policies
path             allow multiple paths per event
perzone          use a separate queue and auditd per zone
public           audit public files
seq              include a sequence number in audit recs
trail            include trailer token in audit recs
windata_down     include downgraded window information in audit recs
windata_up       include upgraded window information in audit recs
zonename         include zonename token in audit recs
Which degree of detail? What happens with full disks?

root@client:~# auditconfig -getplugin
Plugin: audit_binfile (active)
        Attributes: p_dir=/var/audit;p_fsize=0;p_minfree=1;
Plugin: audit_syslog (inactive)
        Attributes: p_flags=;
Plugin: audit_remote (inactive)
        Attributes: p_hosts=;p_retries=3;p_timeout=5;

root@client:~# auditconfig -setflags lo,ps,fw
user default audit flags = ps,lo,fw(0x101002,0x101002)
root@client:~# auditconfig -setnaflags lo,na
non-attributable audit flags = lo,na(0x1400,0x1400)
lo and na are the only sensible flags for non-attributable events.

root@client:~# usermod -K audit_flags=fw:as junior

root@client:~# auditconfig -lsevent | grep lo
AUE_login                   6152 lo    login - local
AUE_logout                  6153 lo    logout
AUE_telnet                  6154 lo    login - telnet
AUE_rlogin                  6155 lo    login - rlogin
AUE_rshd                    6158 lo    rsh access
AUE_su                      6159 lo    su
AUE_rexecd                  6162 lo    rexecd
AUE_passwd                  6163 lo    passwd
AUE_rexd                    6164 lo    rexd
AUE_ftpd                    6165 lo    ftp access
AUE_ftpd_logout             6171 lo    ftp logout
AUE_ssh                     6172 lo    login - ssh
AUE_role_login              6173 lo    role login
AUE_rad_login               6174 lo    connect to RAD
AUE_newgrp_login            6212 lo    newgrp login
AUE_admin_authenticate      6213 lo    admin login
AUE_screenlock              6221 lo    screenlock - lock
AUE_screenunlock            6222 lo    screenlock - unlock
AUE_zlogin                  6227 lo    login - zlogin
AUE_su_logout               6228 lo    su logout
AUE_role_logout             6229 lo    role logout
AUE_smbd_session            6244 lo    smbd(1m) session setup
AUE_smbd_logoff             6245 lo    smbd(1m) session logoff

root@client:~# auditconfig -lsevent | grep ps
AUE_EXIT                       1 ps    exit(2)
AUE_FORKALL                    2 ps    forkall(2)
AUE_VFORK                     25 ps    vfork(2)
AUE_FORK1                    241 ps    fork1(2)
root@client:~# auditconfig -lsevent | grep fw
AUE_OPEN_W                    76 fw    open(2) - write

# auditreduce -c ps /var/audit/20130912183630.not_terminated.client | praudit
header,139,2,execve(2),,client,2013-09-12 18:40:55.924 +00:00
path,/usr/sbin/auditreduce
attribute,100555,root,bin,65538,65875,18446744073709551615
subject,jmoekamp,root,root,root,root,2054,1440080956,2480 202240 192.168.10.1
return,success,0

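The praudit record above carries the one thing a process listing cannot give you: the login user (jmoekamp) behind a command executed with effective uid root. As an added example that is not part of the slides, the parser below turns praudit's token lines into records and extracts exactly that attribution; the sample trail is constructed from the slide's output with a second, unprivileged record added for contrast.

```python
"""Parser for the praudit(1M) text output on the slide, as an added example
(not the slides' own code).  praudit prints one token per line with
comma-separated fields; a record runs from a header token to its return
token.  The parser collects the fields needed to attribute an action, then
a small query answers what the trail is kept for: which login user ran which
program under which effective uid.  The sample is constructed from the
slide's auditreduce | praudit output, with a second record added for contrast.
"""
from __future__ import annotations

from dataclasses import dataclass, field

SAMPLE = """\
header,139,2,execve(2),,client,2013-09-12 18:40:55.924 +00:00
path,/usr/sbin/auditreduce
attribute,100555,root,bin,65538,65875,18446744073709551615
subject,jmoekamp,root,root,root,root,2054,1440080956,2480 202240 192.168.10.1
return,success,0
header,118,2,execve(2),,client,2013-09-12 18:41:02.101 +00:00
path,/usr/bin/ls
attribute,100555,root,bin,65538,65421,18446744073709551615
subject,junior,junior,staff,junior,staff,2061,1440080957,2481 202240 192.168.10.1
return,success,0
"""


@dataclass
class AuditRecord:
    event: str                    # e.g. "execve(2)"
    host: str
    time: str
    paths: list[str] = field(default_factory=list)
    audit_user: str = ""          # who logged in (survives su / role assumption)
    euid: str = ""
    ruid: str = ""
    pid: str = ""
    terminal: str = ""
    status: str = ""
    retval: str = ""


def parse_praudit(text: str) -> list[AuditRecord]:
    records: list[AuditRecord] = []
    cur: AuditRecord | None = None
    for line in text.splitlines():
        if not line.strip():
            continue
        f = line.split(",")
        if f[0] == "header":
            # header,length,version,event,modifier,machine,time
            cur = AuditRecord(event=f[3], host=f[5], time=f[6])
            records.append(cur)
        elif cur is None:
            raise ValueError(f"token before any header: {line}")
        elif f[0] == "path":
            cur.paths.append(f[1])
        elif f[0] == "subject":
            # subject,audit-user,euid,egid,ruid,rgid,pid,session-id,terminal
            if len(f) < 9:
                raise ValueError(f"short subject token: {line}")
            cur.audit_user, cur.euid, cur.ruid = f[1], f[2], f[4]
            cur.pid, cur.terminal = f[6], f[8]
        elif f[0] == "return":
            cur.status, cur.retval = f[1], f[2]
        # attribute, argv, exec_env and other tokens are not needed here
    return records


def execs_under_other_uid(records: list[AuditRecord]) -> list[tuple[str, str, str]]:
    """(audit user, program, euid) for successful execve records whose
    effective uid is not the login user: commands run after su or a role
    assumption.  ps(1) would only show uid root for these; the audit-user
    field is what ties them back to the person."""
    found = []
    for r in records:
        if (r.event.startswith("execve") and r.status == "success"
                and r.paths and r.audit_user and r.audit_user != r.euid):
            found.append((r.audit_user, r.paths[0], r.euid))
    return found


if __name__ == "__main__":
    for user, prog, uid in execs_under_other_uid(parse_praudit(SAMPLE)):
        print(f"{user} ran {prog} as {uid}")
```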
root@client:~# auditconfig -setflags all
user default audit flags = all(0xffffffffffffffff,0xffffffffffffffff)
Not always (in the sense of never) a good idea.
Useful after trying out: starting a new audit file
root@client:~# audit -n

root@client:~# auditstat
  gen nona kern  aud  ctl   enq  wrtn wblk rblk drop  tot mem
38248    1 38233   14    0 37791 37788    0 3491  457 5169   0
all activated for a few seconds on an unloaded system

SSH and X509

root@ca:~# CA.pl -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
......++++++
......++++++
writing new private key to '/etc/openssl/private/cakey.pem'
Enter PEM pass phrase: supersecret1
Verifying - Enter PEM pass phrase: supersecret1
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:DE
State or Province Name (full name) []:Lower Saxony
Locality Name (eg, city) []:Lueneburg
Organization Name (eg, company) []:c0t0d0s0.org
Organizational Unit Name (eg, section) []:Security Department
Common Name (eg, server FQDN or YOUR name) []:CA
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openssl/openssl.cnf
Enter pass phrase for /etc/openssl/private/cakey.pem: supersecret1
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            b3:54:80:88:66:ad:e8:78
        Validity
            Not Before: Sep 26 10:11:09 2013 GMT
            Not After : Sep 25 10:11:09 2016 GMT
        Subject:
            countryName               = DE
            stateOrProvinceName       = Lower Saxony
            organizationName          = c0t0d0s0.org
            organizationalUnitName    = Security Department
            commonName                = CA
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44
            X509v3 Authority Key Identifier:
                keyid:5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44

            X509v3 Basic Constraints:
                CA:TRUE
Certificate is to be certified until Sep 25 10:11:09 2016 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated

root@ca:~# mkdir server
root@ca:~# cd server
root@ca:~/server# CA.pl -newreq
Generating a 1024 bit RSA private key
......++++++
......++++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase: supersecret2
Verifying - Enter PEM pass phrase: supersecret2
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:DE
State or Province Name (full name) []:Lower Saxony
Locality Name (eg, city) []:Lueneburg
Organization Name (eg, company) []:c0t0d0s0.org
Organizational Unit Name (eg, section) []:Server Certificates
Common Name (eg, server FQDN or YOUR name) []:server
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem

root@ca:~/server# CA.pl -signreq
Using configuration from /etc/openssl/openssl.cnf
Enter pass phrase for /etc/openssl/private/cakey.pem: supersecret1
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            b3:54:80:88:66:ad:e8:79
        Validity
            Not Before: Sep 26 10:29:12 2013 GMT
            Not After : Sep 26 10:29:12 2014 GMT
        Subject:
            countryName               = DE
            stateOrProvinceName       = Lower Saxony
            localityName              = Lueneburg
            organizationName          = c0t0d0s0.org
            organizationalUnitName    = Server Certificates
            commonName                = server
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                A7:DC:03:DE:B3:D5:FB:F9:C0:06:F1:1A:55:A9:AD:04:C4:9C:10:FA
            X509v3 Authority Key Identifier:
                keyid:5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44

Certificate is to be certified until Sep 26 10:29:12 2014 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
root@ca:~/server# ls -l
total 15
-rw-r--r--   1 root     root        3196 Sep 26 12:29 newcert.pem
-rw-r--r--   1 root     root        1041 Sep 26 12:28 newkey.pem
-rw-r--r--   1 root     root         680 Sep 26 12:28 newreq.pem

root@ca:~/junior# CA.pl -newreq
Generating a 1024 bit RSA private key
......++++++
......++++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
Verify failure
Enter PEM pass phrase: supersecret3
Verifying - Enter PEM pass phrase: supersecret3
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:DE
State or Province Name (full name) []:Lower Saxony
Locality Name (eg, city) []:Lueneburg
Organization Name (eg, company) []:c0t0d0s0.org
Organizational Unit Name (eg, section) []:User certificates
Common Name (eg, server FQDN or YOUR name) []:junior
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem

root@ca:~/junior# CA.pl -signreq
Using configuration from /etc/openssl/openssl.cnf
Enter pass phrase for /etc/openssl/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            b3:54:80:88:66:ad:e8:7a
        Validity
            Not Before: Sep 26 11:09:29 2013 GMT
            Not After : Sep 26 11:09:29 2014 GMT
        Subject:
            countryName               = DE
            stateOrProvinceName       = Lower Saxony
            localityName              = Lueneburg
            organizationName          = c0t0d0s0.org
            organizationalUnitName    = User certificates
            commonName                = junior
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                A1:F2:FC:9D:8A:E2:AD:9A:F5:29:03:F5:B7:14:93:3C:64:62:8E:9C
            X509v3 Authority Key Identifier:
                keyid:5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44

Certificate is to be certified until Sep 26 11:09:29 2014 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem

root@server:~# useradd -m junior
80 blocks
root@server:~# passwd junior
New Password:
Re-enter new Password:
passwd: password successfully changed for junior
root@server:~#

root@client:~# useradd -m junior
80 blocks
root@client:~# passwd junior
New Password:
Re-enter new Password:
passwd: password successfully changed for junior

root@server:~# echo "192.168.10.51 server" >> /etc/hosts
root@server:~# echo "192.168.10.52 client" >> /etc/hosts

root@client:~# echo "192.168.10.51 server" >> /etc/hosts
root@client:~# echo "192.168.10.52 client" >> /etc/hosts

root@ca:~/server# scp /etc/openssl/cacert.pem jmoekamp@192.168.1.109:/export/home/jmoekamp/
Password:
cacert.pem           100% |*****************************|  3011       00:00
root@ca:~/server# scp newcert.pem jmoekamp@192.168.1.109:/export/home/jmoekamp/
Password:
newcert.pem          100% |*****************************|  3196       00:00
root@ca:~/server# scp newkey.pem jmoekamp@192.168.1.109:/export/home/jmoekamp/
Password:
newkey.pem           100% |*****************************|  1041       00:00

root@ca:~/junior# scp newkey.pem junior@client:/export/home/junior/
Password:
newkey.pem           100% |*****************************|  1041       00:00
root@ca:~/junior# scp newcert.pem junior@client:/export/home/junior/
Password:
newcert.pem          100% |*****************************|  3190       00:00
root@ca:~/junior# scp /etc/openssl/cacert.pem junior@192.168.1.104:/export/home/junior/
Password:
cacert.pem           100% |*****************************|  3011       00:00

On the Server

root@server:~# ls
cacert.pem   newc,
ert.pem  newkey.pem

root@server:~# pktool setpin
Enter token passphrase: changeme
Create new passphrase: superserversecret
Re-enter new passphrase: superserversecret
Passphrase changed.
root@server:~#

root@server:~# printf "superserversecret" > /etc/ssh/pinfile

root@server:~# kmfcfg create dbfile=/etc/ssh/policy.xml policy=ssh ta-name=search mapper-name=cn

root@server:~# echo "TrustedAnchorKeystore /etc/ssh/cert" >> /etc/ssh/sshd_config
root@server:~# echo "KMFPolicyDatabase /etc/ssh/policy.xml" >> /etc/ssh/sshd_config
root@server:~# echo "KMFPolicyName ssh" >> /etc/ssh/sshd_config
root@server:~# echo "HostKey pkcs11:object=host;token=Sun Metaslot;pinfile=/etc/ssh/pinfile" >> /etc/ssh/sshd_config

root@server:~# pktool import keystore=pkcs11 infile=newkey.pem objtype=key label=host
Enter PIN for Sun Software PKCS#11 softtoken: superserversecret
Enter PEM pass phrase: supersecret2
Importing 1 keys

root@server:~# egrep -v "^ |^$|^Cert" /export/home/jmoekamp/cacert.pem > /etc/ssh/cert/cacert.cooked.pem
root@server:~# egrep -v "^ |^$|^Cert" newcert.pem > newcert.cooked.pem
root@server:~# pktool import keystore=pkcs11 infile=newcert.cooked.pem objtype=cert label=host
root@server:~#

On the client
c0t0d0s0org151
juniorclient~$ ls pemcacertpem newcertpem newkeypem
c0t0d0s0org152
rootclient~ kmfcfg create dbfile=etcsshpolicyxml policy=ssh ta-name=search mapper-name=cnrootclient~ egrep -v ^ |^$|^Cert exporthomejuniorcacertpem gt etcsshcertcacertcookedpem
c0t0d0s0org153
juniorclient~$ pktool setpinEnter token passphrase changemeCreate new passphrase superusersecretRe-enter new passphrase superusersecretPassphrase changed
c0t0d0s0org154
juniorclient~$ pktool import keystore=pkcs11 infile=newkeypem objtype=key label=userEnter PIN for Sun Software PKCS11 softtoken superusersecretEnter PEM pass phrase supersecret3Importing 1 keysjuniorclient~$ egrep -v ^ |^$|^Cert newcertpem gt newcertcookedpemjuniorclient~$ pktool import keystore=pkcs11 infile=newcertcookedpem objtype=cert label=user
c0t0d0s0org155
Testing it
c0t0d0s0org156
rootserver~ svcadm disable sshrootserver~ svcadm enable ssh
c0t0d0s0org157
juniorclient~$ cd sshjuniorclient~ssh$ printf superusersecret gtgt pinfilejuniorclient~ssh$ cat configHost server-x509 Hostname server TrustedAnchorKeystore etcsshcert KMFPolicyDatabase etcsshpolicyxml KMFPolicyName ssh IdentityFile pkcs11object=usertoken=Sun Software PKCS11 softtokenpinfile=exporthomejuniorsshpinfile
c0t0d0s0org158
juniorclient~ssh$ ssh juniorserver-x509Last login Thu Sep 26 200714 2013 from clientOracle Corporation SunOS 511 111 September 2013juniorserver~$
c0t0d0s0org159
Find more information regarding this feature athttpwwwc0t0d0s0orgarchives7659-Using-X509-support-for-SSH-on-Solaris-111html
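Two helpers that go with the procedure above, added here as an example and not part of the original slides: a more robust version of the "cooking" step (the slides use egrep -v "^ |^$|^Cert", which only works because openssl indents every line of its text dump) and the permission check on the pinfile that holds the token PIN in clear text. The certificate text and the PIN in make_sample_dir are constructed for the demo; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original slides. Works on any POSIX system.

# Print only the armored block(s) of TYPE (default CERTIFICATE) from FILE.
# "openssl x509 -text" writes a human-readable dump before the armor;
# matching the BEGIN/END lines keeps exactly what pktool import expects.
cook_pem() {
    _type=${2:-CERTIFICATE}
    sed -n "/^-----BEGIN ${_type}-----\$/,/^-----END ${_type}-----\$/p" "$1"
}

# Return 0 when FILE exists and carries no group or other read bit.
# The PIN is stored in clear text, so anything more open is a finding.
pinfile_is_private() {
    [ -f "$1" ] || return 1
    [ -z "$(find "$1" -perm -040 -o -perm -004)" ]
}

# Create a scratch directory holding a constructed newcert.pem (text dump
# followed by a fake, non-parsable armored block) and a pinfile written the
# way the slides do it; print the directory name.
make_sample_dir() {
    _d=$(mktemp -d)
    cat > "$_d/newcert.pem" <<'EOF'
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4660 (0x1234)
    Signature Algorithm: sha256WithRSAEncryption

-----BEGIN CERTIFICATE-----
MIIBszCCAVmgAwIBAgIJAKyJdjU3Y29uc3RydWN0ZWQ=
-----END CERTIFICATE-----
EOF
    # default umask 022 leaves this world-readable, as on the slide
    printf 'superusersecret' > "$_d/pinfile"
    printf '%s\n' "$_d"
}

d=$(make_sample_dir)
cook_pem "$d/newcert.pem"                 # only the three armor lines survive
if pinfile_is_private "$d/pinfile"; then
    echo "pinfile ok"
else
    echo "pinfile is readable by others: chmod 600 it before use"
fi
chmod 600 "$d/pinfile"
pinfile_is_private "$d/pinfile" && echo "pinfile ok after chmod 600"
rm -rf "$d"
```

cook_pem takes the block type as second argument, so the same function extracts "RSA PRIVATE KEY" blocks from a file that carries both a certificate and a key.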
OpenSCAP

"The Security Content Automation Protocol (SCAP) is a method for using specific standards to enable automated vulnerability management, measurement, and policy compliance evaluation (e.g., FISMA compliance). The National Vulnerability Database (NVD) is the U.S. government content repository for SCAP."
http://en.wikipedia.org/wiki/Security_Content_Automation_Protocol

ftp-banner.xml

<?xml version="1.0" encoding="UTF-8"?>
<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5"
    xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5"
    xmlns:independent-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"
    xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd">
  <generator>
    <oval:product_name>Enhanced SCAP Editor</oval:product_name>
    <oval:product_version>0.0.11</oval:product_version>
    <oval:schema_version>5.8</oval:schema_version>
    <oval:timestamp>2012-10-11T10:33:25</oval:timestamp>
  </generator>
  <!--generated.oval.base.identifier=com.oracle.solaris11-->
  <definitions>
    <definition id="oval:com.oracle.solaris11:def:840" version="1" class="compliance">
      <metadata>
        <title>Enable a Warning Banner for the FTP Service</title>
        <affected family="unix">
          <platform>Oracle Solaris 11</platform>
        </affected>
        <description>/etc/proftpd.conf contains DisplayConnect /etc/issue</description>
      </metadata>
      <criteria operator="AND" negate="false" comment="Single test">
        <criterion comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;" test_ref="oval:com.oracle.solaris11:tst:8400" negate="false"/>
      </criteria>
    </definition>
  </definitions>
  <tests>
    <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:com.oracle.solaris11:tst:8400" version="1" check="all" comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;" check_existence="all_exist">
      <object object_ref="oval:com.oracle.solaris11:obj:8400"/>
    </textfilecontent54_test>
  </tests>
  <objects>
    <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:com.oracle.solaris11:obj:8400" version="1" comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;">
      <path datatype="string" operation="equals">/etc</path>
      <filename datatype="string" operation="equals">proftpd.conf</filename>
      <pattern datatype="string" operation="pattern match">^DisplayConnect\s/etc/issue\s*$</pattern>
      <instance datatype="int" operation="greater than or equal">1</instance>
    </textfilecontent54_object>
  </objects>
</oval_definitions>

The object is the part doing the work: it selects /etc/proftpd.conf, applies the regular expression line by line, and the test passes when at least one matching line (instance >= 1) exists.

$ oscap oval eval ftp-banner.xml
Definition oval:com.oracle.solaris11:def:840: false
Evaluation done.

$ oscap oval eval --results results.xml --report report.html ftp-banner.xml
Definition oval:com.oracle.solaris11:def:840: false
Evaluation done.
OVAL Results are exported correctly.

"false" here means the system does not comply: the DisplayConnect directive is missing from /etc/proftpd.conf on the demo box.

To create your own OVAL files: Enhanced SCAP Content Editor

Find more information regarding this feature at https://blogs.oracle.com/darren/entry/compliance_reporting_with_scap
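What the textfilecontent54_test above actually evaluates, written out in plain sh so the semantics can be tried without oscap. This is an added example, not code from the slides or from OpenSCAP: the OVAL pattern uses Perl-style \s, which becomes [[:space:]] in POSIX ERE, and the three proftpd.conf variants built by make_proftpd_dir are constructed for the demo. The function names are my own.

```shell
#!/bin/sh
# Added example, not from the original slides or from OpenSCAP.

# Emulate a textfilecontent54_object plus the "instance >= MIN" check:
# count the lines of DIR/FILENAME matching ERE and compare with MIN.
# Prints "true" or "false" like "oscap oval eval" and returns 0 for true.
textfilecontent54() {
    _dir=$1 _file=$2 _ere=$3 _min=${4:-1}
    _n=$(grep -cE -- "$_ere" "$_dir/$_file" 2>/dev/null || true)
    _n=${_n:-0}
    if [ "$_n" -ge "$_min" ]; then echo true; return 0; fi
    echo false; return 1
}

# The pattern from ftp-banner.xml, translated to POSIX ERE.
FTP_BANNER_ERE='^DisplayConnect[[:space:]]/etc/issue[[:space:]]*$'

# oval:com.oracle.solaris11:def:840 evaluated against a given directory
# that plays the role of /etc.
check_ftp_banner() {
    textfilecontent54 "$1" proftpd.conf "$FTP_BANNER_ERE" 1
}

# Build a scratch directory with a constructed proftpd.conf; the argument
# selects the variant: "set" (compliant), "commented" (directive present
# but commented out, which must not count) or "missing".
make_proftpd_dir() {
    _d=$(mktemp -d)
    {
        echo 'ServerName "FTP"'
        echo 'Port 21'
        case ${1:-missing} in
            set)       echo 'DisplayConnect /etc/issue' ;;
            commented) echo '#DisplayConnect /etc/issue' ;;
        esac
    } > "$_d/proftpd.conf"
    printf '%s\n' "$_d"
}

for variant in set commented missing; do
    d=$(make_proftpd_dir "$variant")
    printf 'Definition oval:com.oracle.solaris11:def:840 (%s): ' "$variant"
    check_ftp_banner "$d" || true
    rm -rf "$d"
done
```

The anchored ^ in the pattern is what keeps a commented-out directive from satisfying the check; a missing file counts as zero instances, so it evaluates to false as well.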
Sandboxing applications on Solaris 11.1

root@solaris:~# profiles -p "MySQL Service"
MySQL Service> set desc="Locking down the MySQL Service"
MySQL Service> add cmd=/lib/svc/method/mysql_51
MySQL Service:mysql_51> set privs=basic
MySQL Service:mysql_51> add privs={net_privaddr}:3306/tcp
MySQL Service:mysql_51> add privs={file_write}:/var/mysql/5.1/data/*
MySQL Service:mysql_51> add privs={file_write}:/tmp/mysql.sock
MySQL Service:mysql_51> add privs={file_write}:/var/tmp/ib*
MySQL Service:mysql_51> end
MySQL Service> set uid=mysql
MySQL Service> set gid=mysql
MySQL Service> exit
root@solaris:~#

root@solaris:~# svccfg -s mysql:version_51
svc:/application/database/mysql:version_51> setprop method_context/profile="MySQL Service"
svc:/application/database/mysql:version_51> setprop method_context/use_profile=true
svc:/application/database/mysql:version_51> refresh
svc:/application/database/mysql:version_51> exit

root@solaris:~# ipadm set-prop -p extra_priv_ports+=3306 tcp
root@solaris:~# ipadm show-prop -p extra_priv_ports tcp
PROTO PROPERTY         PERM CURRENT        PERSISTENT DEFAULT   POSSIBLE
tcp   extra_priv_ports rw   2049,4045,3306 --         2049,4045 1-65535

Making 3306 a privileged port is what gives the {net_privaddr}:3306/tcp entry its teeth: without it any process may bind 3306 anyway, and the extended policy would restrict nothing.

svcadm enable mysql:version_51

root@solaris:~# ppriv $(pgrep mysql)
103697: /usr/mysql/5.1/bin/mysqld --basedir=/usr/mysql/5.1 --datadir=/var/mysq
flags = PRIV_XPOLICY
        Extended policies:
                {net_privaddr}:3306/tcp
                {file_write}:/var/mysql/5.1/data/*
                {file_write}:/tmp/mysql.sock
                {file_write}:/var/tmp/ib*
        E: basic,!file_write
        I: basic,!file_write
        P: basic,!file_write
        L: all
103609: /bin/sh /usr/mysql/5.1/bin/mysqld_safe --user=mysql --datadir=/var/mys
flags = PRIV_XPOLICY
        Extended policies:
                {net_privaddr}:3306/tcp
                {file_write}:/var/mysql/5.1/data/*
                {file_write}:/tmp/mysql.sock
                {file_write}:/var/tmp/ib*
        E: basic,!file_write
        I: basic,!file_write
        P: basic,!file_write
        L: all

file_write has been taken out of the basic set and is handed back only for the listed paths; everything else mysqld may read but not write.

Find more information regarding this feature at https://blogs.oracle.com/gfaden/entry/oracle_solaris_extended_policy_and
Passwords

root@client:/etc/security# cat /etc/security/crypt.conf
#
# Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
#ident  "%Z%%M% %I%     %E% SMI"
#
# The algorithm name __unix__ is reserved.
#
1       crypt_bsdmd5.so.1
2a      crypt_bsdbf.so.1
md5     crypt_sunmd5.so.1
5       crypt_sha256.so.1
6       crypt_sha512.so.1

root@client:/etc/security# cat /etc/security/policy.conf | egrep ^CRYPT_DEFAULT
CRYPT_DEFAULT=5
root@client:/etc/security# cat /etc/shadow | grep junior
junior:$5$4aKvDFqA$2kL8GpuXjrdf8XpanqhylEP5lDhy1DF5uo1ZYx74f3159291440

CRYPT_DEFAULT=5 selects crypt_sha256 (the $5$ prefix in the shadow entry); 6 would select SHA-512.

root@client:/etc/security# cat /etc/default/passwd | grep -v "^# " | egrep -v "^$|^#$"
#ident  "%Z%%M% %I%     %E% SMI"
MAXWEEKS=
MINWEEKS=
PASSLENGTH=6
NAMECHECK=NO
HISTORY=0
MINDIFF=3
MINALPHA=2
MINNONALPHA=1
MINUPPER=0
MINLOWER=0
MAXREPEATS=0
MINSPECIAL=0
MINDIGIT=0
WHITESPACE=YES
DICTIONLIST=
DICTIONDBDIR=/var/passwd

These are the shipped defaults: six characters, no history, no dictionary. The dictionary check only bites once the database has been built:

root@client:~# mkpwdict -s /usr/share/lib/dict/words
mkpwdict: using default database location: /var/passwd.

or

root@client:~# mkpwdict -s /usr/share/lib/dict/words -d /var/passwd
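The counting rules of /etc/default/passwd re-implemented in plain sh, added here as an example (not code from the slides or from Solaris) so that a proposed setting can be tried against candidate passwords before it goes live. The thresholds are the defaults from the slide; HISTORY, MINDIFF (distance to the previous password) and the DICTIONLIST lookup are out of scope, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original slides or from Solaris.
# Values as shipped in /etc/default/passwd on the slide.
PASSLENGTH=6  MINALPHA=2  MINNONALPHA=1  MINUPPER=0  MINLOWER=0
MINDIGIT=0    MINSPECIAL=0  MAXREPEATS=0  WHITESPACE=YES

# Number of characters of $1 that fall into the tr(1) class $2.
count_class() { printf '%s' "$1" | tr -cd "$2" | wc -c | tr -d ' '; }

# Longest run of one character repeated consecutively, counted the way
# passwd(1) describes MAXREPEATS: "aab" -> 1, "aaab" -> 2, "abab" -> 0.
max_repeats() {
    printf '%s\n' "$1" | awk '{
        max = 0; run = 0; prev = ""
        for (i = 1; i <= length($0); i++) {
            ch = substr($0, i, 1)
            if (ch == prev) run++; else run = 0
            if (run > max) max = run
            prev = ch
        }
        print max
    }'
}

# Check one candidate: print each violated rule, return 0 if none.
pw_check() {
    _pw=$1 _rc=0
    _len=$(printf '%s' "$_pw" | wc -c | tr -d ' ')
    _alpha=$(count_class "$_pw" '[:alpha:]')
    _alnum=$(count_class "$_pw" '[:alnum:]')
    _fail() { echo "$1"; _rc=1; }
    [ "$_len" -ge "$PASSLENGTH" ]                            || _fail "PASSLENGTH: $_len < $PASSLENGTH"
    [ "$_alpha" -ge "$MINALPHA" ]                            || _fail "MINALPHA: $_alpha < $MINALPHA"
    [ $((_len - _alpha)) -ge "$MINNONALPHA" ]                || _fail "MINNONALPHA"
    [ "$(count_class "$_pw" '[:upper:]')" -ge "$MINUPPER" ]  || _fail "MINUPPER"
    [ "$(count_class "$_pw" '[:lower:]')" -ge "$MINLOWER" ]  || _fail "MINLOWER"
    [ "$(count_class "$_pw" '[:digit:]')" -ge "$MINDIGIT" ]  || _fail "MINDIGIT"
    [ $((_len - _alnum)) -ge "$MINSPECIAL" ]                 || _fail "MINSPECIAL"
    # MAXREPEATS=0 means "no limit", as documented for /etc/default/passwd
    if [ "$MAXREPEATS" -gt 0 ]; then
        [ "$(max_repeats "$_pw")" -le "$MAXREPEATS" ]        || _fail "MAXREPEATS"
    fi
    if [ "$WHITESPACE" != YES ]; then
        [ "$(count_class "$_pw" '[:space:]')" -eq 0 ]        || _fail "WHITESPACE"
    fi
    return $_rc
}

for p in 'abcde1' 'abcdef' 'Ab1!' 'aaaa1b'; do
    if pw_check "$p" >/dev/null; then echo "$p: ok"; else echo "$p: rejected"; fi
done
```

Note that "abcdef" is rejected by MINNONALPHA, not by PASSLENGTH, and that "aaaa1b" passes with the defaults because MAXREPEATS=0 disables the repeat check.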
Address Space Layout Randomization

root@solaris:~# sxadm exec -s aslr=disable /usr/bin/pmap self
1914:   /usr/bin/pmap self
0000000000400000      28K r-x--  /usr/bin/pmap
0000000000417000       4K rw---  /usr/bin/pmap
0000000000418000      40K rw---    [ heap ]
FFFF80FFBDDD0000     216K r-x--  /lib/amd64/libproc.so.1
FFFF80FFBDE16000       8K rw---  /lib/amd64/libproc.so.1
FFFF80FFBF430000    1764K r-x--  /lib/amd64/libc.so.1
FFFF80FFBF5F9000      64K rw---  /lib/amd64/libc.so.1
FFFF80FFBF609000      12K rw---  /lib/amd64/libc.so.1
FFFF80FFBF740000       4K rw---    [ anon ]
FFFF80FFBF750000      24K rwx--    [ anon ]
FFFF80FFBF760000       4K rw---    [ anon ]
FFFF80FFBF770000       4K rw---    [ anon ]
FFFF80FFBF780000       4K rw---    [ anon ]
FFFF80FFBF790000       4K rw---    [ anon ]
FFFF80FFBF792000       4K r--s-    [ anon ]
FFFF80FFBF795000     340K r-x--  /lib/amd64/ld.so.1
FFFF80FFBF7FA000      12K rwx--  /lib/amd64/ld.so.1
FFFF80FFBF7FD000       8K rwx--  /lib/amd64/ld.so.1
FFFF80FFBFFFD000      12K rw---    [ stack ]
 total            2556K

root@solaris:~# sxadm exec -s aslr=disable /usr/bin/pmap self
1915:   /usr/bin/pmap self
0000000000400000      28K r-x--  /usr/bin/pmap
0000000000417000       4K rw---  /usr/bin/pmap
0000000000418000      40K rw---    [ heap ]
FFFF80FFBDDD0000     216K r-x--  /lib/amd64/libproc.so.1
FFFF80FFBDE16000       8K rw---  /lib/amd64/libproc.so.1
FFFF80FFBF430000    1764K r-x--  /lib/amd64/libc.so.1
FFFF80FFBF5F9000      64K rw---  /lib/amd64/libc.so.1
FFFF80FFBF609000      12K rw---  /lib/amd64/libc.so.1
FFFF80FFBF740000       4K rw---    [ anon ]
FFFF80FFBF750000      24K rwx--    [ anon ]
FFFF80FFBF760000       4K rw---    [ anon ]
FFFF80FFBF770000       4K rw---    [ anon ]
FFFF80FFBF780000       4K rw---    [ anon ]
FFFF80FFBF790000       4K rw---    [ anon ]
FFFF80FFBF792000       4K r--s-    [ anon ]
FFFF80FFBF795000     340K r-x--  /lib/amd64/ld.so.1
FFFF80FFBF7FA000      12K rwx--  /lib/amd64/ld.so.1
FFFF80FFBF7FD000       8K rwx--  /lib/amd64/ld.so.1
FFFF80FFBFFFD000      12K rw---    [ stack ]
 total            2556K

Two runs with ASLR disabled: identical maps.

root@solaris:~# sxadm exec -s aslr=enable /usr/bin/pmap self
1917:   /usr/bin/pmap self
0000000000400000      28K r-x--  /usr/bin/pmap
0000000000417000       4K rw---  /usr/bin/pmap
0000000000418000       8K rw---  /usr/bin/pmap
00000005D6666000      36K rw---    [ heap ]
00007FF669C70000     216K r-x--  /lib/amd64/libproc.so.1
00007FF669CB6000       8K rw---  /lib/amd64/libproc.so.1
00007FF669CC0000       4K rw---    [ anon ]
00007FF669CD0000      24K rwx--    [ anon ]
00007FF669CE0000       4K rw---    [ anon ]
00007FF669CF0000    1764K r-x--  /lib/amd64/libc.so.1
00007FF669EB9000      64K rw---  /lib/amd64/libc.so.1
00007FF669EC9000      12K rw---  /lib/amd64/libc.so.1
00007FF669ED0000       4K rw---    [ anon ]
00007FF669EE0000       4K rw---    [ anon ]
00007FF669EF0000       4K rw---    [ anon ]
00007FF669EF2000       4K r--s-    [ anon ]
00007FF669EFC000     340K r-x--  /lib/amd64/ld.so.1
00007FF669F61000      12K rwx--  /lib/amd64/ld.so.1
00007FF669F64000       8K rwx--  /lib/amd64/ld.so.1
FFFF80DDA254F000      16K rw---    [ stack ]
 total            2564K

root@solaris:~# sxadm exec -s aslr=enable /usr/bin/pmap self
1918:   /usr/bin/pmap self
0000000000400000      28K r-x--  /usr/bin/pmap
0000000000417000       4K rw---  /usr/bin/pmap
0000000000418000       8K rw---  /usr/bin/pmap
000000065B76D000      36K rw---    [ heap ]
00007FFAACFC0000     216K r-x--  /lib/amd64/libproc.so.1
00007FFAAD006000       8K rw---  /lib/amd64/libproc.so.1
00007FFAAD010000       4K rw---    [ anon ]
00007FFAAD020000      24K rwx--    [ anon ]
00007FFAAD030000       4K rw---    [ anon ]
00007FFAAD040000    1764K r-x--  /lib/amd64/libc.so.1
00007FFAAD209000      64K rw---  /lib/amd64/libc.so.1
00007FFAAD219000      12K rw---  /lib/amd64/libc.so.1
00007FFAAD220000       4K rw---    [ anon ]
00007FFAAD230000       4K rw---    [ anon ]
00007FFAAD240000       4K rw---    [ anon ]
00007FFAAD242000       4K r--s-    [ anon ]
00007FFAAD24D000     340K r-x--  /lib/amd64/ld.so.1
00007FFAAD2B2000      12K rwx--  /lib/amd64/ld.so.1
00007FFAAD2B5000       8K rwx--  /lib/amd64/ld.so.1
FFFF80DE1559E000      12K rw---    [ stack ]

Two runs with ASLR enabled: heap, shared libraries and stack land somewhere else each time. The pmap executable itself stays at 0x400000 in all four runs, because it is linked at a fixed address; for such a binary only the heap, the shared objects and the stack are randomized.

root@solaris:~# sxadm info
EXTENSION           STATUS                    CONFIGURATION
aslr                enabled (tagged-files)    system default (default)

root@solaris:~# elfdump -d /usr/bin/pmap | grep ASLR
      [33]  SUNW_ASLR         0x2                 ENABLE
root@solaris:~# elfedit -e 'dyn:sunw_aslr disable' /usr/bin/pmap
root@solaris:~# elfdump -d /usr/bin/pmap | grep ASLR
      [33]  SUNW_ASLR         0x1                 DISABLE

The default model is tagged-files: only binaries carrying a SUNW_ASLR ENABLE dynamic tag get randomized. elfedit sets or clears that tag per binary; sxadm switches the system-wide model.

root@solaris:~# sxadm enable -c model=all aslr
root@solaris:~# sxadm info
EXTENSION           STATUS                    CONFIGURATION
aslr                enabled (all)             enabled (all)

root@solaris:~# sxadm disable aslr
root@solaris:~# sxadm info
EXTENSION           STATUS                    CONFIGURATION
aslr                disabled                  disabled

root@solaris:~# sxadm enable -c model=tagged-files aslr
root@solaris:~# sxadm info
EXTENSION           STATUS                    CONFIGURATION
aslr                enabled (tagged-files)    enabled (tagged-files)
pfedit

root@template:/etc/apache2/2.2# profiles -p "httpd edit"
profiles:httpd edit> set auths=solaris.admin.edit/etc/apache2/2.2/httpd.conf
profiles:httpd edit> set desc="Edit httpd"
profiles:httpd edit> exit

root@template:/etc/apache2/2.2# usermod -P +"httpd edit" junior

junior@template:~$ profiles
httpd edit
Basic Solaris User
All

junior@template:~$ vi /etc/apache2/2.2/httpd.conf

(junior has no write access to the file itself, so a plain vi gets nowhere; the solaris.admin.edit authorization is honoured by pfedit only)

junior@template:~$ pfedit /etc/apache2/2.2/httpd.conf
pfedit: /etc/apache2/2.2/httpd.conf has been updated.

junior@template:~$ pfedit /etc/apache2/2.2/mime.types
pfedit: User junior is not authorized to edit the file /etc/apache2/2.2/mime.types

root@template:/etc/apache2/2.2# profiles -p "httpd edit"
profiles:httpd edit> info
        name=httpd edit
        desc=Edit httpd
        auths=solaris.admin.edit/etc/apache2/2.2/httpd.conf
profiles:httpd edit> add auths=solaris.admin.edit/etc/apache2/2.2/mime.types

junior@template:~$ pfedit /etc/apache2/2.2/mime.types
pfedit: no changes for /etc/apache2/2.2/mime.types

# profiles -p "httpd configure"
profiles:httpd configure> add always_audit=as
profiles:httpd configure> info
        name=httpd configure
        desc=Configure httpd
        auths=solaris.admin.edit/etc/apache2/2.2/httpd.conf,solaris.admin.edit/etc/apache2/2.2/mime.types
        always_audit=as
        never_audit=no
profiles:httpd configure> exit
root@template:~#

root@template:~# auditreduce -c as | praudit
[...]
header,486,2,edit administrative file,,fe80::a00:27ff:fea6:33cb,2013-08-12 07:45:52.306 +00:00
subject,junior,junior,staff,junior,staff,4212447467166369 136704 MacBook-Pro-of-c0t0d0s0.fritz.box
path,/etc/apache2/2.2/httpd.conf
use of authorization,solaris.admin.edit/etc/apache2/2.2/httpd.conf
text,--- /etc/apache2/2.2/httpd.conf       Mo Aug 12 07:45:00 2013
+++ /etc/apache2/2.2/httpd.conf.pfedit.1BaGoi  Mo Aug 12 07:45:52 2013
@@ -1,5 +1,6 @@
 # Test
 # Test 2
+# Test 3
 #
 # This is the main Apache HTTP server configuration file.  It contains the
 # configuration directives that give the server its instructions.
return,success,0

The audit record carries the diff as its text token, so the trail shows not only that junior edited httpd.conf but exactly which lines changed.
Delegating privilege to restart services (so you can keep the root password)

junior@template:~$ svcadm refresh apache22
svcadm: svc:/network/http:apache22: Permission denied.

# svcs -a | grep apache22
online         15:30:29 svc:/network/http:apache22

# auths add -t "Apache22 value" solaris.smf.value.http.apache22
# auths add -t "Apache22 action" solaris.smf.action.http.apache22

# svccfg -s apache22 setprop general/value_authorization = astring: solaris.smf.value.http.apache22
# svccfg -s apache22 setprop general/action_authorization = astring: solaris.smf.action.http.apache22

action_authorization covers refresh, restart and temporary enable/disable; value_authorization is needed for persistent enable/disable and property changes. Refresh the service once (svcadm refresh apache22) so the new general/ properties reach the running snapshot.

# profiles -p "httpd edit" 'add auths=solaris.smf.action.http.apache22'

junior@template:~$ svcadm refresh apache22
junior@template:~$
Privileges

$ ls -l /usr/sbin/traceroute
-r-sr-xr-x   1 root     bin        42324 Nov 21 00:09 /usr/sbin/traceroute
$ ls -l /usr/sbin/ping
-r-sr-xr-x   1 root     bin        51396 Nov 18 19:31 /usr/sbin/ping

Set-uid to root: ping needs it to work (what it actually needs is the net_icmpaccess privilege for its raw socket, not uid 0).

# chmod -s /sbin/ping
# exit
$ ping -s 192.168.1.132
ping: socket Permission denied

Remove the set-uid bit and ping stops working.
jmoekamp@daddelkiste:~$ ppriv $$
2153:   -bash
flags = <none>
        E: basic
        I: basic
        P: basic
        L: all

The complete set of privileges on Solaris 11.1 (ppriv -lv lists and explains them):

contract_event, contract_identity, contract_observer, cpc_cpu,
dtrace_kernel, dtrace_proc, dtrace_user,
file_chown, file_chown_self, file_dac_execute, file_dac_read, file_dac_search, file_dac_write, file_downgrade_sl, file_flag_set, file_link_any, file_owner, file_read, file_setid, file_upgrade_sl, file_write,
graphics_access, graphics_map,
ipc_dac_read, ipc_dac_write, ipc_owner,
net_access, net_bindmlp, net_icmpaccess, net_mac_aware, net_mac_implicit, net_observability, net_privaddr, net_rawaccess,
proc_audit, proc_chroot, proc_clock_highres, proc_exec, proc_fork, proc_info, proc_lock_memory, proc_owner, proc_priocntl, proc_session, proc_setid, proc_taskid, proc_zone,
sys_acct, sys_admin, sys_audit, sys_config, sys_devices, sys_dl_config, sys_flow_config, sys_ib_config, sys_ib_info, sys_ip_config, sys_ipc_config, sys_iptun_config, sys_linkdir, sys_mount, sys_net_config, sys_nfs, sys_ppp_config, sys_res_bind, sys_res_config, sys_resource, sys_share, sys_smb, sys_suser_compat, sys_time, sys_trans_label,
win_colormap, win_config, win_dac_read, win_dac_write, win_devices, win_dga, win_downgrade_sl, win_fontpath, win_mac_read, win_mac_write, win_selection, win_upgrade_sl

All of these privileges, in their entirety, assigned to one user: that is (almost) what root is.

Neat extension in Solaris 11: the ability to use networking is now a privilege (net_access). It is part of the basic set by default, but you can remove it.

jmoekamp@daddelkiste:~$ ppriv -v $$
2153:   -bash
flags = <none>
        E: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
        I: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
        P: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
        L: (the complete privilege list above)

root@daddelkiste:~# ppriv $$
2183:   -bash
flags = <none>
        E: all
        I: basic
        P: all
        L: all

junior@daddelkiste:~$ dtrace -n 'syscall:::entry { @num[execname] = count(); }'
dtrace: failed to initialize dtrace: DTrace requires additional privileges

root@daddelkiste:~# usermod -K defaultpriv=basic,dtrace_kernel,dtrace_proc,dtrace_user junior
UX: usermod: junior is currently logged in, some changes may not take effect until next login.

Granting dtrace_kernel lets junior read arbitrary kernel memory, which is close to root-equivalent; dtrace_proc and dtrace_user alone are enough for tracing junior's own processes.

junior@daddelkiste:~$ dtrace -n 'syscall:::entry { @num[execname] = count(); }'
dtrace: description 'syscall:::entry' matched 211 probes
^C

  automountd                                                        1
  sshd                                                             24
  dtrace                                                          544
  auditd                                                          564
# ps -ef | grep kcfd
  daemon   125     1   0 14:24:19 ?           0:00 /usr/lib/crypto/kcfd
    root   734   728   0 15:54:08 pts/1       0:00 grep kcfd
# ppriv -v 125
125:    /usr/lib/crypto/kcfd
flags = PRIV_AWARE
        E: file_owner,proc_priocntl,sys_devices
        I: none
        P: file_owner,proc_priocntl,sys_devices
        L: none

kcfd is what a privilege-aware daemon should look like: three privileges, nothing inheritable, and a limit set of none, so it can never get anything back.

# svcadm -v enable -s apache2
svc:/network/http:apache2 enabled.

jmoekamp@client:~$ ps -ef | grep http
webservd  1978  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1979  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1980  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1984  1975   0 12:20:02 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
    root  1975     1   0 12:19:14 ?           0:01 /usr/apache2/2.2/bin/httpd -k start
webservd  1977  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1976  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start

root@client:~# ppriv 1977
1977:   /usr/apache2/2.2/bin/httpd -k start
flags = <none>
        E: basic
        I: basic
        P: basic
        L: all
root@client:~# ppriv 1975
1975:   /usr/apache2/2.2/bin/httpd -k start
flags = <none>
        E: all
        I: basic
        P: all
        L: all
root@client:~#

The Apache parent process, running as root, has all privileges (the complete list above). The worker processes, running as webservd, have the basic set. Apache really needs only a handful of them: net_privaddr to bind port 80, plus the part of the basic set it uses for ordinary file and network work. So by starting it as root you grant a large number of privileges to one process that Apache doesn't need.

# svcadm -v disable -s apache2
svc:/network/http:apache2 disabled.

root@client:~# svccfg -s apache22
svc:/network/http:apache22> setprop start/user = astring: webservd
svc:/network/http:apache22> setprop start/group = astring: webservd
svc:/network/http:apache22> setprop start/privileges = astring: basic,!proc_session,!proc_info,!file_link_any,net_privaddr
svc:/network/http:apache22> setprop start/limit_privileges = astring: :default
svc:/network/http:apache22> setprop start/use_profile = boolean: false
svc:/network/http:apache22> setprop start/supp_groups = astring: :default
svc:/network/http:apache22> setprop start/working_directory = astring: :default
svc:/network/http:apache22> setprop start/project = astring: :default
svc:/network/http:apache22> setprop start/resource_pool = astring: :default
svc:/network/http:apache22> end
root@client:~# svcadm -v refresh apache22
Action refresh set for svc:/network/http:apache22.

The start method now runs as webservd with basic minus proc_session, proc_info and file_link_any, plus net_privaddr for port 80. Because the process is no longer root, it needs a lock file and a pid file in a directory webservd can write:

# echo "LockFile /var/apache2/2.2/logs/accept.lock" >> /etc/apache2/2.2/httpd.conf
# echo "PidFile /var/apache2/2.2/run/httpd.pid" >> /etc/apache2/2.2/httpd.conf
# mkdir -p -m 755 /var/apache2/2.2/run
# chown webservd:webservd /var/apache2/2.2/run
# svcadm enable apache22

webservd  3064  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3062  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3063  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3066  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3061     1   0 16:49:17 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3065  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start

No root process left in the tree: the parent (3061) is webservd as well.
Read-only zone root

zonecfg:testzone> set file-mac-profile=none
    Standard read-write non-global zone, with no additional protection beyond the existing zone boundaries.

zonecfg:testzone> set file-mac-profile=strict
    Read-only file system, no exceptions.

zonecfg:testzone> set file-mac-profile=fixed-configuration
    Permits updates to /var/* directories, with the exception of directories that contain system configuration components.

zonecfg:testzone> set file-mac-profile=flexible-configuration
    Permits modification of files in /etc/* directories, changes to root's home directory, and updates to /var/* directories. This configuration provides the closest functionality to the Oracle Solaris 10 native sparse root zone.
in-kernel SSL Proxy

# mkdir /etc/keys
# cd /etc/keys
# openssl req -x509 -nodes -days 365 -subj "/C=DE/ST=Hamburg/L=Hamburg/CN=server" -newkey rsa:1024 -keyout /etc/keys/mykey.pem -out /etc/keys/mycert.pem
# cat mycert.pem mykey.pem > my.pem
# chmod 600 my.pem

(my.pem contains the private key, hence the chmod 600. rsa:1024 is fine for a demo only; use 2048 bits or more for anything real.)

# echo "pass" > /etc/keys/mypass
# ksslcfg create -f pem -i /etc/keys/my.pem -x 8080 -p /etc/keys/mypass server 443

With an explicit cipher list:

# ksslcfg create -f pem -i /etc/keys/my.pem -x 8080 -p /etc/keys/mypass -c "rsa_aes_256_cbc_sha,rsa_aes_128_cbc_sha,rsa_rc4_128_sha,rsa_rc4_128_md5" server 443

# svcs -a | grep kssl
online          9:03:33 svc:/network/ssl/proxy:kssl-server-443

# svcadm disable apache22
# echo "Listen 192.168.178.108:8080" >> /etc/apache2/2.2/httpd.conf
# svcadm enable apache22

Port number and IP address have to be defined in httpd.conf, otherwise it will not work: the proxy terminates TLS on server:443 and hands the decrypted stream to port 8080 on that address.

# openssl s_client -connect server:443
CONNECTED(00000004)
depth=0 /C=DE/ST=Hamburg/L=Hamburg/CN=server
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=DE/ST=Hamburg/L=Hamburg/CN=server
verify return:1
---
Certificate chain
 0 s:/C=DE/ST=Hamburg/L=Hamburg/CN=server
   i:/C=DE/ST=Hamburg/L=Hamburg/CN=server
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICoTCCAgqgAwIBAgIJAKyJdj[...]V5jX3MU=
-----END CERTIFICATE-----
subject=/C=DE/ST=Hamburg/L=Hamburg/CN=server
issuer=/C=DE/ST=Hamburg/L=Hamburg/CN=server
---
No client certificate CA names sent
---
SSL handshake has read 817 bytes and written 328 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-SHA
    Session-ID: 32CEF20CB9FE2A71C74D40BB2DB5CB304DA1B57540B7CFDD113915B99DBE9812
    Session-ID-ctx:
    Master-Key: 1E7B502390951124779C5763B5E4BBAF0A9B0693D08DCA8A587B503A5C5027B6FAD9CA7626B1AD8C62219E8502A5C21E
    Key-Arg   : None
    Start Time: 1242985143
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
GET / HTTP/1.0

HTTP/1.1 200 OK
Date: Fri, 22 May 2009 09:39:13 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8a DAV/2
Last-Modified: Thu, 21 May 2009 21:26:30 GMT
ETag: "341f3-2c-46a72cc211a8f"
Accept-Ranges: bytes
Content-Length: 44
Connection: close
Content-Type: text/html

<html><body><h1>It works!</h1></body></html>
read:errno=0

The client ended up on RC4-SHA, which the cipher list above allows. RC4 is no longer acceptable in TLS; drop the rsa_rc4_* entries from -c and keep the AES suites.
ZFS Encryption

# zfs create -o encryption=on rpool/export/project

Two keys are involved:
- the wrapping key (user-settable; keysource = prompt, file, https or pkcs11)
- the data encryption key (random, not user-settable, stored wrapped by the wrapping key)

Algorithms: aes-128-ccm (= on), aes-192-ccm, aes-256-ccm, aes-128-gcm, aes-192-gcm, aes-256-gcm

# zfs set checksum=sha256+mac <dataset>

If encryption is anything but off, this happens automatically: the checksum becomes sha256+mac and the property is read-only from then on.

# pktool genkey keystore=pkcs11 keytype=aes keylen=128 label=mykey
Enter PIN for Sun Software PKCS#11 softtoken:
# zfs create -o encryption=on -o keysource=raw,pkcs11:object=mykey tank/projectC
Enter PKCS#11 token PIN for 'tank/projectC':

# zfs create -o encryption=on -o keysource=raw,https://keys.example.com/mykey tank/projectR
# cp myservercert.pem /etc/certs/CA/
# svcadm refresh ca-certificates

(the certificate of the https key server has to be trusted by the system, which is what the last two commands arrange)

Changing the wrapping key:

$ zfs key -c rpool/export/project
Enter new passphrase for 'rpool/export/project':

Changing the encryption key for data written from now on:

# zfs key -K tank/projectA
# zfs clone -K tank/projectA@montag tank/projectD

Creates a new data encryption key. Data written in the clone uses the new data encryption key, which is distinct from its original snapshot. Data already on disk stays under the old key.
Solaris Cryptographic Framework

As soon as Solaris detects hardware acceleration for cryptography, Solaris will use it (and so do applications using the Oracle-supplied OpenSSL library or the direct interfaces):
- on-chip crypto accelerator in T-series and current M-series chips
- instruction set extensions in Intel processors (AES-NI)
- supported crypto accelerator cards

Just a side note: T-series crypto acceleration and Intel x86 acceleration have pretty much different performance characteristics.
T-series: acceleration by offloading crypto outside the pipeline.
Intel x86: acceleration by offering special in-pipeline instructions to speed up execution.
Sounds like splitting hairs...
Using ZFS to do two-factor encryption

jmoekamp@solaris:~$ rmformat
Looking for devices...
     1. Logical Node: /dev/rdsk/c10t0d0p0
        Physical Node: /pci@0,0/pci8086,265c@b/storage@2/disk@0,0
        Connected Device: SanDisk  U3 Cruzer Micro  8.02
        Device Type: Removable
        Bus: USB
        Size: 3.8 GB
        Label: <None>
        Access permissions: Medium is not write protected
(...)
     3. Logical Node: /dev/rdsk/c9t0d0p0
        Physical Node: /pci@0,0/pci8086,265c@b/storage@1/disk@0,0
        Connected Device: SanDisk  U3 Cruzer Micro  8.02
        Device Type: Removable
        Bus: USB
        Size: 3.8 GB
        Label: <None>
        Access permissions: Medium is not write protected

root@solaris:~# zpool create a_keystore_usbstick /dev/dsk/c10t0d0p0
root@solaris:~# zpool create datastick /dev/dsk/c9t0d0p0

root@solaris:~# zfs create -o encryption=on a_keystore_usbstick/keys
Enter passphrase for 'a_keystore_usbstick/keys': supersecret
Enter again: supersecret

root@solaris:~# pktool genkey keystore=file keytype=aes keylen=128 outkey=/a_keystore_usbstick/keys/joergsdatastick.key

root@solaris:~# zfs create -o encryption=on -o keysource=raw,file:///a_keystore_usbstick/keys/joergsdatastick.key datastick/joergssecrets

root@solaris:/datastick/joergssecrets# mv /home/jmoekamp/highlyconfidential_nda_presos.tgz .

root@solaris:~# zpool export a_keystore_usbstick
root@solaris:~# zpool export datastick

root@solaris:~# zpool import a_keystore_usbstick
Enter passphrase for 'a_keystore_usbstick/keys': supersecret
root@solaris:~#

root@solaris:~# zpool import datastick
root@solaris:~# cd /datastick/joergssecrets
root@solaris:/datastick/joergssecrets# ls
highconfidential_nda_presos.tgz
Basic Auditing and Reporting Tool

# mkdir /bart-files
# bart create -R /etc > /bart-files/etc.control.manifest

# cat etc.control.manifest | grep nsswitch.nisplus
/nsswitch.nisplus F 2525 100644 user::rw-,group::r--,mask:r--,other:r-- 473976b5 0 3 79e8fd689a5221d1cd059e5077da71b8

# touch /etc/thisisjustatest
# chmod 777 /etc/nsswitch.files
# echo "just a test" >> /etc/nsswitch.nisplus

# bart create -R /etc > /bart-files/etc.check.20130911.manifest

# cd /bart-files
# bart compare etc.control.manifest etc.check.20130911.manifest
/nsswitch.files:
  mode  control:100644  test:100777
  acl  control:user::rw-,group::r--,mask:r--,other:r--  test:user::rwx,group::rwx,mask:rwx,other:rwx
/nsswitch.nisplus:
  size  control:2525  test:2538
  mtime  control:473976b5  test:47a44862
  contents  control:79e8fd689a5221d1cd059e5077da71b8  test:3f79176ec352441db11ec8a3d02ef67c
/thisisjustatest:
  add

Find more information regarding this feature at http://www.c0t0d0s0.org/archives/4069-Less-known-Solaris-features-BART.html
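To make visible which manifest fields "bart compare" looks at, here is an added example (not from the slides and not bart's own code) that re-implements the comparison in awk over two constructed manifests; the file names and checksums are sample data modelled on the slide.

```shell
#!/bin/sh
# Added example, not code from the slides or from bart(1M): a small
# re-implementation of what "bart compare" does, run over two constructed
# manifests, so that the fields it compares are visible.
# Manifest format (one entry per line, after the "!" and "#" header lines):
#   /fname F size mode acl mtime uid gid contents
# where contents is the MD5 checksum of the file.  The values below are
# constructed sample data modelled on the slide, not real hashes.
CONTROL_MANIFEST='! Version 1.0
! Wednesday, September 11, 2013 (10:00:00)
#fname F size mode acl mtime uid gid contents
/nsswitch.files F 400 100644 user::rw-,group::r--,mask:r--,other:r-- 473976b5 0 3 0123456789abcdef0123456789abcdef
/nsswitch.nisplus F 2525 100644 user::rw-,group::r--,mask:r--,other:r-- 473976b5 0 3 79e8fd689a5221d1cd059e5077da71b8
/shadow F 700 100400 user::r--,group::---,mask:---,other:--- 473976b5 0 3 fedcba9876543210fedcba9876543210'

TEST_MANIFEST='! Version 1.0
! Wednesday, September 11, 2013 (10:30:00)
#fname F size mode acl mtime uid gid contents
/nsswitch.files F 400 100777 user::rwx,group::rwx,mask:rwx,other:rwx 473976b5 0 3 0123456789abcdef0123456789abcdef
/nsswitch.nisplus F 2538 100644 user::rw-,group::r--,mask:r--,other:r-- 47a44862 0 3 3f79176ec352441db11ec8a3d02ef67c
/thisisjustatest F 0 100644 user::rw-,group::r--,mask:r--,other:r-- 47a44870 0 0 d41d8cd98f00b204e9800998ecf8427e'

# compare_manifests CONTROL TEST
# Prints, in bart-compare style, one "/path:" line per entry that differs,
# followed by the attributes that changed (type, size, mode, acl, mtime,
# uid, gid, contents) with their control and test values.  Entries only in
# TEST are reported as "add", entries only in CONTROL as "delete" (the
# deletes come last because they are collected in the END block).
compare_manifests() {
    { printf '%s\n' "$1"; echo '=='; printf '%s\n' "$2"; } | awk '
        /^[!#]/ { next }                     # manifest header lines
        /^==$/  { in_test = 1; next }        # separator between the two manifests
        !in_test { control[$1] = $0; next }  # first pass: remember control entries
        {
            path = $1
            seen[path] = 1
            if (!(path in control)) { printf "%s:\n  add\n", path; next }
            split(control[path], c, " ")
            split("type size mode acl mtime uid gid contents", name, " ")
            hdr = 0
            for (i = 2; i <= 9; i++) {
                if (c[i] != $i) {
                    if (!hdr) { printf "%s:\n", path; hdr = 1 }
                    printf "  %s  control:%s  test:%s\n", name[i - 1], c[i], $i
                }
            }
        }
        END {
            for (p in control)
                if (!(p in seen)) printf "%s:\n  delete\n", p
        }'
}

compare_manifests "$CONTROL_MANIFEST" "$TEST_MANIFEST"
```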
Apropos Auditing

Auditing is activated by default.

root@client:~# auditconfig -getflags
active user default audit flags = lo(0x1000,0x1000)
configured user default audit flags = lo(0x1000,0x1000)
root@client:~# auditconfig -getnaflags
active non-attributable audit flags = lo(0x1000,0x1000)
configured non-attributable audit flags = lo(0x1000,0x1000)

root@client:~# auditconfig -getpolicy
configured audit policies = cnt
active audit policies = cnt
Policy regarding auditing (explanation on the next slide)

root@client:~# auditconfig -lspolicy
policy string    description
ahlt             halt machine if it can not record an async event
all              all policies
arge             include exec environment args in audit recs
argv             include exec command line args in audit recs
cnt              when no more space, drop recs and keep a cnt
group            include supplementary groups in audit recs
none             no policies
path             allow multiple paths per event
perzone          use a separate queue and auditd per zone
public           audit public files
seq              include a sequence number in audit recs
trail            include trailer token in audit recs
windata_down     include downgraded window information in audit recs
windata_up       include upgraded window information in audit recs
zonename         include zonename token in audit recs
Which degree of detail? What happens with full disks?

root@client:~# auditconfig -getplugin
Plugin: audit_binfile (active)
        Attributes: p_dir=/var/audit;p_fsize=0;p_minfree=1;
Plugin: audit_syslog (inactive)
        Attributes: p_flags=;
Plugin: audit_remote (inactive)
        Attributes: p_hosts=;p_retries=3;p_timeout=5;

root@client:~# auditconfig -setflags lo,ps,fw
user default audit flags = ps,lo,fw(0x101002,0x101002)
root@client:~# auditconfig -setnaflags lo,na
non-attributable audit flags = lo,na(0x1400,0x1400)
lo and na are the only sensible flags for non-attributable events.

root@client:~# usermod -K audit_flags=fw:as junior

root@client:~# auditconfig -lsevent | grep " lo "
AUE_login                 6152 lo   login - local
AUE_logout                6153 lo   logout
AUE_telnet                6154 lo   login - telnet
AUE_rlogin                6155 lo   login - rlogin
AUE_rshd                  6158 lo   rsh access
AUE_su                    6159 lo   su
AUE_rexecd                6162 lo   rexecd
AUE_passwd                6163 lo   passwd
AUE_rexd                  6164 lo   rexd
AUE_ftpd                  6165 lo   ftp access
AUE_ftpd_logout           6171 lo   ftp logout
AUE_ssh                   6172 lo   login - ssh
AUE_role_login            6173 lo   role login
AUE_rad_login             6174 lo   connect to RAD
AUE_newgrp_login          6212 lo   newgrp login
AUE_admin_authenticate    6213 lo   admin login
AUE_screenlock            6221 lo   screenlock - lock
AUE_screenunlock          6222 lo   screenlock - unlock
AUE_zlogin                6227 lo   login - zlogin
AUE_su_logout             6228 lo   su logout
AUE_role_logout           6229 lo   role logout
AUE_smbd_session          6244 lo   smbd(1m) session setup
AUE_smbd_logoff           6245 lo   smbd(1m) session logoff

root@client:~# auditconfig -lsevent | grep " ps "
AUE_EXIT                     1 ps   exit(2)
AUE_FORKALL                  2 ps   forkall(2)
AUE_VFORK                   25 ps   vfork(2)
AUE_FORK1                  241 ps   fork1(2)
root@client:~# auditconfig -lsevent | grep " fw "
AUE_OPEN_W                  76 fw   open(2) - write

# auditreduce -c ps /var/audit/20130912183630.not_terminated.client | praudit
header,139,2,execve(2),,client,2013-09-12 18:40:55.924 +00:00
path,/usr/sbin/auditreduce
attribute,100555,root,bin,65538,65875,18446744073709551615
subject,jmoekamp,root,root,root,root,2054,1440080956,2480 202240 192.168.10.1
return,success,0

root@client:~# auditconfig -setflags all
user default audit flags = all(0xffffffffffffffff,0xffffffffffffffff)
Not always (in the sense of: never) a good idea.
Useful after trying things out - starting a new audit file:
root@client:~# audit -n

root@client:~# auditstat
  gen  nona  kern   aud   ctl   enq  wrtn  wblk  rblk  drop   tot   mem
38248     1 38233    14     0 37791 37788     0  3491   457  5169     0
"all" activated for a few seconds on an unloaded system
SSH and X509

root@ca:~# CA.pl -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
++++++++++++
writing new private key to '/etc/openssl/private/cakey.pem'
Enter PEM pass phrase: supersecret1
Verifying - Enter PEM pass phrase: supersecret1
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:DE
State or Province Name (full name) []:Lower Saxony
Locality Name (eg, city) []:Lueneburg
Organization Name (eg, company) []:c0t0d0s0.org
Organizational Unit Name (eg, section) []:Security Department
Common Name (eg, server FQDN or YOUR name) []:CA
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openssl/openssl.cnf
Enter pass phrase for /etc/openssl/private/cakey.pem: supersecret1
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            b3:54:80:88:66:ad:e8:78
        Validity
            Not Before: Sep 26 10:11:09 2013 GMT
            Not After : Sep 25 10:11:09 2016 GMT
        Subject:
            countryName               = DE
            stateOrProvinceName       = Lower Saxony
            organizationName          = c0t0d0s0.org
            organizationalUnitName    = Security Department
            commonName                = CA
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44
            X509v3 Authority Key Identifier:
                keyid:5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44
            X509v3 Basic Constraints:
                CA:TRUE
Certificate is to be certified until Sep 25 10:11:09 2016 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated
root@ca:~# mkdir server
root@ca:~# cd server
root@ca:~/server# CA.pl -newreq
Generating a 1024 bit RSA private key
++++++++++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase: supersecret2
Verifying - Enter PEM pass phrase: supersecret2
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:DE
State or Province Name (full name) []:Lower Saxony
Locality Name (eg, city) []:Lueneburg
Organization Name (eg, company) []:c0t0d0s0.org
Organizational Unit Name (eg, section) []:Server Certificates
Common Name (eg, server FQDN or YOUR name) []:server
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem

root@ca:~/server# CA.pl -signreq
Using configuration from /etc/openssl/openssl.cnf
Enter pass phrase for /etc/openssl/private/cakey.pem: supersecret1
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            b3:54:80:88:66:ad:e8:79
        Validity
            Not Before: Sep 26 10:29:12 2013 GMT
            Not After : Sep 26 10:29:12 2014 GMT
        Subject:
            countryName               = DE
            stateOrProvinceName       = Lower Saxony
            localityName              = Lueneburg
            organizationName          = c0t0d0s0.org
            organizationalUnitName    = Server Certificates
            commonName                = server
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                A7:DC:03:DE:B3:D5:FB:F9:C0:06:F1:1A:55:A9:AD:04:C4:9C:10:FA
            X509v3 Authority Key Identifier:
                keyid:5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44
Certificate is to be certified until Sep 26 10:29:12 2014 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
root@ca:~/server# ls -l
total 15
-rw-r--r--   1 root     root        3196 Sep 26 12:29 newcert.pem
-rw-r--r--   1 root     root        1041 Sep 26 12:28 newkey.pem
-rw-r--r--   1 root     root         680 Sep 26 12:28 newreq.pem
root@ca:~/junior# CA.pl -newreq
Generating a 1024 bit RSA private key
++++++++++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
Verify failure
Enter PEM pass phrase: supersecret3
Verifying - Enter PEM pass phrase: supersecret3
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:DE
State or Province Name (full name) []:Lower Saxony
Locality Name (eg, city) []:Lueneburg
Organization Name (eg, company) []:c0t0d0s0.org
Organizational Unit Name (eg, section) []:User certificates
Common Name (eg, server FQDN or YOUR name) []:junior
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem

root@ca:~/junior# CA.pl -signreq
Using configuration from /etc/openssl/openssl.cnf
Enter pass phrase for /etc/openssl/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            b3:54:80:88:66:ad:e8:7a
        Validity
            Not Before: Sep 26 11:09:29 2013 GMT
            Not After : Sep 26 11:09:29 2014 GMT
        Subject:
            countryName               = DE
            stateOrProvinceName       = Lower Saxony
            localityName              = Lueneburg
            organizationName          = c0t0d0s0.org
            organizationalUnitName    = User certificates
            commonName                = junior
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                A1:F2:FC:9D:8A:E2:AD:9A:F5:29:03:F5:B7:14:93:3C:64:62:8E:9C
            X509v3 Authority Key Identifier:
                keyid:5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44
Certificate is to be certified until Sep 26 11:09:29 2014 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
root@server:~# useradd -m junior
80 blocks
root@server:~# passwd junior
New Password:
Re-enter new Password:
passwd: password successfully changed for junior
root@server:~#

root@client:~# useradd -m junior
80 blocks
root@client:~# passwd junior
New Password:
Re-enter new Password:
passwd: password successfully changed for junior

root@server:~# echo "192.168.10.51 server" >> /etc/hosts
root@server:~# echo "192.168.10.52 client" >> /etc/hosts

root@client:~# echo "192.168.10.51 server" >> /etc/hosts
root@client:~# echo "192.168.10.52 client" >> /etc/hosts

root@ca:~/server# scp /etc/openssl/cacert.pem jmoekamp@192.168.1.109:/export/home/jmoekamp
Password:
cacert.pem           100% |*****************************|  3011       00:00
root@ca:~/server# scp newcert.pem jmoekamp@192.168.1.109:/export/home/jmoekamp
Password:
newcert.pem          100% |*****************************|  3196       00:00
root@ca:~/server# scp newkey.pem jmoekamp@192.168.1.109:/export/home/jmoekamp
Password:
newkey.pem           100% |*****************************|  1041       00:00

root@ca:~/junior# scp newkey.pem junior@client:/export/home/junior
Password:
newkey.pem           100% |*****************************|  1041       00:00
root@ca:~/junior# scp newcert.pem junior@client:/export/home/junior
Password:
newcert.pem          100% |*****************************|  3190       00:00
root@ca:~/junior# scp /etc/openssl/cacert.pem junior@192.168.1.104:/export/home/junior
Password:
cacert.pem           100% |*****************************|  3011       00:00
On the Server

root@server:~# ls
cacert.pem   newcert.pem  newkey.pem

root@server:~# pktool setpin
Enter token passphrase: changeme
Create new passphrase: superserversecret
Re-enter new passphrase: superserversecret
Passphrase changed.
root@server:~#

root@server:~# printf "superserversecret" > /etc/ssh/pinfile

root@server:~# kmfcfg create dbfile=/etc/ssh/policy.xml policy=ssh ta-name=search mapper-name=cn

root@server:~# echo "TrustedAnchorKeystore /etc/ssh/cert" >> /etc/ssh/sshd_config
root@server:~# echo "KMFPolicyDatabase /etc/ssh/policy.xml" >> /etc/ssh/sshd_config
root@server:~# echo "KMFPolicyName ssh" >> /etc/ssh/sshd_config
root@server:~# echo "HostKey pkcs11:object=host;token=Sun Metaslot;pinfile=/etc/ssh/pinfile" >> /etc/ssh/sshd_config

root@server:~# pktool import keystore=pkcs11 infile=newkey.pem objtype=key label=host
Enter PIN for Sun Software PKCS#11 softtoken: superserversecret
Enter PEM pass phrase: supersecret2
Importing 1 keys

root@server:~# egrep -v "^ |^$|^Cert" /export/home/jmoekamp/cacert.pem > /etc/ssh/cert/cacert.cooked.pem
root@server:~# egrep -v "^ |^$|^Cert" newcert.pem > newcert.cooked.pem
root@server:~# pktool import keystore=pkcs11 infile=newcert.cooked.pem objtype=cert label=host
root@server:~#
On the client

junior@client:~$ ls *.pem
cacert.pem   newcert.pem  newkey.pem

root@client:~# kmfcfg create dbfile=/etc/ssh/policy.xml policy=ssh ta-name=search mapper-name=cn
root@client:~# egrep -v "^ |^$|^Cert" /export/home/junior/cacert.pem > /etc/ssh/cert/cacert.cooked.pem

junior@client:~$ pktool setpin
Enter token passphrase: changeme
Create new passphrase: superusersecret
Re-enter new passphrase: superusersecret
Passphrase changed.

junior@client:~$ pktool import keystore=pkcs11 infile=newkey.pem objtype=key label=user
Enter PIN for Sun Software PKCS#11 softtoken: superusersecret
Enter PEM pass phrase: supersecret3
Importing 1 keys
junior@client:~$ egrep -v "^ |^$|^Cert" newcert.pem > newcert.cooked.pem
junior@client:~$ pktool import keystore=pkcs11 infile=newcert.cooked.pem objtype=cert label=user

Testing it

root@server:~# svcadm disable ssh
root@server:~# svcadm enable ssh

junior@client:~$ cd .ssh
junior@client:~/.ssh$ printf "superusersecret" >> pinfile
junior@client:~/.ssh$ cat config
Host server-x509
  Hostname server
  TrustedAnchorKeystore /etc/ssh/cert
  KMFPolicyDatabase /etc/ssh/policy.xml
  KMFPolicyName ssh
  IdentityFile pkcs11:object=user;token=Sun Software PKCS#11 softtoken;pinfile=/export/home/junior/.ssh/pinfile

junior@client:~/.ssh$ ssh junior@server-x509
Last login: Thu Sep 26 20:07:14 2013 from client
Oracle Corporation      SunOS 5.11      11.1    September 2013
junior@server:~$

Find more information regarding this feature at http://www.c0t0d0s0.org/archives/7659-Using-X509-support-for-SSH-on-Solaris-11.1.html
OpenSCAP

"The Security Content Automation Protocol (SCAP) is a method for using specific standards to enable automated vulnerability management, measurement, and policy compliance evaluation (e.g., FISMA compliance). The National Vulnerability Database (NVD) is the U.S. government content repository for SCAP."
http://en.wikipedia.org/wiki/Security_Content_Automation_Protocol

ftp-banner.xml

<?xml version="1.0" encoding="UTF-8"?>
<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:independent-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd">
  <generator>
    <oval:product_name>Enhanced SCAP Editor</oval:product_name>
    <oval:product_version>0.0.11</oval:product_version>
    <oval:schema_version>5.8</oval:schema_version>
    <oval:timestamp>2012-10-11T10:33:25</oval:timestamp>
  </generator>
  <!--generated.oval.base.identifier=com.oracle.solaris11-->
  <definitions>
    <definition id="oval:com.oracle.solaris11:def:840" version="1" class="compliance">
      <metadata>
        <title>Enable a Warning Banner for the FTP Service</title>
        <affected family="unix">
          <platform>Oracle Solaris 11</platform>
        </affected>
        <description>/etc/proftpd.conf contains "DisplayConnect /etc/issue"</description>
      </metadata>
      <criteria operator="AND" negate="false" comment="Single test">
        <criterion comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;" test_ref="oval:com.oracle.solaris11:tst:8400" negate="false"/>
      </criteria>
    </definition>
  </definitions>
  <tests>
    <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:com.oracle.solaris11:tst:8400" version="1" check="all" comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;" check_existence="all_exist">
      <object object_ref="oval:com.oracle.solaris11:obj:8400"/>
    </textfilecontent54_test>
  </tests>
  <objects>
    <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:com.oracle.solaris11:obj:8400" version="1" comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;">
      <path datatype="string" operation="equals">/etc</path>
      <filename datatype="string" operation="equals">proftpd.conf</filename>
      <pattern datatype="string" operation="pattern match">^DisplayConnect\s/etc/issue\s*$</pattern>
      <instance datatype="int" operation="greater than or equal">1</instance>
    </textfilecontent54_object>
  </objects>
</oval_definitions>

The object that does the actual check: path /etc, filename proftpd.conf, a line matching ^DisplayConnect\s/etc/issue\s*$, and at least one instance of it.

$ oscap oval eval ftp-banner.xml
Definition oval:com.oracle.solaris11:def:840: false
Evaluation done.

$ oscap oval eval --results results.xml --report report.html ftp-banner.xml
Definition oval:com.oracle.solaris11:def:840: false
Evaluation done.
OVAL Results are exported correctly.

To create your own OVAL files: Enhanced SCAP Content Editor

Find more information regarding this feature at https://blogs.oracle.com/darren/entry/compliance_reporting_with_scap
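To see what the textfilecontent54_object above actually evaluates, here is an added example (not from the slides and not OpenSCAP code) that performs the same check by hand over constructed proftpd.conf variants in scratch directories; the directory names and file contents are sample data.

```shell
#!/bin/sh
# Added example, not code from the slides or from OpenSCAP: evaluates the
# textfilecontent54_object of ftp-banner.xml by hand, so the
# "Definition oval:com.oracle.solaris11:def:840: false" result above can be
# reproduced against constructed sample files.
# The object's elements map as follows:
#   path "/etc" + filename "proftpd.conf"        -> the file to scan
#   pattern ^DisplayConnect\s/etc/issue\s*$      -> the ERE below (\s written
#                                                   as [[:space:]])
#   instance >= 1, check_existence="all_exist"   -> at least one match needed;
#                                                   a missing file is a fail
BANNER_PATTERN='^DisplayConnect[[:space:]]/etc/issue[[:space:]]*$'

# textfilecontent54 DIR FILENAME PATTERN MIN_INSTANCES
# Prints "true" when DIR/FILENAME has at least MIN_INSTANCES lines matching
# PATTERN, "false" otherwise (also when the file does not exist).
textfilecontent54() {
    file="$1/$2"
    if [ ! -f "$file" ]; then
        echo false
        return 1
    fi
    count=$(grep -c -E -e "$3" "$file" || true)
    if [ "$count" -ge "$4" ]; then
        echo true
    else
        echo false
        return 1
    fi
}

# evaluate_ftp_banner DIR -> prints the oscap-style result line for def:840,
# scanning DIR/proftpd.conf instead of /etc/proftpd.conf.
evaluate_ftp_banner() {
    result=$(textfilecontent54 "$1" proftpd.conf "$BANNER_PATTERN" 1 || true)
    echo "Definition oval:com.oracle.solaris11:def:840: $result"
}

# make_samples -> creates two constructed proftpd.conf variants (one with the
# banner directive, one with it commented out) in scratch directories and
# prints the two directory names.
make_samples() {
    good=$(mktemp -d) && bad=$(mktemp -d)
    printf 'ServerName "FTP"\nDisplayConnect /etc/issue\n' > "$good/proftpd.conf"
    printf 'ServerName "FTP"\n# DisplayConnect /etc/issue\n' > "$bad/proftpd.conf"
    echo "$good $bad"
}

samples=$(make_samples)
for d in $samples; do evaluate_ftp_banner "$d"; done
```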
Sandboxing applications on Solaris 11.1

root@solaris:~# profiles -p "MySQL Service"
profiles:MySQL Service> set desc="Locking down the MySQL Service"
profiles:MySQL Service> add cmd=/lib/svc/method/mysql_51
profiles:MySQL Service:mysql_51> set privs=basic
profiles:MySQL Service:mysql_51> add privs={net_privaddr}:3306/tcp
profiles:MySQL Service:mysql_51> add privs={file_write}:/var/mysql/5.1/data/*
profiles:MySQL Service:mysql_51> add privs={file_write}:/tmp/mysql.sock
profiles:MySQL Service:mysql_51> add privs={file_write}:/var/tmp/ib*
profiles:MySQL Service:mysql_51> end
profiles:MySQL Service> set uid=mysql
profiles:MySQL Service> set gid=mysql
profiles:MySQL Service> exit
root@solaris:~#

root@solaris:~# svccfg -s mysql:version_51
svc:/application/database/mysql:version_51> setprop method_context/profile="MySQL Service"
svc:/application/database/mysql:version_51> setprop method_context/use_profile=true
svc:/application/database/mysql:version_51> refresh
svc:/application/database/mysql:version_51> exit

root@solaris:~# ipadm set-prop -p extra_priv_ports+=3306 tcp
root@solaris:~# ipadm show-prop -p extra_priv_ports tcp
PROTO PROPERTY          PERM CURRENT    PERSISTENT DEFAULT    POSSIBLE
tcp   extra_priv_ports  rw   2049,4045, --         2049,4045  1-65535
                             3306

svcadm enable mysql:version_51

root@solaris:~# ppriv $(pgrep mysql)
103697: /usr/mysql/5.1/bin/mysqld --basedir=/usr/mysql/5.1 --datadir=/var/mysq
flags = PRIV_XPOLICY
        Extended policies:
                {net_privaddr}:3306/tcp
                {file_write}:/var/mysql/5.1/data/*
                {file_write}:/tmp/mysql.sock
                {file_write}:/var/tmp/ib*
        E: basic,!file_write
        I: basic,!file_write
        P: basic,!file_write
        L: all
103609: /bin/sh /usr/mysql/5.1/bin/mysqld_safe --user=mysql --datadir=/var/mys
flags = PRIV_XPOLICY
        Extended policies:
                {net_privaddr}:3306/tcp
                {file_write}:/var/mysql/5.1/data/*
                {file_write}:/tmp/mysql.sock
                {file_write}:/var/tmp/ib*
        E: basic,!file_write
        I: basic,!file_write
        P: basic,!file_write
        L: all

Find more information regarding this feature at https://blogs.oracle.com/gfaden/entry/oracle_solaris_extended_policy_and
Passwords

root@client:/etc/security# cat /etc/security/crypt.conf
#
# Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
#ident "%Z%%M% %I% %E% SMI"
#
# The algorithm name __unix__ is reserved.
#
1       crypt_bsdmd5.so.1
2a      crypt_bsdbf.so.1
md5     crypt_sunmd5.so.1
5       crypt_sha256.so.1
6       crypt_sha512.so.1

root@client:/etc/security# cat /etc/security/policy.conf | egrep "^CRYPT_DEFAULT"
CRYPT_DEFAULT=5
root@client:/etc/security# cat /etc/shadow | grep junior
junior:$5$4aKvDFqA$2kL8GpuXjrdf8XpanqhylEP5lDhy1DF5uo1ZYx74f3159291440

root@client:/etc/security# cat /etc/default/passwd | grep -v "^# " | egrep -v "^$|^ $"
#ident "%Z%%M% %I% %E% SMI"
MAXWEEKS=
MINWEEKS=
PASSLENGTH=6
NAMECHECK=NO
HISTORY=0
MINDIFF=3
MINALPHA=2
MINNONALPHA=1
MINUPPER=0
MINLOWER=0
MAXREPEATS=0
MINSPECIAL=0
MINDIGIT=0
WHITESPACE=YES
DICTIONLIST=
DICTIONDBDIR=/var/passwd

root@client:~# mkpwdict -s /usr/share/lib/dict/words
mkpwdict: using default database location: /var/passwd
or
root@client:~# mkpwdict -s /usr/share/lib/dict/words -d /var/passwd
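To show what the /etc/default/passwd values above mean for a candidate password, here is an added example (not from the slides and not Solaris code) that applies them in shell; it approximates the pam_authtok_check rules for these keywords and leaves out MINDIFF, HISTORY and the dictionary lookup.

```shell
#!/bin/sh
# Added example, not code from the slides or from Solaris: checks a candidate
# password against the /etc/default/passwd values shown above.  It is a
# shell approximation of the checks pam_authtok_check(5) performs for these
# keywords; MINDIFF (needs the old password), HISTORY and the DICTIONLIST
# lookup are left out.
PASSLENGTH=6
MINALPHA=2
MINNONALPHA=1
MINUPPER=0
MINLOWER=0
MAXREPEATS=0      # 0 = no limit on consecutive repeated characters
WHITESPACE=YES    # YES = whitespace allowed in passwords

# count_class STRING CLASS -> number of characters in STRING that belong to
# the tr(1) character class CLASS, e.g. '[:alpha:]'
count_class() {
    printf '%s' "$1" | tr -cd "$2" | wc -c | tr -d ' '
}

# max_repeats STRING -> number of consecutive repeats of one character in
# the longest run ("aab" gives 1, "abc" gives 0, "aaaa" gives 3)
max_repeats() {
    printf '%s\n' "$1" | awk '{
        best = 0; run = 0
        for (i = 2; i <= length($0); i++) {
            if (substr($0, i, 1) == substr($0, i - 1, 1)) { run++; if (run > best) best = run }
            else run = 0
        }
        print best
    }'
}

# check_password CANDIDATE -> prints "ok" and returns 0, or prints the first
# rule that fails and returns 1
check_password() {
    pw=$1
    alpha=$(count_class "$pw" '[:alpha:]')
    nonalpha=$(( ${#pw} - alpha ))
    [ "${#pw}" -ge "$PASSLENGTH" ] || { echo "too short (PASSLENGTH=$PASSLENGTH)"; return 1; }
    [ "$alpha" -ge "$MINALPHA" ] || { echo "needs $MINALPHA alphabetic characters (MINALPHA)"; return 1; }
    [ "$nonalpha" -ge "$MINNONALPHA" ] || { echo "needs $MINNONALPHA non-alphabetic character (MINNONALPHA)"; return 1; }
    [ "$(count_class "$pw" '[:upper:]')" -ge "$MINUPPER" ] || { echo "needs $MINUPPER upper-case characters (MINUPPER)"; return 1; }
    [ "$(count_class "$pw" '[:lower:]')" -ge "$MINLOWER" ] || { echo "needs $MINLOWER lower-case characters (MINLOWER)"; return 1; }
    if [ "$WHITESPACE" != YES ] && [ "$(count_class "$pw" '[:space:]')" -gt 0 ]; then
        echo "whitespace not allowed (WHITESPACE=$WHITESPACE)"; return 1
    fi
    if [ "$MAXREPEATS" -gt 0 ] && [ "$(max_repeats "$pw")" -gt "$MAXREPEATS" ]; then
        echo "too many consecutive repeated characters (MAXREPEATS=$MAXREPEATS)"; return 1
    fi
    echo ok
}

# Constructed candidates: too short, letters only, acceptable, and a run of
# repeats that MAXREPEATS=0 (no limit) still accepts.
for candidate in abc abcdefg 'Sol4ris!' aaaaaa1; do
    printf '%-10s %s\n' "$candidate" "$(check_password "$candidate" || true)"
done
```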
Address Space Layout Randomization

root@solaris:~# sxadm exec -s aslr=disable /usr/bin/pmap self
1914:   /usr/bin/pmap self
0000000000400000         28K r-x--  /usr/bin/pmap
0000000000417000          4K rw---  /usr/bin/pmap
0000000000418000         40K rw---    [ heap ]
FFFF80FFBDDD0000        216K r-x--  /lib/amd64/libproc.so.1
FFFF80FFBDE16000          8K rw---  /lib/amd64/libproc.so.1
FFFF80FFBF430000       1764K r-x--  /lib/amd64/libc.so.1
FFFF80FFBF5F9000         64K rw---  /lib/amd64/libc.so.1
FFFF80FFBF609000         12K rw---  /lib/amd64/libc.so.1
FFFF80FFBF740000          4K rw---    [ anon ]
FFFF80FFBF750000         24K rwx--    [ anon ]
FFFF80FFBF760000          4K rw---    [ anon ]
FFFF80FFBF770000          4K rw---    [ anon ]
FFFF80FFBF780000          4K rw---    [ anon ]
FFFF80FFBF790000          4K rw---    [ anon ]
FFFF80FFBF792000          4K r--s-    [ anon ]
FFFF80FFBF795000        340K r-x--  /lib/amd64/ld.so.1
FFFF80FFBF7FA000         12K rwx--  /lib/amd64/ld.so.1
FFFF80FFBF7FD000          8K rwx--  /lib/amd64/ld.so.1
FFFF80FFBFFFD000         12K rw---    [ stack ]
        total          2556K

root@solaris:~# sxadm exec -s aslr=disable /usr/bin/pmap self
1915:   /usr/bin/pmap self
0000000000400000         28K r-x--  /usr/bin/pmap
0000000000417000          4K rw---  /usr/bin/pmap
0000000000418000         40K rw---    [ heap ]
FFFF80FFBDDD0000        216K r-x--  /lib/amd64/libproc.so.1
FFFF80FFBDE16000          8K rw---  /lib/amd64/libproc.so.1
FFFF80FFBF430000       1764K r-x--  /lib/amd64/libc.so.1
FFFF80FFBF5F9000         64K rw---  /lib/amd64/libc.so.1
FFFF80FFBF609000         12K rw---  /lib/amd64/libc.so.1
FFFF80FFBF740000          4K rw---    [ anon ]
FFFF80FFBF750000         24K rwx--    [ anon ]
FFFF80FFBF760000          4K rw---    [ anon ]
FFFF80FFBF770000          4K rw---    [ anon ]
FFFF80FFBF780000          4K rw---    [ anon ]
FFFF80FFBF790000          4K rw---    [ anon ]
FFFF80FFBF792000          4K r--s-    [ anon ]
FFFF80FFBF795000        340K r-x--  /lib/amd64/ld.so.1
FFFF80FFBF7FA000         12K rwx--  /lib/amd64/ld.so.1
FFFF80FFBF7FD000          8K rwx--  /lib/amd64/ld.so.1
FFFF80FFBFFFD000         12K rw---    [ stack ]
        total          2556K

root@solaris:~# sxadm exec -s aslr=enable /usr/bin/pmap self
1917:   /usr/bin/pmap self
0000000000400000         28K r-x--  /usr/bin/pmap
0000000000417000          4K rw---  /usr/bin/pmap
0000000000418000          8K rw---  /usr/bin/pmap
00000005D6666000         36K rw---    [ heap ]
00007FF669C70000        216K r-x--  /lib/amd64/libproc.so.1
00007FF669CB6000          8K rw---  /lib/amd64/libproc.so.1
00007FF669CC0000          4K rw---    [ anon ]
00007FF669CD0000         24K rwx--    [ anon ]
00007FF669CE0000          4K rw---    [ anon ]
00007FF669CF0000       1764K r-x--  /lib/amd64/libc.so.1
00007FF669EB9000         64K rw---  /lib/amd64/libc.so.1
00007FF669EC9000         12K rw---  /lib/amd64/libc.so.1
00007FF669ED0000          4K rw---    [ anon ]
00007FF669EE0000          4K rw---    [ anon ]
00007FF669EF0000          4K rw---    [ anon ]
00007FF669EF2000          4K r--s-    [ anon ]
00007FF669EFC000        340K r-x--  /lib/amd64/ld.so.1
00007FF669F61000         12K rwx--  /lib/amd64/ld.so.1
00007FF669F64000          8K rwx--  /lib/amd64/ld.so.1
FFFF80DDA254F000         16K rw---    [ stack ]
        total          2564K

root@solaris:~# sxadm exec -s aslr=enable /usr/bin/pmap self
1918:   /usr/bin/pmap self
0000000000400000         28K r-x--  /usr/bin/pmap
0000000000417000          4K rw---  /usr/bin/pmap
0000000000418000          8K rw---  /usr/bin/pmap
000000065B76D000         36K rw---    [ heap ]
00007FFAACFC0000        216K r-x--  /lib/amd64/libproc.so.1
00007FFAAD006000          8K rw---  /lib/amd64/libproc.so.1
00007FFAAD010000          4K rw---    [ anon ]
00007FFAAD020000         24K rwx--    [ anon ]
00007FFAAD030000          4K rw---    [ anon ]
00007FFAAD040000       1764K r-x--  /lib/amd64/libc.so.1
00007FFAAD209000         64K rw---  /lib/amd64/libc.so.1
00007FFAAD219000         12K rw---  /lib/amd64/libc.so.1
00007FFAAD220000          4K rw---    [ anon ]
00007FFAAD230000          4K rw---    [ anon ]
00007FFAAD240000          4K rw---    [ anon ]
00007FFAAD242000          4K r--s-    [ anon ]
00007FFAAD24D000        340K r-x--  /lib/amd64/ld.so.1
00007FFAAD2B2000         12K rwx--  /lib/amd64/ld.so.1
00007FFAAD2B5000          8K rwx--  /lib/amd64/ld.so.1
FFFF80DE1559E000         12K rw---    [ stack ]

root@solaris:~# sxadm info
EXTENSION           STATUS                    CONFIGURATION
aslr                enabled (tagged-files)    system default (default)

root@solaris:~# elfdump -d /usr/bin/pmap | grep ASLR
      [33]  SUNW_ASLR         0x2               ENABLE

root@solaris:~# elfedit -e 'dyn:sunw_aslr disable' /usr/bin/pmap

root@solaris:~# elfdump -d /usr/bin/pmap | grep ASLR
      [33]  SUNW_ASLR         0x1               DISABLE

root@solaris:~# sxadm enable -c model=all aslr
root@solaris:~# sxadm info
EXTENSION           STATUS                    CONFIGURATION
aslr                enabled (all)             enabled (all)

root@solaris:~# sxadm disable aslr
root@solaris:~# sxadm info
EXTENSION           STATUS                    CONFIGURATION
aslr                disabled                  disabled

root@solaris:~# sxadm enable -c model=tagged-files aslr
root@solaris:~# sxadm info
EXTENSION           STATUS                    CONFIGURATION
aslr                enabled (tagged-files)    enabled (tagged-files)
pfedit

root@template:/etc/apache2/2.2# profiles -p "httpd edit"
profiles:httpd edit> set auths=solaris.admin.edit/etc/apache2/2.2/httpd.conf
profiles:httpd edit> set desc="Edit httpd"
profiles:httpd edit> exit

root@template:/etc/apache2/2.2# usermod -P +"httpd edit" junior

junior@template:~$ profiles
httpd edit
Basic Solaris User
All

junior@template:~$ vi /etc/apache2/2.2/httpd.conf
(plain vi as junior cannot write the root-owned file; pfedit can)

junior@template:~$ pfedit /etc/apache2/2.2/httpd.conf
pfedit: /etc/apache2/2.2/httpd.conf has been updated.

junior@template:~$ pfedit /etc/apache2/2.2/mime.types
pfedit: User junior is not authorized to edit the file /etc/apache2/2.2/mime.types

root@template:/etc/apache2/2.2# profiles -p "httpd edit"
profiles:httpd edit> info
        name=httpd edit
        desc=Edit httpd
        auths=solaris.admin.edit/etc/apache2/2.2/httpd.conf
profiles:httpd edit> add auths=solaris.admin.edit/etc/apache2/2.2/mime.types

junior@template:~$ pfedit /etc/apache2/2.2/mime.types
pfedit: no changes for /etc/apache2/2.2/mime.types

root@template:~# profiles -p "httpd configure"
profiles:httpd configure> add always_audit=as
profiles:httpd configure> info
        name=httpd configure
        desc=Configure httpd
        auths=solaris.admin.edit/etc/apache2/2.2/httpd.conf,solaris.admin.edit/etc/apache2/2.2/mime.types
        always_audit=as
        never_audit=no
profiles:httpd configure> exit
root@template:~#
root@template:~# auditreduce -c as | praudit
[...]
header,486,2,edit administrative file,fe80::a00:27ff:fea6:33cb,2013-08-12 07:45:52.306 +00:00
subject,junior,junior,staff,junior,staff,4212447467166369 136704 MacBook-Pro-of-c0t0d0s0.fritz.box
path,/etc/apache2/2.2/httpd.conf
use of authorization,solaris.admin.edit/etc/apache2/2.2/httpd.conf
text,--- /etc/apache2/2.2/httpd.conf Mo Aug 12 07:45:00 2013
+++ /etc/apache2/2.2/httpd.conf.pfedit.1BaGoi Mo Aug 12 07:45:52 2013
@@ -1,5 +1,6 @@
 # Test
 # Test 2
+# Test 3
 # This is the main Apache HTTP server configuration file.  It contains the
 # configuration directives that give the server its instructions.
return,success,0
Delegating privilege to restart services (so you can keep the root password)

junior@template:~$ svcadm refresh apache22
svcadm: svc:/network/http:apache22: Permission denied.

# svcs -a | grep apache22
online         15:30:29 svc:/network/http:apache22

# auths add -t "Apache22 value" solaris.smf.value.http.apache22
# auths add -t "Apache22 action" solaris.smf.action.http.apache22

# svccfg -s apache22 setprop general/value_authorization = astring: solaris.smf.value.http.apache22
# svccfg -s apache22 setprop general/action_authorization = astring: solaris.smf.action.http.apache22

# profiles -p "httpd edit" 'add auths=solaris.smf.action.http.apache22'

junior@template:~$ svcadm refresh apache22
junior@template:~$

Only the action authorization is handed to junior's profile: it covers refresh, restart, enable and disable. The value authorization would additionally let its holder change the service's properties with svccfg, which is more than a restart needs.
Privileges

$ ls -l /usr/sbin/traceroute
-r-sr-xr-x   1 root     bin        42324 Nov 21 00:09 /usr/sbin/traceroute
$ ls -l /usr/sbin/ping
-r-sr-xr-x   1 root     bin        51396 Nov 18 19:31 /usr/sbin/ping
Set-uid root: ping needs it to work.

# chmod -s /sbin/ping
# exit
$ ping -s 192.168.1.132
ping: socket Permission denied
Remove the set-uid bit and ping stops working.

jmoekamp@daddelkiste:~$ ppriv $$
2153:   -bash
flags = <none>
        E: basic
        I: basic
        P: basic
        L: all
The complete set of Solaris privileges (ppriv -lv lists them with descriptions):
contract_event, contract_identity, contract_observer, cpc_cpu, dtrace_kernel, dtrace_proc, dtrace_user, file_chown, file_chown_self, file_dac_execute, file_dac_read, file_dac_search, file_dac_write, file_downgrade_sl, file_flag_set, file_link_any, file_owner, file_read, file_setid, file_upgrade_sl, file_write, graphics_access, graphics_map, ipc_dac_read, ipc_dac_write, ipc_owner, net_access, net_bindmlp, net_icmpaccess, net_mac_aware, net_mac_implicit, net_observability, net_privaddr, net_rawaccess, proc_audit, proc_chroot, proc_clock_highres, proc_exec, proc_fork, proc_info, proc_lock_memory, proc_owner, proc_priocntl, proc_session, proc_setid, proc_taskid, proc_zone, sys_acct, sys_admin, sys_audit, sys_config, sys_devices, sys_dl_config, sys_flow_config, sys_ib_config, sys_ib_info, sys_ip_config, sys_ipc_config, sys_iptun_config, sys_linkdir, sys_mount, sys_net_config, sys_nfs, sys_ppp_config, sys_res_bind, sys_res_config, sys_resource, sys_share, sys_smb, sys_suser_compat, sys_time, sys_trans_label, win_colormap, win_config, win_dac_read, win_dac_write, win_devices, win_dga, win_downgrade_sl, win_fontpath, win_mac_read, win_mac_write, win_selection, win_upgrade_sl

All privileges in their entirety, assigned to one user, are (almost)

Neat extension in Solaris 11: the ability to use networking is now a privilege (net_access). It is part of the default basic set of privileges, but you can remove it.
jmoekamp@daddelkiste:~$ ppriv -v $$
2153:   -bash
flags = <none>
        E: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
        I: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
        P: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
        L: contract_event,contract_identity,contract_observer,cpc_cpu,dtrace_kernel,dtrace_proc,dtrace_user,file_chown,file_chown_self,file_dac_execute,file_dac_read,file_dac_search,file_dac_write,file_downgrade_sl,file_flag_set,file_link_any,file_owner,file_read,file_setid,file_upgrade_sl,file_write,graphics_access,graphics_map,ipc_dac_read,ipc_dac_write,ipc_owner,net_access,net_bindmlp,net_icmpaccess,net_mac_aware,net_mac_implicit,net_observability,net_privaddr,net_rawaccess,proc_audit,proc_chroot,proc_clock_highres,proc_exec,proc_fork,proc_info,proc_lock_memory,proc_owner,proc_priocntl,proc_session,proc_setid,proc_taskid,proc_zone,sys_acct,sys_admin,sys_audit,sys_config,sys_devices,sys_dl_config,sys_flow_config,sys_ib_config,sys_ib_info,sys_ip_config,sys_ipc_config,sys_iptun_config,sys_linkdir,sys_mount,sys_net_config,sys_nfs,sys_ppp_config,sys_res_bind,sys_res_config,sys_resource,sys_share,sys_smb,sys_suser_compat,sys_time,sys_trans_label,win_colormap,win_config,win_dac_read,win_dac_write,win_devices,win_dga,win_downgrade_sl,win_fontpath,win_mac_read,win_mac_write,win_selection,win_upgrade_sl

root@daddelkiste:~# ppriv $$
2183:   -bash
flags = <none>
        E: all
        I: basic
        P: all
        L: all

junior@daddelkiste:~$ dtrace -n 'syscall:::entry { @num[execname] = count(); }'
dtrace: failed to initialize dtrace: DTrace requires additional privileges

root@daddelkiste:~# usermod -K defaultpriv=basic,dtrace_kernel,dtrace_proc,dtrace_user junior
UX: usermod: junior is currently logged in, some changes may not take effect until next login.

junior@daddelkiste:~$ dtrace -n 'syscall:::entry { @num[execname] = count(); }'
dtrace: description 'syscall:::entry' matched 211 probes
^C
  automountd                                                        1
  sshd                                                             24
  dtrace                                                          544
  auditd                                                          564

Caveat: dtrace_kernel lets junior trace the kernel and read kernel memory, which is as good as root. For tracing his own processes dtrace_proc and dtrace_user are enough.

# ps -ef | grep kcfd
  daemon   125     1   0 14:24:19 ?           0:00 /usr/lib/crypto/kcfd
    root   734   728   0 15:54:08 pts/1       0:00 grep kcfd
# ppriv -v 125
125:    /usr/lib/crypto/kcfd
flags = PRIV_AWARE
        E: file_owner,proc_priocntl,sys_devices
        I: none
        P: file_owner,proc_priocntl,sys_devices
        L: none

kcfd is privilege-aware and runs with an empty limit set: a child it exec'd could never regain anything, not even these three privileges.

# svcadm -v enable -s apache2
svc:/network/http:apache2 enabled.

jmoekamp@client:~$ ps -ef | grep http
webservd  1978  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1979  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1980  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1984  1975   0 12:20:02 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
    root  1975     1   0 12:19:14 ?           0:01 /usr/apache2/2.2/bin/httpd -k start
webservd  1977  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1976  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start

root@client:~# ppriv 1977
1977:   /usr/apache2/2.2/bin/httpd -k start
flags = <none>
        E: basic
        I: basic
        P: basic
        L: all
root@client:~# ppriv 1975
1975:   /usr/apache2/2.2/bin/httpd -k start
flags = <none>
        E: all
        I: basic
        P: all
        L: all
root@client:~#
The apache parent process running as root (pid 1975) has every privilege in the list above (E: all, P: all).

The other processes, the webservd workers, have the basic set.

Apache really needs: the basic set minus proc_session, proc_info and file_link_any, plus net_privaddr to bind to port 80.

So you grant a large number of privileges to one process that Apache doesn't need.
# svcadm -v disable -s apache2
svc:/network/http:apache2 disabled.

root@client:~# svccfg -s apache22
svc:/network/http:apache22> setprop start/user = astring: webservd
svc:/network/http:apache22> setprop start/group = astring: webservd
svc:/network/http:apache22> setprop start/privileges = astring: basic,!proc_session,!proc_info,!file_link_any,net_privaddr
svc:/network/http:apache22> setprop start/limit_privileges = astring: :default
svc:/network/http:apache22> setprop start/use_profile = boolean: false
svc:/network/http:apache22> setprop start/supp_groups = astring: :default
svc:/network/http:apache22> setprop start/working_directory = astring: :default
svc:/network/http:apache22> setprop start/project = astring: :default
svc:/network/http:apache22> setprop start/resource_pool = astring: :default
svc:/network/http:apache22> end
root@client:~# svcadm -v refresh apache22
Action refresh set for svc:/network/http:apache22.

# echo "LockFile /var/apache2/2.2/logs/accept.lock" >> /etc/apache2/2.2/httpd.conf
# echo "PidFile /var/apache2/2.2/run/httpd.pid" >> /etc/apache2/2.2/httpd.conf
# mkdir -p -m 755 /var/apache2/2.2/run
# chown webservd:webservd /var/apache2/2.2/run
# svcadm enable apache22

The parent now runs as webservd too, so the lock and pid files must live where webservd can write.

webservd  3064  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3062  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3063  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3066  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3061     1   0 16:49:17 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3065  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
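After reading ppriv output for a shell, kcfd and the two kinds of httpd process, the question a practitioner has is "which of my processes hold more than basic?". The script below is an added example of mine, not code from the slides: it parses ppriv -v output (fed on stdin) against the basic set the slides showed for Solaris 11.1 (where sys_ib_info belongs to basic; adjust BASIC_PRIVS for your release) and prints every effective privilege beyond it. The two sample outputs are constructed to look like the kcfd process above and an httpd started with the reduced SMF privilege set; check_pid assumes a Solaris host with ppriv on the path.

```shell
#!/bin/sh
# Added example: report effective privileges beyond the Solaris basic set.
# BASIC_PRIVS is the basic set as printed by `ppriv -v $$` in the slides
# (Solaris 11.1); on other releases take it from `ppriv -lv basic`.
BASIC_PRIVS="file_link_any file_read file_write net_access proc_exec proc_fork proc_info proc_session sys_ib_info"

# Read `ppriv [-v] <pid>` output on stdin and print, one per line, the
# effective (E:) privileges that are not in the basic set. The short forms
# printed without -v are handled: "all" is reported as "all", "basic" and
# "none" produce no output.
privs_beyond_basic() {
    awk -v basic="$BASIC_PRIVS" '
        BEGIN { n = split(basic, b, " "); for (i = 1; i <= n; i++) isbasic[b[i]] = 1 }
        /^[ \t]*E:/ {
            sub(/^[ \t]*E:[ \t]*/, "")
            if ($0 == "all") { print "all"; next }
            if ($0 == "none" || $0 == "basic") next
            n = split($0, p, ",")
            for (i = 1; i <= n; i++)
                if (p[i] != "" && !(p[i] in isbasic)) print p[i]
        }'
}

# Live check for one process (Solaris only, needs ppriv(1)). Returns 0 when
# the process holds nothing beyond basic, 1 otherwise, and names the extras.
check_pid() {
    extra=$(ppriv -v "$1" | privs_beyond_basic) || return 1
    [ -z "$extra" ] && return 0
    printf 'pid %s holds beyond basic: %s\n' "$1" "$(printf '%s' "$extra" | tr '\n' ' ')"
    return 1
}

# Constructed sample: shaped like `ppriv -v 125` for kcfd in the slides.
KCFD_SAMPLE='125:    /usr/lib/crypto/kcfd
flags = PRIV_AWARE
        E: file_owner,proc_priocntl,sys_devices
        I: none
        P: file_owner,proc_priocntl,sys_devices
        L: none'

# Constructed sample: an httpd started with the reduced SMF privilege set
# basic,!proc_session,!proc_info,!file_link_any,net_privaddr (L: trimmed).
HTTPD_SAMPLE='3061:   /usr/apache2/2.2/bin/httpd -k start
flags = <none>
        E: file_read,file_write,net_access,net_privaddr,proc_exec,proc_fork,sys_ib_info
        I: file_read,file_write,net_access,net_privaddr,proc_exec,proc_fork,sys_ib_info
        P: file_read,file_write,net_access,net_privaddr,proc_exec,proc_fork,sys_ib_info
        L: ...'

# Stand-alone demonstration over the constructed samples.
printf 'kcfd beyond basic:\n';  printf '%s\n' "$KCFD_SAMPLE"  | privs_beyond_basic
printf 'httpd beyond basic:\n'; printf '%s\n' "$HTTPD_SAMPLE" | privs_beyond_basic
```

On a Solaris box, `for p in $(pgrep httpd); do check_pid "$p"; done` runs the same check against the live processes; the root-owned parent from the unmodified service reports "all", the reduced one reports only net_privaddr.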
Read-only zone root

zonecfg:testzone> set file-mac-profile=none
    Standard read-write non-global zone, with no additional protection beyond the existing zones boundaries.
zonecfg:testzone> set file-mac-profile=strict
    Read-only file system, no exceptions.
zonecfg:testzone> set file-mac-profile=fixed-configuration
    Permits updates to /var/* directories, with the exception of directories that contain system configuration components.
zonecfg:testzone> set file-mac-profile=flexible-configuration
    Permits modification of files in /etc/* directories, changes to root's home directory, and updates to /var/* directories. This configuration provides the closest functionality to the Oracle Solaris 10 native sparse root zone.
In-kernel SSL proxy

# mkdir /etc/keys
# cd /etc/keys
# openssl req -x509 -nodes -days 365 -subj "/C=DE/ST=Hamburg/L=Hamburg/CN=server" -newkey rsa:1024 -keyout /etc/keys/mykey.pem -out /etc/keys/mycert.pem
# cat mycert.pem mykey.pem > my.pem
# chmod 600 my.pem

# echo "pass" > /etc/keys/mypass
# ksslcfg create -f pem -i /etc/keys/my.pem -x 8080 -p /etc/keys/mypass server 443

# ksslcfg create -f pem -i /etc/keys/my.pem -x 8080 -p /etc/keys/mypass -c "rsa_aes_256_cbc_sha,rsa_aes_128_cbc_sha,rsa_rc4_128_sha,rsa_rc4_128_md5" server 443

# svcs -a | grep kssl
online          9:03:33 svc:/network/ssl/proxy:kssl-server-443

# svcadm disable apache22
# echo "Listen 192.168.178.108:8080" >> /etc/apache2/2.2/httpd.conf
# svcadm enable apache22
Port number and IP address have to be defined in httpd.conf, otherwise it will not work.

# openssl s_client -connect server:443
CONNECTED(00000004)
depth=0 /C=DE/ST=Hamburg/L=Hamburg/CN=server
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=DE/ST=Hamburg/L=Hamburg/CN=server
verify return:1
---
Certificate chain
 0 s:/C=DE/ST=Hamburg/L=Hamburg/CN=server
   i:/C=DE/ST=Hamburg/L=Hamburg/CN=server
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICoTCCAgqgAwIBAgIJAKyJdj[...]V5jX3MU=
-----END CERTIFICATE-----
subject=/C=DE/ST=Hamburg/L=Hamburg/CN=server
issuer=/C=DE/ST=Hamburg/L=Hamburg/CN=server
---
No client certificate CA names sent
---
SSL handshake has read 817 bytes and written 328 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-SHA
    Session-ID: 32CEF20CB9FE2A71C74D40BB2DB5CB304DA1B57540B7CFDD113915B99DBE9812
    Session-ID-ctx:
    Master-Key: 1E7B502390951124779C5763B5E4BBAF0A9B0693D08DCA8A587B503A5C5027B6FAD9CA7626B1AD8C62219E8502A5C21E
    Key-Arg   : None
    Start Time: 1242985143
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
GET / HTTP/1.0

HTTP/1.1 200 OK
Date: Fri, 22 May 2009 09:39:13 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8a DAV/2
Last-Modified: Thu, 21 May 2009 21:26:30 GMT
ETag: "341f3-2c-46a72cc211a8f"
Accept-Ranges: bytes
Content-Length: 44
Connection: close
Content-Type: text/html

<html><body><h1>It works!</h1></body></html>
read:errno=0

Note what was negotiated: RC4-SHA with a 1024-bit RSA key and a self-signed certificate. That passed for a 2009 demo; today RC4 is prohibited in TLS (RFC 7465) and 1024-bit RSA is below current minimums, so restrict the -c list to the AES suites, generate a 2048-bit or larger key and use a certificate your clients can actually verify.
ZFS Encryption

# zfs create -o encryption=on rpool/export/project

Two keys are involved:
- the wrapping key (user settable)
- the data encryption key (random, not user settable)
The wrapping key can come from: prompt, file://, https://, pkcs11:

Available ciphers: aes-128-ccm (=on), aes-192-ccm, aes-256-ccm, aes-128-gcm, aes-192-gcm, aes-256-gcm

# zfs set checksum=sha256+mac <dataset>
With encryption=on this happens automatically, and the checksum property is read-only from then on.

# pktool genkey keystore=pkcs11 keytype=aes keylen=128 label=mykey
Enter PIN for Sun Software PKCS#11 softtoken:
# zfs create -o encryption=on -o keysource=raw,pkcs11:object=mykey tank/project/C
Enter PKCS#11 token PIN for 'tank/project/C':

# zfs create -o encryption=on -o keysource=raw,https://keys.example.com/mykey tank/project/R
# cp myserver.cert.pem /etc/certs/CA/
# svcadm refresh ca-certificates
The key server's certificate must be trusted by the ca-certificates service, otherwise the https key fetch fails.

$ zfs key -c rpool/export/project
Enter new passphrase for 'rpool/export/project':
Changing the wrapping key

# zfs key -K tank/project/A
Changing the data encryption key for data written from now on.
# zfs clone -K tank/project/A@montag tank/project/D
Creates a new data encryption key. Data written in the clone uses the new data encryption key, which is distinct from its original snapshot.
Solaris Cryptographic Framework

As soon as Solaris detects hardware acceleration for cryptography, Solaris will use it (and so will applications using the Oracle-supplied OpenSSL library or the framework's direct interfaces):
• on-chip crypto accelerator in T-series and current M-series chips
• instruction set extensions in Intel processors (AES-NI)
• supported crypto accelerator cards

Just a side note: T-series crypto acceleration and Intel x86 acceleration have quite different performance characteristics.
T-series: acceleration by offloading crypto outside the pipeline.
Intel x86: acceleration by offering special in-pipeline instructions that speed up execution.
Sounds like splitting hairs
Using ZFS to do two-factor encryption

jmoekamp@solaris:~$ rmformat
Looking for devices...
     1. Logical Node: /dev/rdsk/c10t0d0p0
        Physical Node: /pci@0,0/pci8086,265c@b/storage@2/disk@0,0
        Connected Device: SanDisk  U3 Cruzer Micro  8.02
        Device Type: Removable
        Bus: USB
        Size: 3.8 GB
        Label:
        Access permissions: Medium is not write protected.
(...)
     3. Logical Node: /dev/rdsk/c9t0d0p0
        Physical Node: /pci@0,0/pci8086,265c@b/storage@1/disk@0,0
        Connected Device: SanDisk  U3 Cruzer Micro  8.02
        Device Type: Removable
        Bus: USB
        Size: 3.8 GB
        Label:
        Access permissions: Medium is not write protected.

root@solaris:~# zpool create a_keystore_usbstick /dev/dsk/c10t0d0p0
root@solaris:~# zpool create datastick /dev/dsk/c9t0d0p0

root@solaris:~# zfs create -o encryption=on a_keystore_usbstick/keys
Enter passphrase for 'a_keystore_usbstick/keys': supersecret
Enter again: supersecret

root@solaris:~# pktool genkey keystore=file keytype=aes keylen=128 outkey=/a_keystore_usbstick/keys/joergsdatastick.key

root@solaris:~# zfs create -o encryption=on -o keysource=raw,file:///a_keystore_usbstick/keys/joergsdatastick.key datastick/joergssecrets

root@solaris:/datastick/joergssecrets# mv /home/jmoekamp/highlyconfidential_nda_preso.tgz .

root@solaris:~# zpool export a_keystore_usbstick
root@solaris:~# zpool export datastick

root@solaris:~# zpool import a_keystore_usbstick
Enter passphrase for 'a_keystore_usbstick/keys': supersecret
root@solaris:~#

root@solaris:~# zpool import datastick
root@solaris:~# cd /datastick/joergssecrets
root@solaris:/datastick/joergssecrets# ls
highlyconfidential_nda_preso.tgz

The wrapping key of the data stick is a file on the keystore stick, and the keystore stick is itself protected by a passphrase: reading the data needs the second stick (something you have) and the passphrase (something you know). Without the unlocked keystore the key file is unreachable and the encrypted file system cannot be mounted.
Basic Auditing and Reporting Tool

# mkdir /bart-files
# bart create -R /etc > /bart-files/etc.control.manifest

# cat /bart-files/etc.control.manifest | grep nsswitch.nisplus
/nsswitch.nisplus F 2525 100644 user::rw-,group::r--,mask:r--,other:r-- 473976b5 0 3 79e8fd689a5221d1cd059e5077da71b8

# touch /etc/thisisjustatest
# chmod 777 /etc/nsswitch.files
# echo "just a test" >> /etc/nsswitch.nisplus

# bart create -R /etc > /bart-files/etc.check.20130911.manifest

# cd /bart-files
# bart compare etc.control.manifest etc.check.20130911.manifest
/nsswitch.files:
  mode  control:100644  test:100777
  acl  control:user::rw-,group::r--,mask:r--,other:r--  test:user::rwx,group::rwx,mask:rwx,other:rwx
/nsswitch.nisplus:
  size  control:2525  test:2538
  mtime  control:473976b5  test:47a44862
  contents  control:79e8fd689a5221d1cd059e5077da71b8  test:3f79176ec352441db11ec8a3d02ef67c
/thisisjustatest:
  add

Find more information regarding this feature at http://www.c0t0d0s0.org/archives/4069-Less-known-Solaris-features-BART.html
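To show what bart compare is actually doing with the two manifests, here is an added example of mine (not from the slides or from BART itself): a small awk comparison of two manifests in the line format shown above (path, type, size, mode, acl, mtime, uid, gid, contents). It reports added and deleted entries and every attribute that differs, one line per change, sorted so the output is stable. The two manifests in bart_demo are constructed to mirror the three changes made on the slides, plus a deleted file that the slides did not cover; they are not real BART output.

```shell
#!/bin/sh
# Added example: compare two BART-style manifests (control, test).
# Manifest line format assumed (as in the slides):
#   /path F size mode acl mtime uid gid contents     (regular file)
#   /path D size mode acl mtime uid gid              (directory)
# Header lines start with "!" and comments with "#"; both are skipped.
bart_compare_lite() {
    awk '
        BEGIN { split("type size mode acl mtime uid gid contents", attr, " ") }
        /^[!#]/ { next }
        NR == FNR { ctl[$1] = $0; next }          # first file: control manifest
        {
            seen[$1] = 1
            if (!($1 in ctl)) { print $1 " add"; next }
            nc = split(ctl[$1], c, " ")
            nt = split($0, t, " ")
            n = (nc < nt) ? nc : nt
            for (i = 2; i <= n; i++)
                if (c[i] != t[i])
                    print $1 " " attr[i-1] " control:" c[i] " test:" t[i]
        }
        END { for (f in ctl) if (!(f in seen)) print f " delete" }
    ' "$1" "$2" | LC_ALL=C sort
}

# Constructed demonstration: a control manifest, a test manifest with the
# slides three changes (chmod 777, appended line, new file) and one file
# that disappeared between the two runs.
bart_demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/control" <<'EOF'
! Version 1.1
# constructed sample, not real bart output
/nsswitch.files F 2525 100644 user::rw-,group::r--,mask:r--,other:r-- 473976b5 0 3 79e8fd689a5221d1cd059e5077da71b8
/nsswitch.nisplus F 2525 100644 user::rw-,group::r--,mask:r--,other:r-- 473976b5 0 3 79e8fd689a5221d1cd059e5077da71b8
/obsolete.conf F 10 100644 user::rw-,group::r--,mask:r--,other:r-- 473976b5 0 3 d41d8cd98f00b204e9800998ecf8427e
EOF
    cat > "$dir/test" <<'EOF'
! Version 1.1
# constructed sample, not real bart output
/nsswitch.files F 2525 100777 user::rwx,group::rwx,mask:rwx,other:rwx 473976b5 0 3 79e8fd689a5221d1cd059e5077da71b8
/nsswitch.nisplus F 2538 100644 user::rw-,group::r--,mask:r--,other:r-- 47a44862 0 3 3f79176ec352441db11ec8a3d02ef67c
/thisisjustatest F 0 100644 user::rw-,group::r--,mask:r--,other:r-- 47a44870 0 0 d41d8cd98f00b204e9800998ecf8427e
EOF
    bart_compare_lite "$dir/control" "$dir/test"
    rm -rf "$dir"
}

bart_demo
```

Usage against real manifests: `bart_compare_lite etc.control.manifest etc.check.20130911.manifest`. Because the mtime column is part of the comparison, a file that was rewritten with identical contents still shows up; compare the contents line to tell a touch from a tamper.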
Apropos Auditing

Auditing is activated by default.

root@client:~# auditconfig -getflags
active user default audit flags = lo(0x1000,0x1000)
configured user default audit flags = lo(0x1000,0x1000)
root@client:~# auditconfig -getnaflags
active non-attributable audit flags = lo(0x1000,0x1000)
configured non-attributable audit flags = lo(0x1000,0x1000)

root@client:~# auditconfig -getpolicy
configured audit policies = cnt
active audit policies = cnt
Policy regarding auditing (explanation on the next slide)

root@client:~# auditconfig -lspolicy
policy string     description:
ahlt              halt machine if it can not record an async event
all               all policies
arge              include exec environment args in audit recs
argv              include exec command line args in audit recs
cnt               when no more space, drop recs and keep a cnt
group             include supplementary groups in audit recs
none              no policies
path              allow multiple paths per event
perzone           use a separate queue and auditd per zone
public            audit public files
seq               include a sequence number in audit recs
trail             include trailer token in audit recs
windata_down      include downgraded window information in audit recs
windata_up        include upgraded window information in audit recs
zonename          include zonename token in audit recs
Which degree of detail? What happens with full disks?

root@client:~# auditconfig -getplugin
Plugin: audit_binfile (active)
        Attributes: p_dir=/var/audit;p_fsize=0;p_minfree=1;
Plugin: audit_syslog (inactive)
        Attributes: p_flags=;
Plugin: audit_remote (inactive)
        Attributes: p_hosts=;p_retries=3;p_timeout=5;

root@client:~# auditconfig -setflags lo,ps,fw
user default audit flags = ps,lo,fw(0x101002,0x101002)
root@client:~# auditconfig -setnaflags lo,na
non-attributable audit flags = lo,na(0x1400,0x1400)
lo and na are the only sensible flags for non-attributable events.

root@client:~# usermod -K audit_flags=fw,as:no junior

root@client:~# auditconfig -lsevent | grep lo
AUE_login                 6152 lo  login - local
AUE_logout                6153 lo  logout
AUE_telnet                6154 lo  login - telnet
AUE_rlogin                6155 lo  login - rlogin
AUE_rshd                  6158 lo  rsh access
AUE_su                    6159 lo  su
AUE_rexecd                6162 lo  rexecd
AUE_passwd                6163 lo  passwd
AUE_rexd                  6164 lo  rexd
AUE_ftpd                  6165 lo  ftp access
AUE_ftpd_logout           6171 lo  ftp logout
AUE_ssh                   6172 lo  login - ssh
AUE_role_login            6173 lo  role login
AUE_rad_login             6174 lo  connect to RAD
AUE_newgrp_login          6212 lo  newgrp login
AUE_admin_authenticate    6213 lo  admin login
AUE_screenlock            6221 lo  screenlock - lock
AUE_screenunlock          6222 lo  screenlock - unlock
AUE_zlogin                6227 lo  login - zlogin
AUE_su_logout             6228 lo  su logout
AUE_role_logout           6229 lo  role logout
AUE_smbd_session          6244 lo  smbd(1m) session setup
AUE_smbd_logoff           6245 lo  smbd(1m) session logoff

root@client:~# auditconfig -lsevent | grep ps
AUE_EXIT                     1 ps  exit(2)
AUE_FORKALL                  2 ps  forkall(2)
AUE_VFORK                   25 ps  vfork(2)
AUE_FORK1                  241 ps  fork1(2)
root@client:~# auditconfig -lsevent | grep fw
AUE_OPEN_W                  76 fw  open(2) - write

# auditreduce -c ps /var/audit/20130912183630.not_terminated.client | praudit
header,139,2,execve(2),,client,2013-09-12 18:40:55.924 +00:00
path,/usr/sbin/auditreduce
attribute,100555,root,bin,65538,65875,18446744073709551615
subject,jmoekamp,root,root,root,root,205414400809562480 202240 192.168.10.1
return,success,0

root@client:~# auditconfig -setflags all
user default audit flags = all(0xffffffffffffffff,0xffffffffffffffff)
Not always (in the sense of: never) a good idea.
Useful after trying things out, starting a new audit file:
root@client:~# audit -n

root@client:~# auditstat
   gen nona  kern  aud  ctl   enq  wrtn wblk rblk drop  tot mem
 38248    1 38233   14    0 37791 37788    0 3491  457 5169   0
"all" activated for a few seconds on an unloaded system. The drop column is the one to watch: with the cnt policy the kernel silently discards records it cannot queue, so 457 events were never written.
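Both praudit listings in this deck (the pfedit record with its "use of authorization" token, and the execve record above) are the raw material a reviewer has to work with. The script below is an added example of mine, not from the slides: it parses praudit's default one-token-per-line text output on stdin and prints one line per record in which an authorization was used, keyed on the audit user ID rather than the uid (the audit ID survives su, as the jmoekamp/root record shows). The sample records are constructed to match the shape of the slides' output, not captured from a system; the failure record and its return format are assumed.

```shell
#!/bin/sh
# Added example: extract "who used which authorization on which file" from
# praudit(1M) text output. Tokens handled: header, subject, path,
# use of authorization, return. Output is tab separated:
#   audit-user  timestamp  event  authorization  path  status  return-value
audit_auth_uses() {
    awk -F, '
        /^header,/ { user = ""; auth = ""; path = ""; event = $4; when = $NF }
        /^subject,/ { user = $2 }                  # field 2 = audit ID, not uid
        /^path,/ { path = $2 }
        /^use of authorization,/ { auth = $2 }
        /^return,/ {
            if (auth != "")
                printf "%s\t%s\t%s\t%s\t%s\t%s\t%s\n", user, when, event, auth, path, $2, $3
        }
    '
}

# Same report restricted to one audit user; exit status 1 when that user
# used no authorization at all (handy in a cron check).
audit_auth_uses_by() {
    audit_auth_uses | awk -F'\t' -v u="$1" '$1 == u { print; n++ } END { exit (n > 0) ? 0 : 1 }'
}

# Constructed sample: a successful pfedit of httpd.conf by junior, an execve
# by jmoekamp (who has su'ed to root, hence audit ID jmoekamp but uid root)
# and an assumed failed authorization use on mime.types.
SAMPLE_AUDIT='header,486,2,edit administrative file,fe80::a00:27ff:fea6:33cb,2013-08-12 07:45:52.306 +00:00
subject,junior,junior,staff,junior,staff,4212,4474671,66369 136704 MacBook-Pro-of-c0t0d0s0.fritz.box
path,/etc/apache2/2.2/httpd.conf
use of authorization,solaris.admin.edit/etc/apache2/2.2/httpd.conf
text,--- /etc/apache2/2.2/httpd.conf Mo Aug 12 07:45:00 2013
+++ /etc/apache2/2.2/httpd.conf.pfedit.1BaGoi Mo Aug 12 07:45:52 2013
@@ -1,5 +1,6 @@
 # Test
+# Test 3
return,success,0
header,139,2,execve(2),,client,2013-09-12 18:40:55.924 +00:00
path,/usr/sbin/auditreduce
attribute,100555,root,bin,65538,65875,18446744073709551615
subject,jmoekamp,root,root,root,root,2054,1440080956,2480 202240 192.168.10.1
return,success,0
header,486,2,edit administrative file,fe80::a00:27ff:fea6:33cb,2013-08-12 07:51:10.002 +00:00
subject,junior,junior,staff,junior,staff,4213,4474671,66369 136704 MacBook-Pro-of-c0t0d0s0.fritz.box
path,/etc/apache2/2.2/mime.types
use of authorization,solaris.admin.edit/etc/apache2/2.2/mime.types
return,failure: Permission denied,-1'

# Stand-alone demonstration over the constructed sample.
printf '%s\n' "$SAMPLE_AUDIT" | audit_auth_uses
```

On a live system the same functions read the trail directly: `auditreduce -c as | praudit | audit_auth_uses_by junior`. Matching on field 2 of the subject token is deliberate; the uid fields change with su, the audit ID does not.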
SSH and X.509

root@ca:~# CA.pl -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
....++++++
....++++++
writing new private key to '/etc/openssl/private/cakey.pem'
Enter PEM pass phrase: supersecret1
Verifying - Enter PEM pass phrase: supersecret1
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:DE
State or Province Name (full name) []:Lower Saxony
Locality Name (eg, city) []:Lueneburg
Organization Name (eg, company) []:c0t0d0s0.org
Organizational Unit Name (eg, section) []:Security Department
Common Name (e.g. server FQDN or YOUR name) []:CA
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openssl/openssl.cnf
Enter pass phrase for /etc/openssl/private/cakey.pem: supersecret1
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            b3:54:80:88:66:ad:e8:78
        Validity
            Not Before: Sep 26 10:11:09 2013 GMT
            Not After : Sep 25 10:11:09 2016 GMT
        Subject:
            countryName               = DE
            stateOrProvinceName       = Lower Saxony
            organizationName          = c0t0d0s0.org
            organizationalUnitName    = Security Department
            commonName                = CA
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44
            X509v3 Authority Key Identifier:
                keyid:5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44

            X509v3 Basic Constraints:
                CA:TRUE
Certificate is to be certified until Sep 25 10:11:09 2016 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated
root@ca:~# mkdir server
root@ca:~# cd server
root@ca:~/server# CA.pl -newreq
Generating a 1024 bit RSA private key
....++++++
....++++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase: supersecret2
Verifying - Enter PEM pass phrase: supersecret2
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:DE
State or Province Name (full name) []:Lower Saxony
Locality Name (eg, city) []:Lueneburg
Organization Name (eg, company) []:c0t0d0s0.org
Organizational Unit Name (eg, section) []:Server Certificates
Common Name (e.g. server FQDN or YOUR name) []:server
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem

root@ca:~/server# CA.pl -signreq
Using configuration from /etc/openssl/openssl.cnf
Enter pass phrase for /etc/openssl/private/cakey.pem: supersecret1
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            b3:54:80:88:66:ad:e8:79
        Validity
            Not Before: Sep 26 10:29:12 2013 GMT
            Not After : Sep 26 10:29:12 2014 GMT
        Subject:
            countryName               = DE
            stateOrProvinceName       = Lower Saxony
            localityName              = Lueneburg
            organizationName          = c0t0d0s0.org
            organizationalUnitName    = Server Certificates
            commonName                = server
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                A7:DC:03:DE:B3:D5:FB:F9:C0:06:F1:1A:55:A9:AD:04:C4:9C:10:FA
            X509v3 Authority Key Identifier:
                keyid:5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44

Certificate is to be certified until Sep 26 10:29:12 2014 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
root@ca:~/server# ls -l
total 15
-rw-r--r--   1 root     root        3196 Sep 26 12:29 newcert.pem
-rw-r--r--   1 root     root        1041 Sep 26 12:28 newkey.pem
-rw-r--r--   1 root     root         680 Sep 26 12:28 newreq.pem

Note that CA.pl leaves newkey.pem world-readable; it is pass-phrase protected, but tighten it to 0600 anyway before it is copied around.
root@ca:~/junior# CA.pl -newreq
Generating a 1024 bit RSA private key
....++++++
....++++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
Verify failure
Enter PEM pass phrase: supersecret3
Verifying - Enter PEM pass phrase: supersecret3
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:DE
State or Province Name (full name) []:Lower Saxony
Locality Name (eg, city) []:Lueneburg
Organization Name (eg, company) []:c0t0d0s0.org
Organizational Unit Name (eg, section) []:User certificates
Common Name (e.g. server FQDN or YOUR name) []:junior
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem

root@ca:~/junior# CA.pl -signreq
Using configuration from /etc/openssl/openssl.cnf
Enter pass phrase for /etc/openssl/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            b3:54:80:88:66:ad:e8:7a
        Validity
            Not Before: Sep 26 11:09:29 2013 GMT
            Not After : Sep 26 11:09:29 2014 GMT
        Subject:
            countryName               = DE
            stateOrProvinceName       = Lower Saxony
            localityName              = Lueneburg
            organizationName          = c0t0d0s0.org
            organizationalUnitName    = User certificates
            commonName                = junior
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                A1:F2:FC:9D:8A:E2:AD:9A:F5:29:03:F5:B7:14:93:3C:64:62:8E:9C
            X509v3 Authority Key Identifier:
                keyid:5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44

Certificate is to be certified until Sep 26 11:09:29 2014 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
root@server:~# useradd -m junior
80 blocks
root@server:~# passwd junior
New Password:
Re-enter new Password:
passwd: password successfully changed for junior
root@server:~#

root@client:~# useradd -m junior
80 blocks
root@client:~# passwd junior
New Password:
Re-enter new Password:
passwd: password successfully changed for junior
root@server:~# echo "192.168.10.51 server" >> /etc/hosts
root@server:~# echo "192.168.10.52 client" >> /etc/hosts

root@client:~# echo "192.168.10.51 server" >> /etc/hosts
root@client:~# echo "192.168.10.52 client" >> /etc/hosts
root@ca:~/server# scp /etc/openssl/cacert.pem jmoekamp@192.168.1.109:/export/home/jmoekamp
Password:
cacert.pem           100% |*****************************|  3011       00:00
root@ca:~/server# scp newcert.pem jmoekamp@192.168.1.109:/export/home/jmoekamp
Password:
newcert.pem          100% |*****************************|  3196       00:00
root@ca:~/server# scp newkey.pem jmoekamp@192.168.1.109:/export/home/jmoekamp
Password:
newkey.pem           100% |*****************************|  1041       00:00

root@ca:~/junior# scp newkey.pem junior@client:/export/home/junior
Password:
newkey.pem           100% |*****************************|  1041       00:00
root@ca:~/junior# scp newcert.pem junior@client:/export/home/junior
Password:
newcert.pem          100% |*****************************|  3190       00:00
root@ca:~/junior# scp /etc/openssl/cacert.pem junior@192.168.1.104:/export/home/junior
Password:
cacert.pem           100% |*****************************|  3011       00:00
On the Server

root@server:~# ls
cacert.pem   newcert.pem  newkey.pem
root@server:~# pktool setpin
Enter token passphrase: changeme
Create new passphrase: superserversecret
Re-enter new passphrase: superserversecret
Passphrase changed.
root@server:~#

root@server:~# printf "superserversecret" > /etc/ssh/pinfile

The pinfile holds the token PIN in cleartext, so it must be readable by root only (sshd reads it at startup); keep it out of world-readable directories and backups.
root@server:~# kmfcfg create dbfile=/etc/ssh/policy.xml policy=ssh ta-name=search mapper-name=cn
root@server:~# echo "TrustedAnchorKeystore /etc/ssh/cert" >> /etc/ssh/sshd_config
root@server:~# echo "KMFPolicyDatabase /etc/ssh/policy.xml" >> /etc/ssh/sshd_config
root@server:~# echo "KMFPolicyName ssh" >> /etc/ssh/sshd_config
root@server:~# echo "HostKey pkcs11:object=host;token=Sun Metaslot;pinfile=/etc/ssh/pinfile" >> /etc/ssh/sshd_config
root@server:~# pktool import keystore=pkcs11 infile=newkey.pem objtype=key label=host
Enter PIN for Sun Software PKCS#11 softtoken: superserversecret
Enter PEM pass phrase: supersecret2
Importing 1 keys
root@server:~# egrep -v '^ |^$|^Cert' /export/home/jmoekamp/cacert.pem > /etc/ssh/cert/cacert.cooked.pem
root@server:~# egrep -v '^ |^$|^Cert' newcert.pem > newcert.cooked.pem
root@server:~# pktool import keystore=pkcs11 infile=newcert.cooked.pem objtype=cert label=host
root@server:~#
On the client

junior@client:~$ ls *.pem
cacert.pem   newcert.pem  newkey.pem
root@client:~# kmfcfg create dbfile=/etc/ssh/policy.xml policy=ssh ta-name=search mapper-name=cn
root@client:~# egrep -v '^ |^$|^Cert' /export/home/junior/cacert.pem > /etc/ssh/cert/cacert.cooked.pem
junior@client:~$ pktool setpin
Enter token passphrase: changeme
Create new passphrase: superusersecret
Re-enter new passphrase: superusersecret
Passphrase changed.
junior@client:~$ pktool import keystore=pkcs11 infile=newkey.pem objtype=key label=user
Enter PIN for Sun Software PKCS#11 softtoken: superusersecret
Enter PEM pass phrase: supersecret3
Importing 1 keys
junior@client:~$ egrep -v '^ |^$|^Cert' newcert.pem > newcert.cooked.pem
junior@client:~$ pktool import keystore=pkcs11 infile=newcert.cooked.pem objtype=cert label=user
Testing it

root@server:~# svcadm disable ssh
root@server:~# svcadm enable ssh
junior@client:~$ cd .ssh
junior@client:~/.ssh$ printf "superusersecret" >> pinfile
junior@client:~/.ssh$ cat config
Host server-x509
    Hostname server
    TrustedAnchorKeystore /etc/ssh/cert
    KMFPolicyDatabase /etc/ssh/policy.xml
    KMFPolicyName ssh
    IdentityFile pkcs11:object=user;token=Sun Software PKCS#11 softtoken;pinfile=/export/home/junior/.ssh/pinfile
junior@client:~/.ssh$ ssh junior@server-x509
Last login: Thu Sep 26 20:07:14 2013 from client
Oracle Corporation      SunOS 5.11      11.1    September 2013
junior@server:~$
Find more information regarding this feature at
http://www.c0t0d0s0.org/archives/7659-Using-X.509-support-for-SSH-on-Solaris-11.1.html
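The "cooking" step above strips the textual dump CA.pl writes in front of the PEM block with egrep -v '^ |^$|^Cert'. That works for the demo, but the same pattern would also delete a base64 line that happens to begin with "Cert", and it does no check on what is left. The following is an added example (not from the slides or from Oracle) that cuts the file at its BEGIN/END armour instead and verifies that the decoded DER is one complete SEQUENCE before it is handed to pktool. The sample input is constructed; its base64 body is a tiny DER stand-in, not a real certificate.

```python
"""Robust "cooking" of a CA.pl-generated certificate file for pktool import.

Added example, not from the slides: CA.pl writes a textual dump in front of
the PEM block, and the slides strip it with egrep -v '^ |^$|^Cert'. That
pattern also deletes any base64 line that happens to begin with "Cert".
This version cuts at the BEGIN/END armour instead and checks that the
decoded DER is one complete SEQUENCE before anything is imported.
"""
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n"
    r"(?P<body>[A-Za-z0-9+/=\r\n]+?)"
    r"-----END (?P=label)-----"
)


def extract_pem_blocks(text, label="CERTIFICATE"):
    """All PEM blocks with the given label, re-wrapped at 64 columns,
    armour included and nothing else (no text dump, no blank lines)."""
    blocks = []
    for m in PEM_RE.finditer(text):
        if m.group("label") != label:
            continue
        body = "".join(m.group("body").split())
        lines = [body[i:i + 64] for i in range(0, len(body), 64)]
        blocks.append("-----BEGIN %s-----\n%s\n-----END %s-----\n"
                      % (label, "\n".join(lines), label))
    return blocks


def der_sequence_length_ok(der):
    """True if 'der' is exactly one DER SEQUENCE (tag 0x30) whose encoded
    length equals the bytes present; catches truncated or mangled blocks."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                         # short-form length
        length, header = first, 2
    else:                                    # long form: 0x80|n, then n bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        length, header = int.from_bytes(der[2:2 + n], "big"), 2 + n
    return header + length == len(der)


def cook(text, label="CERTIFICATE"):
    """Return the single cooked PEM block of 'label' or raise ValueError."""
    blocks = extract_pem_blocks(text, label)
    if len(blocks) != 1:
        raise ValueError("expected one %s block, found %d" % (label, len(blocks)))
    body = "".join(l for l in blocks[0].splitlines() if not l.startswith("-----"))
    if not der_sequence_length_ok(base64.b64decode(body)):
        raise ValueError("PEM body is not a complete DER SEQUENCE")
    return blocks[0]


# Constructed sample in the shape CA.pl -signreq writes. The base64 body is
# a stand-in (DER SEQUENCE { INTEGER 5 }), not a real certificate.
SAMPLE_NEWCERT = (
    "Certificate:\n"
    "    Data:\n"
    "        Version: 3 (0x2)\n"
    "        Serial Number:\n"
    "            b3:54:80:88:66:ad:e8:7a\n"
    "\n"
    "-----BEGIN CERTIFICATE-----\n"
    "MAMCAQU=\n"
    "-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    print(cook(SAMPLE_NEWCERT), end="")
```

Run it over newcert.pem and cacert.pem and write the result to the .cooked.pem files instead of the egrep output; a ValueError means the file is not what pktool should see.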
OpenSCAP

„The Security Content Automation Protocol (SCAP) is a method for using specific standards to enable automated vulnerability management, measurement, and policy compliance evaluation (e.g., FISMA compliance). The National Vulnerability Database (NVD) is the U.S. government content repository for SCAP.“
http://en.wikipedia.org/wiki/Security_Content_Automation_Protocol
ftp-banner.xml

<?xml version="1.0" encoding="UTF-8"?>
<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:independent-def="http://oval.mitre.org/XMLSchema/oval-defin
itions-5#independent" xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd">
  <generator>
    <oval:product_name>Enhanced SCAP Editor</oval:product_name>
    <oval:product_version>0.0.11</oval:product_version>
    <oval:schema_version>5.8</oval:schema_version>
    <oval:timestamp>2012-10-11T10:33:25</oval:timestamp>
  </generator>
  <!--generated.oval.base.identifier=com.oracle.solaris11-->
  <definitions>
    <definition id="oval:com.oracle.solaris11:def:840" version="1" class="compliance">
      <metadata>
        <title>Enable a Warning Banner for the FTP Service</title>
        <affected family="unix">
          <platform>Oracle Solaris 11</platform>
        </affected>
        <description>/etc/proftpd.conf contains DisplayConnect /etc/issue</description>
      </metadata>
      <criteria operator="AND" negate="false" comment="Single test">
        <criterion comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;" test_ref="oval:com.oracle.solaris11:tst:8400" negate="false"/>
      </criteria>
    </definition>
  </definitions>
  <tests>
    <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:com.oracle.solaris11:tst:8400" version="1" check="all" comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;" check_existence="all_exist">
      <object object_ref="oval:com.oracle.solaris11:obj:8400"/>
    </textfilecontent54_test>
  </tests>
  <objects>
    <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:com.oracle.solaris11:obj:8400" version="1" comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;">
      <path datatype="string" operation="equals">/etc</path>
      <filename datatype="string" operation="equals">proftpd.conf</filename>
      <pattern datatype="string" operation="pattern match">^DisplayConnect\s/etc/issue\s*$</pattern>
      <instance datatype="int" operation="greater than or equal">1</instance>
    </textfilecontent54_object>
  </objects>
</oval_definitions>
$ oscap oval eval ftp-banner.xml
Definition oval:com.oracle.solaris11:def:840: false
Evaluation done.

$ oscap oval eval --results results.xml --report report.html ftp-banner.xml
Definition oval:com.oracle.solaris11:def:840: false
Evaluation done.
OVAL Results are exported correctly.
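What oscap does with ftp-banner.xml is mechanical: resolve the definition's criterion to a test, the test to an object, collect the object's items from the filesystem and fold the results back up. The following added example (not from the slides and not OpenSCAP code) implements that chain for textfilecontent54 objects against file contents supplied in a dict, so the definition above can be exercised against a compliant, a non-compliant (the "false" shown on the slide) and a near-miss proftpd.conf without a Solaris box. Only the operations and check_existence values the slide's XML uses are implemented; the sample file contents are constructed.

```python
"""Evaluate the OVAL definition from ftp-banner.xml without oscap.

Added example, not from the slides or from OpenSCAP: walks definition ->
criteria -> test -> object and evaluates textfilecontent54 objects
against a {path: content} dict standing in for the filesystem.
"""
import re
import xml.etree.ElementTree as ET

NS = {
    "def": "http://oval.mitre.org/XMLSchema/oval-definitions-5",
    "ind": "http://oval.mitre.org/XMLSchema/oval-definitions-5#independent",
}

# ftp-banner.xml from the slides, reduced to the elements evaluated here.
FTP_BANNER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
  <definitions>
    <definition id="oval:com.oracle.solaris11:def:840" version="1" class="compliance">
      <criteria operator="AND" negate="false" comment="Single test">
        <criterion test_ref="oval:com.oracle.solaris11:tst:8400" negate="false"/>
      </criteria>
    </definition>
  </definitions>
  <tests>
    <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"
        id="oval:com.oracle.solaris11:tst:8400" version="1" check="all" check_existence="all_exist">
      <object object_ref="oval:com.oracle.solaris11:obj:8400"/>
    </textfilecontent54_test>
  </tests>
  <objects>
    <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"
        id="oval:com.oracle.solaris11:obj:8400" version="1">
      <path datatype="string" operation="equals">/etc</path>
      <filename datatype="string" operation="equals">proftpd.conf</filename>
      <pattern datatype="string" operation="pattern match">^DisplayConnect\\s/etc/issue\\s*$</pattern>
      <instance datatype="int" operation="greater than or equal">1</instance>
    </textfilecontent54_object>
  </objects>
</oval_definitions>
"""


def collect_items(obj, files):
    """Items of a textfilecontent54_object: (file, instance_no) for every
    regex match whose instance number satisfies the <instance> element."""
    path = obj.find("ind:path", NS).text
    filename = obj.find("ind:filename", NS).text
    regex = re.compile(obj.find("ind:pattern", NS).text, re.MULTILINE)
    inst = obj.find("ind:instance", NS)
    want, op = int(inst.text), inst.get("operation", "equals")
    full = path.rstrip("/") + "/" + filename
    if full not in files:
        return []                      # object does not exist on this system
    items = []
    for n, _ in enumerate(regex.finditer(files[full]), start=1):
        if (op == "equals" and n == want) or (op == "greater than or equal" and n >= want):
            items.append((full, n))
    return items


def evaluate(xml_text, files):
    """Return {definition_id: True/False} for every definition in the document."""
    root = ET.fromstring(xml_text)
    tests = {t.get("id"): t for t in root.find("def:tests", NS)}
    objects = {o.get("id"): o for o in root.find("def:objects", NS)}

    def run_test(test_id):
        test = tests[test_id]
        obj = objects[test.find("ind:object", NS).get("object_ref")]
        items = collect_items(obj, files)
        if test.get("check_existence", "at_least_one_exists") == "none_exist":
            return len(items) == 0
        return len(items) >= 1         # all_exist / at_least_one_exists, no <state>

    def eval_criteria(node):
        results = []
        for child in node:
            tag = child.tag.rsplit("}", 1)[-1]
            if tag == "criterion":
                r = run_test(child.get("test_ref"))
            elif tag == "criteria":
                r = eval_criteria(child)
            else:
                continue
            results.append(not r if child.get("negate") == "true" else r)
        value = all(results) if node.get("operator", "AND") == "AND" else any(results)
        return not value if node.get("negate") == "true" else value

    return {d.get("id"): eval_criteria(d.find("def:criteria", NS))
            for d in root.find("def:definitions", NS)}


# Constructed sample systems: a compliant proftpd.conf, one without the
# banner line (the 'false' result shown on the slide), and a near miss.
COMPLIANT = {"/etc/proftpd.conf": 'ServerName "ProFTPD"\nDisplayConnect /etc/issue\n'}
NO_BANNER = {"/etc/proftpd.conf": 'ServerName "ProFTPD"\n'}
NEAR_MISS = {"/etc/proftpd.conf": "DisplayConnect /etc/issue.net\n"}

if __name__ == "__main__":
    for name, fs in (("compliant", COMPLIANT), ("no banner", NO_BANNER), ("near miss", NEAR_MISS)):
        for def_id, result in evaluate(FTP_BANNER_XML, fs).items():
            print("%-10s Definition %s: %s" % (name, def_id, str(result).lower()))
```

The near-miss case is the one worth noticing when writing your own content: the pattern anchors on \s*$, so "DisplayConnect /etc/issue.net" does not satisfy the check even though a banner is configured.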
To create your own OVAL files: Enhanced SCAP Content Editor

Find more information regarding this feature at
https://blogs.oracle.com/darren/entry/compliance_reporting_with_scap
Sandboxing applications on Solaris 11.1
root@solaris:~# profiles -p "MySQL Service"
MySQL Service> set desc="Locking down the MySQL Service"
MySQL Service> add cmd=/lib/svc/method/mysql_51
MySQL Service:mysql_51> set privs=basic
MySQL Service:mysql_51> add privs={net_privaddr}:3306/tcp
MySQL Service:mysql_51> add privs={file_write}:/var/mysql/5.1/data/*
MySQL Service:mysql_51> add privs={file_write}:/tmp/mysql.sock
MySQL Service:mysql_51> add privs={file_write}:/var/tmp/ib*
MySQL Service:mysql_51> end
MySQL Service> set uid=mysql
MySQL Service> set gid=mysql
MySQL Service> exit
root@solaris:~#
root@solaris:~# svccfg -s mysql:version_51
svc:/application/database/mysql:version_51> setprop method_context/profile="MySQL Service"
svc:/application/database/mysql:version_51> setprop method_context/use_profile=true
svc:/application/database/mysql:version_51> refresh
svc:/application/database/mysql:version_51> exit
root@solaris:~# ipadm set-prop -p extra_priv_ports+=3306 tcp
root@solaris:~# ipadm show-prop -p extra_priv_ports tcp
PROTO PROPERTY              PERM CURRENT    PERSISTENT DEFAULT   POSSIBLE
tcp   extra_priv_ports      rw   2049,4045, --         2049,4045 1-65535
                                 3306
# svcadm enable mysql:version_51
root@solaris:~# ppriv $(pgrep mysql)
103697: /usr/mysql/5.1/bin/mysqld --basedir=/usr/mysql/5.1 --datadir=/var/mysq
flags = PRIV_XPOLICY
        Extended policies:
                {net_privaddr}:3306/tcp
                {file_write}:/var/mysql/5.1/data/*
                {file_write}:/tmp/mysql.sock
                {file_write}:/var/tmp/ib*
        E: basic,!file_write
        I: basic,!file_write
        P: basic,!file_write
        L: all
103609: /bin/sh /usr/mysql/5.1/bin/mysqld_safe --user=mysql --datadir=/var/mys
flags = PRIV_XPOLICY
        Extended policies:
                {net_privaddr}:3306/tcp
                {file_write}:/var/mysql/5.1/data/*
                {file_write}:/tmp/mysql.sock
                {file_write}:/var/tmp/ib*
        E: basic,!file_write
        I: basic,!file_write
        P: basic,!file_write
        L: all
Find more information regarding this feature at
https://blogs.oracle.com/gfaden/entry/oracle_solaris_extended_policy_and
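The ppriv output above shows what an extended policy does to a privilege set: file_write is removed from E/I/P ("basic,!file_write") and is handed back only for objects matching one of the {file_write}:pattern rules, and net_privaddr is granted only for 3306/tcp. The following added example (not from the slides or from Oracle) models exactly that decision for the MySQL profile, so a proposed policy can be sanity-checked against the paths and ports a service touches before it is attached to an SMF method. Matching rules are this example's assumption: paths are matched as shell globs with fnmatch, port rules must match exactly as port/proto.

```python
"""Evaluate Solaris extended privilege policies of the form '{priv}:object'.

Added example, not from the slides or from Oracle. Semantics modelled from
the ppriv output: a privilege named in a policy is dropped from the plain
set and granted only for objects matching a rule. Path globs use fnmatch
and port rules match exactly; both are this example's assumptions.
"""
import fnmatch

# The basic set as shown by 'ppriv -v' later in this deck.
BASIC = {"file_link_any", "file_read", "file_write", "net_access",
         "proc_exec", "proc_fork", "proc_info", "proc_session", "sys_ib_info"}


def parse_policy(entries):
    """'{file_write}:/var/tmp/ib*' -> ('file_write', '/var/tmp/ib*')."""
    rules = []
    for entry in entries:
        priv, _, obj = entry.partition(":")
        priv = priv.strip("{}")
        if not priv or not obj:
            raise ValueError("malformed extended policy entry: %r" % entry)
        rules.append((priv, obj))
    return rules


def effective_set(base, rules):
    """Plain privileges left after the policy-governed ones are removed."""
    return set(base) - {p for p, _ in rules}


def ppriv_style(rules, base=BASIC):
    """Render the effective set as ppriv prints it for a basic-set process,
    e.g. 'basic,!file_write'."""
    dropped = sorted({p for p, _ in rules} & set(base))
    return ",".join(["basic"] + ["!" + p for p in dropped])


def allowed(priv, obj, base, rules):
    """Is the operation (priv on obj) permitted under base + rules?"""
    governed = {p for p, _ in rules}
    if priv not in governed:
        return priv in effective_set(base, rules)
    for p, pattern in rules:
        if p != priv:
            continue
        if priv == "net_privaddr":
            if obj == pattern:                  # 'port/proto', exact match
                return True
        elif fnmatch.fnmatchcase(obj, pattern):  # path glob
            return True
    return False


# The MySQL profile from the slides, as given to 'add privs='.
MYSQL_POLICY = parse_policy([
    "{net_privaddr}:3306/tcp",
    "{file_write}:/var/mysql/5.1/data/*",
    "{file_write}:/tmp/mysql.sock",
    "{file_write}:/var/tmp/ib*",
])

if __name__ == "__main__":
    print("E:", ppriv_style(MYSQL_POLICY))
    for priv, obj in [("file_write", "/var/mysql/5.1/data/ibdata1"),
                      ("file_write", "/etc/passwd"),
                      ("net_privaddr", "3306/tcp"),
                      ("net_privaddr", "80/tcp"),
                      ("file_read", "/etc/passwd")]:
        print("%-13s %-30s %s" % (priv, obj, allowed(priv, obj, BASIC, MYSQL_POLICY)))
```

Note what the model makes explicit: mysqld can still read anything its uid can (file_read is untouched), but a write outside the four rules fails with EPERM even though the process runs with the basic set.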
Passwords
root@client:/etc/security# cat /etc/security/crypt.conf
#
# Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
#ident  "%Z%%M% %I%     %E% SMI"
#
# The algorithm name __unix__ is reserved.
#
1       crypt_bsdmd5.so.1
2a      crypt_bsdbf.so.1
md5     crypt_sunmd5.so.1
5       crypt_sha256.so.1
6       crypt_sha512.so.1
root@client:/etc/security# cat /etc/security/policy.conf | egrep ^CRYPT_DEFAULT
CRYPT_DEFAULT=5
root@client:/etc/security# cat /etc/shadow | grep junior
junior:$5$4aKvDFqA$2kL8GpuXjrdf8XpanqhylEP5lDhy1DF5uo1ZYx74f3159291440
root@client:/etc/security# cat /etc/default/passwd | grep -v "^# " | egrep -v "^$|^#$"
#ident  "%Z%%M% %I%     %E% SMI"
MAXWEEKS=
MINWEEKS=
PASSLENGTH=6
NAMECHECK=NO
HISTORY=0
MINDIFF=3
MINALPHA=2
MINNONALPHA=1
MINUPPER=0
MINLOWER=0
MAXREPEATS=0
MINSPECIAL=0
MINDIGIT=0
WHITESPACE=YES
DICTIONLIST=
DICTIONDBDIR=/var/passwd
root@client:~# mkpwdict -s /usr/share/lib/dict/words
mkpwdict: using default database location: /var/passwd.

or

root@client:~# mkpwdict -s /usr/share/lib/dict/words -d /var/passwd
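Two things are worth being able to check offline: which crypt(3c) module a given shadow hash was produced by (the $5$ prefix maps through crypt.conf, which is what CRYPT_DEFAULT=5 selects), and which of the /etc/default/passwd constraints a candidate password would trip over. The following added example (not from the slides or from Oracle) does both with the files as shown above embedded as constructed samples. It reports policy violations only; it does not call crypt(3c) or consult the mkpwdict dictionary, and the MINDIFF and MAXREPEATS counting rules are this example's reading of passwd(1).

```python
"""Hash-module lookup and /etc/default/passwd policy checker.

Added example, not from the slides or from Oracle. hash_module() maps a
shadow entry's '$id$' prefix through crypt.conf; check_password() applies
the constraints of /etc/default/passwd to a candidate. MINDIFF counts
positions that differ from the old password (plus the length difference)
and MAXREPEATS counts a run of k equal characters as k-1 repeats; both are
this example's interpretation of passwd(1).
"""

CRYPT_CONF = """\
# The algorithm name __unix__ is reserved.
1       crypt_bsdmd5.so.1
2a      crypt_bsdbf.so.1
md5     crypt_sunmd5.so.1
5       crypt_sha256.so.1
6       crypt_sha512.so.1
"""

# Constructed from the /etc/default/passwd listing above.
DEFAULT_PASSWD = """\
PASSLENGTH=6
NAMECHECK=NO
HISTORY=0
MINDIFF=3
MINALPHA=2
MINNONALPHA=1
MINUPPER=0
MINLOWER=0
MAXREPEATS=0
MINSPECIAL=0
MINDIGIT=0
WHITESPACE=YES
"""


def parse_kv(text):
    """KEY=VALUE lines, '#' comments and blanks ignored; empty value kept."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            k, _, v = line.partition("=")
            out[k.strip()] = v.strip()
    return out


def parse_crypt_conf(text):
    """'5  crypt_sha256.so.1' -> {'5': 'crypt_sha256.so.1'}."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            ident, module = line.split()[:2]
            table[ident] = module
    return table


def hash_module(shadow_hash, crypt_conf_text=CRYPT_CONF):
    """'$5$salt$hash' -> 'crypt_sha256.so.1'; no '$' prefix is classic
    __unix__ DES crypt (the reserved name in crypt.conf)."""
    if shadow_hash.startswith("$"):
        ident = shadow_hash.split("$")[1]
        return parse_crypt_conf(crypt_conf_text).get(ident, "unknown:" + ident)
    return "__unix__"


def check_password(new, old, policy_text=DEFAULT_PASSWD):
    """Names of the constraints 'new' violates (empty list = acceptable)."""
    p = parse_kv(policy_text)

    def num(key, default="0"):
        return int(p.get(key) or default)

    alpha = sum(c.isalpha() for c in new)
    digit = sum(c.isdigit() for c in new)
    space = sum(c.isspace() for c in new)
    special = len(new) - alpha - digit - space
    viol = []
    if len(new) < num("PASSLENGTH", "6"):
        viol.append("PASSLENGTH")
    if alpha < num("MINALPHA"):
        viol.append("MINALPHA")
    if len(new) - alpha < num("MINNONALPHA"):
        viol.append("MINNONALPHA")
    if sum(c.isupper() for c in new) < num("MINUPPER"):
        viol.append("MINUPPER")
    if sum(c.islower() for c in new) < num("MINLOWER"):
        viol.append("MINLOWER")
    if digit < num("MINDIGIT"):
        viol.append("MINDIGIT")
    if special < num("MINSPECIAL"):
        viol.append("MINSPECIAL")
    maxrep, run = num("MAXREPEATS"), 1
    for a, b in zip(new, new[1:]):
        run = run + 1 if a == b else 1
        if maxrep and run - 1 > maxrep:
            viol.append("MAXREPEATS")
            break
    if p.get("WHITESPACE", "YES").upper() == "NO" and space:
        viol.append("WHITESPACE")
    if old is not None:
        differ = sum(a != b for a, b in zip(new, old)) + abs(len(new) - len(old))
        if differ < num("MINDIFF"):
            viol.append("MINDIFF")
    return viol
```

Use it when tightening /etc/default/passwd: feed the intended values and a handful of real-world candidates through check_password before rolling the change out, so the help desk is not the first to learn what the new policy rejects.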
Address Space Layout Randomization
root@solaris:~# sxadm exec -s aslr=disable /usr/bin/pmap self
1914:   /usr/bin/pmap self
0000000000400000         28K r-x--  /usr/bin/pmap
0000000000417000          4K rw---  /usr/bin/pmap
0000000000418000         40K rw---    [ heap ]
FFFF80FFBDDD0000        216K r-x--  /lib/amd64/libproc.so.1
FFFF80FFBDE16000          8K rw---  /lib/amd64/libproc.so.1
FFFF80FFBF430000       1764K r-x--  /lib/amd64/libc.so.1
FFFF80FFBF5F9000         64K rw---  /lib/amd64/libc.so.1
FFFF80FFBF609000         12K rw---  /lib/amd64/libc.so.1
FFFF80FFBF740000          4K rw---    [ anon ]
FFFF80FFBF750000         24K rwx--    [ anon ]
FFFF80FFBF760000          4K rw---    [ anon ]
FFFF80FFBF770000          4K rw---    [ anon ]
FFFF80FFBF780000          4K rw---    [ anon ]
FFFF80FFBF790000          4K rw---    [ anon ]
FFFF80FFBF792000          4K r--s-    [ anon ]
FFFF80FFBF795000        340K r-x--  /lib/amd64/ld.so.1
FFFF80FFBF7FA000         12K rwx--  /lib/amd64/ld.so.1
FFFF80FFBF7FD000          8K rwx--  /lib/amd64/ld.so.1
FFFF80FFBFFFD000         12K rw---    [ stack ]
         total         2556K
root@solaris:~# sxadm exec -s aslr=disable /usr/bin/pmap self
1915:   /usr/bin/pmap self
0000000000400000         28K r-x--  /usr/bin/pmap
0000000000417000          4K rw---  /usr/bin/pmap
0000000000418000         40K rw---    [ heap ]
FFFF80FFBDDD0000        216K r-x--  /lib/amd64/libproc.so.1
FFFF80FFBDE16000          8K rw---  /lib/amd64/libproc.so.1
FFFF80FFBF430000       1764K r-x--  /lib/amd64/libc.so.1
FFFF80FFBF5F9000         64K rw---  /lib/amd64/libc.so.1
FFFF80FFBF609000         12K rw---  /lib/amd64/libc.so.1
FFFF80FFBF740000          4K rw---    [ anon ]
FFFF80FFBF750000         24K rwx--    [ anon ]
FFFF80FFBF760000          4K rw---    [ anon ]
FFFF80FFBF770000          4K rw---    [ anon ]
FFFF80FFBF780000          4K rw---    [ anon ]
FFFF80FFBF790000          4K rw---    [ anon ]
FFFF80FFBF792000          4K r--s-    [ anon ]
FFFF80FFBF795000        340K r-x--  /lib/amd64/ld.so.1
FFFF80FFBF7FA000         12K rwx--  /lib/amd64/ld.so.1
FFFF80FFBF7FD000          8K rwx--  /lib/amd64/ld.so.1
FFFF80FFBFFFD000         12K rw---    [ stack ]
         total         2556K
root@solaris:~# sxadm exec -s aslr=enable /usr/bin/pmap self
1917:   /usr/bin/pmap self
0000000000400000         28K r-x--  /usr/bin/pmap
0000000000417000          4K rw---  /usr/bin/pmap
0000000000418000          8K rw---  /usr/bin/pmap
00000005D6666000         36K rw---    [ heap ]
00007FF669C70000        216K r-x--  /lib/amd64/libproc.so.1
00007FF669CB6000          8K rw---  /lib/amd64/libproc.so.1
00007FF669CC0000          4K rw---    [ anon ]
00007FF669CD0000         24K rwx--    [ anon ]
00007FF669CE0000          4K rw---    [ anon ]
00007FF669CF0000       1764K r-x--  /lib/amd64/libc.so.1
00007FF669EB9000         64K rw---  /lib/amd64/libc.so.1
00007FF669EC9000         12K rw---  /lib/amd64/libc.so.1
00007FF669ED0000          4K rw---    [ anon ]
00007FF669EE0000          4K rw---    [ anon ]
00007FF669EF0000          4K rw---    [ anon ]
00007FF669EF2000          4K r--s-    [ anon ]
00007FF669EFC000        340K r-x--  /lib/amd64/ld.so.1
00007FF669F61000         12K rwx--  /lib/amd64/ld.so.1
00007FF669F64000          8K rwx--  /lib/amd64/ld.so.1
FFFF80DDA254F000         16K rw---    [ stack ]
         total         2564K
root@solaris:~# sxadm exec -s aslr=enable /usr/bin/pmap self
1918:   /usr/bin/pmap self
0000000000400000         28K r-x--  /usr/bin/pmap
0000000000417000          4K rw---  /usr/bin/pmap
0000000000418000          8K rw---  /usr/bin/pmap
000000065B76D000         36K rw---    [ heap ]
00007FFAACFC0000        216K r-x--  /lib/amd64/libproc.so.1
00007FFAAD006000          8K rw---  /lib/amd64/libproc.so.1
00007FFAAD010000          4K rw---    [ anon ]
00007FFAAD020000         24K rwx--    [ anon ]
00007FFAAD030000          4K rw---    [ anon ]
00007FFAAD040000       1764K r-x--  /lib/amd64/libc.so.1
00007FFAAD209000         64K rw---  /lib/amd64/libc.so.1
00007FFAAD219000         12K rw---  /lib/amd64/libc.so.1
00007FFAAD220000          4K rw---    [ anon ]
00007FFAAD230000          4K rw---    [ anon ]
00007FFAAD240000          4K rw---    [ anon ]
00007FFAAD242000          4K r--s-    [ anon ]
00007FFAAD24D000        340K r-x--  /lib/amd64/ld.so.1
00007FFAAD2B2000         12K rwx--  /lib/amd64/ld.so.1
00007FFAAD2B5000          8K rwx--  /lib/amd64/ld.so.1
FFFF80DE1559E000         12K rw---    [ stack ]
root@solaris:~# sxadm info
EXTENSION           STATUS                    CONFIGURATION
aslr                enabled (tagged-files)    system default (default)

root@solaris:~# elfdump -d /usr/bin/pmap | grep ASLR
      [33]  SUNW_ASLR         0x2               ENABLE

root@solaris:~# elfedit -e 'dyn:sunw_aslr disable' /usr/bin/pmap

root@solaris:~# elfdump -d /usr/bin/pmap | grep ASLR
      [33]  SUNW_ASLR         0x1               DISABLE
root@solaris:~# sxadm enable -c model=all aslr
root@solaris:~# sxadm info
EXTENSION           STATUS                    CONFIGURATION
aslr                enabled (all)             enabled (all)

root@solaris:~# sxadm disable aslr
root@solaris:~# sxadm info
EXTENSION           STATUS                    CONFIGURATION
aslr                disabled                  disabled

root@solaris:~# sxadm enable -c model=tagged-files aslr
root@solaris:~# sxadm info
EXTENSION           STATUS                    CONFIGURATION
aslr                enabled (tagged-files)    enabled (tagged-files)
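Reading the two aslr=enable runs side by side is the actual check: heap, libraries and stack land somewhere else each time, while the executable's own text and data stay at 0x400000 in both runs, so for /usr/bin/pmap only the surrounding mappings are randomized. The following added example (not from the slides or from Oracle) parses pmap output and reports which mappings moved between two runs and which stayed fixed. The sample data is the PID 1917 and 1918 output from above, reduced to the file-backed mappings, heap and stack (anon mappings left out for brevity).

```python
"""Compare two pmap(1) listings of the same binary to see what ASLR moved.

Added example, not from the slides or from Oracle: parses the
'address size perms name' lines pmap prints and pairs mappings across
runs by (name, permissions, ordinal), so the three libc segments are
compared one to one.
"""
import re

PMAP_LINE = re.compile(r"^([0-9A-Fa-f]{16})\s+(\d+)K\s+(\S+)\s+(.*\S)\s*$")


def parse_pmap(text):
    """(start_address, size_kb, perms, name) per mapping line; the PID
    header and the 'total' line are skipped."""
    maps = []
    for line in text.splitlines():
        m = PMAP_LINE.match(line.strip())
        if m:
            maps.append((int(m.group(1), 16), int(m.group(2)), m.group(3), m.group(4)))
    return maps


def _keyed(run):
    """Map (name, perms, ordinal) -> mapping so repeated names pair up."""
    seen, out = {}, {}
    for entry in run:
        key = (entry[3], entry[2])
        seen[key] = seen.get(key, 0) + 1
        out[key + (seen[key],)] = entry
    return out


def compare_runs(run_a, run_b):
    """{'fixed': [names at the same address], 'moved': [names that differ]}."""
    a, b = _keyed(run_a), _keyed(run_b)
    fixed, moved = set(), set()
    for key in a:
        if key in b:
            (fixed if a[key][0] == b[key][0] else moved).add(key[0])
    return {"fixed": sorted(fixed), "moved": sorted(moved)}


# Constructed from the two aslr=enable runs on the slides (anon mappings omitted).
RUN_1917 = """1917:   /usr/bin/pmap self
0000000000400000         28K r-x--  /usr/bin/pmap
0000000000417000          4K rw---  /usr/bin/pmap
0000000000418000          8K rw---  /usr/bin/pmap
00000005D6666000         36K rw---    [ heap ]
00007FF669C70000        216K r-x--  /lib/amd64/libproc.so.1
00007FF669CB6000          8K rw---  /lib/amd64/libproc.so.1
00007FF669CF0000       1764K r-x--  /lib/amd64/libc.so.1
00007FF669EB9000         64K rw---  /lib/amd64/libc.so.1
00007FF669EC9000         12K rw---  /lib/amd64/libc.so.1
00007FF669EFC000        340K r-x--  /lib/amd64/ld.so.1
00007FF669F61000         12K rwx--  /lib/amd64/ld.so.1
00007FF669F64000          8K rwx--  /lib/amd64/ld.so.1
FFFF80DDA254F000         16K rw---    [ stack ]
         total         2564K
"""
RUN_1918 = """1918:   /usr/bin/pmap self
0000000000400000         28K r-x--  /usr/bin/pmap
0000000000417000          4K rw---  /usr/bin/pmap
0000000000418000          8K rw---  /usr/bin/pmap
000000065B76D000         36K rw---    [ heap ]
00007FFAACFC0000        216K r-x--  /lib/amd64/libproc.so.1
00007FFAAD006000          8K rw---  /lib/amd64/libproc.so.1
00007FFAAD040000       1764K r-x--  /lib/amd64/libc.so.1
00007FFAAD209000         64K rw---  /lib/amd64/libc.so.1
00007FFAAD219000         12K rw---  /lib/amd64/libc.so.1
00007FFAAD24D000        340K r-x--  /lib/amd64/ld.so.1
00007FFAAD2B2000         12K rwx--  /lib/amd64/ld.so.1
00007FFAAD2B5000          8K rwx--  /lib/amd64/ld.so.1
FFFF80DE1559E000         12K rw---    [ stack ]
"""

if __name__ == "__main__":
    result = compare_runs(parse_pmap(RUN_1917), parse_pmap(RUN_1918))
    print("fixed:", ", ".join(result["fixed"]))
    print("moved:", ", ".join(result["moved"]))
```

Feed it two runs with aslr=disable and everything lands in "fixed"; with a binary tagged ENABLE (or model=all) anything that still shows up under "fixed" is the part of the address space an attacker does not have to guess.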
pfedit
root@template:/etc/apache2/2.2# profiles -p "httpd edit"
profiles:httpd edit> set auths=solaris.admin.edit/etc/apache2/2.2/httpd.conf
profiles:httpd edit> set desc="Edit httpd"
profiles:httpd edit> exit
root@template:/etc/apache2/2.2# usermod -P +"httpd edit" junior
junior@template:~$ profiles
httpd edit
Basic Solaris User
All
junior@template:~$ vi /etc/apache2/2.2/httpd.conf
junior@template:~$ pfedit /etc/apache2/2.2/httpd.conf
pfedit: /etc/apache2/2.2/httpd.conf has been updated.
junior@template:~$ pfedit /etc/apache2/2.2/mime.types
pfedit: User junior is not authorized to edit the file /etc/apache2/2.2/mime.types
root@template:/etc/apache2/2.2# profiles -p "httpd edit"
profiles:httpd edit> info
        name=httpd edit
        desc=Edit httpd
        auths=solaris.admin.edit/etc/apache2/2.2/httpd.conf
profiles:httpd edit> add auths=solaris.admin.edit/etc/apache2/2.2/mime.types
junior@template:~$ pfedit /etc/apache2/2.2/mime.types
pfedit: no changes for /etc/apache2/2.2/mime.types
# profiles -p "httpd configure"
profiles:httpd configure> add always_audit=as
profiles:httpd configure> info
        name=httpd configure
        desc=Configure httpd
        auths=solaris.admin.edit/etc/apache2/2.2/httpd.conf,solaris.admin.edit/etc/apache2/2.2/mime.types
        always_audit=as
        never_audit=no
profiles:httpd configure> exit
root@template:~#
root@template:~# auditreduce -c as | praudit
[...]
header,486,2,edit administrative file,fe80::a00:27ff:fea6:33cb,2013-08-12 07:45:52.306 +00:00
subject,junior,junior,staff,junior,staff,4212,4474671663,69 136704 MacBook-Pro-of-c0t0d0s0.fritz.box
path,/etc/apache2/2.2/httpd.conf
use of authorization,solaris.admin.edit/etc/apache2/2.2/httpd.conf
text,--- /etc/apache2/2.2/httpd.conf   Mo Aug 12 07:45:00 2013
+++ /etc/apache2/2.2/httpd.conf.pfedit.1BaGoi   Mo Aug 12 07:45:52 2013
@@ -1,5 +1,6 @@
 # Test
 # Test 2
+# Test 3
 #
 # This is the main Apache HTTP server configuration file.  It contains the
 # configuration directives that give the server its instructions.
return,success,0
Delegating privilege to restart services (so you can keep the root password)
junior@template:~$ svcadm refresh apache22
svcadm: svc:/network/http:apache22: Permission denied.
# svcs -a | grep apache22
online         15:30:29 svc:/network/http:apache22
# auths add -t "Apache22 value" solaris.smf.value.http.apache22
# auths add -t "Apache22 action" solaris.smf.action.http.apache22
# svccfg -s apache22 setprop general/value_authorization = astring: solaris.smf.value.http.apache22
# svccfg -s apache22 setprop general/action_authorization = astring: solaris.smf.action.http.apache22
# profiles -p "httpd edit" "add auths=solaris.smf.action.http.apache22"
junior@template:~$ svcadm refresh apache22
junior@template:~$
Privileges
$ ls -l /usr/sbin/traceroute
-r-sr-xr-x   1 root     bin        42324 Nov 21 00:09 /usr/sbin/traceroute
$ ls -l /usr/sbin/ping
-r-sr-xr-x   1 root     bin        51396 Nov 18 19:31 /usr/sbin/ping

Set-uid to root: ping needs it to work.
# chmod -s /usr/sbin/ping
# exit

$ ping -s 192.168.1.132
ping: socket Permission denied

Remove the set-uid bit and ping stops working.
jmoekamp@daddelkiste:~$ ppriv $$
2153:   -bash
flags = <none>
        E: basic
        I: basic
        P: basic
        L: all
The full list of Solaris privileges:

contract_event, contract_identity, contract_observer, cpc_cpu,
dtrace_kernel, dtrace_proc, dtrace_user,
file_chown, file_chown_self, file_dac_execute, file_dac_read, file_dac_search, file_dac_write, file_downgrade_sl, file_flag_set, file_link_any, file_owner, file_read, file_setid, file_upgrade_sl, file_write,
graphics_access, graphics_map,
ipc_dac_read, ipc_dac_write, ipc_owner,
net_access, net_bindmlp, net_icmpaccess, net_mac_aware, net_mac_implicit, net_observability, net_privaddr, net_rawaccess,
proc_audit, proc_chroot, proc_clock_highres, proc_exec, proc_fork, proc_info, proc_lock_memory, proc_owner, proc_priocntl, proc_session, proc_setid, proc_taskid, proc_zone,
sys_acct, sys_admin, sys_audit, sys_config, sys_devices, sys_dl_config, sys_flow_config, sys_ib_config, sys_ib_info, sys_ip_config, sys_ipc_config, sys_iptun_config, sys_linkdir, sys_mount, sys_net_config, sys_nfs, sys_ppp_config, sys_res_bind, sys_res_config, sys_resource, sys_share, sys_smb, sys_suser_compat, sys_time, sys_trans_label,
win_colormap, win_config, win_dac_read, win_dac_write, win_devices, win_dga, win_downgrade_sl, win_fontpath, win_mac_read, win_mac_write, win_selection, win_upgrade_sl
All privileges, in their entirety assigned to one user, are (almost) root.
Neat extension in Solaris 11: the ability to use networking (net_access) is now a privilege. It is part of the default basic set of privileges, but you can remove it.
jmoekamp@daddelkiste:~$ ppriv -v $$
2153:   -bash
flags = <none>
        E: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
        I: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
        P: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
        L: contract_event,contract_identity,contract_observer,cpc_cpu,dtrace_kernel,dtrace_proc,dtrace_user,file_chown,file_chown_self,file_dac_execute,file_dac_read,file_dac_search,file_dac_write,file_downgrade_sl,file_flag_set,file_link_any,file_owner,file_read,file_setid,file_upgrade_sl,file_write,graphics_access,graphics_map,ipc_dac_read,ipc_dac_write,ipc_owner,net_access,net_bindmlp,net_icmpaccess,net_mac_aware,net_mac_implicit,net_observability,net_privaddr,net_rawaccess,proc_audit,proc_chroot,proc_clock_highres,proc_exec,proc_fork,proc_info,proc_lock_memory,proc_owner,proc_priocntl,proc_session,proc_setid,proc_taskid,proc_zone,sys_acct,sys_admin,sys_audit,sys_config,sys_devices,sys_dl_config,sys_flow_config,sys_ib_config,sys_ib_info,sys_ip_config,sys_ipc_config,sys_iptun_config,sys_linkdir,sys_mount,sys_net_config,sys_nfs,sys_ppp_config,sys_res_bind,sys_res_config,sys_resource,sys_share,sys_smb,sys_suser_compat,sys_time,sys_trans_label,win_colormap,win_config,win_dac_read,win_dac_write,win_devices,win_dga,win_downgrade_sl,win_fontpath,win_mac_read,win_mac_write,win_selection,win_upgrade_sl
root@daddelkiste:~# ppriv $$
2183:   -bash
flags = <none>
        E: all
        I: basic
        P: all
        L: all
junior@daddelkiste:~$ dtrace -n 'syscall:::entry { @num[execname] = count(); }'
dtrace: failed to initialize dtrace: DTrace requires additional privileges
root@daddelkiste:~# usermod -K defaultpriv=basic,dtrace_kernel,dtrace_proc,dtrace_user junior
UX: usermod: junior is currently logged in, some changes may not take effect until next login.
junior@daddelkiste:~$ dtrace -n 'syscall:::entry { @num[execname] = count(); }'
dtrace: description 'syscall:::entry ' matched 211 probes
^C

  automountd                                                        1
  sshd                                                             24
  dtrace                                                          544
  auditd                                                          564
# ps -ef | grep kcfd
  daemon   125     1   0 14:24:19 ?           0:00 /usr/lib/crypto/kcfd
    root   734   728   0 15:54:08 pts/1       0:00 grep kcfd
# ppriv -v 125
125:    /usr/lib/crypto/kcfd
flags = PRIV_AWARE
        E: file_owner,proc_priocntl,sys_devices
        I: none
        P: file_owner,proc_priocntl,sys_devices
        L: none
# svcadm -v enable -s apache2
svc:/network/http:apache2 enabled.
jmoekamp@client:~$ ps -ef | grep http
webservd  1978  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1979  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1980  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1984  1975   0 12:20:02 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
    root  1975     1   0 12:19:14 ?           0:01 /usr/apache2/2.2/bin/httpd -k start
webservd  1977  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1976  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
root@client:~# ppriv 1977
1977:   /usr/apache2/2.2/bin/httpd -k start
flags = <none>
        E: basic
        I: basic
        P: basic
        L: all
root@client:~# ppriv 1975
1975:   /usr/apache2/2.2/bin/httpd -k start
flags = <none>
        E: all
        I: basic
        P: all
        L: all
root@client:~#
The Apache parent process running as root (PID 1975) has all privileges (E: all, P: all).
The other, webservd-owned processes have only the basic set (E: basic).
What Apache really needs: basic, proc_session, proc_info, file_link_any and net_privaddr (to bind port 80).
So by starting it as root you grant a large number of privileges to one process that Apache doesn't need.
# svcadm -v disable -s apache2
svc:/network/http:apache2 disabled.
root@client:~# svccfg -s apache22
svc:/network/http:apache22> setprop start/user = astring: webservd
svc:/network/http:apache22> setprop start/group = astring: webservd
svc:/network/http:apache22> setprop start/privileges = astring: basic,proc_session,proc_info,file_link_any,net_privaddr
svc:/network/http:apache22> setprop start/limit_privileges = astring: :default
svc:/network/http:apache22> setprop start/use_profile = boolean: false
svc:/network/http:apache22> setprop start/supp_groups = astring: :default
svc:/network/http:apache22> setprop start/working_directory = astring: :default
svc:/network/http:apache22> setprop start/project = astring: :default
svc:/network/http:apache22> setprop start/resource_pool = astring: :default
svc:/network/http:apache22> end
root@client:~# svcadm -v refresh apache22
Action refresh set for svc:/network/http:apache22.
# echo "LockFile /var/apache2/2.2/logs/accept.lock" >> /etc/apache2/2.2/httpd.conf
# echo "PidFile /var/apache2/2.2/run/httpd.pid" >> /etc/apache2/2.2/httpd.conf
# mkdir -p -m 755 /var/apache2/2.2/run
# chown webservd:webservd /var/apache2/2.2/run
# svcadm enable apache22
webservd  3064  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3062  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3063  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3066  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3061     1   0 16:49:17 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3065  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
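"A large number of privileges Apache doesn't need" can be put into a number. The following added example (not from the slides or from Oracle) parses the E/I/P/L lines of ppriv output, expands the basic and all keywords with the lists shown earlier in this deck, and lists what a process holds in its effective set beyond the set the slides give Apache (basic, proc_session, proc_info, file_link_any, net_privaddr). The two ppriv blocks are constructed from the PID 1975 and 1977 output above.

```python
"""Excess privileges of a process versus what the service needs.

Added example, not from the slides or from Oracle: parse_ppriv() reads the
'E:/I:/P:/L:' lines ppriv prints, expand() resolves 'basic', 'all', 'none'
and '!priv' negations, excess() lists what E holds beyond the needed set.
"""
# The full privilege list as shown on the slides (84 names).
ALL_PRIVS = """contract_event contract_identity contract_observer cpc_cpu
dtrace_kernel dtrace_proc dtrace_user file_chown file_chown_self
file_dac_execute file_dac_read file_dac_search file_dac_write
file_downgrade_sl file_flag_set file_link_any file_owner file_read
file_setid file_upgrade_sl file_write graphics_access graphics_map
ipc_dac_read ipc_dac_write ipc_owner net_access net_bindmlp
net_icmpaccess net_mac_aware net_mac_implicit net_observability
net_privaddr net_rawaccess proc_audit proc_chroot proc_clock_highres
proc_exec proc_fork proc_info proc_lock_memory proc_owner proc_priocntl
proc_session proc_setid proc_taskid proc_zone sys_acct sys_admin
sys_audit sys_config sys_devices sys_dl_config sys_flow_config
sys_ib_config sys_ib_info sys_ip_config sys_ipc_config sys_iptun_config
sys_linkdir sys_mount sys_net_config sys_nfs sys_ppp_config sys_res_bind
sys_res_config sys_resource sys_share sys_smb sys_suser_compat sys_time
sys_trans_label win_colormap win_config win_dac_read win_dac_write
win_devices win_dga win_downgrade_sl win_fontpath win_mac_read
win_mac_write win_selection win_upgrade_sl""".split()

# The basic set as 'ppriv -v' expands it earlier in this deck.
BASIC = {"file_link_any", "file_read", "file_write", "net_access",
         "proc_exec", "proc_fork", "proc_info", "proc_session", "sys_ib_info"}

# start/privileges from the svccfg slide.
APACHE_NEEDS = "basic,proc_session,proc_info,file_link_any,net_privaddr"


def expand(spec):
    """'basic,!file_write' / 'all' / 'none' -> set of privilege names."""
    out = set()
    for tok in spec.split(","):
        tok = tok.strip()
        if not tok or tok == "none":
            continue
        name = tok.lstrip("!")
        names = set(ALL_PRIVS) if name == "all" else set(BASIC) if name == "basic" else {name}
        out = out - names if tok.startswith("!") else out | names
    return out


def parse_ppriv(text):
    """{'E': set, 'I': set, 'P': set, 'L': set} from one ppriv listing."""
    sets = {}
    for line in text.splitlines():
        line = line.strip()
        if len(line) > 2 and line[0] in "EIPL" and line[1] == ":":
            sets[line[0]] = expand(line[2:])
    return sets


def excess(ppriv_text, needed=APACHE_NEEDS):
    """Privileges in the effective set that the service does not need."""
    return sorted(parse_ppriv(ppriv_text)["E"] - expand(needed))


def missing(ppriv_text, needed=APACHE_NEEDS):
    """Needed privileges the effective set lacks (the other failure mode)."""
    return sorted(expand(needed) - parse_ppriv(ppriv_text)["E"])


# Constructed from the slides: the root-owned parent and a webservd child.
HTTPD_ROOT = """1975:   /usr/apache2/2.2/bin/httpd -k start
flags = <none>
        E: all
        I: basic
        P: all
        L: all
"""
HTTPD_CHILD = """1977:   /usr/apache2/2.2/bin/httpd -k start
flags = <none>
        E: basic
        I: basic
        P: basic
        L: all
"""

if __name__ == "__main__":
    print("root parent holds %d unneeded privileges" % len(excess(HTTPD_ROOT)))
    print("webservd child lacks:", missing(HTTPD_CHILD))
```

missing() is the check to run after the svccfg change: the reduced service must still have net_privaddr in E, otherwise httpd fails to bind port 80 and SMF puts it into maintenance.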
Read-only zone root

zonecfg:testzone> set file-mac-profile=none
    Standard, read-write non-global zone, with no additional protection beyond the existing zones boundaries.

zonecfg:testzone> set file-mac-profile=strict
    Read-only file system, no exceptions.

zonecfg:testzone> set file-mac-profile=fixed-configuration
    Permits updates to /var/* directories, with the exception of directories that contain system configuration components.

zonecfg:testzone> set file-mac-profile=flexible-configuration
    Permits modification of files in /etc/* directories, changes to root's home directory, and updates to /var/* directories. This configuration provides the closest functionality to the Oracle Solaris 10 native sparse root zone.
in-kernel SSL Proxy

mkdir /etc/keys
cd /etc/keys
openssl req -x509 -nodes -days 365 -subj "/C=DE/ST=Hamburg/L=Hamburg/CN=server" -newkey rsa:1024 -keyout /etc/keys/mykey.pem -out /etc/keys/mycert.pem
cat mycert.pem mykey.pem > my.pem
chmod 600 my.pem

echo "pass" > /etc/keys/mypass
ksslcfg create -f pem -i /etc/keys/my.pem -x 8080 -p /etc/keys/mypass server 443

ksslcfg create -f pem -i /etc/keys/my.pem -x 8080 -p /etc/keys/mypass -c rsa_aes_256_cbc_sha,rsa_aes_128_cbc_sha,rsa_rc4_128_sha,rsa_rc4_128_md5 server 443

svcs -a | grep kssl
online          9:03:33 svc:/network/ssl/proxy:kssl-server-443

svcadm disable apache22
echo "Listen 192.168.178.108:8080" >> /etc/apache2/2.2/httpd.conf
svcadm enable apache22
Port number and IP address have to be defined in httpd.conf, otherwise it will not work.

$ openssl s_client -connect server:443
CONNECTED(00000004)
depth=0 /C=DE/ST=Hamburg/L=Hamburg/CN=server
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=DE/ST=Hamburg/L=Hamburg/CN=server
verify return:1
---
Certificate chain
 0 s:/C=DE/ST=Hamburg/L=Hamburg/CN=server
   i:/C=DE/ST=Hamburg/L=Hamburg/CN=server
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICoTCCAgqgAwIBAgIJAKyJdj[...]V5jX3MU=
-----END CERTIFICATE-----
subject=/C=DE/ST=Hamburg/L=Hamburg/CN=server
issuer=/C=DE/ST=Hamburg/L=Hamburg/CN=server
---
No client certificate CA names sent
---
SSL handshake has read 817 bytes and written 328 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-SHA
    Session-ID: 32CEF20CB9FE2A71C74D40BB2DB5CB304DA1B57540B7CFDD113915B99DBE9812
    Session-ID-ctx:
    Master-Key: 1E7B502390951124779C5763B5E4BBAF0A9B0693D08DCA8A587B503A5C5027B6FAD9CA7626B1AD8C62219E8502A5C21E
    Key-Arg   : None
    Start Time: 1242985143
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
GET / HTTP/1.0

HTTP/1.1 200 OK
Date: Fri, 22 May 2009 09:39:13 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8a DAV/2
Last-Modified: Thu, 21 May 2009 21:26:30 GMT
ETag: "341f3-2c-46a72cc211a8f"
Accept-Ranges: bytes
Content-Length: 44
Connection: close
Content-Type: text/html

<html><body><h1>It works!</h1></body></html>
read:errno=0
ZFS Encryption

zfs create -o encryption=on rpool/export/project

Two keys are involved:
• wrapping key (user settable), supplied via prompt, file://, https:// or pkcs11:
• encryption key (random, not user settable)

Available ciphers: aes-128-ccm (=on), aes-192-ccm, aes-256-ccm, aes-128-gcm, aes-192-gcm, aes-256-gcm

zfs set checksum=sha256+mac <dataset>
Unless encryption=off, something like this happens automatically, and the checksum property is read-only from then on.

# pktool genkey keystore=pkcs11 keytype=aes keylen=128 label=mykey
Enter PIN for Sun Software PKCS#11 softtoken :
# zfs create -o encryption=on -o keysource=raw,pkcs11:object=mykey tank/project/C
Enter PKCS#11 token PIN for 'tank/project/C':

# zfs create -o encryption=on -o keysource=raw,https://keys.example.com/mykey tank/project/R
# cp myservercert.pem /etc/certs/CA
# svcadm refresh ca-certificates

Changing the wrapping key:
$ zfs key -c rpool/export/project
Enter new passphrase for 'rpool/export/project':

Changing the encryption key for data written from now on:
zfs key -K tank/project/A
zfs clone -K tank/project/A@montag tank/project/D
Creates a new data encryption key. Data written in the clone uses the new data encryption key, which is distinct from that of its original snapshot.
Solaris Cryptographic Framework

As soon as Solaris detects hardware acceleration for cryptography, Solaris will use it (and so will applications using the Oracle-supplied OpenSSL library or the framework's direct interfaces):
• on-chip crypto accelerator in T-series and current M-series chips
• instruction set extensions in Intel processors (AES-NI)
• supported crypto accelerator cards

Just a side note: T-series crypto acceleration and Intel x86 acceleration have quite different performance characteristics.
T-series: acceleration by offloading crypto outside the pipeline.
Intel x86: acceleration by offering special in-pipeline instructions that speed up execution.
Sounds like splitting hairs.
Using ZFS to do two-factor encryption

jmoekamp@solaris:~$ rmformat
Looking for devices...
     1. Logical Node: /dev/rdsk/c10t0d0p0
        Physical Node: /pci@0,0/pci8086,265c@b/storage@2/disk@0,0
        Connected Device: SanDisk  U3 Cruzer Micro  8.02
        Device Type: Removable
        Bus: USB
        Size: 3.8 GB
        Label:
        Access permissions: Medium is not write protected
(...)
     3. Logical Node: /dev/rdsk/c9t0d0p0
        Physical Node: /pci@0,0/pci8086,265c@b/storage@1/disk@0,0
        Connected Device: SanDisk  U3 Cruzer Micro  8.02
        Device Type: Removable
        Bus: USB
        Size: 3.8 GB
        Label:
        Access permissions: Medium is not write protected

root@solaris:~# zpool create a_keystore_usbstick /dev/dsk/c10t0d0p0
root@solaris:~# zpool create datastick /dev/dsk/c9t0d0p0

root@solaris:~# zfs create -o encryption=on a_keystore_usbstick/keys
Enter passphrase for 'a_keystore_usbstick/keys': supersecret
Enter again: supersecret

root@solaris:~# pktool genkey keystore=file keytype=aes keylen=128 outkey=/a_keystore_usbstick/keys/joergsdatastick.key

root@solaris:~# zfs create -o encryption=on -o keysource=raw,file:///a_keystore_usbstick/keys/joergsdatastick.key datastick/joergssecrets

root@solaris:/datastick/joergssecrets# mv /home/jmoekamp/highlyconfidential_nda_preso.tgz .

root@solaris:~# zpool export a_keystore_usbstick
root@solaris:~# zpool export datastick

root@solaris:~# zpool import a_keystore_usbstick
Enter passphrase for 'a_keystore_usbstick/keys': supersecret
root@solaris:~#

root@solaris:~# zpool import datastick
root@solaris:~# cd /datastick/joergssecrets
root@solaris:/datastick/joergssecrets# ls
highconfidential_nda_preso.tgz
Basic Auditing and Reporting Tool

mkdir /bart-files
bart create -R /etc > /bart-files/etc.control.manifest

cat etc.control.manifest | grep nsswitch.nisplus
/nsswitch.nisplus F 2525 100644 user::rw-,group::r--,mask:r--,other:r-- 473976b5 0 3 79e8fd689a5221d1cd059e5077da71b8

touch /etc/thisisjustatest
chmod 777 /etc/nsswitch.files
echo "just a test" >> /etc/nsswitch.nisplus

bart create -R /etc > /bart-files/etc.check.20130911.manifest

cd /bart-files
bart compare etc.control.manifest etc.check.20130911.manifest
/nsswitch.files:
  mode  control:100644  test:100777
  acl  control:user::rw-,group::r--,mask:r--,other:r--  test:user::rwx,group::rwx,mask:rwx,other:rwx
/nsswitch.nisplus:
  size  control:2525  test:2538
  mtime  control:473976b5  test:47a44862
  contents  control:79e8fd689a5221d1cd059e5077da71b8  test:3f79176ec352441db11ec8a3d02ef67c
/thisisjustatest:
  add

Find more information regarding this feature at http://www.c0t0d0s0.org/archives/4069-Less-known-Solaris-features-BART.html
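The comparison bart compare performs, as an added example that is not part of the slides or of bart(1M) itself: it parses two manifests in the per-file format shown above and reports the attributes that differ, in the same layout. Both manifests are constructed to mirror the demo (the chmod, the appended line, the new file); the checksums and sizes of the untouched entries are made up.

```python
"""BART-style manifest comparison (added example, not code from the slides or from bart(1M)).

bart(1M) writes one line per file; for regular files the fields are
    /name F size mode acl mtime uid gid contents
and `bart compare` prints, per changed file, the attributes that differ.
The two manifests below are constructed to mirror the demo: chmod 777 on
nsswitch.files, a line appended to nsswitch.nisplus and a new file
thisisjustatest; checksums and sizes of the other entries are made up.
"""
from typing import Dict, List, Tuple

# Attribute names in the order bart writes (and reports) them.
FIELDS = ("type", "size", "mode", "acl", "mtime", "uid", "gid", "contents")
ACL_RO = "user::rw-,group::r--,mask:r--,other:r--"

CONTROL_MANIFEST = f"""\
! Version 1.0
#fname F size mode acl mtime uid gid contents
/nsswitch.files F 1080 100644 {ACL_RO} 473976b5 0 3 c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1
/nsswitch.nisplus F 2525 100644 {ACL_RO} 473976b5 0 3 79e8fd689a5221d1cd059e5077da71b8
/passwd F 900 100644 {ACL_RO} 473976b5 0 3 d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2
"""

TEST_MANIFEST = f"""\
! Version 1.0
#fname F size mode acl mtime uid gid contents
/nsswitch.files F 1080 100777 user::rwx,group::rwx,mask:rwx,other:rwx 473976b5 0 3 c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1c1
/nsswitch.nisplus F 2538 100644 {ACL_RO} 47a44862 0 3 3f79176ec352441db11ec8a3d02ef67c
/passwd F 900 100644 {ACL_RO} 473976b5 0 3 d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2
/thisisjustatest F 0 100644 {ACL_RO} 47a44870 0 0 d41d8cd98f00b204e9800998ecf8427e
"""


def parse_manifest(text: str) -> Dict[str, Dict[str, str]]:
    """Return {filename: {attribute: value}} for the entries of a manifest."""
    entries: Dict[str, Dict[str, str]] = {}
    for line in text.splitlines():
        if not line or line[0] in "!#":
            continue                          # header and comment lines
        name, *values = line.split()
        # Directory entries ("D") carry no contents checksum.
        keys = FIELDS[:-1] if values[0] == "D" else FIELDS
        entries[name] = dict(zip(keys, values))
    return entries


def compare_manifests(control: Dict[str, Dict[str, str]],
                      test: Dict[str, Dict[str, str]]) -> Dict[str, List[Tuple[str, str, str]]]:
    """Return {filename: [(attribute, control_value, test_value), ...]}.

    Files only in the test manifest get a single ("add", "", "") entry and
    files only in the control manifest ("delete", "", ""), the keywords
    bart compare prints. Unchanged files are not reported.
    """
    report: Dict[str, List[Tuple[str, str, str]]] = {}
    for name in sorted(set(control) | set(test)):
        if name not in control:
            report[name] = [("add", "", "")]
        elif name not in test:
            report[name] = [("delete", "", "")]
        else:
            diffs = [(attr, control[name].get(attr, ""), test[name].get(attr, ""))
                     for attr in FIELDS
                     if control[name].get(attr) != test[name].get(attr)]
            if diffs:
                report[name] = diffs
    return report


def render_report(report: Dict[str, List[Tuple[str, str, str]]]) -> str:
    """Format the comparison the way bart compare prints it."""
    lines = []
    for name, diffs in report.items():
        lines.append(f"{name}:")
        for attr, ctl, tst in diffs:
            if attr in ("add", "delete"):
                lines.append(f"  {attr}")
            else:
                lines.append(f"  {attr}  control:{ctl}  test:{tst}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(compare_manifests(parse_manifest(CONTROL_MANIFEST),
                                          parse_manifest(TEST_MANIFEST))))
```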
Apropos Auditing

Auditing is activated by default.

root@client:~# auditconfig -getflags
active user default audit flags = lo(0x1000,0x1000)
configured user default audit flags = lo(0x1000,0x1000)
root@client:~# auditconfig -getnaflags
active non-attributable audit flags = lo(0x1000,0x1000)
configured non-attributable audit flags = lo(0x1000,0x1000)

root@client:~# auditconfig -getpolicy
configured audit policies = cnt
active audit policies = cnt
Policy regarding auditing (explanation on the next slide).

root@client:~# auditconfig -lspolicy
policy string    description:
ahlt             halt machine if it can not record an async event
all              all policies
arge             include exec environment args in audit recs
argv             include exec command line args in audit recs
cnt              when no more space, drop recs and keep a cnt
group            include supplementary groups in audit recs
none             no policies
path             allow multiple paths per event
perzone          use a separate queue and auditd per zone
public           audit public files
seq              include a sequence number in audit recs
trail            include trailer token in audit recs
windata_down     include downgraded window information in audit recs
windata_up       include upgraded window information in audit recs
zonename         include zonename token in audit recs
Which degree of detail? What happens with full disks?

root@client:~# auditconfig -getplugin
Plugin: audit_binfile (active)
        Attributes: p_dir=/var/audit;p_fsize=0;p_minfree=1;
Plugin: audit_syslog (inactive)
        Attributes: p_flags=;
Plugin: audit_remote (inactive)
        Attributes: p_hosts=;p_retries=3;p_timeout=5;

root@client:~# auditconfig -setflags lo,ps,fw
user default audit flags = ps,lo,fw(0x101002,0x101002)
root@client:~# auditconfig -setnaflags lo,na
non-attributable audit flags = lo,na(0x1400,0x1400)
lo and na are the only sensible flags for non-attributable events.

root@client:~# usermod -K audit_flags=fw,as junior

root@client:~# auditconfig -lsevent | grep " lo "
AUE_login                       6152 lo      login - local
AUE_logout                      6153 lo      logout
AUE_telnet                      6154 lo      login - telnet
AUE_rlogin                      6155 lo      login - rlogin
AUE_rshd                        6158 lo      rsh access
AUE_su                          6159 lo      su
AUE_rexecd                      6162 lo      rexecd
AUE_passwd                      6163 lo      passwd
AUE_rexd                        6164 lo      rexd
AUE_ftpd                        6165 lo      ftp access
AUE_ftpd_logout                 6171 lo      ftp logout
AUE_ssh                         6172 lo      login - ssh
AUE_role_login                  6173 lo      role login
AUE_rad_login                   6174 lo      connect to RAD
AUE_newgrp_login                6212 lo      newgrp login
AUE_admin_authenticate          6213 lo      admin login
AUE_screenlock                  6221 lo      screenlock - lock
AUE_screenunlock                6222 lo      screenlock - unlock
AUE_zlogin                      6227 lo      login - zlogin
AUE_su_logout                   6228 lo      su logout
AUE_role_logout                 6229 lo      role logout
AUE_smbd_session                6244 lo      smbd(1m) session setup
AUE_smbd_logoff                 6245 lo      smbd(1m) session logoff

root@client:~# auditconfig -lsevent | grep " ps "
AUE_EXIT                           1 ps      exit(2)
AUE_FORKALL                        2 ps      forkall(2)
AUE_VFORK                         25 ps      vfork(2)
AUE_FORK1                        241 ps      fork1(2)
root@client:~# auditconfig -lsevent | grep " fw "
AUE_OPEN_W                        76 fw      open(2) - write

auditreduce -c ps /var/audit/20130912183630.not_terminated.client | praudit
header,139,2,execve(2),,client,2013-09-12 18:40:55.924 +00:00
path,/usr/sbin/auditreduce
attribute,100555,root,bin,65538,65875,18446744073709551615
subject,jmoekamp,root,root,root,root,2054,1440080956,2480 202240 192.168.10.1
return,success,0

root@client:~# auditconfig -setflags all
user default audit flags = all(0xffffffffffffffff,0xffffffffffffffff)
Not always (in the sense of never) a good idea.
Useful after trying out: starting a new audit file.
root@client:~# audit -n

root@client:~# auditstat
  gen  nona  kern  aud  ctl    enq   wrtn wblk rblk drop  tot mem
38248     1 38233   14    0  37791  37788    0 3491  457 5169   0
all activated for a few seconds on an unloaded system
SSH and X509

root@ca:~# CA.pl -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
......++++++
......++++++
writing new private key to '/etc/openssl/private/cakey.pem'
Enter PEM pass phrase: supersecret1
Verifying - Enter PEM pass phrase: supersecret1
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:DE
State or Province Name (full name) []:Lower Saxony
Locality Name (eg, city) []:Lueneburg
Organization Name (eg, company) []:c0t0d0s0.org
Organizational Unit Name (eg, section) []:Security Department
Common Name (eg, server FQDN or YOUR name) []:CA
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openssl/openssl.cnf
Enter pass phrase for /etc/openssl/private/cakey.pem: supersecret1
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: b354808866ade878
        Validity
            Not Before: Sep 26 10:11:09 2013 GMT
            Not After : Sep 25 10:11:09 2016 GMT
        Subject:
            countryName               = DE
            stateOrProvinceName       = Lower Saxony
            organizationName          = c0t0d0s0.org
            organizationalUnitName    = Security Department
            commonName                = CA
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                5B1F2F7186123040501552818D525AA5597E3644
            X509v3 Authority Key Identifier:
                keyid:5B1F2F7186123040501552818D525AA5597E3644
            X509v3 Basic Constraints:
                CA:TRUE
Certificate is to be certified until Sep 25 10:11:09 2016 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated

root@ca:~# mkdir server
root@ca:~# cd server
root@ca:~/server# CA.pl -newreq
Generating a 1024 bit RSA private key
......++++++
......++++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase: supersecret2
Verifying - Enter PEM pass phrase: supersecret2
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:DE
State or Province Name (full name) []:Lower Saxony
Locality Name (eg, city) []:Lueneburg
Organization Name (eg, company) []:c0t0d0s0.org
Organizational Unit Name (eg, section) []:Server Certificates
Common Name (eg, server FQDN or YOUR name) []:server
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem

root@ca:~/server# CA.pl -signreq
Using configuration from /etc/openssl/openssl.cnf
Enter pass phrase for /etc/openssl/private/cakey.pem: supersecret1
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: b354808866ade879
        Validity
            Not Before: Sep 26 10:29:12 2013 GMT
            Not After : Sep 26 10:29:12 2014 GMT
        Subject:
            countryName               = DE
            stateOrProvinceName       = Lower Saxony
            localityName              = Lueneburg
            organizationName          = c0t0d0s0.org
            organizationalUnitName    = Server Certificates
            commonName                = server
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                A7DC03DEB3D5FBF9C006F11A55A9AD04C49C10FA
            X509v3 Authority Key Identifier:
                keyid:5B1F2F7186123040501552818D525AA5597E3644
Certificate is to be certified until Sep 26 10:29:12 2014 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
root@ca:~/server# ls -l
total 15
-rw-r--r--   1 root     root        3196 Sep 26 12:29 newcert.pem
-rw-r--r--   1 root     root        1041 Sep 26 12:28 newkey.pem
-rw-r--r--   1 root     root         680 Sep 26 12:28 newreq.pem

root@ca:~/junior# CA.pl -newreq
Generating a 1024 bit RSA private key
......++++++
......++++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
Verify failure
Enter PEM pass phrase: supersecret3
Verifying - Enter PEM pass phrase: supersecret3
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:DE
State or Province Name (full name) []:Lower Saxony
Locality Name (eg, city) []:Lueneburg
Organization Name (eg, company) []:c0t0d0s0.org
Organizational Unit Name (eg, section) []:User certificates
Common Name (eg, server FQDN or YOUR name) []:junior
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem

root@ca:~/junior# CA.pl -signreq
Using configuration from /etc/openssl/openssl.cnf
Enter pass phrase for /etc/openssl/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: b354808866ade87a
        Validity
            Not Before: Sep 26 11:09:29 2013 GMT
            Not After : Sep 26 11:09:29 2014 GMT
        Subject:
            countryName               = DE
            stateOrProvinceName       = Lower Saxony
            localityName              = Lueneburg
            organizationName          = c0t0d0s0.org
            organizationalUnitName    = User certificates
            commonName                = junior
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                A1F2FC9D8AE2AD9AF52903F5B714933C64628E9C
            X509v3 Authority Key Identifier:
                keyid:5B1F2F7186123040501552818D525AA5597E3644
Certificate is to be certified until Sep 26 11:09:29 2014 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
root@server:~# useradd -m junior
80 blocks
root@server:~# passwd junior
New Password:
Re-enter new Password:
passwd: password successfully changed for junior
root@server:~#

root@client:~# useradd -m junior
80 blocks
root@client:~# passwd junior
New Password:
Re-enter new Password:
passwd: password successfully changed for junior

root@server:~# echo "192.168.10.51 server" >> /etc/hosts
root@server:~# echo "192.168.10.52 client" >> /etc/hosts

root@client:~# echo "192.168.10.51 server" >> /etc/hosts
root@client:~# echo "192.168.10.52 client" >> /etc/hosts

root@ca:~/server# scp /etc/openssl/cacert.pem jmoekamp@192.168.1.109:/export/home/jmoekamp
Password:
cacert.pem           100% |*****************************|  3011       00:00
root@ca:~/server# scp newcert.pem jmoekamp@192.168.1.109:/export/home/jmoekamp
Password:
newcert.pem          100% |*****************************|  3196       00:00
root@ca:~/server# scp newkey.pem jmoekamp@192.168.1.109:/export/home/jmoekamp
Password:
newkey.pem           100% |*****************************|  1041       00:00

root@ca:~/junior# scp newkey.pem junior@client:/export/home/junior
Password:
newkey.pem           100% |*****************************|  1041       00:00
root@ca:~/junior# scp newcert.pem junior@client:/export/home/junior
Password:
newcert.pem          100% |*****************************|  3190       00:00
root@ca:~/junior# scp /etc/openssl/cacert.pem junior@192.168.1.104:/export/home/junior
Password:
cacert.pem           100% |*****************************|  3011       00:00

On the Server

root@server:~# ls
cacert.pem  newcert.pem  newkey.pem

root@server:~# pktool setpin
Enter token passphrase: changeme
Create new passphrase: superserversecret
Re-enter new passphrase: superserversecret
Passphrase changed.
root@server:~#

root@server:~# printf "superserversecret" > /etc/ssh/pinfile

root@server:~# kmfcfg create dbfile=/etc/ssh/policy.xml policy=ssh ta-name=search mapper-name=cn

root@server:~# echo "TrustedAnchorKeystore /etc/ssh/cert" >> /etc/ssh/sshd_config
root@server:~# echo "KMFPolicyDatabase /etc/ssh/policy.xml" >> /etc/ssh/sshd_config
root@server:~# echo "KMFPolicyName ssh" >> /etc/ssh/sshd_config
root@server:~# echo "HostKey pkcs11:object=host;token=Sun Metaslot;pinfile=/etc/ssh/pinfile" >> /etc/ssh/sshd_config

root@server:~# pktool import keystore=pkcs11 infile=newkey.pem objtype=key label=host
Enter PIN for Sun Software PKCS#11 softtoken : superserversecret
Enter PEM pass phrase: supersecret2
Importing 1 keys

root@server:~# egrep -v '^ |^$|^Cert' /export/home/jmoekamp/cacert.pem > /etc/ssh/cert/cacert.cooked.pem
root@server:~# egrep -v '^ |^$|^Cert' newcert.pem > newcert.cooked.pem
root@server:~# pktool import keystore=pkcs11 infile=newcert.cooked.pem objtype=cert label=host
root@server:~#

On the client

junior@client:~$ ls *.pem
cacert.pem  newcert.pem  newkey.pem

root@client:~# kmfcfg create dbfile=/etc/ssh/policy.xml policy=ssh ta-name=search mapper-name=cn
root@client:~# egrep -v '^ |^$|^Cert' /export/home/junior/cacert.pem > /etc/ssh/cert/cacert.cooked.pem

junior@client:~$ pktool setpin
Enter token passphrase: changeme
Create new passphrase: superusersecret
Re-enter new passphrase: superusersecret
Passphrase changed.

junior@client:~$ pktool import keystore=pkcs11 infile=newkey.pem objtype=key label=user
Enter PIN for Sun Software PKCS#11 softtoken : superusersecret
Enter PEM pass phrase: supersecret3
Importing 1 keys
junior@client:~$ egrep -v '^ |^$|^Cert' newcert.pem > newcert.cooked.pem
junior@client:~$ pktool import keystore=pkcs11 infile=newcert.cooked.pem objtype=cert label=user

Testing it

root@server:~# svcadm disable ssh
root@server:~# svcadm enable ssh

junior@client:~$ cd .ssh
junior@client:~/.ssh$ printf "superusersecret" >> pinfile
junior@client:~/.ssh$ cat config
Host server-x509
    Hostname server
    TrustedAnchorKeystore /etc/ssh/cert
    KMFPolicyDatabase /etc/ssh/policy.xml
    KMFPolicyName ssh
    IdentityFile pkcs11:object=user;token=Sun Software PKCS#11 softtoken;pinfile=/export/home/junior/.ssh/pinfile

junior@client:~/.ssh$ ssh junior@server-x509
Last login: Thu Sep 26 20:07:14 2013 from client
Oracle Corporation      SunOS 5.11      11.1    September 2013
junior@server:~$

Find more information regarding this feature at http://www.c0t0d0s0.org/archives/7659-Using-X509-support-for-SSH-on-Solaris-11.1.html
OpenSCAP

"The Security Content Automation Protocol (SCAP) is a method for using specific standards to enable automated vulnerability management, measurement, and policy compliance evaluation (e.g., FISMA compliance). The National Vulnerability Database (NVD) is the U.S. government content repository for SCAP."
http://en.wikipedia.org/wiki/Security_Content_Automation_Protocol

ftp-banner.xml:
<?xml version="1.0" encoding="UTF-8"?>
<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:independent-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd">
  <generator>
    <oval:product_name>Enhanced SCAP Editor</oval:product_name>
    <oval:product_version>0.0.11</oval:product_version>
    <oval:schema_version>5.8</oval:schema_version>
    <oval:timestamp>2012-10-11T10:33:25</oval:timestamp>
  </generator>
  <!--generated.oval.base.identifier=com.oracle.solaris11-->
  <definitions>
    <definition id="oval:com.oracle.solaris11:def:840" version="1" class="compliance">
      <metadata>
        <title>Enable a Warning Banner for the FTP Service</title>
        <affected family="unix">
          <platform>Oracle Solaris 11</platform>
        </affected>
        <description>/etc/proftpd.conf contains DisplayConnect /etc/issue</description>
      </metadata>
      <criteria operator="AND" negate="false" comment="Single test">
        <criterion comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;" test_ref="oval:com.oracle.solaris11:tst:8400" negate="false"/>
      </criteria>
    </definition>
  </definitions>
  <tests>
    <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:com.oracle.solaris11:tst:8400" version="1" check="all" comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;" check_existence="all_exist">
      <object object_ref="oval:com.oracle.solaris11:obj:8400"/>
    </textfilecontent54_test>
  </tests>
  <objects>
    <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:com.oracle.solaris11:obj:8400" version="1" comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;">
      <path datatype="string" operation="equals">/etc</path>
      <filename datatype="string" operation="equals">proftpd.conf</filename>
      <pattern datatype="string" operation="pattern match">^DisplayConnect\s/etc/issue\s*$</pattern>
      <instance datatype="int" operation="greater than or equal">1</instance>
    </textfilecontent54_object>
  </objects>
</oval_definitions>

$ oscap oval eval ftp-banner.xml
Definition oval:com.oracle.solaris11:def:840: false
Evaluation done.

$ oscap oval eval --results results.xml --report report.html ftp-banner.xml
Definition oval:com.oracle.solaris11:def:840: false
Evaluation done.
OVAL Results are exported correctly.
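How oscap arrives at "false" for this definition, as an added example that is not part of the slides or of OpenSCAP: a small evaluator that follows the definition, criterion, test and object chain of ftp-banner.xml for the textfilecontent54 test type and applies the pattern to an in-memory /etc/proftpd.conf. The embedded XML is a trimmed, re-typed copy of the definition above (only the elements the evaluator needs); the two configuration files are constructed.

```python
"""Offline evaluation of the ftp-banner.xml OVAL definition (added example,
not code from the slides or from OpenSCAP).

Chain followed, as oscap does it: definition -> criteria -> criterion
-> textfilecontent54_test -> textfilecontent54_object. The object names
a file, a regular expression and which instances of a match to collect;
with check_existence="all_exist" the test is true when at least one
instance was collected. The XML is a trimmed copy of the definition on the
slides; the proftpd.conf contents are constructed.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict

NS = {
    "def": "http://oval.mitre.org/XMLSchema/oval-definitions-5",
    "ind": "http://oval.mitre.org/XMLSchema/oval-definitions-5#independent",
}
DEF_ID = "oval:com.oracle.solaris11:def:840"

OVAL_XML = r"""<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
  <definitions>
    <definition id="oval:com.oracle.solaris11:def:840" version="1" class="compliance">
      <criteria operator="AND" negate="false" comment="Single test">
        <criterion comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;"
                   test_ref="oval:com.oracle.solaris11:tst:8400" negate="false"/>
      </criteria>
    </definition>
  </definitions>
  <tests>
    <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"
        id="oval:com.oracle.solaris11:tst:8400" version="1" check="all" check_existence="all_exist">
      <object object_ref="oval:com.oracle.solaris11:obj:8400"/>
    </textfilecontent54_test>
  </tests>
  <objects>
    <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"
        id="oval:com.oracle.solaris11:obj:8400" version="1">
      <path datatype="string" operation="equals">/etc</path>
      <filename datatype="string" operation="equals">proftpd.conf</filename>
      <pattern datatype="string" operation="pattern match">^DisplayConnect\s/etc/issue\s*$</pattern>
      <instance datatype="int" operation="greater than or equal">1</instance>
    </textfilecontent54_object>
  </objects>
</oval_definitions>
"""

# Constructed /etc/proftpd.conf contents for the two outcomes.
NONCOMPLIANT_FILES = {"/etc/proftpd.conf": 'ServerName "ProFTPD"\nPort 21\n'}
COMPLIANT_FILES = {"/etc/proftpd.conf": 'ServerName "ProFTPD"\nDisplayConnect /etc/issue\nPort 21\n'}

# OVAL integer operations used by the <instance> element.
INT_OPS = {
    "equals": lambda got, want: got == want,
    "not equal": lambda got, want: got != want,
    "greater than": lambda got, want: got > want,
    "greater than or equal": lambda got, want: got >= want,
    "less than": lambda got, want: got < want,
    "less than or equal": lambda got, want: got <= want,
}


def eval_textfilecontent54(obj: ET.Element, files: Dict[str, str]) -> bool:
    """Collect the matching instances of one object; true if any were collected.

    Supports 'equals' for path/filename and 'pattern match' for the pattern,
    which is all this definition uses. A missing file collects nothing, so
    check_existence="all_exist" fails for it.
    """
    path = obj.find("ind:path", NS).text
    filename = obj.find("ind:filename", NS).text
    pattern = obj.find("ind:pattern", NS).text
    instance = obj.find("ind:instance", NS)
    content = files.get(f"{path}/{filename}")
    if content is None:
        return False
    matches = re.findall(pattern, content, re.MULTILINE)
    op, wanted = INT_OPS[instance.get("operation")], int(instance.text)
    collected = [i for i in range(1, len(matches) + 1) if op(i, wanted)]
    return len(collected) > 0


def eval_criteria(node: ET.Element, tests: Dict[str, ET.Element],
                  objects: Dict[str, ET.Element], files: Dict[str, str]) -> bool:
    """Evaluate a <criteria> node: AND/OR over nested criteria and criterion children."""
    results = []
    for child in node:
        tag = child.tag.split("}")[1]
        if tag == "criteria":
            value = eval_criteria(child, tests, objects, files)
        elif tag == "criterion":
            test = tests[child.get("test_ref")]
            obj = objects[test.find("ind:object", NS).get("object_ref")]
            value = eval_textfilecontent54(obj, files)
        else:
            continue                        # extend_definition is not needed here
        results.append(not value if child.get("negate", "false") == "true" else value)
    value = all(results) if node.get("operator", "AND") == "AND" else any(results)
    return not value if node.get("negate", "false") == "true" else value


def evaluate_definition(oval_xml: str, files: Dict[str, str], def_id: str) -> bool:
    """Return the result oscap would print for one definition id."""
    root = ET.fromstring(oval_xml)
    tests = {t.get("id"): t for t in root.find("def:tests", NS)}
    objects = {o.get("id"): o for o in root.find("def:objects", NS)}
    definition = root.find(f"def:definitions/def:definition[@id='{def_id}']", NS)
    return eval_criteria(definition.find("def:criteria", NS), tests, objects, files)


if __name__ == "__main__":
    for label, files in (("noncompliant", NONCOMPLIANT_FILES), ("compliant", COMPLIANT_FILES)):
        result = evaluate_definition(OVAL_XML, files, DEF_ID)
        print(f"Definition {DEF_ID}: {str(result).lower()}  ({label} proftpd.conf)")
```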
To create your own OVAL files: Enhanced SCAP Content Editor

Find more information regarding this feature at https://blogs.oracle.com/darren/entry/compliance_reporting_with_scap
Sandboxing applications on Solaris 11.1

root@solaris:~# profiles -p "MySQL Service"
MySQL Service> set desc="Locking down the MySQL Service"
MySQL Service> add cmd=/lib/svc/method/mysql_51
MySQL Service:mysql_51> set privs=basic
MySQL Service:mysql_51> add privs={net_privaddr}:3306/tcp
MySQL Service:mysql_51> add privs={file_write}:/var/mysql/5.1/data/*
MySQL Service:mysql_51> add privs={file_write}:/tmp/mysql.sock
MySQL Service:mysql_51> add privs={file_write}:/var/tmp/ib*
MySQL Service:mysql_51> end
MySQL Service> set uid=mysql
MySQL Service> set gid=mysql
MySQL Service> exit
root@solaris:~#

root@solaris:~# svccfg -s mysql:version_51
svc:/application/database/mysql:version_51> setprop method_context/profile="MySQL Service"
svc:/application/database/mysql:version_51> setprop method_context/use_profile=true
svc:/application/database/mysql:version_51> refresh
svc:/application/database/mysql:version_51> exit

root@solaris:~# ipadm set-prop -p extra_priv_ports+=3306 tcp
root@solaris:~# ipadm show-prop -p extra_priv_ports tcp
PROTO PROPERTY              PERM CURRENT      PERSISTENT   DEFAULT      POSSIBLE
tcp   extra_priv_ports      rw   2049,4045,   --           2049,4045    1-65535
                                 3306

svcadm enable mysql:version_51

root@solaris:~# ppriv $(pgrep mysql)
103697: /usr/mysql/5.1/bin/mysqld --basedir=/usr/mysql/5.1 --datadir=/var/mysq
flags = PRIV_XPOLICY
        Extended policies:
                {net_privaddr}:3306/tcp
                {file_write}:/var/mysql/5.1/data/*
                {file_write}:/tmp/mysql.sock
                {file_write}:/var/tmp/ib*
        E: basic,!file_write
        I: basic,!file_write
        P: basic,!file_write
        L: all
103609: /bin/sh /usr/mysql/5.1/bin/mysqld_safe --user=mysql --datadir=/var/mys
flags = PRIV_XPOLICY
        Extended policies:
                {net_privaddr}:3306/tcp
                {file_write}:/var/mysql/5.1/data/*
                {file_write}:/tmp/mysql.sock
                {file_write}:/var/tmp/ib*
        E: basic,!file_write
        I: basic,!file_write
        P: basic,!file_write
        L: all

Find more information regarding this feature at https://blogs.oracle.com/gfaden/entry/oracle_solaris_extended_policy_and
Passwords

root@client:/etc/security# cat /etc/security/crypt.conf
#
# Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
#ident  "%Z%%M% %I%     %E% SMI"
#
# The algorithm name __unix__ is reserved.
#
1       crypt_bsdmd5.so.1
2a      crypt_bsdbf.so.1
md5     crypt_sunmd5.so.1
5       crypt_sha256.so.1
6       crypt_sha512.so.1

root@client:/etc/security# cat /etc/security/policy.conf | egrep "^CRYPT_DEFAULT"
CRYPT_DEFAULT=5
root@client:/etc/security# cat /etc/shadow | grep junior
junior:$5$4aKvDFqA$2kL8GpuXjrdf8XpanqhylEP5lDhy1DF5uo1ZYx74f3:15929::::::1440

root@client:/etc/security# cat /etc/default/passwd | grep -v "^# " | egrep -v "^$|^#$"
#ident  "%Z%%M% %I%     %E% SMI"
MAXWEEKS=
MINWEEKS=
PASSLENGTH=6
NAMECHECK=NO
HISTORY=0
MINDIFF=3
MINALPHA=2
MINNONALPHA=1
MINUPPER=0
MINLOWER=0
MAXREPEATS=0
MINSPECIAL=0
MINDIGIT=0
WHITESPACE=YES
DICTIONLIST=
DICTIONDBDIR=/var/passwd

root@client:~# mkpwdict -s /usr/share/lib/dict/words
mkpwdict: using default database location: /var/passwd.
or
root@client:~# mkpwdict -s /usr/share/lib/dict/words -d /var/passwd
Address Space Layout Randomization
c0t0d0s0org24
rootsolaris sxadm exec -s aslr=disable usrbinpmap self1914 usrbinpmap self1914 usrbinpmap self0000000000400000 28K r-x-- usrbinpmap0000000000417000 4K rw--- usrbinpmap0000000000418000 40K rw--- [ heap ]FFFF80FFBDDD0000 216K r-x-- libamd64libprocso1FFFF80FFBDE16000 8K rw--- libamd64libprocso1FFFF80FFBF430000 1764K r-x-- libamd64libcso1FFFF80FFBF5F9000 64K rw--- libamd64libcso1FFFF80FFBF609000 12K rw--- libamd64libcso1FFFF80FFBF740000 4K rw--- [ anon ]FFFF80FFBF750000 24K rwx-- [ anon ]FFFF80FFBF760000 4K rw--- [ anon ]FFFF80FFBF770000 4K rw--- [ anon ]FFFF80FFBF780000 4K rw--- [ anon ]FFFF80FFBF790000 4K rw--- [ anon ]FFFF80FFBF792000 4K r--s- [ anon ]FFFF80FFBF795000 340K r-x-- libamd64ldso1FFFF80FFBF7FA000 12K rwx-- libamd64ldso1FFFF80FFBF7FD000 8K rwx-- libamd64ldso1FFFF80FFBFFFD000 12K rw--- [ stack ] total 2556K
c0t0d0s0org25
rootsolaris sxadm exec -s aslr=disable usrbinpmap self1915 usrbinpmap self1915 usrbinpmap self0000000000400000 28K r-x-- usrbinpmap0000000000417000 4K rw--- usrbinpmap0000000000418000 40K rw--- [ heap ]FFFF80FFBDDD0000 216K r-x-- libamd64libprocso1FFFF80FFBDE16000 8K rw--- libamd64libprocso1FFFF80FFBF430000 1764K r-x-- libamd64libcso1FFFF80FFBF5F9000 64K rw--- libamd64libcso1FFFF80FFBF609000 12K rw--- libamd64libcso1FFFF80FFBF740000 4K rw--- [ anon ]FFFF80FFBF750000 24K rwx-- [ anon ]FFFF80FFBF760000 4K rw--- [ anon ]FFFF80FFBF770000 4K rw--- [ anon ]FFFF80FFBF780000 4K rw--- [ anon ]FFFF80FFBF790000 4K rw--- [ anon ]FFFF80FFBF792000 4K r--s- [ anon ]FFFF80FFBF795000 340K r-x-- libamd64ldso1FFFF80FFBF7FA000 12K rwx-- libamd64ldso1FFFF80FFBF7FD000 8K rwx-- libamd64ldso1FFFF80FFBFFFD000 12K rw--- [ stack ] total 2556K
c0t0d0s0org26
rootsolaris sxadm exec -s aslr=enable usrbinpmap self1917 usrbinpmap self1917 usrbinpmap self0000000000400000 28K r-x-- usrbinpmap0000000000417000 4K rw--- usrbinpmap0000000000418000 8K rw--- usrbinpmap00000005D6666000 36K rw--- [ heap ]00007FF669C70000 216K r-x-- libamd64libprocso100007FF669CB6000 8K rw--- libamd64libprocso100007FF669CC0000 4K rw--- [ anon ]00007FF669CD0000 24K rwx-- [ anon ]00007FF669CE0000 4K rw--- [ anon ]00007FF669CF0000 1764K r-x-- libamd64libcso100007FF669EB9000 64K rw--- libamd64libcso100007FF669EC9000 12K rw--- libamd64libcso100007FF669ED0000 4K rw--- [ anon ]00007FF669EE0000 4K rw--- [ anon ]00007FF669EF0000 4K rw--- [ anon ]00007FF669EF2000 4K r--s- [ anon ]00007FF669EFC000 340K r-x-- libamd64ldso100007FF669F61000 12K rwx-- libamd64ldso100007FF669F64000 8K rwx-- libamd64ldso1FFFF80DDA254F000 16K rw--- [ stack ] total 2564K
c0t0d0s0org27
root@solaris:~# sxadm exec -s aslr=enable /usr/bin/pmap self
1918:   /usr/bin/pmap self
0000000000400000      28K r-x--  /usr/bin/pmap
0000000000417000       4K rw---  /usr/bin/pmap
0000000000418000       8K rw---  /usr/bin/pmap
000000065B76D000      36K rw---    [ heap ]
00007FFAACFC0000     216K r-x--  /lib/amd64/libproc.so.1
00007FFAAD006000       8K rw---  /lib/amd64/libproc.so.1
00007FFAAD010000       4K rw---    [ anon ]
00007FFAAD020000      24K rwx--    [ anon ]
00007FFAAD030000       4K rw---    [ anon ]
00007FFAAD040000    1764K r-x--  /lib/amd64/libc.so.1
00007FFAAD209000      64K rw---  /lib/amd64/libc.so.1
00007FFAAD219000      12K rw---  /lib/amd64/libc.so.1
00007FFAAD220000       4K rw---    [ anon ]
00007FFAAD230000       4K rw---    [ anon ]
00007FFAAD240000       4K rw---    [ anon ]
00007FFAAD242000       4K r--s-    [ anon ]
00007FFAAD24D000     340K r-x--  /lib/amd64/ld.so.1
00007FFAAD2B2000      12K rwx--  /lib/amd64/ld.so.1
00007FFAAD2B5000       8K rwx--  /lib/amd64/ld.so.1
FFFF80DE1559E000      12K rw---    [ stack ]
c0t0d0s0org28
root@solaris:~# sxadm info
EXTENSION    STATUS                   CONFIGURATION
aslr         enabled (tagged-files)   system default (default)
root@solaris:~# elfdump -d /usr/bin/pmap | grep ASLR
     [33]  SUNW_ASLR         0x2                 ENABLE
root@solaris:~# elfedit -e 'dyn:sunw_aslr disable' /usr/bin/pmap
root@solaris:~# elfdump -d /usr/bin/pmap | grep ASLR
     [33]  SUNW_ASLR         0x1                 DISABLE
c0t0d0s0org29
root@solaris:~# sxadm enable -c model=all aslr
root@solaris:~# sxadm info
EXTENSION    STATUS          CONFIGURATION
aslr         enabled (all)   enabled (all)
root@solaris:~# sxadm disable aslr
root@solaris:~# sxadm info
EXTENSION    STATUS     CONFIGURATION
aslr         disabled   disabled
root@solaris:~# sxadm enable -c model=tagged-files aslr
root@solaris:~# sxadm info
EXTENSION    STATUS                   CONFIGURATION
aslr         enabled (tagged-files)   enabled (tagged-files)
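A quick way to turn the pmap runs above into a pass/fail check is to diff the mapping base addresses between two runs of the same binary. The script below is an added example and not part of the slides: it parses pmap(1) output and counts the mappings whose base moved; the abbreviated runs it embeds are constructed from the addresses shown on the slides. It also lists what did not move. Note what the slides' own output already shows: with aslr=enable the heap, the libraries and the stack move, but the text segment of /usr/bin/pmap stays at 0000000000400000 in every run, because the binary itself is not position independent, so gadgets inside it remain at a known address.

```sh
#!/bin/sh
# Added example: compare two pmap(1) outputs of the same program and count the
# mappings whose base address changed. 0 moved mappings => the layout is static
# (ASLR disabled, or the binary not tagged); >0 => the layout is randomized.

# moved_mappings RUN1 RUN2
# Prints the number of mappings whose base address differs between the two files.
# A mapping is identified by its name plus occurrence number, so the several
# libc.so.1 segments and [ anon ] regions are matched pairwise in order.
moved_mappings() {
    awk '
        # mapping lines: <hex base> <size>K <perms> <name...>; header/total lines skipped
        /^[0-9A-Fa-f]+[ \t]+[0-9]+K[ \t]/ {
            name = $4
            for (i = 5; i <= NF; i++) name = name " " $i
            key = name "#" (++seen[FILENAME, name])
            if (NR == FNR) { base[key] = $1; next }    # first file: remember bases
            if (!(key in base)) next                  # mapping absent in run 1
            if (base[key] != $1) moved++
        }
        END { printf "%d\n", moved + 0 }
    ' "$1" "$2"
}

# fixed_mappings RUN1 RUN2
# Prints the names of mappings that did NOT move (these stay at a known address
# even with ASLR on, e.g. the text segment of a non-PIE binary).
fixed_mappings() {
    awk '
        /^[0-9A-Fa-f]+[ \t]+[0-9]+K[ \t]/ {
            name = $4
            for (i = 5; i <= NF; i++) name = name " " $i
            key = name "#" (++seen[FILENAME, name])
            if (NR == FNR) { base[key] = $1; next }
            if ((key in base) && base[key] == $1) print name
        }
    ' "$1" "$2" | sort -u
}

# aslr_verdict RUN1 RUN2 -> "static" or "randomized"
aslr_verdict() {
    if [ "$(moved_mappings "$1" "$2")" -eq 0 ]; then echo static; else echo randomized; fi
}

# write_samples DIR: constructed pmap excerpts (addresses taken from the slides)
write_samples() {
    cat > "$1/off1" <<'EOF'
1914:   /usr/bin/pmap self
0000000000400000      28K r-x--  /usr/bin/pmap
0000000000417000       4K rw---  /usr/bin/pmap
0000000000418000      40K rw---    [ heap ]
FFFF80FFBF430000    1764K r-x--  /lib/amd64/libc.so.1
FFFF80FFBF5F9000      64K rw---  /lib/amd64/libc.so.1
FFFF80FFBFFFD000      12K rw---    [ stack ]
 total            2556K
EOF
    sed 's/^1914:/1915:/' "$1/off1" > "$1/off2"   # second run, identical layout
    cat > "$1/on1" <<'EOF'
1917:   /usr/bin/pmap self
0000000000400000      28K r-x--  /usr/bin/pmap
0000000000417000       4K rw---  /usr/bin/pmap
00000005D6666000      36K rw---    [ heap ]
00007FF669CF0000    1764K r-x--  /lib/amd64/libc.so.1
00007FF669EB9000      64K rw---  /lib/amd64/libc.so.1
FFFF80DDA254F000      16K rw---    [ stack ]
 total            2564K
EOF
    cat > "$1/on2" <<'EOF'
1918:   /usr/bin/pmap self
0000000000400000      28K r-x--  /usr/bin/pmap
0000000000417000       4K rw---  /usr/bin/pmap
000000065B76D000      36K rw---    [ heap ]
00007FFAAD040000    1764K r-x--  /lib/amd64/libc.so.1
00007FFAAD209000      64K rw---  /lib/amd64/libc.so.1
FFFF80DE1559E000      12K rw---    [ stack ]
EOF
}

dir=$(mktemp -d)
write_samples "$dir"
echo "aslr=disable: $(aslr_verdict "$dir/off1" "$dir/off2"), moved=$(moved_mappings "$dir/off1" "$dir/off2")"
echo "aslr=enable:  $(aslr_verdict "$dir/on1" "$dir/on2"), moved=$(moved_mappings "$dir/on1" "$dir/on2")"
echo "still fixed with aslr=enable: $(fixed_mappings "$dir/on1" "$dir/on2" | tr '\n' ' ')"
```

On a Solaris box, replace the constructed files with two real captures (`sxadm exec -s aslr=enable /usr/bin/pmap self > run1`, and again into run2) and feed those to moved_mappings; a binary tagged DISABLE via elfedit, as shown above, will then report 0 even under model=tagged-files.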
c0t0d0s0org30
pfedit
c0t0d0s0org31
root@template:/etc/apache2/2.2# profiles -p "httpd edit"
profiles:httpd edit> set auths=solaris.admin.edit/etc/apache2/2.2/httpd.conf
profiles:httpd edit> set desc="Edit httpd"
profiles:httpd edit> exit
c0t0d0s0org32
root@template:/etc/apache2/2.2# usermod -P +"httpd edit" junior
c0t0d0s0org33
junior@template:~$ profiles
httpd edit
Basic Solaris User
All
c0t0d0s0org34
junior@template:~$ vi /etc/apache2/2.2/httpd.conf
c0t0d0s0org35
junior@template:~$ pfedit /etc/apache2/2.2/httpd.conf
pfedit: /etc/apache2/2.2/httpd.conf has been updated.
c0t0d0s0org36
junior@template:~$ pfedit /etc/apache2/2.2/mime.types
pfedit: User junior is not authorized to edit the file /etc/apache2/2.2/mime.types
c0t0d0s0org37
root@template:/etc/apache2/2.2# profiles -p "httpd edit"
profiles:httpd edit> info
        name=httpd edit
        desc=Edit httpd
        auths=solaris.admin.edit/etc/apache2/2.2/httpd.conf
profiles:httpd edit> add auths=solaris.admin.edit/etc/apache2/2.2/mime.types
c0t0d0s0org38
junior@template:~$ pfedit /etc/apache2/2.2/mime.types
pfedit: no changes for /etc/apache2/2.2/mime.types
c0t0d0s0org39
root@template:~# profiles -p "httpd configure"
profiles:httpd configure> add always_audit=as
profiles:httpd configure> info
        name=httpd configure
        desc=Configure httpd
        auths=solaris.admin.edit/etc/apache2/2.2/httpd.conf,solaris.admin.edit/etc/apache2/2.2/mime.types
        always_audit=as
        never_audit=no
profiles:httpd configure> exit
root@template:~#
c0t0d0s0org40
root@template:~# auditreduce -c as | praudit
c0t0d0s0org41
[...]
header,486,2,edit administrative file,,fe80::a00:27ff:fea6:33cb,2013-08-12 07:45:52.306 +00:00
subject,junior,junior,staff,junior,staff,4212447467166369 136704 MacBook-Pro-of-c0t0d0s0.fritz.box
path,/etc/apache2/2.2/httpd.conf
use of authorization,solaris.admin.edit/etc/apache2/2.2/httpd.conf
text,--- /etc/apache2/2.2/httpd.conf   Mo Aug 12 07:45:00 2013
+++ /etc/apache2/2.2/httpd.conf.pfedit.1BaGoi   Mo Aug 12 07:45:52 2013
@@ -1,5 +1,6 @@
 Test
 Test 2
+Test 3
 #
 # This is the main Apache HTTP server configuration file.  It contains the
 # configuration directives that give the server its instructions.
return,success,0
c0t0d0s0org42
Delegating the privilege to restart services (so you can keep the root password to yourself)
c0t0d0s0org43
junior@template:~$ svcadm refresh apache22
svcadm: svc:/network/http:apache22: Permission denied.
c0t0d0s0org44
# svcs -a | grep apache22
online         15:30:29 svc:/network/http:apache22
c0t0d0s0org45
# auths add -t "Apache22 value" solaris.smf.value.http/apache22
# auths add -t "Apache22 action" solaris.smf.action.http/apache22
c0t0d0s0org46
# svccfg -s apache22 setprop general/value_authorization = astring: solaris.smf.value.http/apache22
# svccfg -s apache22 setprop general/action_authorization = astring: solaris.smf.action.http/apache22
c0t0d0s0org47
# profiles -p "httpd edit" 'add auths=solaris.smf.action.http/apache22'
c0t0d0s0org48
junior@template:~$ svcadm refresh apache22
junior@template:~$
c0t0d0s0org49
Privileges
c0t0d0s0org50
$ ls -l /usr/sbin/traceroute
-r-sr-xr-x   1 root     bin        42324 Nov 21 00:09 /usr/sbin/traceroute
$ ls -l /usr/sbin/ping
-r-sr-xr-x   1 root     bin        51396 Nov 18 19:31 /usr/sbin/ping
set-uid to root: ping needs it to work.
c0t0d0s0org51
# chmod -s /sbin/ping
# exit
$ ping -s 192.168.1.132
ping: socket Permission denied
Remove the set-uid bit and ping stops working.
c0t0d0s0org52
jmoekamp@daddelkiste:~$ ppriv $$
2153:   -bash
flags = <none>
        E: basic
        I: basic
        P: basic
        L: all
c0t0d0s0org53
The complete set of Solaris 11 privileges (shown as the slide background):
contract_event, contract_identity, contract_observer, cpc_cpu, dtrace_kernel, dtrace_proc, dtrace_user, file_chown, file_chown_self, file_dac_execute, file_dac_read, file_dac_search, file_dac_write, file_downgrade_sl, file_flag_set, file_link_any, file_owner, file_read, file_setid, file_upgrade_sl, file_write, graphics_access, graphics_map, ipc_dac_read, ipc_dac_write, ipc_owner, net_access, net_bindmlp, net_icmpaccess, net_mac_aware, net_mac_implicit, net_observability, net_privaddr, net_rawaccess, proc_audit, proc_chroot, proc_clock_highres, proc_exec, proc_fork, proc_info, proc_lock_memory, proc_owner, proc_priocntl, proc_session, proc_setid, proc_taskid, proc_zone, sys_acct, sys_admin, sys_audit, sys_config, sys_devices, sys_dl_config, sys_flow_config, sys_ib_config, sys_ib_info, sys_ip_config, sys_ipc_config, sys_iptun_config, sys_linkdir, sys_mount, sys_net_config, sys_nfs, sys_ppp_config, sys_res_bind, sys_res_config, sys_resource, sys_share, sys_smb, sys_suser_compat, sys_time, sys_trans_label, win_colormap, win_config, win_dac_read, win_dac_write, win_devices, win_dga, win_downgrade_sl, win_fontpath, win_mac_read, win_mac_write, win_selection, win_upgrade_sl
c0t0d0s0org54
[slide graphic: the full privilege list]
All privileges in their entirety, assigned to one user, are (almost)
c0t0d0s0org55
[slide graphic: the full privilege list]
Neat extension in Solaris 11: the ability to use networking is now a privilege (net_access). It is part of the default basic set of privileges, but you can remove it.
c0t0d0s0org56
jmoekamp@daddelkiste:~$ ppriv -v $$
2153:   -bash
flags = <none>
        E: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
        I: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
        P: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
        L: contract_event,contract_identity,contract_observer,cpc_cpu,dtrace_kernel,dtrace_pro,dtrace_user,file_chown,file_chown_self,file_dac_execute,file_dac_read,file_dac_search,file_dac_write,file_downgrade_sl,file_flag_set,file_link_any,file_owner,file_read,file_setid,file_upgrade_sl,file_write,graphics_access,graphics_map,ipc_dac_read,ipc_dac_write,ipc_owner,net_access,net_bindmlp,net_icmpaccess,net_mac_aware,net_mac_implicit,net_observability,net_privaddr,net_rawaccess,proc_audit,proc_chroot,proc_clock_highres,proc_exec,proc_fork,proc_info,proc_lock_memory,proc_owner,proc_priocntl,proc_session,proc_setid,proc_taskid,proc_zone,sys_acct,sys_admin,sys_audit,sys_config,sys_devices,sys_dl_config,sys_flow_config,sys_ib_config,sys_ib_info,sys_ip_config,sys_ipc_config,sys_iptun_config,sys_linkdir,sys_mount,sys_net_config,sys_nfs,sys_ppp_config,sys_res_bind,sys_res_config,sys_resource,sys_share,sys_smb,sys_suser_compat,sys_time,sys_trans_label,win_colormap,win_config,win_dac_read,win_dac_write,win_devices,win_dga,win_downgrade_sl,win_fontpath,win_mac_read,win_mac_write,win_selection,win_upgrade_sl
c0t0d0s0org57
root@daddelkiste:~# ppriv $$
2183:   -bash
flags = <none>
        E: all
        I: basic
        P: all
        L: all
c0t0d0s0org58
junior@daddelkiste:~$ dtrace -n 'syscall:::entry { @num[execname] = count(); }'
dtrace: failed to initialize dtrace: DTrace requires additional privileges
c0t0d0s0org59
root@daddelkiste:~# usermod -K defaultpriv=basic,dtrace_kernel,dtrace_proc,dtrace_user junior
UX: usermod: junior is currently logged in, some changes may not take effect until next login.
c0t0d0s0org60
junior@daddelkiste:~$ dtrace -n 'syscall:::entry { @num[execname] = count(); }'
dtrace: description 'syscall:::entry' matched 211 probes
^C

  automountd                                                        1
  sshd                                                             24
  dtrace                                                          544
  auditd                                                          564
c0t0d0s0org61
# ps -ef | grep kcfd
  daemon   125     1   0 14:24:19 ?           0:00 /usr/lib/crypto/kcfd
    root   734   728   0 15:54:08 pts/1       0:00 grep kcfd
# ppriv -v 125
125:    /usr/lib/crypto/kcfd
flags = PRIV_AWARE
        E: file_owner,proc_priocntl,sys_devices
        I: none
        P: file_owner,proc_priocntl,sys_devices
        L: none
c0t0d0s0org62
# svcadm -v enable -s apache2
svc:/network/http:apache2 enabled.
c0t0d0s0org63
jmoekamp@client:~$ ps -ef | grep http
webservd  1978  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1979  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1980  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1984  1975   0 12:20:02 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
    root  1975     1   0 12:19:14 ?           0:01 /usr/apache2/2.2/bin/httpd -k start
webservd  1977  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1976  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
c0t0d0s0org64
root@client:~# ppriv 1977
1977:   /usr/apache2/2.2/bin/httpd -k start
flags = <none>
        E: basic
        I: basic
        P: basic
        L: all
root@client:~# ppriv 1975
1975:   /usr/apache2/2.2/bin/httpd -k start
flags = <none>
        E: all
        I: basic
        P: all
        L: all
root@client:~#
c0t0d0s0org65
[slide graphic: the full privilege list]
The Apache parent process running as root has the following privileges (E: all, see above):
c0t0d0s0org66
[slide graphic: the full privilege list]
The other (webservd) processes have the following privileges (E: basic):
c0t0d0s0org67
[slide graphic: the full privilege list]
What Apache really needs:
c0t0d0s0org68
[slide graphic: the full privilege list]
So you grant a large number of privileges to one process that Apache doesn't need.
c0t0d0s0org69
# svcadm -v disable -s apache2
svc:/network/http:apache2 disabled.
c0t0d0s0org70
root@client:~# svccfg -s apache22
svc:/network/http:apache22> setprop start/user = astring: webservd
svc:/network/http:apache22> setprop start/group = astring: webservd
svc:/network/http:apache22> setprop start/privileges = astring: basic,!proc_session,!proc_info,!file_link_any,net_privaddr
svc:/network/http:apache22> setprop start/limit_privileges = astring: :default
svc:/network/http:apache22> setprop start/use_profile = boolean: false
svc:/network/http:apache22> setprop start/supp_groups = astring: :default
svc:/network/http:apache22> setprop start/working_directory = astring: :default
svc:/network/http:apache22> setprop start/project = astring: :default
svc:/network/http:apache22> setprop start/resource_pool = astring: :default
svc:/network/http:apache22> end
root@client:~# svcadm -v refresh apache22
Action refresh set for svc:/network/http:apache22.
c0t0d0s0org71
# echo "LockFile /var/apache2/2.2/logs/accept.lock" >> /etc/apache2/2.2/httpd.conf
# echo "PidFile /var/apache2/2.2/run/httpd.pid" >> /etc/apache2/2.2/httpd.conf
# mkdir -p -m 755 /var/apache2/2.2/run
# chown webservd:webservd /var/apache2/2.2/run
# svcadm enable apache22
c0t0d0s0org72
webservd  3064  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3062  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3063  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3066  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3061     1   0 16:49:17 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3065  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
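Two checks go with the privilege slides above: working out what an SMF start/privileges string such as the one set with svccfg actually yields, and spotting processes whose effective set goes beyond the basic set that an ordinary shell gets (the ppriv output for kcfd and for the root-owned httpd parent). The script below is an added example, not code from the slides; the basic set it uses is the one `ppriv -v $$` printed above, and the ppriv samples are constructed after the kcfd and httpd output on the slides.

```sh
#!/bin/sh
# Added example: two checks around Solaris privilege sets.
#  1. expand_privspec: expand an SMF start/privileges string (the syntax used with
#     `svccfg setprop start/privileges = astring: ...`) into the resulting set.
#  2. privs_beyond_basic: read ppriv output and list effective privileges that are
#     outside the basic set, i.e. what a process can do beyond an ordinary user
#     shell. An effective set of "all" is reported as "all".
# The basic set below is the one `ppriv -v $$` printed on the slides (Solaris 11).
BASIC_PRIVS="file_link_any file_read file_write net_access proc_exec proc_fork proc_info proc_session sys_ib_info"

# expand_privspec SPEC -> resulting privilege set, one per line, sorted.
# SPEC is comma separated; "basic" adds the basic set, "!priv" removes priv,
# any other word adds that privilege; entries are applied left to right.
expand_privspec() {
    printf '%s\n' "$1" | tr ',' '\n' | awk -v basic="$BASIC_PRIVS" '
        BEGIN { n = split(basic, b, " ") }
        $0 == "basic" { for (i = 1; i <= n; i++) set[b[i]] = 1; next }
        /^!/          { delete set[substr($0, 2)]; next }
        NF            { set[$0] = 1 }
        END           { for (p in set) print p }
    ' | LC_ALL=C sort
}

# privs_beyond_basic < ppriv-output -> effective privileges not in the basic set,
# space separated on one line (empty if the process holds only basic privileges).
privs_beyond_basic() {
    awk -v basic="$BASIC_PRIVS" '
        BEGIN { n = split(basic, b, " "); for (i = 1; i <= n; i++) isbasic[b[i]] = 1 }
        $1 == "E:" {
            m = split($2, e, ",")
            for (i = 1; i <= m; i++) if (e[i] != "basic" && !(e[i] in isbasic)) print e[i]
        }
    ' | LC_ALL=C sort | tr '\n' ' ' | sed 's/ $//'
}

# Constructed ppriv output, modelled on the kcfd and httpd examples on the slides.
sample_ppriv_kcfd() {
    cat <<'EOF'
125:    /usr/lib/crypto/kcfd
flags = PRIV_AWARE
        E: file_owner,proc_priocntl,sys_devices
        I: none
        P: file_owner,proc_priocntl,sys_devices
        L: none
EOF
}
sample_ppriv_httpd_root() {
    cat <<'EOF'
1975:   /usr/apache2/2.2/bin/httpd -k start
flags = <none>
        E: all
        I: basic
        P: all
        L: all
EOF
}

echo "start/privileges from the slides expands to:"
expand_privspec 'basic,!proc_session,!proc_info,!file_link_any,net_privaddr' | tr '\n' ' '; echo
echo "kcfd beyond basic:          $(sample_ppriv_kcfd | privs_beyond_basic)"
echo "httpd as root beyond basic: $(sample_ppriv_httpd_root | privs_beyond_basic)"
```

On a Solaris host, `ppriv -v <pid>` piped into privs_beyond_basic gives a one-line answer per daemon; anything that prints "all" is a candidate for the svccfg treatment shown above, and expand_privspec lets you review the resulting set before refreshing the service.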
c0t0d0s0org73
Read-only zone root
c0t0d0s0org74
zonecfg:testzone> set file-mac-profile=none
    Standard read-write non-global zone, with no additional protection beyond the existing zone boundaries.
zonecfg:testzone> set file-mac-profile=strict
    Read-only file system, no exceptions.
zonecfg:testzone> set file-mac-profile=fixed-configuration
    Permits updates to /var/* directories, with the exception of directories that contain system configuration components.
zonecfg:testzone> set file-mac-profile=flexible-configuration
    Permits modification of files in /etc/* directories, changes to root's home directory, and updates to /var/* directories. This configuration provides the closest functionality to the Oracle Solaris 10 native sparse root zone.
c0t0d0s0org75
in-kernel SSL Proxy
c0t0d0s0org76
# mkdir /etc/keys
# cd /etc/keys
# openssl req -x509 -nodes -days 365 -subj "/C=DE/ST=Hamburg/L=Hamburg/CN=server" -newkey rsa:1024 -keyout /etc/keys/mykey.pem -out /etc/keys/mycert.pem
# cat mycert.pem mykey.pem > my.pem
# chmod 600 my.pem
c0t0d0s0org77
# echo "pass" > /etc/keys/mypass
# ksslcfg create -f pem -i /etc/keys/my.pem -x 8080 -p /etc/keys/mypass server 443
c0t0d0s0org78
# ksslcfg create -f pem -i /etc/keys/my.pem -x 8080 -p /etc/keys/mypass -c "rsa_aes_256_cbc_sha,rsa_aes_128_cbc_sha,rsa_rc4_128_sha,rsa_rc4_128_md5" server 443
This cipher list dates from the 2009 demo: the RC4 suites and the 1024-bit RSA key generated above are considered weak today, so restrict -c to the AES suites and generate a 2048-bit or larger key.
c0t0d0s0org79
# svcs -a | grep kssl
online          9:03:33 svc:/network/ssl/proxy:kssl-server-443
c0t0d0s0org80
# svcadm disable apache22
# echo "Listen 192.168.178.108:8080" >> /etc/apache2/2.2/httpd.conf
# svcadm enable apache22
Both the IP address and the port number have to be given in httpd.conf, otherwise it will not work. Keep in mind that the proxy hands the decrypted traffic to port 8080 in the clear, so that port must not be reachable from outside the host.
c0t0d0s0org81
# openssl s_client -connect server:443
CONNECTED(00000004)
depth=0 /C=DE/ST=Hamburg/L=Hamburg/CN=server
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=DE/ST=Hamburg/L=Hamburg/CN=server
verify return:1
---
Certificate chain
 0 s:/C=DE/ST=Hamburg/L=Hamburg/CN=server
   i:/C=DE/ST=Hamburg/L=Hamburg/CN=server
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICoTCCAgqgAwIBAgIJAKyJdj[...]V5jX3MU=
-----END CERTIFICATE-----
subject=/C=DE/ST=Hamburg/L=Hamburg/CN=server
issuer=/C=DE/ST=Hamburg/L=Hamburg/CN=server
---
No client certificate CA names sent
---
SSL handshake has read 817 bytes and written 328 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-SHA
    Session-ID: 32CEF20CB9FE2A71C74D40BB2DB5CB304DA1B57540B7CFDD113915B99DBE9812
    Session-ID-ctx:
    Master-Key: 1E7B502390951124779C5763B5E4BBAF0A9B0693D08DCA8A587B503A5C5027B6FAD9CA7626B1AD8C62219E8502A5C21E
    Key-Arg   : None
    Start Time: 1242985143
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
GET / HTTP/1.0

HTTP/1.1 200 OK
Date: Fri, 22 May 2009 09:39:13 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8a DAV/2
Last-Modified: Thu, 21 May 2009 21:26:30 GMT
ETag: "341f3-2c-46a72cc211a8f"
Accept-Ranges: bytes
Content-Length: 44
Connection: close
Content-Type: text/html

<html><body><h1>It works!</h1></body></html>
read:errno=0
c0t0d0s0org82
ZFS Encryption
c0t0d0s0org83
# zfs create -o encryption=on rpool/export/project
c0t0d0s0org84
Two keys are involved:
- wrapping key (user settable; its keysource can be prompt, file, https or pkcs11)
- data encryption key (random, not user settable; stored wrapped by the wrapping key)
c0t0d0s0org85
Supported values for the encryption property: aes-128-ccm (= on), aes-192-ccm, aes-256-ccm, aes-128-gcm, aes-192-gcm, aes-256-gcm
c0t0d0s0org86
# zfs set checksum=sha256+mac <dataset>
When encryption=on, something like this happens automatically: the checksum property is set to sha256+mac and is read-only from then on.
c0t0d0s0org87
# pktool genkey keystore=pkcs11 keytype=aes keylen=128 label=mykey
Enter PIN for Sun Software PKCS#11 softtoken:
# zfs create -o encryption=on -o keysource=raw,pkcs11:object=mykey tank/project/C
Enter PKCS#11 token PIN for 'tank/project/C':
c0t0d0s0org88
# zfs create -o encryption=on -o keysource=raw,https://keys.example.com/mykey tank/project/R
# cp myserver.cert.pem /etc/certs/CA
# svcadm refresh ca-certificates
c0t0d0s0org89
$ zfs key -c rpool/export/project
Enter new passphrase for 'rpool/export/project':
Changing the wrapping key
c0t0d0s0org91
# zfs key -K tank/project/A
# zfs clone -K tank/project/A@montag tank/project/D
Changing the data encryption key for data written from now on (zfs key -K) and for a clone (zfs clone -K): this creates a new data encryption key. Data written in the clone uses the new key, which is distinct from the one of its origin snapshot.
c0t0d0s0org93
Solaris Cryptographic Framework
c0t0d0s0org94
As soon as Solaris detects hardware acceleration for cryptography, Solaris will use it (as will applications that use the Oracle-supplied OpenSSL library or the framework's direct interfaces):
• on-chip crypto accelerator in T- and current M-series chips
• instruction set extensions in Intel processors (AES-NI)
• supported crypto accelerator cards
c0t0d0s0org95
Just a side note: T-series crypto acceleration and Intel x86 acceleration have rather different performance characteristics.
T-series: acceleration by offloading crypto to units outside the pipeline. Intel x86: acceleration by special in-pipeline instructions that speed up execution.
Sounds like splitting hairs ...
c0t0d0s0org98
Using ZFS to do two-factor encryption
c0t0d0s0org99
jmoekamp@solaris:~$ rmformat
Looking for devices...
     1. Logical Node: /dev/rdsk/c10t0d0p0
        Physical Node: /pci@0,0/pci8086,265c@b/storage@2/disk@0,0
        Connected Device: SanDisk  U3 Cruzer Micro  8.02
        Device Type: Removable
        Bus: USB
        Size: 3.8 GB
        Label:
        Access permissions: Medium is not write protected.
(...)
     3. Logical Node: /dev/rdsk/c9t0d0p0
        Physical Node: /pci@0,0/pci8086,265c@b/storage@1/disk@0,0
        Connected Device: SanDisk  U3 Cruzer Micro  8.02
        Device Type: Removable
        Bus: USB
        Size: 3.8 GB
        Label:
        Access permissions: Medium is not write protected.
c0t0d0s0org100
root@solaris:~# zpool create a_keystore_usbstick /dev/dsk/c10t0d0p0
root@solaris:~# zpool create datastick /dev/dsk/c9t0d0p0
c0t0d0s0org101
root@solaris:~# zfs create -o encryption=on a_keystore_usbstick/keys
Enter passphrase for 'a_keystore_usbstick/keys': supersecret
Enter again: supersecret
c0t0d0s0org102
root@solaris:~# pktool genkey keystore=file keytype=aes keylen=128 outkey=/a_keystore_usbstick/keys/joergsdatastick.key
c0t0d0s0org103
root@solaris:~# zfs create -o encryption=on -o keysource=raw,file:///a_keystore_usbstick/keys/joergsdatastick.key datastick/joergssecrets
c0t0d0s0org104
root@solaris:/datastick/joergssecrets# mv /home/jmoekamp/highlyconfidential_nda_presos.tgz .
c0t0d0s0org105
root@solaris:~# zpool export a_keystore_usbstick
root@solaris:~# zpool export datastick
c0t0d0s0org106
root@solaris:~# zpool import a_keystore_usbstick
Enter passphrase for 'a_keystore_usbstick/keys': supersecret
root@solaris:~#
c0t0d0s0org107
root@solaris:~# zpool import datastick
root@solaris:~# cd /datastick/joergssecrets
root@solaris:/datastick/joergssecrets# ls
highconfidential_nda_presos.tgz
c0t0d0s0org108
Basic Auditing and Reporting Tool
c0t0d0s0org109
# mkdir /bart-files
# bart create -R /etc > /bart-files/etc.control.manifest
c0t0d0s0org110
# cat etc.control.manifest | grep nsswitch.nisplus
/nsswitch.nisplus F 2525 100644 user::rw-,group::r--,mask:r--,other:r-- 473976b5 0 3 79e8fd689a5221d1cd059e5077da71b8
c0t0d0s0org111
# touch /etc/thisisjustatest
# chmod 777 /etc/nsswitch.files
# echo "just a test" >> /etc/nsswitch.nisplus
c0t0d0s0org112
# bart create -R /etc > /bart-files/etc.check.20130911.manifest
c0t0d0s0org114
# cd /bart-files
# bart compare etc.control.manifest etc.check.20130911.manifest
/nsswitch.files:
  mode  control:100644  test:100777
  acl  control:user::rw-,group::r--,mask:r--,other:r--  test:user::rwx,group::rwx,mask:rwx,other:rwx
/nsswitch.nisplus:
  size  control:2525  test:2538
  mtime  control:473976b5  test:47a44862
  contents  control:79e8fd689a5221d1cd059e5077da71b8  test:3f79176ec352441db11ec8a3d02ef67c
/thisisjustatest:
  add
c0t0d0s0org115
Find more information regarding this feature at http://www.c0t0d0s0.org/archives/4069-Less-known-Solaris-features-BART.html
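The manifest format bart create writes (path, type, size, mode, acl, mtime, uid, gid and an MD5 of the contents for files) is plain text, so the comparison can also be done off the box, for instance on a collector host that never runs bart itself. The script below is an added example, not part of the slides or of BART: it re-implements the bart compare output shown above over two constructed manifests that mirror the demo (a chmod 777, an appended line, a new file) plus one deleted file, and reports the attributes that differ per path.

```sh
#!/bin/sh
# Added example: a bart compare-style diff of two BART manifests.
# The manifests below are constructed in the format shown on the slides
# (path type size mode acl mtime uid gid [contents]); the /etc entries mirror
# the demo: a chmod 777, an appended line, a new file, plus one deleted file.

# manifest_compare CONTROL TEST
# Prints, per changed path, the attributes that differ (control vs test value),
# "add" for paths only in TEST and "delete" for paths only in CONTROL.
manifest_compare() {
    awk '
        BEGIN {
            # attribute names per entry type, in manifest column order after the type
            attrs["F"] = "size mode acl mtime uid gid contents"
            attrs["D"] = "size mode acl dirmtime uid gid"
        }
        /^[!#]/ || NF < 2 { next }                 # header and format comments
        NR == FNR { ctl[$1] = $0; order[++n] = $1; next }
        {
            intest[$1] = 1
            if (!($1 in ctl)) { printf "%s:\n  add\n", $1; next }
            split(ctl[$1], c, " ")
            if (c[2] != $2) { printf "%s:\n  type  control:%s  test:%s\n", $1, c[2], $2; next }
            k = split(attrs[$2], name, " ")      # other types: only the type is compared
            shown = 0
            for (i = 1; i <= k; i++) {
                if (c[i + 2] != $(i + 2)) {
                    if (!shown) { printf "%s:\n", $1; shown = 1 }
                    printf "  %s  control:%s  test:%s\n", name[i], c[i + 2], $(i + 2)
                }
            }
        }
        END { for (i = 1; i <= n; i++) if (!(order[i] in intest)) printf "%s:\n  delete\n", order[i] }
    ' "$1" "$2"
}

# changed_paths CONTROL TEST -> number of paths with any difference
# (grep -c exits 1 when the count is 0, i.e. when nothing changed)
changed_paths() {
    manifest_compare "$1" "$2" | grep -c ':$'
}

# write_manifests DIR: constructed control and check manifests (checksums for
# nsswitch.files and obsolete.conf are made up; the empty file's MD5 is real)
write_manifests() {
    cat > "$1/etc.control.manifest" <<'EOF'
! Version 1.0
! Wednesday, September 11, 2013 (09:00:00)
# Format:
#fname D size mode acl dirmtime uid gid
#fname F size mode acl mtime uid gid contents
/ D 1024 40755 user::rwx,group::r-x,mask:r-x,other:r-x 52300000 0 3
/nsswitch.files F 2525 100644 user::rw-,group::r--,mask:r--,other:r-- 473976b5 0 3 0123456789abcdef0123456789abcdef
/nsswitch.nisplus F 2525 100644 user::rw-,group::r--,mask:r--,other:r-- 473976b5 0 3 79e8fd689a5221d1cd059e5077da71b8
/obsolete.conf F 12 100644 user::rw-,group::r--,mask:r--,other:r-- 473976b5 0 3 fedcba9876543210fedcba9876543210
EOF
    cat > "$1/etc.check.manifest" <<'EOF'
! Version 1.0
! Wednesday, September 11, 2013 (17:00:00)
# Format:
#fname D size mode acl dirmtime uid gid
#fname F size mode acl mtime uid gid contents
/ D 1024 40755 user::rwx,group::r-x,mask:r-x,other:r-x 52300000 0 3
/nsswitch.files F 2525 100777 user::rwx,group::rwx,mask:rwx,other:rwx 473976b5 0 3 0123456789abcdef0123456789abcdef
/nsswitch.nisplus F 2538 100644 user::rw-,group::r--,mask:r--,other:r-- 47a44862 0 3 3f79176ec352441db11ec8a3d02ef67c
/thisisjustatest F 0 100644 user::rw-,group::r--,mask:r--,other:r-- 52304a10 0 0 d41d8cd98f00b204e9800998ecf8427e
EOF
}

dir=$(mktemp -d)
write_manifests "$dir"
manifest_compare "$dir/etc.control.manifest" "$dir/etc.check.manifest"
```

Because the control manifest is the baseline, keep it somewhere the monitored host cannot write to (the slides' /bart-files on the same box is fine for a demo, not for production); feed real manifests from `bart create -R /etc` into manifest_compare on the collector.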
c0t0d0s0org116
Apropos Auditing
c0t0d0s0org117
Auditing is activated by default.
c0t0d0s0org118
root@client:~# auditconfig -getflags
active user default audit flags = lo(0x1000,0x1000)
configured user default audit flags = lo(0x1000,0x1000)
root@client:~# auditconfig -getnaflags
active non-attributable audit flags = lo(0x1000,0x1000)
configured non-attributable audit flags = lo(0x1000,0x1000)
c0t0d0s0org119
root@client:~# auditconfig -getpolicy
configured audit policies = cnt
active audit policies = cnt
Policy regarding auditing (explanation on the next slide).
c0t0d0s0org120
root@client:~# auditconfig -lspolicy
policy string    description:
ahlt             halt machine if it can not record an async event
all              all policies
arge             include exec environment args in audit recs
argv             include exec command line args in audit recs
cnt              when no more space, drop recs and keep a cnt
group            include supplementary groups in audit recs
none             no policies
path             allow multiple paths per event
perzone          use a separate queue and auditd per zone
public           audit public files
seq              include a sequence number in audit recs
trail            include trailer token in audit recs
windata_down     include downgraded window information in audit recs
windata_up       include upgraded window information in audit recs
zonename         include zonename token in audit recs
Which degree of detail? What happens with full disks?
c0t0d0s0org121
root@client:~# auditconfig -getplugin
Plugin: audit_binfile (active)
        Attributes: p_dir=/var/audit;p_fsize=0;p_minfree=1;

Plugin: audit_syslog (inactive)
        Attributes: p_flags=;

Plugin: audit_remote (inactive)
        Attributes: p_hosts=;p_retries=3;p_timeout=5;
c0t0d0s0org122
root@client:~# auditconfig -setflags lo,ps,fw
user default audit flags = ps,lo,fw(0x101002,0x101002)
root@client:~# auditconfig -setnaflags lo,na
non-attributable audit flags = lo,na(0x1400,0x1400)
lo and na are the only sensible flags for non-attributable events.
c0t0d0s0org124
root@client:~# usermod -K audit_flags=fw,as: junior
c0t0d0s0org125
root@client:~# auditconfig -lsevent | grep lo
AUE_login                  6152 lo login - local
AUE_logout                 6153 lo logout
AUE_telnet                 6154 lo login - telnet
AUE_rlogin                 6155 lo login - rlogin
AUE_rshd                   6158 lo rsh access
AUE_su                     6159 lo su
AUE_rexecd                 6162 lo rexecd
AUE_passwd                 6163 lo passwd
AUE_rexd                   6164 lo rexd
AUE_ftpd                   6165 lo ftp access
AUE_ftpd_logout            6171 lo ftp logout
AUE_ssh                    6172 lo login - ssh
AUE_role_login             6173 lo role login
AUE_rad_login              6174 lo connect to RAD
AUE_newgrp_login           6212 lo newgrp login
AUE_admin_authenticate     6213 lo admin login
AUE_screenlock             6221 lo screenlock - lock
AUE_screenunlock           6222 lo screenlock - unlock
AUE_zlogin                 6227 lo login - zlogin
AUE_su_logout              6228 lo su logout
AUE_role_logout            6229 lo role logout
AUE_smbd_session           6244 lo smbd(1m) session setup
AUE_smbd_logoff            6245 lo smbd(1m) session logoff
c0t0d0s0org126
root@client:~# auditconfig -lsevent | grep ps
AUE_EXIT                      1 ps exit(2)
AUE_FORKALL                   2 ps forkall(2)
AUE_VFORK                    25 ps vfork(2)
AUE_FORK1                   241 ps fork1(2)
root@client:~# auditconfig -lsevent | grep fw
AUE_OPEN_W                   76 fw open(2) - write
c0t0d0s0org127
# auditreduce -c ps /var/audit/20130912183630.not_terminated.client | praudit
header,139,2,execve(2),,client,2013-09-12 18:40:55.924 +00:00
path,/usr/sbin/auditreduce
attribute,100555,root,bin,65538,65875,18446744073709551615
subject,jmoekamp,root,root,root,root,205414400809562480 202240 192.168.10.1
return,success,0
c0t0d0s0org128
root@client:~# auditconfig -setflags all
user default audit flags = all(0xffffffffffffffff,0xffffffffffffffff)
Not always (in the sense of: never) a good idea.
Useful after trying things out, to start a new audit file:
root@client:~# audit -n
c0t0d0s0org129
root@client:~# auditstat
  gen nona  kern  aud ctl   enq  wrtn wblk rblk drop  tot mem
38248    1 38233   14   0 37791 37788    0 3491  457 5169   0
"all" activated for a few seconds on an unloaded system.
c0t0d0s0org130
SSH and X.509
c0t0d0s0org131
root@ca:~# CA.pl -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
..........++++++
.......++++++
writing new private key to '/etc/openssl/private/cakey.pem'
Enter PEM pass phrase: supersecret1
Verifying - Enter PEM pass phrase: supersecret1
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:DE
State or Province Name (full name) []:Lower Saxony
Locality Name (eg, city) []:Lueneburg
Organization Name (eg, company) []:c0t0d0s0.org
Organizational Unit Name (eg, section) []:Security Department
Common Name (eg, server FQDN or YOUR name) []:CA
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openssl/openssl.cnf
Enter pass phrase for /etc/openssl/private/cakey.pem: supersecret1
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: b3:54:80:88:66:ad:e8:78
        Validity
            Not Before: Sep 26 10:11:09 2013 GMT
            Not After : Sep 25 10:11:09 2016 GMT
        Subject:
            countryName               = DE
            stateOrProvinceName       = Lower Saxony
            organizationName          = c0t0d0s0.org
            organizationalUnitName    = Security Department
            commonName                = CA
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44
            X509v3 Authority Key Identifier:
                keyid:5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44
            X509v3 Basic Constraints:
                CA:TRUE
Certificate is to be certified until Sep 25 10:11:09 2016 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated
c0t0d0s0org132
root@ca:~# mkdir server
root@ca:~# cd server
root@ca:~/server# CA.pl -newreq
Generating a 1024 bit RSA private key
..........++++++
.......++++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase: supersecret2
Verifying - Enter PEM pass phrase: supersecret2
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:DE
State or Province Name (full name) []:Lower Saxony
Locality Name (eg, city) []:Lueneburg
Organization Name (eg, company) []:c0t0d0s0.org
Organizational Unit Name (eg, section) []:Server Certificates
Common Name (eg, server FQDN or YOUR name) []:server
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem
c0t0d0s0org133
root@ca:~/server# CA.pl -signreq
Using configuration from /etc/openssl/openssl.cnf
Enter pass phrase for /etc/openssl/private/cakey.pem: supersecret1
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: b3:54:80:88:66:ad:e8:79
        Validity
            Not Before: Sep 26 10:29:12 2013 GMT
            Not After : Sep 26 10:29:12 2014 GMT
        Subject:
            countryName               = DE
            stateOrProvinceName       = Lower Saxony
            localityName              = Lueneburg
            organizationName          = c0t0d0s0.org
            organizationalUnitName    = Server Certificates
            commonName                = server
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                A7:DC:03:DE:B3:D5:FB:F9:C0:06:F1:1A:55:A9:AD:04:C4:9C:10:FA
            X509v3 Authority Key Identifier:
                keyid:5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44

Certificate is to be certified until Sep 26 10:29:12 2014 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
root@ca:~/server# ls -l
total 15
-rw-r--r--   1 root     root        3196 Sep 26 12:29 newcert.pem
-rw-r--r--   1 root     root        1041 Sep 26 12:28 newkey.pem
-rw-r--r--   1 root     root         680 Sep 26 12:28 newreq.pem

root@ca:~/junior# CA.pl -newreq
Generating a 1024 bit RSA private key
......++++++
......++++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
Verify failure
Enter PEM pass phrase: supersecret3
Verifying - Enter PEM pass phrase: supersecret3
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:DE
State or Province Name (full name) []:Lower Saxony
Locality Name (eg, city) []:Lueneburg
Organization Name (eg, company) []:c0t0d0s0.org
Organizational Unit Name (eg, section) []:User certificates
Common Name (eg, server FQDN or YOUR name) []:junior
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem

root@ca:~/junior# CA.pl -signreq
Using configuration from /etc/openssl/openssl.cnf
Enter pass phrase for /etc/openssl/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: b3:54:80:88:66:ad:e8:7a
        Validity
            Not Before: Sep 26 11:09:29 2013 GMT
            Not After : Sep 26 11:09:29 2014 GMT
        Subject:
            countryName               = DE
            stateOrProvinceName       = Lower Saxony
            localityName              = Lueneburg
            organizationName          = c0t0d0s0.org
            organizationalUnitName    = User certificates
            commonName                = junior
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                A1:F2:FC:9D:8A:E2:AD:9A:F5:29:03:F5:B7:14:93:3C:64:62:8E:9C
            X509v3 Authority Key Identifier:
                keyid:5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44

Certificate is to be certified until Sep 26 11:09:29 2014 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
root@server:~# useradd -m junior
80 blocks
root@server:~# passwd junior
New Password:
Re-enter new Password:
passwd: password successfully changed for junior
root@server:~#

root@client:~# useradd -m junior
80 blocks
root@client:~# passwd junior
New Password:
Re-enter new Password:
passwd: password successfully changed for junior

root@server:~# echo "1921681051 server" >> /etc/hosts
root@server:~# echo "1921681052 client" >> /etc/hosts

root@client:~# echo "1921681051 server" >> /etc/hosts
root@client:~# echo "1921681052 client" >> /etc/hosts

root@ca:~/server# scp /etc/openssl/cacert.pem jmoekamp@1921681109:/export/home/jmoekamp
Password:
cacert.pem           100% |*****************************|  3011       00:00
root@ca:~/server# scp newcert.pem jmoekamp@1921681109:/export/home/jmoekamp
Password:
newcert.pem          100% |*****************************|  3196       00:00
root@ca:~/server# scp newkey.pem jmoekamp@1921681109:/export/home/jmoekamp
Password:
newkey.pem           100% |*****************************|  1041       00:00

root@ca:~/junior# scp newkey.pem junior@client:/export/home/junior
Password:
newkey.pem           100% |*****************************|  1041       00:00
root@ca:~/junior# scp newcert.pem junior@client:/export/home/junior
Password:
newcert.pem          100% |*****************************|  3190       00:00
root@ca:~/junior# scp /etc/openssl/cacert.pem junior@1921681104:/export/home/junior
Password:
cacert.pem           100% |*****************************|  3011       00:00
On the Server

root@server:~# ls
cacert.pem   newcert.pem  newkey.pem

root@server:~# pktool setpin
Enter token passphrase: changeme
Create new passphrase: superserversecret
Re-enter new passphrase: superserversecret
Passphrase changed.
root@server:~#

root@server:~# printf "superserversecret" > /etc/ssh/pinfile

root@server:~# kmfcfg create dbfile=/etc/ssh/policy.xml policy=ssh ta-name=search mapper-name=cn

root@server:~# echo "TrustedAnchorKeystore /etc/ssh/cert" >> /etc/ssh/sshd_config
root@server:~# echo "KMFPolicyDatabase /etc/ssh/policy.xml" >> /etc/ssh/sshd_config
root@server:~# echo "KMFPolicyName ssh" >> /etc/ssh/sshd_config
root@server:~# echo "HostKey pkcs11:object=host;token=Sun Metaslot;pinfile=/etc/ssh/pinfile" >> /etc/ssh/sshd_config

root@server:~# pktool import keystore=pkcs11 infile=newkey.pem objtype=key label=host
Enter PIN for Sun Software PKCS#11 softtoken: superserversecret
Enter PEM pass phrase: supersecret2
Importing 1 keys

root@server:~# egrep -v "^ |^$|^Cert" /export/home/jmoekamp/cacert.pem > /etc/ssh/cert/cacertcooked.pem
root@server:~# egrep -v "^ |^$|^Cert" newcert.pem > newcertcooked.pem
root@server:~# pktool import keystore=pkcs11 infile=newcertcooked.pem objtype=cert label=host
root@server:~#
On the client

junior@client:~$ ls *.pem
cacert.pem   newcert.pem  newkey.pem

root@client:~# kmfcfg create dbfile=/etc/ssh/policy.xml policy=ssh ta-name=search mapper-name=cn
root@client:~# egrep -v "^ |^$|^Cert" /export/home/junior/cacert.pem > /etc/ssh/cert/cacertcooked.pem

junior@client:~$ pktool setpin
Enter token passphrase: changeme
Create new passphrase: superusersecret
Re-enter new passphrase: superusersecret
Passphrase changed.

junior@client:~$ pktool import keystore=pkcs11 infile=newkey.pem objtype=key label=user
Enter PIN for Sun Software PKCS#11 softtoken: superusersecret
Enter PEM pass phrase: supersecret3
Importing 1 keys
junior@client:~$ egrep -v "^ |^$|^Cert" newcert.pem > newcertcooked.pem
junior@client:~$ pktool import keystore=pkcs11 infile=newcertcooked.pem objtype=cert label=user
Testing it

root@server:~# svcadm disable ssh
root@server:~# svcadm enable ssh

junior@client:~$ cd .ssh
junior@client:~/.ssh$ printf "superusersecret" >> pinfile
junior@client:~/.ssh$ cat config
Host server-x509
    Hostname server
    TrustedAnchorKeystore /etc/ssh/cert
    KMFPolicyDatabase /etc/ssh/policy.xml
    KMFPolicyName ssh
    IdentityFile pkcs11:object=user;token=Sun Software PKCS#11 softtoken;pinfile=/export/home/junior/.ssh/pinfile

junior@client:~/.ssh$ ssh junior@server-x509
Last login: Thu Sep 26 20:07:14 2013 from client
Oracle Corporation      SunOS 5.11      11.1    September 2013
junior@server:~$

Find more information regarding this feature at http://www.c0t0d0s0.org/archives/7659-Using-X509-support-for-SSH-on-Solaris-11.1.html
OpenSCAP

„The Security Content Automation Protocol (SCAP) is a method for using specific standards to enable automated vulnerability management, measurement, and policy compliance evaluation (e.g., FISMA compliance). The National Vulnerability Database (NVD) is the U.S. government content repository for SCAP.“
http://en.wikipedia.org/wiki/Security_Content_Automation_Protocol
ftp-banner.xml

<?xml version="1.0" encoding="UTF-8"?>
<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5"
    xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5"
    xmlns:independent-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"
    xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd">
  <generator>
    <oval:product_name>Enhanced SCAP Editor</oval:product_name>
    <oval:product_version>0.0.11</oval:product_version>
    <oval:schema_version>5.8</oval:schema_version>
    <oval:timestamp>2012-10-11T10:33:25</oval:timestamp>
  </generator>
  <!--generated.oval.base.identifier=com.oracle.solaris11-->
  <definitions>
    <definition id="oval:com.oracle.solaris11:def:840" version="1" class="compliance">
      <metadata>
        <title>Enable a Warning Banner for the FTP Service</title>
        <affected family="unix">
          <platform>Oracle Solaris 11</platform>
        </affected>
        <description>/etc/proftpd.conf contains "DisplayConnect /etc/issue"</description>
      </metadata>
      <criteria operator="AND" negate="false" comment="Single test">
        <criterion comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;" test_ref="oval:com.oracle.solaris11:tst:8400" negate="false"/>
      </criteria>
    </definition>
  </definitions>
  <tests>
    <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:com.oracle.solaris11:tst:8400" version="1" check="all" comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;" check_existence="all_exist">
      <object object_ref="oval:com.oracle.solaris11:obj:8400"/>
    </textfilecontent54_test>
  </tests>
  <objects>
    <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:com.oracle.solaris11:obj:8400" version="1" comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;">
      <path datatype="string" operation="equals">/etc</path>
      <filename datatype="string" operation="equals">proftpd.conf</filename>
      <pattern datatype="string" operation="pattern match">^DisplayConnect\s/etc/issue\s*$</pattern>
      <instance datatype="int" operation="greater than or equal">1</instance>
    </textfilecontent54_object>
  </objects>
</oval_definitions>
$ oscap oval eval ftp-banner.xml
Definition oval:com.oracle.solaris11:def:840: false
Evaluation done.

$ oscap oval eval --results results.xml --report report.html ftp-banner.xml
Definition oval:com.oracle.solaris11:def:840: false
Evaluation done.
OVAL Results are exported correctly.

To create your own OVAL files: Enhanced SCAP Content Editor

Find more information regarding this feature at https://blogs.oracle.com/darren/entry/compliance_reporting_with_scap
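To make the mechanics of the ftp-banner.xml check above concrete, here is an added example (not from the slides and not OpenSCAP code) that evaluates a textfilecontent54 test the way oscap does: it collects the lines of the named file that match the pattern, applies the instance and check_existence rules, and combines the criterion results with the AND/OR operator of the definition. The OVAL content is a constructed copy of the slide's definition with the same ids and pattern but the generator and metadata trimmed, and the "file system" is an in-memory dict standing in for /etc/proftpd.conf.

```python
import re
import xml.etree.ElementTree as ET

NS_DEF = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
NS_IND = "http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"
DEF_ID = "oval:com.oracle.solaris11:def:840"

# Constructed OVAL content: the ftp-banner.xml check from the slides with the
# generator and metadata trimmed (ids, pattern and operations are the same).
OVAL_XML = f"""
<oval_definitions xmlns="{NS_DEF}">
  <definitions>
    <definition id="{DEF_ID}" version="1" class="compliance">
      <criteria operator="AND" negate="false" comment="Single test">
        <criterion test_ref="oval:com.oracle.solaris11:tst:8400" negate="false"/>
      </criteria>
    </definition>
  </definitions>
  <tests>
    <textfilecontent54_test xmlns="{NS_IND}" id="oval:com.oracle.solaris11:tst:8400"
        version="1" check="all" check_existence="all_exist">
      <object object_ref="oval:com.oracle.solaris11:obj:8400"/>
    </textfilecontent54_test>
  </tests>
  <objects>
    <textfilecontent54_object xmlns="{NS_IND}" id="oval:com.oracle.solaris11:obj:8400" version="1">
      <path datatype="string" operation="equals">/etc</path>
      <filename datatype="string" operation="equals">proftpd.conf</filename>
      <pattern datatype="string" operation="pattern match">^DisplayConnect\\s/etc/issue\\s*$</pattern>
      <instance datatype="int" operation="greater than or equal">1</instance>
    </textfilecontent54_object>
  </objects>
</oval_definitions>
"""

# Constructed stand-ins for the target file system: {absolute path: content}
COMPLIANT_FS = {"/etc/proftpd.conf": 'ServerName "ProFTPD"\nDisplayConnect /etc/issue\n'}
NONCOMPLIANT_FS = {"/etc/proftpd.conf": 'ServerName "ProFTPD"\n# DisplayConnect /etc/issue\n'}
MISSING_FS = {}


def _ind(elem, name):
    """Find a child in the 'independent' OVAL namespace."""
    return elem.find(f"{{{NS_IND}}}{name}")


def collect_items(obj, fs):
    """Collect the matching lines for a textfilecontent54_object.

    Returns None when the file does not exist, otherwise the matches selected
    by the <instance> entity (1-based index of the match within the file)."""
    content = fs.get(_ind(obj, "path").text + "/" + _ind(obj, "filename").text)
    if content is None:
        return None
    pattern = re.compile(_ind(obj, "pattern").text, re.MULTILINE)
    matches = [m.group(0) for m in pattern.finditer(content)]
    inst = _ind(obj, "instance")
    n, op = int(inst.text), inst.get("operation", "equals")
    return [m for i, m in enumerate(matches, 1)
            if (i == n if op == "equals" else i >= n)]


def eval_test(test, objects, fs):
    """A test without a state is true when its check_existence requirement holds."""
    items = collect_items(objects[_ind(test, "object").get("object_ref")], fs)
    existence = test.get("check_existence", "at_least_one_exists")
    if existence == "none_exist":
        return not items
    return bool(items)   # all_exist / at_least_one_exists: at least one match


def eval_criteria(crit, tests, objects, fs):
    """Combine criterion results with the AND/OR operator, honouring negate."""
    results = []
    for child in crit:
        tag = child.tag.rsplit("}", 1)[-1]
        if tag == "criteria":
            results.append(eval_criteria(child, tests, objects, fs))
        elif tag == "criterion":
            r = eval_test(tests[child.get("test_ref")], objects, fs)
            results.append(not r if child.get("negate") == "true" else r)
    ok = all(results) if crit.get("operator", "AND") == "AND" else any(results)
    return not ok if crit.get("negate") == "true" else ok


def evaluate(oval_xml, def_id, fs):
    """Evaluate one definition against an in-memory file system.

    Returns True/False, matching the 'Definition ...: true/false' line oscap prints."""
    root = ET.fromstring(oval_xml.strip())
    tests = {t.get("id"): t for t in root.find(f"{{{NS_DEF}}}tests")}
    objects = {o.get("id"): o for o in root.find(f"{{{NS_DEF}}}objects")}
    definition = next(d for d in root.find(f"{{{NS_DEF}}}definitions")
                      if d.get("id") == def_id)
    return eval_criteria(definition.find(f"{{{NS_DEF}}}criteria"), tests, objects, fs)


if __name__ == "__main__":
    for name, fs in (("compliant", COMPLIANT_FS), ("noncompliant", NONCOMPLIANT_FS),
                     ("missing file", MISSING_FS)):
        print(f"Definition {DEF_ID} ({name}): {str(evaluate(OVAL_XML, DEF_ID, fs)).lower()}")
```

The "false" that oscap printed on the slide corresponds to the noncompliant and missing-file cases here: a commented-out directive does not match `^DisplayConnect`, and an absent proftpd.conf yields no items, which fails `check_existence="all_exist"`.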
Sandboxing applications on Solaris 11.1

root@solaris:~# profiles -p "MySQL Service"
MySQL Service> set desc="Locking down the MySQL Service"
MySQL Service> add cmd=/lib/svc/method/mysql_51
MySQL Service:mysql_51> set privs=basic
MySQL Service:mysql_51> add privs={net_privaddr}:3306/tcp
MySQL Service:mysql_51> add privs={file_write}:/var/mysql/5.1/data/*
MySQL Service:mysql_51> add privs={file_write}:/tmp/mysql.sock
MySQL Service:mysql_51> add privs={file_write}:/var/tmp/ib*
MySQL Service:mysql_51> end
MySQL Service> set uid=mysql
MySQL Service> set gid=mysql
MySQL Service> exit
root@solaris:~#

root@solaris:~# svccfg -s mysql:version_51
svc:/application/database/mysql:version_51> setprop method_context/profile="MySQL Service"
svc:/application/database/mysql:version_51> setprop method_context/use_profile=true
svc:/application/database/mysql:version_51> refresh
svc:/application/database/mysql:version_51> exit

root@solaris:~# ipadm set-prop -p extra_priv_ports+=3306 tcp
root@solaris:~# ipadm show-prop -p extra_priv_ports tcp
PROTO PROPERTY              PERM CURRENT      PERSISTENT   DEFAULT      POSSIBLE
tcp   extra_priv_ports      rw   2049,4045    --           2049,4045    1-65535
                                 3306

svcadm enable mysql:version_51

root@solaris:~# ppriv $(pgrep mysql)
103697: /usr/mysql/5.1/bin/mysqld --basedir=/usr/mysql/5.1 --datadir=/var/mysq
flags = PRIV_XPOLICY
        Extended policies:
                {net_privaddr}:3306/tcp
                {file_write}:/var/mysql/5.1/data/*
                {file_write}:/tmp/mysql.sock
                {file_write}:/var/tmp/ib*
        E: basic,!file_write
        I: basic,!file_write
        P: basic,!file_write
        L: all
103609: /bin/sh /usr/mysql/5.1/bin/mysqld_safe --user=mysql --datadir=/var/mys
flags = PRIV_XPOLICY
        Extended policies:
                {net_privaddr}:3306/tcp
                {file_write}:/var/mysql/5.1/data/*
                {file_write}:/tmp/mysql.sock
                {file_write}:/var/tmp/ib*
        E: basic,!file_write
        I: basic,!file_write
        P: basic,!file_write
        L: all

Find more information regarding this feature at https://blogs.oracle.com/gfaden/entry/oracle_solaris_extended_policy_and
Passwords

root@client:/etc/security# cat /etc/security/crypt.conf
#
# Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
#ident  "%Z%%M% %I%     %E% SMI"
#
# The algorithm name __unix__ is reserved.

1       crypt_bsdmd5.so.1
2a      crypt_bsdbf.so.1
md5     crypt_sunmd5.so.1
5       crypt_sha256.so.1
6       crypt_sha512.so.1

root@client:/etc/security# cat /etc/security/policy.conf | egrep ^CRYPT_DEFAULT
CRYPT_DEFAULT=5
root@client:/etc/security# cat /etc/shadow | grep junior
junior:$5$4aKvDFqA$2kL8GpuXjrdf8XpanqhylEP5lDhy1DF5uo1ZYx74f3159291440

root@client:/etc/security# cat /etc/default/passwd | grep -v "# " | egrep -v "^$|^#$"
#ident  "%Z%%M% %I%     %E% SMI"
MAXWEEKS=
MINWEEKS=
PASSLENGTH=6
NAMECHECK=NO
HISTORY=0
MINDIFF=3
MINALPHA=2
MINNONALPHA=1
MINUPPER=0
MINLOWER=0
MAXREPEATS=0
MINSPECIAL=0
MINDIGIT=0
WHITESPACE=YES
DICTIONLIST=
DICTIONDBDIR=/var/passwd

root@client:~# mkpwdict -s /usr/share/lib/dict/words
mkpwdict: using default database location: /var/passwd.
or
root@client:~# mkpwdict -s /usr/share/lib/dict/words -d /var/passwd
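As an added example (not from the slides and not Solaris' own pam_authtok_check code), the following Python applies the /etc/default/passwd settings shown above to a candidate password and maps a shadow entry's `$id$` prefix back to the crypt.conf module that produced it. The policy and crypt.conf texts are constructed copies of what the slides print; the MINDIFF counting (differing positions plus length difference), the MAXREPEATS=0 "no limit" reading and the dictionary check are simplifications and are assumptions, not a statement of how the Solaris module counts.

```python
import re

# Constructed copy of the /etc/default/passwd settings printed on the slide
DEFAULT_PASSWD = """\
MAXWEEKS=
MINWEEKS=
PASSLENGTH=6
NAMECHECK=NO
HISTORY=0
MINDIFF=3
MINALPHA=2
MINNONALPHA=1
MINUPPER=0
MINLOWER=0
MAXREPEATS=0
MINSPECIAL=0
MINDIGIT=0
WHITESPACE=YES
DICTIONLIST=
DICTIONDBDIR=/var/passwd
"""

# Constructed copy of the algorithm table from /etc/security/crypt.conf
CRYPT_CONF = """\
1       crypt_bsdmd5.so.1
2a      crypt_bsdbf.so.1
md5     crypt_sunmd5.so.1
5       crypt_sha256.so.1
6       crypt_sha512.so.1
"""


def parse_defaults(text):
    """KEY=VALUE lines -> dict; comments and blank lines are skipped."""
    policy = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            policy[key.strip()] = value.strip()
    return policy


def _num(policy, key, default=0):
    """Empty value (e.g. 'MAXWEEKS=') falls back to the default."""
    value = policy.get(key, "")
    return int(value) if value else default


def check_password(new, old, policy_text, dictionary=(), username=""):
    """Return the names of the violated settings (empty list = accepted).

    Simplified reimplementation (assumption): MINDIFF counts positions that
    differ plus the length difference, MAXREPEATS=0 means no limit."""
    p = parse_defaults(policy_text)
    failed = []
    alpha = sum(c.isalpha() for c in new)
    if len(new) < _num(p, "PASSLENGTH", 6):
        failed.append("PASSLENGTH")
    if p.get("NAMECHECK", "YES").upper() != "NO" and username and username.lower() in new.lower():
        failed.append("NAMECHECK")
    if alpha < _num(p, "MINALPHA"):
        failed.append("MINALPHA")
    if len(new) - alpha < _num(p, "MINNONALPHA"):
        failed.append("MINNONALPHA")
    if sum(c.isupper() for c in new) < _num(p, "MINUPPER"):
        failed.append("MINUPPER")
    if sum(c.islower() for c in new) < _num(p, "MINLOWER"):
        failed.append("MINLOWER")
    if sum(c.isdigit() for c in new) < _num(p, "MINDIGIT"):
        failed.append("MINDIGIT")
    if sum(not c.isalnum() and not c.isspace() for c in new) < _num(p, "MINSPECIAL"):
        failed.append("MINSPECIAL")
    if p.get("WHITESPACE", "YES").upper() != "YES" and any(c.isspace() for c in new):
        failed.append("WHITESPACE")
    maxrep = _num(p, "MAXREPEATS")
    if maxrep and re.search(r"(.)\1{%d,}" % maxrep, new):   # a run longer than MAXREPEATS
        failed.append("MAXREPEATS")
    mindiff = _num(p, "MINDIFF")
    if old and mindiff:
        differing = sum(a != b for a, b in zip(new, old)) + abs(len(new) - len(old))
        if differing < mindiff:
            failed.append("MINDIFF")
    if new.lower() in {w.lower() for w in dictionary}:
        failed.append("DICTIONLIST")
    return failed


def hash_module(shadow_line, crypt_conf=CRYPT_CONF):
    """Map the $id$ prefix of a shadow entry's hash field to the crypt.conf
    module that produced it (CRYPT_DEFAULT=5 on the slide -> crypt_sha256.so.1)."""
    field = shadow_line.split(":")[1]
    m = re.match(r"\$([^$]+)\$", field)
    if not m:
        return "__unix__"   # the legacy 13-character DES hash has no $id$ prefix
    table = dict(line.split() for line in crypt_conf.splitlines() if line.strip())
    return table.get(m.group(1), "unknown")
```

With the slide's settings a six-character password must contain at least two letters and one non-letter; everything else (MINUPPER, MINDIGIT, ...) is 0 and therefore not enforced, which is why the dictionary built with mkpwdict is the main extra barrier.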
Address Space Layout Randomization

root@solaris:~# sxadm exec -s aslr=disable /usr/bin/pmap self
1914:   /usr/bin/pmap self
0000000000400000         28K r-x--  /usr/bin/pmap
0000000000417000          4K rw---  /usr/bin/pmap
0000000000418000         40K rw---    [ heap ]
FFFF80FFBDDD0000        216K r-x--  /lib/amd64/libproc.so.1
FFFF80FFBDE16000          8K rw---  /lib/amd64/libproc.so.1
FFFF80FFBF430000       1764K r-x--  /lib/amd64/libc.so.1
FFFF80FFBF5F9000         64K rw---  /lib/amd64/libc.so.1
FFFF80FFBF609000         12K rw---  /lib/amd64/libc.so.1
FFFF80FFBF740000          4K rw---    [ anon ]
FFFF80FFBF750000         24K rwx--    [ anon ]
FFFF80FFBF760000          4K rw---    [ anon ]
FFFF80FFBF770000          4K rw---    [ anon ]
FFFF80FFBF780000          4K rw---    [ anon ]
FFFF80FFBF790000          4K rw---    [ anon ]
FFFF80FFBF792000          4K r--s-    [ anon ]
FFFF80FFBF795000        340K r-x--  /lib/amd64/ld.so.1
FFFF80FFBF7FA000         12K rwx--  /lib/amd64/ld.so.1
FFFF80FFBF7FD000          8K rwx--  /lib/amd64/ld.so.1
FFFF80FFBFFFD000         12K rw---    [ stack ]
 total                 2556K

root@solaris:~# sxadm exec -s aslr=disable /usr/bin/pmap self
1915:   /usr/bin/pmap self
0000000000400000         28K r-x--  /usr/bin/pmap
0000000000417000          4K rw---  /usr/bin/pmap
0000000000418000         40K rw---    [ heap ]
FFFF80FFBDDD0000        216K r-x--  /lib/amd64/libproc.so.1
FFFF80FFBDE16000          8K rw---  /lib/amd64/libproc.so.1
FFFF80FFBF430000       1764K r-x--  /lib/amd64/libc.so.1
FFFF80FFBF5F9000         64K rw---  /lib/amd64/libc.so.1
FFFF80FFBF609000         12K rw---  /lib/amd64/libc.so.1
FFFF80FFBF740000          4K rw---    [ anon ]
FFFF80FFBF750000         24K rwx--    [ anon ]
FFFF80FFBF760000          4K rw---    [ anon ]
FFFF80FFBF770000          4K rw---    [ anon ]
FFFF80FFBF780000          4K rw---    [ anon ]
FFFF80FFBF790000          4K rw---    [ anon ]
FFFF80FFBF792000          4K r--s-    [ anon ]
FFFF80FFBF795000        340K r-x--  /lib/amd64/ld.so.1
FFFF80FFBF7FA000         12K rwx--  /lib/amd64/ld.so.1
FFFF80FFBF7FD000          8K rwx--  /lib/amd64/ld.so.1
FFFF80FFBFFFD000         12K rw---    [ stack ]
 total                 2556K

root@solaris:~# sxadm exec -s aslr=enable /usr/bin/pmap self
1917:   /usr/bin/pmap self
0000000000400000         28K r-x--  /usr/bin/pmap
0000000000417000          4K rw---  /usr/bin/pmap
0000000000418000          8K rw---  /usr/bin/pmap
00000005D6666000         36K rw---    [ heap ]
00007FF669C70000        216K r-x--  /lib/amd64/libproc.so.1
00007FF669CB6000          8K rw---  /lib/amd64/libproc.so.1
00007FF669CC0000          4K rw---    [ anon ]
00007FF669CD0000         24K rwx--    [ anon ]
00007FF669CE0000          4K rw---    [ anon ]
00007FF669CF0000       1764K r-x--  /lib/amd64/libc.so.1
00007FF669EB9000         64K rw---  /lib/amd64/libc.so.1
00007FF669EC9000         12K rw---  /lib/amd64/libc.so.1
00007FF669ED0000          4K rw---    [ anon ]
00007FF669EE0000          4K rw---    [ anon ]
00007FF669EF0000          4K rw---    [ anon ]
00007FF669EF2000          4K r--s-    [ anon ]
00007FF669EFC000        340K r-x--  /lib/amd64/ld.so.1
00007FF669F61000         12K rwx--  /lib/amd64/ld.so.1
00007FF669F64000          8K rwx--  /lib/amd64/ld.so.1
FFFF80DDA254F000         16K rw---    [ stack ]
 total                 2564K

root@solaris:~# sxadm exec -s aslr=enable /usr/bin/pmap self
1918:   /usr/bin/pmap self
0000000000400000         28K r-x--  /usr/bin/pmap
0000000000417000          4K rw---  /usr/bin/pmap
0000000000418000          8K rw---  /usr/bin/pmap
000000065B76D000         36K rw---    [ heap ]
00007FFAACFC0000        216K r-x--  /lib/amd64/libproc.so.1
00007FFAAD006000          8K rw---  /lib/amd64/libproc.so.1
00007FFAAD010000          4K rw---    [ anon ]
00007FFAAD020000         24K rwx--    [ anon ]
00007FFAAD030000          4K rw---    [ anon ]
00007FFAAD040000       1764K r-x--  /lib/amd64/libc.so.1
00007FFAAD209000         64K rw---  /lib/amd64/libc.so.1
00007FFAAD219000         12K rw---  /lib/amd64/libc.so.1
00007FFAAD220000          4K rw---    [ anon ]
00007FFAAD230000          4K rw---    [ anon ]
00007FFAAD240000          4K rw---    [ anon ]
00007FFAAD242000          4K r--s-    [ anon ]
00007FFAAD24D000        340K r-x--  /lib/amd64/ld.so.1
00007FFAAD2B2000         12K rwx--  /lib/amd64/ld.so.1
00007FFAAD2B5000          8K rwx--  /lib/amd64/ld.so.1
FFFF80DE1559E000         12K rw---    [ stack ]

root@solaris:~# sxadm info
EXTENSION           STATUS                    CONFIGURATION
aslr                enabled (tagged-files)    system default (default)
root@solaris:~# elfdump -d /usr/bin/pmap | grep ASLR
      [33]  SUNW_ASLR         0x2                 ENABLE
root@solaris:~# elfedit -e 'dyn:sunw_aslr disable' /usr/bin/pmap
root@solaris:~# elfdump -d /usr/bin/pmap | grep ASLR
      [33]  SUNW_ASLR         0x1                 DISABLE

root@solaris:~# sxadm enable -c model=all aslr
root@solaris:~# sxadm info
EXTENSION           STATUS                    CONFIGURATION
aslr                enabled (all)             enabled (all)

root@solaris:~# sxadm disable aslr
root@solaris:~# sxadm info
EXTENSION           STATUS                    CONFIGURATION
aslr                disabled                  disabled

root@solaris:~# sxadm enable -c model=tagged-files aslr
root@solaris:~# sxadm info
EXTENSION           STATUS                    CONFIGURATION
aslr                enabled (tagged-files)    enabled (tagged-files)
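The four pmap listings above make the effect visible by eye; as an added example (not from the slides) here is a small Python script that does the comparison mechanically: it parses two pmap(1) listings of the same program, pairs the mappings by permission flags and object name, and reports which ones changed base address. The listings are shortened, constructed copies of the slide output (a few mappings per run), and the rule "ASLR is effective when heap or stack moved" is an assumption chosen because the non-PIE executable at 0x400000 is expected to stay put either way.

```python
import re
from collections import defaultdict

# Shortened constructed copies of the pmap(1) listings from the slides: two
# runs with ASLR disabled and two with it enabled (only a few mappings each).
DISABLED_RUN_1 = """\
1914:   /usr/bin/pmap self
0000000000400000         28K r-x--  /usr/bin/pmap
0000000000418000         40K rw---    [ heap ]
FFFF80FFBF430000       1764K r-x--  /lib/amd64/libc.so.1
FFFF80FFBFFFD000         12K rw---    [ stack ]
 total                 2556K
"""
DISABLED_RUN_2 = DISABLED_RUN_1.replace("1914:", "1915:")
ENABLED_RUN_1 = """\
1917:   /usr/bin/pmap self
0000000000400000         28K r-x--  /usr/bin/pmap
00000005D6666000         36K rw---    [ heap ]
00007FF669CF0000       1764K r-x--  /lib/amd64/libc.so.1
FFFF80DDA254F000         16K rw---    [ stack ]
 total                 2564K
"""
ENABLED_RUN_2 = """\
1918:   /usr/bin/pmap self
0000000000400000         28K r-x--  /usr/bin/pmap
000000065B76D000         36K rw---    [ heap ]
00007FFAAD040000       1764K r-x--  /lib/amd64/libc.so.1
FFFF80DE1559E000         12K rw---    [ stack ]
"""

# start address, size in K, five permission flags, mapped object
MAP_LINE = re.compile(r"^([0-9A-Fa-f]+)\s+(\d+)K\s+([rwxs-]{5})\s+(.+?)\s*$")


def parse_pmap(text):
    """Return [(start, size_kb, perms, name)] in listing order; the pid line
    and the 'total' line do not match the mapping pattern and are skipped."""
    rows = []
    for line in text.splitlines():
        m = MAP_LINE.match(line.strip())
        if m:
            rows.append((int(m.group(1), 16), int(m.group(2)), m.group(3), m.group(4)))
    return rows


def _by_object(rows):
    """Group start addresses by (perms, name), keeping listing order so the
    n-th segment of libc in one run is compared with the n-th in the other."""
    groups = defaultdict(list)
    for start, _size, perms, name in rows:
        groups[(perms, name)].append(start)
    return groups


def moved_mappings(run_a, run_b):
    """Names of mappings whose start address differs between the two runs."""
    a, b = _by_object(parse_pmap(run_a)), _by_object(parse_pmap(run_b))
    moved = set()
    for key in a.keys() | b.keys():
        if a.get(key) != b.get(key):
            moved.add(key[1])
    return sorted(moved)


def aslr_effective(run_a, run_b):
    """True when heap or stack moved between runs (assumed rule): a fixed-address
    executable such as the non-PIE /usr/bin/pmap at 0x400000 never moves."""
    return bool({"[ heap ]", "[ stack ]"} & set(moved_mappings(run_a, run_b)))


if __name__ == "__main__":
    print("aslr=disable moved:", moved_mappings(DISABLED_RUN_1, DISABLED_RUN_2))
    print("aslr=enable  moved:", moved_mappings(ENABLED_RUN_1, ENABLED_RUN_2))
```

Run it against real captures by pasting two `sxadm exec -s aslr=enable /usr/bin/pmap self` outputs into the two strings; a binary tagged DISABLE with elfedit, as on the slide, will show an empty "moved" list even when the system-wide model is `all`.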
pfedit

root@template:/etc/apache2/2.2# profiles -p "httpd edit"
profiles:httpd edit> set auths=solaris.admin.edit//etc/apache2/2.2/httpd.conf
profiles:httpd edit> set desc="Edit httpd"
profiles:httpd edit> exit

root@template:/etc/apache2/2.2# usermod -P +"httpd edit" junior

junior@template:~$ profiles
httpd edit
Basic Solaris User
All

junior@template:~$ vi /etc/apache2/2.2/httpd.conf

junior@template:~$ pfedit /etc/apache2/2.2/httpd.conf
pfedit: /etc/apache2/2.2/httpd.conf has been updated.

junior@template:~$ pfedit /etc/apache2/2.2/mime.types
pfedit: User junior is not authorized to edit the file /etc/apache2/2.2/mime.types

root@template:/etc/apache2/2.2# profiles -p "httpd edit"
profiles:httpd edit> info
        name=httpd edit
        desc=Edit httpd
        auths=solaris.admin.edit//etc/apache2/2.2/httpd.conf
profiles:httpd edit> add auths=solaris.admin.edit//etc/apache2/2.2/mime.types

junior@template:~$ pfedit /etc/apache2/2.2/mime.types
pfedit: no changes for /etc/apache2/2.2/mime.types

profiles -p "httpd configure"
profiles:httpd configure> add always_audit=as
profiles:httpd configure> info
        name=httpd configure
        desc=Configure httpd
        auths=solaris.admin.edit//etc/apache2/2.2/httpd.conf,solaris.admin.edit//etc/apache2/2.2/mime.types
        always_audit=as
        never_audit=no
profiles:httpd configure> exit
root@template:~#

root@template:~# auditreduce -c as | praudit

[...]
header,486,2,edit administrative file,,fe80::a00:27ff:fea6:33cb,2013-08-12 07:45:52.306 +00:00
subject,junior,junior,staff,junior,staff,4212,447467166369 136704 MacBook-Pro-of-c0t0d0s0.fritz.box
path,/etc/apache2/2.2/httpd.conf
use of authorization,solaris.admin.edit//etc/apache2/2.2/httpd.conf
text,--- /etc/apache2/2.2/httpd.conf        Mo Aug 12 07:45:00 2013
+++ /etc/apache2/2.2/httpd.conf.pfedit.1BaGoi       Mo Aug 12 07:45:52 2013
@@ -1,5 +1,6 @@
 # Test
 # Test 2
+# Test 3
 #
 # This is the main Apache HTTP server configuration file.  It contains the
 # configuration directives that give the server its instructions.
return,success,0
Delegating privilege to restart services (so you can keep the root password)

junior@template:~$ svcadm refresh apache22
svcadm: svc:/network/http:apache22: Permission denied.

svcs -a | grep apache22
online         15:30:29 svc:/network/http:apache22

auths add -t "Apache22 value" solaris.smf.value.http.apache22
auths add -t "Apache22 action" solaris.smf.action.http.apache22

svccfg -s apache22 setprop general/value_authorization = astring: solaris.smf.value.http.apache22
svccfg -s apache22 setprop general/action_authorization = astring: solaris.smf.action.http.apache22

profiles -p "httpd edit" 'add auths=solaris.smf.action.http.apache22'

junior@template:~$ svcadm refresh apache22
junior@template:~$
Privileges

$ ls -l /usr/sbin/traceroute
-r-sr-xr-x   1 root     bin        42324 Nov 21 00:09 /usr/sbin/traceroute
$ ls -l /usr/sbin/ping
-r-sr-xr-x   1 root     bin        51396 Nov 18 19:31 /usr/sbin/ping

set-uid to root: ping needs it to work.

# chmod -s /sbin/ping
# exit
$ ping -s 1921681132
ping: socket Permission denied

Remove the set-uid bit and ping will stop working.

jmoekamp@daddelkiste:~$ ppriv $$
2153:   -bash
flags = <none>
        E: basic
        I: basic
        P: basic
        L: all
contract_event, contract_identity, contract_observer, cpc_cpu, dtrace_kernel, dtrace_proc, dtrace_user,
file_chown, file_chown_self, file_dac_execute, file_dac_read, file_dac_search, file_dac_write, file_downgrade_sl, file_flag_set, file_link_any, file_owner, file_read, file_setid, file_upgrade_sl, file_write,
graphics_access, graphics_map,
ipc_dac_read, ipc_dac_write, ipc_owner,
net_access, net_bindmlp, net_icmpaccess, net_mac_aware, net_mac_implicit, net_observability, net_privaddr, net_rawaccess,
proc_audit, proc_chroot, proc_clock_highres, proc_exec, proc_fork, proc_info, proc_lock_memory, proc_owner, proc_priocntl, proc_session, proc_setid, proc_taskid, proc_zone,
sys_acct, sys_admin, sys_audit, sys_config, sys_devices, sys_dl_config, sys_flow_config, sys_ib_config, sys_ib_info, sys_ip_config, sys_ipc_config, sys_iptun_config, sys_linkdir, sys_mount, sys_net_config, sys_nfs, sys_ppp_config, sys_res_bind, sys_res_config, sys_resource, sys_share, sys_smb, sys_suser_compat, sys_time, sys_trans_label,
win_colormap, win_config, win_dac_read, win_dac_write, win_devices, win_dga, win_downgrade_sl, win_fontpath, win_mac_read, win_mac_write, win_selection, win_upgrade_sl
All privileges in their entirety assigned to one user are
(almost)
Neat extension in Solaris 11: the ability to use networking is now a privilege (net_access). It's part of the default set of privileges, but you can remove it.
jmoekamp@daddelkiste:~$ ppriv -v $$
2153:   -bash
flags = <none>
        E: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
        I: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
        P: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
        L: contract_event,contract_identity,contract_observer,cpc_cpu,dtrace_kernel,dtrace_proc,dtrace_user,file_chown,file_chown_self,file_dac_execute,file_dac_read,file_dac_search,file_dac_write,file_downgrade_sl,file_flag_set,file_link_any,file_owner,file_read,file_setid,file_upgrade_sl,file_write,graphics_access,graphics_map,ipc_dac_read,ipc_dac_write,ipc_owner,net_access,net_bindmlp,net_icmpaccess,net_mac_aware,net_mac_implicit,net_observability,net_privaddr,net_rawaccess,proc_audit,proc_chroot,proc_clock_highres,proc_exec,proc_fork,proc_info,proc_lock_memory,proc_owner,proc_priocntl,proc_session,proc_setid,proc_taskid,proc_zone,sys_acct,sys_admin,sys_audit,sys_config,sys_devices,sys_dl_config,sys_flow_config,sys_ib_config,sys_ib_info,sys_ip_config,sys_ipc_config,sys_iptun_config,sys_linkdir,sys_mount,sys_net_config,sys_nfs,sys_ppp_config,sys_res_bind,sys_res_config,sys_resource,sys_share,sys_smb,sys_suser_compat,sys_time,sys_trans_label,win_colormap,win_config,win_dac_read,win_dac_write,win_devices,win_dga,win_downgrade_sl,win_fontpath,win_mac_read,win_mac_write,win_selection,win_upgrade_sl

root@daddelkiste:~# ppriv $$
2183:   -bash
flags = <none>
        E: all
        I: basic
        P: all
        L: all
junior@daddelkiste:~$ dtrace -n 'syscall:::entry { @num[execname] = count(); }'
dtrace: failed to initialize dtrace: DTrace requires additional privileges

root@daddelkiste:~# usermod -K defaultpriv=basic,dtrace_kernel,dtrace_proc,dtrace_user junior
UX: usermod: junior is currently logged in, some changes may not take effect until next login.

junior@daddelkiste:~$ dtrace -n 'syscall:::entry { @num[execname] = count(); }'
dtrace: description 'syscall:::entry' matched 211 probes
^C

  automountd                                                        1
  sshd                                                             24
  dtrace                                                          544
  auditd                                                          564
ps -ef | grep kcfd
  daemon   125     1   0 14:24:19 ?           0:00 /usr/lib/crypto/kcfd
    root   734   728   0 15:54:08 pts/1       0:00 grep kcfd
ppriv -v 125
125:    /usr/lib/crypto/kcfd
flags = PRIV_AWARE
        E: file_owner,proc_priocntl,sys_devices
        I: none
        P: file_owner,proc_priocntl,sys_devices
        L: none
svcadm -v enable -s apache2
svc:/network/http:apache2 enabled.

jmoekamp@client:~$ ps -ef | grep http
webservd  1978  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1979  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1980  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1984  1975   0 12:20:02 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
    root  1975     1   0 12:19:14 ?           0:01 /usr/apache2/2.2/bin/httpd -k start
webservd  1977  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1976  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start

root@client:~# ppriv 1977
1977:   /usr/apache2/2.2/bin/httpd -k start
flags = <none>
        E: basic
        I: basic
        P: basic
        L: all
root@client:~# ppriv 1975
1975:   /usr/apache2/2.2/bin/httpd -k start
flags = <none>
        E: all
        I: basic
        P: all
        L: all
root@client:~#
The Apache process running as root has the following privileges: the full list shown above (E: all).
The other processes have the following privileges: the basic set (E: basic).
Apache really needs only a small subset of them.
So you grant a large number of privileges to one process that Apache doesn't need.
# svcadm -v disable -s apache2
svc:/network/http:apache2 disabled.

root@client:~# svccfg -s apache22
svc:/network/http:apache22> setprop start/user = astring: webservd
svc:/network/http:apache22> setprop start/group = astring: webservd
svc:/network/http:apache22> setprop start/privileges = astring: basic,proc_session,proc_info,file_link_any,net_privaddr
svc:/network/http:apache22> setprop start/limit_privileges = astring: :default
svc:/network/http:apache22> setprop start/use_profile = boolean: false
svc:/network/http:apache22> setprop start/supp_groups = astring: :default
svc:/network/http:apache22> setprop start/working_directory = astring: :default
svc:/network/http:apache22> setprop start/project = astring: :default
svc:/network/http:apache22> setprop start/resource_pool = astring: :default
svc:/network/http:apache22> end
root@client:~# svcadm -v refresh apache22
Action refresh set for svc:/network/http:apache22.

# echo "LockFile /var/apache2/2.2/logs/accept.lock" >> /etc/apache2/2.2/httpd.conf
# echo "PidFile /var/apache2/2.2/run/httpd.pid" >> /etc/apache2/2.2/httpd.conf
# mkdir -p -m 755 /var/apache2/2.2/run
# chown webservd:webservd /var/apache2/2.2/run
# svcadm enable apache22

The httpd processes now run as webservd with the reduced privilege set:
webservd  3064  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3062  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3063  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3066  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3061     1   0 16:49:17 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3065  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
Read-only zone root
zonecfg:testzone> set file-mac-profile=none
    Standard read-write non-global zone, no additional protection beyond the existing zones boundaries.
zonecfg:testzone> set file-mac-profile=strict
    Read-only file system, no exceptions.
zonecfg:testzone> set file-mac-profile=fixed-configuration
    Permits updates to /var/* directories, with the exception of directories that contain system configuration components.
zonecfg:testzone> set file-mac-profile=flexible-configuration
    Permits modification of files in /etc/* directories, changes to root's home directory, and updates to /var/* directories. This configuration provides the closest functionality to the Oracle Solaris 10 native sparse root zone.
in-kernel SSL Proxy
# mkdir /etc/keys
# cd /etc/keys
# openssl req -x509 -nodes -days 365 -subj "/C=DE/ST=Hamburg/L=Hamburg/CN=server" -newkey rsa:1024 -keyout /etc/keys/mykey.pem -out /etc/keys/mycert.pem
# cat mycert.pem mykey.pem > my.pem
# chmod 600 my.pem

# echo "pass" > /etc/keys/mypass
# ksslcfg create -f pem -i /etc/keys/my.pem -x 8080 -p /etc/keys/mypass server 443

The same with an explicit cipher suite list:
# ksslcfg create -f pem -i /etc/keys/my.pem -x 8080 -p /etc/keys/mypass -c "rsa_aes_256_cbc_sha,rsa_aes_128_cbc_sha,rsa_rc4_128_sha,rsa_rc4_128_md5" server 443

# svcs -a | grep kssl
online          9:03:33 svc:/network/ssl/proxy:kssl-server-443

# svcadm disable apache22
# echo "Listen 192.168.178.108:8080" >> /etc/apache2/2.2/httpd.conf
# svcadm enable apache22
Port number and IP address have to be defined in httpd.conf, otherwise it will not work.

$ openssl s_client -connect server:443
CONNECTED(00000004)
depth=0 /C=DE/ST=Hamburg/L=Hamburg/CN=server
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=DE/ST=Hamburg/L=Hamburg/CN=server
verify return:1
---
Certificate chain
 0 s:/C=DE/ST=Hamburg/L=Hamburg/CN=server
   i:/C=DE/ST=Hamburg/L=Hamburg/CN=server
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICoTCCAgqgAwIBAgIJAKyJdj[...]V5jX3MU=
-----END CERTIFICATE-----
subject=/C=DE/ST=Hamburg/L=Hamburg/CN=server
issuer=/C=DE/ST=Hamburg/L=Hamburg/CN=server
---
No client certificate CA names sent
---
SSL handshake has read 817 bytes and written 328 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-SHA
    Session-ID: 32CEF20CB9FE2A71C74D40BB2DB5CB304DA1B57540B7CFDD113915B99DBE9812
    Session-ID-ctx:
    Master-Key: 1E7B502390951124779C5763B5E4BBAF0A9B0693D08DCA8A587B503A5C5027B6FAD9CA7626B1AD8C62219E8502A5C21E
    Key-Arg   : None
    Start Time: 1242985143
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
GET / HTTP/1.0

HTTP/1.1 200 OK
Date: Fri, 22 May 2009 09:39:13 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8a DAV/2
Last-Modified: Thu, 21 May 2009 21:26:30 GMT
ETag: "341f3-2c-46a72cc211a8f"
Accept-Ranges: bytes
Content-Length: 44
Connection: close
Content-Type: text/html

<html><body><h1>It works!</h1></body></html>
read:errno=0
ZFS Encryption
# zfs create -o encryption=on rpool/export/project

Two keys are involved: the wrapping key is user settable, and its keysource can be prompt, file://, https:// or pkcs11:. The data encryption key is random and not user settable.

Values of the encryption property: aes-128-ccm (=on), aes-192-ccm, aes-256-ccm, aes-128-gcm, aes-192-gcm, aes-256-gcm

# zfs set checksum=sha256+mac <dataset>
If encryption is anything but off, this happens automatically. The checksum property is read-only from then on.

# pktool genkey keystore=pkcs11 keytype=aes keylen=128 label=mykey
Enter PIN for Sun Software PKCS#11 softtoken  :
# zfs create -o encryption=on -o keysource=raw,pkcs11:object=mykey tank/project/C
Enter PKCS#11 token PIN for 'tank/project/C':

# zfs create -o encryption=on -o keysource=raw,https://keys.example.com/mykey tank/project/R
# cp myserver.cert.pem /etc/certs/CA
# svcadm refresh ca-certificates

$ zfs key -c rpool/export/project
Enter new passphrase for 'rpool/export/project':
Changing the wrapping key.

# zfs key -K tank/project/A
# zfs clone -K tank/project/A@montag tank/project/D
Changing the encryption key for data written from now on: zfs key -K creates a new data encryption key. Data written in the clone uses the new data encryption key, which is distinct from that of its original snapshot.
Solaris Cryptographic Framework
As soon as Solaris detects hardware acceleration for cryptography, Solaris will use it (and so do applications using the Oracle-supplied OpenSSL library or the direct interfaces):
• on-chip crypto accelerator in T and current M series chips
• instruction set extensions in Intel processors (AES-NI)
• supported crypto accelerator cards

Just a side note: T-series crypto acceleration and Intel x86 acceleration have quite different performance characteristics.
T-series: acceleration by offloading crypto outside the pipeline.
Intel x86: acceleration by offering special in-pipeline instructions to speed up execution.
Sounds like splitting hairs.
Using ZFS to do two-factor encryption
jmoekamp@solaris:~$ rmformat
Looking for devices...
     1. Logical Node: /dev/rdsk/c10t0d0p0
        Physical Node: /pci@0,0/pci8086,265c@b/storage@2/disk@0,0
        Connected Device: SanDisk  U3 Cruzer Micro 8.02
        Device Type: Removable
        Bus: USB
        Size: 3.8 GB
        Label:
        Access permissions: Medium is not write protected.
(...)
     3. Logical Node: /dev/rdsk/c9t0d0p0
        Physical Node: /pci@0,0/pci8086,265c@b/storage@1/disk@0,0
        Connected Device: SanDisk  U3 Cruzer Micro 8.02
        Device Type: Removable
        Bus: USB
        Size: 3.8 GB
        Label:
        Access permissions: Medium is not write protected.

root@solaris:~# zpool create a_keystore_usbstick /dev/dsk/c10t0d0p0
root@solaris:~# zpool create datastick /dev/dsk/c9t0d0p0

root@solaris:~# zfs create -o encryption=on a_keystore_usbstick/keys
Enter passphrase for 'a_keystore_usbstick/keys': supersecret
Enter again: supersecret

root@solaris:~# pktool genkey keystore=file keytype=aes keylen=128 outkey=/a_keystore_usbstick/keys/joergsdatastick.key

root@solaris:~# zfs create -o encryption=on -o keysource=raw,file:///a_keystore_usbstick/keys/joergsdatastick.key datastick/joergssecrets

root@solaris:/datastick/joergssecrets# mv /home/jmoekamp/highlyconfidential_nda_preso.tgz .

root@solaris:~# zpool export a_keystore_usbstick
root@solaris:~# zpool export datastick

root@solaris:~# zpool import a_keystore_usbstick
Enter passphrase for 'a_keystore_usbstick/keys': supersecret
root@solaris:~#

root@solaris:~# zpool import datastick
root@solaris:~# cd /datastick/joergssecrets
root@solaris:/datastick/joergssecrets# ls
highconfidential_nda_preso.tgz
Basic Auditing and Reporting Tool
# mkdir /bart-files
# bart create -R /etc > /bart-files/etc.control.manifest

# cat etc.control.manifest | grep nsswitch.nisplus
/nsswitch.nisplus F 2525 100644 user::rw-,group::r--,mask:r--,other:r-- 473976b5 0 3 79e8fd689a5221d1cd059e5077da71b8

# touch /etc/thisisjustatest
# chmod 777 /etc/nsswitch.files
# echo "just a test" >> /etc/nsswitch.nisplus

# bart create -R /etc > /bart-files/etc.check20130911.manifest

# cd /bart-files
# bart compare etc.control.manifest etc.check20130911.manifest
/nsswitch.files:
  mode  control:100644  test:100777
  acl  control:user::rw-,group::r--,mask:r--,other:r--  test:user::rwx,group::rwx,mask:rwx,other:rwx
/nsswitch.nisplus:
  size  control:2525  test:2538
  mtime  control:473976b5  test:47a44862
  contents  control:79e8fd689a5221d1cd059e5077da71b8  test:3f79176ec352441db11ec8a3d02ef67c
/thisisjustatest:
  add

Find more information regarding this feature at http://www.c0t0d0s0.org/archives/4069-Less-known-Solaris-features-BART.html
Apropos Auditing
Auditing is activated by default
root@client:~# auditconfig -getflags
active user default audit flags = lo(0x1000,0x1000)
configured user default audit flags = lo(0x1000,0x1000)
root@client:~# auditconfig -getnaflags
active non-attributable audit flags = lo(0x1000,0x1000)
configured non-attributable audit flags = lo(0x1000,0x1000)

root@client:~# auditconfig -getpolicy
configured audit policies = cnt
active audit policies = cnt
Policy regarding auditing (explanation on the next slide).

root@client:~# auditconfig -lspolicy
policy string    description
ahlt             halt machine if it can not record an async event
all              all policies
arge             include exec environment args in audit recs
argv             include exec command line args in audit recs
cnt              when no more space, drop recs and keep a cnt
group            include supplementary groups in audit recs
none             no policies
path             allow multiple paths per event
perzone          use a separate queue and auditd per zone
public           audit public files
seq              include a sequence number in audit recs
trail            include trailer token in audit recs
windata_down     include downgraded window information in audit recs
windata_up       include upgraded window information in audit recs
zonename         include zonename token in audit recs
Which degree of detail? What happens with full disks?

root@client:~# auditconfig -getplugin
Plugin: audit_binfile (active)
    Attributes: p_dir=/var/audit;p_fsize=0;p_minfree=1;
Plugin: audit_syslog (inactive)
    Attributes: p_flags=;
Plugin: audit_remote (inactive)
    Attributes: p_hosts=;p_retries=3;p_timeout=5;

root@client:~# auditconfig -setflags lo,ps,fw
user default audit flags = ps,lo,fw(0x101002,0x101002)
root@client:~# auditconfig -setnaflags lo,na
non-attributable audit flags = lo,na(0x1400,0x1400)
lo and na are the only sensible flags for non-attributable events.

root@client:~# usermod -K audit_flags=fw,as junior

root@client:~# auditconfig -lsevent | grep " lo "
AUE_login                6152 lo        login - local
AUE_logout               6153 lo        logout
AUE_telnet               6154 lo        login - telnet
AUE_rlogin               6155 lo        login - rlogin
AUE_rshd                 6158 lo        rsh access
AUE_su                   6159 lo        su
AUE_rexecd               6162 lo        rexecd
AUE_passwd               6163 lo        passwd
AUE_rexd                 6164 lo        rexd
AUE_ftpd                 6165 lo        ftp access
AUE_ftpd_logout          6171 lo        ftp logout
AUE_ssh                  6172 lo        login - ssh
AUE_role_login           6173 lo        role login
AUE_rad_login            6174 lo        connect to RAD
AUE_newgrp_login         6212 lo        newgrp login
AUE_admin_authenticate   6213 lo        admin login
AUE_screenlock           6221 lo        screenlock - lock
AUE_screenunlock         6222 lo        screenlock - unlock
AUE_zlogin               6227 lo        login - zlogin
AUE_su_logout            6228 lo        su logout
AUE_role_logout          6229 lo        role logout
AUE_smbd_session         6244 lo        smbd(1m) session setup
AUE_smbd_logoff          6245 lo        smbd(1m) session logoff

root@client:~# auditconfig -lsevent | grep " ps "
AUE_EXIT                    1 ps        exit(2)
AUE_FORKALL                 2 ps        forkall(2)
AUE_VFORK                  25 ps        vfork(2)
AUE_FORK1                 241 ps        fork1(2)
root@client:~# auditconfig -lsevent | grep " fw "
AUE_OPEN_W                 76 fw        open(2) - write

root@client:~# auditreduce -c ps /var/audit/20130912183630.not_terminated.client | praudit
header,139,2,execve(2),,client,2013-09-12 18:40:55.924 +00:00
path,/usr/sbin/auditreduce
attribute,100555,root,bin,65538,65875,18446744073709551615
subject,jmoekamp,root,root,root,root,2054,1440080956,2480 202240 192.168.10.1
return,success,0

root@client:~# auditconfig -setflags all
user default audit flags = all(0xffffffffffffffff,0xffffffffffffffff)
Not always (in the sense of: never) a good idea.
Useful after trying things out, to start a new audit file:
root@client:~# audit -n

root@client:~# auditstat
   gen nona  kern aud ctl   enq  wrtn wblk rblk drop  tot mem
 38248    1 38233  14   0 37791 37788    0 3491  457 5169   0
all activated for a few seconds on an unloaded system
SSH and X.509

root@ca:~# CA.pl -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
.............++++++
.............++++++
writing new private key to '/etc/openssl/private/cakey.pem'
Enter PEM pass phrase: supersecret1
Verifying - Enter PEM pass phrase: supersecret1
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:DE
State or Province Name (full name) []:Lower Saxony
Locality Name (eg, city) []:Lueneburg
Organization Name (eg, company) []:c0t0d0s0.org
Organizational Unit Name (eg, section) []:Security Department
Common Name (eg, server FQDN or YOUR name) []:CA
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openssl/openssl.cnf
Enter pass phrase for /etc/openssl/private/cakey.pem: supersecret1
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: b3:54:80:88:66:ad:e8:78
        Validity
            Not Before: Sep 26 10:11:09 2013 GMT
            Not After : Sep 25 10:11:09 2016 GMT
        Subject:
            countryName               = DE
            stateOrProvinceName       = Lower Saxony
            organizationName          = c0t0d0s0.org
            organizationalUnitName    = Security Department
            commonName                = CA
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44
            X509v3 Authority Key Identifier:
                keyid:5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44

            X509v3 Basic Constraints:
                CA:TRUE
Certificate is to be certified until Sep 25 10:11:09 2016 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated
root@ca:~# mkdir server
root@ca:~# cd server
root@ca:~/server# CA.pl -newreq
Generating a 1024 bit RSA private key
.............++++++
.............++++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase: supersecret2
Verifying - Enter PEM pass phrase: supersecret2
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:DE
State or Province Name (full name) []:Lower Saxony
Locality Name (eg, city) []:Lueneburg
Organization Name (eg, company) []:c0t0d0s0.org
Organizational Unit Name (eg, section) []:Server Certificates
Common Name (eg, server FQDN or YOUR name) []:server
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem

root@ca:~/server# CA.pl -signreq
Using configuration from /etc/openssl/openssl.cnf
Enter pass phrase for /etc/openssl/private/cakey.pem: supersecret1
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: b3:54:80:88:66:ad:e8:79
        Validity
            Not Before: Sep 26 10:29:12 2013 GMT
            Not After : Sep 26 10:29:12 2014 GMT
        Subject:
            countryName               = DE
            stateOrProvinceName       = Lower Saxony
            localityName              = Lueneburg
            organizationName          = c0t0d0s0.org
            organizationalUnitName    = Server Certificates
            commonName                = server
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                A7:DC:03:DE:B3:D5:FB:F9:C0:06:F1:1A:55:A9:AD:04:C4:9C:10:FA
            X509v3 Authority Key Identifier:
                keyid:5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44

Certificate is to be certified until Sep 26 10:29:12 2014 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
root@ca:~/server# ls -l
total 15
-rw-r--r--   1 root     root        3196 Sep 26 12:29 newcert.pem
-rw-r--r--   1 root     root        1041 Sep 26 12:28 newkey.pem
-rw-r--r--   1 root     root         680 Sep 26 12:28 newreq.pem
root@ca:~/junior# CA.pl -newreq
Generating a 1024 bit RSA private key
.............++++++
.............++++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
Verify failure
Enter PEM pass phrase: supersecret3
Verifying - Enter PEM pass phrase: supersecret3
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:DE
State or Province Name (full name) []:Lower Saxony
Locality Name (eg, city) []:Lueneburg
Organization Name (eg, company) []:c0t0d0s0.org
Organizational Unit Name (eg, section) []:User certificates
Common Name (eg, server FQDN or YOUR name) []:junior
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem

root@ca:~/junior# CA.pl -signreq
Using configuration from /etc/openssl/openssl.cnf
Enter pass phrase for /etc/openssl/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: b3:54:80:88:66:ad:e8:7a
        Validity
            Not Before: Sep 26 11:09:29 2013 GMT
            Not After : Sep 26 11:09:29 2014 GMT
        Subject:
            countryName               = DE
            stateOrProvinceName       = Lower Saxony
            localityName              = Lueneburg
            organizationName          = c0t0d0s0.org
            organizationalUnitName    = User certificates
            commonName                = junior
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                A1:F2:FC:9D:8A:E2:AD:9A:F5:29:03:F5:B7:14:93:3C:64:62:8E:9C
            X509v3 Authority Key Identifier:
                keyid:5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44

Certificate is to be certified until Sep 26 11:09:29 2014 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
root@server:~# useradd -m junior
80 blocks
root@server:~# passwd junior
New Password:
Re-enter new Password:
passwd: password successfully changed for junior
root@server:~#

root@client:~# useradd -m junior
80 blocks
root@client:~# passwd junior
New Password:
Re-enter new Password:
passwd: password successfully changed for junior

root@server:~# echo "192.168.10.51 server" >> /etc/hosts
root@server:~# echo "192.168.10.52 client" >> /etc/hosts
root@client:~# echo "192.168.10.51 server" >> /etc/hosts
root@client:~# echo "192.168.10.52 client" >> /etc/hosts

root@ca:~/server# scp /etc/openssl/cacert.pem jmoekamp@192.168.1.109:/export/home/jmoekamp
Password:
cacert.pem           100% |*****************************|  3011       00:00
root@ca:~/server# scp newcert.pem jmoekamp@192.168.1.109:/export/home/jmoekamp
Password:
newcert.pem          100% |*****************************|  3196       00:00
root@ca:~/server# scp newkey.pem jmoekamp@192.168.1.109:/export/home/jmoekamp
Password:
newkey.pem           100% |*****************************|  1041       00:00

root@ca:~/junior# scp newkey.pem junior@client:/export/home/junior
Password:
newkey.pem           100% |*****************************|  1041       00:00
root@ca:~/junior# scp newcert.pem junior@client:/export/home/junior
Password:
newcert.pem          100% |*****************************|  3190       00:00
root@ca:~/junior# scp /etc/openssl/cacert.pem junior@192.168.1.104:/export/home/junior
Password:
cacert.pem           100% |*****************************|  3011       00:00
On the server

root@server:~# ls
cacert.pem  newcert.pem  newkey.pem

root@server:~# pktool setpin
Enter token passphrase: changeme
Create new passphrase: superserversecret
Re-enter new passphrase: superserversecret
Passphrase changed.
root@server:~#

root@server:~# printf "superserversecret" > /etc/ssh/pinfile

root@server:~# kmfcfg create dbfile=/etc/ssh/policy.xml policy=ssh ta-name=search mapper-name=cn

root@server:~# echo "TrustedAnchorKeystore /etc/ssh/cert" >> /etc/ssh/sshd_config
root@server:~# echo "KMFPolicyDatabase /etc/ssh/policy.xml" >> /etc/ssh/sshd_config
root@server:~# echo "KMFPolicyName ssh" >> /etc/ssh/sshd_config
root@server:~# echo "HostKey pkcs11:object=host;token=Sun Metaslot;pinfile=/etc/ssh/pinfile" >> /etc/ssh/sshd_config

root@server:~# pktool import keystore=pkcs11 infile=newkey.pem objtype=key label=host
Enter PIN for Sun Software PKCS#11 softtoken  : superserversecret
Enter PEM pass phrase: supersecret2
Importing 1 keys

root@server:~# egrep -v "^ |^$|^Cert" /export/home/jmoekamp/cacert.pem > /etc/ssh/cert/cacert.cooked.pem
root@server:~# egrep -v "^ |^$|^Cert" newcert.pem > newcert.cooked.pem
root@server:~# pktool import keystore=pkcs11 infile=newcert.cooked.pem objtype=cert label=host
root@server:~#
On the client

junior@client:~$ ls *.pem
cacert.pem  newcert.pem  newkey.pem

root@client:~# kmfcfg create dbfile=/etc/ssh/policy.xml policy=ssh ta-name=search mapper-name=cn
root@client:~# egrep -v "^ |^$|^Cert" /export/home/junior/cacert.pem > /etc/ssh/cert/cacert.cooked.pem

junior@client:~$ pktool setpin
Enter token passphrase: changeme
Create new passphrase: superusersecret
Re-enter new passphrase: superusersecret
Passphrase changed.

junior@client:~$ pktool import keystore=pkcs11 infile=newkey.pem objtype=key label=user
Enter PIN for Sun Software PKCS#11 softtoken  : superusersecret
Enter PEM pass phrase: supersecret3
Importing 1 keys
junior@client:~$ egrep -v "^ |^$|^Cert" newcert.pem > newcert.cooked.pem
junior@client:~$ pktool import keystore=pkcs11 infile=newcert.cooked.pem objtype=cert label=user
Testing it

root@server:~# svcadm disable ssh
root@server:~# svcadm enable ssh

junior@client:~$ cd .ssh
junior@client:~/.ssh$ printf "superusersecret" >> pinfile
junior@client:~/.ssh$ cat config
Host server-x509
    Hostname server
    TrustedAnchorKeystore /etc/ssh/cert
    KMFPolicyDatabase /etc/ssh/policy.xml
    KMFPolicyName ssh
    IdentityFile pkcs11:object=user;token=Sun Software PKCS#11 softtoken;pinfile=/export/home/junior/.ssh/pinfile

junior@client:~/.ssh$ ssh junior@server-x509
Last login: Thu Sep 26 20:07:14 2013 from client
Oracle Corporation      SunOS 5.11      11.1    September 2013
junior@server:~$

Find more information regarding this feature at http://www.c0t0d0s0.org/archives/7659-Using-X509-support-for-SSH-on-Solaris-11.1.html
OpenSCAP
"The Security Content Automation Protocol (SCAP) is a method for using specific standards to enable automated vulnerability management, measurement, and policy compliance evaluation (e.g., FISMA compliance). The National Vulnerability Database (NVD) is the U.S. government content repository for SCAP."
http://en.wikipedia.org/wiki/Security_Content_Automation_Protocol
ftp-banner.xml:

<?xml version="1.0" encoding="UTF-8"?>
<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:independent-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd">
  <generator>
    <oval:product_name>Enhanced SCAP Editor</oval:product_name>
    <oval:product_version>0.0.11</oval:product_version>
    <oval:schema_version>5.8</oval:schema_version>
    <oval:timestamp>2012-10-11T10:33:25</oval:timestamp>
  </generator>
  <!--generated.oval.base.identifier=com.oracle.solaris11-->
  <definitions>
    <definition id="oval:com.oracle.solaris11:def:840" version="1" class="compliance">
      <metadata>
        <title>Enable a Warning Banner for the FTP Service</title>
        <affected family="unix">
          <platform>Oracle Solaris 11</platform>
        </affected>
        <description>/etc/proftpd.conf contains DisplayConnect /etc/issue</description>
      </metadata>
      <criteria operator="AND" negate="false" comment="Single test">
        <criterion comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;" test_ref="oval:com.oracle.solaris11:tst:8400" negate="false"/>
      </criteria>
    </definition>
  </definitions>
  <tests>
    <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:com.oracle.solaris11:tst:8400" version="1" check="all" comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;" check_existence="all_exist">
      <object object_ref="oval:com.oracle.solaris11:obj:8400"/>
    </textfilecontent54_test>
  </tests>
  <objects>
    <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:com.oracle.solaris11:obj:8400" version="1" comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;">
      <path datatype="string" operation="equals">/etc</path>
      <filename datatype="string" operation="equals">proftpd.conf</filename>
      <pattern datatype="string" operation="pattern match">^DisplayConnect\s+/etc/issue\s*$</pattern>
      <instance datatype="int" operation="greater than or equal">1</instance>
    </textfilecontent54_object>
  </objects>
</oval_definitions>

$ oscap oval eval ftp-banner.xml
Definition oval:com.oracle.solaris11:def:840: false
Evaluation done.

$ oscap oval eval --results results.xml --report report.html ftp-banner.xml
Definition oval:com.oracle.solaris11:def:840: false
Evaluation done.
OVAL Results are exported correctly.
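To make visible what oscap decides for this definition and why, here is an added example (not from the slides and not OpenSCAP code): a tiny evaluator for the one textfilecontent54 check in ftp-banner.xml, run against a scratch /etc/proftpd.conf. It implements only what that file uses (criteria with operator AND, check_existence="all_exist", an instance bound of "greater than or equal") and ignores the rest of the OVAL language; the constructed OVAL below is a trimmed copy of the one above with the same ids.

```python
# Added example, not from the slides or from OpenSCAP: a minimal evaluator for
# the textfilecontent54 definition in ftp-banner.xml.
import os
import re
import tempfile
import xml.etree.ElementTree as ET

DEF_NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
IND_NS = DEF_NS + "#independent"

# Constructed, trimmed copy of ftp-banner.xml (same ids, same object).
FTP_BANNER_OVAL = f"""<oval_definitions xmlns="{DEF_NS}">
  <definitions>
    <definition id="oval:com.oracle.solaris11:def:840" version="1" class="compliance">
      <criteria operator="AND" negate="false">
        <criterion test_ref="oval:com.oracle.solaris11:tst:8400" negate="false"/>
      </criteria>
    </definition>
  </definitions>
  <tests>
    <textfilecontent54_test xmlns="{IND_NS}" id="oval:com.oracle.solaris11:tst:8400"
        version="1" check="all" check_existence="all_exist">
      <object object_ref="oval:com.oracle.solaris11:obj:8400"/>
    </textfilecontent54_test>
  </tests>
  <objects>
    <textfilecontent54_object xmlns="{IND_NS}" id="oval:com.oracle.solaris11:obj:8400" version="1">
      <path datatype="string" operation="equals">/etc</path>
      <filename datatype="string" operation="equals">proftpd.conf</filename>
      <pattern datatype="string" operation="pattern match">^DisplayConnect\\s+/etc/issue\\s*$</pattern>
      <instance datatype="int" operation="greater than or equal">1</instance>
    </textfilecontent54_object>
  </objects>
</oval_definitions>
"""


def _count_matches(obj, root):
    """Number of lines in the object's file matching its pattern; None if absent."""
    get = lambda tag: obj.find(f"{{{IND_NS}}}{tag}").text
    target = os.path.join(root, get("path").lstrip("/"), get("filename"))
    if not os.path.isfile(target):
        return None
    pattern = re.compile(get("pattern"))
    with open(target) as fh:
        return sum(1 for line in fh if pattern.search(line.rstrip("\n")))


def _eval_test(test, objects, root):
    obj = objects[test.find(f"{{{IND_NS}}}object").get("object_ref")]
    matches = _count_matches(obj, root)
    if matches is None:
        return False            # check_existence="all_exist": missing file fails
    bound = int(obj.find(f"{{{IND_NS}}}instance").text)
    return matches >= bound     # instance "greater than or equal" N: N matching lines


def _eval_criteria(criteria, tests, objects, root):
    results = []
    for child in criteria:
        if child.tag == f"{{{DEF_NS}}}criterion":
            r = _eval_test(tests[child.get("test_ref")], objects, root)
        else:                                    # nested <criteria>
            r = _eval_criteria(child, tests, objects, root)
        results.append(not r if child.get("negate") == "true" else r)
    return all(results) if criteria.get("operator", "AND") == "AND" else any(results)


def oval_eval(xml_text, root="/"):
    """Return {definition id: bool}, reading files relative to root."""
    doc = ET.fromstring(xml_text)
    tests = {t.get("id"): t for t in doc.find(f"{{{DEF_NS}}}tests")}
    objects = {o.get("id"): o for o in doc.find(f"{{{DEF_NS}}}objects")}
    return {d.get("id"): _eval_criteria(d.find(f"{{{DEF_NS}}}criteria"), tests, objects, root)
            for d in doc.find(f"{{{DEF_NS}}}definitions")}


def demo(proftpd_conf_text):
    """Evaluate def:840 against a scratch copy of /etc/proftpd.conf."""
    root = tempfile.mkdtemp(prefix="oval-demo-")
    os.makedirs(os.path.join(root, "etc"))
    with open(os.path.join(root, "etc", "proftpd.conf"), "w") as fh:
        fh.write(proftpd_conf_text)
    return oval_eval(FTP_BANNER_OVAL, root)["oval:com.oracle.solaris11:def:840"]
```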
To create your own OVAL files: Enhanced SCAP Content Editor

Find more information regarding this feature at https://blogs.oracle.com/darren/entry/compliance_reporting_with_scap
Sandboxing applications on Solaris 11.1

root@solaris:~# profiles -p "MySQL Service"
MySQL Service> set desc="Locking down the MySQL Service"
MySQL Service> add cmd=/lib/svc/method/mysql_51
MySQL Service:mysql_51> set privs=basic
MySQL Service:mysql_51> add privs={net_privaddr}:3306/tcp
MySQL Service:mysql_51> add privs={file_write}:/var/mysql/5.1/data/*
MySQL Service:mysql_51> add privs={file_write}:/tmp/mysql.sock
MySQL Service:mysql_51> add privs={file_write}:/var/tmp/ib*
MySQL Service:mysql_51> end
MySQL Service> set uid=mysql
MySQL Service> set gid=mysql
MySQL Service> exit
root@solaris:~#

root@solaris:~# svccfg -s mysql:version_51
svc:/application/database/mysql:version_51> setprop method_context/profile="MySQL Service"
svc:/application/database/mysql:version_51> setprop method_context/use_profile=true
svc:/application/database/mysql:version_51> refresh
svc:/application/database/mysql:version_51> exit

root@solaris:~# ipadm set-prop -p extra_priv_ports+=3306 tcp
root@solaris:~# ipadm show-prop -p extra_priv_ports tcp
PROTO PROPERTY         PERM CURRENT   PERSISTENT DEFAULT   POSSIBLE
tcp   extra_priv_ports rw   2049,4045 --         2049,4045 1-65535
                            3306

# svcadm enable mysql:version_51

root@solaris:~# ppriv $(pgrep mysql)
103697: /usr/mysql/5.1/bin/mysqld --basedir=/usr/mysql/5.1 --datadir=/var/mysq
flags = PRIV_XPOLICY
        Extended policies:
                net_privaddr:3306/tcp
                file_write:/var/mysql/5.1/data/*
                file_write:/tmp/mysql.sock
                file_write:/var/tmp/ib*
        E: basic,!file_write
        I: basic,!file_write
        P: basic,!file_write
        L: all
103609: /bin/sh /usr/mysql/5.1/bin/mysqld_safe --user=mysql --datadir=/var/mys
flags = PRIV_XPOLICY
        Extended policies:
                net_privaddr:3306/tcp
                file_write:/var/mysql/5.1/data/*
                file_write:/tmp/mysql.sock
                file_write:/var/tmp/ib*
        E: basic,!file_write
        I: basic,!file_write
        P: basic,!file_write
        L: all

Find more information regarding this feature at https://blogs.oracle.com/gfaden/entry/oracle_solaris_extended_policy_and
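The ppriv output above reads as a decision table: file_write is removed from the effective set and only granted again for the listed paths, and net_privaddr exists only for 3306/tcp. The added example below (not from the slides, not Solaris code) models that decision, including why the extra_priv_ports step matters: until 3306 is made a privileged port, binding it needs no privilege at all, so the net_privaddr policy would restrict nothing. Path matching uses Python's fnmatch as a stand-in for the kernel's glob matching, and the basic set is the Solaris 11 default.

```python
# Added example, not from the slides or from Solaris: a model of how the
# extended policy shown in the ppriv output decides file writes and port binds.
from fnmatch import fnmatchcase

# The Solaris 11 "basic" privilege set.
BASIC = {"file_link_any", "file_read", "file_write", "net_access",
         "proc_exec", "proc_fork", "proc_info", "proc_session"}
# Ports that need net_privaddr to bind: 1-1023 plus tcp's default extra_priv_ports.
PRIV_PORTS = set(range(1, 1024)) | {2049, 4045}


class ExtendedPolicy:
    """A process privilege state: effective set plus (privilege, object-glob) rules."""

    def __init__(self, effective, policies):
        self.effective = set(effective)
        self.policies = [tuple(entry.split(":", 1)) for entry in policies]

    def check(self, priv, obj):
        """True if priv may be exercised on obj (a path, or 'port/proto')."""
        if priv in self.effective:
            return True                      # unrestricted privilege
        return any(p == priv and fnmatchcase(obj, glob) for p, glob in self.policies)


def mysqld_policy():
    """The state from the ppriv output: E = basic,!file_write plus four policies."""
    return ExtendedPolicy(
        BASIC - {"file_write"},
        ["net_privaddr:3306/tcp",
         "file_write:/var/mysql/5.1/data/*",
         "file_write:/tmp/mysql.sock",
         "file_write:/var/tmp/ib*"])


def may_write(policy, path):
    return policy.check("file_write", path)


def may_bind(policy, port, proto="tcp", priv_ports=PRIV_PORTS):
    """Unprivileged ports need no privilege; privileged ones need net_privaddr,
    either in the effective set or via a policy naming exactly that port/proto."""
    if port not in priv_ports:
        return True
    return policy.check("net_privaddr", f"{port}/{proto}")
```

With `priv_ports=PRIV_PORTS | {3306}` (the state after `ipadm set-prop -p extra_priv_ports+=3306 tcp`) only a process carrying the 3306/tcp policy can bind the MySQL port.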
Passwords

root@client:/etc/security# cat /etc/security/crypt.conf
#
# Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
#ident  "%Z%%M% %I%     %E% SMI"
#
# The algorithm name __unix__ is reserved.
#
1       crypt_bsdmd5.so.1
2a      crypt_bsdbf.so.1
md5     crypt_sunmd5.so.1
5       crypt_sha256.so.1
6       crypt_sha512.so.1

root@client:/etc/security# cat /etc/security/policy.conf | egrep ^CRYPT_DEFAULT
CRYPT_DEFAULT=5
root@client:/etc/security# cat /etc/shadow | grep junior
junior:$5$4aKvDFqA$2kL8GpuXjrdf8XpanqhylEP5lDhy1DF5uo1ZYx74f3:15929::::::1440

root@client:/etc/security# cat /etc/default/passwd | grep -v "^# " | egrep -v "^$|^#$"
#ident  "%Z%%M% %I%     %E% SMI"
MAXWEEKS=
MINWEEKS=
PASSLENGTH=6
NAMECHECK=NO
HISTORY=0
MINDIFF=3
MINALPHA=2
MINNONALPHA=1
MINUPPER=0
MINLOWER=0
MAXREPEATS=0
MINSPECIAL=0
MINDIGIT=0
WHITESPACE=YES
DICTIONLIST=
DICTIONDBDIR=/var/passwd

root@client:~# mkpwdict -s /usr/share/lib/dict/words
mkpwdict: using default database location: /var/passwd.
or
root@client:~# mkpwdict -s /usr/share/lib/dict/words -d /var/passwd
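To see what the /etc/default/passwd values above actually enforce, here is an added example (not from the slides, and not Solaris' pam_authtok_check) that parses that file and applies its rules to a candidate password; a Python set stands in for the mkpwdict database. The MINDIFF and dictionary checks are simplified models of the real ones, and MINNONALPHA is treated as the alternative to MINDIGIT/MINSPECIAL that passwd(1) documents.

```python
# Added example, not from the slides or from Solaris: a checker for the
# /etc/default/passwd settings shown above. Simplifications are noted inline.
import string

# Constructed copy of the settings listed on the slide.
DEFAULT_PASSWD = """\
MAXWEEKS=
MINWEEKS=
PASSLENGTH=6
NAMECHECK=NO
HISTORY=0
MINDIFF=3
MINALPHA=2
MINNONALPHA=1
MINUPPER=0
MINLOWER=0
MAXREPEATS=0
MINSPECIAL=0
MINDIGIT=0
WHITESPACE=YES
DICTIONLIST=
DICTIONDBDIR=/var/passwd
"""


def parse_default_passwd(text):
    """Return {KEY: value} for the KEY=value lines, skipping comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def _int(cfg, key, default=0):
    return int(cfg.get(key) or default)    # empty value means "not set"


def _max_run(s):
    """Length of the longest run of one repeated character."""
    best = run = 0
    for i, ch in enumerate(s):
        run = run + 1 if i and ch == s[i - 1] else 1
        best = max(best, run)
    return best


def check_password(new, cfg, username="", old="", dictionary=()):
    """Return the list of violated settings; an empty list means accepted."""
    problems = []
    if len(new) < _int(cfg, "PASSLENGTH", 6):
        problems.append("PASSLENGTH")
    if cfg.get("WHITESPACE", "YES").upper() != "YES" and any(c.isspace() for c in new):
        problems.append("WHITESPACE")
    if sum(c.isalpha() for c in new) < _int(cfg, "MINALPHA"):
        problems.append("MINALPHA")
    if _int(cfg, "MINNONALPHA"):            # alternative to MINDIGIT/MINSPECIAL
        if sum(not c.isalpha() for c in new) < _int(cfg, "MINNONALPHA"):
            problems.append("MINNONALPHA")
    else:
        if sum(c.isdigit() for c in new) < _int(cfg, "MINDIGIT"):
            problems.append("MINDIGIT")
        if sum(c in string.punctuation for c in new) < _int(cfg, "MINSPECIAL"):
            problems.append("MINSPECIAL")
    if sum(c.isupper() for c in new) < _int(cfg, "MINUPPER"):
        problems.append("MINUPPER")
    if sum(c.islower() for c in new) < _int(cfg, "MINLOWER"):
        problems.append("MINLOWER")
    # MAXREPEATS=0 (or unset) means consecutive repeats are not limited
    if _int(cfg, "MAXREPEATS") and _max_run(new) > _int(cfg, "MAXREPEATS"):
        problems.append("MAXREPEATS")
    if cfg.get("NAMECHECK", "NO").upper() == "YES" and username and username.lower() in new.lower():
        problems.append("NAMECHECK")
    # simplified MINDIFF: positions that differ, plus any length difference
    if old and sum(a != b for a, b in zip(new, old)) + abs(len(new) - len(old)) < _int(cfg, "MINDIFF"):
        problems.append("MINDIFF")
    if new.lower() in dictionary:           # stand-in for the mkpwdict lookup
        problems.append("DICTIONARY")
    return problems
```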
Address Space Layout Randomization

root@solaris:~# sxadm exec -s aslr=disable /usr/bin/pmap self
1914:   /usr/bin/pmap self
0000000000400000      28K r-x--  /usr/bin/pmap
0000000000417000       4K rw---  /usr/bin/pmap
0000000000418000      40K rw---    [ heap ]
FFFF80FFBDDD0000     216K r-x--  /lib/amd64/libproc.so.1
FFFF80FFBDE16000       8K rw---  /lib/amd64/libproc.so.1
FFFF80FFBF430000    1764K r-x--  /lib/amd64/libc.so.1
FFFF80FFBF5F9000      64K rw---  /lib/amd64/libc.so.1
FFFF80FFBF609000      12K rw---  /lib/amd64/libc.so.1
FFFF80FFBF740000       4K rw---    [ anon ]
FFFF80FFBF750000      24K rwx--    [ anon ]
FFFF80FFBF760000       4K rw---    [ anon ]
FFFF80FFBF770000       4K rw---    [ anon ]
FFFF80FFBF780000       4K rw---    [ anon ]
FFFF80FFBF790000       4K rw---    [ anon ]
FFFF80FFBF792000       4K r--s-    [ anon ]
FFFF80FFBF795000     340K r-x--  /lib/amd64/ld.so.1
FFFF80FFBF7FA000      12K rwx--  /lib/amd64/ld.so.1
FFFF80FFBF7FD000       8K rwx--  /lib/amd64/ld.so.1
FFFF80FFBFFFD000      12K rw---    [ stack ]
 total          2556K

root@solaris:~# sxadm exec -s aslr=disable /usr/bin/pmap self
1915:   /usr/bin/pmap self
(every mapping lands at exactly the same address as in process 1914 above; with ASLR disabled the layout is identical from run to run)

root@solaris:~# sxadm exec -s aslr=enable /usr/bin/pmap self
1917:   /usr/bin/pmap self
0000000000400000      28K r-x--  /usr/bin/pmap
0000000000417000       4K rw---  /usr/bin/pmap
0000000000418000       8K rw---  /usr/bin/pmap
00000005D6666000      36K rw---    [ heap ]
00007FF669C70000     216K r-x--  /lib/amd64/libproc.so.1
00007FF669CB6000       8K rw---  /lib/amd64/libproc.so.1
00007FF669CC0000       4K rw---    [ anon ]
00007FF669CD0000      24K rwx--    [ anon ]
00007FF669CE0000       4K rw---    [ anon ]
00007FF669CF0000    1764K r-x--  /lib/amd64/libc.so.1
00007FF669EB9000      64K rw---  /lib/amd64/libc.so.1
00007FF669EC9000      12K rw---  /lib/amd64/libc.so.1
00007FF669ED0000       4K rw---    [ anon ]
00007FF669EE0000       4K rw---    [ anon ]
00007FF669EF0000       4K rw---    [ anon ]
00007FF669EF2000       4K r--s-    [ anon ]
00007FF669EFC000     340K r-x--  /lib/amd64/ld.so.1
00007FF669F61000      12K rwx--  /lib/amd64/ld.so.1
00007FF669F64000       8K rwx--  /lib/amd64/ld.so.1
FFFF80DDA254F000      16K rw---    [ stack ]
 total          2564K

root@solaris:~# sxadm exec -s aslr=enable /usr/bin/pmap self
1918:   /usr/bin/pmap self
0000000000400000      28K r-x--  /usr/bin/pmap
0000000000417000       4K rw---  /usr/bin/pmap
0000000000418000       8K rw---  /usr/bin/pmap
000000065B76D000      36K rw---    [ heap ]
00007FFAACFC0000     216K r-x--  /lib/amd64/libproc.so.1
00007FFAAD006000       8K rw---  /lib/amd64/libproc.so.1
00007FFAAD010000       4K rw---    [ anon ]
00007FFAAD020000      24K rwx--    [ anon ]
00007FFAAD030000       4K rw---    [ anon ]
00007FFAAD040000    1764K r-x--  /lib/amd64/libc.so.1
00007FFAAD209000      64K rw---  /lib/amd64/libc.so.1
00007FFAAD219000      12K rw---  /lib/amd64/libc.so.1
00007FFAAD220000       4K rw---    [ anon ]
00007FFAAD230000       4K rw---    [ anon ]
00007FFAAD240000       4K rw---    [ anon ]
00007FFAAD242000       4K r--s-    [ anon ]
00007FFAAD24D000     340K r-x--  /lib/amd64/ld.so.1
00007FFAAD2B2000      12K rwx--  /lib/amd64/ld.so.1
00007FFAAD2B5000       8K rwx--  /lib/amd64/ld.so.1
FFFF80DE1559E000      12K rw---    [ stack ]

Compare the two aslr=enable runs: heap, shared libraries, anonymous mappings and stack are at different addresses in 1917 and 1918, whereas the text and data of /usr/bin/pmap itself stay at 0x400000 in every run. The main executable is not position independent, so ASLR moves everything around it but not the binary; an attacker who can find a gadget in the executable itself still has a fixed address to work with.

root@solaris:~# sxadm info
EXTENSION   STATUS                    CONFIGURATION
aslr        enabled (tagged-files)    system default (default)

root@solaris:~# elfdump -d /usr/bin/pmap | grep ASLR
     [33]  SUNW_ASLR         0x2                 ENABLE
root@solaris:~# elfedit -e 'dyn:sunw_aslr disable' /usr/bin/pmap
root@solaris:~# elfdump -d /usr/bin/pmap | grep ASLR
     [33]  SUNW_ASLR         0x1                 DISABLE

The default model is tagged-files: only binaries carrying a SUNW_ASLR ENABLE tag in their dynamic section are randomized, and elfedit flips that tag per binary. Note that editing a binary this way modifies a file delivered by a package, so pkg verify (and elfsign, for signed binaries) will flag it afterwards.

root@solaris:~# sxadm enable -c model=all aslr
root@solaris:~# sxadm info
EXTENSION   STATUS                    CONFIGURATION
aslr        enabled (all)             enabled (all)

root@solaris:~# sxadm disable aslr
root@solaris:~# sxadm info
EXTENSION   STATUS                    CONFIGURATION
aslr        disabled                  disabled

root@solaris:~# sxadm enable -c model=tagged-files aslr
root@solaris:~# sxadm info
EXTENSION   STATUS                    CONFIGURATION
aslr        enabled (tagged-files)    enabled (tagged-files)

model=all randomizes every process regardless of tagging, which is the setting to test against before turning it on for a production box: software that assumes fixed addresses (old JVMs, some databases) breaks under it.
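The slides compare the pmap listings by eye. The following added example (my code, not from the presentation) does the comparison mechanically: it parses two pmap(1) listings of the same program and reports which objects moved, treating ASLR as effective only when heap, stack and every shared object changed address. The two listings are shortened copies of the aslr=enable runs above (processes 1917 and 1918); the function names are mine.

```python
"""Added example: judge ASLR from two pmap(1) listings of the same program.
RUN_A and RUN_B are abbreviated copies of the slides' aslr=enable runs."""
import re

RUN_A = """\
0000000000400000      28K r-x--  /usr/bin/pmap
0000000000418000       8K rw---  /usr/bin/pmap
00000005D6666000      36K rw---    [ heap ]
00007FF669CF0000    1764K r-x--  /lib/amd64/libc.so.1
00007FF669EFC000     340K r-x--  /lib/amd64/ld.so.1
FFFF80DDA254F000      16K rw---    [ stack ]
 total          2564K
"""

RUN_B = """\
0000000000400000      28K r-x--  /usr/bin/pmap
0000000000418000       8K rw---  /usr/bin/pmap
000000065B76D000      36K rw---    [ heap ]
00007FFAAD040000    1764K r-x--  /lib/amd64/libc.so.1
00007FFAAD24D000     340K r-x--  /lib/amd64/ld.so.1
FFFF80DE1559E000      12K rw---    [ stack ]
 total          2556K
"""

# address  sizeK  perms  object   (the "total" line does not start with hex digits)
LINE = re.compile(r"^([0-9A-Fa-f]+)\s+(\d+)K\s+(\S+)\s+(.+?)\s*$")

def parse_pmap(text):
    """Return a list of (address, size_kb, perms, object) tuples."""
    maps = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            maps.append((int(m.group(1), 16), int(m.group(2)), m.group(3), m.group(4)))
    return maps

def first_address(maps):
    """Map each object (binary, library, [ heap ], [ stack ]) to its lowest mapping."""
    out = {}
    for addr, _, _, obj in maps:
        out.setdefault(obj, addr)
    return out

def compare_layouts(text_a, text_b):
    """Return ({object: (addr_a, addr_b)} for objects that moved, {objects that stayed})."""
    a, b = first_address(parse_pmap(text_a)), first_address(parse_pmap(text_b))
    moved, fixed = {}, set()
    for obj in a.keys() & b.keys():
        if a[obj] != b[obj]:
            moved[obj] = (a[obj], b[obj])
        else:
            fixed.add(obj)
    return moved, fixed

def aslr_effective(text_a, text_b):
    """True only if heap, stack and every shared object changed address between the runs."""
    moved, _ = compare_layouts(text_a, text_b)
    shared = {obj for _, _, _, obj in parse_pmap(text_a) if obj.endswith(".so.1")}
    return ({"[ heap ]", "[ stack ]"} | shared) <= set(moved)

if __name__ == "__main__":
    moved, fixed = compare_layouts(RUN_A, RUN_B)
    for obj, (x, y) in sorted(moved.items()):
        print(f"moved  {obj:24s} {x:016X} -> {y:016X}")
    for obj in sorted(fixed):
        print(f"fixed  {obj}")
    print("ASLR effective:", aslr_effective(RUN_A, RUN_B))
```

On a live system, feed it the output of two `sxadm exec -s aslr=enable pmap self` runs. The "fixed" list is the interesting part: it names the objects an attacker can still address without an information leak, here the non-PIE main executable.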
pfedit

root@template:/etc/apache2/2.2# profiles -p "httpd edit"
profiles:httpd edit> set auths=solaris.admin.edit/etc/apache2/2.2/httpd.conf
profiles:httpd edit> set desc="Edit httpd"
profiles:httpd edit> exit

root@template:/etc/apache2/2.2# usermod -P +"httpd edit" junior

junior@template:~$ profiles
httpd edit
Basic Solaris User
All

junior@template:~$ vi /etc/apache2/2.2/httpd.conf

With plain vi junior is an ordinary user with no write access to the file; the authorization only takes effect through pfedit:

junior@template:~$ pfedit /etc/apache2/2.2/httpd.conf
pfedit: /etc/apache2/2.2/httpd.conf has been updated

junior@template:~$ pfedit /etc/apache2/2.2/mime.types
pfedit: User junior is not authorized to edit the file /etc/apache2/2.2/mime.types

The authorization is per file path, so mime.types has to be granted separately:

root@template:/etc/apache2/2.2# profiles -p "httpd edit"
profiles:httpd edit> info
        name=httpd edit
        desc=Edit httpd
        auths=solaris.admin.edit/etc/apache2/2.2/httpd.conf
profiles:httpd edit> add auths=solaris.admin.edit/etc/apache2/2.2/mime.types

junior@template:~$ pfedit /etc/apache2/2.2/mime.types
pfedit: no changes for /etc/apache2/2.2/mime.types

Every pfedit session can be audited, including the diff of what was changed. Add the as (administrative actions) audit class to the profile:

root@template:~# profiles -p "httpd configure"
profiles:httpd configure> add always_audit=as
profiles:httpd configure> info
        name=httpd configure
        desc=Configure httpd
        auths=solaris.admin.edit/etc/apache2/2.2/httpd.conf,solaris.admin.edit/etc/apache2/2.2/mime.types
        always_audit=as
        never_audit=no
profiles:httpd configure> exit

root@template:~# auditreduce -c as | praudit
[...]
header,486,2,edit administrative file,,fe80::a00:27ff:fea6:33cb,2013-08-12 07:45:52.306 +00:00
subject,junior,junior,staff,junior,staff,4212,447467166,369 136704 MacBook-Pro-of-c0t0d0s0.fritz.box
path,/etc/apache2/2.2/httpd.conf
use of authorization,solaris.admin.edit/etc/apache2/2.2/httpd.conf
text,--- /etc/apache2/2.2/httpd.conf     Mo Aug 12 07:45:00 2013
+++ /etc/apache2/2.2/httpd.conf.pfedit.1BaGoi   Mo Aug 12 07:45:52 2013
@@ -15 +16 @@
 # Test
 # Test 2
+# Test 3
 # This is the main Apache HTTP server configuration file. It contains the
 # configuration directives that give the server its instructions.
return,success,0

The record names the user (subject), the file (path), the authorization that was exercised, and carries the unified diff in the text token. That is the evidence you want when a configuration change has to be traced back to a person.
Delegating privilege to restart services (so you can keep the root password)

junior@template:~$ svcadm refresh apache22
svcadm: svc:/network/http:apache22: Permission denied

root@template:~# svcs -a | grep apache22
online         15:30:29 svc:/network/http:apache22

Define two authorizations for the service, one for changing property values and one for state changes (enable, disable, refresh, restart):

root@template:~# auths add -t "Apache22 value" solaris.smf.value.http/apache22
root@template:~# auths add -t "Apache22 action" solaris.smf.action.http/apache22

Tell SMF which authorization governs which operation on the service:

root@template:~# svccfg -s apache22 setprop general/value_authorization = astring: solaris.smf.value.http/apache22
root@template:~# svccfg -s apache22 setprop general/action_authorization = astring: solaris.smf.action.http/apache22

Put the action authorization into the profile junior already has:

root@template:~# profiles -p "httpd edit" "add auths=solaris.smf.action.http/apache22"

junior@template:~$ svcadm refresh apache22
junior@template:~$

junior can now refresh, restart, enable and disable the service, but still cannot change its properties: that would need the value authorization, which was deliberately not granted. Nobody had to learn the root password for this.
Privileges

$ ls -l /usr/sbin/traceroute
-r-sr-xr-x   1 root     bin        42324 Nov 21 00:09 /usr/sbin/traceroute
$ ls -l /usr/sbin/ping
-r-sr-xr-x   1 root     bin        51396 Nov 18 19:31 /usr/sbin/ping

set-uid to root: ping needs it to work.

# chmod -s /sbin/ping
# exit
$ ping -s 192.168.1.132
ping: socket: Permission denied

Remove the set-uid bit and ping stops working. All it needs is a raw ICMP socket, yet the classic Unix answer is "run as root".

jmoekamp@daddelkiste:~$ ppriv $$
2153:   -bash
flags = <none>
        E: basic
        I: basic
        P: basic
        L: all

E is the effective set (what the process can do right now), I the inheritable set (what children get), P the permitted set (the ceiling for E), and L the limit set (the ceiling for everything a process and its descendants can ever obtain). The full set of privileges behind "all" is:

contract_event, contract_identity, contract_observer, cpc_cpu, dtrace_kernel, dtrace_proc, dtrace_user, file_chown, file_chown_self, file_dac_execute, file_dac_read, file_dac_search, file_dac_write, file_downgrade_sl, file_flag_set, file_link_any, file_owner, file_read, file_setid, file_upgrade_sl, file_write, graphics_access, graphics_map, ipc_dac_read, ipc_dac_write, ipc_owner, net_access, net_bindmlp, net_icmpaccess, net_mac_aware, net_mac_implicit, net_observability, net_privaddr, net_rawaccess, proc_audit, proc_chroot, proc_clock_highres, proc_exec, proc_fork, proc_info, proc_lock_memory, proc_owner, proc_priocntl, proc_session, proc_setid, proc_taskid, proc_zone, sys_acct, sys_admin, sys_audit, sys_config, sys_devices, sys_dl_config, sys_flow_config, sys_ib_config, sys_ib_info, sys_ip_config, sys_ipc_config, sys_iptun_config, sys_linkdir, sys_mount, sys_net_config, sys_nfs, sys_ppp_config, sys_res_bind, sys_res_config, sys_resource, sys_share, sys_smb, sys_suser_compat, sys_time, sys_trans_label, win_colormap, win_config, win_dac_read, win_dac_write, win_devices, win_dga, win_downgrade_sl, win_fontpath, win_mac_read, win_mac_write, win_selection, win_upgrade_sl

All of these privileges, in their entirety, assigned to one user, are (almost) root.

A neat extension in Solaris 11: the ability to use networking is now a privilege, net_access. It is part of the default basic set, but you can remove it, which gives you a process that cannot open a socket at all.

jmoekamp@daddelkiste:~$ ppriv -v $$
2153:   -bash
flags = <none>
        E: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
        I: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
        P: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
        L: (the full list above)

root@daddelkiste:~# ppriv $$
2183:   -bash
flags = <none>
        E: all
        I: basic
        P: all
        L: all

Note that even root's inheritable set is only basic: a child of a root shell gets all privileges because it is uid 0, not because they were inherited.

junior@daddelkiste:~$ dtrace -n 'syscall:::entry { @num[execname] = count(); }'
dtrace: failed to initialize dtrace: DTrace requires additional privileges

root@daddelkiste:~# usermod -K defaultpriv=basic,dtrace_kernel,dtrace_proc,dtrace_user junior
UX: usermod: junior is currently logged in, some changes may not take effect until next login.

junior@daddelkiste:~$ dtrace -n 'syscall:::entry { @num[execname] = count(); }'
dtrace: description 'syscall:::entry' matched 211 probes
^C

  automountd        1
  sshd             24
  dtrace          544
  auditd          564

Be selective here: dtrace_user only allows tracing the user's own processes, dtrace_proc adds process-level probes, but dtrace_kernel allows reading arbitrary kernel memory and is effectively root-equivalent. Hand out only what the person's job needs.
A daemon that already does it right:

# ps -ef | grep kcfd
  daemon   125     1   0 14:24:19 ?           0:00 /usr/lib/crypto/kcfd
    root   734   728   0 15:54:08 pts/1       0:00 grep kcfd
# ppriv -v 125
125:    /usr/lib/crypto/kcfd
flags = PRIV_AWARE
        E: file_owner,proc_priocntl,sys_devices
        I: none
        P: file_owner,proc_priocntl,sys_devices
        L: none

kcfd runs as daemon with exactly three privileges, nothing inheritable, and an empty limit set, so nothing it spawns can ever gain more. Now the same look at Apache as shipped:

# svcadm -v enable -s apache2
svc:/network/http:apache2 enabled.

jmoekamp@client:~$ ps -ef | grep http
     UID   PID  PPID   C    STIME TTY         TIME CMD
webservd  1978  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1979  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1980  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1984  1975   0 12:20:02 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
    root  1975     1   0 12:19:14 ?           0:01 /usr/apache2/2.2/bin/httpd -k start
webservd  1977  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1976  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start

root@client:~# ppriv 1977
1977:   /usr/apache2/2.2/bin/httpd -k start
flags = <none>
        E: basic
        I: basic
        P: basic
        L: all
root@client:~# ppriv 1975
1975:   /usr/apache2/2.2/bin/httpd -k start
flags = <none>
        E: all
        I: basic
        P: all
        L: all

The Apache master process, running as root, has every privilege in the full list above. The worker processes, running as webservd, have only the basic set. What Apache really needs is the basic set plus net_privaddr, so that it can bind port 80 (the start/privileges property below spells that out). So you grant a large number of privileges to one process that Apache does not need.

# svcadm -v disable -s apache2
svc:/network/http:apache2 disabled.

root@client:~# svccfg -s apache22
svc:/network/http:apache22> setprop start/user = astring: webservd
svc:/network/http:apache22> setprop start/group = astring: webservd
svc:/network/http:apache22> setprop start/privileges = astring: basic,proc_session,proc_info,file_link_any,net_privaddr
svc:/network/http:apache22> setprop start/limit_privileges = astring: :default
svc:/network/http:apache22> setprop start/use_profile = boolean: false
svc:/network/http:apache22> setprop start/supp_groups = astring: :default
svc:/network/http:apache22> setprop start/working_directory = astring: :default
svc:/network/http:apache22> setprop start/project = astring: :default
svc:/network/http:apache22> setprop start/resource_pool = astring: :default
svc:/network/http:apache22> end
root@client:~# svcadm -v refresh apache22
Action refresh set for svc:/network/http:apache22.

Because the master now runs as webservd, the files it writes at startup must be writable by that user. The lock and pid file are moved out of the root-owned defaults:

# echo "LockFile /var/apache2/2.2/logs/accept.lock" >> /etc/apache2/2.2/httpd.conf
# echo "PidFile /var/apache2/2.2/run/httpd.pid" >> /etc/apache2/2.2/httpd.conf
# mkdir -p -m 755 /var/apache2/2.2/run
# chown webservd:webservd /var/apache2/2.2/run
# svcadm enable apache22

The same consideration applies to anything else the master process used to open as root, such as the log directory or a TLS private key: check their ownership before relying on this in production.

# ps -ef | grep http
webservd  3064  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3062  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3063  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3066  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3061     1   0 16:49:17 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3065  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start

No root process is left; the master (3061) runs as webservd with exactly the privileges configured in the method context.
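The ppriv listings on this page (the bash shell, kcfd, the two httpd processes) are read by eye. Here is an added example (my code, not from the slides) that parses ppriv output and reports processes whose effective set exceeds an allow-list, which is the check behind both the "all privileges assigned to one user are almost root" remark and the Apache hardening above. The three listings are copied from the slides; the expansion of basic follows the ppriv -v output shown earlier, and the httpd allow-list mirrors the start/privileges property.

```python
"""Added example: least-privilege audit over ppriv(1) output.
Listings copied from the slides; rules and helper names are mine."""

PPRIV_OUTPUT = """\
1975:   /usr/apache2/2.2/bin/httpd -k start
flags = <none>
        E: all
        I: basic
        P: all
        L: all
1977:   /usr/apache2/2.2/bin/httpd -k start
flags = <none>
        E: basic
        I: basic
        P: basic
        L: all
125:    /usr/lib/crypto/kcfd
flags = PRIV_AWARE
        E: file_owner,proc_priocntl,sys_devices
        I: none
        P: file_owner,proc_priocntl,sys_devices
        L: none
"""

# The basic set as ppriv -v expanded it on the Solaris 11 slide.
BASIC = {"file_link_any", "file_read", "file_write", "net_access",
         "proc_exec", "proc_fork", "proc_info", "proc_session", "sys_ib_info"}

# What the hardened service's start/privileges property grants (proc_session,
# proc_info and file_link_any are already inside basic).
HTTPD_ALLOWED = BASIC | {"net_privaddr"}
KCFD_ALLOWED = {"file_owner", "proc_priocntl", "sys_devices"}

def expand(spec):
    """Expand a ppriv set string. 'all' is returned as None (unbounded)."""
    spec = spec.strip()
    if spec == "all":
        return None
    if spec == "none":
        return set()
    out = set()
    for name in spec.split(","):
        name = name.strip()
        if name == "basic":
            out |= BASIC
        elif name:
            out.add(name)
    return out

def parse_ppriv(text):
    """Return {pid: {'cmd', 'flags', 'E', 'I', 'P', 'L'}} from one or more ppriv blocks."""
    procs, cur = {}, None
    for line in text.splitlines():
        if line[:1].isdigit() and ":" in line:          # "1975:   /usr/.../httpd -k start"
            pid, cmd = line.split(":", 1)
            cur = procs[int(pid)] = {"cmd": cmd.strip()}
        elif line.startswith("flags"):
            cur["flags"] = line.split("=", 1)[1].strip()
        else:
            key, _, spec = line.strip().partition(":")
            if key in ("E", "I", "P", "L"):
                cur[key] = expand(spec)
    return procs

def excess_privileges(proc, allowed):
    """Effective privileges beyond the allow-list; 'all' counts as everything."""
    eff = proc["E"]
    if eff is None:
        return {"all"}
    return eff - allowed

def audit(text, rules):
    """rules = {command substring: allowed set}. Returns {pid: excess} for offenders only."""
    findings = {}
    for pid, proc in parse_ppriv(text).items():
        for needle, allowed in rules.items():
            if needle in proc["cmd"]:
                extra = excess_privileges(proc, allowed)
                if extra:
                    findings[pid] = extra
    return findings

if __name__ == "__main__":
    print(audit(PPRIV_OUTPUT, {"httpd": HTTPD_ALLOWED, "kcfd": KCFD_ALLOWED}))
```

Feed it `ppriv -v $(pgrep httpd)` on a running box: the pre-hardening master shows up as an offender with "all", the post-hardening one does not.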
Read-only zone root

The file-mac-profile property of a non-global zone controls how much of the zone's own file system its root can modify:

zonecfg:testzone> set file-mac-profile=none
    Standard read-write non-global zone, with no additional protection beyond the existing zone boundaries.

zonecfg:testzone> set file-mac-profile=strict
    Read-only file system, no exceptions.

zonecfg:testzone> set file-mac-profile=fixed-configuration
    Permits updates to /var/* directories, with the exception of directories that contain system configuration components.

zonecfg:testzone> set file-mac-profile=flexible-configuration
    Permits modification of files in /etc/* directories, changes to root's home directory, and updates to /var/* directories. This configuration provides the closest functionality to the Oracle Solaris 10 native sparse root zone.

With strict or fixed-configuration, even root inside the zone cannot replace binaries under /usr or edit /etc, which takes a whole class of post-exploitation persistence off the table; configuration changes then have to come from the global zone.
in-kernel SSL Proxy

# mkdir /etc/keys
# cd /etc/keys
# openssl req -x509 -nodes -days 365 -subj "/C=DE/ST=Hamburg/L=Hamburg/CN=server" -newkey rsa:1024 -keyout /etc/keys/mykey.pem -out /etc/keys/mycert.pem
# cat mycert.pem mykey.pem > my.pem
# chmod 600 my.pem

(The original slide reads "chown 600"; the intent is to make the combined key file readable by root only, which is chmod.)

# echo "pass" > /etc/keys/mypass
# ksslcfg create -f pem -i /etc/keys/my.pem -x 8080 -p /etc/keys/mypass server 443

KSSL terminates TLS on port 443 in the kernel and forwards the plaintext to port 8080 on the same host. The cipher suites can be restricted:

# ksslcfg create -f pem -i /etc/keys/my.pem -x 8080 -p /etc/keys/mypass -c "rsa_aes_256_cbc_sha,rsa_aes_128_cbc_sha,rsa_rc4_128_sha,rsa_rc4_128_md5" server 443

# svcs -a | grep kssl
online          9:03:33 svc:/network/ssl/proxy:kssl-server-443

# svcadm disable apache22
# echo "Listen 192.168.178.108:8080" >> /etc/apache2/2.2/httpd.conf
# svcadm enable apache22

Port number and IP address have to be defined in httpd.conf, otherwise it will not work. Keep in mind that port 8080 is now a cleartext HTTP listener on that interface; filter it so that only the proxy can reach it, or clients will simply bypass the TLS front end.

# openssl s_client -connect server:443
CONNECTED(00000004)
depth=0 /C=DE/ST=Hamburg/L=Hamburg/CN=server
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=DE/ST=Hamburg/L=Hamburg/CN=server
verify return:1
---
Certificate chain
 0 s:/C=DE/ST=Hamburg/L=Hamburg/CN=server
   i:/C=DE/ST=Hamburg/L=Hamburg/CN=server
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICoTCCAgqgAwIBAgIJAKyJdj[...]V5jX3MU=
-----END CERTIFICATE-----
subject=/C=DE/ST=Hamburg/L=Hamburg/CN=server
issuer=/C=DE/ST=Hamburg/L=Hamburg/CN=server
---
No client certificate CA names sent
---
SSL handshake has read 817 bytes and written 328 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-SHA
    Session-ID: 32CEF20CB9FE2A71C74D40BB2DB5CB304DA1B57540B7CFDD113915B99DBE9812
    Session-ID-ctx:
    Master-Key: 1E7B502390951124779C5763B5E4BBAF0A9B0693D08DCA8A587B503A5C5027B6FAD9CA7626B1AD8C62219E8502A5C21E
    Key-Arg   : None
    Start Time: 1242985143
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
GET / HTTP/1.0

HTTP/1.1 200 OK
Date: Fri, 22 May 2009 09:39:13 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8a DAV/2
Last-Modified: Thu, 21 May 2009 21:26:30 GMT
ETag: "341f3-2c-46a72cc211a8f"
Accept-Ranges: bytes
Content-Length: 44
Connection: close
Content-Type: text/html

<html><body><h1>It works!</h1></body></html>
read:errno=0

The handshake landed on RC4-SHA with a 1024-bit key: this capture dates from 2009 and shows the mechanism, not a configuration to copy. Today drop the rc4 suites from -c, use at least 2048-bit RSA, and treat the -nodes key and the plaintext passphrase file as secrets that need 600 permissions.
ZFS Encryption

# zfs create -o encryption=on rpool/export/project

Two keys are involved:

• wrapping key: user settable
• data encryption key: random, not user settable

The wrapping key is what the keysource property describes; it only ever encrypts the data encryption key. Sources for it: prompt, file, https, pkcs11.

Available ciphers: aes-128-ccm (= on), aes-192-ccm, aes-256-ccm, aes-128-gcm, aes-192-gcm, aes-256-gcm

# zfs set checksum=sha256+mac <dataset>

With encryption=on this happens automatically: the checksum property is set to sha256+mac, and the property is read-only from then on. (Setting it by hand as above is only relevant for the encryption=off case.)

Keeping the wrapping key in a PKCS#11 token:

# pktool genkey keystore=pkcs11 keytype=aes keylen=128 label=mykey
Enter PIN for Sun Software PKCS#11 softtoken:
# zfs create -o encryption=on -o keysource=raw,pkcs11:object=mykey tank/projectC
Enter PKCS#11 token PIN for 'tank/projectC':

Fetching the wrapping key from an HTTPS key server (the server's certificate has to be trusted by the system CA store):

# zfs create -o encryption=on -o keysource=raw,https://keys.example.com/mykey tank/projectR
# cp myserver.cert.pem /etc/certs/CA
# svcadm refresh ca-certificates

Changing the wrapping key:

$ zfs key -c rpool/export/project
Enter new passphrase for 'rpool/export/project':

Only the wrapped copy of the data encryption key is rewritten; the data itself is untouched, which is why this is cheap and can be done routinely.

Changing the data encryption key for data written from now on:

# zfs key -K tank/projectA
# zfs clone -K tank/projectA@montag tank/projectD

zfs key -K creates a new data encryption key. Data written in the clone uses the new data encryption key, which is distinct from that of its origin snapshot. Existing blocks keep the key they were written with, so this does not re-encrypt old data.
Solaris Cryptographic Framework

As soon as Solaris detects hardware acceleration for cryptography, Solaris will use it (and so will applications using the Oracle-supplied OpenSSL library or the framework's direct interfaces):

• on-chip crypto accelerator in T-series and current M-series chips
• instruction set extensions in Intel processors (AES-NI)
• supported crypto accelerator cards

Just a side note: T-series crypto acceleration and Intel x86 acceleration have quite different performance characteristics.

T-series: acceleration by offloading crypto to a unit outside the pipeline.
Intel x86: acceleration by offering special in-pipeline instructions that speed up execution.

Sounds like splitting hairs ...
Using ZFS to do two-factor encryption

jmoekamp@solaris:~$ rmformat
Looking for devices...
     1. Logical Node: /dev/rdsk/c10t0d0p0
        Physical Node: /pci@0,0/pci8086,265c@b/storage@2/disk@0,0
        Connected Device: SanDisk  U3 Cruzer Micro  8.02
        Device Type: Removable
        Bus: USB
        Size: 3.8 GB
        Label: <None>
        Access permissions: Medium is not write protected.
     [...]
     3. Logical Node: /dev/rdsk/c9t0d0p0
        Physical Node: /pci@0,0/pci8086,265c@b/storage@1/disk@0,0
        Connected Device: SanDisk  U3 Cruzer Micro  8.02
        Device Type: Removable
        Bus: USB
        Size: 3.8 GB
        Label: <None>
        Access permissions: Medium is not write protected.

Two USB sticks: one holds the key, the other the data.

root@solaris:~# zpool create a_keystore_usbstick /dev/dsk/c10t0d0p0
root@solaris:~# zpool create datastick /dev/dsk/c9t0d0p0

(The slide names the second pool "datastore" here but uses "datastick" in every later command; it is the same pool.)

The key store itself is an encrypted dataset protected by a passphrase, the first factor:

root@solaris:~# zfs create -o encryption=on a_keystore_usbstick/keys
Enter passphrase for 'a_keystore_usbstick/keys': supersecret
Enter again: supersecret

Inside it, a raw AES key is generated; the data dataset uses that file as its wrapping key, so possession of the stick is the second factor:

root@solaris:~# pktool genkey keystore=file keytype=aes keylen=128 outkey=/a_keystore_usbstick/keys/joergsdatastick.key
root@solaris:~# zfs create -o encryption=on -o keysource=raw,file:///a_keystore_usbstick/keys/joergsdatastick.key datastick/joergssecrets

root@solaris:/datastick/joergssecrets# mv /home/jmoekamp/highlyconfidential_nda_presos.tgz .

root@solaris:~# zpool export a_keystore_usbstick
root@solaris:~# zpool export datastick

Importing has to happen in this order: the key store first (which asks for the passphrase), then the data pool, whose key file is now available:

root@solaris:~# zpool import a_keystore_usbstick
Enter passphrase for 'a_keystore_usbstick/keys': supersecret
root@solaris:~#

root@solaris:~# zpool import datastick
root@solaris:~# cd /datastick/joergssecrets
root@solaris:/datastick/joergssecrets# ls
highconfidential_nda_presos.tgz

Without the key stick, or without its passphrase, datastick imports but joergssecrets cannot be mounted.
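To make the key hierarchy from the ZFS Encryption section and the two-stick setup above tangible, here is an added example that is my own model, not ZFS code: a random data encryption key (DEK) encrypts the blocks, a user-settable wrapping key encrypts only the DEK, `change_wrapping_key` re-wraps the DEK the way `zfs key -c` does, `new_data_key` and `clone` mint a fresh DEK for subsequent writes like `zfs key -K` and `zfs clone -K`, and `two_factor_demo` replays the key-stick layout. Real ZFS uses AES-CCM/GCM; to stay standard-library only this model uses an HMAC-SHA256 counter-mode keystream with an HMAC tag (encrypt-then-MAC). All names are mine.

```python
"""Added example: a model of the ZFS encryption key hierarchy.
Cipher here is HMAC-SHA256 keystream + HMAC tag, standing in for AES-CCM/GCM."""
import hashlib, hmac, os

def prf_stream(key, nonce, length):
    """Keystream from HMAC-SHA256(key, nonce || counter) blocks, cut to length."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]

def seal(key, plaintext):
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, prf_stream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def open_(key, blob):
    """Verify the tag, then decrypt. ValueError on a wrong key or tampering."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, prf_stream(key, nonce, len(ct))))

def wrapping_key_from_passphrase(passphrase, salt):
    """keysource=passphrase,prompt: derive the wrapping key from the passphrase."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000, 32)

class Dataset:
    """encryption=on dataset: a keychain of DEKs wrapped under the wrapping key,
    and data blocks each sealed under the DEK that was current when written."""
    def __init__(self, wk):
        self.keychain = {0: seal(wk, os.urandom(32))}   # DEK is random, not user-settable
        self.current = 0
        self.blocks = []                                # [(dek_id, sealed block)]

    def _dek(self, wk, i):
        return open_(wk, self.keychain[i])

    def write(self, wk, data):
        self.blocks.append((self.current, seal(self._dek(wk, self.current), data)))

    def read_all(self, wk):
        return [open_(self._dek(wk, i), b) for i, b in self.blocks]

    def change_wrapping_key(self, old_wk, new_wk):
        """zfs key -c: re-wrap every DEK; no data block is touched."""
        self.keychain = {i: seal(new_wk, open_(old_wk, w)) for i, w in self.keychain.items()}

    def new_data_key(self, wk):
        """zfs key -K: new DEK for data written from now on; old blocks keep theirs."""
        self.current += 1
        self.keychain[self.current] = seal(wk, os.urandom(32))

    def clone(self, wk):
        """zfs clone -K: shares the origin's blocks and keychain, but writes with its own DEK."""
        c = Dataset.__new__(Dataset)
        c.keychain, c.blocks, c.current = dict(self.keychain), list(self.blocks), self.current
        c.new_data_key(wk)
        return c

def two_factor_demo():
    """The two-stick layout: the raw key for the data pool lives inside a
    passphrase-protected dataset, so reading the data needs stick and passphrase."""
    stick_wk = wrapping_key_from_passphrase("supersecret", b"keystore-salt")
    keystore = Dataset(stick_wk)                  # a_keystore_usbstick/keys
    raw_key = os.urandom(32)                      # pktool genkey keystore=file ...
    keystore.write(stick_wk, raw_key)
    data = Dataset(raw_key)                       # keysource=raw,file:///.../joergsdatastick.key
    data.write(raw_key, b"highly confidential")
    recovered_key = keystore.read_all(stick_wk)[0]   # zpool import of the key stick first
    return data.read_all(recovered_key)[0]           # then the data pool
```

The point the model makes: rotating the passphrase is a re-wrap of a 32-byte key, whereas `zfs key -K` leaves every existing block under its old DEK, so data you want re-keyed has to be rewritten (copied into a fresh dataset).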
Basic Auditing and Reporting Tool

# mkdir /bart-files
# bart create -R /etc > /bart-files/etc.control.manifest

# cat etc.control.manifest | grep nsswitch.nisplus
/nsswitch.nisplus F 2525 100644 user::rw-,group::r--,mask:r--,other:r-- 473976b5 0 3 79e8fd689a5221d1cd059e5077da71b8

One line per file: type, size, mode, ACL, mtime, uid, gid and an MD5 of the contents. Now make three changes:

# touch /etc/thisisjustatest
# chmod 777 /etc/nsswitch.files
# echo "just a test" >> /etc/nsswitch.nisplus

# bart create -R /etc > /bart-files/etc.check.20130911.manifest

# cd /bart-files
# bart compare etc.control.manifest etc.check.20130911.manifest
/nsswitch.files:
  mode  control:100644  test:100777
  acl  control:user::rw-,group::r--,mask:r--,other:r--  test:user::rwx,group::rwx,mask:rwx,other:rwx
/nsswitch.nisplus:
  size  control:2525  test:2538
  mtime  control:473976b5  test:47a44862
  contents  control:79e8fd689a5221d1cd059e5077da71b8  test:3f79176ec352441db11ec8a3d02ef67c
/thisisjustatest:
  add

Two things matter in practice: keep the control manifest somewhere the monitored host cannot write to (an attacker who can alter /etc can also regenerate /bart-files), and remember that the contents field is MD5, so an adversary in control of the file can in principle craft a collision; size and mtime are weaker still.

Find more information regarding this feature at http://www.c0t0d0s0.org/archives/4069-Less-known-Solaris-features-BART.html
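The following added example (my code, not BART and not from the slides) implements the same create/compare cycle so the output above can be reproduced on any system: `create_manifest` records type, size, mode, mtime and a content hash per file, `compare_manifests` reports add, delete and per-attribute differences like `bart compare`, and `demo` replays the three changes from the slide in a throwaway directory. It hashes with SHA-256 where BART uses MD5, and the mtime attribute is ignored by default because two writes within the same second are indistinguishable.

```python
"""Added example: a BART-style manifest create/compare in Python.
Function names are mine; the demo replays the slide's three changes."""
import hashlib, os, shutil, stat, tempfile

def file_entry(path):
    """One manifest entry: the attributes recorded for a regular file."""
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"type": "F", "size": st.st_size, "mode": "%04o" % stat.S_IMODE(st.st_mode),
            "mtime": int(st.st_mtime), "contents": h.hexdigest()}

def create_manifest(root):
    """Walk root like 'bart create -R root'; returns {path relative to root: entry}."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                rel = "/" + os.path.relpath(full, root).replace(os.sep, "/")
                manifest[rel] = file_entry(full)
    return manifest

def compare_manifests(control, test, ignore=("mtime",)):
    """Differences only: {path: {'add': True} | {'delete': True} | {attr: (control, test)}}."""
    report = {}
    for path in sorted(set(control) | set(test)):
        if path not in control:
            report[path] = {"add": True}
        elif path not in test:
            report[path] = {"delete": True}
        else:
            diff = {k: (control[path][k], test[path][k]) for k in control[path]
                    if k not in ignore and control[path][k] != test[path][k]}
            if diff:
                report[path] = diff
    return report

def demo():
    """New file, chmod 777 on nsswitch.files, a line appended to nsswitch.nisplus."""
    root = tempfile.mkdtemp(prefix="bart-demo-")
    try:
        for name in ("nsswitch.files", "nsswitch.nisplus"):
            p = os.path.join(root, name)
            with open(p, "w") as f:
                f.write("passwd: files\ngroup: files\n")      # 27 bytes, constructed content
            os.chmod(p, 0o644)
        control = create_manifest(root)
        open(os.path.join(root, "thisisjustatest"), "w").close()
        os.chmod(os.path.join(root, "nsswitch.files"), 0o777)
        with open(os.path.join(root, "nsswitch.nisplus"), "a") as f:
            f.write("# just a test\n")                        # +14 bytes
        return compare_manifests(control, create_manifest(root))
    finally:
        shutil.rmtree(root)

if __name__ == "__main__":
    for path, diff in demo().items():
        print(path, diff)
```

Store the control manifest off-host (or sign it) exactly as you would with BART's; the comparison is only as trustworthy as the baseline.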
Apropos Auditing

Auditing is activated by default.

root@client:~# auditconfig -getflags
active user default audit flags = lo(0x1000,0x1000)
configured user default audit flags = lo(0x1000,0x1000)
root@client:~# auditconfig -getnaflags
active non-attributable audit flags = lo(0x1000,0x1000)
configured non-attributable audit flags = lo(0x1000,0x1000)

Out of the box only the lo class (logins and logouts) is recorded.

root@client:~# auditconfig -getpolicy
configured audit policies = cnt
active audit policies = cnt

The policy controls the degree of detail per record and what happens when the audit trail cannot be written (full disk):

root@client:~# auditconfig -lspolicy
policy string   description
ahlt            halt machine if it can not record an async event
all             all policies
arge            include exec environment args in audit recs
argv            include exec command line args in audit recs
cnt             when no more space, drop recs and keep a cnt
group           include supplementary groups in audit recs
none            no policies
path            allow multiple paths per event
perzone         use a separate queue and auditd per zone
public          audit public files
seq             include a sequence number in audit recs
trail           include trailer token in audit recs
windata_down    include downgraded window information in audit recs
windata_up      include upgraded window information in audit recs
zonename        include zonename token in audit recs

The default cnt drops records silently when space runs out and only keeps a counter; ahlt is the opposite extreme. argv is worth turning on in most environments, since an execve record without its arguments is of limited use.

root@client:~# auditconfig -getplugin
Plugin: audit_binfile (active)
        Attributes: p_dir=/var/audit;p_fsize=0;p_minfree=1;

Plugin: audit_syslog (inactive)
        Attributes: p_flags=;

Plugin: audit_remote (inactive)
        Attributes: p_hosts=;p_retries=3;p_timeout=5;

Records go to binary files under /var/audit; audit_syslog and audit_remote can forward them off the host, which is where they belong if the host itself may be compromised.

root@client:~# auditconfig -setflags lo,ps,fw
user default audit flags = ps,lo,fw(0x101002,0x101002)
root@client:~# auditconfig -setnaflags lo,na
non-attributable audit flags = lo,na(0x1400,0x1400)

lo and na are the only sensible flags for non-attributable events (those with no user session behind them, such as system boot).

Per-user flags are set as always-audit:never-audit classes; this adds file writes and administrative actions for junior:

root@client:~# usermod -K audit_flags=fw,as: junior

Which events make up a class:

root@client:~# auditconfig -lsevent | grep " lo "
AUE_login                6152 lo      login - local
AUE_logout               6153 lo      logout
AUE_telnet               6154 lo      login - telnet
AUE_rlogin               6155 lo      login - rlogin
AUE_rshd                 6158 lo      rsh access
AUE_su                   6159 lo      su
AUE_rexecd               6162 lo      rexecd
AUE_passwd               6163 lo      passwd
AUE_rexd                 6164 lo      rexd
AUE_ftpd                 6165 lo      ftp access
AUE_ftpd_logout          6171 lo      ftp logout
AUE_ssh                  6172 lo      login - ssh
AUE_role_login           6173 lo      role login
AUE_rad_login            6174 lo      connect to RAD
AUE_newgrp_login         6212 lo      newgrp login
AUE_admin_authenticate   6213 lo      admin login
AUE_screenlock           6221 lo      screenlock - lock
AUE_screenunlock         6222 lo      screenlock - unlock
AUE_zlogin               6227 lo      login - zlogin
AUE_su_logout            6228 lo      su logout
AUE_role_logout          6229 lo      role logout
AUE_smbd_session         6244 lo      smbd(1m) session setup
AUE_smbd_logoff          6245 lo      smbd(1m) session logoff

root@client:~# auditconfig -lsevent | grep " ps "
AUE_EXIT                    1 ps      exit(2)
AUE_FORKALL                 2 ps      forkall(2)
AUE_VFORK                  25 ps      vfork(2)
AUE_FORK1                 241 ps      fork1(2)
root@client:~# auditconfig -lsevent | grep " fw "
AUE_OPEN_W                 76 fw      open(2) - write

Reading the trail back:

# auditreduce -c ps /var/audit/20130912183630.not_terminated.client | praudit
header,139,2,execve(2),,client,2013-09-12 18:40:55.924 +00:00
path,/usr/sbin/auditreduce
attribute,100555,root,bin,65538,65875,18446744073709551615
subject,jmoekamp,root,root,root,root,2054,1440080956,2480 202240 192.168.10.1
return,success,0

The subject token is the interesting part: the audit user ID (first field) stays jmoekamp even though the effective and real uid are root, because the audit ID is fixed at login and survives su. That is how you attribute root activity to the person who performed it.
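The two praudit records on this page (the pfedit "edit administrative file" record earlier, and the execve record above) are what a detection rule would consume. Here is an added example (my code, not from the slides) that parses praudit's default comma-separated text output into structured records and runs two rules over them: an edit of a watched administrative file, and a command executed as root by a session whose audit user ID is not root (the su case just described). The sample records are constructed from the ones on this page; the field order of the header and subject tokens follows praudit's output as shown.

```python
"""Added example: parse praudit(1M) text records and run simple detection rules.
SAMPLE is constructed from the two records shown on the slides."""

SAMPLE = """\
header,486,2,edit administrative file,,fe80::a00:27ff:fea6:33cb,2013-08-12 07:45:52.306 +00:00
subject,junior,junior,staff,junior,staff,4212,447467166,369 136704 MacBook-Pro-of-c0t0d0s0.fritz.box
path,/etc/apache2/2.2/httpd.conf
use of authorization,solaris.admin.edit/etc/apache2/2.2/httpd.conf
text,--- /etc/apache2/2.2/httpd.conf +++ /etc/apache2/2.2/httpd.conf.pfedit.1BaGoi
return,success,0
header,139,2,execve(2),,client,2013-09-12 18:40:55.924 +00:00
path,/usr/sbin/auditreduce
attribute,100555,root,bin,65538,65875,18446744073709551615
subject,jmoekamp,root,root,root,root,2054,1440080956,2480 202240 192.168.10.1
return,success,0
"""

def parse_praudit(text):
    """Split the text into records (one per header token) and decode the tokens we need.
    header: size,version,event,modifier,host,time
    subject: audit-uid,euid,egid,ruid,rgid,pid,sid,terminal"""
    records, cur = [], None
    for line in text.splitlines():
        if not line:
            continue
        token, _, rest = line.partition(",")
        fields = rest.split(",")
        if token == "header":
            cur = {"event": fields[2], "host": fields[4], "time": fields[5], "paths": []}
            records.append(cur)
        elif cur is None:
            continue                                   # tokens before the first header
        elif token == "subject":
            cur["subject"] = {"audit_uid": fields[0], "euid": fields[1], "egid": fields[2],
                              "ruid": fields[3], "rgid": fields[4], "pid": fields[5]}
        elif token == "path":
            cur["paths"].append(rest)
        elif token == "use of authorization":
            cur["authorization"] = rest
        elif token == "text":
            cur["text"] = rest
        elif token == "return":
            cur["return"] = (fields[0], fields[1])
    return records

def detect(records, watched_files):
    """Return (rule, audit_uid, path) tuples for records that match a rule."""
    alerts = []
    for r in records:
        s = r.get("subject", {})
        if r["event"] == "edit administrative file":
            for p in r["paths"]:
                if p in watched_files:
                    alerts.append(("watched-file-edit", s.get("audit_uid"), p))
        # Root activity attributable to a non-root login: audit ID differs from euid root.
        if r["event"].startswith("execve") and s.get("euid") == "root" and s.get("audit_uid") != "root":
            alerts.append(("root-exec-by-non-root-login", s.get("audit_uid"), r["paths"][0] if r["paths"] else ""))
    return alerts

if __name__ == "__main__":
    for alert in detect(parse_praudit(SAMPLE), {"/etc/apache2/2.2/httpd.conf"}):
        print(alert)
```

Pipe `auditreduce ... | praudit` into it on a real trail. The second rule fires on every command in an su session, so in practice you would restrict it to binaries you care about (shells, auditconfig, usermod), or key it on the `as` class instead.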
root@client:~# auditconfig -setflags all
user default audit flags = all(0xffffffffffffffff,0xffffffffffffffff)

Not always (in the sense of never) a good idea in production: it records every event of every class. Useful after trying it out: start a new audit file so the experiment can be discarded.

root@client:~# audit -n

root@client:~# auditstat
 gen nona kern  aud  ctl   enq  wrtn wblk rblk drop  tot mem
38248   1 38233  14    0 37791 37788    0 3491  457 5169   0

That is with all classes activated for a few seconds on an unloaded system: roughly 38,000 records generated, and 457 already dropped (the cnt policy at work). On a busy system the trail would overwhelm the disk within minutes.
c0t0d0s0org130
SSH and X509
c0t0d0s0org131
rootca~ CApl -newcaCA certificate filename (or enter to create)
Making CA certificate Generating a 1024 bit RSA private key++++++++++++writing new private key to etcopensslprivatecakeypemEnter PEM pass phrase supersecret1Verifying - Enter PEM pass phrase supersecret1-----You are about to be asked to enter information that will be incorporatedinto your certificate requestWhat you are about to enter is what is called a Distinguished Name or a DNThere are quite a few fields but you can leave some blankFor some fields there will be a default valueIf you enter the field will be left blank-----Country Name (2 letter code) []DEState or Province Name (full name) []Lower SaxonyLocality Name (eg city) []LueneburgOrganization Name (eg company) []c0t0d0s0orgOrganizational Unit Name (eg section) []Security DepartmentCommon Name (eg server FQDN or YOUR name) []CAEmail Address []
Please enter the following extra attributesto be sent with your certificate requestA challenge password []An optional company name []Using configuration from etcopensslopensslcnf
Enter pass phrase for etcopensslprivatecakeypem supersecret1Check that the request matches the signatureSignature okCertificate Details Serial Number b354808866ade878 Validity Not Before Sep 26 101109 2013 GMT Not After Sep 25 101109 2016 GMT Subject countryName = DE stateOrProvinceName = Lower Saxony organizationName = c0t0d0s0org organizationalUnitName = Security Department commonName = CA X509v3 extensions X509v3 Subject Key Identifier 5B1F2F7186123040501552818D525AA5597E3644 X509v3 Authority Key Identifier keyid5B1F2F7186123040501552818D525AA5597E3644
X509v3 Basic Constraints CATRUECertificate is to be certified until Sep 25 101109 2016 GMT (1095 days)
Write out database with 1 new entriesData Base Updated
c0t0d0s0org132
root@ca:~# mkdir server
root@ca:~# cd server
root@ca:~/server# CA.pl -newreq
Generating a 1024 bit RSA private key
++++++++++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase: supersecret2
Verifying - Enter PEM pass phrase: supersecret2
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:DE
State or Province Name (full name) []:Lower Saxony
Locality Name (eg, city) []:Lueneburg
Organization Name (eg, company) []:c0t0d0s0.org
Organizational Unit Name (eg, section) []:Server Certificates
Common Name (e.g. server FQDN or YOUR name) []:server
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem
root@ca:~/server# CA.pl -signreq
Using configuration from /etc/openssl/openssl.cnf
Enter pass phrase for /etc/openssl/private/cakey.pem: supersecret1
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: b354808866ade879
        Validity
            Not Before: Sep 26 10:29:12 2013 GMT
            Not After : Sep 26 10:29:12 2014 GMT
        Subject:
            countryName               = DE
            stateOrProvinceName       = Lower Saxony
            localityName              = Lueneburg
            organizationName          = c0t0d0s0.org
            organizationalUnitName    = Server Certificates
            commonName                = server
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                A7DC03DEB3D5FBF9C006F11A55A9AD04C49C10FA
            X509v3 Authority Key Identifier:
                keyid:5B1F2F7186123040501552818D525AA5597E3644
Certificate is to be certified until Sep 26 10:29:12 2014 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
root@ca:~/server# ls -l
total 15
-rw-r--r--   1 root     root        3196 Sep 26 12:29 newcert.pem
-rw-r--r--   1 root     root        1041 Sep 26 12:28 newkey.pem
-rw-r--r--   1 root     root         680 Sep 26 12:28 newreq.pem
root@ca:~/junior# CA.pl -newreq
Generating a 1024 bit RSA private key
++++++++++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
Verify failure
Enter PEM pass phrase: supersecret3
Verifying - Enter PEM pass phrase: supersecret3
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:DE
State or Province Name (full name) []:Lower Saxony
Locality Name (eg, city) []:Lueneburg
Organization Name (eg, company) []:c0t0d0s0.org
Organizational Unit Name (eg, section) []:User certificates
Common Name (e.g. server FQDN or YOUR name) []:junior
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem
root@ca:~/junior# CA.pl -signreq
Using configuration from /etc/openssl/openssl.cnf
Enter pass phrase for /etc/openssl/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: b354808866ade87a
        Validity
            Not Before: Sep 26 11:09:29 2013 GMT
            Not After : Sep 26 11:09:29 2014 GMT
        Subject:
            countryName               = DE
            stateOrProvinceName       = Lower Saxony
            localityName              = Lueneburg
            organizationName          = c0t0d0s0.org
            organizationalUnitName    = User certificates
            commonName                = junior
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                A1F2FC9D8AE2AD9AF52903F5B714933C64628E9C
            X509v3 Authority Key Identifier:
                keyid:5B1F2F7186123040501552818D525AA5597E3644
Certificate is to be certified until Sep 26 11:09:29 2014 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit?? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
root@server:~# useradd -m junior
80 blocks
root@server:~# passwd junior
New Password:
Re-enter new Password:
passwd: password successfully changed for junior
root@server:~#

root@client:~# useradd -m junior
80 blocks
root@client:~# passwd junior
New Password:
Re-enter new Password:
passwd: password successfully changed for junior
root@server:~# echo "1921681051 server" >> /etc/hosts
root@server:~# echo "1921681052 client" >> /etc/hosts

root@client:~# echo "1921681051 server" >> /etc/hosts
root@client:~# echo "1921681052 client" >> /etc/hosts
root@ca:~/server# scp /etc/openssl/cacert.pem jmoekamp@1921681109:/export/home/jmoekamp
Password:
cacert.pem           100% |*****************************|  3011       00:00
root@ca:~/server# scp newcert.pem jmoekamp@1921681109:/export/home/jmoekamp
Password:
newcert.pem          100% |*****************************|  3196       00:00
root@ca:~/server# scp newkey.pem jmoekamp@1921681109:/export/home/jmoekamp
Password:
newkey.pem           100% |*****************************|  1041       00:00

root@ca:~/junior# scp newkey.pem junior@client:/export/home/junior
Password:
newkey.pem           100% |*****************************|  1041       00:00
root@ca:~/junior# scp newcert.pem junior@client:/export/home/junior
Password:
newcert.pem          100% |*****************************|  3190       00:00
root@ca:~/junior# scp /etc/openssl/cacert.pem junior@1921681104:/export/home/junior
Password:
cacert.pem           100% |*****************************|  3011       00:00
On the server
root@server:~# ls
cacert.pem   newcert.pem  newkey.pem
root@server:~# pktool setpin
Enter token passphrase: changeme
Create new passphrase: superserversecret
Re-enter new passphrase: superserversecret
Passphrase changed.
root@server:~#
root@server:~# printf "superserversecret" > /etc/ssh/pinfile
root@server:~# kmfcfg create dbfile=/etc/ssh/policy.xml policy=ssh ta-name=search mapper-name=cn
root@server:~# echo "TrustedAnchorKeystore /etc/ssh/cert" >> /etc/ssh/sshd_config
root@server:~# echo "KMFPolicyDatabase /etc/ssh/policy.xml" >> /etc/ssh/sshd_config
root@server:~# echo "KMFPolicyName ssh" >> /etc/ssh/sshd_config
root@server:~# echo "HostKey pkcs11:object=host;token=Sun Metaslot;pinfile=/etc/ssh/pinfile" >> /etc/ssh/sshd_config
root@server:~# pktool import keystore=pkcs11 infile=newkey.pem objtype=key label=host
Enter PIN for Sun Software PKCS#11 softtoken: superserversecret
Enter PEM pass phrase: supersecret2
Importing 1 keys
root@server:~# egrep -v "^ |^$|^Cert" /export/home/jmoekamp/cacert.pem > /etc/ssh/cert/cacert.cooked.pem
root@server:~# egrep -v "^ |^$|^Cert" newcert.pem > newcert.cooked.pem
root@server:~# pktool import keystore=pkcs11 infile=newcert.cooked.pem objtype=cert label=host
root@server:~#
On the client
junior@client:~$ ls *.pem
cacert.pem   newcert.pem  newkey.pem
root@client:~# kmfcfg create dbfile=/etc/ssh/policy.xml policy=ssh ta-name=search mapper-name=cn
root@client:~# egrep -v "^ |^$|^Cert" /export/home/junior/cacert.pem > /etc/ssh/cert/cacert.cooked.pem
junior@client:~$ pktool setpin
Enter token passphrase: changeme
Create new passphrase: superusersecret
Re-enter new passphrase: superusersecret
Passphrase changed.
junior@client:~$ pktool import keystore=pkcs11 infile=newkey.pem objtype=key label=user
Enter PIN for Sun Software PKCS#11 softtoken: superusersecret
Enter PEM pass phrase: supersecret3
Importing 1 keys
junior@client:~$ egrep -v "^ |^$|^Cert" newcert.pem > newcert.cooked.pem
junior@client:~$ pktool import keystore=pkcs11 infile=newcert.cooked.pem objtype=cert label=user
Testing it
root@server:~# svcadm disable ssh
root@server:~# svcadm enable ssh
junior@client:~$ cd .ssh
junior@client:~/.ssh$ printf "superusersecret" >> pinfile
junior@client:~/.ssh$ cat config
Host server-x509
    Hostname server
    TrustedAnchorKeystore /etc/ssh/cert
    KMFPolicyDatabase /etc/ssh/policy.xml
    KMFPolicyName ssh
    IdentityFile pkcs11:object=user;token=Sun Software PKCS#11 softtoken;pinfile=/export/home/junior/.ssh/pinfile
junior@client:~/.ssh$ ssh junior@server-x509
Last login: Thu Sep 26 20:07:14 2013 from client
Oracle Corporation      SunOS 5.11      11.1    September 2013
junior@server:~$
Find more information regarding this feature at http://www.c0t0d0s0.org/archives/7659-Using-X.509-support-for-SSH-on-Solaris-11.1.html
OpenSCAP
„The Security Content Automation Protocol (SCAP) is a method for using specific standards to enable automated vulnerability management, measurement, and policy compliance evaluation (e.g., FISMA compliance). The National Vulnerability Database (NVD) is the U.S. government content repository for SCAP.“
http://en.wikipedia.org/wiki/Security_Content_Automation_Protocol
ftp-banner.xml

<?xml version="1.0" encoding="UTF-8"?>
<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:independent-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd">
  <generator>
    <oval:product_name>Enhanced SCAP Editor</oval:product_name>
    <oval:product_version>0.0.11</oval:product_version>
    <oval:schema_version>5.8</oval:schema_version>
    <oval:timestamp>2012-10-11T10:33:25</oval:timestamp>
  </generator>
  <!--generated.oval.base.identifier=com.oracle.solaris11-->
  <definitions>
    <definition id="oval:com.oracle.solaris11:def:840" version="1" class="compliance">
      <metadata>
        <title>Enable a Warning Banner for the FTP Service</title>
        <affected family="unix">
          <platform>Oracle Solaris 11</platform>
        </affected>
        <description>/etc/proftpd.conf contains "DisplayConnect /etc/issue"</description>
      </metadata>
      <criteria operator="AND" negate="false" comment="Single test">
        <criterion comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;" test_ref="oval:com.oracle.solaris11:tst:8400" negate="false"/>
      </criteria>
    </definition>
  </definitions>
  <tests>
    <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:com.oracle.solaris11:tst:8400" version="1" check="all" comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;" check_existence="all_exist">
      <object object_ref="oval:com.oracle.solaris11:obj:8400"/>
    </textfilecontent54_test>
  </tests>
  <objects>
    <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:com.oracle.solaris11:obj:8400" version="1" comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;">
      <path datatype="string" operation="equals">/etc</path>
      <filename datatype="string" operation="equals">proftpd.conf</filename>
      <pattern datatype="string" operation="pattern match">^DisplayConnect\s/etc/issue\s*$</pattern>
      <instance datatype="int" operation="greater than or equal">1</instance>
    </textfilecontent54_object>
  </objects>
</oval_definitions>
$ oscap oval eval ftp-banner.xml
Definition oval:com.oracle.solaris11:def:840: false
Evaluation done.

$ oscap oval eval --results results.xml --report report.html ftp-banner.xml
Definition oval:com.oracle.solaris11:def:840: false
Evaluation done.
OVAL Results are exported correctly.
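What oscap does with the object above, as an added example that is not part of the slides or of OpenSCAP: a small Python evaluator for the textfilecontent54 object (path, filename, regex pattern, instance) that runs the same check against a constructed /etc/proftpd.conf under a temporary root, so the true/false result can be reproduced offline. The embedded XML is a trimmed copy of ftp-banner.xml; the OVAL semantics applied (each regex match is one item, the test passes when at least `instance` items exist) are my reading of the schema.

```python
"""Evaluate the textfilecontent54 check from ftp-banner.xml without oscap.

Added example, not part of the slides or of OpenSCAP. It applies the OVAL
semantics used above (file at path/filename, regex pattern, instance >= 1)
to a file tree under a root directory of your choice.
"""
import os
import re
import tempfile
import xml.etree.ElementTree as ET

OVAL_DEF = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
OVAL_IND = OVAL_DEF + "#independent"

# Trimmed copy of the object from ftp-banner.xml (definition/test omitted).
FTP_BANNER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
  <objects>
    <textfilecontent54_object
        xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"
        id="oval:com.oracle.solaris11:obj:8400" version="1">
      <path datatype="string" operation="equals">/etc</path>
      <filename datatype="string" operation="equals">proftpd.conf</filename>
      <pattern datatype="string" operation="pattern match">^DisplayConnect\\s/etc/issue\\s*$</pattern>
      <instance datatype="int" operation="greater than or equal">1</instance>
    </textfilecontent54_object>
  </objects>
</oval_definitions>
"""


def parse_objects(xml_text):
    """Return {object_id: (path, filename, compiled_regex, min_instance)}."""
    root = ET.fromstring(xml_text)
    objs = {}
    for obj in root.iter("{%s}textfilecontent54_object" % OVAL_IND):
        def field(name):
            return obj.find("{%s}%s" % (OVAL_IND, name))
        for name in ("path", "filename"):
            if field(name).get("operation") != "equals":
                raise ValueError("only operation=equals handled for " + name)
        if field("pattern").get("operation") != "pattern match":
            raise ValueError("pattern must use operation='pattern match'")
        if field("instance").get("operation") != "greater than or equal":
            raise ValueError("only 'greater than or equal' instance handled")
        objs[obj.get("id")] = (
            field("path").text,
            field("filename").text,
            re.compile(field("pattern").text, re.MULTILINE),
            int(field("instance").text),
        )
    return objs


def evaluate(objs, root_dir="/"):
    """Evaluate each object against root_dir; returns {object_id: bool}.

    True means enough matching lines exist, so a test with
    check_existence="all_exist" over this object would pass."""
    results = {}
    for oid, (path, fname, rx, min_inst) in objs.items():
        full = os.path.join(root_dir, path.lstrip("/"), fname)
        try:
            with open(full, encoding="utf-8", errors="replace") as fh:
                content = fh.read()
        except OSError:
            results[oid] = False      # no file: no item exists, test fails
            continue
        # Each regex match is one OVAL item; instances are numbered from 1.
        results[oid] = len(rx.findall(content)) >= min_inst
    return results


def check_ftp_banner(proftpd_conf=None):
    """Run the check against a constructed /etc/proftpd.conf under a temp root.

    proftpd_conf=None simulates a system where the file does not exist."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        if proftpd_conf is not None:
            with open(os.path.join(root, "etc", "proftpd.conf"), "w") as fh:
                fh.write(proftpd_conf)
        result = evaluate(parse_objects(FTP_BANNER_XML), root)
        return result["oval:com.oracle.solaris11:obj:8400"]


if __name__ == "__main__":
    # The demo system's proftpd.conf lacked the line, hence 'false' above;
    # a file carrying the DisplayConnect directive makes the check true.
    print("no banner:", check_ftp_banner('ServerName "ProFTPD Default"\n'))
    print("banner   :", check_ftp_banner("DisplayConnect /etc/issue\n"))
```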
To create your own OVAL files: Enhanced SCAP Content Editor
Find more information regarding this feature at https://blogs.oracle.com/darren/entry/compliance_reporting_with_scap
Sandboxing applications on Solaris 11.1
root@solaris:~# profiles -p "MySQL Service"
profiles:MySQL Service> set desc="Locking down the MySQL Service"
profiles:MySQL Service> add cmd=/lib/svc/method/mysql_51
profiles:MySQL Service:mysql_51> set privs=basic
profiles:MySQL Service:mysql_51> add privs={net_privaddr}:3306/tcp
profiles:MySQL Service:mysql_51> add privs={file_write}:/var/mysql/5.1/data/*
profiles:MySQL Service:mysql_51> add privs={file_write}:/tmp/mysql.sock
profiles:MySQL Service:mysql_51> add privs={file_write}:/var/tmp/ib*
profiles:MySQL Service:mysql_51> end
profiles:MySQL Service> set uid=mysql
profiles:MySQL Service> set gid=mysql
profiles:MySQL Service> exit
root@solaris:~#
root@solaris:~# svccfg -s mysql:version_51
svc:/application/database/mysql:version_51> setprop method_context/profile="MySQL Service"
svc:/application/database/mysql:version_51> setprop method_context/use_profile=true
svc:/application/database/mysql:version_51> refresh
svc:/application/database/mysql:version_51> exit
root@solaris:~# ipadm set-prop -p extra_priv_ports+=3306 tcp
root@solaris:~# ipadm show-prop -p extra_priv_ports tcp
PROTO PROPERTY              PERM CURRENT      PERSISTENT   DEFAULT      POSSIBLE
tcp   extra_priv_ports      rw   2049,4045    --           2049,4045    1-65535
                                 3306
svcadm enable mysql:version_51
root@solaris:~# ppriv $(pgrep mysql)
103697: /usr/mysql/5.1/bin/mysqld --basedir=/usr/mysql/5.1 --datadir=/var/mysq
flags = PRIV_XPOLICY
        Extended policies:
                {net_privaddr}:3306/tcp
                {file_write}:/var/mysql/5.1/data/*
                {file_write}:/tmp/mysql.sock
                {file_write}:/var/tmp/ib*
        E: basic,!file_write
        I: basic,!file_write
        P: basic,!file_write
        L: all
103609: /bin/sh /usr/mysql/5.1/bin/mysqld_safe --user=mysql --datadir=/var/mys
flags = PRIV_XPOLICY
        Extended policies:
                {net_privaddr}:3306/tcp
                {file_write}:/var/mysql/5.1/data/*
                {file_write}:/tmp/mysql.sock
                {file_write}:/var/tmp/ib*
        E: basic,!file_write
        I: basic,!file_write
        P: basic,!file_write
        L: all
Find more information regarding this feature at https://blogs.oracle.com/gfaden/entry/oracle_solaris_extended_policy_and
Passwords
root@client:/etc/security# cat /etc/security/crypt.conf
#
# Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
#ident  "%Z%%M% %I%     %E% SMI"
#
# The algorithm name __unix__ is reserved.
#
1       crypt_bsdmd5.so.1
2a      crypt_bsdbf.so.1
md5     crypt_sunmd5.so.1
5       crypt_sha256.so.1
6       crypt_sha512.so.1
root@client:/etc/security# cat /etc/security/policy.conf | egrep ^CRYPT_DEFAULT
CRYPT_DEFAULT=5
root@client:/etc/security# cat /etc/shadow | grep junior
junior:$5$4aKvDFqA$2kL8GpuXjrdf8XpanqhylEP5lDhy1DF5uo1ZYx74f3159291440
root@client:/etc/security# cat /etc/default/passwd | grep -v "^# " | egrep -v "^$|^#$"
#ident  "%Z%%M% %I%     %E% SMI"
MAXWEEKS=
MINWEEKS=
PASSLENGTH=6
NAMECHECK=NO
HISTORY=0
MINDIFF=3
MINALPHA=2
MINNONALPHA=1
MINUPPER=0
MINLOWER=0
MAXREPEATS=0
MINSPECIAL=0
MINDIGIT=0
WHITESPACE=YES
DICTIONLIST=
DICTIONDBDIR=/var/passwd
root@client:~# mkpwdict -s /usr/share/lib/dict/words
mkpwdict: using default database location: /var/passwd.

or

root@client:~# mkpwdict -s /usr/share/lib/dict/words -d /var/passwd
Address Space Layout Randomization
root@solaris:~# sxadm exec -s aslr=disable /usr/bin/pmap self
1914:   /usr/bin/pmap self
0000000000400000         28K r-x--  /usr/bin/pmap
0000000000417000          4K rw---  /usr/bin/pmap
0000000000418000         40K rw---    [ heap ]
FFFF80FFBDDD0000        216K r-x--  /lib/amd64/libproc.so.1
FFFF80FFBDE16000          8K rw---  /lib/amd64/libproc.so.1
FFFF80FFBF430000       1764K r-x--  /lib/amd64/libc.so.1
FFFF80FFBF5F9000         64K rw---  /lib/amd64/libc.so.1
FFFF80FFBF609000         12K rw---  /lib/amd64/libc.so.1
FFFF80FFBF740000          4K rw---    [ anon ]
FFFF80FFBF750000         24K rwx--    [ anon ]
FFFF80FFBF760000          4K rw---    [ anon ]
FFFF80FFBF770000          4K rw---    [ anon ]
FFFF80FFBF780000          4K rw---    [ anon ]
FFFF80FFBF790000          4K rw---    [ anon ]
FFFF80FFBF792000          4K r--s-    [ anon ]
FFFF80FFBF795000        340K r-x--  /lib/amd64/ld.so.1
FFFF80FFBF7FA000         12K rwx--  /lib/amd64/ld.so.1
FFFF80FFBF7FD000          8K rwx--  /lib/amd64/ld.so.1
FFFF80FFBFFFD000         12K rw---    [ stack ]
 total                 2556K
root@solaris:~# sxadm exec -s aslr=disable /usr/bin/pmap self
1915:   /usr/bin/pmap self
0000000000400000         28K r-x--  /usr/bin/pmap
0000000000417000          4K rw---  /usr/bin/pmap
0000000000418000         40K rw---    [ heap ]
FFFF80FFBDDD0000        216K r-x--  /lib/amd64/libproc.so.1
FFFF80FFBDE16000          8K rw---  /lib/amd64/libproc.so.1
FFFF80FFBF430000       1764K r-x--  /lib/amd64/libc.so.1
FFFF80FFBF5F9000         64K rw---  /lib/amd64/libc.so.1
FFFF80FFBF609000         12K rw---  /lib/amd64/libc.so.1
FFFF80FFBF740000          4K rw---    [ anon ]
FFFF80FFBF750000         24K rwx--    [ anon ]
FFFF80FFBF760000          4K rw---    [ anon ]
FFFF80FFBF770000          4K rw---    [ anon ]
FFFF80FFBF780000          4K rw---    [ anon ]
FFFF80FFBF790000          4K rw---    [ anon ]
FFFF80FFBF792000          4K r--s-    [ anon ]
FFFF80FFBF795000        340K r-x--  /lib/amd64/ld.so.1
FFFF80FFBF7FA000         12K rwx--  /lib/amd64/ld.so.1
FFFF80FFBF7FD000          8K rwx--  /lib/amd64/ld.so.1
FFFF80FFBFFFD000         12K rw---    [ stack ]
 total                 2556K
root@solaris:~# sxadm exec -s aslr=enable /usr/bin/pmap self
1917:   /usr/bin/pmap self
0000000000400000         28K r-x--  /usr/bin/pmap
0000000000417000          4K rw---  /usr/bin/pmap
0000000000418000          8K rw---  /usr/bin/pmap
00000005D6666000         36K rw---    [ heap ]
00007FF669C70000        216K r-x--  /lib/amd64/libproc.so.1
00007FF669CB6000          8K rw---  /lib/amd64/libproc.so.1
00007FF669CC0000          4K rw---    [ anon ]
00007FF669CD0000         24K rwx--    [ anon ]
00007FF669CE0000          4K rw---    [ anon ]
00007FF669CF0000       1764K r-x--  /lib/amd64/libc.so.1
00007FF669EB9000         64K rw---  /lib/amd64/libc.so.1
00007FF669EC9000         12K rw---  /lib/amd64/libc.so.1
00007FF669ED0000          4K rw---    [ anon ]
00007FF669EE0000          4K rw---    [ anon ]
00007FF669EF0000          4K rw---    [ anon ]
00007FF669EF2000          4K r--s-    [ anon ]
00007FF669EFC000        340K r-x--  /lib/amd64/ld.so.1
00007FF669F61000         12K rwx--  /lib/amd64/ld.so.1
00007FF669F64000          8K rwx--  /lib/amd64/ld.so.1
FFFF80DDA254F000         16K rw---    [ stack ]
 total                 2564K
root@solaris:~# sxadm exec -s aslr=enable /usr/bin/pmap self
1918:   /usr/bin/pmap self
0000000000400000         28K r-x--  /usr/bin/pmap
0000000000417000          4K rw---  /usr/bin/pmap
0000000000418000          8K rw---  /usr/bin/pmap
000000065B76D000         36K rw---    [ heap ]
00007FFAACFC0000        216K r-x--  /lib/amd64/libproc.so.1
00007FFAAD006000          8K rw---  /lib/amd64/libproc.so.1
00007FFAAD010000          4K rw---    [ anon ]
00007FFAAD020000         24K rwx--    [ anon ]
00007FFAAD030000          4K rw---    [ anon ]
00007FFAAD040000       1764K r-x--  /lib/amd64/libc.so.1
00007FFAAD209000         64K rw---  /lib/amd64/libc.so.1
00007FFAAD219000         12K rw---  /lib/amd64/libc.so.1
00007FFAAD220000          4K rw---    [ anon ]
00007FFAAD230000          4K rw---    [ anon ]
00007FFAAD240000          4K rw---    [ anon ]
00007FFAAD242000          4K r--s-    [ anon ]
00007FFAAD24D000        340K r-x--  /lib/amd64/ld.so.1
00007FFAAD2B2000         12K rwx--  /lib/amd64/ld.so.1
00007FFAAD2B5000          8K rwx--  /lib/amd64/ld.so.1
FFFF80DE1559E000         12K rw---    [ stack ]
root@solaris:~# sxadm info
EXTENSION           STATUS                         CONFIGURATION
aslr                enabled (tagged-files)         system default (default)

root@solaris:~# elfdump -d /usr/bin/pmap | grep ASLR
      [33]  SUNW_ASLR         0x2                 ENABLE

root@solaris:~# elfedit -e 'dyn:sunw_aslr disable' /usr/bin/pmap

root@solaris:~# elfdump -d /usr/bin/pmap | grep ASLR
      [33]  SUNW_ASLR         0x1                 DISABLE
root@solaris:~# sxadm enable -c model=all aslr
root@solaris:~# sxadm info
EXTENSION           STATUS                         CONFIGURATION
aslr                enabled (all)                  enabled (all)

root@solaris:~# sxadm disable aslr
root@solaris:~# sxadm info
EXTENSION           STATUS                         CONFIGURATION
aslr                disabled                       disabled

root@solaris:~# sxadm enable -c model=tagged-files aslr
root@solaris:~# sxadm info
EXTENSION           STATUS                         CONFIGURATION
aslr                enabled (tagged-files)         enabled (tagged-files)
pfedit
root@template:/etc/apache2/2.2# profiles -p "httpd edit"
profiles:httpd edit> set auths=solaris.admin.edit//etc/apache2/2.2/httpd.conf
profiles:httpd edit> set desc="Edit httpd"
profiles:httpd edit> exit
root@template:/etc/apache2/2.2# usermod -P +"httpd edit" junior
junior@template:~$ profiles
        httpd edit
        Basic Solaris User
        All
junior@template:~$ vi /etc/apache2/2.2/httpd.conf
junior@template:~$ pfedit /etc/apache2/2.2/httpd.conf
pfedit: /etc/apache2/2.2/httpd.conf has been updated.
junior@template:~$ pfedit /etc/apache2/2.2/mime.types
pfedit: User junior is not authorized to edit the file /etc/apache2/2.2/mime.types
root@template:/etc/apache2/2.2# profiles -p "httpd edit"
profiles:httpd edit> info
        name=httpd edit
        desc=Edit httpd
        auths=solaris.admin.edit//etc/apache2/2.2/httpd.conf
profiles:httpd edit> add auths=solaris.admin.edit//etc/apache2/2.2/mime.types
junior@template:~$ pfedit /etc/apache2/2.2/mime.types
pfedit: no changes for /etc/apache2/2.2/mime.types
profiles -p "httpd configure"
profiles:httpd configure> add always_audit=as
profiles:httpd configure> info
        name=httpd configure
        desc=Configure httpd
        auths=solaris.admin.edit//etc/apache2/2.2/httpd.conf,solaris.admin.edit//etc/apache2/2.2/mime.types
        always_audit=as
        never_audit=no
profiles:httpd configure> exit
root@template:~#
root@template:~# auditreduce -c as | praudit
header,486,2,edit administrative file,,fe80::a00:27ff:fea6:33cb,2013-08-12 07:45:52.306 +00:00
subject,junior,junior,staff,junior,staff,4212447467166369 136704 MacBook-Pro-of-c0t0d0s0.fritz.box
path,/etc/apache2/2.2/httpd.conf
use of authorization,solaris.admin.edit//etc/apache2/2.2/httpd.conf
text,--- /etc/apache2/2.2/httpd.conf Mo Aug 12 07:45:00 2013
+++ /etc/apache2/2.2/httpd.conf.pfedit.1BaGoi Mo Aug 12 07:45:52 2013
@@ -1,5 +1,6 @@
 # Test
 # Test 2
+# Test 3
 #
 # This is the main Apache HTTP server configuration file.  It contains the
 # configuration directives that give the server its instructions.
return,success,0
Delegating privilege to restart services (so you can keep the root password)
junior@template:~$ svcadm refresh apache22
svcadm: svc:/network/http:apache22: Permission denied.
svcs -a | grep apache22
online         15:30:29 svc:/network/http:apache22
auths add -t "Apache22 value" solaris.smf.value.http.apache22
auths add -t "Apache22 action" solaris.smf.action.http.apache22
svccfg -s apache22 setprop general/value_authorization = astring: solaris.smf.value.http.apache22
svccfg -s apache22 setprop general/action_authorization = astring: solaris.smf.action.http.apache22
profiles -p "httpd edit" "add auths=solaris.smf.action.http.apache22"
junior@template:~$ svcadm refresh apache22
junior@template:~$
Privileges
$ ls -l /usr/sbin/traceroute
-r-sr-xr-x   1 root     bin        42324 Nov 21 00:09 /usr/sbin/traceroute
$ ls -l /usr/sbin/ping
-r-sr-xr-x   1 root     bin        51396 Nov 18 19:31 /usr/sbin/ping

Set-uid to root: ping needs it to work.
# chmod -s /sbin/ping
# exit
$ ping -s 1921681132
ping: socket Permission denied

Remove the set-uid bit and ping stops working.
jmoekamp@daddelkiste:~$ ppriv $$
2153:   -bash
flags = <none>
        E: basic
        I: basic
        P: basic
        L: all
contract_event, contract_identity, contract_observer, cpc_cpu, dtrace_kernel, dtrace_proc, dtrace_user, file_chown, file_chown_self, file_dac_execute, file_dac_read, file_dac_search, file_dac_write, file_downgrade_sl, file_flag_set, file_link_any, file_owner, file_read, file_setid, file_upgrade_sl, file_write, graphics_access, graphics_map, ipc_dac_read, ipc_dac_write, ipc_owner, net_access, net_bindmlp, net_icmpaccess, net_mac_aware, net_mac_implicit, net_observability, net_privaddr, net_rawaccess, proc_audit, proc_chroot, proc_clock_highres, proc_exec, proc_fork, proc_info, proc_lock_memory, proc_owner, proc_priocntl, proc_session, proc_setid, proc_taskid, proc_zone, sys_acct, sys_admin, sys_audit, sys_config, sys_devices, sys_dl_config, sys_flow_config, sys_ib_config, sys_ib_info, sys_ip_config, sys_ipc_config, sys_iptun_config, sys_linkdir, sys_mount, sys_net_config, sys_nfs, sys_ppp_config, sys_res_bind, sys_res_config, sys_resource, sys_share, sys_smb, sys_suser_compat, sys_time, sys_trans_label, win_colormap, win_config, win_dac_read, win_dac_write, win_devices, win_dga, win_downgrade_sl, win_fontpath, win_mac_read, win_mac_write, win_selection, win_upgrade_sl
All privileges in their entirety assigned to one user are (almost)
Neat extension in Solaris 11: the ability to use networking is now a privilege (net_access). It is part of the default set of privileges, but you can remove it.
jmoekamp@daddelkiste:~$ ppriv -v $$
2153:   -bash
flags = <none>
        E: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
        I: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
        P: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
        L: contract_event,contract_identity,contract_observer,cpc_cpu,dtrace_kernel,dtrace_proc,dtrace_user,file_chown,file_chown_self,file_dac_execute,file_dac_read,file_dac_search,file_dac_write,file_downgrade_sl,file_flag_set,file_link_any,file_owner,file_read,file_setid,file_upgrade_sl,file_write,graphics_access,graphics_map,ipc_dac_read,ipc_dac_write,ipc_owner,net_access,net_bindmlp,net_icmpaccess,net_mac_aware,net_mac_implicit,net_observability,net_privaddr,net_rawaccess,proc_audit,proc_chroot,proc_clock_highres,proc_exec,proc_fork,proc_info,proc_lock_memory,proc_owner,proc_priocntl,proc_session,proc_setid,proc_taskid,proc_zone,sys_acct,sys_admin,sys_audit,sys_config,sys_devices,sys_dl_config,sys_flow_config,sys_ib_config,sys_ib_info,sys_ip_config,sys_ipc_config,sys_iptun_config,sys_linkdir,sys_mount,sys_net_config,sys_nfs,sys_ppp_config,sys_res_bind,sys_res_config,sys_resource,sys_share,sys_smb,sys_suser_compat,sys_time,sys_trans_label,win_colormap,win_config,win_dac_read,win_dac_write,win_devices,win_dga,win_downgrade_sl,win_fontpath,win_mac_read,win_mac_write,win_selection,win_upgrade_sl
root@daddelkiste:~# ppriv $$
2183:   -bash
flags = <none>
        E: all
        I: basic
        P: all
        L: all
junior@daddelkiste:~$ dtrace -n 'syscall:::entry { @num[execname] = count(); }'
dtrace: failed to initialize dtrace: DTrace requires additional privileges
root@daddelkiste:~# usermod -K defaultpriv=basic,dtrace_kernel,dtrace_proc,dtrace_user junior
UX: usermod: junior is currently logged in, some changes may not take effect until next login.
junior@daddelkiste:~$ dtrace -n 'syscall:::entry { @num[execname] = count(); }'
dtrace: description 'syscall:::entry' matched 211 probes
^C

  automountd                                                        1
  sshd                                                             24
  dtrace                                                          544
  auditd                                                          564
# ps -ef | grep kcfd
  daemon   125     1   0 14:24:19 ?           0:00 /usr/lib/crypto/kcfd
    root   734   728   0 15:54:08 pts/1       0:00 grep kcfd
# ppriv -v 125
125:    /usr/lib/crypto/kcfd
flags = PRIV_AWARE
        E: file_owner,proc_priocntl,sys_devices
        I: none
        P: file_owner,proc_priocntl,sys_devices
        L: none
svcadm -v enable -s apache2
svc:/network/http:apache2 enabled.
jmoekamp@client:~$ ps -ef | grep http
webservd  1978  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1979  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1980  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1984  1975   0 12:20:02 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
    root  1975     1   0 12:19:14 ?           0:01 /usr/apache2/2.2/bin/httpd -k start
webservd  1977  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1976  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
root@client:~# ppriv 1977
1977:   /usr/apache2/2.2/bin/httpd -k start
flags = <none>
        E: basic
        I: basic
        P: basic
        L: all
root@client:~# ppriv 1975
1975:   /usr/apache2/2.2/bin/httpd -k start
flags = <none>
        E: all
        I: basic
        P: all
        L: all
root@client:~#
The Apache process running as root has all of the privileges listed above.
The other Apache processes have only the basic set of privileges.
Apache really needs only a small subset of them.
contract_eventcontract_identitycontract_observercpc_cpudtrace_kerneldtrace_procdtrace_userfile_chownfile_chown_selffile_dac_executefile_dac_readfile_dac_searchfile_dac_writefile_downgrade_slfile_flag_setfile_link_anyfile_ownerfile_readfile_setidfile_upgrade_slfile_writegraphics_accessgraphics_mapipc_dac_readipc_dac_writeipc_ownernet_accessnet_bindmlpnet_icmpaccessnet_mac_awarenet_mac_implicitnet_observabilitynet_privaddrnet_rawaccessproc_auditproc_chrootproc_clock_highresproc_execproc_forkproc_infoproc_lock_memoryproc_ownerproc_priocntlproc_sessionproc_setidproc_taskidproc_zonesys_acctsys_adminsys_auditsys_configsys_devicessys_dl_configsys_flow_configsys_ib_configsys_ib_infosys_ip_configsys_ipc_configsys_iptun_configsys_linkdirsys_mountsys_net_configsys_nfssys_ppp_configsys_res_bindsys_res_configsys_resourcesys_sharesys_smbsys_suser_compatsys_timesys_trans_labelwin_colormapwin_configwin_dac_readwin_dac_writewin_deviceswin_dgawin_downgrade_slwin_fontpathwin_mac_readwin_mac_writewin_selectionwin_upgrade_sl
So you grant a large number of privileges to one process Apache donlsquot need
# svcadm -v disable -s apache2
svc:/network/http:apache2 disabled.

root@client:~# svccfg -s apache22
svc:/network/http:apache22> setprop start/user = astring: webservd
svc:/network/http:apache22> setprop start/group = astring: webservd
svc:/network/http:apache22> setprop start/privileges = astring: basic,proc_session,proc_info,file_link_any,net_privaddr
svc:/network/http:apache22> setprop start/limit_privileges = astring: :default
svc:/network/http:apache22> setprop start/use_profile = boolean: false
svc:/network/http:apache22> setprop start/supp_groups = astring: :default
svc:/network/http:apache22> setprop start/working_directory = astring: :default
svc:/network/http:apache22> setprop start/project = astring: :default
svc:/network/http:apache22> setprop start/resource_pool = astring: :default
svc:/network/http:apache22> end
root@client:~# svcadm -v refresh apache22
Action refresh set for svc:/network/http:apache22.

# echo "LockFile /var/apache2/2.2/logs/accept.lock" >> /etc/apache2/2.2/httpd.conf
# echo "PidFile /var/apache2/2.2/run/httpd.pid" >> /etc/apache2/2.2/httpd.conf
# mkdir -p -m 755 /var/apache2/2.2/run
# chown webservd:webservd /var/apache2/2.2/run
# svcadm enable apache22

webservd  3064  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3062  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3063  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3066  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3061     1   0 16:49:17 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3065  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
Read-only zone root

zonecfg:testzone> set file-mac-profile=none
    Standard read-write non-global zone, with no additional protection beyond the existing zones boundaries.

zonecfg:testzone> set file-mac-profile=strict
    Read-only file system, no exceptions.

zonecfg:testzone> set file-mac-profile=fixed-configuration
    Permits updates to /var/* directories, with the exception of directories that contain system configuration components.

zonecfg:testzone> set file-mac-profile=flexible-configuration
    Permits modification of files in /etc/* directories, changes to root's home directory, and updates to /var/* directories. This configuration provides the closest functionality to the Oracle Solaris 10 native sparse root zone.
in-kernel SSL Proxy

# mkdir /etc/keys
# cd /etc/keys
# openssl req -x509 -nodes -days 365 -subj "/C=DE/ST=Hamburg/L=Hamburg/CN=server" -newkey rsa:1024 -keyout /etc/keys/mykey.pem -out /etc/keys/mycert.pem
# cat mycert.pem mykey.pem > my.pem
# chmod 600 my.pem

# echo "pass" > /etc/keys/mypass
# ksslcfg create -f pem -i /etc/keys/my.pem -x 8080 -p /etc/keys/mypass server 443

# ksslcfg create -f pem -i /etc/keys/my.pem -x 8080 -p /etc/keys/mypass -c "rsa_aes_256_cbc_sha,rsa_aes_128_cbc_sha,rsa_rc4_128_sha,rsa_rc4_128_md5" server 443

# svcs -a | grep kssl
online          9:03:33 svc:/network/ssl/proxy:kssl-server-443

# svcadm disable apache22
# echo "Listen 192.168.178.108:8080" >> /etc/apache2/2.2/httpd.conf
# svcadm enable apache22
Port number and IP address have to be defined in httpd.conf, otherwise it will not work.
# openssl s_client -connect server:443
CONNECTED(00000004)
depth=0 /C=DE/ST=Hamburg/L=Hamburg/CN=server
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=DE/ST=Hamburg/L=Hamburg/CN=server
verify return:1
---
Certificate chain
 0 s:/C=DE/ST=Hamburg/L=Hamburg/CN=server
   i:/C=DE/ST=Hamburg/L=Hamburg/CN=server
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICoTCCAgqgAwIBAgIJAKyJdj[...]V5jX3MU=
-----END CERTIFICATE-----
subject=/C=DE/ST=Hamburg/L=Hamburg/CN=server
issuer=/C=DE/ST=Hamburg/L=Hamburg/CN=server
---
No client certificate CA names sent
---
SSL handshake has read 817 bytes and written 328 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-SHA
    Session-ID: 32CEF20CB9FE2A71C74D40BB2DB5CB304DA1B57540B7CFDD113915B99DBE9812
    Session-ID-ctx:
    Master-Key: 1E7B502390951124779C5763B5E4BBAF0A9B0693D08DCA8A587B503A5C5027B6FAD9CA7626B1AD8C62219E8502A5C21E
    Key-Arg   : None
    Start Time: 1242985143
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
GET / HTTP/1.0

HTTP/1.1 200 OK
Date: Fri, 22 May 2009 09:39:13 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8a DAV/2
Last-Modified: Thu, 21 May 2009 21:26:30 GMT
ETag: "341f3-2c-46a72cc211a8f"
Accept-Ranges: bytes
Content-Length: 44
Connection: close
Content-Type: text/html

<html><body><h1>It works!</h1></body></html>
read:errno=0
ZFS Encryption

# zfs create -o encryption=on rpool/export/project

Two keys are involved:
- wrapping key (user settable)
- encryption key (random, not user settable)
The wrapping key can come from: prompt, file://, https://, pkcs11:

Available algorithms: aes-128-ccm (=on), aes-192-ccm, aes-256-ccm, aes-128-gcm, aes-192-gcm, aes-256-gcm

# zfs set checksum=sha256+mac <dataset>
If encryption is anything other than off this is set automatically, and the checksum property is read-only from then on.

# pktool genkey keystore=pkcs11 keytype=aes keylen=128 label=mykey
Enter PIN for Sun Software PKCS#11 softtoken:
# zfs create -o encryption=on -o keysource=raw,pkcs11:object=mykey tank/project/C
Enter PKCS#11 token PIN for 'tank/project/C':

# zfs create -o encryption=on -o keysource=raw,https://keys.example.com/mykey tank/project/R
# cp myserver.cert.pem /etc/certs/CA
# svcadm refresh ca-certificates

Changing the wrapping key:
$ zfs key -c rpool/export/project
Enter new passphrase for 'rpool/export/project':

Changing the encryption key:
# zfs key -K tank/project/A
Changes the encryption key for data written from now on.
# zfs clone -K tank/project/A@montag tank/project/D
Creates a new data encryption key. Data written in the clone uses the new data encryption key, which is distinct from its original snapshot.
Solaris Cryptographic Framework

As soon as Solaris detects hardware acceleration for cryptography, Solaris will use it (and so do applications using the Oracle-supplied OpenSSL library or the direct interfaces):
• on-chip crypto accelerator in T and current M series chips
• instruction set extensions in Intel processors (AES-NI)
• supported crypto accelerator cards

Just a side note: T-series crypto acceleration and Intel x86 acceleration have quite different performance characteristics.
T-Series: acceleration by offloading crypto outside the pipeline.
Intel x86: acceleration by offering special in-pipeline instructions to accelerate execution.
Sounds like splitting hairs ...
Using ZFS to do two-factor encryption

jmoekamp@solaris:~$ rmformat
Looking for devices...
     1. Logical Node: /dev/rdsk/c10t0d0p0
        Physical Node: /pci@0,0/pci8086,265c@b/storage@2/disk@0,0
        Connected Device: SanDisk  U3 Cruzer Micro  8.02
        Device Type: Removable
        Bus: USB
        Size: 3.8 GB
        Label:
        Access permissions: Medium is not write protected.
     (...)
     3. Logical Node: /dev/rdsk/c9t0d0p0
        Physical Node: /pci@0,0/pci8086,265c@b/storage@1/disk@0,0
        Connected Device: SanDisk  U3 Cruzer Micro  8.02
        Device Type: Removable
        Bus: USB
        Size: 3.8 GB
        Label:
        Access permissions: Medium is not write protected.

root@solaris:~# zpool create a_keystore_usbstick /dev/dsk/c10t0d0p0
root@solaris:~# zpool create datastick /dev/dsk/c9t0d0p0

root@solaris:~# zfs create -o encryption=on a_keystore_usbstick/keys
Enter passphrase for 'a_keystore_usbstick/keys': supersecret
Enter again: supersecret

root@solaris:~# pktool genkey keystore=file keytype=aes keylen=128 outkey=/a_keystore_usbstick/keys/joergsdatastick.key

root@solaris:~# zfs create -o encryption=on -o keysource=raw,file:///a_keystore_usbstick/keys/joergsdatastick.key datastick/joergssecrets

root@solaris:/datastick/joergssecrets# mv /home/jmoekamp/highlyconfidential_nda_preso.tgz .

root@solaris:~# zpool export a_keystore_usbstick
root@solaris:~# zpool export datastick

root@solaris:~# zpool import a_keystore_usbstick
Enter passphrase for 'a_keystore_usbstick/keys': supersecret
root@solaris:~#

root@solaris:~# zpool import datastick
root@solaris:~# cd /datastick/joergssecrets
root@solaris:/datastick/joergssecrets# ls
highconfidential_nda_preso.tgz
Basic Auditing and Reporting Tool

# mkdir /bart-files
# bart create -R /etc > /bart-files/etc.control.manifest

# cat etc.control.manifest | grep nsswitch.nisplus
/nsswitch.nisplus F 2525 100644 user::rw-,group::r--,mask:r--,other:r-- 473976b5 0 3 79e8fd689a5221d1cd059e5077da71b8

# touch /etc/thisisjustatest
# chmod 777 /etc/nsswitch.files
# echo "just a test" >> /etc/nsswitch.nisplus

# bart create -R /etc > /bart-files/etc.check.20130911.manifest

# cd /bart-files
# bart compare etc.control.manifest etc.check.20130911.manifest
/nsswitch.files:
  mode  control:100644  test:100777
  acl  control:user::rw-,group::r--,mask:r--,other:r--  test:user::rwx,group::rwx,mask:rwx,other:rwx
/nsswitch.nisplus:
  size  control:2525  test:2538
  mtime  control:473976b5  test:47a44862
  contents  control:79e8fd689a5221d1cd059e5077da71b8  test:3f79176ec352441db11ec8a3d02ef67c
/thisisjustatest:
  add

Find more information regarding this feature at http://www.c0t0d0s0.org/archives/4069-Less-known-Solaris-features-BART.html
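The control/compare cycle above, rebuilt from POSIX tools as an added example (this is not BART and not code from the slides): a manifest with one line per file (relative path, mode string, size, CRC) stands in for BART's richer format, and the compare step prints BART-style add/mode/size/contents lines. The directory contents are constructed for the demo and mirror the three changes made on the slide.

```shell
#!/bin/sh
# Added example, not from the slides and not BART itself: a simplified
# BART-style control/compare cycle built from find, ls, cksum and awk.
# Manifest line format (constructed stand-in): <relpath> <mode> <size> <crc>
# Filenames without whitespace are assumed.

# make_manifest DIR  -> manifest on stdout, sorted by path
make_manifest() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | while read -r f; do
          mode=$(ls -ld "$f" | cut -c1-10)      # e.g. -rw-r--r--
          set -- $(cksum "$f")                  # crc size path
          printf '%s %s %s %s\n' "${f#./}" "$mode" "$2" "$1"
      done )
}

# compare_manifests CONTROL TEST -> one line per difference:
#   <file>: add | delete | mode|size|contents control:<x> test:<y>
compare_manifests() {
    awk '
        NR == FNR { ctl[$1] = $2 " " $3 " " $4; next }
                  { tst[$1] = $2 " " $3 " " $4 }
        END {
            for (f in ctl) if (!(f in tst)) print f ": delete"
            for (f in tst) {
                if (!(f in ctl)) { print f ": add"; continue }
                split(ctl[f], c, " "); split(tst[f], t, " ")
                if (c[1] != t[1]) print f ": mode control:" c[1] " test:" t[1]
                if (c[2] != t[2]) print f ": size control:" c[2] " test:" t[2]
                if (c[3] != t[3]) print f ": contents control:" c[3] " test:" t[3]
            }
        }' "$1" "$2" | LC_ALL=C sort
}

# Demo: replay the slide's three changes against a constructed /etc stand-in
demo_dir=$(mktemp -d)
mkdir "$demo_dir/etc"
printf 'files\n'   > "$demo_dir/etc/nsswitch.files"
printf 'nisplus\n' > "$demo_dir/etc/nsswitch.nisplus"
make_manifest "$demo_dir/etc" > "$demo_dir/etc.control.manifest"

touch "$demo_dir/etc/thisisjustatest"
chmod 777 "$demo_dir/etc/nsswitch.files"
printf 'just a test\n' >> "$demo_dir/etc/nsswitch.nisplus"
make_manifest "$demo_dir/etc" > "$demo_dir/etc.check.manifest"

compare_manifests "$demo_dir/etc.control.manifest" "$demo_dir/etc.check.manifest"
rm -rf "$demo_dir"
```

The CRC from cksum is only a change detector, not a tamper-evident hash; the point of the example is the workflow (baseline before, compare after), and that the baseline manifest has to be stored somewhere the monitored host cannot rewrite, exactly as with a real BART control manifest.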
Apropos Auditing

Auditing is activated by default.

root@client:~# auditconfig -getflags
active user default audit flags = lo(0x1000,0x1000)
configured user default audit flags = lo(0x1000,0x1000)
root@client:~# auditconfig -getnaflags
active non-attributable audit flags = lo(0x1000,0x1000)
configured non-attributable audit flags = lo(0x1000,0x1000)

root@client:~# auditconfig -getpolicy
configured audit policies = cnt
active audit policies = cnt
Policy regarding auditing (explanation on the next slide).

root@client:~# auditconfig -lspolicy
policy string    description:
ahlt             halt machine if it can not record an async event
all              all policies
arge             include exec environment args in audit recs
argv             include exec command line args in audit recs
cnt              when no more space, drop recs and keep a cnt
group            include supplementary groups in audit recs
none             no policies
path             allow multiple paths per event
perzone          use a separate queue and auditd per zone
public           audit public files
seq              include a sequence number in audit recs
trail            include trailer token in audit recs
windata_down     include downgraded window information in audit recs
windata_up       include upgraded window information in audit recs
zonename         include zonename token in audit recs
Which degree of detail? What happens with full disks?

root@client:~# auditconfig -getplugin
Plugin: audit_binfile (active)
    Attributes: p_dir=/var/audit;p_fsize=0;p_minfree=1;
Plugin: audit_syslog (inactive)
    Attributes: p_flags=;
Plugin: audit_remote (inactive)
    Attributes: p_hosts=;p_retries=3;p_timeout=5;

root@client:~# auditconfig -setflags lo,ps,fw
user default audit flags = ps,lo,fw(0x101002,0x101002)
root@client:~# auditconfig -setnaflags lo,na
non-attributable audit flags = lo,na(0x1400,0x1400)
lo and na are the only sensible flags for non-attributable events.

root@client:~# usermod -K audit_flags=fw,as junior

root@client:~# auditconfig -lsevent | grep " lo "
AUE_login                  6152 lo login - local
AUE_logout                 6153 lo logout
AUE_telnet                 6154 lo login - telnet
AUE_rlogin                 6155 lo login - rlogin
AUE_rshd                   6158 lo rsh access
AUE_su                     6159 lo su
AUE_rexecd                 6162 lo rexecd
AUE_passwd                 6163 lo passwd
AUE_rexd                   6164 lo rexd
AUE_ftpd                   6165 lo ftp access
AUE_ftpd_logout            6171 lo ftp logout
AUE_ssh                    6172 lo login - ssh
AUE_role_login             6173 lo role login
AUE_rad_login              6174 lo connect to RAD
AUE_newgrp_login           6212 lo newgrp login
AUE_admin_authenticate     6213 lo admin login
AUE_screenlock             6221 lo screenlock - lock
AUE_screenunlock           6222 lo screenlock - unlock
AUE_zlogin                 6227 lo login - zlogin
AUE_su_logout              6228 lo su logout
AUE_role_logout            6229 lo role logout
AUE_smbd_session           6244 lo smbd(1m) session setup
AUE_smbd_logoff            6245 lo smbd(1m) session logoff

root@client:~# auditconfig -lsevent | grep " ps "
AUE_EXIT                   1 ps exit(2)
AUE_FORKALL                2 ps forkall(2)
AUE_VFORK                  25 ps vfork(2)
AUE_FORK1                  241 ps fork1(2)
root@client:~# auditconfig -lsevent | grep " fw "
AUE_OPEN_W                 76 fw open(2) - write

# auditreduce -c ps /var/audit/20130912183630.not_terminated.client | praudit
header,139,2,execve(2),,client,2013-09-12 18:40:55.924 +00:00
path,/usr/sbin/auditreduce
attribute,100555,root,bin,65538,65875,18446744073709551615
subject,jmoekamp,root,root,root,root,2054,1440080956,2480 202240 192.168.10.1
return,success,0

root@client:~# auditconfig -setflags all
user default audit flags = all(0xffffffffffffffff,0xffffffffffffffff)
Not always (in the sense of: never) a good idea.
Useful after trying things out, to start a new audit file:
root@client:~# audit -n

root@client:~# auditstat
gen    nona   kern   aud    ctl    enq    wrtn   wblk   rblk   drop   tot    mem
38248  1      38233  14     0      37791  37788  0      3491   457    5169   0
"all" activated for a few seconds on an unloaded system.
SSH and X509

root@ca:~# CA.pl -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
.......++++++
......++++++
writing new private key to '/etc/openssl/private/cakey.pem'
Enter PEM pass phrase: supersecret1
Verifying - Enter PEM pass phrase: supersecret1
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:DE
State or Province Name (full name) []:Lower Saxony
Locality Name (eg, city) []:Lueneburg
Organization Name (eg, company) []:c0t0d0s0.org
Organizational Unit Name (eg, section) []:Security Department
Common Name (eg, server FQDN or YOUR name) []:CA
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openssl/openssl.cnf
Enter pass phrase for /etc/openssl/private/cakey.pem: supersecret1
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            b3:54:80:88:66:ad:e8:78
        Validity
            Not Before: Sep 26 10:11:09 2013 GMT
            Not After : Sep 25 10:11:09 2016 GMT
        Subject:
            countryName               = DE
            stateOrProvinceName       = Lower Saxony
            organizationName          = c0t0d0s0.org
            organizationalUnitName    = Security Department
            commonName                = CA
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44
            X509v3 Authority Key Identifier:
                keyid:5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44

            X509v3 Basic Constraints:
                CA:TRUE
Certificate is to be certified until Sep 25 10:11:09 2016 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated

root@ca:~# mkdir server
root@ca:~# cd server
root@ca:~/server# CA.pl -newreq
Generating a 1024 bit RSA private key
.......++++++
......++++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase: supersecret2
Verifying - Enter PEM pass phrase: supersecret2
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:DE
State or Province Name (full name) []:Lower Saxony
Locality Name (eg, city) []:Lueneburg
Organization Name (eg, company) []:c0t0d0s0.org
Organizational Unit Name (eg, section) []:Server Certificates
Common Name (eg, server FQDN or YOUR name) []:server
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem

root@ca:~/server# CA.pl -signreq
Using configuration from /etc/openssl/openssl.cnf
Enter pass phrase for /etc/openssl/private/cakey.pem: supersecret1
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            b3:54:80:88:66:ad:e8:79
        Validity
            Not Before: Sep 26 10:29:12 2013 GMT
            Not After : Sep 26 10:29:12 2014 GMT
        Subject:
            countryName               = DE
            stateOrProvinceName       = Lower Saxony
            localityName              = Lueneburg
            organizationName          = c0t0d0s0.org
            organizationalUnitName    = Server Certificates
            commonName                = server
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                A7:DC:03:DE:B3:D5:FB:F9:C0:06:F1:1A:55:A9:AD:04:C4:9C:10:FA
            X509v3 Authority Key Identifier:
                keyid:5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44

Certificate is to be certified until Sep 26 10:29:12 2014 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
root@ca:~/server# ls -l
total 15
-rw-r--r--   1 root     root        3196 Sep 26 12:29 newcert.pem
-rw-r--r--   1 root     root        1041 Sep 26 12:28 newkey.pem
-rw-r--r--   1 root     root         680 Sep 26 12:28 newreq.pem

root@ca:~/junior# CA.pl -newreq
Generating a 1024 bit RSA private key
.......++++++
......++++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
Verify failure
Enter PEM pass phrase: supersecret3
Verifying - Enter PEM pass phrase: supersecret3
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:DE
State or Province Name (full name) []:Lower Saxony
Locality Name (eg, city) []:Lueneburg
Organization Name (eg, company) []:c0t0d0s0.org
Organizational Unit Name (eg, section) []:User certificates
Common Name (eg, server FQDN or YOUR name) []:junior
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem

root@ca:~/junior# CA.pl -signreq
Using configuration from /etc/openssl/openssl.cnf
Enter pass phrase for /etc/openssl/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            b3:54:80:88:66:ad:e8:7a
        Validity
            Not Before: Sep 26 11:09:29 2013 GMT
            Not After : Sep 26 11:09:29 2014 GMT
        Subject:
            countryName               = DE
            stateOrProvinceName       = Lower Saxony
            localityName              = Lueneburg
            organizationName          = c0t0d0s0.org
            organizationalUnitName    = User certificates
            commonName                = junior
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                A1:F2:FC:9D:8A:E2:AD:9A:F5:29:03:F5:B7:14:93:3C:64:62:8E:9C
            X509v3 Authority Key Identifier:
                keyid:5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44

Certificate is to be certified until Sep 26 11:09:29 2014 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem

root@server:~# useradd -m junior
80 blocks
root@server:~# passwd junior
New Password:
Re-enter new Password:
passwd: password successfully changed for junior
root@server:~#

root@client:~# useradd -m junior
80 blocks
root@client:~# passwd junior
New Password:
Re-enter new Password:
passwd: password successfully changed for junior

root@server:~# echo "192.168.10.51 server" >> /etc/hosts
root@server:~# echo "192.168.10.52 client" >> /etc/hosts

root@client:~# echo "192.168.10.51 server" >> /etc/hosts
root@client:~# echo "192.168.10.52 client" >> /etc/hosts

root@ca:~/server# scp /etc/openssl/cacert.pem jmoekamp@192.168.1.109:/export/home/jmoekamp
Password:
cacert.pem           100% |*****************************|  3011       00:00
root@ca:~/server# scp newcert.pem jmoekamp@192.168.1.109:/export/home/jmoekamp
Password:
newcert.pem          100% |*****************************|  3196       00:00
root@ca:~/server# scp newkey.pem jmoekamp@192.168.1.109:/export/home/jmoekamp
Password:
newkey.pem           100% |*****************************|  1041       00:00

root@ca:~/junior# scp newkey.pem junior@client:/export/home/junior
Password:
newkey.pem           100% |*****************************|  1041       00:00
root@ca:~/junior# scp newcert.pem junior@client:/export/home/junior
Password:
newcert.pem          100% |*****************************|  3190       00:00
root@ca:~/junior# scp /etc/openssl/cacert.pem junior@192.168.1.104:/export/home/junior
Password:
cacert.pem           100% |*****************************|  3011       00:00

On the Server

root@server:~# ls
cacert.pem   newcert.pem  newkey.pem

root@server:~# pktool setpin
Enter token passphrase: changeme
Create new passphrase: superserversecret
Re-enter new passphrase: superserversecret
Passphrase changed.
root@server:~#

root@server:~# printf "superserversecret" > /etc/ssh/pinfile

root@server:~# kmfcfg create dbfile=/etc/ssh/policy.xml policy=ssh ta-name=search mapper-name=cn

root@server:~# echo "TrustedAnchorKeystore /etc/ssh/cert" >> /etc/ssh/sshd_config
root@server:~# echo "KMFPolicyDatabase /etc/ssh/policy.xml" >>  /etc/ssh/sshd_config
root@server:~# echo "KMFPolicyName ssh" >> /etc/ssh/sshd_config
root@server:~# echo "HostKey pkcs11:object=host;token=Sun Metaslot;pinfile=/etc/ssh/pinfile" >> /etc/ssh/sshd_config

root@server:~# pktool import keystore=pkcs11 infile=newkey.pem objtype=key label=host
Enter PIN for Sun Software PKCS#11 softtoken : superserversecret
Enter PEM pass phrase: supersecret2
Importing 1 keys

root@server:~# egrep -v "^ |^$|^Cert" /export/home/jmoekamp/cacert.pem > /etc/ssh/cert/cacert.cooked.pem
root@server:~# egrep -v "^ |^$|^Cert" newcert.pem > newcert.cooked.pem
root@server:~# pktool import keystore=pkcs11 infile=newcert.cooked.pem objtype=cert label=host
root@server:~#

On the client

junior@client:~$ ls *.pem
cacert.pem   newcert.pem  newkey.pem

root@client:~# kmfcfg create dbfile=/etc/ssh/policy.xml policy=ssh ta-name=search mapper-name=cn
root@client:~# egrep -v "^ |^$|^Cert" /export/home/junior/cacert.pem > /etc/ssh/cert/cacert.cooked.pem

junior@client:~$ pktool setpin
Enter token passphrase: changeme
Create new passphrase: superusersecret
Re-enter new passphrase: superusersecret
Passphrase changed.

junior@client:~$ pktool import keystore=pkcs11 infile=newkey.pem objtype=key label=user
Enter PIN for Sun Software PKCS#11 softtoken : superusersecret
Enter PEM pass phrase: supersecret3
Importing 1 keys
junior@client:~$ egrep -v "^ |^$|^Cert" newcert.pem > newcert.cooked.pem
junior@client:~$ pktool import keystore=pkcs11 infile=newcert.cooked.pem objtype=cert label=user

Testing it

root@server:~# svcadm disable ssh
root@server:~# svcadm enable ssh

junior@client:~$ cd .ssh
junior@client:~/.ssh$ printf "superusersecret" >> pinfile
junior@client:~/.ssh$ cat config
Host server-x509
    Hostname server
    TrustedAnchorKeystore /etc/ssh/cert
    KMFPolicyDatabase /etc/ssh/policy.xml
    KMFPolicyName ssh
    IdentityFile pkcs11:object=user;token=Sun Software PKCS#11 softtoken;pinfile=/export/home/junior/.ssh/pinfile

junior@client:~/.ssh$ ssh junior@server-x509
Last login: Thu Sep 26 20:07:14 2013 from client
Oracle Corporation      SunOS 5.11      11.1    September 2013
junior@server:~$

Find more information regarding this feature at http://www.c0t0d0s0.org/archives/7659-Using-X509-support-for-SSH-on-Solaris-11.1.html
OpenSCAP

"The Security Content Automation Protocol (SCAP) is a method for using specific standards to enable automated vulnerability management, measurement, and policy compliance evaluation (e.g., FISMA compliance). The National Vulnerability Database (NVD) is the U.S. government content repository for SCAP."
http://en.wikipedia.org/wiki/Security_Content_Automation_Protocol

ftp-banner.xml

<?xml version="1.0" encoding="UTF-8"?>
<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:independent-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd">
  <generator>
    <oval:product_name>Enhanced SCAP Editor</oval:product_name>
    <oval:product_version>0.0.11</oval:product_version>
    <oval:schema_version>5.8</oval:schema_version>
    <oval:timestamp>2012-10-11T10:33:25</oval:timestamp>
  </generator>
  <!--generated.oval.base.identifier=com.oracle.solaris11-->
  <definitions>
    <definition id="oval:com.oracle.solaris11:def:840" version="1" class="compliance">
      <metadata>
        <title>Enable a Warning Banner for the FTP Service</title>
        <affected family="unix">
          <platform>Oracle Solaris 11</platform>
        </affected>
        <description>/etc/proftpd.conf contains "DisplayConnect /etc/issue"</description>
      </metadata>
      <criteria operator="AND" negate="false" comment="Single test">
        <criterion comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;" test_ref="oval:com.oracle.solaris11:tst:8400" negate="false"/>
      </criteria>
    </definition>
  </definitions>
  <tests>
    <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:com.oracle.solaris11:tst:8400" version="1" check="all" comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;" check_existence="all_exist">
      <object object_ref="oval:com.oracle.solaris11:obj:8400"/>
    </textfilecontent54_test>
  </tests>
  <objects>
    <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:com.oracle.solaris11:obj:8400" version="1" comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;">
      <path datatype="string" operation="equals">/etc</path>
      <filename datatype="string" operation="equals">proftpd.conf</filename>
      <pattern datatype="string" operation="pattern match">^DisplayConnect\s+/etc/issue\s*$</pattern>
      <instance datatype="int" operation="greater than or equal">1</instance>
    </textfilecontent54_object>
  </objects>
</oval_definitions>

$ oscap oval eval ftp-banner.xml
Definition oval:com.oracle.solaris11:def:840: false
Evaluation done.

$ oscap oval eval --results results.xml --report report.html ftp-banner.xml
Definition oval:com.oracle.solaris11:def:840: false
Evaluation done.
OVAL Results are exported correctly.
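To make visible what the textfilecontent54_object in ftp-banner.xml actually decides, here is an added re-implementation of that single check in shell; it is not part of the slides, not OpenSCAP, and not Darren Moffat's content. It applies the path, filename, pattern and instance elements with grep and prints the same verdict line oscap printed above. The proftpd.conf it examines is constructed in a temporary directory.

```shell
#!/bin/sh
# Added example, not from the slides or OpenSCAP: the one OVAL check from
# ftp-banner.xml (textfilecontent54_object obj:8400) re-implemented with grep.

# oval_textfilecontent PATH FILENAME PATTERN MIN_INSTANCES
# Mirrors <path>, <filename>, <pattern operation="pattern match"> and
# <instance operation="greater than or equal">. Returns 0 (true) when the
# file exists and at least MIN_INSTANCES lines match PATTERN; a missing file
# is "false" because the test says check_existence="all_exist".
oval_textfilecontent() {
    file="$1/$2"
    [ -f "$file" ] || return 1
    n=$(grep -Ec "$3" "$file" || true)   # grep exits 1 on zero matches
    [ "$n" -ge "$4" ]
}

# The slide's pattern ^DisplayConnect\s+/etc/issue\s*$ written with POSIX
# classes, because \s is a GNU extension not every grep understands.
BANNER_PATTERN='^DisplayConnect[[:space:]]+/etc/issue[[:space:]]*$'

# eval_ftp_banner DIR -> the verdict line for def:840 against DIR/proftpd.conf
eval_ftp_banner() {
    if oval_textfilecontent "$1" proftpd.conf "$BANNER_PATTERN" 1; then
        echo "Definition oval:com.oracle.solaris11:def:840: true"
    else
        echo "Definition oval:com.oracle.solaris11:def:840: false"
    fi
}

# Demo on a constructed proftpd.conf: first without, then with the banner line
work=$(mktemp -d)
printf 'ServerName "FTP"\nPort 21\n' > "$work/proftpd.conf"
eval_ftp_banner "$work"
printf 'DisplayConnect /etc/issue\n' >> "$work/proftpd.conf"
eval_ftp_banner "$work"
rm -rf "$work"
```

The anchored pattern matters: a line such as "DisplayConnect /etc/issue.old" or a commented-out "#DisplayConnect /etc/issue" does not satisfy the check, which is the behaviour the OVAL definition asks for.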
To create your own OVAL files: Enhanced SCAP Content Editor

Find more information regarding this feature at https://blogs.oracle.com/darren/entry/compliance_reporting_with_scap
Sandboxing applications on Solaris 11.1

root@solaris:~# profiles -p "MySQL Service"
MySQL Service> set desc="Locking down the MySQL Service"
MySQL Service> add cmd=/lib/svc/method/mysql_51
MySQL Service:mysql_51> set privs=basic
MySQL Service:mysql_51> add privs={net_privaddr}:3306/tcp
MySQL Service:mysql_51> add privs={file_write}:/var/mysql/5.1/data/*
MySQL Service:mysql_51> add privs={file_write}:/tmp/mysql.sock
MySQL Service:mysql_51> add privs={file_write}:/var/tmp/ib*
MySQL Service:mysql_51> end
MySQL Service> set uid=mysql
MySQL Service> set gid=mysql
MySQL Service> exit
root@solaris:~#

root@solaris:~# svccfg -s mysql:version_51
svc:/application/database/mysql:version_51> setprop method_context/profile="MySQL Service"
svc:/application/database/mysql:version_51> setprop method_context/use_profile=true
svc:/application/database/mysql:version_51> refresh
svc:/application/database/mysql:version_51> exit

root@solaris:~# ipadm set-prop -p extra_priv_ports+=3306 tcp
root@solaris:~# ipadm show-prop -p extra_priv_ports tcp
PROTO PROPERTY         PERM CURRENT    PERSISTENT DEFAULT    POSSIBLE
tcp   extra_priv_ports rw   2049,4045, --         2049,4045  1-65535
                            3306

# svcadm enable mysql:version_51

root@solaris:~# ppriv $(pgrep mysql)
103697: /usr/mysql/5.1/bin/mysqld --basedir=/usr/mysql/5.1 --datadir=/var/mysq
flags = PRIV_XPOLICY
    Extended policies:
        {net_privaddr}:3306/tcp
        {file_write}:/var/mysql/5.1/data/*
        {file_write}:/tmp/mysql.sock
        {file_write}:/var/tmp/ib*
        E: basic,!file_write
        I: basic,!file_write
        P: basic,!file_write
        L: all
103609: /bin/sh /usr/mysql/5.1/bin/mysqld_safe --user=mysql --datadir=/var/mys
flags = PRIV_XPOLICY
    Extended policies:
        {net_privaddr}:3306/tcp
        {file_write}:/var/mysql/5.1/data/*
        {file_write}:/tmp/mysql.sock
        {file_write}:/var/tmp/ib*
        E: basic,!file_write
        I: basic,!file_write
        P: basic,!file_write
        L: all

Find more information regarding this feature at https://blogs.oracle.com/gfaden/entry/oracle_solaris_extended_policy_and
Passwords

root@client:/etc/security# cat /etc/security/crypt.conf
#
# Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
#ident  "%Z%%M% %I%     %E% SMI"
#
# The algorithm name __unix__ is reserved.

1       crypt_bsdmd5.so.1
2a      crypt_bsdbf.so.1
md5     crypt_sunmd5.so.1
5       crypt_sha256.so.1
6       crypt_sha512.so.1

root@client:/etc/security# cat /etc/security/policy.conf | egrep ^CRYPT_DEFAULT
CRYPT_DEFAULT=5
root@client:/etc/security# cat /etc/shadow | grep junior
junior:$5$4aKvDFqA$2kL8GpuXjrdf8XpanqhylEP5lDhy1DF5uo1ZYx74f31:15929::::::

root@client:/etc/security# cat /etc/default/passwd | grep -v "^# " | egrep -v "^$|^#$"
#ident  "%Z%%M% %I%     %E% SMI"
MAXWEEKS=
MINWEEKS=
PASSLENGTH=6
NAMECHECK=NO
HISTORY=0
MINDIFF=3
MINALPHA=2
MINNONALPHA=1
MINUPPER=0
MINLOWER=0
MAXREPEATS=0
MINSPECIAL=0
MINDIGIT=0
WHITESPACE=YES
DICTIONLIST=
DICTIONDBDIR=/var/passwd

root@client:~# mkpwdict -s /usr/share/lib/dict/words
mkpwdict: using default database location: /var/passwd.
or
root@client:~# mkpwdict -s /usr/share/lib/dict/words -d /var/passwd
c0t0d0s0org23
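The rules above can be tried against candidate passwords without touching the system. The checker below is an added example, not code from this deck or from Solaris: it implements the documented meaning of the keywords printed from /etc/default/passwd above. It assumes that MINDIFF counts the character positions in which old and new password differ (a length difference counts as differing positions), treats a reversed dictionary word as a dictionary hit, and uses a constructed word list in place of the mkpwdict database.

```python
"""Offline checker for the /etc/default/passwd rules shown above.

Added example; it is not code from the deck or from Solaris. It
re-implements the documented meaning of PASSLENGTH, NAMECHECK, MINDIFF,
MINALPHA, MINNONALPHA, MINUPPER, MINLOWER, MINDIGIT, MINSPECIAL,
MAXREPEATS, WHITESPACE and the dictionary check so a policy can be tried
against candidate passwords before it is rolled out. Assumptions: MINDIFF
is counted as positions in which old and new differ (a length difference
counts as differing positions) and the dictionary check also rejects the
reversed word; the word list below is a constructed stand-in for the
database mkpwdict builds.
"""
from __future__ import annotations

# Values as printed by `cat /etc/default/passwd` on the slide.
POLICY_TEXT = """
PASSLENGTH=6
NAMECHECK=NO
HISTORY=0
MINDIFF=3
MINALPHA=2
MINNONALPHA=1
MINUPPER=0
MINLOWER=0
MAXREPEATS=0
MINSPECIAL=0
MINDIGIT=0
WHITESPACE=YES
DICTIONDBDIR=/var/passwd
"""

# Constructed stand-in for the mkpwdict database.
DICTIONARY = frozenset({"password", "solaris", "breakfast", "oracle"})


def parse_policy(text: str) -> dict[str, str]:
    """KEY=VALUE lines into a dict; comments and blank lines are skipped."""
    policy: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        policy[key.strip()] = value.strip()
    return policy


def _num(policy: dict[str, str], key: str) -> int:
    """Numeric keyword; an empty value (like MAXWEEKS=) means 'not set'."""
    value = policy.get(key, "")
    return int(value) if value else 0


def _differing_positions(new: str, old: str) -> int:
    width = max(len(new), len(old))
    return sum(1 for i in range(width)
               if i >= len(new) or i >= len(old) or new[i] != old[i])


def _longest_run(s: str) -> int:
    """Length of the longest run of one repeated character."""
    best = run = 0
    for i, ch in enumerate(s):
        run = run + 1 if i and s[i - 1] == ch else 1
        best = max(best, run)
    return best


def check_password(new: str, old: str, user: str, policy: dict[str, str],
                   dictionary: frozenset[str] = DICTIONARY) -> list[str]:
    """Return the keywords the candidate violates; an empty list means accepted."""
    alpha = sum(c.isalpha() for c in new)
    counts = {
        "MINALPHA": alpha,
        "MINNONALPHA": len(new) - alpha,
        "MINUPPER": sum(c.isupper() for c in new),
        "MINLOWER": sum(c.islower() for c in new),
        "MINDIGIT": sum(c.isdigit() for c in new),
        "MINSPECIAL": sum(not c.isalnum() and not c.isspace() for c in new),
    }
    violations: list[str] = []
    if len(new) < _num(policy, "PASSLENGTH"):
        violations.append("PASSLENGTH")
    if policy.get("NAMECHECK", "NO").upper() == "YES" and new.lower() == user.lower():
        violations.append("NAMECHECK")
    if old and _differing_positions(new, old) < _num(policy, "MINDIFF"):
        violations.append("MINDIFF")
    for key, have in counts.items():
        if have < _num(policy, key):
            violations.append(key)
    max_repeats = _num(policy, "MAXREPEATS")   # 0 disables the check
    if max_repeats and _longest_run(new) > max_repeats:
        violations.append("MAXREPEATS")
    if policy.get("WHITESPACE", "YES").upper() == "NO" and any(c.isspace() for c in new):
        violations.append("WHITESPACE")
    # Like passwd(1), only consult the dictionary when a database is configured.
    if policy.get("DICTIONDBDIR"):
        word = new.lower()
        if word in dictionary or word[::-1] in dictionary:
            violations.append("DICTIONARY")
    return violations


POLICY = parse_policy(POLICY_TEXT)

if __name__ == "__main__":
    for candidate in ("breakfast", "tsafkaerb", "Br3akf4st!"):
        result = check_password(candidate, "breakfast", "junior", POLICY)
        print(f"{candidate!r}: {result or 'accepted'}")
```

check_password returns the names of the violated keywords, so a stricter policy can be tried as dict(POLICY, MAXREPEATS="2", WHITESPACE="NO") before it goes into /etc/default/passwd. Note that with MAXWEEKS left empty, as on the slide, passwords never expire.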
Address Space Layout Randomization
root@solaris:~# sxadm exec -s aslr=disable /usr/bin/pmap self
1914:   /usr/bin/pmap self
0000000000400000      28K r-x--  /usr/bin/pmap
0000000000417000       4K rw---  /usr/bin/pmap
0000000000418000      40K rw---    [ heap ]
FFFF80FFBDDD0000     216K r-x--  /lib/amd64/libproc.so.1
FFFF80FFBDE16000       8K rw---  /lib/amd64/libproc.so.1
FFFF80FFBF430000    1764K r-x--  /lib/amd64/libc.so.1
FFFF80FFBF5F9000      64K rw---  /lib/amd64/libc.so.1
FFFF80FFBF609000      12K rw---  /lib/amd64/libc.so.1
FFFF80FFBF740000       4K rw---    [ anon ]
FFFF80FFBF750000      24K rwx--    [ anon ]
FFFF80FFBF760000       4K rw---    [ anon ]
FFFF80FFBF770000       4K rw---    [ anon ]
FFFF80FFBF780000       4K rw---    [ anon ]
FFFF80FFBF790000       4K rw---    [ anon ]
FFFF80FFBF792000       4K r--s-    [ anon ]
FFFF80FFBF795000     340K r-x--  /lib/amd64/ld.so.1
FFFF80FFBF7FA000      12K rwx--  /lib/amd64/ld.so.1
FFFF80FFBF7FD000       8K rwx--  /lib/amd64/ld.so.1
FFFF80FFBFFFD000      12K rw---    [ stack ]
 total            2556K

root@solaris:~# sxadm exec -s aslr=disable /usr/bin/pmap self
1915:   /usr/bin/pmap self
(the mapping of pid 1915 is identical to the one of pid 1914 above, address for address: with ASLR disabled every run gets the same layout)

root@solaris:~# sxadm exec -s aslr=enable /usr/bin/pmap self
1917:   /usr/bin/pmap self
0000000000400000      28K r-x--  /usr/bin/pmap
0000000000417000       4K rw---  /usr/bin/pmap
0000000000418000       8K rw---  /usr/bin/pmap
00000005D6666000      36K rw---    [ heap ]
00007FF669C70000     216K r-x--  /lib/amd64/libproc.so.1
00007FF669CB6000       8K rw---  /lib/amd64/libproc.so.1
00007FF669CC0000       4K rw---    [ anon ]
00007FF669CD0000      24K rwx--    [ anon ]
00007FF669CE0000       4K rw---    [ anon ]
00007FF669CF0000    1764K r-x--  /lib/amd64/libc.so.1
00007FF669EB9000      64K rw---  /lib/amd64/libc.so.1
00007FF669EC9000      12K rw---  /lib/amd64/libc.so.1
00007FF669ED0000       4K rw---    [ anon ]
00007FF669EE0000       4K rw---    [ anon ]
00007FF669EF0000       4K rw---    [ anon ]
00007FF669EF2000       4K r--s-    [ anon ]
00007FF669EFC000     340K r-x--  /lib/amd64/ld.so.1
00007FF669F61000      12K rwx--  /lib/amd64/ld.so.1
00007FF669F64000       8K rwx--  /lib/amd64/ld.so.1
FFFF80DDA254F000      16K rw---    [ stack ]
 total            2564K

root@solaris:~# sxadm exec -s aslr=enable /usr/bin/pmap self
1918:   /usr/bin/pmap self
0000000000400000      28K r-x--  /usr/bin/pmap
0000000000417000       4K rw---  /usr/bin/pmap
0000000000418000       8K rw---  /usr/bin/pmap
000000065B76D000      36K rw---    [ heap ]
00007FFAACFC0000     216K r-x--  /lib/amd64/libproc.so.1
00007FFAAD006000       8K rw---  /lib/amd64/libproc.so.1
00007FFAAD010000       4K rw---    [ anon ]
00007FFAAD020000      24K rwx--    [ anon ]
00007FFAAD030000       4K rw---    [ anon ]
00007FFAAD040000    1764K r-x--  /lib/amd64/libc.so.1
00007FFAAD209000      64K rw---  /lib/amd64/libc.so.1
00007FFAAD219000      12K rw---  /lib/amd64/libc.so.1
00007FFAAD220000       4K rw---    [ anon ]
00007FFAAD230000       4K rw---    [ anon ]
00007FFAAD240000       4K rw---    [ anon ]
00007FFAAD242000       4K r--s-    [ anon ]
00007FFAAD24D000     340K r-x--  /lib/amd64/ld.so.1
00007FFAAD2B2000      12K rwx--  /lib/amd64/ld.so.1
00007FFAAD2B5000       8K rwx--  /lib/amd64/ld.so.1
FFFF80DE1559E000      12K rw---    [ stack ]

With ASLR enabled the heap, the library mappings and the stack sit at different addresses in pids 1917 and 1918. The text of /usr/bin/pmap itself stays at 0x400000 in both runs, because that binary is not position independent; what ASLR moves here is heap, mmap regions and stack.
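To verify that ASLR is in effect without reading addresses by eye, compare the object bases of two runs. The script below is an added example, not part of the deck; its four listings are constructed from the pmap runs above (same addresses, trimmed to one mapping per object) and it judges ASLR effective when everything except the main executable moved, since /usr/bin/pmap is not position independent and stays at 0x400000 either way.

```python
"""Diff two pmap(1) listings to see which mappings ASLR actually moved.

Added example, not part of the deck: a check for any two pmap outputs of
the same program. The four listings are constructed from the runs on the
preceding slides, trimmed to one mapping per object but with the same
addresses as shown there.
"""
from __future__ import annotations

import re

# "FFFF80FFBF430000    1764K r-x--  /lib/amd64/libc.so.1"
_MAPPING = re.compile(r"^([0-9A-Fa-f]{8,16})\s+(\d+)K\s+(\S+)\s+(.+?)\s*$")
# "1914:   /usr/bin/pmap self"
_HEADER = re.compile(r"^(\d+):\s+(\S+)")

ASLR_OFF_1914 = """\
1914:   /usr/bin/pmap self
0000000000400000      28K r-x--  /usr/bin/pmap
0000000000418000      40K rw---    [ heap ]
FFFF80FFBDDD0000     216K r-x--  /lib/amd64/libproc.so.1
FFFF80FFBF430000    1764K r-x--  /lib/amd64/libc.so.1
FFFF80FFBF750000      24K rwx--    [ anon ]
FFFF80FFBF795000     340K r-x--  /lib/amd64/ld.so.1
FFFF80FFBFFFD000      12K rw---    [ stack ]
 total            2556K
"""
ASLR_OFF_1915 = ASLR_OFF_1914.replace("1914:", "1915:")  # second run: identical layout
ASLR_ON_1917 = """\
1917:   /usr/bin/pmap self
0000000000400000      28K r-x--  /usr/bin/pmap
00000005D6666000      36K rw---    [ heap ]
00007FF669C70000     216K r-x--  /lib/amd64/libproc.so.1
00007FF669CD0000      24K rwx--    [ anon ]
00007FF669CF0000    1764K r-x--  /lib/amd64/libc.so.1
00007FF669EFC000     340K r-x--  /lib/amd64/ld.so.1
FFFF80DDA254F000      16K rw---    [ stack ]
 total            2564K
"""
ASLR_ON_1918 = """\
1918:   /usr/bin/pmap self
0000000000400000      28K r-x--  /usr/bin/pmap
000000065B76D000      36K rw---    [ heap ]
00007FFAACFC0000     216K r-x--  /lib/amd64/libproc.so.1
00007FFAAD020000      24K rwx--    [ anon ]
00007FFAAD040000    1764K r-x--  /lib/amd64/libc.so.1
00007FFAAD24D000     340K r-x--  /lib/amd64/ld.so.1
FFFF80DE1559E000      12K rw---    [ stack ]
"""


def main_executable(text: str) -> str | None:
    """Path of the traced program, taken from the 'pid: command' header."""
    for line in text.splitlines():
        m = _HEADER.match(line.strip())
        if m:
            return m.group(2)
    return None


def object_bases(text: str) -> dict[str, int]:
    """Map each named object (and [ heap ] / [ stack ]) to the start address
    of its first mapping. Anonymous regions are skipped: they cannot be
    paired between runs once their order changes."""
    bases: dict[str, int] = {}
    for line in text.splitlines():
        m = _MAPPING.match(line.strip())
        if not m:
            continue
        start, _size, _perms, name = m.groups()
        if name == "[ anon ]":
            continue
        bases.setdefault(name, int(start, 16))
    return bases


def moved_objects(run_a: str, run_b: str) -> dict[str, bool]:
    """True for every object whose base address differs between the runs."""
    a, b = object_bases(run_a), object_bases(run_b)
    return {name: a[name] != b[name] for name in sorted(a.keys() & b.keys())}


def aslr_effective(run_a: str, run_b: str) -> bool:
    """ASLR is judged effective when everything except the (non-PIE) main
    executable moved: heap, stack and every shared object."""
    exe = main_executable(run_a)
    moved = moved_objects(run_a, run_b)
    others = [moved[name] for name in moved if name != exe]
    return bool(others) and all(others)


if __name__ == "__main__":
    for label, a, b in (("aslr=disable", ASLR_OFF_1914, ASLR_OFF_1915),
                        ("aslr=enable", ASLR_ON_1917, ASLR_ON_1918)):
        print(label, "effective" if aslr_effective(a, b) else "NOT effective")
        for name, moved in moved_objects(a, b).items():
            print(f"  {name:28} {'moved' if moved else 'fixed'}")
```

Feed it `pmap <pid>` output from two fresh starts of the same service; a library or the stack reporting "fixed" under aslr=enable is worth a look at the binary's SUNW_ASLR tag and the sxadm model in use.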
root@solaris:~# sxadm info
EXTENSION           STATUS                        CONFIGURATION
aslr                enabled (tagged-files)        system default (default)

root@solaris:~# elfdump -d /usr/bin/pmap | grep ASLR
      [33]  SUNW_ASLR         0x2                 ENABLE
root@solaris:~# elfedit -e 'dyn:sunw_aslr disable' /usr/bin/pmap
root@solaris:~# elfdump -d /usr/bin/pmap | grep ASLR
      [33]  SUNW_ASLR         0x1                 DISABLE

In the default "tagged-files" model only binaries that carry the SUNW_ASLR ENABLE dynamic tag are randomized, and elfedit can flip that tag per binary (for programs that do not tolerate a randomized layout).

root@solaris:~# sxadm enable -c model=all aslr
root@solaris:~# sxadm info
EXTENSION           STATUS                        CONFIGURATION
aslr                enabled (all)                 enabled (all)

root@solaris:~# sxadm disable aslr
root@solaris:~# sxadm info
EXTENSION           STATUS                        CONFIGURATION
aslr                disabled                      disabled

root@solaris:~# sxadm enable -c model=tagged-files aslr
root@solaris:~# sxadm info
EXTENSION           STATUS                        CONFIGURATION
aslr                enabled (tagged-files)        enabled (tagged-files)

model=all randomizes every process, except binaries explicitly tagged DISABLE; model=tagged-files goes back to the opt-in behaviour.
pfedit
root@template:/etc/apache2/2.2# profiles -p "httpd edit"
profiles:httpd edit> set auths=solaris.admin.edit/etc/apache2/2.2/httpd.conf
profiles:httpd edit> set desc="Edit httpd"
profiles:httpd edit> exit

root@template:/etc/apache2/2.2# usermod -P +"httpd edit" junior

junior@template:~$ profiles
httpd edit
Basic Solaris User
All

junior@template:~$ vi /etc/apache2/2.2/httpd.conf

junior@template:~$ pfedit /etc/apache2/2.2/httpd.conf
pfedit: /etc/apache2/2.2/httpd.conf has been updated.

junior@template:~$ pfedit /etc/apache2/2.2/mime.types
pfedit: User junior is not authorized to edit the file /etc/apache2/2.2/mime.types

The authorization pfedit checks is solaris.admin.edit/ followed by the full path of the file, so edit rights are granted file by file. junior has it for httpd.conf but not for mime.types.

root@template:/etc/apache2/2.2# profiles -p "httpd edit"
profiles:httpd edit> info
        name=httpd edit
        desc=Edit httpd
        auths=solaris.admin.edit/etc/apache2/2.2/httpd.conf
profiles:httpd edit> add auths=solaris.admin.edit/etc/apache2/2.2/mime.types

junior@template:~$ pfedit /etc/apache2/2.2/mime.types
pfedit: no changes for /etc/apache2/2.2/mime.types

# profiles -p "httpd configure"
profiles:httpd configure> add always_audit=as
profiles:httpd configure> info
        name=httpd configure
        desc=Configure httpd
        auths=solaris.admin.edit/etc/apache2/2.2/httpd.conf,solaris.admin.edit/etc/apache2/2.2/mime.types
        always_audit=as
        never_audit=no
profiles:httpd configure> exit
root@template:~#

always_audit=as switches on the system-wide administration audit class for users of this profile, whatever the system-wide flags are; the pfedit event belongs to that class.

root@template:~# auditreduce -c as | praudit
[...]
header,486,2,edit administrative file,,fe80::a00:27ff:fea6:33cb,2013-08-12 07:45:52.306 +00:00
subject,junior,junior,staff,junior,staff,4212,4474671,66369 136704 MacBook-Pro-of-c0t0d0s0.fritz.box
path,/etc/apache2/2.2/httpd.conf
use of authorization,solaris.admin.edit/etc/apache2/2.2/httpd.conf
text,--- /etc/apache2/2.2/httpd.conf    Mo Aug 12 07:45:00 2013
+++ /etc/apache2/2.2/httpd.conf.pfedit.1BaGoi  Mo Aug 12 07:45:52 2013
@@ -1,5 +1,6 @@
 # Test
 # Test 2
+# Test 3
 #
 # This is the main Apache HTTP server configuration file.  It contains the
 # configuration directives that give the server its instructions.
return,success,0

The audit record does not just say that junior edited the file: the text token carries the diff of what was changed.
Delegating privilege to restart services (so you can keep the root password)

junior@template:~$ svcadm refresh apache22
svcadm: svc:/network/http:apache22: Permission denied.

# svcs -a | grep apache22
online         15:30:29 svc:/network/http:apache22

# auths add -t "Apache22 value" solaris.smf.value.http/apache22
# auths add -t "Apache22 action" solaris.smf.action.http/apache22

# svccfg -s apache22 setprop general/value_authorization = astring: solaris.smf.value.http/apache22
# svccfg -s apache22 setprop general/action_authorization = astring: solaris.smf.action.http/apache22

# profiles -p "httpd edit" "add auths=solaris.smf.action.http/apache22"

junior@template:~$ svcadm refresh apache22
junior@template:~$

action_authorization covers the svcadm actions on this one service (refresh, restart, temporary enable and disable); value_authorization would additionally allow changing the service's property values. Neither hands out solaris.smf.manage for other services, and the root password stays where it is.
Privileges
$ ls -l /usr/sbin/traceroute
-r-sr-xr-x   1 root     bin        42324 Nov 21 00:09 /usr/sbin/traceroute
$ ls -l /usr/sbin/ping
-r-sr-xr-x   1 root     bin        51396 Nov 18 19:31 /usr/sbin/ping
Set-uid to root: ping needs it to work (it opens a raw socket).

# chmod -s /usr/sbin/ping
# exit
$ ping -s 192.168.1.132
ping: socket Permission denied
Remove the set-uid bit and ping stops working.

jmoekamp@daddelkiste:~$ ppriv $$
2153:   -bash
flags = <none>
        E: basic
        I: basic
        P: basic
        L: all

The complete set of privileges ("all") on this system:
contract_event, contract_identity, contract_observer, cpc_cpu, dtrace_kernel, dtrace_proc, dtrace_user, file_chown, file_chown_self, file_dac_execute, file_dac_read, file_dac_search, file_dac_write, file_downgrade_sl, file_flag_set, file_link_any, file_owner, file_read, file_setid, file_upgrade_sl, file_write, graphics_access, graphics_map, ipc_dac_read, ipc_dac_write, ipc_owner, net_access, net_bindmlp, net_icmpaccess, net_mac_aware, net_mac_implicit, net_observability, net_privaddr, net_rawaccess, proc_audit, proc_chroot, proc_clock_highres, proc_exec, proc_fork, proc_info, proc_lock_memory, proc_owner, proc_priocntl, proc_session, proc_setid, proc_taskid, proc_zone, sys_acct, sys_admin, sys_audit, sys_config, sys_devices, sys_dl_config, sys_flow_config, sys_ib_config, sys_ib_info, sys_ip_config, sys_ipc_config, sys_iptun_config, sys_linkdir, sys_mount, sys_net_config, sys_nfs, sys_ppp_config, sys_res_bind, sys_res_config, sys_resource, sys_share, sys_smb, sys_suser_compat, sys_time, sys_trans_label, win_colormap, win_config, win_dac_read, win_dac_write, win_devices, win_dga, win_downgrade_sl, win_fontpath, win_mac_read, win_mac_write, win_selection, win_upgrade_sl

All privileges in their entirety assigned to one user are (almost)

Neat extension in Solaris 11: the ability to use networking is now a privilege (net_access). It is part of the default basic set, but you can remove it.

jmoekamp@daddelkiste:~$ ppriv -v $$
2153:   -bash
flags = <none>
        E: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
        I: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
        P: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
        L: contract_event,contract_identity,... (the complete list above)

root@daddelkiste:~# ppriv $$
2183:   -bash
flags = <none>
        E: all
        I: basic
        P: all
        L: all

junior@daddelkiste:~$ dtrace -n 'syscall:::entry { @num[execname] = count(); }'
dtrace: failed to initialize dtrace: DTrace requires additional privileges

root@daddelkiste:~# usermod -K defaultpriv=basic,dtrace_kernel,dtrace_proc,dtrace_user junior
UX: usermod: junior is currently logged in, some changes may not take effect until next login.

junior@daddelkiste:~$ dtrace -n 'syscall:::entry { @num[execname] = count(); }'
dtrace: description 'syscall:::entry' matched 211 probes
^C
  automountd          1
  sshd               24
  dtrace            544
  auditd            564

# ps -ef | grep kcfd
  daemon   125     1   0 14:24:19 ?           0:00 /usr/lib/crypto/kcfd
    root   734   728   0 15:54:08 pts/1       0:00 grep kcfd
# ppriv -v 125
125:    /usr/lib/crypto/kcfd
flags = PRIV_AWARE
        E: file_owner,proc_priocntl,sys_devices
        I: none
        P: file_owner,proc_priocntl,sys_devices
        L: none

kcfd is privilege-aware: it runs with exactly three privileges and an empty limit set, so nothing it might exec can ever gain more than that.

# svcadm -v enable -s apache2
svc:/network/http:apache2 enabled.

jmoekamp@client:~$ ps -ef | grep http
webservd  1978  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1979  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1980  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1984  1975   0 12:20:02 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
    root  1975     1   0 12:19:14 ?           0:01 /usr/apache2/2.2/bin/httpd -k start
webservd  1977  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1976  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start

root@client:~# ppriv 1977
1977:   /usr/apache2/2.2/bin/httpd -k start
flags = <none>
        E: basic
        I: basic
        P: basic
        L: all
root@client:~# ppriv 1975
1975:   /usr/apache2/2.2/bin/httpd -k start
flags = <none>
        E: all
        I: basic
        P: all
        L: all
root@client:~#

The apache parent process, running as root, has all privileges (the complete list above).
The other processes (the webservd workers) have the basic set.
Apache really needs only a handful of them: basic minus a few, plus net_privaddr to bind port 80 (see the start/privileges setting below).
So you grant a large number of privileges to one process that Apache doesn't need.

# svcadm -v disable -s apache2
svc:/network/http:apache2 disabled.

root@client:~# svccfg -s apache22
svc:/network/http:apache22> setprop start/user = astring: webservd
svc:/network/http:apache22> setprop start/group = astring: webservd
svc:/network/http:apache22> setprop start/privileges = astring: basic,!proc_session,!proc_info,!file_link_any,net_privaddr
svc:/network/http:apache22> setprop start/limit_privileges = astring: :default
svc:/network/http:apache22> setprop start/use_profile = boolean: false
svc:/network/http:apache22> setprop start/supp_groups = astring: :default
svc:/network/http:apache22> setprop start/working_directory = astring: :default
svc:/network/http:apache22> setprop start/project = astring: :default
svc:/network/http:apache22> setprop start/resource_pool = astring: :default
svc:/network/http:apache22> end
root@client:~# svcadm -v refresh apache22
Action refresh set for svc:/network/http:apache22.

# echo "LockFile /var/apache2/2.2/logs/accept.lock" >> /etc/apache2/2.2/httpd.conf
# echo "PidFile /var/apache2/2.2/run/httpd.pid" >> /etc/apache2/2.2/httpd.conf
# mkdir -p -m 755 /var/apache2/2.2/run
# chown webservd:webservd /var/apache2/2.2/run
# svcadm enable apache22

webservd  3064  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3062  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3063  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3066  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3061     1   0 16:49:17 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3065  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start

The start method now runs as webservd from the beginning, with basic minus proc_session, proc_info and file_link_any, plus net_privaddr for port 80. Even the parent (pid 3061) never holds root's privileges; LockFile and PidFile are moved to a directory webservd can write to.
Read-only zone root

zonecfg:testzone> set file-mac-profile=none
    Standard read-write non-global zone with no additional protection beyond the existing zone boundaries.

zonecfg:testzone> set file-mac-profile=strict
    Read-only file system, no exceptions.

zonecfg:testzone> set file-mac-profile=fixed-configuration
    Permits updates to /var/* directories, with the exception of directories that contain system configuration components.

zonecfg:testzone> set file-mac-profile=flexible-configuration
    Permits modification of files in /etc/* directories, changes to root's home directory, and updates to /var/* directories. This configuration provides the closest functionality to the Oracle Solaris 10 native sparse root zone.
in-kernel SSL proxy

# mkdir /etc/keys
# cd /etc/keys
# openssl req -x509 -nodes -days 365 -subj "/C=DE/ST=Hamburg/L=Hamburg/CN=server" -newkey rsa:1024 -keyout /etc/keys/mykey.pem -out /etc/keys/mycert.pem
# cat mycert.pem mykey.pem > my.pem
# chmod 600 my.pem

# echo "pass" > /etc/keys/mypass
# ksslcfg create -f pem -i /etc/keys/my.pem -x 8080 -p /etc/keys/mypass server 443

# ksslcfg create -f pem -i /etc/keys/my.pem -x 8080 -p /etc/keys/mypass -c "rsa_aes_256_cbc_sha,rsa_aes_128_cbc_sha,rsa_rc4_128_sha,rsa_rc4_128_md5" server 443

The -c option pins the cipher suites the kernel proxy offers. This demo dates from 2009: today RC4 (prohibited for TLS by RFC 7465) and MD5-based suites should be left out of that list, and the key should be rsa:2048 or larger rather than rsa:1024.

# svcs -a | grep kssl
online          9:03:33 svc:/network/ssl/proxy:kssl-server-443

# svcadm disable apache22
# echo "Listen 192.168.178.108:8080" >> /etc/apache2/2.2/httpd.conf
# svcadm enable apache22

Port number and IP address have to be defined in httpd.conf, otherwise it will not work: the kernel terminates TLS on 443 and forwards the cleartext to the proxy port (8080) on the same address, so Apache must listen exactly there.

# openssl s_client -connect server:443
CONNECTED(00000004)
depth=0 /C=DE/ST=Hamburg/L=Hamburg/CN=server
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=DE/ST=Hamburg/L=Hamburg/CN=server
verify return:1
---
Certificate chain
 0 s:/C=DE/ST=Hamburg/L=Hamburg/CN=server
   i:/C=DE/ST=Hamburg/L=Hamburg/CN=server
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICoTCCAgqgAwIBAgIJAKyJdj[...]V5jX3MU=
-----END CERTIFICATE-----
subject=/C=DE/ST=Hamburg/L=Hamburg/CN=server
issuer=/C=DE/ST=Hamburg/L=Hamburg/CN=server
---
No client certificate CA names sent
---
SSL handshake has read 817 bytes and written 328 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-SHA
    Session-ID: 32CEF20CB9FE2A71C74D40BB2DB5CB304DA1B57540B7CFDD113915B99DBE9812
    Session-ID-ctx:
    Master-Key: 1E7B502390951124779C5763B5E4BBAF0A9B0693D08DCA8A587B503A5C5027B6FAD9CA7626B1AD8C62219E8502A5C21E
    Key-Arg   : None
    Start Time: 1242985143
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
GET / HTTP/1.0

HTTP/1.1 200 OK
Date: Fri, 22 May 2009 09:39:13 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8a DAV/2
Last-Modified: Thu, 21 May 2009 21:26:30 GMT
ETag: "341f3-2c-46a72cc211a8f"
Accept-Ranges: bytes
Content-Length: 44
Connection: close
Content-Type: text/html

<html><body><h1>It works!</h1></body></html>
read:errno=0

Apache itself never saw a TLS handshake here; the session was negotiated by the kernel proxy, which is why the Server header shows a plain Apache.
ZFS Encryption

# zfs create -o encryption=on rpool/export/project

Two keys are involved:
- the wrapping key (user settable; obtained via keysource=prompt, file, https or pkcs11)
- the data encryption key (random, not user settable; stored wrapped by the wrapping key)

Available algorithms: aes-128-ccm (= on), aes-192-ccm, aes-256-ccm, aes-128-gcm, aes-192-gcm, aes-256-gcm

# zfs set checksum=sha256+mac <dataset>
If encryption is not off, something like this happens automatically: the checksum property switches to the authenticated variant and is read-only from then on.

# pktool genkey keystore=pkcs11 keytype=aes keylen=128 label=mykey
Enter PIN for Sun Software PKCS#11 softtoken:
# zfs create -o encryption=on -o keysource=raw,pkcs11:object=mykey tank/project/C
Enter PKCS#11 token PIN for 'tank/project/C':

# zfs create -o encryption=on -o keysource=raw,https://keys.example.com/mykey tank/project/R
# cp my-server-cert.pem /etc/certs/CA/
# svcadm refresh ca-certificates
(the key server's certificate has to be trusted by the system CA store, otherwise the https keysource is refused)

$ zfs key -c rpool/export/project
Enter new passphrase for 'rpool/export/project':
Changing the wrapping key. The data key, and therefore the data on disk, stays as it is; only the wrapper around the data key is rewritten.

# zfs key -K tank/project/A
# zfs clone -K tank/project/A@montag tank/project/D
Changing the encryption key for data written from now on.
Creates a new data encryption key. Data written in the clone uses the new data encryption key, which is distinct from the one of its original snapshot.
Solaris Cryptographic Framework

As soon as Solaris detects hardware acceleration for cryptography, Solaris will use it (and so do applications using the Oracle-supplied OpenSSL library or the framework's direct interfaces):
- on-chip crypto accelerator in T-series and current M-series chips
- instruction set extensions in Intel processors (AES-NI)
- supported crypto accelerator cards

Just a side note: T-series crypto acceleration and Intel x86 acceleration have pretty different performance characteristics.
T-series: acceleration by offloading crypto outside the pipeline.
Intel x86: acceleration by offering special in-pipeline instructions to accelerate execution.
Sounds like splitting hairs
Using ZFS to do two-factor encryption

jmoekamp@solaris:~$ rmformat
Looking for devices...
     1. Logical Node: /dev/rdsk/c10t0d0p0
        Physical Node: /pci@0,0/pci8086,265c@b/storage@2/disk@0,0
        Connected Device: SanDisk  U3 Cruzer Micro  8.02
        Device Type: Removable
        Bus: USB
        Size: 3.8 GB
        Label:
        Access permissions: Medium is not write protected.
(...)
     3. Logical Node: /dev/rdsk/c9t0d0p0
        Physical Node: /pci@0,0/pci8086,265c@b/storage@1/disk@0,0
        Connected Device: SanDisk  U3 Cruzer Micro  8.02
        Device Type: Removable
        Bus: USB
        Size: 3.8 GB
        Label:
        Access permissions: Medium is not write protected.

root@solaris:~# zpool create a_keystore_usbstick /dev/dsk/c10t0d0p0
root@solaris:~# zpool create datastick /dev/dsk/c9t0d0p0

root@solaris:~# zfs create -o encryption=on a_keystore_usbstick/keys
Enter passphrase for 'a_keystore_usbstick/keys': supersecret
Enter again: supersecret

root@solaris:~# pktool genkey keystore=file keytype=aes keylen=128 outkey=/a_keystore_usbstick/keys/joergsdatastickkey

root@solaris:~# zfs create -o encryption=on -o keysource=raw,file:///a_keystore_usbstick/keys/joergsdatastickkey datastick/joergssecrets

root@solaris:/datastick/joergssecrets# mv /home/jmoekamp/highlyconfidential_nda_preso.tgz .

root@solaris:~# zpool export a_keystore_usbstick
root@solaris:~# zpool export datastick

root@solaris:~# zpool import a_keystore_usbstick
Enter passphrase for 'a_keystore_usbstick/keys': supersecret
root@solaris:~#

root@solaris:~# zpool import datastick
root@solaris:~# cd /datastick/joergssecrets
root@solaris:/datastick/joergssecrets# ls
highlyconfidential_nda_preso.tgz

The data stick's wrapping key is a raw key file that lives on the second stick, inside a dataset protected by a passphrase. Reading the data therefore needs both: possession of the keystore stick and knowledge of its passphrase. The keystore pool has to be imported first, because the keysource file must be readable when datastick's dataset is mounted.
Basic Auditing and Reporting Tool

# mkdir /bart-files
# bart create -R /etc > /bart-files/etc.control.manifest

# cat etc.control.manifest | grep nsswitch.nisplus
/nsswitch.nisplus F 2525 100644 user::rw-,group::r--,mask:r--,other:r-- 473976b5 0 3 79e8fd689a5221d1cd059e5077da71b8

(fields: path, type, size, mode, ACL, mtime, uid, gid, content hash)

# touch /etc/thisisjustatest
# chmod 777 /etc/nsswitch.files
# echo "just a test" >> /etc/nsswitch.nisplus

# bart create -R /etc > /bart-files/etc.check.20130911.manifest

# cd /bart-files
# bart compare etc.control.manifest etc.check.20130911.manifest
/nsswitch.files:
  mode  control:100644  test:100777
  acl  control:user::rw-,group::r--,mask:r--,other:r--  test:user::rwx,group::rwx,mask:rwx,other:rwx
/nsswitch.nisplus:
  size  control:2525  test:2538
  mtime  control:473976b5  test:47a44862
  contents  control:79e8fd689a5221d1cd059e5077da71b8  test:3f79176ec352441db11ec8a3d02ef67c
/thisisjustatest:
  add

Keep the control manifest somewhere the monitored host cannot modify it; a manifest that sits on the system it describes is worth little after a compromise.

Find more information regarding this feature at http://www.c0t0d0s0.org/archives/4069-Less-known-Solaris-features-BART.html
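bart compare works on the manifest text alone, which makes the format easy to consume in your own tooling (diffing manifests taken on different hosts, for instance). The comparison below is an added example, neither from the deck nor from bart itself: it parses the bart_manifest(4) line format, reports attribute differences plus added and deleted entries in the layout of bart compare, and runs over two constructed manifests built around the entries shown above (the hashes, mtimes and header dates of the extra entries are made up).

```python
"""Manifest comparison in the spirit of `bart compare`.

Added example, neither from the deck nor from bart itself: it parses two
manifests in the bart_manifest(4) line format (path, entry type, then the
attributes of that type in file order) and reports, per path, which
attributes differ, plus added and deleted entries. Both manifests are
constructed around the entries shown on the slides; the hashes, mtimes
and header dates for the extra entries are made up.
"""
from __future__ import annotations

# Attribute names per entry type, in the order bart writes them.
ATTRIBUTES = {
    "F": ("size", "mode", "acl", "mtime", "uid", "gid", "contents"),
    "D": ("size", "mode", "acl", "mtime", "uid", "gid"),
    "S": ("size", "mode", "acl", "mtime", "uid", "gid", "dest"),
}

CONTROL = """\
! Version 1.1
! Wednesday, September 11, 2013 (10:03:13)
# Format:
#fname D size mode acl dirmtime uid gid
#fname F size mode acl mtime uid gid contents
/ D 1024 40755 user::rwx,group::r-x,mask:r-x,other:r-x 522f3a21 0 3
/nsswitch.files F 2525 100644 user::rw-,group::r--,mask:r--,other:r-- 473976b5 0 3 0e1c4a2b9d7f6e5c3b2a1908f7e6d5c4
/nsswitch.nisplus F 2525 100644 user::rw-,group::r--,mask:r--,other:r-- 473976b5 0 3 79e8fd689a5221d1cd059e5077da71b8
/obsolete.conf F 12 100644 user::rw-,group::r--,mask:r--,other:r-- 473976b5 0 3 1b2c3d4e5f60718293a4b5c6d7e8f901
"""

TEST = """\
! Version 1.1
! Wednesday, September 11, 2013 (10:20:41)
/ D 1024 40755 user::rwx,group::r-x,mask:r-x,other:r-x 522f3a21 0 3
/nsswitch.files F 2525 100777 user::rwx,group::rwx,mask:rwx,other:rwx 473976b5 0 3 0e1c4a2b9d7f6e5c3b2a1908f7e6d5c4
/nsswitch.nisplus F 2538 100644 user::rw-,group::r--,mask:r--,other:r-- 47a44862 0 3 3f79176ec352441db11ec8a3d02ef67c
/thisisjustatest F 0 100644 user::rw-,group::r--,mask:r--,other:r-- 523035c8 0 0 d41d8cd98f00b204e9800998ecf8427e
"""


def parse_manifest(text: str) -> dict[str, dict[str, str]]:
    """path -> {"type": T, attr: value, ...}; header lines (! and #) are skipped."""
    entries: dict[str, dict[str, str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "!#":
            continue
        fields = line.split()
        path, ftype, values = fields[0], fields[1], fields[2:]
        # Unknown entry types are still compared, positionally.
        names = ATTRIBUTES.get(ftype) or tuple(f"attr{i}" for i in range(len(values)))
        entries[path] = {"type": ftype, **dict(zip(names, values))}
    return entries


def compare_manifests(control_text: str, test_text: str):
    """Return {path: "add" | "delete" | {attr: (control, test)}}; unchanged
    entries are omitted, paths come out sorted."""
    control, test = parse_manifest(control_text), parse_manifest(test_text)
    report = {}
    for path in sorted(control.keys() | test.keys()):
        if path not in control:
            report[path] = "add"
        elif path not in test:
            report[path] = "delete"
        else:
            diffs = {k: (control[path][k], test[path][k])
                     for k in control[path] if control[path][k] != test[path].get(k)}
            if diffs:
                report[path] = diffs
    return report


def render(report) -> str:
    """Text in the layout of `bart compare`."""
    lines = []
    for path, result in report.items():
        lines.append(f"{path}:")
        if isinstance(result, str):
            lines.append(f"  {result}")
        else:
            for attr, (c, t) in result.items():
                lines.append(f"  {attr}  control:{c}  test:{t}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(compare_manifests(CONTROL, TEST)))
```

Because the diff is computed per attribute, a rules file equivalent (ignore mtime on log directories, only watch contents and mode on /etc) is a filter over the report dictionary rather than a rewrite of the comparison.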
Apropos auditing

Auditing is activated by default.

root@client:~# auditconfig -getflags
active user default audit flags = lo(0x1000,0x1000)
configured user default audit flags = lo(0x1000,0x1000)
root@client:~# auditconfig -getnaflags
active non-attributable audit flags = lo(0x1000,0x1000)
configured non-attributable audit flags = lo(0x1000,0x1000)

By default only the lo class (logins and logouts) is recorded, for attributable and non-attributable events alike. The two hex values are the success mask and the failure mask.

root@client:~# auditconfig -getpolicy
configured audit policies = cnt
active audit policies = cnt
Policy regarding auditing (explanation on the next slide)

root@client:~# auditconfig -lspolicy
policy string    description:
ahlt             halt machine if it can not record an async event
all              all policies
arge             include exec environment args in audit recs
argv             include exec command line args in audit recs
cnt              when no more space, drop recs and keep a cnt
group            include supplementary groups in audit recs
none             no policies
path             allow multiple paths per event
perzone          use a separate queue and auditd per zone
public           audit public files
seq              include a sequence number in audit recs
trail            include trailer token in audit recs
windata_down     include downgraded window information in audit recs
windata_up       include upgraded window information in audit recs
zonename         include zonename token in audit recs

Which degree of detail? What happens with full disks? The default cnt policy keeps the system running and drops records when the audit file system is full (only a counter of dropped records survives); ahlt halts the machine instead. Which one is right depends on whether availability or a complete trail matters more.

root@client:~# auditconfig -getplugin
Plugin: audit_binfile (active)
        Attributes: p_dir=/var/audit;p_fsize=0;p_minfree=1;
Plugin: audit_syslog (inactive)
        Attributes: p_flags=;
Plugin: audit_remote (inactive)
        Attributes: p_hosts=;p_retries=3;p_timeout=5;

root@client:~# auditconfig -setflags lo,ps,fw
user default audit flags = ps,lo,fw(0x101002,0x101002)
root@client:~# auditconfig -setnaflags lo,na
non-attributable audit flags = lo,na(0x1400,0x1400)

lo and na are the only sensible flags for non-attributable events.
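The masks in the output above are what the flag strings really are: lo is 0x1000, ps 0x100000, fw 0x2, and lo,ps,fw becomes 0x101002 for the success and the failure mask alike. The encoder below is an added example, not from the deck: it reads a constructed subset of /etc/security/audit_class in its mask:name:description format (only the masks visible on these slides), applies the +, - and ^ prefixes of audit_flags(5), and renders the result the way auditconfig prints it.

```python
"""Encode and render Solaris audit flag strings the way auditconfig does.

Added example, not from the deck: it reproduces how `auditconfig -setflags
lo,ps,fw` arrives at "ps,lo,fw(0x101002,0x101002)", i.e. a success mask
and a failure mask built from the class table. The table is parsed in
audit_class(4) format (mask:name:description); the entries below are a
constructed subset holding the masks visible on the slides, the real
table is /etc/security/audit_class. Prefix handling follows
audit_flags(5): "+" audits successes only, "-" failures only and "^"
removes a class from what was selected before it.
"""
from __future__ import annotations

ALL_MASK = 0xFFFFFFFFFFFFFFFF

# Constructed subset of /etc/security/audit_class.
AUDIT_CLASS_TEXT = """\
# mask:name:description
0x0000000000000000:no:invalid class
0x0000000000000002:fw:file write
0x0000000000000400:na:non-attributable
0x0000000000001000:lo:login or logout
0x0000000000100000:ps:process start/stop
0xffffffffffffffff:all:all classes
"""


def parse_audit_class(text: str) -> dict[str, int]:
    """name -> mask, from mask:name:description lines."""
    classes: dict[str, int] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        mask, name, _description = line.split(":", 2)
        classes[name] = int(mask, 16)
    return classes


CLASSES = parse_audit_class(AUDIT_CLASS_TEXT)


def encode_flags(spec: str, classes: dict[str, int] = CLASSES) -> tuple[int, int]:
    """Return (success_mask, failure_mask) for a flag string like 'lo,+fw,^ps'."""
    success = failure = 0
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        remove = item.startswith("^")
        if remove:
            item = item[1:]
        sides = {"+": ("success",), "-": ("failure",)}.get(item[:1], ("success", "failure"))
        if item[:1] in ("+", "-"):
            item = item[1:]
        if item not in classes:
            raise ValueError(f"unknown audit class: {item!r}")
        mask = classes[item]
        if "success" in sides:
            success = (success & ~mask) if remove else (success | mask)
        if "failure" in sides:
            failure = (failure & ~mask) if remove else (failure | mask)
    return success & ALL_MASK, failure & ALL_MASK


def format_flags(success: int, failure: int, classes: dict[str, int] = CLASSES) -> str:
    """Render masks as auditconfig prints them: class names in descending mask
    order, with '+' / '-' marking classes present in only one of the masks."""
    if success == failure == ALL_MASK:
        names = ["all"]
    else:
        names = []
        single_bit = [(n, m) for n, m in classes.items() if m and m & (m - 1) == 0]
        for name, mask in sorted(single_bit, key=lambda nm: nm[1], reverse=True):
            in_success, in_failure = bool(success & mask), bool(failure & mask)
            if in_success and in_failure:
                names.append(name)
            elif in_success:
                names.append("+" + name)
            elif in_failure:
                names.append("-" + name)
    return f"{','.join(names)}({success:#x},{failure:#x})"


def setflags(spec: str) -> str:
    """What `auditconfig -setflags <spec>` would echo back."""
    return format_flags(*encode_flags(spec))


if __name__ == "__main__":
    for spec in ("lo", "lo,ps,fw", "lo,na", "lo,+fw", "all", "all,^ps"):
        print(f"{spec:10} -> {setflags(spec)}")
```

The success/failure split is the practical knob: "lo,-fw" records every login but only failed write opens, which is usually the affordable way to watch a busy file server without the flood that plain fw produces.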
root@client:~# usermod -K audit_flags=fw,as:no junior

Per-user audit flags are added to the system-wide ones, so junior's file writes and administrative actions are recorded even though the system default stays at lo.

root@client:~# auditconfig -lsevent | grep lo
AUE_login                  6152 lo        login - local
AUE_logout                 6153 lo        logout
AUE_telnet                 6154 lo        login - telnet
AUE_rlogin                 6155 lo        login - rlogin
AUE_rshd                   6158 lo        rsh access
AUE_su                     6159 lo        su
AUE_rexecd                 6162 lo        rexecd
AUE_passwd                 6163 lo        passwd
AUE_rexd                   6164 lo        rexd
AUE_ftpd                   6165 lo        ftp access
AUE_ftpd_logout            6171 lo        ftp logout
AUE_ssh                    6172 lo        login - ssh
AUE_role_login             6173 lo        role login
AUE_rad_login              6174 lo        connect to RAD
AUE_newgrp_login           6212 lo        newgrp login
AUE_admin_authenticate     6213 lo        admin login
AUE_screenlock             6221 lo        screenlock - lock
AUE_screenunlock           6222 lo        screenlock - unlock
AUE_zlogin                 6227 lo        login - zlogin
AUE_su_logout              6228 lo        su logout
AUE_role_logout            6229 lo        role logout
AUE_smbd_session           6244 lo        smbd(1m) session setup
AUE_smbd_logoff            6245 lo        smbd(1m) session logoff

root@client:~# auditconfig -lsevent | grep ps
AUE_EXIT                      1 ps        exit(2)
AUE_FORKALL                   2 ps        forkall(2)
AUE_VFORK                    25 ps        vfork(2)
AUE_FORK1                   241 ps        fork1(2)
root@client:~# auditconfig -lsevent | grep fw
AUE_OPEN_W                   76 fw        open(2) - write

# auditreduce -c ps /var/audit/20130912183630.not_terminated.client | praudit
header,139,2,execve(2),,client,2013-09-12 18:40:55.924 +00:00
path,/usr/sbin/auditreduce
attribute,100555,root,bin,65538,65875,18446744073709551615
subject,jmoekamp,root,root,root,root,2054,1440080956,2480 202240 192.168.10.1
return,success,0

root@client:~# auditconfig -setflags all
user default audit flags = all(0xffffffffffffffff,0xffffffffffffffff)
Not always (in the sense of: never) a good idea.
Useful after trying things out - starting a new audit file:
root@client:~# audit -n

root@client:~# auditstat
  gen nona kern  aud  ctl   enq  wrtn wblk rblk drop  tot  mem
38248    1 38233  14    0 37791 37788    0 3491  457 5169    0
"all" activated for a few seconds on an unloaded system. Note the drop column: with the cnt policy, 457 records were already lost in those few seconds, which is exactly what a full audit trail must not do.
SSH and X509
root@ca:~# CA.pl -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
............++++++
............++++++
writing new private key to '/etc/openssl/private/cakey.pem'
Enter PEM pass phrase: supersecret1
Verifying - Enter PEM pass phrase: supersecret1
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:DE
State or Province Name (full name) []:Lower Saxony
Locality Name (eg, city) []:Lueneburg
Organization Name (eg, company) []:c0t0d0s0.org
Organizational Unit Name (eg, section) []:Security Department
Common Name (eg, server FQDN or YOUR name) []:CA
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openssl/openssl.cnf
Enter pass phrase for /etc/openssl/private/cakey.pem: supersecret1
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: b354808866ade878
        Validity
            Not Before: Sep 26 10:11:09 2013 GMT
            Not After : Sep 25 10:11:09 2016 GMT
        Subject:
            countryName               = DE
            stateOrProvinceName       = Lower Saxony
            organizationName          = c0t0d0s0.org
            organizationalUnitName    = Security Department
            commonName                = CA
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                5B1F2F7186123040501552818D525AA5597E3644
            X509v3 Authority Key Identifier:
                keyid:5B1F2F7186123040501552818D525AA5597E3644
            X509v3 Basic Constraints:
                CA:TRUE
Certificate is to be certified until Sep 25 10:11:09 2016 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated
root@ca:~# mkdir server
root@ca:~# cd server
root@ca:~/server# CA.pl -newreq
Generating a 1024 bit RSA private key
............++++++
............++++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase: supersecret2
Verifying - Enter PEM pass phrase: supersecret2
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:DE
State or Province Name (full name) []:Lower Saxony
Locality Name (eg, city) []:Lueneburg
Organization Name (eg, company) []:c0t0d0s0.org
Organizational Unit Name (eg, section) []:Server Certificates
Common Name (eg, server FQDN or YOUR name) []:server
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem

root@ca:~/server# CA.pl -signreq
Using configuration from /etc/openssl/openssl.cnf
Enter pass phrase for /etc/openssl/private/cakey.pem: supersecret1
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: b354808866ade879
        Validity
            Not Before: Sep 26 10:29:12 2013 GMT
            Not After : Sep 26 10:29:12 2014 GMT
        Subject:
            countryName               = DE
            stateOrProvinceName       = Lower Saxony
            localityName              = Lueneburg
            organizationName          = c0t0d0s0.org
            organizationalUnitName    = Server Certificates
            commonName                = server
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                A7DC03DEB3D5FBF9C006F11A55A9AD04C49C10FA
            X509v3 Authority Key Identifier:
                keyid:5B1F2F7186123040501552818D525AA5597E3644
Certificate is to be certified until Sep 26 10:29:12 2014 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
root@ca:~/server# ls -l
total 15
-rw-r--r--   1 root     root        3196 Sep 26 12:29 newcert.pem
-rw-r--r--   1 root     root        1041 Sep 26 12:28 newkey.pem
-rw-r--r--   1 root     root         680 Sep 26 12:28 newreq.pem
root@ca:~/junior# CA.pl -newreq
Generating a 1024 bit RSA private key
............++++++
............++++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
Verify failure
Enter PEM pass phrase: supersecret3
Verifying - Enter PEM pass phrase: supersecret3
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:DE
State or Province Name (full name) []:Lower Saxony
Locality Name (eg, city) []:Lueneburg
Organization Name (eg, company) []:c0t0d0s0.org
Organizational Unit Name (eg, section) []:User certificates
Common Name (eg, server FQDN or YOUR name) []:junior
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem

root@ca:~/junior# CA.pl -signreq
Using configuration from /etc/openssl/openssl.cnf
Enter pass phrase for /etc/openssl/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: b354808866ade87a
        Validity
            Not Before: Sep 26 11:09:29 2013 GMT
            Not After : Sep 26 11:09:29 2014 GMT
        Subject:
            countryName               = DE
            stateOrProvinceName       = Lower Saxony
            localityName              = Lueneburg
            organizationName          = c0t0d0s0.org
            organizationalUnitName    = User certificates
            commonName                = junior
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                A1F2FC9D8AE2AD9AF52903F5B714933C64628E9C
            X509v3 Authority Key Identifier:
                keyid:5B1F2F7186123040501552818D525AA5597E3644
Certificate is to be certified until Sep 26 11:09:29 2014 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
root@server:~# useradd -m junior
80 blocks
root@server:~# passwd junior
New Password:
Re-enter new Password:
passwd: password successfully changed for junior
root@server:~#

root@client:~# useradd -m junior
80 blocks
root@client:~# passwd junior
New Password:
Re-enter new Password:
passwd: password successfully changed for junior

root@server:~# echo "1921681051 server" >> /etc/hosts
root@server:~# echo "1921681052 client" >> /etc/hosts

root@client:~# echo "1921681051 server" >> /etc/hosts
root@client:~# echo "1921681052 client" >> /etc/hosts

root@ca:~/server# scp /etc/openssl/cacert.pem jmoekamp@1921681109:/export/home/jmoekamp
Password:
cacert.pem           100% |*****************************|  3011       00:00
root@ca:~/server# scp newcert.pem jmoekamp@1921681109:/export/home/jmoekamp
Password:
newcert.pem          100% |*****************************|  3196       00:00
root@ca:~/server# scp newkey.pem jmoekamp@1921681109:/export/home/jmoekamp
Password:
newkey.pem           100% |*****************************|  1041       00:00

root@ca:~/junior# scp newkey.pem junior@client:/export/home/junior
Password:
newkey.pem           100% |*****************************|  1041       00:00
root@ca:~/junior# scp newcert.pem junior@client:/export/home/junior
Password:
newcert.pem          100% |*****************************|  3190       00:00
root@ca:~/junior# scp /etc/openssl/cacert.pem junior@1921681104:/export/home/junior
Password:
cacert.pem           100% |*****************************|  3011       00:00

On the Server
root@server:~# ls
cacert.pem  newcert.pem  newkey.pem

root@server:~# pktool setpin
Enter token passphrase: changeme
Create new passphrase: superserversecret
Re-enter new passphrase: superserversecret
Passphrase changed.
root@server:~#

root@server:~# printf superserversecret > /etc/ssh/pinfile

root@server:~# kmfcfg create dbfile=/etc/ssh/policy.xml policy=ssh ta-name=search mapper-name=cn

root@server:~# echo "TrustedAnchorKeystore /etc/ssh/cert" >> /etc/ssh/sshd_config
root@server:~# echo "KMFPolicyDatabase /etc/ssh/policy.xml" >> /etc/ssh/sshd_config
root@server:~# echo "KMFPolicyName ssh" >> /etc/ssh/sshd_config
root@server:~# echo "HostKey pkcs11:object=host;token=Sun Metaslot;pinfile=/etc/ssh/pinfile" >> /etc/ssh/sshd_config

root@server:~# pktool import keystore=pkcs11 infile=newkey.pem objtype=key label=host
Enter PIN for Sun Software PKCS#11 softtoken: superserversecret
Enter PEM pass phrase: supersecret2
Importing 1 keys

root@server:~# egrep -v "^ |^$|^Cert" /export/home/jmoekamp/cacert.pem > /etc/ssh/cert/cacert.cooked.pem
root@server:~# egrep -v "^ |^$|^Cert" newcert.pem > newcert.cooked.pem
root@server:~# pktool import keystore=pkcs11 infile=newcert.cooked.pem objtype=cert label=host
root@server:~#
On the client
junior@client:~$ ls *.pem
cacert.pem  newcert.pem  newkey.pem

root@client:~# kmfcfg create dbfile=/etc/ssh/policy.xml policy=ssh ta-name=search mapper-name=cn
root@client:~# egrep -v "^ |^$|^Cert" /export/home/junior/cacert.pem > /etc/ssh/cert/cacert.cooked.pem

junior@client:~$ pktool setpin
Enter token passphrase: changeme
Create new passphrase: superusersecret
Re-enter new passphrase: superusersecret
Passphrase changed.

junior@client:~$ pktool import keystore=pkcs11 infile=newkey.pem objtype=key label=user
Enter PIN for Sun Software PKCS#11 softtoken: superusersecret
Enter PEM pass phrase: supersecret3
Importing 1 keys
junior@client:~$ egrep -v "^ |^$|^Cert" newcert.pem > newcert.cooked.pem
junior@client:~$ pktool import keystore=pkcs11 infile=newcert.cooked.pem objtype=cert label=user
Testing it
root@server:~# svcadm disable ssh
root@server:~# svcadm enable ssh

junior@client:~$ cd .ssh
junior@client:~/.ssh$ printf superusersecret >> pinfile
junior@client:~/.ssh$ cat config
Host server-x509
    Hostname server
    TrustedAnchorKeystore /etc/ssh/cert
    KMFPolicyDatabase /etc/ssh/policy.xml
    KMFPolicyName ssh
    IdentityFile pkcs11:object=user;token=Sun Software PKCS#11 softtoken;pinfile=/export/home/junior/.ssh/pinfile

junior@client:~/.ssh$ ssh junior@server-x509
Last login: Thu Sep 26 20:07:14 2013 from client
Oracle Corporation      SunOS 5.11      11.1    September 2013
junior@server:~$

Find more information regarding this feature at
http://www.c0t0d0s0.org/archives/7659-Using-X509-support-for-SSH-on-Solaris-11.1.html
OpenSCAP
"The Security Content Automation Protocol (SCAP) is a method for using specific standards to enable automated vulnerability management, measurement, and policy compliance evaluation (e.g., FISMA compliance). The National Vulnerability Database (NVD) is the U.S. government content repository for SCAP."
http://en.wikipedia.org/wiki/Security_Content_Automation_Protocol
ftp-banner.xml
<?xml version="1.0" encoding="UTF-8"?>
<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:independent-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd">
  <generator>
    <oval:product_name>Enhanced SCAP Editor</oval:product_name>
    <oval:product_version>0.0.11</oval:product_version>
    <oval:schema_version>5.8</oval:schema_version>
    <oval:timestamp>2012-10-11T10:33:25</oval:timestamp>
  </generator>
  <!--generated.oval.base.identifier=com.oracle.solaris11-->
  <definitions>
    <definition id="oval:com.oracle.solaris11:def:840" version="1" class="compliance">
      <metadata>
        <title>Enable a Warning Banner for the FTP Service</title>
        <affected family="unix">
          <platform>Oracle Solaris 11</platform>
        </affected>
        <description>/etc/proftpd.conf contains "DisplayConnect /etc/issue"</description>
      </metadata>
      <criteria operator="AND" negate="false" comment="Single test">
        <criterion comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;" test_ref="oval:com.oracle.solaris11:tst:8400" negate="false"/>
      </criteria>
    </definition>
  </definitions>
  <tests>
    <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:com.oracle.solaris11:tst:8400" version="1" check="all" comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;" check_existence="all_exist">
      <object object_ref="oval:com.oracle.solaris11:obj:8400"/>
    </textfilecontent54_test>
  </tests>
  <objects>
    <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:com.oracle.solaris11:obj:8400" version="1" comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;">
      <path datatype="string" operation="equals">/etc</path>
      <filename datatype="string" operation="equals">proftpd.conf</filename>
      <pattern datatype="string" operation="pattern match">^DisplayConnect\s/etc/issue\s*$</pattern>
      <instance datatype="int" operation="greater than or equal">1</instance>
    </textfilecontent54_object>
  </objects>
</oval_definitions>

$ oscap oval eval ftp-banner.xml
Definition oval:com.oracle.solaris11:def:840: false
Evaluation done.

$ oscap oval eval --results results.xml --report report.html ftp-banner.xml
Definition oval:com.oracle.solaris11:def:840: false
Evaluation done.
OVAL Results are exported correctly.
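To show what oscap actually does with the textfilecontent54 object above, here is a minimal evaluator for that one OVAL check, added as an example (it is not code from the slides or from OpenSCAP). It carries a trimmed copy of ftp-banner.xml and evaluates it against constructed proftpd.conf contents in a throwaway directory.

```python
import os
import re
import tempfile
import xml.etree.ElementTree as ET

DEF_NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
IND_NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"
DEF_ID = "oval:com.oracle.solaris11:def:840"

# Trimmed copy of ftp-banner.xml from the slides (generator block and comments dropped).
OVAL_DOC = """<oval_definitions xmlns="%s">
  <definitions>
    <definition id="%s" version="1" class="compliance">
      <criteria operator="AND" negate="false" comment="Single test">
        <criterion test_ref="oval:com.oracle.solaris11:tst:8400" negate="false"/>
      </criteria>
    </definition>
  </definitions>
  <tests>
    <textfilecontent54_test xmlns="%s" id="oval:com.oracle.solaris11:tst:8400"
        version="1" check="all" check_existence="all_exist">
      <object object_ref="oval:com.oracle.solaris11:obj:8400"/>
    </textfilecontent54_test>
  </tests>
  <objects>
    <textfilecontent54_object xmlns="%s" id="oval:com.oracle.solaris11:obj:8400" version="1">
      <path datatype="string" operation="equals">/etc</path>
      <filename datatype="string" operation="equals">proftpd.conf</filename>
      <pattern datatype="string" operation="pattern match">^DisplayConnect\\s/etc/issue\\s*$</pattern>
      <instance datatype="int" operation="greater than or equal">1</instance>
    </textfilecontent54_object>
  </objects>
</oval_definitions>""" % (DEF_NS, DEF_ID, IND_NS, IND_NS)


def _tag(ns, name):
    return "{%s}%s" % (ns, name)


def collect_items(obj, root_dir):
    """Apply one textfilecontent54_object to the file tree under root_dir and
    return the matching lines (the OVAL 'items'), honouring the instance bound."""
    path = obj.find(_tag(IND_NS, "path")).text
    filename = obj.find(_tag(IND_NS, "filename")).text
    pattern = re.compile(obj.find(_tag(IND_NS, "pattern")).text, re.MULTILINE)
    first = int(obj.find(_tag(IND_NS, "instance")).text)  # "greater than or equal"
    target = os.path.join(root_dir, path.lstrip("/"), filename)
    if not os.path.isfile(target):
        return []
    with open(target) as fh:
        matches = [m.group(0) for m in pattern.finditer(fh.read())]
    return matches[first - 1:]


def evaluate(oval_xml, root_dir):
    """Evaluate every definition in the document against root_dir and return
    {definition id: True/False}, the verdict 'oscap oval eval' prints."""
    root = ET.fromstring(oval_xml)
    objects = {o.get("id"): o for o in root.iter(_tag(IND_NS, "textfilecontent54_object"))}
    tests = {t.get("id"): t for t in root.iter(_tag(IND_NS, "textfilecontent54_test"))}
    results = {}
    for definition in root.iter(_tag(DEF_NS, "definition")):
        criteria = definition.find(_tag(DEF_NS, "criteria"))
        verdicts = []
        for criterion in criteria.findall(_tag(DEF_NS, "criterion")):
            test = tests[criterion.get("test_ref")]
            obj = objects[test.find(_tag(IND_NS, "object")).get("object_ref")]
            items = collect_items(obj, root_dir)
            # check_existence="all_exist" and no state element: the test passes
            # exactly when at least one item was collected.
            verdict = len(items) > 0
            if criterion.get("negate") == "true":
                verdict = not verdict
            verdicts.append(verdict)
        result = all(verdicts) if criteria.get("operator", "AND") == "AND" else any(verdicts)
        if criteria.get("negate") == "true":
            result = not result
        results[definition.get("id")] = result
    return results


def evaluate_proftpd_conf(contents):
    """Evaluate the definition against a throwaway root whose /etc/proftpd.conf
    holds `contents` (None = file absent). Returns {definition id: bool}."""
    with tempfile.TemporaryDirectory() as root_dir:
        os.makedirs(os.path.join(root_dir, "etc"))
        if contents is not None:
            with open(os.path.join(root_dir, "etc", "proftpd.conf"), "w") as fh:
                fh.write(contents)
        return evaluate(OVAL_DOC, root_dir)


if __name__ == "__main__":
    # constructed proftpd.conf samples: compliant, commented out, file missing
    for sample in ("DisplayConnect /etc/issue\n", "#DisplayConnect /etc/issue\n", None):
        print(repr(sample), "->", evaluate_proftpd_conf(sample)[DEF_ID])
```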
To create your own OVAL files: Enhanced SCAP Content Editor

Find more information regarding this feature at
https://blogs.oracle.com/darren/entry/compliance_reporting_with_scap
Sandboxing applications on Solaris 111
root@solaris:~# profiles -p "MySQL Service"
MySQL Service> set desc="Locking down the MySQL Service"
MySQL Service> add cmd=/lib/svc/method/mysql_51
MySQL Service:mysql_51> set privs=basic
MySQL Service:mysql_51> add privs={net_privaddr}:3306/tcp
MySQL Service:mysql_51> add privs={file_write}:/var/mysql/5.1/data/*
MySQL Service:mysql_51> add privs={file_write}:/tmp/mysql.sock
MySQL Service:mysql_51> add privs={file_write}:/var/tmp/ib*
MySQL Service:mysql_51> end
MySQL Service> set uid=mysql
MySQL Service> set gid=mysql
MySQL Service> exit
root@solaris:~#

root@solaris:~# svccfg -s mysql:version_51
svc:/application/database/mysql:version_51> setprop method_context/profile = "MySQL Service"
svc:/application/database/mysql:version_51> setprop method_context/use_profile = true
svc:/application/database/mysql:version_51> refresh
svc:/application/database/mysql:version_51> exit

root@solaris:~# ipadm set-prop -p extra_priv_ports+=3306 tcp
root@solaris:~# ipadm show-prop -p extra_priv_ports tcp
PROTO PROPERTY              PERM CURRENT      PERSISTENT   DEFAULT      POSSIBLE
tcp   extra_priv_ports      rw   2049,4045,   --           2049,4045    1-65535
                                 3306

root@solaris:~# svcadm enable mysql:version_51

root@solaris:~# ppriv $(pgrep mysql)
103697: /usr/mysql/5.1/bin/mysqld --basedir=/usr/mysql/5.1 --datadir=/var/mysq
flags = PRIV_XPOLICY
        Extended policies:
                {net_privaddr}:3306/tcp
                {file_write}:/var/mysql/5.1/data/*
                {file_write}:/tmp/mysql.sock
                {file_write}:/var/tmp/ib*
        E: basic,!file_write
        I: basic,!file_write
        P: basic,!file_write
        L: all
103609: /bin/sh /usr/mysql/5.1/bin/mysqld_safe --user=mysql --datadir=/var/mys
flags = PRIV_XPOLICY
        Extended policies:
                {net_privaddr}:3306/tcp
                {file_write}:/var/mysql/5.1/data/*
                {file_write}:/tmp/mysql.sock
                {file_write}:/var/tmp/ib*
        E: basic,!file_write
        I: basic,!file_write
        P: basic,!file_write
        L: all

Find more information regarding this feature at
https://blogs.oracle.com/gfaden/entry/oracle_solaris_extended_policy_and
Passwords
root@client:/etc/security# cat /etc/security/crypt.conf
#
# Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
#ident  "%Z%%M% %I%     %E% SMI"
#
# The algorithm name __unix__ is reserved.
#
1       crypt_bsdmd5.so.1
2a      crypt_bsdbf.so.1
md5     crypt_sunmd5.so.1
5       crypt_sha256.so.1
6       crypt_sha512.so.1

root@client:/etc/security# cat /etc/security/policy.conf | egrep ^CRYPT_DEFAULT
CRYPT_DEFAULT=5
root@client:/etc/security# cat /etc/shadow | grep junior
junior:$5$4aKvDFqA$2kL8GpuXjrdf8XpanqhylEP5lDhy1DF5uo1ZYx74f31:15929:::::1440:
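The $5$ prefix in junior's shadow entry is looked up in crypt.conf, and policy.conf decides which algorithms are allowed and which one new passwords get. The following checker, added here as an example (not code from the slides), walks a shadow file with that logic and flags accounts whose hashes are not produced by CRYPT_DEFAULT or will be migrated on the next password change; crypt.conf, policy.conf and the shadow lines are constructed and the hash strings are dummies.

```python
import re

CRYPT_CONF = """\
# The algorithm name __unix__ is reserved.
1       crypt_bsdmd5.so.1
2a      crypt_bsdbf.so.1
md5     crypt_sunmd5.so.1
5       crypt_sha256.so.1
6       crypt_sha512.so.1
"""

POLICY_CONF = """\
# /etc/security/policy.conf excerpt (constructed)
CRYPT_ALGORITHMS_ALLOW=5,6
CRYPT_DEFAULT=5
"""

# constructed /etc/shadow lines; the hash strings are dummies, not real credentials
SHADOW = """\
root:$6$c0nstruct$HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH:15929::::::
junior:$5$4aKvDFqA$HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH:15929::::::
oldtimer:XXcOnStRuCtEd:15929::::::
sunmd5:$md5$rounds=904$c0nstruct$HHHHHHHHHHHHHHHHHHHHHH:15929::::::
svcacct:NP:15929::::::
locked:*LK*:15929::::::
"""


def parse_crypt_conf(text):
    """crypt.conf: '<identifier> <module>' per line -> {identifier: module}."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            ident, module = line.split()[:2]
            table[ident] = module
    return table


def parse_policy(text):
    """Pick the CRYPT_* settings out of policy.conf (unset keys stay absent)."""
    policy = {}
    for line in text.splitlines():
        m = re.match(r"\s*(CRYPT_[A-Z_]+)\s*=\s*(\S*)", line)
        if m:
            policy[m.group(1)] = m.group(2)
    return policy


def classify_hash(hashed, table):
    """(identifier, module) for one shadow password field."""
    if hashed in ("", "NP", "*NP*") or hashed.startswith("*LK*"):
        return ("none", hashed or "empty")             # no password / locked
    m = re.match(r"\$([^$]+)\$", hashed)
    if m and m.group(1) in table:
        return (m.group(1), table[m.group(1)])
    if re.fullmatch(r"[./0-9A-Za-z]{13}", hashed):
        return ("__unix__", "traditional crypt(3C)")   # the reserved name in crypt.conf
    return ("unknown", hashed[:4] + "...")


def audit_shadow(shadow_text, crypt_conf_text, policy_text):
    """Per account: algorithm in use, whether it is the CRYPT_DEFAULT one, and
    whether policy.conf will migrate it on the next password change."""
    table = parse_crypt_conf(crypt_conf_text)
    policy = parse_policy(policy_text)
    default = policy.get("CRYPT_DEFAULT", "__unix__")    # policy.conf(4) fallback
    allow = policy.get("CRYPT_ALGORITHMS_ALLOW", "")
    allowed = set(allow.split(",")) if allow else None   # None: every algorithm allowed
    deprecated = set(policy.get("CRYPT_ALGORITHMS_DEPRECATE", "").split(",")) - {""}
    report = {}
    for line in shadow_text.splitlines():
        user, hashed = line.split(":")[:2]
        ident, module = classify_hash(hashed, table)
        has_pw = ident != "none"
        report[user] = {
            "algorithm": ident,
            "module": module,
            "is_default": has_pw and ident == default,
            "migrates_on_change": has_pw and (ident in deprecated or
                                              (allowed is not None and ident not in allowed)),
        }
    return report


if __name__ == "__main__":
    for user, info in audit_shadow(SHADOW, CRYPT_CONF, POLICY_CONF).items():
        print("%-10s %-9s default=%-5s migrates=%s" % (user, info["algorithm"],
                                                       info["is_default"], info["migrates_on_change"]))
```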
root@client:/etc/security# cat /etc/default/passwd | grep -v "^# " | egrep -v "^$|^#$"
#ident  "%Z%%M% %I%     %E% SMI"
MAXWEEKS=
MINWEEKS=
PASSLENGTH=6
NAMECHECK=NO
HISTORY=0
MINDIFF=3
MINALPHA=2
MINNONALPHA=1
MINUPPER=0
MINLOWER=0
MAXREPEATS=0
MINSPECIAL=0
MINDIGIT=0
WHITESPACE=YES
DICTIONLIST=
DICTIONDBDIR=/var/passwd

root@client:~# mkpwdict -s /usr/share/lib/dict/words
mkpwdict: using default database location: /var/passwd.
or
root@client:~# mkpwdict -s /usr/share/lib/dict/words -d /var/passwd
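What those settings mean for a password change is easier to see in code: the checker below, added here as an example and not code from the slides or from Solaris, applies the /etc/default/passwd values above (PASSLENGTH, MINALPHA, MINNONALPHA, MINDIFF, MAXREPEATS, WHITESPACE, NAMECHECK) plus a dictionary lookup standing in for the mkpwdict database. The rules are a simplified reading of passwd(1); the dictionary and all passwords are constructed.

```python
import re

PASSWD_DEFAULTS = """\
#ident  "%Z%%M% %I%     %E% SMI"
MAXWEEKS=
MINWEEKS=
PASSLENGTH=6
NAMECHECK=NO
HISTORY=0
MINDIFF=3
MINALPHA=2
MINNONALPHA=1
MINUPPER=0
MINLOWER=0
MAXREPEATS=0
MINSPECIAL=0
MINDIGIT=0
WHITESPACE=YES
DICTIONLIST=
DICTIONDBDIR=/var/passwd
"""

# stand-in for the word list fed to mkpwdict (constructed)
DICTIONARY = {"password", "welcome", "solaris", "oracle"}


def parse_defaults(text):
    """KEY=VALUE lines of /etc/default/passwd -> dict; empty values stay ''."""
    conf = {}
    for line in text.splitlines():
        if line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


CONF = parse_defaults(PASSWD_DEFAULTS)


def _int(conf, key):
    """Numeric setting; an unset (empty) value counts as 0."""
    return int(conf.get(key) or 0)


def check_password(new, old, username, conf, dictionary=DICTIONARY):
    """Return the names of the settings the candidate violates ([] = accepted)."""
    problems = []
    if len(new) < _int(conf, "PASSLENGTH"):
        problems.append("PASSLENGTH")
    if conf.get("WHITESPACE", "YES").upper() != "YES" and re.search(r"\s", new):
        problems.append("WHITESPACE")
    alpha = sum(c.isalpha() for c in new)
    upper = sum(c.isupper() for c in new)
    lower = sum(c.islower() for c in new)
    digit = sum(c.isdigit() for c in new)
    special = len(new) - alpha - digit
    if alpha < _int(conf, "MINALPHA"):
        problems.append("MINALPHA")
    # MINNONALPHA counts digits and specials together; when MINDIGIT or
    # MINSPECIAL is set, those finer-grained limits are used instead (simplified).
    if _int(conf, "MINDIGIT") or _int(conf, "MINSPECIAL"):
        if digit < _int(conf, "MINDIGIT"):
            problems.append("MINDIGIT")
        if special < _int(conf, "MINSPECIAL"):
            problems.append("MINSPECIAL")
    elif digit + special < _int(conf, "MINNONALPHA"):
        problems.append("MINNONALPHA")
    if upper < _int(conf, "MINUPPER"):
        problems.append("MINUPPER")
    if lower < _int(conf, "MINLOWER"):
        problems.append("MINLOWER")
    max_rep = _int(conf, "MAXREPEATS")                  # 0 means "not checked"
    if max_rep and re.search(r"(.)\1{%d,}" % max_rep, new):
        problems.append("MAXREPEATS")
    if conf.get("NAMECHECK", "NO").upper() == "YES" and username.lower() in new.lower():
        problems.append("NAMECHECK")
    if old is not None:
        # MINDIFF: positions that differ from the old password (length delta counts)
        diff = sum(a != b for a, b in zip(new, old)) + abs(len(new) - len(old))
        if diff < _int(conf, "MINDIFF"):
            problems.append("MINDIFF")
    if new.lower() in dictionary:
        problems.append("DICTIONLIST")
    return problems


if __name__ == "__main__":
    for candidate in ("Tr0ub4dor&3", "abc", "Solaris"):
        print(candidate, "->", check_password(candidate, "oldpass", "junior", CONF) or "ok")
```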
Address Space Layout Randomization
root@solaris:~# sxadm exec -s aslr=disable /usr/bin/pmap self
1914:   /usr/bin/pmap self
0000000000400000      28K r-x--  /usr/bin/pmap
0000000000417000       4K rw---  /usr/bin/pmap
0000000000418000      40K rw---    [ heap ]
FFFF80FFBDDD0000     216K r-x--  /lib/amd64/libproc.so.1
FFFF80FFBDE16000       8K rw---  /lib/amd64/libproc.so.1
FFFF80FFBF430000    1764K r-x--  /lib/amd64/libc.so.1
FFFF80FFBF5F9000      64K rw---  /lib/amd64/libc.so.1
FFFF80FFBF609000      12K rw---  /lib/amd64/libc.so.1
FFFF80FFBF740000       4K rw---    [ anon ]
FFFF80FFBF750000      24K rwx--    [ anon ]
FFFF80FFBF760000       4K rw---    [ anon ]
FFFF80FFBF770000       4K rw---    [ anon ]
FFFF80FFBF780000       4K rw---    [ anon ]
FFFF80FFBF790000       4K rw---    [ anon ]
FFFF80FFBF792000       4K r--s-    [ anon ]
FFFF80FFBF795000     340K r-x--  /lib/amd64/ld.so.1
FFFF80FFBF7FA000      12K rwx--  /lib/amd64/ld.so.1
FFFF80FFBF7FD000       8K rwx--  /lib/amd64/ld.so.1
FFFF80FFBFFFD000      12K rw---    [ stack ]
 total          2556K

root@solaris:~# sxadm exec -s aslr=disable /usr/bin/pmap self
1915:   /usr/bin/pmap self
0000000000400000      28K r-x--  /usr/bin/pmap
0000000000417000       4K rw---  /usr/bin/pmap
0000000000418000      40K rw---    [ heap ]
FFFF80FFBDDD0000     216K r-x--  /lib/amd64/libproc.so.1
FFFF80FFBDE16000       8K rw---  /lib/amd64/libproc.so.1
FFFF80FFBF430000    1764K r-x--  /lib/amd64/libc.so.1
FFFF80FFBF5F9000      64K rw---  /lib/amd64/libc.so.1
FFFF80FFBF609000      12K rw---  /lib/amd64/libc.so.1
FFFF80FFBF740000       4K rw---    [ anon ]
FFFF80FFBF750000      24K rwx--    [ anon ]
FFFF80FFBF760000       4K rw---    [ anon ]
FFFF80FFBF770000       4K rw---    [ anon ]
FFFF80FFBF780000       4K rw---    [ anon ]
FFFF80FFBF790000       4K rw---    [ anon ]
FFFF80FFBF792000       4K r--s-    [ anon ]
FFFF80FFBF795000     340K r-x--  /lib/amd64/ld.so.1
FFFF80FFBF7FA000      12K rwx--  /lib/amd64/ld.so.1
FFFF80FFBF7FD000       8K rwx--  /lib/amd64/ld.so.1
FFFF80FFBFFFD000      12K rw---    [ stack ]
 total          2556K

root@solaris:~# sxadm exec -s aslr=enable /usr/bin/pmap self
1917:   /usr/bin/pmap self
0000000000400000      28K r-x--  /usr/bin/pmap
0000000000417000       4K rw---  /usr/bin/pmap
0000000000418000       8K rw---  /usr/bin/pmap
00000005D6666000      36K rw---    [ heap ]
00007FF669C70000     216K r-x--  /lib/amd64/libproc.so.1
00007FF669CB6000       8K rw---  /lib/amd64/libproc.so.1
00007FF669CC0000       4K rw---    [ anon ]
00007FF669CD0000      24K rwx--    [ anon ]
00007FF669CE0000       4K rw---    [ anon ]
00007FF669CF0000    1764K r-x--  /lib/amd64/libc.so.1
00007FF669EB9000      64K rw---  /lib/amd64/libc.so.1
00007FF669EC9000      12K rw---  /lib/amd64/libc.so.1
00007FF669ED0000       4K rw---    [ anon ]
00007FF669EE0000       4K rw---    [ anon ]
00007FF669EF0000       4K rw---    [ anon ]
00007FF669EF2000       4K r--s-    [ anon ]
00007FF669EFC000     340K r-x--  /lib/amd64/ld.so.1
00007FF669F61000      12K rwx--  /lib/amd64/ld.so.1
00007FF669F64000       8K rwx--  /lib/amd64/ld.so.1
FFFF80DDA254F000      16K rw---    [ stack ]
 total          2564K

root@solaris:~# sxadm exec -s aslr=enable /usr/bin/pmap self
1918:   /usr/bin/pmap self
0000000000400000      28K r-x--  /usr/bin/pmap
0000000000417000       4K rw---  /usr/bin/pmap
0000000000418000       8K rw---  /usr/bin/pmap
000000065B76D000      36K rw---    [ heap ]
00007FFAACFC0000     216K r-x--  /lib/amd64/libproc.so.1
00007FFAAD006000       8K rw---  /lib/amd64/libproc.so.1
00007FFAAD010000       4K rw---    [ anon ]
00007FFAAD020000      24K rwx--    [ anon ]
00007FFAAD030000       4K rw---    [ anon ]
00007FFAAD040000    1764K r-x--  /lib/amd64/libc.so.1
00007FFAAD209000      64K rw---  /lib/amd64/libc.so.1
00007FFAAD219000      12K rw---  /lib/amd64/libc.so.1
00007FFAAD220000       4K rw---    [ anon ]
00007FFAAD230000       4K rw---    [ anon ]
00007FFAAD240000       4K rw---    [ anon ]
00007FFAAD242000       4K r--s-    [ anon ]
00007FFAAD24D000     340K r-x--  /lib/amd64/ld.so.1
00007FFAAD2B2000      12K rwx--  /lib/amd64/ld.so.1
00007FFAAD2B5000       8K rwx--  /lib/amd64/ld.so.1
FFFF80DE1559E000      12K rw---    [ stack ]

root@solaris:~# sxadm info
EXTENSION           STATUS                         CONFIGURATION
aslr                enabled (tagged-files)         system default (default)

root@solaris:~# elfdump -d /usr/bin/pmap | grep ASLR
      [33]  SUNW_ASLR         0x2               ENABLE
root@solaris:~# elfedit -e 'dyn:sunw_aslr disable' /usr/bin/pmap
root@solaris:~# elfdump -d /usr/bin/pmap | grep ASLR
      [33]  SUNW_ASLR         0x1               DISABLE

root@solaris:~# sxadm enable -c model=all aslr
root@solaris:~# sxadm info
EXTENSION           STATUS                         CONFIGURATION
aslr                enabled (all)                  enabled (all)

root@solaris:~# sxadm disable aslr
root@solaris:~# sxadm info
EXTENSION           STATUS                         CONFIGURATION
aslr                disabled                       disabled

root@solaris:~# sxadm enable -c model=tagged-files aslr
root@solaris:~# sxadm info
EXTENSION           STATUS                         CONFIGURATION
aslr                enabled (tagged-files)         enabled (tagged-files)
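The difference between the two pairs of pmap runs above is the whole point of the slides, so here is a small comparison tool, added as an example (not code from the slides): it parses pmap(1) output from two runs of the same program and reports which mapping bases moved, which is what a defender checks to confirm ASLR is actually in effect for a binary. The pmap excerpts are abridged from the runs on the slides (constructed, addresses as shown there).

```python
import re

PMAP_LINE = re.compile(r"^([0-9A-Fa-f]{16})\s+(\d+)K\s+(\S+)\s+(.*)$")

# two aslr=disable runs (pids 1914 / 1915): identical layout
PMAP_DISABLED_1 = """\
1914:   /usr/bin/pmap self
0000000000400000      28K r-x--  /usr/bin/pmap
0000000000417000       4K rw---  /usr/bin/pmap
0000000000418000      40K rw---    [ heap ]
FFFF80FFBDDD0000     216K r-x--  /lib/amd64/libproc.so.1
FFFF80FFBF430000    1764K r-x--  /lib/amd64/libc.so.1
FFFF80FFBF795000     340K r-x--  /lib/amd64/ld.so.1
FFFF80FFBFFFD000      12K rw---    [ stack ]
 total          2556K
"""
PMAP_DISABLED_2 = PMAP_DISABLED_1.replace("1914:", "1915:")

# two aslr=enable runs (pids 1917 / 1918): heap, libraries and stack move,
# the non-PIE main executable stays at 0x400000
PMAP_ENABLED_1 = """\
1917:   /usr/bin/pmap self
0000000000400000      28K r-x--  /usr/bin/pmap
0000000000417000       4K rw---  /usr/bin/pmap
00000005D6666000      36K rw---    [ heap ]
00007FF669C70000     216K r-x--  /lib/amd64/libproc.so.1
00007FF669CF0000    1764K r-x--  /lib/amd64/libc.so.1
00007FF669EFC000     340K r-x--  /lib/amd64/ld.so.1
FFFF80DDA254F000      16K rw---    [ stack ]
 total          2564K
"""
PMAP_ENABLED_2 = """\
1918:   /usr/bin/pmap self
0000000000400000      28K r-x--  /usr/bin/pmap
0000000000417000       4K rw---  /usr/bin/pmap
000000065B76D000      36K rw---    [ heap ]
00007FFAACFC0000     216K r-x--  /lib/amd64/libproc.so.1
00007FFAAD040000    1764K r-x--  /lib/amd64/libc.so.1
00007FFAAD24D000     340K r-x--  /lib/amd64/ld.so.1
FFFF80DE1559E000      12K rw---    [ stack ]
"""


def parse_pmap(text):
    """pmap output -> {mapping name: [(base, size_kb, perms), ...]} in address order.
    The pid header line, the 'total' line and blank lines are skipped."""
    mappings = {}
    for line in text.splitlines():
        m = PMAP_LINE.match(line.strip())
        if not m:
            continue
        base, size_kb, perms, name = m.groups()
        mappings.setdefault(name.strip(), []).append((int(base, 16), int(size_kb), perms))
    return mappings


def compare_runs(run_a, run_b):
    """Names of mappings present in both runs, split into those whose base
    addresses differ ('moved') and those that did not ('fixed')."""
    a, b = parse_pmap(run_a), parse_pmap(run_b)
    moved, fixed = set(), set()
    for name in a.keys() & b.keys():
        bases_a = [base for base, _, _ in a[name]]
        bases_b = [base for base, _, _ in b[name]]
        (moved if bases_a != bases_b else fixed).add(name)
    return {"moved": sorted(moved), "fixed": sorted(fixed)}


def aslr_appears_active(run_a, run_b):
    """ASLR is judged active when the heap, the stack or a shared library moved
    between the two runs; a non-PIE executable staying put does not count."""
    moved = compare_runs(run_a, run_b)["moved"]
    return any(n in ("[ heap ]", "[ stack ]") or n.startswith("/lib") for n in moved)


if __name__ == "__main__":
    print("aslr=disable:", compare_runs(PMAP_DISABLED_1, PMAP_DISABLED_2))
    print("aslr=enable: ", compare_runs(PMAP_ENABLED_1, PMAP_ENABLED_2))
```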
pfedit
root@template:/etc/apache2/2.2# profiles -p "httpd edit"
profiles:httpd edit> set auths=solaris.admin.edit//etc/apache2/2.2/httpd.conf
profiles:httpd edit> set desc="Edit httpd"
profiles:httpd edit> exit

root@template:/etc/apache2/2.2# usermod -P +"httpd edit" junior

junior@template:~$ profiles
httpd edit
Basic Solaris User
All

junior@template:~$ vi /etc/apache2/2.2/httpd.conf

junior@template:~$ pfedit /etc/apache2/2.2/httpd.conf
pfedit: /etc/apache2/2.2/httpd.conf has been updated.

junior@template:~$ pfedit /etc/apache2/2.2/mime.types
pfedit: User junior is not authorized to edit the file /etc/apache2/2.2/mime.types

root@template:/etc/apache2/2.2# profiles -p "httpd edit"
profiles:httpd edit> info
        name=httpd edit
        desc=Edit httpd
        auths=solaris.admin.edit//etc/apache2/2.2/httpd.conf
profiles:httpd edit> add auths=solaris.admin.edit//etc/apache2/2.2/mime.types

junior@template:~$ pfedit /etc/apache2/2.2/mime.types
pfedit: no changes for /etc/apache2/2.2/mime.types

# profiles -p "httpd configure"
profiles:httpd configure> add always_audit=as
profiles:httpd configure> info
        name=httpd configure
        desc=Configure httpd
        auths=solaris.admin.edit//etc/apache2/2.2/httpd.conf,solaris.admin.edit//etc/apache2/2.2/mime.types
        always_audit=as
        never_audit=no
profiles:httpd configure> exit
root@template:~#

root@template:~# auditreduce -c as | praudit
[...]
header,486,2,edit administrative file,,fe80::a00:27ff:fea6:33cb,2013-08-12 07:45:52.306 +0000
subject,junior,junior,staff,junior,staff,4212,4474671663,69 136704 MacBook-Pro-of-c0t0d0s0.fritz.box
path,/etc/apache2/2.2/httpd.conf
use of authorization,solaris.admin.edit//etc/apache2/2.2/httpd.conf
text,--- /etc/apache2/2.2/httpd.conf Mo Aug 12 07:45:00 2013
+++ /etc/apache2/2.2/httpd.conf.pfedit.1BaGoi Mo Aug 12 07:45:52 2013
@@ -1,5 +1,6 @@
 # Test
 # Test 2
+# Test 3
 #
 # This is the main Apache HTTP server configuration file.  It contains the
 # configuration directives that give the server its instructions.
return,success,0
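The praudit records on this slide and on the earlier auditreduce slide (the execve(2) record from the ps class) share one layout, so a single parser serves both. It is added here as an example, not code from the slides: it splits praudit output into records and tokens, and for a pfedit "edit administrative file" record pulls the changed lines out of the unified diff carried in the text token. Both records below are constructed after the slide layout; hosts, session ids and the pfedit temp-file suffix are placeholders.

```python
# constructed praudit output following the two records shown on the slides
PRAUDIT_OUTPUT = """\
header,139,2,execve(2),,client,2013-09-12 18:40:55.924 +0000
path,/usr/sbin/auditreduce
attribute,100555,root,bin,65538,65875,18446744073709551615
subject,jmoekamp,root,root,root,root,2054,1440080956,2480 202240 client
return,success,0
header,486,2,edit administrative file,,client,2013-08-12 07:45:52.306 +0000
subject,junior,junior,staff,junior,staff,4212,4474671663,69 136704 client
path,/etc/apache2/2.2/httpd.conf
use of authorization,solaris.admin.edit//etc/apache2/2.2/httpd.conf
text,--- /etc/apache2/2.2/httpd.conf Mon Aug 12 07:45:00 2013
+++ /etc/apache2/2.2/httpd.conf.pfedit.XXXXXX Mon Aug 12 07:45:52 2013
@@ -1,5 +1,6 @@
 # Test
 # Test 2
+# Test 3
 #
 # This is the main Apache HTTP server configuration file.
return,success,0
"""

# token names that start a new line in praudit's default (comma-separated) output
TOKEN_NAMES = ("header", "path", "attribute", "subject", "use of authorization",
               "text", "return", "exec_args", "trailer")


def parse_praudit(text):
    """praudit output -> list of records; each record is a list of [token, fields].
    A multi-line text token (the pfedit diff) stays together in its last field."""
    records, record, current = [], None, None
    for line in text.splitlines():
        name = line.split(",", 1)[0]
        if name == "header":                  # every record starts with a header token
            record = []
            records.append(record)
        if name in TOKEN_NAMES and record is not None:
            current = [name, line.split(",")[1:]]
            record.append(current)
        elif current is not None:             # continuation line of the previous token
            current[1][-1] += "\n" + line
    return records


def summarize(record):
    """Event type, acting user, object path, authorization used and outcome."""
    info = {"event": None, "user": None, "path": None,
            "authorization": None, "result": None, "diff": None}
    for name, fields in record:
        if name == "header":
            info["event"] = fields[2]
        elif name == "subject":
            info["user"] = fields[0]
        elif name == "path":
            info["path"] = fields[0]
        elif name == "use of authorization":
            info["authorization"] = fields[0]
        elif name == "return":
            info["result"] = fields[0]
        elif name == "text":
            info["diff"] = fields[0]
    return info


def changed_lines(diff_text):
    """(added, removed) lines from a unified diff, hunk bodies only."""
    added, removed, in_hunk = [], [], False
    for line in diff_text.splitlines():
        if line.startswith("@@"):
            in_hunk = True
            continue
        if not in_hunk or line.startswith(("---", "+++")):
            continue
        if line.startswith("+"):
            added.append(line[1:])
        elif line.startswith("-"):
            removed.append(line[1:])
    return added, removed


if __name__ == "__main__":
    for record in parse_praudit(PRAUDIT_OUTPUT):
        info = summarize(record)
        print(info["event"], info["user"], info["path"], info["result"])
        if info["diff"]:
            print("  changed:", changed_lines(info["diff"]))
```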
Delegating privilege to restart services (so you can keep the root password)

junior@template:~$ svcadm refresh apache22
svcadm: svc:/network/http:apache22: Permission denied.

# svcs -a | grep apache22
online         15:30:29 svc:/network/http:apache22

# auths add -t "Apache22 value" solaris.smf.value.http.apache22
# auths add -t "Apache22 action" solaris.smf.action.http.apache22

# svccfg -s apache22 setprop general/value_authorization = astring: solaris.smf.value.http.apache22
# svccfg -s apache22 setprop general/action_authorization = astring: solaris.smf.action.http.apache22

# profiles -p "httpd edit"
profiles:httpd edit> add auths=solaris.smf.action.http.apache22

junior@template:~$ svcadm refresh apache22
junior@template:~$
Privileges
$ ls -l /usr/sbin/traceroute
-r-sr-xr-x   1 root     bin        42324 Nov 21 00:09 /usr/sbin/traceroute
$ ls -l /usr/sbin/ping
-r-sr-xr-x   1 root     bin        51396 Nov 18 19:31 /usr/sbin/ping
set-uid to root: ping needs it to work.

# chmod -s /sbin/ping
# exit
$ ping -s 1921681132
ping: socket Permission denied
Remove the set-uid bit and ping stops working.

jmoekamp@daddelkiste:~$ ppriv $$
2153:   -bash
flags = <none>
        E: basic
        I: basic
        P: basic
        L: all
contract_event, contract_identity, contract_observer, cpc_cpu, dtrace_kernel, dtrace_proc, dtrace_user,
file_chown, file_chown_self, file_dac_execute, file_dac_read, file_dac_search, file_dac_write, file_downgrade_sl,
file_flag_set, file_link_any, file_owner, file_read, file_setid, file_upgrade_sl, file_write,
graphics_access, graphics_map, ipc_dac_read, ipc_dac_write, ipc_owner,
net_access, net_bindmlp, net_icmpaccess, net_mac_aware, net_mac_implicit, net_observability, net_privaddr, net_rawaccess,
proc_audit, proc_chroot, proc_clock_highres, proc_exec, proc_fork, proc_info, proc_lock_memory, proc_owner,
proc_priocntl, proc_session, proc_setid, proc_taskid, proc_zone,
sys_acct, sys_admin, sys_audit, sys_config, sys_devices, sys_dl_config, sys_flow_config, sys_ib_config, sys_ib_info,
sys_ip_config, sys_ipc_config, sys_iptun_config, sys_linkdir, sys_mount, sys_net_config, sys_nfs, sys_ppp_config,
sys_res_bind, sys_res_config, sys_resource, sys_share, sys_smb, sys_suser_compat, sys_time, sys_trans_label,
win_colormap, win_config, win_dac_read, win_dac_write, win_devices, win_dga, win_downgrade_sl, win_fontpath,
win_mac_read, win_mac_write, win_selection, win_upgrade_sl

All privileges, in their entirety, assigned to one user are (almost)

Neat extension in Solaris 11: the ability to use networking is now a privilege. It's part of the default set of privileges, but you can remove it.

jmoekamp@daddelkiste:~$ ppriv -v $$
2153:   -bash
flags = <none>
        E: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
        I: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
        P: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
        L: contract_event,contract_identity,contract_observer,cpc_cpu,dtrace_kernel,dtrace_proc,dtrace_user,file_chown,file_chown_self,file_dac_execute,file_dac_read,file_dac_search,file_dac_write,file_downgrade_sl,file_flag_set,file_link_any,file_owner,file_read,file_setid,file_upgrade_sl,file_write,graphics_access,graphics_map,ipc_dac_read,ipc_dac_write,ipc_owner,net_access,net_bindmlp,net_icmpaccess,net_mac_aware,net_mac_implicit,net_observability,net_privaddr,net_rawaccess,proc_audit,proc_chroot,proc_clock_highres,proc_exec,proc_fork,proc_info,proc_lock_memory,proc_owner,proc_priocntl,proc_session,proc_setid,proc_taskid,proc_zone,sys_acct,sys_admin,sys_audit,sys_config,sys_devices,sys_dl_config,sys_flow_config,sys_ib_config,sys_ib_info,sys_ip_config,sys_ipc_config,sys_iptun_config,sys_linkdir,sys_mount,sys_net_config,sys_nfs,sys_ppp_config,sys_res_bind,sys_res_config,sys_resource,sys_share,sys_smb,sys_suser_compat,sys_time,sys_trans_label,win_colormap,win_config,win_dac_read,win_dac_write,win_devices,win_dga,win_downgrade_sl,win_fontpath,win_mac_read,win_mac_write,win_selection,win_upgrade_sl

root@daddelkiste:~# ppriv $$
2183:   -bash
flags = <none>
        E: all
        I: basic
        P: all
        L: all
junior@daddelkiste:~$ dtrace -n 'syscall:::entry { @num[execname] = count(); }'
dtrace: failed to initialize dtrace: DTrace requires additional privileges

root@daddelkiste:~# usermod -K defaultpriv=basic,dtrace_kernel,dtrace_proc,dtrace_user junior
UX: usermod: junior is currently logged in, some changes may not take effect until next login.

junior@daddelkiste:~$ dtrace -n 'syscall:::entry { @num[execname] = count(); }'
dtrace: description 'syscall:::entry' matched 211 probes
^C
  automountd                1
  sshd                     24
  dtrace                  544
  auditd                  564

# ps -ef | grep kcfd
  daemon   125     1   0 14:24:19 ?           0:00 /usr/lib/crypto/kcfd
    root   734   728   0 15:54:08 pts/1       0:00 grep kcfd
# ppriv -v 125
125:    /usr/lib/crypto/kcfd
flags = PRIV_AWARE
        E: file_owner,proc_priocntl,sys_devices
        I: none
        P: file_owner,proc_priocntl,sys_devices
        L: none

# svcadm -v enable -s apache2
svc:/network/http:apache2 enabled.

jmoekamp@client:~$ ps -ef | grep http
webservd  1978  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1979  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1980  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1984  1975   0 12:20:02 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
    root  1975     1   0 12:19:14 ?           0:01 /usr/apache2/2.2/bin/httpd -k start
webservd  1977  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1976  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start

root@client:~# ppriv 1977
1977:   /usr/apache2/2.2/bin/httpd -k start
flags = <none>
        E: basic
        I: basic
        P: basic
        L: all
root@client:~# ppriv 1975
1975:   /usr/apache2/2.2/bin/httpd -k start
flags = <none>
        E: all
        I: basic
        P: all
        L: all
root@client:~#
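Reading ppriv output means expanding the set keywords: "basic" is the nine-privilege default shown by ppriv -v above, "all" is the full list, and "!name" removes one, as in the mysqld "E: basic,!file_write" on the extended-policy slide. The model below is added as an example (not code from the slides or from Solaris); it parses ppriv output for several processes, expands those keywords and reports what a process holds beyond basic. The "all" list is abridged from the privilege list on the slides, and the ppriv samples are constructed after the apache, mysqld and kcfd output shown.

```python
import re

# the basic set exactly as 'ppriv -v $$' shows it on the slides
BASIC = frozenset({"file_link_any", "file_read", "file_write", "net_access",
                   "proc_exec", "proc_fork", "proc_info", "proc_session", "sys_ib_info"})
# abridged stand-in for the full privilege list
ALL = BASIC | frozenset({"dtrace_kernel", "dtrace_proc", "dtrace_user", "file_dac_read",
                         "file_dac_write", "file_owner", "net_privaddr", "proc_owner",
                         "proc_priocntl", "proc_setid", "sys_admin", "sys_devices", "sys_mount"})

# constructed ppriv output: apache parent and child, the mysqld under extended
# policy, and the privilege-aware kcfd daemon
PPRIV_SAMPLE = """\
1975:   /usr/apache2/2.2/bin/httpd -k start
flags = <none>
        E: all
        I: basic
        P: all
        L: all
1977:   /usr/apache2/2.2/bin/httpd -k start
flags = <none>
        E: basic
        I: basic
        P: basic
        L: all
103697: /usr/mysql/5.1/bin/mysqld --basedir=/usr/mysql/5.1
flags = PRIV_XPOLICY
        Extended policies:
                {net_privaddr}:3306/tcp
                {file_write}:/var/mysql/5.1/data/*
        E: basic,!file_write
        I: basic,!file_write
        P: basic,!file_write
        L: all
125:    /usr/lib/crypto/kcfd
flags = PRIV_AWARE
        E: file_owner,proc_priocntl,sys_devices
        I: none
        P: file_owner,proc_priocntl,sys_devices
        L: none
"""

PID_LINE = re.compile(r"^(\d+):\s*(.*)$")


def expand_set(spec):
    """'basic,!file_write,dtrace_proc' -> frozenset of privilege names.
    Tokens are applied left to right, so '!name' removes from what came before."""
    result = set()
    for token in spec.replace(" ", "").split(","):
        if not token or token in ("none", "<none>"):
            continue
        remove = token.startswith("!")
        name = token.lstrip("!")
        members = {"basic": BASIC, "all": ALL}.get(name, frozenset({name}))
        if remove:
            result -= members
        else:
            result |= members
    return frozenset(result)


def parse_ppriv(text):
    """ppriv output for one or more processes -> {pid: {'cmd','flags','E','I','P','L'}}."""
    procs, current = {}, None
    for line in text.splitlines():
        s = line.strip()
        m = PID_LINE.match(s)
        if m:
            current = procs.setdefault(int(m.group(1)), {"cmd": m.group(2)})
        elif s.startswith("flags") and current is not None:
            current["flags"] = s.split("=", 1)[1].strip()
        elif s[:2] in ("E:", "I:", "P:", "L:") and current is not None:
            current[s[0]] = expand_set(s[2:])
    return procs


def beyond_basic(proc):
    """Effective privileges the process holds that are not in the basic set."""
    return sorted(proc["E"] - BASIC)


def can_acquire(proc):
    """Privileges the process could still switch on: permitted minus effective."""
    return sorted(proc["P"] - proc["E"])


if __name__ == "__main__":
    for pid, proc in parse_ppriv(PPRIV_SAMPLE).items():
        print(pid, proc["cmd"], "beyond basic:", beyond_basic(proc) or "-")
```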
The apache process as root has the following privileges:

The other processes have the following privileges:

Apache really needs:
So you grant a large number of privileges to one process Apache donlsquot need
c0t0d0s0org69
# svcadm -v disable -s apache2
svc:/network/http:apache2 disabled.

root@client:~# svccfg -s apache22
svc:/network/http:apache22> setprop start/user = astring: webservd
svc:/network/http:apache22> setprop start/group = astring: webservd
svc:/network/http:apache22> setprop start/privileges = astring: basic,proc_session,proc_info,file_link_any,net_privaddr
svc:/network/http:apache22> setprop start/limit_privileges = astring: :default
svc:/network/http:apache22> setprop start/use_profile = boolean: false
svc:/network/http:apache22> setprop start/supp_groups = astring: :default
svc:/network/http:apache22> setprop start/working_directory = astring: :default
svc:/network/http:apache22> setprop start/project = astring: :default
svc:/network/http:apache22> setprop start/resource_pool = astring: :default
svc:/network/http:apache22> end
root@client:~# svcadm -v refresh apache22
Action refresh set for svc:/network/http:apache22.

# echo "LockFile /var/apache2/2.2/logs/accept.lock" >> /etc/apache2/2.2/httpd.conf
# echo "PidFile /var/apache2/2.2/run/httpd.pid" >> /etc/apache2/2.2/httpd.conf
# mkdir -p -m 755 /var/apache2/2.2/run
# chown webservd:webservd /var/apache2/2.2/run
# svcadm enable apache22

webservd  3064  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3062  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3063  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3066  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3061     1   0 16:49:17 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3065  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start

Read-only zone root

zonecfg:testzone> set file-mac-profile=none
zonecfg:testzone> set file-mac-profile=strict
zonecfg:testzone> set file-mac-profile=fixed-configuration
zonecfg:testzone> set file-mac-profile=flexible-configuration

none: Standard read-write non-global zone with no additional protection beyond the existing zone boundaries.
strict: Read-only file system, no exceptions.
fixed-configuration: Permits updates to /var/* directories, with the exception of directories that contain system configuration components.
flexible-configuration: Permits modification of files in /etc/* directories, changes to root's home directory, and updates to /var/* directories. This configuration provides the closest functionality to the Oracle Solaris 10 native sparse root zone.

in-kernel SSL Proxy

# mkdir /etc/keys
# cd /etc/keys
# openssl req -x509 -nodes -days 365 -subj "/C=DE/ST=Hamburg/L=Hamburg/CN=server" -newkey rsa:1024 -keyout /etc/keys/mykey.pem -out /etc/keys/mycert.pem
# cat mycert.pem mykey.pem > my.pem
# chmod 600 *

# echo "pass" > /etc/keys/mypass
# ksslcfg create -f pem -i /etc/keys/my.pem -x 8080 -p /etc/keys/mypass server 443

# ksslcfg create -f pem -i /etc/keys/my.pem -x 8080 -p /etc/keys/mypass -c rsa_aes_256_cbc_sha,rsa_aes_128_cbc_sha,rsa_rc4_128_sha,rsa_rc4_128_md5 server 443

# svcs -a | grep kssl
online          9:03:33 svc:/network/ssl/proxy:kssl-server-443

# svcadm disable apache22
# echo "Listen 192.168.178.108:8080" >> /etc/apache2/2.2/httpd.conf
# svcadm enable apache22
Port number and IP address have to be defined in httpd.conf, otherwise it will not work.

$ openssl s_client -connect server:443
CONNECTED(00000004)
depth=0 /C=DE/ST=Hamburg/L=Hamburg/CN=server
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=DE/ST=Hamburg/L=Hamburg/CN=server
verify return:1
---
Certificate chain
 0 s:/C=DE/ST=Hamburg/L=Hamburg/CN=server
   i:/C=DE/ST=Hamburg/L=Hamburg/CN=server
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICoTCCAgqgAwIBAgIJAKyJdj[...]V5jX3MU=
-----END CERTIFICATE-----
subject=/C=DE/ST=Hamburg/L=Hamburg/CN=server
issuer=/C=DE/ST=Hamburg/L=Hamburg/CN=server
---
No client certificate CA names sent
---
SSL handshake has read 817 bytes and written 328 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-SHA
    Session-ID: 32CEF20CB9FE2A71C74D40BB2DB5CB304DA1B57540B7CFDD113915B99DBE9812
    Session-ID-ctx:
    Master-Key: 1E7B502390951124779C5763B5E4BBAF0A9B0693D08DCA8A587B503A5C5027B6FAD9CA7626B1AD8C62219E8502A5C21E
    Key-Arg   : None
    Start Time: 1242985143
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
GET / HTTP/1.0

HTTP/1.1 200 OK
Date: Fri, 22 May 2009 09:39:13 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8a DAV/2
Last-Modified: Thu, 21 May 2009 21:26:30 GMT
ETag: "341f3-2c-46a72cc211a8f"
Accept-Ranges: bytes
Content-Length: 44
Connection: close
Content-Type: text/html

<html><body><h1>It works!</h1></body></html>
read:errno=0

ZFS Encryption

# zfs create -o encryption=on rpool/export/project

Two keys are involved:
wrapping key: user-settable; the keysource can be prompt, file, https or pkcs11
encryption key: random, not user-settable

Values of the encryption property: aes-128-ccm (=on), aes-192-ccm, aes-256-ccm, aes-128-gcm, aes-192-gcm, aes-256-gcm

# zfs set checksum=sha256+mac <dataset>
If encryption is not off, something like this happens automatically. The checksum property is read-only from then on.

# pktool genkey keystore=pkcs11 keytype=aes keylen=128 label=mykey
Enter PIN for Sun Software PKCS#11 softtoken:
# zfs create -o encryption=on -o keysource=raw,pkcs11:object=mykey tank/project/C
Enter PKCS#11 token PIN for 'tank/project/C':

# zfs create -o encryption=on -o keysource=raw,https://keys.example.com/mykey tank/project/R
# cp myservercert.pem /etc/certs/CA
# svcadm refresh ca-certificates

Changing the wrapping key:
$ zfs key -c rpool/export/project
Enter new passphrase for 'rpool/export/project':

Changing the encryption key (for data written from now on):
# zfs key -K tank/project/A
# zfs clone -K tank/project/A@montag tank/project/D
Creates a new data encryption key. Data written in the clone uses the new data encryption key, which is distinct from the key of its original snapshot.

Solaris Cryptographic Framework

As soon as Solaris detects hardware acceleration for cryptography, Solaris will use it (and so will applications using the Oracle-supplied OpenSSL library or the direct interfaces):
• on-chip crypto accelerator in T-series and current M-series chips
• instruction set extensions in Intel processors (AES-NI)
• supported crypto accelerator cards

Just a side note: T-series crypto acceleration and Intel x86 acceleration have quite different performance characteristics.
T-series: acceleration by offloading crypto outside the pipeline.
Intel x86: acceleration by offering special in-pipeline instructions that speed up execution.
Sounds like splitting hairs.

Using ZFS to do two-factor encryption

jmoekamp@solaris:~$ rmformat
Looking for devices...
     1. Logical Node: /dev/rdsk/c10t0d0p0
        Physical Node: /pci@0,0/pci8086,265c@b/storage@2/disk@0,0
        Connected Device: SanDisk  U3 Cruzer Micro  8.02
        Device Type: Removable
        Bus: USB
        Size: 3.8 GB
        Label:
        Access permissions: Medium is not write protected.
(...)
     3. Logical Node: /dev/rdsk/c9t0d0p0
        Physical Node: /pci@0,0/pci8086,265c@b/storage@1/disk@0,0
        Connected Device: SanDisk  U3 Cruzer Micro  8.02
        Device Type: Removable
        Bus: USB
        Size: 3.8 GB
        Label:
        Access permissions: Medium is not write protected.

root@solaris:~# zpool create a_keystore_usbstick /dev/dsk/c10t0d0p0
root@solaris:~# zpool create datastore /dev/dsk/c9t0d0p0

root@solaris:~# zfs create -o encryption=on a_keystore_usbstick/keys
Enter passphrase for 'a_keystore_usbstick/keys': supersecret
Enter again: supersecret

root@solaris:~# pktool genkey keystore=file keytype=aes keylen=128 outkey=/a_keystore_usbstick/keys/joergsdatastick.key

root@solaris:~# zfs create -o encryption=on -o keysource=raw,file:///a_keystore_usbstick/keys/joergsdatastick.key datastick/joergssecrets

root@solaris:/datastick/joergssecrets# mv /home/jmoekamp/highlyconfidential_nda_presos.tgz .

root@solaris:~# zpool export a_keystore_usbstick
root@solaris:~# zpool export datastick

root@solaris:~# zpool import a_keystore_usbstick
Enter passphrase for 'a_keystore_usbstick/keys': supersecret
root@solaris:~#

root@solaris:~# zpool import datastick
root@solaris:~# cd /datastick/joergssecrets
root@solaris:/datastick/joergssecrets# ls
highconfidential_nda_presos.tgz

Basic Auditing and Reporting Tool

# mkdir /bart-files
# bart create -R /etc > /bart-files/etc.control.manifest

# cat etc.control.manifest | grep nsswitch.nisplus
/nsswitch.nisplus F 2525 100644 user::rw-,group::r--,mask:r--,other:r-- 473976b5 0 3 79e8fd689a5221d1cd059e5077da71b8

# touch /etc/thisisjustatest
# chmod 777 /etc/nsswitch.files
# echo "just a test" >> /etc/nsswitch.nisplus

# bart create -R /etc > /bart-files/etc.check.20130911.manifest

# cd /bart-files
# bart compare etc.control.manifest etc.check.20130911.manifest
/nsswitch.files:
  mode  control:100644  test:100777
  acl  control:user::rw-,group::r--,mask:r--,other:r--  test:user::rwx,group::rwx,mask:rwx,other:rwx
/nsswitch.nisplus:
  size  control:2525  test:2538
  mtime  control:473976b5  test:47a44862
  contents  control:79e8fd689a5221d1cd059e5077da71b8  test:3f79176ec352441db11ec8a3d02ef67c
/thisisjustatest:
  add

Find more information regarding this feature at http://www.c0t0d0s0.org/archives/4069-Less-known-Solaris-features-BART.html

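A small re-implementation of the comparison step, added here as an example (it is not bart's own code): it parses two manifests in the line format shown above and reports the same per-file attribute changes. The manifest contents are constructed; only the nsswitch values are copied from the slides.

```python
from collections import OrderedDict

# Attribute columns of a bart(1M) manifest entry, by file type
# (F = regular file, D = directory), in the order bart writes them.
FIELDS = {
    "F": ("size", "mode", "acl", "mtime", "uid", "gid", "contents"),
    "D": ("size", "mode", "acl", "dirmtime", "uid", "gid"),
}

# Constructed manifests (not captured from a real system): the
# /nsswitch.nisplus values and the /nsswitch.files mode/acl change come
# from the slides above, everything else is made up for the example.
CONTROL_MANIFEST = """\
# constructed bart manifest of /etc before the changes
/ D 1024 40755 user::rwx,group::r-x,mask:r-x,other:r-x 473976b5 0 3
/nsswitch.files F 816 100644 user::rw-,group::r--,mask:r--,other:r-- 473976b5 0 3 1f6a23e0cd5d0d4ac7f1a4b2f5a0c3d9
/nsswitch.nisplus F 2525 100644 user::rw-,group::r--,mask:r--,other:r-- 473976b5 0 3 79e8fd689a5221d1cd059e5077da71b8
"""

TEST_MANIFEST = """\
# constructed bart manifest of /etc after touch, chmod 777 and echo >>
/ D 1024 40755 user::rwx,group::r-x,mask:r-x,other:r-x 473976b5 0 3
/nsswitch.files F 816 100777 user::rwx,group::rwx,mask:rwx,other:rwx 473976b5 0 3 1f6a23e0cd5d0d4ac7f1a4b2f5a0c3d9
/nsswitch.nisplus F 2538 100644 user::rw-,group::r--,mask:r--,other:r-- 47a44862 0 3 3f79176ec352441db11ec8a3d02ef67c
/thisisjustatest F 0 100644 user::rw-,group::r--,mask:r--,other:r-- 47a44862 0 0 d41d8cd98f00b204e9800998ecf8427e
"""


def parse_manifest(text):
    """Parse manifest text into an ordered {fname: {attribute: value}} map;
    comment lines (#) and header lines (!) are skipped."""
    entries = OrderedDict()
    for line in text.splitlines():
        if not line.strip() or line[0] in "#!":
            continue
        parts = line.split()
        fname, ftype, values = parts[0], parts[1], parts[2:]
        names = FIELDS.get(ftype)
        if names is None or len(values) != len(names):
            raise ValueError("unsupported manifest line: %r" % line)
        entry = dict(zip(names, values))
        entry["type"] = ftype
        entries[fname] = entry
    return entries


def compare_manifests(control, test):
    """Return {fname: changes} in the shape of the bart compare report:
    changes is 'add', 'delete', or a list of (attribute, control, test)."""
    report = OrderedDict()
    for fname, c in control.items():
        t = test.get(fname)
        if t is None:
            report[fname] = "delete"
            continue
        if t["type"] != c["type"]:
            report[fname] = [("type", c["type"], t["type"])]
            continue
        diffs = [(k, c[k], t[k]) for k in FIELDS[c["type"]] if c[k] != t[k]]
        if diffs:
            report[fname] = diffs
    for fname in test:
        if fname not in control:
            report[fname] = "add"
    return report


def format_report(report):
    """Render the report the way bart compare prints it."""
    lines = []
    for fname, change in report.items():
        lines.append(fname + ":")
        if isinstance(change, str):
            lines.append("  " + change)
        else:
            for attr, cval, tval in change:
                lines.append("  %s  control:%s  test:%s" % (attr, cval, tval))
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(compare_manifests(parse_manifest(CONTROL_MANIFEST),
                                          parse_manifest(TEST_MANIFEST))))
```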
Apropos Auditing

Auditing is activated by default.

root@client:~# auditconfig -getflags
active user default audit flags = lo(0x1000,0x1000)
configured user default audit flags = lo(0x1000,0x1000)
root@client:~# auditconfig -getnaflags
active non-attributable audit flags = lo(0x1000,0x1000)
configured non-attributable audit flags = lo(0x1000,0x1000)

root@client:~# auditconfig -getpolicy
configured audit policies = cnt
active audit policies = cnt
Policy regarding auditing (explanation on the next slide).

root@client:~# auditconfig -lspolicy
policy string    description
ahlt             halt machine if it can not record an async event
all              all policies
arge             include exec environment args in audit recs
argv             include exec command line args in audit recs
cnt              when no more space, drop recs and keep a cnt
group            include supplementary groups in audit recs
none             no policies
path             allow multiple paths per event
perzone          use a separate queue and auditd per zone
public           audit public files
seq              include a sequence number in audit recs
trail            include trailer token in audit recs
windata_down     include downgraded window information in audit recs
windata_up       include upgraded window information in audit recs
zonename         include zonename token in audit recs
Which degree of detail? What happens with full disks?

root@client:~# auditconfig -getplugin
Plugin: audit_binfile (active)
        Attributes: p_dir=/var/audit;p_fsize=0;p_minfree=1;
Plugin: audit_syslog (inactive)
        Attributes: p_flags=;
Plugin: audit_remote (inactive)
        Attributes: p_hosts=;p_retries=3;p_timeout=5;

root@client:~# auditconfig -setflags lo,ps,fw
user default audit flags = ps,lo,fw(0x101002,0x101002)
root@client:~# auditconfig -setnaflags lo,na
non-attributable audit flags = lo,na(0x1400,0x1400)
lo and na are the only sensible flags for non-attributable events.

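To see how the hex masks in the auditconfig output relate to the class names, here is an added example (not part of the presentation) that encodes and decodes them. The class bits are derived from the values printed above; the handling of the +/- prefixes (success-only / failure-only) follows audit_flags(5).

```python
import re

# Audit class bits as they follow from the auditconfig output above:
# lo(0x1000,0x1000), lo,na(0x1400,0x1400) and ps,lo,fw(0x101002,0x101002)
# give lo=0x1000, na=0x400, ps=0x100000 and fw=0x2.  Only the classes the
# slides use are listed; the full table lives in /etc/security/audit_class.
CLASS_BIT = {
    "lo": 0x1000,      # login/logout
    "na": 0x400,       # non-attributable
    "ps": 0x100000,    # process start/stop
    "fw": 0x2,         # file write
}
ALL_MASK = 0xFFFFFFFFFFFFFFFF   # what 'all' expands to on the slide

FLAGS_RE = re.compile(r"=\s*([^()]+)\((0x[0-9a-fA-F]+),(0x[0-9a-fA-F]+)\)")


def flags_to_masks(flags):
    """Turn an audit_flags string ('lo,ps,fw', '+lo,-fw', 'all') into the
    (success, failure) bitmask pair auditconfig prints.  A bare class is
    audited on success and failure, '+cls' only on success, '-cls' only
    on failure, as described in audit_flags(5)."""
    success = failure = 0
    for token in (t.strip() for t in flags.split(",")):
        if not token:
            continue
        prefix, name = (token[0], token[1:]) if token[0] in "+-" else ("", token)
        bit = ALL_MASK if name == "all" else CLASS_BIT[name]
        if prefix != "-":
            success |= bit
        if prefix != "+":
            failure |= bit
    return success, failure


def masks_to_flags(success, failure):
    """Decode a (success, failure) mask pair back into audit_flags syntax,
    restricted to the classes known in CLASS_BIT."""
    out = []
    for name, bit in CLASS_BIT.items():
        on_success, on_failure = bool(success & bit), bool(failure & bit)
        if on_success and on_failure:
            out.append(name)
        elif on_success:
            out.append("+" + name)
        elif on_failure:
            out.append("-" + name)
    return ",".join(out)


def parse_auditconfig_line(line):
    """Parse one auditconfig -getflags/-setflags output line such as
    'user default audit flags = ps,lo,fw(0x101002,0x101002)' into
    (flag string, success mask, failure mask)."""
    m = FLAGS_RE.search(line)
    if m is None:
        raise ValueError("not an auditconfig flags line: %r" % line)
    return m.group(1).strip(), int(m.group(2), 16), int(m.group(3), 16)


def check_consistency(line):
    """Re-encode the flag string of an auditconfig line and compare it with
    the masks printed on the same line; True when both agree."""
    flags, success, failure = parse_auditconfig_line(line)
    return flags_to_masks(flags) == (success, failure)


if __name__ == "__main__":
    for line in ("user default audit flags = ps,lo,fw(0x101002,0x101002)",
                 "non-attributable audit flags = lo,na(0x1400,0x1400)"):
        flags, s, f = parse_auditconfig_line(line)
        print("%-10s success=0x%x failure=0x%x consistent=%s"
              % (flags, s, f, check_consistency(line)))
```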
root@client:~# usermod -K audit_flags=fw:as junior

root@client:~# auditconfig -lsevent | grep lo
AUE_login                 6152 lo    login - local
AUE_logout                6153 lo    logout
AUE_telnet                6154 lo    login - telnet
AUE_rlogin                6155 lo    login - rlogin
AUE_rshd                  6158 lo    rsh access
AUE_su                    6159 lo    su
AUE_rexecd                6162 lo    rexecd
AUE_passwd                6163 lo    passwd
AUE_rexd                  6164 lo    rexd
AUE_ftpd                  6165 lo    ftp access
AUE_ftpd_logout           6171 lo    ftp logout
AUE_ssh                   6172 lo    login - ssh
AUE_role_login            6173 lo    role login
AUE_rad_login             6174 lo    connect to RAD
AUE_newgrp_login          6212 lo    newgrp login
AUE_admin_authenticate    6213 lo    admin login
AUE_screenlock            6221 lo    screenlock - lock
AUE_screenunlock          6222 lo    screenlock - unlock
AUE_zlogin                6227 lo    login - zlogin
AUE_su_logout             6228 lo    su logout
AUE_role_logout           6229 lo    role logout
AUE_smbd_session          6244 lo    smbd(1m) session setup
AUE_smbd_logoff           6245 lo    smbd(1m) session logoff

root@client:~# auditconfig -lsevent | grep ps
AUE_EXIT                     1 ps    exit(2)
AUE_FORKALL                  2 ps    forkall(2)
AUE_VFORK                   25 ps    vfork(2)
AUE_FORK1                  241 ps    fork1(2)
root@client:~# auditconfig -lsevent | grep fw
AUE_OPEN_W                  76 fw    open(2) - write

# auditreduce -c ps /var/audit/20130912183630.not_terminated.client | praudit
header,139,2,execve(2),,client,2013-09-12 18:40:55.924 +00:00
path,/usr/sbin/auditreduce
attribute,100555,root,bin,65538,65875,18446744073709551615
subject,jmoekamp,root,root,root,root,2054,1440080956,2480 202240 192.168.10.1
return,success,0

root@client:~# auditconfig -setflags all
user default audit flags = all(0xffffffffffffffff,0xffffffffffffffff)
Not always (in the sense of: never) a good idea.
Useful after trying out: starting a new audit file.
root@client:~# audit -n

root@client:~# auditstat
   gen  nona  kern   aud   ctl   enq  wrtn  wblk  rblk  drop   tot   mem
 38248     1 38233    14     0 37791 37788     0  3491   457  5169     0
All classes activated for a few seconds on an unloaded system.

SSH and X509

root@ca:~# CA.pl -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
......++++++
......++++++
writing new private key to '/etc/openssl/private/cakey.pem'
Enter PEM pass phrase: supersecret1
Verifying - Enter PEM pass phrase: supersecret1
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:DE
State or Province Name (full name) []:Lower Saxony
Locality Name (eg, city) []:Lueneburg
Organization Name (eg, company) []:c0t0d0s0.org
Organizational Unit Name (eg, section) []:Security Department
Common Name (eg, server FQDN or YOUR name) []:CA
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openssl/openssl.cnf
Enter pass phrase for /etc/openssl/private/cakey.pem: supersecret1
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            b3:54:80:88:66:ad:e8:78
        Validity
            Not Before: Sep 26 10:11:09 2013 GMT
            Not After : Sep 25 10:11:09 2016 GMT
        Subject:
            countryName               = DE
            stateOrProvinceName       = Lower Saxony
            organizationName          = c0t0d0s0.org
            organizationalUnitName    = Security Department
            commonName                = CA
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44
            X509v3 Authority Key Identifier:
                keyid:5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44

            X509v3 Basic Constraints:
                CA:TRUE
Certificate is to be certified until Sep 25 10:11:09 2016 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated

root@ca:~# mkdir server
root@ca:~# cd server
root@ca:~/server# CA.pl -newreq
Generating a 1024 bit RSA private key
......++++++
......++++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase: supersecret2
Verifying - Enter PEM pass phrase: supersecret2
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:DE
State or Province Name (full name) []:Lower Saxony
Locality Name (eg, city) []:Lueneburg
Organization Name (eg, company) []:c0t0d0s0.org
Organizational Unit Name (eg, section) []:Server Certificates
Common Name (eg, server FQDN or YOUR name) []:server
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem

root@ca:~/server# CA.pl -signreq
Using configuration from /etc/openssl/openssl.cnf
Enter pass phrase for /etc/openssl/private/cakey.pem: supersecret1
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            b3:54:80:88:66:ad:e8:79
        Validity
            Not Before: Sep 26 10:29:12 2013 GMT
            Not After : Sep 26 10:29:12 2014 GMT
        Subject:
            countryName               = DE
            stateOrProvinceName       = Lower Saxony
            localityName              = Lueneburg
            organizationName          = c0t0d0s0.org
            organizationalUnitName    = Server Certificates
            commonName                = server
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                A7:DC:03:DE:B3:D5:FB:F9:C0:06:F1:1A:55:A9:AD:04:C4:9C:10:FA
            X509v3 Authority Key Identifier:
                keyid:5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44

Certificate is to be certified until Sep 26 10:29:12 2014 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
root@ca:~/server# ls -l
total 15
-rw-r--r--   1 root     root        3196 Sep 26 12:29 newcert.pem
-rw-r--r--   1 root     root        1041 Sep 26 12:28 newkey.pem
-rw-r--r--   1 root     root         680 Sep 26 12:28 newreq.pem

root@ca:~/junior# CA.pl -newreq
Generating a 1024 bit RSA private key
......++++++
......++++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
Verify failure
Enter PEM pass phrase: supersecret3
Verifying - Enter PEM pass phrase: supersecret3
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:DE
State or Province Name (full name) []:Lower Saxony
Locality Name (eg, city) []:Lueneburg
Organization Name (eg, company) []:c0t0d0s0.org
Organizational Unit Name (eg, section) []:User certificates
Common Name (eg, server FQDN or YOUR name) []:junior
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem

root@ca:~/junior# CA.pl -signreq
Using configuration from /etc/openssl/openssl.cnf
Enter pass phrase for /etc/openssl/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            b3:54:80:88:66:ad:e8:7a
        Validity
            Not Before: Sep 26 11:09:29 2013 GMT
            Not After : Sep 26 11:09:29 2014 GMT
        Subject:
            countryName               = DE
            stateOrProvinceName       = Lower Saxony
            localityName              = Lueneburg
            organizationName          = c0t0d0s0.org
            organizationalUnitName    = User certificates
            commonName                = junior
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                A1:F2:FC:9D:8A:E2:AD:9A:F5:29:03:F5:B7:14:93:3C:64:62:8E:9C
            X509v3 Authority Key Identifier:
                keyid:5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44

Certificate is to be certified until Sep 26 11:09:29 2014 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem

root@server:~# useradd -m junior
80 blocks
root@server:~# passwd junior
New Password:
Re-enter new Password:
passwd: password successfully changed for junior
root@server:~#

root@client:~# useradd -m junior
80 blocks
root@client:~# passwd junior
New Password:
Re-enter new Password:
passwd: password successfully changed for junior

root@server:~# echo "192.168.105.1 server" >> /etc/hosts
root@server:~# echo "192.168.105.2 client" >> /etc/hosts

root@client:~# echo "192.168.105.1 server" >> /etc/hosts
root@client:~# echo "192.168.105.2 client" >> /etc/hosts

root@ca:~/server# scp /etc/openssl/cacert.pem jmoekamp@192.168.110.9:/export/home/jmoekamp
Password:
cacert.pem           100%  3011   00:00
root@ca:~/server# scp newcert.pem jmoekamp@192.168.110.9:/export/home/jmoekamp
Password:
newcert.pem          100%  3196   00:00
root@ca:~/server# scp newkey.pem jmoekamp@192.168.110.9:/export/home/jmoekamp
Password:
newkey.pem           100%  1041   00:00

root@ca:~/junior# scp newkey.pem junior@client:/export/home/junior
Password:
newkey.pem           100%  1041   00:00
root@ca:~/junior# scp newcert.pem junior@client:/export/home/junior
Password:
newcert.pem          100%  3190   00:00
root@ca:~/junior# scp /etc/openssl/cacert.pem junior@192.168.110.4:/export/home/junior
Password:
cacert.pem           100%  3011   00:00

On the Server

root@server:~# ls
cacert.pem  newcert.pem  newkey.pem

root@server:~# pktool setpin
Enter token passphrase: changeme
Create new passphrase: superserversecret
Re-enter new passphrase: superserversecret
Passphrase changed.
root@server:~#

root@server:~# printf "superserversecret" > /etc/ssh/pinfile

root@server:~# kmfcfg create dbfile=/etc/ssh/policy.xml policy=ssh ta-name=search mapper-name=cn

root@server:~# echo "TrustedAnchorKeystore /etc/ssh/cert" >> /etc/ssh/sshd_config
root@server:~# echo "KMFPolicyDatabase /etc/ssh/policy.xml" >> /etc/ssh/sshd_config
root@server:~# echo "KMFPolicyName ssh" >> /etc/ssh/sshd_config
root@server:~# echo "HostKey pkcs11:object=host;token=Sun Metaslot;pinfile=/etc/ssh/pinfile" >> /etc/ssh/sshd_config

root@server:~# pktool import keystore=pkcs11 infile=newkey.pem objtype=key label=host
Enter PIN for Sun Software PKCS#11 softtoken  : superserversecret
Enter PEM pass phrase: supersecret2
Importing 1 keys

root@server:~# egrep -v '^ |^$|^Cert' /export/home/jmoekamp/cacert.pem > /etc/ssh/cert/cacert.cooked.pem
root@server:~# egrep -v '^ |^$|^Cert' newcert.pem > newcert.cooked.pem
root@server:~# pktool import keystore=pkcs11 infile=newcert.cooked.pem objtype=cert label=host
root@server:~#

On the client

junior@client:~$ ls *.pem
cacert.pem  newcert.pem  newkey.pem

root@client:~# kmfcfg create dbfile=/etc/ssh/policy.xml policy=ssh ta-name=search mapper-name=cn
root@client:~# egrep -v '^ |^$|^Cert' /export/home/junior/cacert.pem > /etc/ssh/cert/cacert.cooked.pem

junior@client:~$ pktool setpin
Enter token passphrase: changeme
Create new passphrase: superusersecret
Re-enter new passphrase: superusersecret
Passphrase changed.

junior@client:~$ pktool import keystore=pkcs11 infile=newkey.pem objtype=key label=user
Enter PIN for Sun Software PKCS#11 softtoken  : superusersecret
Enter PEM pass phrase: supersecret3
Importing 1 keys
junior@client:~$ egrep -v '^ |^$|^Cert' newcert.pem > newcert.cooked.pem
junior@client:~$ pktool import keystore=pkcs11 infile=newcert.cooked.pem objtype=cert label=user

Testing it

root@server:~# svcadm disable ssh
root@server:~# svcadm enable ssh

junior@client:~$ cd .ssh
junior@client:~/.ssh$ printf "superusersecret" >> pinfile
junior@client:~/.ssh$ cat config
Host server-x509
    Hostname server
    TrustedAnchorKeystore /etc/ssh/cert
    KMFPolicyDatabase /etc/ssh/policy.xml
    KMFPolicyName ssh
    IdentityFile pkcs11:object=user;token=Sun Software PKCS#11 softtoken;pinfile=/export/home/junior/.ssh/pinfile

junior@client:~/.ssh$ ssh junior@server-x509
Last login: Thu Sep 26 20:07:14 2013 from client
Oracle Corporation      SunOS 5.11      11.1    September 2013
junior@server:~$

Find more information regarding this feature at http://www.c0t0d0s0.org/archives/7659-Using-X509-support-for-SSH-on-Solaris-11.1.html

OpenSCAP

"The Security Content Automation Protocol (SCAP) is a method for using specific standards to enable automated vulnerability management, measurement, and policy compliance evaluation (e.g., FISMA compliance). The National Vulnerability Database (NVD) is the U.S. government content repository for SCAP."
http://en.wikipedia.org/wiki/Security_Content_Automation_Protocol

ftp-banner.xml

<?xml version="1.0" encoding="UTF-8"?>
<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:independent-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd">
  <generator>
    <oval:product_name>Enhanced SCAP Editor</oval:product_name>
    <oval:product_version>0.0.11</oval:product_version>
    <oval:schema_version>5.8</oval:schema_version>
    <oval:timestamp>2012-10-11T10:33:25</oval:timestamp>
  </generator>
  <!--generated.oval.base.identifier=com.oracle.solaris11-->
  <definitions>
    <definition id="oval:com.oracle.solaris11:def:840" version="1" class="compliance">
      <metadata>
        <title>Enable a Warning Banner for the FTP Service</title>
        <affected family="unix">
          <platform>Oracle Solaris 11</platform>
        </affected>
        <description>/etc/proftpd.conf contains DisplayConnect /etc/issue</description>
      </metadata>
      <criteria operator="AND" negate="false" comment="Single test">
        <criterion comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;" test_ref="oval:com.oracle.solaris11:tst:8400" negate="false"/>
      </criteria>
    </definition>
  </definitions>
  <tests>
    <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:com.oracle.solaris11:tst:8400" version="1" check="all" comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;" check_existence="all_exist">
      <object object_ref="oval:com.oracle.solaris11:obj:8400"/>
    </textfilecontent54_test>
  </tests>
  <objects>
    <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:com.oracle.solaris11:obj:8400" version="1" comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;">
      <path datatype="string" operation="equals">/etc</path>
      <filename datatype="string" operation="equals">proftpd.conf</filename>
      <pattern datatype="string" operation="pattern match">^DisplayConnect\s/etc/issue\s*$</pattern>
      <instance datatype="int" operation="greater than or equal">1</instance>
    </textfilecontent54_object>
  </objects>
</oval_definitions>

The textfilecontent54_object at the end is the actual check: the file /etc/proftpd.conf must contain at least one line matching the pattern.

$ oscap oval eval ftp-banner.xml
Definition oval:com.oracle.solaris11:def:840: false
Evaluation done.

$ oscap oval eval --results results.xml --report report.html ftp-banner.xml
Definition oval:com.oracle.solaris11:def:840: false
Evaluation done.
OVAL Results are exported correctly.

To create your own OVAL files: Enhanced SCAP Content Editor

Find more information regarding this feature at https://blogs.oracle.com/darren/entry/compliance_reporting_with_scap

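An added example (not from the presentation and not OpenSCAP code) that evaluates the textfilecontent54 check from ftp-banner.xml against constructed /etc/proftpd.conf contents and reproduces the true/false verdict oscap prints. It uses a cut-down copy of the definition without the generator metadata; the in-memory file system is an assumption of the example.

```python
import re
import xml.etree.ElementTree as ET

OVAL_DEF = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
OVAL_IND = OVAL_DEF + "#independent"

# Constructed, cut-down copy of the page's ftp-banner.xml: the same
# definition, test and textfilecontent54_object, without generator metadata.
FTP_BANNER_XML = f"""<oval_definitions xmlns="{OVAL_DEF}">
  <definitions>
    <definition id="oval:com.oracle.solaris11:def:840" version="1" class="compliance">
      <criteria operator="AND" negate="false">
        <criterion test_ref="oval:com.oracle.solaris11:tst:8400" negate="false"/>
      </criteria>
    </definition>
  </definitions>
  <tests>
    <textfilecontent54_test xmlns="{OVAL_IND}" id="oval:com.oracle.solaris11:tst:8400"
        version="1" check="all" check_existence="all_exist">
      <object object_ref="oval:com.oracle.solaris11:obj:8400"/>
    </textfilecontent54_test>
  </tests>
  <objects>
    <textfilecontent54_object xmlns="{OVAL_IND}" id="oval:com.oracle.solaris11:obj:8400" version="1">
      <path datatype="string" operation="equals">/etc</path>
      <filename datatype="string" operation="equals">proftpd.conf</filename>
      <pattern datatype="string" operation="pattern match">^DisplayConnect\\s/etc/issue\\s*$</pattern>
      <instance datatype="int" operation="greater than or equal">1</instance>
    </textfilecontent54_object>
  </objects>
</oval_definitions>
"""


def _tag(ns, name):
    return "{%s}%s" % (ns, name)


def collect_items(obj, files):
    """Emulate item collection for a textfilecontent54_object against a
    constructed in-memory file system {absolute path: content}.  Every line
    matching the pattern is one match; the instance entity then selects
    which of those matches become items."""
    path = obj.find(_tag(OVAL_IND, "path")).text
    fname = obj.find(_tag(OVAL_IND, "filename")).text
    pattern = re.compile(obj.find(_tag(OVAL_IND, "pattern")).text, re.MULTILINE)
    content = files.get(path.rstrip("/") + "/" + fname)
    if content is None:
        return []                      # file missing: object does not exist
    matches = [m.group(0) for m in pattern.finditer(content)]
    inst = obj.find(_tag(OVAL_IND, "instance"))
    n = int(inst.text)
    if inst.get("operation") == "greater than or equal":
        return matches[n - 1:]         # n-th match and all later ones
    return matches[n - 1:n]            # "equals": exactly the n-th match


def evaluate_test(test, objects, files):
    """With check_existence="all_exist" and no state element, the test is
    true exactly when at least one item was collected."""
    obj = objects[test.find(_tag(OVAL_IND, "object")).get("object_ref")]
    return len(collect_items(obj, files)) > 0


def evaluate_definitions(xml_text, files):
    """Return {definition id: bool}, the verdicts oscap oval eval prints
    as 'Definition <id>: true/false'."""
    root = ET.fromstring(xml_text)
    tests = {t.get("id"): t for t in root.find(_tag(OVAL_DEF, "tests"))}
    objects = {o.get("id"): o for o in root.find(_tag(OVAL_DEF, "objects"))}
    results = {}
    for d in root.find(_tag(OVAL_DEF, "definitions")):
        crit = d.find(_tag(OVAL_DEF, "criteria"))
        verdicts = []
        for c in crit.findall(_tag(OVAL_DEF, "criterion")):
            v = evaluate_test(tests[c.get("test_ref")], objects, files)
            verdicts.append(not v if c.get("negate") == "true" else v)
        res = all(verdicts) if crit.get("operator", "AND") == "AND" else any(verdicts)
        results[d.get("id")] = not res if crit.get("negate") == "true" else res
    return results


# Constructed /etc/proftpd.conf contents for the two possible outcomes.
NO_BANNER = {"/etc/proftpd.conf": "ServerName ProFTPD\nDefaultServer on\n"}
WITH_BANNER = {"/etc/proftpd.conf": "ServerName ProFTPD\nDisplayConnect /etc/issue\n"}

if __name__ == "__main__":
    for name, files in (("without banner", NO_BANNER), ("with banner", WITH_BANNER)):
        for def_id, verdict in evaluate_definitions(FTP_BANNER_XML, files).items():
            print("%s: Definition %s: %s" % (name, def_id, str(verdict).lower()))
```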
root@solaris:~# profiles -p "MySQL Service"
MySQL Service> set desc="Locking down the MySQL Service"
MySQL Service> add cmd=/lib/svc/method/mysql_51
MySQL Service:mysql_51> set privs=basic
MySQL Service:mysql_51> add privs={net_privaddr}:3306/tcp
MySQL Service:mysql_51> add privs={file_write}:/var/mysql/5.1/data/*
MySQL Service:mysql_51> add privs={file_write}:/tmp/mysql.sock
MySQL Service:mysql_51> add privs={file_write}:/var/tmp/ib*
MySQL Service:mysql_51> end
MySQL Service> set uid=mysql
MySQL Service> set gid=mysql
MySQL Service> exit
root@solaris:~#

root@solaris:~# svccfg -s mysql:version_51
svc:/application/database/mysql:version_51> setprop method_context/profile="MySQL Service"
svc:/application/database/mysql:version_51> setprop method_context/use_profile=true
svc:/application/database/mysql:version_51> refresh
svc:/application/database/mysql:version_51> exit

root@solaris:~# ipadm set-prop -p extra_priv_ports+=3306 tcp
root@solaris:~# ipadm show-prop -p extra_priv_ports tcp
PROTO PROPERTY         PERM CURRENT   PERSISTENT DEFAULT   POSSIBLE
tcp   extra_priv_ports rw   2049,4045 --         2049,4045 1-65535
                            3306

# svcadm enable mysql:version_51

root@solaris:~# ppriv $(pgrep mysql)
103697: /usr/mysql/5.1/bin/mysqld --basedir=/usr/mysql/5.1 --datadir=/var/mysq
flags = PRIV_XPOLICY
        Extended policies:
                {net_privaddr}:3306/tcp
                {file_write}:/var/mysql/5.1/data/*
                {file_write}:/tmp/mysql.sock
                {file_write}:/var/tmp/ib*
        E: basic,!file_write
        I: basic,!file_write
        P: basic,!file_write
        L: all
103609: /bin/sh /usr/mysql/5.1/bin/mysqld_safe --user=mysql --datadir=/var/mys
flags = PRIV_XPOLICY
        Extended policies:
                {net_privaddr}:3306/tcp
                {file_write}:/var/mysql/5.1/data/*
                {file_write}:/tmp/mysql.sock
                {file_write}:/var/tmp/ib*
        E: basic,!file_write
        I: basic,!file_write
        P: basic,!file_write
        L: all

Find more information regarding this feature at https://blogs.oracle.com/gfaden/entry/oracle_solaris_extended_policy_and

Passwords

root@client:/etc/security# cat /etc/security/crypt.conf
#
# Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
#ident  "%Z%%M% %I%     %E% SMI"
#
# The algorithm name __unix__ is reserved.
#
1       crypt_bsdmd5.so.1
2a      crypt_bsdbf.so.1
md5     crypt_sunmd5.so.1
5       crypt_sha256.so.1
6       crypt_sha512.so.1

root@client:/etc/security# cat /etc/security/policy.conf | egrep ^CRYPT_DEFAULT
CRYPT_DEFAULT=5
root@client:/etc/security# cat /etc/shadow | grep junior
junior:$5$4aKvDFqA$2kL8GpuXjrdf8XpanqhylEP5lDhy1DF5uo1ZYx74f3159291440

root@client:/etc/security# cat /etc/default/passwd | grep -v "^# " | egrep -v "^$|^#$"
#ident  "%Z%%M% %I%     %E% SMI"
MAXWEEKS=
MINWEEKS=
PASSLENGTH=6
NAMECHECK=NO
HISTORY=0
MINDIFF=3
MINALPHA=2
MINNONALPHA=1
MINUPPER=0
MINLOWER=0
MAXREPEATS=0
MINSPECIAL=0
MINDIGIT=0
WHITESPACE=YES
DICTIONLIST=
DICTIONDBDIR=/var/passwd

root@client# mkpwdict -s /usr/share/lib/dict/words
mkpwdict: using default database location: /var/passwd.

or

root@client# mkpwdict -s /usr/share/lib/dict/words -d /var/passwd
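As an added example (not from the slides, and not an Oracle tool), here is a POSIX shell check of an /etc/default/passwd file against a stricter baseline. The sample file content mirrors the settings on the slide; the baseline values (PASSLENGTH at least 8, HISTORY at least 4, MAXWEEKS set, NAMECHECK=YES, a dictionary directory configured) are this example's own assumptions, not Solaris defaults.

```shell
#!/bin/sh
# Added example: compare /etc/default/passwd settings with a baseline.
# Constructed sample, mirroring the values shown on the slide.
SAMPLE_DEFAULT_PASSWD='MAXWEEKS=
MINWEEKS=
PASSLENGTH=6
NAMECHECK=NO
HISTORY=0
MINDIFF=3
MINALPHA=2
MINNONALPHA=1
MINUPPER=0
MINLOWER=0
MAXREPEATS=0
MINSPECIAL=0
MINDIGIT=0
WHITESPACE=YES
DICTIONLIST=
DICTIONDBDIR=/var/passwd'

# Value of KEY in the config text $1 (empty if unset or absent).
getval() {
    printf '%s\n' "$1" | sed -n "s/^$2=//p" | head -n 1
}

# One line per setting weaker than the baseline; no output means compliant.
# The thresholds are this example's assumptions, adjust them to local policy.
passwd_policy_findings() {
    cfg=$1
    v=$(getval "$cfg" PASSLENGTH); [ "${v:-0}" -ge 8 ] || echo "PASSLENGTH=$v below 8"
    v=$(getval "$cfg" HISTORY);    [ "${v:-0}" -ge 4 ] || echo "HISTORY=$v below 4"
    v=$(getval "$cfg" MAXWEEKS);   [ -n "$v" ] || echo "MAXWEEKS unset: passwords never expire"
    v=$(getval "$cfg" NAMECHECK);  [ "$v" = YES ] || echo "NAMECHECK=$v: password may contain the login name"
    v=$(getval "$cfg" DICTIONDBDIR); d=$(getval "$cfg" DICTIONLIST)
    [ -n "$v" ] || [ -n "$d" ] || echo "no dictionary configured (DICTIONDBDIR/DICTIONLIST empty)"
}

# On a Solaris host:  passwd_policy_findings "$(cat /etc/default/passwd)"
passwd_policy_findings "$SAMPLE_DEFAULT_PASSWD"
```

Run against the slide's settings this reports four findings (PASSLENGTH, HISTORY, MAXWEEKS and NAMECHECK); the dictionary check passes because DICTIONDBDIR is set, which is what the mkpwdict step on the next slide populates.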
Address Space Layout Randomization

root@solaris# sxadm exec -s aslr=disable /usr/bin/pmap self
1914:   /usr/bin/pmap self
0000000000400000     28K r-x--  /usr/bin/pmap
0000000000417000      4K rw---  /usr/bin/pmap
0000000000418000     40K rw---    [ heap ]
FFFF80FFBDDD0000    216K r-x--  /lib/amd64/libproc.so.1
FFFF80FFBDE16000      8K rw---  /lib/amd64/libproc.so.1
FFFF80FFBF430000   1764K r-x--  /lib/amd64/libc.so.1
FFFF80FFBF5F9000     64K rw---  /lib/amd64/libc.so.1
FFFF80FFBF609000     12K rw---  /lib/amd64/libc.so.1
FFFF80FFBF740000      4K rw---    [ anon ]
FFFF80FFBF750000     24K rwx--    [ anon ]
FFFF80FFBF760000      4K rw---    [ anon ]
FFFF80FFBF770000      4K rw---    [ anon ]
FFFF80FFBF780000      4K rw---    [ anon ]
FFFF80FFBF790000      4K rw---    [ anon ]
FFFF80FFBF792000      4K r--s-    [ anon ]
FFFF80FFBF795000    340K r-x--  /lib/amd64/ld.so.1
FFFF80FFBF7FA000     12K rwx--  /lib/amd64/ld.so.1
FFFF80FFBF7FD000      8K rwx--  /lib/amd64/ld.so.1
FFFF80FFBFFFD000     12K rw---    [ stack ]
 total          2556K

root@solaris# sxadm exec -s aslr=disable /usr/bin/pmap self
1915:   /usr/bin/pmap self
0000000000400000     28K r-x--  /usr/bin/pmap
0000000000417000      4K rw---  /usr/bin/pmap
0000000000418000     40K rw---    [ heap ]
FFFF80FFBDDD0000    216K r-x--  /lib/amd64/libproc.so.1
FFFF80FFBDE16000      8K rw---  /lib/amd64/libproc.so.1
FFFF80FFBF430000   1764K r-x--  /lib/amd64/libc.so.1
FFFF80FFBF5F9000     64K rw---  /lib/amd64/libc.so.1
FFFF80FFBF609000     12K rw---  /lib/amd64/libc.so.1
FFFF80FFBF740000      4K rw---    [ anon ]
FFFF80FFBF750000     24K rwx--    [ anon ]
FFFF80FFBF760000      4K rw---    [ anon ]
FFFF80FFBF770000      4K rw---    [ anon ]
FFFF80FFBF780000      4K rw---    [ anon ]
FFFF80FFBF790000      4K rw---    [ anon ]
FFFF80FFBF792000      4K r--s-    [ anon ]
FFFF80FFBF795000    340K r-x--  /lib/amd64/ld.so.1
FFFF80FFBF7FA000     12K rwx--  /lib/amd64/ld.so.1
FFFF80FFBF7FD000      8K rwx--  /lib/amd64/ld.so.1
FFFF80FFBFFFD000     12K rw---    [ stack ]
 total          2556K

root@solaris# sxadm exec -s aslr=enable /usr/bin/pmap self
1917:   /usr/bin/pmap self
0000000000400000     28K r-x--  /usr/bin/pmap
0000000000417000      4K rw---  /usr/bin/pmap
0000000000418000      8K rw---  /usr/bin/pmap
00000005D6666000     36K rw---    [ heap ]
00007FF669C70000    216K r-x--  /lib/amd64/libproc.so.1
00007FF669CB6000      8K rw---  /lib/amd64/libproc.so.1
00007FF669CC0000      4K rw---    [ anon ]
00007FF669CD0000     24K rwx--    [ anon ]
00007FF669CE0000      4K rw---    [ anon ]
00007FF669CF0000   1764K r-x--  /lib/amd64/libc.so.1
00007FF669EB9000     64K rw---  /lib/amd64/libc.so.1
00007FF669EC9000     12K rw---  /lib/amd64/libc.so.1
00007FF669ED0000      4K rw---    [ anon ]
00007FF669EE0000      4K rw---    [ anon ]
00007FF669EF0000      4K rw---    [ anon ]
00007FF669EF2000      4K r--s-    [ anon ]
00007FF669EFC000    340K r-x--  /lib/amd64/ld.so.1
00007FF669F61000     12K rwx--  /lib/amd64/ld.so.1
00007FF669F64000      8K rwx--  /lib/amd64/ld.so.1
FFFF80DDA254F000     16K rw---    [ stack ]
 total          2564K

root@solaris# sxadm exec -s aslr=enable /usr/bin/pmap self
1918:   /usr/bin/pmap self
0000000000400000     28K r-x--  /usr/bin/pmap
0000000000417000      4K rw---  /usr/bin/pmap
0000000000418000      8K rw---  /usr/bin/pmap
000000065B76D000     36K rw---    [ heap ]
00007FFAACFC0000    216K r-x--  /lib/amd64/libproc.so.1
00007FFAAD006000      8K rw---  /lib/amd64/libproc.so.1
00007FFAAD010000      4K rw---    [ anon ]
00007FFAAD020000     24K rwx--    [ anon ]
00007FFAAD030000      4K rw---    [ anon ]
00007FFAAD040000   1764K r-x--  /lib/amd64/libc.so.1
00007FFAAD209000     64K rw---  /lib/amd64/libc.so.1
00007FFAAD219000     12K rw---  /lib/amd64/libc.so.1
00007FFAAD220000      4K rw---    [ anon ]
00007FFAAD230000      4K rw---    [ anon ]
00007FFAAD240000      4K rw---    [ anon ]
00007FFAAD242000      4K r--s-    [ anon ]
00007FFAAD24D000    340K r-x--  /lib/amd64/ld.so.1
00007FFAAD2B2000     12K rwx--  /lib/amd64/ld.so.1
00007FFAAD2B5000      8K rwx--  /lib/amd64/ld.so.1
FFFF80DE1559E000     12K rw---    [ stack ]
root@solaris# sxadm info
EXTENSION   STATUS                  CONFIGURATION
aslr        enabled (tagged-files)  system default (default)
root@solaris# elfdump -d /usr/bin/pmap | grep ASLR
      [33]  SUNW_ASLR        0x2             ENABLE
root@solaris# elfedit -e 'dyn:sunw_aslr disable' /usr/bin/pmap
root@solaris# elfdump -d /usr/bin/pmap | grep ASLR
      [33]  SUNW_ASLR        0x1             DISABLE

root@solaris# sxadm enable -c model=all aslr
root@solaris# sxadm info
EXTENSION   STATUS         CONFIGURATION
aslr        enabled (all)  enabled (all)
root@solaris# sxadm disable aslr
root@solaris# sxadm info
EXTENSION   STATUS    CONFIGURATION
aslr        disabled  disabled
root@solaris# sxadm enable -c model=tagged-files aslr
root@solaris# sxadm info
EXTENSION   STATUS                  CONFIGURATION
aslr        enabled (tagged-files)  enabled (tagged-files)
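The four pmap runs above are the evidence that ASLR is in effect: with aslr=disable both listings are identical, with aslr=enable the heap, the libraries and the stack move while the /usr/bin/pmap text segment stays at 0x400000. As an added example (not from the slides, not an Oracle tool), the POSIX shell check below compares two pmap listings of the same program and names the regions whose base address changed. The abridged listings are constructed from the four runs above with the anonymous mappings dropped; on a Solaris host you would feed it two `pmap self` runs.

```shell
#!/bin/sh
# Added example: which mapped regions differ in base address between two runs?
# Constructed, abridged pmap listings taken from the slides (anon mappings omitted).
ASLR_OFF_1='0000000000400000     28K r-x--  /usr/bin/pmap
0000000000418000     40K rw---    [ heap ]
FFFF80FFBDDD0000    216K r-x--  /lib/amd64/libproc.so.1
FFFF80FFBF430000   1764K r-x--  /lib/amd64/libc.so.1
FFFF80FFBF795000    340K r-x--  /lib/amd64/ld.so.1
FFFF80FFBFFFD000     12K rw---    [ stack ]'
# The two disabled runs on the slides are identical, address for address.
ASLR_OFF_2=$ASLR_OFF_1
ASLR_ON_1='0000000000400000     28K r-x--  /usr/bin/pmap
00000005D6666000     36K rw---    [ heap ]
00007FF669C70000    216K r-x--  /lib/amd64/libproc.so.1
00007FF669CF0000   1764K r-x--  /lib/amd64/libc.so.1
00007FF669EFC000    340K r-x--  /lib/amd64/ld.so.1
FFFF80DDA254F000     16K rw---    [ stack ]'
ASLR_ON_2='0000000000400000     28K r-x--  /usr/bin/pmap
000000065B76D000     36K rw---    [ heap ]
00007FFAACFC0000    216K r-x--  /lib/amd64/libproc.so.1
00007FFAAD040000   1764K r-x--  /lib/amd64/libc.so.1
00007FFAAD24D000    340K r-x--  /lib/amd64/ld.so.1
FFFF80DE1559E000     12K rw---    [ stack ]'

# Print the names of regions whose first mapping has a different base address
# in listing $2 than in listing $1. Only the first mapping of each object is
# compared (its text segment); anon mappings are skipped, they have no name.
randomized_regions() {
    { printf '%s\n' "$1"; echo '=== SECOND ==='; printf '%s\n' "$2"; } | awk '
        /^=== SECOND ===$/ { second = 1; next }
        NF < 4 { next }
        {
            name = $NF
            if (name == "]") name = $(NF - 1)      # "[ heap ]" -> heap
            if (name == "anon") next
            if (!second) { if (!(name in first)) first[name] = $1; next }
            if (seen[name]++) next
            if ((name in first) && first[name] != $1) print name
        }'
}

# True (exit 0) when at least one region moved between the two runs.
aslr_effective() {
    [ -n "$(randomized_regions "$1" "$2")" ]
}

# Live use on Solaris:  randomized_regions "$(pmap self)" "$(pmap self)"
randomized_regions "$ASLR_ON_1" "$ASLR_ON_2"
aslr_effective "$ASLR_OFF_1" "$ASLR_OFF_2" && echo "randomized" || echo "no randomization between the disabled runs"
```

For the enabled pair the check lists heap, libproc.so.1, libc.so.1, ld.so.1 and stack; for the disabled pair it lists nothing. The main executable never appears because its text segment is fixed at 0x400000 in every run on the slides, which is why the tagged-files model and the SUNW_ASLR dynamic tag shown next matter: only binaries built and tagged for it get relocated.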
pfedit

root@template:/etc/apache2/2.2# profiles -p "httpd edit"
profiles:httpd edit> set auths=solaris.admin.edit/etc/apache2/2.2/httpd.conf
profiles:httpd edit> set desc="Edit httpd"
profiles:httpd edit> exit

root@template:/etc/apache2/2.2# usermod -P +"httpd edit" junior

junior@template:~$ profiles
httpd edit
Basic Solaris User
All

junior@template:~$ vi /etc/apache2/2.2/httpd.conf

junior@template:~$ pfedit /etc/apache2/2.2/httpd.conf
pfedit: /etc/apache2/2.2/httpd.conf has been updated.

junior@template:~$ pfedit /etc/apache2/2.2/mime.types
pfedit: User junior is not authorized to edit the file /etc/apache2/2.2/mime.types.

root@template:/etc/apache2/2.2# profiles -p "httpd edit"
profiles:httpd edit> info
        name=httpd edit
        desc=Edit httpd
        auths=solaris.admin.edit/etc/apache2/2.2/httpd.conf
profiles:httpd edit> add auths=solaris.admin.edit/etc/apache2/2.2/mime.types

junior@template:~$ pfedit /etc/apache2/2.2/mime.types
pfedit: no changes for /etc/apache2/2.2/mime.types

# profiles -p "httpd configure"
profiles:httpd configure> add always_audit=as
profiles:httpd configure> info
        name=httpd configure
        desc=Configure httpd
        auths=solaris.admin.edit/etc/apache2/2.2/httpd.conf,solaris.admin.edit/etc/apache2/2.2/mime.types
        always_audit=as
        never_audit=no
profiles:httpd configure> exit
root@template:~#

root@template:~# auditreduce -c as | praudit

[...]
header,486,2,edit administrative file,,fe80::a00:27ff:fea6:33cb,2013-08-12 07:45:52.306 +00:00
subject,junior,junior,staff,junior,staff,4212,4474671663,69 136704 MacBook-Pro-of-c0t0d0s0.fritz.box
path,/etc/apache2/2.2/httpd.conf
use of authorization,solaris.admin.edit/etc/apache2/2.2/httpd.conf
text,--- /etc/apache2/2.2/httpd.conf   Mo Aug 12 07:45:00 2013
+++ /etc/apache2/2.2/httpd.conf.pfedit.1BaGoi   Mo Aug 12 07:45:52 2013
@@ -1,5 +1,6 @@
 # Test
 # Test 2
+# Test 3
 #
 # This is the main Apache HTTP server configuration file.  It contains the
 # configuration directives that give the server its instructions.
return,success,0
Delegating privilege to restart services (so you can keep the root password)

junior@template:~$ svcadm refresh apache22
svcadm: svc:/network/http:apache22: Permission denied.

# svcs -a | grep apache22
online         15:30:29 svc:/network/http:apache22

# auths add -t "Apache22 value" solaris.smf.value.http.apache22
# auths add -t "Apache22 action" solaris.smf.action.http.apache22

# svccfg -s apache22 setprop general/value_authorization = astring: solaris.smf.value.http.apache22
# svccfg -s apache22 setprop general/action_authorization = astring: solaris.smf.action.http.apache22

# profiles -p "httpd edit" "add auths=solaris.smf.action.http.apache22"

junior@template:~$ svcadm refresh apache22
junior@template:~$
Privileges

$ ls -l /usr/sbin/traceroute
-r-sr-xr-x   1 root     bin        42324 Nov 21 00:09 /usr/sbin/traceroute
$ ls -l /usr/sbin/ping
-r-sr-xr-x   1 root     bin        51396 Nov 18 19:31 /usr/sbin/ping
set-id to root: ping needs it to work.

# chmod -s /sbin/ping
# exit
$ ping -s 192.168.1.132
ping: socket: Permission denied
Remove the set-uid bit and ping will stop working.

jmoekamp@daddelkiste:~$ ppriv $$
2153:   -bash
flags = <none>
        E: basic
        I: basic
        P: basic
        L: all

The full set of privileges (slide graphic):
contract_event, contract_identity, contract_observer, cpc_cpu, dtrace_kernel, dtrace_proc, dtrace_user,
file_chown, file_chown_self, file_dac_execute, file_dac_read, file_dac_search, file_dac_write, file_downgrade_sl, file_flag_set, file_link_any, file_owner, file_read, file_setid, file_upgrade_sl, file_write,
graphics_access, graphics_map, ipc_dac_read, ipc_dac_write, ipc_owner,
net_access, net_bindmlp, net_icmpaccess, net_mac_aware, net_mac_implicit, net_observability, net_privaddr, net_rawaccess,
proc_audit, proc_chroot, proc_clock_highres, proc_exec, proc_fork, proc_info, proc_lock_memory, proc_owner, proc_priocntl, proc_session, proc_setid, proc_taskid, proc_zone,
sys_acct, sys_admin, sys_audit, sys_config, sys_devices, sys_dl_config, sys_flow_config, sys_ib_config, sys_ib_info, sys_ip_config, sys_ipc_config, sys_iptun_config, sys_linkdir, sys_mount, sys_net_config, sys_nfs, sys_ppp_config, sys_res_bind, sys_res_config, sys_resource, sys_share, sys_smb, sys_suser_compat, sys_time, sys_trans_label,
win_colormap, win_config, win_dac_read, win_dac_write, win_devices, win_dga, win_downgrade_sl, win_fontpath, win_mac_read, win_mac_write, win_selection, win_upgrade_sl

All privileges in their entirety, assigned to one user, are (almost) ...

Neat extension in Solaris 11: the ability to use networking is now a privilege (net_access). It's part of the default set of privileges, but you can remove it.
jmoekamp@daddelkiste:~$ ppriv -v $$
2153:   -bash
flags = <none>
        E: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
        I: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
        P: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
        L: contract_event,contract_identity,contract_observer,cpc_cpu,dtrace_kernel,dtrace_proc,dtrace_user,file_chown,file_chown_self,file_dac_execute,file_dac_read,file_dac_search,file_dac_write,file_downgrade_sl,file_flag_set,file_link_any,file_owner,file_read,file_setid,file_upgrade_sl,file_write,graphics_access,graphics_map,ipc_dac_read,ipc_dac_write,ipc_owner,net_access,net_bindmlp,net_icmpaccess,net_mac_aware,net_mac_implicit,net_observability,net_privaddr,net_rawaccess,proc_audit,proc_chroot,proc_clock_highres,proc_exec,proc_fork,proc_info,proc_lock_memory,proc_owner,proc_priocntl,proc_session,proc_setid,proc_taskid,proc_zone,sys_acct,sys_admin,sys_audit,sys_config,sys_devices,sys_dl_config,sys_flow_config,sys_ib_config,sys_ib_info,sys_ip_config,sys_ipc_config,sys_iptun_config,sys_linkdir,sys_mount,sys_net_config,sys_nfs,sys_ppp_config,sys_res_bind,sys_res_config,sys_resource,sys_share,sys_smb,sys_suser_compat,sys_time,sys_trans_label,win_colormap,win_config,win_dac_read,win_dac_write,win_devices,win_dga,win_downgrade_sl,win_fontpath,win_mac_read,win_mac_write,win_selection,win_upgrade_sl

root@daddelkiste:~# ppriv $$
2183:   -bash
flags = <none>
        E: all
        I: basic
        P: all
        L: all

junior@daddelkiste:~$ dtrace -n 'syscall:::entry { @num[execname] = count(); }'
dtrace: failed to initialize dtrace: DTrace requires additional privileges

root@daddelkiste:~# usermod -K defaultpriv=basic,dtrace_kernel,dtrace_proc,dtrace_user junior
UX: usermod: junior is currently logged in, some changes may not take effect until next login.

junior@daddelkiste:~$ dtrace -n 'syscall:::entry { @num[execname] = count(); }'
dtrace: description 'syscall:::entry' matched 211 probes
^C

  automountd                                                        1
  sshd                                                             24
  dtrace                                                          544
  auditd                                                          564

# ps -ef | grep kcfd
  daemon   125     1   0 14:24:19 ?           0:00 /usr/lib/crypto/kcfd
    root   734   728   0 15:54:08 pts/1       0:00 grep kcfd
# ppriv -v 125
125:    /usr/lib/crypto/kcfd
flags = PRIV_AWARE
        E: file_owner,proc_priocntl,sys_devices
        I: none
        P: file_owner,proc_priocntl,sys_devices
        L: none

# svcadm -v enable -s apache2
svc:/network/http:apache2 enabled.

jmoekamp@client:~$ ps -ef | grep http
webservd  1978  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1979  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1980  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1984  1975   0 12:20:02 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
    root  1975     1   0 12:19:14 ?           0:01 /usr/apache2/2.2/bin/httpd -k start
webservd  1977  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1976  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start

root@client:~# ppriv 1977
1977:   /usr/apache2/2.2/bin/httpd -k start
flags = <none>
        E: basic
        I: basic
        P: basic
        L: all
root@client:~# ppriv 1975
1975:   /usr/apache2/2.2/bin/httpd -k start
flags = <none>
        E: all
        I: basic
        P: all
        L: all
root@client:~#
[slide graphics: the full privilege list from above, repeated on each of the next slides with a different subset highlighted]

The Apache process running as root has the following privileges.

The other processes have the following privileges.

Apache really needs:

So you grant a large number of privileges to one process that Apache doesn't need.
# svcadm -v disable -s apache2
svc:/network/http:apache2 disabled.

root@client:~# svccfg -s apache22
svc:/network/http:apache22> setprop start/user = astring: webservd
svc:/network/http:apache22> setprop start/group = astring: webservd
svc:/network/http:apache22> setprop start/privileges = astring: basic,!proc_session,!proc_info,!file_link_any,net_privaddr
svc:/network/http:apache22> setprop start/limit_privileges = astring: :default
svc:/network/http:apache22> setprop start/use_profile = boolean: false
svc:/network/http:apache22> setprop start/supp_groups = astring: :default
svc:/network/http:apache22> setprop start/working_directory = astring: :default
svc:/network/http:apache22> setprop start/project = astring: :default
svc:/network/http:apache22> setprop start/resource_pool = astring: :default
svc:/network/http:apache22> end
root@client:~# svcadm -v refresh apache22
Action refresh set for svc:/network/http:apache22.

# echo "LockFile /var/apache2/2.2/logs/accept.lock" >> /etc/apache2/2.2/httpd.conf
# echo "PidFile /var/apache2/2.2/run/httpd.pid" >> /etc/apache2/2.2/httpd.conf
# mkdir -p -m 755 /var/apache2/2.2/run
# chown webservd:webservd /var/apache2/2.2/run
# svcadm enable apache22

webservd  3064  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3062  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3063  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3066  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3061     1   0 16:49:17 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3065  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
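The ppriv listings in the MySQL extended-policy demo and in the Apache demo are the raw material for a routine check: which processes run with an effective set wider than basic, and what extended policy, if any, narrows them. As an added example (not from the slides, not an Oracle tool), the POSIX shell functions below parse ppriv output for exactly that. The sample output is constructed after the listings on the slides; on a Solaris host you would feed it `ppriv $(pgrep httpd)` or `ppriv $(pgrep mysql)`.

```shell
#!/bin/sh
# Added example: triage ppriv(1) output. Constructed sample modelled on the
# httpd and mysqld listings from the slides, not captured on a live host.
SAMPLE_PPRIV='1975:   /usr/apache2/2.2/bin/httpd -k start
flags = <none>
        E: all
        I: basic
        P: all
        L: all
1977:   /usr/apache2/2.2/bin/httpd -k start
flags = <none>
        E: basic
        I: basic
        P: basic
        L: all
103697: /usr/mysql/5.1/bin/mysqld --basedir=/usr/mysql/5.1
flags = PRIV_XPOLICY
        Extended policies:
                {net_privaddr}:3306/tcp
                {file_write}:/var/mysql/5.1/data/*
        E: basic,!file_write
        I: basic,!file_write
        P: basic,!file_write
        L: all'

# Print "<pid> <effective set>" for every process whose E set names anything
# beyond "basic". A "!priv" entry only removes a privilege and is ignored.
find_overprivileged() {
    printf '%s\n' "$1" | awk '
        /^[0-9]+:/ { pid = $1; sub(/:$/, "", pid); next }
        /^[ \t]*E:/ {
            n = split($2, privs, ",")
            wide = 0
            for (i = 1; i <= n; i++)
                if (privs[i] != "basic" && substr(privs[i], 1, 1) != "!") wide = 1
            if (wide) print pid, $2
        }'
}

# Print the extended-policy rules attached to pid $1 (empty if it has none).
xpolicy_of() {
    printf '%s\n' "$2" | awk -v want="$1" '
        /^[0-9]+:/ { pid = $1; sub(/:$/, "", pid); inpol = 0; next }
        /Extended policies:/ { inpol = (pid == want); next }
        inpol && substr($1, 1, 1) == "{" { print $1; next }
        { inpol = 0 }'
}

# Live use on Solaris:  find_overprivileged "$(ppriv $(pgrep httpd))"
find_overprivileged "$SAMPLE_PPRIV"
xpolicy_of 103697 "$SAMPLE_PPRIV"
```

On the sample only pid 1975, the root httpd parent before the svccfg change above, is reported (E: all); the basic workers and the mysqld with its PRIV_XPOLICY rules pass, and `xpolicy_of` lists the two rules that confine mysqld to port 3306 and its data directory.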
Read-only zone root

zonecfg:testzone> set file-mac-profile=none
    Standard read-write non-global zone, with no additional protection beyond the existing zone boundaries.
zonecfg:testzone> set file-mac-profile=strict
    Read-only file system, no exceptions.
zonecfg:testzone> set file-mac-profile=fixed-configuration
    Permits updates to /var/* directories, with the exception of directories that contain system configuration components.
zonecfg:testzone> set file-mac-profile=flexible-configuration
    Permits modification of files in /etc/* directories, changes to root's home directory, and updates to /var/* directories. This configuration provides the closest functionality to the Oracle Solaris 10 native sparse root zone.
in-kernel SSL Proxy

# mkdir /etc/keys
# cd /etc/keys
# openssl req -x509 -nodes -days 365 -subj "/C=DE/ST=Hamburg/L=Hamburg/CN=server" -newkey rsa:1024 -keyout /etc/keys/mykey.pem -out /etc/keys/mycert.pem
# cat mycert.pem mykey.pem > my.pem
# chmod 600 my.pem

# echo "pass" > /etc/keys/mypass
# ksslcfg create -f pem -i /etc/keys/my.pem -x 8080 -p /etc/keys/mypass server 443

# ksslcfg create -f pem -i /etc/keys/my.pem -x 8080 -p /etc/keys/mypass -c "rsa_aes_256_cbc_sha,rsa_aes_128_cbc_sha,rsa_rc4_128_sha,rsa_rc4_128_md5" server 443

# svcs -a | grep kssl
online          9:03:33 svc:/network/ssl/proxy:kssl-server-443

# svcadm disable apache22
# echo "Listen 192.168.178.108:8080" >> /etc/apache2/2.2/httpd.conf
# svcadm enable apache22
Port number and IP address have to be defined in httpd.conf, otherwise it will not work.

# openssl s_client -connect server:443
CONNECTED(00000004)
depth=0 /C=DE/ST=Hamburg/L=Hamburg/CN=server
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=DE/ST=Hamburg/L=Hamburg/CN=server
verify return:1
---
Certificate chain
 0 s:/C=DE/ST=Hamburg/L=Hamburg/CN=server
   i:/C=DE/ST=Hamburg/L=Hamburg/CN=server
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICoTCCAgqgAwIBAgIJAKyJdj[...]V5jX3MU=
-----END CERTIFICATE-----
subject=/C=DE/ST=Hamburg/L=Hamburg/CN=server
issuer=/C=DE/ST=Hamburg/L=Hamburg/CN=server
---
No client certificate CA names sent
---
SSL handshake has read 817 bytes and written 328 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-SHA
    Session-ID: 32CEF20CB9FE2A71C74D40BB2DB5CB304DA1B57540B7CFDD113915B99DBE9812
    Session-ID-ctx:
    Master-Key: 1E7B502390951124779C5763B5E4BBAF0A9B0693D08DCA8A587B503A5C5027B6FAD9CA7626B1AD8C62219E8502A5C21E
    Key-Arg   : None
    Start Time: 1242985143
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
GET / HTTP/1.0

HTTP/1.1 200 OK
Date: Fri, 22 May 2009 09:39:13 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8a DAV/2
Last-Modified: Thu, 21 May 2009 21:26:30 GMT
ETag: "341f3-2c-46a72cc211a8f"
Accept-Ranges: bytes
Content-Length: 44
Connection: close
Content-Type: text/html

<html><body><h1>It works!</h1></body></html>
read:errno=0
ZFS Encryption

# zfs create -o encryption=on rpool/export/project

wrapping key (user settable)
encryption key (random, not user settable)
key sources: prompt, file://, https://, pkcs11:

Ciphers: aes-128-ccm (=on), aes-192-ccm, aes-256-ccm, aes-128-gcm, aes-192-gcm, aes-256-gcm

# zfs set checksum=sha256+mac <dataset>
If encryption is set to anything other than off, this happens automatically. The property is read-only from then on.

# pktool genkey keystore=pkcs11 keytype=aes keylen=128 label=mykey
Enter PIN for Sun Software PKCS#11 softtoken:
# zfs create -o encryption=on -o keysource=raw,pkcs11:object=mykey tank/project/C
Enter PKCS#11 token PIN for 'tank/project/C':

# zfs create -o encryption=on -o keysource=raw,https://keys.example.com/mykey tank/project/R
# cp myservercert.pem /etc/certs/CA/
# svcadm refresh ca-certificates

$ zfs key -c rpool/export/project
Enter new passphrase for 'rpool/export/project':
Changing the wrapping key

# zfs key -K tank/project/A
# zfs clone -K tank/project/A@montag tank/project/D
Changing the encryption key, for data written from now on: creates a new data encryption key. Data written in the clone uses the new data encryption key, which is distinct from its original snapshot.
Solaris Cryptographic Framework

As soon as Solaris detects hardware acceleration for cryptography, Solaris will use it (and so do applications using the Oracle-supplied OpenSSL library or the direct interfaces):
• on-chip crypto accelerator in T- and current M-series chips
• instruction set extensions in Intel processors (AES-NI)
• supported crypto accelerator cards

Just a side note: T-series crypto acceleration and Intel x86 acceleration have pretty different performance characteristics.
T-series: acceleration by offloading crypto outside the pipeline.
Intel x86: acceleration by offering special in-pipeline instructions to accelerate execution.
Sounds like splitting hairs ...
Using ZFS to do two-factor encryption

jmoekamp@solaris:~$ rmformat
Looking for devices...
     1. Logical Node: /dev/rdsk/c10t0d0p0
        Physical Node: /pci@0,0/pci8086,265c@b/storage@2/disk@0,0
        Connected Device: SanDisk  U3 Cruzer Micro  8.02
        Device Type: Removable
        Bus: USB
        Size: 3.8 GB
        Label:
        Access permissions: Medium is not write protected
(...)
     3. Logical Node: /dev/rdsk/c9t0d0p0
        Physical Node: /pci@0,0/pci8086,265c@b/storage@1/disk@0,0
        Connected Device: SanDisk  U3 Cruzer Micro  8.02
        Device Type: Removable
        Bus: USB
        Size: 3.8 GB
        Label:
        Access permissions: Medium is not write protected

root@solaris:~# zpool create a_keystore_usbstick /dev/dsk/c10t0d0p0
root@solaris:~# zpool create datastick /dev/dsk/c9t0d0p0

root@solaris:~# zfs create -o encryption=on a_keystore_usbstick/keys
Enter passphrase for 'a_keystore_usbstick/keys': supersecret
Enter again: supersecret

root@solaris:~# pktool genkey keystore=file keytype=aes keylen=128 outkey=/a_keystore_usbstick/keys/joergsdatastick.key

root@solaris:~# zfs create -o encryption=on -o keysource=raw,file:///a_keystore_usbstick/keys/joergsdatastick.key datastick/joergssecrets

root@solaris:/datastick/joergssecrets# mv /home/jmoekamp/highlyconfidential_nda_presos.tgz .

root@solaris:~# zpool export a_keystore_usbstick
root@solaris:~# zpool export datastick

root@solaris:~# zpool import a_keystore_usbstick
Enter passphrase for 'a_keystore_usbstick/keys': supersecret
root@solaris:~#

root@solaris:~# zpool import datastick
root@solaris:~# cd /datastick/joergssecrets
root@solaris:/datastick/joergssecrets# ls
highconfidential_nda_presos.tgz
Basic Auditing and Reporting Tool

# mkdir /bart-files
# bart create -R /etc > /bart-files/etc.control.manifest

# cat etc.control.manifest | grep nsswitch.nisplus
/nsswitch.nisplus F 2525 100644 user::rw-,group::r--,mask:r--,other:r-- 473976b5 0 3 79e8fd689a5221d1cd059e5077da71b8

# touch /etc/thisisjustatest
# chmod 777 /etc/nsswitch.files
# echo "just a test" >> /etc/nsswitch.nisplus

# bart create -R /etc > /bart-files/etc.check20130911.manifest

# cd /bart-files
# bart compare etc.control.manifest etc.check20130911.manifest
/nsswitch.files:
  mode  control:100644  test:100777
  acl  control:user::rw-,group::r--,mask:r--,other:r--  test:user::rwx,group::rwx,mask:rwx,other:rwx
/nsswitch.nisplus:
  size  control:2525  test:2538
  mtime  control:473976b5  test:47a44862
  contents  control:79e8fd689a5221d1cd059e5077da71b8  test:3f79176ec352441db11ec8a3d02ef67c
/thisisjustatest:
  add

Find more information regarding this feature at http://www.c0t0d0s0.org/archives/4069-Less-known-Solaris-features-BART.html
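The `bart compare` output above is meant to be read by a human; for scheduled integrity checks it helps to flatten it into one tagged line per finding. As an added example (not from the slides, not part of BART itself), the POSIX shell functions below do that and count the findings that should raise an alarm. The sample is constructed after the compare output on the slide, and the severity mapping (content, permission, ownership and existence changes are HIGH, size and mtime alone are INFO) is this example's own choice.

```shell
#!/bin/sh
# Added example: flatten `bart compare` output into severity-tagged lines.
# Constructed sample modelled on the slide's compare output.
SAMPLE_BART_COMPARE='/nsswitch.files:
  mode  control:100644  test:100777
  acl  control:user::rw-,group::r--,mask:r--,other:r--  test:user::rwx,group::rwx,mask:rwx,other:rwx
/nsswitch.nisplus:
  size  control:2525  test:2538
  mtime  control:473976b5  test:47a44862
  contents  control:79e8fd689a5221d1cd059e5077da71b8  test:3f79176ec352441db11ec8a3d02ef67c
/thisisjustatest:
  add'

# Print "SEVERITY /absolute/path attribute" per finding. $2 is the -R root the
# manifests were created with, so the relative names become absolute again.
# A size/mtime change on its own is INFO; if the content changed too, that
# shows up as its own HIGH line.
bart_findings() {
    printf '%s\n' "$1" | awk -v root="$2" '
        /^\/.*:$/ { f = root substr($1, 1, length($1) - 1); next }
        $1 == "add" || $1 == "delete" || $1 == "contents" ||
        $1 == "mode" || $1 == "acl" || $1 == "uid" || $1 == "gid" { print "HIGH " f " " $1; next }
        NF > 0 { print "INFO " f " " $1 }'
}

# Number of HIGH findings: non-zero is what a scheduled check alarms on.
bart_high_count() {
    bart_findings "$1" "$2" | grep -c '^HIGH '
}

# Live use on Solaris:  bart_findings "$(bart compare etc.control.manifest etc.check.manifest)" /etc
bart_findings "$SAMPLE_BART_COMPARE" /etc
bart_high_count "$SAMPLE_BART_COMPARE" /etc
```

For the slide's three deliberate changes this yields four HIGH lines (mode and acl on nsswitch.files, contents on nsswitch.nisplus, add for thisisjustatest) and two INFO lines.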
Apropos Auditing

Auditing is activated by default.

root@client:~# auditconfig -getflags
active user default audit flags = lo(0x1000,0x1000)
configured user default audit flags = lo(0x1000,0x1000)
root@client:~# auditconfig -getnaflags
active non-attributable audit flags = lo(0x1000,0x1000)
configured non-attributable audit flags = lo(0x1000,0x1000)

root@client:~# auditconfig -getpolicy
configured audit policies = cnt
active audit policies = cnt
Policy regarding auditing (explanation on the next slide)

root@client:~# auditconfig -lspolicy
policy string     description:
ahlt              halt machine if it can not record an async event
all               all policies
arge              include exec environment args in audit recs
argv              include exec command line args in audit recs
cnt               when no more space, drop recs and keep a cnt
group             include supplementary groups in audit recs
none              no policies
path              allow multiple paths per event
perzone           use a separate queue and auditd per zone
public            audit public files
seq               include a sequence number in audit recs
trail             include trailer token in audit recs
windata_down      include downgraded window information in audit recs
windata_up        include upgraded window information in audit recs
zonename          include zonename token in audit recs
Which degree of detail? What happens with full disks?

root@client:~# auditconfig -getplugin
Plugin: audit_binfile (active)
        Attributes: p_dir=/var/audit;p_fsize=0;p_minfree=1;
Plugin: audit_syslog (inactive)
        Attributes: p_flags=;
Plugin: audit_remote (inactive)
        Attributes: p_hosts=;p_retries=3;p_timeout=5;

root@client:~# auditconfig -setflags lo,ps,fw
user default audit flags = ps,lo,fw(0x101002,0x101002)
root@client:~# auditconfig -setnaflags lo,na
non-attributable audit flags = lo,na(0x1400,0x1400)
lo and na are the only sensible flags for non-attributable events.

root@client:~# usermod -K audit_flags=fw,as junior

root@client:~# auditconfig -lsevent | grep lo
AUE_login                       6152 lo  login - local
AUE_logout                      6153 lo  logout
AUE_telnet                      6154 lo  login - telnet
AUE_rlogin                      6155 lo  login - rlogin
AUE_rshd                        6158 lo  rsh access
AUE_su                          6159 lo  su
AUE_rexecd                      6162 lo  rexecd
AUE_passwd                      6163 lo  passwd
AUE_rexd                        6164 lo  rexd
AUE_ftpd                        6165 lo  ftp access
AUE_ftpd_logout                 6171 lo  ftp logout
AUE_ssh                         6172 lo  login - ssh
AUE_role_login                  6173 lo  role login
AUE_rad_login                   6174 lo  connect to RAD
AUE_newgrp_login                6212 lo  newgrp login
AUE_admin_authenticate          6213 lo  admin login
AUE_screenlock                  6221 lo  screenlock - lock
AUE_screenunlock                6222 lo  screenlock - unlock
AUE_zlogin                      6227 lo  login - zlogin
AUE_su_logout                   6228 lo  su logout
AUE_role_logout                 6229 lo  role logout
AUE_smbd_session                6244 lo  smbd(1m) session setup
AUE_smbd_logoff                 6245 lo  smbd(1m) session logoff

root@client:~# auditconfig -lsevent | grep ps
AUE_EXIT                           1 ps  exit(2)
AUE_FORKALL                        2 ps  forkall(2)
AUE_VFORK                         25 ps  vfork(2)
AUE_FORK1                        241 ps  fork1(2)
root@client:~# auditconfig -lsevent | grep fw
AUE_OPEN_W                        76 fw  open(2) - write

# auditreduce -c ps /var/audit/20130912183630.not_terminated.client | praudit
header,139,2,execve(2),,client,2013-09-12 18:40:55.924 +00:00
path,/usr/sbin/auditreduce
attribute,100555,root,bin,65538,65875,18446744073709551615
subject,jmoekamp,root,root,root,root,2054,1440080956,2480 202240 192.168.10.1
return,success,0

root@client:~# auditconfig -setflags all
user default audit flags = all(0xffffffffffffffff,0xffffffffffffffff)
Not always (in the sense of never) a good idea.
Useful after trying out, to start a new audit file:
root@client:~# audit -n

root@client:~# auditstat
  gen nona  kern  aud ctl   enq  wrtn wblk rblk drop  tot mem
38248    1 38233   14   0 37791 37788    0 3491  457 5169   0
"all" activated for a few seconds on an unloaded system
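The praudit records on the pfedit slide and on the auditreduce slide share one layout: a header token with the event name and timestamp, a subject token whose first field is the audit user (the identity that survives su and role assumption), optional path and "use of authorization" tokens, and a return token. As an added example (not from the slides, not an Oracle tool), the POSIX shell functions below summarise such records one per line and pick out actions performed with effective uid root by someone whose audit identity is not root. The two records are constructed after the ones shown on the slides.

```shell
#!/bin/sh
# Added example: summarise praudit(1M) default-format output.
# Constructed sample modelled on the two records shown on the slides.
SAMPLE_PRAUDIT='header,139,2,execve(2),,client,2013-09-12 18:40:55.924 +00:00
path,/usr/sbin/auditreduce
attribute,100555,root,bin,65538,65875,18446744073709551615
subject,jmoekamp,root,root,root,root,2054,1440080956,2480 202240 192.168.10.1
return,success,0
header,486,2,edit administrative file,,fe80::a00:27ff:fea6:33cb,2013-08-12 07:45:52.306 +00:00
subject,junior,junior,staff,junior,staff,4212,4474671663,69 136704 MacBook-Pro-of-c0t0d0s0.fritz.box
path,/etc/apache2/2.2/httpd.conf
use of authorization,solaris.admin.edit/etc/apache2/2.2/httpd.conf
return,success,0'

# One line per record: time|event|audit user|effective uid|detail|result.
# header: header,len,version,event,modifier,host,time
# subject: subject,audit-uid,uid,gid,ruid,rgid,pid,sid,tid
audit_summary() {
    printf '%s\n' "$1" | awk -F, '
        function emit() {
            if (ev != "") print ts "|" ev "|" au "|" euid "|" detail "|" res
            ev = ts = au = euid = detail = res = ""
        }
        $1 == "header"  { emit(); ev = $4; ts = $7; next }
        $1 == "subject" { au = $2; euid = $3; next }
        $1 == "path" && detail == "" { detail = $2; next }
        $1 == "use of authorization" { detail = "authz " $2; next }
        $1 == "return"  { res = $2; next }
        END { emit() }'
}

# Records where a non-root audit user acted with effective uid root, i.e. via
# su, a role or a forced-privilege program: the audit user answers "who".
audit_root_actions_by_others() {
    audit_summary "$1" | awk -F'[|]' '$3 != "root" && $4 == "root"'
}

# Live use on Solaris:  audit_summary "$(auditreduce -c as | praudit)"
audit_summary "$SAMPLE_PRAUDIT"
audit_root_actions_by_others "$SAMPLE_PRAUDIT"
```

On the sample, the execve record is flagged: the audit user is jmoekamp although every uid in the subject token is root, which is exactly the su case that attribution by audit user is designed for. The pfedit record passes, and its detail field carries the authorization that was exercised rather than just the path.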
SSH and X509
c0t0d0s0org131
root@ca:~# CA.pl -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
......++++++
......++++++
writing new private key to '/etc/openssl/private/cakey.pem'
Enter PEM pass phrase: supersecret1
Verifying - Enter PEM pass phrase: supersecret1
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:DE
State or Province Name (full name) []:Lower Saxony
Locality Name (eg, city) []:Lueneburg
Organization Name (eg, company) []:c0t0d0s0.org
Organizational Unit Name (eg, section) []:Security Department
Common Name (eg, server FQDN or YOUR name) []:CA
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openssl/openssl.cnf
Enter pass phrase for /etc/openssl/private/cakey.pem: supersecret1
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            b3:54:80:88:66:ad:e8:78
        Validity
            Not Before: Sep 26 10:11:09 2013 GMT
            Not After : Sep 25 10:11:09 2016 GMT
        Subject:
            countryName               = DE
            stateOrProvinceName       = Lower Saxony
            organizationName          = c0t0d0s0.org
            organizationalUnitName    = Security Department
            commonName                = CA
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44
            X509v3 Authority Key Identifier:
                keyid:5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44

            X509v3 Basic Constraints:
                CA:TRUE
Certificate is to be certified until Sep 25 10:11:09 2016 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated
root@ca:~# mkdir server
root@ca:~# cd server
root@ca:~/server# CA.pl -newreq
Generating a 1024 bit RSA private key
......++++++
......++++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase: supersecret2
Verifying - Enter PEM pass phrase: supersecret2
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:DE
State or Province Name (full name) []:Lower Saxony
Locality Name (eg, city) []:Lueneburg
Organization Name (eg, company) []:c0t0d0s0.org
Organizational Unit Name (eg, section) []:Server Certificates
Common Name (eg, server FQDN or YOUR name) []:server
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem
root@ca:~/server# CA.pl -signreq
Using configuration from /etc/openssl/openssl.cnf
Enter pass phrase for /etc/openssl/private/cakey.pem: supersecret1
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            b3:54:80:88:66:ad:e8:79
        Validity
            Not Before: Sep 26 10:29:12 2013 GMT
            Not After : Sep 26 10:29:12 2014 GMT
        Subject:
            countryName               = DE
            stateOrProvinceName       = Lower Saxony
            localityName              = Lueneburg
            organizationName          = c0t0d0s0.org
            organizationalUnitName    = Server Certificates
            commonName                = server
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                A7:DC:03:DE:B3:D5:FB:F9:C0:06:F1:1A:55:A9:AD:04:C4:9C:10:FA
            X509v3 Authority Key Identifier:
                keyid:5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44

Certificate is to be certified until Sep 26 10:29:12 2014 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
root@ca:~/server# ls -l
total 15
-rw-r--r--   1 root     root        3196 Sep 26 12:29 newcert.pem
-rw-r--r--   1 root     root        1041 Sep 26 12:28 newkey.pem
-rw-r--r--   1 root     root         680 Sep 26 12:28 newreq.pem
root@ca:~/junior# CA.pl -newreq
Generating a 1024 bit RSA private key
......++++++
......++++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
Verify failure
Enter PEM pass phrase: supersecret3
Verifying - Enter PEM pass phrase: supersecret3
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:DE
State or Province Name (full name) []:Lower Saxony
Locality Name (eg, city) []:Lueneburg
Organization Name (eg, company) []:c0t0d0s0.org
Organizational Unit Name (eg, section) []:User certificates
Common Name (eg, server FQDN or YOUR name) []:junior
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem
root@ca:~/junior# CA.pl -signreq
Using configuration from /etc/openssl/openssl.cnf
Enter pass phrase for /etc/openssl/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            b3:54:80:88:66:ad:e8:7a
        Validity
            Not Before: Sep 26 11:09:29 2013 GMT
            Not After : Sep 26 11:09:29 2014 GMT
        Subject:
            countryName               = DE
            stateOrProvinceName       = Lower Saxony
            localityName              = Lueneburg
            organizationName          = c0t0d0s0.org
            organizationalUnitName    = User certificates
            commonName                = junior
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                A1:F2:FC:9D:8A:E2:AD:9A:F5:29:03:F5:B7:14:93:3C:64:62:8E:9C
            X509v3 Authority Key Identifier:
                keyid:5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44

Certificate is to be certified until Sep 26 11:09:29 2014 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
root@server:~# useradd -m junior
80 blocks
root@server:~# passwd junior
New Password:
Re-enter new Password:
passwd: password successfully changed for junior
root@server:~#

root@client:~# useradd -m junior
80 blocks
root@client:~# passwd junior
New Password:
Re-enter new Password:
passwd: password successfully changed for junior
root@server:~# echo 192.168.10.51 server >> /etc/hosts
root@server:~# echo 192.168.10.52 client >> /etc/hosts

root@client:~# echo 192.168.10.51 server >> /etc/hosts
root@client:~# echo 192.168.10.52 client >> /etc/hosts
root@ca:~/server# scp /etc/openssl/cacert.pem jmoekamp@192.168.10.109:/export/home/jmoekamp
Password:
cacert.pem           100% |*****************************|  3011       00:00
root@ca:~/server# scp newcert.pem jmoekamp@192.168.10.109:/export/home/jmoekamp
Password:
newcert.pem          100% |*****************************|  3196       00:00
root@ca:~/server# scp newkey.pem jmoekamp@192.168.10.109:/export/home/jmoekamp
Password:
newkey.pem           100% |*****************************|  1041       00:00

root@ca:~/junior# scp newkey.pem junior@client:/export/home/junior
Password:
newkey.pem           100% |*****************************|  1041       00:00
root@ca:~/junior# scp newcert.pem junior@client:/export/home/junior
Password:
newcert.pem          100% |*****************************|  3190       00:00
root@ca:~/junior# scp /etc/openssl/cacert.pem junior@192.168.10.104:/export/home/junior
Password:
cacert.pem           100% |*****************************|  3011       00:00
On the Server
root@server:~# ls
cacert.pem  newcert.pem  newkey.pem
root@server:~# pktool setpin
Enter token passphrase: changeme
Create new passphrase: superserversecret
Re-enter new passphrase: superserversecret
Passphrase changed.
root@server:~#
root@server:~# printf superserversecret > /etc/ssh/pinfile
root@server:~# kmfcfg create dbfile=/etc/ssh/policy.xml policy=ssh ta-name=search mapper-name=cn
root@server:~# echo "TrustedAnchorKeystore /etc/ssh/cert" >> /etc/ssh/sshd_config
root@server:~# echo "KMFPolicyDatabase /etc/ssh/policy.xml" >> /etc/ssh/sshd_config
root@server:~# echo "KMFPolicyName ssh" >> /etc/ssh/sshd_config
root@server:~# echo "HostKey pkcs11:object=host;token=Sun Metaslot;pinfile=/etc/ssh/pinfile" >> /etc/ssh/sshd_config
root@server:~# pktool import keystore=pkcs11 infile=newkey.pem objtype=key label=host
Enter PIN for Sun Software PKCS#11 softtoken  : superserversecret
Enter PEM pass phrase: supersecret2
Importing 1 keys
root@server:~# egrep -v '^ |^$|^Cert' /export/home/jmoekamp/cacert.pem > /etc/ssh/cert/cacert.cooked.pem
root@server:~# egrep -v '^ |^$|^Cert' newcert.pem > newcert.cooked.pem
root@server:~# pktool import keystore=pkcs11 infile=newcert.cooked.pem objtype=cert label=host
root@server:~#
On the client
junior@client:~$ ls *.pem
cacert.pem  newcert.pem  newkey.pem
root@client:~# kmfcfg create dbfile=/etc/ssh/policy.xml policy=ssh ta-name=search mapper-name=cn
root@client:~# egrep -v '^ |^$|^Cert' /export/home/junior/cacert.pem > /etc/ssh/cert/cacert.cooked.pem
junior@client:~$ pktool setpin
Enter token passphrase: changeme
Create new passphrase: superusersecret
Re-enter new passphrase: superusersecret
Passphrase changed.
junior@client:~$ pktool import keystore=pkcs11 infile=newkey.pem objtype=key label=user
Enter PIN for Sun Software PKCS#11 softtoken  : superusersecret
Enter PEM pass phrase: supersecret3
Importing 1 keys
junior@client:~$ egrep -v '^ |^$|^Cert' newcert.pem > newcert.cooked.pem
junior@client:~$ pktool import keystore=pkcs11 infile=newcert.cooked.pem objtype=cert label=user
Testing it
root@server:~# svcadm disable ssh
root@server:~# svcadm enable ssh
junior@client:~$ cd .ssh
junior@client:~/.ssh$ printf superusersecret >> pinfile
junior@client:~/.ssh$ cat config
Host server-x509
    Hostname server
    TrustedAnchorKeystore /etc/ssh/cert
    KMFPolicyDatabase /etc/ssh/policy.xml
    KMFPolicyName ssh
    IdentityFile pkcs11:object=user;token=Sun Software PKCS#11 softtoken;pinfile=/export/home/junior/.ssh/pinfile
junior@client:~/.ssh$ ssh junior@server-x509
Last login: Thu Sep 26 20:07:14 2013 from client
Oracle Corporation      SunOS 5.11      11.1    September 2013
junior@server:~$
Find more information regarding this feature at
http://www.c0t0d0s0.org/archives/7659-Using-X509-support-for-SSH-on-Solaris-11.1.html
OpenSCAP
„The Security Content Automation Protocol (SCAP) is a method for using specific standards to enable automated vulnerability management, measurement, and policy compliance evaluation (e.g., FISMA compliance). The National Vulnerability Database (NVD) is the U.S. government content repository for SCAP.“
http://en.wikipedia.org/wiki/Security_Content_Automation_Protocol
ftp-banner.xml

<?xml version="1.0" encoding="UTF-8"?>
<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:independent-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd">
  <generator>
    <oval:product_name>Enhanced SCAP Editor</oval:product_name>
    <oval:product_version>0.0.11</oval:product_version>
    <oval:schema_version>5.8</oval:schema_version>
    <oval:timestamp>2012-10-11T10:33:25</oval:timestamp>
  </generator>
  <!--generated.oval.base.identifier=com.oracle.solaris11-->
  <definitions>
    <definition id="oval:com.oracle.solaris11:def:840" version="1" class="compliance">
      <metadata>
        <title>Enable a Warning Banner for the FTP Service</title>
        <affected family="unix">
          <platform>Oracle Solaris 11</platform>
        </affected>
        <description>/etc/proftpd.conf contains DisplayConnect /etc/issue</description>
      </metadata>
      <criteria operator="AND" negate="false" comment="Single test">
        <criterion comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;" test_ref="oval:com.oracle.solaris11:tst:8400" negate="false"/>
      </criteria>
    </definition>
  </definitions>
  <tests>
    <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:com.oracle.solaris11:tst:8400" version="1" check="all" comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;" check_existence="all_exist">
      <object object_ref="oval:com.oracle.solaris11:obj:8400"/>
    </textfilecontent54_test>
  </tests>
  <objects>
    <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:com.oracle.solaris11:obj:8400" version="1" comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;">
      <path datatype="string" operation="equals">/etc</path>
      <filename datatype="string" operation="equals">proftpd.conf</filename>
      <pattern datatype="string" operation="pattern match">^DisplayConnect\s/etc/issue\s*$</pattern>
      <instance datatype="int" operation="greater than or equal">1</instance>
    </textfilecontent54_object>
  </objects>
</oval_definitions>
The object that does the actual work: which file, which regular expression, and how many matches count as compliant.

    <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:com.oracle.solaris11:obj:8400" version="1" comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;">
      <path datatype="string" operation="equals">/etc</path>
      <filename datatype="string" operation="equals">proftpd.conf</filename>
      <pattern datatype="string" operation="pattern match">^DisplayConnect\s/etc/issue\s*$</pattern>
      <instance datatype="int" operation="greater than or equal">1</instance>
    </textfilecontent54_object>
$ oscap oval eval ftp-banner.xml
Definition oval:com.oracle.solaris11:def:840: false
Evaluation done.

$ oscap oval eval --results results.xml --report report.html ftp-banner.xml
Definition oval:com.oracle.solaris11:def:840: false
Evaluation done.
OVAL Results are exported correctly.
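To see what oscap actually evaluates here, the following added example (not part of the slides and not OpenSCAP code) re-implements the textfilecontent54 semantics used by ftp-banner.xml in Python and runs them against two constructed stand-ins for /etc/proftpd.conf, one without and one with the DisplayConnect directive:

```python
"""Mini evaluator for the OVAL textfilecontent54 check in ftp-banner.xml.

Added example, not part of the slides or of OpenSCAP. It implements just
enough OVAL semantics (path + filename + pattern + instance on the object,
check_existence on the test, AND/negate on the criteria) to reproduce why
oscap printed 'Definition oval:com.oracle.solaris11:def:840: false'.
"""
import re
import xml.etree.ElementTree as ET

NS = {
    "def": "http://oval.mitre.org/XMLSchema/oval-definitions-5",
    "ind": "http://oval.mitre.org/XMLSchema/oval-definitions-5#independent",
}

# Trimmed copy of the definition from the slides: generator block and
# schemaLocation dropped, everything the evaluator needs kept verbatim.
FTP_BANNER_XML = r"""<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
  <definitions>
    <definition id="oval:com.oracle.solaris11:def:840" version="1" class="compliance">
      <criteria operator="AND" negate="false" comment="Single test">
        <criterion test_ref="oval:com.oracle.solaris11:tst:8400" negate="false"/>
      </criteria>
    </definition>
  </definitions>
  <tests>
    <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"
        id="oval:com.oracle.solaris11:tst:8400" version="1" check="all" check_existence="all_exist">
      <object object_ref="oval:com.oracle.solaris11:obj:8400"/>
    </textfilecontent54_test>
  </tests>
  <objects>
    <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"
        id="oval:com.oracle.solaris11:obj:8400" version="1">
      <path datatype="string" operation="equals">/etc</path>
      <filename datatype="string" operation="equals">proftpd.conf</filename>
      <pattern datatype="string" operation="pattern match">^DisplayConnect\s/etc/issue\s*$</pattern>
      <instance datatype="int" operation="greater than or equal">1</instance>
    </textfilecontent54_object>
  </objects>
</oval_definitions>
"""

# Constructed stand-ins for /etc/proftpd.conf. The demo box evaluated to
# 'false', so its file looked like NONCOMPLIANT_CONF (no banner directive).
NONCOMPLIANT_CONF = 'ServerName "ProFTPD"\nPort 21\n'
COMPLIANT_CONF = 'ServerName "ProFTPD"\nDisplayConnect /etc/issue\nPort 21\n'


def collect_items(files, obj):
    """Return the lines of the target file that satisfy the object.

    `files` maps absolute paths to contents and stands in for the real
    filesystem so the example runs offline. Only the operations used by
    ftp-banner.xml are implemented.
    """
    path = obj.find("ind:path", NS).text
    filename = obj.find("ind:filename", NS).text
    pattern = re.compile(obj.find("ind:pattern", NS).text, re.MULTILINE)
    inst = obj.find("ind:instance", NS)
    wanted, op = int(inst.text), inst.get("operation")
    content = files.get(path + "/" + filename)
    if content is None:
        return []  # missing file: the object collects nothing
    items = []
    for n, m in enumerate(pattern.finditer(content), start=1):
        if (op == "equals" and n == wanted) or \
           (op == "greater than or equal" and n >= wanted):
            items.append(m.group(0))
    return items


def evaluate_test(test, items):
    """check_existence decides the test result; this test has no state."""
    existence = test.get("check_existence", "at_least_one_exists")
    if existence == "none_exist":
        return not items
    return bool(items)  # all_exist / at_least_one_exists


def evaluate(xml_text, files):
    """Return {definition id: True/False} like 'oscap oval eval' prints."""
    root = ET.fromstring(xml_text)
    tests = {t.get("id"): t for t in root.find("def:tests", NS)}
    objects = {o.get("id"): o for o in root.find("def:objects", NS)}
    results = {}
    for d in root.find("def:definitions", NS):
        crit = d.find("def:criteria", NS)
        values = []
        for c in crit.findall("def:criterion", NS):
            test = tests[c.get("test_ref")]
            obj = objects[test.find("ind:object", NS).get("object_ref")]
            r = evaluate_test(test, collect_items(files, obj))
            values.append(not r if c.get("negate") == "true" else r)
        res = all(values) if crit.get("operator", "AND") == "AND" else any(values)
        results[d.get("id")] = not res if crit.get("negate") == "true" else res
    return results


if __name__ == "__main__":
    for label, conf in (("demo box", NONCOMPLIANT_CONF), ("fixed box", COMPLIANT_CONF)):
        for def_id, ok in evaluate(FTP_BANNER_XML, {"/etc/proftpd.conf": conf}).items():
            print(f"{label}: Definition {def_id}: {str(ok).lower()}")
```

Note that the pattern is strict: `\s` allows exactly one whitespace character between the directive and its argument, so a line with two spaces does not count as compliant.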
To create your own OVAL files: Enhanced SCAP Content Editor
Find more information regarding this feature at
https://blogs.oracle.com/darren/entry/compliance_reporting_with_scap
root@solaris:~# svccfg -s mysql:version_51
svc:/application/database/mysql:version_51> setprop method_context/profile="MySQL Service"
svc:/application/database/mysql:version_51> setprop method_context/use_profile=true
svc:/application/database/mysql:version_51> refresh
svc:/application/database/mysql:version_51> exit
root@solaris:~# ipadm set-prop -p extra_priv_ports+=3306 tcp
root@solaris:~# ipadm show-prop -p extra_priv_ports tcp
PROTO PROPERTY         PERM CURRENT   PERSISTENT DEFAULT   POSSIBLE
tcp   extra_priv_ports rw   2049,4045, --         2049,4045 1-65535
                            3306
svcadm enable mysql:version_51
root@solaris:~# ppriv $(pgrep mysql)
103697: /usr/mysql/5.1/bin/mysqld --basedir=/usr/mysql/5.1 --datadir=/var/mysq
flags = PRIV_XPOLICY
        Extended policies:
                {net_privaddr}:3306/tcp
                {file_write}:/var/mysql/5.1/data/*
                {file_write}:/tmp/mysql.sock
                {file_write}:/var/tmp/ib*
        E: basic,!file_write
        I: basic,!file_write
        P: basic,!file_write
        L: all
103609: /bin/sh /usr/mysql/5.1/bin/mysqld_safe --user=mysql --datadir=/var/mys
flags = PRIV_XPOLICY
        Extended policies:
                {net_privaddr}:3306/tcp
                {file_write}:/var/mysql/5.1/data/*
                {file_write}:/tmp/mysql.sock
                {file_write}:/var/tmp/ib*
        E: basic,!file_write
        I: basic,!file_write
        P: basic,!file_write
        L: all
Find more information regarding this feature at
https://blogs.oracle.com/gfaden/entry/oracle_solaris_extended_policy_and
Passwords
root@client:/etc/security# cat /etc/security/crypt.conf
#
# Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
#ident  "%Z%%M% %I%     %E% SMI"
#
# The algorithm name __unix__ is reserved.

1       crypt_bsdmd5.so.1
2a      crypt_bsdbf.so.1
md5     crypt_sunmd5.so.1
5       crypt_sha256.so.1
6       crypt_sha512.so.1
root@client:/etc/security# cat /etc/security/policy.conf | egrep ^CRYPT_DEFAULT
CRYPT_DEFAULT=5
root@client:/etc/security# cat /etc/shadow | grep junior
junior:$5$4aKvDFqA$2kL8GpuXjrdf8XpanqhylEP5lDhy1DF5uo1ZYx74f3159291440
root@client:/etc/security# cat /etc/default/passwd | grep -v "# " | egrep -v '^$|^#$'
#ident  "%Z%%M% %I%     %E% SMI"
MAXWEEKS=
MINWEEKS=
PASSLENGTH=6
NAMECHECK=NO
HISTORY=0
MINDIFF=3
MINALPHA=2
MINNONALPHA=1
MINUPPER=0
MINLOWER=0
MAXREPEATS=0
MINSPECIAL=0
MINDIGIT=0
WHITESPACE=YES
DICTIONLIST=
DICTIONDBDIR=/var/passwd
root@client:~# mkpwdict -s /usr/share/lib/dict/words
mkpwdict: using default database location: /var/passwd.

or

root@client:~# mkpwdict -s /usr/share/lib/dict/words -d /var/passwd
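The rules in /etc/default/passwd are enforced by pam_authtok_check on the real system; the following added example (not Solaris code, not from the slides) applies the same settings shown above to candidate passwords in Python, with a constructed stand-in for the mkpwdict dictionary and with MINDIFF counted as differing positions, which is an assumption about the exact metric:

```python
"""Apply the /etc/default/passwd rules from the slides to a candidate password.

Added example, not Solaris code: pam_authtok_check(5) does this on the
real system. The policy text is the output shown on the slides; the
dictionary is a constructed stand-in for what mkpwdict(1M) builds in
/var/passwd. MINDIFF is counted here as positions that differ from the
old password, which is an assumption about the exact metric.
"""

PASSWD_DEFAULTS = """\
MAXWEEKS=
MINWEEKS=
PASSLENGTH=6
NAMECHECK=NO
HISTORY=0
MINDIFF=3
MINALPHA=2
MINNONALPHA=1
MINUPPER=0
MINLOWER=0
MAXREPEATS=0
MINSPECIAL=0
MINDIGIT=0
WHITESPACE=YES
DICTIONLIST=
DICTIONDBDIR=/var/passwd
"""

# Constructed stand-in for the dictionary database built by mkpwdict.
DICTIONARY = frozenset({"password", "solaris", "welcome", "letmein"})


def parse_passwd_defaults(text):
    """Return {KEY: value} for the KEY=value lines, ignoring comments."""
    policy = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            policy[key.strip()] = value.strip()
    return policy


def _num(policy, key, default=0):
    """Integer value of a policy key; an empty value means 'not set'."""
    value = policy.get(key, "")
    return int(value) if value else default


def longest_repeat(s):
    """Length of the longest run of one character repeated consecutively."""
    best = run = 0
    for i, ch in enumerate(s):
        run = run + 1 if i and s[i - 1] == ch else 1
        best = max(best, run)
    return best


def check_password(new, old="", login="", policy=None, dictionary=DICTIONARY):
    """Return the list of violated rules; an empty list means accepted."""
    p = policy if policy is not None else parse_passwd_defaults(PASSWD_DEFAULTS)
    problems = []
    alpha = sum(c.isalpha() for c in new)
    upper = sum(c.isupper() for c in new)
    lower = sum(c.islower() for c in new)
    digit = sum(c.isdigit() for c in new)
    space = sum(c.isspace() for c in new)
    special = len(new) - alpha - digit - space  # punctuation and the like
    if len(new) < _num(p, "PASSLENGTH", 6):
        problems.append("PASSLENGTH")
    if alpha < _num(p, "MINALPHA"):
        problems.append("MINALPHA")
    if digit + special < _num(p, "MINNONALPHA"):
        problems.append("MINNONALPHA")
    if upper < _num(p, "MINUPPER"):
        problems.append("MINUPPER")
    if lower < _num(p, "MINLOWER"):
        problems.append("MINLOWER")
    if digit < _num(p, "MINDIGIT"):
        problems.append("MINDIGIT")
    if special < _num(p, "MINSPECIAL"):
        problems.append("MINSPECIAL")
    # MAXREPEATS=0 means the check is off, so only test when it is set
    if _num(p, "MAXREPEATS") and longest_repeat(new) > _num(p, "MAXREPEATS"):
        problems.append("MAXREPEATS")
    if space and p.get("WHITESPACE", "YES").upper() != "YES":
        problems.append("WHITESPACE")
    if p.get("NAMECHECK", "NO").upper() == "YES" and login and \
            (login.lower() in new.lower() or login[::-1].lower() in new.lower()):
        problems.append("NAMECHECK")
    if old:
        differing = sum(1 for a, b in zip(new, old) if a != b) + abs(len(new) - len(old))
        if differing < _num(p, "MINDIFF"):
            problems.append("MINDIFF")
    if new.lower() in dictionary:
        problems.append("DICTIONARY")
    return problems


if __name__ == "__main__":
    for candidate, old in (("abc", ""), ("solaris", ""), ("junior1", ""),
                           ("junior1", "junior2"), ("c0t0d0s0.org", "")):
        verdict = check_password(candidate, old=old, login="junior") or ["ok"]
        print(f"{candidate!r:16} -> {', '.join(verdict)}")
```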
Address Space Layout Randomization
root@solaris:~# sxadm exec -s aslr=disable /usr/bin/pmap self
1914:   /usr/bin/pmap self
1914:   /usr/bin/pmap self
0000000000400000         28K r-x--  /usr/bin/pmap
0000000000417000          4K rw---  /usr/bin/pmap
0000000000418000         40K rw---    [ heap ]
FFFF80FFBDDD0000        216K r-x--  /lib/amd64/libproc.so.1
FFFF80FFBDE16000          8K rw---  /lib/amd64/libproc.so.1
FFFF80FFBF430000       1764K r-x--  /lib/amd64/libc.so.1
FFFF80FFBF5F9000         64K rw---  /lib/amd64/libc.so.1
FFFF80FFBF609000         12K rw---  /lib/amd64/libc.so.1
FFFF80FFBF740000          4K rw---    [ anon ]
FFFF80FFBF750000         24K rwx--    [ anon ]
FFFF80FFBF760000          4K rw---    [ anon ]
FFFF80FFBF770000          4K rw---    [ anon ]
FFFF80FFBF780000          4K rw---    [ anon ]
FFFF80FFBF790000          4K rw---    [ anon ]
FFFF80FFBF792000          4K r--s-    [ anon ]
FFFF80FFBF795000        340K r-x--  /lib/amd64/ld.so.1
FFFF80FFBF7FA000         12K rwx--  /lib/amd64/ld.so.1
FFFF80FFBF7FD000          8K rwx--  /lib/amd64/ld.so.1
FFFF80FFBFFFD000         12K rw---    [ stack ]
 total                  2556K
root@solaris:~# sxadm exec -s aslr=disable /usr/bin/pmap self
1915:   /usr/bin/pmap self
1915:   /usr/bin/pmap self
0000000000400000         28K r-x--  /usr/bin/pmap
0000000000417000          4K rw---  /usr/bin/pmap
0000000000418000         40K rw---    [ heap ]
FFFF80FFBDDD0000        216K r-x--  /lib/amd64/libproc.so.1
FFFF80FFBDE16000          8K rw---  /lib/amd64/libproc.so.1
FFFF80FFBF430000       1764K r-x--  /lib/amd64/libc.so.1
FFFF80FFBF5F9000         64K rw---  /lib/amd64/libc.so.1
FFFF80FFBF609000         12K rw---  /lib/amd64/libc.so.1
FFFF80FFBF740000          4K rw---    [ anon ]
FFFF80FFBF750000         24K rwx--    [ anon ]
FFFF80FFBF760000          4K rw---    [ anon ]
FFFF80FFBF770000          4K rw---    [ anon ]
FFFF80FFBF780000          4K rw---    [ anon ]
FFFF80FFBF790000          4K rw---    [ anon ]
FFFF80FFBF792000          4K r--s-    [ anon ]
FFFF80FFBF795000        340K r-x--  /lib/amd64/ld.so.1
FFFF80FFBF7FA000         12K rwx--  /lib/amd64/ld.so.1
FFFF80FFBF7FD000          8K rwx--  /lib/amd64/ld.so.1
FFFF80FFBFFFD000         12K rw---    [ stack ]
 total                  2556K
root@solaris:~# sxadm exec -s aslr=enable /usr/bin/pmap self
1917:   /usr/bin/pmap self
1917:   /usr/bin/pmap self
0000000000400000         28K r-x--  /usr/bin/pmap
0000000000417000          4K rw---  /usr/bin/pmap
0000000000418000          8K rw---  /usr/bin/pmap
00000005D6666000         36K rw---    [ heap ]
00007FF669C70000        216K r-x--  /lib/amd64/libproc.so.1
00007FF669CB6000          8K rw---  /lib/amd64/libproc.so.1
00007FF669CC0000          4K rw---    [ anon ]
00007FF669CD0000         24K rwx--    [ anon ]
00007FF669CE0000          4K rw---    [ anon ]
00007FF669CF0000       1764K r-x--  /lib/amd64/libc.so.1
00007FF669EB9000         64K rw---  /lib/amd64/libc.so.1
00007FF669EC9000         12K rw---  /lib/amd64/libc.so.1
00007FF669ED0000          4K rw---    [ anon ]
00007FF669EE0000          4K rw---    [ anon ]
00007FF669EF0000          4K rw---    [ anon ]
00007FF669EF2000          4K r--s-    [ anon ]
00007FF669EFC000        340K r-x--  /lib/amd64/ld.so.1
00007FF669F61000         12K rwx--  /lib/amd64/ld.so.1
00007FF669F64000          8K rwx--  /lib/amd64/ld.so.1
FFFF80DDA254F000         16K rw---    [ stack ]
 total                  2564K
root@solaris:~# sxadm exec -s aslr=enable /usr/bin/pmap self
1918:   /usr/bin/pmap self
1918:   /usr/bin/pmap self
0000000000400000         28K r-x--  /usr/bin/pmap
0000000000417000          4K rw---  /usr/bin/pmap
0000000000418000          8K rw---  /usr/bin/pmap
000000065B76D000         36K rw---    [ heap ]
00007FFAACFC0000        216K r-x--  /lib/amd64/libproc.so.1
00007FFAAD006000          8K rw---  /lib/amd64/libproc.so.1
00007FFAAD010000          4K rw---    [ anon ]
00007FFAAD020000         24K rwx--    [ anon ]
00007FFAAD030000          4K rw---    [ anon ]
00007FFAAD040000       1764K r-x--  /lib/amd64/libc.so.1
00007FFAAD209000         64K rw---  /lib/amd64/libc.so.1
00007FFAAD219000         12K rw---  /lib/amd64/libc.so.1
00007FFAAD220000          4K rw---    [ anon ]
00007FFAAD230000          4K rw---    [ anon ]
00007FFAAD240000          4K rw---    [ anon ]
00007FFAAD242000          4K r--s-    [ anon ]
00007FFAAD24D000        340K r-x--  /lib/amd64/ld.so.1
00007FFAAD2B2000         12K rwx--  /lib/amd64/ld.so.1
00007FFAAD2B5000          8K rwx--  /lib/amd64/ld.so.1
FFFF80DE1559E000         12K rw---    [ stack ]
root@solaris:~# sxadm info
EXTENSION           STATUS                         CONFIGURATION
aslr                enabled (tagged-files)         system default (default)

root@solaris:~# elfdump -d /usr/bin/pmap | grep ASLR
      [33]  SUNW_ASLR         0x2                 ENABLE

root@solaris:~# elfedit -e 'dyn:sunw_aslr disable' /usr/bin/pmap

root@solaris:~# elfdump -d /usr/bin/pmap | grep ASLR
      [33]  SUNW_ASLR         0x1                 DISABLE
root@solaris:~# sxadm enable -c model=all aslr
root@solaris:~# sxadm info
EXTENSION           STATUS                         CONFIGURATION
aslr                enabled (all)                  enabled (all)

root@solaris:~# sxadm disable aslr
root@solaris:~# sxadm info
EXTENSION           STATUS                         CONFIGURATION
aslr                disabled                       disabled

root@solaris:~# sxadm enable -c model=tagged-files aslr
root@solaris:~# sxadm info
EXTENSION           STATUS                         CONFIGURATION
aslr                enabled (tagged-files)         enabled (tagged-files)
pfedit
root@template:/etc/apache2/2.2# profiles -p "httpd edit"
profiles:httpd edit> set auths=solaris.admin.edit//etc/apache2/2.2/httpd.conf
profiles:httpd edit> set desc="Edit httpd"
profiles:httpd edit> exit
root@template:/etc/apache2/2.2# usermod -P +"httpd edit" junior
junior@template:~$ profiles
httpd edit
Basic Solaris User
All
junior@template:~$ vi /etc/apache2/2.2/httpd.conf
junior@template:~$ pfedit /etc/apache2/2.2/httpd.conf
pfedit: /etc/apache2/2.2/httpd.conf has been updated.
junior@template:~$ pfedit /etc/apache2/2.2/mime.types
pfedit: User junior is not authorized to edit the file /etc/apache2/2.2/mime.types
root@template:/etc/apache2/2.2# profiles -p "httpd edit"
profiles:httpd edit> info
        name=httpd edit
        desc=Edit httpd
        auths=solaris.admin.edit//etc/apache2/2.2/httpd.conf
profiles:httpd edit> add auths=solaris.admin.edit//etc/apache2/2.2/mime.types
junior@template:~$ pfedit /etc/apache2/2.2/mime.types
pfedit: no changes for /etc/apache2/2.2/mime.types
profiles -p "httpd configure"
profiles:httpd configure> add always_audit=as
profiles:httpd configure> info
        name=httpd configure
        desc=Configure httpd
        auths=solaris.admin.edit//etc/apache2/2.2/httpd.conf,solaris.admin.edit//etc/apache2/2.2/mime.types
        always_audit=as
        never_audit=no
profiles:httpd configure> exit
root@template:~#
root@template:~# auditreduce -c as | praudit
[...]
header,486,2,edit administrative file,,fe80::a00:27ff:fea6:33cb,2013-08-12 07:45:52.306 +00:00
subject,junior,junior,staff,junior,staff,4212,4474671663,69 136704 MacBook-Pro-of-c0t0d0s0.fritz.box
path,/etc/apache2/2.2/httpd.conf
use of authorization,solaris.admin.edit//etc/apache2/2.2/httpd.conf
text,--- /etc/apache2/2.2/httpd.conf Mo Aug 12 07:45:00 2013
+++ /etc/apache2/2.2/httpd.conf.pfedit.1BaGoi Mo Aug 12 07:45:52 2013
@@ -1,5 +1,6 @@
 #Test
 #Test 2
+#Test 3
 #
 # This is the main Apache HTTP server configuration file.  It contains the
 # configuration directives that give the server its instructions.
return,success,0
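Both praudit records in this deck (the execve(2) record from the audit section and the pfedit record above) are worth more than a glance, so here is an added example (not from the slides, not Solaris code) that parses praudit text into records and pulls out the two things a reviewer wants: which authorization was used on which file, and who the audit user behind a root action was. The sample input is constructed from those two records:

```python
"""Parse praudit(1M) text output and pull out the facts a reviewer wants.

Added example, not from the slides or Solaris. SAMPLE is constructed from
the two records shown on the slides: the execve(2) record of jmoekamp
working as root, and the 'edit administrative file' record pfedit wrote
for junior. It shows how the audit user survives su(1M) and how the
'use of authorization' and multi-line 'text' (diff) tokens are recovered.
"""

SAMPLE = """\
header,139,2,execve(2),,client,2013-09-12 18:40:55.924 +00:00
path,/usr/sbin/auditreduce
attribute,100555,root,bin,65538,65875,18446744073709551615
subject,jmoekamp,root,root,root,root,2054,1440080956,2480 202240 192.168.10.1
return,success,0
header,486,2,edit administrative file,,fe80::a00:27ff:fea6:33cb,2013-08-12 07:45:52.306 +00:00
subject,junior,junior,staff,junior,staff,4212,4474671663,69 136704 MacBook-Pro-of-c0t0d0s0.fritz.box
path,/etc/apache2/2.2/httpd.conf
use of authorization,solaris.admin.edit//etc/apache2/2.2/httpd.conf
text,--- /etc/apache2/2.2/httpd.conf Mo Aug 12 07:45:00 2013
+++ /etc/apache2/2.2/httpd.conf.pfedit.1BaGoi Mo Aug 12 07:45:52 2013
@@ -1,5 +1,6 @@
 #Test
 #Test 2
+#Test 3
return,success,0
"""

# Token names praudit prints at the start of a line (the subset used here).
TOKENS = ("header", "trailer", "subject", "path", "attribute", "return", "text",
          "use of authorization", "exec_args", "argument", "privilege", "zone")
SUBJECT_FIELDS = ("audit_user", "uid", "gid", "ruid", "rgid", "pid", "sid", "tid")


def parse_praudit(text):
    """Split praudit text into records: {'event', 'host', 'time', 'tokens'}."""
    records, rec = [], None
    for line in text.splitlines():
        name = next((t for t in TOKENS if line == t or line.startswith(t + ",")), None)
        if name is None:
            # not a token: continuation of a multi-line text token (e.g. a diff)
            if rec and rec["tokens"]:
                rec["tokens"][-1]["fields"][-1] += "\n" + line
            continue
        fields = line[len(name) + 1:].split(",") if len(line) > len(name) else []
        if name == "header":
            rec = {"event": fields[2], "host": fields[4], "time": fields[5], "tokens": []}
            records.append(rec)
        if rec is not None:
            rec["tokens"].append({"name": name, "fields": fields})
    return records


def token(rec, name):
    """Fields of the first token called `name` in the record, or None."""
    return next((t["fields"] for t in rec["tokens"] if t["name"] == name), None)


def subject(rec):
    """The subject token as a dict keyed by SUBJECT_FIELDS, or None."""
    fields = token(rec, "subject")
    return dict(zip(SUBJECT_FIELDS, fields)) if fields else None


def authorization_uses(records):
    """(audit user, authorization, path) for each 'use of authorization' token."""
    out = []
    for rec in records:
        auth = token(rec, "use of authorization")
        if auth:
            path = token(rec, "path")
            out.append((subject(rec)["audit_user"], auth[0], path[0] if path else None))
    return out


def acting_as_other_user(records):
    """(audit user, effective uid, event) where the two users differ.

    The audit user is fixed at login and is not changed by su(1M), so this
    is how a root action is attributed to the person who really ran it.
    """
    out = []
    for rec in records:
        s = subject(rec)
        if s and s["audit_user"] != s["uid"]:
            out.append((s["audit_user"], s["uid"], rec["event"]))
    return out


if __name__ == "__main__":
    recs = parse_praudit(SAMPLE)
    print(f"{len(recs)} records")
    for who, auth, path in authorization_uses(recs):
        print(f"{who} used {auth} on {path}")
    for who, as_user, event in acting_as_other_user(recs):
        print(f"{who} ran {event} as {as_user}")
```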
Delegating privilege to restart services (so you can keep the root password)
junior@template:~$ svcadm refresh apache22
svcadm: svc:/network/http:apache22: Permission denied.
svcs -a | grep apache22
online         15:30:29 svc:/network/http:apache22
auths add -t "Apache22 value" solaris.smf.value.http.apache22
auths add -t "Apache22 action" solaris.smf.action.http.apache22
svccfg -s apache22 setprop general/value_authorization = astring: solaris.smf.value.http.apache22
svccfg -s apache22 setprop general/action_authorization = astring: solaris.smf.action.http.apache22
profiles -p "httpd edit" add auths=solaris.smf.action.http.apache22
junior@template:~$ svcadm refresh apache22
junior@template:~$
Privileges
$ ls -l /usr/sbin/traceroute
-r-sr-xr-x   1 root     bin        42324 Nov 21 00:09 /usr/sbin/traceroute
$ ls -l /usr/sbin/ping
-r-sr-xr-x   1 root     bin        51396 Nov 18 19:31 /usr/sbin/ping

set-uid to root: ping needs it to work
# chmod -s /sbin/ping
# exit
$ ping -s 192.168.1.132
ping: socket Permission denied

Remove the set-uid bit and ping stops working.
jmoekamp@daddelkiste:~$ ppriv $$
2153:   -bash
flags = <none>
        E: basic
        I: basic
        P: basic
        L: all
The full privilege set (what ppriv expands "L: all" to):

contract_event, contract_identity, contract_observer, cpc_cpu,
dtrace_kernel, dtrace_proc, dtrace_user,
file_chown, file_chown_self, file_dac_execute, file_dac_read, file_dac_search, file_dac_write, file_downgrade_sl, file_flag_set, file_link_any, file_owner, file_read, file_setid, file_upgrade_sl, file_write,
graphics_access, graphics_map,
ipc_dac_read, ipc_dac_write, ipc_owner,
net_access, net_bindmlp, net_icmpaccess, net_mac_aware, net_mac_implicit, net_observability, net_privaddr, net_rawaccess,
proc_audit, proc_chroot, proc_clock_highres, proc_exec, proc_fork, proc_info, proc_lock_memory, proc_owner, proc_priocntl, proc_session, proc_setid, proc_taskid, proc_zone,
sys_acct, sys_admin, sys_audit, sys_config, sys_devices, sys_dl_config, sys_flow_config, sys_ib_config, sys_ib_info, sys_ip_config, sys_ipc_config, sys_iptun_config, sys_linkdir, sys_mount, sys_net_config, sys_nfs, sys_ppp_config, sys_res_bind, sys_res_config, sys_resource, sys_share, sys_smb, sys_suser_compat, sys_time, sys_trans_label,
win_colormap, win_config, win_dac_read, win_dac_write, win_devices, win_dga, win_downgrade_sl, win_fontpath, win_mac_read, win_mac_write, win_selection, win_upgrade_sl
All privileges in their entirety assigned to one user are
(almost)
Neat extension in Solaris 11: the ability to use networking is now a privilege (net_access). It is part of the default basic set of privileges, but you can remove it.
jmoekamp@daddelkiste:~$ ppriv -v $$
2153:   -bash
flags = <none>
        E: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
        I: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
        P: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
        L: contract_event,contract_identity,contract_observer,cpc_cpu,dtrace_kernel,dtrace_proc,dtrace_user,file_chown,file_chown_self,file_dac_execute,file_dac_read,file_dac_search,file_dac_write,file_downgrade_sl,file_flag_set,file_link_any,file_owner,file_read,file_setid,file_upgrade_sl,file_write,graphics_access,graphics_map,ipc_dac_read,ipc_dac_write,ipc_owner,net_access,net_bindmlp,net_icmpaccess,net_mac_aware,net_mac_implicit,net_observability,net_privaddr,net_rawaccess,proc_audit,proc_chroot,proc_clock_highres,proc_exec,proc_fork,proc_info,proc_lock_memory,proc_owner,proc_priocntl,proc_session,proc_setid,proc_taskid,proc_zone,sys_acct,sys_admin,sys_audit,sys_config,sys_devices,sys_dl_config,sys_flow_config,sys_ib_config,sys_ib_info,sys_ip_config,sys_ipc_config,sys_iptun_config,sys_linkdir,sys_mount,sys_net_config,sys_nfs,sys_ppp_config,sys_res_bind,sys_res_config,sys_resource,sys_share,sys_smb,sys_suser_compat,sys_time,sys_trans_label,win_colormap,win_config,win_dac_read,win_dac_write,win_devices,win_dga,win_downgrade_sl,win_fontpath,win_mac_read,win_mac_write,win_selection,win_upgrade_sl
root@daddelkiste:~# ppriv $$
2183:   -bash
flags = <none>
        E: all
        I: basic
        P: all
        L: all
junior@daddelkiste:~$ dtrace -n 'syscall:::entry { @num[execname] = count(); }'
dtrace: failed to initialize dtrace: DTrace requires additional privileges
root@daddelkiste:~# usermod -K defaultpriv=basic,dtrace_kernel,dtrace_proc,dtrace_user junior
UX: usermod: junior is currently logged in, some changes may not take effect until next login.
junior@daddelkiste:~$ dtrace -n 'syscall:::entry { @num[execname] = count(); }'
dtrace: description 'syscall:::entry ' matched 211 probes
^C

  automountd                                                        1
  sshd                                                             24
  dtrace                                                          544
  auditd                                                          564
# ps -ef | grep kcfd
  daemon   125     1   0 14:24:19 ?           0:00 /usr/lib/crypto/kcfd
    root   734   728   0 15:54:08 pts/1       0:00 grep kcfd
# ppriv -v 125
125:    /usr/lib/crypto/kcfd
flags = PRIV_AWARE
        E: file_owner,proc_priocntl,sys_devices
        I: none
        P: file_owner,proc_priocntl,sys_devices
        L: none
svcadm -v enable -s apache2
svc:/network/http:apache2 enabled.
jmoekamp@client:~$ ps -ef | grep http
webservd  1978  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1979  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1980  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1984  1975   0 12:20:02 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
    root  1975     1   0 12:19:14 ?           0:01 /usr/apache2/2.2/bin/httpd -k start
webservd  1977  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1976  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
root@client:~# ppriv 1977
1977:   /usr/apache2/2.2/bin/httpd -k start
flags = <none>
        E: basic
        I: basic
        P: basic
        L: all
root@client:~# ppriv 1975
1975:   /usr/apache2/2.2/bin/httpd -k start
flags = <none>
        E: all
        I: basic
        P: all
        L: all
root@client:~#
The apache parent process running as root (pid 1975) has all of the privileges listed above (E: all).
The other processes, running as webservd, have only the basic set.
contract_eventcontract_identitycontract_observercpc_cpudtrace_kerneldtrace_procdtrace_userfile_chownfile_chown_selffile_dac_executefile_dac_readfile_dac_searchfile_dac_writefile_downgrade_slfile_flag_setfile_link_anyfile_ownerfile_readfile_setidfile_upgrade_slfile_writegraphics_accessgraphics_mapipc_dac_readipc_dac_writeipc_ownernet_accessnet_bindmlpnet_icmpaccessnet_mac_awarenet_mac_implicitnet_observabilitynet_privaddrnet_rawaccessproc_auditproc_chrootproc_clock_highresproc_execproc_forkproc_infoproc_lock_memoryproc_ownerproc_priocntlproc_sessionproc_setidproc_taskidproc_zonesys_acctsys_adminsys_auditsys_configsys_devicessys_dl_configsys_flow_configsys_ib_configsys_ib_infosys_ip_configsys_ipc_configsys_iptun_configsys_linkdirsys_mountsys_net_configsys_nfssys_ppp_configsys_res_bindsys_res_configsys_resourcesys_sharesys_smbsys_suser_compatsys_timesys_trans_labelwin_colormapwin_configwin_dac_readwin_dac_writewin_deviceswin_dgawin_downgrade_slwin_fontpathwin_mac_readwin_mac_writewin_selectionwin_upgrade_sl
Apache really needs
c0t0d0s0org68
contract_eventcontract_identitycontract_observercpc_cpudtrace_kerneldtrace_procdtrace_userfile_chownfile_chown_selffile_dac_executefile_dac_readfile_dac_searchfile_dac_writefile_downgrade_slfile_flag_setfile_link_anyfile_ownerfile_readfile_setidfile_upgrade_slfile_writegraphics_accessgraphics_mapipc_dac_readipc_dac_writeipc_ownernet_accessnet_bindmlpnet_icmpaccessnet_mac_awarenet_mac_implicitnet_observabilitynet_privaddrnet_rawaccessproc_auditproc_chrootproc_clock_highresproc_execproc_forkproc_infoproc_lock_memoryproc_ownerproc_priocntlproc_sessionproc_setidproc_taskidproc_zonesys_acctsys_adminsys_auditsys_configsys_devicessys_dl_configsys_flow_configsys_ib_configsys_ib_infosys_ip_configsys_ipc_configsys_iptun_configsys_linkdirsys_mountsys_net_configsys_nfssys_ppp_configsys_res_bindsys_res_configsys_resourcesys_sharesys_smbsys_suser_compatsys_timesys_trans_labelwin_colormapwin_configwin_dac_readwin_dac_writewin_deviceswin_dgawin_downgrade_slwin_fontpathwin_mac_readwin_mac_writewin_selectionwin_upgrade_sl
So you grant a large number of privileges to one process Apache donlsquot need
root@client:~# svcadm -v disable -s apache2
svc:/network/http:apache2 disabled.

root@client:~# svccfg -s apache22
svc:/network/http:apache22> setprop start/user = astring: webservd
svc:/network/http:apache22> setprop start/group = astring: webservd
svc:/network/http:apache22> setprop start/privileges = astring: basic,proc_session,proc_info,file_link_any,net_privaddr
svc:/network/http:apache22> setprop start/limit_privileges = astring: :default
svc:/network/http:apache22> setprop start/use_profile = boolean: false
svc:/network/http:apache22> setprop start/supp_groups = astring: :default
svc:/network/http:apache22> setprop start/working_directory = astring: :default
svc:/network/http:apache22> setprop start/project = astring: :default
svc:/network/http:apache22> setprop start/resource_pool = astring: :default
svc:/network/http:apache22> end
root@client:~# svcadm -v refresh apache22
Action refresh set for svc:/network/http:apache22.

# echo "LockFile /var/apache2/2.2/logs/accept.lock" >> /etc/apache2/2.2/httpd.conf
# echo "PidFile /var/apache2/2.2/run/httpd.pid" >> /etc/apache2/2.2/httpd.conf
# mkdir -p -m 755 /var/apache2/2.2/run
# chown webservd:webservd /var/apache2/2.2/run
# svcadm enable apache22

The httpd processes now run as webservd:
webservd  3064  3061  0 16:49:18 ?  0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3062  3061  0 16:49:18 ?  0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3063  3061  0 16:49:18 ?  0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3066  3061  0 16:49:18 ?  0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3061     1  0 16:49:17 ?  0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3065  3061  0 16:49:18 ?  0:00 /usr/apache2/2.2/bin/httpd -k start
Read-only zone root

zonecfg:testzone> set file-mac-profile=none
    Standard read-write non-global zone with no additional protection beyond the existing zones boundaries.

zonecfg:testzone> set file-mac-profile=strict
    Read-only file system, no exceptions.

zonecfg:testzone> set file-mac-profile=fixed-configuration
    Permits updates to /var/* directories, with the exception of directories that contain system configuration components.

zonecfg:testzone> set file-mac-profile=flexible-configuration
    Permits modification of files in /etc/* directories, changes to root's home directory, and updates to /var/* directories. This configuration provides the closest functionality to the Oracle Solaris 10 native sparse root zone.
in-kernel SSL Proxy

# mkdir /etc/keys
# cd /etc/keys
# openssl req -x509 -nodes -days 365 -subj "/C=DE/ST=Hamburg/L=Hamburg/CN=server" -newkey rsa:1024 -keyout /etc/keys/mykey.pem -out /etc/keys/mycert.pem
# cat mycert.pem mykey.pem > my.pem
# chmod 600 my.pem

# echo "pass" > /etc/keys/mypass
# ksslcfg create -f pem -i /etc/keys/my.pem -x 8080 -p /etc/keys/mypass server 443

The same, restricted to a list of cipher suites:
# ksslcfg create -f pem -i /etc/keys/my.pem -x 8080 -p /etc/keys/mypass -c "rsa_aes_256_cbc_sha,rsa_aes_128_cbc_sha,rsa_rc4_128_sha,rsa_rc4_128_md5" server 443

# svcs -a | grep kssl
online          9:03:33 svc:/network/ssl/proxy:kssl-server-443

# svcadm disable apache22
# echo "Listen 192.168.178.108:8080" >> /etc/apache2/2.2/httpd.conf
# svcadm enable apache22
Port number and IP address have to be defined in httpd.conf, otherwise it will not work.

# openssl s_client -connect server:443
CONNECTED(00000004)
depth=0 /C=DE/ST=Hamburg/L=Hamburg/CN=server
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=DE/ST=Hamburg/L=Hamburg/CN=server
verify return:1
---
Certificate chain
 0 s:/C=DE/ST=Hamburg/L=Hamburg/CN=server
   i:/C=DE/ST=Hamburg/L=Hamburg/CN=server
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICoTCCAgqgAwIBAgIJAKyJdj[...]V5jX3MU=
-----END CERTIFICATE-----
subject=/C=DE/ST=Hamburg/L=Hamburg/CN=server
issuer=/C=DE/ST=Hamburg/L=Hamburg/CN=server
---
No client certificate CA names sent
---
SSL handshake has read 817 bytes and written 328 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-SHA
    Session-ID: 32CEF20CB9FE2A71C74D40BB2DB5CB304DA1B57540B7CFDD113915B99DBE9812
    Session-ID-ctx:
    Master-Key: 1E7B502390951124779C5763B5E4BBAF0A9B0693D08DCA8A587B503A5C5027B6FAD9CA7626B1AD8C62219E8502A5C21E
    Key-Arg   : None
    Start Time: 1242985143
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
GET / HTTP/1.0

HTTP/1.1 200 OK
Date: Fri, 22 May 2009 09:39:13 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8a DAV/2
Last-Modified: Thu, 21 May 2009 21:26:30 GMT
ETag: "341f3-2c-46a72cc211a8f"
Accept-Ranges: bytes
Content-Length: 44
Connection: close
Content-Type: text/html

<html><body><h1>It works!</h1></body></html>
read:errno=0
ZFS Encryption

# zfs create -o encryption=on rpool/export/project

Two keys are involved:
wrapping key (user settable)
encryption key (random, not user settable)
Locations for the wrapping key: prompt, file://, https://, pkcs11:

Available algorithms: aes-128-ccm (=on), aes-192-ccm, aes-256-ccm, aes-128-gcm, aes-192-gcm, aes-256-gcm

# zfs set checksum=sha256+mac <dataset>
When encryption is enabled (anything but encryption=off), this happens automatically, and the checksum property is read-only from then on.

# pktool genkey keystore=pkcs11 keytype=aes keylen=128 label=mykey
Enter PIN for Sun Software PKCS#11 softtoken:
# zfs create -o encryption=on -o keysource=raw,pkcs11:object=mykey tank/project/C
Enter PKCS#11 token PIN for 'tank/project/C':

# zfs create -o encryption=on -o keysource=raw,https://keys.example.com/mykey tank/project/R
# cp myserver.cert.pem /etc/certs/CA/
# svcadm refresh ca-certificates

Changing the wrapping key:
$ zfs key -c rpool/export/project
Enter new passphrase for 'rpool/export/project':

Changing the encryption key for data written from now on:
# zfs key -K tank/project/A
# zfs clone -K tank/project/A@montag tank/project/D
Creates a new data encryption key. Data written in the clone uses the new data encryption key, which is distinct from its original snapshot.
Solaris Cryptographic Framework

As soon as Solaris detects hardware acceleration for cryptography, Solaris will use it (and so will applications using the Oracle-supplied OpenSSL library or the direct interfaces):
• on-chip crypto accelerator in T and current M series chips
• instruction set extensions in Intel processors (AES-NI)
• supported crypto accelerator cards

Just a side note: T-series crypto acceleration and Intel x86 acceleration have pretty different performance characteristics.
T-series: acceleration by offloading crypto outside the pipeline.
Intel x86: acceleration by offering special in-pipeline instructions to accelerate execution.
Sounds like splitting hairs...
Using ZFS to do two-factor encryption

jmoekamp@solaris:~$ rmformat
Looking for devices...
     1. Logical Node: /dev/rdsk/c10t0d0p0
        Physical Node: /pci@0,0/pci8086,265c@b/storage@2/disk@0,0
        Connected Device: SanDisk  U3 Cruzer Micro  8.02
        Device Type: Removable
        Bus: USB
        Size: 3.8 GB
        Label:
        Access permissions: Medium is not write protected
(...)
     3. Logical Node: /dev/rdsk/c9t0d0p0
        Physical Node: /pci@0,0/pci8086,265c@b/storage@1/disk@0,0
        Connected Device: SanDisk  U3 Cruzer Micro  8.02
        Device Type: Removable
        Bus: USB
        Size: 3.8 GB
        Label:
        Access permissions: Medium is not write protected

root@solaris:~# zpool create a_keystore_usbstick /dev/dsk/c10t0d0p0
root@solaris:~# zpool create datastore /dev/dsk/c9t0d0p0

root@solaris:~# zfs create -o encryption=on a_keystore_usbstick/keys
Enter passphrase for 'a_keystore_usbstick/keys': supersecret
Enter again: supersecret

root@solaris:~# pktool genkey keystore=file keytype=aes keylen=128 outkey=/a_keystore_usbstick/keys/joergsdatastick.key

root@solaris:~# zfs create -o encryption=on -o keysource=raw,file:///a_keystore_usbstick/keys/joergsdatastick.key datastick/joergssecrets

root@solaris:/datastick/joergssecrets# mv /home/jmoekamp/highlyconfidential_nda_preso.tgz .

root@solaris:~# zpool export a_keystore_usbstick
root@solaris:~# zpool export datastick

root@solaris:~# zpool import a_keystore_usbstick
Enter passphrase for 'a_keystore_usbstick/keys': supersecret
root@solaris:~#

root@solaris:~# zpool import datastick
root@solaris:~# cd /datastick/joergssecrets
root@solaris:/datastick/joergssecrets# ls
highconfidential_nda_preso.tgz
Basic Auditing and Reporting Tool

# mkdir /bart-files
# bart create -R /etc > /bart-files/etc.control.manifest

# cat etc.control.manifest | grep nsswitch.nisplus
/nsswitch.nisplus F 2525 100644 user::rw-,group::r--,mask:r--,other:r-- 473976b5 0 3 79e8fd689a5221d1cd059e5077da71b8

# touch /etc/thisisjustatest
# chmod 777 /etc/nsswitch.files
# echo "just a test" >> /etc/nsswitch.nisplus

# bart create -R /etc > /bart-files/etc.check20130911.manifest

# cd /bart-files
# bart compare etc.control.manifest etc.check20130911.manifest
/nsswitch.files:
  mode  control:100644  test:100777
  acl  control:user::rw-,group::r--,mask:r--,other:r--  test:user::rwx,group::rwx,mask:rwx,other:rwx
/nsswitch.nisplus:
  size  control:2525  test:2538
  mtime  control:473976b5  test:47a44862
  contents  control:79e8fd689a5221d1cd059e5077da71b8  test:3f79176ec352441db11ec8a3d02ef67c
/thisisjustatest:
  add

Find more information regarding this feature at http://www.c0t0d0s0.org/archives/4069-Less-known-Solaris-features-BART.html
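What bart does under the hood is a baseline manifest of file attributes plus a content hash, and a field-by-field diff between two manifests. The following is an added example (not bart itself and not the author's code) that reproduces the create/compare logic in Python and replays the slides' scenario (touch, chmod 777, append) on a constructed temporary directory standing in for /etc. The field set, the octal mode, the hex mtime and the MD5 content digest mirror the manifest line shown above; the report layout mirrors bart compare's output.

```python
"""BART-style baseline manifest create/compare in Python (added example, not bart(1M) itself)."""
import hashlib
import os
import stat
import tempfile

# Per-file fields recorded, mirroring what a bart manifest entry carries
FIELDS = ("type", "size", "mode", "mtime", "uid", "gid", "contents")


def _entry(path):
    """Describe one file system object the way a bart manifest line does."""
    st = os.lstat(path)
    if stat.S_ISDIR(st.st_mode):
        ftype, digest = "D", "-"
    elif stat.S_ISLNK(st.st_mode):
        ftype, digest = "L", "-"
    else:
        ftype = "F"
        h = hashlib.md5()  # bart records an MD5 of regular-file contents
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        digest = h.hexdigest()
    return {
        "type": ftype,
        "size": str(st.st_size),
        "mode": "%o" % st.st_mode,          # full st_mode in octal, e.g. 100644
        "mtime": "%x" % int(st.st_mtime),   # bart prints mtime as hex seconds
        "uid": str(st.st_uid),
        "gid": str(st.st_gid),
        "contents": digest,
    }


def create_manifest(root):
    """Equivalent of `bart create -R root`: {name relative to root: entry}."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            manifest["/" + os.path.relpath(full, root)] = _entry(full)
    return manifest


def compare_manifests(control, test):
    """Equivalent of `bart compare control test`.

    Returns {name: [(field, control_value, test_value), ...]}; a file only in the
    test manifest yields [("add", None, None)], a vanished one [("delete", None, None)].
    """
    report = {}
    for name in sorted(set(control) | set(test)):
        if name not in control:
            report[name] = [("add", None, None)]
        elif name not in test:
            report[name] = [("delete", None, None)]
        else:
            diffs = [(f, control[name][f], test[name][f])
                     for f in FIELDS if control[name][f] != test[name][f]]
            if diffs:
                report[name] = diffs
    return report


def format_report(report):
    """Render the comparison in the layout bart compare prints."""
    lines = []
    for name, diffs in report.items():
        lines.append(name + ":")
        for field, ctl, tst in diffs:
            lines.append("  %s" % field if ctl is None
                         else "  %s  control:%s  test:%s" % (field, ctl, tst))
    return "\n".join(lines)


def demo():
    """Replay the slides' scenario on a constructed directory standing in for /etc."""
    with tempfile.TemporaryDirectory() as root:
        ns_files = os.path.join(root, "nsswitch.files")
        ns_nis = os.path.join(root, "nsswitch.nisplus")
        with open(ns_files, "w") as f:
            f.write("passwd: files\n")
        with open(ns_nis, "w") as f:
            f.write("passwd: nisplus\n")
        os.chmod(ns_files, 0o644)
        os.chmod(ns_nis, 0o644)
        control = create_manifest(root)  # bart create -R /etc > etc.control.manifest
        # the three changes made on the slides
        open(os.path.join(root, "thisisjustatest"), "w").close()  # touch
        os.chmod(ns_files, 0o777)                                  # chmod 777
        with open(ns_nis, "a") as f:                               # echo "just a test" >>
            f.write("just a test\n")
        return compare_manifests(control, create_manifest(root))


if __name__ == "__main__":
    print(format_report(demo()))
```

The mtime field only shows up in the report when the append lands in a different second than the baseline, which is why a real integrity check relies on the contents digest and not on timestamps alone.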
Apropos Auditing

Auditing is activated by default:

root@client:~# auditconfig -getflags
active user default audit flags = lo(0x1000,0x1000)
configured user default audit flags = lo(0x1000,0x1000)
root@client:~# auditconfig -getnaflags
active non-attributable audit flags = lo(0x1000,0x1000)
configured non-attributable audit flags = lo(0x1000,0x1000)

root@client:~# auditconfig -getpolicy
configured audit policies = cnt
active audit policies = cnt
Policy regarding auditing (explanation on the next slide):

root@client:~# auditconfig -lspolicy
policy string    description
ahlt             halt machine if it can not record an async event
all              all policies
arge             include exec environment args in audit recs
argv             include exec command line args in audit recs
cnt              when no more space, drop recs and keep a cnt
group            include supplementary groups in audit recs
none             no policies
path             allow multiple paths per event
perzone          use a separate queue and auditd per zone
public           audit public files
seq              include a sequence number in audit recs
trail            include trailer token in audit recs
windata_down     include downgraded window information in audit recs
windata_up       include upgraded window information in audit recs
zonename         include zonename token in audit recs
Which degree of detail? What happens with full disks?

root@client:~# auditconfig -getplugin
Plugin: audit_binfile (active)
        Attributes: p_dir=/var/audit;p_fsize=0;p_minfree=1;
Plugin: audit_syslog (inactive)
        Attributes: p_flags=;
Plugin: audit_remote (inactive)
        Attributes: p_hosts=;p_retries=3;p_timeout=5;

root@client:~# auditconfig -setflags lo,ps,fw
user default audit flags = ps,lo,fw(0x101002,0x101002)
root@client:~# auditconfig -setnaflags lo,na
non-attributable audit flags = lo,na(0x1400,0x1400)
lo and na are the only sensible flags for non-attributable events.

Per-user audit flags:
root@client:~# usermod -K audit_flags=fw,as: junior

root@client:~# auditconfig -lsevent | grep lo
AUE_login               6152 lo login - local
AUE_logout              6153 lo logout
AUE_telnet              6154 lo login - telnet
AUE_rlogin              6155 lo login - rlogin
AUE_rshd                6158 lo rsh access
AUE_su                  6159 lo su
AUE_rexecd              6162 lo rexecd
AUE_passwd              6163 lo passwd
AUE_rexd                6164 lo rexd
AUE_ftpd                6165 lo ftp access
AUE_ftpd_logout         6171 lo ftp logout
AUE_ssh                 6172 lo login - ssh
AUE_role_login          6173 lo role login
AUE_rad_login           6174 lo connect to RAD
AUE_newgrp_login        6212 lo newgrp login
AUE_admin_authenticate  6213 lo admin login
AUE_screenlock          6221 lo screenlock - lock
AUE_screenunlock        6222 lo screenlock - unlock
AUE_zlogin              6227 lo login - zlogin
AUE_su_logout           6228 lo su logout
AUE_role_logout         6229 lo role logout
AUE_smbd_session        6244 lo smbd(1m) session setup
AUE_smbd_logoff         6245 lo smbd(1m) session logoff

root@client:~# auditconfig -lsevent | grep ps
AUE_EXIT                   1 ps exit(2)
AUE_FORKALL                2 ps forkall(2)
AUE_VFORK                 25 ps vfork(2)
AUE_FORK1                241 ps fork1(2)
root@client:~# auditconfig -lsevent | grep fw
AUE_OPEN_W                76 fw open(2) - write

# auditreduce -c ps /var/audit/20130912183630.not_terminated.client | praudit
header,139,2,execve(2),,client,2013-09-12 18:40:55.924 +00:00
path,/usr/sbin/auditreduce
attribute,100555,root,bin,65538,65875,18446744073709551615
subject,jmoekamp,root,root,root,root,2054,1440080956,2480 202240 192.168.10.1
return,success,0

root@client:~# auditconfig -setflags all
user default audit flags = all(0xffffffffffffffff,0xffffffffffffffff)
Not always (in the sense of never) a good idea.
Useful after trying out: starting a new audit file
root@client:~# audit -n

root@client:~# auditstat
  gen nona  kern  aud  ctl   enq  wrtn wblk rblk drop  tot mem
38248    1 38233   14    0 37791 37788    0 3491  457 5169   0
"all" activated for a few seconds on an unloaded system.
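The praudit output above is one record made of comma-separated tokens (header, path, attribute, subject, return). Reviewing an audit trail means grouping those tokens back into records and asking questions of them: which events failed, who wrote below /etc, how many events per audit user. The following added example (not part of the slides or of Solaris) does that in Python over a constructed sample in praudit's default token format; the first record copies the execve(2) record shown above, the remaining three (a failed and a successful ssh login for junior, and an open-for-write of /etc/nsswitch.nisplus) are constructed to exercise the lo and fw classes the slides switch on.

```python
"""Parse praudit(1M)-style audit records and pull out what a reviewer looks for.

Added example; the records in SAMPLE are constructed in praudit's default
comma-separated token format, modelled on the execve(2) record on the slide.
"""
from collections import Counter

SAMPLE = """\
header,139,2,execve(2),,client,2013-09-12 18:40:55.924 +00:00
path,/usr/sbin/auditreduce
attribute,100555,root,bin,65538,65875,18446744073709551615
subject,jmoekamp,root,root,root,root,2054,1440080956,2480 202240 192.168.10.1
return,success,0
header,97,2,login - ssh,,client,2013-09-12 18:42:01.110 +00:00
subject,junior,junior,staff,junior,staff,2101,2101,0 0 192.168.10.1
return,failure: Authentication failed,-1
header,97,2,login - ssh,,client,2013-09-12 18:42:09.553 +00:00
subject,junior,junior,staff,junior,staff,2102,2102,0 0 192.168.10.1
return,success,0
header,121,2,open(2) - write,,client,2013-09-12 18:43:30.002 +00:00
path,/etc/nsswitch.nisplus
attribute,100644,root,sys,65538,9001,18446744073709551615
subject,junior,junior,staff,junior,staff,2110,2102,0 0 192.168.10.1
return,success,5
"""


def parse_praudit(text):
    """Group token lines into records; a record runs from one header token to the next."""
    records, cur = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        token, _, rest = line.partition(",")
        fields = rest.split(",")
        if token == "header":
            # header,<bytes>,<version>,<event>,<modifier>,<host>,<timestamp>
            cur = {"event": fields[2], "host": fields[4], "time": fields[5],
                   "paths": [], "success": None, "status": None}
            records.append(cur)
        elif cur is None:
            continue  # tokens before the first header token are ignored
        elif token == "path":
            cur["paths"].append(rest)
        elif token == "subject":
            # subject,<audit-user>,<uid>,<gid>,<ruid>,<rgid>,<pid>,<session>,<terminal>
            cur["audit_user"], cur["uid"], cur["ruid"] = fields[0], fields[1], fields[3]
            cur["pid"], cur["terminal"] = int(fields[5]), fields[7]
        elif token == "return":
            # return,success,<value>   or   return,failure: <reason>,<value>
            cur["success"] = fields[0] == "success"
            cur["status"] = fields[0]
    return records


def failed_events(records):
    """Records whose return token reports failure (failed logins, denied opens, ...)."""
    return [r for r in records if r["success"] is False]


def writes_under(records, prefix):
    """open(2)-for-write events (class fw on the slides) that touched a path below prefix."""
    base = prefix.rstrip("/")
    return [r for r in records
            if r["event"].startswith("open(2) - write")
            and any(p == base or p.startswith(base + "/") for p in r["paths"])]


def events_per_audit_user(records):
    """Count records by audit user ID, which survives su(1M) while uid does not."""
    return Counter(r.get("audit_user", "?") for r in records)


if __name__ == "__main__":
    recs = parse_praudit(SAMPLE)
    for r in failed_events(recs):
        print("FAILED", r["time"], r["event"], r["audit_user"], r["status"])
    for r in writes_under(recs, "/etc"):
        print("WRITE ", r["time"], r["audit_user"], r["paths"])
    print(events_per_audit_user(recs))
```

The audit user ID (first subject field) is the one to key reports on: in the execve(2) record above it still says jmoekamp although every uid field says root, which is exactly the su case the lo class exists to capture.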
SSH and X.509

root@ca:~# CA.pl -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
......++++++
......++++++
writing new private key to '/etc/openssl/private/cakey.pem'
Enter PEM pass phrase: supersecret1
Verifying - Enter PEM pass phrase: supersecret1
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:DE
State or Province Name (full name) []:Lower Saxony
Locality Name (eg, city) []:Lueneburg
Organization Name (eg, company) []:c0t0d0s0.org
Organizational Unit Name (eg, section) []:Security Department
Common Name (eg, server FQDN or YOUR name) []:CA
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openssl/openssl.cnf
Enter pass phrase for /etc/openssl/private/cakey.pem: supersecret1
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            b3:54:80:88:66:ad:e8:78
        Validity
            Not Before: Sep 26 10:11:09 2013 GMT
            Not After : Sep 25 10:11:09 2016 GMT
        Subject:
            countryName               = DE
            stateOrProvinceName       = Lower Saxony
            organizationName          = c0t0d0s0.org
            organizationalUnitName    = Security Department
            commonName                = CA
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44
            X509v3 Authority Key Identifier:
                keyid:5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44
            X509v3 Basic Constraints:
                CA:TRUE
Certificate is to be certified until Sep 25 10:11:09 2016 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated
root@ca:~# mkdir server
root@ca:~# cd server
root@ca:~/server# CA.pl -newreq
Generating a 1024 bit RSA private key
......++++++
......++++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase: supersecret2
Verifying - Enter PEM pass phrase: supersecret2
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:DE
State or Province Name (full name) []:Lower Saxony
Locality Name (eg, city) []:Lueneburg
Organization Name (eg, company) []:c0t0d0s0.org
Organizational Unit Name (eg, section) []:Server Certificates
Common Name (eg, server FQDN or YOUR name) []:server
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem

root@ca:~/server# CA.pl -signreq
Using configuration from /etc/openssl/openssl.cnf
Enter pass phrase for /etc/openssl/private/cakey.pem: supersecret1
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            b3:54:80:88:66:ad:e8:79
        Validity
            Not Before: Sep 26 10:29:12 2013 GMT
            Not After : Sep 26 10:29:12 2014 GMT
        Subject:
            countryName               = DE
            stateOrProvinceName       = Lower Saxony
            localityName              = Lueneburg
            organizationName          = c0t0d0s0.org
            organizationalUnitName    = Server Certificates
            commonName                = server
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                A7:DC:03:DE:B3:D5:FB:F9:C0:06:F1:1A:55:A9:AD:04:C4:9C:10:FA
            X509v3 Authority Key Identifier:
                keyid:5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44
Certificate is to be certified until Sep 26 10:29:12 2014 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
root@ca:~/server# ls -l
total 15
-rw-r--r--   1 root     root        3196 Sep 26 12:29 newcert.pem
-rw-r--r--   1 root     root        1041 Sep 26 12:28 newkey.pem
-rw-r--r--   1 root     root         680 Sep 26 12:28 newreq.pem
root@ca:~/junior# CA.pl -newreq
Generating a 1024 bit RSA private key
......++++++
......++++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
Verify failure
Enter PEM pass phrase: supersecret3
Verifying - Enter PEM pass phrase: supersecret3
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:DE
State or Province Name (full name) []:Lower Saxony
Locality Name (eg, city) []:Lueneburg
Organization Name (eg, company) []:c0t0d0s0.org
Organizational Unit Name (eg, section) []:User certificates
Common Name (eg, server FQDN or YOUR name) []:junior
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem

root@ca:~/junior# CA.pl -signreq
Using configuration from /etc/openssl/openssl.cnf
Enter pass phrase for /etc/openssl/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            b3:54:80:88:66:ad:e8:7a
        Validity
            Not Before: Sep 26 11:09:29 2013 GMT
            Not After : Sep 26 11:09:29 2014 GMT
        Subject:
            countryName               = DE
            stateOrProvinceName       = Lower Saxony
            localityName              = Lueneburg
            organizationName          = c0t0d0s0.org
            organizationalUnitName    = User certificates
            commonName                = junior
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                A1:F2:FC:9D:8A:E2:AD:9A:F5:29:03:F5:B7:14:93:3C:64:62:8E:9C
            X509v3 Authority Key Identifier:
                keyid:5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44
Certificate is to be certified until Sep 26 11:09:29 2014 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
root@server:~# useradd -m junior
80 blocks
root@server:~# passwd junior
New Password:
Re-enter new Password:
passwd: password successfully changed for junior
root@server:~#

root@client:~# useradd -m junior
80 blocks
root@client:~# passwd junior
New Password:
Re-enter new Password:
passwd: password successfully changed for junior

root@server:~# echo "192.168.10.51 server" >> /etc/hosts
root@server:~# echo "192.168.10.52 client" >> /etc/hosts

root@client:~# echo "192.168.10.51 server" >> /etc/hosts
root@client:~# echo "192.168.10.52 client" >> /etc/hosts

root@ca:~/server# scp /etc/openssl/cacert.pem jmoekamp@192.168.1.109:/export/home/jmoekamp
Password:
cacert.pem           100% |*****************************|  3011       00:00
root@ca:~/server# scp newcert.pem jmoekamp@192.168.1.109:/export/home/jmoekamp
Password:
newcert.pem          100% |*****************************|  3196       00:00
root@ca:~/server# scp newkey.pem jmoekamp@192.168.1.109:/export/home/jmoekamp
Password:
newkey.pem           100% |*****************************|  1041       00:00

root@ca:~/junior# scp newkey.pem junior@client:/export/home/junior
Password:
newkey.pem           100% |*****************************|  1041       00:00
root@ca:~/junior# scp newcert.pem junior@client:/export/home/junior
Password:
newcert.pem          100% |*****************************|  3190       00:00
root@ca:~/junior# scp /etc/openssl/cacert.pem junior@192.168.1.104:/export/home/junior
Password:
cacert.pem           100% |*****************************|  3011       00:00
On the Server

root@server:~# ls
cacert.pem   newcert.pem  newkey.pem

root@server:~# pktool setpin
Enter token passphrase: changeme
Create new passphrase: superserversecret
Re-enter new passphrase: superserversecret
Passphrase changed.
root@server:~#

root@server:~# printf "superserversecret" > /etc/ssh/pinfile

root@server:~# kmfcfg create dbfile=/etc/ssh/policy.xml policy=ssh ta-name=search mapper-name=cn

root@server:~# echo "TrustedAnchorKeystore /etc/ssh/cert" >> /etc/ssh/sshd_config
root@server:~# echo "KMFPolicyDatabase /etc/ssh/policy.xml" >> /etc/ssh/sshd_config
root@server:~# echo "KMFPolicyName ssh" >> /etc/ssh/sshd_config
root@server:~# echo "HostKey pkcs11:object=host;token=Sun Metaslot;pinfile=/etc/ssh/pinfile" >> /etc/ssh/sshd_config

root@server:~# pktool import keystore=pkcs11 infile=newkey.pem objtype=key label=host
Enter PIN for Sun Software PKCS#11 softtoken  : superserversecret
Enter PEM pass phrase: supersecret2
Importing 1 keys

root@server:~# egrep -v "^ |^$|^Cert" /export/home/jmoekamp/cacert.pem > /etc/ssh/cert/cacert.cooked.pem
root@server:~# egrep -v "^ |^$|^Cert" newcert.pem > newcert.cooked.pem
root@server:~# pktool import keystore=pkcs11 infile=newcert.cooked.pem objtype=cert label=host
root@server:~#
On the client

junior@client:~$ ls *.pem
cacert.pem   newcert.pem  newkey.pem

root@client:~# kmfcfg create dbfile=/etc/ssh/policy.xml policy=ssh ta-name=search mapper-name=cn
root@client:~# egrep -v "^ |^$|^Cert" /export/home/junior/cacert.pem > /etc/ssh/cert/cacert.cooked.pem

junior@client:~$ pktool setpin
Enter token passphrase: changeme
Create new passphrase: superusersecret
Re-enter new passphrase: superusersecret
Passphrase changed.

junior@client:~$ pktool import keystore=pkcs11 infile=newkey.pem objtype=key label=user
Enter PIN for Sun Software PKCS#11 softtoken  : superusersecret
Enter PEM pass phrase: supersecret3
Importing 1 keys
junior@client:~$ egrep -v "^ |^$|^Cert" newcert.pem > newcert.cooked.pem
junior@client:~$ pktool import keystore=pkcs11 infile=newcert.cooked.pem objtype=cert label=user
Testing it

root@server:~# svcadm disable ssh
root@server:~# svcadm enable ssh

junior@client:~$ cd .ssh
junior@client:~/.ssh$ printf "superusersecret" >> pinfile
junior@client:~/.ssh$ cat config
Host server-x509
    Hostname server
    TrustedAnchorKeystore /etc/ssh/cert
    KMFPolicyDatabase /etc/ssh/policy.xml
    KMFPolicyName ssh
    IdentityFile pkcs11:object=user;token=Sun Software PKCS#11 softtoken;pinfile=/export/home/junior/.ssh/pinfile

junior@client:~/.ssh$ ssh junior@server-x509
Last login: Thu Sep 26 20:07:14 2013 from client
Oracle Corporation      SunOS 5.11      11.1    September 2013
junior@server:~$

Find more information regarding this feature at http://www.c0t0d0s0.org/archives/7659-Using-X509-support-for-SSH-on-Solaris-11.1.html
OpenSCAP

„The Security Content Automation Protocol (SCAP) is a method for using specific standards to enable automated vulnerability management, measurement, and policy compliance evaluation (e.g., FISMA compliance). The National Vulnerability Database (NVD) is the U.S. government content repository for SCAP."
http://en.wikipedia.org/wiki/Security_Content_Automation_Protocol

ftp-banner.xml

<?xml version="1.0" encoding="UTF-8"?>
<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5"
    xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5"
    xmlns:independent-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"
    xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd">
  <generator>
    <oval:product_name>Enhanced SCAP Editor</oval:product_name>
    <oval:product_version>0.0.11</oval:product_version>
    <oval:schema_version>5.8</oval:schema_version>
    <oval:timestamp>2012-10-11T10:33:25</oval:timestamp>
  </generator>
  <!--generated.oval.base.identifier=com.oracle.solaris11-->
  <definitions>
    <definition id="oval:com.oracle.solaris11:def:840" version="1" class="compliance">
      <metadata>
        <title>Enable a Warning Banner for the FTP Service</title>
        <affected family="unix">
          <platform>Oracle Solaris 11</platform>
        </affected>
        <description>/etc/proftpd.conf contains "DisplayConnect /etc/issue"</description>
      </metadata>
      <criteria operator="AND" negate="false" comment="Single test">
        <criterion comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;" test_ref="oval:com.oracle.solaris11:tst:8400" negate="false"/>
      </criteria>
    </definition>
  </definitions>
  <tests>
    <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:com.oracle.solaris11:tst:8400" version="1" check="all" comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;" check_existence="all_exist">
      <object object_ref="oval:com.oracle.solaris11:obj:8400"/>
    </textfilecontent54_test>
  </tests>
  <objects>
    <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:com.oracle.solaris11:obj:8400" version="1" comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;">
      <path datatype="string" operation="equals">/etc</path>
      <filename datatype="string" operation="equals">proftpd.conf</filename>
      <pattern datatype="string" operation="pattern match">^DisplayConnect\s/etc/issue\s*$</pattern>
      <instance datatype="int" operation="greater than or equal">1</instance>
    </textfilecontent54_object>
  </objects>
</oval_definitions>

The object is the part that says what to look at: the file /etc/proftpd.conf, a regular expression that must match, and how many matches (instances) are required.

$ oscap oval eval ftp-banner.xml
Definition oval:com.oracle.solaris11:def:840: false
Evaluation done.

$ oscap oval eval --results results.xml --report report.html ftp-banner.xml
Definition oval:com.oracle.solaris11:def:840: false
Evaluation done.
OVAL Results are exported correctly.

To create your own OVAL files: Enhanced SCAP Content Editor

Find more information regarding this feature at https://blogs.oracle.com/darren/entry/compliance_reporting_with_scap
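To make the OVAL mechanics concrete, here is an added example (not OpenSCAP's code and not from the slides) that evaluates a textfilecontent54 definition the way `oscap oval eval` reports it: it resolves the definition's criteria to its test, the test to its object, collects the matching lines of the named file, applies the instance and check_existence rules, and returns true or false per definition id. OVAL_XML is a trimmed copy of the ftp-banner.xml definition above (same ids, pattern and operations); the evaluator takes a root directory so it can be run against a staged copy of the file system, which the demo builds in a temporary directory with a constructed proftpd.conf.

```python
"""Evaluate an OVAL textfilecontent54 definition like `oscap oval eval` does.

Added example, not OpenSCAP's implementation. OVAL_XML is a trimmed copy of the
ftp-banner.xml definition from the slides; `root` is prepended to the OVAL <path>
so the check can run against a staged copy of the file system.
"""
import os
import re
import tempfile
import xml.etree.ElementTree as ET

NS = {
    "ovd": "http://oval.mitre.org/XMLSchema/oval-definitions-5",
    "ind": "http://oval.mitre.org/XMLSchema/oval-definitions-5#independent",
}

OVAL_XML = r"""<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
  <definitions>
    <definition id="oval:com.oracle.solaris11:def:840" version="1" class="compliance">
      <metadata><title>Enable a Warning Banner for the FTP Service</title></metadata>
      <criteria operator="AND" negate="false" comment="Single test">
        <criterion comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;"
                   test_ref="oval:com.oracle.solaris11:tst:8400" negate="false"/>
      </criteria>
    </definition>
  </definitions>
  <tests>
    <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"
        id="oval:com.oracle.solaris11:tst:8400" version="1" check="all" check_existence="all_exist">
      <object object_ref="oval:com.oracle.solaris11:obj:8400"/>
    </textfilecontent54_test>
  </tests>
  <objects>
    <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"
        id="oval:com.oracle.solaris11:obj:8400" version="1">
      <path datatype="string" operation="equals">/etc</path>
      <filename datatype="string" operation="equals">proftpd.conf</filename>
      <pattern datatype="string" operation="pattern match">^DisplayConnect\s/etc/issue\s*$</pattern>
      <instance datatype="int" operation="greater than or equal">1</instance>
    </textfilecontent54_object>
  </objects>
</oval_definitions>
"""


def _int_op(actual, expected, operation):
    """The OVAL integer operations this evaluator understands."""
    return {"equals": actual == expected,
            "greater than or equal": actual >= expected,
            "less than or equal": actual <= expected}[operation]


def collect_items(obj, root):
    """Items of a textfilecontent54_object: the lines of <path>/<filename> under root
    that match <pattern>, restricted to the match instances selected by <instance>."""
    path = obj.find("ind:path", NS).text
    filename = obj.find("ind:filename", NS).text
    pattern = re.compile(obj.find("ind:pattern", NS).text)
    inst = obj.find("ind:instance", NS)
    wanted, inst_op = int(inst.text), inst.get("operation", "equals")
    full = os.path.join(root, path.lstrip("/"), filename)
    if not os.path.isfile(full):
        return []  # the object does not exist on this system
    items, seen = [], 0
    with open(full) as fh:
        for line in fh:
            line = line.rstrip("\n")
            if pattern.search(line):
                seen += 1
                if _int_op(seen, wanted, inst_op):
                    items.append(line)
    return items


def evaluate(oval_xml, root):
    """Return {definition id: bool}, the verdicts `oscap oval eval` prints."""
    doc = ET.fromstring(oval_xml.encode())
    objects = {o.get("id"): o for o in doc.find("ovd:objects", NS)}
    tests = {t.get("id"): t for t in doc.find("ovd:tests", NS)}

    def run_test(test_id):
        test = tests[test_id]
        ref = test.find("ind:object", NS).get("object_ref")
        items = collect_items(objects[ref], root)
        if test.get("check_existence", "at_least_one_exists") == "none_exist":
            return len(items) == 0
        return len(items) > 0  # all_exist / at_least_one_exists; no <state> to compare

    def run_criteria(node):
        if node.tag == "{%s}criterion" % NS["ovd"]:
            result = run_test(node.get("test_ref"))
        else:
            results = [run_criteria(child) for child in node]
            result = all(results) if node.get("operator", "AND") == "AND" else any(results)
        return (not result) if node.get("negate", "false") == "true" else result

    return {d.get("id"): run_criteria(d.find("ovd:criteria", NS))
            for d in doc.find("ovd:definitions", NS)}


def demo():
    """Stage /etc/proftpd.conf once without and once with the banner line."""
    results = []
    for content in ('ServerName "ProFTPD"\n', 'ServerName "ProFTPD"\nDisplayConnect /etc/issue\n'):
        with tempfile.TemporaryDirectory() as root:
            os.mkdir(os.path.join(root, "etc"))
            with open(os.path.join(root, "etc", "proftpd.conf"), "w") as fh:
                fh.write(content)
            results.append(evaluate(OVAL_XML, root)["oval:com.oracle.solaris11:def:840"])
    return tuple(results)


if __name__ == "__main__":
    print(demo())
```

A missing proftpd.conf yields no items, so with check_existence="all_exist" the definition evaluates to false, the same verdict the slide shows on a system without the banner line.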
Extended policy (the MySQL example from Glenn Faden's "Oracle Solaris Extended Policy and MySQL"):

root@solaris:~# ipadm set-prop -p extra_priv_ports+=3306 tcp
root@solaris:~# ipadm show-prop -p extra_priv_ports tcp
PROTO PROPERTY              PERM CURRENT        PERSISTENT DEFAULT    POSSIBLE
tcp   extra_priv_ports      rw   2049,4045,3306 --         2049,4045  1-65535

# svcadm enable mysql:version_51

root@solaris:~# ppriv $(pgrep mysql)
103697: /usr/mysql/5.1/bin/mysqld --basedir=/usr/mysql/5.1 --datadir=/var/mysq
flags = PRIV_XPOLICY
        Extended policies:
                net_privaddr:3306/tcp
                file_write:/var/mysql/5.1/data/*
                file_write:/tmp/mysql.sock
                file_write:/var/tmp/ib*
        E: basic,!file_write
        I: basic,!file_write
        P: basic,!file_write
        L: all
103609: /bin/sh /usr/mysql/5.1/bin/mysqld_safe --user=mysql --datadir=/var/mys
flags = PRIV_XPOLICY
        Extended policies:
                net_privaddr:3306/tcp
                file_write:/var/mysql/5.1/data/*
                file_write:/tmp/mysql.sock
                file_write:/var/tmp/ib*
        E: basic,!file_write
        I: basic,!file_write
        P: basic,!file_write
        L: all

Find more information regarding this feature at https://blogs.oracle.com/gfaden/entry/oracle_solaris_extended_policy_and
Passwords

root@client:/etc/security# cat /etc/security/crypt.conf
#
# Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
#ident  "%Z%%M% %I%     %E% SMI"
#
# The algorithm name __unix__ is reserved.
#
1       crypt_bsdmd5.so.1
2a      crypt_bsdbf.so.1
md5     crypt_sunmd5.so.1
5       crypt_sha256.so.1
6       crypt_sha512.so.1

root@client:/etc/security# cat /etc/security/policy.conf | egrep "^CRYPT_DEFAULT"
CRYPT_DEFAULT=5
root@client:/etc/security# cat /etc/shadow | grep junior
junior:$5$4aKvDFqA$2kL8GpuXjrdf8XpanqhylEP5lDhy1DF5uo1ZYx74f31:5929:14:40::::

root@client:/etc/security# cat /etc/default/passwd | grep -v "^# " | egrep -v "^$|^ $"
#ident  "%Z%%M% %I%     %E% SMI"
MAXWEEKS=
MINWEEKS=
PASSLENGTH=6
NAMECHECK=NO
HISTORY=0
MINDIFF=3
MINALPHA=2
MINNONALPHA=1
MINUPPER=0
MINLOWER=0
MAXREPEATS=0
MINSPECIAL=0
MINDIGIT=0
WHITESPACE=YES
DICTIONLIST=
DICTIONDBDIR=/var/passwd

root@client:~# mkpwdict -s /usr/share/lib/dict/words
mkpwdict: using default database location: /var/passwd.
or
root@client:~# mkpwdict -s /usr/share/lib/dict/words -d /var/passwd
c0t0d0s0org23
Address Space Layout Randomization
root@solaris:~# sxadm exec -s aslr=disable /usr/bin/pmap self
1914:   /usr/bin/pmap self
0000000000400000         28K r-x--  /usr/bin/pmap
0000000000417000          4K rw---  /usr/bin/pmap
0000000000418000         40K rw---    [ heap ]
FFFF80FFBDDD0000        216K r-x--  /lib/amd64/libproc.so.1
FFFF80FFBDE16000          8K rw---  /lib/amd64/libproc.so.1
FFFF80FFBF430000       1764K r-x--  /lib/amd64/libc.so.1
FFFF80FFBF5F9000         64K rw---  /lib/amd64/libc.so.1
FFFF80FFBF609000         12K rw---  /lib/amd64/libc.so.1
FFFF80FFBF740000          4K rw---    [ anon ]
FFFF80FFBF750000         24K rwx--    [ anon ]
FFFF80FFBF760000          4K rw---    [ anon ]
FFFF80FFBF770000          4K rw---    [ anon ]
FFFF80FFBF780000          4K rw---    [ anon ]
FFFF80FFBF790000          4K rw---    [ anon ]
FFFF80FFBF792000          4K r--s-    [ anon ]
FFFF80FFBF795000        340K r-x--  /lib/amd64/ld.so.1
FFFF80FFBF7FA000         12K rwx--  /lib/amd64/ld.so.1
FFFF80FFBF7FD000          8K rwx--  /lib/amd64/ld.so.1
FFFF80FFBFFFD000         12K rw---    [ stack ]
 total                 2556K

root@solaris:~# sxadm exec -s aslr=disable /usr/bin/pmap self
1915:   /usr/bin/pmap self
0000000000400000         28K r-x--  /usr/bin/pmap
0000000000417000          4K rw---  /usr/bin/pmap
0000000000418000         40K rw---    [ heap ]
FFFF80FFBDDD0000        216K r-x--  /lib/amd64/libproc.so.1
FFFF80FFBDE16000          8K rw---  /lib/amd64/libproc.so.1
FFFF80FFBF430000       1764K r-x--  /lib/amd64/libc.so.1
FFFF80FFBF5F9000         64K rw---  /lib/amd64/libc.so.1
FFFF80FFBF609000         12K rw---  /lib/amd64/libc.so.1
FFFF80FFBF740000          4K rw---    [ anon ]
FFFF80FFBF750000         24K rwx--    [ anon ]
FFFF80FFBF760000          4K rw---    [ anon ]
FFFF80FFBF770000          4K rw---    [ anon ]
FFFF80FFBF780000          4K rw---    [ anon ]
FFFF80FFBF790000          4K rw---    [ anon ]
FFFF80FFBF792000          4K r--s-    [ anon ]
FFFF80FFBF795000        340K r-x--  /lib/amd64/ld.so.1
FFFF80FFBF7FA000         12K rwx--  /lib/amd64/ld.so.1
FFFF80FFBF7FD000          8K rwx--  /lib/amd64/ld.so.1
FFFF80FFBFFFD000         12K rw---    [ stack ]
 total                 2556K

root@solaris:~# sxadm exec -s aslr=enable /usr/bin/pmap self
1917:   /usr/bin/pmap self
0000000000400000         28K r-x--  /usr/bin/pmap
0000000000417000          4K rw---  /usr/bin/pmap
0000000000418000          8K rw---  /usr/bin/pmap
00000005D6666000         36K rw---    [ heap ]
00007FF669C70000        216K r-x--  /lib/amd64/libproc.so.1
00007FF669CB6000          8K rw---  /lib/amd64/libproc.so.1
00007FF669CC0000          4K rw---    [ anon ]
00007FF669CD0000         24K rwx--    [ anon ]
00007FF669CE0000          4K rw---    [ anon ]
00007FF669CF0000       1764K r-x--  /lib/amd64/libc.so.1
00007FF669EB9000         64K rw---  /lib/amd64/libc.so.1
00007FF669EC9000         12K rw---  /lib/amd64/libc.so.1
00007FF669ED0000          4K rw---    [ anon ]
00007FF669EE0000          4K rw---    [ anon ]
00007FF669EF0000          4K rw---    [ anon ]
00007FF669EF2000          4K r--s-    [ anon ]
00007FF669EFC000        340K r-x--  /lib/amd64/ld.so.1
00007FF669F61000         12K rwx--  /lib/amd64/ld.so.1
00007FF669F64000          8K rwx--  /lib/amd64/ld.so.1
FFFF80DDA254F000         16K rw---    [ stack ]
 total                 2564K

root@solaris:~# sxadm exec -s aslr=enable /usr/bin/pmap self
1918:   /usr/bin/pmap self
0000000000400000         28K r-x--  /usr/bin/pmap
0000000000417000          4K rw---  /usr/bin/pmap
0000000000418000          8K rw---  /usr/bin/pmap
000000065B76D000         36K rw---    [ heap ]
00007FFAACFC0000        216K r-x--  /lib/amd64/libproc.so.1
00007FFAAD006000          8K rw---  /lib/amd64/libproc.so.1
00007FFAAD010000          4K rw---    [ anon ]
00007FFAAD020000         24K rwx--    [ anon ]
00007FFAAD030000          4K rw---    [ anon ]
00007FFAAD040000       1764K r-x--  /lib/amd64/libc.so.1
00007FFAAD209000         64K rw---  /lib/amd64/libc.so.1
00007FFAAD219000         12K rw---  /lib/amd64/libc.so.1
00007FFAAD220000          4K rw---    [ anon ]
00007FFAAD230000          4K rw---    [ anon ]
00007FFAAD240000          4K rw---    [ anon ]
00007FFAAD242000          4K r--s-    [ anon ]
00007FFAAD24D000        340K r-x--  /lib/amd64/ld.so.1
00007FFAAD2B2000         12K rwx--  /lib/amd64/ld.so.1
00007FFAAD2B5000          8K rwx--  /lib/amd64/ld.so.1
FFFF80DE1559E000         12K rw---    [ stack ]
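A quick way to check from two captured pmap runs which mappings ASLR actually moves, as an added example that is not part of the slides: the two dumps below are constructed from the ASLR-enabled runs above (PIDs 1917 and 1918), and the report shows that heap, libraries and stack move while the executable's own segments stay at their fixed address.

```python
"""Compare two pmap(1) runs of the same binary to see which mappings moved.

Added example, not from the original slides. The two samples are
constructed from the sxadm/pmap runs shown above (PIDs 1917 and 1918);
the column layout follows Solaris pmap output.
"""
import re
from collections import defaultdict

# Constructed sample: excerpt of the two ASLR-enabled runs from the slides.
PMAP_RUN_A = """\
1917:   /usr/bin/pmap self
0000000000400000         28K r-x--  /usr/bin/pmap
0000000000417000          4K rw---  /usr/bin/pmap
00000005D6666000         36K rw---    [ heap ]
00007FF669C70000        216K r-x--  /lib/amd64/libproc.so.1
00007FF669CF0000       1764K r-x--  /lib/amd64/libc.so.1
00007FF669EFC000        340K r-x--  /lib/amd64/ld.so.1
FFFF80DDA254F000         16K rw---    [ stack ]
"""
PMAP_RUN_B = """\
1918:   /usr/bin/pmap self
0000000000400000         28K r-x--  /usr/bin/pmap
0000000000417000          4K rw---  /usr/bin/pmap
000000065B76D000         36K rw---    [ heap ]
00007FFAACFC0000        216K r-x--  /lib/amd64/libproc.so.1
00007FFAAD040000       1764K r-x--  /lib/amd64/libc.so.1
00007FFAAD24D000        340K r-x--  /lib/amd64/ld.so.1
FFFF80DE1559E000         12K rw---    [ stack ]
"""

# One mapping line: base address, size in K, permission flags, name.
LINE_RE = re.compile(r"^([0-9A-Fa-f]{8,16})\s+(\d+)K\s+(\S+)\s+(.*?)\s*$")


def parse_pmap(text):
    """Return {(name, perms): [base addresses]} for each mapping in a pmap dump."""
    regions = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skips the "pid: command" header and the total line
        base, _size, perms, name = m.groups()
        regions[(name.strip(), perms)].append(int(base, 16))
    return regions


def aslr_report(run_a, run_b):
    """Classify each mapping as 'randomized' or 'fixed' across two runs.

    Only the first segment of each (name, perms) pair is compared; a region
    that is missing from one of the runs is reported as 'unmatched'.
    """
    a, b = parse_pmap(run_a), parse_pmap(run_b)
    report = {}
    for key in sorted(set(a) | set(b)):
        if key not in a or key not in b:
            report[key] = "unmatched"
        elif a[key][0] == b[key][0]:
            report[key] = "fixed"
        else:
            report[key] = "randomized"
    return report


def fixed_regions(run_a, run_b):
    """Names of regions whose base address did not change between the runs."""
    report = aslr_report(run_a, run_b)
    return sorted({name for (name, _p), verdict in report.items() if verdict == "fixed"})


if __name__ == "__main__":
    for (name, perms), verdict in aslr_report(PMAP_RUN_A, PMAP_RUN_B).items():
        print(f"{verdict:10s} {perms} {name}")
```

Run it against two real `sxadm exec -s aslr=enable pmap self` captures to confirm the extension is active for a given binary.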
root@solaris:~# sxadm info
EXTENSION           STATUS                    CONFIGURATION
aslr                enabled (tagged-files)    system default (default)
root@solaris:~# elfdump -d /usr/bin/pmap | grep ASLR
      [33]  SUNW_ASLR         0x2                 ENABLE
root@solaris:~# elfedit -e 'dyn:sunw_aslr disable' /usr/bin/pmap
root@solaris:~# elfdump -d /usr/bin/pmap | grep ASLR
      [33]  SUNW_ASLR         0x1                 DISABLE

root@solaris:~# sxadm enable -c model=all aslr
root@solaris:~# sxadm info
EXTENSION           STATUS                    CONFIGURATION
aslr                enabled (all)             enabled (all)
root@solaris:~# sxadm disable aslr
root@solaris:~# sxadm info
EXTENSION           STATUS                    CONFIGURATION
aslr                disabled                  disabled
root@solaris:~# sxadm enable -c model=tagged-files aslr
root@solaris:~# sxadm info
EXTENSION           STATUS                    CONFIGURATION
aslr                enabled (tagged-files)    enabled (tagged-files)
pfedit
root@template:/etc/apache2/2.2# profiles -p "httpd edit"
profiles:httpd edit> set auths=solaris.admin.edit/etc/apache2/2.2/httpd.conf
profiles:httpd edit> set desc="Edit httpd"
profiles:httpd edit> exit

root@template:/etc/apache2/2.2# usermod -P +"httpd edit" junior

junior@template:~$ profiles
httpd edit
Basic Solaris User
All

junior@template:~$ vi /etc/apache2/2.2/httpd.conf

junior@template:~$ pfedit /etc/apache2/2.2/httpd.conf
pfedit: /etc/apache2/2.2/httpd.conf has been updated.

junior@template:~$ pfedit /etc/apache2/2.2/mime.types
pfedit: User junior is not authorized to edit the file /etc/apache2/2.2/mime.types

root@template:/etc/apache2/2.2# profiles -p "httpd edit"
profiles:httpd edit> info
        name=httpd edit
        desc=Edit httpd
        auths=solaris.admin.edit/etc/apache2/2.2/httpd.conf
profiles:httpd edit> add auths=solaris.admin.edit/etc/apache2/2.2/mime.types

junior@template:~$ pfedit /etc/apache2/2.2/mime.types
pfedit: no changes for /etc/apache2/2.2/mime.types

root@template:~# profiles -p "httpd configure"
profiles:httpd configure> add always_audit=as
profiles:httpd configure> info
        name=httpd configure
        desc=Configure httpd
        auths=solaris.admin.edit/etc/apache2/2.2/httpd.conf,solaris.admin.edit/etc/apache2/2.2/mime.types
        always_audit=as
        never_audit=no
profiles:httpd configure> exit
root@template:~#

root@template:~# auditreduce -c as | praudit

header,486,2,edit administrative file,,fe80::a00:27ff:fea6:33cb,2013-08-12 07:45:52.306 +00:00
subject,junior,junior,staff,junior,staff,4212,447467166,369 136704 MacBook-Pro-of-c0t0d0s0.fritz.box
path,/etc/apache2/2.2/httpd.conf
use of authorization,solaris.admin.edit/etc/apache2/2.2/httpd.conf
text,--- /etc/apache2/2.2/httpd.conf Mo Aug 12 07:45:00 2013
+++ /etc/apache2/2.2/httpd.conf.pfedit.1BaGoi Mo Aug 12 07:45:52 2013
@@ -1,5 +1,6 @@
 # Test
 # Test 2
+# Test 3
 #
 # This is the main Apache HTTP server configuration file.  It contains the
 # configuration directives that give the server its instructions.
return,success,0
Delegating privilege to restart services (so you can keep the root password)

junior@template:~$ svcadm refresh apache22
svcadm: svc:/network/http:apache22: Permission denied.

# svcs -a | grep apache22
online         15:30:29 svc:/network/http:apache22

# auths add -t "Apache22 value" solaris.smf.value.http.apache22
# auths add -t "Apache22 action" solaris.smf.action.http.apache22

# svccfg -s apache22 setprop general/value_authorization = astring: solaris.smf.value.http.apache22
# svccfg -s apache22 setprop general/action_authorization = astring: solaris.smf.action.http.apache22

# profiles -p "httpd edit" "add auths=solaris.smf.action.http.apache22"

junior@template:~$ svcadm refresh apache22
junior@template:~$
Privileges
$ ls -l /usr/sbin/traceroute
-r-sr-xr-x   1 root     bin        42324 Nov 21 00:09 /usr/sbin/traceroute
$ ls -l /usr/sbin/ping
-r-sr-xr-x   1 root     bin        51396 Nov 18 19:31 /usr/sbin/ping
set-uid to root: ping needs it to work.

# chmod -s /sbin/ping
# exit
$ ping -s 192.168.1.132
ping: socket Permission denied
Remove the set-uid bit and ping stops working.

jmoekamp@daddelkiste:~$ ppriv $$
2153:   -bash
flags = <none>
        E: basic
        I: basic
        P: basic
        L: all
The complete set of privileges (as listed on the slides):

contract_event, contract_identity, contract_observer, cpc_cpu, dtrace_kernel, dtrace_proc, dtrace_user, file_chown, file_chown_self, file_dac_execute, file_dac_read, file_dac_search, file_dac_write, file_downgrade_sl, file_flag_set, file_link_any, file_owner, file_read, file_setid, file_upgrade_sl, file_write, graphics_access, graphics_map, ipc_dac_read, ipc_dac_write, ipc_owner, net_access, net_bindmlp, net_icmpaccess, net_mac_aware, net_mac_implicit, net_observability, net_privaddr, net_rawaccess, proc_audit, proc_chroot, proc_clock_highres, proc_exec, proc_fork, proc_info, proc_lock_memory, proc_owner, proc_priocntl, proc_session, proc_setid, proc_taskid, proc_zone, sys_acct, sys_admin, sys_audit, sys_config, sys_devices, sys_dl_config, sys_flow_config, sys_ib_config, sys_ib_info, sys_ip_config, sys_ipc_config, sys_iptun_config, sys_linkdir, sys_mount, sys_net_config, sys_nfs, sys_ppp_config, sys_res_bind, sys_res_config, sys_resource, sys_share, sys_smb, sys_suser_compat, sys_time, sys_trans_label, win_colormap, win_config, win_dac_read, win_dac_write, win_devices, win_dga, win_downgrade_sl, win_fontpath, win_mac_read, win_mac_write, win_selection, win_upgrade_sl

All privileges in their entirety assigned to one user are ... (almost)

Neat extension in Solaris 11: the ability to use networking is now a privilege. It's part of the default set of privileges (the basic set), but you can remove it.
jmoekamp@daddelkiste:~$ ppriv -v $$
2153:   -bash
flags = <none>
        E: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
        I: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
        P: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
        L: contract_event,contract_identity,contract_observer,cpc_cpu,dtrace_kernel,dtrace_proc,dtrace_user,file_chown,file_chown_self,file_dac_execute,file_dac_read,file_dac_search,file_dac_write,file_downgrade_sl,file_flag_set,file_link_any,file_owner,file_read,file_setid,file_upgrade_sl,file_write,graphics_access,graphics_map,ipc_dac_read,ipc_dac_write,ipc_owner,net_access,net_bindmlp,net_icmpaccess,net_mac_aware,net_mac_implicit,net_observability,net_privaddr,net_rawaccess,proc_audit,proc_chroot,proc_clock_highres,proc_exec,proc_fork,proc_info,proc_lock_memory,proc_owner,proc_priocntl,proc_session,proc_setid,proc_taskid,proc_zone,sys_acct,sys_admin,sys_audit,sys_config,sys_devices,sys_dl_config,sys_flow_config,sys_ib_config,sys_ib_info,sys_ip_config,sys_ipc_config,sys_iptun_config,sys_linkdir,sys_mount,sys_net_config,sys_nfs,sys_ppp_config,sys_res_bind,sys_res_config,sys_resource,sys_share,sys_smb,sys_suser_compat,sys_time,sys_trans_label,win_colormap,win_config,win_dac_read,win_dac_write,win_devices,win_dga,win_downgrade_sl,win_fontpath,win_mac_read,win_mac_write,win_selection,win_upgrade_sl

root@daddelkiste:~# ppriv $$
2183:   -bash
flags = <none>
        E: all
        I: basic
        P: all
        L: all

junior@daddelkiste:~$ dtrace -n 'syscall:::entry { @num[execname] = count(); }'
dtrace: failed to initialize dtrace: DTrace requires additional privileges

root@daddelkiste:~# usermod -K defaultpriv=basic,dtrace_kernel,dtrace_proc,dtrace_user junior
UX: usermod: junior is currently logged in, some changes may not take effect until next login.

junior@daddelkiste:~$ dtrace -n 'syscall:::entry { @num[execname] = count(); }'
dtrace: description 'syscall:::entry ' matched 211 probes
^C

  automountd                                                        1
  sshd                                                             24
  dtrace                                                          544
  auditd                                                          564

# ps -ef | grep kcfd
  daemon   125     1   0 14:24:19 ?           0:00 /usr/lib/crypto/kcfd
    root   734   728   0 15:54:08 pts/1       0:00 grep kcfd
# ppriv -v 125
125:    /usr/lib/crypto/kcfd
flags = PRIV_AWARE
        E: file_owner,proc_priocntl,sys_devices
        I: none
        P: file_owner,proc_priocntl,sys_devices
        L: none

# svcadm -v enable -s apache2
svc:/network/http:apache2 enabled.

jmoekamp@client:~$ ps -ef | grep http
webservd  1978  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1979  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1980  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1984  1975   0 12:20:02 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
    root  1975     1   0 12:19:14 ?           0:01 /usr/apache2/2.2/bin/httpd -k start
webservd  1977  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1976  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start

root@client:~# ppriv 1977
1977:   /usr/apache2/2.2/bin/httpd -k start
flags = <none>
        E: basic
        I: basic
        P: basic
        L: all
root@client:~# ppriv 1975
1975:   /usr/apache2/2.2/bin/httpd -k start
flags = <none>
        E: all
        I: basic
        P: all
        L: all
root@client:~#
The apache process running as root has the following privileges: all of them (E: all in the ppriv output above).

The other processes have the following privileges: the basic set.

Apache really needs only a small subset of these (the set configured in start/privileges below).

So you grant a large number of privileges to one process that Apache doesn't need.

# svcadm -v disable -s apache2
svc:/network/http:apache2 disabled.

root@client:~# svccfg -s apache22
svc:/network/http:apache22> setprop start/user = astring: webservd
svc:/network/http:apache22> setprop start/group = astring: webservd
svc:/network/http:apache22> setprop start/privileges = astring: basic,!proc_session,!proc_info,!file_link_any,net_privaddr
svc:/network/http:apache22> setprop start/limit_privileges = astring: :default
svc:/network/http:apache22> setprop start/use_profile = boolean: false
svc:/network/http:apache22> setprop start/supp_groups = astring: :default
svc:/network/http:apache22> setprop start/working_directory = astring: :default
svc:/network/http:apache22> setprop start/project = astring: :default
svc:/network/http:apache22> setprop start/resource_pool = astring: :default
svc:/network/http:apache22> end
root@client:~# svcadm -v refresh apache22
Action refresh set for svc:/network/http:apache22.

# echo "LockFile /var/apache2/2.2/logs/accept.lock" >> /etc/apache2/2.2/httpd.conf
# echo "PidFile /var/apache2/2.2/run/httpd.pid" >> /etc/apache2/2.2/httpd.conf
# mkdir -p -m 755 /var/apache2/2.2/run
# chown webservd:webservd /var/apache2/2.2/run
# svcadm enable apache22

webservd  3064  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3062  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3063  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3066  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3061     1   0 16:49:17 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3065  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
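To check a running service against the minimal set configured in start/privileges above, here is an added example (not from the slides and not Solaris code) that parses ppriv output, expands the basic/all/none/!priv notation and lists what each process holds beyond what httpd needs; the ppriv dump is constructed from the slides' PIDs 1975 and 1977, and the basic set is the one printed by ppriv -v above.

```python
"""Check a process's effective privilege set against an intended minimum.

Added example, not from the original slides. It uses the privilege names
and the ppriv(1) output format shown on the slides; the sample ppriv dump
below is constructed from those slides.
"""
import re

# The complete privilege list from the slides (privileges(5) on Solaris 11).
ALL_PRIVS = frozenset("""
contract_event contract_identity contract_observer cpc_cpu dtrace_kernel
dtrace_proc dtrace_user file_chown file_chown_self file_dac_execute
file_dac_read file_dac_search file_dac_write file_downgrade_sl file_flag_set
file_link_any file_owner file_read file_setid file_upgrade_sl file_write
graphics_access graphics_map ipc_dac_read ipc_dac_write ipc_owner net_access
net_bindmlp net_icmpaccess net_mac_aware net_mac_implicit net_observability
net_privaddr net_rawaccess pro"""
                     """c_audit proc_chroot proc_clock_highres proc_exec
proc_fork proc_info proc_lock_memory proc_owner proc_priocntl proc_session
proc_setid proc_taskid proc_zone sys_acct sys_admin sys_audit sys_config
sys_devices sys_dl_config sys_flow_config sys_ib_config sys_ib_info
sys_ip_config sys_ipc_config sys_iptun_config sys_linkdir sys_mount
sys_net_config sys_nfs sys_ppp_config sys_res_bind sys_res_config sys_resource
sys_share sys_smb sys_suser_compat sys_time sys_trans_label win_colormap
win_config win_dac_read win_dac_write win_devices win_dga win_downgrade_sl
win_fontpath win_mac_read win_mac_write win_selection win_upgrade_sl
""".split())

# The "basic" set as printed by ppriv -v for the unprivileged shell on the slides.
BASIC_PRIVS = frozenset("""
file_link_any file_read file_write net_access proc_exec proc_fork proc_info
proc_session sys_ib_info
""".split())


def expand_priv_spec(spec):
    """Expand a specification such as 'basic,!proc_info,net_privaddr'.

    This is the notation used in ppriv output and in SMF start/privileges:
    'all', 'basic' and 'none' are keywords, '!name' removes a privilege.
    """
    privs = set()
    for token in spec.split(","):
        token = token.strip()
        if not token:
            continue
        if token == "all":
            privs |= ALL_PRIVS
        elif token == "basic":
            privs |= BASIC_PRIVS
        elif token == "none":
            privs.clear()
        elif token.startswith("!"):
            privs.discard(token[1:])
        elif token in ALL_PRIVS:
            privs.add(token)
        else:
            raise ValueError(f"unknown privilege: {token}")
    return frozenset(privs)


PID_RE = re.compile(r"^(\d+):\s")
SET_RE = re.compile(r"^\s*([EIPL]):\s*(\S+)\s*$")


def parse_ppriv(text):
    """Return {pid: {'E': set, 'I': set, 'P': set, 'L': set}} from ppriv output."""
    result, pid = {}, None
    for line in text.splitlines():
        m = PID_RE.match(line)
        if m:
            pid = int(m.group(1))
            result[pid] = {}
            continue
        m = SET_RE.match(line)
        if m and pid is not None:
            result[pid][m.group(1)] = expand_priv_spec(m.group(2))
    return result


def excess_privileges(ppriv_text, needed_spec):
    """Per PID, the effective privileges beyond the intended minimum (sorted)."""
    needed = expand_priv_spec(needed_spec)
    return {pid: sorted(sets["E"] - needed)
            for pid, sets in parse_ppriv(ppriv_text).items()}


# Constructed sample: the root-owned httpd parent and one webservd worker
# from the slides (PIDs 1975 and 1977).
SAMPLE_PPRIV = """\
1977:   /usr/apache2/2.2/bin/httpd -k start
flags = <none>
        E: basic
        I: basic
        P: basic
        L: all
1975:   /usr/apache2/2.2/bin/httpd -k start
flags = <none>
        E: all
        I: basic
        P: all
        L: all
"""
# What the hardened SMF method on the slides grants to httpd.
APACHE_NEEDED = "basic,!proc_session,!proc_info,!file_link_any,net_privaddr"

if __name__ == "__main__":
    for pid, extra in excess_privileges(SAMPLE_PPRIV, APACHE_NEEDED).items():
        print(f"pid {pid}: {len(extra)} privileges beyond the minimum: {', '.join(extra)}")
```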
Read-only zone root

zonecfg:testzone> set file-mac-profile=none
    Standard read-write non-global zone, with no additional protection beyond the existing zones boundaries.

zonecfg:testzone> set file-mac-profile=strict
    Read-only file system, no exceptions.

zonecfg:testzone> set file-mac-profile=fixed-configuration
    Permits updates to /var/* directories, with the exception of directories that contain system configuration components.

zonecfg:testzone> set file-mac-profile=flexible-configuration
    Permits modification of files in /etc/* directories, changes to root's home directory, and updates to /var/* directories. This configuration provides the closest functionality to the Oracle Solaris 10 native sparse root zone.
in-kernel SSL Proxy
# mkdir /etc/keys
# cd /etc/keys
# openssl req -x509 -nodes -days 365 -subj "/C=DE/ST=Hamburg/L=Hamburg/CN=server" -newkey rsa:1024 -keyout /etc/keys/mykey.pem -out /etc/keys/mycert.pem
# cat mycert.pem mykey.pem > my.pem
# chmod 600 my.pem

# echo "pass" > /etc/keys/mypass
# ksslcfg create -f pem -i /etc/keys/my.pem -x 8080 -p /etc/keys/mypass server 443

# ksslcfg create -f pem -i /etc/keys/my.pem -x 8080 -p /etc/keys/mypass -c rsa_aes_256_cbc_sha,rsa_aes_128_cbc_sha,rsa_rc4_128_sha,rsa_rc4_128_md5 server 443

# svcs -a | grep kssl
online          9:03:33 svc:/network/ssl/proxy:kssl-server-443

# svcadm disable apache22
# echo "Listen 192.168.178.108:8080" >> /etc/apache2/2.2/httpd.conf
# svcadm enable apache22
Port number and IP address have to be defined in httpd.conf, otherwise it will not work.

# openssl s_client -connect server:443
CONNECTED(00000004)
depth=0 /C=DE/ST=Hamburg/L=Hamburg/CN=server
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=DE/ST=Hamburg/L=Hamburg/CN=server
verify return:1
---
Certificate chain
 0 s:/C=DE/ST=Hamburg/L=Hamburg/CN=server
   i:/C=DE/ST=Hamburg/L=Hamburg/CN=server
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICoTCCAgqgAwIBAgIJAKyJdj[...]V5jX3MU=
-----END CERTIFICATE-----
subject=/C=DE/ST=Hamburg/L=Hamburg/CN=server
issuer=/C=DE/ST=Hamburg/L=Hamburg/CN=server
---
No client certificate CA names sent
---
SSL handshake has read 817 bytes and written 328 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-SHA
    Session-ID: 32CEF20CB9FE2A71C74D40BB2DB5CB304DA1B57540B7CFDD113915B99DBE9812
    Session-ID-ctx:
    Master-Key: 1E7B502390951124779C5763B5E4BBAF0A9B0693D08DCA8A587B503A5C5027B6FAD9CA7626B1AD8C62219E8502A5C21E
    Key-Arg   : None
    Start Time: 1242985143
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
GET / HTTP/1.0

HTTP/1.1 200 OK
Date: Fri, 22 May 2009 09:39:13 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8a DAV/2
Last-Modified: Thu, 21 May 2009 21:26:30 GMT
ETag: "341f3-2c-46a72cc211a8f"
Accept-Ranges: bytes
Content-Length: 44
Connection: close
Content-Type: text/html

<html><body><h1>It works!</h1></body></html>
read:errno=0
ZFS Encryption
# zfs create -o encryption=on rpool/export/project

Two keys are involved: the wrapping key (user-settable) and the data encryption key (random, not user-settable). The wrapping key can come from a prompt, a file, https or pkcs11.

Available algorithms: aes-128-ccm (=on), aes-192-ccm, aes-256-ccm, aes-128-gcm, aes-192-gcm, aes-256-gcm

# zfs set checksum=sha256+mac <dataset>
If encryption is anything other than off, something like this happens automatically. The checksum property is read-only from then on.

# pktool genkey keystore=pkcs11 keytype=aes keylen=128 label=mykey
Enter PIN for Sun Software PKCS#11 softtoken:
# zfs create -o encryption=on -o keysource=raw,pkcs11:object=mykey tank/project/C
Enter PKCS#11 token PIN for 'tank/project/C':

# zfs create -o encryption=on -o keysource=raw,https://keys.example.com/mykey tank/project/R
# cp myserver.cert.pem /etc/certs/CA/
# svcadm refresh ca-certificates

Changing the wrapping key:
$ zfs key -c rpool/export/project
Enter new passphrase for 'rpool/export/project':

Changing the encryption key for data written from now on:
# zfs key -K tank/project/A
# zfs clone -K tank/project/A@montag tank/project/D
Creates a new data encryption key. Data written in the clone uses the new data encryption key, which is distinct from its original snapshot.
Solaris Cryptographic Framework
As soon as Solaris detects hardware acceleration for cryptography, Solaris will use it (and so will applications using the Oracle-supplied OpenSSL library or the direct interfaces):
• on-chip crypto accelerator in T and current M series chips
• instruction set extensions in Intel processors (AES-NI)
• supported crypto accelerator cards

Just a side note: T-series crypto acceleration and Intel x86 acceleration have pretty different performance characteristics.
T-series: acceleration by offloading crypto outside the pipeline.
Intel x86: acceleration by offering special in-pipeline instructions to accelerate execution.
Sounds like splitting hairs.
Using ZFS to do two-factor encryption
jmoekamp@solaris:~$ rmformat
Looking for devices...
     1. Logical Node: /dev/rdsk/c10t0d0p0
        Physical Node: /pci@0,0/pci8086,265c@b/storage@2/disk@0,0
        Connected Device: SanDisk  U3 Cruzer Micro  8.02
        Device Type: Removable
        Bus: USB
        Size: 3.8 GB
        Label:
        Access permissions: Medium is not write protected.
(...)
     3. Logical Node: /dev/rdsk/c9t0d0p0
        Physical Node: /pci@0,0/pci8086,265c@b/storage@1/disk@0,0
        Connected Device: SanDisk  U3 Cruzer Micro  8.02
        Device Type: Removable
        Bus: USB
        Size: 3.8 GB
        Label:
        Access permissions: Medium is not write protected.

root@solaris:~# zpool create a_keystore_usbstick /dev/dsk/c10t0d0p0
root@solaris:~# zpool create datastick /dev/dsk/c9t0d0p0

root@solaris:~# zfs create -o encryption=on a_keystore_usbstick/keys
Enter passphrase for 'a_keystore_usbstick/keys': supersecret
Enter again: supersecret

root@solaris:~# pktool genkey keystore=file keytype=aes keylen=128 outkey=/a_keystore_usbstick/keys/joergsdatastick.key

root@solaris:~# zfs create -o encryption=on -o keysource=raw,file:///a_keystore_usbstick/keys/joergsdatastick.key datastick/joergssecrets

root@solaris:/datastick/joergssecrets# mv /home/jmoekamp/highlyconfidential_nda_presos.tgz .

root@solaris:~# zpool export a_keystore_usbstick
root@solaris:~# zpool export datastick

root@solaris:~# zpool import a_keystore_usbstick
Enter passphrase for 'a_keystore_usbstick/keys': supersecret
root@solaris:~#

root@solaris:~# zpool import datastick
root@solaris:~# cd /datastick/joergssecrets
root@solaris:/datastick/joergssecrets# ls
highconfidential_nda_presos.tgz
Basic Auditing and Reporting Tool
# mkdir /bart-files
# bart create -R /etc > /bart-files/etc.control.manifest

# cat etc.control.manifest | grep nsswitch.nisplus
/nsswitch.nisplus F 2525 100644 user::rw-,group::r--,mask:r--,other:r-- 473976b5 0 3 79e8fd689a5221d1cd059e5077da71b8

# touch /etc/thisisjustatest
# chmod 777 /etc/nsswitch.files
# echo "just a test" >> /etc/nsswitch.nisplus

# bart create -R /etc > /bart-files/etc.check20130911.manifest

# cd /bart-files
# bart compare etc.control.manifest etc.check20130911.manifest
/nsswitch.files:
  mode  control:100644  test:100777
  acl  control:user::rw-,group::r--,mask:r--,other:r--  test:user::rwx,group::rwx,mask:rwx,other:rwx
/nsswitch.nisplus:
  size  control:2525  test:2538
  mtime  control:473976b5  test:47a44862
  contents  control:79e8fd689a5221d1cd059e5077da71b8  test:3f79176ec352441db11ec8a3d02ef67c
/thisisjustatest:
  add
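To show what bart compare is doing with the manifest lines above, here is an added example (not from the slides and not BART's own code) that parses two manifests in the format shown and reports the differences in the same layout; the two manifests are constructed to reproduce the comparison on the slides, and the hash and mtime of the new empty file are constructed values.

```python
"""Minimal comparison of two bart(1M) manifests.

Added example, not from the original slides. It reads manifests in the
format shown above (one line per file: name, type, then the attributes for
that type) and prints differences the way bart compare does.
"""

# Attribute names per file type, following the bart_manifest(4) layout:
# F = regular file, D = directory, S = symlink (last field is the link target).
FIELDS = {
    "F": ["size", "mode", "acl", "mtime", "uid", "gid", "contents"],
    "D": ["size", "mode", "acl", "mtime", "uid", "gid"],
    "S": ["size", "mode", "acl", "mtime", "uid", "gid", "dest"],
}


def parse_manifest(text):
    """Return {path: {attr: value}}; header/comment lines start with '!'."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        parts = line.split()
        path, ftype, values = parts[0], parts[1], parts[2:]
        names = FIELDS.get(ftype, [f"f{i}" for i in range(len(values))])
        attrs = dict(zip(names, values))
        attrs["type"] = ftype
        entries[path] = attrs
    return entries


def compare_manifests(control_text, test_text):
    """Return {path: {attr: (control, test)}}.

    A file only in the test manifest is reported as {'add': (None, None)},
    a file only in the control manifest as {'delete': (None, None)}.
    """
    control, test = parse_manifest(control_text), parse_manifest(test_text)
    diff = {}
    for path in sorted(set(control) | set(test)):
        if path not in control:
            diff[path] = {"add": (None, None)}
        elif path not in test:
            diff[path] = {"delete": (None, None)}
        else:
            changed = {}
            for attr, old in control[path].items():
                new = test[path].get(attr)
                if old != new:
                    changed[attr] = (old, new)
            if changed:
                diff[path] = changed
    return diff


def format_report(diff):
    """Render the differences in the layout bart compare prints."""
    lines = []
    for path, attrs in diff.items():
        lines.append(f"{path}:")
        for attr, (old, new) in attrs.items():
            if old is None:
                lines.append(f"  {attr}")
            else:
                lines.append(f"  {attr}  control:{old}  test:{new}")
    return "\n".join(lines)


# Constructed samples modelled on the /etc manifests from the slides.
CONTROL = """\
! Version 1.1
/nsswitch.files F 2525 100644 user::rw-,group::r--,mask:r--,other:r-- 473976b5 0 3 79e8fd689a5221d1cd059e5077da71b8
/nsswitch.nisplus F 2525 100644 user::rw-,group::r--,mask:r--,other:r-- 473976b5 0 3 79e8fd689a5221d1cd059e5077da71b8
"""
TEST = """\
! Version 1.1
/nsswitch.files F 2525 100777 user::rwx,group::rwx,mask:rwx,other:rwx 473976b5 0 3 79e8fd689a5221d1cd059e5077da71b8
/nsswitch.nisplus F 2538 100644 user::rw-,group::r--,mask:r--,other:r-- 47a44862 0 3 3f79176ec352441db11ec8a3d02ef67c
/thisisjustatest F 0 100644 user::rw-,group::r--,mask:r--,other:r-- 52308f1a 0 0 d41d8cd98f00b204e9800998ecf8427e
"""

if __name__ == "__main__":
    print(format_report(compare_manifests(CONTROL, TEST)))
```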
Find more information regarding this feature at http://www.c0t0d0s0.org/archives/4069-Less-known-Solaris-features-BART.html

Apropos Auditing

Auditing is activated by default.

root@client:~# auditconfig -getflags
active user default audit flags = lo(0x1000,0x1000)
configured user default audit flags = lo(0x1000,0x1000)
root@client:~# auditconfig -getnaflags
active non-attributable audit flags = lo(0x1000,0x1000)
configured non-attributable audit flags = lo(0x1000,0x1000)

root@client:~# auditconfig -getpolicy
configured audit policies = cnt
active audit policies = cnt
Policy regarding auditing (explanation on the next slide).

root@client:~# auditconfig -lspolicy
policy string        description
ahlt                 halt machine if it can not record an async event
all                  all policies
arge                 include exec environment args in audit recs
argv                 include exec command line args in audit recs
cnt                  when no more space, drop recs and keep a cnt
group                include supplementary groups in audit recs
none                 no policies
path                 allow multiple paths per event
perzone              use a separate queue and auditd per zone
public               audit public files
seq                  include a sequence number in audit recs
trail                include trailer token in audit recs
windata_down         include downgraded window information in audit recs
windata_up           include upgraded window information in audit recs
zonename             include zonename token in audit recs
Which degree of detail? What happens with full disks?

root@client:~# auditconfig -getplugin
Plugin: audit_binfile (active)
        Attributes: p_dir=/var/audit;p_fsize=0;p_minfree=1;
Plugin: audit_syslog (inactive)
        Attributes: p_flags=;
Plugin: audit_remote (inactive)
        Attributes: p_hosts=;p_retries=3;p_timeout=5;

root@client:~# auditconfig -setflags lo,ps,fw
user default audit flags = ps,lo,fw(0x101002,0x101002)
root@client:~# auditconfig -setnaflags lo,na
non-attributable audit flags = lo,na(0x1400,0x1400)
lo and na are the only sensible flags for non-attributable events.

root@client:~# usermod -K audit_flags=fw,as junior

root@client:~# auditconfig -lsevent | grep lo
AUE_login                      6152 lo        login - local
AUE_logout                     6153 lo        logout
AUE_telnet                     6154 lo        login - telnet
AUE_rlogin                     6155 lo        login - rlogin
AUE_rshd                       6158 lo        rsh access
AUE_su                         6159 lo        su
AUE_rexecd                     6162 lo        rexecd
AUE_passwd                     6163 lo        passwd
AUE_rexd                       6164 lo        rexd
AUE_ftpd                       6165 lo        ftp access
AUE_ftpd_logout                6171 lo        ftp logout
AUE_ssh                        6172 lo        login - ssh
AUE_role_login                 6173 lo        role login
AUE_rad_login                  6174 lo        connect to RAD
AUE_newgrp_login               6212 lo        newgrp login
AUE_admin_authenticate         6213 lo        admin login
AUE_screenlock                 6221 lo        screenlock - lock
AUE_screenunlock               6222 lo        screenlock - unlock
AUE_zlogin                     6227 lo        login - zlogin
AUE_su_logout                  6228 lo        su logout
AUE_role_logout                6229 lo        role logout
AUE_smbd_session               6244 lo        smbd(1m) session setup
AUE_smbd_logoff                6245 lo        smbd(1m) session logoff

root@client:~# auditconfig -lsevent | grep ps
AUE_EXIT                          1 ps        exit(2)
AUE_FORKALL                       2 ps        forkall(2)
AUE_VFORK                        25 ps        vfork(2)
AUE_FORK1                       241 ps        fork1(2)
root@client:~# auditconfig -lsevent | grep fw
AUE_OPEN_W                       76 fw        open(2) - write

# auditreduce -c ps /var/audit/20130912183630.not_terminated.client | praudit
header,139,2,execve(2),,client,2013-09-12 18:40:55.924 +00:00
path,/usr/sbin/auditreduce
attribute,100555,root,bin,65538,65875,18446744073709551615
subject,jmoekamp,root,root,root,root,2054,1440080956,2480 202240 192.168.10.1
return,success,0

root@client:~# auditconfig -setflags all
user default audit flags = all(0xffffffffffffffff,0xffffffffffffffff)
Not always (in the sense of: never) a good idea.
Useful after trying out: starting a new audit file.
root@client:~# audit -n

root@client:~# auditstat
  gen  nona  kern   aud   ctl   enq  wrtn  wblk  rblk  drop   tot   mem
38248     1 38233    14     0 37791 37788     0  3491   457  5169     0
all activated for a few seconds on an unloaded system
SSH and X509
c0t0d0s0org131
root@ca:~# CA.pl -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
......++++++
......++++++
writing new private key to '/etc/openssl/private/cakey.pem'
Enter PEM pass phrase: supersecret1
Verifying - Enter PEM pass phrase: supersecret1
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:DE
State or Province Name (full name) []:Lower Saxony
Locality Name (eg, city) []:Lueneburg
Organization Name (eg, company) []:c0t0d0s0.org
Organizational Unit Name (eg, section) []:Security Department
Common Name (eg, server FQDN or YOUR name) []:CA
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openssl/openssl.cnf
Enter pass phrase for /etc/openssl/private/cakey.pem: supersecret1
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            b3:54:80:88:66:ad:e8:78
        Validity
            Not Before: Sep 26 10:11:09 2013 GMT
            Not After : Sep 25 10:11:09 2016 GMT
        Subject:
            countryName               = DE
            stateOrProvinceName       = Lower Saxony
            organizationName          = c0t0d0s0.org
            organizationalUnitName    = Security Department
            commonName                = CA
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44
            X509v3 Authority Key Identifier:
                keyid:5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44

            X509v3 Basic Constraints:
                CA:TRUE
Certificate is to be certified until Sep 25 10:11:09 2016 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated
root@ca:~# mkdir server
root@ca:~# cd server
root@ca:~/server# CA.pl -newreq
Generating a 1024 bit RSA private key
......++++++
......++++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase: supersecret2
Verifying - Enter PEM pass phrase: supersecret2
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:DE
State or Province Name (full name) []:Lower Saxony
Locality Name (eg, city) []:Lueneburg
Organization Name (eg, company) []:c0t0d0s0.org
Organizational Unit Name (eg, section) []:Server Certificates
Common Name (eg, server FQDN or YOUR name) []:server
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem
root@ca:~/server# CA.pl -signreq
Using configuration from /etc/openssl/openssl.cnf
Enter pass phrase for /etc/openssl/private/cakey.pem: supersecret1
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            b3:54:80:88:66:ad:e8:79
        Validity
            Not Before: Sep 26 10:29:12 2013 GMT
            Not After : Sep 26 10:29:12 2014 GMT
        Subject:
            countryName               = DE
            stateOrProvinceName       = Lower Saxony
            localityName              = Lueneburg
            organizationName          = c0t0d0s0.org
            organizationalUnitName    = Server Certificates
            commonName                = server
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                A7:DC:03:DE:B3:D5:FB:F9:C0:06:F1:1A:55:A9:AD:04:C4:9C:10:FA
            X509v3 Authority Key Identifier:
                keyid:5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44

Certificate is to be certified until Sep 26 10:29:12 2014 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
root@ca:~/server# ls -l
total 15
-rw-r--r--   1 root     root        3196 Sep 26 12:29 newcert.pem
-rw-r--r--   1 root     root        1041 Sep 26 12:28 newkey.pem
-rw-r--r--   1 root     root         680 Sep 26 12:28 newreq.pem
root@ca:~/junior# CA.pl -newreq
Generating a 1024 bit RSA private key
......++++++
......++++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
Verify failure
Enter PEM pass phrase: supersecret3
Verifying - Enter PEM pass phrase: supersecret3
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:DE
State or Province Name (full name) []:Lower Saxony
Locality Name (eg, city) []:Lueneburg
Organization Name (eg, company) []:c0t0d0s0.org
Organizational Unit Name (eg, section) []:User certificates
Common Name (eg, server FQDN or YOUR name) []:junior
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem
root@ca:~/junior# CA.pl -signreq
Using configuration from /etc/openssl/openssl.cnf
Enter pass phrase for /etc/openssl/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            b3:54:80:88:66:ad:e8:7a
        Validity
            Not Before: Sep 26 11:09:29 2013 GMT
            Not After : Sep 26 11:09:29 2014 GMT
        Subject:
            countryName               = DE
            stateOrProvinceName       = Lower Saxony
            localityName              = Lueneburg
            organizationName          = c0t0d0s0.org
            organizationalUnitName    = User certificates
            commonName                = junior
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                A1:F2:FC:9D:8A:E2:AD:9A:F5:29:03:F5:B7:14:93:3C:64:62:8E:9C
            X509v3 Authority Key Identifier:
                keyid:5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44

Certificate is to be certified until Sep 26 11:09:29 2014 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
root@server:~# useradd -m junior
80 blocks
root@server:~# passwd junior
New Password:
Re-enter new Password:
passwd: password successfully changed for junior
root@server:~#

root@client:~# useradd -m junior
80 blocks
root@client:~# passwd junior
New Password:
Re-enter new Password:
passwd: password successfully changed for junior

root@server:~# echo "192.168.10.51 server" >> /etc/hosts
root@server:~# echo "192.168.10.52 client" >> /etc/hosts

root@client:~# echo "192.168.10.51 server" >> /etc/hosts
root@client:~# echo "192.168.10.52 client" >> /etc/hosts

root@ca:~/server# scp /etc/openssl/cacert.pem jmoekamp@192.168.1.109:/export/home/jmoekamp
Password:
cacert.pem           100% |*****************************|  3011       00:00
root@ca:~/server# scp newcert.pem jmoekamp@192.168.1.109:/export/home/jmoekamp
Password:
newcert.pem          100% |*****************************|  3196       00:00
root@ca:~/server# scp newkey.pem jmoekamp@192.168.1.109:/export/home/jmoekamp
Password:
newkey.pem           100% |*****************************|  1041       00:00

root@ca:~/junior# scp newkey.pem junior@client:/export/home/junior
Password:
newkey.pem           100% |*****************************|  1041       00:00
root@ca:~/junior# scp newcert.pem junior@client:/export/home/junior
Password:
newcert.pem          100% |*****************************|  3190       00:00
root@ca:~/junior# scp /etc/openssl/cacert.pem junior@192.168.1.104:/export/home/junior
Password:
cacert.pem           100% |*****************************|  3011       00:00
On the Server

root@server:~# ls
cacert.pem   newcert.pem   newkey.pem

root@server:~# pktool setpin
Enter token passphrase: changeme
Create new passphrase: superserversecret
Re-enter new passphrase: superserversecret
Passphrase changed.
root@server:~#

root@server:~# printf "superserversecret" > /etc/ssh/pinfile

root@server:~# kmfcfg create dbfile=/etc/ssh/policy.xml policy=ssh ta-name=search mapper-name=cn

root@server:~# echo "TrustedAnchorKeystore /etc/ssh/cert" >> /etc/ssh/sshd_config
root@server:~# echo "KMFPolicyDatabase /etc/ssh/policy.xml" >> /etc/ssh/sshd_config
root@server:~# echo "KMFPolicyName ssh" >> /etc/ssh/sshd_config
root@server:~# echo "HostKey pkcs11:object=host;token=Sun Metaslot;pinfile=/etc/ssh/pinfile" >> /etc/ssh/sshd_config

root@server:~# pktool import keystore=pkcs11 infile=newkey.pem objtype=key label=host
Enter PIN for Sun Software PKCS#11 softtoken: superserversecret
Enter PEM pass phrase: supersecret2
Importing 1 keys

root@server:~# egrep -v '^ |^$|^Cert' /export/home/jmoekamp/cacert.pem > /etc/ssh/cert/cacert.cooked.pem
root@server:~# egrep -v '^ |^$|^Cert' newcert.pem > newcert.cooked.pem
root@server:~# pktool import keystore=pkcs11 infile=newcert.cooked.pem objtype=cert label=host
root@server:~#
On the client

junior@client:~$ ls *.pem
cacert.pem   newcert.pem   newkey.pem

root@client:~# kmfcfg create dbfile=/etc/ssh/policy.xml policy=ssh ta-name=search mapper-name=cn
root@client:~# egrep -v '^ |^$|^Cert' /export/home/junior/cacert.pem > /etc/ssh/cert/cacert.cooked.pem

junior@client:~$ pktool setpin
Enter token passphrase: changeme
Create new passphrase: superusersecret
Re-enter new passphrase: superusersecret
Passphrase changed.

junior@client:~$ pktool import keystore=pkcs11 infile=newkey.pem objtype=key label=user
Enter PIN for Sun Software PKCS#11 softtoken: superusersecret
Enter PEM pass phrase: supersecret3
Importing 1 keys
junior@client:~$ egrep -v '^ |^$|^Cert' newcert.pem > newcert.cooked.pem
junior@client:~$ pktool import keystore=pkcs11 infile=newcert.cooked.pem objtype=cert label=user
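The egrep -v '^ |^$|^Cert' step on the server and on the client strips the human-readable text dump that CA.pl leaves in front of the PEM block, because pktool import expects a bare PEM file. As an added example that is not part of the slides, the Python below shows both the line filter the slides use and a marker-based extraction that keeps only the -----BEGIN/-----END block, which is the more robust form when a file contains more than one kind of text. The sample file content is constructed; its base64 body is a placeholder, not a real certificate.

```python
import re

# Constructed input modelled on an OpenSSL newcert.pem (text dump followed by the PEM block).
# The base64 lines are placeholders, not a real certificate.
SAMPLE_NEWCERT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            b3:54:80:88:66:ad:e8:79
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=DE, ST=Lower Saxony, O=c0t0d0s0.org, CN=CA

-----BEGIN CERTIFICATE-----
MIIDPLACEHOLDERBASE64LINE1
MIIDPLACEHOLDERBASE64LINE2
-----END CERTIFICATE-----
"""

_PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(.*?)-----END \1-----\n?", re.S)


def egrep_v_filter(text):
    """What egrep -v '^ |^$|^Cert' does: drop indented lines, blank lines and the
    'Certificate:' heading and keep everything else."""
    kept = [l for l in text.splitlines()
            if not (l.startswith(" ") or l == "" or l.startswith("Cert"))]
    return "\n".join(kept) + "\n"


def extract_pem_blocks(text, label=None):
    """Return every PEM block in text (optionally only blocks with the given label,
    e.g. 'CERTIFICATE'), each reassembled as BEGIN line, body and END line."""
    blocks = []
    for m in _PEM_RE.finditer(text):
        if label is None or m.group(1) == label:
            blocks.append("-----BEGIN %s-----\n%s-----END %s-----\n"
                          % (m.group(1), m.group(2), m.group(1)))
    return blocks


def cook_pem_file(src, dst, label="CERTIFICATE"):
    """Write the single PEM block of the requested label from src to dst, refusing to
    proceed when the file does not contain exactly one such block."""
    with open(src) as f:
        blocks = extract_pem_blocks(f.read(), label)
    if len(blocks) != 1:
        raise ValueError("expected exactly one %s block in %s, found %d"
                         % (label, src, len(blocks)))
    with open(dst, "w") as f:
        f.write(blocks[0])
    return dst


if __name__ == "__main__":
    print(extract_pem_blocks(SAMPLE_NEWCERT)[0], end="")
```

The marker-based version refuses a file with zero or several certificate blocks, which the egrep filter silently passes through; that matters when a bundle rather than a single certificate is handed to pktool import.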
Testing it

root@server:~# svcadm disable ssh
root@server:~# svcadm enable ssh

junior@client:~$ cd .ssh
junior@client:~/.ssh$ printf "superusersecret" >> pinfile
junior@client:~/.ssh$ cat config
Host server-x509
    Hostname server
    TrustedAnchorKeystore /etc/ssh/cert
    KMFPolicyDatabase /etc/ssh/policy.xml
    KMFPolicyName ssh
    IdentityFile pkcs11:object=user;token=Sun Software PKCS#11 softtoken;pinfile=/export/home/junior/.ssh/pinfile

junior@client:~/.ssh$ ssh junior@server-x509
Last login: Thu Sep 26 20:07:14 2013 from client
Oracle Corporation      SunOS 5.11      11.1    September 2013
junior@server:~$

Find more information regarding this feature at
http://www.c0t0d0s0.org/archives/7659-Using-X509-support-for-SSH-on-Solaris-11.1.html
OpenSCAP

"The Security Content Automation Protocol (SCAP) is a method for using specific standards to enable automated vulnerability management, measurement, and policy compliance evaluation (e.g., FISMA compliance). The National Vulnerability Database (NVD) is the U.S. government content repository for SCAP."
http://en.wikipedia.org/wiki/Security_Content_Automation_Protocol
ftp-banner.xml

<?xml version="1.0" encoding="UTF-8"?>
<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:independent-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd">
  <generator>
    <oval:product_name>Enhanced SCAP Editor</oval:product_name>
    <oval:product_version>0.0.11</oval:product_version>
    <oval:schema_version>5.8</oval:schema_version>
    <oval:timestamp>2012-10-11T10:33:25</oval:timestamp>
  </generator>
  <!--generated.oval.base.identifier=com.oracle.solaris11-->
  <definitions>
    <definition id="oval:com.oracle.solaris11:def:840" version="1" class="compliance">
      <metadata>
        <title>Enable a Warning Banner for the FTP Service</title>
        <affected family="unix">
          <platform>Oracle Solaris 11</platform>
        </affected>
        <description>/etc/proftpd.conf contains "DisplayConnect /etc/issue"</description>
      </metadata>
      <criteria operator="AND" negate="false" comment="Single test">
        <criterion comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;" test_ref="oval:com.oracle.solaris11:tst:8400" negate="false"/>
      </criteria>
    </definition>
  </definitions>
  <tests>
    <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:com.oracle.solaris11:tst:8400" version="1" check="all" comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;" check_existence="all_exist">
      <object object_ref="oval:com.oracle.solaris11:obj:8400"/>
    </textfilecontent54_test>
  </tests>
  <objects>
    <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:com.oracle.solaris11:obj:8400" version="1" comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;">
      <path datatype="string" operation="equals">/etc</path>
      <filename datatype="string" operation="equals">proftpd.conf</filename>
      <pattern datatype="string" operation="pattern match">^DisplayConnect\s/etc/issue\s*$</pattern>
      <instance datatype="int" operation="greater than or equal">1</instance>
    </textfilecontent54_object>
  </objects>
</oval_definitions>
$ oscap oval eval ftp-banner.xml
Definition oval:com.oracle.solaris11:def:840: false
Evaluation done.

$ oscap oval eval --results results.xml --report report.html ftp-banner.xml
Definition oval:com.oracle.solaris11:def:840: false
Evaluation done.
OVAL Results are exported correctly.

To create your own OVAL files: Enhanced SCAP Content Editor

Find more information regarding this feature at
https://blogs.oracle.com/darren/entry/compliance_reporting_with_scap
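The definition in ftp-banner.xml has three layers: the textfilecontent54_object collects the lines of /etc/proftpd.conf that match the pattern (the instance element selects which of the matches count), the test is true when at least one item was collected (check_existence="all_exist"), and the definition is simply that one criterion. As an added example that is not code from the slides or from OpenSCAP, the Python below evaluates that object by hand against constructed proftpd.conf contents for both outcomes, and against the live file the way oscap oval eval does. The sample configurations are constructed; the pattern and paths are taken from the XML above.

```python
import os
import re

# Constructed proftpd.conf contents for the two outcomes (the slides only show the failing run).
GOOD_PROFTPD_CONF = 'ServerName "FTP"\nDisplayConnect /etc/issue\nPort 21\n'
BAD_PROFTPD_CONF = 'ServerName "FTP"\n# DisplayConnect /etc/issue\nPort 21\n'

# The textfilecontent54_object from ftp-banner.xml.
OBJECT = {
    "path": "/etc",
    "filename": "proftpd.conf",
    "pattern": r"^DisplayConnect\s/etc/issue\s*$",
    "instance": 1,
    "instance_operation": "greater than or equal",
}

OPERATIONS = {
    "equals": lambda actual, wanted: actual == wanted,
    "greater than or equal": lambda actual, wanted: actual >= wanted,
    "less than or equal": lambda actual, wanted: actual <= wanted,
}


def collect_items(content, obj=OBJECT):
    """Object collection: every line matching the pattern is an instance, numbered from 1;
    <instance> selects which instances are collected as items."""
    matches = [m.group(0) for m in re.finditer(obj["pattern"], content, re.M)]
    op = OPERATIONS[obj["instance_operation"]]
    return [line for n, line in enumerate(matches, start=1) if op(n, obj["instance"])]


def evaluate_test(content, obj=OBJECT, check_existence="all_exist"):
    """Test evaluation: with check_existence=all_exist the test is true only when at least one
    item was collected; a missing file (content None) or no matching line yields false."""
    if content is None:
        return False
    items = collect_items(content, obj)
    if check_existence == "all_exist":
        return bool(items)
    if check_existence == "none_exist":
        return not items
    raise ValueError("unsupported check_existence %r" % check_existence)


def evaluate_file(obj=OBJECT):
    """Evaluate the definition against the live file, as oscap oval eval would."""
    target = os.path.join(obj["path"], obj["filename"])
    if not os.path.isfile(target):
        return False
    with open(target) as f:
        return evaluate_test(f.read(), obj)


if __name__ == "__main__":
    print("Definition oval:com.oracle.solaris11:def:840: %s" % str(evaluate_file()).lower())
```

Run on a host without /etc/proftpd.conf this prints false, matching the slide; a commented-out DisplayConnect line also fails, because the pattern is anchored at the start of the line.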
svcadm enable mysql:version_51

root@solaris:~# ppriv $(pgrep mysql)
103697: /usr/mysql/5.1/bin/mysqld --basedir=/usr/mysql/5.1 --datadir=/var/mysq
flags = PRIV_XPOLICY
        Extended policies:
                {net_privaddr}:3306/tcp
                {file_write}:/var/mysql/5.1/data/*
                {file_write}:/tmp/mysql.sock
                {file_write}:/var/tmp/ib*
        E: basic,!file_write
        I: basic,!file_write
        P: basic,!file_write
        L: all
103609: /bin/sh /usr/mysql/5.1/bin/mysqld_safe --user=mysql --datadir=/var/mys
flags = PRIV_XPOLICY
        Extended policies:
                {net_privaddr}:3306/tcp
                {file_write}:/var/mysql/5.1/data/*
                {file_write}:/tmp/mysql.sock
                {file_write}:/var/tmp/ib*
        E: basic,!file_write
        I: basic,!file_write
        P: basic,!file_write
        L: all

Find more information regarding this feature at
https://blogs.oracle.com/gfaden/entry/oracle_solaris_extended_policy_and
Passwords

root@client:/etc/security# cat /etc/security/crypt.conf
#
# Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
#ident  "%Z%%M% %I%     %E% SMI"
#
# The algorithm name __unix__ is reserved.

1       crypt_bsdmd5.so.1
2a      crypt_bsdbf.so.1
md5     crypt_sunmd5.so.1
5       crypt_sha256.so.1
6       crypt_sha512.so.1

root@client:/etc/security# cat /etc/security/policy.conf | egrep "^CRYPT_DEFAULT"
CRYPT_DEFAULT=5
root@client:/etc/security# cat /etc/shadow | grep junior
junior:$5$4aKvDFqA$2kL8GpuXjrdf8XpanqhylEP5lDhy1DF5uo1ZYx74f3:15929::::::1440

root@client:/etc/security# cat /etc/default/passwd | grep -v "^# " | egrep -v "^$|^ $"
#ident  "%Z%%M% %I%     %E% SMI"
MAXWEEKS=
MINWEEKS=
PASSLENGTH=6
NAMECHECK=NO
HISTORY=0
MINDIFF=3
MINALPHA=2
MINNONALPHA=1
MINUPPER=0
MINLOWER=0
MAXREPEATS=0
MINSPECIAL=0
MINDIGIT=0
WHITESPACE=YES
DICTIONLIST=
DICTIONDBDIR=/var/passwd

root@client:~# mkpwdict -s /usr/share/lib/dict/words
mkpwdict: using default database location: /var/passwd.
or
root@client:~# mkpwdict -s /usr/share/lib/dict/words -d /var/passwd
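The three files above fit together: crypt.conf maps the algorithm id at the start of a hash to a module, CRYPT_DEFAULT in policy.conf picks the id used for new passwords (5, so the $5$ prefix on junior's shadow entry means crypt_sha256.so.1), and /etc/default/passwd holds the composition rules passwd(1) enforces. As an added example that is not code from the slides, the Python below parses a shadow line back to its crypt module and checks a candidate password against the settings listed on the slide. The counting rules are my approximation of what each setting means; the slides list the settings but not pam_authtok_check's exact comparisons, and the shadow line in the test uses a placeholder hash.

```python
# Settings as listed in /etc/default/passwd on the slide (an empty value means "not set").
PASSWD_DEFAULTS = {
    "MAXWEEKS": "", "MINWEEKS": "", "PASSLENGTH": "6", "NAMECHECK": "NO",
    "HISTORY": "0", "MINDIFF": "3", "MINALPHA": "2", "MINNONALPHA": "1",
    "MINUPPER": "0", "MINLOWER": "0", "MAXREPEATS": "0", "MINSPECIAL": "0",
    "MINDIGIT": "0", "WHITESPACE": "YES", "DICTIONLIST": "",
    "DICTIONDBDIR": "/var/passwd",
}

# /etc/security/crypt.conf as listed on the slide: crypt(3C) algorithm id -> module.
CRYPT_CONF = {
    "1": "crypt_bsdmd5.so.1", "2a": "crypt_bsdbf.so.1", "md5": "crypt_sunmd5.so.1",
    "5": "crypt_sha256.so.1", "6": "crypt_sha512.so.1",
}


def parse_default_passwd(text):
    """Parse KEY=VALUE lines of /etc/default/passwd, ignoring comments and blank lines."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def _num(settings, key):
    value = settings.get(key, "")
    return int(value) if value else 0   # unset or 0: no requirement


def longest_run(s):
    """Length of the longest run of one repeated character (MAXREPEATS)."""
    best = run = 0
    prev = None
    for ch in s:
        run = run + 1 if ch == prev else 1
        prev = ch
        best = max(best, run)
    return best


def check_password(new, old="", login="", settings=PASSWD_DEFAULTS):
    """Return the list of policy violations; an empty list means the password is accepted.
    Approximation of the pam_authtok_check rules written for this example."""
    alpha = sum(c.isalpha() for c in new)
    digits = sum(c.isdigit() for c in new)
    spaces = sum(c.isspace() for c in new)
    upper = sum(c.isupper() for c in new)
    lower = sum(c.islower() for c in new)
    special = len(new) - alpha - digits - spaces
    problems = []

    def need(key, actual, what):
        wanted = _num(settings, key)
        if actual < wanted:
            problems.append("%s=%d: only %d %s" % (key, wanted, actual, what))

    need("PASSLENGTH", len(new), "characters")
    need("MINALPHA", alpha, "alphabetic characters")
    need("MINNONALPHA", len(new) - alpha, "non-alphabetic characters")
    need("MINUPPER", upper, "upper-case characters")
    need("MINLOWER", lower, "lower-case characters")
    need("MINDIGIT", digits, "digits")
    need("MINSPECIAL", special, "special characters")
    max_rep = _num(settings, "MAXREPEATS")
    if max_rep and longest_run(new) > max_rep:
        problems.append("MAXREPEATS=%d exceeded" % max_rep)
    if settings.get("WHITESPACE", "YES").upper() == "NO" and spaces:
        problems.append("WHITESPACE=NO: whitespace not allowed")
    if settings.get("NAMECHECK", "NO").upper() == "YES" and login and login.lower() in new.lower():
        problems.append("NAMECHECK=YES: password contains the login name")
    if old:
        # Positions where the new password differs from the old one; extra length counts too.
        diff = sum(a != b for a, b in zip(new, old)) + abs(len(new) - len(old))
        if diff < _num(settings, "MINDIFF"):
            problems.append("MINDIFF=%d: only %d characters changed" % (_num(settings, "MINDIFF"), diff))
    return problems


def shadow_algorithm(shadow_line, crypt_conf=CRYPT_CONF):
    """Name the crypt(3C) module that produced the hash in an /etc/shadow line."""
    fields = shadow_line.split(":")
    if len(fields) < 2 or not fields[1].startswith("$"):
        return None   # locked, empty or legacy DES entry: no algorithm id
    algorithm_id = fields[1].split("$")[1]
    return crypt_conf.get(algorithm_id, "unknown id %r" % algorithm_id)
```

Running check_password with the slide's settings shows how weak the defaults are: six characters with two letters and one non-letter pass, which is why the mkpwdict step (a dictionary in DICTIONDBDIR) is worth adding.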
Address Space Layout Randomization

root@solaris:~# sxadm exec -s aslr=disable /usr/bin/pmap self
1914:   /usr/bin/pmap self
0000000000400000      28K r-x--  /usr/bin/pmap
0000000000417000       4K rw---  /usr/bin/pmap
0000000000418000      40K rw---    [ heap ]
FFFF80FFBDDD0000     216K r-x--  /lib/amd64/libproc.so.1
FFFF80FFBDE16000       8K rw---  /lib/amd64/libproc.so.1
FFFF80FFBF430000    1764K r-x--  /lib/amd64/libc.so.1
FFFF80FFBF5F9000      64K rw---  /lib/amd64/libc.so.1
FFFF80FFBF609000      12K rw---  /lib/amd64/libc.so.1
FFFF80FFBF740000       4K rw---    [ anon ]
FFFF80FFBF750000      24K rwx--    [ anon ]
FFFF80FFBF760000       4K rw---    [ anon ]
FFFF80FFBF770000       4K rw---    [ anon ]
FFFF80FFBF780000       4K rw---    [ anon ]
FFFF80FFBF790000       4K rw---    [ anon ]
FFFF80FFBF792000       4K r--s-    [ anon ]
FFFF80FFBF795000     340K r-x--  /lib/amd64/ld.so.1
FFFF80FFBF7FA000      12K rwx--  /lib/amd64/ld.so.1
FFFF80FFBF7FD000       8K rwx--  /lib/amd64/ld.so.1
FFFF80FFBFFFD000      12K rw---    [ stack ]
 total          2556K

root@solaris:~# sxadm exec -s aslr=disable /usr/bin/pmap self
1915:   /usr/bin/pmap self
0000000000400000      28K r-x--  /usr/bin/pmap
0000000000417000       4K rw---  /usr/bin/pmap
0000000000418000      40K rw---    [ heap ]
FFFF80FFBDDD0000     216K r-x--  /lib/amd64/libproc.so.1
FFFF80FFBDE16000       8K rw---  /lib/amd64/libproc.so.1
FFFF80FFBF430000    1764K r-x--  /lib/amd64/libc.so.1
FFFF80FFBF5F9000      64K rw---  /lib/amd64/libc.so.1
FFFF80FFBF609000      12K rw---  /lib/amd64/libc.so.1
FFFF80FFBF740000       4K rw---    [ anon ]
FFFF80FFBF750000      24K rwx--    [ anon ]
FFFF80FFBF760000       4K rw---    [ anon ]
FFFF80FFBF770000       4K rw---    [ anon ]
FFFF80FFBF780000       4K rw---    [ anon ]
FFFF80FFBF790000       4K rw---    [ anon ]
FFFF80FFBF792000       4K r--s-    [ anon ]
FFFF80FFBF795000     340K r-x--  /lib/amd64/ld.so.1
FFFF80FFBF7FA000      12K rwx--  /lib/amd64/ld.so.1
FFFF80FFBF7FD000       8K rwx--  /lib/amd64/ld.so.1
FFFF80FFBFFFD000      12K rw---    [ stack ]
 total          2556K

root@solaris:~# sxadm exec -s aslr=enable /usr/bin/pmap self
1917:   /usr/bin/pmap self
0000000000400000      28K r-x--  /usr/bin/pmap
0000000000417000       4K rw---  /usr/bin/pmap
0000000000418000       8K rw---  /usr/bin/pmap
00000005D6666000      36K rw---    [ heap ]
00007FF669C70000     216K r-x--  /lib/amd64/libproc.so.1
00007FF669CB6000       8K rw---  /lib/amd64/libproc.so.1
00007FF669CC0000       4K rw---    [ anon ]
00007FF669CD0000      24K rwx--    [ an on ]
00007FF669CE0000       4K rw---    [ anon ]
00007FF669CF0000    1764K r-x--  /lib/amd64/libc.so.1
00007FF669EB9000      64K rw---  /lib/amd64/libc.so.1
00007FF669EC9000      12K rw---  /lib/amd64/libc.so.1
00007FF669ED0000       4K rw---    [ anon ]
00007FF669EE0000       4K rw---    [ anon ]
00007FF669EF0000       4K rw---    [ anon ]
00007FF669EF2000       4K r--s-    [ anon ]
00007FF669EFC000     340K r-x--  /lib/amd64/ld.so.1
00007FF669F61000      12K rwx--  /lib/amd64/ld.so.1
00007FF669F64000       8K rwx--  /lib/amd64/ld.so.1
FFFF80DDA254F000      16K rw---    [ stack ]
 total          2564K

root@solaris:~# sxadm exec -s aslr=enable /usr/bin/pmap self
1918:   /usr/bin/pmap self
0000000000400000      28K r-x--  /usr/bin/pmap
0000000000417000       4K rw---  /usr/bin/pmap
0000000000418000       8K rw---  /usr/bin/pmap
000000065B76D000      36K rw---    [ heap ]
00007FFAACFC0000     216K r-x--  /lib/amd64/libproc.so.1
00007FFAAD006000       8K rw---  /lib/amd64/libproc.so.1
00007FFAAD010000       4K rw---    [ anon ]
00007FFAAD020000      24K rwx--    [ anon ]
00007FFAAD030000       4K rw---    [ anon ]
00007FFAAD040000    1764K r-x--  /lib/amd64/libc.so.1
00007FFAAD209000      64K rw---  /lib/amd64/libc.so.1
00007FFAAD219000      12K rw---  /lib/amd64/libc.so.1
00007FFAAD220000       4K rw---    [ anon ]
00007FFAAD230000       4K rw---    [ anon ]
00007FFAAD240000       4K rw---    [ anon ]
00007FFAAD242000       4K r--s-    [ anon ]
00007FFAAD24D000     340K r-x--  /lib/amd64/ld.so.1
00007FFAAD2B2000      12K rwx--  /lib/amd64/ld.so.1
00007FFAAD2B5000       8K rwx--  /lib/amd64/ld.so.1
FFFF80DE1559E000      12K rw---    [ stack ]

root@solaris:~# sxadm info
EXTENSION           STATUS                       CONFIGURATION
aslr                enabled (tagged-files)       system default (default)

root@solaris:~# elfdump -d /usr/bin/pmap | grep ASLR
      [33]  SUNW_ASLR         0x2               ENABLE
root@solaris:~# elfedit -e 'dyn:sunw_aslr disable' /usr/bin/pmap
root@solaris:~# elfdump -d /usr/bin/pmap | grep ASLR
      [33]  SUNW_ASLR         0x1               DISABLE

root@solaris:~# sxadm enable -c model=all aslr
root@solaris:~# sxadm info
EXTENSION           STATUS                       CONFIGURATION
aslr                enabled (all)                enabled (all)

root@solaris:~# sxadm disable aslr
root@solaris:~# sxadm info
EXTENSION           STATUS                       CONFIGURATION
aslr                disabled                     disabled

root@solaris:~# sxadm enable -c model=tagged-files aslr
root@solaris:~# sxadm info
EXTENSION           STATUS                       CONFIGURATION
aslr                enabled (tagged-files)       enabled (tagged-files)
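The four pmap runs above make the point visually: with aslr=disable two processes get identical layouts, with aslr=enable the heap, the shared libraries and the stack move while the non-PIE executable itself stays at 0x400000. As an added example that is not code from the slides, the Python below turns that comparison into a check you can run in a hardening test: it parses two pmap outputs and reports which mappings moved and which stayed put. The embedded samples are excerpts of the two aslr=enable runs shown above; comparing a run with itself stands in for the aslr=disable case.

```python
import re

# Excerpts of the two aslr=enable runs shown above (pids 1917 and 1918).
PMAP_RUN_A = """\
1917:   /usr/bin/pmap self
0000000000400000      28K r-x--  /usr/bin/pmap
0000000000418000       8K rw---  /usr/bin/pmap
00000005D6666000      36K rw---    [ heap ]
00007FF669C70000     216K r-x--  /lib/amd64/libproc.so.1
00007FF669CF0000    1764K r-x--  /lib/amd64/libc.so.1
00007FF669EFC000     340K r-x--  /lib/amd64/ld.so.1
FFFF80DDA254F000      16K rw---    [ stack ]
 total          2564K
"""
PMAP_RUN_B = """\
1918:   /usr/bin/pmap self
0000000000400000      28K r-x--  /usr/bin/pmap
0000000000418000       8K rw---  /usr/bin/pmap
000000065B76D000      36K rw---    [ heap ]
00007FFAACFC0000     216K r-x--  /lib/amd64/libproc.so.1
00007FFAAD040000    1764K r-x--  /lib/amd64/libc.so.1
00007FFAAD24D000     340K r-x--  /lib/amd64/ld.so.1
FFFF80DE1559E000      12K rw---    [ stack ]
"""

# address, size in K, five permission flags, object name (or [ heap ] / [ anon ] / [ stack ])
_LINE = re.compile(r"^([0-9A-Fa-f]{8,16})\s+(\d+)K\s+(\S{5})\s+(.*)$")


def parse_pmap(text):
    """Map (object name, permissions) -> list of base addresses in order of appearance."""
    segments = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue            # "pid: command" and "total" lines
        addr, _size_k, perms, name = m.groups()
        segments.setdefault((name.strip(), perms), []).append(int(addr, 16))
    return segments


def compare_layouts(a, b):
    """Return (moved, fixed): mapping keys present in both runs whose first base address
    differs, respectively is identical."""
    moved, fixed = [], []
    for key in sorted(set(a) & set(b)):
        (moved if a[key][0] != b[key][0] else fixed).append(key)
    return moved, fixed


def aslr_in_effect(run_a, run_b):
    """True when the stack or a shared object landed at a different address between runs.
    Two runs can coincide by chance, so a real test should compare several runs."""
    moved, _ = compare_layouts(parse_pmap(run_a), parse_pmap(run_b))
    return any(name == "[ stack ]" or name.endswith(".so.1") for name, _perms in moved)


def report(run_a, run_b):
    moved, fixed = compare_layouts(parse_pmap(run_a), parse_pmap(run_b))
    return {"moved": ["%s %s" % k for k in moved], "fixed": ["%s %s" % k for k in fixed]}


if __name__ == "__main__":
    print(report(PMAP_RUN_A, PMAP_RUN_B))
```

On a real system feed it the output of two `pmap self` runs (or of two instances of the service you care about); /usr/bin/pmap showing up under "fixed" is expected, since the executable is not position independent and only its heap, libraries and stack are randomized.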
pfedit

root@template:/etc/apache2/2.2# profiles -p "httpd edit"
profiles:httpd edit> set auths=solaris.admin.edit//etc/apache2/2.2/httpd.conf
profiles:httpd edit> set desc="Edit httpd"
profiles:httpd edit> exit

root@template:/etc/apache2/2.2# usermod -P +"httpd edit" junior

junior@template:~$ profiles
httpd edit
Basic Solaris User
All

junior@template:~$ vi /etc/apache2/2.2/httpd.conf

junior@template:~$ pfedit /etc/apache2/2.2/httpd.conf
pfedit: /etc/apache2/2.2/httpd.conf has been updated.

junior@template:~$ pfedit /etc/apache2/2.2/mime.types
pfedit: User junior is not authorized to edit the file /etc/apache2/2.2/mime.types

root@template:/etc/apache2/2.2# profiles -p "httpd edit"
profiles:httpd edit> info
        name=httpd edit
        desc=Edit httpd
        auths=solaris.admin.edit//etc/apache2/2.2/httpd.conf
profiles:httpd edit> add auths=solaris.admin.edit//etc/apache2/2.2/mime.types

junior@template:~$ pfedit /etc/apache2/2.2/mime.types
pfedit: no changes for /etc/apache2/2.2/mime.types

# profiles -p "httpd configure"
profiles:httpd configure> add always_audit=as
profiles:httpd configure> info
        name=httpd configure
        desc=Configure httpd
        auths=solaris.admin.edit//etc/apache2/2.2/httpd.conf,solaris.admin.edit//etc/apache2/2.2/mime.types
        always_audit=as
        never_audit=no
profiles:httpd configure> exit
root@template:~#

root@template:~# auditreduce -c as | praudit

[...]
header,486,2,edit administrative file,,fe80::a00:27ff:fea6:33cb,2013-08-12 07:45:52.306 +00:00
subject,junior,junior,staff,junior,staff,4212,4474671663,69 136704 MacBook-Pro-of-c0t0d0s0.fritz.box
path,/etc/apache2/2.2/httpd.conf
use of authorization,solaris.admin.edit//etc/apache2/2.2/httpd.conf
text,--- /etc/apache2/2.2/httpd.conf       Mo Aug 12 07:45:00 2013
+++ /etc/apache2/2.2/httpd.conf.pfedit.1BaGoi       Mo Aug 12 07:45:52 2013
@@ -1,5 +1,6 @@
 # Test
 # Test 2
+# Test 3
 #
 # This is the main Apache HTTP server configuration file.  It contains the
 # configuration directives that give the server its instructions.
return,success,0
Delegating privilege to restart services (so you can keep the root password)

junior@template:~$ svcadm refresh apache22
svcadm: svc:/network/http:apache22: Permission denied.

# svcs -a | grep apache22
online         15:30:29 svc:/network/http:apache22

# auths add -t "Apache22 value" solaris.smf.value.http.apache22
# auths add -t "Apache22 action" solaris.smf.action.http.apache22

# svccfg -s apache22 setprop general/value_authorization = astring: solaris.smf.value.http.apache22
# svccfg -s apache22 setprop general/action_authorization = astring: solaris.smf.action.http.apache22

# profiles -p "httpd edit" "add auths=solaris.smf.action.http.apache22"

junior@template:~$ svcadm refresh apache22
junior@template:~$
Privileges

$ ls -l /usr/sbin/traceroute
-r-sr-xr-x   1 root     bin        42324 Nov 21 00:09 /usr/sbin/traceroute
$ ls -l /usr/sbin/ping
-r-sr-xr-x   1 root     bin        51396 Nov 18 19:31 /usr/sbin/ping
set-uid to root: ping needs it to work

# chmod -s /sbin/ping
# exit
$ ping -s 192.168.1.132
ping: socket Permission denied
Remove the set-uid bit and ping stops working.
jmoekamp@daddelkiste:~$ ppriv $$
2153:   -bash
flags = <none>
        E: basic
        I: basic
        P: basic
        L: all

All privileges:
contract_event, contract_identity, contract_observer, cpc_cpu, dtrace_kernel, dtrace_proc, dtrace_user, file_chown, file_chown_self, file_dac_execute, file_dac_read, file_dac_search, file_dac_write, file_downgrade_sl, file_flag_set, file_link_any, file_owner, file_read, file_setid, file_upgrade_sl, file_write, graphics_access, graphics_map, ipc_dac_read, ipc_dac_write, ipc_owner, net_access, net_bindmlp, net_icmpaccess, net_mac_aware, net_mac_implicit, net_observability, net_privaddr, net_rawaccess, proc_audit, proc_chroot, proc_clock_highres, proc_exec, proc_fork, proc_info, proc_lock_memory, proc_owner, proc_priocntl, proc_session, proc_setid, proc_taskid, proc_zone, sys_acct, sys_admin, sys_audit, sys_config, sys_devices, sys_dl_config, sys_flow_config, sys_ib_config, sys_ib_info, sys_ip_config, sys_ipc_config, sys_iptun_config, sys_linkdir, sys_mount, sys_net_config, sys_nfs, sys_ppp_config, sys_res_bind, sys_res_config, sys_resource, sys_share, sys_smb, sys_suser_compat, sys_time, sys_trans_label, win_colormap, win_config, win_dac_read, win_dac_write, win_devices, win_dga, win_downgrade_sl, win_fontpath, win_mac_read, win_mac_write, win_selection, win_upgrade_sl

All privileges in their entirety assigned to one user are
(almost)

Neat extension in Solaris 11: the ability to use networking (net_access) is now a privilege. It's part of the default set of privileges, but you can remove it.
jmoekamp@daddelkiste:~$ ppriv -v $$
2153:   -bash
flags = <none>
        E: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
        I: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
        P: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
        L: contract_event,contract_identity,contract_observer,cpc_cpu,dtrace_kernel,dtrace_proc,dtrace_user,file_chown,file_chown_self,file_dac_execute,file_dac_read,file_dac_search,file_dac_write,file_downgrade_sl,file_flag_set,file_link_any,file_owner,file_read,file_setid,file_upgrade_sl,file_write,graphics_access,graphics_map,ipc_dac_read,ipc_dac_write,ipc_owner,net_access,net_bindmlp,net_icmpaccess,net_mac_aware,net_mac_implicit,net_observability,net_privaddr,net_rawaccess,proc_audit,proc_chroot,proc_clock_highres,proc_exec,proc_fork,proc_info,proc_lock_memory,proc_owner,proc_priocntl,proc_session,proc_setid,proc_taskid,proc_zone,sys_acct,sys_admin,sys_audit,sys_config,sys_devices,sys_dl_config,sys_flow_config,sys_ib_config,sys_ib_info,sys_ip_config,sys_ipc_config,sys_iptun_config,sys_linkdir,sys_mount,sys_net_config,sys_nfs,sys_ppp_config,sys_res_bind,sys_res_config,sys_resource,sys_share,sys_smb,sys_suser_compat,sys_time,sys_trans_label,win_colormap,win_config,win_dac_read,win_dac_write,win_devices,win_dga,win_downgrade_sl,win_fontpath,win_mac_read,win_mac_write,win_selection,win_upgrade_sl

root@daddelkiste:~# ppriv $$
2183:   -bash
flags = <none>
        E: all
        I: basic
        P: all
        L: all

junior@daddelkiste:~$ dtrace -n 'syscall:::entry { @num[execname] = count(); }'
dtrace: failed to initialize dtrace: DTrace requires additional privileges

root@daddelkiste:~# usermod -K defaultpriv=basic,dtrace_kernel,dtrace_proc,dtrace_user junior
UX: usermod: junior is currently logged in, some changes may not take effect until next login.

junior@daddelkiste:~$ dtrace -n 'syscall:::entry { @num[execname] = count(); }'
dtrace: description 'syscall:::entry' matched 211 probes
^C

  automountd                                                        1
  sshd                                                             24
  dtrace                                                          544
  auditd                                                          564
# ps -ef | grep kcfd
  daemon   125     1   0 14:24:19 ?           0:00 /usr/lib/crypto/kcfd
    root   734   728   0 15:54:08 pts/1       0:00 grep kcfd
# ppriv -v 125
125:    /usr/lib/crypto/kcfd
flags = PRIV_AWARE
        E: file_owner,proc_priocntl,sys_devices
        I: none
        P: file_owner,proc_priocntl,sys_devices
        L: none

# svcadm -v enable -s apache2
svc:/network/http:apache2 enabled.

jmoekamp@client:~$ ps -ef | grep http
webservd  1978  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1979  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1980  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1984  1975   0 12:20:02 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
    root  1975     1   0 12:19:14 ?           0:01 /usr/apache2/2.2/bin/httpd -k start
webservd  1977  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1976  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start

root@client:~# ppriv 1977
1977:   /usr/apache2/2.2/bin/httpd -k start
flags = <none>
        E: basic
        I: basic
        P: basic
        L: all
root@client:~# ppriv 1975
1975:   /usr/apache2/2.2/bin/httpd -k start
flags = <none>
        E: all
        I: basic
        P: all
        L: all
root@client:~#
contract_eventcontract_identitycontract_observercpc_cpudtrace_kerneldtrace_procdtrace_userfile_chownfile_chown_selffile_dac_executefile_dac_readfile_dac_searchfile_dac_writefile_downgrade_slfile_flag_setfile_link_anyfile_ownerfile_readfile_setidfile_upgrade_slfile_writegraphics_accessgraphics_mapipc_dac_readipc_dac_writeipc_ownernet_accessnet_bindmlpnet_icmpaccessnet_mac_awarenet_mac_implicitnet_observabilitynet_privaddrnet_rawaccessproc_auditproc_chrootproc_clock_highresproc_execproc_forkproc_infoproc_lock_memoryproc_ownerproc_priocntlproc_sessionproc_setidproc_taskidproc_zonesys_acctsys_adminsys_auditsys_configsys_devicessys_dl_configsys_flow_configsys_ib_configsys_ib_infosys_ip_configsys_ipc_configsys_iptun_configsys_linkdirsys_mountsys_net_configsys_nfssys_ppp_configsys_res_bindsys_res_configsys_resourcesys_sharesys_smbsys_suser_compatsys_timesys_trans_labelwin_colormapwin_configwin_dac_readwin_dac_writewin_deviceswin_dgawin_downgrade_slwin_fontpathwin_mac_readwin_mac_writewin_selectionwin_upgrade_sl
The apache process as root has the following privileges
c0t0d0s0org66
contract_eventcontract_identitycontract_observercpc_cpudtrace_kerneldtrace_procdtrace_userfile_chownfile_chown_selffile_dac_executefile_dac_readfile_dac_searchfile_dac_writefile_downgrade_slfile_flag_setfile_link_anyfile_ownerfile_readfile_setidfile_upgrade_slfile_writegraphics_accessgraphics_mapipc_dac_readipc_dac_writeipc_ownernet_accessnet_bindmlpnet_icmpaccessnet_mac_awarenet_mac_implicitnet_observabilitynet_privaddrnet_rawaccessproc_auditproc_chrootproc_clock_highresproc_execproc_forkproc_infoproc_lock_memoryproc_ownerproc_priocntlproc_sessionproc_setidproc_taskidproc_zonesys_acctsys_adminsys_auditsys_configsys_devicessys_dl_configsys_flow_configsys_ib_configsys_ib_infosys_ip_configsys_ipc_configsys_iptun_configsys_linkdirsys_mountsys_net_configsys_nfssys_ppp_configsys_res_bindsys_res_configsys_resourcesys_sharesys_smbsys_suser_compatsys_timesys_trans_labelwin_colormapwin_configwin_dac_readwin_dac_writewin_deviceswin_dgawin_downgrade_slwin_fontpathwin_mac_readwin_mac_writewin_selectionwin_upgrade_sl
The other processes have the following privileges
c0t0d0s0org67
contract_eventcontract_identitycontract_observercpc_cpudtrace_kerneldtrace_procdtrace_userfile_chownfile_chown_selffile_dac_executefile_dac_readfile_dac_searchfile_dac_writefile_downgrade_slfile_flag_setfile_link_anyfile_ownerfile_readfile_setidfile_upgrade_slfile_writegraphics_accessgraphics_mapipc_dac_readipc_dac_writeipc_ownernet_accessnet_bindmlpnet_icmpaccessnet_mac_awarenet_mac_implicitnet_observabilitynet_privaddrnet_rawaccessproc_auditproc_chrootproc_clock_highresproc_execproc_forkproc_infoproc_lock_memoryproc_ownerproc_priocntlproc_sessionproc_setidproc_taskidproc_zonesys_acctsys_adminsys_auditsys_configsys_devicessys_dl_configsys_flow_configsys_ib_configsys_ib_infosys_ip_configsys_ipc_configsys_iptun_configsys_linkdirsys_mountsys_net_configsys_nfssys_ppp_configsys_res_bindsys_res_configsys_resourcesys_sharesys_smbsys_suser_compatsys_timesys_trans_labelwin_colormapwin_configwin_dac_readwin_dac_writewin_deviceswin_dgawin_downgrade_slwin_fontpathwin_mac_readwin_mac_writewin_selectionwin_upgrade_sl
Apache really needs only a small subset of that list.

So you grant a large number of privileges to one process that Apache doesn't need.
# svcadm -v disable -s apache2
svc:/network/http:apache2 disabled.

root@client:~# svccfg -s apache22
svc:/network/http:apache22> setprop start/user = astring: webservd
svc:/network/http:apache22> setprop start/group = astring: webservd
svc:/network/http:apache22> setprop start/privileges = astring: basic,proc_session,proc_info,file_link_any,net_privaddr
svc:/network/http:apache22> setprop start/limit_privileges = astring: :default
svc:/network/http:apache22> setprop start/use_profile = boolean: false
svc:/network/http:apache22> setprop start/supp_groups = astring: :default
svc:/network/http:apache22> setprop start/working_directory = astring: :default
svc:/network/http:apache22> setprop start/project = astring: :default
svc:/network/http:apache22> setprop start/resource_pool = astring: :default
svc:/network/http:apache22> end
root@client:~# svcadm -v refresh apache22
Action refresh set for svc:/network/http:apache22.

# echo "LockFile /var/apache2/2.2/logs/accept.lock" >> /etc/apache2/2.2/httpd.conf
# echo "PidFile /var/apache2/2.2/run/httpd.pid" >> /etc/apache2/2.2/httpd.conf
# mkdir -p -m 755 /var/apache2/2.2/run
# chown webservd:webservd /var/apache2/2.2/run
# svcadm enable apache22

webservd  3064  3061  0 16:49:18 ?  0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3062  3061  0 16:49:18 ?  0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3063  3061  0 16:49:18 ?  0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3066  3061  0 16:49:18 ?  0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3061     1  0 16:49:17 ?  0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3065  3061  0 16:49:18 ?  0:00 /usr/apache2/2.2/bin/httpd -k start
Read-only zone root

zonecfg:testzone> set file-mac-profile=none
    Standard read-write non-global zone with no additional protection beyond the existing zones boundaries.
zonecfg:testzone> set file-mac-profile=strict
    Read-only file system, no exceptions.
zonecfg:testzone> set file-mac-profile=fixed-configuration
    Permits updates to /var/* directories, with the exception of directories that contain system configuration components.
zonecfg:testzone> set file-mac-profile=flexible-configuration
    Permits modification of files in /etc/* directories, changes to root's home directory, and updates to /var/* directories. This configuration provides the closest functionality to the Oracle Solaris 10 native sparse root zone.
in-kernel SSL Proxy

# mkdir /etc/keys
# cd /etc/keys
# openssl req -x509 -nodes -days 365 -subj "/C=DE/ST=Hamburg/L=Hamburg/CN=server" -newkey rsa:1024 -keyout /etc/keys/mykey.pem -out /etc/keys/mycert.pem
# cat mycert.pem mykey.pem > my.pem
# chmod 600 my.pem

# echo "pass" > /etc/keys/mypass
# ksslcfg create -f pem -i /etc/keys/my.pem -x 8080 -p /etc/keys/mypass server 443

# ksslcfg create -f pem -i /etc/keys/my.pem -x 8080 -p /etc/keys/mypass -c rsa_aes_256_cbc_sha,rsa_aes_128_cbc_sha,rsa_rc4_128_sha,rsa_rc4_128_md5 server 443

# svcs -a | grep kssl
online          9:03:33 svc:/network/ssl/proxy:kssl-server-443

# svcadm disable apache22
# echo "Listen 192.168.178.108:8080" >> /etc/apache2/2.2/httpd.conf
# svcadm enable apache22
Port number and IP address have to be defined in httpd.conf, otherwise it will not work.

# openssl s_client -connect server:443
CONNECTED(00000004)
depth=0 /C=DE/ST=Hamburg/L=Hamburg/CN=server
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=DE/ST=Hamburg/L=Hamburg/CN=server
verify return:1
---
Certificate chain
 0 s:/C=DE/ST=Hamburg/L=Hamburg/CN=server
   i:/C=DE/ST=Hamburg/L=Hamburg/CN=server
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICoTCCAgqgAwIBAgIJAKyJdj[...]V5jX3MU=
-----END CERTIFICATE-----
subject=/C=DE/ST=Hamburg/L=Hamburg/CN=server
issuer=/C=DE/ST=Hamburg/L=Hamburg/CN=server
---
No client certificate CA names sent
---
SSL handshake has read 817 bytes and written 328 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-SHA
    Session-ID: 32CEF20CB9FE2A71C74D40BB2DB5CB304DA1B57540B7CFDD113915B99DBE9812
    Session-ID-ctx:
    Master-Key: 1E7B502390951124779C5763B5E4BBAF0A9B0693D08DCA8A587B503A5C5027B6FAD9CA7626B1AD8C62219E8502A5C21E
    Key-Arg   : None
    Start Time: 1242985143
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
GET / HTTP/1.0

HTTP/1.1 200 OK
Date: Fri, 22 May 2009 09:39:13 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8a DAV/2
Last-Modified: Thu, 21 May 2009 21:26:30 GMT
ETag: "341f3-2c-46a72cc211a8f"
Accept-Ranges: bytes
Content-Length: 44
Connection: close
Content-Type: text/html

<html><body><h1>It works!</h1></body></html>
read:errno=0
ZFS Encryption

# zfs create -o encryption=on rpool/export/project

Two keys are involved:
- wrapping key (user settable)
- encryption key (random, not user settable)
The wrapping key can come from: prompt, file://, https://, pkcs11:

Supported ciphers: aes-128-ccm (=on), aes-192-ccm, aes-256-ccm, aes-128-gcm, aes-192-gcm, aes-256-gcm

If encryption is anything but off, something like an automatic
    zfs set checksum=sha256+mac <dataset>
occurs; this property is read-only from then on.

# pktool genkey keystore=pkcs11 keytype=aes keylen=128 label=mykey
Enter PIN for Sun Software PKCS#11 softtoken:
# zfs create -o encryption=on -o keysource=raw,pkcs11:object=mykey tank/project/C
Enter PKCS#11 token PIN for 'tank/project/C':

# zfs create -o encryption=on -o keysource=raw,https://keys.example.com/mykey tank/project/R
# cp myserver.cert.pem /etc/certs/CA
# svcadm refresh ca-certificates

Changing the wrapping key:
$ zfs key -c rpool/export/project
Enter new passphrase for 'rpool/export/project':

Changing the encryption key for data written from now on:
# zfs key -K tank/project/A
# zfs clone -K tank/project/A@montag tank/project/D
zfs clone -K creates a new data encryption key: data written in the clone uses the new data encryption key, which is distinct from its original snapshot.
Solaris Cryptographic Framework

As soon as Solaris detects hardware acceleration for cryptography, Solaris will use it (and so do applications using the Oracle-supplied OpenSSL library or the direct interfaces):
• on-chip crypto accelerator in T and current M series chips
• instruction set extensions in Intel processors (AES-NI)
• supported crypto accelerator cards

Just a side note: T-series crypto acceleration and Intel x86 acceleration have pretty different performance characteristics.
T-Series: acceleration by offloading crypto outside the pipeline.
Intel x86: acceleration by offering special in-pipeline instructions to accelerate execution.
Sounds like splitting hairs.
Using ZFS to do two-factor encryption

jmoekamp@solaris:~$ rmformat
Looking for devices...
     1. Logical Node: /dev/rdsk/c10t0d0p0
        Physical Node: /pci@0,0/pci8086,265c@b/storage@2/disk@0,0
        Connected Device: SanDisk  U3 Cruzer Micro 8.02
        Device Type: Removable
        Bus: USB
        Size: 3.8 GB
        Label: <None>
        Access permissions: Medium is not write protected.
(...)
     3. Logical Node: /dev/rdsk/c9t0d0p0
        Physical Node: /pci@0,0/pci8086,265c@b/storage@1/disk@0,0
        Connected Device: SanDisk  U3 Cruzer Micro 8.02
        Device Type: Removable
        Bus: USB
        Size: 3.8 GB
        Label: <None>
        Access permissions: Medium is not write protected.

root@solaris:~# zpool create a_keystore_usbstick /dev/dsk/c10t0d0p0
root@solaris:~# zpool create datastick /dev/dsk/c9t0d0p0

root@solaris:~# zfs create -o encryption=on a_keystore_usbstick/keys
Enter passphrase for 'a_keystore_usbstick/keys': supersecret
Enter again: supersecret

root@solaris:~# pktool genkey keystore=file keytype=aes keylen=128 outkey=/a_keystore_usbstick/keys/joergsdatastick.key

root@solaris:~# zfs create -o encryption=on -o keysource=raw,file:///a_keystore_usbstick/keys/joergsdatastick.key datastick/joergssecrets

root@solaris:/datastick/joergssecrets# mv /home/jmoekamp/highlyconfidential_nda_presos.tgz .

root@solaris:~# zpool export a_keystore_usbstick
root@solaris:~# zpool export datastick

root@solaris:~# zpool import a_keystore_usbstick
Enter passphrase for 'a_keystore_usbstick/keys': supersecret
root@solaris:~#

root@solaris:~# zpool import datastick
root@solaris:~# cd /datastick/joergssecrets
root@solaris:/datastick/joergssecrets# ls
highconfidential_nda_presos.tgz
Basic Auditing and Reporting Tool

# mkdir /bart-files
# bart create -R /etc > /bart-files/etc.control.manifest

# cat etc.control.manifest | grep nsswitch.nisplus
/nsswitch.nisplus F 2525 100644 user::rw-,group::r--,mask:r--,other:r-- 473976b5 0 3 79e8fd689a5221d1cd059e5077da71b8

# touch /etc/thisisjustatest
# chmod 777 /etc/nsswitch.files
# echo "just a test" >> /etc/nsswitch.nisplus

# bart create -R /etc > /bart-files/etc.check.20130911.manifest

# cd /bart-files
# bart compare etc.control.manifest etc.check.20130911.manifest
/nsswitch.files:
  mode  control:100644  test:100777
  acl  control:user::rw-,group::r--,mask:r--,other:r--  test:user::rwx,group::rwx,mask:rwx,other:rwx
/nsswitch.nisplus:
  size  control:2525  test:2538
  mtime  control:473976b5  test:47a44862
  contents  control:79e8fd689a5221d1cd059e5077da71b8  test:3f79176ec352441db11ec8a3d02ef67c
/thisisjustatest:
  add

Find more information regarding this feature at http://www.c0t0d0s0.org/archives/4069-Less-known-Solaris-features-BART.html
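The same comparison done by hand, as an added example that is neither code from the slides nor from BART: two constructed manifests in BART's line format (hashes and mtimes are sample values) are parsed and diffed the way bart compare reports mode, acl, size, mtime, contents and added or deleted files.

```python
"""Added example, not code from the slides or from BART itself: a small
re-implementation of what 'bart compare' reports, run over two constructed
manifests written in BART's line format so it runs offline.  Lines starting
with '!' or '#' are manifest header/comment lines; file entries carry
    /path TYPE SIZE MODE ACL MTIME UID GID CONTENTS
and the fields compared are the ones bart compare reports (size, mode, acl,
mtime, uid, gid, contents), plus added and deleted paths."""

FIELDS = ("type", "size", "mode", "acl", "mtime", "uid", "gid", "contents")


def parse_manifest(text):
    """Return {path: {field: value}} for the entry lines of a manifest."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line[0] in "!#":
            continue
        parts = line.split()
        # Directories and links carry fewer fields than regular files; pad
        # with None so every entry has the same keys.
        values = parts[1:] + [None] * (len(FIELDS) - len(parts[1:]))
        entries[parts[0]] = dict(zip(FIELDS, values))
    return entries


def compare(control_text, test_text):
    """Return [(path, [(field, control_value, test_value), ...])] in path order.
    Paths present in only one manifest get a single ('add'|'delete', None, None)."""
    control = parse_manifest(control_text)
    test = parse_manifest(test_text)
    report = []
    for path in sorted(set(control) | set(test)):
        if path not in control:
            report.append((path, [("add", None, None)]))
        elif path not in test:
            report.append((path, [("delete", None, None)]))
        else:
            diffs = [(f, control[path][f], test[path][f])
                     for f in FIELDS
                     if control[path][f] != test[path][f]]
            if diffs:
                report.append((path, diffs))
    return report


def format_report(report):
    """Render the report in the style bart compare prints."""
    lines = []
    for path, diffs in report:
        lines.append(path + ":")
        for field, c, t in diffs:
            if c is None and t is None:
                lines.append("  " + field)
            else:
                lines.append("  %s  control:%s  test:%s" % (field, c, t))
    return "\n".join(lines)


# Constructed manifests modelled on the /etc example on the slides
# (the hashes and mtimes are sample values, not real ones).
CONTROL = """\
! Version 1.1
! HASH MD5
# Format: fname type size mode acl mtime uid gid contents
/ D 1024 40755 user::rwx,group::r-x,mask:r-x,other:r-x 473976b5 0 3
/nsswitch.files F 1200 100644 user::rw-,group::r--,mask:r--,other:r-- 473976b5 0 3 0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f
/nsswitch.nisplus F 2525 100644 user::rw-,group::r--,mask:r--,other:r-- 473976b5 0 3 79e8fd689a5221d1cd059e5077da71b8
"""

TEST = """\
! Version 1.1
! HASH MD5
# Format: fname type size mode acl mtime uid gid contents
/ D 1024 40755 user::rwx,group::r-x,mask:r-x,other:r-x 47a44862 0 3
/nsswitch.files F 1200 100777 user::rwx,group::rwx,mask:rwx,other:rwx 473976b5 0 3 0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f
/nsswitch.nisplus F 2538 100644 user::rw-,group::r--,mask:r--,other:r-- 47a44862 0 3 3f79176ec352441db11ec8a3d02ef67c
/thisisjustatest F 0 100644 user::rw-,group::r--,mask:r--,other:r-- 47a44862 0 0 d41d8cd98f00b204e9800998ecf8427e
"""

if __name__ == "__main__":
    print(format_report(compare(CONTROL, TEST)))
```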
Apropos Auditing

Auditing is activated by default.

root@client:~# auditconfig -getflags
active user default audit flags = lo(0x1000,0x1000)
configured user default audit flags = lo(0x1000,0x1000)
root@client:~# auditconfig -getnaflags
active non-attributable audit flags = lo(0x1000,0x1000)
configured non-attributable audit flags = lo(0x1000,0x1000)

root@client:~# auditconfig -getpolicy
configured audit policies = cnt
active audit policies = cnt
Policy regarding auditing (explanation on the next slide)

root@client:~# auditconfig -lspolicy
policy string   description:
ahlt            halt machine if it can not record an async event
all             all policies
arge            include exec environment args in audit recs
argv            include exec command line args in audit recs
cnt             when no more space, drop recs and keep a cnt
group           include supplementary groups in audit recs
none            no policies
path            allow multiple paths per event
perzone         use a separate queue and auditd per zone
public          audit public files
seq             include a sequence number in audit recs
trail           include trailer token in audit recs
windata_down    include downgraded window information in audit recs
windata_up      include upgraded window information in audit recs
zonename        include zonename token in audit recs
Which degree of detail? What happens with full disks?

root@client:~# auditconfig -getplugin
Plugin: audit_binfile (active)
    Attributes: p_dir=/var/audit;p_fsize=0;p_minfree=1;

Plugin: audit_syslog (inactive)
    Attributes: p_flags=;

Plugin: audit_remote (inactive)
    Attributes: p_hosts=;p_retries=3;p_timeout=5;

root@client:~# auditconfig -setflags lo,ps,fw
user default audit flags = ps,lo,fw(0x101002,0x101002)
root@client:~# auditconfig -setnaflags lo,na
non-attributable audit flags = lo,na(0x1400,0x1400)
lo and na are the only sensible flags for non-attributable events.

root@client:~# usermod -K audit_flags=fw:as junior

root@client:~# auditconfig -lsevent | grep lo
AUE_login                6152 lo    login - local
AUE_logout               6153 lo    logout
AUE_telnet               6154 lo    login - telnet
AUE_rlogin               6155 lo    login - rlogin
AUE_rshd                 6158 lo    rsh access
AUE_su                   6159 lo    su
AUE_rexecd               6162 lo    rexecd
AUE_passwd               6163 lo    passwd
AUE_rexd                 6164 lo    rexd
AUE_ftpd                 6165 lo    ftp access
AUE_ftpd_logout          6171 lo    ftp logout
AUE_ssh                  6172 lo    login - ssh
AUE_role_login           6173 lo    role login
AUE_rad_login            6174 lo    connect to RAD
AUE_newgrp_login         6212 lo    newgrp login
AUE_admin_authenticate   6213 lo    admin login
AUE_screenlock           6221 lo    screenlock - lock
AUE_screenunlock         6222 lo    screenlock - unlock
AUE_zlogin               6227 lo    login - zlogin
AUE_su_logout            6228 lo    su logout
AUE_role_logout          6229 lo    role logout
AUE_smbd_session         6244 lo    smbd(1m) session setup
AUE_smbd_logoff          6245 lo    smbd(1m) session logoff

root@client:~# auditconfig -lsevent | grep ps
AUE_EXIT                 1    ps    exit(2)
AUE_FORKALL              2    ps    forkall(2)
AUE_VFORK                25   ps    vfork(2)
AUE_FORK1                241  ps    fork1(2)
root@client:~# auditconfig -lsevent | grep fw
AUE_OPEN_W               76   fw    open(2) - write

# auditreduce -c ps /var/audit/20130912183630.not_terminated.client | praudit
header,139,2,execve(2),,client,2013-09-12 18:40:55.924 +00:00
path,/usr/sbin/auditreduce
attribute,100555,root,bin,65538,65875,18446744073709551615
subject,jmoekamp,root,root,root,root,2054,1440080956,2480 202240 192.168.10.1
return,success,0

root@client:~# auditconfig -setflags all
user default audit flags = all(0xffffffffffffffff,0xffffffffffffffff)
Not always (in the sense of: never) a good idea.
Useful after trying it out: starting a new audit file
root@client:~# audit -n

root@client:~# auditstat
   gen  nona  kern   aud   ctl   enq  wrtn  wblk  rblk  drop   tot   mem
 38248     1 38233    14     0 37791 37788     0  3491   457  5169     0
"all" activated for a few seconds on an unloaded system.
SSH and X509

root@ca:~# CA.pl -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
......++++++
......++++++
writing new private key to '/etc/openssl/private/cakey.pem'
Enter PEM pass phrase: supersecret1
Verifying - Enter PEM pass phrase: supersecret1
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:DE
State or Province Name (full name) []:Lower Saxony
Locality Name (eg, city) []:Lueneburg
Organization Name (eg, company) []:c0t0d0s0.org
Organizational Unit Name (eg, section) []:Security Department
Common Name (eg, server FQDN or YOUR name) []:CA
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openssl/openssl.cnf
Enter pass phrase for /etc/openssl/private/cakey.pem: supersecret1
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            b3:54:80:88:66:ad:e8:78
        Validity
            Not Before: Sep 26 10:11:09 2013 GMT
            Not After : Sep 25 10:11:09 2016 GMT
        Subject:
            countryName               = DE
            stateOrProvinceName       = Lower Saxony
            organizationName          = c0t0d0s0.org
            organizationalUnitName    = Security Department
            commonName                = CA
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44
            X509v3 Authority Key Identifier:
                keyid:5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44

            X509v3 Basic Constraints:
                CA:TRUE
Certificate is to be certified until Sep 25 10:11:09 2016 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated
root@ca:~# mkdir server
root@ca:~# cd server
root@ca:~/server# CA.pl -newreq
Generating a 1024 bit RSA private key
......++++++
......++++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase: supersecret2
Verifying - Enter PEM pass phrase: supersecret2
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:DE
State or Province Name (full name) []:Lower Saxony
Locality Name (eg, city) []:Lueneburg
Organization Name (eg, company) []:c0t0d0s0.org
Organizational Unit Name (eg, section) []:Server Certificates
Common Name (eg, server FQDN or YOUR name) []:server
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem

root@ca:~/server# CA.pl -signreq
Using configuration from /etc/openssl/openssl.cnf
Enter pass phrase for /etc/openssl/private/cakey.pem: supersecret1
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            b3:54:80:88:66:ad:e8:79
        Validity
            Not Before: Sep 26 10:29:12 2013 GMT
            Not After : Sep 26 10:29:12 2014 GMT
        Subject:
            countryName               = DE
            stateOrProvinceName       = Lower Saxony
            localityName              = Lueneburg
            organizationName          = c0t0d0s0.org
            organizationalUnitName    = Server Certificates
            commonName                = server
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                A7:DC:03:DE:B3:D5:FB:F9:C0:06:F1:1A:55:A9:AD:04:C4:9C:10:FA
            X509v3 Authority Key Identifier:
                keyid:5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44

Certificate is to be certified until Sep 26 10:29:12 2014 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
root@ca:~/server# ls -l
total 15
-rw-r--r--   1 root     root        3196 Sep 26 12:29 newcert.pem
-rw-r--r--   1 root     root        1041 Sep 26 12:28 newkey.pem
-rw-r--r--   1 root     root         680 Sep 26 12:28 newreq.pem
root@ca:~/junior# CA.pl -newreq
Generating a 1024 bit RSA private key
......++++++
......++++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
Verify failure
Enter PEM pass phrase: supersecret3
Verifying - Enter PEM pass phrase: supersecret3
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:DE
State or Province Name (full name) []:Lower Saxony
Locality Name (eg, city) []:Lueneburg
Organization Name (eg, company) []:c0t0d0s0.org
Organizational Unit Name (eg, section) []:User certificates
Common Name (eg, server FQDN or YOUR name) []:junior
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem

root@ca:~/junior# CA.pl -signreq
Using configuration from /etc/openssl/openssl.cnf
Enter pass phrase for /etc/openssl/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            b3:54:80:88:66:ad:e8:7a
        Validity
            Not Before: Sep 26 11:09:29 2013 GMT
            Not After : Sep 26 11:09:29 2014 GMT
        Subject:
            countryName               = DE
            stateOrProvinceName       = Lower Saxony
            localityName              = Lueneburg
            organizationName          = c0t0d0s0.org
            organizationalUnitName    = User certificates
            commonName                = junior
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                A1:F2:FC:9D:8A:E2:AD:9A:F5:29:03:F5:B7:14:93:3C:64:62:8E:9C
            X509v3 Authority Key Identifier:
                keyid:5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44

Certificate is to be certified until Sep 26 11:09:29 2014 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
root@server:~# useradd -m junior
80 blocks
root@server:~# passwd junior
New Password:
Re-enter new Password:
passwd: password successfully changed for junior
root@server:~#

root@client:~# useradd -m junior
80 blocks
root@client:~# passwd junior
New Password:
Re-enter new Password:
passwd: password successfully changed for junior

root@server:~# echo "192.168.10.51 server" >> /etc/hosts
root@server:~# echo "192.168.10.52 client" >> /etc/hosts
root@client:~# echo "192.168.10.51 server" >> /etc/hosts
root@client:~# echo "192.168.10.52 client" >> /etc/hosts

root@ca:~/server# scp /etc/openssl/cacert.pem jmoekamp@192.168.1.109:/export/home/jmoekamp
Password:
cacert.pem           100% |*****************************|  3011       00:00
root@ca:~/server# scp newcert.pem jmoekamp@192.168.1.109:/export/home/jmoekamp
Password:
newcert.pem          100% |*****************************|  3196       00:00
root@ca:~/server# scp newkey.pem jmoekamp@192.168.1.109:/export/home/jmoekamp
Password:
newkey.pem           100% |*****************************|  1041       00:00

root@ca:~/junior# scp newkey.pem junior@client:/export/home/junior
Password:
newkey.pem           100% |*****************************|  1041       00:00
root@ca:~/junior# scp newcert.pem junior@client:/export/home/junior
Password:
newcert.pem          100% |*****************************|  3190       00:00
root@ca:~/junior# scp /etc/openssl/cacert.pem junior@192.168.1.104:/export/home/junior
Password:
cacert.pem           100% |*****************************|  3011       00:00
On the Server

root@server:~# ls
cacert.pem  newcert.pem  newkey.pem

root@server:~# pktool setpin
Enter token passphrase: changeme
Create new passphrase: superserversecret
Re-enter new passphrase: superserversecret
Passphrase changed.
root@server:~#

root@server:~# printf "superserversecret" > /etc/ssh/pinfile

root@server:~# kmfcfg create dbfile=/etc/ssh/policy.xml policy=ssh ta-name=search mapper-name=cn

root@server:~# echo "TrustedAnchorKeystore /etc/ssh/cert" >> /etc/ssh/sshd_config
root@server:~# echo "KMFPolicyDatabase /etc/ssh/policy.xml" >> /etc/ssh/sshd_config
root@server:~# echo "KMFPolicyName ssh" >> /etc/ssh/sshd_config
root@server:~# echo "HostKey pkcs11:object=host;token=Sun Metaslot;pinfile=/etc/ssh/pinfile" >> /etc/ssh/sshd_config

root@server:~# pktool import keystore=pkcs11 infile=newkey.pem objtype=key label=host
Enter PIN for Sun Software PKCS#11 softtoken: superserversecret
Enter PEM pass phrase: supersecret2
Importing 1 keys

root@server:~# egrep -v "^ |^$|^Cert" /export/home/jmoekamp/cacert.pem > /etc/ssh/cert/cacert.cooked.pem
root@server:~# egrep -v "^ |^$|^Cert" newcert.pem > newcert.cooked.pem
root@server:~# pktool import keystore=pkcs11 infile=newcert.cooked.pem objtype=cert label=host
root@server:~#
On the client

junior@client:~$ ls *.pem
cacert.pem  newcert.pem  newkey.pem

root@client:~# kmfcfg create dbfile=/etc/ssh/policy.xml policy=ssh ta-name=search mapper-name=cn
root@client:~# egrep -v "^ |^$|^Cert" /export/home/junior/cacert.pem > /etc/ssh/cert/cacert.cooked.pem

junior@client:~$ pktool setpin
Enter token passphrase: changeme
Create new passphrase: superusersecret
Re-enter new passphrase: superusersecret
Passphrase changed.

junior@client:~$ pktool import keystore=pkcs11 infile=newkey.pem objtype=key label=user
Enter PIN for Sun Software PKCS#11 softtoken: superusersecret
Enter PEM pass phrase: supersecret3
Importing 1 keys
junior@client:~$ egrep -v "^ |^$|^Cert" newcert.pem > newcert.cooked.pem
junior@client:~$ pktool import keystore=pkcs11 infile=newcert.cooked.pem objtype=cert label=user
Testing it

root@server:~# svcadm disable ssh
root@server:~# svcadm enable ssh

junior@client:~$ cd .ssh
junior@client:~/.ssh$ printf "superusersecret" >> pinfile
junior@client:~/.ssh$ cat config
Host server-x509
    Hostname server
    TrustedAnchorKeystore /etc/ssh/cert
    KMFPolicyDatabase /etc/ssh/policy.xml
    KMFPolicyName ssh
    IdentityFile pkcs11:object=user;token=Sun Software PKCS#11 softtoken;pinfile=/export/home/junior/.ssh/pinfile

junior@client:~/.ssh$ ssh junior@server-x509
Last login: Thu Sep 26 20:07:14 2013 from client
Oracle Corporation      SunOS 5.11      11.1    September 2013
junior@server:~$

Find more information regarding this feature at http://www.c0t0d0s0.org/archives/7659-Using-X509-support-for-SSH-on-Solaris-11.1.html
OpenSCAP

"The Security Content Automation Protocol (SCAP) is a method for using specific standards to enable automated vulnerability management, measurement, and policy compliance evaluation (e.g., FISMA compliance). The National Vulnerability Database (NVD) is the U.S. government content repository for SCAP."
http://en.wikipedia.org/wiki/Security_Content_Automation_Protocol
ftp-banner.xml

<?xml version="1.0" encoding="UTF-8"?>
<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:independent-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd">
  <generator>
    <oval:product_name>Enhanced SCAP Editor</oval:product_name>
    <oval:product_version>0.0.11</oval:product_version>
    <oval:schema_version>5.8</oval:schema_version>
    <oval:timestamp>2012-10-11T10:33:25</oval:timestamp>
  </generator>
  <!--generated.oval.base.identifier=com.oracle.solaris11-->
  <definitions>
    <definition id="oval:com.oracle.solaris11:def:840" version="1" class="compliance">
      <metadata>
        <title>Enable a Warning Banner for the FTP Service</title>
        <affected family="unix">
          <platform>Oracle Solaris 11</platform>
        </affected>
        <description>/etc/proftpd.conf contains DisplayConnect /etc/issue</description>
      </metadata>
      <criteria operator="AND" negate="false" comment="Single test">
        <criterion comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;" test_ref="oval:com.oracle.solaris11:tst:8400" negate="false"/>
      </criteria>
    </definition>
  </definitions>
  <tests>
    <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:com.oracle.solaris11:tst:8400" version="1" check="all" comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;" check_existence="all_exist">
      <object object_ref="oval:com.oracle.solaris11:obj:8400"/>
    </textfilecontent54_test>
  </tests>
  <objects>
    <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:com.oracle.solaris11:obj:8400" version="1" comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;">
      <path datatype="string" operation="equals">/etc</path>
      <filename datatype="string" operation="equals">proftpd.conf</filename>
      <pattern datatype="string" operation="pattern match">^DisplayConnect\s/etc/issue\s*$</pattern>
      <instance datatype="int" operation="greater than or equal">1</instance>
    </textfilecontent54_object>
  </objects>
</oval_definitions>
$ oscap oval eval ftp-banner.xml
Definition oval:com.oracle.solaris11:def:840: false
Evaluation done.

$ oscap oval eval --results results.xml --report report.html ftp-banner.xml
Definition oval:com.oracle.solaris11:def:840: false
Evaluation done.
OVAL Results are exported correctly.
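What oscap does with that definition, as an added example (not code from the slides or from OpenSCAP): a minimal interpreter for the one textfilecontent54 test in ftp-banner.xml, run against a constructed proftpd.conf under a temporary root instead of /, so it reproduces the "false" above offline and shows what makes it true.

```python
"""Added example, not code from the slides or from OpenSCAP: evaluates the
ftp-banner.xml definition above with a minimal OVAL interpreter that covers
only what that file uses (one definition, AND criteria, a textfilecontent54
test with check_existence="all_exist", an object with path/filename/pattern/
instance).  The OVAL text is the slide's definition with its metadata
trimmed; files are looked up under a caller-supplied root instead of '/'
so the check runs offline against a constructed proftpd.conf."""
import os
import re
import tempfile
import xml.etree.ElementTree as ET

NS = {"def": "http://oval.mitre.org/XMLSchema/oval-definitions-5",
      "ind": "http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"}

OVAL = r"""<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
  <definitions>
    <definition id="oval:com.oracle.solaris11:def:840" version="1" class="compliance">
      <criteria operator="AND" negate="false" comment="Single test">
        <criterion test_ref="oval:com.oracle.solaris11:tst:8400" negate="false"/>
      </criteria>
    </definition>
  </definitions>
  <tests>
    <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"
        id="oval:com.oracle.solaris11:tst:8400" version="1" check="all" check_existence="all_exist">
      <object object_ref="oval:com.oracle.solaris11:obj:8400"/>
    </textfilecontent54_test>
  </tests>
  <objects>
    <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"
        id="oval:com.oracle.solaris11:obj:8400" version="1">
      <path datatype="string" operation="equals">/etc</path>
      <filename datatype="string" operation="equals">proftpd.conf</filename>
      <pattern datatype="string" operation="pattern match">^DisplayConnect\s/etc/issue\s*$</pattern>
      <instance datatype="int" operation="greater than or equal">1</instance>
    </textfilecontent54_object>
  </objects>
</oval_definitions>
"""


def collect_items(obj, root):
    """Return the matches of the object's pattern in root+path/filename,
    filtered by the 'instance' selector (1 = first match, and so on)."""
    path = obj.find("ind:path", NS).text
    filename = obj.find("ind:filename", NS).text
    pattern = re.compile(obj.find("ind:pattern", NS).text, re.MULTILINE)
    inst = obj.find("ind:instance", NS)
    want, op = int(inst.text), inst.get("operation", "equals")
    full = os.path.join(root, path.lstrip("/"), filename)
    if not os.path.isfile(full):
        return []          # the object does not exist -> no items collected
    with open(full) as fh:
        matches = pattern.findall(fh.read())
    keep = {"equals": lambda n: n == want,
            "greater than or equal": lambda n: n >= want}[op]
    return [m for n, m in enumerate(matches, 1) if keep(n)]


def evaluate_test(test, objects, root):
    """A test without a state passes or fails on its existence check alone."""
    obj = objects[test.find("ind:object", NS).get("object_ref")]
    items = collect_items(obj, root)
    existence = test.get("check_existence", "at_least_one_exists")
    if existence in ("all_exist", "at_least_one_exists"):
        return len(items) > 0
    if existence == "none_exist":
        return len(items) == 0
    raise ValueError("unsupported check_existence " + existence)


def evaluate(oval_xml, root="/"):
    """Return {definition id: True/False}, the verdict 'oscap oval eval' prints."""
    doc = ET.fromstring(oval_xml)
    tests = {t.get("id"): t for t in doc.find("def:tests", NS)}
    objects = {o.get("id"): o for o in doc.find("def:objects", NS)}
    results = {}
    for d in doc.find("def:definitions", NS):
        crit = d.find("def:criteria", NS)
        vals = []
        for c in crit.findall("def:criterion", NS):
            v = evaluate_test(tests[c.get("test_ref")], objects, root)
            vals.append(not v if c.get("negate") == "true" else v)
        res = all(vals) if crit.get("operator", "AND") == "AND" else any(vals)
        results[d.get("id")] = not res if crit.get("negate") == "true" else res
    return results


def check_proftpd_conf(conf_text):
    """Evaluate def:840 against a constructed /etc/proftpd.conf holding conf_text."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        with open(os.path.join(root, "etc", "proftpd.conf"), "w") as fh:
            fh.write(conf_text)
        return evaluate(OVAL, root)["oval:com.oracle.solaris11:def:840"]


if __name__ == "__main__":
    # Same verdict as the slide: a config without the banner line -> False.
    print(check_proftpd_conf('ServerName "ProFTPD Default Installation"\n'))
    print(check_proftpd_conf("DisplayConnect /etc/issue\n"))
```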
To create your own OVAL files: Enhanced SCAP Content Editor

Find more information regarding this feature at https://blogs.oracle.com/darren/entry/compliance_reporting_with_scap
root@solaris:~# ppriv $(pgrep mysql)
103697: /usr/mysql/5.1/bin/mysqld --basedir=/usr/mysql/5.1 --datadir=/var/mysq
flags = PRIV_XPOLICY
        Extended policies:
                net_privaddr:3306/tcp
                file_write:/var/mysql/5.1/data/*
                file_write:/tmp/mysql.sock
                file_write:/var/tmp/ib*
        E: basic,!file_write
        I: basic,!file_write
        P: basic,!file_write
        L: all
103609: /bin/sh /usr/mysql/5.1/bin/mysqld_safe --user=mysql --datadir=/var/mys
flags = PRIV_XPOLICY
        Extended policies:
                net_privaddr:3306/tcp
                file_write:/var/mysql/5.1/data/*
                file_write:/tmp/mysql.sock
                file_write:/var/tmp/ib*
        E: basic,!file_write
        I: basic,!file_write
        P: basic,!file_write
        L: all

Find more information regarding this feature at https://blogs.oracle.com/gfaden/entry/oracle_solaris_extended_policy_and
Passwords

root@client:/etc/security# cat /etc/security/crypt.conf
#
# Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
#ident  "%Z%%M% %I%     %E% SMI"
#
# The algorithm name __unix__ is reserved.

1       crypt_bsdmd5.so.1
2a      crypt_bsdbf.so.1
md5     crypt_sunmd5.so.1
5       crypt_sha256.so.1
6       crypt_sha512.so.1

root@client:/etc/security# cat /etc/security/policy.conf | egrep ^CRYPT_DEFAULT
CRYPT_DEFAULT=5
root@client:/etc/security# cat /etc/shadow | grep junior
junior:$5$4aKvDFqA$2kL8GpuXjrdf8XpanqhylEP5lDhy1DF5uo1ZYx74f3:15929:1440:::::

root@client:/etc/security# cat /etc/default/passwd | grep -v "^# " | egrep -v "^$|^#$"
#ident  "%Z%%M% %I%     %E% SMI"
MAXWEEKS=
MINWEEKS=
PASSLENGTH=6
NAMECHECK=NO
HISTORY=0
MINDIFF=3
MINALPHA=2
MINNONALPHA=1
MINUPPER=0
MINLOWER=0
MAXREPEATS=0
MINSPECIAL=0
MINDIGIT=0
WHITESPACE=YES
DICTIONLIST=
DICTIONDBDIR=/var/passwd

root@client:~# mkpwdict -s /usr/share/lib/dict/words
mkpwdict: using default database location: /var/passwd.
or
root@client:~# mkpwdict -s /usr/share/lib/dict/words -d /var/passwd
Address Space Layout Randomization

root@solaris:~# sxadm exec -s aslr=disable /usr/bin/pmap self
1914:   /usr/bin/pmap self
0000000000400000         28K r-x--  /usr/bin/pmap
0000000000417000          4K rw---  /usr/bin/pmap
0000000000418000         40K rw---    [ heap ]
FFFF80FFBDDD0000        216K r-x--  /lib/amd64/libproc.so.1
FFFF80FFBDE16000          8K rw---  /lib/amd64/libproc.so.1
FFFF80FFBF430000       1764K r-x--  /lib/amd64/libc.so.1
FFFF80FFBF5F9000         64K rw---  /lib/amd64/libc.so.1
FFFF80FFBF609000         12K rw---  /lib/amd64/libc.so.1
FFFF80FFBF740000          4K rw---    [ anon ]
FFFF80FFBF750000         24K rwx--    [ anon ]
FFFF80FFBF760000          4K rw---    [ anon ]
FFFF80FFBF770000          4K rw---    [ anon ]
FFFF80FFBF780000          4K rw---    [ anon ]
FFFF80FFBF790000          4K rw---    [ anon ]
FFFF80FFBF792000          4K r--s-    [ anon ]
FFFF80FFBF795000        340K r-x--  /lib/amd64/ld.so.1
FFFF80FFBF7FA000         12K rwx--  /lib/amd64/ld.so.1
FFFF80FFBF7FD000          8K rwx--  /lib/amd64/ld.so.1
FFFF80FFBFFFD000         12K rw---    [ stack ]
 total                 2556K

root@solaris:~# sxadm exec -s aslr=disable /usr/bin/pmap self
1915:   /usr/bin/pmap self
0000000000400000         28K r-x--  /usr/bin/pmap
0000000000417000          4K rw---  /usr/bin/pmap
0000000000418000         40K rw---    [ heap ]
FFFF80FFBDDD0000        216K r-x--  /lib/amd64/libproc.so.1
FFFF80FFBDE16000          8K rw---  /lib/amd64/libproc.so.1
FFFF80FFBF430000       1764K r-x--  /lib/amd64/libc.so.1
FFFF80FFBF5F9000         64K rw---  /lib/amd64/libc.so.1
FFFF80FFBF609000         12K rw---  /lib/amd64/libc.so.1
FFFF80FFBF740000          4K rw---    [ anon ]
FFFF80FFBF750000         24K rwx--    [ anon ]
FFFF80FFBF760000          4K rw---    [ anon ]
FFFF80FFBF770000          4K rw---    [ anon ]
FFFF80FFBF780000          4K rw---    [ anon ]
FFFF80FFBF790000          4K rw---    [ anon ]
FFFF80FFBF792000          4K r--s-    [ anon ]
FFFF80FFBF795000        340K r-x--  /lib/amd64/ld.so.1
FFFF80FFBF7FA000         12K rwx--  /lib/amd64/ld.so.1
FFFF80FFBF7FD000          8K rwx--  /lib/amd64/ld.so.1
FFFF80FFBFFFD000         12K rw---    [ stack ]
 total                 2556K

root@solaris:~# sxadm exec -s aslr=enable /usr/bin/pmap self
1917:   /usr/bin/pmap self
0000000000400000         28K r-x--  /usr/bin/pmap
0000000000417000          4K rw---  /usr/bin/pmap
0000000000418000          8K rw---  /usr/bin/pmap
00000005D6666000         36K rw---    [ heap ]
00007FF669C70000        216K r-x--  /lib/amd64/libproc.so.1
00007FF669CB6000          8K rw---  /lib/amd64/libproc.so.1
00007FF669CC0000          4K rw---    [ anon ]
00007FF669CD0000         24K rwx--    [ anon ]
00007FF669CE0000          4K rw---    [ anon ]
00007FF669CF0000       1764K r-x--  /lib/amd64/libc.so.1
00007FF669EB9000         64K rw---  /lib/amd64/libc.so.1
00007FF669EC9000         12K rw---  /lib/amd64/libc.so.1
00007FF669ED0000          4K rw---    [ anon ]
00007FF669EE0000          4K rw---    [ anon ]
00007FF669EF0000          4K rw---    [ anon ]
00007FF669EF2000          4K r--s-    [ anon ]
00007FF669EFC000        340K r-x--  /lib/amd64/ld.so.1
00007FF669F61000         12K rwx--  /lib/amd64/ld.so.1
00007FF669F64000          8K rwx--  /lib/amd64/ld.so.1
FFFF80DDA254F000         16K rw---    [ stack ]
 total                 2564K

root@solaris:~# sxadm exec -s aslr=enable /usr/bin/pmap self
1918:   /usr/bin/pmap self
0000000000400000         28K r-x--  /usr/bin/pmap
0000000000417000          4K rw---  /usr/bin/pmap
0000000000418000          8K rw---  /usr/bin/pmap
000000065B76D000         36K rw---    [ heap ]
00007FFAACFC0000        216K r-x--  /lib/amd64/libproc.so.1
00007FFAAD006000          8K rw---  /lib/amd64/libproc.so.1
00007FFAAD010000          4K rw---    [ anon ]
00007FFAAD020000         24K rwx--    [ anon ]
00007FFAAD030000          4K rw---    [ anon ]
00007FFAAD040000       1764K r-x--  /lib/amd64/libc.so.1
00007FFAAD209000         64K rw---  /lib/amd64/libc.so.1
00007FFAAD219000         12K rw---  /lib/amd64/libc.so.1
00007FFAAD220000          4K rw---    [ anon ]
00007FFAAD230000          4K rw---    [ anon ]
00007FFAAD240000          4K rw---    [ anon ]
00007FFAAD242000          4K r--s-    [ anon ]
00007FFAAD24D000        340K r-x--  /lib/amd64/ld.so.1
00007FFAAD2B2000         12K rwx--  /lib/amd64/ld.so.1
00007FFAAD2B5000          8K rwx--  /lib/amd64/ld.so.1
FFFF80DE1559E000         12K rw---    [ stack ]
c0t0d0s0org28
rootsolaris sxadm infoEXTENSION STATUS CONFIGURATIONaslr enabled (tagged-files) system default (default)
rootsolaris elfdump -d usrbinpmap | grep ASLR [33] SUNW_ASLR 0x2 ENABLE
rootsolaris elfedit -e dynsunw_aslr disable usrbinpmap
rootsolaris elfdump -d usrbinpmap | grep ASLR [33] SUNW_ASLR 0x1 DISABLE
c0t0d0s0org29
rootsolaris sxadm enable -c model=all aslrrootsolaris sxadm infoEXTENSION STATUS CONFIGURATIONaslr enabled (all) enabled (all)
rootsolaris sxadm disable aslrrootsolaris sxadm infoEXTENSION STATUS CONFIGURATIONaslr disabled disabled
rootsolaris sxadm enable -c model=tagged-files aslrrootsolaris sxadm infoEXTENSION STATUS CONFIGURATIONaslr enabled (tagged-files) enabled (tagged-files)
c0t0d0s0org30
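The four pmap runs above make the point by eye: with aslr=disable both runs map heap, libraries and stack at identical addresses, with aslr=enable they move. The following is an added example, not code from the slides, that turns that comparison into a check a hardening review can run on any two pmap outputs of the same binary. The sample input is constructed from excerpts of the two aslr=enable runs shown above; the regular expression assumes the column layout pmap printed on those slides (start address, size in K, five permission characters, mapping name).

```python
"""Compare two pmap(1) runs of one binary and report which mappings moved.

Added example, not part of the original slides. parse_pmap() reads the
text layout pmap printed above; randomized_mappings() lists the objects
whose base address differs between runs; aslr_effective() applies the
rule a reviewer cares about: heap, stack and at least one shared library
must move. The binary's own text segment stays at 0x400000 in both
enabled runs on the slides, so it is deliberately not part of the rule.
"""
import re

PMAP_LINE = re.compile(r"^([0-9A-Fa-f]{16})\s+(\d+)K\s+([rwxs-]{5})\s+(.+?)\s*$")

# Constructed sample: excerpt of the first aslr=enable run (pid 1917) above.
RUN_1 = """\
1917:   /usr/bin/pmap self
0000000000400000      28K r-x--  /usr/bin/pmap
00000005D6666000      36K rw---    [ heap ]
00007FF669CF0000    1764K r-x--  /lib/amd64/libc.so.1
00007FF669EFC000     340K r-x--  /lib/amd64/ld.so.1
FFFF80DDA254F000      16K rw---    [ stack ]
        total       2564K
"""

# Constructed sample: excerpt of the second aslr=enable run (pid 1918) above.
RUN_2 = """\
1918:   /usr/bin/pmap self
0000000000400000      28K r-x--  /usr/bin/pmap
000000065B76D000      36K rw---    [ heap ]
00007FFAAD040000    1764K r-x--  /lib/amd64/libc.so.1
00007FFAAD24D000     340K r-x--  /lib/amd64/ld.so.1
FFFF80DE1559E000      12K rw---    [ stack ]
"""


def parse_pmap(text):
    """Return {(name, perms, ordinal): start_address} for each mapping line.

    The ordinal tells apart repeated segments of one object (libc.so.1 has
    several), so every segment is compared to its own counterpart.
    """
    mappings, seen = {}, {}
    for line in text.splitlines():
        m = PMAP_LINE.match(line)
        if not m:
            continue  # pid header line and the "total" line
        start, _size, perms, name = m.groups()
        seen[(name, perms)] = seen.get((name, perms), 0) + 1
        mappings[(name, perms, seen[(name, perms)])] = int(start, 16)
    return mappings


def randomized_mappings(run_a, run_b):
    """Sorted names of the mappings whose base address differs between the runs."""
    a, b = parse_pmap(run_a), parse_pmap(run_b)
    return sorted({key[0] for key, addr in a.items() if key in b and b[key] != addr})


def aslr_effective(run_a, run_b):
    """True when heap, stack and at least one shared library all moved."""
    moved = set(randomized_mappings(run_a, run_b))
    return {"[ heap ]", "[ stack ]"} <= moved and any(n.endswith(".so.1") for n in moved)


if __name__ == "__main__":
    print("moved:", randomized_mappings(RUN_1, RUN_2))
    print("ASLR effective:", aslr_effective(RUN_1, RUN_2))
```

Feeding it the two aslr=disable runs instead returns an empty list, which is exactly the signal that a binary tagged DISABLE (or a system with the extension switched off) produces.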
pfedit

root@template:/etc/apache2/2.2# profiles -p "httpd edit"
profiles:httpd edit> set auths=solaris.admin.edit//etc/apache2/2.2/httpd.conf
profiles:httpd edit> set desc="Edit httpd"
profiles:httpd edit> exit

root@template:/etc/apache2/2.2# usermod -P +"httpd edit" junior

junior@template:~$ profiles
httpd edit
Basic Solaris User
All

junior@template:~$ vi /etc/apache2/2.2/httpd.conf

junior@template:~$ pfedit /etc/apache2/2.2/httpd.conf
pfedit: /etc/apache2/2.2/httpd.conf has been updated.

junior@template:~$ pfedit /etc/apache2/2.2/mime.types
pfedit: User junior is not authorized to edit the file /etc/apache2/2.2/mime.types

root@template:/etc/apache2/2.2# profiles -p "httpd edit"
profiles:httpd edit> info
        name=httpd edit
        desc=Edit httpd
        auths=solaris.admin.edit//etc/apache2/2.2/httpd.conf
profiles:httpd edit> add auths=solaris.admin.edit//etc/apache2/2.2/mime.types

junior@template:~$ pfedit /etc/apache2/2.2/mime.types
pfedit: no changes for /etc/apache2/2.2/mime.types

root@template:~# profiles -p "httpd configure"
profiles:httpd configure> add always_audit=as
profiles:httpd configure> info
        name=httpd configure
        desc=Configure httpd
        auths=solaris.admin.edit//etc/apache2/2.2/httpd.conf,solaris.admin.edit//etc/apache2/2.2/mime.types
        always_audit=as
        never_audit=no
profiles:httpd configure> exit
root@template:~#

root@template:~# auditreduce -c as | praudit

[...]
header,486,2,edit administrative file,,fe80::a00:27ff:fea6:33cb,2013-08-12 07:45:52.306 +00:00
subject,junior,junior,staff,junior,staff,4212,4474671663,69 136704 MacBook-Pro-of-c0t0d0s0.fritz.box
path,/etc/apache2/2.2/httpd.conf
use of authorization,solaris.admin.edit//etc/apache2/2.2/httpd.conf
text,--- /etc/apache2/2.2/httpd.conf  Mo Aug 12 07:45:00 2013
+++ /etc/apache2/2.2/httpd.conf.pfedit.1BaGoi  Mo Aug 12 07:45:52 2013
@@ -1,5 +1,6 @@
 # Test
 # Test 2
+# Test 3
 #
 # This is the main Apache HTTP server configuration file.  It contains the
 # configuration directives that give the server its instructions.
return,success,0
Delegating privilege to restart services (so you can keep the root password)

junior@template:~$ svcadm refresh apache22
svcadm: svc:/network/http:apache22: Permission denied.

# svcs -a | grep apache22
online         15:30:29 svc:/network/http:apache22

# auths add -t "Apache22 value" solaris.smf.value.http.apache22
# auths add -t "Apache22 action" solaris.smf.action.http.apache22

# svccfg -s apache22 setprop general/value_authorization = astring: solaris.smf.value.http.apache22
# svccfg -s apache22 setprop general/action_authorization = astring: solaris.smf.action.http.apache22

# profiles -p "httpd edit" add auths=solaris.smf.action.http.apache22

junior@template:~$ svcadm refresh apache22
junior@template:~$
Privileges

$ ls -l /usr/sbin/traceroute
-r-sr-xr-x   1 root     bin        42324 Nov 21 00:09 /usr/sbin/traceroute
$ ls -l /usr/sbin/ping
-r-sr-xr-x   1 root     bin        51396 Nov 18 19:31 /usr/sbin/ping
Set-uid to root: ping needs it to work.

# chmod -s /sbin/ping
# exit
$ ping -s 192.168.1.132
ping: socket Permission denied
Remove the set-uid bit and ping stops working.

jmoekamp@daddelkiste:~$ ppriv $$
2153:   -bash
flags = <none>
        E: basic
        I: basic
        P: basic
        L: all

[Slide graphic: the complete list of Solaris privileges, from contract_event to win_upgrade_sl]

[Slide graphic: the complete privilege list again, all of it highlighted]
All privileges in their entirety assigned to one user are
(almost)

[Slide graphic: the complete privilege list, net_access highlighted]
Neat extension in Solaris 11: the ability to use networking is now a privilege. It's part of the default set of privileges, but you can remove it.

jmoekamp@daddelkiste:~$ ppriv -v $$
2153:   -bash
flags = <none>
        E: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
        I: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
        P: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
        L: contract_event,contract_identity,contract_observer,cpc_cpu,dtrace_kernel,dtrace_proc,dtrace_user,file_chown,file_chown_self,file_dac_execute,file_dac_read,file_dac_search,file_dac_write,file_downgrade_sl,file_flag_set,file_link_any,file_owner,file_read,file_setid,file_upgrade_sl,file_write,graphics_access,graphics_map,ipc_dac_read,ipc_dac_write,ipc_owner,net_access,net_bindmlp,net_icmpaccess,net_mac_aware,net_mac_implicit,net_observability,net_privaddr,net_rawaccess,proc_audit,proc_chroot,proc_clock_highres,proc_exec,proc_fork,proc_info,proc_lock_memory,proc_owner,proc_priocntl,proc_session,proc_setid,proc_taskid,proc_zone,sys_acct,sys_admin,sys_audit,sys_config,sys_devices,sys_dl_config,sys_flow_config,sys_ib_config,sys_ib_info,sys_ip_config,sys_ipc_config,sys_iptun_config,sys_linkdir,sys_mount,sys_net_config,sys_nfs,sys_ppp_config,sys_res_bind,sys_res_config,sys_resource,sys_share,sys_smb,sys_suser_compat,sys_time,sys_trans_label,win_colormap,win_config,win_dac_read,win_dac_write,win_devices,win_dga,win_downgrade_sl,win_fontpath,win_mac_read,win_mac_write,win_selection,win_upgrade_sl

root@daddelkiste:~# ppriv $$
2183:   -bash
flags = <none>
        E: all
        I: basic
        P: all
        L: all

junior@daddelkiste:~$ dtrace -n 'syscall:::entry { @num[execname] = count(); }'
dtrace: failed to initialize dtrace: DTrace requires additional privileges

root@daddelkiste:~# usermod -K defaultpriv=basic,dtrace_kernel,dtrace_proc,dtrace_user junior
UX: usermod: junior is currently logged in, some changes may not take effect until next login.

junior@daddelkiste:~$ dtrace -n 'syscall:::entry { @num[execname] = count(); }'
dtrace: description 'syscall:::entry' matched 211 probes
^C
  automountd        1
  sshd             24
  dtrace          544
  auditd          564
# ps -ef | grep kcfd
  daemon   125     1   0 14:24:19 ?           0:00 /usr/lib/crypto/kcfd
    root   734   728   0 15:54:08 pts/1       0:00 grep kcfd
# ppriv -v 125
125:    /usr/lib/crypto/kcfd
flags = PRIV_AWARE
        E: file_owner,proc_priocntl,sys_devices
        I: none
        P: file_owner,proc_priocntl,sys_devices
        L: none

# svcadm -v enable -s apache2
svc:/network/http:apache2 enabled.

jmoekamp@client:~$ ps -ef | grep http
webservd  1978  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1979  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1980  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1984  1975   0 12:20:02 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
    root  1975     1   0 12:19:14 ?           0:01 /usr/apache2/2.2/bin/httpd -k start
webservd  1977  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1976  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start

root@client:~# ppriv 1977
1977:   /usr/apache2/2.2/bin/httpd -k start
flags = <none>
        E: basic
        I: basic
        P: basic
        L: all
root@client:~# ppriv 1975
1975:   /usr/apache2/2.2/bin/httpd -k start
flags = <none>
        E: all
        I: basic
        P: all
        L: all
root@client:~#

[Slide graphic: the complete privilege list, everything highlighted]
The Apache process running as root has the following privileges:

[Slide graphic: the complete privilege list, the basic set highlighted]
The other processes have the following privileges:

[Slide graphic: the complete privilege list, the few privileges httpd actually uses highlighted]
Apache really needs:

[Slide graphic: the complete privilege list, the unneeded remainder highlighted]
So you grant a large number of privileges to one process that Apache doesn't need.

# svcadm -v disable -s apache2
svc:/network/http:apache2 disabled.

root@client:~# svccfg -s apache22
svc:/network/http:apache22> setprop start/user = astring: webservd
svc:/network/http:apache22> setprop start/group = astring: webservd
svc:/network/http:apache22> setprop start/privileges = astring: basic,proc_session,proc_info,file_link_any,net_privaddr
svc:/network/http:apache22> setprop start/limit_privileges = astring: :default
svc:/network/http:apache22> setprop start/use_profile = boolean: false
svc:/network/http:apache22> setprop start/supp_groups = astring: :default
svc:/network/http:apache22> setprop start/working_directory = astring: :default
svc:/network/http:apache22> setprop start/project = astring: :default
svc:/network/http:apache22> setprop start/resource_pool = astring: :default
svc:/network/http:apache22> end
root@client:~# svcadm -v refresh apache22
Action refresh set for svc:/network/http:apache22.

# echo "LockFile /var/apache2/2.2/logs/accept.lock" >> /etc/apache2/2.2/httpd.conf
# echo "PidFile /var/apache2/2.2/run/httpd.pid" >> /etc/apache2/2.2/httpd.conf
# mkdir -p -m 755 /var/apache2/2.2/run
# chown webservd:webservd /var/apache2/2.2/run
# svcadm enable apache22

webservd  3064  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3062  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3063  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3066  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3061     1   0 16:49:17 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3065  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
Read-only zone root

zonecfg:testzone> set file-mac-profile=none
        Standard read-write non-global zone, with no additional protection beyond the existing zone boundaries.

zonecfg:testzone> set file-mac-profile=strict
        Read-only file system, no exceptions.

zonecfg:testzone> set file-mac-profile=fixed-configuration
        Permits updates to /var/* directories, with the exception of directories that contain system configuration components.

zonecfg:testzone> set file-mac-profile=flexible-configuration
        Permits modification of files in /etc/* directories, changes to root's home directory, and updates to /var/* directories. This configuration provides the closest functionality to the Oracle Solaris 10 native sparse root zone.
in-kernel SSL Proxy

# mkdir /etc/keys
# cd /etc/keys
# openssl req -x509 -nodes -days 365 -subj "/C=DE/ST=Hamburg/L=Hamburg/CN=server" -newkey rsa:1024 -keyout /etc/keys/mykey.pem -out /etc/keys/mycert.pem
# cat mycert.pem mykey.pem > my.pem
# chmod 600 my.pem

# echo "pass" > /etc/keys/mypass
# ksslcfg create -f pem -i /etc/keys/my.pem -x 8080 -p /etc/keys/mypass server 443

# ksslcfg create -f pem -i /etc/keys/my.pem -x 8080 -p /etc/keys/mypass -c rsa_aes_256_cbc_sha,rsa_aes_128_cbc_sha,rsa_rc4_128_sha,rsa_rc4_128_md5 server 443

# svcs -a | grep kssl
online          9:03:33 svc:/network/ssl/proxy:kssl-server-443

# svcadm disable apache22
# echo "Listen 192.168.178.108:8080" >> /etc/apache2/2.2/httpd.conf
# svcadm enable apache22
Port number and IP address have to be defined in httpd.conf, otherwise it will not work.

$ openssl s_client -connect server:443
CONNECTED(00000004)
depth=0 /C=DE/ST=Hamburg/L=Hamburg/CN=server
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=DE/ST=Hamburg/L=Hamburg/CN=server
verify return:1
---
Certificate chain
 0 s:/C=DE/ST=Hamburg/L=Hamburg/CN=server
   i:/C=DE/ST=Hamburg/L=Hamburg/CN=server
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICoTCCAgqgAwIBAgIJAKyJdj[...]V5jX3MU=
-----END CERTIFICATE-----
subject=/C=DE/ST=Hamburg/L=Hamburg/CN=server
issuer=/C=DE/ST=Hamburg/L=Hamburg/CN=server
---
No client certificate CA names sent
---
SSL handshake has read 817 bytes and written 328 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-SHA
    Session-ID: 32CEF20CB9FE2A71C74D40BB2DB5CB304DA1B57540B7CFDD113915B99DBE9812
    Session-ID-ctx:
    Master-Key: 1E7B502390951124779C5763B5E4BBAF0A9B0693D08DCA8A587B503A5C5027B6FAD9CA7626B1AD8C62219E8502A5C21E
    Key-Arg   : None
    Start Time: 1242985143
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
GET / HTTP/1.0

HTTP/1.1 200 OK
Date: Fri, 22 May 2009 09:39:13 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8a DAV/2
Last-Modified: Thu, 21 May 2009 21:26:30 GMT
ETag: "341f3-2c-46a72cc211a8f"
Accept-Ranges: bytes
Content-Length: 44
Connection: close
Content-Type: text/html

<html><body><h1>It works!</h1></body></html>
read:errno=0
ZFS Encryption

# zfs create -o encryption=on rpool/export/project

Key hierarchy: a wrapping key (user settable) protects the data encryption key (random, not user settable). The wrapping key comes from the keysource: prompt, file://, https:// or pkcs11:.

Available ciphers: aes-128-ccm (= on), aes-192-ccm, aes-256-ccm, aes-128-gcm, aes-192-gcm, aes-256-gcm

# zfs set checksum=sha256+mac <dataset>
With encryption enabled, something like this happens automatically; the checksum property is read-only from then on.

# pktool genkey keystore=pkcs11 keytype=aes keylen=128 label=mykey
Enter PIN for Sun Software PKCS#11 softtoken:
# zfs create -o encryption=on -o keysource=raw,pkcs11:object=mykey tank/project/C
Enter PKCS#11 token PIN for 'tank/project/C':

# zfs create -o encryption=on -o keysource=raw,https://keys.example.com/mykey tank/project/R
# cp myserver.cert.pem /etc/certs/CA/
# svcadm refresh ca-certificates

Changing the wrapping key:
$ zfs key -c rpool/export/project
Enter new passphrase for 'rpool/export/project':

Changing the encryption key for data written from now on:
# zfs key -K tank/project/A
# zfs clone -K tank/project/A@montag tank/project/D
Creates a new data encryption key. Data written in the clone uses the new data encryption key, which is distinct from the one of its original snapshot.
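The two commands above behave differently for a reason that the key hierarchy explains: zfs key -c only rewraps the data encryption key under a new wrapping key, so no block on disk changes, while zfs key -K adds a fresh data encryption key that only new writes use. The following is an added example, not ZFS code and not from the slides, that models exactly that hierarchy so the difference can be observed. The cipher is a stand-in chosen because it is in Python's standard library (a keystream from HMAC-SHA256 in counter mode plus an HMAC tag, with separate subkeys for each); ZFS itself uses AES in CCM or GCM mode, as listed on the slide. The passphrase-to-wrapping-key step uses PBKDF2, which is an assumption about how a prompt keysource is processed, not something the slides state.

```python
"""Model of the wrapping-key / data-key hierarchy behind ZFS encryption.

Added example, not ZFS code. A dataset keeps a keychain of random data
encryption keys (DEKs), each stored wrapped under the wrapping key:
  change_passphrase() is the "zfs key -c" case: rewrap every DEK, touch no block;
  rekey() is the "zfs key -K" case: append a new DEK for writes from now on;
  old blocks keep the DEK they were written with.
The encrypt/decrypt primitive is an illustrative encrypt-then-MAC stream
construction from hmac/hashlib, not the AES-CCM/GCM ZFS uses.
"""
import hashlib
import hmac
import os


def _subkeys(key):
    """Derive independent keys for masking and for the tag from one master key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(key, nonce, length):
    """HMAC-SHA256(key, nonce || counter) blocks, truncated to `length` bytes."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key, plaintext):
    """Return nonce || ciphertext || tag (the tag plays the role of the "+mac" checksum)."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key, blob):
    """Verify the tag before unmasking; wrong key or modified data raises ValueError."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("authentication failed: wrong key or modified data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class EncryptedDataset:
    """One dataset: wrapped DEK keychain plus the blocks written under those DEKs."""

    def __init__(self, passphrase):
        self.salt = os.urandom(16)
        self.wrapped_keys = []   # keychain: every DEK ever used, each wrapped
        self.blocks = []         # (index of the DEK used, ciphertext blob)
        self._plain_keys = []    # unwrapped DEKs, only while unlocked
        self._wk = self._wrapping_key(passphrase)
        self.rekey()             # a new dataset starts with one random DEK

    def _wrapping_key(self, passphrase):
        # Assumption for this example: passphrase keysource goes through PBKDF2.
        return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), self.salt, 100_000)

    def rekey(self):
        """zfs key -K: a fresh random DEK; earlier blocks keep theirs."""
        dek = os.urandom(32)   # random, not user settable
        self._plain_keys.append(dek)
        self.wrapped_keys.append(encrypt(self._wk, dek))

    def change_passphrase(self, new_passphrase):
        """zfs key -c: new wrapping key, every DEK rewrapped, no block rewritten."""
        self._wk = self._wrapping_key(new_passphrase)
        self.wrapped_keys = [encrypt(self._wk, dek) for dek in self._plain_keys]

    def lock(self):
        """Forget the unwrapped keys, as an exported pool does."""
        self._plain_keys, self._wk = [], None

    def unlock(self, passphrase):
        """zpool import / zfs key -l: unwrap the whole keychain or fail."""
        wk = self._wrapping_key(passphrase)
        self._plain_keys = [decrypt(wk, w) for w in self.wrapped_keys]
        self._wk = wk

    def write(self, data):
        idx = len(self._plain_keys) - 1          # newest DEK for new writes
        self.blocks.append((idx, encrypt(self._plain_keys[idx], data)))

    def read_all(self):
        return [decrypt(self._plain_keys[i], blob) for i, blob in self.blocks]


def passphrase_unlocks(ds, passphrase):
    """True if the passphrase unwraps the keychain, False otherwise."""
    try:
        ds.unlock(passphrase)
        return True
    except ValueError:
        return False
```

After change_passphrase() the block list is byte-for-byte what it was, which is why the zfs key -c on the slide returns immediately on a large dataset; after rekey() the keychain has two entries and only blocks written afterwards reference the second one.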
Solaris Cryptographic Framework

As soon as Solaris detects hardware acceleration for cryptography, Solaris will use it (and so will applications using the Oracle-supplied OpenSSL library or the direct interfaces):
• on-chip crypto accelerator in T and current M series chips
• instruction set extensions in Intel processors (AES-NI)
• supported crypto accelerator cards

Just a side note: T-series crypto acceleration and Intel x86 acceleration have quite different performance characteristics.
T-series: acceleration by offloading crypto outside the pipeline.
Intel x86: acceleration by offering special in-pipeline instructions to accelerate execution.
Sounds like splitting hairs ...
Using ZFS to do two-factor encryption

jmoekamp@solaris:~$ rmformat
Looking for devices...
     1. Logical Node: /dev/rdsk/c10t0d0p0
        Physical Node: /pci@0,0/pci8086,265c@b/storage@2/disk@0,0
        Connected Device: SanDisk  U3 Cruzer Micro  8.02
        Device Type: Removable
        Bus: USB
        Size: 3.8 GB
        Label:
        Access permissions: Medium is not write protected
(...)
     3. Logical Node: /dev/rdsk/c9t0d0p0
        Physical Node: /pci@0,0/pci8086,265c@b/storage@1/disk@0,0
        Connected Device: SanDisk  U3 Cruzer Micro  8.02
        Device Type: Removable
        Bus: USB
        Size: 3.8 GB
        Label:
        Access permissions: Medium is not write protected

root@solaris# zpool create a_keystore_usbstick /dev/dsk/c10t0d0p0
root@solaris# zpool create datastore /dev/dsk/c9t0d0p0

root@solaris# zfs create -o encryption=on a_keystore_usbstick/keys
Enter passphrase for 'a_keystore_usbstick/keys': supersecret
Enter again: supersecret

root@solaris# pktool genkey keystore=file keytype=aes keylen=128 outkey=/a_keystore_usbstick/keys/joergsdatastick.key

root@solaris# zfs create -o encryption=on -o keysource=raw,file:///a_keystore_usbstick/keys/joergsdatastick.key datastick/joergssecrets

root@solaris:/datastick/joergssecrets# mv /home/jmoekamp/highlyconfidential_nda_presos.tgz .

root@solaris# zpool export a_keystore_usbstick
root@solaris# zpool export datastick

root@solaris# zpool import a_keystore_usbstick
Enter passphrase for 'a_keystore_usbstick/keys': supersecret
root@solaris#

root@solaris# zpool import datastick
root@solaris# cd /datastick/joergssecrets
root@solaris:/datastick/joergssecrets# ls
highconfidential_nda_presos.tgz
Basic Auditing and Reporting Tool

# mkdir /bart-files
# bart create -R /etc > /bart-files/etc.control.manifest

# cat etc.control.manifest | grep nsswitch.nisplus
/nsswitch.nisplus F 2525 100644 user::rw-,group::r--,mask:r--,other:r-- 473976b5 0 3 79e8fd689a5221d1cd059e5077da71b8

# touch /etc/thisisjustatest
# chmod 777 /etc/nsswitch.files
# echo "just a test" >> /etc/nsswitch.nisplus

# bart create -R /etc > /bart-files/etc.check.20130911.manifest

# cd /bart-files
# bart compare etc.control.manifest etc.check.20130911.manifest
/nsswitch.files:
  mode  control:100644  test:100777
  acl  control:user::rw-,group::r--,mask:r--,other:r--  test:user::rwx,group::rwx,mask:rwx,other:rwx
/nsswitch.nisplus:
  size  control:2525  test:2538
  mtime  control:473976b5  test:47a44862
  contents  control:79e8fd689a5221d1cd059e5077da71b8  test:3f79176ec352441db11ec8a3d02ef67c
/thisisjustatest:
  add

Find more information regarding this feature at http://www.c0t0d0s0.org/archives/4069-Less-known-Solaris-features-BART.html
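The manifest line and the compare output above show the whole BART data model: one line per file with type, size, mode, ACL, mtime, owner, group and a content hash, and a report that lists the attributes that differ plus additions and deletions. The following is an added example, not BART's code and not from the slides, that parses two such manifests and produces the same kind of report, including the attribute-ignore option that bart compare offers through its rules file. The sample manifests are constructed around the three entries visible above (the nsswitch.files size and hash, the passwd line, the header lines and the mtime of the new file are made up; the field order per file type follows bart_manifest(4) as this example's author reads it).

```python
"""Parse BART manifests and diff them the way "bart compare" reports changes.

Added example, not BART's own code. Manifest lines are
  <path> <type> <fields...>, with "!"-prefixed header lines;
the per-type field order below (F = file, D = directory, L = symlink) is
assumed from bart_manifest(4). Paths containing blanks are escaped by BART
and are not handled here.
"""

MANIFEST_FIELDS = {
    "F": ("size", "mode", "acl", "mtime", "uid", "gid", "contents"),
    "D": ("size", "mode", "acl", "mtime", "uid", "gid"),
    "L": ("size", "mode", "acl", "mtime", "uid", "gid", "dest"),
}

# Constructed control manifest: the nsswitch.nisplus line is the one shown on
# the slide, the other two lines are invented for this example.
CONTROL = """\
! Version 1.0
! HASH MD5
/nsswitch.files F 1180 100644 user::rw-,group::r--,mask:r--,other:r-- 473976b5 0 3 0123456789abcdef0123456789abcdef
/nsswitch.nisplus F 2525 100644 user::rw-,group::r--,mask:r--,other:r-- 473976b5 0 3 79e8fd689a5221d1cd059e5077da71b8
/passwd F 700 100644 user::rw-,group::r--,mask:r--,other:r-- 473976b5 0 3 fedcba9876543210fedcba9876543210
"""

# Constructed test manifest: state after the touch / chmod / echo on the slide.
TEST = """\
! Version 1.0
! HASH MD5
/nsswitch.files F 1180 100777 user::rwx,group::rwx,mask:rwx,other:rwx 473976b5 0 3 0123456789abcdef0123456789abcdef
/nsswitch.nisplus F 2538 100644 user::rw-,group::r--,mask:r--,other:r-- 47a44862 0 3 3f79176ec352441db11ec8a3d02ef67c
/passwd F 700 100644 user::rw-,group::r--,mask:r--,other:r-- 473976b5 0 3 fedcba9876543210fedcba9876543210
/thisisjustatest F 0 100644 user::rw-,group::r--,mask:r--,other:r-- 47a44870 0 3 d41d8cd98f00b204e9800998ecf8427e
"""


def parse_manifest(text):
    """Return {path: {"type": T, field: value, ...}} for every entry line."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue  # header lines ("! Version", "! HASH")
        parts = line.split()
        name, ftype, values = parts[0], parts[1], parts[2:]
        names = MANIFEST_FIELDS.get(ftype)
        if names is None or len(values) != len(names):
            raise ValueError("unexpected manifest line: " + line)
        entries[name] = dict(zip(names, values), type=ftype)
    return entries


def compare_manifests(control_text, test_text, ignore=()):
    """Diff two manifests; `ignore` names attributes to skip, like a rules file's IGNORE."""
    control, test = parse_manifest(control_text), parse_manifest(test_text)
    report = {}
    for name in sorted(set(control) | set(test)):
        if name not in test:
            report[name] = {"delete": True}
        elif name not in control:
            report[name] = {"add": True}
        else:
            changed = {k: (control[name][k], test[name][k])
                       for k in control[name]
                       if k not in ignore and control[name][k] != test[name].get(k)}
            if changed:
                report[name] = changed
    return report


def format_report(report):
    """Render in the layout bart compare prints: path header, then one attribute per line."""
    lines = []
    for name, changes in report.items():
        lines.append(name + ":")
        for attr, value in changes.items():
            if value is True:
                lines.append("  " + attr)
            else:
                lines.append("  %s  control:%s  test:%s" % (attr, value[0], value[1]))
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(compare_manifests(CONTROL, TEST)))
```

The chmod shows up as a mode and acl change with the content hash untouched, while the echo changes size, mtime and contents at once; a detection rule that ignores mtime (as a rules file would for log directories) still catches the appended line through the hash.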
Apropos auditing

Auditing is activated by default.

root@client:~# auditconfig -getflags
active user default audit flags = lo(0x1000,0x1000)
configured user default audit flags = lo(0x1000,0x1000)
root@client:~# auditconfig -getnaflags
active non-attributable audit flags = lo(0x1000,0x1000)
configured non-attributable audit flags = lo(0x1000,0x1000)

root@client:~# auditconfig -getpolicy
configured audit policies = cnt
active audit policies = cnt
Policy regarding auditing (explanation on the next slide)

root@client:~# auditconfig -lspolicy
policy string     description
ahlt              halt machine if it can not record an async event
all               all policies
arge              include exec environment args in audit recs
argv              include exec command line args in audit recs
cnt               when no more space, drop recs and keep a cnt
group             include supplementary groups in audit recs
none              no policies
path              allow multiple paths per event
perzone           use a separate queue and auditd per zone
public            audit public files
seq               include a sequence number in audit recs
trail             include trailer token in audit recs
windata_down      include downgraded window information in audit recs
windata_up        include upgraded window information in audit recs
zonename          include zonename token in audit recs
Which degree of detail? What happens with full disks?

root@client:~# auditconfig -getplugin
Plugin: audit_binfile (active)
        Attributes: p_dir=/var/audit;p_fsize=0;p_minfree=1;
Plugin: audit_syslog (inactive)
        Attributes: p_flags=;
Plugin: audit_remote (inactive)
        Attributes: p_hosts=;p_retries=3;p_timeout=5;

root@client:~# auditconfig -setflags lo,ps,fw
user default audit flags = ps,lo,fw(0x101002,0x101002)
root@client:~# auditconfig -setnaflags lo,na
non-attributable audit flags = lo,na(0x1400,0x1400)
lo and na are the only sensible flags for non-attributable events.

root@client:~# usermod -K audit_flags=fw,as junior

root@client:~# auditconfig -lsevent | grep lo
AUE_login                  6152 lo login - local
AUE_logout                 6153 lo logout
AUE_telnet                 6154 lo login - telnet
AUE_rlogin                 6155 lo login - rlogin
AUE_rshd                   6158 lo rsh access
AUE_su                     6159 lo su
AUE_rexecd                 6162 lo rexecd
AUE_passwd                 6163 lo passwd
AUE_rexd                   6164 lo rexd
AUE_ftpd                   6165 lo ftp access
AUE_ftpd_logout            6171 lo ftp logout
AUE_ssh                    6172 lo login - ssh
AUE_role_login             6173 lo role login
AUE_rad_login              6174 lo connect to RAD
AUE_newgrp_login           6212 lo newgrp login
AUE_admin_authenticate     6213 lo admin login
AUE_screenlock             6221 lo screenlock - lock
AUE_screenunlock           6222 lo screenlock - unlock
AUE_zlogin                 6227 lo login - zlogin
AUE_su_logout              6228 lo su logout
AUE_role_logout            6229 lo role logout
AUE_smbd_session           6244 lo smbd(1m) session setup
AUE_smbd_logoff            6245 lo smbd(1m) session logoff

root@client:~# auditconfig -lsevent | grep ps
AUE_EXIT                      1 ps exit(2)
AUE_FORKALL                   2 ps forkall(2)
AUE_VFORK                    25 ps vfork(2)
AUE_FORK1                   241 ps fork1(2)
root@client:~# auditconfig -lsevent | grep fw
AUE_OPEN_W                   76 fw open(2) - write

# auditreduce -c ps /var/audit/20130912183630.not_terminated.client | praudit
header,139,2,execve(2),,client,2013-09-12 18:40:55.924 +00:00
path,/usr/sbin/auditreduce
attribute,100555,root,bin,65538,65875,18446744073709551615
subject,jmoekamp,root,root,root,root,2054,1440080956,2480 202240 192.168.10.1
return,success,0

root@client:~# auditconfig -setflags all
user default audit flags = all(0xffffffffffffffff,0xffffffffffffffff)
Not always (in the sense of never) a good idea.
Useful after trying things out: starting a new audit file
root@client:~# audit -n

root@client:~# auditstat
  gen  nona  kern   aud   ctl   enq  wrtn  wblk  rblk  drop   tot   mem
38248     1 38233    14     0 37791 37788     0  3491   457  5169     0
"all" activated for a few seconds on an unloaded system
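Both praudit records on this page, the "edit administrative file" record from the pfedit section and the execve(2) record above, share one layout: one token per line, comma-separated fields, a header token opening the record and a return token carrying the outcome. The following is an added example, not from the slides, that parses that layout and applies the detection question an administrator asks of it: who edited an administrative file, under which authorization, and which audit ID was behind a process running as root. The sample is constructed from the two records shown on this page (the text token's diff is shortened); the field positions inside the header and subject tokens follow audit.log(4) as this example's author reads it.

```python
"""Parse praudit(1M) default output and extract the security-relevant facts.

Added example, not from the slides. Records start at a "header" token;
every token type maps to a list of field lists because a type may repeat
within one record (several path tokens, for instance). The sample below
is constructed from the two records shown on this page.
"""

SAMPLE = """\
header,486,2,edit administrative file,,fe80::a00:27ff:fea6:33cb,2013-08-12 07:45:52.306 +00:00
subject,junior,junior,staff,junior,staff,4212,4474671663,69 136704 MacBook-Pro-of-c0t0d0s0.fritz.box
path,/etc/apache2/2.2/httpd.conf
use of authorization,solaris.admin.edit//etc/apache2/2.2/httpd.conf
text,--- /etc/apache2/2.2/httpd.conf (diff shortened in this constructed sample)
return,success,0
header,139,2,execve(2),,client,2013-09-12 18:40:55.924 +00:00
path,/usr/sbin/auditreduce
attribute,100555,root,bin,65538,65875,18446744073709551615
subject,jmoekamp,root,root,root,root,2054,1440080956,2480 202240 192.168.10.1
return,success,0
"""

# Field positions assumed from audit.log(4): header = size, version, event,
# modifier, host, time; subject = audit ID, uid, gid, ruid, rgid, pid, sid, tid.
HEADER_EVENT, SUBJECT_AUDIT_ID, SUBJECT_UID = 2, 0, 1


def parse_praudit(text):
    """Split praudit output into records: a list of {token: [[fields], ...]}."""
    records, current = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        token, _, rest = line.partition(",")
        if token == "header":
            current = {}
            records.append(current)
        if current is None:
            continue  # tokens before the first header: tolerate a cut-off file
        current.setdefault(token, []).append(rest.split(","))
    return records


def summarize(record):
    """Reduce one record to who did what to which object, and the outcome."""
    subject = record.get("subject", [[""] * 8])[0]
    ret = record.get("return", [["unknown", ""]])[0]
    return {
        "event": record["header"][0][HEADER_EVENT],
        "audit_user": subject[SUBJECT_AUDIT_ID],   # survives su and role assumption
        "effective_user": subject[SUBJECT_UID],
        "paths": [p[0] for p in record.get("path", [])],
        "authorizations": [a[0] for a in record.get("use of authorization", [])],
        "result": ret[0],
    }


def find_admin_edits(text):
    """Detection rule: every successful 'edit administrative file' event."""
    return [summarize(r) for r in parse_praudit(text)
            if r["header"][0][HEADER_EVENT] == "edit administrative file"
            and r.get("return", [[""]])[0][0] == "success"]


def root_actions_by_audit_id(text):
    """Map audit ID -> events run with uid root, i.e. what each person did as root."""
    result = {}
    for r in parse_praudit(text):
        s = summarize(r)
        if s["effective_user"] == "root":
            result.setdefault(s["audit_user"], []).append(s["event"])
    return result
```

The second function is the reason the audit ID is worth a column in any report built from these records: the execve(2) record shows uid root for every field but the first, and only the audit ID ties that root shell back to jmoekamp.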
SSH and X509
c0t0d0s0org131
rootca~ CApl -newcaCA certificate filename (or enter to create)
Making CA certificate Generating a 1024 bit RSA private key++++++++++++writing new private key to etcopensslprivatecakeypemEnter PEM pass phrase supersecret1Verifying - Enter PEM pass phrase supersecret1-----You are about to be asked to enter information that will be incorporatedinto your certificate requestWhat you are about to enter is what is called a Distinguished Name or a DNThere are quite a few fields but you can leave some blankFor some fields there will be a default valueIf you enter the field will be left blank-----Country Name (2 letter code) []DEState or Province Name (full name) []Lower SaxonyLocality Name (eg city) []LueneburgOrganization Name (eg company) []c0t0d0s0orgOrganizational Unit Name (eg section) []Security DepartmentCommon Name (eg server FQDN or YOUR name) []CAEmail Address []
Please enter the following extra attributesto be sent with your certificate requestA challenge password []An optional company name []Using configuration from etcopensslopensslcnf
Enter pass phrase for etcopensslprivatecakeypem supersecret1Check that the request matches the signatureSignature okCertificate Details Serial Number b354808866ade878 Validity Not Before Sep 26 101109 2013 GMT Not After Sep 25 101109 2016 GMT Subject countryName = DE stateOrProvinceName = Lower Saxony organizationName = c0t0d0s0org organizationalUnitName = Security Department commonName = CA X509v3 extensions X509v3 Subject Key Identifier 5B1F2F7186123040501552818D525AA5597E3644 X509v3 Authority Key Identifier keyid5B1F2F7186123040501552818D525AA5597E3644
X509v3 Basic Constraints CATRUECertificate is to be certified until Sep 25 101109 2016 GMT (1095 days)
Write out database with 1 new entriesData Base Updated
c0t0d0s0org132
root@ca:~# mkdir server
root@ca:~# cd server
root@ca:~/server# CA.pl -newreq
Generating a 1024 bit RSA private key
++++++++++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase: supersecret2
Verifying - Enter PEM pass phrase: supersecret2
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:DE
State or Province Name (full name) []:Lower Saxony
Locality Name (eg, city) []:Lueneburg
Organization Name (eg, company) []:c0t0d0s0.org
Organizational Unit Name (eg, section) []:Server Certificates
Common Name (e.g. server FQDN or YOUR name) []:server
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem
root@ca:~/server# CA.pl -signreq
Using configuration from /etc/openssl/openssl.cnf
Enter pass phrase for /etc/openssl/private/cakey.pem: supersecret1
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            b3:54:80:88:66:ad:e8:79
        Validity
            Not Before: Sep 26 10:29:12 2013 GMT
            Not After : Sep 26 10:29:12 2014 GMT
        Subject:
            countryName               = DE
            stateOrProvinceName       = Lower Saxony
            localityName              = Lueneburg
            organizationName          = c0t0d0s0.org
            organizationalUnitName    = Server Certificates
            commonName                = server
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                A7:DC:03:DE:B3:D5:FB:F9:C0:06:F1:1A:55:A9:AD:04:C4:9C:10:FA
            X509v3 Authority Key Identifier:
                keyid:5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44

Certificate is to be certified until Sep 26 10:29:12 2014 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
root@ca:~/server# ls -l
total 15
-rw-r--r--   1 root     root        3196 Sep 26 12:29 newcert.pem
-rw-r--r--   1 root     root        1041 Sep 26 12:28 newkey.pem
-rw-r--r--   1 root     root         680 Sep 26 12:28 newreq.pem
root@ca:~/junior# CA.pl -newreq
Generating a 1024 bit RSA private key
++++++++++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
Verify failure
Enter PEM pass phrase: supersecret3
Verifying - Enter PEM pass phrase: supersecret3
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:DE
State or Province Name (full name) []:Lower Saxony
Locality Name (eg, city) []:Lueneburg
Organization Name (eg, company) []:c0t0d0s0.org
Organizational Unit Name (eg, section) []:User certificates
Common Name (e.g. server FQDN or YOUR name) []:junior
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem

root@ca:~/junior# CA.pl -signreq
Using configuration from /etc/openssl/openssl.cnf
Enter pass phrase for /etc/openssl/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            b3:54:80:88:66:ad:e8:7a
        Validity
            Not Before: Sep 26 11:09:29 2013 GMT
            Not After : Sep 26 11:09:29 2014 GMT
        Subject:
            countryName               = DE
            stateOrProvinceName       = Lower Saxony
            localityName              = Lueneburg
            organizationName          = c0t0d0s0.org
            organizationalUnitName    = User certificates
            commonName                = junior
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                A1:F2:FC:9D:8A:E2:AD:9A:F5:29:03:F5:B7:14:93:3C:64:62:8E:9C
            X509v3 Authority Key Identifier:
                keyid:5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44

Certificate is to be certified until Sep 26 11:09:29 2014 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
root@server:~# useradd -m junior
80 blocks
root@server:~# passwd junior
New Password:
Re-enter new Password:
passwd: password successfully changed for junior
root@server:~#

root@client:~# useradd -m junior
80 blocks
root@client:~# passwd junior
New Password:
Re-enter new Password:
passwd: password successfully changed for junior

root@server:~# echo "192.168.10.51 server" >> /etc/hosts
root@server:~# echo "192.168.10.52 client" >> /etc/hosts

root@client:~# echo "192.168.10.51 server" >> /etc/hosts
root@client:~# echo "192.168.10.52 client" >> /etc/hosts

root@ca:~/server# scp /etc/openssl/cacert.pem jmoekamp@192.168.1.109:/export/home/jmoekamp
Password:
cacert.pem           100% |*****************************|  3011       00:00
root@ca:~/server# scp newcert.pem jmoekamp@192.168.1.109:/export/home/jmoekamp
Password:
newcert.pem          100% |*****************************|  3196       00:00
root@ca:~/server# scp newkey.pem jmoekamp@192.168.1.109:/export/home/jmoekamp
Password:
newkey.pem           100% |*****************************|  1041       00:00

root@ca:~/junior# scp newkey.pem junior@client:/export/home/junior
Password:
newkey.pem           100% |*****************************|  1041       00:00
root@ca:~/junior# scp newcert.pem junior@client:/export/home/junior
Password:
newcert.pem          100% |*****************************|  3190       00:00
root@ca:~/junior# scp /etc/openssl/cacert.pem junior@192.168.1.104:/export/home/junior
Password:
cacert.pem           100% |*****************************|  3011       00:00
On the Server

root@server:~# ls
cacert.pem   newcert.pem  newkey.pem

root@server:~# pktool setpin
Enter token passphrase: changeme
Create new passphrase: superserversecret
Re-enter new passphrase: superserversecret
Passphrase changed.
root@server:~#

root@server:~# printf "superserversecret" > /etc/ssh/pinfile

root@server:~# kmfcfg create dbfile=/etc/ssh/policy.xml policy=ssh ta-name=search mapper-name=cn

root@server:~# echo "TrustedAnchorKeystore /etc/ssh/cert" >> /etc/ssh/sshd_config
root@server:~# echo "KMFPolicyDatabase /etc/ssh/policy.xml" >> /etc/ssh/sshd_config
root@server:~# echo "KMFPolicyName ssh" >> /etc/ssh/sshd_config
root@server:~# echo "HostKey pkcs11:object=host;token=Sun Metaslot;pinfile=/etc/ssh/pinfile" >> /etc/ssh/sshd_config

root@server:~# pktool import keystore=pkcs11 infile=newkey.pem objtype=key label=host
Enter PIN for Sun Software PKCS#11 softtoken: superserversecret
Enter PEM pass phrase: supersecret2
Importing 1 keys

root@server:~# egrep -v "^ |^$|^Cert" /export/home/jmoekamp/cacert.pem > /etc/ssh/cert/cacert.cooked.pem
root@server:~# egrep -v "^ |^$|^Cert" newcert.pem > newcert.cooked.pem
root@server:~# pktool import keystore=pkcs11 infile=newcert.cooked.pem objtype=cert label=host
root@server:~#
On the client

junior@client:~$ ls *.pem
cacert.pem   newcert.pem  newkey.pem

root@client:~# kmfcfg create dbfile=/etc/ssh/policy.xml policy=ssh ta-name=search mapper-name=cn
root@client:~# egrep -v "^ |^$|^Cert" /export/home/junior/cacert.pem > /etc/ssh/cert/cacert.cooked.pem

junior@client:~$ pktool setpin
Enter token passphrase: changeme
Create new passphrase: superusersecret
Re-enter new passphrase: superusersecret
Passphrase changed.

junior@client:~$ pktool import keystore=pkcs11 infile=newkey.pem objtype=key label=user
Enter PIN for Sun Software PKCS#11 softtoken: superusersecret
Enter PEM pass phrase: supersecret3
Importing 1 keys
junior@client:~$ egrep -v "^ |^$|^Cert" newcert.pem > newcert.cooked.pem
junior@client:~$ pktool import keystore=pkcs11 infile=newcert.cooked.pem objtype=cert label=user
Testing it

root@server:~# svcadm disable ssh
root@server:~# svcadm enable ssh

junior@client:~$ cd .ssh
junior@client:~/.ssh$ printf "superusersecret" >> pinfile
junior@client:~/.ssh$ cat config
Host server-x509
    Hostname server
    TrustedAnchorKeystore /etc/ssh/cert
    KMFPolicyDatabase /etc/ssh/policy.xml
    KMFPolicyName ssh
    IdentityFile pkcs11:object=user;token=Sun Software PKCS#11 softtoken;pinfile=/export/home/junior/.ssh/pinfile

junior@client:~/.ssh$ ssh junior@server-x509
Last login: Thu Sep 26 20:07:14 2013 from client
Oracle Corporation      SunOS 5.11      11.1    September 2013
junior@server:~$

Find more information regarding this feature at
http://www.c0t0d0s0.org/archives/7659-Using-X509-support-for-SSH-on-Solaris-11.1.html
OpenSCAP

„The Security Content Automation Protocol (SCAP) is a method for using specific standards to enable automated vulnerability management, measurement, and policy compliance evaluation (e.g., FISMA compliance). The National Vulnerability Database (NVD) is the U.S. government content repository for SCAP.“
http://en.wikipedia.org/wiki/Security_Content_Automation_Protocol
ftp-banner.xml

<?xml version="1.0" encoding="UTF-8"?>
<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:independent-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd">
  <generator>
    <oval:product_name>Enhanced SCAP Editor</oval:product_name>
    <oval:product_version>0.0.11</oval:product_version>
    <oval:schema_version>5.8</oval:schema_version>
    <oval:timestamp>2012-10-11T10:33:25</oval:timestamp>
  </generator>
  <!--generated.oval.base.identifier=com.oracle.solaris11-->
  <definitions>
    <definition id="oval:com.oracle.solaris11:def:840" version="1" class="compliance">
      <metadata>
        <title>Enable a Warning Banner for the FTP Service</title>
        <affected family="unix">
          <platform>Oracle Solaris 11</platform>
        </affected>
        <description>/etc/proftpd.conf contains "DisplayConnect /etc/issue"</description>
      </metadata>
      <criteria operator="AND" negate="false" comment="Single test">
        <criterion comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;" test_ref="oval:com.oracle.solaris11:tst:8400" negate="false"/>
      </criteria>
    </definition>
  </definitions>
  <tests>
    <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:com.oracle.solaris11:tst:8400" version="1" check="all" comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;" check_existence="all_exist">
      <object object_ref="oval:com.oracle.solaris11:obj:8400"/>
    </textfilecontent54_test>
  </tests>
  <objects>
    <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:com.oracle.solaris11:obj:8400" version="1" comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;">
      <path datatype="string" operation="equals">/etc</path>
      <filename datatype="string" operation="equals">proftpd.conf</filename>
      <pattern datatype="string" operation="pattern match">^DisplayConnect\s+/etc/issue\s*$</pattern>
      <instance datatype="int" operation="greater than or equal">1</instance>
    </textfilecontent54_object>
  </objects>
</oval_definitions>
$ oscap oval eval ftp-banner.xml
Definition oval:com.oracle.solaris11:def:840: false
Evaluation done.

$ oscap oval eval --results results.xml --report report.html ftp-banner.xml
Definition oval:com.oracle.solaris11:def:840: false
Evaluation done.
OVAL Results are exported correctly.
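To make visible what oscap actually evaluates for def:840, here is an added Python evaluator (not from the slides and not OpenSCAP code) that parses a trimmed copy of ftp-banner.xml and runs its textfilecontent54 check against constructed proftpd.conf contents. The simplified reading of <instance> and check_existence is this example's own.

```python
"""Evaluate the textfilecontent54 check from ftp-banner.xml the way oscap does."""
import re
import xml.etree.ElementTree as ET
from typing import Dict

OVAL_DEF = "{http://oval.mitre.org/XMLSchema/oval-definitions-5}"
OVAL_IND = "{http://oval.mitre.org/XMLSchema/oval-definitions-5#independent}"

# Trimmed copy of the slides' ftp-banner.xml (generator block, metadata and comments
# dropped; ids, pattern and structure kept). Constructed for this example.
FTP_BANNER_XML = """\
<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
  <definitions>
    <definition id="oval:com.oracle.solaris11:def:840" version="1" class="compliance">
      <criteria operator="AND" negate="false" comment="Single test">
        <criterion test_ref="oval:com.oracle.solaris11:tst:8400" negate="false"/>
      </criteria>
    </definition>
  </definitions>
  <tests>
    <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"
        id="oval:com.oracle.solaris11:tst:8400" version="1" check="all" check_existence="all_exist">
      <object object_ref="oval:com.oracle.solaris11:obj:8400"/>
    </textfilecontent54_test>
  </tests>
  <objects>
    <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"
        id="oval:com.oracle.solaris11:obj:8400" version="1">
      <path datatype="string" operation="equals">/etc</path>
      <filename datatype="string" operation="equals">proftpd.conf</filename>
      <pattern datatype="string" operation="pattern match">^DisplayConnect\\s+/etc/issue\\s*$</pattern>
      <instance datatype="int" operation="greater than or equal">1</instance>
    </textfilecontent54_object>
  </objects>
</oval_definitions>
"""

DEF_ID = "oval:com.oracle.solaris11:def:840"


def count_matches(obj, files: Dict[str, str]) -> int:
    """Lines of the object's file that match its pattern (0 when the file is absent)."""
    path = obj.find(OVAL_IND + "path").text.rstrip("/")
    filename = obj.find(OVAL_IND + "filename").text
    regex = re.compile(obj.find(OVAL_IND + "pattern").text, re.MULTILINE)
    content = files.get(path + "/" + filename)
    return 0 if content is None else len(regex.findall(content))


def evaluate(oval_xml: str, files: Dict[str, str]) -> Dict[str, bool]:
    """Return {definition id: result}. `files` maps absolute paths to file contents and
    stands in for the file system oscap would read on the Solaris host."""
    root = ET.fromstring(oval_xml)
    objects = {o.get("id"): o for o in root.iter(OVAL_IND + "textfilecontent54_object")}
    tests = {t.get("id"): t for t in root.iter(OVAL_IND + "textfilecontent54_test")}

    def run_test(test) -> bool:
        obj = objects[test.find(OVAL_IND + "object").get("object_ref")]
        instance = obj.find(OVAL_IND + "instance")
        # Simplification: <instance> N with "greater than or equal" collects every match
        # from the N-th on, and check_existence="all_exist" then needs at least one item,
        # so the test passes when at least N lines match.
        return count_matches(obj, files) >= int(instance.text)

    results: Dict[str, bool] = {}
    for definition in root.iter(OVAL_DEF + "definition"):
        criteria = definition.find(OVAL_DEF + "criteria")
        outcomes = []
        for criterion in criteria.findall(OVAL_DEF + "criterion"):
            result = run_test(tests[criterion.get("test_ref")])
            outcomes.append(not result if criterion.get("negate") == "true" else result)
        combined = all(outcomes) if criteria.get("operator") == "AND" else any(outcomes)
        results[definition.get("id")] = not combined if criteria.get("negate") == "true" else combined
    return results


# Constructed sample proftpd.conf contents. The slides' oscap run reported "false",
# i.e. a configuration like the first one (a commented-out directive does not count).
PROFTPD_NO_BANNER = 'ServerName "ProFTPD"\nServerType standalone\n# DisplayConnect /etc/issue\n'
PROFTPD_WITH_BANNER = PROFTPD_NO_BANNER + "DisplayConnect /etc/issue\n"


def ftp_banner_compliant(proftpd_conf: str) -> bool:
    """True when the given /etc/proftpd.conf content satisfies def:840."""
    return evaluate(FTP_BANNER_XML, {"/etc/proftpd.conf": proftpd_conf})[DEF_ID]


if __name__ == "__main__":
    for label, conf in (("without banner", PROFTPD_NO_BANNER), ("with banner", PROFTPD_WITH_BANNER)):
        print(f"Definition {DEF_ID} ({label}): {str(ftp_banner_compliant(conf)).lower()}")
```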
To create your own OVAL files: Enhanced SCAP Content Editor

Find more information regarding this feature at
https://blogs.oracle.com/darren/entry/compliance_reporting_with_scap

Find more information regarding this feature at
https://blogs.oracle.com/gfaden/entry/oracle_solaris_extended_policy_and
Passwords
root@client:/etc/security# cat /etc/security/crypt.conf
#
# Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
#ident  "%Z%%M% %I%     %E% SMI"
#
# The algorithm name __unix__ is reserved.

1       crypt_bsdmd5.so.1
2a      crypt_bsdbf.so.1
md5     crypt_sunmd5.so.1
5       crypt_sha256.so.1
6       crypt_sha512.so.1

root@client:/etc/security# cat /etc/security/policy.conf | egrep ^CRYPT_DEFAULT
CRYPT_DEFAULT=5
root@client:/etc/security# cat /etc/shadow | grep junior
junior:$5$4aKvDFqA$2kL8GpuXjrdf8XpanqhylEP5lDhy1DF5uo1ZYx74f3159291440
root@client:/etc/security# cat /etc/default/passwd | grep -v "^# " | egrep -v "^$|^#$"
#ident  "%Z%%M% %I%     %E% SMI"
MAXWEEKS=
MINWEEKS=
PASSLENGTH=6
NAMECHECK=NO
HISTORY=0
MINDIFF=3
MINALPHA=2
MINNONALPHA=1
MINUPPER=0
MINLOWER=0
MAXREPEATS=0
MINSPECIAL=0
MINDIGIT=0
WHITESPACE=YES
DICTIONLIST=
DICTIONDBDIR=/var/passwd

root@client:# mkpwdict -s /usr/share/lib/dict/words
mkpwdict: using default database location: /var/passwd.

or

root@client:# mkpwdict -s /usr/share/lib/dict/words -d /var/passwd
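As an added example that is not from the slides, the following Python applies the settings of this /etc/default/passwd to candidate passwords, including the dictionary check that mkpwdict's database feeds. The position-based MINDIFF count and the rule that MINNONALPHA replaces MINDIGIT/MINSPECIAL follow this example's reading of passwd(4) and are assumptions.

```python
"""Check candidate passwords against the /etc/default/passwd settings shown on the slide."""
from typing import Dict, FrozenSet, List

# The settings from the slide's /etc/default/passwd, as a constructed copy.
DEFAULT_PASSWD = """\
PASSLENGTH=6
NAMECHECK=NO
HISTORY=0
MINDIFF=3
MINALPHA=2
MINNONALPHA=1
MINUPPER=0
MINLOWER=0
MAXREPEATS=0
MINSPECIAL=0
MINDIGIT=0
WHITESPACE=YES
DICTIONLIST=
DICTIONDBDIR=/var/passwd
"""


def parse_default_passwd(text: str) -> Dict[str, str]:
    """KEY=VALUE lines into a dict; comment and blank lines are skipped."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
    return settings


def longest_run(s: str) -> int:
    """Length of the longest run of one repeated character (for MAXREPEATS)."""
    best = run = 0
    for i, c in enumerate(s):
        run = run + 1 if i and s[i - 1] == c else 1
        best = max(best, run)
    return best


def positions_differing(new: str, old: str) -> int:
    """Character positions where the two passwords differ; extra length counts too."""
    return sum(a != b for a, b in zip(new, old)) + abs(len(new) - len(old))


def check_password(candidate: str, settings: Dict[str, str], username: str = "",
                   old: str = "", dictionary: FrozenSet[str] = frozenset()) -> List[str]:
    """Return the names of the violated rules; an empty list means the password passes.
    HISTORY is not modelled (it needs the per-user history); the position-based
    MINDIFF count is an assumption about how the Solaris check works."""
    def num(key: str) -> int:
        return int(settings.get(key) or 0)   # empty values such as "MAXWEEKS=" count as 0

    alpha = sum(c.isalpha() for c in candidate)
    digits = sum(c.isdigit() for c in candidate)
    spaces = sum(c.isspace() for c in candidate)
    nonalpha = len(candidate) - alpha
    special = nonalpha - digits - spaces
    problems: List[str] = []

    if len(candidate) < num("PASSLENGTH"):
        problems.append("PASSLENGTH")
    if settings.get("NAMECHECK", "NO").upper() == "YES" and username and candidate == username:
        problems.append("NAMECHECK")
    if settings.get("WHITESPACE", "YES").upper() == "NO" and spaces:
        problems.append("WHITESPACE")
    if alpha < num("MINALPHA"):
        problems.append("MINALPHA")
    if num("MINNONALPHA"):
        # MINNONALPHA counts digits and specials together; by this example's reading of
        # passwd(4) it replaces MINDIGIT/MINSPECIAL whenever it is set (assumption).
        if nonalpha < num("MINNONALPHA"):
            problems.append("MINNONALPHA")
    else:
        if digits < num("MINDIGIT"):
            problems.append("MINDIGIT")
        if special < num("MINSPECIAL"):
            problems.append("MINSPECIAL")
    if sum(c.isupper() for c in candidate) < num("MINUPPER"):
        problems.append("MINUPPER")
    if sum(c.islower() for c in candidate) < num("MINLOWER"):
        problems.append("MINLOWER")
    if num("MAXREPEATS") and longest_run(candidate) > num("MAXREPEATS"):  # 0 = no limit
        problems.append("MAXREPEATS")
    if old and positions_differing(candidate, old) < num("MINDIFF"):
        problems.append("MINDIFF")
    if candidate.lower() in dictionary:   # the lookup the mkpwdict database serves
        problems.append("DICTIONLIST")
    return problems


SETTINGS = parse_default_passwd(DEFAULT_PASSWD)

if __name__ == "__main__":
    for pw in ("abc", "secret", "secr3t", "123456"):
        print(f"{pw!r}: {check_password(pw, SETTINGS) or 'ok'}")
```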
Address Space Layout Randomization
root@solaris:# sxadm exec -s aslr=disable /usr/bin/pmap self
1914:   /usr/bin/pmap self
0000000000400000         28K r-x--  /usr/bin/pmap
0000000000417000          4K rw---  /usr/bin/pmap
0000000000418000         40K rw---    [ heap ]
FFFF80FFBDDD0000        216K r-x--  /lib/amd64/libproc.so.1
FFFF80FFBDE16000          8K rw---  /lib/amd64/libproc.so.1
FFFF80FFBF430000       1764K r-x--  /lib/amd64/libc.so.1
FFFF80FFBF5F9000         64K rw---  /lib/amd64/libc.so.1
FFFF80FFBF609000         12K rw---  /lib/amd64/libc.so.1
FFFF80FFBF740000          4K rw---    [ anon ]
FFFF80FFBF750000         24K rwx--    [ anon ]
FFFF80FFBF760000          4K rw---    [ anon ]
FFFF80FFBF770000          4K rw---    [ anon ]
FFFF80FFBF780000          4K rw---    [ anon ]
FFFF80FFBF790000          4K rw---    [ anon ]
FFFF80FFBF792000          4K r--s-    [ anon ]
FFFF80FFBF795000        340K r-x--  /lib/amd64/ld.so.1
FFFF80FFBF7FA000         12K rwx--  /lib/amd64/ld.so.1
FFFF80FFBF7FD000          8K rwx--  /lib/amd64/ld.so.1
FFFF80FFBFFFD000         12K rw---    [ stack ]
         total         2556K

root@solaris:# sxadm exec -s aslr=disable /usr/bin/pmap self
1915:   /usr/bin/pmap self
0000000000400000         28K r-x--  /usr/bin/pmap
0000000000417000          4K rw---  /usr/bin/pmap
0000000000418000         40K rw---    [ heap ]
FFFF80FFBDDD0000        216K r-x--  /lib/amd64/libproc.so.1
FFFF80FFBDE16000          8K rw---  /lib/amd64/libproc.so.1
FFFF80FFBF430000       1764K r-x--  /lib/amd64/libc.so.1
FFFF80FFBF5F9000         64K rw---  /lib/amd64/libc.so.1
FFFF80FFBF609000         12K rw---  /lib/amd64/libc.so.1
FFFF80FFBF740000          4K rw---    [ anon ]
FFFF80FFBF750000         24K rwx--    [ anon ]
FFFF80FFBF760000          4K rw---    [ anon ]
FFFF80FFBF770000          4K rw---    [ anon ]
FFFF80FFBF780000          4K rw---    [ anon ]
FFFF80FFBF790000          4K rw---    [ anon ]
FFFF80FFBF792000          4K r--s-    [ anon ]
FFFF80FFBF795000        340K r-x--  /lib/amd64/ld.so.1
FFFF80FFBF7FA000         12K rwx--  /lib/amd64/ld.so.1
FFFF80FFBF7FD000          8K rwx--  /lib/amd64/ld.so.1
FFFF80FFBFFFD000         12K rw---    [ stack ]
         total         2556K

root@solaris:# sxadm exec -s aslr=enable /usr/bin/pmap self
1917:   /usr/bin/pmap self
0000000000400000         28K r-x--  /usr/bin/pmap
0000000000417000          4K rw---  /usr/bin/pmap
0000000000418000          8K rw---  /usr/bin/pmap
00000005D6666000         36K rw---    [ heap ]
00007FF669C70000        216K r-x--  /lib/amd64/libproc.so.1
00007FF669CB6000          8K rw---  /lib/amd64/libproc.so.1
00007FF669CC0000          4K rw---    [ anon ]
00007FF669CD0000         24K rwx--    [ anon ]
00007FF669CE0000          4K rw---    [ anon ]
00007FF669CF0000       1764K r-x--  /lib/amd64/libc.so.1
00007FF669EB9000         64K rw---  /lib/amd64/libc.so.1
00007FF669EC9000         12K rw---  /lib/amd64/libc.so.1
00007FF669ED0000          4K rw---    [ anon ]
00007FF669EE0000          4K rw---    [ anon ]
00007FF669EF0000          4K rw---    [ anon ]
00007FF669EF2000          4K r--s-    [ anon ]
00007FF669EFC000        340K r-x--  /lib/amd64/ld.so.1
00007FF669F61000         12K rwx--  /lib/amd64/ld.so.1
00007FF669F64000          8K rwx--  /lib/amd64/ld.so.1
FFFF80DDA254F000         16K rw---    [ stack ]
         total         2564K

root@solaris:# sxadm exec -s aslr=enable /usr/bin/pmap self
1918:   /usr/bin/pmap self
0000000000400000         28K r-x--  /usr/bin/pmap
0000000000417000          4K rw---  /usr/bin/pmap
0000000000418000          8K rw---  /usr/bin/pmap
000000065B76D000         36K rw---    [ heap ]
00007FFAACFC0000        216K r-x--  /lib/amd64/libproc.so.1
00007FFAAD006000          8K rw---  /lib/amd64/libproc.so.1
00007FFAAD010000          4K rw---    [ anon ]
00007FFAAD020000         24K rwx--    [ anon ]
00007FFAAD030000          4K rw---    [ anon ]
00007FFAAD040000       1764K r-x--  /lib/amd64/libc.so.1
00007FFAAD209000         64K rw---  /lib/amd64/libc.so.1
00007FFAAD219000         12K rw---  /lib/amd64/libc.so.1
00007FFAAD220000          4K rw---    [ anon ]
00007FFAAD230000          4K rw---    [ anon ]
00007FFAAD240000          4K rw---    [ anon ]
00007FFAAD242000          4K r--s-    [ anon ]
00007FFAAD24D000        340K r-x--  /lib/amd64/ld.so.1
00007FFAAD2B2000         12K rwx--  /lib/amd64/ld.so.1
00007FFAAD2B5000          8K rwx--  /lib/amd64/ld.so.1
FFFF80DE1559E000         12K rw---    [ stack ]
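As an added check (not from the slides), this Python script parses two pmap runs and reports which mappings changed their base address between them, using the slides' own addresses as sample input; it makes the point of the four listings above measurable.

```python
"""Compare pmap(1) listings from two runs to see which mappings ASLR actually moved."""
import re
from typing import Dict, List, Tuple

# One pmap line: start address, size in K, permission flags, mapping name.
PMAP_LINE = re.compile(r"^([0-9A-Fa-f]{8,16})\s+(\d+)K\s+([rwxsR-]{5})\s+(.+?)\s*$")

Mapping = Tuple[str, int, int, str]   # (name, start address, size in K, permissions)

# Abbreviated copies of the four pmap runs from the slides (only the mappings that
# matter for the comparison are kept). Runs 1914 and 1915 were taken with aslr=disable
# and are identical on the slides; 1917 and 1918 were taken with aslr=enable.
ASLR_DISABLED_RUN1 = """\
1914:   /usr/bin/pmap self
0000000000400000         28K r-x--  /usr/bin/pmap
0000000000418000         40K rw---    [ heap ]
FFFF80FFBF430000       1764K r-x--  /lib/amd64/libc.so.1
FFFF80FFBF795000        340K r-x--  /lib/amd64/ld.so.1
FFFF80FFBFFFD000         12K rw---    [ stack ]
         total         2556K
"""
ASLR_DISABLED_RUN2 = ASLR_DISABLED_RUN1.replace("1914:", "1915:")
ASLR_ENABLED_RUN1 = """\
1917:   /usr/bin/pmap self
0000000000400000         28K r-x--  /usr/bin/pmap
00000005D6666000         36K rw---    [ heap ]
00007FF669CF0000       1764K r-x--  /lib/amd64/libc.so.1
00007FF669EFC000        340K r-x--  /lib/amd64/ld.so.1
FFFF80DDA254F000         16K rw---    [ stack ]
         total         2564K
"""
ASLR_ENABLED_RUN2 = """\
1918:   /usr/bin/pmap self
0000000000400000         28K r-x--  /usr/bin/pmap
000000065B76D000         36K rw---    [ heap ]
00007FFAAD040000       1764K r-x--  /lib/amd64/libc.so.1
00007FFAAD24D000        340K r-x--  /lib/amd64/ld.so.1
FFFF80DE1559E000         12K rw---    [ stack ]
"""


def parse_pmap(text: str) -> List[Mapping]:
    """Extract the mapping lines; the 'pid: command' header and the total line are skipped."""
    mappings: List[Mapping] = []
    for line in text.splitlines():
        m = PMAP_LINE.match(line.strip())
        if m:
            start, size, perms, name = m.groups()
            mappings.append((name, int(start, 16), int(size), perms))
    return mappings


def base_addresses(mappings: List[Mapping]) -> Dict[str, int]:
    """Lowest start address per mapping name: the load base of a library, the heap, the stack."""
    bases: Dict[str, int] = {}
    for name, start, _size, _perms in mappings:
        bases[name] = min(start, bases.get(name, start))
    return bases


def moved_mappings(run_a: str, run_b: str) -> Dict[str, bool]:
    """For each mapping present in both runs, True if its base address differs between them."""
    a = base_addresses(parse_pmap(run_a))
    b = base_addresses(parse_pmap(run_b))
    return {name: a[name] != b[name] for name in a if name in b}


def aslr_effective(run_a: str, run_b: str) -> bool:
    """ASLR is in effect for the process if heap, stack and libc all landed somewhere else."""
    moved = moved_mappings(run_a, run_b)
    return all(moved.get(n, False) for n in ("[ heap ]", "[ stack ]", "/lib/amd64/libc.so.1"))


if __name__ == "__main__":
    for label, a, b in (("aslr=disable", ASLR_DISABLED_RUN1, ASLR_DISABLED_RUN2),
                        ("aslr=enable", ASLR_ENABLED_RUN1, ASLR_ENABLED_RUN2)):
        print(f"{label}: effective={aslr_effective(a, b)}")
        for name, moved in moved_mappings(a, b).items():
            print(f"  {name:24s} {'moved' if moved else 'fixed'}")
    # The executable's own text stays at 0x400000 in every run shown on the slides:
    # the binary is not position independent, so only heap, libraries and stack move.
```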
root@solaris:# sxadm info
EXTENSION           STATUS                    CONFIGURATION
aslr                enabled (tagged-files)    system default (default)

root@solaris:# elfdump -d /usr/bin/pmap | grep ASLR
      [33]  SUNW_ASLR         0x2                 ENABLE

root@solaris:# elfedit -e 'dyn:sunw_aslr disable' /usr/bin/pmap

root@solaris:# elfdump -d /usr/bin/pmap | grep ASLR
      [33]  SUNW_ASLR         0x1                 DISABLE

root@solaris:# sxadm enable -c model=all aslr
root@solaris:# sxadm info
EXTENSION           STATUS                    CONFIGURATION
aslr                enabled (all)             enabled (all)

root@solaris:# sxadm disable aslr
root@solaris:# sxadm info
EXTENSION           STATUS                    CONFIGURATION
aslr                disabled                  disabled

root@solaris:# sxadm enable -c model=tagged-files aslr
root@solaris:# sxadm info
EXTENSION           STATUS                    CONFIGURATION
aslr                enabled (tagged-files)    enabled (tagged-files)
pfedit
root@template:/etc/apache2/2.2# profiles -p "httpd edit"
profiles:httpd edit> set auths=solaris.admin.edit/etc/apache2/2.2/httpd.conf
profiles:httpd edit> set desc="Edit httpd"
profiles:httpd edit> exit

root@template:/etc/apache2/2.2# usermod -P +"httpd edit" junior

junior@template:~$ profiles
          httpd edit
          Basic Solaris User
          All

junior@template:~$ vi /etc/apache2/2.2/httpd.conf

junior@template:~$ pfedit /etc/apache2/2.2/httpd.conf
pfedit: /etc/apache2/2.2/httpd.conf has been updated.

junior@template:~$ pfedit /etc/apache2/2.2/mime.types
pfedit: User junior is not authorized to edit the file /etc/apache2/2.2/mime.types

root@template:/etc/apache2/2.2# profiles -p "httpd edit"
profiles:httpd edit> info
        name=httpd edit
        desc=Edit httpd
        auths=solaris.admin.edit/etc/apache2/2.2/httpd.conf
profiles:httpd edit> add auths=solaris.admin.edit/etc/apache2/2.2/mime.types

junior@template:~$ pfedit /etc/apache2/2.2/mime.types
pfedit: no changes for /etc/apache2/2.2/mime.types

# profiles -p "httpd configure"
profiles:httpd configure> add always_audit=as
profiles:httpd configure> info
        name=httpd configure
        desc=Configure httpd
        auths=solaris.admin.edit/etc/apache2/2.2/httpd.conf,solaris.admin.edit/etc/apache2/2.2/mime.types
        always_audit=as
        never_audit=no
profiles:httpd configure> exit
root@template:~#

root@template:~# auditreduce -c as | praudit
[...]
header,486,2,edit administrative file,,fe80::a00:27ff:fea6:33cb,2013-08-12 07:45:52.306 +00:00
subject,junior,junior,staff,junior,staff,4212,4474671663,69 136704 MacBook-Pro-of-c0t0d0s0.fritz.box
path,/etc/apache2/2.2/httpd.conf
use of authorization,solaris.admin.edit/etc/apache2/2.2/httpd.conf
text,--- /etc/apache2/2.2/httpd.conf       Mo Aug 12 07:45:00 2013
+++ /etc/apache2/2.2/httpd.conf.pfedit.1BaGoi     Mo Aug 12 07:45:52 2013
@@ -1,5 +1,6 @@
 # Test
 # Test 2
+# Test 3
 #
 # This is the main Apache HTTP server configuration file.  It contains the
 # configuration directives that give the server its instructions.
return,success,0
Delegating privilege to restart services (so you can keep the root password)

junior@template:~$ svcadm refresh apache22
svcadm: svc:/network/http:apache22: Permission denied.

# svcs -a | grep apache22
online         15:30:29 svc:/network/http:apache22

# auths add -t "Apache22 value" solaris.smf.value.http.apache22
# auths add -t "Apache22 action" solaris.smf.action.http.apache22

# svccfg -s apache22 setprop general/value_authorization = astring: solaris.smf.value.http.apache22
# svccfg -s apache22 setprop general/action_authorization = astring: solaris.smf.action.http.apache22

# profiles -p "httpd edit"
profiles:httpd edit> add auths=solaris.smf.action.http.apache22

junior@template:~$ svcadm refresh apache22
junior@template:~$
Privileges
$ ls -l /usr/sbin/traceroute
-r-sr-xr-x   1 root     bin        42324 Nov 21 00:09 /usr/sbin/traceroute
$ ls -l /usr/sbin/ping
-r-sr-xr-x   1 root     bin        51396 Nov 18 19:31 /usr/sbin/ping

Set-uid to root: ping needs it to work.

# chmod -s /sbin/ping
# exit
$ ping -s 192.168.1.132
ping: socket Permission denied

Remove the set-uid bit, and ping stops working.
jmoekamp@daddelkiste:~$ ppriv $$
2153:   -bash
flags = <none>
        E: basic
        I: basic
        P: basic
        L: all

contract_event, contract_identity, contract_observer, cpc_cpu, dtrace_kernel, dtrace_proc, dtrace_user,
file_chown, file_chown_self, file_dac_execute, file_dac_read, file_dac_search, file_dac_write, file_downgrade_sl,
file_flag_set, file_link_any, file_owner, file_read, file_setid, file_upgrade_sl, file_write,
graphics_access, graphics_map, ipc_dac_read, ipc_dac_write, ipc_owner,
net_access, net_bindmlp, net_icmpaccess, net_mac_aware, net_mac_implicit, net_observability, net_privaddr, net_rawaccess,
proc_audit, proc_chroot, proc_clock_highres, proc_exec, proc_fork, proc_info, proc_lock_memory, proc_owner, proc_priocntl, proc_session, proc_setid, proc_taskid, proc_zone,
sys_acct, sys_admin, sys_audit, sys_config, sys_devices, sys_dl_config, sys_flow_config, sys_ib_config, sys_ib_info, sys_ip_config, sys_ipc_config, sys_iptun_config, sys_linkdir, sys_mount, sys_net_config, sys_nfs, sys_ppp_config, sys_res_bind, sys_res_config, sys_resource, sys_share, sys_smb, sys_suser_compat, sys_time, sys_trans_label,
win_colormap, win_config, win_dac_read, win_dac_write, win_devices, win_dga, win_downgrade_sl, win_fontpath, win_mac_read, win_mac_write, win_selection, win_upgrade_sl

All privileges in their entirety assigned to one user are (almost)

Neat extension in Solaris 11: the ability to use networking is now a privilege. It's part of the default set of privileges, but you can remove it.
jmoekamp@daddelkiste:~$ ppriv -v $$
2153:   -bash
flags = <none>
        E: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
        I: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
        P: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
        L: contract_event,contract_identity,contract_observer,cpc_cpu,dtrace_kernel,dtrace_proc,dtrace_user,file_chown,file_chown_self,file_dac_execute,file_dac_read,file_dac_search,file_dac_write,file_downgrade_sl,file_flag_set,file_link_any,file_owner,file_read,file_setid,file_upgrade_sl,file_write,graphics_access,graphics_map,ipc_dac_read,ipc_dac_write,ipc_owner,net_access,net_bindmlp,net_icmpaccess,net_mac_aware,net_mac_implicit,net_observability,net_privaddr,net_rawaccess,proc_audit,proc_chroot,proc_clock_highres,proc_exec,proc_fork,proc_info,proc_lock_memory,proc_owner,proc_priocntl,proc_session,proc_setid,proc_taskid,proc_zone,sys_acct,sys_admin,sys_audit,sys_config,sys_devices,sys_dl_config,sys_flow_config,sys_ib_config,sys_ib_info,sys_ip_config,sys_ipc_config,sys_iptun_config,sys_linkdir,sys_mount,sys_net_config,sys_nfs,sys_ppp_config,sys_res_bind,sys_res_config,sys_resource,sys_share,sys_smb,sys_suser_compat,sys_time,sys_trans_label,win_colormap,win_config,win_dac_read,win_dac_write,win_devices,win_dga,win_downgrade_sl,win_fontpath,win_mac_read,win_mac_write,win_selection,win_upgrade_sl

root@daddelkiste:~# ppriv $$
2183:   -bash
flags = <none>
        E: all
        I: basic
        P: all
        L: all
junior@daddelkiste:~$ dtrace -n 'syscall:::entry { @num[execname] = count(); }'
dtrace: failed to initialize dtrace: DTrace requires additional privileges

root@daddelkiste:~# usermod -K defaultpriv=basic,dtrace_kernel,dtrace_proc,dtrace_user junior
UX: usermod: junior is currently logged in, some changes may not take effect until next login.

junior@daddelkiste:~$ dtrace -n 'syscall:::entry { @num[execname] = count(); }'
dtrace: description 'syscall:::entry ' matched 211 probes
^C

  automountd                                                        1
  sshd                                                             24
  dtrace                                                          544
  auditd                                                          564
# ps -ef | grep kcfd
  daemon   125     1   0 14:24:19 ?           0:00 /usr/lib/crypto/kcfd
    root   734   728   0 15:54:08 pts/1       0:00 grep kcfd
# ppriv -v 125
125:    /usr/lib/crypto/kcfd
flags = PRIV_AWARE
        E: file_owner,proc_priocntl,sys_devices
        I: none
        P: file_owner,proc_priocntl,sys_devices
        L: none

# svcadm -v enable -s apache2
svc:/network/http:apache2 enabled.

jmoekamp@client:~$ ps -ef | grep http
webservd  1978  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1979  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1980  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1984  1975   0 12:20:02 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
    root  1975     1   0 12:19:14 ?           0:01 /usr/apache2/2.2/bin/httpd -k start
webservd  1977  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1976  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start

root@client:~# ppriv 1977
1977:   /usr/apache2/2.2/bin/httpd -k start
flags = <none>
        E: basic
        I: basic
        P: basic
        L: all
root@client:~# ppriv 1975
1975:   /usr/apache2/2.2/bin/httpd -k start
flags = <none>
        E: all
        I: basic
        P: all
        L: all
root@client:~#
The Apache process running as root has the following privileges: all of them (the complete privilege list).

The other processes have the following privileges: the basic set.

Apache really needs only a small subset of them.

So you grant a large number of privileges to one process that Apache doesn't need.
svcadm -v disable -s apache2svcnetworkhttpapache2 disabled
c0t0d0s0org70
rootclient~ svccfg -s apache22svcnetworkhttpapache22gt setprop startuser = astring webservdsvcnetworkhttpapache22gt setprop startgroup = astring webservdsvcnetworkhttpapache22gt setprop startprivileges = astring basicproc_sessionproc_infofile_link_anynet_privaddrsvcnetworkhttpapache22gt setprop startlimit_privileges = astring defaultsvcnetworkhttpapache22gt setprop startuse_profile = boolean falsesvcnetworkhttpapache22gt setprop startsupp_groups = astring defaultsvcnetworkhttpapache22gt setprop startworking_directory = astring defaultsvcnetworkhttpapache22gt setprop startproject = astring defaultsvcnetworkhttpapache22gt setprop startresource_pool = astring defaultsvcnetworkhttpapache22gt endrootclient~ svcadm -v refresh apache22Action refresh set for svcnetworkhttpapache22
c0t0d0s0org71
echo LockFile varapache222logsacceptlock gtgt etcapache222httpdconf echo PidFile varapache222runhttpdpid gtgt etcapache222httpdconf mkdir -p -m 755 varapache222run chown webservdwebservd varapache222run svcadm enable apache22
c0t0d0s0org72
webservd 3064 3061 0 164918 000 usrapache222binhttpd -k startwebservd 3062 3061 0 164918 000 usrapache222binhttpd -k startwebservd 3063 3061 0 164918 000 usrapache222binhttpd -k startwebservd 3066 3061 0 164918 000 usrapache222binhttpd -k startwebservd 3061 1 0 164917 000 usrapache222binhttpd -k startwebservd 3065 3061 0 164918 000 usrapache222binhttpd -k start
Read-only zone root

zonecfg:testzone> set file-mac-profile=none
    Standard read-write non-global zone, with no additional protection beyond the existing zones boundaries.

zonecfg:testzone> set file-mac-profile=strict
    Read-only file system, no exceptions.

zonecfg:testzone> set file-mac-profile=fixed-configuration
    Permits updates to /var/* directories, with the exception of directories that contain system configuration components.

zonecfg:testzone> set file-mac-profile=flexible-configuration
    Permits modification of files in /etc/* directories, changes to root's home directory, and updates to /var/* directories. This configuration provides the closest functionality to the Oracle Solaris 10 native sparse root zone.
in-kernel SSL Proxy

# mkdir /etc/keys
# cd /etc/keys
# openssl req -x509 -nodes -days 365 -subj "/C=DE/ST=Hamburg/L=Hamburg/CN=server" -newkey rsa:1024 -keyout /etc/keys/mykey.pem -out /etc/keys/mycert.pem
# cat mycert.pem mykey.pem > my.pem
# chmod 600 my.pem

# echo "pass" > /etc/keys/mypass
# ksslcfg create -f pem -i /etc/keys/my.pem -x 8080 -p /etc/keys/mypass server 443

# ksslcfg create -f pem -i /etc/keys/my.pem -x 8080 -p /etc/keys/mypass -c rsa_aes_256_cbc_sha,rsa_aes_128_cbc_sha,rsa_rc4_128_sha,rsa_rc4_128_md5 server 443

# svcs -a | grep kssl
online         9:03:33 svc:/network/ssl/proxy:kssl-server-443

# svcadm disable apache22
# echo "Listen 192.168.178.108:8080" >> /etc/apache2/2.2/httpd.conf
# svcadm enable apache22

Port number and IP address have to be defined in httpd.conf, otherwise it will not work.

$ openssl s_client -connect server:443
CONNECTED(00000004)
depth=0 /C=DE/ST=Hamburg/L=Hamburg/CN=server
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=DE/ST=Hamburg/L=Hamburg/CN=server
verify return:1
---
Certificate chain
 0 s:/C=DE/ST=Hamburg/L=Hamburg/CN=server
   i:/C=DE/ST=Hamburg/L=Hamburg/CN=server
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICoTCCAgqgAwIBAgIJAKyJdj[...]V5jX3MU=
-----END CERTIFICATE-----
subject=/C=DE/ST=Hamburg/L=Hamburg/CN=server
issuer=/C=DE/ST=Hamburg/L=Hamburg/CN=server
---
No client certificate CA names sent
---
SSL handshake has read 817 bytes and written 328 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-SHA
    Session-ID: 32CEF20CB9FE2A71C74D40BB2DB5CB304DA1B57540B7CFDD113915B99DBE9812
    Session-ID-ctx:
    Master-Key: 1E7B502390951124779C5763B5E4BBAF0A9B0693D08DCA8A587B503A5C5027B6FAD9CA7626B1AD8C62219E8502A5C21E
    Key-Arg   : None
    Start Time: 1242985143
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
GET / HTTP/1.0

HTTP/1.1 200 OK
Date: Fri, 22 May 2009 09:39:13 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8a DAV/2
Last-Modified: Thu, 21 May 2009 21:26:30 GMT
ETag: "341f3-2c-46a72cc211a8f"
Accept-Ranges: bytes
Content-Length: 44
Connection: close
Content-Type: text/html

<html><body><h1>It works!</h1></body></html>
read:errno=0
ZFS Encryption

# zfs create -o encryption=on rpool/export/project

Two keys are involved: the wrapping key (user settable) and the data encryption key (random, not user settable).
The wrapping key can come from: prompt, file://, https://, pkcs11:

Supported values for the encryption property: aes-128-ccm (=on), aes-192-ccm, aes-256-ccm, aes-128-gcm, aes-192-gcm, aes-256-gcm

Unless encryption=off, something like the following happens automatically:
# zfs set checksum=sha256+mac <dataset>
The checksum property is read-only from then on.

# pktool genkey keystore=pkcs11 keytype=aes keylen=128 label=mykey
Enter PIN for Sun Software PKCS#11 softtoken:
# zfs create -o encryption=on -o keysource=raw,pkcs11:object=mykey tank/project/C
Enter PKCS#11 token PIN for 'tank/project/C':

# zfs create -o encryption=on -o keysource=raw,https://keys.example.com/mykey tank/project/R
# cp myserver.cert.pem /etc/certs/CA
# svcadm refresh ca-certificates

Changing the wrapping key:
$ zfs key -c rpool/export/project
Enter new passphrase for 'rpool/export/project':

Changing the encryption key (for data written from now on):
# zfs key -K tank/project/A
# zfs clone -K tank/project/A@montag tank/project/D

Creates a new data encryption key. Data written in the clone uses the new data encryption key, which is distinct from its original snapshot.
Solaris Cryptographic Framework

As soon as Solaris detects hardware acceleration for cryptography, Solaris will use it (and so do applications using the Oracle-supplied OpenSSL library or the direct interfaces):
• on-chip crypto accelerator in T-series and current M-series chips
• instruction set extensions in Intel processors (AES-NI)
• supported crypto accelerator cards

Just a side note: T-series crypto acceleration and Intel x86 acceleration have quite different performance characteristics.
T-series: acceleration by offloading crypto outside the pipeline.
Intel x86: acceleration by offering special in-pipeline instructions to speed up execution.
Sounds like splitting hairs...
Using ZFS to do two-factor encryption

jmoekamp@solaris:~$ rmformat
Looking for devices...
     1. Logical Node: /dev/rdsk/c10t0d0p0
        Physical Node: /pci@0,0/pci8086,265c@b/storage@2/disk@0,0
        Connected Device: SanDisk  U3 Cruzer Micro  8.02
        Device Type: Removable
        Bus: USB
        Size: 3.8 GB
        Label: <None>
        Access permissions: Medium is not write protected
(...)
     3. Logical Node: /dev/rdsk/c9t0d0p0
        Physical Node: /pci@0,0/pci8086,265c@b/storage@1/disk@0,0
        Connected Device: SanDisk  U3 Cruzer Micro  8.02
        Device Type: Removable
        Bus: USB
        Size: 3.8 GB
        Label: <None>
        Access permissions: Medium is not write protected

root@solaris:~# zpool create a_keystore_usbstick /dev/dsk/c10t0d0p0
root@solaris:~# zpool create datastore /dev/dsk/c9t0d0p0

root@solaris:~# zfs create -o encryption=on a_keystore_usbstick/keys
Enter passphrase for 'a_keystore_usbstick/keys': supersecret
Enter again: supersecret

root@solaris:~# pktool genkey keystore=file keytype=aes keylen=128 outkey=/a_keystore_usbstick/keys/joergsdatastick.key

root@solaris:~# zfs create -o encryption=on -o keysource=raw,file:///a_keystore_usbstick/keys/joergsdatastick.key datastick/joergssecrets

root@solaris:/datastick/joergssecrets# mv /home/jmoekamp/highlyconfidential_nda_presos.tgz .

root@solaris:~# zpool export a_keystore_usbstick
root@solaris:~# zpool export datastick

root@solaris:~# zpool import a_keystore_usbstick
Enter passphrase for 'a_keystore_usbstick/keys': supersecret
root@solaris:~#

root@solaris:~# zpool import datastick
root@solaris:~# cd /datastick/joergssecrets
root@solaris:/datastick/joergssecrets# ls
highconfidential_nda_presos.tgz
Basic Auditing and Reporting Tool

# mkdir /bart-files
# bart create -R /etc > /bart-files/etc.control.manifest

# cat etc.control.manifest | grep nsswitch.nisplus
/nsswitch.nisplus F 2525 100644 user::rw-,group::r--,mask:r--,other:r-- 473976b5 0 3 79e8fd689a5221d1cd059e5077da71b8

# touch /etc/thisisjustatest
# chmod 777 /etc/nsswitch.files
# echo "just a test" >> /etc/nsswitch.nisplus

# bart create -R /etc > /bart-files/etc.check.20130911.manifest

# cd /bart-files
# bart compare etc.control.manifest etc.check.20130911.manifest
/nsswitch.files:
  mode  control:100644  test:100777
  acl  control:user::rw-,group::r--,mask:r--,other:r--  test:user::rwx,group::rwx,mask:rwx,other:rwx
/nsswitch.nisplus:
  size  control:2525  test:2538
  mtime  control:473976b5  test:47a44862
  contents  control:79e8fd689a5221d1cd059e5077da71b8  test:3f79176ec352441db11ec8a3d02ef67c
/thisisjustatest:
  add

Find more information regarding this feature at
http://www.c0t0d0s0.org/archives/4069-Less-known-Solaris-features-BART.html
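The comparison that bart compare performs above can be reproduced from the manifest lines themselves. The following is an added example, not code from the slides or from BART; the two manifests are constructed from the values shown above, and the field layout is the one documented in bart_manifest(4).

```python
"""Compare two BART manifests the way 'bart compare' does.

Added example, not code from the slides or from BART itself. The field
layout follows bart_manifest(4):
    fname F size mode acl mtime    uid gid contents   (regular file)
    fname D size mode acl dirmtime uid gid            (directory)
Only F and D entries are handled; other types are compared by type only.
"""

FIELDS = {
    "F": ("size", "mode", "acl", "mtime", "uid", "gid", "contents"),
    "D": ("size", "mode", "acl", "dirmtime", "uid", "gid"),
}


def parse_manifest(text):
    """Return {fname: (type, {attribute: value})} for a manifest body."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        # "! Version 1.1" and "# Format:" lines are manifest header/comment lines
        if not line or line[0] in "!#":
            continue
        parts = line.split()
        fname, ftype, values = parts[0], parts[1], parts[2:]
        names = FIELDS.get(ftype)
        if names is None:
            entries[fname] = (ftype, {})
            continue
        if len(values) != len(names):
            raise ValueError(f"malformed {ftype} entry for {fname}: {line!r}")
        entries[fname] = (ftype, dict(zip(names, values)))
    return entries


def compare_manifests(control_text, test_text):
    """Return {fname: 'add' | 'delete' | {attribute: (control, test)}}.

    Files present only in the test manifest are 'add', files missing from it
    are 'delete'; files in both are listed only if some attribute changed.
    """
    control = parse_manifest(control_text)
    test = parse_manifest(test_text)
    report = {}
    for fname in sorted(set(control) | set(test)):
        if fname not in control:
            report[fname] = "add"
        elif fname not in test:
            report[fname] = "delete"
        else:
            ctype, cattrs = control[fname]
            ttype, tattrs = test[fname]
            if ctype != ttype:
                report[fname] = {"type": (ctype, ttype)}
                continue
            changed = {k: (cattrs[k], tattrs[k]) for k in cattrs if cattrs[k] != tattrs[k]}
            if changed:
                report[fname] = changed
    return report


def format_report(report):
    """Render the report in the style of bart compare's output."""
    lines = []
    for fname, change in report.items():
        lines.append(f"{fname}:")
        if isinstance(change, str):
            lines.append(f"  {change}")
        else:
            for attr, (c, t) in change.items():
                lines.append(f"  {attr}  control:{c}  test:{t}")
    return "\n".join(lines)


# Constructed sample manifests, modelled on the values the slides show for
# /etc/nsswitch.files, /etc/nsswitch.nisplus and /etc/thisisjustatest.
CONTROL = """\
! Version 1.1
! Wednesday, September 11, 2013 (08:00:00)
# Format:
#fname D size mode acl dirmtime uid gid
#fname F size mode acl mtime uid gid contents
/ D 3 40755 user::rwx,group::r-x,mask:r-x,other:r-x 52301e80 0 3
/nsswitch.files F 2525 100644 user::rw-,group::r--,mask:r--,other:r-- 473976b5 0 3 5e1c3c0f0ea6b5a5c5f1e3b9e0d2a4c7
/nsswitch.nisplus F 2525 100644 user::rw-,group::r--,mask:r--,other:r-- 473976b5 0 3 79e8fd689a5221d1cd059e5077da71b8
"""

TEST = """\
! Version 1.1
! Wednesday, September 11, 2013 (09:30:00)
/ D 4 40755 user::rwx,group::r-x,mask:r-x,other:r-x 52303370 0 3
/nsswitch.files F 2525 100777 user::rwx,group::rwx,mask:rwx,other:rwx 473976b5 0 3 5e1c3c0f0ea6b5a5c5f1e3b9e0d2a4c7
/nsswitch.nisplus F 2538 100644 user::rw-,group::r--,mask:r--,other:r-- 47a44862 0 3 3f79176ec352441db11ec8a3d02ef67c
/thisisjustatest F 0 100644 user::rw-,group::r--,mask:r--,other:r-- 52303370 0 0 d41d8cd98f00b204e9800998ecf8427e
"""

if __name__ == "__main__":
    print(format_report(compare_manifests(CONTROL, TEST)))
```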
Apropos Auditing

Auditing is activated by default

root@client:~# auditconfig -getflags
active user default audit flags = lo(0x1000,0x1000)
configured user default audit flags = lo(0x1000,0x1000)
root@client:~# auditconfig -getnaflags
active non-attributable audit flags = lo(0x1000,0x1000)
configured non-attributable audit flags = lo(0x1000,0x1000)

root@client:~# auditconfig -getpolicy
configured audit policies = cnt
active audit policies = cnt

Policy regarding auditing (explanation on the next slide)

root@client:~# auditconfig -lspolicy
policy string    description:
ahlt             halt machine if it can not record an async event
all              all policies
arge             include exec environment args in audit recs
argv             include exec command line args in audit recs
cnt              when no more space, drop recs and keep a cnt
group            include supplementary groups in audit recs
none             no policies
path             allow multiple paths per event
perzone          use a separate queue and auditd per zone
public           audit public files
seq              include a sequence number in audit recs
trail            include trailer token in audit recs
windata_down     include downgraded window information in audit recs
windata_up       include upgraded window information in audit recs
zonename         include zonename token in audit recs

Which degree of detail? What happens with full disks?

root@client:~# auditconfig -getplugin
Plugin: audit_binfile (active)
    Attributes: p_dir=/var/audit;p_fsize=0;p_minfree=1;

Plugin: audit_syslog (inactive)
    Attributes: p_flags=;

Plugin: audit_remote (inactive)
    Attributes: p_hosts=;p_retries=3;p_timeout=5;

root@client:~# auditconfig -setflags lo,ps,fw
user default audit flags = ps,lo,fw(0x101002,0x101002)
root@client:~# auditconfig -setnaflags lo,na
non-attributable audit flags = lo,na(0x1400,0x1400)

lo and na are the only sensible flags for non-attributable events.
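The masks auditconfig prints after the class names (for example ps,lo,fw(0x101002,0x101002)) are the OR of the class bits for successful and for failed events. The following added example, not code from the slides, rebuilds those masks from an audit_flags string using the audit_flags(5) prefix syntax; the class bits are the ones readable from the auditconfig output above.

```python
"""Compose Solaris audit preselection masks from an audit_flags string.

Added example, not code from the slides. The class bits below are read off
the slides' auditconfig output: lo(0x1000), ps,lo,fw(0x101002),
lo,na(0x1400) and all(0xffffffffffffffff). The flag syntax is that of
audit_flags(5): 'lo' audits success and failure, '+lo' success only,
'-lo' failure only, and a leading '^' removes instead of adds.
"""

ALL_BITS = 0xFFFFFFFFFFFFFFFF

# Subset of /etc/security/audit_class covering the classes used on the slides.
AUDIT_CLASSES = {
    "fw": 0x00000002,   # file write
    "na": 0x00000400,   # non-attributable
    "lo": 0x00001000,   # login or logout
    "ps": 0x00100000,   # process start/stop
    "all": ALL_BITS,
}


def parse_audit_flags(flags):
    """Return (success_mask, failure_mask) for a comma separated flag string."""
    success = failure = 0
    for token in (t.strip() for t in flags.split(",")):
        if not token:
            continue
        remove = token.startswith("^")
        if remove:
            token = token[1:]
        on_success = on_failure = True
        if token.startswith("+"):
            on_failure, token = False, token[1:]
        elif token.startswith("-"):
            on_success, token = False, token[1:]
        if token not in AUDIT_CLASSES:
            raise ValueError(f"unknown audit class: {token!r}")
        bit = AUDIT_CLASSES[token]
        if on_success:
            success = (success & ~bit) if remove else (success | bit)
        if on_failure:
            failure = (failure & ~bit) if remove else (failure | bit)
    return success & ALL_BITS, failure & ALL_BITS


def describe_flags(flags):
    """Render the masks the way auditconfig prints them, e.g. 'ps,lo,fw(0x101002,0x101002)'."""
    success, failure = parse_audit_flags(flags)
    if success == failure == ALL_BITS:
        names = ["all"]
    else:
        names = []
        # auditconfig lists the classes from the highest class bit downwards
        for name, bit in sorted(AUDIT_CLASSES.items(), key=lambda kv: -kv[1]):
            if name == "all":
                continue
            in_success, in_failure = bool(success & bit), bool(failure & bit)
            if in_success and in_failure:
                names.append(name)
            elif in_success:
                names.append("+" + name)
            elif in_failure:
                names.append("-" + name)
    return f"{','.join(names)}({success:#x},{failure:#x})"


if __name__ == "__main__":
    for spec in ("lo", "lo,ps,fw", "lo,na", "all", "lo,+fw", "all,^-lo"):
        print(f"{spec:12} -> {describe_flags(spec)}")
```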
root@client:~# usermod -K audit_flags=fw:as junior

root@client:~# auditconfig -lsevent | grep lo
AUE_login                6152 lo   login - local
AUE_logout               6153 lo   logout
AUE_telnet               6154 lo   login - telnet
AUE_rlogin               6155 lo   login - rlogin
AUE_rshd                 6158 lo   rsh access
AUE_su                   6159 lo   su
AUE_rexecd               6162 lo   rexecd
AUE_passwd               6163 lo   passwd
AUE_rexd                 6164 lo   rexd
AUE_ftpd                 6165 lo   ftp access
AUE_ftpd_logout          6171 lo   ftp logout
AUE_ssh                  6172 lo   login - ssh
AUE_role_login           6173 lo   role login
AUE_rad_login            6174 lo   connect to RAD
AUE_newgrp_login         6212 lo   newgrp login
AUE_admin_authenticate   6213 lo   admin login
AUE_screenlock           6221 lo   screenlock - lock
AUE_screenunlock         6222 lo   screenlock - unlock
AUE_zlogin               6227 lo   login - zlogin
AUE_su_logout            6228 lo   su logout
AUE_role_logout          6229 lo   role logout
AUE_smbd_session         6244 lo   smbd(1m) session setup
AUE_smbd_logoff          6245 lo   smbd(1m) session logoff

root@client:~# auditconfig -lsevent | grep ps
AUE_EXIT                 1    ps   exit(2)
AUE_FORKALL              2    ps   forkall(2)
AUE_VFORK                25   ps   vfork(2)
AUE_FORK1                241  ps   fork1(2)
root@client:~# auditconfig -lsevent | grep fw
AUE_OPEN_W               76   fw   open(2) - write

# auditreduce -c ps /var/audit/20130912183630.not_terminated.client | praudit
header,139,2,execve(2),,client,2013-09-12 18:40:55.924 +00:00
path,/usr/sbin/auditreduce
attribute,100555,root,bin,65538,65875,18446744073709551615
subject,jmoekamp,root,root,root,root,20541,4400809562,480 202240 192.168.10.1
return,success,0

root@client:~# auditconfig -setflags all
user default audit flags = all(0xffffffffffffffff,0xffffffffffffffff)

Not always (in the sense of never) a good idea.

Useful after trying out: starting a new audit file
root@client:~# audit -n

root@client:~# auditstat
  gen  nona   kern  aud  ctl    enq   wrtn  wblk  rblk  drop   tot  mem
38248     1  38233   14    0  37791  37788     0  3491   457  5169    0

all activated for a few seconds on an unloaded system
SSH and X509

root@ca:~# CA.pl -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
............++++++
........++++++
writing new private key to '/etc/openssl/private/cakey.pem'
Enter PEM pass phrase: supersecret1
Verifying - Enter PEM pass phrase: supersecret1
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:DE
State or Province Name (full name) []:Lower Saxony
Locality Name (eg, city) []:Lueneburg
Organization Name (eg, company) []:c0t0d0s0.org
Organizational Unit Name (eg, section) []:Security Department
Common Name (eg, server FQDN or YOUR name) []:CA
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openssl/openssl.cnf
Enter pass phrase for /etc/openssl/private/cakey.pem: supersecret1
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            b3:54:80:88:66:ad:e8:78
        Validity
            Not Before: Sep 26 10:11:09 2013 GMT
            Not After : Sep 25 10:11:09 2016 GMT
        Subject:
            countryName               = DE
            stateOrProvinceName       = Lower Saxony
            organizationName          = c0t0d0s0.org
            organizationalUnitName    = Security Department
            commonName                = CA
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44
            X509v3 Authority Key Identifier:
                keyid:5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44
            X509v3 Basic Constraints:
                CA:TRUE
Certificate is to be certified until Sep 25 10:11:09 2016 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated
root@ca:~# mkdir server
root@ca:~# cd server
root@ca:~/server# CA.pl -newreq
Generating a 1024 bit RSA private key
............++++++
........++++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase: supersecret2
Verifying - Enter PEM pass phrase: supersecret2
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:DE
State or Province Name (full name) []:Lower Saxony
Locality Name (eg, city) []:Lueneburg
Organization Name (eg, company) []:c0t0d0s0.org
Organizational Unit Name (eg, section) []:Server Certificates
Common Name (eg, server FQDN or YOUR name) []:server
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem
root@ca:~/server# CA.pl -signreq
Using configuration from /etc/openssl/openssl.cnf
Enter pass phrase for /etc/openssl/private/cakey.pem: supersecret1
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            b3:54:80:88:66:ad:e8:79
        Validity
            Not Before: Sep 26 10:29:12 2013 GMT
            Not After : Sep 26 10:29:12 2014 GMT
        Subject:
            countryName               = DE
            stateOrProvinceName       = Lower Saxony
            localityName              = Lueneburg
            organizationName          = c0t0d0s0.org
            organizationalUnitName    = Server Certificates
            commonName                = server
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                A7:DC:03:DE:B3:D5:FB:F9:C0:06:F1:1A:55:A9:AD:04:C4:9C:10:FA
            X509v3 Authority Key Identifier:
                keyid:5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44

Certificate is to be certified until Sep 26 10:29:12 2014 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
root@ca:~/server# ls -l
total 15
-rw-r--r--   1 root     root        3196 Sep 26 12:29 newcert.pem
-rw-r--r--   1 root     root        1041 Sep 26 12:28 newkey.pem
-rw-r--r--   1 root     root         680 Sep 26 12:28 newreq.pem
root@ca:~/junior# CA.pl -newreq
Generating a 1024 bit RSA private key
............++++++
........++++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
Verify failure
Enter PEM pass phrase: supersecret3
Verifying - Enter PEM pass phrase: supersecret3
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:DE
State or Province Name (full name) []:Lower Saxony
Locality Name (eg, city) []:Lueneburg
Organization Name (eg, company) []:c0t0d0s0.org
Organizational Unit Name (eg, section) []:User certificates
Common Name (eg, server FQDN or YOUR name) []:junior
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem
root@ca:~/junior# CA.pl -signreq
Using configuration from /etc/openssl/openssl.cnf
Enter pass phrase for /etc/openssl/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            b3:54:80:88:66:ad:e8:7a
        Validity
            Not Before: Sep 26 11:09:29 2013 GMT
            Not After : Sep 26 11:09:29 2014 GMT
        Subject:
            countryName               = DE
            stateOrProvinceName       = Lower Saxony
            localityName              = Lueneburg
            organizationName          = c0t0d0s0.org
            organizationalUnitName    = User certificates
            commonName                = junior
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                A1:F2:FC:9D:8A:E2:AD:9A:F5:29:03:F5:B7:14:93:3C:64:62:8E:9C
            X509v3 Authority Key Identifier:
                keyid:5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44

Certificate is to be certified until Sep 26 11:09:29 2014 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
root@server:~# useradd -m junior
80 blocks
root@server:~# passwd junior
New Password:
Re-enter new Password:
passwd: password successfully changed for junior
root@server:~#

root@client:~# useradd -m junior
80 blocks
root@client:~# passwd junior
New Password:
Re-enter new Password:
passwd: password successfully changed for junior

root@server:~# echo "192.168.10.51 server" >> /etc/hosts
root@server:~# echo "192.168.10.52 client" >> /etc/hosts

root@client:~# echo "192.168.10.51 server" >> /etc/hosts
root@client:~# echo "192.168.10.52 client" >> /etc/hosts

root@ca:~/server# scp /etc/openssl/cacert.pem jmoekamp@192.168.1.109:/export/home/jmoekamp
Password:
cacert.pem           100% |**********************************|  3011       00:00
root@ca:~/server# scp newcert.pem jmoekamp@192.168.1.109:/export/home/jmoekamp
Password:
newcert.pem          100% |**********************************|  3196       00:00
root@ca:~/server# scp newkey.pem jmoekamp@192.168.1.109:/export/home/jmoekamp
Password:
newkey.pem           100% |**********************************|  1041       00:00

root@ca:~/junior# scp newkey.pem junior@client:/export/home/junior
Password:
newkey.pem           100% |**********************************|  1041       00:00
root@ca:~/junior# scp newcert.pem junior@client:/export/home/junior
Password:
newcert.pem          100% |**********************************|  3190       00:00
root@ca:~/junior# scp /etc/openssl/cacert.pem junior@192.168.1.104:/export/home/junior
Password:
cacert.pem           100% |**********************************|  3011       00:00
On the Server

root@server:~# ls
cacert.pem   newcert.pem  newkey.pem

root@server:~# pktool setpin
Enter token passphrase: changeme
Create new passphrase: superserversecret
Re-enter new passphrase: superserversecret
Passphrase changed.
root@server:~#

root@server:~# printf "superserversecret" > /etc/ssh/pinfile

root@server:~# kmfcfg create dbfile=/etc/ssh/policy.xml policy=ssh ta-name=search mapper-name=cn

root@server:~# echo "TrustedAnchorKeystore /etc/ssh/cert" >> /etc/ssh/sshd_config
root@server:~# echo "KMFPolicyDatabase /etc/ssh/policy.xml" >> /etc/ssh/sshd_config
root@server:~# echo "KMFPolicyName ssh" >> /etc/ssh/sshd_config
root@server:~# echo "HostKey pkcs11:object=host;token=Sun Metaslot;pinfile=/etc/ssh/pinfile" >> /etc/ssh/sshd_config

root@server:~# pktool import keystore=pkcs11 infile=newkey.pem objtype=key label=host
Enter PIN for Sun Software PKCS#11 softtoken: superserversecret
Enter PEM pass phrase: supersecret2
Importing 1 keys

root@server:~# egrep -v "^ |^$|^Cert" /export/home/jmoekamp/cacert.pem > /etc/ssh/cert/cacert.cooked.pem
root@server:~# egrep -v "^ |^$|^Cert" newcert.pem > newcert.cooked.pem
root@server:~# pktool import keystore=pkcs11 infile=newcert.cooked.pem objtype=cert label=host
root@server:~#
On the client

junior@client:~$ ls *.pem
cacert.pem   newcert.pem  newkey.pem

root@client:~# kmfcfg create dbfile=/etc/ssh/policy.xml policy=ssh ta-name=search mapper-name=cn
root@client:~# egrep -v "^ |^$|^Cert" /export/home/junior/cacert.pem > /etc/ssh/cert/cacert.cooked.pem

junior@client:~$ pktool setpin
Enter token passphrase: changeme
Create new passphrase: superusersecret
Re-enter new passphrase: superusersecret
Passphrase changed.

junior@client:~$ pktool import keystore=pkcs11 infile=newkey.pem objtype=key label=user
Enter PIN for Sun Software PKCS#11 softtoken: superusersecret
Enter PEM pass phrase: supersecret3
Importing 1 keys
junior@client:~$ egrep -v "^ |^$|^Cert" newcert.pem > newcert.cooked.pem
junior@client:~$ pktool import keystore=pkcs11 infile=newcert.cooked.pem objtype=cert label=user
Testing it

root@server:~# svcadm disable ssh
root@server:~# svcadm enable ssh

junior@client:~$ cd .ssh
junior@client:~/.ssh$ printf "superusersecret" >> pinfile
junior@client:~/.ssh$ cat config
Host server-x509
    Hostname server
    TrustedAnchorKeystore /etc/ssh/cert
    KMFPolicyDatabase /etc/ssh/policy.xml
    KMFPolicyName ssh
    IdentityFile pkcs11:object=user;token=Sun Software PKCS#11 softtoken;pinfile=/export/home/junior/.ssh/pinfile

junior@client:~/.ssh$ ssh junior@server-x509
Last login: Thu Sep 26 20:07:14 2013 from client
Oracle Corporation      SunOS 5.11      11.1    September 2013
junior@server:~$

Find more information regarding this feature at
http://www.c0t0d0s0.org/archives/7659-Using-X509-support-for-SSH-on-Solaris-11.1.html
OpenSCAP

„The Security Content Automation Protocol (SCAP) is a method for using specific standards to enable automated vulnerability management, measurement, and policy compliance evaluation (e.g., FISMA compliance). The National Vulnerability Database (NVD) is the U.S. government content repository for SCAP.“
http://en.wikipedia.org/wiki/Security_Content_Automation_Protocol

ftp-banner.xml

<?xml version="1.0" encoding="UTF-8"?>
<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:independent-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd">
  <generator>
    <oval:product_name>Enhanced SCAP Editor</oval:product_name>
    <oval:product_version>0.0.11</oval:product_version>
    <oval:schema_version>5.8</oval:schema_version>
    <oval:timestamp>2012-10-11T10:33:25</oval:timestamp>
  </generator>
  <!--generated.oval.base.identifier=com.oracle.solaris11-->
  <definitions>
    <definition id="oval:com.oracle.solaris11:def:840" version="1" class="compliance">
      <metadata>
        <title>Enable a Warning Banner for the FTP Service</title>
        <affected family="unix">
          <platform>Oracle Solaris 11</platform>
        </affected>
        <description>/etc/proftpd.conf contains "DisplayConnect /etc/issue"</description>
      </metadata>
      <criteria operator="AND" negate="false" comment="Single test">
        <criterion comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;" test_ref="oval:com.oracle.solaris11:tst:8400" negate="false"/>
      </criteria>
    </definition>
  </definitions>
  <tests>
    <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:com.oracle.solaris11:tst:8400" version="1" check="all" comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;" check_existence="all_exist">
      <object object_ref="oval:com.oracle.solaris11:obj:8400"/>
    </textfilecontent54_test>
  </tests>
  <objects>
    <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:com.oracle.solaris11:obj:8400" version="1" comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;">
      <path datatype="string" operation="equals">/etc</path>
      <filename datatype="string" operation="equals">proftpd.conf</filename>
      <pattern datatype="string" operation="pattern match">^DisplayConnect\s+/etc/issue\s*$</pattern>
      <instance datatype="int" operation="greater than or equal">1</instance>
    </textfilecontent54_object>
  </objects>
</oval_definitions>

The object that does the actual work:

<textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:com.oracle.solaris11:obj:8400" version="1" comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;">
  <path datatype="string" operation="equals">/etc</path>
  <filename datatype="string" operation="equals">proftpd.conf</filename>
  <pattern datatype="string" operation="pattern match">^DisplayConnect\s+/etc/issue\s*$</pattern>
  <instance datatype="int" operation="greater than or equal">1</instance>
</textfilecontent54_object>
$ oscap oval eval ftp-banner.xml
Definition oval:com.oracle.solaris11:def:840: false
Evaluation done.

$ oscap oval eval --results results.xml --report report.html ftp-banner.xml
Definition oval:com.oracle.solaris11:def:840: false
Evaluation done.
OVAL Results are exported correctly.
To create your own OVAL files: Enhanced SCAP Content Editor

Find more information regarding this feature at
https://blogs.oracle.com/darren/entry/compliance_reporting_with_scap
Passwords

root@client:/etc/security# cat /etc/security/crypt.conf
#
# Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
#ident  "%Z%%M% %I%     %E% SMI"
#
# The algorithm name __unix__ is reserved.
#
1       crypt_bsdmd5.so.1
2a      crypt_bsdbf.so.1
md5     crypt_sunmd5.so.1
5       crypt_sha256.so.1
6       crypt_sha512.so.1

root@client:/etc/security# cat /etc/security/policy.conf | egrep ^CRYPT_DEFAULT
CRYPT_DEFAULT=5
root@client:/etc/security# cat /etc/shadow | grep junior
junior:$5$4aKvDFqA$2kL8GpuXjrdf8XpanqhylEP5lDhy1DF5uo1ZYx74f3159291440

root@client:/etc/security# cat /etc/default/passwd | grep -v "^# " | egrep -v "^$|^ $"
#ident  "%Z%%M% %I%     %E% SMI"
MAXWEEKS=
MINWEEKS=
PASSLENGTH=6
NAMECHECK=NO
HISTORY=0
MINDIFF=3
MINALPHA=2
MINNONALPHA=1
MINUPPER=0
MINLOWER=0
MAXREPEATS=0
MINSPECIAL=0
MINDIGIT=0
WHITESPACE=YES
DICTIONLIST=
DICTIONDBDIR=/var/passwd
root@client:~# mkpwdict -s /usr/share/lib/dict/words
mkpwdict: using default database location: /var/passwd.

or

root@client:~# mkpwdict -s /usr/share/lib/dict/words -d /var/passwd
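The composition rules in /etc/default/passwd shown above can be checked outside of passwd(1), which is useful for testing a candidate policy before rolling it out. The following is an added example, not code from the slides or from Solaris: it evaluates PASSLENGTH, MINALPHA, MINNONALPHA, MINUPPER, MINLOWER, MINDIGIT, MINSPECIAL, MAXREPEATS, WHITESPACE and a simplified NAMECHECK against a constructed copy of the file; HISTORY, MINDIFF and the mkpwdict dictionary check need the old password or the database and are left out.

```python
"""Check a candidate password against the /etc/default/passwd settings shown above.

Added example, not code from the slides or from passwd(1). It implements the
composition rules from the file; HISTORY, MINDIFF and the dictionary check
need the old password or the mkpwdict database and are left out. As in
passwd(1), MINDIGIT/MINSPECIAL take precedence over MINNONALPHA when set.
"""

# Constructed copy of the values the slides show for /etc/default/passwd.
DEFAULT_PASSWD = """\
MAXWEEKS=
MINWEEKS=
PASSLENGTH=6
NAMECHECK=NO
HISTORY=0
MINDIFF=3
MINALPHA=2
MINNONALPHA=1
MINUPPER=0
MINLOWER=0
MAXREPEATS=0
MINSPECIAL=0
MINDIGIT=0
WHITESPACE=YES
DICTIONLIST=
DICTIONDBDIR=/var/passwd
"""


def parse_policy(text):
    """Return {KEY: value} from the KEY=value lines, ignoring comments and blanks."""
    policy = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        policy[key.strip()] = value.strip()
    return policy


def _int(policy, key, default=0):
    """Numeric setting; an empty value (e.g. MAXWEEKS=) means 'not set'."""
    value = policy.get(key, "")
    return int(value) if value else default


def longest_repeat(password):
    """Length of the longest run of one repeated character."""
    best = run = 0
    for i, ch in enumerate(password):
        run = run + 1 if i and password[i - 1] == ch else 1
        best = max(best, run)
    return best


def check_password(password, policy, username=None):
    """Return the list of policy rules the password violates (empty = accepted)."""
    violations = []
    alpha = sum(c.isalpha() for c in password)
    digits = sum(c.isdigit() for c in password)
    upper = sum(c.isupper() for c in password)
    lower = sum(c.islower() for c in password)
    spaces = sum(c.isspace() for c in password)
    special = len(password) - alpha - digits - spaces   # punctuation and the like

    if len(password) < _int(policy, "PASSLENGTH", 6):
        violations.append("PASSLENGTH")
    if alpha < _int(policy, "MINALPHA"):
        violations.append("MINALPHA")
    min_digit, min_special = _int(policy, "MINDIGIT"), _int(policy, "MINSPECIAL")
    if min_digit or min_special:
        if digits < min_digit:
            violations.append("MINDIGIT")
        if special < min_special:
            violations.append("MINSPECIAL")
    elif digits + special < _int(policy, "MINNONALPHA"):
        violations.append("MINNONALPHA")
    if upper < _int(policy, "MINUPPER"):
        violations.append("MINUPPER")
    if lower < _int(policy, "MINLOWER"):
        violations.append("MINLOWER")
    max_repeats = _int(policy, "MAXREPEATS")       # 0 means no check
    if max_repeats and longest_repeat(password) > max_repeats:
        violations.append("MAXREPEATS")
    if spaces and policy.get("WHITESPACE", "YES").upper() != "YES":
        violations.append("WHITESPACE")
    # Simplified NAMECHECK: only rejects a password equal to the login name.
    if username and policy.get("NAMECHECK", "NO").upper() == "YES" and password.lower() == username.lower():
        violations.append("NAMECHECK")
    return violations


if __name__ == "__main__":
    policy = parse_policy(DEFAULT_PASSWD)
    for candidate in ("abcdef", "abc12", "abcde1"):
        print(candidate, check_password(candidate, policy) or "ok")
```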
Address Space Layout Randomization

root@solaris:~# sxadm exec -s aslr=disable /usr/bin/pmap self
1914:   /usr/bin/pmap self
0000000000400000         28K r-x--  /usr/bin/pmap
0000000000417000          4K rw---  /usr/bin/pmap
0000000000418000         40K rw---    [ heap ]
FFFF80FFBDDD0000        216K r-x--  /lib/amd64/libproc.so.1
FFFF80FFBDE16000          8K rw---  /lib/amd64/libproc.so.1
FFFF80FFBF430000       1764K r-x--  /lib/amd64/libc.so.1
FFFF80FFBF5F9000         64K rw---  /lib/amd64/libc.so.1
FFFF80FFBF609000         12K rw---  /lib/amd64/libc.so.1
FFFF80FFBF740000          4K rw---    [ anon ]
FFFF80FFBF750000         24K rwx--    [ anon ]
FFFF80FFBF760000          4K rw---    [ anon ]
FFFF80FFBF770000          4K rw---    [ anon ]
FFFF80FFBF780000          4K rw---    [ anon ]
FFFF80FFBF790000          4K rw---    [ anon ]
FFFF80FFBF792000          4K r--s-    [ anon ]
FFFF80FFBF795000        340K r-x--  /lib/amd64/ld.so.1
FFFF80FFBF7FA000         12K rwx--  /lib/amd64/ld.so.1
FFFF80FFBF7FD000          8K rwx--  /lib/amd64/ld.so.1
FFFF80FFBFFFD000         12K rw---    [ stack ]
        total         2556K

root@solaris:~# sxadm exec -s aslr=disable /usr/bin/pmap self
1915:   /usr/bin/pmap self
0000000000400000         28K r-x--  /usr/bin/pmap
0000000000417000          4K rw---  /usr/bin/pmap
0000000000418000         40K rw---    [ heap ]
FFFF80FFBDDD0000        216K r-x--  /lib/amd64/libproc.so.1
FFFF80FFBDE16000          8K rw---  /lib/amd64/libproc.so.1
FFFF80FFBF430000       1764K r-x--  /lib/amd64/libc.so.1
FFFF80FFBF5F9000         64K rw---  /lib/amd64/libc.so.1
FFFF80FFBF609000         12K rw---  /lib/amd64/libc.so.1
FFFF80FFBF740000          4K rw---    [ anon ]
FFFF80FFBF750000         24K rwx--    [ anon ]
FFFF80FFBF760000          4K rw---    [ anon ]
FFFF80FFBF770000          4K rw---    [ anon ]
FFFF80FFBF780000          4K rw---    [ anon ]
FFFF80FFBF790000          4K rw---    [ anon ]
FFFF80FFBF792000          4K r--s-    [ anon ]
FFFF80FFBF795000        340K r-x--  /lib/amd64/ld.so.1
FFFF80FFBF7FA000         12K rwx--  /lib/amd64/ld.so.1
FFFF80FFBF7FD000          8K rwx--  /lib/amd64/ld.so.1
FFFF80FFBFFFD000         12K rw---    [ stack ]
        total         2556K

root@solaris:~# sxadm exec -s aslr=enable /usr/bin/pmap self
1917:   /usr/bin/pmap self
0000000000400000         28K r-x--  /usr/bin/pmap
0000000000417000          4K rw---  /usr/bin/pmap
0000000000418000          8K rw---  /usr/bin/pmap
00000005D6666000         36K rw---    [ heap ]
00007FF669C70000        216K r-x--  /lib/amd64/libproc.so.1
00007FF669CB6000          8K rw---  /lib/amd64/libproc.so.1
00007FF669CC0000          4K rw---    [ anon ]
00007FF669CD0000         24K rwx--    [ anon ]
00007FF669CE0000          4K rw---    [ anon ]
00007FF669CF0000       1764K r-x--  /lib/amd64/libc.so.1
00007FF669EB9000         64K rw---  /lib/amd64/libc.so.1
00007FF669EC9000         12K rw---  /lib/amd64/libc.so.1
00007FF669ED0000          4K rw---    [ anon ]
00007FF669EE0000          4K rw---    [ anon ]
00007FF669EF0000          4K rw---    [ anon ]
00007FF669EF2000          4K r--s-    [ anon ]
00007FF669EFC000        340K r-x--  /lib/amd64/ld.so.1
00007FF669F61000         12K rwx--  /lib/amd64/ld.so.1
00007FF669F64000          8K rwx--  /lib/amd64/ld.so.1
FFFF80DDA254F000         16K rw---    [ stack ]
        total         2564K

root@solaris:~# sxadm exec -s aslr=enable /usr/bin/pmap self
1918:   /usr/bin/pmap self
0000000000400000         28K r-x--  /usr/bin/pmap
0000000000417000          4K rw---  /usr/bin/pmap
0000000000418000          8K rw---  /usr/bin/pmap
000000065B76D000         36K rw---    [ heap ]
00007FFAACFC0000        216K r-x--  /lib/amd64/libproc.so.1
00007FFAAD006000          8K rw---  /lib/amd64/libproc.so.1
00007FFAAD010000          4K rw---    [ anon ]
00007FFAAD020000         24K rwx--    [ anon ]
00007FFAAD030000          4K rw---    [ anon ]
00007FFAAD040000       1764K r-x--  /lib/amd64/libc.so.1
00007FFAAD209000         64K rw---  /lib/amd64/libc.so.1
00007FFAAD219000         12K rw---  /lib/amd64/libc.so.1
00007FFAAD220000          4K rw---    [ anon ]
00007FFAAD230000          4K rw---    [ anon ]
00007FFAAD240000          4K rw---    [ anon ]
00007FFAAD242000          4K r--s-    [ anon ]
00007FFAAD24D000        340K r-x--  /lib/amd64/ld.so.1
00007FFAAD2B2000         12K rwx--  /lib/amd64/ld.so.1
00007FFAAD2B5000          8K rwx--  /lib/amd64/ld.so.1
FFFF80DE1559E000         12K rw---    [ stack ]
root@solaris:~# sxadm info
EXTENSION           STATUS                         CONFIGURATION
aslr                enabled (tagged-files)         system default (default)

root@solaris:~# elfdump -d /usr/bin/pmap | grep ASLR
      [33]  SUNW_ASLR         0x2               ENABLE

root@solaris:~# elfedit -e 'dyn:sunw_aslr disable' /usr/bin/pmap

root@solaris:~# elfdump -d /usr/bin/pmap | grep ASLR
      [33]  SUNW_ASLR         0x1               DISABLE

root@solaris:~# sxadm enable -c model=all aslr
root@solaris:~# sxadm info
EXTENSION           STATUS                         CONFIGURATION
aslr                enabled (all)                  enabled (all)

root@solaris:~# sxadm disable aslr
root@solaris:~# sxadm info
EXTENSION           STATUS                         CONFIGURATION
aslr                disabled                       disabled

root@solaris:~# sxadm enable -c model=tagged-files aslr
root@solaris:~# sxadm info
EXTENSION           STATUS                         CONFIGURATION
aslr                enabled (tagged-files)         enabled (tagged-files)
c0t0d0s0org30
pfedit

root@template:/etc/apache2/2.2# profiles -p "httpd edit"
profiles:httpd edit> set auths=solaris.admin.edit/etc/apache2/2.2/httpd.conf
profiles:httpd edit> set desc="Edit httpd"
profiles:httpd edit> exit

root@template:/etc/apache2/2.2# usermod -P +"httpd edit" junior

junior@template:~$ profiles
        httpd edit
        Basic Solaris User
        All

junior@template:~$ vi /etc/apache2/2.2/httpd.conf

junior@template:~$ pfedit /etc/apache2/2.2/httpd.conf
pfedit: /etc/apache2/2.2/httpd.conf has been updated.

junior@template:~$ pfedit /etc/apache2/2.2/mime.types
pfedit: User junior is not authorized to edit the file /etc/apache2/2.2/mime.types

root@template:/etc/apache2/2.2# profiles -p "httpd edit"
profiles:httpd edit> info
        name=httpd edit
        desc=Edit httpd
        auths=solaris.admin.edit/etc/apache2/2.2/httpd.conf
profiles:httpd edit> add auths=solaris.admin.edit/etc/apache2/2.2/mime.types

junior@template:~$ pfedit /etc/apache2/2.2/mime.types
pfedit: no changes for /etc/apache2/2.2/mime.types

root@template:~# profiles -p "httpd configure"
profiles:httpd configure> add always_audit=as
profiles:httpd configure> info
        name=httpd configure
        desc=Configure httpd
        auths=solaris.admin.edit/etc/apache2/2.2/httpd.conf,solaris.admin.edit/etc/apache2/2.2/mime.types
        always_audit=as
        never_audit=no
profiles:httpd configure> exit
root@template:~#

root@template:~# auditreduce -c as | praudit

[...]
header,4862,2,edit administrative file,,fe80::a00:27ff:fea6:33cb,2013-08-12 07:45:52.306 +00:00
subject,junior,junior,staff,junior,staff,4212,4474671663,69 136704 MacBook-Pro-of-c0t0d0s0.fritz.box
path,/etc/apache2/2.2/httpd.conf
use of authorization,solaris.admin.edit/etc/apache2/2.2/httpd.conf
text,--- /etc/apache2/2.2/httpd.conf     Mo Aug 12 07:45:00 2013
+++ /etc/apache2/2.2/httpd.conf.pfedit.1BaGoi      Mo Aug 12 07:45:52 2013
@@ -1,5 +1,6 @@
 # Test
 # Test 2
+# Test 3
 #
 # This is the main Apache HTTP server configuration file.  It contains the
 # configuration directives that give the server its instructions.
return,success,0
Delegating privilege to restart services (so you can keep the root password)

junior@template:~$ svcadm refresh apache22
svcadm: svc:/network/http:apache22: Permission denied.

# svcs -a | grep apache22
online         15:30:29 svc:/network/http:apache22

# auths add -t "Apache22 value" solaris.smf.value.http.apache22
# auths add -t "Apache22 action" solaris.smf.action.http.apache22

# svccfg -s apache22 setprop general/value_authorization = astring: solaris.smf.value.http.apache22
# svccfg -s apache22 setprop general/action_authorization = astring: solaris.smf.action.http.apache22

# profiles -p "httpd edit" "add auths=solaris.smf.action.http.apache22"

junior@template:~$ svcadm refresh apache22
junior@template:~$
Privileges

$ ls -l /usr/sbin/traceroute
-r-sr-xr-x   1 root     bin        42324 Nov 21 00:09 /usr/sbin/traceroute
$ ls -l /usr/sbin/ping
-r-sr-xr-x   1 root     bin        51396 Nov 18 19:31 /usr/sbin/ping
set-uid to root: ping needs it to work.

# chmod -s /sbin/ping
# exit
$ ping -s 192.168.1.132
ping: socket Permission denied
Remove the set-uid bit and ping will stop working.

jmoekamp@daddelkiste:~$ ppriv $$
2153:   -bash
flags = <none>
        E: basic
        I: basic
        P: basic
        L: all

The complete set of privileges:
contract_event, contract_identity, contract_observer, cpc_cpu,
dtrace_kernel, dtrace_proc, dtrace_user,
file_chown, file_chown_self, file_dac_execute, file_dac_read, file_dac_search, file_dac_write, file_downgrade_sl, file_flag_set, file_link_any, file_owner, file_read, file_setid, file_upgrade_sl, file_write,
graphics_access, graphics_map,
ipc_dac_read, ipc_dac_write, ipc_owner,
net_access, net_bindmlp, net_icmpaccess, net_mac_aware, net_mac_implicit, net_observability, net_privaddr, net_rawaccess,
proc_audit, proc_chroot, proc_clock_highres, proc_exec, proc_fork, proc_info, proc_lock_memory, proc_owner, proc_priocntl, proc_session, proc_setid, proc_taskid, proc_zone,
sys_acct, sys_admin, sys_audit, sys_config, sys_devices, sys_dl_config, sys_flow_config, sys_ib_config, sys_ib_info, sys_ip_config, sys_ipc_config, sys_iptun_config, sys_linkdir, sys_mount, sys_net_config, sys_nfs, sys_ppp_config, sys_res_bind, sys_res_config, sys_resource, sys_share, sys_smb, sys_suser_compat, sys_time, sys_trans_label,
win_colormap, win_config, win_dac_read, win_dac_write, win_devices, win_dga, win_downgrade_sl, win_fontpath, win_mac_read, win_mac_write, win_selection, win_upgrade_sl

All privileges in their entirety assigned to one user are (almost)

Neat extension in Solaris 11: the ability to use networking is now a privilege. It's part of the default set of privileges, but you can remove it.

jmoekamp@daddelkiste:~$ ppriv -v $$
2153:   -bash
flags = <none>
        E: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
        I: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
        P: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
        L: contract_event,contract_identity,contract_observer,cpc_cpu,dtrace_kernel,dtrace_proc,dtrace_user,file_chown,file_chown_self,file_dac_execute,file_dac_read,file_dac_search,file_dac_write,file_downgrade_sl,file_flag_set,file_link_any,file_owner,file_read,file_setid,file_upgrade_sl,file_write,graphics_access,graphics_map,ipc_dac_read,ipc_dac_write,ipc_owner,net_access,net_bindmlp,net_icmpaccess,net_mac_aware,net_mac_implicit,net_observability,net_privaddr,net_rawaccess,proc_audit,proc_chroot,proc_clock_highres,proc_exec,proc_fork,proc_info,proc_lock_memory,proc_owner,proc_priocntl,proc_session,proc_setid,proc_taskid,proc_zone,sys_acct,sys_admin,sys_audit,sys_config,sys_devices,sys_dl_config,sys_flow_config,sys_ib_config,sys_ib_info,sys_ip_config,sys_ipc_config,sys_iptun_config,sys_linkdir,sys_mount,sys_net_config,sys_nfs,sys_ppp_config,sys_res_bind,sys_res_config,sys_resource,sys_share,sys_smb,sys_suser_compat,sys_time,sys_trans_label,win_colormap,win_config,win_dac_read,win_dac_write,win_devices,win_dga,win_downgrade_sl,win_fontpath,win_mac_read,win_mac_write,win_selection,win_upgrade_sl

root@daddelkiste:~# ppriv $$
2183:   -bash
flags = <none>
        E: all
        I: basic
        P: all
        L: all
junior@daddelkiste:~$ dtrace -n 'syscall:::entry { @num[execname] = count(); }'
dtrace: failed to initialize dtrace: DTrace requires additional privileges

root@daddelkiste:~# usermod -K defaultpriv=basic,dtrace_kernel,dtrace_proc,dtrace_user junior
UX: usermod: junior is currently logged in, some changes may not take effect until next login.

junior@daddelkiste:~$ dtrace -n 'syscall:::entry { @num[execname] = count(); }'
dtrace: description 'syscall:::entry' matched 211 probes
^C
  automountd                                                        1
  sshd                                                             24
  dtrace                                                          544
  auditd                                                          564

# ps -ef | grep kcfd
  daemon   125     1   0 14:24:19 ?           0:00 /usr/lib/crypto/kcfd
    root   734   728   0 15:54:08 pts/1       0:00 grep kcfd
# ppriv -v 125
125:    /usr/lib/crypto/kcfd
flags = PRIV_AWARE
        E: file_owner,proc_priocntl,sys_devices
        I: none
        P: file_owner,proc_priocntl,sys_devices
        L: none

# svcadm -v enable -s apache2
svc:/network/http:apache2 enabled.

jmoekamp@client:~$ ps -ef | grep http
webservd  1978  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1979  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1980  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1984  1975   0 12:20:02 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
    root  1975     1   0 12:19:14 ?           0:01 /usr/apache2/2.2/bin/httpd -k start
webservd  1977  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1976  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start

root@client:~# ppriv 1977
1977:   /usr/apache2/2.2/bin/httpd -k start
flags = <none>
        E: basic
        I: basic
        P: basic
        L: all
root@client:~# ppriv 1975
1975:   /usr/apache2/2.2/bin/httpd -k start
flags = <none>
        E: all
        I: basic
        P: all
        L: all
root@client:~#
The Apache process running as root has the following privileges: all of them.

The other processes have the following privileges: the basic set.

Apache really needs: basic, proc_session, proc_info, file_link_any, net_privaddr.

So you grant a large number of privileges to one process that Apache doesn't need.

# svcadm -v disable -s apache2
svc:/network/http:apache2 disabled.

root@client:~# svccfg -s apache22
svc:/network/http:apache22> setprop start/user = astring: webservd
svc:/network/http:apache22> setprop start/group = astring: webservd
svc:/network/http:apache22> setprop start/privileges = astring: basic,proc_session,proc_info,file_link_any,net_privaddr
svc:/network/http:apache22> setprop start/limit_privileges = astring: :default
svc:/network/http:apache22> setprop start/use_profile = boolean: false
svc:/network/http:apache22> setprop start/supp_groups = astring: :default
svc:/network/http:apache22> setprop start/working_directory = astring: :default
svc:/network/http:apache22> setprop start/project = astring: :default
svc:/network/http:apache22> setprop start/resource_pool = astring: :default
svc:/network/http:apache22> end
root@client:~# svcadm -v refresh apache22
Action refresh set for svc:/network/http:apache22.

# echo "LockFile /var/apache2/2.2/logs/accept.lock" >> /etc/apache2/2.2/httpd.conf
# echo "PidFile /var/apache2/2.2/run/httpd.pid" >> /etc/apache2/2.2/httpd.conf
# mkdir -p -m 755 /var/apache2/2.2/run
# chown webservd:webservd /var/apache2/2.2/run
# svcadm enable apache22

webservd  3064  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3062  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3063  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3066  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3061     1   0 16:49:17 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3065  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
Read-only zone root

zonecfg:testzone> set file-mac-profile=none
    Standard read-write non-global zone with no additional protection beyond the existing zone boundaries.
zonecfg:testzone> set file-mac-profile=strict
    Read-only file system, no exceptions.
zonecfg:testzone> set file-mac-profile=fixed-configuration
    Permits updates to /var/* directories, with the exception of directories that contain system configuration components.
zonecfg:testzone> set file-mac-profile=flexible-configuration
    Permits modification of files in /etc/* directories, changes to root's home directory, and updates to /var/* directories. This configuration provides the closest functionality to the Oracle Solaris 10 native sparse root zone.
in-kernel SSL Proxy

# mkdir /etc/keys
# cd /etc/keys
# openssl req -x509 -nodes -days 365 -subj '/C=DE/ST=Hamburg/L=Hamburg/CN=server' -newkey rsa:1024 -keyout /etc/keys/mykey.pem -out /etc/keys/mycert.pem
# cat mycert.pem mykey.pem > my.pem
# chmod 600 my.pem

# echo "pass" > /etc/keys/mypass
# ksslcfg create -f pem -i /etc/keys/my.pem -x 8080 -p /etc/keys/mypass server 443

# ksslcfg create -f pem -i /etc/keys/my.pem -x 8080 -p /etc/keys/mypass -c rsa_aes_256_cbc_sha,rsa_aes_128_cbc_sha,rsa_rc4_128_sha,rsa_rc4_128_md5 server 443

# svcs -a | grep kssl
online          9:03:33 svc:/network/ssl/proxy:kssl-server-443

# svcadm disable apache22
# echo "Listen 192.168.178.108:8080" >> /etc/apache2/2.2/httpd.conf
# svcadm enable apache22
Port number and IP address have to be defined in httpd.conf, otherwise it will not work.

$ openssl s_client -connect server:443
CONNECTED(00000004)
depth=0 /C=DE/ST=Hamburg/L=Hamburg/CN=server
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=DE/ST=Hamburg/L=Hamburg/CN=server
verify return:1
---
Certificate chain
 0 s:/C=DE/ST=Hamburg/L=Hamburg/CN=server
   i:/C=DE/ST=Hamburg/L=Hamburg/CN=server
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICoTCCAgqgAwIBAgIJAKyJdj[...]V5jX3MU=
-----END CERTIFICATE-----
subject=/C=DE/ST=Hamburg/L=Hamburg/CN=server
issuer=/C=DE/ST=Hamburg/L=Hamburg/CN=server
---
No client certificate CA names sent
---
SSL handshake has read 817 bytes and written 328 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-SHA
    Session-ID: 32CEF20CB9FE2A71C74D40BB2DB5CB304DA1B57540B7CFDD113915B99DBE9812
    Session-ID-ctx:
    Master-Key: 1E7B502390951124779C5763B5E4BBAF0A9B0693D08DCA8A587B503A5C5027B6FAD9CA7626B1AD8C62219E8502A5C21E
    Key-Arg   : None
    Start Time: 1242985143
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
GET / HTTP/1.0

HTTP/1.1 200 OK
Date: Fri, 22 May 2009 09:39:13 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8a DAV/2
Last-Modified: Thu, 21 May 2009 21:26:30 GMT
ETag: "341f3-2c-46a72cc211a8f"
Accept-Ranges: bytes
Content-Length: 44
Connection: close
Content-Type: text/html

<html><body><h1>It works!</h1></body></html>
read:errno=0
ZFS Encryption

# zfs create -o encryption=on rpool/export/project

wrapping key (user settable)
encryption key (random, not user settable)
wrapping key sources: prompt, file, https, pkcs11

aes-128-ccm (= on), aes-192-ccm, aes-256-ccm, aes-128-gcm, aes-192-gcm, aes-256-gcm

# zfs set checksum=sha256+mac <dataset>
When encryption is not off, something like this happens automatically, and the checksum property is read-only from then on.

# pktool genkey keystore=pkcs11 keytype=aes keylen=128 label=mykey
Enter PIN for Sun Software PKCS#11 softtoken:
# zfs create -o encryption=on -o keysource=raw,pkcs11:object=mykey tank/project/C
Enter PKCS#11 token PIN for 'tank/project/C':

# zfs create -o encryption=on -o keysource=raw,https://keys.example.com/mykey tank/project/R
# cp myservercert.pem /etc/certs/CA
# svcadm refresh ca-certificates

$ zfs key -c rpool/export/project
Enter new passphrase for 'rpool/export/project':
Changing the wrapping key.

# zfs key -K tank/project/A
# zfs clone -K tank/project/A@montag tank/project/D
Changing the encryption key for data written from now on: this creates a new data encryption key. Data written in the clone uses the new data encryption key, which is distinct from that of its original snapshot.
Solaris Cryptographic Framework

As soon as Solaris detects hardware acceleration for cryptography, Solaris will use it (and so do applications using the Oracle-supplied OpenSSL library or the direct interfaces):
• on-chip crypto accelerator in T and current M series chips
• instruction set extensions in Intel processors (AES-NI)
• supported crypto accelerator cards

Just a side note: T-series crypto acceleration and Intel x86 acceleration have pretty different performance characteristics.
T-Series: acceleration by offloading crypto outside the pipeline.
Intel x86: acceleration by offering special in-pipeline instructions to accelerate execution.
Sounds like splitting hairs
Using ZFS to do two-factor encryption

jmoekamp@solaris:~$ rmformat
Looking for devices...
     1. Logical Node: /dev/rdsk/c10t0d0p0
        Physical Node: /pci@0,0/pci8086,265c@b/storage@2/disk@0,0
        Connected Device: SanDisk  U3 Cruzer Micro  8.02
        Device Type: Removable
        Bus: USB
        Size: 3.8 GB
        Label:
        Access permissions: Medium is not write protected.
[...]
     3. Logical Node: /dev/rdsk/c9t0d0p0
        Physical Node: /pci@0,0/pci8086,265c@b/storage@1/disk@0,0
        Connected Device: SanDisk  U3 Cruzer Micro  8.02
        Device Type: Removable
        Bus: USB
        Size: 3.8 GB
        Label:
        Access permissions: Medium is not write protected.

root@solaris:~# zpool create a_keystore_usbstick /dev/dsk/c10t0d0p0
root@solaris:~# zpool create datastore /dev/dsk/c9t0d0p0

root@solaris:~# zfs create -o encryption=on a_keystore_usbstick/keys
Enter passphrase for 'a_keystore_usbstick/keys': supersecret
Enter again: supersecret

root@solaris:~# pktool genkey keystore=file keytype=aes keylen=128 outkey=/a_keystore_usbstick/keys/joergsdatastick.key

root@solaris:~# zfs create -o encryption=on -o keysource=raw,file:///a_keystore_usbstick/keys/joergsdatastick.key datastick/joergssecrets

root@solaris:/datastick/joergssecrets# mv /home/jmoekamp/highlyconfidential_nda_preso.tgz .

root@solaris:~# zpool export a_keystore_usbstick
root@solaris:~# zpool export datastick

root@solaris:~# zpool import a_keystore_usbstick
Enter passphrase for 'a_keystore_usbstick/keys': supersecret
root@solaris:~#

root@solaris:~# zpool import datastick
root@solaris:~# cd /datastick/joergssecrets
root@solaris:/datastick/joergssecrets# ls
highconfidential_nda_preso.tgz
Basic Auditing and Reporting Tool

# mkdir /bart-files
# bart create -R /etc > /bart-files/etc.control.manifest

# cat etc.control.manifest | grep nsswitch.nisplus
/nsswitch.nisplus F 2525 100644 user::rw-,group::r--,mask:r--,other:r-- 473976b5 0 3 79e8fd689a5221d1cd059e5077da71b8

# touch /etc/thisisjustatest
# chmod 777 /etc/nsswitch.files
# echo "just a test" >> /etc/nsswitch.nisplus

# bart create -R /etc > /bart-files/etc.check.20130911.manifest

# cd /bart-files
# bart compare etc.control.manifest etc.check.20130911.manifest
/nsswitch.files:
  mode  control:100644  test:100777
  acl  control:user::rw-,group::r--,mask:r--,other:r--  test:user::rwx,group::rwx,mask:rwx,other:rwx
/nsswitch.nisplus:
  size  control:2525  test:2538
  mtime  control:473976b5  test:47a44862
  contents  control:79e8fd689a5221d1cd059e5077da71b8  test:3f79176ec352441db11ec8a3d02ef67c
/thisisjustatest:
  add
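To make the manifest format and the compare logic concrete, here is an added example (not the deck's and not bart's own code) that parses two BART manifests and produces the same kind of report as bart compare above. The manifests are constructed from the values on the slides; the nsswitch.files control entry, the directory entry and the checksums not shown on the slides are made up.

```python
"""Diff two BART manifests the way bart compare does. Added example, not the
deck's or bart(1M)'s own code. Line layout follows bart_manifest(4):
  fname F size mode acl mtime uid gid contents     (regular file)
  fname D size mode acl dirmtime uid gid           (directory)
Lines starting with '!' (version, timestamp) or '#' (format comments) are header."""
from typing import Dict, List, Tuple, Union

FIELDS = {
    "F": ("size", "mode", "acl", "mtime", "uid", "gid", "contents"),
    "D": ("size", "mode", "acl", "mtime", "uid", "gid"),
}

ACL_644 = "user::rw-,group::r--,mask:r--,other:r--"
ACL_777 = "user::rwx,group::rwx,mask:rwx,other:rwx"

# Constructed control manifest (values for nsswitch.nisplus are from the slide).
CONTROL_MANIFEST = f"""\
! Version 1.0
! Saturday, September 07, 2013 (12:00:00)
# Format:
#fname D size mode acl dirmtime uid gid
#fname F size mode acl mtime uid gid contents
/ D 1024 40755 user::rwx,group::r-x,mask:r-x,other:r-x 473976b5 0 3
/nsswitch.files F 2489 100644 {ACL_644} 473976b5 0 3 0d3cd6b2d1f42f0f1b9f6d5a1c2e3f40
/nsswitch.nisplus F 2525 100644 {ACL_644} 473976b5 0 3 79e8fd689a5221d1cd059e5077da71b8
/obsolete.conf F 10 100644 {ACL_644} 473976b5 0 3 0123456789abcdef0123456789abcdef
"""

# Constructed test manifest after chmod 777, the appended line and a new file;
# /obsolete.conf was removed to show the "delete" case as well.
TEST_MANIFEST = f"""\
! Version 1.0
! Wednesday, September 11, 2013 (12:00:00)
/ D 1024 40755 user::rwx,group::r-x,mask:r-x,other:r-x 473976b5 0 3
/nsswitch.files F 2489 100777 {ACL_777} 473976b5 0 3 0d3cd6b2d1f42f0f1b9f6d5a1c2e3f40
/nsswitch.nisplus F 2538 100644 {ACL_644} 47a44862 0 3 3f79176ec352441db11ec8a3d02ef67c
/thisisjustatest F 0 100644 {ACL_644} 47a44862 0 0 d41d8cd98f00b204e9800998ecf8427e
"""

Entry = Dict[str, str]
Change = Union[str, List[Tuple[str, str, str]]]


def parse_manifest(text: str) -> Dict[str, Entry]:
    """Map each path to its attributes; unsupported entry types are rejected."""
    entries: Dict[str, Entry] = {}
    for line in text.splitlines():
        if not line.strip() or line[0] in "!#":
            continue
        fields = line.split()
        path, ftype, values = fields[0], fields[1], fields[2:]
        names = FIELDS.get(ftype)
        if names is None or len(values) != len(names):
            raise ValueError(f"unsupported or malformed manifest line: {line!r}")
        entry: Entry = {"type": ftype}
        entry.update(zip(names, values))
        entries[path] = entry
    return entries


def compare_manifests(control_text: str, test_text: str) -> Dict[str, Change]:
    """Return {path: "add" | "delete" | [(attribute, control, test), ...]}."""
    control, test = parse_manifest(control_text), parse_manifest(test_text)
    report: Dict[str, Change] = {}
    for path in sorted(set(control) | set(test)):
        if path not in test:
            report[path] = "delete"
        elif path not in control:
            report[path] = "add"
        else:
            c, t = control[path], test[path]
            diffs = [(k, c[k], t.get(k, "")) for k in c if c[k] != t.get(k)]
            if diffs:
                report[path] = diffs
    return report


def format_report(report: Dict[str, Change]) -> str:
    """Render in the layout bart compare prints."""
    lines: List[str] = []
    for path, change in report.items():
        lines.append(f"{path}:")
        if isinstance(change, str):
            lines.append(f"  {change}")
        else:
            for attr, c, t in change:
                lines.append(f"  {attr}  control:{c}  test:{t}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(compare_manifests(CONTROL_MANIFEST, TEST_MANIFEST)))
```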
Find more information regarding this feature at http://www.c0t0d0s0.org/archives/4069-Less-known-Solaris-features-BART.html

Apropos Auditing

Auditing is activated by default
root@client:~# auditconfig -getflags
active user default audit flags = lo(0x1000,0x1000)
configured user default audit flags = lo(0x1000,0x1000)
root@client:~# auditconfig -getnaflags
active non-attributable audit flags = lo(0x1000,0x1000)
configured non-attributable audit flags = lo(0x1000,0x1000)

root@client:~# auditconfig -getpolicy
configured audit policies = cnt
active audit policies = cnt
Policy regarding auditing (explanation on the next slide)

root@client:~# auditconfig -lspolicy
policy        string            description
ahlt          halt machine if it can not record an async event
all           all policies
arge          include exec environment args in audit recs
argv          include exec command line args in audit recs
cnt           when no more space, drop recs and keep a cnt
group         include supplementary groups in audit recs
none          no policies
path          allow multiple paths per event
perzone       use a separate queue and auditd per zone
public        audit public files
seq           include a sequence number in audit recs
trail         include trailer token in audit recs
windata_down  include downgraded window information in audit recs
windata_up    include upgraded window information in audit recs
zonename      include zonename token in audit recs
Which degree of detail? What happens with full disks?

root@client:~# auditconfig -getplugin
Plugin: audit_binfile (active)
        Attributes: p_dir=/var/audit;p_fsize=0;p_minfree=1;
Plugin: audit_syslog (inactive)
        Attributes: p_flags=;
Plugin: audit_remote (inactive)
        Attributes: p_hosts=;p_retries=3;p_timeout=5;

root@client:~# auditconfig -setflags lo,ps,fw
user default audit flags = ps,lo,fw(0x101002,0x101002)
root@client:~# auditconfig -setnaflags lo,na
non-attributable audit flags = lo,na(0x1400,0x1400)
lo and na are the only sensible flags for non-attributable events.

root@client:~# usermod -K audit_flags=fw,as junior
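The masks auditconfig echoes above are just the OR of the class bits from /etc/security/audit_class, one mask for successful and one for failed events. The following is an added example, not part of the deck, that computes those masks for a flag string and the per-user preselection a usermod -K audit_flags=always:never produces; the bit values for lo, na, fw and ps are visible in the slide output, the others (no, as, all) are assumed from audit_class, and the always/never combination rule is my reading of audit_flags(7).

```python
"""Compute the (success-mask, failure-mask) pair that auditconfig(8) prints
after -setflags/-setnaflags, plus the per-user preselection that
usermod -K audit_flags=always:never yields on top of the system default.
Added example, not from the deck. Prefixes follow audit_flags(7):
"+" success only, "-" failure only, "^" remove from both, "^+"/"^-" remove
from one side only."""
from typing import Tuple

AUDIT_CLASS = {
    "no": 0x0,                   # "no classes", the usual never_audit value (assumed)
    "fw": 0x2,                   # file write:          lo,ps,fw -> 0x101002 on the slide
    "na": 0x400,                 # non-attributable:    lo,na    -> 0x1400
    "lo": 0x1000,                # login or logout:     lo       -> 0x1000
    "as": 0x20000,               # system-wide administration (assumed from audit_class)
    "ps": 0x100000,              # process start/stop
    "all": 0xFFFFFFFFFFFFFFFF,   # every class, as in the "all" slide
}


def audit_masks(flags: str) -> Tuple[int, int]:
    """Fold a comma separated flag string into (success, failure) bit masks."""
    success = failure = 0
    for token in flags.split(","):
        token = token.strip()
        if not token:
            continue
        remove = token.startswith("^")
        if remove:
            token = token[1:]
        sides = {"success", "failure"}
        if token and token[0] in "+-":
            sides = {"success"} if token[0] == "+" else {"failure"}
            token = token[1:]
        if token not in AUDIT_CLASS:
            raise ValueError(f"unknown audit class {token!r}")
        bits = AUDIT_CLASS[token]
        if "success" in sides:
            success = success & ~bits if remove else success | bits
        if "failure" in sides:
            failure = failure & ~bits if remove else failure | bits
    return success & AUDIT_CLASS["all"], failure & AUDIT_CLASS["all"]


def format_masks(flags: str) -> str:
    """Render like auditconfig does: lo,na -> "(0x1400,0x1400)"."""
    s, f = audit_masks(flags)
    return f"({s:#x},{f:#x})"


def user_preselection(system_flags: str, always: str, never: str = "no") -> Tuple[int, int]:
    """Effective masks for a user with audit_flags=always:never: the always
    flags are added to the system default and the never flags override both."""
    sys_s, sys_f = audit_masks(system_flags)
    alw_s, alw_f = audit_masks(always)
    nev_s, nev_f = audit_masks(never)
    return (sys_s | alw_s) & ~nev_s, (sys_f | alw_f) & ~nev_f


if __name__ == "__main__":
    print("lo,ps,fw ->", format_masks("lo,ps,fw"))
    s, f = user_preselection("lo", "fw,as")
    print(f"junior with audit_flags=fw,as on default lo -> ({s:#x},{f:#x})")
```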
root@client:~# au auditconfig -lsevent | grep lo
SSH and X509
c0t0d0s0org131
rootca~ CApl -newcaCA certificate filename (or enter to create)
Making CA certificate Generating a 1024 bit RSA private key++++++++++++writing new private key to etcopensslprivatecakeypemEnter PEM pass phrase supersecret1Verifying - Enter PEM pass phrase supersecret1-----You are about to be asked to enter information that will be incorporatedinto your certificate requestWhat you are about to enter is what is called a Distinguished Name or a DNThere are quite a few fields but you can leave some blankFor some fields there will be a default valueIf you enter the field will be left blank-----Country Name (2 letter code) []DEState or Province Name (full name) []Lower SaxonyLocality Name (eg city) []LueneburgOrganization Name (eg company) []c0t0d0s0orgOrganizational Unit Name (eg section) []Security DepartmentCommon Name (eg server FQDN or YOUR name) []CAEmail Address []
Please enter the following extra attributesto be sent with your certificate requestA challenge password []An optional company name []Using configuration from etcopensslopensslcnf
Enter pass phrase for etcopensslprivatecakeypem supersecret1Check that the request matches the signatureSignature okCertificate Details Serial Number b354808866ade878 Validity Not Before Sep 26 101109 2013 GMT Not After Sep 25 101109 2016 GMT Subject countryName = DE stateOrProvinceName = Lower Saxony organizationName = c0t0d0s0org organizationalUnitName = Security Department commonName = CA X509v3 extensions X509v3 Subject Key Identifier 5B1F2F7186123040501552818D525AA5597E3644 X509v3 Authority Key Identifier keyid5B1F2F7186123040501552818D525AA5597E3644
X509v3 Basic Constraints CATRUECertificate is to be certified until Sep 25 101109 2016 GMT (1095 days)
Write out database with 1 new entriesData Base Updated
c0t0d0s0org132
rootca~ mkdir serverrootca~ cd serverrootca~server CApl -newreqGenerating a 1024 bit RSA private key++++++++++++writing new private key to newkeypemEnter PEM pass phrase supersecret2Verifying - Enter PEM pass phrase supersecret2-----You are about to be asked to enter information that will be incorporatedinto your certificate requestWhat you are about to enter is what is called a Distinguished Name or a DNThere are quite a few fields but you can leave some blankFor some fields there will be a default valueIf you enter the field will be left blank-----Country Name (2 letter code) []DEState or Province Name (full name) []Lower SaxonyLocality Name (eg city) []LueneburgOrganization Name (eg company) []c0t0d0s0orgOrganizational Unit Name (eg section) []Server Certificates
Common Name (eg server FQDN or YOUR name) []serverEmail Address []
Please enter the following extra attributesto be sent with your certificate requestA challenge password []An optional company name []Request is in newreqpem private key is in newkeypem
c0t0d0s0org133
rootca~ mkdir serverrootca~ cd serverrootca~server CApl -newreqGenerating a 1024 bit RSA private key++++++++++++writing new private key to newkeypemEnter PEM pass phrase supersecret2Verifying - Enter PEM pass phrase supersecret2-----You are about to be asked to enter information that will be incorporatedinto your certificate requestWhat you are about to enter is what is called a Distinguished Name or a DNThere are quite a few fields but you can leave some blankFor some fields there will be a default valueIf you enter the field will be left blank-----Country Name (2 letter code) []DEState or Province Name (full name) []Lower SaxonyLocality Name (eg city) []LueneburgOrganization Name (eg company) []c0t0d0s0orgOrganizational Unit Name (eg section) []Server Certificates
Common Name (eg server FQDN or YOUR name) []serverEmail Address []
Please enter the following extra attributesto be sent with your certificate requestA challenge password []An optional company name []Request is in newreqpem private key is in newkeypem
c0t0d0s0org134
rootca~server CApl -signreqUsing configuration from etcopensslopensslcnfEnter pass phrase for etcopensslprivatecakeypem supersecret1Check that the request matches the signatureSignature okCertificate Details Serial Number b354808866ade879 Validity Not Before Sep 26 102912 2013 GMT Not After Sep 26 102912 2014 GMT Subject countryName = DE stateOrProvinceName = Lower Saxony localityName = Lueneburg organizationName = c0t0d0s0org organizationalUnitName = Server Certificates commonName = server X509v3 extensions X509v3 Basic Constraints CAFALSE Netscape Comment OpenSSL Generated Certificate X509v3 Subject Key Identifier
A7DC03DEB3D5FBF9C006F11A55A9AD04C49C10FA X509v3 Authority Key Identifier keyid5B1F2F7186123040501552818D525AA5597E3644
Certificate is to be certified until Sep 26 102912 2014 GMT (365 days)Sign the certificate [yn]y
1 out of 1 certificate requests certified commit [yn]yWrite out database with 1 new entriesData Base UpdatedSigned certificate is in newcertpemrootca~server ls -ltotal 15-rw-r--r-- 1 root root 3196 Sep 26 1229 newcertpem-rw-r--r-- 1 root root 1041 Sep 26 1228 newkeypem-rw-r--r-- 1 root root 680 Sep 26 1228 newreqpem
root@ca:~/junior# CA.pl -newreq
Generating a 1024 bit RSA private key
......++++++
.........++++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
Verify failure
Enter PEM pass phrase: supersecret3
Verifying - Enter PEM pass phrase: supersecret3
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:DE
State or Province Name (full name) []:Lower Saxony
Locality Name (eg, city) []:Lueneburg
Organization Name (eg, company) []:c0t0d0s0.org
Organizational Unit Name (eg, section) []:User certificates
Common Name (e.g. server FQDN or YOUR name) []:junior
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem
root@ca:~/junior# CA.pl -signreq
Using configuration from /etc/openssl/openssl.cnf
Enter pass phrase for /etc/openssl/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            b3:54:80:88:66:ad:e8:7a
        Validity
            Not Before: Sep 26 11:09:29 2013 GMT
            Not After : Sep 26 11:09:29 2014 GMT
        Subject:
            countryName               = DE
            stateOrProvinceName       = Lower Saxony
            localityName              = Lueneburg
            organizationName          = c0t0d0s0.org
            organizationalUnitName    = User certificates
            commonName                = junior
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                A1:F2:FC:9D:8A:E2:AD:9A:F5:29:03:F5:B7:14:93:3C:64:62:8E:9C
            X509v3 Authority Key Identifier:
                keyid:5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44

Certificate is to be certified until Sep 26 11:09:29 2014 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
root@server:~# useradd -m junior
80 blocks
root@server:~# passwd junior
New Password:
Re-enter new Password:
passwd: password successfully changed for junior
root@server:~#

root@client:~# useradd -m junior
80 blocks
root@client:~# passwd junior
New Password:
Re-enter new Password:
passwd: password successfully changed for junior
root@server:~# echo "192.168.10.51 server" >> /etc/hosts
root@server:~# echo "192.168.10.52 client" >> /etc/hosts

root@client:~# echo "192.168.10.51 server" >> /etc/hosts
root@client:~# echo "192.168.10.52 client" >> /etc/hosts
root@ca:~/server# scp /etc/openssl/cacert.pem jmoekamp@192.168.1.109:/export/home/jmoekamp
Password:
cacert.pem           100% |*****************************|  3011       00:00
root@ca:~/server# scp newcert.pem jmoekamp@192.168.1.109:/export/home/jmoekamp
Password:
newcert.pem          100% |*****************************|  3196       00:00
root@ca:~/server# scp newkey.pem jmoekamp@192.168.1.109:/export/home/jmoekamp
Password:
newkey.pem           100% |*****************************|  1041       00:00

root@ca:~/junior# scp newkey.pem junior@client:/export/home/junior
Password:
newkey.pem           100% |*****************************|  1041       00:00
root@ca:~/junior# scp newcert.pem junior@client:/export/home/junior
Password:
newcert.pem          100% |*****************************|  3190       00:00
root@ca:~/junior# scp /etc/openssl/cacert.pem junior@192.168.1.104:/export/home/junior
Password:
cacert.pem           100% |*****************************|  3011       00:00
On the server

root@server:~# ls
cacert.pem  newcert.pem  newkey.pem
root@server:~# pktool setpin
Enter token passphrase: changeme
Create new passphrase: superserversecret
Re-enter new passphrase: superserversecret
Passphrase changed.
root@server:~# printf "superserversecret" > /etc/ssh/pinfile

The pinfile holds the token PIN in clear text, so it must stay readable by root only; whoever can read it can unlock the host key in the softtoken.
root@server:~# kmfcfg create dbfile=/etc/ssh/policy.xml policy=ssh ta-name=search mapper-name=cn

root@server:~# echo "TrustedAnchorKeystore /etc/ssh/cert" >> /etc/ssh/sshd_config
root@server:~# echo "KMFPolicyDatabase /etc/ssh/policy.xml" >> /etc/ssh/sshd_config
root@server:~# echo "KMFPolicyName ssh" >> /etc/ssh/sshd_config
root@server:~# echo "HostKey pkcs11:object=host;token=Sun Metaslot;pinfile=/etc/ssh/pinfile" >> /etc/ssh/sshd_config

root@server:~# pktool import keystore=pkcs11 infile=newkey.pem objtype=key label=host
Enter PIN for Sun Software PKCS#11 softtoken: superserversecret
Enter PEM pass phrase: supersecret2
Importing 1 keys

root@server:~# egrep -v '^ |^$|^Cert' /export/home/jmoekamp/cacert.pem > /etc/ssh/cert/cacert.cooked.pem
root@server:~# egrep -v '^ |^$|^Cert' newcert.pem > newcert.cooked.pem
root@server:~# pktool import keystore=pkcs11 infile=newcert.cooked.pem objtype=cert label=host
root@server:~#
On the client

junior@client:~$ ls *.pem
cacert.pem  newcert.pem  newkey.pem

root@client:~# kmfcfg create dbfile=/etc/ssh/policy.xml policy=ssh ta-name=search mapper-name=cn
root@client:~# egrep -v '^ |^$|^Cert' /export/home/junior/cacert.pem > /etc/ssh/cert/cacert.cooked.pem

junior@client:~$ pktool setpin
Enter token passphrase: changeme
Create new passphrase: superusersecret
Re-enter new passphrase: superusersecret
Passphrase changed.

junior@client:~$ pktool import keystore=pkcs11 infile=newkey.pem objtype=key label=user
Enter PIN for Sun Software PKCS#11 softtoken: superusersecret
Enter PEM pass phrase: supersecret3
Importing 1 keys
junior@client:~$ egrep -v '^ |^$|^Cert' newcert.pem > newcert.cooked.pem
junior@client:~$ pktool import keystore=pkcs11 infile=newcert.cooked.pem objtype=cert label=user
Testing it

root@server:~# svcadm disable ssh
root@server:~# svcadm enable ssh

junior@client:~$ cd .ssh
junior@client:~/.ssh$ printf "superusersecret" >> pinfile
junior@client:~/.ssh$ cat config
Host server-x509
    Hostname server
    TrustedAnchorKeystore /etc/ssh/cert
    KMFPolicyDatabase /etc/ssh/policy.xml
    KMFPolicyName ssh
    IdentityFile pkcs11:object=user;token=Sun Software PKCS#11 softtoken;pinfile=/export/home/junior/.ssh/pinfile

junior@client:~/.ssh$ ssh junior@server-x509
Last login: Thu Sep 26 20:07:14 2013 from client
Oracle Corporation      SunOS 5.11      11.1    September 2013
junior@server:~$

Find more information regarding this feature at
http://www.c0t0d0s0.org/archives/7659-Using-X509-support-for-SSH-on-Solaris-11.1.html
OpenSCAP

"The Security Content Automation Protocol (SCAP) is a method for using specific standards to enable automated vulnerability management, measurement, and policy compliance evaluation (e.g., FISMA compliance). The National Vulnerability Database (NVD) is the U.S. government content repository for SCAP."
http://en.wikipedia.org/wiki/Security_Content_Automation_Protocol
ftp-banner.xml

<?xml version="1.0" encoding="UTF-8"?>
<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5"
    xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5"
    xmlns:independent-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"
    xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd">
  <generator>
    <oval:product_name>Enhanced SCAP Editor</oval:product_name>
    <oval:product_version>0.0.11</oval:product_version>
    <oval:schema_version>5.8</oval:schema_version>
    <oval:timestamp>2012-10-11T10:33:25</oval:timestamp>
  </generator>
  <!--generated.oval.base.identifier=com.oracle.solaris11-->
  <definitions>
    <definition id="oval:com.oracle.solaris11:def:840" version="1" class="compliance">
      <metadata>
        <title>Enable a Warning Banner for the FTP Service</title>
        <affected family="unix">
          <platform>Oracle Solaris 11</platform>
        </affected>
        <description>/etc/proftpd.conf contains "DisplayConnect /etc/issue"</description>
      </metadata>
      <criteria operator="AND" negate="false" comment="Single test">
        <criterion comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;" test_ref="oval:com.oracle.solaris11:tst:8400" negate="false"/>
      </criteria>
    </definition>
  </definitions>
  <tests>
    <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:com.oracle.solaris11:tst:8400" version="1" check="all" comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;" check_existence="all_exist">
      <object object_ref="oval:com.oracle.solaris11:obj:8400"/>
    </textfilecontent54_test>
  </tests>
  <objects>
    <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:com.oracle.solaris11:obj:8400" version="1" comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;">
      <path datatype="string" operation="equals">/etc</path>
      <filename datatype="string" operation="equals">proftpd.conf</filename>
      <pattern datatype="string" operation="pattern match">^DisplayConnect\s/etc/issue\s*$</pattern>
      <instance datatype="int" operation="greater than or equal">1</instance>
    </textfilecontent54_object>
  </objects>
</oval_definitions>

The object is the part that does the work: it names the file (/etc/proftpd.conf), the regular expression a line has to match, and the instance count (at least one matching line).
$ oscap oval eval ftp-banner.xml
Definition oval:com.oracle.solaris11:def:840: false
Evaluation done.

$ oscap oval eval --results results.xml --report report.html ftp-banner.xml
Definition oval:com.oracle.solaris11:def:840: false
Evaluation done.
OVAL Results are exported correctly.

To create your own OVAL files: Enhanced SCAP Content Editor

Find more information regarding this feature at
https://blogs.oracle.com/darren/entry/compliance_reporting_with_scap
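What oscap actually does for the definition above is small enough to reimplement: find the file, count the lines matching the pattern, compare against the instance requirement, AND the criteria. The following evaluator is an added example (not part of the slides, not OpenSCAP code) that does exactly that for textfilecontent54 tests, against a constructed OVAL document and a throwaway /etc/proftpd.conf created under a temporary directory; the root_dir parameter and the simplified instance/check_existence handling are this example's own assumptions.

```python
"""Offline evaluator for the textfilecontent54 OVAL test shown in ftp-banner.xml."""
import os
import re
import tempfile
import xml.etree.ElementTree as ET

DEF_NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
IND_NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"

# Constructed OVAL content: the single-test definition from the slide, reduced to
# the elements this evaluator reads (generator and metadata blocks omitted).
OVAL_XML = f"""
<oval_definitions xmlns="{DEF_NS}">
  <definitions>
    <definition id="oval:com.oracle.solaris11:def:840" version="1" class="compliance">
      <criteria operator="AND" negate="false">
        <criterion test_ref="oval:com.oracle.solaris11:tst:8400" negate="false"/>
      </criteria>
    </definition>
  </definitions>
  <tests>
    <textfilecontent54_test xmlns="{IND_NS}" id="oval:com.oracle.solaris11:tst:8400"
                            version="1" check="all" check_existence="all_exist">
      <object object_ref="oval:com.oracle.solaris11:obj:8400"/>
    </textfilecontent54_test>
  </tests>
  <objects>
    <textfilecontent54_object xmlns="{IND_NS}" id="oval:com.oracle.solaris11:obj:8400" version="1">
      <path datatype="string" operation="equals">/etc</path>
      <filename datatype="string" operation="equals">proftpd.conf</filename>
      <pattern datatype="string" operation="pattern match">^DisplayConnect\\s/etc/issue\\s*$</pattern>
      <instance datatype="int" operation="greater than or equal">1</instance>
    </textfilecontent54_object>
  </objects>
</oval_definitions>
"""


def _tag(ns, name):
    return f"{{{ns}}}{name}"


def count_matching_lines(obj, root_dir="/"):
    """Number of lines in <path>/<filename> that match <pattern>; root_dir re-roots the lookup."""
    path = obj.findtext(_tag(IND_NS, "path"))
    filename = obj.findtext(_tag(IND_NS, "filename"))
    pattern = re.compile(obj.findtext(_tag(IND_NS, "pattern")))
    full = os.path.join(root_dir, path.lstrip("/"), filename)
    if not os.path.isfile(full):
        return 0
    with open(full, encoding="utf-8", errors="replace") as fh:
        return sum(1 for line in fh if pattern.search(line.rstrip("\n")))


def evaluate(oval_xml, root_dir="/"):
    """Return {definition id: True/False}; criteria are ANDed as in the slide's definition."""
    doc = ET.fromstring(oval_xml)
    tests = {t.get("id"): t for t in doc.iter(_tag(IND_NS, "textfilecontent54_test"))}
    objects = {o.get("id"): o for o in doc.iter(_tag(IND_NS, "textfilecontent54_object"))}
    results = {}
    for definition in doc.iter(_tag(DEF_NS, "definition")):
        verdict = True
        for criterion in definition.iter(_tag(DEF_NS, "criterion")):
            test = tests[criterion.get("test_ref")]
            obj = objects[test.find(_tag(IND_NS, "object")).get("object_ref")]
            # check_existence="all_exist" with instance >= N: at least N matching lines must exist
            needed = int(obj.findtext(_tag(IND_NS, "instance")))
            hit = count_matching_lines(obj, root_dir) >= needed
            if criterion.get("negate") == "true":
                hit = not hit
            verdict = verdict and hit
        results[definition.get("id")] = verdict
    return results


def demo(banner_line):
    """Evaluate def:840 against a throwaway /etc/proftpd.conf (constructed content)."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        with open(os.path.join(root, "etc", "proftpd.conf"), "w", encoding="utf-8") as fh:
            fh.write('ServerName "ProFTPD"\n')
            if banner_line is not None:
                fh.write(banner_line + "\n")
        return evaluate(OVAL_XML, root)["oval:com.oracle.solaris11:def:840"]


if __name__ == "__main__":
    print("without banner:", demo(None))                         # false, as in the slide
    print("with banner:   ", demo("DisplayConnect /etc/issue"))  # true
```

Because the pattern is anchored with ^, a commented-out "#DisplayConnect /etc/issue" does not satisfy the test; a real-world check should also cope with a file that is absent, which this evaluator treats as zero matches (and therefore "false").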
root@client:/etc/security# cat /etc/security/crypt.conf
#
# Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
#ident "%Z%%M% %I% %E% SMI"
#
# The algorithm name __unix__ is reserved.
#
1       crypt_bsdmd5.so.1
2a      crypt_bsdbf.so.1
md5     crypt_sunmd5.so.1
5       crypt_sha256.so.1
6       crypt_sha512.so.1
root@client:/etc/security# cat /etc/security/policy.conf | egrep ^CRYPT_DEFAULT
CRYPT_DEFAULT=5
root@client:/etc/security# cat /etc/shadow | grep junior
junior:$5$4aKvDFqA$2kL8GpuXjrdf8XpanqhylEP5lDhy1DF5uo1ZYx74f3159291440

The $5$ prefix of the hash is the identifier from crypt.conf: junior's password is hashed with crypt_sha256.so.1.
root@client:/etc/security# cat /etc/default/passwd | grep -v "^# " | egrep -v '^$|^#$'
#ident "%Z%%M% %I% %E% SMI"
MAXWEEKS=
MINWEEKS=
PASSLENGTH=6
NAMECHECK=NO
HISTORY=0
MINDIFF=3
MINALPHA=2
MINNONALPHA=1
MINUPPER=0
MINLOWER=0
MAXREPEATS=0
MINSPECIAL=0
MINDIGIT=0
WHITESPACE=YES
DICTIONLIST=
DICTIONDBDIR=/var/passwd
root@client:~# mkpwdict -s /usr/share/lib/dict/words
mkpwdict: using default database location: /var/passwd.

or

root@client:~# mkpwdict -s /usr/share/lib/dict/words -d /var/passwd
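To see what the values in /etc/default/passwd above actually reject, here is an added example (not from the slides and not Solaris' pam_authtok_check code) that applies the same rules to candidate passwords. The policy text is a constructed copy of the slide's values, the word list is a tiny stand-in for the mkpwdict database, and the MINDIFF and dictionary-stem rules are this example's own simplifications of how Solaris evaluates them.

```python
"""Checker for the /etc/default/passwd rules shown above (constructed values, not the system file)."""

# Constructed copy of the values the slide shows for /etc/default/passwd.
PASSWD_DEFAULTS = """\
#ident "%Z%%M% %I% %E% SMI"
MAXWEEKS=
MINWEEKS=
PASSLENGTH=6
NAMECHECK=NO
HISTORY=0
MINDIFF=3
MINALPHA=2
MINNONALPHA=1
MINUPPER=0
MINLOWER=0
MAXREPEATS=0
MINSPECIAL=0
MINDIGIT=0
WHITESPACE=YES
DICTIONLIST=
DICTIONDBDIR=/var/passwd
"""


def parse_defaults(text):
    """KEY=VALUE lines -> dict; blank values stay '' (meaning 'not set')."""
    policy = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        policy[key.strip()] = value.strip()
    return policy


def _num(policy, key, default=0):
    return int(policy.get(key) or default)


def _longest_run(s):
    """Length of the longest run of one repeated character."""
    best = run = 1 if s else 0
    for a, b in zip(s, s[1:]):
        run = run + 1 if a == b else 1
        best = max(best, run)
    return best


def check_password(new, old, username, policy, dictionary=frozenset()):
    """Return the names of the violated rules; an empty list means the password passes."""
    v = []
    if len(new) < _num(policy, "PASSLENGTH", 6):
        v.append("PASSLENGTH")
    if policy.get("WHITESPACE", "YES").upper() != "YES" and any(c.isspace() for c in new):
        v.append("WHITESPACE")
    if policy.get("NAMECHECK", "NO").upper() == "YES" and username.lower() in new.lower():
        v.append("NAMECHECK")
    alpha = sum(c.isalpha() for c in new)
    digit = sum(c.isdigit() for c in new)
    upper = sum(c.isupper() for c in new)
    lower = sum(c.islower() for c in new)
    special = len(new) - alpha - digit - sum(c.isspace() for c in new)
    if alpha < _num(policy, "MINALPHA"):
        v.append("MINALPHA")
    # MINNONALPHA counts digits and specials together; MINDIGIT/MINSPECIAL are the finer-grained variant
    if len(new) - alpha < _num(policy, "MINNONALPHA"):
        v.append("MINNONALPHA")
    if upper < _num(policy, "MINUPPER"):
        v.append("MINUPPER")
    if lower < _num(policy, "MINLOWER"):
        v.append("MINLOWER")
    if digit < _num(policy, "MINDIGIT"):
        v.append("MINDIGIT")
    if special < _num(policy, "MINSPECIAL"):
        v.append("MINSPECIAL")
    max_rep = _num(policy, "MAXREPEATS")
    if max_rep and _longest_run(new) > max_rep:      # 0 means "no check"
        v.append("MAXREPEATS")
    # MINDIFF, simplified here to position-wise differences plus the length change (assumption)
    if old is not None:
        diff = sum(a != b for a, b in zip(new, old)) + abs(len(new) - len(old))
        if diff < _num(policy, "MINDIFF"):
            v.append("MINDIFF")
    # Dictionary check on the password and on the password with trailing digits removed (assumption)
    stem = new.lower().rstrip("0123456789")
    if dictionary and (new.lower() in dictionary or stem in dictionary):
        v.append("DICTIONLIST")
    return v


POLICY = parse_defaults(PASSWD_DEFAULTS)
# Constructed stand-in for the mkpwdict database built from /usr/share/lib/dict/words
WORDS = frozenset({"password", "secret", "welcome"})

if __name__ == "__main__":
    for new, old in [("Sommer13", None), ("secret", None), ("abc12", None),
                     ("Sommer13", "Sommer12"), ("password1", None)]:
        print(f"{new!r:12} -> {check_password(new, old, 'junior', POLICY, WORDS)}")
```

Note what the slide's policy does not do: with MINUPPER, MINLOWER, MINDIGIT, MINSPECIAL and MAXREPEATS all at 0, "secret" fails only because of MINNONALPHA (and the dictionary, once mkpwdict has been run), and six characters with one digit is all PASSLENGTH=6 plus MINNONALPHA=1 demands.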
Address Space Layout Randomization

root@solaris:~# sxadm exec -s aslr=disable /usr/bin/pmap self
1914:   /usr/bin/pmap self
0000000000400000         28K r-x--  /usr/bin/pmap
0000000000417000          4K rw---  /usr/bin/pmap
0000000000418000         40K rw---    [ heap ]
FFFF80FFBDDD0000        216K r-x--  /lib/amd64/libproc.so.1
FFFF80FFBDE16000          8K rw---  /lib/amd64/libproc.so.1
FFFF80FFBF430000       1764K r-x--  /lib/amd64/libc.so.1
FFFF80FFBF5F9000         64K rw---  /lib/amd64/libc.so.1
FFFF80FFBF609000         12K rw---  /lib/amd64/libc.so.1
FFFF80FFBF740000          4K rw---    [ anon ]
FFFF80FFBF750000         24K rwx--    [ anon ]
FFFF80FFBF760000          4K rw---    [ anon ]
FFFF80FFBF770000          4K rw---    [ anon ]
FFFF80FFBF780000          4K rw---    [ anon ]
FFFF80FFBF790000          4K rw---    [ anon ]
FFFF80FFBF792000          4K r--s-    [ anon ]
FFFF80FFBF795000        340K r-x--  /lib/amd64/ld.so.1
FFFF80FFBF7FA000         12K rwx--  /lib/amd64/ld.so.1
FFFF80FFBF7FD000          8K rwx--  /lib/amd64/ld.so.1
FFFF80FFBFFFD000         12K rw---    [ stack ]
 total              2556K

root@solaris:~# sxadm exec -s aslr=disable /usr/bin/pmap self
1915:   /usr/bin/pmap self
0000000000400000         28K r-x--  /usr/bin/pmap
0000000000417000          4K rw---  /usr/bin/pmap
0000000000418000         40K rw---    [ heap ]
FFFF80FFBDDD0000        216K r-x--  /lib/amd64/libproc.so.1
FFFF80FFBDE16000          8K rw---  /lib/amd64/libproc.so.1
FFFF80FFBF430000       1764K r-x--  /lib/amd64/libc.so.1
FFFF80FFBF5F9000         64K rw---  /lib/amd64/libc.so.1
FFFF80FFBF609000         12K rw---  /lib/amd64/libc.so.1
FFFF80FFBF740000          4K rw---    [ anon ]
FFFF80FFBF750000         24K rwx--    [ anon ]
FFFF80FFBF760000          4K rw---    [ anon ]
FFFF80FFBF770000          4K rw---    [ anon ]
FFFF80FFBF780000          4K rw---    [ anon ]
FFFF80FFBF790000          4K rw---    [ anon ]
FFFF80FFBF792000          4K r--s-    [ anon ]
FFFF80FFBF795000        340K r-x--  /lib/amd64/ld.so.1
FFFF80FFBF7FA000         12K rwx--  /lib/amd64/ld.so.1
FFFF80FFBF7FD000          8K rwx--  /lib/amd64/ld.so.1
FFFF80FFBFFFD000         12K rw---    [ stack ]
 total              2556K

With ASLR disabled, two runs of the same binary get identical addresses for heap, libraries and stack.
root@solaris:~# sxadm exec -s aslr=enable /usr/bin/pmap self
1917:   /usr/bin/pmap self
0000000000400000         28K r-x--  /usr/bin/pmap
0000000000417000          4K rw---  /usr/bin/pmap
0000000000418000          8K rw---  /usr/bin/pmap
00000005D6666000         36K rw---    [ heap ]
00007FF669C70000        216K r-x--  /lib/amd64/libproc.so.1
00007FF669CB6000          8K rw---  /lib/amd64/libproc.so.1
00007FF669CC0000          4K rw---    [ anon ]
00007FF669CD0000         24K rwx--    [ anon ]
00007FF669CE0000          4K rw---    [ anon ]
00007FF669CF0000       1764K r-x--  /lib/amd64/libc.so.1
00007FF669EB9000         64K rw---  /lib/amd64/libc.so.1
00007FF669EC9000         12K rw---  /lib/amd64/libc.so.1
00007FF669ED0000          4K rw---    [ anon ]
00007FF669EE0000          4K rw---    [ anon ]
00007FF669EF0000          4K rw---    [ anon ]
00007FF669EF2000          4K r--s-    [ anon ]
00007FF669EFC000        340K r-x--  /lib/amd64/ld.so.1
00007FF669F61000         12K rwx--  /lib/amd64/ld.so.1
00007FF669F64000          8K rwx--  /lib/amd64/ld.so.1
FFFF80DDA254F000         16K rw---    [ stack ]
 total              2564K

root@solaris:~# sxadm exec -s aslr=enable /usr/bin/pmap self
1918:   /usr/bin/pmap self
0000000000400000         28K r-x--  /usr/bin/pmap
0000000000417000          4K rw---  /usr/bin/pmap
0000000000418000          8K rw---  /usr/bin/pmap
000000065B76D000         36K rw---    [ heap ]
00007FFAACFC0000        216K r-x--  /lib/amd64/libproc.so.1
00007FFAAD006000          8K rw---  /lib/amd64/libproc.so.1
00007FFAAD010000          4K rw---    [ anon ]
00007FFAAD020000         24K rwx--    [ anon ]
00007FFAAD030000          4K rw---    [ anon ]
00007FFAAD040000       1764K r-x--  /lib/amd64/libc.so.1
00007FFAAD209000         64K rw---  /lib/amd64/libc.so.1
00007FFAAD219000         12K rw---  /lib/amd64/libc.so.1
00007FFAAD220000          4K rw---    [ anon ]
00007FFAAD230000          4K rw---    [ anon ]
00007FFAAD240000          4K rw---    [ anon ]
00007FFAAD242000          4K r--s-    [ anon ]
00007FFAAD24D000        340K r-x--  /lib/amd64/ld.so.1
00007FFAAD2B2000         12K rwx--  /lib/amd64/ld.so.1
00007FFAAD2B5000          8K rwx--  /lib/amd64/ld.so.1
FFFF80DE1559E000         12K rw---    [ stack ]

With ASLR enabled, heap, libraries and stack move between the two runs. The text and data of /usr/bin/pmap itself stay at 0x400000: the executable is not position independent, so only the other mappings are randomized.
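The slide pairs are best read by machine. The following is an added example (not from the slides, not a Solaris tool) that parses pmap(1) output from two runs, pairs each mapping with its counterpart by name and ordinal, and reports which bases moved; the samples are a constructed subset of the address lines shown above, and the line format assumed is the one pmap prints on Solaris 11 amd64.

```python
"""Compare two pmap(1) runs and report which mappings ASLR actually moved."""
import re

# Constructed samples: a subset of the mapping lines from the sxadm exec runs above.
ASLR_DISABLED_RUN = """\
0000000000400000         28K r-x--  /usr/bin/pmap
0000000000418000         40K rw---    [ heap ]
FFFF80FFBF430000       1764K r-x--  /lib/amd64/libc.so.1
FFFF80FFBF795000        340K r-x--  /lib/amd64/ld.so.1
FFFF80FFBFFFD000         12K rw---    [ stack ]
 total              2556K
"""
ASLR_ENABLED_RUN_1 = """\
0000000000400000         28K r-x--  /usr/bin/pmap
00000005D6666000         36K rw---    [ heap ]
00007FF669CF0000       1764K r-x--  /lib/amd64/libc.so.1
00007FF669EFC000        340K r-x--  /lib/amd64/ld.so.1
FFFF80DDA254F000         16K rw---    [ stack ]
 total              2564K
"""
ASLR_ENABLED_RUN_2 = """\
0000000000400000         28K r-x--  /usr/bin/pmap
000000065B76D000         36K rw---    [ heap ]
00007FFAAD040000       1764K r-x--  /lib/amd64/libc.so.1
00007FFAAD24D000        340K r-x--  /lib/amd64/ld.so.1
FFFF80DE1559E000         12K rw---    [ stack ]
"""

# base address, size in K, 5-char permission field, object name or [ heap ]/[ stack ]/[ anon ]
MAPPING = re.compile(r"^\s*([0-9A-Fa-f]+)\s+(\d+)K\s+([rwxs-]{5})\s+(.+?)\s*$")


def parse_pmap(text):
    """[(base, size_kb, perms, name)] for every mapping line; the 'total' line does not match."""
    rows = []
    for line in text.splitlines():
        m = MAPPING.match(line)
        if m:
            rows.append((int(m.group(1), 16), int(m.group(2)), m.group(3), m.group(4)))
    return rows


def _by_key(rows):
    """Key mappings by (name, ordinal) so the 1st libc segment of run A pairs with the 1st of run B."""
    seen, keyed = {}, {}
    for base, _size, _perms, name in rows:
        n = seen.get(name, 0)
        seen[name] = n + 1
        keyed[(name, n)] = base
    return keyed


def base_deltas(run_a, run_b):
    """{(name, ordinal): base_b - base_a} for mappings present in both runs."""
    a, b = _by_key(parse_pmap(run_a)), _by_key(parse_pmap(run_b))
    return {k: b[k] - a[k] for k in a if k in b}


def randomized(run_a, run_b):
    """Sorted names of mappings whose base address differs between the runs."""
    return sorted({name for (name, _n), d in base_deltas(run_a, run_b).items() if d})


def fixed(run_a, run_b):
    """Sorted names of mappings that did NOT move (e.g. a non-PIE main executable)."""
    return sorted({name for (name, _n), d in base_deltas(run_a, run_b).items() if not d})


if __name__ == "__main__":
    print("aslr=disable, two runs  :", randomized(ASLR_DISABLED_RUN, ASLR_DISABLED_RUN))
    print("aslr=enable,  moved     :", randomized(ASLR_ENABLED_RUN_1, ASLR_ENABLED_RUN_2))
    print("aslr=enable,  unchanged :", fixed(ASLR_ENABLED_RUN_1, ASLR_ENABLED_RUN_2))
```

Run it against real output (pmap self, twice, under sxadm exec) and the interesting result is the "unchanged" list: anything that stays put across runs is a fixed address an attacker can rely on, which for the slide's binary is the executable image itself.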
root@solaris:~# sxadm info
EXTENSION           STATUS                    CONFIGURATION
aslr                enabled (tagged-files)    system default (default)

root@solaris:~# elfdump -d /usr/bin/pmap | grep ASLR
      [33]  SUNW_ASLR         0x2               ENABLE

root@solaris:~# elfedit -e 'dyn:sunw_aslr disable' /usr/bin/pmap

root@solaris:~# elfdump -d /usr/bin/pmap | grep ASLR
      [33]  SUNW_ASLR         0x1               DISABLE

In the default "tagged-files" mode, the per-binary SUNW_ASLR dynamic tag decides whether a process is randomized.
root@solaris:~# sxadm enable -c model=all aslr
root@solaris:~# sxadm info
EXTENSION           STATUS                    CONFIGURATION
aslr                enabled (all)             enabled (all)

root@solaris:~# sxadm disable aslr
root@solaris:~# sxadm info
EXTENSION           STATUS                    CONFIGURATION
aslr                disabled                  disabled

root@solaris:~# sxadm enable -c model=tagged-files aslr
root@solaris:~# sxadm info
EXTENSION           STATUS                    CONFIGURATION
aslr                enabled (tagged-files)    enabled (tagged-files)
pfedit

root@template:/etc/apache2/2.2# profiles -p "httpd edit"
profiles:httpd edit> set auths=solaris.admin.edit/etc/apache2/2.2/httpd.conf
profiles:httpd edit> set desc="Edit httpd"
profiles:httpd edit> exit

root@template:/etc/apache2/2.2# usermod -P +"httpd edit" junior
junior@template:~$ profiles
httpd edit
Basic Solaris User
All

junior@template:~$ vi /etc/apache2/2.2/httpd.conf
(junior has no DAC write access to the file, so vi can only open it read-only)

junior@template:~$ pfedit /etc/apache2/2.2/httpd.conf
pfedit: /etc/apache2/2.2/httpd.conf has been updated.

junior@template:~$ pfedit /etc/apache2/2.2/mime.types
pfedit: User junior is not authorized to edit the file /etc/apache2/2.2/mime.types
root@template:/etc/apache2/2.2# profiles -p "httpd edit"
profiles:httpd edit> info
        name=httpd edit
        desc=Edit httpd
        auths=solaris.admin.edit/etc/apache2/2.2/httpd.conf
profiles:httpd edit> add auths=solaris.admin.edit/etc/apache2/2.2/mime.types

junior@template:~$ pfedit /etc/apache2/2.2/mime.types
pfedit: no changes for /etc/apache2/2.2/mime.types
# profiles -p "httpd configure"
profiles:httpd configure> add always_audit=as
profiles:httpd configure> info
        name=httpd configure
        desc=Configure httpd
        auths=solaris.admin.edit/etc/apache2/2.2/httpd.conf,solaris.admin.edit/etc/apache2/2.2/mime.types
        always_audit=as
        never_audit=no
profiles:httpd configure> exit
root@template:~#

root@template:~# auditreduce -c as | praudit
[...]
header,486,2,edit administrative file,,fe80::a00:27ff:fea6:33cb,2013-08-12 07:45:52.306 +00:00
subject,junior,junior,staff,junior,staff,4212447467166369 136704 MacBook-Pro-of-c0t0d0s0.fritz.box
path,/etc/apache2/2.2/httpd.conf
use of authorization,solaris.admin.edit/etc/apache2/2.2/httpd.conf
text,--- /etc/apache2/2.2/httpd.conf Mo Aug 12 07:45:00 2013
+++ /etc/apache2/2.2/httpd.conf.pfedit.1BaGoi Mo Aug 12 07:45:52 2013
@@ -1,5 +1,6 @@
 # Test
 # Test 2
+# Test 3
 #
 # This is the main Apache HTTP server configuration file.  It contains the
 # configuration directives that give the server its instructions.
return,success,0

The audit record carries the diff of the edit, so the trail shows not only that junior touched httpd.conf but exactly what changed.
Delegating privilege to restart services (so you can keep the root password)

junior@template:~$ svcadm refresh apache22
svcadm: svc:/network/http:apache22: Permission denied.

# svcs -a | grep apache22
online         15:30:29 svc:/network/http:apache22

# auths add -t "Apache22 value" solaris.smf.value.http.apache22
# auths add -t "Apache22 action" solaris.smf.action.http.apache22

# svccfg -s apache22 setprop general/value_authorization = astring: solaris.smf.value.http.apache22
# svccfg -s apache22 setprop general/action_authorization = astring: solaris.smf.action.http.apache22

# profiles -p "httpd edit" add auths=solaris.smf.action.http.apache22

junior@template:~$ svcadm refresh apache22
junior@template:~$

The action authorization is what svcadm refresh, restart and temporary enable/disable check; the value authorization would additionally let junior change the service's properties, which is why only the action authorization is added to the profile here.
Privileges

$ ls -l /usr/sbin/traceroute
-r-sr-xr-x   1 root     bin        42324 Nov 21 00:09 /usr/sbin/traceroute
$ ls -l /usr/sbin/ping
-r-sr-xr-x   1 root     bin        51396 Nov 18 19:31 /usr/sbin/ping

Set-uid to root: ping needs it to work.

# chmod -s /sbin/ping
# exit
$ ping -s 192.168.1.132
ping: socket Permission denied

Remove the set-uid bit and ping stops working.
jmoekamp@daddelkiste:~$ ppriv $$
2153:   -bash
flags = <none>
        E: basic
        I: basic
        P: basic
        L: all
The complete set of privileges on Solaris 11:

contract_event, contract_identity, contract_observer, cpc_cpu, dtrace_kernel, dtrace_proc, dtrace_user, file_chown, file_chown_self, file_dac_execute, file_dac_read, file_dac_search, file_dac_write, file_downgrade_sl, file_flag_set, file_link_any, file_owner, file_read, file_setid, file_upgrade_sl, file_write, graphics_access, graphics_map, ipc_dac_read, ipc_dac_write, ipc_owner, net_access, net_bindmlp, net_icmpaccess, net_mac_aware, net_mac_implicit, net_observability, net_privaddr, net_rawaccess, proc_audit, proc_chroot, proc_clock_highres, proc_exec, proc_fork, proc_info, proc_lock_memory, proc_owner, proc_priocntl, proc_session, proc_setid, proc_taskid, proc_zone, sys_acct, sys_admin, sys_audit, sys_config, sys_devices, sys_dl_config, sys_flow_config, sys_ib_config, sys_ib_info, sys_ip_config, sys_ipc_config, sys_iptun_config, sys_linkdir, sys_mount, sys_net_config, sys_nfs, sys_ppp_config, sys_res_bind, sys_res_config, sys_resource, sys_share, sys_smb, sys_suser_compat, sys_time, sys_trans_label, win_colormap, win_config, win_dac_read, win_dac_write, win_devices, win_dga, win_downgrade_sl, win_fontpath, win_mac_read, win_mac_write, win_selection, win_upgrade_sl

All privileges in their entirety assigned to one user are (almost)

A neat extension in Solaris 11: the ability to use networking is now a privilege (net_access). It is part of the default basic set, but you can remove it.
jmoekamp@daddelkiste:~$ ppriv -v $$
2153:   -bash
flags = <none>
        E: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
        I: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
        P: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
        L: contract_event,contract_identity,contract_observer,cpc_cpu,dtrace_kernel,dtrace_proc,dtrace_user,file_chown,file_chown_self,file_dac_execute,file_dac_read,file_dac_search,file_dac_write,file_downgrade_sl,file_flag_set,file_link_any,file_owner,file_read,file_setid,file_upgrade_sl,file_write,graphics_access,graphics_map,ipc_dac_read,ipc_dac_write,ipc_owner,net_access,net_bindmlp,net_icmpaccess,net_mac_aware,net_mac_implicit,net_observability,net_privaddr,net_rawaccess,proc_audit,proc_chroot,proc_clock_highres,proc_exec,proc_fork,proc_info,proc_lock_memory,proc_owner,proc_priocntl,proc_session,proc_setid,proc_taskid,proc_zone,sys_acct,sys_admin,sys_audit,sys_config,sys_devices,sys_dl_config,sys_flow_config,sys_ib_config,sys_ib_info,sys_ip_config,sys_ipc_config,sys_iptun_config,sys_linkdir,sys_mount,sys_net_config,sys_nfs,sys_ppp_config,sys_res_bind,sys_res_config,sys_resource,sys_share,sys_smb,sys_suser_compat,sys_time,sys_trans_label,win_colormap,win_config,win_dac_read,win_dac_write,win_devices,win_dga,win_downgrade_sl,win_fontpath,win_mac_read,win_mac_write,win_selection,win_upgrade_sl

With -v, ppriv expands "basic" into its nine members; these are all a normal login shell gets.
root@daddelkiste:~# ppriv $$
2183:   -bash
flags = <none>
        E: all
        I: basic
        P: all
        L: all
junior@daddelkiste:~$ dtrace -n 'syscall:::entry { @num[execname] = count(); }'
dtrace: failed to initialize dtrace: DTrace requires additional privileges

root@daddelkiste:~# usermod -K defaultpriv=basic,dtrace_kernel,dtrace_proc,dtrace_user junior
UX: usermod: junior is currently logged in, some changes may not take effect until next login.

junior@daddelkiste:~$ dtrace -n 'syscall:::entry { @num[execname] = count(); }'
dtrace: description 'syscall:::entry' matched 211 probes
^C

  automountd                                                        1
  sshd                                                             24
  dtrace                                                          544
  auditd                                                          564

dtrace_kernel allows reading arbitrary kernel memory, so a user holding it is close to root; hand out only dtrace_proc and dtrace_user unless kernel tracing is really needed.
# ps -ef | grep kcfd
  daemon   125     1   0 14:24:19 ?           0:00 /usr/lib/crypto/kcfd
    root   734   728   0 15:54:08 pts/1       0:00 grep kcfd
# ppriv -v 125
125:    /usr/lib/crypto/kcfd
flags = PRIV_AWARE
        E: file_owner,proc_priocntl,sys_devices
        I: none
        P: file_owner,proc_priocntl,sys_devices
        L: none

kcfd is an example of a privilege-aware daemon: it runs as daemon with exactly three privileges and an empty limit set, so nothing it spawns can ever gain more.
# svcadm -v enable -s apache2
svc:/network/http:apache2 enabled.

jmoekamp@client:~$ ps -ef | grep http
webservd  1978  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1979  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1980  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1984  1975   0 12:20:02 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
    root  1975     1   0 12:19:14 ?           0:01 /usr/apache2/2.2/bin/httpd -k start
webservd  1977  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1976  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start

root@client:~# ppriv 1977
1977:   /usr/apache2/2.2/bin/httpd -k start
flags = <none>
        E: basic
        I: basic
        P: basic
        L: all
root@client:~# ppriv 1975
1975:   /usr/apache2/2.2/bin/httpd -k start
flags = <none>
        E: all
        I: basic
        P: all
        L: all
root@client:~#
The Apache parent process (pid 1975), running as root, has every privilege in the list above in its effective and permitted sets. The worker processes, running as webservd, have only the basic set. What Apache really needs is a handful: the basic set plus net_privaddr, so that it can bind port 80 (proc_session, proc_info and file_link_any are already part of basic). So, with the default start method, you grant a large number of privileges to one process that Apache doesn't need.
# svcadm -v disable -s apache2
svc:/network/http:apache2 disabled.

root@client:~# svccfg -s apache22
svc:/network/http:apache22> setprop start/user = astring: webservd
svc:/network/http:apache22> setprop start/group = astring: webservd
svc:/network/http:apache22> setprop start/privileges = astring: basic,proc_session,proc_info,file_link_any,net_privaddr
svc:/network/http:apache22> setprop start/limit_privileges = astring: :default
svc:/network/http:apache22> setprop start/use_profile = boolean: false
svc:/network/http:apache22> setprop start/supp_groups = astring: :default
svc:/network/http:apache22> setprop start/working_directory = astring: :default
svc:/network/http:apache22> setprop start/project = astring: :default
svc:/network/http:apache22> setprop start/resource_pool = astring: :default
svc:/network/http:apache22> end
root@client:~# svcadm -v refresh apache22
Action refresh set for svc:/network/http:apache22.

# echo "LockFile /var/apache2/2.2/logs/accept.lock" >> /etc/apache2/2.2/httpd.conf
# echo "PidFile /var/apache2/2.2/run/httpd.pid" >> /etc/apache2/2.2/httpd.conf
# mkdir -p -m 755 /var/apache2/2.2/run
# chown webservd:webservd /var/apache2/2.2/run
# svcadm enable apache22

Because httpd no longer starts as root, its lock file and pid file have to live somewhere webservd can write.

webservd  3064  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3062  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3063  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3066  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3061     1   0 16:49:17 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3065  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start

Now the parent (pid 3061) runs as webservd too, with basic plus net_privaddr instead of all.
Read-only zone root

zonecfg:testzone> set file-mac-profile=none
    Standard read-write non-global zone, with no additional protection beyond the existing zones boundaries.

zonecfg:testzone> set file-mac-profile=strict
    Read-only file system, no exceptions.

zonecfg:testzone> set file-mac-profile=fixed-configuration
    Permits updates to /var/* directories, with the exception of directories that contain system configuration components.

zonecfg:testzone> set file-mac-profile=flexible-configuration
    Permits modification of files in /etc/* directories, changes to root's home directory, and updates to /var/* directories. This configuration provides the closest functionality to the Oracle Solaris 10 native sparse root zone.
In-kernel SSL proxy

# mkdir /etc/keys
# cd /etc/keys
# openssl req -x509 -nodes -days 365 -subj "/C=DE/ST=Hamburg/L=Hamburg/CN=server" -newkey rsa:1024 -keyout /etc/keys/mykey.pem -out /etc/keys/mycert.pem
# cat mycert.pem mykey.pem > my.pem
# chmod 600 my.pem

(-nodes leaves the private key unencrypted, so the 600 mode on my.pem is what protects it. 1024-bit RSA is below today's minimum; use 2048 bits or more.)

# echo "pass" > /etc/keys/mypass
# ksslcfg create -f pem -i /etc/keys/my.pem -x 8080 -p /etc/keys/mypass server 443

kssl terminates TLS on port 443 inside the kernel and hands the decrypted stream to the web server listening on port 8080 on the same host.

With an explicit cipher suite list:
# ksslcfg create -f pem -i /etc/keys/my.pem -x 8080 -p /etc/keys/mypass -c rsa_aes_256_cbc_sha,rsa_aes_128_cbc_sha,rsa_rc4_128_sha,rsa_rc4_128_md5 server 443

(RC4 has since been prohibited for TLS by RFC 7465; leave the two rsa_rc4_* suites out of -c.)

# svcs -a | grep kssl
online          9:03:33 svc:/network/ssl/proxy:kssl-server-443

# svcadm disable apache22
# echo "Listen 192.168.178.108:8080" >> /etc/apache2/2.2/httpd.conf
# svcadm enable apache22

Port number and IP address have to be defined in httpd.conf, otherwise it will not work.
# openssl s_client -connect server:443
CONNECTED(00000004)
depth=0 /C=DE/ST=Hamburg/L=Hamburg/CN=server
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=DE/ST=Hamburg/L=Hamburg/CN=server
verify return:1
---
Certificate chain
 0 s:/C=DE/ST=Hamburg/L=Hamburg/CN=server
   i:/C=DE/ST=Hamburg/L=Hamburg/CN=server
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICoTCCAgqgAwIBAgIJAKyJdj[...]V5jX3MU=
-----END CERTIFICATE-----
subject=/C=DE/ST=Hamburg/L=Hamburg/CN=server
issuer=/C=DE/ST=Hamburg/L=Hamburg/CN=server
---
No client certificate CA names sent
---
SSL handshake has read 817 bytes and written 328 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-SHA
    Session-ID: 32CEF20CB9FE2A71C74D40BB2DB5CB304DA1B57540B7CFDD113915B99DBE9812
    Session-ID-ctx:
    Master-Key: 1E7B502390951124779C5763B5E4BBAF0A9B0693D08DCA8A587B503A5C5027B6FAD9CA7626B1AD8C62219E8502A5C21E
    Key-Arg   : None
    Start Time: 1242985143
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
GET / HTTP/1.0

HTTP/1.1 200 OK
Date: Fri, 22 May 2009 09:39:13 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8a DAV/2
Last-Modified: Thu, 21 May 2009 21:26:30 GMT
ETag: "341f3-2c-46a72cc211a8f"
Accept-Ranges: bytes
Content-Length: 44
Connection: close
Content-Type: text/html

<html><body><h1>It works!</h1></body></html>
read:errno=0
ZFS Encryption

zfs create -o encryption=on rpool/export/project

Two keys are involved:
- wrapping key (user settable)
- encryption key (random, not user settable)
The wrapping key can come from: prompt, file, https, pkcs11

Available ciphers: aes-128-ccm (=on), aes-192-ccm, aes-256-ccm, aes-128-gcm, aes-192-gcm, aes-256-gcm
zfs set checksum=sha256+mac <dataset>

Unless encryption=off, something like this happens automatically when the dataset is created, and the checksum property is read-only from then on.
Key stored in a PKCS#11 token:

pktool genkey keystore=pkcs11 keytype=aes keylen=128 label=mykey
Enter PIN for Sun Software PKCS#11 softtoken:
zfs create -o encryption=on -o keysource=raw,pkcs11:object=mykey tank/project/C
Enter PKCS#11 token PIN for 'tank/project/C':

Key fetched over https:

zfs create -o encryption=on -o keysource=raw,https://keys.example.com/mykey tank/project/R
cp myservercert.pem /etc/certs/CA
svcadm refresh ca-certificates

Changing the wrapping key:

$ zfs key -c rpool/export/project
Enter new passphrase for 'rpool/export/project':

Changing the encryption key for data written from now on:

zfs key -K tank/project/A
zfs clone -K tank/project/A@montag tank/project/D

Creates a new data encryption key. Data written in the clone uses the new data encryption key, which is distinct from the one of its original snapshot.
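To make the two-key hierarchy concrete, here is an added illustration (not ZFS code, and not from the original slides) of what the slides above describe: a random data encryption key that the user never chooses, a user-settable wrapping key derived from a passphrase, and `zfs key -c` modelled as re-wrapping only the data key. It uses a toy HMAC-SHA256 counter-mode stream cipher in place of AES-CCM/GCM so that it runs with the Python standard library alone; all names (`EncryptedDataset`, `change_wrapping_key`, the passphrases) are invented for the example, and `zfs key -K` (a second data key for a clone) is not modelled.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy PRF stream: HMAC-SHA256 in counter mode (stand-in for AES-CCM/GCM)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (same operation) by XOR with the keystream."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def tag(key: bytes, *parts: bytes) -> bytes:
    """Integrity tag over nonce+ciphertext, playing the role of the sha256-mac checksum."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()


def derive_wrapping_key(passphrase: str, salt: bytes) -> bytes:
    """The user-settable key: derived from the passphrase (keysource=passphrase,prompt)."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000, 32)


@dataclass
class EncryptedDataset:
    salt: bytes
    wrap_nonce: bytes
    wrapped_key: bytes                            # random data key, encrypted under the wrapping key
    wrap_tag: bytes
    blocks: list = field(default_factory=list)    # (nonce, ciphertext, tag) per block written


def create_dataset(passphrase: str) -> EncryptedDataset:
    data_key = os.urandom(32)                      # random, never chosen by the user
    salt, nonce = os.urandom(16), os.urandom(16)
    wk = derive_wrapping_key(passphrase, salt)
    wrapped = xor_crypt(wk, nonce, data_key)
    return EncryptedDataset(salt, nonce, wrapped, tag(wk, nonce, wrapped))


def unwrap_data_key(ds: EncryptedDataset, passphrase: str) -> bytes:
    wk = derive_wrapping_key(passphrase, ds.salt)
    if not hmac.compare_digest(tag(wk, ds.wrap_nonce, ds.wrapped_key), ds.wrap_tag):
        raise ValueError("wrapping key does not unwrap the data key (wrong passphrase)")
    return xor_crypt(wk, ds.wrap_nonce, ds.wrapped_key)


def write_block(ds: EncryptedDataset, passphrase: str, plaintext: bytes) -> None:
    dk = unwrap_data_key(ds, passphrase)
    nonce = os.urandom(16)
    ct = xor_crypt(dk, nonce, plaintext)
    ds.blocks.append((nonce, ct, tag(dk, nonce, ct)))


def read_block(ds: EncryptedDataset, passphrase: str, index: int) -> bytes:
    dk = unwrap_data_key(ds, passphrase)
    nonce, ct, t = ds.blocks[index]
    if not hmac.compare_digest(tag(dk, nonce, ct), t):
        raise ValueError("block integrity check failed")
    return xor_crypt(dk, nonce, ct)


def change_wrapping_key(ds: EncryptedDataset, old_passphrase: str, new_passphrase: str) -> None:
    """What `zfs key -c` amounts to: re-wrap the data key; no data block is rewritten."""
    dk = unwrap_data_key(ds, old_passphrase)
    ds.salt, ds.wrap_nonce = os.urandom(16), os.urandom(16)
    wk = derive_wrapping_key(new_passphrase, ds.salt)
    ds.wrapped_key = xor_crypt(wk, ds.wrap_nonce, dk)
    ds.wrap_tag = tag(wk, ds.wrap_nonce, ds.wrapped_key)


def demo() -> dict:
    """Change the passphrase and show that the stored ciphertext did not move."""
    ds = create_dataset("supersecret")
    write_block(ds, "supersecret", b"highly confidential NDA preso")
    ciphertext_before = [b[1] for b in ds.blocks]
    change_wrapping_key(ds, "supersecret", "newsecret")
    try:
        unwrap_data_key(ds, "supersecret")
        old_passphrase_works = True
    except ValueError:
        old_passphrase_works = False
    return {
        "data_unchanged": ciphertext_before == [b[1] for b in ds.blocks],
        "old_passphrase_works": old_passphrase_works,
        "plaintext": read_block(ds, "newsecret", 0),
    }


if __name__ == "__main__":
    print(demo())
```

The point the demo makes is the one that matters operationally: rotating the wrapping key is cheap and leaves every data block untouched, while the data key itself never leaves the system in the clear.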
Solaris Cryptographic Framework

As soon as Solaris detects hardware acceleration for cryptography, Solaris will use it (and so will applications using the Oracle-supplied OpenSSL library or the direct interfaces):
- on-chip crypto accelerator in T- and current M-series chips
- instruction set extensions in Intel processors (AES-NI)
- supported crypto accelerator cards

Just a side note: T-series crypto acceleration and Intel x86 acceleration have pretty different performance characteristics.
T-series: acceleration by offloading crypto outside the pipeline.
Intel x86: acceleration by offering special in-pipeline instructions to accelerate execution.
Sounds like splitting hairs, but it matters for the performance profile you get.
Using ZFS to do two-factor encryption

jmoekamp@solaris:~$ rmformat
Looking for devices...
     1. Logical Node: /dev/rdsk/c10t0d0p0
        Physical Node: /pci@0,0/pci8086,265c@b/storage@2/disk@0,0
        Connected Device: SanDisk  U3 Cruzer Micro  8.02
        Device Type: Removable
        Bus: USB
        Size: 3.8 GB
        Label:
        Access permissions: Medium is not write protected.
(...)
     3. Logical Node: /dev/rdsk/c9t0d0p0
        Physical Node: /pci@0,0/pci8086,265c@b/storage@1/disk@0,0
        Connected Device: SanDisk  U3 Cruzer Micro  8.02
        Device Type: Removable
        Bus: USB
        Size: 3.8 GB
        Label:
        Access permissions: Medium is not write protected.

root@solaris:~# zpool create a_keystore_usbstick /dev/dsk/c10t0d0p0
root@solaris:~# zpool create datastore /dev/dsk/c9t0d0p0

root@solaris:~# zfs create -o encryption=on a_keystore_usbstick/keys
Enter passphrase for 'a_keystore_usbstick/keys': supersecret
Enter again: supersecret

root@solaris:~# pktool genkey keystore=file keytype=aes keylen=128 outkey=/a_keystore_usbstick/keys/joergsdatastick.key

root@solaris:~# zfs create -o encryption=on -o keysource=raw,file:///a_keystore_usbstick/keys/joergsdatastick.key datastick/joergssecrets

root@solaris:/datastick/joergssecrets# mv /home/jmoekamp/highlyconfidential_nda_preso.tgz .

root@solaris:~# zpool export a_keystore_usbstick
root@solaris:~# zpool export datastick

root@solaris:~# zpool import a_keystore_usbstick
Enter passphrase for 'a_keystore_usbstick/keys': supersecret
root@solaris:~#

root@solaris:~# zpool import datastick
root@solaris:~# cd /datastick/joergssecrets
root@solaris:/datastick/joergssecrets# ls
highconfidential_nda_preso.tgz
Basic Auditing and Reporting Tool

mkdir /bart-files
bart create -R /etc > /bart-files/etc.control.manifest

cat /bart-files/etc.control.manifest | grep nsswitch.nisplus
/nsswitch.nisplus F 2525 100644 user::rw-,group::r--,mask:r--,other:r-- 473976b5 0 3 79e8fd689a5221d1cd059e5077da71b8

Now some changes:

touch /etc/thisisjustatest
chmod 777 /etc/nsswitch.files
echo "just a test" >> /etc/nsswitch.nisplus

bart create -R /etc > /bart-files/etc.check.20130911.manifest

cd /bart-files
bart compare etc.control.manifest etc.check.20130911.manifest
/nsswitch.files:
  mode  control:100644  test:100777
  acl  control:user::rw-,group::r--,mask:r--,other:r--  test:user::rwx,group::rwx,mask:rwx,other:rwx
/nsswitch.nisplus:
  size  control:2525  test:2538
  mtime  control:473976b5  test:47a44862
  contents  control:79e8fd689a5221d1cd059e5077da71b8  test:3f79176ec352441db11ec8a3d02ef67c
/thisisjustatest:
  add

Find more information regarding this feature at:
http://www.c0t0d0s0.org/archives/4069-Less-known-Solaris-features-BART.html
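What bart does here is simple enough to restate in a few dozen lines, which makes the output above easier to read. The following is an added illustration written for this page, not bart(1M) itself: it records a subset of what a manifest carries (type, size, mode, mtime, MD5 of contents), compares two manifests, and replays the three changes from the slide (new file, chmod 777, appended line) on a constructed temporary directory. Function names and the sample files are made up for the example.

```python
import hashlib
import os
import stat
import tempfile


def create_manifest(root: str) -> dict:
    """Walk `root` and record, per entry, a subset of what `bart create -R root`
    records: type, size, mode, mtime and an MD5 of regular-file contents."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            entry = {
                "type": "D" if stat.S_ISDIR(st.st_mode) else "F",
                "size": st.st_size,
                "mode": "%o" % stat.S_IMODE(st.st_mode),
                "mtime": "%x" % int(st.st_mtime),
            }
            if stat.S_ISREG(st.st_mode):
                with open(full, "rb") as fh:
                    entry["contents"] = hashlib.md5(fh.read()).hexdigest()
            manifest["/" + os.path.relpath(full, root)] = entry
    return manifest


def compare_manifests(control: dict, test: dict) -> dict:
    """Like `bart compare control test`: per path, the attributes that changed
    as (control, test) pairs, or an 'add' / 'delete' marker."""
    report = {}
    for path in sorted(set(control) | set(test)):
        if path not in control:
            report[path] = {"add": None}
        elif path not in test:
            report[path] = {"delete": None}
        else:
            changed = {k: (control[path][k], test[path].get(k))
                       for k in control[path] if control[path][k] != test[path].get(k)}
            if changed:
                report[path] = changed
    return report


def format_report(report: dict) -> str:
    """Render in bart compare's style: a path line, then indented attribute lines."""
    lines = []
    for path, attrs in report.items():
        lines.append(path + ":")
        for k, v in attrs.items():
            lines.append("  %s" % k if v is None else "  %s  control:%s  test:%s" % (k, v[0], v[1]))
    return "\n".join(lines)


def demo() -> dict:
    """Replay the slide's tampering on a constructed stand-in for /etc."""
    with tempfile.TemporaryDirectory() as root:
        for name, body in (("nsswitch.files", "hosts: files\n"), ("nsswitch.nisplus", "hosts: nisplus\n")):
            with open(os.path.join(root, name), "w") as fh:
                fh.write(body)
            os.chmod(os.path.join(root, name), 0o644)
        control = create_manifest(root)
        open(os.path.join(root, "thisisjustatest"), "w").close()      # touch
        os.chmod(os.path.join(root, "nsswitch.files"), 0o777)        # chmod 777
        with open(os.path.join(root, "nsswitch.nisplus"), "a") as fh:
            fh.write("just a test\n")                                  # echo >> file
        return compare_manifests(control, create_manifest(root))


if __name__ == "__main__":
    print(format_report(demo()))
```

Two things the toy makes obvious about the real tool as well: the control manifest is only as trustworthy as the place you keep it (a manifest on the same box as the files it describes can be edited along with them), and a contents change is caught by the hash even when size and mode are put back.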
Apropos Auditing

Auditing is activated by default.

root@client:~# auditconfig -getflags
active user default audit flags = lo(0x1000,0x1000)
configured user default audit flags = lo(0x1000,0x1000)
root@client:~# auditconfig -getnaflags
active non-attributable audit flags = lo(0x1000,0x1000)
configured non-attributable audit flags = lo(0x1000,0x1000)

root@client:~# auditconfig -getpolicy
configured audit policies = cnt
active audit policies = cnt

Policy regarding auditing (explanation on the next slide):

root@client:~# auditconfig -lspolicy
policy string        description:
ahlt                 halt machine if it can not record an async event
all                  all policies
arge                 include exec environment args in audit recs
argv                 include exec command line args in audit recs
cnt                  when no more space, drop recs and keep a cnt
group                include supplementary groups in audit recs
none                 no policies
path                 allow multiple paths per event
perzone              use a separate queue and auditd per zone
public               audit public files
seq                  include a sequence number in audit recs
trail                include trailer token in audit recs
windata_down         include downgraded window information in audit recs
windata_up           include upgraded window information in audit recs
zonename             include zonename token in audit recs

Which degree of detail? What happens with full disks?

root@client:~# auditconfig -getplugin
Plugin: audit_binfile (active)
        Attributes: p_dir=/var/audit;p_fsize=0;p_minfree=1;
Plugin: audit_syslog (inactive)
        Attributes: p_flags=;
Plugin: audit_remote (inactive)
        Attributes: p_hosts=;p_retries=3;p_timeout=5;

root@client:~# auditconfig -setflags lo,ps,fw
user default audit flags = ps,lo,fw(0x101002,0x101002)
root@client:~# auditconfig -setnaflags lo,na
non-attributable audit flags = lo,na(0x1400,0x1400)

lo and na are the only sensible flags for non-attributable events.

root@client:~# usermod -K audit_flags=fw,as junior

root@client:~# auditconfig -lsevent | grep lo
AUE_login               6152 lo login - local
AUE_logout              6153 lo logout
AUE_telnet              6154 lo login - telnet
AUE_rlogin              6155 lo login - rlogin
AUE_rshd                6158 lo rsh access
AUE_su                  6159 lo su
AUE_rexecd              6162 lo rexecd
AUE_passwd              6163 lo passwd
AUE_rexd                6164 lo rexd
AUE_ftpd                6165 lo ftp access
AUE_ftpd_logout         6171 lo ftp logout
AUE_ssh                 6172 lo login - ssh
AUE_role_login          6173 lo role login
AUE_rad_login           6174 lo connect to RAD
AUE_newgrp_login        6212 lo newgrp login
AUE_admin_authenticate  6213 lo admin login
AUE_screenlock          6221 lo screenlock - lock
AUE_screenunlock        6222 lo screenlock - unlock
AUE_zlogin              6227 lo login - zlogin
AUE_su_logout           6228 lo su logout
AUE_role_logout         6229 lo role logout
AUE_smbd_session        6244 lo smbd(1m) session setup
AUE_smbd_logoff         6245 lo smbd(1m) session logoff

root@client:~# auditconfig -lsevent | grep ps
AUE_EXIT                1 ps exit(2)
AUE_FORKALL             2 ps forkall(2)
AUE_VFORK               25 ps vfork(2)
AUE_FORK1               241 ps fork1(2)
root@client:~# auditconfig -lsevent | grep fw
AUE_OPEN_W              76 fw open(2) - write

auditreduce -c ps /var/audit/20130912183630.not_terminated.client | praudit
header,139,2,execve(2),,client,2013-09-12 18:40:55.924 +00:00
path,/usr/sbin/auditreduce
attribute,100555,root,bin,65538,65875,18446744073709551615
subject,jmoekamp,root,root,root,root,2054,1440080956,2480 202240 192.168.10.1
return,success,0

root@client:~# auditconfig -setflags all
user default audit flags = all(0xffffffffffffffff,0xffffffffffffffff)

Not always (in the sense of: never) a good idea.

Useful after trying things out: starting a new audit file.
root@client:~# audit -n

root@client:~# auditstat
  gen  nona  kern   aud  ctl    enq   wrtn wblk rblk drop  tot mem
38248     1 38233    14   0  37791  37788    0 3491  457 5169   0

"all" activated for a few seconds on an unloaded system.
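The `auditconfig -getflags` / `-setflags` lines above encode the same information twice: the class names and, in parentheses, the active and configured bit masks. A compliance check that reads this output should verify both agree and that the classes you require (at least `lo`) are configured. The block below is an added illustration written for this page, not Solaris code; the class masks are those that can be read off the slide output (`lo`=0x1000, `na`=0x400, `fw`=0x2, and `ps`=0x100000 from `ps,lo,fw(0x101002,...)`), so any other class name would need the real /etc/security/audit_class. The sample lines are constructed in the slide's format.

```python
import re

# Class masks readable from the slide's auditconfig output (not a full audit_class).
AUDIT_CLASS = {"fw": 0x2, "na": 0x400, "lo": 0x1000, "ps": 0x100000}
ALL_MASK = 0xFFFFFFFFFFFFFFFF

# "<what> = <classes>(<active mask>,<configured mask>)"
FLAGS_LINE = re.compile(
    r"^(?P<what>.*?audit flags) = (?P<classes>[a-z,]+)"
    r"\((?P<active>0x[0-9a-f]+),(?P<configured>0x[0-9a-f]+)\)$")


def mask_for(classes) -> int:
    """OR the class bits together; 'all' is the full 64-bit mask."""
    mask = 0
    for name in classes:
        mask |= ALL_MASK if name == "all" else AUDIT_CLASS[name]
    return mask


def classes_for(mask: int) -> list:
    """Decode a mask back into class names, lowest bit first."""
    if mask == ALL_MASK:
        return ["all"]
    return [name for name, bit in sorted(AUDIT_CLASS.items(), key=lambda kv: kv[1]) if mask & bit]


def parse_flags_line(line: str) -> dict:
    m = FLAGS_LINE.match(line.strip())
    if not m:
        raise ValueError("not an auditconfig flags line: %r" % line)
    classes = m.group("classes").split(",")
    active, configured = int(m.group("active"), 16), int(m.group("configured"), 16)
    return {"what": m.group("what"), "classes": classes,
            "active": active, "configured": configured,
            # the names and the two hex masks must all describe the same set
            "consistent": mask_for(classes) == active == configured}


def check_required(lines, required) -> list:
    """One bool per line: do the configured classes include every required one?"""
    result = []
    for line in lines:
        have = classes_for(parse_flags_line(line)["configured"])
        result.append(have == ["all"] or set(required) <= set(have))
    return result


# Constructed sample, in the format of the slide's auditconfig output.
SAMPLE = [
    "active user default audit flags = lo(0x1000,0x1000)",
    "user default audit flags = ps,lo,fw(0x101002,0x101002)",
    "non-attributable audit flags = lo,na(0x1400,0x1400)",
    "user default audit flags = all(0xffffffffffffffff,0xffffffffffffffff)",
]

if __name__ == "__main__":
    for line, ok in zip(SAMPLE, check_required(SAMPLE, ["lo"])):
        print("%-5s %s" % (ok, line))
```

In practice you would feed the live output of `auditconfig -getflags` and `-getnaflags` into `check_required` from a compliance job, and treat a mismatch between names and masks as a reason to look at the host rather than something to auto-correct.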
SSH and X509

root@ca:~# CA.pl -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
......++++++
......++++++
writing new private key to '/etc/openssl/private/cakey.pem'
Enter PEM pass phrase: supersecret1
Verifying - Enter PEM pass phrase: supersecret1
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:DE
State or Province Name (full name) []:Lower Saxony
Locality Name (eg, city) []:Lueneburg
Organization Name (eg, company) []:c0t0d0s0.org
Organizational Unit Name (eg, section) []:Security Department
Common Name (eg, server FQDN or YOUR name) []:CA
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openssl/openssl.cnf
Enter pass phrase for /etc/openssl/private/cakey.pem: supersecret1
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            b3:54:80:88:66:ad:e8:78
        Validity
            Not Before: Sep 26 10:11:09 2013 GMT
            Not After : Sep 25 10:11:09 2016 GMT
        Subject:
            countryName               = DE
            stateOrProvinceName       = Lower Saxony
            organizationName          = c0t0d0s0.org
            organizationalUnitName    = Security Department
            commonName                = CA
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44
            X509v3 Authority Key Identifier:
                keyid:5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44

            X509v3 Basic Constraints:
                CA:TRUE
Certificate is to be certified until Sep 25 10:11:09 2016 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated
root@ca:~# mkdir server
root@ca:~# cd server
root@ca:~/server# CA.pl -newreq
Generating a 1024 bit RSA private key
......++++++
......++++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase: supersecret2
Verifying - Enter PEM pass phrase: supersecret2
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:DE
State or Province Name (full name) []:Lower Saxony
Locality Name (eg, city) []:Lueneburg
Organization Name (eg, company) []:c0t0d0s0.org
Organizational Unit Name (eg, section) []:Server Certificates
Common Name (eg, server FQDN or YOUR name) []:server
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem

root@ca:~/server# CA.pl -signreq
Using configuration from /etc/openssl/openssl.cnf
Enter pass phrase for /etc/openssl/private/cakey.pem: supersecret1
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            b3:54:80:88:66:ad:e8:79
        Validity
            Not Before: Sep 26 10:29:12 2013 GMT
            Not After : Sep 26 10:29:12 2014 GMT
        Subject:
            countryName               = DE
            stateOrProvinceName       = Lower Saxony
            localityName              = Lueneburg
            organizationName          = c0t0d0s0.org
            organizationalUnitName    = Server Certificates
            commonName                = server
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                A7:DC:03:DE:B3:D5:FB:F9:C0:06:F1:1A:55:A9:AD:04:C4:9C:10:FA
            X509v3 Authority Key Identifier:
                keyid:5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44

Certificate is to be certified until Sep 26 10:29:12 2014 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
root@ca:~/server# ls -l
total 15
-rw-r--r--   1 root     root        3196 Sep 26 12:29 newcert.pem
-rw-r--r--   1 root     root        1041 Sep 26 12:28 newkey.pem
-rw-r--r--   1 root     root         680 Sep 26 12:28 newreq.pem
root@ca:~/junior# CA.pl -newreq
Generating a 1024 bit RSA private key
......++++++
......++++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
Verify failure
Enter PEM pass phrase: supersecret3
Verifying - Enter PEM pass phrase: supersecret3
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:DE
State or Province Name (full name) []:Lower Saxony
Locality Name (eg, city) []:Lueneburg
Organization Name (eg, company) []:c0t0d0s0.org
Organizational Unit Name (eg, section) []:User certificates
Common Name (eg, server FQDN or YOUR name) []:junior
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem

root@ca:~/junior# CA.pl -signreq
Using configuration from /etc/openssl/openssl.cnf
Enter pass phrase for /etc/openssl/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            b3:54:80:88:66:ad:e8:7a
        Validity
            Not Before: Sep 26 11:09:29 2013 GMT
            Not After : Sep 26 11:09:29 2014 GMT
        Subject:
            countryName               = DE
            stateOrProvinceName       = Lower Saxony
            localityName              = Lueneburg
            organizationName          = c0t0d0s0.org
            organizationalUnitName    = User certificates
            commonName                = junior
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                A1:F2:FC:9D:8A:E2:AD:9A:F5:29:03:F5:B7:14:93:3C:64:62:8E:9C
            X509v3 Authority Key Identifier:
                keyid:5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44

Certificate is to be certified until Sep 26 11:09:29 2014 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
root@server:~# useradd -m junior
80 blocks
root@server:~# passwd junior
New Password:
Re-enter new Password:
passwd: password successfully changed for junior
root@server:~#

root@client:~# useradd -m junior
80 blocks
root@client:~# passwd junior
New Password:
Re-enter new Password:
passwd: password successfully changed for junior

root@server:~# echo "192.168.105.1 server" >> /etc/hosts
root@server:~# echo "192.168.105.2 client" >> /etc/hosts

root@client:~# echo "192.168.105.1 server" >> /etc/hosts
root@client:~# echo "192.168.105.2 client" >> /etc/hosts

root@ca:~/server# scp /etc/openssl/cacert.pem jmoekamp@192.168.1.109:/export/home/jmoekamp
Password:
cacert.pem           100% |*****************************|  3011       00:00
root@ca:~/server# scp newcert.pem jmoekamp@192.168.1.109:/export/home/jmoekamp
Password:
newcert.pem          100% |*****************************|  3196       00:00
root@ca:~/server# scp newkey.pem jmoekamp@192.168.1.109:/export/home/jmoekamp
Password:
newkey.pem           100% |*****************************|  1041       00:00

root@ca:~/junior# scp newkey.pem junior@client:/export/home/junior
Password:
newkey.pem           100% |*****************************|  1041       00:00
root@ca:~/junior# scp newcert.pem junior@client:/export/home/junior
Password:
newcert.pem          100% |*****************************|  3190       00:00
root@ca:~/junior# scp /etc/openssl/cacert.pem junior@192.168.1.104:/export/home/junior
Password:
cacert.pem           100% |*****************************|  3011       00:00
On the Server

root@server:~# ls
cacert.pem  newcert.pem  newkey.pem

root@server:~# pktool setpin
Enter token passphrase: changeme
Create new passphrase: superserversecret
Re-enter new passphrase: superserversecret
Passphrase changed.
root@server:~#

root@server:~# printf "superserversecret" > /etc/ssh/pinfile

root@server:~# kmfcfg create dbfile=/etc/ssh/policy.xml policy=ssh ta-name=search mapper-name=cn

root@server:~# echo "TrustedAnchorKeystore /etc/ssh/cert" >> /etc/ssh/sshd_config
root@server:~# echo "KMFPolicyDatabase /etc/ssh/policy.xml" >> /etc/ssh/sshd_config
root@server:~# echo "KMFPolicyName ssh" >> /etc/ssh/sshd_config
root@server:~# echo "HostKey pkcs11:object=host;token=Sun Metaslot;pinfile=/etc/ssh/pinfile" >> /etc/ssh/sshd_config

root@server:~# pktool import keystore=pkcs11 infile=newkey.pem objtype=key label=host
Enter PIN for Sun Software PKCS#11 softtoken : superserversecret
Enter PEM pass phrase: supersecret2
Importing 1 keys

root@server:~# egrep -v "^ |^$|^Cert" /export/home/jmoekamp/cacert.pem > /etc/ssh/cert/cacert.cooked.pem
root@server:~# egrep -v "^ |^$|^Cert" newcert.pem > newcert.cooked.pem
root@server:~# pktool import keystore=pkcs11 infile=newcert.cooked.pem objtype=cert label=host
root@server:~#
On the client

junior@client:~$ ls *.pem
cacert.pem  newcert.pem  newkey.pem

root@client:~# kmfcfg create dbfile=/etc/ssh/policy.xml policy=ssh ta-name=search mapper-name=cn
root@client:~# egrep -v "^ |^$|^Cert" /export/home/junior/cacert.pem > /etc/ssh/cert/cacert.cooked.pem

junior@client:~$ pktool setpin
Enter token passphrase: changeme
Create new passphrase: superusersecret
Re-enter new passphrase: superusersecret
Passphrase changed.

junior@client:~$ pktool import keystore=pkcs11 infile=newkey.pem objtype=key label=user
Enter PIN for Sun Software PKCS#11 softtoken : superusersecret
Enter PEM pass phrase: supersecret3
Importing 1 keys
junior@client:~$ egrep -v "^ |^$|^Cert" newcert.pem > newcert.cooked.pem
junior@client:~$ pktool import keystore=pkcs11 infile=newcert.cooked.pem objtype=cert label=user
Testing it

root@server:~# svcadm disable ssh
root@server:~# svcadm enable ssh

junior@client:~$ cd .ssh
junior@client:~/.ssh$ printf "superusersecret" >> pinfile
junior@client:~/.ssh$ cat config
Host server-x509
  Hostname server
  TrustedAnchorKeystore /etc/ssh/cert
  KMFPolicyDatabase /etc/ssh/policy.xml
  KMFPolicyName ssh
  IdentityFile pkcs11:object=user;token=Sun Software PKCS#11 softtoken;pinfile=/export/home/junior/.ssh/pinfile

junior@client:~/.ssh$ ssh junior@server-x509
Last login: Thu Sep 26 20:07:14 2013 from client
Oracle Corporation      SunOS 5.11      11.1    September 2013
junior@server:~$

Find more information regarding this feature at:
http://www.c0t0d0s0.org/archives/7659-Using-X509-support-for-SSH-on-Solaris-11.1.html
OpenSCAP

"The Security Content Automation Protocol (SCAP) is a method for using specific standards to enable automated vulnerability management, measurement, and policy compliance evaluation (e.g., FISMA compliance). The National Vulnerability Database (NVD) is the U.S. government content repository for SCAP."
http://en.wikipedia.org/wiki/Security_Content_Automation_Protocol
ftp-banner.xml

<?xml version="1.0" encoding="UTF-8"?>
<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5"
    xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5"
    xmlns:independent-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"
    xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd">
  <generator>
    <oval:product_name>Enhanced SCAP Editor</oval:product_name>
    <oval:product_version>0.0.11</oval:product_version>
    <oval:schema_version>5.8</oval:schema_version>
    <oval:timestamp>2012-10-11T10:33:25</oval:timestamp>
  </generator>
  <!--generated.oval.base.identifier=com.oracle.solaris11-->
  <definitions>
    <definition id="oval:com.oracle.solaris11:def:840" version="1" class="compliance">
      <metadata>
        <title>Enable a Warning Banner for the FTP Service</title>
        <affected family="unix">
          <platform>Oracle Solaris 11</platform>
        </affected>
        <description>/etc/proftpd.conf contains "DisplayConnect /etc/issue"</description>
      </metadata>
      <criteria operator="AND" negate="false" comment="Single test">
        <criterion comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;" test_ref="oval:com.oracle.solaris11:tst:8400" negate="false"/>
      </criteria>
    </definition>
  </definitions>
  <tests>
    <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:com.oracle.solaris11:tst:8400" version="1" check="all" comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;" check_existence="all_exist">
      <object object_ref="oval:com.oracle.solaris11:obj:8400"/>
    </textfilecontent54_test>
  </tests>
  <objects>
    <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:com.oracle.solaris11:obj:8400" version="1" comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;">
      <path datatype="string" operation="equals">/etc</path>
      <filename datatype="string" operation="equals">proftpd.conf</filename>
      <pattern datatype="string" operation="pattern match">^DisplayConnect\s+/etc/issue\s*$</pattern>
      <instance datatype="int" operation="greater than or equal">1</instance>
    </textfilecontent54_object>
  </objects>
</oval_definitions>

The part that does the actual work is the textfilecontent54_object: which file (path + filename), which regular expression has to match, and how many matching instances are required.
$ oscap oval eval ftp-banner.xml
Definition oval:com.oracle.solaris11:def:840: false
Evaluation done.

$ oscap oval eval --results results.xml --report report.html ftp-banner.xml
Definition oval:com.oracle.solaris11:def:840: false
Evaluation done.
OVAL Results are exported correctly.

To create your own OVAL files: Enhanced SCAP Content Editor

Find more information regarding this feature at:
https://blogs.oracle.com/darren/entry/compliance_reporting_with_scap
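To show what `oscap oval eval` actually does with ftp-banner.xml, here is an added illustration written for this page, not OpenSCAP's code: it parses a trimmed copy of the definition, resolves criterion, test and object references, and evaluates the one textfilecontent54 object (path/filename `equals`, `pattern match`, `instance` `greater than or equal`) against a directory that stands in for `/`. It implements only the operations that ftp-banner.xml uses, and the three /etc/proftpd.conf states it evaluates are constructed for the example.

```python
import os
import re
import tempfile
import xml.etree.ElementTree as ET

# Trimmed copy of ftp-banner.xml: the definition, its test and its object.
OVAL_XML = r"""<?xml version="1.0" encoding="UTF-8"?>
<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
  <definitions>
    <definition id="oval:com.oracle.solaris11:def:840" version="1" class="compliance">
      <criteria operator="AND" negate="false" comment="Single test">
        <criterion test_ref="oval:com.oracle.solaris11:tst:8400" negate="false"/>
      </criteria>
    </definition>
  </definitions>
  <tests>
    <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"
        id="oval:com.oracle.solaris11:tst:8400" version="1" check="all" check_existence="all_exist">
      <object object_ref="oval:com.oracle.solaris11:obj:8400"/>
    </textfilecontent54_test>
  </tests>
  <objects>
    <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"
        id="oval:com.oracle.solaris11:obj:8400" version="1">
      <path datatype="string" operation="equals">/etc</path>
      <filename datatype="string" operation="equals">proftpd.conf</filename>
      <pattern datatype="string" operation="pattern match">^DisplayConnect\s+/etc/issue\s*$</pattern>
      <instance datatype="int" operation="greater than or equal">1</instance>
    </textfilecontent54_object>
  </objects>
</oval_definitions>"""

DEF = "{http://oval.mitre.org/XMLSchema/oval-definitions-5}"
IND = "{http://oval.mitre.org/XMLSchema/oval-definitions-5#independent}"


def eval_textfilecontent54(obj, fs_root: str) -> bool:
    """Collect the object's items: lines of path/filename (under fs_root) that
    match the pattern.  Only the operations ftp-banner.xml uses are implemented."""
    path = obj.find(IND + "path").text
    filename = obj.find(IND + "filename").text
    pattern = re.compile(obj.find(IND + "pattern").text, re.MULTILINE)
    instance = obj.find(IND + "instance")
    if instance.get("operation") != "greater than or equal":
        raise NotImplementedError(instance.get("operation"))
    target = os.path.join(fs_root, path.lstrip("/"), filename)
    if not os.path.isfile(target):
        return False          # no item collected: check_existence=all_exist fails
    with open(target, encoding="utf-8") as fh:
        matches = pattern.findall(fh.read())
    return len(matches) >= int(instance.text)


def evaluate(oval_xml: str, fs_root: str) -> dict:
    """Return {definition id: True/False}, the verdict `oscap oval eval` prints."""
    root = ET.fromstring(oval_xml.encode("utf-8"))
    tests = {t.get("id"): t for t in root.find(DEF + "tests")}
    objects = {o.get("id"): o for o in root.find(DEF + "objects")}
    results = {}
    for definition in root.find(DEF + "definitions"):
        criteria = definition.find(DEF + "criteria")
        verdicts = []
        for criterion in criteria.iter(DEF + "criterion"):
            test = tests[criterion.get("test_ref")]
            obj = objects[test.find(IND + "object").get("object_ref")]
            verdict = eval_textfilecontent54(obj, fs_root)
            verdicts.append(not verdict if criterion.get("negate") == "true" else verdict)
        combine = all if criteria.get("operator", "AND") == "AND" else any
        results[definition.get("id")] = combine(verdicts)
    return results


def demo() -> dict:
    """Run the definition against three constructed states of /etc/proftpd.conf."""
    cases = {
        "no_config": None,
        "commented_out": 'ServerName "FTP"\n# DisplayConnect /etc/issue\n',
        "banner_set": 'ServerName "FTP"\nDisplayConnect /etc/issue\n',
    }
    outcome = {}
    for label, body in cases.items():
        with tempfile.TemporaryDirectory() as fs_root:
            os.makedirs(os.path.join(fs_root, "etc"))
            if body is not None:
                with open(os.path.join(fs_root, "etc", "proftpd.conf"), "w") as fh:
                    fh.write(body)
            outcome[label] = evaluate(OVAL_XML, fs_root)["oval:com.oracle.solaris11:def:840"]
    return outcome


if __name__ == "__main__":
    print(demo())
```

The "commented_out" case is the one worth noticing when writing your own content: the anchored `^DisplayConnect` pattern is what keeps a commented-out directive from counting as compliant, and the "no_config" case shows why `check_existence="all_exist"` matters, since a missing file would otherwise be silently reported as passing.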
root@client:/etc/security# cat /etc/security/policy.conf | egrep "^CRYPT_DEFAULT"
CRYPT_DEFAULT=5
root@client:/etc/security# cat /etc/shadow | grep junior
junior:$5$4aKvDFqA$2kL8GpuXjrdf8XpanqhylEP5lDhy1DF5uo1ZYx74f3159291440

root@client:/etc/security# cat /etc/default/passwd | grep -v "^#" | egrep -v "^$"
MAXWEEKS=
MINWEEKS=
PASSLENGTH=6
NAMECHECK=NO
HISTORY=0
MINDIFF=3
MINALPHA=2
MINNONALPHA=1
MINUPPER=0
MINLOWER=0
MAXREPEATS=0
MINSPECIAL=0
MINDIGIT=0
WHITESPACE=YES
DICTIONLIST=
DICTIONDBDIR=/var/passwd

root@client:~# mkpwdict -s /usr/share/lib/dict/words
mkpwdict: using default database location: /var/passwd.

or

root@client:~# mkpwdict -s /usr/share/lib/dict/words -d /var/passwd
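The /etc/default/passwd parameters listed above are easiest to understand by applying them. The block below is an added illustration written for this page, not the Solaris passwd(1) implementation: it parses the settings exactly as printed on the slide, applies their documented semantics (a value of 0 disables a check, MINDIFF counts differing positions against the old password, NAMECHECK looks for the user name), and adds the dictionary lookup that mkpwdict prepares. The word list and the test passwords are constructed for the example.

```python
# Settings as printed on the slide (0 disables a check, as in passwd(1)).
DEFAULT_PASSWD = """\
MAXWEEKS=
MINWEEKS=
PASSLENGTH=6
NAMECHECK=NO
HISTORY=0
MINDIFF=3
MINALPHA=2
MINNONALPHA=1
MINUPPER=0
MINLOWER=0
MAXREPEATS=0
MINSPECIAL=0
MINDIGIT=0
WHITESPACE=YES
DICTIONLIST=
DICTIONDBDIR=/var/passwd
"""

# Constructed stand-in for the database mkpwdict builds from /usr/share/lib/dict/words.
DICTIONARY = {"password", "secret", "solaris", "oracle", "letmein"}


def load_policy(text: str) -> dict:
    """Parse KEY=VALUE lines; comments and blanks are skipped, numbers become ints."""
    policy = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        policy[key.strip()] = int(value) if value.isdigit() else value
    return policy


def longest_run(s: str) -> int:
    """Length of the longest run of one repeated character (MAXREPEATS)."""
    best = run = 0
    for i, c in enumerate(s):
        run = run + 1 if i and s[i - 1] == c else 1
        best = max(best, run)
    return best


def check_password(new: str, old: str = "", username: str = "",
                   policy: dict = None, dictionary: set = DICTIONARY) -> list:
    """Return the names of the violated /etc/default/passwd rules (empty = accepted)."""
    p = policy or load_policy(DEFAULT_PASSWD)
    violations = []
    alpha = sum(c.isalpha() for c in new)
    counts = {
        "MINALPHA": alpha,
        "MINNONALPHA": len(new) - alpha,
        "MINUPPER": sum(c.isupper() for c in new),
        "MINLOWER": sum(c.islower() for c in new),
        "MINDIGIT": sum(c.isdigit() for c in new),
        "MINSPECIAL": sum(not c.isalnum() and not c.isspace() for c in new),
    }
    if len(new) < p["PASSLENGTH"]:
        violations.append("PASSLENGTH")
    violations += [k for k, n in counts.items() if p.get(k, 0) and n < p[k]]
    if p.get("WHITESPACE") == "NO" and any(c.isspace() for c in new):
        violations.append("WHITESPACE")
    if p.get("MAXREPEATS") and longest_run(new) > p["MAXREPEATS"]:
        violations.append("MAXREPEATS")
    if p.get("NAMECHECK") == "YES" and username and username.lower() in new.lower():
        violations.append("NAMECHECK")
    if old and p.get("MINDIFF"):
        # positions that differ, plus any difference in length
        differing = sum(a != b for a, b in zip(old, new)) + abs(len(old) - len(new))
        if differing < p["MINDIFF"]:
            violations.append("MINDIFF")
    if new.lower() in dictionary:
        violations.append("DICTIONLIST")
    return violations


if __name__ == "__main__":
    for candidate in ("abc", "password", "abc1def"):
        print(candidate, check_password(candidate) or "accepted")
```

With the slide's settings, "abc1def" passes while "password" fails twice (no non-alphabetic character, and a dictionary word); tightening MAXREPEATS or NAMECHECK changes the verdicts as the test below shows.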
Address Space Layout Randomization

Two runs with ASLR disabled: the same layout every time.

root@solaris:~# sxadm exec -s aslr=disable /usr/bin/pmap self
1914:   /usr/bin/pmap self
0000000000400000      28K r-x--  /usr/bin/pmap
0000000000417000       4K rw---  /usr/bin/pmap
0000000000418000      40K rw---    [ heap ]
FFFF80FFBDDD0000     216K r-x--  /lib/amd64/libproc.so.1
FFFF80FFBDE16000       8K rw---  /lib/amd64/libproc.so.1
FFFF80FFBF430000    1764K r-x--  /lib/amd64/libc.so.1
FFFF80FFBF5F9000      64K rw---  /lib/amd64/libc.so.1
FFFF80FFBF609000      12K rw---  /lib/amd64/libc.so.1
FFFF80FFBF740000       4K rw---    [ anon ]
FFFF80FFBF750000      24K rwx--    [ anon ]
FFFF80FFBF760000       4K rw---    [ anon ]
FFFF80FFBF770000       4K rw---    [ anon ]
FFFF80FFBF780000       4K rw---    [ anon ]
FFFF80FFBF790000       4K rw---    [ anon ]
FFFF80FFBF792000       4K r--s-    [ anon ]
FFFF80FFBF795000     340K r-x--  /lib/amd64/ld.so.1
FFFF80FFBF7FA000      12K rwx--  /lib/amd64/ld.so.1
FFFF80FFBF7FD000       8K rwx--  /lib/amd64/ld.so.1
FFFF80FFBFFFD000      12K rw---    [ stack ]
 total          2556K

root@solaris:~# sxadm exec -s aslr=disable /usr/bin/pmap self
1915:   /usr/bin/pmap self
0000000000400000      28K r-x--  /usr/bin/pmap
0000000000417000       4K rw---  /usr/bin/pmap
0000000000418000      40K rw---    [ heap ]
FFFF80FFBDDD0000     216K r-x--  /lib/amd64/libproc.so.1
FFFF80FFBDE16000       8K rw---  /lib/amd64/libproc.so.1
FFFF80FFBF430000    1764K r-x--  /lib/amd64/libc.so.1
FFFF80FFBF5F9000      64K rw---  /lib/amd64/libc.so.1
FFFF80FFBF609000      12K rw---  /lib/amd64/libc.so.1
FFFF80FFBF740000       4K rw---    [ anon ]
FFFF80FFBF750000      24K rwx--    [ anon ]
FFFF80FFBF760000       4K rw---    [ anon ]
FFFF80FFBF770000       4K rw---    [ anon ]
FFFF80FFBF780000       4K rw---    [ anon ]
FFFF80FFBF790000       4K rw---    [ anon ]
FFFF80FFBF792000       4K r--s-    [ anon ]
FFFF80FFBF795000     340K r-x--  /lib/amd64/ld.so.1
FFFF80FFBF7FA000      12K rwx--  /lib/amd64/ld.so.1
FFFF80FFBF7FD000       8K rwx--  /lib/amd64/ld.so.1
FFFF80FFBFFFD000      12K rw---    [ stack ]
 total          2556K

Two runs with ASLR enabled: heap, libraries and stack move between runs.

root@solaris:~# sxadm exec -s aslr=enable /usr/bin/pmap self
1917:   /usr/bin/pmap self
0000000000400000      28K r-x--  /usr/bin/pmap
0000000000417000       4K rw---  /usr/bin/pmap
0000000000418000       8K rw---  /usr/bin/pmap
00000005D6666000      36K rw---    [ heap ]
00007FF669C70000     216K r-x--  /lib/amd64/libproc.so.1
00007FF669CB6000       8K rw---  /lib/amd64/libproc.so.1
00007FF669CC0000       4K rw---    [ anon ]
00007FF669CD0000      24K rwx--    [ anon ]
00007FF669CE0000       4K rw---    [ anon ]
00007FF669CF0000    1764K r-x--  /lib/amd64/libc.so.1
00007FF669EB9000      64K rw---  /lib/amd64/libc.so.1
00007FF669EC9000      12K rw---  /lib/amd64/libc.so.1
00007FF669ED0000       4K rw---    [ anon ]
00007FF669EE0000       4K rw---    [ anon ]
00007FF669EF0000       4K rw---    [ anon ]
00007FF669EF2000       4K r--s-    [ anon ]
00007FF669EFC000     340K r-x--  /lib/amd64/ld.so.1
00007FF669F61000      12K rwx--  /lib/amd64/ld.so.1
00007FF669F64000       8K rwx--  /lib/amd64/ld.so.1
FFFF80DDA254F000      16K rw---    [ stack ]
 total          2564K

root@solaris:~# sxadm exec -s aslr=enable /usr/bin/pmap self
1918:   /usr/bin/pmap self
0000000000400000      28K r-x--  /usr/bin/pmap
0000000000417000       4K rw---  /usr/bin/pmap
0000000000418000       8K rw---  /usr/bin/pmap
000000065B76D000      36K rw---    [ heap ]
00007FFAACFC0000     216K r-x--  /lib/amd64/libproc.so.1
00007FFAAD006000       8K rw---  /lib/amd64/libproc.so.1
00007FFAAD010000       4K rw---    [ anon ]
00007FFAAD020000      24K rwx--    [ anon ]
00007FFAAD030000       4K rw---    [ anon ]
00007FFAAD040000    1764K r-x--  /lib/amd64/libc.so.1
00007FFAAD209000      64K rw---  /lib/amd64/libc.so.1
00007FFAAD219000      12K rw---  /lib/amd64/libc.so.1
00007FFAAD220000       4K rw---    [ anon ]
00007FFAAD230000       4K rw---    [ anon ]
00007FFAAD240000       4K rw---    [ anon ]
00007FFAAD242000       4K r--s-    [ anon ]
00007FFAAD24D000     340K r-x--  /lib/amd64/ld.so.1
00007FFAAD2B2000      12K rwx--  /lib/amd64/ld.so.1
00007FFAAD2B5000       8K rwx--  /lib/amd64/ld.so.1
FFFF80DE1559E000      12K rw---    [ stack ]

The system-wide default is to randomize only binaries tagged for it; the tag lives in the ELF dynamic section and can be flipped with elfedit:

root@solaris:~# sxadm info
EXTENSION           STATUS                         CONFIGURATION
aslr                enabled (tagged-files)         system default (default)

root@solaris:~# elfdump -d /usr/bin/pmap | grep ASLR
      [33]  SUNW_ASLR         0x2                 ENABLE

root@solaris:~# elfedit -e 'dyn:sunw_aslr disable' /usr/bin/pmap

root@solaris:~# elfdump -d /usr/bin/pmap | grep ASLR
      [33]  SUNW_ASLR         0x1                 DISABLE

root@solaris:~# sxadm enable -c model=all aslr
root@solaris:~# sxadm info
EXTENSION           STATUS                         CONFIGURATION
aslr                enabled (all)                  enabled (all)

root@solaris:~# sxadm disable aslr
root@solaris:~# sxadm info
EXTENSION           STATUS                         CONFIGURATION
aslr                disabled                       disabled

root@solaris:~# sxadm enable -c model=tagged-files aslr
root@solaris:~# sxadm info
EXTENSION           STATUS                         CONFIGURATION
aslr                enabled (tagged-files)         enabled (tagged-files)
pfedit

root@template:/etc/apache2/2.2# profiles -p "httpd edit"
profiles:httpd edit> set auths=solaris.admin.edit//etc/apache2/2.2/httpd.conf
profiles:httpd edit> set desc="Edit httpd"
profiles:httpd edit> exit

root@template:/etc/apache2/2.2# usermod -P +"httpd edit" junior

junior@template:~$ profiles
httpd edit
Basic Solaris User
All

junior@template:~$ vi /etc/apache2/2.2/httpd.conf

junior@template:~$ pfedit /etc/apache2/2.2/httpd.conf
pfedit: /etc/apache2/2.2/httpd.conf has been updated.

junior@template:~$ pfedit /etc/apache2/2.2/mime.types
pfedit: User junior is not authorized to edit the file /etc/apache2/2.2/mime.types

root@template:/etc/apache2/2.2# profiles -p "httpd edit"
profiles:httpd edit> info
        name=httpd edit
        desc=Edit httpd
        auths=solaris.admin.edit//etc/apache2/2.2/httpd.conf
profiles:httpd edit> add auths=solaris.admin.edit//etc/apache2/2.2/mime.types

junior@template:~$ pfedit /etc/apache2/2.2/mime.types
pfedit: no changes for /etc/apache2/2.2/mime.types

profiles -p "httpd configure"
profiles:httpd configure> add always_audit=as
profiles:httpd configure> info
        name=httpd configure
        desc=Configure httpd
        auths=solaris.admin.edit//etc/apache2/2.2/httpd.conf,solaris.admin.edit//etc/apache2/2.2/mime.types
        always_audit=as
        never_audit=no
profiles:httpd configure> exit
root@template:~#

root@template:~# auditreduce -c as | praudit
[...]
header,486,2,edit administrative file,,fe80::a00:27ff:fea6:33cb,2013-08-12 07:45:52.306 +00:00
subject,junior,junior,staff,junior,staff,4212,447467166,369 136704 MacBook-Pro-of-c0t0d0s0.fritz.box
path,/etc/apache2/2.2/httpd.conf
use of authorization,solaris.admin.edit//etc/apache2/2.2/httpd.conf
text,--- /etc/apache2/2.2/httpd.conf Mo Aug 12 07:45:00 2013
+++ /etc/apache2/2.2/httpd.conf.pfedit.1BaGoi Mo Aug 12 07:45:52 2013
@@ -1,5 +1,6 @@
 # Test
 # Test 2
+# Test 3
 # This is the main Apache HTTP server configuration file.  It contains the
 # configuration directives that give the server its instructions.
return,success,0
Delegating privilege to restart services (so you can keep the root password)

junior@template:~$ svcadm refresh apache22
svcadm: svc:/network/http:apache22: Permission denied.

svcs -a | grep apache22
online         15:30:29 svc:/network/http:apache22

auths add -t "Apache22 value" solaris.smf.value.http.apache22
auths add -t "Apache22 action" solaris.smf.action.http.apache22

svccfg -s apache22 setprop general/value_authorization = astring: solaris.smf.value.http.apache22
svccfg -s apache22 setprop general/action_authorization = astring: solaris.smf.action.http.apache22

profiles -p "httpd edit" "add auths=solaris.smf.action.http.apache22"

junior@template:~$ svcadm refresh apache22
junior@template:~$
Privileges

$ ls -l /usr/sbin/traceroute
-r-sr-xr-x   1 root     bin        42324 Nov 21 00:09 /usr/sbin/traceroute
$ ls -l /usr/sbin/ping
-r-sr-xr-x   1 root     bin        51396 Nov 18 19:31 /usr/sbin/ping
set-uid to root: ping needs it to work

# chmod -s /sbin/ping
# exit
$ ping -s 192.168.1.132
ping: socket Permission denied
Remove the set-uid bit and ping stops working.

jmoekamp@daddelkiste:~$ ppriv $$
2153:   -bash
flags = <none>
        E: basic
        I: basic
        P: basic
        L: all

The complete list of privileges (the following slides show this same list with different parts highlighted):
contract_event, contract_identity, contract_observer, cpc_cpu,
dtrace_kernel, dtrace_proc, dtrace_user,
file_chown, file_chown_self, file_dac_execute, file_dac_read, file_dac_search, file_dac_write, file_downgrade_sl, file_flag_set, file_link_any, file_owner, file_read, file_setid, file_upgrade_sl, file_write,
graphics_access, graphics_map,
ipc_dac_read, ipc_dac_write, ipc_owner,
net_access, net_bindmlp, net_icmpaccess, net_mac_aware, net_mac_implicit, net_observability, net_privaddr, net_rawaccess,
proc_audit, proc_chroot, proc_clock_highres, proc_exec, proc_fork, proc_info, proc_lock_memory, proc_owner, proc_priocntl, proc_session, proc_setid, proc_taskid, proc_zone,
sys_acct, sys_admin, sys_audit, sys_config, sys_devices, sys_dl_config, sys_flow_config, sys_ib_config, sys_ib_info, sys_ip_config, sys_ipc_config, sys_iptun_config, sys_linkdir, sys_mount, sys_net_config, sys_nfs, sys_ppp_config, sys_res_bind, sys_res_config, sys_resource, sys_share, sys_smb, sys_suser_compat, sys_time, sys_trans_label,
win_colormap, win_config, win_dac_read, win_dac_write, win_devices, win_dga, win_downgrade_sl, win_fontpath, win_mac_read, win_mac_write, win_selection, win_upgrade_sl

All privileges in their entirety assigned to one user are (almost)

Neat extension in Solaris 11: the ability to use networking is now a privilege. It is part of the default set of privileges, but you can remove it.
jmoekamp@daddelkiste:~$ ppriv -v $$
2153:   -bash
flags = <none>
        E: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
        I: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
        P: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
        L: contract_event,contract_identity,contract_observer,cpc_cpu,dtrace_kernel,dtrace_proc,dtrace_user,file_chown,file_chown_self,file_dac_execute,file_dac_read,file_dac_search,file_dac_write,file_downgrade_sl,file_flag_set,file_link_any,file_owner,file_read,file_setid,file_upgrade_sl,file_write,graphics_access,graphics_map,ipc_dac_read,ipc_dac_write,ipc_owner,net_access,net_bindmlp,net_icmpaccess,net_mac_aware,net_mac_implicit,net_observability,net_privaddr,net_rawaccess,proc_audit,proc_chroot,proc_clock_highres,proc_exec,proc_fork,proc_info,proc_lock_memory,proc_owner,proc_priocntl,proc_session,proc_setid,proc_taskid,proc_zone,sys_acct,sys_admin,sys_audit,sys_config,sys_devices,sys_dl_config,sys_flow_config,sys_ib_config,sys_ib_info,sys_ip_config,sys_ipc_config,sys_iptun_config,sys_linkdir,sys_mount,sys_net_config,sys_nfs,sys_ppp_config,sys_res_bind,sys_res_config,sys_resource,sys_share,sys_smb,sys_suser_compat,sys_time,sys_trans_label,win_colormap,win_config,win_dac_read,win_dac_write,win_devices,win_dga,win_downgrade_sl,win_fontpath,win_mac_read,win_mac_write,win_selection,win_upgrade_sl

root@daddelkiste:~# ppriv $$
2183:   -bash
flags = <none>
        E: all
        I: basic
        P: all
        L: all

junior@daddelkiste:~$ dtrace -n 'syscall:::entry { @num[execname] = count(); }'
dtrace: failed to initialize dtrace: DTrace requires additional privileges

root@daddelkiste:~# usermod -K defaultpriv=basic,dtrace_kernel,dtrace_proc,dtrace_user junior
UX: usermod: junior is currently logged in, some changes may not take effect until next login.

junior@daddelkiste:~$ dtrace -n 'syscall:::entry { @num[execname] = count(); }'
dtrace: description 'syscall:::entry' matched 211 probes
^C
  automountd        1
  sshd             24
  dtrace          544
  auditd          564

# ps -ef | grep kcfd
  daemon   125     1   0 14:24:19 ?           0:00 /usr/lib/crypto/kcfd
    root   734   728   0 15:54:08 pts/1       0:00 grep kcfd
# ppriv -v 125
125:    /usr/lib/crypto/kcfd
flags = PRIV_AWARE
        E: file_owner,proc_priocntl,sys_devices
        I: none
        P: file_owner,proc_priocntl,sys_devices
        L: none
# svcadm -v enable -s apache2
svc:/network/http:apache2 enabled.

jmoekamp@client:~$ ps -ef | grep http
webservd  1978  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1979  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1980  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1984  1975   0 12:20:02 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
    root  1975     1   0 12:19:14 ?           0:01 /usr/apache2/2.2/bin/httpd -k start
webservd  1977  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1976  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start

root@client:~# ppriv 1977
1977:   /usr/apache2/2.2/bin/httpd -k start
flags = <none>
        E: basic
        I: basic
        P: basic
        L: all
root@client:~# ppriv 1975
1975:   /usr/apache2/2.2/bin/httpd -k start
flags = <none>
        E: all
        I: basic
        P: all
        L: all
root@client:~#

The apache process running as root has the following privileges: all of them.
The other processes have the following privileges: the basic set.
Apache really needs only a few of them.
So you grant a large number of privileges to one process that Apache doesn't need.
# svcadm -v disable -s apache2
svc:/network/http:apache2 disabled.

root@client:~# svccfg -s apache22
svc:/network/http:apache22> setprop start/user = astring: webservd
svc:/network/http:apache22> setprop start/group = astring: webservd
svc:/network/http:apache22> setprop start/privileges = astring: basic,proc_session,proc_info,file_link_any,net_privaddr
svc:/network/http:apache22> setprop start/limit_privileges = astring: :default
svc:/network/http:apache22> setprop start/use_profile = boolean: false
svc:/network/http:apache22> setprop start/supp_groups = astring: :default
svc:/network/http:apache22> setprop start/working_directory = astring: :default
svc:/network/http:apache22> setprop start/project = astring: :default
svc:/network/http:apache22> setprop start/resource_pool = astring: :default
svc:/network/http:apache22> end
root@client:~# svcadm -v refresh apache22
Action refresh set for svc:/network/http:apache22.

# echo "LockFile /var/apache2/2.2/logs/accept.lock" >> /etc/apache2/2.2/httpd.conf
# echo "PidFile /var/apache2/2.2/run/httpd.pid" >> /etc/apache2/2.2/httpd.conf
# mkdir -p -m 755 /var/apache2/2.2/run
# chown webservd:webservd /var/apache2/2.2/run
# svcadm enable apache22

webservd  3064  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3062  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3063  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3066  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3061     1   0 16:49:17 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3065  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
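The ppriv listings above show the problem (httpd started as root has E: all) and the svccfg method context shows the fix. As an added example that is not from the slides and not Solaris code, the Python below parses ppriv -v output for a process and reports which effective privileges exceed what the service needs. It uses the privilege list and the basic set printed on the earlier slides and the set the hardened method context grants (basic plus proc_session, proc_info, file_link_any and net_privaddr). The two ppriv samples are constructed to mirror the deck's root-started and webservd-started httpd; the function names are mine.

```python
"""Check a process's Solaris privilege sets against what the workload needs.
Added example; the ppriv samples below are constructed, not captured."""

# Complete privilege list as printed on the "all privileges" slide.
ALL_PRIVS = frozenset("""
contract_event contract_identity contract_observer cpc_cpu dtrace_kernel
dtrace_proc dtrace_user file_chown file_chown_self file_dac_execute
file_dac_read file_dac_search file_dac_write file_downgrade_sl file_flag_set
file_link_any file_owner file_read file_setid file_upgrade_sl file_write
graphics_access graphics_map ipc_dac_read ipc_dac_write ipc_owner net_access
net_bindmlp net_icmpaccess net_mac_aware net_mac_implicit net_observability
net_privaddr net_rawaccess proc_audit proc_chroot proc_clock_highres proc_exec
proc_fork proc_info proc_lock_memory proc_owner proc_priocntl proc_session
proc_setid proc_taskid proc_zone sys_acct sys_admin sys_audit sys_config
sys_devices sys_dl_config sys_flow_config sys_ib_config sys_ib_info
sys_ip_config sys_ipc_config sys_iptun_config sys_linkdir sys_mount
sys_net_config sys_nfs sys_ppp_config sys_res_bind sys_res_config sys_resource
sys_share sys_smb sys_suser_compat sys_time sys_trans_label win_colormap
win_config win_dac_read win_dac_write win_devices win_dga win_downgrade_sl
win_fontpath win_mac_read win_mac_write win_selection win_upgrade_sl
""".split())

# The "basic" set exactly as ppriv -v expanded it on the deck's host.
BASIC_PRIVS = frozenset("""
file_link_any file_read file_write net_access proc_exec proc_fork proc_info
proc_session sys_ib_info
""".split())

# start/privileges from the hardened method context on the slide:
# basic,proc_session,proc_info,file_link_any,net_privaddr (port 80 needs net_privaddr)
APACHE_NEEDED = BASIC_PRIVS | {"net_privaddr"}


def expand(token):
    """Expand one set as ppriv prints it: 'all', 'basic', 'none' or a comma list."""
    name = token.strip()
    if name == "all":
        return set(ALL_PRIVS)
    if name == "basic":
        return set(BASIC_PRIVS)
    if name in ("none", ""):
        return set()
    return set(name.split(","))


def parse_ppriv(text):
    """Return {'E': set, 'I': set, 'P': set, 'L': set} from ppriv/ppriv -v output."""
    sets = {}
    for line in text.splitlines():
        line = line.strip()
        if len(line) > 2 and line[0] in "EIPL" and line[1] == ":":
            sets[line[0]] = expand(line[2:])
    missing = {"E", "I", "P", "L"} - set(sets)
    if missing:
        raise ValueError("incomplete ppriv output, missing sets: %s" % sorted(missing))
    return sets


def excess_privileges(sets, needed):
    """Effective privileges the workload does not need: what a compromise gets for free."""
    return sets["E"] - needed


def limit_allows_more(sets, needed):
    """True if the limit set still permits a child (after exec) to hold more
    than needed; tightening start/limit_privileges closes that."""
    return bool(sets["L"] - needed)


# Constructed sample: the root-started parent (pid 1975) before hardening.
ROOT_HTTPD = """1975:\t/usr/apache2/2.2/bin/httpd -k start
flags = <none>
\tE: all
\tI: basic
\tP: all
\tL: all
"""

# Constructed sample: the parent after start/user=webservd and start/privileges
# were set; the limit set is deliberately left at 'all' to show the second check.
WEBSERVD_HTTPD = """3061:\t/usr/apache2/2.2/bin/httpd -k start
flags = <none>
\tE: file_link_any,file_read,file_write,net_access,net_privaddr,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
\tI: file_link_any,file_read,file_write,net_access,net_privaddr,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
\tP: file_link_any,file_read,file_write,net_access,net_privaddr,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
\tL: all
"""

if __name__ == "__main__":
    for label, sample in (("root httpd", ROOT_HTTPD), ("webservd httpd", WEBSERVD_HTTPD)):
        s = parse_ppriv(sample)
        print("%-15s excess=%3d  limit allows more: %s" % (
            label, len(excess_privileges(s, APACHE_NEEDED)), limit_allows_more(s, APACHE_NEEDED)))
```

On a live system the same check runs over `ppriv -v <pid>` for every httpd process; a non-empty excess set is the finding, and the limit-set check tells you whether start/limit_privileges also deserves a value.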
Read-only zone root

zonecfg:testzone> set file-mac-profile=none
    Standard read-write non-global zone with no additional protection beyond the existing zone boundaries.
zonecfg:testzone> set file-mac-profile=strict
    Read-only file system, no exceptions.
zonecfg:testzone> set file-mac-profile=fixed-configuration
    Permits updates to /var/* directories, with the exception of directories that contain system configuration components.
zonecfg:testzone> set file-mac-profile=flexible-configuration
    Permits modification of files in /etc/* directories, changes to root's home directory and updates to /var/* directories. This configuration provides the closest functionality to the Oracle Solaris 10 native sparse root zone.
in-kernel SSL Proxy

# mkdir /etc/keys
# cd /etc/keys
# openssl req -x509 -nodes -days 365 -subj "/C=DE/ST=Hamburg/L=Hamburg/CN=server" -newkey rsa:1024 -keyout /etc/keys/mykey.pem -out /etc/keys/mycert.pem
# cat mycert.pem mykey.pem > my.pem
# chmod 600 my.pem

# echo "pass" > /etc/keys/mypass
# ksslcfg create -f pem -i /etc/keys/my.pem -x 8080 -p /etc/keys/mypass server 443

# ksslcfg create -f pem -i /etc/keys/my.pem -x 8080 -p /etc/keys/mypass -c rsa_aes_256_cbc_sha,rsa_aes_128_cbc_sha,rsa_rc4_128_sha,rsa_rc4_128_md5 server 443

# svcs -a | grep kssl
online          9:03:33 svc:/network/ssl/proxy:kssl-server-443

# svcadm disable apache22
# echo "Listen 192.168.178.108:8080" >> /etc/apache2/2.2/httpd.conf
# svcadm enable apache22
Port number and IP address have to be defined in httpd.conf, otherwise it will not work.

# openssl s_client -connect server:443
CONNECTED(00000004)
depth=0 /C=DE/ST=Hamburg/L=Hamburg/CN=server
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=DE/ST=Hamburg/L=Hamburg/CN=server
verify return:1
---
Certificate chain
 0 s:/C=DE/ST=Hamburg/L=Hamburg/CN=server
   i:/C=DE/ST=Hamburg/L=Hamburg/CN=server
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICoTCCAgqgAwIBAgIJAKyJdj[...]V5jX3MU=
-----END CERTIFICATE-----
subject=/C=DE/ST=Hamburg/L=Hamburg/CN=server
issuer=/C=DE/ST=Hamburg/L=Hamburg/CN=server
---
No client certificate CA names sent
---
SSL handshake has read 817 bytes and written 328 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-SHA
    Session-ID: 32CEF20CB9FE2A71C74D40BB2DB5CB304DA1B57540B7CFDD113915B99DBE9812
    Session-ID-ctx:
    Master-Key: 1E7B502390951124779C5763B5E4BBAF0A9B0693D08DCA8A587B503A5C5027B6FAD9CA7626B1AD8C62219E8502A5C21E
    Key-Arg   : None
    Start Time: 1242985143
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
GET / HTTP/1.0

HTTP/1.1 200 OK
Date: Fri, 22 May 2009 09:39:13 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8a DAV/2
Last-Modified: Thu, 21 May 2009 21:26:30 GMT
ETag: "341f3-2c-46a72cc211a8f"
Accept-Ranges: bytes
Content-Length: 44
Connection: close
Content-Type: text/html

<html><body><h1>It works!</h1></body></html>
read:errno=0
ZFS Encryption

# zfs create -o encryption=on rpool/export/project

Two keys are involved: the wrapping key (user settable; obtained via prompt, file, https or pkcs11) and the data encryption key (random, not user settable), which is stored wrapped by the former.

Algorithms: aes-128-ccm (= on), aes-192-ccm, aes-256-ccm, aes-128-gcm, aes-192-gcm, aes-256-gcm

# zfs set checksum=sha256+mac <dataset>
If encryption is not off, this happens automatically; the checksum property is read-only from then on.

# pktool genkey keystore=pkcs11 keytype=aes keylen=128 label=mykey
Enter PIN for Sun Software PKCS#11 softtoken:
# zfs create -o encryption=on -o keysource=raw,pkcs11:object=mykey tank/project/C
Enter PKCS#11 token PIN for 'tank/project/C':

# zfs create -o encryption=on -o keysource=raw,https://keys.example.com/mykey tank/project/R
# cp myservercert.pem /etc/certs/CA
# svcadm refresh ca-certificates

Changing the wrapping key:
$ zfs key -c rpool/export/project
Enter new passphrase for 'rpool/export/project':

Changing the encryption key (for data written from now on):
# zfs key -K tank/project/A
# zfs clone -K tank/project/A@montag tank/project/D
Creates a new data encryption key. Data written in the clone uses the new data encryption key, which is distinct from the one of its original snapshot.
Solaris Cryptographic Framework

As soon as Solaris detects hardware acceleration for cryptography, Solaris will use it (and so will applications using the Oracle-supplied OpenSSL library or the direct interfaces):
• on-chip crypto accelerator in T and current M series chips
• instruction set extensions in Intel processors (AES-NI)
• supported crypto accelerator cards

Just a side note: T-series crypto acceleration and Intel x86 acceleration have quite different performance characteristics.
T-Series: acceleration by offloading crypto outside the pipeline.
Intel x86: acceleration by offering special in-pipeline instructions to accelerate execution.
Sounds like splitting hairs ...
Using ZFS to do two-factor encryption

jmoekamp@solaris:~$ rmformat
Looking for devices...
     1. Logical Node: /dev/rdsk/c10t0d0p0
        Physical Node: /pci@0,0/pci8086,265c@b/storage@2/disk@0,0
        Connected Device: SanDisk  U3 Cruzer Micro  8.02
        Device Type: Removable
        Bus: USB
        Size: 3.8 GB
        Label:
        Access permissions: Medium is not write protected.
     (...)
     3. Logical Node: /dev/rdsk/c9t0d0p0
        Physical Node: /pci@0,0/pci8086,265c@b/storage@1/disk@0,0
        Connected Device: SanDisk  U3 Cruzer Micro  8.02
        Device Type: Removable
        Bus: USB
        Size: 3.8 GB
        Label:
        Access permissions: Medium is not write protected.

root@solaris:~# zpool create a_keystore_usbstick /dev/dsk/c10t0d0p0
root@solaris:~# zpool create datastick /dev/dsk/c9t0d0p0

root@solaris:~# zfs create -o encryption=on a_keystore_usbstick/keys
Enter passphrase for 'a_keystore_usbstick/keys': supersecret
Enter again: supersecret

root@solaris:~# pktool genkey keystore=file keytype=aes keylen=128 outkey=/a_keystore_usbstick/keys/joergsdatastick.key

root@solaris:~# zfs create -o encryption=on -o keysource=raw,file:///a_keystore_usbstick/keys/joergsdatastick.key datastick/joergssecrets

root@solaris:/datastick/joergssecrets# mv /home/jmoekamp/highlyconfidential_nda_presos.tgz .

root@solaris:~# zpool export a_keystore_usbstick
root@solaris:~# zpool export datastick

root@solaris:~# zpool import a_keystore_usbstick
Enter passphrase for 'a_keystore_usbstick/keys': supersecret
root@solaris:~#

root@solaris:~# zpool import datastick
root@solaris:~# cd /datastick/joergssecrets
root@solaris:/datastick/joergssecrets# ls
highconfidential_nda_presos.tgz
Basic Auditing and Reporting Tool

# mkdir /bart-files
# bart create -R /etc > /bart-files/etc.control.manifest

# cat etc.control.manifest | grep nsswitch.nisplus
/nsswitch.nisplus F 2525 100644 user::rw-,group::r--,mask:r--,other:r-- 473976b5 0 3 79e8fd689a5221d1cd059e5077da71b8

# touch /etc/thisisjustatest
# chmod 777 /etc/nsswitch.files
# echo "just a test" >> /etc/nsswitch.nisplus

# bart create -R /etc > /bart-files/etc.check20130911.manifest

# cd /bart-files
# bart compare etc.control.manifest etc.check20130911.manifest
/nsswitch.files:
  mode  control:100644  test:100777
  acl  control:user::rw-,group::r--,mask:r--,other:r--  test:user::rwx,group::rwx,mask:rwx,other:rwx
/nsswitch.nisplus:
  size  control:2525  test:2538
  mtime  control:473976b5  test:47a44862
  contents  control:79e8fd689a5221d1cd059e5077da71b8  test:3f79176ec352441db11ec8a3d02ef67c
/thisisjustatest:
  add

Find more information regarding this feature at
http://www.c0t0d0s0.org/archives/4069-Less-known-Solaris-features-BART.html
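What bart compare does with the two manifests is simple enough to reimplement, which makes the output above easier to read. The following Python is an added example, not BART's own code: it parses manifests in the field layout shown on the slide (path, type, size, mode, acl, mtime, uid, gid and the contents digest for F entries; dirmtime and no digest for D entries, following bart_manifest(4)) and renders a report in the same layout as the compare output above. The control and test manifests are constructed to reproduce the slide's three changes; apart from the two digests and the sizes taken from the slide, the values are made up, and the header lines are only there to be skipped.

```python
"""Reimplementation of `bart compare` over two manifest texts.
Added example; the manifests below are constructed."""

# Fields after "path type" per entry type. F entries end with the content
# digest; D entries carry a dirmtime and no digest. Other types (L, B, C, P, S)
# are kept opaque here and compared as one string.
FIELDS = {
    "F": ("size", "mode", "acl", "mtime", "uid", "gid", "contents"),
    "D": ("size", "mode", "acl", "dirmtime", "uid", "gid"),
}


def parse_manifest(text):
    """Return {path: {"type": ..., attr: value, ...}}; lines starting with '!' are header."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        parts = line.split()
        path, ftype, values = parts[0], parts[1], parts[2:]
        names = FIELDS.get(ftype)
        if names is None:
            entries[path] = {"type": ftype, "raw": " ".join(values)}
            continue
        if len(values) != len(names):
            raise ValueError("bad field count for %s: %r" % (path, line))
        entries[path] = dict(zip(names, values), type=ftype)
    return entries


def compare(control, test):
    """Return {path: "add" | "delete" | [(attr, control_value, test_value), ...]}."""
    report = {}
    for path in sorted(set(control) | set(test)):
        if path not in control:
            report[path] = "add"
        elif path not in test:
            report[path] = "delete"
        else:
            c, t = control[path], test[path]
            diffs = [(k, c[k], t[k]) for k in c if k != "type" and c[k] != t.get(k)]
            if c["type"] != t["type"]:
                diffs.insert(0, ("type", c["type"], t["type"]))
            if diffs:
                report[path] = diffs
    return report


def format_report(report):
    """Render like bart compare: the path, then one indented line per changed attribute."""
    out = []
    for path, change in report.items():
        out.append(path + ":")
        if isinstance(change, str):
            out.append("  " + change)
        else:
            for attr, c, t in change:
                out.append("  %s  control:%s  test:%s" % (attr, c, t))
    return "\n".join(out)


# Constructed control manifest (bart create -R /etc); digests other than the
# nsswitch.nisplus one are invented.
CONTROL = """! Version 1.1
/ D 32 40755 user::rwx,group::r-x,mask:r-x,other:r-x 473976b5 0 3
/nsswitch.files F 734 100644 user::rw-,group::r--,mask:r--,other:r-- 473976b5 0 3 0a1b2c3d4e5f60718293a4b5c6d7e8f9
/nsswitch.nisplus F 2525 100644 user::rw-,group::r--,mask:r--,other:r-- 473976b5 0 3 79e8fd689a5221d1cd059e5077da71b8
"""

# Constructed test manifest after the slide's touch/chmod/echo.
TEST = """! Version 1.1
/ D 32 40755 user::rwx,group::r-x,mask:r-x,other:r-x 473976b5 0 3
/nsswitch.files F 734 100777 user::rwx,group::rwx,mask:rwx,other:rwx 473976b5 0 3 0a1b2c3d4e5f60718293a4b5c6d7e8f9
/nsswitch.nisplus F 2538 100644 user::rw-,group::r--,mask:r--,other:r-- 47a44862 0 3 3f79176ec352441db11ec8a3d02ef67c
/thisisjustatest F 0 100644 user::rw-,group::r--,mask:r--,other:r-- 47a44862 0 0 d41d8cd98f00b204e9800998ecf8427e
"""

if __name__ == "__main__":
    print(format_report(compare(parse_manifest(CONTROL), parse_manifest(TEST))))
```

The manifest is only as trustworthy as its storage: the contents field in the slide's manifest is an MD5 digest, so the control manifest belongs on a medium the monitored host cannot write (the deck's read-only zone roots or an exported ZFS dataset are natural places), and a clean compare means "unchanged since the control run", not "known good".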
Apropos Auditing

Auditing is activated by default.

root@client:~# auditconfig -getflags
active user default audit flags = lo(0x1000,0x1000)
configured user default audit flags = lo(0x1000,0x1000)
root@client:~# auditconfig -getnaflags
active non-attributable audit flags = lo(0x1000,0x1000)
configured non-attributable audit flags = lo(0x1000,0x1000)

root@client:~# auditconfig -getpolicy
configured audit policies = cnt
active audit policies = cnt
Policy regarding auditing (explanation on the next slide)

root@client:~# auditconfig -lspolicy
policy string    description
ahlt             halt machine if it can not record an async event
all              all policies
arge             include exec environment args in audit recs
argv             include exec command line args in audit recs
cnt              when no more space, drop recs and keep a cnt
group            include supplementary groups in audit recs
none             no policies
path             allow multiple paths per event
perzone          use a separate queue and auditd per zone
public           audit public files
seq              include a sequence number in audit recs
trail            include trailer token in audit recs
windata_down     include downgraded window information in audit recs
windata_up       include upgraded window information in audit recs
zonename         include zonename token in audit recs
Which degree of detail? What happens with full disks?

root@client:~# auditconfig -getplugin
Plugin: audit_binfile (active)
        Attributes: p_dir=/var/audit;p_fsize=0;p_minfree=1;
Plugin: audit_syslog (inactive)
        Attributes: p_flags=;
Plugin: audit_remote (inactive)
        Attributes: p_hosts=;p_retries=3;p_timeout=5;

root@client:~# auditconfig -setflags lo,ps,fw
user default audit flags = ps,lo,fw(0x101002,0x101002)
root@client:~# auditconfig -setnaflags lo,na
non-attributable audit flags = lo,na(0x1400,0x1400)
lo and na are the only sensible flags for non-attributable events.

root@client:~# usermod -K audit_flags=fw,as junior

root@client:~# auditconfig -lsevent | grep lo
AUE_login                  6152 lo     login - local
AUE_logout                 6153 lo     logout
AUE_telnet                 6154 lo     login - telnet
AUE_rlogin                 6155 lo     login - rlogin
AUE_rshd                   6158 lo     rsh access
AUE_su                     6159 lo     su
AUE_rexecd                 6162 lo     rexecd
AUE_passwd                 6163 lo     passwd
AUE_rexd                   6164 lo     rexd
AUE_ftpd                   6165 lo     ftp access
AUE_ftpd_logout            6171 lo     ftp logout
AUE_ssh                    6172 lo     login - ssh
AUE_role_login             6173 lo     role login
AUE_rad_login              6174 lo     connect to RAD
AUE_newgrp_login           6212 lo     newgrp login
AUE_admin_authenticate     6213 lo     admin login
AUE_screenlock             6221 lo     screenlock - lock
AUE_screenunlock           6222 lo     screenlock - unlock
AUE_zlogin                 6227 lo     login - zlogin
AUE_su_logout              6228 lo     su logout
AUE_role_logout            6229 lo     role logout
AUE_smbd_session           6244 lo     smbd(1m) session setup
AUE_smbd_logoff            6245 lo     smbd(1m) session logoff

root@client:~# auditconfig -lsevent | grep ps
AUE_EXIT                      1 ps     exit(2)
AUE_FORKALL                   2 ps     forkall(2)
AUE_VFORK                    25 ps     vfork(2)
AUE_FORK1                   241 ps     fork1(2)
root@client:~# auditconfig -lsevent | grep fw
AUE_OPEN_W                   76 fw     open(2) - write

# auditreduce -c ps /var/audit/20130912183630.not_terminated.client | praudit
header,139,2,execve(2),,client,2013-09-12 18:40:55.924 +00:00
path,/usr/sbin/auditreduce
attribute,100555,root,bin,65538,65875,18446744073709551615
subject,jmoekamp,root,root,root,root,2054,1440080956,2480 202240 192.168.10.1
return,success,0

root@client:~# auditconfig -setflags all
user default audit flags = all(0xffffffffffffffff,0xffffffffffffffff)
Not always (in the sense of: never) a good idea.
Useful after trying things out: start a new audit file.
root@client:~# audit -n

root@client:~# auditstat
   gen  nona  kern   aud   ctl   enq  wrtn  wblk  rblk  drop   tot   mem
 38248     1 38233    14     0 37791 37788     0  3491   457  5169     0
"all" activated for a few seconds on an unloaded system
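The flag strings and the (success,failure) mask pairs that auditconfig echoes back follow a small rule set, and modelling it makes the preselection on the previous slides checkable. The Python below is an added example, not Solaris code: it turns an audit_flags string into the two masks, merges a user's always/never flags with the system default the way user_attr's audit_flags=always:never is applied, and decides whether a given event outcome is preselected. The class bit values are the ones auditconfig printed on these slides (lo=0x1000, ps=0x100000, fw=0x2, na=0x400), so only those classes are in the table; the event table is the subset of auditconfig -lsevent shown above, and the function names are mine.

```python
"""Model of Solaris audit preselection masks. Added example; class bit values
come from the auditconfig output on the slides, the event table from
auditconfig -lsevent as shown there."""

ALL_MASK = 0xffffffffffffffff  # what "auditconfig -setflags all" printed

CLASS_MASK = {
    "lo": 0x1000,    # login/logout          (lo(0x1000,0x1000) on the slide)
    "ps": 0x100000,  # process start/exit    (derived from ps,lo,fw -> 0x101002)
    "fw": 0x2,       # file write            (same derivation)
    "na": 0x400,     # non-attributable      (lo,na -> 0x1400)
    "all": ALL_MASK,
    "no": 0,         # audit nothing
}

# event -> (class, event number), from the deck's auditconfig -lsevent output
EVENTS = {
    "AUE_login": ("lo", 6152),
    "AUE_su": ("lo", 6159),
    "AUE_ssh": ("lo", 6172),
    "AUE_EXIT": ("ps", 1),
    "AUE_FORK1": ("ps", 241),
    "AUE_OPEN_W": ("fw", 76),
}


def parse_flags(flags):
    """Return (success_mask, failure_mask) for a flags string such as 'lo,ps,fw'.
    Prefixes: '+cls' success only, '-cls' failure only, '^cls' remove the class
    from both masks, '^+cls' / '^-cls' remove one outcome only."""
    succ = fail = 0
    for item in flags.split(","):
        item = item.strip()
        if not item:
            continue
        remove = item.startswith("^")
        if remove:
            item = item[1:]
        want_succ = want_fail = True
        if item.startswith("+"):
            want_fail, item = False, item[1:]
        elif item.startswith("-"):
            want_succ, item = False, item[1:]
        if item not in CLASS_MASK:
            raise ValueError("unknown audit class: %r" % item)
        bits = CLASS_MASK[item]
        if remove:
            if want_succ:
                succ &= ~bits
            if want_fail:
                fail &= ~bits
        else:
            if want_succ:
                succ |= bits
            if want_fail:
                fail |= bits
    return succ & ALL_MASK, fail & ALL_MASK


def effective_masks(default_flags, always="", never=""):
    """Per-user preselection: the system default plus the user's always-audit
    flags, minus the never-audit flags (user_attr audit_flags=always:never)."""
    ds, df = parse_flags(default_flags)
    as_, af = parse_flags(always)
    ns, nf = parse_flags(never)
    return (ds | as_) & ~ns & ALL_MASK, (df | af) & ~nf & ALL_MASK


def is_recorded(event, succeeded, masks):
    """True if this outcome of the event falls within the preselection masks."""
    cls, _ = EVENTS[event]
    succ, fail = masks
    return bool((succ if succeeded else fail) & CLASS_MASK[cls])


if __name__ == "__main__":
    print("lo,ps,fw ->", tuple(hex(m) for m in parse_flags("lo,ps,fw")))
    junior = effective_masks("lo", always="fw", never="no")
    for ev in ("AUE_OPEN_W", "AUE_EXIT", "AUE_su"):
        print(ev, "recorded:", is_recorded(ev, True, junior))
```

The masks are the reason the "ps" experiment on the slide produced the execve record of auditreduce itself: once a class is in the default mask every process on the box is in scope, and the auditstat counters above show what "all" costs even on an idle machine.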
SSH and X.509

root@ca:~# CA.pl -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
......++++++
......++++++
writing new private key to '/etc/openssl/private/cakey.pem'
Enter PEM pass phrase: supersecret1
Verifying - Enter PEM pass phrase: supersecret1
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:DE
State or Province Name (full name) []:Lower Saxony
Locality Name (eg, city) []:Lueneburg
Organization Name (eg, company) []:c0t0d0s0.org
Organizational Unit Name (eg, section) []:Security Department
Common Name (eg, server FQDN or YOUR name) []:CA
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openssl/openssl.cnf
Enter pass phrase for /etc/openssl/private/cakey.pem: supersecret1
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            b3:54:80:88:66:ad:e8:78
        Validity
            Not Before: Sep 26 10:11:09 2013 GMT
            Not After : Sep 25 10:11:09 2016 GMT
        Subject:
            countryName               = DE
            stateOrProvinceName       = Lower Saxony
            organizationName          = c0t0d0s0.org
            organizationalUnitName    = Security Department
            commonName                = CA
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44
            X509v3 Authority Key Identifier:
                keyid:5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44
            X509v3 Basic Constraints:
                CA:TRUE
Certificate is to be certified until Sep 25 10:11:09 2016 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated

root@ca:~# mkdir server
root@ca:~# cd server
root@ca:~/server# CA.pl -newreq
Generating a 1024 bit RSA private key
......++++++
......++++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase: supersecret2
Verifying - Enter PEM pass phrase: supersecret2
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:DE
State or Province Name (full name) []:Lower Saxony
Locality Name (eg, city) []:Lueneburg
Organization Name (eg, company) []:c0t0d0s0.org
Organizational Unit Name (eg, section) []:Server Certificates
Common Name (eg, server FQDN or YOUR name) []:server
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem

root@ca:~/server# CA.pl -signreq
Using configuration from /etc/openssl/openssl.cnf
Enter pass phrase for /etc/openssl/private/cakey.pem: supersecret1
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            b3:54:80:88:66:ad:e8:79
        Validity
            Not Before: Sep 26 10:29:12 2013 GMT
            Not After : Sep 26 10:29:12 2014 GMT
        Subject:
            countryName               = DE
            stateOrProvinceName       = Lower Saxony
            localityName              = Lueneburg
            organizationName          = c0t0d0s0.org
            organizationalUnitName    = Server Certificates
            commonName                = server
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                A7:DC:03:DE:B3:D5:FB:F9:C0:06:F1:1A:55:A9:AD:04:C4:9C:10:FA
            X509v3 Authority Key Identifier:
                keyid:5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44

Certificate is to be certified until Sep 26 10:29:12 2014 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
root@ca:~/server# ls -l
total 15
-rw-r--r--   1 root     root        3196 Sep 26 12:29 newcert.pem
-rw-r--r--   1 root     root        1041 Sep 26 12:28 newkey.pem
-rw-r--r--   1 root     root         680 Sep 26 12:28 newreq.pem

root@ca:~/junior# CA.pl -newreq
Generating a 1024 bit RSA private key
......++++++
......++++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
Verify failure
Enter PEM pass phrase: supersecret3
Verifying - Enter PEM pass phrase: supersecret3
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:DE
State or Province Name (full name) []:Lower Saxony
Locality Name (eg, city) []:Lueneburg
Organization Name (eg, company) []:c0t0d0s0.org
Organizational Unit Name (eg, section) []:User certificates
Common Name (eg, server FQDN or YOUR name) []:junior
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem

root@ca:~/junior# CA.pl -signreq
Using configuration from /etc/openssl/openssl.cnf
Enter pass phrase for /etc/openssl/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            b3:54:80:88:66:ad:e8:7a
        Validity
            Not Before: Sep 26 11:09:29 2013 GMT
            Not After : Sep 26 11:09:29 2014 GMT
        Subject:
            countryName               = DE
            stateOrProvinceName       = Lower Saxony
            localityName              = Lueneburg
            organizationName          = c0t0d0s0.org
            organizationalUnitName    = User certificates
            commonName                = junior
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                A1:F2:FC:9D:8A:E2:AD:9A:F5:29:03:F5:B7:14:93:3C:64:62:8E:9C
            X509v3 Authority Key Identifier:
                keyid:5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44

Certificate is to be certified until Sep 26 11:09:29 2014 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem

root@server:~# useradd -m junior
80 blocks
root@server:~# passwd junior
New Password:
Re-enter new Password:
passwd: password successfully changed for junior
root@server:~#

root@client:~# useradd -m junior
80 blocks
root@client:~# passwd junior
New Password:
Re-enter new Password:
passwd: password successfully changed for junior

root@server:~# echo "192.168.10.51 server" >> /etc/hosts
root@server:~# echo "192.168.10.52 client" >> /etc/hosts

root@client:~# echo "192.168.10.51 server" >> /etc/hosts
root@client:~# echo "192.168.10.52 client" >> /etc/hosts

root@ca:~/server# scp /etc/openssl/cacert.pem jmoekamp@192.168.1.109:/export/home/jmoekamp
Password:
cacert.pem           100% |*****************************|  3011       00:00
root@ca:~/server# scp newcert.pem jmoekamp@192.168.1.109:/export/home/jmoekamp
Password:
newcert.pem          100% |*****************************|  3196       00:00
root@ca:~/server# scp newkey.pem jmoekamp@192.168.1.109:/export/home/jmoekamp
Password:
newkey.pem           100% |*****************************|  1041       00:00

root@ca:~/junior# scp newkey.pem junior@client:/export/home/junior
Password:
newkey.pem           100% |*****************************|  1041       00:00
root@ca:~/junior# scp newcert.pem junior@client:/export/home/junior
Password:
newcert.pem          100% |*****************************|  3190       00:00
root@ca:~/junior# scp /etc/openssl/cacert.pem junior@192.168.1.104:/export/home/junior
Password:
cacert.pem           100% |*****************************|  3011       00:00
On the Server
root@server:~# ls
cacert.pem  newcert.pem  newkey.pem
root@server:~# pktool setpin
Enter token passphrase: changeme
Create new passphrase: superserversecret
Re-enter new passphrase: superserversecret
Passphrase changed.
root@server:~#

root@server:~# printf "superserversecret" > /etc/ssh/pinfile
root@server:~# kmfcfg create dbfile=/etc/ssh/policy.xml policy=ssh ta-name=search mapper-name=cn
root@server:~# echo "TrustedAnchorKeystore /etc/ssh/cert" >> /etc/ssh/sshd_config
root@server:~# echo "KMFPolicyDatabase /etc/ssh/policy.xml" >> /etc/ssh/sshd_config
root@server:~# echo "KMFPolicyName ssh" >> /etc/ssh/sshd_config
root@server:~# echo "HostKey pkcs11:object=host;token=Sun Metaslot;pinfile=/etc/ssh/pinfile" >> /etc/ssh/sshd_config
root@server:~# pktool import keystore=pkcs11 infile=newkey.pem objtype=key label=host
Enter PIN for Sun Software PKCS#11 softtoken: superserversecret
Enter PEM pass phrase: supersecret2
Importing 1 keys
root@server:~# egrep -v '^ |^$|^Cert' /export/home/jmoekamp/cacert.pem > /etc/ssh/cert/cacert.cooked.pem
root@server:~# egrep -v '^ |^$|^Cert' newcert.pem > newcert.cooked.pem
root@server:~# pktool import keystore=pkcs11 infile=newcert.cooked.pem objtype=cert label=host
root@server:~#
On the client
junior@client:~$ ls *.pem
cacert.pem  newcert.pem  newkey.pem
root@client:~# kmfcfg create dbfile=/etc/ssh/policy.xml policy=ssh ta-name=search mapper-name=cn
root@client:~# egrep -v '^ |^$|^Cert' /export/home/junior/cacert.pem > /etc/ssh/cert/cacert.cooked.pem
junior@client:~$ pktool setpin
Enter token passphrase: changeme
Create new passphrase: superusersecret
Re-enter new passphrase: superusersecret
Passphrase changed.
junior@client:~$ pktool import keystore=pkcs11 infile=newkey.pem objtype=key label=user
Enter PIN for Sun Software PKCS#11 softtoken: superusersecret
Enter PEM pass phrase: supersecret3
Importing 1 keys
junior@client:~$ egrep -v '^ |^$|^Cert' newcert.pem > newcert.cooked.pem
junior@client:~$ pktool import keystore=pkcs11 infile=newcert.cooked.pem objtype=cert label=user
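The egrep step on the server and on the client exists because CA.pl writes a human-readable dump of the certificate in front of the PEM block, and pktool only wants the PEM part. The following is an added example, not code from the slides or from Solaris, that does the same "cooking" by keeping only complete, base64-valid PEM blocks and rejecting a truncated copy; the sample input is a constructed file in the shape of CA.pl's newcert.pem (the base64 payload is made up, not a real certificate).

```python
"""Extract the PEM block(s) from the files openssl's CA.pl writes.

Added example (not from the slides or from Solaris): keeps only well-formed
-----BEGIN ...----- / -----END ...----- blocks, which is what the
egrep -v '^ |^$|^Cert' step strips down to before pktool import.
"""
import base64
import binascii
import re

_BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")
_END = re.compile(r"^-----END ([A-Z0-9 ]+)-----$")


def extract_pem_blocks(text):
    """Return a list of (label, pem_text) for every well-formed block in text.

    Raises ValueError on an END without BEGIN, a label mismatch, a BEGIN
    without END, or a body that is not valid base64 (a truncated copy).
    """
    blocks = []
    label = None
    body = []
    for raw in text.splitlines():
        line = raw.strip()
        m = _BEGIN.match(line)
        if m:
            if label is not None:
                raise ValueError("nested BEGIN inside %s block" % label)
            label, body = m.group(1), [line]
            continue
        m = _END.match(line)
        if m:
            if label is None or m.group(1) != label:
                raise ValueError("END %s without matching BEGIN" % m.group(1))
            body.append(line)
            # Validate the base64 payload here, so a truncated file is caught
            # now rather than later by pktool or sshd.
            try:
                base64.b64decode("".join(body[1:-1]), validate=True)
            except binascii.Error as exc:
                raise ValueError("bad base64 in %s block: %s" % (label, exc))
            blocks.append((label, "\n".join(body) + "\n"))
            label, body = None, []
            continue
        if label is not None:
            body.append(line)
    if label is not None:
        raise ValueError("unterminated %s block" % label)
    return blocks


def cook(text):
    """Return only the PEM blocks of text, concatenated (the 'cooked' file of the slides)."""
    return "".join(pem for _, pem in extract_pem_blocks(text))


# Constructed sample in the shape of CA.pl's newcert.pem: text dump, then PEM.
# The base64 below is a made-up payload, not a real certificate.
SAMPLE_NEWCERT = """Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            b3:54:80:88:66:ad:e8:7a
        Issuer: C=DE, ST=Lower Saxony, O=c0t0d0s0.org, CN=ca
        Subject: C=DE, ST=Lower Saxony, O=c0t0d0s0.org, CN=junior
-----BEGIN CERTIFICATE-----
AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8=
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    print(cook(SAMPLE_NEWCERT), end="")
```

Unlike the egrep, which drops every line that starts with a space, an empty line or "Cert", this refuses to produce output from a file whose END marker is missing, so a half-copied newcert.pem fails here instead of inside the PKCS#11 keystore.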
Testing it
root@server:~# svcadm disable ssh
root@server:~# svcadm enable ssh
junior@client:~$ cd .ssh
junior@client:~/.ssh$ printf "superusersecret" >> pinfile
junior@client:~/.ssh$ cat config
Host server-x509
    Hostname server
    TrustedAnchorKeystore /etc/ssh/cert
    KMFPolicyDatabase /etc/ssh/policy.xml
    KMFPolicyName ssh
    IdentityFile pkcs11:object=user;token=Sun Software PKCS#11 softtoken;pinfile=/export/home/junior/.ssh/pinfile
junior@client:~/.ssh$ ssh junior@server-x509
Last login: Thu Sep 26 20:07:14 2013 from client
Oracle Corporation      SunOS 5.11      11.1    September 2013
junior@server:~$
Find more information regarding this feature at http://www.c0t0d0s0.org/archives/7659-Using-X509-support-for-SSH-on-Solaris-111.html
OpenSCAP
"The Security Content Automation Protocol (SCAP) is a method for using specific standards to enable automated vulnerability management, measurement, and policy compliance evaluation (e.g., FISMA compliance). The National Vulnerability Database (NVD) is the U.S. government content repository for SCAP."
http://en.wikipedia.org/wiki/Security_Content_Automation_Protocol
ftp-banner.xml:
<?xml version="1.0" encoding="UTF-8"?>
<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:independent-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd">
  <generator>
    <oval:product_name>Enhanced SCAP Editor</oval:product_name>
    <oval:product_version>0.0.11</oval:product_version>
    <oval:schema_version>5.8</oval:schema_version>
    <oval:timestamp>2012-10-11T10:33:25</oval:timestamp>
  </generator>
  <!--generated.oval.base.identifier=com.oracle.solaris11-->
  <definitions>
    <definition id="oval:com.oracle.solaris11:def:840" version="1" class="compliance">
      <metadata>
        <title>Enable a Warning Banner for the FTP Service</title>
        <affected family="unix">
          <platform>Oracle Solaris 11</platform>
        </affected>
        <description>/etc/proftpd.conf contains DisplayConnect /etc/issue</description>
      </metadata>
      <criteria operator="AND" negate="false" comment="Single test">
        <criterion comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;" test_ref="oval:com.oracle.solaris11:tst:8400" negate="false"/>
      </criteria>
    </definition>
  </definitions>
  <tests>
    <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:com.oracle.solaris11:tst:8400" version="1" check="all" comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;" check_existence="all_exist">
      <object object_ref="oval:com.oracle.solaris11:obj:8400"/>
    </textfilecontent54_test>
  </tests>
  <objects>
    <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:com.oracle.solaris11:obj:8400" version="1" comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;">
      <path datatype="string" operation="equals">/etc</path>
      <filename datatype="string" operation="equals">proftpd.conf</filename>
      <pattern datatype="string" operation="pattern match">^DisplayConnect\s/etc/issue\s*$</pattern>
      <instance datatype="int" operation="greater than or equal">1</instance>
    </textfilecontent54_object>
  </objects>
</oval_definitions>
The object that does the actual work: which file to open and which regular expression must match at least once.
<textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:com.oracle.solaris11:obj:8400" version="1" comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;">
  <path datatype="string" operation="equals">/etc</path>
  <filename datatype="string" operation="equals">proftpd.conf</filename>
  <pattern datatype="string" operation="pattern match">^DisplayConnect\s/etc/issue\s*$</pattern>
  <instance datatype="int" operation="greater than or equal">1</instance>
</textfilecontent54_object>
$ oscap oval eval ftp-banner.xml
Definition oval:com.oracle.solaris11:def:840: false
Evaluation done.

$ oscap oval eval --results results.xml --report report.html ftp-banner.xml
Definition oval:com.oracle.solaris11:def:840: false
Evaluation done.
OVAL Results are exported correctly.
To create your own OVAL files: Enhanced SCAP Content Editor
Find more information regarding this feature at https://blogs.oracle.com/darren/entry/compliance_reporting_with_scap
root@client:/etc/security# cat /etc/default/passwd | grep -v "^# " | egrep -v '^$|^$ident'
#ident "%Z%%M% %I% %E% SMI"
MAXWEEKS=
MINWEEKS=
PASSLENGTH=6
NAMECHECK=NO
HISTORY=0
MINDIFF=3
MINALPHA=2
MINNONALPHA=1
MINUPPER=0
MINLOWER=0
MAXREPEATS=0
MINSPECIAL=0
MINDIGIT=0
WHITESPACE=YES
DICTIONLIST=
DICTIONDBDIR=/var/passwd
root@client:~# mkpwdict -s /usr/share/lib/dict/words
mkpwdict: using default database location: /var/passwd.
or
root@client:~# mkpwdict -s /usr/share/lib/dict/words -d /var/passwd
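The parameters in /etc/default/passwd are only enforced at password change time, which makes it easy to forget what they actually require. The following added example (not code from the slides, nor Solaris' pam_authtok_check) parses the file as shown above and checks candidate passwords against it; the MINDIFF rule and the dictionary lookup are this example's own simplifications (a plain in-memory word list replaces the mkpwdict database), and the policy text is a constructed copy of the slide.

```python
"""Check a candidate password against /etc/default/passwd settings.

Added example, not from the slides or from Solaris. Keyword semantics follow
passwd(4) as far as they are used here; MINDIFF and the dictionary check are
simplified (see the comments).
"""

# Constructed copy of the uncommented lines shown on the slide.
DEFAULT_PASSWD = """\
#ident "%Z%%M% %I% %E% SMI"
# comment lines like this one are skipped
MAXWEEKS=
MINWEEKS=
PASSLENGTH=6
NAMECHECK=NO
HISTORY=0
MINDIFF=3
MINALPHA=2
MINNONALPHA=1
MINUPPER=0
MINLOWER=0
MAXREPEATS=0
MINSPECIAL=0
MINDIGIT=0
WHITESPACE=YES
DICTIONLIST=
DICTIONDBDIR=/var/passwd
"""


def parse_policy(text):
    """Return {KEY: value-string} for the uncommented KEY=value lines."""
    policy = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        policy[key.strip()] = value.strip()
    return policy


def _int(policy, key, default=0):
    value = policy.get(key, "")
    return int(value) if value else default


def _longest_run(s):
    best = run = 0
    for i, c in enumerate(s):
        run = run + 1 if i and s[i - 1] == c else 1
        best = max(best, run)
    return best


def check_password(new, policy, old=None, username=None, dictionary=()):
    """Return the list of violated rules; an empty list means the password passes."""
    problems = []
    alpha = sum(c.isalpha() for c in new)
    digits = sum(c.isdigit() for c in new)
    upper = sum(c.isupper() for c in new)
    lower = sum(c.islower() for c in new)
    space = sum(c.isspace() for c in new)
    special = len(new) - alpha - digits - space

    if len(new) < _int(policy, "PASSLENGTH", 6):
        problems.append("PASSLENGTH")
    if alpha < _int(policy, "MINALPHA"):
        problems.append("MINALPHA")
    if upper < _int(policy, "MINUPPER"):
        problems.append("MINUPPER")
    if lower < _int(policy, "MINLOWER"):
        problems.append("MINLOWER")
    # MINDIGIT/MINSPECIAL take precedence; MINNONALPHA applies only when both are 0.
    min_digit, min_special = _int(policy, "MINDIGIT"), _int(policy, "MINSPECIAL")
    if min_digit or min_special:
        if digits < min_digit:
            problems.append("MINDIGIT")
        if special < min_special:
            problems.append("MINSPECIAL")
    elif digits + special < _int(policy, "MINNONALPHA"):
        problems.append("MINNONALPHA")
    max_repeats = _int(policy, "MAXREPEATS")  # 0 disables the check
    if max_repeats and _longest_run(new) > max_repeats:
        problems.append("MAXREPEATS")
    if policy.get("WHITESPACE", "YES").upper() != "YES" and space:
        problems.append("WHITESPACE")
    if policy.get("NAMECHECK", "NO").upper() == "YES" and username and username.lower() in new.lower():
        problems.append("NAMECHECK")
    # Simplification: MINDIFF counted as characters of the new password absent from the old one.
    if old is not None and len(set(new) - set(old)) < _int(policy, "MINDIFF"):
        problems.append("MINDIFF")
    # Simplification: the word list is passed in instead of being read from DICTIONDBDIR.
    if new.lower() in {w.lower() for w in dictionary}:
        problems.append("DICTIONARY")
    return problems
```

With the slide's settings, "Tr0ub4dor" passes while "abcdefgh" fails on MINNONALPHA alone, which shows how little a policy with MINSPECIAL=0 and MINDIGIT=0 actually demands.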
Address Space Layout Randomization
root@solaris:~# sxadm exec -s aslr=disable /usr/bin/pmap self
1914:   /usr/bin/pmap self
1914:   /usr/bin/pmap self
0000000000400000         28K r-x--  /usr/bin/pmap
0000000000417000          4K rw---  /usr/bin/pmap
0000000000418000         40K rw---    [ heap ]
FFFF80FFBDDD0000        216K r-x--  /lib/amd64/libproc.so.1
FFFF80FFBDE16000          8K rw---  /lib/amd64/libproc.so.1
FFFF80FFBF430000       1764K r-x--  /lib/amd64/libc.so.1
FFFF80FFBF5F9000         64K rw---  /lib/amd64/libc.so.1
FFFF80FFBF609000         12K rw---  /lib/amd64/libc.so.1
FFFF80FFBF740000          4K rw---    [ anon ]
FFFF80FFBF750000         24K rwx--    [ anon ]
FFFF80FFBF760000          4K rw---    [ anon ]
FFFF80FFBF770000          4K rw---    [ anon ]
FFFF80FFBF780000          4K rw---    [ anon ]
FFFF80FFBF790000          4K rw---    [ anon ]
FFFF80FFBF792000          4K r--s-    [ anon ]
FFFF80FFBF795000        340K r-x--  /lib/amd64/ld.so.1
FFFF80FFBF7FA000         12K rwx--  /lib/amd64/ld.so.1
FFFF80FFBF7FD000          8K rwx--  /lib/amd64/ld.so.1
FFFF80FFBFFFD000         12K rw---    [ stack ]
         total         2556K

root@solaris:~# sxadm exec -s aslr=disable /usr/bin/pmap self
1915:   /usr/bin/pmap self
1915:   /usr/bin/pmap self
0000000000400000         28K r-x--  /usr/bin/pmap
0000000000417000          4K rw---  /usr/bin/pmap
0000000000418000         40K rw---    [ heap ]
FFFF80FFBDDD0000        216K r-x--  /lib/amd64/libproc.so.1
FFFF80FFBDE16000          8K rw---  /lib/amd64/libproc.so.1
FFFF80FFBF430000       1764K r-x--  /lib/amd64/libc.so.1
FFFF80FFBF5F9000         64K rw---  /lib/amd64/libc.so.1
FFFF80FFBF609000         12K rw---  /lib/amd64/libc.so.1
FFFF80FFBF740000          4K rw---    [ anon ]
FFFF80FFBF750000         24K rwx--    [ anon ]
FFFF80FFBF760000          4K rw---    [ anon ]
FFFF80FFBF770000          4K rw---    [ anon ]
FFFF80FFBF780000          4K rw---    [ anon ]
FFFF80FFBF790000          4K rw---    [ anon ]
FFFF80FFBF792000          4K r--s-    [ anon ]
FFFF80FFBF795000        340K r-x--  /lib/amd64/ld.so.1
FFFF80FFBF7FA000         12K rwx--  /lib/amd64/ld.so.1
FFFF80FFBF7FD000          8K rwx--  /lib/amd64/ld.so.1
FFFF80FFBFFFD000         12K rw---    [ stack ]
         total         2556K
root@solaris:~# sxadm exec -s aslr=enable /usr/bin/pmap self
1917:   /usr/bin/pmap self
1917:   /usr/bin/pmap self
0000000000400000         28K r-x--  /usr/bin/pmap
0000000000417000          4K rw---  /usr/bin/pmap
0000000000418000          8K rw---  /usr/bin/pmap
00000005D6666000         36K rw---    [ heap ]
00007FF669C70000        216K r-x--  /lib/amd64/libproc.so.1
00007FF669CB6000          8K rw---  /lib/amd64/libproc.so.1
00007FF669CC0000          4K rw---    [ anon ]
00007FF669CD0000         24K rwx--    [ anon ]
00007FF669CE0000          4K rw---    [ anon ]
00007FF669CF0000       1764K r-x--  /lib/amd64/libc.so.1
00007FF669EB9000         64K rw---  /lib/amd64/libc.so.1
00007FF669EC9000         12K rw---  /lib/amd64/libc.so.1
00007FF669ED0000          4K rw---    [ anon ]
00007FF669EE0000          4K rw---    [ anon ]
00007FF669EF0000          4K rw---    [ anon ]
00007FF669EF2000          4K r--s-    [ anon ]
00007FF669EFC000        340K r-x--  /lib/amd64/ld.so.1
00007FF669F61000         12K rwx--  /lib/amd64/ld.so.1
00007FF669F64000          8K rwx--  /lib/amd64/ld.so.1
FFFF80DDA254F000         16K rw---    [ stack ]
         total         2564K

root@solaris:~# sxadm exec -s aslr=enable /usr/bin/pmap self
1918:   /usr/bin/pmap self
1918:   /usr/bin/pmap self
0000000000400000         28K r-x--  /usr/bin/pmap
0000000000417000          4K rw---  /usr/bin/pmap
0000000000418000          8K rw---  /usr/bin/pmap
000000065B76D000         36K rw---    [ heap ]
00007FFAACFC0000        216K r-x--  /lib/amd64/libproc.so.1
00007FFAAD006000          8K rw---  /lib/amd64/libproc.so.1
00007FFAAD010000          4K rw---    [ anon ]
00007FFAAD020000         24K rwx--    [ anon ]
00007FFAAD030000          4K rw---    [ anon ]
00007FFAAD040000       1764K r-x--  /lib/amd64/libc.so.1
00007FFAAD209000         64K rw---  /lib/amd64/libc.so.1
00007FFAAD219000         12K rw---  /lib/amd64/libc.so.1
00007FFAAD220000          4K rw---    [ anon ]
00007FFAAD230000          4K rw---    [ anon ]
00007FFAAD240000          4K rw---    [ anon ]
00007FFAAD242000          4K r--s-    [ anon ]
00007FFAAD24D000        340K r-x--  /lib/amd64/ld.so.1
00007FFAAD2B2000         12K rwx--  /lib/amd64/ld.so.1
00007FFAAD2B5000          8K rwx--  /lib/amd64/ld.so.1
FFFF80DE1559E000         12K rw---    [ stack ]
root@solaris:~# sxadm info
EXTENSION           STATUS                    CONFIGURATION
aslr                enabled (tagged-files)    system default (default)
root@solaris:~# elfdump -d /usr/bin/pmap | grep ASLR
      [33]  SUNW_ASLR         0x2            ENABLE
root@solaris:~# elfedit -e 'dyn:sunw_aslr disable' /usr/bin/pmap
root@solaris:~# elfdump -d /usr/bin/pmap | grep ASLR
      [33]  SUNW_ASLR         0x1            DISABLE
root@solaris:~# sxadm enable -c model=all aslr
root@solaris:~# sxadm info
EXTENSION           STATUS                    CONFIGURATION
aslr                enabled (all)             enabled (all)

root@solaris:~# sxadm disable aslr
root@solaris:~# sxadm info
EXTENSION           STATUS                    CONFIGURATION
aslr                disabled                  disabled

root@solaris:~# sxadm enable -c model=tagged-files aslr
root@solaris:~# sxadm info
EXTENSION           STATUS                    CONFIGURATION
aslr                enabled (tagged-files)    enabled (tagged-files)
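The four pmap listings above make the point visually; the following added example (not code from the slides or from sxadm) makes it checkable. It parses the pmap output format and reports, per mapped object, whether its lowest base address changed between two runs, which is a quick way to verify on a live system that ASLR is actually in effect for a given binary. The sample listings are shortened copies of the slide output, with the same addresses for pids 1914/1915 (aslr=disable) and 1917/1918 (aslr=enable); the anon mappings were dropped for brevity.

```python
"""Compare two pmap(1) listings of the same program and report which objects moved.

Added example, not from the slides or from Solaris. Two runs with identical
bases mean no randomisation; heap, stack and every library at new addresses
mean ASLR took effect. Note that /usr/bin/pmap itself stays at 0x400000 in
every run on the slides: a fixed-address (non-PIE) executable is not moved.
"""
import re

_MAP_LINE = re.compile(r"^([0-9A-Fa-f]{8,16})\s+(\d+)K\s+(\S{5})\s+(.+?)\s*$")

# Constructed from the slide values (anon mappings omitted).
DISABLE_1914 = """\
1914:   /usr/bin/pmap self
0000000000400000         28K r-x--  /usr/bin/pmap
0000000000417000          4K rw---  /usr/bin/pmap
0000000000418000         40K rw---    [ heap ]
FFFF80FFBDDD0000        216K r-x--  /lib/amd64/libproc.so.1
FFFF80FFBF430000       1764K r-x--  /lib/amd64/libc.so.1
FFFF80FFBF795000        340K r-x--  /lib/amd64/ld.so.1
FFFF80FFBFFFD000         12K rw---    [ stack ]
         total         2556K
"""
DISABLE_1915 = DISABLE_1914.replace("1914:", "1915:")  # same addresses on the slide

ENABLE_1917 = """\
1917:   /usr/bin/pmap self
0000000000400000         28K r-x--  /usr/bin/pmap
0000000000417000          4K rw---  /usr/bin/pmap
00000005D6666000         36K rw---    [ heap ]
00007FF669C70000        216K r-x--  /lib/amd64/libproc.so.1
00007FF669CF0000       1764K r-x--  /lib/amd64/libc.so.1
00007FF669EFC000        340K r-x--  /lib/amd64/ld.so.1
FFFF80DDA254F000         16K rw---    [ stack ]
         total         2564K
"""
ENABLE_1918 = """\
1918:   /usr/bin/pmap self
0000000000400000         28K r-x--  /usr/bin/pmap
0000000000417000          4K rw---  /usr/bin/pmap
000000065B76D000         36K rw---    [ heap ]
00007FFAACFC0000        216K r-x--  /lib/amd64/libproc.so.1
00007FFAAD040000       1764K r-x--  /lib/amd64/libc.so.1
00007FFAAD24D000        340K r-x--  /lib/amd64/ld.so.1
FFFF80DE1559E000         12K rw---    [ stack ]
"""


def parse_pmap(text):
    """Return {object name: lowest base address} from a pmap listing."""
    bases = {}
    for line in text.splitlines():
        m = _MAP_LINE.match(line.strip())
        if not m:
            continue  # pid header, 'total' line, blank line
        addr, name = int(m.group(1), 16), m.group(4)
        bases[name] = min(addr, bases.get(name, addr))
    return bases


def moved_objects(run_a, run_b):
    """Names whose base address differs between two runs of the same program."""
    a, b = parse_pmap(run_a), parse_pmap(run_b)
    if set(a) != set(b):
        raise ValueError("listings map different objects: %r" % sorted(set(a) ^ set(b)))
    return {name for name in a if a[name] != b[name]}


def aslr_effective(run_a, run_b):
    """True when heap, stack and every shared library landed at different addresses."""
    moved = moved_objects(run_a, run_b)
    libraries = {name for name in parse_pmap(run_a) if name.endswith(".so.1")}
    return {"[ heap ]", "[ stack ]"} <= moved and libraries <= moved


if __name__ == "__main__":
    print("aslr=disable:", sorted(moved_objects(DISABLE_1914, DISABLE_1915)) or "nothing moved")
    print("aslr=enable: ", sorted(moved_objects(ENABLE_1917, ENABLE_1918)))
```

Run the real thing twice through sxadm exec and feed both outputs to moved_objects; an empty result for a binary you expect to be tagged is the signal that its SUNW_ASLR flag was disabled, as the elfedit slide shows.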
pfedit
root@template:/etc/apache2/2.2# profiles -p "httpd edit"
profiles:httpd edit> set auths=solaris.admin.edit/etc/apache2/2.2/httpd.conf
profiles:httpd edit> set desc="Edit httpd"
profiles:httpd edit> exit
root@template:/etc/apache2/2.2# usermod -P +"httpd edit" junior
junior@template:~$ profiles
httpd edit
Basic Solaris User
All
junior@template:~$ vi /etc/apache2/2.2/httpd.conf
junior@template:~$ pfedit /etc/apache2/2.2/httpd.conf
pfedit: /etc/apache2/2.2/httpd.conf has been updated.
junior@template:~$ pfedit /etc/apache2/2.2/mime.types
pfedit: User junior is not authorized to edit the file /etc/apache2/2.2/mime.types.
root@template:/etc/apache2/2.2# profiles -p "httpd edit"
profiles:httpd edit> info
        name=httpd edit
        desc=Edit httpd
        auths=solaris.admin.edit/etc/apache2/2.2/httpd.conf
profiles:httpd edit> add auths=solaris.admin.edit/etc/apache2/2.2/mime.types
junior@template:~$ pfedit /etc/apache2/2.2/mime.types
pfedit: no changes for /etc/apache2/2.2/mime.types
# profiles -p "httpd configure"
profiles:httpd configure> add always_audit=as
profiles:httpd configure> info
        name=httpd configure
        desc=Configure httpd
        auths=solaris.admin.edit/etc/apache2/2.2/httpd.conf,solaris.admin.edit/etc/apache2/2.2/mime.types
        always_audit=as
        never_audit=no
profiles:httpd configure> exit
root@template:~#
root@template:~# auditreduce -c as | praudit
[...]
header,4862,2,edit administrative file,,fe80::a00:27ff:fea6:33cb,2013-08-12 07:45:52.306 +00:00
subject,junior,junior,staff,junior,staff,4212447467166369 136704 MacBook-Pro-of-c0t0d0s0.fritz.box
path,/etc/apache2/2.2/httpd.conf
use of authorization,solaris.admin.edit/etc/apache2/2.2/httpd.conf
text,--- /etc/apache2/2.2/httpd.conf Mo Aug 12 07:45:00 2013
+++ /etc/apache2/2.2/httpd.conf.pfedit.1BaGoi Mo Aug 12 07:45:52 2013
@@ -1,5 +1,6 @@
 # Test
 # Test 2
+# Test 3
 #
 # This is the main Apache HTTP server configuration file. It contains the
 # configuration directives that give the server its instructions.
return,success,0
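The praudit record above is what a SIEM or a cron job would consume to answer "who changed which administrative file under which authorization, and did it succeed". Here is an added example (not code from the slides or from Solaris' auditreduce/praudit) that parses praudit's default token-per-line, comma-separated output into records and pulls those fields out of an "edit administrative file" event. The record is a constructed copy of the slide, with the diff text shortened and the pid/session fields of the subject token split into separate values by assumption.

```python
"""Parse praudit(1M) default output into records and summarise file-edit events.

Added example, not from the slides or from Solaris. Token types not listed in
TOKEN_TYPES are treated as continuation lines of a preceding 'text' token,
which is how the diff that pfedit records spans several lines.
"""

TOKEN_TYPES = ("header", "subject", "path", "use of authorization", "text",
               "return", "attribute", "exec_args", "zone", "trailer")

# Constructed from the slide's record; pid and session id split by assumption.
SAMPLE_RECORD = """\
header,4862,2,edit administrative file,,fe80::a00:27ff:fea6:33cb,2013-08-12 07:45:52.306 +00:00
subject,junior,junior,staff,junior,staff,4212,4474671663,69 136704 MacBook-Pro-of-c0t0d0s0.fritz.box
path,/etc/apache2/2.2/httpd.conf
use of authorization,solaris.admin.edit/etc/apache2/2.2/httpd.conf
text,--- /etc/apache2/2.2/httpd.conf
+++ /etc/apache2/2.2/httpd.conf.pfedit.1BaGoi
@@ -1,5 +1,6 @@
+# Test 3
return,success,0
"""


def parse_praudit(text):
    """Return a list of records; each is {token type: [field lists]}.

    A record starts at every 'header' token. Multi-line text tokens are
    joined back into the last field of the text token they belong to.
    """
    records, current, last = [], None, None
    for line in text.splitlines():
        token = line.split(",", 1)[0]
        if token in TOKEN_TYPES:
            if token == "header":
                current = {}
                records.append(current)
            if current is None:
                raise ValueError("token before first header: %r" % line)
            current.setdefault(token, []).append(line.split(",")[1:])
            last = token
        elif current is not None and last == "text":
            current["text"][-1][-1] += "\n" + line
        else:
            raise ValueError("unexpected line: %r" % line)
    return records


def summarize_edit(record):
    """Return (audit user, file, authorization, outcome) for an 'edit administrative file' record, else None."""
    header = record["header"][0]
    if header[2] != "edit administrative file":
        return None
    user = record["subject"][0][0]            # audit user ID, survives su/pfexec
    path = record["path"][0][0]
    auth = record["use of authorization"][0][0]
    outcome = record["return"][0][0]
    return (user, path, auth, outcome)


def edits_by_user(text):
    """Group successful administrative-file edits by audit user."""
    result = {}
    for record in parse_praudit(text):
        summary = summarize_edit(record)
        if summary and summary[3] == "success":
            result.setdefault(summary[0], []).append(summary[1])
    return result


if __name__ == "__main__":
    for record in parse_praudit(SAMPLE_RECORD):
        print(summarize_edit(record))
```

Because pfedit stores the diff in the text token, the same parser also gives you the actual change, which is what makes this class of event far more useful for review than a bare "file modified" notification.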
Delegating the privilege to restart services (so you can keep the root password to yourself)
junior@template:~$ svcadm refresh apache22
svcadm: svc:/network/http:apache22: Permission denied.
# svcs -a | grep apache22
online         15:30:29 svc:/network/http:apache22
# auths add -t "Apache22 value" solaris.smf.value.http.apache22
# auths add -t "Apache22 action" solaris.smf.action.http.apache22
# svccfg -s apache22 setprop general/value_authorization = astring: solaris.smf.value.http.apache22
# svccfg -s apache22 setprop general/action_authorization = astring: solaris.smf.action.http.apache22
# profiles -p "httpd edit" 'add auths=solaris.smf.action.http.apache22'
junior@template:~$ svcadm refresh apache22
junior@template:~$
Privileges
$ ls -l /usr/sbin/traceroute
-r-sr-xr-x   1 root     bin        42324 Nov 21 00:09 /usr/sbin/traceroute
$ ls -l /usr/sbin/ping
-r-sr-xr-x   1 root     bin        51396 Nov 18 19:31 /usr/sbin/ping
Set-uid to root: ping needs it to work.
# chmod -s /sbin/ping
# exit
$ ping -s 1921681132
ping: socket Permission denied
Remove the set-uid bit and ping stops working.
jmoekamp@daddelkiste:~$ ppriv $$
2153:   -bash
flags = <none>
        E: basic
        I: basic
        P: basic
        L: all
The complete set of privileges:
contract_event, contract_identity, contract_observer, cpc_cpu, dtrace_kernel, dtrace_proc, dtrace_user, file_chown, file_chown_self, file_dac_execute, file_dac_read, file_dac_search, file_dac_write, file_downgrade_sl, file_flag_set, file_link_any, file_owner, file_read, file_setid, file_upgrade_sl, file_write, graphics_access, graphics_map, ipc_dac_read, ipc_dac_write, ipc_owner, net_access, net_bindmlp, net_icmpaccess, net_mac_aware, net_mac_implicit, net_observability, net_privaddr, net_rawaccess, proc_audit, proc_chroot, proc_clock_highres, proc_exec, proc_fork, proc_info, proc_lock_memory, proc_owner, proc_priocntl, proc_session, proc_setid, proc_taskid, proc_zone, sys_acct, sys_admin, sys_audit, sys_config, sys_devices, sys_dl_config, sys_flow_config, sys_ib_config, sys_ib_info, sys_ip_config, sys_ipc_config, sys_iptun_config, sys_linkdir, sys_mount, sys_net_config, sys_nfs, sys_ppp_config, sys_res_bind, sys_res_config, sys_resource, sys_share, sys_smb, sys_suser_compat, sys_time, sys_trans_label, win_colormap, win_config, win_dac_read, win_dac_write, win_devices, win_dga, win_downgrade_sl, win_fontpath, win_mac_read, win_mac_write, win_selection, win_upgrade_sl

All privileges in their entirety assigned to one user are
(almost)
Neat extension in Solaris 11: the ability to use networking is now a privilege (net_access). It's part of the default basic set of privileges, but you can remove it.
jmoekamp@daddelkiste:~$ ppriv -v $$
2153:   -bash
flags = <none>
        E: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
        I: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
        P: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
        L: contract_event,contract_identity,contract_observer,cpc_cpu,dtrace_kernel,dtrace_proc,dtrace_user,file_chown,file_chown_self,file_dac_execute,file_dac_read,file_dac_search,file_dac_write,file_downgrade_sl,file_flag_set,file_link_any,file_owner,file_read,file_setid,file_upgrade_sl,file_write,graphics_access,graphics_map,ipc_dac_read,ipc_dac_write,ipc_owner,net_access,net_bindmlp,net_icmpaccess,net_mac_aware,net_mac_implicit,net_observability,net_privaddr,net_rawaccess,proc_audit,proc_chroot,proc_clock_highres,proc_exec,proc_fork,proc_info,proc_lock_memory,proc_owner,proc_priocntl,proc_session,proc_setid,proc_taskid,proc_zone,sys_acct,sys_admin,sys_audit,sys_config,sys_devices,sys_dl_config,sys_flow_config,sys_ib_config,sys_ib_info,sys_ip_config,sys_ipc_config,sys_iptun_config,sys_linkdir,sys_mount,sys_net_config,sys_nfs,sys_ppp_config,sys_res_bind,sys_res_config,sys_resource,sys_share,sys_smb,sys_suser_compat,sys_time,sys_trans_label,win_colormap,win_config,win_dac_read,win_dac_write,win_devices,win_dga,win_downgrade_sl,win_fontpath,win_mac_read,win_mac_write,win_selection,win_upgrade_sl
root@daddelkiste:~# ppriv $$
2183:   -bash
flags = <none>
        E: all
        I: basic
        P: all
        L: all
junior@daddelkiste:~$ dtrace -n 'syscall:::entry { @num[execname] = count(); }'
dtrace: failed to initialize dtrace: DTrace requires additional privileges
root@daddelkiste:~# usermod -K defaultpriv=basic,dtrace_kernel,dtrace_proc,dtrace_user junior
UX: usermod: junior is currently logged in, some changes may not take effect until next login.
junior@daddelkiste:~$ dtrace -n 'syscall:::entry { @num[execname] = count(); }'
dtrace: description 'syscall:::entry ' matched 211 probes
^C

  automountd                                                        1
  sshd                                                             24
  dtrace                                                          544
  auditd                                                          564
# ps -ef | grep kcfd
  daemon   125     1   0 14:24:19 ?           0:00 /usr/lib/crypto/kcfd
    root   734   728   0 15:54:08 pts/1       0:00 grep kcfd
# ppriv -v 125
125:    /usr/lib/crypto/kcfd
flags = PRIV_AWARE
        E: file_owner,proc_priocntl,sys_devices
        I: none
        P: file_owner,proc_priocntl,sys_devices
        L: none
# svcadm -v enable -s apache2
svc:/network/http:apache2 enabled.
jmoekamp@client:~$ ps -ef | grep http
webservd  1978  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1979  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1980  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1984  1975   0 12:20:02 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
    root  1975     1   0 12:19:14 ?           0:01 /usr/apache2/2.2/bin/httpd -k start
webservd  1977  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1976  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
root@client:~# ppriv 1977
1977:   /usr/apache2/2.2/bin/httpd -k start
flags = <none>
        E: basic
        I: basic
        P: basic
        L: all
root@client:~# ppriv 1975
1975:   /usr/apache2/2.2/bin/httpd -k start
flags = <none>
        E: all
        I: basic
        P: all
        L: all
root@client:~#
The Apache parent process running as root has the following privileges: all of them.
The other (webservd) processes have the following privileges: the basic set.
Apache really needs:
So you grant a large number of privileges to one process that Apache doesn't need.
# svcadm -v disable -s apache2
svc:/network/http:apache2 disabled.
root@client:~# svccfg -s apache22
svc:/network/http:apache22> setprop start/user = astring: webservd
svc:/network/http:apache22> setprop start/group = astring: webservd
svc:/network/http:apache22> setprop start/privileges = astring: basic,!proc_session,!proc_info,!file_link_any,net_privaddr
svc:/network/http:apache22> setprop start/limit_privileges = astring: :default
svc:/network/http:apache22> setprop start/use_profile = boolean: false
svc:/network/http:apache22> setprop start/supp_groups = astring: :default
svc:/network/http:apache22> setprop start/working_directory = astring: :default
svc:/network/http:apache22> setprop start/project = astring: :default
svc:/network/http:apache22> setprop start/resource_pool = astring: :default
svc:/network/http:apache22> end
root@client:~# svcadm -v refresh apache22
Action refresh set for svc:/network/http:apache22.
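Both the usermod -K defaultpriv=basic,dtrace_kernel,... line for junior and the start/privileges value for Apache above are privilege specifications: a comma-separated list of names and the keywords basic, all and none, where a leading "!" removes a privilege. The following added example (not code from the slides or from Solaris' priv_str_to_set(3C)) expands such a string into the resulting set, so you can see exactly what a service or user will end up with before committing it. The basic set is taken from the ppriv -v output on the earlier slide, and ALL_PRIVS from the full list shown there.

```python
"""Expand a Solaris privilege specification string into the resulting set.

Added example, not from the slides or from Solaris. Grammar handled: a
comma-separated list of privilege names, the keywords basic/all/none, and a
leading '!' that removes a privilege or set. Tokens are applied left to right.
"""

# Basic set as shown by 'ppriv -v $$' on the slides.
BASIC = {
    "file_link_any", "file_read", "file_write", "net_access",
    "proc_exec", "proc_fork", "proc_info", "proc_session", "sys_ib_info",
}

# Full privilege list from the slides.
ALL_PRIVS = set("""
contract_event contract_identity contract_observer cpc_cpu dtrace_kernel
dtrace_proc dtrace_user file_chown file_chown_self file_dac_execute
file_dac_read file_dac_search file_dac_write file_downgrade_sl file_flag_set
file_link_any file_owner file_read file_setid file_upgrade_sl file_write
graphics_access graphics_map ipc_dac_read ipc_dac_write ipc_owner net_access
net_bindmlp net_icmpaccess net_mac_aware net_mac_implicit net_observability
net_privaddr net_rawaccess proc_audit proc_chroot proc_clock_highres proc_exec
proc_fork proc_info proc_lock_memory proc_owner proc_priocntl proc_session
proc_setid proc_taskid proc_zone sys_acct sys_admin sys_audit sys_config
sys_devices sys_dl_config sys_flow_config sys_ib_config sys_ib_info
sys_ip_config sys_ipc_config sys_iptun_config sys_linkdir sys_mount
sys_net_config sys_nfs sys_ppp_config sys_res_bind sys_res_config sys_resource
sys_share sys_smb sys_suser_compat sys_time sys_trans_label win_colormap
win_config win_dac_read win_dac_write win_devices win_dga win_downgrade_sl
win_fontpath win_mac_read win_mac_write win_selection win_upgrade_sl
""".split())


def expand_privspec(spec):
    """Return the privilege set described by spec; unknown names raise ValueError."""
    privs = set()
    for token in (t.strip() for t in spec.split(",") if t.strip()):
        remove = token.startswith("!")
        name = token[1:] if remove else token
        if name == "all":
            members = ALL_PRIVS
        elif name == "basic":
            members = BASIC
        elif name == "none":
            members = set()
        elif name in ALL_PRIVS:
            members = {name}
        else:
            raise ValueError("unknown privilege: %s" % name)
        if remove:
            privs -= members
        else:
            privs |= members
    return privs


def beyond_basic(spec):
    """Privileges a plain user shell does not have: what the grant really adds."""
    return expand_privspec(spec) - BASIC


def dropped_from_basic(spec):
    """Basic privileges the specification takes away."""
    return BASIC - expand_privspec(spec)


if __name__ == "__main__":
    apache = "basic,!proc_session,!proc_info,!file_link_any,net_privaddr"
    print("apache gets   :", sorted(expand_privspec(apache)))
    print("added to basic:", sorted(beyond_basic(apache)))
    print("taken away    :", sorted(dropped_from_basic(apache)))
```

For the Apache method the answer is a seven-privilege set whose only addition over a user shell is net_privaddr (binding port 80 as webservd), which is the whole point of the exercise compared with the parent process that previously ran with E: all.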
# echo "LockFile /var/apache2/2.2/logs/accept.lock" >> /etc/apache2/2.2/httpd.conf
# echo "PidFile /var/apache2/2.2/run/httpd.pid" >> /etc/apache2/2.2/httpd.conf
# mkdir -p -m 755 /var/apache2/2.2/run
# chown webservd:webservd /var/apache2/2.2/run
# svcadm enable apache22
webservd  3064  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3062  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3063  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3066  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3061     1   0 16:49:17 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3065  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
Read-only zone root
zonecfg:testzone> set file-mac-profile=none
    Standard read-write non-global zone, with no additional protection beyond the existing zone boundaries.
zonecfg:testzone> set file-mac-profile=strict
    Read-only file system, no exceptions.
zonecfg:testzone> set file-mac-profile=fixed-configuration
    Permits updates to /var/* directories, with the exception of directories that contain system configuration components.
zonecfg:testzone> set file-mac-profile=flexible-configuration
    Permits modification of files in /etc/* directories, changes to root's home directory, and updates to /var/* directories. This configuration provides the closest functionality to the Oracle Solaris 10 native sparse root zone.
in-kernel SSL Proxy
# mkdir /etc/keys
# cd /etc/keys
# openssl req -x509 -nodes -days 365 -subj "/C=DE/ST=Hamburg/L=Hamburg/CN=server" -newkey rsa:1024 -keyout /etc/keys/mykey.pem -out /etc/keys/mycert.pem
# cat mycert.pem mykey.pem > my.pem
# chmod 600 my.pem
# echo "pass" > /etc/keys/mypass
# ksslcfg create -f pem -i /etc/keys/my.pem -x 8080 -p /etc/keys/mypass server 443
# ksslcfg create -f pem -i /etc/keys/my.pem -x 8080 -p /etc/keys/mypass -c rsa_aes_256_cbc_sha,rsa_aes_128_cbc_sha,rsa_rc4_128_sha,rsa_rc4_128_md5 server 443
# svcs -a | grep kssl
online          9:03:33 svc:/network/ssl/proxy:kssl-server-443
# svcadm disable apache22
# echo "Listen 192.168.178.108:8080" >> /etc/apache2/2.2/httpd.conf
# svcadm enable apache22
Port number and IP address have to be defined explicitly in httpd.conf, otherwise it will not work.
# openssl s_client -connect server:443
CONNECTED(00000004)
depth=0 /C=DE/ST=Hamburg/L=Hamburg/CN=server
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=DE/ST=Hamburg/L=Hamburg/CN=server
verify return:1
---
Certificate chain
 0 s:/C=DE/ST=Hamburg/L=Hamburg/CN=server
   i:/C=DE/ST=Hamburg/L=Hamburg/CN=server
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICoTCCAgqgAwIBAgIJAKyJdj[...]V5jX3MU=
-----END CERTIFICATE-----
subject=/C=DE/ST=Hamburg/L=Hamburg/CN=server
issuer=/C=DE/ST=Hamburg/L=Hamburg/CN=server
---
No client certificate CA names sent
---
SSL handshake has read 817 bytes and written 328 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-SHA
    Session-ID: 32CEF20CB9FE2A71C74D40BB2DB5CB304DA1B57540B7CFDD113915B99DBE9812
    Session-ID-ctx:
    Master-Key: 1E7B502390951124779C5763B5E4BBAF0A9B0693D08DCA8A587B503A5C5027B6FAD9CA7626B1AD8C62219E8502A5C21E
    Key-Arg   : None
    Start Time: 1242985143
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
GET / HTTP/1.0

HTTP/1.1 200 OK
Date: Fri, 22 May 2009 09:39:13 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8a DAV/2
Last-Modified: Thu, 21 May 2009 21:26:30 GMT
ETag: "341f3-2c-46a72cc211a8f"
Accept-Ranges: bytes
Content-Length: 44
Connection: close
Content-Type: text/html

<html><body><h1>It works!</h1></body></html>
read:errno=0
ZFS Encryption
# zfs create -o encryption=on rpool/export/project
Two keys are involved:
- the wrapping key (user-settable)
- the data encryption key (random, not user-settable), stored wrapped by the wrapping key
The wrapping key can come from: prompt, file://, https://, pkcs11:
Available algorithms: aes-128-ccm (= on), aes-192-ccm, aes-256-ccm, aes-128-gcm, aes-192-gcm, aes-256-gcm
# zfs set checksum=sha256+mac <dataset>
With encryption enabled this happens automatically: the checksum property is set to sha256+mac and is read-only from then on.
# pktool genkey keystore=pkcs11 keytype=aes keylen=128 label=mykey
Enter PIN for Sun Software PKCS#11 softtoken:
# zfs create -o encryption=on -o keysource=raw,pkcs11:object=mykey tank/project/C
Enter PKCS#11 token PIN for 'tank/project/C':
# zfs create -o encryption=on -o keysource=raw,https://keys.example.com/mykey tank/project/R
# cp myserver.cert.pem /etc/certs/CA
# svcadm refresh ca-certificates
$ zfs key -c rpool/export/project
Enter new passphrase for 'rpool/export/project':
Changing the wrapping key
# zfs key -K tank/project/A
# zfs clone -K tank/project/A@montag tank/project/D
Changing the data encryption key for data written from now on.
zfs clone -K creates a new data encryption key: data written in the clone uses the new key, which is distinct from the one of its original snapshot.
Solaris Cryptographic Framework
As soon as Solaris detects hardware acceleration for cryptography, Solaris will use it (and so will applications using the Oracle-supplied OpenSSL library or the framework's direct interfaces):
- on-chip crypto accelerator in T-series and current M-series chips
- instruction set extensions in Intel processors (AES-NI)
- supported crypto accelerator cards
Just a side note: T-series crypto acceleration and Intel x86 acceleration have quite different performance characteristics.
T-series: acceleration by offloading crypto outside the pipeline.
Intel x86: acceleration by offering special in-pipeline instructions to speed up execution.
Sounds like splitting hairs...
Using ZFS to do two-factor encryption
jmoekamp@solaris:~$ rmformat
Looking for devices...
     1. Logical Node: /dev/rdsk/c10t0d0p0
        Physical Node: /pci@0,0/pci8086,265c@b/storage@2/disk@0,0
        Connected Device: SanDisk  U3 Cruzer Micro  8.02
        Device Type: Removable
        Bus: USB
        Size: 3.8 GB
        Label:
        Access permissions: Medium is not write protected.
     [...]
     3. Logical Node: /dev/rdsk/c9t0d0p0
        Physical Node: /pci@0,0/pci8086,265c@b/storage@1/disk@0,0
        Connected Device: SanDisk  U3 Cruzer Micro  8.02
        Device Type: Removable
        Bus: USB
        Size: 3.8 GB
        Label:
        Access permissions: Medium is not write protected.
rootsolaris zpool create a_keystore_usbstick devdskc10t0d0p0rootsolaris zpool create datastore devdskc9t0d0p0
c0t0d0s0org101
root@solaris:~# zfs create -o encryption=on a_keystore_usbstick/keys
Enter passphrase for 'a_keystore_usbstick/keys': supersecret
Enter again: supersecret
root@solaris:~# pktool genkey keystore=file keytype=aes keylen=128 outkey=/a_keystore_usbstick/keys/joergsdatastick.key
root@solaris:~# zfs create -o encryption=on -o keysource=raw,file:///a_keystore_usbstick/keys/joergsdatastick.key datastick/joergssecrets
root@solaris:/datastick/joergssecrets# mv /home/jmoekamp/highlyconfidential_nda_preso.tgz .
root@solaris:~# zpool export a_keystore_usbstick
root@solaris:~# zpool export datastick
root@solaris:~# zpool import a_keystore_usbstick
Enter passphrase for 'a_keystore_usbstick/keys': supersecret
root@solaris:~# zpool import datastick
root@solaris:~# cd /datastick/joergssecrets
root@solaris:/datastick/joergssecrets# ls
highlyconfidential_nda_preso.tgz
Basic Auditing and Reporting Tool
# mkdir /bart-files
# bart create -R /etc > /bart-files/etc.control.manifest
# cat /bart-files/etc.control.manifest | grep nsswitch.nisplus
/nsswitch.nisplus F 2525 100644 user::rw-,group::r--,mask:r--,other:r-- 473976b5 0 3 79e8fd689a5221d1cd059e5077da71b8
# touch /etc/thisisjustatest
# chmod 777 /etc/nsswitch.files
# echo "just a test" >> /etc/nsswitch.nisplus
# bart create -R /etc > /bart-files/etc.check20130911.manifest
# cd /bart-files
# bart compare etc.control.manifest etc.check20130911.manifest
/nsswitch.files:
  mode  control:100644  test:100777
  acl  control:user::rw-,group::r--,mask:r--,other:r--  test:user::rwx,group::rwx,mask:rwx,other:rwx
/nsswitch.nisplus:
  size  control:2525  test:2538
  mtime  control:473976b5  test:47a44862
  contents  control:79e8fd689a5221d1cd059e5077da71b8  test:3f79176ec352441db11ec8a3d02ef67c
/thisisjustatest:
  add
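The comparison above can be reproduced from the manifest text alone. This is an added example, not code from the slides or from BART itself: it parses two BART-style manifests and reports the same attribute differences, adds and deletes that bart compare prints; the two manifests are constructed from the values on the slide (the nsswitch.files hash and the header lines are made up).

```python
"""Minimal re-implementation of what `bart compare` reports.

Added example (not from the slides): parse two BART-style manifests and list the
attribute differences, added and deleted files in the layout bart compare uses.
Only the fields visible on this page are modelled.
"""

# Attribute order of a BART file entry, as in the manifest line on the slide:
# /path type size mode acl mtime uid gid contents-hash
FIELD_NAMES = ("type", "size", "mode", "acl", "mtime", "uid", "gid", "contents")

# Constructed control manifest: /etc before the changes (hash of nsswitch.files is made up).
CONTROL_MANIFEST = """\
! Version 1.1
! Wednesday, September 11, 2013 (13:24:19)
# Format:
#fname D size mode acl dirmtime uid gid
#fname F size mode acl mtime uid gid contents
/nsswitch.files F 2510 100644 user::rw-,group::r--,mask:r--,other:r-- 473976b5 0 3 0f1e2d3c4b5a69788796a5b4c3d2e1f0
/nsswitch.nisplus F 2525 100644 user::rw-,group::r--,mask:r--,other:r-- 473976b5 0 3 79e8fd689a5221d1cd059e5077da71b8
"""

# Constructed test manifest: after the touch, chmod 777 and echo >> shown above.
TEST_MANIFEST = """\
! Version 1.1
! Wednesday, September 11, 2013 (13:31:02)
/nsswitch.files F 2510 100777 user::rwx,group::rwx,mask:rwx,other:rwx 473976b5 0 3 0f1e2d3c4b5a69788796a5b4c3d2e1f0
/nsswitch.nisplus F 2538 100644 user::rw-,group::r--,mask:r--,other:r-- 47a44862 0 3 3f79176ec352441db11ec8a3d02ef67c
/thisisjustatest F 0 100644 user::rw-,group::r--,mask:r--,other:r-- 52306e2a 0 0 d41d8cd98f00b204e9800998ecf8427e
"""


def parse_manifest(text):
    """Return {path: {attribute: value}}; '!' and '#' lines are header/comments."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "!#":
            continue
        path, *values = line.split()
        # Directory entries carry no contents hash, so zip to whatever is present.
        entries[path] = dict(zip(FIELD_NAMES, values))
    return entries


def compare_manifests(control_text, test_text):
    """Return {path: {attribute: (control_value, test_value)}}.

    An added file is reported as {"add": None} and a vanished one as
    {"delete": None}, mirroring the keywords bart compare prints.
    """
    control = parse_manifest(control_text)
    test = parse_manifest(test_text)
    report = {}
    for path in sorted(set(control) | set(test)):
        if path not in control:
            report[path] = {"add": None}
        elif path not in test:
            report[path] = {"delete": None}
        else:
            diffs = {attr: (control[path][attr], test[path].get(attr))
                     for attr in control[path]
                     if control[path][attr] != test[path].get(attr)}
            if diffs:
                report[path] = diffs
    return report


def format_report(report):
    """Render the comparison in the layout of `bart compare`."""
    lines = []
    for path, diffs in report.items():
        lines.append(f"{path}:")
        for attr, values in diffs.items():
            if values is None:
                lines.append(f"  {attr}")
            else:
                lines.append(f"  {attr}  control:{values[0]}  test:{values[1]}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(compare_manifests(CONTROL_MANIFEST, TEST_MANIFEST)))
```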
Find more information regarding this feature at http://www.c0t0d0s0.org/archives/4069-Less-known-Solaris-features-BART.html
Apropos Auditing
Auditing is activated by default.
root@client:~# auditconfig -getflags
active user default audit flags = lo(0x1000,0x1000)
configured user default audit flags = lo(0x1000,0x1000)
root@client:~# auditconfig -getnaflags
active non-attributable audit flags = lo(0x1000,0x1000)
configured non-attributable audit flags = lo(0x1000,0x1000)
root@client:~# auditconfig -getpolicy
configured audit policies = cnt
active audit policies = cnt
Policy regarding auditing (explanation on the next slide)
root@client:~# auditconfig -lspolicy
policy string   description:
ahlt            halt machine if it can not record an async event
all             all policies
arge            include exec environment args in audit recs
argv            include exec command line args in audit recs
cnt             when no more space, drop recs and keep a cnt
group           include supplementary groups in audit recs
none            no policies
path            allow multiple paths per event
perzone         use a separate queue and auditd per zone
public          audit public files
seq             include a sequence number in audit recs
trail           include trailer token in audit recs
windata_down    include downgraded window information in audit recs
windata_up      include upgraded window information in audit recs
zonename        include zonename token in audit recs
Which degree of detail? What happens with full disks?
root@client:~# auditconfig -getplugin
Plugin: audit_binfile (active)
        Attributes: p_dir=/var/audit;p_fsize=0;p_minfree=1;
Plugin: audit_syslog (inactive)
        Attributes: p_flags=;
Plugin: audit_remote (inactive)
        Attributes: p_hosts=;p_retries=3;p_timeout=5;
root@client:~# auditconfig -setflags lo,ps,fw
user default audit flags = ps,lo,fw(0x101002,0x101002)
root@client:~# auditconfig -setnaflags lo,na
non-attributable audit flags = lo,na(0x1400,0x1400)
lo and na are the only sensible flags for non-attributable events.
root@client:~# usermod -K audit_flags=fw,as junior
root@client:~# auditconfig -lsevent | grep lo
AUE_login               6152 lo login - local
AUE_logout              6153 lo logout
AUE_telnet              6154 lo login - telnet
AUE_rlogin              6155 lo login - rlogin
AUE_rshd                6158 lo rsh access
AUE_su                  6159 lo su
AUE_rexecd              6162 lo rexecd
AUE_passwd              6163 lo passwd
AUE_rexd                6164 lo rexd
AUE_ftpd                6165 lo ftp access
AUE_ftpd_logout         6171 lo ftp logout
AUE_ssh                 6172 lo login - ssh
AUE_role_login          6173 lo role login
AUE_rad_login           6174 lo connect to RAD
AUE_newgrp_login        6212 lo newgrp login
AUE_admin_authenticate  6213 lo admin login
AUE_screenlock          6221 lo screenlock - lock
AUE_screenunlock        6222 lo screenlock - unlock
AUE_zlogin              6227 lo login - zlogin
AUE_su_logout           6228 lo su logout
AUE_role_logout         6229 lo role logout
AUE_smbd_session        6244 lo smbd(1m) session setup
AUE_smbd_logoff         6245 lo smbd(1m) session logoff
root@client:~# auditconfig -lsevent | grep ps
AUE_EXIT                1 ps exit(2)
AUE_FORKALL             2 ps forkall(2)
AUE_VFORK               25 ps vfork(2)
AUE_FORK1               241 ps fork1(2)
root@client:~# auditconfig -lsevent | grep fw
AUE_OPEN_W              76 fw open(2) - write
# auditreduce -c ps /var/audit/20130912183630.not_terminated.client | praudit
header,139,2,execve(2),,client,2013-09-12 18:40:55.924 +00:00
path,/usr/sbin/auditreduce
attribute,100555,root,bin,65538,65875,18446744073709551615
subject,jmoekamp,root,root,root,root,20541,4400809562,480 202240 192.168.10.1
return,success,0
root@client:~# auditconfig -setflags all
user default audit flags = all(0xffffffffffffffff,0xffffffffffffffff)
Not always (in the sense of: never) a good idea.
Useful after trying things out: start a new audit file.
root@client:~# audit -n
root@client:~# auditstat
  gen  nona  kern  aud  ctl   enq  wrtn wblk rblk drop  tot  mem
38248     1 38233   14    0 37791 37788    0 3491  457 5169    0
"all" activated for a few seconds on an unloaded system
SSH and X509
root@ca:~# CA.pl -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
.............++++++
......++++++
writing new private key to '/etc/openssl/private/cakey.pem'
Enter PEM pass phrase: supersecret1
Verifying - Enter PEM pass phrase: supersecret1
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:DE
State or Province Name (full name) []:Lower Saxony
Locality Name (eg, city) []:Lueneburg
Organization Name (eg, company) []:c0t0d0s0.org
Organizational Unit Name (eg, section) []:Security Department
Common Name (eg, server FQDN or YOUR name) []:CA
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openssl/openssl.cnf
Enter pass phrase for /etc/openssl/private/cakey.pem: supersecret1
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            b3:54:80:88:66:ad:e8:78
        Validity
            Not Before: Sep 26 10:11:09 2013 GMT
            Not After : Sep 25 10:11:09 2016 GMT
        Subject:
            countryName               = DE
            stateOrProvinceName       = Lower Saxony
            organizationName          = c0t0d0s0.org
            organizationalUnitName    = Security Department
            commonName                = CA
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44
            X509v3 Authority Key Identifier:
                keyid:5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44

            X509v3 Basic Constraints:
                CA:TRUE
Certificate is to be certified until Sep 25 10:11:09 2016 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated
root@ca:~# mkdir server
root@ca:~# cd server
root@ca:~/server# CA.pl -newreq
Generating a 1024 bit RSA private key
........++++++
...++++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase: supersecret2
Verifying - Enter PEM pass phrase: supersecret2
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:DE
State or Province Name (full name) []:Lower Saxony
Locality Name (eg, city) []:Lueneburg
Organization Name (eg, company) []:c0t0d0s0.org
Organizational Unit Name (eg, section) []:Server Certificates
Common Name (eg, server FQDN or YOUR name) []:server
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem
root@ca:~/server# CA.pl -signreq
Using configuration from /etc/openssl/openssl.cnf
Enter pass phrase for /etc/openssl/private/cakey.pem: supersecret1
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            b3:54:80:88:66:ad:e8:79
        Validity
            Not Before: Sep 26 10:29:12 2013 GMT
            Not After : Sep 26 10:29:12 2014 GMT
        Subject:
            countryName               = DE
            stateOrProvinceName       = Lower Saxony
            localityName              = Lueneburg
            organizationName          = c0t0d0s0.org
            organizationalUnitName    = Server Certificates
            commonName                = server
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                A7:DC:03:DE:B3:D5:FB:F9:C0:06:F1:1A:55:A9:AD:04:C4:9C:10:FA
            X509v3 Authority Key Identifier:
                keyid:5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44

Certificate is to be certified until Sep 26 10:29:12 2014 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
root@ca:~/server# ls -l
total 15
-rw-r--r--   1 root     root        3196 Sep 26 12:29 newcert.pem
-rw-r--r--   1 root     root        1041 Sep 26 12:28 newkey.pem
-rw-r--r--   1 root     root         680 Sep 26 12:28 newreq.pem
root@ca:~/junior# CA.pl -newreq
Generating a 1024 bit RSA private key
....++++++
.........++++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
Verify failure
Enter PEM pass phrase: supersecret3
Verifying - Enter PEM pass phrase: supersecret3
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:DE
State or Province Name (full name) []:Lower Saxony
Locality Name (eg, city) []:Lueneburg
Organization Name (eg, company) []:c0t0d0s0.org
Organizational Unit Name (eg, section) []:User certificates
Common Name (eg, server FQDN or YOUR name) []:junior
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem
root@ca:~/junior# CA.pl -signreq
Using configuration from /etc/openssl/openssl.cnf
Enter pass phrase for /etc/openssl/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            b3:54:80:88:66:ad:e8:7a
        Validity
            Not Before: Sep 26 11:09:29 2013 GMT
            Not After : Sep 26 11:09:29 2014 GMT
        Subject:
            countryName               = DE
            stateOrProvinceName       = Lower Saxony
            localityName              = Lueneburg
            organizationName          = c0t0d0s0.org
            organizationalUnitName    = User certificates
            commonName                = junior
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                A1:F2:FC:9D:8A:E2:AD:9A:F5:29:03:F5:B7:14:93:3C:64:62:8E:9C
            X509v3 Authority Key Identifier:
                keyid:5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44

Certificate is to be certified until Sep 26 11:09:29 2014 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
root@server:~# useradd -m junior
80 blocks
root@server:~# passwd junior
New Password:
Re-enter new Password:
passwd: password successfully changed for junior
root@client:~# useradd -m junior
80 blocks
root@client:~# passwd junior
New Password:
Re-enter new Password:
passwd: password successfully changed for junior
root@server:~# echo "192.168.10.51 server" >> /etc/hosts
root@server:~# echo "192.168.10.52 client" >> /etc/hosts
root@client:~# echo "192.168.10.51 server" >> /etc/hosts
root@client:~# echo "192.168.10.52 client" >> /etc/hosts
root@ca:~/server# scp /etc/openssl/cacert.pem jmoekamp@192.168.10.109:/export/home/jmoekamp
Password:
cacert.pem           100% |*****************************|  3011       00:00
root@ca:~/server# scp newcert.pem jmoekamp@192.168.10.109:/export/home/jmoekamp
Password:
newcert.pem          100% |*****************************|  3196       00:00
root@ca:~/server# scp newkey.pem jmoekamp@192.168.10.109:/export/home/jmoekamp
Password:
newkey.pem           100% |*****************************|  1041       00:00
root@ca:~/junior# scp newkey.pem junior@client:/export/home/junior
Password:
newkey.pem           100% |*****************************|  1041       00:00
root@ca:~/junior# scp newcert.pem junior@client:/export/home/junior
Password:
newcert.pem          100% |*****************************|  3190       00:00
root@ca:~/junior# scp /etc/openssl/cacert.pem junior@192.168.10.4:/export/home/junior
Password:
cacert.pem           100% |*****************************|  3011       00:00
On the Server
root@server:~# ls
cacert.pem  newcert.pem  newkey.pem
root@server:~# pktool setpin
Enter token passphrase: changeme
Create new passphrase: superserversecret
Re-enter new passphrase: superserversecret
Passphrase changed.
root@server:~# printf "superserversecret" > /etc/ssh/pinfile
root@server:~# kmfcfg create dbfile=/etc/ssh/policy.xml policy=ssh ta-name=search mapper-name=cn
root@server:~# echo "TrustedAnchorKeystore /etc/ssh/cert" >> /etc/ssh/sshd_config
root@server:~# echo "KMFPolicyDatabase /etc/ssh/policy.xml" >> /etc/ssh/sshd_config
root@server:~# echo "KMFPolicyName ssh" >> /etc/ssh/sshd_config
root@server:~# echo "HostKey pkcs11:object=host;token=Sun Metaslot;pinfile=/etc/ssh/pinfile" >> /etc/ssh/sshd_config
root@server:~# pktool import keystore=pkcs11 infile=newkey.pem objtype=key label=host
Enter PIN for Sun Software PKCS#11 softtoken: superserversecret
Enter PEM pass phrase: supersecret2
Importing 1 keys
root@server:~# egrep -v "^ |^$|^Cert" /export/home/jmoekamp/cacert.pem > /etc/ssh/cert/cacert.cooked.pem
root@server:~# egrep -v "^ |^$|^Cert" newcert.pem > newcert.cooked.pem
root@server:~# pktool import keystore=pkcs11 infile=newcert.cooked.pem objtype=cert label=host
root@server:~#
On the client
junior@client:~$ ls *.pem
cacert.pem  newcert.pem  newkey.pem
root@client:~# kmfcfg create dbfile=/etc/ssh/policy.xml policy=ssh ta-name=search mapper-name=cn
root@client:~# egrep -v "^ |^$|^Cert" /export/home/junior/cacert.pem > /etc/ssh/cert/cacert.cooked.pem
junior@client:~$ pktool setpin
Enter token passphrase: changeme
Create new passphrase: superusersecret
Re-enter new passphrase: superusersecret
Passphrase changed.
junior@client:~$ pktool import keystore=pkcs11 infile=newkey.pem objtype=key label=user
Enter PIN for Sun Software PKCS#11 softtoken: superusersecret
Enter PEM pass phrase: supersecret3
Importing 1 keys
junior@client:~$ egrep -v "^ |^$|^Cert" newcert.pem > newcert.cooked.pem
junior@client:~$ pktool import keystore=pkcs11 infile=newcert.cooked.pem objtype=cert label=user
Testing it
root@server:~# svcadm disable ssh
root@server:~# svcadm enable ssh
junior@client:~$ cd .ssh
junior@client:~/.ssh$ printf "superusersecret" >> pinfile
junior@client:~/.ssh$ cat config
Host server-x509
    Hostname server
    TrustedAnchorKeystore /etc/ssh/cert
    KMFPolicyDatabase /etc/ssh/policy.xml
    KMFPolicyName ssh
    IdentityFile pkcs11:object=user;token=Sun Software PKCS#11 softtoken;pinfile=/export/home/junior/.ssh/pinfile
junior@client:~/.ssh$ ssh junior@server-x509
Last login: Thu Sep 26 20:07:14 2013 from client
Oracle Corporation      SunOS 5.11      11.1    September 2013
junior@server:~$
Find more information regarding this feature at http://www.c0t0d0s0.org/archives/7659-Using-X509-support-for-SSH-on-Solaris-11.1.html
OpenSCAP
"The Security Content Automation Protocol (SCAP) is a method for using specific standards to enable automated vulnerability management, measurement, and policy compliance evaluation (e.g., FISMA compliance). The National Vulnerability Database (NVD) is the U.S. government content repository for SCAP."
http://en.wikipedia.org/wiki/Security_Content_Automation_Protocol
ftp-banner.xml
<?xml version="1.0" encoding="UTF-8"?>
<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:independent-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd">
  <generator>
    <oval:product_name>Enhanced SCAP Editor</oval:product_name>
    <oval:product_version>0.0.11</oval:product_version>
    <oval:schema_version>5.8</oval:schema_version>
    <oval:timestamp>2012-10-11T10:33:25</oval:timestamp>
  </generator>
  <!--generated:oval:base:identifier=com.oracle.solaris11-->
  <definitions>
    <definition id="oval:com.oracle.solaris11:def:840" version="1" class="compliance">
      <metadata>
        <title>Enable a Warning Banner for the FTP Service</title>
        <affected family="unix">
          <platform>Oracle Solaris 11</platform>
        </affected>
        <description>/etc/proftpd.conf contains "DisplayConnect /etc/issue"</description>
      </metadata>
      <criteria operator="AND" negate="false" comment="Single test">
        <criterion comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;" test_ref="oval:com.oracle.solaris11:tst:8400" negate="false"/>
      </criteria>
    </definition>
  </definitions>
  <tests>
    <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:com.oracle.solaris11:tst:8400" version="1" check="all" comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;" check_existence="all_exist">
      <object object_ref="oval:com.oracle.solaris11:obj:8400"/>
    </textfilecontent54_test>
  </tests>
  <objects>
    <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:com.oracle.solaris11:obj:8400" version="1" comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;">
      <path datatype="string" operation="equals">/etc</path>
      <filename datatype="string" operation="equals">proftpd.conf</filename>
      <pattern datatype="string" operation="pattern match">^DisplayConnect\s/etc/issue\s*$</pattern>
      <instance datatype="int" operation="greater than or equal">1</instance>
    </textfilecontent54_object>
  </objects>
</oval_definitions>
$ oscap oval eval ftp-banner.xml
Definition oval:com.oracle.solaris11:def:840: false
Evaluation done.
$ oscap oval eval --results results.xml --report report.html ftp-banner.xml
Definition oval:com.oracle.solaris11:def:840: false
Evaluation done.
OVAL Results are exported correctly.
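What oscap does with ftp-banner.xml can be followed with a small evaluator for the one object type the definition uses. This is an added example, not code from the slides or from OpenSCAP: it reads a constructed, trimmed copy of the definition above and resolves the textfilecontent54 object against file contents supplied as a dict, so the "Definition ...: false" verdict above, and the "true" after the directive is added, can be reproduced offline.

```python
"""Evaluate an OVAL textfilecontent54 check the way oscap does for ftp-banner.xml.

Added example (not from the slides or OpenSCAP). Files are supplied as a dict so
the check runs offline; the XML is a constructed, trimmed copy of ftp-banner.xml.
"""
import re
import xml.etree.ElementTree as ET

OVAL_DEF = "{http://oval.mitre.org/XMLSchema/oval-definitions-5}"
OVAL_IND = "{http://oval.mitre.org/XMLSchema/oval-definitions-5#independent}"

FTP_BANNER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
    xmlns:ind="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
  <definitions>
    <definition id="oval:com.oracle.solaris11:def:840" version="1" class="compliance">
      <metadata><title>Enable a Warning Banner for the FTP Service</title></metadata>
      <criteria operator="AND">
        <criterion test_ref="oval:com.oracle.solaris11:tst:8400"/>
      </criteria>
    </definition>
  </definitions>
  <tests>
    <ind:textfilecontent54_test id="oval:com.oracle.solaris11:tst:8400" version="1"
        check="all" check_existence="all_exist">
      <ind:object object_ref="oval:com.oracle.solaris11:obj:8400"/>
    </ind:textfilecontent54_test>
  </tests>
  <objects>
    <ind:textfilecontent54_object id="oval:com.oracle.solaris11:obj:8400" version="1">
      <ind:path operation="equals">/etc</ind:path>
      <ind:filename operation="equals">proftpd.conf</ind:filename>
      <ind:pattern operation="pattern match">^DisplayConnect\\s/etc/issue\\s*$</ind:pattern>
      <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
    </ind:textfilecontent54_object>
  </objects>
</oval_definitions>
"""

# Constructed file systems: a host without the banner directive and one with it.
FILES_NONCOMPLIANT = {"/etc/proftpd.conf": 'ServerName "ProFTPD"\nDefaultServer on\n'}
FILES_COMPLIANT = {"/etc/proftpd.conf": 'ServerName "ProFTPD"\nDisplayConnect /etc/issue\nDefaultServer on\n'}

# <instance> selects which pattern matches (numbered from 1) become items.
INSTANCE_OPS = {
    "equals": lambda i, n: i == n,
    "not equal": lambda i, n: i != n,
    "greater than": lambda i, n: i > n,
    "greater than or equal": lambda i, n: i >= n,
    "less than": lambda i, n: i < n,
    "less than or equal": lambda i, n: i <= n,
}


def collect_items(obj, files):
    """Items of a textfilecontent54_object: the pattern matches the instance selector keeps."""
    target = obj.findtext(OVAL_IND + "path").rstrip("/") + "/" + obj.findtext(OVAL_IND + "filename")
    content = files.get(target)
    if content is None:            # file absent: the object collects nothing
        return []
    pattern = re.compile(obj.findtext(OVAL_IND + "pattern"), re.MULTILINE)
    inst = obj.find(OVAL_IND + "instance")
    selected = INSTANCE_OPS[inst.get("operation", "equals")]
    wanted = int(inst.text)
    return [m.group(0) for i, m in enumerate(pattern.finditer(content), start=1)
            if selected(i, wanted)]


def existence_ok(check_existence, count):
    """Resolve check_existence when the test has no <state> (as in ftp-banner.xml)."""
    return {"all_exist": count >= 1,
            "at_least_one_exists": count >= 1,
            "only_one_exists": count == 1,
            "none_exist": count == 0,
            "any_exist": True}[check_existence]


def evaluate(xml_text, files):
    """Return {definition_id: bool}, the 'Definition ...: true/false' lines oscap prints."""
    root = ET.fromstring(xml_text)
    objects = {o.get("id"): o for o in root.iter(OVAL_IND + "textfilecontent54_object")}
    tests = {}
    for test in root.iter(OVAL_IND + "textfilecontent54_test"):
        ref = test.find(OVAL_IND + "object").get("object_ref")
        count = len(collect_items(objects[ref], files))
        tests[test.get("id")] = existence_ok(test.get("check_existence", "at_least_one_exists"), count)
    results = {}
    for definition in root.iter(OVAL_DEF + "definition"):
        criteria = definition.find(OVAL_DEF + "criteria")
        outcomes = [tests[c.get("test_ref")] for c in criteria.iter(OVAL_DEF + "criterion")]
        combine = all if criteria.get("operator", "AND") == "AND" else any
        results[definition.get("id")] = combine(outcomes)
    return results


if __name__ == "__main__":
    for name, files in (("without banner", FILES_NONCOMPLIANT), ("with banner", FILES_COMPLIANT)):
        for def_id, ok in evaluate(FTP_BANNER_XML, files).items():
            print(f"{name}: Definition {def_id}: {str(ok).lower()}")
```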
To create your own OVAL files: Enhanced SCAP Content Editor
Find more information regarding this feature at https://blogs.oracle.com/darren/entry/compliance_reporting_with_scap
root@client:~# mkpwdict -s /usr/share/lib/dict/words
mkpwdict: using default database location: /var/passwd.
or
root@client:~# mkpwdict -s /usr/share/lib/dict/words -d /var/passwd
Address Space Layout Randomization
root@solaris:~# sxadm exec -s aslr=disable /usr/bin/pmap self
1914:   /usr/bin/pmap self
0000000000400000         28K r-x--  /usr/bin/pmap
0000000000417000          4K rw---  /usr/bin/pmap
0000000000418000         40K rw---    [ heap ]
FFFF80FFBDDD0000        216K r-x--  /lib/amd64/libproc.so.1
FFFF80FFBDE16000          8K rw---  /lib/amd64/libproc.so.1
FFFF80FFBF430000       1764K r-x--  /lib/amd64/libc.so.1
FFFF80FFBF5F9000         64K rw---  /lib/amd64/libc.so.1
FFFF80FFBF609000         12K rw---  /lib/amd64/libc.so.1
FFFF80FFBF740000          4K rw---    [ anon ]
FFFF80FFBF750000         24K rwx--    [ anon ]
FFFF80FFBF760000          4K rw---    [ anon ]
FFFF80FFBF770000          4K rw---    [ anon ]
FFFF80FFBF780000          4K rw---    [ anon ]
FFFF80FFBF790000          4K rw---    [ anon ]
FFFF80FFBF792000          4K r--s-    [ anon ]
FFFF80FFBF795000        340K r-x--  /lib/amd64/ld.so.1
FFFF80FFBF7FA000         12K rwx--  /lib/amd64/ld.so.1
FFFF80FFBF7FD000          8K rwx--  /lib/amd64/ld.so.1
FFFF80FFBFFFD000         12K rw---    [ stack ]
         total         2556K
root@solaris:~# sxadm exec -s aslr=disable /usr/bin/pmap self
1915:   /usr/bin/pmap self
0000000000400000         28K r-x--  /usr/bin/pmap
0000000000417000          4K rw---  /usr/bin/pmap
0000000000418000         40K rw---    [ heap ]
FFFF80FFBDDD0000        216K r-x--  /lib/amd64/libproc.so.1
FFFF80FFBDE16000          8K rw---  /lib/amd64/libproc.so.1
FFFF80FFBF430000       1764K r-x--  /lib/amd64/libc.so.1
FFFF80FFBF5F9000         64K rw---  /lib/amd64/libc.so.1
FFFF80FFBF609000         12K rw---  /lib/amd64/libc.so.1
FFFF80FFBF740000          4K rw---    [ anon ]
FFFF80FFBF750000         24K rwx--    [ anon ]
FFFF80FFBF760000          4K rw---    [ anon ]
FFFF80FFBF770000          4K rw---    [ anon ]
FFFF80FFBF780000          4K rw---    [ anon ]
FFFF80FFBF790000          4K rw---    [ anon ]
FFFF80FFBF792000          4K r--s-    [ anon ]
FFFF80FFBF795000        340K r-x--  /lib/amd64/ld.so.1
FFFF80FFBF7FA000         12K rwx--  /lib/amd64/ld.so.1
FFFF80FFBF7FD000          8K rwx--  /lib/amd64/ld.so.1
FFFF80FFBFFFD000         12K rw---    [ stack ]
         total         2556K
root@solaris:~# sxadm exec -s aslr=enable /usr/bin/pmap self
1917:   /usr/bin/pmap self
0000000000400000         28K r-x--  /usr/bin/pmap
0000000000417000          4K rw---  /usr/bin/pmap
0000000000418000          8K rw---  /usr/bin/pmap
00000005D6666000         36K rw---    [ heap ]
00007FF669C70000        216K r-x--  /lib/amd64/libproc.so.1
00007FF669CB6000          8K rw---  /lib/amd64/libproc.so.1
00007FF669CC0000          4K rw---    [ anon ]
00007FF669CD0000         24K rwx--    [ anon ]
00007FF669CE0000          4K rw---    [ anon ]
00007FF669CF0000       1764K r-x--  /lib/amd64/libc.so.1
00007FF669EB9000         64K rw---  /lib/amd64/libc.so.1
00007FF669EC9000         12K rw---  /lib/amd64/libc.so.1
00007FF669ED0000          4K rw---    [ anon ]
00007FF669EE0000          4K rw---    [ anon ]
00007FF669EF0000          4K rw---    [ anon ]
00007FF669EF2000          4K r--s-    [ anon ]
00007FF669EFC000        340K r-x--  /lib/amd64/ld.so.1
00007FF669F61000         12K rwx--  /lib/amd64/ld.so.1
00007FF669F64000          8K rwx--  /lib/amd64/ld.so.1
FFFF80DDA254F000         16K rw---    [ stack ]
         total         2564K
root@solaris:~# sxadm exec -s aslr=enable /usr/bin/pmap self
1918:   /usr/bin/pmap self
0000000000400000         28K r-x--  /usr/bin/pmap
0000000000417000          4K rw---  /usr/bin/pmap
0000000000418000          8K rw---  /usr/bin/pmap
000000065B76D000         36K rw---    [ heap ]
00007FFAACFC0000        216K r-x--  /lib/amd64/libproc.so.1
00007FFAAD006000          8K rw---  /lib/amd64/libproc.so.1
00007FFAAD010000          4K rw---    [ anon ]
00007FFAAD020000         24K rwx--    [ anon ]
00007FFAAD030000          4K rw---    [ anon ]
00007FFAAD040000       1764K r-x--  /lib/amd64/libc.so.1
00007FFAAD209000         64K rw---  /lib/amd64/libc.so.1
00007FFAAD219000         12K rw---  /lib/amd64/libc.so.1
00007FFAAD220000          4K rw---    [ anon ]
00007FFAAD230000          4K rw---    [ anon ]
00007FFAAD240000          4K rw---    [ anon ]
00007FFAAD242000          4K r--s-    [ anon ]
00007FFAAD24D000        340K r-x--  /lib/amd64/ld.so.1
00007FFAAD2B2000         12K rwx--  /lib/amd64/ld.so.1
00007FFAAD2B5000          8K rwx--  /lib/amd64/ld.so.1
FFFF80DE1559E000         12K rw---    [ stack ]
root@solaris:~# sxadm info
EXTENSION           STATUS                    CONFIGURATION
aslr                enabled (tagged-files)    system default (default)
root@solaris:~# elfdump -d /usr/bin/pmap | grep ASLR
      [33]  SUNW_ASLR         0x2               ENABLE
root@solaris:~# elfedit -e 'dyn:sunw_aslr disable' /usr/bin/pmap
root@solaris:~# elfdump -d /usr/bin/pmap | grep ASLR
      [33]  SUNW_ASLR         0x1               DISABLE
root@solaris:~# sxadm enable -c model=all aslr
root@solaris:~# sxadm info
EXTENSION           STATUS                    CONFIGURATION
aslr                enabled (all)             enabled (all)
root@solaris:~# sxadm disable aslr
root@solaris:~# sxadm info
EXTENSION           STATUS                    CONFIGURATION
aslr                disabled                  disabled
root@solaris:~# sxadm enable -c model=tagged-files aslr
root@solaris:~# sxadm info
EXTENSION           STATUS                    CONFIGURATION
aslr                enabled (tagged-files)    enabled (tagged-files)
pfedit
root@template:/etc/apache2/2.2# profiles -p "httpd edit"
profiles:httpd edit> set auths=solaris.admin.edit/etc/apache2/2.2/httpd.conf
profiles:httpd edit> set desc="Edit httpd"
profiles:httpd edit> exit
root@template:/etc/apache2/2.2# usermod -P +"httpd edit" junior
junior@template:~$ profiles
httpd edit
Basic Solaris User
All
junior@template:~$ vi /etc/apache2/2.2/httpd.conf
junior@template:~$ pfedit /etc/apache2/2.2/httpd.conf
pfedit: /etc/apache2/2.2/httpd.conf has been updated.
junior@template:~$ pfedit /etc/apache2/2.2/mime.types
pfedit: User junior is not authorized to edit the file /etc/apache2/2.2/mime.types
root@template:/etc/apache2/2.2# profiles -p "httpd edit"
profiles:httpd edit> info
        name=httpd edit
        desc=Edit httpd
        auths=solaris.admin.edit/etc/apache2/2.2/httpd.conf
profiles:httpd edit> add auths=solaris.admin.edit/etc/apache2/2.2/mime.types
junior@template:~$ pfedit /etc/apache2/2.2/mime.types
pfedit: no changes for /etc/apache2/2.2/mime.types
# profiles -p "httpd configure"
profiles:httpd configure> add always_audit=as
profiles:httpd configure> info
        name=httpd configure
        desc=Configure httpd
        auths=solaris.admin.edit/etc/apache2/2.2/httpd.conf,solaris.admin.edit/etc/apache2/2.2/mime.types
        always_audit=as
        never_audit=no
profiles:httpd configure> exit
root@template:~#
root@template:~# auditreduce -c as | praudit
[...]
header,486,2,edit administrative file,,fe80::a00:27ff:fea6:33cb,2013-08-12 07:45:52.306 +00:00
subject,junior,junior,staff,junior,staff,4212,447467166,369 136704 MacBook-Pro-of-c0t0d0s0.fritz.box
path,/etc/apache2/2.2/httpd.conf
use of authorization,solaris.admin.edit/etc/apache2/2.2/httpd.conf
text,--- /etc/apache2/2.2/httpd.conf    Mo Aug 12 07:45:00 2013
+++ /etc/apache2/2.2/httpd.conf.pfedit.1BaGoi   Mo Aug 12 07:45:52 2013
@@ -1,5 +1,6 @@
 Test
 Test 2
+Test 3
 #
 # This is the main Apache HTTP server configuration file.  It contains the
 # configuration directives that give the server its instructions.
return,success,0
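The praudit records on this page (the execve(2) record from the auditing section and the pfedit record above) can be turned into a usable report with a few lines of parsing. This is an added example, not code from the slides: it splits praudit text output into records, keeps a multi-line text token (pfedit's diff) together, and lists who used a solaris.admin.edit authorization on which file; the sample input is constructed from the two records shown on this page.

```python
"""Parse praudit text records and pull out administrative file edits.

Added example (not from the slides). praudit prints one token per line, except
that a text token (here: the diff pfedit records) continues over several lines.
"""

# Token types that occur in the records on this page.
TOKEN_TYPES = ("header", "subject", "path", "attribute", "use of authorization",
               "text", "return", "trailer")

# Constructed from the two records shown on this page.
SAMPLE_PRAUDIT = """\
header,139,2,execve(2),,client,2013-09-12 18:40:55.924 +00:00
path,/usr/sbin/auditreduce
attribute,100555,root,bin,65538,65875,18446744073709551615
subject,jmoekamp,root,root,root,root,20541,4400809562,480 202240 192.168.10.1
return,success,0
header,486,2,edit administrative file,,fe80::a00:27ff:fea6:33cb,2013-08-12 07:45:52.306 +00:00
subject,junior,junior,staff,junior,staff,4212,447467166,369 136704 MacBook-Pro-of-c0t0d0s0.fritz.box
path,/etc/apache2/2.2/httpd.conf
use of authorization,solaris.admin.edit/etc/apache2/2.2/httpd.conf
text,--- /etc/apache2/2.2/httpd.conf    Mo Aug 12 07:45:00 2013
+++ /etc/apache2/2.2/httpd.conf.pfedit.1BaGoi   Mo Aug 12 07:45:52 2013
@@ -1,5 +1,6 @@
 Test
 Test 2
+Test 3
return,success,0
"""


def parse_praudit(text):
    """Split praudit output into records: a list of {token_type: [values...]}."""
    records = []
    current = None
    last_token = None
    for line in text.splitlines():
        kind = next((t for t in TOKEN_TYPES if line.startswith(t + ",")), None)
        if kind == "header":              # a header token opens a new record
            current = {}
            records.append(current)
        if current is None:
            continue                      # stray lines before the first header
        if kind is None:
            # Continuation line of the previous token (multi-line text token).
            if last_token is not None:
                current[last_token][-1] += "\n" + line
            continue
        current.setdefault(kind, []).append(line[len(kind) + 1:])
        last_token = kind
    return records


def event_name(record):
    """header,<bytes>,<version>,<event>,<modifier>,<host>,<time> -> <event>."""
    return record["header"][0].split(",")[2]


def audit_user(record):
    """First subject field is the audit ID: the original login, even after su to root."""
    return record["subject"][0].split(",")[0]


def admin_edits(records):
    """Return (audit_user, file, authorization) for every solaris.admin.edit use."""
    edits = []
    for record in records:
        for auth in record.get("use of authorization", []):
            if auth.startswith("solaris.admin.edit/"):
                path = record.get("path", ["<unknown>"])[0]
                edits.append((audit_user(record), path, auth))
    return edits


if __name__ == "__main__":
    for user, path, auth in admin_edits(parse_praudit(SAMPLE_PRAUDIT)):
        print(f"{user} edited {path} using {auth}")
```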
Delegating privilege to restart services (so you can keep the root password)
junior@template:~$ svcadm refresh apache22
svcadm: svc:/network/http:apache22: Permission denied.
# svcs -a | grep apache22
online         15:30:29 svc:/network/http:apache22
# auths add -t "Apache22 value" solaris.smf.value.http.apache22
# auths add -t "Apache22 action" solaris.smf.action.http.apache22
# svccfg -s apache22 setprop general/value_authorization = astring: solaris.smf.value.http.apache22
# svccfg -s apache22 setprop general/action_authorization = astring: solaris.smf.action.http.apache22
# profiles -p "httpd edit" "add auths=solaris.smf.action.http.apache22"
junior@template:~$ svcadm refresh apache22
junior@template:~$
Privileges
$ ls -l /usr/sbin/traceroute
-r-sr-xr-x   1 root     bin        42324 Nov 21 00:09 /usr/sbin/traceroute
$ ls -l /usr/sbin/ping
-r-sr-xr-x   1 root     bin        51396 Nov 18 19:31 /usr/sbin/ping
set-uid to root: ping needs it to work
# chmod -s /usr/sbin/ping
# exit
$ ping -s 192.168.1.132
ping: socket Permission denied
Remove the set-uid bit and ping stops working.
jmoekamp@daddelkiste:~$ ppriv $$
2153:   -bash
flags = <none>
        E: basic
        I: basic
        P: basic
        L: all
contract_event contract_identity contract_observer cpc_cpu dtrace_kernel dtrace_proc dtrace_user file_chown file_chown_self file_dac_execute file_dac_read file_dac_search file_dac_write file_downgrade_sl file_flag_set file_link_any file_owner file_read file_setid file_upgrade_sl file_write graphics_access graphics_map ipc_dac_read ipc_dac_write ipc_owner net_access net_bindmlp net_icmpaccess net_mac_aware net_mac_implicit net_observability net_privaddr net_rawaccess proc_audit proc_chroot proc_clock_highres proc_exec proc_fork proc_info proc_lock_memory proc_owner proc_priocntl proc_session proc_setid proc_taskid proc_zone sys_acct sys_admin sys_audit sys_config sys_devices sys_dl_config sys_flow_config sys_ib_config sys_ib_info sys_ip_config sys_ipc_config sys_iptun_config sys_linkdir sys_mount sys_net_config sys_nfs sys_ppp_config sys_res_bind sys_res_config sys_resource sys_share sys_smb sys_suser_compat sys_time sys_trans_label win_colormap win_config win_dac_read win_dac_write win_devices win_dga win_downgrade_sl win_fontpath win_mac_read win_mac_write win_selection win_upgrade_sl
All privileges in their entirety, assigned to one user, are (almost)
Neat extension in Solaris 11: the ability to use networking (net_access) is now a privilege. It is part of the default set of privileges, but you can remove it.
moekampdaddelkiste~$ ppriv -v $$2153 -bashflags = ltnonegt E file_link_anyfile_readfile_writenet_accessproc_execproc_forkproc_infoproc_sessionsys_ib_info I file_link_anyfile_readfile_writenet_accessproc_execproc_forkproc_infoproc_sessionsys_ib_info P file_link_anyfile_readfile_writenet_accessproc_execproc_forkproc_infoproc_sessionsys_ib_info L contract_eventcontract_identitycontract_observercpc_cpudtrace_kerneldtrace_procdtrace_userfile_chownfile_chown_selffile_dac_executefile_dac_readfile_dac_searchfile_dac_writefile_downgrade_slfile_flag_setfile_link_anyfile_ownerfile_readfile_setidfile_upgrade_slfile_writegraphics_accessgraphics_mapipc_dac_readipc_dac_writeipc_ownernet_accessnet_bindmlpnet_icmpaccessnet_mac_awarenet_mac_implicitnet_observabilitynet_privaddrnet_rawaccessproc_auditproc_chrootproc_clock_highresproc_execproc_forkproc_infoproc_lock_memoryproc_ownerproc_priocntlproc_sessionproc_setidproc_taskidproc_zonesys_acctsys_adminsys_auditsys_configsys_devicessys_dl_configsys_flow_configsys_ib_configsys_ib_infosys_ip_configsys_ipc_configsys_iptun_configsys_linkdirsys_mountsys_net_configsys_nfssys_ppp_configsys_res_bindsys_res_configsys_resourcesys_sharesys_smbsys_suser_compatsys_timesys_trans_labelwin_colormapwin_configwin_dac_readwin_dac_writewin_deviceswin_dgawin_downgrade_slwin_fontpathwin_mac_readwin_mac_writewin_selectionwin_upgrade_sl
c0t0d0s0org57
rootdaddelkiste~ ppriv $$2183 -bashflags = ltnonegt E all I basic P all L all
junior@daddelkiste:~$ dtrace -n 'syscall:::entry { @num[execname] = count(); }'
dtrace: failed to initialize dtrace: DTrace requires additional privileges

root@daddelkiste:~# usermod -K defaultpriv=basic,dtrace_kernel,dtrace_proc,dtrace_user junior
UX: usermod: junior is currently logged in, some changes may not take effect until next login.

junior@daddelkiste:~$ dtrace -n 'syscall:::entry { @num[execname] = count(); }'
dtrace: description 'syscall:::entry' matched 211 probes
^C

  automountd    1
  sshd         24
  dtrace      544
  auditd      564

Keep in mind what you hand out here: dtrace_kernel lets the user trace the kernel and read kernel memory, which makes the account effectively root-equivalent; dtrace_proc and dtrace_user alone are enough to trace the user's own processes.
# ps -ef | grep kcfd
  daemon   125     1   0 14:24:19 ?           0:00 /usr/lib/crypto/kcfd
    root   734   728   0 15:54:08 pts/1       0:00 grep kcfd
# ppriv -v 125
125:    /usr/lib/crypto/kcfd
flags = PRIV_AWARE
        E: file_owner,proc_priocntl,sys_devices
        I: none
        P: file_owner,proc_priocntl,sys_devices
        L: none

This is how a system daemon should look: three privileges in the effective and permitted sets, nothing inheritable, and an empty limit set, so not even a child process could ever gain more.
# svcadm -v enable -s apache2
svc:/network/http:apache2 enabled.

jmoekamp@client:~$ ps -ef | grep http
webservd  1978  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1979  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1980  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1984  1975   0 12:20:02 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
    root  1975     1   0 12:19:14 ?           0:01 /usr/apache2/2.2/bin/httpd -k start
webservd  1977  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1976  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start

root@client:~# ppriv 1977
1977:   /usr/apache2/2.2/bin/httpd -k start
flags = <none>
        E: basic
        I: basic
        P: basic
        L: all
root@client:~# ppriv 1975
1975:   /usr/apache2/2.2/bin/httpd -k start
flags = <none>
        E: all
        I: basic
        P: all
        L: all
The Apache parent process running as root (PID 1975) has every privilege in the list above in its effective and permitted sets (E: all, P: all). The other processes, the webservd workers, have the basic set.

What Apache really needs to serve on port 80 is the basic set plus net_privaddr (to bind a privileged port), proc_session, proc_info and file_link_any; that is exactly the set configured via svccfg in the next step.

So the default layout grants a large number of privileges to one process that Apache does not need. A bug in the parent process hands all of them to an attacker.
# svcadm -v disable -s apache2
svc:/network/http:apache2 disabled.

root@client:~# svccfg -s apache22
svc:/network/http:apache22> setprop start/user = astring: webservd
svc:/network/http:apache22> setprop start/group = astring: webservd
svc:/network/http:apache22> setprop start/privileges = astring: basic,proc_session,proc_info,file_link_any,net_privaddr
svc:/network/http:apache22> setprop start/limit_privileges = astring: :default
svc:/network/http:apache22> setprop start/use_profile = boolean: false
svc:/network/http:apache22> setprop start/supp_groups = astring: :default
svc:/network/http:apache22> setprop start/working_directory = astring: :default
svc:/network/http:apache22> setprop start/project = astring: :default
svc:/network/http:apache22> setprop start/resource_pool = astring: :default
svc:/network/http:apache22> end
root@client:~# svcadm -v refresh apache22
Action refresh set for svc:/network/http:apache22.

The lock and pid file have to move to a directory webservd can write to, because the defaults are only writable by root:

# echo "LockFile /var/apache2/2.2/logs/accept.lock" >> /etc/apache2/2.2/httpd.conf
# echo "PidFile /var/apache2/2.2/run/httpd.pid" >> /etc/apache2/2.2/httpd.conf
# mkdir -p -m 755 /var/apache2/2.2/run
# chown webservd:webservd /var/apache2/2.2/run
# svcadm enable apache22

webservd  3064  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3062  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3063  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3066  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3061     1   0 16:49:17 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3065  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start

Now the parent process (PID 3061) runs as webservd as well. SMF assigns the privileges before the method is executed, so httpd never runs as root: net_privaddr alone lets it bind port 80.
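As an added example (not code from the slides or from Oracle), here is a small Python check that does for any ppriv(1) output what the slides do by eye: it expands ppriv's shorthand set names and lists what a process holds beyond an allow-list written the way SMF's start/privileges value is. BASIC is the basic set as printed by ppriv -v above; the two sample outputs are the root httpd parent and a webservd worker from the slides, and APACHE_NEEDS is the set the svccfg step grants.

```python
"""Privilege-set check for ppriv(1) output. Added example; this is not Oracle code.

Takes the text `ppriv <pid>` prints, expands the named sets ppriv uses as
shorthand (basic, all, none) and lists the privileges in a chosen set that an
allow-list (SMF start/privileges syntax) does not cover.
"""

# The basic set exactly as `ppriv -v $$` prints it on the slides.
BASIC = frozenset({
    "file_link_any", "file_read", "file_write", "net_access", "proc_exec",
    "proc_fork", "proc_info", "proc_session", "sys_ib_info",
})
ALL = "all"  # marker: ppriv prints the literal word for the full privilege set


def expand(spec):
    """Turn a comma-separated ppriv/SMF privilege spec into a set of names.

    'basic' expands to BASIC, 'none' contributes nothing, and 'all' stays the
    ALL marker because the full set is not enumerated here.
    """
    privs = set()
    for name in (n.strip() for n in spec.split(",") if n.strip()):
        if name == "basic":
            privs |= BASIC
        elif name != "none":
            privs.add(name)
    return privs


def parse_ppriv(text):
    """Map the set letters E, I, P, L in ppriv output to expanded privilege sets."""
    sets = {}
    for line in text.splitlines():
        line = line.strip()
        if len(line) > 2 and line[0] in "EIPL" and line[1] == ":":
            sets[line[0]] = expand(line[2:])
    return sets


def excess_privileges(ppriv_text, allowed_spec, which="E"):
    """Sorted privileges in set `which` that the allow-list does not grant.

    A process holding 'all' is reported as ['all'] unless the allow-list says
    all. Check P as well as E: anything in the permitted set can be re-enabled
    by the process itself.
    """
    held = parse_ppriv(ppriv_text).get(which, set())
    allowed = expand(allowed_spec)
    if ALL in allowed:
        return []
    if ALL in held:
        return [ALL]
    return sorted(held - allowed)


# `ppriv 1975` (root httpd parent) and `ppriv 1977` (webservd worker) as shown
# on the slides before the SMF method context was changed.
HTTPD_ROOT = """1975:   /usr/apache2/2.2/bin/httpd -k start
flags = <none>
        E: all
        I: basic
        P: all
        L: all
"""
HTTPD_WORKER = """1977:   /usr/apache2/2.2/bin/httpd -k start
flags = <none>
        E: basic
        I: basic
        P: basic
        L: all
"""
# The value the slides set for start/privileges.
APACHE_NEEDS = "basic,proc_session,proc_info,file_link_any,net_privaddr"

if __name__ == "__main__":
    for label, text in (("root parent", HTTPD_ROOT), ("worker", HTTPD_WORKER)):
        for s in ("E", "P"):
            print(label, s, excess_privileges(text, APACHE_NEEDS, s))
```

Run it against `ppriv <pid>` output captured from every service user of interest; a non-empty result for P is the finding, because the permitted set is what a compromised process can grow back into.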
Read-only zone root

zonecfg:testzone> set file-mac-profile=none
    Standard read-write non-global zone with no additional protection beyond the existing zone boundaries.

zonecfg:testzone> set file-mac-profile=strict
    Read-only file system, no exceptions.

zonecfg:testzone> set file-mac-profile=fixed-configuration
    Permits updates to /var/* directories, with the exception of directories that contain system configuration components.

zonecfg:testzone> set file-mac-profile=flexible-configuration
    Permits modification of files in /etc/* directories, changes to root's home directory and updates to /var/* directories. This configuration provides the closest functionality to the Oracle Solaris 10 native sparse root zone.

The profile is enforced by the kernel, not by permissions: even root inside the zone cannot modify the protected parts of the zone root. Maintenance of those files is done from the global zone.
in-kernel SSL Proxy

# mkdir /etc/keys
# cd /etc/keys
# openssl req -x509 -nodes -days 365 -subj "/C=DE/ST=Hamburg/L=Hamburg/CN=server" -newkey rsa:1024 -keyout /etc/keys/mykey.pem -out /etc/keys/mycert.pem
# cat mycert.pem mykey.pem > my.pem
# chmod 600 my.pem

# echo "pass" > /etc/keys/mypass
# ksslcfg create -f pem -i /etc/keys/my.pem -x 8080 -p /etc/keys/mypass server 443

The same with an explicit cipher suite list:

# ksslcfg create -f pem -i /etc/keys/my.pem -x 8080 -p /etc/keys/mypass -c "rsa_aes_256_cbc_sha,rsa_aes_128_cbc_sha,rsa_rc4_128_sha,rsa_rc4_128_md5" server 443

# svcs -a | grep kssl
online          9:03:33 svc:/network/ssl/proxy:kssl-server-443

# svcadm disable apache22
# echo "Listen 192.168.178.108:8080" >> /etc/apache2/2.2/httpd.conf
# svcadm enable apache22

Port number and IP address have to be defined in httpd.conf, otherwise it will not work: the kssl proxy terminates TLS on port 443 and hands the decrypted traffic to port 8080 on that address, so Apache has to listen exactly there. Two things to keep in mind: /etc/keys/mypass holds the key passphrase in clear text and must be readable by root only, and the 1024 bit key and the RC4 and MD5 based suites in the list are demo settings from 2009, not a cipher list to use today.
$ openssl s_client -connect server:443
CONNECTED(00000004)
depth=0 /C=DE/ST=Hamburg/L=Hamburg/CN=server
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=DE/ST=Hamburg/L=Hamburg/CN=server
verify return:1
---
Certificate chain
 0 s:/C=DE/ST=Hamburg/L=Hamburg/CN=server
   i:/C=DE/ST=Hamburg/L=Hamburg/CN=server
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICoTCCAgqgAwIBAgIJAKyJdj[...]V5jX3MU=
-----END CERTIFICATE-----
subject=/C=DE/ST=Hamburg/L=Hamburg/CN=server
issuer=/C=DE/ST=Hamburg/L=Hamburg/CN=server
---
No client certificate CA names sent
---
SSL handshake has read 817 bytes and written 328 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-SHA
    Session-ID: 32CEF20CB9FE2A71C74D40BB2DB5CB304DA1B57540B7CFDD113915B99DBE9812
    Session-ID-ctx:
    Master-Key: 1E7B502390951124779C5763B5E4BBAF0A9B0693D08DCA8A587B503A5C5027B6FAD9CA7626B1AD8C62219E8502A5C21E
    Key-Arg   : None
    Start Time: 1242985143
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
GET / HTTP/1.0

HTTP/1.1 200 OK
Date: Fri, 22 May 2009 09:39:13 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8a DAV/2
Last-Modified: Thu, 21 May 2009 21:26:30 GMT
ETag: "341f3-2c-46a72cc211a8f"
Accept-Ranges: bytes
Content-Length: 44
Connection: close
Content-Type: text/html

<html><body><h1>It works!</h1></body></html>
read:errno=0
ZFS Encryption

# zfs create -o encryption=on rpool/export/project

Two keys are involved: the wrapping key (user settable) and the data encryption key (random, not user settable, stored wrapped by the wrapping key). The wrapping key can come from a prompt, a file, an https URL or a PKCS#11 token (keysource property).

Supported ciphers: aes-128-ccm (= on), aes-192-ccm, aes-256-ccm, aes-128-gcm, aes-192-gcm, aes-256-gcm.

# zfs set checksum=sha256+mac <dataset>
When encryption is on, this happens automatically: the dataset uses the sha256+mac checksum and the checksum property is read-only from then on, so nobody can silently downgrade an encrypted dataset to an unauthenticated checksum.

Wrapping key in a PKCS#11 token:
# pktool genkey keystore=pkcs11 keytype=aes keylen=128 label=mykey
Enter PIN for Sun Software PKCS#11 softtoken :
# zfs create -o encryption=on -o keysource=raw,pkcs11:object=mykey tank/project/C
Enter PKCS#11 token PIN for 'tank/project/C':

Wrapping key fetched from an https server (its certificate has to be trusted by the system):
# zfs create -o encryption=on -o keysource=raw,https://keys.example.com/mykey tank/project/R
# cp myserver.cert.pem /etc/certs/CA
# svcadm refresh ca-certificates

Changing the wrapping key:
$ zfs key -c rpool/export/project
Enter new passphrase for 'rpool/export/project':

Changing the encryption key for data written from now on:
# zfs key -K tank/project/A
# zfs clone -K tank/project/A@montag tank/project/D

zfs key -K creates a new data encryption key; data written from now on uses it, data already on disk stays under the old key (which is kept). zfs clone -K gives the clone a new data encryption key, distinct from the one of its origin snapshot, so the clone can be handed to someone without sharing the key of the original.
Solaris Cryptographic Framework

As soon as Solaris detects hardware acceleration for cryptography, Solaris will use it (and so do applications using the Oracle-supplied OpenSSL library or the framework's direct interfaces):
- on-chip crypto accelerators in the T series and current M series chips
- instruction set extensions in Intel processors (AES-NI)
- supported crypto accelerator cards

cryptoadm list shows which providers (kernel software, hardware and user-level) are installed and enabled.

Just a side note: T-series crypto acceleration and Intel x86 acceleration have pretty different performance characteristics.
T series: acceleration by offloading crypto to units outside the pipeline.
Intel x86: acceleration by offering special in-pipeline instructions to speed up execution.
Sounds like splitting hairs.
Using ZFS to do two-factor encryption

The idea: the data lives on one USB stick, the key file that unlocks it lives on a second stick in a passphrase-protected dataset. You need the stick (something you have) and the passphrase (something you know).

jmoekamp@solaris:~$ rmformat
Looking for devices...
     1. Logical Node: /dev/rdsk/c10t0d0p0
        Physical Node: /pci@0,0/pci8086,265c@b/storage@2/disk@0,0
        Connected Device: SanDisk  U3 Cruzer Micro  8.02
        Device Type: Removable
        Bus: USB
        Size: 3.8 GB
        Label: <None>
        Access permissions: Medium is not write protected
     (...)
     3. Logical Node: /dev/rdsk/c9t0d0p0
        Physical Node: /pci@0,0/pci8086,265c@b/storage@1/disk@0,0
        Connected Device: SanDisk  U3 Cruzer Micro  8.02
        Device Type: Removable
        Bus: USB
        Size: 3.8 GB
        Label: <None>
        Access permissions: Medium is not write protected

root@solaris:~# zpool create a_keystore_usbstick /dev/dsk/c10t0d0p0
root@solaris:~# zpool create datastore /dev/dsk/c9t0d0p0

root@solaris:~# zfs create -o encryption=on a_keystore_usbstick/keys
Enter passphrase for 'a_keystore_usbstick/keys': supersecret
Enter again: supersecret

root@solaris:~# pktool genkey keystore=file keytype=aes keylen=128 outkey=/a_keystore_usbstick/keys/joergsdatastickkey

root@solaris:~# zfs create -o encryption=on -o keysource=raw,file:///a_keystore_usbstick/keys/joergsdatastickkey datastick/joergssecrets

root@solaris:/datastick/joergssecrets# mv /home/jmoekamp/highlyconfidential_nda_presos.tgz .

root@solaris:~# zpool export a_keystore_usbstick
root@solaris:~# zpool export datastick

root@solaris:~# zpool import a_keystore_usbstick
Enter passphrase for 'a_keystore_usbstick/keys': supersecret
root@solaris:~# zpool import datastick
root@solaris:~# cd /datastick/joergssecrets
root@solaris:/datastick/joergssecrets# ls
highconfidential_nda_presos.tgz

(The data pool is created as datastore and used as datastick on the slides; use one name.) Importing the key stick first matters: without the key file mounted, the import of the data pool succeeds but the encrypted dataset cannot be mounted.
Basic Auditing and Reporting Tool

# mkdir bart-files
# bart create -R /etc > bart-files/etc.control.manifest

# cat etc.control.manifest | grep nsswitch.nisplus
/nsswitch.nisplus F 2525 100644 user::rw-,group::r--,mask:r--,other:r-- 473976b5 0 3 79e8fd689a5221d1cd059e5077da71b8

Now change something:

# touch /etc/thisisjustatest
# chmod 777 /etc/nsswitch.files
# echo "just a test" >> /etc/nsswitch.nisplus

# bart create -R /etc > bart-files/etc.check.20130911.manifest

# cd bart-files
# bart compare etc.control.manifest etc.check.20130911.manifest
/nsswitch.files:
  mode  control:100644  test:100777
  acl  control:user::rw-,group::r--,mask:r--,other:r--  test:user::rwx,group::rwx,mask:rwx,other:rwx
/nsswitch.nisplus:
  size  control:2525  test:2538
  mtime  control:473976b5  test:47a44862
  contents  control:79e8fd689a5221d1cd059e5077da71b8  test:3f79176ec352441db11ec8a3d02ef67c
/thisisjustatest:
  add

The control manifest is only worth as much as its storage: keep it off the monitored host (or on read-only media), because an attacker who can edit the manifest can hide the changes.

Find more information regarding this feature at http://www.c0t0d0s0.org/archives/4069-Less-known-Solaris-features-BART.html
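To show what bart create and bart compare actually do, here is an added example in Python (not Oracle's bart(1M)): a miniature BART that records per file the attributes a manifest carries and reports the per-attribute differences, additions and deletions the way the compare output above does. run_demo() replays the slides' experiment (chmod 777, an appended line, a new file) on a constructed scratch copy of /etc; it records SHA-256 where BART records MD5.

```python
"""A miniature BART. Added example; this is not Oracle's bart(1M).

create_manifest() records what a BART manifest carries (type, size, mode,
owner, mtime, content digest); compare_manifests() reports per path which
attributes differ between a control and a test manifest, plus added and
deleted files. The demo tree is constructed here.
"""
import hashlib
import os
import stat
import tempfile


def create_manifest(root):
    """Walk `root` and return {"/relative/path": {attribute: value}}."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            rel = "/" + os.path.relpath(full, root).replace(os.sep, "/")
            entry = {
                "type": "D" if stat.S_ISDIR(st.st_mode) else "F",
                "size": st.st_size,
                "mode": "%o" % st.st_mode,          # full st_mode, like BART's 100644
                "uid": st.st_uid,
                "gid": st.st_gid,
                "mtime": "%x" % int(st.st_mtime),   # hex seconds, as BART prints it
            }
            if entry["type"] == "F":
                with open(full, "rb") as fh:
                    entry["contents"] = hashlib.sha256(fh.read()).hexdigest()
            manifest[rel] = entry
    return manifest


def compare_manifests(control, test):
    """Return {path: {attribute: (control_value, test_value)}}.

    Paths only in `test` get {"add": (None, type)}, paths only in `control`
    get {"delete": (type, None)}; unchanged paths are left out.
    """
    report = {}
    for path in sorted(set(control) | set(test)):
        if path not in control:
            report[path] = {"add": (None, test[path]["type"])}
        elif path not in test:
            report[path] = {"delete": (control[path]["type"], None)}
        else:
            diffs = {k: (control[path][k], test[path].get(k))
                     for k in control[path] if control[path][k] != test[path].get(k)}
            if diffs:
                report[path] = diffs
    return report


def format_report(report):
    """Render the comparison in the style of `bart compare` output."""
    lines = []
    for path, diffs in report.items():
        lines.append(path + ":")
        for attr, (c, t) in diffs.items():
            lines.append("  " + attr if attr in ("add", "delete")
                         else "  %s  control:%s  test:%s" % (attr, c, t))
    return "\n".join(lines)


def run_demo():
    """Replay the slides' experiment on a constructed copy of /etc; returns the report."""
    etc = tempfile.mkdtemp(prefix="etc.")
    files = os.path.join(etc, "nsswitch.files")
    nisplus = os.path.join(etc, "nsswitch.nisplus")
    for path in (files, nisplus):
        with open(path, "w") as fh:
            fh.write("passwd: files\n")
        os.chmod(path, 0o644)
    control = create_manifest(etc)           # bart create -R /etc > etc.control.manifest

    open(os.path.join(etc, "thisisjustatest"), "w").close()   # touch /etc/thisisjustatest
    os.chmod(files, 0o777)                                     # chmod 777 /etc/nsswitch.files
    with open(nisplus, "a") as fh:                             # echo "just a test" >> ...
        fh.write("just a test\n")
    check = create_manifest(etc)             # bart create -R /etc > etc.check.<date>.manifest
    return compare_manifests(control, check)


if __name__ == "__main__":
    print(format_report(run_demo()))
```

The digest is what catches an edit that keeps size and mtime intact (an attacker can set mtime back with touch -t), which is why a compare that reports only mtime and size is not enough.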
Apropos Auditing

Auditing is activated by default.

root@client:~# auditconfig -getflags
active user default audit flags = lo(0x1000,0x1000)
configured user default audit flags = lo(0x1000,0x1000)
root@client:~# auditconfig -getnaflags
active non-attributable audit flags = lo(0x1000,0x1000)
configured non-attributable audit flags = lo(0x1000,0x1000)

By default only the lo class (logins and logouts) is audited, for attributable and non-attributable events alike.

root@client:~# auditconfig -getpolicy
configured audit policies = cnt
active audit policies = cnt

Policy regarding auditing: which degree of detail goes into a record, and what happens when the disk is full?

root@client:~# auditconfig -lspolicy
policy string    description:
ahlt             halt machine if it can not record an async event
all              all policies
arge             include exec environment args in audit recs
argv             include exec command line args in audit recs
cnt              when no more space, drop recs and keep a cnt
group            include supplementary groups in audit recs
none             no policies
path             allow multiple paths per event
perzone          use a separate queue and auditd per zone
public           audit public files
seq              include a sequence number in audit recs
trail            include trailer token in audit recs
windata_down     include downgraded window information in audit recs
windata_up       include upgraded window information in audit recs
zonename         include zonename token in audit recs

With the default cnt policy the system keeps running and counts the records it had to drop; with ahlt it halts rather than lose an asynchronous event. Which one you want depends on whether availability or a complete trail is the higher priority.

root@client:~# auditconfig -getplugin
Plugin: audit_binfile (active)
        Attributes: p_dir=/var/audit;p_fsize=0;p_minfree=1;
Plugin: audit_syslog (inactive)
        Attributes: p_flags=;
Plugin: audit_remote (inactive)
        Attributes: p_hosts=;p_retries=3;p_timeout=5;

root@client:~# auditconfig -setflags lo,ps,fw
user default audit flags = ps,lo,fw(0x101002,0x101002)
root@client:~# auditconfig -setnaflags lo,na
non-attributable audit flags = lo,na(0x1400,0x1400)

lo and na are the only sensible flags for non-attributable events.

Per-user flags, in addition to the system default:
root@client:~# usermod -K audit_flags=fwas junior

root@client:~# auditconfig -lsevent | grep lo
AUE_login                6152 lo login - local
AUE_logout               6153 lo logout
AUE_telnet               6154 lo login - telnet
AUE_rlogin               6155 lo login - rlogin
AUE_rshd                 6158 lo rsh access
AUE_su                   6159 lo su
AUE_rexecd               6162 lo rexecd
AUE_passwd               6163 lo passwd
AUE_rexd                 6164 lo rexd
AUE_ftpd                 6165 lo ftp access
AUE_ftpd_logout          6171 lo ftp logout
AUE_ssh                  6172 lo login - ssh
AUE_role_login           6173 lo role login
AUE_rad_login            6174 lo connect to RAD
AUE_newgrp_login         6212 lo newgrp login
AUE_admin_authenticate   6213 lo admin login
AUE_screenlock           6221 lo screenlock - lock
AUE_screenunlock         6222 lo screenlock - unlock
AUE_zlogin               6227 lo login - zlogin
AUE_su_logout            6228 lo su logout
AUE_role_logout          6229 lo role logout
AUE_smbd_session         6244 lo smbd(1m) session setup
AUE_smbd_logoff          6245 lo smbd(1m) session logoff

root@client:~# auditconfig -lsevent | grep ps
AUE_EXIT                    1 ps exit(2)
AUE_FORKALL                 2 ps forkall(2)
AUE_VFORK                  25 ps vfork(2)
AUE_FORK1                 241 ps fork1(2)
root@client:~# auditconfig -lsevent | grep fw
AUE_OPEN_W                 76 fw open(2) - write

Reading the trail: auditreduce selects records (here: class ps from one audit file), praudit turns the binary records into text, one token per line.

# auditreduce -c ps /var/audit/20130912183630.not_terminated.client | praudit
header,139,2,execve(2),,client,2013-09-12 18:40:55.924 +00:00
path,/usr/sbin/auditreduce
attribute,100555,root,bin,65538,65875,18446744073709551615
subject,jmoekamp,root,root,root,root,2054,1440080956,2480 202240 192.168.10.1
return,success,0
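The praudit text format above is line-oriented and easy to post-process. As an added example (not Oracle code), the Python below parses praudit output into records and pulls out what a reviewer asks first: which events failed, and how many of each event there were. The sample is the execve(2) record from the slide followed by two constructed records for an ssh login failure and success by junior; those two are not on the page and only mirror the header/subject/return token layout.

```python
"""Parse praudit(1M) text output into records. Added example, not Oracle code.

praudit prints one token per line; a record starts with a header token and
ends with its return token (plus a trailer token if the trail policy is set).
"""
# The slide's record plus two constructed ssh login records (not on the page).
SAMPLE = """header,139,2,execve(2),,client,2013-09-12 18:40:55.924 +00:00
path,/usr/sbin/auditreduce
attribute,100555,root,bin,65538,65875,18446744073709551615
subject,jmoekamp,root,root,root,root,2054,1440080956,2480 202240 192.168.10.1
return,success,0
header,95,2,login - ssh,,client,2013-09-12 18:42:03.118 +00:00
subject,junior,junior,staff,junior,staff,2101,2101,0 0 192.168.10.1
return,failure: Permission denied,-1
header,95,2,login - ssh,,client,2013-09-12 18:42:20.501 +00:00
subject,junior,junior,staff,junior,staff,2105,2105,0 0 192.168.10.1
return,success,0
"""


def parse_praudit(text):
    """Split praudit text into records, one dict per header token."""
    records = []
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        token, _, rest = line.partition(",")
        fields = rest.split(",")
        if token == "header":
            # header,<length>,<version>,<event>,<modifier>,<host>,<timestamp>
            current = {"event": fields[2], "host": fields[4], "time": fields[5],
                       "paths": [], "audit_user": None, "uid": None, "pid": None,
                       "status": None, "retval": None}
            records.append(current)
        elif current is None:
            continue                        # stray tokens before the first header
        elif token == "path":
            current["paths"].append(rest)
        elif token == "subject":
            # subject,<audit-user>,<uid>,<gid>,<ruid>,<rgid>,<pid>,<sid>,<terminal id>
            current["audit_user"], current["uid"] = fields[0], fields[1]
            current["pid"] = int(fields[5])
        elif token == "return":
            # return,success|failure: <reason>,<value>
            current["status"] = fields[0].split(":", 1)[0]
            current["retval"] = fields[-1]
    return records


def failed_events(records):
    """Records whose return token reports failure, e.g. rejected logins."""
    return [r for r in records if r["status"] == "failure"]


def count_by_event(records):
    """{(event, status): n} summary of a trail."""
    counts = {}
    for r in records:
        key = (r["event"], r["status"])
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    recs = parse_praudit(SAMPLE)
    for r in failed_events(recs):
        print("%s %s by audit user %s from %s" % (r["time"], r["event"], r["audit_user"], r["host"]))
    print(count_by_event(recs))
```

Note that the audit user (the first subject field) is the account that logged in, independent of later su; that is the field to pivot on when an action was taken as root.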
root@client:~# auditconfig -setflags all
user default audit flags = all(0xffffffffffffffff,0xffffffffffffffff)

Not always (in the sense of: never) a good idea on a production system. Useful after trying things out: start a new audit file.
root@client:~# audit -n

root@client:~# auditstat
  gen  nona  kern   aud  ctl    enq   wrtn  wblk  rblk  drop   tot  mem
38248     1 38233    14    0  37791  37788     0  3491   457  5169    0

all activated for a few seconds on an unloaded system. Note the drop column: with the cnt policy, 457 records were silently dropped in those few seconds.
SSH and X509

root@ca:~# CA.pl -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
.....++++++
......++++++
writing new private key to '/etc/openssl/private/cakey.pem'
Enter PEM pass phrase: supersecret1
Verifying - Enter PEM pass phrase: supersecret1
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:DE
State or Province Name (full name) []:Lower Saxony
Locality Name (eg, city) []:Lueneburg
Organization Name (eg, company) []:c0t0d0s0.org
Organizational Unit Name (eg, section) []:Security Department
Common Name (eg, server FQDN or YOUR name) []:CA
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/open/ssl/openssl.cnf
Enter pass phrase for /etc/openssl/private/cakey.pem: supersecret1
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            b3:54:80:88:66:ad:e8:78
        Validity
            Not Before: Sep 26 10:11:09 2013 GMT
            Not After : Sep 25 10:11:09 2016 GMT
        Subject:
            countryName               = DE
            stateOrProvinceName       = Lower Saxony
            organizationName          = c0t0d0s0.org
            organizationalUnitName    = Security Department
            commonName                = CA
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44
            X509v3 Authority Key Identifier:
                keyid:5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44
            X509v3 Basic Constraints:
                CA:TRUE
Certificate is to be certified until Sep 25 10:11:09 2016 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated
The server certificate request:

root@ca:~# mkdir server
root@ca:~# cd server
root@ca:~/server# CA.pl -newreq
Generating a 1024 bit RSA private key
.....++++++
......++++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase: supersecret2
Verifying - Enter PEM pass phrase: supersecret2
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:DE
State or Province Name (full name) []:Lower Saxony
Locality Name (eg, city) []:Lueneburg
Organization Name (eg, company) []:c0t0d0s0.org
Organizational Unit Name (eg, section) []:Server Certificates
Common Name (eg, server FQDN or YOUR name) []:server
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem

Signing it with the CA:

root@ca:~/server# CA.pl -signreq
Using configuration from /etc/openssl/openssl.cnf
Enter pass phrase for /etc/openssl/private/cakey.pem: supersecret1
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            b3:54:80:88:66:ad:e8:79
        Validity
            Not Before: Sep 26 10:29:12 2013 GMT
            Not After : Sep 26 10:29:12 2014 GMT
        Subject:
            countryName               = DE
            stateOrProvinceName       = Lower Saxony
            localityName              = Lueneburg
            organizationName          = c0t0d0s0.org
            organizationalUnitName    = Server Certificates
            commonName                = server
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                A7:DC:03:DE:B3:D5:FB:F9:C0:06:F1:1A:55:A9:AD:04:C4:9C:10:FA
            X509v3 Authority Key Identifier:
                keyid:5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44

Certificate is to be certified until Sep 26 10:29:12 2014 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
root@ca:~/server# ls -l
total 15
-rw-r--r--   1 root     root        3196 Sep 26 12:29 newcert.pem
-rw-r--r--   1 root     root        1041 Sep 26 12:28 newkey.pem
-rw-r--r--   1 root     root         680 Sep 26 12:28 newreq.pem

Note the mode of newkey.pem: CA.pl writes the private key world-readable. The passphrase protects it for the moment, but the file should be chmod 600 before it travels anywhere.

The user certificate for junior, the same way:

root@ca:~/junior# CA.pl -newreq
Generating a 1024 bit RSA private key
.....++++++
......++++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
Verify failure
Enter PEM pass phrase: supersecret3
Verifying - Enter PEM pass phrase: supersecret3
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:DE
State or Province Name (full name) []:Lower Saxony
Locality Name (eg, city) []:Lueneburg
Organization Name (eg, company) []:c0t0d0s0.org
Organizational Unit Name (eg, section) []:User certificates
Common Name (eg, server FQDN or YOUR name) []:junior
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem

root@ca:~/junior# CA.pl -signreq
Using configuration from /etc/openssl/openssl.cnf
Enter pass phrase for /etc/openssl/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            b3:54:80:88:66:ad:e8:7a
        Validity
            Not Before: Sep 26 11:09:29 2013 GMT
            Not After : Sep 26 11:09:29 2014 GMT
        Subject:
            countryName               = DE
            stateOrProvinceName       = Lower Saxony
            localityName              = Lueneburg
            organizationName          = c0t0d0s0.org
            organizationalUnitName    = User certificates
            commonName                = junior
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                A1:F2:FC:9D:8A:E2:AD:9A:F5:29:03:F5:B7:14:93:3C:64:62:8E:9C
            X509v3 Authority Key Identifier:
                keyid:5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44

Certificate is to be certified until Sep 26 11:09:29 2014 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem

The commonName is what the KMF policy below maps to a login name (mapper-name=cn), so it has to be the Unix user name on the target system.
root@server:~# useradd -m junior
80 blocks
root@server:~# passwd junior
New Password:
Re-enter new Password:
passwd: password successfully changed for junior

root@client:~# useradd -m junior
80 blocks
root@client:~# passwd junior
New Password:
Re-enter new Password:
passwd: password successfully changed for junior

root@server:~# echo "192.168.10.51 server" >> /etc/hosts
root@server:~# echo "192.168.10.52 client" >> /etc/hosts

root@client:~# echo "192.168.10.51 server" >> /etc/hosts
root@client:~# echo "192.168.10.52 client" >> /etc/hosts

Distributing the certificates and keys:

root@ca:~/server# scp /etc/openssl/cacert.pem jmoekamp@192.168.1.109:/export/home/jmoekamp
Password:
cacert.pem           100% |*****************************|  3011       00:00
root@ca:~/server# scp newcert.pem jmoekamp@192.168.1.109:/export/home/jmoekamp
Password:
newcert.pem          100% |*****************************|  3196       00:00
root@ca:~/server# scp newkey.pem jmoekamp@192.168.1.109:/export/home/jmoekamp
Password:
newkey.pem           100% |*****************************|  1041       00:00

root@ca:~/junior# scp newkey.pem junior@client:/export/home/junior
Password:
newkey.pem           100% |*****************************|  1041       00:00
root@ca:~/junior# scp newcert.pem junior@client:/export/home/junior
Password:
newcert.pem          100% |*****************************|  3190       00:00
root@ca:~/junior# scp /etc/openssl/cacert.pem junior@192.168.1.104:/export/home/junior
Password:
cacert.pem           100% |*****************************|  3011       00:00
On the Server

root@server:~# ls
cacert.pem  newcert.pem  newkey.pem

Set a PIN on the PKCS#11 softtoken (the default is changeme):

root@server:~# pktool setpin
Enter token passphrase: changeme
Create new passphrase: superserversecret
Re-enter new passphrase: superserversecret
Passphrase changed.

sshd needs the PIN to open the token at start, so it is stored in a file:

root@server:~# printf "superserversecret" > /etc/ssh/pinfile

This file holds the PIN in clear text; it must be readable by root only (mode 0600), because whoever reads it can use the host key.

Create a KMF policy that takes the trust anchor from a search of the keystore and maps the certificate's cn to a user name:

root@server:~# kmfcfg create dbfile=/etc/ssh/policy.xml policy=ssh ta-name=search mapper-name=cn

root@server:~# echo "TrustedAnchorKeystore /etc/ssh/cert" >> /etc/ssh/sshd_config
root@server:~# echo "KMFPolicyDatabase /etc/ssh/policy.xml" >> /etc/ssh/sshd_config
root@server:~# echo "KMFPolicyName ssh" >> /etc/ssh/sshd_config
root@server:~# echo "HostKey pkcs11:object=host;token=Sun Metaslot;pinfile=/etc/ssh/pinfile" >> /etc/ssh/sshd_config

Import the host key into the token:

root@server:~# pktool import keystore=pkcs11 infile=newkey.pem objtype=key label=host
Enter PIN for Sun Software PKCS#11 softtoken : superserversecret
Enter PEM pass phrase: supersecret2
Importing 1 keys

CA.pl writes a human-readable dump of the certificate in front of the PEM block; the egrep keeps only the PEM part, which is what pktool and the trust anchor directory expect:

root@server:~# egrep -v '^ |^$|^Cert' /export/home/jmoekamp/cacert.pem > /etc/ssh/cert/cacert.cooked.pem
root@server:~# egrep -v '^ |^$|^Cert' newcert.pem > newcert.cooked.pem
root@server:~# pktool import keystore=pkcs11 infile=newcert.cooked.pem objtype=cert label=host
On the client

junior@client:~$ ls *.pem
cacert.pem  newcert.pem  newkey.pem

root@client:~# kmfcfg create dbfile=/etc/ssh/policy.xml policy=ssh ta-name=search mapper-name=cn
root@client:~# egrep -v '^ |^$|^Cert' /export/home/junior/cacert.pem > /etc/ssh/cert/cacert.cooked.pem

The user's key and certificate go into the user's own softtoken:

junior@client:~$ pktool setpin
Enter token passphrase: changeme
Create new passphrase: superusersecret
Re-enter new passphrase: superusersecret
Passphrase changed.

junior@client:~$ pktool import keystore=pkcs11 infile=newkey.pem objtype=key label=user
Enter PIN for Sun Software PKCS#11 softtoken : superusersecret
Enter PEM pass phrase: supersecret3
Importing 1 keys
junior@client:~$ egrep -v '^ |^$|^Cert' newcert.pem > newcert.cooked.pem
junior@client:~$ pktool import keystore=pkcs11 infile=newcert.cooked.pem objtype=cert label=user
Testing it

root@server:~# svcadm disable ssh
root@server:~# svcadm enable ssh

junior@client:~$ cd .ssh
junior@client:~/.ssh$ printf "superusersecret" >> pinfile
junior@client:~/.ssh$ cat config
Host server-x509
    Hostname server
    TrustedAnchorKeystore /etc/ssh/cert
    KMFPolicyDatabase /etc/ssh/policy.xml
    KMFPolicyName ssh
    IdentityFile pkcs11:object=user;token=Sun Software PKCS#11 softtoken;pinfile=/export/home/junior/.ssh/pinfile

junior@client:~/.ssh$ ssh junior@server-x509
Last login: Thu Sep 26 20:07:14 2013 from client
Oracle Corporation      SunOS 5.11      11.1    September 2013
junior@server:~$

The host is authenticated by a certificate chained to the CA in /etc/ssh/cert, so there is no known_hosts prompt, and the user is authenticated by the certificate in the softtoken whose cn maps to the login name. The same caveat as on the server applies to ~/.ssh/pinfile: it holds the token PIN in clear text and must not be readable by anyone else.

Find more information regarding this feature at http://www.c0t0d0s0.org/archives/7659-Using-X509-support-for-SSH-on-Solaris-11.1.html
OpenSCAP
c0t0d0s0org161
bdquoThe Security Content Automation Protocol (SCAP) is a method for using specific standards to enable automated vulnerability management measurement and policy compliance evaluation (eg FISMA compliance) The National Vulnerability Database(NVD) is the US government content repository for SCAPldquo
httpenwikipediaorgwikiSecurity_Content_Automation_Protocol
c0t0d0s0org162
ftp-banner.xml
<?xml version="1.0" encoding="UTF-8"?>
<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:independent-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd">
  <generator>
    <oval:product_name>Enhanced SCAP Editor</oval:product_name>
    <oval:product_version>0.0.11</oval:product_version>
    <oval:schema_version>5.8</oval:schema_version>
    <oval:timestamp>2012-10-11T10:33:25</oval:timestamp>
  </generator>
  <!--generated.oval.base.identifier=com.oracle.solaris11-->
  <definitions>
    <definition id="oval:com.oracle.solaris11:def:840" version="1" class="compliance">
      <metadata>
        <title>Enable a Warning Banner for the FTP Service</title>
        <affected family="unix">
          <platform>Oracle Solaris 11</platform>
        </affected>
        <description>/etc/proftpd.conf contains DisplayConnect /etc/issue</description>
      </metadata>
      <criteria operator="AND" negate="false" comment="Single test">
        <criterion comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;" test_ref="oval:com.oracle.solaris11:tst:8400" negate="false"/>
      </criteria>
    </definition>
  </definitions>
  <tests>
    <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:com.oracle.solaris11:tst:8400" version="1" check="all" comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;" check_existence="all_exist">
      <object object_ref="oval:com.oracle.solaris11:obj:8400"/>
    </textfilecontent54_test>
  </tests>
  <objects>
    <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:com.oracle.solaris11:obj:8400" version="1" comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;">
      <path datatype="string" operation="equals">/etc</path>
      <filename datatype="string" operation="equals">proftpd.conf</filename>
      <pattern datatype="string" operation="pattern match">^DisplayConnect\s/etc/issue\s*$</pattern>
      <instance datatype="int" operation="greater than or equal">1</instance>
    </textfilecontent54_object>
  </objects>
</oval_definitions>
<textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:com.oracle.solaris11:obj:8400" version="1" comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;">
  <path datatype="string" operation="equals">/etc</path>
  <filename datatype="string" operation="equals">proftpd.conf</filename>
  <pattern datatype="string" operation="pattern match">^DisplayConnect\s/etc/issue\s*$</pattern>
  <instance datatype="int" operation="greater than or equal">1</instance>
</textfilecontent54_object>
$ oscap oval eval ftp-banner.xml
Definition oval:com.oracle.solaris11:def:840: false
Evaluation done.

$ oscap oval eval --results results.xml --report report.html ftp-banner.xml
Definition oval:com.oracle.solaris11:def:840: false
Evaluation done.
OVAL Results are exported correctly.
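What oscap actually does with the definition above, as an added example (not part of the original slides or of OpenSCAP): it resolves the criterion to its test, the test to its textfilecontent54_object, and then counts pattern matches in the named file. The constructed copy of ftp-banner.xml below is reduced to the parts the evaluation needs, the target file system is a dict of path to content, and only the "pattern match" operation used on the slide is implemented.

```python
"""Evaluate an OVAL textfilecontent54 definition the way `oscap oval eval` does,
against an in-memory stand-in for the target file system."""
import re
import xml.etree.ElementTree as ET

# Namespaces used by the OVAL document on the slide.
NS = {
    "def": "http://oval.mitre.org/XMLSchema/oval-definitions-5",
    "ind": "http://oval.mitre.org/XMLSchema/oval-definitions-5#independent",
}

# Constructed copy of ftp-banner.xml reduced to the parts the evaluation needs
# (the <generator> block and the comment attributes are left out).
FTP_BANNER_XML = r"""<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
  <definitions>
    <definition id="oval:com.oracle.solaris11:def:840" version="1" class="compliance">
      <criteria operator="AND" negate="false">
        <criterion test_ref="oval:com.oracle.solaris11:tst:8400" negate="false"/>
      </criteria>
    </definition>
  </definitions>
  <tests>
    <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"
        id="oval:com.oracle.solaris11:tst:8400" version="1" check="all" check_existence="all_exist">
      <object object_ref="oval:com.oracle.solaris11:obj:8400"/>
    </textfilecontent54_test>
  </tests>
  <objects>
    <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"
        id="oval:com.oracle.solaris11:obj:8400" version="1">
      <path datatype="string" operation="equals">/etc</path>
      <filename datatype="string" operation="equals">proftpd.conf</filename>
      <pattern datatype="string" operation="pattern match">^DisplayConnect\s/etc/issue\s*$</pattern>
      <instance datatype="int" operation="greater than or equal">1</instance>
    </textfilecontent54_object>
  </objects>
</oval_definitions>
"""


def eval_textfilecontent54(test, objects, files):
    """True when the referenced object exists and the pattern matches at least
    `instance` times. `files` maps absolute path -> file text."""
    obj = objects[test.find("ind:object", NS).get("object_ref")]
    path = obj.find("ind:path", NS).text
    filename = obj.find("ind:filename", NS).text
    pattern_el = obj.find("ind:pattern", NS)
    if pattern_el.get("operation") != "pattern match":
        raise NotImplementedError(pattern_el.get("operation"))
    pattern = re.compile(pattern_el.text, re.MULTILINE)
    min_instances = int(obj.find("ind:instance", NS).text)
    content = files.get(path.rstrip("/") + "/" + filename)
    if content is None:
        # Missing file: with check_existence="all_exist" the test cannot pass.
        return False
    matches = sum(1 for _ in pattern.finditer(content))
    return matches >= min_instances


def eval_criteria(criteria, tests, objects, files):
    """AND/OR over child criterion/criteria elements, honouring negate."""
    values = []
    for child in criteria:
        tag = child.tag.rsplit("}", 1)[-1]
        if tag == "criterion":
            value = eval_textfilecontent54(tests[child.get("test_ref")], objects, files)
            if child.get("negate", "false") == "true":
                value = not value
        else:  # nested <criteria>; its own negate is applied in the recursive call
            value = eval_criteria(child, tests, objects, files)
        values.append(value)
    result = all(values) if criteria.get("operator", "AND") == "AND" else any(values)
    if criteria.get("negate", "false") == "true":
        result = not result
    return result


def evaluate_definitions(oval_xml, files):
    """Return {definition id: True/False}, mirroring the `oscap oval eval` output lines."""
    root = ET.fromstring(oval_xml)
    tests = {t.get("id"): t for t in root.find("def:tests", NS)}
    objects = {o.get("id"): o for o in root.find("def:objects", NS)}
    return {
        d.get("id"): eval_criteria(d.find("def:criteria", NS), tests, objects, files)
        for d in root.find("def:definitions", NS)
    }


if __name__ == "__main__":
    # Constructed proftpd.conf contents: one without and one with the banner directive.
    for name, conf in [("no banner", "ServerName ftp\n"),
                       ("banner set", "ServerName ftp\nDisplayConnect /etc/issue\n")]:
        for def_id, ok in evaluate_definitions(FTP_BANNER_XML, {"/etc/proftpd.conf": conf}).items():
            print(f"{name}: Definition {def_id}: {str(ok).lower()}")
```

The "false" on the slide is what you get when /etc/proftpd.conf has no DisplayConnect line at all; a missing file gives the same verdict because the test requires the object to exist.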
To create your own OVAL files: Enhanced SCAP Content Editor
Find more information regarding this feature at https://blogs.oracle.com/darren/entry/compliance_reporting_with_scap
Address Space Layout Randomization
root@solaris:~# sxadm exec -s aslr=disable /usr/bin/pmap self
1914:   /usr/bin/pmap self
1914:   /usr/bin/pmap self
0000000000400000         28K r-x--  /usr/bin/pmap
0000000000417000          4K rw---  /usr/bin/pmap
0000000000418000         40K rw---    [ heap ]
FFFF80FFBDDD0000        216K r-x--  /lib/amd64/libproc.so.1
FFFF80FFBDE16000          8K rw---  /lib/amd64/libproc.so.1
FFFF80FFBF430000       1764K r-x--  /lib/amd64/libc.so.1
FFFF80FFBF5F9000         64K rw---  /lib/amd64/libc.so.1
FFFF80FFBF609000         12K rw---  /lib/amd64/libc.so.1
FFFF80FFBF740000          4K rw---    [ anon ]
FFFF80FFBF750000         24K rwx--    [ anon ]
FFFF80FFBF760000          4K rw---    [ anon ]
FFFF80FFBF770000          4K rw---    [ anon ]
FFFF80FFBF780000          4K rw---    [ anon ]
FFFF80FFBF790000          4K rw---    [ anon ]
FFFF80FFBF792000          4K r--s-    [ anon ]
FFFF80FFBF795000        340K r-x--  /lib/amd64/ld.so.1
FFFF80FFBF7FA000         12K rwx--  /lib/amd64/ld.so.1
FFFF80FFBF7FD000          8K rwx--  /lib/amd64/ld.so.1
FFFF80FFBFFFD000         12K rw---    [ stack ]
 total                 2556K

root@solaris:~# sxadm exec -s aslr=disable /usr/bin/pmap self
1915:   /usr/bin/pmap self
1915:   /usr/bin/pmap self
0000000000400000         28K r-x--  /usr/bin/pmap
0000000000417000          4K rw---  /usr/bin/pmap
0000000000418000         40K rw---    [ heap ]
FFFF80FFBDDD0000        216K r-x--  /lib/amd64/libproc.so.1
FFFF80FFBDE16000          8K rw---  /lib/amd64/libproc.so.1
FFFF80FFBF430000       1764K r-x--  /lib/amd64/libc.so.1
FFFF80FFBF5F9000         64K rw---  /lib/amd64/libc.so.1
FFFF80FFBF609000         12K rw---  /lib/amd64/libc.so.1
FFFF80FFBF740000          4K rw---    [ anon ]
FFFF80FFBF750000         24K rwx--    [ anon ]
FFFF80FFBF760000          4K rw---    [ anon ]
FFFF80FFBF770000          4K rw---    [ anon ]
FFFF80FFBF780000          4K rw---    [ anon ]
FFFF80FFBF790000          4K rw---    [ anon ]
FFFF80FFBF792000          4K r--s-    [ anon ]
FFFF80FFBF795000        340K r-x--  /lib/amd64/ld.so.1
FFFF80FFBF7FA000         12K rwx--  /lib/amd64/ld.so.1
FFFF80FFBF7FD000          8K rwx--  /lib/amd64/ld.so.1
FFFF80FFBFFFD000         12K rw---    [ stack ]
 total                 2556K

root@solaris:~# sxadm exec -s aslr=enable /usr/bin/pmap self
1917:   /usr/bin/pmap self
1917:   /usr/bin/pmap self
0000000000400000         28K r-x--  /usr/bin/pmap
0000000000417000          4K rw---  /usr/bin/pmap
0000000000418000          8K rw---  /usr/bin/pmap
00000005D6666000         36K rw---    [ heap ]
00007FF669C70000        216K r-x--  /lib/amd64/libproc.so.1
00007FF669CB6000          8K rw---  /lib/amd64/libproc.so.1
00007FF669CC0000          4K rw---    [ anon ]
00007FF669CD0000         24K rwx--    [ anon ]
00007FF669CE0000          4K rw---    [ anon ]
00007FF669CF0000       1764K r-x--  /lib/amd64/libc.so.1
00007FF669EB9000         64K rw---  /lib/amd64/libc.so.1
00007FF669EC9000         12K rw---  /lib/amd64/libc.so.1
00007FF669ED0000          4K rw---    [ anon ]
00007FF669EE0000          4K rw---    [ anon ]
00007FF669EF0000          4K rw---    [ anon ]
00007FF669EF2000          4K r--s-    [ anon ]
00007FF669EFC000        340K r-x--  /lib/amd64/ld.so.1
00007FF669F61000         12K rwx--  /lib/amd64/ld.so.1
00007FF669F64000          8K rwx--  /lib/amd64/ld.so.1
FFFF80DDA254F000         16K rw---    [ stack ]
 total                 2564K

root@solaris:~# sxadm exec -s aslr=enable /usr/bin/pmap self
1918:   /usr/bin/pmap self
1918:   /usr/bin/pmap self
0000000000400000         28K r-x--  /usr/bin/pmap
0000000000417000          4K rw---  /usr/bin/pmap
0000000000418000          8K rw---  /usr/bin/pmap
000000065B76D000         36K rw---    [ heap ]
00007FFAACFC0000        216K r-x--  /lib/amd64/libproc.so.1
00007FFAAD006000          8K rw---  /lib/amd64/libproc.so.1
00007FFAAD010000          4K rw---    [ anon ]
00007FFAAD020000         24K rwx--    [ anon ]
00007FFAAD030000          4K rw---    [ anon ]
00007FFAAD040000       1764K r-x--  /lib/amd64/libc.so.1
00007FFAAD209000         64K rw---  /lib/amd64/libc.so.1
00007FFAAD219000         12K rw---  /lib/amd64/libc.so.1
00007FFAAD220000          4K rw---    [ anon ]
00007FFAAD230000          4K rw---    [ anon ]
00007FFAAD240000          4K rw---    [ anon ]
00007FFAAD242000          4K r--s-    [ anon ]
00007FFAAD24D000        340K r-x--  /lib/amd64/ld.so.1
00007FFAAD2B2000         12K rwx--  /lib/amd64/ld.so.1
00007FFAAD2B5000          8K rwx--  /lib/amd64/ld.so.1
FFFF80DE1559E000         12K rw---    [ stack ]
root@solaris:~# sxadm info
EXTENSION           STATUS                         CONFIGURATION
aslr                enabled (tagged-files)         system default (default)
root@solaris:~# elfdump -d /usr/bin/pmap | grep ASLR
      [33]  SUNW_ASLR         0x2               ENABLE
root@solaris:~# elfedit -e 'dyn:sunw_aslr disable' /usr/bin/pmap
root@solaris:~# elfdump -d /usr/bin/pmap | grep ASLR
      [33]  SUNW_ASLR         0x1               DISABLE
root@solaris:~# sxadm enable -c model=all aslr
root@solaris:~# sxadm info
EXTENSION           STATUS                         CONFIGURATION
aslr                enabled (all)                  enabled (all)

root@solaris:~# sxadm disable aslr
root@solaris:~# sxadm info
EXTENSION           STATUS                         CONFIGURATION
aslr                disabled                       disabled

root@solaris:~# sxadm enable -c model=tagged-files aslr
root@solaris:~# sxadm info
EXTENSION           STATUS                         CONFIGURATION
aslr                enabled (tagged-files)         enabled (tagged-files)
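The visual check on the pmap slides (identical addresses with aslr=disable, moving heap, libraries and stack with aslr=enable) can be automated. The following is an added example, not code from the slides or from Solaris: it parses two pmap listings of the same program and reports which segments changed address. The embedded listings are constructed excerpts of the outputs shown above; the library names and the segment labels "[ heap ]" and "[ stack ]" are taken from those listings.

```python
"""Check whether ASLR actually moved a process's mappings by diffing two
pmap(1) listings of the same program, as on the sxadm/pmap slides above."""
import re

# Constructed excerpts of the pmap output from two aslr=enable runs (pids 1917 and 1918).
PMAP_ASLR_RUN1 = """\
0000000000400000         28K r-x--  /usr/bin/pmap
0000000000418000          8K rw---  /usr/bin/pmap
00000005D6666000         36K rw---    [ heap ]
00007FF669CF0000       1764K r-x--  /lib/amd64/libc.so.1
00007FF669EFC000        340K r-x--  /lib/amd64/ld.so.1
FFFF80DDA254F000         16K rw---    [ stack ]
"""
PMAP_ASLR_RUN2 = """\
0000000000400000         28K r-x--  /usr/bin/pmap
0000000000418000          8K rw---  /usr/bin/pmap
000000065B76D000         36K rw---    [ heap ]
00007FFAAD040000       1764K r-x--  /lib/amd64/libc.so.1
00007FFAAD24D000        340K r-x--  /lib/amd64/ld.so.1
FFFF80DE1559E000         12K rw---    [ stack ]
"""
# With aslr=disable both runs (pids 1914 and 1915) produced identical listings.
PMAP_NO_ASLR = """\
0000000000400000         28K r-x--  /usr/bin/pmap
0000000000418000         40K rw---    [ heap ]
FFFF80FFBF430000       1764K r-x--  /lib/amd64/libc.so.1
FFFF80FFBF795000        340K r-x--  /lib/amd64/ld.so.1
FFFF80FFBFFFD000         12K rw---    [ stack ]
"""

LINE_RE = re.compile(r"^([0-9A-Fa-f]+)\s+(\d+)K\s+([rwxs-]{5})\s+(.+?)\s*$", re.MULTILINE)


def parse_pmap(text):
    """Parse pmap lines into (start address, size in KiB, permissions, name)."""
    return [(int(addr, 16), int(size), perms, name)
            for addr, size, perms, name in LINE_RE.findall(text)]


def mapping_addresses(text):
    """Key each mapping by (name, perms, n-th occurrence) so the same segment can be
    matched across runs even though its address differs."""
    seen, keyed = {}, {}
    for addr, _size, perms, name in parse_pmap(text):
        n = seen.get((name, perms), 0)
        seen[(name, perms)] = n + 1
        keyed[(name, perms, n)] = addr
    return keyed


def moved_mappings(run_a, run_b):
    """Names of segments present in both runs whose start address changed."""
    a, b = mapping_addresses(run_a), mapping_addresses(run_b)
    return sorted({key[0] for key in a.keys() & b.keys() if a[key] != b[key]})


def aslr_in_effect(run_a, run_b):
    """Randomisation is judged effective only if heap, stack and at least one shared
    library all moved. The program text at 0x400000 stayed put on the slides, so it
    is deliberately not required to move."""
    moved = set(moved_mappings(run_a, run_b))
    return ("[ heap ]" in moved and "[ stack ]" in moved
            and any(n.endswith(".so.1") for n in moved))


if __name__ == "__main__":
    print("aslr=enable  moved:", moved_mappings(PMAP_ASLR_RUN1, PMAP_ASLR_RUN2))
    print("aslr=disable moved:", moved_mappings(PMAP_NO_ASLR, PMAP_NO_ASLR))
```

On a live system the two inputs would be the output of two consecutive `pmap self` runs; a process started under `sxadm exec -s aslr=disable` must report no moved segments at all.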
pfedit
root@template:/etc/apache2/2.2# profiles -p "httpd edit"
profiles:httpd edit> set auths=solaris.admin.edit/etc/apache2/2.2/httpd.conf
profiles:httpd edit> set desc="Edit httpd"
profiles:httpd edit> exit
root@template:/etc/apache2/2.2# usermod -P +"httpd edit" junior
junior@template:~$ profiles
        httpd edit
        Basic Solaris User
        All
junior@template:~$ vi /etc/apache2/2.2/httpd.conf
junior@template:~$ pfedit /etc/apache2/2.2/httpd.conf
pfedit: /etc/apache2/2.2/httpd.conf has been updated.
junior@template:~$ pfedit /etc/apache2/2.2/mime.types
pfedit: User junior is not authorized to edit the file /etc/apache2/2.2/mime.types
root@template:/etc/apache2/2.2# profiles -p "httpd edit"
profiles:httpd edit> info
        name=httpd edit
        desc=Edit httpd
        auths=solaris.admin.edit/etc/apache2/2.2/httpd.conf
profiles:httpd edit> add auths=solaris.admin.edit/etc/apache2/2.2/mime.types
junior@template:~$ pfedit /etc/apache2/2.2/mime.types
pfedit: no changes for /etc/apache2/2.2/mime.types
# profiles -p "httpd configure"
profiles:httpd configure> add always_audit=as
profiles:httpd configure> info
        name=httpd configure
        desc=Configure httpd
        auths=solaris.admin.edit/etc/apache2/2.2/httpd.conf,solaris.admin.edit/etc/apache2/2.2/mime.types
        always_audit=as
        never_audit=no
profiles:httpd configure> exit
root@template:~#
root@template:~# auditreduce -c as | praudit
[...]
header,486,2,edit administrative file,fe80::a00:27ff:fea6:33cb,2013-08-12 07:45:52.306 +00:00
subject,junior,junior,staff,junior,staff,4212,447467166,369 136704 MacBook-Pro-of-c0t0d0s0.fritz.box
path,/etc/apache2/2.2/httpd.conf
use of authorization,solaris.admin.edit/etc/apache2/2.2/httpd.conf
text,--- /etc/apache2/2.2/httpd.conf  Mo Aug 12 07:45:00 2013
+++ /etc/apache2/2.2/httpd.conf.pfedit.1BaGoi  Mo Aug 12 07:45:52 2013
@@ -1,5 +1,6 @@
 # Test
 # Test 2
+# Test 3
 # This is the main Apache HTTP server configuration file.  It contains the
 # configuration directives that give the server its instructions.
return,success,0
Delegating the privilege to restart services (so you can keep the root password to yourself)
junior@template:~$ svcadm refresh apache22
svcadm: svc:/network/http:apache22: Permission denied.
# svcs -a | grep apache22
online         15:30:29 svc:/network/http:apache22
# auths add -t "Apache22 value" solaris.smf.value.http.apache22
# auths add -t "Apache22 action" solaris.smf.action.http.apache22
# svccfg -s apache22 setprop general/value_authorization = astring: solaris.smf.value.http.apache22
# svccfg -s apache22 setprop general/action_authorization = astring: solaris.smf.action.http.apache22
# profiles -p "httpd edit" 'add auths=solaris.smf.action.http.apache22'
junior@template:~$ svcadm refresh apache22
junior@template:~$
Privileges
$ ls -l /usr/sbin/traceroute
-r-sr-xr-x   1 root     bin        42324 Nov 21 00:09 /usr/sbin/traceroute
$ ls -l /usr/sbin/ping
-r-sr-xr-x   1 root     bin        51396 Nov 18 19:31 /usr/sbin/ping
Set-uid to root: ping needs it to work.
# chmod -s /sbin/ping
# exit
$ ping -s 192.168.1.132
ping: socket Permission denied
Remove the set-uid bit and ping stops working.
jmoekamp@daddelkiste:~$ ppriv $$
2153:   -bash
flags = <none>
        E: basic
        I: basic
        P: basic
        L: all
contract_event,contract_identity,contract_observer,cpc_cpu,dtrace_kernel,dtrace_proc,dtrace_user,file_chown,file_chown_self,file_dac_execute,file_dac_read,file_dac_search,file_dac_write,file_downgrade_sl,file_flag_set,file_link_any,file_owner,file_read,file_setid,file_upgrade_sl,file_write,graphics_access,graphics_map,ipc_dac_read,ipc_dac_write,ipc_owner,net_access,net_bindmlp,net_icmpaccess,net_mac_aware,net_mac_implicit,net_observability,net_privaddr,net_rawaccess,proc_audit,proc_chroot,proc_clock_highres,proc_exec,proc_fork,proc_info,proc_lock_memory,proc_owner,proc_priocntl,proc_session,proc_setid,proc_taskid,proc_zone,sys_acct,sys_admin,sys_audit,sys_config,sys_devices,sys_dl_config,sys_flow_config,sys_ib_config,sys_ib_info,sys_ip_config,sys_ipc_config,sys_iptun_config,sys_linkdir,sys_mount,sys_net_config,sys_nfs,sys_ppp_config,sys_res_bind,sys_res_config,sys_resource,sys_share,sys_smb,sys_suser_compat,sys_time,sys_trans_label,win_colormap,win_config,win_dac_read,win_dac_write,win_devices,win_dga,win_downgrade_sl,win_fontpath,win_mac_read,win_mac_write,win_selection,win_upgrade_sl
All privileges in their entirety assigned to one user are (almost)
Neat extension in Solaris 11: the ability to use networking is now a privilege (net_access). It is part of the default basic set of privileges, but you can remove it.
moekamp@daddelkiste:~$ ppriv -v $$
2153:   -bash
flags = <none>
        E: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
        I: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
        P: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
        L: contract_event,contract_identity,contract_observer,cpc_cpu,dtrace_kernel,dtrace_proc,dtrace_user,file_chown,file_chown_self,file_dac_execute,file_dac_read,file_dac_search,file_dac_write,file_downgrade_sl,file_flag_set,file_link_any,file_owner,file_read,file_setid,file_upgrade_sl,file_write,graphics_access,graphics_map,ipc_dac_read,ipc_dac_write,ipc_owner,net_access,net_bindmlp,net_icmpaccess,net_mac_aware,net_mac_implicit,net_observability,net_privaddr,net_rawaccess,proc_audit,proc_chroot,proc_clock_highres,proc_exec,proc_fork,proc_info,proc_lock_memory,proc_owner,proc_priocntl,proc_session,proc_setid,proc_taskid,proc_zone,sys_acct,sys_admin,sys_audit,sys_config,sys_devices,sys_dl_config,sys_flow_config,sys_ib_config,sys_ib_info,sys_ip_config,sys_ipc_config,sys_iptun_config,sys_linkdir,sys_mount,sys_net_config,sys_nfs,sys_ppp_config,sys_res_bind,sys_res_config,sys_resource,sys_share,sys_smb,sys_suser_compat,sys_time,sys_trans_label,win_colormap,win_config,win_dac_read,win_dac_write,win_devices,win_dga,win_downgrade_sl,win_fontpath,win_mac_read,win_mac_write,win_selection,win_upgrade_sl
root@daddelkiste:~# ppriv $$
2183:   -bash
flags = <none>
        E: all
        I: basic
        P: all
        L: all
junior@daddelkiste:~$ dtrace -n 'syscall:::entry { @num[execname] = count(); }'
dtrace: failed to initialize dtrace: DTrace requires additional privileges
root@daddelkiste:~# usermod -K defaultpriv=basic,dtrace_kernel,dtrace_proc,dtrace_user junior
UX: usermod: junior is currently logged in, some changes may not take effect until next login.
junior@daddelkiste:~$ dtrace -n 'syscall:::entry { @num[execname] = count(); }'
dtrace: description 'syscall:::entry' matched 211 probes
^C

  automountd                                                        1
  sshd                                                             24
  dtrace                                                          544
  auditd                                                          564
# ps -ef | grep kcfd
  daemon   125     1   0 14:24:19 ?           0:00 /usr/lib/crypto/kcfd
    root   734   728   0 15:54:08 pts/1       0:00 grep kcfd
# ppriv -v 125
125:    /usr/lib/crypto/kcfd
flags = PRIV_AWARE
        E: file_owner,proc_priocntl,sys_devices
        I: none
        P: file_owner,proc_priocntl,sys_devices
        L: none
# svcadm -v enable -s apache2
svc:/network/http:apache2 enabled.
jmoekamp@client:~$ ps -ef | grep http
webservd  1978  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1979  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1980  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1984  1975   0 12:20:02 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
    root  1975     1   0 12:19:14 ?           0:01 /usr/apache2/2.2/bin/httpd -k start
webservd  1977  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1976  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
root@client:~# ppriv 1977
1977:   /usr/apache2/2.2/bin/httpd -k start
flags = <none>
        E: basic
        I: basic
        P: basic
        L: all
root@client:~# ppriv 1975
1975:   /usr/apache2/2.2/bin/httpd -k start
flags = <none>
        E: all
        I: basic
        P: all
        L: all
root@client:~#
The Apache parent process running as root has all of the privileges listed above (P: all in the ppriv output).
The other (webservd) processes have only the basic set (P: basic in the ppriv output).
Apache really needs only a handful of them.
So you grant a large number of privileges to one process that Apache doesn't need.
# svcadm -v disable -s apache2
svc:/network/http:apache2 disabled.
root@client:~# svccfg -s apache22
svc:/network/http:apache22> setprop start/user = astring: webservd
svc:/network/http:apache22> setprop start/group = astring: webservd
svc:/network/http:apache22> setprop start/privileges = astring: basic,proc_session,proc_info,file_link_any,net_privaddr
svc:/network/http:apache22> setprop start/limit_privileges = astring: default
svc:/network/http:apache22> setprop start/use_profile = boolean: false
svc:/network/http:apache22> setprop start/supp_groups = astring: default
svc:/network/http:apache22> setprop start/working_directory = astring: default
svc:/network/http:apache22> setprop start/project = astring: default
svc:/network/http:apache22> setprop start/resource_pool = astring: default
svc:/network/http:apache22> end
root@client:~# svcadm -v refresh apache22
Action refresh set for svc:/network/http:apache22.
# echo "LockFile /var/apache2/2.2/logs/accept.lock" >> /etc/apache2/2.2/httpd.conf
# echo "PidFile /var/apache2/2.2/run/httpd.pid" >> /etc/apache2/2.2/httpd.conf
# mkdir -p -m 755 /var/apache2/2.2/run
# chown webservd:webservd /var/apache2/2.2/run
# svcadm enable apache22
webservd  3064  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3062  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3063  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3066  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3061     1   0 16:49:17 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3065  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
Read-only zone root
zonecfg:testzone> set file-mac-profile=none
    Standard read-write non-global zone with no additional protection beyond the existing zones boundaries.

zonecfg:testzone> set file-mac-profile=strict
    Read-only file system, no exceptions.

zonecfg:testzone> set file-mac-profile=fixed-configuration
    Permits updates to /var/* directories, with the exception of directories that contain system configuration components.

zonecfg:testzone> set file-mac-profile=flexible-configuration
    Permits modification of files in /etc/* directories, changes to root's home directory, and updates to /var/* directories. This configuration provides the closest functionality to the Oracle Solaris 10 native sparse root zone.
in-kernel SSL Proxy
# mkdir /etc/keys
# cd /etc/keys
# openssl req -x509 -nodes -days 365 -subj "/C=DE/ST=Hamburg/L=Hamburg/CN=server" -newkey rsa:1024 -keyout /etc/keys/mykey.pem -out /etc/keys/mycert.pem
# cat mycert.pem mykey.pem > my.pem
# chmod 600 my.pem
# echo "pass" > /etc/keys/mypass
# ksslcfg create -f pem -i /etc/keys/my.pem -x 8080 -p /etc/keys/mypass server 443
# ksslcfg create -f pem -i /etc/keys/my.pem -x 8080 -p /etc/keys/mypass -c rsa_aes_256_cbc_sha,rsa_aes_128_cbc_sha,rsa_rc4_128_sha,rsa_rc4_128_md5 server 443
# svcs -a | grep kssl
online          9:03:33 svc:/network/ssl/proxy:kssl-server-443
# svcadm disable apache22
# echo "Listen 192.168.178.108:8080" >> /etc/apache2/2.2/httpd.conf
# svcadm enable apache22
Port number and IP address have to be defined explicitly in httpd.conf, otherwise it will not work.
# openssl s_client -connect server:443
CONNECTED(00000004)
depth=0 /C=DE/ST=Hamburg/L=Hamburg/CN=server
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=DE/ST=Hamburg/L=Hamburg/CN=server
verify return:1
---
Certificate chain
 0 s:/C=DE/ST=Hamburg/L=Hamburg/CN=server
   i:/C=DE/ST=Hamburg/L=Hamburg/CN=server
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICoTCCAgqgAwIBAgIJAKyJdj[...]V5jX3MU=
-----END CERTIFICATE-----
subject=/C=DE/ST=Hamburg/L=Hamburg/CN=server
issuer=/C=DE/ST=Hamburg/L=Hamburg/CN=server
---
No client certificate CA names sent
---
SSL handshake has read 817 bytes and written 328 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-SHA
    Session-ID: 32CEF20CB9FE2A71C74D40BB2DB5CB304DA1B57540B7CFDD113915B99DBE9812
    Session-ID-ctx:
    Master-Key: 1E7B502390951124779C5763B5E4BBAF0A9B0693D08DCA8A587B503A5C5027B6FAD9CA7626B1AD8C62219E8502A5C21E
    Key-Arg   : None
    Start Time: 1242985143
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
GET / HTTP/1.0

HTTP/1.1 200 OK
Date: Fri, 22 May 2009 09:39:13 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8a DAV/2
Last-Modified: Thu, 21 May 2009 21:26:30 GMT
ETag: "341f3-2c-46a72cc211a8f"
Accept-Ranges: bytes
Content-Length: 44
Connection: close
Content-Type: text/html

<html><body><h1>It works!</h1></body></html>
read:errno=0
ZFS Encryption
# zfs create -o encryption=on rpool/export/project
wrapping key (user settable)
encryption key (random, not user settable)
sources for the wrapping key: prompt, file://, https://, pkcs11:
aes-128-ccm (=on), aes-192-ccm, aes-256-ccm, aes-128-gcm, aes-192-gcm, aes-256-gcm
# zfs set checksum=sha256+mac <dataset>
If encryption is not off, this happens automatically; the checksum property is read-only from then on.
# pktool genkey keystore=pkcs11 keytype=aes keylen=128 label=mykey
Enter PIN for Sun Software PKCS#11 softtoken:
# zfs create -o encryption=on -o keysource=raw,pkcs11:object=mykey tank/project/C
Enter PKCS#11 token PIN for 'tank/project/C':
# zfs create -o encryption=on -o keysource=raw,https://keys.example.com/mykey tank/project/R
# cp myservercert.pem /etc/certs/CA
# svcadm refresh ca-certificates
$ zfs key -c rpool/export/project
Enter new passphrase for 'rpool/export/project':
Changing the wrapping key
# zfs key -K tank/project/A
# zfs clone -K tank/project/A@montag tank/project/D
Changing the encryption key for data written from now on: creates a new data encryption key. Data written in the clone uses the new data encryption key, which is distinct from the one of its original snapshot.
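The distinction between `zfs key -c` (new wrapping key, data untouched) and `zfs key -K` (new data encryption key for future writes) is easiest to see in a small model. The following is an added example, not ZFS code and not from the slides: a dataset object holds random data keys, stores them wrapped under a passphrase-derived key, and implements the two rekey operations. The stream cipher and tag are a constructed HMAC-SHA256 stand-in for the AES-CCM/GCM modes ZFS really uses; the class name, methods and the low PBKDF2 iteration count are this example's own choices.

```python
"""Model of the two-level key scheme behind ZFS encryption: a random data
encryption key (DEK) protects the data, and the user-settable wrapping key
only protects the DEK. Stand-in cipher: an HMAC-SHA256 keystream plus tag,
not the AES-CCM/GCM modes ZFS really uses."""
import hashlib
import hmac
import os


def keystream_xor(key, nonce, data):
    """Constructed stand-in for AES-CCM/GCM: XOR with an HMAC-derived keystream."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, nonce + offset.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(x ^ k for x, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def derive_wrapping_key(passphrase, salt):
    """keysource=passphrase: the wrapping key is derived from the passphrase
    (PBKDF2 here; the iteration count is kept low for the example)."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 10_000)


class EncryptedDataset:
    def __init__(self, passphrase):
        self.salt = os.urandom(16)
        self._wrapping_key = derive_wrapping_key(passphrase, self.salt)
        self.data_keys = [os.urandom(32)]            # random, not user-settable
        self.wrapped_keys = [self._wrap(k) for k in self.data_keys]
        self.blocks = []                              # (data key index, nonce, ciphertext)

    def _wrap(self, dek):
        nonce = os.urandom(12)
        wrapped = keystream_xor(self._wrapping_key, nonce, dek)
        tag = hmac.new(self._wrapping_key, nonce + wrapped, hashlib.sha256).digest()
        return nonce, wrapped, tag

    def write(self, plaintext):
        """New data is always encrypted with the newest DEK."""
        index = len(self.data_keys) - 1
        nonce = os.urandom(12)
        self.blocks.append((index, nonce, keystream_xor(self.data_keys[index], nonce, plaintext)))

    def read_all(self, passphrase):
        """Unwrap every DEK with the supplied passphrase, then decrypt all blocks.
        A wrong passphrase fails the tag check instead of returning garbage."""
        wk = derive_wrapping_key(passphrase, self.salt)
        deks = []
        for nonce, wrapped, tag in self.wrapped_keys:
            expected = hmac.new(wk, nonce + wrapped, hashlib.sha256).digest()
            if not hmac.compare_digest(tag, expected):
                raise ValueError("wrapping key does not unlock this dataset")
            deks.append(keystream_xor(wk, nonce, wrapped))
        return [keystream_xor(deks[i], nonce, ct) for i, nonce, ct in self.blocks]

    def change_wrapping_key(self, new_passphrase):
        """zfs key -c: rewrap the DEKs; the stored ciphertext is not touched."""
        self._wrapping_key = derive_wrapping_key(new_passphrase, self.salt)
        self.wrapped_keys = [self._wrap(k) for k in self.data_keys]

    def new_data_key(self):
        """zfs key -K: a fresh DEK for data written from now on; old blocks keep theirs."""
        self.data_keys.append(os.urandom(32))
        self.wrapped_keys.append(self._wrap(self.data_keys[-1]))


def demo():
    """Returns (ciphertext unchanged by rewrap, decrypted blocks, set of DEK indexes used)."""
    ds = EncryptedDataset("supersecret")
    ds.write(b"written before zfs key -c")
    before = [ct for _, _, ct in ds.blocks]
    ds.change_wrapping_key("newsecret")
    after = [ct for _, _, ct in ds.blocks]
    ds.new_data_key()
    ds.write(b"written after zfs key -K")
    return before == after, ds.read_all("newsecret"), {i for i, _, _ in ds.blocks}


def wrong_passphrase_rejected():
    """The old passphrase no longer unlocks the dataset after a wrapping-key change."""
    ds = EncryptedDataset("supersecret")
    ds.write(b"data")
    ds.change_wrapping_key("newsecret")
    try:
        ds.read_all("supersecret")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(demo())
```

Because the data blocks never see the wrapping key, `change_wrapping_key` is cheap regardless of dataset size, which is exactly why ZFS can offer `zfs key -c` without rewriting anything; a new data key, by contrast, can only apply to blocks written afterwards.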
Solaris Cryptographic Framework
As soon as Solaris detects hardware acceleration for cryptography, Solaris will use it (and so will applications using the Oracle-supplied OpenSSL library or the direct interfaces):
• on-chip crypto accelerator in T and current M series chips
• instruction set extensions in Intel processors (AES-NI)
• supported crypto accelerator cards
Just a side note: T-series crypto acceleration and Intel x86 acceleration have pretty different performance characteristics.
T-Series: acceleration by offloading crypto outside the pipeline.
Intel x86: acceleration by offering special in-pipeline instructions to accelerate execution.
Sounds like splitting hairs...
Using ZFS to do two-factor encryption
jmoekamp@solaris:~$ rmformat
Looking for devices...
     1. Logical Node: /dev/rdsk/c10t0d0p0
        Physical Node: /pci@0,0/pci8086,265c@b/storage@2/disk@0,0
        Connected Device: SanDisk  U3 Cruzer Micro  8.02
        Device Type: Removable
        Bus: USB
        Size: 3.8 GB
        Label:
        Access permissions: Medium is not write protected.
(...)
     3. Logical Node: /dev/rdsk/c9t0d0p0
        Physical Node: /pci@0,0/pci8086,265c@b/storage@1/disk@0,0
        Connected Device: SanDisk  U3 Cruzer Micro  8.02
        Device Type: Removable
        Bus: USB
        Size: 3.8 GB
        Label:
        Access permissions: Medium is not write protected.
root@solaris:~# zpool create a_keystore_usbstick /dev/dsk/c10t0d0p0
root@solaris:~# zpool create datastore /dev/dsk/c9t0d0p0
root@solaris:~# zfs create -o encryption=on a_keystore_usbstick/keys
Enter passphrase for 'a_keystore_usbstick/keys': supersecret
Enter again: supersecret
root@solaris:~# pktool genkey keystore=file keytype=aes keylen=128 outkey=/a_keystore_usbstick/keys/joergsdatastick.key
root@solaris:~# zfs create -o encryption=on -o keysource=raw,file:///a_keystore_usbstick/keys/joergsdatastick.key datastick/joergssecrets
root@solaris:/datastick/joergssecrets# mv /home/jmoekamp/highlyconfidential_nda_presos.tgz .
root@solaris:~# zpool export a_keystore_usbstick
root@solaris:~# zpool export datastick
root@solaris:~# zpool import a_keystore_usbstick
Enter passphrase for 'a_keystore_usbstick/keys': supersecret
root@solaris:~#
root@solaris:~# zpool import datastick
root@solaris:~# cd /datastick/joergssecrets
root@solaris:/datastick/joergssecrets# ls
highconfidential_nda_presos.tgz
Basic Auditing and Reporting Tool
# mkdir /bart-files
# bart create -R /etc > /bart-files/etc.control.manifest
# cat /bart-files/etc.control.manifest | grep nsswitch.nisplus
/nsswitch.nisplus F 2525 100644 user::rw-,group::r--,mask:r--,other:r-- 473976b5 0 3 79e8fd689a5221d1cd059e5077da71b8
# touch /etc/thisisjustatest
# chmod 777 /etc/nsswitch.files
# echo "just a test" >> /etc/nsswitch.nisplus
# bart create -R /etc > /bart-files/etc.check.20130911.manifest
# cd /bart-files
# bart compare etc.control.manifest etc.check.20130911.manifest
/nsswitch.files:
  mode  control:100644  test:100777
  acl  control:user::rw-,group::r--,mask:r--,other:r--  test:user::rwx,group::rwx,mask:rwx,other:rwx
/nsswitch.nisplus:
  size  control:2525  test:2538
  mtime  control:473976b5  test:47a44862
  contents  control:79e8fd689a5221d1cd059e5077da71b8  test:3f79176ec352441db11ec8a3d02ef67c
/thisisjustatest:
  add
Find more information regarding this feature at http://www.c0t0d0s0.org/archives/4069-Less-known-Solaris-features-BART.html
Apropos Auditing
Auditing is activated by default
root@client:~# auditconfig -getflags
active user default audit flags = lo(0x1000,0x1000)
configured user default audit flags = lo(0x1000,0x1000)
root@client:~# auditconfig -getnaflags
active non-attributable audit flags = lo(0x1000,0x1000)
configured non-attributable audit flags = lo(0x1000,0x1000)
root@client:~# auditconfig -getpolicy
configured audit policies = cnt
active audit policies = cnt
Policy regarding auditing (explanation on the next slide)
root@client:~# auditconfig -lspolicy
policy string     description:
ahlt              halt machine if it can not record an async event
all               all policies
arge              include exec environment args in audit recs
argv              include exec command line args in audit recs
cnt               when no more space, drop recs and keep a cnt
group             include supplementary groups in audit recs
none              no policies
path              allow multiple paths per event
perzone           use a separate queue and auditd per zone
public            audit public files
seq               include a sequence number in audit recs
trail             include trailer token in audit recs
windata_down      include downgraded window information in audit recs
windata_up        include upgraded window information in audit recs
zonename          include zonename token in audit recs
Which degree of detail? What happens with full disks?
root@client:~# auditconfig -getplugin
Plugin: audit_binfile (active)
        Attributes: p_dir=/var/audit;p_fsize=0;p_minfree=1;
Plugin: audit_syslog (inactive)
        Attributes: p_flags=;
Plugin: audit_remote (inactive)
        Attributes: p_hosts=;p_retries=3;p_timeout=5;
root@client:~# auditconfig -setflags lo,ps,fw
user default audit flags = ps,lo,fw(0x101002,0x101002)
root@client:~# auditconfig -setnaflags lo,na
non-attributable audit flags = lo,na(0x1400,0x1400)
lo and na are the only sensible flags for non-attributable events.
root@client:~# usermod -K audit_flags=fw,as junior
root@client:~# auditconfig -lsevent | grep lo
AUE_login                  6152 lo  login - local
AUE_logout                 6153 lo  logout
AUE_telnet                 6154 lo  login - telnet
AUE_rlogin                 6155 lo  login - rlogin
AUE_rshd                   6158 lo  rsh access
AUE_su                     6159 lo  su
AUE_rexecd                 6162 lo  rexecd
AUE_passwd                 6163 lo  passwd
AUE_rexd                   6164 lo  rexd
AUE_ftpd                   6165 lo  ftp access
AUE_ftpd_logout            6171 lo  ftp logout
AUE_ssh                    6172 lo  login - ssh
AUE_role_login             6173 lo  role login
AUE_rad_login              6174 lo  connect to RAD
AUE_newgrp_login           6212 lo  newgrp login
AUE_admin_authenticate     6213 lo  admin login
AUE_screenlock             6221 lo  screenlock - lock
AUE_screenunlock           6222 lo  screenlock - unlock
AUE_zlogin                 6227 lo  login - zlogin
AUE_su_logout              6228 lo  su logout
AUE_role_logout            6229 lo  role logout
AUE_smbd_session           6244 lo  smbd(1m) session setup
AUE_smbd_logoff            6245 lo  smbd(1m) session logoff
rootclient~ auditconfig -lsevent | grep ps AUE_EXIT 1 ps exit(2)AUE_FORKALL 2 ps forkall(2)AUE_VFORK 25 ps vfork(2)AUE_FORK1 241 ps fork1(2)rootclient~ auditconfig -lsevent | grep fw AUE_OPEN_W 76 fw open(2) - write
c0t0d0s0org127
auditreduce -c ps varaudit20130912183630not_terminatedclient | praudit
header1392execve(2)client2013-09-12 184055924 +0000pathusrsbinauditreduceattribute100555rootbin655386587518446744073709551615subjectjmoekamprootrootrootroot205414400809562480 202240 192168101returnsuccess0
c0t0d0s0org128
rootclient~ auditconfig -setflags alluser default audit flags = all(0xffffffffffffffff0xffffffffffffffff)
Not always (in the sense of never) a good idea
Useful after trying out - starting a new audit filerootclient~ audit -n
c0t0d0s0org129
rootclient~ auditstat gen nona kern aud ctl enq wrtn wblk rblk drop tot mem38248 1 38233 14 0 37791 37788 0 3491 457 5169 0
all activated for a few seconds on an unloaded system
c0t0d0s0org130
SSH and X.509

root@ca:~# CA.pl -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
++++++++++++
writing new private key to '/etc/openssl/private/cakey.pem'
Enter PEM pass phrase: supersecret1
Verifying - Enter PEM pass phrase: supersecret1
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:DE
State or Province Name (full name) []:Lower Saxony
Locality Name (eg, city) []:Lueneburg
Organization Name (eg, company) []:c0t0d0s0.org
Organizational Unit Name (eg, section) []:Security Department
Common Name (eg, server FQDN or YOUR name) []:CA
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openssl/openssl.cnf
Enter pass phrase for /etc/openssl/private/cakey.pem: supersecret1
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            b3:54:80:88:66:ad:e8:78
        Validity
            Not Before: Sep 26 10:11:09 2013 GMT
            Not After : Sep 25 10:11:09 2016 GMT
        Subject:
            countryName               = DE
            stateOrProvinceName       = Lower Saxony
            organizationName          = c0t0d0s0.org
            organizationalUnitName    = Security Department
            commonName                = CA
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44
            X509v3 Authority Key Identifier:
                keyid:5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44

            X509v3 Basic Constraints:
                CA:TRUE
Certificate is to be certified until Sep 25 10:11:09 2016 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated

root@ca:~# mkdir server
root@ca:~# cd server
root@ca:~/server# CA.pl -newreq
Generating a 1024 bit RSA private key
++++++++++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase: supersecret2
Verifying - Enter PEM pass phrase: supersecret2
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:DE
State or Province Name (full name) []:Lower Saxony
Locality Name (eg, city) []:Lueneburg
Organization Name (eg, company) []:c0t0d0s0.org
Organizational Unit Name (eg, section) []:Server Certificates
Common Name (eg, server FQDN or YOUR name) []:server
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem

root@ca:~/server# CA.pl -signreq
Using configuration from /etc/openssl/openssl.cnf
Enter pass phrase for /etc/openssl/private/cakey.pem: supersecret1
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            b3:54:80:88:66:ad:e8:79
        Validity
            Not Before: Sep 26 10:29:12 2013 GMT
            Not After : Sep 26 10:29:12 2014 GMT
        Subject:
            countryName               = DE
            stateOrProvinceName       = Lower Saxony
            localityName              = Lueneburg
            organizationName          = c0t0d0s0.org
            organizationalUnitName    = Server Certificates
            commonName                = server
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                A7:DC:03:DE:B3:D5:FB:F9:C0:06:F1:1A:55:A9:AD:04:C4:9C:10:FA
            X509v3 Authority Key Identifier:
                keyid:5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44

Certificate is to be certified until Sep 26 10:29:12 2014 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
root@ca:~/server# ls -l
total 15
-rw-r--r--   1 root     root        3196 Sep 26 12:29 newcert.pem
-rw-r--r--   1 root     root        1041 Sep 26 12:28 newkey.pem
-rw-r--r--   1 root     root         680 Sep 26 12:28 newreq.pem

root@ca:~/junior# CA.pl -newreq
Generating a 1024 bit RSA private key
++++++++++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
Verify failure
Enter PEM pass phrase: supersecret3
Verifying - Enter PEM pass phrase: supersecret3
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:DE
State or Province Name (full name) []:Lower Saxony
Locality Name (eg, city) []:Lueneburg
Organization Name (eg, company) []:c0t0d0s0.org
Organizational Unit Name (eg, section) []:User certificates
Common Name (eg, server FQDN or YOUR name) []:junior
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem

root@ca:~/junior# CA.pl -signreq
Using configuration from /etc/openssl/openssl.cnf
Enter pass phrase for /etc/openssl/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            b3:54:80:88:66:ad:e8:7a
        Validity
            Not Before: Sep 26 11:09:29 2013 GMT
            Not After : Sep 26 11:09:29 2014 GMT
        Subject:
            countryName               = DE
            stateOrProvinceName       = Lower Saxony
            localityName              = Lueneburg
            organizationName          = c0t0d0s0.org
            organizationalUnitName    = User certificates
            commonName                = junior
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                A1:F2:FC:9D:8A:E2:AD:9A:F5:29:03:F5:B7:14:93:3C:64:62:8E:9C
            X509v3 Authority Key Identifier:
                keyid:5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44

Certificate is to be certified until Sep 26 11:09:29 2014 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem

root@server:~# useradd -m junior
80 blocks
root@server:~# passwd junior
New Password:
Re-enter new Password:
passwd: password successfully changed for junior
root@server:~#

root@client:~# useradd -m junior
80 blocks
root@client:~# passwd junior
New Password:
Re-enter new Password:
passwd: password successfully changed for junior

root@server:~# echo "192.168.10.51 server" >> /etc/hosts
root@server:~# echo "192.168.10.52 client" >> /etc/hosts

root@client:~# echo "192.168.10.51 server" >> /etc/hosts
root@client:~# echo "192.168.10.52 client" >> /etc/hosts

root@ca:~/server# scp /etc/openssl/cacert.pem jmoekamp@192.168.1.109:/export/home/jmoekamp
Password:
cacert.pem           100% |*****************************|  3011       00:00
root@ca:~/server# scp newcert.pem jmoekamp@192.168.1.109:/export/home/jmoekamp
Password:
newcert.pem          100% |*****************************|  3196       00:00
root@ca:~/server# scp newkey.pem jmoekamp@192.168.1.109:/export/home/jmoekamp
Password:
newkey.pem           100% |*****************************|  1041       00:00

root@ca:~/junior# scp newkey.pem junior@client:/export/home/junior
Password:
newkey.pem           100% |*****************************|  1041       00:00
root@ca:~/junior# scp newcert.pem junior@client:/export/home/junior
Password:
newcert.pem          100% |*****************************|  3190       00:00
root@ca:~/junior# scp /etc/openssl/cacert.pem junior@192.168.1.104:/export/home/junior
Password:
cacert.pem           100% |*****************************|  3011       00:00
On the server

root@server:~# ls
cacert.pem  newcert.pem  newkey.pem

root@server:~# pktool setpin
Enter token passphrase: changeme
Create new passphrase: superserversecret
Re-enter new passphrase: superserversecret
Passphrase changed.
root@server:~#

root@server:~# printf "superserversecret" > /etc/ssh/pinfile

root@server:~# kmfcfg create dbfile=/etc/ssh/policy.xml policy=ssh ta-name=search mapper-name=cn

root@server:~# echo "TrustedAnchorKeystore /etc/ssh/cert" >> /etc/ssh/sshd_config
root@server:~# echo "KMFPolicyDatabase /etc/ssh/policy.xml" >> /etc/ssh/sshd_config
root@server:~# echo "KMFPolicyName ssh" >> /etc/ssh/sshd_config
root@server:~# echo "HostKey pkcs11:object=host;token=Sun Metaslot;pinfile=/etc/ssh/pinfile" >> /etc/ssh/sshd_config

root@server:~# pktool import keystore=pkcs11 infile=newkey.pem objtype=key label=host
Enter PIN for Sun Software PKCS#11 softtoken  : superserversecret
Enter PEM pass phrase: supersecret2
Importing 1 keys

root@server:~# egrep -v '^ |^$|^Cert' /export/home/jmoekamp/cacert.pem > /etc/ssh/cert/cacert.cooked.pem
root@server:~# egrep -v '^ |^$|^Cert' newcert.pem > newcert.cooked.pem
root@server:~# pktool import keystore=pkcs11 infile=newcert.cooked.pem objtype=cert label=host
root@server:~#

On the client

junior@client:~$ ls *.pem
cacert.pem  newcert.pem  newkey.pem

root@client:~# kmfcfg create dbfile=/etc/ssh/policy.xml policy=ssh ta-name=search mapper-name=cn
root@client:~# egrep -v '^ |^$|^Cert' /export/home/junior/cacert.pem > /etc/ssh/cert/cacert.cooked.pem

junior@client:~$ pktool setpin
Enter token passphrase: changeme
Create new passphrase: superusersecret
Re-enter new passphrase: superusersecret
Passphrase changed.

junior@client:~$ pktool import keystore=pkcs11 infile=newkey.pem objtype=key label=user
Enter PIN for Sun Software PKCS#11 softtoken  : superusersecret
Enter PEM pass phrase: supersecret3
Importing 1 keys
junior@client:~$ egrep -v '^ |^$|^Cert' newcert.pem > newcert.cooked.pem
junior@client:~$ pktool import keystore=pkcs11 infile=newcert.cooked.pem objtype=cert label=user

Testing it

root@server:~# svcadm disable ssh
root@server:~# svcadm enable ssh

junior@client:~$ cd .ssh
junior@client:~/.ssh$ printf "superusersecret" >> pinfile
junior@client:~/.ssh$ cat config
Host server-x509
        Hostname server
        TrustedAnchorKeystore /etc/ssh/cert
        KMFPolicyDatabase /etc/ssh/policy.xml
        KMFPolicyName ssh
        IdentityFile pkcs11:object=user;token=Sun Software PKCS#11 softtoken;pinfile=/export/home/junior/.ssh/pinfile

junior@client:~/.ssh$ ssh junior@server-x509
Last login: Thu Sep 26 20:07:14 2013 from client
Oracle Corporation      SunOS 5.11      11.1    September 2013
junior@server:~$

Find more information regarding this feature at
http://www.c0t0d0s0.org/archives/7659-Using-X509-support-for-SSH-on-Solaris-11.1.html
OpenSCAP

„The Security Content Automation Protocol (SCAP) is a method for using specific standards to enable automated vulnerability management, measurement, and policy compliance evaluation (e.g., FISMA compliance). The National Vulnerability Database (NVD) is the U.S. government content repository for SCAP.“
http://en.wikipedia.org/wiki/Security_Content_Automation_Protocol

ftp-banner.xml

<?xml version="1.0" encoding="UTF-8"?>
<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:independent-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd">
  <generator>
    <oval:product_name>Enhanced SCAP Editor</oval:product_name>
    <oval:product_version>0.0.11</oval:product_version>
    <oval:schema_version>5.8</oval:schema_version>
    <oval:timestamp>2012-10-11T10:33:25</oval:timestamp>
  </generator>
  <!--generated.oval.base.identifier=com.oracle.solaris11-->
  <definitions>
    <definition id="oval:com.oracle.solaris11:def:840" version="1" class="compliance">
      <metadata>
        <title>Enable a Warning Banner for the FTP Service</title>
        <affected family="unix">
          <platform>Oracle Solaris 11</platform>
        </affected>
        <description>/etc/proftpd.conf contains "DisplayConnect /etc/issue"</description>
      </metadata>
      <criteria operator="AND" negate="false" comment="Single test">
        <criterion comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;" test_ref="oval:com.oracle.solaris11:tst:8400" negate="false"/>
      </criteria>
    </definition>
  </definitions>
  <tests>
    <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:com.oracle.solaris11:tst:8400" version="1" check="all" comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;" check_existence="all_exist">
      <object object_ref="oval:com.oracle.solaris11:obj:8400"/>
    </textfilecontent54_test>
  </tests>
  <objects>
    <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:com.oracle.solaris11:obj:8400" version="1" comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;">
      <path datatype="string" operation="equals">/etc</path>
      <filename datatype="string" operation="equals">proftpd.conf</filename>
      <pattern datatype="string" operation="pattern match">^DisplayConnect\s/etc/issue\s*$</pattern>
      <instance datatype="int" operation="greater than or equal">1</instance>
    </textfilecontent54_object>
  </objects>
</oval_definitions>
$ oscap oval eval ftp-banner.xml
Definition oval:com.oracle.solaris11:def:840: false
Evaluation done.

$ oscap oval eval --results results.xml --report report.html ftp-banner.xml
Definition oval:com.oracle.solaris11:def:840: false
Evaluation done.
OVAL Results are exported correctly.
To create your own OVAL files: Enhanced SCAP Content Editor

Find more information regarding this feature at
https://blogs.oracle.com/darren/entry/compliance_reporting_with_scap
root@solaris:~# sxadm exec -s aslr=disable /usr/bin/pmap self
1914:   /usr/bin/pmap self
1914:   /usr/bin/pmap self
0000000000400000         28K r-x--  /usr/bin/pmap
0000000000417000          4K rw---  /usr/bin/pmap
0000000000418000         40K rw---    [ heap ]
FFFF80FFBDDD0000        216K r-x--  /lib/amd64/libproc.so.1
FFFF80FFBDE16000          8K rw---  /lib/amd64/libproc.so.1
FFFF80FFBF430000       1764K r-x--  /lib/amd64/libc.so.1
FFFF80FFBF5F9000         64K rw---  /lib/amd64/libc.so.1
FFFF80FFBF609000         12K rw---  /lib/amd64/libc.so.1
FFFF80FFBF740000          4K rw---    [ anon ]
FFFF80FFBF750000         24K rwx--    [ anon ]
FFFF80FFBF760000          4K rw---    [ anon ]
FFFF80FFBF770000          4K rw---    [ anon ]
FFFF80FFBF780000          4K rw---    [ anon ]
FFFF80FFBF790000          4K rw---    [ anon ]
FFFF80FFBF792000          4K r--s-    [ anon ]
FFFF80FFBF795000        340K r-x--  /lib/amd64/ld.so.1
FFFF80FFBF7FA000         12K rwx--  /lib/amd64/ld.so.1
FFFF80FFBF7FD000          8K rwx--  /lib/amd64/ld.so.1
FFFF80FFBFFFD000         12K rw---    [ stack ]
         total         2556K

root@solaris:~# sxadm exec -s aslr=disable /usr/bin/pmap self
1915:   /usr/bin/pmap self
1915:   /usr/bin/pmap self
0000000000400000         28K r-x--  /usr/bin/pmap
0000000000417000          4K rw---  /usr/bin/pmap
0000000000418000         40K rw---    [ heap ]
FFFF80FFBDDD0000        216K r-x--  /lib/amd64/libproc.so.1
FFFF80FFBDE16000          8K rw---  /lib/amd64/libproc.so.1
FFFF80FFBF430000       1764K r-x--  /lib/amd64/libc.so.1
FFFF80FFBF5F9000         64K rw---  /lib/amd64/libc.so.1
FFFF80FFBF609000         12K rw---  /lib/amd64/libc.so.1
FFFF80FFBF740000          4K rw---    [ anon ]
FFFF80FFBF750000         24K rwx--    [ anon ]
FFFF80FFBF760000          4K rw---    [ anon ]
FFFF80FFBF770000          4K rw---    [ anon ]
FFFF80FFBF780000          4K rw---    [ anon ]
FFFF80FFBF790000          4K rw---    [ anon ]
FFFF80FFBF792000          4K r--s-    [ anon ]
FFFF80FFBF795000        340K r-x--  /lib/amd64/ld.so.1
FFFF80FFBF7FA000         12K rwx--  /lib/amd64/ld.so.1
FFFF80FFBF7FD000          8K rwx--  /lib/amd64/ld.so.1
FFFF80FFBFFFD000         12K rw---    [ stack ]
         total         2556K

root@solaris:~# sxadm exec -s aslr=enable /usr/bin/pmap self
1917:   /usr/bin/pmap self
1917:   /usr/bin/pmap self
0000000000400000         28K r-x--  /usr/bin/pmap
0000000000417000          4K rw---  /usr/bin/pmap
0000000000418000          8K rw---  /usr/bin/pmap
00000005D6666000         36K rw---    [ heap ]
00007FF669C70000        216K r-x--  /lib/amd64/libproc.so.1
00007FF669CB6000          8K rw---  /lib/amd64/libproc.so.1
00007FF669CC0000          4K rw---    [ anon ]
00007FF669CD0000         24K rwx--    [ anon ]
00007FF669CE0000          4K rw---    [ anon ]
00007FF669CF0000       1764K r-x--  /lib/amd64/libc.so.1
00007FF669EB9000         64K rw---  /lib/amd64/libc.so.1
00007FF669EC9000         12K rw---  /lib/amd64/libc.so.1
00007FF669ED0000          4K rw---    [ anon ]
00007FF669EE0000          4K rw---    [ anon ]
00007FF669EF0000          4K rw---    [ anon ]
00007FF669EF2000          4K r--s-    [ anon ]
00007FF669EFC000        340K r-x--  /lib/amd64/ld.so.1
00007FF669F61000         12K rwx--  /lib/amd64/ld.so.1
00007FF669F64000          8K rwx--  /lib/amd64/ld.so.1
FFFF80DDA254F000         16K rw---    [ stack ]
         total         2564K

root@solaris:~# sxadm exec -s aslr=enable /usr/bin/pmap self
1918:   /usr/bin/pmap self
1918:   /usr/bin/pmap self
0000000000400000         28K r-x--  /usr/bin/pmap
0000000000417000          4K rw---  /usr/bin/pmap
0000000000418000          8K rw---  /usr/bin/pmap
000000065B76D000         36K rw---    [ heap ]
00007FFAACFC0000        216K r-x--  /lib/amd64/libproc.so.1
00007FFAAD006000          8K rw---  /lib/amd64/libproc.so.1
00007FFAAD010000          4K rw---    [ anon ]
00007FFAAD020000         24K rwx--    [ anon ]
00007FFAAD030000          4K rw---    [ anon ]
00007FFAAD040000       1764K r-x--  /lib/amd64/libc.so.1
00007FFAAD209000         64K rw---  /lib/amd64/libc.so.1
00007FFAAD219000         12K rw---  /lib/amd64/libc.so.1
00007FFAAD220000          4K rw---    [ anon ]
00007FFAAD230000          4K rw---    [ anon ]
00007FFAAD240000          4K rw---    [ anon ]
00007FFAAD242000          4K r--s-    [ anon ]
00007FFAAD24D000        340K r-x--  /lib/amd64/ld.so.1
00007FFAAD2B2000         12K rwx--  /lib/amd64/ld.so.1
00007FFAAD2B5000          8K rwx--  /lib/amd64/ld.so.1
FFFF80DE1559E000         12K rw---    [ stack ]
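The four pmap listings above are the evidence that ASLR moved heap, libraries and stack; as an added example (not from the slides), this script parses such listings and reports which mappings changed between two runs, using abbreviated copies of the slides' output as constructed input.

```python
import re

# Constructed input: abbreviated copies of the four pmap listings on the
# slides (two runs with aslr=disable, two with aslr=enable).
ASLR_OFF_1 = """\
1914:   /usr/bin/pmap self
0000000000400000         28K r-x--  /usr/bin/pmap
0000000000418000         40K rw---    [ heap ]
FFFF80FFBF430000       1764K r-x--  /lib/amd64/libc.so.1
FFFF80FFBF795000        340K r-x--  /lib/amd64/ld.so.1
FFFF80FFBFFFD000         12K rw---    [ stack ]
         total         2556K
"""
ASLR_OFF_2 = ASLR_OFF_1.replace("1914:", "1915:")  # identical layout, new pid
ASLR_ON_1 = """\
1917:   /usr/bin/pmap self
0000000000400000         28K r-x--  /usr/bin/pmap
00000005D6666000         36K rw---    [ heap ]
00007FF669CF0000       1764K r-x--  /lib/amd64/libc.so.1
00007FF669EFC000        340K r-x--  /lib/amd64/ld.so.1
FFFF80DDA254F000         16K rw---    [ stack ]
         total         2564K
"""
ASLR_ON_2 = """\
1918:   /usr/bin/pmap self
0000000000400000         28K r-x--  /usr/bin/pmap
000000065B76D000         36K rw---    [ heap ]
00007FFAAD040000       1764K r-x--  /lib/amd64/libc.so.1
00007FFAAD24D000        340K r-x--  /lib/amd64/ld.so.1
FFFF80DE1559E000         12K rw---    [ stack ]
"""

# One pmap mapping line: 64-bit address, size in K, permission flags, name.
MAPPING = re.compile(r"^([0-9A-Fa-f]{16})\s+(\d+)K\s+(\S+)\s+(.+?)\s*$")

# Mappings ASLR is expected to move between runs.
RANDOMIZED = ("[ heap ]", "/lib/amd64/libc.so.1", "/lib/amd64/ld.so.1", "[ stack ]")


def parse_pmap(text):
    """Map each mapping name to the list of (base, size_kb, perms) it occupies.

    The pid line and the 'total' line do not match the pattern and are skipped.
    """
    maps = {}
    for line in text.splitlines():
        m = MAPPING.match(line)
        if m:
            base, size, perms, name = m.groups()
            maps.setdefault(name, []).append((int(base, 16), int(size), perms))
    return maps


def lowest_base(maps, name):
    """Lowest base address of a mapping, or None if the name is absent."""
    return min(b for b, _, _ in maps[name]) if name in maps else None


def moved_mappings(run_a, run_b, names=RANDOMIZED):
    """Names whose lowest base address differs between the two runs."""
    return [n for n in names if lowest_base(run_a, n) != lowest_base(run_b, n)]


def aslr_effective(run_a, run_b):
    """ASLR did its job when heap, libraries and stack all landed elsewhere.

    The executable's own text stays at 0x400000 in every listing on the
    slides, so it is deliberately not part of the check.
    """
    return set(moved_mappings(run_a, run_b)) == set(RANDOMIZED)


if __name__ == "__main__":
    off = (parse_pmap(ASLR_OFF_1), parse_pmap(ASLR_OFF_2))
    on = (parse_pmap(ASLR_ON_1), parse_pmap(ASLR_ON_2))
    print("aslr=disable: moved =", moved_mappings(*off), "effective =", aslr_effective(*off))
    print("aslr=enable:  moved =", moved_mappings(*on), "effective =", aslr_effective(*on))
```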
root@solaris:~# sxadm info
EXTENSION           STATUS                    CONFIGURATION
aslr                enabled (tagged-files)    system default (default)
root@solaris:~# elfdump -d /usr/bin/pmap | grep ASLR
      [33]  SUNW_ASLR         0x2               ENABLE
root@solaris:~# elfedit -e 'dyn:sunw_aslr disable' /usr/bin/pmap
root@solaris:~# elfdump -d /usr/bin/pmap | grep ASLR
      [33]  SUNW_ASLR         0x1               DISABLE

root@solaris:~# sxadm enable -c model=all aslr
root@solaris:~# sxadm info
EXTENSION           STATUS                    CONFIGURATION
aslr                enabled (all)             enabled (all)
root@solaris:~# sxadm disable aslr
root@solaris:~# sxadm info
EXTENSION           STATUS                    CONFIGURATION
aslr                disabled                  disabled
root@solaris:~# sxadm enable -c model=tagged-files aslr
root@solaris:~# sxadm info
EXTENSION           STATUS                    CONFIGURATION
aslr                enabled (tagged-files)    enabled (tagged-files)
pfedit

root@template:/etc/apache2/2.2# profiles -p "httpd edit"
profiles:httpd edit> set auths=solaris.admin.edit//etc/apache2/2.2/httpd.conf
profiles:httpd edit> set desc="Edit httpd"
profiles:httpd edit> exit

root@template:/etc/apache2/2.2# usermod -P +"httpd edit" junior

junior@template:~$ profiles
httpd edit
Basic Solaris User
All

junior@template:~$ vi /etc/apache2/2.2/httpd.conf

junior@template:~$ pfedit /etc/apache2/2.2/httpd.conf
pfedit: /etc/apache2/2.2/httpd.conf has been updated.

junior@template:~$ pfedit /etc/apache2/2.2/mime.types
pfedit: User junior is not authorized to edit the file /etc/apache2/2.2/mime.types

root@template:/etc/apache2/2.2# profiles -p "httpd edit"
profiles:httpd edit> info
        name=httpd edit
        desc=Edit httpd
        auths=solaris.admin.edit//etc/apache2/2.2/httpd.conf
profiles:httpd edit> add auths=solaris.admin.edit//etc/apache2/2.2/mime.types

junior@template:~$ pfedit /etc/apache2/2.2/mime.types
pfedit: no changes for /etc/apache2/2.2/mime.types

profiles -p "httpd configure"
profiles:httpd configure> add always_audit=as
profiles:httpd configure> info
        name=httpd configure
        desc=Configure httpd
        auths=solaris.admin.edit//etc/apache2/2.2/httpd.conf,solaris.admin.edit//etc/apache2/2.2/mime.types
        always_audit=as
        never_audit=no
profiles:httpd configure> exit
root@template:~#
root@template:~# auditreduce -c as | praudit
[...]
header,486,2,edit administrative file,,fe80::a00:27ff:fea6:33cb,2013-08-12 07:45:52.306 +00:00
subject,junior,junior,staff,junior,staff,4212,447467166,369 136704 MacBook-Pro-of-c0t0d0s0.fritz.box
path,/etc/apache2/2.2/httpd.conf
use of authorization,solaris.admin.edit//etc/apache2/2.2/httpd.conf
text,--- /etc/apache2/2.2/httpd.conf        Mo Aug 12 07:45:00 2013
+++ /etc/apache2/2.2/httpd.conf.pfedit.1BaGoi     Mo Aug 12 07:45:52 2013
@@ -1,5 +1,6 @@
 # Test
 # Test 2
+# Test 3
 #
 # This is the main Apache HTTP server configuration file.  It contains the
 # configuration directives that give the server its instructions.
return,success,0
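The praudit records on the two audit slides (the execve(2) record from "auditreduce -c ps" and the "edit administrative file" record above) are the input an analyst ends up reading; this added example (not from the slides) parses that text format into records and pulls out who acted under which effective identity and which authorization was used, with both records reconstructed from the slides as constructed input.

```python
# Token names praudit(1M) prints at the start of a line in its default
# (comma-separated, one token per line) output format.
TOKENS = ("header", "trailer", "subject", "path", "attribute", "return",
          "text", "use of authorization", "exec_args", "zone")

# Constructed sample: the execve(2) record from the 'auditreduce -c ps'
# slide followed by the 'edit administrative file' record from the pfedit
# slide, with the punctuation the slides lost restored and the diff shortened.
SAMPLE = """\
header,139,2,execve(2),,client,2013-09-12 18:40:55.924 +00:00
path,/usr/sbin/auditreduce
attribute,100555,root,bin,65538,65875,18446744073709551615
subject,jmoekamp,root,root,root,root,2054,1440080956,2480 202240 192.168.10.1
return,success,0
header,486,2,edit administrative file,,fe80::a00:27ff:fea6:33cb,2013-08-12 07:45:52.306 +00:00
subject,junior,junior,staff,junior,staff,4212,447467166,369 136704 MacBook-Pro-of-c0t0d0s0.fritz.box
path,/etc/apache2/2.2/httpd.conf
use of authorization,solaris.admin.edit//etc/apache2/2.2/httpd.conf
text,--- /etc/apache2/2.2/httpd.conf Mo Aug 12 07:45:00 2013
+++ /etc/apache2/2.2/httpd.conf.pfedit.1BaGoi Mo Aug 12 07:45:52 2013
@@ -1,5 +1,6 @@
 # Test
 # Test 2
+# Test 3
 #
return,success,0
"""


def parse_praudit(text):
    """Split praudit output into records, one dict of token -> fields each.

    A record starts at a 'header' token. A line that does not start with a
    known token name continues the previous token (the multi-line diff that
    pfedit stores in its 'text' token).
    """
    records, current, last = [], None, None
    for line in text.splitlines():
        name = line.split(",", 1)[0]
        if name == "header":
            current = {}
            records.append(current)
        if current is None:
            continue  # noise before the first header
        if name in TOKENS:
            # the text token keeps its commas; the others are comma-separated
            fields = line.split(",", 1)[1:] if name == "text" else line.split(",")[1:]
            current[name] = fields
            last = name
        elif last is not None and current[last]:
            current[last][-1] += "\n" + line
    return records


def first(record, token):
    """First field of a token, or None when the record lacks it."""
    fields = record.get(token)
    return fields[0] if fields else None


def summarize(record):
    """The facts an analyst wants first from one record."""
    hdr = record.get("header", [])
    subj = record.get("subject", [])
    # subject token fields: audit-ID, uid, gid, ruid, rgid, pid, sid, tid
    audit_user = subj[0] if subj else None
    effective_user = subj[1] if len(subj) > 1 else None
    return {
        "event": hdr[2] if len(hdr) > 2 else None,
        "host": hdr[4] if len(hdr) > 4 else None,
        "time": hdr[5] if len(hdr) > 5 else None,
        "audit_user": audit_user,
        "effective_user": effective_user,
        # the audit-ID survives su and role assumption, so a mismatch means
        # the user was acting under another identity (jmoekamp as root)
        "switched_identity": audit_user is not None and audit_user != effective_user,
        "path": first(record, "path"),
        "authorization": first(record, "use of authorization"),
        "success": first(record, "return") == "success",
    }


def identity_switches(records):
    """Summaries of records where the audit user worked under another uid."""
    return [s for s in map(summarize, records) if s["switched_identity"]]


if __name__ == "__main__":
    for summary in map(summarize, parse_praudit(SAMPLE)):
        print("%(time)s %(host)s %(event)s by %(audit_user)s as %(effective_user)s"
              " path=%(path)s auth=%(authorization)s ok=%(success)s" % summary)
```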
Delegating the privilege to restart services (so you can keep the root password)

junior@template:~$ svcadm refresh apache22
svcadm: svc:/network/http:apache22: Permission denied.

svcs -a | grep apache22
online         15:30:29 svc:/network/http:apache22

auths add -t "Apache22 value" solaris.smf.value.http.apache22
auths add -t "Apache22 action" solaris.smf.action.http.apache22

svccfg -s apache22 setprop general/value_authorization = astring: solaris.smf.value.http.apache22
svccfg -s apache22 setprop general/action_authorization = astring: solaris.smf.action.http.apache22

profiles -p "httpd edit" 'add auths=solaris.smf.action.http.apache22'

junior@template:~$ svcadm refresh apache22
junior@template:~$
Privileges

$ ls -l /usr/sbin/traceroute
-r-sr-xr-x   1 root     bin        42324 Nov 21 00:09 /usr/sbin/traceroute
$ ls -l /usr/sbin/ping
-r-sr-xr-x   1 root     bin        51396 Nov 18 19:31 /usr/sbin/ping
Set-uid to root: ping needs it to work.

# chmod -s /sbin/ping
# exit
$ ping -s 192.168.1.132
ping: socket Permission denied
Remove the set-uid bit and ping stops working.

jmoekamp@daddelkiste:~$ ppriv $$
2153:   -bash
flags = <none>
        E: basic
        I: basic
        P: basic
        L: all
All privileges of Solaris 11 (the L set of a normal shell):
contract_event, contract_identity, contract_observer, cpc_cpu, dtrace_kernel, dtrace_proc, dtrace_user, file_chown, file_chown_self, file_dac_execute, file_dac_read, file_dac_search, file_dac_write, file_downgrade_sl, file_flag_set, file_link_any, file_owner, file_read, file_setid, file_upgrade_sl, file_write, graphics_access, graphics_map, ipc_dac_read, ipc_dac_write, ipc_owner, net_access, net_bindmlp, net_icmpaccess, net_mac_aware, net_mac_implicit, net_observability, net_privaddr, net_rawaccess, proc_audit, proc_chroot, proc_clock_highres, proc_exec, proc_fork, proc_info, proc_lock_memory, proc_owner, proc_priocntl, proc_session, proc_setid, proc_taskid, proc_zone, sys_acct, sys_admin, sys_audit, sys_config, sys_devices, sys_dl_config, sys_flow_config, sys_ib_config, sys_ib_info, sys_ip_config, sys_ipc_config, sys_iptun_config, sys_linkdir, sys_mount, sys_net_config, sys_nfs, sys_ppp_config, sys_res_bind, sys_res_config, sys_resource, sys_share, sys_smb, sys_suser_compat, sys_time, sys_trans_label, win_colormap, win_config, win_dac_read, win_dac_write, win_devices, win_dga, win_downgrade_sl, win_fontpath, win_mac_read, win_mac_write, win_selection, win_upgrade_sl

All privileges in their entirety assigned to one user are (almost) root.

Neat extension in Solaris 11: the ability to use networking (net_access) is now a privilege. It's part of the default set of privileges, but you can remove it.
jmoekamp@daddelkiste:~$ ppriv -v $$
2153:   -bash
flags = <none>
        E: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
        I: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
        P: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
        L: contract_event,contract_identity,contract_observer,cpc_cpu,dtrace_kernel,dtrace_proc,dtrace_user,file_chown,file_chown_self,file_dac_execute,file_dac_read,file_dac_search,file_dac_write,file_downgrade_sl,file_flag_set,file_link_any,file_owner,file_read,file_setid,file_upgrade_sl,file_write,graphics_access,graphics_map,ipc_dac_read,ipc_dac_write,ipc_owner,net_access,net_bindmlp,net_icmpaccess,net_mac_aware,net_mac_implicit,net_observability,net_privaddr,net_rawaccess,proc_audit,proc_chroot,proc_clock_highres,proc_exec,proc_fork,proc_info,proc_lock_memory,proc_owner,proc_priocntl,proc_session,proc_setid,proc_taskid,proc_zone,sys_acct,sys_admin,sys_audit,sys_config,sys_devices,sys_dl_config,sys_flow_config,sys_ib_config,sys_ib_info,sys_ip_config,sys_ipc_config,sys_iptun_config,sys_linkdir,sys_mount,sys_net_config,sys_nfs,sys_ppp_config,sys_res_bind,sys_res_config,sys_resource,sys_share,sys_smb,sys_suser_compat,sys_time,sys_trans_label,win_colormap,win_config,win_dac_read,win_dac_write,win_devices,win_dga,win_downgrade_sl,win_fontpath,win_mac_read,win_mac_write,win_selection,win_upgrade_sl

root@daddelkiste:~# ppriv $$
2183:   -bash
flags = <none>
        E: all
        I: basic
        P: all
        L: all

junior@daddelkiste:~$ dtrace -n 'syscall:::entry { @num[execname] = count(); }'
dtrace: failed to initialize dtrace: DTrace requires additional privileges

root@daddelkiste:~# usermod -K defaultpriv=basic,dtrace_kernel,dtrace_proc,dtrace_user junior
UX: usermod: junior is currently logged in, some changes may not take effect until next login.

junior@daddelkiste:~$ dtrace -n 'syscall:::entry { @num[execname] = count(); }'
dtrace: description 'syscall:::entry ' matched 211 probes
^C

  automountd                                                        1
  sshd                                                             24
  dtrace                                                          544
  auditd                                                          564

# ps -ef | grep kcfd
  daemon   125     1   0 14:24:19 ?           0:00 /usr/lib/crypto/kcfd
    root   734   728   0 15:54:08 pts/1       0:00 grep kcfd
# ppriv -v 125
125:    /usr/lib/crypto/kcfd
flags = PRIV_AWARE
        E: file_owner,proc_priocntl,sys_devices
        I: none
        P: file_owner,proc_priocntl,sys_devices
        L: none

# svcadm -v enable -s apache2
svc:/network/http:apache2 enabled.

jmoekamp@client:~$ ps -ef | grep http
webservd  1978  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1979  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1980  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1984  1975   0 12:20:02 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
    root  1975     1   0 12:19:14 ?           0:01 /usr/apache2/2.2/bin/httpd -k start
webservd  1977  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1976  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start

root@client:~# ppriv 1977
1977:   /usr/apache2/2.2/bin/httpd -k start
flags = <none>
        E: basic
        I: basic
        P: basic
        L: all
root@client:~# ppriv 1975
1975:   /usr/apache2/2.2/bin/httpd -k start
flags = <none>
        E: all
        I: basic
        P: all
        L: all
root@client:~#
contract_eventcontract_identitycontract_observercpc_cpudtrace_kerneldtrace_procdtrace_userfile_chownfile_chown_selffile_dac_executefile_dac_readfile_dac_searchfile_dac_writefile_downgrade_slfile_flag_setfile_link_anyfile_ownerfile_readfile_setidfile_upgrade_slfile_writegraphics_accessgraphics_mapipc_dac_readipc_dac_writeipc_ownernet_accessnet_bindmlpnet_icmpaccessnet_mac_awarenet_mac_implicitnet_observabilitynet_privaddrnet_rawaccessproc_auditproc_chrootproc_clock_highresproc_execproc_forkproc_infoproc_lock_memoryproc_ownerproc_priocntlproc_sessionproc_setidproc_taskidproc_zonesys_acctsys_adminsys_auditsys_configsys_devicessys_dl_configsys_flow_configsys_ib_configsys_ib_infosys_ip_configsys_ipc_configsys_iptun_configsys_linkdirsys_mountsys_net_configsys_nfssys_ppp_configsys_res_bindsys_res_configsys_resourcesys_sharesys_smbsys_suser_compatsys_timesys_trans_labelwin_colormapwin_configwin_dac_readwin_dac_writewin_deviceswin_dgawin_downgrade_slwin_fontpathwin_mac_readwin_mac_writewin_selectionwin_upgrade_sl
The apache process as root has the following privileges
c0t0d0s0org66
contract_eventcontract_identitycontract_observercpc_cpudtrace_kerneldtrace_procdtrace_userfile_chownfile_chown_selffile_dac_executefile_dac_readfile_dac_searchfile_dac_writefile_downgrade_slfile_flag_setfile_link_anyfile_ownerfile_readfile_setidfile_upgrade_slfile_writegraphics_accessgraphics_mapipc_dac_readipc_dac_writeipc_ownernet_accessnet_bindmlpnet_icmpaccessnet_mac_awarenet_mac_implicitnet_observabilitynet_privaddrnet_rawaccessproc_auditproc_chrootproc_clock_highresproc_execproc_forkproc_infoproc_lock_memoryproc_ownerproc_priocntlproc_sessionproc_setidproc_taskidproc_zonesys_acctsys_adminsys_auditsys_configsys_devicessys_dl_configsys_flow_configsys_ib_configsys_ib_infosys_ip_configsys_ipc_configsys_iptun_configsys_linkdirsys_mountsys_net_configsys_nfssys_ppp_configsys_res_bindsys_res_configsys_resourcesys_sharesys_smbsys_suser_compatsys_timesys_trans_labelwin_colormapwin_configwin_dac_readwin_dac_writewin_deviceswin_dgawin_downgrade_slwin_fontpathwin_mac_readwin_mac_writewin_selectionwin_upgrade_sl
The other processes have the following privileges
c0t0d0s0org67
contract_eventcontract_identitycontract_observercpc_cpudtrace_kerneldtrace_procdtrace_userfile_chownfile_chown_selffile_dac_executefile_dac_readfile_dac_searchfile_dac_writefile_downgrade_slfile_flag_setfile_link_anyfile_ownerfile_readfile_setidfile_upgrade_slfile_writegraphics_accessgraphics_mapipc_dac_readipc_dac_writeipc_ownernet_accessnet_bindmlpnet_icmpaccessnet_mac_awarenet_mac_implicitnet_observabilitynet_privaddrnet_rawaccessproc_auditproc_chrootproc_clock_highresproc_execproc_forkproc_infoproc_lock_memoryproc_ownerproc_priocntlproc_sessionproc_setidproc_taskidproc_zonesys_acctsys_adminsys_auditsys_configsys_devicessys_dl_configsys_flow_configsys_ib_configsys_ib_infosys_ip_configsys_ipc_configsys_iptun_configsys_linkdirsys_mountsys_net_configsys_nfssys_ppp_configsys_res_bindsys_res_configsys_resourcesys_sharesys_smbsys_suser_compatsys_timesys_trans_labelwin_colormapwin_configwin_dac_readwin_dac_writewin_deviceswin_dgawin_downgrade_slwin_fontpathwin_mac_readwin_mac_writewin_selectionwin_upgrade_sl
Apache really needs only a small subset of these (the set configured below with svccfg: basic, proc_session, proc_info, file_link_any, net_privaddr).
So you grant one process a large number of privileges that Apache doesn't need.

# svcadm -v disable -s apache2
svc:/network/http:apache2 disabled.
root@client:~# svccfg -s apache22
svc:/network/http:apache22> setprop start/user = astring: webservd
svc:/network/http:apache22> setprop start/group = astring: webservd
svc:/network/http:apache22> setprop start/privileges = astring: basic,proc_session,proc_info,file_link_any,net_privaddr
svc:/network/http:apache22> setprop start/limit_privileges = astring: default
svc:/network/http:apache22> setprop start/use_profile = boolean: false
svc:/network/http:apache22> setprop start/supp_groups = astring: default
svc:/network/http:apache22> setprop start/working_directory = astring: default
svc:/network/http:apache22> setprop start/project = astring: default
svc:/network/http:apache22> setprop start/resource_pool = astring: default
svc:/network/http:apache22> end
root@client:~# svcadm -v refresh apache22
Action refresh set for svc:/network/http:apache22.
# echo "LockFile /var/apache2/2.2/logs/accept.lock" >> /etc/apache2/2.2/httpd.conf
# echo "PidFile /var/apache2/2.2/run/httpd.pid" >> /etc/apache2/2.2/httpd.conf
# mkdir -p -m 755 /var/apache2/2.2/run
# chown webservd:webservd /var/apache2/2.2/run
# svcadm enable apache22
webservd  3064  3061  0 16:49:18 ?  0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3062  3061  0 16:49:18 ?  0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3063  3061  0 16:49:18 ?  0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3066  3061  0 16:49:18 ?  0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3061     1  0 16:49:17 ?  0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3065  3061  0 16:49:18 ?  0:00 /usr/apache2/2.2/bin/httpd -k start
Read-only zone root
zonecfg:testzone> set file-mac-profile=none
    Standard read-write non-global zone, with no additional protection beyond the existing zone's boundaries.
zonecfg:testzone> set file-mac-profile=strict
    Read-only file system, no exceptions.
zonecfg:testzone> set file-mac-profile=fixed-configuration
    Permits updates to /var/* directories, with the exception of directories that contain system configuration components.
zonecfg:testzone> set file-mac-profile=flexible-configuration
    Permits modification of files in /etc/* directories, changes to root's home directory, and updates to /var/* directories. This configuration provides the closest functionality to the Oracle Solaris 10 native sparse root zone.
in-kernel SSL Proxy
# mkdir /etc/keys
# cd /etc/keys
# openssl req -x509 -nodes -days 365 -subj "/C=DE/ST=Hamburg/L=Hamburg/CN=server" -newkey rsa:1024 -keyout /etc/keys/mykey.pem -out /etc/keys/mycert.pem
# cat mycert.pem mykey.pem > my.pem
# chmod 600 my.pem
# echo "pass" > /etc/keys/mypass
# ksslcfg create -f pem -i /etc/keys/my.pem -x 8080 -p /etc/keys/mypass server 443
# ksslcfg create -f pem -i /etc/keys/my.pem -x 8080 -p /etc/keys/mypass -c rsa_aes_256_cbc_sha,rsa_aes_128_cbc_sha,rsa_rc4_128_sha,rsa_rc4_128_md5 server 443
# svcs -a | grep kssl
online          9:03:33 svc:/network/ssl/proxy:kssl-server-443
# svcadm disable apache22
# echo "Listen 192.168.178.108:8080" >> /etc/apache2/2.2/httpd.conf
# svcadm enable apache22
Port number and IP address have to be defined in httpd.conf, otherwise it will not work.
# openssl s_client -connect server:443
CONNECTED(00000004)
depth=0 /C=DE/ST=Hamburg/L=Hamburg/CN=server
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=DE/ST=Hamburg/L=Hamburg/CN=server
verify return:1
---
Certificate chain
 0 s:/C=DE/ST=Hamburg/L=Hamburg/CN=server
   i:/C=DE/ST=Hamburg/L=Hamburg/CN=server
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICoTCCAgqgAwIBAgIJAKyJdj[...]V5jX3MU=
-----END CERTIFICATE-----
subject=/C=DE/ST=Hamburg/L=Hamburg/CN=server
issuer=/C=DE/ST=Hamburg/L=Hamburg/CN=server
---
No client certificate CA names sent
---
SSL handshake has read 817 bytes and written 328 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-SHA
    Session-ID: 32CEF20CB9FE2A71C74D40BB2DB5CB304DA1B57540B7CFDD113915B99DBE9812
    Session-ID-ctx:
    Master-Key: 1E7B502390951124779C5763B5E4BBAF0A9B0693D08DCA8A587B503A5C5027B6FAD9CA7626B1AD8C62219E8502A5C21E
    Key-Arg   : None
    Start Time: 1242985143
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
GET / HTTP/1.0

HTTP/1.1 200 OK
Date: Fri, 22 May 2009 09:39:13 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8a DAV/2
Last-Modified: Thu, 21 May 2009 21:26:30 GMT
ETag: "341f3-2c-46a72cc211a8f"
Accept-Ranges: bytes
Content-Length: 44
Connection: close
Content-Type: text/html

<html><body><h1>It works!</h1></body></html>
read:errno=0
ZFS Encryption
# zfs create -o encryption=on rpool/export/project
wrapping key (user settable): supplied via keysource = prompt, file://, https:// or pkcs11:
encryption key (random, not user settable)
aes-128-ccm (=on), aes-192-ccm, aes-256-ccm, aes-128-gcm, aes-192-gcm, aes-256-gcm
# zfs set checksum=sha256+mac <dataset>
If encryption is not off, something like the command above happens automatically, and the checksum property is read-only from then on.
# pktool genkey keystore=pkcs11 keytype=aes keylen=128 label=mykey
Enter PIN for Sun Software PKCS#11 softtoken:
# zfs create -o encryption=on -o keysource=raw,pkcs11:object=mykey tank/project/C
Enter PKCS#11 token PIN for 'tank/project/C':
# zfs create -o encryption=on -o keysource=raw,https://keys.example.com/mykey tank/project/R
# cp myserver.cert.pem /etc/certs/CA
# svcadm refresh ca-certificates
Changing the wrapping key:
$ zfs key -c rpool/export/project
Enter new passphrase for 'rpool/export/project':
Changing the encryption key for data written from now on:
# zfs key -K tank/project/A
# zfs clone -K tank/project/A@montag tank/project/D
Creates a new data encryption key. Data written in the clone uses the new data encryption key, which is distinct from its original snapshot.
Solaris Cryptographic Framework
As soon as Solaris detects hardware acceleration for cryptography, Solaris will use it (and so will applications using the Oracle-supplied OpenSSL library or the direct interfaces):
• on-chip crypto accelerator in T- and current M-series chips
• instruction set extensions in Intel processors (AES-NI)
• supported crypto accelerator cards
Just a side note: T-series crypto acceleration and Intel x86 acceleration have quite different performance characteristics.
T-series: acceleration by offloading crypto outside the pipeline.
Intel x86: acceleration by offering special in-pipeline instructions to speed up execution.
Sounds like splitting hairs ...
Using ZFS to do two-factor encryption
jmoekamp@solaris:~$ rmformat
Looking for devices...
     1. Logical Node: /dev/rdsk/c10t0d0p0
        Physical Node: /pci@0,0/pci8086,265c@b/storage@2/disk@0,0
        Connected Device: SanDisk  U3 Cruzer Micro  8.02
        Device Type: Removable
        Bus: USB
        Size: 3.8 GB
        Label:
        Access permissions: Medium is not write protected.
(...)
     3. Logical Node: /dev/rdsk/c9t0d0p0
        Physical Node: /pci@0,0/pci8086,265c@b/storage@1/disk@0,0
        Connected Device: SanDisk  U3 Cruzer Micro  8.02
        Device Type: Removable
        Bus: USB
        Size: 3.8 GB
        Label:
        Access permissions: Medium is not write protected.
root@solaris:~# zpool create a_keystore_usbstick /dev/dsk/c10t0d0p0
root@solaris:~# zpool create datastick /dev/dsk/c9t0d0p0
root@solaris:~# zfs create -o encryption=on a_keystore_usbstick/keys
Enter passphrase for 'a_keystore_usbstick/keys': supersecret
Enter again: supersecret
root@solaris:~# pktool genkey keystore=file keytype=aes keylen=128 outkey=/a_keystore_usbstick/keys/joergsdatastick.key
root@solaris:~# zfs create -o encryption=on -o keysource=raw,file:///a_keystore_usbstick/keys/joergsdatastick.key datastick/joergssecrets
root@solaris:/datastick/joergssecrets# mv /home/jmoekamp/highlyconfidential_nda_presos.tgz .
root@solaris:~# zpool export a_keystore_usbstick
root@solaris:~# zpool export datastick
root@solaris:~# zpool import a_keystore_usbstick
Enter passphrase for 'a_keystore_usbstick/keys': supersecret
root@solaris:~#
root@solaris:~# zpool import datastick
root@solaris:~# cd /datastick/joergssecrets
root@solaris:/datastick/joergssecrets# ls
highconfidential_nda_presos.tgz
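The key hierarchy behind "zfs key -c" and "zfs key -K", and the raw-key-on-a-keystore setup just shown, modelled as an added Python example (not ZFS code): the HMAC-SHA256 counter-mode stream cipher stands in for AES-CCM so it runs with the standard library only, and all keys, salts and block contents are constructed.

```python
import hashlib
import hmac
import os


def stream_xor(key, nonce, data):
    """Stand-in for AES-CCM's confidentiality: XOR with an HMAC-SHA256 counter keystream."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, nonce + offset.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def seal(key, plaintext):
    """Encrypt-then-MAC; the tag plays the role of the CCM/GCM authentication tag."""
    nonce = os.urandom(12)
    ciphertext = stream_xor(key, nonce, plaintext)
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce, ciphertext, tag


def open_sealed(key, sealed):
    nonce, ciphertext, tag = sealed
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or corrupted data")
    return stream_xor(key, nonce, ciphertext)


def wrapping_key_from_passphrase(passphrase, salt):
    """keysource=passphrase,prompt: the wrapping key is derived and never stored."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000, 32)


def wrapping_key_from_raw(raw_key):
    """keysource=raw,file://...: a 128-bit key such as pktool genkey keylen=128 writes."""
    if len(raw_key) != 16:
        raise ValueError("raw key must be 16 bytes")
    return raw_key


class EncryptedDataset:
    """One dataset: data keys are random, never user settable, and stored only wrapped."""

    def __init__(self, wrapping_key):
        self.wrapped_keys = []      # one sealed data key per generation
        self.blocks = {}            # block id -> (key generation, sealed block)
        self._add_data_key(wrapping_key)

    def _add_data_key(self, wrapping_key):
        self.wrapped_keys.append(seal(wrapping_key, os.urandom(32)))

    def _data_key(self, wrapping_key, generation):
        return open_sealed(wrapping_key, self.wrapped_keys[generation])

    def write(self, wrapping_key, block_id, data):
        generation = len(self.wrapped_keys) - 1          # newest key for new writes
        self.blocks[block_id] = (generation, seal(self._data_key(wrapping_key, generation), data))

    def read(self, wrapping_key, block_id):
        generation, sealed = self.blocks[block_id]
        return open_sealed(self._data_key(wrapping_key, generation), sealed)

    def change_wrapping_key(self, old_wrapping_key, new_wrapping_key):
        """zfs key -c: every data key is rewrapped; no data block is touched."""
        self.wrapped_keys = [seal(new_wrapping_key, open_sealed(old_wrapping_key, w))
                             for w in self.wrapped_keys]

    def rekey(self, wrapping_key):
        """zfs key -K: a fresh data key for data written from now on; older blocks keep theirs."""
        open_sealed(wrapping_key, self.wrapped_keys[-1])    # refuse without the wrapping key
        self._add_data_key(wrapping_key)


if __name__ == "__main__":
    # Constructed demo mirroring the two-factor setup: the raw key lives on the keyst
    keystore_key = wrapping_key_from_raw(os.urandom(16))
    secrets = EncryptedDataset(keystore_key)
    secrets.write(keystore_key, 0, b"highly confidential NDA preso")
    print(secrets.read(keystore_key, 0))
```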
Basic Auditing and Reporting Tool
# mkdir /bart-files
# bart create -R /etc > /bart-files/etc.control.manifest
# cat etc.control.manifest | grep nsswitch.nisplus
/nsswitch.nisplus F 2525 100644 user::rw-,group::r--,mask:r--,other:r-- 473976b5 0 3 79e8fd689a5221d1cd059e5077da71b8
# touch /etc/thisisjustatest
# chmod 777 /etc/nsswitch.files
# echo "just a test" >> /etc/nsswitch.nisplus
# bart create -R /etc > /bart-files/etc.check.20130911.manifest
# cd /bart-files
# bart compare etc.control.manifest etc.check.20130911.manifest
/nsswitch.files:
  mode  control:100644  test:100777
  acl  control:user::rw-,group::r--,mask:r--,other:r--  test:user::rwx,group::rwx,mask:rwx,other:rwx
/nsswitch.nisplus:
  size  control:2525  test:2538
  mtime  control:473976b5  test:47a44862
  contents  control:79e8fd689a5221d1cd059e5077da71b8  test:3f79176ec352441db11ec8a3d02ef67c
/thisisjustatest:
  add
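The comparison "bart compare" performs, reimplemented as an added Python example (not BART's code): it parses two constructed manifests of the shape shown above and produces the same kind of report; a rules-file IGNORE directive is modelled by the `ignore` parameter, and the contents hash of /nsswitch.files is made up.

```python
# Attribute order of a BART manifest entry; type D entries stop before "contents".
FIELDS = ("type", "size", "mode", "acl", "mtime", "uid", "gid", "contents")

# Constructed manifests: the nsswitch.nisplus and thisisjustatest values follow the
# slides, the remaining entries and the nsswitch.files hash are invented.
CONTROL = """\
! Version 1.1
! Wednesday, September 11, 2013 (10:00:00)
# Format:
#fname D size mode acl dirmtime uid gid
#fname F size mode acl mtime uid gid contents
/ D 1024 40755 user::rwx,group::r-x,mask:r-x,other:r-x 52301b00 0 3
/nsswitch.files F 1028 100644 user::rw-,group::r--,mask:r--,other:r-- 473976b5 0 3 0e6f1b0ee1d2e1ff8e9f7f1c0c8b2a11
/nsswitch.nisplus F 2525 100644 user::rw-,group::r--,mask:r--,other:r-- 473976b5 0 3 79e8fd689a5221d1cd059e5077da71b8
"""

TEST = """\
! Version 1.1
! Wednesday, September 11, 2013 (11:00:00)
/ D 1024 40755 user::rwx,group::r-x,mask:r-x,other:r-x 52301b00 0 3
/nsswitch.files F 1028 100777 user::rwx,group::rwx,mask:rwx,other:rwx 473976b5 0 3 0e6f1b0ee1d2e1ff8e9f7f1c0c8b2a11
/nsswitch.nisplus F 2538 100644 user::rw-,group::r--,mask:r--,other:r-- 47a44862 0 3 3f79176ec352441db11ec8a3d02ef67c
/thisisjustatest F 0 100644 user::rw-,group::r--,mask:r--,other:r-- 52305e00 0 0 d41d8cd98f00b204e9800998ecf8427e
"""


def parse_manifest(text):
    """Parse manifest lines into {name: {attribute: value}}; header lines start with ! or #."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "!#":
            continue
        name, *values = line.split()
        entries[name] = dict(zip(FIELDS, values))
    return entries


def compare(control, test, ignore=()):
    """Return (name, attribute, control value, test value) rows in report order.

    Added and deleted files yield a single 'add'/'delete' row with None values.
    `ignore` lists attributes to skip, like "IGNORE mtime" in a BART rules file.
    """
    rows = []
    for name in sorted(set(control) | set(test)):
        ctl, tst = control.get(name), test.get(name)
        if ctl is None:
            rows.append((name, "add", None, None))
        elif tst is None:
            rows.append((name, "delete", None, None))
        else:
            for attr in FIELDS:
                if attr in ignore or attr not in ctl or attr not in tst:
                    continue
                if ctl[attr] != tst[attr]:
                    rows.append((name, attr, ctl[attr], tst[attr]))
    return rows


def format_report(rows):
    """Render rows the way bart compare prints them."""
    lines, current = [], None
    for name, attr, cval, tval in rows:
        if name != current:
            lines.append(f"{name}:")
            current = name
        lines.append(f"  {attr}" if cval is None else f"  {attr}  control:{cval}  test:{tval}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(compare(parse_manifest(CONTROL), parse_manifest(TEST))))
```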
Find more information regarding this feature at http://www.c0t0d0s0.org/archives/4069-Less-known-Solaris-features-BART.html
Apropos Auditing
Auditing is activated by default
root@client:~# auditconfig -getflags
active user default audit flags = lo(0x1000,0x1000)
configured user default audit flags = lo(0x1000,0x1000)
root@client:~# auditconfig -getnaflags
active non-attributable audit flags = lo(0x1000,0x1000)
configured non-attributable audit flags = lo(0x1000,0x1000)
root@client:~# auditconfig -getpolicy
configured audit policies = cnt
active audit policies = cnt
Policy regarding auditing (explanation on the next slide)
root@client:~# auditconfig -lspolicy
policy string    description:
ahlt             halt machine if it can not record an async event
all              all policies
arge             include exec environment args in audit recs
argv             include exec command line args in audit recs
cnt              when no more space, drop recs and keep a cnt
group            include supplementary groups in audit recs
none             no policies
path             allow multiple paths per event
perzone          use a separate queue and auditd per zone
public           audit public files
seq              include a sequence number in audit recs
trail            include trailer token in audit recs
windata_down     include downgraded window information in audit recs
windata_up       include upgraded window information in audit recs
zonename         include zonename token in audit recs
Which degree of detail? What happens with full disks?
root@client:~# auditconfig -getplugin
Plugin: audit_binfile (active)
    Attributes: p_dir=/var/audit;p_fsize=0;p_minfree=1
Plugin: audit_syslog (inactive)
    Attributes: p_flags=
Plugin: audit_remote (inactive)
    Attributes: p_hosts=;p_retries=3;p_timeout=5
root@client:~# auditconfig -setflags lo,ps,fw
user default audit flags = ps,lo,fw(0x101002,0x101002)
root@client:~# auditconfig -setnaflags lo,na
non-attributable audit flags = lo,na(0x1400,0x1400)
lo and na are the only sensible flags for non-attributable events.
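How the masks in parentheses come about, as an added Python example (not Oracle code): it computes the success and failure preselection masks from a flags string, including the "+", "-" and "^" prefixes of audit_flags(5), using the class bits that can be read off the auditconfig output above; on a real system they come from /etc/security/audit_class, and only the classes the slides show are included.

```python
MASK64 = (1 << 64) - 1

# Class bits as they appear in the slides' auditconfig output:
#   lo(0x1000,0x1000), lo,na(0x1400,0x1400), ps,lo,fw(0x101002,0x101002), all(0xfff...)
CLASS_MASK = {
    "no": 0x0,
    "fw": 0x2,
    "na": 0x400,
    "lo": 0x1000,
    "ps": 0x100000,
    "all": MASK64,
}


def preselection_mask(flags):
    """Return (success_mask, failure_mask) for a string such as "lo,ps,fw".

    Prefixes follow audit_flags(5): "+lo" selects only successful events,
    "-fw" only failed ones, and "^ps" removes a class selected earlier.
    """
    success = failure = 0
    for token in flags.split(","):
        token = token.strip()
        if not token:
            continue
        prefix = ""
        while token and token[0] in "+-^":
            prefix += token[0]
            token = token[1:]
        if token not in CLASS_MASK:
            raise ValueError(f"unknown audit class {token!r}")
        bits = CLASS_MASK[token]
        on_success = "-" not in prefix      # "-" means failures only
        on_failure = "+" not in prefix      # "+" means successes only
        if "^" in prefix:
            if on_success:
                success &= MASK64 & ~bits
            if on_failure:
                failure &= MASK64 & ~bits
        else:
            if on_success:
                success |= bits
            if on_failure:
                failure |= bits
    return success, failure


def format_masks(success, failure):
    """Render the masks the way auditconfig prints them, e.g. (0x1000,0x1000)."""
    return f"(0x{success:x},0x{failure:x})"


def event_is_audited(event_classes, success_mask, failure_mask, succeeded):
    """Preselection: an event is recorded when one of its classes is selected
    in the mask that matches its outcome (AUE_OPEN_W is class fw, AUE_login is lo)."""
    bits = 0
    for cls in event_classes:
        bits |= CLASS_MASK[cls]
    return bool(bits & (success_mask if succeeded else failure_mask))


if __name__ == "__main__":
    for flags in ("lo", "lo,ps,fw", "lo,na", "lo,-fw", "all,^ps"):
        print(f"{flags:10} -> {format_masks(*preselection_mask(flags))}")
```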
root@client:~# usermod -K audit_flags=fwas junior
root@client:~# auditconfig -lsevent | grep lo
AUE_login                 6152 lo login - local
AUE_logout                6153 lo logout
AUE_telnet                6154 lo login - telnet
AUE_rlogin                6155 lo login - rlogin
AUE_rshd                  6158 lo rsh access
AUE_su                    6159 lo su
AUE_rexecd                6162 lo rexecd
AUE_passwd                6163 lo passwd
AUE_rexd                  6164 lo rexd
AUE_ftpd                  6165 lo ftp access
AUE_ftpd_logout           6171 lo ftp logout
AUE_ssh                   6172 lo login - ssh
AUE_role_login            6173 lo role login
AUE_rad_login             6174 lo connect to RAD
AUE_newgrp_login          6212 lo newgrp login
AUE_admin_authenticate    6213 lo admin login
AUE_screenlock            6221 lo screenlock - lock
AUE_screenunlock          6222 lo screenlock - unlock
AUE_zlogin                6227 lo login - zlogin
AUE_su_logout             6228 lo su logout
AUE_role_logout           6229 lo role logout
AUE_smbd_session          6244 lo smbd(1m) session setup
AUE_smbd_logoff           6245 lo smbd(1m) session logoff
root@client:~# auditconfig -lsevent | grep ps
AUE_EXIT                  1 ps exit(2)
AUE_FORKALL               2 ps forkall(2)
AUE_VFORK                 25 ps vfork(2)
AUE_FORK1                 241 ps fork1(2)
root@client:~# auditconfig -lsevent | grep fw
AUE_OPEN_W                76 fw open(2) - write
# auditreduce -c ps /var/audit/20130912183630.not_terminated.client | praudit
header,139,2,execve(2),,client,2013-09-12 18:40:55.924 +00:00
path,/usr/sbin/auditreduce
attribute,100555,root,bin,65538,65875,18446744073709551615
subject,jmoekamp,root,root,root,root,2054,1440080956,2480 202240 192.168.10.1
return,success,0
root@client:~# auditconfig -setflags all
user default audit flags = all(0xffffffffffffffff,0xffffffffffffffff)
Not always a good idea (in the sense of: never).
Useful after trying things out, to start a new audit file:
root@client:~# audit -n
root@client:~# auditstat
  gen nona kern  aud  ctl   enq  wrtn wblk rblk drop  tot  mem
38248    1 38233  14    0 37791 37788    0 3491  457 5169    0
all activated for a few seconds on an unloaded system
SSH and X.509
root@ca:~# CA.pl -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
......++++++
......++++++
writing new private key to '/etc/openssl/private/cakey.pem'
Enter PEM pass phrase: supersecret1
Verifying - Enter PEM pass phrase: supersecret1
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:DE
State or Province Name (full name) []:Lower Saxony
Locality Name (eg, city) []:Lueneburg
Organization Name (eg, company) []:c0t0d0s0.org
Organizational Unit Name (eg, section) []:Security Department
Common Name (eg, server FQDN or YOUR name) []:CA
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openssl/openssl.cnf
Enter pass phrase for /etc/openssl/private/cakey.pem: supersecret1
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            b3:54:80:88:66:ad:e8:78
        Validity
            Not Before: Sep 26 10:11:09 2013 GMT
            Not After : Sep 25 10:11:09 2016 GMT
        Subject:
            countryName               = DE
            stateOrProvinceName       = Lower Saxony
            organizationName          = c0t0d0s0.org
            organizationalUnitName    = Security Department
            commonName                = CA
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44
            X509v3 Authority Key Identifier:
                keyid:5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44
            X509v3 Basic Constraints:
                CA:TRUE
Certificate is to be certified until Sep 25 10:11:09 2016 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated
root@ca:~# mkdir server
root@ca:~# cd server
root@ca:~/server# CA.pl -newreq
Generating a 1024 bit RSA private key
......++++++
......++++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase: supersecret2
Verifying - Enter PEM pass phrase: supersecret2
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:DE
State or Province Name (full name) []:Lower Saxony
Locality Name (eg, city) []:Lueneburg
Organization Name (eg, company) []:c0t0d0s0.org
Organizational Unit Name (eg, section) []:Server Certificates
Common Name (eg, server FQDN or YOUR name) []:server
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem
root@ca:~/server# CA.pl -signreq
Using configuration from /etc/openssl/openssl.cnf
Enter pass phrase for /etc/openssl/private/cakey.pem: supersecret1
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            b3:54:80:88:66:ad:e8:79
        Validity
            Not Before: Sep 26 10:29:12 2013 GMT
            Not After : Sep 26 10:29:12 2014 GMT
        Subject:
            countryName               = DE
            stateOrProvinceName       = Lower Saxony
            localityName              = Lueneburg
            organizationName          = c0t0d0s0.org
            organizationalUnitName    = Server Certificates
            commonName                = server
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                A7:DC:03:DE:B3:D5:FB:F9:C0:06:F1:1A:55:A9:AD:04:C4:9C:10:FA
            X509v3 Authority Key Identifier:
                keyid:5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44
Certificate is to be certified until Sep 26 10:29:12 2014 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
root@ca:~/server# ls -l
total 15
-rw-r--r--   1 root     root        3196 Sep 26 12:29 newcert.pem
-rw-r--r--   1 root     root        1041 Sep 26 12:28 newkey.pem
-rw-r--r--   1 root     root         680 Sep 26 12:28 newreq.pem
root@ca:~/junior# CA.pl -newreq
Generating a 1024 bit RSA private key
......++++++
......++++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
Verify failure
Enter PEM pass phrase: supersecret3
Verifying - Enter PEM pass phrase: supersecret3
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:DE
State or Province Name (full name) []:Lower Saxony
Locality Name (eg, city) []:Lueneburg
Organization Name (eg, company) []:c0t0d0s0.org
Organizational Unit Name (eg, section) []:User certificates
Common Name (eg, server FQDN or YOUR name) []:junior
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem
root@ca:~/junior# CA.pl -signreq
Using configuration from /etc/openssl/openssl.cnf
Enter pass phrase for /etc/openssl/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            b3:54:80:88:66:ad:e8:7a
        Validity
            Not Before: Sep 26 11:09:29 2013 GMT
            Not After : Sep 26 11:09:29 2014 GMT
        Subject:
            countryName               = DE
            stateOrProvinceName       = Lower Saxony
            localityName              = Lueneburg
            organizationName          = c0t0d0s0.org
            organizationalUnitName    = User certificates
            commonName                = junior
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                A1:F2:FC:9D:8A:E2:AD:9A:F5:29:03:F5:B7:14:93:3C:64:62:8E:9C
            X509v3 Authority Key Identifier:
                keyid:5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44
Certificate is to be certified until Sep 26 11:09:29 2014 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
root@server:~# useradd -m junior
80 blocks
root@server:~# passwd junior
New Password:
Re-enter new Password:
passwd: password successfully changed for junior
root@server:~#

root@client:~# useradd -m junior
80 blocks
root@client:~# passwd junior
New Password:
Re-enter new Password:
passwd: password successfully changed for junior
root@server:~# echo "192.168.10.51 server" >> /etc/hosts
root@server:~# echo "192.168.10.52 client" >> /etc/hosts

root@client:~# echo "192.168.10.51 server" >> /etc/hosts
root@client:~# echo "192.168.10.52 client" >> /etc/hosts
root@ca:~/server# scp /etc/openssl/cacert.pem jmoekamp@192.168.1.109:/export/home/jmoekamp
Password:
cacert.pem           100% |*****************************|  3011       00:00
root@ca:~/server# scp newcert.pem jmoekamp@192.168.1.109:/export/home/jmoekamp
Password:
newcert.pem          100% |*****************************|  3196       00:00
root@ca:~/server# scp newkey.pem jmoekamp@192.168.1.109:/export/home/jmoekamp
Password:
newkey.pem           100% |*****************************|  1041       00:00

root@ca:~/junior# scp newkey.pem junior@client:/export/home/junior
Password:
newkey.pem           100% |*****************************|  1041       00:00
root@ca:~/junior# scp newcert.pem junior@client:/export/home/junior
Password:
newcert.pem          100% |*****************************|  3190       00:00
root@ca:~/junior# scp /etc/openssl/cacert.pem junior@192.168.1.104:/export/home/junior
Password:
cacert.pem           100% |*****************************|  3011       00:00
On the Server
root@server:~# ls
cacert.pem   newcert.pem  newkey.pem
root@server:~# pktool setpin
Enter token passphrase: changeme
Create new passphrase: superserversecret
Re-enter new passphrase: superserversecret
Passphrase changed.
root@server:~#
root@server:~# printf "superserversecret" > /etc/ssh/pinfile
root@server:~# kmfcfg create dbfile=/etc/ssh/policy.xml policy=ssh ta-name=search mapper-name=cn
root@server:~# echo "TrustedAnchorKeystore /etc/ssh/cert" >> /etc/ssh/sshd_config
root@server:~# echo "KMFPolicyDatabase /etc/ssh/policy.xml" >> /etc/ssh/sshd_config
root@server:~# echo "KMFPolicyName ssh" >> /etc/ssh/sshd_config
root@server:~# echo "HostKey pkcs11:object=host;token=Sun Metaslot;pinfile=/etc/ssh/pinfile" >> /etc/ssh/sshd_config
root@server:~# pktool import keystore=pkcs11 infile=newkey.pem objtype=key label=host
Enter PIN for Sun Software PKCS#11 softtoken: superserversecret
Enter PEM pass phrase: supersecret2
Importing 1 keys
root@server:~# egrep -v "^ |^$|^Cert" /export/home/jmoekamp/cacert.pem > /etc/ssh/cert/cacert.cooked.pem
root@server:~# egrep -v "^ |^$|^Cert" newcert.pem > newcert.cooked.pem
root@server:~# pktool import keystore=pkcs11 infile=newcert.cooked.pem objtype=cert label=host
root@server:~#
On the client
junior@client:~$ ls *.pem
cacert.pem   newcert.pem  newkey.pem
root@client:~# kmfcfg create dbfile=/etc/ssh/policy.xml policy=ssh ta-name=search mapper-name=cn
root@client:~# egrep -v "^ |^$|^Cert" /export/home/junior/cacert.pem > /etc/ssh/cert/cacert.cooked.pem
junior@client:~$ pktool setpin
Enter token passphrase: changeme
Create new passphrase: superusersecret
Re-enter new passphrase: superusersecret
Passphrase changed.
junior@client:~$ pktool import keystore=pkcs11 infile=newkey.pem objtype=key label=user
Enter PIN for Sun Software PKCS#11 softtoken: superusersecret
Enter PEM pass phrase: supersecret3
Importing 1 keys
junior@client:~$ egrep -v "^ |^$|^Cert" newcert.pem > newcert.cooked.pem
junior@client:~$ pktool import keystore=pkcs11 infile=newcert.cooked.pem objtype=cert label=user
Testing it
root@server:~# svcadm disable ssh
root@server:~# svcadm enable ssh
junior@client:~$ cd .ssh
junior@client:~/.ssh$ printf "superusersecret" >> pinfile
junior@client:~/.ssh$ cat config
Host server-x509
    Hostname server
    TrustedAnchorKeystore /etc/ssh/cert
    KMFPolicyDatabase /etc/ssh/policy.xml
    KMFPolicyName ssh
    IdentityFile pkcs11:object=user;token=Sun Software PKCS#11 softtoken;pinfile=/export/home/junior/.ssh/pinfile
junior@client:~/.ssh$ ssh junior@server-x509
Last login: Thu Sep 26 20:07:14 2013 from client
Oracle Corporation      SunOS 5.11      11.1    September 2013
junior@server:~$
Find more information regarding this feature at http://www.c0t0d0s0.org/archives/7659-Using-X509-support-for-SSH-on-Solaris-11.1.html
OpenSCAP
„The Security Content Automation Protocol (SCAP) is a method for using specific standards to enable automated vulnerability management, measurement, and policy compliance evaluation (e.g., FISMA compliance). The National Vulnerability Database (NVD) is the U.S. government content repository for SCAP.“
http://en.wikipedia.org/wiki/Security_Content_Automation_Protocol
ftp-banner.xml:

<?xml version="1.0" encoding="UTF-8"?>
<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:independent-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd">
  <generator>
    <oval:product_name>Enhanced SCAP Editor</oval:product_name>
    <oval:product_version>0.0.11</oval:product_version>
    <oval:schema_version>5.8</oval:schema_version>
    <oval:timestamp>2012-10-11T10:33:25</oval:timestamp>
  </generator>
  <!--generated.oval.base.identifier=com.oracle.solaris11-->
  <definitions>
    <definition id="oval:com.oracle.solaris11:def:840" version="1" class="compliance">
      <metadata>
        <title>Enable a Warning Banner for the FTP Service</title>
        <affected family="unix">
          <platform>Oracle Solaris 11</platform>
        </affected>
        <description>/etc/proftpd.conf contains "DisplayConnect /etc/issue"</description>
      </metadata>
      <criteria operator="AND" negate="false" comment="Single test">
        <criterion comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;" test_ref="oval:com.oracle.solaris11:tst:8400" negate="false"/>
      </criteria>
    </definition>
  </definitions>
  <tests>
    <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:com.oracle.solaris11:tst:8400" version="1" check="all" comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;" check_existence="all_exist">
      <object object_ref="oval:com.oracle.solaris11:obj:8400"/>
    </textfilecontent54_test>
  </tests>
  <objects>
    <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:com.oracle.solaris11:obj:8400" version="1" comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;">
      <path datatype="string" operation="equals">/etc</path>
      <filename datatype="string" operation="equals">proftpd.conf</filename>
      <pattern datatype="string" operation="pattern match">^DisplayConnect\s*/etc/issue\s*$</pattern>
      <instance datatype="int" operation="greater than or equal">1</instance>
    </textfilecontent54_object>
  </objects>
</oval_definitions>
$ oscap oval eval ftp-banner.xml
Definition oval:com.oracle.solaris11:def:840: false
Evaluation done.

$ oscap oval eval --results results.xml --report report.html ftp-banner.xml
Definition oval:com.oracle.solaris11:def:840: false
Evaluation done.
OVAL Results are exported correctly.
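What "oscap oval eval" does with ftp-banner.xml, as an added Python example (not OpenSCAP code): it loads a reduced copy of the document with the same ids, object and pattern, evaluates the textfilecontent54 test against constructed /etc/proftpd.conf contents instead of the real file, and reports the per-definition result the slide shows.

```python
import re
import xml.etree.ElementTree as ET

DEF_NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
IND_NS = DEF_NS + "#independent"

# Reduced copy of ftp-banner.xml: same ids, object and pattern as the slides,
# generator metadata and schemaLocation left out.
FTP_BANNER_XML = f"""
<oval_definitions xmlns="{DEF_NS}">
  <definitions>
    <definition id="oval:com.oracle.solaris11:def:840" version="1" class="compliance">
      <criteria operator="AND" negate="false" comment="Single test">
        <criterion test_ref="oval:com.oracle.solaris11:tst:8400" negate="false"/>
      </criteria>
    </definition>
  </definitions>
  <tests>
    <textfilecontent54_test xmlns="{IND_NS}" id="oval:com.oracle.solaris11:tst:8400"
        version="1" check="all" check_existence="all_exist">
      <object object_ref="oval:com.oracle.solaris11:obj:8400"/>
    </textfilecontent54_test>
  </tests>
  <objects>
    <textfilecontent54_object xmlns="{IND_NS}" id="oval:com.oracle.solaris11:obj:8400" version="1">
      <path datatype="string" operation="equals">/etc</path>
      <filename datatype="string" operation="equals">proftpd.conf</filename>
      <pattern datatype="string" operation="pattern match">^DisplayConnect\\s*/etc/issue\\s*$</pattern>
      <instance datatype="int" operation="greater than or equal">1</instance>
    </textfilecontent54_object>
  </objects>
</oval_definitions>
"""

# Constructed snapshots of the file system, {absolute path: content}.
NONCOMPLIANT = {"/etc/proftpd.conf": 'ServerName "ProFTPD"\nDefaultServer on\n#DisplayConnect /etc/issue\n'}
COMPLIANT = {"/etc/proftpd.conf": NONCOMPLIANT["/etc/proftpd.conf"] + "DisplayConnect /etc/issue\n"}


def _q(ns, tag):
    return f"{{{ns}}}{tag}"


def load_oval(xml_text):
    root = ET.fromstring(xml_text.strip())
    definitions = {d.get("id"): d for d in root.iter(_q(DEF_NS, "definition"))}
    tests = {t.get("id"): t for t in root.iter(_q(IND_NS, "textfilecontent54_test"))}
    objects = {o.get("id"): o for o in root.iter(_q(IND_NS, "textfilecontent54_object"))}
    return definitions, tests, objects


def _instance_selected(index, wanted, operation):
    return {"equals": index == wanted,
            "greater than or equal": index >= wanted,
            "less than or equal": index <= wanted}[operation]


def collect_items(obj, files):
    """Apply a textfilecontent54_object to the snapshot and return the matching lines;
    a missing file simply yields no items."""
    path = obj.find(_q(IND_NS, "path")).text
    filename = obj.find(_q(IND_NS, "filename")).text
    pattern = re.compile(obj.find(_q(IND_NS, "pattern")).text, re.MULTILINE)
    inst = obj.find(_q(IND_NS, "instance"))
    content = files.get(f"{path}/{filename}")
    if content is None:
        return []
    matches = [m.group(0) for m in pattern.finditer(content)]
    return [m for i, m in enumerate(matches, start=1)
            if _instance_selected(i, int(inst.text), inst.get("operation"))]


def evaluate_test(test, objects, files):
    items = collect_items(objects[test.find(_q(IND_NS, "object")).get("object_ref")], files)
    existence = test.get("check_existence", "all_exist")
    if existence in ("all_exist", "at_least_one_exists"):
        return bool(items)          # there is no state element, so existence decides
    if existence == "none_exist":
        return not items
    raise ValueError(f"unsupported check_existence {existence!r}")


def evaluate_criteria(node, tests, objects, files):
    results = []
    for child in node:
        tag = child.tag.split("}")[-1]
        if tag == "criterion":
            result = evaluate_test(tests[child.get("test_ref")], objects, files)
            if child.get("negate", "false") == "true":
                result = not result
        elif tag == "criteria":
            result = evaluate_criteria(child, tests, objects, files)
        else:
            continue
        results.append(result)
    combined = all(results) if node.get("operator", "AND") == "AND" else any(results)
    return not combined if node.get("negate", "false") == "true" else combined


def evaluate(xml_text, files):
    """Return {definition id: result}, the lines 'oscap oval eval' prints."""
    definitions, tests, objects = load_oval(xml_text)
    return {def_id: evaluate_criteria(d.find(_q(DEF_NS, "criteria")), tests, objects, files)
            for def_id, d in definitions.items()}


if __name__ == "__main__":
    for def_id, result in evaluate(FTP_BANNER_XML, NONCOMPLIANT).items():
        print(f"Definition {def_id}: {str(result).lower()}")
```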
To create your own OVAL files: Enhanced SCAP Content Editor
Find more information regarding this feature at https://blogs.oracle.com/darren/entry/compliance_reporting_with_scap
root@solaris:~# sxadm exec -s aslr=disable /usr/bin/pmap self
1915:   /usr/bin/pmap self
0000000000400000         28K r-x--  /usr/bin/pmap
0000000000417000          4K rw---  /usr/bin/pmap
0000000000418000         40K rw---    [ heap ]
FFFF80FFBDDD0000        216K r-x--  /lib/amd64/libproc.so.1
FFFF80FFBDE16000          8K rw---  /lib/amd64/libproc.so.1
FFFF80FFBF430000       1764K r-x--  /lib/amd64/libc.so.1
FFFF80FFBF5F9000         64K rw---  /lib/amd64/libc.so.1
FFFF80FFBF609000         12K rw---  /lib/amd64/libc.so.1
FFFF80FFBF740000          4K rw---    [ anon ]
FFFF80FFBF750000         24K rwx--    [ anon ]
FFFF80FFBF760000          4K rw---    [ anon ]
FFFF80FFBF770000          4K rw---    [ anon ]
FFFF80FFBF780000          4K rw---    [ anon ]
FFFF80FFBF790000          4K rw---    [ anon ]
FFFF80FFBF792000          4K r--s-    [ anon ]
FFFF80FFBF795000        340K r-x--  /lib/amd64/ld.so.1
FFFF80FFBF7FA000         12K rwx--  /lib/amd64/ld.so.1
FFFF80FFBF7FD000          8K rwx--  /lib/amd64/ld.so.1
FFFF80FFBFFFD000         12K rw---    [ stack ]
 total                  2556K
root@solaris:~# sxadm exec -s aslr=enable /usr/bin/pmap self
1917:   /usr/bin/pmap self
0000000000400000         28K r-x--  /usr/bin/pmap
0000000000417000          4K rw---  /usr/bin/pmap
0000000000418000          8K rw---  /usr/bin/pmap
00000005D6666000         36K rw---    [ heap ]
00007FF669C70000        216K r-x--  /lib/amd64/libproc.so.1
00007FF669CB6000          8K rw---  /lib/amd64/libproc.so.1
00007FF669CC0000          4K rw---    [ anon ]
00007FF669CD0000         24K rwx--    [ anon ]
00007FF669CE0000          4K rw---    [ anon ]
00007FF669CF0000       1764K r-x--  /lib/amd64/libc.so.1
00007FF669EB9000         64K rw---  /lib/amd64/libc.so.1
00007FF669EC9000         12K rw---  /lib/amd64/libc.so.1
00007FF669ED0000          4K rw---    [ anon ]
00007FF669EE0000          4K rw---    [ anon ]
00007FF669EF0000          4K rw---    [ anon ]
00007FF669EF2000          4K r--s-    [ anon ]
00007FF669EFC000        340K r-x--  /lib/amd64/ld.so.1
00007FF669F61000         12K rwx--  /lib/amd64/ld.so.1
00007FF669F64000          8K rwx--  /lib/amd64/ld.so.1
FFFF80DDA254F000         16K rw---    [ stack ]
 total                  2564K
root@solaris:~# sxadm exec -s aslr=enable /usr/bin/pmap self
1918:   /usr/bin/pmap self
0000000000400000         28K r-x--  /usr/bin/pmap
0000000000417000          4K rw---  /usr/bin/pmap
0000000000418000          8K rw---  /usr/bin/pmap
000000065B76D000         36K rw---    [ heap ]
00007FFAACFC0000        216K r-x--  /lib/amd64/libproc.so.1
00007FFAAD006000          8K rw---  /lib/amd64/libproc.so.1
00007FFAAD010000          4K rw---    [ anon ]
00007FFAAD020000         24K rwx--    [ anon ]
00007FFAAD030000          4K rw---    [ anon ]
00007FFAAD040000       1764K r-x--  /lib/amd64/libc.so.1
00007FFAAD209000         64K rw---  /lib/amd64/libc.so.1
00007FFAAD219000         12K rw---  /lib/amd64/libc.so.1
00007FFAAD220000          4K rw---    [ anon ]
00007FFAAD230000          4K rw---    [ anon ]
00007FFAAD240000          4K rw---    [ anon ]
00007FFAAD242000          4K r--s-    [ anon ]
00007FFAAD24D000        340K r-x--  /lib/amd64/ld.so.1
00007FFAAD2B2000         12K rwx--  /lib/amd64/ld.so.1
00007FFAAD2B5000          8K rwx--  /lib/amd64/ld.so.1
FFFF80DE1559E000         12K rw---    [ stack ]
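A check that ASLR is actually randomising, as an added Python example (not Solaris code): it parses the two aslr=enable pmap listings above, reduced to a handful of mappings, and reports which objects moved between the runs and which stayed put (the pmap binary itself stays at 0x400000 because it is not position independent; heap, libraries, anon and stack move).

```python
import re

# address, size in K, permissions, object name (or "[ heap ]" style pseudo names)
PMAP_LINE = re.compile(r"^([0-9A-Fa-f]{16})\s+(\d+)K\s+(\S+)\s+(.+?)\s*$")

# Reduced copies of the two pids' listings from the slides.
RUN_1917 = """\
1917:   /usr/bin/pmap self
0000000000400000         28K r-x--  /usr/bin/pmap
0000000000417000          4K rw---  /usr/bin/pmap
00000005D6666000         36K rw---    [ heap ]
00007FF669C70000        216K r-x--  /lib/amd64/libproc.so.1
00007FF669CC0000          4K rw---    [ anon ]
00007FF669CF0000       1764K r-x--  /lib/amd64/libc.so.1
00007FF669EFC000        340K r-x--  /lib/amd64/ld.so.1
FFFF80DDA254F000         16K rw---    [ stack ]
 total                  2564K
"""

RUN_1918 = """\
1918:   /usr/bin/pmap self
0000000000400000         28K r-x--  /usr/bin/pmap
0000000000417000          4K rw---  /usr/bin/pmap
000000065B76D000         36K rw---    [ heap ]
00007FFAACFC0000        216K r-x--  /lib/amd64/libproc.so.1
00007FFAAD010000          4K rw---    [ anon ]
00007FFAAD040000       1764K r-x--  /lib/amd64/libc.so.1
00007FFAAD24D000        340K r-x--  /lib/amd64/ld.so.1
FFFF80DE1559E000         12K rw---    [ stack ]
"""


def parse_pmap(text):
    """Return {(name, perms, n): base}; n numbers repeated mappings of the same
    object with the same permissions so they can be paired across runs."""
    mappings, counts = {}, {}
    for line in text.splitlines():
        m = PMAP_LINE.match(line.strip())
        if not m:                       # the "pid: command" header and " total" footer
            continue
        base, _size_k, perms, name = m.groups()
        n = counts.get((name, perms), 0)
        counts[(name, perms)] = n + 1
        mappings[(name, perms, n)] = int(base, 16)
    return mappings


def moved_mappings(run_a, run_b):
    """Mappings present in both runs whose base address differs: {key: (base_a, base_b)}."""
    a, b = parse_pmap(run_a), parse_pmap(run_b)
    return {key: (a[key], b[key]) for key in a if key in b and a[key] != b[key]}


def randomized_regions(run_a, run_b):
    """Split object names into (fixed, randomized): an object counts as fixed only
    if every one of its mappings landed at the same base in both runs."""
    a, b = parse_pmap(run_a), parse_pmap(run_b)
    moved_names = {key[0] for key in moved_mappings(run_a, run_b)}
    names = {key[0] for key in a if key in b}
    return sorted(names - moved_names), sorted(moved_names)


if __name__ == "__main__":
    fixed, randomized = randomized_regions(RUN_1917, RUN_1918)
    print("fixed:     ", fixed)
    print("randomized:", randomized)
    for key, (base_a, base_b) in moved_mappings(RUN_1917, RUN_1918).items():
        print(f"{key[0]:26} {base_a:016X} -> {base_b:016X}")
```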
root@solaris:~# sxadm info
EXTENSION           STATUS                    CONFIGURATION
aslr                enabled (tagged-files)    system default (default)
root@solaris:~# elfdump -d /usr/bin/pmap | grep ASLR
      [33]  SUNW_ASLR          0x2                 ENABLE
root@solaris:~# elfedit -e 'dyn:sunw_aslr disable' /usr/bin/pmap
root@solaris:~# elfdump -d /usr/bin/pmap | grep ASLR
      [33]  SUNW_ASLR          0x1                 DISABLE
c0t0d0s0org29
root@solaris:~# sxadm enable -c model=all aslr
root@solaris:~# sxadm info
EXTENSION           STATUS                         CONFIGURATION
aslr                enabled (all)                  enabled (all)

root@solaris:~# sxadm disable aslr
root@solaris:~# sxadm info
EXTENSION           STATUS                         CONFIGURATION
aslr                disabled                       disabled

root@solaris:~# sxadm enable -c model=tagged-files aslr
root@solaris:~# sxadm info
EXTENSION           STATUS                         CONFIGURATION
aslr                enabled (tagged-files)         enabled (tagged-files)
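The two pmap listings above are the check that ASLR is actually doing something: the same mapping should not come up at the same address twice. The script below is an added example, not part of the slides, that compares two saved "pmap self" runs and reports which mappings moved and which stayed fixed. The two sample runs embedded in it are constructed from the output above, trimmed to the mappings of interest; the sxadm lines in the usage comment are Solaris commands and are not run here.

```shell
#!/bin/sh
# Added example (not from the slides): compare two "pmap self" runs of the
# same binary and report which mappings moved between them.

# Constructed from the first run shown above (trimmed).
sample_pmap_run1() {
  cat <<'EOF'
1917:   /usr/bin/pmap self
0000000000400000         28K r-x--  /usr/bin/pmap
0000000000417000          4K rw---  /usr/bin/pmap
00000005D6666000         36K rw---    [ heap ]
00007FF669C70000        216K r-x--  /lib/amd64/libproc.so.1
00007FF669CF0000       1764K r-x--  /lib/amd64/libc.so.1
00007FF669EFC000        340K r-x--  /lib/amd64/ld.so.1
FFFF80DDA254F000         16K rw---    [ stack ]
         total         2564K
EOF
}

# Constructed from the second run shown above (trimmed).
sample_pmap_run2() {
  cat <<'EOF'
1918:   /usr/bin/pmap self
0000000000400000         28K r-x--  /usr/bin/pmap
0000000000417000          4K rw---  /usr/bin/pmap
000000065B76D000         36K rw---    [ heap ]
00007FFAACFC0000        216K r-x--  /lib/amd64/libproc.so.1
00007FFAAD040000       1764K r-x--  /lib/amd64/libc.so.1
00007FFAAD24D000        340K r-x--  /lib/amd64/ld.so.1
FFFF80DE1559E000         12K rw---    [ stack ]
EOF
}

# Mapping lines look like "ADDR SIZE PERMS NAME...", where NAME may contain
# spaces ("[ heap ]"). The "PID: cmd" header and the "total" line are skipped
# because their first field is not a bare hex address.
pmap_mappings() {
  awk 'NF >= 4 && $1 ~ /^[0-9A-Fa-f]+$/ {
         name = $4; for (i = 5; i <= NF; i++) name = name " " $i
         print $1 "\t" name
       }' "$1"
}

# first_addr FILE NAME: lowest address at which NAME is mapped in a run.
first_addr() {
  pmap_mappings "$1" | awk -F'\t' -v want="$2" '$2 == want { print $1; exit }'
}

# aslr_report RUN1 RUN2: one line per distinct mapping of RUN1, saying whether
# it moved between the two runs. The executable's own text staying "fixed"
# while heap, libraries and stack move is the expected picture for a non-PIE
# binary with ASLR enabled.
aslr_report() {
  pmap_mappings "$1" | cut -f2 | awk '!seen[$0]++' | while IFS= read -r name; do
    a=$(first_addr "$1" "$name")
    b=$(first_addr "$2" "$name")
    if [ "$a" = "$b" ]; then
      printf '%s: fixed at %s\n' "$name" "$a"
    else
      printf '%s: moved %s -> %s\n' "$name" "$a" "$b"
    fi
  done
}

# Usage on a live Solaris 11 system (not run by the test):
#   sxadm exec -s aslr=enable /usr/bin/pmap self > /tmp/run1
#   sxadm exec -s aslr=enable /usr/bin/pmap self > /tmp/run2
#   aslr_report /tmp/run1 /tmp/run2
```

If a mapping you expect to move (heap, libc, stack) comes back "fixed", check the binary's SUNW_ASLR tag with elfdump and the system-wide model with sxadm info, exactly as the slides do.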
pfedit
root@template:/etc/apache2/2.2# profiles -p "httpd edit"
profiles:httpd edit> set auths=solaris.admin.edit/etc/apache2/2.2/httpd.conf
profiles:httpd edit> set desc="Edit httpd"
profiles:httpd edit> exit

root@template:/etc/apache2/2.2# usermod -P +"httpd edit" junior

junior@template:~$ profiles
httpd edit
Basic Solaris User
All

junior@template:~$ vi /etc/apache2/2.2/httpd.conf

junior@template:~$ pfedit /etc/apache2/2.2/httpd.conf
pfedit: /etc/apache2/2.2/httpd.conf has been updated.

pfedit allows the edit because the profile carries the solaris.admin.edit/<path> authorization for exactly that path. Any other file is still refused:

junior@template:~$ pfedit /etc/apache2/2.2/mime.types
pfedit: User junior is not authorized to edit the file /etc/apache2/2.2/mime.types

root@template:/etc/apache2/2.2# profiles -p "httpd edit"
profiles:httpd edit> info
        name=httpd edit
        desc=Edit httpd
        auths=solaris.admin.edit/etc/apache2/2.2/httpd.conf
profiles:httpd edit> add auths=solaris.admin.edit/etc/apache2/2.2/mime.types

junior@template:~$ pfedit /etc/apache2/2.2/mime.types
pfedit: no changes for /etc/apache2/2.2/mime.types

Every pfedit of a file in the profile can be audited (class "as" here):

# profiles -p "httpd configure"
profiles:httpd configure> add always_audit=as
profiles:httpd configure> info
        name=httpd configure
        desc=Configure httpd
        auths=solaris.admin.edit/etc/apache2/2.2/httpd.conf,solaris.admin.edit/etc/apache2/2.2/mime.types
        always_audit=as
        never_audit=no
profiles:httpd configure> exit
root@template:~#

root@template:~# auditreduce -c as | praudit
[...]
header,486,2,edit administrative file,,fe80::a00:27ff:fea6:33cb,2013-08-12 07:45:52.306 +00:00
subject,junior,junior,staff,junior,staff,4212,4474671663,69 136704 MacBook-Pro-of-c0t0d0s0.fritz.box
path,/etc/apache2/2.2/httpd.conf
use of authorization,solaris.admin.edit/etc/apache2/2.2/httpd.conf
text,--- /etc/apache2/2.2/httpd.conf  Mo Aug 12 07:45:00 2013
+++ /etc/apache2/2.2/httpd.conf.pfedit.1BaGoi  Mo Aug 12 07:45:52 2013
@@ -1,5 +1,6 @@
 # Test
 # Test 2
+# Test 3
 #
 # This is the main Apache HTTP server configuration file.  It contains the
 # configuration directives that give the server its instructions.
return,success,0

The audit record names the user, the file, the authorization that was used and the diff that was applied.
Delegating the privilege to restart services (so you can keep the root password)

junior@template:~$ svcadm refresh apache22
svcadm: svc:/network/http:apache22: Permission denied.

# svcs -a | grep apache22
online         15:30:29 svc:/network/http:apache22

Define two authorizations, one for changing the service's properties (value) and one for acting on it (action):

# auths add -t "Apache22 value" solaris.smf.value.http/apache22
# auths add -t "Apache22 action" solaris.smf.action.http/apache22

Tell SMF which authorizations the service requires:

# svccfg -s apache22 setprop general/value_authorization = astring: solaris.smf.value.http/apache22
# svccfg -s apache22 setprop general/action_authorization = astring: solaris.smf.action.http/apache22

Add the action authorization to junior's profile (refresh, restart and the like are actions):

# profiles -p "httpd edit" add auths=solaris.smf.action.http/apache22

junior@template:~$ svcadm refresh apache22
junior@template:~$
Privileges
$ ls -l /usr/sbin/traceroute
-r-sr-xr-x   1 root     bin        42324 Nov 21 00:09 /usr/sbin/traceroute
$ ls -l /usr/sbin/ping
-r-sr-xr-x   1 root     bin        51396 Nov 18 19:31 /usr/sbin/ping

set-uid to root: ping needs it to work (it has to open a raw socket).

# chmod -s /usr/sbin/ping
# exit
$ ping -s 192.168.1.132
ping: socket Permission denied

Remove the set-uid bit and ping stops working.
jmoekamp@daddelkiste:~$ ppriv $$
2153:   -bash
flags = <none>
        E: basic
        I: basic
        P: basic
        L: all

The complete set of privileges ("all"):

contract_event, contract_identity, contract_observer, cpc_cpu, dtrace_kernel, dtrace_proc, dtrace_user,
file_chown, file_chown_self, file_dac_execute, file_dac_read, file_dac_search, file_dac_write,
file_downgrade_sl, file_flag_set, file_link_any, file_owner, file_read, file_setid, file_upgrade_sl,
file_write, graphics_access, graphics_map, ipc_dac_read, ipc_dac_write, ipc_owner, net_access,
net_bindmlp, net_icmpaccess, net_mac_aware, net_mac_implicit, net_observability, net_privaddr,
net_rawaccess, proc_audit, proc_chroot, proc_clock_highres, proc_exec, proc_fork, proc_info,
proc_lock_memory, proc_owner, proc_priocntl, proc_session, proc_setid, proc_taskid, proc_zone,
sys_acct, sys_admin, sys_audit, sys_config, sys_devices, sys_dl_config, sys_flow_config,
sys_ib_config, sys_ib_info, sys_ip_config, sys_ipc_config, sys_iptun_config, sys_linkdir, sys_mount,
sys_net_config, sys_nfs, sys_ppp_config, sys_res_bind, sys_res_config, sys_resource, sys_share,
sys_smb, sys_suser_compat, sys_time, sys_trans_label, win_colormap, win_config, win_dac_read,
win_dac_write, win_devices, win_dga, win_downgrade_sl, win_fontpath, win_mac_read, win_mac_write,
win_selection, win_upgrade_sl

All privileges in their entirety assigned to one user are (almost)

Neat extension in Solaris 11: the ability to use networking is now a privilege (net_access). It is part of the default basic set of privileges, but you can remove it.

jmoekamp@daddelkiste:~$ ppriv -v $$
2153:   -bash
flags = <none>
        E: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
        I: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
        P: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
        L: contract_event,contract_identity,contract_observer,cpc_cpu,dtrace_kernel,dtrace_proc,dtrace_user,file_chown,file_chown_self,file_dac_execute,file_dac_read,file_dac_search,file_dac_write,file_downgrade_sl,file_flag_set,file_link_any,file_owner,file_read,file_setid,file_upgrade_sl,file_write,graphics_access,graphics_map,ipc_dac_read,ipc_dac_write,ipc_owner,net_access,net_bindmlp,net_icmpaccess,net_mac_aware,net_mac_implicit,net_observability,net_privaddr,net_rawaccess,proc_audit,proc_chroot,proc_clock_highres,proc_exec,proc_fork,proc_info,proc_lock_memory,proc_owner,proc_priocntl,proc_session,proc_setid,proc_taskid,proc_zone,sys_acct,sys_admin,sys_audit,sys_config,sys_devices,sys_dl_config,sys_flow_config,sys_ib_config,sys_ib_info,sys_ip_config,sys_ipc_config,sys_iptun_config,sys_linkdir,sys_mount,sys_net_config,sys_nfs,sys_ppp_config,sys_res_bind,sys_res_config,sys_resource,sys_share,sys_smb,sys_suser_compat,sys_time,sys_trans_label,win_colormap,win_config,win_dac_read,win_dac_write,win_devices,win_dga,win_downgrade_sl,win_fontpath,win_mac_read,win_mac_write,win_selection,win_upgrade_sl

root@daddelkiste:~# ppriv $$
2183:   -bash
flags = <none>
        E: all
        I: basic
        P: all
        L: all
junior@daddelkiste:~$ dtrace -n 'syscall:::entry { @num[execname] = count(); }'
dtrace: failed to initialize dtrace: DTrace requires additional privileges

root@daddelkiste:~# usermod -K defaultpriv=basic,dtrace_kernel,dtrace_proc,dtrace_user junior
UX: usermod: junior is currently logged in, some changes may not take effect until next login.

junior@daddelkiste:~$ dtrace -n 'syscall:::entry { @num[execname] = count(); }'
dtrace: description 'syscall:::entry' matched 211 probes
^C

  automountd                                                        1
  sshd                                                             24
  dtrace                                                          544
  auditd                                                          564
# ps -ef | grep kcfd
  daemon   125     1   0 14:24:19 ?           0:00 /usr/lib/crypto/kcfd
    root   734   728   0 15:54:08 pts/1       0:00 grep kcfd
# ppriv -v 125
125:    /usr/lib/crypto/kcfd
flags = PRIV_AWARE
        E: file_owner,proc_priocntl,sys_devices
        I: none
        P: file_owner,proc_priocntl,sys_devices
        L: none
# svcadm -v enable -s apache22
svc:/network/http:apache22 enabled.

jmoekamp@client:~$ ps -ef | grep http
webservd  1978  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1979  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1980  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1984  1975   0 12:20:02 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
    root  1975     1   0 12:19:14 ?           0:01 /usr/apache2/2.2/bin/httpd -k start
webservd  1977  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1976  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start

root@client:~# ppriv 1977
1977:   /usr/apache2/2.2/bin/httpd -k start
flags = <none>
        E: basic
        I: basic
        P: basic
        L: all
root@client:~# ppriv 1975
1975:   /usr/apache2/2.2/bin/httpd -k start
flags = <none>
        E: all
        I: basic
        P: all
        L: all
root@client:~#

The Apache parent process running as root has all privileges (the complete list shown above). The other (webservd) processes have the basic set. Apache really needs only a small subset of these. So you grant a large number of privileges to one process that Apache does not need.

# svcadm -v disable -s apache22
svc:/network/http:apache22 disabled.

root@client:~# svccfg -s apache22
svc:/network/http:apache22> setprop start/user = astring: webservd
svc:/network/http:apache22> setprop start/group = astring: webservd
svc:/network/http:apache22> setprop start/privileges = astring: basic,!proc_session,!proc_info,!file_link_any,net_privaddr
svc:/network/http:apache22> setprop start/limit_privileges = astring: :default
svc:/network/http:apache22> setprop start/use_profile = boolean: false
svc:/network/http:apache22> setprop start/supp_groups = astring: :default
svc:/network/http:apache22> setprop start/working_directory = astring: :default
svc:/network/http:apache22> setprop start/project = astring: :default
svc:/network/http:apache22> setprop start/resource_pool = astring: :default
svc:/network/http:apache22> end
root@client:~# svcadm -v refresh apache22
Action refresh set for svc:/network/http:apache22.

Started as webservd, httpd can no longer write its lock and pid files to the root-owned defaults, so point them at a directory webservd owns:

# echo "LockFile /var/apache2/2.2/logs/accept.lock" >> /etc/apache2/2.2/httpd.conf
# echo "PidFile /var/apache2/2.2/run/httpd.pid" >> /etc/apache2/2.2/httpd.conf
# mkdir -p -m 755 /var/apache2/2.2/run
# chown webservd:webservd /var/apache2/2.2/run
# svcadm enable apache22

webservd  3064  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3062  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3063  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3066  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3061     1   0 16:49:17 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3065  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start

No process runs as root any more; the parent holds basic minus proc_session, proc_info and file_link_any, plus net_privaddr so it can bind port 80.
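The privilege string given to svccfg above ("basic,!proc_session,!proc_info,!file_link_any,net_privaddr") is a small language: start from a named set, subtract with "!", add bare names. The script below is an added example, not part of the slides, that expands such a string into the privileges it grants and, in the other direction, lists what a running process holds beyond the basic set from saved ppriv output. BASIC_PRIVS is the basic set exactly as "ppriv -v $$" printed it on these slides; the basic set is release specific, so take it from ppriv on the target host. The kcfd sample is constructed from the ppriv output shown above.

```shell
#!/bin/sh
# Added example (not from the slides): reason about Solaris privilege sets
# in plain shell.

# The basic set as "ppriv -v $$" printed it on the slides (Solaris 11);
# other releases differ, so read it from ppriv on the target host.
BASIC_PRIVS="file_link_any file_read file_write net_access proc_exec proc_fork proc_info proc_session sys_ib_info"

# remove_priv "SET" NAME: SET (space separated) without NAME.
remove_priv() {
  out=""
  for p in $1; do
    [ "$p" = "$2" ] || out="$out $p"
  done
  printf '%s' "$out"
}

# expand_privspec SPEC: expand an SMF method_context privilege string such as
# "basic,!proc_session,!proc_info,!file_link_any,net_privaddr" into the sorted
# list of privileges it grants. "all" is rejected on purpose: the full list is
# release specific and is what the "L:" line of ppriv -v shows you.
expand_privspec() {
  privs=""
  for tok in $(printf '%s' "$1" | tr ',' ' '); do
    case $tok in
      basic) privs="$privs $BASIC_PRIVS" ;;
      all)   echo "expand_privspec: 'all' not supported, read it from ppriv -v" >&2; return 1 ;;
      !*)    privs=$(remove_priv "$privs" "${tok#!}") ;;
      *)     privs="$privs $tok" ;;
    esac
  done
  printf '%s\n' $privs | LC_ALL=C sort -u | tr '\n' ' ' | sed 's/ $//'
}

# ppriv_set FILE LETTER: the E, I, P or L set from saved "ppriv -v PID" output.
ppriv_set() {
  awk -v want="$2:" '$1 == want { print $2 }' "$1"
}

# excess_privs SET: privileges (comma or space separated) that are not in the
# basic set, i.e. what a process holds beyond an ordinary user's shell.
excess_privs() {
  for p in $(printf '%s' "$1" | tr ',' ' '); do
    [ "$p" = none ] && continue
    case " $BASIC_PRIVS " in
      *" $p "*) ;;
      *) printf '%s\n' "$p" ;;
    esac
  done
}

# Constructed from the kcfd ppriv output shown above.
sample_ppriv_kcfd() {
  cat <<'EOF'
125:    /usr/lib/crypto/kcfd
flags = PRIV_AWARE
        E: file_owner,proc_priocntl,sys_devices
        I: none
        P: file_owner,proc_priocntl,sys_devices
        L: none
EOF
}

# Usage on a live Solaris 11 system (not run by the test):
#   ppriv -v 1975 > /tmp/httpd.ppriv
#   excess_privs "$(ppriv_set /tmp/httpd.ppriv E)"
#   expand_privspec 'basic,!proc_session,!proc_info,!file_link_any,net_privaddr'
```

Running excess_privs over the E set of the root httpd parent from the slides would list everything in "all" except the basic privileges; after the svccfg change it lists only net_privaddr. kcfd is the model to aim for: a privilege-aware daemon whose effective set is three privileges and whose limit set is empty.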
Read-only zone root
zonecfg:testzone> set file-mac-profile=none
    Standard read-write non-global zone with no additional protection beyond the existing zone boundaries.

zonecfg:testzone> set file-mac-profile=strict
    Read-only file system, no exceptions.

zonecfg:testzone> set file-mac-profile=fixed-configuration
    Permits updates to /var/* directories, with the exception of directories that contain system configuration components.

zonecfg:testzone> set file-mac-profile=flexible-configuration
    Permits modification of files in /etc/* directories, changes to root's home directory, and updates to /var/* directories. This configuration provides the closest functionality to the Oracle Solaris 10 native sparse root zone.
in-kernel SSL Proxy
# mkdir /etc/keys
# cd /etc/keys
# openssl req -x509 -nodes -days 365 -subj "/C=DE/ST=Hamburg/L=Hamburg/CN=server" -newkey rsa:1024 -keyout /etc/keys/mykey.pem -out /etc/keys/mycert.pem
# cat mycert.pem mykey.pem > my.pem
# chmod 600 my.pem

# echo "pass" > /etc/keys/mypass
# ksslcfg create -f pem -i /etc/keys/my.pem -x 8080 -p /etc/keys/mypass server 443

The same with an explicit cipher list:

# ksslcfg create -f pem -i /etc/keys/my.pem -x 8080 -p /etc/keys/mypass -c rsa_aes_256_cbc_sha,rsa_aes_128_cbc_sha,rsa_rc4_128_sha,rsa_rc4_128_md5 server 443

(This part of the demo dates from 2009. The 1024-bit RSA key and the RC4 and MD5 suites in that list are below what is acceptable today; keep to the AES suites and use a key of at least 2048 bits.)

# svcs -a | grep kssl
online          9:03:33 svc:/network/ssl/proxy:kssl-server-443

# svcadm disable apache22
# echo "Listen 192.168.178.108:8080" >> /etc/apache2/2.2/httpd.conf
# svcadm enable apache22

Port number and IP address have to be defined in httpd.conf, otherwise it will not work: the kernel proxy terminates TLS on port 443 and hands the plaintext to the address and port given with -x.

# openssl s_client -connect server:443
CONNECTED(00000004)
depth=0 /C=DE/ST=Hamburg/L=Hamburg/CN=server
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=DE/ST=Hamburg/L=Hamburg/CN=server
verify return:1
---
Certificate chain
 0 s:/C=DE/ST=Hamburg/L=Hamburg/CN=server
   i:/C=DE/ST=Hamburg/L=Hamburg/CN=server
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICoTCCAgqgAwIBAgIJAKyJdj[...]V5jX3MU=
-----END CERTIFICATE-----
subject=/C=DE/ST=Hamburg/L=Hamburg/CN=server
issuer=/C=DE/ST=Hamburg/L=Hamburg/CN=server
---
No client certificate CA names sent
---
SSL handshake has read 817 bytes and written 328 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-SHA
    Session-ID: 32CEF20CB9FE2A71C74D40BB2DB5CB304DA1B57540B7CFDD113915B99DBE9812
    Session-ID-ctx:
    Master-Key: 1E7B502390951124779C5763B5E4BBAF0A9B0693D08DCA8A587B503A5C5027B6FAD9CA7626B1AD8C62219E8502A5C21E
    Key-Arg   : None
    Start Time: 1242985143
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
GET / HTTP/1.0

HTTP/1.1 200 OK
Date: Fri, 22 May 2009 09:39:13 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8a DAV/2
Last-Modified: Thu, 21 May 2009 21:26:30 GMT
ETag: "341f3-2c-46a72cc211a8f"
Accept-Ranges: bytes
Content-Length: 44
Connection: close
Content-Type: text/html

<html><body><h1>It works!</h1></body></html>
read:errno=0
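The s_client transcript above is the evidence you keep after setting up the proxy, and it is worth reading critically: it negotiated TLSv1 with RC4-SHA against a 1024-bit key and a self-signed certificate. The script below is an added example, not part of the slides, that pulls those four facts out of a saved s_client session and grades them, and flags the RC4/MD5 entries in a ksslcfg -c cipher list. The sample session is constructed from the output above; the thresholds (no SSLv3/TLSv1/TLSv1.1, no RC4/MD5/DES/NULL/export suites, at least 2048-bit keys, verify code 0) are this script's baseline, not something the slides state.

```shell
#!/bin/sh
# Added example (not from the slides): grade a captured "openssl s_client"
# session and a ksslcfg cipher list against a current baseline.

# Constructed from the s_client output shown above (trimmed).
sample_s_client() {
  cat <<'EOF'
SSL handshake has read 817 bytes and written 328 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-SHA
    Session-ID: 32CEF20CB9FE2A71C74D40BB2DB5CB304DA1B57540B7CFDD113915B99DBE9812
    Start Time: 1242985143
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
EOF
}

# tls_summary FILE: protocol, cipher, server key size and verify result on one line.
tls_summary() {
  awk '
    /^ *Protocol *:/        { sub(/^ *Protocol *: */, ""); proto = $0 }
    /^ *Cipher *:/          { sub(/^ *Cipher *: */, ""); cipher = $0 }
    /^Server public key is/ { bits = $5 }
    /Verify return code:/   { sub(/.*Verify return code: */, ""); verify = $0 }
    END { printf "protocol=%s cipher=%s keybits=%s verify=%s\n", proto, cipher, bits, verify }
  ' "$1"
}

# tls_findings FILE: one line per weakness; the exit status is the number found.
tls_findings() {
  n=0
  summary=$(tls_summary "$1")
  proto=$(printf '%s\n' "$summary" | sed 's/^protocol=\([^ ]*\).*/\1/')
  cipher=$(printf '%s\n' "$summary" | sed 's/.* cipher=\([^ ]*\).*/\1/')
  bits=$(printf '%s\n' "$summary" | sed 's/.* keybits=\([^ ]*\).*/\1/')
  verify=$(printf '%s\n' "$summary" | sed 's/.* verify=//')
  case $proto in SSLv2|SSLv3|TLSv1|TLSv1.1) echo "legacy protocol: $proto"; n=$((n+1)) ;; esac
  case $cipher in *RC4*|*MD5*|*DES*|*NULL*|*EXP*) echo "weak cipher: $cipher"; n=$((n+1)) ;; esac
  [ "${bits:-0}" -ge 2048 ] || { echo "short server key: ${bits:-?} bit"; n=$((n+1)); }
  case $verify in 0*) ;; *) echo "certificate not verified: $verify"; n=$((n+1)) ;; esac
  return $n
}

# kssl_weak_ciphers LIST: the entries of a "ksslcfg -c" list that use RC4 or MD5.
kssl_weak_ciphers() {
  printf '%s\n' "$1" | tr ',' '\n' | grep -E 'rc4|md5' | tr '\n' ' ' | sed 's/ $//'
}

# Usage on a live system (not run by the test):
#   openssl s_client -connect server:443 < /dev/null > /tmp/session 2>&1
#   tls_findings /tmp/session || echo "$? finding(s)"
#   kssl_weak_ciphers rsa_aes_256_cbc_sha,rsa_aes_128_cbc_sha,rsa_rc4_128_sha,rsa_rc4_128_md5
```

Against the session on the slides the checker reports all four findings. The cipher-list check is the one to run before typing the ksslcfg command, since the proxy will happily offer whatever you list.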
ZFS Encryption
# zfs create -o encryption=on rpool/export/project

Two keys are involved: the wrapping key, which is user-settable and is obtained according to keysource (prompt, file, https or pkcs11), and the data encryption key, which is random and not user-settable. The wrapping key encrypts the data encryption key; the data encryption key encrypts the blocks.

Available ciphers: aes-128-ccm (= on), aes-192-ccm, aes-256-ccm, aes-128-gcm, aes-192-gcm, aes-256-gcm

# zfs set checksum=sha256+mac <dataset>

If encryption is on, something like this occurs automatically, and the checksum property is read-only from then on.

Key in a PKCS#11 token:

# pktool genkey keystore=pkcs11 keytype=aes keylen=128 label=mykey
Enter PIN for Sun Software PKCS#11 softtoken:
# zfs create -o encryption=on -o keysource=raw,pkcs11:object=mykey tank/project/C
Enter PKCS#11 token PIN for 'tank/project/C':

Key fetched from a key server over https (its certificate has to be trusted first):

# zfs create -o encryption=on -o keysource=raw,https://keys.example.com/mykey tank/project/R
# cp myserver.cert.pem /etc/certs/CA/
# svcadm refresh ca-certificates

Changing the wrapping key:

$ zfs key -c rpool/export/project
Enter new passphrase for 'rpool/export/project':

Changing the data encryption key for data written from now on:

# zfs key -K tank/project/A
# zfs clone -K tank/project/A@montag tank/project/D

zfs key -K creates a new data encryption key for the dataset. For the clone created with -K, data written in the clone uses a new data encryption key, which is distinct from that of its origin snapshot.
Solaris Cryptographic Framework
As soon as Solaris detects hardware acceleration for cryptography, Solaris will use it (and so do applications that use the Oracle-supplied OpenSSL library or the framework's direct interfaces):
• on-chip crypto accelerator in T-series and current M-series chips
• instruction set extensions in Intel processors (AES-NI)
• supported crypto accelerator cards

Just a side note: T-series crypto acceleration and Intel x86 acceleration have rather different performance characteristics.
T-series: acceleration by offloading crypto outside the pipeline.
Intel x86: acceleration by offering special in-pipeline instructions that speed up execution.
Sounds like splitting hairs ...
Using ZFS to do two-factor encryption
jmoekamp@solaris:~$ rmformat
Looking for devices...
     1. Logical Node: /dev/rdsk/c10t0d0p0
        Physical Node: /pci@0,0/pci8086,265c@b/storage@2/disk@0,0
        Connected Device: SanDisk  U3 Cruzer Micro  8.02
        Device Type: Removable
        Bus: USB
        Size: 3.8 GB
        Label:
        Access permissions: Medium is not write protected.
(...)
     3. Logical Node: /dev/rdsk/c9t0d0p0
        Physical Node: /pci@0,0/pci8086,265c@b/storage@1/disk@0,0
        Connected Device: SanDisk  U3 Cruzer Micro  8.02
        Device Type: Removable
        Bus: USB
        Size: 3.8 GB
        Label:
        Access permissions: Medium is not write protected.

One stick becomes the key store, the other the data store:

root@solaris:~# zpool create a_keystore_usbstick /dev/dsk/c10t0d0p0
root@solaris:~# zpool create datastick /dev/dsk/c9t0d0p0

The key store is itself an encrypted dataset, unlocked by a passphrase (factor one, something you know):

root@solaris:~# zfs create -o encryption=on a_keystore_usbstick/keys
Enter passphrase for 'a_keystore_usbstick/keys': supersecret
Enter again: supersecret

A raw key is generated into the key store and used as the wrapping key of the data dataset (factor two, something you have):

root@solaris:~# pktool genkey keystore=file keytype=aes keylen=128 outkey=/a_keystore_usbstick/keys/joergsdatastick.key

root@solaris:~# zfs create -o encryption=on -o keysource=raw,file:///a_keystore_usbstick/keys/joergsdatastick.key datastick/joergssecrets

root@solaris:/datastick/joergssecrets# mv /home/jmoekamp/highlyconfidential_nda_preso.tgz .

root@solaris:~# zpool export a_keystore_usbstick
root@solaris:~# zpool export datastick

The key store must be imported (and its passphrase entered) before the data stick, otherwise the key file is not there to be read:

root@solaris:~# zpool import a_keystore_usbstick
Enter passphrase for 'a_keystore_usbstick/keys': supersecret
root@solaris:~#

root@solaris:~# zpool import datastick
root@solaris:~# cd /datastick/joergssecrets
root@solaris:/datastick/joergssecrets# ls
highlyconfidential_nda_preso.tgz
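The keysource property used in the ZFS encryption section and in the two-stick setup above has the shape "format,locator", and a raw or hex key file has to be exactly the length the chosen cipher needs (16 bytes for aes-128, which is what "encryption=on" and the pktool keylen=128 above produce). The script below is an added example, not part of the slides, that validates a keysource value before it is handed to zfs create, so a wrong-sized key file is caught up front rather than at mount time. The length rule for raw and hex keys follows zfs(1M); rejecting a hex key file with a trailing newline is this script's strictness, not something the slides state.

```shell
#!/bin/sh
# Added example (not from the slides): sanity-check a zfs "keysource" value
# for the key formats and locators listed on these slides.

# key_bytes_for CIPHER: data key length for an "encryption" property value.
key_bytes_for() {
  case $1 in
    on|aes-128-ccm|aes-128-gcm) echo 16 ;;
    aes-192-ccm|aes-192-gcm)    echo 24 ;;
    aes-256-ccm|aes-256-gcm)    echo 32 ;;
    *) echo "unknown encryption value: $1" >&2; return 1 ;;
  esac
}

# check_keysource CIPHER "FORMAT,LOCATOR": prints "ok", or a reason and fails.
check_keysource() {
  cipher=$1 spec=$2
  fmt=${spec%%,*}
  loc=${spec#*,}
  if [ "$fmt" = "$spec" ]; then
    echo "keysource must be format,locator (got '$spec')"; return 1
  fi
  case $fmt in
    raw|hex|passphrase) ;;
    *) echo "unknown key format '$fmt'"; return 1 ;;
  esac
  case $loc in
    prompt|file:///*|https://*|pkcs11:*) ;;
    *) echo "unsupported locator '$loc'"; return 1 ;;
  esac
  need=$(key_bytes_for "$cipher") || return 1
  # Only a local raw or hex key file can be inspected offline; a passphrase
  # is derived into a key, and prompt/https/pkcs11 are resolved at key load.
  case $fmt:$loc in
    raw:file://*|hex:file://*)
      path=${loc#file://}
      [ -r "$path" ] || { echo "key file $path is not readable"; return 1; }
      have=$(wc -c < "$path" | tr -d ' ')
      if [ "$fmt" = raw ]; then want=$need; else want=$((need * 2)); fi
      if [ "$have" -ne "$want" ]; then
        echo "$path is $have bytes; a $fmt key for $cipher must be $want bytes"; return 1
      fi ;;
  esac
  echo ok
}

# Usage on a live Solaris 11 system (not run by the test):
#   pktool genkey keystore=file keytype=aes keylen=128 outkey=/a_keystore_usbstick/keys/joergsdatastick.key
#   check_keysource on raw,file:///a_keystore_usbstick/keys/joergsdatastick.key &&
#     zfs create -o encryption=on \
#       -o keysource=raw,file:///a_keystore_usbstick/keys/joergsdatastick.key datastick/joergssecrets
```

The check also catches the most common slip when the cipher is changed later: switching the dataset to aes-256-gcm while the key file on the stick is still the 16-byte key pktool produced for keylen=128.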
Basic Auditing and Reporting Tool
# mkdir /bart-files
# bart create -R /etc > /bart-files/etc.control.manifest

# cat /bart-files/etc.control.manifest | grep nsswitch.nisplus
/nsswitch.nisplus F 2525 100644 user::rw-,group::r--,mask:r--,other:r-- 473976b5 0 3 79e8fd689a5221d1cd059e5077da71b8

Now make some changes:

# touch /etc/thisisjustatest
# chmod 777 /etc/nsswitch.files
# echo "just a test" >> /etc/nsswitch.nisplus

# bart create -R /etc > /bart-files/etc.check.20130911.manifest

# cd /bart-files
# bart compare etc.control.manifest etc.check.20130911.manifest
/nsswitch.files:
  mode  control:100644  test:100777
  acl  control:user::rw-,group::r--,mask:r--,other:r--  test:user::rwx,group::rwx,mask:rwx,other:rwx
/nsswitch.nisplus:
  size  control:2525  test:2538
  mtime  control:473976b5  test:47a44862
  contents  control:79e8fd689a5221d1cd059e5077da71b8  test:3f79176ec352441db11ec8a3d02ef67c
/thisisjustatest:
  add

Find more information regarding this feature at
http://www.c0t0d0s0.org/archives/4069-Less-known-Solaris-features-BART.html
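To make clear what a manifest records and how bart compare arrives at its report, here is an added example, not part of the slides and not bart itself, that implements the same create/compare cycle in plain shell: one line per regular file with size, mode and digest, and a comparison that prints added, deleted and changed files in bart's layout. It handles regular files only, skips names with whitespace, and uses sha256sum when available with a fallback to cksum (a CRC, not a cryptographic digest; bart records MD5). The control manifest is only worth something if it is kept where the monitored host cannot rewrite it, e.g. on read-only media or another machine.

```shell
#!/bin/sh
# Added example (not from the slides): a small bart-style create/compare.

file_digest() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    cksum "$1" | cut -d' ' -f1
  fi
}

# mini_manifest DIR: one line per regular file, "path type size mode digest",
# paths relative to DIR with a leading "/" as in bart's own manifests.
mini_manifest() {
  ( cd "$1" || exit 1
    find . -type f | LC_ALL=C sort | while IFS= read -r f; do
      size=$(wc -c < "$f" | tr -d ' ')
      mode=$(ls -ld "$f" | cut -c1-10)
      printf '%s F %s %s %s\n' "${f#.}" "$size" "$mode" "$(file_digest "$f")"
    done )
}

# mini_compare CONTROL TEST: report added, deleted and changed files in the
# layout "bart compare" uses. The control manifest is read first (NR == FNR).
mini_compare() {
  awk '
    NR == FNR { ctl[$1] = 1; csize[$1] = $3; cmode[$1] = $4; csum[$1] = $5; next }
    {
      seen[$1] = 1
      if (!($1 in ctl)) { print $1 ":"; print "  add"; next }
      out = ""
      if ($3 != csize[$1]) out = out "  size  control:" csize[$1] "  test:" $3 "\n"
      if ($4 != cmode[$1]) out = out "  mode  control:" cmode[$1] "  test:" $4 "\n"
      if ($5 != csum[$1]) out = out "  contents  control:" csum[$1] "  test:" $5 "\n"
      if (out != "") printf "%s:\n%s", $1, out
    }
    END { for (p in ctl) if (!(p in seen)) { print p ":"; print "  delete" } }
  ' "$1" "$2"
}

# Usage (mirrors the bart commands above):
#   mini_manifest /etc > /bart-files/etc.control.manifest
#   ... later ...
#   mini_manifest /etc > /bart-files/etc.check.manifest
#   mini_compare /bart-files/etc.control.manifest /bart-files/etc.check.manifest
```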
Apropos Auditing
Auditing is activated by default.

root@client:~# auditconfig -getflags
active user default audit flags = lo(0x1000,0x1000)
configured user default audit flags = lo(0x1000,0x1000)
root@client:~# auditconfig -getnaflags
active non-attributable audit flags = lo(0x1000,0x1000)
configured non-attributable audit flags = lo(0x1000,0x1000)

Policy regarding auditing (explanation below):

root@client:~# auditconfig -getpolicy
configured audit policies = cnt
active audit policies = cnt

root@client:~# auditconfig -lspolicy
policy string    description:
ahlt             halt machine if it can not record an async event
all              all policies
arge             include exec environment args in audit recs
argv             include exec command line args in audit recs
cnt              when no more space, drop recs and keep a cnt
group            include supplementary groups in audit recs
none             no policies
path             allow multiple paths per event
perzone          use a separate queue and auditd per zone
public           audit public files
seq              include a sequence number in audit recs
trail            include trailer token in audit recs
windata_down     include downgraded window information in audit recs
windata_up       include upgraded window information in audit recs
zonename         include zonename token in audit recs

Which degree of detail? What happens with full disks? With the default cnt, records are dropped and counted when there is no more space; ahlt halts the machine instead.

root@client:~# auditconfig -getplugin
Plugin: audit_binfile (active)
        Attributes: p_dir=/var/audit;p_fsize=0;p_minfree=1;

Plugin: audit_syslog (inactive)
        Attributes: p_flags=;

Plugin: audit_remote (inactive)
        Attributes: p_hosts=;p_retries=3;p_timeout=5;

root@client:~# auditconfig -setflags lo,ps,fw
user default audit flags = ps,lo,fw(0x101002,0x101002)
root@client:~# auditconfig -setnaflags lo,na
non-attributable audit flags = lo,na(0x1400,0x1400)

lo and na are the only sensible flags for non-attributable events.

Per-user flags:

root@client:~# usermod -K audit_flags=fw,as junior

Which events are in a class:

root@client:~# auditconfig -lsevent | grep lo
AUE_login                   6152 lo login - local
AUE_logout                  6153 lo logout
AUE_telnet                  6154 lo login - telnet
AUE_rlogin                  6155 lo login - rlogin
AUE_rshd                    6158 lo rsh access
AUE_su                      6159 lo su
AUE_rexecd                  6162 lo rexecd
AUE_passwd                  6163 lo passwd
AUE_rexd                    6164 lo rexd
AUE_ftpd                    6165 lo ftp access
AUE_ftpd_logout             6171 lo ftp logout
AUE_ssh                     6172 lo login - ssh
AUE_role_login              6173 lo role login
AUE_rad_login               6174 lo connect to RAD
AUE_newgrp_login            6212 lo newgrp login
AUE_admin_authenticate      6213 lo admin login
AUE_screenlock              6221 lo screenlock - lock
AUE_screenunlock            6222 lo screenlock - unlock
AUE_zlogin                  6227 lo login - zlogin
AUE_su_logout               6228 lo su logout
AUE_role_logout             6229 lo role logout
AUE_smbd_session            6244 lo smbd(1m) session setup
AUE_smbd_logoff             6245 lo smbd(1m) session logoff

root@client:~# auditconfig -lsevent | grep ps
AUE_EXIT                       1 ps exit(2)
AUE_FORKALL                    2 ps forkall(2)
AUE_VFORK                     25 ps vfork(2)
AUE_FORK1                    241 ps fork1(2)
root@client:~# auditconfig -lsevent | grep fw
AUE_OPEN_W                    76 fw open(2) - write

# auditreduce -c ps /var/audit/20130912183630.not_terminated.client | praudit
header,139,2,execve(2),,client,2013-09-12 18:40:55.924 +00:00
path,/usr/sbin/auditreduce
attribute,100555,root,bin,65538,65875,18446744073709551615
subject,jmoekamp,root,root,root,root,20541,4400809562,480 202240 192.168.10.1
return,success,0
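praudit prints one token per line, which is precise but hard to grep through when you want to know who did what. The script below is an added example, not part of the slides, that boils praudit output down to one line per record: time, host, event, the audit user (the identity that logged in, which survives su), the effective user, the path(s), the authorization used and the return token. The sample trail is constructed from the two records shown on these slides, the pfedit record from the RBAC section and the execve record above; the token layout follows praudit's comma-separated default format, in which the time is always the last header field and the host the one before it.

```shell
#!/bin/sh
# Added example (not from the slides): one line per audit record from praudit output.

# Constructed from the two praudit records shown on these slides.
sample_audit_trail() {
  cat <<'EOF'
header,486,2,edit administrative file,,fe80::a00:27ff:fea6:33cb,2013-08-12 07:45:52.306 +00:00
subject,junior,junior,staff,junior,staff,4212,4474671663,69 136704 MacBook-Pro-of-c0t0d0s0.fritz.box
path,/etc/apache2/2.2/httpd.conf
use of authorization,solaris.admin.edit/etc/apache2/2.2/httpd.conf
text,--- /etc/apache2/2.2/httpd.conf
+++ /etc/apache2/2.2/httpd.conf.pfedit.1BaGoi
@@ -1,5 +1,6 @@
 # Test
 # Test 2
+# Test 3
return,success,0
header,139,2,execve(2),,client,2013-09-12 18:40:55.924 +00:00
path,/usr/sbin/auditreduce
attribute,100555,root,bin,65538,65875,18446744073709551615
subject,jmoekamp,root,root,root,root,20541,4400809562,480 202240 192.168.10.1
return,success,0
EOF
}

# audit_summarize < praudit-output: one line per record. A record runs from
# its "header" token to its "return" token; the subject token carries the
# audit user in field 2 and the effective user in field 3.
audit_summarize() {
  awk -F, '
    $1 == "header" {
      event = $4; host = $(NF-1); when = $NF
      auid = "-"; euid = "-"; path = "-"; auth = "-"
    }
    $1 == "subject"              { auid = $2; euid = $3 }
    $1 == "path"                 { path = (path == "-") ? $2 : path ";" $2 }
    $1 == "use of authorization" { auth = $2 }
    $1 == "return" {
      printf "%s host=%s event=\"%s\" auid=%s euid=%s path=%s auth=%s result=%s\n",
             when, host, event, auid, euid, path, auth, $2
    }
  '
}

# Usage on a live Solaris 11 system (not run by the test):
#   auditreduce -c as | praudit | audit_summarize | grep 'auid=junior'
```

The second sample line is the useful one for a reviewer: auid=jmoekamp with euid=root shows who actually ran the root command, which is exactly the trail a shared root password does not leave.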
root@client:~# auditconfig -setflags all
user default audit flags = all(0xffffffffffffffff,0xffffffffffffffff)

Not always (in the sense of: never) a good idea.

Useful after trying things out: start a new audit file.
root@client:~# audit -n

root@client:~# auditstat
  gen  nona  kern   aud   ctl   enq  wrtn  wblk  rblk  drop   tot   mem
38248     1 38233    14     0 37791 37788     0  3491   457  5169     0

"all" activated for a few seconds on an unloaded system.
SSH and X509
c0t0d0s0org131
rootca~ CApl -newcaCA certificate filename (or enter to create)
Making CA certificate Generating a 1024 bit RSA private key++++++++++++writing new private key to etcopensslprivatecakeypemEnter PEM pass phrase supersecret1Verifying - Enter PEM pass phrase supersecret1-----You are about to be asked to enter information that will be incorporatedinto your certificate requestWhat you are about to enter is what is called a Distinguished Name or a DNThere are quite a few fields but you can leave some blankFor some fields there will be a default valueIf you enter the field will be left blank-----Country Name (2 letter code) []DEState or Province Name (full name) []Lower SaxonyLocality Name (eg city) []LueneburgOrganization Name (eg company) []c0t0d0s0orgOrganizational Unit Name (eg section) []Security DepartmentCommon Name (eg server FQDN or YOUR name) []CAEmail Address []
Please enter the following extra attributesto be sent with your certificate requestA challenge password []An optional company name []Using configuration from etcopensslopensslcnf
Enter pass phrase for etcopensslprivatecakeypem supersecret1Check that the request matches the signatureSignature okCertificate Details Serial Number b354808866ade878 Validity Not Before Sep 26 101109 2013 GMT Not After Sep 25 101109 2016 GMT Subject countryName = DE stateOrProvinceName = Lower Saxony organizationName = c0t0d0s0org organizationalUnitName = Security Department commonName = CA X509v3 extensions X509v3 Subject Key Identifier 5B1F2F7186123040501552818D525AA5597E3644 X509v3 Authority Key Identifier keyid5B1F2F7186123040501552818D525AA5597E3644
X509v3 Basic Constraints CATRUECertificate is to be certified until Sep 25 101109 2016 GMT (1095 days)
Write out database with 1 new entriesData Base Updated
c0t0d0s0org132
rootca~ mkdir serverrootca~ cd serverrootca~server CApl -newreqGenerating a 1024 bit RSA private key++++++++++++writing new private key to newkeypemEnter PEM pass phrase supersecret2Verifying - Enter PEM pass phrase supersecret2-----You are about to be asked to enter information that will be incorporatedinto your certificate requestWhat you are about to enter is what is called a Distinguished Name or a DNThere are quite a few fields but you can leave some blankFor some fields there will be a default valueIf you enter the field will be left blank-----Country Name (2 letter code) []DEState or Province Name (full name) []Lower SaxonyLocality Name (eg city) []LueneburgOrganization Name (eg company) []c0t0d0s0orgOrganizational Unit Name (eg section) []Server Certificates
Common Name (eg server FQDN or YOUR name) []serverEmail Address []
Please enter the following extra attributesto be sent with your certificate requestA challenge password []An optional company name []Request is in newreqpem private key is in newkeypem
c0t0d0s0org133
rootca~ mkdir serverrootca~ cd serverrootca~server CApl -newreqGenerating a 1024 bit RSA private key++++++++++++writing new private key to newkeypemEnter PEM pass phrase supersecret2Verifying - Enter PEM pass phrase supersecret2-----You are about to be asked to enter information that will be incorporatedinto your certificate requestWhat you are about to enter is what is called a Distinguished Name or a DNThere are quite a few fields but you can leave some blankFor some fields there will be a default valueIf you enter the field will be left blank-----Country Name (2 letter code) []DEState or Province Name (full name) []Lower SaxonyLocality Name (eg city) []LueneburgOrganization Name (eg company) []c0t0d0s0orgOrganizational Unit Name (eg section) []Server Certificates
Common Name (eg server FQDN or YOUR name) []serverEmail Address []
Please enter the following extra attributesto be sent with your certificate requestA challenge password []An optional company name []Request is in newreqpem private key is in newkeypem
c0t0d0s0org134
root@ca:~/server# CA.pl -signreq
Using configuration from /etc/openssl/openssl.cnf
Enter pass phrase for /etc/openssl/private/cakey.pem: supersecret1
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            b3:54:80:88:66:ad:e8:79
        Validity
            Not Before: Sep 26 10:29:12 2013 GMT
            Not After : Sep 26 10:29:12 2014 GMT
        Subject:
            countryName               = DE
            stateOrProvinceName       = Lower Saxony
            localityName              = Lueneburg
            organizationName          = c0t0d0s0.org
            organizationalUnitName    = Server Certificates
            commonName                = server
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                A7:DC:03:DE:B3:D5:FB:F9:C0:06:F1:1A:55:A9:AD:04:C4:9C:10:FA
            X509v3 Authority Key Identifier:
                keyid:5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44

Certificate is to be certified until Sep 26 10:29:12 2014 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
root@ca:~/server# ls -l
total 15
-rw-r--r--   1 root     root        3196 Sep 26 12:29 newcert.pem
-rw-r--r--   1 root     root        1041 Sep 26 12:28 newkey.pem
-rw-r--r--   1 root     root         680 Sep 26 12:28 newreq.pem
root@ca:~/junior# CA.pl -newreq
Generating a 1024 bit RSA private key
............++++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
Verify failure
Enter PEM pass phrase: supersecret3
Verifying - Enter PEM pass phrase: supersecret3
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:DE
State or Province Name (full name) []:Lower Saxony
Locality Name (eg, city) []:Lueneburg
Organization Name (eg, company) []:c0t0d0s0.org
Organizational Unit Name (eg, section) []:User certificates
Common Name (eg, server FQDN or YOUR name) []:junior
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem
root@ca:~/junior# CA.pl -signreq
Using configuration from /etc/openssl/openssl.cnf
Enter pass phrase for /etc/openssl/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            b3:54:80:88:66:ad:e8:7a
        Validity
            Not Before: Sep 26 11:09:29 2013 GMT
            Not After : Sep 26 11:09:29 2014 GMT
        Subject:
            countryName               = DE
            stateOrProvinceName       = Lower Saxony
            localityName              = Lueneburg
            organizationName          = c0t0d0s0.org
            organizationalUnitName    = User certificates
            commonName                = junior
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                A1:F2:FC:9D:8A:E2:AD:9A:F5:29:03:F5:B7:14:93:3C:64:62:8E:9C
            X509v3 Authority Key Identifier:
                keyid:5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44

Certificate is to be certified until Sep 26 11:09:29 2014 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
root@server:~# useradd -m junior
80 blocks
root@server:~# passwd junior
New Password:
Re-enter new Password:
passwd: password successfully changed for junior
root@server:~#

root@client:~# useradd -m junior
80 blocks
root@client:~# passwd junior
New Password:
Re-enter new Password:
passwd: password successfully changed for junior
root@server:~# echo "1921681051 server" >> /etc/hosts
root@server:~# echo "1921681052 client" >> /etc/hosts

root@client:~# echo "1921681051 server" >> /etc/hosts
root@client:~# echo "1921681052 client" >> /etc/hosts
root@ca:~/server# scp /etc/openssl/cacert.pem jmoekamp@1921681109:/export/home/jmoekamp
Password:
cacert.pem           100% |*****************************|  3011       00:00
root@ca:~/server# scp newcert.pem jmoekamp@1921681109:/export/home/jmoekamp
Password:
newcert.pem          100% |*****************************|  3196       00:00
root@ca:~/server# scp newkey.pem jmoekamp@1921681109:/export/home/jmoekamp
Password:
newkey.pem           100% |*****************************|  1041       00:00

root@ca:~/junior# scp newkey.pem junior@client:/export/home/junior
Password:
newkey.pem           100% |*****************************|  1041       00:00
root@ca:~/junior# scp newcert.pem junior@client:/export/home/junior
Password:
newcert.pem          100% |*****************************|  3190       00:00
root@ca:~/junior# scp /etc/openssl/cacert.pem junior@1921681104:/export/home/junior
Password:
cacert.pem           100% |*****************************|  3011       00:00
On the Server

root@server:~# ls
cacert.pem  newcert.pem  newkey.pem
root@server:~# pktool setpin
Enter token passphrase: changeme
Create new passphrase: superserversecret
Re-enter new passphrase: superserversecret
Passphrase changed.
root@server:~#
root@server:~# printf "superserversecret" > /etc/ssh/pinfile
root@server:~# kmfcfg create dbfile=/etc/ssh/policy.xml policy=ssh ta-name=search mapper-name=cn
root@server:~# echo "TrustedAnchorKeystore /etc/ssh/cert" >> /etc/ssh/sshd_config
root@server:~# echo "KMFPolicyDatabase /etc/ssh/policy.xml" >> /etc/ssh/sshd_config
root@server:~# echo "KMFPolicyName ssh" >> /etc/ssh/sshd_config
root@server:~# echo "HostKey pkcs11:object=host;token=Sun Metaslot;pinfile=/etc/ssh/pinfile" >> /etc/ssh/sshd_config
root@server:~# pktool import keystore=pkcs11 infile=newkey.pem objtype=key label=host
Enter PIN for Sun Software PKCS#11 softtoken: superserversecret
Enter PEM pass phrase: supersecret2
Importing 1 keys
root@server:~# egrep -v '^ |^$|^Cert' /export/home/jmoekamp/cacert.pem > /etc/ssh/cert/cacert.cooked.pem
root@server:~# egrep -v '^ |^$|^Cert' newcert.pem > newcert.cooked.pem
root@server:~# pktool import keystore=pkcs11 infile=newcert.cooked.pem objtype=cert label=host
root@server:~#
On the client

junior@client:~$ ls *.pem
cacert.pem  newcert.pem  newkey.pem
root@client:~# kmfcfg create dbfile=/etc/ssh/policy.xml policy=ssh ta-name=search mapper-name=cn
root@client:~# egrep -v '^ |^$|^Cert' /export/home/junior/cacert.pem > /etc/ssh/cert/cacert.cooked.pem
junior@client:~$ pktool setpin
Enter token passphrase: changeme
Create new passphrase: superusersecret
Re-enter new passphrase: superusersecret
Passphrase changed.
junior@client:~$ pktool import keystore=pkcs11 infile=newkey.pem objtype=key label=user
Enter PIN for Sun Software PKCS#11 softtoken: superusersecret
Enter PEM pass phrase: supersecret3
Importing 1 keys
junior@client:~$ egrep -v '^ |^$|^Cert' newcert.pem > newcert.cooked.pem
junior@client:~$ pktool import keystore=pkcs11 infile=newcert.cooked.pem objtype=cert label=user
Testing it

root@server:~# svcadm disable ssh
root@server:~# svcadm enable ssh
junior@client:~$ cd .ssh
junior@client:~/.ssh$ printf "superusersecret" >> pinfile
junior@client:~/.ssh$ cat config
Host server-x509
    Hostname server
    TrustedAnchorKeystore /etc/ssh/cert
    KMFPolicyDatabase /etc/ssh/policy.xml
    KMFPolicyName ssh
    IdentityFile pkcs11:object=user;token=Sun Software PKCS#11 softtoken;pinfile=/export/home/junior/.ssh/pinfile
junior@client:~/.ssh$ ssh junior@server-x509
Last login: Thu Sep 26 20:07:14 2013 from client
Oracle Corporation      SunOS 5.11      11.1    September 2013
junior@server:~$
Find more information regarding this feature at
http://www.c0t0d0s0.org/archives/7659-Using-X509-support-for-SSH-on-Solaris-11.1.html
OpenSCAP
"The Security Content Automation Protocol (SCAP) is a method for using specific standards to enable automated vulnerability management, measurement, and policy compliance evaluation (e.g., FISMA compliance). The National Vulnerability Database (NVD) is the U.S. government content repository for SCAP."
http://en.wikipedia.org/wiki/Security_Content_Automation_Protocol
ftp-banner.xml

<?xml version="1.0" encoding="UTF-8"?>
<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:independent-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd">
  <generator>
    <oval:product_name>Enhanced SCAP Editor</oval:product_name>
    <oval:product_version>0.0.11</oval:product_version>
    <oval:schema_version>5.8</oval:schema_version>
    <oval:timestamp>2012-10-11T10:33:25</oval:timestamp>
  </generator>
  <!--generated.oval.base.identifier=com.oracle.solaris11-->
  <definitions>
    <definition id="oval:com.oracle.solaris11:def:840" version="1" class="compliance">
      <metadata>
        <title>Enable a Warning Banner for the FTP Service</title>
        <affected family="unix">
          <platform>Oracle Solaris 11</platform>
        </affected>
        <description>/etc/proftpd.conf contains "DisplayConnect /etc/issue"</description>
      </metadata>
      <criteria operator="AND" negate="false" comment="Single test">
        <criterion comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;" test_ref="oval:com.oracle.solaris11:tst:8400" negate="false"/>
      </criteria>
    </definition>
  </definitions>
  <tests>
    <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:com.oracle.solaris11:tst:8400" version="1" check="all" comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;" check_existence="all_exist">
      <object object_ref="oval:com.oracle.solaris11:obj:8400"/>
    </textfilecontent54_test>
  </tests>
  <objects>
    <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:com.oracle.solaris11:obj:8400" version="1" comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;">
      <path datatype="string" operation="equals">/etc</path>
      <filename datatype="string" operation="equals">proftpd.conf</filename>
      <pattern datatype="string" operation="pattern match">^DisplayConnect\s/etc/issue\s*$</pattern>
      <instance datatype="int" operation="greater than or equal">1</instance>
    </textfilecontent54_object>
  </objects>
</oval_definitions>
$ oscap oval eval ftp-banner.xml
Definition oval:com.oracle.solaris11:def:840: false
Evaluation done.

$ oscap oval eval --results results.xml --report report.html ftp-banner.xml
Definition oval:com.oracle.solaris11:def:840: false
Evaluation done.
OVAL Results are exported correctly.
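To show what `oscap oval eval` actually decides for ftp-banner.xml, here is an added example (not from the slides and not OpenSCAP code) that evaluates the textfilecontent54 test of definition def:840 in pure Python; the XML is a constructed, trimmed copy of the slide's definition and the two proftpd.conf contents are constructed inputs.

```python
import re
import xml.etree.ElementTree as ET

OVAL_DEF = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
OVAL_IND = OVAL_DEF + "#independent"
NS = {"d": OVAL_DEF, "i": OVAL_IND}

# Constructed copy of the definition, test and object from ftp-banner.xml,
# trimmed to the elements this evaluator needs (same ids and pattern).
FTP_BANNER_XML = f"""<oval_definitions xmlns="{OVAL_DEF}">
  <definitions>
    <definition id="oval:com.oracle.solaris11:def:840" version="1" class="compliance">
      <criteria operator="AND" negate="false" comment="Single test">
        <criterion test_ref="oval:com.oracle.solaris11:tst:8400" negate="false"/>
      </criteria>
    </definition>
  </definitions>
  <tests>
    <textfilecontent54_test xmlns="{OVAL_IND}" id="oval:com.oracle.solaris11:tst:8400"
        version="1" check="all" check_existence="all_exist">
      <object object_ref="oval:com.oracle.solaris11:obj:8400"/>
    </textfilecontent54_test>
  </tests>
  <objects>
    <textfilecontent54_object xmlns="{OVAL_IND}" id="oval:com.oracle.solaris11:obj:8400" version="1">
      <path datatype="string" operation="equals">/etc</path>
      <filename datatype="string" operation="equals">proftpd.conf</filename>
      <pattern datatype="string" operation="pattern match">^DisplayConnect\\s/etc/issue\\s*$</pattern>
      <instance datatype="int" operation="greater than or equal">1</instance>
    </textfilecontent54_object>
  </objects>
</oval_definitions>
"""


def _local(tag):
    """Strip the namespace from an ElementTree tag."""
    return tag.rsplit("}", 1)[-1]


def eval_textfilecontent(obj, files):
    """Evaluate one textfilecontent54_object against `files`, a
    {absolute path: contents} dict standing in for the real filesystem.
    True when at least <instance> lines match <pattern> in the file."""
    path = obj.find("i:path", NS).text
    name = obj.find("i:filename", NS).text
    pattern = re.compile(obj.find("i:pattern", NS).text, re.MULTILINE)
    min_instances = int(obj.find("i:instance", NS).text)
    content = files.get(f"{path}/{name}")
    if content is None:          # file missing: nothing collected, test fails
        return False
    return len(pattern.findall(content)) >= min_instances


def evaluate(oval_xml, files):
    """Evaluate every <definition>; returns {definition id: bool}."""
    root = ET.fromstring(oval_xml)
    tests = {t.get("id"): t for t in root.find("d:tests", NS)}
    objects = {o.get("id"): o for o in root.find("d:objects", NS)}

    def eval_test(test_id):
        test = tests[test_id]
        obj = objects[test.find("i:object", NS).get("object_ref")]
        return eval_textfilecontent(obj, files)

    def eval_criteria(crit):
        results = []
        for child in crit:
            if _local(child.tag) == "criterion":
                r = eval_test(child.get("test_ref"))
            else:                                  # nested <criteria>
                r = eval_criteria(child)
            results.append(not r if child.get("negate") == "true" else r)
        op = crit.get("operator", "AND")
        result = all(results) if op == "AND" else any(results)
        return not result if crit.get("negate") == "true" else result

    return {d.get("id"): eval_criteria(d.find("d:criteria", NS))
            for d in root.find("d:definitions", NS)}


DEF_ID = "oval:com.oracle.solaris11:def:840"
# Constructed /etc/proftpd.conf contents: before and after adding the banner.
CONF_WITHOUT_BANNER = 'ServerName "ProFTPD"\nPort 21\n'
CONF_WITH_BANNER = CONF_WITHOUT_BANNER + "DisplayConnect /etc/issue\n"


def ftp_banner_compliant(conf_text):
    """True when the given proftpd.conf text satisfies def:840."""
    return evaluate(FTP_BANNER_XML, {"/etc/proftpd.conf": conf_text})[DEF_ID]


if __name__ == "__main__":
    for label, conf in (("no banner", CONF_WITHOUT_BANNER), ("banner", CONF_WITH_BANNER)):
        print(f"Definition {DEF_ID} ({label}): {str(ftp_banner_compliant(conf)).lower()}")
```

A commented-out `#DisplayConnect /etc/issue` line does not satisfy the anchored pattern, which is exactly why the check is written as a regular expression over whole lines rather than a substring search.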
To create your own OVAL files: Enhanced SCAP Content Editor

Find more information regarding this feature at
https://blogs.oracle.com/darren/entry/compliance_reporting_with_scap
root@solaris:~# sxadm exec -s aslr=enable /usr/bin/pmap self
1917:   /usr/bin/pmap self
0000000000400000         28K r-x--  /usr/bin/pmap
0000000000417000          4K rw---  /usr/bin/pmap
0000000000418000          8K rw---  /usr/bin/pmap
00000005D6666000         36K rw---    [ heap ]
00007FF669C70000        216K r-x--  /lib/amd64/libproc.so.1
00007FF669CB6000          8K rw---  /lib/amd64/libproc.so.1
00007FF669CC0000          4K rw---    [ anon ]
00007FF669CD0000         24K rwx--    [ anon ]
00007FF669CE0000          4K rw---    [ anon ]
00007FF669CF0000       1764K r-x--  /lib/amd64/libc.so.1
00007FF669EB9000         64K rw---  /lib/amd64/libc.so.1
00007FF669EC9000         12K rw---  /lib/amd64/libc.so.1
00007FF669ED0000          4K rw---    [ anon ]
00007FF669EE0000          4K rw---    [ anon ]
00007FF669EF0000          4K rw---    [ anon ]
00007FF669EF2000          4K r--s-    [ anon ]
00007FF669EFC000        340K r-x--  /lib/amd64/ld.so.1
00007FF669F61000         12K rwx--  /lib/amd64/ld.so.1
00007FF669F64000          8K rwx--  /lib/amd64/ld.so.1
FFFF80DDA254F000         16K rw---    [ stack ]
        total         2564K
root@solaris:~# sxadm exec -s aslr=enable /usr/bin/pmap self
1918:   /usr/bin/pmap self
0000000000400000         28K r-x--  /usr/bin/pmap
0000000000417000          4K rw---  /usr/bin/pmap
0000000000418000          8K rw---  /usr/bin/pmap
000000065B76D000         36K rw---    [ heap ]
00007FFAACFC0000        216K r-x--  /lib/amd64/libproc.so.1
00007FFAAD006000          8K rw---  /lib/amd64/libproc.so.1
00007FFAAD010000          4K rw---    [ anon ]
00007FFAAD020000         24K rwx--    [ anon ]
00007FFAAD030000          4K rw---    [ anon ]
00007FFAAD040000       1764K r-x--  /lib/amd64/libc.so.1
00007FFAAD209000         64K rw---  /lib/amd64/libc.so.1
00007FFAAD219000         12K rw---  /lib/amd64/libc.so.1
00007FFAAD220000          4K rw---    [ anon ]
00007FFAAD230000          4K rw---    [ anon ]
00007FFAAD240000          4K rw---    [ anon ]
00007FFAAD242000          4K r--s-    [ anon ]
00007FFAAD24D000        340K r-x--  /lib/amd64/ld.so.1
00007FFAAD2B2000         12K rwx--  /lib/amd64/ld.so.1
00007FFAAD2B5000          8K rwx--  /lib/amd64/ld.so.1
FFFF80DE1559E000         12K rw---    [ stack ]
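The two pmap listings above are easier to read with a small diff: this added example (not from the slides or from Solaris) parses pmap(1) output and reports which mappings moved between the two runs, using trimmed copies of the listings as constructed input. Only the heap, the shared objects and the stack are rebased; the non-PIE /usr/bin/pmap text itself stays at 0x400000.

```python
import re

# Trimmed copies of the two `sxadm exec -s aslr=enable /usr/bin/pmap self`
# listings from the slides (pids 1917 and 1918); one line per mapping of interest.
RUN_1917 = """\
0000000000400000         28K r-x--  /usr/bin/pmap
0000000000417000          4K rw---  /usr/bin/pmap
00000005D6666000         36K rw---    [ heap ]
00007FF669C70000        216K r-x--  /lib/amd64/libproc.so.1
00007FF669CF0000       1764K r-x--  /lib/amd64/libc.so.1
00007FF669EFC000        340K r-x--  /lib/amd64/ld.so.1
FFFF80DDA254F000         16K rw---    [ stack ]
        total         2564K
"""
RUN_1918 = """\
0000000000400000         28K r-x--  /usr/bin/pmap
0000000000417000          4K rw---  /usr/bin/pmap
000000065B76D000         36K rw---    [ heap ]
00007FFAACFC0000        216K r-x--  /lib/amd64/libproc.so.1
00007FFAAD040000       1764K r-x--  /lib/amd64/libc.so.1
00007FFAAD24D000        340K r-x--  /lib/amd64/ld.so.1
FFFF80DE1559E000         12K rw---    [ stack ]
"""

# address, size in K, permission flags, mapping name (may contain spaces)
MAPPING = re.compile(r"^([0-9A-Fa-f]+)\s+(\d+)K\s+(\S+)\s+(.+?)\s*$")


def parse_pmap(text):
    """Return {(name, perms, nth): base address} for every mapping line.
    `nth` numbers repeated (name, perms) pairs so each mapping has a key."""
    seen, mappings = {}, {}
    for line in text.splitlines():
        m = MAPPING.match(line)
        if not m:                       # header, "total" line, blanks
            continue
        addr, _size, perms, name = m.groups()
        n = seen.get((name, perms), 0)
        seen[(name, perms)] = n + 1
        mappings[(name, perms, n)] = int(addr, 16)
    return mappings


def aslr_report(text_a, text_b):
    """Compare two runs of the same program: {mapping key: base shift}.
    A shift of 0 means the mapping landed at the same address both times."""
    a, b = parse_pmap(text_a), parse_pmap(text_b)
    return {key: b[key] - a[key] for key in a if key in b}


def fixed_mappings(report):
    """Names of mappings that ASLR did not move. A main executable that is
    not position independent shows up here even with aslr=enable."""
    return sorted({key[0] for key, shift in report.items() if shift == 0})


def randomised_mappings(report):
    """Names of mappings whose base differed between the two runs."""
    return sorted({key[0] for key, shift in report.items() if shift != 0})


if __name__ == "__main__":
    report = aslr_report(RUN_1917, RUN_1918)
    for (name, perms, _n), shift in report.items():
        print(f"{name:28s} {perms}  shift {shift:+#x}")
    print("fixed:     ", fixed_mappings(report))
    print("randomised:", randomised_mappings(report))
```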
root@solaris:~# sxadm info
EXTENSION           STATUS                    CONFIGURATION
aslr                enabled (tagged-files)    system default (default)

root@solaris:~# elfdump -d /usr/bin/pmap | grep ASLR
      [33]  SUNW_ASLR         0x2               ENABLE
root@solaris:~# elfedit -e 'dyn:sunw_aslr disable' /usr/bin/pmap
root@solaris:~# elfdump -d /usr/bin/pmap | grep ASLR
      [33]  SUNW_ASLR         0x1               DISABLE
root@solaris:~# sxadm enable -c model=all aslr
root@solaris:~# sxadm info
EXTENSION           STATUS                    CONFIGURATION
aslr                enabled (all)             enabled (all)

root@solaris:~# sxadm disable aslr
root@solaris:~# sxadm info
EXTENSION           STATUS                    CONFIGURATION
aslr                disabled                  disabled

root@solaris:~# sxadm enable -c model=tagged-files aslr
root@solaris:~# sxadm info
EXTENSION           STATUS                    CONFIGURATION
aslr                enabled (tagged-files)    enabled (tagged-files)
pfedit
root@template:/etc/apache2/2.2# profiles -p "httpd edit"
profiles:httpd edit> set auths=solaris.admin.edit/etc/apache2/2.2/httpd.conf
profiles:httpd edit> set desc="Edit httpd"
profiles:httpd edit> exit
root@template:/etc/apache2/2.2# usermod -P +"httpd edit" junior
junior@template:~$ profiles
        httpd edit
        Basic Solaris User
        All
junior@template:~$ vi /etc/apache2/2.2/httpd.conf
junior@template:~$ pfedit /etc/apache2/2.2/httpd.conf
pfedit: /etc/apache2/2.2/httpd.conf has been updated.
junior@template:~$ pfedit /etc/apache2/2.2/mime.types
pfedit: User junior is not authorized to edit the file /etc/apache2/2.2/mime.types
root@template:/etc/apache2/2.2# profiles -p "httpd edit"
profiles:httpd edit> info
        name=httpd edit
        desc=Edit httpd
        auths=solaris.admin.edit/etc/apache2/2.2/httpd.conf
profiles:httpd edit> add auths=solaris.admin.edit/etc/apache2/2.2/mime.types
junior@template:~$ pfedit /etc/apache2/2.2/mime.types
pfedit: no changes for /etc/apache2/2.2/mime.types
# profiles -p "httpd configure"
profiles:httpd configure> add always_audit=as
profiles:httpd configure> info
        name=httpd configure
        desc=Configure httpd
        auths=solaris.admin.edit/etc/apache2/2.2/httpd.conf,solaris.admin.edit/etc/apache2/2.2/mime.types
        always_audit=as
        never_audit=no
profiles:httpd configure> exit
root@template:~#
root@template:~# auditreduce -c as | praudit
[...]
header,486,2,edit administrative file,fe80::a00:27ff:fea6:33cb,2013-08-12 07:45:52.306 +00:00
subject,junior,junior,staff,junior,staff,4212447467166369 136704 MacBook-Pro-of-c0t0d0s0.fritz.box
path,/etc/apache2/2.2/httpd.conf
use of authorization,solaris.admin.edit/etc/apache2/2.2/httpd.conf
text,--- /etc/apache2/2.2/httpd.conf     Mo Aug 12 07:45:00 2013
+++ /etc/apache2/2.2/httpd.conf.pfedit.1BaGoi   Mo Aug 12 07:45:52 2013
@@ -1,5 +1,6 @@
 # Test
 # Test 2
+# Test 3
 #
 # This is the main Apache HTTP server configuration file.  It contains the
 # configuration directives that give the server its instructions.
return,success,0
Delegating privilege to restart services (so you can keep the root password)
junior@template:~$ svcadm refresh apache22
svcadm: svc:/network/http:apache22: Permission denied.
# svcs -a | grep apache22
online         15:30:29 svc:/network/http:apache22
# auths add -t "Apache22 value" solaris.smf.value.http/apache22
# auths add -t "Apache22 action" solaris.smf.action.http/apache22
# svccfg -s apache22 setprop general/value_authorization = astring: solaris.smf.value.http/apache22
# svccfg -s apache22 setprop general/action_authorization = astring: solaris.smf.action.http/apache22
# profiles -p "httpd edit" 'add auths=solaris.smf.action.http/apache22'
junior@template:~$ svcadm refresh apache22
junior@template:~$
Privileges
$ ls -l /usr/sbin/traceroute
-r-sr-xr-x   1 root     bin        42324 Nov 21 00:09 /usr/sbin/traceroute
$ ls -l /usr/sbin/ping
-r-sr-xr-x   1 root     bin        51396 Nov 18 19:31 /usr/sbin/ping

Set-uid to root: ping needs it to work.
# chmod -s /sbin/ping
# exit
$ ping -s 1921681132
ping: socket Permission denied

Remove the set-uid bit and ping stops working.
jmoekamp@daddelkiste:~$ ppriv $$
2153:   -bash
flags = <none>
        E: basic
        I: basic
        P: basic
        L: all
contract_event, contract_identity, contract_observer, cpc_cpu, dtrace_kernel, dtrace_proc, dtrace_user, file_chown, file_chown_self, file_dac_execute, file_dac_read, file_dac_search, file_dac_write, file_downgrade_sl, file_flag_set, file_link_any, file_owner, file_read, file_setid, file_upgrade_sl, file_write, graphics_access, graphics_map, ipc_dac_read, ipc_dac_write, ipc_owner, net_access, net_bindmlp, net_icmpaccess, net_mac_aware, net_mac_implicit, net_observability, net_privaddr, net_rawaccess, proc_audit, proc_chroot, proc_clock_highres, proc_exec, proc_fork, proc_info, proc_lock_memory, proc_owner, proc_priocntl, proc_session, proc_setid, proc_taskid, proc_zone, sys_acct, sys_admin, sys_audit, sys_config, sys_devices, sys_dl_config, sys_flow_config, sys_ib_config, sys_ib_info, sys_ip_config, sys_ipc_config, sys_iptun_config, sys_linkdir, sys_mount, sys_net_config, sys_nfs, sys_ppp_config, sys_res_bind, sys_res_config, sys_resource, sys_share, sys_smb, sys_suser_compat, sys_time, sys_trans_label, win_colormap, win_config, win_dac_read, win_dac_write, win_devices, win_dga, win_downgrade_sl, win_fontpath, win_mac_read, win_mac_write, win_selection, win_upgrade_sl
All privileges in their entirety assigned to one user are (almost)
Neat extension in Solaris 11: the ability to use networking is now a privilege. It's part of the default set of privileges, but you can remove it.
jmoekamp@daddelkiste:~$ ppriv -v $$
2153:   -bash
flags = <none>
        E: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
        I: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
        P: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
        L: contract_event,contract_identity,contract_observer,cpc_cpu,dtrace_kernel,dtrace_proc,dtrace_user,file_chown,file_chown_self,file_dac_execute,file_dac_read,file_dac_search,file_dac_write,file_downgrade_sl,file_flag_set,file_link_any,file_owner,file_read,file_setid,file_upgrade_sl,file_write,graphics_access,graphics_map,ipc_dac_read,ipc_dac_write,ipc_owner,net_access,net_bindmlp,net_icmpaccess,net_mac_aware,net_mac_implicit,net_observability,net_privaddr,net_rawaccess,proc_audit,proc_chroot,proc_clock_highres,proc_exec,proc_fork,proc_info,proc_lock_memory,proc_owner,proc_priocntl,proc_session,proc_setid,proc_taskid,proc_zone,sys_acct,sys_admin,sys_audit,sys_config,sys_devices,sys_dl_config,sys_flow_config,sys_ib_config,sys_ib_info,sys_ip_config,sys_ipc_config,sys_iptun_config,sys_linkdir,sys_mount,sys_net_config,sys_nfs,sys_ppp_config,sys_res_bind,sys_res_config,sys_resource,sys_share,sys_smb,sys_suser_compat,sys_time,sys_trans_label,win_colormap,win_config,win_dac_read,win_dac_write,win_devices,win_dga,win_downgrade_sl,win_fontpath,win_mac_read,win_mac_write,win_selection,win_upgrade_sl
root@daddelkiste:~# ppriv $$
2183:   -bash
flags = <none>
        E: all
        I: basic
        P: all
        L: all
junior@daddelkiste:~$ dtrace -n 'syscall:::entry { @num[execname] = count(); }'
dtrace: failed to initialize dtrace: DTrace requires additional privileges
root@daddelkiste:~# usermod -K defaultpriv=basic,dtrace_kernel,dtrace_proc,dtrace_user junior
UX: usermod: junior is currently logged in, some changes may not take effect until next login.
junior@daddelkiste:~$ dtrace -n 'syscall:::entry { @num[execname] = count(); }'
dtrace: description 'syscall:::entry' matched 211 probes
^C

  automountd                                                        1
  sshd                                                             24
  dtrace                                                          544
  auditd                                                          564
# ps -ef | grep kcfd
  daemon   125     1   0 14:24:19 ?           0:00 /usr/lib/crypto/kcfd
    root   734   728   0 15:54:08 pts/1       0:00 grep kcfd
# ppriv -v 125
125:    /usr/lib/crypto/kcfd
flags = PRIV_AWARE
        E: file_owner,proc_priocntl,sys_devices
        I: none
        P: file_owner,proc_priocntl,sys_devices
        L: none
# svcadm -v enable -s apache2
svc:/network/http:apache2 enabled.
jmoekamp@client:~$ ps -ef | grep http
webservd  1978  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1979  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1980  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1984  1975   0 12:20:02 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
    root  1975     1   0 12:19:14 ?           0:01 /usr/apache2/2.2/bin/httpd -k start
webservd  1977  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1976  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
root@client:~# ppriv 1977
1977:   /usr/apache2/2.2/bin/httpd -k start
flags = <none>
        E: basic
        I: basic
        P: basic
        L: all
root@client:~# ppriv 1975
1975:   /usr/apache2/2.2/bin/httpd -k start
flags = <none>
        E: all
        I: basic
        P: all
        L: all
root@client:~#
The Apache process running as root has the following privileges: all of them.

The other processes have the following privileges: the basic set.

Apache really needs only a handful of them.

So you grant a large number of privileges to one process that Apache doesn't need.
# svcadm -v disable -s apache2
svc:/network/http:apache2 disabled.
root@client:~# svccfg -s apache22
svc:/network/http:apache22> setprop start/user = astring: webservd
svc:/network/http:apache22> setprop start/group = astring: webservd
svc:/network/http:apache22> setprop start/privileges = astring: basic,!proc_session,!proc_info,!file_link_any,net_privaddr
svc:/network/http:apache22> setprop start/limit_privileges = astring: :default
svc:/network/http:apache22> setprop start/use_profile = boolean: false
svc:/network/http:apache22> setprop start/supp_groups = astring: :default
svc:/network/http:apache22> setprop start/working_directory = astring: :default
svc:/network/http:apache22> setprop start/project = astring: :default
svc:/network/http:apache22> setprop start/resource_pool = astring: :default
svc:/network/http:apache22> end
root@client:~# svcadm -v refresh apache22
Action refresh set for svc:/network/http:apache22.
# echo "LockFile /var/apache2/2.2/logs/accept.lock" >> /etc/apache2/2.2/httpd.conf
# echo "PidFile /var/apache2/2.2/run/httpd.pid" >> /etc/apache2/2.2/httpd.conf
# mkdir -p -m 755 /var/apache2/2.2/run
# chown webservd:webservd /var/apache2/2.2/run
# svcadm enable apache22
webservd  3064  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3062  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3063  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3066  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3061     1   0 16:49:17 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3065  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
Read-only zone root
zonecfg:testzone> set file-mac-profile=none
    Standard read-write non-global zone with no additional protection beyond the existing zones boundaries.

zonecfg:testzone> set file-mac-profile=strict
    Read-only file system, no exceptions.

zonecfg:testzone> set file-mac-profile=fixed-configuration
    Permits updates to /var/* directories, with the exception of directories that contain system configuration components.

zonecfg:testzone> set file-mac-profile=flexible-configuration
    Permits modification of files in /etc/* directories, changes to root's home directory, and updates to /var/* directories. This configuration provides the closest functionality to the Oracle Solaris 10 native sparse root zone.
in-kernel SSL Proxy
# mkdir /etc/keys
# cd /etc/keys
# openssl req -x509 -nodes -days 365 -subj "/C=DE/ST=Hamburg/L=Hamburg/CN=server" -newkey rsa:1024 -keyout /etc/keys/mykey.pem -out /etc/keys/mycert.pem
# cat mycert.pem mykey.pem > my.pem
# chmod 600 *
# echo "pass" > /etc/keys/mypass
# ksslcfg create -f pem -i /etc/keys/my.pem -x 8080 -p /etc/keys/mypass server 443
# ksslcfg create -f pem -i /etc/keys/my.pem -x 8080 -p /etc/keys/mypass -c rsa_aes_256_cbc_sha,rsa_aes_128_cbc_sha,rsa_rc4_128_sha,rsa_rc4_128_md5 server 443
# svcs -a | grep kssl
online          9:03:33 svc:/network/ssl/proxy:kssl-server-443
# svcadm disable apache22
# echo "Listen 192.168.178.108:8080" >> /etc/apache2/2.2/httpd.conf
# svcadm enable apache22

Port number and IP address have to be defined in httpd.conf, otherwise it will not work.
# openssl s_client -connect server:443
CONNECTED(00000004)
depth=0 /C=DE/ST=Hamburg/L=Hamburg/CN=server
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=DE/ST=Hamburg/L=Hamburg/CN=server
verify return:1
---
Certificate chain
 0 s:/C=DE/ST=Hamburg/L=Hamburg/CN=server
   i:/C=DE/ST=Hamburg/L=Hamburg/CN=server
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICoTCCAgqgAwIBAgIJAKyJdj[...]V5jX3MU=
-----END CERTIFICATE-----
subject=/C=DE/ST=Hamburg/L=Hamburg/CN=server
issuer=/C=DE/ST=Hamburg/L=Hamburg/CN=server
---
No client certificate CA names sent
---
SSL handshake has read 817 bytes and written 328 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-SHA
    Session-ID: 32CEF20CB9FE2A71C74D40BB2DB5CB304DA1B57540B7CFDD113915B99DBE9812
    Session-ID-ctx:
    Master-Key: 1E7B502390951124779C5763B5E4BBAF0A9B0693D08DCA8A587B503A5C5027B6FAD9CA7626B1AD8C62219E8502A5C21E
    Key-Arg   : None
    Start Time: 1242985143
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
GET / HTTP/1.0

HTTP/1.1 200 OK
Date: Fri, 22 May 2009 09:39:13 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8a DAV/2
Last-Modified: Thu, 21 May 2009 21:26:30 GMT
ETag: "341f3-2c-46a72cc211a8f"
Accept-Ranges: bytes
Content-Length: 44
Connection: close
Content-Type: text/html

<html><body><h1>It works!</h1></body></html>
read:errno=0
ZFS Encryption
# zfs create -o encryption=on rpool/export/project
wrapping key (user settable)
encryption key (random, not user settable)
keysource locations for the wrapping key: prompt, file://, https://, pkcs11:
aes-128-ccm (=on), aes-192-ccm, aes-256-ccm, aes-128-gcm, aes-192-gcm, aes-256-gcm
# zfs set checksum=sha256+mac <dataset>

If encryption!=off, something like this happens automatically. This property is read-only from then on.
# pktool genkey keystore=pkcs11 keytype=aes keylen=128 label=mykey
Enter PIN for Sun Software PKCS#11 softtoken:
# zfs create -o encryption=on -o keysource=raw,pkcs11:object=mykey tank/projectC
Enter PKCS#11 token PIN for 'tank/projectC':
# zfs create -o encryption=on -o keysource=raw,https://keys.example.com/mykey tank/projectR
# cp myservercert.pem /etc/certs/CA
# svcadm refresh ca-certificates
$ zfs key -c rpool/export/project
Enter new passphrase for 'rpool/export/project':

Changing the wrapping key
# zfs key -K tank/projectA
# zfs clone -K tank/projectA@montag tank/projectD

Changing the encryption key for data written from now on.
Creates a new data encryption key. Data written in the clone uses the new data encryption key, which is distinct from that of its original snapshot.
Solaris Cryptographic Framework
As soon as Solaris detects hardware acceleration for cryptography, Solaris will use it (and so will applications using the Oracle-supplied OpenSSL library or the direct interfaces):
• on-chip crypto accelerator in T- and current M-series chips
• instruction set extensions in Intel processors (AES-NI)
• supported crypto accelerator cards
Just a side-note T-series crypto acceleration and Intel x86 acceleration have pretty much different performance characteristics
T-Series Acceleration by offloading crypto outside pipelineIntel x86 Acceleration by offering special in-pipeline instructions to accelerate execution
Sounds like splitting hairs
c0t0d0s0org
c0t0d0s0org
c0t0d0s0org98
Using ZFS to do two-factor encryption

jmoekamp@solaris:~$ rmformat
Looking for devices...
     1. Logical Node: /dev/rdsk/c10t0d0p0
        Physical Node: pci00pci8086265cbstorage2disk00
        Connected Device: SanDisk  U3 Cruzer Micro  8.02
        Device Type: Removable
        Bus: USB
        Size: 3.8 GB
        Label:
        Access permissions: Medium is not write protected
     (...)
     3. Logical Node: /dev/rdsk/c9t0d0p0
        Physical Node: pci00pci8086265cbstorage1disk00
        Connected Device: SanDisk  U3 Cruzer Micro  8.02
        Device Type: Removable
        Bus: USB
        Size: 3.8 GB
        Label:
        Access permissions: Medium is not write protected

root@solaris:~# zpool create a_keystore_usbstick /dev/dsk/c10t0d0p0
root@solaris:~# zpool create datastore /dev/dsk/c9t0d0p0

root@solaris:~# zfs create -o encryption=on a_keystore_usbstick/keys
Enter passphrase for 'a_keystore_usbstick/keys': supersecret
Enter again: supersecret

root@solaris:~# pktool genkey keystore=file keytype=aes keylen=128 outkey=/a_keystore_usbstick/keys/joergsdatastickkey

root@solaris:~# zfs create -o encryption=on -o keysource=raw,file:///a_keystore_usbstick/keys/joergsdatastickkey datastick/joergssecrets

root@solaris:/datastick/joergssecrets# mv /home/jmoekamp/highlyconfidential_nda_presos.tgz .

root@solaris:~# zpool export a_keystore_usbstick
root@solaris:~# zpool export datastick

root@solaris:~# zpool import a_keystore_usbstick
Enter passphrase for 'a_keystore_usbstick/keys': supersecret
root@solaris:~#

root@solaris:~# zpool import datastick
root@solaris:~# cd /datastick/joergssecrets
root@solaris:/datastick/joergssecrets# ls
highconfidential_nda_presos.tgz
Basic Auditing and Reporting Tool

# mkdir /bart-files
# bart create -R /etc > /bart-files/etc.control.manifest

# cat etc.control.manifest | grep nsswitch.nisplus
/nsswitch.nisplus F 2525 100644 user::rw-,group::r--,mask:r--,other:r-- 473976b5 0 3 79e8fd689a5221d1cd059e5077da71b8

# touch /etc/thisisjustatest
# chmod 777 /etc/nsswitch.files
# echo "just a test" >> /etc/nsswitch.nisplus

# bart create -R /etc > /bart-files/etc.check.20130911.manifest

# cd /bart-files
# bart compare etc.control.manifest etc.check.20130911.manifest
/nsswitch.files:
  mode  control:100644  test:100777
  acl  control:user::rw-,group::r--,mask:r--,other:r--  test:user::rwx,group::rwx,mask:rwx,other:rwx
/nsswitch.nisplus:
  size  control:2525  test:2538
  mtime  control:473976b5  test:47a44862
  contents  control:79e8fd689a5221d1cd059e5077da71b8  test:3f79176ec352441db11ec8a3d02ef67c
/thisisjustatest:
  add

Find more information regarding this feature at http://www.c0t0d0s0.org/archives/4069-Less-known-Solaris-features-BART.html
Apropos Auditing

Auditing is activated by default

root@client:~# auditconfig -getflags
active user default audit flags = lo(0x1000,0x1000)
configured user default audit flags = lo(0x1000,0x1000)
root@client:~# auditconfig -getnaflags
active non-attributable audit flags = lo(0x1000,0x1000)
configured non-attributable audit flags = lo(0x1000,0x1000)

root@client:~# auditconfig -getpolicy
configured audit policies = cnt
active audit policies = cnt
Policy regarding auditing (explanation on the next slide)

root@client:~# auditconfig -lspolicy
policy        string        description:
ahlt          halt machine if it can not record an async event
all           all policies
arge          include exec environment args in audit recs
argv          include exec command line args in audit recs
cnt           when no more space, drop recs and keep a cnt
group         include supplementary groups in audit recs
none          no policies
path          allow multiple paths per event
perzone       use a separate queue and auditd per zone
public        audit public files
seq           include a sequence number in audit recs
trail         include trailer token in audit recs
windata_down  include downgraded window information in audit recs
windata_up    include upgraded window information in audit recs
zonename      include zonename token in audit recs
Which degree of detail? What happens with full disks?

root@client:~# auditconfig -getplugin
Plugin: audit_binfile (active)
        Attributes: p_dir=/var/audit;p_fsize=0;p_minfree=1;
Plugin: audit_syslog (inactive)
        Attributes: p_flags=;
Plugin: audit_remote (inactive)
        Attributes: p_hosts=;p_retries=3;p_timeout=5;

root@client:~# auditconfig -setflags lo,ps,fw
user default audit flags = ps,lo,fw(0x101002,0x101002)
root@client:~# auditconfig -setnaflags lo,na
non-attributable audit flags = lo,na(0x1400,0x1400)
lo and na are the only sensible flags for non-attributable events.

root@client:~# usermod -K audit_flags=fw:as junior

root@client:~# auditconfig -lsevent | grep lo
AUE_login                6152 lo login - local
AUE_logout               6153 lo logout
AUE_telnet               6154 lo login - telnet
AUE_rlogin               6155 lo login - rlogin
AUE_rshd                 6158 lo rsh access
AUE_su                   6159 lo su
AUE_rexecd               6162 lo rexecd
AUE_passwd               6163 lo passwd
AUE_rexd                 6164 lo rexd
AUE_ftpd                 6165 lo ftp access
AUE_ftpd_logout          6171 lo ftp logout
AUE_ssh                  6172 lo login - ssh
AUE_role_login           6173 lo role login
AUE_rad_login            6174 lo connect to RAD
AUE_newgrp_login         6212 lo newgrp login
AUE_admin_authenticate   6213 lo admin login
AUE_screenlock           6221 lo screenlock - lock
AUE_screenunlock         6222 lo screenlock - unlock
AUE_zlogin               6227 lo login - zlogin
AUE_su_logout            6228 lo su logout
AUE_role_logout          6229 lo role logout
AUE_smbd_session         6244 lo smbd(1m) session setup
AUE_smbd_logoff          6245 lo smbd(1m) session logoff

root@client:~# auditconfig -lsevent | grep ps
AUE_EXIT                    1 ps exit(2)
AUE_FORKALL                 2 ps forkall(2)
AUE_VFORK                  25 ps vfork(2)
AUE_FORK1                 241 ps fork1(2)
root@client:~# auditconfig -lsevent | grep fw
AUE_OPEN_W                 76 fw open(2) - write

# auditreduce -c ps /var/audit/20130912183630.not_terminated.client | praudit
header,139,2,execve(2),,client,2013-09-12 18:40:55.924 +00:00
path,/usr/sbin/auditreduce
attribute,100555,root,bin,65538,65875,18446744073709551615
subject,jmoekamp,root,root,root,root,2054,1440080956,2480 202240 192.168.10.1
return,success,0

root@client:~# auditconfig -setflags all
user default audit flags = all(0xffffffffffffffff,0xffffffffffffffff)
Not always (in the sense of never) a good idea.
Useful after trying out - starting a new audit file:
root@client:~# audit -n

root@client:~# auditstat
  gen  nona  kern   aud   ctl   enq  wrtn  wblk  rblk  drop   tot   mem
38248     1 38233    14     0 37791 37788     0  3491   457  5169     0
all activated for a few seconds on an unloaded system
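The flag strings and the masks auditconfig prints beside them, worked through in an added Python example (not from the slides and not Solaris code): it reads a constructed excerpt of /etc/security/audit_class, turns a flag string such as lo,ps,fw (with the +, - and ^ prefixes of audit_flags) into the (success,failure) mask pair, renders it back, and combines a user's audit_flags=always:never attribute with the system-wide flags. The masks for fw, na, lo and ps are the ones visible above; the mask for as is assumed from the stock audit_class file, and listing class names in descending mask order is an assumption that reproduces the output shown above.

```python
"""Added example: audit preselection masks as shown by auditconfig.
Not the Solaris implementation."""
import re
from typing import Dict, Tuple

# Constructed excerpt of /etc/security/audit_class (mask:name:description).
AUDIT_CLASS = """\
# mask:name:description
0x00000002:fw:file write
0x00000400:na:non-attribute
0x00001000:lo:login or logout
0x00020000:as:system-wide administration
0x00100000:ps:process start/stop
"""

ALL_MASK = 0xFFFFFFFFFFFFFFFF   # what "all" expands to in the output above


def parse_audit_class(text: str) -> Dict[str, int]:
    """Map class name to its bit mask; blank and '#' lines are skipped."""
    classes: Dict[str, int] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        mask, name, _description = line.split(":", 2)
        classes[name] = int(mask, 16)
    return classes


CLASSES = parse_audit_class(AUDIT_CLASS)


def flags_to_masks(flags: str, classes: Dict[str, int] = CLASSES) -> Tuple[int, int]:
    """Turn "lo,ps,fw", "+lo" (success only), "-lo" (failure only) or
    "all,^fw" (remove a class) into the (success, failure) mask pair."""
    success = failure = 0
    for token in flags.split(","):
        token = token.strip()
        if not token:
            continue
        m = re.fullmatch(r"(\^?)([+-]?)(\w+)", token)
        if not m:
            raise ValueError(f"bad audit flag: {token!r}")
        negate, which, name = m.groups()
        if name == "all":
            mask = ALL_MASK
        elif name == "no":
            mask = 0
        elif name in classes:
            mask = classes[name]
        else:
            raise ValueError(f"unknown audit class: {name!r}")
        s_bits = mask if which != "-" else 0
        f_bits = mask if which != "+" else 0
        if negate:
            success &= ~s_bits
            failure &= ~f_bits
        else:
            success |= s_bits
            failure |= f_bits
    return success & ALL_MASK, failure & ALL_MASK


def masks_to_flags(success: int, failure: int, classes: Dict[str, int] = CLASSES) -> str:
    """Render masks the way auditconfig does, e.g. ps,lo,fw(0x101002,0x101002)."""
    if success == ALL_MASK and failure == ALL_MASK:
        names = ["all"]
    else:
        names = []
        for name, mask in sorted(classes.items(), key=lambda kv: -kv[1]):
            on_success = (success & mask) == mask
            on_failure = (failure & mask) == mask
            if on_success and on_failure:
                names.append(name)
            elif on_success:
                names.append("+" + name)
            elif on_failure:
                names.append("-" + name)
    return f"{','.join(names)}(0x{success:x},0x{failure:x})"


def user_preselection(system_flags: str, user_audit_flags: str) -> Tuple[int, int]:
    """Combine the system-wide flags with a user's audit_flags=always:never
    attribute (usermod -K audit_flags=fw:as): always-audit classes are added,
    never-audit classes removed, on both the success and the failure mask."""
    always, _, never = user_audit_flags.partition(":")
    sys_s, sys_f = flags_to_masks(system_flags)
    alw_s, alw_f = flags_to_masks(always)
    nev_s, nev_f = flags_to_masks(never)
    return ((sys_s | alw_s) & ~nev_s & ALL_MASK,
            (sys_f | alw_f) & ~nev_f & ALL_MASK)


if __name__ == "__main__":
    print(masks_to_flags(*flags_to_masks("lo,ps,fw")))
    print(masks_to_flags(*user_preselection("lo", "fw:as")))
```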
SSH and X.509

root@ca:~# CA.pl -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
......++++++
......++++++
writing new private key to '/etc/openssl/private/cakey.pem'
Enter PEM pass phrase: supersecret1
Verifying - Enter PEM pass phrase: supersecret1
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:DE
State or Province Name (full name) []:Lower Saxony
Locality Name (eg, city) []:Lueneburg
Organization Name (eg, company) []:c0t0d0s0.org
Organizational Unit Name (eg, section) []:Security Department
Common Name (e.g. server FQDN or YOUR name) []:CA
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openssl/openssl.cnf
Enter pass phrase for /etc/openssl/private/cakey.pem: supersecret1
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            b3:54:80:88:66:ad:e8:78
        Validity
            Not Before: Sep 26 10:11:09 2013 GMT
            Not After : Sep 25 10:11:09 2016 GMT
        Subject:
            countryName               = DE
            stateOrProvinceName       = Lower Saxony
            organizationName          = c0t0d0s0.org
            organizationalUnitName    = Security Department
            commonName                = CA
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44
            X509v3 Authority Key Identifier:
                keyid:5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44
            X509v3 Basic Constraints:
                CA:TRUE
Certificate is to be certified until Sep 25 10:11:09 2016 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated

root@ca:~# mkdir server
root@ca:~# cd server
root@ca:~/server# CA.pl -newreq
Generating a 1024 bit RSA private key
......++++++
......++++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase: supersecret2
Verifying - Enter PEM pass phrase: supersecret2
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:DE
State or Province Name (full name) []:Lower Saxony
Locality Name (eg, city) []:Lueneburg
Organization Name (eg, company) []:c0t0d0s0.org
Organizational Unit Name (eg, section) []:Server Certificates
Common Name (e.g. server FQDN or YOUR name) []:server
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem

root@ca:~/server# CA.pl -signreq
Using configuration from /etc/openssl/openssl.cnf
Enter pass phrase for /etc/openssl/private/cakey.pem: supersecret1
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            b3:54:80:88:66:ad:e8:79
        Validity
            Not Before: Sep 26 10:29:12 2013 GMT
            Not After : Sep 26 10:29:12 2014 GMT
        Subject:
            countryName               = DE
            stateOrProvinceName       = Lower Saxony
            localityName              = Lueneburg
            organizationName          = c0t0d0s0.org
            organizationalUnitName    = Server Certificates
            commonName                = server
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                A7:DC:03:DE:B3:D5:FB:F9:C0:06:F1:1A:55:A9:AD:04:C4:9C:10:FA
            X509v3 Authority Key Identifier:
                keyid:5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44
Certificate is to be certified until Sep 26 10:29:12 2014 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
root@ca:~/server# ls -l
total 15
-rw-r--r--   1 root     root        3196 Sep 26 12:29 newcert.pem
-rw-r--r--   1 root     root        1041 Sep 26 12:28 newkey.pem
-rw-r--r--   1 root     root         680 Sep 26 12:28 newreq.pem

root@ca:~/junior# CA.pl -newreq
Generating a 1024 bit RSA private key
......++++++
......++++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
Verify failure
Enter PEM pass phrase: supersecret3
Verifying - Enter PEM pass phrase: supersecret3
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:DE
State or Province Name (full name) []:Lower Saxony
Locality Name (eg, city) []:Lueneburg
Organization Name (eg, company) []:c0t0d0s0.org
Organizational Unit Name (eg, section) []:User certificates
Common Name (e.g. server FQDN or YOUR name) []:junior
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem

root@ca:~/junior# CA.pl -signreq
Using configuration from /etc/openssl/openssl.cnf
Enter pass phrase for /etc/openssl/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            b3:54:80:88:66:ad:e8:7a
        Validity
            Not Before: Sep 26 11:09:29 2013 GMT
            Not After : Sep 26 11:09:29 2014 GMT
        Subject:
            countryName               = DE
            stateOrProvinceName       = Lower Saxony
            localityName              = Lueneburg
            organizationName          = c0t0d0s0.org
            organizationalUnitName    = User certificates
            commonName                = junior
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                A1:F2:FC:9D:8A:E2:AD:9A:F5:29:03:F5:B7:14:93:3C:64:62:8E:9C
            X509v3 Authority Key Identifier:
                keyid:5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44
Certificate is to be certified until Sep 26 11:09:29 2014 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem

root@server:~# useradd -m junior
80 blocks
root@server:~# passwd junior
New Password:
Re-enter new Password:
passwd: password successfully changed for junior
root@server:~#
root@client:~# useradd -m junior
80 blocks
root@client:~# passwd junior
New Password:
Re-enter new Password:
passwd: password successfully changed for junior

root@server:~# echo "192.168.10.51 server" >> /etc/hosts
root@server:~# echo "192.168.10.52 client" >> /etc/hosts
root@client:~# echo "192.168.10.51 server" >> /etc/hosts
root@client:~# echo "192.168.10.52 client" >> /etc/hosts

root@ca:~/server# scp /etc/openssl/cacert.pem jmoekamp@192.168.10.109:/export/home/jmoekamp
Password:
cacert.pem           100% |*****************************|  3011       00:00
root@ca:~/server# scp newcert.pem jmoekamp@192.168.10.109:/export/home/jmoekamp
Password:
newcert.pem          100% |*****************************|  3196       00:00
root@ca:~/server# scp newkey.pem jmoekamp@192.168.10.109:/export/home/jmoekamp
Password:
newkey.pem           100% |*****************************|  1041       00:00

root@ca:~/junior# scp newkey.pem junior@client:/export/home/junior
Password:
newkey.pem           100% |*****************************|  1041       00:00
root@ca:~/junior# scp newcert.pem junior@client:/export/home/junior
Password:
newcert.pem          100% |*****************************|  3190       00:00
root@ca:~/junior# scp /etc/openssl/cacert.pem junior@192.168.10.104:/export/home/junior
Password:
cacert.pem           100% |*****************************|  3011       00:00

On the Server

root@server:~# ls
cacert.pem   newcert.pem  newkey.pem

root@server:~# pktool setpin
Enter token passphrase: changeme
Create new passphrase: superserversecret
Re-enter new passphrase: superserversecret
Passphrase changed.
root@server:~#

root@server:~# printf superserversecret > /etc/ssh/pinfile

root@server:~# kmfcfg create dbfile=/etc/ssh/policy.xml policy=ssh ta-name=search mapper-name=cn

root@server:~# echo "TrustedAnchorKeystore /etc/ssh/cert" >> /etc/ssh/sshd_config
root@server:~# echo "KMFPolicyDatabase /etc/ssh/policy.xml" >> /etc/ssh/sshd_config
root@server:~# echo "KMFPolicyName ssh" >> /etc/ssh/sshd_config
root@server:~# echo "HostKey pkcs11:object=host;token=Sun Metaslot;pinfile=/etc/ssh/pinfile" >> /etc/ssh/sshd_config

root@server:~# pktool import keystore=pkcs11 infile=newkey.pem objtype=key label=host
Enter PIN for Sun Software PKCS#11 softtoken : superserversecret
Enter PEM pass phrase: supersecret2
Importing 1 keys

root@server:~# egrep -v '^ |^$|^Cert' /export/home/jmoekamp/cacert.pem > /etc/ssh/cert/cacert.cooked.pem
root@server:~# egrep -v '^ |^$|^Cert' newcert.pem > newcert.cooked.pem
root@server:~# pktool import keystore=pkcs11 infile=newcert.cooked.pem objtype=cert label=host
root@server:~#

On the client

junior@client:~$ ls *.pem
cacert.pem   newcert.pem  newkey.pem

root@client:~# kmfcfg create dbfile=/etc/ssh/policy.xml policy=ssh ta-name=search mapper-name=cn
root@client:~# egrep -v '^ |^$|^Cert' /export/home/junior/cacert.pem > /etc/ssh/cert/cacert.cooked.pem

junior@client:~$ pktool setpin
Enter token passphrase: changeme
Create new passphrase: superusersecret
Re-enter new passphrase: superusersecret
Passphrase changed.

junior@client:~$ pktool import keystore=pkcs11 infile=newkey.pem objtype=key label=user
Enter PIN for Sun Software PKCS#11 softtoken : superusersecret
Enter PEM pass phrase: supersecret3
Importing 1 keys
junior@client:~$ egrep -v '^ |^$|^Cert' newcert.pem > newcert.cooked.pem
junior@client:~$ pktool import keystore=pkcs11 infile=newcert.cooked.pem objtype=cert label=user

Testing it

root@server:~# svcadm disable ssh
root@server:~# svcadm enable ssh

junior@client:~$ cd .ssh
junior@client:~/.ssh$ printf superusersecret >> pinfile
junior@client:~/.ssh$ cat config
Host server-x509
    Hostname server
    TrustedAnchorKeystore /etc/ssh/cert
    KMFPolicyDatabase /etc/ssh/policy.xml
    KMFPolicyName ssh
    IdentityFile pkcs11:object=user;token=Sun Software PKCS#11 softtoken;pinfile=/export/home/junior/.ssh/pinfile

junior@client:~/.ssh$ ssh junior@server-x509
Last login: Thu Sep 26 20:07:14 2013 from client
Oracle Corporation      SunOS 5.11      11.1    September 2013
junior@server:~$

Find more information regarding this feature at http://www.c0t0d0s0.org/archives/7659-Using-X509-support-for-SSH-on-Solaris-11.1.html
OpenSCAP

"The Security Content Automation Protocol (SCAP) is a method for using specific standards to enable automated vulnerability management, measurement, and policy compliance evaluation (e.g., FISMA compliance). The National Vulnerability Database (NVD) is the U.S. government content repository for SCAP."
http://en.wikipedia.org/wiki/Security_Content_Automation_Protocol

ftp-banner.xml:

<?xml version="1.0" encoding="UTF-8"?>
<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:independent-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd">
  <generator>
    <oval:product_name>Enhanced SCAP Editor</oval:product_name>
    <oval:product_version>0.0.11</oval:product_version>
    <oval:schema_version>5.8</oval:schema_version>
    <oval:timestamp>2012-10-11T10:33:25</oval:timestamp>
  </generator>
  <!--generated.oval.base.identifier=com.oracle.solaris11-->
  <definitions>
    <definition id="oval:com.oracle.solaris11:def:840" version="1" class="compliance">
      <metadata>
        <title>Enable a Warning Banner for the FTP Service</title>
        <affected family="unix">
          <platform>Oracle Solaris 11</platform>
        </affected>
        <description>/etc/proftpd.conf contains DisplayConnect /etc/issue</description>
      </metadata>
      <criteria operator="AND" negate="false" comment="Single test">
        <criterion comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;" test_ref="oval:com.oracle.solaris11:tst:8400" negate="false"/>
      </criteria>
    </definition>
  </definitions>
  <tests>
    <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:com.oracle.solaris11:tst:8400" version="1" check="all" comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;" check_existence="all_exist">
      <object object_ref="oval:com.oracle.solaris11:obj:8400"/>
    </textfilecontent54_test>
  </tests>
  <objects>
    <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:com.oracle.solaris11:obj:8400" version="1" comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;">
      <path datatype="string" operation="equals">/etc</path>
      <filename datatype="string" operation="equals">proftpd.conf</filename>
      <pattern datatype="string" operation="pattern match">^DisplayConnect\s/etc/issue\s*$</pattern>
      <instance datatype="int" operation="greater than or equal">1</instance>
    </textfilecontent54_object>
  </objects>
</oval_definitions>

The textfilecontent54_object is the part that does the actual work: it names the file (/etc/proftpd.conf) and the pattern whose matching lines are collected.

$ oscap oval eval ftp-banner.xml
Definition oval:com.oracle.solaris11:def:840: false
Evaluation done.

$ oscap oval eval --results results.xml --report report.html ftp-banner.xml
Definition oval:com.oracle.solaris11:def:840: false
Evaluation done.
OVAL Results are exported correctly.

To create your own OVAL files: Enhanced SCAP Content Editor

Find more information regarding this feature at https://blogs.oracle.com/darren/entry/compliance_reporting_with_scap
root@solaris:~# sxadm exec -s aslr=enable /usr/bin/pmap self
1918:   /usr/bin/pmap self
0000000000400000      28K r-x--  /usr/bin/pmap
0000000000417000       4K rw---  /usr/bin/pmap
0000000000418000       8K rw---  /usr/bin/pmap
000000065B76D000      36K rw---    [ heap ]
00007FFAACFC0000     216K r-x--  /lib/amd64/libproc.so.1
00007FFAAD006000       8K rw---  /lib/amd64/libproc.so.1
00007FFAAD010000       4K rw---    [ anon ]
00007FFAAD020000      24K rwx--    [ anon ]
00007FFAAD030000       4K rw---    [ anon ]
00007FFAAD040000    1764K r-x--  /lib/amd64/libc.so.1
00007FFAAD209000      64K rw---  /lib/amd64/libc.so.1
00007FFAAD219000      12K rw---  /lib/amd64/libc.so.1
00007FFAAD220000       4K rw---    [ anon ]
00007FFAAD230000       4K rw---    [ anon ]
00007FFAAD240000       4K rw---    [ anon ]
00007FFAAD242000       4K r--s-    [ anon ]
00007FFAAD24D000     340K r-x--  /lib/amd64/ld.so.1
00007FFAAD2B2000      12K rwx--  /lib/amd64/ld.so.1
00007FFAAD2B5000       8K rwx--  /lib/amd64/ld.so.1
FFFF80DE1559E000      12K rw---    [ stack ]

root@solaris:~# sxadm info
EXTENSION           STATUS                         CONFIGURATION
aslr                enabled (tagged-files)         system default (default)

root@solaris:~# elfdump -d /usr/bin/pmap | grep ASLR
      [33]  SUNW_ASLR         0x2                 ENABLE
root@solaris:~# elfedit -e 'dyn:sunw_aslr disable' /usr/bin/pmap
root@solaris:~# elfdump -d /usr/bin/pmap | grep ASLR
      [33]  SUNW_ASLR         0x1                 DISABLE

root@solaris:~# sxadm enable -c model=all aslr
root@solaris:~# sxadm info
EXTENSION           STATUS                         CONFIGURATION
aslr                enabled (all)                  enabled (all)

root@solaris:~# sxadm disable aslr
root@solaris:~# sxadm info
EXTENSION           STATUS                         CONFIGURATION
aslr                disabled                       disabled

root@solaris:~# sxadm enable -c model=tagged-files aslr
root@solaris:~# sxadm info
EXTENSION           STATUS                         CONFIGURATION
aslr                enabled (tagged-files)         enabled (tagged-files)
pfedit

root@template:/etc/apache2/2.2# profiles -p "httpd edit"
profiles:httpd edit> set auths=solaris.admin.edit//etc/apache2/2.2/httpd.conf
profiles:httpd edit> set desc="Edit httpd"
profiles:httpd edit> exit

root@template:/etc/apache2/2.2# usermod -P +"httpd edit" junior

junior@template:~$ profiles
httpd edit
Basic Solaris User
All

junior@template:~$ vi /etc/apache2/2.2/httpd.conf

junior@template:~$ pfedit /etc/apache2/2.2/httpd.conf
pfedit: /etc/apache2/2.2/httpd.conf has been updated.

junior@template:~$ pfedit /etc/apache2/2.2/mime.types
pfedit: User junior is not authorized to edit the file /etc/apache2/2.2/mime.types

root@template:/etc/apache2/2.2# profiles -p "httpd edit"
profiles:httpd edit> info
        name=httpd edit
        desc=Edit httpd
        auths=solaris.admin.edit//etc/apache2/2.2/httpd.conf
profiles:httpd edit> add auths=solaris.admin.edit//etc/apache2/2.2/mime.types

junior@template:~$ pfedit /etc/apache2/2.2/mime.types
pfedit: no changes for /etc/apache2/2.2/mime.types

# profiles -p "httpd configure"
profiles:httpd configure> add always_audit=as
profiles:httpd configure> info
        name=httpd configure
        desc=Configure httpd
        auths=solaris.admin.edit//etc/apache2/2.2/httpd.conf,solaris.admin.edit//etc/apache2/2.2/mime.types
        always_audit=as
        never_audit=no
profiles:httpd configure> exit
root@template:~#

root@template:~# auditreduce -c as | praudit

[...]
header,486,2,edit administrative file,,fe80::a00:27ff:fea6:33cb,2013-08-12 07:45:52.306 +00:00
subject,junior,junior,staff,junior,staff,4212,447467166,369 136704 MacBook-Pro-of-c0t0d0s0.fritz.box
path,/etc/apache2/2.2/httpd.conf
use of authorization,solaris.admin.edit//etc/apache2/2.2/httpd.conf
text,--- /etc/apache2/2.2/httpd.conf        Mo Aug 12 07:45:00 2013
+++ /etc/apache2/2.2/httpd.conf.pfedit.1BaGoi        Mo Aug 12 07:45:52 2013
@@ -1,5 +1,6 @@
 # Test
 # Test 2
+# Test 3
 # This is the main Apache HTTP server configuration file.  It contains the
 # configuration directives that give the server its instructions.
return,success,0
Delegating the privilege to restart services (so you can keep the root password to yourself)

junior@template:~$ svcadm refresh apache22
svcadm: svc:/network/http:apache22: Permission denied.

svcs -a | grep apache22
online         15:30:29 svc:/network/http:apache22

auths add -t "Apache22 value" solaris.smf.value.http.apache22
auths add -t "Apache22 action" solaris.smf.action.http.apache22

svccfg -s apache22 setprop general/value_authorization = astring: solaris.smf.value.http.apache22
svccfg -s apache22 setprop general/action_authorization = astring: solaris.smf.action.http.apache22

profiles -p "httpd edit" 'add auths=solaris.smf.action.http.apache22'

junior@template:~$ svcadm refresh apache22
junior@template:~$
Privileges

$ ls -l /usr/sbin/traceroute
-r-sr-xr-x   1 root     bin        42324 Nov 21 00:09 /usr/sbin/traceroute
$ ls -l /usr/sbin/ping
-r-sr-xr-x   1 root     bin        51396 Nov 18 19:31 /usr/sbin/ping
set-uid to root: ping needs it to work

# chmod -s /sbin/ping
# exit
$ ping -s 192.168.10.132
ping: socket: Permission denied
Remove the set-uid bit and ping will stop working.

jmoekamp@daddelkiste:~$ ppriv $$
2153:   -bash
flags = <none>
        E: basic
        I: basic
        P: basic
        L: all

All privileges:
contract_event, contract_identity, contract_observer, cpc_cpu, dtrace_kernel, dtrace_proc, dtrace_user,
file_chown, file_chown_self, file_dac_execute, file_dac_read, file_dac_search, file_dac_write, file_downgrade_sl, file_flag_set, file_link_any, file_owner, file_read, file_setid, file_upgrade_sl, file_write,
graphics_access, graphics_map, ipc_dac_read, ipc_dac_write, ipc_owner,
net_access, net_bindmlp, net_icmpaccess, net_mac_aware, net_mac_implicit, net_observability, net_privaddr, net_rawaccess,
proc_audit, proc_chroot, proc_clock_highres, proc_exec, proc_fork, proc_info, proc_lock_memory, proc_owner, proc_priocntl, proc_session, proc_setid, proc_taskid, proc_zone,
sys_acct, sys_admin, sys_audit, sys_config, sys_devices, sys_dl_config, sys_flow_config, sys_ib_config, sys_ib_info, sys_ip_config, sys_ipc_config, sys_iptun_config, sys_linkdir, sys_mount, sys_net_config, sys_nfs, sys_ppp_config, sys_res_bind, sys_res_config, sys_resource, sys_share, sys_smb, sys_suser_compat, sys_time, sys_trans_label,
win_colormap, win_config, win_dac_read, win_dac_write, win_devices, win_dga, win_downgrade_sl, win_fontpath, win_mac_read, win_mac_write, win_selection, win_upgrade_sl

All privileges in their entirety assigned to one user are (almost)

Neat extension in Solaris 11: the ability to use networking is now a privilege (net_access). It's part of the default set of privileges, but you can remove it.

jmoekamp@daddelkiste:~$ ppriv -v $$
2153:   -bash
flags = <none>
        E: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
        I: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
        P: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
        L: contract_event,contract_identity,contract_observer,cpc_cpu,dtrace_kernel,dtrace_proc,dtrace_user,file_chown,file_chown_self,file_dac_execute,file_dac_read,file_dac_search,file_dac_write,file_downgrade_sl,file_flag_set,file_link_any,file_owner,file_read,file_setid,file_upgrade_sl,file_write,graphics_access,graphics_map,ipc_dac_read,ipc_dac_write,ipc_owner,net_access,net_bindmlp,net_icmpaccess,net_mac_aware,net_mac_implicit,net_observability,net_privaddr,net_rawaccess,proc_audit,proc_chroot,proc_clock_highres,proc_exec,proc_fork,proc_info,proc_lock_memory,proc_owner,proc_priocntl,proc_session,proc_setid,proc_taskid,proc_zone,sys_acct,sys_admin,sys_audit,sys_config,sys_devices,sys_dl_config,sys_flow_config,sys_ib_config,sys_ib_info,sys_ip_config,sys_ipc_config,sys_iptun_config,sys_linkdir,sys_mount,sys_net_config,sys_nfs,sys_ppp_config,sys_res_bind,sys_res_config,sys_resource,sys_share,sys_smb,sys_suser_compat,sys_time,sys_trans_label,win_colormap,win_config,win_dac_read,win_dac_write,win_devices,win_dga,win_downgrade_sl,win_fontpath,win_mac_read,win_mac_write,win_selection,win_upgrade_sl

root@daddelkiste:~# ppriv $$
2183:   -bash
flags = <none>
        E: all
        I: basic
        P: all
        L: all

junior@daddelkiste:~$ dtrace -n 'syscall:::entry { @num[execname] = count(); }'
dtrace: failed to initialize dtrace: DTrace requires additional privileges

root@daddelkiste:~# usermod -K defaultpriv=basic,dtrace_kernel,dtrace_proc,dtrace_user junior
UX: usermod: junior is currently logged in, some changes may not take effect until next login.

junior@daddelkiste:~$ dtrace -n 'syscall:::entry { @num[execname] = count(); }'
dtrace: description 'syscall:::entry' matched 211 probes
^C

  automountd                                                        1
  sshd                                                             24
  dtrace                                                          544
  auditd                                                          564
ps -ef | grep kcfd daemon 125 1 0 142419 000 usrlibcryptokcfdroot 734 728 0 155408 pts1 000 grep kcfd ppriv -v 125125 usrlibcryptokcfdflags = PRIV_AWAREE file_ownerproc_priocntlsys_devicesI noneP file_ownerproc_priocntlsys_devicesL none
c0t0d0s0org62
svcadm -v enable -s apache2svcnetworkhttpapache2 enabled
c0t0d0s0org63
jmoekampclient~$ ps -ef | grep httpwebservd 1978 1975 0 121915 000 usrapache222binhttpd -k startwebservd 1979 1975 0 121915 000 usrapache222binhttpd -k startwebservd 1980 1975 0 121915 000 usrapache222binhttpd -k startwebservd 1984 1975 0 122002 000 usrapache222binhttpd -k start root 1975 1 0 121914 001 usrapache222binhttpd -k startwebservd 1977 1975 0 121915 000 usrapache222binhttpd -k startwebservd 1976 1975 0 121915 000 usrapache222binhttpd -k start
c0t0d0s0org64
rootclient~ ppriv 19771977 usrapache222binhttpd -k startflags = ltnonegt E basic I basic P basic L allrootclient~ ppriv 19751975 usrapache222binhttpd -k startflags = ltnonegt E all I basic P all L allrootclient~
c0t0d0s0org65
The Apache parent process running as root (PID 1975) has the following privileges; its permitted set is "all":
contract_event,contract_identity,contract_observer,cpc_cpu,dtrace_kernel,dtrace_proc,dtrace_user,file_chown,file_chown_self,file_dac_execute,file_dac_read,file_dac_search,file_dac_write,file_downgrade_sl,file_flag_set,file_link_any,file_owner,file_read,file_setid,file_upgrade_sl,file_write,graphics_access,graphics_map,ipc_dac_read,ipc_dac_write,ipc_owner,net_access,net_bindmlp,net_icmpaccess,net_mac_aware,net_mac_implicit,net_observability,net_privaddr,net_rawaccess,proc_audit,proc_chroot,proc_clock_highres,proc_exec,proc_fork,proc_info,proc_lock_memory,proc_owner,proc_priocntl,proc_session,proc_setid,proc_taskid,proc_zone,sys_acct,sys_admin,sys_audit,sys_config,sys_devices,sys_dl_config,sys_flow_config,sys_ib_config,sys_ib_info,sys_ip_config,sys_ipc_config,sys_iptun_config,sys_linkdir,sys_mount,sys_net_config,sys_nfs,sys_ppp_config,sys_res_bind,sys_res_config,sys_resource,sys_share,sys_smb,sys_suser_compat,sys_time,sys_trans_label,win_colormap,win_config,win_dac_read,win_dac_write,win_devices,win_dga,win_downgrade_sl,win_fontpath,win_mac_read,win_mac_write,win_selection,win_upgrade_sl

The other processes (the webservd workers) have only the basic set:
file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info

Apache really needs the basic set plus net_privaddr (to bind the privileged port 80). That is exactly what the svccfg settings below grant; proc_session, proc_info and file_link_any listed there are already part of basic.

So you grant a large number of privileges to one process that Apache doesn't need.
# svcadm -v disable -s apache2
svc:/network/http:apache2 disabled.

root@client:~# svccfg -s apache22
svc:/network/http:apache22> setprop start/user = astring: webservd
svc:/network/http:apache22> setprop start/group = astring: webservd
svc:/network/http:apache22> setprop start/privileges = astring: basic,proc_session,proc_info,file_link_any,net_privaddr
svc:/network/http:apache22> setprop start/limit_privileges = astring: :default
svc:/network/http:apache22> setprop start/use_profile = boolean: false
svc:/network/http:apache22> setprop start/supp_groups = astring: :default
svc:/network/http:apache22> setprop start/working_directory = astring: :default
svc:/network/http:apache22> setprop start/project = astring: :default
svc:/network/http:apache22> setprop start/resource_pool = astring: :default
svc:/network/http:apache22> end
root@client:~# svcadm -v refresh apache22
Action refresh set for svc:/network/http:apache22.

# echo "LockFile /var/apache2/2.2/logs/accept.lock" >> /etc/apache2/2.2/httpd.conf
# echo "PidFile /var/apache2/2.2/run/httpd.pid" >> /etc/apache2/2.2/httpd.conf
# mkdir -p -m 755 /var/apache2/2.2/run
# chown webservd:webservd /var/apache2/2.2/run
# svcadm enable apache22
(The lock and pid files move to locations the webservd user can write, because the parent no longer runs as root.)

webservd  3064  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3062  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3063  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3066  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3061     1   0 16:49:17 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3065  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
Now every httpd process, including the parent (PID 3061), runs as webservd with basic plus net_privaddr instead of as root with "all".
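The reasoning on the previous slides is "what does this process hold beyond the basic set?". As an added example, not part of the slide deck, the following shell script answers that question from ppriv(1) output. The ppriv text it parses is a constructed sample in the style of the slides (the reduced httpd after the svccfg change); on a Solaris box you would feed it the real `ppriv <pid>` output. The basic set is the one printed for the unprivileged shell above, and the function names are mine.

```sh
#!/bin/sh
# Added example (not from the slides): list the privileges a process holds
# beyond a baseline set, working from ppriv(1) output.  Runs offline on the
# constructed sample below.

# The Solaris 11 basic set, as printed by "ppriv -v" for a normal user shell.
BASIC="file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info"

# Constructed sample, in the format of "ppriv <pid>" for the reduced httpd.
SAMPLE_PPRIV='3061:	/usr/apache2/2.2/bin/httpd -k start
flags = <none>
	E: basic,net_privaddr
	I: basic
	P: basic,net_privaddr
	L: all'

# expand_set "basic,net_privaddr" -> one privilege per line, sorted, unique.
# "basic" is expanded; "all" is kept as a literal (the full list is long and
# version dependent, so a process with P: all simply reports "all").
expand_set() {
    printf '%s\n' "$1" | tr ',' '\n' | while IFS= read -r p; do
        case "$p" in
            basic) printf '%s\n' "$BASIC" | tr ',' '\n' ;;
            '')    ;;
            *)     printf '%s\n' "$p" ;;
        esac
    done | sort -u
}

# ppriv_set "<ppriv output>" E|I|P|L -> that set as a comma list
ppriv_set() {
    printf '%s\n' "$1" | awk -v want="$2" '$1 == (want ":") { print $2; exit }'
}

# extra_privs BASELINE GRANTED -> comma list of privileges in GRANTED that are
# not in BASELINE (empty when GRANTED adds nothing to BASELINE)
extra_privs() {
    awk -v base="$(expand_set "$1" | tr '\n' ',')" \
        -v have="$(expand_set "$2" | tr '\n' ',')" 'BEGIN {
        n = split(base, b, ","); for (i = 1; i <= n; i++) if (b[i] != "") inbase[b[i]] = 1
        m = split(have, h, ","); out = ""
        for (i = 1; i <= m; i++)
            if (h[i] != "" && !(h[i] in inbase)) out = out (out == "" ? "" : ",") h[i]
        print out
    }'
}

# httpd_extras -> what the sample httpd's permitted set adds to basic
httpd_extras() {
    extra_privs basic "$(ppriv_set "$SAMPLE_PPRIV" P)"
}

printf 'httpd permitted set beyond basic: %s\n' "$(httpd_extras)"
printf 'svccfg list beyond basic+net_privaddr: "%s"\n' \
    "$(extra_privs basic,net_privaddr basic,proc_session,proc_info,file_link_any,net_privaddr)"
```

The second call shows that the list given to svccfg on the slides collapses to basic plus net_privaddr, which is the point the slides make in prose.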
Read-only zone root

zonecfg:testzone> set file-mac-profile=none
    Standard read-write non-global zone with no additional protection beyond the existing zone boundaries.
zonecfg:testzone> set file-mac-profile=strict
    Read-only file system, no exceptions.
zonecfg:testzone> set file-mac-profile=fixed-configuration
    Permits updates to /var/* directories, with the exception of directories that contain system configuration components.
zonecfg:testzone> set file-mac-profile=flexible-configuration
    Permits modification of files in /etc/* directories, changes to root's home directory, and updates to /var/* directories. This configuration provides the closest functionality to the Oracle Solaris 10 native sparse root zone.
in-kernel SSL Proxy

# mkdir /etc/keys
# cd /etc/keys
# openssl req -x509 -nodes -days 365 -subj "/C=DE/ST=Hamburg/L=Hamburg/CN=server" -newkey rsa:1024 -keyout /etc/keys/mykey.pem -out /etc/keys/mycert.pem
# cat mycert.pem mykey.pem > my.pem
# chmod 600 my.pem
(my.pem now contains the private key, hence the mode 600.)

# echo "pass" > /etc/keys/mypass
# ksslcfg create -f pem -i /etc/keys/my.pem -x 8080 -p /etc/keys/mypass server 443

Restricting the cipher suites:
# ksslcfg create -f pem -i /etc/keys/my.pem -x 8080 -p /etc/keys/mypass -c rsa_aes_256_cbc_sha,rsa_aes_128_cbc_sha,rsa_rc4_128_sha,rsa_rc4_128_md5 server 443
(This list is from a 2009 demo. RC4 and MD5-based suites are no longer acceptable; today you would leave rsa_rc4_128_sha and rsa_rc4_128_md5 out, and the 1024-bit RSA key above is also too short.)

# svcs -a | grep kssl
online          9:03:33 svc:/network/ssl/proxy:kssl-server-443

# svcadm disable apache22
# echo "Listen 192.168.178.108:8080" >> /etc/apache2/2.2/httpd.conf
# svcadm enable apache22
Port number and IP address have to be defined in httpd.conf; otherwise it will not work. The proxy terminates TLS on 443 and forwards to Apache on 8080 in clear text, so the 8080 listener should not be reachable from outside the host (bind it to a local address or filter it).

# openssl s_client -connect server:443
CONNECTED(00000004)
depth=0 /C=DE/ST=Hamburg/L=Hamburg/CN=server
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=DE/ST=Hamburg/L=Hamburg/CN=server
verify return:1
---
Certificate chain
 0 s:/C=DE/ST=Hamburg/L=Hamburg/CN=server
   i:/C=DE/ST=Hamburg/L=Hamburg/CN=server
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICoTCCAgqgAwIBAgIJAKyJdj[...]V5jX3MU=
-----END CERTIFICATE-----
subject=/C=DE/ST=Hamburg/L=Hamburg/CN=server
issuer=/C=DE/ST=Hamburg/L=Hamburg/CN=server
---
No client certificate CA names sent
---
SSL handshake has read 817 bytes and written 328 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-SHA
    Session-ID: 32CEF20CB9FE2A71C74D40BB2DB5CB304DA1B57540B7CFDD113915B99DBE9812
    Session-ID-ctx:
    Master-Key: 1E7B502390951124779C5763B5E4BBAF0A9B0693D08DCA8A587B503A5C5027B6FAD9CA7626B1AD8C62219E8502A5C21E
    Key-Arg   : None
    Start Time: 1242985143
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
GET / HTTP/1.0

HTTP/1.1 200 OK
Date: Fri, 22 May 2009 09:39:13 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8a DAV/2
Last-Modified: Thu, 21 May 2009 21:26:30 GMT
ETag: "341f3-2c-46a72cc211a8f"
Accept-Ranges: bytes
Content-Length: 44
Connection: close
Content-Type: text/html

<html><body><h1>It works!</h1></body></html>
read:errno=0
ZFS Encryption

# zfs create -o encryption=on rpool/export/project

Two keys are involved:
- the wrapping key (user-settable; supplied via prompt, file://, https:// or pkcs11:)
- the data encryption key (random, not user-settable; stored wrapped with the wrapping key)

Available ciphers: aes-128-ccm (= on), aes-192-ccm, aes-256-ccm, aes-128-gcm, aes-192-gcm, aes-256-gcm

# zfs set checksum=sha256+mac <dataset>
If encryption is not off, something like this happens automatically: the checksum is set to sha256+mac, and the property is read-only from then on.

Wrapping key in the PKCS#11 softtoken:
# pktool genkey keystore=pkcs11 keytype=aes keylen=128 label=mykey
Enter PIN for Sun Software PKCS#11 softtoken:
# zfs create -o encryption=on -o keysource=raw,pkcs11:object=mykey tank/project/C
Enter PKCS#11 token PIN for 'tank/project/C':

Wrapping key fetched over https:
# zfs create -o encryption=on -o keysource=raw,https://keys.example.com/mykey tank/project/R
# cp myservercert.pem /etc/certs/CA
# svcadm refresh ca-certificates
(The key server's certificate has to be trusted, hence the copy into /etc/certs/CA and the refresh.)

Changing the wrapping key:
$ zfs key -c rpool/export/project
Enter new passphrase for 'rpool/export/project':
Only the wrapping key changes; the data encryption key is re-wrapped, no data is rewritten.

Changing the encryption key for data written from now on:
# zfs key -K tank/project/A
# zfs clone -K tank/project/A@montag tank/project/D
Creates a new data encryption key. Data written in the clone uses the new data encryption key, which is distinct from the one of its origin snapshot; data already on disk stays encrypted with the old key.
Solaris Cryptographic Framework

As soon as Solaris detects hardware acceleration for cryptography, Solaris will use it (and so do applications using the Oracle-supplied OpenSSL library or the framework's direct interfaces):
- on-chip crypto accelerator in T- and current M-series chips
- instruction set extensions in Intel processors (AES-NI)
- supported crypto accelerator cards

Just a side note: T-series crypto acceleration and Intel x86 acceleration have quite different performance characteristics.
T-series: acceleration by offloading crypto outside the pipeline.
Intel x86: acceleration by offering special in-pipeline instructions to speed up execution.
Sounds like splitting hairs, but it matters for which workloads benefit.
Using ZFS to do two-factor encryption

jmoekamp@solaris:~$ rmformat
Looking for devices...
     1. Logical Node: /dev/rdsk/c10t0d0p0
        Physical Node: /pci@0,0/pci8086,265c@b/storage@2/disk@0,0
        Connected Device: SanDisk  U3 Cruzer Micro  8.02
        Device Type: Removable
        Bus: USB
        Size: 3.8 GB
        Label: <None>
        Access permissions: Medium is not write protected
     (...)
     3. Logical Node: /dev/rdsk/c9t0d0p0
        Physical Node: /pci@0,0/pci8086,265c@b/storage@1/disk@0,0
        Connected Device: SanDisk  U3 Cruzer Micro  8.02
        Device Type: Removable
        Bus: USB
        Size: 3.8 GB
        Label: <None>
        Access permissions: Medium is not write protected

root@solaris:~# zpool create a_keystore_usbstick /dev/dsk/c10t0d0p0
root@solaris:~# zpool create datastick /dev/dsk/c9t0d0p0

root@solaris:~# zfs create -o encryption=on a_keystore_usbstick/keys
Enter passphrase for 'a_keystore_usbstick/keys': supersecret
Enter again: supersecret

root@solaris:~# pktool genkey keystore=file keytype=aes keylen=128 outkey=/a_keystore_usbstick/keys/joergsdatastickkey

root@solaris:~# zfs create -o encryption=on -o keysource=raw,file:///a_keystore_usbstick/keys/joergsdatastickkey datastick/joergssecrets

root@solaris:/datastick/joergssecrets# mv /home/jmoekamp/highlyconfidential_nda_presos.tgz .

root@solaris:~# zpool export a_keystore_usbstick
root@solaris:~# zpool export datastick

root@solaris:~# zpool import a_keystore_usbstick
Enter passphrase for 'a_keystore_usbstick/keys': supersecret
root@solaris:~#

root@solaris:~# zpool import datastick
root@solaris:~# cd /datastick/joergssecrets
root@solaris:/datastick/joergssecrets# ls
highlyconfidential_nda_presos.tgz

The two factors: the raw key file lives on the keystore stick (something you have), and the dataset holding it is itself encrypted with a passphrase (something you know). Without the keystore stick imported and unlocked, datastick/joergssecrets cannot be mounted.
Basic Auditing and Reporting Tool

# mkdir /bart-files
# bart create -R /etc > /bart-files/etc.control.manifest

# cat /bart-files/etc.control.manifest | grep nsswitch.nisplus
/nsswitch.nisplus F 2525 100644 user::rw-,group::r--,mask:r--,other:r-- 473976b5 0 3 79e8fd689a5221d1cd059e5077da71b8
(Fields: name, type, size, mode, ACL, mtime, uid, gid, MD5 of the contents; names are relative to the -R root.)

Now tamper a bit:
# touch /etc/thisisjustatest
# chmod 777 /etc/nsswitch.files
# echo "just a test" >> /etc/nsswitch.nisplus

# bart create -R /etc > /bart-files/etc.check.20130911.manifest

# cd /bart-files
# bart compare etc.control.manifest etc.check.20130911.manifest
/nsswitch.files:
  mode  control:100644  test:100777
  acl  control:user::rw-,group::r--,mask:r--,other:r--  test:user::rwx,group::rwx,mask:rwx,other:rwx
/nsswitch.nisplus:
  size  control:2525  test:2538
  mtime  control:473976b5  test:47a44862
  contents  control:79e8fd689a5221d1cd059e5077da71b8  test:3f79176ec352441db11ec8a3d02ef67c
/thisisjustatest:
  add

Keep the control manifest where an intruder on the host cannot rewrite it (off-host or on read-only media); root on a compromised system can otherwise just regenerate it.

Find more information regarding this feature at: http://www.c0t0d0s0.org/archives/4069-Less-known-Solaris-features-BART.html
Apropos Auditing

Auditing is activated by default.

root@client:~# auditconfig -getflags
active user default audit flags = lo(0x1000,0x1000)
configured user default audit flags = lo(0x1000,0x1000)
root@client:~# auditconfig -getnaflags
active non-attributable audit flags = lo(0x1000,0x1000)
configured non-attributable audit flags = lo(0x1000,0x1000)
(The pair in parentheses is the class mask for successful and for failed events.)

root@client:~# auditconfig -getpolicy
configured audit policies = cnt
active audit policies = cnt
Policy regarding auditing (explanation on the next slide).

root@client:~# auditconfig -lspolicy
policy string    description:
ahlt             halt machine if it can not record an async event
all              all policies
arge             include exec environment args in audit recs
argv             include exec command line args in audit recs
cnt              when no more space, drop recs and keep a cnt
group            include supplementary groups in audit recs
none             no policies
path             allow multiple paths per event
perzone          use a separate queue and auditd per zone
public           audit public files
seq              include a sequence number in audit recs
trail            include trailer token in audit recs
windata_down     include downgraded window information in audit recs
windata_up       include upgraded window information in audit recs
zonename         include zonename token in audit recs
Which degree of detail? What happens with full disks?

root@client:~# auditconfig -getplugin
Plugin: audit_binfile (active)
	Attributes: p_dir=/var/audit;p_fsize=0;p_minfree=1;
Plugin: audit_syslog (inactive)
	Attributes: p_flags=;
Plugin: audit_remote (inactive)
	Attributes: p_hosts=;p_retries=3;p_timeout=5;

root@client:~# auditconfig -setflags lo,ps,fw
user default audit flags = ps,lo,fw(0x101002,0x101002)
root@client:~# auditconfig -setnaflags lo,na
non-attributable audit flags = lo,na(0x1400,0x1400)
lo and na are the only sensible flags for non-attributable events.

Per-user flags on top of the system default:
root@client:~# usermod -K audit_flags=fw,as junior

root@client:~# auditconfig -lsevent | grep " lo "
AUE_login                      6152 lo    login - local
AUE_logout                     6153 lo    logout
AUE_telnet                     6154 lo    login - telnet
AUE_rlogin                     6155 lo    login - rlogin
AUE_rshd                       6158 lo    rsh access
AUE_su                         6159 lo    su
AUE_rexecd                     6162 lo    rexecd
AUE_passwd                     6163 lo    passwd
AUE_rexd                       6164 lo    rexd
AUE_ftpd                       6165 lo    ftp access
AUE_ftpd_logout                6171 lo    ftp logout
AUE_ssh                        6172 lo    login - ssh
AUE_role_login                 6173 lo    role login
AUE_rad_login                  6174 lo    connect to RAD
AUE_newgrp_login               6212 lo    newgrp login
AUE_admin_authenticate         6213 lo    admin login
AUE_screenlock                 6221 lo    screenlock - lock
AUE_screenunlock               6222 lo    screenlock - unlock
AUE_zlogin                     6227 lo    login - zlogin
AUE_su_logout                  6228 lo    su logout
AUE_role_logout                6229 lo    role logout
AUE_smbd_session               6244 lo    smbd(1m) session setup
AUE_smbd_logoff                6245 lo    smbd(1m) session logoff

root@client:~# auditconfig -lsevent | grep " ps "
AUE_EXIT                          1 ps    exit(2)
AUE_FORKALL                       2 ps    forkall(2)
AUE_VFORK                        25 ps    vfork(2)
AUE_FORK1                       241 ps    fork1(2)
root@client:~# auditconfig -lsevent | grep " fw "
AUE_OPEN_W                       76 fw    open(2) - write

# auditreduce -c ps /var/audit/20130912183630.not_terminated.client | praudit
header,139,2,execve(2),,client,2013-09-12 18:40:55.924 +00:00
path,/usr/sbin/auditreduce
attribute,100555,root,bin,65538,65875,18446744073709551615
subject,jmoekamp,root,root,root,root,2054,1440080956,2480 202240 192.168.10.1
return,success,0

root@client:~# auditconfig -setflags all
user default audit flags = all(0xffffffffffffffff,0xffffffffffffffff)
Not always (in the sense of: never) a good idea.
Useful after trying it out: starting a new audit file
root@client:~# audit -n

root@client:~# auditstat
    gen   nona   kern    aud    ctl    enq   wrtn   wblk   rblk   drop    tot    mem
  38248      1  38233     14      0  37791  37788      0   3491    457   5169      0
"all" activated for a few seconds on an unloaded system. Note the drop column: 457 records were dropped, which is what the cnt policy permits instead of blocking the audited process.
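The auditconfig output above prints each flag string together with the class masks it resolves to, e.g. ps,lo,fw(0x101002,0x101002), and audit_flags(5) allows prefixes (+ for successes only, - for failures only, ^ to remove). As an added example, not part of the slide deck, this script reproduces that resolution offline so you can check a preselection string before applying it. The class table is a constructed excerpt in the format of /etc/security/audit_class containing only the classes used on these slides; the numeric values are the ones that the masks on the slides decode to, and the function names are mine.

```sh
#!/bin/sh
# Added example (not from the slides): resolve an audit preselection string
# such as "lo,ps,fw" or "+lo,-fw" into the (success,failure) class masks that
# auditconfig prints.  Offline; the class table is a constructed excerpt.

# Constructed excerpt in /etc/security/audit_class format: mask:name:description
AUDIT_CLASS='0x0000000000000002:fw:file write
0x0000000000000400:na:non-attribute
0x0000000000001000:lo:login or logout
0x0000000000008000:as:system-wide administration
0x0000000000040000:ex:exec
0x0000000000100000:ps:process start/stop'

# class_mask NAME -> mask of one class, empty if the class is unknown
class_mask() {
    printf '%s\n' "$AUDIT_CLASS" | awk -F: -v c="$1" '$2 == c { print $1; exit }'
}

# audit_mask FLAGS -> "0xSUCCESS,0xFAILURE"
#   lo    audit successes and failures      +lo   successes only
#   -lo   failures only                     ^lo   remove lo from both masks
#   ^+lo  stop auditing successes           ^-lo  stop auditing failures
# Prefixes are applied left to right, so "lo,ps,^ps" ends up as plain lo.
# Returns 1 on an unknown class name instead of silently ignoring it.
audit_mask() {
    succ=0; fail=0
    for f in $(printf '%s\n' "$1" | tr ',' ' '); do
        case "$f" in
            ^+*) op=xs; name=${f#^+} ;;
            ^-*) op=xf; name=${f#^-} ;;
            ^*)  op=x;  name=${f#^} ;;
            +*)  op=s;  name=${f#+} ;;
            -*)  op=f;  name=${f#-} ;;
            *)   op=b;  name=$f ;;
        esac
        m=$(class_mask "$name")
        if [ -z "$m" ]; then
            printf 'unknown audit class: %s\n' "$name" >&2
            return 1
        fi
        case "$op" in
            s)  succ=$(( succ | m )) ;;
            f)  fail=$(( fail | m )) ;;
            b)  succ=$(( succ | m )); fail=$(( fail | m )) ;;
            x)  succ=$(( succ & ~m )); fail=$(( fail & ~m )) ;;
            xs) succ=$(( succ & ~m )) ;;
            xf) fail=$(( fail & ~m )) ;;
        esac
    done
    printf '0x%x,0x%x\n' "$succ" "$fail"
}

printf 'lo,ps,fw -> %s\n' "$(audit_mask lo,ps,fw)"
printf '+lo,-fw  -> %s\n' "$(audit_mask '+lo,-fw')"
```

Run against "lo,ps,fw" it returns 0x101002,0x101002 and against "lo,na" 0x1400,0x1400, matching the auditconfig output on the slides; a split such as "+lo,-fw" yields different success and failure masks, which is how you audit only failed writes while still recording every login.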
SSH and X.509

root@ca:~# CA.pl -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
.++++++
.++++++
writing new private key to '/etc/openssl/private/cakey.pem'
Enter PEM pass phrase: supersecret1
Verifying - Enter PEM pass phrase: supersecret1
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:DE
State or Province Name (full name) []:Lower Saxony
Locality Name (eg, city) []:Lueneburg
Organization Name (eg, company) []:c0t0d0s0.org
Organizational Unit Name (eg, section) []:Security Department
Common Name (e.g. server FQDN or YOUR name) []:CA
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openssl/openssl.cnf
Enter pass phrase for /etc/openssl/private/cakey.pem: supersecret1
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            b3:54:80:88:66:ad:e8:78
        Validity
            Not Before: Sep 26 10:11:09 2013 GMT
            Not After : Sep 25 10:11:09 2016 GMT
        Subject:
            countryName               = DE
            stateOrProvinceName       = Lower Saxony
            organizationName          = c0t0d0s0.org
            organizationalUnitName    = Security Department
            commonName                = CA
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44
            X509v3 Authority Key Identifier:
                keyid:5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44
            X509v3 Basic Constraints:
                CA:TRUE
Certificate is to be certified until Sep 25 10:11:09 2016 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated
(The 1024-bit keys throughout this demo are the CA.pl defaults of 2013; for anything real use 2048 bits or more.)
root@ca:~# mkdir server
root@ca:~# cd server
root@ca:~/server# CA.pl -newreq
Generating a 1024 bit RSA private key
.++++++
.++++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase: supersecret2
Verifying - Enter PEM pass phrase: supersecret2
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:DE
State or Province Name (full name) []:Lower Saxony
Locality Name (eg, city) []:Lueneburg
Organization Name (eg, company) []:c0t0d0s0.org
Organizational Unit Name (eg, section) []:Server Certificates
Common Name (e.g. server FQDN or YOUR name) []:server
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem

root@ca:~/server# CA.pl -signreq
Using configuration from /etc/openssl/openssl.cnf
Enter pass phrase for /etc/openssl/private/cakey.pem: supersecret1
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            b3:54:80:88:66:ad:e8:79
        Validity
            Not Before: Sep 26 10:29:12 2013 GMT
            Not After : Sep 26 10:29:12 2014 GMT
        Subject:
            countryName               = DE
            stateOrProvinceName       = Lower Saxony
            localityName              = Lueneburg
            organizationName          = c0t0d0s0.org
            organizationalUnitName    = Server Certificates
            commonName                = server
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                A7:DC:03:DE:B3:D5:FB:F9:C0:06:F1:1A:55:A9:AD:04:C4:9C:10:FA
            X509v3 Authority Key Identifier:
                keyid:5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44

Certificate is to be certified until Sep 26 10:29:12 2014 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
root@ca:~/server# ls -l
total 15
-rw-r--r--   1 root     root        3196 Sep 26 12:29 newcert.pem
-rw-r--r--   1 root     root        1041 Sep 26 12:28 newkey.pem
-rw-r--r--   1 root     root         680 Sep 26 12:28 newreq.pem
(newkey.pem is the server's private key and sits here with mode 644; it is passphrase-protected, but tighten it to 600 before copying it around.)
root@ca:~/junior# CA.pl -newreq
Generating a 1024 bit RSA private key
.++++++
.++++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
Verify failure
Enter PEM pass phrase: supersecret3
Verifying - Enter PEM pass phrase: supersecret3
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:DE
State or Province Name (full name) []:Lower Saxony
Locality Name (eg, city) []:Lueneburg
Organization Name (eg, company) []:c0t0d0s0.org
Organizational Unit Name (eg, section) []:User certificates
Common Name (e.g. server FQDN or YOUR name) []:junior
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem

root@ca:~/junior# CA.pl -signreq
Using configuration from /etc/openssl/openssl.cnf
Enter pass phrase for /etc/openssl/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            b3:54:80:88:66:ad:e8:7a
        Validity
            Not Before: Sep 26 11:09:29 2013 GMT
            Not After : Sep 26 11:09:29 2014 GMT
        Subject:
            countryName               = DE
            stateOrProvinceName       = Lower Saxony
            localityName              = Lueneburg
            organizationName          = c0t0d0s0.org
            organizationalUnitName    = User certificates
            commonName                = junior
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                A1:F2:FC:9D:8A:E2:AD:9A:F5:29:03:F5:B7:14:93:3C:64:62:8E:9C
            X509v3 Authority Key Identifier:
                keyid:5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44

Certificate is to be certified until Sep 26 11:09:29 2014 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
(The commonName "junior" is what the cn mapper configured below maps to the Unix user name.)
root@server:~# useradd -m junior
80 blocks
root@server:~# passwd junior
New Password:
Re-enter new Password:
passwd: password successfully changed for junior
root@server:~#

root@client:~# useradd -m junior
80 blocks
root@client:~# passwd junior
New Password:
Re-enter new Password:
passwd: password successfully changed for junior

root@server:~# echo "192.168.10.51 server" >> /etc/hosts
root@server:~# echo "192.168.10.52 client" >> /etc/hosts

root@client:~# echo "192.168.10.51 server" >> /etc/hosts
root@client:~# echo "192.168.10.52 client" >> /etc/hosts

Copying the server's CA certificate, certificate and key to the server:
root@ca:~/server# scp /etc/openssl/cacert.pem jmoekamp@192.168.1.109:/export/home/jmoekamp
Password:
cacert.pem           100% |*****************************|  3011       00:00
root@ca:~/server# scp newcert.pem jmoekamp@192.168.1.109:/export/home/jmoekamp
Password:
newcert.pem          100% |*****************************|  3196       00:00
root@ca:~/server# scp newkey.pem jmoekamp@192.168.1.109:/export/home/jmoekamp
Password:
newkey.pem           100% |*****************************|  1041       00:00

Copying junior's key, certificate and the CA certificate to the client:
root@ca:~/junior# scp newkey.pem junior@client:/export/home/junior
Password:
newkey.pem           100% |*****************************|  1041       00:00
root@ca:~/junior# scp newcert.pem junior@client:/export/home/junior
Password:
newcert.pem          100% |*****************************|  3190       00:00
root@ca:~/junior# scp /etc/openssl/cacert.pem junior@192.168.1.104:/export/home/junior
Password:
cacert.pem           100% |*****************************|  3011       00:00
On the server

root@server:~# ls
cacert.pem  newcert.pem  newkey.pem

root@server:~# pktool setpin
Enter token passphrase: changeme
Create new passphrase: superserversecret
Re-enter new passphrase: superserversecret
Passphrase changed.
(changeme is the factory PIN of the softtoken; change it before putting a key into it.)

root@server:~# printf "superserversecret" > /etc/ssh/pinfile
(The token PIN sits in clear text in this file so sshd can open the token unattended; keep it readable by root only.)

root@server:~# kmfcfg create dbfile=/etc/ssh/policy.xml policy=ssh ta-name=search mapper-name=cn

root@server:~# echo "TrustedAnchorKeystore /etc/ssh/cert" >> /etc/ssh/sshd_config
root@server:~# echo "KMFPolicyDatabase /etc/ssh/policy.xml" >> /etc/ssh/sshd_config
root@server:~# echo "KMFPolicyName ssh" >> /etc/ssh/sshd_config
root@server:~# echo "HostKey pkcs11:object=host;token=Sun Metaslot;pinfile=/etc/ssh/pinfile" >> /etc/ssh/sshd_config

root@server:~# pktool import keystore=pkcs11 infile=newkey.pem objtype=key label=host
Enter PIN for Sun Software PKCS#11 softtoken: superserversecret
Enter PEM pass phrase: supersecret2
Importing 1 keys

The certificate files written by CA.pl start with a human-readable dump; strip it ("cook" the file) so that only the PEM block remains. The /etc/ssh/cert directory has to exist before the redirect.
root@server:~# egrep -v '^ |^$|^Cert' /export/home/jmoekamp/cacert.pem > /etc/ssh/cert/cacert.cooked.pem
root@server:~# egrep -v '^ |^$|^Cert' newcert.pem > newcert.cooked.pem
root@server:~# pktool import keystore=pkcs11 infile=newcert.cooked.pem objtype=cert label=host
root@server:~#
On the client

junior@client:~$ ls *.pem
cacert.pem  newcert.pem  newkey.pem

root@client:~# kmfcfg create dbfile=/etc/ssh/policy.xml policy=ssh ta-name=search mapper-name=cn
root@client:~# egrep -v '^ |^$|^Cert' /export/home/junior/cacert.pem > /etc/ssh/cert/cacert.cooked.pem

junior@client:~$ pktool setpin
Enter token passphrase: changeme
Create new passphrase: superusersecret
Re-enter new passphrase: superusersecret
Passphrase changed.

junior@client:~$ pktool import keystore=pkcs11 infile=newkey.pem objtype=key label=user
Enter PIN for Sun Software PKCS#11 softtoken: superusersecret
Enter PEM pass phrase: supersecret3
Importing 1 keys
junior@client:~$ egrep -v '^ |^$|^Cert' newcert.pem > newcert.cooked.pem
junior@client:~$ pktool import keystore=pkcs11 infile=newcert.cooked.pem objtype=cert label=user
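Both the server side and the client side above "cook" the certificate files with `egrep -v '^ |^$|^Cert'`, i.e. they drop the indented dump that CA.pl writes in front of the PEM block by pattern-matching the dump's shape. As an added example, not part of the slide deck, the following script does the same job by keeping only what lies between the BEGIN and END markers, which is what pktool actually needs, and refuses to continue when no block is found. The input is a constructed sample: the header lines imitate the OpenSSL dump format, the base64 body is placeholder text rather than a real certificate, and the line "Trailing note without leading space" is there to show a line the slides' egrep filter would let through. Function names are mine.

```sh
#!/bin/sh
# Added example (not from the slides): extract the PEM block(s) from a
# certificate file that also carries OpenSSL's human-readable dump, keyed on
# the BEGIN/END markers rather than on the dump's indentation.

# Constructed sample in the shape of a CA.pl newcert.pem; the body is not a
# real certificate.
SAMPLE_CERT='Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            b3:54:80:88:66:ad:e8:79
        Issuer: C=DE, ST=Lower Saxony, O=c0t0d0s0.org, OU=Security Department, CN=CA
Trailing note without leading space
-----BEGIN CERTIFICATE-----
MIICoTCCAgqgAwIBAgIJAKyJdjPLACEHOLDERPLACEHOLDERPLACEHOLDER
V5jX3MU=
-----END CERTIFICATE-----
'

# pem_cook: stdin -> stdout, keeping only lines from a "-----BEGIN ...-----"
# marker through the matching "-----END ...-----" marker (inclusive).
# Works for CERTIFICATE as well as "RSA PRIVATE KEY" style markers.
pem_cook() {
    awk '
        /^-----BEGIN [A-Z ]+-----$/ { inblock = 1 }
        inblock { print }
        /^-----END [A-Z ]+-----$/   { inblock = 0 }
    '
}

# pem_block_count CONTENT -> number of PEM blocks found (0 = nothing to import)
pem_block_count() {
    printf '%s' "$1" | pem_cook | grep -c '^-----BEGIN ' || true
}

# pem_cook_check CONTENT -> cooked PEM on stdout; exit status 1 and a message
# on stderr when the input contains no PEM block at all, so a broken scp or
# an empty file is caught before pktool import is attempted.
pem_cook_check() {
    _out=$(printf '%s' "$1" | pem_cook)
    if [ -z "$_out" ]; then
        echo "no PEM block found in input" >&2
        return 1
    fi
    printf '%s\n' "$_out"
}

# Show what the slides' filter keeps versus what pem_cook keeps.
printf '%s' "$SAMPLE_CERT" | egrep -v '^ |^$|^Cert' | head -n 1
pem_cook_check "$SAMPLE_CERT" | head -n 1
```

On the sample the first command prints the stray "Trailing note ..." line, while pem_cook starts at the BEGIN marker. Used in place of the egrep step, the call becomes `pem_cook < newcert.pem > newcert.cooked.pem`, and the same function cleans cacert.pem for the trusted-anchor directory.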
Testing it

root@server:~# svcadm disable ssh
root@server:~# svcadm enable ssh

junior@client:~$ cd .ssh
junior@client:~/.ssh$ printf "superusersecret" >> pinfile
junior@client:~/.ssh$ cat config
Host server-x509
    Hostname server
    TrustedAnchorKeystore /etc/ssh/cert
    KMFPolicyDatabase /etc/ssh/policy.xml
    KMFPolicyName ssh
    IdentityFile pkcs11:object=user;token=Sun Software PKCS#11 softtoken;pinfile=/export/home/junior/.ssh/pinfile

junior@client:~/.ssh$ ssh junior@server-x509
Last login: Thu Sep 26 20:07:14 2013 from client
Oracle Corporation      SunOS 5.11      11.1    September 2013
junior@server:~$
(Both sides validated the other's certificate against the CA in /etc/ssh/cert; no password and no authorized_keys entry were needed.)

Find more information regarding this feature at: http://www.c0t0d0s0.org/archives/7659-Using-X509-support-for-SSH-on-Solaris-11.1.html
OpenSCAP
c0t0d0s0org161
bdquoThe Security Content Automation Protocol (SCAP) is a method for using specific standards to enable automated vulnerability management measurement and policy compliance evaluation (eg FISMA compliance) The National Vulnerability Database(NVD) is the US government content repository for SCAPldquo
httpenwikipediaorgwikiSecurity_Content_Automation_Protocol
c0t0d0s0org162
ftp-bannerxml
<?xml version="1.0" encoding="UTF-8"?>
<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:independent-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd">
  <generator>
    <oval:product_name>Enhanced SCAP Editor</oval:product_name>
    <oval:product_version>0.0.11</oval:product_version>
    <oval:schema_version>5.8</oval:schema_version>
    <oval:timestamp>2012-10-11T10:33:25</oval:timestamp>
  </generator>
  <!--generated.oval.base.identifier=com.oracle.solaris11-->
  <definitions>
    <definition id="oval:com.oracle.solaris11:def:840" version="1" class="compliance">
      <metadata>
        <title>Enable a Warning Banner for the FTP Service</title>
        <affected family="unix">
          <platform>Oracle Solaris 11</platform>
        </affected>
        <description>/etc/proftpd.conf contains DisplayConnect /etc/issue</description>
      </metadata>
      <criteria operator="AND" negate="false" comment="Single test">
        <criterion comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;" test_ref="oval:com.oracle.solaris11:tst:8400" negate="false"/>
      </criteria>
    </definition>
  </definitions>
  <tests>
    <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:com.oracle.solaris11:tst:8400" version="1" check="all" comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;" check_existence="all_exist">
      <object object_ref="oval:com.oracle.solaris11:obj:8400"/>
    </textfilecontent54_test>
  </tests>
  <objects>
    <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:com.oracle.solaris11:obj:8400" version="1" comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;">
      <path datatype="string" operation="equals">/etc</path>
      <filename datatype="string" operation="equals">proftpd.conf</filename>
      <pattern datatype="string" operation="pattern match">^DisplayConnect\s/etc/issue\s*$</pattern>
      <instance datatype="int" operation="greater than or equal">1</instance>
    </textfilecontent54_object>
  </objects>
</oval_definitions>

$ oscap oval eval ftp-banner.xml
Definition oval:com.oracle.solaris11:def:840: false
Evaluation done.

$ oscap oval eval --results results.xml --report report.html ftp-banner.xml
Definition oval:com.oracle.solaris11:def:840: false
Evaluation done.
OVAL Results are exported correctly.

To create your own OVAL files: Enhanced SCAP Content Editor

Find more information regarding this feature at https://blogs.oracle.com/darren/entry/compliance_reporting_with_scap
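What oscap does with the definition above, as an added example that is not part of the slides or of oscap: a small evaluator for the OVAL subset this definition uses (textfilecontent54 object, path/filename equals, pattern match, instance >= 1, AND criteria), run against constructed in-memory copies of /etc/proftpd.conf with and without the banner line.

```python
"""Evaluate the FTP-banner OVAL definition against a (simulated) file system.

Added example, not part of the slides or of oscap. Only the OVAL subset the
definition above needs is implemented; the proftpd.conf contents are constructed."""
import re
import xml.etree.ElementTree as ET

OVAL_DEF = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
IND = "http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"
NS = {"d": OVAL_DEF, "ind": IND}

# Trimmed copy of the definition above (same ids, same pattern), constructed here.
FTP_BANNER_OVAL = f"""<oval_definitions xmlns="{OVAL_DEF}">
  <definitions>
    <definition id="oval:com.oracle.solaris11:def:840" version="1" class="compliance">
      <criteria operator="AND" negate="false" comment="Single test">
        <criterion test_ref="oval:com.oracle.solaris11:tst:8400" negate="false"/>
      </criteria>
    </definition>
  </definitions>
  <tests>
    <textfilecontent54_test xmlns="{IND}" id="oval:com.oracle.solaris11:tst:8400"
        version="1" check="all" check_existence="all_exist">
      <object object_ref="oval:com.oracle.solaris11:obj:8400"/>
    </textfilecontent54_test>
  </tests>
  <objects>
    <textfilecontent54_object xmlns="{IND}" id="oval:com.oracle.solaris11:obj:8400" version="1">
      <path datatype="string" operation="equals">/etc</path>
      <filename datatype="string" operation="equals">proftpd.conf</filename>
      <pattern datatype="string" operation="pattern match">^DisplayConnect\\s/etc/issue\\s*$</pattern>
      <instance datatype="int" operation="greater than or equal">1</instance>
    </textfilecontent54_object>
  </objects>
</oval_definitions>
"""


def evaluate(oval_xml: str, files: dict) -> dict:
    """Return {definition id: True/False}; `files` maps absolute paths to contents."""
    root = ET.fromstring(oval_xml)
    objects = {o.get("id"): o for o in root.iter(f"{{{IND}}}textfilecontent54_object")}
    tests = {t.get("id"): t for t in root.iter(f"{{{IND}}}textfilecontent54_test")}

    def run_test(test_id: str) -> bool:
        obj = objects[tests[test_id].find("ind:object", NS).get("object_ref")]
        path = obj.find("ind:path", NS).text
        filename = obj.find("ind:filename", NS).text
        pattern = re.compile(obj.find("ind:pattern", NS).text, re.MULTILINE)
        min_instances = int(obj.find("ind:instance", NS).text)
        content = files.get(f"{path}/{filename}")
        if content is None:
            return False   # check_existence="all_exist": a missing file fails the test
        # textfilecontent54 numbers matching lines from 1, so "greater than or
        # equal 1" means "at least one matching line".
        return len(pattern.findall(content)) >= min_instances

    results = {}
    for definition in root.iter(f"{{{OVAL_DEF}}}definition"):
        criteria = definition.find("d:criteria", NS)
        outcomes = []
        for criterion in criteria.findall("d:criterion", NS):
            result = run_test(criterion.get("test_ref"))
            outcomes.append(not result if criterion.get("negate") == "true" else result)
        combined = all(outcomes) if criteria.get("operator") == "AND" else any(outcomes)
        if criteria.get("negate") == "true":
            combined = not combined
        results[definition.get("id")] = combined
    return results


# Constructed proftpd.conf variants; the first is what the slide's "false" means.
WITHOUT_BANNER = {"/etc/proftpd.conf": 'ServerName "FTP"\nDefaultRoot ~\n'}
WITH_BANNER = {"/etc/proftpd.conf": 'ServerName "FTP"\nDisplayConnect /etc/issue\nDefaultRoot ~\n'}


def ftp_banner_compliant(files: dict) -> bool:
    return evaluate(FTP_BANNER_OVAL, files)["oval:com.oracle.solaris11:def:840"]


if __name__ == "__main__":
    for label, fs in (("no banner", WITHOUT_BANNER), ("banner set", WITH_BANNER)):
        print(f"Definition oval:com.oracle.solaris11:def:840 ({label}): "
              f"{str(ftp_banner_compliant(fs)).lower()}")
```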
root@solaris:~# sxadm info
EXTENSION           STATUS                         CONFIGURATION
aslr                enabled (tagged-files)         system default (default)

root@solaris:~# elfdump -d /usr/bin/pmap | grep ASLR
      [33]  SUNW_ASLR         0x2               ENABLE
root@solaris:~# elfedit -e 'dyn:sunw_aslr disable' /usr/bin/pmap
root@solaris:~# elfdump -d /usr/bin/pmap | grep ASLR
      [33]  SUNW_ASLR         0x1               DISABLE

root@solaris:~# sxadm enable -c model=all aslr
root@solaris:~# sxadm info
EXTENSION           STATUS                         CONFIGURATION
aslr                enabled (all)                  enabled (all)
root@solaris:~# sxadm disable aslr
root@solaris:~# sxadm info
EXTENSION           STATUS                         CONFIGURATION
aslr                disabled                       disabled
root@solaris:~# sxadm enable -c model=tagged-files aslr
root@solaris:~# sxadm info
EXTENSION           STATUS                         CONFIGURATION
aslr                enabled (tagged-files)         enabled (tagged-files)
pfedit

root@template:/etc/apache2/2.2# profiles -p "httpd edit"
profiles:httpd edit> set auths=solaris.admin.edit/etc/apache2/2.2/httpd.conf
profiles:httpd edit> set desc="Edit httpd"
profiles:httpd edit> exit

root@template:/etc/apache2/2.2# usermod -P +"httpd edit" junior

junior@template:~$ profiles
httpd edit
Basic Solaris User
All

junior@template:~$ vi /etc/apache2/2.2/httpd.conf

junior@template:~$ pfedit /etc/apache2/2.2/httpd.conf
pfedit: /etc/apache2/2.2/httpd.conf has been updated.

junior@template:~$ pfedit /etc/apache2/2.2/mime.types
pfedit: User junior is not authorized to edit the file /etc/apache2/2.2/mime.types

root@template:/etc/apache2/2.2# profiles -p "httpd edit"
profiles:httpd edit> info
        name=httpd edit
        desc=Edit httpd
        auths=solaris.admin.edit/etc/apache2/2.2/httpd.conf
profiles:httpd edit> add auths=solaris.admin.edit/etc/apache2/2.2/mime.types

junior@template:~$ pfedit /etc/apache2/2.2/mime.types
pfedit: no changes for /etc/apache2/2.2/mime.types

root@template:~# profiles -p "httpd configure"
profiles:httpd configure> add always_audit=as
profiles:httpd configure> info
        name=httpd configure
        desc=Configure httpd
        auths=solaris.admin.edit/etc/apache2/2.2/httpd.conf,solaris.admin.edit/etc/apache2/2.2/mime.types
        always_audit=as
        never_audit=no
profiles:httpd configure> exit
root@template:~#

root@template:~# auditreduce -c as | praudit

[...]
header,486,2,edit administrative file,,fe80::a00:27ff:fea6:33cb,2013-08-12 07:45:52.306 +00:00
subject,junior,junior,staff,junior,staff,4212,4474671663,69 136704 MacBook-Pro-of-c0t0d0s0.fritz.box
path,/etc/apache2/2.2/httpd.conf
use of authorization,solaris.admin.edit/etc/apache2/2.2/httpd.conf
text,--- /etc/apache2/2.2/httpd.conf Mo Aug 12 07:45:00 2013
+++ /etc/apache2/2.2/httpd.conf.pfedit.1BaGoi Mo Aug 12 07:45:52 2013
@@ -1,5 +1,6 @@
 Test
 Test 2
+Test 3
 #
 # This is the main Apache HTTP server configuration file. It contains the
 # configuration directives that give the server its instructions.
return,success,0
Delegating privilege to restart services (so you can keep the root password)

junior@template:~$ svcadm refresh apache22
svcadm: svc:/network/http:apache22: Permission denied.

# svcs -a | grep apache22
online         15:30:29 svc:/network/http:apache22

# auths add -t "Apache22 value" solaris.smf.value.http/apache22
# auths add -t "Apache22 action" solaris.smf.action.http/apache22

# svccfg -s apache22 setprop general/value_authorization = astring: solaris.smf.value.http/apache22
# svccfg -s apache22 setprop general/action_authorization = astring: solaris.smf.action.http/apache22

# profiles -p "httpd edit" 'add auths=solaris.smf.action.http/apache22'

junior@template:~$ svcadm refresh apache22
junior@template:~$
Privileges

$ ls -l /usr/sbin/traceroute
-r-sr-xr-x   1 root     bin        42324 Nov 21 00:09 /usr/sbin/traceroute
$ ls -l /usr/sbin/ping
-r-sr-xr-x   1 root     bin        51396 Nov 18 19:31 /usr/sbin/ping

set-id to root: ping needs it to work

# chmod -s /sbin/ping
# exit
$ ping -s 192.168.1.132
ping: socket Permission denied

Remove the set-uid bit and ping will stop working.

jmoekamp@daddelkiste:~$ ppriv $$
2153:   -bash
flags = <none>
        E: basic
        I: basic
        P: basic
        L: all
contract_event, contract_identity, contract_observer, cpc_cpu, dtrace_kernel, dtrace_proc, dtrace_user,
file_chown, file_chown_self, file_dac_execute, file_dac_read, file_dac_search, file_dac_write, file_downgrade_sl, file_flag_set, file_link_any, file_owner, file_read, file_setid, file_upgrade_sl, file_write,
graphics_access, graphics_map, ipc_dac_read, ipc_dac_write, ipc_owner,
net_access, net_bindmlp, net_icmpaccess, net_mac_aware, net_mac_implicit, net_observability, net_privaddr, net_rawaccess,
proc_audit, proc_chroot, proc_clock_highres, proc_exec, proc_fork, proc_info, proc_lock_memory, proc_owner, proc_priocntl, proc_session, proc_setid, proc_taskid, proc_zone,
sys_acct, sys_admin, sys_audit, sys_config, sys_devices, sys_dl_config, sys_flow_config, sys_ib_config, sys_ib_info, sys_ip_config, sys_ipc_config, sys_iptun_config, sys_linkdir, sys_mount, sys_net_config, sys_nfs, sys_ppp_config, sys_res_bind, sys_res_config, sys_resource, sys_share, sys_smb, sys_suser_compat, sys_time, sys_trans_label,
win_colormap, win_config, win_dac_read, win_dac_write, win_devices, win_dga, win_downgrade_sl, win_fontpath, win_mac_read, win_mac_write, win_selection, win_upgrade_sl

All privileges in their entirety assigned to one user are (almost)

Neat extension in Solaris 11: the ability to use networking is now a privilege. It's part of the default set of privileges, but you can remove it.

jmoekamp@daddelkiste:~$ ppriv -v $$
2153:   -bash
flags = <none>
        E: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
        I: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
        P: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
        L: contract_event,contract_identity,contract_observer,cpc_cpu,dtrace_kernel,dtrace_proc,dtrace_user,file_chown,file_chown_self,file_dac_execute,file_dac_read,file_dac_search,file_dac_write,file_downgrade_sl,file_flag_set,file_link_any,file_owner,file_read,file_setid,file_upgrade_sl,file_write,graphics_access,graphics_map,ipc_dac_read,ipc_dac_write,ipc_owner,net_access,net_bindmlp,net_icmpaccess,net_mac_aware,net_mac_implicit,net_observability,net_privaddr,net_rawaccess,proc_audit,proc_chroot,proc_clock_highres,proc_exec,proc_fork,proc_info,proc_lock_memory,proc_owner,proc_priocntl,proc_session,proc_setid,proc_taskid,proc_zone,sys_acct,sys_admin,sys_audit,sys_config,sys_devices,sys_dl_config,sys_flow_config,sys_ib_config,sys_ib_info,sys_ip_config,sys_ipc_config,sys_iptun_config,sys_linkdir,sys_mount,sys_net_config,sys_nfs,sys_ppp_config,sys_res_bind,sys_res_config,sys_resource,sys_share,sys_smb,sys_suser_compat,sys_time,sys_trans_label,win_colormap,win_config,win_dac_read,win_dac_write,win_devices,win_dga,win_downgrade_sl,win_fontpath,win_mac_read,win_mac_write,win_selection,win_upgrade_sl
root@daddelkiste:~# ppriv $$
2183:   -bash
flags = <none>
        E: all
        I: basic
        P: all
        L: all

junior@daddelkiste:~$ dtrace -n 'syscall:::entry { @num[execname] = count(); }'
dtrace: failed to initialize dtrace: DTrace requires additional privileges

root@daddelkiste:~# usermod -K defaultpriv=basic,dtrace_kernel,dtrace_proc,dtrace_user junior
UX: usermod: junior is currently logged in, some changes may not take effect until next login.

junior@daddelkiste:~$ dtrace -n 'syscall:::entry { @num[execname] = count(); }'
dtrace: description 'syscall:::entry' matched 211 probes
^C

  automountd                                                        1
  sshd                                                             24
  dtrace                                                          544
  auditd                                                          564

# ps -ef | grep kcfd
  daemon   125     1   0 14:24:19 ?           0:00 /usr/lib/crypto/kcfd
    root   734   728   0 15:54:08 pts/1       0:00 grep kcfd
# ppriv -v 125
125:    /usr/lib/crypto/kcfd
flags = PRIV_AWARE
        E: file_owner,proc_priocntl,sys_devices
        I: none
        P: file_owner,proc_priocntl,sys_devices
        L: none

# svcadm -v enable -s apache2
svc:/network/http:apache2 enabled.

jmoekamp@client:~$ ps -ef | grep http
webservd  1978  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1979  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1980  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1984  1975   0 12:20:02 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
    root  1975     1   0 12:19:14 ?           0:01 /usr/apache2/2.2/bin/httpd -k start
webservd  1977  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1976  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start

root@client:~# ppriv 1977
1977:   /usr/apache2/2.2/bin/httpd -k start
flags = <none>
        E: basic
        I: basic
        P: basic
        L: all
root@client:~# ppriv 1975
1975:   /usr/apache2/2.2/bin/httpd -k start
flags = <none>
        E: all
        I: basic
        P: all
        L: all
root@client:~#
The apache process running as root has the following privileges: all of them (E: all, P: all in the ppriv output above).

The other processes have the following privileges: the basic set.

Apache really needs: basic, proc_session, proc_info, file_link_any, net_privaddr (the set configured below).

So you grant a large number of privileges to one process that Apache doesn't need.

# svcadm -v disable -s apache2
svc:/network/http:apache2 disabled.

root@client:~# svccfg -s apache22
svc:/network/http:apache22> setprop start/user = astring: webservd
svc:/network/http:apache22> setprop start/group = astring: webservd
svc:/network/http:apache22> setprop start/privileges = astring: basic,proc_session,proc_info,file_link_any,net_privaddr
svc:/network/http:apache22> setprop start/limit_privileges = astring: :default
svc:/network/http:apache22> setprop start/use_profile = boolean: false
svc:/network/http:apache22> setprop start/supp_groups = astring: :default
svc:/network/http:apache22> setprop start/working_directory = astring: :default
svc:/network/http:apache22> setprop start/project = astring: :default
svc:/network/http:apache22> setprop start/resource_pool = astring: :default
svc:/network/http:apache22> end
root@client:~# svcadm -v refresh apache22
Action refresh set for svc:/network/http:apache22.

# echo "LockFile /var/apache2/2.2/logs/accept.lock" >> /etc/apache2/2.2/httpd.conf
# echo "PidFile /var/apache2/2.2/run/httpd.pid" >> /etc/apache2/2.2/httpd.conf
# mkdir -p -m 755 /var/apache2/2.2/run
# chown webservd:webservd /var/apache2/2.2/run
# svcadm enable apache22

webservd  3064  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3062  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3063  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3066  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3061     1   0 16:49:17 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3065  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
Read-only zone root

zonecfg:testzone> set file-mac-profile=none
    Standard read-write non-global zone with no additional protection beyond the existing zones boundaries.

zonecfg:testzone> set file-mac-profile=strict
    Read-only file system, no exceptions.

zonecfg:testzone> set file-mac-profile=fixed-configuration
    Permits updates to /var/* directories, with the exception of directories that contain system configuration components.

zonecfg:testzone> set file-mac-profile=flexible-configuration
    Permits modification of files in /etc/* directories, changes to root's home directory, and updates to /var/* directories. This configuration provides the closest functionality to the Oracle Solaris 10 native sparse root zone.
in-kernel SSL Proxy

# mkdir /etc/keys
# cd /etc/keys
# openssl req -x509 -nodes -days 365 -subj "/C=DE/ST=Hamburg/L=Hamburg/CN=server" -newkey rsa:1024 -keyout /etc/keys/mykey.pem -out /etc/keys/mycert.pem
# cat mycert.pem mykey.pem > my.pem
# chmod 600 my.pem

# echo "pass" > /etc/keys/mypass
# ksslcfg create -f pem -i /etc/keys/my.pem -x 8080 -p /etc/keys/mypass server 443

# ksslcfg create -f pem -i /etc/keys/my.pem -x 8080 -p /etc/keys/mypass -c rsa_aes_256_cbc_sha,rsa_aes_128_cbc_sha,rsa_rc4_128_sha,rsa_rc4_128_md5 server 443

# svcs -a | grep kssl
online          9:03:33 svc:/network/ssl/proxy:kssl-server-443

# svcadm disable apache22
# echo "Listen 192.168.178.108:8080" >> /etc/apache2/2.2/httpd.conf
# svcadm enable apache22

Port number and IP address have to be defined in httpd.conf, otherwise it will not work.

$ openssl s_client -connect server:443
CONNECTED(00000004)
depth=0 /C=DE/ST=Hamburg/L=Hamburg/CN=server
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=DE/ST=Hamburg/L=Hamburg/CN=server
verify return:1
---
Certificate chain
 0 s:/C=DE/ST=Hamburg/L=Hamburg/CN=server
   i:/C=DE/ST=Hamburg/L=Hamburg/CN=server
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICoTCCAgqgAwIBAgIJAKyJdj[...]V5jX3MU=
-----END CERTIFICATE-----
subject=/C=DE/ST=Hamburg/L=Hamburg/CN=server
issuer=/C=DE/ST=Hamburg/L=Hamburg/CN=server
---
No client certificate CA names sent
---
SSL handshake has read 817 bytes and written 328 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-SHA
    Session-ID: 32CEF20CB9FE2A71C74D40BB2DB5CB304DA1B57540B7CFDD113915B99DBE9812
    Session-ID-ctx:
    Master-Key: 1E7B502390951124779C5763B5E4BBAF0A9B0693D08DCA8A587B503A5C5027B6FAD9CA7626B1AD8C62219E8502A5C21E
    Key-Arg   : None
    Start Time: 1242985143
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
GET / HTTP/1.0

HTTP/1.1 200 OK
Date: Fri, 22 May 2009 09:39:13 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8a DAV/2
Last-Modified: Thu, 21 May 2009 21:26:30 GMT
ETag: "341f3-2c-46a72cc211a8f"
Accept-Ranges: bytes
Content-Length: 44
Connection: close
Content-Type: text/html

<html><body><h1>It works!</h1></body></html>
read:errno=0
ZFS Encryption

# zfs create -o encryption=on rpool/export/project

wrapping key (user settable)
encryption key (random, not user settable)
keysource: prompt, file, https, pkcs11

aes-128-ccm (=on), aes-192-ccm, aes-256-ccm, aes-128-gcm, aes-192-gcm, aes-256-gcm

# zfs set checksum=sha256+mac <dataset>
If encryption is not off, something like this happens automatically, and the checksum property is read-only from then on.

# pktool genkey keystore=pkcs11 keytype=aes keylen=128 label=mykey
Enter PIN for Sun Software PKCS#11 softtoken:
# zfs create -o encryption=on -o keysource=raw,pkcs11:object=mykey tank/project/C
Enter PKCS#11 token PIN for 'tank/project/C':

# zfs create -o encryption=on -o keysource=raw,https://keys.example.com/mykey tank/project/R
# cp myservercert.pem /etc/certs/CA/
# svcadm refresh ca-certificates

$ zfs key -c rpool/export/project
Enter new passphrase for 'rpool/export/project':
Changing the wrapping key

# zfs key -K tank/project/A
# zfs clone -K tank/project/A@montag tank/project/D
Changing the encryption key (for data written from now on)
Creates a new data encryption key. Data written in the clone uses the new data encryption key, which is distinct from its original snapshot.
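The key hierarchy behind `zfs key -c` and `zfs key -K`, as an added in-memory model that is not ZFS code: a random data encryption key (DEK) is kept wrapped under the user-settable wrapping key, so changing the wrapping key only rewraps the keychain and leaves every data block as it is, while rekeying appends a new DEK that only data written from then on uses. Because Python's standard library has no AES, the AES-CCM used by ZFS is stood in for by an HMAC-SHA256 keystream with an HMAC tag (same key and nonce structure, not the same cipher); the dataset, its blocks and the passphrases are constructed.

```python
"""Model of a ZFS encrypted dataset's keys: wrapping key vs. data encryption key.

Added example, not ZFS code. seal()/unseal() stand in for AES-CCM (stdlib has
no AES); the structure (random DEK wrapped by a passphrase-derived key, a
keychain of DEKs, rewrap vs. rekey) is what the slide describes."""
import hashlib
import hmac
import os

KEK_LEN = 32
DEK_LEN = 16          # aes-128-ccm is the default for encryption=on


def kdf(passphrase: str, salt: bytes) -> bytes:
    """Passphrase -> wrapping key (the user-settable key of the slide)."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000, KEK_LEN)


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
                   for i in range((n + 31) // 32))
    return out[:n]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Authenticated encryption: nonce || ciphertext || tag (AES-CCM stand-in)."""
    nonce = os.urandom(12)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, "sha256").digest()[:16]
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:12], blob[12:-16], blob[-16:]
    expect = hmac.new(key, nonce + ct, "sha256").digest()[:16]
    if not hmac.compare_digest(tag, expect):
        raise ValueError("wrong key or corrupted data")  # what checksum=sha256+mac catches
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class EncryptedDataset:
    """In-memory stand-in for one dataset created with keysource=passphrase,prompt."""

    def __init__(self, passphrase: str):
        self.salt = os.urandom(16)
        kek = kdf(passphrase, self.salt)
        # The keychain holds every DEK the dataset ever used, each wrapped under
        # the current wrapping key. The first DEK is random; the user never sees it.
        self.keychain = [seal(kek, os.urandom(DEK_LEN))]
        self.blocks = []            # (keychain index, sealed block)
        self._kek = None
        self._deks = None

    def key_load(self, passphrase: str) -> None:          # zfs key -l
        kek = kdf(passphrase, self.salt)
        self._deks = [unseal(kek, w) for w in self.keychain]   # raises on wrong passphrase
        self._kek = kek

    def write(self, data: bytes) -> None:
        """New blocks always use the newest DEK."""
        self.blocks.append((len(self._deks) - 1, seal(self._deks[-1], data)))

    def read_all(self) -> list:
        return [unseal(self._deks[i], blob) for i, blob in self.blocks]

    def key_change(self, new_passphrase: str) -> None:    # zfs key -c
        """Rewrap the keychain under a new wrapping key; no data block is rewritten."""
        self.salt = os.urandom(16)
        self._kek = kdf(new_passphrase, self.salt)
        self.keychain = [seal(self._kek, dek) for dek in self._deks]

    def key_rekey(self) -> None:                          # zfs key -K
        """Add a fresh DEK for data written from now on; old blocks keep theirs."""
        new_dek = os.urandom(DEK_LEN)
        self._deks.append(new_dek)
        self.keychain.append(seal(self._kek, new_dek))


def demo() -> dict:
    """Run the slide's two operations on a constructed dataset and report the effect."""
    ds = EncryptedDataset("supersecret")
    ds.key_load("supersecret")
    ds.write(b"written before any key change")
    before = [blob for _, blob in ds.blocks]

    ds.key_change("even more secret")          # zfs key -c
    ds.key_load("even more secret")
    blocks_untouched = [blob for _, blob in ds.blocks] == before

    ds.key_rekey()                              # zfs key -K
    ds.write(b"written after rekey")
    return {
        "blocks_untouched_by_key_change": blocks_untouched,
        "dek_index_per_block": [i for i, _ in ds.blocks],
        "plaintexts": ds.read_all(),
        "keychain_length": len(ds.keychain),
    }
```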
Solaris Cryptographic Framework

As soon as Solaris detects hardware acceleration for cryptography, Solaris will use it (and so will applications using the Oracle-supplied OpenSSL library or the direct interfaces):
• on-chip crypto accelerator in T- and current M-series chips
• instruction set extensions in Intel processors (AES-NI)
• supported crypto accelerator cards

Just a side note: T-series crypto acceleration and Intel x86 acceleration have quite different performance characteristics.
T-series: acceleration by offloading crypto outside the pipeline.
Intel x86: acceleration by offering special in-pipeline instructions to speed up execution.
Sounds like splitting hairs.
Using ZFS to do two-factor encryption

jmoekamp@solaris:~$ rmformat
Looking for devices...
     1. Logical Node: /dev/rdsk/c10t0d0p0
        Physical Node: /pci@0,0/pci8086,265c@b/storage@2/disk@0,0
        Connected Device: SanDisk  U3 Cruzer Micro  8.02
        Device Type: Removable
        Bus: USB
        Size: 3.8 GB
        Label:
        Access permissions: Medium is not write protected.
(...)
     3. Logical Node: /dev/rdsk/c9t0d0p0
        Physical Node: /pci@0,0/pci8086,265c@b/storage@1/disk@0,0
        Connected Device: SanDisk  U3 Cruzer Micro  8.02
        Device Type: Removable
        Bus: USB
        Size: 3.8 GB
        Label:
        Access permissions: Medium is not write protected.

root@solaris:~# zpool create a_keystore_usbstick /dev/dsk/c10t0d0p0
root@solaris:~# zpool create datastore /dev/dsk/c9t0d0p0

root@solaris:~# zfs create -o encryption=on a_keystore_usbstick/keys
Enter passphrase for 'a_keystore_usbstick/keys': supersecret
Enter again: supersecret

root@solaris:~# pktool genkey keystore=file keytype=aes keylen=128 outkey=/a_keystore_usbstick/keys/joergsdatastick.key

root@solaris:~# zfs create -o encryption=on -o keysource=raw,file:///a_keystore_usbstick/keys/joergsdatastick.key datastick/joergssecrets

root@solaris:/datastick/joergssecrets# mv /home/jmoekamp/highlyconfidential_nda_presos.tgz .

root@solaris:~# zpool export a_keystore_usbstick
root@solaris:~# zpool export datastick

root@solaris:~# zpool import a_keystore_usbstick
Enter passphrase for 'a_keystore_usbstick/keys': supersecret
root@solaris:~#

root@solaris:~# zpool import datastick
root@solaris:~# cd /datastick/joergssecrets
root@solaris:/datastick/joergssecrets# ls
highconfidential_nda_presos.tgz
Basic Auditing and Reporting Tool

# mkdir /bart-files
# bart create -R /etc > /bart-files/etc.control.manifest

# cat etc.control.manifest | grep nsswitch.nisplus
/nsswitch.nisplus F 2525 100644 user::rw-,group::r--,mask:r--,other:r-- 473976b5 0 3 79e8fd689a5221d1cd059e5077da71b8

# touch /etc/thisisjustatest
# chmod 777 /etc/nsswitch.files
# echo "just a test" >> /etc/nsswitch.nisplus

# bart create -R /etc > /bart-files/etc.check20130911.manifest

# cd /bart-files
# bart compare etc.control.manifest etc.check20130911.manifest
/nsswitch.files:
  mode  control:100644  test:100777
  acl  control:user::rw-,group::r--,mask:r--,other:r--  test:user::rwx,group::rwx,mask:rwx,other:rwx
/nsswitch.nisplus:
  size  control:2525  test:2538
  mtime  control:473976b5  test:47a44862
  contents  control:79e8fd689a5221d1cd059e5077da71b8  test:3f79176ec352441db11ec8a3d02ef67c
/thisisjustatest:
  add

Find more information regarding this feature at http://www.c0t0d0s0.org/archives/4069-Less-known-Solaris-features-BART.html
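The comparison `bart compare` performs above, as an added example that is not part of the slides or of bart(1M): a parser for the manifest line format shown (fname, type, size, mode, acl, mtime, uid, gid, contents) and a comparer that reports mode, acl, size, mtime and contents changes plus added and deleted files. The two manifests are constructed to mirror the slide's three changes; the nsswitch.files checksum and the header lines are made up.

```python
"""Compare two BART manifests the way `bart compare` does without a rules file.

Added example, not part of the slides or of Solaris' bart(1M). Manifests below
are constructed; values shown on the slide are reused where the slide has them."""

# Attribute names per entry type, in the order the manifest stores them (this is
# the column layout bart(1M) documents in the "# Format:" header of a manifest).
COMMON = ("size", "mode", "acl")
TYPE_FIELDS = {
    "D": COMMON + ("dirmtime", "uid", "gid"),
    "P": COMMON + ("mtime", "uid", "gid"),
    "S": COMMON + ("mtime", "uid", "gid"),
    "F": COMMON + ("mtime", "uid", "gid", "contents"),
    "L": COMMON + ("lnmtime", "uid", "gid", "dest"),
    "B": COMMON + ("mtime", "uid", "gid", "devnode"),
    "C": COMMON + ("mtime", "uid", "gid", "devnode"),
}


def parse_manifest(text: str) -> dict:
    """Map each file name to its attributes; '!' and '#' lines are metadata."""
    entries = {}
    for line in text.splitlines():
        if not line or line[0] in "!#":
            continue
        fields = line.split()
        fname, ftype, values = fields[0], fields[1], fields[2:]
        names = TYPE_FIELDS[ftype]
        if len(values) != len(names):
            raise ValueError(f"malformed {ftype} entry for {fname}: {line!r}")
        entries[fname] = dict(zip(names, values), type=ftype)
    return entries


def compare(control: dict, test: dict) -> dict:
    """Return {fname: {attribute: (control value, test value)}}.

    Added or deleted files map to {"add": None} / {"delete": None}; files
    without any discrepancy are left out, as bart compare leaves them out."""
    report = {}
    for fname in sorted(set(control) | set(test)):
        if fname not in control:
            report[fname] = {"add": None}
        elif fname not in test:
            report[fname] = {"delete": None}
        else:
            diffs = {k: (v, test[fname].get(k))
                     for k, v in control[fname].items() if v != test[fname].get(k)}
            if diffs:
                report[fname] = diffs
    return report


def format_report(report: dict) -> str:
    """Render in the layout bart compare prints: file name, then indented attributes."""
    lines = []
    for fname, diffs in report.items():
        lines.append(f"{fname}:")
        for attr, vals in diffs.items():
            lines.append(f"  {attr}" if vals is None
                         else f"  {attr}  control:{vals[0]}  test:{vals[1]}")
    return "\n".join(lines)


# Constructed manifests: control before, test after `touch /etc/thisisjustatest`,
# `chmod 777 /etc/nsswitch.files` and appending a line to /etc/nsswitch.nisplus.
CONTROL = """! Version 1.1
! Wednesday, September 11, 2013 (10:00:00)
# Format:
#fname D size mode acl dirmtime uid gid
#fname F size mode acl mtime uid gid contents
/ D 1024 40755 user::rwx,group::r-x,mask:r-x,other:r-x 473976b5 0 3
/nsswitch.files F 2525 100644 user::rw-,group::r--,mask:r--,other:r-- 473976b5 0 3 0123456789abcdef0123456789abcdef
/nsswitch.nisplus F 2525 100644 user::rw-,group::r--,mask:r--,other:r-- 473976b5 0 3 79e8fd689a5221d1cd059e5077da71b8
"""
TEST = """! Version 1.1
! Wednesday, September 11, 2013 (10:05:00)
# Format:
#fname D size mode acl dirmtime uid gid
#fname F size mode acl mtime uid gid contents
/ D 1024 40755 user::rwx,group::r-x,mask:r-x,other:r-x 473976b5 0 3
/nsswitch.files F 2525 100777 user::rwx,group::rwx,mask:rwx,other:rwx 473976b5 0 3 0123456789abcdef0123456789abcdef
/nsswitch.nisplus F 2538 100644 user::rw-,group::r--,mask:r--,other:r-- 47a44862 0 3 3f79176ec352441db11ec8a3d02ef67c
/thisisjustatest F 0 100644 user::rw-,group::r--,mask:r--,other:r-- 47a44862 0 0 d41d8cd98f00b204e9800998ecf8427e
"""


def slide_changes() -> dict:
    return compare(parse_manifest(CONTROL), parse_manifest(TEST))


if __name__ == "__main__":
    print(format_report(slide_changes()))
```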
Apropos Auditing

Auditing is activated by default.

root@client:~# auditconfig -getflags
active user default audit flags = lo(0x1000,0x1000)
configured user default audit flags = lo(0x1000,0x1000)
root@client:~# auditconfig -getnaflags
active non-attributable audit flags = lo(0x1000,0x1000)
configured non-attributable audit flags = lo(0x1000,0x1000)

root@client:~# auditconfig -getpolicy
configured audit policies = cnt
active audit policies = cnt
Policy regarding auditing (explanation on the next slide)

root@client:~# auditconfig -lspolicy
policy string    description:
ahlt             halt machine if it can not record an async event
all              all policies
arge             include exec environment args in audit recs
argv             include exec command line args in audit recs
cnt              when no more space, drop recs and keep a cnt
group            include supplementary groups in audit recs
none             no policies
path             allow multiple paths per event
perzone          use a separate queue and auditd per zone
public           audit public files
seq              include a sequence number in audit recs
trail            include trailer token in audit recs
windata_down     include downgraded window information in audit recs
windata_up       include upgraded window information in audit recs
zonename         include zonename token in audit recs
Which degree of detail? What happens with full disks?

root@client:~# auditconfig -getplugin
Plugin: audit_binfile (active)
        Attributes: p_dir=/var/audit;p_fsize=0;p_minfree=1
Plugin: audit_syslog (inactive)
        Attributes: p_flags=
Plugin: audit_remote (inactive)
        Attributes: p_hosts=;p_retries=3;p_timeout=5

root@client:~# auditconfig -setflags lo,ps,fw
user default audit flags = ps,lo,fw(0x101002,0x101002)
root@client:~# auditconfig -setnaflags lo,na
non-attributable audit flags = lo,na(0x1400,0x1400)
lo and na are the only sensible flags for non-attributable events.

root@client:~# usermod -K audit_flags=fw,as junior

root@client:~# auditconfig -lsevent | grep " lo "
AUE_login                    6152 lo login - local
AUE_logout                   6153 lo logout
AUE_telnet                   6154 lo login - telnet
AUE_rlogin                   6155 lo login - rlogin
AUE_rshd                     6158 lo rsh access
AUE_su                       6159 lo su
AUE_rexecd                   6162 lo rexecd
AUE_passwd                   6163 lo passwd
AUE_rexd                     6164 lo rexd
AUE_ftpd                     6165 lo ftp access
AUE_ftpd_logout              6171 lo ftp logout
AUE_ssh                      6172 lo login - ssh
AUE_role_login               6173 lo role login
AUE_rad_login                6174 lo connect to RAD
AUE_newgrp_login             6212 lo newgrp login
AUE_admin_authenticate       6213 lo admin login
AUE_screenlock               6221 lo screenlock - lock
AUE_screenunlock             6222 lo screenlock - unlock
AUE_zlogin                   6227 lo login - zlogin
AUE_su_logout                6228 lo su logout
AUE_role_logout              6229 lo role logout
AUE_smbd_session             6244 lo smbd(1m) session setup
AUE_smbd_logoff              6245 lo smbd(1m) session logoff

root@client:~# auditconfig -lsevent | grep " ps "
AUE_EXIT                        1 ps exit(2)
AUE_FORKALL                     2 ps forkall(2)
AUE_VFORK                      25 ps vfork(2)
AUE_FORK1                     241 ps fork1(2)
root@client:~# auditconfig -lsevent | grep " fw "
AUE_OPEN_W                     76 fw open(2) - write

# auditreduce -c ps /var/audit/20130912183630.not_terminated.client | praudit
header,139,2,execve(2),,client,2013-09-12 18:40:55.924 +00:00
path,/usr/sbin/auditreduce
attribute,100555,root,bin,65538,65875,18446744073709551615
subject,jmoekamp,root,root,root,root,2054,1440080956,2480 202240 192.168.10.1
return,success,0
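Reading praudit output like the two records on these slides (the pfedit "edit administrative file" record with its "use of authorization" token, and the execve(2) record above) programmatically, as an added example that is not part of the slides: a parser that groups praudit's comma-separated tokens into records, plus two filters an admin would run over a trail, one for uses of an authorization and one for failed events. The sample trail is constructed from the slides' records (the pfedit text token is shortened) and one made-up failed pfedit attempt.

```python
"""Parse praudit(1M) default text output into records and filter it.

Added example, not part of the slides. The trail below is constructed: two
records copied from the slides (text token shortened) and one made-up failure."""

SAMPLE_TRAIL = """\
header,486,2,edit administrative file,,fe80::a00:27ff:fea6:33cb,2013-08-12 07:45:52.306 +00:00
subject,junior,junior,staff,junior,staff,4212,4474671663,69 136704 MacBook-Pro-of-c0t0d0s0.fritz.box
path,/etc/apache2/2.2/httpd.conf
use of authorization,solaris.admin.edit/etc/apache2/2.2/httpd.conf
text,--- /etc/apache2/2.2/httpd.conf Mo Aug 12 07:45:00 2013
return,success,0
header,139,2,execve(2),,client,2013-09-12 18:40:55.924 +00:00
path,/usr/sbin/auditreduce
attribute,100555,root,bin,65538,65875,18446744073709551615
subject,jmoekamp,root,root,root,root,2054,1440080956,2480 202240 192.168.10.1
return,success,0
header,97,2,edit administrative file,fe,client,2013-09-12 19:01:02.000 +00:00
subject,junior,junior,staff,junior,staff,4300,4474671663,69 136704 MacBook-Pro-of-c0t0d0s0.fritz.box
path,/etc/apache2/2.2/mime.types
return,failure: Permission denied,-1
"""


def parse_praudit(text: str) -> list:
    """Group token lines into records: a record runs from a header to its return token.

    header fields: size, version, event, modifier (e.g. "fe" = failed event),
    host, time. Every other token is kept verbatim under its token name."""
    records, current = [], None
    for line in text.splitlines():
        name, _, rest = line.partition(",")
        if name == "header":
            _size, _version, event, modifier, host, when = rest.split(",", 5)
            current = {"event": event, "modifier": modifier, "host": host,
                       "time": when, "tokens": {}}
        elif current is None:
            continue                     # stray token before any header: skip it
        elif name == "return":
            status, _, value = rest.partition(",")
            current["return"] = status
            current["return_value"] = value
            records.append(current)
            current = None
        else:
            current["tokens"].setdefault(name, []).append(rest)
    return records


def audit_user(record: dict) -> str:
    """The audit ID (first subject field), i.e. who logged in, regardless of su/pfexec."""
    subject = record["tokens"].get("subject")
    return subject[0].split(",")[0] if subject else ""


def authorization_uses(records: list) -> list:
    """(audit user, authorization, path) for every record with a 'use of authorization' token."""
    return [(audit_user(r), auth, r["tokens"].get("path", [""])[0])
            for r in records
            for auth in r["tokens"].get("use of authorization", [])]


def failures(records: list) -> list:
    """(event, audit user, return status) for records whose return token is not success."""
    return [(r["event"], audit_user(r), r["return"])
            for r in records if r["return"] != "success"]


if __name__ == "__main__":
    recs = parse_praudit(SAMPLE_TRAIL)
    print(f"{len(recs)} records")
    for use in authorization_uses(recs):
        print("authorization used:", use)
    for fail in failures(recs):
        print("failed event:", fail)
```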
root@client:~# auditconfig -setflags all
user default audit flags = all(0xffffffffffffffff,0xffffffffffffffff)
Not always (in the sense of never) a good idea.
Useful after trying out - starting a new audit file:
root@client:~# audit -n

root@client:~# auditstat
  gen   nona   kern    aud    ctl    enq   wrtn   wblk   rblk   drop    tot    mem
38248     1  38233     14      0  37791  37788      0   3491    457   5169      0
all activated for a few seconds on an unloaded system
SSH and X509
c0t0d0s0org131
rootca~ CApl -newcaCA certificate filename (or enter to create)
Making CA certificate Generating a 1024 bit RSA private key++++++++++++writing new private key to etcopensslprivatecakeypemEnter PEM pass phrase supersecret1Verifying - Enter PEM pass phrase supersecret1-----You are about to be asked to enter information that will be incorporatedinto your certificate requestWhat you are about to enter is what is called a Distinguished Name or a DNThere are quite a few fields but you can leave some blankFor some fields there will be a default valueIf you enter the field will be left blank-----Country Name (2 letter code) []DEState or Province Name (full name) []Lower SaxonyLocality Name (eg city) []LueneburgOrganization Name (eg company) []c0t0d0s0orgOrganizational Unit Name (eg section) []Security DepartmentCommon Name (eg server FQDN or YOUR name) []CAEmail Address []
Please enter the following extra attributesto be sent with your certificate requestA challenge password []An optional company name []Using configuration from etcopensslopensslcnf
Enter pass phrase for etcopensslprivatecakeypem supersecret1Check that the request matches the signatureSignature okCertificate Details Serial Number b354808866ade878 Validity Not Before Sep 26 101109 2013 GMT Not After Sep 25 101109 2016 GMT Subject countryName = DE stateOrProvinceName = Lower Saxony organizationName = c0t0d0s0org organizationalUnitName = Security Department commonName = CA X509v3 extensions X509v3 Subject Key Identifier 5B1F2F7186123040501552818D525AA5597E3644 X509v3 Authority Key Identifier keyid5B1F2F7186123040501552818D525AA5597E3644
X509v3 Basic Constraints CATRUECertificate is to be certified until Sep 25 101109 2016 GMT (1095 days)
Write out database with 1 new entriesData Base Updated
c0t0d0s0org132
rootca~ mkdir serverrootca~ cd serverrootca~server CApl -newreqGenerating a 1024 bit RSA private key++++++++++++writing new private key to newkeypemEnter PEM pass phrase supersecret2Verifying - Enter PEM pass phrase supersecret2-----You are about to be asked to enter information that will be incorporatedinto your certificate requestWhat you are about to enter is what is called a Distinguished Name or a DNThere are quite a few fields but you can leave some blankFor some fields there will be a default valueIf you enter the field will be left blank-----Country Name (2 letter code) []DEState or Province Name (full name) []Lower SaxonyLocality Name (eg city) []LueneburgOrganization Name (eg company) []c0t0d0s0orgOrganizational Unit Name (eg section) []Server Certificates
Common Name (eg server FQDN or YOUR name) []serverEmail Address []
Please enter the following extra attributesto be sent with your certificate requestA challenge password []An optional company name []Request is in newreqpem private key is in newkeypem
root@ca:~/server# CA.pl -signreq
Using configuration from /etc/openssl/openssl.cnf
Enter pass phrase for /etc/openssl/private/cakey.pem: supersecret1
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: b3:54:80:88:66:ad:e8:79
        Validity
            Not Before: Sep 26 10:29:12 2013 GMT
            Not After : Sep 26 10:29:12 2014 GMT
        Subject:
            countryName               = DE
            stateOrProvinceName       = Lower Saxony
            localityName              = Lueneburg
            organizationName          = c0t0d0s0.org
            organizationalUnitName    = Server Certificates
            commonName                = server
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                A7:DC:03:DE:B3:D5:FB:F9:C0:06:F1:1A:55:A9:AD:04:C4:9C:10:FA
            X509v3 Authority Key Identifier:
                keyid:5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44
Certificate is to be certified until Sep 26 10:29:12 2014 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
root@ca:~/server# ls -l
total 15
-rw-r--r--   1 root     root        3196 Sep 26 12:29 newcert.pem
-rw-r--r--   1 root     root        1041 Sep 26 12:28 newkey.pem
-rw-r--r--   1 root     root         680 Sep 26 12:28 newreq.pem
root@ca:~/junior# CA.pl -newreq
Generating a 1024 bit RSA private key
......++++++
......++++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
Verify failure
Enter PEM pass phrase: supersecret3
Verifying - Enter PEM pass phrase: supersecret3
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:DE
State or Province Name (full name) []:Lower Saxony
Locality Name (eg, city) []:Lueneburg
Organization Name (eg, company) []:c0t0d0s0.org
Organizational Unit Name (eg, section) []:User certificates
Common Name (e.g. server FQDN or YOUR name) []:junior
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem
root@ca:~/junior# CA.pl -signreq
Using configuration from /etc/openssl/openssl.cnf
Enter pass phrase for /etc/openssl/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: b3:54:80:88:66:ad:e8:7a
        Validity
            Not Before: Sep 26 11:09:29 2013 GMT
            Not After : Sep 26 11:09:29 2014 GMT
        Subject:
            countryName               = DE
            stateOrProvinceName       = Lower Saxony
            localityName              = Lueneburg
            organizationName          = c0t0d0s0.org
            organizationalUnitName    = User certificates
            commonName                = junior
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                A1:F2:FC:9D:8A:E2:AD:9A:F5:29:03:F5:B7:14:93:3C:64:62:8E:9C
            X509v3 Authority Key Identifier:
                keyid:5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44
Certificate is to be certified until Sep 26 11:09:29 2014 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
root@server:~# useradd -m junior
80 blocks
root@server:~# passwd junior
New Password:
Re-enter new Password:
passwd: password successfully changed for junior
root@server:~#

root@client:~# useradd -m junior
80 blocks
root@client:~# passwd junior
New Password:
Re-enter new Password:
passwd: password successfully changed for junior
root@server:~# echo "192.168.10.51 server" >> /etc/hosts
root@server:~# echo "192.168.10.52 client" >> /etc/hosts

root@client:~# echo "192.168.10.51 server" >> /etc/hosts
root@client:~# echo "192.168.10.52 client" >> /etc/hosts
root@ca:~/server# scp /etc/openssl/cacert.pem jmoekamp@192.168.1.109:/export/home/jmoekamp
Password:
cacert.pem           100% |*****************************|  3011       00:00
root@ca:~/server# scp newcert.pem jmoekamp@192.168.1.109:/export/home/jmoekamp
Password:
newcert.pem          100% |*****************************|  3196       00:00
root@ca:~/server# scp newkey.pem jmoekamp@192.168.1.109:/export/home/jmoekamp
Password:
newkey.pem           100% |*****************************|  1041       00:00

root@ca:~/junior# scp newkey.pem junior@client:/export/home/junior
Password:
newkey.pem           100% |*****************************|  1041       00:00
root@ca:~/junior# scp newcert.pem junior@client:/export/home/junior
Password:
newcert.pem          100% |*****************************|  3190       00:00
root@ca:~/junior# scp /etc/openssl/cacert.pem junior@192.168.1.104:/export/home/junior
Password:
cacert.pem           100% |*****************************|  3011       00:00
On the Server
root@server:~# ls
cacert.pem   newcert.pem  newkey.pem
root@server:~# pktool setpin
Enter token passphrase: changeme
Create new passphrase: superserversecret
Re-enter new passphrase: superserversecret
Passphrase changed.
root@server:~#
root@server:~# printf "superserversecret" > /etc/ssh/pinfile
root@server:~# kmfcfg create dbfile=/etc/ssh/policy.xml policy=ssh ta-name=search mapper-name=cn
root@server:~# echo "TrustedAnchorKeystore /etc/ssh/cert" >> /etc/ssh/sshd_config
root@server:~# echo "KMFPolicyDatabase /etc/ssh/policy.xml" >> /etc/ssh/sshd_config
root@server:~# echo "KMFPolicyName ssh" >> /etc/ssh/sshd_config
root@server:~# echo "HostKey pkcs11:object=host;token=Sun Metaslot;pinfile=/etc/ssh/pinfile" >> /etc/ssh/sshd_config
root@server:~# pktool import keystore=pkcs11 infile=newkey.pem objtype=key label=host
Enter PIN for Sun Software PKCS#11 softtoken  : superserversecret
Enter PEM pass phrase: supersecret2
Importing 1 keys
root@server:~# egrep -v "^ |^$|^Cert" /export/home/jmoekamp/cacert.pem > /etc/ssh/cert/cacert.cooked.pem
root@server:~# egrep -v "^ |^$|^Cert" newcert.pem > newcert.cooked.pem
root@server:~# pktool import keystore=pkcs11 infile=newcert.cooked.pem objtype=cert label=host
root@server:~#
On the client
junior@client:~$ ls *.pem
cacert.pem   newcert.pem  newkey.pem
root@client:~# kmfcfg create dbfile=/etc/ssh/policy.xml policy=ssh ta-name=search mapper-name=cn
root@client:~# egrep -v "^ |^$|^Cert" /export/home/junior/cacert.pem > /etc/ssh/cert/cacert.cooked.pem
junior@client:~$ pktool setpin
Enter token passphrase: changeme
Create new passphrase: superusersecret
Re-enter new passphrase: superusersecret
Passphrase changed.
junior@client:~$ pktool import keystore=pkcs11 infile=newkey.pem objtype=key label=user
Enter PIN for Sun Software PKCS#11 softtoken  : superusersecret
Enter PEM pass phrase: supersecret3
Importing 1 keys
junior@client:~$ egrep -v "^ |^$|^Cert" newcert.pem > newcert.cooked.pem
junior@client:~$ pktool import keystore=pkcs11 infile=newcert.cooked.pem objtype=cert label=user
Testing it
root@server:~# svcadm disable ssh
root@server:~# svcadm enable ssh
junior@client:~$ cd .ssh
junior@client:~/.ssh$ printf "superusersecret" >> pinfile
junior@client:~/.ssh$ cat config
Host server-x509
    Hostname server
    TrustedAnchorKeystore /etc/ssh/cert
    KMFPolicyDatabase /etc/ssh/policy.xml
    KMFPolicyName ssh
    IdentityFile pkcs11:object=user;token=Sun Software PKCS#11 softtoken;pinfile=/export/home/junior/.ssh/pinfile
junior@client:~/.ssh$ ssh junior@server-x509
Last login: Thu Sep 26 20:07:14 2013 from client
Oracle Corporation      SunOS 5.11      11.1    September 2013
junior@server:~$
Find more information regarding this feature at
http://www.c0t0d0s0.org/archives/7659-Using-X509-support-for-SSH-on-Solaris-11.1.html
OpenSCAP
"The Security Content Automation Protocol (SCAP) is a method for using specific standards to enable automated vulnerability management, measurement, and policy compliance evaluation (e.g., FISMA compliance). The National Vulnerability Database (NVD) is the U.S. government content repository for SCAP."
http://en.wikipedia.org/wiki/Security_Content_Automation_Protocol
ftp-banner.xml

<?xml version="1.0" encoding="UTF-8"?>
<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:independent-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd">
  <generator>
    <oval:product_name>Enhanced SCAP Editor</oval:product_name>
    <oval:product_version>0.0.11</oval:product_version>
    <oval:schema_version>5.8</oval:schema_version>
    <oval:timestamp>2012-10-11T10:33:25</oval:timestamp>
  </generator>
  <!--generated.oval.base.identifier=com.oracle.solaris11-->
  <definitions>
    <definition id="oval:com.oracle.solaris11:def:840" version="1" class="compliance">
      <metadata>
        <title>Enable a Warning Banner for the FTP Service</title>
        <affected family="unix">
          <platform>Oracle Solaris 11</platform>
        </affected>
        <description>/etc/proftpd.conf contains "DisplayConnect /etc/issue"</description>
      </metadata>
      <criteria operator="AND" negate="false" comment="Single test">
        <criterion comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;" test_ref="oval:com.oracle.solaris11:tst:8400" negate="false"/>
      </criteria>
    </definition>
  </definitions>
  <tests>
    <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:com.oracle.solaris11:tst:8400" version="1" check="all" comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;" check_existence="all_exist">
      <object object_ref="oval:com.oracle.solaris11:obj:8400"/>
    </textfilecontent54_test>
  </tests>
  <objects>
    <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:com.oracle.solaris11:obj:8400" version="1" comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;">
      <path datatype="string" operation="equals">/etc</path>
      <filename datatype="string" operation="equals">proftpd.conf</filename>
      <pattern datatype="string" operation="pattern match">^DisplayConnect\s/etc/issue\s*$</pattern>
      <instance datatype="int" operation="greater than or equal">1</instance>
    </textfilecontent54_object>
  </objects>
</oval_definitions>
$ oscap oval eval ftp-banner.xml
Definition oval:com.oracle.solaris11:def:840: false
Evaluation done.

$ oscap oval eval --results results.xml --report report.html ftp-banner.xml
Definition oval:com.oracle.solaris11:def:840: false
Evaluation done.
OVAL Results are exported correctly.
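What oscap does for this definition, as an added Python example (not part of the slides or of OpenSCAP): resolve the textfilecontent54_test to its object, apply the pattern to the file, and derive the result from check_existence. The test/object XML and the proftpd.conf variants are constructed here; only the ids, pattern and operations come from ftp-banner.xml above.

```python
"""Model of what `oscap oval eval ftp-banner.xml` does for definition def:840.
Added example, not code from the slides or from OpenSCAP: it covers only the
OVAL subset that definition uses (one textfilecontent54 test, no <state>)."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Optional

OVAL_DEF = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
OVAL_IND = OVAL_DEF + "#independent"
TEST_ID = "oval:com.oracle.solaris11:tst:8400"

# Constructed: the test/object pair of ftp-banner.xml, with the ids, pattern
# and operations from the slide; generator, definition and criteria omitted.
FTP_BANNER_XML = f"""<oval_definitions xmlns="{OVAL_DEF}">
 <tests>
  <textfilecontent54_test xmlns="{OVAL_IND}" id="{TEST_ID}" version="1" check="all" check_existence="all_exist">
   <object object_ref="oval:com.oracle.solaris11:obj:8400"/>
  </textfilecontent54_test>
 </tests>
 <objects>
  <textfilecontent54_object xmlns="{OVAL_IND}" id="oval:com.oracle.solaris11:obj:8400" version="1">
   <path datatype="string" operation="equals">/etc</path>
   <filename datatype="string" operation="equals">proftpd.conf</filename>
   <pattern datatype="string" operation="pattern match">^DisplayConnect\\s/etc/issue\\s*$</pattern>
   <instance datatype="int" operation="greater than or equal">1</instance>
  </textfilecontent54_object>
 </objects>
</oval_definitions>"""

# Instance filter: which of the pattern's matches (numbered from 1) become items.
INSTANCE_OPS = {
    "equals": lambda n, v: n == v,
    "greater than or equal": lambda n, v: n >= v,
    "less than or equal": lambda n, v: n <= v,
}


@dataclass
class TextFileTest:
    file: str               # path joined with filename
    pattern: "re.Pattern"
    instance_op: str
    instance_value: int
    check_existence: str


def _child_text(obj: ET.Element, tag: str) -> str:
    return obj.find(f"{{{OVAL_IND}}}{tag}").text


def load_test(xml_text: str, test_id: str) -> TextFileTest:
    """Resolve a textfilecontent54_test to the object it references."""
    root = ET.fromstring(xml_text)
    test = root.find(f".//{{{OVAL_IND}}}textfilecontent54_test[@id='{test_id}']")
    if test is None:
        raise KeyError(test_id)
    ref = test.find(f"{{{OVAL_IND}}}object").get("object_ref")
    obj = root.find(f".//{{{OVAL_IND}}}textfilecontent54_object[@id='{ref}']")
    inst = obj.find(f"{{{OVAL_IND}}}instance")
    return TextFileTest(
        file=_child_text(obj, "path").rstrip("/") + "/" + _child_text(obj, "filename"),
        pattern=re.compile(_child_text(obj, "pattern"), re.MULTILINE),
        instance_op=inst.get("operation"),
        instance_value=int(inst.text),
        check_existence=test.get("check_existence"),
    )


def collect_items(test: TextFileTest, files: Dict[str, str]) -> List[str]:
    """Items are the pattern matches whose instance number passes the instance
    filter. A file that does not exist yields no items at all."""
    content = files.get(test.file)
    if content is None:
        return []
    keep = INSTANCE_OPS[test.instance_op]
    return [m.group(0) for n, m in enumerate(test.pattern.finditer(content), 1)
            if keep(n, test.instance_value)]


def evaluate(test: TextFileTest, files: Dict[str, str]) -> bool:
    """With no <state>, check_existence alone decides the test result:
    all_exist needs at least one collected item, none_exist needs none."""
    items = collect_items(test, files)
    if test.check_existence == "all_exist":
        return len(items) > 0
    if test.check_existence == "none_exist":
        return len(items) == 0
    raise ValueError(f"check_existence {test.check_existence!r} not handled")


def evaluate_def_840(proftpd_conf: Optional[str]) -> bool:
    """Result of oval:com.oracle.solaris11:def:840 (one criterion, operator AND,
    negate=false) for the given /etc/proftpd.conf content; None means no file."""
    files = {} if proftpd_conf is None else {"/etc/proftpd.conf": proftpd_conf}
    return evaluate(load_test(FTP_BANNER_XML, TEST_ID), files)


# Constructed proftpd.conf variants; the slide's machine lacked the banner line.
CONF_NO_BANNER = 'ServerName "FTP"\nPort 21\n'
CONF_COMMENTED = CONF_NO_BANNER + "#DisplayConnect /etc/issue\n"   # anchored ^ rejects this
CONF_BANNER = CONF_NO_BANNER + "DisplayConnect /etc/issue  \n"     # trailing blanks allowed by \s*$
```

A missing proftpd.conf also evaluates to false, because all_exist is not satisfied when the object collects no items.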
To create your own OVAL files: Enhanced SCAP Content Editor
Find more information regarding this feature at
https://blogs.oracle.com/darren/entry/compliance_reporting_with_scap
root@solaris:~# sxadm enable -c model=all aslr
root@solaris:~# sxadm info
EXTENSION           STATUS                         CONFIGURATION
aslr                enabled (all)                  enabled (all)

root@solaris:~# sxadm disable aslr
root@solaris:~# sxadm info
EXTENSION           STATUS                         CONFIGURATION
aslr                disabled                       disabled

root@solaris:~# sxadm enable -c model=tagged-files aslr
root@solaris:~# sxadm info
EXTENSION           STATUS                         CONFIGURATION
aslr                enabled (tagged-files)         enabled (tagged-files)
pfedit
root@template:/etc/apache2/2.2# profiles -p "httpd edit"
profiles:httpd edit> set auths=solaris.admin.edit/etc/apache2/2.2/httpd.conf
profiles:httpd edit> set desc="Edit httpd"
profiles:httpd edit> exit
root@template:/etc/apache2/2.2# usermod -P +"httpd edit" junior
junior@template:~$ profiles
httpd edit
Basic Solaris User
All
junior@template:~$ vi /etc/apache2/2.2/httpd.conf
junior@template:~$ pfedit /etc/apache2/2.2/httpd.conf
pfedit: /etc/apache2/2.2/httpd.conf has been updated.
junior@template:~$ pfedit /etc/apache2/2.2/mime.types
pfedit: User junior is not authorized to edit the file /etc/apache2/2.2/mime.types
root@template:/etc/apache2/2.2# profiles -p "httpd edit"
profiles:httpd edit> info
        name=httpd edit
        desc=Edit httpd
        auths=solaris.admin.edit/etc/apache2/2.2/httpd.conf
profiles:httpd edit> add auths=solaris.admin.edit/etc/apache2/2.2/mime.types
junior@template:~$ pfedit /etc/apache2/2.2/mime.types
pfedit: no changes for /etc/apache2/2.2/mime.types
# profiles -p "httpd configure"
profiles:httpd configure> add always_audit=as
profiles:httpd configure> info
        name=httpd configure
        desc=Configure httpd
        auths=solaris.admin.edit/etc/apache2/2.2/httpd.conf,solaris.admin.edit/etc/apache2/2.2/mime.types
        always_audit=as
        never_audit=no
profiles:httpd configure> exit
root@template:~#
root@template:~# auditreduce -c as | praudit
[...]
header,486,2,edit administrative file,,fe80::a00:27ff:fea6:33cb,2013-08-12 07:45:52.306 +00:00
subject,junior,junior,staff,junior,staff,4212,447467166,369 136704 MacBook-Pro-of-c0t0d0s0.fritz.box
path,/etc/apache2/2.2/httpd.conf
use of authorization,solaris.admin.edit/etc/apache2/2.2/httpd.conf
text,--- /etc/apache2/2.2/httpd.conf     Mo Aug 12 07:45:00 2013
+++ /etc/apache2/2.2/httpd.conf.pfedit.1BaGoi   Mo Aug 12 07:45:52 2013
@@ -1,5 +1,6 @@
 # Test
 # Test 2
+# Test 3
 #
 # This is the main Apache HTTP server configuration file.  It contains the
 # configuration directives that give the server its instructions.
return,success,0
Delegating the privilege to restart services (so you can keep the root password to yourself)
junior@template:~$ svcadm refresh apache22
svcadm: svc:/network/http:apache22: Permission denied.
# svcs -a | grep apache22
online         15:30:29 svc:/network/http:apache22
# auths add -t "Apache22 value" solaris.smf.value.http.apache22
# auths add -t "Apache22 action" solaris.smf.action.http.apache22
# svccfg -s apache22 setprop general/value_authorization = astring: solaris.smf.value.http.apache22
# svccfg -s apache22 setprop general/action_authorization = astring: solaris.smf.action.http.apache22
# profiles -p "httpd edit" "add auths=solaris.smf.action.http.apache22"
junior@template:~$ svcadm refresh apache22
junior@template:~$
Privileges
$ ls -l /usr/sbin/traceroute
-r-sr-xr-x   1 root     bin        42324 Nov 21 00:09 /usr/sbin/traceroute
$ ls -l /usr/sbin/ping
-r-sr-xr-x   1 root     bin        51396 Nov 18 19:31 /usr/sbin/ping

Set-uid to root: ping needs it to work.
# chmod -s /sbin/ping
# exit
$ ping -s 192.168.1.132
ping: socket Permission denied

Remove the set-uid bit and ping stops working.
jmoekamp@daddelkiste:~$ ppriv $$
2153:   -bash
flags = <none>
        E: basic
        I: basic
        P: basic
        L: all
All privileges in Solaris 11:
contract_event, contract_identity, contract_observer, cpc_cpu, dtrace_kernel, dtrace_proc, dtrace_user, file_chown, file_chown_self, file_dac_execute, file_dac_read, file_dac_search, file_dac_write, file_downgrade_sl, file_flag_set, file_link_any, file_owner, file_read, file_setid, file_upgrade_sl, file_write, graphics_access, graphics_map, ipc_dac_read, ipc_dac_write, ipc_owner, net_access, net_bindmlp, net_icmpaccess, net_mac_aware, net_mac_implicit, net_observability, net_privaddr, net_rawaccess, proc_audit, proc_chroot, proc_clock_highres, proc_exec, proc_fork, proc_info, proc_lock_memory, proc_owner, proc_priocntl, proc_session, proc_setid, proc_taskid, proc_zone, sys_acct, sys_admin, sys_audit, sys_config, sys_devices, sys_dl_config, sys_flow_config, sys_ib_config, sys_ib_info, sys_ip_config, sys_ipc_config, sys_iptun_config, sys_linkdir, sys_mount, sys_net_config, sys_nfs, sys_ppp_config, sys_res_bind, sys_res_config, sys_resource, sys_share, sys_smb, sys_suser_compat, sys_time, sys_trans_label, win_colormap, win_config, win_dac_read, win_dac_write, win_devices, win_dga, win_downgrade_sl, win_fontpath, win_mac_read, win_mac_write, win_selection, win_upgrade_sl

All privileges in their entirety assigned to one user are (almost)

Neat extension in Solaris 11: the ability to use networking (net_access) is now a privilege. It is part of the default set of privileges, but you can remove it.
jmoekamp@daddelkiste:~$ ppriv -v $$
2153:   -bash
flags = <none>
        E: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
        I: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
        P: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
        L: contract_event,contract_identity,contract_observer,cpc_cpu,dtrace_kernel,dtrace_proc,dtrace_user,file_chown,file_chown_self,file_dac_execute,file_dac_read,file_dac_search,file_dac_write,file_downgrade_sl,file_flag_set,file_link_any,file_owner,file_read,file_setid,file_upgrade_sl,file_write,graphics_access,graphics_map,ipc_dac_read,ipc_dac_write,ipc_owner,net_access,net_bindmlp,net_icmpaccess,net_mac_aware,net_mac_implicit,net_observability,net_privaddr,net_rawaccess,proc_audit,proc_chroot,proc_clock_highres,proc_exec,proc_fork,proc_info,proc_lock_memory,proc_owner,proc_priocntl,proc_session,proc_setid,proc_taskid,proc_zone,sys_acct,sys_admin,sys_audit,sys_config,sys_devices,sys_dl_config,sys_flow_config,sys_ib_config,sys_ib_info,sys_ip_config,sys_ipc_config,sys_iptun_config,sys_linkdir,sys_mount,sys_net_config,sys_nfs,sys_ppp_config,sys_res_bind,sys_res_config,sys_resource,sys_share,sys_smb,sys_suser_compat,sys_time,sys_trans_label,win_colormap,win_config,win_dac_read,win_dac_write,win_devices,win_dga,win_downgrade_sl,win_fontpath,win_mac_read,win_mac_write,win_selection,win_upgrade_sl
root@daddelkiste:~# ppriv $$
2183:   -bash
flags = <none>
        E: all
        I: basic
        P: all
        L: all
junior@daddelkiste:~$ dtrace -n 'syscall:::entry { @num[execname] = count(); }'
dtrace: failed to initialize dtrace: DTrace requires additional privileges
root@daddelkiste:~# usermod -K defaultpriv=basic,dtrace_kernel,dtrace_proc,dtrace_user junior
UX: usermod: junior is currently logged in, some changes may not take effect until next login.
junior@daddelkiste:~$ dtrace -n 'syscall:::entry { @num[execname] = count(); }'
dtrace: description 'syscall:::entry ' matched 211 probes
^C

  automountd                                                        1
  sshd                                                             24
  dtrace                                                          544
  auditd                                                          564
# ps -ef | grep kcfd
  daemon   125     1   0 14:24:19 ?           0:00 /usr/lib/crypto/kcfd
    root   734   728   0 15:54:08 pts/1       0:00 grep kcfd
# ppriv -v 125
125:    /usr/lib/crypto/kcfd
flags = PRIV_AWARE
        E: file_owner,proc_priocntl,sys_devices
        I: none
        P: file_owner,proc_priocntl,sys_devices
        L: none
# svcadm -v enable -s apache2
svc:/network/http:apache2 enabled.
jmoekamp@client:~$ ps -ef | grep http
webservd  1978  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1979  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1980  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1984  1975   0 12:20:02 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
    root  1975     1   0 12:19:14 ?           0:01 /usr/apache2/2.2/bin/httpd -k start
webservd  1977  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1976  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
root@client:~# ppriv 1977
1977:   /usr/apache2/2.2/bin/httpd -k start
flags = <none>
        E: basic
        I: basic
        P: basic
        L: all
root@client:~# ppriv 1975
1975:   /usr/apache2/2.2/bin/httpd -k start
flags = <none>
        E: all
        I: basic
        P: all
        L: all
root@client:~#
The Apache process running as root has all the privileges listed above.

The other (webservd) processes have the basic set of privileges.

What Apache really needs is a much smaller set.

So you grant a large number of privileges to one process that Apache does not need.
# svcadm -v disable -s apache2
svc:/network/http:apache2 disabled.
root@client:~# svccfg -s apache22
svc:/network/http:apache22> setprop start/user = astring: webservd
svc:/network/http:apache22> setprop start/group = astring: webservd
svc:/network/http:apache22> setprop start/privileges = astring: basic,!proc_session,!proc_info,!file_link_any,net_privaddr
svc:/network/http:apache22> setprop start/limit_privileges = astring: :default
svc:/network/http:apache22> setprop start/use_profile = boolean: false
svc:/network/http:apache22> setprop start/supp_groups = astring: :default
svc:/network/http:apache22> setprop start/working_directory = astring: :default
svc:/network/http:apache22> setprop start/project = astring: :default
svc:/network/http:apache22> setprop start/resource_pool = astring: :default
svc:/network/http:apache22> end
root@client:~# svcadm -v refresh apache22
Action refresh set for svc:/network/http:apache22.
# echo "LockFile /var/apache2/2.2/logs/accept.lock" >> /etc/apache2/2.2/httpd.conf
# echo "PidFile /var/apache2/2.2/run/httpd.pid" >> /etc/apache2/2.2/httpd.conf
# mkdir -p -m 755 /var/apache2/2.2/run
# chown webservd:webservd /var/apache2/2.2/run
# svcadm enable apache22
webservd  3064  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3062  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3063  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3066  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3061     1   0 16:49:17 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3065  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
Read-only zone root
zonecfg:testzone> set file-mac-profile=none
        Standard read-write non-global zone with no additional protection beyond the existing zone boundaries.
zonecfg:testzone> set file-mac-profile=strict
        Read-only file system, no exceptions.
zonecfg:testzone> set file-mac-profile=fixed-configuration
        Permits updates to /var/* directories, with the exception of directories that contain system configuration components.
zonecfg:testzone> set file-mac-profile=flexible-configuration
        Permits modification of files in /etc/* directories, changes to root's home directory, and updates to /var/* directories. This configuration provides the closest functionality to the Oracle Solaris 10 native sparse root zone.
in-kernel SSL Proxy
# mkdir /etc/keys
# cd /etc/keys
# openssl req -x509 -nodes -days 365 -subj '/C=DE/ST=Hamburg/L=Hamburg/CN=server' -newkey rsa:1024 -keyout /etc/keys/mykey.pem -out /etc/keys/mycert.pem
# cat mycert.pem mykey.pem > my.pem
# chmod 600 my.pem
# echo "pass" > /etc/keys/mypass
# ksslcfg create -f pem -i /etc/keys/my.pem -x 8080 -p /etc/keys/mypass server 443
# ksslcfg create -f pem -i /etc/keys/my.pem -x 8080 -p /etc/keys/mypass -c rsa_aes_256_cbc_sha,rsa_aes_128_cbc_sha,rsa_rc4_128_sha,rsa_rc4_128_md5 server 443
# svcs -a | grep kssl
online          9:03:33 svc:/network/ssl/proxy:kssl-server-443
# svcadm disable apache22
# echo "Listen 192.168.178.108:8080" >> /etc/apache2/2.2/httpd.conf
# svcadm enable apache22

Port number and IP address have to be defined in httpd.conf, otherwise it will not work.
# openssl s_client -connect server:443
CONNECTED(00000004)
depth=0 /C=DE/ST=Hamburg/L=Hamburg/CN=server
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=DE/ST=Hamburg/L=Hamburg/CN=server
verify return:1
---
Certificate chain
 0 s:/C=DE/ST=Hamburg/L=Hamburg/CN=server
   i:/C=DE/ST=Hamburg/L=Hamburg/CN=server
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICoTCCAgqgAwIBAgIJAKyJdj[...]V5jX3MU=
-----END CERTIFICATE-----
subject=/C=DE/ST=Hamburg/L=Hamburg/CN=server
issuer=/C=DE/ST=Hamburg/L=Hamburg/CN=server
---
No client certificate CA names sent
---
SSL handshake has read 817 bytes and written 328 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-SHA
    Session-ID: 32CEF20CB9FE2A71C74D40BB2DB5CB304DA1B57540B7CFDD113915B99DBE9812
    Session-ID-ctx:
    Master-Key: 1E7B502390951124779C5763B5E4BBAF0A9B0693D08DCA8A587B503A5C5027B6FAD9CA7626B1AD8C62219E8502A5C21E
    Key-Arg   : None
    Start Time: 1242985143
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
GET / HTTP/1.0

HTTP/1.1 200 OK
Date: Fri, 22 May 2009 09:39:13 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8a DAV/2
Last-Modified: Thu, 21 May 2009 21:26:30 GMT
ETag: "341f3-2c-46a72cc211a8f"
Accept-Ranges: bytes
Content-Length: 44
Connection: close
Content-Type: text/html

<html><body><h1>It works!</h1></body></html>
read:errno=0
ZFS Encryption
# zfs create -o encryption=on rpool/export/project
Wrapping key (user settable)
Encryption key (random, not user settable)
Wrapping key sources: prompt, file, https, pkcs11
aes-128-ccm (=on), aes-192-ccm, aes-256-ccm, aes-128-gcm, aes-192-gcm, aes-256-gcm
# zfs set checksum=sha256+mac <dataset>

When encryption is enabled, something like this happens automatically. The checksum property is read-only from then on.
# pktool genkey keystore=pkcs11 keytype=aes keylen=128 label=mykey
Enter PIN for Sun Software PKCS#11 softtoken  :
# zfs create -o encryption=on -o keysource=raw,pkcs11:object=mykey tank/project/C
Enter PKCS#11 token PIN for 'tank/project/C':
# zfs create -o encryption=on -o keysource=raw,https://keys.example.com/mykey tank/project/R
# cp myserver.cert.pem /etc/certs/CA/
# svcadm refresh ca-certificates
$ zfs key -c rpool/export/project
Enter new passphrase for 'rpool/export/project':

Changing the wrapping key
# zfs key -K tank/project/A
# zfs clone -K tank/project/A@montag tank/project/D

Changing the encryption key, for data written from now on: this creates a new data encryption key. Data written in the clone uses the new data encryption key, which is distinct from the key of its origin snapshot.
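The two-key scheme behind these slides (user-settable wrapping key, random data encryption key, zfs key -c versus zfs key -K and zfs clone -K), reduced to a runnable Python model. Added example, not ZFS code: the "wrap" below is a toy keystream-XOR-plus-HMAC construction standing in for the AES key wrap ZFS uses, the keychain and block bookkeeping are assumptions of the model, and the point is only which key changes with which command.

```python
"""Model of ZFS encryption key handling as described on the slides.
Added example, not ZFS code. The wrap (PBKDF2-derived key, keystream XOR,
HMAC tag) is a toy stand-in for ZFS's AES key wrap; only the behaviour of
`zfs key -c`, `zfs key -K` and `zfs clone -K` towards the keys is modelled."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

TAG_LEN = 16


def derive_wrapping_key(passphrase: str, salt: bytes) -> bytes:
    """keysource=passphrase,prompt: the user-settable wrapping key comes from the passphrase."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000, 32)


def _stream(key: bytes, n: int) -> bytes:
    return hmac.new(key, b"toy-wrap-stream", hashlib.sha256).digest()[:n]


def wrap(wk: bytes, dek: bytes) -> bytes:
    """Toy wrap: XOR the DEK with a keystream and append an HMAC tag."""
    body = bytes(a ^ b for a, b in zip(dek, _stream(wk, len(dek))))
    return body + hmac.new(wk, body, hashlib.sha256).digest()[:TAG_LEN]


def unwrap(wk: bytes, blob: bytes) -> bytes:
    """Reject a wrong wrapping key instead of handing back a garbage DEK."""
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(wk, body, hashlib.sha256).digest()[:TAG_LEN], tag):
        raise ValueError("wrapping key does not unwrap this keychain entry")
    return bytes(a ^ b for a, b in zip(body, _stream(wk, len(body))))


def dek_id(dek: bytes) -> str:
    return hashlib.sha256(dek).hexdigest()[:8]


@dataclass
class Dataset:
    name: str
    salt: bytes
    keychain: dict                 # dek_id -> wrapped DEK, stored on disk
    current: str                   # dek_id used for new writes
    wrapping_key: bytes = None     # in memory only while the key is loaded
    deks: dict = field(default_factory=dict)    # unwrapped DEKs, memory only
    blocks: list = field(default_factory=list)  # (payload, dek_id) per block


def zfs_create(name: str, passphrase: str) -> Dataset:
    """zfs create -o encryption=on: random DEK, wrapped under the passphrase-derived key."""
    dek, salt = os.urandom(16), os.urandom(16)   # DEK is random, not user settable
    wk, kid = derive_wrapping_key(passphrase, salt), dek_id(os.urandom(0) + dek)
    ds = Dataset(name, salt, {kid: wrap(wk, dek)}, kid, wk)
    ds.deks[kid] = dek
    return ds


def zfs_key_unload(ds: Dataset) -> None:
    ds.wrapping_key, ds.deks = None, {}


def zfs_key_load(ds: Dataset, passphrase: str) -> None:
    """zfs key -l (or the zpool import prompt): unwrap every keychain entry."""
    wk = derive_wrapping_key(passphrase, ds.salt)
    ds.deks = {kid: unwrap(wk, blob) for kid, blob in ds.keychain.items()}
    ds.wrapping_key = wk


def write(ds: Dataset, payload: bytes) -> None:
    ds.blocks.append((payload, ds.current))


def readable(ds: Dataset) -> list:
    """Blocks whose DEK is currently loaded."""
    return [p for p, kid in ds.blocks if kid in ds.deks]


def zfs_key_c(ds: Dataset, new_passphrase: str) -> None:
    """zfs key -c: new wrapping key; every DEK is rewrapped, no data block is rewritten."""
    if ds.wrapping_key is None:
        raise RuntimeError("key must be loaded")
    ds.salt = os.urandom(16)
    ds.wrapping_key = derive_wrapping_key(new_passphrase, ds.salt)
    ds.keychain = {kid: wrap(ds.wrapping_key, dek) for kid, dek in ds.deks.items()}


def zfs_key_K(ds: Dataset) -> None:
    """zfs key -K: a new DEK for data written from now on; old blocks keep theirs."""
    dek = os.urandom(16)
    ds.deks[dek_id(dek)] = dek
    ds.keychain[dek_id(dek)] = wrap(ds.wrapping_key, dek)
    ds.current = dek_id(dek)


def zfs_clone_K(origin: Dataset, name: str) -> Dataset:
    """zfs clone -K origin@snap clone: the clone inherits the origin's keychain (it
    shares the snapshot's blocks) and gets a DEK of its own for what it writes."""
    clone = Dataset(name, origin.salt, dict(origin.keychain), origin.current,
                    origin.wrapping_key, dict(origin.deks), list(origin.blocks))
    zfs_key_K(clone)
    return clone
```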
c0t0d0s0org93
Solaris Cryptographic Framework
As soon as Solaris detects hardware acceleration for cryptography, Solaris will use it (and so will applications using the Oracle-supplied OpenSSL library or the direct interfaces):
• on-chip crypto accelerator in T-series and current M-series chips
• instruction set extensions in Intel processors (AES-NI)
• supported crypto accelerator cards
Just a side note: T-series crypto acceleration and Intel x86 acceleration have rather different performance characteristics.
T-series: acceleration by offloading crypto outside the pipeline.
Intel x86: acceleration by offering special in-pipeline instructions to speed up execution.
Sounds like splitting hairs.
Using ZFS to do two-factor encryption

jmoekamp@solaris:~$ rmformat
Looking for devices...
     1. Logical Node: /dev/rdsk/c10t0d0p0
        Physical Node: /pci@0,0/pci8086,265c@b/storage@2/disk@0,0
        Connected Device: SanDisk  U3 Cruzer Micro  8.02
        Device Type: Removable
        Bus: USB
        Size: 3.8 GB
        Label: <None>
        Access permissions: Medium is not write protected
(...)
     3. Logical Node: /dev/rdsk/c9t0d0p0
        Physical Node: /pci@0,0/p
   ci8086,265c@b/storage@1/disk@0,0
        Connected Device: SanDisk  U3 Cruzer Micro  8.02
        Device Type: Removable
        Bus: USB
        Size: 3.8 GB
        Label: <None>
        Access permissions: Medium is not write protected

root@solaris:~# zpool create a_keystore_usbstick /dev/dsk/c10t0d0p0
root@solaris:~# zpool create datastick /dev/dsk/c9t0d0p0

root@solaris:~# zfs create -o encryption=on a_keystore_usbstick/keys
Enter passphrase for 'a_keystore_usbstick/keys': supersecret
Enter again: supersecret

root@solaris:~# pktool genkey keystore=file keytype=aes keylen=128 outkey=/a_keystore_usbstick/keys/joergsdatastickkey

root@solaris:~# zfs create -o encryption=on -o keysource=raw,file:///a_keystore_usbstick/keys/joergsdatastickkey datastick/joergssecrets

root@solaris:/datastick/joergssecrets# mv /home/jmoekamp/highlyconfidential_nda_presos.tgz .

root@solaris:~# zpool export a_keystore_usbstick
root@solaris:~# zpool export datastick

root@solaris:~# zpool import a_keystore_usbstick
Enter passphrase for 'a_keystore_usbstick/keys': supersecret
root@solaris:~#

root@solaris:~# zpool import datastick
root@solaris:~# cd /datastick/joergssecrets
root@solaris:/datastick/joergssecrets# ls
highlyconfidential_nda_presos.tgz

Two factors: the key stick (something you have) and the passphrase of its keys dataset (something you know). The data stick on its own carries only ciphertext and a reference to a key file it does not contain; the key stick on its own is useless without the passphrase. Import order matters: the keystore pool must be imported and its passphrase entered before the datastick's dataset can find its key.
Basic Auditing and Reporting Tool

# mkdir bart-files
# bart create -R /etc > bart-files/etc.control.manifest

# cat bart-files/etc.control.manifest | grep nsswitch.nisplus
/nsswitch.nisplus F 2525 100644 user::rw-,group::r--,mask:r--,other:r-- 473976b5 0 3 79e8fd689a5221d1cd059e5077da71b8
(fields: fname type size mode acl mtime uid gid contents, the last one being the MD5 of the file)

# touch /etc/thisisjustatest
# chmod 777 /etc/nsswitch.files
# echo "just a test" >> /etc/nsswitch.nisplus

# bart create -R /etc > bart-files/etc.check.20130911.manifest

# cd bart-files
# bart compare etc.control.manifest etc.check.20130911.manifest
/nsswitch.files:
  mode  control:100644  test:100777
  acl  control:user::rw-,group::r--,mask:r--,other:r--  test:user::rwx,group::rwx,mask:rwx,other:rwx
/nsswitch.nisplus:
  size  control:2525  test:2538
  mtime  control:473976b5  test:47a44862
  contents  control:79e8fd689a5221d1cd059e5077da71b8  test:3f79176ec352441db11ec8a3d02ef67c
/thisisjustatest:
  add

Keep the control manifest somewhere the host itself cannot modify (it is the reference you compare against), and use a bart rules file to exclude attributes that change legitimately, otherwise the comparison drowns in noise.

Find more information regarding this feature at http://www.c0t0d0s0.org/archives/4069-Less-known-Solaris-features-BART.html
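The comparison above is simple enough to reproduce, which is useful when the manifests have to be evaluated on a machine without bart (a central integrity server, for instance). The following is an added example in Python, not the Solaris bart(1M) binary and not code from the slides: it parses the manifest layout shown above and reports changes, additions and deletions, with an ignore list playing the role of the IGNORE directives of a bart rules file. The nsswitch.nisplus entry is the one from the slide; all other manifest lines are constructed for the example.

```python
# Added example: a Python re-implementation of what `bart compare` does,
# not the Solaris bart(1M) binary. It parses the manifest layout shown above
# (fname type size mode acl mtime uid gid [contents]) and reports attribute
# changes, additions and deletions, with an ignore list standing in for the
# IGNORE directives of a bart rules file. The nsswitch.nisplus line is the one
# from the slide; every other manifest line below is constructed.
FIELDS = ("type", "size", "mode", "acl", "mtime", "uid", "gid", "contents")

CONTROL_MANIFEST = """\
! Version 1.0
! Wednesday, September 11, 2013 (10:00:00)
# Format:
#fname D size mode acl dirmtime uid gid
#fname F size mode acl mtime uid gid contents
/nsswitch.files F 2520 100644 user::rw-,group::r--,mask:r--,other:r-- 473976b5 0 3 0a1b2c3d4e5f60718293a4b5c6d7e8f9
/nsswitch.nisplus F 2525 100644 user::rw-,group::r--,mask:r--,other:r-- 473976b5 0 3 79e8fd689a5221d1cd059e5077da71b8
/passwd F 812 100644 user::rw-,group::r--,mask:r--,other:r-- 473976b5 0 3 9f8e7d6c5b4a39281716050403020100
"""

TEST_MANIFEST = """\
! Version 1.0
! Wednesday, September 11, 2013 (16:30:00)
# Format:
#fname D size mode acl dirmtime uid gid
#fname F size mode acl mtime uid gid contents
/nsswitch.files F 2520 100777 user::rwx,group::rwx,mask:rwx,other:rwx 473976b5 0 3 0a1b2c3d4e5f60718293a4b5c6d7e8f9
/nsswitch.nisplus F 2538 100644 user::rw-,group::r--,mask:r--,other:r-- 47a44862 0 3 3f79176ec352441db11ec8a3d02ef67c
/thisisjustatest F 0 100644 user::rw-,group::r--,mask:r--,other:r-- 47a44862 0 0 d41d8cd98f00b204e9800998ecf8427e
"""


def parse_manifest(text: str) -> dict:
    """Return {fname: {field: value}}; lines starting with '!' or '#' are headers."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line[0] in "!#":
            continue
        parts = line.split()
        entries[parts[0]] = dict(zip(FIELDS, parts[1:]))
    return entries


def compare(control: dict, test: dict, ignore: tuple = ()) -> dict:
    """Return {fname: [(what, control_value, test_value), ...]} for changed entries.

    what is 'add', 'delete' or the attribute name; attributes in ignore are
    skipped, like IGNORE in a rules file (e.g. mtime on a busy directory)."""
    report = {}
    for fname in sorted(set(control) | set(test)):
        if fname not in test:
            report[fname] = [("delete", None, None)]
        elif fname not in control:
            report[fname] = [("add", None, None)]
        else:
            old, new = control[fname], test[fname]
            changes = [(f, old.get(f), new.get(f)) for f in FIELDS
                       if f not in ignore and old.get(f) != new.get(f)]
            if changes:
                report[fname] = changes
    return report


def format_report(report: dict) -> str:
    """Render in the style of the bart compare output above."""
    lines = []
    for fname, changes in report.items():
        lines.append("%s:" % fname)
        for what, old, new in changes:
            if what in ("add", "delete"):
                lines.append("  %s" % what)
            else:
                lines.append("  %s  control:%s  test:%s" % (what, old, new))
    return "\n".join(lines)


def demo() -> str:
    """The slide's scenario plus a deleted file: mode/acl change, content change, add, delete."""
    return format_report(compare(parse_manifest(CONTROL_MANIFEST),
                                 parse_manifest(TEST_MANIFEST)))
```

Calling `compare(..., ignore=("mtime",))` drops the mtime line for nsswitch.nisplus while keeping the size and contents changes, which is the tradeoff a rules file makes: less noise, but a touch-only change is no longer visible.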
Apropos auditing

Auditing is activated by default.

root@client:~# auditconfig -getflags
active user default audit flags = lo(0x1000,0x1000)
configured user default audit flags = lo(0x1000,0x1000)
root@client:~# auditconfig -getnaflags
active non-attributable audit flags = lo(0x1000,0x1000)
configured non-attributable audit flags = lo(0x1000,0x1000)
(the pair in parentheses is the success mask and the failure mask of the selected audit classes)

root@client:~# auditconfig -getpolicy
configured audit policies = cnt
active audit policies = cnt
Policy regarding auditing (explanation on the next slide)

root@client:~# auditconfig -lspolicy
policy string    description
ahlt             halt machine if it can not record an async event
all              all policies
arge             include exec environment args in audit recs
argv             include exec command line args in audit recs
cnt              when no more space, drop recs and keep a cnt
group            include supplementary groups in audit recs
none             no policies
path             allow multiple paths per event
perzone          use a separate queue and auditd per zone
public           audit public files
seq              include a sequence number in audit recs
trail            include trailer token in audit recs
windata_down     include downgraded window information in audit recs
windata_up       include upgraded window information in audit recs
zonename         include zonename token in audit recs
Which degree of detail? What happens with full disks? (cnt keeps the system running and counts the dropped records; ahlt halts the machine rather than lose a record)

root@client:~# auditconfig -getplugin
Plugin: audit_binfile (active)
        Attributes: p_dir=/var/audit;p_fsize=0;p_minfree=1;
Plugin: audit_syslog (inactive)
        Attributes: p_flags=;
Plugin: audit_remote (inactive)
        Attributes: p_hosts=;p_retries=3;p_timeout=5;

root@client:~# auditconfig -setflags lo,ps,fw
user default audit flags = ps,lo,fw(0x101002,0x101002)
root@client:~# auditconfig -setnaflags lo,na
non-attributable audit flags = lo,na(0x1400,0x1400)
lo and na are the only sensible flags for non-attributable events.

root@client:~# usermod -K audit_flags=fw:as junior
(per-user flags: always-audit classes before the colon, never-audit classes after it; they are merged with the system default flags when the user logs in)
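The mask pairs auditconfig prints are just the OR of the class bits, but the prefixes and the per-user always:never syntax are easy to get wrong when tuning preselection. The following is an added example in Python, not Oracle's auditconfig and not code from the slides: it turns a flag string into the (success,failure) masks shown above and applies a usermod -K audit_flags value on top of the system default. The bit values of fw, lo, na and ps are the ones visible in the slide output; the remaining classes are assumed to match the default /etc/security/audit_class.

```python
# Added example (Python, not Oracle's auditconfig): reproduces the
# (success,failure) mask pairs auditconfig prints above, e.g. lo,ps,fw ->
# (0x101002,0x101002), and applies the per-user audit_flags=always:never
# syntax used with usermod -K. The bit values of fw, lo, na and ps are the
# ones visible in the slide output; the other classes are assumed to match
# the default /etc/security/audit_class.
ALL = 0xFFFFFFFFFFFFFFFF
CLASSES = {
    "no": 0x0, "fr": 0x1, "fw": 0x2, "fa": 0x4, "fm": 0x8, "fc": 0x10, "fd": 0x20,
    "cl": 0x40, "nt": 0x100, "ip": 0x200, "na": 0x400, "ex": 0x800, "lo": 0x1000,
    "ap": 0x4000, "ss": 0x10000, "as": 0x20000, "ua": 0x40000, "aa": 0x80000,
    "ps": 0x100000, "pm": 0x200000, "all": ALL,
}


def flags_to_masks(flags: str, success: int = 0, failure: int = 0) -> tuple:
    """Apply an audit flag string left to right to a (success, failure) mask pair.

    No prefix: audit successful and failed events of the class; '+': successes
    only; '-': failures only; '^': remove the class from both masks; '^+' and
    '^-': remove it from one of them. Unknown classes raise instead of being
    silently ignored."""
    for item in flags.split(","):
        item = item.strip()
        if not item:
            continue
        remove = item.startswith("^")
        item = item[1:] if remove else item
        want_success = want_failure = True
        if item.startswith("+"):
            want_failure, item = False, item[1:]
        elif item.startswith("-"):
            want_success, item = False, item[1:]
        if item not in CLASSES:
            raise ValueError("unknown audit class: %r" % item)
        bits = CLASSES[item]
        if remove:
            success = success & ~bits if want_success else success
            failure = failure & ~bits if want_failure else failure
        else:
            success = success | bits if want_success else success
            failure = failure | bits if want_failure else failure
    return success & ALL, failure & ALL


def user_masks(system_flags: str, audit_flags: str) -> tuple:
    """usermod -K audit_flags=always:never: the always part is added to the
    system default, the never part is removed afterwards, so never wins."""
    always, _, never = audit_flags.partition(":")
    success, failure = flags_to_masks(always, *flags_to_masks(system_flags))
    remove = ",".join("^" + cls for cls in never.split(",") if cls)
    return flags_to_masks(remove, success, failure)


def show(masks: tuple) -> str:
    """Format like auditconfig: (0x<success>,0x<failure>)."""
    return "(0x%x,0x%x)" % masks
```

`show(flags_to_masks("lo,ps,fw"))` gives the `(0x101002,0x101002)` from the slide; `flags_to_masks("lo,+fw")` shows why the success and failure masks are printed separately, and `user_masks("lo,ps,as", "fw:as")` shows that junior's never-audit entry strips the as class even though the system default asks for it.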
root@client:~# auditconfig -lsevent | grep lo
AUE_login                 6152 lo login - local
AUE_logout                6153 lo logout
AUE_telnet                6154 lo login - telnet
AUE_rlogin                6155 lo login - rlogin
AUE_rshd                  6158 lo rsh access
AUE_su                    6159 lo su
AUE_rexecd                6162 lo rexecd
AUE_passwd                6163 lo passwd
AUE_rexd                  6164 lo rexd
AUE_ftpd                  6165 lo ftp access
AUE_ftpd_logout           6171 lo ftp logout
AUE_ssh                   6172 lo login - ssh
AUE_role_login            6173 lo role login
AUE_rad_login             6174 lo connect to RAD
AUE_newgrp_login          6212 lo newgrp login
AUE_admin_authenticate    6213 lo admin login
AUE_screenlock            6221 lo screenlock - lock
AUE_screenunlock          6222 lo screenlock - unlock
AUE_zlogin                6227 lo login - zlogin
AUE_su_logout             6228 lo su logout
AUE_role_logout           6229 lo role logout
AUE_smbd_session          6244 lo smbd(1m) session setup
AUE_smbd_logoff           6245 lo smbd(1m) session logoff

root@client:~# auditconfig -lsevent | grep ps
AUE_EXIT                     1 ps exit(2)
AUE_FORKALL                  2 ps forkall(2)
AUE_VFORK                   25 ps vfork(2)
AUE_FORK1                  241 ps fork1(2)
root@client:~# auditconfig -lsevent | grep fw
AUE_OPEN_W                  76 fw open(2) - write

# auditreduce -c ps /var/audit/20130912183630.not_terminated.client | praudit
header,139,2,execve(2),,client,2013-09-12 18:40:55.924 +00:00
path,/usr/sbin/auditreduce
attribute,100555,root,bin,65538,65875,18446744073709551615
subject,jmoekamp,root,root,root,root,2054,1440080956,2480 202240 192.168.10.1
return,success,0

root@client:~# auditconfig -setflags all
user default audit flags = all(0xffffffffffffffff,0xffffffffffffffff)
Not always (in the sense of never) a good idea.
Useful after trying things out - starting a new audit file:
root@client:~# audit -n

root@client:~# auditstat
  gen  nona   kern  aud  ctl    enq   wrtn wblk rblk drop  tot mem
38248     1  38233   14    0  37791  37788    0 3491  457 5169   0
"all" activated for a few seconds on an unloaded system: 38248 records generated, 457 of them already dropped under the cnt policy.
SSH and X.509

root@ca:~# CA.pl -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
.....++++++
writing new private key to '/etc/openssl/private/cakey.pem'
Enter PEM pass phrase: supersecret1
Verifying - Enter PEM pass phrase: supersecret1
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:DE
State or Province Name (full name) []:Lower Saxony
Locality Name (eg, city) []:Lueneburg
Organization Name (eg, company) []:c0t0d0s0.org
Organizational Unit Name (eg, section) []:Security Department
Common Name (e.g. server FQDN or YOUR name) []:CA
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openssl/openssl.cnf
Enter pass phrase for /etc/openssl/private/cakey.pem: supersecret1
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            b3:54:80:88:66:ad:e8:78
        Validity
            Not Before: Sep 26 10:11:09 2013 GMT
            Not After : Sep 25 10:11:09 2016 GMT
        Subject:
            countryName               = DE
            stateOrProvinceName       = Lower Saxony
            organizationName          = c0t0d0s0.org
            organizationalUnitName    = Security Department
            commonName                = CA
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44
            X509v3 Authority Key Identifier:
                keyid:5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44
            X509v3 Basic Constraints:
                CA:TRUE
Certificate is to be certified until Sep 25 10:11:09 2016 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated

(CA.pl takes the key size from default_bits in /etc/openssl/openssl.cnf. The 1024-bit keys here are fine for a demo, not for a CA you intend to keep; set default_bits to 2048 or more before running -newca.)

root@ca:~# mkdir server
root@ca:~# cd server
root@ca:~/server# CA.pl -newreq
Generating a 1024 bit RSA private key
.....++++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase: supersecret2
Verifying - Enter PEM pass phrase: supersecret2
-----
Country Name (2 letter code) []:DE
State or Province Name (full name) []:Lower Saxony
Locality Name (eg, city) []:Lueneburg
Organization Name (eg, company) []:c0t0d0s0.org
Organizational Unit Name (eg, section) []:Server Certificates
Common Name (e.g. server FQDN or YOUR name) []:server
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem

root@ca:~/server# CA.pl -signreq
Using configuration from /etc/openssl/openssl.cnf
Enter pass phrase for /etc/openssl/private/cakey.pem: supersecret1
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            b3:54:80:88:66:ad:e8:79
        Validity
            Not Before: Sep 26 10:29:12 2013 GMT
            Not After : Sep 26 10:29:12 2014 GMT
        Subject:
            countryName               = DE
            stateOrProvinceName       = Lower Saxony
            localityName              = Lueneburg
            organizationName          = c0t0d0s0.org
            organizationalUnitName    = Server Certificates
            commonName                = server
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                A7:DC:03:DE:B3:D5:FB:F9:C0:06:F1:1A:55:A9:AD:04:C4:9C:10:FA
            X509v3 Authority Key Identifier:
                keyid:5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44
Certificate is to be certified until Sep 26 10:29:12 2014 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
root@ca:~/server# ls -l
total 15
-rw-r--r--   1 root     root        3196 Sep 26 12:29 newcert.pem
-rw-r--r--   1 root     root        1041 Sep 26 12:28 newkey.pem
-rw-r--r--   1 root     root         680 Sep 26 12:28 newreq.pem

root@ca:~/junior# CA.pl -newreq
Generating a 1024 bit RSA private key
.....++++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
Verify failure
Enter PEM pass phrase: supersecret3
Verifying - Enter PEM pass phrase: supersecret3
-----
Country Name (2 letter code) []:DE
State or Province Name (full name) []:Lower Saxony
Locality Name (eg, city) []:Lueneburg
Organization Name (eg, company) []:c0t0d0s0.org
Organizational Unit Name (eg, section) []:User certificates
Common Name (e.g. server FQDN or YOUR name) []:junior
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem

root@ca:~/junior# CA.pl -signreq
Using configuration from /etc/openssl/openssl.cnf
Enter pass phrase for /etc/openssl/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            b3:54:80:88:66:ad:e8:7a
        Validity
            Not Before: Sep 26 11:09:29 2013 GMT
            Not After : Sep 26 11:09:29 2014 GMT
        Subject:
            countryName               = DE
            stateOrProvinceName       = Lower Saxony
            localityName              = Lueneburg
            organizationName          = c0t0d0s0.org
            organizationalUnitName    = User certificates
            commonName                = junior
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                A1:F2:FC:9D:8A:E2:AD:9A:F5:29:03:F5:B7:14:93:3C:64:62:8E:9C
            X509v3 Authority Key Identifier:
                keyid:5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44
Certificate is to be certified until Sep 26 11:09:29 2014 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem

root@server:~# useradd -m junior
80 blocks
root@server:~# passwd junior
New Password:
Re-enter new Password:
passwd: password successfully changed for junior
root@server:~#

root@client:~# useradd -m junior
80 blocks
root@client:~# passwd junior
New Password:
Re-enter new Password:
passwd: password successfully changed for junior

root@server:~# echo "192.168.10.51 server" >> /etc/hosts
root@server:~# echo "192.168.10.52 client" >> /etc/hosts

root@client:~# echo "192.168.10.51 server" >> /etc/hosts
root@client:~# echo "192.168.10.52 client" >> /etc/hosts

root@ca:~/server# scp /etc/openssl/cacert.pem jmoekamp@192.168.10.109:/export/home/jmoekamp
Password:
cacert.pem           100% |*****************************|  3011       00:00
root@ca:~/server# scp newcert.pem jmoekamp@192.168.10.109:/export/home/jmoekamp
Password:
newcert.pem          100% |*****************************|  3196       00:00
root@ca:~/server# scp newkey.pem jmoekamp@192.168.10.109:/export/home/jmoekamp
Password:
newkey.pem           100% |*****************************|  1041       00:00

root@ca:~/junior# scp newkey.pem junior@client:/export/home/junior
Password:
newkey.pem           100% |*****************************|  1041       00:00
root@ca:~/junior# scp newcert.pem junior@client:/export/home/junior
Password:
newcert.pem          100% |*****************************|  3190       00:00
root@ca:~/junior# scp /etc/openssl/cacert.pem junior@192.168.10.104:/export/home/junior
Password:
cacert.pem           100% |*****************************|  3011       00:00

On the server

root@server:~# ls
cacert.pem  newcert.pem  newkey.pem

root@server:~# pktool setpin
Enter token passphrase: changeme
Create new passphrase: superserversecret
Re-enter new passphrase: superserversecret
Passphrase changed.
root@server:~#

root@server:~# printf "superserversecret" > /etc/ssh/pinfile
(the pinfile holds the token PIN in clear text: keep it readable by root only, e.g. chmod 600 /etc/ssh/pinfile)

root@server:~# kmfcfg create dbfile=/etc/ssh/policy.xml policy=ssh ta-name=search mapper-name=cn

root@server:~# echo "TrustedAnchorKeystore /etc/ssh/cert" >> /etc/ssh/sshd_config
root@server:~# echo "KMFPolicyDatabase /etc/ssh/policy.xml" >> /etc/ssh/sshd_config
root@server:~# echo "KMFPolicyName ssh" >> /etc/ssh/sshd_config
root@server:~# echo "HostKey pkcs11:object=host;token=Sun Metaslot;pinfile=/etc/ssh/pinfile" >> /etc/ssh/sshd_config

root@server:~# pktool import keystore=pkcs11 infile=newkey.pem objtype=key label=host
Enter PIN for Sun Software PKCS#11 softtoken  : superserversecret
Enter PEM pass phrase: supersecret2
Importing 1 keys

root@server:~# egrep -v '^ |^$|^Cert' /export/home/jmoekamp/cacert.pem > /etc/ssh/cert/cacert.cooked.pem
root@server:~# egrep -v '^ |^$|^Cert' newcert.pem > newcert.cooked.pem
root@server:~# pktool import keystore=pkcs11 infile=newcert.cooked.pem objtype=cert label=host
root@server:~#
(the egrep strips the human-readable certificate dump that CA.pl leaves in front of the PEM block; pktool wants the bare PEM. The directory /etc/ssh/cert named as TrustedAnchorKeystore has to exist before the redirect.)

On the client

junior@client:~$ ls *.pem
cacert.pem  newcert.pem  newkey.pem

root@client:~# kmfcfg create dbfile=/etc/ssh/policy.xml policy=ssh ta-name=search mapper-name=cn
root@client:~# egrep -v '^ |^$|^Cert' /export/home/junior/cacert.pem > /etc/ssh/cert/cacert.cooked.pem

junior@client:~$ pktool setpin
Enter token passphrase: changeme
Create new passphrase: superusersecret
Re-enter new passphrase: superusersecret
Passphrase changed.

junior@client:~$ pktool import keystore=pkcs11 infile=newkey.pem objtype=key label=user
Enter PIN for Sun Software PKCS#11 softtoken  : superusersecret
Enter PEM pass phrase: supersecret3
Importing 1 keys
junior@client:~$ egrep -v '^ |^$|^Cert' newcert.pem > newcert.cooked.pem
junior@client:~$ pktool import keystore=pkcs11 infile=newcert.cooked.pem objtype=cert label=user
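The egrep used on both the server and the client relies on the layout of the text dump CA.pl writes in front of the PEM block. The following is an added example in Python, not Solaris code and not from the slides: it cuts the PEM block out by its BEGIN/END markers and validates the base64 body, so a truncated or hand-edited file is caught before it reaches pktool, and it keeps the slide's egrep filter alongside for comparison. The sample file is constructed; its "certificate" body is a placeholder, not a real certificate.

```python
# Added example (Python, not Solaris code): cut the PEM block out of a file
# that carries a text preamble, such as the newcert.pem CA.pl produces, which
# starts with the human-readable dump from `openssl ca`. The slides do this
# with egrep -v '^ |^$|^Cert', which fits that layout; keying on the
# -----BEGIN/-----END markers and validating the base64 body also catches a
# truncated or edited file before pktool import. The sample "certificate"
# below is a constructed placeholder, not a real certificate.
import base64
import binascii
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(.*?)-----END \1-----\n?", re.S)

PLACEHOLDER_DER = b"placeholder DER bytes, not a real certificate"
SAMPLE_NEWCERT = (
    "Certificate:\n"
    "    Data:\n"
    "        Version: 3 (0x2)\n"
    "        Serial Number:\n"
    "            b3:54:80:88:66:ad:e8:79\n"
    "    Signature Algorithm: sha1WithRSAEncryption\n"
    "        Issuer: C=DE, ST=Lower Saxony, O=c0t0d0s0.org, OU=Security Department, CN=CA\n"
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(PLACEHOLDER_DER).decode()
    + "-----END CERTIFICATE-----\n"
)


def extract_pem_blocks(text: str) -> list:
    """Return [(label, pem_text, der_bytes)] for every well-formed PEM block."""
    text = text.replace("\r\n", "\n")  # files that went through Windows
    blocks = []
    for m in PEM_RE.finditer(text):
        label, body = m.group(1), m.group(2)
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error as exc:
            raise ValueError("corrupt base64 in %s block: %s" % (label, exc)) from exc
        blocks.append((label, m.group(0).rstrip("\n") + "\n", der))
    return blocks


def cook(text: str, label: str = "CERTIFICATE") -> str:
    """What pktool should get: only the block(s) of the given label, nothing else."""
    parts = [pem for lab, pem, _ in extract_pem_blocks(text) if lab == label]
    if not parts:
        raise ValueError("no %s block found" % label)
    return "".join(parts)


def egrep_cook(text: str) -> str:
    """The slide's egrep -v '^ |^$|^Cert' filter, for comparison."""
    keep = [line for line in text.splitlines()
            if line and not line.startswith(" ") and not line.startswith("Cert")]
    return "\n".join(keep) + "\n"
```

On CA.pl output both filters produce the same file; the marker-based version additionally refuses a damaged body and does not depend on every preamble line being indented or starting with "Cert".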
Testing it

root@server:~# svcadm disable ssh
root@server:~# svcadm enable ssh

junior@client:~$ cd .ssh
junior@client:~/.ssh$ printf "superusersecret" >> pinfile
junior@client:~/.ssh$ cat config
Host server-x509
    Hostname server
    TrustedAnchorKeystore /etc/ssh/cert
    KMFPolicyDatabase /etc/ssh/policy.xml
    KMFPolicyName ssh
    IdentityFile pkcs11:object=user;token=Sun Software PKCS#11 softtoken;pinfile=/export/home/junior/.ssh/pinfile

junior@client:~/.ssh$ ssh junior@server-x509
Last login: Thu Sep 26 20:07:14 2013 from client
Oracle Corporation      SunOS 5.11      11.1    September 2013
junior@server:~$

Find more information regarding this feature at http://www.c0t0d0s0.org/archives/7659-Using-X509-support-for-SSH-on-Solaris-11.1.html
c0t0d0s0org160
OpenSCAP
c0t0d0s0org161
bdquoThe Security Content Automation Protocol (SCAP) is a method for using specific standards to enable automated vulnerability management measurement and policy compliance evaluation (eg FISMA compliance) The National Vulnerability Database(NVD) is the US government content repository for SCAPldquo
httpenwikipediaorgwikiSecurity_Content_Automation_Protocol
c0t0d0s0org162
ftp-bannerxml
ltxml version=10 encoding=UTF-8gtltoval_definitions xmlns=httpovalmitreorgXMLSchemaoval-definitions-5 xmlnsxsi=httpwwww3org2001XMLSchema-instance xmlnsoval=httpovalmitreorgXMLSchemaoval-common-5 xmlnsoval-def=httpovalmitreorgXMLSchemaoval-definitions-5 xmlnsindependent-def=httpovalmitreorgXMLSchemaoval-definitions-5independent xsischemaLocation=httpovalmitreorgXMLSchemaoval-definitions-5 oval-definitions-schemaxsd httpovalmitreorgXMLSchemaoval-definitions-5independent independent-definitions-schemaxsd httpovalmitreorgXMLSchemaoval-common-5 oval-common-schemaxsdgt
ltgeneratorgt ltovalproduct_namegtEnhanced SCAP Editorltovalproduct_namegt ltovalproduct_versiongt0011ltovalproduct_versiongt ltovalschema_versiongt58ltovalschema_versiongt ltovaltimestampgt2012-10-11T103325ltovaltimestampgt ltgeneratorgt lt--generatedovalbaseidentifier=comoraclesolaris11--gt ltdefinitionsgt ltdefinition id=ovalcomoraclesolaris11def840 version=1 class=compliancegt ltmetadatagt lttitlegtEnable a Warning Banner for the FTP Servicelttitlegt ltaffected family=unixgt ltplatformgtOracle Solaris 11ltplatformgt ltaffectedgt ltdescriptiongtetcproftpdconf contains DisplayConnect etcissueltdescriptiongt ltmetadatagt ltcriteria operator=AND negate=false comment=Single testgt ltcriterion comment=etcproftpdconf contains ampquotDisplayConnect etcissueampquot test_ref=ovalcomoraclesolaris11tst8400 negate=falsegt
ltcriteriagt ltdefinitiongt ltdefinitionsgt lttestsgt lttextfilecontent54_test xmlns=httpovalmitreorgXMLSchemaoval-definitions-5independent id=ovalcomoraclesolaris11tst8400 version=1 check=all comment=etcproftpdconf contains ampquotDisplayConnect etcissueampquot check_existence=all_existgt ltobject object_ref=ovalcomoraclesolaris11obj8400gt lttextfilecontent54_testgt lttestsgt ltobjectsgt lttextfilecontent54_object xmlns=httpovalmitreorgXMLSchemaoval-definitions-5independent id=ovalcomoraclesolaris11obj8400 version=1 comment=etcproftpdconf contains ampquotDisplayConnect etcissueampquotgt ltpath datatype=string operation=equalsgtetcltpathgt ltfilename datatype=string operation=equalsgtproftpdconfltfilenamegt ltpattern datatype=string operation=pattern matchgt^DisplayConnectsetcissues$ltpatterngt ltinstance datatype=int operation=greater than or equalgt1ltinstancegt lttextfilecontent54_objectgt ltobjectsgtltoval_definitionsgt
c0t0d0s0org163
lttextfilecontent54_object xmlns=httpovalmitreorgXMLSchemaoval-definitions-5independent id=ovalcomoraclesolaris11obj8400 version=1 comment=etcproftpdconf contains ampquotDisplayConnect etcissueampquotgt ltpath datatype=string operation=equalsgtetcltpathgt ltfilename datatype=string operation=equalsgtproftpdconfltfilenamegt ltpattern datatype=string operation=pattern matchgt^DisplayConnectsetcissues$ltpatterngt ltinstance datatype=int operation=greater than or equalgt1ltinstancegtlttextfilecontent54_objectgt
c0t0d0s0org164
$ oscap oval eval ftp-bannerxml Definition ovalcomoraclesolaris11def840 falseEvaluation done
$ oscap oval eval --results resultsxml --report reporthtml ftp-bannerxmlDefinition ovalcomoraclesolaris11def840 falseEvaluation doneOVAL Results are exported correctly
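To see what oscap actually evaluates for that "false", it helps to walk the definition by hand. The following is an added example in Python, not OpenSCAP and not code from the slides: a minimal evaluator for definitions built from textfilecontent54 tests that follows definition, criteria, criterion, test and object exactly as in ftp-banner.xml and runs the pattern against an in-memory file tree. The OVAL document embedded below is a constructed sample modelled on the slide (generator block and schema locations left out); the proftpd.conf contents are made up.

```python
# Added example (Python, not OpenSCAP): a minimal evaluator for OVAL
# definitions built from textfilecontent54 tests, enough to reproduce the
# "false" result of `oscap oval eval ftp-banner.xml` above against an
# in-memory file tree and then confirm the fix. The OVAL document below is a
# constructed sample modelled on the slide (generator block and schema
# locations left out); the proftpd.conf contents are made up.
import re
import xml.etree.ElementTree as ET

DEF_NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
IND_NS = DEF_NS + "#independent"
FTP_BANNER_DEF = "oval:com.oracle.solaris11:def:840"

FTP_BANNER_XML = r"""<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
  <definitions>
    <definition id="oval:com.oracle.solaris11:def:840" version="1" class="compliance">
      <criteria operator="AND" negate="false" comment="Single test">
        <criterion comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;"
                   test_ref="oval:com.oracle.solaris11:tst:8400" negate="false"/>
      </criteria>
    </definition>
  </definitions>
  <tests>
    <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"
        id="oval:com.oracle.solaris11:tst:8400" version="1" check="all" check_existence="all_exist">
      <object object_ref="oval:com.oracle.solaris11:obj:8400"/>
    </textfilecontent54_test>
  </tests>
  <objects>
    <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"
        id="oval:com.oracle.solaris11:obj:8400" version="1">
      <path datatype="string" operation="equals">/etc</path>
      <filename datatype="string" operation="equals">proftpd.conf</filename>
      <pattern datatype="string" operation="pattern match">^DisplayConnect\s/etc/issue\s*$</pattern>
      <instance datatype="int" operation="greater than or equal">1</instance>
    </textfilecontent54_object>
  </objects>
</oval_definitions>
"""

INSTANCE_OPS = {
    "equals": lambda k, v: k == v,
    "not equal": lambda k, v: k != v,
    "greater than": lambda k, v: k > v,
    "greater than or equal": lambda k, v: k >= v,
    "less than": lambda k, v: k < v,
    "less than or equal": lambda k, v: k <= v,
}


def _tag(ns: str, name: str) -> str:
    return "{%s}%s" % (ns, name)


def evaluate_test(root, test_id: str, files: dict) -> bool:
    """textfilecontent54_test with check_existence=all_exist and no state:
    true iff the file exists and at least one pattern match has an instance
    number accepted by the <instance> operation."""
    test = root.find(".//*[@id='%s']" % test_id)
    obj = root.find(".//*[@id='%s']" % test.find(_tag(IND_NS, "object")).get("object_ref"))
    path = obj.find(_tag(IND_NS, "path")).text.rstrip("/")
    filename = obj.find(_tag(IND_NS, "filename")).text
    pattern = re.compile(obj.find(_tag(IND_NS, "pattern")).text, re.M)
    inst = obj.find(_tag(IND_NS, "instance"))
    accept = INSTANCE_OPS[inst.get("operation", "equals")]
    content = files.get(path + "/" + filename)
    if content is None:
        return False  # object does not exist: fails all_exist
    n_matches = sum(1 for _ in pattern.finditer(content))
    return any(accept(k, int(inst.text)) for k in range(1, n_matches + 1))


def evaluate_criteria(root, node, files: dict) -> bool:
    """AND/OR over criterion and nested criteria elements, honouring negate."""
    results = []
    for child in node:
        name = child.tag.rsplit("}", 1)[-1]
        if name == "criterion":
            r = evaluate_test(root, child.get("test_ref"), files)
        elif name == "criteria":
            r = evaluate_criteria(root, child, files)
        else:
            continue  # extend_definition is not handled in this example
        results.append(r != (child.get("negate", "false") == "true"))
    result = all(results) if node.get("operator", "AND") == "AND" else any(results)
    return result != (node.get("negate", "false") == "true")


def evaluate_definition(xml_text: str, def_id: str, files: dict) -> bool:
    root = ET.fromstring(xml_text)
    definition = root.find(".//%s[@id='%s']" % (_tag(DEF_NS, "definition"), def_id))
    return evaluate_criteria(root, definition.find(_tag(DEF_NS, "criteria")), files)


# Constructed file trees: the state oscap reported false on, and the fix.
NONCOMPLIANT = {"/etc/proftpd.conf": 'ServerName "FTP"\n#DisplayConnect /etc/issue\n'}
COMPLIANT = {"/etc/proftpd.conf": 'ServerName "FTP"\nDisplayConnect /etc/issue\n'}
```

`evaluate_definition(FTP_BANNER_XML, FTP_BANNER_DEF, NONCOMPLIANT)` is false, as on the slide, because a commented-out directive does not match the anchored pattern; with the directive enabled the same call is true, and a missing file is false as well, since all_exist requires the object to be collected.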
To create your own OVAL files: Enhanced SCAP Content Editor

Find more information regarding this feature at https://blogs.oracle.com/darren/entry/compliance_reporting_with_scap
pfedit

root@template:/etc/apache2/2.2# profiles -p "httpd edit"
profiles:httpd edit> set auths=solaris.admin.edit//etc/apache2/2.2/httpd.conf
profiles:httpd edit> set desc="Edit httpd"
profiles:httpd edit> exit

root@template:/etc/apache2/2.2# usermod -P +"httpd edit" junior

junior@template:~$ profiles
httpd edit
Basic Solaris User
All

junior@template:~$ vi /etc/apache2/2.2/httpd.conf
(plain vi: junior is an ordinary user and cannot write the file)

junior@template:~$ pfedit /etc/apache2/2.2/httpd.conf
pfedit: /etc/apache2/2.2/httpd.conf has been updated.

junior@template:~$ pfedit /etc/apache2/2.2/mime.types
pfedit: User junior is not authorized to edit the file /etc/apache2/2.2/mime.types

root@template:/etc/apache2/2.2# profiles -p "httpd edit"
profiles:httpd edit> info
        name=httpd edit
        desc=Edit httpd
        auths=solaris.admin.edit//etc/apache2/2.2/httpd.conf
profiles:httpd edit> add auths=solaris.admin.edit//etc/apache2/2.2/mime.types

junior@template:~$ pfedit /etc/apache2/2.2/mime.types
pfedit: no changes for /etc/apache2/2.2/mime.types

# profiles -p "httpd configure"
profiles:httpd configure> add always_audit=as
profiles:httpd configure> info
        name=httpd configure
        desc=Configure httpd
        auths=solaris.admin.edit//etc/apache2/2.2/httpd.conf,solaris.admin.edit//etc/apache2/2.2/mime.types
        always_audit=as
        never_audit=no
profiles:httpd configure> exit
root@template:~#

root@template:~# auditreduce -c as | praudit
[...]
header,486,2,edit administrative file,,fe80::a00:27ff:fea6:33cb,2013-08-12 07:45:52.306 +00:00
subject,junior,junior,staff,junior,staff,4212,4474671663,69 136704 MacBook-Pro-of-c0t0d0s0.fritz.box
path,/etc/apache2/2.2/httpd.conf
use of authorization,solaris.admin.edit//etc/apache2/2.2/httpd.conf
text,--- /etc/apache2/2.2/httpd.conf        Mo Aug 12 07:45:00 2013
+++ /etc/apache2/2.2/httpd.conf.pfedit.1BaGoi        Mo Aug 12 07:45:52 2013
@@ -1,5 +1,6 @@
 # Test
 # Test 2
+# Test 3
 #
 # This is the main Apache HTTP server configuration file.  It contains the
 # configuration directives that give the server its instructions.
return,success,0
The audit record carries the diff itself, so you see what was changed, not only that the file was touched.
Delegating the privilege to restart services (so you can keep the root password to yourself)

junior@template:~$ svcadm refresh apache22
svcadm: svc:/network/http:apache22: Permission denied.

# svcs -a | grep apache22
online         15:30:29 svc:/network/http:apache22

# auths add -t "Apache22 value" solaris.smf.value.http.apache22
# auths add -t "Apache22 action" solaris.smf.action.http.apache22

# svccfg -s apache22 setprop general/value_authorization = astring: solaris.smf.value.http.apache22
# svccfg -s apache22 setprop general/action_authorization = astring: solaris.smf.action.http.apache22

# profiles -p "httpd edit"
profiles:httpd edit> add auths=solaris.smf.action.http.apache22

junior@template:~$ svcadm refresh apache22
junior@template:~$

The action authorization covers refresh, restart and temporary enable/disable; changing the persistent state of the service (a plain svcadm enable or disable) needs the value authorization as well, so hand out only the one you mean to delegate.
Privileges
c0t0d0s0org50
$ ls -l usrsbintraceroute-r-sr-xr-x 1 root bin 42324 Nov 21 0009 usrsbintraceroute$ ls -l usrsbinping-r-sr-xr-x 1 root bin 51396 Nov 18 1931 usrsbinping
set-id to root ping needs it to work
c0t0d0s0org51
chmod -s sbinping exit
$ ping -s 1921681132ping socket Permission denied
Remove the set-uid and ping will stop to work
c0t0d0s0org52
jmoekampdaddelkiste~$ ppriv $$2153 -bashflags = ltnonegt E basic I basic P basic L all
c0t0d0s0org53
contract_eventcontract_identitycontract_observercpc_cpudtrace_kerneldtrace_procdtrace_userfile_chownfile_chown_selffile_dac_executefile_dac_readfile_dac_searchfile_dac_writefile_downgrade_slfile_flag_setfile_link_anyfile_ownerfile_readfile_setidfile_upgrade_slfile_writegraphics_accessgraphics_mapipc_dac_readipc_dac_writeipc_ownernet_accessnet_bindmlpnet_icmpaccessnet_mac_awarenet_mac_implicitnet_observabilitynet_privaddrnet_rawaccessproc_auditproc_chrootproc_clock_highresproc_execproc_forkproc_infoproc_lock_memoryproc_ownerproc_priocntlproc_sessionproc_setidproc_taskidproc_zonesys_acctsys_adminsys_auditsys_configsys_devicessys_dl_configsys_flow_configsys_ib_configsys_ib_infosys_ip_configsys_ipc_configsys_iptun_configsys_linkdirsys_mountsys_net_configsys_nfssys_ppp_configsys_res_bindsys_res_configsys_resourcesys_sharesys_smbsys_suser_compatsys_timesys_trans_labelwin_colormapwin_configwin_dac_readwin_dac_writewin_deviceswin_dgawin_downgrade_slwin_fontpathwin_mac_readwin_mac_writewin_selectionwin_upgrade_sl
c0t0d0s0org54
contract_eventcontract_identitycontract_observercpc_cpudtrace_kerneldtrace_procdtrace_userfile_chownfile_chown_selffile_dac_executefile_dac_readfile_dac_searchfile_dac_writefile_downgrade_slfile_flag_setfile_link_anyfile_ownerfile_readfile_setidfile_upgrade_slfile_writegraphics_accessgraphics_mapipc_dac_readipc_dac_writeipc_ownernet_accessnet_bindmlpnet_icmpaccessnet_mac_awarenet_mac_implicitnet_observabilitynet_privaddrnet_rawaccessproc_auditproc_chrootproc_clock_highresproc_execproc_forkproc_infoproc_lock_memoryproc_ownerproc_priocntlproc_sessionproc_setidproc_taskidproc_zonesys_acctsys_adminsys_auditsys_configsys_devicessys_dl_configsys_flow_configsys_ib_configsys_ib_infosys_ip_configsys_ipc_configsys_iptun_configsys_linkdirsys_mountsys_net_configsys_nfssys_ppp_configsys_res_bindsys_res_configsys_resourcesys_sharesys_smbsys_suser_compatsys_timesys_trans_labelwin_colormapwin_configwin_dac_readwin_dac_writewin_deviceswin_dgawin_downgrade_slwin_fontpathwin_mac_readwin_mac_writewin_selectionwin_upgrade_sl
All privileges in their entirety assigned to one user are
(almost)
c0t0d0s0org55
contract_eventcontract_identitycontract_observercpc_cpudtrace_kerneldtrace_procdtrace_userfile_chownfile_chown_selffile_dac_executefile_dac_readfile_dac_searchfile_dac_writefile_downgrade_slfile_flag_setfile_link_anyfile_ownerfile_readfile_setidfile_upgrade_slfile_writegraphics_accessgraphics_mapipc_dac_readipc_dac_writeipc_ownernet_accessnet_bindmlpnet_icmpaccessnet_mac_awarenet_mac_implicitnet_observabilitynet_privaddrnet_rawaccessproc_auditproc_chrootproc_clock_highresproc_execproc_forkproc_infoproc_lock_memoryproc_ownerproc_priocntlproc_sessionproc_setidproc_taskidproc_zonesys_acctsys_adminsys_auditsys_configsys_devicessys_dl_configsys_flow_configsys_ib_configsys_ib_infosys_ip_configsys_ipc_configsys_iptun_configsys_linkdirsys_mountsys_net_configsys_nfssys_ppp_configsys_res_bindsys_res_configsys_resourcesys_sharesys_smbsys_suser_compatsys_timesys_trans_labelwin_colormapwin_configwin_dac_readwin_dac_writewin_deviceswin_dgawin_downgrade_slwin_fontpathwin_mac_readwin_mac_writewin_selectionwin_upgrade_sl
Neat extension inSolaris 11The ability to use networking is now a
privilege Itlsquos part of the default default set of privileges
but you can remove it
c0t0d0s0org56
moekampdaddelkiste~$ ppriv -v $$2153 -bashflags = ltnonegt E file_link_anyfile_readfile_writenet_accessproc_execproc_forkproc_infoproc_sessionsys_ib_info I file_link_anyfile_readfile_writenet_accessproc_execproc_forkproc_infoproc_sessionsys_ib_info P file_link_anyfile_readfile_writenet_accessproc_execproc_forkproc_infoproc_sessionsys_ib_info L contract_eventcontract_identitycontract_observercpc_cpudtrace_kerneldtrace_procdtrace_userfile_chownfile_chown_selffile_dac_executefile_dac_readfile_dac_searchfile_dac_writefile_downgrade_slfile_flag_setfile_link_anyfile_ownerfile_readfile_setidfile_upgrade_slfile_writegraphics_accessgraphics_mapipc_dac_readipc_dac_writeipc_ownernet_accessnet_bindmlpnet_icmpaccessnet_mac_awarenet_mac_implicitnet_observabilitynet_privaddrnet_rawaccessproc_auditproc_chrootproc_clock_highresproc_execproc_forkproc_infoproc_lock_memoryproc_ownerproc_priocntlproc_sessionproc_setidproc_taskidproc_zonesys_acctsys_adminsys_auditsys_configsys_devicessys_dl_configsys_flow_configsys_ib_configsys_ib_infosys_ip_configsys_ipc_configsys_iptun_configsys_linkdirsys_mountsys_net_configsys_nfssys_ppp_configsys_res_bindsys_res_configsys_resourcesys_sharesys_smbsys_suser_compatsys_timesys_trans_labelwin_colormapwin_configwin_dac_readwin_dac_writewin_deviceswin_dgawin_downgrade_slwin_fontpathwin_mac_readwin_mac_writewin_selectionwin_upgrade_sl
c0t0d0s0org57
rootdaddelkiste~ ppriv $$2183 -bashflags = ltnonegt E all I basic P all L all
c0t0d0s0org58
juniordaddelkiste~$ dtrace -n syscallentry num[execname] = count() dtrace failed to initialize dtrace DTrace requires additional privileges
c0t0d0s0org59
rootdaddelkiste~ usermod -K defaultpriv=basicdtrace_kerneldtrace_procdtrace_user juniorUX usermod junior is currently logged in some changes may not take effect until next login
c0t0d0s0org60
juniordaddelkiste~$ dtrace -n syscallentry num[execname] = count() dtrace description syscallentry matched 211 probes^C
automountd 1 sshd 24 dtrace 544 auditd 564
c0t0d0s0org61
ps -ef | grep kcfd daemon 125 1 0 142419 000 usrlibcryptokcfdroot 734 728 0 155408 pts1 000 grep kcfd ppriv -v 125125 usrlibcryptokcfdflags = PRIV_AWAREE file_ownerproc_priocntlsys_devicesI noneP file_ownerproc_priocntlsys_devicesL none
c0t0d0s0org62
svcadm -v enable -s apache2svcnetworkhttpapache2 enabled
c0t0d0s0org63
jmoekampclient~$ ps -ef | grep httpwebservd 1978 1975 0 121915 000 usrapache222binhttpd -k startwebservd 1979 1975 0 121915 000 usrapache222binhttpd -k startwebservd 1980 1975 0 121915 000 usrapache222binhttpd -k startwebservd 1984 1975 0 122002 000 usrapache222binhttpd -k start root 1975 1 0 121914 001 usrapache222binhttpd -k startwebservd 1977 1975 0 121915 000 usrapache222binhttpd -k startwebservd 1976 1975 0 121915 000 usrapache222binhttpd -k start
c0t0d0s0org64
rootclient~ ppriv 19771977 usrapache222binhttpd -k startflags = ltnonegt E basic I basic P basic L allrootclient~ ppriv 19751975 usrapache222binhttpd -k startflags = ltnonegt E all I basic P all L allrootclient~
c0t0d0s0org65
The complete list of Solaris 11 privileges (the "all" set):
contract_event, contract_identity, contract_observer, cpc_cpu, dtrace_kernel, dtrace_proc, dtrace_user,
file_chown, file_chown_self, file_dac_execute, file_dac_read, file_dac_search, file_dac_write, file_downgrade_sl,
file_flag_set, file_link_any, file_owner, file_read, file_setid, file_upgrade_sl, file_write,
graphics_access, graphics_map, ipc_dac_read, ipc_dac_write, ipc_owner,
net_access, net_bindmlp, net_icmpaccess, net_mac_aware, net_mac_implicit, net_observability, net_privaddr, net_rawaccess,
proc_audit, proc_chroot, proc_clock_highres, proc_exec, proc_fork, proc_info, proc_lock_memory, proc_owner,
proc_priocntl, proc_session, proc_setid, proc_taskid, proc_zone,
sys_acct, sys_admin, sys_audit, sys_config, sys_devices, sys_dl_config, sys_flow_config, sys_ib_config, sys_ib_info,
sys_ip_config, sys_ipc_config, sys_iptun_config, sys_linkdir, sys_mount, sys_net_config, sys_nfs, sys_ppp_config,
sys_res_bind, sys_res_config, sys_resource, sys_share, sys_smb, sys_suser_compat, sys_time, sys_trans_label,
win_colormap, win_config, win_dac_read, win_dac_write, win_devices, win_dga, win_downgrade_sl, win_fontpath,
win_mac_read, win_mac_write, win_selection, win_upgrade_sl

The Apache process running as root has all of these privileges (E: all, P: all).
The other processes (running as webservd) have only the basic set.
Apache really needs only a few of them (the set configured on the next slide: basic, proc_session, proc_info, file_link_any, net_privaddr).
So you grant a large number of privileges to one process that Apache doesn't need.
# svcadm -v disable -s apache2
svc:/network/http:apache2 disabled.

root@client:~# svccfg -s apache22
svc:/network/http:apache22> setprop start/user = astring: webservd
svc:/network/http:apache22> setprop start/group = astring: webservd
svc:/network/http:apache22> setprop start/privileges = astring: basic,proc_session,proc_info,file_link_any,net_privaddr
svc:/network/http:apache22> setprop start/limit_privileges = astring: :default
svc:/network/http:apache22> setprop start/use_profile = boolean: false
svc:/network/http:apache22> setprop start/supp_groups = astring: :default
svc:/network/http:apache22> setprop start/working_directory = astring: :default
svc:/network/http:apache22> setprop start/project = astring: :default
svc:/network/http:apache22> setprop start/resource_pool = astring: :default
svc:/network/http:apache22> end
root@client:~# svcadm -v refresh apache22
Action refresh set for svc:/network/http:apache22.
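The ppriv comparison above can be checked mechanically. The following Python is an added example, not code from the slides: it parses ppriv output, expands "basic" and "all" (the full list is the one on the slide; the expansion of "basic" is assumed to be the Solaris 11 default set of eight privileges) and lists which privileges the root httpd holds beyond the method context configured above.

```python
import re

# The full Solaris 11 privilege list as shown on the slide (the "all" set).
ALL_PRIVILEGES = frozenset("""
contract_event contract_identity contract_observer cpc_cpu dtrace_kernel
dtrace_proc dtrace_user file_chown file_chown_self file_dac_execute
file_dac_read file_dac_search file_dac_write file_downgrade_sl file_flag_set
file_link_any file_owner file_read file_setid file_upgrade_sl file_write
graphics_access graphics_map ipc_dac_read ipc_dac_write ipc_owner net_access
net_bindmlp net_icmpaccess net_mac_aware net_mac_implicit net_observability
net_privaddr net_rawaccess proc_audit proc_chroot proc_clock_highres
proc_exec proc_fork proc_info proc_lock_memory proc_owner proc_priocntl
proc_session proc_setid proc_taskid proc_zone sys_acct sys_admin sys_audit
sys_config sys_devices sys_dl_config sys_flow_config sys_ib_config
sys_ib_info sys_ip_config sys_ipc_config sys_iptun_config sys_linkdir
sys_mount sys_net_config sys_nfs sys_ppp_config sys_res_bind sys_res_config
sys_resource sys_share sys_smb sys_suser_compat sys_time sys_trans_label
win_colormap win_config win_dac_read win_dac_write win_devices win_dga
win_downgrade_sl win_fontpath win_mac_read win_mac_write win_selection
win_upgrade_sl
""".split())

# Assumption: the Solaris 11 "basic" set, which every unprivileged process has.
BASIC = frozenset(["file_link_any", "file_read", "file_write", "net_access",
                   "proc_exec", "proc_fork", "proc_info", "proc_session"])


def expand(spec):
    """Expand a privilege specification as ppriv prints it or svccfg accepts
    it ('all', 'basic', 'none', 'basic,net_privaddr', 'all,!sys_admin') into
    the concrete set of privilege names. A leading '!' removes a privilege."""
    privs = set()
    for token in spec.split(","):
        token = token.strip()
        if not token or token == "none":
            continue
        remove = token.startswith("!")
        name = token.lstrip("!")
        if name == "all":
            members = set(ALL_PRIVILEGES)
        elif name == "basic":
            members = set(BASIC)
        elif name in ALL_PRIVILEGES:
            members = {name}
        else:
            raise ValueError(f"unknown privilege: {name}")
        privs = privs - members if remove else privs | members
    return privs


def parse_ppriv(output):
    """Parse the E/I/P/L lines of 'ppriv <pid>' output into a dict of sets."""
    sets = {}
    for line in output.splitlines():
        m = re.match(r"\s*([EIPL]):\s*(\S*)", line)
        if m:
            sets[m.group(1)] = expand(m.group(2))
    return sets


def excess_privileges(ppriv_output, needed_spec):
    """Privileges in the process's effective set that the hardened SMF
    method context (start/privileges) would not grant, sorted by name."""
    effective = parse_ppriv(ppriv_output)["E"]
    return sorted(effective - expand(needed_spec))


# Constructed samples: the ppriv output of the root httpd (pid 1975) and of
# one webservd child (pid 1977), as shown on the slide.
ROOT_HTTPD = """1975:\t/usr/apache2/2.2/bin/httpd -k start
flags = <none>
\tE: all
\tI: basic
\tP: all
\tL: all
"""
WEBSERVD_HTTPD = """1977:\t/usr/apache2/2.2/bin/httpd -k start
flags = <none>
\tE: basic
\tI: basic
\tP: basic
\tL: all
"""
# The method context the slide sets on svc:/network/http:apache22.
HARDENED = "basic,proc_session,proc_info,file_link_any,net_privaddr"

if __name__ == "__main__":
    extra = excess_privileges(ROOT_HTTPD, HARDENED)
    print(f"root httpd holds {len(extra)} privileges the hardened context drops:")
    print(", ".join(extra))
    print("webservd child excess:", excess_privileges(WEBSERVD_HTTPD, HARDENED))
```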
# echo "LockFile /var/apache2/2.2/logs/accept.lock" >> /etc/apache2/2.2/httpd.conf
# echo "PidFile /var/apache2/2.2/run/httpd.pid" >> /etc/apache2/2.2/httpd.conf
# mkdir -p -m 755 /var/apache2/2.2/run
# chown webservd:webservd /var/apache2/2.2/run
# svcadm enable apache22

After the restart all httpd processes, including the parent (pid 3061), run as webservd:
webservd  3064  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3062  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3063  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3066  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3061     1   0 16:49:17 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3065  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
Read-only zone root

zonecfg:testzone> set file-mac-profile=none
Standard read-write non-global zone, with no additional protection beyond the existing zones boundaries.

zonecfg:testzone> set file-mac-profile=strict
Read-only file system, no exceptions.

zonecfg:testzone> set file-mac-profile=fixed-configuration
Permits updates to /var/* directories, with the exception of directories that contain system configuration components.

zonecfg:testzone> set file-mac-profile=flexible-configuration
Permits modification of files in /etc/* directories, changes to root's home directory, and updates to /var/* directories. This configuration provides the closest functionality to the Oracle Solaris 10 native sparse root zone.
in-kernel SSL proxy

# mkdir /etc/keys
# cd /etc/keys
# openssl req -x509 -nodes -days 365 -subj "/C=DE/ST=Hamburg/L=Hamburg/CN=server" -newkey rsa:1024 -keyout /etc/keys/mykey.pem -out /etc/keys/mycert.pem
# cat mycert.pem mykey.pem > my.pem
# chmod 600 my.pem

# echo "pass" > /etc/keys/mypass
# ksslcfg create -f pem -i /etc/keys/my.pem -x 8080 -p /etc/keys/mypass server 443

The same with an explicit cipher suite list (-c):
# ksslcfg create -f pem -i /etc/keys/my.pem -x 8080 -p /etc/keys/mypass -c rsa_aes_256_cbc_sha,rsa_aes_128_cbc_sha,rsa_rc4_128_sha,rsa_rc4_128_md5 server 443

# svcs -a | grep kssl
online          9:03:33 svc:/network/ssl/proxy:kssl-server-443

# svcadm disable apache22
# echo "Listen 192.168.178.108:8080" >> /etc/apache2/2.2/httpd.conf
# svcadm enable apache22
Port number and IP address have to be defined in httpd.conf, otherwise it will not work.

# openssl s_client -connect server:443
CONNECTED(00000004)
depth=0 /C=DE/ST=Hamburg/L=Hamburg/CN=server
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=DE/ST=Hamburg/L=Hamburg/CN=server
verify return:1
---
Certificate chain
 0 s:/C=DE/ST=Hamburg/L=Hamburg/CN=server
   i:/C=DE/ST=Hamburg/L=Hamburg/CN=server
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICoTCCAgqgAwIBAgIJAKyJdj[...]V5jX3MU=
-----END CERTIFICATE-----
subject=/C=DE/ST=Hamburg/L=Hamburg/CN=server
issuer=/C=DE/ST=Hamburg/L=Hamburg/CN=server
---
No client certificate CA names sent
---
SSL handshake has read 817 bytes and written 328 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-SHA
    Session-ID: 32CEF20CB9FE2A71C74D40BB2DB5CB304DA1B57540B7CFDD113915B99DBE9812
    Session-ID-ctx:
    Master-Key: 1E7B502390951124779C5763B5E4BBAF0A9B0693D08DCA8A587B503A5C5027B6FAD9CA7626B1AD8C62219E8502A5C21E
    Key-Arg   : None
    Start Time: 1242985143
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
GET / HTTP/1.0

HTTP/1.1 200 OK
Date: Fri, 22 May 2009 09:39:13 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8a DAV/2
Last-Modified: Thu, 21 May 2009 21:26:30 GMT
ETag: "341f3-2c-46a72cc211a8f"
Accept-Ranges: bytes
Content-Length: 44
Connection: close
Content-Type: text/html

<html><body><h1>It works!</h1></body></html>
read:errno=0
ZFS Encryption

# zfs create -o encryption=on rpool/export/project

Two keys are involved:
wrapping key (user settable)
encryption key (random, not user settable)
The wrapping key can come from: prompt, file, https, pkcs11

Available ciphers: aes-128-ccm (=on), aes-192-ccm, aes-256-ccm, aes-128-gcm, aes-192-gcm, aes-256-gcm

If encryption!=off, something like an automatic
  zfs set checksum=sha256+mac <dataset>
occurs. This property is read-only from now on.

# pktool genkey keystore=pkcs11 keytype=aes keylen=128 label=mykey
Enter PIN for Sun Software PKCS#11 softtoken:
# zfs create -o encryption=on -o keysource=raw,pkcs11:object=mykey tank/project/C
Enter PKCS#11 token PIN for 'tank/project/C':

# zfs create -o encryption=on -o keysource=raw,https://keys.example.com/mykey tank/project/R
# cp myservercert.pem /etc/certs/CA
# svcadm refresh ca-certificates

Changing the wrapping key:
$ zfs key -c rpool/export/project
Enter new passphrase for 'rpool/export/project':

Changing the encryption key for data written from now on:
# zfs key -K tank/project/A
# zfs clone -K tank/project/A@montag tank/project/D
Creates a new data encryption key. Data written in the clone uses the new data encryption key, which is distinct from the one of its original snapshot.
Solaris Cryptographic Framework

As soon as Solaris detects hardware acceleration for cryptography, Solaris will use it (and so will applications using the Oracle-supplied OpenSSL library or the framework's direct interfaces):
• on-chip crypto accelerator in T-series and current M-series chips
• instruction set extensions in Intel processors (AES-NI)
• supported crypto accelerator cards

Just a side note: T-series crypto acceleration and Intel x86 acceleration have rather different performance characteristics.
T-series: acceleration by offloading crypto to units outside the pipeline.
Intel x86: acceleration by offering special in-pipeline instructions to accelerate execution.
Sounds like splitting hairs ...
Using ZFS to do two-factor encryption

jmoekamp@solaris:~$ rmformat
Looking for devices...
     1. Logical Node: /dev/rdsk/c10t0d0p0
        Physical Node: /pci@0,0/pci8086,265c@b/storage@2/disk@0,0
        Connected Device: SanDisk  U3 Cruzer Micro  8.02
        Device Type: Removable
        Bus: USB
        Size: 3.8 GB
        Label:
        Access permissions: Medium is not write protected
(...)
     3. Logical Node: /dev/rdsk/c9t0d0p0
        Physical Node: /pci@0,0/pci8086,265c@b/storage@1/disk@0,0
        Connected Device: SanDisk  U3 Cruzer Micro  8.02
        Device Type: Removable
        Bus: USB
        Size: 3.8 GB
        Label:
        Access permissions: Medium is not write protected

root@solaris:~# zpool create a_keystore_usbstick /dev/dsk/c10t0d0p0
root@solaris:~# zpool create datastick /dev/dsk/c9t0d0p0

root@solaris:~# zfs create -o encryption=on a_keystore_usbstick/keys
Enter passphrase for 'a_keystore_usbstick/keys': supersecret
Enter again: supersecret

root@solaris:~# pktool genkey keystore=file keytype=aes keylen=128 outkey=/a_keystore_usbstick/keys/joergsdatastick.key

root@solaris:~# zfs create -o encryption=on -o keysource=raw,file:///a_keystore_usbstick/keys/joergsdatastick.key datastick/joergssecrets

root@solaris:/datastick/joergssecrets# mv /home/jmoekamp/highlyconfidential_nda_preso.tgz .

root@solaris:~# zpool export a_keystore_usbstick
root@solaris:~# zpool export datastick

root@solaris:~# zpool import a_keystore_usbstick
Enter passphrase for 'a_keystore_usbstick/keys': supersecret
root@solaris:~#

root@solaris:~# zpool import datastick
root@solaris:~# cd /datastick/joergssecrets
root@solaris:/datastick/joergssecrets# ls
highconfidential_nda_preso.tgz
Basic Auditing and Reporting Tool

# mkdir /bart-files
# bart create -R /etc > /bart-files/etc.control.manifest

# cat etc.control.manifest | grep nsswitch.nisplus
/nsswitch.nisplus F 2525 100644 user::rw-,group::r--,mask:r--,other:r-- 473976b5 0 3 79e8fd689a5221d1cd059e5077da71b8

# touch /etc/thisisjustatest
# chmod 777 /etc/nsswitch.files
# echo "just a test" >> /etc/nsswitch.nisplus

# bart create -R /etc > /bart-files/etc.check20130911.manifest

# cd /bart-files
# bart compare etc.control.manifest etc.check20130911.manifest
/nsswitch.files:
  mode  control:100644  test:100777
  acl  control:user::rw-,group::r--,mask:r--,other:r--  test:user::rwx,group::rwx,mask:rwx,other:rwx
/nsswitch.nisplus:
  size  control:2525  test:2538
  mtime  control:473976b5  test:47a44862
  contents  control:79e8fd689a5221d1cd059e5077da71b8  test:3f79176ec352441db11ec8a3d02ef67c
/thisisjustatest:
  add

Find more information regarding this feature at http://www.c0t0d0s0.org/archives/4069-Less-known-Solaris-features-BART.html
Apropos auditing

Auditing is activated by default.

root@client:~# auditconfig -getflags
active user default audit flags = lo(0x1000,0x1000)
configured user default audit flags = lo(0x1000,0x1000)
root@client:~# auditconfig -getnaflags
active non-attributable audit flags = lo(0x1000,0x1000)
configured non-attributable audit flags = lo(0x1000,0x1000)

root@client:~# auditconfig -getpolicy
configured audit policies = cnt
active audit policies = cnt
Policy regarding auditing (explanation on the next slide).

root@client:~# auditconfig -lspolicy
policy string    description:
ahlt             halt machine if it can not record an async event
all              all policies
arge             include exec environment args in audit recs
argv             include exec command line args in audit recs
cnt              when no more space, drop recs and keep a cnt
group            include supplementary groups in audit recs
none             no policies
path             allow multiple paths per event
perzone          use a separate queue and auditd per zone
public           audit public files
seq              include a sequence number in audit recs
trail            include trailer token in audit recs
windata_down     include downgraded window information in audit recs
windata_up       include upgraded window information in audit recs
zonename         include zonename token in audit recs
Which degree of detail? What happens with full disks?

root@client:~# auditconfig -getplugin
Plugin: audit_binfile (active)
        Attributes: p_dir=/var/audit;p_fsize=0;p_minfree=1;
Plugin: audit_syslog (inactive)
        Attributes: p_flags=;
Plugin: audit_remote (inactive)
        Attributes: p_hosts=;p_retries=3;p_timeout=5;

root@client:~# auditconfig -setflags lo,ps,fw
user default audit flags = ps,lo,fw(0x101002,0x101002)
root@client:~# auditconfig -setnaflags lo,na
non-attributable audit flags = lo,na(0x1400,0x1400)
lo and na are the only sensible flags for non-attributable events.

root@client:~# usermod -K audit_flags=fw,as junior

root@client:~# auditconfig -lsevent | grep lo
AUE_login               6152 lo login - local
AUE_logout              6153 lo logout
AUE_telnet              6154 lo login - telnet
AUE_rlogin              6155 lo login - rlogin
AUE_rshd                6158 lo rsh access
AUE_su                  6159 lo su
AUE_rexecd              6162 lo rexecd
AUE_passwd              6163 lo passwd
AUE_rexd                6164 lo rexd
AUE_ftpd                6165 lo ftp access
AUE_ftpd_logout         6171 lo ftp logout
AUE_ssh                 6172 lo login - ssh
AUE_role_login          6173 lo role login
AUE_rad_login           6174 lo connect to RAD
AUE_newgrp_login        6212 lo newgrp login
AUE_admin_authenticate  6213 lo admin login
AUE_screenlock          6221 lo screenlock - lock
AUE_screenunlock        6222 lo screenlock - unlock
AUE_zlogin              6227 lo login - zlogin
AUE_su_logout           6228 lo su logout
AUE_role_logout         6229 lo role logout
AUE_smbd_session        6244 lo smbd(1m) session setup
AUE_smbd_logoff         6245 lo smbd(1m) session logoff

root@client:~# auditconfig -lsevent | grep ps
AUE_EXIT                   1 ps exit(2)
AUE_FORKALL                2 ps forkall(2)
AUE_VFORK                 25 ps vfork(2)
AUE_FORK1                241 ps fork1(2)
root@client:~# auditconfig -lsevent | grep fw
AUE_OPEN_W                76 fw open(2) - write

root@client:~# auditreduce -c ps /var/audit/20130912183630.not_terminated.client | praudit
header,139,2,execve(2),,client,2013-09-12 18:40:55.924 +00:00
path,/usr/sbin/auditreduce
attribute,100555,root,bin,6553865875,18446744073709551615
subject,jmoekamp,root,root,root,root,205414400809562480 202240 192.168.10.1
return,success,0

root@client:~# auditconfig -setflags all
user default audit flags = all(0xffffffffffffffff,0xffffffffffffffff)
Not always (in the sense of: never) a good idea.
Useful after trying out: starting a new audit file with
root@client:~# audit -n

root@client:~# auditstat
   gen  nona   kern   aud  ctl    enq   wrtn  wblk  rblk  drop   tot  mem
 38248     1  38233    14    0  37791  37788     0  3491   457  5169    0
"all" activated for a few seconds on an unloaded system.
SSH and X.509

root@ca:~# CA.pl -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
......++++++
......++++++
writing new private key to '/etc/openssl/private/cakey.pem'
Enter PEM pass phrase: supersecret1
Verifying - Enter PEM pass phrase: supersecret1
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:DE
State or Province Name (full name) []:Lower Saxony
Locality Name (eg, city) []:Lueneburg
Organization Name (eg, company) []:c0t0d0s0.org
Organizational Unit Name (eg, section) []:Security Department
Common Name (eg, server FQDN or YOUR name) []:CA
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openssl/openssl.cnf
Enter pass phrase for /etc/openssl/private/cakey.pem: supersecret1
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            b3:54:80:88:66:ad:e8:78
        Validity
            Not Before: Sep 26 10:11:09 2013 GMT
            Not After : Sep 25 10:11:09 2016 GMT
        Subject:
            countryName               = DE
            stateOrProvinceName       = Lower Saxony
            organizationName          = c0t0d0s0.org
            organizationalUnitName    = Security Department
            commonName                = CA
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44
            X509v3 Authority Key Identifier:
                keyid:5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44

            X509v3 Basic Constraints:
                CA:TRUE
Certificate is to be certified until Sep 25 10:11:09 2016 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated
root@ca:~# mkdir server
root@ca:~# cd server
root@ca:~/server# CA.pl -newreq
Generating a 1024 bit RSA private key
......++++++
......++++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase: supersecret2
Verifying - Enter PEM pass phrase: supersecret2
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:DE
State or Province Name (full name) []:Lower Saxony
Locality Name (eg, city) []:Lueneburg
Organization Name (eg, company) []:c0t0d0s0.org
Organizational Unit Name (eg, section) []:Server Certificates
Common Name (eg, server FQDN or YOUR name) []:server
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem

root@ca:~/server# CA.pl -signreq
Using configuration from /etc/openssl/openssl.cnf
Enter pass phrase for /etc/openssl/private/cakey.pem: supersecret1
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            b3:54:80:88:66:ad:e8:79
        Validity
            Not Before: Sep 26 10:29:12 2013 GMT
            Not After : Sep 26 10:29:12 2014 GMT
        Subject:
            countryName               = DE
            stateOrProvinceName       = Lower Saxony
            localityName              = Lueneburg
            organizationName          = c0t0d0s0.org
            organizationalUnitName    = Server Certificates
            commonName                = server
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                A7:DC:03:DE:B3:D5:FB:F9:C0:06:F1:1A:55:A9:AD:04:C4:9C:10:FA
            X509v3 Authority Key Identifier:
                keyid:5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44

Certificate is to be certified until Sep 26 10:29:12 2014 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
root@ca:~/server# ls -l
total 15
-rw-r--r--   1 root     root        3196 Sep 26 12:29 newcert.pem
-rw-r--r--   1 root     root        1041 Sep 26 12:28 newkey.pem
-rw-r--r--   1 root     root         680 Sep 26 12:28 newreq.pem
root@ca:~/junior# CA.pl -newreq
Generating a 1024 bit RSA private key
......++++++
......++++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
Verify failure
Enter PEM pass phrase: supersecret3
Verifying - Enter PEM pass phrase: supersecret3
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:DE
State or Province Name (full name) []:Lower Saxony
Locality Name (eg, city) []:Lueneburg
Organization Name (eg, company) []:c0t0d0s0.org
Organizational Unit Name (eg, section) []:User certificates
Common Name (eg, server FQDN or YOUR name) []:junior
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem

root@ca:~/junior# CA.pl -signreq
Using configuration from /etc/openssl/openssl.cnf
Enter pass phrase for /etc/openssl/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            b3:54:80:88:66:ad:e8:7a
        Validity
            Not Before: Sep 26 11:09:29 2013 GMT
            Not After : Sep 26 11:09:29 2014 GMT
        Subject:
            countryName               = DE
            stateOrProvinceName       = Lower Saxony
            localityName              = Lueneburg
            organizationName          = c0t0d0s0.org
            organizationalUnitName    = User certificates
            commonName                = junior
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                A1:F2:FC:9D:8A:E2:AD:9A:F5:29:03:F5:B7:14:93:3C:64:62:8E:9C
            X509v3 Authority Key Identifier:
                keyid:5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44

Certificate is to be certified until Sep 26 11:09:29 2014 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
root@server:~# useradd -m junior
80 blocks
root@server:~# passwd junior
New Password:
Re-enter new Password:
passwd: password successfully changed for junior
root@server:~#

root@client:~# useradd -m junior
80 blocks
root@client:~# passwd junior
New Password:
Re-enter new Password:
passwd: password successfully changed for junior

root@server:~# echo "1921681051 server" >> /etc/hosts
root@server:~# echo "1921681052 client" >> /etc/hosts
root@client:~# echo "1921681051 server" >> /etc/hosts
root@client:~# echo "1921681052 client" >> /etc/hosts

root@ca:~/server# scp /etc/openssl/cacert.pem jmoekamp@1921681109:/export/home/jmoekamp
Password:
cacert.pem           100% |*****************************|  3011       00:00
root@ca:~/server# scp newcert.pem jmoekamp@1921681109:/export/home/jmoekamp
Password:
newcert.pem          100% |*****************************|  3196       00:00
root@ca:~/server# scp newkey.pem jmoekamp@1921681109:/export/home/jmoekamp
Password:
newkey.pem           100% |*****************************|  1041       00:00

root@ca:~/junior# scp newkey.pem junior@client:/export/home/junior
Password:
newkey.pem           100% |*****************************|  1041       00:00
root@ca:~/junior# scp newcert.pem junior@client:/export/home/junior
Password:
newcert.pem          100% |*****************************|  3190       00:00
root@ca:~/junior# scp /etc/openssl/cacert.pem junior@1921681104:/export/home/junior
Password:
cacert.pem           100% |*****************************|  3011       00:00
On the server

root@server:~# ls
cacert.pem  newcert.pem  newkey.pem

root@server:~# pktool setpin
Enter token passphrase: changeme
Create new passphrase: superserversecret
Re-enter new passphrase: superserversecret
Passphrase changed.
root@server:~#

root@server:~# printf "superserversecret" > /etc/ssh/pinfile

root@server:~# kmfcfg create dbfile=/etc/ssh/policy.xml policy=ssh ta-name=search mapper-name=cn

root@server:~# echo "TrustedAnchorKeystore /etc/ssh/cert" >> /etc/ssh/sshd_config
root@server:~# echo "KMFPolicyDatabase /etc/ssh/policy.xml" >> /etc/ssh/sshd_config
root@server:~# echo "KMFPolicyName ssh" >> /etc/ssh/sshd_config
root@server:~# echo "HostKey pkcs11:object=host;token=Sun Metaslot;pinfile=/etc/ssh/pinfile" >> /etc/ssh/sshd_config

root@server:~# pktool import keystore=pkcs11 infile=newkey.pem objtype=key label=host
Enter PIN for Sun Software PKCS#11 softtoken: superserversecret
Enter PEM pass phrase: supersecret2
Importing 1 keys

root@server:~# egrep -v "^ |^$|^Cert" /export/home/jmoekamp/cacert.pem > /etc/ssh/cert/cacertcooked.pem
root@server:~# egrep -v "^ |^$|^Cert" newcert.pem > newcertcooked.pem
root@server:~# pktool import keystore=pkcs11 infile=newcertcooked.pem objtype=cert label=host
root@server:~#
On the client

junior@client:~$ ls *.pem
cacert.pem  newcert.pem  newkey.pem

root@client:~# kmfcfg create dbfile=/etc/ssh/policy.xml policy=ssh ta-name=search mapper-name=cn
root@client:~# egrep -v "^ |^$|^Cert" /export/home/junior/cacert.pem > /etc/ssh/cert/cacertcooked.pem

junior@client:~$ pktool setpin
Enter token passphrase: changeme
Create new passphrase: superusersecret
Re-enter new passphrase: superusersecret
Passphrase changed.

junior@client:~$ pktool import keystore=pkcs11 infile=newkey.pem objtype=key label=user
Enter PIN for Sun Software PKCS#11 softtoken: superusersecret
Enter PEM pass phrase: supersecret3
Importing 1 keys
junior@client:~$ egrep -v "^ |^$|^Cert" newcert.pem > newcertcooked.pem
junior@client:~$ pktool import keystore=pkcs11 infile=newcertcooked.pem objtype=cert label=user

Testing it

root@server:~# svcadm disable ssh
root@server:~# svcadm enable ssh

junior@client:~$ cd .ssh
junior@client:~/.ssh$ printf "superusersecret" >> pinfile
junior@client:~/.ssh$ cat config
Host server-x509
    Hostname server
    TrustedAnchorKeystore /etc/ssh/cert
    KMFPolicyDatabase /etc/ssh/policy.xml
    KMFPolicyName ssh
    IdentityFile pkcs11:object=user;token=Sun Software PKCS#11 softtoken;pinfile=/export/home/junior/.ssh/pinfile

junior@client:~/.ssh$ ssh junior@server-x509
Last login: Thu Sep 26 20:07:14 2013 from client
Oracle Corporation      SunOS 5.11      11.1    September 2013
junior@server:~$

Find more information regarding this feature at http://www.c0t0d0s0.org/archives/7659-Using-X509-support-for-SSH-on-Solaris-11.1.html
OpenSCAP

"The Security Content Automation Protocol (SCAP) is a method for using specific standards to enable automated vulnerability management, measurement, and policy compliance evaluation (e.g., FISMA compliance). The National Vulnerability Database (NVD) is the U.S. government content repository for SCAP."
http://en.wikipedia.org/wiki/Security_Content_Automation_Protocol
ftp-banner.xml

<?xml version="1.0" encoding="UTF-8"?>
<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:independent-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd">
  <generator>
    <oval:product_name>Enhanced SCAP Editor</oval:product_name>
    <oval:product_version>0.0.11</oval:product_version>
    <oval:schema_version>5.8</oval:schema_version>
    <oval:timestamp>2012-10-11T10:33:25</oval:timestamp>
  </generator>
  <!--generated.oval.base.identifier=com.oracle.solaris11-->
  <definitions>
    <definition id="oval:com.oracle.solaris11:def:840" version="1" class="compliance">
      <metadata>
        <title>Enable a Warning Banner for the FTP Service</title>
        <affected family="unix">
          <platform>Oracle Solaris 11</platform>
        </affected>
        <description>/etc/proftpd.conf contains DisplayConnect /etc/issue</description>
      </metadata>
      <criteria operator="AND" negate="false" comment="Single test">
        <criterion comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;" test_ref="oval:com.oracle.solaris11:tst:8400" negate="false"/>
      </criteria>
    </definition>
  </definitions>
  <tests>
    <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:com.oracle.solaris11:tst:8400" version="1" check="all" comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;" check_existence="all_exist">
      <object object_ref="oval:com.oracle.solaris11:obj:8400"/>
    </textfilecontent54_test>
  </tests>
  <objects>
    <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:com.oracle.solaris11:obj:8400" version="1" comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;">
      <path datatype="string" operation="equals">/etc</path>
      <filename datatype="string" operation="equals">proftpd.conf</filename>
      <pattern datatype="string" operation="pattern match">^DisplayConnect\s/etc/issue\s*$</pattern>
      <instance datatype="int" operation="greater than or equal">1</instance>
    </textfilecontent54_object>
  </objects>
</oval_definitions>

The object that does the actual check is the textfilecontent54_object: path and filename select /etc/proftpd.conf, the pattern is matched against its lines, and the instance condition requires at least one match.
$ oscap oval eval ftp-banner.xml
Definition oval:com.oracle.solaris11:def:840: false
Evaluation done.

$ oscap oval eval --results results.xml --report report.html ftp-banner.xml
Definition oval:com.oracle.solaris11:def:840: false
Evaluation done.
OVAL Results are exported correctly.
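How oscap arrives at "false" for this definition, as an added Python example that is not part of the slides or of OpenSCAP: it evaluates the textfilecontent54 test of a trimmed copy of ftp-banner.xml against an in-memory /etc/proftpd.conf. The trimmed document and the sample file contents are constructed; the regular expression is assumed to be ^DisplayConnect\s/etc/issue\s*$.

```python
import re
import xml.etree.ElementTree as ET

NS = {
    "def": "http://oval.mitre.org/XMLSchema/oval-definitions-5",
    "ind": "http://oval.mitre.org/XMLSchema/oval-definitions-5#independent",
}

# Constructed: definition, test and object of the slide's ftp-banner.xml with
# generator and metadata trimmed; the pattern is an assumption (see lead-in).
OVAL_DOC = r"""<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
  <definitions>
    <definition id="oval:com.oracle.solaris11:def:840" version="1" class="compliance">
      <metadata><title>Enable a Warning Banner for the FTP Service</title></metadata>
      <criteria operator="AND" negate="false">
        <criterion test_ref="oval:com.oracle.solaris11:tst:8400" negate="false"/>
      </criteria>
    </definition>
  </definitions>
  <tests>
    <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"
     id="oval:com.oracle.solaris11:tst:8400" version="1" check="all" check_existence="all_exist">
      <object object_ref="oval:com.oracle.solaris11:obj:8400"/>
    </textfilecontent54_test>
  </tests>
  <objects>
    <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"
     id="oval:com.oracle.solaris11:obj:8400" version="1">
      <path datatype="string" operation="equals">/etc</path>
      <filename datatype="string" operation="equals">proftpd.conf</filename>
      <pattern datatype="string" operation="pattern match">^DisplayConnect\s/etc/issue\s*$</pattern>
      <instance datatype="int" operation="greater than or equal">1</instance>
    </textfilecontent54_object>
  </objects>
</oval_definitions>"""


def _instance_ok(index, wanted, operation):
    """Apply the <instance> operation to the 1-based index of a match."""
    return {"equals": index == wanted,
            "greater than or equal": index >= wanted,
            "less than or equal": index <= wanted}.get(operation, False)


def collect_items(obj, files):
    """Items of a textfilecontent54_object: every line of the named file that
    matches the pattern, numbered 1..n and filtered by <instance>. 'files'
    simulates the file system as {"/path/name": content} so this runs offline."""
    path = obj.find("ind:path", NS).text
    filename = obj.find("ind:filename", NS).text
    pattern = re.compile(obj.find("ind:pattern", NS).text, re.MULTILINE)
    inst = obj.find("ind:instance", NS)
    wanted, operation = int(inst.text), inst.get("operation")
    content = files.get(f"{path}/{filename}")
    if content is None:  # file absent: no items exist
        return []
    matches = [m.group(0) for m in pattern.finditer(content)]
    return [(i, t) for i, t in enumerate(matches, 1) if _instance_ok(i, wanted, operation)]


def evaluate_test(test, objects, files):
    """A test without <state> elements is decided by check_existence alone."""
    items = collect_items(objects[test.find("ind:object", NS).get("object_ref")], files)
    if test.get("check_existence", "at_least_one_exists") == "none_exist":
        return len(items) == 0
    return len(items) >= 1  # all_exist / at_least_one_exists


def evaluate_criteria(node, tests, objects, files):
    """AND/OR over nested criteria and criterion elements, honouring negate."""
    values = []
    for child in node:
        tag = child.tag.split("}")[-1]
        if tag == "criterion":
            value = evaluate_test(tests[child.get("test_ref")], objects, files)
            if child.get("negate") == "true":
                value = not value
        elif tag == "criteria":
            value = evaluate_criteria(child, tests, objects, files)
        else:
            continue
        values.append(value)
    result = all(values) if node.get("operator", "AND") == "AND" else any(values)
    return (not result) if node.get("negate") == "true" else result


def evaluate_definitions(xml_text, files):
    """Return {definition id: bool}, what 'oscap oval eval' prints per definition."""
    root = ET.fromstring(xml_text)
    tests = {t.get("id"): t for t in root.find("def:tests", NS)}
    objects = {o.get("id"): o for o in root.find("def:objects", NS)}
    return {d.get("id"): evaluate_criteria(d.find("def:criteria", NS), tests, objects, files)
            for d in root.findall("def:definitions/def:definition", NS)}


# Constructed /etc/proftpd.conf contents: without the banner line (the case on
# the slide, where oscap reported false) and with it.
NO_BANNER = {"/etc/proftpd.conf": 'ServerName "ProFTPD"\nPort 21\n'}
WITH_BANNER = {"/etc/proftpd.conf": 'ServerName "ProFTPD"\nDisplayConnect /etc/issue\nPort 21\n'}

if __name__ == "__main__":
    for label, fs in (("no banner", NO_BANNER), ("with banner", WITH_BANNER)):
        for def_id, result in evaluate_definitions(OVAL_DOC, fs).items():
            print(f"{label}: Definition {def_id}: {str(result).lower()}")
```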
To create your own OVAL files: Enhanced SCAP Content Editor

Find more information regarding this feature at https://blogs.oracle.com/darren/entry/compliance_reporting_with_scap
root@template:/etc/apache2/2.2# profiles -p "httpd edit"
profiles:httpd edit> set auths=solaris.admin.edit//etc/apache2/2.2/httpd.conf
profiles:httpd edit> set desc="Edit httpd"
profiles:httpd edit> exit

root@template:/etc/apache2/2.2# usermod -P +"httpd edit" junior

junior@template:~$ profiles
httpd edit
Basic Solaris User
All

junior@template:~$ vi /etc/apache2/2.2/httpd.conf

junior@template:~$ pfedit /etc/apache2/2.2/httpd.conf
pfedit: /etc/apache2/2.2/httpd.conf has been updated.

junior@template:~$ pfedit /etc/apache2/2.2/mime.types
pfedit: User junior is not authorized to edit the file /etc/apache2/2.2/mime.types

root@template:/etc/apache2/2.2# profiles -p "httpd edit"
profiles:httpd edit> info
        name=httpd edit
        desc=Edit httpd
        auths=solaris.admin.edit//etc/apache2/2.2/httpd.conf
profiles:httpd edit> add auths=solaris.admin.edit//etc/apache2/2.2/mime.types

junior@template:~$ pfedit /etc/apache2/2.2/mime.types
pfedit: no changes for /etc/apache2/2.2/mime.types

root@template:~# profiles -p "httpd configure"
profiles:httpd configure> add always_audit=as
profiles:httpd configure> info
        name=httpd configure
        desc=Configure httpd
        auths=solaris.admin.edit//etc/apache2/2.2/httpd.conf,solaris.admin.edit//etc/apache2/2.2/mime.types
        always_audit=as
        never_audit=no
profiles:httpd configure> exit
root@template:~#

root@template:~# auditreduce -c as | praudit
[...]
header,486,2,edit administrative file,,fe80::a00:27ff:fea6:33cb,2013-08-12 07:45:52.306 +00:00
subject,junior,junior,staff,junior,staff,4212447467166369 136704 MacBook-Pro-of-c0t0d0s0.fritz.box
path,/etc/apache2/2.2/httpd.conf
use of authorization,solaris.admin.edit//etc/apache2/2.2/httpd.conf
text,--- /etc/apache2/2.2/httpd.conf        Mo Aug 12 07:45:00 2013
+++ /etc/apache2/2.2/httpd.conf.pfedit.1BaGoi        Mo Aug 12 07:45:52 2013
@@ -1,5 +1,6 @@
 # Test
 # Test 2
+# Test 3
 #
 # This is the main Apache HTTP server configuration file.  It contains the
 # configuration directives that give the server its instructions.
return,success,0
Delegating the privilege to restart services (so you can keep the root password to yourself)

junior@template:~$ svcadm refresh apache22
svcadm: svc:/network/http:apache22: Permission denied.

# svcs -a | grep apache22
online         15:30:29 svc:/network/http:apache22

# auths add -t "Apache22 value" solaris.smf.value.http/apache22
# auths add -t "Apache22 action" solaris.smf.action.http/apache22

# svccfg -s apache22 setprop general/value_authorization = astring: solaris.smf.value.http/apache22
# svccfg -s apache22 setprop general/action_authorization = astring: solaris.smf.action.http/apache22

# profiles -p "httpd edit" "add auths=solaris.smf.action.http/apache22"

junior@template:~$ svcadm refresh apache22
junior@template:~$
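Both the pfedit decision above and the svcadm decision in this section come down to the same question: does the user hold a given authorization through user_attr, the profiles assigned there and the profiles granted to everyone by policy.conf? The following is an added example that answers it the same way (it is not Solaris code and not from the slides); the user_attr and prof_attr lines are constructed from the slides, the "Basic Solaris User" entry is abbreviated, the "senior" user and the nesting of "httpd edit" inside "httpd configure" are invented to show profile nesting, and the trailing "*" wildcard handling is a simplification of the real matching rules.

```python
"""Resolve a user's authorizations the way pfedit(1M) and svcadm(1M) check them.

Added example, not Solaris code. Databases below are constructed from the slides.
"""

# Assumption from policy.conf(4): every user implicitly gets these profiles.
PROFS_GRANTED = ["Basic Solaris User"]

USER_ATTR = """\
junior::::profiles=httpd edit;type=normal
senior::::profiles=httpd configure;roles=root
"""

PROF_ATTR = """\
httpd edit:::Edit httpd:auths=solaris.admin.edit/etc/apache2/2.2/httpd.conf,solaris.smf.action.http/apache22
httpd configure:::Configure httpd:auths=solaris.admin.edit/etc/apache2/2.2/httpd.conf,solaris.admin.edit/etc/apache2/2.2/mime.types;profiles=httpd edit;always_audit=as
Basic Solaris User:::Automatically assigned rights:auths=solaris.mail.mailq,solaris.device.mount.removable;profiles=All
All:::Execute any command as the user or role:help=RtAll.html
"""


def _parse_attr_db(text):
    """user_attr and prof_attr share the layout name:res1:res2:desc:attrs,
    where attrs is key=value;key=value and values are comma lists."""
    db = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":", 4)
        attrs = fields[4] if len(fields) > 4 else ""
        kv = {}
        for item in attrs.split(";"):
            if "=" in item:
                key, value = item.split("=", 1)
                kv[key] = [v for v in value.split(",") if v]
        db[fields[0]] = kv
    return db


def profiles_of(user, user_db, prof_db):
    """Transitive closure of the user's profiles, plus the policy.conf defaults,
    in the order the `profiles` command lists them."""
    todo = list(user_db.get(user, {}).get("profiles", [])) + PROFS_GRANTED
    seen = []
    while todo:
        prof = todo.pop(0)
        if prof in seen or prof not in prof_db:
            continue
        seen.append(prof)
        todo.extend(prof_db[prof].get("profiles", []))
    return seen


def auths_of(user, user_db, prof_db):
    auths = set(user_db.get(user, {}).get("auths", []))
    for prof in profiles_of(user, user_db, prof_db):
        auths.update(prof_db[prof].get("auths", []))
    return auths


def has_auth(user, wanted, user_db, prof_db):
    """Exact match, or a granted name ending in '*' that prefixes the wanted
    name (assumed simplification of the wildcard rules)."""
    for granted in auths_of(user, user_db, prof_db):
        if granted == wanted:
            return True
        if granted.endswith("*") and wanted.startswith(granted[:-1]):
            return True
    return False


USER_DB = _parse_attr_db(USER_ATTR)
PROF_DB = _parse_attr_db(PROF_ATTR)


def check(user, auth):
    """Convenience wrapper over the constructed databases."""
    return has_auth(user, auth, USER_DB, PROF_DB)


if __name__ == "__main__":
    for auth in ("solaris.admin.edit/etc/apache2/2.2/httpd.conf",
                 "solaris.admin.edit/etc/apache2/2.2/mime.types",
                 "solaris.smf.action.http/apache22",
                 "solaris.smf.value.http/apache22"):
        print("junior", auth, check("junior", auth))
```

With these databases junior may pfedit httpd.conf and refresh apache22 but may neither edit mime.types nor change the service's properties, which is the split the slides demonstrate: the action authorization covers svcadm, the value authorization would be needed for svccfg setprop.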
Privileges

$ ls -l /usr/sbin/traceroute
-r-sr-xr-x   1 root     bin        42324 Nov 21 00:09 /usr/sbin/traceroute
$ ls -l /usr/sbin/ping
-r-sr-xr-x   1 root     bin        51396 Nov 18 19:31 /usr/sbin/ping

set-id to root: ping needs it to work

# chmod -s /sbin/ping
# exit
$ ping -s 192.168.1.132
ping: socket Permission denied

Remove the set-uid bit and ping will stop working.

jmoekamp@daddelkiste:~$ ppriv $$
2153:   -bash
flags = <none>
        E: basic
        I: basic
        P: basic
        L: all

The full set of privileges:
contract_event, contract_identity, contract_observer, cpc_cpu, dtrace_kernel, dtrace_proc, dtrace_user, file_chown, file_chown_self, file_dac_execute, file_dac_read, file_dac_search, file_dac_write, file_downgrade_sl, file_flag_set, file_link_any, file_owner, file_read, file_setid, file_upgrade_sl, file_write, graphics_access, graphics_map, ipc_dac_read, ipc_dac_write, ipc_owner, net_access, net_bindmlp, net_icmpaccess, net_mac_aware, net_mac_implicit, net_observability, net_privaddr, net_rawaccess, proc_audit, proc_chroot, proc_clock_highres, proc_exec, proc_fork, proc_info, proc_lock_memory, proc_owner, proc_priocntl, proc_session, proc_setid, proc_taskid, proc_zone, sys_acct, sys_admin, sys_audit, sys_config, sys_devices, sys_dl_config, sys_flow_config, sys_ib_config, sys_ib_info, sys_ip_config, sys_ipc_config, sys_iptun_config, sys_linkdir, sys_mount, sys_net_config, sys_nfs, sys_ppp_config, sys_res_bind, sys_res_config, sys_resource, sys_share, sys_smb, sys_suser_compat, sys_time, sys_trans_label, win_colormap, win_config, win_dac_read, win_dac_write, win_devices, win_dga, win_downgrade_sl, win_fontpath, win_mac_read, win_mac_write, win_selection, win_upgrade_sl

All privileges in their entirety assigned to one user are (almost)

Neat extension in Solaris 11: the ability to use networking is now a privilege. It's part of the default set of privileges, but you can remove it.

jmoekamp@daddelkiste:~$ ppriv -v $$
2153:   -bash
flags = <none>
        E: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
        I: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
        P: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
        L: contract_event,contract_identity,contract_observer,cpc_cpu,dtrace_kernel,dtrace_proc,dtrace_user,file_chown,file_chown_self,file_dac_execute,file_dac_read,file_dac_search,file_dac_write,file_downgrade_sl,file_flag_set,file_link_any,file_owner,file_read,file_setid,file_upgrade_sl,file_write,graphics_access,graphics_map,ipc_dac_read,ipc_dac_write,ipc_owner,net_access,net_bindmlp,net_icmpaccess,net_mac_aware,net_mac_implicit,net_observability,net_privaddr,net_rawaccess,proc_audit,proc_chroot,proc_clock_highres,proc_exec,proc_fork,proc_info,proc_lock_memory,proc_owner,proc_priocntl,proc_session,proc_setid,proc_taskid,proc_zone,sys_acct,sys_admin,sys_audit,sys_config,sys_devices,sys_dl_config,sys_flow_config,sys_ib_config,sys_ib_info,sys_ip_config,sys_ipc_config,sys_iptun_config,sys_linkdir,sys_mount,sys_net_config,sys_nfs,sys_ppp_config,sys_res_bind,sys_res_config,sys_resource,sys_share,sys_smb,sys_suser_compat,sys_time,sys_trans_label,win_colormap,win_config,win_dac_read,win_dac_write,win_devices,win_dga,win_downgrade_sl,win_fontpath,win_mac_read,win_mac_write,win_selection,win_upgrade_sl

root@daddelkiste:~# ppriv $$
2183:   -bash
flags = <none>
        E: all
        I: basic
        P: all
        L: all

junior@daddelkiste:~$ dtrace -n 'syscall:::entry { @num[execname] = count(); }'
dtrace: failed to initialize dtrace: DTrace requires additional privileges

root@daddelkiste:~# usermod -K defaultpriv=basic,dtrace_kernel,dtrace_proc,dtrace_user junior
UX: usermod: junior is currently logged in, some changes may not take effect until next login.

junior@daddelkiste:~$ dtrace -n 'syscall:::entry { @num[execname] = count(); }'
dtrace: description 'syscall:::entry' matched 211 probes
^C

  automountd                                                        1
  sshd                                                             24
  dtrace                                                          544
  auditd                                                          564

# ps -ef | grep kcfd
  daemon   125     1   0 14:24:19 ?           0:00 /usr/lib/crypto/kcfd
    root   734   728   0 15:54:08 pts/1       0:00 grep kcfd
# ppriv -v 125
125:    /usr/lib/crypto/kcfd
flags = PRIV_AWARE
        E: file_owner,proc_priocntl,sys_devices
        I: none
        P: file_owner,proc_priocntl,sys_devices
        L: none

# svcadm -v enable -s apache2
svc:/network/http:apache2 enabled.

jmoekamp@client:~$ ps -ef | grep http
webservd  1978  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1979  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1980  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1984  1975   0 12:20:02 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
    root  1975     1   0 12:19:14 ?           0:01 /usr/apache2/2.2/bin/httpd -k start
webservd  1977  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1976  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start

root@client:~# ppriv 1977
1977:   /usr/apache2/2.2/bin/httpd -k start
flags = <none>
        E: basic
        I: basic
        P: basic
        L: all
root@client:~# ppriv 1975
1975:   /usr/apache2/2.2/bin/httpd -k start
flags = <none>
        E: all
        I: basic
        P: all
        L: all
root@client:~#

The Apache parent process running as root has all of the privileges listed above.
The other (webservd) processes have the basic set.
What Apache really needs is a much smaller subset.
So you grant a large number of privileges to one process that Apache doesn't need.

# svcadm -v disable -s apache2
svc:/network/http:apache2 disabled.

root@client:~# svccfg -s apache22
svc:/network/http:apache22> setprop start/user = astring: webservd
svc:/network/http:apache22> setprop start/group = astring: webservd
svc:/network/http:apache22> setprop start/privileges = astring: basic,proc_session,proc_info,file_link_any,net_privaddr
svc:/network/http:apache22> setprop start/limit_privileges = astring: :default
svc:/network/http:apache22> setprop start/use_profile = boolean: false
svc:/network/http:apache22> setprop start/supp_groups = astring: :default
svc:/network/http:apache22> setprop start/working_directory = astring: :default
svc:/network/http:apache22> setprop start/project = astring: :default
svc:/network/http:apache22> setprop start/resource_pool = astring: :default
svc:/network/http:apache22> end
root@client:~# svcadm -v refresh apache22
Action refresh set for svc:/network/http:apache22.

# echo "LockFile /var/apache2/2.2/logs/accept.lock" >> /etc/apache2/2.2/httpd.conf
# echo "PidFile /var/apache2/2.2/run/httpd.pid" >> /etc/apache2/2.2/httpd.conf
# mkdir -p -m 755 /var/apache2/2.2/run
# chown webservd:webservd /var/apache2/2.2/run
# svcadm enable apache22

webservd  3064  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3062  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3063  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3066  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3061     1   0 16:49:17 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3065  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
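A check that turns the ppriv listings above into a finding, as an added example (not part of the slides, not a Solaris tool): it parses `ppriv -v` output for several processes, expands the `basic`, `all` and `none` keywords the way ppriv prints them, and reports every effective privilege a process holds beyond what its binary is expected to need. The sample output is constructed from the values on the slides, the basic set is the one `ppriv -v $$` printed above, and the httpd allowlist is the set configured in the SMF method context.

```python
"""Compare process privilege sets from ppriv(1) against a per-binary allowlist.

Added example; the ppriv output below is constructed from the slides.
"""
import re

ALL_PRIVS = frozenset("""
contract_event contract_identity contract_observer cpc_cpu dtrace_kernel dtrace_proc
dtrace_user file_chown file_chown_self file_dac_execute file_dac_read file_dac_search
file_dac_write file_downgrade_sl file_flag_set file_link_any file_owner file_read
file_setid file_upgrade_sl file_write graphics_access graphics_map ipc_dac_read
ipc_dac_write ipc_owner net_access net_bindmlp net_icmpaccess net_mac_aware
net_mac_implicit net_observability net_privaddr net_rawaccess proc_audit proc_chroot
proc_clock_highres proc_exec proc_fork proc_info proc_lock_memory proc_owner
proc_priocntl proc_session proc_setid proc_taskid proc_zone sys_acct sys_admin
sys_audit sys_config sys_devices sys_dl_config sys_flow_config sys_ib_config sys_ib_info
sys_ip_config sys_ipc_config sys_iptun_config sys_linkdir sys_mount sys_net_config
sys_nfs sys_ppp_config sys_res_bind sys_res_config sys_resource sys_share sys_smb
sys_suser_compat sys_time sys_trans_label win_colormap win_config win_dac_read
win_dac_write win_devices win_dga win_downgrade_sl win_fontpath win_mac_read
win_mac_write win_selection win_upgrade_sl
""".split())

# The basic set as `ppriv -v $$` printed it on the slides.
BASIC = frozenset("file_link_any file_read file_write net_access proc_exec proc_fork "
                  "proc_info proc_session sys_ib_info".split())


def expand(spec):
    """Expand a ppriv set specification: 'all', 'basic', 'basic,!file_write', 'none'."""
    names = set()
    for tok in spec.split(","):
        tok = tok.strip()
        if tok == "all":
            names |= ALL_PRIVS
        elif tok == "basic":
            names |= BASIC
        elif tok in ("none", ""):
            continue
        elif tok.startswith("!"):
            names.discard(tok[1:])
        else:
            names.add(tok)
    return names


def parse_ppriv(text):
    """Parse concatenated `ppriv [-v] <pid>` output into {pid: {cmd, flags, E, I, P, L}}."""
    procs, cur = {}, None
    for line in text.splitlines():
        m = re.match(r"^(\d+):\s+(.*)$", line)
        if m:
            cur = {"pid": int(m.group(1)), "cmd": m.group(2).strip(), "flags": ""}
            procs[cur["pid"]] = cur
            continue
        m = re.match(r"^\s*flags\s*=\s*(.*)$", line)
        if m and cur is not None:
            cur["flags"] = m.group(1).strip()
            continue
        m = re.match(r"^\s*([EIPL]):\s*(.*)$", line)
        if m and cur is not None:
            cur[m.group(1)] = expand(m.group(2))
    return procs


def excess_privileges(procs, policy):
    """For each process whose binary is in the policy, the effective privileges beyond its allowlist."""
    report = {}
    for pid, proc in procs.items():
        binary = proc["cmd"].split()[0]
        if binary in policy:
            report[pid] = sorted(proc.get("E", set()) - policy[binary])
    return report


# Constructed from the ppriv output shown on the slides.
SAMPLE_PPRIV = """\
1977:   /usr/apache2/2.2/bin/httpd -k start
flags = <none>
        E: basic
        I: basic
        P: basic
        L: all
1975:   /usr/apache2/2.2/bin/httpd -k start
flags = <none>
        E: all
        I: basic
        P: all
        L: all
125:    /usr/lib/crypto/kcfd
flags = PRIV_AWARE
        E: file_owner,proc_priocntl,sys_devices
        I: none
        P: file_owner,proc_priocntl,sys_devices
        L: none
"""

# The method-context privileges from the svccfg session above.
HTTPD_ALLOWED = BASIC | {"proc_session", "proc_info", "file_link_any", "net_privaddr"}
POLICY = {
    "/usr/apache2/2.2/bin/httpd": HTTPD_ALLOWED,
    "/usr/lib/crypto/kcfd": frozenset({"file_owner", "proc_priocntl", "sys_devices"}),
}


def audit_sample():
    return excess_privileges(parse_ppriv(SAMPLE_PPRIV), POLICY)


if __name__ == "__main__":
    for pid, extra in sorted(audit_sample().items()):
        print(pid, "excess:", ", ".join(extra) or "none")
```

On the sample, the root-owned parent 1975 shows every privilege outside the method-context set, while 1977 and the privilege-aware kcfd come back clean; pointing the parser at live `ppriv -v` output of all httpd processes after the svccfg change should show the same empty result for the parent.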
Read-only zone root

zonecfg:testzone> set file-mac-profile=none
        Standard read-write non-global zone with no additional protection beyond the existing zone boundaries.
zonecfg:testzone> set file-mac-profile=strict
        Read-only file system, no exceptions.
zonecfg:testzone> set file-mac-profile=fixed-configuration
        Permits updates to /var/* directories, with the exception of directories that contain system configuration components.
zonecfg:testzone> set file-mac-profile=flexible-configuration
        Permits modification of files in /etc/* directories, changes to root's home directory, and updates to /var/* directories. This configuration provides the closest functionality to the Oracle Solaris 10 native sparse root zone.
in-kernel SSL Proxy

# mkdir /etc/keys
# cd /etc/keys
# openssl req -x509 -nodes -days 365 -subj "/C=DE/ST=Hamburg/L=Hamburg/CN=server" -newkey rsa:1024 -keyout /etc/keys/mykey.pem -out /etc/keys/mycert.pem
# cat mycert.pem mykey.pem > my.pem
# chmod 600 my.pem

# echo "pass" > /etc/keys/mypass
# ksslcfg create -f pem -i /etc/keys/my.pem -x 8080 -p /etc/keys/mypass server 443

# ksslcfg create -f pem -i /etc/keys/my.pem -x 8080 -p /etc/keys/mypass -c rsa_aes_256_cbc_sha,rsa_aes_128_cbc_sha,rsa_rc4_128_sha,rsa_rc4_128_md5 server 443

# svcs -a | grep kssl
online          9:03:33 svc:/network/ssl/proxy:kssl-server-443

# svcadm disable apache22
# echo "Listen 192.168.178.108:8080" >> /etc/apache2/2.2/httpd.conf
# svcadm enable apache22

Port number and IP address have to be defined in httpd.conf, otherwise it will not work.

# openssl s_client -connect server:443
CONNECTED(00000004)
depth=0 /C=DE/ST=Hamburg/L=Hamburg/CN=server
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=DE/ST=Hamburg/L=Hamburg/CN=server
verify return:1
---
Certificate chain
 0 s:/C=DE/ST=Hamburg/L=Hamburg/CN=server
   i:/C=DE/ST=Hamburg/L=Hamburg/CN=server
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICoTCCAgqgAwIBAgIJAKyJdj[...]V5jX3MU=
-----END CERTIFICATE-----
subject=/C=DE/ST=Hamburg/L=Hamburg/CN=server
issuer=/C=DE/ST=Hamburg/L=Hamburg/CN=server
---
No client certificate CA names sent
---
SSL handshake has read 817 bytes and written 328 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-SHA
    Session-ID: 32CEF20CB9FE2A71C74D40BB2DB5CB304DA1B57540B7CFDD113915B99DBE9812
    Session-ID-ctx:
    Master-Key: 1E7B502390951124779C5763B5E4BBAF0A9B0693D08DCA8A587B503A5C5027B6FAD9CA7626B1AD8C62219E8502A5C21E
    Key-Arg   : None
    Start Time: 1242985143
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
GET / HTTP/1.0

HTTP/1.1 200 OK
Date: Fri, 22 May 2009 09:39:13 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8a DAV/2
Last-Modified: Thu, 21 May 2009 21:26:30 GMT
ETag: "341f3-2c-46a72cc211a8f"
Accept-Ranges: bytes
Content-Length: 44
Connection: close
Content-Type: text/html

<html><body><h1>It works!</h1></body></html>
read:errno=0
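What a reviewer would take from that s_client session, as an added example (not from the slides, and not a ksslcfg feature): a parser for the session summary s_client prints (protocol, cipher, key size, verify return code) plus a filter for the cipher list handed to `ksslcfg -c`. The s_client excerpt is constructed from the output above; the weakness markers and the 2048-bit minimum are the example's own policy assumptions.

```python
"""Assess the TLS parameters a kssl proxy negotiated, from `openssl s_client` output.

Added example; the excerpt is constructed from the session on the slides and the
rules are assumptions, not ksslcfg behaviour.
"""
import re

S_CLIENT_OUTPUT = """\
CONNECTED(00000004)
depth=0 /C=DE/ST=Hamburg/L=Hamburg/CN=server
verify error:num=18:self signed certificate
verify return:1
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 1024 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-SHA
    Verify return code: 18 (self signed certificate)
---
"""

# Substrings that mark a cipher suite (OpenSSL or ksslcfg spelling) as weak.
WEAK_MARKERS = ("RC4", "MD5", "DES", "NULL", "EXP", "ANON")
LEGACY_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1")
MIN_RSA_BITS = 2048


def parse_s_client(text):
    """Pull protocol, cipher, server key size and verify result out of s_client output."""
    info = {"protocol": None, "cipher": None, "key_bits": None,
            "verify_code": None, "verify_reason": None}
    m = re.search(r"^\s*Protocol\s*:\s*(\S+)", text, re.M)
    if m:
        info["protocol"] = m.group(1)
    m = re.search(r"^\s*Cipher\s*:\s*(\S+)", text, re.M)
    if m:
        info["cipher"] = m.group(1)
    m = re.search(r"Server public key is (\d+) bit", text)
    if m:
        info["key_bits"] = int(m.group(1))
    m = re.search(r"Verify return code: (\d+) \(([^)]*)\)", text)
    if m:
        info["verify_code"] = int(m.group(1))
        info["verify_reason"] = m.group(2)
    return info


def assess(info):
    """Human-readable findings for one negotiated session."""
    findings = []
    if info["cipher"] and any(mk in info["cipher"].upper() for mk in WEAK_MARKERS):
        findings.append("weak cipher negotiated: %s" % info["cipher"])
    if info["protocol"] in LEGACY_PROTOCOLS:
        findings.append("legacy protocol: %s" % info["protocol"])
    if info["key_bits"] is not None and info["key_bits"] < MIN_RSA_BITS:
        findings.append("server key only %d bits" % info["key_bits"])
    if info["verify_code"] not in (None, 0):
        findings.append("certificate did not verify (%d: %s)"
                        % (info["verify_code"], info["verify_reason"]))
    return findings


def weak_kssl_ciphers(spec):
    """Entries of a `ksslcfg -c` cipher list that carry a weak marker."""
    return [c for c in spec.split(",") if any(mk in c.upper() for mk in WEAK_MARKERS)]


if __name__ == "__main__":
    for line in assess(parse_s_client(S_CLIENT_OUTPUT)):
        print("-", line)
    print("weak in ksslcfg list:",
          weak_kssl_ciphers("rsa_aes_256_cbc_sha,rsa_aes_128_cbc_sha,rsa_rc4_128_sha,rsa_rc4_128_md5"))
```

For the session on the slide this yields four findings (RC4, TLSv1, a 1024-bit key and the self-signed certificate), and the `-c` list from the ksslcfg example trims to its two RC4 entries; the practical consequence is to leave those out of the `-c` argument and to sign the proxy's certificate with a CA the clients trust.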
ZFS Encryption

# zfs create -o encryption=on rpool/export/project

Two keys are involved: the wrapping key (user settable) and the data encryption key (random, not user settable).
Sources for the wrapping key (keysource): prompt, file, https, pkcs11

Algorithms: aes-128-ccm (=on), aes-192-ccm, aes-256-ccm, aes-128-gcm, aes-192-gcm, aes-256-gcm

# zfs set checksum=sha256+mac <dataset>
If encryption is not off, something like this happens automatically. The checksum property is read-only from then on.

# pktool genkey keystore=pkcs11 keytype=aes keylen=128 label=mykey
Enter PIN for Sun Software PKCS#11 softtoken:
# zfs create -o encryption=on -o keysource=raw,pkcs11:object=mykey tank/project/C
Enter PKCS#11 token PIN for 'tank/project/C':

# zfs create -o encryption=on -o keysource=raw,https://keys.example.com/mykey tank/project/R
# cp myserver.cert.pem /etc/certs/CA
# svcadm refresh ca-certificates

Changing the wrapping key:
$ zfs key -c rpool/export/project
Enter new passphrase for 'rpool/export/project':

Changing the data encryption key for data written from now on:
# zfs key -K tank/project/A
# zfs clone -K tank/project/A@montag tank/project/D
Creates a new data encryption key. Data written in the clone uses the new data encryption key, which is distinct from that of its origin snapshot.
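The reason `zfs key -c` is cheap while `zfs key -K` only affects new writes is the two-level key hierarchy just described. The following is an added example that models it; it is not ZFS code. The wrapping key is derived from the passphrase with PBKDF2 (the iteration count is an assumption), the data encryption keys are random, and AES-CCM is replaced by an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag, an assumed stand-in chosen so the example needs only the standard library. Passphrases and block contents are constructed.

```python
"""Wrapping key versus data encryption key, as `zfs key -c` and `zfs key -K` use them.

Added example, not ZFS code. The cipher below is a standard-library stand-in for
AES-CCM; passphrases and data are constructed.
"""
import hashlib
import hmac
import os


def derive_wrapping_key(passphrase, salt):
    # zfs derives the wrapping key from a passphrase with PBKDF2; 20000 rounds is assumed
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 20000, dklen=32)


def _subkeys(key):
    # separate keys for keystream and tag, both derived from one 32-byte key
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key, plaintext):
    """Encrypt and authenticate; returns (nonce, ciphertext, tag)."""
    enc, mac = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc, nonce, len(plaintext))))
    tag = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    return nonce, ct, tag


def unseal(key, sealed):
    """Verify the tag first (what sha256+mac buys you), then decrypt."""
    nonce, ct, tag = sealed
    enc, mac = _subkeys(key)
    if not hmac.compare_digest(hmac.new(mac, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("MAC check failed: wrong key or corrupted data")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc, nonce, len(ct))))


class EncryptedDataset:
    """One dataset: wrapped DEKs and data blocks on 'disk', clear keys only while loaded."""

    def __init__(self, passphrase):
        self.salt = os.urandom(16)
        self._wk = derive_wrapping_key(passphrase, self.salt)
        self.wrapped_deks = [seal(self._wk, os.urandom(32))]  # index = key generation
        self.blocks = []                                     # (generation, sealed block)
        self._deks = [unseal(self._wk, self.wrapped_deks[0])]

    def load_key(self, passphrase):
        """zfs key -l: derive the wrapping key and unwrap every DEK generation."""
        wk = derive_wrapping_key(passphrase, self.salt)
        self._deks = [unseal(wk, w) for w in self.wrapped_deks]   # raises on a wrong passphrase
        self._wk = wk

    def write(self, data):
        gen = len(self._deks) - 1            # the newest DEK encrypts new data
        self.blocks.append((gen, seal(self._deks[gen], data)))

    def read(self):
        return [unseal(self._deks[gen], sealed) for gen, sealed in self.blocks]

    def change_wrapping_key(self, old_passphrase, new_passphrase):
        """zfs key -c: re-wrap the DEKs under a new wrapping key; no data block is touched."""
        deks = [unseal(derive_wrapping_key(old_passphrase, self.salt), w) for w in self.wrapped_deks]
        self.salt = os.urandom(16)
        self._wk = derive_wrapping_key(new_passphrase, self.salt)
        self.wrapped_deks = [seal(self._wk, d) for d in deks]
        self._deks = deks

    def new_data_key(self):
        """zfs key -K: a fresh DEK for data written from now on; older blocks keep theirs."""
        dek = os.urandom(32)
        self._deks.append(dek)
        self.wrapped_deks.append(seal(self._wk, dek))


if __name__ == "__main__":
    ds = EncryptedDataset("supersecret")
    ds.write(b"written under DEK generation 0")
    ds.change_wrapping_key("supersecret", "newpass")
    ds.new_data_key()
    ds.write(b"written under DEK generation 1")
    print([gen for gen, _ in ds.blocks], ds.read())
```

After `change_wrapping_key` the block list is byte-for-byte unchanged and the old passphrase no longer unwraps anything, while after `new_data_key` the dataset carries two wrapped DEKs and each block records which generation protects it; that is exactly why a `zfs clone -K` diverges cryptographically from its origin snapshot only for data written afterwards.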
Solaris Cryptographic Framework

As soon as Solaris detects hardware acceleration for cryptography, Solaris will use it (as will applications using the Oracle-supplied OpenSSL library or the framework's direct interfaces):
• on-chip crypto accelerator in T-series and current M-series chips
• instruction set extensions in Intel processors (AES-NI)
• supported crypto accelerator cards

Just a side note: T-series crypto acceleration and Intel x86 acceleration have quite different performance characteristics.
T-series: acceleration by offloading crypto outside the pipeline.
Intel x86: acceleration by offering special in-pipeline instructions to accelerate execution.
Sounds like splitting hairs.
Using ZFS to do two-factor encryption

jmoekamp@solaris:~$ rmformat
Looking for devices...
     1. Logical Node: /dev/rdsk/c10t0d0p0
        Physical Node: /pci@0,0/pci8086,265c@b/storage@2/disk@0,0
        Connected Device: SanDisk  U3 Cruzer Micro  8.02
        Device Type: Removable
        Bus: USB
        Size: 3.8 GB
        Label:
        Access permissions: Medium is not write protected
(...)
     3. Logical Node: /dev/rdsk/c9t0d0p0
        Physical Node: /pci@0,0/pci8086,265c@b/storage@1/disk@0,0
        Connected Device: SanDisk  U3 Cruzer Micro  8.02
        Device Type: Removable
        Bus: USB
        Size: 3.8 GB
        Label:
        Access permissions: Medium is not write protected

root@solaris:~# zpool create a_keystore_usbstick /dev/dsk/c10t0d0p0
root@solaris:~# zpool create datastick /dev/dsk/c9t0d0p0

root@solaris:~# zfs create -o encryption=on a_keystore_usbstick/keys
Enter passphrase for 'a_keystore_usbstick/keys': supersecret
Enter again: supersecret

root@solaris:~# pktool genkey keystore=file keytype=aes keylen=128 outkey=/a_keystore_usbstick/keys/joergsdatastick.key

root@solaris:~# zfs create -o encryption=on -o keysource=raw,file:///a_keystore_usbstick/keys/joergsdatastick.key datastick/joergssecrets

root@solaris:/datastick/joergssecrets# mv /home/jmoekamp/highlyconfidential_nda_presos.tgz .

root@solaris:~# zpool export a_keystore_usbstick
root@solaris:~# zpool export datastick

root@solaris:~# zpool import a_keystore_usbstick
Enter passphrase for 'a_keystore_usbstick/keys': supersecret
root@solaris:~#

root@solaris:~# zpool import datastick
root@solaris:~# cd /datastick/joergssecrets
root@solaris:/datastick/joergssecrets# ls
highconfidential_nda_presos.tgz
Basic Auditing and Reporting Tool

# mkdir /bart-files
# bart create -R /etc > /bart-files/etc.control.manifest

# cat /bart-files/etc.control.manifest | grep nsswitch.nisplus
/nsswitch.nisplus F 2525 100644 user::rw-,group::r--,mask:r--,other:r-- 473976b5 0 3 79e8fd689a5221d1cd059e5077da71b8

# touch /etc/thisisjustatest
# chmod 777 /etc/nsswitch.files
# echo "just a test" >> /etc/nsswitch.nisplus

# bart create -R /etc > /bart-files/etc.check.20130911.manifest

# cd /bart-files
# bart compare etc.control.manifest etc.check.20130911.manifest
/nsswitch.files:
  mode  control:100644  test:100777
  acl  control:user::rw-,group::r--,mask:r--,other:r--  test:user::rwx,group::rwx,mask:rwx,other:rwx
/nsswitch.nisplus:
  size  control:2525  test:2538
  mtime  control:473976b5  test:47a44862
  contents  control:79e8fd689a5221d1cd059e5077da71b8  test:3f79176ec352441db11ec8a3d02ef67c
/thisisjustatest:
  add

Find more information regarding this feature at http://www.c0t0d0s0.org/archives/4069-Less-known-Solaris-features-BART.html
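What `bart create` records and what `bart compare` does with it, as an added example (not BART itself and not from the slides): a manifest of the fields BART prints per regular file (type, size, mode, uid, gid, mtime in hex, MD5 of the contents), and a compare that reports attribute-by-attribute differences plus added and deleted files. The tree it walks is built in a temporary directory and gets the same three edits the slides make under /etc. ACLs are left out of this version.

```python
"""A manifest create/compare in the spirit of bart(1M). Added example, not BART."""
import hashlib
import os
import stat
import tempfile


def create_manifest(root):
    """Return {path relative to root: {field: value}} for every regular file below root."""
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue                      # symlinks and specials are skipped in this example
            with open(full, "rb") as fh:
                digest = hashlib.md5(fh.read()).hexdigest()
            manifest["/" + os.path.relpath(full, root)] = {
                "type": "F",
                "size": st.st_size,
                "mode": "%o" % st.st_mode,    # 100644 style, as bart prints it
                "uid": st.st_uid,
                "gid": st.st_gid,
                "mtime": "%x" % int(st.st_mtime),
                "contents": digest,
            }
    return manifest


def compare(control, test):
    """Differences keyed by path: 'add', 'delete', or {field: (control, test)}."""
    report = {}
    for path in sorted(set(control) | set(test)):
        if path not in control:
            report[path] = "add"
        elif path not in test:
            report[path] = "delete"
        else:
            changed = {f: (control[path][f], test[path][f])
                       for f in control[path] if control[path][f] != test[path][f]}
            if changed:
                report[path] = changed
    return report


def format_report(report):
    """Render the report in the layout `bart compare` uses."""
    lines = []
    for path, diff in report.items():
        lines.append(path + ":")
        if isinstance(diff, str):
            lines.append("  " + diff)
        else:
            for field, (ctl, tst) in diff.items():
                lines.append("  %s  control:%s  test:%s" % (field, ctl, tst))
    return "\n".join(lines)


def demo():
    """Constructed tree with the slides' three changes: chmod 777, append a line, add a file."""
    root = tempfile.mkdtemp()
    files = os.path.join(root, "nsswitch.files")
    nisplus = os.path.join(root, "nsswitch.nisplus")
    with open(files, "w") as fh:
        fh.write("passwd: files\ngroup: files\n")
    with open(nisplus, "w") as fh:
        fh.write("passwd: nisplus files\n")
    os.chmod(files, 0o644)
    os.chmod(nisplus, 0o644)
    control = create_manifest(root)
    os.chmod(files, 0o777)
    with open(nisplus, "a") as fh:
        fh.write("just a test\n")
    with open(os.path.join(root, "thisisjustatest"), "w"):
        pass
    return compare(control, create_manifest(root))


if __name__ == "__main__":
    print(format_report(demo()))
```

The output lists the mode change on nsswitch.files, the size and contents (and usually mtime) change on nsswitch.nisplus, and thisisjustatest as added, mirroring the bart compare output above; as with BART, the control manifest only has value if it is stored somewhere the monitored host cannot rewrite.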
Apropos Auditing

Auditing is activated by default.

root@client:~# auditconfig -getflags
active user default audit flags = lo(0x1000,0x1000)
configured user default audit flags = lo(0x1000,0x1000)
root@client:~# auditconfig -getnaflags
active non-attributable audit flags = lo(0x1000,0x1000)
configured non-attributable audit flags = lo(0x1000,0x1000)

root@client:~# auditconfig -getpolicy
configured audit policies = cnt
active audit policies = cnt
Policy regarding auditing (explanation on the next slide)

root@client:~# auditconfig -lspolicy
policy string     description:
ahlt              halt machine if it can not record an async event
all               all policies
arge              include exec environment args in audit recs
argv              include exec command line args in audit recs
cnt               when no more space, drop recs and keep a cnt
group             include supplementary groups in audit recs
none              no policies
path              allow multiple paths per event
perzone           use a separate queue and auditd per zone
public            audit public files
seq               include a sequence number in audit recs
trail             include trailer token in audit recs
windata_down      include downgraded window information in audit recs
windata_up        include upgraded window information in audit recs
zonename          include zonename token in audit recs
Which degree of detail? What happens with full disks?

root@client:~# auditconfig -getplugin
Plugin: audit_binfile (active)
        Attributes: p_dir=/var/audit;p_fsize=0;p_minfree=1;
Plugin: audit_syslog (inactive)
        Attributes: p_flags=;
Plugin: audit_remote (inactive)
        Attributes: p_hosts=;p_retries=3;p_timeout=5;

root@client:~# auditconfig -setflags lo,ps,fw
user default audit flags = ps,lo,fw(0x101002,0x101002)
root@client:~# auditconfig -setnaflags lo,na
non-attributable audit flags = lo,na(0x1400,0x1400)
lo and na are the only sensible flags for non-attributable events.

root@client:~# usermod -K audit_flags=fw,as junior

root@client:~# auditconfig -lsevent | grep lo
AUE_login                   6152 lo login - local
AUE_logout                  6153 lo logout
AUE_telnet                  6154 lo login - telnet
AUE_rlogin                  6155 lo login - rlogin
AUE_rshd                    6158 lo rsh access
AUE_su                      6159 lo su
AUE_rexecd                  6162 lo rexecd
AUE_passwd                  6163 lo passwd
AUE_rexd                    6164 lo rexd
AUE_ftpd                    6165 lo ftp access
AUE_ftpd_logout             6171 lo ftp logout
AUE_ssh                     6172 lo login - ssh
AUE_role_login              6173 lo role login
AUE_rad_login               6174 lo connect to RAD
AUE_newgrp_login            6212 lo newgrp login
AUE_admin_authenticate      6213 lo admin login
AUE_screenlock              6221 lo screenlock - lock
AUE_screenunlock            6222 lo screenlock - unlock
AUE_zlogin                  6227 lo login - zlogin
AUE_su_logout               6228 lo su logout
AUE_role_logout             6229 lo role logout
AUE_smbd_session            6244 lo smbd(1m) session setup
AUE_smbd_logoff             6245 lo smbd(1m) session logoff

root@client:~# auditconfig -lsevent | grep ps
AUE_EXIT                       1 ps exit(2)
AUE_FORKALL                    2 ps forkall(2)
AUE_VFORK                     25 ps vfork(2)
AUE_FORK1                    241 ps fork1(2)
root@client:~# auditconfig -lsevent | grep fw
AUE_OPEN_W                    76 fw open(2) - write

# auditreduce -c ps /var/audit/20130912183630.not_terminated.client | praudit
header,139,2,execve(2),,client,2013-09-12 18:40:55.924 +00:00
path,/usr/sbin/auditreduce
attribute,100555,root,bin,65538,65875,18446744073709551615
subject,jmoekamp,root,root,root,root,2054,1440080956,2480 202240 192.168.10.1
return,success,0

root@client:~# auditconfig -setflags all
user default audit flags = all(0xffffffffffffffff,0xffffffffffffffff)
Not always (in the sense of never) a good idea.
Useful after trying things out - starting a new audit file:
root@client:~# audit -n

root@client:~# auditstat
  gen  nona  kern   aud   ctl   enq  wrtn  wblk  rblk  drop   tot   mem
38248     1 38233    14     0 37791 37788     0  3491   457  5169     0
All flags activated for a few seconds on an unloaded system.
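Both praudit records on this page (the "edit administrative file" record from the pfedit section and the execve record just above) share the token-per-line layout that praudit emits by default. The following is an added example, not Solaris code, that groups those lines into records and pulls out the two things an administrator reviewing the trail wants: delegated edits of administrative files, and executions of a given binary where the effective uid is not the audit id (root work done by a named person). The sample records are constructed from the two shown on the slides; the diff inside the text token is shortened.

```python
"""Parse praudit(1M) text records and report the events worth a second look.

Added example; the sample records are constructed from the slides.
"""

TOKEN_NAMES = {"header", "subject", "path", "attribute", "use of authorization",
               "text", "return", "trailer", "exec_args", "zone"}

SAMPLE_PRAUDIT = """\
header,486,2,edit administrative file,,fe80::a00:27ff:fea6:33cb,2013-08-12 07:45:52.306 +00:00
subject,junior,junior,staff,junior,staff,4212,447467166,369 136704 MacBook-Pro-of-c0t0d0s0.fritz.box
path,/etc/apache2/2.2/httpd.conf
use of authorization,solaris.admin.edit/etc/apache2/2.2/httpd.conf
text,--- /etc/apache2/2.2/httpd.conf Mo Aug 12 07:45:00 2013
+++ /etc/apache2/2.2/httpd.conf.pfedit.1BaGoi Mo Aug 12 07:45:52 2013
+# Test 3
return,success,0
header,139,2,execve(2),,client,2013-09-12 18:40:55.924 +00:00
path,/usr/sbin/auditreduce
attribute,100555,root,bin,65538,65875,18446744073709551615
subject,jmoekamp,root,root,root,root,2054,1440080956,2480 202240 192.168.10.1
return,success,0
"""


def parse_praudit(text):
    """Group praudit lines into records ({token: [fields, ...]}).

    A record starts at a header token. Lines whose first field is not a token
    name continue the previous text token (pfedit stores the diff there).
    Commas inside a text payload would be split too; that limitation is accepted here.
    """
    records, cur, last_token = [], None, None
    for line in text.splitlines():
        name, _, rest = line.partition(",")
        if name in TOKEN_NAMES and (cur is not None or name == "header"):
            if name == "header":
                cur = {}
                records.append(cur)
            cur.setdefault(name, []).append(rest.split(","))
            last_token = name
        elif cur is not None and last_token == "text":
            cur["text"][-1][-1] += "\n" + line
    return records


def event(rec):
    return rec["header"][0][2]


def subject(rec):
    s = rec["subject"][0]
    return {"audit_id": s[0], "uid": s[1], "gid": s[2], "ruid": s[3], "rgid": s[4],
            "pid": s[5], "sid": s[6], "tid": s[7]}


def outcome(rec):
    return rec["return"][0][0] if "return" in rec else None


def admin_file_edits(records):
    """(user, file, authorization) for every 'edit administrative file' event."""
    out = []
    for rec in records:
        if event(rec) == "edit administrative file":
            out.append((subject(rec)["audit_id"], rec["path"][0][0],
                        rec["use of authorization"][0][0]))
    return out


def privileged_execs(records, binary):
    """execve of `binary` where the effective uid differs from the audit id."""
    out = []
    for rec in records:
        if event(rec).startswith("execve") and rec.get("path", [[""]])[0][0] == binary:
            s = subject(rec)
            if s["uid"] != s["audit_id"]:
                out.append((s["audit_id"], s["uid"], outcome(rec)))
    return out


if __name__ == "__main__":
    recs = parse_praudit(SAMPLE_PRAUDIT)
    print("admin file edits:", admin_file_edits(recs))
    print("auditreduce runs:", privileged_execs(recs, "/usr/sbin/auditreduce"))
```

The first function is what the `always_audit=as` setting on the "httpd configure" profile is for: every pfedit under the delegated authorization lands in the trail with the user, the file and the diff, and the second shows why the audit id (the login identity) rather than the effective uid is the field to report on once people work through su or roles.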
SSH and X509
c0t0d0s0org131
rootca~ CApl -newcaCA certificate filename (or enter to create)
Making CA certificate Generating a 1024 bit RSA private key++++++++++++writing new private key to etcopensslprivatecakeypemEnter PEM pass phrase supersecret1Verifying - Enter PEM pass phrase supersecret1-----You are about to be asked to enter information that will be incorporatedinto your certificate requestWhat you are about to enter is what is called a Distinguished Name or a DNThere are quite a few fields but you can leave some blankFor some fields there will be a default valueIf you enter the field will be left blank-----Country Name (2 letter code) []DEState or Province Name (full name) []Lower SaxonyLocality Name (eg city) []LueneburgOrganization Name (eg company) []c0t0d0s0orgOrganizational Unit Name (eg section) []Security DepartmentCommon Name (eg server FQDN or YOUR name) []CAEmail Address []
Please enter the following extra attributesto be sent with your certificate requestA challenge password []An optional company name []Using configuration from etcopensslopensslcnf
Enter pass phrase for etcopensslprivatecakeypem supersecret1Check that the request matches the signatureSignature okCertificate Details Serial Number b354808866ade878 Validity Not Before Sep 26 101109 2013 GMT Not After Sep 25 101109 2016 GMT Subject countryName = DE stateOrProvinceName = Lower Saxony organizationName = c0t0d0s0org organizationalUnitName = Security Department commonName = CA X509v3 extensions X509v3 Subject Key Identifier 5B1F2F7186123040501552818D525AA5597E3644 X509v3 Authority Key Identifier keyid5B1F2F7186123040501552818D525AA5597E3644
X509v3 Basic Constraints CATRUECertificate is to be certified until Sep 25 101109 2016 GMT (1095 days)
Write out database with 1 new entriesData Base Updated
c0t0d0s0org132
rootca~ mkdir serverrootca~ cd serverrootca~server CApl -newreqGenerating a 1024 bit RSA private key++++++++++++writing new private key to newkeypemEnter PEM pass phrase supersecret2Verifying - Enter PEM pass phrase supersecret2-----You are about to be asked to enter information that will be incorporatedinto your certificate requestWhat you are about to enter is what is called a Distinguished Name or a DNThere are quite a few fields but you can leave some blankFor some fields there will be a default valueIf you enter the field will be left blank-----Country Name (2 letter code) []DEState or Province Name (full name) []Lower SaxonyLocality Name (eg city) []LueneburgOrganization Name (eg company) []c0t0d0s0orgOrganizational Unit Name (eg section) []Server Certificates
Common Name (eg server FQDN or YOUR name) []serverEmail Address []
Please enter the following extra attributesto be sent with your certificate requestA challenge password []An optional company name []Request is in newreqpem private key is in newkeypem
c0t0d0s0org133
rootca~ mkdir serverrootca~ cd serverrootca~server CApl -newreqGenerating a 1024 bit RSA private key++++++++++++writing new private key to newkeypemEnter PEM pass phrase supersecret2Verifying - Enter PEM pass phrase supersecret2-----You are about to be asked to enter information that will be incorporatedinto your certificate requestWhat you are about to enter is what is called a Distinguished Name or a DNThere are quite a few fields but you can leave some blankFor some fields there will be a default valueIf you enter the field will be left blank-----Country Name (2 letter code) []DEState or Province Name (full name) []Lower SaxonyLocality Name (eg city) []LueneburgOrganization Name (eg company) []c0t0d0s0orgOrganizational Unit Name (eg section) []Server Certificates
Common Name (eg server FQDN or YOUR name) []serverEmail Address []
Please enter the following extra attributesto be sent with your certificate requestA challenge password []An optional company name []Request is in newreqpem private key is in newkeypem
c0t0d0s0org134
rootca~server CApl -signreqUsing configuration from etcopensslopensslcnfEnter pass phrase for etcopensslprivatecakeypem supersecret1Check that the request matches the signatureSignature okCertificate Details Serial Number b354808866ade879 Validity Not Before Sep 26 102912 2013 GMT Not After Sep 26 102912 2014 GMT Subject countryName = DE stateOrProvinceName = Lower Saxony localityName = Lueneburg organizationName = c0t0d0s0org organizationalUnitName = Server Certificates commonName = server X509v3 extensions X509v3 Basic Constraints CAFALSE Netscape Comment OpenSSL Generated Certificate X509v3 Subject Key Identifier
A7DC03DEB3D5FBF9C006F11A55A9AD04C49C10FA X509v3 Authority Key Identifier keyid5B1F2F7186123040501552818D525AA5597E3644
Certificate is to be certified until Sep 26 102912 2014 GMT (365 days)Sign the certificate [yn]y
1 out of 1 certificate requests certified commit [yn]yWrite out database with 1 new entriesData Base UpdatedSigned certificate is in newcertpemrootca~server ls -ltotal 15-rw-r--r-- 1 root root 3196 Sep 26 1229 newcertpem-rw-r--r-- 1 root root 1041 Sep 26 1228 newkeypem-rw-r--r-- 1 root root 680 Sep 26 1228 newreqpem
c0t0d0s0org135
root@ca:~/junior# CA.pl -newreq
Generating a 1024 bit RSA private key
++++++++++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
Verify failure
Enter PEM pass phrase: supersecret3
Verifying - Enter PEM pass phrase: supersecret3
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:DE
State or Province Name (full name) []:Lower Saxony
Locality Name (eg, city) []:Lueneburg
Organization Name (eg, company) []:c0t0d0s0.org
Organizational Unit Name (eg, section) []:User certificates
Common Name (eg, server FQDN or YOUR name) []:junior
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem
root@ca:~/junior# CA.pl -signreq
Using configuration from /etc/openssl/openssl.cnf
Enter pass phrase for /etc/openssl/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: b354808866ade87a
        Validity
            Not Before: Sep 26 11:09:29 2013 GMT
            Not After : Sep 26 11:09:29 2014 GMT
        Subject:
            countryName               = DE
            stateOrProvinceName       = Lower Saxony
            localityName              = Lueneburg
            organizationName          = c0t0d0s0.org
            organizationalUnitName    = User certificates
            commonName                = junior
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                A1F2FC9D8AE2AD9AF52903F5B714933C64628E9C
            X509v3 Authority Key Identifier:
                keyid:5B1F2F7186123040501552818D525AA5597E3644

Certificate is to be certified until Sep 26 11:09:29 2014 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
root@server:~# useradd -m junior
80 blocks
root@server:~# passwd junior
New Password:
Re-enter new Password:
passwd: password successfully changed for junior
root@server:~#

root@client:~# useradd -m junior
80 blocks
root@client:~# passwd junior
New Password:
Re-enter new Password:
passwd: password successfully changed for junior
root@server:~# echo "192.168.105.1 server" >> /etc/hosts
root@server:~# echo "192.168.105.2 client" >> /etc/hosts

root@client:~# echo "192.168.105.1 server" >> /etc/hosts
root@client:~# echo "192.168.105.2 client" >> /etc/hosts
root@ca:~/server# scp /etc/openssl/cacert.pem jmoekamp@192.168.1.109:/export/home/jmoekamp
Password:
cacert.pem           100% |*****************************|  3011       00:00
root@ca:~/server# scp newcert.pem jmoekamp@192.168.1.109:/export/home/jmoekamp
Password:
newcert.pem          100% |*****************************|  3196       00:00
root@ca:~/server# scp newkey.pem jmoekamp@192.168.1.109:/export/home/jmoekamp
Password:
newkey.pem           100% |*****************************|  1041       00:00

root@ca:~/junior# scp newkey.pem junior@client:/export/home/junior
Password:
newkey.pem           100% |*****************************|  1041       00:00
root@ca:~/junior# scp newcert.pem junior@client:/export/home/junior
Password:
newcert.pem          100% |*****************************|  3190       00:00
root@ca:~/junior# scp /etc/openssl/cacert.pem junior@192.168.1.104:/export/home/junior
Password:
cacert.pem           100% |*****************************|  3011       00:00
On the Server

root@server:~# ls
cacert.pem  newcert.pem  newkey.pem
root@server:~# pktool setpin
Enter token passphrase: changeme
Create new passphrase: superserversecret
Re-enter new passphrase: superserversecret
Passphrase changed.
root@server:~#
root@server:~# printf "superserversecret" > /etc/ssh/pinfile
root@server:~# kmfcfg create dbfile=/etc/ssh/policy.xml policy=ssh ta-name=search mapper-name=cn
root@server:~# echo "TrustedAnchorKeystore /etc/ssh/cert" >> /etc/ssh/sshd_config
root@server:~# echo "KMFPolicyDatabase /etc/ssh/policy.xml" >> /etc/ssh/sshd_config
root@server:~# echo "KMFPolicyName ssh" >> /etc/ssh/sshd_config
root@server:~# echo "HostKey pkcs11:object=host;token=Sun Metaslot;pinfile=/etc/ssh/pinfile" >> /etc/ssh/sshd_config
root@server:~# pktool import keystore=pkcs11 infile=newkey.pem objtype=key label=host
Enter PIN for Sun Software PKCS#11 softtoken: superserversecret
Enter PEM pass phrase: supersecret2
Importing 1 keys
root@server:~# egrep -v "^ |^$|^Cert" /export/home/jmoekamp/cacert.pem > /etc/ssh/cert/cacert.cooked.pem
root@server:~# egrep -v "^ |^$|^Cert" newcert.pem > newcert.cooked.pem
root@server:~# pktool import keystore=pkcs11 infile=newcert.cooked.pem objtype=cert label=host
root@server:~#
On the client

junior@client:~$ ls *.pem
cacert.pem  newcert.pem  newkey.pem
root@client:~# kmfcfg create dbfile=/etc/ssh/policy.xml policy=ssh ta-name=search mapper-name=cn
root@client:~# egrep -v "^ |^$|^Cert" /export/home/junior/cacert.pem > /etc/ssh/cert/cacert.cooked.pem
junior@client:~$ pktool setpin
Enter token passphrase: changeme
Create new passphrase: superusersecret
Re-enter new passphrase: superusersecret
Passphrase changed.
junior@client:~$ pktool import keystore=pkcs11 infile=newkey.pem objtype=key label=user
Enter PIN for Sun Software PKCS#11 softtoken: superusersecret
Enter PEM pass phrase: supersecret3
Importing 1 keys
junior@client:~$ egrep -v "^ |^$|^Cert" newcert.pem > newcert.cooked.pem
junior@client:~$ pktool import keystore=pkcs11 infile=newcert.cooked.pem objtype=cert label=user
Testing it

root@server:~# svcadm disable ssh
root@server:~# svcadm enable ssh
junior@client:~$ cd .ssh
junior@client:~/.ssh$ printf "superusersecret" >> pinfile
junior@client:~/.ssh$ cat config
Host server-x509
    Hostname server
    TrustedAnchorKeystore /etc/ssh/cert
    KMFPolicyDatabase /etc/ssh/policy.xml
    KMFPolicyName ssh
    IdentityFile pkcs11:object=user;token=Sun Software PKCS#11 softtoken;pinfile=/export/home/junior/.ssh/pinfile
junior@client:~/.ssh$ ssh junior@server-x509
Last login: Thu Sep 26 20:07:14 2013 from client
Oracle Corporation      SunOS 5.11      11.1    September 2013
junior@server:~$
Find more information regarding this feature at
http://www.c0t0d0s0.org/archives/7659-Using-X509-support-for-SSH-on-Solaris-11.1.html
OpenSCAP

„The Security Content Automation Protocol (SCAP) is a method for using specific standards to enable automated vulnerability management, measurement, and policy compliance evaluation (e.g., FISMA compliance). The National Vulnerability Database (NVD) is the U.S. government content repository for SCAP.“
http://en.wikipedia.org/wiki/Security_Content_Automation_Protocol
ftp-banner.xml

<?xml version="1.0" encoding="UTF-8"?>
<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:independent-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd">
  <generator>
    <oval:product_name>Enhanced SCAP Editor</oval:product_name>
    <oval:product_version>0.0.11</oval:product_version>
    <oval:schema_version>5.8</oval:schema_version>
    <oval:timestamp>2012-10-11T10:33:25</oval:timestamp>
  </generator>
  <!--generated.oval.base.identifier=com.oracle.solaris11-->
  <definitions>
    <definition id="oval:com.oracle.solaris11:def:840" version="1" class="compliance">
      <metadata>
        <title>Enable a Warning Banner for the FTP Service</title>
        <affected family="unix">
          <platform>Oracle Solaris 11</platform>
        </affected>
        <description>/etc/proftpd.conf contains "DisplayConnect /etc/issue"</description>
      </metadata>
      <criteria operator="AND" negate="false" comment="Single test">
        <criterion comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;" test_ref="oval:com.oracle.solaris11:tst:8400" negate="false"/>
      </criteria>
    </definition>
  </definitions>
  <tests>
    <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:com.oracle.solaris11:tst:8400" version="1" check="all" comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;" check_existence="all_exist">
      <object object_ref="oval:com.oracle.solaris11:obj:8400"/>
    </textfilecontent54_test>
  </tests>
  <objects>
    <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:com.oracle.solaris11:obj:8400" version="1" comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;">
      <path datatype="string" operation="equals">/etc</path>
      <filename datatype="string" operation="equals">proftpd.conf</filename>
      <pattern datatype="string" operation="pattern match">^DisplayConnect\s/etc/issue\s*$</pattern>
      <instance datatype="int" operation="greater than or equal">1</instance>
    </textfilecontent54_object>
  </objects>
</oval_definitions>
The object that does the actual work:

    <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:com.oracle.solaris11:obj:8400" version="1" comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;">
      <path datatype="string" operation="equals">/etc</path>
      <filename datatype="string" operation="equals">proftpd.conf</filename>
      <pattern datatype="string" operation="pattern match">^DisplayConnect\s/etc/issue\s*$</pattern>
      <instance datatype="int" operation="greater than or equal">1</instance>
    </textfilecontent54_object>
$ oscap oval eval ftp-banner.xml
Definition oval:com.oracle.solaris11:def:840: false
Evaluation done.

$ oscap oval eval --results results.xml --report report.html ftp-banner.xml
Definition oval:com.oracle.solaris11:def:840: false
Evaluation done.
OVAL Results are exported correctly.
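To make visible what oscap actually decides for ftp-banner.xml, here is an added example (not the deck's code and not part of OpenSCAP) that evaluates the same textfilecontent54 definition against a constructed, in-memory stand-in for /etc/proftpd.conf; it supports only the subset of OVAL the slide uses, and the cut-down XML, the two sample configs and the function names are assumptions of this example.

```python
"""Minimal evaluator for the OVAL textfilecontent54 check in ftp-banner.xml.

Added example, not code from the deck and not part of OpenSCAP. Supported:
criteria/criterion (AND/OR, negate), textfilecontent54_test with
check_existence, textfilecontent54_object with equals / pattern match /
instance. A dict of absolute path -> file text stands in for the file system.
"""
import re
import xml.etree.ElementTree as ET

DEF_NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
IND_NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"

# Constructed cut-down copy of the slide's ftp-banner.xml: same ids, same
# object, same pattern; generator and metadata left out.
FTP_BANNER_XML = r"""<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
  <definitions>
    <definition id="oval:com.oracle.solaris11:def:840" version="1" class="compliance">
      <criteria operator="AND" negate="false">
        <criterion test_ref="oval:com.oracle.solaris11:tst:8400" negate="false"/>
      </criteria>
    </definition>
  </definitions>
  <tests>
    <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"
        id="oval:com.oracle.solaris11:tst:8400" version="1" check="all" check_existence="all_exist">
      <object object_ref="oval:com.oracle.solaris11:obj:8400"/>
    </textfilecontent54_test>
  </tests>
  <objects>
    <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"
        id="oval:com.oracle.solaris11:obj:8400" version="1">
      <path datatype="string" operation="equals">/etc</path>
      <filename datatype="string" operation="equals">proftpd.conf</filename>
      <pattern datatype="string" operation="pattern match">^DisplayConnect\s/etc/issue\s*$</pattern>
      <instance datatype="int" operation="greater than or equal">1</instance>
    </textfilecontent54_object>
  </objects>
</oval_definitions>"""


def qname(ns, tag):
    """Clark-notation tag name for ElementTree lookups."""
    return "{%s}%s" % (ns, tag)


def collect_items(obj, files):
    """Apply a textfilecontent54_object to the file map and return the
    matching lines (the OVAL 'items'), filtered by <instance>."""
    path = obj.find(qname(IND_NS, "path")).text
    filename = obj.find(qname(IND_NS, "filename")).text
    pattern = re.compile(obj.find(qname(IND_NS, "pattern")).text, re.MULTILINE)
    inst = obj.find(qname(IND_NS, "instance"))
    n, op = int(inst.text), inst.get("operation", "equals")
    content = files.get(path.rstrip("/") + "/" + filename)
    if content is None:
        return []                              # file absent: no items at all
    matches = [m.group(0) for m in pattern.finditer(content)]
    if op == "equals":                         # only the n-th match
        return matches[n - 1:n]
    if op == "greater than or equal":          # the n-th match and all later ones
        return matches[n - 1:]
    raise ValueError("unsupported instance operation: %s" % op)


def eval_test(test, objects, files):
    """Evaluate a textfilecontent54_test; the slide references no <state>,
    so check_existence alone decides."""
    obj = objects[test.find(qname(IND_NS, "object")).get("object_ref")]
    items = collect_items(obj, files)
    existence = test.get("check_existence", "at_least_one_exists")
    if existence in ("all_exist", "at_least_one_exists"):
        return len(items) >= 1
    if existence == "none_exist":
        return len(items) == 0
    raise ValueError("unsupported check_existence: %s" % existence)


def eval_criteria(node, tests, objects, files):
    """Combine the children with the node's operator, honouring negate."""
    values = []
    for child in node:
        tag = child.tag.split("}")[-1]
        if tag == "criteria":
            value = eval_criteria(child, tests, objects, files)
        elif tag == "criterion":
            value = eval_test(tests[child.get("test_ref")], objects, files)
        else:
            raise ValueError("unsupported criteria child: %s" % tag)
        values.append(not value if child.get("negate") == "true" else value)
    result = all(values) if node.get("operator", "AND") == "AND" else any(values)
    return not result if node.get("negate") == "true" else result


def evaluate_definitions(xml_text, files):
    """Return {definition id: bool}, i.e. the verdicts oscap prints."""
    root = ET.fromstring(xml_text)
    tests = {t.get("id"): t for t in root.find(qname(DEF_NS, "tests"))}
    objects = {o.get("id"): o for o in root.find(qname(DEF_NS, "objects"))}
    return {d.get("id"): eval_criteria(d.find(qname(DEF_NS, "criteria")), tests, objects, files)
            for d in root.find(qname(DEF_NS, "definitions"))}


# Constructed stand-ins for /etc/proftpd.conf on two hosts.
NO_BANNER = {"/etc/proftpd.conf": 'ServerName "ProFTPD"\nPort 21\n'}
WITH_BANNER = {"/etc/proftpd.conf": 'ServerName "ProFTPD"\nDisplayConnect /etc/issue\nPort 21\n'}

if __name__ == "__main__":
    for label, files in (("without banner", NO_BANNER), ("with banner", WITH_BANNER)):
        for def_id, verdict in evaluate_definitions(FTP_BANNER_XML, files).items():
            print("%s: Definition %s: %s" % (label, def_id, str(verdict).lower()))
```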
To create your own OVAL files: Enhanced SCAP Content Editor

Find more information regarding this feature at
https://blogs.oracle.com/darren/entry/compliance_reporting_with_scap
root@template:/etc/apache2/2.2# usermod -P +"httpd edit" junior

junior@template:~$ profiles
httpd edit
Basic Solaris User
All

junior@template:~$ vi /etc/apache2/2.2/httpd.conf

junior@template:~$ pfedit /etc/apache2/2.2/httpd.conf
pfedit: /etc/apache2/2.2/httpd.conf has been updated.

junior@template:~$ pfedit /etc/apache2/2.2/mime.types
pfedit: User junior is not authorized to edit the file /etc/apache2/2.2/mime.types

root@template:/etc/apache2/2.2# profiles -p "httpd edit"
profiles:httpd edit> info
        name=httpd edit
        desc=Edit httpd
        auths=solaris.admin.edit//etc/apache2/2.2/httpd.conf
profiles:httpd edit> add auths=solaris.admin.edit//etc/apache2/2.2/mime.types

junior@template:~$ pfedit /etc/apache2/2.2/mime.types
pfedit: no changes for /etc/apache2/2.2/mime.types
# profiles -p "httpd configure"
profiles:httpd configure> add always_audit=as
profiles:httpd configure> info
        name=httpd configure
        desc=Configure httpd
        auths=solaris.admin.edit//etc/apache2/2.2/httpd.conf,solaris.admin.edit//etc/apache2/2.2/mime.types
        always_audit=as
        never_audit=no
profiles:httpd configure> exit
root@template:~#

root@template:~# auditreduce -c as | praudit
[...]
header,486,2,edit administrative file,fe80::a00:27ff:fea6:33cb,2013-08-12 07:45:52.306 +00:00
subject,junior,junior,staff,junior,staff,4212,447467166369 136704 MacBook-Pro-of-c0t0d0s0.fritz.box
path,/etc/apache2/2.2/httpd.conf
use of authorization,solaris.admin.edit//etc/apache2/2.2/httpd.conf
text,--- /etc/apache2/2.2/httpd.conf        Mo Aug 12 07:45:00 2013
+++ /etc/apache2/2.2/httpd.conf.pfedit.1BaGoi        Mo Aug 12 07:45:52 2013
@@ -1,5 +1,6 @@
 #
 # Test
 # Test 2
+# Test 3
 # This is the main Apache HTTP server configuration file.  It contains the
 # configuration directives that give the server its instructions.
return,success,0
Delegating privilege to restart services (so you can keep the root password)

junior@template:~$ svcadm refresh apache22
svcadm: svc:/network/http:apache22: Permission denied.

# svcs -a | grep apache22
online         15:30:29 svc:/network/http:apache22

# auths add -t "Apache22 value" solaris.smf.value.http.apache22
# auths add -t "Apache22 action" solaris.smf.action.http.apache22

# svccfg -s apache22 setprop general/value_authorization = astring: solaris.smf.value.http.apache22
# svccfg -s apache22 setprop general/action_authorization = astring: solaris.smf.action.http.apache22

# profiles -p "httpd edit" "add auths=solaris.smf.action.http.apache22"

junior@template:~$ svcadm refresh apache22
junior@template:~$
Privileges

$ ls -l /usr/sbin/traceroute
-r-sr-xr-x   1 root     bin        42324 Nov 21 00:09 /usr/sbin/traceroute
$ ls -l /usr/sbin/ping
-r-sr-xr-x   1 root     bin        51396 Nov 18 19:31 /usr/sbin/ping

set-uid to root: ping needs it to work.

# chmod -s /sbin/ping
# exit
$ ping -s 192.168.1.132
ping: socket Permission denied

Remove the set-uid bit and ping stops working.
jmoekamp@daddelkiste:~$ ppriv $$
2153:   -bash
flags = <none>
        E: basic
        I: basic
        P: basic
        L: all

The complete set of privileges (what "all" stands for):
contract_event, contract_identity, contract_observer, cpc_cpu, dtrace_kernel, dtrace_proc, dtrace_user,
file_chown, file_chown_self, file_dac_execute, file_dac_read, file_dac_search, file_dac_write,
file_downgrade_sl, file_flag_set, file_link_any, file_owner, file_read, file_setid, file_upgrade_sl,
file_write, graphics_access, graphics_map, ipc_dac_read, ipc_dac_write, ipc_owner, net_access,
net_bindmlp, net_icmpaccess, net_mac_aware, net_mac_implicit, net_observability, net_privaddr,
net_rawaccess, proc_audit, proc_chroot, proc_clock_highres, proc_exec, proc_fork, proc_info,
proc_lock_memory, proc_owner, proc_priocntl, proc_session, proc_setid, proc_taskid, proc_zone,
sys_acct, sys_admin, sys_audit, sys_config, sys_devices, sys_dl_config, sys_flow_config,
sys_ib_config, sys_ib_info, sys_ip_config, sys_ipc_config, sys_iptun_config, sys_linkdir, sys_mount,
sys_net_config, sys_nfs, sys_ppp_config, sys_res_bind, sys_res_config, sys_resource, sys_share,
sys_smb, sys_suser_compat, sys_time, sys_trans_label, win_colormap, win_config, win_dac_read,
win_dac_write, win_devices, win_dga, win_downgrade_sl, win_fontpath, win_mac_read, win_mac_write,
win_selection, win_upgrade_sl

All privileges in their entirety assigned to one user are (almost)

Neat extension in Solaris 11: the ability to use networking is now a privilege (net_access). It's part of the default set of privileges, but you can remove it.
jmoekamp@daddelkiste:~$ ppriv -v $$
2153:   -bash
flags = <none>
        E: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
        I: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
        P: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
        L: [the complete privilege list shown above, contract_event ... win_upgrade_sl]
root@daddelkiste:~# ppriv $$
2183:   -bash
flags = <none>
        E: all
        I: basic
        P: all
        L: all

junior@daddelkiste:~$ dtrace -n 'syscall:::entry { @num[execname] = count(); }'
dtrace: failed to initialize dtrace: DTrace requires additional privileges

root@daddelkiste:~# usermod -K defaultpriv=basic,dtrace_kernel,dtrace_proc,dtrace_user junior
UX: usermod: junior is currently logged in, some changes may not take effect until next login.

junior@daddelkiste:~$ dtrace -n 'syscall:::entry { @num[execname] = count(); }'
dtrace: description 'syscall:::entry ' matched 211 probes
^C

  automountd                                                        1
  sshd                                                             24
  dtrace                                                          544
  auditd                                                          564
# ps -ef | grep kcfd
  daemon   125     1   0 14:24:19 ?           0:00 /usr/lib/crypto/kcfd
    root   734   728   0 15:54:08 pts/1       0:00 grep kcfd
# ppriv -v 125
125:    /usr/lib/crypto/kcfd
flags = PRIV_AWARE
        E: file_owner,proc_priocntl,sys_devices
        I: none
        P: file_owner,proc_priocntl,sys_devices
        L: none
# svcadm -v enable -s apache2
svc:/network/http:apache2 enabled.

jmoekamp@client:~$ ps -ef | grep http
webservd  1978  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1979  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1980  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1984  1975   0 12:20:02 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
    root  1975     1   0 12:19:14 ?           0:01 /usr/apache2/2.2/bin/httpd -k start
webservd  1977  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1976  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start

root@client:~# ppriv 1977
1977:   /usr/apache2/2.2/bin/httpd -k start
flags = <none>
        E: basic
        I: basic
        P: basic
        L: all
root@client:~# ppriv 1975
1975:   /usr/apache2/2.2/bin/httpd -k start
flags = <none>
        E: all
        I: basic
        P: all
        L: all
root@client:~#
The apache process running as root (PID 1975 above) has the following privileges: all of them (E: all).

The other processes (the webservd children) have the following privileges: the basic set.

Apache really needs: basic, proc_session, proc_info, file_link_any, net_privaddr (the set configured on the next slides).

So you grant a large number of privileges to one process that Apache doesn't need.
# svcadm -v disable -s apache2
svc:/network/http:apache2 disabled.

root@client:~# svccfg -s apache22
svc:/network/http:apache22> setprop start/user = astring: webservd
svc:/network/http:apache22> setprop start/group = astring: webservd
svc:/network/http:apache22> setprop start/privileges = astring: basic,proc_session,proc_info,file_link_any,net_privaddr
svc:/network/http:apache22> setprop start/limit_privileges = astring: :default
svc:/network/http:apache22> setprop start/use_profile = boolean: false
svc:/network/http:apache22> setprop start/supp_groups = astring: :default
svc:/network/http:apache22> setprop start/working_directory = astring: :default
svc:/network/http:apache22> setprop start/project = astring: :default
svc:/network/http:apache22> setprop start/resource_pool = astring: :default
svc:/network/http:apache22> end
root@client:~# svcadm -v refresh apache22
Action refresh set for svc:/network/http:apache22.

# echo "LockFile /var/apache2/2.2/logs/accept.lock" >> /etc/apache2/2.2/httpd.conf
# echo "PidFile /var/apache2/2.2/run/httpd.pid" >> /etc/apache2/2.2/httpd.conf
# mkdir -p -m 755 /var/apache2/2.2/run
# chown webservd:webservd /var/apache2/2.2/run
# svcadm enable apache22

# ps -ef | grep http
webservd  3064  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3062  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3063  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3066  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3061     1   0 16:49:17 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3065  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
Read-only zone root

zonecfg:testzone> set file-mac-profile=none
    Standard read-write non-global zone with no additional protection beyond the existing zones boundaries.

zonecfg:testzone> set file-mac-profile=strict
    Read-only file system, no exceptions.

zonecfg:testzone> set file-mac-profile=fixed-configuration
    Permits updates to /var/* directories, with the exception of directories that contain system configuration components.

zonecfg:testzone> set file-mac-profile=flexible-configuration
    Permits modification of files in /etc/* directories, changes to root's home directory and updates to /var/* directories. This configuration provides the closest functionality to the Oracle Solaris 10 native sparse root zone.
in-kernel SSL Proxy

# mkdir /etc/keys
# cd /etc/keys
# openssl req -x509 -nodes -days 365 -subj "/C=DE/ST=Hamburg/L=Hamburg/CN=server" -newkey rsa:1024 -keyout /etc/keys/mykey.pem -out /etc/keys/mycert.pem
# cat mycert.pem mykey.pem > my.pem
# chmod 600 my.pem

# echo "pass" > /etc/keys/mypass
# ksslcfg create -f pem -i /etc/keys/my.pem -x 8080 -p /etc/keys/mypass server 443

The same with an explicit cipher suite list (-c):
# ksslcfg create -f pem -i /etc/keys/my.pem -x 8080 -p /etc/keys/mypass -c "rsa_aes_256_cbc_sha,rsa_aes_128_cbc_sha,rsa_rc4_128_sha,rsa_rc4_128_md5" server 443

# svcs -a | grep kssl
online          9:03:33 svc:/network/ssl/proxy:kssl-server-443

# svcadm disable apache22
# echo "Listen 192.168.178.108:8080" >> /etc/apache2/2.2/httpd.conf
# svcadm enable apache22

Port number and IP address have to be defined in httpd.conf, otherwise it will not work.
# openssl s_client -connect server:443
CONNECTED(00000004)
depth=0 /C=DE/ST=Hamburg/L=Hamburg/CN=server
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=DE/ST=Hamburg/L=Hamburg/CN=server
verify return:1
---
Certificate chain
 0 s:/C=DE/ST=Hamburg/L=Hamburg/CN=server
   i:/C=DE/ST=Hamburg/L=Hamburg/CN=server
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICoTCCAgqgAwIBAgIJAKyJdj[...]V5jX3MU=
-----END CERTIFICATE-----
subject=/C=DE/ST=Hamburg/L=Hamburg/CN=server
issuer=/C=DE/ST=Hamburg/L=Hamburg/CN=server
---
No client certificate CA names sent
---
SSL handshake has read 817 bytes and written 328 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-SHA
    Session-ID: 32CEF20CB9FE2A71C74D40BB2DB5CB304DA1B57540B7CFDD113915B99DBE9812
    Session-ID-ctx:
    Master-Key: 1E7B502390951124779C5763B5E4BBAF0A9B0693D08DCA8A587B503A5C5027B6FAD9CA7626B1AD8C62219E8502A5C21E
    Key-Arg   : None
    Start Time: 1242985143
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
GET / HTTP/1.0

HTTP/1.1 200 OK
Date: Fri, 22 May 2009 09:39:13 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8a DAV/2
Last-Modified: Thu, 21 May 2009 21:26:30 GMT
ETag: "341f3-2c-46a72cc211a8f"
Accept-Ranges: bytes
Content-Length: 44
Connection: close
Content-Type: text/html

<html><body><h1>It works!</h1></body></html>
read:errno=0
ZFS Encryption

# zfs create -o encryption=on rpool/export/project

Two keys are involved:
- wrapping key (user settable; keysource: prompt, file://, https://, pkcs11:)
- encryption key (random, not user settable)

Available algorithms: aes-128-ccm (=on), aes-192-ccm, aes-256-ccm, aes-128-gcm, aes-192-gcm, aes-256-gcm

# zfs set checksum=sha256+mac <dataset>

If encryption is not off, something like this happens automatically. This property is read-only from then on.
# pktool genkey keystore=pkcs11 keytype=aes keylen=128 label=mykey
Enter PIN for Sun Software PKCS#11 softtoken:
# zfs create -o encryption=on -o keysource=raw,pkcs11:object=mykey tank/projectC
Enter PKCS#11 token PIN for 'tank/projectC':

# zfs create -o encryption=on -o keysource=raw,https://keys.example.com/mykey tank/projectR
# cp myserver.cert.pem /etc/certs/CA
# svcadm refresh ca-certificates
Changing the wrapping key:

$ zfs key -c rpool/export/project
Enter new passphrase for 'rpool/export/project':
Changing the encryption key (for data written from now on):

# zfs key -K tank/projectA
# zfs clone -K tank/projectA@montag tank/projectD

Creates a new data encryption key. Data written in the clone uses the new data encryption key, which is distinct from its original snapshot.
Solaris Cryptographic Framework

As soon as Solaris detects hardware acceleration for cryptography, Solaris will use it (and so do applications using the Oracle-supplied OpenSSL library or the direct interfaces):
• on-chip crypto accelerator in T and current M series chips
• instruction set extensions in Intel procs (AES-NI)
• supported crypto accelerator cards

Just a side note: T-series crypto acceleration and Intel x86 acceleration have pretty much different performance characteristics.
T-Series: acceleration by offloading crypto outside the pipeline.
Intel x86: acceleration by offering special in-pipeline instructions to accelerate execution.
Sounds like splitting hairs.
Using ZFS to do two-factor encryption

jmoekamp@solaris:~$ rmformat
Looking for devices...
     1. Logical Node: /dev/rdsk/c10t0d0p0
        Physical Node: /pci@0,0/pci8086,265c@b/storage@2/disk@0,0
        Connected Device: SanDisk  U3 Cruzer Micro  8.02
        Device Type: Removable
        Bus: USB
        Size: 3.8 GB
        Label: <None>
        Access permissions: Medium is not write protected
(...)
     3. Logical Node: /dev/rdsk/c9t0d0p0
        Physical Node: /pci@0,0/pci8086,265c@b/storage@1/disk@0,0
        Connected Device: SanDisk  U3 Cruzer Micro  8.02
        Device Type: Removable
        Bus: USB
        Size: 3.8 GB
        Label: <None>
        Access permissions: Medium is not write protected

root@solaris:~# zpool create a_keystore_usbstick /dev/dsk/c10t0d0p0
root@solaris:~# zpool create datastore /dev/dsk/c9t0d0p0

root@solaris:~# zfs create -o encryption=on a_keystore_usbstick/keys
Enter passphrase for 'a_keystore_usbstick/keys': supersecret
Enter again: supersecret

root@solaris:~# pktool genkey keystore=file keytype=aes keylen=128 outkey=/a_keystore_usbstick/keys/joergsdatastick.key

root@solaris:~# zfs create -o encryption=on -o keysource=raw,file:///a_keystore_usbstick/keys/joergsdatastick.key datastick/joergssecrets

root@solaris:/datastick/joergssecrets# mv /home/jmoekamp/highlyconfidential_nda_presos.tgz .

root@solaris:~# zpool export a_keystore_usbstick
root@solaris:~# zpool export datastick

root@solaris:~# zpool import a_keystore_usbstick
Enter passphrase for 'a_keystore_usbstick/keys': supersecret
root@solaris:~#

root@solaris:~# zpool import datastick
root@solaris:~# cd /datastick/joergssecrets
root@solaris:/datastick/joergssecrets# ls
highconfidential_nda_presos.tgz
Basic Auditing and Reporting Tool

# mkdir /bart-files
# bart create -R /etc > /bart-files/etc.control.manifest

# cat etc.control.manifest | grep nsswitch.nisplus
/nsswitch.nisplus F 2525 100644 user::rw-,group::r--,mask:r--,other:r-- 473976b5 0 3 79e8fd689a5221d1cd059e5077da71b8

# touch /etc/thisisjustatest
# chmod 777 /etc/nsswitch.files
# echo "just a test" >> /etc/nsswitch.nisplus

# bart create -R /etc > /bart-files/etc.check.20130911.manifest

# cd /bart-files
# bart compare etc.control.manifest etc.check.20130911.manifest
/nsswitch.files:
  mode  control:100644  test:100777
  acl  control:user::rw-,group::r--,mask:r--,other:r--  test:user::rwx,group::rwx,mask:rwx,other:rwx
/nsswitch.nisplus:
  size  control:2525  test:2538
  mtime  control:473976b5  test:47a44862
  contents  control:79e8fd689a5221d1cd059e5077da71b8  test:3f79176ec352441db11ec8a3d02ef67c
/thisisjustatest:
  add
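What bart does with those two manifests, as an added example (not the deck's code and not Solaris bart(1M)): it records per file the same kind of attributes (type, size, mode, mtime as hex seconds, MD5 of the contents; owner, group and ACLs are left out) and reports the differences in the layout above. The directory layout, file contents and the pinned control mtime are constructed for the demo.

```python
"""BART-style file integrity manifest and comparison.

Added example, not the deck's code and not Solaris bart(1M). The demo
replays the slide's three changes (touch, chmod 777, append) in a temporary
directory, so it runs anywhere without touching /etc.
"""
import hashlib
import os
import stat
import tempfile

# Constructed fixed mtime for the control state (0x473976b5, as on the slide).
PAST = 0x473976B5


def create_manifest(root):
    """Return {"/relative/path": {attr: value}} for every file below root."""
    manifest = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            entry = {
                "type": "F" if stat.S_ISREG(st.st_mode) else "L" if stat.S_ISLNK(st.st_mode) else "?",
                "size": st.st_size,
                "mode": "%o" % stat.S_IMODE(st.st_mode),  # 644, 777, ...
                "mtime": "%x" % int(st.st_mtime),         # hex seconds, as bart prints it
            }
            if entry["type"] == "F":
                with open(full, "rb") as fh:
                    entry["contents"] = hashlib.md5(fh.read()).hexdigest()
            manifest["/" + os.path.relpath(full, root)] = entry
    return manifest


def compare_manifests(control, test):
    """Return {path: change}; change is "add", "delete" or
    {attr: (control value, test value)} for every attribute that differs."""
    report = {}
    for path in sorted(set(control) | set(test)):
        if path not in control:
            report[path] = "add"
        elif path not in test:
            report[path] = "delete"
        else:
            before, after = control[path], test[path]
            changed = {k: (before[k], after.get(k))
                       for k in before if before[k] != after.get(k)}
            if changed:
                report[path] = changed
    return report


def format_report(report):
    """Render the report in the layout of bart compare."""
    lines = []
    for path, change in report.items():
        lines.append(path + ":")
        if isinstance(change, str):
            lines.append("  " + change)
        else:
            for attr, (old, new) in change.items():
                lines.append("  %s  control:%s  test:%s" % (attr, old, new))
    return "\n".join(lines)


def demo():
    """Control manifest, then the slide's three changes, then the comparison."""
    with tempfile.TemporaryDirectory() as etc:
        for name, text in (("nsswitch.files", "passwd: files\n"),
                           ("nsswitch.nisplus", "passwd: nisplus\n")):
            full = os.path.join(etc, name)
            with open(full, "w") as fh:
                fh.write(text)
            os.chmod(full, 0o644)
            os.utime(full, (PAST, PAST))          # pin the control mtime
        control = create_manifest(etc)

        open(os.path.join(etc, "thisisjustatest"), "w").close()   # touch
        os.chmod(os.path.join(etc, "nsswitch.files"), 0o777)       # chmod 777
        with open(os.path.join(etc, "nsswitch.nisplus"), "a") as fh:
            fh.write("just a test\n")                              # echo >>
        return compare_manifests(control, create_manifest(etc))


if __name__ == "__main__":
    print(format_report(demo()))
```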
Find more information regarding this feature at
http://www.c0t0d0s0.org/archives/4069-Less-known-Solaris-features-BART.html
Apropos Auditing
c0t0d0s0org117
Auditing is activated by default
c0t0d0s0org118
root@client:~# auditconfig -getflags
active user default audit flags = lo(0x1000,0x1000)
configured user default audit flags = lo(0x1000,0x1000)
root@client:~# auditconfig -getnaflags
active non-attributable audit flags = lo(0x1000,0x1000)
configured non-attributable audit flags = lo(0x1000,0x1000)

Out of the box only the lo class (login, logout, su, role assumption) is audited, for attributable and non-attributable events alike.

Policy regarding auditing (explanation on the next slide):

root@client:~# auditconfig -getpolicy
configured audit policies = cnt
active audit policies = cnt

root@client:~# auditconfig -lspolicy
policy string    description
ahlt             halt machine if it can not record an async event
all              all policies
arge             include exec environment args in audit recs
argv             include exec command line args in audit recs
cnt              when no more space, drop recs and keep a cnt
group            include supplementary groups in audit recs
none             no policies
path             allow multiple paths per event
perzone          use a separate queue and auditd per zone
public           audit public files
seq              include a sequence number in audit recs
trail            include trailer token in audit recs
windata_down     include downgraded window information in audit recs
windata_up       include upgraded window information in audit recs
zonename         include zonename token in audit recs

Which degree of detail? What happens with full disks? The default policy cnt keeps the system running and counts the records it had to drop when no space is left; ahlt halts the machine instead. argv and arge are the ones you want when the question "what exactly was executed?" matters more than disk space.
root@client:~# auditconfig -getplugin
Plugin: audit_binfile (active)
        Attributes: p_dir=/var/audit;p_fsize=0;p_minfree=1;
Plugin: audit_syslog (inactive)
        Attributes: p_flags=;
Plugin: audit_remote (inactive)
        Attributes: p_hosts=;p_retries=3;p_timeout=5;
root@client:~# auditconfig -setflags lo,ps,fw
user default audit flags = ps,lo,fw(0x101002,0x101002)
root@client:~# auditconfig -setnaflags lo,na
non-attributable audit flags = lo,na(0x1400,0x1400)

lo and na are the only flags that make sense for non-attributable events: nothing else can happen before a session is attributed to a user.
Per-user flags are added on top of the system-wide defaults:

root@client:~# usermod -K audit_flags=fw,as junior
root@client:~# auditconfig -lsevent | grep lo
AUE_login                 6152 lo          login - local
AUE_logout                6153 lo          logout
AUE_telnet                6154 lo          login - telnet
AUE_rlogin                6155 lo          login - rlogin
AUE_rshd                  6158 lo          rsh access
AUE_su                    6159 lo          su
AUE_rexecd                6162 lo          rexecd
AUE_passwd                6163 lo          passwd
AUE_rexd                  6164 lo          rexd
AUE_ftpd                  6165 lo          ftp access
AUE_ftpd_logout           6171 lo          ftp logout
AUE_ssh                   6172 lo          login - ssh
AUE_role_login            6173 lo          role login
AUE_rad_login             6174 lo          connect to RAD
AUE_newgrp_login          6212 lo          newgrp login
AUE_admin_authenticate    6213 lo          admin login
AUE_screenlock            6221 lo          screenlock - lock
AUE_screenunlock          6222 lo          screenlock - unlock
AUE_zlogin                6227 lo          login - zlogin
AUE_su_logout             6228 lo          su logout
AUE_role_logout           6229 lo          role logout
AUE_smbd_session          6244 lo          smbd(1m) session setup
AUE_smbd_logoff           6245 lo          smbd(1m) session logoff

root@client:~# auditconfig -lsevent | grep ps
AUE_EXIT                  1    ps          exit(2)
AUE_FORKALL               2    ps          forkall(2)
AUE_VFORK                 25   ps          vfork(2)
AUE_FORK1                 241  ps          fork1(2)
root@client:~# auditconfig -lsevent | grep fw
AUE_OPEN_W                76   fw          open(2) - write
# auditreduce -c ps /var/audit/20130912183630.not_terminated.client | praudit
header,1392,2,execve(2),,client,2013-09-12 18:40:55.924 +00:00
path,/usr/sbin/auditreduce
attribute,100555,root,bin,65538,65875,18446744073709551615
subject,jmoekamp,root,root,root,root,20541,4400809562,480 202240 192.168.10.1
return,success,0
root@client:~# auditconfig -setflags all
user default audit flags = all(0xffffffffffffffff,0xffffffffffffffff)

Not always (in the sense of: never) a good idea.

Useful after trying things out: start a new audit file.
root@client:~# audit -n

root@client:~# auditstat
  gen  nona   kern  aud  ctl    enq   wrtn  wblk  rblk  drop   tot  mem
38248     1  38233   14    0  37791  37788     0  3491   457  5169    0

That is "all" activated for a few seconds on an unloaded system: 38248 records generated and 457 already dropped (policy cnt). Audit the classes you need, not everything.
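The record that auditreduce | praudit printed above is one token per line, fields separated by commas, and that shape is easy to work with outside Solaris. The following is an added example (not from the slides): a small parser for that stream plus the two questions an analyst asks first, "which records belong to class X" (what auditreduce -c does) and "which records are failures". The three sample records are constructed to match the slide's execve(2) record; they are not real audit data, and EVENT_CLASSES only covers the events they use, taken from the auditconfig -lsevent listings above.

```python
# Event name -> audit classes, as listed by `auditconfig -lsevent` above
# (execve(2) is ps,ex in audit_event). Only the events used in the sample.
EVENT_CLASSES = {
    "execve(2)": {"ps", "ex"},
    "fork1(2)": {"ps"},
    "open(2) - write": {"fw"},
    "su": {"lo"},
    "login - ssh": {"lo"},
}

# Constructed praudit output: one header/subject/return triple per record.
SAMPLE = """\
header,1392,2,execve(2),,client,2013-09-12 18:40:55.924 +00:00
path,/usr/sbin/auditreduce
attribute,100555,root,bin,65538,65875,18446744073709551615
subject,jmoekamp,root,root,root,root,20541,4400809562,480 202240 192.168.10.1
return,success,0
header,101,2,su,,client,2013-09-12 18:41:10.001 +00:00
subject,junior,junior,staff,junior,staff,20600,4400809563,480 202240 192.168.10.1
text,root
return,failure: Permission denied,-1
header,120,2,open(2) - write,,client,2013-09-12 18:42:03.117 +00:00
path,/etc/nsswitch.nisplus
attribute,100644,root,sys,65538,65901,18446744073709551615
subject,junior,junior,staff,junior,staff,20600,4400809563,480 202240 192.168.10.1
return,success,4
"""


def parse_praudit(text):
    """Split a praudit token stream into records. A record starts at a
    'header' token and runs up to the next one; 'return' closes it."""
    records, cur = [], None
    for line in text.splitlines():
        tok = line.split(",")
        if tok[0] == "header":
            # header, byte count, version, event, modifier, host, time
            cur = {"event": tok[3], "host": tok[5], "time": tok[6],
                   "paths": [], "user": None, "status": None}
            records.append(cur)
        elif cur is None:
            continue                      # tokens before the first header
        elif tok[0] == "path":
            cur["paths"].append(tok[1])
        elif tok[0] == "subject":
            # audit-user, uid, gid, ruid, rgid, pid, sid, terminal id
            cur["user"], cur["uid"], cur["pid"] = tok[1], tok[2], tok[6]
            cur["terminal"] = tok[8]
        elif tok[0] == "return":
            cur["status"] = tok[1].split(":")[0]   # 'success' or 'failure'
            cur["retval"] = tok[2]
    return records


def by_class(records, cls):
    """Emulate `auditreduce -c cls`: records whose event belongs to that class."""
    return [r for r in records if cls in EVENT_CLASSES.get(r["event"], set())]


def failures(records):
    """Records whose return token is not 'success' (failed su, denied open, ...)."""
    return [r for r in records if r["status"] != "success"]


def file_writes(records, user):
    """Paths written by `user`: the fw class the slide turned on per user."""
    return sorted(p for r in by_class(records, "fw")
                  if r["user"] == user for p in r["paths"])


if __name__ == "__main__":
    recs = parse_praudit(SAMPLE)
    for r in failures(recs):
        print("FAILED", r["time"], r["event"], "by", r["user"], "from", r["terminal"])
    print("junior wrote:", file_writes(recs, "junior"))
```

Note that the audit-user (first subject field) survives su: on the execve record it is jmoekamp even though every uid is root, which is exactly why the subject token carries both.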
SSH and X.509
root@ca:~# CA.pl -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
........++++++
........++++++
writing new private key to '/etc/openssl/private/cakey.pem'
Enter PEM pass phrase: supersecret1
Verifying - Enter PEM pass phrase: supersecret1
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:DE
State or Province Name (full name) []:Lower Saxony
Locality Name (eg, city) []:Lueneburg
Organization Name (eg, company) []:c0t0d0s0.org
Organizational Unit Name (eg, section) []:Security Department
Common Name (eg, server FQDN or YOUR name) []:CA
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openssl/openssl.cnf
Enter pass phrase for /etc/openssl/private/cakey.pem: supersecret1
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: b3:54:80:88:66:ad:e8:78
        Validity
            Not Before: Sep 26 10:11:09 2013 GMT
            Not After : Sep 25 10:11:09 2016 GMT
        Subject:
            countryName               = DE
            stateOrProvinceName       = Lower Saxony
            organizationName          = c0t0d0s0.org
            organizationalUnitName    = Security Department
            commonName                = CA
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44
            X509v3 Authority Key Identifier:
                keyid:5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44
            X509v3 Basic Constraints:
                CA:TRUE
Certificate is to be certified until Sep 25 10:11:09 2016 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated

CA.pl takes the key size from default_bits in openssl.cnf, which is 1024 here. 1024-bit RSA is no longer adequate; raise default_bits to 2048 or more before creating a CA you intend to keep.
root@ca:~# mkdir server
root@ca:~# cd server
root@ca:~/server# CA.pl -newreq
Generating a 1024 bit RSA private key
........++++++
........++++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase: supersecret2
Verifying - Enter PEM pass phrase: supersecret2
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:DE
State or Province Name (full name) []:Lower Saxony
Locality Name (eg, city) []:Lueneburg
Organization Name (eg, company) []:c0t0d0s0.org
Organizational Unit Name (eg, section) []:Server Certificates
Common Name (eg, server FQDN or YOUR name) []:server
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem
root@ca:~/server# CA.pl -signreq
Using configuration from /etc/openssl/openssl.cnf
Enter pass phrase for /etc/openssl/private/cakey.pem: supersecret1
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: b3:54:80:88:66:ad:e8:79
        Validity
            Not Before: Sep 26 10:29:12 2013 GMT
            Not After : Sep 26 10:29:12 2014 GMT
        Subject:
            countryName               = DE
            stateOrProvinceName       = Lower Saxony
            localityName              = Lueneburg
            organizationName          = c0t0d0s0.org
            organizationalUnitName    = Server Certificates
            commonName                = server
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                A7:DC:03:DE:B3:D5:FB:F9:C0:06:F1:1A:55:A9:AD:04:C4:9C:10:FA
            X509v3 Authority Key Identifier:
                keyid:5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44

Certificate is to be certified until Sep 26 10:29:12 2014 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
root@ca:~/server# ls -l
total 15
-rw-r--r--   1 root     root        3196 Sep 26 12:29 newcert.pem
-rw-r--r--   1 root     root        1041 Sep 26 12:28 newkey.pem
-rw-r--r--   1 root     root         680 Sep 26 12:28 newreq.pem

newkey.pem is world-readable. It is encrypted with the PEM pass phrase, but a private key file should still be mode 0600 before it is copied anywhere.
root@ca:~/junior# CA.pl -newreq
Generating a 1024 bit RSA private key
........++++++
........++++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
Verify failure
Enter PEM pass phrase: supersecret3
Verifying - Enter PEM pass phrase: supersecret3
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:DE
State or Province Name (full name) []:Lower Saxony
Locality Name (eg, city) []:Lueneburg
Organization Name (eg, company) []:c0t0d0s0.org
Organizational Unit Name (eg, section) []:User certificates
Common Name (eg, server FQDN or YOUR name) []:junior
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem
root@ca:~/junior# CA.pl -signreq
Using configuration from /etc/openssl/openssl.cnf
Enter pass phrase for /etc/openssl/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: b3:54:80:88:66:ad:e8:7a
        Validity
            Not Before: Sep 26 11:09:29 2013 GMT
            Not After : Sep 26 11:09:29 2014 GMT
        Subject:
            countryName               = DE
            stateOrProvinceName       = Lower Saxony
            localityName              = Lueneburg
            organizationName          = c0t0d0s0.org
            organizationalUnitName    = User certificates
            commonName                = junior
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                A1:F2:FC:9D:8A:E2:AD:9A:F5:29:03:F5:B7:14:93:3C:64:62:8E:9C
            X509v3 Authority Key Identifier:
                keyid:5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44

Certificate is to be certified until Sep 26 11:09:29 2014 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
root@server:~# useradd -m junior
80 blocks
root@server:~# passwd junior
New Password:
Re-enter new Password:
passwd: password successfully changed for junior
root@server:~#

root@client:~# useradd -m junior
80 blocks
root@client:~# passwd junior
New Password:
Re-enter new Password:
passwd: password successfully changed for junior
root@server:~# echo "192.168.10.51 server" >> /etc/hosts
root@server:~# echo "192.168.10.52 client" >> /etc/hosts

root@client:~# echo "192.168.10.51 server" >> /etc/hosts
root@client:~# echo "192.168.10.52 client" >> /etc/hosts
root@ca:~/server# scp /etc/openssl/cacert.pem jmoekamp@192.168.1.109:/export/home/jmoekamp
Password:
cacert.pem           100% |*****************************|  3011       00:00
root@ca:~/server# scp newcert.pem jmoekamp@192.168.1.109:/export/home/jmoekamp
Password:
newcert.pem          100% |*****************************|  3196       00:00
root@ca:~/server# scp newkey.pem jmoekamp@192.168.1.109:/export/home/jmoekamp
Password:
newkey.pem           100% |*****************************|  1041       00:00

root@ca:~/junior# scp newkey.pem junior@client:/export/home/junior
Password:
newkey.pem           100% |*****************************|  1041       00:00
root@ca:~/junior# scp newcert.pem junior@client:/export/home/junior
Password:
newcert.pem          100% |*****************************|  3190       00:00
root@ca:~/junior# scp /etc/openssl/cacert.pem junior@192.168.1.104:/export/home/junior
Password:
cacert.pem           100% |*****************************|  3011       00:00
On the server
root@server:~# ls
cacert.pem  newcert.pem  newkey.pem

root@server:~# pktool setpin
Enter token passphrase: changeme
Create new passphrase: superserversecret
Re-enter new passphrase: superserversecret
Passphrase changed.
root@server:~#

The Sun Software PKCS#11 softtoken ships with the PIN "changeme"; change it before importing anything into it.

root@server:~# printf "superserversecret" > /etc/ssh/pinfile

The pinfile holds the token PIN in clear text so that sshd can open the host key without interaction; it must be readable by root only.

root@server:~# kmfcfg create dbfile=/etc/ssh/policy.xml policy=ssh ta-name=search mapper-name=cn

root@server:~# echo "TrustedAnchorKeystore /etc/ssh/cert" >> /etc/ssh/sshd_config
root@server:~# echo "KMFPolicyDatabase /etc/ssh/policy.xml" >> /etc/ssh/sshd_config
root@server:~# echo "KMFPolicyName ssh" >> /etc/ssh/sshd_config
root@server:~# echo "HostKey pkcs11:object=host;token=Sun Metaslot;pinfile=/etc/ssh/pinfile" >> /etc/ssh/sshd_config

root@server:~# pktool import keystore=pkcs11 infile=newkey.pem objtype=key label=host
Enter PIN for Sun Software PKCS#11 softtoken: superserversecret
Enter PEM pass phrase: supersecret2
Importing 1 keys

root@server:~# egrep -v '^ |^$|^Cert' /export/home/jmoekamp/cacert.pem > /etc/ssh/cert/cacert.cooked.pem
root@server:~# egrep -v '^ |^$|^Cert' newcert.pem > newcert.cooked.pem
root@server:~# pktool import keystore=pkcs11 infile=newcert.cooked.pem objtype=cert label=host
root@server:~#

The egrep strips the human-readable certificate dump that CA.pl writes in front of the PEM block, leaving only the BEGIN/END CERTIFICATE section that pktool and the trust anchor directory expect.
On the client

junior@client:~$ ls *.pem
cacert.pem  newcert.pem  newkey.pem

root@client:~# kmfcfg create dbfile=/etc/ssh/policy.xml policy=ssh ta-name=search mapper-name=cn
root@client:~# egrep -v '^ |^$|^Cert' /export/home/junior/cacert.pem > /etc/ssh/cert/cacert.cooked.pem

junior@client:~$ pktool setpin
Enter token passphrase: changeme
Create new passphrase: superusersecret
Re-enter new passphrase: superusersecret
Passphrase changed.

junior@client:~$ pktool import keystore=pkcs11 infile=newkey.pem objtype=key label=user
Enter PIN for Sun Software PKCS#11 softtoken: superusersecret
Enter PEM pass phrase: supersecret3
Importing 1 keys
junior@client:~$ egrep -v '^ |^$|^Cert' newcert.pem > newcert.cooked.pem
junior@client:~$ pktool import keystore=pkcs11 infile=newcert.cooked.pem objtype=cert label=user
Testing it

root@server:~# svcadm disable ssh
root@server:~# svcadm enable ssh

junior@client:~$ cd .ssh
junior@client:~/.ssh$ printf "superusersecret" >> pinfile
junior@client:~/.ssh$ cat config
Host server-x509
    Hostname server
    TrustedAnchorKeystore /etc/ssh/cert
    KMFPolicyDatabase /etc/ssh/policy.xml
    KMFPolicyName ssh
    IdentityFile pkcs11:object=user;token=Sun Software PKCS#11 softtoken;pinfile=/export/home/junior/.ssh/pinfile

junior@client:~/.ssh$ ssh junior@server-x509
Last login: Thu Sep 26 20:07:14 2013 from client
Oracle Corporation      SunOS 5.11      11.1    September 2013
junior@server:~$

Both sides now validate the peer against the CA in /etc/ssh/cert instead of trusting a key fingerprint on first use: the client checks the host certificate, the server checks junior's user certificate.

Find more information regarding this feature at http://www.c0t0d0s0.org/archives/7659-Using-X509-support-for-SSH-on-Solaris-11.1.html
OpenSCAP

"The Security Content Automation Protocol (SCAP) is a method for using specific standards to enable automated vulnerability management, measurement, and policy compliance evaluation (e.g., FISMA compliance). The National Vulnerability Database (NVD) is the U.S. government content repository for SCAP."

http://en.wikipedia.org/wiki/Security_Content_Automation_Protocol
ftp-banner.xml:

<?xml version="1.0" encoding="UTF-8"?>
<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5"
    xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5"
    xmlns:independent-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"
    xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd">
  <generator>
    <oval:product_name>Enhanced SCAP Editor</oval:product_name>
    <oval:product_version>0.0.11</oval:product_version>
    <oval:schema_version>5.8</oval:schema_version>
    <oval:timestamp>2012-10-11T10:33:25</oval:timestamp>
  </generator>
  <!--generated.oval.base.identifier=com.oracle.solaris11-->
  <definitions>
    <definition id="oval:com.oracle.solaris11:def:840" version="1" class="compliance">
      <metadata>
        <title>Enable a Warning Banner for the FTP Service</title>
        <affected family="unix">
          <platform>Oracle Solaris 11</platform>
        </affected>
        <description>/etc/proftpd.conf contains "DisplayConnect /etc/issue"</description>
      </metadata>
      <criteria operator="AND" negate="false" comment="Single test">
        <criterion comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;" test_ref="oval:com.oracle.solaris11:tst:8400" negate="false"/>
      </criteria>
    </definition>
  </definitions>
  <tests>
    <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:com.oracle.solaris11:tst:8400" version="1" check="all" comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;" check_existence="all_exist">
      <object object_ref="oval:com.oracle.solaris11:obj:8400"/>
    </textfilecontent54_test>
  </tests>
  <objects>
    <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:com.oracle.solaris11:obj:8400" version="1" comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;">
      <path datatype="string" operation="equals">/etc</path>
      <filename datatype="string" operation="equals">proftpd.conf</filename>
      <pattern datatype="string" operation="pattern match">^DisplayConnect\s+/etc/issue\s*$</pattern>
      <instance datatype="int" operation="greater than or equal">1</instance>
    </textfilecontent54_object>
  </objects>
</oval_definitions>

Three layers: the definition states the compliance rule and points at a test; the test points at an object and says all collected items must exist (check_existence="all_exist"); the object names the file and the regular expression applied line by line, with instance >= 1 meaning at least one matching line. The definition is true only if the pattern is found in /etc/proftpd.conf.
$ oscap oval eval ftp-banner.xml
Definition oval:com.oracle.solaris11:def:840: false
Evaluation done.

$ oscap oval eval --results results.xml --report report.html ftp-banner.xml
Definition oval:com.oracle.solaris11:def:840: false
Evaluation done.
OVAL Results are exported correctly.

"false" here means the host is not compliant: its proftpd.conf has no DisplayConnect line. The --results file is the machine-readable record, the --report file the HTML you hand to the auditor.
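To make the evaluation oscap performed above concrete, here is an added example (not from the slides, and not from OpenSCAP or Darren Moffat's post): a toy evaluator for the one OVAL test type ftp-banner.xml uses, textfilecontent54_test. It reads path, filename, pattern and instance from the object, applies them to a file tree and produces the same true/false verdict oscap printed. FTP_BANNER_XML is a trimmed copy of the definition above with the same ids and pattern; evaluate() and demo() are this example's own names; demo() writes a constructed /etc/proftpd.conf into a temporary directory so the check runs offline. Only this test type and the AND criteria operator are handled.

```python
import os
import re
import tempfile
import xml.etree.ElementTree as ET

NS = {
    "oval-def": "http://oval.mitre.org/XMLSchema/oval-definitions-5",
    "ind": "http://oval.mitre.org/XMLSchema/oval-definitions-5#independent",
}

# Trimmed copy of ftp-banner.xml: same ids, same object, metadata dropped.
FTP_BANNER_XML = """\
<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
  <definitions>
    <definition id="oval:com.oracle.solaris11:def:840" version="1" class="compliance">
      <criteria operator="AND">
        <criterion test_ref="oval:com.oracle.solaris11:tst:8400"/>
      </criteria>
    </definition>
  </definitions>
  <tests>
    <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"
        id="oval:com.oracle.solaris11:tst:8400" version="1" check="all" check_existence="all_exist">
      <object object_ref="oval:com.oracle.solaris11:obj:8400"/>
    </textfilecontent54_test>
  </tests>
  <objects>
    <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"
        id="oval:com.oracle.solaris11:obj:8400" version="1">
      <path datatype="string" operation="equals">/etc</path>
      <filename datatype="string" operation="equals">proftpd.conf</filename>
      <pattern datatype="string" operation="pattern match">^DisplayConnect\\s+/etc/issue\\s*$</pattern>
      <instance datatype="int" operation="greater than or equal">1</instance>
    </textfilecontent54_object>
  </objects>
</oval_definitions>
"""


def collect_objects(root):
    """id -> {path, filename, pattern, instance} for every textfilecontent54_object."""
    objs = {}
    for obj in root.iter("{%s}textfilecontent54_object" % NS["ind"]):
        objs[obj.get("id")] = {
            "path": obj.find("ind:path", NS).text,
            "filename": obj.find("ind:filename", NS).text,
            "pattern": obj.find("ind:pattern", NS).text,
            "instance": int(obj.find("ind:instance", NS).text),
        }
    return objs


def eval_textfilecontent(obj, fsroot):
    """True when at least `instance` lines match (instance >= 1 on the slide).
    A missing file yields no items, so check_existence=all_exist fails."""
    target = os.path.join(fsroot, obj["path"].lstrip("/"), obj["filename"])
    if not os.path.isfile(target):
        return False
    pat = re.compile(obj["pattern"])
    with open(target) as f:
        hits = sum(1 for line in f if pat.search(line.rstrip("\n")))
    return hits >= obj["instance"]


def evaluate(xml_text, fsroot="/"):
    """Return {definition id: bool}, the verdicts `oscap oval eval` prints.
    fsroot lets the check run against a tree other than the live root."""
    root = ET.fromstring(xml_text)
    objects = collect_objects(root)
    tests = {}
    for t in root.iter("{%s}textfilecontent54_test" % NS["ind"]):
        ref = t.find("ind:object", NS).get("object_ref")
        tests[t.get("id")] = eval_textfilecontent(objects[ref], fsroot)
    results = {}
    for d in root.iter("{%s}definition" % NS["oval-def"]):
        crit = d.find("oval-def:criteria", NS)
        verdicts = [tests[c.get("test_ref")] for c in crit.findall("oval-def:criterion", NS)]
        results[d.get("id")] = all(verdicts) if crit.get("operator", "AND") == "AND" else any(verdicts)
    return results


def demo(banner_line):
    """Evaluate against a constructed /etc/proftpd.conf containing banner_line."""
    fsroot = tempfile.mkdtemp()
    os.makedirs(os.path.join(fsroot, "etc"))
    with open(os.path.join(fsroot, "etc", "proftpd.conf"), "w") as f:
        f.write('ServerName "ProFTPD"\n' + banner_line + "\n")
    return evaluate(FTP_BANNER_XML, fsroot)


if __name__ == "__main__":
    for line in ("DisplayConnect /etc/issue", "# DisplayConnect /etc/issue"):
        for def_id, ok in demo(line).items():
            print("Definition %s: %s" % (def_id, str(ok).lower()))
```

The commented-out variant is the case worth remembering: a banner directive that is present but disabled still fails the check, because the pattern is anchored at the start of the line.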
To create your own OVAL files: Enhanced SCAP Content Editor.

Find more information regarding this feature at https://blogs.oracle.com/darren/entry/compliance_reporting_with_scap
Delegated editing of configuration files with pfedit. The user junior holds the rights profile "httpd edit":

junior@template:~$ profiles
httpd edit
Basic Solaris User
All

junior@template:~$ vi /etc/apache2/2.2/httpd.conf

junior@template:~$ pfedit /etc/apache2/2.2/httpd.conf
pfedit: /etc/apache2/2.2/httpd.conf has been updated.

junior@template:~$ pfedit /etc/apache2/2.2/mime.types
pfedit: User junior is not authorized to edit the file /etc/apache2/2.2/mime.types
root@template:/etc/apache2/2.2# profiles -p "httpd edit"
profiles:httpd edit> info
        name=httpd edit
        desc=Edit httpd
        auths=solaris.admin.edit//etc/apache2/2.2/httpd.conf
profiles:httpd edit> add auths=solaris.admin.edit//etc/apache2/2.2/mime.types

junior@template:~$ pfedit /etc/apache2/2.2/mime.types
pfedit: no changes for /etc/apache2/2.2/mime.types
# profiles -p "httpd configure"
profiles:httpd configure> add always_audit=as
profiles:httpd configure> info
        name=httpd configure
        desc=Configure httpd
        auths=solaris.admin.edit//etc/apache2/2.2/httpd.conf,solaris.admin.edit//etc/apache2/2.2/mime.types
        always_audit=as
        never_audit=no
profiles:httpd configure> exit
root@template:~#

root@template:~# auditreduce -c as | praudit
[...]
header,4862,2,edit administrative file,fe80::a00:27ff:fea6:33cb,2013-08-12 07:45:52.306 +00:00
subject,junior,junior,staff,junior,staff,4212,447467166,369 136704 MacBook-Pro-of-c0t0d0s0.fritz.box
path,/etc/apache2/2.2/httpd.conf
use of authorization,solaris.admin.edit//etc/apache2/2.2/httpd.conf
text,--- /etc/apache2/2.2/httpd.conf        Mo Aug 12 07:45:00 2013
+++ /etc/apache2/2.2/httpd.conf.pfedit.1BaGoi        Mo Aug 12 07:45:52 2013
@@ -1,5 +1,6 @@
 # Test
 # Test 2
+# Test 3
 #
 # This is the main Apache HTTP server configuration file.  It contains the
 # configuration directives that give the server its instructions.
return,success,0

pfedit puts the whole diff into the audit record (the text token), so the trail shows not only that junior edited httpd.conf, but exactly what changed.
Delegating privilege to restart services (so you can keep the root password)
junior@template:~$ svcadm refresh apache22
svcadm: svc:/network/http:apache22: Permission denied.

# svcs -a | grep apache22
online         15:30:29 svc:/network/http:apache22

# auths add -t "Apache22 value" solaris.smf.value.http.apache22
# auths add -t "Apache22 action" solaris.smf.action.http.apache22

# svccfg -s apache22 setprop general/value_authorization = astring: solaris.smf.value.http.apache22
# svccfg -s apache22 setprop general/action_authorization = astring: solaris.smf.action.http.apache22

# profiles -p "httpd edit" "add auths=solaris.smf.action.http.apache22"

junior@template:~$ svcadm refresh apache22
junior@template:~$

action_authorization covers the svcadm actions (refresh, restart and the like); value_authorization is needed to change the service's property values, which is what a permanent enable or disable is. junior got only the action authorization, so he can bounce Apache but not switch it off for good.
Privileges
$ ls -l /usr/sbin/traceroute
-r-sr-xr-x   1 root     bin        42324 Nov 21 00:09 /usr/sbin/traceroute
$ ls -l /usr/sbin/ping
-r-sr-xr-x   1 root     bin        51396 Nov 18 19:31 /usr/sbin/ping

Set-uid root: ping needs it to work (it has to open an ICMP socket, which takes the net_icmpaccess privilege).

# chmod -s /sbin/ping
# exit
$ ping -s 192.168.1.132
ping: socket Permission denied

Remove the set-uid bit and ping stops working.
jmoekamp@daddelkiste:~$ ppriv $$
2153:   -bash
flags = <none>
        E: basic
        I: basic
        P: basic
        L: all
The complete set of privileges in this Solaris 11 release (what "L: all" expands to):

contract_event, contract_identity, contract_observer, cpc_cpu, dtrace_kernel, dtrace_proc, dtrace_user, file_chown, file_chown_self, file_dac_execute, file_dac_read, file_dac_search, file_dac_write, file_downgrade_sl, file_flag_set, file_link_any, file_owner, file_read, file_setid, file_upgrade_sl, file_write, graphics_access, graphics_map, ipc_dac_read, ipc_dac_write, ipc_owner, net_access, net_bindmlp, net_icmpaccess, net_mac_aware, net_mac_implicit, net_observability, net_privaddr, net_rawaccess, proc_audit, proc_chroot, proc_clock_highres, proc_exec, proc_fork, proc_info, proc_lock_memory, proc_owner, proc_priocntl, proc_session, proc_setid, proc_taskid, proc_zone, sys_acct, sys_admin, sys_audit, sys_config, sys_devices, sys_dl_config, sys_flow_config, sys_ib_config, sys_ib_info, sys_ip_config, sys_ipc_config, sys_iptun_config, sys_linkdir, sys_mount, sys_net_config, sys_nfs, sys_ppp_config, sys_res_bind, sys_res_config, sys_resource, sys_share, sys_smb, sys_suser_compat, sys_time, sys_trans_label, win_colormap, win_config, win_dac_read, win_dac_write, win_devices, win_dga, win_downgrade_sl, win_fontpath, win_mac_read, win_mac_write, win_selection, win_upgrade_sl

All privileges in their entirety assigned to one user are ... (almost)

Neat extension in Solaris 11: the ability to use networking is now a privilege (net_access). It is part of the default basic set, but you can remove it.
jmoekamp@daddelkiste:~$ ppriv -v $$
2153:   -bash
flags = <none>
        E: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
        I: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
        P: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
        L: contract_event,contract_identity,contract_observer,cpc_cpu,dtrace_kernel,dtrace_proc,dtrace_user,file_chown,file_chown_self,file_dac_execute,file_dac_read,file_dac_search,file_dac_write,file_downgrade_sl,file_flag_set,file_link_any,file_owner,file_read,file_setid,file_upgrade_sl,file_write,graphics_access,graphics_map,ipc_dac_read,ipc_dac_write,ipc_owner,net_access,net_bindmlp,net_icmpaccess,net_mac_aware,net_mac_implicit,net_observability,net_privaddr,net_rawaccess,proc_audit,proc_chroot,proc_clock_highres,proc_exec,proc_fork,proc_info,proc_lock_memory,proc_owner,proc_priocntl,proc_session,proc_setid,proc_taskid,proc_zone,sys_acct,sys_admin,sys_audit,sys_config,sys_devices,sys_dl_config,sys_flow_config,sys_ib_config,sys_ib_info,sys_ip_config,sys_ipc_config,sys_iptun_config,sys_linkdir,sys_mount,sys_net_config,sys_nfs,sys_ppp_config,sys_res_bind,sys_res_config,sys_resource,sys_share,sys_smb,sys_suser_compat,sys_time,sys_trans_label,win_colormap,win_config,win_dac_read,win_dac_write,win_devices,win_dga,win_downgrade_sl,win_fontpath,win_mac_read,win_mac_write,win_selection,win_upgrade_sl
root@daddelkiste:~# ppriv $$
2183:   -bash
flags = <none>
        E: all
        I: basic
        P: all
        L: all
junior@daddelkiste:~$ dtrace -n 'syscall:::entry { @num[execname] = count(); }'
dtrace: failed to initialize dtrace: DTrace requires additional privileges

root@daddelkiste:~# usermod -K defaultpriv=basic,dtrace_kernel,dtrace_proc,dtrace_user junior
UX: usermod: junior is currently logged in, some changes may not take effect until next login.

junior@daddelkiste:~$ dtrace -n 'syscall:::entry { @num[execname] = count(); }'
dtrace: description 'syscall:::entry ' matched 211 probes
^C

  automountd                                                        1
  sshd                                                             24
  dtrace                                                          544
  auditd                                                          564

junior can now trace the kernel and every process without root. dtrace_kernel in particular lets a user read arbitrary kernel memory, so hand it out to developers on their own boxes, not to everyone.
# ps -ef | grep kcfd
  daemon   125     1   0 14:24:19 ?           0:00 /usr/lib/crypto/kcfd
    root   734   728   0 15:54:08 pts/1       0:00 grep kcfd
# ppriv -v 125
125:    /usr/lib/crypto/kcfd
flags = PRIV_AWARE
        E: file_owner,proc_priocntl,sys_devices
        I: none
        P: file_owner,proc_priocntl,sys_devices
        L: none

The system's own daemons show how it should look: kcfd runs as daemon with three privileges and an empty limit set, so even a compromised kcfd cannot grow beyond them.
# svcadm -v enable -s apache2
svc:/network/http:apache2 enabled.

jmoekamp@client:~$ ps -ef | grep http
webservd  1978  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1979  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1980  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1984  1975   0 12:20:02 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
    root  1975     1   0 12:19:14 ?           0:01 /usr/apache2/2.2/bin/httpd -k start
webservd  1977  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1976  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start

root@client:~# ppriv 1977
1977:   /usr/apache2/2.2/bin/httpd -k start
flags = <none>
        E: basic
        I: basic
        P: basic
        L: all
root@client:~# ppriv 1975
1975:   /usr/apache2/2.2/bin/httpd -k start
flags = <none>
        E: all
        I: basic
        P: all
        L: all
root@client:~#
The Apache parent process running as root has all privileges (E: all, the complete list above). The worker processes running as webservd have the basic set. What Apache really needs is much less: the basic set plus proc_session, proc_info, file_link_any and net_privaddr (to bind port 80).

So you grant a large number of privileges to one process that Apache doesn't need. The SMF method context fixes that:
svcadm -v disable -s apache2svcnetworkhttpapache2 disabled
c0t0d0s0org70
rootclient~ svccfg -s apache22svcnetworkhttpapache22gt setprop startuser = astring webservdsvcnetworkhttpapache22gt setprop startgroup = astring webservdsvcnetworkhttpapache22gt setprop startprivileges = astring basicproc_sessionproc_infofile_link_anynet_privaddrsvcnetworkhttpapache22gt setprop startlimit_privileges = astring defaultsvcnetworkhttpapache22gt setprop startuse_profile = boolean falsesvcnetworkhttpapache22gt setprop startsupp_groups = astring defaultsvcnetworkhttpapache22gt setprop startworking_directory = astring defaultsvcnetworkhttpapache22gt setprop startproject = astring defaultsvcnetworkhttpapache22gt setprop startresource_pool = astring defaultsvcnetworkhttpapache22gt endrootclient~ svcadm -v refresh apache22Action refresh set for svcnetworkhttpapache22
c0t0d0s0org71
echo LockFile varapache222logsacceptlock gtgt etcapache222httpdconf echo PidFile varapache222runhttpdpid gtgt etcapache222httpdconf mkdir -p -m 755 varapache222run chown webservdwebservd varapache222run svcadm enable apache22
c0t0d0s0org72
webservd 3064 3061 0 164918 000 usrapache222binhttpd -k startwebservd 3062 3061 0 164918 000 usrapache222binhttpd -k startwebservd 3063 3061 0 164918 000 usrapache222binhttpd -k startwebservd 3066 3061 0 164918 000 usrapache222binhttpd -k startwebservd 3061 1 0 164917 000 usrapache222binhttpd -k startwebservd 3065 3061 0 164918 000 usrapache222binhttpd -k start
Read-only zone root

zonecfg:testzone> set file-mac-profile=none
    Standard read-write non-global zone, with no additional protection beyond the existing zone boundaries.
zonecfg:testzone> set file-mac-profile=strict
    Read-only file system, no exceptions.
zonecfg:testzone> set file-mac-profile=fixed-configuration
    Permits updates to /var/* directories, with the exception of directories that contain system configuration components.
zonecfg:testzone> set file-mac-profile=flexible-configuration
    Permits modification of files in /etc/* directories, changes to root's home directory, and updates to /var/* directories. This configuration provides the closest functionality to the Oracle Solaris 10 native sparse root zone.
in-kernel SSL Proxy

# mkdir /etc/keys
# cd /etc/keys
# openssl req -x509 -nodes -days 365 -subj "/C=DE/ST=Hamburg/L=Hamburg/CN=server" -newkey rsa:1024 -keyout /etc/keys/mykey.pem -out /etc/keys/mycert.pem
# cat mycert.pem mykey.pem > my.pem
# chmod 600 my.pem
# echo "pass" > /etc/keys/mypass
# ksslcfg create -f pem -i /etc/keys/my.pem -x 8080 -p /etc/keys/mypass server 443

# ksslcfg create -f pem -i /etc/keys/my.pem -x 8080 -p /etc/keys/mypass -c rsa_aes_256_cbc_sha,rsa_aes_128_cbc_sha,rsa_rc4_128_sha,rsa_rc4_128_md5 server 443

# svcs -a | grep kssl
online          9:03:33 svc:/network/ssl/proxy:kssl-server-443
# svcadm disable apache22
# echo "Listen 192.168.178.108:8080" >> /etc/apache2/2.2/httpd.conf
# svcadm enable apache22
Port number and IP address have to be defined explicitly in httpd.conf, otherwise it will not work.
openssl s_client -connect server:443
CONNECTED(00000004)
depth=0 /C=DE/ST=Hamburg/L=Hamburg/CN=server
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=DE/ST=Hamburg/L=Hamburg/CN=server
verify return:1
---
Certificate chain
 0 s:/C=DE/ST=Hamburg/L=Hamburg/CN=server
   i:/C=DE/ST=Hamburg/L=Hamburg/CN=server
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICoTCCAgqgAwIBAgIJAKyJdj[...]V5jX3MU=
-----END CERTIFICATE-----
subject=/C=DE/ST=Hamburg/L=Hamburg/CN=server
issuer=/C=DE/ST=Hamburg/L=Hamburg/CN=server
---
No client certificate CA names sent
---
SSL handshake has read 817 bytes and written 328 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-SHA
    Session-ID: 32CEF20CB9FE2A71C74D40BB2DB5CB304DA1B57540B7CFDD113915B99DBE9812
    Session-ID-ctx:
    Master-Key: 1E7B502390951124779C5763B5E4BBAF0A9B0693D08DCA8A587B503A5C5027B6FAD9CA7626B1AD8C62219E8502A5C21E
    Key-Arg   : None
    Start Time: 1242985143
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
GET / HTTP/1.0

HTTP/1.1 200 OK
Date: Fri, 22 May 2009 09:39:13 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8a DAV/2
Last-Modified: Thu, 21 May 2009 21:26:30 GMT
ETag: "341f3-2c-46a72cc211a8f"
Accept-Ranges: bytes
Content-Length: 44
Connection: close
Content-Type: text/html

<html><body><h1>It works!</h1></body></html>
read:errno=0
ZFS Encryption

# zfs create -o encryption=on rpool/export/project

wrapping key (user settable)
encryption key (random, not user settable)
keysource for the wrapping key: prompt, file://, https://, pkcs11:

Algorithms: aes-128-ccm (=on), aes-192-ccm, aes-256-ccm, aes-128-gcm, aes-192-gcm, aes-256-gcm
# zfs set checksum=sha256+mac <dataset>
If encryption is not off, something like this happens automatically. This property is read-only from now on.
# pktool genkey keystore=pkcs11 keytype=aes keylen=128 label=mykey
Enter PIN for Sun Software PKCS#11 softtoken:
# zfs create -o encryption=on -o keysource=raw,pkcs11:object=mykey tank/project/C
Enter PKCS#11 token PIN for 'tank/project/C':

# zfs create -o encryption=on -o keysource=raw,https://keys.example.com/mykey tank/project/R
# cp myserver.cert.pem /etc/certs/CA/
# svcadm refresh ca-certificates
$ zfs key -c rpool/export/project
Enter new passphrase for 'rpool/export/project':
Changing the wrapping key
# zfs key -K tank/project/A
# zfs clone -K tank/project/A@montag tank/project/D
Changing the encryption key for data written from now on.
Creates a new data encryption key. Data written in the clone uses the new data encryption key, which is distinct from the one of its original snapshot.
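The difference between `zfs key -c` and `zfs key -K` is easier to see in code than in two one-liners. The following is an added example, not ZFS or Oracle code: it models one encrypted dataset with random data-encryption keys (DEKs) that are wrapped under a passphrase-derived wrapping key. Changing the wrapping key re-wraps the DEKs and leaves every stored block untouched; minting a new DEK only affects blocks written afterwards. AES-CCM/GCM is replaced by an HMAC-SHA256 counter-mode stream with an HMAC tag, purely so the script needs nothing outside the standard library; that stand-in is an assumption of the example and not a cipher to reuse.

```python
"""Toy model of the ZFS encryption key hierarchy (added example, not ZFS code)."""
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key, nonce, length):
    """Deterministic stream from (key, nonce): HMAC-SHA256 in counter mode.
    Stand-in for AES-CCM/GCM so the example runs with the standard library only."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def seal(key, plaintext):
    """nonce || ciphertext || tag, with tag = HMAC(key, nonce || ciphertext)."""
    nonce = os.urandom(NONCE_LEN)
    ct = _xor(plaintext, _keystream(key, nonce, len(plaintext)))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_(key, blob):
    """Verify the tag first; a wrong key or a corrupted blob raises ValueError."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong wrapping key or corrupted blob")
    return _xor(ct, _keystream(key, nonce, len(ct)))


def derive_wrapping_key(passphrase, salt):
    """keysource=passphrase: the wrapping key is derived on demand, never stored."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 50_000)


class EncryptedDataset:
    """One dataset: a table of wrapped DEKs plus the blocks written under them."""

    def __init__(self, passphrase):
        self.salt = os.urandom(16)
        self.wrapped = {}      # DEK id -> DEK sealed under the current wrapping key
        self.blocks = []       # (DEK id, data sealed under that DEK), one per write
        self.current = None
        self._wk = derive_wrapping_key(passphrase, self.salt)
        self.new_data_key()

    def new_data_key(self):
        """Like `zfs key -K`: mint a random DEK; data written from now on uses it."""
        dek_id = len(self.wrapped)
        self.wrapped[dek_id] = seal(self._wk, os.urandom(32))   # random, not user settable
        self.current = dek_id
        return dek_id

    def write(self, data):
        dek = open_(self._wk, self.wrapped[self.current])
        self.blocks.append((self.current, seal(dek, data)))

    def change_wrapping_key(self, old_passphrase, new_passphrase):
        """Like `zfs key -c`: unwrap every DEK with the old key and re-wrap it
        under the new one. self.blocks is not touched: no data is re-encrypted."""
        old_wk = derive_wrapping_key(old_passphrase, self.salt)
        deks = {i: open_(old_wk, blob) for i, blob in self.wrapped.items()}  # raises on wrong key
        self.salt = os.urandom(16)
        self._wk = derive_wrapping_key(new_passphrase, self.salt)
        self.wrapped = {i: seal(self._wk, dek) for i, dek in deks.items()}

    def read_all(self, passphrase):
        """Unlock with the passphrase, then decrypt each block with the DEK it names."""
        wk = derive_wrapping_key(passphrase, self.salt)
        deks = {i: open_(wk, blob) for i, blob in self.wrapped.items()}
        return [open_(deks[i], blob) for i, blob in self.blocks]


def unlocks(dataset, passphrase):
    """True when the passphrase unwraps every DEK, i.e. what a key load checks."""
    try:
        dataset.read_all(passphrase)
        return True
    except ValueError:
        return False
```

Run it and compare `dataset.blocks` before and after `change_wrapping_key`: the ciphertexts are identical, only the wrapped-key table changed. After `new_data_key`, older blocks still name the old DEK id, which is why a clone created with `-K` shares its snapshot's data but writes new data under a different key.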
Solaris Cryptographic Framework

As soon as Solaris detects hardware acceleration for cryptography, Solaris will use it (and so do applications using the Oracle-supplied OpenSSL library or the direct interfaces):
• on-chip crypto accelerator in T-series and current M-series chips
• instruction set extensions in Intel processors (AES-NI)
• supported crypto accelerator cards
Just a side-note: T-series crypto acceleration and Intel x86 acceleration have pretty different performance characteristics.
T-series: acceleration by offloading crypto outside the pipeline.
Intel x86: acceleration by offering special in-pipeline instructions to accelerate execution.
Sounds like splitting hairs.
Using ZFS to do two-factor encryption
jmoekamp@solaris:~$ rmformat
Looking for devices...
     1. Logical Node: /dev/rdsk/c10t0d0p0
        Physical Node: /pci@0,0/pci8086,265c@b/storage@2/disk@0,0
        Connected Device: SanDisk  U3 Cruzer Micro  8.02
        Device Type: Removable
        Bus: USB
        Size: 3.8 GB
        Label:
        Access permissions: Medium is not write protected.
(...)
     3. Logical Node: /dev/rdsk/c9t0d0p0
        Physical Node: /pci@0,0/pci8086,265c@b/storage@1/disk@0,0
        Connected Device: SanDisk  U3 Cruzer Micro  8.02
        Device Type: Removable
        Bus: USB
        Size: 3.8 GB
        Label:
        Access permissions: Medium is not write protected.

root@solaris:~# zpool create a_keystore_usbstick /dev/dsk/c10t0d0p0
root@solaris:~# zpool create datastore /dev/dsk/c9t0d0p0

root@solaris:~# zfs create -o encryption=on a_keystore_usbstick/keys
Enter passphrase for 'a_keystore_usbstick/keys': supersecret
Enter again: supersecret

root@solaris:~# pktool genkey keystore=file keytype=aes keylen=128 outkey=/a_keystore_usbstick/keys/joergsdatastick.key

root@solaris:~# zfs create -o encryption=on -o keysource=raw,file:///a_keystore_usbstick/keys/joergsdatastick.key datastick/joergssecrets

root@solaris:/datastick/joergssecrets# mv /home/jmoekamp/highlyconfidential_nda_presos.tgz .

root@solaris:~# zpool export a_keystore_usbstick
root@solaris:~# zpool export datastick

root@solaris:~# zpool import a_keystore_usbstick
Enter passphrase for 'a_keystore_usbstick/keys': supersecret
root@solaris:~#

root@solaris:~# zpool import datastick
root@solaris:~# cd /datastick/joergssecrets
root@solaris:/datastick/joergssecrets# ls
highconfidential_nda_presos.tgz
Basic Auditing and Reporting Tool

# mkdir /bart-files
# bart create -R /etc > /bart-files/etc.control.manifest

# cat /bart-files/etc.control.manifest | grep nsswitch.nisplus
/nsswitch.nisplus F 2525 100644 user::rw-,group::r--,mask:r--,other:r-- 473976b5 0 3 79e8fd689a5221d1cd059e5077da71b8

# touch /etc/thisisjustatest
# chmod 777 /etc/nsswitch.files
# echo "just a test" >> /etc/nsswitch.nisplus

# bart create -R /etc > /bart-files/etc.check.20130911.manifest

# cd /bart-files
# bart compare etc.control.manifest etc.check.20130911.manifest
/nsswitch.files:
  mode  control:100644  test:100777
  acl  control:user::rw-,group::r--,mask:r--,other:r--  test:user::rwx,group::rwx,mask:rwx,other:rwx
/nsswitch.nisplus:
  size  control:2525  test:2538
  mtime  control:473976b5  test:47a44862
  contents  control:79e8fd689a5221d1cd059e5077da71b8  test:3f79176ec352441db11ec8a3d02ef67c
/thisisjustatest:
  add
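To make the manifest format and the compare logic concrete, here is an added example (not bart's own code) that parses two BART manifests and produces the same kind of report as `bart compare`. The manifest layout follows the line shown above (`fname type size mode acl mtime uid gid contents`, directories without the `contents` field, header and `# Format:` lines starting with `!` or `#`); the two sample manifests are constructed from the values on the slides, with made-up hashes for the entries the slides do not show.

```python
"""Parse BART manifests and diff them like `bart compare` (added example)."""

FILE_FIELDS = ("type", "size", "mode", "acl", "mtime", "uid", "gid", "contents")
DIR_FIELDS = ("type", "size", "mode", "acl", "mtime", "uid", "gid")

# Constructed control manifest: the nsswitch.nisplus line is the one from the
# slide, the other entries (and their hashes) are made up for the example.
CONTROL = """\
! Version 1.1
# Format: fname D size mode acl dirmtime uid gid
# Format: fname F size mode acl mtime uid gid contents
/ D 1024 40755 user::rwx,group::r-x,mask:r-x,other:r-x 4739768c 0 3
/nsswitch.files F 2525 100644 user::rw-,group::r--,mask:r--,other:r-- 473976b5 0 3 3d7e2e4de4a9b8dbd9a37ed6f9a5c0a1
/nsswitch.nisplus F 2525 100644 user::rw-,group::r--,mask:r--,other:r-- 473976b5 0 3 79e8fd689a5221d1cd059e5077da71b8
/passwd F 1234 100644 user::rw-,group::r--,mask:r--,other:r-- 473976b5 0 3 0a1b2c3d4e5f60718293a4b5c6d7e8f9
"""

# Constructed test manifest after the touch/chmod/echo from the slide; /passwd
# is left out to show how a removed file is reported.
TEST = """\
! Version 1.1
/ D 1024 40755 user::rwx,group::r-x,mask:r-x,other:r-x 4739768c 0 3
/nsswitch.files F 2525 100777 user::rwx,group::rwx,mask:rwx,other:rwx 473976b5 0 3 3d7e2e4de4a9b8dbd9a37ed6f9a5c0a1
/nsswitch.nisplus F 2538 100644 user::rw-,group::r--,mask:r--,other:r-- 47a44862 0 3 3f79176ec352441db11ec8a3d02ef67c
/thisisjustatest F 0 100644 user::rw-,group::r--,mask:r--,other:r-- 47a44860 0 0 d41d8cd98f00b204e9800998ecf8427e
"""


def parse_manifest(text):
    """Return {path: {attribute: value}} for every entry in a manifest."""
    entries = {}
    for line in text.splitlines():
        if not line or line[0] in "!#":          # header and format comments
            continue
        parts = line.split()
        fields = FILE_FIELDS if parts[1] == "F" else DIR_FIELDS
        if len(parts) - 1 != len(fields):
            raise ValueError("malformed manifest line: %r" % line)
        entries[parts[0]] = dict(zip(fields, parts[1:]))
    return entries


def compare_manifests(control, test):
    """{path: 'add' | 'delete' | [(attribute, control value, test value), ...]}.
    Entries that are identical in both manifests are not reported."""
    report = {}
    for path in sorted(set(control) | set(test)):
        if path not in control:
            report[path] = "add"
        elif path not in test:
            report[path] = "delete"
        else:
            diffs = [(attr, control[path][attr], test[path].get(attr))
                     for attr in control[path]
                     if test[path].get(attr) != control[path][attr]]
            if diffs:
                report[path] = diffs
    return report


def format_report(report):
    """Render the report in the layout `bart compare` prints."""
    lines = []
    for path, change in report.items():
        lines.append(path + ":")
        if isinstance(change, str):
            lines.append("  " + change)
        else:
            for attr, ctl, tst in change:
                lines.append("  %s  control:%s  test:%s" % (attr, ctl, tst))
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(compare_manifests(parse_manifest(CONTROL), parse_manifest(TEST))))
```

A real control manifest should be stored off the host (or on read-only media), since an attacker who can modify `/etc` can also regenerate the manifest that is supposed to catch the modification.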
Find more information regarding this feature at http://www.c0t0d0s0.org/archives/4069-Less-known-Solaris-features-BART.html

Apropos Auditing

Auditing is activated by default.
root@client:~# auditconfig -getflags
active user default audit flags = lo(0x1000,0x1000)
configured user default audit flags = lo(0x1000,0x1000)
root@client:~# auditconfig -getnaflags
active non-attributable audit flags = lo(0x1000,0x1000)
configured non-attributable audit flags = lo(0x1000,0x1000)

root@client:~# auditconfig -getpolicy
configured audit policies = cnt
active audit policies = cnt
Policy regarding auditing (explanation on the next slide)

root@client:~# auditconfig -lspolicy
policy string    description
ahlt             halt machine if it can not record an async event
all              all policies
arge             include exec environment args in audit recs
argv             include exec command line args in audit recs
cnt              when no more space, drop recs and keep a cnt
group            include supplementary groups in audit recs
none             no policies
path             allow multiple paths per event
perzone          use a separate queue and auditd per zone
public           audit public files
seq              include a sequence number in audit recs
trail            include trailer token in audit recs
windata_down     include downgraded window information in audit recs
windata_up       include upgraded window information in audit recs
zonename         include zonename token in audit recs
Which degree of detail? What happens with full disks?

root@client:~# auditconfig -getplugin
Plugin: audit_binfile (active)
        Attributes: p_dir=/var/audit;p_fsize=0;p_minfree=1;

Plugin: audit_syslog (inactive)
        Attributes: p_flags=;

Plugin: audit_remote (inactive)
        Attributes: p_hosts=;p_retries=3;p_timeout=5;
root@client:~# auditconfig -setflags lo,ps,fw
user default audit flags = ps,lo,fw(0x101002,0x101002)
root@client:~# auditconfig -setnaflags lo,na
non-attributable audit flags = lo,na(0x1400,0x1400)
lo and na are the only sensible flags for non-attributable events.

root@client:~# usermod -K audit_flags=fw,as junior
root@client:~# auditconfig -lsevent | grep lo
AUE_login                6152 lo   login - local
AUE_logout               6153 lo   logout
AUE_telnet               6154 lo   login - telnet
AUE_rlogin               6155 lo   login - rlogin
AUE_rshd                 6158 lo   rsh access
AUE_su                   6159 lo   su
AUE_rexecd               6162 lo   rexecd
AUE_passwd               6163 lo   passwd
AUE_rexd                 6164 lo   rexd
AUE_ftpd                 6165 lo   ftp access
AUE_ftpd_logout          6171 lo   ftp logout
AUE_ssh                  6172 lo   login - ssh
AUE_role_login           6173 lo   role login
AUE_rad_login            6174 lo   connect to RAD
AUE_newgrp_login         6212 lo   newgrp login
AUE_admin_authenticate   6213 lo   admin login
AUE_screenlock           6221 lo   screenlock - lock
AUE_screenunlock         6222 lo   screenlock - unlock
AUE_zlogin               6227 lo   login - zlogin
AUE_su_logout            6228 lo   su logout
AUE_role_logout          6229 lo   role logout
AUE_smbd_session         6244 lo   smbd(1m) session setup
AUE_smbd_logoff          6245 lo   smbd(1m) session logoff

root@client:~# auditconfig -lsevent | grep ps
AUE_EXIT                    1 ps   exit(2)
AUE_FORKALL                 2 ps   forkall(2)
AUE_VFORK                  25 ps   vfork(2)
AUE_FORK1                 241 ps   fork1(2)
root@client:~# auditconfig -lsevent | grep fw
AUE_OPEN_W                 76 fw   open(2) - write

# auditreduce -c ps /var/audit/20130912183630.not_terminated.client | praudit
header,139,2,execve(2),,client,2013-09-12 18:40:55.924 +00:00
path,/usr/sbin/auditreduce
attribute,100555,root,bin,65538,65875,18446744073709551615
subject,jmoekamp,root,root,root,root,2054,1440080956,2480 202240 192.168.10.1
return,success,0
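Reading praudit output by eye does not scale, so here is an added example (not part of the slides, and not Solaris code) that parses the default praudit text format into records and pulls out two things a defender looks for first: records whose audit ID (the user who originally logged in) differs from the effective uid, and records that failed. The token layout follows the execve(2) record above; the three sample records are constructed, modelled on it.

```python
"""Parse praudit text output and filter records (added example)."""

# Constructed sample, modelled on the execve(2) record on the slide: one
# command run by jmoekamp after becoming root, two run by junior directly.
SAMPLE = """\
header,139,2,execve(2),,client,2013-09-12 18:40:55.924 +00:00
path,/usr/sbin/auditreduce
attribute,100555,root,bin,65538,65875,18446744073709551615
subject,jmoekamp,root,root,root,root,2054,1440080956,2480 202240 192.168.10.1
return,success,0
header,120,2,execve(2),,client,2013-09-12 18:41:02.110 +00:00
path,/usr/bin/ls
attribute,100555,root,bin,65538,65900,18446744073709551615
subject,junior,junior,staff,junior,staff,2077,1440080957,2480 202240 192.168.10.1
return,success,0
header,120,2,execve(2),,client,2013-09-12 18:41:10.500 +00:00
path,/usr/sbin/auditconfig
attribute,100555,root,bin,65538,65901,18446744073709551615
subject,junior,junior,staff,junior,staff,2078,1440080957,2480 202240 192.168.10.1
return,failure: Permission denied,-1
"""

HEADER_FIELDS = ("size", "version", "event", "modifier", "host", "time")
SUBJECT_FIELDS = ("auid", "uid", "gid", "ruid", "rgid", "pid", "sid", "tid")


def parse_praudit(text):
    """Split praudit text into records; each record is a dict of tokens.

    A record starts at a header token. path tokens are collected in a list
    because one record may carry several; the last field of header, subject
    and return tokens may contain commas, hence the bounded splits."""
    records, current = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        token, _, rest = line.partition(",")
        if token == "header":
            current = {"header": dict(zip(HEADER_FIELDS, rest.split(",", 5))), "path": []}
            records.append(current)
        elif current is None:
            raise ValueError("token before first header: %r" % line)
        elif token == "path":
            current["path"].append(rest)
        elif token == "subject":
            current["subject"] = dict(zip(SUBJECT_FIELDS, rest.split(",", 7)))
        elif token == "return":
            status, _, value = rest.rpartition(",")
            current["return"] = {"status": status, "value": value}
        else:
            current[token] = rest          # attribute, text, ... kept verbatim
    return records


def identity_changed(records):
    """Records whose audit ID differs from the effective uid: actions taken
    after su or role assumption, attributed to the original login."""
    return [r for r in records
            if "subject" in r and r["subject"]["auid"] != r["subject"]["uid"]]


def failed(records):
    """Records whose return token is anything but success."""
    return [r for r in records if r.get("return", {}).get("status") != "success"]


def summarize(record):
    """One line per record, the way a log review wants to see it."""
    h, s = record["header"], record["subject"]
    return "%s %s auid=%s uid=%s %s %s" % (
        h["time"], h["event"], s["auid"], s["uid"],
        " ".join(record["path"]), record["return"]["status"])


if __name__ == "__main__":
    recs = parse_praudit(SAMPLE)
    for r in identity_changed(recs) + failed(recs):
        print(summarize(r))
```

The audit ID is the property that makes this useful: it is set at login and survives `su`, so `auid=jmoekamp uid=root` ties a root action back to the person, which a plain process listing cannot do.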
root@client:~# auditconfig -setflags all
user default audit flags = all(0xffffffffffffffff,0xffffffffffffffff)
Not always (in the sense of: never) a good idea.
Useful after trying it out, to start a new audit file:
root@client:~# audit -n

root@client:~# auditstat
   gen  nona  kern   aud   ctl   enq  wrtn  wblk  rblk  drop   tot   mem
 38248     1 38233    14     0 37791 37788     0  3491   457  5169     0
"all" activated for a few seconds on an unloaded system.
SSH and X.509

root@ca:~# CA.pl -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
++++++++++++
writing new private key to '/etc/openssl/private/cakey.pem'
Enter PEM pass phrase: supersecret1
Verifying - Enter PEM pass phrase: supersecret1
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:DE
State or Province Name (full name) []:Lower Saxony
Locality Name (eg, city) []:Lueneburg
Organization Name (eg, company) []:c0t0d0s0.org
Organizational Unit Name (eg, section) []:Security Department
Common Name (eg, server FQDN or YOUR name) []:CA
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openssl/openssl.cnf
Enter pass phrase for /etc/openssl/private/cakey.pem: supersecret1
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            b3:54:80:88:66:ad:e8:78
        Validity
            Not Before: Sep 26 10:11:09 2013 GMT
            Not After : Sep 25 10:11:09 2016 GMT
        Subject:
            countryName               = DE
            stateOrProvinceName       = Lower Saxony
            organizationName          = c0t0d0s0.org
            organizationalUnitName    = Security Department
            commonName                = CA
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44
            X509v3 Authority Key Identifier:
                keyid:5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44

            X509v3 Basic Constraints:
                CA:TRUE
Certificate is to be certified until Sep 25 10:11:09 2016 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated
root@ca:~# mkdir server
root@ca:~# cd server
root@ca:~/server# CA.pl -newreq
Generating a 1024 bit RSA private key
++++++++++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase: supersecret2
Verifying - Enter PEM pass phrase: supersecret2
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:DE
State or Province Name (full name) []:Lower Saxony
Locality Name (eg, city) []:Lueneburg
Organization Name (eg, company) []:c0t0d0s0.org
Organizational Unit Name (eg, section) []:Server Certificates
Common Name (eg, server FQDN or YOUR name) []:server
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem

root@ca:~/server# CA.pl -signreq
Using configuration from /etc/openssl/openssl.cnf
Enter pass phrase for /etc/openssl/private/cakey.pem: supersecret1
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            b3:54:80:88:66:ad:e8:79
        Validity
            Not Before: Sep 26 10:29:12 2013 GMT
            Not After : Sep 26 10:29:12 2014 GMT
        Subject:
            countryName               = DE
            stateOrProvinceName       = Lower Saxony
            localityName              = Lueneburg
            organizationName          = c0t0d0s0.org
            organizationalUnitName    = Server Certificates
            commonName                = server
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                A7:DC:03:DE:B3:D5:FB:F9:C0:06:F1:1A:55:A9:AD:04:C4:9C:10:FA
            X509v3 Authority Key Identifier:
                keyid:5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44

Certificate is to be certified until Sep 26 10:29:12 2014 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
root@ca:~/server# ls -l
total 15
-rw-r--r--   1 root     root        3196 Sep 26 12:29 newcert.pem
-rw-r--r--   1 root     root        1041 Sep 26 12:28 newkey.pem
-rw-r--r--   1 root     root         680 Sep 26 12:28 newreq.pem
root@ca:~/junior# CA.pl -newreq
Generating a 1024 bit RSA private key
++++++++++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
Verify failure
Enter PEM pass phrase: supersecret3
Verifying - Enter PEM pass phrase: supersecret3
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:DE
State or Province Name (full name) []:Lower Saxony
Locality Name (eg, city) []:Lueneburg
Organization Name (eg, company) []:c0t0d0s0.org
Organizational Unit Name (eg, section) []:User certificates
Common Name (eg, server FQDN or YOUR name) []:junior
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem

root@ca:~/junior# CA.pl -signreq
Using configuration from /etc/openssl/openssl.cnf
Enter pass phrase for /etc/openssl/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            b3:54:80:88:66:ad:e8:7a
        Validity
            Not Before: Sep 26 11:09:29 2013 GMT
            Not After : Sep 26 11:09:29 2014 GMT
        Subject:
            countryName               = DE
            stateOrProvinceName       = Lower Saxony
            localityName              = Lueneburg
            organizationName          = c0t0d0s0.org
            organizationalUnitName    = User certificates
            commonName                = junior
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                A1:F2:FC:9D:8A:E2:AD:9A:F5:29:03:F5:B7:14:93:3C:64:62:8E:9C
            X509v3 Authority Key Identifier:
                keyid:5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44

Certificate is to be certified until Sep 26 11:09:29 2014 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
root@server:~# useradd -m junior
80 blocks
root@server:~# passwd junior
New Password:
Re-enter new Password:
passwd: password successfully changed for junior
root@server:~#

root@client:~# useradd -m junior
80 blocks
root@client:~# passwd junior
New Password:
Re-enter new Password:
passwd: password successfully changed for junior

root@server:~# echo "192.168.10.51 server" >> /etc/hosts
root@server:~# echo "192.168.10.52 client" >> /etc/hosts

root@client:~# echo "192.168.10.51 server" >> /etc/hosts
root@client:~# echo "192.168.10.52 client" >> /etc/hosts

root@ca:~/server# scp /etc/openssl/cacert.pem jmoekamp@192.168.10.109:/export/home/jmoekamp
Password:
cacert.pem           100% |*****************************|  3011       00:00
root@ca:~/server# scp newcert.pem jmoekamp@192.168.10.109:/export/home/jmoekamp
Password:
newcert.pem          100% |*****************************|  3196       00:00
root@ca:~/server# scp newkey.pem jmoekamp@192.168.10.109:/export/home/jmoekamp
Password:
newkey.pem           100% |*****************************|  1041       00:00

root@ca:~/junior# scp newkey.pem junior@client:/export/home/junior
Password:
newkey.pem           100% |*****************************|  1041       00:00
root@ca:~/junior# scp newcert.pem junior@client:/export/home/junior
Password:
newcert.pem          100% |*****************************|  3190       00:00
root@ca:~/junior# scp /etc/openssl/cacert.pem junior@192.168.10.104:/export/home/junior
Password:
cacert.pem           100% |*****************************|  3011       00:00
On the Server

root@server:~# ls
cacert.pem   newcert.pem  newkey.pem

root@server:~# pktool setpin
Enter token passphrase: changeme
Create new passphrase: superserversecret
Re-enter new passphrase: superserversecret
Passphrase changed.
root@server:~#

root@server:~# printf "superserversecret" > /etc/ssh/pinfile

root@server:~# kmfcfg create dbfile=/etc/ssh/policy.xml policy=ssh ta-name=search mapper-name=cn

root@server:~# echo "TrustedAnchorKeystore /etc/ssh/cert" >> /etc/ssh/sshd_config
root@server:~# echo "KMFPolicyDatabase /etc/ssh/policy.xml" >> /etc/ssh/sshd_config
root@server:~# echo "KMFPolicyName ssh" >> /etc/ssh/sshd_config
root@server:~# echo "HostKey pkcs11:object=host;token=Sun Metaslot;pinfile=/etc/ssh/pinfile" >> /etc/ssh/sshd_config

root@server:~# pktool import keystore=pkcs11 infile=newkey.pem objtype=key label=host
Enter PIN for Sun Software PKCS#11 softtoken: superserversecret
Enter PEM pass phrase: supersecret2
Importing 1 keys

root@server:~# egrep -v '^ |^$|^Cert' /export/home/jmoekamp/cacert.pem > /etc/ssh/cert/cacert.cooked.pem
root@server:~# egrep -v '^ |^$|^Cert' newcert.pem > newcert.cooked.pem
root@server:~# pktool import keystore=pkcs11 infile=newcert.cooked.pem objtype=cert label=host
root@server:~#
On the client

junior@client:~$ ls *.pem
cacert.pem   newcert.pem  newkey.pem

root@client:~# kmfcfg create dbfile=/etc/ssh/policy.xml policy=ssh ta-name=search mapper-name=cn
root@client:~# egrep -v '^ |^$|^Cert' /export/home/junior/cacert.pem > /etc/ssh/cert/cacert.cooked.pem

junior@client:~$ pktool setpin
Enter token passphrase: changeme
Create new passphrase: superusersecret
Re-enter new passphrase: superusersecret
Passphrase changed.

junior@client:~$ pktool import keystore=pkcs11 infile=newkey.pem objtype=key label=user
Enter PIN for Sun Software PKCS#11 softtoken: superusersecret
Enter PEM pass phrase: supersecret3
Importing 1 keys
junior@client:~$ egrep -v '^ |^$|^Cert' newcert.pem > newcert.cooked.pem
junior@client:~$ pktool import keystore=pkcs11 infile=newcert.cooked.pem objtype=cert label=user
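The `egrep -v '^ |^$|^Cert'` step on both machines strips the human-readable dump that CA.pl writes in front of the PEM block, leaving only what pktool should import. The following is an added example, not code from the slides: it does the same clean-up by keying on the BEGIN/END markers rather than on line shapes, and additionally checks that the body is valid base64 and decodes to a DER SEQUENCE, so a wrong file fails here rather than inside pktool. The sample file is constructed; its PEM body is a minimal DER SEQUENCE standing in for a real certificate.

```python
"""Reduce a certificate file to its bare PEM block(s) before import (added example)."""
import base64
import re

# Constructed sample: the text dump CA.pl -signreq leaves in front of the PEM
# block, followed by a placeholder body (a 5-byte DER SEQUENCE, not a real cert).
SAMPLE_CERT_FILE = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            b3:54:80:88:66:ad:e8:79
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=DE, ST=Lower Saxony, O=c0t0d0s0.org, OU=Security Department, CN=CA

-----BEGIN CERTIFICATE-----
MAMCAQU=
-----END CERTIFICATE-----
"""


def cook_pem(text, kind="CERTIFICATE"):
    """Return only the PEM block(s) of the given kind, one per line group.

    Raises ValueError when no block is present, the base64 is malformed, or
    the decoded bytes do not start with a DER SEQUENCE tag (0x30), which
    every X.509 certificate and PKCS#8/PKCS#1 key does."""
    marker = re.compile(
        r"-----BEGIN %s-----\r?\n(.*?)\r?\n-----END %s-----" % (kind, kind), re.S)
    blocks = []
    for body in marker.findall(text):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError as exc:               # binascii.Error is a ValueError
            raise ValueError("PEM body is not valid base64: %s" % exc)
        if not der or der[0] != 0x30:
            raise ValueError("PEM body does not decode to a DER SEQUENCE")
        blocks.append("-----BEGIN %s-----\n%s\n-----END %s-----\n"
                      % (kind, body.strip(), kind))
    if not blocks:
        raise ValueError("no %s block found" % kind)
    return "".join(blocks)


def is_importable(text, kind="CERTIFICATE"):
    """Convenience check: can cook_pem() produce something for this file?"""
    try:
        cook_pem(text, kind)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(cook_pem(SAMPLE_CERT_FILE), end="")
```

Because the function is keyed on the markers, it also works for files where the preamble does not start with "Cert" or with a space, which is where the egrep pattern would silently pass junk through.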
Testing it

root@server:~# svcadm disable ssh
root@server:~# svcadm enable ssh

junior@client:~$ cd .ssh
junior@client:~/.ssh$ printf "superusersecret" >> pinfile
junior@client:~/.ssh$ cat config
Host server-x509
    Hostname server
    TrustedAnchorKeystore /etc/ssh/cert
    KMFPolicyDatabase /etc/ssh/policy.xml
    KMFPolicyName ssh
    IdentityFile pkcs11:object=user;token=Sun Software PKCS#11 softtoken;pinfile=/export/home/junior/.ssh/pinfile

junior@client:~/.ssh$ ssh junior@server-x509
Last login: Thu Sep 26 20:07:14 2013 from client
Oracle Corporation      SunOS 5.11      11.1    September 2013
junior@server:~$

Find more information regarding this feature at http://www.c0t0d0s0.org/archives/7659-Using-X509-support-for-SSH-on-Solaris-11.1.html
OpenSCAP

"The Security Content Automation Protocol (SCAP) is a method for using specific standards to enable automated vulnerability management, measurement, and policy compliance evaluation (e.g., FISMA compliance). The National Vulnerability Database (NVD) is the U.S. government content repository for SCAP."
http://en.wikipedia.org/wiki/Security_Content_Automation_Protocol
ftp-banner.xml

<?xml version="1.0" encoding="UTF-8"?>
<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:independent-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd">
  <generator>
    <oval:product_name>Enhanced SCAP Editor</oval:product_name>
    <oval:product_version>0.0.11</oval:product_version>
    <oval:schema_version>5.8</oval:schema_version>
    <oval:timestamp>2012-10-11T10:33:25</oval:timestamp>
  </generator>
  <!--generated.oval.base.identifier=com.oracle.solaris11-->
  <definitions>
    <definition id="oval:com.oracle.solaris11:def:840" version="1" class="compliance">
      <metadata>
        <title>Enable a Warning Banner for the FTP Service</title>
        <affected family="unix">
          <platform>Oracle Solaris 11</platform>
        </affected>
        <description>/etc/proftpd.conf contains "DisplayConnect /etc/issue"</description>
      </metadata>
      <criteria operator="AND" negate="false" comment="Single test">
        <criterion comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;" test_ref="oval:com.oracle.solaris11:tst:8400" negate="false"/>
      </criteria>
    </definition>
  </definitions>
  <tests>
    <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:com.oracle.solaris11:tst:8400" version="1" check="all" comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;" check_existence="all_exist">
      <object object_ref="oval:com.oracle.solaris11:obj:8400"/>
    </textfilecontent54_test>
  </tests>
  <objects>
    <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:com.oracle.solaris11:obj:8400" version="1" comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;">
      <path datatype="string" operation="equals">/etc</path>
      <filename datatype="string" operation="equals">proftpd.conf</filename>
      <pattern datatype="string" operation="pattern match">^DisplayConnect\s+/etc/issue\s*$</pattern>
      <instance datatype="int" operation="greater than or equal">1</instance>
    </textfilecontent54_object>
  </objects>
</oval_definitions>

The object is the part that states what is actually checked on the file system:
    <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:com.oracle.solaris11:obj:8400" version="1" comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;">
      <path datatype="string" operation="equals">/etc</path>
      <filename datatype="string" operation="equals">proftpd.conf</filename>
      <pattern datatype="string" operation="pattern match">^DisplayConnect\s+/etc/issue\s*$</pattern>
      <instance datatype="int" operation="greater than or equal">1</instance>
    </textfilecontent54_object>

$ oscap oval eval ftp-banner.xml
Definition oval:com.oracle.solaris11:def:840: false
Evaluation done.

$ oscap oval eval --results results.xml --report report.html ftp-banner.xml
Definition oval:com.oracle.solaris11:def:840: false
Evaluation done.
OVAL Results are exported correctly.
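What oscap does with this definition can be reproduced in a few dozen lines, which also shows why a commented-out `# DisplayConnect` line does not satisfy the check. The following is an added example and not oscap code: it reads the definition above (trimmed to the elements the evaluator needs) with xml.etree, then applies the object's path, filename, pattern and instance to an in-memory stand-in for the file system, so the same definition can be run against a compliant and a non-compliant proftpd.conf offline. The instance handling is simplified to "at least N matches exist", which is all the `all_exist` test here needs.

```python
"""Minimal evaluator for an OVAL textfilecontent54 definition (added example)."""
import re
import xml.etree.ElementTree as ET

DEF_NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
IND_NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"
NS = {"d": DEF_NS, "ind": IND_NS}

# ftp-banner.xml from the slide, trimmed to the elements used below.
FTP_BANNER_XML = r"""<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
  <definitions>
    <definition id="oval:com.oracle.solaris11:def:840" version="1" class="compliance">
      <criteria operator="AND" negate="false" comment="Single test">
        <criterion test_ref="oval:com.oracle.solaris11:tst:8400" negate="false"/>
      </criteria>
    </definition>
  </definitions>
  <tests>
    <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:com.oracle.solaris11:tst:8400" version="1" check="all" check_existence="all_exist">
      <object object_ref="oval:com.oracle.solaris11:obj:8400"/>
    </textfilecontent54_test>
  </tests>
  <objects>
    <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:com.oracle.solaris11:obj:8400" version="1">
      <path datatype="string" operation="equals">/etc</path>
      <filename datatype="string" operation="equals">proftpd.conf</filename>
      <pattern datatype="string" operation="pattern match">^DisplayConnect\s+/etc/issue\s*$</pattern>
      <instance datatype="int" operation="greater than or equal">1</instance>
    </textfilecontent54_object>
  </objects>
</oval_definitions>
"""


def load_objects(root):
    """{object id: path/filename/pattern/instance} for every textfilecontent54_object."""
    objs = {}
    for o in root.iter("{%s}textfilecontent54_object" % IND_NS):
        inst = o.find("ind:instance", NS)
        objs[o.get("id")] = {
            "path": o.find("ind:path", NS).text,
            "filename": o.find("ind:filename", NS).text,
            "pattern": o.find("ind:pattern", NS).text,
            "instance": int(inst.text),
            "instance_op": inst.get("operation"),
        }
    return objs


def evaluate_object(obj, files):
    """files maps an absolute path to its text (stand-in for the file system).
    instance N (equals or greater-than-or-equal) is satisfied when the N-th
    match exists, i.e. when at least N lines match the pattern."""
    if obj["instance_op"] not in ("equals", "greater than or equal"):
        raise ValueError("unsupported instance operation: %s" % obj["instance_op"])
    text = files.get(obj["path"].rstrip("/") + "/" + obj["filename"])
    if text is None:
        return False                 # no such file: nothing can match
    hits = len(re.findall(obj["pattern"], text, re.M))
    return hits >= obj["instance"]


def evaluate(xml_text, files):
    """{definition id: bool}, combining criteria the way the definition says."""
    root = ET.fromstring(xml_text)
    objs = load_objects(root)
    tests = {t.get("id"): t.find("ind:object", NS).get("object_ref")
             for t in root.iter("{%s}textfilecontent54_test" % IND_NS)}
    results = {}
    for d in root.iter("{%s}definition" % DEF_NS):
        crit = d.find("d:criteria", NS)
        values = []
        for c in crit.findall("d:criterion", NS):
            v = evaluate_object(objs[tests[c.get("test_ref")]], files)
            values.append(not v if c.get("negate") == "true" else v)
        combined = all(values) if crit.get("operator", "AND") == "AND" else any(values)
        results[d.get("id")] = not combined if crit.get("negate") == "true" else combined
    return results


def format_results(results):
    """The one-line-per-definition output `oscap oval eval` prints."""
    return "\n".join("Definition %s: %s" % (k, str(v).lower()) for k, v in results.items())


if __name__ == "__main__":
    fs = {"/etc/proftpd.conf": 'ServerName "FTP"\nDisplayConnect /etc/issue\n'}
    print(format_results(evaluate(FTP_BANNER_XML, fs)))
```

The anchored pattern is what turns this into a real control: `^DisplayConnect` refuses a commented-out directive, and `\s*$` refuses a line that points the banner somewhere else.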
To create your own OVAL files: Enhanced SCAP Content Editor

Find more information regarding this feature at https://blogs.oracle.com/darren/entry/compliance_reporting_with_scap
junior@template:~$ vi /etc/apache2/2.2/httpd.conf

junior@template:~$ pfedit /etc/apache2/2.2/httpd.conf
pfedit: /etc/apache2/2.2/httpd.conf has been updated.

junior@template:~$ pfedit /etc/apache2/2.2/mime.types
pfedit: User junior is not authorized to edit the file /etc/apache2/2.2/mime.types

root@template:/etc/apache2/2.2# profiles -p "httpd edit"
profiles:httpd edit> info
        name=httpd edit
        desc=Edit httpd
        auths=solaris.admin.edit//etc/apache2/2.2/httpd.conf
profiles:httpd edit> add auths=solaris.admin.edit//etc/apache2/2.2/mime.types

junior@template:~$ pfedit /etc/apache2/2.2/mime.types
pfedit: no changes for /etc/apache2/2.2/mime.types

# profiles -p "httpd configure"
profiles:httpd configure> add always_audit=as
profiles:httpd configure> info
        name=httpd configure
        desc=Configure httpd
        auths=solaris.admin.edit//etc/apache2/2.2/httpd.conf,solaris.admin.edit//etc/apache2/2.2/mime.types
        always_audit=as
        never_audit=no
profiles:httpd configure> exit
root@template:~#

root@template:~# auditreduce -c as | praudit
[...]
header,486,2,edit administrative file,,fe80::a00:27ff:fea6:33cb,2013-08-12 07:45:52.306 +00:00
subject,junior,junior,staff,junior,staff,4212,447467166,369 136704 MacBook-Pro-of-c0t0d0s0.fritz.box
path,/etc/apache2/2.2/httpd.conf
use of authorization,solaris.admin.edit//etc/apache2/2.2/httpd.conf
text,--- /etc/apache2/2.2/httpd.conf Mo Aug 12 07:45:00 2013
+++ /etc/apache2/2.2/httpd.conf.pfedit.1BaGoi Mo Aug 12 07:45:52 2013
@@ -1,5 +1,6 @@
 # Test
 # Test 2
+# Test 3
 #
 # This is the main Apache HTTP server configuration file.  It contains the
 # configuration directives that give the server its instructions.
return,success,0
Delegating privilege to restart services (so you can keep the root password to yourself)

junior@template:~$ svcadm refresh apache22
svcadm: svc:/network/http:apache22: Permission denied.

# svcs -a | grep apache22
online         15:30:29 svc:/network/http:apache22

# auths add -t "Apache22 value" solaris.smf.value.http.apache22
# auths add -t "Apache22 action" solaris.smf.action.http.apache22

# svccfg -s apache22 setprop general/value_authorization = astring: solaris.smf.value.http.apache22
# svccfg -s apache22 setprop general/action_authorization = astring: solaris.smf.action.http.apache22

# profiles -p "httpd edit" "add auths=solaris.smf.action.http.apache22"

junior@template:~$ svcadm refresh apache22
junior@template:~$
Privileges

$ ls -l /usr/sbin/traceroute
-r-sr-xr-x   1 root     bin        42324 Nov 21 00:09 /usr/sbin/traceroute
$ ls -l /usr/sbin/ping
-r-sr-xr-x   1 root     bin        51396 Nov 18 19:31 /usr/sbin/ping
set-uid to root: ping needs it to work.

# chmod -s /sbin/ping
# exit
$ ping -s 192.168.1.132
ping: socket Permission denied
Remove the set-uid bit and ping stops working.

jmoekamp@daddelkiste:~$ ppriv $$
2153:   -bash
flags = <none>
        E: basic
        I: basic
        P: basic
        L: all
c0t0d0s0org53
contract_eventcontract_identitycontract_observercpc_cpudtrace_kerneldtrace_procdtrace_userfile_chownfile_chown_selffile_dac_executefile_dac_readfile_dac_searchfile_dac_writefile_downgrade_slfile_flag_setfile_link_anyfile_ownerfile_readfile_setidfile_upgrade_slfile_writegraphics_accessgraphics_mapipc_dac_readipc_dac_writeipc_ownernet_accessnet_bindmlpnet_icmpaccessnet_mac_awarenet_mac_implicitnet_observabilitynet_privaddrnet_rawaccessproc_auditproc_chrootproc_clock_highresproc_execproc_forkproc_infoproc_lock_memoryproc_ownerproc_priocntlproc_sessionproc_setidproc_taskidproc_zonesys_acctsys_adminsys_auditsys_configsys_devicessys_dl_configsys_flow_configsys_ib_configsys_ib_infosys_ip_configsys_ipc_configsys_iptun_configsys_linkdirsys_mountsys_net_configsys_nfssys_ppp_configsys_res_bindsys_res_configsys_resourcesys_sharesys_smbsys_suser_compatsys_timesys_trans_labelwin_colormapwin_configwin_dac_readwin_dac_writewin_deviceswin_dgawin_downgrade_slwin_fontpathwin_mac_readwin_mac_writewin_selectionwin_upgrade_sl
c0t0d0s0org54
contract_eventcontract_identitycontract_observercpc_cpudtrace_kerneldtrace_procdtrace_userfile_chownfile_chown_selffile_dac_executefile_dac_readfile_dac_searchfile_dac_writefile_downgrade_slfile_flag_setfile_link_anyfile_ownerfile_readfile_setidfile_upgrade_slfile_writegraphics_accessgraphics_mapipc_dac_readipc_dac_writeipc_ownernet_accessnet_bindmlpnet_icmpaccessnet_mac_awarenet_mac_implicitnet_observabilitynet_privaddrnet_rawaccessproc_auditproc_chrootproc_clock_highresproc_execproc_forkproc_infoproc_lock_memoryproc_ownerproc_priocntlproc_sessionproc_setidproc_taskidproc_zonesys_acctsys_adminsys_auditsys_configsys_devicessys_dl_configsys_flow_configsys_ib_configsys_ib_infosys_ip_configsys_ipc_configsys_iptun_configsys_linkdirsys_mountsys_net_configsys_nfssys_ppp_configsys_res_bindsys_res_configsys_resourcesys_sharesys_smbsys_suser_compatsys_timesys_trans_labelwin_colormapwin_configwin_dac_readwin_dac_writewin_deviceswin_dgawin_downgrade_slwin_fontpathwin_mac_readwin_mac_writewin_selectionwin_upgrade_sl
All privileges in their entirety assigned to one user are
(almost)
c0t0d0s0org55
Neat extension in Solaris 11: the ability to use networking is now a privilege (net_access). It's part of the default set of privileges, but you can remove it.
c0t0d0s0org56
jmoekamp@daddelkiste:~$ ppriv -v $$
2153:	-bash
flags = <none>
	E: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
	I: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
	P: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
	L: contract_event,contract_identity,contract_observer,cpc_cpu,dtrace_kernel,dtrace_proc,dtrace_user,file_chown,file_chown_self,file_dac_execute,file_dac_read,file_dac_search,file_dac_write,file_downgrade_sl,file_flag_set,file_link_any,file_owner,file_read,file_setid,file_upgrade_sl,file_write,graphics_access,graphics_map,ipc_dac_read,ipc_dac_write,ipc_owner,net_access,net_bindmlp,net_icmpaccess,net_mac_aware,net_mac_implicit,net_observability,net_privaddr,net_rawaccess,proc_audit,proc_chroot,proc_clock_highres,proc_exec,proc_fork,proc_info,proc_lock_memory,proc_owner,proc_priocntl,proc_session,proc_setid,proc_taskid,proc_zone,sys_acct,sys_admin,sys_audit,sys_config,sys_devices,sys_dl_config,sys_flow_config,sys_ib_config,sys_ib_info,sys_ip_config,sys_ipc_config,sys_iptun_config,sys_linkdir,sys_mount,sys_net_config,sys_nfs,sys_ppp_config,sys_res_bind,sys_res_config,sys_resource,sys_share,sys_smb,sys_suser_compat,sys_time,sys_trans_label,win_colormap,win_config,win_dac_read,win_dac_write,win_devices,win_dga,win_downgrade_sl,win_fontpath,win_mac_read,win_mac_write,win_selection,win_upgrade_sl
c0t0d0s0org57
root@daddelkiste:~# ppriv $$
2183:	-bash
flags = <none>
	E: all
	I: basic
	P: all
	L: all
c0t0d0s0org58
junior@daddelkiste:~$ dtrace -n 'syscall:::entry { @num[execname] = count(); }'
dtrace: failed to initialize dtrace: DTrace requires additional privileges
c0t0d0s0org59
root@daddelkiste:~# usermod -K defaultpriv=basic,dtrace_kernel,dtrace_proc,dtrace_user junior
UX: usermod: junior is currently logged in, some changes may not take effect until next login.
c0t0d0s0org60
junior@daddelkiste:~$ dtrace -n 'syscall:::entry { @num[execname] = count(); }'
dtrace: description 'syscall:::entry ' matched 211 probes
^C

  automountd        1
  sshd             24
  dtrace          544
  auditd          564
c0t0d0s0org61
# ps -ef | grep kcfd
  daemon   125     1   0 14:24:19 ?           0:00 /usr/lib/crypto/kcfd
    root   734   728   0 15:54:08 pts/1       0:00 grep kcfd
# ppriv -v 125
125:	/usr/lib/crypto/kcfd
flags = PRIV_AWARE
	E: file_owner,proc_priocntl,sys_devices
	I: none
	P: file_owner,proc_priocntl,sys_devices
	L: none
c0t0d0s0org62
# svcadm -v enable -s apache2
svc:/network/http:apache2 enabled.
c0t0d0s0org63
jmoekamp@client:~$ ps -ef | grep http
webservd  1978  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1979  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1980  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1984  1975   0 12:20:02 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
    root  1975     1   0 12:19:14 ?           0:01 /usr/apache2/2.2/bin/httpd -k start
webservd  1977  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1976  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
c0t0d0s0org64
root@client:~# ppriv 1977
1977:	/usr/apache2/2.2/bin/httpd -k start
flags = <none>
	E: basic
	I: basic
	P: basic
	L: all
root@client:~# ppriv 1975
1975:	/usr/apache2/2.2/bin/httpd -k start
flags = <none>
	E: all
	I: basic
	P: all
	L: all
root@client:~#
c0t0d0s0org65
The Apache parent process running as root has all of the privileges listed above (E: all).
c0t0d0s0org66
The other (webservd) processes have only the basic set of privileges.
c0t0d0s0org67
What Apache really needs is only a small subset: the basic set without proc_session, proc_info and file_link_any, plus net_privaddr to bind to a privileged port.
c0t0d0s0org68
So you grant a large number of privileges to one process that Apache doesn't need.
c0t0d0s0org69
# svcadm -v disable -s apache2
svc:/network/http:apache2 disabled.
c0t0d0s0org70
root@client:~# svccfg -s apache22
svc:/network/http:apache22> setprop start/user = astring: webservd
svc:/network/http:apache22> setprop start/group = astring: webservd
svc:/network/http:apache22> setprop start/privileges = astring: basic,!proc_session,!proc_info,!file_link_any,net_privaddr
svc:/network/http:apache22> setprop start/limit_privileges = astring: :default
svc:/network/http:apache22> setprop start/use_profile = boolean: false
svc:/network/http:apache22> setprop start/supp_groups = astring: :default
svc:/network/http:apache22> setprop start/working_directory = astring: :default
svc:/network/http:apache22> setprop start/project = astring: :default
svc:/network/http:apache22> setprop start/resource_pool = astring: :default
svc:/network/http:apache22> end
root@client:~# svcadm -v refresh apache22
Action refresh set for svc:/network/http:apache22.
c0t0d0s0org71
# echo "LockFile /var/apache2/2.2/logs/accept.lock" >> /etc/apache2/2.2/httpd.conf
# echo "PidFile /var/apache2/2.2/run/httpd.pid" >> /etc/apache2/2.2/httpd.conf
# mkdir -p -m 755 /var/apache2/2.2/run
# chown webservd:webservd /var/apache2/2.2/run
# svcadm enable apache22
c0t0d0s0org72
webservd  3064  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3062  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3063  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3066  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3061     1   0 16:49:17 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3065  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
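The check behind the Apache slides, as an added example that is not part of the deck: it parses the text `ppriv -v` prints and expands an SMF start/privileges specification such as `basic,!proc_session,!proc_info,!file_link_any,net_privaddr`, so a process's effective set can be compared against what the service is supposed to run with. The privilege list and the basic set are taken from the slides (Solaris 11.1); the sample ppriv output is constructed after the httpd processes shown above.

```python
"""Least-privilege check for a daemon, in the style of the Apache slides.

Added example, not part of the slide deck. It parses `ppriv -v <pid>` output
and expands SMF/RBAC privilege specifications (the syntax used by ppriv,
usermod -K defaultpriv= and the SMF start/privileges property).
"""
from __future__ import annotations

# Full privilege list of Solaris 11.1 as shown on the "all privileges" slide.
ALL_PRIVS = frozenset("""
contract_event contract_identity contract_observer cpc_cpu dtrace_kernel
dtrace_proc dtrace_user file_chown file_chown_self file_dac_execute
file_dac_read file_dac_search file_dac_write file_downgrade_sl file_flag_set
file_link_any file_owner file_read file_setid file_upgrade_sl file_write
graphics_access graphics_map ipc_dac_read ipc_dac_write ipc_owner net_access
net_bindmlp net_icmpaccess net_mac_aware net_mac_implicit net_observability
net_privaddr net_rawaccess proc_audit proc_chroot proc_clock_highres proc_exec
proc_fork proc_info proc_lock_memory proc_owner proc_priocntl proc_session
proc_setid proc_taskid proc_zone sys_acct sys_admin sys_audit sys_config
sys_devices sys_dl_config sys_flow_config sys_ib_config sys_ib_info
sys_ip_config sys_ipc_config sys_iptun_config sys_linkdir sys_mount
sys_net_config sys_nfs sys_ppp_config sys_res_bind sys_res_config sys_resource
sys_share sys_smb sys_suser_compat sys_time sys_trans_label win_colormap
win_config win_dac_read win_dac_write win_devices win_dga win_downgrade_sl
win_fontpath win_mac_read win_mac_write win_selection win_upgrade_sl
""".split())

# Basic set as printed by `ppriv -v $$` for an unprivileged user on the slides.
BASIC = frozenset("file_link_any file_read file_write net_access proc_exec "
                  "proc_fork proc_info proc_session sys_ib_info".split())


def expand_spec(spec):
    """Expand a privilege specification into a frozenset of privilege names.

    Tokens are applied left to right: `basic`, `all` and `none` are keywords,
    a bare name adds that privilege and `!name` removes it.
    """
    result = set()
    for tok in (t.strip() for t in spec.split(",") if t.strip()):
        negate = tok.startswith("!")
        name = tok[1:] if negate else tok
        if name == "basic":
            names = set(BASIC)
        elif name == "all":
            names = set(ALL_PRIVS)
        elif name == "none":
            names = set()
        elif name in ALL_PRIVS:
            names = {name}
        else:
            raise ValueError(f"unknown privilege {name!r}")
        if negate:
            result -= names
        else:
            result |= names
    return frozenset(result)


def parse_ppriv(text):
    """Map the E/I/P/L lines of `ppriv -v` output to privilege sets."""
    sets = {}
    for line in text.splitlines():
        line = line.strip()
        if len(line) > 2 and line[0] in "EIPL" and line[1] == ":":
            sets[line[0]] = expand_spec(line[2:])
    return sets


def beyond_basic(sets, letter="E"):
    """Privileges in the given set that exceed the basic set."""
    return frozenset(sets.get(letter, frozenset()) - BASIC)


def satisfies(sets, spec):
    """True if the effective set is no larger than what the SMF spec grants."""
    return sets.get("E", frozenset()) <= expand_spec(spec)


# Constructed samples modelled on the slides: the httpd parent running as
# root (E: all) and a worker running as webservd with the basic set.
ROOT_HTTPD = "1975:\t/usr/apache2/2.2/bin/httpd -k start\nflags = <none>\n" \
             "\tE: all\n\tI: basic\n\tP: all\n\tL: all\n"
WORKER_HTTPD = "1977:\t/usr/apache2/2.2/bin/httpd -k start\nflags = <none>\n" \
               "\tE: basic\n\tI: basic\n\tP: basic\n\tL: all\n"
# The start/privileges value set with svccfg on the slides.
APACHE_SPEC = "basic,!proc_session,!proc_info,!file_link_any,net_privaddr"

if __name__ == "__main__":
    for label, text in (("root httpd", ROOT_HTTPD), ("worker httpd", WORKER_HTTPD)):
        sets = parse_ppriv(text)
        print(f"{label}: {len(beyond_basic(sets))} privileges beyond basic; "
              f"within start/privileges: {satisfies(sets, APACHE_SPEC)}")
```

Note that even the webservd workers fail the `satisfies` check, because the basic set still contains proc_session, proc_info and file_link_any, which the svccfg setting removes.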
c0t0d0s0org73
Read-only zone root
c0t0d0s0org74
zonecfg:testzone> set file-mac-profile=none
    Standard read-write non-global zone, with no additional protection beyond the existing zone boundaries.
zonecfg:testzone> set file-mac-profile=strict
    Read-only file system, no exceptions.
zonecfg:testzone> set file-mac-profile=fixed-configuration
    Permits updates to /var/* directories, with the exception of directories that contain system configuration components.
zonecfg:testzone> set file-mac-profile=flexible-configuration
    Permits modification of files in /etc/* directories, changes to root's home directory, and updates to /var/* directories. This configuration provides the closest functionality to the Oracle Solaris 10 native sparse root zone.
c0t0d0s0org75
in-kernel SSL Proxy
c0t0d0s0org76
# mkdir /etc/keys
# cd /etc/keys
# openssl req -x509 -nodes -days 365 -subj '/C=DE/ST=Hamburg/L=Hamburg/CN=server' -newkey rsa:1024 -keyout /etc/keys/mykey.pem -out /etc/keys/mycert.pem
# cat mycert.pem mykey.pem > my.pem
# chmod 600 my.pem
c0t0d0s0org77
# echo "pass" > /etc/keys/mypass
# ksslcfg create -f pem -i /etc/keys/my.pem -x 8080 -p /etc/keys/mypass server 443
c0t0d0s0org78
# ksslcfg create -f pem -i /etc/keys/my.pem -x 8080 -p /etc/keys/mypass -c rsa_aes_256_cbc_sha,rsa_aes_128_cbc_sha,rsa_rc4_128_sha,rsa_rc4_128_md5 server 443
c0t0d0s0org79
# svcs -a | grep kssl
online          9:03:33 svc:/network/ssl/proxy:kssl-server-443
c0t0d0s0org80
# svcadm disable apache22
# echo "Listen 192.168.178.108:8080" >> /etc/apache2/2.2/httpd.conf
# svcadm enable apache22
Port number and IP address have to be defined in httpd.conf, otherwise it will not work.
c0t0d0s0org81
$ openssl s_client -connect server:443
CONNECTED(00000004)
depth=0 /C=DE/ST=Hamburg/L=Hamburg/CN=server
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=DE/ST=Hamburg/L=Hamburg/CN=server
verify return:1
---
Certificate chain
 0 s:/C=DE/ST=Hamburg/L=Hamburg/CN=server
   i:/C=DE/ST=Hamburg/L=Hamburg/CN=server
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICoTCCAgqgAwIBAgIJAKyJdj[...]V5jX3MU=
-----END CERTIFICATE-----
subject=/C=DE/ST=Hamburg/L=Hamburg/CN=server
issuer=/C=DE/ST=Hamburg/L=Hamburg/CN=server
---
No client certificate CA names sent
---
SSL handshake has read 817 bytes and written 328 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-SHA
    Session-ID: 32CEF20CB9FE2A71C74D40BB2DB5CB304DA1B57540B7CFDD113915B99DBE9812
    Session-ID-ctx:
    Master-Key: 1E7B502390951124779C5763B5E4BBAF0A9B0693D08DCA8A587B503A5C5027B6FAD9CA7626B1AD8C62219E8502A5C21E
    Key-Arg   : None
    Start Time: 1242985143
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
GET / HTTP/1.0

HTTP/1.1 200 OK
Date: Fri, 22 May 2009 09:39:13 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8a DAV/2
Last-Modified: Thu, 21 May 2009 21:26:30 GMT
ETag: "341f3-2c-46a72cc211a8f"
Accept-Ranges: bytes
Content-Length: 44
Connection: close
Content-Type: text/html

<html><body><h1>It works!</h1></body></html>
read:errno=0
c0t0d0s0org82
ZFS Encryption
c0t0d0s0org83
# zfs create -o encryption=on rpool/export/project
c0t0d0s0org84
Wrapping key (user settable)
Encryption key (random, not user settable)
Sources for the wrapping key (keysource): prompt, file://, https://, pkcs11:
c0t0d0s0org85
aes-128-ccm (=on), aes-192-ccm, aes-256-ccm, aes-128-gcm, aes-192-gcm, aes-256-gcm
c0t0d0s0org86
# zfs set checksum=sha256+mac <dataset>
If encryption is not set to off, something like this happens automatically. This property is read-only from then on.
c0t0d0s0org87
# pktool genkey keystore=pkcs11 keytype=aes keylen=128 label=mykey
Enter PIN for Sun Software PKCS#11 softtoken:
# zfs create -o encryption=on -o keysource=raw,pkcs11:object=mykey tank/project/C
Enter PKCS#11 token PIN for 'tank/project/C':
c0t0d0s0org88
# zfs create -o encryption=on -o keysource=raw,https://keys.example.com/mykey tank/project/R
# cp myserver.cert.pem /etc/certs/CA/
# svcadm refresh ca-certificates
c0t0d0s0org89
$ zfs key -c rpool/export/project
Enter new passphrase for 'rpool/export/project':
Changing the wrapping key
c0t0d0s0org91
# zfs key -K tank/project/A
# zfs clone -K tank/project/A@montag tank/project/D
Changing the encryption key
Changing the encryption key for data written from now on.
Creates a new data encryption key: data written in the clone uses the new data encryption key, which is distinct from the one of its original snapshot.
c0t0d0s0org93
Solaris Cryptographic Framework
c0t0d0s0org94
As soon as Solaris detects hardware acceleration for cryptography, Solaris will use it (and so do applications using the Oracle-supplied OpenSSL library or the direct interfaces):
• on-chip crypto accelerator in T and current M series chips
• instruction set extensions in Intel processors (AES-NI)
• supported crypto accelerator cards
c0t0d0s0org95
Just a side note: T-series crypto acceleration and Intel x86 acceleration have pretty different performance characteristics.
T-Series: acceleration by offloading crypto outside the pipeline. Intel x86: acceleration by offering special in-pipeline instructions to accelerate execution.
Sounds like splitting hairs...
c0t0d0s0org98
Using ZFS to do two-factor encryption
c0t0d0s0org99
jmoekamp@solaris:~$ rmformat
Looking for devices...
     1. Logical Node: /dev/rdsk/c10t0d0p0
        Physical Node: /pci@0,0/pci8086,265c@b/storage@2/disk@0,0
        Connected Device: SanDisk  U3 Cruzer Micro  8.02
        Device Type: Removable
        Bus: USB
        Size: 3.8 GB
        Label: <None>
        Access permissions: Medium is not write protected
(...)
     3. Logical Node: /dev/rdsk/c9t0d0p0
        Physical Node: /pci@0,0/pci8086,265c@b/storage@1/disk@0,0
        Connected Device: SanDisk  U3 Cruzer Micro  8.02
        Device Type: Removable
        Bus: USB
        Size: 3.8 GB
        Label: <None>
        Access permissions: Medium is not write protected
c0t0d0s0org100
root@solaris:~# zpool create a_keystore_usbstick /dev/dsk/c10t0d0p0
root@solaris:~# zpool create datastore /dev/dsk/c9t0d0p0
c0t0d0s0org101
root@solaris:~# zfs create -o encryption=on a_keystore_usbstick/keys
Enter passphrase for 'a_keystore_usbstick/keys': supersecret
Enter again: supersecret
c0t0d0s0org102
root@solaris:~# pktool genkey keystore=file keytype=aes keylen=128 outkey=/a_keystore_usbstick/keys/joergsdatastick.key
c0t0d0s0org103
root@solaris:~# zfs create -o encryption=on -o keysource=raw,file:///a_keystore_usbstick/keys/joergsdatastick.key datastick/joergssecrets
c0t0d0s0org104
root@solaris:/datastick/joergssecrets# mv /home/jmoekamp/highlyconfidential_nda_presos.tgz .
c0t0d0s0org105
root@solaris:~# zpool export a_keystore_usbstick
root@solaris:~# zpool export datastick
c0t0d0s0org106
root@solaris:~# zpool import a_keystore_usbstick
Enter passphrase for 'a_keystore_usbstick/keys': supersecret
root@solaris:~#
c0t0d0s0org107
root@solaris:~# zpool import datastick
root@solaris:~# cd /datastick/joergssecrets
root@solaris:/datastick/joergssecrets# ls
highconfidential_nda_presos.tgz
c0t0d0s0org108
Basic Auditing and Reporting Tool
c0t0d0s0org109
# mkdir /bart-files
# bart create -R /etc > /bart-files/etc.control.manifest
c0t0d0s0org110
# cat /bart-files/etc.control.manifest | grep nsswitch.nisplus
/nsswitch.nisplus F 2525 100644 user::rw-,group::r--,mask:r--,other:r-- 473976b5 0 3 79e8fd689a5221d1cd059e5077da71b8
c0t0d0s0org111
# touch /etc/thisisjustatest
# chmod 777 /etc/nsswitch.files
# echo "just a test" >> /etc/nsswitch.nisplus
c0t0d0s0org113
# bart create -R /etc > /bart-files/etc.check.20130911.manifest
c0t0d0s0org114
# cd /bart-files
# bart compare etc.control.manifest etc.check.20130911.manifest
/nsswitch.files:
  mode  control:100644  test:100777
  acl  control:user::rw-,group::r--,mask:r--,other:r--  test:user::rwx,group::rwx,mask:rwx,other:rwx
/nsswitch.nisplus:
  size  control:2525  test:2538
  mtime  control:473976b5  test:47a44862
  contents  control:79e8fd689a5221d1cd059e5077da71b8  test:3f79176ec352441db11ec8a3d02ef67c
/thisisjustatest:
  add
c0t0d0s0org115
Find more information regarding this feature at http://www.c0t0d0s0.org/archives/4069-Less-known-Solaris-features-BART.html
c0t0d0s0org116
Apropos Auditing
c0t0d0s0org117
Auditing is activated by default.
c0t0d0s0org118
root@client:~# auditconfig -getflags
active user default audit flags = lo(0x1000,0x1000)
configured user default audit flags = lo(0x1000,0x1000)
root@client:~# auditconfig -getnaflags
active non-attributable audit flags = lo(0x1000,0x1000)
configured non-attributable audit flags = lo(0x1000,0x1000)
c0t0d0s0org119
root@client:~# auditconfig -getpolicy
configured audit policies = cnt
active audit policies = cnt
Policy regarding auditing (explanation on the next slide).
c0t0d0s0org120
root@client:~# auditconfig -lspolicy
policy string     description:
ahlt              halt machine if it can not record an async event
all               all policies
arge              include exec environment args in audit recs
argv              include exec command line args in audit recs
cnt               when no more space, drop recs and keep a cnt
group             include supplementary groups in audit recs
none              no policies
path              allow multiple paths per event
perzone           use a separate queue and auditd per zone
public            audit public files
seq               include a sequence number in audit recs
trail             include trailer token in audit recs
windata_down      include downgraded window information in audit recs
windata_up        include upgraded window information in audit recs
zonename          include zonename token in audit recs
Which degree of detail? What happens with full disks?
c0t0d0s0org121
root@client:~# auditconfig -getplugin
Plugin: audit_binfile (active)
	Attributes: p_dir=/var/audit;p_fsize=0;p_minfree=1;
Plugin: audit_syslog (inactive)
	Attributes: p_flags=;
Plugin: audit_remote (inactive)
	Attributes: p_hosts=;p_retries=3;p_timeout=5;
c0t0d0s0org122
root@client:~# auditconfig -setflags lo,ps,fw
user default audit flags = ps,lo,fw(0x101002,0x101002)
root@client:~# auditconfig -setnaflags lo,na
non-attributable audit flags = lo,na(0x1400,0x1400)
lo and na are the only sensible flags for non-attributable events.
c0t0d0s0org124
root@client:~# usermod -K audit_flags=fw,as junior
c0t0d0s0org125
root@client:~# auditconfig -lsevent | grep lo
AUE_login                6152 lo login - local
AUE_logout               6153 lo logout
AUE_telnet               6154 lo login - telnet
AUE_rlogin               6155 lo login - rlogin
AUE_rshd                 6158 lo rsh access
AUE_su                   6159 lo su
AUE_rexecd               6162 lo rexecd
AUE_passwd               6163 lo passwd
AUE_rexd                 6164 lo rexd
AUE_ftpd                 6165 lo ftp access
AUE_ftpd_logout          6171 lo ftp logout
AUE_ssh                  6172 lo login - ssh
AUE_role_login           6173 lo role login
AUE_rad_login            6174 lo connect to RAD
AUE_newgrp_login         6212 lo newgrp login
AUE_admin_authenticate   6213 lo admin login
AUE_screenlock           6221 lo screenlock - lock
AUE_screenunlock         6222 lo screenlock - unlock
AUE_zlogin               6227 lo login - zlogin
AUE_su_logout            6228 lo su logout
AUE_role_logout          6229 lo role logout
AUE_smbd_session         6244 lo smbd(1m) session setup
AUE_smbd_logoff          6245 lo smbd(1m) session logoff
c0t0d0s0org126
root@client:~# auditconfig -lsevent | grep ps
AUE_EXIT                 1    ps exit(2)
AUE_FORKALL              2    ps forkall(2)
AUE_VFORK                25   ps vfork(2)
AUE_FORK1                241  ps fork1(2)
root@client:~# auditconfig -lsevent | grep fw
AUE_OPEN_W               76   fw open(2) - write
c0t0d0s0org127
# auditreduce -c ps /var/audit/20130912183630.not_terminated.client | praudit
header,139,2,execve(2),,client,2013-09-12 18:40:55.924 +00:00
path,/usr/sbin/auditreduce
attribute,100555,root,bin,65538,65875,18446744073709551615
subject,jmoekamp,root,root,root,root,2054,1440080956,2480 202240 192168101
return,success,0
c0t0d0s0org128
root@client:~# auditconfig -setflags all
user default audit flags = all(0xffffffffffffffff,0xffffffffffffffff)
Not always (in the sense of: never) a good idea.
Useful after trying this out: starting a new audit file.
root@client:~# audit -n
c0t0d0s0org129
root@client:~# auditstat
  gen nona  kern  aud ctl   enq  wrtn wblk rblk drop  tot mem
38248    1 38233   14   0 37791 37788    0 3491  457 5169   0
All classes activated for a few seconds on an unloaded system.
c0t0d0s0org130
SSH and X509
c0t0d0s0org131
root@ca:~# CA.pl -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
.......++++++
.......++++++
writing new private key to '/etc/openssl/private/cakey.pem'
Enter PEM pass phrase: supersecret1
Verifying - Enter PEM pass phrase: supersecret1
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:DE
State or Province Name (full name) []:Lower Saxony
Locality Name (eg, city) []:Lueneburg
Organization Name (eg, company) []:c0t0d0s0.org
Organizational Unit Name (eg, section) []:Security Department
Common Name (e.g. server FQDN or YOUR name) []:CA
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openssl/openssl.cnf
Enter pass phrase for /etc/openssl/private/cakey.pem: supersecret1
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            b3:54:80:88:66:ad:e8:78
        Validity
            Not Before: Sep 26 10:11:09 2013 GMT
            Not After : Sep 25 10:11:09 2016 GMT
        Subject:
            countryName               = DE
            stateOrProvinceName       = Lower Saxony
            organizationName          = c0t0d0s0.org
            organizationalUnitName    = Security Department
            commonName                = CA
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44
            X509v3 Authority Key Identifier:
                keyid:5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44
            X509v3 Basic Constraints:
                CA:TRUE
Certificate is to be certified until Sep 25 10:11:09 2016 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated
c0t0d0s0org132
root@ca:~# mkdir server
root@ca:~# cd server
root@ca:~/server# CA.pl -newreq
Generating a 1024 bit RSA private key
.......++++++
.......++++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase: supersecret2
Verifying - Enter PEM pass phrase: supersecret2
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:DE
State or Province Name (full name) []:Lower Saxony
Locality Name (eg, city) []:Lueneburg
Organization Name (eg, company) []:c0t0d0s0.org
Organizational Unit Name (eg, section) []:Server Certificates
Common Name (e.g. server FQDN or YOUR name) []:server
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem
c0t0d0s0org134
root@ca:~/server# CA.pl -signreq
Using configuration from /etc/openssl/openssl.cnf
Enter pass phrase for /etc/openssl/private/cakey.pem: supersecret1
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            b3:54:80:88:66:ad:e8:79
        Validity
            Not Before: Sep 26 10:29:12 2013 GMT
            Not After : Sep 26 10:29:12 2014 GMT
        Subject:
            countryName               = DE
            stateOrProvinceName       = Lower Saxony
            localityName              = Lueneburg
            organizationName          = c0t0d0s0.org
            organizationalUnitName    = Server Certificates
            commonName                = server
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                A7:DC:03:DE:B3:D5:FB:F9:C0:06:F1:1A:55:A9:AD:04:C4:9C:10:FA
            X509v3 Authority Key Identifier:
                keyid:5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44

Certificate is to be certified until Sep 26 10:29:12 2014 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
root@ca:~/server# ls -l
total 15
-rw-r--r--   1 root     root        3196 Sep 26 12:29 newcert.pem
-rw-r--r--   1 root     root        1041 Sep 26 12:28 newkey.pem
-rw-r--r--   1 root     root         680 Sep 26 12:28 newreq.pem
c0t0d0s0org135
root@ca:~/junior# CA.pl -newreq
Generating a 1024 bit RSA private key
.......++++++
.......++++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
Verify failure
Enter PEM pass phrase: supersecret3
Verifying - Enter PEM pass phrase: supersecret3
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:DE
State or Province Name (full name) []:Lower Saxony
Locality Name (eg, city) []:Lueneburg
Organization Name (eg, company) []:c0t0d0s0.org
Organizational Unit Name (eg, section) []:User certificates
Common Name (e.g. server FQDN or YOUR name) []:junior
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem
c0t0d0s0org136
root@ca:~/junior# CA.pl -signreq
Using configuration from /etc/openssl/openssl.cnf
Enter pass phrase for /etc/openssl/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            b3:54:80:88:66:ad:e8:7a
        Validity
            Not Before: Sep 26 11:09:29 2013 GMT
            Not After : Sep 26 11:09:29 2014 GMT
        Subject:
            countryName               = DE
            stateOrProvinceName       = Lower Saxony
            localityName              = Lueneburg
            organizationName          = c0t0d0s0.org
            organizationalUnitName    = User certificates
            commonName                = junior
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                A1:F2:FC:9D:8A:E2:AD:9A:F5:29:03:F5:B7:14:93:3C:64:62:8E:9C
            X509v3 Authority Key Identifier:
                keyid:5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44

Certificate is to be certified until Sep 26 11:09:29 2014 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
c0t0d0s0org137
root@server:~# useradd -m junior
80 blocks
root@server:~# passwd junior
New Password:
Re-enter new Password:
passwd: password successfully changed for junior
root@server:~#

root@client:~# useradd -m junior
80 blocks
root@client:~# passwd junior
New Password:
Re-enter new Password:
passwd: password successfully changed for junior
c0t0d0s0org138
root@server:~# echo "1921681051 server" >> /etc/hosts
root@server:~# echo "1921681052 client" >> /etc/hosts

root@client:~# echo "1921681051 server" >> /etc/hosts
root@client:~# echo "1921681052 client" >> /etc/hosts
c0t0d0s0org139
root@ca:~/server# scp /etc/openssl/cacert.pem jmoekamp@1921681109:/export/home/jmoekamp
Password:
cacert.pem           100% |*****************************|  3011       00:00
root@ca:~/server# scp newcert.pem jmoekamp@1921681109:/export/home/jmoekamp
Password:
newcert.pem          100% |*****************************|  3196       00:00
root@ca:~/server# scp newkey.pem jmoekamp@1921681109:/export/home/jmoekamp
Password:
newkey.pem           100% |*****************************|  1041       00:00

root@ca:~/junior# scp newkey.pem junior@client:/export/home/junior
Password:
newkey.pem           100% |*****************************|  1041       00:00
root@ca:~/junior# scp newcert.pem junior@client:/export/home/junior
Password:
newcert.pem          100% |*****************************|  3190       00:00
root@ca:~/junior# scp /etc/openssl/cacert.pem junior@1921681104:/export/home/junior
Password:
cacert.pem           100% |*****************************|  3011       00:00
c0t0d0s0org140
On the Server
c0t0d0s0org141
root@server:~# ls
cacert.pem   newcert.pem  newkey.pem
c0t0d0s0org143
root@server:~# pktool setpin
Enter token passphrase: changeme
Create new passphrase: superserversecret
Re-enter new passphrase: superserversecret
Passphrase changed.
root@server:~#
c0t0d0s0org144
root@server:~# printf "superserversecret" > /etc/ssh/pinfile
c0t0d0s0org146
root@server:~# kmfcfg create dbfile=/etc/ssh/policy.xml policy=ssh ta-name=search mapper-name=cn
c0t0d0s0org147
root@server:~# echo "TrustedAnchorKeystore /etc/ssh/cert" >> /etc/ssh/sshd_config
root@server:~# echo "KMFPolicyDatabase /etc/ssh/policy.xml" >> /etc/ssh/sshd_config
root@server:~# echo "KMFPolicyName ssh" >> /etc/ssh/sshd_config
root@server:~# echo "HostKey pkcs11:object=host;token=Sun Metaslot;pinfile=/etc/ssh/pinfile" >> /etc/ssh/sshd_config
c0t0d0s0org148
root@server:~# pktool import keystore=pkcs11 infile=newkey.pem objtype=key label=host
Enter PIN for Sun Software PKCS#11 softtoken: superserversecret
Enter PEM pass phrase: supersecret2
Importing 1 keys
c0t0d0s0org149
root@server:~# egrep -v '^ |^$|^Cert' /export/home/jmoekamp/cacert.pem > /etc/ssh/cert/cacert.cooked.pem
root@server:~# egrep -v '^ |^$|^Cert' newcert.pem > newcert.cooked.pem
root@server:~# pktool import keystore=pkcs11 infile=newcert.cooked.pem objtype=cert label=host
root@server:~#
c0t0d0s0org150
On the client
c0t0d0s0org151
junior@client:~$ ls *.pem
cacert.pem   newcert.pem  newkey.pem
c0t0d0s0org152
root@client:~# kmfcfg create dbfile=/etc/ssh/policy.xml policy=ssh ta-name=search mapper-name=cn
root@client:~# egrep -v '^ |^$|^Cert' /export/home/junior/cacert.pem > /etc/ssh/cert/cacert.cooked.pem
c0t0d0s0org153
junior@client:~$ pktool setpin
Enter token passphrase: changeme
Create new passphrase: superusersecret
Re-enter new passphrase: superusersecret
Passphrase changed.
c0t0d0s0org154
junior@client:~$ pktool import keystore=pkcs11 infile=newkey.pem objtype=key label=user
Enter PIN for Sun Software PKCS#11 softtoken: superusersecret
Enter PEM pass phrase: supersecret3
Importing 1 keys
junior@client:~$ egrep -v '^ |^$|^Cert' newcert.pem > newcert.cooked.pem
junior@client:~$ pktool import keystore=pkcs11 infile=newcert.cooked.pem objtype=cert label=user
c0t0d0s0org155
Testing it

root@server:~# svcadm disable ssh
root@server:~# svcadm enable ssh

junior@client:~$ cd .ssh
junior@client:~/.ssh$ printf "superusersecret" >> pinfile
junior@client:~/.ssh$ cat config
Host server-x509
    Hostname server
    TrustedAnchorKeystore /etc/ssh/cert
    KMFPolicyDatabase /etc/ssh/policy.xml
    KMFPolicyName ssh
    IdentityFile pkcs11:object=user;token=Sun Software PKCS#11 softtoken;pinfile=/export/home/junior/.ssh/pinfile

junior@client:~/.ssh$ ssh junior@server-x509
Last login: Thu Sep 26 20:07:14 2013 from client
Oracle Corporation      SunOS 5.11      11.1    September 2013
junior@server:~$

Find more information regarding this feature at
http://www.c0t0d0s0.org/archives/7659-Using-X509-support-for-SSH-on-Solaris-11.1.html
OpenSCAP

"The Security Content Automation Protocol (SCAP) is a method for using specific standards to enable automated vulnerability management, measurement, and policy compliance evaluation (e.g., FISMA compliance). The National Vulnerability Database (NVD) is the U.S. government content repository for SCAP."
http://en.wikipedia.org/wiki/Security_Content_Automation_Protocol
ftp-banner.xml

<?xml version="1.0" encoding="UTF-8"?>
<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:independent-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd">
  <generator>
    <oval:product_name>Enhanced SCAP Editor</oval:product_name>
    <oval:product_version>0.0.11</oval:product_version>
    <oval:schema_version>5.8</oval:schema_version>
    <oval:timestamp>2012-10-11T10:33:25</oval:timestamp>
  </generator>
  <!--generated.oval.base.identifier=com.oracle.solaris11-->
  <definitions>
    <definition id="oval:com.oracle.solaris11:def:840" version="1" class="compliance">
      <metadata>
        <title>Enable a Warning Banner for the FTP Service</title>
        <affected family="unix">
          <platform>Oracle Solaris 11</platform>
        </affected>
        <description>/etc/proftpd.conf contains "DisplayConnect /etc/issue"</description>
      </metadata>
      <criteria operator="AND" negate="false" comment="Single test">
        <criterion comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;" test_ref="oval:com.oracle.solaris11:tst:8400" negate="false"/>
      </criteria>
    </definition>
  </definitions>
  <tests>
    <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:com.oracle.solaris11:tst:8400" version="1" check="all" comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;" check_existence="all_exist">
      <object object_ref="oval:com.oracle.solaris11:obj:8400"/>
    </textfilecontent54_test>
  </tests>
  <objects>
    <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:com.oracle.solaris11:obj:8400" version="1" comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;">
      <path datatype="string" operation="equals">/etc</path>
      <filename datatype="string" operation="equals">proftpd.conf</filename>
      <pattern datatype="string" operation="pattern match">^DisplayConnect\s/etc/issue\s*$</pattern>
      <instance datatype="int" operation="greater than or equal">1</instance>
    </textfilecontent54_object>
  </objects>
</oval_definitions>
$ oscap oval eval ftp-banner.xml
Definition oval:com.oracle.solaris11:def:840: false
Evaluation done.

$ oscap oval eval --results results.xml --report report.html ftp-banner.xml
Definition oval:com.oracle.solaris11:def:840: false
Evaluation done.
OVAL Results are exported correctly.

To create your own OVAL files: Enhanced SCAP Content Editor

Find more information regarding this feature at
https://blogs.oracle.com/darren/entry/compliance_reporting_with_scap
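As an added example that is not part of the original slides or of OpenSCAP: a minimal Python evaluator for the single textfilecontent54 check in ftp-banner.xml above. It parses the OVAL document, applies the pattern to a constructed /etc/proftpd.conf staged under a temporary root, and returns the definition result the way oscap printed it; the trimmed XML, the sample config contents and all function names are constructed here.

```python
import os
import re
import tempfile
import xml.etree.ElementTree as ET

OVAL_DEF = "{http://oval.mitre.org/XMLSchema/oval-definitions-5}"
OVAL_IND = "{http://oval.mitre.org/XMLSchema/oval-definitions-5#independent}"

# Constructed, trimmed copy of the definition, test and object from the slides.
FTP_BANNER_XML = r"""<?xml version="1.0" encoding="UTF-8"?>
<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
  <definitions>
    <definition id="oval:com.oracle.solaris11:def:840" version="1" class="compliance">
      <criteria operator="AND" negate="false">
        <criterion test_ref="oval:com.oracle.solaris11:tst:8400" negate="false"/>
      </criteria>
    </definition>
  </definitions>
  <tests>
    <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"
        id="oval:com.oracle.solaris11:tst:8400" version="1" check="all" check_existence="all_exist">
      <object object_ref="oval:com.oracle.solaris11:obj:8400"/>
    </textfilecontent54_test>
  </tests>
  <objects>
    <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"
        id="oval:com.oracle.solaris11:obj:8400" version="1">
      <path datatype="string" operation="equals">/etc</path>
      <filename datatype="string" operation="equals">proftpd.conf</filename>
      <pattern datatype="string" operation="pattern match">^DisplayConnect\s/etc/issue\s*$</pattern>
      <instance datatype="int" operation="greater than or equal">1</instance>
    </textfilecontent54_object>
  </objects>
</oval_definitions>
"""


def textfilecontent54(obj, root):
    """independent:textfilecontent54_object: count the lines of <path>/<filename>
    that match <pattern> (treated as a regular expression, operation "pattern match")
    and compare the count with <instance>. A missing file fails the check, which is
    what check_existence="all_exist" on the test demands."""
    path = obj.find(OVAL_IND + "path").text
    filename = obj.find(OVAL_IND + "filename").text
    pattern = re.compile(obj.find(OVAL_IND + "pattern").text)
    needed = int(obj.find(OVAL_IND + "instance").text)
    target = os.path.join(root, path.lstrip("/"), filename)
    if not os.path.isfile(target):
        return False
    with open(target, encoding="utf-8", errors="replace") as fh:
        matches = sum(1 for line in fh if pattern.search(line.rstrip("\n")))
    return matches >= needed


def evaluate(oval_xml, root="/"):
    """Evaluate every definition in the document; returns {definition id: bool}.
    `root` is prepended to every object path so the content can be checked
    against a staged copy of the filesystem instead of the live host."""
    doc = ET.fromstring(oval_xml.encode("utf-8"))
    tests = {t.get("id"): t for t in doc.find(OVAL_DEF + "tests")}
    objects = {o.get("id"): o for o in doc.find(OVAL_DEF + "objects")}
    results = {}
    for definition in doc.find(OVAL_DEF + "definitions"):
        criteria = definition.find(OVAL_DEF + "criteria")
        outcomes = []
        for criterion in criteria.findall(OVAL_DEF + "criterion"):
            test = tests[criterion.get("test_ref")]
            obj = objects[test.find(OVAL_IND + "object").get("object_ref")]
            outcome = textfilecontent54(obj, root)
            outcomes.append(not outcome if criterion.get("negate") == "true" else outcome)
        combine = all if criteria.get("operator", "AND") == "AND" else any
        results[definition.get("id")] = combine(outcomes)
    return results


def check_proftpd_banner(conf_text):
    """Stage a constructed /etc/proftpd.conf under a temporary root and evaluate
    the slide's definition against it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        with open(os.path.join(root, "etc", "proftpd.conf"), "w", encoding="utf-8") as fh:
            fh.write(conf_text)
        return evaluate(FTP_BANNER_XML, root)["oval:com.oracle.solaris11:def:840"]


def check_missing_file():
    """Result when /etc/proftpd.conf does not exist at all: false, as on the slide."""
    with tempfile.TemporaryDirectory() as root:
        return evaluate(FTP_BANNER_XML, root)["oval:com.oracle.solaris11:def:840"]


if __name__ == "__main__":
    print("no banner directive:", check_proftpd_banner('ServerName "ProFTPD"\n'))
    print("banner directive:   ", check_proftpd_banner('ServerName "ProFTPD"\nDisplayConnect /etc/issue\n'))
    print("file missing:       ", check_missing_file())
```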
junior@template:~$ pfedit /etc/apache2/2.2/httpd.conf
pfedit: /etc/apache2/2.2/httpd.conf has been updated.

junior@template:~$ pfedit /etc/apache2/2.2/mime.types
pfedit: User junior is not authorized to edit the file /etc/apache2/2.2/mime.types

root@template:/etc/apache2/2.2# profiles -p "httpd edit"
profiles:httpd edit> info
        name=httpd edit
        desc=Edit httpd
        auths=solaris.admin.edit//etc/apache2/2.2/httpd.conf
profiles:httpd edit> add auths=solaris.admin.edit//etc/apache2/2.2/mime.types

junior@template:~$ pfedit /etc/apache2/2.2/mime.types
pfedit: no changes for /etc/apache2/2.2/mime.types

profiles -p "httpd configure"
profiles:httpd configure> add always_audit=as
profiles:httpd configure> info
        name=httpd configure
        desc=Configure httpd
        auths=solaris.admin.edit//etc/apache2/2.2/httpd.conf,solaris.admin.edit//etc/apache2/2.2/mime.types
        always_audit=as
        never_audit=no
profiles:httpd configure> exit
root@template:~#

root@template:~# auditreduce -c as | praudit

[...]
header,486,2,edit administrative file,,fe80::a00:27ff:fea6:33cb,2013-08-12 07:45:52.306 +00:00
subject,junior,junior,staff,junior,staff,4212,4474671663,69 136704 MacBook-Pro-of-c0t0d0s0.fritz.box
path,/etc/apache2/2.2/httpd.conf
use of authorization,solaris.admin.edit//etc/apache2/2.2/httpd.conf
text,--- /etc/apache2/2.2/httpd.conf   Mo Aug 12 07:45:00 2013
+++ /etc/apache2/2.2/httpd.conf.pfedit.1BaGoi   Mo Aug 12 07:45:52 2013
@@ -1,5 +1,6 @@
 # Test
 # Test 2
+# Test 3
 #
 # This is the main Apache HTTP server configuration file.  It contains the
 # configuration directives that give the server its instructions.
return,success,0
Delegating privilege to restart services (so you can keep the root password)

junior@template:~$ svcadm refresh apache22
svcadm: svc:/network/http:apache22: Permission denied.

svcs -a | grep apache22
online         15:30:29 svc:/network/http:apache22

auths add -t "Apache22 value" solaris.smf.value.http.apache22
auths add -t "Apache22 action" solaris.smf.action.http.apache22

svccfg -s apache22 setprop general/value_authorization = astring: solaris.smf.value.http.apache22
svccfg -s apache22 setprop general/action_authorization = astring: solaris.smf.action.http.apache22

profiles -p "httpd edit" "add auths=solaris.smf.action.http.apache22"

junior@template:~$ svcadm refresh apache22
junior@template:~$
Privileges

$ ls -l /usr/sbin/traceroute
-r-sr-xr-x   1 root     bin        42324 Nov 21 00:09 /usr/sbin/traceroute
$ ls -l /usr/sbin/ping
-r-sr-xr-x   1 root     bin        51396 Nov 18 19:31 /usr/sbin/ping
Set-uid to root: ping needs it to work.

# chmod -s /sbin/ping
# exit
$ ping -s 192.168.1.132
ping: socket Permission denied
Remove the set-uid bit and ping stops working.
jmoekamp@daddelkiste:~$ ppriv $$
2153:   -bash
flags = <none>
        E: basic
        I: basic
        P: basic
        L: all

The complete list of privileges shown on the slide (what "all" expands to):
contract_event, contract_identity, contract_observer, cpc_cpu, dtrace_kernel, dtrace_proc, dtrace_user, file_chown, file_chown_self, file_dac_execute, file_dac_read, file_dac_search, file_dac_write, file_downgrade_sl, file_flag_set, file_link_any, file_owner, file_read, file_setid, file_upgrade_sl, file_write, graphics_access, graphics_map, ipc_dac_read, ipc_dac_write, ipc_owner, net_access, net_bindmlp, net_icmpaccess, net_mac_aware, net_mac_implicit, net_observability, net_privaddr, net_rawaccess, proc_audit, proc_chroot, proc_clock_highres, proc_exec, proc_fork, proc_info, proc_lock_memory, proc_owner, proc_priocntl, proc_session, proc_setid, proc_taskid, proc_zone, sys_acct, sys_admin, sys_audit, sys_config, sys_devices, sys_dl_config, sys_flow_config, sys_ib_config, sys_ib_info, sys_ip_config, sys_ipc_config, sys_iptun_config, sys_linkdir, sys_mount, sys_net_config, sys_nfs, sys_ppp_config, sys_res_bind, sys_res_config, sys_resource, sys_share, sys_smb, sys_suser_compat, sys_time, sys_trans_label, win_colormap, win_config, win_dac_read, win_dac_write, win_devices, win_dga, win_downgrade_sl, win_fontpath, win_mac_read, win_mac_write, win_selection, win_upgrade_sl

All privileges in their entirety assigned to one user are (almost)

Neat extension in Solaris 11: the ability to use networking is now a privilege. It's part of the default set of privileges, but you can remove it.
jmoekamp@daddelkiste:~$ ppriv -v $$
2153:   -bash
flags = <none>
        E: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
        I: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
        P: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
        L: contract_event,contract_identity,contract_observer,cpc_cpu,dtrace_kernel,dtrace_proc,dtrace_user,file_chown,file_chown_self,file_dac_execute,file_dac_read,file_dac_search,file_dac_write,file_downgrade_sl,file_flag_set,file_link_any,file_owner,file_read,file_setid,file_upgrade_sl,file_write,graphics_access,graphics_map,ipc_dac_read,ipc_dac_write,ipc_owner,net_access,net_bindmlp,net_icmpaccess,net_mac_aware,net_mac_implicit,net_observability,net_privaddr,net_rawaccess,proc_audit,proc_chroot,proc_clock_highres,proc_exec,proc_fork,proc_info,proc_lock_memory,proc_owner,proc_priocntl,proc_session,proc_setid,proc_taskid,proc_zone,sys_acct,sys_admin,sys_audit,sys_config,sys_devices,sys_dl_config,sys_flow_config,sys_ib_config,sys_ib_info,sys_ip_config,sys_ipc_config,sys_iptun_config,sys_linkdir,sys_mount,sys_net_config,sys_nfs,sys_ppp_config,sys_res_bind,sys_res_config,sys_resource,sys_share,sys_smb,sys_suser_compat,sys_time,sys_trans_label,win_colormap,win_config,win_dac_read,win_dac_write,win_devices,win_dga,win_downgrade_sl,win_fontpath,win_mac_read,win_mac_write,win_selection,win_upgrade_sl

root@daddelkiste:~# ppriv $$
2183:   -bash
flags = <none>
        E: all
        I: basic
        P: all
        L: all

junior@daddelkiste:~$ dtrace -n 'syscall:::entry { @num[execname] = count(); }'
dtrace: failed to initialize dtrace: DTrace requires additional privileges

root@daddelkiste:~# usermod -K defaultpriv=basic,dtrace_kernel,dtrace_proc,dtrace_user junior
UX: usermod: junior is currently logged in, some changes may not take effect until next login.

junior@daddelkiste:~$ dtrace -n 'syscall:::entry { @num[execname] = count(); }'
dtrace: description 'syscall:::entry' matched 211 probes
^C

  automountd                1
  sshd                     24
  dtrace                  544
  auditd                  564
ps -ef | grep kcfd
  daemon   125     1   0 14:24:19 ?           0:00 /usr/lib/crypto/kcfd
    root   734   728   0 15:54:08 pts/1       0:00 grep kcfd
ppriv -v 125
125:    /usr/lib/crypto/kcfd
flags = PRIV_AWARE
        E: file_owner,proc_priocntl,sys_devices
        I: none
        P: file_owner,proc_priocntl,sys_devices
        L: none

svcadm -v enable -s apache2
svc:/network/http:apache2 enabled.

jmoekamp@client:~$ ps -ef | grep http
webservd  1978  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1979  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1980  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1984  1975   0 12:20:02 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
    root  1975     1   0 12:19:14 ?           0:01 /usr/apache2/2.2/bin/httpd -k start
webservd  1977  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1976  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start

root@client:~# ppriv 1977
1977:   /usr/apache2/2.2/bin/httpd -k start
flags = <none>
        E: basic
        I: basic
        P: basic
        L: all
root@client:~# ppriv 1975
1975:   /usr/apache2/2.2/bin/httpd -k start
flags = <none>
        E: all
        I: basic
        P: all
        L: all
root@client:~#
The Apache process running as root has the following privileges: the complete list (E: all).

The other processes have the following privileges: the basic set.

Apache really needs only a small subset of them (highlighted on the slide).

So you grant a large number of privileges to one process that Apache doesn't need.
svcadm -v disable -s apache2
svc:/network/http:apache2 disabled.

root@client:~# svccfg -s apache22
svc:/network/http:apache22> setprop start/user = astring: webservd
svc:/network/http:apache22> setprop start/group = astring: webservd
svc:/network/http:apache22> setprop start/privileges = astring: basic,!proc_session,!proc_info,!file_link_any,net_privaddr
svc:/network/http:apache22> setprop start/limit_privileges = astring: :default
svc:/network/http:apache22> setprop start/use_profile = boolean: false
svc:/network/http:apache22> setprop start/supp_groups = astring: :default
svc:/network/http:apache22> setprop start/working_directory = astring: :default
svc:/network/http:apache22> setprop start/project = astring: :default
svc:/network/http:apache22> setprop start/resource_pool = astring: :default
svc:/network/http:apache22> end
root@client:~# svcadm -v refresh apache22
Action refresh set for svc:/network/http:apache22.

echo "LockFile /var/apache2/2.2/logs/accept.lock" >> /etc/apache2/2.2/httpd.conf
echo "PidFile /var/apache2/2.2/run/httpd.pid" >> /etc/apache2/2.2/httpd.conf
mkdir -p -m 755 /var/apache2/2.2/run
chown webservd:webservd /var/apache2/2.2/run
svcadm enable apache22

webservd  3064  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3062  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3063  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3066  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3061     1   0 16:49:17 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3065  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
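Added example, not from the slides and not Solaris code: a Python resolver for SMF privilege specifications such as the start/privileges value set with svccfg above. It uses the basic set exactly as ppriv -v printed it on the daddelkiste slide and the full privilege list from the slides; HTTPD_SPEC and the function names are constructed here.

```python
import re

# The "basic" set as ppriv -v expanded it on the slide.
BASIC = frozenset({
    "file_link_any", "file_read", "file_write", "net_access", "proc_exec",
    "proc_fork", "proc_info", "proc_session", "sys_ib_info",
})

# The complete privilege list printed on the slides (what "all" expands to).
ALL_PRIVILEGES = frozenset("""
contract_event contract_identity contract_observer cpc_cpu dtrace_kernel
dtrace_proc dtrace_user file_chown file_chown_self file_dac_execute
file_dac_read file_dac_search file_dac_write file_downgrade_sl file_flag_set
file_link_any file_owner file_read file_setid file_upgrade_sl file_write
graphics_access graphics_map ipc_dac_read ipc_dac_write ipc_owner net_access
net_bindmlp net_icmpaccess net_mac_aware net_mac_implicit net_observability
net_privaddr net_rawaccess proc_audit proc_chroot proc_clock_highres proc_exec
proc_fork proc_info proc_lock_memory proc_owner proc_priocntl proc_session
proc_setid proc_taskid proc_zone sys_acct sys_admin sys_audit sys_config
sys_devices sys_dl_config sys_flow_config sys_ib_config sys_ib_info
sys_ip_config sys_ipc_config sys_iptun_config sys_linkdir sys_mount
sys_net_config sys_nfs sys_ppp_config sys_res_bind sys_res_config sys_resource
sys_share sys_smb sys_suser_compat sys_time sys_trans_label win_colormap
win_config win_dac_read win_dac_write win_devices win_dga win_downgrade_sl
win_fontpath win_mac_read win_mac_write win_selection win_upgrade_sl
""".split())

NAMED_SETS = {"basic": BASIC, "all": ALL_PRIVILEGES, "none": frozenset()}

# The value set on start/privileges for apache22 above (constructed constant name).
HTTPD_SPEC = "basic,!proc_session,!proc_info,!file_link_any,net_privaddr"


def resolve_privilege_spec(spec):
    """Expand a privilege specification into a concrete frozenset.
    Tokens apply left to right: a set name (basic, all, none) adds its
    members, a bare privilege adds itself, and a leading '!' removes a
    privilege or a whole set. Unknown names raise ValueError so a typo in a
    manifest does not silently grant or drop nothing."""
    result = set()
    for token in spec.split(","):
        token = token.strip()
        if not token:
            continue
        negate = token.startswith("!")
        name = token.lstrip("!")
        if name not in NAMED_SETS and name not in ALL_PRIVILEGES:
            raise ValueError("unknown privilege or set: " + name)
        members = NAMED_SETS.get(name, frozenset({name}))
        if negate:
            result.difference_update(members)
        else:
            result.update(members)
    return frozenset(result)


def parse_ppriv(output):
    """Turn the E/I/P/L lines of ppriv(1) output into concrete sets."""
    sets = {}
    for line in output.splitlines():
        match = re.match(r"^\s*([EIPL]):\s*(\S+)\s*$", line)
        if match:
            sets[match.group(1)] = resolve_privilege_spec(match.group(2))
    return sets


def privileges_dropped(before, after):
    """Privileges granted by `before` (e.g. the root httpd's E: all) that `after` no longer grants."""
    return resolve_privilege_spec(before) - resolve_privilege_spec(after)


if __name__ == "__main__":
    print("httpd now runs with:", sorted(resolve_privilege_spec(HTTPD_SPEC)))
    print(len(privileges_dropped("all", HTTPD_SPEC)), "privileges dropped compared to E: all")
```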
Read-only zone root

zonecfg:testzone> set file-mac-profile=none
    Standard read-write non-global zone, with no additional protection beyond the existing zone boundaries.
zonecfg:testzone> set file-mac-profile=strict
    Read-only file system, no exceptions.
zonecfg:testzone> set file-mac-profile=fixed-configuration
    Permits updates to /var/* directories, with the exception of directories that contain system configuration components.
zonecfg:testzone> set file-mac-profile=flexible-configuration
    Permits modification of files in /etc/* directories, changes to root's home directory, and updates to /var/* directories. This configuration provides the closest functionality to the Oracle Solaris 10 native sparse root zone.
In-kernel SSL proxy

mkdir /etc/keys
cd /etc/keys
openssl req -x509 -nodes -days 365 -subj "/C=DE/ST=Hamburg/L=Hamburg/CN=server" -newkey rsa:1024 -keyout /etc/keys/mykey.pem -out /etc/keys/mycert.pem
cat mycert.pem mykey.pem > my.pem
chmod 600 my.pem

echo "pass" > /etc/keys/mypass
ksslcfg create -f pem -i /etc/keys/my.pem -x 8080 -p /etc/keys/mypass server 443

ksslcfg create -f pem -i /etc/keys/my.pem -x 8080 -p /etc/keys/mypass -c rsa_aes_256_cbc_sha,rsa_aes_128_cbc_sha,rsa_rc4_128_sha,rsa_rc4_128_md5 server 443

svcs -a | grep kssl
online          9:03:33 svc:/network/ssl/proxy:kssl-server-443

svcadm disable apache22
echo "Listen 192.168.178.108:8080" >> /etc/apache2/2.2/httpd.conf
svcadm enable apache22
Port number and IP address have to be defined in httpd.conf, otherwise it will not work.

openssl s_client -connect server:443
CONNECTED(00000004)
depth=0 /C=DE/ST=Hamburg/L=Hamburg/CN=server
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=DE/ST=Hamburg/L=Hamburg/CN=server
verify return:1
---
Certificate chain
 0 s:/C=DE/ST=Hamburg/L=Hamburg/CN=server
   i:/C=DE/ST=Hamburg/L=Hamburg/CN=server
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICoTCCAgqgAwIBAgIJAKyJdj[...]V5jX3MU=
-----END CERTIFICATE-----
subject=/C=DE/ST=Hamburg/L=Hamburg/CN=server
issuer=/C=DE/ST=Hamburg/L=Hamburg/CN=server
---
No client certificate CA names sent
---
SSL handshake has read 817 bytes and written 328 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-SHA
    Session-ID: 32CEF20CB9FE2A71C74D40BB2DB5CB304DA1B57540B7CFDD113915B99DBE9812
    Session-ID-ctx:
    Master-Key: 1E7B502390951124779C5763B5E4BBAF0A9B0693D08DCA8A587B503A5C5027B6FAD9CA7626B1AD8C62219E8502A5C21E
    Key-Arg   : None
    Start Time: 1242985143
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
GET / HTTP/1.0

HTTP/1.1 200 OK
Date: Fri, 22 May 2009 09:39:13 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8a DAV/2
Last-Modified: Thu, 21 May 2009 21:26:30 GMT
ETag: "341f3-2c-46a72cc211a8f"
Accept-Ranges: bytes
Content-Length: 44
Connection: close
Content-Type: text/html

<html><body><h1>It works!</h1></body></html>
read:errno=0
ZFS Encryption

zfs create -o encryption=on rpool/export/project

Two keys are involved:
- wrapping key (user settable), keysource: prompt, file, https, pkcs11
- encryption key (random, not user settable)

Algorithms: aes-128-ccm (=on), aes-192-ccm, aes-256-ccm, aes-128-gcm, aes-192-gcm, aes-256-gcm

zfs set checksum=sha256+mac <dataset>
If encryption is not off, something like this happens automatically. This property is read-only from then on.

pktool genkey keystore=pkcs11 keytype=aes keylen=128 label=mykey
Enter PIN for Sun Software PKCS#11 softtoken:
zfs create -o encryption=on -o keysource=raw,pkcs11:object=mykey tank/project/C
Enter PKCS#11 token PIN for 'tank/project/C':

zfs create -o encryption=on -o keysource=raw,https://keys.example.com/mykey tank/project/R
cp myserver.cert.pem /etc/certs/CA/
svcadm refresh ca-certificates

$ zfs key -c rpool/export/project
Enter new passphrase for 'rpool/export/project':
Changing the wrapping key.

zfs key -K tank/project/A
zfs clone -K tank/project/A@montag tank/project/D
Changing the encryption key for data written from now on: this creates a new data encryption key. Data written in the clone uses the new data encryption key, which is distinct from the key of its original snapshot.
Solaris Cryptographic Framework

As soon as Solaris detects hardware acceleration for cryptography, Solaris will use it (and so will applications using the Oracle-supplied OpenSSL library or the direct interfaces):
• on-chip crypto accelerator in T-series and current M-series chips
• instruction set extensions in Intel processors (AES-NI)
• supported crypto accelerator cards

Just a side note: T-series crypto acceleration and Intel x86 acceleration have pretty different performance characteristics.
T-series: acceleration by offloading crypto outside the pipeline.
Intel x86: acceleration by offering special in-pipeline instructions to accelerate execution.
Sounds like splitting hairs...
Using ZFS to do two-factor encryption

jmoekamp@solaris:~$ rmformat
Looking for devices...
     1. Logical Node: /dev/rdsk/c10t0d0p0
        Physical Node: /pci@0,0/pci8086,265c@b/storage@2/disk@0,0
        Connected Device: SanDisk  U3 Cruzer Micro  8.02
        Device Type: Removable
        Bus: USB
        Size: 3.8 GB
        Label:
        Access permissions: Medium is not write protected
(...)
     3. Logical Node: /dev/rdsk/c9t0d0p0
        Physical Node: /pci@0,0/pci8086,265c@b/storage@1/disk@0,0
        Connected Device: SanDisk  U3 Cruzer Micro  8.02
        Device Type: Removable
        Bus: USB
        Size: 3.8 GB
        Label:
        Access permissions: Medium is not write protected

root@solaris:~# zpool create a_keystore_usbstick /dev/dsk/c10t0d0p0
root@solaris:~# zpool create datastick /dev/dsk/c9t0d0p0

root@solaris:~# zfs create -o encryption=on a_keystore_usbstick/keys
Enter passphrase for 'a_keystore_usbstick/keys': supersecret
Enter again: supersecret

root@solaris:~# pktool genkey keystore=file keytype=aes keylen=128 outkey=/a_keystore_usbstick/keys/joergsdatastick.key

root@solaris:~# zfs create -o encryption=on -o keysource=raw,file:///a_keystore_usbstick/keys/joergsdatastick.key datastick/joergssecrets

root@solaris:/datastick/joergssecrets# mv /home/jmoekamp/highlyconfidential_nda_presos.tgz .

root@solaris:~# zpool export a_keystore_usbstick
root@solaris:~# zpool export datastick

root@solaris:~# zpool import a_keystore_usbstick
Enter passphrase for 'a_keystore_usbstick/keys': supersecret
root@solaris:~#

root@solaris:~# zpool import datastick
root@solaris:~# cd /datastick/joergssecrets
root@solaris:/datastick/joergssecrets# ls
highlyconfidential_nda_presos.tgz
Basic Auditing and Reporting Tool

mkdir bart-files
bart create -R /etc > bart-files/etc.control.manifest

cat etc.control.manifest | grep nsswitch.nisplus
/nsswitch.nisplus F 2525 100644 user::rw-,group::r--,mask:r--,other:r-- 473976b5 0 3 79e8fd689a5221d1cd059e5077da71b8

touch /etc/thisisjustatest
chmod 777 /etc/nsswitch.files
echo "just a test" >> /etc/nsswitch.nisplus

bart create -R /etc > bart-files/etc.check.20130911.manifest

cd bart-files
bart compare etc.control.manifest etc.check.20130911.manifest
/nsswitch.files:
  mode  control:100644  test:100777
  acl  control:user::rw-,group::r--,mask:r--,other:r--  test:user::rwx,group::rwx,mask:rwx,other:rwx
/nsswitch.nisplus:
  size  control:2525  test:2538
  mtime  control:473976b5  test:47a44862
  contents  control:79e8fd689a5221d1cd059e5077da71b8  test:3f79176ec352441db11ec8a3d02ef67c
/thisisjustatest:
  add

Find more information regarding this feature at
http://www.c0t0d0s0.org/archives/4069-Less-known-Solaris-features-BART.html
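Added example, not part of the slides or of BART itself: a Python reimplementation of the compare step shown above. It parses two manifests in bart_manifest(4) layout ("!" header lines, then "fname type size mode acl mtime uid gid [contents]") and reports per-attribute differences plus added and deleted entries. The two manifests are constructed from the values on the slides; the /nsswitch.files hash, the "/" entry and the header dates are placeholders.

```python
# Attribute order per entry type, following bart_manifest(4): files carry an
# MD5 of their contents, directories do not.
FIELDS = {
    "F": ("size", "mode", "acl", "mtime", "uid", "gid", "contents"),
    "D": ("size", "mode", "acl", "mtime", "uid", "gid"),
}

# Constructed control manifest (values for /nsswitch.nisplus come from the slide).
CONTROL_MANIFEST = """! Version 1.0
! Wednesday, September 11, 2013 (09:00:00)
/ D 1024 40755 user::rwx,group::r-x,mask:r-x,other:r-x 4739767c 0 3
/nsswitch.files F 1039 100644 user::rw-,group::r--,mask:r--,other:r-- 473976b5 0 3 0123456789abcdef0123456789abcdef
/nsswitch.nisplus F 2525 100644 user::rw-,group::r--,mask:r--,other:r-- 473976b5 0 3 79e8fd689a5221d1cd059e5077da71b8
"""

# Constructed check manifest after the chmod, the echo and the touch on the slide.
CHECK_MANIFEST = """! Version 1.0
! Wednesday, September 11, 2013 (10:00:00)
/ D 1024 40755 user::rwx,group::r-x,mask:r-x,other:r-x 4739767c 0 3
/nsswitch.files F 1039 100777 user::rwx,group::rwx,mask:rwx,other:rwx 473976b5 0 3 0123456789abcdef0123456789abcdef
/nsswitch.nisplus F 2538 100644 user::rw-,group::r--,mask:r--,other:r-- 47a44862 0 3 3f79176ec352441db11ec8a3d02ef67c
/thisisjustatest F 0 100644 user::rw-,group::r--,mask:r--,other:r-- 47a44850 0 0 d41d8cd98f00b204e9800998ecf8427e
"""


def parse_manifest(text):
    """Return {path: {"type": ..., attribute: value, ...}} for one manifest.
    Header lines start with '!' and are skipped; an entry with an unknown
    type or too few fields is an error rather than a silent miss."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        parts = line.split()
        path, ftype, values = parts[0], parts[1], parts[2:]
        names = FIELDS.get(ftype)
        if names is None or len(values) < len(names):
            raise ValueError("unsupported or truncated manifest entry: " + line)
        entry = {"type": ftype}
        entry.update(zip(names, values))
        entries[path] = entry
    return entries


def compare_manifests(control_text, test_text, ignore=()):
    """Compare control against test. Returns {path: [(attribute, control, test)]},
    with [("add", None, None)] / [("delete", None, None)] for new and removed
    entries. Attributes named in `ignore` (e.g. "mtime") are not reported."""
    control, test = parse_manifest(control_text), parse_manifest(test_text)
    report = {}
    for path in sorted(set(control) | set(test)):
        if path not in control:
            report[path] = [("add", None, None)]
        elif path not in test:
            report[path] = [("delete", None, None)]
        elif control[path]["type"] != test[path]["type"]:
            report[path] = [("type", control[path]["type"], test[path]["type"])]
        else:
            diffs = [(attr, control[path][attr], test[path][attr])
                     for attr in FIELDS[control[path]["type"]]
                     if attr not in ignore and control[path][attr] != test[path][attr]]
            if diffs:
                report[path] = diffs
    return report


def format_report(report):
    """Render the report in the layout bart compare printed on the slide."""
    lines = []
    for path, diffs in report.items():
        lines.append(path + ":")
        for attr, ctl, tst in diffs:
            lines.append("  " + attr if ctl is None else "  %s  control:%s  test:%s" % (attr, ctl, tst))
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(compare_manifests(CONTROL_MANIFEST, CHECK_MANIFEST)))
```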
Apropos auditing

Auditing is activated by default.

root@client:~# auditconfig -getflags
active user default audit flags = lo(0x1000,0x1000)
configured user default audit flags = lo(0x1000,0x1000)
root@client:~# auditconfig -getnaflags
active non-attributable audit flags = lo(0x1000,0x1000)
configured non-attributable audit flags = lo(0x1000,0x1000)

root@client:~# auditconfig -getpolicy
configured audit policies = cnt
active audit policies = cnt
Policy regarding auditing (explanation on the next slide).

root@client:~# auditconfig -lspolicy
policy string     description:
ahlt              halt machine if it can not record an async event
all               all policies
arge              include exec environment args in audit recs
argv              include exec command line args in audit recs
cnt               when no more space, drop recs and keep a cnt
group             include supplementary groups in audit recs
none              no policies
path              allow multiple paths per event
perzone           use a separate queue and auditd per zone
public            audit public files
seq               include a sequence number in audit recs
trail             include trailer token in audit recs
windata_down      include downgraded window information in audit recs
windata_up        include upgraded window information in audit recs
zonename          include zonename token in audit recs
Which degree of detail? What happens with full disks?

root@client:~# auditconfig -getplugin
Plugin: audit_binfile (active)
        Attributes: p_dir=/var/audit;p_fsize=0;p_minfree=1;
Plugin: audit_syslog (inactive)
        Attributes: p_flags=;
Plugin: audit_remote (inactive)
        Attributes: p_hosts=;p_retries=3;p_timeout=5;

root@client:~# auditconfig -setflags lo,ps,fw
user default audit flags = ps,lo,fw(0x101002,0x101002)
root@client:~# auditconfig -setnaflags lo,na
non-attributable audit flags = lo,na(0x1400,0x1400)
lo and na are the only sensible flags for non-attributable events.

root@client:~# usermod -K audit_flags=fw:as junior

root@client:~# auditconfig -lsevent | grep lo
AUE_login                  6152 lo  login - local
AUE_logout                 6153 lo  logout
AUE_telnet                 6154 lo  login - telnet
AUE_rlogin                 6155 lo  login - rlogin
AUE_rshd                   6158 lo  rsh access
AUE_su                     6159 lo  su
AUE_rexecd                 6162 lo  rexecd
AUE_passwd                 6163 lo  passwd
AUE_rexd                   6164 lo  rexd
AUE_ftpd                   6165 lo  ftp access
AUE_ftpd_logout            6171 lo  ftp logout
AUE_ssh                    6172 lo  login - ssh
AUE_role_login             6173 lo  role login
AUE_rad_login              6174 lo  connect to RAD
AUE_newgrp_login           6212 lo  newgrp login
AUE_admin_authenticate     6213 lo  admin login
AUE_screenlock             6221 lo  screenlock - lock
AUE_screenunlock           6222 lo  screenlock - unlock
AUE_zlogin                 6227 lo  login - zlogin
AUE_su_logout              6228 lo  su logout
AUE_role_logout            6229 lo  role logout
AUE_smbd_session           6244 lo  smbd(1m) session setup
AUE_smbd_logoff            6245 lo  smbd(1m) session logoff

root@client:~# auditconfig -lsevent | grep ps
AUE_EXIT                      1 ps  exit(2)
AUE_FORKALL                   2 ps  forkall(2)
AUE_VFORK                    25 ps  vfork(2)
AUE_FORK1                   241 ps  fork1(2)
root@client:~# auditconfig -lsevent | grep fw
AUE_OPEN_W                   76 fw  open(2) - write

auditreduce -c ps /var/audit/20130912183630.not_terminated.client | praudit
header,139,2,execve(2),,client,2013-09-12 18:40:55.924 +00:00
path,/usr/sbin/auditreduce
attribute,100555,root,bin,65538,65875,18446744073709551615
subject,jmoekamp,root,root,root,root,2054,1440080956,2480 202240 192.168.10.1
return,success,0

root@client:~# auditconfig -setflags all
user default audit flags = all(0xffffffffffffffff,0xffffffffffffffff)
Not always (in the sense of never) a good idea.
Useful after trying it out: start a new audit file.
root@client:~# audit -n

root@client:~# auditstat
  gen  nona  kern   aud   ctl    enq   wrtn  wblk  rblk  drop   tot   mem
38248     1 38233    14     0  37791  37788     0  3491   457  5169     0
"all" activated for a few seconds on an unloaded system.
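Added example, not from the slides and not Solaris code: a Python parser for praudit output in the default text form shown here and on the pfedit slide (the "edit administrative file" record), with two defender-side queries over the records: which administrative files were edited under which authorization (with the diff pfedit stored in the text token), and which root actions the audit ID still attributes to a human user. SAMPLE is constructed from the two records on the slides; the function names are my own.

```python
# praudit(1M) default output: one token per line, comma-separated fields.
# A record runs from a "header" token to its "return" token; pfedit's diff
# lives in a multi-line "text" token, so unknown lines continue that token.
SAMPLE = """header,486,2,edit administrative file,,fe80::a00:27ff:fea6:33cb,2013-08-12 07:45:52.306 +00:00
subject,junior,junior,staff,junior,staff,4212,4474671663,69 136704 MacBook-Pro-of-c0t0d0s0.fritz.box
path,/etc/apache2/2.2/httpd.conf
use of authorization,solaris.admin.edit//etc/apache2/2.2/httpd.conf
text,--- /etc/apache2/2.2/httpd.conf   Mo Aug 12 07:45:00 2013
+++ /etc/apache2/2.2/httpd.conf.pfedit.1BaGoi   Mo Aug 12 07:45:52 2013
@@ -1,5 +1,6 @@
 # Test
 # Test 2
+# Test 3
return,success,0
header,139,2,execve(2),,client,2013-09-12 18:40:55.924 +00:00
path,/usr/sbin/auditreduce
attribute,100555,root,bin,65538,65875,18446744073709551615
subject,jmoekamp,root,root,root,root,2054,1440080956,2480 202240 192.168.10.1
return,success,0
"""

TOKENS = ("header", "subject", "path", "attribute", "use of authorization", "text", "return")


def parse_praudit(output):
    """Split praudit text output into records; each record is a list of
    (token name, [fields]) pairs in file order. The 'text' token keeps its
    payload as a single field so the diff survives intact."""
    records, current = [], None
    for line in output.splitlines():
        if not line.strip():
            continue
        name, _, rest = line.partition(",")
        if name == "header":
            current = []
            records.append(current)
        if current is None:
            continue  # stray line before the first header
        if name in TOKENS:
            current.append((name, [rest] if name == "text" else rest.split(",")))
        elif current and current[-1][0] == "text":
            current[-1][1][0] += "\n" + line
    return records


def token(record, name):
    """Fields of the first token called `name` in `record`, or None."""
    for tok, fields in record:
        if tok == name:
            return fields
    return None


def admin_file_edits(records):
    """Successful 'edit administrative file' events: who (audit ID) edited
    which file under which authorization, with the diff pfedit recorded."""
    edits = []
    for rec in records:
        hdr, ret = token(rec, "header"), token(rec, "return")
        if hdr is None or ret is None:
            continue
        if hdr[2] != "edit administrative file" or ret[0] != "success":
            continue
        edits.append({
            "user": token(rec, "subject")[0],
            "path": token(rec, "path")[0],
            "authorization": token(rec, "use of authorization")[0],
            "diff": token(rec, "text")[0],
        })
    return edits


def root_actions_by_user(records):
    """(audit ID, event, path) for records whose effective uid is root while
    the audit ID names somebody else: the audit ID survives su and role
    assumption, so this is the field that tells you who really ran it."""
    hits = []
    for rec in records:
        hdr, subj = token(rec, "header"), token(rec, "subject")
        if hdr is None or subj is None:
            continue
        if subj[1] == "root" and subj[0] != "root":
            path = token(rec, "path")
            hits.append((subj[0], hdr[2], path[0] if path else None))
    return hits


if __name__ == "__main__":
    recs = parse_praudit(SAMPLE)
    for edit in admin_file_edits(recs):
        print("%(user)s edited %(path)s via %(authorization)s" % edit)
    for user, event, path in root_actions_by_user(recs):
        print("%s ran %s (%s) as root" % (user, event, path))
```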
SSH and X509
c0t0d0s0org131
root@ca:~# CA.pl -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
++++++++++++
writing new private key to '/etc/openssl/private/cakey.pem'
Enter PEM pass phrase: supersecret1
Verifying - Enter PEM pass phrase: supersecret1
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:DE
State or Province Name (full name) []:Lower Saxony
Locality Name (eg, city) []:Lueneburg
Organization Name (eg, company) []:c0t0d0s0.org
Organizational Unit Name (eg, section) []:Security Department
Common Name (e.g. server FQDN or YOUR name) []:CA
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openssl/openssl.cnf
Enter pass phrase for /etc/openssl/private/cakey.pem: supersecret1
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: b354808866ade878
        Validity
            Not Before: Sep 26 10:11:09 2013 GMT
            Not After : Sep 25 10:11:09 2016 GMT
        Subject:
            countryName               = DE
            stateOrProvinceName       = Lower Saxony
            organizationName          = c0t0d0s0.org
            organizationalUnitName    = Security Department
            commonName                = CA
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                5B1F2F7186123040501552818D525AA5597E3644
            X509v3 Authority Key Identifier:
                keyid:5B1F2F7186123040501552818D525AA5597E3644
            X509v3 Basic Constraints:
                CA:TRUE
Certificate is to be certified until Sep 25 10:11:09 2016 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated
root@ca:~# mkdir server
root@ca:~# cd server
root@ca:~/server# CA.pl -newreq
Generating a 1024 bit RSA private key
++++++++++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase: supersecret2
Verifying - Enter PEM pass phrase: supersecret2
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:DE
State or Province Name (full name) []:Lower Saxony
Locality Name (eg, city) []:Lueneburg
Organization Name (eg, company) []:c0t0d0s0.org
Organizational Unit Name (eg, section) []:Server Certificates
Common Name (e.g. server FQDN or YOUR name) []:server
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem
root@ca:~/server# CA.pl -signreq
Using configuration from /etc/openssl/openssl.cnf
Enter pass phrase for /etc/openssl/private/cakey.pem: supersecret1
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: b354808866ade879
        Validity
            Not Before: Sep 26 10:29:12 2013 GMT
            Not After : Sep 26 10:29:12 2014 GMT
        Subject:
            countryName               = DE
            stateOrProvinceName       = Lower Saxony
            localityName              = Lueneburg
            organizationName          = c0t0d0s0.org
            organizationalUnitName    = Server Certificates
            commonName                = server
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                A7DC03DEB3D5FBF9C006F11A55A9AD04C49C10FA
            X509v3 Authority Key Identifier:
                keyid:5B1F2F7186123040501552818D525AA5597E3644
Certificate is to be certified until Sep 26 10:29:12 2014 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
root@ca:~/server# ls -l
total 15
-rw-r--r--   1 root     root        3196 Sep 26 12:29 newcert.pem
-rw-r--r--   1 root     root        1041 Sep 26 12:28 newkey.pem
-rw-r--r--   1 root     root         680 Sep 26 12:28 newreq.pem
root@ca:~/junior# CA.pl -newreq
Generating a 1024 bit RSA private key
++++++++++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
Verify failure
Enter PEM pass phrase: supersecret3
Verifying - Enter PEM pass phrase: supersecret3
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:DE
State or Province Name (full name) []:Lower Saxony
Locality Name (eg, city) []:Lueneburg
Organization Name (eg, company) []:c0t0d0s0.org
Organizational Unit Name (eg, section) []:User certificates
Common Name (e.g. server FQDN or YOUR name) []:junior
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem
root@ca:~/junior# CA.pl -signreq
Using configuration from /etc/openssl/openssl.cnf
Enter pass phrase for /etc/openssl/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: b354808866ade87a
        Validity
            Not Before: Sep 26 11:09:29 2013 GMT
            Not After : Sep 26 11:09:29 2014 GMT
        Subject:
            countryName               = DE
            stateOrProvinceName       = Lower Saxony
            localityName              = Lueneburg
            organizationName          = c0t0d0s0.org
            organizationalUnitName    = User certificates
            commonName                = junior
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                A1F2FC9D8AE2AD9AF52903F5B714933C64628E9C
            X509v3 Authority Key Identifier:
                keyid:5B1F2F7186123040501552818D525AA5597E3644
Certificate is to be certified until Sep 26 11:09:29 2014 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
root@server:~# useradd -m junior
80 blocks
root@server:~# passwd junior
New Password:
Re-enter new Password:
passwd: password successfully changed for junior
root@server:~#

root@client:~# useradd -m junior
80 blocks
root@client:~# passwd junior
New Password:
Re-enter new Password:
passwd: password successfully changed for junior
root@server:~# echo "1921681051 server" >> /etc/hosts
root@server:~# echo "1921681052 client" >> /etc/hosts

root@client:~# echo "1921681051 server" >> /etc/hosts
root@client:~# echo "1921681052 client" >> /etc/hosts
root@ca:~/server# scp /etc/openssl/cacert.pem jmoekamp@1921681109:/export/home/jmoekamp
Password:
cacert.pem           100% |*****************************|  3011       00:00
root@ca:~/server# scp newcert.pem jmoekamp@1921681109:/export/home/jmoekamp
Password:
newcert.pem          100% |*****************************|  3196       00:00
root@ca:~/server# scp newkey.pem jmoekamp@1921681109:/export/home/jmoekamp
Password:
newkey.pem           100% |*****************************|  1041       00:00

root@ca:~/junior# scp newkey.pem junior@client:/export/home/junior
Password:
newkey.pem           100% |*****************************|  1041       00:00
root@ca:~/junior# scp newcert.pem junior@client:/export/home/junior
Password:
newcert.pem          100% |*****************************|  3190       00:00
root@ca:~/junior# scp /etc/openssl/cacert.pem junior@1921681104:/export/home/junior
Password:
cacert.pem           100% |*****************************|  3011       00:00
On the Server
root@server:~# ls
cacert.pem   newcert.pem  newkey.pem
root@server:~# pktool setpin
Enter token passphrase: changeme
Create new passphrase: superserversecret
Re-enter new passphrase: superserversecret
Passphrase changed.
root@server:~#
root@server:~# printf "superserversecret" > /etc/ssh/pinfile
root@server:~# kmfcfg create dbfile=/etc/ssh/policy.xml policy=ssh ta-name=search mapper-name=cn
root@server:~# echo "TrustedAnchorKeystore /etc/ssh/cert" >> /etc/ssh/sshd_config
root@server:~# echo "KMFPolicyDatabase /etc/ssh/policy.xml" >> /etc/ssh/sshd_config
root@server:~# echo "KMFPolicyName ssh" >> /etc/ssh/sshd_config
root@server:~# echo "HostKey pkcs11:object=host;token=Sun Metaslot;pinfile=/etc/ssh/pinfile" >> /etc/ssh/sshd_config
root@server:~# pktool import keystore=pkcs11 infile=newkey.pem objtype=key label=host
Enter PIN for Sun Software PKCS#11 softtoken: superserversecret
Enter PEM pass phrase: supersecret2
Importing 1 keys
root@server:~# egrep -v '^ |^$|^Cert' /export/home/jmoekamp/cacert.pem > /etc/ssh/cert/cacert.cooked.pem
root@server:~# egrep -v '^ |^$|^Cert' newcert.pem > newcert.cooked.pem
root@server:~# pktool import keystore=pkcs11 infile=newcert.cooked.pem objtype=cert label=host
root@server:~#
On the client
junior@client:~$ ls *.pem
cacert.pem   newcert.pem  newkey.pem
root@client:~# kmfcfg create dbfile=/etc/ssh/policy.xml policy=ssh ta-name=search mapper-name=cn
root@client:~# egrep -v '^ |^$|^Cert' /export/home/junior/cacert.pem > /etc/ssh/cert/cacert.cooked.pem
junior@client:~$ pktool setpin
Enter token passphrase: changeme
Create new passphrase: superusersecret
Re-enter new passphrase: superusersecret
Passphrase changed.
junior@client:~$ pktool import keystore=pkcs11 infile=newkey.pem objtype=key label=user
Enter PIN for Sun Software PKCS#11 softtoken: superusersecret
Enter PEM pass phrase: supersecret3
Importing 1 keys
junior@client:~$ egrep -v '^ |^$|^Cert' newcert.pem > newcert.cooked.pem
junior@client:~$ pktool import keystore=pkcs11 infile=newcert.cooked.pem objtype=cert label=user
Testing it
root@server:~# svcadm disable ssh
root@server:~# svcadm enable ssh
junior@client:~$ cd .ssh
junior@client:~/.ssh$ printf "superusersecret" >> pinfile
junior@client:~/.ssh$ cat config
Host server-x509
    Hostname server
    TrustedAnchorKeystore /etc/ssh/cert
    KMFPolicyDatabase /etc/ssh/policy.xml
    KMFPolicyName ssh
    IdentityFile pkcs11:object=user;token=Sun Software PKCS#11 softtoken;pinfile=/export/home/junior/.ssh/pinfile
junior@client:~/.ssh$ ssh junior@server-x509
Last login: Thu Sep 26 20:07:14 2013 from client
Oracle Corporation      SunOS 5.11      11.1    September 2013
junior@server:~$
Find more information regarding this feature at:
http://www.c0t0d0s0.org/archives/7659-Using-X509-support-for-SSH-on-Solaris-11.1.html
OpenSCAP
„The Security Content Automation Protocol (SCAP) is a method for using specific standards to enable automated vulnerability management, measurement, and policy compliance evaluation (e.g., FISMA compliance). The National Vulnerability Database (NVD) is the U.S. government content repository for SCAP.“
http://en.wikipedia.org/wiki/Security_Content_Automation_Protocol
ftp-banner.xml

<?xml version="1.0" encoding="UTF-8"?>
<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:independent-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd">
  <generator>
    <oval:product_name>Enhanced SCAP Editor</oval:product_name>
    <oval:product_version>0.0.11</oval:product_version>
    <oval:schema_version>5.8</oval:schema_version>
    <oval:timestamp>2012-10-11T10:33:25</oval:timestamp>
  </generator>
  <!--generated.oval.base.identifier=com.oracle.solaris11-->
  <definitions>
    <definition id="oval:com.oracle.solaris11:def:840" version="1" class="compliance">
      <metadata>
        <title>Enable a Warning Banner for the FTP Service</title>
        <affected family="unix">
          <platform>Oracle Solaris 11</platform>
        </affected>
        <description>/etc/proftpd.conf contains "DisplayConnect /etc/issue"</description>
      </metadata>
      <criteria operator="AND" negate="false" comment="Single test">
        <criterion comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;" test_ref="oval:com.oracle.solaris11:tst:8400" negate="false"/>
      </criteria>
    </definition>
  </definitions>
  <tests>
    <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:com.oracle.solaris11:tst:8400" version="1" check="all" comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;" check_existence="all_exist">
      <object object_ref="oval:com.oracle.solaris11:obj:8400"/>
    </textfilecontent54_test>
  </tests>
  <objects>
    <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:com.oracle.solaris11:obj:8400" version="1" comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;">
      <path datatype="string" operation="equals">/etc</path>
      <filename datatype="string" operation="equals">proftpd.conf</filename>
      <pattern datatype="string" operation="pattern match">^DisplayConnect\s+/etc/issue\s*$</pattern>
      <instance datatype="int" operation="greater than or equal">1</instance>
    </textfilecontent54_object>
  </objects>
</oval_definitions>
$ oscap oval eval ftp-banner.xml
Definition oval:com.oracle.solaris11:def:840: false
Evaluation done.

$ oscap oval eval --results results.xml --report report.html ftp-banner.xml
Definition oval:com.oracle.solaris11:def:840: false
Evaluation done.
OVAL Results are exported correctly.
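To show what oscap actually does with the definition above, here is an added example (not part of the slides and not OpenSCAP code) that walks the same definition → test → object chain of a textfilecontent54 check and evaluates it against an in-memory stand-in for /etc/proftpd.conf; the OVAL document and the two config files are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# OVAL 5.x namespaces, as used by the page's ftp-banner.xml.
NS = {
    "def": "http://oval.mitre.org/XMLSchema/oval-definitions-5",
    "ind": "http://oval.mitre.org/XMLSchema/oval-definitions-5#independent",
}

# Constructed, trimmed-down OVAL document modelled on ftp-banner.xml
# (generator metadata dropped; the definition/test/object chain is kept).
OVAL_DOC = r"""<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
    xmlns:ind="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
  <definitions>
    <definition id="oval:com.oracle.solaris11:def:840" version="1" class="compliance">
      <metadata><title>Enable a Warning Banner for the FTP Service</title></metadata>
      <criteria operator="AND" negate="false">
        <criterion test_ref="oval:com.oracle.solaris11:tst:8400" negate="false"/>
      </criteria>
    </definition>
  </definitions>
  <tests>
    <ind:textfilecontent54_test id="oval:com.oracle.solaris11:tst:8400" version="1"
        check="all" check_existence="all_exist">
      <ind:object object_ref="oval:com.oracle.solaris11:obj:8400"/>
    </ind:textfilecontent54_test>
  </tests>
  <objects>
    <ind:textfilecontent54_object id="oval:com.oracle.solaris11:obj:8400" version="1">
      <ind:path datatype="string" operation="equals">/etc</ind:path>
      <ind:filename datatype="string" operation="equals">proftpd.conf</ind:filename>
      <ind:pattern datatype="string" operation="pattern match">^DisplayConnect\s+/etc/issue\s*$</ind:pattern>
      <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
    </ind:textfilecontent54_object>
  </objects>
</oval_definitions>
"""

# Constructed stand-ins for /etc/proftpd.conf. A commented-out banner line must
# not satisfy the anchored pattern, which is why the regex starts with ^.
NONCOMPLIANT_FS = {"/etc/proftpd.conf": 'ServerName "ProFTPD"\n#DisplayConnect /etc/issue\nPort 21\n'}
COMPLIANT_FS = {"/etc/proftpd.conf": 'ServerName "ProFTPD"\nDisplayConnect /etc/issue\nPort 21\n'}

# Comparison operators an <instance datatype="int"> element may carry.
INT_OPS = {
    "equals": lambda a, b: a == b,
    "greater than": lambda a, b: a > b,
    "greater than or equal": lambda a, b: a >= b,
    "less than": lambda a, b: a < b,
    "less than or equal": lambda a, b: a <= b,
}

def collect_items(obj, fs):
    """Emulate the textfilecontent54_object collector: return the 1-based
    instance numbers of the pattern matches in path/filename that satisfy the
    <instance> constraint. A missing file yields no items at all."""
    path = obj.find("ind:path", NS).text
    fname = obj.find("ind:filename", NS).text
    pattern = re.compile(obj.find("ind:pattern", NS).text, re.MULTILINE)
    inst = obj.find("ind:instance", NS)
    wanted, op = int(inst.text), INT_OPS[inst.get("operation", "equals")]
    content = fs.get(path.rstrip("/") + "/" + fname)
    if content is None:
        return []
    hits = list(pattern.finditer(content))
    return [i for i, _ in enumerate(hits, start=1) if op(i, wanted)]

def evaluate(oval_xml, fs):
    """Evaluate every <definition> against an in-memory file system
    ({absolute path: contents}); returns {definition id: True/False}."""
    root = ET.fromstring(oval_xml)
    tests = {t.get("id"): t for t in root.iter("{%s}textfilecontent54_test" % NS["ind"])}
    objects = {o.get("id"): o for o in root.iter("{%s}textfilecontent54_object" % NS["ind"])}
    results = {}
    for d in root.iter("{%s}definition" % NS["def"]):
        criteria = d.find("def:criteria", NS)
        verdicts = []
        for crit in criteria.findall("def:criterion", NS):
            test = tests[crit.get("test_ref")]
            obj = objects[test.find("ind:object", NS).get("object_ref")]
            items = collect_items(obj, fs)
            # check_existence="all_exist" with one object and no <state>:
            # the test passes iff at least one item was collected.
            ok = bool(items) if test.get("check_existence", "all_exist") == "all_exist" else True
            verdicts.append(not ok if crit.get("negate") == "true" else ok)
        combined = all(verdicts) if criteria.get("operator", "AND") == "AND" else any(verdicts)
        results[d.get("id")] = not combined if criteria.get("negate") == "true" else combined
    return results

if __name__ == "__main__":
    for name, fs in (("noncompliant", NONCOMPLIANT_FS), ("compliant", COMPLIANT_FS)):
        for def_id, res in evaluate(OVAL_DOC, fs).items():
            print("%s: Definition %s: %s" % (name, def_id, str(res).lower()))
```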
c0t0d0s0org165
To create your own OVAL files: Enhanced SCAP Content Editor
Find more information regarding this feature at:
https://blogs.oracle.com/darren/entry/compliance_reporting_with_scap
junior@template:~$ pfedit /etc/apache2/2.2/mime.types
pfedit: User junior is not authorized to edit the file /etc/apache2/2.2/mime.types
root@template:/etc/apache2/2.2# profiles -p "httpd edit"
profiles:httpd edit> info
        name=httpd edit
        desc=Edit httpd
        auths=solaris.admin.edit/etc/apache2/2.2/httpd.conf
profiles:httpd edit> add auths=solaris.admin.edit/etc/apache2/2.2/mime.types
junior@template:~$ pfedit /etc/apache2/2.2/mime.types
pfedit: no changes for /etc/apache2/2.2/mime.types
# profiles -p "httpd configure"
profiles:httpd configure> add always_audit=as
profiles:httpd configure> info
        name=httpd configure
        desc=Configure httpd
        auths=solaris.admin.edit/etc/apache2/2.2/httpd.conf,solaris.admin.edit/etc/apache2/2.2/mime.types
        always_audit=as
        never_audit=no
profiles:httpd configure> exit
root@template:~#
root@template:~# auditreduce -c as | praudit
[...]
header,486,2,edit administrative file,,fe80::a00:27ff:fea6:33cb,2013-08-12 07:45:52.306 +00:00
subject,junior,junior,staff,junior,staff,4212,4474671663,69 136704 MacBook-Pro-of-c0t0d0s0.fritz.box
path,/etc/apache2/2.2/httpd.conf
use of authorization,solaris.admin.edit/etc/apache2/2.2/httpd.conf
text,--- /etc/apache2/2.2/httpd.conf        Mo Aug 12 07:45:00 2013
+++ /etc/apache2/2.2/httpd.conf.pfedit.1BaGoi   Mo Aug 12 07:45:52 2013
@@ -1,5 +1,6 @@
 #
 # Test
 # Test 2
+# Test 3
 # This is the main Apache HTTP server configuration file.  It contains the
 # configuration directives that give the server its instructions.
return,success,0
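As an added example (not from the slides), a small parser for the praudit record format shown above that pulls out who used which authorization on which administrative file, and which edit attempts were refused; the sample records are constructed to resemble the one on the slide.

```python
# Constructed praudit output in its default comma-separated token format,
# shaped like the record shown above: one successful pfedit of httpd.conf that
# exercised an authorization, and one pfedit of mime.types that was refused.
SAMPLE = """\
header,486,2,edit administrative file,,fe80::a00:27ff:fea6:33cb,2013-08-12 07:45:52.306 +00:00
subject,junior,junior,staff,junior,staff,4212,4474671663,69 136704 MacBook-Pro-of-c0t0d0s0.fritz.box
path,/etc/apache2/2.2/httpd.conf
use of authorization,solaris.admin.edit/etc/apache2/2.2/httpd.conf
text,--- /etc/apache2/2.2/httpd.conf Mo Aug 12 07:45:00 2013
+++ /etc/apache2/2.2/httpd.conf.pfedit.1BaGoi Mo Aug 12 07:45:52 2013
@@ -1,5 +1,6 @@
+# Test 3
return,success,0
header,140,2,edit administrative file,fe,fe80::a00:27ff:fea6:33cb,2013-08-12 07:40:10.113 +00:00
subject,junior,junior,staff,junior,staff,4199,4474671663,69 136704 MacBook-Pro-of-c0t0d0s0.fritz.box
path,/etc/apache2/2.2/mime.types
return,failure: Permission denied,-1
"""

def parse_praudit(text):
    """Split praudit output into records (header ... return). Only the tokens
    the report needs are kept; continuation lines of a multi-line text token
    (the diff) start with no known token name and are skipped."""
    records, cur = [], None
    for line in text.splitlines():
        fields = line.split(",")
        token = fields[0]
        if token == "header":
            # header,bytes,version,event,modifier,host,time
            cur = {"event": fields[3], "time": fields[-1], "paths": [], "auths": []}
            records.append(cur)
        elif cur is None:
            continue
        elif token == "subject":
            # subject,audit-ID,uid,gid,ruid,rgid,pid,sid,tid
            cur["audit_user"], cur["pid"] = fields[1], int(fields[6])
        elif token == "path":
            cur["paths"].append(fields[1])
        elif token == "use of authorization":
            cur["auths"].append(fields[1])
        elif token == "return":
            cur["status"], cur["retval"] = fields[1], fields[2]
            cur = None
    return records

def authorization_uses(records):
    """(audit user, authorization, path, status) for each record that used an
    authorization: the trail of who edited which file under which right."""
    out = []
    for r in records:
        for auth in r["auths"]:
            out.append((r["audit_user"], auth, ",".join(r["paths"]), r["status"]))
    return out

def refused_edits(records):
    """Edit events that did not succeed, e.g. a user running pfedit on a file
    that no profile of theirs grants (the mime.types case above)."""
    return [(r["audit_user"], ",".join(r["paths"]), r["status"])
            for r in records if r.get("status") != "success"]

if __name__ == "__main__":
    recs = parse_praudit(SAMPLE)
    for row in authorization_uses(recs):
        print("used:   ", row)
    for row in refused_edits(recs):
        print("refused:", row)
```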
Delegating privilege to restart services (so you can keep the root password)
junior@template:~$ svcadm refresh apache22
svcadm: svc:/network/http:apache22: Permission denied.
# svcs -a | grep apache22
online         15:30:29 svc:/network/http:apache22
# auths add -t "Apache22 value" solaris.smf.value.http.apache22
# auths add -t "Apache22 action" solaris.smf.action.http.apache22
# svccfg -s apache22 setprop general/value_authorization = astring: solaris.smf.value.http.apache22
# svccfg -s apache22 setprop general/action_authorization = astring: solaris.smf.action.http.apache22
# profiles -p "httpd edit" "add auths=solaris.smf.action.http.apache22"
junior@template:~$ svcadm refresh apache22
junior@template:~$
Privileges
$ ls -l /usr/sbin/traceroute
-r-sr-xr-x   1 root     bin        42324 Nov 21 00:09 /usr/sbin/traceroute
$ ls -l /usr/sbin/ping
-r-sr-xr-x   1 root     bin        51396 Nov 18 19:31 /usr/sbin/ping

set-id to root: ping needs it to work
# chmod -s /usr/sbin/ping
# exit
$ ping -s 1921681132
ping: socket Permission denied

Remove the set-uid bit and ping stops working.
jmoekamp@daddelkiste:~$ ppriv $$
2153:   -bash
flags = <none>
        E: basic
        I: basic
        P: basic
        L: all
contract_event, contract_identity, contract_observer, cpc_cpu, dtrace_kernel, dtrace_proc, dtrace_user, file_chown, file_chown_self, file_dac_execute, file_dac_read, file_dac_search, file_dac_write, file_downgrade_sl, file_flag_set, file_link_any, file_owner, file_read, file_setid, file_upgrade_sl, file_write, graphics_access, graphics_map, ipc_dac_read, ipc_dac_write, ipc_owner, net_access, net_bindmlp, net_icmpaccess, net_mac_aware, net_mac_implicit, net_observability, net_privaddr, net_rawaccess, proc_audit, proc_chroot, proc_clock_highres, proc_exec, proc_fork, proc_info, proc_lock_memory, proc_owner, proc_priocntl, proc_session, proc_setid, proc_taskid, proc_zone, sys_acct, sys_admin, sys_audit, sys_config, sys_devices, sys_dl_config, sys_flow_config, sys_ib_config, sys_ib_info, sys_ip_config, sys_ipc_config, sys_iptun_config, sys_linkdir, sys_mount, sys_net_config, sys_nfs, sys_ppp_config, sys_res_bind, sys_res_config, sys_resource, sys_share, sys_smb, sys_suser_compat, sys_time, sys_trans_label, win_colormap, win_config, win_dac_read, win_dac_write, win_devices, win_dga, win_downgrade_sl, win_fontpath, win_mac_read, win_mac_write, win_selection, win_upgrade_sl
All privileges in their entirety assigned to one user are ... (almost)
Neat extension in Solaris 11: the ability to use networking is now a privilege. It's part of the default set of privileges, but you can remove it.
jmoekamp@daddelkiste:~$ ppriv -v $$
2153:   -bash
flags = <none>
        E: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
        I: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
        P: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
        L: contract_event,contract_identity,contract_observer,cpc_cpu,dtrace_kernel,dtrace_proc,dtrace_user,file_chown,file_chown_self,file_dac_execute,file_dac_read,file_dac_search,file_dac_write,file_downgrade_sl,file_flag_set,file_link_any,file_owner,file_read,file_setid,file_upgrade_sl,file_write,graphics_access,graphics_map,ipc_dac_read,ipc_dac_write,ipc_owner,net_access,net_bindmlp,net_icmpaccess,net_mac_aware,net_mac_implicit,net_observability,net_privaddr,net_rawaccess,proc_audit,proc_chroot,proc_clock_highres,proc_exec,proc_fork,proc_info,proc_lock_memory,proc_owner,proc_priocntl,proc_session,proc_setid,proc_taskid,proc_zone,sys_acct,sys_admin,sys_audit,sys_config,sys_devices,sys_dl_config,sys_flow_config,sys_ib_config,sys_ib_info,sys_ip_config,sys_ipc_config,sys_iptun_config,sys_linkdir,sys_mount,sys_net_config,sys_nfs,sys_ppp_config,sys_res_bind,sys_res_config,sys_resource,sys_share,sys_smb,sys_suser_compat,sys_time,sys_trans_label,win_colormap,win_config,win_dac_read,win_dac_write,win_devices,win_dga,win_downgrade_sl,win_fontpath,win_mac_read,win_mac_write,win_selection,win_upgrade_sl
root@daddelkiste:~# ppriv $$
2183:   -bash
flags = <none>
        E: all
        I: basic
        P: all
        L: all
junior@daddelkiste:~$ dtrace -n 'syscall:::entry { @num[execname] = count(); }'
dtrace: failed to initialize dtrace: DTrace requires additional privileges
root@daddelkiste:~# usermod -K defaultpriv=basic,dtrace_kernel,dtrace_proc,dtrace_user junior
UX: usermod: junior is currently logged in, some changes may not take effect until next login.
junior@daddelkiste:~$ dtrace -n 'syscall:::entry { @num[execname] = count(); }'
dtrace: description 'syscall:::entry ' matched 211 probes
^C

  automountd                                                        1
  sshd                                                             24
  dtrace                                                          544
  auditd                                                          564
# ps -ef | grep kcfd
  daemon   125     1   0 14:24:19 ?           0:00 /usr/lib/crypto/kcfd
    root   734   728   0 15:54:08 pts/1       0:00 grep kcfd
# ppriv -v 125
125:    /usr/lib/crypto/kcfd
flags = PRIV_AWARE
        E: file_owner,proc_priocntl,sys_devices
        I: none
        P: file_owner,proc_priocntl,sys_devices
        L: none
# svcadm -v enable -s apache2
svc:/network/http:apache2 enabled.
jmoekamp@client:~$ ps -ef | grep http
webservd  1978  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1979  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1980  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1984  1975   0 12:20:02 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
    root  1975     1   0 12:19:14 ?           0:01 /usr/apache2/2.2/bin/httpd -k start
webservd  1977  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1976  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
root@client:~# ppriv 1977
1977:   /usr/apache2/2.2/bin/httpd -k start
flags = <none>
        E: basic
        I: basic
        P: basic
        L: all
root@client:~# ppriv 1975
1975:   /usr/apache2/2.2/bin/httpd -k start
flags = <none>
        E: all
        I: basic
        P: all
        L: all
root@client:~#
The Apache process running as root has the following privileges: all of them (the full privilege list).

The other processes have the following privileges: the basic set.

Apache really needs: only a small subset of the basic set, plus net_privaddr.

So you grant a large number of privileges to one process that Apache doesn't need.
# svcadm -v disable -s apache2
svc:/network/http:apache2 disabled.
root@client:~# svccfg -s apache22
svc:/network/http:apache22> setprop start/user = astring: webservd
svc:/network/http:apache22> setprop start/group = astring: webservd
svc:/network/http:apache22> setprop start/privileges = astring: basic,!proc_session,!proc_info,!file_link_any,net_privaddr
svc:/network/http:apache22> setprop start/limit_privileges = astring: :default
svc:/network/http:apache22> setprop start/use_profile = boolean: false
svc:/network/http:apache22> setprop start/supp_groups = astring: :default
svc:/network/http:apache22> setprop start/working_directory = astring: :default
svc:/network/http:apache22> setprop start/project = astring: :default
svc:/network/http:apache22> setprop start/resource_pool = astring: :default
svc:/network/http:apache22> end
root@client:~# svcadm -v refresh apache22
Action refresh set for svc:/network/http:apache22.
echo "LockFile /var/apache2/2.2/logs/accept.lock" >> /etc/apache2/2.2/httpd.conf
echo "PidFile /var/apache2/2.2/run/httpd.pid" >> /etc/apache2/2.2/httpd.conf
mkdir -p -m 755 /var/apache2/2.2/run
chown webservd:webservd /var/apache2/2.2/run
svcadm enable apache22
webservd  3064  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3062  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3063  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3066  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3061     1   0 16:49:17 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3065  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
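To turn the ppriv slides and the start/privileges property into a repeatable check, here is an added example (not part of the slides, not Solaris code): it expands an SMF privilege specification such as "basic,!proc_session,!proc_info,!file_link_any,net_privaddr" the way the examples above read it, parses ppriv output, and reports which effective privileges a process holds beyond that specification. The ppriv sample is constructed to match the page's output for pids 1975 and 1977, plus an assumed hardened parent (pid 3061) after the svccfg change.

```python
import re

# The basic set as printed by "ppriv -v" on the page's Solaris 11 system.
BASIC = frozenset({
    "file_link_any", "file_read", "file_write", "net_access", "proc_exec",
    "proc_fork", "proc_info", "proc_session", "sys_ib_info",
})
ALL = "all"  # sentinel: ppriv prints the complete set as the keyword "all"

APACHE_SPEC = "basic,!proc_session,!proc_info,!file_link_any,net_privaddr"

# Constructed ppriv output: pids 1975/1977 as on the slides, pid 3061 assumed
# to be the parent started with the hardened start/privileges property.
SAMPLE = """\
1975:\t/usr/apache2/2.2/bin/httpd -k start
flags = <none>
\tE: all
\tI: basic
\tP: all
\tL: all
1977:\t/usr/apache2/2.2/bin/httpd -k start
flags = <none>
\tE: basic
\tI: basic
\tP: basic
\tL: all
3061:\t/usr/apache2/2.2/bin/httpd -k start
flags = <none>
\tE: file_read,file_write,net_access,net_privaddr,proc_exec,proc_fork,sys_ib_info
\tI: file_read,file_write,net_access,net_privaddr,proc_exec,proc_fork,sys_ib_info
\tP: file_read,file_write,net_access,net_privaddr,proc_exec,proc_fork,sys_ib_info
\tL: all
"""

def resolve_privspec(spec, basic=BASIC):
    """Expand a privilege specification: 'basic' adds the basic set, a bare
    name adds one privilege, '!name' removes one. Order matters, as in SMF."""
    names = set()
    for tok in spec.split(","):
        tok = tok.strip()
        if not tok:
            continue
        if tok.startswith("!"):
            names.discard(tok[1:])
        elif tok == "basic":
            names |= basic
        else:
            names.add(tok)
    return frozenset(names)

def parse_privset(value, basic=BASIC):
    """Text after 'E:' (or I:/P:/L:) -> frozenset, or the ALL sentinel."""
    value = value.strip()
    if value == "all":
        return ALL
    if value in ("none", ""):
        return frozenset()
    return resolve_privspec(value, basic)

PID_RE = re.compile(r"^(\d+):\s+(.*)$")
SET_RE = re.compile(r"^\s*([EIPL]):\s*(.*)$")

def parse_ppriv(text):
    """Parse 'ppriv [-v] <pid>...' output into {pid: {"cmd", "E", "I", "P", "L"}}."""
    procs, cur = {}, None
    for line in text.splitlines():
        m = PID_RE.match(line)
        if m:
            cur = {"cmd": m.group(2).strip()}
            procs[int(m.group(1))] = cur
            continue
        m = SET_RE.match(line)
        if m and cur is not None:
            cur[m.group(1)] = parse_privset(m.group(2))
    return procs

def excess_privileges(proc, expected):
    """Effective privileges beyond what the service was configured to need;
    ALL when the process runs with every privilege (the root-started case)."""
    eff = proc["E"]
    return ALL if eff == ALL else eff - expected

def audit_ppriv(text, spec):
    """{pid: excess set or ALL} for every process in the ppriv output."""
    expected = resolve_privspec(spec)
    return {pid: excess_privileges(p, expected) for pid, p in parse_ppriv(text).items()}

if __name__ == "__main__":
    for pid, extra in sorted(audit_ppriv(SAMPLE, APACHE_SPEC).items()):
        print(pid, "excess:", extra if extra == ALL else ",".join(sorted(extra)) or "-")
```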
Read-only zone root
zonecfg:testzone> set file-mac-profile=none
    Standard read-write non-global zone with no additional protection beyond the existing zones boundaries.

zonecfg:testzone> set file-mac-profile=strict
    Read-only file system, no exceptions.

zonecfg:testzone> set file-mac-profile=fixed-configuration
    Permits updates to /var/* directories, with the exception of directories that contain system configuration components.

zonecfg:testzone> set file-mac-profile=flexible-configuration
    Permits modification of files in /etc/* directories, changes to root's home directory, and updates to /var/* directories. This configuration provides the closest functionality to the Oracle Solaris 10 native sparse root zone.
in-kernel SSL Proxy
mkdir /etc/keys
cd /etc/keys
openssl req -x509 -nodes -days 365 -subj "/C=DE/ST=Hamburg/L=Hamburg/CN=server" -newkey rsa:1024 -keyout /etc/keys/mykey.pem -out /etc/keys/mycert.pem
cat mycert.pem mykey.pem > my.pem
chmod 600 my.pem
echo "pass" > /etc/keys/mypass
ksslcfg create -f pem -i /etc/keys/my.pem -x 8080 -p /etc/keys/mypass server 443
ksslcfg create -f pem -i /etc/keys/my.pem -x 8080 -p /etc/keys/mypass -c rsa_aes_256_cbc_sha,rsa_aes_128_cbc_sha,rsa_rc4_128_sha,rsa_rc4_128_md5 server 443
# svcs -a | grep kssl
online          9:03:33 svc:/network/ssl/proxy:kssl-server-443
svcadm disable apache22
echo "Listen 192.168.178.108:8080" >> /etc/apache2/2.2/httpd.conf
svcadm enable apache22

Port number and IP address have to be defined in httpd.conf, otherwise it will not work.
# openssl s_client -connect server:443
CONNECTED(00000004)
depth=0 /C=DE/ST=Hamburg/L=Hamburg/CN=server
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=DE/ST=Hamburg/L=Hamburg/CN=server
verify return:1
---
Certificate chain
 0 s:/C=DE/ST=Hamburg/L=Hamburg/CN=server
   i:/C=DE/ST=Hamburg/L=Hamburg/CN=server
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICoTCCAgqgAwIBAgIJAKyJdj[...]V5jX3MU=
-----END CERTIFICATE-----
subject=/C=DE/ST=Hamburg/L=Hamburg/CN=server
issuer=/C=DE/ST=Hamburg/L=Hamburg/CN=server
---
No client certificate CA names sent
---
SSL handshake has read 817 bytes and written 328 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-SHA
    Session-ID: 32CEF20CB9FE2A71C74D40BB2DB5CB304DA1B57540B7CFDD113915B99DBE9812
    Session-ID-ctx:
    Master-Key: 1E7B502390951124779C5763B5E4BBAF0A9B0693D08DCA8A587B503A5C5027B6FAD9CA7626B1AD8C62219E8502A5C21E
    Key-Arg   : None
    Start Time: 1242985143
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
GET / HTTP/1.0

HTTP/1.1 200 OK
Date: Fri, 22 May 2009 09:39:13 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8a DAV/2
Last-Modified: Thu, 21 May 2009 21:26:30 GMT
ETag: "341f3-2c-46a72cc211a8f"
Accept-Ranges: bytes
Content-Length: 44
Connection: close
Content-Type: text/html

<html><body><h1>It works!</h1></body></html>
read:errno=0
ZFS Encryption
# zfs create -o encryption=on rpool/export/project
Two keys are involved:
• wrapping key (user settable)
• encryption key (random, not user settable)

Where the wrapping key comes from (keysource): prompt, file, https, pkcs11
Available encryption algorithms: aes-128-ccm (=on), aes-192-ccm, aes-256-ccm, aes-128-gcm, aes-192-gcm, aes-256-gcm
# zfs set checksum=sha256+mac <dataset>

If encryption is not off, this happens automatically, and the checksum property is read-only from then on.
# pktool genkey keystore=pkcs11 keytype=aes keylen=128 label=mykey
Enter PIN for Sun Software PKCS#11 softtoken:
# zfs create -o encryption=on -o keysource=raw,pkcs11:object=mykey tank/project/C
Enter PKCS#11 token PIN for 'tank/project/C':
# zfs create -o encryption=on -o keysource=raw,https://keys.example.com/mykey tank/project/R
# cp myserver.cert.pem /etc/certs/CA
# svcadm refresh ca-certificates
$ zfs key -c rpool/export/project
Enter new passphrase for 'rpool/export/project':

Changing the wrapping key
zfs key -K tankprojectA zfs clone -K tankprojectAmontag tankprojectD
Changing the encryption key
c0t0d0s0org92
zfs key -K tankprojectA zfs clone -K tankprojectAmontag tankprojectD
Changing the encryption key for data written form now
Creates a new data encryption key Data written in the clone uses the new data encryption key which is distinct from its original snapshot
c0t0d0s0org93
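The wrapping-key/data-key split behind `zfs key -c` and `zfs key -K`, as an added Go example that is not part of the slides nor ZFS code: a dataset whose random data encryption keys (DEKs) are wrapped under a passphrase-derived key, so that changing the wrapping key only rewraps the DEKs, while a new data key affects only data written afterwards. PBKDF2 with 2048 iterations and AES-256-GCM are stand-ins chosen for this example; ZFS's on-disk format and KDF settings are not reproduced.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
)

// pbkdf2 is PBKDF2-HMAC-SHA256 for one 32-byte block (standard library only): it stretches
// the passphrase into the wrapping key. ZFS's own KDF parameters are not reproduced here.
func pbkdf2(pass, salt []byte, iter int) []byte {
	mac := hmac.New(sha256.New, pass)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // block index 1
	u := mac.Sum(nil)
	t := append([]byte(nil), u...)
	for i := 1; i < iter; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}
func randBytes(n int) []byte {
	b := make([]byte, n)
	rand.Read(b)
	return b
}
// seal/open are AES-256-GCM with the nonce prefixed to the ciphertext. The same primitive
// wraps a data encryption key (DEK) under the wrapping key and encrypts data under a DEK.
func seal(key, plain []byte) []byte {
	b, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(b)
	nonce := randBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plain, nil)
}
func open(key, sealed []byte) ([]byte, error) {
	b, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(b)
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], nil)
}
type block struct{ key int; ct []byte } // key: index of the DEK this block was written under

// Dataset models one encrypted dataset. wrapped and blocks are what sits "on disk";
// wk and deks are held in memory only while the key is loaded.
type Dataset struct {
	salt    []byte
	wrapped [][]byte // DEKs wrapped under the passphrase-derived wrapping key
	wk      []byte   // wrapping key, while loaded
	deks    [][]byte // unwrapped DEKs, while loaded
	blocks  []block
}
func kek(pass string, salt []byte) []byte { return pbkdf2([]byte(pass), salt, 2048) }
// NewDataset is `zfs create -o encryption=on`: the user chooses only the wrapping key (here
// a passphrase); the DEK is random and not user-settable. The key starts out loaded.
func NewDataset(pass string) *Dataset {
	d := &Dataset{salt: randBytes(16)}
	d.wrapped = [][]byte{seal(kek(pass, d.salt), randBytes(32))}
	d.Load(pass)
	return d
}
// Load is `zfs key -l`: unwrap every DEK. A wrong passphrase fails GCM authentication.
func (d *Dataset) Load(pass string) error {
	wk, deks := kek(pass, d.salt), [][]byte{}
	for _, w := range d.wrapped {
		dek, err := open(wk, w)
		if err != nil {
			return err
		}
		deks = append(deks, dek)
	}
	d.wk, d.deks = wk, deks
	return nil
}
// Write encrypts under the newest DEK in the chain (the key must be loaded).
func (d *Dataset) Write(plain string) {
	i := len(d.deks) - 1
	d.blocks = append(d.blocks, block{i, seal(d.deks[i], []byte(plain))})
}
// Read decrypts block i with whichever DEK it was written under.
func (d *Dataset) Read(i int) (string, error) {
	p, err := open(d.deks[d.blocks[i].key], d.blocks[i].ct)
	return string(p), err
}
// ChangeWrappingKey is `zfs key -c`: the DEKs are rewrapped under the new passphrase;
// not one data block is rewritten.
func (d *Dataset) ChangeWrappingKey(newPass string) {
	d.wk = kek(newPass, d.salt)
	for i, dek := range d.deks {
		d.wrapped[i] = seal(d.wk, dek)
	}
}
// NewDataKey is `zfs key -K`: a fresh DEK for data written from now on; earlier blocks
// keep decrypting under the DEK they were written with.
func (d *Dataset) NewDataKey() {
	dek := randBytes(32)
	d.deks = append(d.deks, dek)
	d.wrapped = append(d.wrapped, seal(d.wk, dek))
}
```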
Solaris Cryptographic Framework
As soon as Solaris detects hardware acceleration for cryptography, Solaris will use it (and so do applications that use the Oracle-supplied OpenSSL library or the framework's direct interfaces):
• on-chip crypto accelerators in T-series and current M-series chips
• instruction set extensions in Intel processors (AES-NI)
• supported crypto accelerator cards

Just a side note: T-series crypto acceleration and Intel x86 acceleration have quite different performance characteristics.
T-series: acceleration by offloading crypto outside the pipeline. Intel x86: acceleration by offering special in-pipeline instructions that speed up execution.
Sounds like splitting hairs.
Using ZFS to do two-factor encryption
jmoekamp@solaris:~$ rmformat
Looking for devices...
     1. Logical Node: /dev/rdsk/c10t0d0p0
        Physical Node: /pci@0,0/pci8086,265c@b/storage@2/disk@0,0
        Connected Device: SanDisk  U3 Cruzer Micro  8.02
        Device Type: Removable
        Bus: USB
        Size: 3.8 GB
        Label:
        Access permissions: Medium is not write protected.
(...)
     3. Logical Node: /dev/rdsk/c9t0d0p0
        Physical Node: /pci@0,0/pci8086,265c@b/storage@1/disk@0,0
        Connected Device: SanDisk  U3 Cruzer Micro  8.02
        Device Type: Removable
        Bus: USB
        Size: 3.8 GB
        Label:
        Access permissions: Medium is not write protected.

root@solaris:~# zpool create a_keystore_usbstick /dev/dsk/c10t0d0p0
root@solaris:~# zpool create datastore /dev/dsk/c9t0d0p0

root@solaris:~# zfs create -o encryption=on a_keystore_usbstick/keys
Enter passphrase for 'a_keystore_usbstick/keys': supersecret
Enter again: supersecret

root@solaris:~# pktool genkey keystore=file keytype=aes keylen=128 outkey=/a_keystore_usbstick/keys/joergsdatastick.key

root@solaris:~# zfs create -o encryption=on -o keysource=raw,file:///a_keystore_usbstick/keys/joergsdatastick.key datastick/joergssecrets

root@solaris:/datastick/joergssecrets# mv /home/jmoekamp/highlyconfidential_nda_presos.tgz .

root@solaris:~# zpool export a_keystore_usbstick
root@solaris:~# zpool export datastick

root@solaris:~# zpool import a_keystore_usbstick
Enter passphrase for 'a_keystore_usbstick/keys': supersecret
root@solaris:~#

root@solaris:~# zpool import datastick
root@solaris:~# cd /datastick/joergssecrets
root@solaris:/datastick/joergssecrets# ls
highconfidential_nda_presos.tgz
Basic Auditing and Reporting Tool
# mkdir bart-files
# bart create -R /etc > bart-files/etc.control.manifest

# cat etc.control.manifest | grep nsswitch.nisplus
/nsswitch.nisplus F 2525 100644 user::rw-,group::r--,mask:r--,other:r-- 473976b5 0 3 79e8fd689a5221d1cd059e5077da71b8

# touch /etc/thisisjustatest
# chmod 777 /etc/nsswitch.files
# echo "just a test" >> /etc/nsswitch.nisplus

# bart create -R /etc > bart-files/etc.check.20130911.manifest

# cd bart-files
# bart compare etc.control.manifest etc.check.20130911.manifest
/nsswitch.files:
  mode  control:100644  test:100777
  acl  control:user::rw-,group::r--,mask:r--,other:r--  test:user::rwx,group::rwx,mask:rwx,other:rwx
/nsswitch.nisplus:
  size  control:2525  test:2538
  mtime  control:473976b5  test:47a44862
  contents  control:79e8fd689a5221d1cd059e5077da71b8  test:3f79176ec352441db11ec8a3d02ef67c
/thisisjustatest:
  add
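A re-implementation of what `bart compare` does with two manifests, as an added Go example (not code from the slides or from BART): the control line for /nsswitch.nisplus is the one shown above; the other manifest lines, hashes and the removed file are constructed for this example.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// Entry is one manifest line. For a regular file (type F) BART records name, type, size,
// mode, acl, mtime (hex), uid, gid and the MD5 of the contents; directories (D) have no contents.
type Entry struct {
	Name, Type, Size, Mode, ACL, Mtime, UID, GID, Contents string
}

// ParseManifest reads a manifest, skipping the "! Version" and "# Format" header lines.
func ParseManifest(text string) (map[string]Entry, error) {
	m := map[string]Entry{}
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || line[0] == '!' || line[0] == '#' {
			continue
		}
		f := strings.Fields(line)
		if len(f) < 8 {
			return nil, fmt.Errorf("short manifest line: %q", line)
		}
		e := Entry{Name: f[0], Type: f[1], Size: f[2], Mode: f[3], ACL: f[4], Mtime: f[5], UID: f[6], GID: f[7]}
		if len(f) > 8 {
			e.Contents = f[8]
		}
		m[e.Name] = e
	}
	return m, sc.Err()
}

// Compare reports what `bart compare control test` reports: for each file present in both
// manifests the attributes whose values differ, otherwise "add" or "delete".
func Compare(control, test map[string]Entry) string {
	seen, names := map[string]bool{}, []string{}
	for _, m := range []map[string]Entry{control, test} {
		for n := range m {
			if !seen[n] {
				seen[n] = true
				names = append(names, n)
			}
		}
	}
	sort.Strings(names)
	var b strings.Builder
	for _, n := range names {
		c, inControl := control[n]
		t, inTest := test[n]
		switch {
		case !inControl:
			fmt.Fprintf(&b, "%s:\n  add\n", n)
		case !inTest:
			fmt.Fprintf(&b, "%s:\n  delete\n", n)
		default:
			var diffs []string
			for _, a := range []struct{ attr, c, t string }{
				{"type", c.Type, t.Type}, {"size", c.Size, t.Size}, {"mode", c.Mode, t.Mode},
				{"acl", c.ACL, t.ACL}, {"mtime", c.Mtime, t.Mtime}, {"uid", c.UID, t.UID},
				{"gid", c.GID, t.GID}, {"contents", c.Contents, t.Contents},
			} {
				if a.c != a.t {
					diffs = append(diffs, fmt.Sprintf("  %s  control:%s  test:%s", a.attr, a.c, a.t))
				}
			}
			if len(diffs) > 0 {
				fmt.Fprintf(&b, "%s:\n%s\n", n, strings.Join(diffs, "\n"))
			}
		}
	}
	return b.String()
}

// ControlManifest: the /nsswitch.nisplus line is the one from the slide; the other entries
// and every hash except that one are constructed for this example.
const ControlManifest = `! Version 1.0
# Format:
#fname D size mode acl dirmtime uid gid
#fname F size mode acl mtime uid gid contents
/nsswitch.files F 1108 100644 user::rw-,group::r--,mask:r--,other:r-- 473976b5 0 3 00000000000000000000000000000001
/nsswitch.nisplus F 2525 100644 user::rw-,group::r--,mask:r--,other:r-- 473976b5 0 3 79e8fd689a5221d1cd059e5077da71b8
/obsolete.conf F 12 100644 user::rw-,group::r--,mask:r--,other:r-- 473976b5 0 3 00000000000000000000000000000002
/passwd F 900 100644 user::rw-,group::r--,mask:r--,other:r-- 473976b5 0 3 00000000000000000000000000000003
`

// TestManifest: the same tree after the changes made on the slide (chmod 777 on nsswitch.files,
// a line appended to nsswitch.nisplus, thisisjustatest created) plus one constructed removal.
const TestManifest = `! Version 1.0
# Format:
#fname D size mode acl dirmtime uid gid
#fname F size mode acl mtime uid gid contents
/nsswitch.files F 1108 100777 user::rwx,group::rwx,mask:rwx,other:rwx 473976b5 0 3 00000000000000000000000000000001
/nsswitch.nisplus F 2538 100644 user::rw-,group::r--,mask:r--,other:r-- 47a44862 0 3 3f79176ec352441db11ec8a3d02ef67c
/passwd F 900 100644 user::rw-,group::r--,mask:r--,other:r-- 473976b5 0 3 00000000000000000000000000000003
/thisisjustatest F 0 100644 user::rw-,group::r--,mask:r--,other:r-- 47a44870 0 0 d41d8cd98f00b204e9800998ecf8427e
`
```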
Find more information regarding this feature at http://www.c0t0d0s0.org/archives/4069-Less-known-Solaris-features-BART.html
Apropos Auditing
Auditing is activated by default.

root@client:~# auditconfig -getflags
active user default audit flags = lo(0x1000,0x1000)
configured user default audit flags = lo(0x1000,0x1000)
root@client:~# auditconfig -getnaflags
active non-attributable audit flags = lo(0x1000,0x1000)
configured non-attributable audit flags = lo(0x1000,0x1000)

root@client:~# auditconfig -getpolicy
configured audit policies = cnt
active audit policies = cnt
Policy regarding auditing (explanation on the next slide).

root@client:~# auditconfig -lspolicy
policy string    description:
ahlt             halt machine if it can not record an async event
all              all policies
arge             include exec environment args in audit recs
argv             include exec command line args in audit recs
cnt              when no more space, drop recs and keep a cnt
group            include supplementary groups in audit recs
none             no policies
path             allow multiple paths per event
perzone          use a separate queue and auditd per zone
public           audit public files
seq              include a sequence number in audit recs
trail            include trailer token in audit recs
windata_down     include downgraded window information in audit recs
windata_up       include upgraded window information in audit recs
zonename         include zonename token in audit recs
Which degree of detail? What happens with full disks?

root@client:~# auditconfig -getplugin
Plugin: audit_binfile (active)
	Attributes: p_dir=/var/audit;p_fsize=0;p_minfree=1;

Plugin: audit_syslog (inactive)
	Attributes: p_flags=;

Plugin: audit_remote (inactive)
	Attributes: p_hosts=;p_retries=3;p_timeout=5;
root@client:~# auditconfig -setflags lo,ps,fw
user default audit flags = ps,lo,fw(0x101002,0x101002)
root@client:~# auditconfig -setnaflags lo,na
non-attributable audit flags = lo,na(0x1400,0x1400)
lo and na are the only sensible flags for non-attributable events.

Per-user flags on top of the system default:
root@client:~# usermod -K audit_flags=fw,as junior

root@client:~# auditconfig -lsevent | grep lo
AUE_login              6152 lo login - local
AUE_logout             6153 lo logout
AUE_telnet             6154 lo login - telnet
AUE_rlogin             6155 lo login - rlogin
AUE_rshd               6158 lo rsh access
AUE_su                 6159 lo su
AUE_rexecd             6162 lo rexecd
AUE_passwd             6163 lo passwd
AUE_rexd               6164 lo rexd
AUE_ftpd               6165 lo ftp access
AUE_ftpd_logout        6171 lo ftp logout
AUE_ssh                6172 lo login - ssh
AUE_role_login         6173 lo role login
AUE_rad_login          6174 lo connect to RAD
AUE_newgrp_login       6212 lo newgrp login
AUE_admin_authenticate 6213 lo admin login
AUE_screenlock         6221 lo screenlock - lock
AUE_screenunlock       6222 lo screenlock - unlock
AUE_zlogin             6227 lo login - zlogin
AUE_su_logout          6228 lo su logout
AUE_role_logout        6229 lo role logout
AUE_smbd_session       6244 lo smbd(1m) session setup
AUE_smbd_logoff        6245 lo smbd(1m) session logoff

root@client:~# auditconfig -lsevent | grep ps
AUE_EXIT                  1 ps exit(2)
AUE_FORKALL               2 ps forkall(2)
AUE_VFORK                25 ps vfork(2)
AUE_FORK1               241 ps fork1(2)
root@client:~# auditconfig -lsevent | grep fw
AUE_OPEN_W               76 fw open(2) - write
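The class masks in the `auditconfig -setflags` output above, decoded and re-encoded, as an added Go example (not from the slides): the four class values are read off the masks printed above (lo = 0x1000, na = 0x400, fw = 0x2, ps = 0x100000), and `Recorded` checks which of the `-lsevent` rows a given flag setting would put into the trail.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Class masks read off the auditconfig output on the slides: lo(0x1000); lo,na(0x1400) gives
// na = 0x400; ps,lo,fw(0x101002) gives ps = 0x100000 and fw = 0x2. "all" and "no" are the two
// special names; the other classes of audit_class(5) are left out of this example.
var classMask = map[string]uint64{
	"lo": 0x1000, "na": 0x400, "fw": 0x2, "ps": 0x100000,
	"all": 0xffffffffffffffff, "no": 0,
}
// Flags is the pair auditconfig prints: classes audited on success and on failure.
type Flags struct{ Success, Failure uint64 }
func apply(mask *uint64, m uint64, remove bool) {
	if remove {
		*mask &^= m
	} else {
		*mask |= m
	}
}
// ParseFlags turns a spec such as "lo,ps,fw" into the two masks. Prefixes follow the
// audit_flags syntax: "+" audits successes only, "-" failures only, "^" removes the class.
func ParseFlags(spec string) (Flags, error) {
	var f Flags
	for _, tok := range strings.Split(spec, ",") {
		tok = strings.TrimSpace(tok)
		succ, fail, remove := true, true, false
		for len(tok) > 0 && strings.ContainsRune("+-^", rune(tok[0])) {
			switch tok[0] {
			case '+':
				fail = false
			case '-':
				succ = false
			case '^':
				remove = true
			}
			tok = tok[1:]
		}
		m, ok := classMask[tok]
		if !ok {
			return Flags{}, fmt.Errorf("unknown audit class %q", tok)
		}
		if succ {
			apply(&f.Success, m, remove)
		}
		if fail {
			apply(&f.Failure, m, remove)
		}
	}
	return f, nil
}
// String renders the masks the way auditconfig does: class names in descending mask order,
// a "+"/"-" prefix when only one outcome is audited, then the two hex masks.
func (f Flags) String() string {
	var names []string
	if f.Success == classMask["all"] && f.Failure == classMask["all"] {
		names = []string{"all"}
	} else {
		for n, m := range classMask {
			s, e := f.Success&m != 0, f.Failure&m != 0
			switch {
			case n == "all" || n == "no" || (!s && !e):
			case s && e:
				names = append(names, n)
			case s:
				names = append(names, "+"+n)
			default:
				names = append(names, "-"+n)
			}
		}
		sort.Slice(names, func(i, j int) bool {
			return classMask[strings.TrimLeft(names[i], "+-")] > classMask[strings.TrimLeft(names[j], "+-")]
		})
	}
	if len(names) == 0 {
		names = []string{"no"}
	}
	return fmt.Sprintf("%s(0x%x,0x%x)", strings.Join(names, ","), f.Success, f.Failure)
}
// Event is one row of `auditconfig -lsevent`: name, number and the class it belongs to.
type Event struct{ Name string; Num int; Class string }
// Recorded reports whether an occurrence of ev with the given outcome lands in the trail
// under flags f: with the default "lo", AUE_login is recorded but AUE_EXIT (class ps) is not.
func (f Flags) Recorded(ev Event, success bool) bool {
	if success {
		return f.Success&classMask[ev.Class] != 0
	}
	return f.Failure&classMask[ev.Class] != 0
}
func main() {
	events := []Event{{"AUE_login", 6152, "lo"}, {"AUE_EXIT", 1, "ps"}, {"AUE_OPEN_W", 76, "fw"}} // rows from the slide
	for _, spec := range []string{"lo", "lo,ps,fw", "+lo", "all"} {
		f, _ := ParseFlags(spec)
		fmt.Printf("%-9s -> %s\n", spec, f)
		for _, ev := range events {
			fmt.Printf("    %-10s recorded on success: %-5v on failure: %v\n", ev.Name, f.Recorded(ev, true), f.Recorded(ev, false))
		}
	}
}
```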
# auditreduce -c ps /var/audit/20130912183630.not_terminated.client | praudit
header,139,2,execve(2),,client,2013-09-12 18:40:55.924 +00:00
path,/usr/sbin/auditreduce
attribute,100555,root,bin,65538,65875,18446744073709551615
subject,jmoekamp,root,root,root,root,20541,4400809562,480 202240 192.168.10.1
return,success,0

root@client:~# auditconfig -setflags all
user default audit flags = all(0xffffffffffffffff,0xffffffffffffffff)
Not always (in the sense of: never) a good idea.
Useful after trying things out: starting a new audit file
root@client:~# audit -n

root@client:~# auditstat
  gen nona  kern  aud  ctl   enq  wrtn wblk rblk drop  tot  mem
38248    1 38233   14    0 37791 37788    0 3491  457 5169    0
"all" activated for a few seconds on an unloaded system.
SSH and X509
root@ca:~# CA.pl -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
......++++++
....++++++
writing new private key to '/etc/openssl/private/cakey.pem'
Enter PEM pass phrase: supersecret1
Verifying - Enter PEM pass phrase: supersecret1
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:DE
State or Province Name (full name) []:Lower Saxony
Locality Name (eg, city) []:Lueneburg
Organization Name (eg, company) []:c0t0d0s0.org
Organizational Unit Name (eg, section) []:Security Department
Common Name (eg, server FQDN or YOUR name) []:CA
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openssl/openssl.cnf
Enter pass phrase for /etc/openssl/private/cakey.pem: supersecret1
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: b354808866ade878
        Validity
            Not Before: Sep 26 10:11:09 2013 GMT
            Not After : Sep 25 10:11:09 2016 GMT
        Subject:
            countryName            = DE
            stateOrProvinceName    = Lower Saxony
            organizationName       = c0t0d0s0.org
            organizationalUnitName = Security Department
            commonName             = CA
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                5B1F2F7186123040501552818D525AA5597E3644
            X509v3 Authority Key Identifier:
                keyid:5B1F2F7186123040501552818D525AA5597E3644

            X509v3 Basic Constraints:
                CA:TRUE
Certificate is to be certified until Sep 25 10:11:09 2016 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated
root@ca:~# mkdir server
root@ca:~# cd server
root@ca:~/server# CA.pl -newreq
Generating a 1024 bit RSA private key
......++++++
....++++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase: supersecret2
Verifying - Enter PEM pass phrase: supersecret2
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:DE
State or Province Name (full name) []:Lower Saxony
Locality Name (eg, city) []:Lueneburg
Organization Name (eg, company) []:c0t0d0s0.org
Organizational Unit Name (eg, section) []:Server Certificates
Common Name (eg, server FQDN or YOUR name) []:server
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem

root@ca:~/server# CA.pl -signreq
Using configuration from /etc/openssl/openssl.cnf
Enter pass phrase for /etc/openssl/private/cakey.pem: supersecret1
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: b354808866ade879
        Validity
            Not Before: Sep 26 10:29:12 2013 GMT
            Not After : Sep 26 10:29:12 2014 GMT
        Subject:
            countryName            = DE
            stateOrProvinceName    = Lower Saxony
            localityName           = Lueneburg
            organizationName       = c0t0d0s0.org
            organizationalUnitName = Server Certificates
            commonName             = server
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                A7DC03DEB3D5FBF9C006F11A55A9AD04C49C10FA
            X509v3 Authority Key Identifier:
                keyid:5B1F2F7186123040501552818D525AA5597E3644

Certificate is to be certified until Sep 26 10:29:12 2014 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
root@ca:~/server# ls -l
total 15
-rw-r--r--   1 root     root        3196 Sep 26 12:29 newcert.pem
-rw-r--r--   1 root     root        1041 Sep 26 12:28 newkey.pem
-rw-r--r--   1 root     root         680 Sep 26 12:28 newreq.pem
root@ca:~/junior# CA.pl -newreq
Generating a 1024 bit RSA private key
......++++++
....++++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
Verify failure
Enter PEM pass phrase: supersecret3
Verifying - Enter PEM pass phrase: supersecret3
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:DE
State or Province Name (full name) []:Lower Saxony
Locality Name (eg, city) []:Lueneburg
Organization Name (eg, company) []:c0t0d0s0.org
Organizational Unit Name (eg, section) []:User certificates
Common Name (eg, server FQDN or YOUR name) []:junior
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem

root@ca:~/junior# CA.pl -signreq
Using configuration from /etc/openssl/openssl.cnf
Enter pass phrase for /etc/openssl/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: b354808866ade87a
        Validity
            Not Before: Sep 26 11:09:29 2013 GMT
            Not After : Sep 26 11:09:29 2014 GMT
        Subject:
            countryName            = DE
            stateOrProvinceName    = Lower Saxony
            localityName           = Lueneburg
            organizationName       = c0t0d0s0.org
            organizationalUnitName = User certificates
            commonName             = junior
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                A1F2FC9D8AE2AD9AF52903F5B714933C64628E9C
            X509v3 Authority Key Identifier:
                keyid:5B1F2F7186123040501552818D525AA5597E3644

Certificate is to be certified until Sep 26 11:09:29 2014 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
root@server:~# useradd -m junior
80 blocks
root@server:~# passwd junior
New Password:
Re-enter new Password:
passwd: password successfully changed for junior
root@server:~#

root@client:~# useradd -m junior
80 blocks
root@client:~# passwd junior
New Password:
Re-enter new Password:
passwd: password successfully changed for junior

root@server:~# echo "192.168.10.51 server" >> /etc/hosts
root@server:~# echo "192.168.10.52 client" >> /etc/hosts

root@client:~# echo "192.168.10.51 server" >> /etc/hosts
root@client:~# echo "192.168.10.52 client" >> /etc/hosts

root@ca:~/server# scp /etc/openssl/cacert.pem jmoekamp@192.168.1.109:/export/home/jmoekamp
Password:
cacert.pem           100% |*****************************|  3011       00:00
root@ca:~/server# scp newcert.pem jmoekamp@192.168.1.109:/export/home/jmoekamp
Password:
newcert.pem          100% |*****************************|  3196       00:00
root@ca:~/server# scp newkey.pem jmoekamp@192.168.1.109:/export/home/jmoekamp
Password:
newkey.pem           100% |*****************************|  1041       00:00

root@ca:~/junior# scp newkey.pem junior@client:/export/home/junior
Password:
newkey.pem           100% |*****************************|  1041       00:00
root@ca:~/junior# scp newcert.pem junior@client:/export/home/junior
Password:
newcert.pem          100% |*****************************|  3190       00:00
root@ca:~/junior# scp /etc/openssl/cacert.pem junior@192.168.1.104:/export/home/junior
Password:
cacert.pem           100% |*****************************|  3011       00:00
On the Server
root@server:~# ls
cacert.pem  newcert.pem  newkey.pem

root@server:~# pktool setpin
Enter token passphrase: changeme
Create new passphrase: superserversecret
Re-enter new passphrase: superserversecret
Passphrase changed.
root@server:~#

root@server:~# printf "superserversecret" > /etc/ssh/pinfile

root@server:~# kmfcfg create dbfile=/etc/ssh/policy.xml policy=ssh ta-name=search mapper-name=cn

root@server:~# echo "TrustedAnchorKeystore /etc/ssh/cert" >> /etc/ssh/sshd_config
root@server:~# echo "KMFPolicyDatabase /etc/ssh/policy.xml" >> /etc/ssh/sshd_config
root@server:~# echo "KMFPolicyName ssh" >> /etc/ssh/sshd_config
root@server:~# echo "HostKey pkcs11:object=host;token=Sun Metaslot;pinfile=/etc/ssh/pinfile" >> /etc/ssh/sshd_config

root@server:~# pktool import keystore=pkcs11 infile=newkey.pem objtype=key label=host
Enter PIN for Sun Software PKCS#11 softtoken: superserversecret
Enter PEM pass phrase: supersecret2
Importing 1 keys

root@server:~# egrep -v "^ |^$|^Cert" /export/home/jmoekamp/cacert.pem > /etc/ssh/cert/cacert.cooked.pem
root@server:~# egrep -v "^ |^$|^Cert" newcert.pem > newcert.cooked.pem
root@server:~# pktool import keystore=pkcs11 infile=newcert.cooked.pem objtype=cert label=host
root@server:~#
On the client
junior@client:~$ ls *.pem
cacert.pem  newcert.pem  newkey.pem

root@client:~# kmfcfg create dbfile=/etc/ssh/policy.xml policy=ssh ta-name=search mapper-name=cn
root@client:~# egrep -v "^ |^$|^Cert" /export/home/junior/cacert.pem > /etc/ssh/cert/cacert.cooked.pem

junior@client:~$ pktool setpin
Enter token passphrase: changeme
Create new passphrase: superusersecret
Re-enter new passphrase: superusersecret
Passphrase changed.

junior@client:~$ pktool import keystore=pkcs11 infile=newkey.pem objtype=key label=user
Enter PIN for Sun Software PKCS#11 softtoken: superusersecret
Enter PEM pass phrase: supersecret3
Importing 1 keys
junior@client:~$ egrep -v "^ |^$|^Cert" newcert.pem > newcert.cooked.pem
junior@client:~$ pktool import keystore=pkcs11 infile=newcert.cooked.pem objtype=cert label=user
Testing it
root@server:~# svcadm disable ssh
root@server:~# svcadm enable ssh

junior@client:~$ cd .ssh
junior@client:~/.ssh$ printf "superusersecret" >> pinfile
junior@client:~/.ssh$ cat config
Host server-x509
    Hostname server
    TrustedAnchorKeystore /etc/ssh/cert
    KMFPolicyDatabase /etc/ssh/policy.xml
    KMFPolicyName ssh
    IdentityFile pkcs11:object=user;token=Sun Software PKCS#11 softtoken;pinfile=/export/home/junior/.ssh/pinfile

junior@client:~/.ssh$ ssh junior@server-x509
Last login: Thu Sep 26 20:07:14 2013 from client
Oracle Corporation      SunOS 5.11      11.1    September 2013
junior@server:~$

Find more information regarding this feature at http://www.c0t0d0s0.org/archives/7659-Using-X509-support-for-SSH-on-Solaris-11.1.html
OpenSCAP
„The Security Content Automation Protocol (SCAP) is a method for using specific standards to enable automated vulnerability management, measurement, and policy compliance evaluation (e.g., FISMA compliance). The National Vulnerability Database (NVD) is the U.S. government content repository for SCAP.“
http://en.wikipedia.org/wiki/Security_Content_Automation_Protocol
ftp-banner.xml:
<?xml version="1.0" encoding="UTF-8"?>
<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:independent-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd">
  <generator>
    <oval:product_name>Enhanced SCAP Editor</oval:product_name>
    <oval:product_version>0.0.11</oval:product_version>
    <oval:schema_version>5.8</oval:schema_version>
    <oval:timestamp>2012-10-11T10:33:25</oval:timestamp>
  </generator>
  <!--generated.oval.base.identifier=com.oracle.solaris11-->
  <definitions>
    <definition id="oval:com.oracle.solaris11:def:840" version="1" class="compliance">
      <metadata>
        <title>Enable a Warning Banner for the FTP Service</title>
        <affected family="unix">
          <platform>Oracle Solaris 11</platform>
        </affected>
        <description>/etc/proftpd.conf contains "DisplayConnect /etc/issue"</description>
      </metadata>
      <criteria operator="AND" negate="false" comment="Single test">
        <criterion comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;" test_ref="oval:com.oracle.solaris11:tst:8400" negate="false"/>
      </criteria>
    </definition>
  </definitions>
  <tests>
    <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:com.oracle.solaris11:tst:8400" version="1" check="all" comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;" check_existence="all_exist">
      <object object_ref="oval:com.oracle.solaris11:obj:8400"/>
    </textfilecontent54_test>
  </tests>
  <objects>
    <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:com.oracle.solaris11:obj:8400" version="1" comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;">
      <path datatype="string" operation="equals">/etc</path>
      <filename datatype="string" operation="equals">proftpd.conf</filename>
      <pattern datatype="string" operation="pattern match">^DisplayConnect\s+/etc/issue\s*$</pattern>
      <instance datatype="int" operation="greater than or equal">1</instance>
    </textfilecontent54_object>
  </objects>
</oval_definitions>

The object that does the actual work is the textfilecontent54_object: path and filename select /etc/proftpd.conf, the pattern is matched against its lines, and instance >= 1 means at least one matching line has to exist.
$ oscap oval eval ftp-banner.xml
Definition oval:com.oracle.solaris11:def:840: false
Evaluation done.

$ oscap oval eval --results results.xml --report report.html ftp-banner.xml
Definition oval:com.oracle.solaris11:def:840: false
Evaluation done.
OVAL Results are exported correctly.
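A minimal evaluator for the textfilecontent54 test in ftp-banner.xml, as an added Go example (not code from the slides or from OpenSCAP): it resolves definition -> test -> object, applies the pattern to a constructed stand-in for /etc/proftpd.conf and reports the definition result the way `oscap oval eval` prints it. The embedded XML is the slide's file trimmed to the elements used; the pattern `^DisplayConnect\s+/etc/issue\s*$` is my reading of the slide's regex.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"regexp"
	"strconv"
)

// Just the parts of an OVAL definitions file this evaluator needs. Fields are matched by
// local name, so the #independent namespace on test and object needs no special handling.
type definition struct {
	ID       string                                   `xml:"id,attr"`
	Criteria []struct{ TestRef string `xml:"test_ref,attr"` } `xml:"criteria>criterion"` // AND assumed
}
type tfcTest struct {
	ID     string                                `xml:"id,attr"`
	Object struct{ Ref string `xml:"object_ref,attr"` } `xml:"object"`
}
type tfcObject struct {
	ID       string `xml:"id,attr"`
	Path     string `xml:"path"`
	Filename string `xml:"filename"`
	Pattern  string `xml:"pattern"`
	Instance struct {
		Op string `xml:"operation,attr"`
		N  string `xml:",chardata"`
	} `xml:"instance"`
}
type ovalDefinitions struct {
	Definitions []definition `xml:"definitions>definition"`
	Tests       []tfcTest    `xml:"tests>textfilecontent54_test"`
	Objects     []tfcObject  `xml:"objects>textfilecontent54_object"`
}

// objectExists evaluates one textfilecontent54_object against files, a constructed stand-in
// for the filesystem (full path -> contents): the object exists when the requested instance
// of the pattern is present, i.e. the number of matching lines reaches N.
func objectExists(o tfcObject, files map[string]string) (bool, error) {
	content, ok := files[o.Path+"/"+o.Filename]
	if !ok {
		return false, nil // no such file, so the object collects no items
	}
	n, err := strconv.Atoi(o.Instance.N)
	if err != nil || (o.Instance.Op != "equals" && o.Instance.Op != "greater than or equal") {
		return false, fmt.Errorf("unsupported instance %q %q", o.Instance.Op, o.Instance.N)
	}
	re, err := regexp.Compile("(?m)" + o.Pattern) // (?m): ^ and $ anchor at line boundaries
	if err != nil {
		return false, err
	}
	return len(re.FindAllStringIndex(content, -1)) >= n, nil
}

// Evaluate returns one result per definition, as `oscap oval eval` prints
// "Definition <id>: true|false": every criterion's object must exist (all_exist).
func Evaluate(doc []byte, files map[string]string) (map[string]bool, error) {
	var d ovalDefinitions
	if err := xml.Unmarshal(doc, &d); err != nil {
		return nil, err
	}
	objects, tests := map[string]tfcObject{}, map[string]tfcTest{}
	for _, o := range d.Objects {
		objects[o.ID] = o
	}
	for _, t := range d.Tests {
		tests[t.ID] = t
	}
	results := map[string]bool{}
	for _, def := range d.Definitions {
		result := true
		for _, c := range def.Criteria {
			o, ok := objects[tests[c.TestRef].Object.Ref]
			if !ok {
				return nil, fmt.Errorf("%s: unresolved test or object", c.TestRef)
			}
			exists, err := objectExists(o, files)
			if err != nil {
				return nil, err
			}
			result = result && exists
		}
		results[def.ID] = result
	}
	return results, nil
}

// FTPBanner is the slide's ftp-banner.xml trimmed to the elements used here.
const FTPBanner = `<?xml version="1.0" encoding="UTF-8"?>
<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5">
 <definitions>
  <definition id="oval:com.oracle.solaris11:def:840" version="1" class="compliance">
   <criteria operator="AND"><criterion test_ref="oval:com.oracle.solaris11:tst:8400"/></criteria>
  </definition>
 </definitions>
 <tests>
  <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:com.oracle.solaris11:tst:8400" version="1" check="all" check_existence="all_exist">
   <object object_ref="oval:com.oracle.solaris11:obj:8400"/>
  </textfilecontent54_test>
 </tests>
 <objects>
  <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:com.oracle.solaris11:obj:8400" version="1">
   <path datatype="string" operation="equals">/etc</path>
   <filename datatype="string" operation="equals">proftpd.conf</filename>
   <pattern datatype="string" operation="pattern match">^DisplayConnect\s+/etc/issue\s*$</pattern>
   <instance datatype="int" operation="greater than or equal">1</instance>
  </textfilecontent54_object>
 </objects>
</oval_definitions>`
```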
To create your own OVAL files: Enhanced SCAP Content Editor

Find more information regarding this feature at https://blogs.oracle.com/darren/entry/compliance_reporting_with_scap
root@template:/etc/apache2/2.2# profiles -p "httpd edit"
profiles:httpd edit> info
	name=httpd edit
	desc=Edit httpd
	auths=solaris.admin.edit/etc/apache2/2.2/httpd.conf
profiles:httpd edit> add auths=solaris.admin.edit/etc/apache2/2.2/mime.types

junior@template:~$ pfedit /etc/apache2/2.2/mime.types
pfedit: no changes for /etc/apache2/2.2/mime.types

# profiles -p "httpd configure"
profiles:httpd configure> add always_audit=as
profiles:httpd configure> info
	name=httpd configure
	desc=Configure httpd
	auths=solaris.admin.edit/etc/apache2/2.2/httpd.conf,solaris.admin.edit/etc/apache2/2.2/mime.types
	always_audit=as
	never_audit=no
profiles:httpd configure> exit
root@template:~#

root@template:~# auditreduce -c as | praudit

[...]
header,486,2,edit administrative file,,fe80::a00:27ff:fea6:33cb,2013-08-12 07:45:52.306 +00:00
subject,junior,junior,staff,junior,staff,4212,4474671663,69 136704 MacBook-Pro-of-c0t0d0s0.fritz.box
path,/etc/apache2/2.2/httpd.conf
use of authorization,solaris.admin.edit/etc/apache2/2.2/httpd.conf
text,--- /etc/apache2/2.2/httpd.conf	Mo Aug 12 07:45:00 2013
+++ /etc/apache2/2.2/httpd.conf.pfedit.1BaGoi	Mo Aug 12 07:45:52 2013
@@ -1,5 +1,6 @@
 Test
 Test 2
+Test 3
 #
 # This is the main Apache HTTP server configuration file.  It contains the
 # configuration directives that give the server its instructions.
return,success,0
Delegating the privilege to restart services (so you can keep the root password to yourself)

junior@template:~$ svcadm refresh apache22
svcadm: svc:/network/http:apache22: Permission denied

# svcs -a | grep apache22
online         15:30:29 svc:/network/http:apache22

# auths add -t "Apache22 value" solaris.smf.value.http.apache22
# auths add -t "Apache22 action" solaris.smf.action.http.apache22

# svccfg -s apache22 setprop general/value_authorization = astring: solaris.smf.value.http.apache22
# svccfg -s apache22 setprop general/action_authorization = astring: solaris.smf.action.http.apache22

# profiles -p "httpd edit" "add auths=solaris.smf.action.http.apache22"

junior@template:~$ svcadm refresh apache22
junior@template:~$
Privileges
$ ls -l /usr/sbin/traceroute
-r-sr-xr-x   1 root     bin        42324 Nov 21 00:09 /usr/sbin/traceroute
$ ls -l /usr/sbin/ping
-r-sr-xr-x   1 root     bin        51396 Nov 18 19:31 /usr/sbin/ping
set-uid to root: ping needs it to work.

# chmod -s /sbin/ping
# exit
$ ping -s 192.168.1.132
ping: socket Permission denied
Remove the set-uid bit and ping stops working.

jmoekamp@daddelkiste:~$ ppriv $$
2153:	-bash
flags = <none>
	E: basic
	I: basic
	P: basic
	L: all
The full set of privileges: contract_event, contract_identity, contract_observer, cpc_cpu, dtrace_kernel, dtrace_proc, dtrace_user, file_chown, file_chown_self, file_dac_execute, file_dac_read, file_dac_search, file_dac_write, file_downgrade_sl, file_flag_set, file_link_any, file_owner, file_read, file_setid, file_upgrade_sl, file_write, graphics_access, graphics_map, ipc_dac_read, ipc_dac_write, ipc_owner, net_access, net_bindmlp, net_icmpaccess, net_mac_aware, net_mac_implicit, net_observability, net_privaddr, net_rawaccess, proc_audit, proc_chroot, proc_clock_highres, proc_exec, proc_fork, proc_info, proc_lock_memory, proc_owner, proc_priocntl, proc_session, proc_setid, proc_taskid, proc_zone, sys_acct, sys_admin, sys_audit, sys_config, sys_devices, sys_dl_config, sys_flow_config, sys_ib_config, sys_ib_info, sys_ip_config, sys_ipc_config, sys_iptun_config, sys_linkdir, sys_mount, sys_net_config, sys_nfs, sys_ppp_config, sys_res_bind, sys_res_config, sys_resource, sys_share, sys_smb, sys_suser_compat, sys_time, sys_trans_label, win_colormap, win_config, win_dac_read, win_dac_write, win_devices, win_dga, win_downgrade_sl, win_fontpath, win_mac_read, win_mac_write, win_selection, win_upgrade_sl
All privileges in their entirety assigned to one user are (almost) root.
Neat extension in Solaris 11: the ability to use networking is now a privilege (net_access). It's part of the default basic set of privileges, but you can remove it.
jmoekamp@daddelkiste:~$ ppriv -v $$
2153:	-bash
flags = <none>
	E: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
	I: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
	P: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
	L: contract_event,contract_identity,contract_observer,cpc_cpu,dtrace_kernel,dtrace_proc,dtrace_user,file_chown,file_chown_self,file_dac_execute,file_dac_read,file_dac_search,file_dac_write,file_downgrade_sl,file_flag_set,file_link_any,file_owner,file_read,file_setid,file_upgrade_sl,file_write,graphics_access,graphics_map,ipc_dac_read,ipc_dac_write,ipc_owner,net_access,net_bindmlp,net_icmpaccess,net_mac_aware,net_mac_implicit,net_observability,net_privaddr,net_rawaccess,proc_audit,proc_chroot,proc_clock_highres,proc_exec,proc_fork,proc_info,proc_lock_memory,proc_owner,proc_priocntl,proc_session,proc_setid,proc_taskid,proc_zone,sys_acct,sys_admin,sys_audit,sys_config,sys_devices,sys_dl_config,sys_flow_config,sys_ib_config,sys_ib_info,sys_ip_config,sys_ipc_config,sys_iptun_config,sys_linkdir,sys_mount,sys_net_config,sys_nfs,sys_ppp_config,sys_res_bind,sys_res_config,sys_resource,sys_share,sys_smb,sys_suser_compat,sys_time,sys_trans_label,win_colormap,win_config,win_dac_read,win_dac_write,win_devices,win_dga,win_downgrade_sl,win_fontpath,win_mac_read,win_mac_write,win_selection,win_upgrade_sl

root@daddelkiste:~# ppriv $$
2183:	-bash
flags = <none>
	E: all
	I: basic
	P: all
	L: all

junior@daddelkiste:~$ dtrace -n 'syscall:::entry { @num[execname] = count(); }'
dtrace: failed to initialize dtrace: DTrace requires additional privileges

root@daddelkiste:~# usermod -K defaultpriv=basic,dtrace_kernel,dtrace_proc,dtrace_user junior
UX: usermod: junior is currently logged in, some changes may not take effect until next login.

junior@daddelkiste:~$ dtrace -n 'syscall:::entry { @num[execname] = count(); }'
dtrace: description 'syscall:::entry' matched 211 probes
^C

  automountd            1
  sshd                 24
  dtrace              544
  auditd              564
# ps -ef | grep kcfd
  daemon   125     1   0 14:24:19 ?           0:00 /usr/lib/crypto/kcfd
    root   734   728   0 15:54:08 pts/1       0:00 grep kcfd
# ppriv -v 125
125:	/usr/lib/crypto/kcfd
flags = PRIV_AWARE
	E: file_owner,proc_priocntl,sys_devices
	I: none
	P: file_owner,proc_priocntl,sys_devices
	L: none

# svcadm -v enable -s apache2
svc:/network/http:apache2 enabled.

jmoekamp@client:~$ ps -ef | grep http
webservd  1978  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1979  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1980  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1984  1975   0 12:20:02 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
    root  1975     1   0 12:19:14 ?           0:01 /usr/apache2/2.2/bin/httpd -k start
webservd  1977  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1976  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start

root@client:~# ppriv 1977
1977:	/usr/apache2/2.2/bin/httpd -k start
flags = <none>
	E: basic
	I: basic
	P: basic
	L: all
root@client:~# ppriv 1975
1975:	/usr/apache2/2.2/bin/httpd -k start
flags = <none>
	E: all
	I: basic
	P: all
	L: all
root@client:~#
The apache parent process running as root (PID 1975) has the following privileges: E and P are "all", i.e. the complete privilege list shown above.
The other httpd processes (running as webservd) have the following privileges: E and P are "basic", i.e. only file_link_any, file_read, file_write, net_access, proc_exec, proc_fork, proc_info, proc_session and sys_ib_info out of that list.
Apache really needs
c0t0d0s0org68
contract_eventcontract_identitycontract_observercpc_cpudtrace_kerneldtrace_procdtrace_userfile_chownfile_chown_selffile_dac_executefile_dac_readfile_dac_searchfile_dac_writefile_downgrade_slfile_flag_setfile_link_anyfile_ownerfile_readfile_setidfile_upgrade_slfile_writegraphics_accessgraphics_mapipc_dac_readipc_dac_writeipc_ownernet_accessnet_bindmlpnet_icmpaccessnet_mac_awarenet_mac_implicitnet_observabilitynet_privaddrnet_rawaccessproc_auditproc_chrootproc_clock_highresproc_execproc_forkproc_infoproc_lock_memoryproc_ownerproc_priocntlproc_sessionproc_setidproc_taskidproc_zonesys_acctsys_adminsys_auditsys_configsys_devicessys_dl_configsys_flow_configsys_ib_configsys_ib_infosys_ip_configsys_ipc_configsys_iptun_configsys_linkdirsys_mountsys_net_configsys_nfssys_ppp_configsys_res_bindsys_res_configsys_resourcesys_sharesys_smbsys_suser_compatsys_timesys_trans_labelwin_colormapwin_configwin_dac_readwin_dac_writewin_deviceswin_dgawin_downgrade_slwin_fontpathwin_mac_readwin_mac_writewin_selectionwin_upgrade_sl
So you grant a large number of privileges to one process Apache donlsquot need
# svcadm -v disable -s apache2
svc:/network/http:apache2 disabled.

root@client:~# svccfg -s apache22
svc:/network/http:apache22> setprop start/user = astring: webservd
svc:/network/http:apache22> setprop start/group = astring: webservd
svc:/network/http:apache22> setprop start/privileges = astring: basic,proc_session,proc_info,file_link_any,net_privaddr
svc:/network/http:apache22> setprop start/limit_privileges = astring: :default
svc:/network/http:apache22> setprop start/use_profile = boolean: false
svc:/network/http:apache22> setprop start/supp_groups = astring: :default
svc:/network/http:apache22> setprop start/working_directory = astring: :default
svc:/network/http:apache22> setprop start/project = astring: :default
svc:/network/http:apache22> setprop start/resource_pool = astring: :default
svc:/network/http:apache22> end
root@client:~# svcadm -v refresh apache22
Action refresh set for svc:/network/http:apache22.

# echo "LockFile /var/apache2/2.2/logs/accept.lock" >> /etc/apache2/2.2/httpd.conf
# echo "PidFile /var/apache2/2.2/run/httpd.pid" >> /etc/apache2/2.2/httpd.conf
# mkdir -p -m 755 /var/apache2/2.2/run
# chown webservd:webservd /var/apache2/2.2/run
# svcadm enable apache22

webservd  3064  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3062  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3063  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3066  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3061     1   0 16:49:17 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3065  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
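As an added example (not from the slides), a small Python script that reads ppriv(1) output and reports which effective privileges a process holds beyond the set the SMF method is given with start/privileges. The privilege names come from the slides; the contents of the "basic" set and all function names are my own assumptions.

```python
"""Added example: least-privilege gap analysis on ppriv(1) output.

Not part of the slides. Parses the text ppriv prints for a process and
reports which effective privileges exceed the set the SMF method should
get (start/privileges on the slides). Function names are my own.
"""
import re

# Full Solaris 11 privilege list as shown on the slides; ppriv expands "all" to it.
ALL_PRIVS = frozenset("""
contract_event contract_identity contract_observer cpc_cpu dtrace_kernel
dtrace_proc dtrace_user file_chown file_chown_self file_dac_execute
file_dac_read file_dac_search file_dac_write file_downgrade_sl file_flag_set
file_link_any file_owner file_read file_setid file_upgrade_sl file_write
graphics_access graphics_map ipc_dac_read ipc_dac_write ipc_owner net_access
net_bindmlp net_icmpaccess net_mac_aware net_mac_implicit net_observability
net_privaddr net_rawaccess proc_audit proc_chroot proc_clock_highres
proc_exec proc_fork proc_info proc_lock_memory proc_owner proc_priocntl
proc_session proc_setid proc_taskid proc_zone sys_acct sys_admin sys_audit
sys_config sys_devices sys_dl_config sys_flow_config sys_ib_config
sys_ib_info sys_ip_config sys_ipc_config sys_iptun_config sys_linkdir
sys_mount sys_net_config sys_nfs sys_ppp_config sys_res_bind sys_res_config
sys_resource sys_share sys_smb sys_suser_compat sys_time sys_trans_label
win_colormap win_config win_dac_read win_dac_write win_devices win_dga
win_downgrade_sl win_fontpath win_mac_read win_mac_write win_selection
win_upgrade_sl
""".split())

# The Solaris 11 "basic" set as I know it (assumption, not stated on the slides).
BASIC_PRIVS = frozenset({
    "file_link_any", "file_read", "file_write", "net_access",
    "proc_exec", "proc_fork", "proc_info", "proc_session",
})


def expand(spec):
    """Expand a privilege spec such as 'basic,!proc_info' or 'all' into a set."""
    privs = set()
    for tok in spec.split(","):
        tok = tok.strip()
        if not tok or tok == "none":
            continue
        negate = tok.startswith("!")
        name = tok.lstrip("!")
        group = {"basic": BASIC_PRIVS, "all": ALL_PRIVS}.get(name, frozenset({name}))
        if negate:
            privs -= group
        else:
            privs |= group
    return privs


def parse_ppriv(text):
    """Parse ppriv(1) output for one or more pids into {pid: {'E': set, ...}}."""
    procs, pid = {}, None
    for line in text.splitlines():
        head = re.match(r"^(\d+):\s", line)
        if head:
            pid = int(head.group(1))
            procs[pid] = {}
            continue
        privset = re.match(r"^\s*([EIPL]):\s*(.*)$", line)
        if privset and pid is not None:
            procs[pid][privset.group(1)] = expand(privset.group(2))
    return procs


def excess_privileges(proc, required_spec):
    """Effective privileges the process holds beyond what the service needs."""
    return sorted(proc["E"] - expand(required_spec))


# Constructed sample in the shape of the slides' ppriv output: the root httpd
# parent (1975, E: all) and one webservd child (1977, E: basic).
SAMPLE = """1975:\t/usr/apache2/2.2/bin/httpd -k start
flags = <none>
\tE: all
\tI: basic
\tP: all
\tL: all
1977:\t/usr/apache2/2.2/bin/httpd -k start
flags = <none>
\tE: basic
\tI: basic
\tP: basic
\tL: all
"""

# What the slides grant via svccfg start/privileges.
APACHE_NEEDS = "basic,proc_session,proc_info,file_link_any,net_privaddr"

if __name__ == "__main__":
    for pid, sets in parse_ppriv(SAMPLE).items():
        extra = excess_privileges(sets, APACHE_NEEDS)
        print("pid %d: %d privileges beyond what httpd needs" % (pid, len(extra)))
```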
Read-only zone root

zonecfg:testzone> set file-mac-profile=none
    Standard, read-write non-global zone, with no additional protection beyond the existing zones boundaries.

zonecfg:testzone> set file-mac-profile=strict
    Read-only file system, no exceptions.

zonecfg:testzone> set file-mac-profile=fixed-configuration
    Permits updates to /var/* directories, with the exception of directories that contain system configuration components.

zonecfg:testzone> set file-mac-profile=flexible-configuration
    Permits modification of files in /etc/* directories, changes to root's home directory, and updates to /var/* directories. This configuration provides the closest functionality to the Oracle Solaris 10 native sparse root zone.
in-kernel SSL Proxy

# mkdir /etc/keys
# cd /etc/keys
# openssl req -x509 -nodes -days 365 -subj "/C=DE/ST=Hamburg/L=Hamburg/CN=server" -newkey rsa:1024 -keyout /etc/keys/mykey.pem -out /etc/keys/mycert.pem
# cat mycert.pem mykey.pem > my.pem
# chmod 600 my.pem

# echo "pass" > /etc/keys/mypass
# ksslcfg create -f pem -i /etc/keys/my.pem -x 8080 -p /etc/keys/mypass server 443

With an explicit cipher suite list:
# ksslcfg create -f pem -i /etc/keys/my.pem -x 8080 -p /etc/keys/mypass -c rsa_aes_256_cbc_sha,rsa_aes_128_cbc_sha,rsa_rc4_128_sha,rsa_rc4_128_md5 server 443

# svcs -a | grep kssl
online          9:03:33 svc:/network/ssl/proxy:kssl-server-443

# svcadm disable apache22
# echo "Listen 192.168.178.108:8080" >> /etc/apache2/2.2/httpd.conf
# svcadm enable apache22

Port number and IP address have to be defined in httpd.conf, otherwise it will not work.
$ openssl s_client -connect server:443
CONNECTED(00000004)
depth=0 /C=DE/ST=Hamburg/L=Hamburg/CN=server
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=DE/ST=Hamburg/L=Hamburg/CN=server
verify return:1
---
Certificate chain
 0 s:/C=DE/ST=Hamburg/L=Hamburg/CN=server
   i:/C=DE/ST=Hamburg/L=Hamburg/CN=server
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICoTCCAgqgAwIBAgIJAKyJdj[...]V5jX3MU=
-----END CERTIFICATE-----
subject=/C=DE/ST=Hamburg/L=Hamburg/CN=server
issuer=/C=DE/ST=Hamburg/L=Hamburg/CN=server
---
No client certificate CA names sent
---
SSL handshake has read 817 bytes and written 328 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-SHA
    Session-ID: 32CEF20CB9FE2A71C74D40BB2DB5CB304DA1B57540B7CFDD113915B99DBE9812
    Session-ID-ctx:
    Master-Key: 1E7B502390951124779C5763B5E4BBAF0A9B0693D08DCA8A587B503A5C5027B6FAD9CA7626B1AD8C62219E8502A5C21E
    Key-Arg   : None
    Start Time: 1242985143
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
GET / HTTP/1.0

HTTP/1.1 200 OK
Date: Fri, 22 May 2009 09:39:13 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8a DAV/2
Last-Modified: Thu, 21 May 2009 21:26:30 GMT
ETag: "341f3-2c-46a72cc211a8f"
Accept-Ranges: bytes
Content-Length: 44
Connection: close
Content-Type: text/html

<html><body><h1>It works!</h1></body></html>
read:errno=0
ZFS Encryption

# zfs create -o encryption=on rpool/export/project

Two keys are involved: the wrapping key (user settable) and the data encryption key (random, not user settable).
The wrapping key can come from: prompt, file://, https://, pkcs11:

Available algorithms: aes-128-ccm (=on), aes-192-ccm, aes-256-ccm, aes-128-gcm, aes-192-gcm, aes-256-gcm

If encryption is not off, something like
    zfs set checksum=sha256+mac <dataset>
happens automatically. This property is read-only from then on.
# pktool genkey keystore=pkcs11 keytype=aes keylen=128 label=mykey
Enter PIN for Sun Software PKCS#11 softtoken:
# zfs create -o encryption=on -o keysource=raw,pkcs11:object=mykey tank/project/C
Enter PKCS#11 token PIN for 'tank/project/C':

# zfs create -o encryption=on -o keysource=raw,https://keys.example.com/mykey tank/project/R
# cp myservercert.pem /etc/certs/CA
# svcadm refresh ca-certificates

Changing the wrapping key:

$ zfs key -c rpool/export/project
Enter new passphrase for 'rpool/export/project':

Changing the encryption key (for data written from now on):

# zfs key -K tank/project/A
# zfs clone -K tank/project/A@montag tank/project/D

Creates a new data encryption key. Data written in the clone uses the new data encryption key, which is distinct from its original snapshot.
Solaris Cryptographic Framework

As soon as Solaris detects hardware acceleration for cryptography, Solaris will use it (and so will applications using the Oracle-supplied OpenSSL library or the direct interfaces):
• on-chip crypto accelerator in T-series and current M-series chips
• instruction set extensions in Intel processors (AES-NI)
• supported crypto accelerator cards

Just a side note: T-series crypto acceleration and Intel x86 acceleration have quite different performance characteristics.
T-series: acceleration by offloading crypto outside the pipeline.
Intel x86: acceleration by offering special in-pipeline instructions to speed up execution.
Sounds like splitting hairs...
Using ZFS to do two-factor encryption

jmoekamp@solaris:~$ rmformat
Looking for devices...
     1. Logical Node: /dev/rdsk/c10t0d0p0
        Physical Node: /pci@0,0/pci8086,265c@b/storage@2/disk@0,0
        Connected Device: SanDisk  U3 Cruzer Micro  8.02
        Device Type: Removable
        Bus: USB
        Size: 3.8 GB
        Label:
        Access permissions: Medium is not write protected.
     (...)
     3. Logical Node: /dev/rdsk/c9t0d0p0
        Physical Node: /pci@0,0/pci8086,265c@b/storage@1/disk@0,0
        Connected Device: SanDisk  U3 Cruzer Micro  8.02
        Device Type: Removable
        Bus: USB
        Size: 3.8 GB
        Label:
        Access permissions: Medium is not write protected.

root@solaris:~# zpool create a_keystore_usbstick /dev/dsk/c10t0d0p0
root@solaris:~# zpool create datastick /dev/dsk/c9t0d0p0

root@solaris:~# zfs create -o encryption=on a_keystore_usbstick/keys
Enter passphrase for 'a_keystore_usbstick/keys': supersecret
Enter again: supersecret

root@solaris:~# pktool genkey keystore=file keytype=aes keylen=128 outkey=/a_keystore_usbstick/keys/joergsdatastick.key

root@solaris:~# zfs create -o encryption=on -o keysource=raw,file:///a_keystore_usbstick/keys/joergsdatastick.key datastick/joergssecrets

root@solaris:/datastick/joergssecrets# mv /home/jmoekamp/highlyconfidential_nda_presos.tgz .

root@solaris:~# zpool export a_keystore_usbstick
root@solaris:~# zpool export datastick

root@solaris:~# zpool import a_keystore_usbstick
Enter passphrase for 'a_keystore_usbstick/keys': supersecret
root@solaris:~#

root@solaris:~# zpool import datastick
root@solaris:~# cd /datastick/joergssecrets
root@solaris:/datastick/joergssecrets# ls
highconfidential_nda_presos.tgz
Basic Auditing and Reporting Tool

# mkdir /bart-files
# bart create -R /etc > /bart-files/etc.control.manifest

# cat etc.control.manifest | grep nsswitch.nisplus
/nsswitch.nisplus F 2525 100644 user::rw-,group::r--,mask:r--,other:r-- 473976b5 0 3 79e8fd689a5221d1cd059e5077da71b8

# touch /etc/thisisjustatest
# chmod 777 /etc/nsswitch.files
# echo "just a test" >> /etc/nsswitch.nisplus

# bart create -R /etc > /bart-files/etc.check20130911.manifest

# cd /bart-files
# bart compare etc.control.manifest etc.check20130911.manifest
/nsswitch.files:
  mode  control:100644  test:100777
  acl  control:user::rw-,group::r--,mask:r--,other:r--  test:user::rwx,group::rwx,mask:rwx,other:rwx
/nsswitch.nisplus:
  size  control:2525  test:2538
  mtime  control:473976b5  test:47a44862
  contents  control:79e8fd689a5221d1cd059e5077da71b8  test:3f79176ec352441db11ec8a3d02ef67c
/thisisjustatest:
  add

Find more information regarding this feature at:
http://www.c0t0d0s0.org/archives/4069-Less-known-Solaris-features-BART.html
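The manifest-and-compare workflow above, as an added Python example (not the slides' code and not bart itself): build a manifest with the fields bart records, then compare two manifests and report changes in the style of bart compare. The file names and contents in demo() are constructed to replay the slides' scenario.

```python
"""Added example: a small BART-style manifest build and compare.

Not part of the slides and not the bart(1M) implementation; it mimics the
fields the slides show (mode, size, mtime, contents hash) and the compare
output (mode/size/contents changes, added and deleted files).
"""
import hashlib
import os
import stat
import tempfile


def build_manifest(root):
    """Return {absolute-looking path: attributes} for every regular file below root."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, devices etc. are out of scope here
            with open(full, "rb") as fh:
                digest = hashlib.md5(fh.read()).hexdigest()
            manifest["/" + os.path.relpath(full, root)] = {
                "mode": "%o" % st.st_mode,         # e.g. 100644, as in bart output
                "size": st.st_size,
                "mtime": "%x" % int(st.st_mtime),  # bart prints mtime in hex
                "contents": digest,
            }
    return manifest


def compare_manifests(control, test):
    """Diff two manifests the way `bart compare control test` reports it.

    Returns {path: {"add": True}}, {path: {"delete": True}} or
    {path: {attribute: (control value, test value)}} for changed files.
    """
    report = {}
    for path in sorted(set(control) | set(test)):
        if path not in control:
            report[path] = {"add": True}
        elif path not in test:
            report[path] = {"delete": True}
        else:
            changed = {
                attr: (control[path][attr], test[path][attr])
                for attr in control[path]
                if control[path][attr] != test[path][attr]
            }
            if changed:
                report[path] = changed
    return report


def format_report(report):
    """Render the report in the indented style of bart compare."""
    lines = []
    for path, changes in report.items():
        lines.append(path + ":")
        for attr, value in changes.items():
            if value is True:
                lines.append("  " + attr)
            else:
                lines.append("  %s  control:%s  test:%s" % (attr, value[0], value[1]))
    return "\n".join(lines)


def demo():
    """Replay the slides' scenario in a constructed temporary tree: record a
    control manifest, then chmod one file, append to it and add a new file."""
    root = tempfile.mkdtemp()
    target = os.path.join(root, "nsswitch.files")
    with open(target, "w") as fh:
        fh.write("files\n")
    os.chmod(target, 0o644)
    control = build_manifest(root)
    os.chmod(target, 0o777)
    with open(target, "a") as fh:
        fh.write("just a test\n")
    open(os.path.join(root, "thisisjustatest"), "w").close()
    test = build_manifest(root)
    return control, test, compare_manifests(control, test)


if __name__ == "__main__":
    print(format_report(demo()[2]))
```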
Apropos Auditing

Auditing is activated by default.

root@client:~# auditconfig -getflags
active user default audit flags = lo(0x1000,0x1000)
configured user default audit flags = lo(0x1000,0x1000)
root@client:~# auditconfig -getnaflags
active non-attributable audit flags = lo(0x1000,0x1000)
configured non-attributable audit flags = lo(0x1000,0x1000)

root@client:~# auditconfig -getpolicy
configured audit policies = cnt
active audit policies = cnt

Policy regarding auditing (explanation on the next slide):

root@client:~# auditconfig -lspolicy
policy string    description:
ahlt             halt machine if it can not record an async event
all              all policies
arge             include exec environment args in audit recs
argv             include exec command line args in audit recs
cnt              when no more space, drop recs and keep a cnt
group            include supplementary groups in audit recs
none             no policies
path             allow multiple paths per event
perzone          use a separate queue and auditd per zone
public           audit public files
seq              include a sequence number in audit recs
trail            include trailer token in audit recs
windata_down     include downgraded window information in audit recs
windata_up       include upgraded window information in audit recs
zonename         include zonename token in audit recs

Which degree of detail? What happens with full disks?

root@client:~# auditconfig -getplugin
Plugin: audit_binfile (active)
        Attributes: p_dir=/var/audit;p_fsize=0;p_minfree=1;
Plugin: audit_syslog (inactive)
        Attributes: p_flags=;
Plugin: audit_remote (inactive)
        Attributes: p_hosts=;p_retries=3;p_timeout=5;

root@client:~# auditconfig -setflags lo,ps,fw
user default audit flags = ps,lo,fw(0x101002,0x101002)
root@client:~# auditconfig -setnaflags lo,na
non-attributable audit flags = lo,na(0x1400,0x1400)

lo and na are the only sensible flags for non-attributable events.

root@client:~# usermod -K audit_flags=fw,as: junior

root@client:~# auditconfig -lsevent | grep lo
AUE_login                   6152 lo login - local
AUE_logout                  6153 lo logout
AUE_telnet                  6154 lo login - telnet
AUE_rlogin                  6155 lo login - rlogin
AUE_rshd                    6158 lo rsh access
AUE_su                      6159 lo su
AUE_rexecd                  6162 lo rexecd
AUE_passwd                  6163 lo passwd
AUE_rexd                    6164 lo rexd
AUE_ftpd                    6165 lo ftp access
AUE_ftpd_logout             6171 lo ftp logout
AUE_ssh                     6172 lo login - ssh
AUE_role_login              6173 lo role login
AUE_rad_login               6174 lo connect to RAD
AUE_newgrp_login            6212 lo newgrp login
AUE_admin_authenticate      6213 lo admin login
AUE_screenlock              6221 lo screenlock - lock
AUE_screenunlock            6222 lo screenlock - unlock
AUE_zlogin                  6227 lo login - zlogin
AUE_su_logout               6228 lo su logout
AUE_role_logout             6229 lo role logout
AUE_smbd_session            6244 lo smbd(1m) session setup
AUE_smbd_logoff             6245 lo smbd(1m) session logoff

root@client:~# auditconfig -lsevent | grep ps
AUE_EXIT                       1 ps exit(2)
AUE_FORKALL                    2 ps forkall(2)
AUE_VFORK                     25 ps vfork(2)
AUE_FORK1                    241 ps fork1(2)
root@client:~# auditconfig -lsevent | grep fw
AUE_OPEN_W                    76 fw open(2) - write

# auditreduce -c ps /var/audit/20130912183630.not_terminated.client | praudit
header,139,2,execve(2),,client,2013-09-12 18:40:55.924 +00:00
path,/usr/sbin/auditreduce
attribute,100555,root,bin,65538,65875,18446744073709551615
subject,jmoekamp,root,root,root,root,2054,1440080956,2480 202240 192.168.10.1
return,success,0

root@client:~# auditconfig -setflags all
user default audit flags = all(0xffffffffffffffff,0xffffffffffffffff)

Not always (in the sense of: never) a good idea.

Useful after trying things out, to start a new audit file:
root@client:~# audit -n

root@client:~# auditstat
  gen nona  kern  aud  ctl   enq  wrtn wblk rblk drop  tot  mem
38248    1 38233   14    0 37791 37788    0 3491  457 5169    0

"all" activated for a few seconds on an unloaded system.
SSH and X509

root@ca:~# CA.pl -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
......++++++
......++++++
writing new private key to '/etc/openssl/private/cakey.pem'
Enter PEM pass phrase: supersecret1
Verifying - Enter PEM pass phrase: supersecret1
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:DE
State or Province Name (full name) []:Lower Saxony
Locality Name (eg, city) []:Lueneburg
Organization Name (eg, company) []:c0t0d0s0.org
Organizational Unit Name (eg, section) []:Security Department
Common Name (eg, server FQDN or YOUR name) []:CA
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openssl/openssl.cnf
Enter pass phrase for /etc/openssl/private/cakey.pem: supersecret1
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            b3:54:80:88:66:ad:e8:78
        Validity
            Not Before: Sep 26 10:11:09 2013 GMT
            Not After : Sep 25 10:11:09 2016 GMT
        Subject:
            countryName               = DE
            stateOrProvinceName       = Lower Saxony
            organizationName          = c0t0d0s0.org
            organizationalUnitName    = Security Department
            commonName                = CA
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44
            X509v3 Authority Key Identifier:
                keyid:5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44

            X509v3 Basic Constraints:
                CA:TRUE
Certificate is to be certified until Sep 25 10:11:09 2016 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated

root@ca:~# mkdir server
root@ca:~# cd server
root@ca:~/server# CA.pl -newreq
Generating a 1024 bit RSA private key
......++++++
......++++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase: supersecret2
Verifying - Enter PEM pass phrase: supersecret2
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:DE
State or Province Name (full name) []:Lower Saxony
Locality Name (eg, city) []:Lueneburg
Organization Name (eg, company) []:c0t0d0s0.org
Organizational Unit Name (eg, section) []:Server Certificates
Common Name (eg, server FQDN or YOUR name) []:server
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem

root@ca:~/server# CA.pl -signreq
Using configuration from /etc/openssl/openssl.cnf
Enter pass phrase for /etc/openssl/private/cakey.pem: supersecret1
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            b3:54:80:88:66:ad:e8:79
        Validity
            Not Before: Sep 26 10:29:12 2013 GMT
            Not After : Sep 26 10:29:12 2014 GMT
        Subject:
            countryName               = DE
            stateOrProvinceName       = Lower Saxony
            localityName              = Lueneburg
            organizationName          = c0t0d0s0.org
            organizationalUnitName    = Server Certificates
            commonName                = server
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                A7:DC:03:DE:B3:D5:FB:F9:C0:06:F1:1A:55:A9:AD:04:C4:9C:10:FA
            X509v3 Authority Key Identifier:
                keyid:5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44

Certificate is to be certified until Sep 26 10:29:12 2014 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
root@ca:~/server# ls -l
total 15
-rw-r--r--   1 root     root        3196 Sep 26 12:29 newcert.pem
-rw-r--r--   1 root     root        1041 Sep 26 12:28 newkey.pem
-rw-r--r--   1 root     root         680 Sep 26 12:28 newreq.pem

root@ca:~/junior# CA.pl -newreq
Generating a 1024 bit RSA private key
......++++++
......++++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
Verify failure
Enter PEM pass phrase: supersecret3
Verifying - Enter PEM pass phrase: supersecret3
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:DE
State or Province Name (full name) []:Lower Saxony
Locality Name (eg, city) []:Lueneburg
Organization Name (eg, company) []:c0t0d0s0.org
Organizational Unit Name (eg, section) []:User certificates
Common Name (eg, server FQDN or YOUR name) []:junior
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem

root@ca:~/junior# CA.pl -signreq
Using configuration from /etc/openssl/openssl.cnf
Enter pass phrase for /etc/openssl/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            b3:54:80:88:66:ad:e8:7a
        Validity
            Not Before: Sep 26 11:09:29 2013 GMT
            Not After : Sep 26 11:09:29 2014 GMT
        Subject:
            countryName               = DE
            stateOrProvinceName       = Lower Saxony
            localityName              = Lueneburg
            organizationName          = c0t0d0s0.org
            organizationalUnitName    = User certificates
            commonName                = junior
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                A1:F2:FC:9D:8A:E2:AD:9A:F5:29:03:F5:B7:14:93:3C:64:62:8E:9C
            X509v3 Authority Key Identifier:
                keyid:5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44

Certificate is to be certified until Sep 26 11:09:29 2014 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem

root@server:~# useradd -m junior
80 blocks
root@server:~# passwd junior
New Password:
Re-enter new Password:
passwd: password successfully changed for junior
root@server:~#

root@client:~# useradd -m junior
80 blocks
root@client:~# passwd junior
New Password:
Re-enter new Password:
passwd: password successfully changed for junior

root@server:~# echo "192.168.10.51 server" >> /etc/hosts
root@server:~# echo "192.168.10.52 client" >> /etc/hosts

root@client:~# echo "192.168.10.51 server" >> /etc/hosts
root@client:~# echo "192.168.10.52 client" >> /etc/hosts

root@ca:~/server# scp /etc/openssl/cacert.pem jmoekamp@192.168.1.109:/export/home/jmoekamp
Password:
cacert.pem           100% |*****************************|  3011       00:00
root@ca:~/server# scp newcert.pem jmoekamp@192.168.1.109:/export/home/jmoekamp
Password:
newcert.pem          100% |*****************************|  3196       00:00
root@ca:~/server# scp newkey.pem jmoekamp@192.168.1.109:/export/home/jmoekamp
Password:
newkey.pem           100% |*****************************|  1041       00:00

root@ca:~/junior# scp newkey.pem junior@client:/export/home/junior
Password:
newkey.pem           100% |*****************************|  1041       00:00
root@ca:~/junior# scp newcert.pem junior@client:/export/home/junior
Password:
newcert.pem          100% |*****************************|  3190       00:00
root@ca:~/junior# scp /etc/openssl/cacert.pem junior@192.168.1.104:/export/home/junior
Password:
cacert.pem           100% |*****************************|  3011       00:00
On the server

root@server:~# ls
cacert.pem  newcert.pem  newkey.pem

root@server:~# pktool setpin
Enter token passphrase: changeme
Create new passphrase: superserversecret
Re-enter new passphrase: superserversecret
Passphrase changed.
root@server:~#

root@server:~# printf "superserversecret" > /etc/ssh/pinfile

root@server:~# kmfcfg create dbfile=/etc/ssh/policy.xml policy=ssh ta-name=search mapper-name=cn

root@server:~# echo "TrustedAnchorKeystore /etc/ssh/cert" >> /etc/ssh/sshd_config
root@server:~# echo "KMFPolicyDatabase /etc/ssh/policy.xml" >> /etc/ssh/sshd_config
root@server:~# echo "KMFPolicyName ssh" >> /etc/ssh/sshd_config
root@server:~# echo "HostKey pkcs11:object=host;token=Sun Metaslot;pinfile=/etc/ssh/pinfile" >> /etc/ssh/sshd_config

root@server:~# pktool import keystore=pkcs11 infile=newkey.pem objtype=key label=host
Enter PIN for Sun Software PKCS#11 softtoken: superserversecret
Enter PEM pass phrase: supersecret2
Importing 1 keys

root@server:~# egrep -v '^#|^$|^Cert' /export/home/jmoekamp/cacert.pem > /etc/ssh/cert/cacert.cooked.pem
root@server:~# egrep -v '^#|^$|^Cert' newcert.pem > newcert.cooked.pem
root@server:~# pktool import keystore=pkcs11 infile=newcert.cooked.pem objtype=cert label=host
root@server:~#

On the client

junior@client:~$ ls *.pem
cacert.pem  newcert.pem  newkey.pem

root@client:~# kmfcfg create dbfile=/etc/ssh/policy.xml policy=ssh ta-name=search mapper-name=cn
root@client:~# egrep -v '^#|^$|^Cert' /export/home/junior/cacert.pem > /etc/ssh/cert/cacert.cooked.pem

junior@client:~$ pktool setpin
Enter token passphrase: changeme
Create new passphrase: superusersecret
Re-enter new passphrase: superusersecret
Passphrase changed.

junior@client:~$ pktool import keystore=pkcs11 infile=newkey.pem objtype=key label=user
Enter PIN for Sun Software PKCS#11 softtoken: superusersecret
Enter PEM pass phrase: supersecret3
Importing 1 keys
junior@client:~$ egrep -v '^#|^$|^Cert' newcert.pem > newcert.cooked.pem
junior@client:~$ pktool import keystore=pkcs11 infile=newcert.cooked.pem objtype=cert label=user

Testing it

root@server:~# svcadm disable ssh
root@server:~# svcadm enable ssh

junior@client:~$ cd .ssh
junior@client:~/.ssh$ printf "superusersecret" >> pinfile
junior@client:~/.ssh$ cat config
Host server-x509
  Hostname server
  TrustedAnchorKeystore /etc/ssh/cert
  KMFPolicyDatabase /etc/ssh/policy.xml
  KMFPolicyName ssh
  IdentityFile pkcs11:object=user;token=Sun Software PKCS#11 softtoken;pinfile=/export/home/junior/.ssh/pinfile

junior@client:~/.ssh$ ssh junior@server-x509
Last login: Thu Sep 26 20:07:14 2013 from client
Oracle Corporation      SunOS 5.11      11.1    September 2013
junior@server:~$

Find more information regarding this feature at:
http://www.c0t0d0s0.org/archives/7659-Using-X509-support-for-SSH-on-Solaris-11.1.html
OpenSCAP

"The Security Content Automation Protocol (SCAP) is a method for using specific standards to enable automated vulnerability management, measurement, and policy compliance evaluation (e.g., FISMA compliance). The National Vulnerability Database (NVD) is the U.S. government content repository for SCAP."
http://en.wikipedia.org/wiki/Security_Content_Automation_Protocol

ftp-banner.xml:

<?xml version="1.0" encoding="UTF-8"?>
<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:independent-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd">
  <generator>
    <oval:product_name>Enhanced SCAP Editor</oval:product_name>
    <oval:product_version>0.0.11</oval:product_version>
    <oval:schema_version>5.8</oval:schema_version>
    <oval:timestamp>2012-10-11T10:33:25</oval:timestamp>
  </generator>
  <!--generated.oval.base.identifier=com.oracle.solaris11-->
  <definitions>
    <definition id="oval:com.oracle.solaris11:def:840" version="1" class="compliance">
      <metadata>
        <title>Enable a Warning Banner for the FTP Service</title>
        <affected family="unix">
          <platform>Oracle Solaris 11</platform>
        </affected>
        <description>/etc/proftpd.conf contains "DisplayConnect /etc/issue"</description>
      </metadata>
      <criteria operator="AND" negate="false" comment="Single test">
        <criterion comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;" test_ref="oval:com.oracle.solaris11:tst:8400" negate="false"/>
      </criteria>
    </definition>
  </definitions>
  <tests>
    <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:com.oracle.solaris11:tst:8400" version="1" check="all" comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;" check_existence="all_exist">
      <object object_ref="oval:com.oracle.solaris11:obj:8400"/>
    </textfilecontent54_test>
  </tests>
  <objects>
    <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:com.oracle.solaris11:obj:8400" version="1" comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;">
      <path datatype="string" operation="equals">/etc</path>
      <filename datatype="string" operation="equals">proftpd.conf</filename>
      <pattern datatype="string" operation="pattern match">^DisplayConnect\s/etc/issue\s*$</pattern>
      <instance datatype="int" operation="greater than or equal">1</instance>
    </textfilecontent54_object>
  </objects>
</oval_definitions>

$ oscap oval eval ftp-banner.xml
Definition oval:com.oracle.solaris11:def:840: false
Evaluation done.

$ oscap oval eval --results results.xml --report report.html ftp-banner.xml
Definition oval:com.oracle.solaris11:def:840: false
Evaluation done.
OVAL Results are exported correctly.

To create your own OVAL files: Enhanced SCAP Content Editor

Find more information regarding this feature at:
https://blogs.oracle.com/darren/entry/compliance_reporting_with_scap
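An added Python example (not from the slides and not oscap) that evaluates the textfilecontent54 definition above against a directory tree, so the false/true verdict of the oscap run can be reproduced offline. The XML is a trimmed copy of ftp-banner.xml with the same ids; the regex quantifiers in the pattern are my assumption, and demo() builds a constructed tree.

```python
"""Added example: minimal evaluator for the slides' textfilecontent54 check.
Not the slides' code and not oscap; it supports only the operations the
ftp-banner definition uses. Regex quantifiers in the pattern are my assumption."""
import os
import re
import tempfile
import xml.etree.ElementTree as ET

DEF_NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
IND_NS = DEF_NS + "#independent"
DEF_ID = "oval:com.oracle.solaris11:def:840"

# Constructed, trimmed copy of ftp-banner.xml (same ids and object as the slides).
FTP_BANNER_XML = r"""<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
    xmlns:ind="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
  <definitions>
    <definition id="oval:com.oracle.solaris11:def:840" version="1" class="compliance">
      <criteria operator="AND">
        <criterion test_ref="oval:com.oracle.solaris11:tst:8400"/>
      </criteria>
    </definition>
  </definitions>
  <tests>
    <ind:textfilecontent54_test id="oval:com.oracle.solaris11:tst:8400" version="1"
        check="all" check_existence="all_exist">
      <ind:object object_ref="oval:com.oracle.solaris11:obj:8400"/>
    </ind:textfilecontent54_test>
  </tests>
  <objects>
    <ind:textfilecontent54_object id="oval:com.oracle.solaris11:obj:8400" version="1">
      <ind:path datatype="string" operation="equals">/etc</ind:path>
      <ind:filename datatype="string" operation="equals">proftpd.conf</ind:filename>
      <ind:pattern datatype="string" operation="pattern match">^DisplayConnect\s/etc/issue\s*$</ind:pattern>
      <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
    </ind:textfilecontent54_object>
  </objects>
</oval_definitions>"""

_ind = lambda tag: "{%s}%s" % (IND_NS, tag)  # independent-namespace tag
_def = lambda tag: "{%s}%s" % (DEF_NS, tag)  # definitions-namespace tag


def count_matches(obj, root_dir):
    """Lines of <path>/<filename> matching <pattern>; None if the file is absent.
    root_dir is prepended to the object's absolute path so a test tree can be used."""
    for field in ("path", "filename"):
        if obj.find(_ind(field)).get("operation", "equals") != "equals":
            raise NotImplementedError("%s: only 'equals' is supported" % field)
    path = os.path.join(root_dir, obj.findtext(_ind("path")).lstrip("/"),
                        obj.findtext(_ind("filename")))
    if not os.path.isfile(path):
        return None
    regex = re.compile(obj.findtext(_ind("pattern")), re.MULTILINE)
    with open(path, encoding="utf-8", errors="replace") as fh:
        return len(regex.findall(fh.read()))


def item_exists(obj, root_dir):
    """Apply the <instance> constraint to the match count (simplified OVAL semantics)."""
    count = count_matches(obj, root_dir)
    if count is None:
        return False
    inst = obj.find(_ind("instance"))
    wanted, op = int(inst.text), inst.get("operation", "equals")
    if op == "greater than or equal":
        return count >= wanted
    if op == "equals":
        return count == wanted
    raise NotImplementedError(op)


def evaluate_definitions(xml_text, root_dir="/"):
    """Return {definition id: True/False}, like the oscap summary line."""
    root = ET.fromstring(xml_text)
    objects = {o.get("id"): o for o in root.iter(_ind("textfilecontent54_object"))}
    tests = {t.get("id"): t for t in root.iter(_ind("textfilecontent54_test"))}
    results = {}
    for definition in root.iter(_def("definition")):
        verdicts = []
        for crit in definition.iter(_def("criterion")):
            test = tests[crit.get("test_ref")]
            obj = objects[test.find(_ind("object")).get("object_ref")]
            exists = item_exists(obj, root_dir)
            if test.get("check_existence", "at_least_one_exists") == "none_exist":
                exists = not exists
            verdicts.append(exists)
        operator = definition.find(_def("criteria")).get("operator", "AND")
        results[definition.get("id")] = all(verdicts) if operator == "AND" else any(verdicts)
    return results


def demo():
    """Evaluate against a constructed tree: no proftpd.conf, then one without
    the directive, then one with the banner line. Returns the three verdicts."""
    root_dir = tempfile.mkdtemp()
    conf = os.path.join(root_dir, "etc", "proftpd.conf")
    os.mkdir(os.path.dirname(conf))
    missing = evaluate_definitions(FTP_BANNER_XML, root_dir)[DEF_ID]
    with open(conf, "w") as fh:
        fh.write('ServerName "ProFTPD"\n')
    no_banner = evaluate_definitions(FTP_BANNER_XML, root_dir)[DEF_ID]
    with open(conf, "a") as fh:
        fh.write("DisplayConnect /etc/issue\n")
    return missing, no_banner, evaluate_definitions(FTP_BANNER_XML, root_dir)[DEF_ID]
```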
junior@template:~$ pfedit /etc/apache2/2.2/mime.types
pfedit: no changes for /etc/apache2/2.2/mime.types

# profiles -p "httpd configure"
profiles:httpd configure> add always_audit=as
profiles:httpd configure> info
        name=httpd configure
        desc=Configure httpd
        auths=solaris.admin.edit/etc/apache2/2.2/httpd.conf,solaris.admin.edit/etc/apache2/2.2/mime.types
        always_audit=as
        never_audit=no
profiles:httpd configure> exit
root@template:~#

root@template:~# auditreduce -c as | praudit
[...]
header,486,2,edit administrative file,,fe80::a00:27ff:fea6:33cb,2013-08-12 07:45:52.306 +00:00
subject,junior,junior,staff,junior,staff,4212,447467166,369 136704 MacBook-Pro-of-c0t0d0s0.fritz.box
path,/etc/apache2/2.2/httpd.conf
use of authorization,solaris.admin.edit/etc/apache2/2.2/httpd.conf
text,--- /etc/apache2/2.2/httpd.conf	Mo Aug 12 07:45:00 2013
+++ /etc/apache2/2.2/httpd.conf.pfedit.1BaGoi	Mo Aug 12 07:45:52 2013
@@ -1,5 +1,6 @@
 # Test
 # Test 2
+# Test 3
 #
 # This is the main Apache HTTP server configuration file.  It contains the
 # configuration directives that give the server its instructions.
return,success,0
Delegating the privilege to restart services (so you can keep the root password to yourself)

junior@template:~$ svcadm refresh apache22
svcadm: svc:/network/http:apache22: Permission denied.

# svcs -a | grep apache22
online         15:30:29 svc:/network/http:apache22

# auths add -t "Apache22 value" solaris.smf.value.http.apache22
# auths add -t "Apache22 action" solaris.smf.action.http.apache22

# svccfg -s apache22 setprop general/value_authorization = astring: solaris.smf.value.http.apache22
# svccfg -s apache22 setprop general/action_authorization = astring: solaris.smf.action.http.apache22

The two authorizations cover different things: action_authorization permits refresh, restart and temporary enable/disable of the service, value_authorization permits changing its property values, including general/enabled (persistent enable/disable).

# profiles -p "httpd edit" "add auths=solaris.smf.action.http.apache22"

junior@template:~$ svcadm refresh apache22
junior@template:~$
Privileges

$ ls -l /usr/sbin/traceroute
-r-sr-xr-x   1 root     bin        42324 Nov 21 00:09 /usr/sbin/traceroute
$ ls -l /usr/sbin/ping
-r-sr-xr-x   1 root     bin        51396 Nov 18 19:31 /usr/sbin/ping

Set-uid root: ping needs it to open its socket.

# chmod -s /sbin/ping
# exit
$ ping -s 192.168.1.132
ping: socket Permission denied

Remove the set-uid bit and ping stops working.
jmoekamp@daddelkiste:~$ ppriv $$
2153:   -bash
flags = <none>
        E: basic
        I: basic
        P: basic
        L: all

The complete set of Solaris privileges (shown as a graphic on the following slides):
contract_event, contract_identity, contract_observer, cpc_cpu, dtrace_kernel, dtrace_proc, dtrace_user, file_chown, file_chown_self, file_dac_execute, file_dac_read, file_dac_search, file_dac_write, file_downgrade_sl, file_flag_set, file_link_any, file_owner, file_read, file_setid, file_upgrade_sl, file_write, graphics_access, graphics_map, ipc_dac_read, ipc_dac_write, ipc_owner, net_access, net_bindmlp, net_icmpaccess, net_mac_aware, net_mac_implicit, net_observability, net_privaddr, net_rawaccess, proc_audit, proc_chroot, proc_clock_highres, proc_exec, proc_fork, proc_info, proc_lock_memory, proc_owner, proc_priocntl, proc_session, proc_setid, proc_taskid, proc_zone, sys_acct, sys_admin, sys_audit, sys_config, sys_devices, sys_dl_config, sys_flow_config, sys_ib_config, sys_ib_info, sys_ip_config, sys_ipc_config, sys_iptun_config, sys_linkdir, sys_mount, sys_net_config, sys_nfs, sys_ppp_config, sys_res_bind, sys_res_config, sys_resource, sys_share, sys_smb, sys_suser_compat, sys_time, sys_trans_label, win_colormap, win_config, win_dac_read, win_dac_write, win_devices, win_dga, win_downgrade_sl, win_fontpath, win_mac_read, win_mac_write, win_selection, win_upgrade_sl

All privileges in their entirety, assigned to one user, are (almost) root.

Neat extension in Solaris 11: the ability to use networking is now a privilege (net_access). It is part of the default basic set of privileges, but you can remove it.
jmoekamp@daddelkiste:~$ ppriv -v $$
2153:   -bash
flags = <none>
        E: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
        I: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
        P: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
        L: contract_event,contract_identity,contract_observer,cpc_cpu,dtrace_kernel,dtrace_proc,dtrace_user,file_chown,file_chown_self,file_dac_execute,file_dac_read,file_dac_search,file_dac_write,file_downgrade_sl,file_flag_set,file_link_any,file_owner,file_read,file_setid,file_upgrade_sl,file_write,graphics_access,graphics_map,ipc_dac_read,ipc_dac_write,ipc_owner,net_access,net_bindmlp,net_icmpaccess,net_mac_aware,net_mac_implicit,net_observability,net_privaddr,net_rawaccess,proc_audit,proc_chroot,proc_clock_highres,proc_exec,proc_fork,proc_info,proc_lock_memory,proc_owner,proc_priocntl,proc_session,proc_setid,proc_taskid,proc_zone,sys_acct,sys_admin,sys_audit,sys_config,sys_devices,sys_dl_config,sys_flow_config,sys_ib_config,sys_ib_info,sys_ip_config,sys_ipc_config,sys_iptun_config,sys_linkdir,sys_mount,sys_net_config,sys_nfs,sys_ppp_config,sys_res_bind,sys_res_config,sys_resource,sys_share,sys_smb,sys_suser_compat,sys_time,sys_trans_label,win_colormap,win_config,win_dac_read,win_dac_write,win_devices,win_dga,win_downgrade_sl,win_fontpath,win_mac_read,win_mac_write,win_selection,win_upgrade_sl

root@daddelkiste:~# ppriv $$
2183:   -bash
flags = <none>
        E: all
        I: basic
        P: all
        L: all

junior@daddelkiste:~$ dtrace -n 'syscall:::entry { @num[execname] = count(); }'
dtrace: failed to initialize dtrace: DTrace requires additional privileges

root@daddelkiste:~# usermod -K defaultpriv=basic,dtrace_kernel,dtrace_proc,dtrace_user junior
UX: usermod: junior is currently logged in, some changes may not take effect until next login.

Be aware of what you hand out here: dtrace_kernel allows reading arbitrary kernel memory, which is effectively root. For tracing a user's own processes dtrace_proc and dtrace_user are usually sufficient.

junior@daddelkiste:~$ dtrace -n 'syscall:::entry { @num[execname] = count(); }'
dtrace: description 'syscall:::entry' matched 211 probes
^C

  automountd                                                        1
  sshd                                                             24
  dtrace                                                          544
  auditd                                                          564

# ps -ef | grep kcfd
  daemon   125     1   0 14:24:19 ?           0:00 /usr/lib/crypto/kcfd
    root   734   728   0 15:54:08 pts/1       0:00 grep kcfd
# ppriv -v 125
125:    /usr/lib/crypto/kcfd
flags = PRIV_AWARE
        E: file_owner,proc_priocntl,sys_devices
        I: none
        P: file_owner,proc_priocntl,sys_devices
        L: none

# svcadm -v enable -s apache2
svc:/network/http:apache2 enabled.

jmoekamp@client:~$ ps -ef | grep http
webservd  1978  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1979  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1980  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1984  1975   0 12:20:02 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
    root  1975     1   0 12:19:14 ?           0:01 /usr/apache2/2.2/bin/httpd -k start
webservd  1977  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1976  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start

root@client:~# ppriv 1977
1977:   /usr/apache2/2.2/bin/httpd -k start
flags = <none>
        E: basic
        I: basic
        P: basic
        L: all
root@client:~# ppriv 1975
1975:   /usr/apache2/2.2/bin/httpd -k start
flags = <none>
        E: all
        I: basic
        P: all
        L: all
root@client:~#
The following slides show the privilege graphic again with subsets highlighted:

The Apache parent process running as root has the following privileges: all of them (E: all, P: all in the ppriv output above).

The other (child) processes have the following privileges: the basic set.

Apache really needs: the basic set plus net_privaddr, to bind the privileged port 80 (see the start/privileges setting below).

So you grant a large number of privileges to one process that Apache doesn't need.

# svcadm -v disable -s apache2
svc:/network/http:apache2 disabled.

root@client:~# svccfg -s apache22
svc:/network/http:apache22> setprop start/user = astring: webservd
svc:/network/http:apache22> setprop start/group = astring: webservd
svc:/network/http:apache22> setprop start/privileges = astring: basic,proc_session,proc_info,file_link_any,net_privaddr
svc:/network/http:apache22> setprop start/limit_privileges = astring: :default
svc:/network/http:apache22> setprop start/use_profile = boolean: false
svc:/network/http:apache22> setprop start/supp_groups = astring: :default
svc:/network/http:apache22> setprop start/working_directory = astring: :default
svc:/network/http:apache22> setprop start/project = astring: :default
svc:/network/http:apache22> setprop start/resource_pool = astring: :default
svc:/network/http:apache22> end
root@client:~# svcadm -v refresh apache22
Action refresh set for svc:/network/http:apache22.

Because the parent no longer runs as root, it can no longer write its lock and pid files into root-owned locations, so move them to a directory owned by webservd:

# echo "LockFile /var/apache2/2.2/logs/accept.lock" >> /etc/apache2/2.2/httpd.conf
# echo "PidFile /var/apache2/2.2/run/httpd.pid" >> /etc/apache2/2.2/httpd.conf
# mkdir -p -m 755 /var/apache2/2.2/run
# chown webservd:webservd /var/apache2/2.2/run
# svcadm enable apache22

webservd  3064  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3062  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3063  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3066  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3061     1   0 16:49:17 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3065  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
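After a change like the svccfg one above you want to verify, not assume, that the daemon holds only the privileges you intended. The following is an added example, not code from the slides or from Solaris: a small least-privilege check over `ppriv -v` output. It parses the four privilege sets of each process and reports every effective privilege that is not in a per-command allowlist. The ppriv text and the allowlist are constructed here; the privilege names are real Solaris privileges and the expansion of "basic" is the one ppriv -v printed on the slides.

```python
"""Added example, not from the slides: least-privilege review of ppriv -v
output against an allowlist of what each daemon is supposed to hold."""
import re

# Expansion of 'basic' as ppriv -v printed it on the slides (Solaris 11).
BASIC = {"file_link_any", "file_read", "file_write", "net_access",
         "proc_exec", "proc_fork", "proc_info", "proc_session", "sys_ib_info"}

ALL = "all"  # symbolic: ppriv prints 'all' instead of the full list

# Constructed sample in ppriv -v form: the root-started httpd from before the
# change, kcfd, and an httpd parent started with the new start/privileges.
SAMPLE = """1975:   /usr/apache2/2.2/bin/httpd -k start
flags = <none>
        E: all
        I: basic
        P: all
        L: all
125:    /usr/lib/crypto/kcfd
flags = PRIV_AWARE
        E: file_owner,proc_priocntl,sys_devices
        I: none
        P: file_owner,proc_priocntl,sys_devices
        L: none
3061:   /usr/apache2/2.2/bin/httpd -k start
flags = <none>
        E: basic,net_privaddr
        I: basic
        P: basic,net_privaddr
        L: all
"""

# What we decided each daemon needs; httpd mirrors the svccfg setting above.
ALLOWLIST = {
    "/usr/apache2/2.2/bin/httpd -k start": BASIC | {"net_privaddr"},
    "/usr/lib/crypto/kcfd": {"file_owner", "proc_priocntl", "sys_devices"},
}


def expand(spec):
    """Turn one ppriv set string into a Python set; 'all' stays symbolic."""
    spec = spec.strip()
    if spec == "all":
        return ALL
    if spec == "none":
        return set()
    privs = set()
    for name in spec.split(","):
        privs |= BASIC if name == "basic" else {name}
    return privs


def parse_ppriv(text):
    """Return [(pid, command, {'E': set, 'I': set, 'P': set, 'L': set})]."""
    procs = []
    for line in text.splitlines():
        m = re.match(r"^(\d+):\s+(.*)$", line)
        if m:
            procs.append((int(m.group(1)), m.group(2).strip(), {}))
            continue
        m = re.match(r"^\s+([EIPL]):\s*(.*)$", line)
        if m and procs:
            procs[-1][2][m.group(1)] = expand(m.group(2))
    return procs


def excess_privileges(text, allowlist):
    """{pid: sorted excess effective privileges} for processes holding more
    than their allowlist; a process with E: all is reported as ['all']."""
    report = {}
    for pid, cmd, sets in parse_ppriv(text):
        allowed = allowlist.get(cmd, set())
        eff = sets.get("E", set())
        if eff == ALL:
            report[pid] = ["all"]
        else:
            extra = sorted(eff - allowed)
            if extra:
                report[pid] = extra
    return report


if __name__ == "__main__":
    for pid, extra in excess_privileges(SAMPLE, ALLOWLIST).items():
        print(pid, "has excess privileges:", ",".join(extra))
```

Only the effective set is compared; the permitted set would be the stricter review target for privilege-aware daemons such as kcfd, but for the httpd case above E and P are identical.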
Read-only zone root

zonecfg:testzone> set file-mac-profile=none
    Standard read-write non-global zone with no additional protection beyond the existing zone boundaries.
zonecfg:testzone> set file-mac-profile=strict
    Read-only file system, no exceptions.
zonecfg:testzone> set file-mac-profile=fixed-configuration
    Permits updates to /var/* directories, with the exception of directories that contain system configuration components.
zonecfg:testzone> set file-mac-profile=flexible-configuration
    Permits modification of files in /etc/* directories, changes to root's home directory and updates to /var/* directories. This configuration provides the closest functionality to the Oracle Solaris 10 native sparse root zone.
In-kernel SSL proxy

# mkdir /etc/keys
# cd /etc/keys
# openssl req -x509 -nodes -days 365 -subj "/C=DE/ST=Hamburg/L=Hamburg/CN=server" -newkey rsa:1024 -keyout /etc/keys/mykey.pem -out /etc/keys/mycert.pem
# cat mycert.pem mykey.pem > my.pem
# chmod 600 my.pem

The combined file contains the private key, so restrict it to root (mode 600).

# echo "pass" > /etc/keys/mypass
# ksslcfg create -f pem -i /etc/keys/my.pem -x 8080 -p /etc/keys/mypass server 443

Restricting the cipher suites the proxy offers:
# ksslcfg create -f pem -i /etc/keys/my.pem -x 8080 -p /etc/keys/mypass -c rsa_aes_256_cbc_sha,rsa_aes_128_cbc_sha,rsa_rc4_128_sha,rsa_rc4_128_md5 server 443

rsa_rc4_128_sha and rsa_rc4_128_md5 are RC4 suites; RC4 has since been prohibited for TLS (RFC 7465), so leave them out of the list today.

# svcs -a | grep kssl
online          9:03:33 svc:/network/ssl/proxy:kssl-server-443

# svcadm disable apache22
# echo "Listen 192.168.178.108:8080" >> /etc/apache2/2.2/httpd.conf
# svcadm enable apache22

Port number and IP address have to be defined explicitly in httpd.conf, otherwise it will not work: the proxy terminates TLS on port 443 and passes the plaintext to port 8080 (the -x argument) on that address, so Apache has to listen there.

$ openssl s_client -connect server:443
CONNECTED(00000004)
depth=0 /C=DE/ST=Hamburg/L=Hamburg/CN=server
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=DE/ST=Hamburg/L=Hamburg/CN=server
verify return:1
---
Certificate chain
 0 s:/C=DE/ST=Hamburg/L=Hamburg/CN=server
   i:/C=DE/ST=Hamburg/L=Hamburg/CN=server
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICoTCCAgqgAwIBAgIJAKyJdj[...]V5jX3MU=
-----END CERTIFICATE-----
subject=/C=DE/ST=Hamburg/L=Hamburg/CN=server
issuer=/C=DE/ST=Hamburg/L=Hamburg/CN=server
---
No client certificate CA names sent
---
SSL handshake has read 817 bytes and written 328 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-SHA
    Session-ID: 32CEF20CB9FE2A71C74D40BB2DB5CB304DA1B57540B7CFDD113915B99DBE9812
    Session-ID-ctx:
    Master-Key: 1E7B502390951124779C5763B5E4BBAF0A9B0693D08DCA8A587B503A5C5027B6FAD9CA7626B1AD8C62219E8502A5C21E
    Key-Arg   : None
    Start Time: 1242985143
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
GET / HTTP/1.0

HTTP/1.1 200 OK
Date: Fri, 22 May 2009 09:39:13 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8a DAV/2
Last-Modified: Thu, 21 May 2009 21:26:30 GMT
ETag: "341f3-2c-46a72cc211a8f"
Accept-Ranges: bytes
Content-Length: 44
Connection: close
Content-Type: text/html

<html><body><h1>It works!</h1></body></html>
read:errno=0
ZFS Encryption

# zfs create -o encryption=on rpool/export/project

Two keys are involved:
- the wrapping key: user-settable, supplied via keysource=prompt, file://, https:// or pkcs11:
- the data encryption key: random, not user-settable, stored wrapped by the wrapping key

Available ciphers (encryption=on selects aes-128-ccm): aes-128-ccm, aes-192-ccm, aes-256-ccm, aes-128-gcm, aes-192-gcm, aes-256-gcm

# zfs set checksum=sha256-mac <dataset>
You do not have to do this yourself: as soon as encryption is anything other than off, the checksum property is automatically set to sha256-mac and is read-only from then on.

# pktool genkey keystore=pkcs11 keytype=aes keylen=128 label=mykey
Enter PIN for Sun Software PKCS#11 softtoken:
# zfs create -o encryption=on -o keysource=raw,pkcs11:object=mykey tank/project/C
Enter PKCS#11 token PIN for 'tank/project/C':

# zfs create -o encryption=on -o keysource=raw,https://keys.example.com/mykey tank/project/R
# cp myservercert.pem /etc/certs/CA/
# svcadm refresh ca-certificates
The key server's certificate has to be trusted by the system CA store, otherwise ZFS will not fetch the key over https.

Changing the wrapping key:
$ zfs key -c rpool/export/project
Enter new passphrase for 'rpool/export/project':

Changing the data encryption key for data written from now on:
# zfs key -K tank/project/A
# zfs clone -K tank/project/A@montag tank/project/D
This creates a new data encryption key. Data written in the clone uses the new data encryption key, which is distinct from the one of its origin snapshot.
Solaris Cryptographic Framework

As soon as Solaris detects hardware acceleration for cryptography, Solaris will use it (and so do applications using the Oracle-supplied OpenSSL library or the framework's direct interfaces):
- on-chip crypto accelerators in T-series and current M-series chips
- instruction set extensions in Intel processors (AES-NI)
- supported crypto accelerator cards

Just a side note: T-series crypto acceleration and Intel x86 acceleration have pretty different performance characteristics.
T-series: acceleration by offloading crypto outside the pipeline.
Intel x86: acceleration by offering special in-pipeline instructions that speed up execution.
Sounds like splitting hairs.
Using ZFS to do two-factor encryption

jmoekamp@solaris:~$ rmformat
Looking for devices...
     1. Logical Node: /dev/rdsk/c10t0d0p0
        Physical Node: /pci@0,0/pci8086,265c@b/storage@2/disk@0,0
        Connected Device: SanDisk  U3 Cruzer Micro  8.02
        Device Type: Removable
        Bus: USB
        Size: 3.8 GB
        Label:
        Access permissions: Medium is not write protected.
(...)
     3. Logical Node: /dev/rdsk/c9t0d0p0
        Physical Node: /pci@0,0/pci8086,265c@b/storage@1/disk@0,0
        Connected Device: SanDisk  U3 Cruzer Micro  8.02
        Device Type: Removable
        Bus: USB
        Size: 3.8 GB
        Label:
        Access permissions: Medium is not write protected.

root@solaris:~# zpool create a_keystore_usbstick /dev/dsk/c10t0d0p0
root@solaris:~# zpool create datastick /dev/dsk/c9t0d0p0

root@solaris:~# zfs create -o encryption=on a_keystore_usbstick/keys
Enter passphrase for 'a_keystore_usbstick/keys': supersecret
Enter again: supersecret

root@solaris:~# pktool genkey keystore=file keytype=aes keylen=128 outkey=/a_keystore_usbstick/keys/joergsdatastickkey

root@solaris:~# zfs create -o encryption=on -o keysource=raw,file:///a_keystore_usbstick/keys/joergsdatastickkey datastick/joergssecrets

root@solaris:/datastick/joergssecrets# mv /home/jmoekamp/highlyconfidential_nda_presos.tgz .

root@solaris:~# zpool export a_keystore_usbstick
root@solaris:~# zpool export datastick

root@solaris:~# zpool import a_keystore_usbstick
Enter passphrase for 'a_keystore_usbstick/keys': supersecret
root@solaris:~#

root@solaris:~# zpool import datastick
root@solaris:~# cd /datastick/joergssecrets
root@solaris:/datastick/joergssecrets# ls
highlyconfidential_nda_presos.tgz

The second import asks for nothing because the key file is already readable on the mounted keystore stick. The two factors: the data stick is useless without the key stick (something you have), and the key stick is useless without its passphrase (something you know).
Basic Auditing and Reporting Tool

# mkdir /bart-files
# bart create -R /etc > /bart-files/etc.control.manifest

# cat /bart-files/etc.control.manifest | grep nsswitch.nisplus
/nsswitch.nisplus F 2525 100644 user::rw-,group::r--,mask:r--,other:r-- 473976b5 0 3 79e8fd689a5221d1cd059e5077da71b8

# touch /etc/thisisjustatest
# chmod 777 /etc/nsswitch.files
# echo "just a test" >> /etc/nsswitch.nisplus

# bart create -R /etc > /bart-files/etc.check.20130911.manifest

# cd /bart-files
# bart compare etc.control.manifest etc.check.20130911.manifest
/nsswitch.files:
  mode  control:100644  test:100777
  acl  control:user::rw-,group::r--,mask:r--,other:r--  test:user::rwx,group::rwx,mask:rwx,other:rwx
/nsswitch.nisplus:
  size  control:2525  test:2538
  mtime  control:473976b5  test:47a44862
  contents  control:79e8fd689a5221d1cd059e5077da71b8  test:3f79176ec352441db11ec8a3d02ef67c
/thisisjustatest:
  add
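The manifest format is simple enough that the comparison logic fits on a page. The following is an added example, not the bart(1M) implementation: a re-implementation of what `bart compare` reports for regular files, run over two constructed manifests in BART's own line format (name type size mode acl mtime uid gid md5). It reproduces the attribute-by-attribute report from the slide and also covers the "delete" case, which the demo does not exercise. The manifests are constructed; the nsswitch lines carry the values from the slide.

```python
"""Added example, not bart(1M): compare two BART manifests the way
'bart compare' does for regular files (type F)."""

# Constructed manifests; the nsswitch lines carry the slide's values.
CONTROL = """! Version 1.0
/nsswitch.files F 2525 100644 user::rw-,group::r--,mask:r--,other:r-- 473976b5 0 3 79e8fd689a5221d1cd059e5077da71b8
/nsswitch.nisplus F 2525 100644 user::rw-,group::r--,mask:r--,other:r-- 473976b5 0 3 79e8fd689a5221d1cd059e5077da71b8
/passwd F 1024 100644 user::rw-,group::r--,mask:r--,other:r-- 473976b5 0 3 0123456789abcdef0123456789abcdef
"""
TEST = """! Version 1.0
/nsswitch.files F 2525 100777 user::rwx,group::rwx,mask:rwx,other:rwx 473976b5 0 3 79e8fd689a5221d1cd059e5077da71b8
/nsswitch.nisplus F 2538 100644 user::rw-,group::r--,mask:r--,other:r-- 47a44862 0 3 3f79176ec352441db11ec8a3d02ef67c
/thisisjustatest F 0 100644 user::rw-,group::r--,mask:r--,other:r-- 52306a5e 0 0 d41d8cd98f00b204e9800998ecf8427e
"""

# Field order of an F (regular file) manifest line after the name.
FIELDS = ("type", "size", "mode", "acl", "mtime", "uid", "gid", "contents")


def parse_manifest(text):
    """Map file name -> dict of attributes. Lines starting with '!' are
    header lines. Only type F lines are expected in these samples."""
    entries = {}
    for line in text.splitlines():
        if not line or line.startswith("!"):
            continue
        parts = line.split()
        name, values = parts[0], parts[1:]
        if len(values) != len(FIELDS):
            raise ValueError("unexpected field count: " + line)
        entries[name] = dict(zip(FIELDS, values))
    return entries


def compare(control_text, test_text, ignore=()):
    """Return {name: {attr: (control, test)}} for changed files, or the
    strings 'add' / 'delete' for files present on only one side.
    Attributes listed in 'ignore' are not reported (like bart compare -i)."""
    control, test = parse_manifest(control_text), parse_manifest(test_text)
    report = {}
    for name in sorted(set(control) | set(test)):
        if name not in control:
            report[name] = "add"
        elif name not in test:
            report[name] = "delete"
        else:
            diffs = {a: (control[name][a], test[name][a]) for a in FIELDS
                     if a not in ignore and control[name][a] != test[name][a]}
            if diffs:
                report[name] = diffs
    return report


def format_report(report):
    """Render in bart compare's two-level layout."""
    out = []
    for name, result in report.items():
        out.append(name + ":")
        if isinstance(result, str):
            out.append("  " + result)
        else:
            for attr, (c, t) in result.items():
                out.append("  %s  control:%s  test:%s" % (attr, c, t))
    return "\n".join(out)


if __name__ == "__main__":
    print(format_report(compare(CONTROL, TEST)))
```

Passing ignore=("mtime",) drops the noisy timestamp lines from the report; a real integrity check keeps contents, mode and acl in any case.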
Find more information regarding this feature at http://www.c0t0d0s0.org/archives/4069-Less-known-Solaris-features-BART.html
Apropos auditing

Auditing is activated by default.

root@client:~# auditconfig -getflags
active user default audit flags = lo(0x1000,0x1000)
configured user default audit flags = lo(0x1000,0x1000)
root@client:~# auditconfig -getnaflags
active non-attributable audit flags = lo(0x1000,0x1000)
configured non-attributable audit flags = lo(0x1000,0x1000)

root@client:~# auditconfig -getpolicy
configured audit policies = cnt
active audit policies = cnt
Policy regarding auditing (explanation on the next slide)

root@client:~# auditconfig -lspolicy
policy string    description
ahlt             halt machine if it can not record an async event
all              all policies
arge             include exec environment args in audit recs
argv             include exec command line args in audit recs
cnt              when no more space, drop recs and keep a cnt
group            include supplementary groups in audit recs
none             no policies
path             allow multiple paths per event
perzone          use a separate queue and auditd per zone
public           audit public files
seq              include a sequence number in audit recs
trail            include trailer token in audit recs
windata_down     include downgraded window information in audit recs
windata_up       include upgraded window information in audit recs
zonename         include zonename token in audit recs
Which degree of detail? What happens with full disks? (cnt keeps the system running and counts dropped records; ahlt halts the machine rather than lose an event.)

root@client:~# auditconfig -getplugin
Plugin: audit_binfile (active)
        Attributes: p_dir=/var/audit;p_fsize=0;p_minfree=1;

Plugin: audit_syslog (inactive)
        Attributes: p_flags=;

Plugin: audit_remote (inactive)
        Attributes: p_hosts=;p_retries=3;p_timeout=5;
root@client:~# auditconfig -setflags lo,ps,fw
user default audit flags = ps,lo,fw(0x101002,0x101002)
root@client:~# auditconfig -setnaflags lo,na
non-attributable audit flags = lo,na(0x1400,0x1400)

lo and na are the only sensible flags for non-attributable events (events with no user session behind them, such as failed logins and system startup).

root@client:~# usermod -K audit_flags=fw,as:no junior

Per-user flags are added to the system defaults. The value has the form always-audit:never-audit; "no" means nothing is excluded.
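The hex pairs auditconfig prints are two bitmasks, one for successful and one for failed events, assembled from the class values in /etc/security/audit_class. The following is an added example, not from the slides or from Solaris: it computes that pair from an audit_flags string such as "lo,ps,fw" or "fw,as:no", including the +class (success only), -class (failure only) and ^class (remove) prefixes of audit_flags(5), and resolves a usermod-style always:never value on top of the system default. The class values for lo, fw, ps and na are derived from the masks visible in the slides' output; the value for "as" is an assumption of this example, a real system reads it from audit_class.

```python
"""Added example, not from the slides: build the (success, failure) audit
mask pair that auditconfig prints from an audit_flags(5) string."""

# Class -> mask bit. lo/fw/ps/na follow from the slides' output
# (lo=0x1000, lo+ps+fw=0x101002, lo+na=0x1400); 'as' is assumed here.
AUDIT_CLASS = {"lo": 0x1000, "fw": 0x2, "ps": 0x100000, "na": 0x400,
               "as": 0x20000}


def apply_flags(flags, success=0, failure=0):
    """Apply one comma-separated flag list to a (success, failure) pair.
    'c' audits both outcomes, '+c' successes only, '-c' failures only;
    a leading '^' removes instead of adding ('^c', '^+c', '^-c')."""
    for tok in filter(None, (t.strip() for t in flags.split(","))):
        remove = tok.startswith("^")
        if remove:
            tok = tok[1:]
        side = "both"
        if tok[:1] in ("+", "-"):
            side, tok = ("success" if tok[0] == "+" else "failure"), tok[1:]
        if tok not in AUDIT_CLASS:
            raise ValueError("unknown audit class: %r" % tok)
        bit = AUDIT_CLASS[tok]
        if side in ("both", "success"):
            success = success & ~bit if remove else success | bit
        if side in ("both", "failure"):
            failure = failure & ~bit if remove else failure | bit
    return success, failure


def user_masks(audit_flags, system_default="lo"):
    """Resolve a usermod-style 'always:never' value on top of the system
    default flags. The never part uses the same syntax but always removes,
    so it wins over both the default and the always part."""
    always, _, never = audit_flags.partition(":")
    success, failure = apply_flags(system_default)
    success, failure = apply_flags(always, success, failure)
    if never and never != "no":
        success, failure = apply_flags(
            ",".join("^" + t.strip() for t in never.split(",")),
            success, failure)
    return success, failure


if __name__ == "__main__":
    print("lo,ps,fw -> (0x%x,0x%x)" % apply_flags("lo,ps,fw"))
    print("fw,as:no for junior -> (0x%x,0x%x)" % user_masks("fw,as:no"))
```

The first call reproduces the (0x101002,0x101002) from the slide; "lo,-fw" yields (0x1000,0x1002), which is the usual way to record only failed writes without drowning in successful ones.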
root@client:~# auditconfig -lsevent | grep lo
AUE_login                   6152  lo  login - local
AUE_logout                  6153  lo  logout
AUE_telnet                  6154  lo  login - telnet
AUE_rlogin                  6155  lo  login - rlogin
AUE_rshd                    6158  lo  rsh access
AUE_su                      6159  lo  su
AUE_rexecd                  6162  lo  rexecd
AUE_passwd                  6163  lo  passwd
AUE_rexd                    6164  lo  rexd
AUE_ftpd                    6165  lo  ftp access
AUE_ftpd_logout             6171  lo  ftp logout
AUE_ssh                     6172  lo  login - ssh
AUE_role_login              6173  lo  role login
AUE_rad_login               6174  lo  connect to RAD
AUE_newgrp_login            6212  lo  newgrp login
AUE_admin_authenticate      6213  lo  admin login
AUE_screenlock              6221  lo  screenlock - lock
AUE_screenunlock            6222  lo  screenlock - unlock
AUE_zlogin                  6227  lo  login - zlogin
AUE_su_logout               6228  lo  su logout
AUE_role_logout             6229  lo  role logout
AUE_smbd_session            6244  lo  smbd(1m) session setup
AUE_smbd_logoff             6245  lo  smbd(1m) session logoff

root@client:~# auditconfig -lsevent | grep ps
AUE_EXIT                       1  ps  exit(2)
AUE_FORKALL                    2  ps  forkall(2)
AUE_VFORK                     25  ps  vfork(2)
AUE_FORK1                    241  ps  fork1(2)
root@client:~# auditconfig -lsevent | grep fw
AUE_OPEN_W                    76  fw  open(2) - write

# auditreduce -c ps /var/audit/20130912183630.not_terminated.client | praudit
header,139,2,execve(2),,client,2013-09-12 18:40:55.924 +00:00
path,/usr/sbin/auditreduce
attribute,100555,root,bin,65538,65875,18446744073709551615
subject,jmoekamp,root,root,root,root,2054,1440080956,2480 202240 192.168.10.1
return,success,0
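Once records leave praudit as text, the next step is usually to get them into something searchable. The following is an added example, not from the slides or from Solaris: a parser for the comma-separated token lines praudit prints (the pfedit record earlier and the execve record above are the model), plus the two filters an analyst reaches for first, every use of an authorization and every record whose return token is not "success". The multi-line text token of a pfedit record is handled as a continuation of the previous token. SAMPLE_TRAIL is constructed from the slides' two records plus an invented failed-login record.

```python
"""Added example, not from the slides: parse praudit text output into
records and pull out authorization uses and failed events."""

KNOWN_TOKENS = {"header", "subject", "path", "attribute", "return", "text",
                "use of authorization", "exec_args", "exec_env", "zone",
                "sequence", "trailer"}

# Constructed trail: the two records from the slides plus one failed login.
SAMPLE_TRAIL = """header,486,2,edit administrative file,,fe80::a00:27ff:fea6:33cb,2013-08-12 07:45:52.306 +00:00
subject,junior,junior,staff,junior,staff,4212,4474671663,69 136704 MacBook-Pro-of-c0t0d0s0.fritz.box
path,/etc/apache2/2.2/httpd.conf
use of authorization,solaris.admin.edit/etc/apache2/2.2/httpd.conf
text,--- /etc/apache2/2.2/httpd.conf  Mo Aug 12 07:45:00 2013
+++ /etc/apache2/2.2/httpd.conf.pfedit.1BaGoi  Mo Aug 12 07:45:52 2013
@@ -1,5 +1,6 @@
+# Test 3
return,success,0
header,139,2,execve(2),,client,2013-09-12 18:40:55.924 +00:00
path,/usr/sbin/auditreduce
attribute,100555,root,bin,65538,65875,18446744073709551615
subject,jmoekamp,root,root,root,root,2054,1440080956,2480 202240 192.168.10.1
return,success,0
header,77,2,login - ssh,,client,2013-09-12 18:41:10.001 +00:00
subject,junior,junior,staff,junior,staff,2100,2100,0 0 192.168.10.7
return,failure: Permission denied,-1
"""

SUBJECT_FIELDS = ("audit_user", "uid", "gid", "ruid", "rgid", "pid", "sid", "tid")


def parse_praudit(text):
    """Group token lines into records (one per header). header, subject and
    return are split into named fields; other tokens are kept in order as
    [name, value] pairs. A line that does not start with a known token name
    continues the value of the previous token (multi-line text tokens)."""
    records, rec = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        token, _, rest = line.partition(",")
        if token == "header":
            size, version, event, modifier, host, ts = rest.split(",", 5)
            rec = {"header": {"event": event, "host": host, "time": ts},
                   "tokens": []}
            records.append(rec)
        elif rec is None:
            raise ValueError("token before first header: " + line)
        elif token == "subject":
            rec["subject"] = dict(zip(SUBJECT_FIELDS, rest.split(",", 7)))
        elif token == "return":
            status, _, value = rest.rpartition(",")
            rec["return"] = {"status": status, "value": value}
        elif token in KNOWN_TOKENS:
            rec["tokens"].append([token, rest])
        elif rec["tokens"]:
            rec["tokens"][-1][1] += "\n" + line
        else:
            raise ValueError("unexpected line: " + line)
    return records


def authorization_uses(records):
    """(audit_user, authorization, first path or None) for every use."""
    out = []
    for r in records:
        paths = [v for t, v in r["tokens"] if t == "path"]
        user = r.get("subject", {}).get("audit_user")
        for t, v in r["tokens"]:
            if t == "use of authorization":
                out.append((user, v, paths[0] if paths else None))
    return out


def failures(records):
    """(event, audit_user, status) for every record that did not succeed."""
    return [(r["header"]["event"], r.get("subject", {}).get("audit_user"),
             r["return"]["status"])
            for r in records
            if "return" in r and r["return"]["status"] != "success"]


if __name__ == "__main__":
    recs = parse_praudit(SAMPLE_TRAIL)
    print(authorization_uses(recs))
    print(failures(recs))
```

For production use, praudit -x gives XML that avoids the guesswork about multi-line tokens; the line parser above is what you reach for when all you have is the plain text from a ticket or a log forwarder.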
root@client:~# auditconfig -setflags all
user default audit flags = all(0xffffffffffffffff,0xffffffffffffffff)
Not always (in the sense of: never) a good idea.

Useful after trying things out, starting a new audit file:
root@client:~# audit -n

root@client:~# auditstat
  gen  nona   kern   aud  ctl    enq   wrtn  wblk  rblk  drop   tot  mem
38248     1  38233    14    0  37791  37788     0  3491   457  5169    0
"all" activated for a few seconds on an unloaded system. Note the drop column: 457 records were already dropped, because with the cnt policy the kernel drops records rather than blocking when the queue fills up.

SSH and X.509
rootca~ CApl -newcaCA certificate filename (or enter to create)
Making CA certificate Generating a 1024 bit RSA private key++++++++++++writing new private key to etcopensslprivatecakeypemEnter PEM pass phrase supersecret1Verifying - Enter PEM pass phrase supersecret1-----You are about to be asked to enter information that will be incorporatedinto your certificate requestWhat you are about to enter is what is called a Distinguished Name or a DNThere are quite a few fields but you can leave some blankFor some fields there will be a default valueIf you enter the field will be left blank-----Country Name (2 letter code) []DEState or Province Name (full name) []Lower SaxonyLocality Name (eg city) []LueneburgOrganization Name (eg company) []c0t0d0s0orgOrganizational Unit Name (eg section) []Security DepartmentCommon Name (eg server FQDN or YOUR name) []CAEmail Address []
Please enter the following extra attributesto be sent with your certificate requestA challenge password []An optional company name []Using configuration from etcopensslopensslcnf
Enter pass phrase for etcopensslprivatecakeypem supersecret1Check that the request matches the signatureSignature okCertificate Details Serial Number b354808866ade878 Validity Not Before Sep 26 101109 2013 GMT Not After Sep 25 101109 2016 GMT Subject countryName = DE stateOrProvinceName = Lower Saxony organizationName = c0t0d0s0org organizationalUnitName = Security Department commonName = CA X509v3 extensions X509v3 Subject Key Identifier 5B1F2F7186123040501552818D525AA5597E3644 X509v3 Authority Key Identifier keyid5B1F2F7186123040501552818D525AA5597E3644
X509v3 Basic Constraints CATRUECertificate is to be certified until Sep 25 101109 2016 GMT (1095 days)
Write out database with 1 new entriesData Base Updated
c0t0d0s0org132
rootca~ mkdir serverrootca~ cd serverrootca~server CApl -newreqGenerating a 1024 bit RSA private key++++++++++++writing new private key to newkeypemEnter PEM pass phrase supersecret2Verifying - Enter PEM pass phrase supersecret2-----You are about to be asked to enter information that will be incorporatedinto your certificate requestWhat you are about to enter is what is called a Distinguished Name or a DNThere are quite a few fields but you can leave some blankFor some fields there will be a default valueIf you enter the field will be left blank-----Country Name (2 letter code) []DEState or Province Name (full name) []Lower SaxonyLocality Name (eg city) []LueneburgOrganization Name (eg company) []c0t0d0s0orgOrganizational Unit Name (eg section) []Server Certificates
Common Name (eg server FQDN or YOUR name) []serverEmail Address []
Please enter the following extra attributesto be sent with your certificate requestA challenge password []An optional company name []Request is in newreqpem private key is in newkeypem
c0t0d0s0org133
rootca~ mkdir serverrootca~ cd serverrootca~server CApl -newreqGenerating a 1024 bit RSA private key++++++++++++writing new private key to newkeypemEnter PEM pass phrase supersecret2Verifying - Enter PEM pass phrase supersecret2-----You are about to be asked to enter information that will be incorporatedinto your certificate requestWhat you are about to enter is what is called a Distinguished Name or a DNThere are quite a few fields but you can leave some blankFor some fields there will be a default valueIf you enter the field will be left blank-----Country Name (2 letter code) []DEState or Province Name (full name) []Lower SaxonyLocality Name (eg city) []LueneburgOrganization Name (eg company) []c0t0d0s0orgOrganizational Unit Name (eg section) []Server Certificates
Common Name (eg server FQDN or YOUR name) []serverEmail Address []
Please enter the following extra attributesto be sent with your certificate requestA challenge password []An optional company name []Request is in newreqpem private key is in newkeypem
c0t0d0s0org134
rootca~server CApl -signreqUsing configuration from etcopensslopensslcnfEnter pass phrase for etcopensslprivatecakeypem supersecret1Check that the request matches the signatureSignature okCertificate Details Serial Number b354808866ade879 Validity Not Before Sep 26 102912 2013 GMT Not After Sep 26 102912 2014 GMT Subject countryName = DE stateOrProvinceName = Lower Saxony localityName = Lueneburg organizationName = c0t0d0s0org organizationalUnitName = Server Certificates commonName = server X509v3 extensions X509v3 Basic Constraints CAFALSE Netscape Comment OpenSSL Generated Certificate X509v3 Subject Key Identifier
A7DC03DEB3D5FBF9C006F11A55A9AD04C49C10FA X509v3 Authority Key Identifier keyid5B1F2F7186123040501552818D525AA5597E3644
Certificate is to be certified until Sep 26 102912 2014 GMT (365 days)Sign the certificate [yn]y
1 out of 1 certificate requests certified commit [yn]yWrite out database with 1 new entriesData Base UpdatedSigned certificate is in newcertpemrootca~server ls -ltotal 15-rw-r--r-- 1 root root 3196 Sep 26 1229 newcertpem-rw-r--r-- 1 root root 1041 Sep 26 1228 newkeypem-rw-r--r-- 1 root root 680 Sep 26 1228 newreqpem
c0t0d0s0org135
rootca~junior CApl -newreqGenerating a 1024 bit RSA private key++++++++++++writing new private key to newkeypemEnter PEM pass phraseVerifying - Enter PEM pass phraseVerify failureEnter PEM pass phrase supersecret3Verifying - Enter PEM pass phrase supersecret3-----You are about to be asked to enter information that will be incorporatedinto your certificate requestWhat you are about to enter is what is called a Distinguished Name or a DNThere are quite a few fields but you can leave some blankFor some fields there will be a default valueIf you enter the field will be left blank-----Country Name (2 letter code) []DEState or Province Name (full name) []Lower SaxonyLocality Name (eg city) []LueneburgOrganization Name (eg company) []c0t0d0s0orgOrganizational Unit Name (eg section) []User certificates
Common Name (eg server FQDN or YOUR name) []juniorEmail Address []
Please enter the following extra attributesto be sent with your certificate requestA challenge password []An optional company name []Request is in newreqpem private key is in newkeypem
c0t0d0s0org136
rootca~junior CApl -signreqUsing configuration from etcopensslopensslcnfEnter pass phrase for etcopensslprivatecakeypemCheck that the request matches the signatureSignature okCertificate Details Serial Number b354808866ade87a Validity Not Before Sep 26 110929 2013 GMT Not After Sep 26 110929 2014 GMT Subject countryName = DE stateOrProvinceName = Lower Saxony localityName = Lueneburg organizationName = c0t0d0s0org organizationalUnitName = User certificates commonName = junior X509v3 extensions X509v3 Basic Constraints CAFALSE Netscape Comment OpenSSL Generated Certificate X509v3 Subject Key Identifier
A1F2FC9D8AE2AD9AF52903F5B714933C64628E9C X509v3 Authority Key Identifier keyid5B1F2F7186123040501552818D525AA5597E3644
Certificate is to be certified until Sep 26 110929 2014 GMT (365 days)Sign the certificate [yn]y
1 out of 1 certificate requests certified commit [yn]yWrite out database with 1 new entriesData Base UpdatedSigned certificate is in newcertpem
root@server:~# useradd -m junior
80 blocks
root@server:~# passwd junior
New Password:
Re-enter new Password:
passwd: password successfully changed for junior
root@server:~#

root@client:~# useradd -m junior
80 blocks
root@client:~# passwd junior
New Password:
Re-enter new Password:
passwd: password successfully changed for junior
root@server:~# echo "192.168.105.1 server" >> /etc/hosts
root@server:~# echo "192.168.105.2 client" >> /etc/hosts

root@client:~# echo "192.168.105.1 server" >> /etc/hosts
root@client:~# echo "192.168.105.2 client" >> /etc/hosts
root@ca:~/server# scp /etc/openssl/cacert.pem jmoekamp@192.168.1.109:/export/home/jmoekamp
Password:
cacert.pem           100% |*****************************|  3011       00:00
root@ca:~/server# scp newcert.pem jmoekamp@192.168.1.109:/export/home/jmoekamp
Password:
newcert.pem          100% |*****************************|  3196       00:00
root@ca:~/server# scp newkey.pem jmoekamp@192.168.1.109:/export/home/jmoekamp
Password:
newkey.pem           100% |*****************************|  1041       00:00

root@ca:~/junior# scp newkey.pem junior@client:/export/home/junior
Password:
newkey.pem           100% |*****************************|  1041       00:00
root@ca:~/junior# scp newcert.pem junior@client:/export/home/junior
Password:
newcert.pem          100% |*****************************|  3190       00:00
root@ca:~/junior# scp /etc/openssl/cacert.pem junior@192.168.1.104:/export/home/junior
Password:
cacert.pem           100% |*****************************|  3011       00:00
On the Server
root@server:~# ls
cacert.pem   newcert.pem   newkey.pem
root@server:~# pktool setpin
Enter token passphrase: changeme
Create new passphrase: superserversecret
Re-enter new passphrase: superserversecret
Passphrase changed.
root@server:~#
root@server:~# printf "superserversecret" > /etc/ssh/pinfile
root@server:~# kmfcfg create dbfile=/etc/ssh/policy.xml policy=ssh ta-name=search mapper-name=cn
root@server:~# echo "TrustedAnchorKeystore /etc/ssh/cert" >> /etc/ssh/sshd_config
root@server:~# echo "KMFPolicyDatabase /etc/ssh/policy.xml" >> /etc/ssh/sshd_config
root@server:~# echo "KMFPolicyName ssh" >> /etc/ssh/sshd_config
root@server:~# echo "HostKey pkcs11:object=host;token=Sun Metaslot;pinfile=/etc/ssh/pinfile" >> /etc/ssh/sshd_config
root@server:~# pktool import keystore=pkcs11 infile=newkey.pem objtype=key label=host
Enter PIN for Sun Software PKCS#11 softtoken: superserversecret
Enter PEM pass phrase: supersecret2
Importing 1 keys
root@server:~# egrep -v '^ |^$|^Cert' /export/home/jmoekamp/cacert.pem > /etc/ssh/cert/cacertcooked.pem
root@server:~# egrep -v '^ |^$|^Cert' newcert.pem > newcertcooked.pem
root@server:~# pktool import keystore=pkcs11 infile=newcertcooked.pem objtype=cert label=host
root@server:~#
On the client
junior@client:~$ ls *.pem
cacert.pem   newcert.pem   newkey.pem
root@client:~# kmfcfg create dbfile=/etc/ssh/policy.xml policy=ssh ta-name=search mapper-name=cn
root@client:~# egrep -v '^ |^$|^Cert' /export/home/junior/cacert.pem > /etc/ssh/cert/cacertcooked.pem
junior@client:~$ pktool setpin
Enter token passphrase: changeme
Create new passphrase: superusersecret
Re-enter new passphrase: superusersecret
Passphrase changed.
junior@client:~$ pktool import keystore=pkcs11 infile=newkey.pem objtype=key label=user
Enter PIN for Sun Software PKCS#11 softtoken: superusersecret
Enter PEM pass phrase: supersecret3
Importing 1 keys
junior@client:~$ egrep -v '^ |^$|^Cert' newcert.pem > newcertcooked.pem
junior@client:~$ pktool import keystore=pkcs11 infile=newcertcooked.pem objtype=cert label=user
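The egrep lines on the server and on the client exist because CA.pl writes newcert.pem with the human-readable dump (the "Certificate:" header and the indented fields) in front of the PEM block, and pktool only accepts the PEM itself. As an added example that is not from the slides and not Solaris code, the following Python does the same "cooking" by keeping only the lines between the BEGIN/END markers, which does not depend on the dump's indentation, and then checks that what is left is a base64-encoded DER SEQUENCE of the announced length. The sample file contents and the tiny DER value are constructed for the example; a real certificate body is far longer.

```python
"""Added example: strip the text dump from a certificate file before import.

Not the slide author's code and not what pktool does internally; it mirrors
the effect of  egrep -v '^ |^$|^Cert' newcert.pem > newcertcooked.pem  and
adds a sanity check on the extracted PEM body.
"""
import base64
import binascii

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def cook_certificate(text):
    """Return only the PEM block(s) contained in `text`, BEGIN..END inclusive."""
    out, inside = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == BEGIN:
            inside = True
        if inside:
            out.append(line)
        if line == END:
            inside = False
    return "\n".join(out) + ("\n" if out else "")


def pem_body_is_valid_der(pem):
    """True if `pem` is a single PEM block whose base64 body decodes to a DER
    SEQUENCE (tag 0x30) whose encoded length matches the decoded size.
    This is a cheap structural check, not certificate validation."""
    lines = pem.strip().splitlines()
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        return False
    try:
        der = base64.b64decode("".join(lines[1:-1]), validate=True)
    except (binascii.Error, ValueError):
        return False
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                       # short-form length
        length, header = first, 2
    else:                                  # long form: 0x8N, then N length bytes
        n = first & 0x7F
        if n == 0 or len(der) < 2 + n:
            return False
        length, header = int.from_bytes(der[2:2 + n], "big"), 2 + n
    return len(der) == header + length


# Constructed sample: a 5-byte DER SEQUENCE { INTEGER 5 } standing in for a
# real certificate, wrapped the way CA.pl / "openssl x509 -text" present it.
_SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])
SAMPLE_NEWCERT = "\n".join([
    "Certificate:",
    "    Data:",
    "        Version: 3 (0x2)",
    "        Serial Number:",
    "            b3:54:80:88:66:ad:e8:7a",
    "",
    BEGIN,
    base64.b64encode(_SAMPLE_DER).decode(),   # "MAMCAQU="
    END,
    "",
])

if __name__ == "__main__":
    cooked = cook_certificate(SAMPLE_NEWCERT)
    print(cooked, end="")
    print("valid DER body:", pem_body_is_valid_der(cooked))
```

The marker-based extraction also copes with files that hold more than one certificate (a bundle), which the slide's egrep handles only as long as every non-PEM line is blank, indented or starts with "Cert".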
Testing it
root@server:~# svcadm disable ssh
root@server:~# svcadm enable ssh
junior@client:~$ cd .ssh
junior@client:~/.ssh$ printf "superusersecret" >> pinfile
junior@client:~/.ssh$ cat config
Host server-x509
    Hostname server
    TrustedAnchorKeystore /etc/ssh/cert
    KMFPolicyDatabase /etc/ssh/policy.xml
    KMFPolicyName ssh
    IdentityFile pkcs11:object=user;token=Sun Software PKCS#11 softtoken;pinfile=/export/home/junior/.ssh/pinfile
junior@client:~/.ssh$ ssh junior@server-x509
Last login: Thu Sep 26 20:07:14 2013 from client
Oracle Corporation      SunOS 5.11      11.1    September 2013
junior@server:~$
Find more information regarding this feature at
http://www.c0t0d0s0.org/archives/7659-Using-X509-support-for-SSH-on-Solaris-11.1.html
OpenSCAP
"The Security Content Automation Protocol (SCAP) is a method for using specific standards to enable automated vulnerability management, measurement, and policy compliance evaluation (e.g., FISMA compliance). The National Vulnerability Database (NVD) is the U.S. government content repository for SCAP."
http://en.wikipedia.org/wiki/Security_Content_Automation_Protocol
ftp-banner.xml

<?xml version="1.0" encoding="UTF-8"?>
<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5" xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5" xmlns:independent-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd">
  <generator>
    <oval:product_name>Enhanced SCAP Editor</oval:product_name>
    <oval:product_version>0.0.11</oval:product_version>
    <oval:schema_version>5.8</oval:schema_version>
    <oval:timestamp>2012-10-11T10:33:25</oval:timestamp>
  </generator>
  <!--generated.oval.base.identifier=com.oracle.solaris11-->
  <definitions>
    <definition id="oval:com.oracle.solaris11:def:840" version="1" class="compliance">
      <metadata>
        <title>Enable a Warning Banner for the FTP Service</title>
        <affected family="unix">
          <platform>Oracle Solaris 11</platform>
        </affected>
        <description>/etc/proftpd.conf contains "DisplayConnect /etc/issue"</description>
      </metadata>
      <criteria operator="AND" negate="false" comment="Single test">
        <criterion comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;" test_ref="oval:com.oracle.solaris11:tst:8400" negate="false"/>
      </criteria>
    </definition>
  </definitions>
  <tests>
    <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:com.oracle.solaris11:tst:8400" version="1" check="all" comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;" check_existence="all_exist">
      <object object_ref="oval:com.oracle.solaris11:obj:8400"/>
    </textfilecontent54_test>
  </tests>
  <objects>
    <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent" id="oval:com.oracle.solaris11:obj:8400" version="1" comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;">
      <path datatype="string" operation="equals">/etc</path>
      <filename datatype="string" operation="equals">proftpd.conf</filename>
      <pattern datatype="string" operation="pattern match">^DisplayConnect\s+/etc/issue\s*$</pattern>
      <instance datatype="int" operation="greater than or equal">1</instance>
    </textfilecontent54_object>
  </objects>
</oval_definitions>
$ oscap oval eval ftp-banner.xml
Definition oval:com.oracle.solaris11:def:840: false
Evaluation done.

$ oscap oval eval --results results.xml --report report.html ftp-banner.xml
Definition oval:com.oracle.solaris11:def:840: false
Evaluation done.
OVAL Results are exported correctly.
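To make visible what oscap is evaluating when it prints "false" for that definition, the following added Python example (not part of the slides and not oscap code) re-implements the single textfilecontent54 check from ftp-banner.xml: the regular expression in <pattern> is tried against each line of the file named by <path> and <filename>, and the check passes only if the number of matching lines satisfies <instance>, here "greater than or equal 1". The proftpd.conf contents are constructed stand-ins for the real file, the OVAL fragment is a trimmed copy of the file above, and the whitespace quantifiers in the pattern are as reconstructed there. The handling of <instance> as a line count is a simplification of the OVAL semantics that is sufficient for this one check.

```python
"""Added example: evaluate the slide's OVAL textfilecontent54 check in Python.

Not oscap and not the slide author's code; a small re-implementation so the
reader can see the file/regex/instance logic behind "Definition ...: false".
"""
import operator
import re
import xml.etree.ElementTree as ET

OVAL_NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5"
IND_NS = "http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"

# Trimmed copy of the definition, test and object from the slide's ftp-banner.xml
FTP_BANNER_XML = r"""
<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
                  xmlns:ind="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent">
  <definitions>
    <definition id="oval:com.oracle.solaris11:def:840" version="1" class="compliance">
      <metadata><title>Enable a Warning Banner for the FTP Service</title></metadata>
      <criteria operator="AND">
        <criterion test_ref="oval:com.oracle.solaris11:tst:8400"/>
      </criteria>
    </definition>
  </definitions>
  <tests>
    <ind:textfilecontent54_test id="oval:com.oracle.solaris11:tst:8400" version="1"
                                check="all" check_existence="all_exist">
      <ind:object object_ref="oval:com.oracle.solaris11:obj:8400"/>
    </ind:textfilecontent54_test>
  </tests>
  <objects>
    <ind:textfilecontent54_object id="oval:com.oracle.solaris11:obj:8400" version="1">
      <ind:path>/etc</ind:path>
      <ind:filename>proftpd.conf</ind:filename>
      <ind:pattern operation="pattern match">^DisplayConnect\s+/etc/issue\s*$</ind:pattern>
      <ind:instance datatype="int" operation="greater than or equal">1</ind:instance>
    </ind:textfilecontent54_object>
  </objects>
</oval_definitions>
"""

# Constructed stand-ins for /etc/proftpd.conf on a compliant and a non-compliant host
COMPLIANT_CONF = 'ServerName "FTP"\nDisplayConnect /etc/issue\n'
NONCOMPLIANT_CONF = 'ServerName "FTP"\n# DisplayConnect /etc/issue\nDisplayConnect /etc/motd\n'

COMPARE = {
    "equals": operator.eq,
    "greater than or equal": operator.ge,
    "greater than": operator.gt,
    "less than or equal": operator.le,
}


def _find_by_id(root, tag, ident):
    for el in root.iter(tag):
        if el.get("id") == ident:
            return el
    raise KeyError(f"{tag} {ident} not found")


def load_object(root, object_id):
    """Pull path, filename, pattern and instance out of a textfilecontent54_object."""
    obj = _find_by_id(root, f"{{{IND_NS}}}textfilecontent54_object", object_id)
    inst = obj.find(f"{{{IND_NS}}}instance")
    return {
        "path": obj.findtext(f"{{{IND_NS}}}path"),
        "filename": obj.findtext(f"{{{IND_NS}}}filename"),
        "pattern": obj.findtext(f"{{{IND_NS}}}pattern"),
        "instance": int(inst.text),
        "instance_op": inst.get("operation", "equals"),
    }


def evaluate_object(obj, files):
    """`files` maps absolute path -> contents and stands in for the filesystem.
    A missing file means the object does not exist, which fails check_existence=all_exist."""
    full_path = obj["path"].rstrip("/") + "/" + obj["filename"]
    contents = files.get(full_path)
    if contents is None:
        return False
    regex = re.compile(obj["pattern"])
    hits = sum(1 for line in contents.splitlines() if regex.search(line))
    return COMPARE[obj["instance_op"]](hits, obj["instance"])


def evaluate_definition(xml_text, def_id, files):
    """Evaluate every criterion of the definition (criteria operator="AND")."""
    root = ET.fromstring(xml_text.strip())
    definition = _find_by_id(root, f"{{{OVAL_NS}}}definition", def_id)
    results = []
    for criterion in definition.iter(f"{{{OVAL_NS}}}criterion"):
        test = _find_by_id(root, f"{{{IND_NS}}}textfilecontent54_test", criterion.get("test_ref"))
        obj = load_object(root, test.find(f"{{{IND_NS}}}object").get("object_ref"))
        results.append(evaluate_object(obj, files))
    return all(results)


if __name__ == "__main__":
    for name, conf in (("compliant", COMPLIANT_CONF), ("non-compliant", NONCOMPLIANT_CONF)):
        verdict = evaluate_definition(FTP_BANNER_XML, "oval:com.oracle.solaris11:def:840",
                                      {"/etc/proftpd.conf": conf})
        print(f"Definition oval:com.oracle.solaris11:def:840 ({name}): {str(verdict).lower()}")
```

Because the regex is anchored with ^ and $, a commented-out "# DisplayConnect /etc/issue" or a banner pointing at another file does not count, which is exactly the kind of near-miss a compliance check has to reject.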
To create your own OVAL files: Enhanced SCAP Content Editor
Find more information regarding this feature at
https://blogs.oracle.com/darren/entry/compliance_reporting_with_scap