
va-scan Copyright 2002, Marchany

Securing Solaris Systems

Randy Marchany, VA Tech Computing Center
[email protected]

Course Outline
- OS Installation Tips
- Cleaning System Scripts
- Kernel settings
- Testing & Verification
- CIS Benchmarks
- TITAN
- JASS


OS Installation Tips

Basic Tips During OS Installation

OS Installation Tips
- Core: base OS, 50Mb in size
- End-user: CDE/X Windows, UCB support, NIS/NIS+/LDAP
- Developer: man pages, include files (/usr/include), compiler libraries, make, ar, ld commands
- Full OEM: everything on the install CD
- Make sure SUNWter is installed. This adds xterm and other term support. Remote administration requires this package.

OS Installation: Disk Partitions
- Solaris 2.x no longer requires as much swap space as memory, but it doesn't hurt
- /var should be large: > 2GB
- /opt should be large: > 2GB. Compilers and other Sun packages install here by default.
- DiskSuite requires 5MB on each disk for configuration information
- Veritas requires 2 free partitions to encapsulate and mirror the root drive

OS Package Dependencies
- NTP: SUNWntpr, SUNWntpu
- Perl: SUNWlibm, SUNWlibms
- Oracle: SUNWarc, SUNWbtool, SUNWsprot, SUNWtoo, SUNWlibCf
- Man Pages: SUNWlibC, SUNWdoc, SUNWman

OS Package Dependencies
- Developer Tools: SUNWhea, SUNWtnfc, SUNWarc, SUNWsprot, SUNWbtool, SUNWtoo, SUNWhmdu, SUNWlibm, SUNWlibC, SUNWlibCf, SUNWtnfd
- X Client (not X Server): SUNWxwrtl, SUNWxilow, SUNWxwplt, SUNWxwfnt, SUNWxwice, SUNWmfrun, SUNWtltk, SUNWxilrl, SUNWxildh
- Virtual Adrian: SUNWsprot

Determining Which Package: Pomeranz Method
- Attempt to install or run the application
- Find the missing file(s) via the error message and/or truss
- Check /var/sadm/install/contents on a full OS install and grep for the file. Each entry in this file ends with the name of the package that delivers the file
- Add the needed package
- Add the appropriate dependencies
- Repeat until done
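The grep step of the method, as an added shell example that is not part of the course: a lookup over /var/sadm/install/contents that handles the file, directory and link entry layouts, run here against a constructed excerpt of that file (the layout is the real one, the entries are made up for the demo).

```shell
#!/bin/sh
# Added example, not from the course: map a missing file back to the
# Solaris package that delivers it by reading /var/sadm/install/contents.
# The excerpt below is constructed sample data in the real contents(4)
# layout.  Regular files ("f") carry: path type class mode owner group
# size cksum modtime package...; directories ("d") stop after group;
# symlinks ("s", written path=target) and hard links ("l") carry only
# path type class package...
CONTENTS=$(mktemp)
cat > "$CONTENTS" <<'EOF'
/usr/bin d none 0755 root bin SUNWcsr SUNWcsu SUNWsprot
/usr/bin/ar f none 0555 root bin 28620 3041 975034522 SUNWbtool
/usr/bin/make f none 0555 root bin 140112 25312 975034522 SUNWsprot
/usr/bin/sh=../../sbin/sh s none SUNWcsu
/usr/bin/truss f none 0555 root bin 75828 40101 975034522 SUNWtoo
/usr/include/stdio.h f none 0644 root bin 16120 55002 975034522 SUNWhea
/usr/lib/libm.so.1 f none 0755 root bin 187384 7342 975034522 SUNWlibms SUNWlibm
EOF

# pkg_for_file <contents-file> <absolute-path>
# Prints every package owning the path, one per line.  Exit status 1
# means no package delivers the file, i.e. it is not part of the OS.
pkg_for_file() {
    awk -v p="$2" '
        $1 == p || index($1, p "=") == 1 {
            if ($2 == "f" || $2 == "e" || $2 == "v") start = 10   # files
            else if ($2 == "d" || $2 == "x") start = 7            # dirs
            else start = 4                                        # s, l
            for (i = start; i <= NF; i++) print $i
            found = 1
        }
        END { if (found) exit 0; exit 1 }' "$1"
}

# pkgs_for_files <contents-file> <file-listing-missing-paths>
# The loop the method runs by hand: take the paths truss or the error
# message named, resolve each, and print the set of packages to add.
# Paths no package delivers are reported on stderr so they are not lost.
pkgs_for_files() {
    while read -r path; do
        pkg_for_file "$1" "$path" || echo "no package delivers $path" >&2
    done < "$2" | sort -u
}

# Demo: the files a failed install might complain about (constructed).
MISSING=$(mktemp)
printf '%s\n' /usr/bin/make /usr/bin/ar /usr/include/stdio.h /usr/local/bin/foo > "$MISSING"
pkgs_for_files "$CONTENTS" "$MISSING"
```

On a real host replace the constructed file with /var/sadm/install/contents from a full-OEM install, as the slide says.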

Patches
- Available from sunsolve.sun.com
- 2 install tools:
  - Patchdiag: available from sunsolve.sun.com
  - GASP: available from discovery.cc.vt.edu and Brian Reilly at Georgetown U. GUI front end to patchdiag; Patchdiag is required

Patches: GASP
- Build from kit
- Create /tmp/patches
- Modify the patchadd command to keep the backout option if you want it
- Start: xgasp
- Click on Generate Patch Report
- Enter sunsolve userid/password
- You can select individual patches or all of them for download

Patches: Sunsolve
- Go to http://sunsolve.sun.com
- Login as vtsug/sunsucks
- Use the search tools to find the patches you need
- At a minimum, install the recommended and security patches. This is NOT the complete answer
- Install all patches, then the applications
- Do NOT install Sun sendmail patches if you are using the VT sendmail

OS Settings: Console Security (SPARC only)
- Prevents someone from using console commands
- Disable the STOP-A sequence
- Command Mode: prevents EEPROM changes w/o the proper password

OS Settings: Full Mode
- Same as command mode with extras: can't boot the system w/o the EEPROM password
- Use the eeprom command from a shell:
  # eeprom security-mode=full
- Use the setenv command from the OK prompt:
  ok setenv security-mode full

OS Settings: Disable keyboard abort sequence
- Change the following line in /etc/default/kbd from
  #KEYBOARD_ABORT=enable
  to
  KEYBOARD_ABORT=disable
- CAUTION: the system will have to be powered down to reset. No crash dumps from the PROM on a running system for analysis.


Cleaning System Scripts

Some Startup and Boot Scripts to Check

Create umask for System Daemons
- Solaris 7: install a script that every rc directory runs first (the link target must match the script name, umask.sh)
  echo 'umask 022' > /etc/init.d/umask.sh
  chmod 744 /etc/init.d/umask.sh
  for dir in /etc/rc?.d
  do
      ln -s ../init.d/umask.sh $dir/S00umask.sh
  done
- Solaris 8: set CMASK in /etc/default/init

Mount Options
- Mount filesystems with the nosuid and read-only options
- /usr can be mounted read-only
- /var can be mounted nosuid
- / can't: / is mounted RO at boot and then remounted RW. The second mount cancels the nosuid.
- Note: a FS mounted in one mode and changed to another requires a reboot.

Securing /etc/vfstab
- Protect OS binaries in /usr: ro, the FS is mounted Read Only
- Prevent rogue SUID programs: nosuid, the SUID bit is ignored in the FS
- Allow other software to be installed
- The remount option allows you to apply options to a FS that was mounted early in the boot process:
  mount -o remount,ro /usr

Securing /etc/vfstab: nosuid caution
- nosuid implies nodev, which means files in /dev and /devices will not function in a nosuid FS
- / cannot be mounted nosuid. Solaris ignores this option for the root FS
- Creating a separate /devices and mounting the rest of / nosuid doesn't work: /devices doesn't get mounted at boot, so the kernel panics
- Anon FTP areas require device files and must not be mounted nosuid
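The vfstab advice of the last three slides as one check, an added shell example that is not part of the course: it audits a vfstab for /usr read-only, nosuid elsewhere and logging on /, flags a nosuid on / as ignored, exempts the anon FTP area, and writes a corrected table. The vfstab and the exemption list are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the course: audit a Solaris /etc/vfstab against
# the mount-option advice above (/usr read-only, everything else nosuid,
# logging on / where Solaris 8 allows it), then emit a corrected copy.
# Field layout is the real vfstab(4) one: device-to-mount device-to-fsck
# mount-point fstype fsck-pass mount-at-boot mount-options.  The table
# itself is constructed sample data.
VFSTAB=$(mktemp)
cat > "$VFSTAB" <<'EOF'
#device         device          mount   FS      fsck    mount   mount
#to mount       to fsck         point   type    pass    at boot options
fd      -       /dev/fd fd      -       no      -
/proc   -       /proc   proc    -       no      -
/dev/dsk/c0t0d0s1       -       -       swap    -       no      -
/dev/dsk/c0t0d0s0       /dev/rdsk/c0t0d0s0      /       ufs     1       no      nosuid
/dev/dsk/c0t0d0s6       /dev/rdsk/c0t0d0s6      /usr    ufs     1       no      -
/dev/dsk/c0t0d0s4       /dev/rdsk/c0t0d0s4      /var    ufs     1       no      -
/dev/dsk/c0t0d0s7       /dev/rdsk/c0t0d0s7      /export/home    ufs     2       yes     logging
/dev/dsk/c0t1d0s0       /dev/rdsk/c0t1d0s0      /export/ftp     ufs     2       yes     -
swap    -       /tmp    tmpfs   -       yes     -
EOF

# Mount points that legitimately need device files (anon FTP areas) and
# therefore must stay suid-capable; space separated, assumed for the demo.
NOSUID_EXEMPT="/export/ftp"

# audit_vfstab <vfstab>: print one finding per line, exit 1 if any.
audit_vfstab() {
    awk -v exempt="$NOSUID_EXEMPT" '
    function has(o) { return index("," opts ",", "," o ",") > 0 }
    BEGIN { n = split(exempt, ex, " "); for (i = 1; i <= n; i++) exmap[ex[i]] = 1 }
    /^#/ || NF < 7 || $4 != "ufs" { next }
    {
        mp = $3; opts = ($7 == "-") ? "" : $7
        if (mp == "/") {
            # nosuid on / is silently ignored; logging is what helps here
            if (has("nosuid")) { print mp ": nosuid is ignored on the root FS"; bad++ }
            if (!has("logging")) { print mp ": logging not enabled (Solaris 8)"; bad++ }
        } else if (mp == "/usr") {
            if (!has("ro")) { print mp ": not mounted read-only"; bad++ }
        } else if (!(mp in exmap) && !has("nosuid")) {
            print mp ": not mounted nosuid"; bad++
        }
    }
    END { if (bad) exit 1 }' "$1"
}

# harden_vfstab <vfstab>: write the corrected table to stdout.  The new
# options take effect at the next boot (or "mount -o remount,ro /usr").
harden_vfstab() {
    awk -v exempt="$NOSUID_EXEMPT" '
    function add(o) {
        if (opts == "") return o
        if (index("," opts ",", "," o ",") > 0) return opts
        return opts "," o
    }
    function drop(o,   n, a, i, r) {
        n = split(opts, a, ","); r = ""
        for (i = 1; i <= n; i++)
            if (a[i] != o && a[i] != "") r = (r == "" ? a[i] : r "," a[i])
        return r
    }
    BEGIN { n = split(exempt, ex, " "); for (i = 1; i <= n; i++) exmap[ex[i]] = 1 }
    /^#/ || NF < 7 || $4 != "ufs" { print; next }
    {
        opts = ($7 == "-") ? "" : $7
        if ($3 == "/") { opts = drop("nosuid"); opts = add("logging") }
        else if ($3 == "/usr") opts = add("ro")
        else if (!($3 in exmap)) opts = add("nosuid")
        $7 = (opts == "") ? "-" : opts
        print
    }' "$1"
}

audit_vfstab "$VFSTAB" || echo "corrected table:" && harden_vfstab "$VFSTAB"
```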

The logging feature
- The logging option for a FS creates a transaction log; it allows faster reboots but slower file writes and more disk space for the logs
- Prevents a physical access attack: continuously crash the system until / is corrupted, then the OS asks you to fsck /. At that point you have a root shell and can install backdoors, etc.
- Logging prevents this from happening, so we're a little safer from a physical access attack
- Solaris 8 allows logging on /. Enable this if possible!

/etc/rmmount.conf
- Add to /etc/rmmount.conf:
  mount hsfs -o nosuid
  mount ufs -o nosuid
- Prevents SUID programs from being loaded from removable media. Default in Solaris 8
- A common attack is to create a SUID shell on a CD or floppy and use it to get root on a system you have physical access to

/etc/ftpusers
- Lists users NOT allowed to FTP
- Include root in /etc/ftpusers:
  touch /etc/ftpusers
  for user in root daemon bin sys nobody noaccess nobody4 uucp adm lp smtp listen
  do
      echo $user >> /etc/ftpusers
  done
  chown root /etc/ftpusers; chgrp root /etc/ftpusers; chmod 600 /etc/ftpusers

.rhosts
- Remove rhosts_auth from /etc/pam.conf. This causes the system to ignore .rhosts authentication (grep reads pam.conf and writes the filtered copy; do not redirect into pam.conf itself, that truncates it):
  grep -v rhosts_auth /etc/pam.conf > /etc/pam.new
  mv /etc/pam.new /etc/pam.conf
  chmod 644 /etc/pam.conf

Crontab
- Limit use by adding the appropriate users to /etc/cron.d/cron.allow
- Only users listed in the *.allow files can modify cron/at jobs
- Cron can still run jobs as other users

More Scripts to Check
- Syslog: the -t flag stops syslogd from listening on port 514/udp. Keeps the system from being a syslog server
- Devfsadm (Solaris 7 or later): Solaris >= 7 supports hot swap devices. Solaris 8 device daemons also control dynamic pty allocation. If you don't have hot swap devices, you can disable this script

More Cleanup
- /etc/inittab: remove
  sc:234:respawn:/usr/lib/saf/sac -t 300
  This disables the listener on the serial ports. The login prompt will still appear on the console
- rm /etc/inetd.conf and add only what you need
- rm adm lp sys from /var/spool/cron/crontabs
- rm /etc/auto_* /etc/dfs/dfstab if not using NFS

Finding Trojans: Fingerprints
- Use the Solaris Fingerprint database to check for trojans
- Verifies local MD5 checksums of system files against the known checksums at the SunSolve site
- sfpDB maps a digital fingerprint to a path name, package version/identifier and product name
- Contains 1M entries used in the Solaris OE, Solaris OE patches and unbundled products

Finding Trojans: Fingerprints Installation
- Download the MD5 binaries from http://sunsolve.sun.com/md5/md5.tar.Z
  zcat md5.tar.Z | tar xvf -
- Creates a md5 directory with the binaries md5-sparc and md5-x86
  chmod 700 md5/*
  chown root:root md5/*

Finding Trojans: Fingerprints Create MD5 Digital fingerprint
- md5/md5-sparc <file name> ...
- Use to create fingerprints of files that have changed recently:
  find /usr/bin -type f -mtime -1 -print | xargs -n100 md5/md5-sparc > /tmp/md5s.txt

Finding Trojans: Fingerprints Testing a Digital Fingerprint
- Go to http://sunsolve.sun.com, login using the vtsug userid, click on Security Information, click on Solaris Fingerprints
- Paste your digital fingerprints into the www form. Click submit
- Wait a few and then view the results

Finding Trojans: Fingerprints
Advantages
- Massive checksum DB of binaries
- WWW interface
- Easy to create a file of checksums
Disadvantages
- Need net access to Sun's www site
- Doesn't read input from a file
- 256 queries at a time

Solaris Fingerprint Database
- Developed by Sun to help find trojan programs installed by hackers
- MD5 checksums of 1 million Sun binaries used in the OE, patches, unbundled products
- Need the MD5 program: http://sunsolve.sun.com/md5/md5.tar.Z
- Do the chmod, chown on /opt/md5

Solaris Fingerprint Database: Create local MD5
  /opt/md5/md5-sparc /usr/bin/su
  find /usr/bin -type f -mtime -1 -print | xargs -n100 /opt/md5/md5-sparc > /tmp/md5s.txt
- Compare the MD5 list to Sun's FPD: http://sunsolve.sun.com/pub-cgi/fileFingerprints.pl
- Copy/paste the MD5s into the web form, press submit. 256 entries max at one time

Solaris Fingerprint Database
- Database Companion automates the process of collecting and checking MD5s against the SFD
- Database Sidekick checks a system for known rootkits. It maintains a list of commonly trojaned Solaris binaries.
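The comparison the SunSolve form performs, done locally as an added shell example that is not part of the course or of Sun's companion tools: it checks a list in the format Sun's md5 binary prints against a known-good list kept offline (for instance, fingerprints taken from a freshly installed and patched build of the same release), reports OK, MISMATCH and UNKNOWN per file, and batches a list into the 256-line pieces the form accepts. Both lists are constructed and the hash values are placeholders.

```shell
#!/bin/sh
# Added example, not from the course: compare local MD5 fingerprints with
# a known-good list offline, plus the 256-line batching the SunSolve form
# requires.  Both lists below are constructed; the layout is the one Sun's
# md5 binary prints, "MD5 (path) = hash", and the hashes are placeholders.
LOCAL=$(mktemp); KNOWN=$(mktemp)
cat > "$KNOWN" <<'EOF'
MD5 (/usr/bin/ls) = 1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d
MD5 (/usr/bin/ps) = 9f8e7d6c5b4a39281706f5e4d3c2b1a0
MD5 (/usr/bin/login) = 0123456789abcdef0123456789abcdef
MD5 (/usr/bin/netstat) = fedcba9876543210fedcba9876543210
EOF
cat > "$LOCAL" <<'EOF'
MD5 (/usr/bin/ls) = 1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d
MD5 (/usr/bin/ps) = deadbeefdeadbeefdeadbeefdeadbeef
MD5 (/usr/bin/login) = 0123456789abcdef0123456789abcdef
MD5 (/usr/local/bin/foo) = cafebabecafebabecafebabecafebabe
EOF

# fingerprint_recent <dir> <days> <md5-binary>: the collection step from
# the slides (find recently changed files, hash them 100 at a time).
# Not run here because it needs Sun's md5 binary on a Solaris host.
fingerprint_recent() {
    find "$1" -type f -mtime "-$2" -print | xargs -n100 "$3"
}

# check_fingerprints <local-list> <known-good-list>
# One line per local entry: OK, MISMATCH (hash differs from the known-good
# one, the trojan signature) or UNKNOWN (path not in the list, so it
# cannot be vouched for either way).  Exit 1 if any MISMATCH.
check_fingerprints() {
    awk '
        NR == FNR { if ($1 == "MD5") known[$2] = $4; next }   # known-good
        $1 == "MD5" {
            path = $2; gsub(/[()]/, "", path)
            if (!($2 in known))       print "UNKNOWN  " path
            else if (known[$2] != $4) { print "MISMATCH " path; bad++ }
            else                      print "OK       " path
        }
        END { if (bad) exit 1 }' "$2" "$1"
}

# split_for_submission <list> <prefix>: at most 256 lines per output file,
# the ceiling the SunSolve form accepts per paste.
split_for_submission() {
    split -l 256 "$1" "$2"
}

check_fingerprints "$LOCAL" "$KNOWN" || echo "one or more binaries do not match the known-good list"
```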

Tripwire
- Available from www.tripwire.com
- First of the file integrity checkers
- Unix and NT versions available
- Network capable versions available
- The academic version is free. Commercial and NT versions are not.
- Useful in finding trojan programs

Tripwire
- Generates a "signature" for each file based on checksums and other characteristics
- These signatures are stored in a database file that should be kept offline. This is the baseline.
- The latest threat involves dynamic exec redirection. This is part of the newer Kernel Module Rootkits.

Tripwire
- List of files to check: tw.config
- All files in a directory will be checked. Can prune directories from the check step.
- Can examine just the directory and nothing else
- Can check by access time, but not recommended since you'll get a report of everything that changed. Everything!

Tripwire
- To initialize the DB: tripwire -initialize
- Update the DB interactively: tripwire -interactive
- Non-interactive DB update: tripwire -update <FN>

Tripwire Security Issues
- Need to protect the DB
- Need to protect the vulnerable executables
Advantages
- Simple interface, good choice of crypto hash functions, good all-around tool
Disadvantages
- Kernel mod attacks, initial tw.config takes some time to customize, NT version is good but costs $$$, no network security

User Accounts
- Some accounts can be deleted: smtp, nuucp, listen
  passmgmt -d <account name>
- The JASS toolkit contains a noshell command that will generate a syslog entry when someone tries to log in to a disabled account

User Accounts
- Lock userids: passwd -l <userid>
- Modify accounts: passwd -e <userid>
- System accounts in /etc/passwd have no shell assigned to them. They also have NP in the password field of /etc/shadow
- UID/GID pairs must be unique across NFS. Recommend using the PID # as a UID

at, cron, batch
- Access to these commands can be restricted using the at.allow, at.deny, cron.deny and cron.allow files in /usr/lib/cron
- If neither file exists, then only root can run the cron or at commands

Init
- System services are controlled by the /etc/rcX.d directories, where
  X=0 : shutdown
  X=S : single user mode
  X=1 : start
  X=2 : multi-user, no network services
  X=3 : multi-user (default)
  X=4 : unused
  X=5 : shutdown and power off
  X=6 : shutdown and reboot

Init
- Start up scripts: SxxService
- Kill scripts: KxxService
- Main scripts live in /etc/init.d
- Symlinks are in the /etc/rcX.d directories

RC Scripts
- Create S99local to start up ssh, portsentry, etc.
- Some of the startup scripts can be disabled. Caution: your mileage will vary tremendously. Some examples: S80lp, S73nfs.*, S74autofs, S88sendmail

Kernel Adjustments

Kernel Settings to Help Protect Your System From Network Attacks

Kernel Adjustments
- The ndd command displays/sets kernel parms on the fly:
  ndd /dev/arp \?
  ndd /dev/icmp \?
  ndd /dev/ip \?
  ndd /dev/tcp \?
- \? = list all driver parms and their status: RO, RW. A response of 0 means the option is disabled
- ndd -set <driver> <option> <value> to set a parameter

Kernel Adjustments
- /etc/system contains kernel parameters
- Some kernel parameters can be adjusted to improve performance and security
- NFS Server:
  set nfssrv:nfs_portmon = 1
  Forces the NFS server to accept client requests only from the privileged port range (port < 1024). May break file sharing with older versions of Linux, SCO Unix

Kernel Adjustments: Executable Stacks
  set noexec_user_stack = 1
  set noexec_user_stack_log = 1
- Helps defend against stack overflow attacks. Logs the attempt as well.
- All 64 bit Solaris use non-executable stacks by default

Kernel Adjustments: Core Files
  set sys:coredumpsize = 0
- Prevents the creation of core files. Beware!
- Use the coreadm command to define target directories and file name patterns for core files. Useful in creating a central core repository.
- SUID/SGID programs will be prevented from creating core files if the above is set.

Kernel Adjustments
- No ndd parameter documentation
- Parameter names may change with new releases
- Be Very Careful

ARP Kernel Defense
- 2 types of ARP attacks:
- DOS
  - Local: attacker inserts bogus info into the ARP cache
  - Remote: attacker feeds a remote system bogus info (cache poisoning)
- Spoofing: used to compromise remote systems on the local network

ARP Kernel Defense
- ARP entries can be deleted or they time out in the cache
- Default ARP cache TO is 5 minutes
- Default IP Routing Table TO is 20 minutes
- Change the intervals:
  ndd -set /dev/arp arp_cleanup_interval 60000
  ndd -set /dev/ip ip_ire_flush_interval 60000
- Units are in milliseconds. 60000 = 1 minute
- Only slows the attack

IP Defense
- IP forwarding routes packets between network interfaces on one system
- Multihomed systems have several network I/Fs, each with a separate IP address. Not intended to route/forward packets. Used for NFS servers on multiple nets: server response is faster when connected to the same net as the clients

IP Defense
- /etc/notrouter disables IP forwarding at boot time
- /etc/init.d/inetinit determines the configuration at boot
- To dynamically disable IP forwarding:
  ndd -set /dev/ip ip_forwarding 0
- Solaris 8 allows you to set this per I/F

IP Defense
- Strict destination multihoming prevents packet spoofing on nonforwarding multihomed systems
- The system will ignore packets sent to an interface from which they didn't arrive
  ndd -set /dev/ip ip_forwarding 0
  ndd -set /dev/ip ip_strict_dest_multihoming 1

IP Defense: Multicast Routing
- Used to send data to multiple systems simultaneously using only 1 net address
- Solaris 7: comment out of /etc/init.d/inetsvc the lines from
  mcastif=`/sbin/dhcpinfo Yiaddr`
  to
  /usr/sbin/route add -interface -netmask "240.0.0.0" "224.0.0.0" "$mcastif"
  (the multicast netmask is 240.0.0.0; the original slide's 244.0.0.0 is not a valid mask)
- Solaris 8: from (if [ "$_INIT_NET_STRATEGY"....) to the /usr/sbin/route line

IP Defense
- Eliminate DHCP, named startup support and multicast support. This leaves the /etc/init.d/inetsvc script as:
  #!/bin/sh
  /usr/sbin/ifconfig -au netmask + broadcast +
  /usr/sbin/inetd -s -t

IP Defense: Directed Broadcast
- A directed broadcast is sent from a remote machine to all systems on another net
- Used by the "smurf" attack. CNS router rules limit smurf to the same subnet
- Forged ICMP echo request sent to the broadcast address w/ the target's source address
  ndd -set /dev/ip ip_forward_directed_broadcasts 0
- Default is 1

IP Defense: Src Route Packet
- A source routed packet contains a specific path the packet should take to get to a target
- Bypasses router decisions
- Enabled by default
- Disable:
  ndd -set /dev/ip ip_forward_src_routed 0

ICMP Defense
- Usually safe to disable ICMP broadcasts. All systems configured to respond to a broadcast echo request will send an echo reply
- Disable:
  ndd -set /dev/ip ip_respond_to_echo_broadcast 0
- This breaks PING. You won't be able to ping this system

ICMP Defense
- Individual timestamp requests are ok. No reason for broadcast requests. Disable:
  ndd -set /dev/ip ip_respond_to_timestamp_broadcast 0
  ndd -set /dev/ip ip_respond_to_timestamp 0    (unicast)
- Address mask requests are used to get the netmask. Printers, X-terms use this. Solaris disables by default:
  ndd -set /dev/ip ip_respond_to_address_mask_broadcast 0

TCP Defense
- Syn floods work on unestablished connections
- 2 queues: a Q for established connections and a Q for unestablished connections
- Increase the size of the unestablished connection Q:
  ndd -set /dev/tcp tcp_conn_req_max_q0 4096
  ndd -set /dev/tcp tcp_ip_abort_cinterval 60000

TCP Defense: Connection Exhaustion Attack
- Works on established connections
- The OS has a max # connections limit. The attacker exceeds this limit
- Default Q is 128. Increase to 1024:
  ndd -set /dev/tcp tcp_conn_req_max_q 1024
- This increases the amount of memory needed to process all TCP connections

TCP Defense
- IP Spoofing uses TCP Hijacking based on ISN prediction
- RFC 1498 defines a better way to generate ISNs
- 3 types: 0: predictable; 1: improved with random increment; 2: RFC 1498 method
- Solaris 8 uses 2. Modify Solaris 7 by editing /etc/default/inetinit and adding the line:
  TCP_STRONG_ISS=2

TCP Defense
- Privileged ports can only be acquired by root-owned processes
- NFS uses 2049, 4045. A hacker can set up a fake NFS server listening on these ports
- Extend the port range:
  ndd -set /dev/tcp tcp_smallest_nonpriv_port 2050
- Add individual ports:
  ndd -set /dev/tcp tcp_extra_priv_ports_add 6112

ICMP Defense
- Redirect errors are used to tell a system to use a different router
- Can be used in a Man-in-the-Middle attack to install bogus routes
- Disable incoming:
  ndd -set /dev/ip ip_ignore_redirect 1
- Disable outgoing:
  ndd -set /dev/ip ip_send_redirects 0
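The ndd settings from the ARP, IP, ICMP and TCP defense slides collected into one policy, as an added shell example that is not part of the course: it prints the `ndd -set` lines for an rc script (ndd changes do not survive a reboot), records what a live host currently has, and reports every parameter that deviates from or is missing in a capture. The capture file is constructed so the checker can run without ndd; the rc script name in the comment is an assumption.

```shell
#!/bin/sh
# Added example, not from the course: the ndd settings from the ARP, IP,
# ICMP and TCP defense slides as one policy table, with a collector that
# records what a host currently has and a checker that reports every
# deviation.  The checker runs offline against a capture, so it can be
# tested here without ndd; the capture below is constructed.
ndd_policy() {
    cat <<'EOF'
/dev/arp arp_cleanup_interval 60000
/dev/ip ip_ire_flush_interval 60000
/dev/ip ip_forwarding 0
/dev/ip ip_strict_dest_multihoming 1
/dev/ip ip_forward_directed_broadcasts 0
/dev/ip ip_forward_src_routed 0
/dev/ip ip_respond_to_echo_broadcast 0
/dev/ip ip_respond_to_timestamp_broadcast 0
/dev/ip ip_respond_to_timestamp 0
/dev/ip ip_respond_to_address_mask_broadcast 0
/dev/ip ip_ignore_redirect 1
/dev/ip ip_send_redirects 0
/dev/tcp tcp_conn_req_max_q0 4096
/dev/tcp tcp_ip_abort_cinterval 60000
/dev/tcp tcp_conn_req_max_q 1024
/dev/tcp tcp_smallest_nonpriv_port 2050
EOF
}

# emit_ndd_commands: the "ndd -set" lines for an rc script (for instance
# an /etc/init.d/nddconfig linked as S69nddconfig; that name is an
# assumption) so the settings are reapplied at every boot.
emit_ndd_commands() {
    ndd_policy | while read -r drv parm val; do
        printf 'ndd -set %s %s %s\n' "$drv" "$parm" "$val"
    done
}

# collect_ndd [ndd-binary]: read each parameter on a live host and print
# "driver parameter value"; unreadable ones are recorded as "?".
collect_ndd() {
    _ndd=${1:-/usr/sbin/ndd}
    ndd_policy | while read -r drv parm val; do
        cur=$("$_ndd" "$drv" "$parm" 2>/dev/null) || cur='?'
        printf '%s %s %s\n' "$drv" "$parm" "$cur"
    done
}

# check_ndd <capture-file>: compare a capture to the policy; print one
# line per deviation or missing parameter, exit 1 if there were any.
check_ndd() {
    ndd_policy | awk '
        NR == FNR { cur[$1 " " $2] = $3; next }        # capture first
        {
            key = $1 " " $2
            if (!(key in cur))        { print "MISSING  " key; bad++ }
            else if (cur[key] != $3)  { print "DEVIATES " key " is " cur[key] ", want " $3; bad++ }
        }
        END { if (bad) exit 1 }' "$1" -
}

# Constructed capture of a host that still forwards source-routed packets
# and keeps the default listen backlog; two parameters were not captured.
CAPTURE=$(mktemp)
cat > "$CAPTURE" <<'EOF'
/dev/arp arp_cleanup_interval 60000
/dev/ip ip_ire_flush_interval 60000
/dev/ip ip_forwarding 0
/dev/ip ip_strict_dest_multihoming 1
/dev/ip ip_forward_directed_broadcasts 0
/dev/ip ip_forward_src_routed 1
/dev/ip ip_respond_to_echo_broadcast 0
/dev/ip ip_respond_to_timestamp_broadcast 0
/dev/ip ip_respond_to_timestamp 0
/dev/ip ip_respond_to_address_mask_broadcast 0
/dev/ip ip_ignore_redirect 1
/dev/ip ip_send_redirects 0
/dev/tcp tcp_conn_req_max_q0 4096
/dev/tcp tcp_conn_req_max_q 128
EOF
check_ndd "$CAPTURE" || echo "host deviates from policy; apply the emit_ndd_commands output"
```

On a Solaris host run `collect_ndd > capture.txt` as root and then `check_ndd capture.txt`; remember the slide's caveat that parameter names can change between releases.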

System Logs
- /etc/syslog.conf
- Program I/F: syslog()
- System command: logger
- Log files defined in /etc/syslog.conf:
  /var/adm/messages (default)
  /var/log/syslog (default)
  /var/log/authlog (disabled by default)
- /usr/lib/newsyslog rotates logs every 7 days
- /var/adm/loginlog records failed login attempts

Syslog Strategies
- Create a central syslog server:
  auth.debug    @central-logger.vt.edu
- Install logcheck
- Create additional syslogs:
  auth.notice   ifdef(`LOGHOST', /var/log/Today/auth.log, @loghost)
- Make sure your system is defined as LOGHOST in /etc/hosts

Application Logs

  Log file            Written by        View with
  /var/adm/sulog      /usr/bin/su       cat, more
  /var/adm/vold.log   /usr/sbin/vold    cat, more
  /var/adm/wtmpx      /usr/bin/login    last
  /var/adm/loginlog   /usr/bin/login    Must touch 1st
  /var/cron/log       /usr/sbin/cron

System Accounting
- Use the sar command to gather system resource usage data: CPU, memory, disk, file I/O, system calls
- Archives are stored in /var/adm/sa
- The vmstat command collects data in real time
- Need SUNWaccr, SUNWaccu; uncomment /etc/init.d/perf and the sys crontab in /var/spool/cron/crontabs
- Reset the default shell for user sys:
  passmgmt -m -s /sbin/sh sys

System Accounting
- Run it every 20 minutes
- Archive data longer than 1 month
- Edit /etc/init.d/perf and the scripts in /usr/lib/sa
- Change calls like `date +%d` to `date +%Y%m%d`. The sar command will still be looking for files under the old naming, so you need to use the -f option to point to the correct file
- /usr/lib/sa/sa2 purges raw data after 1 week. Remove the find command at the end of the sa2 script.

Process Accounting
- You can tell the kernel to log data about every process on the system
- Can be selectively enabled/disabled using the accton command. Specify where the log file is:
  /usr/lib/acct/accton /var/adm/pacct
- Once enabled, the kernel logs 40 bytes of data for each process that runs to completion
- Use acctcom to examine the logs
- Process accounting can cause 10-20% degradation

RPC Services
- rpcbind: central RPC service agent
- A new RPC service registers with rpcbind
- rpcbind maintains a table of RPC services (program #) and the ports they listen on
- A client contacts rpcbind first with a program # to determine the port to connect to
- Used by DiskSuite, NFS, NIS+, Kerberos

RPC Services: /etc/inetd.conf
- testsvc, sadmind, rquotad, rpc.rusersd, rpc.sprayd, rpc.rwalld, rpc.rstatd, rpc.rexd, kcms.server, ufsd, cachefs, kerbd, xaudio, rpc.cmsd, rpc.ttdbserverd
- Remove all of these services unless specifically required

RPC Services: Startup scripts
- /etc/rc2.d/S71rpc, /etc/rc3.d/S71rpc: rpcbind, keyserv, rpc.nisd, nis_cachemgr, rpc.nispasswdd. Used by rpcbind, NIS/NIS+, NFS client/server
- NFS Server: /etc/rc2.d/S73nfs.server, /etc/rc3.d/S15nfs.server
  - Explicitly list client hosts, no world access
  - Export the lowest level dir only and RO
  - Synchronize UID/GID between pairs
  - Use strong authentication if possible (AUTH_DES, AUTH_KERB)

Sendmail
- Use the sendmail kit available from ftp://ftp.vt.edu/pub/cc/Solaris/sendmailX.tar.Z
- Sendmail kit built by VT with anti-relay and anti-spam filters
- Contains install and backout scripts

Sendmail
- Tailor as necessary
- Solaris 8 undocumented way to have sendmail handle mail w/o cron:
  echo 'MODE=""' > /etc/default/sendmail
- Sendmail will only process outgoing mail and not accept incoming connections. Useful if you forward mail to [email protected]
- See the Sun Blueprint tools page (www.sun.com/blueprints/tools) for a replacement /etc/default/sendmail

Name Service Caching (nscd)
- Provides caching for NS requests
- Performance boost: all NS requests made by system library calls are routed to nscd
- Sun recommends caching as little as possible
- Do not disable. NIS/NIS+ and some versions of Netscape break
- nscd -g : see the current configuration

Banner Files
- /etc/motd
- /etc/issue
- /etc/default/telnetd
  BANNER="place your text here"
- /etc/default/ftpd
  BANNER="place your text here"
- /etc/sendmail.cf
  SmtpGreetingMessage=Put Warning here

More on /etc/default
- /etc/default/cron: CRONLOG=yes tells cron to log to /var/cron/log for each cron job. Roll this log often; see /etc/cron.d/logchecker
- /etc/default/su: defines PATH, SUPATH for the su command
- /etc/default/passwd: set password aging, password length
- /etc/default/kbd: disable STOP-A on systems

/etc/default/login
- CONSOLE: root logins allowed only on this device, usually the console
- PATH, SUPATH: uncomment and set
- UMASK: uncomment and set
- RETRIES: number of failed logins before login exits
- SYSLOG_FAILED_LOGINS: number of failed logins before a message is logged to /var/adm/loginlog (Solaris 8)
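The /etc/default settings this and the previous slides call out (login, kbd, inetinit, cron, init), as an added shell example that is not part of the course: a policy-driven audit that reports keys that are commented out, missing or set to the wrong value, and a fixer that uncomments or appends the required lines. It runs against a directory argument, here a constructed copy of a freshly installed host's /etc/default; the policy values are the ones the slides give, with "*" for keys the slides say to set but leave the value to you.

```shell
#!/bin/sh
# Added example, not from the course: audit the /etc/default settings the
# slides call out (login, kbd, inetinit, cron, init) and fix the ones that
# are missing or commented out.  Runs against a directory argument so it
# can be tried on a constructed copy; on a real host pass /etc/default.
# Policy format: file key wanted-value, where "*" means "set to anything".
default_policy() {
    cat <<'EOF'
login CONSOLE /dev/console
login UMASK 022
login RETRIES *
login SYSLOG_FAILED_LOGINS *
kbd KEYBOARD_ABORT disable
inetinit TCP_STRONG_ISS 2
cron CRONLOG yes
init CMASK 022
EOF
}

# get_key <file> <KEY>: value of the last uncommented KEY= line, quotes
# stripped; exit 1 when the file or an active line is missing.
get_key() {
    [ -f "$1" ] || return 1
    awk -v k="$2" '
        index($0, k "=") == 1 { v = substr($0, length(k) + 2); seen = 1 }
        END { if (!seen) exit 1; gsub(/"/, "", v); print v }' "$1"
}

# check_defaults <dir>: one finding per line, exit 1 if any.  Values are
# compared case-insensitively (Solaris ships CRONLOG=YES).
check_defaults() {
    findings=$(default_policy | while read -r f k want; do
        if v=$(get_key "$1/$f" "$k"); then
            [ "$want" = '*' ] && continue
            lv=$(printf '%s' "$v" | tr 'A-Z' 'a-z')
            lw=$(printf '%s' "$want" | tr 'A-Z' 'a-z')
            [ "$lv" = "$lw" ] || echo "$f: $k=$v, want $want"
        else
            echo "$f: $k not set (missing or commented out)"
        fi
    done)
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# set_default <file> <KEY> <value>: replace the active or commented-out
# KEY= line (first occurrence, later duplicates dropped) or append one.
set_default() {
    [ -f "$1" ] || : > "$1"
    _tmp=$(mktemp)
    awk -v k="$2" -v v="$3" '
        index($0, k "=") == 1 || index($0, "#" k "=") == 1 {
            if (!done) { print k "=" v; done = 1 }
            next
        }
        { print }
        END { if (!done) print k "=" v }' "$1" > "$_tmp" && cat "$_tmp" > "$1"
    rm -f "$_tmp"
}

# fix_defaults <dir>: apply the policy.  "*" entries are reported by the
# check but left alone here, since the value is a local decision.
fix_defaults() {
    default_policy | while read -r f k want; do
        [ "$want" = '*' ] && continue
        set_default "$1/$f" "$k" "$want"
    done
}

# Constructed copy of a freshly installed host's /etc/default, with the
# weak spots the slides warn about (no init file at all).
D=$(mktemp -d)
printf '#CONSOLE=/dev/console\nPASSREQ=YES\n#UMASK=022\nRETRIES=5\n#SYSLOG_FAILED_LOGINS=5\n' > "$D/login"
printf '#KEYBOARD_ABORT=enable\n' > "$D/kbd"
printf 'TCP_STRONG_ISS=1\n' > "$D/inetinit"
printf 'CRONLOG=YES\n' > "$D/cron"
check_defaults "$D" || echo "run fix_defaults $D to correct the above"
```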

Additional Login Files
- Set UMASK, PATH in /etc/profile, /etc/.login
- Default files for userid creation are in /etc/skel. These files are used by the useradd or admintool programs
- Can be overridden by users

Fix-modes Program
- Corrects insecure system file/directory perms: removes group/world write permissions, makes most files owned by root
- Uses /var/sadm/install/contents for the list of programs to check
- User files NOT installed with pkgadd will not be affected
- Core files in Solaris 8 are fixed. Things like CDE aren't

Building TCP Wrappers
- Available from ftp://ftp.porcupine.org/pub/security/index.html
- Modify the Makefile: set REAL_DAEMON_DIR; send logging to LOG_AUTH
- Download the IPv6 version for Solaris 8
- Use the advanced installation method

Building OpenSSH
- OpenSSH implements SSH1, SSH2
- Maintained by OpenBSD
- Tested on Solaris 2.6 5/98 Sparc, Solaris 7 11/99 Sparc, Solaris 8 4/01 Sparc with Forte Developer 6 update 1 and gcc 2.95.2

Building OpenSSH: Prerequisite Components
- OpenSSH 2.9p2 from http://www.openssh.com/portable.html
- Zlib 1.1.3 from http://www.freesoftware.com/pub/infozip/zlib (Solaris 8 CD: package format)
- OpenSSL 0.9.6b from http://www.openssl.org/source
- PRNGD 0.9.19 from http://www.aet.tu-cottbus.de/personen/jaenicke/postfix_tls/prngd.html (pseudo random number generator)

Building OpenSSH: Building zlib
  cd zlib-1.1.3
  ./configure                                   (for gcc)
  env CC=cc CFLAGS="-xO4 -KPIC" ./configure     (for Sun cc)
  make
  make install
  ls -l /usr/local/lib/libz.a

Building OpenSSH: Building OpenSSL
  cd openssl-0.9.6b
  ./Configure <compiler>
  make
  make install
  ls -l /usr/local/ssl/lib

Building PRNGD
  cd prngd-0.9.19
  make CC=gcc CFLAGS="-O3 -DSOLARIS" SYSLIBS="-lsocket -lnsl"          (gcc)
  make CC=cc CFLAGS="-xO4 -DSOLARIS -KPIC" SYSLIBS="-lsocket -lnsl"    (Sun cc)

Building OpenSSH: Building PRNGD (cont'd)
  cp prngd /usr/local/sbin/prngd
  chown root:bin /usr/local/sbin/prngd
  chmod 755 /usr/local/sbin/prngd
  cp contrib/Solaris7/prngd.conf.solaris-7 /etc/prngd.conf
  cat /var/log/syslog > /etc/prngd-seed

Building OpenSSH: Building OpenSSH
- gcc version:
  ./configure --prefix=/opt/OBSDssh --with-pam --without-rsh --disable-suid-ssh \
      --sysconfdir=/etc --with-prngd-socket=/var/spool/prngd/pool
  make
  make install
  ls -l /opt/OBSDssh/bin/ssh
- Start: /etc/init.d/openssh.server start

Building OpenSSH
- http://www.sun.com/blueprints/tools/makeOpenSSHPackage.ksh builds a Solaris package containing OpenSSH:
  ./makeOpenSSHPackage.ksh
  pkgadd -d OBSDssh.pkg OBSDssh

/etc/sshd_config Guidelines
- ListenAddress: used to set up SSH servers on virtual I/Fs
- Protocol 2,1: try v2 first, then v1
- SyslogFacility AUTH: send logging messages to LOG_AUTH like TCP Wrappers
- CheckMail, PrintMotd: done by SSH or login, your choice
- KeepAlive: send a heartbeat packet to verify the host is still reachable. Good for keeping hung sessions down

/etc/sshd_config Guidelines
- IgnoreRhosts yes: disable all types of rhosts authentication
- PermitRootLogin no: forces people to su to root. Be careful: this also prevents remote command execution and copying files from one system to another via scp as root

SSH: Using RSA Authentication
- Generate your key pair using something like PGP
- Copy the public key to the remote system
- The remote system authenticates the user by encrypting a message w/ the public key
- The user decrypts it using the private key and sends it back to the remote system

SSH RSA Example

  % ssh-keygen -b 1024 -f ~/.ssh/identity
  [...]
  Enter passphrase: XXXXXXXX
  Enter the same passphrase again: XXXXXXXX
  [...]
  % scp ~/.ssh/identity.pub remotehost:~/.ssh/authorized_keys
  rcm@remotehost password: YYYYYYY
  identity.pub | 0 KB | 0.3kB/s | ETA: 00:00 | 100%
  % ssh remotehost
  Enter passphrase for RSA key rcm@thishost: KKKKKKK

Testing & Verification

Minimum Security Benchmark Procedures and Toolkits for Testing and Verifying System Security

Testing & Verification: Pomeranz Test
- Can get here from there
- Can't get here from there
- Can't get here as Superuser
- What's Running?
- Can't write in /usr
- Can't run SUID from /var/tmp
- Check your logs

Can Get Here From There
- ssh userid@securehost
- Reasons for failure:
  - Localhost isn't in securehost's hosts.allow
  - TCP Wrappers in sshd can't find localhost's name from its IP address
  - sshd can't read hosts.allow, hosts.deny
  - The userid doesn't exist on securehost
  - RSA identity certificate not properly installed

Can't Get Here From There
- From badhost: ssh securehost
- Root should be getting an email if logcheck and syslog are working
- Reasons the connection might work: hosts.allow is too permissive
- Reasons for failure: securehost may have an invalid sendmail.cf file

Can't Get Here As Superuser
- ssh -l root securehost
- Reason for success: /etc/sshd_config is incorrect. You shouldn't allow direct root logins

What's Running?
- Do a 'ps -ef' or lsof on an idle system
- Reasons you might see different output:
  - You're logged in multiple times
  - You logged in on the console
  - Forgot to remove all recommended files from /etc/rc*.d
  - /etc/defaultrouter doesn't exist

Can't Write in /usr
- touch /usr/bin/BAD
- Should generate an error message. Reasons for success:
  - Forgot to reboot/remount /usr in RO mode
  - Incorrect configuration of /etc/vfstab

Can't Run SUID from /var/tmp
  # cd /var/tmp
  # cp /usr/bin/ps .
  # chmod 4111 ps
  ^D
  $ /usr/bin/ps -ef
  $ /var/tmp/ps -ef
- Reasons for success: 1) still running as root 2) running the wrong version of ps 3) misconfigured /etc/vfstab

Check Your Logs
- Reasons for failure:
  - /etc/syslog.conf has no auth.* entries
  - Files/devices listed in /etc/syslog.conf are invalid
  - Loghost is unreachable or misconfigured
  - Forgot to modify TCP Wrapper's Makefile to send logging messages to LOG_AUTH
  - /etc/sshd_config is misconfigured

Backups
- Have a complete level 0 dump of all file systems
- Set up an alternate boot disk
- Lock it up and don't re-use the tape/disk
- Make another dump every time you make significant changes
- Should you use network backup for sensitive servers? In our environment it's ok because of the network topology

Alternate Boot Disk Setup
- Install 2 identical internal disks
- Install the OS on the primary disk
- Partition the 2nd disk identically to the primary
- Format the secondary disk
- Create filesystems on the secondary disk
- dd copy from primary to secondary
- Install the ufs bootblock in s0 of the secondary
- Modify /broot/etc/vfstab to mount the secondary as /, change the auto bootup device in the EEPROM

va-scan Copyright 2002, Marchany

Security Benchmarks

Tools and Benchmark Documents for Securing Solaris Systems


Configurator
- http://www.deer-run.com/~hal/jumpstart/configurator
- Testing tool for SANS “Securing Solaris” and CIS “Solaris Security Benchmark” docs
- Will CHANGE your system settings to conform with the above docs
- Can be integrated into a Jumpstart server or run in standalone mode


CIS Solaris Benchmark
- Minimum actions to harden your system
- Configurator script available from http://www.deer-run.com/~hal/jumpstart/configurator
- Can be used to configure according to the CIS benchmark or SANS Securing Solaris


SANS Benchmark
- Available from http://security.vt.edu in the Online Books section. Need PID to get it.
- Contains step-by-step instructions in a manner similar to the CIS benchmark
- Systems can be configured using Hal Pomeranz’s Configurator


JASS
- Free from www.sun.com/blueprints/tools
- Set of scripts to secure your system
- Can be used as part of a Jumpstart install
- Useful for lab situations
- It’s an “officially endorsed” Sun item
- JASS doesn’t secure systems enough


YASSP
- http://www.yassp.org
- Jean Chouanard took an early version of the SANS Securing Solaris course, went home and wrote YASSP
- Comes in pkgadd format
- Endorsed by SANS
- Runs on Solaris 2.6, 7, 8 (beta)
- Mailing list: secure-sol-[email protected]


YASSP Pros/Cons
Pro:
- pkgadd format very useful
- Works on Core, End-user, Developer, Full
- Automatically installs security tools
Con:
- Not very modular
- /etc/yassp.conf hard to understand


TITAN
- Collection of programs/scripts which either fix or tighten security problems
- Not a replacement for anything. It’s a supplement to your system security toolkit.
- http://www.fish.com/titan


TITAN Pros/Cons
Pro:
- Modular and extensible
- Verification function
- Linux version in beta test
Con:
- Writing modules can be complex


Conclusions
- Keep an eye on your system
- Build minimal functionality, then add what you need
- Mount FS RO or NOSUID
- Use SSH
- Verify everything
- Send Randy log excerpts of probes


Appendix 1

Portsentry, IP Filter, logcheck configuration guidelines


Portsentry
- Available from www.psionic.com
- Monitors ports and performs an action when an attempt to access the port is made.
- Usually access is denied to the probing systems.
- Monitors TCP and UDP traffic.
- A little more flexible than TCP Wrappers


Portsentry Configuration Files
- portsentry.conf contains the list of ports to be monitored.
- 3 levels of paranoia


Logcheck
- Available from www.psionic.com
- Syslog keyword scanner
- When it matches something, it does something:
  - Send email
  - Page someone
  - Run a command


logcheck.violations
- These keywords denote a problem and are flagged by logcheck.


logcheck.ignore
- Phrases listed in this file are ignored by the logcheck program.


logcheck.hacking
- Keywords in this file indicate an attack is taking place.
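How the three keyword files above work together, as an added re-creation in shell (not logcheck's own code). The order assumed here, hacking first, then violations, then everything not matched by logcheck.ignore, follows logcheck.sh as I remember it; the keyword entries, hosts, addresses and log lines are all constructed.

```shell
#!/bin/sh
# Added example, not logcheck's own code: a minimal re-creation of how the
# three keyword files are applied. Assumed order (as in logcheck.sh): hacking
# keywords first, then violations, then anything not matched by
# logcheck.ignore is reported as unusual. Matching is case-insensitive
# (grep -i -f), as logcheck does.
logcheck_classify() {  # $1 = log file, $2 = directory holding the keyword files
    while IFS= read -r line; do
        if   printf '%s\n' "$line" | grep -i -q -f "$2/logcheck.hacking";    then echo "ATTACK    $line"
        elif printf '%s\n' "$line" | grep -i -q -f "$2/logcheck.violations"; then echo "VIOLATION $line"
        elif printf '%s\n' "$line" | grep -i -q -f "$2/logcheck.ignore";     then :   # suppressed
        else                                                                      echo "UNUSUAL   $line"
        fi
    done < "$1"
}

# Constructed keyword files and log lines (hypothetical host and addresses)
D=${TMPDIR:-/tmp}/logcheck-demo.$$
mkdir -p "$D"; trap 'rm -rf "$D"' EXIT
printf 'ATTACKALERT\nrpcbind: refused connect\n' > "$D/logcheck.hacking"
printf 'Failed password\nROOT LOGIN REFUSED\n'   > "$D/logcheck.violations"
printf 'sendmail.*stat=Sent\ncron.*CMD\n'        > "$D/logcheck.ignore"
cat > "$D/messages" <<'EOF'
Jul 30 02:01:11 myhost portsentry[212]: attackalert: Connect from host: 10.9.8.7/10.9.8.7 to TCP port: 111
Jul 30 02:02:40 myhost sshd[330]: Failed password for bob from 10.9.8.7 port 40001 ssh2
Jul 30 02:03:00 myhost cron[45]: (root) CMD (/usr/lib/sa/sa1)
Jul 30 02:04:15 myhost sendmail[401]: g6U24FA00401: to=alice, stat=Sent
Jul 30 02:05:59 myhost in.telnetd[510]: connect from 10.9.8.7
EOF

logcheck_classify "$D/messages" "$D"
```

The cron and sendmail lines are dropped by logcheck.ignore, the Portsentry line is reported as an attack, the ssh failure as a violation, and the telnet connect, matched by nothing, as unusual.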


IP Filter
- Software package that can do NAT or basic firewall services.
- Designed to be used as a loadable kernel module but can be incorporated into a Unix kernel
- Can be configured to do IP Accounting (count # bytes), IP Filtering, IP authentication or NAT.
- http://coombs.anu.edu.au/~avalon/ip-filter.html


IP Filter
- Can explicitly allow/deny any packet.
- Distinguishes between multiple interfaces.
- Filters by IP network, hosts or protocol.
- Filters by port number or port range.
- Logs the following:
  - TCP/UDP/ICMP/IP packet headers
  - First 128 bytes
  - Pass or blocked status


IP Filter
- Statistics collected include:
  - Packets blocked
  - Packets used for accounting (packet count)
  - Packets passed
  - Packets logged
  - Inbound/outbound packet information


IP Filter Log Format

Jul 30 01:46:52 myhost.vt.edu ipmon[147]: [ID 702911 local0.warning] 01:46:52.196772 hme0 @0:5 b 194.143.66.126,21 -> 198.82.255.255,21 PR tcp len 20 40 -S IN

Jul 30 01:47:03 myhost.vt.edu ipmon[147]: [ID 702911 local0.warning] 01:47:03.269595 hme0 @0:5 b 194.143.66.126,21 -> 198.82.255.255,21 PR tcp len 20 40 -S IN

Jul 30 05:53:51 myhost.vt.edu ipmon[147]: [ID 702911 local0.warning] 05:53:50.699235 hme0 @0:5 b 203.90.84.163,1781 -> 198.82.255.255,21 PR tcp len 20 60 -S IN
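Reading the ipmon lines above with a script, as an added example that is not part of the original slides: after the syslog prefix, ipmon records the interface, the @group:rule that matched, the action (b blocked, p passed), src,port -> dst,port, the protocol, header and total length, TCP flags and the direction (IN or OUT). The summary function below counts blocked inbound packets per source and destination port; the three slide lines are used as input plus one constructed "passed" line, and the host names and addresses in that extra line are made up.

```shell
#!/bin/sh
# Added example, not part of the original slides: summarise ipmon log lines.
# After the syslog prefix, ipmon records
#   time interface @group:rule action src,port -> dst,port PR proto len hdr total [flags] direction
# where action is b (blocked) or p (passed) and direction is IN or OUT.
# Fields are located relative to the "@group:rule" token, so the length of
# the syslog prefix does not matter.

# Blocked inbound packets per source address and destination port, most frequent first
ipmon_blocked_summary() {  # $1 = file of ipmon syslog lines
    awk '
        /ipmon\[/ {
            gsub(/->/, " -> ")                      # tolerate "->198.82..." from copy/paste
            for (i = 1; i <= NF; i++) if ($i ~ /^@[0-9]+:[0-9]+$/) break
            if (i > NF) next
            action = $(i + 1); src = $(i + 2); dst = $(i + 4); proto = $(i + 6)
            if (action != "b" || $NF != "IN") next
            sub(/,[0-9]+$/, "", src)                # drop the source port
            dport = dst; sub(/^.*,/, "", dport)     # keep only the destination port
            count[src " -> port " dport "/" proto]++
        }
        END { for (k in count) print count[k], k }' "$1" | sort -rn
}

# Sample input: the three lines from the slide plus one constructed "p" (passed) line
LOG=${TMPDIR:-/tmp}/ipmon-demo.$$
trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
Jul 30 01:46:52 myhost.vt.edu ipmon[147]: [ID 702911 local0.warning] 01:46:52.196772 hme0 @0:5 b 194.143.66.126,21 -> 198.82.255.255,21 PR tcp len 20 40 -S IN
Jul 30 01:47:03 myhost.vt.edu ipmon[147]: [ID 702911 local0.warning] 01:47:03.269595 hme0 @0:5 b 194.143.66.126,21 -> 198.82.255.255,21 PR tcp len 20 40 -S IN
Jul 30 05:53:51 myhost.vt.edu ipmon[147]: [ID 702911 local0.warning] 05:53:50.699235 hme0 @0:5 b 203.90.84.163,1781 -> 198.82.255.255,21 PR tcp len 20 60 -S IN
Jul 30 06:10:02 myhost.vt.edu ipmon[147]: [ID 702911 local0.warning] 06:10:02.000001 hme0 @0:1 p 198.82.1.1,40001 -> 198.82.1.2,22 PR tcp len 20 60 -S IN
EOF

ipmon_blocked_summary "$LOG"
```

The two lines from 194.143.66.126 collapse into one entry with a count of 2; the passed line never appears because only action b with direction IN is counted.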


WWW Sites
- Sendmail: ftp.vt.edu/pub/cc/Solaris/sendmail*, ftp.sendmail.org/pub/sendmail
- Fix-modes: ftp.science.uva.nl/pub/solaris/fix-modes.tar.gz
- OpenSSH: Solaris 8 Installation CD, http://www.openssh.com/portable.html


WWW Sites
- OpenSSL: www.openssl.org/source/
- Zlib: ftp.freesoftware.com/pub/infozip/zlib/
- TCP Wrappers, rpcbind replacement: ftp.porcupine.org/pub/security/index.html
- YASSP: www.yassp.org


WWW Sites
- TITAN: www.fish.com/titan
- JASS: www.sun.com/blueprints/tools
- Bastille: http://bastille-linux.sourceforge.net
- David Brumley’s comparison document: www.theorygroup.com/Theory


WWW Sites
- Jason Rhoads’ Documents: www.sabernet.net/papers
- Sean Boran’s Security Documents: www.boran.com/security/sp/Solaris_hardening_tool
- Solaris Blueprints On-line: www.sun.com/blueprints/browsesubject.html
- Hal Pomeranz’s site: www.deer-run.com/~hal/jumpstart
- Solaris Adv. Installation Guide: docs.sun.com/ab2/coll.214.7/SPARCINSTALL