va-scancopyright 2002, marchany securing solaris systems randy marchany va tech computing center...
TRANSCRIPT
va-scan Copyright 2002, Marchany
Securing Solaris Systems
Randy MarchanyVA Tech Computing Center
va-scan Copyright 2002, Marchany
Course Outline OS Installation Tips Cleaning System Scripts Kernel settings Testing & Verification CIS Benchmarks TITAN JASS
va-scan Copyright 2002, Marchany
OS Installation Tips Core – base OS, 50Mb in size End-user – CDE/X Windows, UCB support,
NIS/NIS+/LDAP Developer – man pages, include
files(/usr/include), compiler libraries, make, ar, ld commands
Full OEM – everything on the install CD Make sure SUNWter is installed. This adds
xterm and other term support. Remote administration requires this package.
va-scan Copyright 2002, Marchany
OS Installation- Disk Partitions
Solaris 2.x no longer require as much swap space as memory but it doesn’t hurt
/var should be large - > 2GB /opt should be large - > 2GB. Compilers and
other Sun packages install here by default. DiskSuite requires 5MB on each disk for
configuration information Veritas requires 2 free partitions to
encapsulate and mirror the root drive
va-scan Copyright 2002, Marchany
OS Package Dependencies NTP
SUNWntpr SUNWntpu
Perl SUNWlibm SUNWlibms
Oracle SUNWarc, SUNWbtool, SUNWsprot, SUNWtoo,
SUNWlibCf Man Pages
SUNWlibC, SUNWdoc, SUNWman
va-scan Copyright 2002, Marchany
OS Package Dependencies Developer Tools
SUNWhea, SUNWtnfc, SUNWarc, SUNWsprot, SUNWbtool, SUNWtoo, SUNWhmdu, SUNWlibm, SUNWlibC, SUNWlibCf, SUNWtnfd
X Client (not X Server) SUNWxwrtl, SUNWxilow, SUNWxwplt,
SUNWxwfnt, SUNWxwice, SUNWmfrun, SUNWtltk, SUNWxilrl, SUNWxildh
Virtual Adrian SUNWsprot
va-scan Copyright 2002, Marchany
Determining Which Package Pomeranz Method
Attempt to install or run app Find missing file(s) via error and/or truss Check /var/sadm/install/contents of full
OS system, grep for file. This file contains the package name
Add the needed package Add appropriate dependencies Repeat until done
va-scan Copyright 2002, Marchany
Patches Available from sunsolve.sun.com 2 install tools
Patchdiag – available from sunsolve.sun.com
GASP – available from discovery.cc.vt.edu and Brian Reilly at Georgetown U
GUI front end to patchdiag Patchdiag is required
va-scan Copyright 2002, Marchany
Patches - GASP Build from kit. Create a /tmp/patches Modify the patchadd command to keep
backout option if you want it. Start: xgasp Click on Generate Patch Report
Enter sunsolve userid/password You can select individual patches or
all of them for download
va-scan Copyright 2002, Marchany
Patches - Sunsolve Go to http://sunsolve.sun.com Login as vtsug/sunsucks Use the search tools to find the patches
you need. At a minimum, installed recommended
and security patches. This is NOT the complete answer
Install all patches then the applications Do NOT install Sun sendmail patches if
you are using the VT sendmail.
va-scan Copyright 2002, Marchany
OS Settings Console Security (SPARC only)
Prevents someone from using console commands
Disable STOP-A sequence Command Mode
Prevents EEPROM changes w/o proper password
va-scan Copyright 2002, Marchany
OS Settings Full Mode
Same as command mode with extras: Can’t boot system w/o EEPROM password
Use eeprom command from shell # eeprom security-mode=full
Use setenv command from OK prompt OK setenv security-mode full
va-scan Copyright 2002, Marchany
OS Settings Disable keyboard abort sequence
Change the following line in /etc/default/kbd from
#KEYBOARD_ABORT=enable KEYBOARD_ABORT=disable
CAUTION: system will have to powered down to reset. No crash dumps from the PROM on a running system for analysis.
va-scan Copyright 2002, Marchany
Create umask for System Daemons Solaris 7
echo ‘umask 022’ > /etc/init.d/umask.sh chmod 744 /etc/init.d/umask.sh for dir in /etc/rc?.d do ln –s ../init.d/umask $dir/S00umask.sh done
Solaris 8 Set CMASK in /etc/default/init
va-scan Copyright 2002, Marchany
Mount Options Mount filesystems with nosuid, read-
only options /usr can be mounted read-only /var can be mounted nosuid / can’t
/ is mounted RO at boot and then remounted RW. The second mount cancels the nosuid.
Note: FS mounted in 1 mode and changed to another requires a reboot.
va-scan Copyright 2002, Marchany
Securing /etc/vfstab Protect OS binaries in /usr
ro – FS is mounted Read Only Prevent rogue SUID programs
nosuid – SUID bit is ignored in FS Allow other software to be installed remount option allows you to apply
options because some FS are mounted early in the boot process mount –o remount, ro /usr
va-scan Copyright 2002, Marchany
Securing /etc/vfstab nosuid caution
Implies nodev which means files in /dev/ and /devices will not function in a nosuid FS
/ cannot be mounted nosuid. Solaris ignores this option for root FS
Creating a separate /devices and mounting the rest of the / nosuid doesn’t work. /devices doesn’t get mounted at boot so the kernel panics.
Anon FTP areas require device files and must not be mounted nosuid
va-scan Copyright 2002, Marchany
The logging feature Logging option for FS creates transaction
log, allows faster reboots but slower file writes and more disk space for logs
Prevents physical access attack Continuously crash system until / is corrupted
then the OS asks you to fsck /. At that point, you have a root shell and can install backdoors, etc
Logging prevents this from happening so we’re a little safer from a physical access attack.
Solaris 8 allows logging on /. Enable this if possible!
va-scan Copyright 2002, Marchany
/etc/rmmount.conf Add to /etc/rmmount.conf
mount hsfs –o nosuid mount ufs –o nosuid
Prevents SUID programs from being loaded from removable media. Default in Solaris 8
Common attack is to create SUID shell on CD or floppy, use this to get root on system you have physical access
va-scan Copyright 2002, Marchany
/etc/ftpusers Lists users NOT allowed to FTP Include root in /etc/ftpusers touch /etc/ftpusers for user in root daemon bin sys nobody\ noaccess nobody4 uucp adm lp smtp \ listen
do echo $user >> /etc/ftpusers done chown root /etc/ftpusers; chgrp root \ /etc/ftpusers;chmod 600 /etc/ftpusers
va-scan Copyright 2002, Marchany
.rhosts Remove rhosts_auth from /etc/pam.conf Causes system to ignore .rhosts
authentication grep –v rhosts_auth > /etc/pam.conf >\ /etc/pam.new
mv /etc/pam.new /etc/pam.conf chmod 644 /etc/pam.conf
va-scan Copyright 2002, Marchany
Crontab Limit use by adding appropriate
users to /etc/cron.d/cron.allow Only users listed in *.allow files can
modify cron/at jobs Cron can still run jobs as other
users
va-scan Copyright 2002, Marchany
More Scripts to Check Syslog
-t flag stops syslogd from listening on port 514/udp. Keeps the system from being a syslog server
Devfsadm (Solaris 7 or later) Solaris >=7 supports hot swap devices Solaris 8 device daemons also control
dynamic pty allocation. If you don’t have hot swap devices, you can disable this script
va-scan Copyright 2002, Marchany
More Cleanup /etc/inittab
Remove sc:234:respawn:/usr/lib/saf/sac –t 300 Disables listener on serial ports Login prompt will still appear on the console
rm /etc/inetd.conf and add only what you need
rm adm lp sys from /var/spool/cron/crontabs rm /etc/auto_* /etc/dfs/dfstab if not
using NFS
va-scan Copyright 2002, Marchany
Finding Trojans: Fingerprints Use Solaris Fingerprint database to check
for trojans Verifies local MD5 checksums of systems
files with known checksums at the SunSolve site.
sfbDB maps a digital fingerprint to a path name, package version/identifier and product name.
Contains 1M entries used in Solaris OE, Solaris OE patches and unbundled products.
va-scan Copyright 2002, Marchany
Finding Trojans: Fingerprints Installation
Download MD5 binaries from http://sunsolve.sun.com/md5/md5.tar.Z
zcat md5.tar.Z |tar xvf – Creates a md5 directory with the binaries md5-sparc and md5-x86 chmod 700 md5/* chown root:root md5/*
va-scan Copyright 2002, Marchany
Finding Trojans: Fingerprints Create MD5 Digital fingerprint
md5/md5-sparc <file name> … Use to create fingerprints of files
that have changed recently find /usr/bin –type f –mtime –1 –print | xargs –n100 md5/md5-sparc > /tmp/md5s.txt
va-scan Copyright 2002, Marchany
Finding Trojans: Fingerprints Testing a Digital Fingerprint
Go to http://sunsolve.sun.com, login using vtsug userid, click on Security Information, click on Solaris Fingerprints.
Paste your digital fingerprints into the www form. Click submit.
Wait a few and then view the results.
va-scan Copyright 2002, Marchany
Finding Trojans: Fingerprints Advantages
Massive checksum DB of binaries WWW interface Easy to create file of checksums
Disadvantages Need net access to Sun www site Doesn’t read input from a file 256 queries at a time
va-scan Copyright 2002, Marchany
Solaris Fingerprint Database Developed by Sun to help find
trojan programs installed by hackers
MD5 checksum of 1 million Sun binaries used in OE, Patches, unbundled products
Need MD5 program http://sunsolve.sun.com/md5/md5.tar.
Z Do the chmod, chown on /opt/md5
va-scan Copyright 2002, Marchany
Solaris Fingerprint Database Create local MD5
/opt/md5/md5-sparc /usr/bin/sufind /usr/bin –type f –mtime –1 –print\ \ | xargs –n100 /opt/md5/md5-sparc > \ /tmp/md5s.txt
Compare MD5 list to Sun’s FPD http://sunsolve.sun.com/pub-cgi/fileFingerpri
nts.pl Copy/paste MD5 into web form, press
submit. 256 entries max at one time
va-scan Copyright 2002, Marchany
Solaris Fingerprint Database Database Companion automates
the process of collecting and checking MD5 against the SFD
Database Sidekick checks a system for known rootkits. It maintains a list of commonly trojaned Solaris binaries.
va-scan Copyright 2002, Marchany
Tripwire Available from www.tripwire.com First of the file integrity checkers Unix and NT versions available
Network capable versions available Academic version is free.
Commercial and NT versions are not.
Useful in finding trojan programs
va-scan Copyright 2002, Marchany
Tripwire Generates a “signature” for each file
based on checksums and other characteristics.
These signatures are stored in a database file that should be kept offline.
This is the baseline. Latest threat involves dynamic exec
redirection. This is part of the newer Kernel Module Rootkits.
va-scan Copyright 2002, Marchany
Tripwire List of files to check: tw.config
All files in a directory will be checked. Can prune directories from the check
step. Can examine just the directory and
nothing else. Can check by access time but not
recommended since you’ll get a report of everything that changed. Everything!
va-scan Copyright 2002, Marchany
Tripwire To initialize the DB: tripwire –initialize
Update DB interactively: tripwire -interactive
Non-interactive DB update: tripwire – update
<FN>
va-scan Copyright 2002, Marchany
Tripwire Security Issues
Need to protect the DB Need to protect the vulnerable executables
Advantages Simple interface, good choice of crypto hash
functions, good all-around tool Disadvantages
Kernel mod attacks, initial tw.config takes some time to customize, NT version is good but costs $$$, no network security
va-scan Copyright 2002, Marchany
User Accounts Some accounts can be deleted
smtp, nuucp, listen passmgmt –d <account name>
JASS toolkit contains a noshell command that will generate a syslog entry when someone tries to login a disabled account.
va-scan Copyright 2002, Marchany
User Accounts Lock userids: passwd –l <userid> Modify accounts: passwd –e <userid> System accounts in /etc/passwd have
no shell assigned to them They also have NP in the password field
of /etc/shadow UID/GID pairs must be unique
across NFS. Recommend using the PID # as a UID
va-scan Copyright 2002, Marchany
at, cron, batch Access to these commands can be
restricted using the at.allow, at.deny, cron.deny and cron.allow files in /usr/lib/cron
If neither file exists, then only root can run cron or at commands
va-scan Copyright 2002, Marchany
Init System services controlled by the /etc/rcX.d directories where X=0 : shutdown X=S : single user mode X=1 : start X=2 : multi-user, no network services X=3 : multi-user (default) X=4 : unused X=5 : shutdown and power off X=6 : shutdown and reboot
va-scan Copyright 2002, Marchany
Init Start up scripts : SxxService Kill scripts : KxxService Main scripts live in /etc/init.d Symlinks are in the /etc/rcX.d
directories
va-scan Copyright 2002, Marchany
RC Scripts Create S99local
Startup ssh, portsentry, etc. Some of the startup scripts can be
disabled. Caution: your mileage will vary tremendously. Some examples: S80lp, S73nfs.*, S74autofs,
S88sendmail
va-scan Copyright 2002, Marchany
Kernel Adjustments
Kernel Settings to Help Protect Your System From
Network Attacks
va-scan Copyright 2002, Marchany
Kernel Adjustments ndd command display/sets kernel
parms on the fly ndd /dev/arp \? ndd /dev/icmp \? ndd /dev/ip \? ndd /dev/tcp \?
\? = list all driver parms and status: RO, RW Response of 0 means the option is disabled
ndd –set <driver> <option> <value> to set a parameter
va-scan Copyright 2002, Marchany
Kernel Adjustments /etc/system contains kernel parameters Some kernel parameters can be adjusted
to improve performance and security NFS Server
Set nfssrv:nfs_portmon = 1 Forces NFS server to accept client requests
from privileged port range (port<1024) May break file sharing with older versions of
Linux, SCO Unix
va-scan Copyright 2002, Marchany
Kernel Adjustments Executable Stacks
set noexec_user_stack = 1 set noexec_user_stack_log = 1 Helps defend against stack overflow
attacks. Logs the attempt as well. All 64 bit Solaris use non-executable
stacks by default
va-scan Copyright 2002, Marchany
Kernel Adjustments Core Files
set sys:coredumpsize = 0 Prevents the creation of core files.
Beware! Use the coreadm command to define
target directories and file name patterns for core files. Useful in creating a central core repository.
SUID/SGID will be prevented from creating core files if the above is set.
va-scan Copyright 2002, Marchany
Kernel Adjustments No ndd parameter documentation Parameter names may change
with new releases Be Very Careful
va-scan Copyright 2002, Marchany
ARP Kernel Defense 2 types of ARP attacks
DOS Local
Attacker inserts bogus info into ARP cache Remote
Attacker feeds remote sys bogus info (cache poisoning
Spoofing Used to compromise remote systems on
the local network
va-scan Copyright 2002, Marchany
ARP Kernel Defense ARP entries can be deleted or they time
out in the cache Default TO is 5 minutes Default IP Routing Table TO is 20 minutes
Change the Intervalsndd –set /dev/arp \ arp_cleanup_interval 60000
ndd –set /dev/ip \ ip_ire_flush_interval 60000
Units are in milliseconds. 60000 = 1 minute Only slows the attack
va-scan Copyright 2002, Marchany
IP Defense IP forwarding routes packets between
network interfaces on one system Multihomed systems has several
network I/F, each with a separate IP address Not intended to route/forward packets Used for NFS servers on multiple nets –
server response is faster when connected to same net as clients
va-scan Copyright 2002, Marchany
IP Defense /etc/notrouter disables IP
forwarding at boot time /etc/init.d/inetinit determines the
configuration at boot To dynamically disable IP forwarding:
ndd -set /dev/ip ip_forwarding 0 Solaris 8 allows you to set this per I/F
va-scan Copyright 2002, Marchany
IP Defense Strict Destination multihoming prevents
packet spoofing on nonforwarding multihomed systems
System will ignore packets sent to an interface from which it didn’t arrive
ndd –set /dev/ip \ip_forwarding 0
ndd -set /dev/ip \ ip_strict_dest_multihoming 1
va-scan Copyright 2002, Marchany
IP Defense – Multicast RoutingUsed to send data to multiple systems
simultaneously using only 1 net address Solaris 7: comment out from
/etc/init.d/inetsvc mcastif=`/sbin/dchpinfo Yiaddr` to /usr/sbin/route add –interface –netmask “244.0.0.0” “224.0.0.0” “$mcastif”
Solaris 8: (if [ “$_INIT_NET_STRATEGY….) to the /usr/sbin/route line
va-scan Copyright 2002, Marchany
IP Defense Eliminate DCHP, named startup
support and multicast support. This leaves /etc/init.d/inetsvc script:
#!/bin/sh/usr/sbin/ifconfig –au netmask + broadcast +
/usr/sbin/inetd –s -t
va-scan Copyright 2002, Marchany
IP Defense – Directed Broadcast Directed broadcast is sent from a remote
machine to all systems on another net Used by “smurf” attack. CNS router rules
limit smurf to the same subnet Forged ICMP echo request sent to broadcast
w/ target source address
ndd -set /dev/ip \ ip_forward_directed_broadcasts 0 Default is 1
va-scan Copyright 2002, Marchany
IP Defense – Src Route Packet Source routed packet contains a
specific path the packet should take to get to a target
Bypasses router decisions Enabled by default Disable:
ndd –set /dev/ip \ ip_forward_src_routed 0
va-scan Copyright 2002, Marchany
ICMP Defense Usually safe to disable ICMP broadcasts All systems configured to respond to
broadcast echo request will send an echo reply
Disable: ndd -set /dev/ip \ ip_respond_to_echo_broadcast 0
This breaks PING. You won’t be able to ping this system
va-scan Copyright 2002, Marchany
ICMP Defense Individual timestamp requests are ok. No
reason for broadcast request. Disable:
ndd –set /dev/ip \ ip_respond_to_timestamp_broadcast 0
ndd –set /dev/ip \ ip_respond_to_timestamp 0 (unicast)
Address mask used to get netmask. Printers, X-term use this. Solaris disables by default ndd – set /dev/ip ip_respond_to_address_mask_broadcast 0
va-scan Copyright 2002, Marchany
TCP Defense Syn Floods work on unestablished
connections 2 queues
Q for established connections Q for unestablished connections Increase size on unestablished connect Q
ndd –set /dev/tcp \ tcp_conn_req_max_q0 4096
ndd –set /dev/tcp \tcp_ip_abort_cinterval 60000
va-scan Copyright 2002, Marchany
TCP Defense Connection Exhaustion Attack Works on established connections OS has max # connect limit. Attacker
exceeds this limit Default Q is 128. Increase to 1024
ndd –set \ /dev/tcp tcp_conn_req_max_q 1024 This increases the amount of memory
needed to process all TCP connections
va-scan Copyright 2002, Marchany
TCP Defense IP Spoofing uses TCP Hijacking based on ISN
prediction RFC 1498 defines better way to generate
ISN 3 types: 0 – predictable; 1 – improved with
random increment; 2 – RFC 1498 method Solaris 8 uses 2, modify Solaris 7 by
editing /etc/default/inetinit and add line: TCP_STRONG_ISS=2
va-scan Copyright 2002, Marchany
TCP Defense Privileged Ports can only be acquired by
root owned processes NFS uses 2049, 4045. Hacker can set up
fake NFS server listening on these ports Extend port range:
ndd –set /dev/tcp \ tcp_smallest_nonpriv_port 2050
Add individual ports: ndd –set /dev/tcp \ tcp_extra_priv_ports_add 6112
va-scan Copyright 2002, Marchany
ICMP Defense Redirect errors used to tell a system to
use a different router Can be used in Man-in-the-Middle to
install bogus routes Disable incoming:
ndd –set /dev/ip ip_ignore_redirect 1 Disable outgoing:
ndd –set /dev/ip ip_send_redirects 0
va-scan Copyright 2002, Marchany
System Logs /etc/syslog.conf Program I/F: syslog() System command: logger Log files defined in /etc/syslog.conf
/var/adm/messages (default) /var/log/syslog (default) /var/log/authlog (disabled by default)
/usr/lib/newsyslog rotates logs every 7 days
/var/adm/loginlog records failed login attempts
va-scan Copyright 2002, Marchany
Syslog Strategies Create a central syslog server Auth.debug @central-logger.vt.edu
Install logcheck Create additional syslogs
Auth.notice ifdef(‘LOGHOST’. /var/log/Today/auth.log, @loghost)
Make sure your system is defined at LOGHOST in /etc/hosts
va-scan Copyright 2002, Marchany
Application Logs
/var/adm/sulog /usr/bin/su cat, more
/var/adm/vold.log
/usr/sbin/vold cat, more
/var/adm/wtmpx /usr/bin/login last
/var/adm/loginlog
/usr/bin/login Must touch 1st
/var/cron/log /usr/sbin/cron
va-scan Copyright 2002, Marchany
System Accounting Use the sar command to gather system
resource usage data: Cpu, memory, disk, file I/O, system calls
Archives stored in /var/adm/sa vmstat command collects data in a real-
time data Need SUNWaccr, SUNWaccu, uncomment:
/etc/init.d/perf, /var/spool/cron/crontabs sys Reset default shell for user: sys
passmgmt –m –s /sbin/sh sys
va-scan Copyright 2002, Marchany
System Accounting Run it every 20 minutes Archive data longer than 1 month
Edit /etc/init.d/perf and scripts in /usr/lib/sa
Change calls like `date +%d` to ‘date +%Y%m%d` sar command will still be looking for files
in the old naming so you need to use the –f option to point to correct file
/usr/lib/sa/sa2 purges raw data after 1 week. Remove the find command at the end of the sa2 script.
va-scan Copyright 2002, Marchany
Process Accounting You can tell the kernel to log data about
every process on the system Can be selective enabled/disabled using the accton command Specify where the log file is
/usr/lib/acct/accton /var/adm/pacct Once enabled, the kernel logs 40 bytes of
data for each process that runs to completion Use acctcom to examine the logs
Process accounting can cause 10-20% degradation
va-scan Copyright 2002, Marchany
RPC Services Rpcbind – central RPC service agent
New RPC service registers with rpcbind Rpcbind maintains table of RPC services
(program #) and the ports they listen Client contacts rpcbind first with a
program # to determine the port to connect to its requestor
Used by Disksuite, NFS, NIS+, Kerberos
va-scan Copyright 2002, Marchany
RPC Services - /etc/inetd.conf Testsvc, sadmind, rquotad,
rpc.ruserd, rpc.sprayd, rpc.rwalld, rpc.rstatd, rpc.rexd, kcms.server, ufsd, cachefs, kerbd, xaudio, rpc.cmsd, rpcttdbserverd
Remove all of these services unless specifically required
va-scan Copyright 2002, Marchany
RPC Services – Startup scripts /etc/rc2.d/S71rpc, /etc/rc3.d/S71rpc
Rpcbind, keyserv, rpc.nisd, nis_cachmgr, rpc.nipasswdd
Used by rpcbind, NIS/NIS+, NFS client/server NFS Server
/etc/rc2.d/S73nfs.server, /etc/rc3.d/S15nfs.server
Explicitly list client hosts, no world access Export lowest level dir only and RO Synchronize UID/GID between pairs Use strong authentication if possible (AUTH_DES,
AUTH_KERB)
va-scan Copyright 2002, Marchany
Sendmail Use sendmail kit available from
ftp://ftp.vt.edu/pub/cc/Solaris/sendmailX.tar.Z
Sendmail kit built by VT with anti-relay and anti-spam filters
Contains install and backout scripts
va-scan Copyright 2002, Marchany
Sendmail Tailor as necessary
Solaris 8 undocumented way to have sendmail handle mail w/o cron
echo “MODE=“””” > /etc/default/sendmail
Sendmail will only process outgoing mail and no accept incoming connections. Useful if you forward mail to [email protected]
See Sun Blueprint tools page (www.sun.com/blueprints/tools) for replacement /etc/default/sendmail
va-scan Copyright 2002, Marchany
Name Service Caching (nscd) Provides caching for NS requests Performance boost, all NS requests made
by system library call routed to nscd Sun recommends caching as little as
possible Do not disable. NIS/NIS+ and some
versions of Netscape break nscd – g : see current configuration
va-scan Copyright 2002, Marchany
Banner Files /etc/motd /etc/issue /etc/default/telnetd
BANNER=“place your text here” /etc/default/fptd
BANNER=“place your text here” /etc/sendmail.cf
SmtpGreetingMessage=Put Warning here
va-scan Copyright 2002, Marchany
More on /etc/default /etc/default/cron
CRONLOG=yes tells cron to log to /var/cron/log for each cron job.
Roll this log often – see /etc/cron.d/logchecker /etc/default/su
Defines PATH, SUPATH for su command /etc/default/passwd
Set password aging, password length /etc/default/kbd
Disable STOP-A on systems
va-scan Copyright 2002, Marchany
/etc/default/login CONSOLE – root logins allowed only on
this device usually the console PATH, SUPATH – uncomment and set UMASK – uncomment and set RETRIES – number of failed logins
before login exits SYSLOG_FAILED_LOGINS – number of
failed logins before message logged to /var/adm/loginlog (Solaris 8)
va-scan Copyright 2002, Marchany
Additional Login Files Set UMASK, PATH in /etc/profile, /etc/.login
Default files for userid creation in /etc/skel. These files are used by useradd or admintool programs
Can be overridden by users
va-scan Copyright 2002, Marchany
Fix-modes Program Corrects insecure system file/directory
perms: Removes group/world write permissions Makes most files owned by root
Uses /var/sadm/install/contents for list of programs to check User files NOT installed with pkgadd will not be
affected Core files in Solaris 8 are fixed. Things like
CDE aren’t
va-scan Copyright 2002, Marchany
Building TCP Wrappers Available from
ftp://ftp.porcupine.org/pub/security/index.html
Modify the Makefile Set REAL_DAEMON_DIR Send logging to LOG_AUTH
Download the IPv6 version for Solaris 8
Use the advanced installation method
va-scan Copyright 2002, Marchany
Building OpenSSH OpenSSH implements SSH1, SSH2 Maintained by OpenBSD Tested on Solaris 2.6 5/98 Sparc,
Solaris 7 11/99 Sparc, Solaris 8 4/01 Sparc with ForteDeveloper 6 update 1 and gcc 2.95.2
va-scan Copyright 2002, Marchany
Building OpenSSH Prerequisite Components
OpenSSH 2.9p2 from http://www.openssh.com/portable.html
Zlib 1.1.3 from http://www.freesoftware.com/pub/infozip/zlib
Solaris 8 CD – package format OpenSSL 0.9.6b from
http://www.openssl.org/source PRNGD 0.9.19 from http://www.aet.tu-
cottbus.de/personen/jaenicke/postfix_tls/prngd.html (pseudo random number generator)
va-scan Copyright 2002, Marchany
Building OpenSSH Building zlib
cd zlib-1.1.3 ./configure (for gcc) env CC=cc CFLAGS=“-xo4 –KPIC” ./configure
make make install ls –l /usr/local/lib/libza.a
va-scan Copyright 2002, Marchany
Building OpenSSH Building OpenSSL
cd openssl-0.9.6b./Configure <compiler>makemake installls –l /usr/local/ssl/lib
Building PRNGDcd prngd-0.9.19make CC=gcc CFLAGS=“-O3 –DSOLARIS” SYSLIBS=“-lsocket –lnsl”
make CC=cc CFLAGS=“-x04 –DSOLARIS –KPIC” SYSLIBS=“-lsocket –lnsl”
va-scan Copyright 2002, Marchany
Building OpenSSH Building PRNGD (cont’d)
cp prngd /usr/local/sbin/prngdchown root:bin /usr/local/sbin/prngdchmod 755 /usr/local/sbin/prngdcp contrib/Solaris7/prngd.conf.solaris-7 /etc/prngd.conf
cat /var/log/syslog > /etc/prngd-seed
va-scan Copyright 2002, Marchany
Building OpenSSH Building OpenSSH
gcc version./configure –prefix=/opt/OBSDssh –with-pam –without-rsh –disable-suid-sh –sysconfdir=/etc \ --with-prngd-socket=/var/spool/prngd/pool
makemake installls –l /opt/OBSDssh/bin/ssh
Start: /etc/init.d/openssh.server start
va-scan Copyright 2002, Marchany
Building OpenSSH http://www.sun.com/blueprints/
tools/makeOpenSSHPackage.ksh builds a Solaris package containing OpenSSH
./makeOpenSSHPackage.kshpkgadd –d OBSDssh.pkg OBSDssh
va-scan Copyright 2002, Marchany
/etc/sshd_config Guidelines ListenAddress – used to set up SSH
servers on virtual I/F Protocol 2,1 – try v2 first then v1 SyslogFacility AUTH – send logging
messages to LOG_AUTH like TCP Wrappers CheckMail, PrintMotd – done by SSH or
login, your choice KeepAlive – send a heartbeat packet to
verify the host is still reachable. Good for keeping hung sessions down
va-scan Copyright 2002, Marchany
/etc/sshd_config Guidelines IgnoreRhosts yes – disable all
types of rhosts authentication PermitRootLogin no – forces
people to su to root Be careful. This also prevents remote
command execution and copying files from one system to another via scp
va-scan Copyright 2002, Marchany
SSH: Using RSA Authentication Generate your key pair using
something like PGP Copy public key to remote system Remote system authenticates user
by encrypting message w/public key
User decrypts using private key and send it back to remote system
va-scan Copyright 2002, Marchany
SSH RSA Example
% ssh-keygen –b 1024 –f ~/.ssh/identity[…]Enter passphrase: XXXXXXXXEnter the same passphrase again: XXXXXXXX[…]% scp ~/.ssh/identity.pub \
remotehost:~/.ssh/authorized_keys rcm@remotehost password: YYYYYYYIdentity.pub | 0 KB| 0.3kB/s| ETA: 00:00| 100%% ssh remotehostEnter passphrase for RSA key rcm@thishost : KKKKKKK
va-scan Copyright 2002, Marchany
Testing & Verification
Minimum Security Benchmark Procedures and Toolkits for
Testing and Verifying System Security
va-scan Copyright 2002, Marchany
Testing & Verification Pomeranz Test
Can get here from there Can’t get here from there Can’t get here as Superuser What’s Running? Can’t write in /usr Can’t run SUID from /var/tmp Check your logs
va-scan Copyright 2002, Marchany
Can Get Here From There ssh userid@securehost Reasons for failure
Localhost isn’t in securehost’s hosts.allow TCP Wrappers in sshd can’t find localhost’s
name from its IP address sshd can’t read hosts.allow, hosts.deny The userid doesn’t exist on securehost RSA identity certificate not properly
installed
va-scan Copyright 2002, Marchany
Can’t Get Here From There From badhost: ssh securehost Root should be getting an email if
logcheck and syslog are working Reasons the connection might work
hosts.allow is too permissive Reasons for failure
Securehost may have an invalid sendmail.cf file
va-scan Copyright 2002, Marchany
Can’t Get Here As Superuser ssh –l root securehost Reason for success
/etc/sshd-config is incorrect You shouldn’t allow direct root
logins
va-scan Copyright 2002, Marchany
What’s Running? Do a ‘ps –ef’ or lsof on an idle system Reasons you might see different
output: You’re logged in multiple times You logged in on the console Forgot to remove all recommended files
from /etc/rc*.d /etc/defaultrouter doesn’t exist
va-scan Copyright 2002, Marchany
Can’t Write in /usr touch /usr/bin/BAD Should generate an error message. Reasons for success:
Forgot to reboot/remount /usr in RO mode
Incorrect configuration of /etc/vfstab
va-scan Copyright 2002, Marchany
Can’t Run SUID from /var/tmp
# cd /var/tmp# cp /usr/bin/ps .# chmod 4111 ps^D$ /usr/bin/ps –ef$ /var/tmp/ps –ef
Reasons for Success: 1) still running as root 2) running wrongVersion of ps 3) misconfigured /etc/vfstab
va-scan Copyright 2002, Marchany
Check Your Logs Reasons for failure
/etc/syslog.conf has no auth.* entries Files/devices listed in /etc/syslog.conf
are invalid Loghost is unreachable or misconfigured Forgot to modify TCP Wrapper’s Makefile
to send logging messages to LOG_AUTH /etc/sshd_config is misconfigured
va-scan Copyright 2002, Marchany
Backups Have a complete level 0 dump of all file
systems] Set up an alternate boot disk Lock it up and don’t re-use the tape/disk Make another dump every time you
make significant changes Should you use network backup for
sensitive servers? In our environment, it’s ok because of
network topology
va-scan Copyright 2002, Marchany
Alternate Boot Disk Setup Install 2 identical internal disks Install OS on primary disk Partition 2nd disk identical to primary Format the secondary disk Create filesystems on secondary disk dd copy from primary to secondary Install ufs bootblock in s0 of secondary Modify /broot/etc/vfstab to mount secondary
as /, change auto bootup device in EEPROM
va-scan Copyright 2002, Marchany
Security Benchmarks
Tools and Benchmark Documents for Securing
Solaris Systems
va-scan Copyright 2002, Marchany
Configurator http://www.deer-run.com/~hal/
jumpstart/configurator Testing tool for SANS “Securing Solaris”
and CIS “Solaris Security Benchmark” docs
Will CHANGE your system setting to conform with the above docs
Can be integrated into Jumpstart server or run in standalone mode
va-scan Copyright 2002, Marchany
CIS Solaris Benchmark Minimum actions to harden your
system Configurator script available from
http://www.deer-run.com/~hal/jumpstart/configurator
Can be used to configure according to CIS benchmark or SANS Securing Solaris
va-scan Copyright 2002, Marchany
SANS Benchmark Available from
http://security.vt.edu in the Online Books section. Need PID to get it.
Contains step-by-step instructions in a manner similar to the CIS benchmark
Systems can be configured using Hal Pomer
va-scan Copyright 2002, Marchany
JASS Free from www.sun.com/blueprints/tools Set of scripts to secure your system Can be used as part of a Jumpstart
install Useful for lab situations
It’s an “officially endorsed” Sun item JASS doesn’t secure systems enough
va-scan Copyright 2002, Marchany
YASSP http://www.yassp.org Jean Chouanard took an early version of
the SANS Securing Solaris course Went home and wrote YASSP Comes in pkgadd format Endorsed by SANS Runs on Solaris 2.6, 7, 8(beta) Mailing list: secure-sol-
va-scan Copyright 2002, Marchany
YASSP Pros/Cons Pro
pkgadd format very useful Works on Core, end-user, developer,
Full Automatically installs security tools
Con Not very modular /etc/yassp.conf hard to understand
va-scan Copyright 2002, Marchany
TITAN Collection of programs/scripts
which either fix or tighten security problems
Not a replacement for anything. It’s a supplement to your system security toolkit.
http://www.fish.com/titan
va-scan Copyright 2002, Marchany
TITAN Pros/Cons Pro
Modular and extensible Verification function Linux version in beta test
Con Writing modules can be complex
va-scan Copyright 2002, Marchany
Conclusions Keep an eye on your system Build minimal functionality then
add what you need Mount FS RO or NOSUID Use SSH Verify everything Send Randy log excerpts of probes
va-scan Copyright 2002, Marchany
Appendix 1
Portsentry, IP Filter, logcheck configuration guidelines
va-scan Copyright 2002, Marchany
Portsentry Available from www.psionic.com Monitors ports and performs an
action when an attempt to access the port is made.
Usually access is denied to the probing systems.
Monitors TCP and UDP traffic. A little more flexible than TCP Wrappers
va-scan Copyright 2002, Marchany
Portsentry Configuration Files Portsentry.conf contains the list of
ports to be monitored. 3 levels of paranoia
va-scan Copyright 2002, Marchany
Logcheck Available from www.psionic.com Syslog keyword scanner When it matches something, it
does something Send email Page someone Run a command
va-scan Copyright 2002, Marchany
logcheck.violations
These keywords denote a problem and are flagged bylogcheck.
va-scan Copyright 2002, Marchany
logcheck.ignore
Phrases listed in this file are ignored by the logcheck program.
va-scan Copyright 2002, Marchany
logcheck.hacking
Keywords in this file indicatean attack is taking place
va-scan Copyright 2002, Marchany
IP Filter Software package that can do NAT or
basic firewall services. Designed to be used as a loadable
kernel module but can be incorporated into a Unix kernel
Can be configured to do IP Accounting (count # bytes), IP Filtering or IP authentication or NAT.
http://coombs.anu.edu.au/~avalon/ip-filter.html
va-scan Copyright 2002, Marchany
IP Filter Can explicitly allow/deny any packet. Distinguishes between multiple
interfaces. Filters by IP network, hosts or protocol. Filters by port number or port range. Logs the following:
TCP/UDP/ICMP/IP packet headers First 128 bytes Pass or blocked status
va-scan Copyright 2002, Marchany
IP Filter Statistics collected include:
Packets blocked Packets used for accounting (packet
count) Packets passed Packets logged Inbound/outbound packet information
va-scan Copyright 2002, Marchany
IP Filter Log Format
Jul 30 01:46:52 myhost.vt.edu ipmon[147]: [ID 702911local0.warning] 01:46:52.196772 hme0 @0:5 b 194.143.66.126,21 ->198.82.255.255,21 PR tcp len 20 40 -S IN
Jul 30 01:47:03 myhost.vt.edu ipmon[147]: [ID 702911local0.warning] 01:47:03.269595 hme0 @0:5 b 194.143.66.126,21 ->198.82.255.255,21 PR tcp len 20 40 -S IN
Jul 30 05:53:51 myhost.vt.edu ipmon[147]: [ID 702911local0.warning] 05:53:50.699235 hme0 @0:5 b 203.90.84.163,1781 ->198.82.255.255,21 PR tcp len 20 60 -S IN
va-scan Copyright 2002, Marchany
WWW Sites Sendmail
ftp.vt.edu/pub/cc/Solaris/sendmail* ftp.sendmail.org/pub/sendmail
Fix-modes ftp.science.uva.nl/pub/solaris/fix-
modes.tar.gz OpenSSH
Solaris 8 Installation CD http://www.openssh.com/portable.html
va-scan Copyright 2002, Marchany
WWW Sites OpenSSL
www.openssl.org/source/ Zlib
ftp.freesoftware.com/pub/infozip/zlib/ TCP Wrappers, rpcbind replacement
ftp.porcupine.org/pub/security/index.html
YASSP www.yassp.org
va-scan Copyright 2002, Marchany
WWW Sites TITAN
www.fish.com/titan JASS
www.sun.com/blueprints/tools Bastille
http://bastille-linux.sourceforge.net David Brumley’s comparison
document www.theorygroup.com/Theory
va-scan Copyright 2002, Marchany
WWW Sites Jason Rhoads’ Documents
www.sabernet.net/papers Sean Boran’s Security Documents
www.boran.com/security/sp/Solaris_hardening_tool
Solaris Blueprints On-line www.sun.com/blueprints/browsesubject.html
Hal Pomeranz’s site www.deer-run.com/~hal/jumpstart
Solaris Adv. Installation Guide Docs.sun.com/ab2/coll.214.7/SPARCINSTALL