Solaris 10 Security-Sun.v1.3

Solaris 10 Security Workshop
Peter Baer Galvin For Usenix 2005

Last Revision Apr 2005
About the Speaker

Peter Baer Galvin Pbg@cptech.com www.cptech.com Pbg@petergalvin.info www.petergalvin.info 781 273 4100 Bio
Peter Baer Galvin is the Chief Technologist for Corporate Technologies, Inc., a systems integrator and VAR, and was the Systems Manager for Brown University's Computer Science Department. He has written articles for Byte and other magazines. He wrote Pete's Wicked World, the security column for SunWorld magazine, Petes Super Systems, the systems administration column there. He is now contributing editor of the Solaris Corner for SysAdmin Magazine. Peter is co-author of the Operating Systems Concepts and Applied Operating Systems Concepts texbooks. As a consultant and trainer, Mr. Galvin has taught tutorials in security and system administration and given talks at many conferences and institutions.
Apr-05
Copyright 2004-2005 Peter Baer Galvin All Rights Reserved
Objectives
Explore the new Solaris 10 security features,
from an admin point of view

Some app/dev points made to guide developers
Convey their current status, usability, and
future functionality Help prepare for Solaris 10 deployment Some pre-Solaris 10 coverage when needed
Apr-05
Prerequisites
Recommend at least a couple of years of
Solaris experience
Or at least a few years of other Unix experience
Best is a few years of admin experience,
mostly on Solaris
Apr-05
About the Tutorial

Every SysAdmin has a different knowledge
set A lot to cover, but notes should make good reference So some covered quickly, some in detail
Setting base of knowledge But lets take off-topic off-line
Please ask questions

Apr-05
Fair Warning
Sites vary Circumstances vary Admin knowledge varies My goals
Provide information useful for each of you at your sites Provide opportunity for you to learn from each other
Apr-05
Why Listen to Me?

20 Years of Sun experience Seen much as a consultant Hopefully, you've used: The Solaris Corner @ www.samag.com/Solaris The Solaris Security FAQ SunWorld Pete's Wicked World SunWorld Pete's Super Systems Unix Secure Programming FAQ Operating System Concepts (The Dino Book) Applied Operating System Concepts
Apr-05 Copyright 2004-2005 Peter Baer Galvin All Rights Reserved 7
Schedule
8:30am 10:00am 10:30am 12:00pm 1:30pm 3:00pm 5:00pm Learn Eat/Drink Learn Eat / Drink Learn Eat/Drink Eat / Drink / Be Merry
Apr-05
Coverage
Solaris 10 is a moving target This tutorial based on FCS (Jan / Mar 05)
How to get Solaris 10
Download from Sun Media Kits now shipping

How to get Solaris 10+

Join Solaris Express
Apr-05
Outline

Overview N1 Grid Containers (aka Zones) (lab) RBAC (lab) Privileges NFS V4 Flash archives and live upgrade Moving from NIS to LDAP DTrace FTP client and server enhancements PAM enhancements Auditing enhancements BSM Service Management Facility (lab) Solaris Cryptographic Framework Smartcard interfaces and APIs Kerberos enhancements Packet filtering BART
Copyright 2004-2005 Peter Baer Galvin All Rights Reserved 10
Apr-05
10
Your Objectives?

11
Overview
Apr-05
12
12
Overview
Solaris 10 includes lots of new security
features

Security is important to administrators It usually annoys users
Well look at each new feature, how useful,
powerful and annoying it is

Should provide a good roadmap for what to use, when How can they be used to solve the following problems

13
Sun Overview
Quick high-level overview of Suns view of
Solaris security
Apr-05
14
14
(From the Solaris 10 Sun Net Talk about Solaris 10 Security)

15

16

17

18

19

20

Apr-05
21
21

22
N1 Grid Containers (aka Zones)
Apr-05
23
23
Zones Overview
Virtualized operating system services Isolated and secure environment for running
apps Apps and users (and superusers) in zone cannot see / effect other zones
Delegated admin control
Virtualized device paths, network interfaces,
network ports, process space, resource user (via resource manager) Application fault isolation
24
Zones Overview - 2
Low physical resource use Up to 8192 zones per system! Differentiated file system Multiple versions of an app installed and running on a given system Inter-zone communication is only via network (but
short-pathed through the kernel

No application changes needed no API or ABI Can restrict disk use of a zone via the loopback file
driver (lofi) using a file as a file system

25
Apr-05
(From the Solaris 10 Sun2004-2005 Net Talk Solaris 10 Security) Copyright Peter about Baer Galvin
All Rights Reserved
26
26
Zone Limits
Only one OS installed on a system One set of OS patches Only one /etc/system
Although Sun working to move as many settings as possible out of /etc/system
System crash / OS crash -> all zones crash Zones cannot be moved between systems (yet) Each zone uses ~ 100MB of disk some VM and physical memory (for processes and daemons running in the zone) - ~40MB PM
27
(From System Administration Guide: N1 Grid Containers, Resource Management, and Solaris Zones)
28
Global Zone
Aka the usual system Global Is assigned ID 0 by the system Provides the single instance of the Solaris
kernel that is bootable and running on the system Contains a complete installation of the Solaris system software packages Can contain additional software packages or additional software, directories, files, and other data not installed through packages
29
Global Zone - 2
Provides a complete and consistent product

database that contains information about all software components installed in the global zone Holds configuration information specific to the global zone only, such as the global zone host name and file system table Is the only zone that is aware of all devices and all file systems Is the only zone with knowledge of non-global zone existence and configuration Is the only zone from which a non-global zone can be configured, installed, managed, or uninstalled
Apr-05
30
Non-global Zones
Non-Global Is assigned a zone ID by the
system when the zone is booted Shares operation under the Solaris kernel booted from the global zone Contains an installed subset of the complete Solaris Operating System software packages Contains Solaris software packages shared from the global zone Can contain additional installed software packages not shared from the global zone
31
Non-global Zones -2
Can contain additional software, directories, files, and
other data created on the non-global zone that are not installed through packages or shared from the global zone Has a complete and consistent product database that contains information about all software components installed on the zone, whether present on the nonglobal zone or shared read-only from the global zone Is not aware of the existence of any other zones Cannot install, manage, or uninstall other zones, including itself Has configuration information specific to that nonglobal zone only, such as the non-global zone host name and file system table
32
Non-global Zone States

Configured - The zones configuration is complete and committed to stable storage, not initially booted Incomplete - During an install or uninstall operation Installed - The zones configuration is instantiated on the system but no virtual platform Ready - The virtual platform for the zone is established. The kernel creates the zsched process, network interfaces are plumbed, file systems are mounted, and devices are configured. A unique zone ID is assigned by the system, no processes associated with the zone have been started. Running - User processes associated with the zone application environment are running. Shutting down and Down - These states are transitional states that are visible while the zone is being halted. However, a zone that is unable to shut down for any reason will stop in one of these states.
Apr-05
33
33
(From System Administration Guide: N1Grid Containers, Resource Management, and Solaris Zones)
34
Zone Configuration
Data from the following are not referenced or copied when a zone is
installed:

Non-installed packages Patches Data on CDs and DVDs Network installation images Any prototype or other instance of a zone New or changed users in the /etc/passwd file New or changed groups in the /etc/group file Configurations for networking services such as DHCP address assignment, UUCP, or sendmail Configurations for network services such as naming services New or changed crontab, printer, and mail files System log, message, and accounting files
In addition, the following types of information, if present in the global
zone, are not copied into a zone that is being installed:

Apr-05
35
35
Zone Configuration
Zlogin C logs in to a just-boot virgin zone Only root can zlogin normal zone access is via network The usual sysidconfig questions are
asked (hostname, name service, timezone, kerberos) Zone reboots to put configuration changes into effect (a few seconds)
Messages look like a system reboot (within your window)

Apr-05
36
Zone Configuration - 2
# zonecfg -z app1 app1: No such zone configured Use 'create' to begin configuring a new zone. zonecfg:app1> create zonecfg:app1> set zonepath=/opt/zone/app1 zonecfg:app1> set autoboot=false zonecfg:app1> add net zonecfg:app1:net> set physical=pnc0 zonecfg:app1:net> set address=192.168.118.140 zonecfg:app1:net> end zonecfg:app1> add fs zonecfg:app1:fs> set dir=/export/home zonecfg:app1:fs> set special=/export/home zonecfg:app1:fs> set type=lofs zonecfg:app1> add inherit-package-dir zonecfg:app1:inherit-pkg-dir> set dir=/opt/sfw zonecfg:app1:inherit-pkg-dir> end zonecfg:app1> verify zonecfg:app1> commit zonecfg:app1> exit
Apr-05
37
37
# df -k Filesystem kbytes used avail capacity Mounted on /dev/dsk/c0d0s0 5678823 2689099 2932936 48% / /devices 0 0 0 0% /devices /dev/dsk/c0d0p0:boot 10296 1401 8895 14% /boot proc 0 0 0 0% /proc mnttab 0 0 0 0% /etc/mnttab fd 0 0 0 0% /dev/fd swap 600780 28 600752 1% /var/run swap 600776 24 600752 1% /tmp /dev/dsk/c0d0s7 4030684 32853 3957525 1% /export/home # zoneadm -z app1 verify WARNING: /opt/zone/app1 does not exist, so it cannot be verified. When 'zoneadm install' is run, 'install' will try to create /opt/zone/app1, and 'verify' will be tried again, but the 'verify' may fail if: the parent directory of /opt/zone/app1 is group- or other-writable or /opt/zone/app1 overlaps with any other installed zones. could not verify net address=192.168.118.140 physical=pnc0: No such device or address zoneadm: zone app1 failed to verify
Apr-05
38
38
# ls -l /opt/zone total 2 drwx-----4 root other 512 Aug # mkdir /opt/zone/app1 # chmod 700 /opt/zone/app1 # ls -l /opt/zone total 4 drwx-----2 root other 512 Sep drwx-----4 root other 512 Aug # zonadm -z app1 verify could not verify net address=192.168.118.140 such device or address zoneadm: zone app1 failed to verify # zonecfg -z app1 zonecfg:app1> info zonepath: /opt/zone/app1 autoboot: false 21 12:44 test
16 15:14 app1 21 12:44 test physical=pnc0: No
Apr-05
39
39
net: address: 192.168.118.140 physical: pnc0 zonecfg:app1> remove physical=pnc0 zonecfg:app1> add net zonecfg:app1:net> set physical=pcn0 zonecfg:app1:net> set address=192.168.118.140 zonecfg:app1:net> end zonecfg:app1> exit # zoneadm -z app1 verify # zoneadm -z app1 install Preparing to install zone <app1>. Creating list of files to copy from the global zone. Copying <2199> files to the zone. Initializing zone product registry. Determining zone package initialization order. Preparing to initialize <779> packages on the zone. Initializing package <0> of <779>: percent complete: 0%
. . .
40
Zone Configuration -6
Zone <app1> is initialized. The file </opt/zone/app1/root/var/sadm/system/logs/install_log> contains a log of the zone installation. # zoneadm list -v ID NAME 0 global 1 test
STATUS running running
PATH / /opt/zone/test
# df -k Filesystem kbytes used avail capacity /dev/dsk/c0d0s0 5678823 2766177 2855858 50% /devices 0 0 0 0% /dev/dsk/c0d0p0:boot 10296 1401 8895 14% proc 0 0 0 0% mnttab 0 0 0 0% fd 0 0 0 0% swap 594332 32 594300 1% swap 594500 200 594300 1% /dev/dsk/c0d0s7 4030684 32853 3957525 1%
Mounted on / /devices /boot /proc /etc/mnttab /dev/fd /var/run /tmp /export/home
Apr-05
41
41
# zoneadm -z app1 boot zoneadm: zone 'app1': WARNING: pcn0:2: no matching subnet found in netmasks(4) for 192.168.118.131; using default of 192.168.118.131. # zoneadm list -v ID NAME STATUS PATH 0 global running / 1 test running /opt/zone/test 2 app1 running /opt/zone/app1 # telnet 192.168.118.140 Trying 192.168.118.140... telnet: Unable to connect to remote host: Connection refused # zlogin -C app1 [Connected to zone 'app1' console] Select a Locale 0. English (C - 7-bit ASCII) 1. U.S.A. (UTF-8) 2. Go Back to Previous Screen Please make a choice (0 - 2), or press h or ? for help: 0 . . .
42
rebooting system due to change(s) in /etc/default/init [NOTICE: Zone rebooting] SunOS Release 5.10 Version s10_63 32-bit Copyright 1983-2004 Sun Microsystems, Inc. All rights reserved. Use is subject to license terms. Hostname: zone-app1 The system is coming up. Please wait. starting rpc services: rpcbind done. syslog service starting. Sep 16 15:48:24 zone-app1 sendmail[7567]: My unqualified host name (zone-app1) unknown; sleeping for retry Sep 16 15:49:24 zone-app1 sendmail[7567]: unable to qualify my own domain name (zone-app1) -- using short name WARNING: local host name (zone-app1) is not qualified; see cf/README: WHO AM I? /etc/mail/aliases: 12 aliases, longest 10 bytes, 138 bytes total
Apr-05
43
43
STSF Font Server Daemon. Standard Type Services Framework 0.11.1 Copyright (c) 2001-2004 Sun Microsystems, Inc. All Rights Reserved. STSF is Open Source Software. http://stsf.freedesktop.org Creating new rsa public/private host key pair Creating new dsa public/private host key pair The system is ready. zone-app1 console login: root Password: Sep 16 15:51:08 zone-app1 login: ROOT LOGIN /dev/console Sun Microsystems Inc. SunOS 5.10 s10_63 May 2004 # cat /etc/passwd root:x:0:1:Super-User:/:/sbin/sh daemon:x:1:1::/: bin:x:2:2::/usr/bin: . . . noaccess:x:60002:60002:No Access User:/: nobody4:x:65534:65534:SunOS 4.x NFS Anonymous Access User:/:
Apr-05
44
44

# useradd -u 101 -g 14 -d /export/home/pbg -s /bin/bash pbg # passwd pbg New Password: Re-enter new Password: passwd: password successfully changed for pbg # zoneadm list -v ID NAME STATUS PATH 3 app1 running / # exit zone-app1 console login: ~. [Connection to zone 'app1' console closed] # zoneadm list -v ID NAME STATUS PATH 0 global running / 1 test running /opt/zone/test 3 app1 running /opt/zone/app1 # uptime 3:53pm up 5:14, 1 user, load average: 0.23, 0.34, 0.43 # telnet 192.168.118.140 Trying 192.168.118.140 Connected to 192.168.118.140. Escape character is ^]. Login: pbg Password: . . . Copyright 2004-2005 Peter Baer Galvin Apr-05
All Rights Reserved
45
45
Zone Script
create -b set zonepath=/opt/zones/zone0 set autoboot=false add inherit-pkg-dir set dir=/lib end add inherit-pkg-dir set dir=/platform end add inherit-pkg-dir set dir=/sbin end add inherit-pkg-dir set dir=/usr end add inherit-pkg-dir set dir=/opt/sfw end add net set address=192.168.128.200 set physical=pcn0 end add rctl set name=zone.cpu-shares add value (priv=privileged,limit=1,action=none) end
Apr-05
46
46
Life in a Zone
# ifconfig -a lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> mtu 8232 index 1 inet 127.0.0.1 netmask ff000000 lo0:1: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> mtu 8232 index 1 zone test inet 127.0.0.1 netmask ff000000 lo0:2: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> mtu 8232 index 1 zone app1 inet 127.0.0.1 netmask ff000000 pcn0: flags=1004843<UP,BROADCAST,RUNNING,MULTICAST,DHCP,IPv4> mtu 1500 index 2 inet 192.168.80.128 netmask ffffff00 broadcast 192.168.80.255 ether 0:c:29:44:a9:df pcn0:1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2 zone test inet 192.168.80.139 netmask ffffff00 broadcast 192.168.80.255 pcn0:2: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2 zone app1 inet 192.168.80.140 netmask ffffff00 broadcast 192.168.80.255
Apr-05
47
47
Life in a Zone - 2
$ telnet 192.168.80.140 . . . $ df -k Filesystem kbytes used avail capacity / 9515147 1894908 7525088 21% /dev 9515147 1894908 7525088 21% /export/home 10076926 10369 9965788 1% /lib 9515147 1894908 7525088 21% /platform 9515147 1894908 7525088 21% /sbin 9515147 1894908 7525088 21% /usr 9515147 1894908 7525088 21% proc 0 0 0 0% mnttab 0 0 0 0% fd 0 0 0 0% swap 1043072 16 1043056 1% swap 1043056 0 1043056 0% $ touch /usr/foo touch: /usr/foo cannot create Mounted on / /dev /export/home /lib /platform /sbin /usr /proc /etc/mnttab /dev/fd /var/run /tmp
Note that virtual memory (and therefore swap) are global
resources
Apr-05
48
48
Life in a Zone - 3
$ ps -ef UID PID PPID C STIME TTY root 11120 11120 0 11:00:35 ? pbg 11377 11347 0 11:01:28 pts/8 root 11229 11120 0 11:00:40 ? root 11341 11120 0 11:00:46 ? root 11266 11120 0 11:00:41 ? yslog -message_locale C root 11339 11336 0 11:00:46 ? root 11250 11120 0 11:00:41 ? root 11264 11261 0 11:00:41 ? root 11261 11120 0 11:00:41 ? root 11227 11120 0 11:00:40 ? root 11218 11120 0 11:00:40 ? root 11325 11120 0 11:00:45 ? e-app1 root 11239 11120 0 11:00:40 ? root 11265 11261 0 11:00:41 ? root 11230 11120 0 11:00:40 ? root 11273 11266 0 11:00:42 ? -message_locale C root 11129 11120 0 11:00:36 ? TIME 0:00 0:00 0:00 0:00 0:00 0:00 0:00 0:00 0:00 0:00 0:00 0:00 0:00 0:00 0:00 0:00 CMD zsched ps -ef /usr/sbin/cron /usr/sfw/sbin/snmpd /usr/lib/im/htt -port 9010 -s /usr/lib/saf/ttymon /usr/lib/utmpd /usr/sadm/lib/smc/bin/smcboot /usr/sadm/lib/smc/bin/smcboot /usr/sbin/nscd /usr/lib/autofs/automountd /usr/lib/dmi/snmpXdmid -s zon /usr/lib/sendmail -bd -q15m /usr/sadm/lib/smc/bin/smcboot /usr/sbin/inetd -s htt_server -port 9010 -syslog
0:00 init
Apr-05
49
49
Life in a Zone - 4
root 11323 11120 0 daemon 11152 11120 0 root 11241 11120 0 Ac -q15m root 11214 11120 0 root 11299 11120 0 -daemon root 11317 11120 0 -y -c /e tc/snmp/conf root 11337 11129 0 -g -h -p zone-app1 console login: daemon 11177 11120 0 root 11343 11120 0 pbg 11347 11344 1 root 11344 11230 0 root 11336 11129 0 300 11:00:45 ? 11:00:37 ? 11:00:41 ? 11:00:39 ? 11:00:44 ? 11:00:45 ? 0:00 /usr/lib/dmi/dmispd 0:00 /usr/lib/crypto/kcfd 0:00 /usr/lib/sendmail 0:00 /usr/sbin/syslogd 0:00 /usr/dt/bin/dtlogin 0:00 /usr/lib/snmp/snmpdx
11:00:45 console
0:00 /usr/lib/saf/ttymon
-T dtterm -d /dev/consol 11:00:38 ? 0:00 11:00:47 ? 0:00 11:00:50 pts/8 0:00 11:00:50 ? 0:00 11:00:45 ? 0:00
/usr/sbin/rpcbind /usr/lib/ssh/sshd -bash in.telnetd /usr/lib/saf/sac -t
Apr-05
50
50
Life in a Zone - 5
$ mount -p -bash: mount: command not found $ su Password: Sun Microsystems Inc. SunOS 5.10 s10_63 May 2004 # mount -p / - / ufs - no rw,intr,largefiles,logging,xattr,onerror=panic /dev - /dev lofs - no zonedevfs /export/home - /export/home lofs - no /lib - /lib lofs - no ro,nodevices,nosub /platform - /platform lofs - no ro,nodevices,nosub /sbin - /sbin lofs - no ro,nodevices,nosub /usr - /usr lofs - no ro,nodevices,nosub proc - /proc proc - no nodevices,zone=app1 mnttab - /etc/mnttab mntfs - no nodevices,zone=app1 fd - /dev/fd fd - no rw,nodevices,zone=app1 swap - /var/run tmpfs - no nodevices,xattr,zone=app1 swap - /tmp tmpfs - no nodevices,xattr,zone=app1 # hostname zone-app1 # zonename app1
Apr-05
51
51
Other Cool Zone Stuff

ps Z shows zone in which each process is
running Can use resource manager with zones Zones can use global naming services
Use features to enable or disable accounts per zone
Interzone networking executed via loopback
for performance
Apr-05
52
52
Zones and Resource Management

Load the fair share schedule as the default schedule class

dispadmin d fss priocntl -s -c FSS -i class TS prctl -n zone.cpu-shares -v 2 -r -i zone global prctl -n zone.cpu-shares -i zone global zonecfg:my-zone> add rctl zonecfg:my-zone:rctl> set name=zone.cpu-shares
Move all processes into the FSS class Give the global zone some (2) shares Check the shares of the global zone Add a zone-wide resource control (1 share) to a zone (within zonecfg)

zonecfg:my-zone:rctl> add value \ (priv=privileged,limit=1,action=none) zonecfg:my-zone:rctl> end
Apr-05
53
53
Zone Issues
Zone cannot reside on NFS But zone can be NFS client Each zone normally has a sparse installation of a
package, if package is from inherit-package-dir directory tree By default, a package installed in global zone is installed in all existing non-global zones

Unless the pkgadd G or Z options are used See also SUNW_PKG_ALLZONES and SUNW_PKG_HOLLOW package parameters
By default, patch installed in global zone is installed
in all non-global zones

Apr-05
If any zone does not match patch dependencies, patch not installed
54
Zone issues - cont

Upgrading the global zone to a new Solaris release
upgrades the non-global zones (but only by using live upgrade) Best practice is to keep packages and patches synced between global and all non-global zones Best practice prebuild a bunch of zones, even if you wont need them

Packages and patches stay in sync or as in generic initial system Low resource use Use one of them for all applications & non-sys admin users
Watch out for giving users root in a zone could
violate policy or regulations

55
Zones and Packages

# pkgadd -d screen* The following packages are available: 1 SMCscreen screen (intel) 4.0.2 Select package(s) you wish to process (or 'all' to process all packages). (default: all) [?,??,q]: ## Not processing zone <zone10>: the zone is not running and cannot be booted ## Booting non-running zone <zone0> into administrative state ## waiting for zone <zone0> to enter single user mode... ## Verifying package <SMCscreen> dependencies in zone <zone0> ## Restoring state of global zone <zone0> ## Booting non-running zone <zone1> into administrative state ## waiting for zone <zone1> to enter single user mode... ... ## Booting non-running zone <zone0> into administrative state ## waiting for zone <zone0> to enter single user mode... ## waiting for zone <zone0> to enter single user mode... ## Installing package <SMCscreen> in zone <zone0>
Apr-05
56
56
Zones and Packages (Cont.)

screen(intel) 4.0.2 Using </usr/local> as the package base directory. ## Processing package information. ## Processing system information. 86 package pathnames are already properly installed. Installing screen as <SMCscreen> ## Installing part 1 of 1. [ verifying class <none> ] Installation of <SMCscreen> on zone <zone0> was successful. ## Restoring state of global zone <zone0>
...
57
Labs
Explore your zone what can you do and
see, what cant you? What is your view of file systems? What packages are installed? What patches? What is your life like in a zone? How are zones different from domains? From vmware?
58
RBAC
Apr-05
59
59
RBAC
Been in Solaris since release 8 Basis for access control on Solaris A bit, um, complicated Quick review here
How many of you are using RBAC?
Apr-05
60
60
RBAC Terminology
Administrative Roles (or just roles) for
grouping authorizations, profiles and commands together as a common set of functions. Think of these as special user accounts to which profiles are assigned. Profiles -- (also known as "execution profiles" or "rights profiles") a collection of authorizations, commands, and/or other profiles that together provide for performing a set of administrative tasks.
61
RBAC Terminology - 2
Authorizations permissions that grant access to
restricted actions that are otherwise prohibited by the security policy. These are typically assigned in a profile, but can also be assigned to a user or a role. Think of this as tokens that can be checked by RBAC-aware programs. Rather than checking if UID=0 to allow an action, such programs can check if, for example, the user has authorization token solaris.admin.diskmgr.read. Privileged program a program with security attributes that enables special functions depending on a check of user-id, group-id, privileges, or authorizations. These are setuid or setgid programs, or programs with assigned privileges.
62
Apr-05
63
63
RBAC Use
User assumes a role - placed in a special profile-understanding
shell pfcsh, pfksn, and pfsh Shells know how to read through the various config files in /etc/security (and /etc/user_attr) Determines the rights profiles of the role and the components of those profiles, enforces them I.e., if a role had the Name Service Security rights profile, then user would be allowed to run /usr/bin/nischown with the effective user-id of 0 (from /etc/security/exec_attr) The administrator creates a profile of authorizations and privileged commands for task or tasks Can be assigned directly to a user or to (better) a role Without authorizations, user is prevented from executing a privileged application, or prevented from performing operations within a privileged application
64
RBAC Use - 2
Easiest RBAC admin is to use the Solaris
Management Console (smc)

User is allowed to assume zero or more roles by
knowing the password of the roles

Similar to using the su command When the user assumes a role, the capabilities of the role are available List of roles available to that user is displayed by the roles command User sus to an available role to accomplish privileged tasks No default roles
Apr-05
65
65
/etc/security/exec_attr
# head exec_attr Application Server Management:suser:cmd:::/usr/appserver/bin/asadmin: Software Installation:suser:cmd:::/usr/bin/pkgparam:uid=0 Network Management:suser:cmd:::/usr/sbin/in.named:uid=0 File System Management:suser:cmd:::/usr/sbin/mount:uid=0 Software Installation:suser:cmd:::/usr/bin/pkgtrans:uid=0 Name Service Security:suser:cmd:::/usr/bin/nisaddcred:euid=0 Mail Management:suser:cmd:::/usr/sbin/makemap:euid=0 FTP Management:suser:cmd:::/usr/sbin/ftprestart:euid=0 File System Management:solaris:cmd:::/sbin/mount:privs=sys_mount Software Installation:suser:cmd:::/usr/sbin/install:euid=0
Apr-05
66
66
Roles
Typical types of roles:
primary administrator - the traditional superuser, with all privileges, system administrator an administrator without security-modification privileges, operator an administrator with a limited, specific set of privileges, advanced user a user with privileges to debug and fix her own system or programs

67
Solaris Privileges
Apr-05
68
68
Privileges
Really known as least privilege Only the minimum privileges to get a job done should be available Alternative to being root or no one Done at the API level SetUID programs can dictate fine grain access to kernel features Can limit what privs children have Should further help can buffer overflows and other privilege escalation methods Done at the user or role level All specific users to perform specific operations regardless of the programs being run
69
Privileges - 2
New level of management of rights within a
Solaris 10 system Fine-grained privileges that can be assigned to entities The kernel enforces the new requirement that, to perform a special function, the entity must have the privilege to do so. Can work in parallel with traditional superuser functionality for backward compatibility.
70
Privilege Sets
E - Effective privilege set the current set of
privileges that are in effect I - Inheritable privilege set the set of privileges that a process can inherit across an exec() P - Permitted privilege set - the set of privileges that are available for use L - Limit privilege set the outside limit of what privileges are available to a process and its children
Used to shrink the I set when a child is created, for example
Apr-05
71
71
Privileges Example
Traceroute is now privilege enabled
$ ls -l /usr/sbin/traceroute
-r-sr-xr-x 1 root bin /usr/sbin/traceroute 35392 Jul 3 14:42
$ /usr/sbin/traceroute 1.2.3.4 & [2] 7841 # pcred 7841 7841: e/r/suid=101 e/r/sgid=14
Apr-05
72
72
Privileges Example - 2
# ppriv -v 7841 7841: /usr/sbin/traceroute 1.2.3.4 flags = PRIV_AWARE E: file_link_any,proc_exec,proc_fork,proc_info,pro c_session I: file_link_any,proc_exec,proc_fork,proc_info,pro c_session P: file_link_any,net_icmpaccess,net_rawaccess,proc _exec,proc_fork,proc_info,proc_session L: none Note exploit needs to execute fully in the context of traceroute to make use of its privileges because the "Limit set is empty
73
Privileged Daemon Example

# ppriv `pgrep rpcbind` 153: /usr/sbin/rpcbind flags = PRIV_AWARE E: basic,!file_link_any,net_privaddr,!proc_exec,!p roc_info,!proc_session,sys_nfs I: basic,!file_link_any,!proc_exec,!proc_fork,!pro c_info,!proc_session P: basic,!file_link_any,net_privaddr,!proc_exec,!p roc_info,!proc_session,sys_nfs L: basic,!file_link_any,!proc_exec,!proc_fork,!pro c_info,!proc_session
Apr-05
74
74
RBAC and Privileges

Use RBAC to assign specific privs to roles or users By default, all non-setuid processes have the basic
set of privileges assigned

Create a role with that privilege and then allow the
user to assume that role

The list of available privileges is available in the privileges(5), and via the all important ppriv command (the -lv options) Divided into categories, including file, ipc, net, proc, and sys privileges
For example, enable users in role test to do process
management and use DTrace features

Create test role in /etc/user_attr

Apr-05
75
RBAC and Privileges - 2

# roleadd -u 201 -d /export/home/test -P "Process Management" test # rolemod -K defaultpriv=basic,dtrace_proc,dtrace_us er,dtrace_kernel test # grep test /etc/user_attr test::::type=role;defaultpriv=basic,dtrac e_proc,dtrace_user,dtrace_kernel;profil es=Process Management
The user would need to switch to the role test to
use DTrace
76

$ ppriv $$ 10897: -bash flags = <none> E: basic I: basic P: basic L: all $ dtrace -s bitesize.d dtrace: failed to initialize dtrace: DTrace requires additional privileges $ su test Password: Roles can only be assumed by authorized users su: Sorry # usermod R test pbg (then login as pbg)
77

$ roles test $su test password: $ ppriv $$ 11022: pfsh flags = <none> E: basic,dtrace_kernel,dtrace_proc,dtrace_user I: basic,dtrace_kernel,dtrace_proc,dtrace_user P: basic,dtrace_kernel,dtrace_proc,dtrace_user L: all $ dtrace s bitesize.d . . . Alternately, privileges can be directly assigned to users, as in: pbg::::type=normal;roles=primary_administrator,test; \ defaultpriv=basic,dtrace_proc,dtrace_user,dtrace_kernel
78
Privilege Assignment
To add a privilege to a specific user, use the
usermod command to add the privilege to the users default privileges, as in # usermod K defaultpriv=basic,proc_clock_high_ res jdoe Unfortunately, to be able to assign a specific privilege to a specific command, the command must be written to be privilege aware
79
Privilege Assignment - 2
Currently, native system programs are becoming
privilege aware and having a limited set of privileges assigned to them

Includes most setuid-root and network daemons API available with privileges to allow Solaris programmers to write privilege aware programs ppriv command can be used on a program that is failing due to a lack of privilege, to determine exactly the privileges that the program needs to succeed Appropriate privileges can be assigned to the program, or assigned to a role or user to allow that program to run properly when the appropriate set of users runs it
Apr-05
80
/etc/passwd
# cat /etc/passwd root:x:0:1:Super-User:/:/sbin/sh daemon:x:1:1::/: bin:x:2:2::/usr/bin: sys:x:3:3::/: adm:x:4:4:Admin:/var/adm: lp:x:71:8:Line Printer Admin:/usr/spool/lp: uucp:x:5:5:uucp Admin:/usr/lib/uucp: nuucp:x:9:9:uucp Admin:/var/spool/uucppublic:/usr/lib/uucp/uucico smmsp:x:25:25:SendMail Message Submission Program:/: listen:x:37:4:Network Admin:/usr/net/nls: gdm:x:50:50:GDM Reserved UID:/: webservd:x:80:80:WebServer Reserved UID:/: nobody:x:60001:60001:NFS Anonymous Access User:/: noaccess:x:60002:60002:No Access User:/: nobody4:x:65534:65534:SunOS 4.x NFS Anonymous Access User:/: pbg:x:101:14::/export/home/pbg:/bin/bash test:x:201:1::/export/home/test:/bin/pfsh
Apr-05
81
81
/etc/user_attr
# cat /etc/user_attr # # Copyright (c) 2003 by Sun Microsystems, Inc. All rights reserved. # # /etc/user_attr # # user attributes. see user_attr(4) # #pragma ident "@(#)user_attr 1.1 03/07/09 SMI" # adm::::profiles=Log Management lp::::profiles=Printer Management root::::auths=solaris.*,solaris.grant;profiles=Web Console Management,All;lock_after_retries=no test::::type=role;defaultpriv=basic,dtrace_proc,dtrace_user,dt race_kernel;profiles=Process Management pbg::::type=normal;roles=test
82
Labs

Create new user foo Create new role operator Find list of profiles Add some profiles to role operator Add user foo to role operator Find list of privileges Add some privileges to role operator Add some privileges to user foo Test user foo in role operator Test user foo privileges Explore the system to find all of the changes associated with the new user and role
Apr-05
83
NFS V4
Apr-05
84
84
NFS V4 Overview
Stateful rather than stateless All traffic uses one port number (2049) Can negotiate security authentication protocol, including using
Kerberos (SEAM) and DES

The /etc/default/nfs file uses keywords to control the NFS
protocols that are used by both the client and the server
Uses the string representations to identify the owner or
group_owner via the nfsmapid daemon

Supports mandatory locking (multiple lock types) When you unshare a file system, all the state for any open files
or file locks in that file system is destroyed

Servers use a pseudo file system to provide clients with access
to exported objects on the server Server provides a view that just includes the exported file systems
85
NFS V4 Overview - 2
Supports client and server recovery from a crash Supports client failover between multiple replicated copies of a
file system on different servers

Supports volatile file handles Delegation, a technique by which the server delegates the

management of a file to a client, is supported on both the client and the server. I.e. the server could grant either a read delegation or a write delegation to a client. Does not use the following daemons: lockd mountd nfslogd statd
Apr-05
86
NFS V4 Use
Enable it via NFS_CLIENT_VERSMIN and
NFS_CLIENT_VERSMAX in the /etc/default/nfs file
Apr-05
87
87
Solaris Flash Archives
Apr-05
88
88
System Build Technology

What does it have to do with security?
Capture state of system just after virgin build Fast restore Useful for comparison Also good for DR / BC
This is available pre-Solaris 10, but generally
under-utilized
Apr-05
89
89
Flash Archives
Create master system single reference
installation Then replicate master to clone systems

Initial install overwrites all filesystems on target clone Update only includes differences between two system images (on master and clone) Differential update changes only specified files of a clone based on a master

90
Flash Archives Initial Install

1. Install master server however youd like 2. (Optional) Prepare customization scripts to reconfigure or customize
the clone system before or after installation

3. Create the Solaris Flash archive. The Solaris Flash archive contains a
copy of all of the files on the master system, unless you excluded some nonessential files 4. Install the Solaris Flash archive on clone systems
1. 2.
Master and clone system must have the same kernel architecture Can run scripts to customize clone or install extra packages using custom jumpstart If you plan to create a differential archive, the master image must be available and identical to the image installed on the clone systems
5. (Optional) Save a copy of the master image

1.
Note best to start from Entire Plus OEM install image to get all drives clones might need
Apr-05
91
91
Flash Archives Deployment

Create archive after full master install but before
software configuration
I.E. No Solaris Volume Manager config
Master should be as inactive as possible Create archive with flar create n name
options path/filename

Save it to disk or tape Make a copy for differential archive creation Can keep multiple archives just costs disk Can compress archives
To install from an archive, select Solaris Flash
installation during standard installation procedures

92
Apr-05
93
93
Updating Clone with Flash Differential Archive

1. Start from master identical to clone 2. Prepare the master system with changes 3. (Optional) Prepare customization scripts to reconfigure or customize
the clone system before or after installation

4. Mount the directory of a copy of the saved-unchanged master image
1. 2. 3. 4.
Second image is to be used to compare the two system images Mount it from a Solaris Live Upgrade boot environment Mount it from a clone system over NFS Restore from backup using the ufsrestore command
5. Create the differential archive with the -A option of the flar create
command
6. Install the differential archive on clone systems with custom JumpStart
1.
Or, use Solaris Live Upgrade to install the differential archive on an inactive boot environment
Apr-05
94
94
Moving from NIS to LDAP
Apr-05
95
95
Why Move?
NIS is old, limited, not secure Weak authentication Not much encryption Nonstandard NIS+ is complicated and EOL Sorry if you already moved to it Dont move to NIS+ if you havent already LDAP is the wave of the future Standard Full features Expandable, flexible, interoperable
96
NIS to LDAP Overview

The NIStoLDAP transition service (N2L service)
replaces existing NIS daemons on the NIS master server with NIStoLDAP transition daemons The N2L service also creates a NIStoLDAP mapping file on that server

Specifies the mapping between NIS map entries and equivalent Directory Information Tree (DIT) entries in LDAP A transitioned server is called an N2L server Slave servers do not have an NISLDAPmapping file, so they continue as usual The slave servers periodically update their data from N2L server
Apr-05
97
NIS to LDAP Overview - 2

Behavior of the N2L service is controlled by the ypserv and

NISLDAPmapping configuration files A script, inityp2l, assists with initial setup of configuration files. Once N2L server has been established, you can maintain N2L by editing configuration files The N2L service supports: Import of NIS maps into LDAP DIT Client access to DIT information with speed and extensibility of NIS When using N2L LDAP directory is source of authoritative data Eventually, all NIS clients can be replaced by Solaris LDAP naming services clients Many gory details in SysAdmin Guide to Naming and Directory Services
Apr-05
98
DTrace
Apr-05
99
99
DTrace and Security

No real link DTrace so cool we need to take a quick look
Apr-05
100
100
DTrace Overview

Best tool ever for understanding system behavior Uses language D, based on C Fully dynamic, full probing of kernel and user apps Fully scalable Enabled in Solaris 10 no custom kernel or configuration changes needed Use DTrace today to solve non-S10 problems
Move the problem to a test / dev S10 machine, debug, and then back port the solution to the original machine
Way to much to cover here

So Ill whet your appetite Got example code available at http://users.tpg.com.au/adsln4yb/dtrace.html All DTrace resources at http://www.sun.com/bigadmin/content/dtrace/
Apr-05
101
101
DTrace Example - 1
connections.d snoop inbound TCP
connections as they are established, displaying the server process that accepted the connection.
# ./connections.d UID PID IP_SOURCE PORT CMD 0 254 192.168.001.001 23 /usr/sbin/inetd -s 0 254 192.168.001.001 23 /usr/sbin/inetd -s 0 254 192.168.001.001 79 /usr/sbin/inetd -s 0 254 192.168.001.001 21 /usr/sbin/inetd -s 0 254 192.168.001.001 79 /usr/sbin/inetd -s 100 2319 192.168.001.001 6000 /usr/openwin/bin/Xsun :0 -nobanner 0 254 192.168.001.001 79 /usr/sbin/inetd -s [...]
Apr-05
102
102
DTrace Example - 2
The following script counts number of write(2)
calls by application: syscall::write:entry { @counts[execname] = count(); }
Apr-05
103
103
DTrace Example - 4
# dtrace -s write-calls-by-app.d dtrace: script 'write-calls-by-app.d' matched 1 probe ^C dtrace login sshd sh telnet w df in.telnetd mixer_applet2 gnome-panel metacity gnome-terminal # 1 1 2 6 6 7 12 25 61 108 125 197
Apr-05
104
104
DTrace Example - 5
Lets have a look at the size of the writes to
file descriptor 5, per section of user code (!) syscall::write:entry /execname == "sshd" && arg0 == 5/ { @[ustack()] = quantize(arg2); }
Apr-05
105
105
DTrace Example - 6
bash-2.05b# dtrace -s write-sshd-fd-5.d dtrace: script 'write-sshd-fd-5.d' matched 1 probe ^C libc.so.1`_write+0xc sshd`atomicio+0x2d 805b59c sshd`main+0xd59 805b1fa value ------------- Distribution ------------8 | 16 |@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ 32 | count 0 1 0
libc.so.1`_write+0xc sshd`packet_write_poll+0x2e sshd`packet_write_wait+0x23 sshd`userauth_finish+0x19f 805f42e sshd`dispatch_run+0x49 sshd`do_authentication2+0x7c sshd`main+0xdc7 805b1fa value ------------- Distribution ------------16 | 32 |@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ 64 | Apr-05 count 0 1 0 106
106
DTrace Example - 7
#!/usr/sbin/dtrace -s #pragma D option flowindent pid$1::$2:entry { self->trace = 1; } pid$1:::entry, pid$1:::return, fbt::: /self->trace/ { printf("%s", curlwpsinfo->pr_syscall ? "K" : "U"); } pid$1::$2:return /self->trace/ { self->trace = 0; }
Apr-05
107
107
Apr-05
108
108
FTP Server Enhancements
Apr-05
109
109
FTP Server Enhancements

The sendfile() function is used for binary downloads New capabilities supported in the ftpaccess file

flush-wait controls the behavior at the end of a download or directory listing ipcos sets the IP Class of Service for either the control or data connection passive ports can be configured so that the kernel selects the TCP port to listen on quota-info enables retrieval of quota information recvbuf sets the receive (upload) buffer size used for binary transfers rhostlookup allows or disallows the lookup of the remote hosts name sendbuf sets the send (download) buffer size used for binary transfers xferlog format customizes the format of the transfer log entry -4 option which makes the FTP server only listen for connections on an IPv4 socket when running in standalone mode
Apr-05
110
FTP Server Enhancements - 2

ftpcount and ftpwho now support the -v
option, which displays user counts and process information for FTP server classes defined in virtual host ftpaccess files
The FTP client and server now support
Kerberos
Apr-05
111
111
PAM Enhancements
Apr-05
112
112
PAM Enhancements
Pluggable Authentication Module (PAM) framework
enhancements
The pam_authtok_check module now allows for strict
password checking using new tunable parameters in the /etc/default/passwd file. The new parameters define: A list of comma separated dictionary files used for checking common dictionary words in a password The minimum differences required between a new password and an old password The minimum number of alphabetic or nonalphabetic characters that must be used in a new password The minimum number of uppercase or lowercase letters that must be used in a new password The number of allowable consecutive repeating characters
113
PAM Enhancements - 2
The pam_unix_auth module implements account locking for local users. Account locking is enabled by the LOCK_AFTER_RETRIES parameter in /etc/security/policy.conf and the lock_after-retries key in /etc/user_attr
The pam_unix module has been removed and replaced by a set of service modules of equivalent or greater functionality. Many of these modules were introduced in the Solaris 9 release. Here is a list of the replacement modules: pam_authtok_check
pam_authtok_get pam_authtok_store pam_dhkeys pam_passwd_auth pam_unix_account pam_unix_auth pam_unix_cred pam_unix_session
Apr-05
114
114
PAM Enhancements - 3
The functionality of the
pam_unix_auth module has
been split into two modules. The pam_unix_auth module now verifies that the password is correct for the user. The new module provides functions that establish user credential information. Additions to the pam_krb5 module have been made to manage the Kerberos credentials cache using the PAM framework.
A new
pam_unix_cred
pam_deny module has been added. The module can be used to deny access to services. By default, the
pam_deny module is not used

115
/etc/default/passwd
$ cat /etc/default/passwd #ident "@(#)passwd.dfl 1.7 04/04/22 SMI" # # Copyright 2004 Sun Microsystems, Inc. All rights reserved. # Use is subject to license terms. # MAXWEEKS= MINWEEKS= PASSLENGTH=6 # NAMECHECK enables/disables login name checking. # The default is to do login name checking. # Specifying a value of "NO" will disable login name checking. # #NAMECHECK=NO
Apr-05
116
116
/etc/default/passwd - 2
# HISTORY sets the number of prior password changes to keep and # check for a user when changing passwords. Setting the HISTORY # value to zero (0), or removing/commenting out the flag will # cause all users' prior password history to be discarded at the # next password change by any user. No password history will # be checked if the flag is not present or has zero value. # The maximum value of HISTORY is 26. # # This flag is only enforced for user accounts defined in the # local passwd(4)/shadow(4) files. # #HISTORY=0 #
Apr-05
117
117
# Password complexity tunables. The values listed are the defaults # which are compatible with previous releases of passwd. # See passwd(1) and pam_authtok_check(5) for use warnings and # discussion of the use of these options. # #MINDIFF=3 #MINALPHA=2 #MINNONALPHA=1 #MINUPPER=0 #MINLOWER=0 #MAXREPEATS=0 #MINSPECIAL=0 #MINDIGIT=0 #WHITESPACE=YES
Apr-05
118
118
# # # passwd performs dictionary lookups if DICTIONLIST or DICTIONDBDIR # is defined. If the password database does not yet exist, it is # created by passwd. See passwd(1), pam_authtok_check(5) and # mkdict(1) for more information. # #DICTIONLIST= #DICTIONDBDIR=/var/passwd
119
BSM
Apr-05
120
120
BSM
Solaris Basic Security Module Also known as Solaris auditing Part of Solaris for a while, but little used Very detailed accounting of system / user activities Can be too much want your disk space Good article at http://www.deerrun.com/~hal/sysadmin/SolarisBSMAuditing.htm l
Except for disk space, not very resource intensive

Apr-05
121
BSM Setup
BSM not enabled by default bsmconv configures BSM Creates files in /etc/security audit_startup runs at startup, configuring auditing via auditconfig commands
/usr/bin/echo "Starting BSM services." /usr/sbin/auditconfig -setpolicy +cnt /usr/sbin/auditconfig -conf /usr/sbin/auditconfig -aconf
Apr-05
122
122
BSM Setup cont

audit_control is primary config file dir:/var/audit flags: minfree:20 naflags:lo

flags defines audit events to pay attention to naflags defines non-attributable events to pay
attention to

Apr-05
audit_event can fine-tune auditing (defines events and divides them into classes) audit_class defines masks for accessing classes
123
BSM Setup - cont

Run audit n out of cron to cycle the (otherwise
infinite) log file: 0 * * * * /usr/sbin/audit n Compress and move the audit log to secure storage Do so rapidly on security-conscious machines (i.e. web servers) auditreduce can extract specific info from and
audit log
praudit can dump native audit binary data for
readability
124
BSM Tuning
Recommended auditing settings for more security-
conscious systems from http://www.cisecurity.com/bench_solaris.html Generated via this awk script:

awk 'BEGIN { FS = ":"; OFS = ":" } ($4 ~ /fm/) && ! ($2 ~ /MCTL|FCNTL|FLOCK|UTIME/) \ { $4 = $4 ",cc" } ($4 ~ /p[cms]/) && \ ! ($2 ~ /FORK|CHDIR|KILL|VTRACE|SETGROUPS|SETPGRP/) \ { $4 = $4 ",cc" } { print }' audit_event >audit_event.new
And associated audit_control configuration:

dir:/var/audit minfree:20 flags:lo,ad,cc naflags:lo,ad,ex
Apr-05
125
125
Auditing Enhancements
Apr-05
126
126
Auditing Enhancements
Can use the syslog utility to store audit records in text format
Enable and configure in /etc/security/audit_control

dir:/var/audit flags: lo,ad,-fm minfree:20 naflags:lo,ad plugin: name=audit_syslog.so;p_flags=lo,+ad;\ qsize=512
Add audit.notice /var/adm/auditlog to /etc/syslog.conf touch /var/adm/auditlog Use logadm to manage the logs The praudit x creates output formatted in XML

127
Auditing Enhancements - 2
Audit metaclasses provide an umbrella for finer-
grained audit classes

The bsmconv command no longer disables the use
of the Stop-A key

The Stop-A event can be audited The timestamp in audit records now displays in ISO
8601 format
Three audit policy options have been added: public Public objects are no longer audited for readonly events, reducing the audit log size perzone A separate audit daemon runs in each zone zonename The name of the Solaris zone in which an audit event occurred can be included in audit records
128
Auditing Enhancements - 3
Five audit tokens have been added: The cmd token records the list of arguments and the list of environment variables that are associated with a command The path_attr token records the sequence of attribute file objects that are below the path token object The privilege token records the use of privilege on a process The uauth token records the use of authorization with a command or action The zonename token records the name of the nonglobal zone in which an audit event occurred
129
Service Management Facility
Apr-05
130
130
Solaris 10 Service Management Facility (SMF)

Part of larger predictive self-healing facility (Build 69
and beyond)
Replacing inetd, changing use of /etc/rc files, etc Much more sophisticated management of system
startup and daemons Builds reference tree of which processes need which, and order to start them in If service fails, knows how to restart the service and all that depended on it Startup to login prompt much faster with multithreading Snapshotting of service status, reversion to previous status
131
SMF - 2
Booting now much quieter Each service has its own log in /var/svc/log
(/etc/svc/volatile)
Services that would have hung boot now debuggable
in maintenance mode
New boot m verbose to display message per
service
Processes will automatically restart by svc.startd
or be placed in maintenance mode (watch out for kill -9)
Apr-05
132
132
svcs
Displays services and stati # svcs STATE STIME legacy_run Feb_28 legacy_run Feb_28 legacy_run Feb_28 legacy_run Feb_28 . . . legacy_run Feb_28 legacy_run Feb_28 online Feb_28 online Feb_28 online Feb_28 online Feb_28 online Feb_28 . . .
FMRI lrc:/etc/rcS_d/S50sk98sol lrc:/etc/rc2_d/S10lu lrc:/etc/rc2_d/S20sysetup lrc:/etc/rc2_d/S40llc2 lrc:/etc/rc3_d/S84appserv lrc:/etc/rc3_d/S90samba svc:/system/svc/restarter:default svc:/network/pfil:default svc:/system/filesystem/root:default svc:/network/loopback:default svc:/milestone/name-services:default
Apr-05
133
133
svcs (cont)
Displays details about services (i.e. what
failed)
# svcs -x svc:/application/print/server:default (LP print server) State: disabled since Mon Feb 28 11:01:34 2005 Reason: Disabled by an administrator. See: http://sun.com/msg/SMF-8000-05 See: lpsched(1M) Impact: 2 dependent services are not running. (Use -v for list.)
Apr-05
134
134
svcs (cont)
Displays details about services (i.e. what
depends on what)
# svcs xv ssh STATE STIME online Feb_28 Feb_28 FMRI svc:/network/ssh:default 366 sshd
Apr-05
135
135
svcadm
Changes service states permanently (unless
t option used)
# svcs sendmail STATE STIME FMRI online Feb_28 svc:/network/smtp:sendmail # svcadm disable sendmail # svcs sendmail STATE STIME FMRI disabled 17:46:01 svc:/network/smtp:sendmail
Apr-05
136
136
SMF Notes

Changes to inetd.conf are still effective, but only if inetconv is run after the change Use SMF instead of RC script changes if at all possible Manifests contain service descriptions in /var/svc/manifest Changes to services can be made here Wont be reflected until service restarted or refreshed svcs a shows all services, no matter the state Also of interest svcadm restart restart the service svcadm refresh reread the service configuration svcs d FMRI shows named service and parents svcs D FMRI shows named service and dependents boot m milestone boots to named milestone svcadm milestone transitions to named milestone svccfg apply /var/svc/profile/generic_limited_net.xml disables generic extraneous network daemons
Apr-05
137
137
Labs
What services are running?
How do you parse the output of svcs? Which are disabled? Failed? What does inetd.conf look like? What is in the rc directories? What do the service log files show? Kill of an unimportant service via kill What happened Disable it via SMF Where is the SMF configuration information stored? How would you change the parameters of a service? What does an RPC service look like now? What run level are we at?
Apr-05
138
Solaris Cryptographic Framework
Apr-05
139
139
Crypto Framework
Provides common store of crypto algorithms and PKCS #11 libraries
optimized for SPARC and x86

PKCS #11 public key crypto standard defining technologyindependent API for crypto devices
Currently provides IPSec and Kerberos to kernel, libsasl and IKE to
users via plugins:

User-level plugins Shared objects that provide services by using PKCS #11 libraries, such as pkcs11_softtoken.so.1 Kernel-level plugins Kernel modules that provide implementations of cryptographic algorithms in software, such as AES Hardware plugins Device drivers and their associated hardware accelerators i.e. Sun Crypto Accelerator 1000 board
Framework implements a standard interface, the PKCS #11, v2.11
library, for user-level providers. Can be used by third-party applications to reach providers
Third parties can add signed libraries, signed kernel algorithm modules, and signed device drivers to the framework
plugins are added when the pkgadd utility installs the third-party software
Apr-05
140
Figure 81 Overview of the Solaris Cryptographic Framework
Apr-05
Copyright 2004-2005 Peter Baer (From Solaris 10 Galvin Solaris Security for Developers Guide) All Rights Reserved
141
141
Crypto Framework Admin

Administration via cryptoadm command: $ cryptoadm list user-level providers: /usr/lib/security/$ISA/pkcs11_kernel.so /usr/lib/security/$ISA/pkcs11_softtoken.so kernel software providers: des aes arcfour blowfish sha1 md5 rsa swrand kernel hardware providers:
142
Crypto Framework User Commands

digest Computes a message digest for one or more files or for stdin.
A digest is useful for verifying the integrity of a file. SHA1 and MD5 are examples of digest functions. mac Computes a message authentication code (MAC) for one or more files or for stdin. A MAC associates data with an authenticated message. A MAC enables a receiver to verify that the message came from the sender and that the message has not been tampered with. The sha1_mac and md5_hmac mechanisms can compute a MAC. encrypt Encrypts files or stdin with a symmetric cipher. The encrypt -l command lists the algorithms that are available. Mechanisms that are listed under a user-level library are available to the encrypt command. The framework provides AES, DES, 3DES (Triple-DES), and ARCFOUR mechanisms for user encryption. decrypt Decrypts files or stdin that were encrypted with the encrypt command. The decrypt command uses the identical key and mechanism that were used to encrypt the original file.
Apr-05
143
143
Key Generation
For MAC and encryption, need symmetric key
Determine algorithm to use and length of key needed $ encrypt -l Algorithm Keysize: Min Max (bits) -----------------------------------------aes 128 128 arcfour 8 128 des 64 64 3des 192 192 $ mac -l Algorithm Keysize: Min Max (bits) -----------------------------------------des_mac 64 64 sha1_hmac 8 512 md5_hmac 8 512
Apr-05
144
144
Key Generation - 2
Use a random number generator, or dd

Note that bs is in bytes, so device bits by 8
$ dd if=/dev/urandom of=keyfile bs=n count=1 Protect the key in the keyfile $ chmod 400 keyfile Example for AES: $ dd if=/dev/urandom of=$HOME/keyf/05.07.aes16 bs=16 count=1 $ chmod 400 ~/keyf/05.07.aes16 Now use the key to create an MD5 MAC: $ mac -v -a md5_hmac -k $HOME/keyf/05.07.mack64 email.attach md5_hmac (email.attach) = 02df6eb6c123ff25d78877eb1d55710c % echo "md5_hmac (email.attach) = 02df6eb6c123ff25d78877eb1d55710c" \ >> ~/mac.daily.05.07 Use AES for encryption using a keyphrase
$ encrypt -a aes \ -i ticket.to.ride -o ~/enc/e.ticket.to.ride Enter key: <Type passphrase>
Apr-05
145
145
Kerberos Enhancements
Apr-05
146
146
Kerberos Enhancements
The KDC software, the user commands and applications now
support TCP
Support for IPv6 was added to kinit, klist and kprop commands.
Support for IPv6 addresses is provided by default. There are no configuration parameters to change to enable IPv6 support. No IPv6 support is available for the kadmin and kadmind commands. A new PAM module called pam_krb5_migrate has been introduced. Helps in the automatic migration of users to the local Kerberos realm, if they do not already have Kerberos accounts. The ~/.k5login file can now be used with the GSS applications ftp and ssh The kproplog utility has been updated to output all attribute names per log entry
147
Kerberos Enhancements - 2
Kerberos protocol support is provided in remote
applications, such as ftp, rcp, rdist, rlogin, rsh, ssh, and telnet The Kerberos principal database can now be transferred by incremental update instead of by transferring the entire database each time

Apr-05
Increased database consistencies across servers The need for fewer resources (network, CPU, and so forth) Much more timely propagation of updates An automated method of propagation
148
A new script to help automatically configure a
Kerberos client
Several new encryption types have been added to
the Kerberos service

The AES encryption type can be used for high speed, high security encryption of Kerberos sessions. The use of AES is enabled through the Cryptographic Framework. ARCFOUR-HMAC provides better compatibility with other Kerberos versions. Triple DES (3DES) with SHA1 increases security. This encryption type also enhances interoperability with other Kerberos implementations that support this encryption type.
Apr-05
149
A new -e option has been included to several
subcommands of the kadmin command. This new option allows for the selection of the encryption type during the creation of principals. Additions to the pam_krb5 module manage the Kerberos credentials cache by using the PAM framework. Support is provided for auto-discovery of the Kerberos KDC, admin server, kpasswd server, and host or domain name-to-realm mappings by using DNS lookups A new configuration file option makes the strict TGT verification feature optionally configurable on a perrealm basis
150
Extensions to the password-changing utilities enable

the Solaris Kerberos V5 administration server to accept password change requests from clients that do not run Solaris software. The default location of the replay cache has been moved from RAM-based file systems to persistent storage in /var/krb5/rcache The GSS credential table is no longer necessary for the Kerberos GSS mechanism The Kerberos utilities, kinit and ktutil, are now based on MIT Kerberos version 1.2.1 The Solaris Kerberos Key Distribution Center (KDC) is now based on MIT Kerberos version 1.2.1
Apr-05
151
Packet Filtering
Apr-05
152
152
Packet Filtering Overview

Solaris used to have nothing, then SunScreen was
commercial, then SunScreen was included, now ipfilter is standard Solaris IP Filter is a host-based firewall that is derived from the open source IP Filter code, developed and maintained by Darren Reed

Based on version 4.0.33 of the open source IP Filter Uses the STREAMS module, pfil, to intercept packets By default, pfil is not autopushed onto network interface cards (NICs). Autopush of pfil is disabled for all drivers
Apr-05
153
Packet Filtering Overview - 2

Provides packet filtering and network address
translation (NAT), based upon a user-configurable policy

Rules are configurable to filter either statefully or statelessly Command line interface only ipf for loading or clearing packet filter rules ipnat for loading or clearing NAT rules ippool for managing address pools associated with IP rules ipfstat for viewing per-interface statistics ipmon for viewing of logged packets
Good info at http://www.obfuscation.org/ipf/

Only works in the global zone (so far)
154
ipfilter Details
Can match on the following IP header fields

Source or destination IP address (including inverted matches) IP protocol TOS (Type of Service) IP options or IP security classes Fragment Distinguish between various interfaces Return an ICMP error or TCP reset for denied packets Keep packet state information for TCP, UDP, and ICMP packet flows Keep fragment state information for any IP packet, applying the same rule to all fragments in that packet Use redirection to set up true transparent proxy connections Provide packet header details to a user program for authentication Provide temporary storage of pre-authenticated rules for passing packets
In addition it can:
Apr-05
155
155
ipfilter Details - 2
Special provision is made for the three most
common Internet protocols, TCP, UDP and ICMP. Can match based on:
TCP or UDP packets by port number or a port number range ICMP packets by type or code Established TCP packet sessions Any arbitrary combination of TCP flags
Note IPMP only supports stateless packet
filtering
156
Enable ipfilter
Disabled by default Assume a role that includes the Network
Management rights profile, or become superuser Edit /etc/ipf/pfil.ap

Uncomment the interface(s) to filter on
Put filter rules in /etc/ipf/ipf.conf for
automatic use at boot Put NAT rules in /etc/ipf/ipnat.conf for automatic use at boot Put config info in /etc/ipf/ippool.conf
Apr-05 Copyright 2004-2005 Peter Baer Galvin All Rights Reserved
157
157
/etc/ipf/ipf.conf
Rules processed top to bottom Entire ruleset is run, not just until a match

Last matching rule always has precedence quick rule option says to stop processing if match pass in quick on lo0 all pass out quick on lo0 all block in log all block out all pass in quick proto tcp from any to any port = 113 flags S keep state pass in quick proto tcp from any to any port = 22 flags S keep state pass in quick proto tcp from any port = 20 to any port 39999 >< 45000 flags S keep state pass out quick proto icmp from any to any keep state pass out quick proto tcp/udp from any to any keep state keep frags
Apr-05
158
/etc/ipf/ipnat.conf
Very feature rich translation of address and ports Some examples:
map eri1 192.168.1.0/24 -> 20.20.20.1/32 map eri1 192.168.1.0/24 -> 0/32 portmap tcp/udp auto map eri1 192.168.1.0/24 -> 20.20.20.1/32 proxy port ftp ftp/tcp rdr eri1 20.20.20.5/32 port 80 -> 192.168.0.5, 192.168.0.6, port 8000
Apr-05
159
159
/etc/ipf/ippool.conf
Pool of addresses used by ipfilter Used for defining a single object that contains
multiple IP address / netmask pairs

Then rule can be applied to a pool
ipf rule: pass in from pool/100 to any

table role = ipf type = tree number = 100 { 1.1.1.1/32, 2.2.0.0/16, !2.2.2.0/24 };
Apr-05
160
160
ipfilter status
ipfstat io shows current filter rules ipfstat shows the current state table ipfstat s shows state statistics ipfstat t shows top-like status information ippool s shows pool statistics ipnat s shows NAT statistics ndd -get /dev/pfil qif_status shows pfil
statistics in the kernel

ipmon a shows the ipfilter log
Apr-05
161
161
BART
Apr-05
162
162
BART
Basic Auditing and Reporting Tool Quick and easy way to collect info on filesystem
object and attributes

Then use to look for changes Much like tripwire, but integral to Solaris 10
Create and compare modes Create Entire system, specific dirs, subset of files, or specific rules based Creates manifest Compare Take two manifests and optional rules and output comparison information
163
BART
Good info on centralizing, securing, and
automating use of BART from

http://blogs.sun.com/roller/page/gbrunett/20041 001#automating_solaris_10_file_integrity
Information on tying BART together with the
Solaris Fingerprint Database (available for free from SunSolve http://www.sun.com/blueprints/0501/Fingerprint. pdf
) to find changed to files shipped by Sun available from

http://www.securitydocs.com/library/2693
Apr-05
164
Conclusions
Apr-05
165
165
Conclusions
Lots of new security features in Solaris 10 Zones possibly most powerful for admins Privileges most powerful for system software Moves to become more industry-compatible
ipfilter Kerberos NIS to LDAP

Powerful new APIs

Apr-05
Solaris Crypto Framework

166
Conclusions - 2
SMF allows finegrain service control, debugging Still use security best practices (host lockdown, good
passwords, etc)
Not new, but be sure sendmail is preventing
relaying
http://www.sun.com/bigadmin/features/article s/config_sendmail.html
Other interesting features not covered here

Smart Card API SASL

Apr-05
167
References

Sun Security Home Page

http://www.sun.com/security http://sunsolve.sun.com/ http://sunsolve.sun.com/security http://www.sun.com/blueprints

Solaris Patches & Finger Print Database Sun Security Coordination Team Sun BluePrints for Security
Developing a Security Policy Trust Modelling for Security Arch. Development Building Secure n-Tier Environments How Hackers Do It: Tricks, Tips and Techniques
Solaris OE Security

http://www.sun.com/solaris http://www.sun.com/security/jass http://www.sun.com/solaris/trustedsolaris http://java.sun.com/security http://www.sun.com/servers/entry/checkpoint http://www.sun.com/networking

Trusted Solaris OE

Java Security Network and Security Products http://docs.sun.com Solaris 10 collection
Some slides copyright Sun Microsystems, all rights reserved
Apr-05
168
168

Solaris 10 Security-Sun.v1.3

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Solaris 10 Security-Sun.v1.3

Uploaded by

Copyright:

Available Formats

Solaris 10 Security Workshop

Peter Baer Galvin For Usenix 2005

About the Speaker

Copyright 2004-2005 Peter Baer Galvin All Rights Reserved

from an admin point of view

Some app/dev points made to guide developers

Convey their current status, usability, and

Copyright 2004-2005 Peter Baer Galvin All Rights Reserved

Or at least a few years of other Unix experience

Best is a few years of admin experience,

Copyright 2004-2005 Peter Baer Galvin All Rights Reserved

About the Tutorial

Setting base of knowledge But lets take off-topic off-line

Please ask questions

Copyright 2004-2005 Peter Baer Galvin All Rights Reserved

Copyright 2004-2005 Peter Baer Galvin All Rights Reserved

Why Listen to Me?

Copyright 2004-2005 Peter Baer Galvin All Rights Reserved

Download from Sun Media Kits now shipping

How to get Solaris 10+

Join Solaris Express

Copyright 2004-2005 Peter Baer Galvin All Rights Reserved

Copyright 2004-2005 Peter Baer Galvin All Rights Reserved

Security is important to administrators It usually annoys users

Well look at each new feature, how useful,

powerful and annoying it is

Copyright 2004-2005 Peter Baer Galvin All Rights Reserved

(From the Solaris 10 Sun Net Talk about Solaris 10 Security)

(From the Solaris 10 Sun Net Talk about Solaris 10 Security)

(From the Solaris 10 Sun Net Talk about Solaris 10 Security)

(From the Solaris 10 Sun Net Talk about Solaris 10 Security)

(From the Solaris 10 Sun Net Talk about Solaris 10 Security)

(From the Solaris 10 Sun Net Talk about Solaris 10 Security)

(From the Solaris 10 Sun Net Talk about Solaris 10 Security)

Copyright 2004-2005 Peter Baer Galvin All Rights Reserved

(From the Solaris 10 Sun Net Talk about Solaris 10 Security)

N1 Grid Containers (aka Zones)

Copyright 2004-2005 Peter Baer Galvin All Rights Reserved

Delegated admin control

Virtualized device paths, network interfaces,

short-pathed through the kernel

driver (lofi) using a file as a file system

Although Sun working to move as many settings as possible out of /etc/system

Non-global Zone States

Copyright 2004-2005 Peter Baer Galvin All Rights Reserved

In addition, the following types of information, if present in the global

zone, are not copied into a zone that is being installed:

Copyright 2004-2005 Peter Baer Galvin All Rights Reserved

Messages look like a system reboot (within your window)

Copyright 2004-2005 Peter Baer Galvin All Rights Reserved

Copyright 2004-2005 Peter Baer Galvin All Rights Reserved

16 15:14 app1 21 12:44 test physical=pnc0: No

Copyright 2004-2005 Peter Baer Galvin All Rights Reserved

STATUS running running

Mounted on / /devices /boot /proc /etc/mnttab /dev/fd /var/run /tmp /export/home

Copyright 2004-2005 Peter Baer Galvin All Rights Reserved

Copyright 2004-2005 Peter Baer Galvin All Rights Reserved

Copyright 2004-2005 Peter Baer Galvin All Rights Reserved

Zone Configuration -10

Copyright 2004-2005 Peter Baer Galvin All Rights Reserved

Copyright 2004-2005 Peter Baer Galvin All Rights Reserved

Note that virtual memory (and therefore swap) are global

Copyright 2004-2005 Peter Baer Galvin All Rights Reserved