Solaris 11 Security
- a live demo in slides -
by Joerg Möllenkamp, c0t0d0s0.org
c0t0d0s0//org
This slideset was made as a fallback for a live demo
at a series of Oracle Breakfast events in Germany,
as the presentation diverged a lot at the first location
in the light of recent events around privacy and security.
However, most of the information is in the voice track, which wasn't recorded.
So this presentation may not be that useful.
If you need the voice track, ask your Oracle sales rep to ask his manager
to ask my manager to let me do the presentation in your country ;)
Primarily I used examples from my practical work and from my own blog;
however, I would like to thank two colleagues:
Glenn Faden for Oracle Solaris Extended Policy and MySQL
https://blogs.oracle.com/gfaden/entry/oracle_solaris_extended_policy_and
Darren Moffat for Compliance reporting with SCAP
https://blogs.oracle.com/darren/entry/compliance_reporting_with_scap
I directly reused their blog entries for this presentation.
Certifications
Solaris 10 Common Criteria Evaluation
has been certified on EAL4+ level
We have a Common Criteria certification: for Solaris 10 at the moment, for Solaris 11 in the future.
However, the Common Criteria certification doesn't certify security.
Solaris 10 Trusted Extensions Common Criteria Evaluation
has been certified on EAL4+ level
http://www.oracle.com/technetwork/topics/security/oracle-cc-evalsolaris-083233.html#sol10U3TX
The following protection profiles were used:
Conditional Access Protection Profile
Role Based Access Control Protection Profile
Label Security Protection Profiles
Solaris 11.1 is currently in certification.
http://www.oracle.com/technetwork/topics/security/security-evaluations-099357.html#InEvaluated
Is it really a Solaris 11 binary?
jmoekamp@server:~$ elfsign verify -v /usr/bin/oscap
elfsign: verification of /usr/bin/oscap passed.
format: rsa_md5_sha1.
signer: CN=SunOS 5.10, OU=Solaris Signed Execution, O=Sun Microsystems Inc.
Sandboxing applications on Solaris 11.1
root@solaris# profiles -p "MySQL Service"
MySQL Service> set desc="Locking down the MySQL Service"
MySQL Service> add cmd=/lib/svc/method/mysql_51
MySQL Service:mysql_51> set privs=basic
MySQL Service:mysql_51> add privs={net_privaddr}:3306/tcp
MySQL Service:mysql_51> add privs={file_write}:/var/mysql/5.1/data/*
MySQL Service:mysql_51> add privs={file_write}:/tmp/mysql.sock
MySQL Service:mysql_51> add privs={file_write}:/var/tmp/ib*
MySQL Service:mysql_51> end
MySQL Service> set uid=mysql
MySQL Service> set gid=mysql
MySQL Service> exit
root@solaris#
root@solaris# svccfg -s mysql:version_51
svc:/application/database/mysql:version_51> setprop method_context/profile="MySQL Service"
svc:/application/database/mysql:version_51> setprop method_context/use_profile=true
svc:/application/database/mysql:version_51> refresh
svc:/application/database/mysql:version_51> exit
root@solaris# ipadm set-prop -p extra_priv_ports+=3306 tcp
root@solaris# ipadm show-prop -p extra_priv_ports tcp
PROTO PROPERTY         PERM CURRENT        PERSISTENT DEFAULT   POSSIBLE
tcp   extra_priv_ports rw   2049,4045,3306 --         2049,4045 1-65535
# svcadm enable mysql:version_51
root@solaris# ppriv $(pgrep mysql)
103697: /usr/mysql/5.1/bin/mysqld --basedir=/usr/mysql/5.1 --datadir=/var/mysq
flags = PRIV_XPOLICY
Extended policies:
{net_privaddr}:3306/tcp
{file_write}:/var/mysql/5.1/data/*
{file_write}:/tmp/mysql.sock
{file_write}:/var/tmp/ib*
E: basic,!file_write
I: basic,!file_write
P: basic,!file_write
L: all
103609: /bin/sh /usr/mysql/5.1/bin/mysqld_safe --user=mysql --datadir=/var/mys
flags = PRIV_XPOLICY
Extended policies:
{net_privaddr}:3306/tcp
{file_write}:/var/mysql/5.1/data/*
{file_write}:/tmp/mysql.sock
{file_write}:/var/tmp/ib*
E: basic,!file_write
I: basic,!file_write
P: basic,!file_write
L: all
Find more information regarding this feature at:
https://blogs.oracle.com/gfaden/entry/oracle_solaris_extended_policy_and
Passwords
root@client:/etc/security# cat /etc/security/crypt.conf
#
# Copyright 2008 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
#ident "%Z%%M% %I% %E% SMI"
#
# The algorithm name __unix__ is reserved.
1 crypt_bsdmd5.so.1
2a crypt_bsdbf.so.1
md5 crypt_sunmd5.so.1
5 crypt_sha256.so.1
6 crypt_sha512.so.1
root@client:/etc/security# cat /etc/security/policy.conf | egrep "^CRYPT_DEFAULT"
CRYPT_DEFAULT=5
root@client:/etc/security# cat /etc/shadow | grep junior
junior:$5$4aKvDFqA$2kL8GpuXjrd.f8XpanqhylEP5lDhy1DF5uo1ZYx74f3:15929::::::1440
root@client:/etc/security# cat /etc/default/passwd | grep -v "# " | egrep -v "^#$|^$"
#ident "%Z%%M% %I% %E% SMI"
MAXWEEKS=
MINWEEKS=
PASSLENGTH=6
#NAMECHECK=NO
#HISTORY=0
#MINDIFF=3
#MINALPHA=2
#MINNONALPHA=1
#MINUPPER=0
#MINLOWER=0
#MAXREPEATS=0
#MINSPECIAL=0
#MINDIGIT=0
#WHITESPACE=YES
#DICTIONLIST=
#DICTIONDBDIR=/var/passwd
root@client:/# mkpwdict -s /usr/share/lib/dict/words
mkpwdict: using default database location: /var/passwd.
or:
root@client:/# mkpwdict -s /usr/share/lib/dict/words -d /var/passwd
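As an added example (not from the slides), a POSIX shell checker for the /etc/default/passwd settings shown above, run against a copy of the slide's file reproduced inline. Which keys it insists on and the thresholds (length 8, a history, an expiry) are my own choices, not Solaris defaults; the dictionary check ties in with the mkpwdict step.

```shell
#!/bin/sh
# Added example, not from the original slides: flag weak settings in an
# /etc/default/passwd. The keys that must be set explicitly and the
# thresholds are this script's policy, not Solaris defaults.

# Constructed copy of the active lines shown on the slide (commented keys kept).
sample_passwd_defaults() {
    cat <<'EOF'
#ident "%Z%%M% %I% %E% SMI"
MAXWEEKS=
MINWEEKS=
PASSLENGTH=6
#NAMECHECK=NO
#HISTORY=0
#MINDIFF=3
#MINNONALPHA=1
#DICTIONLIST=
#DICTIONDBDIR=/var/passwd
EOF
}

# Constructed hardened variant that should produce no findings.
hardened_passwd_defaults() {
    cat <<'EOF'
MAXWEEKS=13
MINWEEKS=1
PASSLENGTH=12
HISTORY=10
MINDIFF=3
MINNONALPHA=2
DICTIONLIST=/usr/share/lib/dict/words
DICTIONDBDIR=/var/passwd
EOF
}

# passwd_policy_findings < file
# Reads KEY=VALUE lines; comment lines are skipped and an empty value
# (MAXWEEKS=) counts as unset. Prints one finding per line, nothing if all is well.
passwd_policy_findings() {
    awk -F= '
        # want(key, min, msg): finding if key is unset or its numeric value is below min
        function want(key, min, msg) {
            if (!(key in set))           print key ": " msg " (not set)"
            else if (set[key] + 0 < min) print key ": " msg " (is " set[key] ")"
        }
        /^[ \t]*#/ || NF < 2 { next }
        {
            key = $1; gsub(/[ \t]/, "", key)
            val = $2; gsub(/[ \t]/, "", val)
            if (val != "") set[key] = val
        }
        END {
            want("PASSLENGTH",   8, "minimum length below 8")
            want("MAXWEEKS",     1, "no maximum password age, passwords never expire")
            want("HISTORY",      1, "no password history, old passwords can be reused")
            want("MINNONALPHA",  1, "no non-alphabetic character required")
            want("DICTIONDBDIR", 0, "no dictionary database, mkpwdict output is unused")
        }'
}
```

On a live system run `passwd_policy_findings < /etc/default/passwd`; an empty result means the file meets this script's policy.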
Address Space Layout Randomization
root@solaris:/# sxadm exec -s aslr=disable /usr/bin/pmap self
1914: /usr/bin/pmap self
1914: /usr/bin/pmap self
0000000000400000 28K r-x-- /usr/bin/pmap
0000000000417000 4K rw--- /usr/bin/pmap
0000000000418000 40K rw--- [ heap ]
FFFF80FFBDDD0000 216K r-x-- /lib/amd64/libproc.so.1
FFFF80FFBDE16000 8K rw--- /lib/amd64/libproc.so.1
FFFF80FFBF430000 1764K r-x-- /lib/amd64/libc.so.1
FFFF80FFBF5F9000 64K rw--- /lib/amd64/libc.so.1
FFFF80FFBF609000 12K rw--- /lib/amd64/libc.so.1
FFFF80FFBF740000 4K rw--- [ anon ]
FFFF80FFBF750000 24K rwx-- [ anon ]
FFFF80FFBF760000 4K rw--- [ anon ]
FFFF80FFBF770000 4K rw--- [ anon ]
FFFF80FFBF780000 4K rw--- [ anon ]
FFFF80FFBF790000 4K rw--- [ anon ]
FFFF80FFBF792000 4K r--s- [ anon ]
FFFF80FFBF795000 340K r-x-- /lib/amd64/ld.so.1
FFFF80FFBF7FA000 12K rwx-- /lib/amd64/ld.so.1
FFFF80FFBF7FD000 8K rwx-- /lib/amd64/ld.so.1
FFFF80FFBFFFD000 12K rw--- [ stack ]
total 2556K
root@solaris:/# sxadm exec -s aslr=disable /usr/bin/pmap self
1915: /usr/bin/pmap self
1915: /usr/bin/pmap self
0000000000400000 28K r-x-- /usr/bin/pmap
0000000000417000 4K rw--- /usr/bin/pmap
0000000000418000 40K rw--- [ heap ]
FFFF80FFBDDD0000 216K r-x-- /lib/amd64/libproc.so.1
FFFF80FFBDE16000 8K rw--- /lib/amd64/libproc.so.1
FFFF80FFBF430000 1764K r-x-- /lib/amd64/libc.so.1
FFFF80FFBF5F9000 64K rw--- /lib/amd64/libc.so.1
FFFF80FFBF609000 12K rw--- /lib/amd64/libc.so.1
FFFF80FFBF740000 4K rw--- [ anon ]
FFFF80FFBF750000 24K rwx-- [ anon ]
FFFF80FFBF760000 4K rw--- [ anon ]
FFFF80FFBF770000 4K rw--- [ anon ]
FFFF80FFBF780000 4K rw--- [ anon ]
FFFF80FFBF790000 4K rw--- [ anon ]
FFFF80FFBF792000 4K r--s- [ anon ]
FFFF80FFBF795000 340K r-x-- /lib/amd64/ld.so.1
FFFF80FFBF7FA000 12K rwx-- /lib/amd64/ld.so.1
FFFF80FFBF7FD000 8K rwx-- /lib/amd64/ld.so.1
FFFF80FFBFFFD000 12K rw--- [ stack ]
total 2556K
root@solaris:/# sxadm exec -s aslr=enable /usr/bin/pmap self
1917: /usr/bin/pmap self
1917: /usr/bin/pmap self
0000000000400000 28K r-x-- /usr/bin/pmap
0000000000417000 4K rw--- /usr/bin/pmap
0000000000418000 8K rw--- /usr/bin/pmap
00000005D6666000 36K rw--- [ heap ]
00007FF669C70000 216K r-x-- /lib/amd64/libproc.so.1
00007FF669CB6000 8K rw--- /lib/amd64/libproc.so.1
00007FF669CC0000 4K rw--- [ anon ]
00007FF669CD0000 24K rwx-- [ anon ]
00007FF669CE0000 4K rw--- [ anon ]
00007FF669CF0000 1764K r-x-- /lib/amd64/libc.so.1
00007FF669EB9000 64K rw--- /lib/amd64/libc.so.1
00007FF669EC9000 12K rw--- /lib/amd64/libc.so.1
00007FF669ED0000 4K rw--- [ anon ]
00007FF669EE0000 4K rw--- [ anon ]
00007FF669EF0000 4K rw--- [ anon ]
00007FF669EF2000 4K r--s- [ anon ]
00007FF669EFC000 340K r-x-- /lib/amd64/ld.so.1
00007FF669F61000 12K rwx-- /lib/amd64/ld.so.1
00007FF669F64000 8K rwx-- /lib/amd64/ld.so.1
FFFF80DDA254F000 16K rw--- [ stack ]
total 2564K
root@solaris:/# sxadm exec -s aslr=enable /usr/bin/pmap self
1918: /usr/bin/pmap self
1918: /usr/bin/pmap self
0000000000400000 28K r-x-- /usr/bin/pmap
0000000000417000 4K rw--- /usr/bin/pmap
0000000000418000 8K rw--- /usr/bin/pmap
000000065B76D000 36K rw--- [ heap ]
00007FFAACFC0000 216K r-x-- /lib/amd64/libproc.so.1
00007FFAAD006000 8K rw--- /lib/amd64/libproc.so.1
00007FFAAD010000 4K rw--- [ anon ]
00007FFAAD020000 24K rwx-- [ anon ]
00007FFAAD030000 4K rw--- [ anon ]
00007FFAAD040000 1764K r-x-- /lib/amd64/libc.so.1
00007FFAAD209000 64K rw--- /lib/amd64/libc.so.1
00007FFAAD219000 12K rw--- /lib/amd64/libc.so.1
00007FFAAD220000 4K rw--- [ anon ]
00007FFAAD230000 4K rw--- [ anon ]
00007FFAAD240000 4K rw--- [ anon ]
00007FFAAD242000 4K r--s- [ anon ]
00007FFAAD24D000 340K r-x-- /lib/amd64/ld.so.1
00007FFAAD2B2000 12K rwx-- /lib/amd64/ld.so.1
00007FFAAD2B5000 8K rwx-- /lib/amd64/ld.so.1
FFFF80DE1559E000 12K rw--- [ stack ]
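As an added example (not part of the slides), a POSIX shell check that compares two pmap listings of the same program and reports which mappings moved; on a live Solaris 11 box feed it two runs of `pmap self`. The listings embedded here are constructed from the two aslr=enable runs above, trimmed to one line per segment of interest.

```shell
#!/bin/sh
# Added example, not from the original slides: compare two pmap(1) listings of
# the same program and report which mappings got a different base address.
# Live use:  aslr_report "$(pmap self)" "$(pmap self)"
# The listings below are constructed from the slide output (PIDs 1917 and 1918).

PMAP_RUN1='0000000000400000 28K r-x-- /usr/bin/pmap
0000000000417000 4K rw--- /usr/bin/pmap
00000005D6666000 36K rw--- [ heap ]
00007FF669C70000 216K r-x-- /lib/amd64/libproc.so.1
00007FF669CB6000 8K rw--- /lib/amd64/libproc.so.1
00007FF669CD0000 24K rwx-- [ anon ]
00007FF669CF0000 1764K r-x-- /lib/amd64/libc.so.1
00007FF669EB9000 64K rw--- /lib/amd64/libc.so.1
00007FF669EFC000 340K r-x-- /lib/amd64/ld.so.1
FFFF80DDA254F000 16K rw--- [ stack ]'

PMAP_RUN2='0000000000400000 28K r-x-- /usr/bin/pmap
0000000000417000 4K rw--- /usr/bin/pmap
000000065B76D000 36K rw--- [ heap ]
00007FFAACFC0000 216K r-x-- /lib/amd64/libproc.so.1
00007FFAAD006000 8K rw--- /lib/amd64/libproc.so.1
00007FFAAD020000 24K rwx-- [ anon ]
00007FFAAD040000 1764K r-x-- /lib/amd64/libc.so.1
00007FFAAD209000 64K rw--- /lib/amd64/libc.so.1
00007FFAAD24D000 340K r-x-- /lib/amd64/ld.so.1
FFFF80DE1559E000 12K rw--- [ stack ]'

# aslr_report LISTING1 LISTING2
# Prints one line per mapping of LISTING1: "moved <name>" when the same mapping
# (same name and same ordinal, so libc's several segments pair up) has another
# base address in LISTING2, "fixed <name>" otherwise. The "PID: cmd" header and
# the "total" line of real pmap output have too few fields and are skipped.
aslr_report() {
    {
        printf '%s\n' "$1" | sed 's/^/1 /'
        printf '%s\n' "$2" | sed 's/^/2 /'
    } | awk '
        NF >= 5 {
            run = $1; addr = $2
            name = $5
            for (i = 6; i <= NF; i++) name = name " " $i
            key = name "#" (++seen[run, name])
            if (run == "1") { base[key] = addr; order[++n] = key; label[key] = name }
            else if ((key in base) && base[key] != addr) moved[key] = 1
        }
        END {
            for (i = 1; i <= n; i++) {
                k = order[i]
                state = (k in moved) ? "moved" : "fixed"
                print state, label[k]
            }
        }'
}

# aslr_effective LISTING1 LISTING2
# Returns 0 when heap, stack and every shared object moved between the runs.
# A non-PIE main executable (here /usr/bin/pmap at 0x400000) is expected to stay.
aslr_effective() {
    aslr_report "$1" "$2" | awk '
        $1 == "fixed" && ($0 ~ /\.so/ || $0 ~ /\[ (heap|stack) \]/) { bad = 1 }
        END { if (bad) exit 1; exit 0 }'
}
```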
root@solaris:/# sxadm info
EXTENSION STATUS CONFIGURATION
aslr enabled (tagged-files) system default (default)
root@solaris:/# elfdump -d /usr/bin/pmap | grep "ASLR"
[33] SUNW_ASLR 0x2 ENABLE
root@solaris:/# elfedit -e 'dyn:sunw_aslr disable' /usr/bin/pmap
root@solaris:/# elfdump -d /usr/bin/pmap | grep "ASLR"
[33] SUNW_ASLR 0x1 DISABLE
root@solaris:/# sxadm enable -c model=all aslr
root@solaris:/# sxadm info
EXTENSION STATUS CONFIGURATION
aslr enabled (all) enabled (all)
root@solaris:/# sxadm disable aslr
root@solaris:/# sxadm info
EXTENSION STATUS CONFIGURATION
aslr disabled disabled
root@solaris:/# sxadm enable -c model=tagged-files aslr
root@solaris:/# sxadm info
EXTENSION STATUS CONFIGURATION
aslr enabled (tagged-files) enabled (tagged-files)
pfedit
root@template:/etc/apache2/2.2# profiles -p "httpd edit"
profiles:httpd edit> set auths=solaris.admin.edit/etc/apache2/2.2/httpd.conf
profiles:httpd edit> set desc="Edit httpd"
profiles:httpd edit> exit
root@template:/etc/apache2/2.2# usermod -P +"httpd edit" junior
junior@template:~$ profiles
httpd edit
Basic Solaris User
All
junior@template:~$ vi /etc/apache2/2.2/httpd.conf
junior@template:~$ pfedit /etc/apache2/2.2/httpd.conf
pfedit: /etc/apache2/2.2/httpd.conf has been updated.
junior@template:~$ pfedit /etc/apache2/2.2/mime.types
pfedit: User junior is not authorized to edit the file /etc/apache2/2.2/mime.types.
root@template:/etc/apache2/2.2# profiles -p "httpd edit"
profiles:httpd edit> info
name=httpd edit
desc=Edit httpd
auths=solaris.admin.edit/etc/apache2/2.2/httpd.conf
profiles:httpd edit> add auths=solaris.admin.edit/etc/apache2/2.2/mime.types
junior@template:~$ pfedit /etc/apache2/2.2/mime.types
pfedit: no changes for /etc/apache2/2.2/mime.types.
# profiles -p "httpd configure"
profiles:httpd configure> add always_audit=as
profiles:httpd configure> info
name=httpd configure
desc=Configure httpd
auths=solaris.admin.edit/etc/apache2/2.2/httpd.conf,solaris.admin.edit/etc/apache2/2.2/mime.types
always_audit=as
never_audit=no
profiles:httpd configure> exit
root@template:~#
root@template:~# auditreduce -c as | praudit
[..]
header,486,2,edit administrative file,,fe80::a00:27ff:fea6:33cb,2013-08-12 07:45:52.306 +00:00
subject,junior,junior,staff,junior,staff,4212,447467166,369 136704 MacBook-Pro-of-c0t0d0s0.fritz.box
path,/etc/apache2/2.2/httpd.conf
use of authorization,solaris.admin.edit/etc/apache2/2.2/httpd.conf
text,--- /etc/apache2/2.2/httpd.conf Mo. Aug 12 07:45:00 2013
+++ /etc/apache2/2.2/httpd.conf.pfedit.1BaGoi Mo. Aug 12 07:45:52 2013
@@ -1,5 +1,6 @@
# Test
# Test 2:
+# Test 3:
#
# This is the main Apache HTTP server configuration file. It contains the
# configuration directives that give the server its instructions.
return,success,0
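As an added example (not from the slides), a small POSIX shell script that condenses the output of `auditreduce -c as | praudit` into one line per edit: who used which authorization on which file, whether it succeeded, and how many lines the recorded diff added and removed. The trail it runs on is constructed from the record above plus a second, hand-made record for mime.types.

```shell
#!/bin/sh
# Added example, not from the original slides: summarise "edit administrative
# file" records from an audit trail as printed by praudit(1M).

# Constructed trail: the slide's record (context lines given back their
# leading space) plus an invented second edit of mime.types.
SAMPLE_TRAIL='header,486,2,edit administrative file,,fe80::a00:27ff:fea6:33cb,2013-08-12 07:45:52.306 +00:00
subject,junior,junior,staff,junior,staff,4212,447467166,369 136704 MacBook-Pro-of-c0t0d0s0.fritz.box
path,/etc/apache2/2.2/httpd.conf
use of authorization,solaris.admin.edit/etc/apache2/2.2/httpd.conf
text,--- /etc/apache2/2.2/httpd.conf Mo. Aug 12 07:45:00 2013
+++ /etc/apache2/2.2/httpd.conf.pfedit.1BaGoi Mo. Aug 12 07:45:52 2013
@@ -1,5 +1,6 @@
 # Test
 # Test 2:
+# Test 3:
 #
 # This is the main Apache HTTP server configuration file. It contains the
return,success,0
header,512,2,edit administrative file,,fe80::a00:27ff:fea6:33cb,2013-08-12 08:02:11.004 +00:00
subject,junior,junior,staff,junior,staff,4301,447467166,369 136704 MacBook-Pro-of-c0t0d0s0.fritz.box
path,/etc/apache2/2.2/mime.types
use of authorization,solaris.admin.edit/etc/apache2/2.2/mime.types
text,--- /etc/apache2/2.2/mime.types Mo. Aug 12 08:01:40 2013
+++ /etc/apache2/2.2/mime.types.pfedit.Xy12Ab Mo. Aug 12 08:02:11 2013
@@ -10,3 +10,2 @@
 application/json json
-application/x-foo foo
-application/x-bar bar
+application/x-foo foo bar
return,success,0'

# audit_edit_summary < trail
# One line per "edit administrative file" record:
#   <timestamp> <audit user> <path> <authorization> <result> +<added>/-<removed>
# Tokens are comma separated; the diff sits in the text token and is counted
# by its leading "+" / "-" (the "+++" / "---" file headers are not counted).
audit_edit_summary() {
    awk -F, '
        /^header,/ {
            want = ($4 == "edit administrative file")
            when = substr($7, 1, 19); user = path = auth = ""; add = del = 0
            next
        }
        !want { next }
        /^subject,/ { user = $2; next }          # $2 is the audit user ID
        /^path,/ { path = $2; next }
        /^use of authorization,/ { auth = $2; next }
        /^return,/ {
            printf "%s %s %s %s %s +%d/-%d\n", when, user, path, auth, $2, add, del
            want = 0; next
        }
        /^\+/ && !/^\+\+\+/ { add++ }
        /^-/ && !/^---/ { del++ }
    '
}
```

On a live system: `auditreduce -c as | praudit | audit_edit_summary`.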
Delegating privilege to restart services (so you can keep the root password)
junior@template:~$ svcadm refresh apache22
svcadm: svc:/network/http:apache22: Permission denied.
# svcs -a | grep "apache22"
online 15:30:29 svc:/network/http:apache22
# auths add -t "Apache22 value" solaris.smf.value.http.apache22
# auths add -t "Apache22 action" solaris.smf.action.http.apache22
# svccfg -s apache22 setprop general/value_authorization= astring: solaris.smf.value.http.apache22
# svccfg -s apache22 setprop general/action_authorization= astring: solaris.smf.action.http.apache22
# profiles -p "httpd edit" \
add auths=solaris.smf.action.http.apache22
junior@template:~$ svcadm refresh apache22
junior@template:~$
Privileges
$ ls -l /usr/sbin/traceroute
-r-sr-xr-x 1 root bin 42324 Nov 21 00:09 /usr/sbin/traceroute
$ ls -l /usr/sbin/ping
-r-sr-xr-x 1 root bin 51396 Nov 18 19:31 /usr/sbin/ping
Set-uid to root: ping needs it to work ...
# chmod -s /sbin/ping
# exit
$ ping -s 192.168.1.132
ping: socket Permission denied
Remove the set-uid bit and ping stops working ...
jmoekamp@daddelkiste:~$ ppriv $$
2153: -bash
flags = <none>
E: basic
I: basic
P: basic
L: all
contract_event,contract_identity,contract_observer,cpc_cpu,dtrace_kernel,dtrace_proc,dtrace_user,file_chown,file_chown_self,file_dac_execute,file_dac_read,file_dac_search,file_dac_write,file_downgrade_sl,file_flag_set,file_link_any,file_owner,file_read,file_setid,file_upgrade_sl,file_write,graphics_access,graphics_map,ipc_dac_read,ipc_dac_write,ipc_owner,net_access,net_bindmlp,net_icmpaccess,net_mac_aware,net_mac_implicit,net_observability,net_privaddr,net_rawaccess,proc_audit,proc_chroot,proc_clock_highres,proc_exec,proc_fork,proc_info,proc_lock_memory,proc_owner,proc_priocntl,proc_session,proc_setid,proc_taskid,proc_zone,sys_acct,sys_admin,sys_audit,sys_config,sys_devices,sys_dl_config,sys_flow_config,sys_ib_config,sys_ib_info,sys_ip_config,sys_ipc_config,sys_iptun_config,sys_linkdir,sys_mount,sys_net_config,sys_nfs,sys_ppp_config,sys_res_bind,sys_res_config,sys_resource,sys_share,sys_smb,sys_suser_compat,sys_time,sys_trans_label,win_colormap,win_config,win_dac_read,win_dac_write,win_devices,win_dga,win_downgrade_sl,win_fontpath,win_mac_read,win_mac_write,win_selection,win_upgrade_sl
All privileges in their entirety assigned to one user are # (almost)
A neat extension in Solaris 11: the ability to use networking is now a privilege (net_access).
It's part of the default set of privileges, but you can remove it.
moekamp@daddelkiste:~$ ppriv -v $$
2153: -bash
flags = <none>
E: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
I: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
P: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
L: contract_event,contract_identity,contract_observer,cpc_cpu,dtrace_kernel,dtrace_proc,dtrace_user,file_chown,file_chown_self,file_dac_execute,file_dac_read,file_dac_search,file_dac_write,file_downgrade_sl,file_flag_set,file_link_any,file_owner,file_read,file_setid,file_upgrade_sl,file_write,graphics_access,graphics_map,ipc_dac_read,ipc_dac_write,ipc_owner,net_access,net_bindmlp,net_icmpaccess,net_mac_aware,net_mac_implicit,net_observability,net_privaddr,net_rawaccess,proc_audit,proc_chroot,proc_clock_highres,proc_exec,proc_fork,proc_info,proc_lock_memory,proc_owner,proc_priocntl,proc_session,proc_setid,proc_taskid,proc_zone,sys_acct,sys_admin,sys_audit,sys_config,sys_devices,sys_dl_config,sys_flow_config,sys_ib_config,sys_ib_info,sys_ip_config,sys_ipc_config,sys_iptun_config,sys_linkdir,sys_mount,sys_net_config,sys_nfs,sys_ppp_config,sys_res_bind,sys_res_config,sys_resource,sys_share,sys_smb,sys_suser_compat,sys_time,sys_trans_label,win_colormap,win_config,win_dac_read,win_dac_write,win_devices,win_dga,win_downgrade_sl,win_fontpath,win_mac_read,win_mac_write,win_selection,win_upgrade_sl
root@daddelkiste:~# ppriv $$
2183: -bash
flags = <none>
E: all
I: basic
P: all
L: all
junior@daddelkiste:~$ dtrace -n 'syscall:::entry { @num[execname] = count(); }'
dtrace: failed to initialize dtrace: DTrace requires additional privileges
root@daddelkiste:~# usermod -K defaultpriv=basic,dtrace_kernel,dtrace_proc,dtrace_user junior
UX: usermod: junior is currently logged in, some changes may not take effect until next login.
junior@daddelkiste:~$ dtrace -n 'syscall:::entry { @num[execname] = count(); }'
dtrace: description 'syscall:::entry ' matched 211 probes
^C
automountd 1
sshd 24
dtrace 544
auditd 564
# ps -ef | grep "kcfd"
daemon 125 1 0 14:24:19 ? 0:00 /usr/lib/crypto/kcfd
root 734 728 0 15:54:08 pts/1 0:00 grep kcfd
# ppriv -v 125
125: /usr/lib/crypto/kcfd
flags = PRIV_AWARE
E: file_owner,proc_priocntl,sys_devices
I: none
P: file_owner,proc_priocntl,sys_devices
L: none
# svcadm -v enable -s apache2
svc:/network/http:apache2 enabled.
jmoekamp@client:~$ ps -ef | grep "http"
webservd 1978 1975 0 12:19:15 ? 0:00 /usr/apache2/2.2/bin/httpd -k start
webservd 1979 1975 0 12:19:15 ? 0:00 /usr/apache2/2.2/bin/httpd -k start
webservd 1980 1975 0 12:19:15 ? 0:00 /usr/apache2/2.2/bin/httpd -k start
webservd 1984 1975 0 12:20:02 ? 0:00 /usr/apache2/2.2/bin/httpd -k start
root 1975 1 0 12:19:14 ? 0:01 /usr/apache2/2.2/bin/httpd -k start
webservd 1977 1975 0 12:19:15 ? 0:00 /usr/apache2/2.2/bin/httpd -k start
webservd 1976 1975 0 12:19:15 ? 0:00 /usr/apache2/2.2/bin/httpd -k start
root@client:~# ppriv 1977
1977: /usr/apache2/2.2/bin/httpd -k start
flags = <none>
E: basic
I: basic
P: basic
L: all
root@client:~# ppriv 1975
1975: /usr/apache2/2.2/bin/httpd -k start
flags = <none>
E: all
I: basic
P: all
L: all
root@client:~#
The Apache parent process running as root has all privileges (E: all in the ppriv output above).
The other processes (the webservd children) have only the basic privilege set.
Apache really needs only the basic set minus proc_session, proc_info and file_link_any, plus net_privaddr to bind a privileged port.
So you grant a large number of privileges to one process that Apache doesn't need.
svcadm -v disable -s apache2
svc:/network/http:apache2 disabled.
root@client:~# svccfg -s apache22
svc:/network/http:apache22> setprop start/user = astring: webservd
svc:/network/http:apache22> setprop start/group = astring: webservd
svc:/network/http:apache22> setprop start/privileges = astring: basic,!proc_session,!proc_info,!file_link_any,net_privaddr
svc:/network/http:apache22> setprop start/limit_privileges = astring: :default
svc:/network/http:apache22> setprop start/use_profile = boolean: false
svc:/network/http:apache22> setprop start/supp_groups = astring: :default
svc:/network/http:apache22> setprop start/working_directory = astring: :default
svc:/network/http:apache22> setprop start/project = astring: :default
svc:/network/http:apache22> setprop start/resource_pool = astring: :default
svc:/network/http:apache22> end
root@client:~# svcadm -v refresh apache22
Action refresh set for svc:/network/http:apache22.
# echo "LockFile /var/apache2/2.2/logs/accept.lock" >> /etc/apache2/2.2/httpd.conf
# echo "PidFile /var/apache2/2.2/run/httpd.pid" >> /etc/apache2/2.2/httpd.conf
# mkdir -p -m 755 /var/apache2/2.2/run
# chown webservd:webservd /var/apache2/2.2/run
# svcadm enable apache22
webservd 3064 3061 0 16:49:18 ? 0:00 /usr/apache2/2.2/bin/httpd -k start
webservd 3062 3061 0 16:49:18 ? 0:00 /usr/apache2/2.2/bin/httpd -k start
webservd 3063 3061 0 16:49:18 ? 0:00 /usr/apache2/2.2/bin/httpd -k start
webservd 3066 3061 0 16:49:18 ? 0:00 /usr/apache2/2.2/bin/httpd -k start
webservd 3061 1 0 16:49:17 ? 0:00 /usr/apache2/2.2/bin/httpd -k start
webservd 3065 3061 0 16:49:18 ? 0:00 /usr/apache2/2.2/bin/httpd -k start
Read-only zone root
zonecfg:testzone> set file-mac-profile=none
    Standard, read-write, non-global zone, with no additional protection beyond the existing zone boundaries.
zonecfg:testzone> set file-mac-profile=strict
    Read-only file system, no exceptions.
zonecfg:testzone> set file-mac-profile=fixed-configuration
    Permits updates to /var/* directories, with the exception of directories that contain system configuration components.
zonecfg:testzone> set file-mac-profile=flexible-configuration
    Permits modification of files in /etc/* directories, changes to root's home directory, and updates to /var/* directories. This configuration provides the closest functionality to the Oracle Solaris 10 native sparse root zone.
in-kernel SSL Proxy
# mkdir /etc/keys
# cd /etc/keys
# openssl req -x509 -nodes -days 365 -subj "/C=DE/ST=Hamburg/L=Hamburg/CN=server" -newkey rsa:1024 -keyout /etc/keys/mykey.pem -out /etc/keys/mycert.pem
# cat mycert.pem mykey.pem > my.pem
# chmod 600 *
# echo "pass" > /etc/keys/my.pass
# ksslcfg create -f pem -i /etc/keys/my.pem -x 8080 -p /etc/keys/my.pass server 443
ksslcfg create -f pem -i /etc/keys/my.pem -x 8080 \
-p /etc/keys/my.pass \
-c "rsa_aes_256_cbc_sha,rsa_aes_128_cbc_sha,rsa_rc4_128_sha,rsa_rc4_128_md5" \
server 443
# svcs -a | grep "kssl"
online 9:03:33 svc:/network/ssl/proxy:kssl-server-443
# svcadm disable apache22
# echo "Listen 192.168.178.108:8080" >> /etc/apache2/2.2/httpd.conf
# svcadm enable apache22
Port number and IP address have to be defined in httpd.conf,
otherwise it will not work.
# openssl s_client -connect server:443
CONNECTED(00000004)
depth=0 /C=DE/ST=Hamburg/L=Hamburg/CN=server
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=DE/ST=Hamburg/L=Hamburg/CN=server
verify return:1
---
Certificate chain
0 s:/C=DE/ST=Hamburg/L=Hamburg/CN=server
i:/C=DE/ST=Hamburg/L=Hamburg/CN=server
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICoTCCAgqgAwIBAgIJAKyJdj/
[...]
V5jX3MU=
-----END CERTIFICATE-----
subject=/C=DE/ST=Hamburg/L=Hamburg/CN=server
issuer=/C=DE/ST=Hamburg/L=Hamburg/CN=server
---
No client certificate CA names sent
---
SSL handshake has read 817 bytes and written 328 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : RC4-SHA
Session-ID:
32CEF20CB9FE2A71C74D40BB2DB5CB304DA1B57540B7CFDD113915B99DBE9812
Session-ID-ctx:
Master-Key:
1E7B502390951124779C5763B5E4BBAF0A9B0693D08DCA8A587B503A5C5027B6FAD9CA7626B1AD8C62219E8502A5C21E
Key-Arg : None
Start Time: 1242985143
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
---
GET / HTTP/1.0
HTTP/1.1 200 OK
Date: Fri, 22 May 2009 09:39:13 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8a DAV/2
Last-Modified: Thu, 21 May 2009 21:26:30 GMT
ETag: "341f3-2c-46a72cc211a8f"
Accept-Ranges: bytes
Content-Length: 44
Connection: close
Content-Type: text/html
<html><body><h1>It works!</h1></body></html>read:errno=0
ZFS Encryption
# zfs create -o encryption=on rpool/export/project
Key hierarchy diagram: the wrapping key is user-settable (sourced from a prompt, a file, https or pkcs#11); the data encryption key is random and not user-settable.
aes-128-ccm (=on)
aes-192-ccm
aes-256-ccm
aes-128-gcm
aes-192-gcm
aes-256-gcm
zfs set checksum=sha256+mac <dataset>
If encryption!=off, this is set automatically,
and the property is read-only from then on.
# pktool genkey keystore=pkcs11 keytype=aes keylen=128 label=mykey
Enter PIN for Sun Software PKCS#11 softtoken:
# zfs create -o encryption=on -o keysource=raw,pkcs11:object=mykey tank/project/C
Enter PKCS#11 token PIN for 'tank/project/C':
# zfs create -o encryption=on -o keysource=raw,https://keys.example.com/mykey tank/project/R
# cp myservercert.pem /etc/certs/CA/
# svcadm refresh ca-certificates
$ zfs key -c rpool/export/project
Enter new passphrase for 'rpool/export/project':
Changing the wrapping key
# zfs key -K tank/project/A
# zfs clone -K tank/project/A@montag tank/project/D
Changing the encryption key for data written from now on:
this creates a new data encryption key. Data written in the
clone uses the new data encryption key, which is distinct
from the one of its original snapshot.
Solaris Cryptographic Framework
As soon as Solaris detects hardware acceleration for
cryptography, Solaris will use it (and so will applications using the
Oracle-supplied OpenSSL library or the direct interfaces):