Security 11 Solaris

c0t0d0s0//org 1
Solaris 11 Security
- a live demo in slides -
by Joerg c0t0d0s0.org Mllenkamp
c0t0d0s0//org
This slideset was made to have a fallback for a live demo
at a series of Oracle Breakfast events in Germany,
as the presentation diverted a lot in the first location
in the light of recent events around privacy and security.
However most information is in the voice track that wasnt recorded.
So this presentation may be not that useful.
If you need the voice track, ask your Oracle sales rep that he ask his manager
to ask my manager to let me doing the presentation in your country ;)
c0t0d0s0//org
Primarily i used example from my practical work and from my own blog
however i would like to thank two colleagues:
Glenn Faden for Oracle Solaris Extended Policy and MySQL
https://blogs.oracle.com/gfaden/entry/oracle_solaris_extended_policy_and
Darren Moffat for Compliance reporting with SCAP
https://blogs.oracle.com/darren/entry/compliance_reporting_with_scap
I directly reused their blog entries for this presentation.
c0t0d0s0//org 4
Certifications
c0t0d0s0//org
Solaris 10 Common Criteria Evaluation
has been certified on EAL4+ level
c0t0d0s0//org
We have a common Criteria Certification.
For Solaris 10 at the moment. For Solaris 11 in the future.
However the common criteria certification doesnt certify security.
c0t0d0s0//org
Solaris 10 Trusted Extensions Common Criteria Evaluation
has been certified on EAL4+ level
http://www.oracle.com/technetwork/topics/security
/oracle-cc-evalsolaris-083233.html#sol10U3TX
The following protection profiles were used:
Conditional Access Protection Profile
Role Based Access Control Protection Profile
Label Security Protection Profiles
c0t0d0s0//org
Solaris 11.1 is currently in certification.
http://www.oracle.com/technetwork/topics/security/security-evaluations-099357.html#InEvaluated
c0t0d0s0//org 9
Is it really a Solaris 11
binary?
c0t0d0s0//org 10
jmoekamp@server:~$ elfsign verify -v /usr/bin/oscap
elfsign: verification of /usr/bin/oscap passed.
format: rsa_md5_sha1.
signer: CN=SunOS 5.10, OU=Solaris Signed Execution, O=Sun Microsystems Inc.
c0t0d0s0//org 11
Sandboxing applications on
Solaris 11.1
c0t0d0s0//org 12
root@solaris# profiles -p "MySQL Service"
MySQL Service> set desc="Locking down the MySQL Service"
MySQL Service> add cmd=/lib/svc/method/mysql_51
MySQL Service:mysql_51> set privs=basic
MySQL Service:mysql_51> add privs={net_privaddr}:3306/tcp
MySQL Service:mysql_51> add privs={file_write}:/var/mysql/5.1/data/*
MySQL Service:mysql_51> add privs={file_write}:/tmp/mysql.sock
MySQL Service:mysql_51> add privs={file_write}:/var/tmp/ib*
MySQL Service:mysql_51> end
MySQL Service> set uid=mysql
MySQL Service> set gid=mysql
MySQL Service> exit
root@solaris#
c0t0d0s0//org 13
root@solaris# svccfg -s mysql:version_51
svc:/application/database/mysql:version_51> setprop method_context/profile="MySQL Service"
svc:/application/database/mysql:version_51> setprop method_context/use_profile=true
svc:/application/database/mysql:version_51> refresh
svc:/application/database/mysql:version_51> exit
c0t0d0s0//org 14
root@solaris# ipadm set-prop -p extra_priv_ports+=3306 tcp
root@solaris# ipadm show-prop -p extra_priv_ports tcp
PROTO PROPERTY PERM CURRENT PERSISTENT DEFAULT POSSIBLE
tcp extra_priv_ports rw 2049,4045, -- 2049,4045 1-65535
3306
c0t0d0s0//org 15
# svcadm enable mysql:version_51
c0t0d0s0//org 16
root@solaris# ppriv $(pgrep mysql)
103697: /usr/mysql/5.1/bin/mysqld --basedir=/usr/mysql/5.1 --datadir=/var/mysq
flags = PRIV_XPOLICY
Extended policies:
{net_privaddr}:3306/tcp
{file_write}:/var/mysql/5.1/data/*
{file_write}:/tmp/mysql.sock
{file_write}:/var/tmp/ib*
E: basic,!file_write
I: basic,!file_write
P: basic,!file_write
L: all
103609: /bin/sh /usr/mysql/5.1/bin/mysqld_safe --user=mysql --datadir=/var/mys
flags = PRIV_XPOLICY
Extended policies:
{net_privaddr}:3306/tcp
{file_write}:/var/mysql/5.1/data/*
{file_write}:/tmp/mysql.sock
{file_write}:/var/tmp/ib*
E: basic,!file_write
I: basic,!file_write
P: basic,!file_write
L: all
c0t0d0s0//org 17
Find more information regarding this feature at:
https://blogs.oracle.com/gfaden/entry/oracle_solaris_extended_policy_and
c0t0d0s0//org 18
Passwords
c0t0d0s0//org 19
root@client:/etc/security# cat /etc/security/crypt.conf
#
# Copyright 2008 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
#ident "%Z%%M% %I% %E% SMI"
#
# The algorithm name __unix__ is reserved.
1 crypt_bsdmd5.so.1
2a crypt_bsdbf.so.1
md5 crypt_sunmd5.so.1
5 crypt_sha256.so.1
6 crypt_sha512.so.1
c0t0d0s0//org 20
root@client:/etc/security# cat /etc/security/policy.conf | egrep "^CRYPT_DEFAULT"
CRYPT_DEFAULT=5
root@client:/etc/security# cat /etc/shadow | grep junior
junior:$5$4aKvDFqA$2kL8GpuXjrd.f8XpanqhylEP5lDhy1DF5uo1ZYx74f3:15929::::::1440
c0t0d0s0//org 21
root@client:/etc/security# cat /etc/default/passwd | grep -v "# " | egrep -v "^#$|^$"
#ident "%Z%%M% %I% %E% SMI"
MAXWEEKS=
MINWEEKS=
PASSLENGTH=6
#NAMECHECK=NO
#HISTORY=0
#MINDIFF=3
#MINALPHA=2
#MINNONALPHA=1
#MINUPPER=0
#MINLOWER=0
#MAXREPEATS=0
#MINSPECIAL=0
#MINDIGIT=0
#WHITESPACE=YES
#DICTIONLIST=
#DICTIONDBDIR=/var/passwd
c0t0d0s0//org 22
root@client:/# mkpwdict -s /usr/share/lib/dict/words
mkpwdict: using default database location: /var/passwd.
oder:
root@client:/# mkpwdict -s /usr/share/lib/dict/words -d /var/passwd
c0t0d0s0//org 23
Address Space
Layout Randomization
c0t0d0s0//org 24
root@solaris:/# sxadm exec -s aslr=disable /usr/bin/pmap self
1914: /usr/bin/pmap self
0000000000400000 28K r-x-- /usr/bin/pmap
0000000000417000 4K rw--- /usr/bin/pmap
0000000000418000 40K rw--- [ heap ]
FFFF80FFBDDD0000 216K r-x-- /lib/amd64/libproc.so.1
FFFF80FFBDE16000 8K rw--- /lib/amd64/libproc.so.1
FFFF80FFBF430000 1764K r-x-- /lib/amd64/libc.so.1
FFFF80FFBF5F9000 64K rw--- /lib/amd64/libc.so.1
FFFF80FFBF609000 12K rw--- /lib/amd64/libc.so.1
FFFF80FFBF740000 4K rw--- [ anon ]
FFFF80FFBF750000 24K rwx-- [ anon ]
FFFF80FFBF792000 4K r--s- [ anon ]
FFFF80FFBF795000 340K r-x-- /lib/amd64/ld.so.1
FFFF80FFBF7FA000 12K rwx-- /lib/amd64/ld.so.1
FFFF80FFBF7FD000 8K rwx-- /lib/amd64/ld.so.1
FFFF80FFBFFFD000 12K rw--- [ stack ]
total 2556K
c0t0d0s0//org 25
root@solaris:/# sxadm exec -s aslr=disable /usr/bin/pmap self
0000000000400000 28K r-x-- /usr/bin/pmap
0000000000417000 4K rw--- /usr/bin/pmap
0000000000418000 40K rw--- [ heap ]
FFFF80FFBDDD0000 216K r-x-- /lib/amd64/libproc.so.1
FFFF80FFBDE16000 8K rw--- /lib/amd64/libproc.so.1
FFFF80FFBF430000 1764K r-x-- /lib/amd64/libc.so.1
FFFF80FFBF5F9000 64K rw--- /lib/amd64/libc.so.1
FFFF80FFBF609000 12K rw--- /lib/amd64/libc.so.1
FFFF80FFBF750000 24K rwx-- [ anon ]
FFFF80FFBF792000 4K r--s- [ anon ]
FFFF80FFBF795000 340K r-x-- /lib/amd64/ld.so.1
FFFF80FFBF7FA000 12K rwx-- /lib/amd64/ld.so.1
FFFF80FFBF7FD000 8K rwx-- /lib/amd64/ld.so.1
FFFF80FFBFFFD000 12K rw--- [ stack ]
total 2556K
c0t0d0s0//org 26
root@solaris:/# sxadm exec -s aslr=enable /usr/bin/pmap self
0000000000400000 28K r-x-- /usr/bin/pmap
0000000000417000 4K rw--- /usr/bin/pmap
0000000000418000 8K rw--- /usr/bin/pmap
00000005D6666000 36K rw--- [ heap ]
00007FF669C70000 216K r-x-- /lib/amd64/libproc.so.1
00007FF669CB6000 8K rw--- /lib/amd64/libproc.so.1
00007FF669CC0000 4K rw--- [ anon ]
00007FF669CD0000 24K rwx-- [ anon ]
00007FF669CE0000 4K rw--- [ anon ]
00007FF669CF0000 1764K r-x-- /lib/amd64/libc.so.1
00007FF669EB9000 64K rw--- /lib/amd64/libc.so.1
00007FF669EC9000 12K rw--- /lib/amd64/libc.so.1
00007FF669ED0000 4K rw--- [ anon ]
00007FF669EE0000 4K rw--- [ anon ]
00007FF669EF0000 4K rw--- [ anon ]
00007FF669EF2000 4K r--s- [ anon ]
00007FF669EFC000 340K r-x-- /lib/amd64/ld.so.1
00007FF669F61000 12K rwx-- /lib/amd64/ld.so.1
00007FF669F64000 8K rwx-- /lib/amd64/ld.so.1
FFFF80DDA254F000 16K rw--- [ stack ]
total 2564K
c0t0d0s0//org 27
root@solaris:/# sxadm exec -s aslr=enable /usr/bin/pmap self
0000000000400000 28K r-x-- /usr/bin/pmap
0000000000417000 4K rw--- /usr/bin/pmap
0000000000418000 8K rw--- /usr/bin/pmap
000000065B76D000 36K rw--- [ heap ]
00007FFAACFC0000 216K r-x-- /lib/amd64/libproc.so.1
00007FFAAD006000 8K rw--- /lib/amd64/libproc.so.1
00007FFAAD010000 4K rw--- [ anon ]
00007FFAAD020000 24K rwx-- [ anon ]
00007FFAAD030000 4K rw--- [ anon ]
00007FFAAD040000 1764K r-x-- /lib/amd64/libc.so.1
00007FFAAD209000 64K rw--- /lib/amd64/libc.so.1
00007FFAAD219000 12K rw--- /lib/amd64/libc.so.1
00007FFAAD220000 4K rw--- [ anon ]
00007FFAAD230000 4K rw--- [ anon ]
00007FFAAD240000 4K rw--- [ anon ]
00007FFAAD242000 4K r--s- [ anon ]
00007FFAAD24D000 340K r-x-- /lib/amd64/ld.so.1
00007FFAAD2B2000 12K rwx-- /lib/amd64/ld.so.1
00007FFAAD2B5000 8K rwx-- /lib/amd64/ld.so.1
FFFF80DE1559E000 12K rw--- [ stack ]
c0t0d0s0//org 28
root@solaris:/# sxadm info
EXTENSION STATUS CONFIGURATION
aslr enabled (tagged-files) system default (default)
root@solaris:/# elfdump -d /usr/bin/pmap | grep "ASLR"
[33] SUNW_ASLR 0x2 ENABLE
root@solaris:/# elfedit -e 'dyn:sunw_aslr disable' /usr/bin/pmap
root@solaris:/# elfdump -d /usr/bin/pmap | grep "ASLR"
[33] SUNW_ASLR 0x1 DISABLE
c0t0d0s0//org 29
root@solaris:/# sxadm enable -c model=all aslr
aslr enabled (all) enabled (all)
root@solaris:/# sxadm disable aslr
aslr disabled disabled
root@solaris:/# sxadm enable -c model=tagged-files aslr
aslr enabled (tagged-files) enabled (tagged-files)
c0t0d0s0//org 30
pfedit
c0t0d0s0//org 31
root@template:/etc/apache2/2.2# profiles -p "httpd edit"
profiles:httpd edit> set auths=solaris.admin.edit/etc/apache2/2.2/
httpd.conf
profiles:httpd edit> set desc="Edit httpd"
profiles:httpd edit> exit
c0t0d0s0//org 32
root@template:/etc/apache2/2.2# usermod -P +"httpd edit" junior
c0t0d0s0//org 33
junior@template:~$ profiles
httpd edit
Basic Solaris User
All
c0t0d0s0//org 34
junior@template:~$ vi /etc/apache2/2.2/httpd.conf
c0t0d0s0//org 35
junior@template:~$ pfedit /etc/apache2/2.2/httpd.conf
pfedit: /etc/apache2/2.2/httpd.conf has been updated.
c0t0d0s0//org 36
junior@template:~$ pfedit /etc/apache2/2.2/mime.types
pfedit: User junior is not authorized to edit the file /etc/
apache2/2.2/mime.types.
c0t0d0s0//org 37
root@template:/etc/apache2/2.2# profiles -p "httpd edit"
profiles:httpd edit> info
name=httpd edit
desc=Edit httpd
auths=solaris.admin.edit/etc/apache2/2.2/httpd.conf
profiles:httpd edit> add auths=solaris.admin.edit/etc/apache2/2.2/
mime.types
c0t0d0s0//org 38
junior@template:~$ pfedit /etc/apache2/2.2/mime.types
pfedit: no changes for /etc/apache2/2.2/mime.types.
c0t0d0s0//org 39
# profiles -p "httpd configure"
profiles:httpd configure> add always_audit=as
profiles:httpd configure> info
name=httpd configure
desc=Configure httpd
auths=solaris.admin.edit/etc/apache2/2.2/
httpd.conf,solaris.admin.edit/etc/apache2/2.2/mime.types
always_audit=as
never_audit=no
profiles:httpd configure> exit
root@template:~#
c0t0d0s0//org 40
root@template:~# auditreduce -c as | praudit
c0t0d0s0//org 41
[..]
header,486,2,edit administrative file,,fe80::a00:27ff:fea6:33cb,
2013-08-12 07:45:52.306 +00:00
subject,junior,junior,staff,junior,staff,4212,447467166,369 136704
MacBook-Pro-of-c0t0d0s0.fritz.box
path,/etc/apache2/2.2/httpd.conf
use of authorization,solaris.admin.edit/etc/apache2/2.2/httpd.conf
text,--- /etc/apache2/2.2/httpd.conf Mo. Aug 12 07:45:00 2013
+++ /etc/apache2/2.2/httpd.conf.pfedit.1BaGoi Mo. Aug 12
07:45:52 2013
@@ -1,5 +1,6 @@
# Test
# Test 2:
+# Test 3:
#
# This is the main Apache HTTP server configuration file. It
contains the
# configuration directives that give the server its instructions.
return,success,0
c0t0d0s0//org 42
Delegating privilege to restart
services
(so you can keep the root
password)
c0t0d0s0//org 43
junior@template:~$ svcadm refresh apache22
svcadm: svc:/network/http:apache22: Permission denied.
c0t0d0s0//org 44
# svcs -a | grep "apache22"
online 15:30:29 svc:/network/http:apache22
c0t0d0s0//org 45
# auths add -t "Apache22 value" solaris.smf.value.http.apache22
# auths add -t "Apache22 action" solaris.smf.action.http.apache22
c0t0d0s0//org 46
# svccfg -s apache22 setprop general/value_authorization=
astring: solaris.smf.value.http.apache22
# svccfg -s apache22 setprop general/action_authorization=
astring: solaris.smf.action.http.apache22
c0t0d0s0//org 47
# profiles -p "httpd edit" \
add auths=solaris.smf.action.http.apache22
c0t0d0s0//org 48
junior@template:~$ svcadm refresh apache22
junior@template:~$
c0t0d0s0//org 49
Privileges
c0t0d0s0//org 50
$ ls -l /usr/sbin/traceroute
-r-sr-xr-x 1 root bin 42324 Nov 21 00:09 /usr/sbin/traceroute
$ ls -l /usr/sbin/ping
-r-sr-xr-x 1 root bin 51396 Nov 18 19:31 /usr/sbin/ping
set-id to root, ping needs it to work ...
c0t0d0s0//org 51
# chmod -s /sbin/ping
# exit
$ ping -s 192.168.1.132
ping: socket Permission denied
Remove the set-uid and ping will stop to work ...
c0t0d0s0//org 52
jmoekamp@daddelkiste:~$ ppriv $$
2153: -bash
flags = <none>
E: basic
I: basic
P: basic
L: all
c0t0d0s0//org 53
contract_event,contract_identity,contract_observer,cpc_cpu,dtrac
e_kernel,dtrace_proc,dtrace_user,file_chown,file_chown_self,file
_dac_execute,file_dac_read,file_dac_search,file_dac_write,file_d
owngrade_sl,file_flag_set,file_link_any,file_owner,file_read,fil
e_setid,file_upgrade_sl,file_write,graphics_access,graphics_map,
ipc_dac_read,ipc_dac_write,ipc_owner,net_access,net_bindmlp,net_
icmpaccess,net_mac_aware,net_mac_implicit,net_observability,net_
privaddr,net_rawaccess,proc_audit,proc_chroot,proc_clock_highres
,proc_exec,proc_fork,proc_info,proc_lock_memory,proc_owner,proc_
priocntl,proc_session,proc_setid,proc_taskid,proc_zone,sys_acct,
sys_admin,sys_audit,sys_config,sys_devices,sys_dl_config,sys_flo
w_config,sys_ib_config,sys_ib_info,sys_ip_config,sys_ipc_config,
sys_iptun_config,sys_linkdir,sys_mount,sys_net_config,sys_nfs,sy
s_ppp_config,sys_res_bind,sys_res_config,sys_resource,sys_share,
sys_smb,sys_suser_compat,sys_time,sys_trans_label,win_colormap,w
in_config,win_dac_read,win_dac_write,win_devices,win_dga,win_dow
ngrade_sl,win_fontpath,win_mac_read,win_mac_write,win_selection,
win_upgrade_sl
c0t0d0s0//org 54
win_upgrade_sl
All privileges in their entirety
assigned to one user are
#
(almost)
c0t0d0s0//org 55
win_upgrade_sl
Neat extension inSolaris 11:
The ability to use networking is now a
privilege.
Its part of the default default set of privileges,
but you can remove it.
c0t0d0s0//org 56
moekamp@daddelkiste:~$ ppriv -v $$
2153: -bash
flags = <none>
E:
file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
I:
P:
L:
contract_event,contract_identity,contract_observer,cpc_cpu,dtrace_kernel,dtrace_proc,dtrace_user,file_chown,
file_chown_self,file_dac_execute,file_dac_read,file_dac_search,file_dac_write,file_downgrade_sl,file_flag_se
t,file_link_any,file_owner,file_read,file_setid,file_upgrade_sl,file_write,graphics_access,graphics_map,ipc_
dac_read,ipc_dac_write,ipc_owner,net_access,net_bindmlp,net_icmpaccess,net_mac_aware,net_mac_implicit,net_ob
servability,net_privaddr,net_rawaccess,proc_audit,proc_chroot,proc_clock_highres,proc_exec,proc_fork,proc_in
fo,proc_lock_memory,proc_owner,proc_priocntl,proc_session,proc_setid,proc_taskid,proc_zone,sys_acct,sys_admi
n,sys_audit,sys_config,sys_devices,sys_dl_config,sys_flow_config,sys_ib_config,sys_ib_info,sys_ip_config,sys
_ipc_config,sys_iptun_config,sys_linkdir,sys_mount,sys_net_config,sys_nfs,sys_ppp_config,sys_res_bind,sys_re
s_config,sys_resource,sys_share,sys_smb,sys_suser_compat,sys_time,sys_trans_label,win_colormap,win_config,wi
n_dac_read,win_dac_write,win_devices,win_dga,win_downgrade_sl,win_fontpath,win_mac_read,win_mac_write,win_se
lection,win_upgrade_sl
c0t0d0s0//org 57
root@daddelkiste:~# ppriv $$
2183: -bash
flags = <none>
E: all
I: basic
P: all
L: all
c0t0d0s0//org 58
junior@daddelkiste:~$ dtrace -n 'syscall:::entry { @num[execname]
= count(); }'
dtrace: failed to initialize dtrace: DTrace requires additional
privileges
c0t0d0s0//org 59
root@daddelkiste:~# usermod -K
defaultpriv=basic,dtrace_kernel,dtrace_proc,dtrace_user junior
UX: usermod: junior is currently logged in, some changes may not
take effect until next login.
c0t0d0s0//org 60
junior@daddelkiste:~$ dtrace -n 'syscall:::entry { @num[execname]
= count(); }'
dtrace: description 'syscall:::entry ' matched 211 probes
^C
automountd 1
sshd 24
dtrace 544
auditd 564
c0t0d0s0//org 61
# ps -ef | grep "kcfd"
daemon 125 1 0 14:24:19 ? 0:00 /usr/lib/crypto/kcfd
root 734 728 0 15:54:08 pts/1 0:00 grep kcfd
# ppriv -v 125
125: /usr/lib/crypto/kcfd
flags = PRIV_AWARE
E: file_owner,proc_priocntl,sys_devices
I: none
P: file_owner,proc_priocntl,sys_devices
L: none
c0t0d0s0//org 62
# svcadm -v enable -s apache2
svc:/network/http:apache2 enabled.
c0t0d0s0//org 63
jmoekamp@client:~$ ps -ef | grep "http"
webservd 1978 1975 0 12:19:15 ? 0:00 /usr/apache2/2.2/bin/httpd -k start
root 1975 1 0 12:19:14 ? 0:01 /usr/apache2/2.2/bin/httpd -k start
c0t0d0s0//org 64
root@client:~# ppriv 1977
1977: /usr/apache2/2.2/bin/httpd -k start
flags = <none>
E: basic
I: basic
P: basic
L: all
root@client:~# ppriv 1975
1975: /usr/apache2/2.2/bin/httpd -k start
flags = <none>
E: all
I: basic
P: all
L: all
root@client:~#
c0t0d0s0//org
65
contract_event,contract_identity,contract_observer,cpc_cpu,dtrace_k
ernel,dtrace_proc,dtrace_user,file_chown,file_chown_self,file_dac_e
xecute,file_dac_read,file_dac_search,file_dac_write,file_downgrade_
sl,file_flag_set,file_link_any,file_owner,file_read,file_setid,file
_upgrade_sl,file_write,graphics_access,graphics_map,ipc_dac_read,ip
c_dac_write,ipc_owner,net_access,net_bindmlp,net_icmpaccess,net_mac
_aware,net_mac_implicit,net_observability,net_privaddr,net_rawacces
s,proc_audit,proc_chroot,proc_clock_highres,proc_exec,proc_fork,pro
c_info,proc_lock_memory,proc_owner,proc_priocntl,proc_session,proc_
setid,proc_taskid,proc_zone,sys_acct,sys_admin,sys_audit,sys_config
,sys_devices,sys_dl_config,sys_flow_config,sys_ib_config,sys_ib_inf
o,sys_ip_config,sys_ipc_config,sys_iptun_config,sys_linkdir,sys_mou
nt,sys_net_config,sys_nfs,sys_ppp_config,sys_res_bind,sys_res_confi
g,sys_resource,sys_share,sys_smb,sys_suser_compat,sys_time,sys_tran
s_label,win_colormap,win_config,win_dac_read,win_dac_write,win_devi
ces,win_dga,win_downgrade_sl,win_fontpath,win_mac_read,win_mac_writ
e,win_selection,win_upgrade_sl
The apache process as root has the following privileges:
c0t0d0s0//org 66
The other processes have the following privileges:
c0t0d0s0//org 67
Apache really needs:
c0t0d0s0//org 68
So you grant a large number of privileges to one process , Apache dont
need.
c0t0d0s0//org 69
svcadm -v disable -s apache2
svc:/network/http:apache2 disabled.
c0t0d0s0//org 70
root@client:~# svccfg -s apache22
svc:/network/http:apache22> setprop start/user = astring: webservd
svc:/network/http:apache22> setprop start/group = astring: webservd
svc:/network/http:apache22> setprop start/privileges = astring: basic,!proc_session,
!proc_info,!file_link_any,net_privaddr
svc:/network/http:apache22> setprop start/limit_privileges = astring: :default
svc:/network/http:apache22> setprop start/use_profile = boolean: false
svc:/network/http:apache22> setprop start/supp_groups = astring: :default
svc:/network/http:apache22> setprop start/working_directory = astring: :default
svc:/network/http:apache22> setprop start/project = astring: :default
svc:/network/http:apache22> setprop start/resource_pool = astring: :default
svc:/network/http:apache22> end
root@client:~# svcadm -v refresh apache22
Action refresh set for svc:/network/http:apache22.
c0t0d0s0//org 71
# echo "LockFile /var/apache2/2.2/logs/accept.lock" >> /etc/apache2/2.2/httpd.conf
# echo "PidFile /var/apache2/2.2/run/httpd.pid" >> /etc/apache2/2.2/httpd.conf
# mkdir -p -m 755 /var/apache2/2.2/run
# chown webservd:webservd /var/apache2/2.2/run
# svcadm enable apache22
c0t0d0s0//org 72
c0t0d0s0//org 73
Read-only zone root
c0t0d0s0//org
74
zonecfg:testzone> set file-mac-profile=none
zonecfg:testzone> set file-mac-profile=strict
zonecfg:testzone> set file-mac-profile=fixed-configuration
zonecfg:testzone> set file-mac-profile=flexible-configuration
Standard, read-write, non-global zone, with no additional protection beyond
the existing zones boundaries.
Permits updates to /var/* directories,
with the exception of directories that contain system configuration components.
Read-only file system, no exceptions.
Permits modification of files in /etc/* directories, changes to root's home directory,
and updates to /var/* directories. This configuration provides closest functionality
to the Oracle Solaris 10 native sparse root zone
c0t0d0s0//org 75
in-kernel SSL Proxy
c0t0d0s0//org 76
# mkdir /etc/keys
# cd /etc/keys
# openssl req -x509 -nodes -days 365 -subj "/C=DE/ST=Hamburg/L=Hamburg/
CN=server" -newkey rsa:1024 -keyout /etc/keys/mykey.pem -out /etc/keys/
mycert.pem
# cat mycert.pem mykey.pem > my.pem
# chown 600 *
c0t0d0s0//org 77
# echo "pass" > /etc/keys/my.pass
# ksslcfg create -f pem -i /etc/keys/my.pem -x 8080 -p /etc/keys/my.pass server 443
c0t0d0s0//org 78
ksslcfg create -f pem -i /etc/keys/my.pem -x 8080 \
-p /etc/keys/my.pass \
-c "rsa_aes_256_cbc_sha,rsa_aes_128_cbc_sha,rsa_rc4_128_sha,rsa_rc4_128_md5" \
server 443
c0t0d0s0//org 79
# svcs -a | grep "kssl"
online 9:03:33 svc:/network/ssl/proxy:kssl-
server-443
c0t0d0s0//org 80
# svcadm disable apache22
# echo "Listen 192.168.178.108:8080" >> /etc/apache2/2.2/httpd.conf
# svcadm enable apache22
Portnumber and IP-Number have do be defined in httpd.conf
... otherwise it will not work.
c0t0d0s0//org 81
# openssl s_client -connect server:443
CONNECTED(00000004)
depth=0 /C=DE/ST=Hamburg/L=Hamburg/CN=server
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=DE/ST=Hamburg/L=Hamburg/CN=server
verify return:1
---
Certificate chain
0 s:/C=DE/ST=Hamburg/L=Hamburg/CN=server
i:/C=DE/ST=Hamburg/L=Hamburg/CN=server
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICoTCCAgqgAwIBAgIJAKyJdj/
[...]
V5jX3MU=
-----END CERTIFICATE-----
subject=/C=DE/ST=Hamburg/L=Hamburg/CN=server
issuer=/C=DE/ST=Hamburg/L=Hamburg/CN=server
---
No client certificate CA names sent
---
SSL handshake has read 817 bytes and written 328
bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : RC4-SHA
Session-ID:
32CEF20CB9FE2A71C74D40BB2DB5CB304DA1B57540B7CFDD1139
15B99DBE9812
Session-ID-ctx:
Master-Key:
1E7B502390951124779C5763B5E4BBAF0A9B0693D08DCA8A587B
503A5C5027B6FAD9CA7626B1AD8C62219E8502A5C21E
Key-Arg : None
Start Time: 1242985143
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
---
GET / HTTP/1.0
HTTP/1.1 200 OK
Date: Fri, 22 May 2009 09:39:13 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/
0.9.8a DAV/2
Last-Modified: Thu, 21 May 2009 21:26:30 GMT
ETag: "341f3-2c-46a72cc211a8f"
Accept-Ranges: bytes
Content-Length: 44
Connection: close
Content-Type: text/html
<html><body><h1>It works!</h1></body></
html>read:errno=0
c0t0d0s0//org 82
ZFS Encryption
c0t0d0s0//org 83
# zfs create -o encryption=on rpool/export/project
c0t0d0s0//org 84
wrapping key (user setable)
encryption key
random
not user setable)
prompt le https pkcs#11
c0t0d0s0//org 85
aes-128-ccm (=on)
aes-192-ccm
aes-256-ccm
aes-128-gcm
aes-192-gcm
aes-256-gcm
c0t0d0s0//org 86
zfs set checksum=sha256+mac <dataset>
If encryption!=off, something like automatic
occurs. This property is read-only from now on.
c0t0d0s0//org 87
# pktool genkey keystore=pkcs11 keytype=aes keylen=128 label=mykey
Enter PIN for Sun Software PKCS#11 softtoken:
# zfs create -o encryption=on -o keysource=raw,pkcs11:object=mykey
tank/project/C
Enter PKCS#11 token PIN for 'tank/project/C':
c0t0d0s0//org 88
# zfs create -o encryption=on -o keysource=raw,https://keys.example.com/mykey tank/project/R
# cp myservercert.pem /etc/certs/CA/
# svcadm refresh ca-certificates
c0t0d0s0//org 89
$ zfs key -c rpool/export/project
Enter new passphrase for 'rpool/export/project':
c0t0d0s0//org 90
$ zfs key -c rpool/export/project
Enter new passphrase for 'rpool/export/project':
Changing the wrapping key
c0t0d0s0//org 91
# zfs key -K tank/project/A
# zfs clone -K tank/project/A@montag tank/project/D
Changing the encryption key
c0t0d0s0//org 92
# zfs key -K tank/project/A
# zfs clone -K tank/project/A@montag tank/project/D
Changing the encryption key for data written form now.
Creates a new data encryption key. Data written in the
clone uses the new data encryption key, which is distinct
from its original snapshot.
c0t0d0s0//org 93
Solaris
Cryptographic Framework
c0t0d0s0//org 94
As soon as Solaris detects hardware acceleration for
cryptography, Solaris will use it (and applications using the
Oracle supplied openssl library or direct interfaces):
on-chip crypto accelerator in T and current M series chips
instruction set extensions in Intel procs (AES-NI)
supported crypto accelerator cards

c0t0d0s0//org 95
Just a side-note: T-series crypto acceleration and Intel x86
acceleration have pretty much different performance
characteristics.
T-Series: Acceleration by offloading crypto outside pipeline
Intel x86: Acceleration by offering special in-pipeline
instructions to accelerate execution
Sounds like splitting hairs ....
c0t0d0s0//org
c0t0d0s0//org
c0t0d0s0//org 98
Using ZFS to do two-factor
encryption
c0t0d0s0//org 99
jmoekamp@solaris:~$ rmformat
Looking for devices...
1. Logical Node: /dev/rdsk/c10t0d0p0
Physical Node: /pci@0,0/pci8086,265c@b/storage@2/disk@0,0
Connected Device: SanDisk U3 Cruzer Micro 8.02
Device Type: Removable
Bus: USB
Size: 3.8 GB
Label:
Access permissions: Medium is not write protected.
(...)
3. Logical Node: /dev/rdsk/c9t0d0p0
Physical Node: /pci@0,0/pci8086,265c@b/storage@1/disk@0,0
Connected Device: SanDisk U3 Cruzer Micro 8.02
Device Type: Removable
Bus: USB
Size: 3.8 GB
Label:
Access permissions: Medium is not write protected.
c0t0d0s0//org 100
root@solaris:/# zpool create a_keystore_usbstick /dev/dsk/c10t0d0p0
root@solaris:/# zpool create datastore /dev/dsk/c9t0d0p0
c0t0d0s0//org 101
root@solaris:/# zfs create -o encryption=on a_keystore_usbstick/keys
Enter passphrase for 'a_keystore_usbstick/keys': supersecret
Enter again: supersecret
c0t0d0s0//org 102
root@solaris:/# pktool genkey keystore=file keytype=aes keylen=128
outkey=/a_keystore_usbstick/keys/joergsdatastick.key
c0t0d0s0//org 103
root@solaris:/# zfs create -o encryption=on -o keysource=raw,file:///
a_keystore_usbstick/keys/joergsdatastick.key datastick/joergssecrets
c0t0d0s0//org 104
root@solaris:/datastick/joergssecrets# mv /home/jmoekamp/
highlyconfidential_nda_presos.tgz .
c0t0d0s0//org 105
root@solaris:/# zpool export a_keystore_usbstick
root@solaris:/# zpool export datastick
c0t0d0s0//org 106
root@solaris:/# zpool import a_keystore_usbstick
Enter passphrase for 'a_keystore_usbstick/keys': supersecret
root@solaris:/#
c0t0d0s0//org 107
root@solaris:/# zpool import datastick
root@solaris:/# cd datastick/joergssecrets
root@solaris:/datastick/joergssecrets# ls highconfidential_nda_presos.tgz
c0t0d0s0//org 108
Basic Auditing
and Reporting Tool
c0t0d0s0//org 109
# mkdir /bart-files
# bart create -R /etc > /bart-files/etc.control.manifest
c0t0d0s0//org 110
# cat etc.control.manifest | grep "/nsswitch.nisplus"
/nsswitch.nisplus F 2525 100644 user::rw-,group::r--,mask:r--,other:r--
473976b5 0 3 79e8fd689a5221d1cd059e5077da71b8
c0t0d0s0//org 111
# touch /etc/thisisjustatest
# chmod 777 /etc/nsswitch.files
# echo "#just a test" >> /etc/nsswitch.nisplus
c0t0d0s0//org 112
# touch /etc/thisisjustatest
# chmod 777 /etc/nsswitch.files
# echo "#just a test" >> /etc/nsswitch.nisplus
c0t0d0s0//org 113
# bart create -R /etc > /bart-files/etc.check20130911.manifest
c0t0d0s0//org 114
# cd /bart-files
# bart compare etc.control.manifest etc.check20130911.manifest
/nsswitch.files:
mode control:100644 test:100777
acl control:user::rw-,group::r--,mask:r--,other:r--
test:user::rwx,group::rwx,mask:rwx,other:rwx
/nsswitch.nisplus:
size control:2525 test:2538
mtime control:473976b5 test:47a44862
contents control:79e8fd689a5221d1cd059e5077da71b8 test:
3f79176ec352441db11ec8a3d02ef67c
/thisisjustatest:
add
c0t0d0s0//org 115
http://www.c0t0d0s0.org/archives/4069-Less-known-Solaris-features-BART.html#
c0t0d0s0//org 116
Apropos Auditing
c0t0d0s0//org 117
Auditing is activated by default
c0t0d0s0//org 118
root@client:~# auditconfig -getflags
active user default audit flags = lo(0x1000,0x1000)
configured user default audit flags = lo(0x1000,0x1000)
root@client:~# auditconfig -getnaflags
active non-attributable audit flags = lo(0x1000,0x1000)
configured non-attributable audit flags = lo(0x1000,0x1000)
c0t0d0s0//org 119
root@client:~# auditconfig -getpolicy
configured audit policies = cnt
active audit policies = cnt
Policy regarding auditing ... (explanation on the next slide)
c0t0d0s0//org 120
root@client:~# auditconfig -lspolicy
policy string description:
ahlt halt machine if it can not record an async event
all all policies
arge include exec environment args in audit recs
argv include exec command line args in audit recs
cnt when no more space, drop recs and keep a cnt
group include supplementary groups in audit recs
none no policies
path allow multiple paths per event
perzone use a separate queue and auditd per zone
public audit public files
seq include a sequence number in audit recs
trail include trailer token in audit recs
windata_down include downgraded window information in audit recs
windata_up include upgraded window information in audit recs
zonename include zonename token in audit recs
Which degree of detail? What happens with full disks?
c0t0d0s0//org 121
root@client:~# auditconfig -getplugin
Plugin: audit_binfile (active)
Attributes: p_dir=/var/audit;p_fsize=0;p_minfree=1
Plugin: audit_syslog (inactive)
Attributes: p_flags=
Plugin: audit_remote (inactive)
Attributes: p_hosts=;p_retries=3;p_timeout=5
c0t0d0s0//org 122
root@client:~# auditconfig -setflags lo,ps,fw
user default audit flags = ps,lo,fw(0x101002,0x101002)
root@client:~# auditconfig -setnaflags lo,na
non-attributable audit flags = lo,na(0x1400,0x1400)
c0t0d0s0//org 123
root@client:~# auditconfig -setflags lo,ps,fw
user default audit flags = ps,lo,fw(0x101002,0x101002)
root@client:~# auditconfig -setnaflags lo,na
non-attributable audit flags = lo,na(0x1400,0x1400)
lo and na are the only sensible
flags for non-attributable
c0t0d0s0//org 124
root@client:~# usermod -K audit_flags=fw:as junior
c0t0d0s0//org 125
root@client:~# auditconfig -lsevent | grep " lo "
AUE_login 6152 lo login - local
AUE_logout 6153 lo logout
AUE_telnet 6154 lo login - telnet
AUE_rlogin 6155 lo login - rlogin
AUE_rshd 6158 lo rsh access
AUE_su 6159 lo su
AUE_rexecd 6162 lo rexecd
AUE_passwd 6163 lo passwd
AUE_rexd 6164 lo rexd
AUE_ftpd 6165 lo ftp access
AUE_ftpd_logout 6171 lo ftp logout
AUE_ssh 6172 lo login - ssh
AUE_role_login 6173 lo role login
AUE_rad_login 6174 lo connect to RAD
AUE_newgrp_login 6212 lo newgrp login
AUE_admin_authenticate 6213 lo admin login
AUE_screenlock 6221 lo screenlock - lock
AUE_screenunlock 6222 lo screenlock - unlock
AUE_zlogin 6227 lo login - zlogin
AUE_su_logout 6228 lo su logout
AUE_role_logout 6229 lo role logout
AUE_smbd_session 6244 lo smbd(1m) session setup
AUE_smbd_logoff 6245 lo smbd(1m) session logoff
c0t0d0s0//org 126
root@client:~# auditconfig -lsevent | grep " ps "
AUE_EXIT 1 ps exit(2)
AUE_FORKALL 2 ps forkall(2)
AUE_VFORK 25 ps vfork(2)
AUE_FORK1 241 ps fork1(2)
root@client:~# auditconfig -lsevent | grep " fw "
AUE_OPEN_W 76 fw open(2) - write
c0t0d0s0//org 127
# auditreduce -c ps /var/audit/20130912183630.not_terminated.client | praudit
header,139,2,execve(2),,client,2013-09-12 18:40:55.924 +00:00
path,/usr/sbin/auditreduce
attribute,100555,root,bin,65538,65875,18446744073709551615
subject,jmoekamp,root,root,root,root,2054,1440080956,2480 202240 192.168.10.1
return,success,0
c0t0d0s0//org 128
root@client:~# auditconfig -setflags all
user default audit flags = all(0xffffffffffffffff,0xffffffffffffffff)
Not always (in the sense of: never) a good idea:
Useful after trying out - starting a new audit file
root@client:~# audit -n
c0t0d0s0//org 129
root@client:~# auditstat
gen nona kern aud ctl enq wrtn wblk rblk drop tot mem
38248 1 38233 14 0 37791 37788 0 3491 457 5169 0
all activated for a few seconds on an unloaded system:
c0t0d0s0//org 130
SSH and X.509
c0t0d0s0//org 131
root@ca:~# CA.pl -newca
CA certificate filename (or enter to create)
Making CA certificate ...
Generating a 1024 bit RSA private key
...............++++++
..++++++
writing new private key to '/etc/openssl/private/cakey.pem'
Enter PEM pass phrase: supersecret1
Verifying - Enter PEM pass phrase: supersecret1
-----
You are about to be asked to enter information that will be
incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished
Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:DE
State or Province Name (full name) []:Lower Saxony
Locality Name (eg, city) []:Lueneburg
Organization Name (eg, company) []:c0t0d0s0.org
Organizational Unit Name (eg, section) []:Security Department
Common Name (e.g. server FQDN or YOUR name) []:CA
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openssl/openssl.cnf
Enter pass phrase for /etc/openssl/private/cakey.pem:
supersecret1
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
b3:54:80:88:66:ad:e8:78
Validity
Not Before: Sep 26 10:11:09 2013 GMT
Not After : Sep 25 10:11:09 2016 GMT
Subject:
countryName = DE
stateOrProvinceName = Lower Saxony
organizationName = c0t0d0s0.org
organizationalUnitName = Security Department
commonName = CA
X509v3 extensions:
X509v3 Subject Key Identifier:
5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:
52:5A:A5:59:7E:36:44
X509v3 Authority Key Identifier:
keyid:5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:
52:5A:A5:59:7E:36:44
X509v3 Basic Constraints:
CA:TRUE
Certificate is to be certified until Sep 25 10:11:09 2016 GMT
(1095 days)
Write out database with 1 new entries
Data Base Updated
#
c0t0d0s0//org 132
root@ca:~# mkdir server
root@ca:~# cd server
root@ca:~/server# CA.pl -newreq
.....++++++
..................++++++
writing new private key to 'newkey.pem'
-----
You are about to be asked to enter information that
will be incorporated
What you are about to enter is what is called a
Distinguished Name or a DN.
There are quite a few fields but you can leave some
blank
-----
Organizational Unit Name (eg, section) []:Server
Certificates
Common Name (e.g. server FQDN or YOUR name)
[]:server
Email Address []:
Request is in newreq.pem, private key is in
newkey.pem
c0t0d0s0//org 133
root@ca:~# mkdir server
root@ca:~# cd server
root@ca:~/server# CA.pl -newreq
.....++++++
..................++++++
-----
blank
-----
Organizational Unit Name (eg, section) []:Server
Certificates
[]:server
Email Address []:
newkey.pem
c0t0d0s0//org 134
root@ca:~/server# CA.pl -signreq
Enter pass phrase for /etc/openssl/private/
cakey.pem: supersecret1
Signature ok
Serial Number:
b3:54:80:88:66:ad:e8:79
Validity
Not After : Sep 26 10:29:12 2014 GMT
Subject:
countryName = DE
localityName = Lueneburg
organizationalUnitName = Server
Certificates
commonName = server
X509v3 extensions:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
A7:DC:03:DE:B3:D5:FB:F9:C0:06:F1:1A:
55:A9:AD:04:C4:9C:10:FA
keyid:5B:1F:2F:
71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44
Certificate is to be certified until Sep 26 10:29:12
2014 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit?
[y/n]y
Data Base Updated
Signed certificate is in newcert.pem
root@ca:~/server# ls -l
total 15
-rw-r--r-- 1 root root 3196 Sep 26
12:29 newcert.pem
12:28 newkey.pem
12:28 newreq.pem
c0t0d0s0//org 135
root@ca:~/junior# CA.pl -newreq
..........++++++
......++++++
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
Verify failure
-----
blank
-----
Organizational Unit Name (eg, section) []:User
certificates
[]:junior
Email Address []:
newkey.pem
c0t0d0s0//org 136
root@ca:~/junior# CA.pl -signreq
Enter pass phrase for /etc/openssl/private/
cakey.pem:
Signature ok
Serial Number:
b3:54:80:88:66:ad:e8:7a
Validity
Not After : Sep 26 11:09:29 2014 GMT
Subject:
countryName = DE
localityName = Lueneburg
organizationalUnitName = User
certificates
commonName = junior
X509v3 extensions:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
A1:F2:FC:9D:8A:E2:AD:
9A:F5:29:03:F5:B7:14:93:3C:64:62:8E:9C
keyid:5B:1F:2F:
71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44
Certificate is to be certified until Sep 26 11:09:29
2014 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit?
[y/n]y
Data Base Updated
Signed certificate is in newcert.pem
#
c0t0d0s0//org 137
root@server:~# useradd -m junior
80 blocks
root@server:~# passwd junior
New Password:
Re-enter new Password:
passwd: password successfully changed for junior
root@server:~#
root@client:~# useradd -m junior
80 blocks
root@client:~# passwd junior
New Password:
Re-enter new Password:
passwd: password successfully changed for junior
c0t0d0s0//org 138
root@server:~# echo "192.168.10.51 server" >> /etc/hosts
root@server:~# echo "192.168.10.52 client" >> /etc/hosts
root@client:~# echo "192.168.10.51 server" >> /etc/hosts
root@client:~# echo "192.168.10.52 client" >> /etc/hosts
c0t0d0s0//org 139
root@ca:~/server# scp /etc/openssl/cacert.pem jmoekamp@192.168.1.109:/export/home/jmoekamp
Password:
cacert.pem 100% |****************************************| 3011 00:00
root@ca:~/server# scp newcert.pem jmoekamp@192.168.1.109:/export/home/jmoekamp
Password:
newcert.pem 100% |****************************************| 3196 00:00
root@ca:~/server# scp newkey.pem jmoekamp@192.168.1.109:/export/home/jmoekamp
Password:
newkey.pem 100% |****************************************| 1041 00:00
root@ca:~/junior# scp newkey.pem junior@client:/export/home/junior
Password:
newkey.pem 100% |****************************************| 1041 00:00
root@ca:~/junior# scp newcert.pem junior@client:/export/home/junior
Password:
newcert.pem 100% |****************************************| 3190 00:00
root@ca:~/junior# scp /etc/openssl/cacert.pem junior@192.168.1.104:/export/home/junior
Password:
cacert.pem 100% |****************************************| 3011 00:00
c0t0d0s0//org 140
On the Server
c0t0d0s0//org 141
root@server:~# ls
cacert.pem newcert.pem newkey.pem
c0t0d0s0//org 142
root@server:~# ls
c0t0d0s0//org 143
root@server:~# pktool setpin
Enter token passphrase: changeme
Create new passphrase: superserversecret
Re-enter new passphrase: superserversecret
Passphrase changed.
root@server:~#
c0t0d0s0//org 144
root@server:~# printf "superserversecret" > /etc/ssh/pinfile
c0t0d0s0//org 145
root@server:~# printf "superserversecret" > /etc/ssh/pinfile
c0t0d0s0//org 146
root@server:~# kmfcfg create dbfile=/etc/ssh/policy.xml policy=ssh ta-
name=search mapper-name=cn
c0t0d0s0//org 147
root@server:~# echo "TrustedAnchorKeystore /etc/ssh/cert" >> /etc/ssh/sshd_config
root@server:~# echo "KMFPolicyDatabase /etc/ssh/policy.xml" >> /etc/ssh/sshd_config
root@server:~# echo "KMFPolicyName ssh" >> /etc/ssh/sshd_config
root@server:~# echo "HostKey pkcs11:object=host;token=Sun Metaslot;pinfile=/etc/ssh/pinfile"
>> /etc/ssh/sshd_config
c0t0d0s0//org 148
root@server:~# pktool import keystore=pkcs11 infile=newkey.pem objtype=key label=host
Enter PIN for Sun Software PKCS#11 softtoken: superserversecret
Importing 1 keys
c0t0d0s0//org 149
root@server:~# egrep -v "^ |^$|^Cert" /export/home/jmoekamp/cacert.pem > /etc/ssh/cert/
cacert.cooked.pem
root@server:~# egrep -v "^ |^$|^Cert" newcert.pem > newcert.cooked.pem
root@server:~# pktool import keystore=pkcs11 infile=newcert.cooked.pem objtype=cert label=host
root@server:~#
c0t0d0s0//org 150
On the client
c0t0d0s0//org 151
junior@client:~$ ls *.pem
c0t0d0s0//org 152
root@client:~# kmfcfg create dbfile=/etc/ssh/policy.xml policy=ssh ta-name=search mapper-name=cn
root@client:~# egrep -v "^ |^$|^Cert" /export/home/junior/cacert.pem > /etc/ssh/cert/
cacert.cooked.pem
c0t0d0s0//org 153
junior@client:~$ pktool setpin
Enter token passphrase: changeme
Create new passphrase: superusersecret
Re-enter new passphrase: superusersecret
Passphrase changed.
c0t0d0s0//org 154
junior@client:~$ pktool import keystore=pkcs11 infile=newkey.pem objtype=key label=user
Enter PIN for Sun Software PKCS#11 softtoken: superusersecret
Importing 1 keys
junior@client:~$ egrep -v "^ |^$|^Cert" newcert.pem > newcert.cooked.pem
junior@client:~$ pktool import keystore=pkcs11 infile=newcert.cooked.pem objtype=cert label=user
c0t0d0s0//org 155
Testing it
c0t0d0s0//org 156
root@server:~# svcadm disable ssh
root@server:~# svcadm enable ssh
c0t0d0s0//org 157
junior@client:~$ cd .ssh
junior@client:~/.ssh$ printf "superusersecret" >> pinfile
junior@client:~/.ssh$ cat config
Host server-x509
Hostname server
TrustedAnchorKeystore /etc/ssh/cert
KMFPolicyDatabase /etc/ssh/policy.xml
KMFPolicyName ssh
IdentityFile pkcs11:object=user;token=Sun Software PKCS#11
softtoken;pinfile=/export/home/junior/.ssh/pinfile
c0t0d0s0//org 158
junior@client:~/.ssh$ ssh junior@server-x509
Last login: Thu Sep 26 20:07:14 2013 from client
Oracle Corporation SunOS 5.11 11.1 September 2013
junior@server:~$
c0t0d0s0//org 159
http://www.c0t0d0s0.org/archives/7659-Using-X.509-support-for-SSH-on-Solaris-11.1.html
c0t0d0s0//org 160
OpenSCAP
c0t0d0s0//org 161
The Security Content Automation Protocol (SCAP) is a method for using specic standards to enable automated
vulnerability management, measurement, and policy compliance evaluation (e.g., FISMA compliance). The National
Vulnerability Database(NVD) is the U.S. government content repository for SCAP.
http://en.wikipedia.org/wiki/Security_Content_Automation_Protocol
c0t0d0s0//org 162
ftp-banner.xml:
<?xml version="1.0" encoding="UTF-8"?>
<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-
definitions-5"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5"
xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5"
xmlns:independent-def="http://oval.mitre.org/XMLSchema/oval-
definitions-5#independent"
xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-definitions-5
oval-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-
definitions-5#independent
independent-definitions-schema.xsd http://oval.mitre.org/XMLSchema/
oval-common-5 oval-common-schema.xsd">
<generator>
<oval:product_name>Enhanced SCAP Editor</oval:product_name>
<oval:product_version>0.0.11</oval:product_version>
<oval:schema_version>5.8</oval:schema_version>
<oval:timestamp>2012-10-11T10:33:25</oval:timestamp>
</generator>

<definitions>
<definition id="oval:com.oracle.solaris11:def:840" version="1"
class="compliance">
<metadata>
<title>Enable a Warning Banner for the FTP Service</title>
<affected family="unix">
<platform>Oracle Solaris 11</platform>
</affected>
<description>/etc/proftpd.conf contains "DisplayConnect /etc/
issue"</description>
</metadata>
<criteria operator="AND" negate="false" comment="Single test">
<criterion comment="/etc/proftpd.conf contains
"DisplayConnect /etc/issue""
test_ref="oval:com.oracle.solaris11:tst:8400" negate="false"/
>
</criteria>
</definition>
</definitions>
<tests>
<textfilecontent54_test
xmlns="http://oval.mitre.org/XMLSchema/oval-
id="oval:com.oracle.solaris11:tst:8400" version="1" check="all"
comment="/etc/proftpd.conf contains "DisplayConnect /etc/
issue""
check_existence="all_exist">
<object object_ref="oval:com.oracle.solaris11:obj:8400"/>
</textfilecontent54_test>
</tests>
<objects>
<textfilecontent54_object
xmlns="http://oval.mitre.org/XMLSchema/oval-
id="oval:com.oracle.solaris11:obj:8400" version="1"
comment="/etc/proftpd.conf contains "DisplayConnect /etc/
issue"">
<path datatype="string" operation="equals">/etc</path>
<filename datatype="string" operation="equals">proftpd.conf</
filename>
<pattern datatype="string"
operation="pattern match">^DisplayConnect\s/etc/issue\s$</
pattern>
<instance datatype="int" operation="greater than or equal">1</
instance>
</textfilecontent54_object>
</objects>
</oval_definitions>
c0t0d0s0//org 163
<textfilecontent54_object
xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"
id="oval:com.oracle.solaris11:obj:8400" version="1"
comment="/etc/proftpd.conf contains "DisplayConnect /etc/issue"">
<path datatype="string" operation="equals">/etc</path>
<filename datatype="string" operation="equals">proftpd.conf</filename>
<pattern datatype="string"
operation="pattern match">^DisplayConnect\s/etc/issue\s$</pattern>
<instance datatype="int" operation="greater than or equal">1</instance>
</textfilecontent54_object>
c0t0d0s0//org 164
$ oscap oval eval ftp-banner.xml
Definition oval:com.oracle.solaris11:def:840: false
Evaluation done.
$ oscap oval eval --results results.xml --report report.html ftp-banner.xml
Definition oval:com.oracle.solaris11:def:840: false
Evaluation done.
OVAL Results are exported correctly.
c0t0d0s0//org 165
c0t0d0s0//org 166
To create your own OVAL-Files Enhanced SCAP Content Editor:
c0t0d0s0//org 167
https://blogs.oracle.com/darren/entry/compliance_reporting_with_scap

Security 11 Solaris

Hochgeladen von

Dokumentinformationen

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

Security 11 Solaris

Hochgeladen von

Copyright:

Verfügbare Formate

c0t0d0s0//org 1

on-chip crypto accelerator in T and current M series chips

instruction set extensions in Intel procs (AES-NI)

supported crypto accelerator cards

Das könnte Ihnen auch gefallen