
Securing Solaris Systems

Randy Marchany
VA Tech Computing Center
Marchany@vt.edu

va-scan Copyright 2002, Marchany


Course Outline
 OS Installation Tips
 Cleaning System Scripts
 Kernel settings
 Testing & Verification
 CIS Benchmarks
 TITAN
 JASS
OS Installation Tips

Basic Tips During OS Installation

OS Installation Tips
 Core – base OS, 50Mb in size
 End-user – CDE/X Windows, UCB support,
NIS/NIS+/LDAP
 Developer – man pages, include
files(/usr/include), compiler libraries, make, ar,
ld commands
 Full OEM – everything on the install CD
 Make sure SUNWter is installed. This adds
xterm and other term support. Remote
administration requires this package.

OS Installation- Disk Partitions

 Solaris 2.x no longer requires swap space as large as physical
memory, but extra swap doesn’t hurt
 /var should be large - > 2GB
 /opt should be large - > 2GB. Compilers and
other Sun packages install here by default.
 DiskSuite requires 5MB on each disk for
configuration information
 Veritas requires 2 free partitions to encapsulate
and mirror the root drive

OS Package Dependencies
 NTP
 SUNWntpr
 SUNWntpu
 Perl
 SUNWlibm
 SUNWlibms
 Oracle
 SUNWarc, SUNWbtool, SUNWsprot, SUNWtoo, SUNWlibCf
 Man Pages
 SUNWlibC, SUNWdoc, SUNWman

OS Package Dependencies
 Developer Tools
 SUNWhea, SUNWtnfc, SUNWarc, SUNWsprot,
SUNWbtool, SUNWtoo, SUNWhmdu, SUNWlibm,
SUNWlibC, SUNWlibCf, SUNWtnfd
 X Client (not X Server)
 SUNWxwrtl, SUNWxilow, SUNWxwplt, SUNWxwfnt,
SUNWxwice, SUNWmfrun, SUNWtltk, SUNWxilrl,
SUNWxildh
 Virtual Adrian
 SUNWsprot

Determining Which Package
 Pomeranz Method
 Attempt to install or run app
 Find missing file(s) via error and/or truss
 Check /var/sadm/install/contents of full
OS system, grep for file. This file contains the
package name
 Add the needed package
 Add appropriate dependencies
 Repeat until done
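The Pomeranz method above, as an added example that is not part of the original course: two small shell helpers that pull the files which failed to open out of truss(1) output and then look each path up in a contents(4)-format file to find the owning package. The truss lines and the contents file below are constructed samples; on a real system point pkg_for_file at /var/sadm/install/contents on the fully installed reference machine.

```sh
#!/bin/sh
# Added example: find the package that delivers a file the application is missing.
# Both inputs below are constructed samples, not output captured from a real system.

# Step 1 input, as produced by:  truss -f -t open -o /tmp/truss.out ./app
SAMPLE_TRUSS='1234:   open("/usr/lib/libc.so.1", O_RDONLY)           = 3
1234:   open("/usr/lib/libm.so.1", O_RDONLY)           Err#2 ENOENT
1234:   open("/usr/include/stdio.h", O_RDONLY)         Err#2 ENOENT
1234:   open("/etc/passwd", O_RDONLY)                  = 4'

# Step 2 input: contents(4) lines. The package names start at a field that
# depends on the entry type:
#   f/e/v : path type class mode owner group size cksum modtime pkg...
#   d/x   : path type class mode owner group pkg...
#   b/c   : path type class major minor mode owner group pkg...
#   s/l   : path=target type class pkg...
SAMPLE_CONTENTS=${TMPDIR:-/tmp}/contents.sample.$$
cat > "$SAMPLE_CONTENTS" <<'EOF'
/usr/bin/make f none 0555 root bin 147268 40412 949173657 SUNWsprot
/usr/ccs/bin/ld f none 0555 root bin 268112 11780 949173657 SUNWtoo
/usr/include/stdio.h f none 0644 root bin 9988 33101 949173657 SUNWhea
/usr/lib/libm.so.1 f none 0755 root bin 175640 26134 949173657 SUNWlibms
/usr/lib/libm.so=./libm.so.1 s none SUNWlibm
EOF

# Print the path of every open() in the truss output that failed with ENOENT.
missing_files_from_truss() {
    printf '%s\n' "$1" | sed -n 's/.*open("\([^"]*\)".*ENOENT.*/\1/p'
}

# pkg_for_file CONTENTS_FILE PATH: print the package(s) that deliver PATH.
pkg_for_file() {
    awk -v want="$2" '
        {
            path = $1
            sub(/=.*/, "", path)                 # symlink entries are path=target
            if (path != want) next
            if ($2 ~ /^[fev]$/)      start = 10
            else if ($2 ~ /^[dx]$/)  start = 7
            else if ($2 ~ /^[bc]$/)  start = 9
            else if ($2 ~ /^[sl]$/)  start = 4
            else next
            for (i = start; i <= NF; i++) print $i
        }' "$1"
}

# Both steps together: the set of packages needed for every missing file.
packages_for_missing() {
    missing_files_from_truss "$1" | while read -r f; do
        pkg_for_file "$2" "$f"
    done | sort -u
}
```

Run `packages_for_missing "$(cat /tmp/truss.out)" /var/sadm/install/contents` against the contents file of a full install, pkgadd what it lists, then repeat with a fresh truss until the application starts; the loop terminates because each pass removes at least one missing file.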

Patches
 Available from sunsolve.sun.com
 2 install tools
 Patchdiag – available from
sunsolve.sun.com
 GASP – available from discovery.cc.vt.edu
and Brian Reilly at Georgetown U
 GUI front end to patchdiag
 Patchdiag is required

Patches - GASP
 Build from kit. Create a /tmp/patches
 Modify the patchadd command to keep
backout option if you want it.
 Start: xgasp
 Click on Generate Patch Report
 Enter sunsolve userid/password
 You can select individual patches or all
of them for download

Patches - Sunsolve
 Go to http://sunsolve.sun.com
 Login with the shared vtsug SunSolve account
 Use the search tools to find the patches you
need.
 At a minimum, install the Recommended and Security patch
cluster. This is NOT the complete answer: other patches for the
packages you have installed may still be needed
 Install all patches then the applications
 Do NOT install Sun sendmail patches if you are
using the VT sendmail.

OS Settings
 Console Security (SPARC only)
 Prevents someone from using console
commands
 Disable STOP-A sequence
 Command Mode
 Prevents EEPROM changes w/o proper
password

OS Settings
 Full Mode
 Same as command mode with extras:
 Can’t boot system w/o EEPROM password
 Use eeprom command from shell
 # eeprom security-mode=full
 Use setenv command from OK prompt
 ok setenv security-mode full
 Both prompt for the PROM password. Record it somewhere safe: a
forgotten password in full mode leaves a machine that cannot be
booted without hardware intervention

OS Settings
 Disable keyboard abort sequence
 Change the following line in
/etc/default/kbd from
 #KEYBOARD_ABORT=enable
 to
 KEYBOARD_ABORT=disable
 kbd -a disable applies the same change to a running system
 CAUTION: the system will have to be powered
down to reset. No crash dumps from the
PROM on a running (hung) system for analysis.

Cleaning System Scripts

Some Startup and Boot Scripts to Check
Create umask for System
Daemons
 Solaris 7
echo 'umask 022' > /etc/init.d/umask.sh
chmod 744 /etc/init.d/umask.sh
for dir in /etc/rc?.d
do
    ln -s ../init.d/umask.sh $dir/S00umask.sh
done
 The .sh suffix matters: /sbin/rcN sources scripts whose names end
in .sh into its own shell instead of running them as child processes,
so the umask carries over to every rc script that runs afterwards
 Solaris 8
 Set CMASK=022 in /etc/default/init

Mount Options
 Mount filesystems with nosuid, read-
only options
 /usr can be mounted read-only
 /var can be mounted nosuid
 / can’t
 / is mounted RO at boot and then remounted
RW. The second mount cancels the nosuid.
 Note: FS mounted in 1 mode and
changed to another requires a reboot.
Securing /etc/vfstab
 Protect OS binaries in /usr
 ro – FS is mounted Read Only
 Prevent rogue SUID programs
 nosuid – SUID bit is ignored in FS
 Allow other software to be installed
 The remount option lets you change the options of a FS that was
mounted early in the boot process
 mount -o remount,ro /usr
 Caveat: mount_ufs(1M) documents remount only for turning a
read-only mount read-write. To make /usr read-only, put ro in its
/etc/vfstab entry and reboot (see the note on the previous slide)

Securing /etc/vfstab
 nosuid caution
 Implies nodev which means files in /dev/ and
/devices will not function in a nosuid FS
 / cannot be mounted nosuid. Solaris ignores this
option for root FS
 Creating a separate /devices and mounting the
rest of the / nosuid doesn’t work. /devices
doesn’t get mounted at boot so the kernel panics.
 Anon FTP areas require device files and must not
be mounted nosuid
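An added check for the two vfstab slides above (not part of the original course): it reads mnttab(4)-format lines and reports every mounted file system that lacks the option the policy requires. The policy table is an assumption drawn from the text (/usr read-only, /var and home directories nosuid) and the mnttab is a constructed sample; on a live system pass /etc/mnttab.

```sh
#!/bin/sh
# Added example: audit mounted file systems against the recommended options.
# WANT_OPTS is the policy (an assumption: extend it for your own layout).

WANT_OPTS='/usr ro
/var nosuid
/export/home nosuid'

# Constructed mnttab(4) lines: special mount_point fstype options time
SAMPLE_MNTTAB=${TMPDIR:-/tmp}/mnttab.sample.$$
cat > "$SAMPLE_MNTTAB" <<'EOF'
/dev/dsk/c0t0d0s0 / ufs rw,intr,largefiles,onerror=panic,suid,dev=800000 1012345678
/dev/dsk/c0t0d0s6 /usr ufs rw,intr,largefiles,onerror=panic,suid,dev=800006 1012345678
/dev/dsk/c0t0d0s3 /var ufs rw,intr,largefiles,nosuid,onerror=panic,dev=800003 1012345678
/dev/dsk/c0t0d0s7 /export/home ufs rw,intr,largefiles,onerror=panic,suid,dev=800007 1012345678
EOF

# The /etc/vfstab lines that would satisfy the policy (device to mount,
# device to fsck, mount point, FS type, fsck pass, mount at boot, options):
#   /dev/dsk/c0t0d0s6  /dev/rdsk/c0t0d0s6  /usr          ufs  1  no   ro
#   /dev/dsk/c0t0d0s3  /dev/rdsk/c0t0d0s3  /var          ufs  1  no   nosuid
#   /dev/dsk/c0t0d0s7  /dev/rdsk/c0t0d0s7  /export/home  ufs  2  yes  nosuid

# audit_mounts MNTTAB_FILE: print one line per policy violation, exit 1 if any.
audit_mounts() {
    printf '%s\n' "$WANT_OPTS" | awk -v mnttab="$1" '
        BEGIN {
            # mount point -> comma-separated option list, from the mnttab file
            while ((getline line < mnttab) > 0) {
                n = split(line, f, /[ \t]+/)
                if (n >= 4) opts[f[2]] = f[4]
            }
            close(mnttab)
        }
        {
            mp = $1; want = $2
            if (!(mp in opts)) { print mp ": not mounted"; bad++; next }
            # exact option match: ",ro," must appear in ",<options>,"
            if (index("," opts[mp] ",", "," want ",") == 0) {
                print mp ": missing " want " (mounted " opts[mp] ")"
                bad++
            }
        }
        END { exit bad ? 1 : 0 }'
}
```

On the sample the function flags /usr (mounted rw) and /export/home (suid); /var passes. Because Solaris applies the options from /etc/vfstab at boot, run this after the reboot that follows a vfstab change, not just after editing the file.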

The logging feature
 Logging option for FS creates transaction log,
allows faster reboots but slower file writes and
more disk space for logs
 Prevents physical access attack
 Continuously crash system until / is corrupted then
the OS asks you to fsck /. At that point, you have a
root shell and can install backdoors, etc
 Logging prevents this from happening so we’re a little
safer from a physical access attack.
 Solaris 8 allows logging on /. Enable this if
possible!

/etc/rmmount.conf
 Add to /etc/rmmount.conf
 mount hsfs –o nosuid
 mount ufs –o nosuid
 Prevents SUID programs from being loaded
from removable media. Default in Solaris 8
 Common attack is to create SUID shell on CD
or floppy, use this to get root on system you
have physical access

/etc/ftpusers
 Lists users NOT allowed to FTP
 Include root in /etc/ftpusers
touch /etc/ftpusers
for user in root daemon bin sys nobody \
    noaccess nobody4 uucp adm lp smtp listen
do
    echo $user >> /etc/ftpusers
done
chown root /etc/ftpusers; chgrp root /etc/ftpusers
chmod 600 /etc/ftpusers

.rhosts
 Remove rhosts_auth from
/etc/pam.conf
 Causes system to ignore .rhosts
authentication
grep -v rhosts_auth /etc/pam.conf > /etc/pam.new
mv /etc/pam.new /etc/pam.conf
chmod 644 /etc/pam.conf
 Keep a backup copy first: a malformed /etc/pam.conf can lock
everyone, root included, out of the system

Crontab
 Limit use by adding appropriate users
to /etc/cron.d/cron.allow
 Only users listed in *.allow files can
modify cron/at jobs
 Cron can still run jobs as other users

More Scripts to Check
 Syslog
 Start syslogd with the -t flag so it does not listen on port
514/udp. Keeps the system from acting as a syslog server for
others. On Solaris 8 the rc script adds -t when
/etc/default/syslogd contains LOG_FROM_REMOTE=NO
 Devfsadm (Solaris 7 or later)
 Solaris >=7 supports hot swap devices
 Solaris 8 device daemons also control dynamic pty
allocation. If you don’t have hot swap devices,
you can disable this script

More Cleanup
 /etc/inittab
 Remove sc:234:respawn:/usr/lib/saf/sac –t 300
 Disables listener on serial ports
 Login prompt will still appear on the console
 Empty /etc/inetd.conf and add back only the services you
need (or remove it and do not start inetd at all)
 rm adm lp sys from
/var/spool/cron/crontabs
 rm /etc/auto_* /etc/dfs/dfstab if not
using NFS

Finding Trojans: Fingerprints
 Use Solaris Fingerprint database to check for
trojans
 Verifies local MD5 checksums of systems files
with known checksums at the SunSolve site.
 sfbDB maps a digital fingerprint to a path
name, package version/identifier and product
name.
 Contains 1M entries used in Solaris OE,
Solaris OE patches and unbundled products.

Finding Trojans: Fingerprints
 Installation
 Download MD5 binaries from
http://sunsolve.sun.com/md5/md5.tar.Z
 zcat md5.tar.Z | tar xvf -
 Creates a md5 directory with the binaries
 md5-sparc and md5-x86
 chmod 700 md5/*
 chown root:root md5/*

Finding Trojans: Fingerprints
 Create MD5 Digital fingerprint
 md5/md5-sparc <file name> ...
 Use to create fingerprints of files that
have changed recently
 find /usr/bin -type f -mtime -1 -print | xargs -n100 md5/md5-sparc > /tmp/md5s.txt

Finding Trojans: Fingerprints
 Testing a Digital Fingerprint
 Go to http://sunsolve.sun.com, login using
vtsug userid, click on Security Information,
click on Solaris Fingerprints.
 Paste your digital fingerprints into the www
form. Click submit.
 Wait a few and then view the results.

Finding Trojans: Fingerprints
 Advantages
 Massive checksum DB of binaries
 WWW interface
 Easy to create file of checksums
 Disadvantages
 Need net access to Sun www site
 Doesn’t read input from a file
 256 queries at a time

Solaris Fingerprint Database
 Developed by Sun to help find trojan
programs installed by hackers
 MD5 checksum of 1 million Sun binaries
used in OE, Patches, unbundled
products
 Need MD5 program
 http://sunsolve.sun.com/md5/md5.tar.Z
 Do the chmod, chown on /opt/md5

Solaris Fingerprint Database
 Create local MD5
/opt/md5/md5-sparc /usr/bin/su
find /usr/bin -type f -mtime -1 -print | \
    xargs -n100 /opt/md5/md5-sparc > /tmp/md5s.txt
 Compare MD5 list to Sun’s FPD
 http://sunsolve.sun.com/pub-cgi/fileFingerprints.pl
 Copy/paste MD5 into web form, press submit. 256
entries max at one time

Solaris Fingerprint Database
 Database Companion automates the
process of collecting and checking MD5
against the SFD
 Database Sidekick checks a system for
known rootkits. It maintains a list of
commonly trojaned Solaris binaries.

Tripwire
 Available from www.tripwire.com
 First of the file integrity checkers
 Unix and NT versions available
 Network capable versions available
 Academic version is free. Commercial
and NT versions are not.
 Useful in finding trojan programs

Tripwire
 Generates a “signature” for each file based on
checksums and other characteristics.
 These signatures are stored in a database file
that should be kept offline.
 This is the baseline.
 Latest threat involves dynamic exec
redirection. This is part of the newer Kernel
Module Rootkits.

Tripwire
 List of files to check: tw.config
 All files in a directory will be checked.
 Can prune directories from the check step.
 Can examine just the directory and nothing
else.
 Can check by access time but not
recommended since you’ll get a report of
everything that changed. Everything!

Tripwire
 To initialize the DB:
tripwire -initialize
 Update DB interactively:
tripwire -interactive
 Non-interactive DB update:
tripwire -update <FN>

Tripwire
 Security Issues
 Need to protect the DB
 Need to protect the vulnerable executables
 Advantages
 Simple interface, good choice of crypto hash
functions, good all-around tool
 Disadvantages
 Kernel mod attacks, initial tw.config takes some
time to customize, NT version is good but costs $$
$, no network security

User Accounts
 Some accounts can be deleted
 smtp, nuucp, listen
 passmgmt –d <account name>
 JASS toolkit contains a noshell
command that will generate a syslog
entry when someone tries to login a
disabled account.

User Accounts
 Lock userids: passwd -l <userid>
 Change an account’s login shell: passwd -e <userid>
 System accounts in /etc/passwd have no
shell assigned to them (an empty shell field)
 They also have NP in the password field of
/etc/shadow, so no password will ever match
 UID/GID pairs must be unique across
NFS. Recommend using the (VT) PID # as a
UID

at, cron, batch
 Access to these commands can be
restricted using the at.allow,
at.deny, cron.deny and
cron.allow files in /etc/cron.d
(/usr/lib/cron is a symlink to it)
 If neither the .allow nor the .deny file exists, then only
root can run the cron or at commands

Init
 System services controlled by the
/etc/rcX.d directories where
 X=0 : shutdown
 X=S : single user mode
 X=1 : administrative state (single user with file systems mounted)
 X=2 : multi-user, without NFS server/resource sharing
 X=3 : multi-user with NFS/resource sharing (default)
 X=4 : unused
 X=5 : shutdown and power off
 X=6 : shutdown and reboot

Init
 Start up scripts : SxxService
 Kill scripts : KxxService
 Main scripts live in /etc/init.d
 Symlinks are in the /etc/rcX.d
directories

RC Scripts
 Create S99local
 Startup ssh, portsentry, etc.
 Some of the startup scripts can be
disabled. Caution: your mileage will
vary tremendously. Some examples:
 S80lp, S73nfs.*, S74autofs, S88sendmail

Kernel Adjustments

Kernel Settings to Help Protect Your System From Network Attacks
Kernel Adjustments
 ndd command display/sets kernel parms on
the fly
 ndd /dev/arp \?
 ndd /dev/icmp \?
 ndd /dev/ip \?
 ndd /dev/tcp \?
 \? = list all driver parms and status: RO, RW
 Response of 0 means the option is disabled
 ndd –set <driver> <option> <value>
to set a parameter

Kernel Adjustments
 /etc/system contains kernel parameters
 Some kernel parameters can be adjusted to
improve performance and security
 NFS Server
 Set nfssrv:nfs_portmon = 1
 Forces NFS server to accept client requests from
privileged port range (port<1024)
 May break file sharing with older versions of
Linux, SCO Unix

Kernel Adjustments
 Executable Stacks
 set noexec_user_stack = 1
 set noexec_user_stack_log = 1
 Helps defend against stack overflow
attacks. Logs the attempt as well.
 64-bit (SPARC v9) processes already get a non-executable stack
from the ABI; the /etc/system setting is what protects 32-bit
processes

Kernel Adjustments
 Core Files
 set sys:coredumpsize = 0
 Prevents the creation of core files. Beware!
 Use the coreadm command to define
target directories and file name patterns
for core files. Useful in creating a central
core repository.
 SUID/SGID will be prevented from creating
core files if the above is set.

Kernel Adjustments
 No ndd parameter documentation
 Parameter names may change with new
releases
 Be Very Careful

ARP Kernel Defense
 2 types of ARP attacks
 DOS
 Local: attacker inserts bogus info into the ARP cache
 Remote: attacker feeds a remote system bogus info (cache
poisoning)
 Spoofing
 Used to compromise remote systems on the
local network

ARP Kernel Defense
 ARP entries can be deleted or they time out in
the cache
 Default TO is 5 minutes
 Default IP Routing Table TO is 20 minutes
 Change the Intervals
ndd -set /dev/arp arp_cleanup_interval 60000
ndd -set /dev/ip ip_ire_flush_interval 60000
 Units are in milliseconds. 60000 = 1 minute
 Only slows the attack

IP Defense
 IP forwarding routes packets between
network interfaces on one system
 A multihomed system has several
network interfaces, each with a separate IP
address
 Not intended to route/forward packets
 Used for NFS servers on multiple nets –
server response is faster when connected
to same net as clients
IP Defense
 /etc/notrouter disables IP
forwarding at boot time
 /etc/init.d/inetinit determines the
configuration at boot
 To dynamically disable IP forwarding:
 ndd -set /dev/ip ip_forwarding
0
 Solaris 8 allows you to set this per I/F

IP Defense
 Strict destination multihoming prevents packet
spoofing on nonforwarding multihomed systems
 The system drops a packet whose destination address belongs
to an interface other than the one it arrived on
ndd -set /dev/ip ip_forwarding 0
ndd -set /dev/ip ip_strict_dest_multihoming 1

IP Defense – Multicast Routing
Used to send data to multiple systems
simultaneously using only 1 net address
 Solaris 7: comment out of /etc/init.d/inetsvc
the lines from
 mcastif=`/sbin/dhcpinfo Yiaddr` to
/usr/sbin/route add -interface -netmask "240.0.0.0" "224.0.0.0" "$mcastif"
 Solaris 8: comment out from (if [ "$_INIT_NET_STRATEGY"...)
to the /usr/sbin/route line

IP Defense
 Eliminate DHCP, named startup support
and multicast support. This leaves the
/etc/init.d/inetsvc script as:

#!/bin/sh
/usr/sbin/ifconfig -au netmask + broadcast +
/usr/sbin/inetd -s -t

IP Defense – Directed
Broadcast
 Directed broadcast is sent from a remote
machine to all systems on another net
 Used by “smurf” attack. CNS router rules limit
smurf to the same subnet
 Forged ICMP echo request sent to broadcast w/
target source address
ndd -set /dev/ip \
ip_forward_directed_broadcasts 0
 Default is 1

IP Defense – Src Route Packet
 Source routed packet contains a specific
path the packet should take to get to a
target
 Bypasses router decisions
 Enabled by default
 Disable:
ndd -set /dev/ip ip_forward_src_routed 0

ICMP Defense
 Usually safe to disable ICMP broadcasts
 All systems configured to respond to
broadcast echo request will send an echo
reply
 Disable:
ndd -set /dev/ip ip_respond_to_echo_broadcast 0
 This only stops replies to pings sent to the broadcast address;
a unicast ping to this system still works

ICMP Defense
 Individual timestamp requests are ok. No reason
for broadcast request.
 Disable:
ndd -set /dev/ip ip_respond_to_timestamp_broadcast 0
ndd -set /dev/ip ip_respond_to_timestamp 0   (unicast)
 Address mask requests are used to get the netmask. Printers and
X terminals use this. Solaris disables it by default
ndd -set /dev/ip ip_respond_to_address_mask_broadcast 0

TCP Defense
 Syn Floods work on unestablished
connections
 2 queues
 Q for established connections
 Q for unestablished connections
 Increase size on unestablished connect Q
ndd -set /dev/tcp tcp_conn_req_max_q0 4096   (default 1024)
ndd -set /dev/tcp tcp_ip_abort_cinterval 60000   (default 180000 = 3 minutes)

TCP Defense
 Connection Exhaustion Attack
 Works on established connections
 OS has max # connect limit. Attacker exceeds
this limit
 Default Q is 128. Increase to 1024
ndd -set /dev/tcp tcp_conn_req_max_q 1024
 This increases the amount of memory needed to
process all TCP connections

TCP Defense
 IP spoofing and TCP hijacking rely on ISN
prediction
 RFC 1948 defines a better way to generate ISNs
 3 types: 0 – predictable; 1 – improved with
random increment; 2 – RFC 1948 method
 Check /etc/default/inetinit and make sure it contains the line
below (Solaris 7 ships without it; add it):
 TCP_STRONG_ISS=2

TCP Defense
 Privileged ports can only be acquired by root
owned processes
 NFS uses 2049 and 4045 (lockd). If these are not privileged, any
local user can set up a fake NFS server listening on them
 Extend port range:
ndd -set /dev/tcp tcp_smallest_nonpriv_port 2050
 Add individual ports:
ndd -set /dev/tcp tcp_extra_priv_ports_add 6112
 /dev/udp has the same parameters (udp_smallest_nonpriv_port,
udp_extra_priv_ports_add); NFS is mostly UDP, so set both

ICMP Defense
 Redirect errors used to tell a system to use a
different router
 Can be used in Man-in-the-Middle to install
bogus routes
 Disable incoming:
ndd –set /dev/ip ip_ignore_redirect 1
 Disable outgoing:
ndd –set /dev/ip ip_send_redirects 0
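The ndd settings from the ARP, IP, ICMP and TCP defense slides above, collected into one boot-time script as an added example (not a script from the course or from Sun). ndd changes are lost at reboot, so a script like this belongs in /etc/init.d with a link from /etc/rc2.d; the file name nddconfig and sequence number S69 are this example's choice. The NDD variable exists so the script can be exercised against a stand-in command without touching a live kernel.

```sh
#!/bin/sh
# Added example: apply and audit the recommended ndd settings at boot.
# Install as /etc/init.d/nddconfig, link as /etc/rc2.d/S69nddconfig (names
# are an assumption). Values are the ones recommended in the slides above.
NDD=${NDD:-/usr/sbin/ndd}

# driver   parameter                            value
ndd_settings() {
    cat <<'EOF'
/dev/arp arp_cleanup_interval                 60000
/dev/ip  ip_ire_flush_interval                60000
/dev/ip  ip_forwarding                        0
/dev/ip  ip_strict_dest_multihoming           1
/dev/ip  ip_forward_directed_broadcasts       0
/dev/ip  ip_forward_src_routed                0
/dev/ip  ip_respond_to_echo_broadcast         0
/dev/ip  ip_respond_to_timestamp_broadcast    0
/dev/ip  ip_respond_to_timestamp              0
/dev/ip  ip_respond_to_address_mask_broadcast 0
/dev/ip  ip_ignore_redirect                   1
/dev/ip  ip_send_redirects                    0
/dev/tcp tcp_conn_req_max_q0                  4096
/dev/tcp tcp_conn_req_max_q                   1024
/dev/tcp tcp_ip_abort_cinterval               60000
EOF
}

# Push every setting into the running kernel; a failure usually means the
# parameter was renamed in a newer release, so it is reported, not ignored.
apply_ndd_settings() {
    ndd_settings | while read -r drv parm val; do
        "$NDD" -set "$drv" "$parm" "$val" ||
            echo "nddconfig: could not set $drv $parm" >&2
    done
}

# Compare live values with the table: print each mismatch, exit 1 if any.
audit_ndd_settings() {
    ndd_settings | while read -r drv parm want; do
        have=$("$NDD" -get "$drv" "$parm" 2>/dev/null)
        [ "$have" = "$want" ] || echo "$drv $parm is '$have', want $want"
    done | awk '{ print; n++ } END { exit n ? 1 : 0 }'
}

case "$1" in
    start) apply_ndd_settings ;;
    check) audit_ndd_settings ;;
    *)     echo "usage: $0 start|check" >&2 ;;
esac
```

Site-specific items such as tcp_smallest_nonpriv_port and tcp_extra_priv_ports_add can be appended to the table. Run `/etc/init.d/nddconfig check` after every reboot and every patch cluster: a renamed parameter shows up as a mismatch rather than silently leaving the old default in place.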

System Logs
 /etc/syslog.conf
 Program I/F: syslog()
 System command: logger
 Log files defined in /etc/syslog.conf
 /var/adm/messages (default)
 /var/log/syslog (default)
 /var/log/authlog (disabled by default)
 /usr/lib/newsyslog rotates logs every 7 days
 /var/adm/loginlog records failed login
attempts

Syslog Strategies
 Create a central syslog server
auth.debug	@central-logger.vt.edu
 Install logcheck
 Create additional syslogs
auth.notice	ifdef(`LOGHOST', /var/log/Today/auth.log, @loghost)
 Fields in syslog.conf must be separated by tabs, not spaces
 Make sure the loghost alias in /etc/hosts points at your own
system; syslogd defines LOGHOST only when this host is loghost

Application Logs
Log file             Written by        Read with
/var/adm/sulog       /usr/bin/su       cat, more
/var/adm/vold.log    /usr/sbin/vold    cat, more
/var/adm/wtmpx       /usr/bin/login    last
/var/adm/loginlog    /usr/bin/login    cat, more (must touch 1st)
/var/cron/log        /usr/sbin/cron    cat, more

System Accounting
 Use the sar command to gather system
resource usage data:
 Cpu, memory, disk, file I/O, system calls
 Archives stored in /var/adm/sa
 vmstat collects the same kind of data in real time
 Need SUNWaccr, SUNWaccu, uncomment:
 /etc/init.d/perf, /var/spool/cron/crontabs sys
 Reset default shell for user: sys
passmgmt –m –s /sbin/sh sys

System Accounting
 Run it every 20 minutes
 Archive data longer than 1 month
 Edit /etc/init.d/perf and scripts in /usr/lib/sa
 Change calls like `date +%d` to `date +%Y%m%d`
 sar command will still be looking for files in the
old naming so you need to use the –f option to
point to correct file
 /usr/lib/sa/sa2 purges raw data after 1
week. Remove the find command at the end of
the sa2 script.

Process Accounting
 You can tell the kernel to log data about every
process on the system
 Can be selectively enabled/disabled using the
accton command
 Specify where the log file is
 /usr/lib/acct/accton /var/adm/pacct
 Once enabled, the kernel logs 40 bytes of data
for each process that runs to completion
 Use acctcom to examine the logs
 Process accounting can cause 10-20% degradation

RPC Services
 Rpcbind – central RPC service agent
 New RPC service registers with rpcbind
 Rpcbind maintains table of RPC services
(program #) and the ports they listen
 A client contacts rpcbind first with a program
# to learn which port that service is listening on,
then connects to that port
 Used by Disksuite, NFS, NIS+, Kerberos

RPC Services - /etc/inetd.conf
 testsvc, sadmind, rquotad, rpc.rusersd,
rpc.sprayd, rpc.rwalld, rpc.rstatd,
rpc.rexd, kcms_server, ufsd, cachefsd,
kerbd, xaudio, rpc.cmsd, rpc.ttdbserverd
 Remove all of these services unless
specifically required

RPC Services – Startup scripts
 /etc/rc2.d/S71rpc, /etc/rc3.d/S71rpc
 rpcbind, keyserv, rpc.nisd, nis_cachemgr,
rpc.nispasswdd
 Used by rpcbind, NIS/NIS+, NFS client/server
 NFS Server
 /etc/rc2.d/S73nfs.server,
/etc/rc3.d/S15nfs.server
 Explicitly list client hosts, no world access
 Export lowest level dir only and RO
 Synchronize UID/GID between pairs
 Use strong authentication if possible (AUTH_DES,
AUTH_KERB)

Sendmail
 Use sendmail kit available from
ftp://ftp.vt.edu/pub/cc/Solaris/sendmailX.tar.Z (X = version)
 Sendmail kit built by VT with anti-relay
and anti-spam filters
 Contains install and backout scripts

Sendmail
 Tailor as necessary
 Solaris 8 undocumented way to have
sendmail handle the queue w/o cron
 echo 'MODE=""' > /etc/default/sendmail
 With an empty MODE the rc script starts sendmail without -bd, so
it only processes outgoing mail and does not accept incoming
connections. Useful if you forward mail to PID@vt.edu
 See Sun Blueprint tools page (
www.sun.com/blueprints/tools) for replacement
/etc/default/sendmail

Name Service Caching (nscd)
 Provides caching for NS requests
 Performance boost, all NS requests made by
system library call routed to nscd
 Sun recommends caching as little as possible
 Do not disable. NIS/NIS+ and some versions
of Netscape break
 nscd -g : see current configuration

Banner Files
 /etc/motd
 /etc/issue
 /etc/default/telnetd
 BANNER=“place your text here”
 /etc/default/ftpd
 BANNER="place your text here"
 /etc/sendmail.cf
 O SmtpGreetingMessage=Put warning here
More on /etc/default
 /etc/default/cron
 CRONLOG=yes tells cron to log to /var/cron/log for
each cron job.
 Roll this log often – see /etc/cron.d/logchecker
 /etc/default/su
 Defines PATH, SUPATH for su command
 /etc/default/passwd
 Set password aging, password length
 /etc/default/kbd
 Disable STOP-A on systems

/etc/default/login
 CONSOLE – root logins allowed only on this
device usually the console
 PATH, SUPATH – uncomment and set
 UMASK – uncomment and set
 RETRIES – number of failed logins before
login exits
 SYSLOG_FAILED_LOGINS – number of failed
logins before a message is sent to syslog (Solaris 8);
consecutive failures are also recorded in /var/adm/loginlog
if that file exists

Additional Login Files
 Set UMASK, PATH in
/etc/profile, /etc/.login
 Default files for userid creation in
/etc/skel. These files are used by
useradd or admintool programs
 Can be overridden by users

Fix-modes Program
 Corrects insecure system file/directory perms:
 Removes group/world write permissions
 Makes most files owned by root
 Uses /var/sadm/install/contents for
list of programs to check
 User files NOT installed with pkgadd will not be
affected
 The core OS files in Solaris 8 already ship with corrected
permissions. Things like CDE don’t
Building TCP Wrappers
 Available from
ftp://ftp.porcupine.org/pub/security/index.html
 Modify the Makefile
 Set REAL_DAEMON_DIR
 Send logging to LOG_AUTH
 Download the IPv6 version for Solaris 8
 Use the advanced installation method

Building OpenSSH
 OpenSSH implements SSH1, SSH2
 Maintained by OpenBSD
 Tested on Solaris 2.6 5/98 Sparc,
Solaris 7 11/99 Sparc, Solaris 8 4/01
Sparc with ForteDeveloper 6 update 1
and gcc 2.95.2

Building OpenSSH
 Prerequisite Components
 OpenSSH 2.9p2 from
http://www.openssh.com/portable.html
 Zlib 1.1.3 from
http://www.freesoftware.com/pub/infozip/zlib
 Solaris 8 CD – package format
 OpenSSL 0.9.6b from
http://www.openssl.org/source
 PRNGD 0.9.19 from
http://www.aet.tu-cottbus.de/personen/jaenicke/postfix_tls/prngd.html
(pseudo random number generator daemon)

Building OpenSSH
 Building zlib
 cd zlib-1.1.3
 ./configure (for gcc)
 env CC=cc CFLAGS="-xO4 -KPIC" ./configure (for Sun cc)
 make
 make install
 ls -l /usr/local/lib/libz.a
Building OpenSSH
 Building OpenSSL
cd openssl-0.9.6b
./Configure <compiler>
make
make install
ls -l /usr/local/ssl/lib
 Building PRNGD
cd prngd-0.9.19
make CC=gcc CFLAGS="-O3 -DSOLARIS" SYSLIBS="-lsocket -lnsl"
 or, with Sun cc:
make CC=cc CFLAGS="-xO4 -DSOLARIS -KPIC" SYSLIBS="-lsocket -lnsl"

Building OpenSSH
 Building PRNGD (cont’d)
cp prngd /usr/local/sbin/prngd
chown root:bin /usr/local/sbin/prngd
chmod 755 /usr/local/sbin/prngd
cp contrib/Solaris7/prngd.conf.solaris-7 /etc/prngd.conf
cat /var/log/syslog > /etc/prngd-seed
chmod 600 /etc/prngd-seed
 The seed file must not be readable by other users: it feeds the
entropy pool your SSH keys are made from

Building OpenSSH
 Building OpenSSH
 gcc version
./configure --prefix=/opt/OBSDssh --with-pam --without-rsh \
    --disable-suid-ssh --sysconfdir=/etc \
    --with-prngd-socket=/var/spool/prngd/pool
make
make install
ls -l /opt/OBSDssh/bin/ssh
 Start: /etc/init.d/openssh.server start

Building OpenSSH
http://www.sun.com/blueprints/tools/makeOpenSSHPackage.ksh builds a
Solaris package containing OpenSSH
./makeOpenSSHPackage.ksh
pkgadd -d OBSDssh.pkg OBSDssh

/etc/sshd_config Guidelines
 ListenAddress – used to set up SSH servers
on virtual I/F
 Protocol 2,1 – try v2 first then v1. Prefer Protocol 2 alone
unless you still have v1-only clients; the v1 protocol has known
weaknesses
 SyslogFacility AUTH – send logging
messages to LOG_AUTH like TCP Wrappers
 CheckMail, PrintMotd – done by SSH or
login, your choice
 KeepAlive – send a heartbeat packet to verify
the host is still reachable. Good for keeping
hung sessions down

/etc/sshd_config Guidelines
 IgnoreRhosts yes – disable all types
of rhosts authentication
 PermitRootLogin no – forces
people to su to root
 Be careful. This also prevents remote
command execution and scp file transfers as
root; PermitRootLogin without-password allows
those with key authentication only
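The guidelines from both sshd_config slides assembled into one fragment, as an added example rather than a file shipped with the course. The commented-out lines show the weaker setting being replaced; the ListenAddress value is an assumed management address for this host, and RhostsAuthentication, RhostsRSAAuthentication, PermitEmptyPasswords and LogLevel are additions beyond the slides.

```conf
# /etc/sshd_config fragment (added example)
# Listen only on the management interface; drop to listen everywhere
ListenAddress 10.0.0.5
# Weak: Protocol 2,1 falls back to SSH1 for any client that asks
#Protocol 2,1
Protocol 2
# Log where TCP Wrappers logs, so logcheck sees both
SyslogFacility AUTH
LogLevel INFO
# Weak: PermitRootLogin yes lets attackers guess root directly
#PermitRootLogin yes
PermitRootLogin no
# No trust based on .rhosts / hosts.equiv in any form
IgnoreRhosts yes
RhostsAuthentication no
RhostsRSAAuthentication no
PermitEmptyPasswords no
# Drop hung sessions instead of leaving them open
KeepAlive yes
# login(1) already prints /etc/motd
PrintMotd no
```

Send sshd a HUP after editing so it rereads the file, then run the "Can't Get Here As Superuser" test from the verification section before logging out of your current session.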

SSH: Using RSA
Authentication
 Generate your key pair with ssh-keygen (it is
an SSH key, not a PGP key)
 Copy the public key to the remote system
 The remote system authenticates the user by
encrypting a challenge with the public key
 The user decrypts it with the private key and
sends the response back to the remote system

SSH RSA Example
% ssh-keygen -b 1024 -f ~/.ssh/identity
[...]
Enter passphrase: XXXXXXXX
Enter the same passphrase again: XXXXXXXX
[...]
% cat ~/.ssh/identity.pub | ssh remotehost \
    'umask 077; mkdir -p ~/.ssh; cat >> ~/.ssh/authorized_keys'
rcm@remotehost password: YYYYYYY
% ssh remotehost
Enter passphrase for RSA key rcm@thishost : KKKKKKK
 Appending with cat keeps any keys already in authorized_keys;
copying identity.pub over it with scp would replace them
Testing & Verification

Minimum Security Benchmark Procedures and Toolkits for Testing and
Verifying System Security

Testing & Verification
 Pomeranz Test
 Can get here from there
 Can’t get here from there
 Can’t get here as Superuser
 What’s Running?
 Can’t write in /usr
 Can’t run SUID from /var/tmp
 Check your logs

Can Get Here From There
 ssh userid@securehost
 Reasons for failure
 Localhost isn’t in securehost’s hosts.allow
 TCP Wrappers in sshd can’t find localhost’s name
from its IP address
 sshd can’t read hosts.allow, hosts.deny
 The userid doesn’t exist on securehost
 RSA public key not properly installed in ~/.ssh/authorized_keys
on securehost

Can’t Get Here From There
 From badhost: ssh securehost
 Root should be getting an email if
logcheck and syslog are working
 Reasons the connection might work
 hosts.allow is too permissive
 Reasons the alert mail never arrives
 securehost may have an invalid
sendmail.cf file

Can’t Get Here As Superuser
 ssh –l root securehost
 Reason for success
 /etc/sshd_config is incorrect
 You shouldn’t allow direct root logins

What’s Running?
 Do a ‘ps -ef’ or lsof on an idle system
 Reasons you might see different output:
 You’re logged in multiple times
 You logged in on the console
 Forgot to remove all recommended files
from /etc/rc*.d
 /etc/defaultrouter doesn’t exist, so a routing daemon
(in.routed/in.rdisc) is running

Can’t Write in /usr
 touch /usr/bin/BAD
 Should generate an error message.
 Reasons for success:
 Forgot to reboot/remount /usr in RO mode
 Incorrect configuration of /etc/vfstab

Can’t Run SUID from /var/tmp
# cd /var/tmp
# cp /usr/bin/ps .
# chmod 4111 ps
^D
$ /usr/bin/ps -ef
$ /var/tmp/ps -ef

Reasons for success: 1) still running as root 2) running the wrong
version of ps 3) misconfigured /etc/vfstab

Check Your Logs
 Reasons for failure
 /etc/syslog.conf has no auth.*
entries
 Files/devices listed in /etc/syslog.conf
are invalid
 Loghost is unreachable or misconfigured
 Forgot to modify TCP Wrapper’s Makefile to
send logging messages to LOG_AUTH
 /etc/sshd_config is misconfigured

Backups
 Have a complete level 0 dump of all file
systems
 Set up an alternate boot disk
 Lock it up and don’t re-use the tape/disk
 Make another dump every time you make
significant changes
 Should you use network backup for sensitive
servers?
 In our environment, it’s ok because of network
topology

va-scan Copyright 2002, Marchany


Alternate Boot Disk Setup
 Install 2 identical internal disks
 Install OS on primary disk
 Partition 2nd disk identical to primary
 Format the secondary disk
 Create filesystems on secondary disk
 dd copy from primary to secondary
 Install ufs bootblock in s0 of secondary
 Modify /broot/etc/vfstab to mount secondary as /, change auto bootup device in EEPROM


Security Benchmarks

Tools and Benchmark Documents for Securing Solaris Systems


Configurator
 http://www.deer-run.com/~hal/jumpstart/configurator
 Testing tool for SANS “Securing Solaris” and CIS “Solaris Security Benchmark” docs
 Will CHANGE your system settings to conform with the above docs
 Can be integrated into Jumpstart server or run in standalone mode


CIS Solaris Benchmark
 Minimum actions to harden your system
 Configurator script available from http://www.deer-run.com/~hal/jumpstart/configurator
 Can be used to configure according to CIS benchmark or SANS Securing Solaris


SANS Benchmark
 Available from http://security.vt.edu in the Online Books section. Need PID to get it.
 Contains step-by-step instructions in a manner similar to the CIS benchmark
 Systems can be configured using Hal Pomeranz’s configurator


JASS
 Free from www.sun.com/blueprints/tools
 Set of scripts to secure your system
 Can be used as part of a Jumpstart install
 Useful for lab situations
 It’s an “officially endorsed” Sun item
 JASS doesn’t secure systems enough

YASSP
 http://www.yassp.org
 Jean Chouanard took an early version of the SANS Securing Solaris course
 Went home and wrote YASSP
 Comes in pkgadd format
 Endorsed by SANS
 Runs on Solaris 2.6, 7, 8(beta)
 Mailing list: secure-sol-request@parc.xerox.com


YASSP Pros/Cons
 Pro
 pkgadd format very useful
 Works on Core, end-user, developer, Full
 Automatically installs security tools
 Con
 Not very modular
 /etc/yassp.conf hard to understand



TITAN
 Collection of programs/scripts which either fix or tighten security problems
 Not a replacement for anything. It’s a supplement to your system security toolkit.
 http://www.fish.com/titan


TITAN Pros/Cons
 Pro
 Modular and extensible
 Verification function
 Linux version in beta test
 Con
 Writing modules can be complex



Conclusions
 Keep an eye on your system
 Build minimal functionality then add what you need
 Mount FS RO or NOSUID
 Use SSH
 Verify everything
 Send Randy log excerpts of probes

Appendix 1

Portsentry, IP Filter, logcheck configuration guidelines


Portsentry
 Available from www.psionic.com
 Monitors ports and performs an action when an attempt to access the port is made.
 Usually access is denied to the probing systems.
 Monitors TCP and UDP traffic. A little more flexible than TCP Wrappers


Portsentry Configuration Files
 portsentry.conf contains the list of ports to be monitored.
 3 levels of paranoia


Logcheck
 Available from www.psionic.com
 Syslog keyword scanner
 When it matches something, it does something
 Send email
 Page someone
 Run a command


logcheck.violations

These keywords denote a problem and are flagged by logcheck.


logcheck.ignore

Phrases listed in this file are ignored by the logcheck program.


logcheck.hacking

Keywords in this file indicate an attack is taking place.

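How the three keyword files above interact is easier to see on a concrete log extract. The script below is an added example, not part of the original slides and not the psionic logcheck code itself; it is a simplified model of logcheck's classification using the three files the slides name. The keyword lists, the log lines and the host/address values in them are constructed so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the original slides and not the psionic logcheck
# code: a simplified model of how logcheck's three keyword files classify a
# syslog extract. Keyword lists and log lines are constructed here so the
# script runs offline; real deployments use the files shipped with logcheck
# and mail the report instead of printing it.

CONF=$(mktemp -d)
LOG="$CONF/sample.log"

# logcheck.hacking: keywords meaning an attack is taking place
cat > "$CONF/logcheck.hacking" <<'EOF'
attackalert
EXPN
VRFY
EOF

# logcheck.violations: keywords denoting a security problem
cat > "$CONF/logcheck.violations" <<'EOF'
failed
REPEATED
illegal
denied
EOF

# logcheck.ignore: phrases for routine events that should not be reported
cat > "$CONF/logcheck.ignore" <<'EOF'
cron\[[0-9]*\]: (root) CMD
EOF

# Constructed syslog lines (host names and addresses are made up)
cat > "$LOG" <<'EOF'
Jul 30 02:11:05 myhost sshd[2231]: Failed password for illegal user admin from 10.0.0.77 port 40211 ssh2
Jul 30 02:11:09 myhost login[2240]: REPEATED login failures on /dev/pts/3 from 10.0.0.77
Jul 30 02:12:40 myhost sendmail[2250]: NOQUEUE: 10.0.0.77 did not issue MAIL/EXPN/VRFY/ETRN during connection
Jul 30 02:13:01 myhost cron[118]: (root) CMD (/usr/lib/fs/nfs/nfsfind)
Jul 30 02:14:17 myhost portsentry[130]: attackalert: Connect from host: 10.0.0.77/10.0.0.77 to TCP port: 143
Jul 30 02:15:00 myhost su: 'su root' failed for bob on /dev/pts/1
EOF

# Matching is case-insensitive, one regular expression per line, the way
# logcheck drives egrep -i -f. "|| true" keeps an empty match from being an error.
attack_lines()    { grep -i -f "$2/logcheck.hacking" "$1" || true; }
violation_lines() { grep -i -f "$2/logcheck.violations" "$1" | grep -v -i -f "$2/logcheck.ignore" || true; }
unusual_lines()   { grep -v -i -f "$2/logcheck.ignore" "$1" || true; }

# report LOGFILE CONFDIR: the three sections in logcheck's order. The ignore
# list is applied to violations and unusual events but never to attack
# alerts, so a careless ignore entry cannot silence them.
report() {
    echo "== Active system attack alerts =="; attack_lines "$1" "$2"
    echo "== Security violations =="; violation_lines "$1" "$2"
    echo "== Unusual system events =="; unusual_lines "$1" "$2"
}

report "$LOG" "$CONF"
```

On the sample extract the sendmail EXPN/VRFY probe and the portsentry attackalert land in the attack section, the three authentication failures in the violations section, and only the cron entry is suppressed. Because every pattern is a regular expression matched case-insensitively, an ignore entry as loose as "root" would also hide the su failure; keep ignore patterns as specific as the cron one here.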


IP Filter
 Software package that can do NAT or basic firewall services.
 Designed to be used as a loadable kernel module but can be incorporated into a Unix kernel
 Can be configured to do IP Accounting (count # bytes), IP Filtering or IP authentication or NAT.
 http://coombs.anu.edu.au/~avalon/ip-filter.html

IP Filter
 Can explicitly allow/deny any packet.
 Distinguishes between multiple interfaces.
 Filters by IP network, hosts or protocol.
 Filters by port number or port range.
 Logs the following:
 TCP/UDP/ICMP/IP packet headers
 First 128 bytes
 Pass or blocked status



IP Filter
 Statistics collected include:
 Packets blocked
 Packets used for accounting (packet count)
 Packets passed
 Packets logged
 Inbound/outbound packet information



IP Filter Log Format
Jul 30 01:46:52 myhost.vt.edu ipmon[147]: [ID 702911 local0.warning] 01:46:52.196772 hme0 @0:5 b 194.143.66.126,21 -> 198.82.255.255,21 PR tcp len 20 40 -S IN

Jul 30 01:47:03 myhost.vt.edu ipmon[147]: [ID 702911 local0.warning] 01:47:03.269595 hme0 @0:5 b 194.143.66.126,21 -> 198.82.255.255,21 PR tcp len 20 40 -S IN

Jul 30 05:53:51 myhost.vt.edu ipmon[147]: [ID 702911 local0.warning] 05:53:50.699235 hme0 @0:5 b 203.90.84.163,1781 -> 198.82.255.255,21 PR tcp len 20 60 -S IN
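Reading the fields above: "hme0" is the interface, "@0:5" is rule 5 of rule group 0, "b" means the packet was blocked ("p" would be passed), "194.143.66.126,21 -> 198.82.255.255,21" are source and destination address,port pairs, "PR tcp" is the protocol, "len 20 40" are header and total length, "-S" the TCP flags (a SYN) and "IN" the direction. All three lines are SYNs to port 21 on the network's broadcast address, which is what a scan for ftp servers looks like from the receiving side. The script below is an added example, not part of the original slides or of IP Filter, that parses this format and summarizes blocked packets per source; its log lines are constructed from the slide's sample.

```shell
#!/bin/sh
# Added example, not from the original slides or from IP Filter: a small
# parser for ipmon log lines of the format shown above, used to summarize
# which sources are being blocked and how often. The three lines below are
# constructed from the slide's sample (addresses as the slide shows them).

IPMON_LOG=$(mktemp)
cat > "$IPMON_LOG" <<'EOF'
Jul 30 01:46:52 myhost.vt.edu ipmon[147]: [ID 702911 local0.warning] 01:46:52.196772 hme0 @0:5 b 194.143.66.126,21 -> 198.82.255.255,21 PR tcp len 20 40 -S IN
Jul 30 01:47:03 myhost.vt.edu ipmon[147]: [ID 702911 local0.warning] 01:47:03.269595 hme0 @0:5 b 194.143.66.126,21 -> 198.82.255.255,21 PR tcp len 20 40 -S IN
Jul 30 05:53:51 myhost.vt.edu ipmon[147]: [ID 702911 local0.warning] 05:53:50.699235 hme0 @0:5 b 203.90.84.163,1781 -> 198.82.255.255,21 PR tcp len 20 60 -S IN
EOF

# ipmon_records LOGFILE
# One record per line: action iface rule src dst proto flags direction
# where action is "b" (blocked) or "p" (passed), rule is "@group:number",
# src/dst are "address,port" and flags/direction are the last two tokens
# ("-S IN" above: a SYN arriving inbound). The rule token is located by
# pattern rather than by column, so the syslog prefix length does not matter.
ipmon_records() {
    awk '{
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^@[0-9]+:[0-9]+$/) {
                iface = $(i-1); rule = $i; action = $(i+1); src = $(i+2)
                # tolerate "src -> dst" as well as "src ->dst"
                if ($(i+3) == "->") { dst = $(i+4); k = i+5 }
                else { dst = $(i+3); sub(/^->/, "", dst); k = i+4 }
                proto = $(k+1)          # the token after "PR"
                print action, iface, rule, src, dst, proto, $(NF-1), $NF
                break
            }
        }
    }' "$1"
}

# blocked_by_source LOGFILE
# Count blocked packets per source address, most active first.
blocked_by_source() {
    ipmon_records "$1" | awk '$1 == "b" { split($4, a, ","); n[a[1]]++ }
        END { for (ip in n) print ip, n[ip] }' | sort -k2,2nr -k1,1
}

# count_blocked_to_port LOGFILE PORT
# Number of blocked packets whose destination port is PORT.
count_blocked_to_port() {
    ipmon_records "$1" | awk -v port="$2" '
        $1 == "b" { split($5, d, ","); if (d[2] == port) c++ }
        END { print c + 0 }'
}

echo "Blocked packets per source:"
blocked_by_source "$IPMON_LOG"
echo "Blocked attempts on tcp/21: $(count_blocked_to_port "$IPMON_LOG" 21)"
```

Run against the real ipmon output the same two functions give a quick daily view of which sources trip the block rules most often, which is the kind of excerpt the Conclusions slide asks to be sent along.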
WWW Sites
 Sendmail
 ftp.vt.edu/pub/cc/Solaris/sendmail*
 ftp.sendmail.org/pub/sendmail
 Fix-modes
 ftp.science.uva.nl/pub/solaris/fix-modes.tar.gz
 OpenSSH
 Solaris 8 Installation CD
 http://www.openssh.com/portable.html



WWW Sites
 OpenSSL
 www.openssl.org/source/
 Zlib
 ftp.freesoftware.com/pub/infozip/zlib/
 TCP Wrappers, rpcbind replacement
 ftp.porcupine.org/pub/security/index.html
 YASSP
 www.yassp.org



WWW Sites
 TITAN
 www.fish.com/titan
 JASS
 www.sun.com/blueprints/tools
 Bastille
 http://bastille-linux.sourceforge.net
 David Brumley’s comparison document
 www.theorygroup.com/Theory



WWW Sites
 Jason Rhoads’ Documents
 www.sabernet.net/papers
 Sean Boran’s Security Documents
 www.boran.com/security/sp/Solaris_hardening_tool
 Solaris Blueprints On-line
 www.sun.com/blueprints/browsesubject.html
 Hal Pomeranz’s site
 www.deer-run.com/~hal/jumpstart
 Solaris Adv. Installation Guide
 docs.sun.com/ab2/coll.214.7/SPARCINSTALL
