Securing Solaris Systems
Randy Marchany, VA Tech Computing Center, Marchany@vt.edu
va-scan
Copyright 2002, Marchany

Course Outline
- OS Installation Tips
- Cleaning System Scripts
- Kernel settings
- Testing & Verification
- CIS Benchmarks
- TITAN
- JASS

OS Installation Tips: Basic Tips During OS Installation

OS Installation Tips
- Core: base OS, 50Mb in size
- End-user: CDE/X Windows, UCB support, NIS/NIS+/LDAP
- Developer: man pages, include files (/usr/include), compiler libraries, make, ar, ld commands
- Full OEM: everything on the install CD
- Make sure SUNWter is installed. This adds xterm and other term support. Remote administration requires this package.

OS Installation: Disk Partitions
- Solaris 2.x no longer requires as much swap space as memory, but it doesn't hurt
- /var should be large: > 2GB
- /opt should be large: > 2GB. Compilers and other Sun packages install here by default.
- DiskSuite requires 5MB on each disk for configuration information
- Veritas requires 2 free partitions to encapsulate and mirror the root drive

OS Package Dependencies
- NTP: SUNWntpr, SUNWntpu
- Perl: SUNWlibm, SUNWlibms
- Oracle: SUNWarc, SUNWbtool, SUNWsprot, SUNWtoo, SUNWlibCf
- Man Pages: SUNWlibC, SUNWdoc, SUNWman

OS Package Dependencies (cont'd)
- Developer Tools: SUNWhea, SUNWtnfc, SUNWarc, SUNWsprot, SUNWbtool, SUNWtoo, SUNWhmdu, SUNWlibm, SUNWlibC, SUNWlibCf, SUNWtnfd
- X Client (not X Server): SUNWxwrtl, SUNWxilow, SUNWxwplt, SUNWxwfnt, SUNWxwice, SUNWmfrun, SUNWtltk, SUNWxilrl, SUNWxildh
- Virtual Adrian: SUNWsprot

Determining Which Package: Pomeranz Method
- Attempt to install or run the app
- Find the missing file(s) via the error message and/or truss
- Check /var/sadm/install/contents on a full OS system; grep for the file.
- This file contains the package name
- Add the needed package
- Add the appropriate dependencies
- Repeat until done

Patches
- Available from sunsolve.sun.com
- 2 install tools:
  - Patchdiag: available from sunsolve.sun.com
  - GASP: available from discovery.cc.vt.edu and from Brian Reilly at Georgetown U. A GUI front end to patchdiag; patchdiag is required.

Patches: GASP
- Build from the kit
- Create a /tmp/patches
- Start: xgasp
- Click on Generate Patch Report
- Modify the patchadd command to keep the backout option if you want it
- Enter your sunsolve userid/password
- You can select individual patches or all of them for download

Patches: Sunsolve
- Go to http://sunsolve.sun.com
- Login as vtsug/sunsucks
- Use the search tools to find the patches you need
- At a minimum, install the recommended and security patches. This is NOT the complete answer.
- Install all patches, then the applications
- Do NOT install Sun sendmail patches if you are using the VT sendmail

OS Settings: Console Security (SPARC only)
- Command Mode
  - Prevents someone from using console commands
  - Disables the STOP-A sequence
  - Prevents EEPROM changes without the proper password
- Full Mode: same as command mode with extras. The system can't be booted without the EEPROM password.
  - Use the eeprom command from the shell:
        # eeprom security-mode=full
  - Use the setenv command from the OK prompt:
        ok setenv security-mode full

OS Settings: Disable keyboard abort sequence
- Change the following line in /etc/default/kbd from
        #KEYBOARD_ABORT=enable
  to
        KEYBOARD_ABORT=disable
- CAUTION: the system will have to be powered down to reset. No crash dumps from the PROM on a running system for analysis.
Cleaning System Scripts: Some Startup and Boot Scripts to Check

Create umask for System Daemons
- Solaris 7:
    echo 'umask 022' > /etc/init.d/umask.sh
    chmod 744 /etc/init.d/umask.sh
    for dir in /etc/rc?.d
    do
        ln -s ../init.d/umask.sh $dir/S00umask.sh
    done
- Solaris 8: set CMASK in /etc/default/init

Mount Options
- Mount filesystems with the nosuid and read-only options
- /usr can be mounted read-only
- /var can be mounted nosuid
- / can't: / is mounted RO at boot and then remounted RW. The second mount cancels the nosuid.
- Note: a FS mounted in one mode and changed to another requires a reboot.

Securing /etc/vfstab
- Protect OS binaries in /usr: ro, the FS is mounted Read Only
- Prevent rogue SUID programs: nosuid, the SUID bit is ignored in that FS
- Allow other software to be installed
- The remount option lets you apply options to a FS that was mounted early in the boot process:
    mount -o remount,ro /usr

Securing /etc/vfstab: nosuid caution
- nosuid implies nodev, which means files in /dev/ and /devices will not function in a nosuid FS
- / cannot be mounted nosuid. Solaris ignores this option for the root FS.
- Creating a separate /devices and mounting the rest of / nosuid doesn't work: /devices doesn't get mounted at boot, so the kernel panics.
- Anon FTP areas require device files and must not be mounted nosuid

The logging feature
- The logging option for a FS creates a transaction log: faster reboots, but slower file writes and more disk space for logs
- Prevents a physical access attack: continuously crash the system until / is corrupted, then the OS asks you to fsck /. At that point you have a root shell and can install backdoors, etc.
- Logging prevents this from happening, so we're a little safer from a physical access attack.
- Solaris 8 allows logging on /. Enable this if possible!
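A small checker for the vfstab rules on these slides, added here as an example and not part of the deck: it parses a vfstab (path passed as an argument, so a copy can be audited before the reboot a mode change needs) and reports mount points missing the expected option. The policy table, the helper names and the sample file in the test are constructed for the example.

```sh
#!/bin/sh
# Added example (not from the deck): audit a vfstab against the mount
# options the slides recommend (/usr read-only, /var nosuid).
# / is deliberately not in the policy: Solaris ignores nosuid on the root FS.

# Policy: one "mount-point required-option" pair per line (constructed).
vfstab_policy() {
    cat <<'EOF'
/usr ro
/var nosuid
EOF
}

# has_mount_option OPTS OPT: true if the comma-separated list OPTS contains OPT
has_mount_option() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# audit_vfstab FILE: print one line per policy entry whose mount point is
# missing the required option (or is absent from FILE entirely).
# Returns the number of problems found, so 0 means the file is compliant.
audit_vfstab() {
    file=$1
    problems=0
    while read -r mp opt; do
        # vfstab fields: device-to-mount device-to-fsck mount-point fstype
        #                fsck-pass mount-at-boot mount-options
        line=$(awk -v mp="$mp" '$1 !~ /^#/ && $3 == mp { print $7; found = 1 }
                                END { if (!found) print "MISSING" }' "$file")
        if [ "$line" = "MISSING" ]; then
            echo "$mp: not present in $file"
            problems=$((problems + 1))
        elif ! has_mount_option "$line" "$opt"; then
            # vfstab uses "-" for "no options"; show it as such
            echo "$mp: missing '$opt' (options: ${line:--})"
            problems=$((problems + 1))
        fi
    done <<EOF
$(vfstab_policy)
EOF
    return $problems
}

# Usage: audit_vfstab /etc/vfstab  (or a copy of it)
if [ -n "$1" ]; then
    audit_vfstab "$1"
fi
```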
/etc/rmmount.conf
- Add to /etc/rmmount.conf:
    mount hsfs -o nosuid
    mount ufs -o nosuid
- Prevents SUID programs from being loaded from removable media. Default in Solaris 8.
- A common attack is to create a SUID shell on a CD or floppy and use it to get root on a system you have physical access to.

/etc/ftpusers
- Lists users NOT allowed to FTP
- Include root in /etc/ftpusers:
    touch /etc/ftpusers
    for user in root daemon bin sys nobody \
        noaccess nobody4 uucp adm lp smtp listen
    do
        echo $user >> /etc/ftpusers
    done
    chown root /etc/ftpusers; chgrp root /etc/ftpusers; chmod 600 /etc/ftpusers

.rhosts
- Remove rhosts_auth from /etc/pam.conf. Causes the system to ignore .rhosts authentication.
    grep -v rhosts_auth /etc/pam.conf > /etc/pam.new
    mv /etc/pam.new /etc/pam.conf
    chmod 644 /etc/pam.conf

Crontab
- Limit use by adding the appropriate users to /etc/cron.d/cron.allow
- Only users listed in the *.allow files can modify cron/at jobs
- Cron can still run jobs as other users

More Scripts to Check
- Syslog: the -t flag stops syslogd from listening on port 514/udp. Keeps the system from being a syslog server.
- Devfsadm (Solaris 7 or later): Solaris >= 7 supports hot swap devices. Solaris 8 device daemons also control dynamic pty allocation. If you don't have hot swap devices, you can disable this script.

More Cleanup
- /etc/inittab: remove
    sc:234:respawn:/usr/lib/saf/sac -t 300
  Disables the listener on serial ports. The login prompt will still appear on the console.
- rm /etc/inetd.conf and add only what you need
- rm adm lp sys from /var/spool/cron/crontabs
- rm /etc/auto_* /etc/dfs/dfstab if not using NFS

Finding Trojans: Fingerprints
- Use the Solaris Fingerprint database to check for trojans
- Verifies local MD5 checksums of system files against known checksums at the SunSolve site.
- The sfpDB maps a digital fingerprint to a path name, package version/identifier and product name. It contains 1M entries used in the Solaris OE, Solaris OE patches and unbundled products.

Finding Trojans: Fingerprints - Installation
- Download the MD5 binaries from http://sunsolve.sun.com/md5/md5.tar.Z
    zcat md5.tar.Z | tar xvf -
- Creates an md5 directory with the binaries md5-sparc and md5-x86
    chmod 700 md5/*
    chown root:root md5/*

Finding Trojans: Fingerprints - Create MD5 Digital Fingerprint
- Use it to create fingerprints of files that have changed recently:
    md5/md5-sparc <file name> ...
    find /usr/bin -type f -mtime -1 -print | xargs -n100 md5/md5-sparc > /tmp/md5s.txt

Finding Trojans: Fingerprints - Testing a Digital Fingerprint
- Go to http://sunsolve.sun.com, login using the vtsug userid, click on Security Information, then click on Solaris Fingerprints.
- Paste your digital fingerprints into the www form. Click submit. Wait a few and then view the results.

Finding Trojans: Fingerprints - Advantages / Disadvantages
- Advantages: massive checksum DB of binaries; WWW interface; easy to create a file of checksums
- Disadvantages: need net access to the Sun www site; doesn't read input from a file; 256 queries at a time

Solaris Fingerprint Database
- Developed by Sun to help find trojan programs installed by hackers
- MD5 checksums of 1 million Sun binaries used in the OE, patches and unbundled products
- Need the MD5 program: http://sunsolve.sun.com/md5/md5.tar.Z
- Do the chmod, chown on /opt/md5

Solaris Fingerprint Database
- Create local MD5s:
    /opt/md5/md5-sparc /usr/bin/su
    find /usr/bin -type f -mtime -1 -print | xargs -n100 /opt/md5/md5-sparc > /tmp/md5s.txt
- Compare the MD5 list to Sun's FPD: http://sunsolve.sun.com/pub-cgi/fileFingerprints.pl
- Copy/paste the MD5s into the web form, press submit.
- 256 entries max at one time

Solaris Fingerprint Database
- Database Companion automates the process of collecting MD5s and checking them against the SFD
- Database Sidekick checks a system for known rootkits. It maintains a list of commonly trojaned Solaris binaries.

Tripwire
- Available from www.tripwire.com
- First of the file integrity checkers
- Unix and NT versions available
- Network capable versions available
- Academic version is free. Commercial and NT versions are not.
- Useful in finding trojan programs

Tripwire
- Generates a "signature" for each file based on checksums and other characteristics.
- These signatures are stored in a database file that should be kept offline. This is the baseline.
- Latest threat involves dynamic exec redirection. This is part of the newer Kernel Module Rootkits.

Tripwire: List of files to check, tw.config
- All files in a directory will be checked.
- Can prune directories from the check step.
- Can examine just the directory and nothing else.
- Can check by access time, but not recommended since you'll get a report of everything that changed. Everything!
Tripwire
- To initialize the DB:      tripwire -initialize
- Update DB interactively:   tripwire -interactive
- Non-interactive DB update: tripwire -update <FN>

Tripwire: Security Issues
- Advantages: simple interface, good choice of crypto hash functions, good all-around tool
- Disadvantages: need to protect the DB; need to protect the vulnerable executables; kernel mod attacks; initial tw.config takes some time to customize; NT version is good but costs $$$; no network security

User Accounts
- Some accounts can be deleted: smtp, nuucp, listen
    passmgmt -d <account name>
- The JASS toolkit contains a noshell command that will generate a syslog entry when someone tries to login to a disabled account.

User Accounts
- Lock userids:    passwd -l <userid>
- Modify accounts: passwd -e <userid>
- System accounts in /etc/passwd have no shell assigned to them
- They also have NP in the password field of /etc/shadow
- UID/GID pairs must be unique across NFS. Recommend using the PID # as a UID.

at, cron, batch
- Access to these commands can be restricted using the at.allow, at.deny, cron.deny and cron.allow files in /usr/lib/cron
- If neither file exists, then only root can run cron or at commands

Init
- System services are controlled by the /etc/rcX.d directories, where X is the run level:
    0 : shutdown
    S : single user mode
    1 : start
    2 : multi-user, no network services
    3 : multi-user (default)
    4 : unused
    5 : shutdown and power off
    6 : shutdown and reboot

Init
- Start up scripts: SxxService
- Kill scripts: KxxService
- Main scripts live in /etc/init.d
- Symlinks are in the /etc/rcX.d directories

RC Scripts
- Create S99local
- Some of the startup scripts can be disabled. Caution: your mileage will vary tremendously.
- Some examples:
  - S99local starts up ssh, portsentry, etc.
  - Candidates to disable: S80lp, S73nfs.*, S74autofs, S88sendmail

Kernel Adjustments: Kernel Settings to Help Protect Your System From Network Attacks

Kernel Adjustments
- The ndd command displays/sets kernel parms on the fly:
    ndd /dev/arp \?
    ndd /dev/icmp \?
    ndd /dev/ip \?
    ndd /dev/tcp \?
- \? lists all driver parms and their status: RO, RW
- A response of 0 means the option is disabled
- ndd -set <driver> <option> <value> sets a parameter

Kernel Adjustments
- /etc/system contains kernel parameters
- Some kernel parameters can be adjusted to improve performance and security
- NFS Server:
    set nfssrv:nfs_portmon = 1
  Forces the NFS server to accept client requests only from the privileged port range (port < 1024). May break file sharing with older versions of Linux, SCO Unix.

Kernel Adjustments: Executable Stacks
    set noexec_user_stack = 1
    set noexec_user_stack_log = 1
- Helps defend against stack overflow attacks. Logs the attempt as well.
- All 64 bit Solaris releases use non-executable stacks by default

Kernel Adjustments: Core Files
    set sys:coredumpsize = 0
- Prevents the creation of core files. Beware!
- Use the coreadm command to define target directories and file name patterns for core files. Useful in creating a central core repository.
- SUID/SGID programs will be prevented from creating core files if the above is set.
Kernel Adjustments
- No ndd parameter documentation
- Parameter names may change with new releases
- Be Very Careful

ARP Kernel Defense
- 2 types of ARP attacks:
  - DOS
    - Local: attacker inserts bogus info into the ARP cache
    - Remote: attacker feeds a remote system bogus info (cache poisoning)
  - Spoofing: used to compromise remote systems on the local network

ARP Kernel Defense
- ARP entries can be deleted, or they time out in the cache
- Default TO is 5 minutes
- Default IP Routing Table TO is 20 minutes
- Change the intervals:
    ndd -set /dev/arp arp_cleanup_interval 60000
    ndd -set /dev/ip ip_ire_flush_interval 60000
- Units are in milliseconds. 60000 = 1 minute
- Only slows the attack

IP Defense
- IP forwarding routes packets between network interfaces on one system
- Multihomed systems have several network I/F, each with a separate IP address
  - Not intended to route/forward packets
  - Used for NFS servers on multiple nets: server response is faster when connected to the same net as the clients

IP Defense
- /etc/notrouter disables IP forwarding at boot time
- /etc/init.d/inetinit determines the configuration at boot
- To dynamically disable IP forwarding:
    ndd -set /dev/ip ip_forwarding 0
- Solaris 8 allows you to set this per I/F

IP Defense
- Strict destination multihoming prevents packet spoofing on nonforwarding multihomed systems
- The system will ignore packets sent to an interface from which they didn't arrive
    ndd -set /dev/ip ip_forwarding 0
    ndd -set /dev/ip ip_strict_dest_multihoming 1

IP Defense: Multicast Routing
- Used to send data to multiple systems simultaneously using only 1 net address
- Solaris 7: comment out from /etc/init.d/inetsvc the lines from
    mcastif=`/sbin/dhcpinfo Yiaddr`
  to
    /usr/sbin/route add -interface -netmask "240.0.0.0" "224.0.0.0" "$mcastif"
- Solaris 8: comment out from (if [ "$_INIT_NET_STRATEGY" ....)
  to the /usr/sbin/route line

IP Defense
- Eliminate DHCP, named startup support and multicast support. This leaves the /etc/init.d/inetsvc script as:
    #!/bin/sh
    /usr/sbin/ifconfig -au netmask + broadcast +
    /usr/sbin/inetd -s -t

IP Defense: Directed Broadcast
- A directed broadcast is sent from a remote machine to all systems on another net
- Used by the "smurf" attack: a forged ICMP echo request sent to the broadcast address with the target's source address. CNS router rules limit smurf to the same subnet.
    ndd -set /dev/ip ip_forward_directed_broadcasts 0
- Default is 1

IP Defense: Source Routed Packets
- A source routed packet contains a specific path the packet should take to get to a target
- Bypasses router decisions
- Enabled by default
- Disable:
    ndd -set /dev/ip ip_forward_src_routed 0

ICMP Defense
- Usually safe to disable ICMP broadcasts
- All systems configured to respond to a broadcast echo request will send an echo reply
- Disable:
    ndd -set /dev/ip ip_respond_to_echo_broadcast 0
- This breaks PING. You won't be able to ping this system.

ICMP Defense
- Individual timestamp requests are ok. No reason for broadcast requests.
- Disable:
    ndd -set /dev/ip ip_respond_to_timestamp_broadcast 0
    ndd -set /dev/ip ip_respond_to_timestamp 0          (unicast)
- Address mask requests are used to get the netmask. Printers and X-terms use this. Solaris disables it by default:
    ndd -set /dev/ip ip_respond_to_address_mask_broadcast 0

TCP Defense
- Syn floods work on unestablished connections
- 2 queues: a Q for established connections and a Q for unestablished connections
- Increase the size of the unestablished connection Q:
    ndd -set /dev/tcp tcp_conn_req_max_q0 4096
    ndd -set /dev/tcp tcp_ip_abort_cinterval 60000

TCP Defense: Connection Exhaustion Attack
- Works on established connections
- The OS has a max # connection limit. The attacker exceeds this limit.
- Default Q is 128.
- Increase to 1024:
    ndd -set /dev/tcp tcp_conn_req_max_q 1024
- This increases the amount of memory needed to process all TCP connections

TCP Defense
- IP spoofing uses TCP hijacking based on ISN prediction
- RFC 1948 defines a better way to generate ISNs
- 3 types: 0 - predictable; 1 - improved with random increment; 2 - RFC 1948 method
- Solaris 8 uses 2. Modify Solaris 7 by editing /etc/default/inetinit and adding the line:
    TCP_STRONG_ISS=2

TCP Defense
- Privileged ports can only be acquired by root owned processes
- NFS uses 2049, 4045. A hacker can set up a fake NFS server listening on these ports.
- Extend the privileged port range:
    ndd -set /dev/tcp tcp_smallest_nonpriv_port 2050
- Add individual ports:
    ndd -set /dev/tcp tcp_extra_priv_ports_add 6112

ICMP Defense
- Redirect errors are used to tell a system to use a different router
- Can be used in a Man-in-the-Middle attack to install bogus routes
- Disable incoming:
    ndd -set /dev/ip ip_ignore_redirect 1
- Disable outgoing:
    ndd -set /dev/ip ip_send_redirects 0

System Logs
- /etc/syslog.conf
- Program I/F: syslog()
- System command: logger
- Log files defined in /etc/syslog.conf:
  - /var/adm/messages (default)
  - /var/log/syslog (default)
  - /var/log/authlog (disabled by default)
- /usr/lib/newsyslog rotates logs every 7 days
- /var/adm/loginlog records failed login attempts

Syslog Strategies
- Create a central syslog server:
    auth.debug    @central-logger.vt.edu
- Install logcheck
- Create additional syslogs:
    auth.notice   ifdef(`LOGHOST',
        /var/log/Today/auth.log, @loghost)
- Make sure your system is defined as LOGHOST in /etc/hosts

Application Logs
    Log file            Written by        Read with
    /var/adm/sulog      /usr/bin/su       cat, more
    /var/adm/vold.log   /usr/sbin/vold    cat, more
    /var/adm/wtmpx      /usr/bin/login    last
    /var/adm/loginlog   /usr/bin/login    (must touch the file first)
    /var/cron/log       /usr/sbin/cron

System Accounting
- Use the sar command to gather system resource usage data: CPU, memory, disk, file I/O, system calls
- Archives are stored in /var/adm/sa
- The vmstat command collects data in real time
- Need SUNWaccr, SUNWaccu; uncomment /etc/init.d/perf and the entries in /var/spool/cron/crontabs/sys
- Reset the default shell for user sys:
    passmgmt -m -s /sbin/sh sys

System Accounting
- Run it every 20 minutes
- Archive data longer than 1 month
- Edit /etc/init.d/perf and the scripts in /usr/lib/sa
- Change calls like `date +%d` to `date +%Y%m%d`
- The sar command will still be looking for files under the old naming, so you need to use the -f option to point to the correct file
- /usr/lib/sa/sa2 purges raw data after 1 week. Remove the find command at the end of the sa2 script.
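The ndd settings from the ARP, IP, ICMP and TCP defense slides above, collected into one boot-time script as an added example (not from the deck or from Sun). ndd changes do not survive a reboot, which is why they belong in an rc script; the script name S99netconfig, the NDD override (used for dry runs) and the start/check/show interface are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the deck): apply and verify the ndd hardening
# settings the slides recommend. Link as /etc/rc2.d/S99netconfig (assumed
# name) so it runs after the interfaces are configured.
# tcp_extra_priv_ports_add is left out on purpose: it appends to a list on
# every run rather than setting a value.

NDD=${NDD:-/usr/sbin/ndd}   # overridable so the script can be dry-run

# One "driver parameter value" triple per line, taken from the slides.
ndd_settings() {
    cat <<'EOF'
/dev/arp arp_cleanup_interval 60000
/dev/ip ip_ire_flush_interval 60000
/dev/ip ip_forwarding 0
/dev/ip ip_strict_dest_multihoming 1
/dev/ip ip_forward_directed_broadcasts 0
/dev/ip ip_forward_src_routed 0
/dev/ip ip_respond_to_echo_broadcast 0
/dev/ip ip_respond_to_timestamp_broadcast 0
/dev/ip ip_respond_to_timestamp 0
/dev/ip ip_respond_to_address_mask_broadcast 0
/dev/ip ip_ignore_redirect 1
/dev/ip ip_send_redirects 0
/dev/tcp tcp_conn_req_max_q0 4096
/dev/tcp tcp_conn_req_max_q 1024
/dev/tcp tcp_ip_abort_cinterval 60000
/dev/tcp tcp_smallest_nonpriv_port 2050
EOF
}

# Print the ndd commands that would be run (review / dry-run mode).
ndd_commands() {
    ndd_settings | while read -r drv parm val; do
        echo "$NDD -set $drv $parm $val"
    done
}

# Apply every setting. A failure on one parameter (e.g. a name that changed
# in a newer release, which the slides warn about) is reported and skipped;
# the return value is the number of settings that failed.
apply_ndd_settings() {
    failed=0
    while read -r drv parm val; do
        if ! "$NDD" -set "$drv" "$parm" "$val" 2>/dev/null; then
            echo "warning: could not set $parm on $drv" >&2
            failed=$((failed + 1))
        fi
    done <<EOF
$(ndd_settings)
EOF
    return $failed
}

# Compare the live value of each parameter with the expected one.
# Prints each mismatch; returns the number of mismatches (0 = all good).
check_ndd_settings() {
    bad=0
    while read -r drv parm val; do
        cur=$("$NDD" "$drv" "$parm" 2>/dev/null)
        if [ "$cur" != "$val" ]; then
            echo "MISMATCH $drv $parm: expected $val, got ${cur:-<unreadable>}"
            bad=$((bad + 1))
        fi
    done <<EOF
$(ndd_settings)
EOF
    return $bad
}

case "$1" in
    start) apply_ndd_settings ;;
    check) check_ndd_settings ;;
    show)  ndd_commands ;;
esac
```

Run it with "check" after boot to confirm nothing was silently skipped.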
Process Accounting
- You can tell the kernel to log data about every process on the system
- Can be selectively enabled/disabled using the accton command
- Specify where the log file is:
    /usr/lib/acct/accton /var/adm/pacct
- Once enabled, the kernel logs 40 bytes of data for each process that runs to completion
- Use acctcom to examine the logs
- Process accounting can cause 10-20% degradation

RPC Services
- rpcbind: central RPC service agent
- A new RPC service registers with rpcbind
- rpcbind maintains a table of RPC services (program #) and the ports they listen on
- A client contacts rpcbind first with a program # to determine the port to connect to
- Used by Disksuite, NFS, NIS+, Kerberos

RPC Services: /etc/inetd.conf
- testsvc, sadmind, rquotad, rpc.rusersd, rpc.sprayd, rpc.rwalld, rpc.rstatd, rpc.rexd, kcms.server, ufsd, cachefs, kerbd, xaudio, rpc.cmsd, rpc.ttdbserverd
- Remove all of these services unless specifically required

RPC Services: Startup scripts
- /etc/rc2.d/S71rpc, /etc/rc3.d/S71rpc: rpcbind, keyserv, rpc.nisd, nis_cachemgr, rpc.nispasswdd. Used by rpcbind, NIS/NIS+, NFS client/server.
- NFS Server: /etc/rc2.d/S73nfs.server, /etc/rc3.d/S15nfs.server
  - Explicitly list client hosts, no world access
  - Export the lowest level dir only, and RO
  - Synchronize UID/GID between pairs
  - Use strong authentication if possible (AUTH_DES, AUTH_KERB)

Sendmail
- Use the sendmail kit available from ftp://ftp.vt.edu/pub/cc/Solaris/sendmail X.tar.Z
- Sendmail kit built by VT with anti-relay and anti-spam filters
- Contains install and backout scripts

Sendmail
- Tailor as necessary
- Solaris 8 undocumented way to have sendmail handle mail without cron:
    echo 'MODE=""' > /etc/default/sendmail
- Sendmail will only process outgoing mail and will not accept incoming connections.
- Useful if you forward mail to PID@vt.edu
- See the Sun Blueprint tools page (www.sun.com/blueprints/tools) for a replacement /etc/default/sendmail

Name Service Caching (nscd)
- Provides caching for NS requests
- Performance boost: all NS requests made by system library calls are routed to nscd
- Sun recommends caching as little as possible
- Do not disable. NIS/NIS+ and some versions of Netscape break nscd.
- nscd -g : see the current configuration

Banner Files
- /etc/motd
- /etc/issue
- /etc/default/telnetd:  BANNER="place your text here"
- /etc/default/ftpd:     BANNER="place your text here"
- /etc/sendmail.cf:      SmtpGreetingMessage=Put Warning here

More on /etc/default
- /etc/default/cron: CRONLOG=yes tells cron to log to /var/cron/log for each cron job. Roll this log often; see /etc/cron.d/logchecker.
- /etc/default/su: defines PATH, SUPATH for the su command
- /etc/default/kbd: disable STOP-A on systems
- /etc/default/passwd: set password aging, password length

/etc/default/login
- CONSOLE: root logins allowed only on this device, usually the console
- PATH, SUPATH: uncomment and set
- UMASK: uncomment and set
- RETRIES: number of failed logins before login exits
- SYSLOG_FAILED_LOGINS: number of failed logins before a message is logged to /var/adm/loginlog (Solaris 8)

Additional Login Files
- Set UMASK, PATH in /etc/profile, /etc/.login
- Default files for userid creation are in /etc/skel. These files are used by the useradd or admintool programs.
- Can be overridden by users

Fix-modes Program
- Corrects insecure system file/directory perms
- Uses /var/sadm/install/contents for the list of programs to check
- Removes group/world write permissions
- Makes most files owned by root
- User files NOT installed with pkgadd will not be affected
- Core files in Solaris 8 are fixed.
- Things like CDE aren't.

Building TCP Wrappers
- Available from ftp://ftp.porcupine.org/pub/security/index.html
- Modify the Makefile:
  - Set REAL_DAEMON_DIR
  - Send logging to LOG_AUTH
- Download the IPv6 version for Solaris 8
- Use the advanced installation method

Building OpenSSH
- OpenSSH implements SSH1, SSH2
- Maintained by OpenBSD
- Tested on Solaris 2.6 5/98 Sparc, Solaris 7 11/99 Sparc, Solaris 8 4/01 Sparc with Forte Developer 6 update 1 and gcc 2.95.2

Building OpenSSH: Prerequisite Components
- OpenSSH 2.9p2 from http://www.openssh.com/portable.html
- Zlib 1.1.3 from http://www.freesoftware.com/pub/infozip/zlib
- Solaris 8 CD: package format
- OpenSSL 0.9.6b from http://www.openssl.org/source
- PRNGD 0.9.19 from http://www.aet.tu-cottbus.de/personen/jaenicke/postfix_tls/prngd.html (pseudo random number generator)

Building OpenSSH: Building zlib
    cd zlib-1.1.3
    ./configure                                  (for gcc)
    env CC=cc CFLAGS="-xO4 -KPIC" ./configure    (for Sun cc)
    make
    make install
    ls -l /usr/local/lib/libz.a

Building OpenSSH: Building OpenSSL
    cd openssl-0.9.6b
    ./Configure <compiler>
    make
    make install
    ls -l /usr/local/ssl/lib

Building OpenSSH: Building PRNGD
    cd prngd-0.9.19
    make CC=gcc CFLAGS="-O3 -DSOLARIS" SYSLIBS="-lsocket -lnsl"          (gcc)
    make CC=cc CFLAGS="-xO4 -DSOLARIS -KPIC" SYSLIBS="-lsocket -lnsl"    (Sun cc)
    cp prngd /usr/local/sbin/prngd
    chown root:bin /usr/local/sbin/prngd
    chmod 755 /usr/local/sbin/prngd
    cp contrib/Solaris7/prngd.conf.solaris-7 /etc/prngd.conf
    cat /var/log/syslog > /etc/prngd-seed

Building OpenSSH: Building OpenSSH (gcc version)
    ./configure --prefix=/opt/OBSDssh --with-pam --without-rsh --disable-suid-ssh \
        --sysconfdir=/etc --with-prngd-socket=/var/spool/prngd/pool
    make
    make install
    ls -l /opt/OBSDssh/bin/ssh
- Start: /etc/init.d/openssh.server start

Building OpenSSH
- http://www.sun.com/blueprints/tools/makeOpenSSHPackage.ksh builds a Solaris package containing OpenSSH:
    ./makeOpenSSHPackage.ksh
    pkgadd -d OBSDssh.pkg OBSDssh

/etc/sshd_config Guidelines
- ListenAddress: used to set up SSH servers on virtual I/F
- Protocol 2,1: try v2 first, then v1
- SyslogFacility AUTH: send logging messages to LOG_AUTH, like TCP Wrappers
- CheckMail, PrintMotd: done by SSH or by login, your choice
- KeepAlive: send a heartbeat packet to verify the host is still reachable. Good for keeping hung sessions down.

/etc/sshd_config Guidelines
- IgnoreRhosts yes: disable all types of rhosts authentication
- PermitRootLogin no: forces people to su to root. Be careful: this also prevents remote command execution and copying files from one system to another via scp as root.

SSH: Using RSA Authentication
- Generate your key pair using something like PGP
- Copy the public key to the remote system
- The remote system authenticates the user by encrypting a message with the public key
- The user decrypts it using the private key and sends it back to the remote system

SSH RSA Example
    % ssh-keygen -b 1024 -f ~/.ssh/identity
    [...]
    Enter passphrase: XXXXXXXX
    Enter the same passphrase again: XXXXXXXX
    [...]
    % scp ~/.ssh/identity.pub remotehost:~/.ssh/authorized_keys
    rcm@remotehost password: YYYYYYY
    identity.pub | 0 KB | 0.3kB/s | ETA: 00:00 | 100%
    % ssh remotehost
    Enter passphrase for RSA key rcm@thishost: KKKKKKK

Testing & Verification: Minimum Security Benchmark Procedures and Toolkits for Testing and Verifying System Security

Testing & Verification: Pomeranz Test
- Can get here from there
- Can't get here from there
- Can't get here as Superuser
- What's Running?
- Can't write in /usr
- Can't run SUID from /var/tmp
- Check your logs

Can Get Here From There
- ssh userid@securehost
- Reasons for failure:
  - Localhost isn't in securehost's hosts.allow
  - TCP Wrappers in sshd can't find localhost's name from its IP address
  - sshd can't read hosts.allow, hosts.deny
  - The userid doesn't exist on securehost
  - RSA identity certificate not properly installed

Can't Get Here From There
- From badhost: ssh securehost
- Root should be getting an email if logcheck and syslog are working
- Reason the connection might work: hosts.allow is too permissive
- Reason for failure (no email): securehost may have an invalid sendmail.cf file

Can't Get Here As Superuser
- ssh -l root securehost
- Reason for success: /etc/sshd_config is incorrect. You shouldn't allow direct root logins.

What's Running?
- Do a 'ps -ef' or lsof on an idle system
- Reasons you might see different output:
  - You're logged in multiple times
  - You logged in on the console
  - Forgot to remove all recommended files from /etc/rc*.d
  - /etc/defaultrouter doesn't exist

Can't Write in /usr
- touch /usr/bin/BAD
- Should generate an error message. Reasons for success:
  - Forgot to reboot/remount /usr in RO mode
  - Incorrect configuration of /etc/vfstab

Can't Run SUID from /var/tmp
    # cd /var/tmp
    # cp /usr/bin/ps .
    # chmod 4111 ps
    ^D
    $ /usr/bin/ps -ef
    $ /var/tmp/ps -ef
- Reasons for success: 1) still running as root; 2) running the wrong version of ps; 3) misconfigured /etc/vfstab

Check Your Logs
- Reasons for failure:
  - /etc/syslog.conf has no auth.* entries
  - Files/devices listed in /etc/syslog.conf are invalid
  - Loghost is unreachable or misconfigured
  - Forgot to modify TCP Wrapper's Makefile to send logging messages to LOG_AUTH
  - /etc/sshd_config is misconfigured

Backups
- Have a complete level 0 dump of all file systems
- Set up an alternate boot disk
- Lock it up and don't re-use the tape/disk
- Make another dump every time you make significant changes
- Should you use network backup for sensitive servers? In our environment it's ok because of the network topology.

Alternate Boot Disk Setup
- Install 2 identical internal disks
- Install the OS on the primary disk
- Partition the 2nd disk identically to the primary
- Format the secondary disk
- Create filesystems on the secondary disk
- dd copy from primary to secondary
- Install the ufs bootblock in s0 of the secondary
- Modify /broot/etc/vfstab to mount the secondary as /; change the auto bootup device in the EEPROM

Security Benchmarks: Tools and Benchmark Documents for Securing Solaris Systems

Configurator
- http://www.deer-run.com/~hal/jumpstart/configurator
- Testing tool for the SANS "Securing Solaris" and CIS "Solaris Security Benchmark" docs
- Will CHANGE your system settings to conform with the above docs
- Can be integrated into a Jumpstart server or run in standalone mode

CIS Solaris Benchmark
- Minimum actions to harden your system
- Configurator script available from http://www.deer-run.com/~hal/jumpstart/configurator
- Can be used to configure according to the CIS benchmark or SANS Securing Solaris

SANS Benchmark
- Available from http://security.vt.edu in the Online Books section.
- Need a PID to get it.
- Contains step-by-step instructions in a manner similar to the CIS benchmark
- Systems can be configured using Hal Pomeranz's Configurator script

JASS
- Free from www.sun.com/blueprints/tools
- Set of scripts to secure your system
- Can be used as part of a Jumpstart install
- Useful for lab situations
- It's an "officially endorsed" Sun item
- JASS doesn't secure systems enough

YASSP
- http://www.yassp.org
- Jean Chouanard took an early version of the SANS Securing Solaris course, went home and wrote YASSP
- Comes in pkgadd format
- Endorsed by SANS
- Runs on Solaris 2.6, 7, 8 (beta)
- Mailing list: secure-sol-request@parc.xerox.com

YASSP Pros/Cons
- Pro: pkgadd format very useful; works on Core, End-user, Developer, Full; automatically installs security tools
- Con: not very modular; /etc/yassp.conf hard to understand

TITAN
- Collection of programs/scripts which either fix or tighten security problems
- Not a replacement for anything. It's a supplement to your system security toolkit.
- http://www.fish.com/titan

TITAN Pros/Cons
- Pro: modular and extensible; verification function; Linux version in beta test
- Con: writing modules can be complex

Conclusions
- Keep an eye on your system
- Build minimal functionality, then add what you need
- Mount FS RO or NOSUID
- Use SSH
- Verify everything
- Send Randy log excerpts of probes

Appendix 1: Portsentry, IP Filter, logcheck configuration guidelines

Portsentry
- Available from www.psionic.com
- Monitors ports and performs an action when an attempt to access the port is made. Usually access is denied to the probing system.
- Monitors TCP and UDP traffic
- A little more flexible than TCP Wrappers

Portsentry Configuration Files
- portsentry.conf contains the list of ports to be monitored.
- 3 levels of paranoia

Logcheck
- Available from www.psionic.com
- Syslog keyword scanner
- When it matches something, it does something: send email, page someone, run a command

logcheck.violations
- These keywords denote a problem and are flagged by logcheck.

logcheck.ignore
- Phrases listed in this file are ignored by the logcheck program.

logcheck.hacking
- Keywords in this file indicate an attack is taking place

IP Filter
- Software package that can do NAT or basic firewall services.
- Designed to be used as a loadable kernel module but can be incorporated into a Unix kernel
- Can be configured to do IP accounting (count # bytes), IP filtering, IP authentication or NAT.
- http://coombs.anu.edu.au/~avalon/ipfilter.html

IP Filter
- Can explicitly allow/deny any packet.
- Distinguishes between multiple interfaces.
- Filters by IP network, hosts or protocol.
- Filters by port number or port range.
- Logs the following: TCP/UDP/ICMP/IP packet headers, first 128 bytes, pass or blocked status

IP Filter
Statistics collected include:
- Packets blocked
- Packets used for accounting (packet count)
- Packets passed
- Packets logged
- Inbound/outbound packet information

IP Filter Log Format
    Jul 30 01:46:52 myhost.vt.edu ipmon[147]: [ID 702911 local0.warning] 01:46:52.196772 hme0 @0:5 b 194.143.66.126,21 -> 198.82.255.255,21 PR tcp len 20 40 -S IN
    Jul 30 01:47:03 myhost.vt.edu ipmon[147]: [ID 702911 local0.warning] 01:47:03.269595 hme0 @0:5 b 194.143.66.126,21 -> 198.82.255.255,21 PR tcp len 20 40 -S IN
    Jul 30 05:53:51 myhost.vt.edu ipmon[147]: [ID 702911 local0.warning] 05:53:50.699235 hme0 @0:5 b 203.90.84.163,1781 -> 198.82.255.255,21 PR tcp len 20 60 -S IN

WWW Sites
- Sendmail: ftp.vt.edu/pub/cc/Solaris/sendmail*, ftp.sendmail.org/pub/sendmail, Solaris 8 Installation CD
- Fix-modes: ftp.science.uva.nl/pub/solaris/fix-modes.tar.gz
- OpenSSH: http://www.openssh.com/portable.html

WWW Sites
- OpenSSL: www.openssl.org/source/
- Zlib: ftp.freesoftware.com/pub/infozip/zlib/
- TCP Wrappers, rpcbind replacement: ftp.porcupine.org/pub/security/index.html
- YASSP: www.yassp.org

WWW Sites
- TITAN: www.fish.com/titan
- JASS: www.sun.com/blueprints/tools
- Bastille: http://bastille-linux.sourceforge.net
- David Brumley's comparison document: www.theorygroup.com/Theory

WWW Sites
- Jason Rhoads' Documents: www.sabernet.net/papers
- Sean Boran's Security Documents: www.boran.com/security/sp/Solaris_hardening_tool
- Hal Pomeranz's site: www.deer-run.com/~hal/jumpstart
- Solaris Blueprints On-line: www.sun.com/blueprints/browsesubject.html
- Solaris Adv. Installation Guide: Docs.sun.com/ab2/coll.214.7/SPARCINSTALL

Copyright 2002, Marchany
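Two of the verification slides earlier in the deck name configuration mistakes that make a hardening check fail silently: the nosuid test succeeding because of a "misconfigured /etc/vfstab", and logging failing because "/etc/syslog.conf has no auth.* entries" or names files that do not exist. The script below is an added example, not part of the slides or of any of the tools they list; it checks both files in plain sh and awk. The mount policy it enforces is an assumption chosen for the example (every ufs/tmpfs mount other than / and /usr must carry nosuid, and /usr must be ro, matching the "Mount FS RO or NOSUID" conclusion); the vfstab and syslog.conf contents are constructed samples, not a real host's files.

```shell
#!/bin/sh
# Added example: verify vfstab mount options and syslog.conf logging setup.
# Paths are parameters, so it runs against constructed copies here and can be
# pointed at /etc/vfstab and /etc/syslog.conf on a live Solaris host.

# Constructed sample vfstab: /var has nosuid and /usr is ro, but
# /export/home and /tmp carry no options at all.
make_sample_vfstab() {
    cat > "$1" <<'EOF'
#device         device          mount   FS      fsck    mount   mount
#to mount       to fsck         point   type    pass    at boot options
fd      -       /dev/fd fd      -       no      -
/proc   -       /proc   proc    -       no      -
/dev/dsk/c0t0d0s1   -                   -       swap    -   no  -
/dev/dsk/c0t0d0s0   /dev/rdsk/c0t0d0s0  /       ufs     1   no  -
/dev/dsk/c0t0d0s6   /dev/rdsk/c0t0d0s6  /usr    ufs     1   no  ro
/dev/dsk/c0t0d0s5   /dev/rdsk/c0t0d0s5  /var    ufs     1   no  nosuid
/dev/dsk/c0t0d0s7   /dev/rdsk/c0t0d0s7  /export/home ufs 2  yes -
swap    -       /tmp    tmpfs   -       yes     -
EOF
}

# Constructed sample syslog.conf modelled on the Solaris default, where the
# auth.* line is still commented out. $2 is the directory used for log files.
make_sample_syslog_conf() {
    cat > "$1" <<EOF
*.err;kern.notice                           /dev/sysmsg
*.err;kern.debug;daemon.notice;mail.crit    $2/messages
daemon.info                                 $2/daemon.log
#auth.notice                                $2/authlog
*.alert;kern.err;daemon.err                 operator
*.alert                                     root
*.emerg                                     *
EOF
}

# check_vfstab FILE: print one line per filesystem that violates the policy
# (assumed for this example): ufs/tmpfs mounts other than / and /usr need
# nosuid; /usr needs ro. Prints nothing when the file is clean.
check_vfstab() {
    awk '
        /^#/ || NF < 7 { next }
        {
            mnt = $3; type = $4
            if (type != "ufs" && type != "tmpfs") next
            n = split($7, o, ","); nosuid = 0; ro = 0
            for (i = 1; i <= n; i++) { if (o[i] == "nosuid") nosuid = 1; if (o[i] == "ro") ro = 1 }
            if (mnt == "/usr" && !ro) print mnt ": missing ro"
            else if (mnt != "/" && mnt != "/usr" && !nosuid) print mnt ": missing nosuid"
        }' "$1"
}

# check_syslog_conf FILE: report when no uncommented selector names the auth
# facility, and report every log file action (absolute path, device nodes
# under /dev excluded) that does not exist yet, since syslogd will not create it.
check_syslog_conf() {
    awk '
        /^[ \t]*#/ || NF < 2 { next }
        {
            n = split($1, sel, ";")
            for (i = 1; i <= n; i++) if (sel[i] ~ /^auth\./) auth_seen = 1
            if ($2 ~ /^\// && $2 !~ /^\/dev\//) files[$2] = 1
        }
        END {
            if (!auth_seen) print "no auth.* selector"
            for (f in files) print f
        }' "$1" | while IFS= read -r line; do
        case "$line" in
            /*) [ -e "$line" ] || echo "log file does not exist: $line" ;;
            *)  echo "$line" ;;
        esac
    done
}

# Demonstration on the constructed files.
WORK=$(mktemp -d)
make_sample_vfstab "$WORK/vfstab"
mkdir -p "$WORK/log" && : > "$WORK/log/messages"
make_sample_syslog_conf "$WORK/syslog.conf" "$WORK/log"
echo "== vfstab findings =="
check_vfstab "$WORK/vfstab"
echo "== syslog.conf findings =="
check_syslog_conf "$WORK/syslog.conf"
```

On the sample the vfstab check flags /export/home and /tmp, and the syslog.conf check reports the absent auth.* selector and the daemon.log file that has not been created. Run on a live host (`check_vfstab /etc/vfstab; check_syslog_conf /etc/syslog.conf`) an empty result means the two failure causes named on the slides are ruled out, which is cheaper than discovering them after the /var/tmp/ps test unexpectedly succeeds.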
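The "IP Filter Log Format" slide shows raw ipmon lines but leaves the reader to pick out the fields by eye. The script below is an added example (not from the slides or from the IP Filter distribution) that parses lines of that form into CSV records and totals blocked packets per destination port and source address, which is the summary you would send along with the "log excerpts of probes" the conclusions ask for. The three sample lines are the ones from the slide; the field layout assumed is the tcp/udp form shown there (the flags column is taken only for tcp), and the parser locates fields relative to the "->" and "PR" tokens so spacing differences do not matter.

```shell
#!/bin/sh
# Added example: parse ipmon log lines and summarise blocked packets.
# Needs only sh, awk and sort.

# Sample input: the three lines from the "IP Filter Log Format" slide.
SAMPLE_LOG='Jul 30 01:46:52 myhost.vt.edu ipmon[147]: [ID 702911 local0.warning] 01:46:52.196772 hme0 @0:5 b 194.143.66.126,21 -> 198.82.255.255,21 PR tcp len 20 40 -S IN
Jul 30 01:47:03 myhost.vt.edu ipmon[147]: [ID 702911 local0.warning] 01:47:03.269595 hme0 @0:5 b 194.143.66.126,21 -> 198.82.255.255,21 PR tcp len 20 40 -S IN
Jul 30 05:53:51 myhost.vt.edu ipmon[147]: [ID 702911 local0.warning] 05:53:50.699235 hme0 @0:5 b 203.90.84.163,1781 -> 198.82.255.255,21 PR tcp len 20 60 -S IN'

# parse_ipmon: read ipmon lines on stdin, emit one CSV record per packet:
#   action,interface,rule,src_ip,src_port,dst_ip,dst_port,proto,flags,direction
# Lines without both "->" and "PR" (ipmon start-up messages, ICMP records in a
# different layout) are skipped rather than mis-parsed.
parse_ipmon() {
    awk '
        /ipmon\[/ {
            gsub(/->/, " -> ")          # make "->" its own token whatever the spacing
            arrow = 0; pr = 0
            for (i = 1; i <= NF; i++) { if ($i == "->") arrow = i; if ($i == "PR") pr = i }
            if (!arrow || !pr) next
            act = $(arrow - 2)
            action = (act == "b") ? "block" : ((act == "p") ? "pass" : act)
            rule  = $(arrow - 3); iface = $(arrow - 4)
            split($(arrow - 1), s, ","); split($(arrow + 1), d, ",")
            proto = $(pr + 1)
            flags = (proto == "tcp") ? $(NF - 1) : ""
            sub(/^-/, "", flags)        # "-S" becomes "S"
            printf "%s,%s,%s,%s,%s,%s,%s,%s,%s,%s\n",
                   action, iface, rule, s[1], s[2], d[1], d[2], proto, flags, $NF
        }'
}

# summarize_blocked: read parse_ipmon CSV on stdin and print
#   dst_port src_ip count
# for blocked packets only, highest count first.
summarize_blocked() {
    awk -F, '$1 == "block" { n[$7 " " $4]++ } END { for (k in n) print k, n[k] }' \
        | sort -k3,3nr -k2,2
}

# Demonstration on the sample lines.
echo "$SAMPLE_LOG" | parse_ipmon
echo "== blocked packets by destination port and source =="
echo "$SAMPLE_LOG" | parse_ipmon | summarize_blocked
```

On the sample, all three records are blocks of TCP SYNs to port 21 on a broadcast address, two from 194.143.66.126 and one from 203.90.84.163; on a real host the same pipeline is fed with `parse_ipmon < /var/log/ipflog` (or whatever file the local0 line in syslog.conf directs ipmon to), and the rule column (@0:5) tells you which ipf.conf rule produced each entry.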
