Solaris™ 10 Security Essentials is the first book in the Oracle Solaris Administration Series. It was written by Sun Microsystems security engineers and covers the security features of the Solaris 10 operating system in one place.
Most people call non-global zones simply "zones." The default native zone file system model on Oracle Solaris 10 is called "sparse-root."
Whole-root zones increase configuration flexibility but increase resource usage. There is no supported way to convert an existing sparse-root zone to a whole-root zone.
Creating a new zone is required.

Why should my FTP server be anywhere near the web server or mail server?
Modern firewall design allows individual dirty networks for services so why only have a single big dirty network playground for hackers? The fewer systems they can access from the compromised one the less likely it is they will spread to the internal networks. I also hate the term DMZ since the dirtiest network after internet is often the internal client one, and DMZ sits next to the internal networks rather than between them and internet these days so DMZ is very outdated.
Yup, nothing wrong with FTP if you ask me. It's simple, robust and can be made as secure as a remote connection can be. Certainly the method of choice for the Beeb's field reporters, safer and more robust than pretty much anything more "current", bar sFTP which ain't that "current" itself, if a good 20 years younger. What's your point? The problem with the "If it's not broke, don't fix it" attitude is that, when it infects management, it is used as an excuse to deny or delay all preventative maintenance, patching, and so on.
Resulting in, eventually, system failures and security breaches due to outdated, bugged, and vulnerable versions of software or sub-optimal configuration.
Management would often prefer to have failures they can blame on software bugs or attackers to having a failed modification or patch being blamed on their own department. The problem with the "If it's not broke, don't fix it" attitude And when the Damagement have the desire to fix everything regardless of whether it's broke, we end up with the Windows 8 UI. The problem is in how to educate the bosses enough that they understand what "maintenance" is without going batshit crazy on "new".
Or worse, "better because it's newer". Siemens Why blame the BBC? This stuff was outsourced to Siemens in I should know, I was one of the poor sods who was sold! That said, from the sounds of it, the ftp access pre-dates even BBC Technology, back to the days of the beardy weirdy geniuses at Kingswood Warren. Re: Siemens The service part of Siemens was bought out by Atos.
There will probably be much finger pointing as there often is with these things. That's if there was any serious threat. A "stepping stone" it may have been, but into what exactly? And let's face it, the Beeb is just a media organisation, not a bank or a holder of huge amounts of important personal data. Maybe someone could have done us a favour and taken Radio 1 off the air.
Remember that, if your control manifest is somehow corrupt, then all of the later comparisons against the original manifest are suspect. The Solaris Fingerprint Database (sfpDB) is a powerful tool for organizations that want to validate the integrity of their operating systems, baseline snapshots, and patches, or even to assist during digital forensic investigations in which the integrity of objects might be called into question.
While the announcement of practical MD5 collisions is important, this breakthrough does not impact the validity of the Solaris Fingerprint Database: a collision attack lets an attacker construct two files of his own choosing with the same hash, whereas fooling the database would require a second file that matches the fingerprint of Sun's original binary (a second preimage), which the published attacks do not provide. For more information about the resistance of hash functions to attack, see, for example, http: With this information, the Solaris OS packaging tools can be used to gather additional information.
This value must match the one returned by the following command: Just as with the version information, this value can be used to identify discrepancies between what is installed and what is supposed to be installed on the system. Visit the Solaris Fingerprint Database page at http: Click the Submit button to view the results. For this example, the following result is returned: It is good practice to use together both of the tools discussed in this chapter: As always, you must consider the intended uses of your system before deciding which advice to follow.
Evaluate any potential changes to ensure that they are appropriate for your environment, your applications, and your management practices. Center for Internet Security, Solaris 10 Benchmark, http: OpenSolaris Security Community Library, http: It also includes links to Sun BluePrints and other documents on individual security topics. See http: Among the advantages of SMF, which include automatic starting of dependent services and the ability to recover easily from a service outage, is the ability to use role-based access control (RBAC) in an SMF manifest.
With RBAC, programs can run with the precise privileges and authorizations that the program needs, and no more. Solaris services are executables such as system processes, daemons, applications, and scripts. SMF provides simple, fast, and visible administration through the following features.
The source of the failure does not affect the automatic restart. The svcs -x command provides an explanation of why a service is not running.
Services can be started in parallel. While this practice is not recommended, you can use traditional rc scripts for some services and use SMF for others. For more information, see the smf(5), svcadm(1M), svcs(1), and svccfg(1M) man pages.
Service manifests, and snapshots of each service's configuration, are kept in a central repository. This overall snapshot initializes the system at reboot. During system boot, the manifests are imported into the SMF repository. You can have multiple manifests or snapshots of each service. The examples illustrate the following points. You can also require a more limited account than root to run the service.
List the status of the service. Enable the service. Verify that the service is online. Test and use the service.
Temporarily disabled by an administrator. This service is not running. No NFS filesystems are shared Enable the service on one or both systems. Verify that the service is running. In the following examples, you protect a system that includes non-global zones.
List the properties of the service. Change one or more properties of the service. Verify that the service property is changed. Verify that the property change is effective. In the example, the ftp service is initially disabled on System A: you modify it with inetadm -m, enable it with svcadm enable, and confirm with an ftp login that it answers ("Remote system type is UNIX. Using binary mode to transfer files."). You want to establish monitoring before the service is online, so you then disable it again with svcadm disable ftp; svcs -x ftp reports that the service is "Disabled by an administrator."
The man page for that command describes the arguments that the command accepts. You can select arguments to add to the exec property so that the command runs with those arguments when the service starts. Therefore, to modify the command that runs a service, you perform the following steps. List the exec property of the service. Add selected arguments to the exec property of the service. Verify that the exec property is changed.
In the following example, you modify the ftp service to provide debugging information and a detailed log of each transaction. Modify the exec property for the service and verify that the property is changed. First, enable the service. Web servers are frequently the targets of attackers. Other Solaris features, such as zones, are also useful when setting up network services. Add privileges to or remove privileges from the service. Verify that the service properties are changed. By default, the Apache2 service is disabled.
However, the http. To reduce the privileges of the Apache2 server and start the service as the webservd user, do the following. When the user and group are set in the SMF manifest, the service starts as webservd, not as root.
You can now enable the service. Verify that the service starts under webservd and has a limited set of privileges. Permission modes have been around since the birth of UNIX. Permissions are set separately for the file's owner (user), its group, and everyone else; that last class, other, is also called world or everyone. Modes can be either symbolic or absolute.
Symbolic modes are read (r), write (w), and execute (x), listed per class. An absolute mode is an octal number constructed by adding the bits for user, group, and other. The values are shown in Table 4. So, to compute the octal value, you add the numbers that correspond to the symbolic mode.
The execute bit on a directory gives permission to search the directory. You want to make a script that you own readable, writable, and executable by you, readable and executable by group members, and with no permissions for others. In symbolic mode, you run the following command: For example, if you have created a shell script that has mode and you want to make it executable for you only, run the following command: With the execute bit, the script can be run as any other program. Without the execute bit, the script can be run if it is readable by passing the script as an argument to the appropriate shell.
The following command runs a readable script that does not have the execute bit set: The setgid bit on directories can only be set by using the symbolic mode. The following command sets the setgid bit on the directory. Temporary files that a script creates under a predictable name are especially susceptible to this kind of attack: an attacker who can guess the name creates the file, or a symbolic link to a file he wants overwritten, before the script does.
Consider the following script: To prevent this kind of attack, you should use the mktemp(1) command instead; it creates the file itself, under an unpredictable name. However, the commands have restrictions. This privilege is not granted to users by default. The mask is written in absolute mode. For the Solaris OS, the default umask is Creating a directory with mode results in absolute permissions of By setting the umask to , members of your group can write to those directories. You can add permissions for individual users and also extra groups.
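The permission arithmetic and the temporary-file problem described above, as an added example written for this page (it is not code from the book or from Solaris). It models how chmod(1) symbolic modes become absolute octal modes, how umask(1) clears bits at creation time, and why a predictable temporary name is dangerous while the create-exclusively pattern that mktemp(1) stands for is not. Only the Python standard library is used; the file names are constructed for the demonstration.

```python
"""Added example: chmod-style symbolic modes, octal modes, umask, and safe temp files."""
from __future__ import annotations
import os
import stat
import tempfile

CLASS_SHIFT = {"u": 6, "g": 3, "o": 0}   # bit positions of the user/group/other triplets
PERM_BIT = {"r": 4, "w": 2, "x": 1}       # the values you add to build one octal digit


def _split_clause(clause: str):
    """Split 'ug+rx' into classes 'ug', operator '+', permissions 'rx'."""
    i = 0
    while i < len(clause) and clause[i] in "ugoa":
        i += 1
    classes = clause[:i] or "a"
    if i >= len(clause) or clause[i] not in "=+-":
        raise ValueError(f"bad chmod clause: {clause!r}")
    if "a" in classes:
        classes = "ugo"
    return classes, clause[i], clause[i + 1:]


def symbolic_to_octal(spec: str, current: int = 0) -> int:
    """Apply a symbolic spec ('u=rwx,g=rx,o=', 'g+s', 'a-w') to a mode and return the absolute mode.

    '=' replaces the rwx bits of the class, '+' adds, '-' removes;
    's' means setuid for u and setgid for g.
    """
    mode = current
    for clause in spec.split(","):
        classes, op, perms = _split_clause(clause)
        for cls in classes:
            shift = CLASS_SHIFT[cls]
            bits = 0
            for p in perms:
                if p in PERM_BIT:
                    bits |= PERM_BIT[p] << shift
                elif p == "s" and cls == "u":
                    bits |= stat.S_ISUID
                elif p == "s" and cls == "g":
                    bits |= stat.S_ISGID
                else:
                    raise ValueError(f"bad permission {p!r} for class {cls!r}")
            if op == "=":
                mode = (mode & ~(7 << shift)) | bits
            elif op == "+":
                mode |= bits
            else:
                mode &= ~bits
    return mode


def apply_umask(requested: int, umask: int) -> int:
    """The bits a new file or directory actually gets: the requested mode with the umask bits cleared."""
    return requested & ~umask & 0o7777


def predictable_temp_name(prefix: str = "/tmp/myscript") -> str:
    """The anti-pattern: a name anyone can predict and pre-create, for instance as a symlink."""
    return f"{prefix}.{os.getpid()}"


def open_exclusive(path: str) -> int:
    """Create path only if it does not exist yet, never following a planted symlink.

    Raises FileExistsError if an attacker got there first instead of writing
    through his link. Returns an open file descriptor with mode 0600.
    """
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    return os.open(path, flags, 0o600)


def safe_temp_file(directory: str | None = None) -> tuple[int, str]:
    """What mktemp(1) does for a script: unpredictable name, created by us, mode 0600."""
    return tempfile.mkstemp(prefix="myscript.", dir=directory)


def demo_symlink_attack() -> bool:
    """Simulate the race: the 'attacker' plants a symlink at the predictable name first.
    Returns True if open_exclusive refuses to write through it."""
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, os.path.basename(predictable_temp_name()))
        target = os.path.join(d, "file_the_attacker_wants_clobbered")
        open(target, "w").close()
        os.symlink(target, victim)          # attacker wins the race
        try:
            fd = open_exclusive(victim)
        except FileExistsError:
            return True
        os.close(fd)
        return False


def demo_safe_temp_mode() -> int:
    """Mode of a file created the mktemp way, regardless of the caller's umask."""
    fd, path = safe_temp_file()
    try:
        return stat.S_IMODE(os.stat(path).st_mode)
    finally:
        os.close(fd)
        os.remove(path)
```

`symbolic_to_octal("u=rwx,g=rx,o=")` gives 0o750, the mode the text asks for; `apply_umask(0o777, 0o022)` gives 0o755. The `=` operator in this model only replaces the rwx bits of a class, so a setgid bit set with `g+s` survives a later `g=rx`; real chmod implementations differ on that detail.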
You use the runat command, as the following example shows: See Section 4. This extra privilege compromises the system. The execution of a program with insecure mode is often referred to as promiscuous execution. Use the ls -v command to view the actual permissions: These parts correspond to the traditional UNIX permissions.
The difference is that each part has an allow list and a deny list, and the permissions are much more granular. The permissions listed in Table 4. Table 4. Basic attributes are considered the stat(2) level attributes. The ACL display is similar to the following: The aclinherit property determines ACL inheritance. In effect, passthrough mode disables secure mode. Then, the ACL permissions are reduced so that they are no greater than the owner-permission bits.
Such changes can inadvertently lead to an insecure system. These checksums are computed for patches and all bundled and most unbundled software media. You compute the hash, and then type the result in a form on the http: SUNWcsu version: For example, an older binary might have more vulnerabilities than the latest version. The SFD Web page accepts only signatures at a time. The sfpC. You can also use the tool on the command line like the one below to determine if all setuid programs are found in the Fingerprint Database: While BART is clearly useful for security incident detection, it is also handy for your change management process because the tool enables you to validate approved changes and detect changes that might have occurred outside of your approved process.
You never deal directly with the contents of the manifest. Instead, the bart command creates and compares manifests for you. Do not store it on the system that it describes. The MAC lets you verify that the manifest has not been altered.
To use a MAC, you need a secret key, which you use later when you want to verify that the manifest has not been tampered with. The resulting MAC can be stored with the control manifest. An attacker who alters the manifest will not be able to produce the same MAC value because he does not know the secret key.
Tip Remember to create a new control manifest when you have patched, added new software, or otherwise changed the system. The new control manifest provides a valid snapshot of the system for future comparison.
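The manifest-and-MAC workflow described above, as an added example written for this page; it is not the bart(1M) tool and not code from the book. It builds a control manifest of a constructed file tree (size, mode and a SHA-256 digest per regular file; BART itself records MD5 and more attributes), computes an HMAC over the manifest with a secret key, simulates a compromise, and shows both the comparison report and the MAC check failing on a forged manifest. The tree, file contents and key are constructed for the demonstration.

```python
"""Added example: a BART-style control manifest with an HMAC, and a compare report."""
import hashlib
import hmac
import os
import stat
import tempfile


def build_manifest(root: str) -> dict:
    """Record size, mode and SHA-256 of every regular file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)                 # lstat: do not follow symlinks
            if not stat.S_ISREG(st.st_mode):
                continue
            h = hashlib.sha256()
            with open(path, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            rel = os.path.relpath(path, root)
            manifest[rel] = {"size": st.st_size,
                             "mode": oct(stat.S_IMODE(st.st_mode)),
                             "sha256": h.hexdigest()}
    return manifest


def manifest_to_text(manifest: dict) -> str:
    """Deterministic one-entry-per-line form, sorted so the MAC is reproducible."""
    lines = [f"{p} {e['size']} {e['mode']} {e['sha256']}" for p, e in sorted(manifest.items())]
    return "\n".join(lines) + "\n"


def text_to_manifest(text: str) -> dict:
    """Inverse of manifest_to_text (rsplit so a path may contain spaces)."""
    manifest = {}
    for line in text.splitlines():
        p, size, mode, digest = line.rsplit(" ", 3)
        manifest[p] = {"size": int(size), "mode": mode, "sha256": digest}
    return manifest


def mac_manifest(text: str, key: bytes) -> str:
    """HMAC-SHA256 over the manifest text; store the MAC with the manifest, keep the key off the host."""
    return hmac.new(key, text.encode(), hashlib.sha256).hexdigest()


def verify_manifest(text: str, key: bytes, expected_mac: str) -> bool:
    """Constant-time comparison so the check itself leaks nothing about the MAC."""
    return hmac.compare_digest(mac_manifest(text, key), expected_mac)


def compare_manifests(control: dict, test: dict) -> dict:
    """What a compare run reports: added, deleted and changed files plus the attributes that differ."""
    added = sorted(set(test) - set(control))
    deleted = sorted(set(control) - set(test))
    changed = {}
    for p in sorted(set(control) & set(test)):
        diff = [k for k in control[p] if control[p][k] != test[p][k]]
        if diff:
            changed[p] = diff
    return {"added": added, "deleted": deleted, "changed": changed}


def run_demo() -> dict:
    """Build a control manifest of a constructed tree, tamper with tree and manifest, and report."""
    key = b"example-secret-key-kept-off-the-host"      # constructed for the demo
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "usr/bin"))
        for name, body in (("usr/bin/ls", b"ls binary"), ("usr/bin/ps", b"ps binary"),
                           ("etc_passwd", b"root:x:0:0\n")):
            with open(os.path.join(root, name), "wb") as f:
                f.write(body)
        control_text = manifest_to_text(build_manifest(root))
        mac = mac_manifest(control_text, key)

        # Simulated compromise: trojaned ps, a new setuid file, a deleted file.
        with open(os.path.join(root, "usr/bin/ps"), "wb") as f:
            f.write(b"ps binary that hides pid 1337")
        backdoor = os.path.join(root, "usr/bin/.x")
        with open(backdoor, "wb") as f:
            f.write(b"shell")
        os.chmod(backdoor, 0o4755)
        os.remove(os.path.join(root, "etc_passwd"))
        report = compare_manifests(text_to_manifest(control_text), build_manifest(root))

        # An attacker who also edits the stored manifest cannot recompute the MAC without the key.
        forged = control_text.replace("usr/bin/ps", "usr/bin/ps_", 1)
        report["control_mac_ok"] = verify_manifest(control_text, key, mac)
        report["forged_mac_ok"] = verify_manifest(forged, key, mac)
        return report
```

Keep the key and the control manifest off the system they describe, as the text says; a manifest stored on the compromised host can be rewritten by the same attacker who replaced the binaries, and it is only the MAC computed with an off-host key that makes such a rewrite detectable.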
In the following example, you extract the MD5 information from the manifest, then use the SFD command line tool, sfpC. The elfsign sign command is used to sign ELF objects and the elfsign verify command is used to verify the digital signature.

The properties are named: Two styles of permissions are supported. A permission set can then later be updated and all of the consumers of the set will automatically pick up the change.
Permission sets all begin with the symbol and are limited to 64 characters in length. Some permissions depend on others: destroy (Destroy datasets), for example, also requires the mount permission. You can also delegate setting the following ZFS properties: If the.
Administrators are all-powerful and ordinary users are not. All the other accounts are pretty much powerless. System accounts such as daemon, uucp, bin, and sys, do not have any powers beyond those of normal user accounts.
In the heart of the operating system, the kernel, all privileged operations are protected by checks that verify that the process trying to perform that particular privileged operation has a UID of zero. Programs that ordinary users need for a privileged task are installed owned by root with the setuid bit set, so that when the program runs, the effective UID of the process becomes zero. With this trick, normal users can, for example, run the ping(1M) command, which needs extra privileges to send out special packets on the network. Because of this user-ID switching, the program is allowed to send its special type of packets on the network.
This, in brief, is the administrative model that has been commonplace in UNIX systems for over three decades; there is one administrative, all-powerful user, the one with UID zero.
For this discussion, this illustration provides enough information. Organizations want a better match between the function performed by an employee and the powers of that employee. Oftentimes, a daemon needs some additional privilege during startup or during certain periods of its lifecycle.
A daemon almost never needs all the superuser powers all the time, but the traditional model grants the daemon those powers. As a result, programming errors in daemons lead to system compromises because the privileges granted to the daemon UID 0 are used to gain control of the system.
Finally, the traditional model does not allow for much accountability or attributability. If administrators log in to the system as root, how does one tell which administrator was responsible for which action? Even when administrators log in as themselves and then su(1M) to root, there is little evidence as to who did what.
These shortcomings are overcome in the Solaris OS with improvements in the Solaris security model that were introduced over several releases.
Section 5. Finally, Section 5. The real and effective IDs are used in policy decisions. The saved ID is used for transitioning between IDs. The only way for a user to gain additional privileges is to execute a setuid binary. Once the information is read or the resource obtained, the extra privileges are not needed anymore and can be dropped. When a privileged operation is to occur, the process regains the extra privilege by setting its effective UID back to the privileged UID.
For example, consider xscreensaver, the Solaris X11 screensaver. With the pcred(1) command, you can observe the different UIDs for Solaris processes: Just like the user IDs, the group IDs for each login process are set from the values found in the password database.
Each process can have one primary group and up to 32 supplementary groups.
For compatibility reasons, 16 supplementary groups is a common maximum. The effective group ID can be set to any of the groups that the process belongs to.
Just as with user IDs, the saved group ID can be used to switch back and forth between privileged and nonprivileged IDs.
Starting with Solaris 10, the kernel no longer validates privileged operations by verifying that the user performing the operation has a UID of zero. Instead, fine-grained privileges are used to guard the privileged operations. As you can see in Table 5. Table 5. From the list in Table 5. For example, fork(2) and exec(2) have never been restricted to the root user. In Solaris 10, these operations are still allowed to all users by default, but they can be taken away by an administrator.
The historically unrestricted privileges are grouped together in what is called the basic set. By default, ordinary users are assigned this basic set. To see which privileges a process has, you can use the ppriv(1) command: By default, a process with UID 0 is given every privilege, so for root, just as for normal users, the transition is mostly transparent as well. So if everything works as before, you might wonder, why go through all this trouble of introducing these privileges?
The answer is that this compatibility feature is an option. Even though this option is enabled by default, you can specify the privileges that normal users get when they log in or change the privileges that daemons run with. By restricting the privileges that you assign to users or daemons, you can harden the system by removing attack vectors that are not needed by the users or daemons anyway.
As an example of restricting privileges, note the privileges that have been assigned to the NFS daemon: Many of the Solaris system services have been rewritten as daemons that have all unneeded privileges removed, making the system safer to deploy. Privilege sets can be empty, or they can contain a number of privileges. Other examples are the empty set, containing no privileges at all, and the full set, containing all privileges. Apart from the traditional user and group IDs, this record also contains four privilege sets called the Effective set E , the Permitted set P , the Inheritable set I , and the Limit set L.
The privileges in the effective set are the privileges that the process is allowed to exercise, analogous to the effective UID in the traditional model.
The privileges in the permitted set are the privileges that the process is allowed to put in effect. The permitted set is thus the maximum set of privileges for the process. The combination of the effective and permitted set enables privilege bracketing, which is discussed in the next section.
The inheritable set contains all the privileges that can be carried over to a child process. The limit set contains an upper set of the privileges a process and its offspring is ever allowed to obtain. The limit set can never grow. For unprivileged processes, the E, P, and I sets are typically equal to the basic set of privileges.
The L set is typically the full set of privileges. When a process executes another program, the new process gets the following privilege sets: The new limit set L' is unchanged from the old limit set.
Privileges removed from the permitted set cannot be restored by the process. Privileges removed from the inheritable set cannot be carried over to the process child processes. The smaller the section that runs with extra privileges, the smaller the attack surface. In general, limiting the privileged code happens in one of two ways. The second scenario is implemented by removing privileges from the effective set. The privileges are added back for the privileged pieces of code.
Using this technique, programmers can bracket the privileged operations. The other sets E, P, I can never grow beyond the limit set. The next feature is that a process cannot control processes that have more privileges. Control includes sending signals to, reading memory from, or attaching to another process.
The rule of thumb for preventing privilege escalation is: Normal users can also gain privileges by executing setuid programs, because the limit set (all) does not restrict the privileges that a user can obtain.
See the policy. The following example shows how this command can be used to manipulate process privilege sets: Some of them might be junior administrators, some more senior. Some administrators are employed by the owner of the system. Quite often, the administrators
In those days, accountability was not as important as it is today. A role can only be assumed by a user who is already logged in to the system. That is, you can only su(1M) to a role. To perform an administrative task, an ordinary user logs into the system, switches to a role that can perform the task, and only then performs that task. Because of this login restriction, auditors can always deduce which physical user performed an administrative task.
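The privilege-set rules described above (the four sets, the exec transition, bracketing and the limit set) together with the `basic,!proc_session,net_privaddr` spec syntax that the SMF method_credential privileges attribute and ppriv(1) use, as an added example written for this page. It is a model of the rules, not Solaris kernel code. The privilege names are real Solaris names, but ALL is a small illustrative subset of the full set, and the exec rule E' = P' = I ∩ L, I' = I, L' = L is the documented rule for an ordinary (non-setuid) exec; can_control is a simplification of the kernel's observability check, which also compares user IDs.

```python
"""Added example: a model of Solaris process privilege sets E, P, I, L."""
from __future__ import annotations
from dataclasses import dataclass

BASIC = frozenset({"file_link_any", "proc_exec", "proc_fork", "proc_info", "proc_session"})
# Illustrative subset of the full privilege set (assumption for the model).
ALL = BASIC | {"net_privaddr", "proc_setid", "sys_mount", "file_dac_read", "sys_resource"}


def parse_priv_spec(spec: str, universe: frozenset = ALL) -> frozenset:
    """'basic,!proc_info,net_privaddr' -> basic set minus proc_info plus net_privaddr.

    Tokens: all, basic, none, a privilege name, or !name to remove one. This is
    the form used in ppriv -s and in an SMF method_credential privileges attribute.
    """
    result = set()
    for tok in spec.split(","):
        tok = tok.strip()
        if tok == "all":
            result |= universe
        elif tok == "basic":
            result |= BASIC
        elif tok == "none":
            result.clear()
        elif tok.startswith("!"):
            result.discard(tok[1:])
        elif tok in universe:
            result.add(tok)
        else:
            raise ValueError(f"unknown privilege {tok!r}")
    return frozenset(result)


@dataclass(frozen=True)
class Creds:
    E: frozenset   # effective: what the process may exercise right now
    P: frozenset   # permitted: what it may put back into E
    I: frozenset   # inheritable: what survives an exec
    L: frozenset   # limit: upper bound for everything; can only shrink

    def __post_init__(self):
        assert self.E <= self.P <= self.L and self.I <= self.L, "invariant violated"

    def exec(self) -> "Creds":
        """Ordinary exec: E' = P' = I ∩ L, I' = I, L' = L."""
        new = self.I & self.L
        return Creds(new, new, self.I, self.L)

    def drop_effective(self, privs) -> "Creds":
        """Bracket: switch privileges off while keeping them in P for later."""
        return Creds(self.E - frozenset(privs), self.P, self.I, self.L)

    def raise_effective(self, privs) -> "Creds":
        """Switch bracketed privileges back on; only privileges still in P qualify."""
        privs = frozenset(privs)
        if not privs <= self.P:
            raise PermissionError(f"not permitted: {sorted(privs - self.P)}")
        return Creds(self.E | privs, self.P, self.I, self.L)

    def drop_permitted(self, privs) -> "Creds":
        """Irreversible: once out of P a privilege cannot come back, and it leaves E too."""
        privs = frozenset(privs)
        return Creds(self.E - privs, self.P - privs, self.I, self.L)

    def shrink_limit(self, keep) -> "Creds":
        """L' = L ∩ keep; the model clips E, P and I so they never exceed L."""
        L = self.L & frozenset(keep)
        return Creds(self.E & L, self.P & L, self.I & L, L)


def can_control(observer: Creds, target: Creds) -> bool:
    """Simplified rule: signal, trace or read another process only if it runs with no privilege you lack."""
    return target.E <= observer.E


def unprivileged_user() -> Creds:
    """A login process of an ordinary user: E = P = I = basic, L = all."""
    return Creds(BASIC, BASIC, BASIC, ALL)


def raise_fails(creds: Creds, privs) -> bool:
    """True if the process can no longer put privs back into E."""
    try:
        creds.raise_effective(privs)
    except PermissionError:
        return True
    return False
```

The daemon case from the text maps onto this directly: a web server started with privileges `basic,!proc_session,!proc_info,!file_link_any,net_privaddr` gets a permitted set of just proc_exec, proc_fork and net_privaddr; it can bracket net_privaddr off after binding port 80 and, if it then drops it from P as well, no later bug in the request-handling code can bring it back.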
Therefore, you no longer need to share the root password with someone who does printer management. Instead, you share the password for the role that has been created to perform printer management. Roles can be created and managed by using either the command line tools roleadd(1M) and rolemod(1M) or the graphical management tool, Solaris Management Console; roleadd prompts for the role's password and asks you to re-enter it. An executable can be any binary or shell script on the system. Examples of authorizations include: When these authorizations are granted to a role, that role is allowed to perform the associated operations.
The Printer Management profile ("Manage printers, daemons, spooling") carries authorizations whose names begin with solaris., such as Administer Printer, Cancel Print Job, List Jobs in Printer Queue, Print without Banner, Print Postscript, Print without Label, View Printer Queue at All Labels, View Printer Information, Update Printer Information, and Delete Printer Information. Another profile is described as "Can perform simple administrative tasks". The examples have shown what these databases look like in plain text.
Figure 5. However, these roles cannot set passwords. Such a limited set of commands is not very practical. On the command line, the glue that holds them together is the -P option to the roleadd(1M) and rolemod(1M) commands. For example, consider the effects of the following rolemod commands: First, you create the role (see Figure 5.). You provide basic account information (see Figure 5.). You can assign an existing user to the role (see Figure 5.).
Finally, you verify the account details of the role (see Figure 5.). Such attributability is one of the features of RBAC. However, some organizations do not need to use all parts of the RBAC implementation. The following example shows her use of the pfexec utility: You can also use the Solaris Management Console.
Another common use of RBAC is to change the root user to a role. This change prevents remote logins as root, and enables you to specify which users are allowed to assume the root role.
The following example creates a new user carol, changes the root user into a role, and assigns the right to assume the role to carol. Define Rights 2. Execute commands with Execution Profiles applied Figure 5.
Create a local user named carol. See the useradd(1M) man page for an explanation of the available options: Change the root account from a normal user account to a role: Assign the root role to carol: Other users cannot, even if they know the root password; su refuses with "Roles can only be assumed by authorized users" and "su: Sorry". You can also specify exactly which privileges the process must run with.
Also, the DNS server starts with an explicit set of privileges. This set removes the privileges that the daemon does not need, and adds privileges that the daemon needs. Several Solaris applications use authorizations internally, like mailq(1M), cron(1), and cdrw(1).
The SMF service itself also uses authorizations. As shown in Table 5. Otherwise, only superusers can control the SMF services. For example, the svc: If authorizations need to be added to an account, make sure to include the complete list of authorizations. For a similar example using the rolemod command, see Section 5. For more detailed and complete information, you are advised to read up on these particular subjects.
Some suggestions are given below. Limiting Services in the Solaris 10 Operating System http: See the intro(2) man page for an explanation of error codes. Before PAM, to enforce one-time passwords for the FTP service, for example, an administrator had to change the code of the FTP service.
With the introduction of PAM, application code changes are no longer required. In effect, PAM de-couples authentication from the service applications. Four conceptual pieces make up the PAM framework: A PAM stack is a collection of modules that together make up the required authentication scheme. After installation, some PAM modules are in use. Solaris provides two modules that implement these tasks: This simple example hides some complexity.
In addition to verifying that the password is accurate, an administrator would also want to check if the account has expired. Perhaps the password is up for renewal.
If a new password must be chosen, the administrator would need to ensure that the user has not reused an old password. If the user password does not match, what should the system do? Table 6. Lock account if too many authentication failures occurred. This example is among the more complicated PAM stacks. This list of modules handles most of the necessary steps a current Solaris system performs when a user logs in. The routines, by default, use the set of modules presented in Table 6.
The examples also illustrate the division between the different modules. This division allows you to customize the PAM stack by adding or dropping modules. You can add modules to the stack to implement processes that your environment requires. Warning You must not drop part of the authentication process from the stack without a very good reason.
For example, you could add modules to enforce the following kinds of restrictions. You might even want to implement a completely different authentication scheme that is based on identifying objects or colors if your users have trouble remembering or typing UNIX-style passwords.
These mechanisms are augmented with some specialized modules for Kerberos authentication. Because PAM is an open standard, many modules that implement additional restrictions and additional methods of authentication are available on the Internet. These steps can be grouped into different classes of actions. Each PAM module needs to provide services for one or more of these classes. The modules in Table 6. Each module has its own man page, which is listed in section 5 of the online manual system.
These man pages are written for the programmer, but once you have read through this entire chapter, they will be quite informative. Account management is also performed by the LDAP server. Verify that a user is allowed to assume a role.
It also prevents direct login by a role. Lock the account if too many failed login attempts are recorded.
This module is part of samba(7). Because Solaris can execute both 32-bit and 64-bit applications, each of the PAM modules is provided in both 32-bit and 64-bit format. The following section walks you through the basics.
Lines that start with a hash mark (#) are comments that are ignored by the system. The service name is usually an application name such as login, ftp, or rsh; the name other is used for any service that has no entry of its own. The module type field holds one of the four module types that were described previously (auth, account, session, and password). The control flag takes one of the values binding, include, optional, required, requisite, and sufficient. The module path names the module; if the module is located elsewhere than the default module directory, you must use the full path name. When the module name alone is used, the system automatically searches the appropriate architecture directory.
The options field is used to pass options to the module. Which options are accepted depends on the module.
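The pam.conf(4) line format and the control-flag semantics discussed in this chapter, as an added example written for this page; it is a simulator, not the Solaris PAM library. It parses `service module_type control_flag module_path [options]` lines and walks an auth stack under the Solaris rules: requisite failure stops at once, required failure is recorded but the rest of the stack still runs, sufficient or binding success ends the stack early unless a required failure was already recorded, optional failure only counts if nothing else succeeded. The sample configuration is constructed here and modelled on the Solaris 10 login stack; pam_otp_example.so.1 is a hypothetical module, and module outcomes are simulated through a dictionary rather than real authentication. The include flag is not modelled.

```python
"""Added example: parse pam.conf(4) lines and evaluate a stack under Solaris control-flag rules."""
from __future__ import annotations
from dataclasses import dataclass, field

FLAGS = {"binding", "optional", "required", "requisite", "sufficient"}

# Constructed sample, modelled on the Solaris 10 defaults; the ftp entries and
# pam_otp_example.so.1 are hypothetical.
SAMPLE_PAM_CONF = """
# login: get the token, then check it against the local password database
login   auth requisite   pam_authtok_get.so.1
login   auth required    pam_dhkeys.so.1
login   auth required    pam_unix_cred.so.1
login   auth required    pam_unix_auth.so.1
login   auth required    pam_dial_auth.so.1
other   auth requisite   pam_authtok_get.so.1
other   auth required    pam_dhkeys.so.1
other   auth required    pam_unix_cred.so.1
other   auth required    pam_unix_auth.so.1
# hypothetical one-time-password module placed in front of the ftp stack
ftp     auth sufficient  pam_otp_example.so.1
ftp     auth requisite   pam_authtok_get.so.1
ftp     auth required    pam_unix_auth.so.1
"""


@dataclass
class Entry:
    service: str
    module_type: str                    # auth, account, session or password
    flag: str
    module: str
    options: list[str] = field(default_factory=list)


def parse_pam_conf(text: str) -> list[Entry]:
    """Parse pam.conf lines; '#' starts a comment, blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 4:
            raise ValueError(f"malformed pam.conf line: {raw!r}")
        service, mtype, flag, module, *options = parts
        if flag not in FLAGS:
            raise ValueError(f"unsupported control flag {flag!r} in {raw!r}")
        entries.append(Entry(service, mtype, flag, module, options))
    return entries


def stack_for(entries: list[Entry], service: str, module_type: str) -> list[Entry]:
    """The service's own stack, or the 'other' stack when it has none."""
    own = [e for e in entries if e.service == service and e.module_type == module_type]
    return own or [e for e in entries if e.service == "other" and e.module_type == module_type]


def run_stack(stack: list[Entry], results: dict) -> tuple[str, list[str]]:
    """Walk the stack. results maps module name -> 'ok' or an error string (default 'ok').
    Returns (outcome, modules that were actually called)."""
    called, required_fail, optional_fail, succeeded = [], None, None, False
    for e in stack:
        called.append(e.module)
        r = results.get(e.module, "ok")
        ok = r == "ok"
        if e.flag == "requisite":
            if not ok:
                return required_fail or r, called       # stop immediately
            succeeded = True
        elif e.flag == "required":
            if ok:
                succeeded = True
            elif required_fail is None:
                required_fail = r                       # remember, but keep walking
        elif e.flag == "optional":
            if ok:
                succeeded = True
            elif optional_fail is None:
                optional_fail = r
        elif e.flag == "sufficient":
            if ok and required_fail is None:
                return "ok", called                     # enough; skip the rest
        elif e.flag == "binding":
            if ok and required_fail is None:
                return "ok", called
            if not ok and required_fail is None:
                required_fail = r
    if required_fail:
        return required_fail, called
    if optional_fail and not succeeded:
        return optional_fail, called
    return "ok", called
```

The walk continuing after a required failure is the point of the warning in the text about not dropping modules: every module in the login stack still runs when the password is wrong, so a remote user cannot tell from the timing or the prompts which step rejected him, and the stack still reaches the modules that record the failure.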