Securing Solaris Systems

About This Presentation

Title:

Securing Solaris Systems

Description:

Compilers and other Sun packages install here by default. ... Oracle. SUNWarc, SUNWbtool, SUNWsprot, SUNWtoo, SUNWlibCf. Man Pages. SUNWlibC, SUNWdoc, SUNWman ... – PowerPoint PPT presentation

Number of Views:97

Avg rating:3.0/5.0

Slides: 140

Provided by: randy174

Category:

more less

Transcript and Presenter's Notes

Title: Securing Solaris Systems

1
Securing Solaris Systems

Randy Marchany
VA Tech Computing Center
Marchany_at_vt.edu

2
Course Outline

OS Installation Tips
Cleaning System Scripts
Kernel settings
Testing Verification
CIS Benchmarks
TITAN
JASS

3
OS Installation Tips

Basic Tips During OS Installation

4
OS Installation Tips

Core base OS, 50Mb in size
End-user CDE/X Windows, UCB support,
NIS/NIS/LDAP
Developer man pages, include files(/usr/include)
, compiler libraries, make, ar, ld commands
Full OEM everything on the install CD
Make sure SUNWter is installed. This adds xterm
and other term support. Remote administration
requires this package.

5
OS Installation- Disk Partitions

Solaris 2.x no longer require as much swap space
as memory but it doesnt hurt
/var should be large - gt 2GB
/opt should be large - gt 2GB. Compilers and other
Sun packages install here by default.
DiskSuite requires 5MB on each disk for
configuration information
Veritas requires 2 free partitions to encapsulate
and mirror the root drive

6
OS Package Dependencies

NTP
SUNWntpr
SUNWntpu
Perl
SUNWlibm
SUNWlibms
Oracle
SUNWarc, SUNWbtool, SUNWsprot, SUNWtoo, SUNWlibCf
Man Pages
SUNWlibC, SUNWdoc, SUNWman

7
OS Package Dependencies

Developer Tools
SUNWhea, SUNWtnfc, SUNWarc, SUNWsprot, SUNWbtool,
SUNWtoo, SUNWhmdu, SUNWlibm, SUNWlibC, SUNWlibCf,
SUNWtnfd
X Client (not X Server)
SUNWxwrtl, SUNWxilow, SUNWxwplt, SUNWxwfnt,
SUNWxwice, SUNWmfrun, SUNWtltk, SUNWxilrl,
SUNWxildh
Virtual Adrian
SUNWsprot

8
Determining Which Package

Pomeranz Method
Attempt to install or run app
Find missing file(s) via error and/or truss
Check /var/sadm/install/contents of full OS
system, grep for file. This file contains the
package name
Add the needed package
Add appropriate dependencies
Repeat until done

9
Patches

Available from sunsolve.sun.com
2 install tools
Patchdiag available from sunsolve.sun.com
GASP available from discovery.cc.vt.edu and
Brian Reilly at Georgetown U
GUI front end to patchdiag
Patchdiag is required

10
Patches - GASP

Build from kit. Create a /tmp/patches
Modify the patchadd command to keep backout
option if you want it.
Start xgasp
Click on Generate Patch Report
Enter sunsolve userid/password
You can select individual patches or all of them
for download

11
(No Transcript)
12
(No Transcript)
13
(No Transcript)
14
Patches - Sunsolve

Go to http//sunsolve.sun.com
Login as vtsug/sunsucks
Use the search tools to find the patches you
need.
At a minimum, installed recommended and security
patches. This is NOT the complete answer
Install all patches then the applications
Do NOT install Sun sendmail patches if you are
using the VT sendmail.

15
OS Settings

Console Security (SPARC only)
Prevents someone from using console commands
Disable STOP-A sequence
Command Mode
Prevents EEPROM changes w/o proper password

16
OS Settings

Full Mode
Same as command mode with extras
Cant boot system w/o EEPROM password
Use eeprom command from shell
eeprom security-modefull
Use setenv command from OK prompt
OK setenv security-mode full

17
OS Settings

Disable keyboard abort sequence
Change the following line in /etc/default/kbd
from
KEYBOARD_ABORTenable
KEYBOARD_ABORTdisable
CAUTION system will have to powered down to
reset. No crash dumps from the PROM on a running
system for analysis.

18
Cleaning System Scripts

Some Startup and Boot Scripts to Check

19
Create umask for System Daemons

Solaris 7
echo umask 022 gt /etc/init.d/umask.sh
chmod 744 /etc/init.d/umask.sh
for dir in /etc/rc?.d
do
ln s ../init.d/umask dir/S00umask.sh
done
Solaris 8
Set CMASK in /etc/default/init

20
Mount Options

Mount filesystems with nosuid, read-only options
/usr can be mounted read-only
/var can be mounted nosuid
/ cant
/ is mounted RO at boot and then remounted RW.
The second mount cancels the nosuid.
Note FS mounted in 1 mode and changed to another
requires a reboot.

21
Securing /etc/vfstab

Protect OS binaries in /usr
ro FS is mounted Read Only
Prevent rogue SUID programs
nosuid SUID bit is ignored in FS
Allow other software to be installed
remount option allows you to apply options
because some FS are mounted early in the boot
process
mount o remount, ro /usr

22
Securing /etc/vfstab

nosuid caution
Implies nodev which means files in /dev/ and
/devices will not function in a nosuid FS
/ cannot be mounted nosuid. Solaris ignores this
option for root FS
Creating a separate /devices and mounting the
rest of the / nosuid doesnt work. /devices
doesnt get mounted at boot so the kernel panics.
Anon FTP areas require device files and must not
be mounted nosuid

23
The logging feature

Logging option for FS creates transaction log,
allows faster reboots but slower file writes and
more disk space for logs
Prevents physical access attack
Continuously crash system until / is corrupted
then the OS asks you to fsck /. At that point,
you have a root shell and can install backdoors,
etc
Logging prevents this from happening so were a
little safer from a physical access attack.
Solaris 8 allows logging on /. Enable this if
possible!

24
/etc/rmmount.conf

Add to /etc/rmmount.conf
mount hsfs o nosuid
mount ufs o nosuid
Prevents SUID programs from being loaded from
removable media. Default in Solaris 8
Common attack is to create SUID shell on CD or
floppy, use this to get root on system you have
physical access

25
/etc/ftpusers

Lists users NOT allowed to FTP
Include root in /etc/ftpusers
touch /etc/ftpusers
for user in root daemon bin sys nobody\ noaccess
nobody4 uucp adm lp smtp \ listen
do
echo user gtgt /etc/ftpusers
done
chown root /etc/ftpusers chgrp root \
/etc/ftpuserschmod 600 /etc/ftpusers

26
.rhosts

Remove rhosts_auth from /etc/pam.conf
Causes system to ignore .rhosts authentication
grep v rhosts_auth gt /etc/pam.conf gt\
/etc/pam.new
mv /etc/pam.new /etc/pam.conf
chmod 644 /etc/pam.conf

27
Crontab

Limit use by adding appropriate users to
/etc/cron.d/cron.allow
Only users listed in .allow files can modify
cron/at jobs
Cron can still run jobs as other users

28
More Scripts to Check

Syslog
-t flag stops syslogd from listening on port
514/udp. Keeps the system from being a syslog
server
Devfsadm (Solaris 7 or later)
Solaris gt7 supports hot swap devices
Solaris 8 device daemons also control dynamic pty
allocation. If you dont have hot swap devices,
you can disable this script

29
More Cleanup

/etc/inittab
Remove sc234respawn/usr/lib/saf/sac t 300
Disables listener on serial ports
Login prompt will still appear on the console
rm /etc/inetd.conf and add only what you need
rm adm lp sys from
/var/spool/cron/crontabs
rm /etc/auto_ /etc/dfs/dfstab if not using NFS

30
Finding Trojans Fingerprints

Use Solaris Fingerprint database to check for
trojans
Verifies local MD5 checksums of systems files
with known checksums at the SunSolve site.
sfbDB maps a digital fingerprint to a path name,
package version/identifier and product name.
Contains 1M entries used in Solaris OE, Solaris
OE patches and unbundled products.

31
Finding Trojans Fingerprints

Installation
Download MD5 binaries from http//sunsolve.sun.com
/md5/md5.tar.Z
zcat md5.tar.Z tar xvf
Creates a md5 directory with the binaries
md5-sparc and md5-x86
chmod 700 md5/
chown rootroot md5/

32
Finding Trojans Fingerprints

Create MD5 Digital fingerprint
md5/md5-sparc ltfile namegt
Use to create fingerprints of files that have
changed recently
find /usr/bin type f mtime 1 print xargs
n100 md5/md5-sparc gt /tmp/md5s.txt

33
Finding Trojans Fingerprints

Testing a Digital Fingerprint
Go to http//sunsolve.sun.com, login using vtsug
userid, click on Security Information, click on
Solaris Fingerprints.
Paste your digital fingerprints into the www
form. Click submit.
Wait a few and then view the results.

34
Finding Trojans Fingerprints

Advantages
Massive checksum DB of binaries
WWW interface
Easy to create file of checksums
Disadvantages
Need net access to Sun www site
Doesnt read input from a file
256 queries at a time

35
Solaris Fingerprint Database

Developed by Sun to help find trojan programs
installed by hackers
MD5 checksum of 1 million Sun binaries used in
OE, Patches, unbundled products
Need MD5 program
http//sunsolve.sun.com/md5/md5.tar.Z
Do the chmod, chown on /opt/md5

36
Solaris Fingerprint Database

Create local MD5
/opt/md5/md5-sparc /usr/bin/su
find /usr/bin type f mtime 1 print\ \ xargs
n100 /opt/md5/md5-sparc gt \ /tmp/md5s.txt
Compare MD5 list to Suns FPD
http//sunsolve.sun.com/pub-cgi/fileFingerprints.p
l
Copy/paste MD5 into web form, press submit. 256
entries max at one time

37
Solaris Fingerprint Database

Database Companion automates the process of
collecting and checking MD5 against the SFD
Database Sidekick checks a system for known
rootkits. It maintains a list of commonly
trojaned Solaris binaries.

38
Tripwire

Available from www.tripwire.com
First of the file integrity checkers
Unix and NT versions available
Network capable versions available
Academic version is free. Commercial and NT
versions are not.
Useful in finding trojan programs

39
Tripwire

Generates a signature for each file based on
checksums and other characteristics.
These signatures are stored in a database file
that should be kept offline.
This is the baseline.
Latest threat involves dynamic exec redirection.
This is part of the newer Kernel Module Rootkits.

40
Tripwire

List of files to check tw.config
All files in a directory will be checked.
Can prune directories from the check step.
Can examine just the directory and nothing else.
Can check by access time but not recommended
since youll get a report of everything that
changed. Everything!

41
Tripwire

To initialize the DB tripwire initialize
Update DB interactively tripwire
-interactive
Non-interactive DB update tripwire update
ltFNgt

42
Tripwire

Security Issues
Need to protect the DB
Need to protect the vulnerable executables
Advantages
Simple interface, good choice of crypto hash
functions, good all-around tool
Disadvantages
Kernel mod attacks, initial tw.config takes some
time to customize, NT version is good but costs
, no network security

43
(No Transcript)
44
User Accounts

Some accounts can be deleted
smtp, nuucp, listen
passmgmt d ltaccount namegt
JASS toolkit contains a noshell command that will
generate a syslog entry when someone tries to
login a disabled account.

45
User Accounts

Lock userids passwd l ltuseridgt
Modify accounts passwd e ltuseridgt
System accounts in /etc/passwd have no shell
assigned to them
They also have NP in the password field of
/etc/shadow
UID/GID pairs must be unique across NFS.
Recommend using the PID as a UID

46
at, cron, batch

Access to these commands can be restricted using
the at.allow, at.deny, cron.deny and cron.allow
files in /usr/lib/cron
If neither file exists, then only root can run
cron or at commands

47
Init

System services controlled by the /etc/rcX.d
directories where
X0 shutdown
XS single user mode
X1 start
X2 multi-user, no network services
X3 multi-user (default)
X4 unused
X5 shutdown and power off
X6 shutdown and reboot

48
Init

Start up scripts SxxService
Kill scripts KxxService
Main scripts live in /etc/init.d
Symlinks are in the /etc/rcX.d directories

49
RC Scripts

Create S99local
Startup ssh, portsentry, etc.
Some of the startup scripts can be disabled.
Caution your mileage will vary tremendously.
Some examples
S80lp, S73nfs., S74autofs, S88sendmail

50
Kernel Adjustments

Kernel Settings to Help Protect Your System From
Network Attacks

51
Kernel Adjustments

ndd command display/sets kernel parms on the fly
ndd /dev/arp \?
ndd /dev/icmp \?
ndd /dev/ip \?
ndd /dev/tcp \?
\? list all driver parms and status RO, RW
Response of 0 means the option is disabled
ndd set ltdrivergt ltoptiongt ltvaluegt to set a
parameter

52
Kernel Adjustments

/etc/system contains kernel parameters
Some kernel parameters can be adjusted to improve
performance and security
NFS Server
Set nfssrvnfs_portmon 1
Forces NFS server to accept client requests from
privileged port range (portlt1024)
May break file sharing with older versions of
Linux, SCO Unix

53
Kernel Adjustments

Executable Stacks
set noexec_user_stack 1
set noexec_user_stack_log 1
Helps defend against stack overflow attacks. Logs
the attempt as well.
All 64 bit Solaris use non-executable stacks by
default

54
Kernel Adjustments

Core Files
set syscoredumpsize 0
Prevents the creation of core files. Beware!
Use the coreadm command to define target
directories and file name patterns for core
files. Useful in creating a central core
repository.
SUID/SGID will be prevented from creating core
files if the above is set.

55
Kernel Adjustments

No ndd parameter documentation
Parameter names may change with new releases
Be Very Careful

56
ARP Kernel Defense

2 types of ARP attacks
DOS
Local
Attacker inserts bogus info into ARP cache
Remote
Attacker feeds remote sys bogus info (cache
poisoning
Spoofing
Used to compromise remote systems on the local
network

57
ARP Kernel Defense

ARP entries can be deleted or they time out in
the cache
Default TO is 5 minutes
Default IP Routing Table TO is 20 minutes
Change the Intervals
ndd set /dev/arp \ arp_cleanup_interval 60000
ndd set /dev/ip \ ip_ire_flush_interval 60000
Units are in milliseconds. 60000 1 minute
Only slows the attack

58
IP Defense

IP forwarding routes packets between network
interfaces on one system
Multihomed systems has several network I/F, each
with a separate IP address
Not intended to route/forward packets
Used for NFS servers on multiple nets server
response is faster when connected to same net as
clients

59
IP Defense

/etc/notrouter disables IP forwarding at boot
time
/etc/init.d/inetinit determines the configuration
at boot
To dynamically disable IP forwarding
ndd -set /dev/ip ip_forwarding 0
Solaris 8 allows you to set this per I/F

60
IP Defense

Strict Destination multihoming prevents packet
spoofing on nonforwarding multihomed systems
System will ignore packets sent to an interface
from which it didnt arrive
ndd set /dev/ip \
ip_forwarding 0
ndd -set /dev/ip \ ip_strict_dest_multihoming
1

61
IP Defense Multicast Routing

Used to send data to multiple systems
simultaneously using only 1 net address
Solaris 7 comment out from /etc/init.d/inetsvc
mcastif/sbin/dchpinfo Yiaddr to
/usr/sbin/route add interface netmask
244.0.0.0 224.0.0.0 mcastif
Solaris 8 (if _INIT_NET_STRATEGY.) to the
/usr/sbin/route line

62
IP Defense

Eliminate DCHP, named startup support and
multicast support. This leaves /etc/init.d/inetsvc
script
!/bin/sh
/usr/sbin/ifconfig au netmask broadcast
/usr/sbin/inetd s -t

63
IP Defense Directed Broadcast

Directed broadcast is sent from a remote machine
to all systems on another net
Used by smurf attack. CNS router rules limit
smurf to the same subnet
Forged ICMP echo request sent to broadcast w/
target source address
ndd -set /dev/ip \ ip_forward_directed_broadc
asts 0
Default is 1

64
IP Defense Src Route Packet

Source routed packet contains a specific path the
packet should take to get to a target
Bypasses router decisions
Enabled by default
Disable
ndd set /dev/ip \ ip_forward_src_routed 0

65
ICMP Defense

Usually safe to disable ICMP broadcasts
All systems configured to respond to broadcast
echo request will send an echo reply
Disable
ndd -set /dev/ip \ ip_respond_to_echo_broadcast
0
This breaks PING. You wont be able to ping this
system

66
ICMP Defense

Individual timestamp requests are ok. No reason
for broadcast request.
Disable
ndd set /dev/ip \ ip_respond_to_timestamp_broad
cast 0
ndd set /dev/ip \ ip_respond_to_timestamp 0
(unicast)
Address mask used to get netmask. Printers,
X-term use this. Solaris disables by default
ndd set /dev/ip ip_respond_to_address_mask_broa
dcast 0

67
TCP Defense

Syn Floods work on unestablished connections
2 queues
Q for established connections
Q for unestablished connections
Increase size on unestablished connect Q
ndd set /dev/tcp \ tcp_conn_req_max_q0 4096
ndd set /dev/tcp \
tcp_ip_abort_cinterval 60000

68
TCP Defense

Connection Exhaustion Attack
Works on established connections
OS has max connect limit. Attacker exceeds this
limit
Default Q is 128. Increase to 1024
ndd set \
/dev/tcp tcp_conn_req_max_q 1024
This increases the amount of memory needed to
process all TCP connections

69
TCP Defense

IP Spoofing uses TCP Hijacking based on ISN
prediction
RFC 1498 defines better way to generate ISN
3 types 0 predictable 1 improved with
random increment 2 RFC 1498 method
Solaris 8 uses 2, modify Solaris 7 by editing
/etc/default/inetinit and add line
TCP_STRONG_ISS2

70
TCP Defense

Privileged Ports can only be acquired by root
owned processes
NFS uses 2049, 4045. Hacker can set up fake NFS
server listening on these ports
Extend port range
ndd set /dev/tcp \ tcp_smallest_nonpriv_port
2050
Add individual ports
ndd set /dev/tcp \ tcp_extra_priv_ports_add
6112

71
ICMP Defense

Redirect errors used to tell a system to use a
different router
Can be used in Man-in-the-Middle to install bogus
routes
Disable incoming
ndd set /dev/ip ip_ignore_redirect 1
Disable outgoing
ndd set /dev/ip ip_send_redirects 0

72
System Logs

/etc/syslog.conf
Program I/F syslog()
System command logger
Log files defined in /etc/syslog.conf
/var/adm/messages (default)
/var/log/syslog (default)
/var/log/authlog (disabled by default)
/usr/lib/newsyslog rotates logs every 7 days
/var/adm/loginlog records failed login attempts

73
Syslog Strategies

Create a central syslog server
Auth.debug _at_central-logger.vt.edu
Install logcheck
Create additional syslogs
Auth.notice ifdef(LOGHOST. /var/log/Today/auth.
log, _at_loghost)
Make sure your system is defined at LOGHOST in
/etc/hosts

74
Application Logs
75
System Accounting

Use the sar command to gather system resource
usage data
Cpu, memory, disk, file I/O, system calls
Archives stored in /var/adm/sa
vmstat command collects data in a real-time data
Need SUNWaccr, SUNWaccu, uncomment
/etc/init.d/perf, /var/spool/cron/crontabs sys
Reset default shell for user sys
passmgmt m s /sbin/sh sys

76
System Accounting

Run it every 20 minutes
Archive data longer than 1 month
Edit /etc/init.d/perf and scripts in /usr/lib/sa
Change calls like date d to date Ymd
sar command will still be looking for files in
the old naming so you need to use the f option
to point to correct file
/usr/lib/sa/sa2 purges raw data after 1 week.
Remove the find command at the end of the sa2
script.

77
Process Accounting

You can tell the kernel to log data about every
process on the system
Can be selective enabled/disabled using the
accton command
Specify where the log file is
/usr/lib/acct/accton /var/adm/pacct
Once enabled, the kernel logs 40 bytes of data
for each process that runs to completion
Use acctcom to examine the logs
Process accounting can cause 10-20 degradation

78
RPC Services

Rpcbind central RPC service agent
New RPC service registers with rpcbind
Rpcbind maintains table of RPC services (program
) and the ports they listen
Client contacts rpcbind first with a program to
determine the port to connect to its requestor
Used by Disksuite, NFS, NIS, Kerberos

79
RPC Services - /etc/inetd.conf

Testsvc, sadmind, rquotad, rpc.ruserd,
rpc.sprayd, rpc.rwalld, rpc.rstatd, rpc.rexd,
kcms.server, ufsd, cachefs, kerbd, xaudio,
rpc.cmsd, rpcttdbserverd
Remove all of these services unless specifically
required

80
RPC Services Startup scripts

/etc/rc2.d/S71rpc, /etc/rc3.d/S71rpc
Rpcbind, keyserv, rpc.nisd, nis_cachmgr,
rpc.nipasswdd
Used by rpcbind, NIS/NIS, NFS client/server
NFS Server
/etc/rc2.d/S73nfs.server, /etc/rc3.d/S15nfs.server
Explicitly list client hosts, no world access
Export lowest level dir only and RO
Synchronize UID/GID between pairs
Use strong authentication if possible (AUTH_DES,
AUTH_KERB)

81
Sendmail

Use sendmail kit available from
ftp//ftp.vt.edu/pub/cc/Solaris/sendmailX.tar.Z
Sendmail kit built by VT with anti-relay and
anti-spam filters
Contains install and backout scripts

82
Sendmail

Tailor as necessary
Solaris 8 undocumented way to have sendmail
handle mail w/o cron
echo MODE gt /etc/default/sendmail
Sendmail will only process outgoing mail and no
accept incoming connections. Useful if you
forward mail to PID_at_vt.edu
See Sun Blueprint tools page (www.sun.com/blueprin
ts/tools) for replacement /etc/default/sendmail

83
Name Service Caching (nscd)

Provides caching for NS requests
Performance boost, all NS requests made by system
library call routed to nscd
Sun recommends caching as little as possible
Do not disable. NIS/NIS and some versions of
Netscape break
nscd g see current configuration

84
Banner Files

/etc/motd
/etc/issue
/etc/default/telnetd
BANNERplace your text here
/etc/default/fptd
BANNERplace your text here
/etc/sendmail.cf
SmtpGreetingMessagePut Warning here

85
More on /etc/default

/etc/default/cron
CRONLOGyes tells cron to log to /var/cron/log
for each cron job.
Roll this log often see /etc/cron.d/logchecker
/etc/default/su
Defines PATH, SUPATH for su command
/etc/default/passwd
Set password aging, password length
/etc/default/kbd
Disable STOP-A on systems

86
/etc/default/login

CONSOLE root logins allowed only on this device
usually the console
PATH, SUPATH uncomment and set
UMASK uncomment and set
RETRIES number of failed logins before login
exits
SYSLOG_FAILED_LOGINS number of failed logins
before message logged to /var/adm/loginlog
(Solaris 8)

87
Additional Login Files

Set UMASK, PATH in /etc/profile, /etc/.login
Default files for userid creation in /etc/skel.
These files are used by useradd or admintool
programs
Can be overridden by users

88
Fix-modes Program

Corrects insecure system file/directory perms
Removes group/world write permissions
Makes most files owned by root
Uses /var/sadm/install/contents for list of
programs to check
User files NOT installed with pkgadd will not be
affected
Core files in Solaris 8 are fixed. Things like
CDE arent

89
Building TCP Wrappers

Available from ftp//ftp.porcupine.org/pub/securit
y/index.html
Modify the Makefile
Set REAL_DAEMON_DIR
Send logging to LOG_AUTH
Download the IPv6 version for Solaris 8
Use the advanced installation method

90
Building OpenSSH

OpenSSH implements SSH1, SSH2
Maintained by OpenBSD
Tested on Solaris 2.6 5/98 Sparc, Solaris 7 11/99
Sparc, Solaris 8 4/01 Sparc with ForteDeveloper 6
update 1 and gcc 2.95.2

91
Building OpenSSH

Prerequisite Components
OpenSSH 2.9p2 from http//www.openssh.com/portable
.html
Zlib 1.1.3 from http//www.freesoftware.com/pub/in
fozip/zlib
Solaris 8 CD package format
OpenSSL 0.9.6b from http//www.openssl.org/source
PRNGD 0.9.19 from http//www.aet.tu-cottbus.de/per
sonen/jaenicke/postfix_tls/prngd.html (pseudo
random number generator)

92
Building OpenSSH

Building zlib
cd zlib-1.1.3
./configure (for gcc)
env CCcc CFLAGS-xo4 KPIC ./configure
make
make install
ls l /usr/local/lib/libza.a

93
Building OpenSSH

Building OpenSSL
cd openssl-0.9.6b
./Configure ltcompilergt
make
make install
ls l /usr/local/ssl/lib
Building PRNGD
cd prngd-0.9.19
make CCgcc CFLAGS-O3 DSOLARIS
SYSLIBS-lsocket lnsl
make CCcc CFLAGS-x04 DSOLARIS KPIC
SYSLIBS-lsocket lnsl

94
Building OpenSSH

Building PRNGD (contd)
cp prngd /usr/local/sbin/prngd
chown rootbin /usr/local/sbin/prngd
chmod 755 /usr/local/sbin/prngd
cp contrib/Solaris7/prngd.conf.solaris-7
/etc/prngd.conf
cat /var/log/syslog gt /etc/prngd-seed

95
Building OpenSSH

Building OpenSSH
gcc version
./configure prefix/opt/OBSDssh with-pam
without-rsh disable-suid-sh sysconfdir/etc
\ --with-prngd-socket/var/spool/prngd/pool
make
make install
ls l /opt/OBSDssh/bin/ssh
Start /etc/init.d/openssh.server start

96
Building OpenSSH

http//www.sun.com/blueprints/tools/makeOpenSSHPac
kage.ksh builds a Solaris package containing
OpenSSH
./makeOpenSSHPackage.ksh
pkgadd d OBSDssh.pkg OBSDssh

97
/etc/sshd_config Guidelines

ListenAddress used to set up SSH servers on
virtual I/F
Protocol 2,1 try v2 first then v1
SyslogFacility AUTH send logging messages to
LOG_AUTH like TCP Wrappers
CheckMail, PrintMotd done by SSH or login, your
choice
KeepAlive send a heartbeat packet to verify the
host is still reachable. Good for keeping hung
sessions down

98
/etc/sshd_config Guidelines

IgnoreRhosts yes disable all types of rhosts
authentication
PermitRootLogin no forces people to su to root
Be careful. This also prevents remote command
execution and copying files from one system to
another via scp

99
SSH Using RSA Authentication

Generate your key pair using something like PGP
Copy public key to remote system
Remote system authenticates user by encrypting
message w/public key
User decrypts using private key and send it back
to remote system

100
SSH RSA Example
ssh-keygen b 1024 f /.ssh/identity Enter
passphrase XXXXXXXX Enter the same passphrase
again XXXXXXXX scp /.ssh/identity.pub
\ remotehost/.ssh/authorized_keys
rcm_at_remotehost password YYYYYYY Identity.pub 0
KB 0.3kB/s ETA 0000 100 ssh
remotehost Enter passphrase for RSA key
rcm_at_thishost KKKKKKK
101
Testing Verification

Minimum Security Benchmark Procedures and
Toolkits for Testing and Verifying System Security

102
Testing Verification

Pomeranz Test
Can get here from there
Cant get here from there
Cant get here as Superuser
Whats Running?
Cant write in /usr
Cant run SUID from /var/tmp
Check your logs

103
Can Get Here From There

ssh userid_at_securehost
Reasons for failure
Localhost isnt in securehosts hosts.allow
TCP Wrappers in sshd cant find localhosts name
from its IP address
sshd cant read hosts.allow, hosts.deny
The userid doesnt exist on securehost
RSA identity certificate not properly installed

104
Cant Get Here From There

From badhost ssh securehost
Root should be getting an email if logcheck and
syslog are working
Reasons the connection might work
hosts.allow is too permissive
Reasons for failure
Securehost may have an invalid sendmail.cf file

105
Cant Get Here As Superuser

ssh l root securehost
Reason for success
/etc/sshd-config is incorrect
You shouldnt allow direct root logins ?

106
Whats Running?

Do a ps ef or lsof on an idle system
Reasons you might see different output
Youre logged in multiple times
You logged in on the console
Forgot to remove all recommended files from
/etc/rc.d
/etc/defaultrouter doesnt exist

107
Cant Write in /usr

touch /usr/bin/BAD
Should generate an error message.
Reasons for success
Forgot to reboot/remount /usr in RO mode
Incorrect configuration of /etc/vfstab

108
Cant Run SUID from /var/tmp
cd /var/tmp cp /usr/bin/ps . chmod 4111
ps D /usr/bin/ps ef /var/tmp/ps ef
Reasons for Success 1) still running as root 2)
running wrong Version of ps 3) misconfigured
/etc/vfstab
109
Check Your Logs

Reasons for failure
/etc/syslog.conf has no auth. entries
Files/devices listed in /etc/syslog.conf are
invalid
Loghost is unreachable or misconfigured
Forgot to modify TCP Wrappers Makefile to send
logging messages to LOG_AUTH
/etc/sshd_config is misconfigured

110
Backups

Have a complete level 0 dump of all file systems
Set up an alternate boot disk
Lock it up and dont re-use the tape/disk
Make another dump every time you make significant
changes
Should you use network backup for sensitive
servers?
In our environment, its ok because of network
topology

111
Alternate Boot Disk Setup

Install 2 identical internal disks
Install OS on primary disk
Partition 2nd disk identical to primary
Format the secondary disk
Create filesystems on secondary disk
dd copy from primary to secondary
Install ufs bootblock in s0 of secondary
Modify /broot/etc/vfstab to mount secondary as /,
change auto bootup device in EEPROM

112
Security Benchmarks

Tools and Benchmark Documents for Securing
Solaris Systems

113
Configurator

http//www.deer-run.com/hal/jumpstart/configurato
r
Testing tool for SANS Securing Solaris and CIS
Solaris Security Benchmark docs
Will CHANGE your system setting to conform with
the above docs
Can be integrated into Jumpstart server or run in
standalone mode

114
CIS Solaris Benchmark

Minimum actions to harden your system
Configurator script available from
http//www.deer-run.com/hal/jumpstart/configurato
r
Can be used to configure according to CIS
benchmark or SANS Securing Solaris

115
SANS Benchmark

Available from http//security.vt.edu in the
Online Books section. Need PID to get it.
Contains step-by-step instructions in a manner
similar to the CIS benchmark
Systems can be configured using Hal Pomer

116
JASS

Free from www.sun.com/blueprints/tools
Set of scripts to secure your system
Can be used as part of a Jumpstart install
Useful for lab situations
Its an officially endorsed Sun item
JASS doesnt secure systems enough

117
YASSP

http//www.yassp.org
Jean Chouanard took an early version of the SANS
Securing Solaris course
Went home and wrote YASSP
Comes in pkgadd format
Endorsed by SANS
Runs on Solaris 2.6, 7, 8(beta)
Mailing list secure-sol-request_at_parc.xerox.com

118
YASSP Pros/Cons

Pro
pkgadd format very useful
Works on Core, end-user, developer, Full
Automatically installs security tools
Con
Not very modular
/etc/yassp.conf hard to understand

119
TITAN

Collection of programs/scripts which either fix
or tighten security problems
Not a replacement for anything. Its a supplement
to your system security toolkit.
http//www.fish.com/titan

120
TITAN Pros/Cons

Pro
Modular and extensible
Verification function
Linux version in beta test
Con
Writing modules can be complex

121
Conclusions

Keep an eye on your system
Build minimal functionality then add what you
need
Mount FS RO or NOSUID
Use SSH
Verify everything
Send Randy log excerpts of probes

122
Appendix 1

Portsentry, IP Filter, logcheck configuration
guidelines

123
Portsentry

Available from www.psionic.com
Monitors ports and performs an action when an
attempt to access the port is made.
Usually access is denied to the probing systems.
Monitors TCP and UDP traffic. A little more
flexible than TCP Wrappers

124
Portsentry Configuration Files

Portsentry.conf contains the list of ports to be
monitored.
3 levels of paranoia ?

125
(No Transcript)
126
Logcheck

Available from www.psionic.com
Syslog keyword scanner
When it matches something, it does something
Send email
Page someone
Run a command

127
logcheck.violations These keywords denote a
problem and are flagged by logcheck.
128
logcheck.ignore Phrases listed in this file are
ignored by the logcheck program.
129
logcheck.hacking Keywords in this file
indicate an attack is taking place
130
(No Transcript)
131
IP Filter

Software package that can do NAT or basic
firewall services.
Designed to be used as a loadable kernel module
but can be incorporated into a Unix kernel
Can be configured to do IP Accounting (count
bytes), IP Filtering or IP authentication or NAT.
http//coombs.anu.edu.au/avalon/ip-filter.html

132
IP Filter

Can explicitly allow/deny any packet.
Distinguishes between multiple interfaces.
Filters by IP network, hosts or protocol.
Filters by port number or port range.
Logs the following
TCP/UDP/ICMP/IP packet headers
First 128 bytes
Pass or blocked status

133
IP Filter

Statistics collected include
Packets blocked
Packets used for accounting (packet count)
Packets passed
Packets logged
Inbound/outbound packet information

134
(No Transcript)
135
IP Filter Log Format
Jul 30 014652 myhost.vt.edu ipmon147 ID
702911local0.warning 014652.196772 hme0 _at_05 b
194.143.66.126,21 -gt198.82.255.255,21 PR tcp len
20 40 -S IN Jul 30 014703 myhost.vt.edu
ipmon147 ID 702911local0.warning
014703.269595 hme0 _at_05 b 194.143.66.126,21
-gt198.82.255.255,21 PR tcp len 20 40 -S IN Jul
30 055351 myhost.vt.edu ipmon147 ID
702911local0.warning 055350.699235 hme0 _at_05 b
203.90.84.163,1781 -gt198.82.255.255,21 PR tcp len
20 60 -S IN
136
WWW Sites