4- Security
By Peter Baer Galvin
For Usenix
Last Revision Apr 2009
Or...
Use VirtualBox
Use your own system
Use a remote machine you have legit access to
According to Sun:
Solaris 10 11/06 is currently in evaluation at EAL4+, one of the
highest levels of Common Criteria Certification, with three
Protection Profiles: Labeled Security Protection Profile (LSPP),
Controlled Access Protection Profile (CAPP) and Role-Based
Access Control Protection Profile (RBACPP). In addition,
Solaris 10 3/05 has completed evaluation at EAL4+ with CAPP
and RBACPP.
Run other OSes (Linux, Windows) with S10+ as the host
Industry semi-standard
Run multiple copies of Solaris on the same CoolThreads chip (Niagara, Rock in the future)
Can restrict disk use of a zone via the loopback file driver (lofi) using a file as a file system
dtrace 1
login 1
sshd 2
sh 6
telnet 6
w 7
df 12
in.telnetd 25
mixer_applet2 61
gnome-panel 108
metacity 125
gnome-terminal 197
#
^C
libc.so.1`_write+0xc
sshd`atomicio+0x2d
805b59c
sshd`main+0xd59
805b1fa
8 | 0
16 |@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ 1
32 | 0
libc.so.1`_write+0xc
sshd`packet_write_poll+0x2e
sshd`packet_write_wait+0x23
sshd`userauth_finish+0x19f
805f42e
sshd`dispatch_run+0x49
sshd`do_authentication2+0x7c
sshd`main+0xdc7
805b1fa
# head exec_attr
Application Server Management:suser:cmd:::/usr/appserver/bin/asadmin:
Software Installation:suser:cmd:::/usr/bin/pkgparam:uid=0
Network Management:suser:cmd:::/usr/sbin/in.named:uid=0
File System Management:suser:cmd:::/usr/sbin/mount:uid=0
Software Installation:suser:cmd:::/usr/bin/pkgtrans:uid=0
Name Service Security:suser:cmd:::/usr/bin/nisaddcred:euid=0
Mail Management:suser:cmd:::/usr/sbin/makemap:euid=0
FTP Management:suser:cmd:::/usr/sbin/ftprestart:euid=0
File System Management:solaris:cmd:::/sbin/mount:privs=sys_mount
Software Installation:suser:cmd:::/usr/sbin/install:euid=0
#
#
# passwd performs dictionary lookups if DICTIONLIST or DICTIONDBDIR
# is defined. If the password database does not yet exist, it is
# created by passwd. See passwd(1), pam_authtok_check(5) and
# mkdict(1) for more information.
#
#DICTIONLIST=
#DICTIONDBDIR=/var/passwd
Modify /etc/security/policy.conf to use stronger password crypto
CRYPT_DEFAULT=md5
Passwords less likely to be “crack”ed if found encrypted
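An added example, not from the original slides: CRYPT_DEFAULT applies only when a password is next set, so hashes stored before the change keep their old format. This script reads the setting and classifies each shadow(4) hash field by its prefix; the policy and account lines are constructed sample data, and the function names are this example's own.

```shell
#!/bin/sh
# Added example: report which crypt(3C) scheme each shadow(4) entry uses.
# All account data below is constructed sample input, not real hashes.

# Print the CRYPT_DEFAULT value from a policy.conf-format file.
crypt_default() {
    awk -F= '$1 == "CRYPT_DEFAULT" { v = $2 } END { print v }' "$1"
}

# Print "user scheme" for every line of a shadow-format file.
classify_shadow() {
    awk -F: '{
        h = $2
        if (h == "")                                     s = "empty"
        else if (h == "NP" || substr(h, 1, 4) == "*LK*") s = "no-login"
        else if (substr(h, 1, 4) == "$md5")              s = "sunmd5"
        else if (substr(h, 1, 3) == "$1$")               s = "bsdmd5"
        else if (substr(h, 1, 4) == "$2a$")              s = "blowfish"
        else if (length(h) == 13)                        s = "unix-des"
        else                                             s = "unknown"
        print $1, s
    }' "$1"
}

# Users whose stored hash is still traditional UNIX crypt.
legacy_users() {
    classify_shadow "$1" | awk '$2 == "unix-des" { print $1 }'
}

policy=$(mktemp); shadow=$(mktemp)
trap 'rm -f "$policy" "$shadow"' EXIT
cat > "$policy" <<'EOF'
CRYPT_ALGORITHMS_ALLOW=1,2a,md5
CRYPT_DEFAULT=md5
EOF
cat > "$shadow" <<'EOF'
root:$md5$kqx0Dh2a$$Wj8rMDZbDsTkOLEbFG4Zy.:14000::::::
alice:aB3xYz9QwErTy:13800::::::
bob:$1$Zk3p9sQ1$0123456789abcdefghijk.:14001::::::
daemon:NP:6445::::::
carol:*LK*:::::::
EOF

echo "CRYPT_DEFAULT=$(crypt_default "$policy")"
classify_shadow "$shadow"
echo "still on legacy crypt: $(legacy_users "$shadow")"
```

Accounts reported as unix-des need a password change before the new default takes effect for them.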
user-level providers:
/usr/lib/security/$ISA/pkcs11_kernel.so
/usr/lib/security/$ISA/pkcs11_softtoken.so
Install ipfilters
Build a rule to allow everything but finger in
Modify the rule to allow everything but ftp out
Test the rules
Examine the firewall state
Examine the log files
[Figure callouts: window label stripe, window icon label stripe, front panel, trusted stripe]
Containers and Trusted
(From Solaris Labels Extensions User’s Guide)
Trusted Extensions uses containers for labeling. Containers are also called zones. The global zone is
an administrative zone, so is not available to users. Non-global zones are called labeled zones.
Labeled zones are used by users. The global zone shares some system files with users. When these
Enabling Trusted Solaris Extensions
4. The IP address for the vni0 interface should be the same as in the hosts and ipnodes files
vni0 interface should include the all-zones option
Click Open
7. Add yourself as a normal user
From the Navigation bar, select System Configuration, and then double-click the Users icon
The login window opens
Log in as root
Click User Accounts, and then select Add User With Wizard from the Action menu
Follow the instructions to add the user
8. After your account is created, double-click your user icon to modify settings
Open the Trusted Extensions Attributes tab and modify these items:
Set the Clearance value to CONFIDENTIAL RESTRICTED
Set the Lock Account After Maximum Failed Logins value to No
Set the Idle Time value to Forever
Click OK
9. Edit the /etc/user_attr file to append the following to your user entry:
;roles=root
(temporary workaround until you have verified that your system is working correctly. At that time, you should configure root as a role)
10. Create security templates for the public and internal zones
From the Navigation bar, select System Configuration, and then double-click the Computers and Networks icon
Click Security Templates, and then choose Add Template from the Action menu
Specify the template name as public
Set the default label to PUBLIC
Set the Domain of Interpretation value to 1
Click OK
Choose Add Template from the Action menu
Specify the template name as internal
Set the default label to CONFIDENTIAL : INTERNAL USER ONLY
Set the Domain of Interpretation value to 1
Click OK
11. Manually update the kernel cache with trusted networking parameter values
# tnctl -T /etc/security/tsol/tnrhtp
1. Run the txzonemgr script and follow each of these steps (You must click OK each time to continue)
2. Create a new zone called public
Select Create A New Zone and click OK
Specify the zone name of public
Choose Select_Label and click OK
Choose PUBLIC
Choose Install to install the public zone
A window opens to show you the progress of the zone installation process
Choose Initialize to initialize the public zone
Choose Zone_Console to open the zone console window
Choose Boot to boot the zone
The public zone is rebooted automatically
The public zone will reboot again automatically
3. From the zone terminal console window, log in as superuser and run the following commands:
Run these commands on a Solaris 10 11/06 system:
# rm /etc/auto_home_public
# netservices limited
# svcadm disable auditd
# svcadm disable cde-login
# exit
1. Caution - The inetmenu program might be replaced with another utility in the future
2. Become superuser
2. Change to the /opt/tx directory
4. Unzip and install the inetmenu software
# gunzip inetmenu-1.9.pkg.gz
# pkgadd -d inetmenu-1.9.pkg
6. Run inetmenu
# inetmenu
http://www.opensolaris.org/os/community/security/projects/tx/TrustedExtensionsArch.pdf
http://docs.sun.com/app/docs/coll/175.12
http://opensolaris.org/os/community/security/projects/tx/tx-laptop-install/
Enable ipfilter
Uncomment or add the network interfaces to /etc/ipf/pfil.ap
Install a firewall configuration (next slide) into /etc/ipf/ipf.conf
Enable firewalling et al
# Allow ping
# ls -l /var/adm/loginlog
-rw------- 1 root sys 0 Sep 3 21:16 /var/adm/loginlog
# ls -l /var/adm/debug
-rw------- 1 root sys 0 Sep 3 21:16 /var/adm/debug
$ roles
root
(Have a look in /etc/user_attr to determine if other users have privileges / roles that they shouldn’t.)
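An added example, not from the original slides, of the /etc/user_attr review suggested above: it parses user_attr(4)-format entries and lists who may assume which role and which accounts are defined as roles. The entries are constructed sample data and the function names are this example's own.

```shell
#!/bin/sh
# Added example: summarise role assignments in a user_attr(4)-format file.
# Entry layout: user:qualifier:res1:res2:key=value;key=value...
# Needs a POSIX awk (on Solaris 10: nawk or /usr/xpg4/bin/awk).

# Print "user role" for every role a user may assume.
role_grants() {
    awk -F: '/^#/ || NF < 5 { next }
    {
        n = split($5, kv, ";")
        for (i = 1; i <= n; i++)
            if (substr(kv[i], 1, 6) == "roles=") {
                m = split(substr(kv[i], 7), r, ",")
                for (j = 1; j <= m; j++) print $1, r[j]
            }
    }' "$1"
}

# Users allowed to assume the role named in $2.
users_with_role() {
    role_grants "$1" | awk -v want="$2" '$2 == want { print $1 }' | sort
}

# Accounts that are themselves roles (type=role), not login users.
defined_roles() {
    awk -F: '!/^#/ && index(";" $5 ";", ";type=role;") { print $1 }' "$1"
}

ua=$(mktemp)
trap 'rm -f "$ua"' EXIT
cat > "$ua" <<'EOF'
# constructed sample entries
root::::type=role;auths=solaris.*,solaris.grant;profiles=All
pbg::::type=normal;roles=root
oper::::type=normal;profiles=Operator;roles=root,backup
backup::::type=role;profiles=Media Backup
guest::::type=normal
EOF

echo "may assume root: $(users_with_role "$ua" root | xargs)"
echo "defined roles:   $(defined_roles "$ua" | xargs)"
```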
Enable and configure Solaris auditing and BART for activity monitoring
Also secure BIOS and GRUB
Copyright 2009 Peter Baer Galvin - All Rights Reserved
Solaris OE Security
http://www.sun.com/solaris
http://www.sun.com/security/jass