
Basic Solaris Operating System Security Workshop


Contents

1. Securing Users
2. Securing Logins and Passwords
3. Controlling Access to Files
4. TCP Wrappers on Solaris
1. Securing Users

• Reviewing accounts


Securing Users

• Information shown for one user


/etc/passwd File
System Users

• System users have UIDs from 0 to 99
• UID number 60001 is used for the nobody account
• UID number 60002 is used for the noaccess account
• UIDs from 100 to 60000 are the UIDs set aside for regular user accounts
Default System Accounts




Reviewing Accounts

• Check the most recent time each account logged in to the system

Deleting an Account

• userdel -r username

The -r option removes all of the user's files in that user's home directory
Procedure for Creating a User

1. Create the user with the useradd command


# useradd -u 1003 -g support -G itgroup \
-d /export/home/jsmith -m -c "joe smith" jsmith

2. Set the user's password with the passwd command


# passwd jsmith
New Password: <password>
Re-enter new Password: <password>
passwd: password successfully changed for jsmith

3. Require the user to change the password at the next login


# passwd -f jsmith
passwd: password information changed for jsmith
2. Securing Logins and Passwords

• /etc/default/passwd
• Displaying users without passwords
• Monitoring failed login attempts
• Monitoring all failed login attempts
• Monitoring All Failed SSH Login Attempts
• Monitoring who is using the su command
• Set Account Locking for Regular Users
/etc/default/passwd File

• MAXWEEKS: Sets the maximum time period (in weeks) that the password is valid
• MINWEEKS: Sets the minimum time period before the password can be changed
• PASSLENGTH: Sets the minimum number of characters for a password. Valid entries are 6, 7, and 8.
• WARNWEEKS (not shown): Sets the time period before a password's expiration to warn the user that the password will expire
Note: The WARNWEEKS value does not exist by default in the /etc/default/passwd file, but it can be added
/etc/default/passwd File

• NAMECHECK=NO: Sets password controls to verify that the user is not using the login name as a component of the password. The default is to do login name checking.
• HISTORY=0: Forces the passwd program to log up to 26 changes to the user's password. This prevents the user from reusing the same password for 26 changes. If the HISTORY value is set to a number other than zero (0), and then set back to zero, it causes the password log for a user to be removed on the next password change.
/etc/default/passwd File

• MINDIFF=3: Specifies the minimum number of characters in the password that must be different
• MINALPHA=2: Specifies the minimum number of alpha characters that must appear in the password
• MINNONALPHA=1: Specifies the minimum number of non-alpha characters that must appear in the password
• MINUPPER=0: Specifies the minimum number of uppercase characters that must appear in the password
• MINLOWER=0: Specifies the minimum number of lowercase characters that must appear in the password
• MAXREPEATS=0: Specifies the maximum number of times a character can be repeated consecutively in a password
• MINSPECIAL=0: Specifies the minimum number of special characters that must appear in the password
• MINDIGIT=0: Specifies the minimum number of digits for the password
• WHITESPACE=YES: Specifies whether or not whitespace is allowed in the password
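An added example, not from the deck, that audits an /etc/default/passwd file against a baseline built from the parameters listed above. The two sample files are constructed here (one with the weak out-of-the-box values, one hardened); the baseline minimums and the function names are my assumptions, not a Solaris standard.

```shell
# Added example, not from the deck: audit /etc/default/passwd against a
# baseline built from the parameters listed above. Both sample files are
# constructed; the baseline minimums are assumptions, not a standard.
TMPD=$(mktemp -d)
cat > "$TMPD/passwd.weak" <<'EOF'
MAXWEEKS=
MINWEEKS=
PASSLENGTH=6
HISTORY=0
MINDIGIT=0
MINSPECIAL=0
EOF
cat > "$TMPD/passwd.hard" <<'EOF'
MAXWEEKS=13
MINWEEKS=1
PASSLENGTH=8
HISTORY=26
NAMECHECK=YES
MINDIGIT=1
MINSPECIAL=1
EOF

# get_param FILE NAME: value of the last uncommented NAME= line, or empty
get_param() { sed -n "s/^$2=//p" "$1" | tail -1; }

# require_min FILE NAME MIN: fail (and say why) if NAME is unset or below MIN
require_min() {
  v=$(get_param "$1" "$2")
  if [ -z "$v" ] || [ "$v" -lt "$3" ]; then
    echo "$2 is '${v:-unset}', want at least $3"; return 1
  fi
}

# audit FILE: print each finding, then the number of failed checks on the
# last line (0 means the file meets the baseline)
audit() {
  fails=0
  require_min "$1" PASSLENGTH 8  || fails=$((fails+1))
  require_min "$1" HISTORY 10    || fails=$((fails+1))
  require_min "$1" MAXWEEKS 1    || fails=$((fails+1))
  require_min "$1" MINDIGIT 1    || fails=$((fails+1))
  require_min "$1" MINSPECIAL 1  || fails=$((fails+1))
  if [ "$(get_param "$1" NAMECHECK)" = NO ]; then
    echo "NAMECHECK=NO disables login-name checking"; fails=$((fails+1))
  fi
  echo "$fails"
}
audit "$TMPD/passwd.weak"   # 5 findings
audit "$TMPD/passwd.hard"   # 0
```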
Displaying Users Without Passwords
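An added example, not from the deck, covering the account review from section 1 and the slide title above: it classifies every /etc/passwd entry by the UID ranges given earlier, flags any extra UID 0 account, and lists accounts whose /etc/shadow password field is empty (what logins -p reports on Solaris). Both files are constructed samples and the function names are my own.

```shell
# Added example, not from the deck: review a passwd/shadow pair using the UID
# ranges from section 1 and list accounts that have no password. Both files
# are constructed samples; the hash strings are placeholders.
TMPD=$(mktemp -d)
cat > "$TMPD/passwd" <<'EOF'
root:x:0:0:Super-User:/:/usr/sbin/sh
daemon:x:1:1::/:
nobody:x:60001:60001:NFS Anonymous Access User:/:
noaccess:x:60002:60002:No Access User:/:
jsmith:x:1003:1003:joe smith:/export/home/jsmith:/bin/sh
dupadmin:x:0:1::/:/bin/sh
EOF
cat > "$TMPD/shadow" <<'EOF'
root:PLACEHOLDER_HASH:6445::::::
daemon:NP:6445::::::
nobody:*LK*:6445::::::
noaccess:*LK*:6445::::::
jsmith::6445::::::
dupadmin:PLACEHOLDER_HASH:6445::::::
EOF

# uid_class UID: the ranges the deck gives for /etc/passwd entries
uid_class() {
  case "$1" in
    0)     echo superuser ;;
    60001) echo nobody ;;
    60002) echo noaccess ;;
    *)     if   [ "$1" -lt 100 ];   then echo system
           elif [ "$1" -le 60000 ]; then echo regular
           else echo reserved; fi ;;
  esac
}

# extra_uid0 PASSWD: any account other than root that carries UID 0
extra_uid0() { awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"; }

# no_password SHADOW: accounts with an empty password field (NP and *LK*
# entries cannot log in at all, so they are not reported)
no_password() { awk -F: '$2 == "" { print $1 }' "$1"; }

# review PASSWD SHADOW: one line per account, then the two findings
review() {
  awk -F: '{ print $1, $3 }' "$1" | while read -r name uid; do
    echo "$name uid=$uid class=$(uid_class "$uid")"
  done
  echo "extra UID 0 accounts: $(extra_uid0 "$1")"
  echo "accounts without a password: $(no_password "$2")"
}
review "$TMPD/passwd" "$TMPD/shadow"
```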
Monitoring Failed Login Attempts
Monitoring All Failed Login Attempts
Monitoring All Failed Login Attempts: Example
Monitoring All Failed SSH Login Attempts

1. Add the following entry to the /etc/syslog.conf file:


auth.info /var/adm/messages

2. Restart the syslog daemon:


# svcadm restart svc:/system/system-log:default

3. Edit the /etc/ssh/sshd_config file


# Maximum number of retries for authentication
# Default is 6. Default (if unset) for MaxAuthTriesLog is MaxAuthTries / 2
MaxAuthTries 6
MaxAuthTriesLog 3

4. Restart the sshd daemon


# svcadm restart svc:/network/ssh:default
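An added example, not from the deck, showing what to do with the logs once the four steps above are in place: count failed SSH logins per source address in /var/adm/messages and list refused su attempts to root from /var/adm/sulog (the topic of the next slide). Both logs are constructed samples laid out like the Solaris originals; the [ID ...] tag value, host name and addresses are placeholders, and the function names are my own.

```shell
# Added example, not from the deck: summarise failed SSH logins per source
# address from /var/adm/messages and refused su-to-root attempts from
# /var/adm/sulog. Both logs are constructed samples; the [ID ...] tag value,
# host name and addresses are placeholders.
TMPD=$(mktemp -d)
cat > "$TMPD/messages" <<'EOF'
May 31 03:30:01 host1 sshd[2041]: [ID 800047 auth.info] Failed password for jsmith from 10.151.197.200 port 51022 ssh2
May 31 03:30:05 host1 sshd[2041]: [ID 800047 auth.info] Failed password for jsmith from 10.151.197.200 port 51022 ssh2
May 31 03:30:09 host1 sshd[2041]: [ID 800047 auth.info] Failed password for jsmith from 10.151.197.200 port 51022 ssh2
May 31 03:31:40 host1 sshd[2077]: [ID 800047 auth.info] Accepted publickey for jsmith from 10.151.197.151 port 51100 ssh2
May 31 03:32:12 host1 sshd[2090]: [ID 800047 auth.info] Failed password for invalid user admin from 192.0.2.10 port 4022 ssh2
EOF
cat > "$TMPD/sulog" <<'EOF'
SU 05/31 03:30 + pts/2 jsmith-root
SU 05/31 03:35 - pts/3 guest-root
SU 05/31 03:36 - pts/3 guest-root
SU 05/31 03:40 + pts/2 jsmith-support
EOF

# failed_ssh_by_source FILE MIN: "count address" for each source address with
# at least MIN failed SSH logins, busiest first
failed_ssh_by_source() {
  awk -v min="$2" '
    /sshd\[[0-9]+\]:/ && /Failed .* for .* from / {
      for (i = 1; i <= NF; i++) if ($i == "from") n[$(i+1)]++
    }
    END { for (a in n) if (n[a] >= min) print n[a], a }' "$1" | sort -rn
}

# failed_su_to_root FILE: sulog records where a switch to root was refused
# ("-" in the result column), printed as "date time tty user"
failed_su_to_root() {
  awk '$1 == "SU" && $4 == "-" && $6 ~ /-root$/ {
         sub(/-root$/, "", $6); print $2, $3, $5, $6 }' "$1"
}

failed_ssh_by_source "$TMPD/messages" 3
failed_su_to_root "$TMPD/sulog"
```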
Monitoring Who Is Using the su Command
Set Account Locking for Regular Users

1. Set the LOCK_AFTER_RETRIES security attribute to YES

# vi /etc/security/policy.conf
...
#LOCK_AFTER_RETRIES=NO
LOCK_AFTER_RETRIES=YES

2. Set the RETRIES security attribute to 3

# vi /etc/default/login
...
#RETRIES=5
RETRIES=3
3. Controlling Access to Files
UNIX File Permissions
Interpreting File Permissions
Special File Permissions

# ls -l /usr/bin/su
-r-sr-xr-x 1 root sys 22292 Jan 15 17:49 /usr/bin/su

Octal value 4### (setuid):

# chmod 4555 executable_file

# ls -l /usr/bin/write
-r-xr-sr-x 1 root tty 11484 Jan 15 17:55 /usr/bin/write

Octal value 2### (setgid):

# chmod 2555 executable_file

# ls -ld /tmp
drwxrwxrwt 6 root sys 719 May 31 03:30 /tmp

Octal value 1### (sticky bit):

# chmod 1777 public_directory


Finding files with special file permissions
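An added example, not from the deck, for the two slides above: it decodes an ls -l mode string into the 4-digit octal form shown earlier (including the s/S and t/T markers) and then finds every setuid or setgid file and sticky directory under a path. The directory tree is constructed in a temporary location and the function names are my own.

```shell
# Added example, not from the deck: decode an ls -l mode string into the
# 4-digit octal form used above, then find entries carrying the setuid,
# setgid or sticky bit in a constructed directory tree.
TMPD=$(mktemp -d)
touch "$TMPD/suid_tool" "$TMPD/sgid_tool" "$TMPD/plain"
mkdir "$TMPD/shared"
chmod 4555 "$TMPD/suid_tool"; chmod 2555 "$TMPD/sgid_tool"
chmod 0644 "$TMPD/plain";     chmod 1777 "$TMPD/shared"

# mode_to_octal MODESTRING: "-r-sr-xr-x" -> 4555, "drwxrwxrwt" -> 1777.
# A capital S or T marks a special bit whose underlying x bit is not set.
mode_to_octal() {
  m=$1; special=0; perm=""
  for start in 2 5 8; do                      # user, group, other triples
    t=$(printf '%s' "$m" | cut -c"$start"-"$((start+2))")
    v=0
    case "$t" in r??) v=$((v+4)) ;; esac
    case "$t" in ?w?) v=$((v+2)) ;; esac
    case "$t" in ??[xst]) v=$((v+1)) ;; esac
    case "$start$t" in
      2??[sS]) special=$((special+4)) ;;      # setuid
      5??[sS]) special=$((special+2)) ;;      # setgid
      8??[tT]) special=$((special+1)) ;;      # sticky
    esac
    perm="$perm$v"
  done
  echo "$special$perm"
}

# find_special DIR: files with setuid/setgid and directories with the sticky
# bit, printed as "octal path" so each hit can be compared with a baseline
find_special() {
  find "$1" \( -type f \( -perm -4000 -o -perm -2000 \) \) \
         -o \( -type d -perm -1000 \) 2>/dev/null |
  while read -r p; do
    echo "$(mode_to_octal "$(ls -ld "$p" | cut -c1-10)") $p"
  done
}
find_special "$TMPD" | sort
```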
Disabling Programs from Using Executable Stacks
4. TCP Wrappers on Solaris

Specifies the systems that are allowed access to network services
Enabling TCP Wrappers on Solaris

By default, tcp_wrappers is disabled:


# inetadm -p | grep tcp_wrappers
tcp_wrappers=FALSE

Enable TCP Wrappers support for inetd-based services

# inetadm -M tcp_wrappers=true
# svcadm refresh inetd

Check that the setting has taken effect for inetd


# inetadm -l telnet | grep tcp_wrappers
default tcp_wrappers=TRUE

# svcprop -p defaults inetd


defaults/tcp_wrappers boolean true
Add the allowed hosts to the /etc/hosts.allow file

sshd:10.151.197.151 - 10.151.197.176
in.telnetd:10.151.197.151 - 10.151.197.176
ftpd:10.151.197.151 - 10.151.197.176

Add the denied hosts to the /etc/hosts.deny file


sshd:10.151.197.
in.telnetd:10.151.197.
ftpd:10.151.197.
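An added example, not from the deck, that walks through the hosts_access lookup order (hosts.allow first, then hosts.deny, otherwise access granted) for the daemons and address patterns used above, so the effect of the two files can be checked before a service is exposed. Only ALL, a trailing-dot network prefix and exact IPv4 addresses are handled; the sample files are constructed in a temporary directory and list the allowed addresses explicitly, and the function names are my own.

```shell
# Added example, not from the deck: emulate the hosts_access(5) lookup order
# for the daemons and address patterns used above. Only ALL, a trailing-dot
# prefix and exact IPv4 addresses are handled; the files are constructed.
TMPD=$(mktemp -d)
cat > "$TMPD/hosts.allow" <<'EOF'
sshd: 10.151.197.151 10.151.197.176
in.telnetd: 10.151.197.151
EOF
cat > "$TMPD/hosts.deny" <<'EOF'
sshd: 10.151.197.
in.telnetd: ALL
EOF

# pattern_matches PATTERN CLIENT: ALL, "a.b.c." prefix, or exact address
pattern_matches() {
  case "$1" in
    ALL) return 0 ;;
    *.)  case "$2" in "$1"*) return 0 ;; esac ;;
    *)   [ "$1" = "$2" ] && return 0 ;;
  esac
  return 1
}

# file_matches FILE DAEMON CLIENT: true if a "daemons : clients" line matches
file_matches() {
  [ -r "$1" ] || return 1
  grep -v '^#' "$1" | while IFS=: read -r dlist clist; do
    for d in $dlist; do
      [ "$d" = "$2" ] || [ "$d" = ALL ] || continue
      for c in $clist; do
        pattern_matches "$c" "$3" && echo MATCH
      done
    done
  done | grep -q MATCH
}

# access_decision DAEMON CLIENT: hosts.allow grants first, then hosts.deny
# refuses, and a client matching neither file is granted access
access_decision() {
  if file_matches "$TMPD/hosts.allow" "$1" "$2"; then echo allow
  elif file_matches "$TMPD/hosts.deny" "$1" "$2"; then echo deny
  else echo allow; fi
}

access_decision sshd 10.151.197.151          # allow: listed in hosts.allow
access_decision sshd 10.151.197.200          # deny: matches 10.151.197. prefix
access_decision sshd 192.0.2.10              # allow: neither file mentions it
access_decision in.telnetd 10.151.197.176    # deny: ALL in hosts.deny
```

The third call shows the caveat of a prefix-only deny list: a client outside 10.151.197. is still granted access unless hosts.deny also carries an ALL entry.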
Thank You!
