Professional Documents
Culture Documents
June 2005
Darren J Moffat
Sr. Staff Engineer, Solaris Security
Solaris 10 Security
Agenda
● Solaris's Overall Security Goals
● Strategic Investment Areas
– Solaris 10 OS Features
– Solaris 10 Networking
● How do things fit together
● Applies to AMD64, SPARC and X86
2
Solaris 10 Security
Solaris Hardening
GOAL: Defend system from unauthorized access,
Provide high assurance of system integrity
4
Solaris 10 Security
Solaris 10 OS Security
● Conservative Security Posture @Install
– Minimal install option (Reduced Networking)
– More services off or local only after install
– Service Manager for hardening
● Privileges (Process Rights Mgmt)
– Decomposition of root privileges
– Default for compatibility (root has all privs)
– Privileges can be inherited or relinquished
● Zones (Containers)
– Virtualization into application environments
– Quarantine potentially risky software
– Global Zone can see into other zones (IDS use)
5
Solaris 10 Security
6
Solaris 10 Security
Solaris 10
Secure Remote Install (WANboot) Minimal Install Option
Service Management Framework Audit Enhancements
Granular Process Privileges Audit Logging w/syslog
File Integrity Checker (BART) Stateful Packet Filtering
Zones
7
Solaris 10 Security
Privilege Sets
● 48+ fine grained privileges instead of uid == 0
– ppriv -lv : Shows privilege and what it protects.
● Each process has 4 privilege sets in its' kernel cred:
● Inheritable set (I)
– The set of privileges child processes get on exec.
● Permitted set (P)
– The maximum set of privileges for the process
● Effective set (E)
– Subset of P that are currently asserted as needed by the process
● Limit set (L)
– Upper bound a process and its children can obtain (takes effect on
exec)
9
Solaris 10 Security
Basic Privileges
● New for Solaris 10 are basic privileges.
– Not in previous Trusted Solaris releases.
● These are things all normal users can normally do.
– proc_fork, proc_exec, proc_session,
proc_info, file_link_any
● Basic set will expand in future releases
● Dropping proc_fork and proc_exec from system
daemons that should never fork or exec gives extra protection
against buffer overflow exploits.
● Dropping proc_info means you can't even see other
processes exist.
11
Solaris 10 Security
12
Solaris 10 Security
$ ppriv -D $$
$ cat /etc/shadow
cat[3003]: missing privilege "file_dac_read" (euid =
35661, syscall = 225) needed at ufs_iaccess+0xd2
cat: cannot open /etc/shadow
$ cp /usr/sbin/ping /tmp
$ /tmp/ping jurassic
ping[3016]: missing privilege "net_icmpaccess" (euid = 35661,
syscall = 230) for "devpolicy" needed at so_socket+0xa7
/tmp/ping: socket Permission denied
13
Solaris 10 Security
14
Solaris 10 Security
15
Solaris 10 Security
SMF Profiles
● Solaris 10 GA has two SMF profiles
– generic.xml:
● Most services enabled similar to Solaris 9.
– generic_limited_net.xml
● Fewer remotely available network services enabled
● Only ssh for remote login, most other things off.
– More coming in future releases
● Support for site profile(s) to
enable/disable/configure services
– Applied after system default (one of the above)
16
Solaris 10 Security
LP:
LP: File
Web Integrity
Server Checker
Full FS
Access
LP–Less Privileged
Can be as simple as using SMF to start server 17
Solaris 10 Security
23
Solaris 10 Security
24
Solaris 10 Security
Password enhancements
● Failed login attempts can now lock account
– Accounts can be marked as no lock
● Can now unlock an account preserving old password,
passwd -u.
● Password history
● Improved control over password sanity checks
– Including cracklib support
● Support for pluggable crypt(3c) interface
– Supports Linux/BSD MD5 & Blowfish
– Custom modules (eg UK government)
25
Solaris 10 Security
Digest-MD5
CRAM-MD5
GSS-API
JCE
Module
Verification GSS-API
Provider
Daemon
JCE
Public Key
IKE
User-Level Kerberos
Certificate
Framework Consumer Interface (PKCS 11)
User-Level
Cert Validation
Cryptographic Framework
Private Keys
Certificates
Smart Card
Framework
26
Solaris 10 Security
Kerberos
IPsec IP
V5
Consumer Interface (KCAPI)
Kernel-Level
Cryptographic Framework Crypto/
Network
Color Index Provider Interface (KCSPI) Driver
LP–Less Privileged
Can be as simple as running server in a zone and starting it with SMF 29
Solaris 10 Security
Cryptographic Framework
Consumer Interface (PKCS 11)
Module
Verification User-Level
Daemon Cryptographic Framework
Provider Interface (PKCS 11)
Sun
Cryptoadm: Smart
Kernel Software
Policy & Configuration Card
Bridge Crypto
Plug-in Plug-in
/dev/cryptoadm /dev/crypto
Consumer Interface
Kernel-Level
Color Index Cryptographic Framework
a Future release Provider Interface
a Solaris 10
Sun Software Hardware
a ISV Interfaces Crypto Plug-in Accelerator
(DES, 3DES, AES, Crypto / Random
Blowfish, RSA,
MD5, SHA_1, ...) Plug-in
30
Solaris 10 Security
34
Solaris 10 Security
35
Solaris 10 Security
Kerberos Evolution
● Bundled Kerberos-aware applications
– Telnet, ftp, rsh, rlogin, rdist, KDC
– Mozilla, Apache, Secure Shell (via GSS-API)
● Enhanced interoperability and security
– TCP and IPv6 Support
– AES-128, AES-256, 3DES, RC4-HMAC
● Ease of deployment
– kclient automated system setup
– pam_krb5_migrate automated KDC population
● Incremental KDC DB propagation
37
Solaris 10 Security
Summary
● Role Based Access Control (RBAC)
● Process Least Privilege
● Zones (Solaris Containers)
● Packet Filter
● Service Management Framework
● Password enhancements
● Cryptographic Framework
● Kerberos enchancements
38
Questions?
Resources:
http://sun.com/solaris/security.jsp
Darren J Moffat
darren.moffat@sun.com
http://blogs.sun.com/darren