Thursday April 27, 2006
I've had an idea about removable media that I think would fit into Tamarack, based on some products I saw at the InfoSec expo this week.
There were companies selling add-on products for Windows that let you control exactly which bits of physical USB/Firewire media are allowed to be mounted by certain users. This was all Windows software. The business problem is basically that some users should be able to use USB/Firewire removable media but most should not. It also addresses the accountability issue, i.e. only company-supplied media should be used, not Joe Bloggs' iPod.
I think this would actually be very easy to fit into Tamarack so that we can have this control for local devices and devices on Sun Ray DTUs.
How I envisage this working is that there would be a device registration node somewhere on the network. It would "bless" a given USB/Firewire device as being allowed to be used by a certain user (or group of users) on a certain host (or group of hosts). This would update a repository that would be made available online to all clients in the network (say in LDAP). We also need an offline version of this repository for laptops (the assumption here is that the laptop user does NOT have full administrative access to the host, which is reasonable for corporate deployments).
When Tamarack notices a mass-storage device getting attached it would check the database (online or offline) to determine if the given device can be mounted by the requesting user.
For Trusted Extensions we probably also want the policy to include the MAC label the device is valid for.
I expect the policy would be based on a selection from: user/host/netgroup/group/label/deviceid.
This all assumes that for all USB devices there is a unique identifier that we can log that stays the same even after we reformat them. If that isn't the case this needs some more thought but should still be possible (I have some ideas).
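A sketch of the attach-time check described above, as added example code (not Tamarack code and not from the original post). The selectors follow the user/host/netgroup/group/label/deviceid list; the vendor/product/serial triple standing in for the device identifier is an assumption, since the post leaves that question open.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class DeviceId:
    """Identifier recorded at registration; assumed stable across reformatting."""
    vendor: str
    product: str
    serial: str

@dataclass(frozen=True)
class Blessing:
    """Repository entry. An empty selector means 'not constrained'."""
    device: DeviceId
    users: frozenset = frozenset()
    groups: frozenset = frozenset()
    hosts: frozenset = frozenset()
    netgroups: frozenset = frozenset()
    labels: frozenset = frozenset()

def _ok(allowed, actual):
    """A selector passes if it is unconstrained or shares a value with the request."""
    return not allowed or bool(allowed & actual)

def blessing_permits(b, device, user, groups, host, netgroups, label):
    return (b.device == device
            and _ok(b.users, {user}) and _ok(b.groups, groups)
            and _ok(b.hosts, {host}) and _ok(b.netgroups, netgroups)
            and _ok(b.labels, {label}))

def may_mount(device, user, groups, host, netgroups, label,
              online_repo=None, offline_repo=()):
    """Default deny: mount only if some blessing covers this device for this request.
    The offline copy (laptops) is consulted only when the online one is unreachable (None)."""
    repo = online_repo if online_repo is not None else offline_repo
    return any(blessing_permits(b, device, user, frozenset(groups), host,
                                frozenset(netgroups), label) for b in repo)

# Constructed sample data, not from any real deployment.
COMPANY_STICK = DeviceId("SunCorp", "SecureStick", "SN-0001")
PERSONAL_PLAYER = DeviceId("Acme", "MusicPlayer", "SN-9999")
OFFLINE_REPO = (Blessing(COMPANY_STICK, groups=frozenset({"finance"}),
                         netgroups=frozenset({"lan-desktops"}),
                         labels=frozenset({"CONFIDENTIAL"})),)

if __name__ == "__main__":
    print(may_mount(COMPANY_STICK, "alice", {"finance"}, "pc1",
                    {"lan-desktops"}, "CONFIDENTIAL", offline_repo=OFFLINE_REPO))  # True
```

An unregistered device, or a registered one presented by the wrong group, host, netgroup or label, is refused; an empty but reachable online repository also refuses, so a stale offline copy cannot override the network's current policy.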
I've just set up the start of a PAM page on OpenSolaris.org as part of the OpenSolaris security community.
http://opensolaris.org/os/community/security/projects/pam/
I started with some of the PAM modules that I've had sitting in my home directory. It was interesting, for me, to see that I wrote some of these about 9 years ago. I've released these under the CDDL.
If other community members have modules they would like to contribute then send me the code and a description and I'll put them up there.
Note that there is no commitment that these modules will appear in any future release of Solaris or any other OpenSolaris based distro, but there is also nothing stopping distro makers from doing so.
( Apr 27 2006, 03:37:37 PM BST )

Thanks to Jan Pechanec, the OpenSSL PKCS#11 engine that was written by the Sun cryptographic framework team is now available as a patch in the http://www.openssl.org/contrib area. It is under the same license as the core of OpenSSL. This means that it should now be much easier for sites like Blastwave to ship an OpenSSL with the same functionality as the one on OpenSolaris.
For Blastwave, et al., this patch should build just fine even on Solaris 8 and doesn't itself depend on the existence of PKCS#11.
The code for this has been available on opensolaris.org for quite some time; this should make it much easier for other platforms and distributions to use.
The next step for us is to work more with the OpenSSL team to get this as part of the core distribution.
Technorati Tags: OpenSolaris Solaris Crypto OpenSSL
( Apr 27 2006, 10:18:43 AM BST )