Monday Jul 23, 2007
I guess that it is time for another of my pet projects to come to light. For the last seven months or so (on and off),
I have been conducting some rudimentary fuzz testing on Solaris Nevada. Initially it started off as my winter (break) project with build 42 and has continued through a few other builds with my most recent being build 68.
For those unfamiliar with the concept, the goal of fuzz testing is to provide random input to programs and see how they behave. The results thus far have been pretty interesting. Many, in fact the vast majority, of programs in Nevada gracefully handled the input and either exited, provided a usage message or did something else equally benign. That said, a good number of programs failed to gracefully cope with the random input. In these cases, the typical response was a core dump although a few programs were triggered to enter an infinite loop - which was quite interesting.
The tests were conducted using code derived from the work published at the University of Wisconsin. In actuality, I only performed one of
a handful of tests that they support - stdin fuzz testing. Basically programs are subjected to the equivalent of:
$ program < [file_containing_some_random_input]
I would love to do some of their additional tests as time permits. At any rate, the results are in and to date, a
problem has been found with nearly 80 programs. Bug reports have been filed for each and every one and can be tracked
using the keyword fuzz at the OpenSolaris Bug Database Search. To
see the programs impacted thus far, try this link.
So far, a number of these have been reviewed and accepted and better still several have been already fixed and the
changes integrated back into the code base. Even cooler, some of the fixes have been accepted upstream in other
open-source projects such as X.org. What a great example of the participation age where the results of a single
test in Nevada have helped to improve the quality for every user of that code (regardless of the OS on which that
code is run).
Over time, I would love to see more sophisticated tests integrated into the testing process (e.g., command-line
argument aware fuzz input testing), but for now this will serve as a start to point us in the right direction.
I would love to know if others have conducted similar tests and how they turned out.
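The setup described above (random bytes on stdin, then watch for a crash or a hang) can be driven with a few lines of shell. The following is an added example, not the Wisconsin harness and not the code used for the tests in this post; the FUZZ_* knobs, the function names and the classification by exit status are its own assumptions. It runs the target under a wall-clock limit so an infinite loop shows up as a hang rather than stalling the run, treats death by SIGSEGV, SIGBUS, SIGABRT, SIGILL or SIGFPE as a crash, and keeps the inputs that caused either so the failure can be reproduced.

```shell
#!/bin/sh
# Added example, not the Wisconsin harness or the author's code: a minimal
# stdin fuzz driver for "program < random_file".  Each case feeds a fresh
# random blob on stdin under a wall-clock limit, and the outcome is classified
# from the exit status: a status above 128 means the child died from signal
# (status - 128).  Inputs that crash or hang the target are kept.
# Names and defaults below are this example's assumptions.

FUZZ_WORK=${FUZZ_WORK:-${TMPDIR:-/tmp}/fuzz.$$}   # scratch area and saved cases
FUZZ_TIMEOUT=${FUZZ_TIMEOUT:-5}                  # seconds before a run counts as a hang
FUZZ_MAXLEN=${FUZZ_MAXLEN:-4096}                 # largest random input, in bytes

# fuzz_input FILE LENGTH: write LENGTH random bytes to FILE.
fuzz_input() {
    dd if=/dev/urandom of="$1" bs=1 count="$2" 2>/dev/null
}

# fuzz_run_one INPUT CMD [ARG...]: run CMD with INPUT on stdin and print
# one word: clean, crash or hang.
fuzz_run_one() {
    input=$1; shift
    "$@" < "$input" > /dev/null 2>&1 &
    child=$!
    # Watchdog: SIGKILL the child if it is still running after FUZZ_TIMEOUT.
    # Its stdout is detached so a caller using $(...) is not held open by it.
    ( sleep "$FUZZ_TIMEOUT"; kill -s KILL "$child" 2>/dev/null ) > /dev/null 2>&1 &
    watchdog=$!
    rc=0
    wait "$child" || rc=$?
    kill "$watchdog" 2>/dev/null || :
    case $rc in
        137)                 echo hang  ;;   # 128 + SIGKILL(9): the watchdog fired
        132|134|136|138|139) echo crash ;;   # ILL, ABRT, FPE, BUS, SEGV
        *)                   echo clean ;;   # exited on its own (usage message, EOF, ...)
    esac
}

# fuzz_campaign ITERATIONS CMD [ARG...]: run ITERATIONS random cases against CMD
# and print "clean=N crash=N hang=N"; failing inputs land in $FUZZ_WORK/saved.
fuzz_campaign() {
    iters=$1; shift
    mkdir -p "$FUZZ_WORK/saved"
    clean=0; crash=0; hang=0; i=0
    while [ "$i" -lt "$iters" ]; do
        i=$((i + 1))
        casefile=$FUZZ_WORK/case.$i
        len=$(( $(od -An -N2 -tu2 /dev/urandom) % FUZZ_MAXLEN + 1 ))
        fuzz_input "$casefile" "$len"
        result=$(fuzz_run_one "$casefile" "$@")
        case $result in
            clean) clean=$((clean + 1)); rm -f "$casefile" ;;
            crash) crash=$((crash + 1)); mv "$casefile" "$FUZZ_WORK/saved/crash.$i" ;;
            hang)  hang=$((hang + 1));   mv "$casefile" "$FUZZ_WORK/saved/hang.$i" ;;
        esac
    done
    echo "clean=$clean crash=$crash hang=$hang"
}

# Usage:  fuzz_campaign 100 /usr/bin/sort
```

Whether a core file is also written depends on the process's core limit and the coreadm(1M) settings, so the driver classifies on the terminating signal rather than on the presence of a core. The "above 128" convention is the shell's own report of a signal death; a target that deliberately exits with such a status would be miscounted, which is the one case to check by hand.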
Take care,
Glenn
Technorati Tag:
OpenSolaris
Solaris
fuzz
security
Monday Jul 23, 2007
Way back when, I did a post that introduced the Solaris Interesting File Discovery Tool. Being a fan of automation, I had written the tool mainly for myself, but I was pleasantly surprised to hear that people were happily using it. This leads me to today's posting.
A month or so ago, Fredrich Maney dropped me an e-mail letting me know of his experience running the tool and what tweaks he had made to improve it for his environment. In particular, he wanted to run this tool on Solaris 9. Recognizing that
I had screwed up by not making the tool more broadly usable, I decided that an appropriate penance would be for me to
not only fix this bug but to also build in a few new enhancements. Today, I am happy to announce the arrival of the Solaris Interesting File Discovery tool version 0.4.
New in this version:
- Support for Solaris 9 (and likely 8) in addition to Solaris 10;
- Support for Solaris ELF signature verification (Solaris 10 only);
- Support for file fingerprint (MD5) generation (Solaris 10 only);
Yes, I do realize the irony of allowing the tool to run on older versions of the operating system while at the same
time adding new features for only Solaris 10 and newer. Unfortunately, the older versions of the operating system
simply do not support ELF signatures or the digest(1) command. Hey, these are just a few of the many good reasons why
you should consider adopting Solaris 10 today!
Moving on... Let's take it on a brief spin to see what things look like. First, let's check out the options available:
# ./ifd-v0.4.sh -h
./ifd-v0.4.sh - Interesting File Discovery Tool
ifd -[ugnw] [-ds] [-q] { -c | -l | [Solaris Product Directory] }
-c Collect information from /var/sadm/install/contents
-d Calculate MD5 digest for each file (Solaris 10 only)
-g Print information on files with the set-gid bit set
-h Display this message
-l Collect information from /var/sadm/pkg
-n Print information on WW directories without sticky bit set
-q Quiet mode. Do not print headers.
-s Validate ELF file signature for each file (Solaris 10 only)
-u Print information on files with the set-uid bit set
-w Print information on world writable files and directories
-? Display this message
So, let's fire it up with the works. In this example, we will use the /var/sadm/install/contents file as
our source and look for files that are set-uid, set-gid, or world writable (including a special check for world
writable directories that do not have their sticky bit set). Keep in mind that you can also point the tool at
the /var/sadm/pkg directory as well as a DVD/CD distribution depending on your needs. This allows you to
use the tool for a different OS (if you can point it at a mounted DVD for example) or your local system (without
a need for a separate OS distribution at all).
For each matching file, we will record:
- package that installed the file
- file permissions
- file owner
- file group
- status of ELF signature verification
- MD5 fingerprint (suitable for using with the Solaris Fingerprint Database)
- file name
So, without further ado...
# ./ifd-v0.4.sh -c -d -s -u -g -w -n
Set-UID Programs
SUNWaccu 4755 root adm PASS 0c003207377f5bd2a9b5be5394205384 /usr/lib/acct/accton
SUNWbip 4555 root bin PASS ff140f86524789942e3fc66867f5be40 /usr/sbin/ping
SUNWbnuu 4511 root uucp PASS 6cf336d0ccf51c2b66a241fc615dc2da /usr/bin/ct
SUNWbnuu 4511 uucp uucp PASS 03c7fab44124264943e892ff0f9f318e /usr/bin/uustat
SUNWbnuu 4511 uucp uucp PASS 1491a5a26b6936d3eed53eab01890bcc /usr/bin/uuglist
SUNWbnuu 4511 uucp uucp PASS 453cdc99764045086d813708e268914c /usr/lib/uucp/uusched
SUNWbnuu 4511 uucp uucp PASS 4ad108e11de2ce16cb5a804ee9618589 /usr/lib/uucp/uuxqt
SUNWbnuu 4511 uucp uucp PASS 4ca26f335387f825b786fe650001e2a1 /usr/lib/uucp/remote.unknown
SUNWbnuu 4511 uucp uucp PASS 65cca9d2de0955d87dc52220da544c14 /usr/bin/uuname
SUNWbnuu 4511 uucp uucp PASS 7059dea52454585b825d2fe731bd9ccf /usr/bin/uucp
SUNWbnuu 4511 uucp uucp PASS 784a41f571364cf7dd15d91798494528 /usr/lib/uucp/uucico
SUNWbnuu 4511 uucp uucp PASS bdb1aa92b2169d8774f1ad8aea589aa7 /usr/bin/uux
SUNWbnuu 4511 uucp uucp PASS d6bb0cfc77f20d31c64d3af07044b8f6 /usr/bin/cu
SUNWcacaort 4511 root sys PASS 5bce4227db29f95813a6c7c13cc7d46d /usr/lib/cacao/lib/tools/cacaocsc
SUNWcdrw 4755 root bin PASS 7ab3bed64d212595784a85f65b062d51 /usr/bin/cdrw
SUNWcsu 4511 uucp bin PASS d9ac90c128f8f2750b3a49ae0c340ab4 /usr/bin/tip
SUNWcsu 4555 root bin PASS 226f94dd9845c934a98fc7f2aaa19523 /usr/bin/fdformat
SUNWcsu 4555 root bin PASS 24cf3f5258e5df4acccfed98a8822af3 /usr/lib/fs/ufs/ufsdump
SUNWcsu 4555 root bin PASS 316e3db185c014eae1d7881293a72c41 /usr/lib/utmp_update
SUNWcsu 4555 root bin PASS 3bfd7b1fc9811058b24bcbd42f826dc2 /usr/bin/amd64/uptime
SUNWcsu 4555 root bin PASS 61c7000154baedd954a9e9dd461e390e /usr/lib/fs/ufs/quota
SUNWcsu 4555 root bin PASS 6269d65e9c176610ca42d498970eeff8 /usr/bin/login
SUNWcsu 4555 root bin PASS 6493ff50d04d5cdb4264407f0f2e8c78 /usr/sbin/i86/whodo
SUNWcsu 4555 root bin PASS 78fe5243a4dc6a5f4dca4e3e23c6a673 /usr/bin/i86/uptime
SUNWcsu 4555 root bin PASS 7b5f21df1819f2b69237579b8a1a0fe6 /usr/sbin/allocate
SUNWcsu 4555 root bin PASS 8c97df084b4e5f98e282857926fd86cb /usr/bin/pfexec
SUNWcsu 4555 root bin PASS bf1cb47e81689184214c6a83f63cdfb1 /usr/bin/crontab
SUNWcsu 4555 root bin PASS c96b766b4ccbac6431b1e815bb65bdde /usr/lib/fs/ufs/ufsrestore
SUNWcsu 4555 root bin PASS ca0d8f737092afaed8fb083668d80be1 /usr/sbin/traceroute
SUNWcsu 4555 root bin PASS f535cdc0d54439c14d8c92e915df83ea /usr/sbin/amd64/whodo
SUNWcsu 4555 root sys PASS 14bb586161ad6de0d6e8b891a797f385 /usr/bin/su
SUNWcsu 4555 root sys PASS e213aa06105763694156369709f7c0dd /usr/bin/amd64/newtask
SUNWcsu 4555 root sys PASS f88d0e395c4e5a8403e2273af8d73ea6 /usr/bin/i86/newtask
SUNWcsu 4755 root sys PASS 526d58c2ecc92e8678700a8514f697c5 /usr/bin/at
SUNWcsu 4755 root sys PASS 8c028119f2a38570f3bac37b4a0f83db /usr/bin/atq
SUNWcsu 4755 root sys PASS b3013b0aacd83a60208b015d47568040 /usr/sbin/sacadm
SUNWcsu 4755 root sys PASS c84a3ab1da0e4db2fdfb45ea20bdb51e /usr/bin/newgrp
SUNWcsu 4755 root sys PASS eaaf142b658cafa113a8ec0c41e0ecdb /usr/bin/atrm
SUNWcsu 6555 root sys PASS 5c2f4716b3713a6b3258dc3ef9b3b5c7 /usr/bin/passwd
SUNWdtbas 6555 root sys PASS b7203985ff6f6d5d2d356597a4864d11 /usr/dt/bin/dtaction
SUNWdtdmn 6555 root daemon PASS fc82558b87e32747c81f398a9656e90d /usr/dt/bin/sdtcm_convert
SUNWdtdst 4555 root bin PASS 62343f01fb78de1f18cea2e3dc10bb0c /usr/dt/bin/dtprintinfo
SUNWdtdst 4555 root bin PASS 624a41d131fb86054da0f860c898e97e /usr/dt/bin/dtfile
SUNWdtdte 4555 root bin PASS 86794ad490355171a79d6941f0babde3 /usr/dt/bin/dtappgather
SUNWdtwm 4555 root bin PASS 3dd7de38e474409e4e677bacc10130b9 /usr/dt/bin/dtsession
SUNWgnome-sys-suspend 4711 root bin UNSIGN 290ca164439161635c0d23d525bcead8 /usr/lib/gnome-suspend
SUNWmcos 4555 root sys PASS 381166949a022ebf659ef0cab6e275ff /usr/lib/webconsole/adminverifier
SUNWmcos 4555 root sys PASS fe73cd9209baf01586c2bc44b003434e /usr/lib/webconsole/pamverifier
SUNWnisu 4555 root sys PASS f6f934c50750f22791b1a4a23db437cd /usr/bin/chkey
SUNWpcu 4511 root lp PASS 6b71b3fb8bd8edeb77e90bcb40896842 /usr/bin/lpset
SUNWpmowu 4555 root bin PASS ecabbf94c13052cfe793985f388a3357 /usr/openwin/bin/sys-suspend
SUNWpmu 4555 root bin PASS 5f13d302a6ae4d5e0d3d03e28fa8f845 /usr/sbin/pmconfig
SUNWpppdu 4555 root bin PASS f762762ffe2349a59156b2621d540db6 /usr/bin/pppd
SUNWpprou 4555 root bin PASS 227be03e256c6dcc8c07c45275837195 /usr/sbin/smpatch
SUNWpsm-lpd 4511 root bin PASS 69b0a7e7ef6952a3bf0b9094a718b85b /usr/lib/print/lpd-port
SUNWpsu 4511 root bin PASS e80d4264a38f803dc6ca696d22c0e97e /usr/lib/lp/bin/netpr
SUNWrcmdc 4555 root bin PASS 49fab30241d57a8ab085804312238a94 /usr/bin/rcp
SUNWrcmdc 4555 root bin PASS 54391ee93e29e392d094260b3d4b3d68 /usr/bin/rsh
SUNWrcmdc 4555 root bin PASS 569ac7fbd0df6eea1430a601b7ecca39 /usr/bin/rlogin
SUNWrcmdc 4555 root bin PASS 5f206a9c57570976301642b8a929d94d /usr/bin/rdist
SUNWrmvolmgr 4555 root bin PASS e8f97baf47fe6400567e0518c259e157 /usr/bin/rmformat
SUNWsndmu 4555 root bin PASS 6df3ae57fb3cc0f83bea9f806ebcb84f /usr/bin/mailq
SUNWsshcu 4555 root bin PASS 6a5efb5008794fa74074de7f06e1456a /usr/lib/ssh/ssh-keysign
SUNWwlanr 4755 root bin PASS b907467dcbc24e79f191fc31f90fae6d /sbin/wificonfig
SUNWxcu4 4555 root bin PASS 97cc4f6659c3f8b85910d28c07c0fa9c /usr/xpg4/bin/crontab
SUNWxcu4 4755 root sys PASS f4ae837685c632d8df16891caa718053 /usr/xpg4/bin/at
SUNWxcu6 4555 root bin PASS 418a5488f784886fb545afc70530e59f /usr/xpg6/bin/crontab
SUNWxorg-server 4555 root bin PASS 5641dd1147ea1a088dba31235d898aa3 /usr/X11/bin/i386/Xorg
SUNWxorg-server 4555 root bin PASS 83ece035a60d7f98ed2ab1b15dbd3c76 /usr/X11/bin/amd64/Xorg
SUNWxsun-server 4755 root bin PASS 1938f2c3b4548ad0113ce52ef2d3d328 /usr/openwin/bin/Xsun
SUNWxwplt 4755 root bin PASS 515b26b22fa5d787808a993512202600 /usr/openwin/bin/xlock
SUNWxwsvr 4555 root bin PASS f2187476d6491e7b439b997259a10062 /usr/X11/bin/xscreensaver
Set-GID Programs
SUNWcsu 2511 root mail PASS 0a732e9746d3033f82bd1a19c7521dfb /usr/bin/mailx
SUNWcsu 2511 root mail PASS 38aa1ab24793bcbd9dbff6b22447bf2a /usr/bin/mail
SUNWcsu 2555 root bin PASS b36e0818f80a0c2e2f0710d23e184d5d /usr/sbin/eeprom
SUNWcsu 2555 root sys PASS 128eeaab017cbb492f0f0bbfcfdc8ff1 /usr/sbin/amd64/prtconf
SUNWcsu 2555 root sys PASS 1e60d93817985dedb7720e1e5ab6892c /usr/sbin/i86/prtconf
SUNWcsu 2555 root sys PASS 3099609858ed2234ffaaa597ec5d3bba /usr/sbin/amd64/sysdef
SUNWcsu 2555 root sys PASS 51f912b98d75019889c8921f5b42e826 /usr/sbin/amd64/swap
SUNWcsu 2555 root sys PASS 749a05fa3cbe0f27a220678a9defe895 /usr/sbin/i86/sysdef
SUNWcsu 2555 root sys PASS c3ec5940f697917257fca3a16ec1a07a /usr/sbin/i86/swap
SUNWcsu 2555 root tty PASS 091ee44402b7870a55e8f3d47adb7ce2 /usr/sbin/wall
SUNWcsu 2555 root tty PASS 26116f7ed5064c4e29720b629d824bb9 /usr/bin/write
SUNWcsu 2755 root sys PASS 7b44b3ead9ecda4c465a826c2ab56ed9 /usr/sbin/prtdiag
SUNWcsu 6555 root sys PASS 5c2f4716b3713a6b3258dc3ef9b3b5c7 /usr/bin/passwd
SUNWdtbas 6555 root sys PASS b7203985ff6f6d5d2d356597a4864d11 /usr/dt/bin/dtaction
SUNWdtdmn 6555 root daemon PASS fc82558b87e32747c81f398a9656e90d /usr/dt/bin/sdtcm_convert
SUNWdtdst 2555 root mail PASS 36dd0001f2ed41be07b027d1c02d115d /usr/dt/bin/dtmailpr
SUNWdtdst 2555 root mail PASS fdae40512f82352ba3e74f1b463f97b1 /usr/dt/bin/dtmail
SUNWgnome-games 2555 root bin PASS 103f02a4a24446506c7f8ace5026cbe3 /usr/bin/gnobots2
SUNWgnome-games 2555 root bin PASS 3db3e19d6299bfa875501179d99846ec /usr/bin/mahjongg
SUNWgnome-games 2555 root bin PASS 411180c45b893cac7c0dc673849c5097 /usr/bin/gnotravex
SUNWgnome-games 2555 root bin PASS 60acedf6d46a25884726273d56b7bc0f /usr/bin/glines
SUNWgnome-games 2555 root bin PASS 6f80e05e7b954b46516ca69cd7fc1377 /usr/bin/gnibbles
SUNWgnome-games 2555 root bin PASS 7db26899831c27556158d650fc8bbde8 /usr/bin/gtali
SUNWgnome-games 2555 root bin PASS a9694142b04f9cd030b87a2f5392d4af /usr/bin/gnotski
SUNWgnome-games 2555 root bin PASS b31d94aadd219580d7fc0e8480c35279 /usr/bin/same-gnome
SUNWgnome-games 2555 root bin PASS ca97825cae9ab8fa3a6ee5aff97768e3 /usr/bin/gnomine
SUNWsndmu 2555 root smmsp PASS 6350af850a401cb3c609d9e0067958ac /usr/lib/sendmail
SUNWxprint-server 2755 root root PASS 36d71e7b95bf992c9101a0c9f44779fd /usr/openwin/bin/Xprt
SUNWxwplt 2755 root root PASS 59a296e934338ef9fa2d33347d8ed750 /usr/openwin/bin/lbxproxy
World Writable Files
SUNWbnur 1777 uucp uucp NOTELF [Target_Is_Directory] /var/spool/uucppublic
SUNWcsr 0666 root bin NOTELF d41d8cd98f00b204e9800998ecf8427e /var/adm/spellhist
SUNWcsr 1777 root bin NOTELF [Target_Is_Directory] /var/preserve
SUNWcsr 1777 root mail NOTELF [Target_Is_Directory] /var/mail
SUNWcsr 1777 root sys NOTELF [Target_Is_Directory] /var/tmp
SUNWdtscm 0666 root root NOTELF eb6d8ae6f20283755b339c0dc273988b /var/dt/dtpower/_current_scheme
SUNWdtscm 1777 root root NOTELF [Target_Is_Directory] /var/dt/dtpower/schemes
SUNWiqr 1777 root sys NOTELF [Target_Is_Directory] /var/imq/instances
SUNWkrbr 1777 root sys NOTELF [Target_Is_Directory] /var/krb5/rcache
SUNWmconr 0777 root sys NOTELF [Target_Is_Directory] /var/webconsole/tmp
SUNWpkgcmdsr 1777 root bin NOTELF [Target_Is_Directory] /var/spool/pkg
SUNWscpr 1777 root sys NOTELF [Target_Is_Directory] /tmp
SUNWsmbar 1777 root bin NOTELF [Target_Is_Directory] /var/spool/samba
Non-Sticky World Writable Directories
SUNWmconr 0777 root sys NOTELF [Target_Is_Directory] /var/webconsole/tmp
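To show what the report above is actually computed from, here is an added example, not the ifd tool's code, that performs the set-uid, set-gid and world-writable checks directly against a file in contents(4) format. The per-type field layout (regular files carry size, checksum and modification time before the package name; character and block devices carry major and minor numbers before the mode; symbolic and hard links carry no mode at all) is the one documented in contents(4). The sample file the block writes is constructed for a dry run, and its sizes, checksums and times are made up. The ELF signature and MD5 columns are omitted because they require elfsign(1) and digest(1) on the host being audited.

```shell
#!/bin/sh
# Added example, not the ifd tool's own code: the set-uid / set-gid /
# world-writable search done directly against a contents(4) file, so the logic
# behind the report can be read and run (against the live system or an
# alternate root's /var/sadm/install/contents) without the tool.

# ifd_scan CONTENTS_FILE: one line per finding, "KIND PKG MODE OWNER GROUP PATH".
# KIND is SETUID, SETGID or WORLDWRITE; a world-writable directory with no sticky
# bit is reported a second time as NOSTICKY.
ifd_scan() {
    awk '
    # Index of the mode field for entry types that carry a mode.  Symlinks (s)
    # and hard links (l) have none; character/block devices (c/b) list
    # major and minor first, so their mode is two fields further right.
    function modefield(type) {
        if (type ~ /^[fevdxp]$/) return 4
        if (type ~ /^[cb]$/)     return 6
        return 0
    }
    # i-th octal digit of mode m counting from the right (0 = "other" digit,
    # 3 = set-uid/set-gid/sticky digit); a missing leading digit reads as 0.
    function digit(m, i) { return (length(m) > i) ? substr(m, length(m) - i, 1) + 0 : 0 }

    substr($1, 1, 1) != "/" { next }              # header and comment lines
    {
        type = $2; i = modefield(type)
        if (i == 0) next
        mode = $(i); owner = $(i + 1); group = $(i + 2)
        if (mode !~ /^[0-7]+$/) next              # "?" = not specified by the package
        # first package name: after size/cksum/modtime for regular files,
        # directly after the group for everything else
        pkg = (type ~ /^[fev]$/) ? $(i + 6) : $(i + 3)
        special = digit(mode, 3); other = digit(mode, 0)
        if (int(special / 4) % 2 == 1) print "SETUID", pkg, mode, owner, group, $1
        if (int(special / 2) % 2 == 1) print "SETGID", pkg, mode, owner, group, $1
        if (int(other / 2) % 2 == 1) {
            print "WORLDWRITE", pkg, mode, owner, group, $1
            if (type == "d" && special % 2 == 0)
                print "NOSTICKY", pkg, mode, owner, group, $1
        }
    }' "$1"
}

# ifd_sample FILE: write a small constructed contents(4) fragment for a dry run.
# Sizes, checksums and times are made up; paths and modes mirror the report.
ifd_sample() {
    cat > "$1" <<'EOF'
# Package file list (constructed sample, not a real contents file)
/usr/bin/su f none 4555 root sys 34584 7891 1106444790 SUNWcsu
/usr/bin/passwd f none 6555 root sys 29448 13121 1106444790 SUNWcsu
/usr/bin/write f none 2555 root tty 12380 18652 1106444790 SUNWcsu
/usr/bin/ls f none 0555 root bin 25240 29131 1106444790 SUNWcsu
/usr/bin/sh=../../sbin/sh l none SUNWcsu
/bin=./usr/bin s none SUNWcsr
/var/adm/spellhist e none 0666 root bin 0 0 1106444790 SUNWcsr
/var/tmp d none 1777 root sys SUNWcsr
/var/webconsole/tmp d none 0777 root sys SUNWmconr
EOF
}

# Usage against the live system:  ifd_scan /var/sadm/install/contents | sort
```

On the sample, /usr/bin/passwd is reported twice (set-uid and set-gid, mode 6555), /var/tmp once (world writable but sticky) and /var/webconsole/tmp twice (world writable and non-sticky), which is the same shape as the tool's sections above. Note that this reads what the packages declared, not what is on disk; a file whose mode was changed after installation will only show up when you compare against the live filesystem (which is what the MD5 and signature columns, or BART, are for).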
So whether you are interested in finding set-uid or set-gid programs, verifying their integrity (directly via elfsign(1) or using the Solaris Fingerprint Database) or perhaps something else entirely, the Solaris Interesting File Discovery
tool could be another useful weapon in your security auditing/forensics arsenal.
For those interested, this output is from a Nevada build 68 system running in Parallels Desktop for Mac OS X otherwise
known as my desktop!
At any rate, check out the tool and drop me a note with your feedback! I would love to hear from you!
Take care,
Glenn
Technorati Tag:
OpenSolaris
Solaris
security
Wednesday Feb 28, 2007
Today, there has been a lot of discussion about the new telnet worm which exploits the
recently announced
telnet vulnerability in Solaris 10 and Nevada.
Aside from the usual recommendation (you should not be using telnet;
you should be using SSH), I would like to cast a vote for the use of
IP Filter. IP Filter is quick and easy to configure and can help give
you visibility into attacks such as this. Beyond its initial use as an
enforcement point (blocking access to services such as telnet), IP Filter
is also a great tool to allow you to see what other systems are attempting
to do to yours.
An ipmon(1M) log entry for a blocked connection attempt from the telnet worm may look something like:
Feb 27 15:26:38 blackhole ipmon[100]: [ID 702911 local0.warning] 15:26:38.269526 ip.tun0 @0:11 b 192.168.1.112,55039 -> 192.168.19.6,23 PR tcp len 20 52 -S I
With this format, you could quickly whip up a script to tell you who is
knocking on your system's telnet door (even if telnet happens to be disabled -
which is the case on my system). See:
blackhole$ getent hosts `grep ipmon /var/adm/debug | grep " b " |\
grep ",23 PR" | awk '{ print $13 }' | awk -F, '{ print $1 }' | sort -u`
10.1.42.252 europa
10.1.88.164 io
10.1.90.171 castor
10.3.29.39 pollux
192.168.174.48 orion
192.168.43.112 mercury
With just a little scripting, you can easily find the systems (particularly
in an enterprise) that need some
special love and attention.
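As an added example (not the post's one-liner), the following generalises the pipeline above: instead of relying on fixed field positions, it locates the "src -> dst" marker in each ipmon line, restricts itself to blocked (b) TCP traffic to a port given as an argument, and reports how many times and when each source tried. The port argument and the function names are this example's own; of the sample lines it writes, only the first is the line from the post, and the rest are constructed to exercise the filter.

```shell
#!/bin/sh
# Added example, not the post's one-liner: an ipmon(1M) log summariser.  It
# finds the "src -> dst" token instead of assuming field 13, keeps only
# blocked TCP attempts to the requested port, and counts per source address.

# ipmon_knockers LOGFILE PORT: for every blocked TCP connection attempt to PORT,
# print "HITS SOURCE_IP FIRST_SEEN LAST_SEEN", busiest source first.
ipmon_knockers() {
    awk -v port="$2" '
    /ipmon\[/ {
        # the action letter sits two fields before "->", the source one before,
        # the destination one after, "PR" and the protocol name two and three after
        for (i = 1; i <= NF; i++) if ($i == "->") break
        if (i < 3 || i > NF - 3) next
        action = $(i - 2); src = $(i - 1); dst = $(i + 1); proto = $(i + 3)
        if (action != "b" || $(i + 2) != "PR" || proto != "tcp") next   # blocked TCP only
        if (split(dst, d, ",") != 2 || d[2] != port) next              # our port only
        split(src, s, ",")                                             # drop the source port
        ip = s[1]
        ts = $1 " " $2 " " $3                                          # syslog timestamp
        if (!(ip in hits)) first[ip] = ts
        hits[ip]++; last[ip] = ts
    }
    END { for (ip in hits) print hits[ip], ip, first[ip], last[ip] }
    ' "$1" | sort -rn
}

# ipmon_sample FILE: constructed ipmon lines in the format shown above.  The
# first is the line from the post; the others are made up to exercise the filter
# (a repeat probe, a second source, a passed SSH connection, an ICMP block and a
# block on a different port).
ipmon_sample() {
    cat > "$1" <<'EOF'
Feb 27 15:26:38 blackhole ipmon[100]: [ID 702911 local0.warning] 15:26:38.269526 ip.tun0 @0:11 b 192.168.1.112,55039 -> 192.168.19.6,23 PR tcp len 20 52 -S I
Feb 27 15:27:02 blackhole ipmon[100]: [ID 702911 local0.warning] 15:27:02.101044 ip.tun0 @0:11 b 192.168.1.112,55041 -> 192.168.19.6,23 PR tcp len 20 52 -S I
Feb 27 15:30:19 blackhole ipmon[100]: [ID 702911 local0.warning] 15:30:19.551200 e1000g0 @0:11 b 10.1.42.252,40022 -> 192.168.19.6,23 PR tcp len 20 52 -S I
Feb 27 15:31:40 blackhole ipmon[100]: [ID 702911 local0.warning] 15:31:40.007731 e1000g0 @0:3 p 10.1.88.164,51000 -> 192.168.19.6,22 PR tcp len 20 60 -S IN
Feb 27 15:32:05 blackhole ipmon[100]: [ID 702911 local0.warning] 15:32:05.330018 e1000g0 @0:11 b 10.1.90.171 -> 192.168.19.6 PR icmp len 20 84 icmp 8/0 IN
Feb 27 15:33:11 blackhole ipmon[100]: [ID 702911 local0.warning] 15:33:11.800902 e1000g0 @0:11 b 10.1.90.171,3000 -> 192.168.19.6,2323 PR tcp len 20 52 -S I
EOF
}

# Usage:  ipmon_knockers /var/adm/debug 23 | awk '{ print $2 }' | xargs getent hosts
```

This assumes, as the post does, that syslog routes ipmon's local0 messages to /var/adm/debug. Resolving the addresses is left to getent hosts afterwards, exactly as above, so the summary itself stays usable offline or on a box with no name service.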
Technorati Tag:
OpenSolaris
Solaris
security
telnet
Saturday Nov 04, 2006
I just wanted to take a quick moment to announce the creation of a new
Presentations page in the
OpenSolaris
Security Community. This page has grouped together a bunch of the known Solaris 10 and OpenSolaris presentations into one easy-to-find place.
To help kick this off, I have also uploaded a few new presentations including:
- Practical Solaris 10 Security. This presentation was originally given at the NSA Red Team/Blue Team Symposium and focuses on security controls from the viewpoint of someone attacking a Solaris 10 system. The goal of this presentation is to highlight the various protections that exist as well as highlight how they can be used together (in the spirit of defense in depth) to better protect systems, services and data from attackers.
- Enhancing Security Awareness and Control with DTrace. This presentation was given at the Sun Conference Engineering Conference and looks at how DTrace can potentially be used to provide greater (and more focused) insight into security-related events happening on a system. This presentation was given with a hands-on demonstration. The code for that demonstration will be made available shortly.
- Solaris 10 Security Technical Deep Dive. This is an updated version of a presentation that I have shared earlier. It has been tweaked and updated to account for functionality in Solaris 10 11/06 (Update 3).
If you have any feedback on these or any of the other presentations or if you are aware of Solaris 10 or OpenSolaris presentations that exist and can be referenced on the OpenSolaris Security Presentations page, please
drop us a note.
Take care!
Glenn
Technorati Tag:
OpenSolaris
Solaris
security
Tuesday Sep 26, 2006
Will wonders never cease? Today, I decided to plug my Treo 700p smart phone
into my newly upgraded Solaris laptop.
Honestly, I was not sure what would happen as this was the first time that I had tried to connect up a Palm device.
My goal for doing this was simple. I wanted to synchronize my calendar to my phone so that I would have a list of my appointments while I was on the road. I had wanted to use something more direct like SyncML, but that option was not available to me. Oh, well... I have been using Evolution lately to manage my appointments. What is interesting about my configuration is that my calendar is hosted on Sun's EdgeCal service which allows me to easily access and share my calendar from the Internet or within Sun. EdgeCal is basically a Sun Java System Calendar Server environment and I use the JESCS Evolution Connector to access EdgeCal. By the way, this all worked out of the box too!
So, back to today's experiment... Since Evolution already has an ability to synchronize with devices such as Palm Pilots, I decided to give that a try. The process was completely painless. I simply connected up the 700p via a USB port (actually on a USB hub since I am also using a USB keyboard and mouse), provided some basic settings information to Evolution (Pilot Synchronization Dialog) and hit the HotSync button. Evolution was able to not only find my device but also push the calendar information from EdgeCal to my phone in a matter of seconds. Way cool.
What is really nice is that I can also use the pilot-xfer command to back up the device (to a ZFS partition in my case). You really have to love it
when things just work.
Take care,
Glenn
Technorati Tag:
OpenSolaris
Solaris
laptop
treo700p
Friday Sep 08, 2006
In a previous posting, I talked about the following certification exam (then in development): Sun Certified Security Administrator for the Solaris 10 Operating System. I would like to thank everyone who volunteered to participate in the beta program! Your support is greatly appreciated and helps to improve the quality of the exam (and certification) for everyone!
I am now happy to announce that the exam is ready to go live and will open on September 25th! If you are a Solaris Systems, Network and/or Security Administrator, you definitely want to consider testing for this certification.
For more details on this exam including a description of the exam, its prerequisites, as well as recommended training and other resources, check out the certification exam page.
Take care,
Glenn
Technorati Tag:
OpenSolaris
Solaris
security
Tuesday Sep 05, 2006
Today, I would like to go over a few of the changes that I made to my laptop in order to improve upon its overall security configuration. It should be noted that the list of changes made is relatively small (from the default) and is based upon how I plan to actually use the system. As a result, you may need more or different changes than those listed here based upon your specific needs. With that said, let's get into the details.
Nevada by default enforces the settings specified by the Secure by Default project. As a result, there were no network services listening on my laptop for external connections (with the exception of Secure Shell). This is a great start and significantly simplifies getting a desktop or laptop secured and ready for the network. Since I generally do not permit inbound access to my laptop, I also disabled Secure Shell:
blackhole$ pfexec svcadm disable ssh
blackhole$ svcs ssh
STATE STIME FMRI
disabled 21:30:12 svc:/network/ssh:default
At this point, there are literally no local services listening that an external person could access. As the need arises, I will temporarily enable services such as SSH or perhaps VNC (x11vnc), but the default is to leave them disabled until they are required.
Next, I configured IP Filter - the firewall software built into Solaris. I have been a huge fan of IP Filter for years and was absolutely thrilled to see it integrated into Solaris 10. The configuration that I use is based upon a version for laptops that was developed by Darren Moffat. To be completely honest, I have a few different firewall policies that are automatically installed based on the network profile that I have selected. This allows me, for example, to have one firewall policy when I am connected via Ethernet on my home network and a different one when I am travelling.
Before installing the firewall policy, I needed to configure the file /etc/ipf/pfil.ap. Since I am working from a Toshiba Tecra M2, I had to uncomment the entry for the e1000g driver and add an entry for the ath driver as follows:
# egrep "e1000g|ath" /etc/ipf/pfil.ap
e1000g -1 0 pfil
ath -1 0 pfil
Next, I installed Darren's firewall configuration, /etc/ipf/ipf.conf, which is shown below as the baseline. I will not provide my own
per-profile settings - leaving that part of the firewall configuration as an exercise for the reader.
#
# ipf.conf
#
# IP Filter rules to be loaded during startup
#
# See ipf(4) manpage for more information on
# IP Filter rules syntax.
pass out quick all keep state keep frags
# Drop all NETBIOS traffic but don't log it.
block in quick from any to any port = 137 #netbios-ns
block in quick from any to any port = 138 #netbios-dgm
block in quick from any to any port = 139 #netbios-ssn
# Allow incoming IKE/IPsec
pass in quick proto udp from any to any port = ike
pass in quick proto udp from any to any port = 4500
pass in proto esp from any to any
# Allow ping
# pass in quick proto icmp from any to any icmp-type echo
# Allow routing info
# pass in quick proto udp from any to port = route
# pass in quick proto icmp from any to any icmp-type 9 # routeradvert
# pass in quick proto igmp from any to any
# Block and log everything else that comes in
block in log all
# No "quick" on these two, so as the last matching rules they take precedence
# over the logging rule above: broadcast and loopback noise is dropped without being logged.
block in from any to 255.255.255.255
block in from any to 127.0.0.1/32
For the first time IP Filter configuration, there are a few other steps that I will not
cover here now. Check out the documentation for the specifics.
With this complete, I turned my attention inward for a few additional configuration changes. You can read more about them in the Solaris 10 Benchmark published by the Center for Internet Security.
First, I modified the /etc/security/policy.conf file to set my default crypt(3C) algorithm to Sun MD5:
# The Solaris default is the traditional UNIX algorithm. This is not
# listed in crypt.conf(4) since it is internal to libc. The reserved
# name __unix__ is used to refer to it.
#
CRYPT_DEFAULT=md5
This is useful for a variety of reasons, most notably because it would freak out any script kiddy running stock
versions of Crack and john in an attack to guess passwords. In their stock
configurations (just download, compile and run), neither of these tools can successfully deal with the Sun MD5
password format. See the crypt_sunmd5(5) manual page:
This module is designed to make it difficult to crack passwords
that use brute force attacks based on high speed MD5
implementations that use code inlining, unrolled loops, and
table lookup.
Moving on, I enabled the following coreadm configuration:
# coreadm
global core file pattern: /var/core/core_%n_%f_%u_%g_%t_%p
global core file content: default
init core file pattern: core
init core file content: default
global core dumps: enabled
per-process core dumps: disabled
global setid core dumps: enabled
per-process setid core dumps: disabled
global core dump logging: enabled
This is nice in that the system will notify me (via syslog) of core dumps:
Sep 5 15:01:16 blackhole genunix: [ID 603404 kern.notice] NOTICE: core_log: sleep[5691] core dumped: /var/core/core_blackhole_sleep_101_101_1157482876_5691
and will store the core files in a protected directory, /var/core:
$ ls -ld /var/core
drwx------ 2 root root 512 Sep 3 21:13 /var/core
Moving along, I also set the following parameters:
# grep "noexec_user_stack" /etc/system
set noexec_user_stack = 1
set noexec_user_stack_log = 1
# grep nfs_portmon /etc/system
set nfssrv:nfs_portmon = 1
# grep TCP_STRONG_ISS= /etc/default/inetinit
TCP_STRONG_ISS=2
These are typical changes and are discussed in older Sun BluePrints as well as the CIS Benchmark. Next, I also created the loginlog file:
# ls -l /var/adm/loginlog
-rw------- 1 root sys 0 Sep 3 21:16 /var/adm/loginlog
and enabled debug logging in syslog:
# grep '*.debug' /etc/syslog.conf
*.debug /var/adm/debug
Be sure to create the /var/adm/debug file before restarting syslog. In addition, I also disabled login access on the laptop's serial ports:
# pmadm -d -p zsmon -s ttya
# pmadm -d -p zsmon -s ttyb
After installing a few basic warning banners in the typical places (see the CIS guide), I also changed
root's home directory, converted
root to be a
Solaris role, and assigned the rights to assume
root to only my local account:
$ getent passwd root
root:x:0:0:Super-User:/root:/sbin/sh
$ grep "^root:" /etc/user_attr
root::::type=role;[...]
$ roles
root
Lastly, using the normal methods, I also enabled and configured Solaris auditing and BART so that I can keep
tabs on what is going on. Of course, this is also in addition to BIOS and GRUB security changes that I will
not cover in this post.
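Since these are one-time edits, it is worth being able to re-check them later (after a patch or an upgrade, say) rather than trusting that they stuck. The following is an added example, not part of the post: a read-only audit of the file-based settings above. The optional ROOT argument, which lets it read the files under an alternate root such as a mounted backup, is this example's assumption; with no argument it reads the live system. The coreadm, pmadm, role and banner changes are not covered here.

```shell
#!/bin/sh
# Added example, not from the post: a read-only audit of the hardening settings
# changed above.  ROOT (this example's assumption) may point at an alternate
# root; empty means the live system.  Output is one PASS/FAIL line per check.

# kv_get FILE KEY: value of a KEY=value line, ignoring commented-out copies
# such as "#CRYPT_DEFAULT=__unix__".
kv_get() {
    awk -F= -v k="$2" '$1 == k { v = $2 } END { print v }' "$1" 2>/dev/null
}

# sys_get FILE VAR: value of "set VAR = value" in /etc/system syntax
# (whitespace around "=" is optional there, "*" starts a comment).
sys_get() {
    awk -v k="$2" '
        $1 == "set" { sub(/^[ \t]*set[ \t]+/, ""); gsub(/[ \t]/, "")
                      if (split($0, a, "=") == 2 && a[1] == k) v = a[2] }
        END { print v }' "$1" 2>/dev/null
}

# check_eq LABEL ACTUAL WANTED: print one PASS or FAIL line.
check_eq() {
    if [ "$2" = "$3" ]; then echo "PASS $1 = $2"
    else echo "FAIL $1 = '${2:-unset}' (want $3)"; fi
}

# hardening_check [ROOT]: run every check and print one line per result.
hardening_check() {
    root=${1:-}
    check_eq CRYPT_DEFAULT         "$(kv_get "$root/etc/security/policy.conf" CRYPT_DEFAULT)" md5
    check_eq noexec_user_stack     "$(sys_get "$root/etc/system" noexec_user_stack)" 1
    check_eq noexec_user_stack_log "$(sys_get "$root/etc/system" noexec_user_stack_log)" 1
    check_eq nfs_portmon           "$(sys_get "$root/etc/system" nfssrv:nfs_portmon)" 1
    check_eq TCP_STRONG_ISS        "$(kv_get "$root/etc/default/inetinit" TCP_STRONG_ISS)" 2
    # loginlog is only used if it exists, and it should be readable by root alone.
    # The first ten characters of ls -l are the permission string on any Unix.
    mode=$(ls -ld "$root/var/adm/loginlog" 2>/dev/null | awk '{ print substr($1, 1, 10) }')
    check_eq loginlog_mode "$mode" -rw-------
    # *.debug must point at a file that already exists: syslogd does not create it.
    target=$(awk '$1 == "*.debug" { print $2 }' "$root/etc/syslog.conf" 2>/dev/null)
    check_eq syslog_debug_target "$target" /var/adm/debug
    if [ -n "$target" ] && [ -f "$root$target" ]; then echo "PASS debug_file_exists"
    else echo "FAIL debug_file_exists ($root${target:-/var/adm/debug} missing)"; fi
}

# Usage:  hardening_check | grep ^FAIL
```

The checks read the files exactly as the post edits them, so a commented-out CRYPT_DEFAULT or an /etc/system line with different spacing is still recognised; the one thing they cannot tell you is whether the running kernel has picked the /etc/system values up, which needs a reboot after the edit.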
Is this all you need to do? Well, unfortunately - it depends. There are certainly lots of other things that
I could do.
For example, I could disable rhosts authentication for the rsh and rlogin services. Recall however that each of those services is (1) disabled by default and (2) subject to the firewall policy in place. So, to exploit this path, an attacker would first need to change both of those settings. Doing so requires administrative privileges, and those same privileges would be enough to add the rhosts entries back into /etc/pam.conf, so removing them up front buys little. For me, it was about maximizing security while minimizing change. In this specific case, changes to those service states or configuration files would be detected by BART and Solaris Auditing. Similarly, there is not much point (except as a reminder) for me to enable
password aging, history or complexity rules when I am the only user on the system (and the system does not accept
remote incoming connections - except in very limited cases).
You get the point... For another perspective, check out how John Clingan approached this problem.
My longer term hope is that we can further reduce the changes required out of the box by making many of the most common settings default Solaris values. That way, everyone could benefit from a stronger out of the box installation posture. SBD was a great step forward down this path. Let's look at a few examples of RFEs that are outstanding right now:
Would you like to see these implemented? If so, let us know! If you have a valid Solaris support contract, you can also contact support to have yourself added as a customer call record for one or more of these RFEs. Just as important - are there other security changes that you would like to see made by default in future versions of Solaris? If so, be sure to tell us! File bugs or RFEs! Talk with us! And (if you are so inclined) participate and help us make the changes!
Before I sign off, you may be wondering why not just use the Solaris Security Toolkit and be done with it? Certainly, I could have used the (currently unreleased) version that supports SBD and implemented these changes. In fact, most companies may want to go that route since SBD alone (as demonstrated above) covers just part of the problem space. The reason however is simple. I wanted to demonstrate what it would take for you to quickly and easily secure a new OpenSolaris or Nevada laptop from an out of the box state. All too often the tools and guides make people think that it is harder than it really is. Certainly, the Toolkit is essential for building repeatable, auditable configurations, but in the case of my one-off, the time difference to implement is negligible.
Take care,
Glenn
Technorati Tag:
OpenSolaris
Solaris
laptop
security
Saturday Sep 02, 2006
Friday Sep 01, 2006
Several hours into day 1 of the upgraded laptop and no significant issues to report. The complete installation went smoothly and all of my productivity tools appear to have retained their settings and are working as expected including:
This is in addition to the other tools I mentioned in my previous post, including: frkit, Nvidia drivers, punchin, pkg_get, and inetmenu. The Nvidia drivers are correctly pushing my screen image (by default) to both the laptop LCD and my external flatscreen. What more could I ask for?
During the course of my new installation, I set aside enough space to install Trusted Extensions, so that will be my next big step, but before I do that, I am going to put the laptop through its paces for a few days to ensure everything continues to work as expected.
You really have to love it when things just work!
Take care,
Glenn
Technorati Tag:
OpenSolaris
Solaris
laptop
Thursday Aug 31, 2006
Well, it has taken me quite a while but I finally have bitten the bullet and started upgrading my laptop to a newer version of Nevada. Given that my laptop is my office, I am always a little hesitant to change things when everything is working smoothly. And honestly, that has been the case for quite some time as is evidenced by the fact that I am still running (dare I say it) build 18!
While I have a number of other systems at home at build 42, I wanted to be able to showcase some of the latest and greatest technology found in the newer builds including (but certainly not limited to): SBD, ZFS, and Trusted Extensions. In fact, I have a number of conference sessions coming up (I will write about those later) where it will be great to highlight this great technology.
I will not go into the gory details, but for those interested, I did follow the usual procedures, namely (1) backup existing content, (2) download and burn the DVD ISO, (3) boot the DVD ISO and do the initial configuration, (4) click install and sit back.
Well, that is exactly where I am right now... Sitting back - about 68% through the installation. I have also downloaded the latest essentials for my M2 including: frkit, Nvidia drivers, punchin, pkg_get, and inetmenu. With this and a "quick" download of StarOffice 8, I will be back in business in no time. Well, at 78% complete, I have enough time to go brew some tea, so I will bid you all good night.
Take care,
Glenn
Technorati Tag:
OpenSolaris
Solaris
laptop
Thursday Aug 31, 2006
This note is to announce the new Solaris Package Companion OpenSolaris project page (child of the SVR4 packaging project page) at:
http://www.opensolaris.org/os/project/svr4_packaging/package_companion/
Check it out to get all of the latest and greatest information, usage instructions, code and examples.
Love to hear what you think!
g
Technorati Tag:
OpenSolaris
Solaris
security
minimization
Wednesday Aug 23, 2006
Scott Rotondo just posted a new Solaris Secure by Default presentation that is being used to raise awareness of SBD including what it is, why it is important and how it is implemented and used. Check it out!
For more information, check out these other SBD references:
Part 1 of 3
Part 2 of 3
Part 3 of 3
Technorati Tag:
OpenSolaris
Solaris
security
SMF
SBD
Thursday Aug 17, 2006
A while back, I posted a version of my Solaris 10 technical deep-dive presentation. Well, I have finally had a chance to update it based on all of the latest goodies in Solaris 10 Update 1 and 2 as well as Nevada. I have also added a bunch of new examples and screenshots.
For those who may have missed it, the goal of this presentation is to provide a technical "deep dive" overview for those interested in learning more about the security capabilities and features of Solaris 10. This presentation serves as a bridge between the higher level marketing presentations and technical presentations that are specific to individual technologies.
I would like to thank Mark Thacker, Darren Moffat, Casper Dik, and Shawn Emery for their contributions to this presentation!
So if this topic interests you, please download the latest version and send me your feedback! I will use the comments received to help guide future updates of the presentation. Also, be sure to let your sales team know if you would like to have someone from Sun come and talk with you about Solaris 10 security or any of the content in this presentation. Thanks in advance!
Take care!
Glenn
Technorati Tag:
OpenSolaris
Solaris
security
Monday Jul 10, 2006
Well, it is time for another update of the Solaris Package Companion. During the course of some additional testing, I found a few bugs which I have corrected in this new version. The biggest issue corrected in this update is the detection of packages versus clusters. I also added a check to avoid an exception case where a package is defined in a clustertoc(4) file but it cannot be found in the distribution (or on the local system when in local-only mode). For those interested, here is a diff:
blackhole$ diff spc-v0.5.ksh spc-v0.6.ksh
44,48c44,45
< BASEDIR=""
< REPOSITORY=""
<
< export BASEDIR REPOSITORY
<
---
> export BASEDIR=""
> export REPOSITORY=""
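Review bot: the combined form `export BASEDIR=""` is valid ksh and is fine for a script named spc-v0.6.ksh, but the old two-step form (assign, then `export BASEDIR REPOSITORY`) is the only one the Solaris Bourne /bin/sh accepts; if any part of this file is ever sourced or copied into an sh script, this is the line that will break, so it is worth a comment or keeping the older form for consistency.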
69c66,69
< else
---
> elif [ -d "`dirname ${fileName}`" ]; then
> # GMB: This is a small hack to avoid generating an error message
> # when a package is listed in a "contents" file but it does
> # not otherwise exist (e.g., SUNWphx on snv_18)
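Review bot: the new `elif` branch only tests that the parent directory of `${fileName}` exists, so an entry whose package directory is missing is now skipped silently with no diagnostic at all; consider printing one warning (perhaps only in -v mode) so that a truncated or damaged distribution remains visible to the user. Also quote the expansion, `dirname "${fileName}"`, in case the path contains whitespace, and note that the comment says "contents" file while the post text above describes a clustertoc(4) entry; one of the two should be corrected.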
88a89,94
> if [ -z "${name}" ]; then
> # This method should only be trusted when in "local only" mode.
> if [ ${LOCAL_ONLY} -eq 1 ]; then
> name="`pkgparam ${1} NAME 2>/dev/null`"
> fi
> fi
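Review bot: `[ ${LOCAL_ONLY} -eq 1 ]` fails with `test: argument expected` if LOCAL_ONLY is unset or empty when this code is reached; write it as `[ "${LOCAL_ONLY:-0}" -eq 1 ]`. The guard itself is correct, since pkgparam(1) reads the locally installed package's pkginfo and would return the wrong NAME (or nothing) when analysing a different distribution in -s mode; `${1}` should also be quoted in the pkgparam call.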
221c227
< if [ `echo ${member} | grep -c "^[A-Z]*C"` -eq 1 ]; then
---
> if [ -d ${C_DIR}/${member} ]; then
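Review bot: replacing the `^[A-Z]*C` name heuristic with an existence test under `${C_DIR}` is the right fix, since the regex also matches any package whose name happens to contain an uppercase C after the vendor prefix; however `[ -d ${C_DIR}/${member} ]` depends on C_DIR being set and populated before this loop runs, and an empty `${member}` turns the test into `-d ${C_DIR}/`, which is true and would misclassify nothing as a cluster. Quote the path and add an explicit `[ -n "${member}" ]` check.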
If you are interested in giving this version a whirl, please download version 0.6 and let me know what you think! Thank you to everyone who has provided feedback and ideas so far! Keep them coming!
Take care,
Glenn
Technorati Tag:
OpenSolaris
Solaris
security
minimization
Friday Jun 30, 2006
A few days ago, I posted version 0.4 of the Solaris Package Companion. I had a little time today to do some tweaking based on the feedback that I have received so far. Today, I am pleased to announce that I have made version 0.5 available.
There are only two significant differences between versions 0.4 and 0.5. In version 0.5, you must specify that you want to create a working repository for the tool using the newly added -i option (which must be used with either the -l (local) or -s (source distribution) options). Once the repository has been created, the rest of the code should operate in the same manner as before.
The second difference is that during the creation of the repository, the tool will collect package names automatically. This way, you do not need to specify either the -l or -s options after the repository has been created. This makes the -v (verbose) mode a bit faster although the repository creation process (a one time event) is just a little bit longer.
You will still need to specify one of those two options if you want to try out the undocumented -f option to map a file name to a package (if possible). This functionality is still in development but feel free to try it out!
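As an added illustration (not code from the Solaris Package Companion, whose -f implementation is not shown here), the shell function below performs the same kind of file-to-package lookup against the SVR4 installed-package database, /var/sadm/install/contents: given a path it prints the package(s) that deliver it and returns a non-zero status when nothing does, which is the case a tool like this has to handle without an error cascade. The contents lines embedded in it are constructed for the example; the field layout follows the real file (files carry mode, owner, group, size, checksum and mtime before the package list, directories omit the last three, and links are recorded as path=target).

```shell
#!/bin/sh
# Added example, not part of the Solaris Package Companion.
# Look up which SVR4 package(s) deliver a given path, the mapping the
# undocumented -f option is described as performing. On a real Solaris system
# the database is /var/sadm/install/contents; SAMPLE_CONTENTS below is
# constructed for this example and imitates the real line layout:
#   <path> <type> <class> <mode> <owner> <group> <size> <cksum> <mtime> <pkg>...
# Directories (d/x) have no size/cksum/mtime; links (s/l) are
#   <path>=<target> <type> <class> <pkg>...
SAMPLE_CONTENTS='/etc/passwd e passwd 0644 root sys 580 47880 1106444215 SUNWcsr
/usr/bin/ls f none 0555 root bin 18224 18616 1106444215 SUNWcsu
/usr/bin/sh=../../sbin/sh s none SUNWcsu
/usr/lib/libc.so.1 f none 0755 root bin 1130584 52345 1106444215 SUNWcsl
/usr/sbin/in.ftpd f none 0555 root bin 193372 4131 1106444215 SUNWftpu
/usr/share/man d none 0755 root bin SUNWman SUNWcsr'

# file_to_pkg <path> [contents-db]
# Prints the owning package name(s), space separated.
# Returns 1 when the path is not delivered by any package, 2 if the database
# cannot be read.
file_to_pkg() {
    _db=${2:-/var/sadm/install/contents}
    [ -r "$_db" ] || { echo "file_to_pkg: cannot read $_db" >&2; return 2; }
    _pkgs=$(awk -v p="$1" '
        {
            # Links store "path=target" in field 1; compare only the path part.
            split($1, a, "=")
            if (a[1] != p) next
            if ($2 == "s" || $2 == "l")      start = 4   # links: no mode/size block
            else if ($2 == "d" || $2 == "x") start = 7   # directories: mode owner group only
            else                             start = 10  # regular/editable/volatile files
            out = ""
            for (i = start; i <= NF; i++) out = out (out == "" ? "" : " ") $i
            print out
            exit
        }' "$_db")
    [ -n "$_pkgs" ] || return 1
    printf '%s\n' "$_pkgs"
}

# Demo against the constructed sample, written to a temporary file.
demo_db=${TMPDIR:-/tmp}/contents.demo.$$
printf '%s\n' "$SAMPLE_CONTENTS" > "$demo_db"
for f in /usr/bin/ls /usr/share/man /usr/bin/sh /usr/bin/nosuchfile; do
    if pkgs=$(file_to_pkg "$f" "$demo_db"); then
        echo "$f -> $pkgs"
    else
        echo "$f -> not delivered by any package"
    fi
done
rm -f "$demo_db"
```

Called without a second argument the function reads the live /var/sadm/install/contents, so on a Solaris host `file_to_pkg /usr/bin/ls` answers the same question as `pkgchk -l -p /usr/bin/ls`, only faster and in a form that is easy to feed into a minimization script. Paths shared by several packages (the /usr/share/man line above) come back as a space-separated list rather than a single name, which is exactly why a file-to-package map cannot be stored as a simple one-to-one table.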
I did add a bunch of new exception handling code that should make it easier to know what is going on if there is a problem or if required arguments are not being passed in a way expected by the program. I hope that these updates will make this tool easier for everyone to use. Please let me know what you think about the changes!
Thank you to everyone who has provided feedback and ideas so far! Keep them coming!
Take care,
Glenn
Technorati Tag:
OpenSolaris
Solaris
security
minimization