Sun Security Blog
Security
|
Historically, Trusted Solaris was a completely separate environment from "regular" Solaris. The Solaris 10 11/06 production release finally broke the mould, when Trusted Extensions integrated into the main Solaris release. Granted, the packages which need to be installed on the top of an unlabelled Solaris 10 install still need to be installed using an extra install tool, but you'll nonetheless find them on the regular distribution media under the Solaris_10/ExtraValue/CoBundled directory, right alongside the SunVTS hardware validation test suite. Configuring everything once the packages are in place is a more interesting proposition, but there's a good recipe here (for laptops). We make no bones about the fact that Trusted Solaris began life as an engineering project for the US Government, first went live 17 years ago, and has seen little use in the commercial world (with one or two notable exceptions) by its nature as a separate product with military heritage ever since - however, now that it's no longer a separate product, we believe that the time is right for commercial adoption. To this effect, we've been looking at some of the areas in the commercial world where its capabilities have a natural fit. So far, the partial list looks like:
Update: If we extend this a little further, we have: Any organisation where leakage of internal data is an issue could benefit from having a simple, two-label system of "Public" dominated by "Internal", where "Public" is the Internet connection and "Internal" is the Intranet. If all users are (as is the default) denied permission to downgrade data, then it becomes much more unlikely that internal data will leak. Giving users the ability to upgrade data by default still allows external data to be brought internal. This works well even when organisations do not differentiate between classifications of internal materials, and the Safe Browsing mechanism comes into its own, when web sites on the intranet need to make pointers to materials in the wider world.Press Officer and Auditor roles could also be created, which would potentially be the only roles allowed to downgrade data as part of the external release process. In educational establishments, denying the ability to upgrade and downgrade data means that while a number of websites can readily be viewed (assuming filtering software is already in place on the Internet link), data can't readily be plagiarised using cut and paste from external sources into essays, etc. Also, if Public and Internal zones are installed as whole-root rather than sparse-root zones, such that careful use of pkgrm can subsequently be used to deny access to internal tools (such as IM) in an external context, so cyber-bullying could be more readily tracked; bullies wouldn't be able to create anonymous / pseudonymous external accounts "on the fly" from which to abuse their victims. As well as co-location facilities, law firms may wish to extend their "duty of care" capability, in terms of ensuring segregation of client data, by having a compartmented label per client. If you have some more ideas, please add them in a comment :-)
tags: extensions security slotd solaris trusted Permalink | Comments [0]
One of the great, obvious, simple ideas which went into Solaris 10
was the Reduced Networking Cluster; after fragmenting and massaging
the core Solaris packages a bit, it became possible to offer a clean,
minimal, even spartan
installation of Solaris, a lightweight foundation upon which software
could be added as and when only necessary, leading to a very tiny and
yet supported machine configuration.
A colleague recently asked me for more information about the Reduced Networking Cluster, and frankly I was stumped, and then Glenn Brunette piped up that he'd written all about it back in 2004:-
The topic for this article is the Solaris 10 Reduced Networking Software Group (also commonly known as the Solaris 10 Reduced Networking Meta Cluster). This software group is new and joins the five existing software groups available in Solaris today: Core, End User, Developer, Entire and Entire + OEM software groups. The Reduced Networking Software Group is positioned as a subset of Core and represents the smallest amount of Solaris that can or should be installed and have a working and supported system. Note that for support reasons, it is not advised to remove packages installed by the Reduced Networking Software Group. ...etc; it's quite a long article but worthwhile, since it's one of the sadly few documents which look at this feature from an architectural perspective. So, folks, if you are into Minimized Solaris Configurations, you want to start with "SUNWCrnet". Less really is more, and it costs you nothing. :-) -Alec
tags: minimisation minimised minimization minimized security slotd solaris sunwcrnet Permalink | Comments [0]
Something a little different for today; my boss wrote to me regards some slideware:
Alec, I'd like to identify some aspects to trends in Security. Have you observed particular security trends for web computing? ...and this is my response. I'll be mailing him the URL. You get to see it first. :-) So, have I observed particular security trends in Web Computing? Not really, for reasons which I partially explain in a recent posting on my home blog - the short version being that I believe there are no new security bugs, ever, and from this it's a pretty easy step to declaring security to be a "solved problem", although that carries the proviso: "if and only if you bother to hire people who understand security". So if we want to write about the state of the art of "security and web computing" then I feel we should do it in terms of the "maturation" of Web Computing technologies. Twenty years of geekery has taught me all technologies go though a wild-and-insecure phase until the implementational goofs instilled by the visionaries get hammered out by the embarrassment of exploits, and the needs of business. How often do you see websites which still use plaintext password cookies in anger? Yes, some people still goof in implementation, but at least a large body of people now recognise that such design and implementation artifacts are goofs. For the people who don't know this, there are always consultants who can help. :-) So my thesis would be: people are getting used to the idea that perhaps mashups need a little more thought than "we'll just glue it together and it will work OK"; also people are finally getting to understand that the concept of "security" is bogus, being as it is actually an umbrella term for a bunch of qualities, including but not restricted to:
So as we move into an age of maturation of web technologies, attitudes and received wisdom are starting to shift; people are now less scared of letting just anyone write all over their website so long as you know who it is that is doing it, and people are beginning to realise that by replacing barriers-to-creation with knowledge-of-authorship (ie: identity, authentication, authorization) - plus the additional ability to 'roll back' so you can circumvent the expected but surviable inevitable vandalism - people realise you can now invite the world to create content with you. Sufficient technologies to solve all extant security problems now exist - modulo the chest-beating efforts of vendors to pitch new solutions to problems which they hope people will encounter - but from my perspective it's the shift in peoples' attitudes to security which is most interesting. "Forget prior restraint and access control, build trust, identity and integrity instead." I find that exciting; it's always been possible, but twenty years ago had you stated it was your goal, people would say you were nuts.
tags: identity mashup security solaris web web2.0 Permalink | Comments [0]
We like ZFS.
Lots of people like ZFS. Even Linux people are experimenting with ZFS, albeit as a user-space filesystem. But ZFS will be even better when you can have encrypted filesystems. So maybe check out OpenSolaris.org and see if you'ld like to help-out with the project ? - alec tags: encryption security slotd solaris zfs Permalink | Comments [2]
Time to bang my own trumpet - occasionally I receive requests to
address a particular customer's requirement, viz: three strikes lockout
where if a person fails to log in to a system (eg: mistyping a
password) - and if they fail to log-in three times in succession, then
some manner of portcullis drops and the resource is barred from
further access. The account gets locked, in the same-old way that was
popular on even-then-antiquated mainframes back when I was a student,
some 20 years ago.
So I wrote this explanation of my thoughts upon the matter:
"Three-Strikes" Password Security Considered Antiquated, Hazardous, Stupid and Wrong. - Alec tags: passwords security slotd solaris strikes three Permalink | Comments [0]
Another one in the "in case you missed it" category -
Glenn Brunette
on
How to enable 'snoop'
in
non-global zones;
it also serves as a useful primer about the use of limit privilege sets in zones - check out the
article by Rich Teer
for a more in-depth explanation.
I see you! snoop(1M)'ing in non-global zones! - Alec tags: privileges security slotd snoop solaris zones Permalink | Comments [0]
Scary Dave scribed thusly, back in November:
Dave's Bit Bucket tags: detection ids intrusion security slotd solaris Permalink | Comments [0]Karl MacMillan has blogged a response to Glenn Faden's comparison of Trusted Extensions and SE Linux as used in RHEL5 for LSPP(Labeled Security Protection Profile). I almost stopped reading after the first few paragraphs though because of the discussion about the use of "Trusted". In reality "Trusted Extensions" is really "Bell LaPadula Model Label Services" but that just doesn't roll off the tongue that easily nor does it build on the "Trusted Solaris" brand and show the relationship. "Trusted" for Solaris is about as meaning full as "Security Enhanced" for Linux :-) So the main reasons we use the "Trusted" moniker is marketing and brand awareness, and no I'm not in marketing :-) There are already some comments on Karl's blog from Glenn clarifying some points as well as some from David Comay about the overhead of Zones. Great to see this type of discussion happen in the open between the two communities. Hopefully a better understanding and scope for future collaboration is the outcome for all, particularly in the networking areas around IPsec. - Darren tags: rhel selinux solaris soltd trusted Permalink | Comments [1]
Solaris is - to the best of my knowledge - unique amongst Unix impementations in having a
pluggable password encryption routine
so that the administrator has the
option of selecting
a non-default
password hash routine
with the hope of making yourself more proof against
password cracking -
plus you can migrate users off-off older, weaker algorithms in a smooth fashion.
Brendan Gregg took this to the point of extreme silliness when he implemented a ROT13 password-hashing module for which he's posted the source; if you're not familiar with ROT13 it's the most trivial of pencil-and-paper ciphers, the sort of thing which got used to hide the punchlines of jokes posted via e-mail or on USENET. I wouldn't recommend rolling out Brendan's code in an enterprise deployment - not unless you want all your passwords cracked in about 3 milliseconds flat - but it makes a nice proof of concept, and shows what you are free to do with the pluggable crypt API. - alec tags: crypt password rot13 security slotd solaris Permalink | Comments [4]
Glenn Faden is one of Sun's hardline security geeks, the prime mover behind the Solaris
Trusted Extensions project which succeeds the older
Trusted Solaris.
I have been working on an architecture for multilevel mail in Trusted Extensions in which mail can be delivered to labeled zones that are only in the ready state (mounted but not running). This would reduce the overhead of the current polyinstantiation approach in which an instance of sendmail is running in each zone. For those unfamiliar with "trusted platforms", their core concept of "labelling" is to mark each file, directory, object, process or person on a machine with both a "compartment" (eg: finance, IT, payroll, human-resources) and some sort of "sensitivity" (eg: unclassified, confidential, secret); the trusted functionality permits "label-aware" applications to enforce need-to-know information handling rules. That may sound outre or faintly military ("top secret") but there are dozens of possibilities for systems where you can keep programs aloof from each other, or from the data which they are processing. Consider a webserver with one Internet-facing network interface, and another network interface attached to your credit-card database. Wouldn't it be nice to be assured that no data can pass from your credit-card data through to the Internet without being specially filtered, brokered and sanity checked? I find the idea rather appealing, I must admit. Or consider the possibility of multilevel Instant Messenger - there would be no cut-and-paste between internal IM and external AIM, Yahoo or Skype; that really gets some finance people (eg: the sort who deal with traders) rather excited... - alec tags: extensions labeling labelling security slotd solaris trusted Permalink | Comments [0]
As our first Security Link Of The Day we'd really like to mention
OpenSolaris and specifically the security
communities and projects within it; there are over a score of projects
including (but not limited to!) the following categories:
The best jumping-off points to investigate all the security possibilities are probably the Security Community Wiki and the main OpenSolaris Projects List. Do take a look. There's a lot of nifty stuff there. - alec tags: opensolaris security slotd solaris Permalink | Comments [0] |
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
