Solaris 10 Administration Topics Workshop                                      4- Security                              By...
About the Speaker                        Peter Baer Galvin - 781 273 4100                        pbg@cptech.com           ...
Objectives                        Explore the new Solaris 10 security features,                        from an admin point...
Prerequisites                        Recommend at least a couple of years of                        Solaris experience    ...
About the Tutorial                        Every SysAdmin has a different                        knowledge set             ...
Fair Warning                        Sites vary                        Circumstances vary                        Admin know...
Why Listen to Me?                        20 Years of Sun experience                        Seen much as a consultant      ...
Slide Ownership                   As indicated per slide, some slides copyright                   Sun Microsystems        ...
Overview                                     Lay of the Land                        Copyright 2009 Peter Baer Galvin - All...
Schedule                        Copyright 2009 Peter Baer Galvin - All Rights Reserved   10Saturday, May 2, 2009
Coverage                        Solaris 10 is a moving target                          This tutorial based on FCS (Jan / M...
Outline                        Overview                        Sun Overview                        DTrace (lab?)          ...
Outline                        PAM enhancements                        Auditing enhancements                        BSM   ...
Your Objectives?                         Copyright 2009 Peter Baer Galvin - All Rights Reserved   14Saturday, May 2, 2009
Lab Preparation                   Have device capable of telnet on USENIX                   network                       ...
Lab Preparation                   Or...                        Use virtualbox                        Use your own system  ...
Introduction                         Copyright 2009 Peter Baer Galvin - All Rights Reserved   17Saturday, May 2, 2009
Overview                        Solaris 10 includes lots of new security features                           Security is im...
Sun Overview                        Quick high-level overview of Sun’s view of                        Solaris security    ...
(From the Solaris 10 Sun Net Talk about Solaris 10 Security)                        Copyright 2009 Peter Baer Galvin - All...
(From the Solaris 10 Sun Net Talk about Solaris 10 Security)                        Copyright 2009 Peter Baer Galvin - All...
(From the Solaris 10 Sun Net Talk about Solaris 10 Security)                        Copyright 2009 Peter Baer Galvin - All...
(From the Solaris 10 Sun Net Talk about Solaris 10 Security)                        Copyright 2009 Peter Baer Galvin - All...
(From the Solaris 10 Sun Net Talk about Solaris 10 Security)                        Copyright 2009 Peter Baer Galvin - All...
(From the Solaris 10 Sun Net Talk about Solaris 10 Security)                        Copyright 2009 Peter Baer Galvin - All...
(From the Solaris 10 Sun Net Talk about Solaris 10 Security)                           Copyright 2009 Peter Baer Galvin - ...
(From the Solaris 10 Sun Net Talk about Solaris 10 Security)                          Copyright 2009 Peter Baer Galvin - A...
S10 Security Status                        According to Sun:                        Solaris 10 11/06 is currently in evalu...
Good Security Hygiene                        Checklist #1 - Use before making a change                             Is the ...
Virtualization and Security                        Copyright 2009 Peter Baer Galvin - All Rights Reserved   30Saturday, Ma...
Virtualization Options                   Containers / Zones (more below)                   Xen (xVM server) - bare metal h...
Security Impact                   Lots of security issues around virtualization                        How many “systems” ...
Zones Overview                   Think of them of chroot on steroids                   Virtualized operating system servic...
Zones Overview - 2                   Low physical resource use                        Up to 8192 zones per system!        ...
(From System Administration Guide: N1 Grid Containers, Resource Management, and Solaris Zones)                            ...
(From the Solaris 10 Sun Net Talk about Solaris 10 Security)                                  Copyright 2009 Peter Baer Ga...
LDOMs                  Logical domains                  Released April ’07                  Only on Niagara and future CMT...
Copyright 2009 Peter Baer Galvin - All Rights Reserved   38Saturday, May 2, 2009
LDOMs - Details                   Can create up to 1 LDOM per thread(!)                          Best practice seems to be...
DTrace                        Copyright 2009 Peter Baer Galvin - All Rights Reserved   40Saturday, May 2, 2009
DTrace and Security                        New tool has security implications                        DTrace so cool we nee...
DTrace Overview                        Best tool ever for understanding system behavior                        Uses langua...
DTrace and Security                        DTrace doesn’t “weaken” security model                             Root with or...
DTrace Example - 1                        connections.d snoop inbound TCP                        connections as they are e...
DTrace Example - 2                        The following script counts number of                        write(2) calls by a...
DTrace Example - 4                # dtrace -s write-calls-by-app.d                dtrace: script write-calls-by-app.d matc...
DTrace Example - 5                   Let’s have a look at the size of the writes                   to file descriptor 5, pe...
DTrace Example - 6                bash-2.05b# dtrace -s write-sshd-fd-5.d                dtrace: script write-sshd-fd-5.d ...
DTrace Example - 7                #!/usr/sbin/dtrace -s                #pragma D option flowindent                pid$1::$...
Copyright 2009 Peter Baer Galvin - All Rights Reserved   50Saturday, May 2, 2009
DTrace Toolkit                   DTrace Toolkit with lots (> 90) of great scripts                        Includes scripts ...
DTrace Toolkit Hits                   dexplorer - run a lot of tools for a few                   seconds and log output to...
DTrace One-Liners               Snarfed from http://www.solarisinternals.com/wiki/index.php/DTrace_Topics_One_Liners      ...
More DTrace One-liners            Memory              * Minor faults by process name,            dtrace -n vminfo:::as_fau...
DTrace Lab (!)                        Try some one-liners                           Which work in a non-global zone?      ...
RBAC                        Copyright 2009 Peter Baer Galvin - All Rights Reserved   56Saturday, May 2, 2009
RBAC                        Been in Solaris since release 8                        Basis for access control on Solaris    ...
Copyright 2009 Peter Baer Galvin - All Rights Reserved   58Saturday, May 2, 2009
RBAC Terminology                        Administrative Roles – (or just “roles”)                        for grouping autho...
RBAC Terminology - 2                        Authorizations – permissions that grant access to restricted actions          ...
Copyright 2009 Peter Baer Galvin - All Rights Reserved   61Saturday, May 2, 2009
RBAC Use                        User assumes a role - placed in a special profile-understanding shell                      ...
RBAC Use - 2                        Easiest RBAC admin is to use the Solaris Management                        Console (sm...
/etc/security/exec_attr                # head exec_attr                Application Server Management:suser:cmd:::/usr/apps...
Roles                        Typical types of roles:                          primary administrator - the traditional     ...
Solaris Privileges                          Copyright 2009 Peter Baer Galvin - All Rights Reserved   66Saturday, May 2, 2009
Privileges                        Really known as “least privilege”                            Only the minimum privileges...
Privileges - 2                        New level of management of rights within                        a Solaris 10 system ...
Privilege Sets                        E - Effective privilege set – the current set of                        privileges t...
Privileges Example                    traceroute is now privilege enabled                $ ls -l /usr/sbin/traceroute     ...
Privileges Example - 2                # ppriv -v 7841                7841:   /usr/sbin/traceroute 1.2.3.4                f...
Privileged Daemon Example                # ppriv `pgrep rpcbind`                153:    /usr/sbin/rpcbind                f...
RBAC and Privileges                        Use RBAC to assign specific privs to roles or users                        By de...
RBAC and Privileges - 2                # roleadd -u 201 -d /export/home/test -P                   "Process Management" tes...
RBAC and Privileges - 3                $ ppriv $$                10897: -bash                flags = <none>               ...
RBAC and Privileges - 4                $ roles                test                $su test                password:       ...
Privilege Assignment                        To add a privilege to a specific user, use the                        usermod c...
Privilege Assignment - 2                        Currently, native system programs are becoming privilege aware and having ...
Final Privilege Notes                        ppriv allows examination of a command to                        determine wha...
/etc/passwd                # cat /etc/passwd                root:x:0:1:Super-User:/:/sbin/sh                daemon:x:1:1::...
/etc/user_attr                # cat /etc/user_attr                #                # Copyright (c) 2003 by Sun Microsystem...
Labs                        Create new user “foo”                        Create new role “operator”                       ...
NFS V4                        Copyright 2009 Peter Baer Galvin - All Rights Reserved   83Saturday, May 2, 2009
NFS V4 Overview                        Stateful rather than stateless                        All traffic uses one port numb...
NFS V4 Overview - 2                        Supports client and server recovery from a crash                        Support...
NFS V4 Use                        Enable it via NFS_CLIENT_VERSMIN and                        NFS_CLIENT_VERSMAX in the /e...
Solaris Flash Archives                         Copyright 2009 Peter Baer Galvin - All Rights Reserved   87Saturday, May 2,...
System Build Technology                        What does it have to do with security?                           Capture st...
Flash Archives                        Create master system – single reference                        installation         ...
Flash Archives Initial Install                    Install master server however you’d like                    (Optional) P...
Flash Archives Deployment                        Create archive after full master install but before software             ...
Copyright 2009 Peter Baer Galvin - All Rights Reserved   92Saturday, May 2, 2009
Updating Clone with Flash Differential Archive                1.   Start from master identical to clone                2. ...
Moving from NIS to LDAP                         Copyright 2009 Peter Baer Galvin - All Rights Reserved   94Saturday, May 2...
Why Move?                        NIS is old, limited, not secure                             Weak authentication          ...
NIS to LDAP Overview                        The NIS–to–LDAP transition service (N2L service) replaces                     ...
NIS to LDAP Overview - 2                        Behavior of the N2L service is controlled by the ypserv and               ...
FTP Server Enhancements                         Copyright 2009 Peter Baer Galvin - All Rights Reserved   98Saturday, May 2...
FTP Server Enhancements                        The sendfile() function is used for binary downloads                       ...
FTP Server Enhancements - 2                        ftpcount and ftpwho now support                        the -v option, w...
PAM Enhancements                        Copyright 2009 Peter Baer Galvin - All Rights Reserved   101Saturday, May 2, 2009
PAM Enhancements                        Pluggable Authentication Module (PAM) framework enhancements                      ...
PAM Enhancements - 2                        The pam_unix_auth module implements account locking for local users. Account  ...
PAM Enhancements - 3                        The functionality of the pam_unix_auth module has                        been ...
/etc/default/passwd                $ cat /etc/default/passwd                #ident "@(#)passwd.dfl 1.7      04/04/22 SMI" ...
/etc/default/passwd - 2                # HISTORY sets the number of prior password changes to keep and                # ch...
/etc/default/passwd - 3                # Password complexity tunables. The values listed are the defaults                #...
/etc/default/passwd - 4                #                #                # passwd performs dictionary lookups if DICTIONLI...
Stronger Password Crypto                        Modify /etc/security/policy.conf                        to use stronger pa...
BSM                          Copyright 2009 Peter Baer Galvin - All Rights Reserved   110Saturday, May 2, 2009
BSM                        Solaris Basic Security Module                           Also known as Solaris auditing         ...
BSM Setup                        BSM not enabled by default                           bsmconv configures BSM               ...
BSM Setup – cont                          audit_control is primary config file                        dir:/var/audit        ...
BSM Setup - cont                        Run audit –n out of cron to cycle the (otherwise infinite)                        l...
BSM Tuning                          Recommended auditing settings for more security-conscious                          sys...
Auditing Enhancements                         Copyright 2009 Peter Baer Galvin - All Rights Reserved   116Saturday, May 2,...
Auditing Enhancements                        Can use the syslog utility to store audit records in text format             ...
Auditing Enhancements - 2                        Audit metaclasses provide an umbrella for finer-grained audit             ...
Auditing Enhancements - 3                        Five audit tokens have been added:                            The cmd tok...
Solaris Cryptographic Framework                           Copyright 2009 Peter Baer Galvin - All Rights Reserved   120Satu...
Crypto Framework                        Provides common store of crypto algorithms and PKCS #11 libraries optimized for   ...
Figure 8–1 Overview of the Solaris Cryptographic Framework                                                                ...
Crypto Framework Admin                        Administration via cryptoadm command:                $ cryptoadm list       ...
Crypto Framework User Commands                        digest– Computes a message digest for one or more files or for       ...
Key Generation                          For MAC and encryption, need symmetric key                               Determine...
Encrypting                        Use a random number generator, or dd to create a key                             Note th...
Decrypting and verifying                        Example - Use AES for encryption using a                        keyphrase ...
Labs                        Pick an encryption algorithm and key length and                        encrypt and decrypt a s...
Kerberos Enhancements                        Copyright 2009 Peter Baer Galvin - All Rights Reserved   129Saturday, May 2, ...
Kerberos Enhancements                        The KDC software, the user commands and applications now support             ...
Kerberos Enhancements - 2                        Kerberos protocol support is provided in remote applications,            ...
Kerberos Enhancements - 3                        A new script to help automatically configure a Kerberos client            ...
Kerberos Enhancements - 4                        A new -e option has been included to several subcommands of the          ...
Kerberos Enhancements - 5                        Extensions to the password-changing utilities enable the Solaris         ...
Packet Filtering                         Copyright 2009 Peter Baer Galvin - All Rights Reserved   135Saturday, May 2, 2009
Packet Filtering Overview                        Solaris used to have nothing, then SunScreen was commercial,             ...
Packet Filtering Overview - 2                        Provides packet filtering and network address translation             ...
2009 04.s10-admin-topics4
  1. Solaris 10 Administration Topics Workshop 4 - Security
     By Peter Baer Galvin, for Usenix. Last revision Apr 2009.
     Copyright 2009 Peter Baer Galvin - All Rights Reserved. Saturday, May 2, 2009
  2. About the Speaker
     - Peter Baer Galvin - 781 273 4100, pbg@cptech.com, www.cptech.com, peter@galvin.info
     - My blog: www.galvin.info
     - Bio: Peter Baer Galvin is the Chief Technologist for Corporate Technologies, Inc., a leading systems integrator and VAR, and was the Systems Manager for Brown University's Computer Science Department. He has written articles for Byte and other magazines. He was contributing editor of the Solaris Corner for SysAdmin Magazine, wrote Pete's Wicked World, the security column for SunWorld magazine, and Pete's Super Systems, the systems administration column there. He is now Sun columnist for the Usenix ;login: magazine. Peter is co-author of the Operating Systems Concepts and Applied Operating Systems Concepts textbooks. As a consultant and trainer, Mr. Galvin has taught tutorials in security and system administration and given talks at many conferences and institutions.
  3. Objectives
     - Explore the new Solaris 10 security features, from an admin point of view
     - Some app/dev points made to guide developers
     - Convey their current status, usability, and future functionality
     - Help prepare for Solaris 10 deployment
     - Some pre-Solaris 10 coverage when needed
  4. Prerequisites
     - Recommend at least a couple of years of Solaris experience
     - Or at least a few years of other Unix experience
     - Best is a few years of admin experience, mostly on Solaris
  5. About the Tutorial
     - Every SysAdmin has a different knowledge set
     - A lot to cover, but notes should make good reference
     - So some covered quickly, some in detail
     - Setting base of knowledge
     - Please ask questions
     - But let’s take off-topic off-line
  6. Fair Warning
     - Sites vary
     - Circumstances vary
     - Admin knowledge varies
     - My goals: provide information useful for each of you at your sites; provide opportunity for you to learn from each other
  7. Why Listen to Me?
     - 20 years of Sun experience
     - Seen much as a consultant
     - Hopefully, you’ve used: my Usenix ;login: column; The Solaris Corner @ www.samag.com; The Solaris Security FAQ; SunWorld “Pete’s Wicked World”; SunWorld “Pete’s Super Systems”; Unix Secure Programming FAQ (out of date); Operating System Concepts (The Dino Book), now 8th ed; Applied Operating System Concepts
  8. Slide Ownership
     - As indicated per slide, some slides copyright Sun Microsystems
     - Feel free to share all the slides - as long as you don’t charge for them or teach from them for fee
  9. Overview: Lay of the Land
  10. Schedule
  11. Coverage
     - Solaris 10 is a moving target
     - This tutorial based on FCS (Jan / Mar 05), plus “Nevada” build 53
     - How to get Solaris 10: download from Sun; media kits now shipping
     - How to get Solaris 10+: join Solaris Express for monthly releases; Opensolaris.org for “untested” releases
  12. Outline
     - Overview
     - Sun Overview
     - DTrace (lab?)
     - RBAC (lab)
     - Privileges
     - NFS V4
     - Flash archives and live upgrade
     - Moving from NIS to LDAP
     - FTP client and server enhancements
  13. Outline
     - PAM enhancements
     - Auditing enhancements
     - BSM
     - Solaris Cryptographic Framework
     - Smartcard interfaces and APIs
     - Kerberos enhancements
     - Packet filtering
     - BART
     - Trusted Extensions
     - Overall Solaris 10 Security
     - Conclusions
     - References
  14. Your Objectives?
  15. Lab Preparation
     - Have device capable of telnet on USENIX network
     - Or have a buddy
     - Learn your “magic number”
     - Telnet to 131.106.62.100 + “magic number”
     - User “root”, password “lisa”
     - It’s all very secure
  16. Lab Preparation - Or...
     - Use VirtualBox
     - Use your own system
     - Use a remote machine you have legit access to
  17. Introduction
  18. Overview
     - Solaris 10 includes lots of new security features
     - Security is important to administrators; it usually annoys users
     - We’ll look at each new feature, how useful, powerful and annoying it is
     - Should provide a good roadmap for what to use, when
     - How can they be used to solve the following problems?
  19. Sun Overview
     - Quick high-level overview of Sun’s view of Solaris security
  20. (From the Solaris 10 Sun Net Talk about Solaris 10 Security)
  21. (From the Solaris 10 Sun Net Talk about Solaris 10 Security)
  22. (From the Solaris 10 Sun Net Talk about Solaris 10 Security)
  23. (From the Solaris 10 Sun Net Talk about Solaris 10 Security)
  24. (From the Solaris 10 Sun Net Talk about Solaris 10 Security)
  25. (From the Solaris 10 Sun Net Talk about Solaris 10 Security)
  26. (From the Solaris 10 Sun Net Talk about Solaris 10 Security)
  27. (From the Solaris 10 Sun Net Talk about Solaris 10 Security)
  28. S10 Security Status
     - According to Sun: Solaris 10 11/06 is currently in evaluation at EAL4+, one of the highest levels of Common Criteria Certification, with three Protection Profiles: Labeled Security Protection Profile (LSPP), Controlled Access Protection Profile (CAPP) and Role-Based Access Control Protection Profile (RBACPP). In addition, Solaris 10 3/05 has completed evaluation at EAL4+ with CAPP and RBACPP.
  29. Good Security Hygiene
     - Checklist #1 - Use before making a change
     - Is the syntax of the command correct?
     - Is the command the right one to make the change?
     - Is there a better way to make the change?
     - Are the right options entered / selected?
     - Is today Friday?
     - Is today some other day on which it would be exceptionally bad to break something (such as the day before leaving for a vacation or conference)?
     - What are the chances that executing this will break something?
     - If this change would break something, can I undo the action?
     - Is this a documented way to accomplish the task?
     - If this is a new way to make a change, should I document it?
     - And finally, what effect might this action have on security?
  30. Virtualization and Security
  31. Virtualization Options
     - Containers / Zones (more below)
     - Xen (xVM server) - bare metal hypervisor + guests; run other OSes (Linux, Windows) with S10+ as the host; industry semi-standard; para-virtualization, x86 only
     - LDOMs - hard partitions, shipped in May 2007; run multiple copies of Solaris on the same CoolThreads chip (Niagara, Rock in the future); some resource management - move CPUs and memory
     - VMware - Solaris as a guest, not a host so far, x86 only
     - Traditional Sun Domains - SPARC only, Enterprise servers only
  32. Security Impact
     - Lots of security issues around virtualization
     - How many “systems” are in a given environment? Hidden / unknown systems; a “system” audit could involve dozens of OSes!
     - Separately secure: HW - servers, storage, devices, etc; OS - per-OS security regardless of HW; Apps; Virtualization infrastructure (ESX management, Solaris server, hypervisor management, and on and on)
  33. Zones Overview
     - Think of them as chroot on steroids
     - Virtualized operating system services
     - Isolated and “secure” environment for running apps
     - Apps and users (and superusers) in a zone cannot see / affect other zones
     - Delegated admin control
     - Virtualized device paths, network interfaces, network ports, process space, resource use (via resource manager)
     - Application fault isolation
     - Detach and attach containers between systems
     - Cloning of a zone to create an identical new zone
  34. Zones Overview - 2
     - Low physical resource use
     - Up to 8192 zones per system!
     - Differentiated file system
     - Multiple versions of an app installed and running on a given system
     - Inter-zone communication is only via network (but short-pathed through the kernel)
     - No application changes needed – no API or ABI changes
     - Can restrict disk use of a zone via the loopback file driver (lofi), using a file as a file system
     - Can dedicate an Ethernet port to a zone, allowing snooping, firewalling, managing that port by the zone
  35. (From System Administration Guide: N1 Grid Containers, Resource Management, and Solaris Zones)
  36. (From the Solaris 10 Sun Net Talk about Solaris 10 Security)
  37. LDOMs
     - Logical domains
     - Released April ’07
     - Only on Niagara and future CMT chips (Niagara II, Rock)
     - Like enterprise-system domains but within one chip
     - Slice the chip into multiple LDOMs, each with its own OS root, boot independently, etc
     - Now can run multiple OSes on 1 SPARC chip
  38. (slide has no text)
  39. LDOMs - Details
     - Can create up to 1 LDOM per thread (!)
     - Best practice seems to be max one LDOM per core, i.e. 8 LDOMs on Niagara I and II
     - Nice intro blog: http://blogs.sun.com/ash/entry/ultrasparc_t2_launched_today
     - And nice flash demo: http://www.sun.com/servers/coolthreads/ldoms/
  40. 40. DTrace Copyright 2009 Peter Baer Galvin - All Rights Reserved 40Saturday, May 2, 2009
  41. 41. DTrace and Security New tool has security implications DTrace so cool we need to take a quick look Copyright 2009 Peter Baer Galvin - All Rights Reserved 41Saturday, May 2, 2009
  42. 42. DTrace Overview Best tool ever for understanding system behavior Uses language D, based on C Fully dynamic, full probing of kernel and user apps Fully scalable Enabled in Solaris 10 – no custom kernel or configuration changes needed Use DTrace today to solve non-S10 problems Move the “problem” to a test / dev S10 machine, debug, and then back port the solution to the original machine Way to much to cover here So I’ll whet your appetite Got example code available at http://users.tpg.com.au/adsln4yb/ dtrace.html All DTrace resources at http://www.sun.com/bigadmin/content/ dtrace/ Copyright 2009 Peter Baer Galvin - All Rights Reserved 42Saturday, May 2, 2009
  43. 43. DTrace and Security DTrace doesn’t “weaken” security model Root with or without DTrace is God But with DTrace easier to be a bad God Watch ssh typing Watch shell I/O DTrace disabled in zones by default As of Nevada build 37 (and probably S10 U2), can give DTrace user and process privileges to a zone Zone can’t get DTrace kernel priv Can’t see outside of the zone # zonecfg -z myzone zonecfg:myzone> set limitpriv=default,dtrace_proc,dtrace_user zonecfg:myzone> ^D Copyright 2009 Peter Baer Galvin - All Rights Reserved 43Saturday, May 2, 2009
  44. 44. DTrace Example - 1 connections.d snoop inbound TCP connections as they are established, displaying the server process that accepted the connection # ./connections.d UID PID IP_SOURCE PORT CMD 0 254 192.168.001.001 23 /usr/sbin/inetd -s 0 254 192.168.001.001 23 /usr/sbin/inetd -s 0 254 192.168.001.001 79 /usr/sbin/inetd -s 0 254 192.168.001.001 21 /usr/sbin/inetd -s 0 254 192.168.001.001 79 /usr/sbin/inetd -s 100 2319 192.168.001.001 6000 /usr/openwin/bin/Xsun :0 - nobanner 0 254 192.168.001.001 79 /usr/sbin/inetd -s [...] Copyright 2009 Peter Baer Galvin - All Rights Reserved 44Saturday, May 2, 2009
45. DTrace Example - 2
    - The following script counts the number of write(2) calls by application:

        syscall::write:entry
        {
            @counts[execname] = count();
        }
46. DTrace Example - 4

        # dtrace -s write-calls-by-app.d
        dtrace: script write-calls-by-app.d matched 1 probe
        ^C
          dtrace             1
          login              1
          sshd               2
          sh                 6
          telnet             6
          w                  7
          df                12
          in.telnetd        25
          mixer_applet2     61
          gnome-panel      108
          metacity         125
          gnome-terminal   197
        #
47. DTrace Example - 5
    - Let’s have a look at the size of the writes to file descriptor 5, per section of user code (!)

        syscall::write:entry
        /execname == "sshd" && arg0 == 5/
        {
            @[ustack()] = quantize(arg2);
        }
48. DTrace Example - 6

        bash-2.05b# dtrace -s write-sshd-fd-5.d
        dtrace: script write-sshd-fd-5.d matched 1 probe
        ^C

          libc.so.1`_write+0xc
          sshd`atomicio+0x2d
          805b59c
          sshd`main+0xd59
          805b1fa

                   value  ------------- Distribution ------------- count
                       8 |                                         0
                      16 |@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ 1
                      32 |                                         0

          libc.so.1`_write+0xc
          sshd`packet_write_poll+0x2e
          sshd`packet_write_wait+0x23
          sshd`userauth_finish+0x19f
          805f42e
          sshd`dispatch_run+0x49
          sshd`do_authentication2+0x7c
          sshd`main+0xdc7
          805b1fa

                   value  ------------- Distribution ------------- count
49. DTrace Example - 7

        #!/usr/sbin/dtrace -s
        /* Indent output by call depth so the user/kernel flow is readable */
        #pragma D option flowindent

        /* $1 is the target PID, $2 the user function to follow; start tracing on entry */
        pid$1::$2:entry
        {
            self->trace = 1;
        }

        /* While inside $2, tag every user (U) or kernel (K) function entry and return */
        pid$1:::entry,
        pid$1:::return,
        fbt:::
        /self->trace/
        {
            printf("%s", curlwpsinfo->pr_syscall ? "K" : "U");
        }

        /* Stop tracing when $2 returns */
        pid$1::$2:return
        /self->trace/
        {
            self->trace = 0;
        }
51. DTrace Toolkit
    - DTrace Toolkit with lots (> 90) of great scripts
    - Includes scripts for Python, Perl, Java, PHP, Ruby, Tcl, JavaScript
    - Best starting point for learning DTrace
    - Means you don’t have to be a DTrace expert to use DTrace (for good or evil)
    - http://www.opensolaris.org/os/community/dtrace/dtracetoolkit/
52. DTrace Toolkit Hits
    - dexplorer - run a lot of tools for a few seconds and log output to a file
    - Other key scripts include dtruss, dvmstat, execsnoop, hotkernel, hotuser, errinfo, iopattern, iosnoop, iotop, opensnoop, procsystime, rwsnoop, rwtop, statsnoop
53. DTrace One-Liners
    - Snarfed from http://www.solarisinternals.com/wiki/index.php/DTrace_Topics_One_Liners
    - Processes
        - New processes with arguments:
            dtrace -n 'proc:::exec-success { trace(curpsinfo->pr_psargs); }'
    - Files
        - Files opened by process name:
            dtrace -n 'syscall::open*:entry { printf("%s %s", execname, copyinstr(arg0)); }'
        - Files created using creat() by process name:
            dtrace -n 'syscall::creat*:entry { printf("%s %s", execname, copyinstr(arg0)); }'
    - Syscalls
        - Syscall count by process name:
            dtrace -n 'syscall:::entry { @num[execname] = count(); }'
        - Syscall count by syscall:
            dtrace -n 'syscall:::entry { @num[probefunc] = count(); }'
        - Syscall count by process ID:
            dtrace -n 'syscall:::entry { @num[pid,execname] = count(); }'
        - Read bytes by process name:
            dtrace -n 'sysinfo:::readch { @bytes[execname] = sum(arg0); }'
    - I/O
        - Write bytes by process name:
            dtrace -n 'sysinfo:::writech { @bytes[execname] = sum(arg0); }'
        - Read size distribution by process name:
            dtrace -n 'sysinfo:::readch { @dist[execname] = quantize(arg0); }'
        - Write size distribution by process name:
            dtrace -n 'sysinfo:::writech { @dist[execname] = quantize(arg0); }'
    - Physical I/O
        - Disk size by process ID:
            dtrace -n 'io:::start { printf("%d %s %d", pid, execname, args[0]->b_bcount); }'
        - Disk size aggregation:
            dtrace -n 'io:::start { @size[execname] = quantize(args[0]->b_bcount); }'
        - Pages paged in by process name:
            dtrace -n 'vminfo:::pgpgin { @pg[execname] = sum(arg0); }'
54. More DTrace One-liners
    - Memory
        - Minor faults by process name:
            dtrace -n 'vminfo:::as_fault { @mem[execname] = sum(arg0); }'
    - User-land
        - Sample user stack trace of specified process ID at 1001 Hertz:
            dtrace -n 'profile-1001 /pid == $target/ { @num[ustack()] = count(); }' -p PID
        - Trace why threads are context switching off the CPU, from the user-land perspective:
            dtrace -n 'sched:::off-cpu { @[execname, ustack()] = count(); }'
        - User stack size for processes:
            dtrace -n 'sched:::on-cpu { @[execname] = max(curthread->t_procp->p_stksize); }'
    - Kernel
        - Sample kernel stack trace at 1001 Hertz:
            dtrace -n 'profile-1001 /!pid/ { @num[stack()] = count(); }'
        - Interrupts by CPU:
            dtrace -n 'sdt:::interrupt-start { @num[cpu] = count(); }'
        - CPU cross calls by process name:
            dtrace -n 'sysinfo:::xcalls { @num[execname] = count(); }'
        - Trace why threads are context switching off the CPU, from the kernel perspective:
            dtrace -n 'sched:::off-cpu { @[execname, stack()] = count(); }'
        - Kernel function calls by module:
            dtrace -n 'fbt:::entry { @calls[probemod] = count(); }'
55. DTrace Lab (!)
    - Try some one-liners
        - Which work in a non-global zone?
    - Try some of the scripts in /usr/demo/dtrace
    - How useful is non-global zone DTrace?
56. RBAC
57. RBAC
    - Been in Solaris since release 8
    - Basis for access control on Solaris
    - A bit, um, complicated
    - Quick review here
    - How many of you are using RBAC?
    - Let’s take the nickel tour to get up to speed: http://mediacast.sun.com/share/bartbl/blog-5cent-rbac-tour.mov
59. RBAC Terminology
    - Administrative Roles (or just “roles”) – for grouping authorizations, profiles and commands together as a common set of functions. Think of these as special user accounts to which profiles are assigned.
    - Profiles (also known as "execution profiles" or "rights profiles") – a collection of authorizations, commands, and/or other profiles that together provide for performing a set of administrative tasks.
60. RBAC Terminology - 2
    - Authorizations – permissions that grant access to restricted actions that are otherwise prohibited by the security policy. These are typically assigned in a profile, but can also be assigned to a user or a role. Think of these as tokens that can be checked by RBAC-aware programs. Rather than checking if UID=0 to allow an action, such programs can check if, for example, the user has the authorization token “solaris.admin.diskmgr.read”.
    - Privileged program – a program with security attributes that enables special functions depending on a check of user-id, group-id, privileges, or authorizations. These are setuid or setgid programs, or programs with assigned privileges.
62. RBAC Use
    - User assumes a role – placed in a special profile-understanding shell: pfcsh, pfksh, or pfsh
    - Shells know how to read through the various config files in /etc/security (and /etc/user_attr)
        - Determine the rights profiles of the role and the components of those profiles, and enforce them
        - For example, if a role had the Name Service Security rights profile, then the user would be allowed to run /usr/bin/nischown with the effective user-id of 0 (from /etc/security/exec_attr)
    - The administrator creates a profile of authorizations and privileged commands for a task or tasks
        - Can be assigned directly to a user or (better) to a role
    - Without authorizations, a user is prevented from executing a privileged application, or prevented from performing operations within a privileged application
63. RBAC Use - 2
    - Easiest RBAC admin is to use the Solaris Management Console (smc)
    - User is allowed to assume zero or more roles by knowing the password of the roles
        - Similar to using the su command
    - When the user assumes a role, the capabilities of the role are available
    - List of roles available to that user is displayed by the roles command
    - User su’s to an available role to accomplish privileged tasks
    - No default roles
64. /etc/security/exec_attr

        # head exec_attr
        Application Server Management:suser:cmd:::/usr/appserver/bin/asadmin:
        Software Installation:suser:cmd:::/usr/bin/pkgparam:uid=0
        Network Management:suser:cmd:::/usr/sbin/in.named:uid=0
        File System Management:suser:cmd:::/usr/sbin/mount:uid=0
        Software Installation:suser:cmd:::/usr/bin/pkgtrans:uid=0
        Name Service Security:suser:cmd:::/usr/bin/nisaddcred:euid=0
        Mail Management:suser:cmd:::/usr/sbin/makemap:euid=0
        FTP Management:suser:cmd:::/usr/sbin/ftprestart:euid=0
        File System Management:solaris:cmd:::/sbin/mount:privs=sys_mount
        Software Installation:suser:cmd:::/usr/sbin/install:euid=0
65. Roles
    - Typical types of roles:
        - primary administrator – the traditional superuser, with all privileges
        - system administrator – an administrator without security-modification privileges
        - operator – an administrator with a limited, specific set of privileges
        - advanced user – a user with privileges to debug and fix her own system or programs
66. Solaris Privileges
67. Privileges
    - Really known as “least privilege”
    - Only the minimum privileges to get a job done should be available
    - Alternative to being root or no one
    - Done at the API level
        - SetUID programs can dictate fine-grained access to kernel features
        - Can limit what privs children have
        - Should further help contain buffer overflows and other privilege escalation methods
    - Done at the user or role level
        - Allow specific users to perform specific operations regardless of the programs being run
68. Privileges - 2
    - New level of management of rights within a Solaris 10 system
    - Fine-grained privileges that can be assigned to entities
    - The kernel enforces the new requirement that, to perform a special function, the entity must have the privilege to do so.
    - Can work in parallel with traditional superuser functionality for backward compatibility.
69. Privilege Sets
    - E - Effective privilege set – the current set of privileges that are in effect
    - I - Inheritable privilege set – the set of privileges that a process can inherit across an exec()
    - P - Permitted privilege set – the set of privileges that are available for use
    - L - Limit privilege set – the outside limit of what privileges are available to a process and its children
        - Used to shrink the “I” set when a child is created, for example
70. Privileges Example
    - traceroute is now privilege enabled

        $ ls -l /usr/sbin/traceroute
        -r-sr-xr-x 1 root bin 35392 Jul 3 14:42 /usr/sbin/traceroute
        $ /usr/sbin/traceroute 1.2.3.4 &
        [2] 7841
        # pcred 7841
        7841: e/r/suid=101 e/r/sgid=14
71. Privileges Example - 2

        # ppriv -v 7841
        7841: /usr/sbin/traceroute 1.2.3.4
        flags = PRIV_AWARE
            E: file_link_any,proc_exec,proc_fork,proc_info,proc_session
            I: file_link_any,proc_exec,proc_fork,proc_info,proc_session
            P: file_link_any,net_icmpaccess,net_rawaccess,proc_exec,proc_fork,proc_info,proc_session
            L: none

    - Note an exploit needs to execute fully in the context of traceroute to make use of its privileges, because the "Limit" set is empty
72. Privileged Daemon Example

        # ppriv `pgrep rpcbind`
        153: /usr/sbin/rpcbind
        flags = PRIV_AWARE
            E: basic,!file_link_any,net_privaddr,!proc_exec,!proc_info,!proc_session,sys_nfs
            I: basic,!file_link_any,!proc_exec,!proc_fork,!proc_info,!proc_session
            P: basic,!file_link_any,net_privaddr,!proc_exec,!proc_info,!proc_session,sys_nfs
            L: basic,!file_link_any,!proc_exec,!proc_fork,!proc_info,!proc_session
73. RBAC and Privileges
    - Use RBAC to assign specific privs to roles or users
    - By default, all non-setuid processes have the “basic” set of privileges assigned
    - Create a role with that privilege and then allow the user to assume that role
    - The list of available privileges is available in privileges(5), and via the all-important ppriv command (the “-lv” options)
        - Divided into categories, including file, ipc, net, proc, and sys privileges
    - For example, enable users in role “test” to do process management and use DTrace features
        - Create “test” role in /etc/user_attr
74. RBAC and Privileges - 2

        # roleadd -u 201 -d /export/home/test -P "Process Management" test
        # rolemod -K defaultpriv=basic,dtrace_proc,dtrace_user,dtrace_kernel test
        # grep test /etc/user_attr
        test::::type=role;defaultpriv=basic,dtrace_proc,dtrace_user,dtrace_kernel;profiles=Process Management
        # passwd test
        New password:
        Re-enter new password:
        # mkdir -p /export/home/test

    - The user would need to switch to the role “test” to use
75. RBAC and Privileges - 3

        $ ppriv $$
        10897: -bash
        flags = <none>
            E: basic
            I: basic
            P: basic
            L: all
        $ dtrace -s bitesize.d
        dtrace: failed to initialize dtrace: DTrace requires additional privileges
        $ su - test
        password:
        Roles can only be assumed by authorized users
        su: Sorry

        # usermod -R test pbg
        (then login as pbg)
76. RBAC and Privileges - 4

        $ roles
        test
        $ su test
        password:
        $ ppriv $$
        11022: pfsh
        flags = <none>
            E: basic,dtrace_kernel,dtrace_proc,dtrace_user
            I: basic,dtrace_kernel,dtrace_proc,dtrace_user
            P: basic,dtrace_kernel,dtrace_proc,dtrace_user
            L: all
        $ dtrace -s bitesize.d
        . . .

    - Alternately, privileges can be directly assigned to users, as in:

        pbg::::type=normal;roles=primary_administrator,test;defaultpriv=basic,dtrace_proc,dtrace_user,dtrace_kernel
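The privilege-set bookkeeping behind slides 69 to 72 and the DTrace failure on slides 75 and 76 can be worked through in code. This is an added example, not from the deck or from Sun: it parses the ppriv output shown on the slides, expands the "basic", "!priv", "none" and "all" notation, and applies the exec() rule assumed from privileges(5) for a non-setuid, non-privilege-aware child (I' = I & L, P' = E' = I', L' = L). The "basic" set is taken from the slides; the stand-in for "all" is a constructed list of only the privilege names that appear in this deck.

```python
"""Parse ppriv(1) privilege sets and simulate what a child keeps across exec()."""
from dataclasses import dataclass

# The "basic" set exactly as ppriv expands it on the Solaris 10 box in the slides.
BASIC = frozenset({"file_link_any", "proc_exec", "proc_fork", "proc_info", "proc_session"})

# Constructed stand-in for "all": a real system has far more (see ppriv -lv).
ALL = BASIC | frozenset({
    "net_icmpaccess", "net_rawaccess", "net_privaddr", "sys_nfs", "sys_mount",
    "dtrace_proc", "dtrace_user", "dtrace_kernel", "file_dac_read", "proc_clock_high_res",
})


def parse_privset(text):
    """Expand one set string such as 'basic,!file_link_any,net_privaddr'.

    Tokens apply left to right: 'basic' and 'all' add a whole set, 'none'
    clears the set, '!name' removes one privilege, a bare name adds one.
    """
    privs = set()
    for token in filter(None, text.replace(" ", "").split(",")):
        if token == "basic":
            privs |= BASIC
        elif token == "all":
            privs |= ALL
        elif token == "none":
            privs.clear()
        elif token.startswith("!"):
            privs.discard(token[1:])
        else:
            privs.add(token)
    return frozenset(privs)


@dataclass(frozen=True)
class PrivSets:
    E: frozenset  # effective: in force right now
    I: frozenset  # inheritable: what survives an exec()
    P: frozenset  # permitted: what may be moved into E
    L: frozenset  # limit: upper bound for this process and all descendants


def parse_ppriv(output):
    """Build PrivSets from the 'E:', 'I:', 'P:', 'L:' lines of ppriv output; other lines are ignored."""
    found = {}
    for line in output.splitlines():
        line = line.strip()
        if len(line) > 1 and line[0] in "EIPL" and line[1] == ":":
            found[line[0]] = parse_privset(line[2:])
    missing = set("EIPL") - found.keys()
    if missing:
        raise ValueError("ppriv output lacks set(s): " + ",".join(sorted(missing)))
    return PrivSets(found["E"], found["I"], found["P"], found["L"])


def exec_transition(parent):
    """Sets a non-setuid, non-PRIV_AWARE program gets after exec() (assumed rule from privileges(5)).

    I' = I & L, then P' = E' = I', and L' = L. setuid-root and privilege-aware
    programs follow other rules and are not modelled here.
    """
    inherited = parent.I & parent.L
    return PrivSets(E=inherited, I=inherited, P=inherited, L=parent.L)


def missing_privs(sets, needed):
    """Privileges in `needed` absent from the effective set; empty means the operation is allowed."""
    return frozenset(needed) - sets.E


# ppriv output copied from the slides: traceroute run by uid 101, the rpcbind daemon,
# a plain bash login shell, and the pfsh obtained by assuming the "test" role.
TRACEROUTE = """7841: /usr/sbin/traceroute 1.2.3.4
flags = PRIV_AWARE
E: file_link_any,proc_exec,proc_fork,proc_info,proc_session
I: file_link_any,proc_exec,proc_fork,proc_info,proc_session
P: file_link_any,net_icmpaccess,net_rawaccess,proc_exec,proc_fork,proc_info,proc_session
L: none
"""
RPCBIND = """153: /usr/sbin/rpcbind
flags = PRIV_AWARE
E: basic,!file_link_any,net_privaddr,!proc_exec,!proc_info,!proc_session,sys_nfs
I: basic,!file_link_any,!proc_exec,!proc_fork,!proc_info,!proc_session
P: basic,!file_link_any,net_privaddr,!proc_exec,!proc_info,!proc_session,sys_nfs
L: basic,!file_link_any,!proc_exec,!proc_fork,!proc_info,!proc_session
"""
BASH = "10897: -bash\nflags = <none>\nE: basic\nI: basic\nP: basic\nL: all\n"
ROLE_SHELL = """11022: pfsh
flags = <none>
E: basic,dtrace_kernel,dtrace_proc,dtrace_user
I: basic,dtrace_kernel,dtrace_proc,dtrace_user
P: basic,dtrace_kernel,dtrace_proc,dtrace_user
L: all
"""
# What the role on slide 74 grants so dtrace(1M) can run; used as the "needed" set below.
DTRACE_PRIVS = ("dtrace_proc", "dtrace_user", "dtrace_kernel")

if __name__ == "__main__":
    for name, text in (("traceroute", TRACEROUTE), ("rpcbind", RPCBIND),
                       ("bash", BASH), ("role shell", ROLE_SHELL)):
        sets = parse_ppriv(text)
        child = exec_transition(sets)
        print(f"{name:10s} child keeps {sorted(child.E) or 'nothing'}; "
              f"missing for dtrace: {sorted(missing_privs(sets, DTRACE_PRIVS))}")
```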
77. Privilege Assignment
    - To add a privilege to a specific user, use the usermod command to add the privilege to the user’s default privileges, as in

        # usermod -K defaultpriv=basic,proc_clock_high_res jdoe

    - Unfortunately, to be able to assign a specific privilege to a specific command, the command must be written to be privilege aware
78. Privilege Assignment - 2
    - Currently, native system programs are becoming privilege aware and having a limited set of privileges assigned to them
        - Includes most setuid-root and network daemons
    - API available with privileges to allow Solaris programmers to write privilege-aware programs
    - ppriv command can be used on a program that is failing due to a lack of privilege, to determine exactly the privileges that the program needs to succeed
    - Appropriate privileges can be assigned to the program, or assigned to a role or user to allow that program to run properly when the appropriate set of users runs it
    - Good white paper by Sun about privilege-enabling an arbitrary set-UID program: http://www.sun.com/blueprints/0406/819-6320.pdf
79. Final Privilege Notes
    - ppriv allows examination of a command to determine what privileges it would need

        $ ppriv -e -D cat /etc/shadow
        cat[418]: missing privilege "file_dac_read" (euid = 21782), needed at ufs_access+0x3c
        cat: cannot open /etc/shadow

    - ppriv -l lists all available privileges
        - -v does so with details
80. /etc/passwd

        # cat /etc/passwd
        root:x:0:1:Super-User:/:/sbin/sh
        daemon:x:1:1::/:
        bin:x:2:2::/usr/bin:
        sys:x:3:3::/:
        adm:x:4:4:Admin:/var/adm:
        lp:x:71:8:Line Printer Admin:/usr/spool/lp:
        uucp:x:5:5:uucp Admin:/usr/lib/uucp:
        nuucp:x:9:9:uucp Admin:/var/spool/uucppublic:/usr/lib/uucp/uucico
        smmsp:x:25:25:SendMail Message Submission Program:/:
        listen:x:37:4:Network Admin:/usr/net/nls:
        gdm:x:50:50:GDM Reserved UID:/:
        webservd:x:80:80:WebServer Reserved UID:/:
        nobody:x:60001:60001:NFS Anonymous Access User:/:
        noaccess:x:60002:60002:No Access User:/:
        nobody4:x:65534:65534:SunOS 4.x NFS Anonymous Access User:/:
        pbg:x:101:14::/export/home/pbg:/bin/bash
        test:x:201:1::/export/home/test:/bin/pfsh
81. /etc/user_attr

        # cat /etc/user_attr
        #
        # Copyright (c) 2003 by Sun Microsystems, Inc. All rights reserved.
        #
        # /etc/user_attr
        #
        # user attributes. see user_attr(4)
        #
        #pragma ident "@(#)user_attr 1.1 03/07/09 SMI"
        #
        adm::::profiles=Log Management
        lp::::profiles=Printer Management
        root::::auths=solaris.*,solaris.grant;profiles=Web Console Management,All;lock_after_retries=no
        test::::type=role;defaultpriv=basic,dtrace_proc,dtrace_user,dtrace_kernel;profiles=Process Management
        pbg::::type=normal;roles=test
82. Labs
    - Create new user “foo”
    - Create new role “operator”
    - Find list of profiles
    - Add some profiles to role “operator”
    - Add user foo to role “operator”
    - Find list of privileges
    - Add some privileges to role “operator”
    - Add some privileges to user “foo”
    - Test user foo in role “operator”
    - Test user “foo” privileges
    - Explore the system to find all of the changes associated with the new user and role
    - What file would you need to look in during an audit to check a user for more privileges?
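To tie together the RBAC plumbing of slides 62 and 64, the role setup of slides 73 to 76, the user_attr listing on slide 81 and the audit question in the lab, here is an added example (not from the deck or from Sun) that resolves what a user may run from /etc/user_attr and /etc/security/exec_attr. The sample files are constructed from the slides' listings; the "operator" role and the /usr/bin/nischown entry are added for illustration, and nested profiles (prof_attr) are not resolved.

```python
"""Resolve a user's RBAC rights from user_attr(4) and exec_attr(4) files."""

USER_ATTR = """\
# /etc/user_attr: constructed sample based on slide 81 plus an "operator" role
adm::::profiles=Log Management
lp::::profiles=Printer Management
root::::auths=solaris.*,solaris.grant;profiles=Web Console Management,All;lock_after_retries=no
test::::type=role;defaultpriv=basic,dtrace_proc,dtrace_user,dtrace_kernel;profiles=Process Management
operator::::type=role;profiles=Name Service Security,File System Management
pbg::::type=normal;roles=test,operator
"""

EXEC_ATTR = """\
# /etc/security/exec_attr: constructed sample based on slide 64 (nischown line added)
Software Installation:suser:cmd:::/usr/bin/pkgparam:uid=0
File System Management:suser:cmd:::/usr/sbin/mount:uid=0
File System Management:solaris:cmd:::/sbin/mount:privs=sys_mount
Name Service Security:suser:cmd:::/usr/bin/nisaddcred:euid=0
Name Service Security:suser:cmd:::/usr/bin/nischown:euid=0
"""


def parse_attrs(field):
    """Turn the attr field 'key=a,b;key2=c' into {'key': ['a', 'b'], 'key2': ['c']}."""
    attrs = {}
    for item in filter(None, field.split(";")):
        key, _, value = item.partition("=")
        attrs[key.strip()] = [v.strip() for v in value.split(",") if v.strip()]
    return attrs


def parse_user_attr(text):
    """user_attr(4) lines are user:qualifier:res1:res2:attr; returns {name: attrs}."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":", 4)
        if len(fields) == 5:
            entries[fields[0]] = parse_attrs(fields[4])
    return entries


def parse_exec_attr(text):
    """exec_attr(4) lines are name:policy:type:res1:res2:id:attr; returns a list of entries."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":", 6)
        if len(fields) == 7:
            entries.append({"profile": fields[0], "policy": fields[1], "type": fields[2],
                            "id": fields[5], "attrs": parse_attrs(fields[6])})
    return entries


def rights_of(user, users, execs):
    """Privileges, roles, profiles and privileged commands reachable by `user`.

    Profiles assigned directly apply in the user's own profile shell; a role's
    profiles and defaultpriv apply only after su to that role (tagged 'via').
    """
    me = users.get(user, {})
    report = {
        # Slide 73: a process gets the "basic" set unless defaultpriv= says otherwise.
        "defaultpriv": me.get("defaultpriv", ["basic"]),
        "roles": me.get("roles", []),
        "role_privs": {},
        "profiles": [(p, None) for p in me.get("profiles", [])],
        "commands": [],
    }
    for role in report["roles"]:
        r = users.get(role, {})
        if r.get("type") != ["role"]:
            raise ValueError(f"{role} is listed in roles= but is not type=role")
        report["role_privs"][role] = r.get("defaultpriv", ["basic"])
        report["profiles"] += [(p, role) for p in r.get("profiles", [])]
    for profile, via in report["profiles"]:
        for e in execs:
            if e["profile"] == profile:
                report["commands"].append((e["id"], e["attrs"], via))
    return report


def beyond_basic(users):
    """Accounts whose defaultpriv= grants more than basic: the audit check the lab asks about."""
    return {name: [p for p in a.get("defaultpriv", []) if p != "basic"]
            for name, a in users.items() if set(a.get("defaultpriv", [])) - {"basic"}}


if __name__ == "__main__":
    users, execs = parse_user_attr(USER_ATTR), parse_exec_attr(EXEC_ATTR)
    rep = rights_of("pbg", users, execs)
    for cmd, attrs, via in rep["commands"]:
        print(f"pbg may run {cmd} with {attrs} via role {via}")
    print("accounts with extra default privileges:", beyond_basic(users))
```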
83. NFS V4
84. NFS V4 Overview
    - Stateful rather than stateless
    - All traffic uses one port number (2049)
    - Can negotiate security authentication protocol, including using Kerberos (SEAM) and DES
    - The /etc/default/nfs file uses keywords to control the NFS protocols that are used by both the client and the server
    - Uses string representations to identify the owner or group_owner, via the nfsmapid daemon
    - Supports mandatory locking (multiple lock types)
    - When you unshare a file system, all the state for any open files or file locks in that file system is destroyed
    - Servers use a pseudo file system to provide clients with access to exported objects on the server
        - Server provides a view that just includes the exported file systems
85. NFS V4 Overview - 2
    - Supports client and server recovery from a crash
    - Supports client fail-over between multiple replicated copies of a file system on different servers
    - Supports volatile file handles
    - Delegation, a technique by which the server delegates the management of a file to a client, is supported on both the client and the server. I.e. the server could grant either a read delegation or a write delegation to a client.
    - Does not use the following daemons: lockd, mountd, nfslogd, statd
86. NFS V4 Use
    - Enable it via NFS_CLIENT_VERSMIN and NFS_CLIENT_VERSMAX in the /etc/default/nfs file
87. Solaris Flash Archives
88. System Build Technology
    - What does it have to do with security?
        - Capture state of system just after virgin build
        - Fast restore
        - Useful for comparison
        - Also good for DR / BC
    - This is available pre-Solaris 10, but generally under-utilized
89. Flash Archives
    - Create master system – single reference installation
    - Then replicate master to clone systems
        - Initial install overwrites all filesystems on target clone
        - Update only includes differences between two system images (on master and clone)
        - Differential update changes only specified files of a clone based on a master
90. Flash Archives Initial Install
    - Install master server however you’d like
    - (Optional) Prepare customization scripts to reconfigure or customize the clone system before or after installation
    - Create the Solaris Flash archive. The Solaris Flash archive contains a copy of all of the files on the master system, unless you excluded some nonessential files
    - Install the Solaris Flash archive on clone systems
        - Master and clone system must have the same kernel architecture
        - Can run scripts to customize clone or install extra packages using custom jumpstart
    - (Optional) Save a copy of the master image
        - If you plan to create a differential archive, the master image must be available and identical to the image installed on the clone systems
    - Note – best to start from Entire Plus OEM install image to get all drivers clones might need
91. Flash Archives Deployment
    - Create archive after full master install but before software configuration
        - E.g. no Solaris Volume Manager config
    - Master should be as inactive as possible
    - Create archive with

        flar create -n name options path/filename

    - Save it to disk or tape
        - Make a copy for differential archive creation
        - Can keep multiple archives – just costs disk
        - Can compress archives
    - To install from an archive, select Solaris Flash installation during standard installation procedures
93. Updating Clone with Flash Differential Archive
    1. Start from master identical to clone
    2. Prepare the master system with changes
    3. (Optional) Prepare customization scripts to reconfigure or customize the clone system before or after installation
    4. Mount the directory of a copy of the saved, unchanged master image
        1. Second image is to be used to compare the two system images
        2. Mount it from a Solaris Live Upgrade boot environment
        3. Mount it from a clone system over NFS
        4. Restore from backup using the ufsrestore command
    5. Create the differential archive with the -A option of the flar create command
    6. Install the differential archive on clone systems with custom JumpStart
        1. Or, use Solaris Live Upgrade to install the differential archive on an inactive boot environment
94. Moving from NIS to LDAP
95. Why Move?
    - NIS is old, limited, not secure
        - Weak authentication
        - Not much encryption
        - Nonstandard
    - NIS+ is complicated and EOL
        - Sorry if you already moved to it
        - Don’t move to NIS+ if you haven’t already
    - LDAP is the wave of the future
        - “Standard”
        - Full features
        - Expandable, flexible, interoperable
96. NIS to LDAP Overview
    - The NIS-to-LDAP transition service (N2L service) replaces existing NIS daemons on the NIS master server with NIS-to-LDAP transition daemons
    - The N2L service also creates a NIS-to-LDAP mapping file on that server
        - Specifies the mapping between NIS map entries and equivalent Directory Information Tree (DIT) entries in LDAP
    - A transitioned server is called an N2L server
    - Slave servers do not have an NISLDAPmapping file, so they continue as usual
        - The slave servers periodically update their data from the N2L server
97. NIS to LDAP Overview - 2
    - Behavior of the N2L service is controlled by the ypserv and NISLDAPmapping configuration files
    - A script, inityp2l, assists with initial setup of configuration files. Once the N2L server has been established, you can maintain N2L by editing configuration files
    - The N2L service supports:
        - Import of NIS maps into LDAP DIT
        - Client access to DIT information with speed and extensibility of NIS
    - When using N2L, the LDAP directory is the source of authoritative data
    - Eventually, all NIS clients can be replaced by Solaris LDAP naming services clients
    - Many gory details in SysAdmin Guide to Naming and Directory Services
98. FTP Server Enhancements
99. FTP Server Enhancements
    - The sendfile() function is used for binary downloads
    - New capabilities supported in the ftpaccess file:
        - flush-wait controls the behavior at the end of a download or directory listing
        - ipcos sets the IP Class of Service for either the control or data connection
        - passive ports can be configured so that the kernel selects the TCP port to listen on
        - quota-info enables retrieval of quota information
        - recvbuf sets the receive (upload) buffer size used for binary transfers
        - rhostlookup allows or disallows the lookup of the remote host’s name
        - sendbuf sets the send (download) buffer size used for binary transfers
        - xferlog format customizes the format of the transfer log entry
    - -4 option, which makes the FTP server only listen for connections on an IPv4 socket when running in standalone mode
100. FTP Server Enhancements - 2
    - ftpcount and ftpwho now support the -v option, which displays user counts and process information for FTP server classes defined in virtual host ftpaccess files
    - The FTP client and server now support Kerberos
101. PAM Enhancements
102. PAM Enhancements
    - Pluggable Authentication Module (PAM) framework enhancements
    - The pam_authtok_check module now allows for strict password checking using new tunable parameters in the /etc/default/passwd file. The new parameters define:
        - A list of comma-separated dictionary files used for checking common dictionary words in a password
        - The minimum differences required between a new password and an old password
        - The minimum number of alphabetic or nonalphabetic characters that must be used in a new password
        - The minimum number of uppercase or lowercase letters that must be used in a new password
        - The number of allowable consecutive repeating characters
103. PAM Enhancements - 2
    - The pam_unix_auth module implements account locking for local users. Account locking is enabled by the LOCK_AFTER_RETRIES parameter in /etc/security/policy.conf and the lock_after_retries key in /etc/user_attr
    - The pam_unix module has been removed and replaced by a set of service modules of equivalent or greater functionality. Many of these modules were introduced in the Solaris 9 release. Here is a list of the replacement modules:
        - pam_authtok_check
        - pam_authtok_get
        - pam_authtok_store
        - pam_dhkeys
        - pam_passwd_auth
        - pam_unix_account
        - pam_unix_auth
        - pam_unix_cred
        - pam_unix_session
104. PAM Enhancements - 3
    - The functionality of the pam_unix_auth module has been split into two modules. The pam_unix_auth module now verifies that the password is correct for the user. The new pam_unix_cred module provides functions that establish user credential information.
    - Additions to the pam_krb5 module have been made to manage the Kerberos credentials cache using the PAM framework.
    - A new pam_deny module has been added. The module can be used to deny access to services. By default, the pam_deny module is not used.
105. /etc/default/passwd

        $ cat /etc/default/passwd
        #ident "@(#)passwd.dfl 1.7 04/04/22 SMI"
        #
        # Copyright 2004 Sun Microsystems, Inc. All rights reserved.
        # Use is subject to license terms.
        #
        MAXWEEKS=
        MINWEEKS=
        PASSLENGTH=6
        # NAMECHECK enables/disables login name checking.
        # The default is to do login name checking.
        # Specifying a value of "NO" will disable login name checking.
        #
        #NAMECHECK=NO
106. /etc/default/passwd - 2

        # HISTORY sets the number of prior password changes to keep and
        # check for a user when changing passwords. Setting the HISTORY
        # value to zero (0), or removing/commenting out the flag will
        # cause all users prior password history to be discarded at the
        # next password change by any user. No password history will
        # be checked if the flag is not present or has zero value.
        # The maximum value of HISTORY is 26.
        #
        # This flag is only enforced for user accounts defined in the
        # local passwd(4)/shadow(4) files.
        #
        #HISTORY=0
        #
107. /etc/default/passwd - 3

        # Password complexity tunables. The values listed are the defaults
        # which are compatible with previous releases of passwd.
        # See passwd(1) and pam_authtok_check(5) for use warnings and
        # discussion of the use of these options.
        #
        #MINDIFF=3
        #MINALPHA=2
        #MINNONALPHA=1
        #MINUPPER=0
        #MINLOWER=0
        #MAXREPEATS=0
        #MINSPECIAL=0
        #MINDIGIT=0
        #WHITESPACE=YES
108. /etc/default/passwd - 4

        #
        #
        # passwd performs dictionary lookups if DICTIONLIST or DICTIONDBDIR
        # is defined. If the password database does not yet exist, it is
        # created by passwd. See passwd(1), pam_authtok_check(5) and
        # mkdict(1) for more information.
        #
        #DICTIONLIST=
        #DICTIONDBDIR=/var/passwd
109. Stronger Password Crypto
    - Modify /etc/security/policy.conf to use stronger password crypto

        CRYPT_DEFAULT=md5

    - Passwords less likely to be “crack”ed if found encrypted
110. BSM
111. BSM
    - Solaris Basic Security Module
    - Also known as Solaris auditing
    - Part of Solaris for a while, but little used
    - Very detailed accounting of system / user activities
        - Can be too much – watch your disk space
    - Good article at http://www.deer-run.com/~hal/sysadmin/SolarisBSMAuditing.html
    - Except for disk space, not very resource intensive
112. BSM Setup
    - BSM not enabled by default
    - bsmconv configures BSM
        - Creates files in /etc/security
    - audit_startup runs at startup, configuring auditing via auditconfig commands

        /usr/bin/echo "Starting BSM services."
        /usr/sbin/auditconfig -setpolicy +cnt
        /usr/sbin/auditconfig -conf
        /usr/sbin/auditconfig -aconf
113. BSM Setup – cont

audit_control is the primary config file:
  dir:/var/audit
  flags:
  minfree:20
  naflags:lo
flags defines the audit events to pay attention to
naflags defines the non-attributable events to pay attention to
audit_event can fine-tune auditing (defines events and divides them into classes)
audit_class defines masks for accessing classes
114. BSM Setup - cont

Run audit -n out of cron to cycle the (otherwise infinite) log file:
  0 * * * * /usr/sbin/audit -n
Compress and move the audit log to secure storage
Do so rapidly on security-conscious machines (e.g. web servers)
auditreduce can extract specific info from an audit log
praudit can dump native audit binary data for readability
115. BSM Tuning

Recommended auditing settings for more security-conscious systems from http://www.cisecurity.com/bench_solaris.html
Generated via this awk script (adds the cc class to file-modification and process events, minus a few noisy ones):
  awk 'BEGIN { FS = ":"; OFS = ":" }
       ($4 ~ /fm/) && ! ($2 ~ /MCTL|FCNTL|FLOCK|UTIME/) { $4 = $4 ",cc" }
       ($4 ~ /p[cms]/) && ! ($2 ~ /FORK|CHDIR|KILL|VTRACE|SETGROUPS|SETPGRP/) { $4 = $4 ",cc" }
       { print }' audit_event > audit_event.new
And the associated audit_control configuration:
  dir:/var/audit
  minfree:20
  flags:lo,ad,cc
  naflags:lo,ad,ex
116. Auditing Enhancements
117. Auditing Enhancements

Can use the syslog utility to store audit records in text format
Enable and configure in /etc/security/audit_control:
  dir:/var/audit
  flags:lo,ad,-fm
  minfree:20
  naflags:lo,ad
  plugin:name=audit_syslog.so;p_flags=lo,+ad;qsize=512
Add audit.notice /var/adm/auditlog to /etc/syslog.conf
touch /var/adm/auditlog
Use logadm to manage the logs
praudit -x creates output formatted in XML
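Added example, not from the tutorial or from Solaris, serving the audit_control slides above (113, 115 and 117): a Python resolver that reads flags-style class lists with their + and - prefixes, decides which audit_event entries will have successes and failures recorded, and checks that a syslog plugin's p_flags does not ask for more than flags/naflags already select. The audit_event lines are constructed; the event numbers and class assignments are illustrative.

```python
# Constructed audit_event lines (number:name:description:classes); event numbers
# and classes are illustrative, not copied from a real system.
AUDIT_EVENT = """\
6152:AUE_login:login - local:lo
6153:AUE_logout:logout:lo
10:AUE_chmod:chmod(2):fm
12:AUE_chown:chown(2):fm
23:AUE_execve:execve(2):ps,ex
40:AUE_setgroups:setgroups(2):pm
""".splitlines()

def parse_flags(spec):
    """'lo,ad,-fm' -> {class: (record_successes, record_failures)}: no prefix
    selects both, '+' successes only, '-' failures only (audit_control(4))."""
    sel = {}
    for item in filter(None, (s.strip() for s in spec.split(","))):
        prefix, cls = (item[0], item[1:]) if item[0] in "+-" else ("", item)
        sel[cls] = (prefix != "-", prefix != "+")
    return sel

def selected_events(event_lines, spec):
    """Which audit_event entries have successes/failures recorded under 'spec';
    returns {event_name: (success, failure)}, omitting unselected events."""
    sel, out = parse_flags(spec), {}
    for line in event_lines:
        if not line or line.startswith("#"):
            continue
        _num, name, _desc, classes = line.split(":", 3)
        succ = fail = False
        for cls in classes.split(","):
            s, f = sel.get(cls, (False, False))
            succ, fail = succ or s, fail or f
        if succ or fail:
            out[name] = (succ, fail)
    return out

def p_flags_not_covered(p_flags, flags, naflags):
    """audit_syslog.so p_flags picks from records flags/naflags already select;
    return p_flags classes that ask for more than audit_control records."""
    base = parse_flags(flags)
    for cls, (s, f) in parse_flags(naflags).items():
        bs, bf = base.get(cls, (False, False))
        base[cls] = (bs or s, bf or f)
    bad = []
    for cls, (s, f) in parse_flags(p_flags).items():
        bs, bf = base.get(cls, (False, False))
        if (s and not bs) or (f and not bf):
            bad.append(cls)
    return bad
```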
118. Auditing Enhancements - 2

Audit metaclasses provide an umbrella for finer-grained audit classes
The bsmconv command no longer disables the use of the Stop-A key
The Stop-A event can be audited
The timestamp in audit records now displays in ISO 8601 format
Three audit policy options have been added:
  public – Public objects are no longer audited for read-only events, reducing the audit log size
  perzone – A separate audit daemon runs in each zone
  zonename – The name of the Solaris zone in which an audit event occurred can be included in audit records
119. Auditing Enhancements - 3

Five audit tokens have been added:
  The cmd token records the list of arguments and the list of environment variables that are associated with a command
  The path_attr token records the sequence of attribute file objects that are below the path token object
  The privilege token records the use of privilege on a process
  The uauth token records the use of authorization with a command or action
  The zonename token records the name of the non-global zone in which an audit event occurred
120. Solaris Cryptographic Framework
121. Crypto Framework

Provides a common store of crypto algorithms and PKCS #11 libraries optimized for SPARC and x86
PKCS #11 – public key crypto standard defining a technology-independent API for crypto devices
Currently provides IPSec and Kerberos to the kernel, and libsasl and IKE to users, via plugins:
  User-level plugins – Shared objects that provide services by using PKCS #11 libraries, such as pkcs11_softtoken.so.1
  Kernel-level plugins – Kernel modules that provide implementations of cryptographic algorithms in software, such as AES
  Hardware plugins – Device drivers and their associated hardware accelerators, e.g. the Sun Crypto Accelerator 1000 board
Framework implements a standard interface, the PKCS #11, v2.11 library, for user-level providers
  Can be used by third-party applications to reach providers
Third parties can add signed libraries, signed kernel algorithm modules, and signed device drivers to the framework
  Plugins are added when the pkgadd utility installs the third-party software
122. Figure 8–1 Overview of the Solaris Cryptographic Framework (From Solaris 10 Solaris Security for Developers Guide)
123. Crypto Framework Admin

Administration via the cryptoadm command:
  $ cryptoadm list
  user-level providers:
  /usr/lib/security/$ISA/pkcs11_kernel.so
  /usr/lib/security/$ISA/pkcs11_softtoken.so
  kernel software providers:
  des
  aes
  arcfour
  blowfish
  sha1
  md5
  rsa
  swrand
  kernel hardware providers:
124. Crypto Framework User Commands

digest – Computes a message digest for one or more files or for stdin. A digest is useful for verifying the integrity of a file. SHA1 and MD5 are examples of digest functions.
mac – Computes a message authentication code (MAC) for one or more files or for stdin. A MAC associates data with an authenticated message. A MAC enables a receiver to verify that the message came from the sender and that the message has not been tampered with. The sha1_hmac and md5_hmac mechanisms can compute a MAC.
encrypt – Encrypts files or stdin with a symmetric cipher. The encrypt -l command lists the algorithms that are available. Mechanisms that are listed under a user-level library are available to the encrypt command. The framework provides AES, DES, 3DES (Triple-DES), and ARCFOUR mechanisms for user encryption.
decrypt – Decrypts files or stdin that were encrypted with the encrypt command. The decrypt command uses the identical key and mechanism that were used to encrypt the original file.
125. Key Generation

For MAC and encryption, you need a symmetric key
Determine the algorithm to use and the length of key needed:
  $ encrypt -l
  Algorithm       Keysize:  Min   Max (bits)
  ------------------------------------------
  aes                       128   128
  arcfour                     8   128
  des                        64    64
  3des                      192   192

  $ mac -l
  Algorithm       Keysize:  Min   Max (bits)
  ------------------------------------------
  des_mac                    64    64
  sha1_hmac                   8   512
  md5_hmac                    8   512
126. Encrypting

Use a random number generator, or dd, to create a key
Note that bs is in bytes, so divide bits by 8:
  $ dd if=/dev/random of=keyfile bs=n count=1
Protect the key in the keyfile:
  $ chmod 400 keyfile
Example for AES:
  $ dd if=/dev/random of=$HOME/keyf/05.07.aes16 bs=16 count=1
  $ chmod 400 ~/keyf/05.07.aes16
Now use the key to create an MD5 MAC:
  $ mac -v -a md5_hmac -k $HOME/keyf/05.07.mack64 email.attach
  md5_hmac (email.attach) = 02df6eb6c123ff25d78877eb1d55710c
  % echo "md5_hmac (email.attach) = 02df6eb6c123ff25d78877eb1d55710c" >> ~/mac.daily.05.07
127. Decrypting and verifying

Example - Use AES for encryption using a keyphrase:
  $ encrypt -a aes -i ticket.to.ride -o ~/enc/e.ticket.to.ride
  Enter key: <Type passphrase>
The opposite of encrypt is decrypt:
  $ decrypt -a aes -i ~/enc/e.ticket.to.ride
  Enter Key:
  <decrypted message is output>
128. Labs

Pick an encryption algorithm and key length, and encrypt and decrypt a sample message
How do we use the MAC shown in the above slides?
Compute a MAC or digest, modify a sample message, and then recompute
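Added example, not from the tutorial or from Solaris, answering the lab question about the MAC on slide 126: Python's hmac module with MD5 is the same HMAC-MD5 construction as the md5_hmac mechanism of mac(1), so the code recomputes the MAC of the attachment, compares it with the line recorded in the mac.daily file, and shows that a modified message or a different key no longer verifies. The key bytes and attachment contents are constructed stand-ins for the 05.07.mack64 keyfile and email.attach.

```python
import hmac, hashlib, re

# Constructed stand-ins: a 64-bit key like 'dd if=/dev/random bs=8 count=1' would
# write to 05.07.mack64, a second key for the negative test, and the attachment.
KEY = bytes.fromhex("0f1e2d3c4b5a6978")          # constructed, not a real key
OTHER_KEY = bytes.fromhex("0000000000000001")    # constructed
ATTACHMENT = b"Meeting moved to 09:00.\n"        # constructed email.attach

def md5_hmac(key, data):
    """HMAC-MD5, the md5_hmac mechanism of mac(1); mac -l allows 8..512-bit keys."""
    if not 1 <= len(key) <= 64:
        raise ValueError("md5_hmac key must be 8 to 512 bits")
    return hmac.new(key, data, hashlib.md5).hexdigest()

def mac_line(name, key, data):
    """The 'md5_hmac (file) = hex' line that mac -v prints and the slide appends to mac.daily."""
    return "md5_hmac (%s) = %s" % (name, md5_hmac(key, data))

LINE_RE = re.compile(r"^(\w+) \((.+)\) = ([0-9a-f]+)$")

def verify_against_daily(daily_text, name, key, data):
    """Recompute the MAC of 'data' and compare it (constant time) with the value
    recorded for 'name' in the mac.daily text; False means tampered or not recorded."""
    for line in daily_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(1) == "md5_hmac" and m.group(2) == name:
            return hmac.compare_digest(m.group(3), md5_hmac(key, data))
    return False

def demo():
    """Record the MAC, then verify the original, a modified copy, and a wrong key."""
    daily = mac_line("email.attach", KEY, ATTACHMENT) + "\n"
    ok = verify_against_daily(daily, "email.attach", KEY, ATTACHMENT)
    tampered = verify_against_daily(daily, "email.attach", KEY,
                                    ATTACHMENT.replace(b"09:00", b"10:00"))
    wrong_key = verify_against_daily(daily, "email.attach", OTHER_KEY, ATTACHMENT)
    return ok, tampered, wrong_key   # (True, False, False)
```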
129. Kerberos Enhancements
130. Kerberos Enhancements

The KDC software, the user commands and applications now support TCP
Support for IPv6 was added to the kinit, klist and kprop commands
  Support for IPv6 addresses is provided by default; there are no configuration parameters to change to enable IPv6 support
  No IPv6 support is available for the kadmin and kadmind commands
A new PAM module called pam_krb5_migrate has been introduced
  Helps in the automatic migration of users to the local Kerberos realm, if they do not already have Kerberos accounts
The ~/.k5login file can now be used with the GSS applications ftp and ssh
The kproplog utility has been updated to output all attribute names per log entry
131. Kerberos Enhancements - 2

Kerberos protocol support is provided in remote applications, such as ftp, rcp, rdist, rlogin, rsh, ssh, and telnet
The Kerberos principal database can now be transferred by incremental update instead of by transferring the entire database each time:
  Increased database consistency across servers
  The need for fewer resources (network, CPU, and so forth)
  Much more timely propagation of updates
  An automated method of propagation
132. Kerberos Enhancements - 3

A new script to help automatically configure a Kerberos client
Several new encryption types have been added to the Kerberos service:
  The AES encryption type can be used for high speed, high security encryption of Kerberos sessions. The use of AES is enabled through the Cryptographic Framework.
  ARCFOUR-HMAC provides better compatibility with other Kerberos versions.
  Triple DES (3DES) with SHA1 increases security. This encryption type also enhances interoperability with other Kerberos implementations that support this encryption type.
133. Kerberos Enhancements - 4

A new -e option has been included in several subcommands of the kadmin command. This new option allows for the selection of the encryption type during the creation of principals.
Additions to the pam_krb5 module manage the Kerberos credentials cache by using the PAM framework.
Support is provided for auto-discovery of the Kerberos KDC, admin server, kpasswd server, and host or domain name-to-realm mappings by using DNS lookups
A new configuration file option makes the strict TGT verification feature optionally configurable on a per-realm basis
134. Kerberos Enhancements - 5

Extensions to the password-changing utilities enable the Solaris Kerberos V5 administration server to accept password change requests from clients that do not run Solaris software.
The default location of the replay cache has been moved from RAM-based file systems to persistent storage in /var/krb5/rcache
The GSS credential table is no longer necessary for the Kerberos GSS mechanism
The Kerberos utilities, kinit and ktutil, are now based on MIT Kerberos version 1.2.1
The Solaris Kerberos Key Distribution Center (KDC) is now based on MIT Kerberos version 1.2.1
Note that Kerberos V5 support means that (theoretically) NFS traffic can now be encrypted
135. Packet Filtering
136. Packet Filtering Overview

Solaris used to have nothing, then SunScreen was commercial, then SunScreen was included, now ipfilter is standard
Solaris IP Filter is a host-based firewall that is derived from the open source IP Filter code, developed and maintained by Darren Reed
Based on version 4.0.33 of the open source IP Filter
Uses the STREAMS module, pfil, to intercept packets
By default, pfil is not autopushed onto network interface cards (NICs); autopush of pfil is disabled for all drivers
137. Packet Filtering Overview - 2

Provides packet filtering and network address translation (NAT), based upon a user-configurable policy
Rules are configurable to filter either statefully or statelessly
Command line interface only:
  ipf for loading or clearing packet filter rules
  ipnat for loading or clearing NAT rules
  ippool for managing address pools associated with IP rules
  ipfstat for viewing per-interface statistics
  ipmon for viewing logged packets
Good info at http://www.obfuscation.org/ipf/
Only works in the global zone (so far)