By Seán Boran
www.boran.com/security/sp/Solaris_hardening4.html
This article presents a concise step-by-step approach to securely installing Solaris for use in a firewall DMZ or other sensitive environment, using Sun's Jass tool (and with Solaris 8 the Sunscreen EFS lite firewall). This article was written (and tested) for Solaris 8, but the techniques described here should work fine on earlier versions too.
The hardening process is divided into the following steps:
- Preparation
News: 27.Jan'03 Corrections to sendmail setup.
22.Mar'02: The latest version of Jass is v0.3.5. The changes to Jass between these versions concern primarily new Driver profiles, new template and support for Solaris- Initial OS installation
- Install Jass
- Mounting file systems restrictively in /etc/vfstab
- Install a local firewall: Sunscreen EFS lite or IPF
- More hardening: routing, email, resolver, tools
- Patches
- RPC
- Logging, Cron, Permissions
- Limiting SUID Files
- Install an Integrity Checker: e.g. Tripwire
- Install, test, harden applications
- Going Live
Reference section
We assume that a "manual", as opposed to automated Jumpstart installation is used.
Connect the serial console, switch on, halt to the OK prompt by sending a Stop-A (~#,
~%b, or F5 depending on whether you use tip, cu or a vt100 terminal),
then start the installation procedure: boot cdrom - install .
Note: On Solaris 8, make sure your use "Software CD#1" and not the
"Installation CD".
Install the end user bundle (or even better only the core packages which take only 110MB), set hostname, terminal, IP parameters, timezone, etc. Don't enable any naming services like NIS or NFS. Don't enable power management, or mount any remote file systems (NFS).
| C-shell fans: If you use the C-Shell, the following will make command-line editing easier and enable history functions: csh; |
|||
Note: On Solaris 8, the user bundle can be customised via "F4", packages can be
added or removed.
Choose manual disk partitioning:
Reboot.
Set a strong password (7 or 8 chars with numbers, letters and punctuation) for root.
The installation is documented in /var/sadm/install_data/install_log
Next, we install man pages not included in the User Bundle and the recommended patches.
| Package notes: "core" bundle users may wish to add other useful packages now, for example: Terminfo: SUNWter Showrev: SUNWadmfw SUNWadmc The user bundle needs extra packages for compiling: SUNWarcx SUNWarc SUNWbtoox SUNWbtool SUNWbtoox SUNWdplx SUNWsprox SUNWhea SUNWlibm SUNWdfbh SUNWcg6h SUNWscpux For Sunscreen
3.1: SUNWeuluf SUNWsprot SUNWmfrun |
No man pages are installed with the user bundle, so install them while the Solaris CD is still mounted. Note: if you only installed the core bundle, SUNWlibc is needed for viewing the man pages (which needs sgml2roff), so add this package as well if needed (it is on CD#1 on Solaris8).
cd /cdrom/cdrom0/s0/Solaris_2.6/Product;
pkgadd -d . SUNWman SUNWdtma SUNWjvman SUNWpmowm SUNWolman SUNWxwmancd /cdrom/cdrom0/s0/Solaris_2.7/Product;
pkgadd -d . SUNWman SUNWdtmaz SUNWdtma SUNWjvman SUNWpmowm SUNWxwmanOn Solaris 8, insert CD#2. To save space, the man pages could be limited to the standard ones and java:cd /cdrom/cdrom0/Solaris_*/Product;
pkgadd -d . SUNWman SUNWjvman SUNWj2manWhile we're here, we'll install compression tools-
zlib (for OpenSSH) and bash/tcsh (because they are nice shells :).
pkgadd -d . SUNWgzip SUNWbash SUNWbzip SUNWtcsh SUNWzlibUpdate indices, so that "man -k keyword" will allow searching of relevant man pages:
/usr/lib/makewhatis /usr/man;
/usr/lib/makewhatis /usr/openwin/man;
Patches
| If you're impatient to learn about patch management tools for existing hosts, jump to the Patches section. |
Download and install the latest recommended and security patch bundle from Sun:
| Solaris | URL |
| 2.6 SPARC | ftp://sunsolve.sun.com/pub/patches/2.6_Recommended.tar.Z |
| 7 SPARC | ftp://sunsolve.sun.com/pub/patches/7_Recommended.zip |
| 7 Intel | ftp://sunsolve.sun.com/pub/patches/7_x86_Recommended.zip |
| 8 SPARC | ftp://sunsolve.sun.com/pub/patches/8_Recommended.zip |
| 8 Intel | ftp://sunsolve.sun.com/pub/patches/8_x86_Recommended.zip |
| 9 SPARC | ftp://sunsolve.sun.com/pub/patches/9_Recommended.zip |
These files can be many tens of megabytes, since they cover all Solaris packages, not just those relevant to your installation. The uncompressed versions can run to over 150MB.
- Have a quick read of the CLUSTER_README file.
- Save a log of what patches are installed already and unzip patches:
Core install notes: If the system was only installed with the "core" bundle, showrev will not be available (it requires the package SUNWadmfw). In this case, on Solaris 7 and later use patchadd -p.
Patchadd on Solaris 7 needs a little tweak to work with core only packages though:
cd /usr/sbin;
mv patchadd patchadd-orig;
sed s/\\/xpg4// patchadd-orig > patchadd;
chown root:bin patchadd;
chmod 555 patchadd;
cd /opt/install;
showrev -p > patches.before;
unzip -q *Recommended.zip;- When the bundled is unzipped, it creates a subdirectory. To install all the patches in one go, change to the subdirectory and run the install script, with either of the following methods:
a) On a new system where de-installation is unlikely to be necessary, install without being able to remove patches. This will save lots of disk space:
cd *Recommended;
./install_cluster -nosave;b) Installation on an existing system, or where de-installation of the patches must be possible if the patch cluster messes things up (this will take more disk space as copies are saved in /var/sadm/patch). Patches can only be individually de-installed, there is not "deinstall_cluster" functionality.
cd *Recommended;
./install_cluster;
- Some patches installations may give warnings/errors:
- "return code 8" means that the patch in question cannot be applied because the relevant Solaris modules are not installed. This error can be ignored.
- "return code 2" indicates patches are already installed. This error can be ignored.
- "return code 25" means a patches requires another patch that is not yet installed. Try re-installing the bundle when finished, it may be a problem with the order of the installation of patches.
- Other errors should be investigated. Check the patch installation log:
more /var/sadm/install_data/Solaris_*Recommended_log
- Check to see what patches were actually installed:
cd ..;
showrev -p > patches.after;
diff patches.after patches.before;
Reboot and logon again as root.
Note: patches will be checked and updated again, in more detail, in the Patch section below.
See the section Jass Overview for an overview of this tool. This section has been tested with Jass v0.30 and v0.31.
First: Record a log of all command actions/taken in the this section, by running:
script -a /jassinstall.log
which will keep a log of all commands and results in jassinstall.log. This may be useful for browsing through later.
Download SUNWjass-0.3.5.pkg [1] to the target, e.g. to /opt/install.
Shutdown the network interface during this next phase, just in case (the interface name depends on the architecture e.g. le0 on old SPARCs):
ifconfig hme0 down
Install the Jass package, no actual hardening is done at this stage. An example log of the output is at [1]
pkgadd SUNWjass-0.3.5.pkg/opt/SUNWjass;
cd
Next we tune some Jass configuration settings
a) /opt/SUNWjass/Drivers/user.init is created with some custom settings, to tailor behaviour for this system. First copy /opt/SUNWjass/Drivers/user.init.SAMPLE to /opt/SUNWjass/Drivers/user.init and add the following to the bottom:
# user.init
# sb, 02.Oct.01
JASS_AGING_MAXWEEKS="26"
JASS_AGING_WARNWEEKS="1"
JASS_AGING_MINWEEKS="0"
JASS_LOGIN_RETRIES="5"
JASS_PASS_LENGTH="6"
JASS_SENDMAIL_MODE="\"\""
JASS_TMPFS_SIZE="200m"
JASS_UMASK="027"
JASS_SHELL_DISABLE="/sbin/noshell"
JASS_CRON_LOG_SIZE="20480";
## v0.3.1
## Don't save files replaced by patches:
JASS_REC_PATCH_OPTIONS="-o -d"b) I don't wish to enable BSM auditing or have process accounting, so comment out the lines "enable-bsm.fin" and "enable-process-accounting.fin" in Drivers/hardening.driver and Drivers/undoable-hardening.driver (jass v0.31).
d) If you didn't install the latest recommended patches above, Jass will do it for you, if you extract them into the 'Patches' directory. For example the Solaris 8 recommended bundles would be extracted into Patches/8_Recommended.
e) Jass with run Casper Dik's Fix-modes to tighten up file permissions, if you download FixModes.tar.Z from the Jass site to
/opt/SUNWjass/Packages.I recommend you do this.
Then we run Jass to do the actual hardening for standalone use:
/opt/SUNWjass/jass-execute -d hardening.driver
Switch off the scripting, remove the install directory if desired.
# exit
Script done, file is /jassinstall.log
Now reboot for the changes to have effect:
# reboot
Check for error messages on the console, fix if necessary. Login as root and check the process list, it should be something like the following example for Solaris 8:
# ps -ef
UID PID PPID C STIME TTY TIME CMD
root 0 0 3 17:05:33 ? 0:17 sched
root 1 0 0 17:05:33 ? 0:00 /etc/init -
root 2 0 0 17:05:33 ? 0:00 pageout
root 3 0 0 17:05:33 ? 0:00 fsflush
root 258 1 0 17:06:11 ? 0:00 /usr/lib/saf/sac -t 300
root 261 258 0 17:06:12 ? 0:00 /usr/lib/saf/ttymon
root 129 1 0 17:06:07 ? 0:00 /usr/sbin/in.routed -q
root 46 1 0 17:05:42 ? 0:00 /usr/lib/sysevent/syseventd
root 239 1 0 17:06:10 ? 0:00 /usr/lib/sendmail -q15m
root 218 1 0 17:06:08 ? 0:00 /usr/sbin/inetd -s -t
root 226 1 0 17:06:09 ? 0:00 /usr/sbin/syslogd -t
root 247 1 0 17:06:10 ? 0:00 /usr/sbin/vold
root 233 1 0 17:06:09 ? 0:00 /usr/sbin/cron
root 242 1 0 17:06:10 ? 0:00 /usr/sbin/nscd
root 251 1 0 17:06:11 ? 0:00 /usr/lib/utmpd
- Although inetd is running, no services are available in inetd.conf.
- Sendmail is left running is Queue mode (will deliver but not accept remote emails), which is fine.
- The routing daemon is left running in "quiet mode", if more that one interface is present.
- The following daemons are left running because they're not considered risky. Personally, I would prefer to stop every daemon that is not strictly necessary.
root 43 1 0 10:17:59 ? 0:00 /usr/lib/devfsadm/devfseventd
root 45 1 0 10:18:00 ? 0:00 /usr/lib/devfsadm/devfsadmd
root 46 1 0 17:05:42 ? 0:00 /usr/lib/sysevent/syseventd
root 247 1 0 17:06:10 ? 0:00 /usr/sbin/vold
root 242 1 0 17:06:10 ? 0:00 /usr/sbin/nscd
root 251 1 0 17:06:11 ? 0:00 /usr/lib/utmpdnetstat -a shows only SSH listening (if you have SSH installed).
If at this stage, you're convinced that you really will run Jass on your system, first read through the Jass Tips section. The following sections go through further configuration issues to complement the Jass settings.
SSH note: SSH is a good thing, essential for every UNIX box. There are several SSH variants (see the SSH section).
-----------------
TBD: need to write a note about Jass + jumpstart and what follows later on.
Several options can be set to improve the security and robustness of filesystems when they are mounted. Run the mount command to check that filesystems options are effective.
| Mount option | OS | Description | When to use it |
| nosuid | 2.x | Disables SUID programs, but also disables devices! | /var or /home or data disks where no SUID programs, or devices
(and hence chroot environments are used). /tmp won't work either, unless it is on disk. |
| logging | 2.7 or later | keeps a transaction log within the mounted partition. The advantage is an almost instantaneous filesystem check - which may take a considerable while with larger hard-disks, e.g. 50 GB. The disadvantage is the additional time spent writing the transaction log. | /usr /opt /home Recommended for all file systems except: root (if Veritas VxVM is used), or where file write performance is critical. |
| noatime | 2.7 or later | allows mounting file systems without updating inodes at each
access to any file. This will significantly speed up services like web caches or news
servers, which do a lot of file IO with small files. BUT, it make forensics more difficult in case of an intrusion, since access times are not recorded. |
/var or any partition where lots of file access are expected (web cache or news partitions). |
| size=200m | 2.5.1 or later | Allow /tmp to only use 200MB of swap space. The value could be set to say 30% of swap space. | /tmp |
| ro | 2.x | Read-only Mounting filesystems read-only provides only a limited protection against Trojans/attackers (if they get root, they can remount read-write). It may save time fsck'ing when booting, can improve performance (access times don't need to be updated) and can prevent the sysadmin from making mistakes or help detecting mistakes (accidentally deleting files etc.). |
Mounting read-only is a major argument for maintaining
separate file systems for /usr or /opt. Note that to mount /usr read-only, /usr/local often needs to be on a different partition. |
Be very careful when editing vfstab, e.g. an error on the / or /usr lines can render the system unbootable! If this happens, boot from cdrom in single user mode, mount the problem disk, correct vfstab and reboot. Some examples of vfstab entries are:
A simple server with only a root and /var partition, running Solaris 2.8:
fd - /dev/fd fd - no - /proc - /proc proc - no - /dev/dsk/c0t3d0s1 - - swap - no logging /dev/dsk/c0t3d0s0 /dev/rdsk/c0t3d0s0 / ufs 1 no logging /dev/dsk/c0t3d0s7 /dev/rdsk/c0t3d0s7 /var ufs 1 no logging,nosuid,noatime swap - /tmp tmpfs - yes size=100m
and on a larger server:
fd - /dev/fd fd - no - /proc - /proc proc - no - swap - /tmp tmpfs - yes size=200m /dev/dsk/c0t8d0s0 /dev/rdsk/c0t8d0s0 / ufs 1 no logging /dev/dsk/c0t8d0s1 - - swap - no - /dev/dsk/c0t8d0s4 /dev/rdsk/c0t8d0s4 /usr ufs 1 no logging /dev/dsk/c0t8d0s6 /dev/rdsk/c0t8d0s6 /var ufs 1 no nosuid,noatime,logging /dev/dsk/c0t8d0s5 /dev/rdsk/c0t8d0s5 /opt ufs 2 yes logging
Reboot to allow the vfstab values to have effect.
For maximum protection, a local firewall can be installed:
Sunscreen lite can be used to protect network communications to the local machine (among other things). Below we present a quick overview of setting up some simple rules on the command line, see [9] for a detailed discussion of Sunscreen configuration.
| Sunscreen Tip: Sun have published a paper on the Sunscreen lite v3.1, 18 months after this section was written, so it's worth checking out [9] .Likewise the Sunscreen Lite install doc is now online. |
|||
pkgadd -d /cdrom/sol_8_sparc_2/Solaris_8/Product SUNWsprot
Now go to the Sunscreen package directory and start a GUI installation tool:
/cdrom/cdrom0/SunScreen/screenInstaller
or a terminal hands-off installation:
./installer -nodisplay
# cd /opt/SUNWicg/SunScreen/bin;
# ./ssadm active
Active configuration: www default Initial.2# ./ssadm edit Initial
edit> list rule
1 "common" "*" "*" ALLOW
edit> list address
"*" RANGE 0.0.0.0 255.255.255.255
"le0.net" RANGE 176.17.17.0 176.17.17.255
"localhost" HOST
"smtp-server" HOST 1.1.1.1
"www_le0" GROUP { } { }
edit> list service common
"common" GROUP "tcp all" "udp all" "syslog" "dns" "rpc all" "nfs prog" "icmp all" "rip" "ftp" "rsh" "real audio" "pmap udp all" "pmap tcp all" "rpc tcp all" "nis" "archie" "traceroute" "ping"
So we see that the default policy allows quite a few services through.
Let's presume that we are setting up a HTTPD server (on port 80) and intend to manage it via SSH. We also want to allow ping and traceroute for initial trouble shooting. We could then create and active the new firewall policy restricting access to these services as follows
# ./ssadm edit Initial
edit> add service ssh SINGLE FORWARD "tcp" PORT 22
edit> add service myhttp GROUP ping traceroute ssh www
edit> replace rule 1 ALLOW myhttp "*" "*"
edit> list rule
1 "myhttp" "*" "*" ALLOW
edit> save
edit> verify
Configuration verified successfully (not activated).
edit> quit
www# ./ssadm activate Initial
Configuration activated successfully on www.Voila!
# cd /opt/SUNWicg/SunScreen/bin;
# ./ssadm edit Initial
edit> add address mgt_net RANGE 176.17.17.0 176.17.17.255
edit> add service mgt GROUP ping traceroute ssh
edit> add service https SINGLE FORWARD "tcp" PORT 443
edit> add service outgoing GROUP ping traceroute dns
edit>
edit> replace rule 1 ALLOW www "*" localhost
edit> replace rule 2 ALLOW https "*" localhost
edit> replace rule 3 ALLOW mgt mgt_net localhost
edit> replace rule 4 ALLOW outgoing localhost "*"
edit> replace rule 5 ALLOW smtp localhost mgt_net
edit>
edit> save
edit> verify
Configuration verified successfully (not activated).
# ./ssadm activate Initial
Configuration activated successfully on www.
Now test the network connections, to ensure the rules have the desired effect. To rollback to the initial configuration, delete all rules and add:
replace rule 1 ALLOW "common" "*" "*"
Finally, we can stop the remote Firewall management GUI. Why would we do this? If we are comfortable with the command line "ssadm" then one daemon more and one more configuration interface, that needs to be correctly configured and watched.
Disabling the following line in /etc/rc2.d/S63sunscreen
$SS_LIBDIR/run_httpd start efshttpdIn /opt/SUNWicg/SunScreen/lib/ss_boot, disable:
$SS_LIBDIR/ssadmserver start >/dev/console 2>&1
See also [9] for a detailed discussion of Sunscreen configuration.
The system has now gone through a first hardening phase and should be still working! Boot and login on the console as root. Check for error messages on the console, fix if necessary.
pkgrm SUNWsndmr SUNWsndmu) if you
don't need any kind of email. Otherwise,newaliases.
Dj$w.YOURDOMAIN.COM.
DSmailhost
DRmailhost
DHmailhost
O FallbackMXhost=mailhost/etc/mail/submit.cf to:DSmailhost$?m.$m$. MODE="" in /etc/init.d/sendmail)
to retry deliveries that fail initially. If Jass was not used for
hardening and sendmail has been stopped, /usr/lib/sendmail -q
can be added to the root crontab. Reboot, check for errors.
Install tools and scripts: All tools should already have been compiled and tested extensively on another machine. [These can be installed via Jumpstart, see Jass Tips]
Wait, don't skip to the next section just yet! Yes, patches make us all yawn... are they a waste of time? This sections presents some strategies for handling patches and tools to make life easier.
During installation, the Solaris recommend patch bundle was installed. However, not all security fixes are included in this bundle, and as time goes by you'll have to check regularly for new patches. Systems which have security patches installed are more secure than those which don't. For overview of the concepts of Solaris Patching, see "A SunSolve Patch Primer" [15].
Weakness are continually discovered in Solaris and 3rd party applications. Not only do the weakness pose threats but the volume of weaknesses and patches can be a threat: if not managed carefully, they will consume too much time or they will be simple ignored.
The first problem is to be aware that weaknesses and/or patches actually exist. Possible strategies are:
How do you decide whether a weakness is worth patching?
Warning: Patches may reverse some of Jass's changes. So reboot after applying patches, check carefully that no unexpected daemons are running and consider re-running Jass (it is designed to allow multiple runs).
Some patches installations may give warnings/errors:
RPC services should be avoided on sensitive servers, such as those on the Internet or in a DMZ. RPC uses dynamic ports and provides no standard access control methods. However, some programs insist on having RPC e.g. CDE, OpenWindows, Disksuite and Legato Networker. If possible avoid RPC, otherwise....
Improving Disksuite Security:
Disksuite is a tool bundled with Solaris that allows disks to be mirrored or gathered into RAID sets. This is useful feature to have in the system. The problem is that Disksuite uses RPC (specifically: two programs rpc.metamhd and rpc.metad which run from inetd).
How can Disksuite security be improved?
- Don't run Disksuite. This is my often choice.
- Hardware RAID systems have the advantage that no special software like Disksuite is needed. This is better for secure systems (simplicity) and in disaster scenarios you may find Disksuite isn't all that easy to handle.
- For system disks (where data does not change often), I've written a script for backing up boot disks with cpio. See also the section Boot disk backup.
- Run Disksuite but stop the associated RPC services (in /etc/inetd.conf) and stop rpcbind:
- The "metad" service can be disabled but this means the "metatool" will not work. Command line tools will work fine -- and you should know them in any case for disaster scenarios with system disks.
- The "metamhd" service can be disabled but this means you cannot share metadevices between systems.
OK, let's get back to general measures for RPC security:
- host access control on IP addresses. The local host is considered authorized. Host access control requires the libwrap.a library that comes with recent tcp wrapper implementations.
- requests that are forwarded by the rpcbind process will be forwarded through an unprivileged port.
- the rpcbind process refuses to forward requests to rpc daemons that do (or should) verify the origin of the request: at present, the list includes most of the calls to the NFS mountd/nfsd daemons and the NIS daemons.
- the rpcbind process refuses REMOTE requests sent to high-numbered UDP ports (instead of TCP or UDP ports 111). High-numbered ports are opened by the rpcbind server as a side effect of other activity. These ports could be abused to bypass packet filtering restrictions. See the advisory (and addendum) on www.secnet.com
Syslog logging: I replace Suns syslog.conf and that installed by Jass, with my own [3] - that enables more logging than the default and saves logs in /var/adm/messages. More details below.
I also disabled the Solaris log pruning and other lines in the
root cron. I've written a script /secure/weekly [3] which
includes the weekly entries listed below and can be run on both loghost and client, with a
cron entry like:
50 23 * * 6 sh /secure/weekly >/dev/null
Syslog configuration:
Syslog client: Designate one machine as the loghost (in /etc/hosts).
- Test that logging to the server works correctly:
logger -p auth.warn "test of syslog"
and check that it appears in the server logs.- If you would like a copy of logs to be kept locally, as well as remotely, uncomment the line in /etc/syslog.conf:
*.err;auth.info;kern.debug /var/adm/messages- If syslog does not work as expected, read the commented example and tips in syslog.conf.
Syslog server or "loghost":
- Give the loghost a whopping great disk for logs.
- If you want to use my syslog.conf for servers that splits up the logs into one file per facility in /var/log, then:
Backup old syslog config:
mv /etc/syslog.conf /etc/syslog.conf.orig$$Download syslog.conf [3] to /etc/syslog.conf and set permissions:
chmod 644 /etc/syslog.conf- Jass will start syslog with the "-t" option, so it will not accept syslog connections from other hosts. So, to run a central syslog server, remove the '-t' option to the syslogd startup line in /etc/init.d/syslog and create the logs if they don't yet exist, for example:
## Syslog server by Sean for log in alertlog authlog cronlog daemonlog kernlog local0log local2log local5log lprlog maillog newslog userlog ; do if [ ! -f /var/log/$log ]; then /usr/bin/cp /dev/null /var/log/$log /usr/bin/chmod 0644 /var/log/$log fi done /usr/sbin/syslogd >/dev/msglog 2>&1 &; ## end Sean's edits- Restart syslog:
kill -1 `cat /etc/syslog.pid`- Use rotate_log [3] to prune and compress logs, add root cron entries (note that /secure/weekly includes all this):
## Prune syslog logs weekly, keeping the last 6 months or so:
55 23 * * 6 /secure/rotate_log -n 40 alertlog
55 23 * * 6 /secure/rotate_log -n 40 authlog
55 23 * * 6 /secure/rotate_log -n 20 cronlog
55 23 * * 6 /secure/rotate_log -n 40 daemonlog
55 23 * * 6 /secure/rotate_log -n 40 kernlog
55 23 * * 6 /secure/rotate_log -n 40 local0log
55 23 * * 6 /secure/rotate_log -n 40 local2log
55 23 * * 6 /secure/rotate_log -n 40 local5log
55 23 * * 6 /secure/rotate_log -n 20 newslog
55 23 * * 6 /secure/rotate_log -n 40 userlog
55 23 * * 6 /secure/rotate_log -n 10 lprlog
55 23 * * 6 /secure/rotate_log -n 20 maillog
Add a root cron entry for cleaning of other local logs on both workstations and servers (note that /secure/weekly also includes this)
# Solaris 2.x logs:
0 4 * * 6 /secure/rotate_log -L /var/adm -n 30 loginlog
0 4 * * 6 /secure/rotate_log -L /var/adm -n 30 sulog
0 4 * * 6 /secure/rotate_log -L /var/adm -n 2 vold.log
0 4 * * 6 /secure/rotate_cron
Add a root cron entry for Yearly cleaning of login entries
## Empty login/logout records at year end
0 0 31 12 * /secure/wtrim.pl wtmp 20
0 0 31 12 * /secure/wtrim.pl wtmpx 20
Other root cron entries:
Set date once a day with a reliable source using rdate (you may prefer NTP, it's more accurate, but complex, uses bandwidth and is an additional security worry). See also the section Time Synchronisation.
## Synchronise the time:
0 * * * * /usr/bin/rdate YOURTIMEHOST >/dev/null 2>&1
## Synchronise the time with NTP
#0 * * * * ntpdate YOURTIMEHOST1 YOURTIMEHOST2 >/dev/null 2>&1Consider installing a script to check that important daemons are running. For example, install monitor_processes.pl [3] and add a root cron entry:
## Check that important processes are running during office hours:
0,30 8-19 * * 1-5 /secure/monitor_processes.pl sshd httpd
Documentation:
Document configuration changes in a text file such as /etc/mods, update after each change, with date, author, files affected, description.
cat > /etc/mods <<EOF
15.10.01 sb New install of Solaris8 and tools according to hardening guidelines
EOF
Files which have the SUID bit set (an "s" where the execute bit for the owner/group is shown in 'ls' listings) allow the user executing the program to assume the identity/group of the owner of the program. This is typically used to allow normal users to access certain function typically only allowed to root, for example binding to low ports, mounting a floppy disk, etc. The problem is that historically, many security weakness have been found in such programs allowing attackers with local accounts to become root by exploiting buffer over flows, race conditions etc.
• Solaris has many "SUID root" binaries and each one presents a risk, so
when hardening systems it is advisable to disable as many SUID program as possible.
• The purpose of this section is to provide a brief overview of the subject, a list
of documents and scripts for disabling SUID files is provided.
• See [8] for SUID references and further reading.
What SUID files are on the system?
The find command can be used to list all SUID files:
find / -perm -u+s -lsor all SGID files:
find / -perm -g+s -ls
How should we handle SUID files? Possible courses of action, in order of preference, are:
- Remove the package containing the offending file
- Disable the program (e.g. chmod 000 FILENAME)
- The SUID bit can be removed (e.g. chmod ug-s FILENAME)
- Restrict the file to a group of users (first remove world access: "chmod o-rwx", then allow a group "chgrp MYGROUP MYFILE") .
What SUID files need to be limited?
- One suggestion for paranoid systems is to disable all except 'pt_chmod', 'utmp_update' and 'su'.
- Before removing SUID bits, we make a backup of all SUID files so that we can also go back and restore the previous state.
tar cvf /opt/suid_backups.tar `find / -type f \( -perm -u+s -o -perm -g+s \) -print`
This file may be 14MB or more, compression reduces the size significantly:
gzip /opt/suid_backups.tar
[These suid files can be minimized via a Jumpstart finish script, see Jass Tips]
- Specific examples on SUID limiting are presented below which reduce the number of SUID/SGID files from about 80 to 9. These were tested on both Solaris 8 and 7, on a DMZ server. Note that Solaris 8 has less SUID files than Solaris 7.
- Tools like uucp are almost never needed. If possible, remove the SUNWbnuu package or disable the SUID bits.
pkgrm SUNWbnuu
chmod ug-s /usr/bin/cu /usr/bin/uu* /usr/lib/uucp/*- Another often unused suite of tools is kcms (Kodak Color Management System), so either remove or disable:
pkgrm SUNWkcspf SUNWkcspx SUNWkcspg SUNWkcsrt;
chmod ug-s /usr/openwin/bin/kcms*- If no printer is needed:
chmod ug-s /usr/lib/lp/bin/netpr /usr/sbin/lpmove /usr/bin/lp /usr/bin/lpset /usr/bin/lpstat /usr/bin/cancel /etc/lp/alerts/printer- Only allow root to use ancient r* commands, since you only use SSH (right?):
chmod ug-s /usr/bin/rcp /usr/bin/rlogin /usr/bin/rsh- Only allow root to sniff the network, use rdist or list processes:
chmod ug-s /usr/sbin/snoop /usr/sbin/devinfo /bin/rdist /usr/bin/netstat /usr/local/bin/top /usr/local/bin/*/top /usr/sbin/traceroute /usr/local/bin/lsof /usr/bin/*/ps /usr/ucb/*/ps /usr/sbin/*/whodo /usr/bin/*/uptime /usr/bin/*/w
Note: 'ps' doesn't really need SUID on Solaris 2.5 and later (which have /proc), performance of the 'ps' command will be slightly reduced due to lack of caching.- dump or restore only need SUID for the archaic 'rmt/rsh' remote backups, so drop it.
chmod ug-s /usr/lib/fs/ufs/ufsdump /usr/lib/fs/ufs/ufsrestore
You might only allow root to use these anyway? In which case they can be further restricted with 'chmod 700'.- Disable YP, NIS+ SUID tools unless you need them:
chmod ug-s /usr/bin/chkey- If only root uses cron or at, then restrict them:
chmod ug-s /usr/bin/at /usr/bin/atq /usr/bin/atrm /usr/bin/crontab- If only root uses the serial line (for tty consoles):
chmod ug-s /usr/bin/tip- If only the root account administers the system:
chmod ug-s /usr/bin/admintool /usr/lib/fs/ufs/quota /usr/bin/fdformat /usr/bin/eject /usr/bin/volcheck /usr/bin/volrmmount /usr/bin/rmformat /usr/platform/*/sbin/eeprom /usr/sbin/wall
chmod ug-s /usr/sbin/arp /usr/bin/write /usr/sbin/sacadm /usr/sbin/*/sysdef /usr/sbin/*/prtconf /usr/platform/*/sbin/prtdiag* /usr/sbin/*/swap- If we don't use Openwindows and CDE, for example on servers:
chmod ug-s /usr/dt/bin/* /usr/openwin/*/*- Sendmail: Hosts which are not email relays or servers don't need it to be SUID:
chmod u-s /usr/lib/sendmail- If only root needs to manage devices
chmod u-s /usr/sbin/allocate /usr/sbin/mkdevalloc /usr/sbin/mkdevmaps /usr/sbin/list_devices /usr/sbin/deallocate- If only root needs to set power management:
chmod ug-s /usr/sbin/pmconfig- If the Solaris8 project feature is not used, 'newtask' does not need SUID:
chmod ug-s /usr/bin/newtask- Only root manages quotas (Solaris 7 and younger)
chmod ug-s /usr/lib/fs/ufs/quota- If users don't need to change group identification:
chmod ug-s /usr/bin/newgrp- Only allow root to query IPC (inter process communication) status. To check if IPC is used on your system, run: ipcs
chmod ug-s /usr/*/bin/*/ipcs /usr/bin/*/ipcsAfter appling the above commands on a Solaris 7 or 8 "user bundle" install, the list of SUIDs left is reduced to the following:
find / -type f \( -perm -u+s -o -perm -g+s \) -lsSUID files:
/usr/lib/pt_chmod /usr/lib/utmp_update /usr/bin/login /usr/bin/passwd /usr/bin/pfexec /usr/bin/su /usr/sbin/ping /opt/local/bin/sshSGID files:
/usr/bin/mail /usr/bin/mailx
Note: You'll also find that /usr/bin/yppasswd /usr/bin/nispasswd are SUID, but they are links to /usr/bin/passwd, so removing the SUID bits will stop normal users from changing their local passwords!
Some auditing ideas:
Further reading:
More file permissions tightening:
chmod o-rx /etc/security #Not needed for Solaris8 or later
chmod 400 /.shosts /etc/sshd_config /etc/ssh_known_hosts
To Do:
It would be useful to have packages that reset the SUID files for examples situations such as Bastion Hosts (high), multi-user servers (medium), workstations (low). The packages would also correct the pkg database so that 'pkgchk -n' would not report permissions errors after the SUID files had been adapted.
You should regularly check the integrity of files on the system, to be assured that they have not been maliciously modified. Solaris provides "pkgchk -n" which checks the package databases against the size, permissions and checksums of actually installed files. This is useful and recommended, however checksums can be fooled and the package database can itself be manipulated, so it is no protection against the clever attacker (or the script Kiddie with a clever rootkit). What is required, is a file integrity checker that uses secure (one-way) hashing algorithms.
Which is why the Yassp Tarball installs tripwire in /secure/tripwire. Tripwire uses several secure hashing algorithms (and in it's commercial form, provides cryptographic signing of it's database).
At this stage of the installation, it is recommended to take a snapshot of the files on the newly configured system, i.e. initialise tripwire's database and then run regular checks to monitor for changes. If possible, keep the master database on another machine, offline or on write-once media.
What options do we have for integrity checking?
An example using the free Tripwire Version 1.2 (bundled with Yassp):
To run the first time:
/secure/tripwire/trip_host.sh -init HOST
Each time after that:
/secure/tripwire/trip_host.sh -check HOST
To automate for many hosts, this script is then called from another script for each host that needs to be monitored. See the sample script trip_all. This script also assumes that the commercial tripwire is used on the central trusted host (only). The commercial tripwire allows signing of the tripwire database, which makes it more secure.
Depending on the function of the server, applications such as ftpd, BIND, proxies, etc. are installed at this point.
Hardening of specific applications like ftp, DNS, Email and also general application tips are discussed in a separate document [16].
Connect to the live network. Test in detail. Check log entries. Does the system behave as expected?
Have applications been tested in detail, by different people with different points of view, from different access points on the network?
The following activities should take place hourly, daily, weekly or monthly, depending on how critical the system is:
The primary goal behind the development of the Solaris Security Toolkit ("Jass") was to simplify and automate the process of securing Solaris systems through JumpStart or in a standalone mode. It implements the recommendations in Sun's BluePrints security articles. Jass is Sun's answer to Yassp and Titan, and has evolved into a capable, interesting, Solaris hardening tool.
"The Solaris Security Toolkit is a tool designed to assist in creation and deployment of secured Solaris Operating Environment systems. The Toolkit is comprised of a set of scripts and directories implementing the recommendations made in the Sun BluePrints OnLine program.
These scripts can be executed on Solaris systems through the JumpStart technology or directly from the command line. The Toolkit includes scripts to harden, patch, and minimize Solaris Operating Environment systems. Sun does not support the Toolkit."
Summary of changes since version 0.2 (November 2000) -> v0.3:
.
We start off with an example of running Jass on a new Solaris 8 workstation installed with a 'user bundle'. An example log of the output is [1]
First we install Jass:
pkgadd SUNWjass-0.3.8.pkgCopy over FixModes.tar.Z to /opt/SUNWjass/Packages, so FixModes will be run as part of the Jass installation.
Then we run the default Jass hardening for standalone use:
/opt/SUNWjass/jass-execute -d hardening.driver
On rebooting we find:
Next we try the 'undo' feature which allows us to go back to the configuration before Jass was run. It very nicely asks us which 'Jass run' we would like to undo:
/opt/SUNWjass/jass-execute -uThe undo seems to work fine, except for BSM auditing which is not cleanly removed, see also the undo log [1]. Jass can be run several times, and the undo can remove the effects of each previous run or all runs. Nice.
hardening.driver,
some extra daemons are left running that may not be needed on some systems: devfseventd,
devfsadmd, utmpd, nscd. They do not listen to any network ports though and
so pose less
risk. fix-modes tool for tightening file permissions and SSH for secure login must
be manually added, or, copy it to the Jass Packages directory
before running Jass, then Jass will run it for you. hardening-jumpstart.driver is an example script for actual hardening of a Jumpstart
server (for example, it allows rpc and nfs to run) and is not a general hardening
setup. /opt/SUNWjass/jass-execute -d audit.drivermd5.Drivers/hardening.driver. Jass is an interesting tool, well worth checking out. The fact that is sponsored (although not supported) by Sun, has most of the features of other hardening packages and is under constant improvement, should ensure it's elevation to a quasi standard.
The following are improvements/ideas that you may find useful to Jass in your environment. Example scripts can be found here. We assume the main driver used is hardening.driver.
JASS_REC_PATCH_OPTIONS="-o -d" to user.initDrivers/hardening.driver.
md5.tar.Z and FixModes.tar.Z
to /opt/SUNWjass/Packages to ensure they are installed when
Jass is run.
echo "Disabling nscd startup and shutdown scripts"
echo ""
if [ "${JASS_KILL_SCRIPT_DISABLE}" = "1" ]; then
disable_rc_file ${JASS_ROOT_DIR}/etc/rcS.d K40nscd
disable_rc_file ${JASS_ROOT_DIR}/etc/rc0.d K40nscd
disable_rc_file ${JASS_ROOT_DIR}/etc/rc1.d K40nscd
fi
disable_rc_file ${JASS_ROOT_DIR}/etc/rc2.d S76nscd
Then we add disable-nscd.fin to the JASS_SCRIPTS section of Drivers/hardening.driver, to activate the above script..
# Get IP address, chop off the host part and add ".1"
inet=`ifconfig -a | grep inet | egrep -v "127.0.0.1" | awk '{print $2}'`
#echo $inet
router=`echo $inet | awk -F'.' '{print $1 "." $2 "." $3 ".1"}'`
#echo $router
echo $router >> /a/etc/defaultrouter
.cshrc, .login - improve the path + prompt, reduce umask and add some aliases.
etc/syslog.conf - log to a central loghost and locally (see syslog.conf).
etc/motd, etc/issue, etc/default/ftpd, etc/default/telnetd - warning banners
etc/nsswitch.conf - add dns to host lookups or add NIS or NIS+
/etc/resolv.conf.$HOSTNAME
/etc/resolv.conf.$OS
# user.init
# sb, 02.Oct.01
JASS_AGING_MAXWEEKS="26"
JASS_AGING_WARNWEEKS="1"
JASS_AGING_MINWEEKS="0"
JASS_LOGIN_RETRIES="5"
JASS_PASS_LENGTH="6"
JASS_SENDMAIL_MODE="\"\""
JASS_TMPFS_SIZE="500m"
JASS_UMASK="027"
JASS_SHELL_DISABLE="/sbin/noshell"
JASS_CRON_LOG_SIZE="20480";## When used with Jumpstart:
JASS_ROOT_PASSWORD="xxxsomethingxxencryptedxxxx"
SERVER="17.17.17.2"
JASS_PACKAGE_MOUNT="${SERVER}:/jumpstart/Packages";
JASS_PATCH_MOUNT="${SERVER}:/jumpstart/Patches";## v0.3.1
## Don't save files replaced by patches:
JASS_REC_PATCH_OPTIONS="-o -d"
This article has been very specific, in the interest of making it practical. However, each security administrator has his own methods and each site has different requirements. There are many more issues than just those above, we address some more advanced topics in this section:
In August 2000, tocsin was significantly improved and version 2.1.1.2
released:
• fixed log file permissions
• new tcp or udp options (:t or :u) per service
• ported to Solaris 8 sparc/Intel
• new common package for Solaris sparc/Intel
• change UID to nobody after binding to the network
• new man page and startup file 'S70tocsin' added
• New options: -T tcp only, -D destination network only, -O log IP options,
-I invert port matching filter conditions.
This amazing little tool (it's only 20kB) is simple, but works quite well. The new
options allow significant reduction of false positives. For this article, it was tested on
Solaris 2.7-2.8/sparc and Solaris 2.8/Intel, but it should run on Solaris 2.6 and possible
2.5.1 also.
tocsin can be downloaded in source form (tocsin.tar.gz), or a Solaris package (AUBtocsin),
from [4].
Recommendation: Install one Tocsin per subnet, or on several sensitive hosts if switches rather than hubs are used, since all subnet traffic cannot be monitored by one Tocsin daemon.
Note1: DLPI is the Datalink Provider Interface (a standard based on ISO 8886 and 8802 for Streams based kernel implementations of packet filtering)
Configure an appropriate /etc/ssh_config file (see also [7]), so that access is restricted to named hosts with known public keys (/etc/ssh_known_hosts) and rhosts authentication is disabled. Avoid trusts. Only allow specific users and hosts to access SSH. Deny daemon accounts access.
etc/[9]% saveit vfstab
copying file vfstab ===> /Backup.d/20000707/etc/vfstab
etc/[61]% saveit vfstab
copying file vfstab ===> /Backup.d/20000707/etc/vfstab.13:37
etc/[10]% ls -l /Backup.d/20000707/etc/vfs*
-rw-r--r-- 1 root sys 386 Mar 14 08:31 /Backup.d/20000707/etc/vfstab
-rw-r--r-- 1 root sys 386 Mar 14 08:31 /Backup.d/20000707/etc/vfstab.13:37
etc/[11]% tail /Backup.d/log-20000707
----------------------------------
Backup base directory /Backup.d
Backup requested by root
Date (dd/mm/aaaa) 07-07-2000
Time 11:36
/etc/vfstab
--------------------------------------------------------------
Backup base directory /Backup.d
Backup requested by root
Date (dd/mm/aaaa) 07-07-2000
Time 13:37
/etc/vfstab
The advantage of this tool are: simplicity and no clogging up the current directory with old versions of files, rcs directories etc. The script can be downloaded [3].
| [1] |
|
| [2] | Sunworld security columns www.sunworld.com/sunworldonline/common/swol-backissues-columns.html Solaris Security FAQ www.sunworld.com/common/security-faq.html Padded Cells: www.sunworld.com/swol-01-1999/swol-01-security.html |
| [3] | Scripts included /references in this article:
See www.boran.com/security/sp/solaris
or boran.dyndns.org/solaris |
| [4] | Doug Hughes: - tocsin can be downloaded in source form (tocsin.tar.gz), or a Solaris package (AUBtocsin), from: ftp://ftp.eng.auburn.edu/pub/doug - tips and links on Disksuite, VxVM and the SPARC Storagearray: www.eng.auburn.edu/pub/mail-lists/ssastuff |
| [5] | Tripwire: Free version V1.2 ftp.cerias.purdue.edu/pub/tools/unix/ids/tripwire (last updated in 1994). Commercial Version www.tripwiresecurity.com (starts at $495.-/server) also runs on NT. OpenSource Version www.tripwire.org on Linux only. Sunworld article: sunworld.com/sunworldonline/swol-02-2000/swol-02-security.html?0306a Policy examples: http://policy.tripwire.com Scripts - see www.boran.com/security/sp/solaris. |
| [6] | Sample tools for analysing logs: - Logcheck www.psionic.com/abacus/logcheck
|
| [7] | All About SSH PartI - Sean Boran All About SSH Part II - Sean Boran |
| [7a] | ftp.cs.hut.fi/pub/ssh |
| [8] | Disabling SUID files: Solaris 7
Setuid/Setgid Files Information Systems and Technology University of Waterloo Titan's ziplock module Example listing of SUID/SGID files on a Solaris 7 system: solaris/suid_sol7.txt Jass script for disabling SUID/SGID files. |
| [9] | Review: Sunscreen EFS3 Firewall -
Sean Boran SunscreenEFS.html Protect yourself with SunScreen Lite -
Mark Thacker Sun Blueprint on the Sunscreen lite v3.1 Sunscreen Lite install documentation is now available online |
| [10] | Casper Dik's fix-modes script contains a
huge number of file permission improvements for most Solaris versions. ftp.wins.uva.nl:/pub/solaris/fix-modes.tar.gz
Jens Vöckler's nettune script www.rvs.uni-hannover.de/people/voeckler/tune/EN/tune.html See also the local copy nettune. |
| [11] | The Titan Project www.titan.org |
| [12] | AIDE, a GPL file integrity
checker. www.cs.tut.fi/~rammer/aide.html
Basic File Integrity Checking (using AIDE) |
| [13] | My articles on BIND: bind_hardening.html BIND sources and home page: www.isc.org/products/BIND Testing Domains: www.ip-plus.net/tools/dns_check_set_en.html Chroot BIND 4.9.x on Solaris: www.homeport.org/~adam/dns.html Chroot BIND 8 on RedHat and OpenBSD www.psionic.com/papers/dns |
| [14] | Wietse Venema's tools and papers
(tcp wrapper, rpcbind/portmapper, postfix, Satan, ....) ftp.porcupine.org/pub/security/index.html |
| [15] | Patches:
|
| [16] | Hardening Applications, application_hardening.html |
| [17] | syslog replacements: syslog-ng www.balabit.hu/products/syslog-ng (tcp connections, content filtering, encryption, authentication) secure syslog www.core-sdi.com/english/slogging/ssyslog.html (encryption and authentication of a trusted auditors machine) Nsyslogd coombs.anu.edu.au/~avalon/nsyslog.html (tcp connections and SSL) 'Security Issues in Network Event Logging' working group, a
part of Internet Engineering Task Force (IETF) committee. |
| [18] | Security Advisories: www.cert.org, www.first.org, www.ciac.org CERT provide several useful firewall/hardening/intrusion detection papers online www.cert.org/tech_tips. Technical Discussion of advisories: www.SecurityFocus.com/sun |
| [19] | Security Newsletters: SecurityFocus, SANS. |
| [20] | IPfilter IP Filter Based Firewalls HOWTO Firewalling with IPF Introduction to IP Filter Introduction to IP Filter Part 2. |
| [21] | Routing: Sun's Routing Support Document/FAQ is an old, but comprehensive overview of routing, how it works in Solaris and how to configure/debug routing. Gated is a better routing daemon: www.gated.org |
| [22] | Solaris C2/BSM security notes - Sean Boran Solaris_bsm.html |
| [23] | Other Solaris hardening articles not listed above: Securing a Solaris Server -
ACCS Armoring Solaris by Lance Spitzner Center for Internet Security Solaris Security Benchmark |
27.Aug.01 New: Rewritten for Jass v03, using the original article
for Solaris+Yassp.
Updates: NTP, initial patches. Saveit link.
20.Sep.01 Update EFS lite.
04.Oct.01 Jass v0.31 update
22.Nov.01 Syslog server
03.May.02 Minor updates after testing Jass v0.35
25.Aug.02 Update package notes
Script to log user activity:
# Don't allow user to break out of this script:
#trap exit 2>/dev/null 0 1 2 3 13 15
# ensure log is restricted
umask 027
/bin/script -a /var/tmp/eyal.$$;
logout; echo bye
Seán Boran is an IT security consultant based in Switzerland and the author of the online IT Security Cookbook.
| © Copyright 2001, Seán Boran, All Rights Reserved, Last Update: 27 Januar, 2003 |