(Tito Cordero)
(DSS Irving Field Office)
(14 December 2005)
Defense Security Service (Unix Security Guide)
Solaris Workshop
(Introduction)
• Purpose
– To describe how to implement security features within the Solaris Unix platform
– To support certification of systems processing National Security Information at Protection Level 1 or Protection Level 2
– To provide the Information System Security Manager with oversight of NISPOM Chapter 8 requirements within the UNIX platform
(Audit)
• Audit Capability
– Set the system time:
• # date mmddHHMMyy (see the Solaris manual page for the date command)
• # man date
• Master time server and slaves:
• Ensure that the system designated to act as the master time server has the correct time.
• To synchronize the time on a time slave system with the designated master system, issue the command:
• # rdate <designated_master>
(Audit)
• To continually synchronize the slave system to the master, add the following lines to root's crontab file (all five schedule fields are required):
# each hour, on the hour, run rdate to synchronize with the master
#
0 * * * * rdate <designated_master>
• If the system time is not set to the US Central Time Zone, what is the offset from Greenwich Mean Time? (US Central is GMT -6.)
(relevant logged events)
• The following files and directories are the locations of security-relevant logged events:
– /var/adm/wtmpx, /var/adm/utmpx – Binary files recording all logins, logouts, and system reboots. The “last” command is used to display their contents.
– /var/adm/LOGINLOG – Failed login log. If this file exists, the login utility logs all failed logins here.
– /var/adm/sulog – This file records both successful and failed attempts to use the su (switch user) command. It shows persons attempting to access accounts they are not authorized to use.
(relevant logged events)
– /etc/security/audit – Directory containing all the auditing records gathered for denial of file access.
– /etc/local/audit – Directory containing the filtered auditing records gathered for denial of file access.
(Basic Security Module)
• To set up system auditing, perform the following steps:
– Sun Solaris Basic Security Module (BSM) provides additional security features that are not supplied in standard SOLARIS. To enable BSM, perform the following steps:
• Log in as root
– Bring the system into single-user mode by executing the following commands (boot -s is typed at the OpenBoot ok prompt once init 0 has halted the system):
• # sync
• # sync
• # init 0
• boot -s
(Basic Security Module)
• Change directory to /etc/security:
– # cd /etc/security
• Execute the bsmconv script:
– # ./bsmconv
• After running the script, halt the system and reboot into multi-user mode:
– # sync
– # sync
– # init 6 (or # reboot)
(Basic Security Module)
• Auditing is enabled by starting the audit daemon (auditd). The /etc/security/audit_startup script, created during the BSM package installation, causes the daemon to run automatically when the system enters multi-user mode. This script configures the event-to-class mappings and sets the audit policies.
(Basic Security Module)
• Set the following flags in the /etc/security/audit_control file (the flags: line takes a comma-separated list with no spaces):
– flags:ad,-fa,-fr,-fw,-fm,-fc,-fd,-cl,lo
• Flags are defined as:
ad  administrative   Administrative actions: mount, exports, etc.
fa  fileattr_acc     Access of object attributes: stat, pathconf, etc.
fr  file_read        Read of data, open for reading, etc.
fw  file_write       Write of data, open for writing, etc.
fm  file_attr_mod    Change of object attributes: chown, flock, etc.
fc  file_creation    Creation of object
fd  file_deletion    Deletion of object
(Basic Security Module)
cl  file_close       close(2) system call
lo  login_logout     Login and logout events
• A minus sign in front of a flag logs only failures of that class; a flag with no sign logs both successes and failures.
• Make the new settings available to the BSM service by either rebooting the system or entering the following command:
– # audit -s
(logons &logoffs)
• Successful logins, logouts, and system reboots are
recorded in the binary files located at:
– /var/adm/utmpx and /var/adm/wtmpx
• The login command logs all login successes and failures via the syslog facility. To redirect these messages to the file /var/adm/LOGINLOG, add the following lines to /etc/syslog.conf:
(logons &logoffs)
• auth.notice<TAB>/var/adm/LOGINLOG
• auth.info<TAB>/var/adm/LOGINLOG
• auth.debug<TAB>/var/adm/LOGINLOG
• (The selector and the file name must be separated by tab characters, not spaces.)
• Create the LOGINLOG file to receive these messages:
– # touch /var/adm/LOGINLOG
– # chown root:sys /var/adm/LOGINLOG
– # chmod 600 /var/adm/LOGINLOG
• Restart the syslog daemon:
– # /etc/init.d/syslog stop
– # /etc/init.d/syslog start
(logons &logoffs)
• Failed logins are logged to the /var/adm/loginlog file after five consecutive failed attempts.
• Create the loginlog file to track failed logins:
– # touch /var/adm/loginlog
– # chown root:sys /var/adm/loginlog
– # chmod 600 /var/adm/loginlog
• /var/adm/sulog: records all successful and failed attempts to use the su (switch user) command.
(logons &logoffs)
• BSM – Adding the flag “lo” to the /etc/security/audit_control file as described above configures BSM to record both successful and unsuccessful logon/logoff events in the BSM log files under the /etc/security/audit directory.
(Blacklist)
• The blocking or blacklisting of a user ID, terminal or
access port and the reason for the action.
• In the file /etc/default/login set:
– RETRIES=5
• (Exits the login after RETRIES unsuccessful attempts.)
– SYSLOG_FAILED_LOGINS=5
• (After SYSLOG_FAILED_LOGINS consecutive unsuccessful login attempts, each of them is logged in /var/adm/loginlog, if that file exists. A user gets at most min(RETRIES, SYSLOG_FAILED_LOGINS) unsuccessful attempts.)
(Blacklist)
– DISABLETIME=300
• (Disables login for DISABLETIME seconds, here 300 seconds or five minutes, after SYSLOG_FAILED_LOGINS or RETRIES unsuccessful attempts. Note that this conflicts with the TIMEOUT environment variable if it is also set.)
• The five successive login failures are logged in /var/adm/loginlog, which was configured in the prior steps. The terminal port and the failure are also logged in /var/adm/LOGINLOG, which was configured in a prior step.
(Blacklist)
• Denial of access resulting from an excessive number of unsuccessful logon attempts. In SOLARIS, by default and as specifically configured in paragraph 2.1 e above, five attempts are allowed before the login attempt is terminated. Login failures are reported via the syslog facility.
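As an added example, not from the workshop slides, the following POSIX shell script checks whether the /etc/default/login lockout values above, the syslog.conf routing of auth messages to /var/adm/LOGINLOG, and the audit_control flags listed under Basic Security Module are actually in place. It runs against constructed copies of those files; the copies, the "example-host" directory name and the PASS/FAIL helper are assumptions of this example, not part of the guide.

```sh
#!/bin/sh
# Added example, not from the DSS workshop slides: read-only checks for the
# /etc/default/login lockout values, the syslog.conf -> /var/adm/LOGINLOG
# routing and the audit_control flags described in this guide. Every
# function takes the file to inspect, so it can be pointed at the live
# /etc files or, as at the bottom, at constructed copies.

# login_default FILE KEY -> value of KEY=value in FILE. Commented-out
# lines such as "#RETRIES=5" do not match, so an unset key prints nothing.
login_default() {
    awk -F= -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# check_login_defaults FILE -> 0 if RETRIES=5, SYSLOG_FAILED_LOGINS=5 and
# DISABLETIME=300 are all active, 1 otherwise
check_login_defaults() {
    [ "$(login_default "$1" RETRIES)" = 5 ] || return 1
    [ "$(login_default "$1" SYSLOG_FAILED_LOGINS)" = 5 ] || return 1
    [ "$(login_default "$1" DISABLETIME)" = 300 ] || return 1
    return 0
}

# check_syslog_loginlog FILE -> 0 if auth.notice, auth.info and auth.debug
# are each routed to /var/adm/LOGINLOG. syslog.conf separates selector and
# action with tabs, which awk's default field splitting accepts.
check_syslog_loginlog() {
    for lvl in notice info debug; do
        awk -v sel="auth.$lvl" \
            '$1 == sel && $2 == "/var/adm/LOGINLOG" { ok = 1 } END { exit !ok }' \
            "$1" || return 1
    done
    return 0
}

# check_audit_flags FILE -> 0 if the flags: line audits lo and ad for both
# outcomes and fa fr fw fm fc fd cl for failures only (leading '-'). Spaces
# are stripped first because audit_control itself allows none.
check_audit_flags() {
    flags=$(awk -F: '$1 == "flags" { print $2; exit }' "$1" | tr -d ' \t')
    [ -n "$flags" ] || return 1
    for want in lo ad; do
        case ",$flags," in *",$want,"*) ;; *) return 1 ;; esac
    done
    for want in fa fr fw fm fc fd cl; do
        case ",$flags," in *",-$want,"*) ;; *) return 1 ;; esac
    done
    return 0
}

# report LABEL CHECK FILE -> prints PASS or FAIL for one check
report() {
    label=$1; shift
    if "$@"; then echo "PASS  $label"; else echo "FAIL  $label"; fi
}

# Constructed sample files standing in for the real /etc files.
demo=$(mktemp -d)
printf 'CONSOLE=/dev/console\nRETRIES=5\nSYSLOG_FAILED_LOGINS=5\nDISABLETIME=300\n' \
    > "$demo/login"
# Weak variant: RETRIES left at its commented-out default, no DISABLETIME.
printf 'CONSOLE=/dev/console\n#RETRIES=5\nSYSLOG_FAILED_LOGINS=5\n' > "$demo/login.weak"
printf 'auth.notice\t/var/adm/LOGINLOG\nauth.info\t/var/adm/LOGINLOG\nauth.debug\t/var/adm/LOGINLOG\n' \
    > "$demo/syslog.conf"
# "example-host" is a placeholder for the <hostname> directory.
printf 'dir:/etc/security/audit/example-host/files\nflags:ad,-fa,-fr,-fw,-fm,-fc,-fd,-cl,lo\nminfree:20\nnaflags:lo\n' \
    > "$demo/audit_control"
# Weak variant: only logins audited, so denied file access is never recorded.
printf 'flags:lo\nnaflags:lo\n' > "$demo/audit_control.weak"

report "/etc/default/login lockout values"   check_login_defaults  "$demo/login"
report "/etc/default/login (weak copy)"      check_login_defaults  "$demo/login.weak"
report "syslog.conf routes auth to LOGINLOG" check_syslog_loginlog "$demo/syslog.conf"
report "audit_control flags"                 check_audit_flags     "$demo/audit_control"
report "audit_control (weak copy)"           check_audit_flags     "$demo/audit_control.weak"
```

On a Solaris host the same functions are run against /etc/default/login, /etc/syslog.conf and /etc/security/audit_control; a FAIL on the audit flags means the file-access denials that the weekly review depends on are not being recorded at all.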
(Audit Trail Protection)
• The contents of audit trails will be protected against unauthorized access, modification, or deletion. Only authorized administrative and support personnel will have permission to access audit trail data. Log files should be owned by root with group sys. With the exception of the messages file, all log files should have permissions such that only root can read or write them. Read access to the messages file is allowed for all users, since valuable debugging messages are logged there.
(Audit Trail Protection)
• /var/adm/messages:
– # chown root:sys /var/adm/messages
– # chmod 644 /var/adm/messages
• /var/adm/loginlog:
– # chown root:sys /var/adm/loginlog
– # chmod 600 /var/adm/loginlog
• /var/adm/LOGINLOG:
– # chown root:sys /var/adm/LOGINLOG
– # chmod 600 /var/adm/LOGINLOG
• /var/adm/sulog:
– # chown root:sys /var/adm/sulog
– # chmod 600 /var/adm/sulog
(Audit Trail Protection)
• /etc/passwd and /etc/shadow:
– The passwd file should be “shadowed” by running the pwconv command. This removes the encrypted passwords from /etc/passwd, which is readable by everyone, and places them in /etc/shadow, which is readable only by root. To implement this, do the following:
• # pwconv
• # chmod 644 /etc/passwd
• # chmod 600 /etc/shadow
(Audit Trail Protection)
• BSM – Remove world permissions on the audit trail directory and apply the required ownership and permissions to the directory, its subdirectories and files on the local machine:
– # chmod 640 /etc/security/audit/<hostname>
– # chown root /etc/security/audit/<hostname>
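As an added example, not from the workshop slides, the following POSIX shell script verifies the ownership and modes this section requires for the log files, /etc/passwd and /etc/shadow, and the "no world permissions" rule for the audit directory. The required table is taken from the slides; the temporary files, the demo table and the function names are assumptions of this example.

```sh
#!/bin/sh
# Added example, not from the DSS workshop slides: verify that the audit
# trail files carry the owner, group and mode required in this section.
# Permissions are compared as the nine characters ls -l prints, so only ls
# and awk are needed and the script also runs on a Solaris host without
# GNU stat.

# mode_of FILE -> the nine permission characters, e.g. rw-------
mode_of() {
    ls -ld "$1" | awk '{ print substr($1, 2, 9) }'
}

# owner_group_of FILE -> "owner group" as shown by ls -ld
owner_group_of() {
    ls -ld "$1" | awk '{ print $3, $4 }'
}

# perms_ok FILE OWNER GROUP MODE -> 0 only if all three match
perms_ok() {
    [ "$(owner_group_of "$1")" = "$2 $3" ] && [ "$(mode_of "$1")" = "$4" ]
}

# no_world_bits FILE -> 0 if "other" has no read, write or execute bit,
# the "remove world permissions" rule for /etc/security/audit/<hostname>
no_world_bits() {
    case "$(mode_of "$1")" in
        *---) return 0 ;;
        *)    return 1 ;;
    esac
}

# required_table -> the ownership and modes this section requires, one
# entry per line: path owner group mode
required_table() {
    cat <<'EOF'
/var/adm/messages root sys rw-r--r--
/var/adm/loginlog root sys rw-------
/var/adm/LOGINLOG root sys rw-------
/var/adm/sulog    root sys rw-------
/etc/passwd       root sys rw-r--r--
/etc/shadow       root sys rw-------
EOF
}

# check_table < TABLE -> prints OK, MISSING or MISMATCH per entry and
# returns 1 if any entry is not OK
check_table() {
    rc=0
    while read -r path owner group mode; do
        [ -n "$path" ] || continue
        if [ ! -e "$path" ]; then
            echo "MISSING  $path"; rc=1
        elif perms_ok "$path" "$owner" "$group" "$mode"; then
            echo "OK       $path"
        else
            echo "MISMATCH $path: found $(owner_group_of "$path") $(mode_of "$path"), want $owner $group $mode"
            rc=1
        fi
    done
    return "$rc"
}

# demo_table DIR OWNER GROUP -> a copy of the table pointing at DIR, so the
# check can be demonstrated on constructed files without root
demo_table() {
    cat <<EOF
$1/messages $2 $3 rw-r--r--
$1/loginlog $2 $3 rw-------
$1/sulog    $2 $3 rw-------
$1/LOGINLOG $2 $3 rw-------
EOF
}

# On a Solaris host the live check is simply:  required_table | check_table
# Below, constructed files stand in: sulog is deliberately left group-readable
# and LOGINLOG is never created, so one MISMATCH and one MISSING are expected.
demo=$(mktemp -d)
: > "$demo/messages"; chmod 644 "$demo/messages"
: > "$demo/loginlog"; chmod 600 "$demo/loginlog"
: > "$demo/sulog";    chmod 640 "$demo/sulog"
set -- $(owner_group_of "$demo")
demo_table "$demo" "$1" "$2" | check_table
echo "check_table exit status: $?"
```

Because the mode is compared as a string, a file that has picked up an ACL or extra bits is reported as a MISMATCH rather than silently accepted, which is the conservative behaviour for an audit trail.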
(Audit Trail Analysis)
• Audit analysis and reporting will be scheduled and
performed at least weekly.
• To review /var/adm/messages:
– more /var/adm/messages
• Or
– view /var/adm/messages
• To review /var/adm/loginlog:
– more /var/adm/loginlog
• Or
– view /var/adm/loginlog
(Audit Trail Analysis)
• To review /var/adm/sulog:
– more /var/adm/sulog
• Or
– view /var/adm/sulog
• To review locked accounts (a locked account shows *LK* in the password field of /etc/shadow):
– more /etc/shadow
• Or
– view /etc/shadow
• To review login information:
– # last
– # more /var/adm/loginlog
• Or
– # view /var/adm/loginlog
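As an added example, not from the workshop slides, the following POSIX shell functions summarise sulog and loginlog so the weekly review above can start from counts rather than from paging through the raw files with more or view. The record layouts are the documented Solaris ones (sulog: "SU mm/dd HH:MM +|- tty from-to"; loginlog: "user:tty:date"); the sample records, account names and function names are constructed for this example.

```sh
#!/bin/sh
# Added example, not from the DSS workshop slides: summarise sulog and
# loginlog instead of paging through them with more or view. The record
# layouts assumed are Solaris' documented ones: a sulog line reads
# "SU mm/dd HH:MM +|- tty from-to" (+ success, - failure) and a loginlog
# line reads "user:tty:date".

# failed_su_count SULOG USER TARGET -> failed attempts by USER to become TARGET
failed_su_count() {
    awk -v pair="$2-$3" \
        '$1 == "SU" && $4 == "-" && $6 == pair { n++ } END { print n + 0 }' "$1"
}

# failed_su_report SULOG -> "count from-to" for every failed pair, most
# frequent first: the view that shows who keeps trying an account they
# are not authorized for
failed_su_report() {
    awk '$1 == "SU" && $4 == "-" { n[$6]++ } END { for (p in n) print n[p], p }' "$1" \
        | sort -rn
}

# su_root_successes SULOG -> "mm/dd HH:MM tty user" for each successful
# switch to root from a non-root account, the entries worth reconciling
# against authorised administrator activity
su_root_successes() {
    awk '$1 == "SU" && $4 == "+" && $6 ~ /-root$/ && $6 !~ /^root-/ {
             sub(/-root$/, "", $6); print $2, $3, $5, $6 }' "$1"
}

# loginlog_count LOGINLOG USER -> failed logins recorded for USER
loginlog_count() {
    awk -F: -v u="$2" '$1 == u { n++ } END { print n + 0 }' "$1"
}

# loginlog_report LOGINLOG -> "count user tty", most frequent first, so a
# single terminal port under repeated failure stands out
loginlog_report() {
    awk -F: '{ n[$1 " " $2]++ } END { for (k in n) print n[k], k }' "$1" | sort -rn
}

# make_demo_logs DIR -> writes constructed sulog and loginlog samples
# (invented accounts and times, not records from any real system)
make_demo_logs() {
    cat > "$1/sulog" <<'EOF'
SU 12/14 08:02 + console root-tito
SU 12/14 09:15 - pts/2 tito-root
SU 12/14 09:16 - pts/2 tito-root
SU 12/14 09:17 - pts/2 tito-root
SU 12/14 09:20 + pts/2 tito-root
SU 12/14 10:41 + pts/4 jsmith-oracle
SU 12/14 11:05 - pts/5 guest-root
EOF
    cat > "$1/loginlog" <<'EOF'
guest:/dev/pts/5:Wed Dec 14 11:00:02 2005
guest:/dev/pts/5:Wed Dec 14 11:00:09 2005
guest:/dev/pts/5:Wed Dec 14 11:00:15 2005
guest:/dev/pts/5:Wed Dec 14 11:00:22 2005
guest:/dev/pts/5:Wed Dec 14 11:00:30 2005
tito:/dev/pts/2:Wed Dec 14 09:10:44 2005
EOF
}

demo=$(mktemp -d)
make_demo_logs "$demo"
echo "== failed su attempts (count from-to) =="; failed_su_report "$demo/sulog"
echo "== successful su to root (mm/dd HH:MM tty user) =="; su_root_successes "$demo/sulog"
echo "== failed logins (count user tty) =="; loginlog_report "$demo/loginlog"
```

On the host, point the functions at /var/adm/sulog and /var/adm/loginlog. A pair whose failure count climbs week over week, or a successful su to root from an account that is not on the administrator list, is exactly what the weekly review is meant to surface.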