
hack sun book hack proofing sun solaris part 3 ppt




DOCUMENT INFORMATION

Basic information

Format
Pages 43
Size 405.87 KB

Contents

Chapter 2 • Securing Solaris with the Bundled Security Tools

■ Even though the Orange Book classification levels go from the lowest level D to the highest level A, in reality, except for a very few exceptions, most operating environments run under C1, C2, or B1 levels.

Choosing Solaris 8 C2 Security

■ The SunSCREEN Basic Security Module is required in order to bring the default installation of the Solaris 8 OE up to C2 level security.
■ Auditing must be configured and managed with an organized methodology in order for it to be useful and controllable.
■ Auditing can be finely configured and managed by editing the audit_control and audit_user files and utilizing the auditconfig, auditreduce, and praudit commands.

Choosing Trusted Solaris 8

■ Choosing the Trusted Solaris 8 OE, although providing a very high level of security, requires a commitment of both human and system resources to administer and maintain.
■ Role-Based Access Control (RBAC) and Mandatory Access Control (MAC), also known as labeling, are keystones to the comprehensive protection provided in Trusted Solaris 8 OE.
■ Proper auditing and auditing analysis are cornerstones of all security systems. Administrators must always be vigilant for possible breaches.

Solaris 8 Security Enhancements

■ SunScreen SecureNet provides an effective means of encrypting network traffic. SunScreen Simple Key Management for Internet Protocols (SKIP) is the mechanism provided in SunScreen SecureNet for encrypting network traffic. Virtual private network (VPN) is a subset of SKIP and provides a way for a highly encrypted point-to-point connection or tunneling to be created either on a local LAN, across a WAN, or even across the Internet.
■ The Solaris Security Toolkit is a group of scripts designed to help facilitate the creation of secure systems. The scripts are highly configurable, but since they are available for free as a download from Sun, they are not supported.
■ OpenSSH is an open-source application that has been ported to Solaris 8 and can be compiled and linked to run in that environment. It provides a secure means of doing X-access communications between clients and servers. It works with the Solaris Security Toolkit for deployment and provides a necessary communications component that is normally disabled by the Toolkit by default.

Frequently Asked Questions

The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.syngress.com/solutions and click on the “Ask the Author” form.

Q: Why should I set up auditing when I already have sufficient security in place?

A: A friend related to me an anecdote that fits this scenario: A Marine was told by his sergeant to string razor wire around the encampment. After considerable struggle with the difficult-to-handle razor wire, he asked his sergeant, “Sir, why are we stringing this wire around the encampment?” The sergeant replied, “It’s to make sure the enemy cannot and will not be able to breach our perimeter, Private!” The private, perplexed, pointed to the landmine field between the wire and the encampment and said, “Sir, then what is the landmine field for?” The sergeant replied, “It’s for when the enemy breaches our perimeter, Private!” The moral of the story is, when it comes to security, never assume that you have enough.

Q: How do I know when it is appropriate to use Trusted Solaris 8 instead of Solaris 8?

A: It is difficult to determine the appropriate level of security in a given situation. We as computer professionals are expected to not only understand the technology completely but are to take into account the sensitivity of the data and work within budget constraints as well. Generally, since there is always an expense with the increase of security, the main question to be answered is, “What would the damage be if the data is compromised?” By way of example, I’ll ask a rhetorical question: “How much security do you think protects the formula for Coca-Cola?”

Q: Is Trusted Solaris 8 government-dictated design overkill for my needs?

A: Although it is true that both Solaris 8 and Trusted Solaris 8 are based on the model that the U.S. government was using, the structure has been improved to the point that it can fit almost any security situation. The model security was originally based on was comprehensive and rigid. Now, over 15 years later, it has evolved to become even more comprehensive with the added benefit of flexibility.

Q: What further training will I need to be able to properly administrate security in my work environment?

A: This too is a question with many variables. In many cases, the information that is provided in this book would be more than adequate for implementation of a sound security policy for your organization. In other cases, a much more in-depth understanding might be required. Many of the subjects that are included here have entire volumes written about them—their internals, their encryption methods and algorithms used. When it comes to security, enough knowledge is enough, but more is always better.

Q: When is SunScreen SecureNet necessary?

A: Networking is perhaps the most vulnerable link in the security chain. In the past, many organizations trusted the phone company to provide security in the dedicated links that comprised our WANs. Now we are less naive. We understand the concepts of data eavesdropping, intercepting, and spoofing. We know the vulnerabilities of the phone company’s data exchange switches and how easily they can be tapped. Now, with the advent of the Internet, it is even more difficult to control the flow of data within a company. What can be controlled, however, is the way the data is transmitted. Encryption technology such as SunScreen SecureNet ensures that should data you are protecting enter a vulnerable area of the network, it is still protected.

Q: Should OpenSSH always be used for client connectivity issues?

A: No. Actually, the Solaris Security Toolkit, by default, completely disables the traditional type of UNIX connectivity, such as remote shell and X-Window access, that is protected with OpenSSH. Today, with Java and other Web applications, there are other methodologies of connectivity, which are discussed later in this book, that provide a similar level of security.
Chapter 3
Securing Solaris with Freeware Security Tools

Solutions in this chapter:

■ Detecting Vulnerabilities with Portscanning
■ Discovering Unauthorized Systems Using IP Scanning
■ Detecting Unusual Traffic with Network Traffic Monitoring
■ Using Sudo
■ Summary
■ Solutions Fast Track
■ Frequently Asked Questions

Introduction

One of the benefits of Solaris being a UNIX variant is the fact that software originally developed for other UNIX platforms is easily ported and configured for use under most modern versions of Solaris. Because of this, an abundance of freeware security-related software exists in the public domain. The downside is that this software is also easily obtained by malicious hackers, and may be used against you and your systems when you least expect it.

We will start by examining a very popular portscanning tool that is easily adapted to finding openings in a vulnerable system, as well as determining what systems are attached to a particular subnet. Then we will look at a common and well-maintained network intrusion detection system that may be used to monitor for suspect or malicious traffic on your networks. We will examine the benefits of a dedicated network sniffer, and see how it can help enhance your network and system security. Finally, we will have a look at a tool that allows an administrator to grant access to super-user functions on a case-by-case and user-by-user basis.

It is critical to remember that these tools, while well-supported in the UNIX community, are not the be-all, end-all for network, system, and user security. Are there better tools out there? It is difficult to judge what is better when comparing something free to something that costs money (whether a little or a lot). Commercial tools, due to their price tag, often come with superior technical support and maintenance resources available by phone, the World Wide Web and even through on-site support engineers. You generally will not find any of these offerings through an open source tool. With commercial software, the customer is usually proactively notified when a new version or bug fix is released, whereas with free software, the administrator must devote some portion of his or her time to verifying that the latest and greatest release is being used. Whether free or commercial, each type of software offers certain advantages over the other. Ultimately your organizational structure, your superiors and your budget allocations will decide which path you take. In some cases, you may have a mixed environment of free and commercial products. I have found that such a mixture often works best in heterogeneous environments. Your needs and restrictions will eventually determine what tools you use.

As you start to explore and use these freeware tools, you should be aware of several things. First and foremost, these tools are open source and generally distributed as source code only. This means you will need appropriate compilers, libraries and other utilities to get the software in a machine-runnable format. Since anyone can download this software, and because numerous parties tend to mirror copies of these tools on various Web and FTP sites, you should be careful where you do your shopping. A couple of years ago a tool called SATAN was obtained, in source form, by a malicious hacker. This hacker inserted some code into the package’s source files that created various backdoors and vulnerabilities. Any well-meaning administrator who downloaded, compiled and used this version of SATAN left their systems vulnerable to attack. The best practice is to obtain your software from one of the following sources, in order of preference:

■ The author’s Web or FTP site
■ A mirror approved by the author (these are often listed under a mirrors link on the main site)
■ An internal mirror (if your organization is large enough to support such a system)
■ A security vendor page or FTP site
■ www.sunfreeware.com

Each of these places should have clean, verified copies of the tool distribution and source code. You will also find various checksums for the tarball packages on the sites mentioned above. Once you download the tarball, run the checksum utility, MD5 or other hash program (as instructed by the author/site maintainer) and be certain they match. If they do not, don’t use that code until you can verify its authenticity. Also keep in mind that some organizations frown on free software. While this is often a matter of principles and priorities, you should always verify with your superiors that free software security tools are welcome on the development and production networks. Permission, especially in writing, to use these tools is invaluable should something bad happen. At the very least, you will want to make your superiors aware of the tools that you will be using, what purposes they serve, and what dangers they may pose, if any.

While the software is free, it is not without cost. You won’t have access to a formal support and troubleshooting resource, for starters. You will be on your own to deal with any bugs that crop up until the author gets around to fixing them. These factors, and the authenticity problems already mentioned, are the biggest drawbacks to using these tools. The benefits include the ability to manipulate the source code of these tools to get around various customizations or other unique situations that exist only in your environment. These changes may be very welcome to the author and may end up as part of the distribution! The ability to examine program code will help you to gain a deeper understanding of what it takes, on a machine-level side, to properly test, audit and secure a system. Finally, the software will enable you to use the tools and tactics of hackers to secure your systems. You will see through their eyes and begin to enter their mindset. Becoming the enemy for just a moment will, without a doubt, make you a better system security professional.

Notes from the Underground…

Know Your Enemy

Researching security provides a unique insight into the state of your systems, their vulnerabilities and the amount of work needed to bring your systems up to par. Investigation will also lead you to discover information about the latest hacks, exploits and vulnerabilities days, weeks or even months before they are published in mainstream media sources. Quite a few white hat or ethical hackers actively engage in hacking their own systems and software in an effort to uncover as-yet-unknown security risks and holes. Between the Web sites and repositories of the unethical and ethical hackers, one can easily get a good feel for what lies just beyond the horizon in terms of new exploits and vulnerabilities.

I strongly suggest you utilize the Web and other resources, including peer and professional contacts, to keep abreast of the latest exploits and system vulnerabilities. Participate in the professional mailing lists for security and penetration testing experts, stay aware of new tools and tips for securing and verifying the security of systems, and generally be open-minded. All too often, administrators think that securing a system once is enough. Nothing could be farther from the truth. What checks out as secure today in Solaris 8 may in fact be tomorrow’s vulnerability. Expect to constantly research the latest activity of both the good guys and the bad guys to stay one step ahead of the game. If you don’t, complacency will set in and eventually someone will root your system. Remember: security is ongoing!

Detecting Vulnerabilities with Portscanning

The typical Solaris installation comes with quite a few active ports. Perhaps the two most notorious of these ports, at least in recent times, are RPC-based ports for sadmind, the default administration daemon, and the portmapper for RPC services, rpcbind. Other seemingly more benign ports are also open by default on Solaris, such as telnet, FTP, finger, the r-command ports, and numerous other RPC-based services, obtained via the portmapper, such as rpc.sprayd, rpc.walld and others.

The telnet port may be disabled, especially if you install a Secure Shell (SSH) server. SSH provides a much more secure means of pseudo-terminal access to remote systems by encrypting the datastream. Telnet itself is the most vulnerable since all transmitted data is sent in cleartext. Passwords and other critical information may easily be snooped from network telnet sessions. The FTP protocol also represents a vulnerability, mainly from buffer overflows or misconfiguration. If the service is not needed, simply disable it. If you do install SSH, then there is no reason to keep the r-command services running. Since these commands rely on minimal host or user-based authentication, and provide no encryption, you are better off removing them from the start. The finger service is very useful for both legitimate and illegitimate purposes, so leaving this service active is a matter of judgment. Generally, on a firewalled network with properly configured systems, I will leave finger enabled, as it tends to be very useful and most of the actual exploitable bugs have long since been fixed.

The RPC-based services are, again, a judgment call. If you need the services offered (calendar, tooltalk, NFS, and so on), then you will need to check your configurations and settings and be sure that the services are configured with maximum security. If you do not need them, simply comment them out from /etc/inetd.conf or prevent them from starting up in the run control scripts on your system.

To see what ports, and consequently which services, are available to the outside world, you should obtain a copy of the portscanner Nmap, which stands for Network Mapper. This software is easily available in many places and generally in two forms: a source-code only copy may be found at www.insecure.org, and a pre-compiled Solaris binary may be obtained from www.sunfreeware.com. Let’s take a brief tour of Nmap.

[...] excellent Sun security software and an impeccable database of vulnerabilities and exploits (including information for fixes and workarounds) relating to any number of operating systems, including Solaris. The site also hosts several mailing lists, some of which are Solaris specific. The Solaris [...]
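As an added example (not from the book), the inetd.conf review described in the portscanning section can be scripted: the code below reads an /etc/inetd.conf in the Solaris 8 layout, reports which legacy services inetd will still start, and produces a copy with telnet, the r-commands and the sadmind/rpc.sprayd RPC entries commented out, leaving finger alone as the judgment call the text describes. The sample file is constructed for this example; the daemon paths in it are illustrative only.

```python
"""Review a Solaris /etc/inetd.conf for the legacy services the chapter
recommends disabling once SSH is installed, and comment them out."""

# Constructed sample in /etc/inetd.conf layout (not a real Solaris 8 file):
# service  socket_type  protocol  wait/nowait  user  server_program  args
SAMPLE_INETD_CONF = """\
# Constructed sample inetd.conf
ftp       stream  tcp      nowait  root    /usr/sbin/in.ftpd       in.ftpd
telnet    stream  tcp      nowait  root    /usr/sbin/in.telnetd    in.telnetd
shell     stream  tcp      nowait  root    /usr/sbin/in.rshd       in.rshd
login     stream  tcp      nowait  root    /usr/sbin/in.rlogind    in.rlogind
#exec     stream  tcp      nowait  root    /usr/sbin/in.rexecd     in.rexecd
finger    stream  tcp      nowait  nobody  /usr/sbin/in.fingerd    in.fingerd
100232/10 tli     rpc/udp  wait    root    /usr/sbin/sadmind       sadmind
100012/1  tli     rpc/udp  wait    root    /usr/lib/netsvc/spray/rpc.sprayd rpc.sprayd
"""

# With SSH in place the chapter sees no reason to keep telnet or the
# r-commands; finger is a judgment call, so it is reported but left alone.
DISABLE_BY_SERVICE = {"telnet", "shell", "login", "exec"}
# RPC entries are keyed by program number, so match them on the daemon name.
DISABLE_BY_SERVER = {"sadmind", "rpc.sprayd"}


def _entry(line):
    """Split one line into (service, server_basename, enabled), or None for
    blank lines and free-text comments that are not commented-out entries."""
    stripped = line.strip()
    if not stripped:
        return None
    enabled = not stripped.startswith("#")
    fields = stripped.lstrip("#").split()
    if len(fields) < 6:
        return None
    service = fields[0].split("/")[0]        # "100232/10" -> "100232"
    server = fields[5].rsplit("/", 1)[-1]    # "/usr/sbin/in.telnetd" -> "in.telnetd"
    return service, server, enabled


def should_disable(service, server):
    return service in DISABLE_BY_SERVICE or server in DISABLE_BY_SERVER


def enabled_services(text):
    """Service names (or RPC program numbers) that inetd will still start."""
    return {e[0] for e in map(_entry, text.splitlines()) if e and e[2]}


def harden(text):
    """Return (new_text, disabled): a copy with risky active entries commented
    out, using the same leading-'#' convention the file already uses."""
    out, disabled = [], []
    for line in text.splitlines():
        entry = _entry(line)
        if entry and entry[2] and should_disable(entry[0], entry[1]):
            out.append("#" + line)
            disabled.append(entry[0])
        else:
            out.append(line)
    return "\n".join(out) + "\n", disabled


if __name__ == "__main__":
    hardened, removed = harden(SAMPLE_INETD_CONF)
    print("disabled:", ", ".join(removed))
    print("still enabled:", ", ".join(sorted(enabled_services(hardened))))
    print(hardened)
```

After writing the hardened copy over the real file, inetd must be sent SIGHUP so it rereads its configuration; the RPC services started from the run control scripts rather than inetd are outside this script's scope.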
[...] open        ssh
80/tcp     open        http
111/tcp    open        sunrpc
4045/tcp   open        lockd
6000/tcp   open        X11
32771/tcp  open        sometimes-rpc5
32780/tcp  open        sometimes-rpc23

TCP Sequence Prediction: Class=truly random
                         Difficulty=9999999 (Good luck!)
Remote operating system guess: Solaris 2.6 - 2.7 with tcp_strong_iss=2 [...]

[...] www.incoming-traveller.com

The portscan itself may take anywhere from 10 seconds to 3 or 4 minutes, depending on how many open ports the scanner finds and has to report on. The normal output of Nmap after a scan will look something like Figure 3.1.

Figure 3.1 The Normal Output of Nmap after a [...]

[...] Figure 3.3

Figure 3.3 Nmap Inventory Results for IPs and OSs on the Network

Next, run Nmap with its -O option (as root!) to fingerprint hosts on the network:

%nmap -O 10.1.1.0/24 >> /ip_and_fingerprints.out

When Nmap finishes its run, your file will be appended with the following:

Starting nmap V 2.53 by fyodor@insecure.org (www.insecure.org/nmap/)
Interesting ports on www.incoming-traveller.com (10.1.1.33): [...]

[...] more about Solaris security in general. Another excellent site is the SunFreeware site at www.sunfreeware.com, run by Steven M. Christensen. Christensen is involved in numerous projects, but the SunFreeware site has arguably had the greatest impact on Solaris administrators and users to date. Just now, Sun Microsystems is finally ramping up with an admin-oriented site called BigAdmin at www.sun.com/bigadmin [...]

[...] to acknowledge and correct mistakes.

Summary

The Nmap and Sudo tools are key to securing a system and keeping it secure. One could look at Nmap as a means of protecting a Solaris 8 system from itself, and Sudo as a way of protecting a Solaris 8 system from users with a legitimate need for limited [...]

[...] until that last seven or eight months. Interestingly, Sun links BigAdmin to SunFreeware’s site. Christensen’s site takes first honors in terms of locating software for most current revisions of Solaris (from 2.5 to 8), and for both the Sparc and Intel platform versions. Sunfreeware.com boasts a wide range of precompiled applications for Solaris in standard Solaris package and Web Start formats. Also included [...]

[...] smtp. The snmp services are started out of /etc/rc3.d/ scripts and smtp starts in /etc/rc2.d/S88sendmail. An open smtp service will show as port 25/tcp and snmp will show as one or both of ports 161/udp and 162/udp. Since Solaris is highly configurable, it is not beyond the realm of possibility [...]

[...] is a Solaris 8 system and confusion reigns. Referring to your meticulous documentation, you see that IP 10.1.1.11 should have a MAC address of 08:00:02:11:22:33 (3Com network card prefix). This is not the real 10.1.1.11. Someone probably tried to poison your arp cache by publishing 08:00:20:73:51:02 as the hardware address for 10.1.1.11. This is one of the shortcomings of most arp implementations. Solaris [...]

[...] Solaris system, acting in no other capacity than as a security monitoring and enforcement system. In our previous scenarios, we developed a system in our company, admin.incoming-traveller.com, to play this role.

Using Snoop

First let’s take a look at one of the best tools on a stock Solaris [...]
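An added example (not from the book) of the check the arp-cache scenario above relies on: it parses Solaris-style arp -a output, normalizes the hardware addresses (Solaris prints octets without leading zeros), and compares each entry against the administrator's documented inventory, reporting mismatches like the 10.1.1.11 case, hosts missing from the documentation, and one hardware address answering for several IPs. Both the arp table and the inventory are constructed for this example.

```python
"""Compare a Solaris arp -a table against a documented IP-to-MAC inventory
to spot the kind of arp cache poisoning described in the chapter."""
import re

# Constructed arp -a output in the Solaris "Net to Media Table" layout.
# Solaris prints MAC octets without leading zeros: 8:0:20:73:51:2 is the
# same address as 08:00:20:73:51:02.
SAMPLE_ARP_TABLE = """\
Net to Media Table: IPv4
Device   IP Address               Mask      Flags   Phys Addr
------ -------------------- --------------- ----- ---------------
hme0   10.1.1.1             255.255.255.255       0:10:4b:aa:bb:cc
hme0   10.1.1.11            255.255.255.255       8:0:20:73:51:2
hme0   10.1.1.33            255.255.255.255       8:0:20:1f:2e:3d
hme0   10.1.1.44            255.255.255.255       8:0:20:73:51:2
hme0   10.1.1.99            255.255.255.255       0:50:56:12:34:56
hme0   10.1.1.250           255.255.255.255 SP    8:0:20:c0:ff:ee
"""

# The administrator's documentation (constructed); 10.1.1.11 carries the
# 3Com-prefixed address the chapter cites.
INVENTORY = {
    "10.1.1.1": "00:10:4b:aa:bb:cc",
    "10.1.1.11": "08:00:02:11:22:33",
    "10.1.1.33": "08:00:20:1f:2e:3d",
    "10.1.1.250": "08:00:20:c0:ff:ee",
}

MAC = re.compile(r"[0-9a-fA-F]{1,2}(?::[0-9a-fA-F]{1,2}){5}")


def normalize_mac(mac):
    """Zero-pad each octet and lower-case, so Solaris and documented forms compare."""
    return ":".join(f"{int(octet, 16):02x}" for octet in mac.split(":"))


def parse_arp_table(text):
    """Return {host: mac}. Columns are Device, IP Address, Mask, optional
    Flags, Phys Addr; only rows whose last field is a MAC are entries."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not MAC.fullmatch(fields[-1]):
            continue
        table[fields[1]] = normalize_mac(fields[-1])
    return table


def check_arp_table(observed, inventory):
    """Findings: 'mismatch' {ip: (documented, seen)}, 'unknown' {ip: mac} for
    hosts absent from the inventory, and 'duplicate' {mac: [ips]} when one
    hardware address answers for several IPs."""
    findings = {"mismatch": {}, "unknown": {}, "duplicate": {}}
    by_mac = {}
    for ip, mac in observed.items():
        documented = inventory.get(ip)
        if documented is None:
            findings["unknown"][ip] = mac
        elif normalize_mac(documented) != mac:
            findings["mismatch"][ip] = (normalize_mac(documented), mac)
        by_mac.setdefault(mac, []).append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings["duplicate"][mac] = sorted(ips)
    return findings


if __name__ == "__main__":
    report = check_arp_table(parse_arp_table(SAMPLE_ARP_TABLE), INVENTORY)
    for kind, items in report.items():
        for key, value in items.items():
            print(f"{kind}: {key} -> {value}")
```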

Posted: 14/08/2014, 04:21
