
hack sun book hack proofing sun solaris part 10 pptx


Hack Proofing Sun Solaris 8 Fast Track • Appendix 363

(Chapter 1, continued)

- Monitor the system for rogue world-writable files, and change their access modes to something more restrictive (775 at the minimum, but preferably 644).

Securing against Physical Inspections

- Change the security mode in the OpenBoot PROM to protect the system from booting from unauthorized media.
- Set a password that restricts access to the OpenBoot configuration.
- Set the oem-banner to display an Authorized Use banner similar to the one used in /etc/issue and /etc/motd.

Documenting Security Procedures and Configurations

- Create an administrative log, such as /var/adm/hostname.journal, that records administrative changes made to the system as well as system information such as the hardware configuration.
- Take periodic snapshots of the free disk space with the df command.
- Take periodic snapshots of the CPU and memory utilization metrics with the vmstat command.

www.syngress.com Chapter 1 Continued 158_HPsun_AppFT 10/5/01 11:42 AM Page 363

❖ Chapter 2: Securing Solaris with the Bundled Security Tools

The Orange Book

- The Orange Book is the foundation for computer security as it is modeled today, providing the de facto standard for assessing security levels with classifications such as C1, C2, and B1.
- The file security defined in the Orange Book provides the basic model used in virtually all computer systems today.
- Even though the Orange Book classification levels go from the lowest level D to the highest level A, in reality, with very few exceptions, most operating environments run under the C1, C2, or B1 levels.

Choosing Solaris 8 C2 Security

- The SunSCREEN Basic Security Module is required in order to bring the default installation of the Solaris 8 OE up to C2 level security.
- Auditing must be configured and managed with an organized methodology in order for it to be useful and controllable.
- Auditing can be finely configured and managed by editing the audit_control and audit_user files and utilizing the auditconfig, auditreduce, and praudit commands.

Choosing Trusted Solaris 8

- Choosing the Trusted Solaris 8 OE, although it provides a very high level of security, requires a commitment of both human and system resources to administer and maintain.
- Role-Based Access Control (RBAC) and Mandatory Access Control (MAC), also known as labeling, are keystones of the comprehensive protection provided in the Trusted Solaris 8 OE.
- Proper auditing and audit analysis are cornerstones of all security systems. Administrators must always be vigilant for possible breaches.

Solaris 8 Security Enhancements

- SunScreen SecureNet provides an effective means of encrypting network traffic. SunScreen Simple Key Management for Internet Protocols (SKIP) is the mechanism provided in SunScreen Secure Net for encrypting network traffic. Virtual private network (VPN) is a subset of SKIP and provides a way for a highly encrypted point-to-point connection or tunnel to be created either on a local LAN, across a WAN, or even across the Internet.
- The Solaris Security Toolkit is a group of scripts designed to help facilitate the creation of secure systems. The scripts are highly configurable, but since they are available as a free download from Sun, they are not supported.
- OpenSSH is an open-source application that has been ported to Solaris 8 and can be compiled and linked to run in that environment. It provides a secure means of X-access communications between clients and servers. It works with the Solaris Security Toolkit for deployment and provides a necessary communications component that is normally disabled by the Toolkit by default.

❖ Chapter 3: Securing Solaris with Freeware Security Tools

Detecting Vulnerabilities with Portscanning

- Portscan your own networks regularly and become familiar with your network residents.
- Automate your scans, including results delivery, to make your life simpler and easier, but always be sure to take the time to review the results.
- Most portscanners require root privileges to use some of the more advanced features. Be certain your cron jobs run as root or you may get false results.
- Even security software can be compromised from time to time. For jobs and scripts that must run applications as root, consider setting them up in a chrooted environment. Always limit your exposure.
- Understand whether you absolutely need a given port and service available on a system. Open services are an inviting target for malicious hackers.
- Portscan everything, even your routers and firewalls. Nothing is necessarily immune from attack and compromise. Understand the whole network, from end to end.

Discovering Unauthorized Systems Using IP Scanning

- A network scanner is only as effective as the IP documentation for the network you are scanning.
- Understanding and using arp tools is an important step toward discovering unwanted guests on your networks.
- Familiarize yourself with the common hardware vendor MAC prefixes on your network. Maintain hard copies if necessary.
- Conduct your ping sweeps at random times. Don't fall into a pattern that a potential intruder may catch on to.

Detecting Unusual Traffic with Network Traffic Monitoring

- Snoop, a built-in Solaris utility, is a powerful network tool for real-time monitoring of network activity for short periods of time.
- A dedicated sniffer/IDS system like Snort is the best way to get current and historically accurate information about network traffic types and patterns.
- Maintaining a static arp cache will help protect your network from spoofed arp entries, which can otherwise fool even some of the best IDS systems.
- Maintain a good set of IDS logs on backup tape. When a breach isn't discovered immediately, that evidence may become very important.

Using Sudo

- With Sudo, there is no need to give out your root passwords.
- Sudo's logging features help you track and document the execution of super-user programs. In the event of unauthorized activity, this logging will help you track down the culprit.
- By grouping users together in Sudo's configuration file, you can give a pool of qualified administrators access to the resources they need most.
- Be certain your users are trained in using Sudo and that they understand their limitations in relation to Sudo.

❖ Chapter 4: Securing Your Users

Creating Secure Group Memberships

- Solaris provides several groups at installation time. Most are reserved for system utilities and daemon processes. The sysadmin group allows access to Admintool. Generally, GIDs less than 100 are reserved for system default groups, as are GIDs over 60,000. Be aware that Admintool assigns a default group of 0, which is a serious security risk.
- Each user can be a member of one primary group and no more than 16 secondary groups.
- Role-Based Access Control (RBAC) is a new addition to Solaris 8. It allows systems administrators to delegate certain tasks, formerly reserved for the root user, to individuals or groups. RBAC attempts to address the all-or-nothing privilege set normally found on UNIX systems by providing a means to define new roles, delegate these roles to users or groups, and easily revoke such permissions.

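The Chapter 3 items on arp tools and vendor MAC prefixes above amount to a check that can be run from cron. The script below is an added example, not code from the book or from Sun: the arp table it reads is a constructed sample in the layout of Solaris "arp -a" output, and the prefix list holds two real OUIs (08:00:20 for Sun Microsystems, 00:00:0c for Cisco) standing in for the inventory you would keep yourself; 00:11:22 is a made-up prefix playing the unexpected device.

```shell
#!/bin/sh
# Added example, not from the book: check an arp table against the vendor
# MAC prefixes (OUIs) you expect to see on a segment, the routine Chapter 3
# recommends for spotting unknown hosts.

# Known prefixes, "oui vendor" per line. 08:00:20 (Sun Microsystems) and
# 00:00:0c (Cisco) are real OUIs; in practice this list is your own inventory.
KNOWN_OUIS='08:00:20 Sun
00:00:0c Cisco'

# Constructed sample in the layout of Solaris "arp -a" output (not a capture);
# 00:11:22 is a made-up prefix standing in for an unexpected device.
SAMPLE_ARP='Net to Media Table: IPv4
Device   IP Address               Mask      Flags   Phys Addr
------ -------------------- --------------- ----- ---------------
hme0   192.168.100.1        255.255.255.255 SP    08:00:20:ab:cd:ef
hme0   192.168.100.2        255.255.255.255       00:00:0c:12:34:56
hme0   192.168.100.77       255.255.255.255       00:11:22:33:44:55
hme0   192.168.100.255      255.255.255.255 SM    ff:ff:ff:ff:ff:ff'

# audit_arp: reads arp output on stdin; prints "ip mac vendor" per host, with
# vendor UNKNOWN for prefixes not in the list; exit status 1 if any UNKNOWN
audit_arp() {
    awk -v known="$KNOWN_OUIS" '
        BEGIN {
            cnt = split(known, lines, "\n")
            for (i = 1; i <= cnt; i++) {
                split(lines[i], kv, " ")
                vendor[tolower(kv[1])] = kv[2]
            }
        }
        # entry lines end in a six-octet address; headers and rulers do not
        $NF ~ /^[0-9a-fA-F:]+$/ && split($NF, o, ":") == 6 {
            for (i = 1; i <= 6; i++)                 # 8:0:20:... -> 08:00:20:...
                if (length(o[i]) == 1) o[i] = "0" o[i]
            mac = tolower(o[1] ":" o[2] ":" o[3] ":" o[4] ":" o[5] ":" o[6])
            if (mac == "ff:ff:ff:ff:ff:ff") next     # broadcast entry
            oui = substr(mac, 1, 8)
            if (oui in vendor) print $2, mac, vendor[oui]
            else { print $2, mac, "UNKNOWN"; unknown = 1 }
        }
        END { exit unknown + 0 }
    '
}

# unknown_hosts: just the addresses whose vendor prefix was not recognised
unknown_hosts() {
    audit_arp | awk '$3 == "UNKNOWN" { print $1 }'
}

# On a live host:   arp -a | audit_arp     (from cron, mail any output)
if printf '%s\n' "$SAMPLE_ARP" | audit_arp; then
    echo "all prefixes known"
else
    echo "unknown prefixes present"
fi
```

Any address that unknown_hosts reports is a lead to chase with the IP documentation, not proof of an intruder; a new printer or a replaced NIC looks the same. The static-cache item above pairs with this: once the hosts on a segment are inventoried, pinning them with arp -s leaves only new entries to explain.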
Understanding Solaris User Authentication

- The three files in /etc/default, passwd, su, and login, control account and login policies. There, systems administrators can set default umasks, paths, password length restrictions, and password expiration periods.
- Solaris uses the /etc/nsswitch.conf file to determine the order in which information services such as flat files, NIS, or NIS+ are searched for authentication data.

Authenticating Users with NIS and NIS+

- Distributed authentication systems demand a best-practices form of security, rather than a point-by-point review of weaknesses and solutions.
- The ideal network for distributed network databases is controlled entirely by a single group of administrators. Users are not allowed to run their own machines on the secure network, nor are NIS or NIS+ services provided to such machines.
- Consider using SecureRPC to authenticate and encrypt RPC transactions.
- If SecureRPC is unavailable or unmanageable, consider using ipfilter or a portmapper replacement to prevent unauthorized access to RPC services.
- Keep UID 0 accounts local and rigidly protected. Root and root-like accounts should never be in NIS.

Authenticating Users with Kerberos

- Kerberos is an authentication system that relies on mutual trust of a secure third party, called the Key Distribution Center (KDC). The basic tenet of Kerberos is that the Kerberos principal, or password, never travels on the network, even in encrypted form.
- Kerberos Ticket Granting Tickets (TGTs) are held by the workstation in a file called the credentials cache. These tickets have configurable validity periods. As long as a TGT is valid, the user will not have to enter a password to connect to Kerberized services. This feature is called single sign-on.
- By allowing for the secure exchange of a secret key between the KDC, a service, and the user, Kerberos makes encrypted versions of common applications like rlogin, rsh, and Telnet possible.
- The lack of Kerberized clients for the PC and Macintosh platforms, particularly among e-mail software, hinders its effective deployment at most sites.
- A PAM-authenticated login, or /usr/krb5/bin/kinit, creates a credentials cache. From then on, for the validity period of the cache, the Kerberized rlogin, rsh, rcp, and Telnet commands will not require a password. The -x option can be used to force these commands to create an encrypted channel.
- At logout, /usr/krb5/bin/kdestroy should be used to remove existing credentials caches. This prevents an attacker from potentially using a still-valid ticket to masquerade as another user.

Authenticating Users with the Pluggable Authentication Modules

- PAM provides a flexible, interchangeable authentication mechanism. PAM can control all aspects of user accounts, from authentication to session and password management. PAM modules are stackable in that modules can be executed in any order, with some required at all times and some sufficient, to achieve different security strategies.
- Various PAM configurations can allow access to certain administrative functions by group membership.
- Some services can require different authentication methods, like SecurID or Radius, without affecting other services, simply by changing pam.conf.

❖ Chapter 5: Securing Your Files

Establishing Permissions and Ownership

- Be very wary of SUID/SGID binaries.
- Use ACLs on all binaries left SUID/SGID after your audit.
- Consider the use of Role Based Access Control to allow limited access to privileged commands.
- Consider the use of FixModes to assist you in the correction of base permissions.

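The Chapter 4 item on /etc/default/login and /etc/default/passwd above lists what those files control but not what a sound setting looks like. The script below is an added example, not the book's code: it reads the two files as KEY=value lines and reports the settings a reviewer would flag. The key names it checks (CONSOLE, PASSREQ and UMASK in login; PASSLENGTH and MAXWEEKS in passwd) are the standard Solaris ones; the file contents it writes for the demonstration are constructed, one "as installed" pair and one hardened pair, so nothing under /etc/default is touched.

```shell
#!/bin/sh
# Added example, not from the book: audit the account-policy settings that
# Chapter 4 says live in /etc/default/login and /etc/default/passwd.
# Key names are the standard Solaris ones; the sample files are constructed.

# get_setting FILE KEY: value of an uncommented KEY=value line, empty if unset
get_setting() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# audit_defaults LOGIN_FILE PASSWD_FILE: one line per weak setting;
# exit status 1 when there is anything to fix
audit_defaults() {
    login=$1 passwd=$2 findings=0
    if [ -z "$(get_setting "$login" CONSOLE)" ]; then
        echo "login: CONSOLE is unset, so root may log in over the network"; findings=1
    fi
    if [ "$(get_setting "$login" PASSREQ)" != "YES" ]; then
        echo "login: PASSREQ is not YES, so accounts without a password can log in"; findings=1
    fi
    # the default umask must at least clear group and other write (022, 027, 077 ...)
    mask=$(get_setting "$login" UMASK)
    u=${mask:-000}
    other=${u#"${u%?}"}; rest=${u%?}; group=${rest#"${rest%?}"}
    case "$group$other" in
        [2367][2367]) ;;
        *) echo "login: UMASK=${mask:-unset} leaves group/other write bits on new files"; findings=1 ;;
    esac
    len=$(get_setting "$passwd" PASSLENGTH)
    if [ "${len:-0}" -lt 8 ]; then
        echo "passwd: PASSLENGTH=${len:-unset} is below the eight-character minimum"; findings=1
    fi
    if [ -z "$(get_setting "$passwd" MAXWEEKS)" ]; then
        echo "passwd: MAXWEEKS is unset, so passwords never expire"; findings=1
    fi
    return $findings
}

# write_samples DIR: constructed weak and hardened copies of both files
write_samples() {
    mkdir -p "$1"
    cat > "$1/login.weak" <<'EOF'
# CONSOLE=/dev/console
PASSREQ=NO
UMASK=002
EOF
    cat > "$1/passwd.weak" <<'EOF'
MAXWEEKS=
MINWEEKS=
PASSLENGTH=6
EOF
    cat > "$1/login.hard" <<'EOF'
# root may only log in at the system console
CONSOLE=/dev/console
PASSREQ=YES
UMASK=027
EOF
    cat > "$1/passwd.hard" <<'EOF'
MAXWEEKS=12
MINWEEKS=1
WARNWEEKS=2
PASSLENGTH=8
EOF
}

# Demonstration; on a real host run:  audit_defaults /etc/default/login /etc/default/passwd
dir=${TMPDIR:-/tmp}/defaults.$$
write_samples "$dir"
echo "weak pair:";     audit_defaults "$dir/login.weak" "$dir/passwd.weak" || true
echo "hardened pair:"; audit_defaults "$dir/login.hard" "$dir/passwd.hard" && echo "no findings"
rm -rf "$dir"
```

The umask test looks only at the group and other digits, so 022, 027 and 077 all pass while 002 is flagged; the check is deliberately stricter than "is it set", because a umask that is present but permissive is the more common mistake.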
Using NFS

- Be very cautious about the file systems or directories that you share.
- Share read-only files whenever possible.
- When mounting file systems, mount them NOSUID to ensure greater security.

Locking Down FTP Services

- Seriously evaluate your need to run FTP services.
- Apply all vendor patches and test that vulnerabilities do not exist.
- Run anonymous FTP services only in a chrooted environment; verify that you cannot break out of the jail.
- If you allow download only, verify that you cannot create files on the server as an FTP user.

Using Samba

- Never use hosts.equiv or .rhosts authentication!
- Always define each user's home share explicitly, and use access control wherever possible.
- Be wary of any directive that allows program execution with root privilege.
- Protect your smbpasswd file as carefully as you would your /etc/shadow file.

Monitoring and Auditing File Systems

- Be aware of your installed baseline. Be sure to take a snapshot of the system immediately after installation and configuration. Keep this snapshot well protected.
- If you opt to use BSM auditing, be sure that you use some sort of log reduction system. Audit logs can fill very fast and can clog the system if left unchecked.
- Also with BSM, remember to configure the audited events and monitor them for applicability. This setting is one that might require tuning!

❖ Chapter 6: Securing Your Network

Configuring Solaris as a DHCP Server

- Determine your lease pools, default gateways, lease time, and any other client data before beginning.
- Use the command-line dhcpconfig setup tool to create your DHCP server configuration. Be sure to enable logging.
- Use the GUI tool dhcpmgr to maintain your DHCP configurations and set up host-specific options.

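Chapter 1's item on rogue world-writable files and Chapter 5's items on SUID/SGID binaries and a protected post-install baseline all come down to walking the file tree, so one script serves all three. It is an added example, not the book's code and not FixModes: every function takes the directory to examine, and the demonstration builds a constructed scratch tree (one world-writable file, one SUID file, one clean file) so it can be tried before being pointed at a real file system.

```shell
#!/bin/sh
# Added example, not the book's code: report world-writable and SUID/SGID
# files and compare a tree against a saved baseline. Every function takes the
# directory to examine, so it can be tried on a scratch tree first.

# world_writable DIR: regular files writable by "other" (mode bit 0002)
world_writable() {
    find "$1" -type f -perm -0002 -print | sort
}

# restrict_world_writable DIR: clear the "other" write bit on each of them
# (the book's "775 at the minimum"); owner, group and other bits stay as set
restrict_world_writable() {
    world_writable "$1" | while IFS= read -r f; do chmod o-w "$f"; done
}

# setid_files DIR: regular files carrying the SUID (4000) or SGID (2000) bit,
# the list to review before deciding which stay set-id and get ACLs
setid_files() {
    { find "$1" -type f -perm -4000 -print
      find "$1" -type f -perm -2000 -print; } | sort -u
}

# make_baseline DIR FILE: record "checksum size path" for every regular file.
# Keep FILE off the system (tape, read-only media) so an intruder cannot
# rewrite the baseline along with the files.
make_baseline() {
    find "$1" -type f -print | sort | while IFS= read -r f; do
        cksum "$f"
    done > "$2"
}

# check_baseline DIR FILE: print paths that changed, appeared or disappeared
# since FILE was recorded; exit status 1 when there is any drift
check_baseline() {
    now="$2.new.$$"
    make_baseline "$1" "$now"
    # lines present in only one of the two lists are the drift
    drift=$(sort "$2" "$now" | uniq -u | sed 's/^[0-9]* [0-9]* //' | sort -u)
    rm -f "$now"
    [ -z "$drift" ] && return 0
    printf '%s\n' "$drift"
    return 1
}

# demo_tree: constructed scratch tree with one world-writable file, one SUID
# file and one clean file; prints its path
demo_tree() {
    d=${TMPDIR:-/tmp}/permaudit.$$
    mkdir -p "$d/bin" "$d/etc"
    printf 'hello\n' > "$d/etc/clean.conf"; chmod 644  "$d/etc/clean.conf"
    printf 'x\n'     > "$d/etc/open.conf";  chmod 666  "$d/etc/open.conf"
    printf 'x\n'     > "$d/bin/suidtool";   chmod 4755 "$d/bin/suidtool"
    printf '%s\n' "$d"
}

# Walk-through on the scratch tree (on a real host: world_writable / etc.)
tree=$(demo_tree)
echo "world-writable:"; world_writable "$tree"
echo "set-id:";         setid_files "$tree"
make_baseline "$tree" "$tree.base"
printf 'changed\n' > "$tree/etc/clean.conf"
echo "drift after editing clean.conf:"
if check_baseline "$tree" "$tree.base"; then echo "no drift"; fi
rm -rf "$tree" "$tree.base"
```

The baseline comparison catches modified, added and removed files but says nothing about permission or ownership changes; a production baseline would record ls -l output alongside the checksums. Paths containing spaces are handled by the read loops but not by the sed that strips the checksum columns, which is acceptable for system directories and worth fixing before scanning user data.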
Securing DNS Services on Solaris

- Understand that attackers can leverage unsecured DNS servers as a roadmap to identify and target interesting hosts for attack.
- Consider splitting your DNS into separately updated public and private servers.
- Configure BIND to run in a chroot jail.
- Restrict zone transfer information as tightly as possible in the named.conf file.

Configuring Solaris to Provide Anonymous FTP Services

- Add all users to the /etc/ftpusers file and remove them on a case-by-case basis depending on the user's need for FTP services.
- Understand why anonymous FTP is inherently insecure. Then, if it is still determined to be a requirement, use the configuration script in the man page for in.ftpd(1M) to configure the anonymous FTP server in a chroot'ed environment.

Using X-Server Services Securely

- Understand the difference in security levels between host-based and user-based authentication.
- Unless resources are cramped on your Solaris servers, use XDM for OpenWindows, which takes care of generating magic cookies for you.
- Where possible, use SSH for forwarding X connections for increased security and authentication.

Using Remote Commands

- Restrict the use of the Berkeley r-commands as much as possible.
- Understand that /etc/hosts.equiv and .rhosts will allow password-less logins to your servers, which is often quite undesirable.
- Disable the Berkeley r-commands entirely and use SSH as a drop-in replacement. SSH has a very low learning curve because it uses identical syntax to the Berkeley r-commands in almost all cases.

❖ Chapter 7: Providing Secure Web and Mail Services

Configuring the Security Features of an Apache Web Server

- Write your CGI scripts with security as the first consideration.
- Configure your cgi-bin directories and restrict access to them as needed.
- Protect other parts of your Web tree with the <Directory> directive. You can restrict based on hostname, IP address, or several other criteria.
- Use Apache's VirtualHost directive to hide the identity of your Web servers. Used in conjunction with multiple IP addresses, you may obtain some level of security for your systems.

Monitoring Web Page Usage and Activity

- Perl is an excellent tool for simple Web monitoring scripts. With its inclusion in Solaris 8, make liberal use of its excellent string-handling capabilities.
- Monitor your server for excessive 404 results. A search engine or another page may have outdated link information. You will want to update this information to get users to the right parts of your site.
- If you have password-protected parts of your site, monitor your log files for excessive 403 results. A few may indicate a forgotten password, but several dozen or hundred may indicate a brute force attack against your site.

Configuring the Security Features of Sendmail

- The access_db feature allows you a great amount of flexibility in whom to accept mail from or for.
- Sendmail comes with relay capabilities turned off by default. Use caution when allowing even limited relaying.
- You should understand all the relaying features of sendmail and keep an eye on your mail server activity. If you notice a suspicious sendmail.cf or odd entries in your sendmail.mc file, suspect UBE activity.
- Utilize sendmail rulesets to help filter objectionable or unwanted e-mail, but use them carefully. Rulesets often have a high overhead in sendmail.
- Understand the relay configuration options for sendmail before making any real-world changes. In the event your changes do not work out, be ready to backtrack.

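The two monitoring items in Chapter 7 above (excessive 404s as a sign of stale links, excessive 403s as a sign of password guessing) are simple counts over the access log. The script below is an added example, not the book's code; the book suggests Perl, but awk is shown here because it is the same tool on every Solaris host. The log lines it processes are constructed samples in Apache's common log format, not real traffic.

```shell
#!/bin/sh
# Added example, not the book's code: the 403/404 checks from Chapter 7 as
# awk passes over Apache's common log format. Run from cron and mail the
# output so the review step the book insists on actually happens.

# Constructed sample access_log lines (not real traffic): 10.0.0.5 keeps
# hitting a protected area, and two stale links point at /old/page.html.
SAMPLE_LOG='10.0.0.5 - - [05/Oct/2001:11:42:00 -0700] "GET /private/ HTTP/1.0" 403 294
10.0.0.5 - - [05/Oct/2001:11:42:01 -0700] "GET /private/ HTTP/1.0" 403 294
10.0.0.5 - - [05/Oct/2001:11:42:02 -0700] "GET /private/ HTTP/1.0" 403 294
10.0.0.5 - - [05/Oct/2001:11:42:03 -0700] "GET /private/ HTTP/1.0" 403 294
10.0.0.9 - - [05/Oct/2001:11:43:00 -0700] "GET /private/ HTTP/1.0" 403 294
10.0.0.9 - - [05/Oct/2001:11:43:05 -0700] "GET /private/ HTTP/1.0" 200 1043
10.0.0.7 - - [05/Oct/2001:11:44:00 -0700] "GET /old/page.html HTTP/1.0" 404 210
10.0.0.8 - - [05/Oct/2001:11:44:10 -0700] "GET /old/page.html HTTP/1.0" 404 210
10.0.0.8 - - [05/Oct/2001:11:44:12 -0700] "GET /missing.gif HTTP/1.0" 404 210
10.0.0.8 - - [05/Oct/2001:11:44:13 -0700] "GET /index.html HTTP/1.0" 200 2048'

# In the common log format the client is field 1, the request path field 7
# and the status code field 9.

# excessive_403 THRESHOLD: clients with at least THRESHOLD 403 responses as
# "ip count", busiest first. One or two is a forgotten password; dozens from
# a single address is the pattern the book calls a brute force attempt.
excessive_403() {
    awk -v limit="$1" '
        $9 == 403 { n[$1]++ }
        END { for (ip in n) if (n[ip] >= limit) print ip, n[ip] }
    ' | sort -k2,2nr -k1,1
}

# top_404 N: the N most requested missing paths as "count path"; these are
# the outdated links (search engines, other sites) to fix or redirect
top_404() {
    awk '
        $9 == 404 { n[$7]++ }
        END { for (p in n) print n[p], p }
    ' | sort -k1,1nr -k2,2 | head -n "$1"
}

# status_summary: count per response code, a one-glance daily health line
status_summary() {
    awk '{ n[$9]++ } END { for (s in n) print s, n[s] }' | sort
}

# Demonstration on the sample; on a server feed the real access_log instead,
# e.g.   tail -n 10000 access_log | excessive_403 25
printf '%s\n' "$SAMPLE_LOG" | excessive_403 3
printf '%s\n' "$SAMPLE_LOG" | top_404 5
printf '%s\n' "$SAMPLE_LOG" | status_summary
```

Thresholds belong in cron arguments rather than in the script, because a reasonable number for a small intranet server is noise on a busy public one; tune them against a week of normal logs before letting the job send mail.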
Fragments from the remaining chapters (the page shows only excerpts; [...] marks text that is missing on the page):

❖ Chapter 8: Configuring Solaris as a Secure Router and Firewall

Configuring Solaris as a Secure Router

- The ability to shut down all services on the system, make configuration changes to a running kernel, and create multiple layers and access control on the system without bouncing the system make Solaris the [...]
- [...] connectivity with one another or a known accessible address.
- Interfaces on a Solaris 8 system using IPv6 can be manually configured using data on the system or via data attained from DNS. Solaris is capable of functioning as a gateway as well as a router. In implementation, [...]

❖ Chapter 9: Using Squid on Solaris

The Default Settings of a Squid Installation

- By default, Squid denies access to all browsers. You must configure an allowed range of IP addresses. It is best to preserve Squid's default-deny behavior to ensure your proxy is used only in the manner you expect.
- [...] aggressive filtering carries with it the risk that performance and browsing may be negatively impacted.

❖ Chapter 10: Dissecting Hacks

Securing against Denial of Service Hacks

- Configure network equipment to restrict traffic to permitted protocols, routable address spaces, and committed access rates [...]

[...]

- [...] the system 192.168.100.1 trusts the host 192.168.100.54, the entry in the /etc/hosts.equiv file for user jdoe would be: +192.168.100.54 jdoe
- Use tools such as arpwatch to try to detect possible MAC address spoofing attempts.
- Use SSH in place of the r-services (i.e., rsh, rlogin, rcp, etc.).

[...]

- [...] the user chooses a password that is considered too weak, the password will be rejected and the user will be asked to choose another one.
- Be sure to require the minimum password length to be eight characters. This can be controlled by changing the value of PASSMIN in /etc/default/passwd [...]

❖ Chapter 11: Detecting and Denying Hacks

Monitoring for Hacker Activity

- [...]


Posted: 14/08/2014, 04:21
