Comparison of Solaris Hardening Scripts
Yassp, SECUR, Titan, Bastille, Jass...
By Seán Boran
Note: This material is a bit old; for the latest on Yassp, see "Hardening Solaris with Yassp" (Solaris_hardening3.html).
The idea of this rough draft was to compare the hardening tools available, so we could see what Yassp still needs to do. Your feedback is most welcome: email me at sean at boran.com. All updates are documented in the section "Changes to this document".
Contents:
- Summary and recommendations
- General Improvements (all Tools)
- JASS (Sun)
- YASSP: Goodies, Disadvantages, Suggested Improvements
- SECUR: Goodies, Disadvantages, Suggested Improvements, Questions
- Titan: Goodies, Disadvantages, Suggested Improvements
- Bastille (for Linux)
- Sean's Guidelines
- Chris's harden script
- References
- Changes to this document

Summary and recommendations

Many people have obviously put in a huge amount of work to produce the various packages. All make hardening Solaris much easier than before, and all improve security.
The short-term goal is to produce scripts that have our consensus and can be published at SANS.
The long-term goal is a tool that is cross-platform, modular, extensible and includes the best of all current hardening scripts and knowledge.
My personal opinion:
- I like Titan and Alberto's methods, structure (tar.Z, modules) and tools.
- I also like the new Yassp beta3 /etc/rc.conf and its logs, and its more rigorous approach. Jean is improving it and has SANS backing.
- But Titan and SECUR still have some things that Yassp doesn't...
Are the TITAN authors listening? Perhaps they could voice their opinions?
What do you think? Some feedback from the Bastille people would be nice.
- The coding is still all done by Jean; it would be useful to have a way for other developers to contribute.
- The email list should be archived and made available on the web [6]. Jean has an archive, but we can't get it from the web yet.
The target audience seems to be divided into those who want to:
- harden bastion hosts (like myself), and
- those who have large numbers of workstations and servers where security needs to be improved without reducing functionality or incurring additional support problems...
The focus for Yassp is on SPARC rather than x86 Solaris.

General Improvements (all Tools)

- Update /etc/services with entries for ssh, SecurID, http, SSL, etc. (yassp_b1 does this).
- When downloading scripts, check the signature/hash (for integrity).
- Suggestion from Jean: port the OpenBSD daily/weekly/monthly/security scripts, including mtree.
  Has anyone given this some thought? A port would of course mean a localisation for Solaris. What about "aide"?
- Add /etc/defaultrouter (SECUR does this)
- Add /etc/notrouter (SECUR and yassp_b1 do this)
- Configure sendmail to forward email to a hub and set a root alias:
  If hosts are not supposed to send email outside the subnet, don't configure the mailhost alias. Delete /usr/lib/sendmail if you don't need any kind of email.
  Otherwise edit /etc/mail/aliases (at least point root to a real address), set mailhost in /etc/hosts, and in /etc/mail/sendmail.cf set the following to ensure all outgoing email is channelled over mailhost:
      Dj$w.YOURDOMAIN.COM.
      DSmailhost
      DRmailhost
      DHmailhost
      O FallbackMXhost=mailhost
  (Dj is the host's official name, DS the "smart" relay host, DR the relay for unqualified addresses, DH the hub that receives all local mail; FallbackMXhost is tried when direct delivery fails.)
- Create a manual log of system modifications, /etc/mods.
- Change the root description from "Super-User" to "root MACHINENAME" in /etc/passwd.
- Split syslog into several files and add cron entries to prune them with rotate_log.
  SECUR: allow configuration as a loghost, not just as a syslog client (see Sean's page [1]).
- Sync time via either rdate or (better) ntp.
  Jean says: Sun's NTP sucks, especially if you have a clock connected to your serial port. Installing the xntpd binaries for such a clock is *very* OS/arch dependent, especially if you want to use the kernel loadable STREAMS module which improves the stability of your clock.
  Sean says: well, the one in 2.7 worked fine as a (general NTP) client for me. Bastion hosts need to have very good time sync for accurate logs.
- Tools:
  - Install SSH (SECUR does this; the new Yassp tarball installs a patched SSH that "supports better" SecurID auth). We have to think about RSA, see notes below.
  - Install tripwire (SECUR does this) or an equivalent like mtree. Add a tripwire script for running it remotely via SSH.
  - Add the script wtrim.pl and a cron entry to prune wtmp near year end (see Sean's page [1]).
  - Add a script and cron entry to prune the cron log (see Sean's page [1]).
  - Add a script and cron entry to watch for dead processes (see Sean's page [1]).
- Improve more file permissions:
      chmod 0500 /usr/sbin/snoop /usr/sbin/devinfo
      chmod 000 /bin/rdist
      chmod o-rx /etc/security
      chmod og-rwx /var/adm/vold.log
      chmod u-s /usr/lib/sendmail   # not for mail gateways or multi-user hosts
      chmod 400 /.shosts /etc/sshd_config /etc/ssh_known_hosts
  Note that with /etc/ssh_known_hosts at mode 400 only root can read the system-wide host-key list; that is fine on a bastion host where only root uses the ssh client, but any other user will then be prompted about unknown host keys.
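A re-runnable check for the permission list above, as an added example (not code from Yassp, SECUR or Titan): it derives each file's octal mode from ls -ld, so it needs nothing beyond POSIX sh and awk, and compares it against a "path mode" policy file. The policy-file format and the function names are this example's own convention.

```shell
#!/bin/sh
# Added example for this comparison, not code from Yassp, SECUR or Titan.
# Audits file modes against a "path mode" policy using only ls(1) and awk(1),
# so it runs on POSIX sh without GNU stat(1). The policy-file format and the
# function names are this example's own convention.

# mode_of PATH -> prints the 4-digit octal mode (e.g. 4555, 0500) derived from ls -ld
mode_of() {
    ls -ld "$1" 2>/dev/null | awk '{
        m = substr($1, 2, 9); v = 0; special = 0
        for (i = 1; i <= 9; i++) {
            c = substr(m, i, 1)
            # r/w/x, and s/t (set-id or sticky with the execute bit) count as 1;
            # S/T mean set-id or sticky without execute, so 0 for the execute bit
            bit = (c == "r" || c == "w" || c == "x" || c == "s" || c == "t") ? 1 : 0
            v = v * 2 + bit
            if (i == 3 && (c == "s" || c == "S")) special += 4   # setuid
            if (i == 6 && (c == "s" || c == "S")) special += 2   # setgid
            if (i == 9 && (c == "t" || c == "T")) special += 1   # sticky
        }
        printf "%d%03o\n", special, v
    }'
}

# check_modes POLICYFILE
#   POLICYFILE lines are "path mode" (blank lines and # comments are ignored).
#   Prints one line per deviation and returns 1 if any was found, else 0.
check_modes() {
    bad=0
    while read -r path want; do
        case "$path" in ''|\#*) continue ;; esac
        case "$want" in [0-7][0-7][0-7]) want="0$want" ;; esac   # 500 -> 0500
        if [ ! -e "$path" ]; then
            echo "$path: missing"; bad=1; continue
        fi
        have=`mode_of "$path"`
        if [ "$have" != "$want" ]; then
            echo "$path: expected $want, found $have"; bad=1
        fi
    done < "$1"
    return $bad
}

# Usage: sh check_modes.sh policy.txt
# where policy.txt holds the list from the text, e.g. "/usr/sbin/snoop 0500"
if [ $# -eq 1 ]; then
    check_modes "$1"
fi
```

Run it from cron after a hardening script, or as the "policy check" step Titan offers: the exit status says whether anything drifted, and the output names what. It reports the execute bit under set-id exactly as ls shows it (s vs S), so a policy line must use the full 4-digit form for set-id files.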
- Consider adding logcheck+logtail (Sean has improved versions of these) to report significant log entries daily.
- Consider installing intrusion detection tools: klaxon, tocsin, snort.
- Maybe COPS?
- Perl: I think we need perl, since several scripts need it and it gives much greater flexibility for script writing. (Included in 2.8.)
- More tools: traceroute (included in 2.7), gzip, top, lsof (very OS and arch dependent), tcpd (compiled with logging on), fwtk, wuftpd compiled with anonymous ftp off.
- vfstab disk mounting:
  - To reduce the risk of trojan horses and unauthorised modifications, in /etc/vfstab mount / with options "remount,nosuid", /var with "nosuid" and /tmp with "size=100m,nosuid" (allow /tmp to use only 100MB of swap space and disallow execution of SUID programs).
  - Once all software has been installed and checked, mount /usr and /opt read-only (the "ro" option in /etc/vfstab). This reduces the risk of trojan horses and unauthorised modifications; you will have to remount them read-write (mount -o remount,rw) before installing patches or packages there. Mount other partitions nosuid (SUID programs cannot assume other identities).
  Reboot, then run the mount command to check that the filesystem options are actually in effect.
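An added example (not from any of the tools compared here) that audits an /etc/vfstab against exactly that policy: / gets nosuid, /usr and /opt get ro, every other ufs filesystem gets nosuid, and tmpfs on /tmp gets nosuid plus a size= cap. The two sample vfstab files it can write are constructed for the example, not taken from a real host; on a real machine run audit_vfstab /etc/vfstab.

```shell
#!/bin/sh
# Added example, not part of the original article or of any tool it compares:
# audit an /etc/vfstab against the mount-option policy from the text.
#   /            nosuid (the text suggests "remount,nosuid")
#   /usr, /opt   ro
#   other ufs    nosuid
#   tmpfs /tmp   nosuid and a size= cap on swap use
# vfstab columns: device-to-mount device-to-fsck mount-point fstype fsck-pass
# mount-at-boot options; a lone "-" in the last column means "no options".

# has_opt OPTS NAME -> true if NAME or NAME=... is among the comma-separated OPTS
has_opt() {
    case ",$1," in
        *,"$2",*|*,"$2"=*) return 0 ;;
    esac
    return 1
}

# audit_vfstab FILE -> prints "mountpoint: problem" per violation; returns 1 if any
audit_vfstab() {
    bad=0
    while read -r dev fsckdev mnt fstype pass atboot opts; do
        case "$dev" in ''|\#*) continue ;; esac
        [ "$opts" = "-" ] && opts=""
        case "$fstype" in
            ufs)
                case "$mnt" in
                    /)         has_opt "$opts" nosuid || { echo "$mnt: nosuid missing"; bad=1; } ;;
                    /usr|/opt) has_opt "$opts" ro     || { echo "$mnt: not read-only"; bad=1; } ;;
                    *)         has_opt "$opts" nosuid || { echo "$mnt: nosuid missing"; bad=1; } ;;
                esac ;;
            tmpfs)
                has_opt "$opts" nosuid || { echo "$mnt: nosuid missing"; bad=1; }
                has_opt "$opts" size   || { echo "$mnt: no size= limit"; bad=1; } ;;
        esac
    done < "$1"
    return $bad
}

# Constructed sample vfstab files for trying the audit (not from a real host).
# write_vfstab_default FILE: a stock layout with no options at all.
write_vfstab_default() {
    cat > "$1" <<'EOF'
#device             device              mount   FS     fsck  mount    mount
#to mount           to fsck             point   type   pass  at boot  options
fd                  -                   /dev/fd fd     -     no       -
/proc               -                   /proc   proc   -     no       -
/dev/dsk/c0t0d0s1   -                   -       swap   -     no       -
/dev/dsk/c0t0d0s0   /dev/rdsk/c0t0d0s0  /       ufs    1     no       -
/dev/dsk/c0t0d0s6   /dev/rdsk/c0t0d0s6  /usr    ufs    1     no       -
/dev/dsk/c0t0d0s5   /dev/rdsk/c0t0d0s5  /opt    ufs    2     yes      -
/dev/dsk/c0t0d0s7   /dev/rdsk/c0t0d0s7  /var    ufs    2     yes      -
swap                -                   /tmp    tmpfs  -     yes      -
EOF
}
# write_vfstab_hardened FILE: the same layout with the options from the text.
write_vfstab_hardened() {
    cat > "$1" <<'EOF'
fd                  -                   /dev/fd fd     -     no       -
/proc               -                   /proc   proc   -     no       -
/dev/dsk/c0t0d0s1   -                   -       swap   -     no       -
/dev/dsk/c0t0d0s0   /dev/rdsk/c0t0d0s0  /       ufs    1     no       remount,nosuid
/dev/dsk/c0t0d0s6   /dev/rdsk/c0t0d0s6  /usr    ufs    1     no       ro
/dev/dsk/c0t0d0s5   /dev/rdsk/c0t0d0s5  /opt    ufs    2     yes      ro,nosuid
/dev/dsk/c0t0d0s7   /dev/rdsk/c0t0d0s7  /var    ufs    2     yes      nosuid
swap                -                   /tmp    tmpfs  -     yes      size=100m,nosuid
EOF
}

# Usage: sh audit_vfstab.sh /etc/vfstab
if [ $# -eq 1 ]; then
    audit_vfstab "$1"
fi
```

The audit checks what vfstab asks for, not what the kernel actually did at boot, so the mount(1M) check after the reboot is still needed; a typo in the options column shows up there, not here.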
- Consider adding chroot for DNS, anon ftp, user ftp, apache, and chroot support for syslog...
  Jean says: Has anyone tested DNS/chroot under Solaris? Which version? Does ndc work 100%? For anon ftp, I was using a pkg built on top of wu-ftp compiled with the anon user only, which also includes a script setting up the ~ftp dir correctly (copy/create the right lib/dev/dirs). I saw that 2.8 has a (modified) wuftp but haven't checked what the diff is.
- Consider adding nsyslog (for TCP syslogging, limiting of local connections and greater configuration flexibility)... I've read about it but not used it.
  Q: who has hard-core experience with nsyslog? Can it be recommended?
- Securing CDE: find a way of running CDE locally securely or without RPC (for situations where we really have no choice but to use CDE). RPC is needed for CDE, but not for X11.
- Use Wietse's rpcbind for access control, and maybe for the CDE case above, restricted to localhost via hosts.allow. Even if it is old, does it still work well with the recent Solaris versions? Are any of you using it heavily?
  Jean says: works great on 2.[567], but what about 2.8? The 2.8 IP stack has changed a lot, to support IPsec for example.
- CheckPatches | GetApplyPatch
- Policy checking (Titan has this).
- IPfilter or other packet filters?

JASS (Sun)

Sun has released JASS v0.11, a hardening tool for Solaris. Here, we take it for a test drive.
http://www.sun.com/blueprints/tools
JASS stands for JumpStart Architecture and Security Scripts (Toolkit). The primary goal behind the development of this Toolkit was to simplify and automate the process of securing Solaris systems, through JumpStart or in a standalone mode. It implements the recommendations of Sun's BluePrints OnLine security articles:
http://www.sun.com/blueprints/browsesubject.html#security
First off, checking out the license, we find it's pretty restrictive:
Distribution: Only Sun or an authorized Sun VAR may distribute the Toolkit......
License grant: Sun hereby grants a non-exclusive, non-transferable and royalty free
license to use, reproduce, and modify the Toolkit for the following internal purposes only
(no license is granted for any other purpose):
1. Your internal research use;
2. Your internal evaluation of the Toolkit;
3. Your internal use only, for the purposes of running your business or otherwise.
So it's not very 'free'.
Installation
JASS comes in a small 50k tar file that extracts into the current directory (note that it does NOT create a subdirectory and put all files there). This test involved a simple installation on a brand new Solaris 8 installation.
- Since it was not done from a JumpStart server, uncomment the STANDALONE and ROOT lines at the bottom of ./Drivers/user.init.
- In Sysidcfg/Solaris_8.0/sysidcfg, the following options need to be set appropriately:
      system_locale=en_US
      timezone=US/Eastern
      network_interface=le0 {netmask=255.255.255.0 protocol_ipv6=no}
      terminal=vt100
      security_policy=NONE
      name_service=NONE
      timeserver=localhost
- Now we're ready to run JASS, except that the doc is scarce on how to do this. Browsing through the scripts and testing eventually told me to change to the directory containing the extracted files/directories and then do the following (C shell):
      setenv SI_CONFIG_DIR `pwd`
      sh Drivers/secure.driver
- We're not home and dry yet though: numerous errors popped up, apparently because files are not where they are expected, or are not executable when they should be.
      secure.driver: Driver started.
      secure.driver: Copying personalized files.
      Copying /.cshrc from /opt/install/jass/Files//.cshrc.
      secure.driver: Starting finish script: install-recommended-patches.fin
      Drivers/secure.driver: ERROR: Could not find the 8_Recommended patch cluster
      secure.driver: Starting finish script: set-root-password.fin
      Drivers/secure.driver: ERROR: The system is not booted from mini-root.
      secure.driver: Starting finish script: set-term-type.fin
      Copying //etc/profile to //etc/profile.JASS.20001006144458
      Adding default terminal type (vt100) to login scripts.
      Copying //etc/.login to //etc/.login.JASS.20001006144458
      secure.driver: Driver finished.
      Drivers/hardening.driver Drivers/secure.driver: Drivers/hardening.driver: not found
Disadvantages:
- Documentation: doc in PDF from Sun, which is almost impossible to download (slow: 0.2kb/sec).
- Not free enough.
- Too beta-ish, doesn't work.
- Does not include any security tools (Yassp, by contrast, includes tocsin, ssh, tripwire, etc.).
- Doc could be improved.

YASSP

Jean Chouanard's Yet Another Solaris Security Package [0] is a set of scripts used internally by Xerox that are being offered to the world for free. Jean is trying to make the scripts more general, to make them more useful outside Xerox. The first version appeared in summer 1999 and adheres to the SANS Solaris guide [5], but goes much further. We now have an improved Yassp beta 3 that allows more individual tuning.
Goodies:
- Documentation: free HTML doc available online, which is pretty good.
- Comprehensive, works, tested on bastion hosts.
- Can be backed out (great for testing).
- Package format (if you like packages).
- Includes Casper's fix-modes and Jens's tuning scripts.
- Supports Solaris 2.[567] and the i386 arch (not the tarball). 80% works on Solaris 8.
- /etc/rc.conf and /etc/yassp.conf allow sysadmins to configure what services they do and don't want via these simple files (which look suspiciously like BSD!).
- Beta 3 has significant improvements.
- Jean has now made a tarball available too, which includes the hardening packages plus packages for "GNUgzip GNUrcs SSHsdi WVtcpd PARCdaily". It doesn't allow any more flexibility, just bundles a few binary packages, is only for SPARC Solaris 2.6/7 and is not as well tested.
Disadvantages:
- The tarball does not ask you what you do or don't want to install/harden.
- It installs SSH with Jean's patches for SecurID, rather than SSH1 or OpenSSH. (I would avoid OpenSSH for another few months; testing I did showed up a few niggles.) Jean is worried about the RSA patents if we distribute binaries... but the patent is up in September, do we really need to worry? If yes, we'll need International and USA binaries (linked against RSAREF).
- The GNU stuff is installed in /opt/local. Jean says this is a Sun recommendation... if so, I still prefer /usr/local...
- Doc could be improved.
- The "backout" works, but you lose any changes you made to some system files, since they are replaced rather than edited... unless you check /tmp/SECCLEAN before you next reboot.
- PATH in /etc/default/su: assumes you use /opt/local/{bin,etc,sbin}; I believe most people use /usr/local, like myself.
- Some things cannot be easily customised in the install scripts (like PATH above).
- No SunOS or Linux versions.
- Solaris 7/8: the /usr/lib/utmpd daemon is running by default. Is this necessary?
- Solaris 8: Although Yassp does not officially support Solaris 8, it installed and worked pretty well and is useful.
  - Yassp did not have replacements for /etc/init.d/inetsvc and /etc/init.d/inetinit and so "partially failed" the install.
  - Solaris 8 already has an /etc/ftpusers, so installing the Yassp package gave a warning about replacing this file.
  - One of the tune-up parameters failed with "applying security tweaks..name is non-existent for this module"; I must dig and find which one it is.
  - A file permissions cleanup script for 2.8 is not yet available (although fix-modes seems to support it).
  - "/usr/sadm/lib/wbem/cimomboot start" is running: what on earth is that? (It starts the CIM Object Manager of Solaris WBEM Services, which ships with Solaris 8.)
Suggested Improvements:
- Fix the disadvantages above.
- See General Improvements (all Tools).
- Use /usr/local not /opt/local (or make it configurable).
  Jean says: this is painful as it's prebuilt into the packages. What do the rest of the list think?
- Blocked accounts: Alberto uses /usr/local/bin/noshell, which logs attempts to use these accounts to syslog. Yassp uses /dev/null, since it works on both the x86 and SPARC platforms, whereas noshell would require a binary for each. I would like noshell to be included....
- Why are both yassp.conf and rc.conf needed? Maybe inetd enabling should be in rc.conf, not yassp.conf?
What is the big advantage in having the PKG DB clean? Jean says:
- I want to work the way Sun works, and I am trying to get them to correct their install. Solaris 8 will be much better on that.
- I am not using tripwire on *all* installs, but I am using the pkgDB on all (the poor man's tripwire :-)
- To be able to write a clean dependency check for the install, so that people won't install twice or install without having the right requirements.

SECUR

Alberto has also produced a fine set of hardening scripts [8] based on the SANS guidelines [5]. They are new to me; I've only just spent a few hours going through them.
Be careful how you run it, as it does not stop on errors. Study the README carefully.
The following results are from a Solaris 2.7/SPARC box with an "end user" install bundle.
Goodies:
- Simple tarball, no package format (if you don't like packages). Simple to read and review scripts.
- Includes Casper's fix-modes.
- Can be nicely configured to set up "install types", specifying what "modules" should be run for the different install types. Allows a different default router per network domain.
- Sets defaultrouter, notrouter.
- Bundles SSH1, tripwire, sudo.
- Alberto has tested his script with hundreds of hosts, mostly in DMZs.
- He's willing to improve/adapt SECUR.
Disadvantages:
- Documentation: little doc; what is actually secured is not clearly listed.
- Does NOT stop on errors.
- Requires greater expertise than, say, Yassp.
- Cannot be backed out.
- Not in package format (if you like packages).
- Too much verbose output to the screen (it runs the shell scripts with "-x"). Save the shell session to a file, or you won't realise what happened. (Alberto uses his script mostly with JumpStart, and just checks the detailed log.)
- A log file of changes, errors and history is not written.
- Tries to install patches via NFS.
  - I would consider it better to download via ftp, rather than have RPC running. Even better: install the OS, run SECUR, reboot, then connect to the net, THEN install patches.
  - Alberto uses JumpStart a lot, which uses NFS anyway, so he uses NFS too.
- Doesn't detect if it has already been run. Changes are appended to many files, rather than edited, so there is a risk of double entries.
- Leaves a few /etc/rc2.d startup files that are not needed: K07dmi K07snmpdx S20sysetup S80lp S80spc S85power S88utmpd S99dtlogin.
  Leaves a few /etc/rc3.d startup files that are not needed: S76snmpdx S77dmi.
  - This is only a problem if you install more than the "core" cluster (SUNWCreq); otherwise this stuff is not installed.
- It assumes loghost is set in DNS.
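The double-entry problem above (and the "manual log of system modifications" idea from the General Improvements list) is what an idempotent edit helper avoids. The following is an added example, not SECUR's or Yassp's code: the function name set_kv and the "KEY=VALUE" file format are assumptions for the example, and the log path is a parameter rather than a fixed /etc/mods so it can be tried as an unprivileged user.

```shell
#!/bin/sh
# Added example, not SECUR's or Yassp's code: an idempotent "set KEY=VALUE in a
# config file" helper of the kind a hardening script needs so that re-running it
# edits the existing line instead of appending a second copy, and so that every
# change is recorded in a modification log (the /etc/mods idea from the General
# Improvements list). The log path is a parameter rather than /etc/mods so the
# example can be tried as an unprivileged user.

# set_kv FILE KEY VALUE LOG
#   - a line "KEY=..." (possibly commented out as "#KEY=...") is rewritten in place
#   - otherwise "KEY=VALUE" is appended
#   - if FILE already says exactly KEY=VALUE nothing is touched and nothing logged
#   Prints unchanged / edited / appended so a caller can act on the outcome.
#   KEY and VALUE are used inside a sed expression; values containing | or &
#   would need escaping first.
set_kv() {
    file=$1 key=$2 val=$3 log=$4
    [ -f "$file" ] || : > "$file"
    if grep -Fx "$key=$val" "$file" >/dev/null; then
        echo unchanged
        return 0
    fi
    if grep "^#*$key=" "$file" >/dev/null; then
        tmp="$file.tmp.$$"
        sed "s|^#*$key=.*|$key=$val|" "$file" > "$tmp"
        # cp rather than mv: the original inode keeps its owner and mode
        cp "$tmp" "$file" && rm -f "$tmp"
        action=edited
    else
        echo "$key=$val" >> "$file"
        action=appended
    fi
    echo "`date '+%Y-%m-%d %H:%M'` $file: $action $key=$val" >> "$log"
    echo $action
}

# Usage, e.g. for the /etc/default/su PATH complaint in the Yassp section:
#   set_kv /etc/default/su SUPATH /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin /etc/mods
# Running the same call twice prints "appended" (or "edited") and then
# "unchanged"; the file ends up with exactly one SUPATH= line either way.
```

Because the result is one of three words, a driver script can count edits, and a re-run on an already hardened host produces an all-"unchanged" run and an untouched log, which is the property SECUR's append-only edits lack.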
Suggested Improvements:
I like the interaction/automation and structure, but there is room for improvement.
- Fix the disadvantages above.
- tee output to a log file at least? Don't delete 'runtmp'?
- Add "-t" to the inetd command line, just in case it is used.
- Create a menu script to configure parameters, show the available configs and allow the user to select the appropriate one?
- Check command line arguments (I gave "." for the directory and it could find almost none of the files to be installed; I re-ran it with an absolute path and it ran fine).
- See General Improvements (all Tools).
- Consider using the more detailed SSH config files from [9] and keeping the SSH config files in /etc, rather than /usr/local/etc.
Questions:
- Why not use /dev/null instead of /usr/local/bin/noshell for blocked accounts?
  Reply: Actually I like "noshell" because it writes, via syslog, the failed attempts to log in using that account.

Titan

Titan v3.2.2 [2] has some interesting concepts that appeal immediately.... it was tested on a SPARC4 with a virgin "End User Bundle" running Solaris 2.7.
Goodies:
- Simple tarball, easy installation.
- Modular structure (all modules are written in Bourne shell).
- Can be nicely configured to set up "install types", specifying what "modules" should be run for the different install types (three examples are defined: firewall, desktop, server).
- Solaris 2.6, 2.7, SunOS 4.??
- Documentation:
  - Pretty good HTML doc.
  - ./Titan -I does nothing, but prints the function of each module to standard out.
- Creates detailed log files.
- There is a (limited) backout available, for most modules except permission changes.
- Policy checking/auditing: Titan can be used to check that a system is the way it should be.
- Includes fix-modes, but also two other permissions modules, ziplock.sh and file-own.sh.
- Allows different default router per network domain?
- Sets defaultrouter, notrouter?
Disadvantages:
- Does not bundle any tools such as SSH1, tripwire, sudo.
- Hardening is not severe enough for bastion hosts; Titan seems to concentrate on what one would expect for workstations and servers.
  The "sample.Firewall" setup was tested and the following services were still running: routed, devfseventd, devfsadmd, rpc, nfs, keyserv, lockd, powerd, snmp, dtlogin, dmispd. inetd is still pretty open.
- Does not clean the package database?
- There is no backout available for permission changes.
- Requires greater expertise than, say, Yassp.
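Both SECUR's leftover rc2.d/rc3.d files and the daemons Titan's firewall profile leaves running come down to start scripts that a hardening script should disable, and ideally disable reversibly, since neither tool can back out everything. This added example (not code from Titan, SECUR or Yassp) audits an rc directory against an allow-list, disables entries by renaming them out of the S*/K* names that /sbin/rcN actually runs, and records each rename so it can be backed out. The .NO prefix, the allow-list format and the function names are this example's own conventions, and on a real host the allow-list has to name every script the machine needs; the sample directory in the usage note is constructed from SECUR's rc2.d list above.

```shell
#!/bin/sh
# Added example, not code from Titan, SECUR or Yassp: audit an /etc/rcN.d
# directory against an allow-list and disable unwanted start/kill scripts
# reversibly. /sbin/rcN only runs entries whose names begin with S or K, so
# renaming S80lp to .NOS80lp stops it without deleting anything. The .NO
# prefix, the allow-list format and the function names are this example's
# own conventions.

# rc_audit DIR ALLOWFILE -> prints every S*/K* entry in DIR not listed in ALLOWFILE
rc_audit() {
    for f in "$1"/[SK]*; do
        [ -e "$f" ] || continue          # no match: the glob is returned literally
        name=`basename "$f"`
        grep -Fx "$name" "$2" >/dev/null || echo "$name"
    done
}

# rc_disable DIR NAME LOG -> rename DIR/NAME to DIR/.NONAME and record it in LOG
rc_disable() {
    [ -e "$1/$2" ] || return 1
    mv "$1/$2" "$1/.NO$2" && echo "$1/$2 $1/.NO$2" >> "$3"
}

# rc_backout LOG -> undo every rename recorded in LOG, newest first, then clear LOG
rc_backout() {
    [ -f "$1" ] || return 0
    sed '1!G;h;$!d' "$1" | while read -r from to; do   # the sed one-liner reverses the lines
        if [ -e "$to" ]; then
            mv "$to" "$from"
        fi
    done
    : > "$1"
}

# Usage on a real host (as root), e.g. for the SECUR rc2.d leftovers listed above:
#   printf 'S69inet\nS72inetsvc\n' > /etc/rc2.d.allow     # everything the host needs
#   for s in `rc_audit /etc/rc2.d /etc/rc2.d.allow`; do
#       rc_disable /etc/rc2.d "$s" /var/adm/rc-disabled.log
#   done
#   rc_backout /var/adm/rc-disabled.log      # puts every script back
```

Renaming rather than deleting keeps the script's contents and package ownership intact, which is also why pkgchk will still find the file; the log is what gives the backout, so keep it where a later /etc/mods-style record would live.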

Bastille (for Linux)

I had a quick install of RedHat 6.1 on SPARC and used the Bastille script [7] to harden it. It was interesting, because it's exactly what we want to do on Solaris.
It has the advantage of being a tarball + interactive script + logging of actions, errors and options taken, but it is a bit difficult to automate, and I don't think it can be undone. It's written in Perl, which is nice.
It has some interesting features like chrooting DNS, setting up user accounts, logging, email, etc.

Sean's Guidelines

I published a set of Guidelines as part of an article for SecurityPortal [1]. Although I don't provide automated install scripts, it is a step-by-step approach and provides quite a few scripts and example config files. The approach is also a bit more global than just OS hardening.
I will update these Guidelines to include Yassp, and feel they are complementary to both Jean's and Alberto's work.

Chris's harden script

Chris Calabrese also wrote a hardening script [10], originally for UnixWare. He says:
  It is nicely flexible, allowing you to do several stock configs plus customizations at package install time. On the other hand, it's fairly out of date, covers mostly stuff covered by other scripts, is not very modular, and Solaris support isn't its strong suit (the original package was for UnixWare).
  Hopefully this process will produce something much better and make it a non-issue, but until then it's probably worth looking at.
I'll do my best to look at it after Titan (or maybe someone on the list can do it and send a summary to include here??)

References

[0] Jean Chouanard's YASSP: www.yassp.org
[1] Sean's Hardening Solaris Guidelines: the original 'manual' version, and the new version integrating YASSP.
[2] The Titan Project
[3] TCP tuning under Solaris, by Jens-S. Vöckler
[4] Casper Dik's fix-modes
[5] "Solaris Security Step by Step", by Hal Pomeranz and 27 other professionals, is available in paper or PDF form from SANS. You have to pay for it... but it's a good investment.
[6] The email discussion list has the address secure-sol@parc.xerox.com. To register, send e-mail to secure-sol-request@parc.xerox.com with 'subscribe' in the Subject line or in the message body.
[7] www.bastille-linux.org
[8] Alberto Begliomini's SECUR: ftp.coldstone.com/secur
[9] "All about SSH, part I/II" on SecurityPortal.
[10] Chris Calabrese's harden script: ftp.freebird.org/unixware/freebird/internet/systools/harden

Changes to this document

28 Feb '00: First publication.
28 Feb '00, evening: Added Chris's harden script.
01 Mar '00: Added Titan and feedback from Alberto in the SECUR section, created the new General Improvements section. Updated Summary.
03 Mar '00: Added feedback from Jean, plus minor fixes.
20 Mar '00: Updated after testing Yassp beta 1.
13 Apr '00: Updated after testing Yassp beta 3 on Solaris 7/8 SPARC. Removed the resources section.

Seán Boran, last update: 24 November 2000