Interview with Jean Chouanard

By Sean Boran (sean at boran.com)
www.boran.com/security/sp/interview_chouanard.html 


August 21, 2000 - Jean Chouanard (chouanard@parc.xerox.com) is the main developer behind the Solaris hardening tool known as YASSP (Yet Another Solaris Security Package).

The YASSP home page is http://yassp.parc.xerox.com/. YASSP is in late beta and should reach release status by the end of August.


Personal

Tell us a bit about yourself: who you are, where you come from, and how you got into Solaris system administration and hardening.
I was born in Grenoble, France and moved to the US four years ago, spending two years in up-state New York and two years in California (working for Xerox). Originally a SW engineer, I moved to sysadmin by mistake and moved quickly on to Network architectures and security. Now I concentrate on net infrastructure (networks, routing, mail, dns and other network services), but I still love to debug code!


Who have been your major influences?
Lots or people within Xerox and especially within PARC, where there are real Internet veterans who have been there from the early days.


What is your favourite pastime? Your favourite music? Your loves & hates?
French cooking is my favourite pastime -- and my kids always find a way to keep me busy! I like 60's music, Classical, or South American (Latin). I love systems I can understand, and smart people. My hate list is too long, and we don't want to mention names!


YASSP

How about a one line summary of yassp, for those who don't know about it?
A tool to help you to secure Solaris.


Who is the target audience for YASSP?
We are aiming to cater for both the skilled and novice System Administrator.


What is the difference between YASSP and other hardening tools?
It is in package format and allows clean de-installation.


Why YASSP? Are there no other tools?
There was none at the beginning when YASSP was created internally in Xerox. It doesn't hurt to have several tools. YASSP also has a focus on bastion hosts on Internet servers. Other tools (e.g. Titan) concentrate on multi-user servers with many services.


What is Xerox's involvement?
I work for Xerox, and YASSP was originally created for Xerox internally.


When do you expect the first stable release to be available?
Within the next month.


What were the major difficulties in this project? E.g. resources, motivation, conflicts with other projects/Xerox work?
Time for testing (for multiple OS versions, hardwares, each time from scratch) and resources (finding Hardware and software tools like the SUNpro compiler).


What tips would you give to others planning to start or work on an OpenSource project?
Look at license issues in an early phase -- i.e. define and agree on the License early on.


Is YASSP modeled after any other similar efforts for other operating systems?
No, but of course similar tools exist, but different methods.


In general, how does a YASSP-hardened Solaris system benchmark against other operating systems related to security, such as AIX, OpenBSD, etc.?
I don't know precisely, but Solaris is not just chosen for performance, etc., but for other reasons, such as a particular application runs on Solaris, or because an organization standardizes on Sun. So Solaris is there, like it or not, and needs to be secured.


Given that Solaris is used in mission-critical situations, how does one maximize the benefit in applying YASSP to very specific applications, such as an e-commerce site, FTP server, corporate email system, database server?
We need to differentiate between general applications (ftp, email, web servers, etc.) which YASSP is easy to apply to, and specialized servers (database, e-commerce, in-house developments, etc.) where it is more difficult; the additional complexity means more tuning is required and a detailed understanding is needed of how the applications behave, what protocols and OS functions are used, etc.


Have you inquired if Sun will include it on their companion CD (i.e. the CD with free tools like emacs, vim, ghostscript and so forth), or inquired if Sun will ship YASSP with the distribution itself?
No official talks with Sun have take place yet, but it is planned to c-operate with Sun, where possible.


In fact, has Sun helped you at all in this project?
Some individuals working for Sun have helped, but there has been no official support, but we haven't officially asked for help, yet.


With OpenSSH for Solaris available, do you have any plans for an automated script to download OpenSSL, build and install it, and then download, build and install OpenSSH? Or to include OpenSSH?
SSH based on ssh1 is already included in YASSP. However, an OpenSSH package is now ready for testing. It was difficult getting OpenSSL libraries compiled for all platforms which are used by OpenSSH. The libraries are often optimized for different architectures, for performance. This optimization has to be switched off so that the package would run on various architectures. The penalty will be a reduction in performance. Only the OpenSSL libraries, not the entire distribution, is bundled in the OpenSSH package. The RSA license warning is also included, although it expires in September.


In the YASSP daily script, have you considered adding tripwire-like functionality?
Yes, but the daily script is mainly an example for the system administrator to customize, not a core functionality. I wanted to show administrators how to use RCS, for example, to manage changes to configuration files in a Firewall-1.


Any plans to add recommendations for stuff like downloading and installing the lite version of Sunscreen, which is quite useful for local port filtering (firewalling) on a workstation/server to give it that extra bit of protection?
Yes, this is referred to in the post-installation documentation.


What do you think about Sun's love of RPC-based services and the security implications? Also their default configuration of inetd.conf which leaves things like echo and chargen on, aren't these services rather archaic and dangerous?
I think it's historical and when these configuration files/protocols were originally written, security wasn't a problem. The question is why Sun hasn't tightened the default configuration in recent versions. The answer is either laziness or because they don't want to change something that customers do not ask for. So complain to Sun! If enough customers voice their concerns, the default security in Solaris may well improve.


Finally

How do see YASSP evolving?
There is still work to do. One idea is a "post-configuration management tool," which allows the system administrator to detect differences between the YASSP configuration and the current OS configuration, i.e. check for changes to startup scripts or new scripts added. Another idea is creating an easy-to-understand summary of the YASSP configuration, to make YASSP more accessible to novice administrators. Both of these are planned for next month.

We need feedback from end users; we also need thorough testing of YASSP on the different Solaris versions (2.6, 2.7, 2.8), 32-bit and 64-bit, SPARC (the various sun4* architectures) and Intel.


How do you see Sun/UNIX/Linux security evolving? Where do you think that the effort needs to be concentrated in the future?
1. Vendors need to make security a default option; a minimum level must be easily achieved.

2. Encryption, but there are legal problems (export restrictions, etc).


A final word to our readers?
Thanks to the people who have helped with YASSP and please don't hesitate to send some feedback.

 

Thanks for your time Jean, and thanks for your contribution to Solaris Security.


© Copyright 2000, SecurityPortal Inc. & Sean.Boran, All Rights Reserved, Last Update: 19 avril, 2002