YASSP

Post installation steps (Updated for beta#12)


Overview

After completing the SECclean installation, there are further configuration steps that may be necessary. Your choices will depend upon the applications installed, the type of usage, the hostility of the network environment, and other site specific criteria. These steps are outlined below.

References and further reading
Changes to this document


Yassp configuration

After installing Yassp, it may be necessary to change the configuration to allow specific services disabled by yassp. Typically nothing needs to be enabled for bastion hosts. The configuration file /etc/yassp.conf is well commented, easy to understand and documented in the man pages yassp.conf(4) and yassp(1).

In the next sections we run through additional configuration, not directly covered by Yassp.


Mounting file systems restrictively in /etc/vfstab

Several options can be set to improve the security and robustness of filesystems when they are mounted. After changing /etc/vfstab, run the mount command to check that the filesystem options are actually in effect.

Mount option: nosuid
  OS: 2.x
  Description: Disables SUID programs, but also disables devices!
  When to use it: /var, /home or data disks where no SUID programs or devices (and hence no chroot environments) are used. /tmp won't work either, unless it is on disk.

Mount option: logging
  OS: 2.7 or later
  Description: Keeps a transaction log within the mounted partition. The advantage is an almost instantaneous filesystem check, which can otherwise take a considerable while with larger hard disks, e.g. 18 GB. The disadvantage is the additional time spent writing the transaction log.
  When to use it: /usr, /opt, /home. Recommended for all file systems except root (if Veritas VxVM is used) or partitions where lots of file accesses are expected.

Mount option: noatime
  OS: 2.7 or later
  Description: Allows mounting file systems without updating inodes at each access to any file. This will significantly speed up services like web caches or news servers, which do a lot of file IO with small files.
  When to use it: /var or any partition where lots of file accesses are expected (web cache or news partitions).

Mount option: size=100m
  OS: 2.5.1 or later
  Description: Allows /tmp to use only 100MB of swap space. The value could be set to, say, 30% of swap space.
  When to use it: /tmp

Mount option: ro
  OS: 2.x
  Description: Read-only. Mounting filesystems read-only provides only limited protection against Trojans/attackers (if they get root, they can remount read-write), but it saves time fsck'ing when shutting down, can improve performance (access times don't need to be updated) and can prevent the sysadmin from making mistakes or help detect them (accidentally deleting files etc.).
  When to use it: Mounting read-only is a major argument for maintaining separate file systems for /usr or /opt.

Note that to mount /usr read-only, /usr/local often needs to be on a different partition.

Be very careful when editing vfstab, e.g. an error on the / or /usr lines can render the system unbootable! (If this happens, boot from cdrom in single user mode, mount the problem disk, correct vfstab and reboot). Some examples of vfstab entries are:

A simple server with only a root and /var partition, running Solaris 2.8:

fd                -                  /dev/fd fd - no -
/proc             -                  /proc proc - no -
/dev/dsk/c0t3d0s1 -                  -    swap  - no  logging
/dev/dsk/c0t3d0s0 /dev/rdsk/c0t3d0s0 /    ufs   1 no  logging
/dev/dsk/c0t3d0s7 /dev/rdsk/c0t3d0s7 /var ufs   1 no  logging,nosuid,noatime
swap              -                  /tmp tmpfs - yes size=100m

and on a larger server:

fd                -                  /dev/fd fd - no -
/proc             -                  /proc proc - no -
swap              -                  /tmp tmpfs - yes size=200M 
/dev/dsk/c0t8d0s0 /dev/rdsk/c0t8d0s0 /    ufs   1 no  logging
/dev/dsk/c0t8d0s1 -                  -    swap  - no  -
/dev/dsk/c0t8d0s4 /dev/rdsk/c0t8d0s4 /usr ufs   1 no  logging
/dev/dsk/c0t8d0s6 /dev/rdsk/c0t8d0s6 /var ufs   1 no  nosuid,noatime,logging
/dev/dsk/c0t8d0s5 /dev/rdsk/c0t8d0s5 /opt ufs   2 yes logging
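As an added example (not from Yassp or the original page), here is a small shell script that audits vfstab-format entries for the options discussed in the table above; it assumes a POSIX shell and awk, and its sample vfstab is constructed for the demonstration, not taken from a real host. On a real host, feed it /etc/vfstab on stdin and then compare the result with the output of mount.

```shell
#!/bin/sh
# Added example (not part of Yassp): audit vfstab entries for the hardening
# mount options discussed above. Assumes a POSIX shell and awk; the sample
# vfstab below is constructed for the demonstration, not a real host's file.

SAMPLE_VFSTAB='fd                -                  /dev/fd fd - no -
/proc             -                  /proc proc - no -
/dev/dsk/c0t3d0s1 -                  -    swap  - no  -
/dev/dsk/c0t3d0s0 /dev/rdsk/c0t3d0s0 /    ufs   1 no  logging
/dev/dsk/c0t3d0s7 /dev/rdsk/c0t3d0s7 /var ufs   1 no  logging
swap              -                  /tmp tmpfs - yes -'

# check_vfstab: reads vfstab-format lines on stdin and prints one finding
# per line; exit status is always 0 so it can sit in a pipeline.
check_vfstab() {
    awk '
    # has(opts, name): 1 if the comma-separated option list contains name
    function has(opts, name,    n, i, a) {
        n = split(opts, a, ",")
        for (i = 1; i <= n; i++) if (a[i] == name) return 1
        return 0
    }
    /^[ \t]*#/ || NF < 7 { next }          # skip comments and short lines
    {
        mnt = $3; type = $4; opts = $7
        # logging: fast fsck after a crash (Solaris 2.7 or later)
        if (type == "ufs" && !has(opts, "logging"))
            print mnt ": ufs mounted without logging"
        # nosuid: /var and /home should not need SUID binaries
        if ((mnt == "/var" || mnt == "/home") && !has(opts, "nosuid"))
            print mnt ": mounted without nosuid"
        # noatime: /var does lots of small-file IO
        if (mnt == "/var" && !has(opts, "noatime"))
            print mnt ": mounted without noatime"
        # size=: cap the swap that a tmpfs /tmp can consume
        if (type == "tmpfs" && opts !~ /(^|,)size=/)
            print mnt ": tmpfs without a size= limit"
    }'
}

# Stand-alone run against the constructed sample; on a real host use:
#   check_vfstab < /etc/vfstab
printf '%s\n' "$SAMPLE_VFSTAB" | check_vfstab
```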

RPC

RPC is a major security problem due to its lack of authentication and encryption and its use of dynamic ports. Normally RPC should not be run on bastion or other sensitive hosts. However, some programs insist on having RPC, e.g. CDE, OpenWindows, Disksuite and Legato Networker. If at all possible, avoid RPC (for example, the author prefers manual mirroring with a cpio script for warm standbys, rather than Disksuite). If RPC really is necessary, then....


General configuration


Logging

Syslog logging: Yassp uses a modified syslog configuration /etc/syslog.conf which enables more logging than the default and splits up services into separate logfiles (in /var/log).

Yassp has disabled the Solaris log pruning & other lines in the root cron. It added an entry to run the "daily" script, which you may wish to examine. This script prunes and compresses the logs listed in the LOGS variable (and moves them to /var/oldlogs), and uses rcs to backup configuration files in the BACKUPF variable to /var/backups. The default settings for these variables are:

BACKUPF="/etc/passwd /etc/shadow /etc/group /etc/yassp.conf /var/sadm/install/contents"
LOGS="/var/log/authlog /var/log/sshlog /var/adm/messages /var/adm/named /var/log/kernlog /var/log/userlog /var/log/maillog /var/log/daemonlog /var/log/lprlog /var/log/newslog /var/log/cronlog /var/log/local0log /var/log/local2log /var/log/local5log /var/log/alertlog"

Tweaks to consider:


Integrity checking (tripwire)

It is desirable to regularly check the integrity of files on the system, to be assured that they have not been maliciously modified. Solaris provides "pkgchk -n" which checks the package databases against the size, permissions and checksums of actually installed files. This is useful and recommended; however, checksums can be fooled and the package database can itself be manipulated, so it is no protection against the clever attacker (or the script kiddie with a clever rootkit). What is required is a file integrity checker that uses secure hashing algorithms.

This is why the Yassp tarball installs tripwire in /secure/tripwire. Tripwire uses several secure hashing algorithms (and in its commercial form, provides cryptographic signing of its database).

At this stage of the installation, it is recommended to take a snapshot of the files on the newly configured system, i.e. initialise tripwire's database and then run regular checks to monitor for changes. If possible, keep the master database on another machine, offline or on write-once media.
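As an added illustration of the snapshot-then-check cycle (this is not Tripwire and not part of Yassp), here is a minimal hash-based integrity checker in shell; it assumes sha256sum(1) and a POSIX shell, and the file tree it checks is constructed under a temporary directory for the demonstration.

```shell
#!/bin/sh
# Added example: a minimal hash-based integrity baseline, to illustrate the
# snapshot-then-check cycle described above. This is not Tripwire and not
# part of Yassp; it assumes sha256sum(1) and a POSIX shell, and the sample
# tree it builds under mktemp is constructed for the demonstration.
# (Real Tripwire also records owner, mode, size, inode and mtime, and
# handles file names with spaces; this script keys on "hash path" only.)

# snapshot DIR: print "sha256 path" for every regular file under DIR
snapshot() {
    find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
        printf '%s %s\n' "$(sha256sum "$f" | cut -d' ' -f1)" "$f"
    done
}

# integrity_check BASELINE DIR: compare a fresh snapshot of DIR with the
# BASELINE file written earlier by snapshot; prints ADDED/CHANGED/REMOVED
integrity_check() {
    snapshot "$2" | awk -v base="$1" '
        BEGIN { while ((getline line < base) > 0) { split(line, a, " "); old[a[2]] = a[1] } }
        !($2 in old)      { print "ADDED   " $2; next }
        old[$2] != $1     { print "CHANGED " $2 }
        { delete old[$2] }
        END { for (f in old) print "REMOVED " f }'
}

# demo: build a constructed tree, take the baseline, alter the tree, check it
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/etc" "$d/bin"
    printf 'root:x:0:0:Super-User:/:/sbin/sh\n' > "$d/etc/passwd"
    printf '#!/bin/sh\necho ok\n' > "$d/bin/tool"
    snapshot "$d" > "$d.baseline"     # keep the real baseline offline or read-only
    printf 'extra:x:101:1::/:/sbin/sh\n' >> "$d/etc/passwd"   # a changed file
    printf 'x\n' > "$d/bin/newfile"                          # an added file
    rm "$d/bin/tool"                                         # a removed file
    integrity_check "$d.baseline" "$d"
    rm -rf "$d" "$d.baseline"
}

demo
```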

What options do we have for integrity checking?

An example using the free Tripwire Version 1.2 (bundled with Yassp):


Final Note

If you've followed our suggestions up to now, you now have a system that is quite resistant to attack. To maintain this security, caution is needed:


References and further reading

[1] Patches:
      Sun sunsolve.sun.com sunsolve.sun.ch
      Patchdiag: sunsolve.sun.ch/private-cgi/show.pl?target=resources/tools
      Patch XREF file: sunsolve.sun.ch/private-cgi/show.pl?target=patches/patch-access
      SecurityFocus Vulnerability calculator SecurityFocus.com/focus/sun/form.html
      Reg Quinton/Bruce Barnett's CheckPatches and GetApplyPatch scripts
      Casper Dik's FastPatch, Joe Shambin's Patchreport.

[2] Further reading on Hardening:

YASSP

Hardening Solaris (based on Yassp beta12)
http://www.securityportal.com/topnews/solaris_hardening20000523.html
This article presents a concise step-by-step approach to securely installing Solaris for use in a firewall DMZ or other sensitive environment, using the Yassp tool - beta11. For Solaris 8, the Sunscreen EFS lite firewall is also presented.

Interview with Jean Chouanard
http://securityportal.com/cover/coverstory20000821.html

Titan

The Titan project
http://www.fish.com/titan/
http://www.fish.com/titan/TITAN_documentation.html
Titan is a collection of programs, each of which either fixes or tightens one or more potential security problems with a particular aspect in the setup or configuration of a Unix system. Conceived and created by Brad Powell, it was written in Bourne shell, and its simple modular design makes it trivial for anyone who can write a shell script or program to add to it, as well completely understand the internal workings of the system.

Hardening Solaris - Compass Security Draft 0.82, by Ivan Butler 
http://www.csnc.ch/download/sources/Hardening-Solaris V0.82.pdf  
This PDF document provides a step by step tutorial to creating a Solaris system resistant to various methods of attack, based on the Titan scripts.

Sun

Sun's hardening tool, Jass
http://www.sun.com/blueprints/tools
Jass has a restrictive license and is still in beta. It was tested a few weeks back in 'Tip of the Week' and didn't seem ready for prime time.

Sun's hardening documentation:

More Hardening Papers

SecurityFocus, list of Sun relevant articles
http://www.securityfocus.com/focus/sun/menu.html?fm=0&action=unfold

Lance Spitzner's white papers
http://ww.enteract.com/~lspitz/papers.html
These papers are useful and referenced by many people. Worth a read.

Securing Solaris Servers - A Checklist Approach, by Paul D. J. Vandenberg and Susan D. Wyess
http://www.usenix.org/sage/sysadmins/solaris/index.html#host

This material is excerpted from an internal U.S. Government document on web security, which the authors played leading roles in preparing. This material has been officially reviewed, and the authors have been granted permission to use this material in a non-official publication.

Hardening Solaris (pre Yassp), by Seán Boran
http://www.securityportal.com/coverstory19991025.html
This article presents a step-by-step approach to securely installing Solaris for use in a firewall DMZ. It's a bit old now and not as comprehensive as it should be, but it is useful for those who wish to 'manually harden' their system.

tcp tuning under solaris, by Jens-S. Vöckler
http://www.rvs.uni-hannover.de/people/voeckler/tune/EN/tune.html

Security: How to Documents, Information Systems and Technology, University of Waterloo
http://ist.uwaterloo.ca/security/howto/

Wietse Venema's tools and papers (tcp wrapper, rpcbind/portmapper, postfix, Satan, ....)
ftp://ftp.porcupine.org/pub/security/index.html

Solaris Security Guide, Sabernet
http://www.sabernet.net/papers/Solaris.html

Solaris Security Step by Step, from SANS
http://www.sans.org
This is available in paper or PDF form and is quite useful, but it's not free.

Sunworld

Softpanorama University Pages: Solaris Hardening and Security
http://www.softpanorama.org/Security/sos.shtml
This site is an index to many Solaris security papers and tools

Securiteam: Hardening Solaris SPARC/x86 security for Firewall usage - a step by step guide
http://www.securiteam.com/unixfocus/Hardening_Solaris_SPARC_x86_security_for_Firewall_usage_-_a_step_by_step_guide.html

More hardening Tools

New Approaches to Making Solaris More Secure, by Rich Teer (including hardening scripts)
http://www.sysadminmag.com/supplement/web_feature1.shtml

Securing Solaris, by Ido Dubrawsky
http://www.sysadminmag.com/supplement/913secsol.shtml

Casper Dik's fixmode (improves Solaris file permissions)
ftp.wins.uva.nl:/pub/solaris

Chris Calabrese's Harden script
ftp://ftp.freebird.org/unixware/freebird/internet/systools/harden  

Alberto Begliomini's SECUR
ftp://ftp.coldstone.com/secur

[3] Tripwire links:
      Free version V1.2  (last updated in 1994).
      Commercial Version  (starts at $495.-/server) also runs on NT.
      SecurityPortal article using Tripwire for Linux (useful examples)
      Sunworld article on tripwire.
      Sean's script for running tripwire: trip_host.sh , trip_all
      AIDE, a GPL file integrity checker

[4] General Application Hardening: LINKS TO BE DEFINED
[5] Email/sendmail links:
      SMAP & FWTK (Firewall Toolkit), Sendmail, Postfix,
      Qmail, Life with qmail
      Anti-Virus Mail Scanner for Sendmail amavis.org
      Scan4Virus- Virus Scan Wrapper for Qmail

[6] IPfilter
     IP Filter Based Firewalls HOWTO
     Firewalling with IPF
     Introduction to IP Filter
     Introduction to IP Filter Part 2

[7] Routing
      Sun's Routing Support Document/FAQ is an old, but comprehensive overview of routing, how it works in Solaris and how to configure/debug routing.

[8] Disabling SUID files:

Solaris 7 Setuid/Setgid Files Information Systems and Technology University of Waterloo
[Reg Quinton's documentation on Solaris 7 SUID files and associated scripts].
http://ist.uwaterloo.ca/security/howto/1999-04-21.html
Solaris 2.6: http://ist.uwaterloo.ca/security/howto/2000-08-22.html
Solaris 8: http://ist.uwaterloo.ca/security/howto/2000-08-17.html

Titan's ziplock module
http://www.titan.org

Example listing of SUID/SGID files on a Solaris 7 system:
http://www.boran.com/security/sp/solaris/suid_sol7.txt
Example listing of SUID/SGID files on a Solaris 8 system:
http://www.boran.com/security/sp/solaris/suid_sol8.txt


Changes to this document

10.Jul'00 sb Draft#1
22.Jul'00 sb Spelling & grammar. Fix link.
31.Jul'00 sb Serial port break, minor fixes, new logging & tripwire sections, improve vfstab.
1.Aug'00 sb Update 2: NTP, routing, rpc, tripwire, spelling/grammar. (Thanks to Reg, Richard, Doug for feedback)
            New: logging/"daily"
3.Aug'00 sb Update 3: Lots of little corrections after feedback from Jean, Reg, Doug, Sweth, Warren,..
            New: Add References section, ToDo, Add note on umask in Yassp config section.
11.Aug'00 sb Update 4: routing, inetd, email server, rpc logging, tripwire, Email server, patches, IPF links. New: ROOTALLOWED, smrsh/qmail/postfix refs, refs to Sun Security docs, Final Note (Feedback from Jean, Doug, Paolo, Alex, Laurie).
18.Aug'00 sb New: SUID files. Update: add "ro" to vfstab options.
23.Oct'00 sb Update: [2] Further reading on Hardening
15.Nov'00 sb Freshen for beta#12


Seán Boran SecurityPortal