After completing the SECclean installation, there are further configuration steps that may be necessary. Your choices will depend upon the applications installed, the type of usage, the hostility of the network environment, and other site-specific criteria. These steps are outlined below.
After installing Yassp, it may be necessary to change the configuration to re-enable specific services that Yassp disabled. Typically nothing needs to be enabled for bastion hosts. The configuration file /etc/yassp.conf is well commented, easy to understand and documented in the man pages yassp.conf(4) and yassp(1).
In the next sections we run through additional configuration not directly covered by Yassp.
Several options can be set to improve the security and robustness of filesystems when they are mounted. After mounting, run the mount command to check that the filesystem options are actually in effect.
Mount option | OS | Description | When to use it |
nosuid | 2.x | Disables SUID programs, but also disables devices! | /var, /home or data disks where no SUID programs or devices (and hence no chroot environments) are used. /tmp won't work either, unless it is on disk. |
logging | 2.7 or later | Keeps a transaction log within the mounted partition. The advantage is an almost instantaneous filesystem check, which may otherwise take a considerable while with larger hard disks, e.g. 18 GB. The disadvantage is the additional time spent writing the transaction log. | /usr, /opt, /home. Recommended for all file systems except root (if Veritas VxVM is used) or where lots of file accesses are expected. |
noatime | 2.7 or later | Allows mounting file systems without updating inodes at each access to any file. This will significantly speed up services like web caches or news servers, which do a lot of file I/O with small files. | /var or any partition where lots of file accesses are expected (web cache or news partitions). |
size=100m | 2.5.1 or later | Allows /tmp to use only 100 MB of swap space. The value could be set to, say, 30% of swap space. | /tmp |
ro | 2.x | Read-only. Mounting filesystems read-only provides only limited protection against Trojans/attackers (if they get root, they can remount read-write), but it saves time fsck'ing when shutting down, can improve performance (access times don't need to be updated) and can prevent the sysadmin from making mistakes or help detect mistakes (accidentally deleting files etc.). | /usr or /opt: mounting read-only is a major argument for maintaining separate file systems for /usr or /opt. Note that to mount /usr read-only, /usr/local often needs to be on a different partition. |
Be very careful when editing vfstab: an error on the / or /usr lines can render the system unbootable! (If this happens, boot from CD-ROM in single-user mode, mount the problem disk, correct vfstab and reboot.) Some examples of vfstab entries are:
A simple server with only a root and /var partition, running Solaris 2.8:
fd - /dev/fd fd - no -
/proc - /proc proc - no -
/dev/dsk/c0t3d0s1 - - swap - no logging
/dev/dsk/c0t3d0s0 /dev/rdsk/c0t3d0s0 / ufs 1 no logging
/dev/dsk/c0t3d0s7 /dev/rdsk/c0t3d0s7 /var ufs 1 no logging,nosuid,noatime
swap - /tmp tmpfs - yes size=100m
and on a larger server:
fd - /dev/fd fd - no -
/proc - /proc proc - no -
swap - /tmp tmpfs - yes size=200M
/dev/dsk/c0t8d0s0 /dev/rdsk/c0t8d0s0 / ufs 1 no logging
/dev/dsk/c0t8d0s1 - - swap - no -
/dev/dsk/c0t8d0s4 /dev/rdsk/c0t8d0s4 /usr ufs 1 no logging
/dev/dsk/c0t8d0s6 /dev/rdsk/c0t8d0s6 /var ufs 1 no nosuid,noatime,logging
/dev/dsk/c0t8d0s5 /dev/rdsk/c0t8d0s5 /opt ufs 2 yes logging
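Because a mistake in vfstab is so costly, it is worth checking the file mechanically before rebooting. The following POSIX shell script is an added example, not part of the original article or of Yassp: it reads vfstab-format lines on standard input, flags lines that do not have the seven expected fields, and reports filesystems that lack the options discussed in the table above (logging on ufs, nosuid on /var and /home, a size= limit on tmpfs, and ro as a suggestion for /usr and /opt). The sample vfstab is constructed for the demonstration; on a real host you would feed it /etc/vfstab instead.

```shell
#!/bin/sh
# Added example (not from the original article): audit vfstab entries for
# the hardening mount options discussed above. Reads vfstab lines on stdin
# and prints one ERROR/WARN/INFO line per finding, nothing if all is well.

check_vfstab() {
    awk '
    # vfstab fields: device-to-mount device-to-fsck mountpoint fstype
    #                fsck-pass mount-at-boot mount-options
    /^#/ || NF == 0 { next }
    NF != 7 { printf "ERROR %s: expected 7 fields, got %d\n", $3, NF; next }
    {
        mp = $3; type = $4; opts = "," $7 ","
        if (type == "ufs" && index(opts, ",logging,") == 0)
            printf "WARN %s: ufs without logging\n", mp
        if (type == "ufs" && (mp == "/var" || mp == "/home") && index(opts, ",nosuid,") == 0)
            printf "WARN %s: data filesystem without nosuid\n", mp
        if (type == "tmpfs" && index(opts, ",size=") == 0)
            printf "WARN %s: tmpfs without a size= limit (swap exhaustion)\n", mp
        if (type == "ufs" && (mp == "/usr" || mp == "/opt") && index(opts, ",ro,") == 0)
            printf "INFO %s: consider mounting read-only (ro)\n", mp
    }'
}

# Constructed sample vfstab: /var lacks logging and nosuid, /tmp has no size
# limit, /usr is not read-only, and the /home line is missing a field.
sample_vfstab() {
    cat <<'EOF'
fd - /dev/fd fd - no -
/proc - /proc proc - no -
/dev/dsk/c0t0d0s1 - - swap - no -
/dev/dsk/c0t0d0s0 /dev/rdsk/c0t0d0s0 / ufs 1 no logging
/dev/dsk/c0t0d0s4 /dev/rdsk/c0t0d0s4 /usr ufs 1 no logging
/dev/dsk/c0t0d0s6 /dev/rdsk/c0t0d0s6 /var ufs 1 no -
/dev/dsk/c0t0d0s7 /dev/rdsk/c0t0d0s7 /home ufs 2 yes
swap - /tmp tmpfs - yes -
EOF
}

# Run against the constructed sample; replace with: check_vfstab < /etc/vfstab
sample_vfstab | check_vfstab
```

The field-count check is the one that protects against the unbootable-system case in the warning above: a line with six fields is exactly the kind of typo that stops / or /usr from mounting.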
RPC is a major security problem due to its lack of authentication and encryption and its use of dynamic ports. Normally RPC should not be run on bastion or other sensitive hosts. However, some programs insist on having RPC, e.g. CDE, OpenWindows, Disksuite and Legato Networker. If at all possible, avoid RPC (for example, the author prefers manual mirroring with a cpio script for warm standbys, rather than Disksuite). If RPC really is necessary, then....
Files which have the SUID bit set (an "s" where the execute bit for the owner/group is shown in 'ls' listings) allow the user executing the program to assume the identity/group of the owner of the program. This is typically used to allow normal users to access certain functions normally only allowed to root, for example binding to low ports, mounting a floppy disk, etc. The problem is that, historically, many security weaknesses have been found in such programs, allowing attackers with local accounts to become root by exploiting buffer overflows, race conditions etc.
Solaris has many "SUID root" binaries and each one presents a risk, so when hardening systems it is advisable to disable as many SUID programs as possible. The purpose of this section is to provide a brief overview of the subject; a list of documents and scripts for disabling SUID files, together with references and further reading, is provided in [8].
What SUID files are on the system?
The find command can be used to list all SUID files:
find / -perm -u+s -ls
or all SGID files:
find / -perm -g+s -ls
How should we handle SUID files? Possible courses of action, in order of preference, are:
- Remove the package containing the offending file
- Disable the program (e.g. chmod 000 FILENAME)
- The SUID bit can be removed (e.g. chmod ug-s FILENAME)
- Restrict the file to a group of users (first remove world access: "chmod o-rwx MYFILE", then allow a group: "chgrp MYGROUP MYFILE").
What SUID files need to be limited?
- On sensitive systems where users have accounts, or where key daemons run as non-root users, disabling as many SUID files as possible is desirable.
- One suggestion for paranoid systems is to disable all except 'pt_chmod', 'utmp_update' and 'su'.
- Reg Quinton explains each Solaris SUID file and recommends settings, together with an appropriate script that can be customised. The recommended settings are for "medium" security systems.
- Some tools like uucp are almost never needed. If possible remove the SUNWbnuu package or disable the setuid bits:
pkgrm SUNWbnuu
chmod ug-s /usr/bin/cu /usr/bin/uu* /usr/lib/uucp/*
- Another often unused suite of tools is kcms (Kodak Color Management System), so either remove or disable it:
pkgrm SUNWkcspg SUNWkcsrt
chmod ug-s /usr/openwin/bin/kcms*
- Other tools are useful, but only root needs to use them (on most hosts), so remove the SUID bit, e.g.:
chmod ug-s /usr/sbin/snoop /usr/bin/netstat /usr/local/bin/top /usr/local/bin/lsof
- We could check that all SUID files on the system are in the package database and haven't been changed:
find / -perm -u+s -exec pkgchk -p {} \; | more
The package DB only uses "checksums" (not hashes/signatures) and could easily be modified by an attacker, so don't trust the package commands as 'proof' that binaries are unmodified, rather as an indication.
- Or we could list all SUID files, with details, and see what packages they belong to:
find / -perm -u+s -exec pkgchk -l -p {} \; | more
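Listing SUID files once is only half the job: what you want to know later is whether a SUID or SGID file has appeared, disappeared or changed owner since the system was hardened. The script below is an added example, not code from the original article or from Yassp. It builds an inventory of SUID/SGID regular files under a directory (path, mode, owner, group) and diffs it against a saved baseline. On a real host you would run suid_inventory against / right after hardening, keep the baseline off the machine, and re-run the comparison from cron; here a constructed directory tree stands in for the root filesystem so the script can be exercised safely.

```shell
#!/bin/sh
# Added example (not from the original article): inventory SUID/SGID files
# under a tree and report differences against a stored baseline.

# suid_inventory DIR: print "path mode owner group" for each SUID/SGID
# regular file below DIR, sorted by path so the output can be diffed.
suid_inventory() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print |
    while IFS= read -r f; do
        # ls -ld is portable; fields 1, 3 and 4 are mode, owner and group
        ls -ld "$f" | awk -v p="$f" '{ print p, $1, $3, $4 }'
    done | sort
}

# suid_diff BASELINE CURRENT: lines only in CURRENT are new or changed
# entries, lines only in BASELINE are removed or changed entries.
suid_diff() {
    comm -13 "$1" "$2" | sed 's/^/NEW:  /'
    comm -23 "$1" "$2" | sed 's/^/GONE: /'
}

# Constructed demonstration: a tiny "system" with one SUID and one SGID file,
# then a SUID file added and the SGID bit dropped from another.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/bin"
    printf 'x' > "$root/bin/su";   chmod 4755 "$root/bin/su"
    printf 'x' > "$root/bin/mail"; chmod 2755 "$root/bin/mail"
    printf 'x' > "$root/bin/ls";   chmod 0755 "$root/bin/ls"
    suid_inventory "$root" > "$root/baseline"     # snapshot after hardening

    printf 'x' > "$root/bin/sh";   chmod 4755 "$root/bin/sh"   # unexpected new SUID file
    chmod g-s "$root/bin/mail"                                 # permission drift
    suid_inventory "$root" > "$root/current"
    suid_diff "$root/baseline" "$root/current"
    rm -rf "$root"
}
demo
```

A change in owner or group shows up as a GONE/NEW pair for the same path, which is the case to look at most closely: a SUID file that is now owned by root when it used to belong to an unprivileged account is a privilege boundary that has moved.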
To Do: it would be useful to have packages that reset the SUID files for example situations such as bastion hosts (high), multi-user servers (medium) and workstations (low). The packages would also correct the pkg database so that 'pkgchk -n' would not report permissions errors after the SUID files had been adapted.
Syslog logging: Yassp uses a modified syslog configuration /etc/syslog.conf which enables more logging than the default and splits up services into separate logfiles (in /var/log).
Yassp has disabled the Solaris log pruning & other lines in the root cron. It added an entry to run the "daily" script, which you may wish to examine. This script prunes and compresses the logs listed in the LOGS variable (and moves them to /var/oldlogs), and uses rcs to backup configuration files in the BACKUPF variable to /var/backups. The default settings for these variables are:
BACKUPF="/etc/passwd /etc/shadow /etc/group /etc/yassp.conf /var/sadm/install/contents"
LOGS="/var/log/authlog /var/log/sshlog /var/adm/messages /var/adm/named /var/log/kernlog /var/log/userlog /var/log/maillog /var/log/daemonlog /var/log/lprlog /var/log/newslog /var/log/cronlog /var/log/local0log /var/log/local2log /var/log/local5log /var/log/alertlog"
Tweaks to consider:
It is desirable to regularly check the integrity of files on the system, to be assured that they have not been maliciously modified. Solaris provides "pkgchk -n", which checks the package database against the size, permissions and checksums of the actually installed files. This is useful and recommended; however, checksums can be fooled and the package database can itself be manipulated, so it is no protection against a clever attacker (or a script kiddie with a clever rootkit). What is required is a file integrity checker that uses secure hashing algorithms.
This is why the Yassp tarball installs Tripwire in /secure/tripwire. Tripwire uses several secure hashing algorithms (and in its commercial form provides cryptographic signing of its database).
At this stage of the installation, it is recommended to take a snapshot of the files on the newly configured system, i.e. initialise tripwire's database and then run regular checks to monitor for changes. If possible, keep the master database on another machine, offline or on write-once media.
What options do we have for integrity checking?
An example using the free Tripwire Version 1.2 (bundled with Yassp):
To run the first time:
/secure/tripwire/trip_host.sh -init HOST
Each time after that:
/secure/tripwire/trip_host.sh -check HOST
To automate this for many hosts, the script is called from another script for each host that needs to be monitored. See the sample script trip_all [3]. That script also assumes that the commercial Tripwire is used on the central trusted host (only); the commercial Tripwire allows signing of the Tripwire database, which makes it more secure.
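To make the init/check cycle described above concrete, here is an added example of the same idea in POSIX shell. It is not Tripwire's code and not part of the original article: integrity_init records a SHA-256 digest (rather than the weak checksum used by the package database), mode and owner for every regular file under a directory, and integrity_check compares a fresh snapshot with that database and reports added, removed and modified files. It assumes one of sha256sum, shasum or openssl is on the host; the demonstration tree and file names are constructed. As the article says, the database only means something if it is kept where an attacker on the host cannot rewrite it.

```shell
#!/bin/sh
# Added example (not from the original article or from Tripwire): a minimal
# hash-based file integrity snapshot and check.

# hash_file FILE: SHA-256 hex digest using whichever tool the host has
# (assumption: sha256sum, shasum or openssl is installed).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then shasum -a 256 "$1" | awk '{print $1}'
    else openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# integrity_init DIR > DATABASE: one "path mode owner sha256" line per
# regular file below DIR (the equivalent of trip_host.sh -init).
integrity_init() {
    find "$1" -type f -print | sort | while IFS= read -r f; do
        mode_owner=$(ls -ld "$f" | awk '{print $1, $3}')
        printf '%s %s %s\n' "$f" "$mode_owner" "$(hash_file "$f")"
    done
}

# integrity_check DATABASE DIR: take a new snapshot of DIR and report every
# path that was added, removed, or whose mode/owner/hash differs
# (the equivalent of trip_host.sh -check). Prints nothing if all is well.
integrity_check() {
    new=$(mktemp)
    integrity_init "$2" > "$new"
    awk '
        FILENAME == ARGV[1] { old[$1] = $2 " " $3 " " $4; next }
        {
            cur = $2 " " $3 " " $4
            if (!($1 in old))        print "ADDED    " $1
            else if (old[$1] != cur) print "MODIFIED " $1
            delete old[$1]
        }
        END { for (p in old) print "REMOVED  " p }
    ' "$1" "$new"
    rm -f "$new"
}

# Constructed demonstration: snapshot a small tree, then alter it.
demo() {
    root=$(mktemp -d); db=$(mktemp)   # database deliberately kept outside the tree
    printf 'daemon config\n' > "$root/inetd.conf"
    printf 'binary\n'        > "$root/login"; chmod 4755 "$root/login"
    integrity_init "$root" > "$db"
    printf 'tampered binary\n' > "$root/login"   # content changed, mode and owner unchanged
    printf 'nologin\n'         > "$root/shells"  # new file
    rm -f "$root/inetd.conf"                     # removed file
    integrity_check "$db" "$root"
    rm -rf "$root" "$db"
}
demo
```

Note that a mode or owner change is reported as MODIFIED even when the content hash is unchanged, which covers the SUID-bit drift discussed in the previous section as well as content tampering.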
If you've followed our suggestions up to now, you now have a system that is quite resistant to attack. To maintain this security, caution is needed:
[1] Patches:
- Sun: sunsolve.sun.com, sunsolve.sun.ch
- Patchdiag: sunsolve.sun.ch/private-cgi/show.pl?target=resources/tools
- Patch XREF file: sunsolve.sun.ch/private-cgi/show.pl?target=patches/patch-access
- SecurityFocus Vulnerability calculator: SecurityFocus.com/focus/sun/form.html
- Reg Quinton/Bruce Barnett's CheckPatches and GetApplyPatch scripts
- Casper Dik's FastPatch
- Joe Shambin's Patchreport
[2] Further reading on Hardening:
YASSP
- Hardening Solaris (based on Yassp beta12)
  http://www.securityportal.com/topnews/solaris_hardening20000523.html
  This article presents a concise step-by-step approach to securely installing Solaris for use in a firewall DMZ or other sensitive environment, using the Yassp tool (beta11). For Solaris 8, the Sunscreen EFS lite firewall is also presented.
- Interview with Jean Chouanard
  http://securityportal.com/cover/coverstory20000821.html
Titan
- The Titan project
  http://www.fish.com/titan/
  http://www.fish.com/titan/TITAN_documentation.html
  Titan is a collection of programs, each of which either fixes or tightens one or more potential security problems with a particular aspect in the setup or configuration of a Unix system. Conceived and created by Brad Powell, it was written in Bourne shell, and its simple modular design makes it trivial for anyone who can write a shell script or program to add to it, as well as completely understand the internal workings of the system.
- Hardening Solaris - Compass Security Draft 0.82, by Ivan Butler
  http://www.csnc.ch/download/sources/Hardening-Solaris V0.82.pdf
  This PDF document provides a step-by-step tutorial to creating a Solaris system resistant to various methods of attack, based on the Titan scripts.
Sun
- Sun's hardening tool, Jass
  http://www.sun.com/blueprints/tools
  Jass has a restrictive license and is still in beta. It was tested a few weeks back in 'Tip of the Week' and didn't seem ready for prime time.
- Sun's hardening documentation:
  - Solaris Operating Environment Security
    http://www.sun.com/blueprints/0100/security.pdf
    Discusses how to enhance system and network service security in Solaris.
  - Solaris Operating Environment Network Settings for Security
    http://www.sun.com/blueprints/1299/network.pdf
    Discusses the many low-level network options available within Solaris and their effect on security.
  - Solaris Minimization for Security: A Simple, Reproducible and Secure Application Installation Methodology
    http://www.sun.com/blueprints/1299/minimization.pdf
    Discusses OS minimization as a technique for reducing system vulnerabilities; a simple method for duplicating these installations on large numbers of servers is also introduced.
  - JumpStart Architecture and Security Scripts for the Solaris Operating Environment, Part 1
    http://www.sun.com/blueprints/0700/jssec.pdf
    This article is part one of a three-part series presenting the JumpStart Architecture and Security Scripts tool (Toolkit) for Solaris. The Toolkit is a set of scripts which automatically harden and minimize Solaris Operating Environment systems. The modifications made are based on the recommendations made in the previously published Sun BluePrints OnLine security articles.
More Hardening Papers
- SecurityFocus, list of Sun relevant articles
  http://www.securityfocus.com/focus/sun/menu.html?fm=0&action=unfold
- Lance Spitzner's white papers
  http://ww.enteract.com/~lspitz/papers.html
  These papers are useful and referenced by many people. Worth a read.
- Securing Solaris Servers - A Checklist Approach, by Paul D. J. Vandenberg and Susan D. Wyess
  http://www.usenix.org/sage/sysadmins/solaris/index.html#host
  This material is excerpted from an internal U.S. Government document on web security, which the authors played leading roles in preparing. This material has been officially reviewed, and the authors have been granted permission to use this material in a non-official publication.
- Hardening Solaris (pre Yassp), by Seán Boran
  http://www.securityportal.com/coverstory19991025.html
  This article presents a step-by-step approach to securely installing Solaris for use in a firewall DMZ. It's a bit old now and not as comprehensive as it should be, but it is useful for those who wish to 'manually harden' their system.
- tcp tuning under solaris, by Jens-S. Vöckler
  http://www.rvs.uni-hannover.de/people/voeckler/tune/EN/tune.html
- Security: How to Documents, Information Systems and Technology, University of Waterloo
  http://ist.uwaterloo.ca/security/howto/
- Wietse Venema's tools and papers (tcp wrapper, rpcbind/portmapper, postfix, Satan, ...)
  ftp://ftp.porcupine.org/pub/security/index.html
- Solaris Security Guide, Sabernet
  http://www.sabernet.net/papers/Solaris.html
- Solaris Security Step by Step, from SANS
  http://www.sans.org
  Available in paper or PDF form; it is quite useful, but it's not free.
Sunworld
- Sunworld security columns
  http://www.sunworld.com/sunworldonline/common/swol-backissues-columns.html
- Solaris Security FAQ
  http://www.sunworld.com/common/security-faq.html
- Padded Cells
  http://www.sunworld.com/swol-01-1999/swol-01-security.html
- Softpanorama University Pages: Solaris Hardening and Security
  http://www.softpanorama.org/Security/sos.shtml
  This site is an index to many Solaris security papers and tools.
- Securiteam: Hardening Solaris SPARC/x86 security for Firewall usage - a step by step guide
  http://www.securiteam.com/unixfocus/Hardening_Solaris_SPARC_x86_security_for_Firewall_usage_-_a_step_by_step_guide.html
More hardening Tools
- New Approaches to Making Solaris More Secure, by Rich Teer (including hardening scripts)
  http://www.sysadminmag.com/supplement/web_feature1.shtml
- Securing Solaris, by Ido Dubrawsky
  http://www.sysadminmag.com/supplement/913secsol.shtml
- Casper Dik's fixmode (improves Solaris file permissions)
  ftp.wins.uva.nl:/pub/solaris
- Chris Calabrese's Harden script
  ftp://ftp.freebird.org/unixware/freebird/internet/systools/harden
- Alberto Begliomini's SECUR
  ftp://ftp.coldstone.com/secur
[3] Tripwire links:
- Free version V1.2 (last updated in 1994).
- Commercial version (starts at $495.-/server); also runs on NT.
- SecurityPortal article using Tripwire for Linux (useful examples).
- Sunworld article on tripwire.
- Sean's scripts for running tripwire: trip_host.sh, trip_all.
- AIDE, a GPL file integrity checker.
[4] General Application Hardening: LINKS TO BE DEFINED
[5] Email/sendmail links:
- SMAP & FWTK (Firewall Toolkit), Sendmail, Postfix, Qmail, Life with qmail.
- Anti-Virus Mail Scanner for Sendmail: amavis.org
- Scan4Virus - Virus Scan Wrapper for Qmail.
[6] IPfilter:
- IP Filter Based Firewalls HOWTO
- Firewalling with IPF
- Introduction to IP Filter
- Introduction to IP Filter Part 2
[7] Routing:
- Sun's Routing Support Document/FAQ is an old, but comprehensive, overview of routing, how it works in Solaris and how to configure/debug routing.
[8] Disabling SUID files:
- Solaris 7 Setuid/Setgid Files, Information Systems and Technology, University of Waterloo [Reg Quinton's documentation on Solaris 7 SUID files and associated scripts].
  http://ist.uwaterloo.ca/security/howto/1999-04-21.html
  Solaris 2.6: http://ist.uwaterloo.ca/security/howto/2000-08-22.html
  Solaris 8: http://ist.uwaterloo.ca/security/howto/2000-08-17.html
- Titan's ziplock module
  http://www.titan.org
- Example listing of SUID/SGID files on a Solaris 7 system:
  http://www.boran.com/security/sp/solaris/suid_sol7.txt
- Example listing of SUID/SGID files on a Solaris 8 system:
  http://www.boran.com/security/sp/solaris/suid_sol8.txt
10.Jul'00 sb Draft#1
22.Jul'00 sb Spelling & grammar. Fix link.
31.Jul'00 sb Serial port break, minor fixes, new logging & tripwire sections, improve vfstab.
1.Aug'00 sb Update 2: NTP, routing, rpc, tripwire, spelling/grammar. (Thanks to Reg, Richard, Doug for feedback.) New: logging/"daily".
3.Aug'00 sb Update 3: Lots of little corrections after feedback from Jean, Reg, Doug, Sweth, Warren, ... New: Add References section, ToDo, Add note on umask in Yassp config section.
11.Aug'00 sb Update 4: routing, inetd, email server, rpc logging, tripwire, Email server, patches, IPF links. New: ROOTALLOWED, smrsh/qmail/postfix refs, refs to Sun Security docs, Final Note (Feedback from Jean, Doug, Paolo, Alex, Laurie).
18.Aug'00 sb New: SUID files. Update: add "ro" to vfstab options.
23.Oct'00 sb Update: [2] Further reading on Hardening.
15.Nov'00 sb Freshen for beta#12