Weekly Solaris Security Roundup -  2000/06/26 to 2000/07/02


By Seán Boran, sean AT boran.com, for Security Portal


The Rundown

Few vulnerabilities this week, but lots of discussions on the FOCUS-SUN and Yassp lists and a few interesting articles were published.

The tip of the week looks at chroot'ing BIND.


CERT Advisories & Sun Security Bulletins

none this week.

Patches have not yet been produced for the ufsrestore vulnerability noted two weeks ago.


News

Security Portal:

Last Monday, Jay Beale wrote a useful article on auditing the list of SUID programs on a system. Although it concentrates on RedHat, the SUID explanations are equally valid for Solaris.

SecurityFocus:

Solaris Default Processes and init.d Part 3
This is the third article in a series on Solaris init.d and default processes. Hal Flynn walks through the sequence of key processes that are started on Solaris 8 and gives a brief description of how each is started and what it does.
A deeper description of the daemons themselves would have been interesting.

SecurityFocus - selected free Tools

Secure Password Generator 0.1.1 by GaveUp generates random passwords of a variable length that you choose. It can also optionally generate passwords with case sensitive and non-case sensitive letters, numbers, "special" characters, and ANSI characters.
Logger_pl 1.7c by Patricio Anguita examines certain types of logs, watching for keywords and extracting interesting lines as it builds a smaller, easier-to-read log summary. If the same error repeats itself, the script counts the number of repetitions and outputs it between brackets at the end of the line. It's designed to work with files in the /var/log/ dir, like 'messages', 'secure', etc. It is especially useful when run from the crontab once a day on the combined syslog of many servers, e.g., when you have configured all your servers to send syslog information to one host so that logging is centralized.
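As an added illustration of the keyword-filter-and-count approach that the Logger_pl description above sketches, here is a small Python script (written for this roundup, not Patricio Anguita's code). It keeps only lines containing one of a list of keywords, strips the syslog timestamp and process id so that repeats of one message compare equal, and appends the repetition count in brackets. The keyword list, the hostname-preserving normalisation and the sample log lines are all assumptions made for the example; the log lines are constructed, not taken from a real system.

```python
import re
import sys
from collections import OrderedDict

# Constructed sample syslog lines (not taken from any real system), in the
# "Mon DD HH:MM:SS host program[pid]: message" format /var/log/messages uses.
SAMPLE_LOG = """\
Jun 28 03:12:01 web1 sshd[1234]: Failed password for root from 192.0.2.10 port 40022 ssh2
Jun 28 03:12:03 web1 sshd[1234]: Failed password for root from 192.0.2.10 port 40022 ssh2
Jun 28 03:12:05 web1 sshd[1234]: Failed password for root from 192.0.2.10 port 40022 ssh2
Jun 28 03:15:00 web1 cron[220]: (root) CMD (/usr/lib/sa/sa1)
Jun 28 03:20:11 db1 su: 'su root' failed for jdoe on /dev/pts/3
Jun 28 03:21:40 db1 su: 'su root' succeeded for admin on /dev/pts/1
Jun 28 04:00:00 web1 cron[220]: (root) CMD (/usr/lib/sa/sa1)
Jun 28 04:02:12 db1 su: 'su root' failed for jdoe on /dev/pts/3
"""

# Keywords that mark a line as worth reporting (matched case-insensitively).
# Assumed list for the example; tune it to the daemons you run.
KEYWORDS = ("failed", "refused", "denied", "error", "su:")

# Leading syslog timestamp. The hostname is deliberately kept so that the
# same message from different servers in a centralized log is not merged.
_TIMESTAMP = re.compile(r"^[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d ")
# "[1234]" process ids change between restarts; drop them before comparing.
_PID = re.compile(r"\[\d+\]")


def interesting(line, keywords=KEYWORDS):
    """True if the line contains any of the keywords (case-insensitive)."""
    low = line.lower()
    return any(k in low for k in keywords)


def summarize(text, keywords=KEYWORDS):
    """Return the interesting lines of a log, each once, in first-seen
    order, with a repeat count in brackets appended when the same message
    occurred more than once."""
    counts = OrderedDict()
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or not interesting(line, keywords):
            continue
        message = _PID.sub("", _TIMESTAMP.sub("", line))
        counts[message] = counts.get(message, 0) + 1
    return [f"{msg} [{n}]" if n > 1 else msg for msg, n in counts.items()]


if __name__ == "__main__":
    # Usage: python logsummary.py < /var/log/messages
    # With no piped input the constructed sample above is summarized instead.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    print("\n".join(summarize(data)))
```

Run daily from cron over the centralized syslog, the output for the sample collapses eight lines into three: the three failed root logins become one line ending in "[3]", the two failed su attempts one line ending in "[2]", and the cron entries disappear because they match no keyword.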

Sun

SunSolve Article: Put A Trace On It: A Command You Can "truss"
A useful tour of this 'trusty' tool, which is handy for debugging.

Ducktank: Just found this new cracker site, with a few interesting articles, such as:

X Window Vulnerabilities making a strong comeback
Not only do some unix users leave their systems open with "xhost +", but some PC X11 servers (such as PC Xware and Exceed) are set up this way by default. This article describes exploiting and fixing such configurations.


Mailing lists, Bugtraq

Bugtraq vulnerabilities this week - Solaris:

none

Bugtraq vulnerabilities this week - Applications that run on Solaris:

2000-06-24: ISC DHCP Client 'remote root' Vulnerability
2000-06-22: Allaire JRun 2.3.x Sample Files Vulnerability
2000-06-22: Wu-Ftpd Remote Format String Stack Overwrite Vulnerability

FOCUS-Sun discussions this week:

06/30/00 Firewall in Sun
06/30/00 Max. No of processes
06/30/00 Solstice Disk Suite
06/30/00 Explanation of ssh Thread1 Thread2
06/29/00 Associating Socket with Process
06/29/00 Solaris 7 directories ownership (/tmp /var/tmp)
06/28/00 shells (or lack thereof) and associated risks
06/28/00 Associating Socket with Process
06/28/00 IP Accounting: Thread1 Thread2
06/28/00 Solaris 7 directories ownership
06/27/00 ipf fails to attach
06/27/00 SUMMARY: Running BIND chroot on Solaris
06/27/00 Daily sysadmin tasks
06/24/00 Locking down a Sun box
06/23/00 IPchains vs IPfilter
06/21/00 Sun Patch Methods Thread0 Thread1 Thread2

Yassp (the Solaris hardening tool) Developers' list:

Yassp beta#6 has been released with Cleanup and SECclean integrated into one package. Testing revealed a few minor bugs. Beta#9 should be out soon in tarball format. Looking promising! yassp.parc.xerox.com/june2000/seccleanbeta8.Z

Discussions:
tcpd in /usr/bin
contents of /etc/rc* not backed up
typos and tweaks
SERIOUS BUG (was: Re: YASSP)
yassp: root crontab
Beta8 tests
New feature: SUID checking?
SECclean beta#8 (No yassp tarball yet)
Two more questions
cleanup question
YASSP license
USERDENIED/ROOTNAME

See also: Main site, Dev. list archive, Hardening Solaris Article.


Tip of the Week

The chroot mechanism can be used to reduce the risk posed by daemons if they are penetrated, by creating a branch of the filesystem that looks like / to the application. A compromised daemon is then confined to that branch and cannot reach the real system binaries, configuration files or libraries.

Running BIND v8 chroot'ed on Solaris 7
I've spent the last two weeks chroot'ing BIND8 on Solaris 7 and have documented the process in detail. Only a primary has been chroot'ed so far; the above article will be updated over the next few weeks as a secondary is chrooted and it proves itself in production.
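The chroot tip above names the idea but not the sequence a daemon (or a wrapper that starts it) has to follow to make the confinement hold. The following Python is an added example for this roundup, not code from the BIND article or from ISC: it checks that the jail root is sane, enters it in the order that matters (chdir into the jail, chroot, chdir to the new /, then drop to an unprivileged uid/gid as the last step), and exposes the checks so they can be exercised without root. Function names, the check list and the temporary directory used by demo_checks() are assumptions made for the example.

```python
import os
import stat
import tempfile


def check_jail_root(path, daemon_uid):
    """Sanity-check a proposed chroot directory before using it.

    Returns a list of problems (empty means the directory looks usable).
    For a daemon that will run as daemon_uid inside the jail, the jail root
    must be a real directory that is neither owned by that user nor group-
    or world-writable; otherwise the confined daemon could rearrange its
    own root (for example by replacing the libraries it loads).
    """
    problems = []
    try:
        st = os.lstat(path)
    except OSError as exc:
        return [f"cannot stat {path}: {exc.strerror}"]
    if stat.S_ISLNK(st.st_mode):
        problems.append("jail root is a symlink")
    elif not stat.S_ISDIR(st.st_mode):
        problems.append("jail root is not a directory")
    if st.st_uid == daemon_uid:
        problems.append("jail root is owned by the daemon user")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("jail root is group- or world-writable")
    return problems


def enter_jail(path, daemon_uid, daemon_gid):
    """Confine the current process: chdir, chroot, then drop privileges.

    Must be called as root (chroot(2) and setuid(2) require it).  The order
    matters: the working directory is moved inside the jail *before*
    chroot so that no directory outside the new root stays open, and the
    switch to the unprivileged uid is the last step, after which the
    process can no longer undo the confinement.
    """
    problems = check_jail_root(path, daemon_uid)
    if problems:
        raise RuntimeError("refusing to chroot: " + "; ".join(problems))
    os.chdir(path)
    os.chroot(path)
    os.chdir("/")               # cwd is now the jail root, not the old directory
    os.setgroups([daemon_gid])  # drop supplementary groups inherited from root
    os.setgid(daemon_gid)
    os.setuid(daemon_uid)       # irreversible; do this last
    if os.getuid() != daemon_uid or os.geteuid() != daemon_uid:
        raise RuntimeError("privilege drop failed")


def demo_checks():
    """Exercise check_jail_root on a constructed temporary directory.

    Returns (ok, writable, owned): the problem lists for a 0700 directory
    owned by us with a different daemon uid (should pass), the same
    directory after chmod 0777, and the 0777 directory when the daemon
    uid is our own uid.  No chroot is performed, so this needs no root.
    """
    other_uid = os.getuid() + 1                   # assumed: a uid other than ours
    jail = tempfile.mkdtemp(prefix="jail-demo-")  # created mode 0700, owned by us
    try:
        ok = check_jail_root(jail, other_uid)
        os.chmod(jail, 0o777)
        writable = check_jail_root(jail, other_uid)
        owned = check_jail_root(jail, os.getuid())
    finally:
        os.rmdir(jail)
    return ok, writable, owned


if __name__ == "__main__":
    labels = ("0700 dir", "0777 dir", "daemon-owned 0777 dir")
    for label, result in zip(labels, demo_checks()):
        print(f"{label}: {result or 'ok'}")
```

The same chdir/chroot/setuid ordering is what named's own -t (chroot directory) and -u (user) switches perform; a wrapper like this is for daemons that lack such options, or when you want the ownership and permission checks enforced before the daemon starts. Note that the jail must still contain copies of the shared libraries, devices and configuration the daemon needs, which is the part of the work the linked article documents.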


References and Resources

Sun Resources: Security Coordination Team, Security bulletins, General Sun Security, Solaris Security Datasheets, Java Security.

Patches

Sun security patches: sunsolve.sun.com/securitypatch
Public patches sunsolve.sun.com/pub-cgi/show.pl?target=patches/patch-access

If you have a maintenance contract, log in to SunSolve and get both the PatchDiag tool and its reference database.
If you don't, use the SecurityFocus Solaris Patch Calculator.

Web Publications, resources

SecurityFocus: Sun section, Vulnerability database.

Security Portal papers: Hardening Solaris, Review of the Sunscreen EFS3 firewall, All about SSH - Part I, All about SSH - Part II.

SANS Report: How To Eliminate The Ten Most Critical Internet Security Threats

BigAdmin
Solaris Guide
Solaris Central
Solaris-System (x86) Forum
Sunwhere index of resources
Sunworld security columns
Solaris Security FAQ
SunFreeware
Freeware4sun
BSD Today, Daemonnews
IT Security Cookbook
Tools: tcpd, rdist, fwtk/smap, Nessus, Nmap, snort, Yassp.

General discussion resources

Personal interface to Sun resources: www.sun.com/MySun
BigAdmin discussion forum & FAQs: www.sun.com/bigadmin/home/index.html
Newsgroups: comp.unix.solaris, comp.sys.sun.admin, comp.sys.sun.hardware, alt.solaris.x86

Sun-managers Mailing list: This high quality list has been around for many years and is an invaluable resource to Sun system administrators.
Send a request to "majordomo@sunmanagers.ececs.uc.edu". The request should contain simply one line which says either "subscribe sun-managers" or "unsubscribe sun-managers". You can specify the particular e-mail address to be added after the word "subscribe".

SecurityFocus "FOCUS-Sun" list: see www.securityfocus.com/focus/sun/subscribe.html
Focus-Sun is meant to be a resource for Sun users and administrators, looking for that extra little bit of help ..., using Sun products in security roles, and getting additional information about the latest in Sun vulnerabilities. ... In addition, important announcements related to breaking vulnerabilities will be posted.