By Seán Boran (sean at boran.com) for SecurityPortal
Weekly Solaris Security Digest Archive
http://www.securityportal.com/research/research.wss.html
Sign up to get this digest by email.
Sun Bulletin #99, Potential security issue in Java class loading
http://sunsolve.sun.com/pub-cgi/secBulletin.pl
Most JVMs are vulnerable (exceptions are Hotspot 2, Internet Explorer and Netscape Navigator) to a bug whereby forbidden classes can be loaded.
Comment: Sun is a bit fuzzy on the details, but a patch to your Java VM is advisable on servers in hostile environments, multi-user servers and webservers using Java. HP have also announced fixes.
CERT Advisory CA-2000-21 Denial-of-Service Vulnerabilities in TCP/IP Stacks
http://www.cert.org/advisories/CA-2000-21.html
BindView's RAZOR Security Team have found new DoS attacks that work against many TCP/IP stacks; they call these the Naptha vulnerabilities. The attacker makes a TCP connection and leaves the TCP/IP stack in one of several states, possibly starving system resources if many connections are used. No exploit code has been released. Sun has not finished its analysis for Solaris, but Solaris to Solaris connections are not vulnerable.
See also the original advisory:
http://razor.bindview.com/publish/advisories/adv_NAPTHA.html
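As an added example (not from the digest, CERT or BindView), the following sh/awk check counts TCP connections per state and flags any remote host holding many connections in one state, which is the symptom the advisory describes. The Solaris-like "netstat -an" field layout and the sample lines are constructed assumptions; only the remote address and state columns are used.

```shell
#!/bin/sh
# Added example: spot a pile-up of connections in one TCP state, per
# remote host, from "netstat -an" style output. The field layout
# assumed is local remote swind send-q rwind recv-q state, so only
# the second and last fields matter and the middle ones may differ.

# Constructed sample standing in for "netstat -an -f inet" output.
SAMPLE_NETSTAT='
10.0.0.5.80        192.168.1.20.40001   8760      0  8760      0 ESTABLISHED
10.0.0.5.80        192.168.1.20.40002   8760      0  8760      0 FIN_WAIT_1
10.0.0.5.80        192.168.1.20.40003   8760      0  8760      0 FIN_WAIT_1
10.0.0.5.80        192.168.1.20.40004   8760      0  8760      0 FIN_WAIT_1
10.0.0.5.80        192.168.1.20.40005   8760      0  8760      0 FIN_WAIT_1
10.0.0.5.22        192.168.1.30.51000   8760      0  8760      0 ESTABLISHED
10.0.0.5.25        192.168.1.40.33000   8760      0  8760      0 TIME_WAIT
'

# count_state STATE: number of connections in STATE (reads stdin).
count_state() {
    awk -v s="$1" '$NF == s { n++ } END { print n + 0 }'
}

# flag_hosts STATE THRESHOLD: print "remote_host count" for every
# remote host with more than THRESHOLD connections in STATE. The port
# is stripped from the dotted Solaris "addr.port" form of field 2.
flag_hosts() {
    awk -v s="$1" -v t="$2" '
        $NF == s {
            host = $2; sub(/\.[0-9]+$/, "", host); c[host]++
        }
        END { for (h in c) if (c[h] > t) print h, c[h] }'
}

# Live usage (assumed command line): netstat -an -f inet | flag_hosts FIN_WAIT_1 100
# Demo on the constructed sample:
printf '%s\n' "$SAMPLE_NETSTAT" | flag_hosts FIN_WAIT_1 3
```

Run from cron with a threshold tuned to the host's normal load, the flagged hosts can be passed to logger(1) so that a resource-starvation attempt shows up in syslog alongside the usual BSM and access logs.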
none
2000-11-25: Twig Remote Arbitrary Script Execution Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=1998
2000-11-24: Phorum Arbitrary File Read Vulnerability
http://securityfocus.com/vdb/bottom.html?vid=1997
The latest Solaris Recommended / Security Patch clusters are as follows:
Solaris 8 Nov/17/00
Solaris 7 Nov/02/00
Solaris 2.6 Nov/03/00
Solaris 2.5.1 Nov/02/00
ISC DHCPD, by Kurt Seifried
http://securityportal.com/closet/closet20001129.html
An overview of the free DHCP server, why it needs to be secured, how to chroot it, and how to run it as a non-root user.
Sun releases Trusted Solaris 8
http://www.sun.com/smi/Press/sunflash/2000-11/sunflash.20001120.1.html
Solaris Infrequently Asked and Obscure Questions, by Argoth
http://shells.devunix.org/~argoth/iaoq/
Comment: looks interesting, but everything is displayed in one massive paragraph.
Sun Tech tips
http://www.wdpi.com/sunmicrotechtips/suntt.htm
Comment: not bad at all!
A SunSolve Patch Primer
http://sunsolve.sun.com/pub-cgi/show.pl?target=content/content1
Comment: This is a useful overview of patches for sysadmins. It is a pity that Sun still keeps the Patchdiag tool and access to all patches restricted to contract customers. I bought both Sparc and Intel versions of Solaris 8, why should I not have patch access?
The System Startup Daemon: init, by Dru Lavigne
http://www.oreillynet.com/pub/a/bsd/2000/11/28/FreeBSD_Basics.html
Comment: I agree this has nothing to do with Solaris, but if you still use SunOS4 you'll find FreeBSD starts up in a similar way :)
An Introduction to Incident Handling, by Chad Cook
http://www.securityfocus.com/frames/?focus=basics&content=/focus/basics/articles/inchan.html
This paper provides a short overview and several guidelines for handling incidents involving three of the most common attacks: viruses, system compromise and denial of service.
Comment: A good paper.
Solaris BSM Auditing, by Darren Moffat
http://www.securityfocus.com/focus/sun/articles/bsmaudit1.html
When considering the security of a system we need to be concerned not only with which features and tools we use to implement the access restrictions, but also with what logging of access we do. Logging is important for two main reasons: regular analysis of our logs gives us an early warning of suspicious activity and, if stored securely, they can provide the evidence required to find out what went wrong when a breach of the security policy occurs. This article by Darren Moffat offers an overview of the Basic Security Module implementation and management aspects, and provides insight helpful in raising security to another level in "Solaris BSM Auditing."
Comment: This is a useful tutorial on BSM. Note however that root cron stopped working when I enabled BSM on two Solaris 8 Intel systems. Other notes on BSM are available on:
http://www.boran.com/security/sp/Solaris_bsm.html
ECN and its impact on Intrusion Detection, by Toby Miller
http://www.securityfocus.com/focus/ids/articles/ECN.html
Recently, there has been some discussion on various mailing lists about the Explicit Congestion Notification (ECN) proposed standard and QUESO/nmap scan detection. The debate has centered on the two reserved bits in the TCP header (bits 8 & 9) that QUESO sets in a SYN packet, and the fact that those same two bits are used by ECN.
Thinking about Security Monitoring and Event Correlation, by Billy Smith
http://www.securityfocus.com/focus/ids/articles/thinking.html
Most security devices provide logging and alerting of known and possibly unknown security events that occur on an information technology infrastructure. Despite all our technological advances and the introduction of devices like firewalls and VPNs, most companies do not monitor the information coming from these devices.
Sizing Up Security Services, by Deborah Radcliff
http://www.computerworld.com/cwi/stories/0,1199,NAV47-68-84-90_STO54345,00.html
You hire a security consulting firm that analyzes your network. On his way out, the auditor leaves you to grapple with an 800-page report listing your network's 60,000 vulnerabilities...
Comment: A useful article to help with selecting and handling security consultants.
Security group benchmarking Solaris, by Diane Frank
http://www.fcw.com/fcw/articles/2000/1127/web-cis-11-29-00.asp
The Center for Internet Security is preparing to release the first in a wave of security benchmarks for commercial products widely used in government, industry and academia. The Solaris benchmark should be out by the end of the year.
Comment: Few details are available, let's wait for the new year.
All tools are now summarised in the 'Weekly Security Tools Digest'
http://securityportal.com/topnews/weekly/tools.html
One tool that may interest Solaris sysadmins in particular is:
Solpromisc 1.0
UDP - Digital Security Architect
http://www.low-level.net/udp/projects.html
Solpromisc is a kernel module which you can load to detect attempts to put devices into promiscuous mode from user space via DLPI (e.g. solsniff, tcpdump, anything pcap based). It dumps the cred struct for the process, and the driver responsible, to the dmesg output buffer for collection by syslog.
11/29/00 SunShield BSM and SSH
http://www.securityfocus.com/templates/archive.pike?threads=1&end=2000-12-02&tid=147661&start=2000-11-26&fromthread=0&list=92&
11/29/00 FW: SunShield BSM and SSH
http://www.securityfocus.com/templates/archive.pike?threads=1&end=2000-12-02&tid=147657&start=2000-11-26&fromthread=0&list=92&
11/28/00 Is fsirand still needed?
http://www.securityfocus.com/templates/archive.pike?threads=1&end=2000-12-02&tid=147318&start=2000-11-26&fromthread=0&list=92&
11/26/00 Network Mapping
http://www.securityfocus.com/templates/archive.pike?threads=1&end=2000-12-02&tid=146949&start=2000-11-26&fromthread=0&list=92&
11/24/00 unsafe start-up services
http://www.securityfocus.com/templates/archive.pike?fromthread=0&end=2000-11-25&start=2000-11-19&tid=146772&list=92&threads=1&
11/24/00 locking a user immediately on Solaris 8
http://www.securityfocus.com/templates/archive.pike?fromthread=0&end=2000-11-25&start=2000-11-19&tid=146781&list=92&threads=1&
Yassp beta 15 is still current. A few more problems were fixed and the documentation is being updated. V1.0 is close. If you are a Solaris sysadmin, please consider testing Yassp and providing input on the documentation, programs and hardening at this very important stage before the final release.
Discussions
Another bug in the OPENssh package
http://www.theorygroup.com/Archive/YASSP/2000/msg00753.html
Some questions from first time v 0.15rc2 user
http://www.theorygroup.com/Archive/YASSP/2000/msg00752.html
SUMMARY: cron audit problem. job failed
http://www.theorygroup.com/Archive/YASSP/2000/msg00751.html
Beta15: post install doc
http://www.theorygroup.com/Archive/YASSP/2000/msg00750.html
See also
http://www.yassp.org
Solaris builds its device tree when booting and loads the appropriate drivers, but devices added since the last reconfiguration are not recognised automatically (presumably to keep booting fast).
If a new disk is added, the system is typically rebooted and told to search for new devices. This can be done by several methods:
There is an easier way, even without rebooting.
Tell Solaris to update /devices and then create appropriate device links for disks (and possibly tapes or serial ports):
drvconfig
disks
ports
tapes
Solaris 8 has a new command for managing devices, 'devfsadm'.
devfsadm(1M) maintains the /dev and /devices namespaces. It replaces the previous suite of devfs administration tools including drvconfig(1M), disks(1M), tapes(1M), ports(1M), audlinks(1M), and devlinks(1M).
devfsadmd(1M) is the daemon version of devfsadm(1M). The daemon is started by the /etc/rc* scripts during system startup and is responsible for handling both reconfiguration boot processing and updating /dev and /devices in response to dynamic reconfiguration event notifications from the kernel.
So this one command can be used for reconfiguring on Solaris 8:
devfsadm
Note: On my hardened Solaris 8 systems, the daemon 'devfsadmd' is disabled without any obvious ill effects. It is probably necessary on systems like the Starfire which support dynamic changing of hardware.
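As an added example (not part of the digest and not Sun's code), the script below wraps the reconfiguration step described above: it picks the right commands for the release, takes a snapshot of /dev/dsk before and after, and sends any disk links that appeared to syslog via logger(1), so that an unexpected new device is recorded rather than silently linked in. The release-to-command mapping, the snapshot of /dev/dsk and the logger priority are my assumptions; the commands themselves (drvconfig, disks, tapes, ports, devfsadm) are the ones named in the text.

```shell
#!/bin/sh
# Added example: reconfigure devices without a reboot and log any new
# disk device links. Assumes uname -r reports 5.x (SunOS 5.8 = Solaris 8).

# reconfig_cmds RELEASE: print the reconfiguration commands for a
# "uname -r" value, one per line. devfsadm replaces the older tools
# from 5.8 onwards, as the digest quotes from devfsadm(1M).
reconfig_cmds() {
    case "$1" in
        5.[0-7]) printf '%s\n' drvconfig disks tapes ports ;;
        *)       printf '%s\n' devfsadm ;;
    esac
}

# new_entries BEFORE AFTER: lines present in AFTER but not in BEFORE.
# Both arguments are newline-separated lists (e.g. "ls /dev/dsk"
# snapshots). Pure sh/awk, no temp files, so it works on an old box.
new_entries() {
    { printf '%s\n' "$1"; printf '%s\n' '--- AFTER ---'; printf '%s\n' "$2"; } |
    awk '
        /^--- AFTER ---$/  { after = 1; next }
        !after             { seen[$0] = 1; next }
        $0 != "" && !($0 in seen)'
}

# reconfigure_and_log: snapshot /dev/dsk, run the reconfiguration
# commands for this release, then report new disk links to syslog.
reconfigure_and_log() {
    before=$(ls /dev/dsk 2>/dev/null)
    reconfig_cmds "$(uname -r)" | while read -r cmd; do
        "$cmd" || echo "reconfigure: $cmd failed" >&2
    done
    after=$(ls /dev/dsk 2>/dev/null)
    added=$(new_entries "$before" "$after")
    if [ -n "$added" ]; then
        printf '%s\n' "$added" | while read -r d; do
            # assumed priority; pick whatever your syslog.conf routes to a kept log
            logger -p daemon.notice "reconfigure: new disk device link /dev/dsk/$d"
        done
    fi
}

# Only run the real thing on Solaris; elsewhere the functions are just defined.
if [ "$(uname -s)" = SunOS ]; then
    reconfigure_and_log
fi
```

The same before/after comparison can be applied to /dev/rmt or /dev/term if tapes or serial ports matter on the host; new_entries does not care what the lists contain.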
If you have any security tips/scripts you'd like to share with others, contact sean at boran.com.
A list of Solaris resources and references:
securityportal.com/topnews/weekly/solarisref.html
Seán Boran is an IT security consultant based in Switzerland and the author of the online IT Security Cookbook.
© Copyright 2000, SecurityPortal Inc. & Seán Boran, All Rights Reserved, Last Update: 01 December, 2000