Security 11 Solaris
Transcript of Security 11 Solaris
8/11/2019 Security 11 Solaris
http://slidepdf.com/reader/full/security-11-solaris 1/167
Solaris 11 Security - a live demo in slides -
by Joerg "c0t0d0s0.org" Möllenkamp
This slideset was made to have a fallback for a live d
at a series of Oracle Breakfast events in Germany, as the presentation diverted a lot in the first locatio
in the light of recent events around privacy and secu
However, most information is in the voice track that wasn't
So this presentation may not be that useful.
If you need the voice track, ask your Oracle sales rep that he asks his man
to ask my manager to let me do the presentation in your country ;)
Primarily I used examples from my practical work and from m
however I would like to thank two colleagues:
Glenn Faden for "Oracle Solaris Extended Policy and M
https://blogs.oracle.com/gfaden/entry/oracle_solaris_extended
Darren Moffat for "Compliance reporting with SCAP
https://blogs.oracle.com/darren/entry/compliance_reporting_
I directly reused their blog entries for this presentatio
Certifications
Solaris 10 Common Criteria Evaluation has been certified on EAL4+ level
We have a Common Criteria certification. For Solaris 10 at the moment. For Solaris 11 in the fut
However the Common Criteria certification doesn't certify
Solaris 10 Trusted Extensions Common Criteria Evaluation has been certified on EAL4+ level
http://www.oracle.com/technet/oracle-cc-evalsolaris-083233
The following protection pro
Conditional Access Protection
Role Based Access Control Pr
Label Security Protection Prof
Solaris 11.1 is currently in certification.
http://www.oracle.com/technetwork/topics/security/security-evaluations-099357.ht
Is it really a Solaris 11 binary?
jmoekamp@server:~$ elfsign verify -v /usr/bin/oscap
elfsign: verification of /usr/bin/oscap passed.
format: rsa_md5_sha1.
signer: CN=SunOS 5.10, OU=Solaris Signed Execution, O=Sun Microsyst
Sandboxing applications on Solaris 11.1
root@solaris# profiles -p "MySQL Service"
MySQL Service> set desc="Locking down the MySQL Service
MySQL Service> add cmd=/lib/svc/method/mysql_51
MySQL Service:mysql_51> set privs=basic
MySQL Service:mysql_51> add privs={net_privaddr}:3306/t
MySQL Service:mysql_51> add privs={file_write}:/var/mys
MySQL Service:mysql_51> add privs={file_write}:/tmp/mys
MySQL Service:mysql_51> add privs={file_write}:/var/tmp
MySQL Service:mysql_51> end
MySQL Service> set uid=mysql
MySQL Service> set gid=mysql
MySQL Service> exit
root@solaris#
root@solaris# svccfg -s mysql:version_51
svc:/application/database/mysql:version_51> setprop method_context/profil
svc:/application/database/mysql:version_51> setprop method_context/use_pr
svc:/application/database/mysql:version_51> refresh
svc:/application/database/mysql:version_51> exit
root@solaris# ipadm set-prop -p extra_priv_ports+=3306 tcp
root@solaris# ipadm show-prop -p extra_priv_ports tcp
PROTO PROPERTY          PERM CURRENT         PERSISTENT DEFAULT
tcp   extra_priv_ports  rw   2049,4045,3306  --         2049,4045
# svcadm enable mysql:version_51
root@solaris# ppriv $(pgrep mysql)
103697: /usr/mysql/5.1/bin/mysqld --basedir=/usr/mysql/5.1 --datadir=
flags = PRIV_XPOLICY
        Extended policies:
                {net_privaddr}:3306/tcp
                {file_write}:/var/mysql/5.1/data/*
                {file_write}:/tmp/mysql.sock
                {file_write}:/var/tmp/ib*
        E: basic,!file_write
        I: basic,!file_write
        P: basic,!file_write
        L: all
103609: /bin/sh /usr/mysql/5.1/bin/mysqld_safe --user=mysql --datadir
flags = PRIV_XPOLICY
        Extended policies:
                {net_privaddr}:3306/tcp
                {file_write}:/var/mysql/5.1/data/*
                {file_write}:/tmp/mysql.sock
                {file_write}:/var/tmp/ib*
        E: basic,!file_write
        I: basic,!file_write
        P: basic,!file_write
        L: all
Find more information regarding this feature at:
https://blogs.oracle.com/gfaden/entry/oracle_solaris_extended_polic
Passwords
root@client:/etc/security# cat /etc/security/crypt.c
#
# Copyright 2008 Sun Microsystems, Inc.  All rights
# Use is subject to license terms.
#
#ident  "%Z%%M% %I%     %E% SMI"
#
# The algorithm name __unix__ is reserved.
#
1       crypt_bsdmd5.so.1
2a      crypt_bsdbf.so.1
md5     crypt_sunmd5.so.1
5       crypt_sha256.so.1
6       crypt_sha512.so.1
root@client:/etc/security# cat /etc/security/policy.conf | egrep "^CRYPT_DEFAULT=5
root@client:/etc/security# cat /etc/shadow | grep junior
junior:$5$4aKvDFqA$2kL8GpuXjrd.f8XpanqhylEP5lDhy1DF5uo1ZYx74f3:1592
root@client:/etc/security# cat /etc/default/passwd | grep -v "# " |
#ident  "%Z%%M% %I%     %E% SMI"
MAXWEEKS=
MINWEEKS=
PASSLENGTH=6
#NAMECHECK=NO
#HISTORY=0
#MINDIFF=3
#MINALPHA=2
#MINNONALPHA=1
#MINUPPER=0
#MINLOWER=0
#MAXREPEATS=0
#MINSPECIAL=0
#MINDIGIT=0
#WHITESPACE=YES
#DICTIONLIST=
#DICTIONDBDIR=/var/passwd
root@client:/# mkpwdict -s /usr/share/lib/dict/words
mkpwdict: using default database location: /var/passwd.
or:
root@client:/# mkpwdict -s /usr/share/lib/dict/words -d
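An added example (not from the slides) that evaluates a candidate password against the controls in /etc/default/passwd: the slide's file, where only PASSLENGTH=6 is active, is compared with a constructed stricter policy. The control semantics are my reading of passwd(4); MAXREPEATS is treated as the longest run of one character, and MINDIFF/HISTORY are skipped because they need the old password.

```python
# /etc/default/passwd as shown on the slide: only PASSLENGTH is in effect,
# every other control is commented out (constructed copy of the slide text).
SLIDE_POLICY = """\
MAXWEEKS=
MINWEEKS=
PASSLENGTH=6
#NAMECHECK=NO
#HISTORY=0
#MINDIFF=3
#MINALPHA=2
#MINNONALPHA=1
#MINUPPER=0
#MINLOWER=0
#MAXREPEATS=0
#MINSPECIAL=0
#MINDIGIT=0
#WHITESPACE=YES
"""

# A stricter policy a hardening baseline might set (constructed, not from the slide).
HARDENED_POLICY = """\
PASSLENGTH=12
MINALPHA=2
MINUPPER=1
MINLOWER=1
MINDIGIT=1
MINSPECIAL=1
MAXREPEATS=2
WHITESPACE=NO
"""


def parse_policy(text):
    """Return {KEY: value} for active (uncommented, non-empty) assignments."""
    policy = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if value.strip():
            policy[key.strip()] = value.strip()
    return policy


def longest_run(s):
    """Length of the longest run of one repeated character."""
    best = run = 0
    for i, c in enumerate(s):
        run = run + 1 if i and s[i - 1] == c else 1
        best = max(best, run)
    return best


def check_password(pw, policy):
    """Return the names of the controls pw violates; an empty list means it passes.
    Semantics follow my reading of passwd(4); MINDIFF and HISTORY need the old
    password and are not checked here."""
    n = lambda key: int(policy.get(key, 0))
    alpha = sum(c.isalpha() for c in pw)
    digits = sum(c.isdigit() for c in pw)
    special = sum(not c.isalnum() and not c.isspace() for c in pw)
    failed = []
    if len(pw) < int(policy.get("PASSLENGTH", 6)):
        failed.append("PASSLENGTH")
    if alpha < n("MINALPHA"):
        failed.append("MINALPHA")
    if sum(c.isupper() for c in pw) < n("MINUPPER"):
        failed.append("MINUPPER")
    if sum(c.islower() for c in pw) < n("MINLOWER"):
        failed.append("MINLOWER")
    if digits < n("MINDIGIT"):
        failed.append("MINDIGIT")
    if special < n("MINSPECIAL"):
        failed.append("MINSPECIAL")
    if "MINNONALPHA" in policy and digits + special < n("MINNONALPHA"):
        failed.append("MINNONALPHA")
    if n("MAXREPEATS") and longest_run(pw) > n("MAXREPEATS"):
        failed.append("MAXREPEATS")
    if policy.get("WHITESPACE", "YES").upper() == "NO" and any(c.isspace() for c in pw):
        failed.append("WHITESPACE")
    return failed
```

With the slide's file a six-character all-lowercase password passes every active check, which is the point of the next slides on dictionary checks.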
Address Space Layout Randomization
root@solaris:/# sxadm exec -s aslr=disable /usr/bin/pmap self
1914:   /usr/bin/pmap self
0000000000400000      28K r-x--  /usr/bin/pmap
0000000000417000       4K rw---  /usr/bin/pmap
0000000000418000      40K rw---  [ heap ]
FFFF80FFBDDD0000     216K r-x--  /lib/amd64/libproc.so.1
FFFF80FFBDE16000       8K rw---  /lib/amd64/libproc.so.1
FFFF80FFBF430000    1764K r-x--  /lib/amd64/libc.so.1
FFFF80FFBF5F9000      64K rw---  /lib/amd64/libc.so.1
FFFF80FFBF609000      12K rw---  /lib/amd64/libc.so.1
FFFF80FFBF740000       4K rw---  [ anon ]
FFFF80FFBF750000      24K rwx--  [ anon ]
FFFF80FFBF760000       4K rw---  [ anon ]
FFFF80FFBF770000       4K rw---  [ anon ]
FFFF80FFBF780000       4K rw---  [ anon ]
FFFF80FFBF790000       4K rw---  [ anon ]
FFFF80FFBF792000       4K r--s-  [ anon ]
FFFF80FFBF795000     340K r-x--  /lib/amd64/ld.so.1
FFFF80FFBF7FA000      12K rwx--  /lib/amd64/ld.so.1
FFFF80FFBF7FD000       8K rwx--  /lib/amd64/ld.so.1
FFFF80FFBFFFD000      12K rw---  [ stack ]
 total          2556K
root@solaris:/# sxadm exec -s aslr=disable /usr/bin/pmap se
1915:   /usr/bin/pmap self
0000000000400000      28K r-x--  /usr/bin/pmap
0000000000417000       4K rw---  /usr/bin/pmap
0000000000418000      40K rw---  [ heap ]
FFFF80FFBDDD0000     216K r-x--  /lib/amd64/libproc.so.1
FFFF80FFBDE16000       8K rw---  /lib/amd64/libproc.so.1
FFFF80FFBF430000    1764K r-x--  /lib/amd64/libc.so.1
FFFF80FFBF5F9000      64K rw---  /lib/amd64/libc.so.1
FFFF80FFBF609000      12K rw---  /lib/amd64/libc.so.1
FFFF80FFBF740000       4K rw---  [ anon ]
FFFF80FFBF750000      24K rwx--  [ anon ]
FFFF80FFBF760000       4K rw---  [ anon ]
FFFF80FFBF770000       4K rw---  [ anon ]
FFFF80FFBF780000       4K rw---  [ anon ]
FFFF80FFBF790000       4K rw---  [ anon ]
FFFF80FFBF792000       4K r--s-  [ anon ]
FFFF80FFBF795000     340K r-x--  /lib/amd64/ld.so.1
FFFF80FFBF7FA000      12K rwx--  /lib/amd64/ld.so.1
FFFF80FFBF7FD000       8K rwx--  /lib/amd64/ld.so.1
FFFF80FFBFFFD000      12K rw---  [ stack ]
 total          2556K
root@solaris:/# sxadm exec -s aslr=enable /usr/bin/pmap sel
1917:   /usr/bin/pmap self
0000000000400000      28K r-x--  /usr/bin/pmap
0000000000417000       4K rw---  /usr/bin/pmap
0000000000418000       8K rw---  /usr/bin/pmap
00000005D6666000      36K rw---  [ heap ]
00007FF669C70000     216K r-x--  /lib/amd64/libproc.so.1
00007FF669CB6000       8K rw---  /lib/amd64/libproc.so.1
00007FF669CC0000       4K rw---  [ anon ]
00007FF669CD0000      24K rwx--  [ anon ]
00007FF669CE0000       4K rw---  [ anon ]
00007FF669CF0000    1764K r-x--  /lib/amd64/libc.so.1
00007FF669EB9000      64K rw---  /lib/amd64/libc.so.1
00007FF669EC9000      12K rw---  /lib/amd64/libc.so.1
00007FF669ED0000       4K rw---  [ anon ]
00007FF669EE0000       4K rw---  [ anon ]
00007FF669EF0000       4K rw---  [ anon ]
00007FF669EF2000       4K r--s-  [ anon ]
00007FF669EFC000     340K r-x--  /lib/amd64/ld.so.1
00007FF669F61000      12K rwx--  /lib/amd64/ld.so.1
00007FF669F64000       8K rwx--  /lib/amd64/ld.so.1
FFFF80DDA254F000      16K rw---  [ stack ]
 total          2564K
root@solaris:/# sxadm exec -s aslr=enable /usr/bin/pmap sel
1918:   /usr/bin/pmap self
0000000000400000      28K r-x--  /usr/bin/pmap
0000000000417000       4K rw---  /usr/bin/pmap
0000000000418000       8K rw---  /usr/bin/pmap
000000065B76D000      36K rw---  [ heap ]
00007FFAACFC0000     216K r-x--  /lib/amd64/libproc.so.1
00007FFAAD006000       8K rw---  /lib/amd64/libproc.so.1
00007FFAAD010000       4K rw---  [ anon ]
00007FFAAD020000      24K rwx--  [ anon ]
00007FFAAD030000       4K rw---  [ anon ]
00007FFAAD040000    1764K r-x--  /lib/amd64/libc.so.1
00007FFAAD209000      64K rw---  /lib/amd64/libc.so.1
00007FFAAD219000      12K rw---  /lib/amd64/libc.so.1
00007FFAAD220000       4K rw---  [ anon ]
00007FFAAD230000       4K rw---  [ anon ]
00007FFAAD240000       4K rw---  [ anon ]
00007FFAAD242000       4K r--s-  [ anon ]
00007FFAAD24D000     340K r-x--  /lib/amd64/ld.so.1
00007FFAAD2B2000      12K rwx--  /lib/amd64/ld.so.1
00007FFAAD2B5000       8K rwx--  /lib/amd64/ld.so.1
FFFF80DE1559E000      12K rw---  [ stack ]
root@solaris:/# sxadm info
EXTENSION  STATUS                  CONFIGURATION
aslr       enabled (tagged-files)  system default (
root@solaris:/# elfdump -d /usr/bin/pmap | grep "ASLR"
     [33]  SUNW_ASLR         0x2          ENABLE
root@solaris:/# elfedit -e 'dyn:sunw_aslr disable' /usr/bi
root@solaris:/# elfdump -d /usr/bin/pmap | grep "ASLR"
     [33]  SUNW_ASLR         0x1          DISABLE
root@solaris:/# sxadm enable -c model=all aslr
root@solaris:/# sxadm info
EXTENSION  STATUS         CONFIGURATION
aslr       enabled (all)  enabled (all)
root@solaris:/# sxadm disable aslr
root@solaris:/# sxadm info
EXTENSION  STATUS    CONFIGURATION
aslr       disabled  disabled
root@solaris:/# sxadm enable -c model=tagged-files aslr
root@solaris:/# sxadm info
EXTENSION  STATUS                  CONFIGURATION
aslr       enabled (tagged-files)  enabled (tagge
root@template:/etc/apache2/2.2# profiles -p "httpd edit
profiles:httpd edit> set auths=solaris.admin.edit/etchttpd.conf
profiles:httpd edit> set desc="Edit httpd"
profiles:httpd edit> exit
root@template:/etc/apache2/2.2# usermod -P +"httpd ed
junior@template:~$ profiles
httpd edit
Basic Solaris User
All
junior@template:~$ vi /etc/apache2/2.2/httpd.co
junior@template:~$ pfedit /etc/apache2/2.2/httpd.c
pfedit: /etc/apache2/2.2/httpd.conf has been updat
junior@template:~$ pfedit /etc/apache2/2.2/mime.types
pfedit: User junior is not authorized to edit the fi
apache2/2.2/mime.types.
junior@template:~$ pfedit /etc/apache2/2.2/mime.types
pfedit: no changes for /etc/apache2/2.2/mime.types.
# profiles -p "httpd configure"
profiles:httpd configure> add always_audit=as
profiles:httpd configure> info
        name=httpd configure
        desc=Configure httpd
        auths=solaris.admin.edit/etc/apache2/2.2/httpd.conf,solaris.admin.edit/etc/apache2/2.2/mime.types
        always_audit=as
        never_audit=no
profiles:httpd configure> exit
root@template:~#
root@template:~# auditreduce -c as | praudit
[..]
header 486 2 edit administrative file fe80::a00:27ff
header,486,2,edit administrative file,,fe80::a00:27ff
2013-08-12 07:45:52.306 +00:00
subject,junior,junior,staff,junior,staff,4212,447467166,369 MacBook-Pro-of-c0t0d0s0.fritz.box
path,/etc/apache2/2.2/httpd.conf
use of authorization,solaris.admin.edit/etc/apache2/2.2/httpd
text,--- /etc/apache2/2.2/httpd.conf   Mo. Aug 12 07:45:00 2
+++ /etc/apache2/2.2/httpd.conf.pfedit.1BaGoi   07:45:52 2013
@@ -1,5 +1,6 @@
 # Test
 # Test 2:
+# Test 3:
 #
 # This is the main Apache HTTP server configuration
contains the
 # configuration directives that give the server its ins
return,success,0
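Added example (not from the slides): parse the praudit output above into structured events that can be reviewed or alerted on, with who edited which file under which authorization and what the diff added. The first record is copied from the slide with the diff shortened and the timestamp placed on the header line; the second, denied record for mime.types is constructed to show the failure path, and its token layout is an assumption.

```python
# praudit output for the "edit administrative file" event that pfedit
# generates under the always_audit=as profile. Constructed copy of the slide
# record (diff shortened, timestamp on the header line) plus an assumed
# second record for the denied mime.types edit.
PRAUDIT = """\
header,486,2,edit administrative file,,fe80::a00:27ff,2013-08-12 07:45:52.306 +00:00
subject,junior,junior,staff,junior,staff,4212,447467166,369 MacBook-Pro-of-c0t0d0s0.fritz.box
path,/etc/apache2/2.2/httpd.conf
use of authorization,solaris.admin.edit/etc/apache2/2.2/httpd.conf
text,--- /etc/apache2/2.2/httpd.conf
+++ /etc/apache2/2.2/httpd.conf.pfedit.1BaGoi
@@ -1,5 +1,6 @@
 # Test
 # Test 2:
+# Test 3:
 #
return,success,0
header,120,2,edit administrative file,,fe80::a00:27ff,2013-08-12 07:50:01.000 +00:00
subject,junior,junior,staff,junior,staff,4213,447467166,369 MacBook-Pro-of-c0t0d0s0.fritz.box
path,/etc/apache2/2.2/mime.types
return,failure: Permission denied,-1
"""

SUBJECT_FIELDS = ("audit_user", "uid", "gid", "ruid", "rgid", "pid", "sid", "tid")


def parse_praudit(text):
    """Split praudit's default comma-separated output into records, one per
    header token. The text token may span several lines (it carries a diff),
    so lines that are not a known token are appended to the open text token."""
    records, cur, in_text = [], None, False
    for line in text.splitlines():
        tok, _, rest = line.partition(",")
        if tok == "header":
            cur = {"event": rest.split(",")[2], "text": []}
            records.append(cur)
            in_text = False
        elif cur is None:
            continue
        elif tok == "subject":
            cur["subject"] = dict(zip(SUBJECT_FIELDS, rest.split(",")))
            in_text = False
        elif tok == "path":
            cur["path"], in_text = rest, False
        elif tok == "use of authorization":
            cur["auth"], in_text = rest, False
        elif tok == "text":
            cur["text"].append(rest)
            in_text = True
        elif tok == "return":
            cur["status"], cur["retval"] = rest.split(",", 1)
            in_text = False
        elif in_text:
            cur["text"].append(line)  # continuation line of the diff
    return records


def added_lines(record):
    """Lines the editor added, taken from the unified diff in the text token."""
    return [l[1:] for l in record["text"] if l.startswith("+") and not l.startswith("+++")]


def pfedit_events(text):
    """One row per 'edit administrative file' record: user, file, authorization
    used, outcome and the added lines. This is the view to feed into alerting."""
    rows = []
    for r in parse_praudit(text):
        if r["event"] != "edit administrative file":
            continue
        rows.append({"user": r["subject"]["audit_user"], "path": r.get("path"),
                     "auth": r.get("auth"), "status": r.get("status"),
                     "added": added_lines(r)})
    return rows


def denied_edits(text):
    """Edit attempts that did not succeed, e.g. a user lacking the authorization."""
    return [row for row in pfedit_events(text) if row["status"] != "success"]
```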
Delegating privilege to restart services (so you can keep the root password)
junior@template:~$ svcadm refresh apache22
svcadm: svc:/network/http:apache22: Permission de
# svcs -a | grep "apache22"
online         15:30:29 svc:/network/http:apache22
# auths add -t "Apache22 value" solaris.smf.value.ht
# auths add -t "Apache22 action" solaris.smf.action.
# svccfg -s apache22 setprop general/value_aut
astring: solaris.smf.value.http.apache22
# svccfg -s apache22 setprop general/action_aut
astring: solaris.smf.action.http.apache22
# profiles -p "httpd edit" \ add auths=solaris.smf.action.http.apache22
junior@template:~$ svcadm refresh apache2
junior@template:~$
Privileges
$ ls -l /usr/sbin/traceroute
-r-sr-xr-x   1 root     bin        42324 Nov 21 00:09 /usr/sbin/tr
$ ls -l /usr/sbin/ping
-r-sr-xr-x   1 root     bin        51396 Nov 18 19:31 /usr/sbin/p
set-id to root, ping needs it to work ...
# chmod -s /sbin/ping
# exit
$ ping -s 192.168.1.132
ping: socket Permission denied
Remove the set-uid and ping will stop working ...
jmoekamp@daddelkiste:~$ ppriv $$
2153: -bash
flags = <none>
        E: basic
        I: basic
        P: basic
        L: all
contract_event,contract_identity,contract_observer,cpce_kernel,dtrace_proc,dtrace_user,file_chown,file_chown
_dac_execute,file_dac_read,file_dac_search,file_dac_wowngrade_sl,file_flag_set,file_link_any,file_owner,fie_setid,file_upgrade_sl,file_write,graphics_access,gripc_dac_read,ipc_dac_write,ipc_owner,net_access,net_b
icmpaccess,net_mac_aware,net_mac_implicit,net_observabprivaddr,net_rawaccess,proc_audit,proc_chroot,proc_clo,proc_exec,proc_fork,proc_info,proc_lock_memory,proc_opriocntl,proc_session,proc_setid,proc_taskid,proc_zonesys_admin,sys_audit,sys_config,sys_devices,sys_dl_con
w_config,sys_ib_config,sys_ib_info,sys_ip_config,sys_sys_iptun_config,sys_linkdir,sys_mount,sys_net_config
s_ppp_config,sys_res_bind,sys_res_config,sys_resourcesys_smb,sys_suser_compat,sys_time,sys_trans_label,win_in_config,win_dac_read,win_dac_write,win_devices,win_dngrade_sl,win_fontpath,win_mac_read,win_mac_write,win_
win_upgrade_sl
All privileges in their entirety assigned to one user are
# (almost)
moekamp@daddelkiste:~$ ppriv -v $$
2153: -bash
flags = <none>
        E: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session
        I: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session
        P: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session
        L: contract_event,contract_identity,contract_observer,cpc_cpu,dtrace_kernel,dtrace_proc,dtr
file_chown_self,file_dac_execute,file_dac_read,file_dac_search,file_dac_write,file_downg
t,file_link_any,file_owner,file_read,file_setid,file_upgrade_sl,file_write,graphics_acce
dac_read,ipc_dac_write,ipc_owner,net_access,net_bindmlp,net_icmpaccess,net_mac_aware,net
servability,net_privaddr,net_rawaccess,proc_audit,proc_chroot,proc_clock_highres,proc_ex
fo,proc_lock_memory,proc_owner,proc_priocntl,proc_session,proc_setid,proc_taskid,proc_zon
,sys_audit,sys_config,sys_devices,sys_dl_config,sys_flow_config,sys_ib_config,sys_ib_in
_ipc_config,sys_iptun_config,sys_linkdir,sys_mount,sys_net_config,sys_nfs,sys_ppp_config
s_config,sys_resource,sys_share,sys_smb,sys_suser_compat,sys_time,sys_trans_label,win_con
_dac_read,win_dac_write,win_devices,win_dga,win_downgrade_sl,win_fontpath,win_mac_read
lection,win_upgrade_sl
root@daddelkiste:~# ppriv $$
2183: -bash
flags = <none>
        E: all
        I: basic
        P: all
        L: all
junior@daddelkiste:~$ dtrace -n 'syscall:::entry { @n = count(); }'
dtrace: failed to initialize dtrace: DTrace requires privileges
root@daddelkiste:~# usermod -K defaultpriv=basic,dtrace_kernel,dtrace_proc,dtrace_u
UX: usermod: junior is currently logged in, some chan
take effect until next login.
junior@daddelkiste:~$ dtrace -n 'syscall:::entry { @n = count(); }'
dtrace: description 'syscall:::entry ' matched 211 pr
^C
automountd sshd dtrace auditd
# ps -ef | grep "kcfd"
  daemon   125     1   0 14:24:19 ?           0:00 /usr/lib/crypto/kcfd
    root   734   728   0 15:54:08 pts/1       0:00 grep kcfd
# ppriv -v 125
125: /usr/lib/crypto/kcfd
flags = PRIV_AWARE
        E: file_owner,proc_priocntl,sys_devices
        I: none
        P: file_owner,proc_priocntl,sys_devices
        L: none
# svcadm -v enable -s apache2
svc:/network/http:apache2 enabled.
jmoekamp@client:~$ ps -ef | grep "http"
webservd  1978  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd
webservd  1979  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd
webservd  1980  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd
webservd  1984  1975   0 12:20:02 ?           0:00 /usr/apache2/2.2/bin/httpd
    root  1975     1   0 12:19:14 ?           0:01 /usr/apache2/2.2/bin/httpd
webservd  1977  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd
webservd  1976  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd
root@client:~# ppriv 1977
1977: /usr/apache2/2.2/bin/httpd -k start
flags = <none>
        E: basic
        I: basic
        P: basic
        L: all
root@client:~# ppriv 1975
1975: /usr/apache2/2.2/bin/httpd -k start
flags = <none>
        E: all
        I: basic
        P: all
        L: all
root@client:~#
The apache process as root has the following privileges:
contract_event,contract_identity,contract_observer,cpc_cpu,ernel,dtrace_proc,dtrace_user,file_chown,file_chown_self,fixecute,file_dac_read,file_dac_search,file_dac_write,file_dosl,file_flag_set,file_link_any,file_owner,file_read,file_se
_upgrade_sl,file_write,graphics_access,graphics_map,ipc_dacc_dac_write,ipc_owner,net_access,net_bindmlp,net_icmpaccess
_aware,net_mac_implicit,net_observability,net_privaddr,net_s,proc_audit,proc_chroot,proc_clock_highres,proc_exec,proc_c_info,proc_lock_memory,proc_owner,proc_priocntl,proc_sessisetid,proc_taskid,proc_zone,sys_acct,sys_admin,sys_audit,sy,sys_devices,sys_dl_config,sys_flow_config,sys_ib_config,syo,sys_ip_config,sys_ipc_config,sys_iptun_config,sys_linkdirnt,sys_net_config,sys_nfs,sys_ppp_config,sys_res_bind,sys_rg,sys_resource,sys_share,sys_smb,sys_suser_compat,sys_time,s_label,win_colormap,win_config,win_dac_read,win_dac_write,ces,win_dga,win_downgrade_sl,win_fontpath,win_mac_read,win_e,win_selection,win_upgrade_sl
Apache really needs:
So you grant a large number of privileges to one process need.
svcadm -v disable -s apache2
svc:/network/http:apache2 disabled.
root@client:~# svccfg -s apache22
svc:/network/http:apache22> setprop start/user = astring: webservd
svc:/network/http:apache22> setprop start/group = astring: webservd
svc:/network/http:apache22> setprop start/privileges = astring: basi
!proc_info,!file_link_any,net_privaddr
svc:/network/http:apache22> setprop start/limit_privileges = astring
svc:/network/http:apache22> setprop start/use_profile = boolean: fal
svc:/network/http:apache22> setprop start/supp_groups = astring: :de
svc:/network/http:apache22> setprop start/working_directory = astrin
svc:/network/http:apache22> setprop start/project = astring: :defaul
svc:/network/http:apache22> setprop start/resource_pool = astring: :
svc:/network/http:apache22> end
root@client:~# svcadm -v refresh apache22
Action refresh set for svc:/network/http:apache22.
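As an added example (not from the slides or from Oracle), the following Python expands a start/privileges specification like the one set above into a concrete set, using the basic set as ppriv -v listed it in the Privileges section, and parses ppriv output into a small least-privilege check that also covers the MySQL extended-policy slides. The sample outputs are copied from the mysqld and root httpd slides (trimmed); the full hardened spec 'basic,!proc_info,!file_link_any,net_privaddr' is assumed because the slide cuts it off.

```python
import re

# The "basic" set as "ppriv -v" expanded it on the slides.
BASIC = frozenset({"file_link_any", "file_read", "file_write", "net_access",
                   "proc_exec", "proc_fork", "proc_info", "proc_session"})

# ppriv output copied from the slides (trimmed): the sandboxed mysqld with an
# extended policy, and the root-owned httpd parent before reconfiguration.
MYSQLD = """\
103697: /usr/mysql/5.1/bin/mysqld --basedir=/usr/mysql/5.1
flags = PRIV_XPOLICY
        Extended policies:
                {net_privaddr}:3306/tcp
                {file_write}:/var/mysql/5.1/data/*
                {file_write}:/tmp/mysql.sock
                {file_write}:/var/tmp/ib*
        E: basic,!file_write
        I: basic,!file_write
        P: basic,!file_write
        L: all
"""
HTTPD_ROOT = """\
1975: /usr/apache2/2.2/bin/httpd -k start
flags = <none>
        E: all
        I: basic
        P: all
        L: all
"""
# Assumed full value of the start/privileges property the slide cuts off.
HTTPD_SPEC = "basic,!proc_info,!file_link_any,net_privaddr"


def expand_privs(spec, basic=BASIC):
    """Expand a privilege spec such as 'basic,!proc_info,net_privaddr' into a set.
    Tokens apply left to right; a leading '!' removes. 'all' is kept as the
    literal token 'all' because the full privilege list is too long to embed."""
    privs = set()
    for tok in (t.strip() for t in spec.split(",")):
        if not tok:
            continue
        negate = tok.startswith("!")
        name = tok.lstrip("!")
        members = basic if name == "basic" else {name}
        privs = privs - members if negate else privs | members
    return privs


def parse_ppriv(text):
    """Parse one process's ppriv output: pid, cmd, flags, the E/I/P/L sets and
    extended-policy entries as (privilege, target) tuples."""
    info = {"xpolicy": []}
    for line in text.splitlines():
        m = re.match(r"^(\d+):\s+(.*)$", line)
        if m:
            info["pid"], info["cmd"] = int(m.group(1)), m.group(2)
            continue
        if line.startswith("flags = "):
            info["flags"] = line.split("=", 1)[1].strip()
            continue
        m = re.match(r"^\s*([EIPL]):\s*(.*)$", line)
        if m:
            info[m.group(1)] = m.group(2).strip()
            continue
        s = line.strip()
        if s.startswith("{") and "}:" in s:   # e.g. {file_write}:/tmp/mysql.sock
            priv, target = s[1:].split("}:", 1)
            info["xpolicy"].append((priv, target))
    return info


def audit_process(text):
    """Return (parsed, findings). Findings: an E or P set of 'all', or a
    sensitive privilege held outright instead of via an extended policy."""
    p = parse_ppriv(text)
    findings = []
    if "all" in (p.get("E"), p.get("P")):
        findings.append("E or P set is 'all': no least privilege applied")
    effective = expand_privs(p.get("E", ""))
    restricted = {priv for priv, _ in p["xpolicy"]}
    for priv in ("file_write", "net_privaddr"):
        if priv in effective and priv not in restricted:
            findings.append(f"{priv} held without an extended policy restriction")
    return p, findings
```

Running audit_process over the reconfigured httpd (E set from HTTPD_SPEC) reports file_write and net_privaddr as candidates for path and port restrictions like the ones the MySQL profile carries.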
# echo "LockFile /var/apache2/2.2/logs/accept.lock" >> /etc/apache2/2.2/ht
# echo "PidFile /var/apache2/2.2/run/httpd.pid" >> /etc/apache2/2.2/httpd
# mkdir -p -m 755 /var/apache2/2.2/run
# chown webservd:webservd /var/apache2/2.2/run
# svcadm enable apache22
webservd  3064  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/ht
webservd  3062  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/ht
webservd  3063  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/ht
webservd  3066  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/ht
webservd  3061     1   0 16:49:17 ?           0:00 /usr/apache2/2.2/bin/ht
webservd  3065  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/ht
Read-only zone root
# mkdir /etc/keys
# cd /etc/keys
# openssl req -x509 -nodes -days 365 -subj "/C=DE/ST=Hambu
CN=server" -newkey rsa:1024 -keyout /etc/keys/mykey.pem -o
mycert.pem
# cat mycert.pem mykey.pem > my.pem
# chmod 600 *
# echo "pass" > /etc/keys/my.pass
# ksslcfg create -f pem -i /etc/keys/my.pem -x 8080 -p /etc/keys/my
ksslcfg create -f pem -i /etc/keys/my.pem -x 8080 \
    -p /etc/keys/my.pass \
    -c "rsa_aes_256_cbc_sha,rsa_aes_128_cbc_sha,rsa_rc4_128_sha,rsa
    server 443
# svcs -a | grep "kssl"
online          9:03:33 svc:/network/ssl/proxy:kssl-server-443
# svcadm disable apache22
# echo "Listen 192.168.178.108:8080" >> /etc/apache2/2
# svcadm enable apache22
Port number and IP address have to be defined i
... otherwise it will not work.
# openssl s_client -connect server:443
CONNECTED(00000004)
depth=0 /C=DE/ST=Hamburg/L=Hamburg/CN=server
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=DE/ST=Hamburg/L=Hamburg/CN=server
verify return:1
---
Certificate chain
 0 s:/C=DE/ST=Hamburg/L=Hamburg/CN=server
   i:/C=DE/ST=Hamburg/L=Hamburg/CN=server
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICoTCCAgqgAwIBAgIJAKyJdj/[...]V5jX3MU=
-----END CERTIFICATE-----
subject=/C=DE/ST=Hamburg/L=Hamburg/CN=server
issuer=/C=DE/ST=Hamburg/L=Hamburg/CN=server
---
No client certificate CA names sent
---
SSL handshake has read 817 bytes and written 328 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-SHA
    Session-ID: 32CEF20CB9FE2A71C74D40BB2DB5CB304DA1B15B99DBE9812
    Session-ID-ctx:
    Master-Key: 1E7B502390951124779C5763B5E4BBAF0A9B0503A5C5027B6FAD9CA7626B1AD8C62219E850
    Key-Arg   : None
    Start Time: 1242985143
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed c
---
GET / HTTP/1.0

HTTP/1.1 200 OK
Date: Fri, 22 May 2009 09:39:13 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/0.9.8a DAV/2
Last-Modified: Thu, 21 May 2009 21:26
ETag: "341f3-2c-46a72cc211a8f"
Accept-Ranges: bytes
Content-Length: 44
Connection: close
Content-Type: text/html

<html><body><h1>It works!</h1></body></html>
read:errno=0
ZFS Encryption
# zfs create -o encryption=on rpool/export/p
aes-128-ccm (=on)
aes-192-ccm
aes-256-ccm
aes-128-gcm
aes-192-gcm
aes-256-gcm
zfs set checksum=sha256+mac <dataset>
If encryption!=off, this happens automatically.
The property is read-only from then on.
# pktool genkey keystore=pkcs11 keytype=aes keylen=128 l
Enter PIN for Sun Software PKCS#11 softtoken:
# zfs create -o encryption=on -o keysource=raw,pkcs11:ob tank/project/C
Enter PKCS#11 token PIN for 'tank/project/C':
# zfs create -o encryption=on -o keysource=raw,https://keys.example.com/mykey
# cp myservercert.pem /etc/certs/CA/
# svcadm refresh ca-certificates
$ zfs key -c rpool/export/project
Enter new passphrase for 'rpool/export/project
Changing the encryption key
# zfs key -K tank/project/A
# zfs clone -K tank/project/A@montag tank/proj
Solaris Cryptographic Framework
As soon as Solaris detects hardware acceleration for cryptography, Solaris will use it (and so will applications that use the Oracle-supplied OpenSSL library or the direct interfaces):
• on-chip crypto accelerator in the T and current M series
• instruction set extensions in Intel procs (AES-NI)
• supported crypto accelerator cards

Just a side-note: T-series crypto acceleration and Intel crypto acceleration have pretty much different performance characteristics.
T-Series: acceleration by offloading crypto outside the pipeline
Intel x86: acceleration by offering special in-pipeline instructions to accelerate execution
Sounds like splitting hairs ....
Using ZFS to do two-factor encryption
jmoekamp@solaris:~$ rmformat
Looking for devices...
     1. Logical Node: /dev/rdsk/c10t0d0p0
        Physical Node: /pci@0,0/pci8086,265c@b/storage@2/disk@
        Connected Device: SanDisk  U3 Cruzer Micro 8.02
        Device Type: Removable
        Bus: USB
        Size: 3.8 GB
        Label:
        Access permissions: Medium is not write protected.
(...)
     3. Logical Node: /dev/rdsk/c9t0d0p0
        Physical Node: /pci@0,0/pci8086,265c@b/storage@1/disk@
        Connected Device: SanDisk  U3 Cruzer Micro 8.02
        Device Type: Removable
        Bus: USB
        Size: 3.8 GB
        Label:
        Access permissions: Medium is not write protected.
root@solaris:/# zpool create a_keystore_usbstick /dev/dsk/c1
root@solaris:/# zpool create datastore /dev/dsk/c9t0d0p0
root@solaris:/# zfs create -o encryption=on a_keystore_usb
Enter passphrase for 'a_keystore_usbstick/keys': supersecre
Enter again: supersecret
root@solaris:/# pktool genkey keystore=file keytype=aes k
    outkey=/a_keystore_usbstick/keys/joergsdatastick.key
root@solaris:/# zfs create -o encryption=on -o keysource=ra
    a_keystore_usbstick/keys/joergsdatastick.key datastick/joer
root@solaris:/datastick/joergssecrets# mv /home/jmoek
    highlyconfidential_nda_presos.tgz .
root@solaris:/# zpool export a_keystore_usbstic
root@solaris:/# zpool export datastick
root@solaris:/# zpool import a_keystore_usbstick
Enter passphrase for 'a_keystore_usbstick/keys': supe
root@solaris:/#
root@solaris:/# zpool import datastick
root@solaris:/# cd datastick/joergssecrets
root@solaris:/datastick/joergssecrets# ls
highconfidential_
Basic Auditing and Reporting Tool
# mkdir /bart-files
# bart create -R /etc > /bart-files/etc.control.manifest
# cat etc.control.manifest | grep "/nsswitch.nisplus"
/nsswitch.nisplus F 2525 100644 user::rw-,group::r--,mask:r 473976b5 0 3 79e8fd689a5221d1cd059e5077da71b8
# touch /etc/thisisjustatest
# chmod 777 /etc/nsswitch.files
# echo "#just a test" >> /etc/nsswitch.nisplus
# bart create -R /etc > /bart-files/etc.check20130911.man
# cd /bart-files
# bart compare etc.control.manifest etc.check20130911.mani
/nsswitch.files:
  mode  control:100644  test:100777
  acl  control:user::rw-,group::r--,mask:r--,other:r--  test:user::rwx,group::rwx,mask:rwx,other:rwx
/nsswitch.nisplus:
  size  control:2525  test:2538
  mtime  control:473976b5  test:47a44862
  contents  control:79e8fd689a5221d1cd059e5077da71b8  test:3f79176ec352441db11ec8a3d02ef67c
/thisisjustatest:
  add
Find more information regarding this feature at:
http://www.c0t0d0s0.org/archives/4069-Less-known-Solaris-features-BART
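To see what bart compare is actually doing with the two manifests above, here is an added Python re-implementation of the comparison (example code written for this page, not the slides' own or the bart(1M) source); the two manifests are constructed samples in BART's line format, reusing the nsswitch.nisplus hashes from the slide and made-up hashes elsewhere.

```python
"""Compare two BART manifests the way `bart compare` reports them.

Added example (not the slides' own code, not the bart(1M) source): a Python
re-implementation of the comparison shown above, for manifests in the format
BART prints: fname type size mode acl mtime uid gid [contents|dest].
CONTROL and TEST are constructed samples modelled on the /etc demo; the hashes
for nsswitch.nisplus are the ones on the slide, the others are made up.
"""
from typing import Dict, List, Tuple

Entry = Dict[str, str]

# Fields that follow "fname type" for every entry; F/L/B/C carry one more.
COMMON_FIELDS = ("size", "mode", "acl", "mtime", "uid", "gid")
EXTRA_FIELD = {"F": "contents", "L": "dest", "B": "devnode", "C": "devnode"}

CONTROL = """\
! Version 1.0
# Format (constructed sample): fname F size mode acl mtime uid gid contents
/nsswitch.files F 2533 100644 user::rw-,group::r--,mask:r--,other:r-- 473976b5 0 3 0123456789abcdef0123456789abcdef
/nsswitch.nisplus F 2525 100644 user::rw-,group::r--,mask:r--,other:r-- 473976b5 0 3 79e8fd689a5221d1cd059e5077da71b8
"""

# Same tree after `touch /etc/thisisjustatest`, `chmod 777 /etc/nsswitch.files`
# and appending a comment line to /etc/nsswitch.nisplus (chmod leaves mtime alone).
TEST = """\
! Version 1.0
/nsswitch.files F 2533 100777 user::rwx,group::rwx,mask:rwx,other:rwx 473976b5 0 3 0123456789abcdef0123456789abcdef
/nsswitch.nisplus F 2538 100644 user::rw-,group::r--,mask:r--,other:r-- 47a44862 0 3 3f79176ec352441db11ec8a3d02ef67c
/thisisjustatest F 0 100644 user::rw-,group::r--,mask:r--,other:r-- 47a44900 0 0 d41d8cd98f00b204e9800998ecf8427e
"""


def parse_manifest(text: str) -> Dict[str, Entry]:
    """Return {fname: fields}; '!' header and '#' comment lines are skipped."""
    entries: Dict[str, Entry] = {}
    for line in text.splitlines():
        if not line.strip() or line[0] in "!#":
            continue
        fname, ftype, *rest = line.split()
        names = COMMON_FIELDS + ((EXTRA_FIELD[ftype],) if ftype in EXTRA_FIELD else ())
        if len(rest) != len(names):
            raise ValueError(f"malformed manifest entry: {line!r}")
        entries[fname] = dict(zip(names, rest), type=ftype)
    return entries


def compare(control: Dict[str, Entry], test: Dict[str, Entry]) -> List[Tuple[str, str, str, str]]:
    """(fname, attribute, control value, test value) for each discrepancy;
    files present in only one manifest get the attribute 'add' or 'delete'."""
    diffs: List[Tuple[str, str, str, str]] = []
    for fname in sorted(set(control) | set(test)):
        if fname not in control:
            diffs.append((fname, "add", "", ""))
        elif fname not in test:
            diffs.append((fname, "delete", "", ""))
        else:
            for attr, cval in control[fname].items():
                tval = test[fname].get(attr, "")
                if tval != cval:
                    diffs.append((fname, attr, cval, tval))
    return diffs


def format_report(diffs: List[Tuple[str, str, str, str]]) -> str:
    """Lay the discrepancies out like `bart compare`: 'fname:' then one indented line per attribute."""
    lines: List[str] = []
    current = None
    for fname, attr, cval, tval in diffs:
        if fname != current:
            lines.append(f"{fname}:")
            current = fname
        lines.append(f"  {attr}" if attr in ("add", "delete")
                     else f"  {attr}  control:{cval}  test:{tval}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(compare(parse_manifest(CONTROL), parse_manifest(TEST))))
```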
Apropos Auditing
Auditing is activated by default
root@client:~# auditconfig -getflags
active user default audit flags = lo(0x1000,0x1000
configured user default audit flags = lo(0x1000,0x
root@client:~# auditconfig -getnaflags
active non-attributable audit flags = lo(0x1000,0x
configured non-attributable audit flags = lo(0x100
root@client:~# auditconfig -getpolicy
configured audit policies = cnt
active audit policies = cnt
Policy regarding auditing ... (explanation on the next s
root@client:~# auditconfig -lspolicy
policy string   description:
ahlt            halt machine if it can not record an async event
all             all policies
Which degree of detail? What happens with full disks?
arge            include exec environment args in audit recs
argv            include exec command line args in audit recs
cnt             when no more space, drop recs and keep a cnt
group           include supplementary groups in audit recs
none            no policies
path            allow multiple paths per event
perzone         use a separate queue and auditd per zone
public          audit public files
seq             include a sequence number in audit recs
trail           include trailer token in audit recs
windata_down    include downgraded window information in audit recs
windata_up      include upgraded window information in audit recs
zonename        include zonename token in audit recs
root@client:~# auditconfig -getplugin
Plugin: audit_binfile (active)
    Attributes: p_dir=/var/audit;p_fsize=0;p_m
Plugin: audit_syslog (inactive)
    Attributes: p_flags=
Plugin: audit_remote (inactive)
    Attributes: p_hosts=;p_retries=3;p_timeout
root@client:~# auditconfig -setflags lo,ps,fw
user default audit flags = ps,lo,fw(0x101002,0x101
root@client:~# auditconfig -setnaflags lo,na
non-attributable audit flags = lo,na(0x1400,0x1400
lo and na are the onflags for non-attribu
root@client:~# usermod -K audit_flags=fw:as jun
root@client:~# auditconfig -lsevent | grep " lo "
AUE_login                6152 lo login - local
AUE_logout               6153 lo logout
AUE_telnet               6154 lo login - telnet
AUE_rlogin               6155 lo login - rlogin
AUE_rshd                 6158 lo rsh access
AUE_su                   6159 lo su
AUE_rexecd               6162 lo rexecd
AUE_passwd               6163 lo passwd
AUE_rexd                 6164 lo rexd
AUE_ftpd                 6165 lo ftp access
AUE_ftpd_logout          6171 lo ftp logout
AUE_ssh                  6172 lo login - ssh
AUE_role_login           6173 lo role login
AUE_rad_login            6174 lo connect to RAD
AUE_newgrp_login         6212 lo newgrp login
AUE_admin_authenticate   6213 lo admin login
AUE_screenlock           6221 lo screenlock - lock
AUE_screenunlock         6222 lo screenlock - unlock
AUE_zlogin               6227 lo login - zlogin
AUE_su_logout            6228 lo su logout
AUE_role_logout          6229 lo role logout
AUE_smbd_session         6244 lo smbd(1m) session setup
AUE_smbd_logoff          6245 lo smbd(1m) session logoff
root@client:~# auditconfig -lsevent | grep " ps "
AUE_EXIT                    1 ps exit(2)
AUE_FORKALL                 2 ps forkall(2)
AUE_VFORK                  25 ps vfork(2)
AUE_FORK1                 241 ps fork1(2)
root@client:~# auditconfig -lsevent | grep " fw "
AUE_OPEN_W                 76 fw open(2) - write
# auditreduce -c ps /var/audit/20130912183630.not_terminated.client | praudit
header,139,2,execve(2),,client,2013-09-12 18:40:55.924 +00:00
path,/usr/sbin/auditreduce
attribute,100555,root,bin,65538,65875,18446744073709551615
subject,jmoekamp,root,root,root,root,2054,1440080956,2480 202240 192.168.10.1
return,success,0

Not always (in the sense of: never) a good idea:
root@client:~# auditconfig -setflags all
user default audit flags = all(0xffffffffffffffff,0xffffffffffff

Useful after trying out - starting a new audit file:
root@client:~# audit -n

all activated for a few seconds on an unloaded system:
root@client:~# auditstat
  gen  nona  kern   aud   ctl   enq  wrtn  wblk  rblk  drop   tot   mem
38248     1 38233    14     0 37791 37788     0  3491   457  5169     0
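The praudit record above is a sequence of comma-separated tokens, one per line, and a header token starts each event. As an added example (not code from the slides or from Solaris), the following Python groups such lines back into events and picks out two views a reviewer typically wants: who did what as root, and which calls failed. AUDIT_LOG is a constructed sample modelled on the record on the slide; the two extra events are made up.

```python
"""Group praudit text output into events and pull out the records a reviewer wants.

Added example, not code from the slides or from Solaris: a parser for the
comma-separated token lines that `auditreduce ... | praudit` prints (header,
path, attribute, subject, return tokens as on the slide above).  AUDIT_LOG is a
constructed sample modelled on that record; the extra two events are made up.
"""
from dataclasses import dataclass, field
from typing import List, Optional

AUDIT_LOG = """\
header,139,2,execve(2),,client,2013-09-12 18:40:55.924 +00:00
path,/usr/sbin/auditreduce
attribute,100555,root,bin,65538,65875,18446744073709551615
subject,jmoekamp,root,root,root,root,2054,1440080956,2480 202240 192.168.10.1
return,success,0
header,120,2,open(2) - write,,client,2013-09-12 18:41:02.101 +00:00
path,/etc/nsswitch.nisplus
subject,junior,junior,staff,junior,staff,2061,1440080957,2480 202240 192.168.10.1
return,failure: Permission denied,-1
header,140,2,execve(2),,client,2013-09-12 18:41:10.533 +00:00
path,/usr/bin/su
attribute,104555,root,sys,65538,65877,18446744073709551615
subject,junior,root,root,junior,staff,2062,1440080957,2480 202240 192.168.10.1
return,success,0
"""


@dataclass
class AuditEvent:
    event: str                          # event type from the header token, e.g. "execve(2)"
    host: str
    time: str
    paths: List[str] = field(default_factory=list)
    audit_user: Optional[str] = None    # audit ID: set at login, survives su(1M)
    euid: Optional[str] = None          # effective uid as praudit prints it
    ruid: Optional[str] = None
    terminal: Optional[str] = None
    status: Optional[str] = None        # "success" or "failure: <reason>"
    retval: Optional[str] = None


def parse_praudit(text: str) -> List[AuditEvent]:
    """A 'header' token opens a new event; the tokens that follow fill it in."""
    events: List[AuditEvent] = []
    for line in text.splitlines():
        if not line:
            continue
        token, *fields = line.split(",")
        if token == "header":
            # header,record-bytes,version,event-type,event-modifier,machine,time
            events.append(AuditEvent(event=fields[2], host=fields[4], time=fields[5]))
            continue
        if not events:
            raise ValueError(f"token before first header: {line!r}")
        ev = events[-1]
        if token == "path":
            ev.paths.append(fields[0])
        elif token == "subject":
            # subject,audit-ID,uid,gid,ruid,rgid,pid,session-ID,terminal-ID
            ev.audit_user, ev.euid, ev.ruid, ev.terminal = fields[0], fields[1], fields[3], fields[7]
        elif token == "return":
            ev.status, ev.retval = fields[0], fields[1]
        # attribute (and any other) tokens are not needed for this view
    return events


def actions_as_root(events: List[AuditEvent]) -> List[AuditEvent]:
    """Successful events run with euid root whose audit ID is not root: because the
    audit ID is fixed at login, this attributes root activity to the real person."""
    return [e for e in events
            if e.status == "success" and e.euid == "root" and e.audit_user != "root"]


def failures(events: List[AuditEvent]) -> List[AuditEvent]:
    """Events whose return token reports a failure (e.g. a denied write)."""
    return [e for e in events if e.status is not None and e.status.startswith("failure")]


if __name__ == "__main__":
    evs = parse_praudit(AUDIT_LOG)
    for e in actions_as_root(evs):
        print(f"{e.time} {e.audit_user} ran {e.paths[0]} as root from {e.terminal}")
    for e in failures(evs):
        print(f"{e.time} {e.audit_user}: {e.event} on {e.paths[0]} -> {e.status}")
```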
SSH and X.509
root@ca:~# mkdir server
root@ca:~# cd server
root@ca:~/server# CA.pl -newreq
Generating a 1024 bit RSA private key
.....++++++
..................++++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase: supersecret2
Verifying - Enter PEM pass phrase: supersecret2
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:DE
State or Province Name (full name) []:Lower Saxony
Locality Name (eg, city) []:Lueneburg
Organization Name (eg, company) []:c0t0d0s0.org
Organizational Unit Name (eg, section) []:ServerCertificates
Common Name (e.g. server FQDN or YOUR name) []:server
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, newkey.pem
root@ca:~/server# CA.pl -signreq
Using configuration from /etc/openssl/openssl.cnf
Enter pass phrase for /etc/openssl/private/cakey.pem: supersecret1
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            b3:54:80:88:66:ad:e8:79
        Validity
            Not Before: Sep 26 10:29:12 2013 GMT
            Not After : Sep 26 10:29:12 2014 GMT
        Subject:
            countryName               = DE
            stateOrProvinceName       = Lower Saxony
            localityName              = Lueneburg
            organizationName          = c0t0d0s0.org
            organizationalUnitName    = ServerCertificates
            commonName                = server
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                A7:DC:03:DE:B355:A9:AD:04:C4:9C:10:FA
            X509v3 Authority Key Identifier:
                71:86:12:30:40:50:15:52:81:8D:5
Certificate is to be certified 2014 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
root@ca:~/server# ls -l
total 15
-rw-r--r--   1 root     root        12:29 newcert.pem
-rw-r--r--   1 root     root        12:28 newkey.pem
-rw-r--r--   1 root     root        12:28 newreq.pem
root@ca:~/junior# CA.pl -newreq
Generating a 1024 bit RSA private key
..........++++++
......++++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
Verify failure
Enter PEM pass phrase: supersecret3
Verifying - Enter PEM pass phrase: supersecret3
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:DE
State or Province Name (full name) []:Lower Saxony
Locality Name (eg, city) []:Lueneburg
Organization Name (eg, company) []:c0t0d0s0.org
Organizational Unit Name (eg, section) []:Usercertificates
Common Name (e.g. server FQDN or YOUR name) []:junior
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, newkey.pem
root@ca:~/junior# CA.pl -signreq
Using configuration from /etc/openssl/openssl.cnf
Enter pass phrase for /etc/openssl/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            b3:54:80:88:66:ad:e8:7a
        Validity
            Not Before: Sep 26 11:09:29 2013 GMT
            Not After : Sep 26 11:09:29 2014 GMT
        Subject:
            countryName               = DE
            stateOrProvinceName       = Lower Saxony
            localityName              = Lueneburg
            organizationName          = c0t0d0s0.org
            organizationalUnitName    = Usercertificates
            commonName                = junior
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                9A:F5:29:03:F5:B7:14:93:3C:64
            X509v3 Authority Key Identifier:
                71:86:12:30:40:50:15:52:81:8D
Certificate is to be certified 2014 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
#
root@server:~# useradd -m junior
80 blocks
root@server:~# passwd junior
New Password:
Re-enter new Password:
passwd: password successfully changed for junior
root@server:~#
root@client:~# useradd -m junior
80 blocks
root@client:~# passwd junior
New Password:
Re-enter new Password:
passwd: password successfully changed for junior
root@server:~# echo "192.168.10.51 server" >> /etc/hosts
root@server:~# echo "192.168.10.52 client" >> /etc/hosts
root@client:~# echo "192.168.10.51 server" >> /etc/hosts
root@client:~# echo "192.168.10.52 client" >> /etc/hosts
root@ca:~/server# scp /etc/openssl/cacert.pem [email protected]:/expor
Password:
cacert.pem           100% |****************************************|  3011
root@ca:~/server# scp newcert.pem [email protected]:/export/home/jmoeka
Password:
newcert.pem          100% |****************************************|  3196
root@ca:~/server# scp newkey.pem [email protected]:/export/home/jmoekam
Password:
newkey.pem           100% |****************************************|  1041
root@ca:~/junior# scp newkey.pem junior@client:/export/home/junior
Password:
newkey.pem           100% |****************************************|  1041
root@ca:~/junior# scp newcert.pem junior@client:/export/home/junior
Password:
newcert.pem          100% |****************************************|  3190
root@ca:~/junior# scp /etc/openssl/cacert.pem [email protected]:/export/
Password:
cacert.pem           100% |****************************************|  3011
root@server:~# ls
cacert.pem   newcert.pem  newkey.pem
root@server:~# pktool setpin
Enter token passphrase: changeme
Create new passphrase: superserversecret
Re-enter new passphrase: superserversecret
Passphrase changed.
root@server:~#
root@server:~# printf "superserversecret" > /etc/ssh/pinfile
root@server:~# kmfcfg create dbfile=/etc/ssh/policy.xml policname=search mapper-name=cn
root@server:~# pktool import keystore=pkcs11 infile=newkey.pem objtype=key
Enter PIN for Sun Software PKCS#11 softtoken: superserversecret
Enter PEM pass phrase: supersecret2
Importing 1 keys
root@server:~# egrep -v "^ |^$|^Cert" /export/home/jmoekamp/cacert.pem > /etc/cacert.cooked.pem
root@server:~# egrep -v "^ |^$|^Cert" newcert.pem > newcert.cooked.pem
root@server:~# pktool import keystore=pkcs11 infile=newcert.cooked.pem objtype
root@server:~#
On the client
junior@client:~$ ls *.pem
cacert.pem   newcert.pem  newkey.pem
root@client:~# kmfcfg create dbfile=/etc/ssh/policy.xml policy=ssh ta-name=searc
root@client:~# egrep -v "^ |^$|^Cert" /export/home/junior/cacert.pem > cacert.cooked.pem
junior@client:~$ pktool setpin
Enter token passphrase: changeme
Create new passphrase: superusersecret
Re-enter new passphrase: superusersecret
Passphrase changed.
junior@client:~$ pktool import keystore=pkcs11 infile=newkey.pem objtype=key l
Enter PIN for Sun Software PKCS#11 softtoken: superusersecret
Enter PEM pass phrase: supersecret3
Importing 1 keys
junior@client:~$ egrep -v "^ |^$|^Cert" newcert.pem > newcert.cooked.pem
junior@client:~$ pktool import keystore=pkcs11 infile=newcert.cooked.pem objty
Testing it
root@server:~# svcadm disable ssh
root@server:~# svcadm enable ssh
junior@client:~$ cd .ssh
junior@client:~/.ssh$ printf "superusersecret" >> pinfile
junior@client:~/.ssh$ cat config
Host server-x509
    Hostname server
    TrustedAnchorKeystore /etc/ssh/cert
    KMFPolicyDatabase /etc/ssh/policy.xml
    KMFPolicyName ssh
    IdentityFile pkcs11:object=user;token=Sun Software PKCS#11 softtoken;pinfile=/export/home/junior/.ssh/pinfile
junior@client:~/.ssh$ ssh junior@server-x509
Last login: Thu Sep 26 20:07:14 2013 from client
Oracle Corporation      SunOS 5.11      11.1    September 201
junior@server:~$
Find more information regarding this feature at:
http://www.c0t0d0s0.org/archives/7659-Using-X.509-support-for-SSH-on-S
OpenSCAP
„The Security Content Automation Protocol (SCAP) is a method for using specific standards to vulnerability management, measurement, and policy compliance evaluation (e.g., FISMA complianc
Vulnerability Database (NVD) is the U.S. government content repository for SCAP.“
http://en.wikipedia.org/wiki/Security_Conte
ftp-banner.xml:

<?xml version="1.0" encoding="UTF-8"?>
<oval_definitions xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:oval="http://oval.mitre.org/XMLSchema/oval-common-5"
    xmlns:oval-def="http://oval.mitre.org/XMLSchema/oval-definitions-5"
    xmlns:independent-def="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"
    xsi:schemaLocation="http://oval.mitre.org/XMLSchema/oval-definitions-5 oval-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-definitions-5#independent independent-definitions-schema.xsd http://oval.mitre.org/XMLSchema/oval-common-5 oval-common-schema.xsd">
  <generator>
    <oval:product_name>Enhanced SCAP Editor</oval:product_name>
    <oval:product_version>0.0.11</oval:product_version>
    <oval:schema_version>5.8</oval:schema_version>
    <oval:timestamp>2012-10-11T10:33:25</oval:timestamp>
  </generator>
  <!--generated.oval.base.identifier=com.oracle.solaris11-->
  <definitions>
    <definition id="oval:com.oracle.solaris11:def:840" version="1" class="compliance">
      <metadata>
        <title>Enable a Warning Banner for the FTP Service</title>
        <affected family="unix">
          <platform>Oracle Solaris 11</platform>
        </affected>
        <description>/etc/proftpd.conf contains "DisplayConnect /etc/issue"</description>
      </metadata>
      <criteria operator="AND" negate="false" comment="Single test">
        <criterion comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;"
            test_ref="oval:com.oracle.solaris11:tst:8400" negate="false"/>
      </criteria>
    </definition>
  </definitions>
  <tests>
    <textfilecontent54_test xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"
        id="oval:com.oracle.solaris11:tst:8400" version="1"
        comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;"
        check_existence="all_exist">
      <object object_ref="oval:com.oracle.solaris11:obj:8400"/>
    </textfilecontent54_test>
  </tests>
  <objects>
    <textfilecontent54_object xmlns="http://oval.mitre.org/XMLSchema/oval-definitions-5#independent"
        id="oval:com.oracle.solaris11:obj:8400" version="1"
        comment="/etc/proftpd.conf contains &quot;DisplayConnect /etc/issue&quot;">
      <path datatype="string" operation="equals">/etc</path>
      <filename datatype="string" operation="equals">proftpd.conf</filename>
      <pattern datatype="string" operation="pattern match">^DisplayConnect\s/etc/issue\s$</pattern>
      <instance datatype="int" operation="greater than or equal">1</instance>
    </textfilecontent54_object>
  </objects>
</oval_definitions>
$ oscap oval eval ftp-banner.xml
Definition oval:com.oracle.solaris11:def:840: false
Evaluation done.
$ oscap oval eval --results results.xml --report report.html ftp-b
Definition oval:com.oracle.solaris11:def:840: false
Evaluation done.
OVAL Results are exported correctly.
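What oscap evaluates for that definition is a textfilecontent54 object: a file chosen by path and filename, a regular expression applied to its contents, and an instance selector. The following is an added Python model of that check (example code written for this page, not from OpenSCAP or the slides) run against constructed proftpd.conf contents; the regex, file name and instance value are the ones in ftp-banner.xml, and the line-by-line matching with the newline stripped is an assumption of this model.

```python
"""Model of the textfilecontent54_test in ftp-banner.xml, run on sample contents.

Added example, not OpenSCAP code and not from the slides: a minimal pure-Python
stand-in for the OVAL check above (path + filename + pattern + instance).  The
files are constructed stand-ins for /etc/proftpd.conf.  Assumption of this
model: the pattern is applied to each line with its trailing newline removed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Values taken from the textfilecontent54_object in ftp-banner.xml above.
PATTERN = r"^DisplayConnect\s/etc/issue\s$"
INSTANCE_MIN = 1          # <instance operation="greater than or equal">1</instance>


@dataclass(frozen=True)
class TextFileContentObject:
    path: str
    filename: str
    pattern: str
    instance_min: int     # only matches numbered >= this become items


FTP_BANNER_OBJECT = TextFileContentObject("/etc", "proftpd.conf", PATTERN, INSTANCE_MIN)

# Constructed sample contents keyed by a label (not real files on disk).
SAMPLE_FILES: Dict[str, str] = {
    # directive present, nothing between "/etc/issue" and the end of the line
    "no-trailing-space": 'ServerName "FTP"\nDisplayConnect /etc/issue\nDefaultRoot ~\n',
    # same directive with one trailing blank, which the \s before $ requires
    "trailing-space": 'ServerName "FTP"\nDisplayConnect /etc/issue \nDefaultRoot ~\n',
    # directive missing altogether
    "no-banner": 'ServerName "FTP"\nDefaultRoot ~\n',
}


def collect_items(contents: str, obj: TextFileContentObject) -> List[Dict[str, object]]:
    """Every line matching the pattern is a candidate; the n-th match has instance n,
    and only instances satisfying the selector are collected as items."""
    regex = re.compile(obj.pattern)
    items: List[Dict[str, object]] = []
    instance = 0
    for line in contents.splitlines():
        if regex.search(line):
            instance += 1
            if instance >= obj.instance_min:
                items.append({"path": obj.path, "filename": obj.filename,
                              "instance": instance, "text": line})
    return items


def evaluate_definition(contents: str, obj: TextFileContentObject) -> bool:
    """check_existence="all_exist" with no state: true iff at least one item exists."""
    return len(collect_items(contents, obj)) > 0


def report(files: Dict[str, str], obj: TextFileContentObject) -> Dict[str, bool]:
    """One 'Definition ...: true|false' line per sample, in oscap's wording."""
    results: Dict[str, bool] = {}
    for label, contents in files.items():
        results[label] = evaluate_definition(contents, obj)
        print(f"[{label}] Definition oval:com.oracle.solaris11:def:840: "
              f"{str(results[label]).lower()}")
    return results


if __name__ == "__main__":
    report(SAMPLE_FILES, FTP_BANNER_OBJECT)
```

Note that the pattern's trailing \s$ only matches a line that ends in whitespace, so a directive typed as "DisplayConnect /etc/issue" with nothing after it evaluates to false under this model.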
To create your own OVAL-Files Enhanced SCAP Cont
Find more information regarding this feature at:
https://blogs.oracle.com/darren/entry/compliance_reporting_with_sca