Solaris 11 Security - a live demo in slides - by Joerg „c0t0d0s0.org“ Möllenkamp

Transcript of Solaris 11 Security - a live demo in slides - by Joerg „c0t0d0s0.org“ Möllenkamp

  • c0t0d0s0//org1

    Solaris 11 Security - a live demo in slides -

    by Joerg „c0t0d0s0.org“ Möllenkamp

  • c0t0d0s0//org

    This slideset was made to have a fallback for a live demo at a series of Oracle Breakfast events in Germany, as the presentation diverted a lot in the first location in the light of recent events around privacy and security.

    However, most information is in the voice track, which wasn't recorded. So this presentation may not be that useful.

    If you need the voice track, ask your Oracle sales rep to ask his manager to ask my manager to let me do the presentation in your country ;)

  • c0t0d0s0//org

    Primarily I used examples from my practical work and from my own blog; however, I would like to thank two colleagues:

    Glenn Faden for "Oracle Solaris Extended Policy and MySQL": https://blogs.oracle.com/gfaden/entry/oracle_solaris_extended_policy_and

    Darren Moffat for "Compliance reporting with SCAP": https://blogs.oracle.com/darren/entry/compliance_reporting_with_scap

    I directly reused their blog entries for this presentation.


  • c0t0d0s0//org4

    Certifications

  • c0t0d0s0//org

    Solaris 10 Common Criteria Evaluation has been certified on EAL4+ level

  • c0t0d0s0//org

    We have a Common Criteria certification: for Solaris 10 at the moment, for Solaris 11 in the future.

    However, the Common Criteria certification doesn't certify security.

  • c0t0d0s0//org

    Solaris 10 Trusted Extensions Common Criteria Evaluation has been certified on EAL4+ level

    http://www.oracle.com/technetwork/topics/security/oracle-cc-evalsolaris-083233.html#sol10U3TX

    The following protection profiles were used: Controlled Access Protection Profile, Role Based Access Control Protection Profile, Labeled Security Protection Profile


  • c0t0d0s0//org

    Solaris 11.1 is currently in certification.

    http://www.oracle.com/technetwork/topics/security/security-evaluations-099357.html#InEvaluated


  • c0t0d0s0//org9

    Is it really a Solaris 11 binary?

  • c0t0d0s0//org10

    jmoekamp@server:~$ elfsign verify -v /usr/bin/oscap
    elfsign: verification of /usr/bin/oscap passed.
    format: rsa_md5_sha1.
    signer: CN=SunOS 5.10, OU=Solaris Signed Execution, O=Sun Microsystems Inc.

  • c0t0d0s0//org11

    Sandboxing applications on Solaris 11.1

  • c0t0d0s0//org12

    root@solaris# profiles -p "MySQL Service"
    MySQL Service> set desc="Locking down the MySQL Service"
    MySQL Service> add cmd=/lib/svc/method/mysql_51
    MySQL Service:mysql_51> set privs=basic
    MySQL Service:mysql_51> add privs={net_privaddr}:3306/tcp
    MySQL Service:mysql_51> add privs={file_write}:/var/mysql/5.1/data/*
    MySQL Service:mysql_51> add privs={file_write}:/tmp/mysql.sock
    MySQL Service:mysql_51> add privs={file_write}:/var/tmp/ib*
    MySQL Service:mysql_51> end
    MySQL Service> set uid=mysql
    MySQL Service> set gid=mysql
    MySQL Service> exit
    root@solaris#

  • c0t0d0s0//org13

    root@solaris# svccfg -s mysql:version_51
    svc:/application/database/mysql:version_51> setprop method_context/profile="MySQL Service"
    svc:/application/database/mysql:version_51> setprop method_context/use_profile=true
    svc:/application/database/mysql:version_51> refresh
    svc:/application/database/mysql:version_51> exit

  • c0t0d0s0//org14

    root@solaris# ipadm set-prop -p extra_priv_ports+=3306 tcp
    root@solaris# ipadm show-prop -p extra_priv_ports tcp
    PROTO PROPERTY              PERM CURRENT      PERSISTENT   DEFAULT      POSSIBLE
    tcp   extra_priv_ports      rw   2049,4045,   --           2049,4045    1-65535
                                     3306

  • c0t0d0s0//org15

    # svcadm enable mysql:version_51

  • c0t0d0s0//org16

    root@solaris# ppriv $(pgrep mysql)
    103697: /usr/mysql/5.1/bin/mysqld --basedir=/usr/mysql/5.1 --datadir=/var/mysq
    flags = PRIV_XPOLICY
            Extended policies:
                    {net_privaddr}:3306/tcp
                    {file_write}:/var/mysql/5.1/data/*
                    {file_write}:/tmp/mysql.sock
                    {file_write}:/var/tmp/ib*
            E: basic,!file_write
            I: basic,!file_write
            P: basic,!file_write
            L: all
    103609: /bin/sh /usr/mysql/5.1/bin/mysqld_safe --user=mysql --datadir=/var/mys
    flags = PRIV_XPOLICY
            Extended policies:
                    {net_privaddr}:3306/tcp
                    {file_write}:/var/mysql/5.1/data/*
                    {file_write}:/tmp/mysql.sock
                    {file_write}:/var/tmp/ib*
            E: basic,!file_write
            I: basic,!file_write
            P: basic,!file_write
            L: all
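    An added check that is not part of the slides: after applying a profile like the one above, the only proof that it took effect is the ppriv output itself. The script below parses a ppriv dump (the same format as the output above and the Apache ppriv output later in the deck) and reports every way a process deviates from the intended policy: missing PRIV_XPOLICY flag, file_write still in the basic set, or extended-policy grants beyond the listed paths and port. The sample dumps and the second, unprotected process are constructed for the example.

```python
"""Check a ppriv(1) dump against the extended policy the profile is meant to enforce."""
import re

# Constructed sample, modelled on the ppriv output of the locked-down
# MySQL service in the slides (paths and port taken from that profile).
LOCKED_DOWN = """\
103697: /usr/mysql/5.1/bin/mysqld --basedir=/usr/mysql/5.1 --datadir=/var/mysql/5.1/data
flags = PRIV_XPOLICY
        Extended policies:
                {net_privaddr}:3306/tcp
                {file_write}:/var/mysql/5.1/data/*
                {file_write}:/tmp/mysql.sock
                {file_write}:/var/tmp/ib*
        E: basic,!file_write
        I: basic,!file_write
        P: basic,!file_write
        L: all
"""

# Constructed sample of the same daemon started without the profile:
# plain basic set, no extended policy, file_write still present.
NOT_LOCKED_DOWN = """\
103001: /usr/mysql/5.1/bin/mysqld --basedir=/usr/mysql/5.1
flags = <none>
        E: basic
        I: basic
        P: basic
        L: all
"""

# What the profile on the slide grants, and nothing more.
ALLOWED_WRITES = {"/var/mysql/5.1/data/*", "/tmp/mysql.sock", "/var/tmp/ib*"}
ALLOWED_PORTS = {"3306/tcp"}


def parse_ppriv(text):
    """Return one dict per process: pid, cmd, flags, privilege sets, extended policies."""
    procs, cur = [], None
    for line in text.splitlines():
        head = re.match(r"^(\d+):\s+(.*)$", line)
        if head:
            cur = {"pid": int(head.group(1)), "cmd": head.group(2),
                   "flags": set(), "sets": {}, "xpolicy": []}
            procs.append(cur)
            continue
        s = line.strip()
        if s.startswith("flags ="):
            flags = s.split("=", 1)[1].strip()
            cur["flags"] = set() if flags == "<none>" else set(flags.split(","))
        elif re.match(r"^[EIPL]:", s):
            name, privs = s.split(":", 1)
            cur["sets"][name] = {p.strip() for p in privs.split(",") if p.strip()}
        elif s.startswith("{"):
            priv, obj = re.match(r"^\{(\w+)\}:(.*)$", s).groups()
            cur["xpolicy"].append((priv, obj))
    return procs


def check_lockdown(proc, allowed_writes=ALLOWED_WRITES, allowed_ports=ALLOWED_PORTS):
    """Return findings for one process; an empty list means it matches the policy."""
    findings = []
    if "PRIV_XPOLICY" not in proc["flags"]:
        findings.append("no extended policy in effect")
    for name in "EIP":
        if "!file_write" not in proc["sets"].get(name, set()):
            findings.append(f"{name}: file_write not removed from basic set")
    for priv, obj in proc["xpolicy"]:
        if priv == "file_write" and obj not in allowed_writes:
            findings.append(f"unexpected file_write grant: {obj}")
        elif priv == "net_privaddr" and obj not in allowed_ports:
            findings.append(f"unexpected privileged port grant: {obj}")
        elif priv not in ("file_write", "net_privaddr"):
            findings.append(f"unexpected extended policy: {priv}:{obj}")
    return findings


def audit(text):
    """Map pid -> findings for every process in a ppriv dump."""
    return {p["pid"]: check_lockdown(p) for p in parse_ppriv(text)}


if __name__ == "__main__":
    for pid, findings in audit(LOCKED_DOWN + NOT_LOCKED_DOWN).items():
        print(pid, "OK" if not findings else findings)
```

On a live system, feed it the output of `ppriv $(pgrep mysql)` instead of the constructed samples.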

  • c0t0d0s0//org17

    Find more information regarding this feature at: https://blogs.oracle.com/gfaden/entry/oracle_solaris_extended_policy_and


  • c0t0d0s0//org18

    Passwords

  • c0t0d0s0//org19

    root@client:/etc/security# cat /etc/security/crypt.conf
    #
    # Copyright 2008 Sun Microsystems, Inc. All rights reserved.
    # Use is subject to license terms.
    #
    #ident "%Z%%M% %I% %E% SMI"
    #
    # The algorithm name __unix__ is reserved.
    #
    1 crypt_bsdmd5.so.1
    2a crypt_bsdbf.so.1
    md5 crypt_sunmd5.so.1
    5 crypt_sha256.so.1
    6 crypt_sha512.so.1

  • c0t0d0s0//org20

    root@client:/etc/security# cat /etc/security/policy.conf | egrep "^CRYPT_DEFAULT"
    CRYPT_DEFAULT=5
    root@client:/etc/security# cat /etc/shadow | grep junior
    junior:$5$4aKvDFqA$2kL8GpuXjrd.f8XpanqhylEP5lDhy1DF5uo1ZYx74f3:15929::::::1440
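    An added check, not from the slides: CRYPT_DEFAULT only decides how the next password change is hashed, so an account keeps its old hash (and its old algorithm) until the password is changed. The script below reads a crypt.conf of the form shown above and walks /etc/shadow, reporting for every account with a password which algorithm identifier it uses, which module that maps to, and whether it is one of the accepted ones. The crypt.conf and shadow contents are constructed; hash bodies are placeholders, only the formats are real.

```python
"""Audit which hash algorithm each account in /etc/shadow actually uses."""
import re

# Constructed crypt.conf, same algorithm table as the one shown in the slides.
CRYPT_CONF = """\
# The algorithm name __unix__ is reserved.
1   crypt_bsdmd5.so.1
2a  crypt_bsdbf.so.1
md5 crypt_sunmd5.so.1
5   crypt_sha256.so.1
6   crypt_sha512.so.1
"""

# Constructed shadow entries: hash bodies are placeholders, formats are real.
SHADOW = """\
root:$6$Zt9qL2aB$PLACEHOLDERHASH:15929::::::
junior:$5$4aKvDFqA$PLACEHOLDERHASH:15929::::::1440
oldtimer:AbCdEfGhIjKl.:15929::::::
svcacct:NP:15929::::::
locked:*LK*:15929::::::
"""


def parse_crypt_conf(text):
    """Map algorithm identifier -> crypt module, skipping comments and blanks."""
    modules = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            ident, module = line.split(None, 1)
            modules[ident] = module
    return modules


def hash_algorithm(field):
    """Algorithm identifier of a shadow password field, or None if there is no password."""
    if not field or field.startswith("*") or field in ("NP", "NL"):
        return None
    if field.startswith("$"):
        # $id$salt$hash, or $id,rounds=N$salt$hash for the Sun MD5 variant
        return re.match(r"^\$([^$,]+)", field).group(1)
    if len(field) == 13:
        return "__unix__"  # traditional 13-character DES crypt, no crypt.conf entry
    return "unknown"


def audit_shadow(shadow, crypt_conf, accept=("5", "6")):
    """One record per account that has a password; ok=False means a weak or legacy hash."""
    modules = parse_crypt_conf(crypt_conf)
    report = []
    for line in shadow.splitlines():
        user, field = line.split(":")[:2]
        alg = hash_algorithm(field)
        if alg is None:
            continue
        module = modules.get(alg, "traditional unix crypt" if alg == "__unix__" else None)
        report.append({"user": user, "algorithm": alg, "module": module,
                       "ok": alg in accept})
    return report


if __name__ == "__main__":
    for rec in audit_shadow(SHADOW, CRYPT_CONF):
        print(rec)
```

Accounts flagged with ok=False need a password change (or an expiry via passwd -f) before the new CRYPT_DEFAULT does them any good.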

  • c0t0d0s0//org21

    root@client:/etc/security# cat /etc/default/passwd | grep -v "# " | egrep -v "^#$|^$"
    #ident "%Z%%M% %I% %E% SMI"
    MAXWEEKS=
    MINWEEKS=
    PASSLENGTH=6
    #NAMECHECK=NO
    #HISTORY=0
    #MINDIFF=3
    #MINALPHA=2
    #MINNONALPHA=1
    #MINUPPER=0
    #MINLOWER=0
    #MAXREPEATS=0
    #MINSPECIAL=0
    #MINDIGIT=0
    #WHITESPACE=YES
    #DICTIONLIST=
    #DICTIONDBDIR=/var/passwd

  • c0t0d0s0//org22

    root@client:/# mkpwdict -s /usr/share/lib/dict/words
    mkpwdict: using default database location: /var/passwd.

    or:

    root@client:/# mkpwdict -s /usr/share/lib/dict/words -d /var/passwd

  • c0t0d0s0//org23

    Address Space Layout Randomization

  • c0t0d0s0//org24

    root@solaris:/# sxadm exec -s aslr=disable /usr/bin/pmap self
    1914:   /usr/bin/pmap self
    0000000000400000      28K r-x--  /usr/bin/pmap
    0000000000417000       4K rw---  /usr/bin/pmap
    0000000000418000      40K rw---    [ heap ]
    FFFF80FFBDDD0000     216K r-x--  /lib/amd64/libproc.so.1
    FFFF80FFBDE16000       8K rw---  /lib/amd64/libproc.so.1
    FFFF80FFBF430000    1764K r-x--  /lib/amd64/libc.so.1
    FFFF80FFBF5F9000      64K rw---  /lib/amd64/libc.so.1
    FFFF80FFBF609000      12K rw---  /lib/amd64/libc.so.1
    FFFF80FFBF740000       4K rw---    [ anon ]
    FFFF80FFBF750000      24K rwx--    [ anon ]
    FFFF80FFBF760000       4K rw---    [ anon ]
    FFFF80FFBF770000       4K rw---    [ anon ]
    FFFF80FFBF780000       4K rw---    [ anon ]
    FFFF80FFBF790000       4K rw---    [ anon ]
    FFFF80FFBF792000       4K r--s-    [ anon ]
    FFFF80FFBF795000     340K r-x--  /lib/amd64/ld.so.1
    FFFF80FFBF7FA000      12K rwx--  /lib/amd64/ld.so.1
    FFFF80FFBF7FD000       8K rwx--  /lib/amd64/ld.so.1
    FFFF80FFBFFFD000      12K rw---    [ stack ]
     total          2556K

  • c0t0d0s0//org25

    root@solaris:/# sxadm exec -s aslr=disable /usr/bin/pmap self
    1915:   /usr/bin/pmap self
    0000000000400000      28K r-x--  /usr/bin/pmap
    0000000000417000       4K rw---  /usr/bin/pmap
    0000000000418000      40K rw---    [ heap ]
    FFFF80FFBDDD0000     216K r-x--  /lib/amd64/libproc.so.1
    FFFF80FFBDE16000       8K rw---  /lib/amd64/libproc.so.1
    FFFF80FFBF430000    1764K r-x--  /lib/amd64/libc.so.1
    FFFF80FFBF5F9000      64K rw---  /lib/amd64/libc.so.1
    FFFF80FFBF609000      12K rw---  /lib/amd64/libc.so.1
    FFFF80FFBF740000       4K rw---    [ anon ]
    FFFF80FFBF750000      24K rwx--    [ anon ]
    FFFF80FFBF760000       4K rw---    [ anon ]
    FFFF80FFBF770000       4K rw---    [ anon ]
    FFFF80FFBF780000       4K rw---    [ anon ]
    FFFF80FFBF790000       4K rw---    [ anon ]
    FFFF80FFBF792000       4K r--s-    [ anon ]
    FFFF80FFBF795000     340K r-x--  /lib/amd64/ld.so.1
    FFFF80FFBF7FA000      12K rwx--  /lib/amd64/ld.so.1
    FFFF80FFBF7FD000       8K rwx--  /lib/amd64/ld.so.1
    FFFF80FFBFFFD000      12K rw---    [ stack ]
     total          2556K

  • c0t0d0s0//org26

    root@solaris:/# sxadm exec -s aslr=enable /usr/bin/pmap self
    1917:   /usr/bin/pmap self
    0000000000400000      28K r-x--  /usr/bin/pmap
    0000000000417000       4K rw---  /usr/bin/pmap
    0000000000418000       8K rw---  /usr/bin/pmap
    00000005D6666000      36K rw---    [ heap ]
    00007FF669C70000     216K r-x--  /lib/amd64/libproc.so.1
    00007FF669CB6000       8K rw---  /lib/amd64/libproc.so.1
    00007FF669CC0000       4K rw---    [ anon ]
    00007FF669CD0000      24K rwx--    [ anon ]
    00007FF669CE0000       4K rw---    [ anon ]
    00007FF669CF0000    1764K r-x--  /lib/amd64/libc.so.1
    00007FF669EB9000      64K rw---  /lib/amd64/libc.so.1
    00007FF669EC9000      12K rw---  /lib/amd64/libc.so.1
    00007FF669ED0000       4K rw---    [ anon ]
    00007FF669EE0000       4K rw---    [ anon ]
    00007FF669EF0000       4K rw---    [ anon ]
    00007FF669EF2000       4K r--s-    [ anon ]
    00007FF669EFC000     340K r-x--  /lib/amd64/ld.so.1
    00007FF669F61000      12K rwx--  /lib/amd64/ld.so.1
    00007FF669F64000       8K rwx--  /lib/amd64/ld.so.1
    FFFF80DDA254F000      16K rw---    [ stack ]
     total          2564K

  • c0t0d0s0//org27

    root@solaris:/# sxadm exec -s aslr=enable /usr/bin/pmap self
    1918:   /usr/bin/pmap self
    0000000000400000      28K r-x--  /usr/bin/pmap
    0000000000417000       4K rw---  /usr/bin/pmap
    0000000000418000       8K rw---  /usr/bin/pmap
    000000065B76D000      36K rw---    [ heap ]
    00007FFAACFC0000     216K r-x--  /lib/amd64/libproc.so.1
    00007FFAAD006000       8K rw---  /lib/amd64/libproc.so.1
    00007FFAAD010000       4K rw---    [ anon ]
    00007FFAAD020000      24K rwx--    [ anon ]
    00007FFAAD030000       4K rw---    [ anon ]
    00007FFAAD040000    1764K r-x--  /lib/amd64/libc.so.1
    00007FFAAD209000      64K rw---  /lib/amd64/libc.so.1
    00007FFAAD219000      12K rw---  /lib/amd64/libc.so.1
    00007FFAAD220000       4K rw---    [ anon ]
    00007FFAAD230000       4K rw---    [ anon ]
    00007FFAAD240000       4K rw---    [ anon ]
    00007FFAAD242000       4K r--s-    [ anon ]
    00007FFAAD24D000     340K r-x--  /lib/amd64/ld.so.1
    00007FFAAD2B2000      12K rwx--  /lib/amd64/ld.so.1
    00007FFAAD2B5000       8K rwx--  /lib/amd64/ld.so.1
    FFFF80DE1559E000      12K rw---    [ stack ]
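    An added example, not part of the slides: the four pmap runs above make the point by eye, but a script can do the comparison for any binary. It parses two pmap dumps and lists which mappings changed base address between them; with aslr=disable nothing moves, with aslr=enable heap, stack and the shared objects move while the non-relocatable /usr/bin/pmap text stays at 0x400000, exactly as in the slides. The dumps are constructed, trimmed versions of the ones above.

```python
"""Compare two pmap(1) dumps to see which mappings ASLR actually relocated."""
import re

# Constructed samples, trimmed from the pmap outputs in the slides
# (sxadm exec -s aslr=disable / aslr=enable /usr/bin/pmap self).
NO_ASLR_RUN1 = """\
1914:   /usr/bin/pmap self
0000000000400000      28K r-x--  /usr/bin/pmap
0000000000417000       4K rw---  /usr/bin/pmap
0000000000418000      40K rw---    [ heap ]
FFFF80FFBF430000    1764K r-x--  /lib/amd64/libc.so.1
FFFF80FFBF740000       4K rw---    [ anon ]
FFFF80FFBF795000     340K r-x--  /lib/amd64/ld.so.1
FFFF80FFBFFFD000      12K rw---    [ stack ]
 total          2192K
"""
# Second run without ASLR: identical layout, only the pid differs.
NO_ASLR_RUN2 = NO_ASLR_RUN1.replace("1914:", "1915:")

ASLR_RUN = """\
1917:   /usr/bin/pmap self
0000000000400000      28K r-x--  /usr/bin/pmap
0000000000417000       4K rw---  /usr/bin/pmap
00000005D6666000      36K rw---    [ heap ]
00007FF669CF0000    1764K r-x--  /lib/amd64/libc.so.1
00007FF669CC0000       4K rw---    [ anon ]
00007FF669EFC000     340K r-x--  /lib/amd64/ld.so.1
FFFF80DDA254F000      16K rw---    [ stack ]
 total          2188K
"""

# address, size in K, five-character permission field, mapping name
MAPPING = re.compile(r"^([0-9A-Fa-f]{8,16})\s+(\d+)K\s+(\S{5})\s+(.*?)\s*$")


def parse_pmap(text):
    """Return {(name, perms): first base address} for each mapping in a pmap dump."""
    maps = {}
    for line in text.splitlines():
        m = MAPPING.match(line)
        if m:
            base, _size, perms, name = m.groups()
            maps.setdefault((name, perms), int(base, 16))
    return maps


def moved_between(run_a, run_b):
    """Sorted names of mappings present in both runs whose base address changed."""
    a, b = parse_pmap(run_a), parse_pmap(run_b)
    return sorted({name for (name, perms), base in a.items()
                   if (name, perms) in b and b[(name, perms)] != base})


def aslr_effective(run_a, run_b):
    """True when heap, stack and every shared object landed somewhere else."""
    moved = set(moved_between(run_a, run_b))
    must_move = {name for (name, _perms) in parse_pmap(run_a)
                 if name in ("[ heap ]", "[ stack ]") or ".so" in name}
    return must_move <= moved


if __name__ == "__main__":
    print("aslr=disable, two runs:", moved_between(NO_ASLR_RUN1, NO_ASLR_RUN2))
    print("aslr=enable vs disable:", moved_between(NO_ASLR_RUN1, ASLR_RUN))
```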

  • c0t0d0s0//org28

    root@solaris:/# sxadm info
    EXTENSION  STATUS                  CONFIGURATION
    aslr       enabled (tagged-files)  system default (default)

    root@solaris:/# elfdump -d /usr/bin/pmap | grep "ASLR"
    [33] SUNW_ASLR 0x2 ENABLE

    root@solaris:/# elfedit -e 'dyn:sunw_aslr disable' /usr/bin/pmap

    root@solaris:/# elfdump -d /usr/bin/pmap | grep "ASLR"
    [33] SUNW_ASLR 0x1 DISABLE

  • c0t0d0s0//org29

    root@solaris:/# sxadm enable -c model=all aslr
    root@solaris:/# sxadm info
    EXTENSION  STATUS         CONFIGURATION
    aslr       enabled (all)  enabled (all)

    root@solaris:/# sxadm disable aslr
    root@solaris:/# sxadm info
    EXTENSION  STATUS    CONFIGURATION
    aslr       disabled  disabled

    root@solaris:/# sxadm enable -c model=tagged-files aslr
    root@solaris:/# sxadm info
    EXTENSION  STATUS                  CONFIGURATION
    aslr       enabled (tagged-files)  enabled (tagged-files)

  • c0t0d0s0//org30

    pfedit

  • c0t0d0s0//org31

    root@template:/etc/apache2/2.2# profiles -p "httpd edit"
    profiles:httpd edit> set auths=solaris.admin.edit/etc/apache2/2.2/httpd.conf
    profiles:httpd edit> set desc="Edit httpd"
    profiles:httpd edit> exit

  • c0t0d0s0//org32

    root@template:/etc/apache2/2.2# usermod -P +"httpd edit" junior

  • c0t0d0s0//org33

    junior@template:~$ profiles
    httpd edit
    Basic Solaris User
    All

  • c0t0d0s0//org34

    junior@template:~$ vi /etc/apache2/2.2/httpd.conf

  • c0t0d0s0//org35

    junior@template:~$ pfedit /etc/apache2/2.2/httpd.conf
    pfedit: /etc/apache2/2.2/httpd.conf has been updated.

  • c0t0d0s0//org36

    junior@template:~$ pfedit /etc/apache2/2.2/mime.types
    pfedit: User junior is not authorized to edit the file /etc/apache2/2.2/mime.types.

  • c0t0d0s0//org37

    root@template:/etc/apache2/2.2# profiles -p "httpd edit"
    profiles:httpd edit> info
            name=httpd edit
            desc=Edit httpd
            auths=solaris.admin.edit/etc/apache2/2.2/httpd.conf
    profiles:httpd edit> add auths=solaris.admin.edit/etc/apache2/2.2/mime.types

  • c0t0d0s0//org38

    junior@template:~$ pfedit /etc/apache2/2.2/mime.types
    pfedit: no changes for /etc/apache2/2.2/mime.types.

  • c0t0d0s0//org39

    # profiles -p "httpd configure"
    profiles:httpd configure> add always_audit=as
    profiles:httpd configure> info
            name=httpd configure
            desc=Configure httpd
            auths=solaris.admin.edit/etc/apache2/2.2/httpd.conf,solaris.admin.edit/etc/apache2/2.2/mime.types
            always_audit=as
            never_audit=no
    profiles:httpd configure> exit
    root@template:~#

  • c0t0d0s0//org40

    root@template:~# auditreduce -c as | praudit

  • c0t0d0s0//org41

    [..]
    header,486,2,edit administrative file,,fe80::a00:27ff:fea6:33cb,2013-08-12 07:45:52.306 +00:00
    subject,junior,junior,staff,junior,staff,4212,447467166,369 136704 MacBook-Pro-of-c0t0d0s0.fritz.box
    path,/etc/apache2/2.2/httpd.conf
    use of authorization,solaris.admin.edit/etc/apache2/2.2/httpd.conf
    text,--- /etc/apache2/2.2/httpd.conf Mo. Aug 12 07:45:00 2013
    +++ /etc/apache2/2.2/httpd.conf.pfedit.1BaGoi Mo. Aug 12 07:45:52 2013
    @@ -1,5 +1,6 @@
     # Test
     # Test 2:
    +# Test 3:
     #
     # This is the main Apache HTTP server configuration file. It contains the
     # configuration directives that give the server its instructions.
    return,success,0

  • c0t0d0s0//org42

    Delegating privilege to restart services (so you can keep the root password)

  • c0t0d0s0//org43

    junior@template:~$ svcadm refresh apache22
    svcadm: svc:/network/http:apache22: Permission denied.

  • c0t0d0s0//org44

    # svcs -a | grep "apache22"
    online         15:30:29 svc:/network/http:apache22

  • c0t0d0s0//org45

    # auths add -t "Apache22 value" solaris.smf.value.http.apache22
    # auths add -t "Apache22 action" solaris.smf.action.http.apache22

  • c0t0d0s0//org46

    # svccfg -s apache22 setprop general/value_authorization= astring: solaris.smf.value.http.apache22
    # svccfg -s apache22 setprop general/action_authorization= astring: solaris.smf.action.http.apache22

  • c0t0d0s0//org47

    # profiles -p "httpd edit" \
        add auths=solaris.smf.action.http.apache22

  • c0t0d0s0//org48

    junior@template:~$ svcadm refresh apache22
    junior@template:~$

  • c0t0d0s0//org49

    Privileges

  • c0t0d0s0//org50

    $ ls -l /usr/sbin/traceroute
    -r-sr-xr-x 1 root bin 42324 Nov 21 00:09 /usr/sbin/traceroute
    $ ls -l /usr/sbin/ping
    -r-sr-xr-x 1 root bin 51396 Nov 18 19:31 /usr/sbin/ping

    Set-uid to root: ping needs it to work ...

  • c0t0d0s0//org51

    # chmod -s /sbin/ping
    # exit

    $ ping -s 192.168.1.132
    ping: socket Permission denied

    Remove the set-uid bit and ping will stop working ...

  • c0t0d0s0//org52

    jmoekamp@daddelkiste:~$ ppriv $$
    2153: -bash
    flags = <none>
            E: basic
            I: basic
            P: basic
            L: all

  • c0t0d0s0//org53

    contract_event,contract_identity,contract_observer,cpc_cpu,dtrace_kernel,dtrace_proc,dtrace_user,file_chown,file_chown_self,file_dac_execute,file_dac_read,file_dac_search,file_dac_write,file_downgrade_sl,file_flag_set,file_link_any,file_owner,file_read,file_setid,file_upgrade_sl,file_write,graphics_access,graphics_map,ipc_dac_read,ipc_dac_write,ipc_owner,net_access,net_bindmlp,net_icmpaccess,net_mac_aware,net_mac_implicit,net_observability,net_privaddr,net_rawaccess,proc_audit,proc_chroot,proc_clock_highres,proc_exec,proc_fork,proc_info,proc_lock_memory,proc_owner,proc_priocntl,proc_session,proc_setid,proc_taskid,proc_zone,sys_acct,sys_admin,sys_audit,sys_config,sys_devices,sys_dl_config,sys_flow_config,sys_ib_config,sys_ib_info,sys_ip_config,sys_ipc_config,sys_iptun_config,sys_linkdir,sys_mount,sys_net_config,sys_nfs,sys_ppp_config,sys_res_bind,sys_res_config,sys_resource,sys_share,sys_smb,sys_suser_compat,sys_time,sys_trans_label,win_colormap,win_config,win_dac_read,win_dac_write,win_devices,win_dga,win_downgrade_sl,win_fontpath,win_mac_read,win_mac_write,win_selection,win_upgrade_sl

  • c0t0d0s0//org54


    All privileges in their entirety assigned to one user: that's # (root), almost.

  • c0t0d0s0//org55


    Neat extension in Solaris 11: the ability to use networking is now a privilege (net_access). It's part of the default set of privileges, but you can remove it.

  • c0t0d0s0//org56

    moekamp@daddelkiste:~$ ppriv -v $$
    2153: -bash
    flags = <none>
            E: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
            I: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
            P: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
            L: contract_event,contract_identity,contract_observer,cpc_cpu,dtrace_kernel,dtrace_proc,dtrace_user,file_chown,file_chown_self,file_dac_execute,file_dac_read,file_dac_search,file_dac_write,file_downgrade_sl,file_flag_set,file_link_any,file_owner,file_read,file_setid,file_upgrade_sl,file_write,graphics_access,graphics_map,ipc_dac_read,ipc_dac_write,ipc_owner,net_access,net_bindmlp,net_icmpaccess,net_mac_aware,net_mac_implicit,net_observability,net_privaddr,net_rawaccess,proc_audit,proc_chroot,proc_clock_highres,proc_exec,proc_fork,proc_info,proc_lock_memory,proc_owner,proc_priocntl,proc_session,proc_setid,proc_taskid,proc_zone,sys_acct,sys_admin,sys_audit,sys_config,sys_devices,sys_dl_config,sys_flow_config,sys_ib_config,sys_ib_info,sys_ip_config,sys_ipc_config,sys_iptun_config,sys_linkdir,sys_mount,sys_net_config,sys_nfs,sys_ppp_config,sys_res_bind,sys_res_config,sys_resource,sys_share,sys_smb,sys_suser_compat,sys_time,sys_trans_label,win_colormap,win_config,win_dac_read,win_dac_write,win_devices,win_dga,win_downgrade_sl,win_fontpath,win_mac_read,win_mac_write,win_selection,win_upgrade_sl

  • c0t0d0s0//org57

    root@daddelkiste:~# ppriv $$
    2183: -bash
    flags = <none>
            E: all
            I: basic
            P: all
            L: all

  • c0t0d0s0//org58

    junior@daddelkiste:~$ dtrace -n 'syscall:::entry { @num[execname] = count(); }'
    dtrace: failed to initialize dtrace: DTrace requires additional privileges

  • c0t0d0s0//org59

    root@daddelkiste:~# usermod -K defaultpriv=basic,dtrace_kernel,dtrace_proc,dtrace_user junior
    UX: usermod: junior is currently logged in, some changes may not take effect until next login.

  • c0t0d0s0//org60

    junior@daddelkiste:~$ dtrace -n 'syscall:::entry { @num[execname] = count(); }'
    dtrace: description 'syscall:::entry ' matched 211 probes
    ^C

      automountd      1
      sshd           24
      dtrace        544
      auditd        564

  • c0t0d0s0//org61

    # ps -ef | grep "kcfd"
      daemon   125     1   0 14:24:19 ?           0:00 /usr/lib/crypto/kcfd
        root   734   728   0 15:54:08 pts/1       0:00 grep kcfd
    # ppriv -v 125
    125: /usr/lib/crypto/kcfd
    flags = PRIV_AWARE
            E: file_owner,proc_priocntl,sys_devices
            I: none
            P: file_owner,proc_priocntl,sys_devices
            L: none

  • c0t0d0s0//org62

    # svcadm -v enable -s apache2
    svc:/network/http:apache2 enabled.

  • c0t0d0s0//org63

    jmoekamp@client:~$ ps -ef | grep "http"
    webservd 1978 1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
    webservd 1979 1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
    webservd 1980 1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
    webservd 1984 1975   0 12:20:02 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
        root 1975    1   0 12:19:14 ?           0:01 /usr/apache2/2.2/bin/httpd -k start
    webservd 1977 1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
    webservd 1976 1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start

  • c0t0d0s0//org64

    root@client:~# ppriv 1977
    1977: /usr/apache2/2.2/bin/httpd -k start
    flags = <none>
            E: basic
            I: basic
            P: basic
            L: all
    root@client:~# ppriv 1975
    1975: /usr/apache2/2.2/bin/httpd -k start
    flags = <none>
            E: all
            I: basic
            P: all
            L: all
    root@client:~#

  • c0t0d0s0//org65


    The apache process as root has the following privileges:

  • c0t0d0s0//org66


    The other processes have the following privileges:

  • c0t0d0s0//org67


    Apache really needs:

  • c0t0d0s0//org68


    So you grant a large number of privileges to one process that Apache doesn't need.

  • c0t0d0s0//org69

    svcadm -v disable -s apache2
    svc:/network/http:apache2 disabled.

  • c0t0d0s0//org70

    root@client:~# svccfg -s apache22
    svc:/network/http:apache22> setprop start/user = astring: webservd
    svc:/network/http:apache22> setprop start/group = astring: webservd
    svc:/network/http:apache22> setprop start/privileges = astring: basic,!proc_session,!proc_info,!file_link_any,net_privaddr
    svc:/network/http:apache22> setprop start/limit_privileges = astring: :default
    svc:/network/http:apache22> setprop start/use_profile = boolean: false
    svc:/network/http:apache22> setprop start/supp_groups = astring: :default
    svc:/network/http:apache22> setprop start/working_directory = astring: :default
    svc:/network/http:apache22> setprop start/project = astring: :default
    svc:/network/http:apache22> setprop start/resource_pool = astring: :default
    svc:/network/http:apache22> end
    root@client:~# svcadm -v refresh apache22
    Action refresh set for svc:/network/http:apache22.

  • c0t0d0s0//org71

    # echo "LockFile /var/apache2/2.2/logs/accept.lock" >> /etc/apache2/2.2/httpd.conf
    # echo "PidFile /var/apache2/2.2/run/httpd.pid" >> /etc/apache2/2.2/httpd.conf
    # mkdir -p -m 755 /var/apache2/2.2/run
    # chown webservd:webservd /var/apache2/2.2/run
    # svcadm enable apache22

  • c0t0d0s0//org72

    webservd 3064 3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
    webservd 3062 3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
    webservd 3063 3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
    webservd 3066 3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
    webservd 3061    1   0 16:49:17 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
    webservd 3065 3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start

  • c0t0d0s0//org73

    Read-only zone root

  • c0t0d0s0//org74

    zonecfg:testzone> set file-mac-profile=none
    Standard, read-write, non-global zone, with no additional protection beyond the existing zones boundaries.

    zonecfg:testzone> set file-mac-profile=strict
    Read-only file system, no exceptions.

    zonecfg:testzone> set file-mac-profile=fixed-configuration
    Permits updates to /var/* directories, with the exception of directories that contain system configuration components.

    zonecfg:testzone> set file-mac-profile=flexible-configuration
    Permits modification of files in /etc/* directories, changes to root's home directory, and updates to /var/* directories. This configuration provides the closest functionality to the Oracle Solaris 10 native sparse root zone.

  • c0t0d0s0//org75

    in-kernel SSL Proxy

  • c0t0d0s0//org76

    # mkdir /etc/keys
    # cd /etc/keys
    # openssl req -x509 -nodes -days 365 -subj "/C=DE/ST=Hamburg/L=Hamburg/CN=server" -newkey rsa:1024 -keyout /etc/keys/mykey.pem -out /etc/keys/mycert.pem
    # cat mycert.pem mykey.pem > my.pem
    # chmod 600 *

  • c0t0d0s0//org77

    # echo "pass" > /etc/keys/my.pass
    # ksslcfg create -f pem -i /etc/keys/my.pem -x 8080 -p /etc/keys/my.pass server 443

  • c0t0d0s0//org78

    ksslcfg create -f pem -i /etc/keys/my.pem -x 8080 \
        -p /etc/keys/my.pass \
        -c "rsa_aes_256_cbc_sha,rsa_aes_128_cbc_sha,rsa_rc4_128_sha,rsa_rc4_128_md5" \
        server 443

  • c0t0d0s0//org79

    # svcs -a | grep "kssl"
    online          9:03:33 svc:/network/ssl/proxy:kssl-server-443

  • c0t0d0s0//org80

    # svcadm disable apache22
    # echo "Listen 192.168.178.108:8080" >> /etc/apache2/2.2/httpd.conf
    # svcadm enable apache22

    Port number and IP address have to be defined in httpd.conf, otherwise it will not work.

  • c0t0d0s0//org81

    # openssl s_client -connect server:443
    CONNECTED(00000004)
    depth=0 /C=DE/ST=Hamburg/L=Hamburg/CN=server
    verify error:num=18:self signed certificate
    verify return:1
    depth=0 /C=DE/ST=Hamburg/L=Hamburg/CN=server
    verify return:1
    ---
    Certificate chain
     0 s:/C=DE/ST=Hamburg/L=Hamburg/CN=server
       i:/C=DE/ST=Hamburg/L=Hamburg/CN=server
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    MIICoTCCAgqgAwIBAgIJAKyJdj/[...]V5jX3MU=
    -----END CERTIFICATE-----
    subject=/C=DE/ST=Hamburg/L=Hamburg/CN=server
    issuer=/C=DE/ST=Hamburg/L=Hamburg/CN=server
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 817 bytes and written 328 bytes
    ---
    New, TLSv1/SSLv3, Cipher is RC4-SHA
    Server public key is 1024 bit
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : TLSv1
        Cipher    : RC4-SHA
        Session-ID: 32CEF20CB9FE2A71C74D40BB2DB5CB304DA1B57540B7CFDD113915B99DBE9812
        Session-ID-ctx:
        Master-Key: 1E7B502390951124779C5763B5E4BBAF0A9B0693D08DCA8A587B503A5C5027B6FAD9CA7626B1AD8C62219E8502A5C21E
        Key-Arg   : None
        Start Time: 1242985143
        Timeout   : 300 (sec)
        Verify return code: 18 (self signed certificate)
    ---
    GET / HTTP/1.0

    HTTP/1.1 200 OK
    Date: Fri, 22 May 2009 09:39:13 GMT
    Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8a DAV/2
    Last-Modified: Thu, 21 May 2009 21:26:30 GMT
    ETag: "341f3-2c-46a72cc211a8f"
    Accept-Ranges: bytes
    Content-Length: 44
    Connection: close
    Content-Type: text/html

    It works!
    read:errno=0

  • c0t0d0s0//org82

    ZFS Encryption

  • c0t0d0s0//org83

    # zfs create -o encryption=on rpool/export/project

  • c0t0d0s0//org84

    Two keys are involved:
    • wrapping key: user settable; sourced from a passphrase prompt, a file, an https URL or a PKCS#11 token
    • data encryption key: random, not user settable; stored on disk wrapped by the wrapping key

  • c0t0d0s0//org85

    Supported values of the encryption property:
    • aes-128-ccm (= on)
    • aes-192-ccm
    • aes-256-ccm
    • aes-128-gcm
    • aes-192-gcm
    • aes-256-gcm

  • c0t0d0s0//org86

    If encryption is not off, something like an automatic

        zfs set checksum=sha256+mac

    occurs. The checksum property is read-only from then on.

  • c0t0d0s0//org87

    # pktool genkey keystore=pkcs11 keytype=aes keylen=128 label=mykey
    Enter PIN for Sun Software PKCS#11 softtoken:
    # zfs create -o encryption=on -o keysource=raw,pkcs11:object=mykey tank/project/C
    Enter PKCS#11 token PIN for 'tank/project/C':

  • c0t0d0s0//org88

    # zfs create -o encryption=on -o keysource=raw,https://keys.example.com/mykey tank/project/R
    # cp myservercert.pem /etc/certs/CA/
    # svcadm refresh ca-certificates

    The key server's certificate has to be trusted by the ca-certificates service, otherwise the https keysource cannot be fetched.


  • c0t0d0s0//org90

    $ zfs key -c rpool/export/project
    Enter new passphrase for 'rpool/export/project':

    Changing the wrapping key. The data encryption key stays the same; it is only re-wrapped with the new passphrase.

    Changing the encryption key

  • c0t0d0s0//org92

    # zfs key -K tank/project/A
    # zfs clone -K tank/project/A@montag tank/project/D

    Changing the encryption key for data written from now on.

    zfs key -K creates a new data encryption key for the dataset; data already on disk was written with the previous key and remains readable. zfs clone -K does the same for a clone: data written in the clone uses a new data encryption key, distinct from that of its origin snapshot.

  • c0t0d0s0//org93

    Solaris Cryptographic Framework

  • c0t0d0s0//org94

    As soon as Solaris detects hardware acceleration for cryptography, Solaris will use it (and so do applications using the Oracle-supplied OpenSSL library or the framework's interfaces directly):
    • on-chip crypto accelerator in T-series and current M-series chips
    • instruction set extensions in Intel processors (AES-NI)
    • supported crypto accelerator cards

  • c0t0d0s0//org95

    Just a side note: T-series crypto acceleration and Intel x86 acceleration have quite different performance characteristics.

    T-series: acceleration by offloading crypto to a unit outside the pipeline
    Intel x86: acceleration by offering special in-pipeline instructions that speed up execution

    Sounds like splitting hairs ...

  • c0t0d0s0//org98

    Using ZFS to do two-factor encryption

  • c0t0d0s0//org99

    jmoekamp@solaris:~$ rmformat
    Looking for devices...
         1. Logical Node: /dev/rdsk/c10t0d0p0
            Physical Node: /pci@0,0/pci8086,265c@b/storage@2/disk@0,0
            Connected Device: SanDisk U3 Cruzer Micro 8.02
            Device Type: Removable
            Bus: USB
            Size: 3.8 GB
            Label:
            Access permissions: Medium is not write protected.
    (...)
         3. Logical Node: /dev/rdsk/c9t0d0p0
            Physical Node: /pci@0,0/pci8086,265c@b/storage@1/disk@0,0
            Connected Device: SanDisk U3 Cruzer Micro 8.02
            Device Type: Removable
            Bus: USB
            Size: 3.8 GB
            Label:
            Access permissions: Medium is not write protected.

  • c0t0d0s0//org100

    root@solaris:/# zpool create a_keystore_usbstick /dev/dsk/c10t0d0p0
    root@solaris:/# zpool create datastick /dev/dsk/c9t0d0p0

  • c0t0d0s0//org101

    root@solaris:/# zfs create -o encryption=on a_keystore_usbstick/keys
    Enter passphrase for 'a_keystore_usbstick/keys': supersecret
    Enter again: supersecret

  • c0t0d0s0//org102

    root@solaris:/# pktool genkey keystore=file keytype=aes keylen=128 outkey=/a_keystore_usbstick/keys/joergsdatastick.key

  • c0t0d0s0//org103

    root@solaris:/# zfs create -o encryption=on \
        -o keysource=raw,file:///a_keystore_usbstick/keys/joergsdatastick.key \
        datastick/joergssecrets

  • c0t0d0s0//org104

    root@solaris:/datastick/joergssecrets# mv /home/jmoekamp/highlyconfidential_nda_presos.tgz .

  • c0t0d0s0//org105

    root@solaris:/# zpool export a_keystore_usbstick
    root@solaris:/# zpool export datastick

  • c0t0d0s0//org106

    root@solaris:/# zpool import a_keystore_usbstick
    Enter passphrase for 'a_keystore_usbstick/keys': supersecret
    root@solaris:/#

  • c0t0d0s0//org107

    root@solaris:/# zpool import datastick
    root@solaris:/# cd /datastick/joergssecrets
    root@solaris:/datastick/joergssecrets# ls
    highlyconfidential_nda_presos.tgz

    The data stick mounts without a prompt because its raw key file is read from the keystore stick, which was unlocked with the passphrase a moment ago. Without the keystore stick (something you have) and its passphrase (something you know) the dataset on the data stick cannot be mounted.

  • c0t0d0s0//org108

    Basic Auditing and Reporting Tool

  • c0t0d0s0//org109

    # mkdir /bart-files
    # bart create -R /etc > /bart-files/etc.control.manifest

  • c0t0d0s0//org110

    # cat etc.control.manifest | grep "/nsswitch.nisplus"
    /nsswitch.nisplus F 2525 100644 user::rw-,group::r--,mask:r--,other:r-- 473976b5 0 3 79e8fd689a5221d1cd059e5077da71b8

    Fields of a manifest line: file name, type (F = regular file), size, mode, ACL, mtime (hex), uid, gid, MD5 of the contents.

  • c0t0d0s0//org112

    # touch /etc/thisisjustatest
    # chmod 777 /etc/nsswitch.files
    # echo "#just a test" >> /etc/nsswitch.nisplus

  • c0t0d0s0//org113

    # bart create -R /etc > /bart-files/etc.check20130911.manifest

  • c0t0d0s0//org114

    # cd /bart-files
    # bart compare etc.control.manifest etc.check20130911.manifest

    /nsswitch.files:
      mode  control:100644  test:100777
      acl  control:user::rw-,group::r--,mask:r--,other:r--  test:user::rwx,group::rwx,mask:rwx,other:rwx
    /nsswitch.nisplus:
      size  control:2525  test:2538
      mtime  control:473976b5  test:47a44862
      contents  control:79e8fd689a5221d1cd059e5077da71b8  test:3f79176ec352441db11ec8a3d02ef67c
    /thisisjustatest:
      add

  • c0t0d0s0//org115

    Find more information regarding this feature at:http://www.c0t0d0s0.org/archives/4069-Less-known-Solaris-features-BART.html#


  • c0t0d0s0//org116

    Apropos Auditing

  • c0t0d0s0//org117

    Auditing is activated by default

  • c0t0d0s0//org118

    root@client:~# auditconfig -getflags
    active user default audit flags = lo(0x1000,0x1000)
    configured user default audit flags = lo(0x1000,0x1000)
    root@client:~# auditconfig -getnaflags
    active non-attributable audit flags = lo(0x1000,0x1000)
    configured non-attributable audit flags = lo(0x1000,0x1000)

  • c0t0d0s0//org119

    root@client:~# auditconfig -getpolicy
    configured audit policies = cnt
    active audit policies = cnt

    Policy regarding auditing (explanation on the next slide)

  • c0t0d0s0//org120

    root@client:~# auditconfig -lspolicy
    policy string     description:
    ahlt              halt machine if it can not record an async event
    all               all policies
    arge              include exec environment args in audit recs
    argv              include exec command line args in audit recs
    cnt               when no more space, drop recs and keep a cnt
    group             include supplementary groups in audit recs
    none              no policies
    path              allow multiple paths per event
    perzone           use a separate queue and auditd per zone
    public            audit public files
    seq               include a sequence number in audit recs
    trail             include trailer token in audit recs
    windata_down      include downgraded window information in audit recs
    windata_up        include upgraded window information in audit recs
    zonename          include zonename token in audit recs

    Which degree of detail? What happens with full disks? (With the default cnt, records are dropped and counted; with ahlt the machine halts rather than lose an event.)

  • c0t0d0s0//org121

    root@client:~# auditconfig -getplugin
    Plugin: audit_binfile (active)
        Attributes: p_dir=/var/audit;p_fsize=0;p_minfree=1

    Plugin: audit_syslog (inactive)
        Attributes: p_flags=

    Plugin: audit_remote (inactive)
        Attributes: p_hosts=;p_retries=3;p_timeout=5

  • c0t0d0s0//org123

    root@client:~# auditconfig -setflags lo,ps,fw
    user default audit flags = ps,lo,fw(0x101002,0x101002)
    root@client:~# auditconfig -setnaflags lo,na
    non-attributable audit flags = lo,na(0x1400,0x1400)

    lo and na are the only sensible flags for non-attributable events.

  • c0t0d0s0//org124

    root@client:~# usermod -K audit_flags=fw:as junior

    Per-user flags override the system default for that user: the classes before the colon are always audited, the classes after it never.

  • c0t0d0s0//org125

    root@client:~# auditconfig -lsevent | grep " lo "
    AUE_login                6152 lo login - local
    AUE_logout               6153 lo logout
    AUE_telnet               6154 lo login - telnet
    AUE_rlogin               6155 lo login - rlogin
    AUE_rshd                 6158 lo rsh access
    AUE_su                   6159 lo su
    AUE_rexecd               6162 lo rexecd
    AUE_passwd               6163 lo passwd
    AUE_rexd                 6164 lo rexd
    AUE_ftpd                 6165 lo ftp access
    AUE_ftpd_logout          6171 lo ftp logout
    AUE_ssh                  6172 lo login - ssh
    AUE_role_login           6173 lo role login
    AUE_rad_login            6174 lo connect to RAD
    AUE_newgrp_login         6212 lo newgrp login
    AUE_admin_authenticate   6213 lo admin login
    AUE_screenlock           6221 lo screenlock - lock
    AUE_screenunlock         6222 lo screenlock - unlock
    AUE_zlogin               6227 lo login - zlogin
    AUE_su_logout            6228 lo su logout
    AUE_role_logout          6229 lo role logout
    AUE_smbd_session         6244 lo smbd(1m) session setup
    AUE_smbd_logoff          6245 lo smbd(1m) session logoff

  • c0t0d0s0//org126

    root@client:~# auditconfig -lsevent | grep " ps "
    AUE_EXIT                    1 ps exit(2)
    AUE_FORKALL                 2 ps forkall(2)
    AUE_VFORK                  25 ps vfork(2)
    AUE_FORK1                 241 ps fork1(2)
    root@client:~# auditconfig -lsevent | grep " fw "
    AUE_OPEN_W                 76 fw open(2) - write

  • c0t0d0s0//org127

    # auditreduce -c ps /var/audit/20130912183630.not_terminated.client | praudit

    header,139,2,execve(2),,client,2013-09-12 18:40:55.924 +00:00
    path,/usr/sbin/auditreduce
    attribute,100555,root,bin,65538,65875,18446744073709551615
    subject,jmoekamp,root,root,root,root,2054,1440080956,2480 202240 192.168.10.1
    return,success,0
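What follows is an added example, not from the original slides: a small parser for the comma-separated praudit output shown above, plus two queries a practitioner would run over it. The token layout follows what is visible on the slide (header, path, attribute, subject, return); the first record is the slide's own, the ssh-login and su records after it are constructed sample data and not real audit trail output. The subject token is the interesting one: its first field is the audit ID (who logged in), the second the effective user, so the two can be compared.

```python
"""Parse praudit(1M) text output and run two detection queries over it
(added example; constructed sample records, not a real audit trail)."""

SAMPLE = """\
header,139,2,execve(2),,client,2013-09-12 18:40:55.924 +00:00
path,/usr/sbin/auditreduce
attribute,100555,root,bin,65538,65875,18446744073709551615
subject,jmoekamp,root,root,root,root,2054,1440080956,2480 202240 192.168.10.1
return,success,0
header,90,2,login - ssh,,client,2013-09-12 18:42:01.100 +00:00
subject,junior,junior,staff,junior,staff,2101,1440080999,3011 202240 192.168.10.9
text,invalid password
return,failure,1
header,96,2,su,,client,2013-09-12 18:43:12.004 +00:00
subject,junior,root,root,root,root,2120,1440080999,3011 202240 192.168.10.9
text,success for user root
return,success,0
"""


def parse_praudit(text):
    """Group token lines into records; a record starts at each header token.
    header: version,event-modifier? no: (record length, version, event,
    modifier, host, time); subject: (audit-id, uid, gid, ruid, rgid, pid,
    session-id, terminal-id with the remote address as last word)."""
    records, cur = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        tok, *fields = line.split(",")
        if tok == "header":
            cur = {"event": fields[2], "host": fields[4], "time": fields[5],
                   "paths": [], "text": []}
            records.append(cur)
        elif cur is None:
            continue                      # token before any header: skip
        elif tok == "path":
            cur["paths"].append(fields[0])
        elif tok == "subject":
            cur["audit_user"] = fields[0]
            cur["euid"] = fields[1]
            cur["pid"] = int(fields[5])
            cur["remote"] = fields[7].split()[-1]
        elif tok == "text":
            cur["text"].append(",".join(fields))
        elif tok == "return":
            cur["status"] = fields[0]
    return records


def privileged_as_other_user(records):
    """Records where the audit ID is not root but the effective user is:
    everything done after su or through a role. The audit ID survives
    su, which is the whole point of it; the euid alone would say 'root'."""
    return [r for r in records
            if r.get("euid") == "root" and r.get("audit_user") != "root"]


def failed_logins(records):
    """(user, remote address) for every failed lo-class login event."""
    return [(r["audit_user"], r["remote"]) for r in records
            if r["event"].startswith("login") and r.get("status") == "failure"]


if __name__ == "__main__":
    recs = parse_praudit(SAMPLE)
    for r in privileged_as_other_user(recs):
        print("privileged:", r["audit_user"], "as", r["euid"], r["event"], r["time"])
    print("failed logins:", failed_logins(recs))
```

For a real trail, feed `auditreduce ... | praudit` into `parse_praudit`; with the `-x` option praudit emits XML instead, which would need a different parser.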

  • c0t0d0s0//org128

    root@client:~# auditconfig -setflags all
    user default audit flags = all(0xffffffffffffffff,0xffffffffffffffff)

    Not always (in the sense of: never) a good idea.

    Useful after trying it out: start a new audit file
    root@client:~# audit -n

  • c0t0d0s0//org129

    All classes activated for a few seconds on an unloaded system:

    root@client:~# auditstat
       gen  nona  kern   aud   ctl   enq  wrtn  wblk  rblk  drop   tot   mem
     38248     1 38233    14     0 37791 37788     0  3491   457  5169     0

    Note the drop column: with the cnt policy, 457 records were already discarded.

  • c0t0d0s0//org130

    SSH and X.509

  • c0t0d0s0//org131

    root@ca:~# CA.pl -newca
    CA certificate filename (or enter to create)

    Making CA certificate ...
    Generating a 1024 bit RSA private key
    ...............++++++
    ..++++++
    writing new private key to '/etc/openssl/private/cakey.pem'
    Enter PEM pass phrase: supersecret1
    Verifying - Enter PEM pass phrase: supersecret1
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) []:DE
    State or Province Name (full name) []:Lower Saxony
    Locality Name (eg, city) []:Lueneburg
    Organization Name (eg, company) []:c0t0d0s0.org
    Organizational Unit Name (eg, section) []:Security Department
    Common Name (e.g. server FQDN or YOUR name) []:CA
    Email Address []:

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    Using configuration from /etc/openssl/openssl.cnf
    Enter pass phrase for /etc/openssl/private/cakey.pem: supersecret1
    Check that the request matches the signature
    Signature ok
    Certificate Details:
            Serial Number:
                b3:54:80:88:66:ad:e8:78
            Validity
                Not Before: Sep 26 10:11:09 2013 GMT
                Not After : Sep 25 10:11:09 2016 GMT
            Subject:
                countryName               = DE
                stateOrProvinceName       = Lower Saxony
                organizationName          = c0t0d0s0.org
                organizationalUnitName    = Security Department
                commonName                = CA
            X509v3 extensions:
                X509v3 Subject Key Identifier:
                    5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44
                X509v3 Authority Key Identifier:
                    keyid:5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44

                X509v3 Basic Constraints:
                    CA:TRUE
    Certificate is to be certified until Sep 25 10:11:09 2016 GMT (1095 days)

    Write out database with 1 new entries
    Data Base Updated
    #

  • c0t0d0s0//org132

    root@ca:~# mkdir server
    root@ca:~# cd server
    root@ca:~/server# CA.pl -newreq
    Generating a 1024 bit RSA private key
    .....++++++
    ..................++++++
    writing new private key to 'newkey.pem'
    Enter PEM pass phrase: supersecret2
    Verifying - Enter PEM pass phrase: supersecret2
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) []:DE
    State or Province Name (full name) []:Lower Saxony
    Locality Name (eg, city) []:Lueneburg
    Organization Name (eg, company) []:c0t0d0s0.org
    Organizational Unit Name (eg, section) []:Server Certificates
    Common Name (e.g. server FQDN or YOUR name) []:server
    Email Address []:

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    Request is in newreq.pem, private key is in newkey.pem

  • c0t0d0s0//org134

    root@ca:~/server# CA.pl -signreq
    Using configuration from /etc/openssl/openssl.cnf
    Enter pass phrase for /etc/openssl/private/cakey.pem: supersecret1
    Check that the request matches the signature
    Signature ok
    Certificate Details:
            Serial Number:
                b3:54:80:88:66:ad:e8:79
            Validity
                Not Before: Sep 26 10:29:12 2013 GMT
                Not After : Sep 26 10:29:12 2014 GMT
            Subject:
                countryName               = DE
                stateOrProvinceName       = Lower Saxony
                localityName              = Lueneburg
                organizationName          = c0t0d0s0.org
                organizationalUnitName    = Server Certificates
                commonName                = server
            X509v3 extensions:
                X509v3 Basic Constraints:
                    CA:FALSE
                Netscape Comment:
                    OpenSSL Generated Certificate
                X509v3 Subject Key Identifier:
                    A7:DC:03:DE:B3:D5:FB:F9:C0:06:F1:1A:55:A9:AD:04:C4:9C:10:FA
                X509v3 Authority Key Identifier:
                    keyid:5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44

    Certificate is to be certified until Sep 26 10:29:12 2014 GMT (365 days)
    Sign the certificate? [y/n]:y

    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated
    Signed certificate is in newcert.pem
    root@ca:~/server# ls -l
    total 15
    -rw-r--r--   1 root     root        3196 Sep 26 12:29 newcert.pem
    -rw-r--r--   1 root     root        1041 Sep 26 12:28 newkey.pem
    -rw-r--r--   1 root     root         680 Sep 26 12:28 newreq.pem

  • c0t0d0s0//org135

    root@ca:~/junior# CA.pl -newreq
    Generating a 1024 bit RSA private key
    ..........++++++
    ......++++++
    writing new private key to 'newkey.pem'
    Enter PEM pass phrase:
    Verifying - Enter PEM pass phrase:
    Verify failure
    Enter PEM pass phrase: supersecret3
    Verifying - Enter PEM pass phrase: supersecret3
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) []:DE
    State or Province Name (full name) []:Lower Saxony
    Locality Name (eg, city) []:Lueneburg
    Organization Name (eg, company) []:c0t0d0s0.org
    Organizational Unit Name (eg, section) []:User certificates
    Common Name (e.g. server FQDN or YOUR name) []:junior
    Email Address []:

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    Request is in newreq.pem, private key is in newkey.pem

  • c0t0d0s0//org136

    root@ca:~/junior# CA.pl -signreq
    Using configuration from /etc/openssl/openssl.cnf
    Enter pass phrase for /etc/openssl/private/cakey.pem:
    Check that the request matches the signature
    Signature ok
    Certificate Details:
            Serial Number:
                b3:54:80:88:66:ad:e8:7a
            Validity
                Not Before: Sep 26 11:09:29 2013 GMT
                Not After : Sep 26 11:09:29 2014 GMT
            Subject:
                countryName               = DE
                stateOrProvinceName       = Lower Saxony
                localityName              = Lueneburg
                organizationName          = c0t0d0s0.org
                organizationalUnitName    = User certificates
                commonName                = junior
            X509v3 extensions:
                X509v3 Basic Constraints:
                    CA:FALSE
                Netscape Comment:
                    OpenSSL Generated Certificate
                X509v3 Subject Key Identifier:
                    A1:F2:FC:9D:8A:E2:AD:9A:F5:29:03:F5:B7:14:93:3C:64:62:8E:9C
                X509v3 Authority Key Identifier:
                    keyid:5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44

    Certificate is to be certified until Sep 26 11:09:29 2014 GMT (365 days)
    Sign the certificate? [y/n]:y

    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated
    Signed certificate is in newcert.pem
    #

  • c0t0d0s0//org137

    root@server:~# useradd -m junior
    80 blocks
    root@server:~# passwd junior
    New Password:
    Re-enter new Password:
    passwd: password successfully changed for junior
    root@server:~#

    root@client:~# useradd -m junior
    80 blocks
    root@client:~# passwd junior
    New Password:
    Re-enter new Password:
    passwd: password successfully changed for junior

  • c0t0d0s0//org138

    root@server:~# echo "192.168.10.51 server" >> /etc/hosts
    root@server:~# echo "192.168.10.52 client" >> /etc/hosts

    root@client:~# echo "192.168.10.51 server" >> /etc/hosts
    root@client:~# echo "192.168.10.52 client" >> /etc/hosts

  • c0t0d0s0//org139

    root@ca:~/server# scp /etc/openssl/cacert.pem [email protected]:/export/home/jmoekamp
    Password:
    cacert.pem           100% |****************************************|  3011       00:00
    root@ca:~/server# scp newcert.pem [email protected]:/export/home/jmoekamp
    Password:
    newcert.pem          100% |****************************************|  3196       00:00
    root@ca:~/server# scp newkey.pem [email protected]:/export/home/jmoekamp
    Password:
    newkey.pem           100% |****************************************|  1041       00:00

    root@ca:~/junior# scp newkey.pem junior@client:/export/home/junior
    Password:
    newkey.pem           100% |****************************************|  1041       00:00
    root@ca:~/junior# scp newcert.pem junior@client:/export/home/junior
    Password:
    newcert.pem          100% |****************************************|  3190       00:00
    root@ca:~/junior# scp /etc/openssl/cacert.pem [email protected]:/export/home/junior
    Password:
    cacert.pem           100% |****************************************|  3011       00:00


  • c0t0d0s0//org140

    On the Server

  • c0t0d0s0//org141

    root@server:~# ls
    cacert.pem   newcert.pem  newkey.pem

  • c0t0d0s0//org143

    root@server:~# pktool setpin
    Enter token passphrase: changeme
    Create new passphrase: superserversecret
    Re-enter new passphrase: superserversecret
    Passphrase changed.
    root@server:~#

  • c0t0d0s0//org144

    root@server:~# printf "superserversecret" > /etc/ssh/pinfile

    The file holds the token PIN in clear text, so it has to be readable by root only.

  • c0t0d0s0//org146

    root@server:~# kmfcfg create dbfile=/etc/ssh/policy.xml policy=ssh ta-name=search mapper-name=cn

  • c0t0d0s0//org147

    root@server:~# echo "TrustedAnchorKeystore /etc/ssh/cert" >> /etc/ssh/sshd_config
    root@server:~# echo "KMFPolicyDatabase /etc/ssh/policy.xml" >> /etc/ssh/sshd_config
    root@server:~# echo "KMFPolicyName ssh" >> /etc/ssh/sshd_config
    root@server:~# echo "HostKey pkcs11:object=host;token=Sun Metaslot;pinfile=/etc/ssh/pinfile" >> /etc/ssh/sshd_config

  • c0t0d0s0//org148

    root@server:~# pktool import keystore=pkcs11 infile=newkey.pem objtype=key label=host
    Enter PIN for Sun Software PKCS#11 softtoken: superserversecret
    Enter PEM pass phrase: supersecret2
    Importing 1 keys

  • c0t0d0s0//org149

    root@server:~# egrep -v "^ |^$|^Cert" /export/home/jmoekamp/cacert.pem > /etc/ssh/cert/cacert.cooked.pem
    root@server:~# egrep -v "^ |^$|^Cert" newcert.pem > newcert.cooked.pem
    root@server:~# pktool import keystore=pkcs11 infile=newcert.cooked.pem objtype=cert label=host
    root@server:~#

    The egrep strips the human-readable certificate dump that CA.pl writes in front of the PEM block (that is why newcert.pem is 3196 bytes); pktool and the trust anchor directory only take the bare PEM. The directory /etc/ssh/cert has to exist before the first redirect.

  • c0t0d0s0//org150

    On the client

  • c0t0d0s0//org151

    junior@client:~$ ls *.pem
    cacert.pem   newcert.pem  newkey.pem

  • c0t0d0s0//org152

    root@client:~# kmfcfg create dbfile=/etc/ssh/policy.xml policy=ssh ta-name=search mapper-name=cn
    root@client:~# egrep -v "^ |^$|^Cert" /export/home/junior/cacert.pem > /etc/ssh/cert/cacert.cooked.pem

  • c0t0d0s0//org153

    junior@client:~$ pktool setpin
    Enter token passphrase: changeme
    Create new passphrase: superusersecret
    Re-enter new passphrase: superusersecret
    Passphrase changed.

  • c0t0d0s0//org154

    junior@client:~$ pktool import keystore=pkcs11 infile=newkey.pem objtype=key label=user
    Enter PIN for Sun Software PKCS#11 softtoken: superusersecret
    Enter PEM pass phrase: supersecret3
    Importing 1 keys
    junior@client:~$ egrep -v "^ |^$|^Cert" newcert.pem > newcert.cooked.pem
    junior@client:~$ pktool import keystore=pkcs11 infile=newcert.cooked.pem objtype=cert label=user
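Both the server and the client step above "cook" CA.pl output with `egrep -v "^ |^$|^Cert"` before handing it to pktool. The following is an added example, not from the original slides: the same job done by cutting strictly on the BEGIN/END markers, next to a literal translation of the egrep. The egrep works on the files in the demo, but it deletes every line that starts with "Cert", and a base64 line inside the PEM body can in principle start with exactly those four characters; the marker-based version does not have that problem. The certificate body below is constructed filler, not a real certificate.

```python
"""Extract bare PEM blocks from CA.pl / openssl ca output that carries a
text dump in front of the certificate (added example, not pktool code).
The CAPL_OUTPUT sample is constructed; its base64 body is filler."""
import re

# one PEM block: the END label must repeat the BEGIN label (backreference)
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\n.*?-----END \1-----\n", re.S)


def cook_pem(text, kind="CERTIFICATE"):
    """Return only the PEM blocks of the given kind, everything else dropped."""
    return "".join(m.group(0) for m in PEM_RE.finditer(text) if m.group(1) == kind)


def cook_pem_egrep_style(text):
    """Literal translation of the slide's  egrep -v "^ |^$|^Cert"  filter."""
    return "".join(line + "\n" for line in text.splitlines()
                   if not (line.startswith(" ") or line == "" or line.startswith("Cert")))


CAPL_OUTPUT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            b3:54:80:88:66:ad:e8:79
        Issuer: C=DE, ST=Lower Saxony, O=c0t0d0s0.org, OU=Security Department, CN=CA
        Subject: C=DE, ST=Lower Saxony, L=Lueneburg, O=c0t0d0s0.org, OU=Server Certificates, CN=server
-----BEGIN CERTIFICATE-----
MIICxjCCAiConstructedFillerLine1NotARealCertificateBody0000000000
CertAbase64LineMayLegallyStartWithTheseFourCharacters00000000000
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    print(cook_pem(CAPL_OUTPUT))
    print("egrep-style keeps the unlucky line:",
          "CertAbase64" in cook_pem_egrep_style(CAPL_OUTPUT))
```

Running `openssl ca` with `-notext` avoids the dump in the first place; CA.pl as shipped with the OpenSSL of that Solaris release does not pass it, hence the filter on the slides.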

  • c0t0d0s0//org155

    Testing it

  • c0t0d0s0//org156

    root@server:~# svcadm disable ssh
    root@server:~# svcadm enable ssh

  • c0t0d0s0//org157

    junior@client:~$ cd .ssh
    junior@client:~/.ssh$ printf "superusersecret" >> pinfile
    junior@client:~/.ssh$ cat config
    Host server-x509
        Hostname server
        TrustedAnchorKeystore /etc/ssh/cert
        KMFPolicyDatabase /etc/ssh/policy.xml
        KMFPolicyName ssh
        IdentityFile pkcs11:object=user;token=Sun Software PKCS#11 softtoken;pinfile=/export/home/junior/.ssh/pinfile

  • c0t0d0s0//org158

    junior@client:~/.ssh$ ssh junior@server-x509
    Last login: Thu Sep 26 20:07:14 2013 from client
    Oracle Corporation      SunOS 5.11      11.1    September 2013
    junior@server:~$

    No password prompt: the user's certificate is validated against the CA in the trust anchor keystore, and the cn mapper ties its common name to the login name.

  • c0t0d0s0//org159

    Find more information regarding this feature at:http://www.c0t0d0s0.org/archives/7659-Using-X.509-support-for-SSH-on-Solaris-11.1.html


  • c0t0d0s0//org160

    OpenSCAP

  • c0t0d0s0//org161

    „The Security Content Automation Protocol (SCAP) is a method for using specific standards to enable automated vulnerability management, measurement, and policy compliance evaluation (e.g., FISMA compliance). The National Vulnerability Database (NVD) is the U.S. government content repository for SCAP.“

    http://en.wikipedia.org/wiki/Security_Content_Automation_Protocol


  • c0t0d0s0//org162

    ftp-banner.xml (the content of the OVAL document; the XML markup did not survive the transcript):

    generator: Enhanced SCAP Editor 0.0.11, OVAL schema version 5.8, 2012-10-11T10:33:25
    definition title: Enable a Warning Banner for the FTP Service
    platform: Oracle Solaris 11
    description: /etc/proftpd.conf contains "DisplayConnect /etc/issue"

    object: path /etc, filename proftpd.conf, pattern ^DisplayConnect\s/etc/issue\s$, instance 1

  • c0t0d0s0//org164

    $ oscap oval eval ftp-banner.xml
    Definition oval:com.oracle.solaris11:def:840: false
    Evaluation done.

    $ oscap oval eval --results results.xml --report report.html ftp-banner.xml
    Definition oval:com.oracle.solaris11:def:840: false
    Evaluation done.
    OVAL Results are exported correctly.
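The following is an added example, not from the original slides and not oscap code: the slide's textfilecontent check evaluated locally against a few constructed proftpd.conf variants, so one can see exactly which files the pattern `^DisplayConnect\s/etc/issue\s$` accepts. It assumes oscap applies the pattern to the file contents in multiline mode with PCRE semantics, which for the constructs used here agree with Python's `re`. The noteworthy edge is the trailing `\s$`: on a line without trailing whitespace the `\s` has to consume the newline itself, after which `$` only matches at the end of the file, so a correctly configured line in the middle of the file is reported as non-compliant. A relaxed pattern beside it avoids that.

```python
"""Evaluate an OVAL textfilecontent-style pattern match locally
(added example; constructed config samples, not real proftpd.conf files)."""
import re

SLIDE_PATTERN = r"^DisplayConnect\s/etc/issue\s$"      # from ftp-banner.xml
FIXED_PATTERN = r"^DisplayConnect\s+/etc/issue\s*$"    # tolerant variant


def oval_pattern_match(content, pattern, instance=1):
    """True if the instance-th match of pattern exists in content
    (multiline, like a textfilecontent object with a fixed instance)."""
    matches = re.findall(pattern, content, re.M)
    return len(matches) >= instance


# constructed sample configurations
CONF_MIDDLE = "ServerName x\nDisplayConnect /etc/issue\nUseReverseDNS off\n"
CONF_LAST = "ServerName x\nDisplayConnect /etc/issue\n"
CONF_TRAILING_SPACE = "DisplayConnect /etc/issue \nUseReverseDNS off\n"
CONF_MISSING = "ServerName x\nUseReverseDNS off\n"


def evaluate_all():
    """Run both patterns over the samples; returns {(sample, pattern): bool}."""
    samples = {"middle": CONF_MIDDLE, "last": CONF_LAST,
               "trailing_space": CONF_TRAILING_SPACE, "missing": CONF_MISSING}
    patterns = {"slide": SLIDE_PATTERN, "fixed": FIXED_PATTERN}
    return {(s, p): oval_pattern_match(content, pat)
            for s, content in samples.items() for p, pat in patterns.items()}


if __name__ == "__main__":
    for (sample, pattern), result in sorted(evaluate_all().items()):
        print("%-15s %-6s %s" % (sample, pattern, result))
```

The `instance` argument mirrors the `1` at the end of the object on the slide: the check looks at the first match only. When writing your own OVAL content, test the regex against a file where the directive is neither the last line nor followed by a blank line, which is what a production config usually looks like.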

  • c0t0d0s0//org166

    To create your own OVAL files, use the Enhanced SCAP Content Editor.

  • c0t0d0s0//org167

    Find more information regarding this feature at:https://blogs.oracle.com/darren/entry/compliance_reporting_with_scap
