Transcript of "Solaris 11 Security - a live demo in slides" by Joerg Möllenkamp (c0t0d0s0.org)
-
c0t0d0s0//org1
Solaris 11 Security - a live demo in slides
by Joerg "c0t0d0s0.org" Möllenkamp
-
This slideset was made as a fallback for a live demo at a series of Oracle Breakfast events in Germany, as the presentation diverged a lot at the first location in the light of recent events around privacy and security.
However, most of the information is in the voice track, which wasn't recorded. So this presentation may not be that useful.
If you need the voice track, ask your Oracle sales rep to ask his manager to ask my manager to let me do the presentation in your country ;)
-
Primarily I used examples from my practical work and from my own blog; however, I would like to thank two colleagues:
Glenn Faden for "Oracle Solaris Extended Policy and MySQL": https://blogs.oracle.com/gfaden/entry/oracle_solaris_extended_policy_and
Darren Moffat for "Compliance reporting with SCAP": https://blogs.oracle.com/darren/entry/compliance_reporting_with_scap
I directly reused their blog entries for this presentation.
-
Certifications
-
Solaris 10 Common Criteria Evaluation: certified at EAL4+ level
-
We have a Common Criteria certification: for Solaris 10 at the moment, for Solaris 11 in the future.
However, a Common Criteria certification does not certify "security" as such: it certifies that the evaluated configuration meets the claims of its security target and protection profiles, at the stated assurance level (EAL4+).
-
Solaris 10 Trusted Extensions Common Criteria Evaluation: certified at EAL4+ level
http://www.oracle.com/technetwork/topics/security/oracle-cc-evalsolaris-083233.html#sol10U3TX
The following protection profiles were used:
Controlled Access Protection Profile (CAPP)
Role Based Access Control Protection Profile (RBACPP)
Labeled Security Protection Profile (LSPP)
-
Solaris 11.1 is currently in certification.
http://www.oracle.com/technetwork/topics/security/security-evaluations-099357.html#InEvaluated
-
Is it really a Solaris 11 binary?
-
jmoekamp@server:~$ elfsign verify -v /usr/bin/oscap
elfsign: verification of /usr/bin/oscap passed.
format: rsa_md5_sha1.
signer: CN=SunOS 5.10, OU=Solaris Signed Execution, O=Sun Microsystems Inc.

elfsign verify checks the signature stored in the ELF file against the Solaris signing certificates installed on the system; a binary that has been modified after signing, or that was never signed, does not pass.
-
Sandboxing applications on Solaris 11.1
-
root@solaris# profiles -p "MySQL Service"
MySQL Service> set desc="Locking down the MySQL Service"
MySQL Service> add cmd=/lib/svc/method/mysql_51
MySQL Service:mysql_51> set privs=basic
MySQL Service:mysql_51> add privs={net_privaddr}:3306/tcp
MySQL Service:mysql_51> add privs={file_write}:/var/mysql/5.1/data/*
MySQL Service:mysql_51> add privs={file_write}:/tmp/mysql.sock
MySQL Service:mysql_51> add privs={file_write}:/var/tmp/ib*
MySQL Service:mysql_51> end
MySQL Service> set uid=mysql
MySQL Service> set gid=mysql
MySQL Service> exit
root@solaris#
-
root@solaris# svccfg -s mysql:version_51
svc:/application/database/mysql:version_51> setprop method_context/profile="MySQL Service"
svc:/application/database/mysql:version_51> setprop method_context/use_profile=true
svc:/application/database/mysql:version_51> refresh
svc:/application/database/mysql:version_51> exit
-
root@solaris# ipadm set-prop -p extra_priv_ports+=3306 tcp
root@solaris# ipadm show-prop -p extra_priv_ports tcp
PROTO PROPERTY          PERM CURRENT         PERSISTENT DEFAULT    POSSIBLE
tcp   extra_priv_ports  rw   2049,4045,3306  --         2049,4045  1-65535

Making 3306 a privileged port means that only a process holding net_privaddr can bind it, and the extended policy above grants mysqld that privilege for 3306/tcp only.
-
# svcadm enable mysql:version_51
-
root@solaris# ppriv $(pgrep mysql)
103697: /usr/mysql/5.1/bin/mysqld --basedir=/usr/mysql/5.1 --datadir=/var/mysq
flags = PRIV_XPOLICY
        Extended policies:
                {net_privaddr}:3306/tcp
                {file_write}:/var/mysql/5.1/data/*
                {file_write}:/tmp/mysql.sock
                {file_write}:/var/tmp/ib*
        E: basic,!file_write
        I: basic,!file_write
        P: basic,!file_write
        L: all
103609: /bin/sh /usr/mysql/5.1/bin/mysqld_safe --user=mysql --datadir=/var/mys
flags = PRIV_XPOLICY
        Extended policies:
                {net_privaddr}:3306/tcp
                {file_write}:/var/mysql/5.1/data/*
                {file_write}:/tmp/mysql.sock
                {file_write}:/var/tmp/ib*
        E: basic,!file_write
        I: basic,!file_write
        P: basic,!file_write
        L: all
-
Find more information regarding this feature at: https://blogs.oracle.com/gfaden/entry/oracle_solaris_extended_policy_and
-
Passwords
-
root@client:/etc/security# cat /etc/security/crypt.conf
#
# Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
# Use is subject to license terms.
#
#ident  "%Z%%M% %I%     %E% SMI"
#
# The algorithm name __unix__ is reserved.
#
1       crypt_bsdmd5.so.1
2a      crypt_bsdbf.so.1
md5     crypt_sunmd5.so.1
5       crypt_sha256.so.1
6       crypt_sha512.so.1
-
root@client:/etc/security# cat /etc/security/policy.conf | egrep "^CRYPT_DEFAULT"
CRYPT_DEFAULT=5
root@client:/etc/security# cat /etc/shadow | grep junior
junior:$5$4aKvDFqA$2kL8GpuXjrd.f8XpanqhylEP5lDhy1DF5uo1ZYx74f3:15929::::::1440

The $5$ prefix identifies crypt_sha256 from crypt.conf, i.e. the CRYPT_DEFAULT=5 setting. Hashes created before a change of CRYPT_DEFAULT keep their old algorithm until the password is next changed, so check /etc/shadow for remaining $1$, $md5$ or 13-character DES hashes after tightening the policy.
-
root@client:/etc/security# cat /etc/default/passwd | grep -v "# " | egrep -v "^#$|^$"
#ident  "%Z%%M% %I%     %E% SMI"
MAXWEEKS=
MINWEEKS=
PASSLENGTH=6
#NAMECHECK=NO
#HISTORY=0
#MINDIFF=3
#MINALPHA=2
#MINNONALPHA=1
#MINUPPER=0
#MINLOWER=0
#MAXREPEATS=0
#MINSPECIAL=0
#MINDIGIT=0
#WHITESPACE=YES
#DICTIONLIST=
#DICTIONDBDIR=/var/passwd
-
root@client:/# mkpwdict -s /usr/share/lib/dict/words
mkpwdict: using default database location: /var/passwd.
or:
root@client:/# mkpwdict -s /usr/share/lib/dict/words -d /var/passwd

The dictionary is only consulted once DICTIONLIST or DICTIONDBDIR is set in /etc/default/passwd; if neither is set, no dictionary check is made.
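The keyword checks from /etc/default/passwd (PASSLENGTH, MINALPHA, MINNONALPHA, MINUPPER, MINLOWER, MINDIGIT, MINSPECIAL, MAXREPEATS, WHITESPACE, MINDIFF, NAMECHECK and the mkpwdict dictionary) re-implemented as an added example. This is not code from the slides or from Solaris; the policy text and word list are constructed, and the MINDIFF and NAMECHECK rules are approximations of what passwd(1) describes, marked as such in the code.

```python
"""Password-policy checker modelled on the keywords in /etc/default/passwd.

Added example, not code from the slides or from Solaris itself. Keyword
semantics follow passwd(1); MINDIFF and NAMECHECK are approximations
(labelled below), and SAMPLE_DICTIONARY stands in for the database that
mkpwdict(1M) builds."""

# Constructed policy: the slide's defaults with the commented-out strength
# checks switched on and PASSLENGTH raised.
SAMPLE_POLICY = """\
MAXWEEKS=
MINWEEKS=
PASSLENGTH=8
NAMECHECK=YES
MINDIFF=3
MINALPHA=2
MINNONALPHA=1
MAXREPEATS=2
WHITESPACE=NO
#DICTIONLIST=
"""

# Constructed stand-in for the mkpwdict database.
SAMPLE_DICTIONARY = frozenset({"password", "solaris", "oracle", "welcome"})


def parse_policy(text):
    """Parse KEY=VALUE lines; comments and empty values ('MAXWEEKS=') are ignored."""
    policy = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        if value.strip():
            policy[key.strip()] = value.strip()
    return policy


def _num(policy, key, default=0):
    return int(policy.get(key, default))


def max_run(s):
    """Length of the longest run of one repeated character (for MAXREPEATS)."""
    best = run = 0
    for i, ch in enumerate(s):
        run = run + 1 if i and s[i - 1] == ch else 1
        best = max(best, run)
    return best


def check_password(new, login, old="", policy=None, dictionary=frozenset()):
    """Return the list of violated keywords; an empty list means acceptable."""
    p = policy or {}
    errors = []
    if len(new) < _num(p, "PASSLENGTH", 6):
        errors.append("PASSLENGTH")
    # Approximation: Solaris rejects passwords derived from the login name;
    # here only an exact or reversed match is rejected.
    if p.get("NAMECHECK", "YES").upper() == "YES" and new.lower() in (login.lower(), login.lower()[::-1]):
        errors.append("NAMECHECK")
    alpha = sum(c.isalpha() for c in new)
    if alpha < _num(p, "MINALPHA"):
        errors.append("MINALPHA")
    if len(new) - alpha < _num(p, "MINNONALPHA"):
        errors.append("MINNONALPHA")
    if sum(c.isupper() for c in new) < _num(p, "MINUPPER"):
        errors.append("MINUPPER")
    if sum(c.islower() for c in new) < _num(p, "MINLOWER"):
        errors.append("MINLOWER")
    if sum(c.isdigit() for c in new) < _num(p, "MINDIGIT"):
        errors.append("MINDIGIT")
    if sum(not c.isalnum() for c in new) < _num(p, "MINSPECIAL"):
        errors.append("MINSPECIAL")
    maxrep = _num(p, "MAXREPEATS")  # 0 disables the check, as in passwd(1)
    if maxrep and max_run(new) > maxrep:
        errors.append("MAXREPEATS")
    if p.get("WHITESPACE", "YES").upper() == "NO" and any(c.isspace() for c in new):
        errors.append("WHITESPACE")
    # Approximation of MINDIFF: positions that differ plus the length change.
    mindiff = _num(p, "MINDIFF")
    if old and mindiff:
        diff = sum(a != b for a, b in zip(old, new)) + abs(len(old) - len(new))
        if diff < mindiff:
            errors.append("MINDIFF")
    if new.lower() in dictionary:
        errors.append("DICTIONLIST")
    return errors
```

Switching the commented-out keywords on is what turns PASSLENGTH=6 into a real policy; note that MINNONALPHA is mutually exclusive with MINDIGIT/MINSPECIAL in the real file, which this checker does not enforce.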
-
Address Space Layout Randomization
-
root@solaris:/# sxadm exec -s aslr=disable /usr/bin/pmap self
1914:   /usr/bin/pmap self
0000000000400000      28K r-x--  /usr/bin/pmap
0000000000417000       4K rw---  /usr/bin/pmap
0000000000418000      40K rw---  [ heap ]
FFFF80FFBDDD0000     216K r-x--  /lib/amd64/libproc.so.1
FFFF80FFBDE16000       8K rw---  /lib/amd64/libproc.so.1
FFFF80FFBF430000    1764K r-x--  /lib/amd64/libc.so.1
FFFF80FFBF5F9000      64K rw---  /lib/amd64/libc.so.1
FFFF80FFBF609000      12K rw---  /lib/amd64/libc.so.1
FFFF80FFBF740000       4K rw---  [ anon ]
FFFF80FFBF750000      24K rwx--  [ anon ]
FFFF80FFBF760000       4K rw---  [ anon ]
FFFF80FFBF770000       4K rw---  [ anon ]
FFFF80FFBF780000       4K rw---  [ anon ]
FFFF80FFBF790000       4K rw---  [ anon ]
FFFF80FFBF792000       4K r--s-  [ anon ]
FFFF80FFBF795000     340K r-x--  /lib/amd64/ld.so.1
FFFF80FFBF7FA000      12K rwx--  /lib/amd64/ld.so.1
FFFF80FFBF7FD000       8K rwx--  /lib/amd64/ld.so.1
FFFF80FFBFFFD000      12K rw---  [ stack ]
 total          2556K
-
root@solaris:/# sxadm exec -s aslr=disable /usr/bin/pmap self
1915:   /usr/bin/pmap self
0000000000400000      28K r-x--  /usr/bin/pmap
0000000000417000       4K rw---  /usr/bin/pmap
0000000000418000      40K rw---  [ heap ]
FFFF80FFBDDD0000     216K r-x--  /lib/amd64/libproc.so.1
FFFF80FFBDE16000       8K rw---  /lib/amd64/libproc.so.1
FFFF80FFBF430000    1764K r-x--  /lib/amd64/libc.so.1
FFFF80FFBF5F9000      64K rw---  /lib/amd64/libc.so.1
FFFF80FFBF609000      12K rw---  /lib/amd64/libc.so.1
FFFF80FFBF740000       4K rw---  [ anon ]
FFFF80FFBF750000      24K rwx--  [ anon ]
FFFF80FFBF760000       4K rw---  [ anon ]
FFFF80FFBF770000       4K rw---  [ anon ]
FFFF80FFBF780000       4K rw---  [ anon ]
FFFF80FFBF790000       4K rw---  [ anon ]
FFFF80FFBF792000       4K r--s-  [ anon ]
FFFF80FFBF795000     340K r-x--  /lib/amd64/ld.so.1
FFFF80FFBF7FA000      12K rwx--  /lib/amd64/ld.so.1
FFFF80FFBF7FD000       8K rwx--  /lib/amd64/ld.so.1
FFFF80FFBFFFD000      12K rw---  [ stack ]
 total          2556K

With aslr=disable the second run (PID 1915) gets exactly the same layout as the first (PID 1914).
-
root@solaris:/# sxadm exec -s aslr=enable /usr/bin/pmap self
1917:   /usr/bin/pmap self
0000000000400000      28K r-x--  /usr/bin/pmap
0000000000417000       4K rw---  /usr/bin/pmap
0000000000418000       8K rw---  /usr/bin/pmap
00000005D6666000      36K rw---  [ heap ]
00007FF669C70000     216K r-x--  /lib/amd64/libproc.so.1
00007FF669CB6000       8K rw---  /lib/amd64/libproc.so.1
00007FF669CC0000       4K rw---  [ anon ]
00007FF669CD0000      24K rwx--  [ anon ]
00007FF669CE0000       4K rw---  [ anon ]
00007FF669CF0000    1764K r-x--  /lib/amd64/libc.so.1
00007FF669EB9000      64K rw---  /lib/amd64/libc.so.1
00007FF669EC9000      12K rw---  /lib/amd64/libc.so.1
00007FF669ED0000       4K rw---  [ anon ]
00007FF669EE0000       4K rw---  [ anon ]
00007FF669EF0000       4K rw---  [ anon ]
00007FF669EF2000       4K r--s-  [ anon ]
00007FF669EFC000     340K r-x--  /lib/amd64/ld.so.1
00007FF669F61000      12K rwx--  /lib/amd64/ld.so.1
00007FF669F64000       8K rwx--  /lib/amd64/ld.so.1
FFFF80DDA254F000      16K rw---  [ stack ]
 total          2564K
-
root@solaris:/# sxadm exec -s aslr=enable /usr/bin/pmap self
1918:   /usr/bin/pmap self
0000000000400000      28K r-x--  /usr/bin/pmap
0000000000417000       4K rw---  /usr/bin/pmap
0000000000418000       8K rw---  /usr/bin/pmap
000000065B76D000      36K rw---  [ heap ]
00007FFAACFC0000     216K r-x--  /lib/amd64/libproc.so.1
00007FFAAD006000       8K rw---  /lib/amd64/libproc.so.1
00007FFAAD010000       4K rw---  [ anon ]
00007FFAAD020000      24K rwx--  [ anon ]
00007FFAAD030000       4K rw---  [ anon ]
00007FFAAD040000    1764K r-x--  /lib/amd64/libc.so.1
00007FFAAD209000      64K rw---  /lib/amd64/libc.so.1
00007FFAAD219000      12K rw---  /lib/amd64/libc.so.1
00007FFAAD220000       4K rw---  [ anon ]
00007FFAAD230000       4K rw---  [ anon ]
00007FFAAD240000       4K rw---  [ anon ]
00007FFAAD242000       4K r--s-  [ anon ]
00007FFAAD24D000     340K r-x--  /lib/amd64/ld.so.1
00007FFAAD2B2000      12K rwx--  /lib/amd64/ld.so.1
00007FFAAD2B5000       8K rwx--  /lib/amd64/ld.so.1
FFFF80DE1559E000      12K rw---  [ stack ]

With aslr=enable the heap, the shared libraries, the anonymous mappings and the stack land at different addresses on every run (compare PID 1917 with PID 1918). The main executable stays at 0000000000400000 in both runs: /usr/bin/pmap is not linked as a position-independent executable, so only the objects that can be relocated are randomised.
-
root@solaris:/# sxadm info
EXTENSION           STATUS                         CONFIGURATION
aslr                enabled (tagged-files)         system default (default)

root@solaris:/# elfdump -d /usr/bin/pmap | grep "ASLR"
      [33]  SUNW_ASLR         0x2               ENABLE
root@solaris:/# elfedit -e 'dyn:sunw_aslr disable' /usr/bin/pmap
root@solaris:/# elfdump -d /usr/bin/pmap | grep "ASLR"
      [33]  SUNW_ASLR         0x1               DISABLE

In the default tagged-files mode only binaries carrying a SUNW_ASLR ENABLE dynamic tag are randomised; elfedit flips that tag per binary, so an untagged or DISABLE-tagged program keeps a fixed layout even though ASLR is "enabled" system-wide.
-
root@solaris:/# sxadm enable -c model=all aslr
root@solaris:/# sxadm info
EXTENSION           STATUS                         CONFIGURATION
aslr                enabled (all)                  enabled (all)

root@solaris:/# sxadm disable aslr
root@solaris:/# sxadm info
EXTENSION           STATUS                         CONFIGURATION
aslr                disabled                       disabled

root@solaris:/# sxadm enable -c model=tagged-files aslr
root@solaris:/# sxadm info
EXTENSION           STATUS                         CONFIGURATION
aslr                enabled (tagged-files)         enabled (tagged-files)
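To check what ASLR actually randomises rather than eyeballing two pmap dumps, here is an added example (not from the slides) that parses two pmap listings and reports which mappings moved. RUN_A and RUN_B are constructed subsets of the two aslr=enable listings above; the result is what those slides show: heap, libraries and stack move between runs, while /usr/bin/pmap itself stays at 0x400000 because it is not a position-independent executable.

```python
"""Diff two pmap(1) dumps to see which mappings ASLR moved.

Added example, not code from the slides. RUN_A and RUN_B are constructed
subsets of the aslr=enable runs shown on the slides (PIDs 1917 and 1918)."""

import re

# address  sizeK  perms  object   (pmap's default output format)
PMAP_LINE = re.compile(r"^([0-9A-Fa-f]+)\s+(\d+)K\s+(\S+)\s+(.+?)\s*$")

RUN_A = """\
1917:   /usr/bin/pmap self
0000000000400000      28K r-x--  /usr/bin/pmap
0000000000417000       4K rw---  /usr/bin/pmap
00000005D6666000      36K rw---  [ heap ]
00007FF669C70000     216K r-x--  /lib/amd64/libproc.so.1
00007FF669CF0000    1764K r-x--  /lib/amd64/libc.so.1
00007FF669EFC000     340K r-x--  /lib/amd64/ld.so.1
FFFF80DDA254F000      16K rw---  [ stack ]
 total          2564K
"""

RUN_B = """\
1918:   /usr/bin/pmap self
0000000000400000      28K r-x--  /usr/bin/pmap
0000000000417000       4K rw---  /usr/bin/pmap
000000065B76D000      36K rw---  [ heap ]
00007FFAACFC0000     216K r-x--  /lib/amd64/libproc.so.1
00007FFAAD040000    1764K r-x--  /lib/amd64/libc.so.1
00007FFAAD24D000     340K r-x--  /lib/amd64/ld.so.1
FFFF80DE1559E000      12K rw---  [ stack ]
"""


def parse_pmap(text):
    """Map (object, permissions, index) -> base address for each mapping line.

    The index distinguishes several segments of one object with the same
    permissions (libc has three rw--- segments, for example)."""
    seen = {}
    mappings = {}
    for line in text.splitlines():
        m = PMAP_LINE.match(line)
        if not m:
            continue  # "1917: ..." header and " total" lines
        addr, _size, perms, obj = m.groups()
        idx = seen.get((obj, perms), 0)
        seen[(obj, perms)] = idx + 1
        mappings[(obj, perms, idx)] = int(addr, 16)
    return mappings


def moved_mappings(run_a, run_b):
    """{key: (addr_a, addr_b)} for mappings present in both runs at different addresses."""
    a, b = parse_pmap(run_a), parse_pmap(run_b)
    return {k: (a[k], b[k]) for k in a if k in b and a[k] != b[k]}


def fixed_mappings(run_a, run_b):
    """Keys of mappings that sit at the same address in both runs."""
    a, b = parse_pmap(run_a), parse_pmap(run_b)
    return sorted(k for k in a if k in b and a[k] == b[k])


def aslr_effective(run_a, run_b):
    """True when heap, stack and at least one shared library all moved."""
    moved = {k[0] for k in moved_mappings(run_a, run_b)}
    return ("[ heap ]" in moved and "[ stack ]" in moved
            and any(o.endswith(".so.1") for o in moved))


if __name__ == "__main__":
    for key, (x, y) in sorted(moved_mappings(RUN_A, RUN_B).items()):
        print(f"moved  {key[0]:28s} {key[1]}  {x:016X} -> {y:016X}")
    for key in fixed_mappings(RUN_A, RUN_B):
        print(f"fixed  {key[0]:28s} {key[1]}")
```

Feed it two real dumps of the same program (for example `sxadm exec -s aslr=enable /usr/bin/pmap self` captured twice) to verify that a binary you have tagged with elfedit is really being randomised; a non-PIE executable will always show up under "fixed", whatever sxadm reports.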
-
pfedit
-
root@template:/etc/apache2/2.2# profiles -p "httpd edit"
profiles:httpd edit> set auths=solaris.admin.edit/etc/apache2/2.2/httpd.conf
profiles:httpd edit> set desc="Edit httpd"
profiles:httpd edit> exit
-
root@template:/etc/apache2/2.2# usermod -P +"httpd edit" junior
-
junior@template:~$ profiles
httpd edit
Basic Solaris User
All
-
junior@template:~$ vi /etc/apache2/2.2/httpd.conf

This still fails: the solaris.admin.edit/... authorization does not change the file's permissions, it is only honoured by pfedit.
-
junior@template:~$ pfedit /etc/apache2/2.2/httpd.conf
pfedit: /etc/apache2/2.2/httpd.conf has been updated.
-
junior@template:~$ pfedit /etc/apache2/2.2/mime.types
pfedit: User junior is not authorized to edit the file /etc/apache2/2.2/mime.types.
-
root@template:/etc/apache2/2.2# profiles -p "httpd edit"
profiles:httpd edit> info
        name=httpd edit
        desc=Edit httpd
        auths=solaris.admin.edit/etc/apache2/2.2/httpd.conf
profiles:httpd edit> add auths=solaris.admin.edit/etc/apache2/2.2/mime.types
-
junior@template:~$ pfedit /etc/apache2/2.2/mime.types
pfedit: no changes for /etc/apache2/2.2/mime.types.
-
# profiles -p "httpd configure"
profiles:httpd configure> add always_audit=as
profiles:httpd configure> info
        name=httpd configure
        desc=Configure httpd
        auths=solaris.admin.edit/etc/apache2/2.2/httpd.conf,solaris.admin.edit/etc/apache2/2.2/mime.types
        always_audit=as
        never_audit=no
profiles:httpd configure> exit
root@template:~#

always_audit=as switches on the "as" audit class (system-wide administration) for every user holding the profile, so each pfedit change is recorded, including the diff of what was changed.
-
root@template:~# auditreduce -c as | praudit
-
[..]
header,486,2,edit administrative file,,fe80::a00:27ff:fea6:33cb,2013-08-12 07:45:52.306 +00:00
subject,junior,junior,staff,junior,staff,4212,447467166,369 136704 MacBook-Pro-of-c0t0d0s0.fritz.box
path,/etc/apache2/2.2/httpd.conf
use of authorization,solaris.admin.edit/etc/apache2/2.2/httpd.conf
text,--- /etc/apache2/2.2/httpd.conf Mo. Aug 12 07:45:00 2013
+++ /etc/apache2/2.2/httpd.conf.pfedit.1BaGoi Mo. Aug 12 07:45:52 2013
@@ -1,5 +1,6 @@
 # Test
 # Test 2:
+# Test 3:
 #
 # This is the main Apache HTTP server configuration file.  It contains the
 # configuration directives that give the server its instructions.
return,success,0
-
Delegating privilege to restart services (so you can keep the root password)
-
junior@template:~$ svcadm refresh apache22
svcadm: svc:/network/http:apache22: Permission denied.
-
# svcs -a | grep "apache22"
online         15:30:29 svc:/network/http:apache22
-
# auths add -t "Apache22 value" solaris.smf.value.http.apache22
# auths add -t "Apache22 action" solaris.smf.action.http.apache22
-
# svccfg -s apache22 setprop general/value_authorization= astring: solaris.smf.value.http.apache22
# svccfg -s apache22 setprop general/action_authorization= astring: solaris.smf.action.http.apache22

action_authorization covers enable, disable, refresh and restart of this one instance; value_authorization additionally allows changing the service's property values. Only the action authorization is handed to junior below.
-
# profiles -p "httpd edit" \
    add auths=solaris.smf.action.http.apache22
-
junior@template:~$ svcadm refresh apache22
junior@template:~$
-
Privileges
-
$ ls -l /usr/sbin/traceroute
-r-sr-xr-x   1 root     bin        42324 Nov 21 00:09 /usr/sbin/traceroute
$ ls -l /usr/sbin/ping
-r-sr-xr-x   1 root     bin        51396 Nov 18 19:31 /usr/sbin/ping

Set-uid to root: ping needs it to work ...
-
# chmod -s /sbin/ping
# exit
$ ping -s 192.168.1.132
ping: socket Permission denied

Remove the set-uid bit and ping stops working ...
-
jmoekamp@daddelkiste:~$ ppriv $$
2153:   -bash
flags = <none>
        E: basic
        I: basic
        P: basic
        L: all
-
The complete list of privileges on Solaris 11 (ppriv -l):
contract_event,contract_identity,contract_observer,cpc_cpu,dtrace_kernel,dtrace_proc,dtrace_user,file_chown,file_chown_self,file_dac_execute,file_dac_read,file_dac_search,file_dac_write,file_downgrade_sl,file_flag_set,file_link_any,file_owner,file_read,file_setid,file_upgrade_sl,file_write,graphics_access,graphics_map,ipc_dac_read,ipc_dac_write,ipc_owner,net_access,net_bindmlp,net_icmpaccess,net_mac_aware,net_mac_implicit,net_observability,net_privaddr,net_rawaccess,proc_audit,proc_chroot,proc_clock_highres,proc_exec,proc_fork,proc_info,proc_lock_memory,proc_owner,proc_priocntl,proc_session,proc_setid,proc_taskid,proc_zone,sys_acct,sys_admin,sys_audit,sys_config,sys_devices,sys_dl_config,sys_flow_config,sys_ib_config,sys_ib_info,sys_ip_config,sys_ipc_config,sys_iptun_config,sys_linkdir,sys_mount,sys_net_config,sys_nfs,sys_ppp_config,sys_res_bind,sys_res_config,sys_resource,sys_share,sys_smb,sys_suser_compat,sys_time,sys_trans_label,win_colormap,win_config,win_dac_read,win_dac_write,win_devices,win_dga,win_downgrade_sl,win_fontpath,win_mac_read,win_mac_write,win_selection,win_upgrade_sl
-
All of these privileges, in their entirety, assigned to one user are (almost) root, i.e. the "#" prompt.
-
Neat extension in Solaris 11: the ability to use networking is now a privilege (net_access). It is part of the default basic set of privileges, but you can remove it.
-
jmoekamp@daddelkiste:~$ ppriv -v $$
2153:   -bash
flags = <none>
        E: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
        I: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
        P: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
        L: contract_event,contract_identity,contract_observer,cpc_cpu,dtrace_kernel,dtrace_proc,dtrace_user,file_chown,file_chown_self,file_dac_execute,file_dac_read,file_dac_search,file_dac_write,file_downgrade_sl,file_flag_set,file_link_any,file_owner,file_read,file_setid,file_upgrade_sl,file_write,graphics_access,graphics_map,ipc_dac_read,ipc_dac_write,ipc_owner,net_access,net_bindmlp,net_icmpaccess,net_mac_aware,net_mac_implicit,net_observability,net_privaddr,net_rawaccess,proc_audit,proc_chroot,proc_clock_highres,proc_exec,proc_fork,proc_info,proc_lock_memory,proc_owner,proc_priocntl,proc_session,proc_setid,proc_taskid,proc_zone,sys_acct,sys_admin,sys_audit,sys_config,sys_devices,sys_dl_config,sys_flow_config,sys_ib_config,sys_ib_info,sys_ip_config,sys_ipc_config,sys_iptun_config,sys_linkdir,sys_mount,sys_net_config,sys_nfs,sys_ppp_config,sys_res_bind,sys_res_config,sys_resource,sys_share,sys_smb,sys_suser_compat,sys_time,sys_trans_label,win_colormap,win_config,win_dac_read,win_dac_write,win_devices,win_dga,win_downgrade_sl,win_fontpath,win_mac_read,win_mac_write,win_selection,win_upgrade_sl
-
root@daddelkiste:~# ppriv $$
2183:   -bash
flags = <none>
        E: all
        I: basic
        P: all
        L: all
-
junior@daddelkiste:~$ dtrace -n 'syscall:::entry { @num[execname] = count(); }'
dtrace: failed to initialize dtrace: DTrace requires additional privileges
-
root@daddelkiste:~# usermod -K defaultpriv=basic,dtrace_kernel,dtrace_proc,dtrace_user junior
UX: usermod: junior is currently logged in, some changes may not take effect until next login.
-
junior@daddelkiste:~$ dtrace -n 'syscall:::entry { @num[execname] = count(); }'
dtrace: description 'syscall:::entry ' matched 211 probes
^C

  automountd                                                        1
  sshd                                                             24
  dtrace                                                          544
  auditd                                                          564
-
# ps -ef | grep "kcfd"
  daemon   125     1   0 14:24:19 ?           0:00 /usr/lib/crypto/kcfd
    root   734   728   0 15:54:08 pts/1       0:00 grep kcfd
# ppriv -v 125
125:    /usr/lib/crypto/kcfd
flags = PRIV_AWARE
        E: file_owner,proc_priocntl,sys_devices
        I: none
        P: file_owner,proc_priocntl,sys_devices
        L: none

kcfd is an example of a privilege-aware daemon: it runs as the unprivileged user daemon with exactly the three privileges it needs, its inheritable set is empty so nothing it executes gets them, and its limit set is empty so it can never regain anything else.
-
# svcadm -v enable -s apache2
svc:/network/http:apache2 enabled.
-
jmoekamp@client:~$ ps -ef | grep "http"
webservd  1978  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1979  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1980  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1984  1975   0 12:20:02 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
    root  1975     1   0 12:19:14 ?           0:01 /usr/apache2/2.2/bin/httpd -k start
webservd  1977  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  1976  1975   0 12:19:15 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
-
root@client:~# ppriv 1977
1977:   /usr/apache2/2.2/bin/httpd -k start
flags = <none>
        E: basic
        I: basic
        P: basic
        L: all
root@client:~# ppriv 1975
1975:   /usr/apache2/2.2/bin/httpd -k start
flags = <none>
        E: all
        I: basic
        P: all
        L: all
root@client:~#
-
The apache parent process (PID 1975, running as root) has every privilege in the list above (E: all).
-
The other httpd processes (the webservd workers) have only the basic set.
-
Apache really needs only a handful of them: the basic set minus proc_session, proc_info and file_link_any, plus net_privaddr to bind port 80 (the set configured below).
-
So you grant a large number of privileges to one process that Apache doesn't need.
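An added example (not from the slides) that parses ppriv output and reports processes running with all privileges, or with privileges beyond the basic set, so the situation above can be found on a whole host rather than one PID at a time. PPRIV_OUTPUT is constructed from the httpd, kcfd and mysqld listings in this deck, and BASIC is the Solaris 11.1 basic set as printed by ppriv -v above.

```python
"""Audit ppriv(1) output for over-privileged processes.

Added example, not code from the slides. PPRIV_OUTPUT is constructed from
the httpd, kcfd and mysqld listings on the slides; BASIC is the basic set
that 'ppriv -v' printed for a Solaris 11.1 shell."""

import re

BASIC = frozenset({"file_link_any", "file_read", "file_write", "net_access",
                   "proc_exec", "proc_fork", "proc_info", "proc_session",
                   "sys_ib_info"})

PPRIV_OUTPUT = """\
1975:   /usr/apache2/2.2/bin/httpd -k start
flags = <none>
        E: all
        I: basic
        P: all
        L: all
1977:   /usr/apache2/2.2/bin/httpd -k start
flags = <none>
        E: basic
        I: basic
        P: basic
        L: all
125:    /usr/lib/crypto/kcfd
flags = PRIV_AWARE
        E: file_owner,proc_priocntl,sys_devices
        I: none
        P: file_owner,proc_priocntl,sys_devices
        L: none
103697: /usr/mysql/5.1/bin/mysqld --basedir=/usr/mysql/5.1
flags = PRIV_XPOLICY
        Extended policies:
                {net_privaddr}:3306/tcp
                {file_write}:/var/mysql/5.1/data/*
        E: basic,!file_write
        I: basic,!file_write
        P: basic,!file_write
        L: all
"""

HEADER = re.compile(r"^(\d+):\s+(.*)$")          # "1975:   /usr/.../httpd -k start"
SETLINE = re.compile(r"^\s*([EIPL]):\s*(.*)$")   # "        E: basic,!file_write"
XPOLICY = re.compile(r"^\s*\{([^}]+)\}:(\S+)\s*$")  # "{net_privaddr}:3306/tcp"


def expand(spec):
    """Turn 'basic,!file_write', 'all' or 'none' into a concrete set.

    'all' is kept as the sentinel {'all'}: the full list is kernel-specific."""
    result = set()
    for tok in spec.split(","):
        tok = tok.strip()
        if not tok or tok == "none":
            continue
        if tok == "basic":
            result |= BASIC
        elif tok.startswith("!"):
            result.discard(tok[1:])
        else:
            result.add(tok)
    return result


def parse_ppriv(text):
    """Return one dict per process: pid, cmd, flags, sets (E/I/P/L) and xpolicy."""
    procs, cur = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            cur = {"pid": int(m.group(1)), "cmd": m.group(2), "flags": "",
                   "sets": {}, "xpolicy": []}
            procs.append(cur)
            continue
        if cur is None:
            continue
        if line.startswith("flags"):
            cur["flags"] = line.split("=", 1)[1].strip()
            continue
        m = XPOLICY.match(line)
        if m:
            cur["xpolicy"].append((m.group(1), m.group(2)))
            continue
        m = SETLINE.match(line)
        if m:
            cur["sets"][m.group(1)] = expand(m.group(2))
    return procs


def excess_privileges(proc):
    """Effective privileges beyond the basic set (or {'all'})."""
    return proc["sets"].get("E", set()) - BASIC


def audit(text):
    """(pid, cmd, finding) for every process a reviewer should look at."""
    findings = []
    for p in parse_ppriv(text):
        eff = p["sets"].get("E", set())
        if "all" in eff:
            findings.append((p["pid"], p["cmd"], "runs with all privileges"))
        elif excess_privileges(p):
            findings.append((p["pid"], p["cmd"], "non-basic privileges: "
                             + ",".join(sorted(excess_privileges(p)))))
    return findings
```

On a real host feed it `ppriv -v` output for the PIDs of interest; the httpd parent (1975) is reported as running with all privileges, the privilege-aware kcfd shows up with its three non-basic privileges (worth a look, but a deliberate least-privilege set), and the sandboxed mysqld is clean because its effective set is a subset of basic.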
-
svcadm -v disable -s apache2
svc:/network/http:apache2 disabled.
-
root@client:~# svccfg -s apache22
svc:/network/http:apache22> setprop start/user = astring: webservd
svc:/network/http:apache22> setprop start/group = astring: webservd
svc:/network/http:apache22> setprop start/privileges = astring: basic,!proc_session,!proc_info,!file_link_any,net_privaddr
svc:/network/http:apache22> setprop start/limit_privileges = astring: :default
svc:/network/http:apache22> setprop start/use_profile = boolean: false
svc:/network/http:apache22> setprop start/supp_groups = astring: :default
svc:/network/http:apache22> setprop start/working_directory = astring: :default
svc:/network/http:apache22> setprop start/project = astring: :default
svc:/network/http:apache22> setprop start/resource_pool = astring: :default
svc:/network/http:apache22> end
root@client:~# svcadm -v refresh apache22
Action refresh set for svc:/network/http:apache22.

The start method now runs as webservd instead of root; net_privaddr is the one privilege added on top of basic so that the server can still bind port 80, and proc_session, proc_info and file_link_any are dropped because a web server has no business signalling other sessions, inspecting other processes or hard-linking files it does not own.
-
# echo "LockFile /var/apache2/2.2/logs/accept.lock" >> /etc/apache2/2.2/httpd.conf
# echo "PidFile /var/apache2/2.2/run/httpd.pid" >> /etc/apache2/2.2/httpd.conf
# mkdir -p -m 755 /var/apache2/2.2/run
# chown webservd:webservd /var/apache2/2.2/run
# svcadm enable apache22

Because httpd no longer starts as root, its lock file and pid file have to live in a directory that webservd can write to.
-
webservd  3064  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3062  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3063  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3066  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3061     1   0 16:49:17 ?           0:00 /usr/apache2/2.2/bin/httpd -k start
webservd  3065  3061   0 16:49:18 ?           0:00 /usr/apache2/2.2/bin/httpd -k start

No httpd process, not even the parent (3061), runs as root any more.
-
Read-only zone root
-
zonecfg:testzone> set file-mac-profile=none
    Standard, read-write, non-global zone, with no additional protection beyond the existing zone boundaries.
zonecfg:testzone> set file-mac-profile=strict
    Read-only file system, no exceptions.
zonecfg:testzone> set file-mac-profile=fixed-configuration
    Permits updates to /var/* directories, with the exception of directories that contain system configuration components.
zonecfg:testzone> set file-mac-profile=flexible-configuration
    Permits modification of files in /etc/* directories, changes to root's home directory, and updates to /var/* directories. This configuration provides the closest functionality to the Oracle Solaris 10 native sparse root zone.
-
in-kernel SSL Proxy
-
# mkdir /etc/keys
# cd /etc/keys
# openssl req -x509 -nodes -days 365 -subj "/C=DE/ST=Hamburg/L=Hamburg/CN=server" -newkey rsa:1024 -keyout /etc/keys/mykey.pem -out /etc/keys/mycert.pem
# cat mycert.pem mykey.pem > my.pem
# chmod 600 *

rsa:1024 is what the original demo used; a 1024-bit RSA key is too small today, use rsa:2048 or larger.
-
# echo "pass" > /etc/keys/my.pass
# ksslcfg create -f pem -i /etc/keys/my.pem -x 8080 -p /etc/keys/my.pass server 443

The passphrase file is read by ksslcfg to unlock the key; keep it, like the key file, readable by root only.
-
ksslcfg create -f pem -i /etc/keys/my.pem -x 8080 \
    -p /etc/keys/my.pass \
    -c "rsa_aes_256_cbc_sha,rsa_aes_128_cbc_sha,rsa_rc4_128_sha,rsa_rc4_128_md5" \
    server 443

-c restricts the cipher suites the proxy offers. rsa_rc4_128_sha and rsa_rc4_128_md5 are RC4 suites; RC4 is broken and should be left out of the list today.
-
# svcs -a | grep "kssl"
online          9:03:33 svc:/network/ssl/proxy:kssl-server-443
-
# svcadm disable apache22
# echo "Listen 192.168.178.108:8080" >> /etc/apache2/2.2/httpd.conf
# svcadm enable apache22

Port number and IP address have to be defined in httpd.conf, otherwise it will not work: the kssl proxy terminates TLS on port 443 and forwards the plaintext to port 8080 on the same address, so Apache has to listen exactly there.
-
# openssl s_client -connect server:443
CONNECTED(00000004)
depth=0 /C=DE/ST=Hamburg/L=Hamburg/CN=server
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=DE/ST=Hamburg/L=Hamburg/CN=server
verify return:1
---
Certificate chain
 0 s:/C=DE/ST=Hamburg/L=Hamburg/CN=server
   i:/C=DE/ST=Hamburg/L=Hamburg/CN=server
---
Server certificate
-----BEGIN CERTIFICATE-----
MIICoTCCAgqgAwIBAgIJAKyJdj/[...]V5jX3MU=
-----END CERTIFICATE-----
subject=/C=DE/ST=Hamburg/L=Hamburg/CN=server
issuer=/C=DE/ST=Hamburg/L=Hamburg/CN=server
---
No client certificate CA names sent
---
SSL handshake has read 817 bytes and written 328 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-SHA
    Session-ID: 32CEF20CB9FE2A71C74D40BB2DB5CB304DA1B57540B7CFDD113915B99DBE9812
    Session-ID-ctx:
    Master-Key: 1E7B502390951124779C5763B5E4BBAF0A9B0693D08DCA8A587B503A5C5027B6FAD9CA7626B1AD8C62219E8502A5C21E
    Key-Arg   : None
    Start Time: 1242985143
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
GET / HTTP/1.0

HTTP/1.1 200 OK
Date: Fri, 22 May 2009 09:39:13 GMT
Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8a DAV/2
Last-Modified: Thu, 21 May 2009 21:26:30 GMT
ETag: "341f3-2c-46a72cc211a8f"
Accept-Ranges: bytes
Content-Length: 44
Connection: close
Content-Type: text/html

It works!
read:errno=0
-
ZFS Encryption
-
# zfs create -o encryption=on rpool/export/project

Without an explicit keysource this uses the default keysource=passphrase,prompt, so zfs asks for a passphrase when the file system is created and again whenever its key has to be loaded.
-
Two keys are involved:
wrapping key: user-settable; obtained via keysource from a prompt, a file, https or PKCS#11
data encryption key: random, not user-settable; stored wrapped by the wrapping key
-
Available values for the encryption property: aes-128-ccm (= on), aes-192-ccm, aes-256-ccm, aes-128-gcm, aes-192-gcm, aes-256-gcm
-
zfs set checksum=sha256+mac

If encryption is not off, something like this happens automatically: an encrypted dataset gets the sha256+mac checksum, which adds the authentication tag of the cipher mode (CCM or GCM) on top of the block checksum. The checksum property is read-only from then on.
-
# pktool genkey keystore=pkcs11 keytype=aes keylen=128 label=mykey
Enter PIN for Sun Software PKCS#11 softtoken:
# zfs create -o encryption=on -o keysource=raw,pkcs11:object=mykey tank/project/C
Enter PKCS#11 token PIN for 'tank/project/C':
-
# zfs create -o encryption=on -o keysource=raw,https://keys.example.com/mykey tank/project/R
# cp myservercert.pem /etc/certs/CA/
# svcadm refresh ca-certificates

The key server's certificate has to be trusted by the system, hence the import into /etc/certs/CA/ and the refresh of the ca-certificates service; otherwise the https keysource cannot be fetched.
-
c0t0d0s0//org89
$ zfs key -c rpool/export/project
Enter new passphrase for 'rpool/export/project':
Changing the wrapping key
-
c0t0d0s0//org91
# zfs key -K tank/project/A
# zfs clone -K tank/project/A@montag tank/project/D
Changing the encryption key for data written from now on.
Creates a new data encryption key. Data written in the clone uses the new data encryption key, which is distinct from its original snapshot.
-
c0t0d0s0//org93
Solaris Cryptographic Framework
-
c0t0d0s0//org94
As soon as Solaris detects hardware acceleration for cryptography, Solaris will use it (as will applications using the Oracle-supplied openssl library or the direct interfaces):
• on-chip crypto accelerator in T and current M series chips
• instruction set extensions in Intel procs (AES-NI)
• supported crypto accelerator cards
-
c0t0d0s0//org95
Just a side-note: T-series crypto acceleration and Intel x86 acceleration have pretty much different performance characteristics.
T-Series: Acceleration by offloading crypto outside the pipeline
Intel x86: Acceleration by offering special in-pipeline instructions to accelerate execution
Sounds like splitting hairs ....
-
c0t0d0s0//org98
Using ZFS to do two-factor encryption
-
c0t0d0s0//org99
jmoekamp@solaris:~$ rmformat
Looking for devices...
     1. Logical Node: /dev/rdsk/c10t0d0p0
        Physical Node: /pci@0,0/pci8086,265c@b/storage@2/disk@0,0
        Connected Device: SanDisk U3 Cruzer Micro 8.02
        Device Type: Removable
        Bus: USB
        Size: 3.8 GB
        Label:
        Access permissions: Medium is not write protected.
(...)
     3. Logical Node: /dev/rdsk/c9t0d0p0
        Physical Node: /pci@0,0/pci8086,265c@b/storage@1/disk@0,0
        Connected Device: SanDisk U3 Cruzer Micro 8.02
        Device Type: Removable
        Bus: USB
        Size: 3.8 GB
        Label:
        Access permissions: Medium is not write protected.
-
c0t0d0s0//org100
root@solaris:/# zpool create a_keystore_usbstick /dev/dsk/c10t0d0p0
root@solaris:/# zpool create datastore /dev/dsk/c9t0d0p0
-
c0t0d0s0//org101
root@solaris:/# zfs create -o encryption=on a_keystore_usbstick/keys
Enter passphrase for 'a_keystore_usbstick/keys': supersecret
Enter again: supersecret
-
c0t0d0s0//org102
root@solaris:/# pktool genkey keystore=file keytype=aes keylen=128 outkey=/a_keystore_usbstick/keys/joergsdatastick.key
-
c0t0d0s0//org103
root@solaris:/# zfs create -o encryption=on -o keysource=raw,file:///a_keystore_usbstick/keys/joergsdatastick.key datastick/joergssecrets
-
c0t0d0s0//org104
root@solaris:/datastick/joergssecrets# mv /home/jmoekamp/highlyconfidential_nda_presos.tgz .
-
c0t0d0s0//org105
root@solaris:/# zpool export a_keystore_usbstick
root@solaris:/# zpool export datastick
-
c0t0d0s0//org106
root@solaris:/# zpool import a_keystore_usbstick
Enter passphrase for 'a_keystore_usbstick/keys': supersecret
root@solaris:/#
-
c0t0d0s0//org107
root@solaris:/# zpool import datastick
root@solaris:/# cd datastick/joergssecrets
root@solaris:/datastick/joergssecrets# ls
highconfidential_nda_presos.tgz
-
c0t0d0s0//org108
Basic Auditing and Reporting Tool
-
c0t0d0s0//org109
# mkdir /bart-files
# bart create -R /etc > /bart-files/etc.control.manifest
-
c0t0d0s0//org110
# cat etc.control.manifest | grep "/nsswitch.nisplus"
/nsswitch.nisplus F 2525 100644 user::rw-,group::r--,mask:r--,other:r-- 473976b5 0 3 79e8fd689a5221d1cd059e5077da71b8
-
c0t0d0s0//org111
# touch /etc/thisisjustatest
# chmod 777 /etc/nsswitch.files
# echo "#just a test" >> /etc/nsswitch.nisplus
-
c0t0d0s0//org113
# bart create -R /etc > /bart-files/etc.check20130911.manifest
-
c0t0d0s0//org114
# cd /bart-files
# bart compare etc.control.manifest etc.check20130911.manifest
/nsswitch.files:
  mode  control:100644  test:100777
  acl  control:user::rw-,group::r--,mask:r--,other:r--  test:user::rwx,group::rwx,mask:rwx,other:rwx
/nsswitch.nisplus:
  size  control:2525  test:2538
  mtime  control:473976b5  test:47a44862
  contents  control:79e8fd689a5221d1cd059e5077da71b8  test:3f79176ec352441db11ec8a3d02ef67c
/thisisjustatest:
  add
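The control/check/compare cycle above, replayed as an added example (not BART itself and not from the slides): a manifest records type, mode, size, mtime and a content digest per entry, and the comparison reports changed attributes, added and deleted entries in the layout bart compare uses. The /etc tree it scans is a constructed temp directory.

```python
# Added example (not from the slides): a small BART-style file integrity check.
# create_manifest records, like "bart create", type, mode, size, mtime and a
# content digest per entry; compare_manifests reports, like "bart compare",
# changed attributes, added and deleted entries. The tree is built in a temp dir.
import hashlib
import os
import stat
import tempfile

BASELINE_MTIME = 1_000_000_000   # fixed mtime for the baseline files (constructed)


def create_manifest(root):
    """Return {"/relative/path": attributes} for everything below root."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            entry = {"type": "D" if stat.S_ISDIR(st.st_mode) else "F",
                     "mode": "%o" % stat.S_IMODE(st.st_mode)}
            if entry["type"] == "F":
                with open(full, "rb") as f:
                    entry["contents"] = hashlib.sha256(f.read()).hexdigest()
                entry["size"] = st.st_size
                entry["mtime"] = "%x" % int(st.st_mtime)   # hex, as bart prints it
            manifest["/" + os.path.relpath(full, root)] = entry
    return manifest


def compare_manifests(control, test):
    """Return {path: {attribute: (control value, test value)}}; added and deleted
    entries carry a single "add" / "delete" key with value None."""
    report = {}
    for path in sorted(set(control) | set(test)):
        if path not in control:
            report[path] = {"add": None}
        elif path not in test:
            report[path] = {"delete": None}
        else:
            diffs = {k: (control[path][k], test[path].get(k))
                     for k in control[path] if control[path][k] != test[path].get(k)}
            if diffs:
                report[path] = diffs
    return report


def format_report(report):
    """Render the comparison in the layout bart compare uses."""
    lines = []
    for path, diffs in report.items():
        lines.append(path + ":")
        for attr, vals in diffs.items():
            lines.append("  %s" % attr if vals is None
                         else "  %s  control:%s  test:%s" % (attr, vals[0], vals[1]))
    return "\n".join(lines)


def demo():
    """Replay the slides: baseline the tree, tamper with it, re-scan and compare."""
    root = tempfile.mkdtemp()
    p_files = os.path.join(root, "nsswitch.files")
    p_nis = os.path.join(root, "nsswitch.nisplus")
    for p in (p_files, p_nis):
        with open(p, "w") as f:
            f.write("passwd: files\n")
        os.chmod(p, 0o644)
        os.utime(p, (BASELINE_MTIME, BASELINE_MTIME))
    control = create_manifest(root)
    open(os.path.join(root, "thisisjustatest"), "w").close()  # touch
    os.chmod(p_files, 0o777)                                   # chmod 777
    with open(p_nis, "a") as f:                                # echo >>
        f.write("#just a test\n")
    return compare_manifests(control, create_manifest(root))


if __name__ == "__main__":
    print(format_report(demo()))
```

Note that chmod only touches ctime, so nsswitch.files shows a mode change alone, while the append shows up as size, mtime and contents, exactly as in the slide's output.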
-
c0t0d0s0//org115
Find more information regarding this feature at:
http://www.c0t0d0s0.org/archives/4069-Less-known-Solaris-features-BART.html
-
c0t0d0s0//org116
Apropos Auditing
-
c0t0d0s0//org117
Auditing is activated by default
-
c0t0d0s0//org118
root@client:~# auditconfig -getflags
active user default audit flags = lo(0x1000,0x1000)
configured user default audit flags = lo(0x1000,0x1000)
root@client:~# auditconfig -getnaflags
active non-attributable audit flags = lo(0x1000,0x1000)
configured non-attributable audit flags = lo(0x1000,0x1000)
-
c0t0d0s0//org119
Policy regarding auditing (explanation on the next slide):
root@client:~# auditconfig -getpolicy
configured audit policies = cnt
active audit policies = cnt
-
c0t0d0s0//org120
Which degree of detail? What happens with full disks?
root@client:~# auditconfig -lspolicy
policy string    description:
ahlt             halt machine if it can not record an async event
all              all policies
arge             include exec environment args in audit recs
argv             include exec command line args in audit recs
cnt              when no more space, drop recs and keep a cnt
group            include supplementary groups in audit recs
none             no policies
path             allow multiple paths per event
perzone          use a separate queue and auditd per zone
public           audit public files
seq              include a sequence number in audit recs
trail            include trailer token in audit recs
windata_down     include downgraded window information in audit recs
windata_up       include upgraded window information in audit recs
zonename         include zonename token in audit recs
-
c0t0d0s0//org121
root@client:~# auditconfig -getplugin
Plugin: audit_binfile (active)
    Attributes: p_dir=/var/audit;p_fsize=0;p_minfree=1
Plugin: audit_syslog (inactive)
    Attributes: p_flags=
Plugin: audit_remote (inactive)
    Attributes: p_hosts=;p_retries=3;p_timeout=5
-
c0t0d0s0//org122
root@client:~# auditconfig -setflags lo,ps,fw
user default audit flags = ps,lo,fw(0x101002,0x101002)
root@client:~# auditconfig -setnaflags lo,na
non-attributable audit flags = lo,na(0x1400,0x1400)
lo and na are the only sensible flags for non-attributable events.
-
c0t0d0s0//org124
root@client:~# usermod -K audit_flags=fw:as junior
-
c0t0d0s0//org125
root@client:~# auditconfig -lsevent | grep " lo "
AUE_login                 6152 lo login - local
AUE_logout                6153 lo logout
AUE_telnet                6154 lo login - telnet
AUE_rlogin                6155 lo login - rlogin
AUE_rshd                  6158 lo rsh access
AUE_su                    6159 lo su
AUE_rexecd                6162 lo rexecd
AUE_passwd                6163 lo passwd
AUE_rexd                  6164 lo rexd
AUE_ftpd                  6165 lo ftp access
AUE_ftpd_logout           6171 lo ftp logout
AUE_ssh                   6172 lo login - ssh
AUE_role_login            6173 lo role login
AUE_rad_login             6174 lo connect to RAD
AUE_newgrp_login          6212 lo newgrp login
AUE_admin_authenticate    6213 lo admin login
AUE_screenlock            6221 lo screenlock - lock
AUE_screenunlock          6222 lo screenlock - unlock
AUE_zlogin                6227 lo login - zlogin
AUE_su_logout             6228 lo su logout
AUE_role_logout           6229 lo role logout
AUE_smbd_session          6244 lo smbd(1m) session setup
AUE_smbd_logoff           6245 lo smbd(1m) session logoff
-
c0t0d0s0//org126
root@client:~# auditconfig -lsevent | grep " ps "
AUE_EXIT                  1 ps exit(2)
AUE_FORKALL               2 ps forkall(2)
AUE_VFORK                 25 ps vfork(2)
AUE_FORK1                 241 ps fork1(2)
root@client:~# auditconfig -lsevent | grep " fw "
AUE_OPEN_W                76 fw open(2) - write
-
c0t0d0s0//org127
# auditreduce -c ps /var/audit/20130912183630.not_terminated.client | praudit
header,139,2,execve(2),,client,2013-09-12 18:40:55.924 +00:00
path,/usr/sbin/auditreduce
attribute,100555,root,bin,65538,65875,18446744073709551615
subject,jmoekamp,root,root,root,root,2054,1440080956,2480 202240 192.168.10.1
return,success,0
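Reading that trail programmatically, as an added example (not from the slides): the parser groups praudit token lines into records and the two filters pick out what a reviewer usually wants first, namely commands run under an identity other than the login user (the audit ID of jmoekamp with an effective uid of root above) and failed events such as denied writes from the fw class. The trail is constructed after the record shown on the slide.

```python
# Added example (not from the slides): parse praudit(1M) text output into records
# and flag records whose audit ID (the user who logged in) differs from the
# effective user, i.e. commands run after su or a role assumption. The trail below
# is constructed after the record shape shown on the slide.

SAMPLE_PRAUDIT = """\
header,139,2,execve(2),,client,2013-09-12 18:40:55.924 +00:00
path,/usr/sbin/auditreduce
attribute,100555,root,bin,65538,65875,18446744073709551615
subject,jmoekamp,root,root,root,root,2054,1440080956,2480 202240 192.168.10.1
return,success,0
header,120,2,execve(2),,client,2013-09-12 18:41:02.101 +00:00
path,/usr/bin/ls
attribute,100555,root,bin,65538,65900,18446744073709551615
subject,junior,junior,staff,junior,staff,2060,1440080990,2481 202240 192.168.10.1
return,success,0
header,98,2,open(2) - write,,client,2013-09-12 18:41:10.550 +00:00
path,/etc/passwd
subject,junior,junior,staff,junior,staff,2061,1440080990,2481 202240 192.168.10.1
return,failure: Permission denied,-1
"""

# subject,<audit ID>,<euid>,<egid>,<ruid>,<rgid>,<pid>,<session ID>,<terminal ID>
SUBJECT_FIELDS = ("audit_user", "euid", "egid", "ruid", "rgid", "pid", "sid", "tid")


def parse_praudit(text):
    """Group praudit token lines into records; a record runs from header to return."""
    records, current = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        token, _, rest = line.partition(",")
        fields = rest.split(",")
        if token == "header":
            # header,<bytes>,<version>,<event>,<modifier>,<host>,<time>
            current = {"event": fields[2], "host": fields[4], "time": fields[5], "paths": []}
            records.append(current)
        elif current is None:
            continue                       # token outside any record: ignore
        elif token == "path":
            current["paths"].append(rest)
        elif token == "subject":
            current.update(zip(SUBJECT_FIELDS, fields))
            current["pid"] = int(current["pid"])
        elif token == "return":
            # return,<success | failure: reason>,<return value>
            current["status"], current["retval"] = fields[0], fields[1]
    return records


def privilege_changes(records):
    """Records where the login identity is not the effective user (e.g. after su)."""
    return [r for r in records if "audit_user" in r and r["audit_user"] != r["euid"]]


def failed_events(records):
    """Records whose return token reports a failure, e.g. a denied write (class fw)."""
    return [r for r in records if r.get("status", "").startswith("failure")]


def summarize(record):
    """One-line description of a record, SIEM style."""
    return "%s %s(as %s) %s %s -> %s" % (record["time"], record["audit_user"],
                                         record["euid"], record["event"],
                                         ",".join(record["paths"]), record["status"])


if __name__ == "__main__":
    recs = parse_praudit(SAMPLE_PRAUDIT)
    for r in privilege_changes(recs) + failed_events(recs):
        print(summarize(r))
```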
-
c0t0d0s0//org128
Not always (in the sense of: never) a good idea:
root@client:~# auditconfig -setflags all
user default audit flags = all(0xffffffffffffffff,0xffffffffffffffff)
Useful after trying out: starting a new audit file
root@client:~# audit -n
-
c0t0d0s0//org129
all activated for a few seconds on an unloaded system:
root@client:~# auditstat
  gen  nona  kern   aud   ctl   enq  wrtn  wblk  rblk  drop   tot   mem
38248     1 38233    14     0 37791 37788     0  3491   457  5169     0
-
c0t0d0s0//org130
SSH and X.509
-
c0t0d0s0//org131
root@ca:~# CA.pl -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
...............++++++
..++++++
writing new private key to '/etc/openssl/private/cakey.pem'
Enter PEM pass phrase: supersecret1
Verifying - Enter PEM pass phrase: supersecret1
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:DE
State or Province Name (full name) []:Lower Saxony
Locality Name (eg, city) []:Lueneburg
Organization Name (eg, company) []:c0t0d0s0.org
Organizational Unit Name (eg, section) []:Security Department
Common Name (e.g. server FQDN or YOUR name) []:CA
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openssl/openssl.cnf
Enter pass phrase for /etc/openssl/private/cakey.pem: supersecret1
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            b3:54:80:88:66:ad:e8:78
        Validity
            Not Before: Sep 26 10:11:09 2013 GMT
            Not After : Sep 25 10:11:09 2016 GMT
        Subject:
            countryName               = DE
            stateOrProvinceName       = Lower Saxony
            organizationName          = c0t0d0s0.org
            organizationalUnitName    = Security Department
            commonName                = CA
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44
            X509v3 Authority Key Identifier:
                keyid:5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44

            X509v3 Basic Constraints:
                CA:TRUE
Certificate is to be certified until Sep 25 10:11:09 2016 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated
#
-
c0t0d0s0//org132
root@ca:~# mkdir server
root@ca:~# cd server
root@ca:~/server# CA.pl -newreq
Generating a 1024 bit RSA private key
.....++++++
..................++++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase: supersecret2
Verifying - Enter PEM pass phrase: supersecret2
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:DE
State or Province Name (full name) []:Lower Saxony
Locality Name (eg, city) []:Lueneburg
Organization Name (eg, company) []:c0t0d0s0.org
Organizational Unit Name (eg, section) []:Server Certificates
Common Name (e.g. server FQDN or YOUR name) []:server
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem
-
c0t0d0s0//org134
root@ca:~/server# CA.pl -signreq
Using configuration from /etc/openssl/openssl.cnf
Enter pass phrase for /etc/openssl/private/cakey.pem: supersecret1
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            b3:54:80:88:66:ad:e8:79
        Validity
            Not Before: Sep 26 10:29:12 2013 GMT
            Not After : Sep 26 10:29:12 2014 GMT
        Subject:
            countryName               = DE
            stateOrProvinceName       = Lower Saxony
            localityName              = Lueneburg
            organizationName          = c0t0d0s0.org
            organizationalUnitName    = Server Certificates
            commonName                = server
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                A7:DC:03:DE:B3:D5:FB:F9:C0:06:F1:1A:55:A9:AD:04:C4:9C:10:FA
            X509v3 Authority Key Identifier:
                keyid:5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44

Certificate is to be certified until Sep 26 10:29:12 2014 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
root@ca:~/server# ls -l
total 15
-rw-r--r--   1 root     root        3196 Sep 26 12:29 newcert.pem
-rw-r--r--   1 root     root        1041 Sep 26 12:28 newkey.pem
-rw-r--r--   1 root     root         680 Sep 26 12:28 newreq.pem
-
c0t0d0s0//org135
root@ca:~/junior# CA.pl -newreq
Generating a 1024 bit RSA private key
..........++++++
......++++++
writing new private key to 'newkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
Verify failure
Enter PEM pass phrase: supersecret3
Verifying - Enter PEM pass phrase: supersecret3
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:DE
State or Province Name (full name) []:Lower Saxony
Locality Name (eg, city) []:Lueneburg
Organization Name (eg, company) []:c0t0d0s0.org
Organizational Unit Name (eg, section) []:User certificates
Common Name (e.g. server FQDN or YOUR name) []:junior
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem
-
c0t0d0s0//org136
root@ca:~/junior# CA.pl -signreq
Using configuration from /etc/openssl/openssl.cnf
Enter pass phrase for /etc/openssl/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            b3:54:80:88:66:ad:e8:7a
        Validity
            Not Before: Sep 26 11:09:29 2013 GMT
            Not After : Sep 26 11:09:29 2014 GMT
        Subject:
            countryName               = DE
            stateOrProvinceName       = Lower Saxony
            localityName              = Lueneburg
            organizationName          = c0t0d0s0.org
            organizationalUnitName    = User certificates
            commonName                = junior
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                A1:F2:FC:9D:8A:E2:AD:9A:F5:29:03:F5:B7:14:93:3C:64:62:8E:9C
            X509v3 Authority Key Identifier:
                keyid:5B:1F:2F:71:86:12:30:40:50:15:52:81:8D:52:5A:A5:59:7E:36:44

Certificate is to be certified until Sep 26 11:09:29 2014 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
#
-
c0t0d0s0//org137
root@server:~# useradd -m junior
80 blocks
root@server:~# passwd junior
New Password:
Re-enter new Password:
passwd: password successfully changed for junior
root@server:~#

root@client:~# useradd -m junior
80 blocks
root@client:~# passwd junior
New Password:
Re-enter new Password:
passwd: password successfully changed for junior
-
c0t0d0s0//org138
root@server:~# echo "192.168.10.51 server" >> /etc/hosts
root@server:~# echo "192.168.10.52 client" >> /etc/hosts

root@client:~# echo "192.168.10.51 server" >> /etc/hosts
root@client:~# echo "192.168.10.52 client" >> /etc/hosts
-
c0t0d0s0//org139
root@ca:~/server# scp /etc/openssl/cacert.pem [email protected]:/export/home/jmoekamp
Password:
cacert.pem           100% |****************************************|  3011       00:00
root@ca:~/server# scp newcert.pem [email protected]:/export/home/jmoekamp
Password:
newcert.pem          100% |****************************************|  3196       00:00
root@ca:~/server# scp newkey.pem [email protected]:/export/home/jmoekamp
Password:
newkey.pem           100% |****************************************|  1041       00:00

root@ca:~/junior# scp newkey.pem junior@client:/export/home/junior
Password:
newkey.pem           100% |****************************************|  1041       00:00
root@ca:~/junior# scp newcert.pem junior@client:/export/home/junior
Password:
newcert.pem          100% |****************************************|  3190       00:00
root@ca:~/junior# scp /etc/openssl/cacert.pem [email protected]:/export/home/junior
Password:
cacert.pem           100% |****************************************|  3011       00:00
-
c0t0d0s0//org140
On the Server
-
c0t0d0s0//org141
root@server:~# ls
cacert.pem   newcert.pem  newkey.pem
-
c0t0d0s0//org143
root@server:~# pktool setpin
Enter token passphrase: changeme
Create new passphrase: superserversecret
Re-enter new passphrase: superserversecret
Passphrase changed.
root@server:~#
-
c0t0d0s0//org144
root@server:~# printf "superserversecret" > /etc/ssh/pinfile
-
c0t0d0s0//org146
root@server:~# kmfcfg create dbfile=/etc/ssh/policy.xml policy=ssh ta-name=search mapper-name=cn
-
c0t0d0s0//org147
root@server:~# echo "TrustedAnchorKeystore /etc/ssh/cert" >> /etc/ssh/sshd_config
root@server:~# echo "KMFPolicyDatabase /etc/ssh/policy.xml" >> /etc/ssh/sshd_config
root@server:~# echo "KMFPolicyName ssh" >> /etc/ssh/sshd_config
root@server:~# echo "HostKey pkcs11:object=host;token=Sun Metaslot;pinfile=/etc/ssh/pinfile" >> /etc/ssh/sshd_config
-
c0t0d0s0//org148
root@server:~# pktool import keystore=pkcs11 infile=newkey.pem objtype=key label=host
Enter PIN for Sun Software PKCS#11 softtoken: superserversecret
Enter PEM pass phrase: supersecret2
Importing 1 keys
-
c0t0d0s0//org149
root@server:~# egrep -v "^ |^$|^Cert" /export/home/jmoekamp/cacert.pem > /etc/ssh/cert/cacert.cooked.pem
root@server:~# egrep -v "^ |^$|^Cert" newcert.pem > newcert.cooked.pem
root@server:~# pktool import keystore=pkcs11 infile=newcert.cooked.pem objtype=cert label=host
root@server:~#
-
c0t0d0s0//org150
On the client
-
c0t0d0s0//org151
junior@client:~$ ls *.pem
cacert.pem   newcert.pem  newkey.pem
-
c0t0d0s0//org152
root@client:~# kmfcfg create dbfile=/etc/ssh/policy.xml policy=ssh ta-name=search mapper-name=cn
root@client:~# egrep -v "^ |^$|^Cert" /export/home/junior/cacert.pem > /etc/ssh/cert/cacert.cooked.pem
-
c0t0d0s0//org153
junior@client:~$ pktool setpin
Enter token passphrase: changeme
Create new passphrase: superusersecret
Re-enter new passphrase: superusersecret
Passphrase changed.
-
c0t0d0s0//org154
junior@client:~$ pktool import keystore=pkcs11 infile=newkey.pem objtype=key label=user
Enter PIN for Sun Software PKCS#11 softtoken: superusersecret
Enter PEM pass phrase: supersecret3
Importing 1 keys
junior@client:~$ egrep -v "^ |^$|^Cert" newcert.pem > newcert.cooked.pem
junior@client:~$ pktool import keystore=pkcs11 infile=newcert.cooked.pem objtype=cert label=user
-
c0t0d0s0//org155
Testing it
-
c0t0d0s0//org156
root@server:~# svcadm disable ssh
root@server:~# svcadm enable ssh
-
c0t0d0s0//org157
junior@client:~$ cd .ssh
junior@client:~/.ssh$ printf "superusersecret" >> pinfile
junior@client:~/.ssh$ cat config
Host server-x509
    Hostname server
    TrustedAnchorKeystore /etc/ssh/cert
    KMFPolicyDatabase /etc/ssh/policy.xml
    KMFPolicyName ssh
    IdentityFile pkcs11:object=user;token=Sun Software PKCS#11 softtoken;pinfile=/export/home/junior/.ssh/pinfile
-
c0t0d0s0//org158
junior@client:~/.ssh$ ssh junior@server-x509
Last login: Thu Sep 26 20:07:14 2013 from client
Oracle Corporation      SunOS 5.11      11.1    September 2013
junior@server:~$
-
c0t0d0s0//org159
Find more information regarding this feature at:
http://www.c0t0d0s0.org/archives/7659-Using-X.509-support-for-SSH-on-Solaris-11.1.html
-
c0t0d0s0//org160
OpenSCAP
-
c0t0d0s0//org161
"The Security Content Automation Protocol (SCAP) is a method for using specific standards to enable automated vulnerability management, measurement, and policy compliance evaluation (e.g., FISMA compliance). The National Vulnerability Database (NVD) is the U.S. government content repository for SCAP."
http://en.wikipedia.org/wiki/Security_Content_Automation_Protocol
-
c0t0d0s0//org162
ftp-banner.xml (text content of the OVAL file):
Enhanced SCAP Editor 0.0.11, schema version 5.8, 2012-10-11T10:33:25
Title: Enable a Warning Banner for the FTP Service
Platform: Oracle Solaris 11
Description: /etc/proftpd.conf contains "DisplayConnect /etc/issue"
Object: path /etc, filename proftpd.conf, pattern ^DisplayConnect\s/etc/issue\s$, instance 1
-
c0t0d0s0//org164
$ oscap oval eval ftp-banner.xml
Definition oval:com.oracle.solaris11:def:840: false
Evaluation done.

$ oscap oval eval --results results.xml --report report.html ftp-banner.xml
Definition oval:com.oracle.solaris11:def:840: false
Evaluation done.
OVAL Results are exported correctly.
-
c0t0d0s0//org166
To create your own OVAL files, use the Enhanced SCAP Content Editor:
-
c0t0d0s0//org167
Find more information regarding this feature at:
https://blogs.oracle.com/darren/entry/compliance_reporting_with_scap