Breaking the Kubernetes Kill Chain: Host Path Mount
2009 04.s10-admin-topics4
1. Solaris 10 Administration Topics Workshop
4- Security
By Peter Baer Galvin
For Usenix
Last Revision Apr 2009
Copyright 2009 Peter Baer Galvin - All Rights Reserved
Saturday, May 2, 2009
2. About the Speaker
Peter Baer Galvin - 781 273 4100
pbg@cptech.com
www.cptech.com
peter@galvin.info
My Blog: www.galvin.info
Bio
Peter Baer Galvin is the Chief Technologist for Corporate Technologies, Inc., a leading
systems integrator and VAR, and was the Systems Manager for Brown University's
Computer Science Department. He has written articles for Byte and other magazines.
He was contributing editor of the Solaris Corner for SysAdmin Magazine , wrote Pete's
Wicked World, the security column for SunWorld magazine, and Pete’s Super Systems,
the systems administration column there. He is now Sun columnist for the Usenix ;login:
magazine. Peter is co-author of the Operating Systems Concepts and Applied
Operating Systems Concepts texbooks. As a consultant and trainer, Mr. Galvin has
taught tutorials in security and system administration and given talks at many
conferences and institutions.
Copyright 2009 Peter Baer Galvin - All Rights Reserved 2
Saturday, May 2, 2009
3. Objectives
Explore the new Solaris 10 security features,
from an admin point of view
Some app/dev points made to guide
developers
Convey their current status, usability, and
future functionality
Help prepare for Solaris 10 deployment
Some pre-Solaris 10 coverage when needed
Copyright 2009 Peter Baer Galvin - All Rights Reserved 3
Saturday, May 2, 2009
4. Prerequisites
Recommend at least a couple of years of
Solaris experience
Or at least a few years of other Unix
experience
Best is a few years of admin experience,
mostly on Solaris
Copyright 2009 Peter Baer Galvin - All Rights Reserved 4
Saturday, May 2, 2009
5. About the Tutorial
Every SysAdmin has a different
knowledge set
A lot to cover, but notes should make
good reference
So some covered quickly, some in detail
Setting base of knowledge
Please ask questions
But let’s take off-topic off-line
Copyright 2009 Peter Baer Galvin - All Rights Reserved 5
Saturday, May 2, 2009
6. Fair Warning
Sites vary
Circumstances vary
Admin knowledge varies
My goals
Provide information useful for each of
you at your sites
Provide opportunity for you to learn
from each other
Copyright 2009 Peter Baer Galvin - All Rights Reserved 6
Saturday, May 2, 2009
7. Why Listen to Me?
20 Years of Sun experience
Seen much as a consultant
Hopefully, you've used:
My Usenix ;login: column
The Solaris Corner @ www.samag.com
The Solaris Security FAQ
SunWorld “Pete's Wicked World”
SunWorld “Pete's Super Systems”
Unix Secure Programming FAQ (out of date)
Operating System Concepts (The Dino Book), now 8th ed
Applied Operating System Concepts
Copyright 2009 Peter Baer Galvin - All Rights Reserved 7
Saturday, May 2, 2009
8. Slide Ownership
As indicated per slide, some slides copyright
Sun Microsystems
Feel free to share all the slides - as long as you
don’t charge for them or teach from them for
fee
Copyright 2009 Peter Baer Galvin - All Rights Reserved 8
Saturday, May 2, 2009
9. Overview
Lay of the Land
Copyright 2009 Peter Baer Galvin - All Rights Reserved
Saturday, May 2, 2009
10. Schedule
Copyright 2009 Peter Baer Galvin - All Rights Reserved 10
Saturday, May 2, 2009
11. Coverage
Solaris 10 is a moving target
This tutorial based on FCS (Jan / Mar 05)
Plus “Nevada” build 53
How to get Solaris 10
Download from Sun
Media Kits now shipping
How to get Solaris 10+
Join Solaris Express for month releases
Opensolaris.org for “untested” releases
Copyright 2009 Peter Baer Galvin - All Rights Reserved 11
Saturday, May 2, 2009
12. Outline
Overview
Sun Overview
DTrace (lab?)
RBAC (lab)
Privileges
NFS V4
Flash archives and live upgrade
Moving from NIS to LDAP
FTP client and server enhancements
Copyright 2009 Peter Baer Galvin - All Rights Reserved 12
Saturday, May 2, 2009
13. Outline
PAM enhancements
Auditing enhancements
BSM
Solaris Cryptographic Framework
Smartcard interfaces and APIs
Kerberos enhancements
Packet filtering
BART
Trusted Extensions
Overall Solaris 10 Security
Conclusions
References
Copyright 2009 Peter Baer Galvin - All Rights Reserved 13
Saturday, May 2, 2009
14. Your Objectives?
Copyright 2009 Peter Baer Galvin - All Rights Reserved 14
Saturday, May 2, 2009
15. Lab Preparation
Have device capable of telnet on USENIX
network
Or have a buddy
Learn your “magic number”
Telnet to 131.106.62.100+”magic number”
User “root, password “lisa”
It’s all very secure
Copyright 2009 Peter Baer Galvin - All Rights Reserved 15
Saturday, May 2, 2009
16. Lab Preparation
Or...
Use virtualbox
Use your own system
Use a remote machine you have legit access
to
Copyright 2009 Peter Baer Galvin - All Rights Reserved 16
Saturday, May 2, 2009
17. Introduction
Copyright 2009 Peter Baer Galvin - All Rights Reserved 17
Saturday, May 2, 2009
18. Overview
Solaris 10 includes lots of new security features
Security is important to administrators
It usually annoys users
We’ll look at each new feature, how useful,
powerful and annoying it is
Should provide a good roadmap for what to
use, when
How can they be used to solve the following
problems
Copyright 2009 Peter Baer Galvin - All Rights Reserved 18
Saturday, May 2, 2009
19. Sun Overview
Quick high-level overview of Sun’s view of
Solaris security
Copyright 2009 Peter Baer Galvin - All Rights Reserved 19
Saturday, May 2, 2009
20. (From the Solaris 10 Sun Net Talk about Solaris 10 Security)
Copyright 2009 Peter Baer Galvin - All Rights Reserved 20
Saturday, May 2, 2009
21. (From the Solaris 10 Sun Net Talk about Solaris 10 Security)
Copyright 2009 Peter Baer Galvin - All Rights Reserved 21
Saturday, May 2, 2009
22. (From the Solaris 10 Sun Net Talk about Solaris 10 Security)
Copyright 2009 Peter Baer Galvin - All Rights Reserved 22
Saturday, May 2, 2009
23. (From the Solaris 10 Sun Net Talk about Solaris 10 Security)
Copyright 2009 Peter Baer Galvin - All Rights Reserved 23
Saturday, May 2, 2009
24. (From the Solaris 10 Sun Net Talk about Solaris 10 Security)
Copyright 2009 Peter Baer Galvin - All Rights Reserved 24
Saturday, May 2, 2009
25. (From the Solaris 10 Sun Net Talk about Solaris 10 Security)
Copyright 2009 Peter Baer Galvin - All Rights Reserved 25
Saturday, May 2, 2009
26. (From the Solaris 10 Sun Net Talk about Solaris 10 Security)
Copyright 2009 Peter Baer Galvin - All Rights Reserved 26
Saturday, May 2, 2009
27. (From the Solaris 10 Sun Net Talk about Solaris 10 Security)
Copyright 2009 Peter Baer Galvin - All Rights Reserved 27
Saturday, May 2, 2009
28. S10 Security Status
According to Sun:
Solaris 10 11/06 is currently in evaluation at EAL4+, one of the
highest level of Common Criteria Certification, with three
Protection Profiles: Labeled Security Protection Profile (LSPP),
Controlled Access Protection Profile (CAPP) and Role-Based
Access Control Protection Profile (RBACPP). In addition,
Solaris 10 3/05 has completed evaluation at EAL4+ with CAPP
and RBACPP.
Copyright 2009 Peter Baer Galvin - All Rights Reserved 28
Saturday, May 2, 2009
29. Good Security Hygiene
Checklist #1 - Use before making a change
Is the syntax of the command correct?
Is the command the right one to make the change?
Is there a better way to make the change?
Are the right options entered / selected?
Is today Friday?
Is today some other day on which it would be exceptionally bad to
break something (such as the day before leaving for a vacation or
conference)?
What are the chances that executing this will break something?
If this change would break something, can I undo the action?
Is this a documented way to accomplish the task?
If this is a new way to make a change, should I document it?
And finally, what effect might this action have on security?
Copyright 2009 Peter Baer Galvin - All Rights Reserved 29
Saturday, May 2, 2009
31. Virtualization Options
Containers / Zones (more below)
Xen (xVM server) - bare metal hypervisor + guests
Run other OSes (linux, win) with S10+ has the host
Industry semi-standard
Para-virtualization, x86 only
LDOMs - hard partitions, shipped in May 2007
Run multiple copies of Solaris on the same coolthreads chip (Niagara, Rock
in the future)
Some resource management - move CPUs and mem
VMWare - solaris as a guest, not a host so far, x86 only
Traditional Sun Domains - SPARC only, Enterprise servers only
Copyright 2009 Peter Baer Galvin - All Rights Reserved 31
Saturday, May 2, 2009
32. Security Impact
Lots of security issues around virtualization
How many “systems” are in a given environment?
Hidden / unknown systems
“System” audit could involve dozens of OSes!
Separately secure
HW - servers, storage, devices, etc
OS - per-os security regardless of HW
Apps
Virtualization infrastructure (ESX management, Solaris
server, Hypervisor management, and on and on)
Copyright 2009 Peter Baer Galvin - All Rights Reserved 32
Saturday, May 2, 2009
33. Zones Overview
Think of them of chroot on steroids
Virtualized operating system services
Isolated and “secure” environment for running apps
Apps and users (and superusers) in zone cannot see / effect
other zones
Delegated admin control
Virtualized device paths, network interfaces, network ports,
process space, resource use (via resource manager)
Application fault isolation
Detach and attach containers between systems
Cloning of a zone to create identical new zone
Copyright 2009 Peter Baer Galvin - All Rights Reserved 33
Saturday, May 2, 2009
34. Zones Overview - 2
Low physical resource use
Up to 8192 zones per system!
Differentiated file system
Multiple versions of an app installed and running on a given system
Inter-zone communication is only via network (but short-pathed through the
kernel
No application changes needed – no API or ABI
Can restrict disk use of a zone via the loopback file driver (lofi) using a file as a
file system
Can dedicate an Ethernet port to a zone
Allowing snooping, firewalling, managing that port by the zone
Copyright 2009 Peter Baer Galvin - All Rights Reserved 34
Saturday, May 2, 2009
35. (From System Administration Guide: N1 Grid Containers, Resource Management, and Solaris Zones)
Copyright 2009 Peter Baer Galvin - All Rights Reserved 35
Saturday, May 2, 2009
36. (From the Solaris 10 Sun Net Talk about Solaris 10 Security)
Copyright 2009 Peter Baer Galvin - All Rights Reserved 36
Saturday, May 2, 2009
37. LDOMs
Logical domains
Released April ’07
Only on Niagara and future CMT chips (Niagara II,
Rock)
Like enterprise-system domains but within one chip
Slice the chip into multiple LDOMs, each with its own
OS root, boot independently, et
Now can run multiple OSes on 1 SPARC chip
Copyright 2009 Peter Baer Galvin - All Rights Reserved 37
Saturday, May 2, 2009
39. LDOMs - Details
Can create up to 1 LDOM per thread(!)
Best practice seems to be max one LDOM
per core
i.e. 8 LDOMs on Niagara I and II
Nice intro blog
http://blogs.sun.com/ash/entry/ultrasparc_t2_launched_today
And nice flash demo
http://www.sun.com/servers/coolthreads/ldoms/
Copyright 2009 Peter Baer Galvin - All Rights Reserved 39
Saturday, May 2, 2009
40. DTrace
Copyright 2009 Peter Baer Galvin - All Rights Reserved 40
Saturday, May 2, 2009
41. DTrace and Security
New tool has security implications
DTrace so cool we need to take a quick
look
Copyright 2009 Peter Baer Galvin - All Rights Reserved 41
Saturday, May 2, 2009
42. DTrace Overview
Best tool ever for understanding system behavior
Uses language D, based on C
Fully dynamic, full probing of kernel and user apps
Fully scalable
Enabled in Solaris 10 – no custom kernel or configuration changes needed
Use DTrace today to solve non-S10 problems
Move the “problem” to a test / dev S10 machine, debug, and then back port
the solution to the original machine
Way to much to cover here
So I’ll whet your appetite
Got example code available at http://users.tpg.com.au/adsln4yb/
dtrace.html
All DTrace resources at http://www.sun.com/bigadmin/content/
dtrace/
Copyright 2009 Peter Baer Galvin - All Rights Reserved 42
Saturday, May 2, 2009
43. DTrace and Security
DTrace doesn’t “weaken” security model
Root with or without DTrace is God
But with DTrace easier to be a bad God
Watch ssh typing
Watch shell I/O
DTrace disabled in zones by default
As of Nevada build 37 (and probably S10 U2), can give DTrace user
and process privileges to a zone
Zone can’t get DTrace kernel priv
Can’t see outside of the zone
# zonecfg -z myzone
zonecfg:myzone> set
limitpriv=default,dtrace_proc,dtrace_user
zonecfg:myzone> ^D
Copyright 2009 Peter Baer Galvin - All Rights Reserved 43
Saturday, May 2, 2009
44. DTrace Example - 1
connections.d snoop inbound TCP
connections as they are established,
displaying the server process that
accepted the connection
# ./connections.d
UID PID IP_SOURCE PORT CMD
0 254 192.168.001.001 23 /usr/sbin/inetd -s
0 254 192.168.001.001 23 /usr/sbin/inetd -s
0 254 192.168.001.001 79 /usr/sbin/inetd -s
0 254 192.168.001.001 21 /usr/sbin/inetd -s
0 254 192.168.001.001 79 /usr/sbin/inetd -s
100 2319 192.168.001.001 6000 /usr/openwin/bin/Xsun :0 -
nobanner
0 254 192.168.001.001 79 /usr/sbin/inetd -s [...]
Copyright 2009 Peter Baer Galvin - All Rights Reserved 44
Saturday, May 2, 2009
45. DTrace Example - 2
The following script counts number of
write(2) calls by application:
syscall::write:entry
{
@counts[execname] = count();
}
Copyright 2009 Peter Baer Galvin - All Rights Reserved 45
Saturday, May 2, 2009
46. DTrace Example - 4
# dtrace -s write-calls-by-app.d
dtrace: script 'write-calls-by-app.d' matched 1 probe
^C
dtrace 1
login 1
sshd 2
sh 6
telnet 6
w 7
df 12
in.telnetd 25
mixer_applet2 61
gnome-panel 108
metacity 125
gnome-terminal 197
#
Copyright 2009 Peter Baer Galvin - All Rights Reserved 46
Saturday, May 2, 2009
47. DTrace Example - 5
Let’s have a look at the size of the writes
to file descriptor 5, per section of user
code (!)
syscall::write:entry
/execname == "sshd" && arg0 == 5/
{
@[ustack()] = quantize(arg2);
}
Copyright 2009 Peter Baer Galvin - All Rights Reserved 47
Saturday, May 2, 2009
48. DTrace Example - 6
bash-2.05b# dtrace -s write-sshd-fd-5.d
dtrace: script 'write-sshd-fd-5.d' matched 1 probe
^C
libc.so.1`_write+0xc
sshd`atomicio+0x2d
805b59c
sshd`main+0xd59
805b1fa
value ------------- Distribution ------------- count
8 | 0
16 |@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ 1
32 | 0
libc.so.1`_write+0xc
sshd`packet_write_poll+0x2e
sshd`packet_write_wait+0x23
sshd`userauth_finish+0x19f
805f42e
sshd`dispatch_run+0x49
sshd`do_authentication2+0x7c
sshd`main+0xdc7
805b1fa
value ------------- Distribution ------------- count
Copyright 2009 Peter Baer Galvin - All Rights Reserved 48
Saturday, May 2, 2009
49. DTrace Example - 7
#!/usr/sbin/dtrace -s
#pragma D option flowindent
pid$1::$2:entry
{
self->trace = 1;
}
pid$1:::entry, pid$1:::return, fbt:::
/self->trace/
{
printf("%s", curlwpsinfo->pr_syscall ?
"K" : "U");
}
pid$1::$2:return
/self->trace/
{
self->trace = 0;
}
Copyright 2009 Peter Baer Galvin - All Rights Reserved 49
Saturday, May 2, 2009
51. DTrace Toolkit
DTrace Toolkit with lots (> 90) of great scripts
Includes scripts for Python, Perl, Java, PHP, Ruby, Tcl,
Javascript
Best starting point for learning DTrace
Means you don’t have to be DTrace expert to use DTrace (for
good or evil)
http://www.opensolaris.org/os/community/dtrace/
dtracetoolkit/
Copyright 2009 Peter Baer Galvin - All Rights Reserved 51
Saturday, May 2, 2009
52. DTrace Toolkit Hits
dexplorer - run a lot of tools for a few
seconds and log output to a file
Other key scripts include
dtruss, dvmstat, execsnoop,
hotkernel, hotuser, errinfo,
iopattern, iosnoop, iotop,
opensnoop, procsystime, rwsnoop,
rwtop, statsnoop
Copyright 2009 Peter Baer Galvin - All Rights Reserved 52
Saturday, May 2, 2009
53. DTrace One-Liners
Snarfed from http://www.solarisinternals.com/wiki/index.php/DTrace_Topics_One_Liners
Processes
* New processes with arguments,
dtrace -n 'proc:::exec-success { trace(curpsinfo->pr_psargs); }'
Files
* Files opened by process name,
dtrace -n 'syscall::open*:entry { printf("%s %s",execname,copyinstr(arg0)); }'
* Files created using creat() by process name,
dtrace -n 'syscall::creat*:entry { printf("%s %s",execname,copyinstr(arg0)); }'
Syscalls
* Syscall count by process name,
dtrace -n 'syscall:::entry { @num[execname] = count(); }'
* Syscall count by syscall,
dtrace -n 'syscall:::entry { @num[probefunc] = count(); }'
* Syscall count by process ID,
dtrace -n 'syscall:::entry { @num[pid,execname] = count(); }'
* Read bytes by process name,
dtrace -n 'sysinfo:::readch { @bytes[execname] = sum(arg0); }'
I/O
* Write bytes by process name,
dtrace -n 'sysinfo:::writech { @bytes[execname] = sum(arg0); }'
* Read size distribution by process name,
dtrace -n 'sysinfo:::readch { @dist[execname] = quantize(arg0); }'
* Write size distribution by process name,
dtrace -n 'sysinfo:::writech { @dist[execname] = quantize(arg0); }'
Physical I/O
* Disk size by process ID,
dtrace -n 'io:::start { printf("%d %s %d",pid,execname,args[0]->b_bcount); }'
* Disk size aggregation
dtrace -n 'io:::start { @size[execname] = quantize(args[0]->b_bcount); }'
* Pages paged in by process name,
dtrace -n 'vminfo:::pgpgin { @pg[execname] = sum(arg0); }'
Copyright 2009 Peter Baer Galvin - All Rights Reserved 53
Saturday, May 2, 2009
54. More DTrace One-liners
Memory
* Minor faults by process name,
dtrace -n 'vminfo:::as_fault { @mem[execname] = sum(arg0); }'
User-land
* Sample user stack trace of specified process ID at 1001 Hertz
dtrace -n 'profile-1001 /pid == $target/ { @num[ustack()] = count(); }' -p PID
* Trace why threads are context switching off the CPU, from the user-land perspective,
dtrace -n 'sched:::off-cpu { @[execname, ustack()] = count(); }'
* User stack size for processes
dtrace -n 'sched:::on-cpu { @[execname] = max(curthread->t_procp->p_stksize);}'
Kernel
* Sample kernel stack trace at 1001 Hertz
dtrace -n 'profile-1001 /!pid/ { @num[stack()] = count(); }'
* Interrupts by CPU,
dtrace -n 'sdt:::interrupt-start { @num[cpu] = count(); }'
* CPU cross calls by process name,
dtrace -n 'sysinfo:::xcalls { @num[execname] = count(); }'
* Trace why threads are context switching off the CPU, from the kernel perspective,
dtrace -n 'sched:::off-cpu { @[execname, stack()] = count(); }'
* Kernel function calls by module
dtrace -n 'fbt:::entry { @calls[probemod] = count(); }'
Copyright 2009 Peter Baer Galvin - All Rights Reserved 54
Saturday, May 2, 2009
55. DTrace Lab (!)
Try some one-liners
Which work in a non-global zone?
Try some of the scripts in /usr/demo/dtrace
How useful is non-global zone
DTrace?
Copyright 2009 Peter Baer Galvin - All Rights Reserved 55
Saturday, May 2, 2009
56. RBAC
Copyright 2009 Peter Baer Galvin - All Rights Reserved 56
Saturday, May 2, 2009
57. RBAC
Been in Solaris since release 8
Basis for access control on Solaris
A bit, um, complicated
Quick review here
How many of you are using RBAC?
Let’s take the nickel tour to get up to
speed:
http://mediacast.sun.com/share/bartbl/
blog-5cent-rbac-tour.mov
Copyright 2009 Peter Baer Galvin - All Rights Reserved 57
Saturday, May 2, 2009
59. RBAC Terminology
Administrative Roles – (or just “roles”)
for grouping authorizations, profiles and
commands together as a common set of
functions. Think of these as special user
accounts to which profiles are assigned.
Profiles -- (also known as "execution
profiles" or "rights profiles") a collection
of authorizations, commands, and/or
other profiles that together provide for
performing a set of administrative tasks.
Copyright 2009 Peter Baer Galvin - All Rights Reserved 59
Saturday, May 2, 2009
60. RBAC Terminology - 2
Authorizations – permissions that grant access to restricted actions
that are otherwise prohibited by the security policy. These are typically
assigned in a profile, but can also be assigned to a user or a role. Think
of this as tokens that can be checked by RBAC-aware programs.
Rather than checking if UID=0 to allow an action, such programs can
check if, for example, the user has authorization token
“solaris.admin.diskmgr.read”.
Privileged program – a program with security attributes that enables
special functions depending on a check of user-id, group-id, privileges,
or authorizations. These are setuid or setgid programs, or programs
with assigned privileges.
Copyright 2009 Peter Baer Galvin - All Rights Reserved 60
Saturday, May 2, 2009
62. RBAC Use
User assumes a role - placed in a special profile-understanding shell
pfcsh, pfksh, and pfsh
Shells know how to read through the various config files in /etc/
security (and /etc/user_attr)
Determines the rights profiles of the role and the components of those
profiles, enforces them
I.e., if a role had the Name Service Security rights profile, then user would
be allowed to run /usr/bin/nischown with the effective user-id of 0
(from /etc/security/exec_attr)
The administrator creates a profile of authorizations and privileged commands
for task or tasks
Can be assigned directly to a user or to (better) a role
Without authorizations, user is prevented from executing a privileged
application, or prevented from performing operations within a privileged
application
Copyright 2009 Peter Baer Galvin - All Rights Reserved 62
Saturday, May 2, 2009
63. RBAC Use - 2
Easiest RBAC admin is to use the Solaris Management
Console (smc)
User is allowed to assume zero or more roles by knowing
the password of the roles
Similar to using the su command
When the user assumes a role, the capabilities of the role are
available
List of roles available to that user is displayed by the roles
command
User su’s to an available role to accomplish privileged tasks
No default roles
Copyright 2009 Peter Baer Galvin - All Rights Reserved 63
Saturday, May 2, 2009
64. /etc/security/exec_attr
# head exec_attr
Application Server Management:suser:cmd:::/usr/appserver/bin/
asadmin:
Software Installation:suser:cmd:::/usr/bin/pkgparam:uid=0
Network Management:suser:cmd:::/usr/sbin/in.named:uid=0
File System Management:suser:cmd:::/usr/sbin/mount:uid=0
Software Installation:suser:cmd:::/usr/bin/pkgtrans:uid=0
Name Service Security:suser:cmd:::/usr/bin/nisaddcred:euid=0
Mail Management:suser:cmd:::/usr/sbin/makemap:euid=0
FTP Management:suser:cmd:::/usr/sbin/ftprestart:euid=0
File System Management:solaris:cmd:::/sbin/
mount:privs=sys_mount
Software Installation:suser:cmd:::/usr/sbin/install:euid=0
Copyright 2009 Peter Baer Galvin - All Rights Reserved 64
Saturday, May 2, 2009
65. Roles
Typical types of roles:
primary administrator - the traditional
superuser, with all privileges,
system administrator – an
administrator without security-
modification privileges,
operator – an administrator with a
limited, specific set of privileges,
advanced user – a user with privileges
to debug and fix her own system or
programs
Copyright 2009 Peter Baer Galvin - All Rights Reserved 65
Saturday, May 2, 2009
66. Solaris Privileges
Copyright 2009 Peter Baer Galvin - All Rights Reserved 66
Saturday, May 2, 2009
67. Privileges
Really known as “least privilege”
Only the minimum privileges to get a job done should be
available
Alternative to being root or no one
Done at the API level
SetUID programs can dictate fine grain access to kernel
features
Can limit what privs children have
Should further help can buffer overflows and other privilege
escalation methods
Done at the user or role level
All specific users to perform specific operations regardless of
the programs being run
Copyright 2009 Peter Baer Galvin - All Rights Reserved 67
Saturday, May 2, 2009
68. Privileges - 2
New level of management of rights within
a Solaris 10 system
Fine-grained privileges that can be
assigned to entities
The kernel enforces the new requirement
that, to perform a special function, the
entity must have the privilege to do so.
Can work in parallel with traditional
superuser functionality for backward
compatibility.
Copyright 2009 Peter Baer Galvin - All Rights Reserved 68
Saturday, May 2, 2009
69. Privilege Sets
E - Effective privilege set – the current set of
privileges that are in effect
I - Inheritable privilege set – the set of privileges that a
process can inherit across an exec()
P - Permitted privilege set - the set of privileges that
are available for use
L - Limit privilege set – the outside limit of what
privileges are available to a process and its children
Used to shrink the “I” set when a child is created, for
example
Copyright 2009 Peter Baer Galvin - All Rights Reserved 69
Saturday, May 2, 2009
70. Privileges Example
traceroute is now privilege enabled
$ ls -l /usr/sbin/traceroute
-r-sr-xr-x 1 root bin 35392 Jul 3
14:42 /usr/sbin/traceroute
$ /usr/sbin/traceroute 1.2.3.4 &
[2] 7841
# pcred 7841
7841: e/r/suid=101 e/r/sgid=14
Copyright 2009 Peter Baer Galvin - All Rights Reserved 70
Saturday, May 2, 2009
71. Privileges Example - 2
# ppriv -v 7841
7841: /usr/sbin/traceroute 1.2.3.4
flags = PRIV_AWARE
E:
file_link_any,proc_exec,proc_fork,proc_info,proc_sess
ion
I:
file_link_any,proc_exec,proc_fork,proc_info,proc_sess
ion
P:
file_link_any,net_icmpaccess,net_rawaccess,proc_exec,
proc_fork,proc_info,proc_session
L: none
Note exploit needs to execute fully in the context of traceroute to
make use of its privileges because the "Limit“ set is empty
Copyright 2009 Peter Baer Galvin - All Rights Reserved 71
Saturday, May 2, 2009
72. Privileged Daemon Example
# ppriv `pgrep rpcbind`
153: /usr/sbin/rpcbind
flags = PRIV_AWARE
E: basic,!file_link_any,net_privaddr,!
proc_exec,!proc_info,!proc_session,sys_nfs
I: basic,!file_link_any,!proc_exec,!
proc_fork,!proc_info,!proc_session
P: basic,!file_link_any,net_privaddr,!
proc_exec,!proc_info,!proc_session,sys_nfs
L: basic,!file_link_any,!proc_exec,!
proc_fork,!proc_info,!proc_session
Copyright 2009 Peter Baer Galvin - All Rights Reserved 72
Saturday, May 2, 2009
73. RBAC and Privileges
Use RBAC to assign specific privs to roles or users
By default, all non-setuid processes have the “basic” set of
privileges assigned
Create a role with that privilege and then allow the user to
assume that role
The list of available privileges is available in the privileges(5),
and via the all important ppriv command (the “-lv” options)
Divided into categories, including file, ipc, net, proc, and sys
privileges
For example, enable users in role “test” to do process
management and use DTrace features
Create “test” role in /etc/user_attr
Copyright 2009 Peter Baer Galvin - All Rights Reserved 73
Saturday, May 2, 2009
74. RBAC and Privileges - 2
# roleadd -u 201 -d /export/home/test -P
"Process Management" test
# rolemod -K
defaultpriv=basic,dtrace_proc,dtrace_user,
dtrace_kernel test
# grep test /etc/user_attr
test::::type=role;defaultpriv=basic,dtrace_
proc,dtrace_user,dtrace_kernel;profiles=Pr
ocess Management
# passwd test
New password:
Re-enter new password:
# mkdir -p /export/home/test
The user would need to switch to the role “test” to use
Copyright 2009 Peter Baer Galvin - All Rights Reserved 74
Saturday, May 2, 2009
75. RBAC and Privileges - 3
$ ppriv $$
10897: -bash
flags = <none>
E: basic
I: basic
P: basic
L: all
$ dtrace -s bitesize.d
dtrace: failed to initialize dtrace: DTrace requires additional
privileges
$ su - test
password:
Roles can only be assumed by authorized users
su: Sorry
# usermod –R test pbg
(then login as pbg)
Copyright 2009 Peter Baer Galvin - All Rights Reserved 75
Saturday, May 2, 2009
76. RBAC and Privileges - 4
$ roles
test
$su test
password:
$ ppriv $$
11022: pfsh
flags = <none>
E: basic,dtrace_kernel,dtrace_proc,dtrace_user
I: basic,dtrace_kernel,dtrace_proc,dtrace_user
P: basic,dtrace_kernel,dtrace_proc,dtrace_user
L: all
$ dtrace –s bitesize.d
. . .
Alternately, privileges can be directly assigned to users, as in:
pbg::::type=normal;roles=primary_administrator,test;
defaultpriv=basic,dtrace_proc,dtrace_user,dtrace_kernel
Copyright 2009 Peter Baer Galvin - All Rights Reserved 76
Saturday, May 2, 2009
77. Privilege Assignment
To add a privilege to a specific user, use the
usermod command to add the privilege to the
user’s default privileges, as in
# usermod –K
defaultpriv=basic,proc_clock_high_res
jdoe
Unfortunately, to be able to assign a specific
privilege to a specific command, the command
must be written to be privilege aware
Copyright 2009 Peter Baer Galvin - All Rights Reserved 77
Saturday, May 2, 2009
78. Privilege Assignment - 2
Currently, native system programs are becoming privilege aware and having
a limited set of privileges assigned to them
Includes most setuid-root and network daemons
API available with privileges to allow Solaris programmers to write
privilege aware programs
ppriv command can be used on a program that is failing due to a lack
of privilege, to determine exactly the privileges that the program
needs to succeed
Appropriate privileges can be assigned to the program, or assigned to
a role or user to allow that program to run properly when the
appropriate set of users runs it
Good white paper by Sun about privilege-enabling an arbitrary set-UID
program: http://www.sun.com/blueprints/
0406/819-6320.pdf
Copyright 2009 Peter Baer Galvin - All Rights Reserved 78
Saturday, May 2, 2009
79. Final Privilege Notes
ppriv allows examination of a command to
determine what privileges it would need
$ ppriv -e -D cat /etc/shadow
cat[418]: missing privilege
"file_dac_read" (euid =
21782),needed at ufs_access
+0x3c
cat: cannot open /etc/shadow
ppriv -l lists all available privileges
-v does so with details
Copyright 2009 Peter Baer Galvin - All Rights Reserved 79
Saturday, May 2, 2009
81. /etc/user_attr
# cat /etc/user_attr
#
# Copyright (c) 2003 by Sun Microsystems, Inc. All rights
reserved.
#
# /etc/user_attr
#
# user attributes. see user_attr(4)
#
#pragma ident "@(#)user_attr 1.1 03/07/09 SMI"
#
adm::::profiles=Log Management
lp::::profiles=Printer Management
root::::auths=solaris.*,solaris.grant;profiles=Web Console
Management,All;lock_after_retries=no
test::::type=role;defaultpriv=basic,dtrace_proc,dtrace_user,dtr
ace_kernel;profiles=Process Management
pbg::::type=normal;roles=test
Copyright 2009 Peter Baer Galvin - All Rights Reserved 81
Saturday, May 2, 2009
82. Labs
Create new user “foo”
Create new role “operator”
Find list of profiles
Add some profiles to role “operator”
Add user foo to role “operator”
Find list of privileges
Add some privileges to role “operator”
Add some privileges to user “foo”
Test user foo in role “operator”
Test user “foo” privileges
Explore the system to find all of the changes associated with the new user
and role
What file would you need to look in during an audit to check a user for more
privileges?
Copyright 2009 Peter Baer Galvin - All Rights Reserved 82
Saturday, May 2, 2009
83. NFS V4
Copyright 2009 Peter Baer Galvin - All Rights Reserved 83
Saturday, May 2, 2009
84. NFS V4 Overview
Stateful rather than stateless
All traffic uses one port number (2049)
Can negotiate security authentication protocol, including using
Kerberos (SEAM) and DES
The /etc/default/nfs file uses keywords to control the NFS
protocols that are used by both the client and the server
Uses the string representations to identify the owner or group_owner
via the nfsmapid daemon
Supports mandatory locking (multiple lock types)
When you unshare a file system, all the state for any open files or file
locks in that file system is destroyed
Servers use a pseudo file system to provide clients with access to
exported objects on the server
Server provides a view that just includes the exported file systems
Copyright 2009 Peter Baer Galvin - All Rights Reserved 84
Saturday, May 2, 2009
85. NFS V4 Overview - 2
Supports client and server recovery from a crash
Supports client fail-over between multiple replicated copies of a file
system on different servers
Supports volatile file handles
Delegation, a technique by which the server delegates the management
of a file to a client, is supported on both the client and the server.
I.e. the server could grant either a read delegation or a write
delegation to a client.
Does not use the following daemons:
lockd
mountd
nfslogd
statd
Copyright 2009 Peter Baer Galvin - All Rights Reserved 85
Saturday, May 2, 2009
86. NFS V4 Use
Enable it via NFS_CLIENT_VERSMIN and
NFS_CLIENT_VERSMAX in the /etc/
default/nfs file
Copyright 2009 Peter Baer Galvin - All Rights Reserved 86
Saturday, May 2, 2009
87. Solaris Flash Archives
Copyright 2009 Peter Baer Galvin - All Rights Reserved 87
Saturday, May 2, 2009
88. System Build Technology
What does it have to do with security?
Capture state of system just after
virgin build
Fast restore
Useful for comparison
Also good for DR / BC
This is available pre-Solaris 10, but
generally under-utilized
Copyright 2009 Peter Baer Galvin - All Rights Reserved 88
Saturday, May 2, 2009
89. Flash Archives
Create master system – single reference
installation
Then replicate master to clone systems
Initial install overwrites all filesystems
on target clone
Update only includes differences
between two system images (on
master and clone)
Differential update changes only
specified files of a clone based on a
master
Copyright 2009 Peter Baer Galvin - All Rights Reserved 89
Saturday, May 2, 2009
90. Flash Archives Initial Install
Install master server however you’d like
(Optional) Prepare customization scripts to reconfigure or customize the clone
system before or after installation
Create the Solaris Flash archive. The Solaris Flash archive contains a copy of
all of the files on the master system, unless you excluded some nonessential
files
Install the Solaris Flash archive on clone systems
Master and clone system must have the same kernel architecture
Can run scripts to customize clone or install extra packages using custom
jumpstart
(Optional) Save a copy of the master image
If you plan to create a differential archive, the master image must be
available and identical to the image installed on the clone systems
Note – best to start from Entire Plus OEM install image to get all drivers clones
might need
Copyright 2009 Peter Baer Galvin - All Rights Reserved 90
Saturday, May 2, 2009
91. Flash Archives Deployment
Create archive after full master install but before software
configuration
I.E. No Solaris Volume Manager config
Master should be as inactive as possible
Create archive with flar create –n name options
path/filename
Save it to disk or tape
Make a copy for differential archive creation
Can keep multiple archives – just costs disk
Can compress archives
To install from an archive, select Solaris Flash installation during
standard installation procedures
Copyright 2009 Peter Baer Galvin - All Rights Reserved 91
Saturday, May 2, 2009
93. Updating Clone with Flash Differential Archive
1. Start from master identical to clone
2. Prepare the master system with changes
3. (Optional) Prepare customization scripts to reconfigure or customize the
clone system before or after installation
4. Mount the directory of a copy of the saved-unchanged master image
1. Second image is to be used to compare the two system images
2. Mount it from a Solaris Live Upgrade boot environment
3. Mount it from a clone system over NFS
4. Restore from backup using the ufsrestore command
5. Create the differential archive with the -A option of the flar create
command
6. Install the differential archive on clone systems with custom JumpStart
1. Or, use Solaris Live Upgrade to install the differential archive on an
inactive boot environment
Copyright 2009 Peter Baer Galvin - All Rights Reserved 93
Saturday, May 2, 2009
94. Moving from NIS to LDAP
Copyright 2009 Peter Baer Galvin - All Rights Reserved 94
Saturday, May 2, 2009
95. Why Move?
NIS is old, limited, not secure
Weak authentication
Not much encryption
Nonstandard
NIS+ is complicated and EOL
Sorry if you already moved to it
Don’t move to NIS+ if you haven’t already
LDAP is the wave of the future
“Standard”
Full features
Expandable, flexible, interoperable
Copyright 2009 Peter Baer Galvin - All Rights Reserved 95
Saturday, May 2, 2009
96. NIS to LDAP Overview
The NIS–to–LDAP transition service (N2L service) replaces
existing NIS daemons on the NIS master server with NIS–to–
LDAP transition daemons
The N2L service also creates a NIS–to–LDAP mapping file
on that server
Specifies the mapping between NIS map entries and
equivalent Directory Information Tree (DIT) entries in LDAP
A transitioned server is called an N2L server
Slave servers do not have an NISLDAPmapping file, so they
continue as usual
The slave servers periodically update their data from N2L
server
Copyright 2009 Peter Baer Galvin - All Rights Reserved 96
Saturday, May 2, 2009
97. NIS to LDAP Overview - 2
Behavior of the N2L service is controlled by the ypserv and
NISLDAPmapping configuration files
A script, inityp2l, assists with initial setup of configuration files.
Once N2L server has been established, you can maintain N2L
by editing configuration files
The N2L service supports:
Import of NIS maps into LDAP DIT
Client access to DIT information with speed and extensibility of
NIS
When using N2L LDAP directory is source of authoritative data
Eventually, all NIS clients can be replaced by Solaris LDAP naming
services clients
Many gory details in SysAdmin Guide to Naming and Directory
Services
Copyright 2009 Peter Baer Galvin - All Rights Reserved 97
Saturday, May 2, 2009
98. FTP Server Enhancements
Copyright 2009 Peter Baer Galvin - All Rights Reserved 98
Saturday, May 2, 2009
99. FTP Server Enhancements
The sendfile() function is used for binary downloads
New capabilities supported in the ftpaccess file
flush-wait controls the behavior at the end of a download or
directory listing
ipcos sets the IP Class of Service for either the control or data
connection
passive ports can be configured so that the kernel selects the TCP port
to listen on
quota-info enables retrieval of quota information
recvbuf sets the receive (upload) buffer size used for binary transfers
rhostlookup allows or disallows the lookup of the remote hosts name
sendbuf sets the send (download) buffer size used for binary transfers
xferlog format customizes the format of the transfer log entry
-4 option which makes the FTP server only listen for connections on an
IPv4 socket when running in standalone mode
Copyright 2009 Peter Baer Galvin - All Rights Reserved 99
Saturday, May 2, 2009
100. FTP Server Enhancements - 2
ftpcount and ftpwho now support
the -v option, which displays user counts
and process information for FTP server
classes defined in virtual host
ftpaccess files
The FTP client and server now support
Kerberos
Copyright 2009 Peter Baer Galvin - All Rights Reserved 100
Saturday, May 2, 2009
101. PAM Enhancements
Copyright 2009 Peter Baer Galvin - All Rights Reserved 101
Saturday, May 2, 2009
102. PAM Enhancements
Pluggable Authentication Module (PAM) framework enhancements
The pam_authtok_check module now allows for strict password checking
using new tunable parameters in the /etc/default/passwd file. The new
parameters define:
A list of comma separated dictionary files used for checking common
dictionary words in a password
The minimum differences required between a new password and an old
password
The minimum number of alphabetic or nonalphabetic characters that
must be used in a new password
The minimum number of uppercase or lowercase letters that must be
used in a new password
The number of allowable consecutive repeating characters
Copyright 2009 Peter Baer Galvin - All Rights Reserved 102
Saturday, May 2, 2009
103. PAM Enhancements - 2
The pam_unix_auth module implements account locking for local users. Account
locking is enabled by the LOCK_AFTER_RETRIES parameter in /etc/
security/policy.conf and the lock_after-retries key in /etc/user_attr
The pam_unix module has been removed and replaced by a set of service modules of
equivalent or greater functionality. Many of these modules were introduced in the Solaris 9
release. Here is a list of the replacement modules:
pam_authtok_check
pam_authtok_get
pam_authtok_store
pam_dhkeys
pam_passwd_auth
pam_unix_account
pam_unix_auth
pam_unix_cred
pam_unix_session
Copyright 2009 Peter Baer Galvin - All Rights Reserved 103
Saturday, May 2, 2009
104. PAM Enhancements - 3
The functionality of the pam_unix_auth module has
been split into two modules. The pam_unix_auth module now
verifies that the password is correct for the user. The new
pam_unix_cred module provides functions that
establish user credential information.
Additions to the pam_krb5 module have been made to manage the
Kerberos credentials cache using the PAM framework.
A new pam_deny module has been added. The module can
be used to deny access to services. By default, the
pam_deny module is not used
Copyright 2009 Peter Baer Galvin - All Rights Reserved 104
Saturday, May 2, 2009
105. /etc/default/passwd
$ cat /etc/default/passwd
#ident "@(#)passwd.dfl 1.7 04/04/22 SMI"
#
# Copyright 2004 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
MAXWEEKS=
MINWEEKS=
PASSLENGTH=6
# NAMECHECK enables/disables login name checking.
# The default is to do login name checking.
# Specifying a value of "NO" will disable login name checking.
#
#NAMECHECK=NO
Copyright 2009 Peter Baer Galvin - All Rights Reserved 105
Saturday, May 2, 2009
106. /etc/default/passwd - 2
# HISTORY sets the number of prior password changes to keep and
# check for a user when changing passwords. Setting the HISTORY
# value to zero (0), or removing/commenting out the flag will
# cause all users' prior password history to be discarded at the
# next password change by any user. No password history will
# be checked if the flag is not present or has zero value.
# The maximum value of HISTORY is 26.
#
# This flag is only enforced for user accounts defined in the
# local passwd(4)/shadow(4) files.
#
#HISTORY=0
#
Copyright 2009 Peter Baer Galvin - All Rights Reserved 106
Saturday, May 2, 2009
107. /etc/default/passwd - 3
# Password complexity tunables. The values listed are the defaults
# which are compatible with previous releases of passwd.
# See passwd(1) and pam_authtok_check(5) for use warnings and
# discussion of the use of these options.
#
#MINDIFF=3
#MINALPHA=2
#MINNONALPHA=1
#MINUPPER=0
#MINLOWER=0
#MAXREPEATS=0
#MINSPECIAL=0
#MINDIGIT=0
#WHITESPACE=YES
Copyright 2009 Peter Baer Galvin - All Rights Reserved 107
Saturday, May 2, 2009
108. /etc/default/passwd - 4
#
#
# passwd performs dictionary lookups if DICTIONLIST or
DICTIONDBDIR
# is defined. If the password database does not yet
exist, it is
# created by passwd. See passwd(1), pam_authtok_check(5)
and
# mkdict(1) for more information.
#
#DICTIONLIST=
#DICTIONDBDIR=/var/passwd
Copyright 2009 Peter Baer Galvin - All Rights Reserved 108
Saturday, May 2, 2009
109. Stronger Password Crypto
Modify /etc/security/policy.conf
to use stronger password crypto
CRYPT_DEFAULT=md5
Passwords less likely to be “crack”ed if
found encrypted
Copyright 2009 Peter Baer Galvin - All Rights Reserved 109
Saturday, May 2, 2009
110. BSM
Copyright 2009 Peter Baer Galvin - All Rights Reserved 110
Saturday, May 2, 2009
111. BSM
Solaris Basic Security Module
Also known as Solaris auditing
Part of Solaris for a while, but little used
Very detailed accounting of system / user
activities
Can be too much – watch your disk space
Good article at http://www.deer-run.com/
~hal/sysadmin/SolarisBSMAuditing.html
Except for disk space, not very resource
intensive
Copyright 2009 Peter Baer Galvin - All Rights Reserved 111
Saturday, May 2, 2009
112. BSM Setup
BSM not enabled by default
bsmconv configures BSM
Creates files in /etc/security
audit_startup runs at startup, configuring
auditing via auditconfig commands
/usr/bin/echo "Starting BSM services."
/usr/sbin/auditconfig -setpolicy +cnt
/usr/sbin/auditconfig -conf
/usr/sbin/auditconfig -aconf
Copyright 2009 Peter Baer Galvin - All Rights Reserved 112
Saturday, May 2, 2009
113. BSM Setup – cont
audit_control is primary config file
dir:/var/audit
flags:
minfree:20
naflags:lo
flags defines audit events to pay attention
to
naflags defines non-attributable events to
pay attention to
audit_event can fine-tune auditing (defines
events and divides them into classes)
audit_class defines masks for accessing classes
Copyright 2009 Peter Baer Galvin - All Rights Reserved 113
Saturday, May 2, 2009
114. BSM Setup - cont
Run audit –n out of cron to cycle the (otherwise infinite)
log file:
0 * * * * /usr/sbin/audit –n
Compress and move the audit log to secure storage
Do so rapidly on security-conscious machines (i.e. web
servers)
auditreduce can extract specific info from and audit
log
praudit can dump native audit binary data for
readability
Copyright 2009 Peter Baer Galvin - All Rights Reserved 114
Saturday, May 2, 2009
115. BSM Tuning
Recommended auditing settings for more security-conscious
systems from http://www.cisecurity.com/bench_solaris.html
Generated via this awk script:
awk 'BEGIN { FS = ":"; OFS = ":" }
($4 ~ /fm/) && ! ($2 ~ /MCTL|FCNTL|FLOCK|UTIME/)
{ $4 = $4 ",cc" }
($4 ~ /p[cms]/) &&
! ($2 ~ /FORK|CHDIR|KILL|VTRACE|SETGROUPS|SETPGRP/)
{ $4 = $4 ",cc" }
{ print }' audit_event >audit_event.new
And associated audit_control configuration:
dir:/var/audit
minfree:20
flags:lo,ad,cc
naflags:lo,ad,ex
Copyright 2009 Peter Baer Galvin - All Rights Reserved 115
Saturday, May 2, 2009
116. Auditing Enhancements
Copyright 2009 Peter Baer Galvin - All Rights Reserved 116
Saturday, May 2, 2009
117. Auditing Enhancements
Can use the syslog utility to store audit records in text format
Enable and configure in /etc/security/audit_control
dir:/var/audit
flags: lo,ad,-fm
minfree:20
naflags:lo,ad
plugin: name=audit_syslog.so;p_flags=lo,+ad;
qsize=512
Add audit.notice /var/adm/auditlog to /etc/
syslog.conf
touch /var/adm/auditlog
Use logadm to manage the logs
The praudit –x creates output formatted in XML
Copyright 2009 Peter Baer Galvin - All Rights Reserved 117
Saturday, May 2, 2009
118. Auditing Enhancements - 2
Audit metaclasses provide an umbrella for finer-grained audit
classes
The bsmconv command no longer disables the use of the Stop-A
key
The Stop-A event can be audited
The timestamp in audit records now displays in ISO 8601 format
Three audit policy options have been added:
public – Public objects are no longer audited for read-only events,
reducing the audit log size
perzone – A separate audit daemon runs in each zone
zonename – The name of the Solaris zone in which an audit event
occurred can be included in audit records
Copyright 2009 Peter Baer Galvin - All Rights Reserved 118
Saturday, May 2, 2009
119. Auditing Enhancements - 3
Five audit tokens have been added:
The cmd token records the list of arguments and the list of
environment variables that are associated with a command
The path_attr token records the sequence of attribute
file objects that are below the path token object
The privilege token records the use of privilege on a
process
The uauth token records the use of authorization with a
command or action
The zonename token records the name of the non-global
zone in which an audit event occurred
Copyright 2009 Peter Baer Galvin - All Rights Reserved 119
Saturday, May 2, 2009
121. Crypto Framework
Provides common store of crypto algorithms and PKCS #11 libraries optimized for
SPARC and x86
PKCS #11 – public key crypto standard defining technology-independent API for
crypto devices
Currently provides IPSec and Kerberos to kernel, libsasl and IKE to users via plugins:
User-level plugins – Shared objects that provide services by using PKCS #11
libraries, such as pkcs11_softtoken.so.1
Kernel-level plugins – Kernel modules that provide implementations of
cryptographic algorithms in software, such as AES
Hardware plugins – Device drivers and their associated hardware accelerators
i.e. Sun Crypto Accelerator 1000 board
Framework implements a standard interface, the PKCS #11, v2.11 library, for user-level
providers. Can be used by third-party applications to reach providers
Third parties can add signed libraries, signed kernel algorithm modules, and
signed device drivers to the framework
plugins are added when the pkgadd utility installs the third-party software
Copyright 2009 Peter Baer Galvin - All Rights Reserved 121
Saturday, May 2, 2009
122. Figure 8–1 Overview of the Solaris Cryptographic Framework
(From Solaris 10 Solaris Security for Developers Guide)
Copyright 2009 Peter Baer Galvin - All Rights Reserved 122
Saturday, May 2, 2009
123. Crypto Framework Admin
Administration via cryptoadm command:
$ cryptoadm list
user-level providers:
/usr/lib/security/$ISA/pkcs11_kernel.so
/usr/lib/security/$ISA/pkcs11_softtoken.so
kernel software providers:
des
aes
arcfour
blowfish
sha1
md5
rsa
swrand
kernel hardware providers:
Copyright 2009 Peter Baer Galvin - All Rights Reserved 123
Saturday, May 2, 2009
124. Crypto Framework User Commands
digest– Computes a message digest for one or more files or for
stdin. A digest is useful for verifying the integrity of a file. SHA1 and
MD5 are examples of digest functions.
mac – Computes a message authentication code (MAC) for one or
more files or for stdin. A MAC associates data with an authenticated
message. A MAC enables a receiver to verify that the message came
from the sender and that the message has not been tampered with.
The sha1_mac and md5_hmac mechanisms can compute a MAC.
encrypt – Encrypts files or stdin with a symmetric cipher. The
encrypt -l command lists the algorithms that are available.
Mechanisms that are listed under a user-level library are available to
the encrypt command. The framework provides AES, DES, 3DES
(Triple-DES), and ARCFOUR mechanisms for user encryption.
decrypt – Decrypts files or stdin that were encrypted with the
encrypt command. The decrypt command uses the identical key and
mechanism that were used to encrypt the original file.
Copyright 2009 Peter Baer Galvin - All Rights Reserved 124
Saturday, May 2, 2009
125. Key Generation
For MAC and encryption, need symmetric key
Determine algorithm to use and length of key needed
$ encrypt -l
Algorithm Keysize: Min Max (bits)
------------------------------------------
aes 128 128
arcfour 8 128
des 64 64
3des 192 192
$ mac -l
Algorithm Keysize: Min Max (bits)
------------------------------------------
des_mac 64 64
sha1_hmac 8 512
md5_hmac 8 512
Copyright 2009 Peter Baer Galvin - All Rights Reserved 125
Saturday, May 2, 2009
126. Encrypting
Use a random number generator, or dd to create a key
Note that bs is in bytes, so divide bits by 8
$ dd if=/dev/random of=keyfile bs=n count=1
Protect the key in the keyfile
$ chmod 400 keyfile
Example for AES:
$ dd if=/dev/random of=$HOME/keyf/05.07.aes16 bs=16 count=1
$ chmod 400 ~/keyf/05.07.aes16
Now use the key to create an MD5 MAC:
$ mac -v -a md5_hmac -k $HOME/keyf/05.07.mack64 email.attach
md5_hmac (email.attach) = 02df6eb6c123ff25d78877eb1d55710c
% echo "md5_hmac (email.attach) =
02df6eb6c123ff25d78877eb1d55710c" >> ~/mac.daily.05.07
Copyright 2009 Peter Baer Galvin - All Rights Reserved 126
Saturday, May 2, 2009
127. Decrypting and verifying
Example - Use AES for encryption using a
keyphrase
$ encrypt -a aes -i ticket.to.ride
-o ~/enc/e.ticket.to.ride
Enter key: <Type passphrase>
The opposite of encrypt is decrypt:
$ decrypt –a aes –i ~/enc/e.ticket.to.ride
Enter Key:
<decrypted message is output>
Copyright 2009 Peter Baer Galvin - All Rights Reserved 127
Saturday, May 2, 2009
128. Labs
Pick an encryption algorithm and key length and
encrypt and decrypt a sample message
How do we use the MAC shown in the above
slides?
Compute a MAC or digest, modify a sample
message, and then recompute
Copyright 2009 Peter Baer Galvin - All Rights Reserved 128
Saturday, May 2, 2009
129. Kerberos Enhancements
Copyright 2009 Peter Baer Galvin - All Rights Reserved 129
Saturday, May 2, 2009
130. Kerberos Enhancements
The KDC software, the user commands and applications now support
TCP
Support for IPv6 was added to kinit, klist and kprop commands.
Support for IPv6 addresses is provided by default. There are no
configuration parameters to change to enable IPv6 support. No IPv6
support is available for the kadmin and kadmind commands.
A new PAM module called pam_krb5_migrate has been introduced.
Helps in the automatic migration of users to the local Kerberos realm, if
they do not already have Kerberos accounts.
The ~/.k5login file can now be used with the GSS applications ftp and
ssh
The kproplog utility has been updated to output all attribute names per
log entry
Copyright 2009 Peter Baer Galvin - All Rights Reserved 130
Saturday, May 2, 2009
131. Kerberos Enhancements - 2
Kerberos protocol support is provided in remote applications,
such as ftp, rcp, rdist, rlogin, rsh, ssh, and telnet
The Kerberos principal database can now be transferred by
incremental update instead of by transferring the entire
database each time
Increased database consistencies across servers
The need for fewer resources (network, CPU, and so forth)
Much more timely propagation of updates
An automated method of propagation
Copyright 2009 Peter Baer Galvin - All Rights Reserved 131
Saturday, May 2, 2009
132. Kerberos Enhancements - 3
A new script to help automatically configure a Kerberos client
Several new encryption types have been added to the
Kerberos service
The AES encryption type can be used for high speed, high
security encryption of Kerberos sessions. The use of AES is
enabled through the Cryptographic Framework.
ARCFOUR-HMAC provides better compatibility with other
Kerberos versions.
Triple DES (3DES) with SHA1 increases security. This
encryption type also enhances interoperability with other
Kerberos implementations that support this encryption type.
Copyright 2009 Peter Baer Galvin - All Rights Reserved 132
Saturday, May 2, 2009
133. Kerberos Enhancements - 4
A new -e option has been included to several subcommands of the
kadmin command. This new option allows for the selection of the
encryption type during the creation of principals.
Additions to the pam_krb5 module manage the Kerberos
credentials cache by using the PAM framework.
Support is provided for auto-discovery of the Kerberos KDC,
admin server, kpasswd server, and host or domain name-to-realm
mappings by using DNS lookups
A new configuration file option makes the strict TGT verification
feature optionally configurable on a per-realm basis
Copyright 2009 Peter Baer Galvin - All Rights Reserved 133
Saturday, May 2, 2009
134. Kerberos Enhancements - 5
Extensions to the password-changing utilities enable the Solaris
Kerberos V5 administration server to accept password change requests
from clients that do not run Solaris software.
The default location of the replay cache has been moved from RAM-
based file systems to persistent storage in /var/krb5/rcache
The GSS credential table is no longer necessary for the Kerberos GSS
mechanism
The Kerberos utilities, kinit and ktutil, are now based on MIT Kerberos
version 1.2.1
The Solaris Kerberos Key Distribution Center (KDC) is now based on
MIT Kerberos version 1.2.1
Note that Kerberos V5 support means that (theoretically) NFS traffic
can now be encrypted
Copyright 2009 Peter Baer Galvin - All Rights Reserved 134
Saturday, May 2, 2009
135. Packet Filtering
Copyright 2009 Peter Baer Galvin - All Rights Reserved 135
Saturday, May 2, 2009
136. Packet Filtering Overview
Solaris used to have nothing, then SunScreen was commercial,
then SunScreen was included, now ipfilter is standard
Solaris IP Filter is a host-based firewall that is derived from the
open source IP Filter code, developed and maintained by
Darren Reed
Based on version 4.0.33 of the open source IP Filter
Uses the STREAMS module, pfil, to intercept packets
By default, pfil is not autopushed onto network interface cards
(NICs). Autopush of pfil is disabled for all drivers
Copyright 2009 Peter Baer Galvin - All Rights Reserved 136
Saturday, May 2, 2009
137. Packet Filtering Overview - 2
Provides packet filtering and network address translation
(NAT), based upon a user-configurable policy
Rules are configurable to filter either statefully or statelessly
Command line interface only
ipf for loading or clearing packet filter rules
ipnat for loading or clearing NAT rules
ippool for managing address pools associated with IP rules
ipfstat for viewing per-interface statistics
ipmon for viewing of logged packets
Good info at http://www.obfuscation.org/ipf/
Only works in the global zone (so far)
Copyright 2009 Peter Baer Galvin - All Rights Reserved 137
Saturday, May 2, 2009
138. ipfilter Details
Can match on the following IP header fields
Source or destination IP address (including inverted matches)
IP protocol
TOS (Type of Service)
IP options or IP security classes
Fragment
In addition it can:
Distinguish between various interfaces
Return an ICMP error or TCP reset for denied packets
Keep packet state information for TCP, UDP, and ICMP packet flows
Keep fragment state information for any IP packet, applying the same rule to
all fragments in that packet
Use redirection to set up true transparent proxy connections
Provide packet header details to a user program for authentication
Provide temporary storage of pre-authenticated rules for passing packets
Copyright 2009 Peter Baer Galvin - All Rights Reserved 138
Saturday, May 2, 2009
139. ipfilter Details - 2
Special provision is made for the three most common
Internet protocols, TCP, UDP and ICMP. Can match
based on:
TCP or UDP packets by port number or a port
number range
ICMP packets by type or code
Established TCP packet sessions
Any arbitrary combination of TCP flags
Note IPMP only supports stateless packet filtering
Copyright 2009 Peter Baer Galvin - All Rights Reserved 139
Saturday, May 2, 2009