Wednesday Nov 04, 2009

NEW: Solaris 10 Security Deep Dive Presentation

Today, I am very happy to announce the availability of a new Solaris 10 Security Deep Dive training. This version has been updated for Solaris 10 10/2009 (also known as Update 8). From a security perspective, there have only been a few updates since my last posted version, but it is always good to be current. Items added in this new version include: ZFS user and group quotas, ZFS pre-defined ACL sets, NTPv4, and nss_ldap shadowAccount support. In addition, there was a bit of cleanup throughout and a new example was added for Trusted Extensions.

As usual, I have made this content available in both OpenDocument Format (ODF) and PDF. If you are using Microsoft Office, you can use the Sun MS Office ODF Plugin to read the source document.

For those of you who have downloaded one of the previous versions, thank you! There have been nearly 8,000 downloads of this presentation so far! If you have not had a chance, I would encourage you to download and check out a copy today. It is really amazing how many new and updated security features and capabilities there are in Solaris 10. If you have been away from Solaris (even Solaris 10) for a while, I am sure you will be shocked with what you can do today! As always, feedback is greatly appreciated!

Take care!

Glenn

Technorati Tag:

Monday Jun 15, 2009

NEW: Solaris 10 Security Deep Dive Presentation

It has sure been a busy month and really it has just begun. Today, I am happy to announce the availability of my Solaris 10 Security Deep Dive presentation, updated for the just released Solaris 10 05/2009 (Update 7). From a security perspective, there have only been a few updates since my last posted version, for Solaris 10 10/2008 (Update 6), but it is always good to be current. Of particular interest is a new slide focused on IPsec and IKE. As usual, I have made this content available in both OpenDocument Format (ODF) and PDF. If you are using Microsoft Office, you can use the Sun MS Office ODF Plugin to read the source document.

For those of you who have downloaded one of the previous versions, thank you! There have been nearly 5,000 downloads of this presentation so far! If you have not had a chance, I would encourage you to download and check out a copy today. It is really amazing how many new and updated security features and capabilities there are in Solaris 10. If you have been away from Solaris (even Solaris 10) for a while, I am sure you will be shocked with what you can do today! As always, feedback is greatly appreciated!

Take care!

Glenn

Technorati Tag:

Friday Jun 12, 2009

Encrypted Scratch Space in OpenSolaris 2009.06

Last week, I announced the availability of a set of scripts that could be used to enable encrypted swap in OpenSolaris 2009.06. Building upon this concept, today, I am happy to announce a new set of scripts that enables the creation of an encrypted file system (intended to be used as scratch space).

The method for creating these encrypted file systems is similar to the approach discussed by Darren in his posting on the topic of Encrypting ZFS Pools using LOFI. I had been working on a similar model for the Immutable Service Container project where I had wanted to be able to give each OpenSolaris zone that was created its own place to store sensitive information (such as key material) that would be effectively lost when the system was rebooted (without requiring a time-consuming disk scrubbing process).

The way these scripts work is quite simple. There is an SMF service, called isc-encrypted-scratch, that (if enabled) will automatically create encrypted scratch space for the global zone as well as any non-global zones on the system (by default). The creation of encrypted scratch space is configurable allowing you to specify which zones (including the global zone) can have one. You can specify which ZFS file system can be used as the home directory for the scratch space hierarchy. Using SMF properties and standard SMF service configuration methods, you can also specify the size of the encrypted scratch space.

Once created, you will have access to a ZFS file system (based upon a ZFS pool which itself is based upon an encrypted LOFI which itself is based upon a ZFS zvol - crazy eh?) The file systems created for the encrypted scratch space are destroyed and re-created upon boot (or service restart). Just as with the encrypted swap scripts, the encrypted LOFIs use ephemeral keys in conjunction with the AES-256-CBC cipher.

So, without further ado, let's get to the particulars. To enable encrypted scratch in OpenSolaris 2009.06, you need only follow the following steps.

Note that the following instructions assume that privileged operations will be executed by someone with administrative access (directly or via Solaris role-based access control). For the examples below, no changes were made to the default RBAC configuration. The commands as written were executed as the user created during the installation process.
  • Add the Encrypted Scratch Space SMF service. First, you will need to download the archive containing the encrypted scratch space SMF service manifest and method files. Note that these files are user contributed and as such are not officially a part of the OpenSolaris release nor are they officially supported by Sun. If you are ok with these terms, you should now download the archive and install the files using the following commands:

    $ wget -qnd http://mediacast.sun.com/users/gbrunette/media/smf-encrypted-scratch-v0.1.tar.bz2
    
    $ bzip2 -d -c ./smf-encrypted-scratch-v0.1.tar.bz2 | tar xf -
    
    $ cd ./smf-encrypted-scratch
    
    $ pfexec ./install.sh
    
    $ svccfg import /var/svc/manifest/site/isc-enc-scratch.xml
    
  • Configure the Encrypted Scratch Space Service. Unlike the Encrypted Swap SMF Service, this service is not enabled automatically. This is to allow you the opportunity to adjust its configuration should you want to change any of the following properties:
    • config/scratch_root. This property defines the root ZFS file system to be used for the scratch space hierarchy. By default, it is set to rpool/export. Based upon this value, a collection of scratch files will be created under this location (each in its own directory tied to the name of the zone).
    • config/scratch_size. This property defines the size of the scratch space. This value is used during the initial creation of a ZFS volume (zvol) and accepts the same values as would be accepted by the zfs create -V command. The default size is 100 Mbytes. Note that today, each individual encrypted scratch space on a single system must be the same size.
    • config/zone_list. This property defines the zones for which encrypted scratch space will be created. By default, this is all zones including the global zone. Setting this value to a zone or list of zones will cause encrypted scratch spaces to be only created for those specified.

    For example, to configure this service to create 1Gbyte encrypted scratch spaces, use the command:

    $ svccfg -s isc-encrypted-scratch setprop config/scratch_size = 1g
    $ svcadm refresh isc-encrypted-scratch
    

  • Enable the Encrypted Scratch Space Service. Once you have finished configuring the service, you can enable it using the standard SMF method:

    $ svcadm enable isc-encrypted-scratch
    

  • Verify the Encrypted Scratch Space Service. To verify that the service is operating correctly, you can use the following commands to verify that everything has been properly created. First, let's make sure the service is running:

    $ svcs isc-encrypted-scratch
    STATE          STIME    FMRI
    online         12:40:02 svc:/system/isc-encrypted-scratch:default
    

    Next, let's verify that all of the proper ZFS mount points and files have been created. Note that the scratch root in this case is the default (rpool/export) and under this location a new scratch file system has been created under which there is a file system for each zone on the system (global and test). For each zone, a 1 Gbyte scratch file has been created.

    $ zfs list -r rpool/export/scratch
    NAME                                       USED  AVAIL  REFER  MOUNTPOINT
    rpool/export/scratch                      2.00G  5.21G    19K  /export/scratch
    rpool/export/scratch/global               1.00G  5.21G    19K  /export/scratch/global
    rpool/export/scratch/global/scratch_file     1G  6.21G  1.15M  -
    rpool/export/scratch/test                 1.00G  5.21G    19K  /export/scratch/test
    rpool/export/scratch/test/scratch_file       1G  6.21G  1.15M  -
    

    Next, let's verify that the encrypted LOFIs have been created. The mapping of the device files back to the actual scratch file zvols is left as an exercise for the reader.

    $ lofiadm
    Block Device             File                           Options
    /dev/lofi/1              /devices/pseudo/zfs@0:1c,raw   Encrypted
    /dev/lofi/2              /devices/pseudo/zfs@0:2c,raw   Encrypted
    

    Next, let's verify that new zpools and ZFS file systems have been created from the encrypted LOFIs:

    $ zpool list
    NAME             SIZE   USED  AVAIL    CAP  HEALTH  ALTROOT
    rpool           11.9G  4.06G  7.88G    34%  ONLINE  -
    scratch-global  1016M    82K  1016M     0%  ONLINE  -
    scratch-test    1016M    82K  1016M     0%  ONLINE  -
    
    $ zpool status scratch-global scratch-test
      pool: scratch-global
     state: ONLINE
     scrub: none requested
    config:
    
            NAME           STATE     READ WRITE CKSUM
            scratch-global  ONLINE       0     0     0
              /dev/lofi/1  ONLINE       0     0     0
    
    errors: No known data errors
    
      pool: scratch-test
     state: ONLINE
     scrub: none requested
    config:
    
            NAME           STATE     READ WRITE CKSUM
            scratch-test   ONLINE       0     0     0
              /dev/lofi/2  ONLINE       0     0     0
    
    errors: No known data errors
    
    $ zfs list /scratch-\*
    NAME             USED  AVAIL  REFER  MOUNTPOINT
    scratch-global    70K   984M    19K  /scratch-global
    scratch-test      70K   984M    19K  /scratch-test
    

  • (Optional) Add Encrypted Scratch Space to a Non-Global Zone. At this point, you have everything that you need to get started. In fact, for the global zone, there are no further steps, but you can now assign the scratch space to a non-global zone (if desired) using the standard zonecfg mechanisms. For example, you could do the following:

    $ pfexec zonecfg -z test
    zonecfg:test> add dataset
    zonecfg:test:dataset> set name=scratch-test
    zonecfg:test:dataset> end
    zonecfg:test> verify
    zonecfg:test> 
    

  • (Optional) Verify Encrypted Scratch Space in a Non-Global Zone. Once booted, the new encrypted scratch space data set will be made available to the non-global zone:

    $ pfexec zlogin test
    [Connected to zone 'test' pts/2]
    Last login: Fri Jun 12 09:57:43 on pts/2
    
    root@test:~# zpool list scratch-test
    NAME           SIZE   USED  AVAIL    CAP  HEALTH  ALTROOT
    scratch-test  1016M  74.5K  1016M     0%  ONLINE  -
    
    root@test:~# df -k /scratch-test
    Filesystem            kbytes    used   avail capacity  Mounted on
    scratch-test         1007616      19 1007546     1%    /scratch-test
    root@test:~# 
    

    Upon reboot, each of the zones will be shut down before the encrypted scratch space is destroyed. Note that upon global zone or service restart, the encrypted scratch space will be re-created and therefore will not persist across global zone reboots. The encrypted scratch space will persist across non-global zone reboots.

    There you have it! Enabling encrypted scratch in OpenSolaris 2009.06 (for the global and non-global zones) is as easy as following these few simple steps. It is worth stating that this solution is just a temporary workaround. Once ZFS encryption is available, it should be used instead of this approach. In the meantime, however, if you are interested in enabling encrypted scratch on your OpenSolaris 2009.06 systems, give this model at try and please be sure to send along your feedback!

    Take care!

    P.S. Some of you may be wondering why the SMF service and associated files are labeled with an ISC prefix? The answer is simple. They were developed and are being used as part of the Immutable Service Container project! Look for more information and materials from this project in the near future!

    Technorati Tag:

Thursday Jun 11, 2009

Impacting Solaris 10 Security Guidance

It is that time again! Work is kicking up over at the Center for Internet Security to update the Solaris 10 security benchmark. As I have previously covered, Sun has been working hand-in-hand with the Center for Internet Security for more than six years to develop best-in-class security hardening guidance for the Solaris operating system.

In recent years, the NSA and DISA have jumped in contributing their time and expertise towards the development of a unified set of Solaris security hardening guidance and best practices. Now is the time for the next step. Over the last several months, these groups have been working to comb through and integrate the recommendations found in the DISA UNIX STIG (Security Technical Implementation Guide) and associated checklist as it relates to Solaris. With this work now complete, an effort has been launched to develop a new draft CIS Solaris 10 Benchmark with these additions.

In addition to this effort, a secondary effort will soon be undertaken to update the Solaris 10 Benchmark for the latest release of the Solaris 10 05/2009 (Update 7). Currently, the Solaris 10 Benchmark supports Solaris 10 11/08 (Update 4). There are not that many things added to Solaris 10 since Solaris 10 11/08 that impact the hardening guide, but there are some items that will impact the Solaris Security Appendix that was published with the last version of the Benchmark.

The reason for my post today, however, is to say that the time is right if you are interested in Solaris, security, and want to get involved! We are always looking for people with a passion to help develop and improve the recommendations and settings in the Solaris 10 Benchmark. Want to learn more? Contact CIS!

P.S. Just in case you missed it - Sun and CIS also announced the availability of a security hardened virtual machine image based upon OpenSolaris for Amazon's EC2 (SunCloud will also be supported). Give it a try!

Take care!

Technorati Tag:

Monday Jun 08, 2009

Encrypted Swap in OpenSolaris 2009.06

Back in December 2008, LOFI encryption support was added to Solaris Nevada (build 105). With the release of OpenSolaris 2009.06, this functionality is now available as part of a released product. What does this have to do with encrypted swap you may ask? To get your answer, you need only review the lofi(7d) crypto support architectural review case (PSARC/2007/001). Toward the bottom is a section titled "Encrypted Swap". This information gives us everything that we need to enable encrypted swap on OpenSolaris -- almost.

The problem is that the encrypted swap portion of this ARC case was never completed as it is expected that the ZFS encryption project will provide this functionality when it integrates. Unfortunately, ZFS encryption is not here today, so until it is - we can enable a workaround using LOFI encryption. There are some "issues" to consider when using LOFI encryption that Darren Moffat covers well in his post on this subject.

So, without further ado, let's get to the particulars. To enable encrypted swap in OpenSolaris 2009.06, you need only follow the following steps.

Note that the following instructions assume that privileged operations will be executed by someone with administrative access (directly or via Solaris role-based access control). For the examples below, no changes were made to the default RBAC configuration. The commands as written were executed as the user created during the installation process.
  • Prevent the system from automatically adding swap devices or files. This is actually a little trickier than it sounds since the /sbin/swapadd program, called during the boot process, will attempt to use anything defined as swap that is not commented. I would prefer not to comment the files as it would then be harder to tell the difference between those we wanted to use for encrypted swap and those that were commented for some other reason. To work around this issue, you simply must edit the /etc/vfstab file and define the swap device or file as something other than "swap". For the scripts discussed below, we will use the key "enc-swap". Here is an example from /etc/vfstab:

    $ grep enc-swap /etc/vfstab
    /dev/zvol/dsk/rpool/swap      -      -      enc-swap      -      no      -
    
    $ swap -l
    No swap devices configured
    

  • Remove the existing swap devices or files. It is likely that your system will have already added the swap devices or files to the system. To determine if this is the case, simply use the following command:

    $ swap -l
    swapfile                   dev    swaplo   blocks     free
    /dev/zvol/dsk/rpool/swap 182,2         8  1226744  1226744
    

    If there are devices or files already configured, remove them using the following command:

    $ pfexec swap -d /dev/zvol/dsk/rpool/swap
    
    $ swap -l
    No swap devices configured
    

    If swap is in use, you may need to reboot you system in order to remove the device at this point. Note that the previous step (where the file system type was changed to enc-swap) will ensure that the device or file is not used upon boot.)

  • Add the encrypted swap SMF service. Here is where the magic lives. You will need to download the archive containing the encrypted swap SMF service manifest and method files. Note that these files are user contributed and as such are not officially a part of the OpenSolaris release nor are they officially supported by Sun. If you are ok with these terms, you should now download the archive and install the files using the following commands:

    $ wget -qnd http://mediacast.sun.com/users/gbrunette/media/smf-encrypted-swap-v0.1.tar.bz2
    
    $ bzip2 -d -c ./smf-encrypted-swap-v0.1.tar.bz2 | tar xf -
    
    $ cd ./smf-encrypted-swap
    
    $ pfexec ./install.sh
    
    $ svccfg import /var/svc/manifest/site/isc-enc-swap.xml
    

    The install.sh script is used to copy this service's SMF manifest and method scripts into the proper locations as well as set correct ownership and permissions of these files.

  • Verify the service is running and encrypted swap is configured. The last step is to verify that everything is working as expected. Use the following commands to verify the service was properly installed and enabled:

    $ svcs isc-encrypted-swap
    STATE          STIME    FMRI
    online         14:30:10 svc:/system/isc-encrypted-swap:default
    

    Use the following commands to verify that encrypted swap is in use:

    $ lofiadm
    Block Device             File                           Options
    /dev/lofi/1              /devices/pseudo/zfs@0:2c       Encrypted
    
    $ swap -l
    swapfile             dev    swaplo   blocks     free
    /dev/lofi/1         144,1         8  1226728  1226728
    

    The last two commands show that an encrypted block device was created at /dev/lofi/1 and that the device is currently in use as a swap device. It should be noted that no password, passphrase or other credential was given when the encryption was configured. This is because this service is configured to use an ephemeral key. The key is not stored on the system and is lost when the system is restarted. Upon each reboot, a new encrypted block device with a new ephemeral key will be used to configure encrypted swap.

Note that the examples above have shown the service with a single swap device, but the SMF service has been written to support multiple swap devices or files. For example, a secondary swap file could be created using the following steps:

$ pfexec zfs create -V 1G rpool/export/swapfile

$ pfexec vi /etc/vfstab
[add the new entry for rpool/export/swapfile as verified in the next step]

$ grep enc-swap /etc/vfstab
/dev/zvol/dsk/rpool/swap      -      -      enc-swap      -      no      -
/dev/zvol/dsk/rpoo/export/swapfile      -      -      enc-swap      -      no      -

$ svcadm restart isc-encrypted-swap

$ lofiadm
Block Device             File                           Options
/dev/lofi/1              /devices/pseudo/zfs@0:2c       Encrypted
/dev/lofi/2              /devices/pseudo/zfs@0:3c       Encrypted

$ swap -l
swapfile             dev    swaplo   blocks     free
/dev/lofi/1         144,1         8  1226728  1226728
/dev/lofi/2         144,2         8  2097128  2097128

There you have it! Enabling encrypted swap in OpenSolaris 2009.06 is as easy as following these few simple steps. It is worth reiterating that this solution is just a temporary workaround. Once ZFS encryption is available, it should be used instead of this approach. In the meantime, however, if you are interested in enabling encrypted swap on your OpenSolaris 2009.06 systems, give this model at try and please be sure to send along your feedback!

Take care!

P.S. Some of you may be wondering why the SMF service and associated files are labeled with an ISC prefix? The answer is simple. They were developed and are being used as part of the Immutable Service Container project! Look for more information and materials from this project in the near future!

Technorati Tag:

Monday Mar 09, 2009

NEW: Solaris Package Companion v0.9

Today, I am proud to announce the release of version 0.9 of the Solaris Package Companion. This new version is primary based upon a set of patches provided by Jerome Blanchet that provided support for the collection and processing of reverse dependency information ("R" entries in a package's depend(4)) file) as well as enhanced processing and display of platform specific packages. Thank you, Jerome!

As is my tradition when a bug is found, I try and publish a little something extra as a mea cupla. Due to limited "free time", the "mea culpa" enhancement this time is quite minor but worth mentioning anyway. In past versions, there was no interface to change the information collection rules of the tool. If you wanted to disable the collection of certain types of information (such as package names or dependencies) you had to go into the code and change the relevent COLLECT_ variable. No longer. The defaults are still the same, but now the tool will honor variable settings originating from the shell or command line as follows:

$ env COLLECT_NAMES=0 ./spc-v0.9.ksh -r /tmp/myrepository -i -l

Note that the COLLECT_ variables are only used during the creation of a repository. Not a big enhancement, but one none the less! Thank you again Jerome for discovering the bug and offering a patch!

Keep the suggestions, reports and fixes coming!

Glenn

Technorati Tag:

Friday Feb 13, 2009

Solaris Security Chat in SecondLife

Virtual Glenn is a pretty strange concept, but for those who can move past it, check this out! This is a picture of my SecondLife avatar in front of the Solaris Campus stage. On February 24th, 2009 at 9 AM PT / 12 PM ET, I will be participating in an expert chat that will be loosely based around my blog article titled Top 5 Solaris 10 Security Features You Should Be Using. I will be talking a bit about each of the five items as well as answering questions. In total, the event will last about an hour and should be a lot of fun (assuming I can overcome being a SecondLife n00b!)

This will be my first presentation inside of a virtual world, and I would encourage anyone who is interested to get a login, a copy of the client, and join me on the 24th to have a little fun a world away. For more information, check out the Sun Virtual Worlds posting for the event! Hope to see you there!

Wednesday Dec 10, 2008

mod_privileges for Apache HTTPD

Special thanks to Matt Ingenthron for pointing out that mod_privileges has been integrated back in the Apache trunk (manual) recently. For more information check out NIQ's Soapbox posting on the subject.

Looks like I will have to find a new target (I am looking at you MySQL!) for my BluePrints. I have used the Apache with SMF privileges example in a few publications including Limiting Service Privileges in the Solaris 10 Operating System (2005) and Privilege Debugging in the Solaris 10 Operating System (2006). The content of these papers is still relevant in the general sense, but with the introduction of mod_security, some of this content will no longer be as useful for Apache. That said, lots of other services can and do benefit from the techniques described.

If you find yourself ever wanting to do something similar - converting your services to be privilege aware on Solaris 10, check out the Sun BluePrints article Privilege Bracketing in the Solaris 10 Operating System (2006). Also, check out the OpenSolaris Security Community project on Privilege Debugging as it can help you in finding out what privileges your programs and services need.

Until next time!

Glenn

Technorati Tag:

Friday Nov 14, 2008

NEW: Solaris 10 Security Deep Dive Presentation

It must be that time of year again. At Sun's Customer Engineering Conference this year, I unveiled the latest update to my Solaris 10 Security Deep Dive Presentation. This version has been updated based upon Solaris 10 10/08 (Update 6) which means it is in sync with the most recently shipping version of Solaris 10. This version is in OpenDocument Format. Should you want a PDF version, you can use this copy.

The last update that I had posted was downloaded more than 2,000 times. That is a great number for such a specialized and technical topic. With all of these downloads, however, I have yet to hear from you! Please be sure to send along your feedback! I am particularly interested in things like:

  • Does the content meet your needs? How can it be improved?
  • What are your security requirements not met today by Solaris 10? What is your wish list?
  • Is their content where you would like more detailed information (e.g., a BluePrint)?

As I said in my last Solaris 10 Security Update... If you have not taken a look into what Solaris 10 can offer recently, you really must give it a look! Also, be on the look out for a posting very soon on a project called Immutable Service Containers. With that as a teaser, I will sign off for today... Take care!

Glenn

Technorati Tag:

Tuesday Aug 05, 2008

NEW: Solaris 10 Security Deep Dive Presentation

Way back when, I posted an update to the original Solaris 10 Security Deep Dive presentation that included support for Solaris 10 Update 3 (11/06). Well, it has been entirely too long since the last update, so I am happy to say that the wait has ended! A new version of the talk is ready for download! This has been quite a journey and a lot has changed in Solaris since it was first released back in 2005. If you have not taken a look into what Solaris can offer recently, I am sure you will be in for a pleasant surprise. Give it a look, and as always feedback is appreciated! Take care!

Glenn

Technorati Tag:

Monday Aug 04, 2008

NEW: Solaris Package Companion v0.8.1 / Testing Tool v0.1

On the heels of the v0.8 release, Clive King was able to find a new bug introduced as a result of my attempting to make the code a little more in line with Korn Shell conventions. Clive, thank you for reporting the details! I have published an updated version as v0.8.1. As always, you can get all of the details at the OpenSolaris Solaris Package Companion Project Page

As is my tradition when a bug is found, I try and publish a little something extra as a mea cupla. This time is no different. In addition to version 0.8.1 of the Solaris Package Companion, I have also published a testing tool for the same.

The testing tool, called spc-test-v0.1.ksh is also available from the project page. This tool can test multiple versions of the tool against multiple repositories which is pretty cool when checking for regressions. There are currently 48 tests although tests can be easily added or removed as needed. It can optionally display the results to the screen, but by default it records them in a directory where a basic consistency check is performed to detect differences in output (for the same repository) resulting from the use of different versions of the tool. This is not intended to be an all encompassing test suite or even a piece of production code, but rather a basic sanity check to make sure the key functions are working as expected.

Thanks again, Clive!

Keep the suggestions, reports and fixes coming!

Glenn

Technorati Tag:

Friday Aug 01, 2008

NEW: Solaris Package Companion v0.8

Wow, has time passed since my last posting. I promise to do a quick update soon as a lot has been happening over the last six months! In the meantime, I wanted to tell you all about a new version of the Solaris Package Companion (version 0.8) that is now available.

For those not familiar with the tool, here is a brief overview:

   The Solaris Package Companion is a small Korn shell script that allows you to ask
   quite a number of interesting questions about the relationships between Solaris 
   metaclusters, clusters and packages as well as their respective dependencies. Very
   often, answers to these kinds of questions are essential for the construction of 
   minimized systems as well as more generally for OS golden images.

   The goal of the Solaris Package Companion, or SPC for short, is to do all of the 
   hard work so you don't have to. SPC will create a cache of important facts by mining
   information from the various packaging files and directories to allow you to quickly 
   and easily obtain answers to a variety of questions such as:

     \* What clusters or packages are contained in a given metacluster?
     \* What packages are contained in a given cluster?
     \* What metacluster or cluster contains a given package?
     \* On what other packages does a given package or cluster depend?
     \* Which packages depend on a given package?
     \* … and so on…

New to this release is a tree view display method that allows you to list the contents of metaclusters and clusters in a more eye-friendly tree-view. Thanks to Fredrich Maney for contributing the idea and code! Here are a few examples from the project page showing what this looks like:

To see what packages are included in a cluster, just use the "-t" option:

$ ./spc-v0.8.ksh -v -r ./myrepository -t SUNWCssh
   [C] SUNWCssh                  Secure Shell
      [P] SUNWsshcu                 SSH Common, (Usr)
      [P] SUNWsshdr                 SSH Server, (Root)
      [P] SUNWsshdu                 SSH Server, (Usr)
      [P] SUNWsshr                  SSH Client and utilities, (Root)
      [P] SUNWsshu                  SSH Client and utilities, (Usr)

To see what packages and clusters are included in a metacluster, just use the "-T" option:

$ ./spc-v0.8.ksh -v -r ./myrepository -T SUNWCmreq | head -10
[M] SUNWCmreq                 Minimal Core System Support
   [C] SUNWCfca                  Sun ISP Fibre Channel Device Drivers
      [P] SUNWqlc                   Qlogic ISP 2200/2202 Fibre Channel Device Driver
      [P] SUNWemlxs                 Emulex-Sun LightPulse Fibre Channel Adapter (FCA) driver (root)
   [C] SUNWCfct                  Sun Fibre Channel Transport Software
      [P] SUNWfcsm                  FCSM driver
      [P] SUNWfctl                  Sun Fibre Channel Transport layer
      [P] SUNWfcp                   Sun FCP SCSI Device Driver
      [P] SUNWfcip                  Sun FCIP IP/ARP over FibreChannel Device Driver
   [C] SUNWCfmd                  Fault Management Daemon and Utilities
[…]

I would also like to thank Peter Pickford for sharing a fix for a bug that resulted in the tool not properly recording all dependencies under certain circumstances. Thank you! While I was at it, I also took a little time to clean up the code a bit.

You can find more information, examples and the source code on the project page.

Keep the suggestions, reports and fixes coming!

Glenn

Technorati Tag:

Thursday Jan 31, 2008

HEADSUP: Solaris 10 Security Best Practices

Just a quick heads-up note to say that the official Sun location for the Solaris 10 security recommendations documents has changed. While you can still get to the content from the OpenSolaris Security Community Library page, the new location is on sun.com.

The recommendations documents have been bundled into an archive so that they can be more easily downloaded in a single step. The individual documents are still available and can be downloaded at:

Monday Jan 07, 2008

Top 5 Solaris 10 Security Features You Should Be Using

Inspired by Solaris 10 winning a spot on the InfoWorld 2008 Technology of the Year Award list, I decided to write up a list of my own. I hope you forgive this little bit of cheerleading, but I just could not help myself...

The Top 5 Solaris 10 Security Features You Should Be Using!

This list is intended to highlight five security controls found in the Solaris 10 OS that will offer the most direct and immediate value to you and your organization. I stopped the list at five to simply provide a representative list, but you can see from this deep dive presentation that Solaris has a lot more to offer. At any rate, let's get on with the list... (drum roll please)...

5. Auditing.

Yes, Solaris has had its auditing facility in place since Solaris 2.3, but I can't even begin to count how often I talk with people who do not know that it exists. Solaris Auditing is a great facility to figure out what is happening on your systems. As a kernel-based facility, it can see and record everything that is happening - which is absolutely critical for organizations concerned with compliance. Martin has published a nice audit configuration to address the security requirements for the payment card industry. We also have a whitepaper that discusses how Solaris as a whole stacks up in this area, but I digress... Moving on.

4. Privileges.

You are likely using privileges without even knowing it, and that is a good thing. Solaris has implemented the principle of least privilege across many of the default set-uid binaries and system services. By default, many services are granted only those privileges they need (or simply drop those that they do not need). That said, why stop there? This Sun BluePrint describes how to integrate privileges into third-party or even your own applications. Further, for those doing software development, this paper talks about how to integrate privileges directly into your code to bracket your use of privileges - further limiting when your code will run with privileges. Don't know what privileges you need? Check out our privilege debugger - it will show you the way. By running with only those privileges that you need, your window of exposure is significantly reduced - and we can all agree that is a good thing.

3. Role-based Access Control.

Need to limit access to administrative functions? Do you occasionally need to perform privileged operations? Role-based Access Control or RBAC is the answer. Originally integrated in Solaris 8, RBAC has become increasingly more integrated with the rest of the operating system. For example, if you want to allow your operators to restart but not change system services, RBAC can help. Bart has developed a very nice tour of RBAC for those new to the technology. For those wanting something a little more advanced, you can use RBAC to implement a two-person (or four-eyes) access control scenario. Regardless, of whether you just want to want to just delegate root access or you want to implement a sophisticated access control policy, RBAC can scale to meet your needs.

2. Zones.

You knew I would be getting to zones, right? Zones are IMHO one of the most significant security features in the Solaris 10 OS. Kernel and most user-land forms of root kits are essentially rendered non-effective when running your applications in a sparse-root non-global zone. Zones operate with fewer privileges than their global zone counterpart - making privilege-oriented attacks far more difficult to achieve. More than that, the core OS binaries, libraries and kernel modules are all effectively immutable in the default configuration since they are provided using read-only loopback mounts from the global zone. What does this mean? Simply put, you can't change them. This is a huge win for security, for change control, for IT governance - you name it. You can give access to applications to do their work in a safe environment without risking changes to the underlying OS. That said, if you need to make changes, Solaris is flexible enough to accommodate. You can add devices, file systems, network interfaces, even privileges to zones. You can enforce various resource controls on zones to prevent them from using an unfair share of Solaris resources. What's more - you can personalize your zone with its own hardening configuration, naming and authentication services, audit policy, and much more. You can even do some very interesting things with cooperating zones. Zones offer such compelling security capabilities that they (along with auditing, privileges and RBAC) serve as a cornerstone of Solaris Trusted Extensions, Sun's multi-level operating system that implements mandatory access control.

1. Network Secure by Default.

Last, but certainly not least on this list is Secure by Default or SBD. SBD was introduced in Solaris 10 11/06 as a means of significantly reducing the network-visible attack surface of the Solaris OS - particularly for out of box configurations. Huh? It means that when SBD is selected at installation time, the only Solaris OS service that will be exposed on the network is Secure Shell (rather than a traditionally long list of services that may or may not be used in your deployed environment). SBD can be selected at install time (for initial installs) or post-installation time (for upgrades and when you just want to enable it later). It will either turn off services that were deemed non-critical or set required services to a local-only state where they will respond only to requests coming from the local machine itself. This allows you to start from a more secure default configuration and enable only those services that you actually need. SBD can be configured in the global zone or in any number of non-global zones (since they can have their own configurations). For those wanting a bit more in terms of customization (for which services they want to disable, enable, set local-only, etc.), you may want to consider using the Solaris Security Toolkit where you can set policies against which the system configuration can be assessed or set. Regardless of which tool you choose, you can now more easily lock down your Solaris 10 deployments.

I hope you enjoyed this look at the Top 5 Solaris 10 Security Features You Should Be Using. If you want to learn more about what capabilities Solaris 10 has to offer, you have a wealth of options to help you get up to speed:

Until next time...

Glenn

Technorati Tag:

Friday Jan 04, 2008

UPDATED: Solaris - Now With More Fuzz

Every six months or so, I try to do a run of my fuzz tests against the Solaris OS. The first test was conducted a year ago with build 42 followed by a test during our summer break on build 68 of Nevada. It should come as no shock then that I conducted another test during the winter break on build 80.

The tools and methodology are the same (although there are still some kinks to be worked out to make it fully automated), but for those who have not read my earlier post, I will summarize. The tests were conducted on a fresh installation of Nevada build 80 built with the SUNWXCall (Entire + OEM) installation cluster. A sparse-root, non-global zone (called "fuzz") was created for the tests and the software was loaded into the zone. Next, the names of all of the ELF binaries were collected, using the make-exec-list script run from within in the non-global zone. Next, the make-fuzz-tests script was run to generate the 36 different fuzz files to be used as input for each binary tested. Lastly, the test was kicked off using the exec-fuzz-tests script. The script pretty much runs unattended except when I need to kill off runaway processes. I still need to add some code to kill off anything started at the end of each test so you do not end up with tons of extra processes running and consuming memory.

At any rate, the test run completed and I have posted my results in Bugster and the bugs are also available in the OpenSolaris Bug Database Search using the keyword fuzz. The programs impacted can be viewed using this query.

While I tend to do this kind of work for fun as a holiday distraction, it does have real benefit. Programs that fail during a fuzz test (usually core dumping although a runaway or two have also been found) fail due to unvalidated input that leads to a buffer overflow or arithmetic exception of some kind. Input validation is not to be taken lightly and should be performed by every program and service. In fact, on the CERT Top 10 Secure Coding Practices list, validate input is item #1 and with good reason.

Take care,

Glenn

Technorati Tag:

About

gbrunett

Search

Archives
« April 2014
SunMonTueWedThuFriSat
  
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
   
       
Today