Tuesday Nov 13, 2007

NEW: Hack-Fu - Deconstructing the Security Capabilities of the Solaris 10 OS

For the Sun CEC 2007 conference this year, I revamped my originalPractical Solaris 10 Security presentation that I had originally mentioned here. The new version of the presentation is titled Hack-Fu - Deconstructing the Security Capabilities of the Solaris 10 OS.

While the title is a little more "catchy", the real change is that the presentation was enhanced to provide a more complete practical demonstration of Solaris 10 security capabilities. The presentation is structured from the viewpoint of a potential attacker examining the system from the network. As each new capability is discussed, barriers are lifted -- one by one -- until the attacker is given root access inside a Solaris 10 non-global zone.

While I have not had a chance to record the talk putting audio to the slides, you can still follow along as many of the examples in the presentation are based upon Sun BluePrints and HOWTOs that have already been published such as:

and a few others. I am always tuning and tweaking these presentations to address new features, improve their clarity, and make the examples more realistic. So, be sure to give it a look and send along your feedback. Also, don't forget to check out the OpenSolaris Security Community Presentations Library for other presentations featuring Solaris 10 and OpenSolaris content!

Take care,


Technorati Tag:

Friday Nov 02, 2007

NEW: Solaris Package Companion v0.7

This one must have slipped my mind. Please accept my apologies. Back in September (2007), I published an updated version of the Solaris Package Companion. For those not familiar with the tool, here is a brief overview:

   The Solaris Package Companion is a small Korn shell script that allows you to ask
   quite a number of interesting questions about the relationships between Solaris 
   metaclusters, clusters and packages as well as their respective dependencies. Very
   often, answers to these kinds of questions are essential for the construction of 
   minimized systems as well as more generally for OS golden images.

   The goal of the Solaris Package Companion, or SPC for short, is to do all of the 
   hard work so you don't have to. SPC will create a cache of important facts by mining
   information from the various packaging files and directories to allow you to quickly 
   and easily obtain answers to a variety of questions such as:

     \* What clusters or packages are contained in a given metacluster?
     \* What packages are contained in a given cluster?
     \* What metacluster or cluster contains a given package?
     \* On what other packages does a given package or cluster depend?
     \* Which packages depend on a given package?
     \* … and so on…

New to this release is the tag before the item description to inform the user of the type of object being dispayed. [P] indicates a package while [C] is a cluster and [M] is a metacluster. Another new feature is the ability to fold packages back into their respective clusters (where possible). This can be helpful when trying to create a complete list of items for a standard OE image or JumpStart configuration. Essentially, this will report the cluster name in which the package is found. This can be accomplished using the -F (folding) option. The new -Z option will display the list of packages that depend on a specific cluster. There is also an new experimental option -f that will allow you to map a file to a package or cluster (with the -F option). This only works for local files reliably right now. Finally, special thanks to Dave Comay for reporting a bug - that has been fixed in this version too!

You can find more information, examples and the source code on the project page.

Technorati Tag:

NEW: Solaris 10 Set-ID and World Writable Overview

Various organizations have often asked for more detail regarding the set-uid, set-gid and world writable programs that are shipped by the default in the Solaris OS. Well, the wait is over (at least for Solaris 10 8/07)!

Today, I am happy to announce the public release of an overview document that describes these file system objects in detail. This document is still a draft and could still needs to answer a few questions, but I believe that it is far enough along to open up the discussion and begin getting feedback from all of you! If you are interested and want a copy of the document, you can find it here. Looking forward to your comments!

From the document:

While there are often many files delivered by operating systems and other software products, organizations are often most concerned with those programs and services that have or run with special privilege. Unfortunately, there is at times a lack of information regarding what these programs do and why their privileges are necessary. The goal of this document is to provide additional information on four special classes of objects delivered by the Solaris OS: Set-UID Files, Set-GID Files, and World Writable Directories and Files. With this information, organizations will be able to better understand the privileged programs, directories and files that exist on their systems.

If you would like to make recommendations or even implement an improvement (such as one of the RFEs listed in the document), please consider joining the OpenSolaris Security Community!


Technorati Tag:

NEW: Solaris 10 Security Best Practices

It is with great pleasure that I can (albeit belatedly) announce the arrival of the latest security guidance from both Sun and the Center for Internet Security. Working together, in concert with representatives from academia, industry and government, we have published security guidance for Solaris 10 11/06 and 8/07. This content represents the best and most complete form of Solaris security guidance ever produced.

Not only are the recommendations based upon industry consensus but they are also supported by Sun. What is even better is that this material was completed with support and feedback from both the National Security Agency and the Defence Information Systems Agency. I would like to especially thank both organizations for their significant contributions to this material! This iteration brings us (Sun, CIS, NSA and DISA) closer than even toward a single, consistent set of security recommendations for the Solaris OS.

The Benchmark itself has been restructured. Today, it comes in the form of two documents: (1) the core hardening Benchmark itself and (2) an extended appendix covering additional Solaris security controls with examples and references for more information. Further, the Benchmark itself has been significantly reorganized to improve its correctness and flow. Thanks to Carole, our editor!

Some new elements to the Benchmark include headers for each item that tell you if a given recommendation is a Solaris 10 default value, for what platforms it applies and even what configuration settings you need to implement the recommendation using the Solaris Security Toolkit. Overall the document is a tremendous step forward toward bringing the world the best available insight into how to harden and more generally secure their Solaris systems. There have also been quite a few updates to account for changes and enhancements in Solaris. The Solaris Security Appendix document is completely new and provides an overview of the security capabilities of the Solaris OS with many examples and references for more information including step-by-step BluePrints and HOWTOS. If you are responsible for managing or securing a Solaris 10 system, these documents are for you!

You can find a copy of these documents at both the CIS web site as well as on OpenSolaris.org (CIS Solaris Benchmark, Solaris Security Appendix). As always, feedback and ideas for future revisions are encouraged! If you are interested in participating in future versions of these documents, please consider joining the CIS Unix Benchmark Team. Contact Dave for more information!


Technorati Tag:

Monday Aug 13, 2007

Solaris Fingerprint Companion v0.5

For some reason, the links to things on SunSolve like the Solaris Fingerprint Database have changed and as a result, tools like my Solaris Fingerprint Companion stopped working. I would like to publicly thank Richard Mayebo for being the first to let me know of this issue. In addition to just fixing the links, it felt like an excellent opportunity to re-test the tool with the latest versions of Perl shipping on both Nevada as well as Ubuntu. I am very happy to report that the Solaris Fingerprint Database Companion tool continues to work just fine (after the required add-ons are installed). I have posted the latest and greatest version here as part of the OpenSolaris Security Community.

Give it a try and let me know what you think!

Take care,


Technorati Tag:


This area of cyberspace is dedicated the goal of raising cybersecurity awareness. This blog will discuss cybersecurity risks, trends, news and best practices with a focus on improving mission assurance.


« July 2016