Wednesday Nov 04, 2009

NEW: Solaris 10 Security Deep Dive Presentation

Today, I am very happy to announce the availability of a new Solaris 10 Security Deep Dive training. This version has been updated for Solaris 10 10/2009 (also known as Update 8). From a security perspective, there have only been a few updates since my last posted version, but it is always good to be current. Items added in this new version include: ZFS user and group quotas, ZFS pre-defined ACL sets, NTPv4, and nss_ldap shadowAccount support. In addition, there was a bit of cleanup throughout and a new example was added for Trusted Extensions.

As usual, I have made this content available in both OpenDocument Format (ODF) and PDF. If you are using Microsoft Office, you can use the Sun MS Office ODF Plugin to read the source document.

For those of you who have downloaded one of the previous versions, thank you! There have been nearly 8,000 downloads of this presentation so far! If you have not had a chance, I would encourage you to download and check out a copy today. It is really amazing how many new and updated security features and capabilities there are in Solaris 10. If you have been away from Solaris (even Solaris 10) for a while, I am sure you will be shocked with what you can do today! As always, feedback is greatly appreciated!

Take care!

Glenn

Technorati Tag:

Monday Jun 15, 2009

NEW: Solaris 10 Security Deep Dive Presentation

It has sure been a busy month and really it has just begun. Today, I am happy to announce the availability of my Solaris 10 Security Deep Dive presentation, updated for the just released Solaris 10 05/2009 (Update 7). From a security perspective, there have only been a few updates since my last posted version, for Solaris 10 10/2008 (Update 6), but it is always good to be current. Of particular interest is a new slide focused on IPsec and IKE. As usual, I have made this content available in both OpenDocument Format (ODF) and PDF. If you are using Microsoft Office, you can use the Sun MS Office ODF Plugin to read the source document.

For those of you who have downloaded one of the previous versions, thank you! There have been nearly 5,000 downloads of this presentation so far! If you have not had a chance, I would encourage you to download and check out a copy today. It is really amazing how many new and updated security features and capabilities there are in Solaris 10. If you have been away from Solaris (even Solaris 10) for a while, I am sure you will be shocked with what you can do today! As always, feedback is greatly appreciated!

Take care!

Glenn

Technorati Tag:

Monday Mar 09, 2009

NEW: Solaris Package Companion v0.9

Today, I am proud to announce the release of version 0.9 of the Solaris Package Companion. This new version is primary based upon a set of patches provided by Jerome Blanchet that provided support for the collection and processing of reverse dependency information ("R" entries in a package's depend(4)) file) as well as enhanced processing and display of platform specific packages. Thank you, Jerome!

As is my tradition when a bug is found, I try and publish a little something extra as a mea cupla. Due to limited "free time", the "mea culpa" enhancement this time is quite minor but worth mentioning anyway. In past versions, there was no interface to change the information collection rules of the tool. If you wanted to disable the collection of certain types of information (such as package names or dependencies) you had to go into the code and change the relevent COLLECT_ variable. No longer. The defaults are still the same, but now the tool will honor variable settings originating from the shell or command line as follows:

$ env COLLECT_NAMES=0 ./spc-v0.9.ksh -r /tmp/myrepository -i -l

Note that the COLLECT_ variables are only used during the creation of a repository. Not a big enhancement, but one none the less! Thank you again Jerome for discovering the bug and offering a patch!

Keep the suggestions, reports and fixes coming!

Glenn

Technorati Tag:

Friday Nov 14, 2008

NEW: Solaris 10 Security Deep Dive Presentation

It must be that time of year again. At Sun's Customer Engineering Conference this year, I unveiled the latest update to my Solaris 10 Security Deep Dive Presentation. This version has been updated based upon Solaris 10 10/08 (Update 6) which means it is in sync with the most recently shipping version of Solaris 10. This version is in OpenDocument Format. Should you want a PDF version, you can use this copy.

The last update that I had posted was downloaded more than 2,000 times. That is a great number for such a specialized and technical topic. With all of these downloads, however, I have yet to hear from you! Please be sure to send along your feedback! I am particularly interested in things like:

  • Does the content meet your needs? How can it be improved?
  • What are your security requirements not met today by Solaris 10? What is your wish list?
  • Is their content where you would like more detailed information (e.g., a BluePrint)?

As I said in my last Solaris 10 Security Update... If you have not taken a look into what Solaris 10 can offer recently, you really must give it a look! Also, be on the look out for a posting very soon on a project called Immutable Service Containers. With that as a teaser, I will sign off for today... Take care!

Glenn

Technorati Tag:

Monday Aug 04, 2008

NEW: Solaris Package Companion v0.8.1 / Testing Tool v0.1

On the heels of the v0.8 release, Clive King was able to find a new bug introduced as a result of my attempting to make the code a little more in line with Korn Shell conventions. Clive, thank you for reporting the details! I have published an updated version as v0.8.1. As always, you can get all of the details at the OpenSolaris Solaris Package Companion Project Page

As is my tradition when a bug is found, I try and publish a little something extra as a mea cupla. This time is no different. In addition to version 0.8.1 of the Solaris Package Companion, I have also published a testing tool for the same.

The testing tool, called spc-test-v0.1.ksh is also available from the project page. This tool can test multiple versions of the tool against multiple repositories which is pretty cool when checking for regressions. There are currently 48 tests although tests can be easily added or removed as needed. It can optionally display the results to the screen, but by default it records them in a directory where a basic consistency check is performed to detect differences in output (for the same repository) resulting from the use of different versions of the tool. This is not intended to be an all encompassing test suite or even a piece of production code, but rather a basic sanity check to make sure the key functions are working as expected.

Thanks again, Clive!

Keep the suggestions, reports and fixes coming!

Glenn

Technorati Tag:

Friday Aug 01, 2008

NEW: Solaris Package Companion v0.8

Wow, has time passed since my last posting. I promise to do a quick update soon as a lot has been happening over the last six months! In the meantime, I wanted to tell you all about a new version of the Solaris Package Companion (version 0.8) that is now available.

For those not familiar with the tool, here is a brief overview:

   The Solaris Package Companion is a small Korn shell script that allows you to ask
   quite a number of interesting questions about the relationships between Solaris 
   metaclusters, clusters and packages as well as their respective dependencies. Very
   often, answers to these kinds of questions are essential for the construction of 
   minimized systems as well as more generally for OS golden images.

   The goal of the Solaris Package Companion, or SPC for short, is to do all of the 
   hard work so you don't have to. SPC will create a cache of important facts by mining
   information from the various packaging files and directories to allow you to quickly 
   and easily obtain answers to a variety of questions such as:

     \* What clusters or packages are contained in a given metacluster?
     \* What packages are contained in a given cluster?
     \* What metacluster or cluster contains a given package?
     \* On what other packages does a given package or cluster depend?
     \* Which packages depend on a given package?
     \* … and so on…

New to this release is a tree view display method that allows you to list the contents of metaclusters and clusters in a more eye-friendly tree-view. Thanks to Fredrich Maney for contributing the idea and code! Here are a few examples from the project page showing what this looks like:

To see what packages are included in a cluster, just use the "-t" option:

$ ./spc-v0.8.ksh -v -r ./myrepository -t SUNWCssh
   [C] SUNWCssh                  Secure Shell
      [P] SUNWsshcu                 SSH Common, (Usr)
      [P] SUNWsshdr                 SSH Server, (Root)
      [P] SUNWsshdu                 SSH Server, (Usr)
      [P] SUNWsshr                  SSH Client and utilities, (Root)
      [P] SUNWsshu                  SSH Client and utilities, (Usr)

To see what packages and clusters are included in a metacluster, just use the "-T" option:

$ ./spc-v0.8.ksh -v -r ./myrepository -T SUNWCmreq | head -10
[M] SUNWCmreq                 Minimal Core System Support
   [C] SUNWCfca                  Sun ISP Fibre Channel Device Drivers
      [P] SUNWqlc                   Qlogic ISP 2200/2202 Fibre Channel Device Driver
      [P] SUNWemlxs                 Emulex-Sun LightPulse Fibre Channel Adapter (FCA) driver (root)
   [C] SUNWCfct                  Sun Fibre Channel Transport Software
      [P] SUNWfcsm                  FCSM driver
      [P] SUNWfctl                  Sun Fibre Channel Transport layer
      [P] SUNWfcp                   Sun FCP SCSI Device Driver
      [P] SUNWfcip                  Sun FCIP IP/ARP over FibreChannel Device Driver
   [C] SUNWCfmd                  Fault Management Daemon and Utilities
[…]

I would also like to thank Peter Pickford for sharing a fix for a bug that resulted in the tool not properly recording all dependencies under certain circumstances. Thank you! While I was at it, I also took a little time to clean up the code a bit.

You can find more information, examples and the source code on the project page.

Keep the suggestions, reports and fixes coming!

Glenn

Technorati Tag:

Friday Nov 02, 2007

NEW: Solaris Package Companion v0.7

This one must have slipped my mind. Please accept my apologies. Back in September (2007), I published an updated version of the Solaris Package Companion. For those not familiar with the tool, here is a brief overview:

   The Solaris Package Companion is a small Korn shell script that allows you to ask
   quite a number of interesting questions about the relationships between Solaris 
   metaclusters, clusters and packages as well as their respective dependencies. Very
   often, answers to these kinds of questions are essential for the construction of 
   minimized systems as well as more generally for OS golden images.

   The goal of the Solaris Package Companion, or SPC for short, is to do all of the 
   hard work so you don't have to. SPC will create a cache of important facts by mining
   information from the various packaging files and directories to allow you to quickly 
   and easily obtain answers to a variety of questions such as:

     \* What clusters or packages are contained in a given metacluster?
     \* What packages are contained in a given cluster?
     \* What metacluster or cluster contains a given package?
     \* On what other packages does a given package or cluster depend?
     \* Which packages depend on a given package?
     \* … and so on…

New to this release is the tag before the item description to inform the user of the type of object being dispayed. [P] indicates a package while [C] is a cluster and [M] is a metacluster. Another new feature is the ability to fold packages back into their respective clusters (where possible). This can be helpful when trying to create a complete list of items for a standard OE image or JumpStart configuration. Essentially, this will report the cluster name in which the package is found. This can be accomplished using the -F (folding) option. The new -Z option will display the list of packages that depend on a specific cluster. There is also an new experimental option -f that will allow you to map a file to a package or cluster (with the -F option). This only works for local files reliably right now. Finally, special thanks to Dave Comay for reporting a bug - that has been fixed in this version too!

You can find more information, examples and the source code on the project page.

Technorati Tag:

Thursday Aug 31, 2006

Solaris Package Companion on OpenSolaris.org

This note is to announce the new Solaris Package Companion OpenSolaris project page (child of the SVR4 packaging project page) at:

http://www.opensolaris.org/os/project/svr4_packaging/package_companion/

Check it out to get all of the latest and greatest information, usage instructions, code and examples.

Love to hear what you think!

g

Technorati Tag:

Monday Jul 10, 2006

Solaris Package Companion v0.6



Well, it is time for another update of the Solaris Package Companion. During the course of some additional testing, I found a few bugs which I have corrected in this new version. The biggest issue corrected in this update is the detection of packages versus clusters. I also added a check to avoid an exception case where a package is defined in a clustertoc(4) file but it cannot be found in the distribution (or on the local system when in local-only mode). For those interested, here is a diff:

blackhole$ diff spc-v0.5.ksh spc-v0.6.ksh
44,48c44,45
< BASEDIR=""
< REPOSITORY=""
<
< export BASEDIR REPOSITORY
<
---
> export BASEDIR=""
> export REPOSITORY=""
69c66,69
<    else
---
>    elif [ -d "`dirname ${fileName}`" ]; then
>       # GMB: This is a small hack to avoid generating an error message
>       #      when a package is listed in a "contents" file but it does
>       #      not otherwise exist (e.g., SUNWphx on snv_18)
88a89,94
>    if [ -z "${name}" ]; then
>       # This method should only be trusted when in "local only" mode.
>       if [ ${LOCAL_ONLY} -eq 1 ]; then
>          name="`pkgparam ${1} NAME 2>/dev/null`"
>       fi
>    fi
221c227
<             if [ `echo ${member} | grep -c "\^[A-Z]\*C"` -eq 1 ]; then
---
>             if [ -d ${C_DIR}/${member} ]; then

If you are interested in giving this version a whirl, please download version 0.6 and let me know what you think! Thank you to everyone who has provided feedback and ideas so far! Keep them coming!

Take care,

Glenn

Technorati Tag:

Friday Jun 30, 2006

Solaris Package Companion v0.5



A few days ago, I posted version 0.4 of the Solaris Package Companion. I had a little time today to do some tweaking based on the feedback that I have received so far. Today, I am pleased to announce that I have made version 0.5 available.

There is only two signficiant differences between versions 0.4 and 0.5. In version 0.5, you must specify that you want to create a working repository for the tool using the newly added -i option (which must be used with either the -l (local) or -s (source distribution) options. Once the repository has been created, the rest of the code should operate in the same manner as before.

The second difference is that during the creation of the repository, the tool will collect package names automatically. This way, you do not need to specify either the -l or -s options after the repository has been created. This makes the -v (verbose) mode a bit faster although the repository creation process (a one time event) is just a little bit longer.

You will still need to specify one of those two options if you want to try out the undocumented -f option to map a file name to a package (if possible). This functionality is still in development but feel free to try it out!

I did add a bunch of new exception handling code that should make it easier to know what is going on if there is a problem or if required arguments are not being passed in a way expected by the program. I hope that these updates will make this tool more easy for everyone to use. Please let me know what you think about the changes!

Thank you to everyone who has provided feedback and ideas so far! Keep them coming!

Take care,

Glenn

Technorati Tag:

Thursday Jun 22, 2006

Solaris Package Companion

[Read More]

Monday Sep 27, 2004

Foundation for Minimal Solaris 10 Systems

The topic for this article is the Solaris 10 Reduced Networking Software Group (also commonly known as the Solaris 10 Reduced Networking Meta Cluster). This software group is new and joins the five existing software groups available in Solaris today: Core, End User, Developer, Entire and Entire + OEM software groups. The Reduced Networking Software Group is positioned as a subset of Core and represents the smallest amount of Solaris that can or should be installed and have a working and supported system. Note that for support reasons, it is not advised to remove packages installed by the Reduced Networking Software Group.

To install the Reduced Networking Software Group, simply select it from the list when doing a graphical installation. If you are using JumpStart, then you should use the cluster keyword with the new value SUNWCrnet. The following is a sample JumpStart profile that uses the Reduced Networking Software Group. This profile was also used to build the system used as an example in this article.

install_type    initial_install
cluster         SUNWCrnet
partitioning    explicit
filesys         rootdisk.s1     768     swap
filesys         rootdisk.s0     free    /
system_type     standalone

During the installation process, you will see messages similar to the following:

Processing profile
        - Selecting cluster (SUNWCrnet)
        - Selecting all disks
        - Configuring boot device
        - Using disk (c0t0d0) for "rootdisk"
        - Configuring swap (c0t0d0s1)
        - Configuring / (c0t0d0s0)

One thing that may draw your attention is the following install-time message:

Verifying space allocation
        - Total software size:  152.67 Mbytes

Yes, it's true - the size of this installation is just a little over 150-Mbytes. Note that this size is based on the build of Solaris 10 that I was using and will certainly change before Solaris 10 is finalized, but I did want to mention it as an example of how small a Solaris installation can be. By leveraging the Reduced Networking Software Group, you are providing yourself with a solid foundation on which to deploy a minimized platform. So, let's see what we have...

# df -k
Filesystem            kbytes    used   avail capacity  Mounted on
/dev/dsk/c0t0d0s0    7929156  164697 7685168     3%    /
/devices                   0       0       0     0%    /devices
ctfs                       0       0       0     0%    /system/contract
proc                       0       0       0     0%    /proc
mnttab                     0       0       0     0%    /etc/mnttab
swap                  956144     224  955920     1%    /etc/svc/volatile
objfs                      0       0       0     0%    /system/object
fd                         0       0       0     0%    /dev/fd
swap                  955928       8  955920     1%    /var/run
swap                  955920       0  955920     0%    /tmp

By the time all is said and done, the installed system is up to 161M. At present, this accounted for about 81 packages. This default configuration includes 28 set-uid programs and 11 set-gid programs. This is all much less than what is typically installed on most systems today. As noted above, this will certainly change before Solaris 10 is finalized, so don't hold me to those exact numbers. :-)

What is actually running on this system by default on this system? To answer this question, we look at the output of ps -aef:

# ps -aef
     UID   PID  PPID   C    STIME TTY         TIME CMD
    root     0     0   0 21:52:19 ?           0:06 sched
    root     1     0   0 21:52:22 ?           0:00 /sbin/init
    root     2     0   0 21:52:22 ?           0:00 pageout
    root     3     0   0 21:52:22 ?           0:01 fsflush
    root   432   376   0 22:31:05 console     0:00 ps -aef
    root     7     1   0 21:52:24 ?           0:03 /lib/svc/bin/svc.startd
    root     9     1   0 21:52:24 ?           0:16 svc.configd
    root   394   385   0 22:00:00 ?           0:00 /usr/lib/saf/ttymon
  daemon   335     1   0 21:53:40 ?           0:00 /usr/sbin/rpcbind
    root   340     1   0 21:53:40 ?           0:00 /usr/sbin/keyserv
  daemon   279     1   0 21:53:27 ?           0:00 /usr/lib/crypto/kcfd
    root   376     7   0 21:59:59 console     0:00 -sh
    root   278     1   0 21:53:26 ?           0:00 /usr/sbin/nscd
    root    79     1   0 21:52:46 ?           0:00 /usr/lib/sysevent/syseventd
    root   411     1   0 22:00:03 ?           0:00 /usr/lib/fm/fmd/fmd
    root   367     1   0 21:59:58 ?           0:00 /usr/lib/utmpd
    root   385     7   0 22:00:00 ?           0:00 /usr/lib/saf/sac -t 300
    root   389     1   0 22:00:00 ?           0:00 /usr/sbin/syslogd
    root   395     1   0 22:00:00 ?           0:00 /usr/lib/inet/inetd start
    root   397     1   0 22:00:00 ?           0:00 /usr/sbin/cron

As you can see, really only the bare minimum. This is also confirmed by our look at those network ports that are in use as reported by netstat -an:

# netstat -an

UDP: IPv4
   Local Address         Remote Address     State
-------------------- -------------------- -------
      \*.111                                 Idle
      \*.\*                                   Unbound
      \*.32772                               Idle
      \*.514                                 Idle
      \*.\*                                   Unbound

TCP: IPv4
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q  State
-------------------- -------------------- ----- ------ ----- ------ -------
      \*.\*                  \*.\*                0      0 49152      0 IDLE
      \*.111                \*.\*                0      0 49152      0 LISTEN
      \*.\*                  \*.\*                0      0 49152      0 IDLE


TCP: IPv6
   Local Address                     Remote Address                 Swind Send-Q Rwind Recv-Q   State      If
--------------------------------- --------------------------------- ----- ------ ----- ------ ----------- -----
      \*.\*                               \*.\*                             0      0 49152      0 IDLE

SCTP:
        Local Address                   Remote Address          Swind  Send-Q Rwind  Recv-Q StrsI/O  State
------------------------------- ------------------------------- ------ ------ ------ ------ ------- -----------
0.0.0.0                         0.0.0.0                              0      0 102400      0  32/32  CLOSED

Active UNIX domain sockets
Address  Type          Vnode     Conn  Local Addr      Remote Addr
30001307e08 stream-ord 30001292a80 00000000 /var/run/.inetd.uds

As you can see, only a handful of ports are actually open by default on a system installed using the Reduced Networking Software Group. The ports open in the above example belonged to the rpcbind process (ports TCP/111, UDP/111, and UDP/32772) and the syslogd process (UDP/514). If you did not want these services running, you can disable them with the following commands:

# svcadm disable network/rpc/bind
# svcadm disable system/system-log

Alternatively, you could have also configured rpcbind to use TCP Wrappers by running the following commands:

# svccfg
svc:> select network/rpc/bind
svc:/network/rpc/bind> setprop config/enable_tcpwrappers = true
svc:/network/rpc/bind> quit
# svcadm restart network/rpc/bind:default

Certainly, you would then need to configure your TCP Wrappers hosts.allow(4) and hosts.deny(4) files accordingly. For syslogd, you could also have set the LOG_FROM_REMOTE parameter in the /etc/default/syslogd file to NO. This would have caused the syslogd process to not listen for incoming connections from remote hosts.

But I digress...

Now, since only 150-Mbytes of software was installed, it should come as no shock to you that there is a lot of other software that was not installed. This is why the Reduced Networking Software Group is a foundation for minimization. You will need to add any software packages (either manually or by defining them in your JumpStart installation profile) that you need for applications, services, management or support.

For example, let's look for some common programs and services to see what happens:

# echo $PATH
/usr/sbin:/usr/bin
# which telnet
no telnet in /usr/sbin /usr/bin
# which ftp
no ftp in /usr/sbin /usr/bin
# which rcp
no rcp in /usr/sbin /usr/bin
# which rsh
no rsh in /usr/sbin /usr/bin
# which ssh
no ssh in /usr/sbin /usr/bin
# which mount
/usr/sbin/mount
# mount -F nfs -o ro 10.1.1.100:/export/disk1 /mnt
mount: Operation not applicable to FSType nfs
# truss
truss: not found
# snoop
snoop: not found

As you can see, the Reduced Networking Software Group does not come with very much! It is precisely this reason however why it will help customers wishing to build minimal configurations. By providing a solid, core set of packages, customers are free to take an additive approach to building minimal systems by simply adding in those packages that they want or need. This approach is much improved from the typical method employed today that requires users to remove unnecessary software packages - as this approach was prone to error and often raised problems for the supportability of such configurations.

Since I believe that many people will want to have Secure Shell in their default configuration, I did want to provide the JumpStart installation profile entries that would help. If you would like Secure Shell (but do not care about tunnelling X11 connections), then you can use the following profile:

install_type    initial_install
cluster         SUNWCrnet
cluster         SUNWCssh add
package         SUNWgss  add
partitioning    explicit
filesys         rootdisk.s1     768     swap
filesys         rootdisk.s0     free    /
system_type     standalone

Well, that's all for now. Check back soon for another installment of lesser known and/or publicized security enhancements to the Solaris 10 OS. I still have a bunch lined up for you! Let me know what you think of this series of articles as well as ideas for future updates. Take care!

Technorati Tag:

About

gbrunett

Search

Archives
« April 2014
SunMonTueWedThuFriSat
  
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
   
       
Today