Tuesday Jul 07, 2015

New Security Extensions in Oracle Solaris 11.3

In Solaris 11.3, we've expanded the security extensions framework to give you more tools to defend your installations. In addition to Address Space Layout Randomization (ASLR), we now offer tools to set a non-executable stack (NXSTACK) and a non-executable heap (NXHEAP). We've also improved the sxadm(1M) utility to make it easier to manage security extension configurations.

NXSTACK

When NXSTACK is enabled, the process stack memory segment is marked non-executable. This extension defends against attacks that rely on injecting malicious code and executing it on the stack. You can also configure NXSTACK to log each time a program tries to execute code on the stack. Log entries are output to /var/adm/messages.

Very few  non-malicious programs need to execute code on the stack, so NXSTACK is enabled by default in Solaris 11.3. If you have a program that needs to execute on the stack and you are able to recompile it, you can pass the "-z nxstack=disable" flag to Solaris Studio. Otherwise, you can use sxadm either to disable NXSTACK or set it to work only on tagged binaries. Most core Solaris utilities are tagged for NXSTACK.

Note that NXSTACK takes the place of the "noexec_user_stack" and "noexec_user_stack_log" entries in /etc/system. You can still use those entries to configure non-executable stack, and they will take precedence over any configuration of NXSTACK. However, they are considered deprecated and you are encouraged to switch to using NXSTACK through sxadm.

NXHEAP

When NXHEAP is enabled, the brk(2)-based heap memory segment is marked non-executable. This extension defends against attacks that rely on injecting code and executing it from the heap. You can also configure NXHEAP to log each time a program tries to execute code on the heap. NXHEAP log entries are also written to /var/adm/messages.

Some programs (such as interpreters) do have legitimate reasons to execute code from the heap, so NXHEAP is enabled by default only for tagged binaries. Most core Solaris utilities are already tagged for NXHEAP, and you can tag your own binaries by passing the linker flag "-z nxheap=enable" when compiling with Solaris Studio. Of course, NXHEAP can also be enabled or disabled globally with sxadm.

sxadm

We've made all sorts of improvements to sxadm in Solaris 11.3, so I'm only going to focus on three new subcommands that will help you configure the new security extensions.

sxadm get

"sxadm get" allows you to observe the properties of security extensions. For example, NXSTACK and NXHEAP have log properties that show whether or not logging is enabled for those extensions. You can query the log property with:

$ sxadm get log nxstack nxheap
EXTENSION           PROPERTY                      VALUE
nxstack             log                           enable
nxheap              log                           enable  

And you can get an easily parsable format by passing the "-p" flag:

$ sxadm get -p log nxstack nxheap
nxstack:log:enable
nxheap:log:enable

You can also query all properties (equivalent to "sxadm status") with:

$ sxadm get all
EXTENSION           PROPERTY                      VALUE
aslr                model                         tagged-files
nxstack             model                         all
--                  log                           enable
nxheap              model                         tagged-files
--                  log                           enable  

sxadm set

"sxadm set" allows you to set individual properties of extensions without needing to use "sxadm enable". For example, you can disable NXSTACK logging with:

$ sxadm get log nxstack
EXTENSION           PROPERTY                      VALUE
nxstack             log                           enable
$ sxadm set log=disable nxstack
$ sxadm get log nxstack
EXTENSION           PROPERTY                      VALUE
nxstack             log                           disable

sxadm delcust

"sxadm delcust" allows you to restore the default configuration for one or more security extensions. For example:

$ sxadm get all nxstack
EXTENSION           PROPERTY                      VALUE
nxstack             model                         tagged-files
--                  log                           disable
$ sxadm delcust nxstack
$ sxadm get all nxstack
EXTENSION           PROPERTY                      VALUE
nxstack             model                         all
--                  log                           enable

Of course, all of these new subcommands also work with ASLR, even though it only has one "model" property. For example:

$ sxadm get all aslr
EXTENSION           PROPERTY                      VALUE
aslr                model                         tagged-files
$ sxadm set model=all aslr
$ sxadm get all aslr
EXTENSION           PROPERTY                      VALUE
aslr                model                         all
$ sxadm delcust aslr
$ sxadm get all aslr
EXTENSION           PROPERTY                      VALUE
aslr                model                         tagged-files 

Conclusion

I hope you've enjoyed this quick introduction to all the work we've put into the Security Extensions Framework for Solaris 11.3, and I hope you're able to use some or all of it to meet your organization's security needs. For a more detailed explanation of sxadm and the individual security extensions, please see the sxadm(1M) man page.

Friday Feb 22, 2013

Security Experts Spill the Beans on Oracle Solaris 11.1

There have been several recent blog posts about new security / crypto features in Oracle Solaris 11.1:

Glenn Faden has written on a few topics:

Dan Anderson writes about SPARC T4 Digest and Crypto Optimizations.

Darren Moffat shows how to run up a quick Python script to generate a crypt_sha256 hash from the command line.

Monday Feb 11, 2013

Oracle Solaris 11.1: Compliance Reporting with SCAP

Not "scap"; SCAPDarren Moffat writes about the new security compliance framework added in Oracle Solaris 11.1, the emerging Security Content Automation Protocol.

"One of the important parts is the OVAL (Open Vulnerability Assessment Language) standard [which] allows us to write a checkable security policy and verify it against running systems."

[Read More]


Wednesday Jun 23, 2010

Rights Profiles

A Rights Profile gives a user or role the privileges to perform one or more specified tasks. As the Primary Administrator of your system, you might not give rights profiles much thought because you basically have the authority to do everything. However, if you're creating accounts for other users on the system, it's unlikely that you want to also give them Primary Administrator powers.[Read More]

Tuesday Jun 22, 2010

Auditing

Someone recently asked on the opensolaris-help forum if it was possible to log ssh events into his OpenSolaris box. I provided a brief answer on how to use the OpenSolaris audit feature to track this information, but I thought a more thorough introduction to auditing may be warranted.[Read More]

Thursday May 27, 2010

Zones, X and Roles

My last two blog entries were actually written to set up this entry. What if I'm logged into the zone, assumed a role and need to run a GUI? An example use case here would be assuming the role of oracle and wanting to run something like the Oracle Database Configuration Assistant (DBCA). For the purposes of this entry, however, I'll stick to the simple Python GUI I used in my previous entry.[Read More]

Tuesday May 25, 2010

Roles

Of all the components of Solaris' Role Based Access Control (RBAC), roles are the easiest the implement. When I explain the concept of roles to people, they immediately get it.

OpenSolaris comes with a couple of roles pre-configured, most notably root. This has led to some frustration for newcomers to OpenSolaris as they don't understand why they can't log into their system as root.

But, as there is most likely no person in your organization named 'root', why do you wnat a user account on your system for a person that doesn't exist? Who is this root user and who's accountable for what they do on the system? Over time the password for the root user account always seems to proliferate. The principle of least privilege, another RBAC concept that I'm not addressing here, is meant to limit the need to hand out root access, but even in the absence of that, wouldn't it be nice to know who's doing what as root on your system?

[Read More]

Tuesday May 11, 2010

Locking Down Apache

I noticed my Apache web server had one process that ran as root, which then forked other processes as user webservd.  The reason for this is that apache wants access to port 80, which traditionally requires root privileges. To improve upon this all-or-nothing security model, Solaris 10 introduced the concept of fine-grained privileges, and in OpenSolaris there are now 75 of them.

What this means is that I can now give a process, which has traditionally run with root privileges, just the privileges it needs to get its job done - a concept known as least privilege. The trick, of course, is figuring out which privileges a process needs.

[Read More]

Wednesday Dec 23, 2009

Critical Security Update for Adobe Flash Player

Earlier this month, Adobe released a security update for its Flash Player. Adobe has assigned this update its highest risk rating of Critical. This update is available for OpenSolaris.[Read More]

Tuesday Jun 16, 2009

Security Screencasts

Today I came across 3 short screencasts by Christoph Schuba on various security related features in OpenSolaris:

Christoph's a senior engineer on the Solaris security team and a frequent presenter on the topic of OpenSolaris security at conferences. Each screencast is under 5 minutes. Enjoy.

Friday Dec 05, 2008

Understading RBAC

Role Based Access Control or RBAC is a powerful feature of OpenSolaris. However, all of the moving pieces involved can make it somewhat hard to comprehend. In this blog entry I attempt to distill what I've come to understand.

[Read More]
About

The Observatory is a blog for users of Oracle Solaris. Tune in here for tips, tricks and more as we explore the Solaris operating system from Oracle.

Search

Archives
« July 2015
SunMonTueWedThuFriSat
   
1
2
3
4
5
6
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
 
       
Today