Defense Security Service, Unix Security Guide: Solaris Workshop
Tito Cordero, DSS Irving Field Office, 14 December 2005
Purpose: to provide descriptions of how to implement security features within the Solaris Unix platform.
Purpose:
To provide descriptions of how to implement security features within the Solaris Unix platform.
To implement systems certification of National Security Information at Protection Level 1 or Protection Level 2.
To provide the Information System Security Manager with oversight of NISPOM Chapter 8 requirements within the UNIX platform.
(Introduction)
Audit Capability
Set the system time:
# date mmddHHMMyy
(see the Solaris manual page for the date command: # man date)
Master time server and slaves: ensure that the system designated to act as master time server has the correct time. To synchronize the time on a time slave system with the designated master system, issue the command:
# rdate <designated_master>
(Audit)
To continually synchronize the slave system to the master, add the following lines to root's crontab file:
# each hour, on the hour, run rdate to synchronize with the master
0 * * * * rdate <designated_master>
If the system time is not set to the US Central Time Zone, what is the offset from Greenwich Mean Time? (US Central is GMT -6.)
(Audit)
The following files and directories are the locations of security-relevant logged events:
/var/adm/wtmpx, /var/adm/utmpx: binary files recording all logins, logouts, and system reboots. The "last" command is used to display their contents.
/var/adm/LOGINLOG: failed login log. If this file exists, the login utility will log all failed logins here.
/var/adm/sulog: contains both successful and failed attempts to use the su (switch user) command. This will show persons accessing an account they are not authorized to access.
(Relevant Logged Events)
/etc/security/audit: directory containing all the auditing records gathered for denial of file access.
/etc/local/audit: directory containing all the filtered auditing records gathered for denial of file access.
(Relevant Logged Events)
To set up system auditing, perform the following steps. Sun Solaris Basic Security Module (BSM) provides additional security features that are not supplied in standard Solaris. To enable BSM:
Log in as root.
Bring the system into single-user mode by executing the following commands:
# sync
# sync
# init 0
# boot -s
(Basic Security Module)
Change directory to /etc/security:
# cd /etc/security
Execute the bsmconv script:
# ./bsmconv
After running the script, halt the system and reboot into multi-user mode:
# sync
# sync
# init 6 (or reboot)
(Basic Security Module)
Auditing is enabled by starting the audit daemon (auditd). The existence of the /etc/security/audit_startup script, created during the BSM package installation, causes the daemon to run automatically when the system enters multi-user mode. This script automatically configures the event to class mappings and sets the audit policies. (Basic Security Module)
Set the following flags line in the /etc/security/audit_control file:
flags:ad,-fa,-fr,-fw,-fm,-fc,-fd,-cl,lo
The flags are defined as:
ad  administrative  Administrative actions: mount, exports, etc.
fa  file_attr_acc   Access of object attributes: stat, pathconf, etc.
fr  file_read       Read of data, open for reading, etc.
fw  file_write      Write of data, open for writing, etc.
fm  file_attr_mod   Change of object attributes: chown, flock, etc.
fc  file_creation   Creation of object
fd  file_deletion   Deletion of object
cl  file_close      close(2) system call
lo  login_logout    Login and logout events
A minus sign in front of a flag logs only failures of the described class; with no sign, both successes and failures are logged. Make the new data available to the BSM service by either rebooting the system or entering the following command:
# audit -s
(Basic Security Module)
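To check that an audit_control file actually carries the flags line above (a "fa" without the minus does not satisfy a required "-fa"), here is an added example script; it is not part of the workshop, and the sample audit_control contents it writes to a temporary file are constructed for the demonstration:

```shell
#!/bin/sh
# Added example (not from the workshop): compare the flags: line of an
# audit_control file with the class list the slide requires. A leading
# '-' means "failures only", so "fa" does not satisfy a required "-fa".
REQUIRED_FLAGS="ad -fa -fr -fw -fm -fc -fd -cl lo"

# audit_control_missing FILE
# Prints one "missing: <flag>" line per required flag that is absent or
# carries the wrong prefix; returns 1 if anything is missing, else 0.
audit_control_missing() {
    # Take the flags: line, drop the key, and turn commas into spaces.
    have=$(sed -n 's/^flags:[[:space:]]*//p' "$1" | tr ',' ' ')
    missing=0
    for want in $REQUIRED_FLAGS; do
        found=0
        for got in $have; do
            [ "$got" = "$want" ] && found=1
        done
        if [ "$found" -eq 0 ]; then
            echo "missing: $want"
            missing=1
        fi
    done
    return $missing
}

# Constructed sample (not a real system file): fa logs successes too,
# and lo appears only in naflags, so both should be reported.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
dir:/etc/security/audit/<hostname>/files
flags:ad,fa,-fr,-fw,-fm,-fc,-fd,-cl
minfree:20
naflags:lo
EOF
audit_control_missing "$SAMPLE" || echo "audit_control needs attention"
rm -f "$SAMPLE"
```

On a real system run audit_control_missing /etc/security/audit_control as root before issuing audit -s.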
Successful logins, logouts, and system reboots are recorded in the binary files /var/adm/utmpx and /var/adm/wtmpx.
The login command logs all login successes and failures via the syslog facility. To redirect these to the file /var/adm/LOGINLOG, add the following lines to /etc/syslog.conf (the separator between selector and file must be a real tab character, not spaces):
(Logons & Logoffs)
auth.notice<TAB>/var/adm/LOGINLOG
auth.info<TAB>/var/adm/LOGINLOG
auth.debug<TAB>/var/adm/LOGINLOG
Create the LOGINLOG file to track these notices:
# touch /var/adm/LOGINLOG
# chown root:sys /var/adm/LOGINLOG
# chmod 600 /var/adm/LOGINLOG
Restart the syslog daemon:
# /etc/init.d/syslog stop
# /etc/init.d/syslog start
(Logons & Logoffs)
Failed logins are logged to the /var/adm/loginlog file after five failed attempts. Create the loginlog file to track failed logins:
# touch /var/adm/loginlog
# chown root:sys /var/adm/loginlog
# chmod 600 /var/adm/loginlog
/var/adm/sulog: this file records all successful and failed attempts to use the su (switch user) command.
(Logons & Logoffs)
BSM: adding the flag "lo" to the /etc/security/audit_control file as described above configures BSM to record both successful and unsuccessful logon/logoff events to the BSM log files in the /etc/security/audit directory.
(Logons & Logoffs)
The blocking or blacklisting of a user ID, terminal or access port, and the reason for the action.
In the file /etc/default/login set:
RETRIES=5 (exits the login after RETRIES unsuccessful attempts)
SYSLOG_FAILED_LOGINS=5 (if there are SYSLOG_FAILED_LOGINS consecutive unsuccessful login attempts, each of them will be logged in /var/adm/loginlog, if it exists; users get at most the minimum of RETRIES and SYSLOG_FAILED_LOGINS unsuccessful attempts)
(Blacklist)
DISABLETIME=300 (disables the login for 300 seconds, i.e. 5 minutes, after SYSLOG_FAILED_LOGINS or RETRIES unsuccessful attempts; note that this conflicts with the environment variable TIMEOUT if that is also set)
The five successive login failures will be logged in /var/adm/loginlog, which was configured in prior steps. The terminal port and failure will be logged in /var/adm/LOGINLOG, which was also configured in a prior step.
(Blacklist)
Denial of access resulting from an excessive number of unsuccessful logon attempts: in Solaris, by default and as specifically configured in paragraph 2.1 e above, five attempts are allowed before an attempted login dies. Login failures are reported via the syslog facility.
(Blacklist)
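The effective limit is the smaller of RETRIES and SYSLOG_FAILED_LOGINS, and a line that is still commented out sets nothing. The following added script (not part of the workshop) reads an /etc/default/login style file and reports whether it meets the three settings above; the sample file it writes is constructed for the demonstration:

```shell
#!/bin/sh
# Added example (not from the workshop): report the effective failed-login
# policy from an /etc/default/login style file. The slide's values are
# RETRIES=5, SYSLOG_FAILED_LOGINS=5 and DISABLETIME=300.

# login_setting FILE KEY: prints the value of an uncommented KEY= line.
# A line starting with '#' is only a commented-out default, not a value.
login_setting() {
    sed -n "s/^$2=//p" "$1" | tail -1
}

# login_effective_attempts FILE: users get at most the minimum of RETRIES
# and SYSLOG_FAILED_LOGINS attempts, as the slide notes. Returns 1 and
# prints nothing if either is unset.
login_effective_attempts() {
    r=$(login_setting "$1" RETRIES)
    s=$(login_setting "$1" SYSLOG_FAILED_LOGINS)
    [ -n "$r" ] && [ -n "$s" ] || return 1
    if [ "$r" -le "$s" ]; then echo "$r"; else echo "$s"; fi
}

# login_lockout_check FILE: returns 0 when the file meets the slide's
# policy (at most 5 attempts, then disabled for at least 300 seconds).
login_lockout_check() {
    rc=0
    attempts=$(login_effective_attempts "$1") || {
        echo "RETRIES or SYSLOG_FAILED_LOGINS unset or commented out"; return 1; }
    disable=$(login_setting "$1" DISABLETIME)
    echo "attempts before login exits: $attempts"
    [ "$attempts" -le 5 ] || { echo "more than 5 attempts allowed"; rc=1; }
    if [ -z "$disable" ]; then
        echo "DISABLETIME unset or commented out"; rc=1
    elif [ "$disable" -lt 300 ]; then
        echo "DISABLETIME=$disable is below the slide's 300 seconds"; rc=1
    fi
    return $rc
}

# Constructed sample: every setting is commented out, so the check
# reports findings instead of passing.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
CONSOLE=/dev/console
#RETRIES=5
#SYSLOG_FAILED_LOGINS=5
#DISABLETIME=20
EOF
login_lockout_check "$SAMPLE" || echo "/etc/default/login needs the slide's settings"
rm -f "$SAMPLE"
```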
The contents of audit trails will be protected against unauthorized access, modification, or deletion. Only authorized admin and support personnel will have permissions to access audit trail data. Log files should be owned by root and have a group of sys. With the exception of the messages file, all files should be set to have permissions such that only root can read or write to them. Read on the messages file is allowed for all users, as valuable debugging messages are logged in this file.
(Audit Trail Protection)
/var/adm/messages:
# chown root:sys /var/adm/messages
# chmod 644 /var/adm/messages
/var/adm/loginlog:
# chown root:sys /var/adm/loginlog
# chmod 600 /var/adm/loginlog
/var/adm/LOGINLOG:
# chown root:sys /var/adm/LOGINLOG
# chmod 600 /var/adm/LOGINLOG
/var/adm/sulog:
# chown root:sys /var/adm/sulog
# chmod 600 /var/adm/sulog
(Audit Trail Protection)
/etc/passwd and /etc/shadow: the passwd file should be "shadowed" by running the pwconv command. This removes the encrypted passwords from the /etc/passwd file, which is readable by everyone, and places them in /etc/shadow, which is readable only by root. To implement this, do the following:
# pwconv
# chmod 644 /etc/passwd
# chmod 600 /etc/shadow
(Audit Trail Protection)
Remove world permissions on the log directory. BSM: apply the required permissions to the audit trail directory, its subdirectories and files on the local machine:
# chmod 640 /etc/security/audit/<hostname>
# chown root /etc/security/audit/<hostname>
(Audit Trail Protection)
Audit analysis and reporting will be scheduled and performed at least weekly.
To review /var/adm/messages:
# more /var/adm/messages
or
# view /var/adm/messages
To review /var/adm/loginlog:
# more /var/adm/loginlog
or
# view /var/adm/loginlog
(Audit Trail Analysis)
To review /var/adm/sulog:
# more /var/adm/sulog
or
# view /var/adm/sulog
To review locked accounts:
# more /etc/shadow
or
# view /etc/shadow
To review login information:
# last
# more /var/adm/loginlog
or
# view /var/adm/loginlog
Questions. Now a five minute recess. Test.