Securing/Hardening UNIX Section 7
Hardening Solaris
• Session objective: This section shows what to harden on a Unix platform and how, with a strong emphasis on what a hacker will do to you if you forget
• What is hardening? Making a system secure by tightening file permissions, removing unnecessary services and patching the system
Recap on Unix Security
• Authorisation is by User and Group
• User / uid obtained at login from /etc/passwd
• Password stored in /etc/shadow
• Group / gid is stored in /etc/group
• AIX - /etc/security/user and /etc/security/passwd
• HPUX - /tcb/auth*
/etc/passwd
# more passwd
root:x:0:1:Super-User:/:/sbin/sh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
sys:x:3:3::/:
adm:x:4:4:Admin:/var/adm:
lp:x:71:8:Line Printer Admin:/usr/spool/lp:
smtp:x:0:0:Mail Daemon User:/:
uucp:x:5:5:uucp Admin:/usr/lib/uucp:
nuucp:x:9:9:uucp Admin:/var/spool/uucppublic:/usr/lib/uucp/uucico
listen:x:37:4:Network Admin:/usr/net/nls:
nobody:x:60001:60001:Nobody:/:
noaccess:x:60002:60002:No Access User:/:
nobody4:x:65534:65534:SunOS 4.x Nobody:/:
www:x:2000:200:WWW User:/export/home/www:/bin/sh
/etc/group
$ cat group
root::0:root
other::1:
bin::2:root,bin,daemon
sys::3:root,bin,sys,adm
adm::4:root,adm,daemon
uucp::5:root,uucp
mail::6:root
tty::7:root,tty,adm
lp::8:root,lp,adm
nuucp::9:root,nuucp
staff::10:
daemon::12:root,daemon
sysadmin::14:
nobody::60001:
noaccess::60002:
nogroup::65534:
www::200:root
/etc/shadow
# cat shadow
root:JipOt8gyLGBHw:10569::::::
daemon:NP:6445::::::
bin:NP:6445::::::
sys:NP:6445::::::
adm:NP:6445::::::
lp:NP:6445::::::
smtp:NP:6445::::::
uucp:NP:6445::::::
nuucp:NP:6445::::::
listen:*LK*:::::::
nobody:NP:6445::::::
noaccess:NP:6445::::::
nobody4:NP:6445::::::
File permissions
• rwx-rwx-rwx
• Owner - group - everyone else
Outline
• Patching
• Service removal
• Security settings
• Default permissions
• File permissions
• ASET
• Tripwire
• Commercial Applications
Patching
Why? - to remove security bugs
Two tools are built in to manage patches:
• patchadd installs directory-format patches on a Solaris system
• patchrm removes patches from a Solaris system
Patching
Some useful commands to manage patches:
• 'showrev -p' shows all patches applied to the system
• 'pkgparam pkgid PATCHLIST' shows all patches applied to the package identified by pkgid
• 'pkgparam pkgid PATCH_INFO_patch-number' shows the installation date and name of host
• 'patchadd -p' shows all patches applied to a system
• AIX - installp or smit
Patching - 'showrev -p'
# showrev
Hostname: Bankx
Hostid: 8388c2d53
Release: 5.8
Kernel architecture: sun4u
Application architecture: sparc
Hardware provider: Sun_Microsystems
Domain: uk.bank.com
Kernel version: SunOS 5.8 Generic 108528-09 June 2001
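Added example, not from the original slides: a script that reads 'showrev -p' output and reports which of a required set of patches are missing or below the required revision. The sample showrev lines and the required list are constructed for an offline demo; on a live host feed it the real 'showrev -p' output.

```shell
#!/bin/sh
# Check showrev -p output against a list of required minimum patch revisions.
# SAMPLE_SHOWREV and REQUIRED are constructed for this demo.

# Constructed sample of `showrev -p` lines (same shape as the real output).
SAMPLE_SHOWREV='Patch: 108528-09 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu, SUNWcsr
Patch: 108993-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsl
Patch: 109147-06 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu'

# Required minimum revisions, "base-rev" per line (hypothetical baseline).
REQUIRED='108528-13
108993-01
109155-01'

# Read showrev -p on stdin; print "base status installed required" for each
# required patch, where status is ok, outdated or missing.
patch_status() {
    awk -v req="$REQUIRED" '
        BEGIN {
            n = split(req, lines, "\n")
            for (i = 1; i <= n; i++) { split(lines[i], f, "-"); need[f[1]] = f[2] + 0 }
        }
        $1 == "Patch:" {
            # keep the highest installed revision of each patch base
            split($2, f, "-"); rev = f[2] + 0
            if (!(f[1] in have) || rev > have[f[1]]) have[f[1]] = rev
        }
        END {
            for (b in need) {
                if (!(b in have))           print b, "missing", "-", sprintf("%02d", need[b])
                else if (have[b] < need[b]) print b, "outdated", sprintf("%02d", have[b]), sprintf("%02d", need[b])
                else                        print b, "ok", sprintf("%02d", have[b]), sprintf("%02d", need[b])
            }
        }' | sort
}

# Number of required patches that are missing or outdated.
count_gaps() {
    patch_status | awk '$2 != "ok"' | wc -l | tr -d ' '
}

# Demo run on the constructed sample (a real host: showrev -p | patch_status).
printf '%s\n' "$SAMPLE_SHOWREV" | patch_status
```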
Service removal - Inetd
Inetd - the super listener
• Configuring this IS the No. 1 major hardening task
• Controlled by /etc/inetd.conf
• It can be used to hide network access once a machine is compromised, or to escalate access to root if the file is writable
To modify:
• # cp inetd.conf inetd.conf.old
• # vi inetd.conf
• Comment out services not needed and save
• # ps -ef | grep inetd, then note the process id
• # /sbin/kill -HUP <process id from above>
Service removal - Inetd
Inetd.conf - before hardening (page 1)
$ more inetd.conf
#
# Syntax for TLI-based Internet services:
#
# <service_name> tli <proto> <flags> <user> <server_pathname> <args>
#
# Ftp and telnet are standard Internet services.
#
ftp stream tcp nowait root /usr/sbin/in.ftpd in.ftpd
telnet stream tcp nowait root /usr/sbin/in.telnetd in.telnetd
#
#
Service removal - Inetd
Inetd.conf - before hardening (page 2)
# Shell, login, exec, comsat and talk are BSD protocols.
#
shell stream tcp nowait root /usr/sbin/in.rshd in.rshd
login stream tcp nowait root /usr/sbin/in.rlogind in.rlogind
exec stream tcp nowait root /usr/sbin/in.rexecd in.rexecd
comsat dgram udp wait root /usr/sbin/in.comsat in.comsat
talk dgram udp wait root /usr/sbin/in.talkd in.talkd
#
# Must run as root (to read /etc/shadow); "-n" turns off logging in utmp/wtmp.
#
uucp stream tcp nowait root /usr/sbin/in.uucpd in.uucpd
# Tftp service is provided primarily for booting.
tftp dgram udp wait root /usr/sbin/in.tftpd in.tftpd
# tftp dgram udp wait root /usr/sbin/in.tftpd in.tftpd -s /tftpboot
# Finger, systat and netstat give out user information which may be
--More--
Service removal - Inetd
Inetd.conf - before hardening (page 3)
finger stream tcp nowait nobody /usr/sbin/in.fingerd in.fingerd
echo stream tcp nowait root internal
daytime stream tcp nowait root internal
daytime dgram udp wait root internal
chargen stream tcp nowait root internal
# RPC services syntax:
# <rpc_prog>/<vers> <endpoint-type> rpc/<proto> <flags> <user> \
# <pathname> <args>
# Solstice system and network administration class agent server
100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind
rquotad/1 tli rpc/datagram_v wait root /usr/lib/nfs/rquotad rquotad
# The rusers service gives out user information. Sites concerned
# with security may choose to disable it.
rusersd/2-3 tli rpc/datagram_v,circuit_v wait root /usr/lib/netsvc/rusers/rpc.rusersd rpc.rusersd
Service removal - Inetd
Inetd.conf - after hardening
$ more inetd.conf
#
# Syntax for TLI-based Internet services:
#
# <service_name> tli <proto> <flags> <user> <server_pathname> <args>
echo stream tcp nowait root internal
# Some sites harden the configuration still further with a TCP wrapper
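Added example, not from the original slides, covering the inetd.conf procedure and the before/after listings above: an audit function that lists the services inetd will still start, and a hardening function that comments out every service not on an explicit allow-list so the result can be diffed against the backup copy before inetd is sent a HUP. The sample inetd.conf and the allow-list are constructed for the demo.

```shell
#!/bin/sh
# Audit and harden an inetd.conf. SAMPLE_INETD is a constructed file,
# modelled on the "before hardening" listing; the allow-list "echo" is an
# assumption that mirrors the "after hardening" slide.

SAMPLE_INETD='# Ftp and telnet are standard Internet services.
ftp     stream  tcp  nowait  root    /usr/sbin/in.ftpd      in.ftpd
telnet  stream  tcp  nowait  root    /usr/sbin/in.telnetd   in.telnetd
shell   stream  tcp  nowait  root    /usr/sbin/in.rshd      in.rshd
finger  stream  tcp  nowait  nobody  /usr/sbin/in.fingerd   in.fingerd
echo    stream  tcp  nowait  root    internal
100232/10 tli   rpc/udp wait root    /usr/sbin/sadmind      sadmind'

# Print "service user server" for every active (uncommented) entry on stdin.
# Field 5 is the account the server runs as, field 6 the program (or internal).
list_active() {
    awk '!/^[[:space:]]*#/ && NF >= 6 { print $1, $5, $6 }'
}

# Number of active services; a hardened box drives this toward zero.
count_active() {
    list_active | wc -l | tr -d ' '
}

# Comment out every active entry whose service name is not in $1
# (space-separated allow-list). Comments and blank lines pass through.
harden_inetd() {
    awk -v keep="$1" '
        BEGIN { n = split(keep, k, " "); for (i = 1; i <= n; i++) allow[k[i]] = 1 }
        /^[[:space:]]*#/ || NF < 6 { print; next }
        ($1 in allow)              { print; next }
                                   { print "#" $0 }'
}

# Demo on the constructed sample: keep only echo, as on the "after" slide.
printf '%s\n' "$SAMPLE_INETD" | harden_inetd "echo" | list_active
```

On a real host the pipeline would be `harden_inetd "echo" < inetd.conf.old > inetd.conf`, followed by a diff of the two files and then the kill -HUP from the slide.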
Service removal - NFS
NFS - the Network File System daemons
• Configuring this IS the No. 2 major hardening task
• Controlled by /etc/dfs/dfstab, which controls what is exported (i.e. shared, in Bill-Gates-speak)
• If not needed, none of the daemons should be started: /etc/rc3.d/S15nfs.server
To modify a share to limit access to certain machines:
• # vi /etc/dfs/dfstab
• Change the share statement from
share -F nfs -d "apps" /apps
to
share -F nfs -o rw=192.9.200.1 -d "apps" /apps
Service removal - NFS
• AIX - /etc/exports
• HPUX - /etc/exports
Service removal - NFS (2)
Identify the Network File System daemons
# ps -ef   then note the processes (marked <)
     UID   PID  PPID  C    STIME TTY      TIME CMD
    root   108     1  0   Dec 22 ?        0:00 /usr/sbin/rpcbind
    root 21787 21784  0 10:03:51 pts/1    0:00 ps -ef
    root   110     1  0   Dec 22 ?        0:00 /usr/sbin/keyserv
    root   146     1  0   Dec 22 ?        0:00 /usr/lib/nfs/lockd           <
    root   144     1  0   Dec 22 ?        0:00 /usr/lib/nfs/statd           <
    root   161     1  0   Dec 22 ?        0:08 /usr/lib/autofs/automountd
    root   199     1  0   Dec 22 ?        0:00 /usr/lib/lpsched
    root   269     1  0   Dec 22 ?        0:04 /usr/lib/snmp/snmpdx -y -c /etc/snmp/conf
    root   296   269  0   Dec 22 ?        0:00 mibiisa -p 32790
    root   284     1  0   Dec 22 ?        0:00 /usr/lib/dmi/snmpXdmid -s avon
    root   294   291  0   Dec 22 ?        0:03 /usr/lib/saf/ttymon
    root   288     1  0   Dec 22 ?        0:00 /usr/dt/bin/dtlogin -daemon
    root 13496     1  0   Jan 15 ?        0:13 /usr/lib/sendmail -bd -q15m
    root 17075     1  0   Jan 19 ?        0:34 /usr/sbin/in.named
Also remove: nfsd, mountd, biod
Service removal
Generally, you should not start unnecessary daemons. These may include:
• SNMP = /usr/lib/snmp/snmpdx and mibiisa
• RPC = /usr/sbin/rpcbind
Check what is registered and listening with rpcinfo -p and netstat -an
• AIX - portmap
Service removal (2)
• lpsched
• routed
• vold
Security settings
• /etc/passwd - check permissions, ensure integrity and that locked accounts have a shell of /bin/false
• /etc/shadow and /etc/group - check permissions and ensure integrity
• /etc/default/login - restrict root access to the console by setting:
  CONSOLE=/dev/console
  PASSREQ=YES
• AIX - /etc/security/user or /etc/security/login
• HPUX - /etc/securetty
• /etc/default/inetinit - TCP initial sequence number generation:
  TCP_STRONG_ISS=2
Security settings
Solaris - IP stack settings (recommended values shown)
# ndd -get /dev/ip ip_forward_directed_broadcasts
0
# ndd -get /dev/ip ip_forward_src_routed
0
# ndd -get /dev/ip ip_ignore_redirect
1
# ndd -get /dev/ip ip_respond_to_address_mask_broadcast
0
# ndd -get /dev/ip ip_respond_to_echo_broadcast
0
# ndd -get /dev/ip ip_respond_to_timestamp
0
# ndd -get /dev/ip ip_send_redirects
0
# ndd -get /dev/tcp tcp_rev_src_routes
0
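Added example, not from the original slides: a drift check that compares the IP stack tunables against the recommended values listed above and prints the 'ndd -set' commands needed to bring a host back into line. The expected-value table is the slide's; the "current" values are constructed for an offline demo, where on a real Solaris host they would be collected with 'ndd -get'.

```shell
#!/bin/sh
# Compare Solaris ndd tunables with the recommended values and print fixes.
# EXPECTED is taken from the slide; SAMPLE_CURRENT is constructed with two
# deviations (redirects accepted, timestamp requests answered).

EXPECTED='/dev/ip ip_forward_directed_broadcasts 0
/dev/ip ip_forward_src_routed 0
/dev/ip ip_ignore_redirect 1
/dev/ip ip_respond_to_address_mask_broadcast 0
/dev/ip ip_respond_to_echo_broadcast 0
/dev/ip ip_respond_to_timestamp 0
/dev/ip ip_send_redirects 0
/dev/tcp tcp_rev_src_routes 0'

SAMPLE_CURRENT='/dev/ip ip_forward_directed_broadcasts 0
/dev/ip ip_forward_src_routed 0
/dev/ip ip_ignore_redirect 0
/dev/ip ip_respond_to_address_mask_broadcast 0
/dev/ip ip_respond_to_echo_broadcast 0
/dev/ip ip_respond_to_timestamp 1
/dev/ip ip_send_redirects 0
/dev/tcp tcp_rev_src_routes 0'

# Read "device parameter value" lines on stdin and print one line per
# deviation as "device parameter current expected".
report_drift() {
    awk -v expected="$EXPECTED" '
        BEGIN {
            n = split(expected, lines, "\n")
            for (i = 1; i <= n; i++) { split(lines[i], f, " "); want[f[1] " " f[2]] = f[3] }
        }
        NF == 3 {
            key = $1 " " $2
            if ((key in want) && $3 != want[key]) print key, $3, want[key]
        }'
}

# Number of deviating tunables (zero on a compliant host).
count_drift() {
    report_drift | wc -l | tr -d ' '
}

# The ndd -set commands that would correct each deviation.
remediation_commands() {
    report_drift | awk '{ print "ndd -set", $1, $2, $4 }'
}

# Demo on the constructed state. On a live host collect the values with e.g.
#   for p in ip_ignore_redirect ...; do echo "/dev/ip $p $(ndd -get /dev/ip $p)"; done
printf '%s\n' "$SAMPLE_CURRENT" | remediation_commands
```

Note that ndd -set changes are lost at reboot, so the same commands belong in a start-up script as well.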
Security settings
AIX - IP stack settings
$ no -o ipforwarding
$ no -o ipsendredirects
$ no -o nonlocsrcroute
$ no -o subnetsarelocal
Default permissions - keeping files tight
• The umask determines the default permissions for newly created files
• Normally set in /etc/default/login or /etc/profile
• 3 digits such as 077 or 022
$ umask 022
$ > testfile
$ ls -l testfile
-rw-r--r--   1 root     sys            0 Jan  6  2000 testfile
File permissions
Important categories:
• System start-up scripts
• System configuration files
• Home directories
• Cron
• /dev, especially kmem or drum
• /proc
• All other files
File permissions - System start-up scripts
Unix start-up sequence:
• System boots and loads the kernel
• The kernel forks to create init, pid 1
• init reads /etc/inittab and runs any programs specified
• In Solaris / HPUX 10, it then runs the scripts /etc/rc[0-5].d/*
• In AIX / HPUX 8-9, it then runs the scripts (e.g. /etc/rc.tcpip) as defined in step 3
If a hacker can add a command to either /etc/rc[0-5].d/* or /etc/inittab, they will be able to update any file on the system
File permissions - System configuration files
A selection of key files and what a hacker might do to them:
• /etc/hosts.equiv - add "+ +" to the file
• /etc/hosts - change the address of a host
• /etc/pam.conf - change authentication (Solaris only)
• /etc/inetd.conf - add a new service
• /etc/profile - add "chmod 777 /etc/shadow"
• /etc/nsswitch.conf - change name resolution / authentication
• /etc/resolv.conf - change the name server (could affect trusted hosts)
• /etc/passwd - change a uid to 0
• /etc/shadow - change the root password
File permissions - home directories
Important files to look at:
• .rhosts
• .profile
• .kshrc
• .netrc
• .login
• .logout
• .exrc
File permissions - general
Things to look for:
• Set-uid files
• Set-gid files
• World-writable files
• World-writable directories
File permissions
• utmp and utmpx with world write permission
• Files with no user associated with them
• Files with no group associated with them
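Added example, not from the original slides, covering the two "things to look for" slides above: the set-uid/set-gid, world-writable and orphaned-file sweeps as functions over a directory tree, so they can be pointed at / on a real host. The scratch tree and its file names are constructed for the demo.

```shell
#!/bin/sh
# File-permission sweeps from the slides, as functions over a tree.
# demo_tree builds a constructed scratch tree that triggers each finding.

# Set-uid / set-gid programs: review each, remove the bit if not needed.
find_setid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print | sort
}

# World-writable files and directories. A sticky (1777) directory such as
# /tmp is excluded: there only the owner can remove or rename entries.
find_world_writable() {
    find "$1" ! -type l -perm -0002 ! \( -type d -perm -1000 \) -print | sort
}

# Files owned by no account in /etc/passwd or no group in /etc/group
# (left behind when an account is removed; a later account reusing the
# uid silently inherits them).
find_orphaned() {
    find "$1" \( -nouser -o -nogroup \) -print | sort
}

# Build a scratch tree with one example of each finding; print its path.
demo_tree() {
    t=$(mktemp -d)
    mkdir "$t/bin" "$t/tmp" "$t/shared"
    : > "$t/bin/suid_tool"; chmod 4755 "$t/bin/suid_tool"   # set-uid
    : > "$t/bin/sgid_tool"; chmod 2755 "$t/bin/sgid_tool"   # set-gid
    : > "$t/shared/notes";  chmod 0666 "$t/shared/notes"    # world-writable file
    chmod 0777 "$t/shared"                                  # world-writable dir
    chmod 1777 "$t/tmp"                                     # sticky: not reported
    echo "$t"
}

count_lines() { wc -l | tr -d ' '; }

T=$(demo_tree)
echo "== set-uid / set-gid ==";  find_setid "$T"
echo "== world-writable ==";     find_world_writable "$T"
echo "== no owner / no group =="; find_orphaned "$T"
rm -rf "$T"
```

On a production host run the three sweeps against / with -xdev added to stay off network mounts, and keep the output under version control so the next run can be diffed against it.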
Radical hardening
• Remove set-uid root bits where possible
• Remove gcc or cc
• Mount file systems read-only
• Large main memory, small swap
ASET
• Automated Security Enhancement Tool
• Comes with all new Sun operating systems
• Low setting ensures that all system files are set to release values; it reports potential weaknesses but does not make any changes
• Medium setting makes some changes to security settings but does not affect system services
• High setting makes more changes to security settings; security takes precedence over system behaviour
ASET
Tasks that ASET performs:
• System files verification check
• System files check
• User/group check
• System configuration files check
• Environment check
• eeprom check
• Firewall setup
ASET output
# aset -p high
*** Begin Enviroment Check ***
Warning! umask set to umask 022 in /etc/profile - not recommended.
*** End Enviroment Check ***
======= ASET Execution Log =======
ASET running at security level high
Machine = server; Current time = 0114_20:26
aset: Using /usr/aset as working directory
Executing task list ...
        firewall
        env
        sysconf
        usrgrp
        tune
        cklist
        eeprom
All tasks executed. Some background tasks may still be running.
Run /usr/aset/util/taskstat to check their status:
    /usr/aset/util/taskstat [aset_dir]
where aset_dir is ASET's operating directory, currently=/usr/aset.
When the tasks complete, the reports can be found in:
    /usr/aset/reports/latest/*.rpt
ASET output II
You can view them by:
    more /usr/aset/reports/latest/*.rpt
*** Begin Firewall Task ***
IP forwarding already disabled.
IP forwarding already disabled in rc files.
ROUTED daemon already configured to be opaque.
*** End Firewall Task ***
*** Begin System Scripts Check ***
cp: /usr/aset/archives/inetd.conf.arch.high: No space left on device
Cannot archive /etc/inetd.conf. Task skipped!
Task firewall is done.
Task env is done.
Task sysconf is done.
Task usrgrp is done.
ASET output III
*** Begin Tune Task ***
... setting attributes on the system objects defined in /usr/aset/masters/tune.high
*** Begin User And Group Checking ***
Checking /etc/passwd ...
Checking /etc/shadow ...
Warning! Shadow file, line 1, no password:
root::6445::::::
... end user check.
Checking /etc/group ...
... end group check.
*** End User And Group Checking ***
Tripwire
• Monitors file changes, verifies integrity and notifies of any violation on data at rest on network servers
• Identifies attributes such as file size, access flags, write time, file permissions, file additions, deletions, modifications, etc.
• Supports Windows NT4, Win2K, Solaris 2.6, 2.7 and 2.8, AIX 4.3, HP-UX 11.0 and 11i, FreeBSD 4.2 and 4.3 and some Linux flavours
Commercial Applications
• Axent ESM
• CA Unicenter
• Bindview