
Copyright © 2017, Oracle and/or its affiliates. All rights reserved.

Best Practices for keeping your Oracle Solaris workloads secure (CON6298)

Darren J Moffat, Senior Principal Engineer, Oracle Solaris Engineering, October 2017


Safe Harbor Statement

The following is intended to outline our general product direction. It is intended for information purposes only, and may not be incorporated into any contract. It is not a commitment to deliver any material, code, or functionality, and should not be relied upon in making purchasing decisions. The development, release, and timing of any features or functionality described for Oracle’s products remains at the sole discretion of Oracle.


Continuous Security: 3 Axes of Risk need 3 Axes of Control


Threat #1: Stolen privileged user credentials (People)


100% of investigated data breaches involved stolen credentials

Privileged User Access needs more control than a simple 8 character password

Administrators have too many passwords


Source: Mandiant Threat Report, 2015


Oracle Solaris Helps mitigate Credential Abuse/Misuse

Time & Location Based Delegation

Activity-based profiles delivered with Solaris.

Not just a framework

Built in Multi-Factor Authentication

Smartcard & Standards based One Time Password

Secure Remote Audit and Logging


Authentication/Account Management: Core PAM modules

• UNIX pam_unix_{auth,cred,account}
  – Password (using strong hashes)
  – Time/Day based access

• LDAP

• Kerberos

• One Time Password (new in Solaris 11.3 SRU)
  – IETF standards based HOTP or TOTP
  – Compatible with Google Authenticator, Yubikey and many others

• Smartcard pam_pkcs11 + PC/SC + USB CCID (new in Solaris 11.3 SRU)


Control Where & When: Scoping RBAC Profiles

• Qualification of profile assignments to user/host/netgroup
  – LDAP lookup order:
    • Host specific
    • Netgroup specific
    • Unqualified

• Allows granting a user rights on a subset of hosts

• Use in conjunction with Time Based control & Multi-factor

• For example:
  – Network Management only granted Mon-Fri 9-5 on development hosts
  – Require use of Password + OTP


Authentication

• Authentication policy set per system:
  – /etc/security/policy.conf: PAM_POLICY=ldap

• Per user authentication policy overrides
  – Policy stored with RBAC data

# usermod -S ldap -K pam_policy=krb5 darrenm
# usermod -S ldap -q @prod_db_hosts -K pam_policy=otp darrenm
# usermod -S ldap -q @dev_web_hosts -K pam_policy=unix darrenm


Granting administrator rights

Directly assigned to users, an alternative to using shared account roles.

# usermod -S ldap -q @dev -K profiles+="Network Management" darrenm
$ pfexec ipadm create-addr …

# usermod -K auth_profiles+="Network Management" darrenm
$ ipadm create-addr …
Re-authentication by darrenm is required to use profile:
Network Management
(Use ^C to cancel)
Password: ************
OTP Code: ******


Auditing

• First introduced with SunOS 3.5 as an unbundled extra

• On by default in Solaris 11

• Events generated by privileged programs, syscalls, kernel subsystems

• Events grouped into Classes

• Upload events to Oracle Audit Vault, or send binary trail over secure transport or use syslog

• Session Annotation (at login and privilege elevation) planned for 11.4

Who, What, When, Where, Why


Threat #2: Unpatched and misconfigured systems (Platform)


99.9% of the exploited vulnerabilities were compromised more than a year after the CVE was published


Source: Verizon Data Breach Investigations Report, 2015


Exploited Vulnerabilities Compromised

74% of organizations take 3 months or more to patch

Source: Verizon Data Breach Investigations Report, 2015; IIOUG Data Security Survey, 2014


Install Compliant Minimized Oracle Solaris

• If it isn't installed:
  – You don't need to patch the security vulnerabilities
  – Your auditor won't get false positives on versions
  – It can't be configured in a non-compliant way

• Group packages as starting points
  – Add only what you need
  – Packages removed from a group stay removed unless required in future for a dependency
  – Better to start small & add than start big & remove

• Signed packages using secure transport from boot loader onwards

• pkg:/group/system/solaris-minimal-server – Minimal supported installation

• pkg:/group/system/solaris-small-server – Adds major features such as Oracle Solaris Zones

• pkg:/group/system/solaris-large-server – Adds most features including automated installer, many more services

• pkg:/group/prerequisite/oracle/oracle-rdbms-server-12-1-preinstall – Oracle Database dependencies

• pkg:/group/prerequisite/oracle/oracle-ebs-server-R12-preinstall – Oracle E-Business Server R12 dependencies


One Step Security Patching

# pkg update solaris-11-cpu@latest

The solaris-11-cpu IPS package contains the CVE number to package version mapping.

Integrated with Compliance Reporting


Simple Administration: a major financial customer's experience patching Oracle Solaris vs. Red Hat

[Chart: Machines/Administrator – Red Hat Enterprise Linux: 250; Solaris 11 with 1-Step Security Patching: 4000 (16X)]


Exploit Mitigation: Introduction

• Prevent or reduce the ability of an attacker to take advantage of a bug

• Study attackers' techniques, deploy countermeasures

• Tradeoff between performance, usability and security

• Not all scenarios/mitigations are the same
  – Some require hardware support
  – Others require compiler support
  – The best are runtime defences the OS gives you without performance impact
  – NONE are foolproof


Exploit Mitigation: Architectural features

• Support of architecture-provided protections
  – Intel SMEP (Supervisor Mode Execution Prevention)
  – SPARC fully separated user/kernel address space

• Reduced kernel information leaking
  – /proc wchan, netstat socket addresses, modinfo module addresses…

• Per process/binary software mitigations


Exploit mitigation features: sxadm(8)

• NXSTACK – Non Executable Stack: been around since Solaris 2.6 but now controlled via sxadm(8). Now on by default. Tag at build time with: -z nxstack=enable|disable

• NXHEAP – Non Executable Heap: new in 11.3, not enabled system wide by default since there are a small number of legitimate uses for an executable heap. Tag binaries at build time with: -z nxheap=enable|disable

• ASLR – Address Space Layout Randomisation: added in 11.1. Not enabled system wide by default.

• sxadm delcust – go back to vendor delivered defaults

• Install time policy: svccfg extract security-extensions


Silicon Secured Memory – available in Oracle SPARC S7, T7, M7, T8, M8 systems

• First hardware based memory protection

• Stops attackers from accessing application memory inappropriately

• Always on without compromise

• Improved efficiency & more secure and higher available applications

• Compatible with current applications

• Public API in libadi or system allocator

[Figure: M7 Processor checking pointers "A" and "B" (GO) and pointer "Y" against Application Memory]


Oracle SPARC Exploit Mitigation with SSM planned for 11.4

• ADISTACK – Non Executable Stack: automatic detection of buffer overflows that overwrite the register save area of a stack frame when the save area contains valid contents.

• ADIHEAP – Non Executable Heap: heap allocators (such as malloc() in libc) may use this feature to reliably detect adjacent buffer overflows and statistically defend against stray pointers and use-after-free.

• Kernel ADI – Kernel heap memory and buffer tag protection. Cannot be disabled, so it does not show up in sxadm.
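To make the ADI mechanism behind ADIHEAP concrete, here is an added toy simulation in Python; it is not libadi, the Solaris allocator or any Oracle code. It follows the ADI model as publicly described for SPARC M7 and later processors: memory is tagged in 64-byte granules with a 4-bit version, a pointer carries its version in bits 63:60, and a load or store traps when the two disagree. The `TaggedHeap` class, its bump allocator and the rule that a new block's version differs from its neighbour's are assumptions of this example, as is the retagging on free.

```python
import random


class TagMismatch(Exception):
    """Where real ADI hardware would raise a version-mismatch trap."""


class TaggedHeap:
    """Toy ADI-style heap (assumption: 4-bit version per 64-byte granule, version in
    pointer bits 63:60; every byte access compares pointer version with memory version)."""

    GRANULE = 64
    ADDR_MASK = (1 << 60) - 1

    def __init__(self, size: int = 4096, seed: int = 7) -> None:
        self.mem = bytearray(size)
        self.tags = [0] * (size // self.GRANULE)   # version per granule; 0 = never allocated
        self.live = {}                              # base address -> number of granules
        self.bump = 0                               # simple bump allocator, no reuse
        self.rng = random.Random(seed)

    @classmethod
    def _split(cls, ptr: int):
        return ptr >> 60, ptr & cls.ADDR_MASK

    def malloc(self, n: int) -> int:
        granules = max(1, -(-n // self.GRANULE))   # round up to whole granules
        base, first = self.bump, self.bump // self.GRANULE
        if first + granules > len(self.tags):
            raise MemoryError("toy heap exhausted")
        # Choose a version different from the granule before this block, so an overflow
        # out of the previous allocation lands in differently tagged memory.
        prev = self.tags[first - 1] if first else 0
        version = self.rng.choice([v for v in range(1, 16) if v != prev])
        for g in range(first, first + granules):
            self.tags[g] = version
        self.live[base] = granules
        self.bump = (first + granules) * self.GRANULE
        return (version << 60) | base               # tagged pointer

    def free(self, ptr: int) -> None:
        version, base = self._split(ptr)
        first = base // self.GRANULE
        if base not in self.live or self.tags[first] != version:
            raise TagMismatch("free() with a stale or forged pointer")
        # Retag the freed memory so any dangling pointer stops matching (use-after-free).
        stale = self.rng.choice([v for v in range(1, 16) if v != version])
        for g in range(first, first + self.live.pop(base)):
            self.tags[g] = stale

    def _check(self, addr: int, version: int) -> None:
        if self.tags[addr // self.GRANULE] != version:
            raise TagMismatch(f"access at {addr:#x}: pointer version {version}, "
                              f"memory version {self.tags[addr // self.GRANULE]}")

    def store(self, ptr: int, offset: int, data: bytes) -> None:
        version, base = self._split(ptr)
        for i, byte in enumerate(data):             # byte by byte: traps at the first bad byte
            self._check(base + offset + i, version)
            self.mem[base + offset + i] = byte

    def load(self, ptr: int, offset: int, length: int) -> bytes:
        version, base = self._split(ptr)
        for i in range(length):
            self._check(base + offset + i, version)
        return bytes(self.mem[base + offset:base + offset + length])


def adjacent_overflow_detected() -> bool:
    """65 bytes written through a 64-byte allocation cross into the neighbour's granule."""
    heap = TaggedHeap()
    a, b = heap.malloc(64), heap.malloc(64)
    heap.store(a, 0, b"A" * 64)                     # in bounds: allowed
    try:
        heap.store(a, 0, b"A" * 65)                 # byte 64 belongs to b
    except TagMismatch:
        return heap.load(b, 0, 1) == b"\x00"        # trapped before b was modified
    return False


def use_after_free_detected() -> bool:
    heap = TaggedHeap()
    p = heap.malloc(32)
    heap.store(p, 0, b"secret")
    heap.free(p)
    try:
        heap.load(p, 0, 6)                          # dangling pointer carries a stale version
    except TagMismatch:
        return True
    return False


def intra_granule_overflow_detected() -> bool:
    """Caveat: a 10-byte allocation owns its whole 64-byte granule, so an overflow that
    stays inside that granule is not caught by tagging alone. Returns False."""
    heap = TaggedHeap()
    p = heap.malloc(10)
    try:
        heap.store(p, 0, b"B" * 64)
    except TagMismatch:
        return True
    return False
```

The third function is the caveat worth remembering when reading "reliably detect adjacent buffer overflows": detection is at granule granularity, so an allocator that wants to catch small overflows has to pad allocations out to the granule boundary or combine tagging with its own redzones. Use-after-free and stray-pointer detection are probabilistic in the same way: with 15 usable versions, a reused or forged pointer matches by chance about one time in fifteen.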


Continuous Security Protection

Tamper Resistant Immutable Systems
  – Reduce risk of establishing a foothold
  – Prevent administrator mistakes
  – Update even though it's un-writable by admin users and applications

Tamper Evident Software
  – Firmware to Applications
  – Install only known, trusted software
  – Verified Boot


Immutable System

• Lock down a system with preconfigured security profiles

• Trusted Services via SMF planned for 11.4

Profiles:
  – Strict: full read-only root file system, log and audit remotely
  – Fixed Configuration: write to most of /var, local audit/log trail
  – Flexible: modify configuration, binaries still read-only
  – Dynamic-zones: as Fixed but allows add/remove of zones


Lifecycle: Immutable Zones Example

# zonecfg -z myzone 'set file-mac-profile=fixed-configuration'
# zoneadm -z myzone boot
# zlogin myzone
[Connected to zone 'myzone' pts/3]
myzone# rm /etc/passwd
rm: /etc/passwd: override protection 644 (yes/no)? y
rm: /etc/passwd not removed: Read-only file system
myzone# pkg install emacs
pkg install: Could not complete the operation on /var/pkg/lock: read-only filesystem.


Sandboxing Applications: Control Privileged and Non Privileged Applications

• File read & write privileges take pathnames
  – {file_write}:/var/log/my-app-errors.log

• net_privaddr: port number ranges and protocol
  – {net_privaddr}:443/tcp

• proc_setid: username or uid range

• proc_exec: pathname

• File and proc_exec can use wildcards in the last path component, e.g.:
  – {proc_exec}:/usr/bin/*


My auditor says delete all the setuid root programs! Sandboxing setuid root programs

• The setuid bit for a root owned file is now just a marker

• Kernel upcalls to pfexecd asking for privilege specification

• Examples:

Forced Privilege:solaris:cmd:RO::/usr/lib/utmp_update:\
privs={zone}\:/system/volatile/utmp*

Forced Privilege:solaris:cmd:RO::/usr/sbin/ping:\
privs=net_icmpaccess,sys_ip_config

Forced Privilege:solaris:cmd:RO::/usr/sbin/traceroute:\
privs=net_icmpaccess,net_rawaccess

Forced Privilege:solaris:cmd:RO::/usr/sbin/whodo:privs=proc_owner
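The following added Python example (not Solaris code, and not the kernel's or pfexecd's own policy engine) parses the Forced Privilege entries above in exec_attr format and evaluates extended privilege specifications of the `{priv}:object` form from the Sandboxing Applications slide: pathname objects with a wildcard honoured only in the last component, `port[-port]/proto` for net_privaddr, and a user name or uid range for proc_setid. The exact matching rules, the treatment of the `{zone}` set name as "every privilege", and the sample exec_attr text are this example's assumptions, modelled on the syntax shown on the page.

```python
import fnmatch
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample in exec_attr format, built from the Forced Privilege lines on this
# page: a trailing backslash continues the line, "\:" is a literal colon inside a field.
EXEC_ATTR_SAMPLE = r"""
Forced Privilege:solaris:cmd:RO::/usr/lib/utmp_update:\
privs={zone}\:/system/volatile/utmp*
Forced Privilege:solaris:cmd:RO::/usr/sbin/ping:\
privs=net_icmpaccess,sys_ip_config
Forced Privilege:solaris:cmd:RO::/usr/sbin/traceroute:\
privs=net_icmpaccess,net_rawaccess
Forced Privilege:solaris:cmd:RO::/usr/sbin/whodo:privs=proc_owner
"""

# Assumption of this model: these set names inside braces stand for every privilege.
SET_NAMES = {"zone", "all"}

@dataclass
class ExtPriv:
    privs: Set[str]        # privilege names (or a set name) inside the braces
    obj: Optional[str]     # object after the colon; None for an unrestricted privilege

    def covers(self, priv: str) -> bool:
        return priv in self.privs or bool(self.privs & SET_NAMES)

@dataclass
class ExecAttrEntry:
    name: str
    policy: str
    kind: str
    path: str
    privs: List[ExtPriv]

    def grants(self, priv: str, obj: Optional[str] = None) -> bool:
        return sandbox_allows(self.privs, priv, obj)

def join_continuations(text: str) -> List[str]:
    out, buf = [], ""
    for raw in text.splitlines():
        if raw.endswith("\\"):
            buf += raw[:-1]
            continue
        if (buf + raw).strip():
            out.append(buf + raw)
        buf = ""
    return out

def split_fields(line: str, n: int) -> List[str]:
    """Split on the first n unescaped colons; a backslash escapes the next character."""
    fields, cur, i = [], "", 0
    while i < len(line):
        if line[i] == "\\" and i + 1 < len(line):
            cur, i = cur + line[i + 1], i + 2
        elif line[i] == ":" and len(fields) < n:
            fields, cur, i = fields + [cur], "", i + 1
        else:
            cur, i = cur + line[i], i + 1
    return fields + [cur]

PRIV_TOKEN = re.compile(r"\{([^}]*)\}:([^,]+)|([^,{}:]+)")

def parse_privs(spec: str) -> List[ExtPriv]:
    """'net_icmpaccess,{file_write}:/var/log/x,{net_privaddr}:443/tcp' -> ExtPriv list."""
    return [ExtPriv({plain.strip()}, None) if plain
            else ExtPriv({p.strip() for p in inner.split(",")}, obj.strip())
            for inner, obj, plain in PRIV_TOKEN.findall(spec)]

def parse_exec_attr(text: str) -> List[ExecAttrEntry]:
    entries = []
    for line in join_continuations(text):
        name, policy, kind, _res1, _res2, path, attr = split_fields(line, 6)
        privs: List[ExtPriv] = []
        for kv in attr.split(";"):                   # attr field is key=value;key=value
            key, _, value = kv.partition("=")
            if key.strip() == "privs":
                privs = parse_privs(value)
        entries.append(ExecAttrEntry(name, policy, kind, path, privs))
    return entries

def object_matches(priv: str, spec: Optional[str], requested: Optional[str]) -> bool:
    if spec is None:                     # plain privilege: no object restriction
        return True
    if requested is None:                # restricted privilege but no object named
        return False
    if priv == "net_privaddr":           # "443/tcp" or "8000-8100/tcp"
        ports, _, proto = spec.partition("/")
        port, _, rproto = requested.partition("/")
        lo, _, hi = ports.partition("-")
        return proto == rproto and int(lo) <= int(port) <= int(hi or lo)
    if priv == "proc_setid":             # user name, or numeric uid range "1000-1999"
        if spec.replace("-", "").isdigit() and requested.isdigit():
            lo, _, hi = spec.partition("-")
            return int(lo) <= int(requested) <= int(hi or lo)
        return spec == requested
    # file_* and proc_exec: pathnames; a wildcard is only honoured in the last component
    sdir, _, sbase = spec.rpartition("/")
    rdir, _, rbase = requested.rpartition("/")
    return sdir == rdir and fnmatch.fnmatchcase(rbase, sbase)

def sandbox_allows(privs: List[ExtPriv], priv: str, obj: Optional[str] = None) -> bool:
    return any(ep.covers(priv) and object_matches(priv, ep.obj, obj) for ep in privs)
```

Reading the entries this way makes the point of the slide visible: the utmp_update entry hands the program every privilege, but only against files under /system/volatile whose name starts with utmp, while ping and traceroute get exactly the two network privileges each needs and nothing that would let them touch files or other processes.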


Compliance Reporting: Why Solaris Compliance reporting?

• Auditors want comprehensive reports
  – Don't always have deep knowledge of OS, Application, Deployment Context
  – Auditors often use tools which use the wrong interfaces for the OS release

• Configuration reporting is a low value activity for expensive staff

• Provide correct compliance check interfaces for the OS release

• Provide vendor interpretation of security controls (> 200 checks in 11.3)

• Don't force customers to use 3rd party products
  – Integrate with them using standard data formats: SCAP/OVAL/XCCDF

• Integrates with Oracle Enterprise Manager Compliance Pack


Simple, Tailor-able Compliance Reporting


Threat #3: Direct data access (Data)


[Chart: IT Layers Most Vulnerable To Attacks – values 52%, 34%, 11%, 4%; layers listed: Database, Network, Application, Middleware]

[Chart: Allocation of Resources To Secure IT Layer – values 67%, 15%, 15%, 3%; layers listed: Database, Network, Application, Middleware]

Source: CSO Online MarketPulse, 2013

Network Security is Not Enough: Protect the Data!


Data at Rest Encryption with ZFS

• High Performance hardware accelerated crypto on SPARC & Intel platforms

• FIPS 140-2 validated cryptography

• ZFS Online key wrapping key and data key change

• ZFS encryption works with compression and deduplication

• All ZFS filesystem data & metadata encrypted

• Available in Solaris & Oracle ZFS Storage Appliance


Standards Based Key Management: KMIP

• Key Management Interoperability Protocol
  – Standardised by OASIS
  – Several Oracle product groups are active participants or hold key roles

• Delivered in Solaris 11.3 SRU
  – libkmip, pkcs11_kmip, kmipcfg

• Provides integration to Oracle Key Vault (OKV) for Solaris
  – e.g. ZFS data set encryption & Oracle Database TDE wrapping keys in OKV
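An added Python example (not ZFS, KMIP or Oracle code) of the two-level key hierarchy that the "online key wrapping key and data key change" bullet on the ZFS slide relies on and that the KMIP/OKV integration above wraps keys for: data blocks are encrypted under random data keys, and only the keychain of data keys is encrypted under the wrapping key a user or a key server supplies. The cipher here is a stand-in built from HMAC-SHA256 in counter mode with encrypt-then-MAC, not the AES modes ZFS uses; `EncryptedDataset`, its 32-byte keys and the keychain layout are this example's assumptions.

```python
import hashlib
import hmac
import os
import struct


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive separate encryption and MAC keys from one key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF keystream (stand-in for AES-CTR)."""
    blocks = (hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range(-(-length // 32)))
    return b"".join(blocks)[:length]


def seal(key: bytes, plaintext: bytes, nonce: bytes = None) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC tag, fresh random nonce per call."""
    nonce = os.urandom(16) if nonce is None else nonce
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; fail closed on a wrong key."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong wrapping/data key or tampered data")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


class EncryptedDataset:
    """Model of a ZFS-like encrypted dataset (assumed layout): data keys live in a
    keychain, the keychain is wrapped under the wrapping key, and each block records
    which data key encrypted it so a data key change only affects new writes."""

    KEY_LEN = 32

    def __init__(self, wrapping_key: bytes) -> None:
        self.keychain = [os.urandom(self.KEY_LEN)]   # loaded data keys; last one is current
        self.wrapped = seal(wrapping_key, b"".join(self.keychain))
        self.blocks = {}                              # name -> (key index, ciphertext)

    def _unlock(self, wrapping_key: bytes) -> list:
        raw = open_sealed(wrapping_key, self.wrapped)
        return [raw[i:i + self.KEY_LEN] for i in range(0, len(raw), self.KEY_LEN)]

    def write(self, name: str, data: bytes) -> None:
        idx = len(self.keychain) - 1
        self.blocks[name] = (idx, seal(self.keychain[idx], data))

    def read(self, name: str, wrapping_key: bytes) -> bytes:
        idx, ct = self.blocks[name]
        return open_sealed(self._unlock(wrapping_key)[idx], ct)

    def change_wrapping_key(self, old: bytes, new: bytes) -> None:
        """Online wrapping key change: rewrap the keychain, touch no data block."""
        self.wrapped = seal(new, b"".join(self._unlock(old)))

    def change_data_key(self, wrapping_key: bytes) -> None:
        """Data key change: a new key for future writes, old keys kept for existing blocks."""
        self.keychain = self._unlock(wrapping_key) + [os.urandom(self.KEY_LEN)]
        self.wrapped = seal(wrapping_key, b"".join(self.keychain))
```

This is why a wrapping-key rotation (a new passphrase, or a new key held in OKV) costs a single small rewrap rather than a rewrite of the pool, and why a compromised wrapping key is revoked by rewrapping the keychain rather than by re-encrypting data; a data key change protects only data written after it, so old blocks stay under the old data key until they are rewritten.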


Install and Maintain Security & Compliance: Traditional or DevOps Deployment

• Develop & Test (VM)

• Lock Down (read-only Oracle Solaris Zones)

• Create Unified Archive

• Securely Deploy into Production

• Generate Reports for Compliance


Leading crypto performance. Easiest to use, best integrated security, compliance and data protection. Combined with best of breed open source security tools. Compliance auditor friendly.

All supported at least until 2034.
