
(Tito Cordero)

(DSS Irving Field Office)

(14 December 2005)

Defense Security Service (Unix Security Guide)

Solaris Workshop

December 2005 Solaris Workshop

2

(Introduction)

• Purpose
– To provide descriptions on how to implement security features within the Solaris Unix platform
– Implement systems certification of the National Security Information at Protection Level 1 or Protection Level 2
– Provide the Information System Security Manager with oversight of NISPOM and Chapter 8 requirements within the UNIX platform

3

(Audit)

• Audit Capability
– Set the system time:
• # date mmddHHMM[[cc]yy] (see the Solaris manual page for the date command)
• # man date
• Master time server and slaves:
• Ensure that the system designated to act as master time server has the correct time.
• To synchronize the time on a time slave system with the designated master system, issue the command
• # rdate <designated_master>

4

(Audit)

• To continually synchronize the slave system to the master, add the following lines to the crontab file:
# each hour, on the hour, run rdate to synchronize with the master
#
0 * * * * rdate <designated_master>

If the system time is not set to the US Central Time Zone, what is the offset from Greenwich Mean Time? (US Central is GMT -6.)

5

(relevant logged events)

• The following files and directories are the locations of security-relevant logged events:
– /var/adm/wtmpx, /var/adm/utmpx – Binary files recording all logins, logouts, and system reboots. The “last” command is used to display the contents.
– /var/adm/LOGINLOG – Failed login log. If this file exists, the login utility will log all failed logins here.
– /var/adm/sulog – This file contains both successful and failed attempts to use the su (switch user) command. It will show persons accessing an account which they are not authorized to access.

6

(relevant logged events)

– /etc/security/audit – Directory containing all the auditing records gathered for denial of file access.
– /etc/local/audit – Directory containing all the filtered auditing records gathered for denial of file access.

7

(Basic Security Module)

• To set up system auditing, perform the following steps:
– Sun Solaris Basic Security Module (BSM) provides additional security features that are not supplied in standard SOLARIS. To enable BSM, perform the following steps:
• Login as root
– Bring the system into single-user mode by executing the following commands:
• # sync
• # sync
• # init 0
• # boot -s

8

(Basic Security Module)

• Change directory to /etc/security:
– # cd /etc/security
• Execute the bsmconv script:
– # ./bsmconv
• After running the script, halt the system and reboot into multi-user mode:
– # sync
– # sync
– # init 6 (or reboot)

9

(Basic Security Module)

• Auditing is enabled by starting the audit daemon (auditd). The existence of the /etc/security/audit_startup script, created during the BSM package installation, causes the daemon to run automatically when the system enters multi-user mode. This script automatically configures the event-to-class mappings and sets the audit policies.

10

(Basic Security Module)

• Set the following flags in the /etc/security/audit_control file:
– flags:ad,-fa,-fr,-fw,-fm,-fc,-fd,-cl,lo
• Flags are defined as:
ad administrative Administrative actions: mount, exports, etc.
fa fileattr_acc Access of object attributes: stat, pathconf, etc.
fr file_read Read of data, open for reading, etc.
fw file_write Write of data, open for writing, etc.
fm file_attr_mod Change of object attributes: chown, flock, etc.
fc file_creation Creation of object
fd file_deletion Deletion of object

11

(Basic Security Module)

– cl file_close close(2) system call
– lo login_logout Login and logout events
• A minus sign in front of a flag logs only failures of the described class; no sign logs both successes and failures.
• Make the new data available to the BSM service by either rebooting the system or entering the following command: # audit -s
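A parser for the flags: line described above, added here as an example and not taken from the DSS deck; the audit_control text is a constructed sample and the required-token list is the one the slide prescribes.

```shell
# Added example, not from the DSS deck: parse the flags: line of a Solaris
# audit_control file and report how each audit class is recorded.
# Constructed sample file text using the class list the slide prescribes.
SAMPLE_AUDIT_CONTROL='dir:/etc/security/audit/hostname/files
flags:ad,-fa,-fr,-fw,-fm,-fc,-fd,-cl,lo
minfree:20
naflags:lo'

# Tokens the slide requires, including the failure-only "-" prefix.
REQUIRED_FLAGS='ad -fa -fr -fw -fm -fc -fd -cl lo'

# audit_control_flags: print the value of the flags: line from stdin.
audit_control_flags() {
    awk -F: '/^flags:/ { print $2; exit }'
}

# audit_flag_mode CLASS FLAGLIST -> both | failure | success | absent
# Prefix meaning per the slide: none = successes and failures, "-" = failures
# only; "+" (successes only) is also accepted, as audit_control(4) allows it.
audit_flag_mode() {
    printf '%s\n' "$2" | tr ',' '\n' | awk -v c="$1" '
        $0 == c         { m = "both" }
        $0 == ("-" c)   { m = "failure" }
        $0 == ("+" c)   { m = "success" }
        END             { print (m == "" ? "absent" : m) }'
}

# audit_control_missing FLAGLIST -> print each required token not present
# exactly as prescribed (so "fr" in place of "-fr" is reported, not accepted).
audit_control_missing() {
    for want in $REQUIRED_FLAGS; do
        case ",$1," in
            *",$want,"*) ;;
            *) printf '%s\n' "$want" ;;
        esac
    done
}

# Stand-alone usage: summarise the sample and confirm login events are
# recorded in both directions, which the "lo" slide relies on.
flags=$(printf '%s\n' "$SAMPLE_AUDIT_CONTROL" | audit_control_flags)
echo "flags: $flags"
for c in ad fa lo; do
    echo "$c -> $(audit_flag_mode "$c" "$flags")"
done
missing=$(audit_control_missing "$flags")
[ -z "$missing" ] && echo "all required classes present" || echo "missing: $missing"
```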

12

(logons &logoffs)

• Successful logins, logouts, and system reboots are recorded in the binary files located at:
– /var/adm/utmpx and /var/adm/wtmpx
• The login command will log all login successes and failures via the syslog facility. To redirect these to the file
– /var/adm/LOGINLOG
• add the following lines to
– /etc/syslog.conf

13

(logons &logoffs)

• auth.notice<TAB><TAB><TAB><TAB><TAB>/var/adm/LOGINLOG
• auth.info<TAB><TAB><TAB><TAB><TAB>/var/adm/LOGINLOG
• auth.debug<TAB><TAB><TAB><TAB><TAB>/var/adm/LOGINLOG
• Create the LOGINLOG file to track these notices:
– # touch /var/adm/LOGINLOG
– # chown root:sys /var/adm/LOGINLOG
– # chmod 600 /var/adm/LOGINLOG
• Restart the syslog daemon:
– # /etc/init.d/syslog stop
– # /etc/init.d/syslog start

14

(logons &logoffs)

• Failed logins are logged to the /var/adm/loginlog file after five failed attempts.
• Create the loginlog file to track failed logins:
– # touch /var/adm/loginlog
– # chown root:sys /var/adm/loginlog
– # chmod 600 /var/adm/loginlog
• /var/adm/sulog: This file records all successful and failed attempts to use the su (switch user) command.

15

(logons &logoffs)

• BSM – Adding the flag “lo” to the /etc/security/audit_control file as described above configures the BSM to record both successful and unsuccessful logon/logoff events to the BSM log files in the /etc/security/audit directory.

16

(Blacklist)

• The blocking or blacklisting of a user ID, terminal or access port, and the reason for the action.
• In the file /etc/default/login set
– RETRIES=5
• (Exits the login after RETRIES unsuccessful attempts.)
– SYSLOG_FAILED_LOGINS=5
• (If there are SYSLOG_FAILED_LOGINS consecutive unsuccessful login attempts, each of them will be logged in /var/adm/loginlog, if it exists. Users get at most the minimum of (RETRIES, SYSLOG_FAILED_LOGINS) unsuccessful attempts.)

17

(Blacklist)

– DISABLETIME=300
• (Disables the login for three hundred seconds after SYSLOG_FAILED_LOGINS or RETRIES unsuccessful attempts; the value 300 gives 5 minutes.) (Note: this conflicts if the environment variable TIMEOUT is also set.)
• The five successive login failures will be logged in /var/adm/loginlog, which was configured in prior steps. The terminal port and failure will be logged in /var/adm/LOGINLOG, which was also configured in a prior step.
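The min(RETRIES, SYSLOG_FAILED_LOGINS) rule and the DISABLETIME setting from the two slides above, worked through as an added example that is not from the deck: it reads a constructed /etc/default/login sample and reports the effective lockout policy; the fallback values 5, 5 and 20 used when a variable is absent are assumed here to be the Solaris login defaults.

```shell
# Added example, not from the DSS deck: read RETRIES, SYSLOG_FAILED_LOGINS and
# DISABLETIME from /etc/default/login text and derive the lockout policy the
# slides describe: attempts allowed = min(RETRIES, SYSLOG_FAILED_LOGINS).
# Constructed sample with the slide's values; the commented line must be ignored.
SAMPLE_LOGIN_DEFAULTS='# /etc/default/login (constructed sample)
RETRIES=5
SYSLOG_FAILED_LOGINS=5
#DISABLETIME=20
DISABLETIME=300'

# login_default NAME DEFAULT -> value of NAME from the file text on stdin,
# skipping commented lines; DEFAULT is printed when the variable is absent.
login_default() {
    v=$(awk -F= -v k="$1" '$0 !~ /^[ \t]*#/ && $1 == k { print $2; exit }')
    printf '%s\n' "${v:-$2}"
}

# login_policy FILETEXT -> "attempts=N disabletime=S"
# Fallbacks 5, 5 and 20 are assumed here to be the Solaris login(1) defaults.
login_policy() {
    r=$(printf '%s\n' "$1" | login_default RETRIES 5)
    s=$(printf '%s\n' "$1" | login_default SYSLOG_FAILED_LOGINS 5)
    d=$(printf '%s\n' "$1" | login_default DISABLETIME 20)
    if [ "$r" -le "$s" ]; then n=$r; else n=$s; fi
    printf 'attempts=%s disabletime=%s\n' "$n" "$d"
}

# login_policy_ok FILETEXT -> exit status 0 when the policy meets the slide's
# settings: at most 5 attempts and a lockout of at least 300 seconds.
login_policy_ok() {
    set -- $(login_policy "$1")
    n=${1#attempts=}
    d=${2#disabletime=}
    [ "$n" -le 5 ] && [ "$d" -ge 300 ]
}

# Stand-alone usage against the constructed sample.
login_policy "$SAMPLE_LOGIN_DEFAULTS"
if login_policy_ok "$SAMPLE_LOGIN_DEFAULTS"; then
    echo "lockout policy meets the slide's settings"
else
    echo "lockout policy is weaker than the slide's settings"
fi
```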

18

(Blacklist)

• Denial of access resulting from an excessive number of unsuccessful logon attempts. In SOLARIS, by default and as specifically configured in paragraph 2.1 e above, five attempts are allowed before an attempted login dies. Login failures are reported via the syslog facility.

19

(Audit Trail Protection)

• The contents of audit trails will be protected against unauthorized access, modification, or deletion. Only authorized admin and support personnel will have permissions to access audit trail data. Log files should be owned by root and have a group of sys. With the exception of the messages file, all files should be set to have permissions such that only root can read or write to them. Read on the messages file is allowed for all users, as valuable debugging messages are logged in this file.

20

(Audit Trail Protection)

• /var/adm/messages:
– # chown root:sys /var/adm/messages
– # chmod 644 /var/adm/messages
• /var/adm/loginlog:
– # chown root:sys /var/adm/loginlog
– # chmod 600 /var/adm/loginlog
• /var/adm/LOGINLOG:
– # chown root:sys /var/adm/LOGINLOG
– # chmod 600 /var/adm/LOGINLOG
• /var/adm/sulog:
– # chown root:sys /var/adm/sulog
– # chmod 600 /var/adm/sulog
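A check that each log file carries the owner, group and mode listed above, added here as an example and not part of the deck; it parses ls -ld output rather than relying on GNU stat, and the expected table is the slide's, with the messages mode taken as 644 (world-readable, root-writable) as the previous slide requires.

```shell
# Added example, not from the DSS deck: verify log file ownership and mode
# against the slide's table by parsing ls -ld, which exists on every Unix.
# Constructed expected table: path owner group octal-mode
LOG_PERMS='/var/adm/messages root sys 644
/var/adm/loginlog root sys 600
/var/adm/LOGINLOG root sys 600
/var/adm/sulog root sys 600'

# perm_to_octal rwxr-x--- -> 750 (setuid/setgid/sticky letters count as x)
perm_to_octal() {
    printf '%s\n' "$1" | awk '{
        s = substr($0, 1, 9); out = ""
        for (i = 0; i < 3; i++) {
            v = 0
            if (substr(s, 3 * i + 1, 1) == "r") v += 4
            if (substr(s, 3 * i + 2, 1) == "w") v += 2
            if (substr(s, 3 * i + 3, 1) ~ /[xst]/) v += 1
            out = out v
        }
        print out
    }'
}

# file_perm_line PATH -> "owner group mode", e.g. "root sys 600"
file_perm_line() {
    set -- $(ls -ld "$1")    # -rw------- 1 root sys 0 Dec 14 2005 /path
    printf '%s %s %s\n' "$3" "$4" "$(perm_to_octal "${1#?}")"
}

# check_log_perms ROOTDIR -> one line per file that is missing or deviates;
# ROOTDIR is prefixed to each path so a staging tree can be checked as well.
check_log_perms() {
    printf '%s\n' "$LOG_PERMS" | while read -r path owner group mode; do
        if [ ! -e "$1$path" ]; then
            echo "$path: missing"
            continue
        fi
        got=$(file_perm_line "$1$path")
        [ "$got" = "$owner $group $mode" ] ||
            echo "$path: expected $owner $group $mode, got $got"
    done
}

# Stand-alone usage against the live system (no output means compliant).
check_log_perms ""
```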

21

(Audit Trail Protection)

• /etc/passwd and /etc/shadow:
– The passwd file should be “shadowed” by running the pwconv command. This removes the encrypted passwords from the /etc/passwd file, which is readable by everyone, and places them in /etc/shadow, which is readable only by root. To implement this do the following:
• # pwconv
• # chmod 644 /etc/passwd
• # chmod 600 /etc/shadow

22

(Audit Trail Protection)

• Remove world permissions on the log directory:
– # chmod 640 /etc/security/audit/<hostname>
– # chown root /etc/security/audit/<hostname>
• BSM – Apply required permissions to the audit trail directory/subdirectories/files on the local machine:
– # chmod 640 /etc/security/audit/<hostname>
– # chown root /etc/security/audit/<hostname>

23

(Audit Trail Analysis)

• Audit analysis and reporting will be scheduled and performed at least weekly.

• To review /var/adm/messages:

– more /var/adm/messages

• Or

– view /var/adm/messages

• To review /var/adm/loginlog:

– more /var/adm/loginlog

• Or

– view /var/adm/loginlog

24

(Audit Trail Analysis)

• To review /var/adm/sulog:

– more /var/adm/sulog

• Or

– view /var/adm/sulog

• To review Locked accounts:

– more /etc/shadow

• Or

– view /etc/shadow

• To review login information:

– # last

– # more /var/adm/loginlog

• Or

– # view /var/adm/loginlog

25

(Slide Title)

• Questions

• Now a five minute recess

• Test