
Defense Security Service (Security Guide) Solaris Workshop

Tito Cordero, DSS Irving Field Office, 14 December 2005

December 2005 Solaris Workshop (Introduction)

• Purpose – To describe how to implement security features within the Solaris Unix platform

– Support system certification at National Security Information Protection Level 1 or Protection Level 2

– Give the Information System Security Manager oversight of NISPOM Chapter 8 requirements within the UNIX platform

2 (Audit)

• Audit Capability – Set the system date and time

• # date mmddHHMM[[cc]yy] (see the Solaris manual page for the date command: # man date)
• Master time server and slaves:
• Ensure that the system designated to act as master time server has the correct time.
• To synchronize the time on a time slave system with the designated master system, issue the command (replace <master> with the master time server's host name):
• # rdate <master>

3 (Audit)

• To continually synchronize the slave system to the master, add the following lines to root's crontab (crontab -e); <master> is the master time server's host name. rdate is an unauthenticated protocol, so point it only at the designated master on the protected network:

# each hour, on the hour, run rdate to synchronize with the master
0 * * * * rdate <master>

• If the system time zone (TZ) is not set to US Central Time Zone, what is its offset from Greenwich Mean Time? (US Central Standard Time is GMT -6.)

4 (relevant logged events)

• The following files and directories are the locations of security-relevant logged events:

– /var/adm/wtmpx, /var/adm/utmpx – Binary files recording all logins, logouts, and system reboots. The "last" command displays the contents of wtmpx (and "who" reads utmpx for current sessions).
– /var/adm/loginlog – Failed login log. If this file exists, the login utility records failed login attempts here.
– /var/adm/sulog – Records both successful and failed attempts to use the su (switch user) command, so it shows who is trying to reach accounts they are not authorized to use.

5 (relevant logged events)

– /etc/security/audit – Directory containing the BSM audit records, including the records of denied file access selected by the audit flags. – /etc/local/audit – Directory containing the filtered audit records gathered for denial of file access.

6 (Basic Security Module)

• To set up system auditing, perform the following steps:
– Sun Solaris Basic Security Module (BSM) provides additional security features that are not supplied in standard Solaris. To enable BSM, perform the following steps:
• Log in as root.
– Bring the system into single-user mode by executing the following commands (boot -s is entered at the OpenBoot ok prompt after init 0 halts the system):
• # sync
• # sync
• # init 0
• ok boot -s

7 (Basic Security Module)

• Change directory to /etc/security:
– # cd /etc/security

• Execute the bsmconv script:
– # ./bsmconv

• After running the script, reboot into multi-user mode:
– # sync
– # sync
– # init 6 (or reboot)

8 (Basic Security Module)

• Auditing is enabled by starting the audit daemon (auditd). The existence of the /etc/security/audit_startup script, created during the BSM package installation, causes the daemon to run automatically when the system enters multi-user mode. This script configures the event-to-class mappings (from /etc/security/audit_event) and sets the audit policies.

9 (Basic Security Module)

• Set the following flags line in the /etc/security/audit_control file:
– flags:ad,-fa,-fr,-fw,-fm,-fc,-fd,-cl,lo

• The flags (audit classes, see audit_class(4)) are defined as:
– ad administrative – administrative actions: mount, exports, etc.
– fa file_attr_acc – access of object attributes: stat, pathconf, etc.
– fr file_read – read of data, open for reading, etc.
– fw file_write – write of data, open for writing, etc.
– fm file_attr_mod – change of object attributes: chown, flock, etc.
– fc file_creation – creation of object
– fd file_deletion – deletion of object

10 (Basic Security Module)

– cl file_close – close(2)
– lo login_logout – login and logout events

• A minus sign in front of a flag audits only failures of that class; a plus sign audits only successes; no sign audits both successes and failures.
• Make the new configuration available to the BSM service, either by rebooting the system or by entering the following command: # audit -s
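The flags line above is the part of audit_control that most often drifts from the baseline. The following Bourne-shell functions, added here as an example and not part of the workshop or of Sun's BSM tooling, parse the flags line of an audit_control file and report for each class whether successes, failures or both are selected, then check that a required set of classes audits failures. The sample audit_control is constructed for this example; only the flags line is taken from the slide.

```shell
#!/bin/sh
# Added example (hypothetical helper, not Sun code): parse the flags:
# line of an audit_control file and classify each audit class by the
# outcome it selects.

# Write a constructed sample audit_control to $1 using the flags
# line recommended on the slide.
make_sample_audit_control() {
    cat > "$1" <<'EOF'
# constructed sample /etc/security/audit_control
dir:/etc/security/audit/localhost/files
flags:ad,-fa,-fr,-fw,-fm,-fc,-fd,-cl,lo
minfree:20
naflags:lo
EOF
}

# Print one line per class: "<class> <selection>", where selection
# is failure (leading -), success (leading +) or both (no sign).
# $1 = path of the audit_control file
audit_flag_selection() {
    flags=$(sed -n 's/^flags:[[:space:]]*//p' "$1" | head -n 1)
    [ -n "$flags" ] || { echo "no flags: line in $1" >&2; return 1; }
    echo "$flags" | tr ',' '\n' | while IFS= read -r f; do
        case "$f" in
            -*) echo "${f#-} failure" ;;
            +*) echo "${f#+} success" ;;
            *)  echo "$f both" ;;
        esac
    done
}

# Return 0 if every class named after the file is audited for
# failures (selection failure or both), otherwise report the first
# gap and return 1.  $1 = audit_control path, $2.. = required classes
audit_failures_covered() {
    file=$1; shift
    sel=$(audit_flag_selection "$file") || return 1
    for c in "$@"; do
        echo "$sel" | grep -qE "^$c (failure|both)$" || {
            echo "class $c does not audit failures" >&2
            return 1
        }
    done
    return 0
}
```

Run audit_failures_covered against the live /etc/security/audit_control with the classes the accreditation requires; a non-zero exit means the flags line no longer matches the baseline and audit -s should be run after it is corrected.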

11 (logons &logoffs)

• Successful logins, logouts, and system reboots are recorded in the binary files located at:
– /var/adm/utmpx and /var/adm/wtmpx

• The login command logs all login successes and failures via the syslog facility (facility auth). To redirect these to the file
– /var/adm/LOGINLOG

• add the following lines to
– /etc/syslog.conf

12 (logons &logoffs)

• auth.notice    /var/adm/LOGINLOG
• auth.info      /var/adm/LOGINLOG
• auth.debug     /var/adm/LOGINLOG

• (Separate the selector from the file name with a tab, not spaces; syslogd ignores entries written with spaces. A selector matches its priority and every higher one, so the single auth.debug line already captures notice and info.)

• Create the LOGINLOG file to track these notices:
– # touch /var/adm/LOGINLOG
– # chown root:sys /var/adm/LOGINLOG
– # chmod 600 /var/adm/LOGINLOG

• Restart the syslog daemon (on Solaris 10, svcadm restart system-log):
– # /etc/init.d/syslog stop
– # /etc/init.d/syslog start

13 (logons &logoffs)

• Failed logins are logged to the /var/adm/loginlog file after five consecutive failed attempts (the default value of SYSLOG_FAILED_LOGINS).

• Create the loginlog file to track failed logins – # touch /var/adm/loginlog – # chown root:sys /var/adm/loginlog – # chmod 600 /var/adm/loginlog

• /var/adm/sulog: This file records all successful and failed attempts to use the su (switch user) command.

14 (logons &logoffs)

• BSM – Adding the flag "lo" to the /etc/security/audit_control file as described above configures the BSM to record both successful and unsuccessful logon/logoff events to the BSM log files in the /etc/security/audit directory.

15 (Blacklist)

• The blocking or blacklisting of a user ID, terminal or access port, and the reason for the action.
• In the file /etc/default/login set:
– RETRIES=5

• (login exits after RETRIES unsuccessful attempts.)
– SYSLOG_FAILED_LOGINS=5

• (If there are SYSLOG_FAILED_LOGINS consecutive unsuccessful login attempts, each of them is logged in /var/adm/loginlog, if it exists. Users get at most the minimum of (RETRIES, SYSLOG_FAILED_LOGINS) unsuccessful attempts.)

16 (Blacklist)

– DISABLETIME=300

• (Disables the login for 300 seconds, that is 5 minutes, after SYSLOG_FAILED_LOGINS or RETRIES unsuccessful attempts.) (Note conflicts if is also set.)

• The five successive login failures will be logged in /var/adm/loginlog, which was configured in the prior steps. The terminal port and the failure will also be logged in /var/adm/LOGINLOG, which was configured in a prior step.

17 (Blacklist)

• Denial of access resulting from an excessive number of unsuccessful logon attempts: in Solaris, by default and as specifically configured in paragraph 2.1 e above, five attempts are allowed before an attempted login dies. Login failures are reported via the syslog facility.
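The three /etc/default/login settings above are easy to leave commented out, which is how the file ships. The Bourne-shell functions below, added here as an example and not part of the workshop, read an /etc/default/login style file, report the effective attempt limit (the smaller of RETRIES and SYSLOG_FAILED_LOGINS, as the slide states), and fail a file whose lockout values are missing or weaker than required. Both sample files are constructed for this example; the values in the hardened one are the slide's.

```shell
#!/bin/sh
# Added example (hypothetical helper, not Sun code): check the login(1)
# lockout tunables in an /etc/default/login style file.

# Write a constructed file with the limits still commented out,
# the way the stock file ships.  $1 = path
make_default_login_unhardened() {
    cat > "$1" <<'EOF'
# constructed sample: stock settings, limits commented out
CONSOLE=/dev/console
#RETRIES=5
#SYSLOG_FAILED_LOGINS=5
#DISABLETIME=20
EOF
}

# Write a constructed file with the values recommended on the slides.
# $1 = path
make_default_login_hardened() {
    cat > "$1" <<'EOF'
# constructed sample: values recommended in the workshop
CONSOLE=/dev/console
RETRIES=5
SYSLOG_FAILED_LOGINS=5
DISABLETIME=300
EOF
}

# Print the value of the last uncommented KEY=VALUE line for $2 in
# file $1, or "unset" when there is none (commented lines start with
# '#', so they never match).
login_default_get() {
    v=$(sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1)
    if [ -n "$v" ]; then echo "$v"; else echo unset; fi
}

# Print the effective number of unsuccessful attempts before login
# exits: the smaller of RETRIES and SYSLOG_FAILED_LOGINS.  Prints
# "unset" and returns 1 when either is not configured.  $1 = file
effective_login_attempts() {
    r=$(login_default_get "$1" RETRIES)
    s=$(login_default_get "$1" SYSLOG_FAILED_LOGINS)
    if [ "$r" = unset ] || [ "$s" = unset ]; then echo unset; return 1; fi
    if [ "$r" -le "$s" ]; then echo "$r"; else echo "$s"; fi
}

# Return 0 if $1 sets both attempt limits and a DISABLETIME of at
# least $2 seconds; otherwise report each shortfall and return 1.
check_login_defaults() {
    ok=0
    effective_login_attempts "$1" >/dev/null ||
        { echo "$1: RETRIES/SYSLOG_FAILED_LOGINS not both set" >&2; ok=1; }
    d=$(login_default_get "$1" DISABLETIME)
    if [ "$d" = unset ] || [ "$d" -lt "$2" ]; then
        echo "$1: DISABLETIME is $d, want at least $2" >&2; ok=1
    fi
    return $ok
}
```

check_login_defaults /etc/default/login 300 on a live system reproduces the slide's requirement; the stock file fails it because every limit is still a comment.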

18 (Audit Trail Protection)

• The contents of audit trails will be protected against unauthorized access, modification, or deletion. Only authorized admin and support personnel will have permissions to access audit trail data. Log files should be owned by root with group sys. With the exception of the messages file, all files should have permissions such that only root can read or write them. Read access on the messages file is allowed for all users, because valuable debugging messages are logged there.

19 (Audit Trail Protection)

• /var/adm/messages:
– # chown root:sys /var/adm/messages
– # chmod 644 /var/adm/messages
(644 is read for everyone and write for root only. A mode of 622 would instead make the file world-writable, letting any user forge or truncate messages.)
• /var/adm/loginlog:
– # chown root:sys /var/adm/loginlog
– # chmod 600 /var/adm/loginlog
• /var/adm/LOGINLOG:
– # chown root:sys /var/adm/LOGINLOG
– # chmod 600 /var/adm/LOGINLOG
• /var/adm/sulog:
– # chown root:sys /var/adm/sulog
– # chmod 600 /var/adm/sulog

20 (Audit Trail Protection)

• /etc/passwd and /etc/shadow:

– The passwd file should be "shadowed" by running the pwconv command. This removes the encrypted passwords from the /etc/passwd file, which is readable by everyone, and places them in /etc/shadow, which is readable only by root. To implement this, do the following:

• # pwconv
• # chmod 644 /etc/passwd
• # chmod 600 /etc/shadow

21 (Audit Trail Protection)

• BSM – Remove world permissions on the audit log directory and apply the required ownership and permissions to the audit trail directory, subdirectories and files on the local machine:
– # chmod 640 /etc/security/audit/
– # chown root:sys /etc/security/audit/

• (On a directory the execute bit is what permits traversal. With 640 only root, which bypasses the check, can enter the directory; if members of group sys must be able to list the audit trail, use 750 instead. Either way, world has no access.)
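The ownership and mode settings on slides 19 to 21 are worth checking on a schedule, not just at build time. The Bourne-shell functions below, added here as an example and not part of the workshop, compare a file's actual owner, group and mode with the prescribed values using only ls(1), so they run unchanged on Solaris and other Unixes. octal_to_ls_mode is a hypothetical helper that turns a three-digit octal mode such as 600 into the ls permission string.

```shell
#!/bin/sh
# Added example (hypothetical helpers, not Sun code): verify log file
# ownership and permissions against the prescribed values.

# Print the ls-style permission string for a three-digit octal mode,
# e.g. 600 -> -rw-------.  $1 = octal mode
octal_to_ls_mode() {
    [ "${#1}" -eq 3 ] || { echo "mode must be 3 octal digits" >&2; return 1; }
    out='-'
    for d in $(echo "$1" | sed 's/./& /g'); do
        case $d in
            0) out="${out}---" ;; 1) out="${out}--x" ;; 2) out="${out}-w-" ;;
            3) out="${out}-wx" ;; 4) out="${out}r--" ;; 5) out="${out}r-x" ;;
            6) out="${out}rw-" ;; 7) out="${out}rwx" ;;
            *) echo "bad mode digit $d" >&2; return 1 ;;
        esac
    done
    echo "$out"
}

# Return 0 if $1 is a regular file with octal mode $2, owner $3 and
# group $4; otherwise print each mismatch and return 1.  The first
# ten characters of the ls -ld output are the mode (an eleventh
# character such as '+' or '.' marks ACLs on some systems).
check_log_perms() {
    f=$1; owner=$3; group=$4
    want=$(octal_to_ls_mode "$2") || return 1
    [ -f "$f" ] || { echo "$f: not a regular file" >&2; return 1; }
    set -- $(ls -ld "$f")
    got=$(printf '%.10s' "$1")
    rc=0
    [ "$got" = "$want" ] || { echo "$f: mode $got, want $want" >&2; rc=1; }
    [ "$3" = "$owner" ] || { echo "$f: owner $3, want $owner" >&2; rc=1; }
    [ "$4" = "$group" ] || { echo "$f: group $4, want $group" >&2; rc=1; }
    return $rc
}

# Check the files named on the slides; return 1 if any differ.
check_workshop_log_perms() {
    rc=0
    check_log_perms /var/adm/messages 644 root sys || rc=1
    check_log_perms /var/adm/loginlog 600 root sys || rc=1
    check_log_perms /var/adm/LOGINLOG 600 root sys || rc=1
    check_log_perms /var/adm/sulog    600 root sys || rc=1
    return $rc
}
```

Run check_workshop_log_perms from root's crontab alongside the weekly review; a non-zero exit means a log file no longer carries the ownership or mode the accreditation requires.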

22 (Audit Trail Analysis)

• Audit analysis and reporting will be scheduled and performed at least weekly.
• To review /var/adm/messages:
– more /var/adm/messages
• Or
– view /var/adm/messages
• To review /var/adm/loginlog:
– more /var/adm/loginlog
• Or
– view /var/adm/loginlog

23 (Audit Trail Analysis)

• To review /var/adm/sulog:
– more /var/adm/sulog
• Or
– view /var/adm/sulog
• To review locked accounts:
– more /etc/shadow
• Or
– view /etc/shadow
• To review login information:
– # last
– # more /var/adm/loginlog
• Or
– # view /var/adm/loginlog
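Paging through sulog with more works for a small site, but the weekly review is easier to repeat if the questions are scripted. The Bourne-shell functions below, added here as an example and not part of the workshop, run over a constructed sample of /var/adm/sulog and answer the two questions the slides imply: who is failing to su, and who successfully became root without being on the authorized list. The line format assumed is the one su(1M) writes, "SU mm/dd HH:MM +|- tty from-to", with + for success and - for failure; the sample entries and user names are invented.

```shell
#!/bin/sh
# Added example (hypothetical helpers, not Sun code): summarize su
# attempts from a sulog file.

# Write a constructed sample sulog to $1.
make_sample_sulog() {
    cat > "$1" <<'EOF'
SU 12/14 08:02 + console root-root
SU 12/14 09:15 + pts/2 jdoe-root
SU 12/14 09:16 - pts/3 mlee-root
SU 12/14 09:16 - pts/3 mlee-root
SU 12/14 09:17 - pts/3 mlee-root
SU 12/14 11:40 + pts/5 mlee-oracle
SU 12/15 02:11 - pts/7 guest-root
EOF
}

# Print failed su attempts as "<count> <from>-<to>", most frequent
# first.  Field 4 is the outcome, field 6 the from-to pair.  $1 = sulog
sulog_failures() {
    awk '$4 == "-" { n[$6]++ } END { for (k in n) print n[k], k }' "$1" | sort -rn
}

# Print each user who successfully became root and is not in the
# allow-list given after the file name, one per line.
# $1 = sulog, $2.. = users authorized to su to root
sulog_unauthorized_root() {
    file=$1; shift
    allowed=" $* "
    awk '$4 == "+" && $6 ~ /-root$/ { sub(/-root$/, "", $6); print $6 }' "$file" |
    sort -u | while IFS= read -r u; do
        case "$allowed" in *" $u "*) ;; *) echo "$u" ;; esac
    done
}
```

On the sample, sulog_failures shows three failures for mlee-root and one for guest-root, and sulog_unauthorized_root with an allow-list of only root reports jdoe. Feed the real /var/adm/sulog and the site's list of authorized administrators to get the weekly exception report.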

24 (Questions)

• Questions
• Now a five-minute recess
