15/03/2006

hardening solaris ten

my first job on booting solaris 10 on hexagon, my sun fire t2000 system, was to harden the operating system. i want to make sure that the system is not going to be offering extraneous services to passers-by on the internet (even though everything but ssh will be firewalled off). this has the added bonus of stopping cpu being used unnecessarily. an initial portscan using the ubiquitous nmap utility revealed the following open ports:

robot$ nmap -p1-65535 -A hexagon

Interesting ports on hexagon (10.10.10.6):
(The 65514 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE VERSION
21/tcp open ftp Solaris ftpd
22/tcp open ssh SunSSH 1.1 (protocol 2.0)
23/tcp open telnet
25/tcp open smtp Sendmail 8.13.4+Sun/8.13.3
111/tcp open rpcbind 2-4 (rpc #100000)
513/tcp open login Berkeley remote login service
514/tcp open tcpwrapped
587/tcp open smtp Sendmail 8.13.4+Sun/8.13.3
898/tcp open http Solaris management console server
4045/tcp open nlockmgr 1-4 (rpc #100021)
5987/tcp open unknown
5988/tcp open unknown
7100/tcp open font-service Sun Solaris fs.auto
9010/tcp open tcpwrapped
22273/tcp open wnn6?
32771/tcp open status 1 (rpc #100024)
32772/tcp open fmproduct 1 (rpc #1073741824)
32773/tcp open rusersd 2-3 (rpc #100002)
32774/tcp open ttdbserverd 1 (rpc #100083)
32777/tcp open sometimes-rpc17?
32778/tcp open dmispd 1 (rpc #300598)
32779/tcp open snmpXdmid 1 (rpc #100249)
32795/tcp open unknown
Service Info: OSs: Solaris, Unix, SunOS

Nmap finished: 1 IP address (1 host up) scanned in 1778.040 seconds

as you can see, there's a lot of unwanted access provided there. at least ssh is there by default, but we also have telnet and rlogin, the X11 font server, as well as all those RPC services... solaris 10 manages services with the svcs and svcadm utilities, and i will use them to turn off telnetd, rlogin and the other unwanted services, as follows:

root@hexagon# svcadm disable svc:/network/telnet
root@hexagon# svcadm disable svc:/network/login:rlogin
root@hexagon# svcadm disable svc:/application/x11/xfs
root@hexagon# svcadm disable svc:/network/ftp:default
root@hexagon# svcadm disable svc:/network/rpc/rusers
root@hexagon# svcadm disable svc:/network/rpc/rstat
root@hexagon# svcadm disable svc:/network/shell:default

and we can also get rid of the packages that provide telnetd itself, since it is inherently insecure, and there is always potential access via telnet to the console over the ALOM network port. first, check which packages need removing, then remove them with the pkgrm utility:

root@hexagon# pkginfo | grep -i telnet
SUNWtnetr Telnet Server Daemon (Root)
SUNWtnetc Telnet Command (client)
SUNWtnetd Telnet Server Daemon (Usr)
root@hexagon# pkgrm SUNWtnetr SUNWtnetd

hopefully, this has given you an idea of how to do all this manually. i also downloaded the sun solaris security toolkit which has a lot of useful scripts to automate the hardening process. the file you require is SUNWjass-4.2.0.pkg.tar.Z and is only 600KB. you need to be registered with sun to download anything, but this is useful anyway, since you need an id to get the latest security patches, and also to access the sun update connection site.

root@hexagon# uncompress SUNWjass-4.2.0.pkg.tar.Z
root@hexagon# tar xf SUNWjass-4.2.0.pkg.tar
root@hexagon# pkgadd -d . SUNWjass

Processing package instance <SUNWjass> from </root/install>

Solaris Security Toolkit 4.2.0(Solaris) 4.2.0
Copyright 2005 Sun Microsystems, Inc. All rights reserved.
Use is subject to license terms.
Using </opt> as the package base directory.
## Processing package information.
## Processing system information.
## Verifying package dependencies.
## Verifying disk space requirements.
## Checking for conflicts with packages already installed.
## Checking for setuid/setgid programs.

Installing Solaris Security Toolkit 4.2.0 as <SUNWjass>

## Installing part 1 of 1.
/opt/SUNWjass/Audit/disable-IIim.aud
/opt/SUNWjass/Audit/disable-ab2.aud
...etc...
/opt/SUNWjass/rules.SAMPLE
/opt/SUNWjass/sysidcfg <symbolic link>
[ verifying class <none> ]

Installation of <SUNWjass> was successful.

you'll notice that the package was loaded from /root/install. this is because i modify the root user to have a different home directory. often / is a shared home directory for other system accounts and daemon user ids, and it's never a good idea to have the root .profile and other dot-files there. moving home is relatively easy though:

root@hexagon# usermod -d /root root
root@hexagon# mkdir /root
root@hexagon# chmod 700 /root
root@hexagon# mv /.[a-zA-Z0-9]* /root/

and all the existing dot-files get moved across too. the jass security toolkit has a large number of configurable options, which are documented in the reference manual. the security blueprints collection is also a good place to look for information. to secure your solaris system with the jass tool, execute the hardening driver using the following command:

root@hexagon# /opt/SUNWjass/bin/jass-execute -d hardening.driver | tee jaas-hardening.log

which will lock down your system, and place a log of all output into jaas-hardening.log. once this has completed, reboot to implement the changes. when you next login you will see that a security warning has been added:

|-----------------------------------------------------------------|
| This system is for the use of authorized users only.            |
| Individuals using this computer system without authority, or in |
| excess of their authority, are subject to having all of their   |
| activities on this system monitored and recorded by system      |
| personnel.                                                      |
|                                                                 |
| In the course of monitoring individuals improperly using this   |
| system, or in the course of system maintenance, the activities  |
| of authorized users may also be monitored.                      |
|                                                                 |
| Anyone using this system expressly consents to such monitoring  |
| and is advised that if such monitoring reveals possible         |
| evidence of criminal activity, system personnel may provide the |
| evidence of such monitoring to law enforcement officials.       |
|-----------------------------------------------------------------|

which should be modified to comply with local legal requirements. also, the passwords for any existing users will have been expired, and a much more stringent policy is now in place. if an nmap scan is run against the system now, you will see that most ports are closed, except ssh and one other that will be investigated later:

$ nmap -p 1-65535 -A hexagon | tee entries/hexagon.ports.03.txt

Interesting ports on hexagon (10.10.10.6):
(The 65533 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE VERSION
22/tcp open ssh SunSSH 1.1 (protocol 2.0)
22273/tcp open wnn6?

Nmap finished: 1 IP address (1 host up) scanned in 1814.355 seconds
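as an added check (my own shell, not from the original post or from sun's toolkit), here is a function that reads an nmap report like the two above and prints every open port that is not on an allow-list, so anything other than ssh shows up for tracing back to its svcadm service or rc script. the sample report is constructed from the scan above, cut down to a few lines.

```sh
#!/bin/sh
# Added example: compare an "nmap -p1-65535" report against an allow-list of
# ports that are meant to be reachable, and list every other open port with
# its service name so it can be chased down with svcs/svcadm, lsof and find.

# Constructed sample: a trimmed copy of the pre-hardening report above.
SAMPLE_SCAN='Interesting ports on hexagon (10.10.10.6):
(The 65514 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE VERSION
21/tcp open ftp Solaris ftpd
22/tcp open ssh SunSSH 1.1 (protocol 2.0)
23/tcp open telnet
513/tcp open login Berkeley remote login service
7100/tcp open font-service Sun Solaris fs.auto
22273/tcp open wnn6?
32773/tcp open rusersd 2-3 (rpc #100002)
Service Info: OSs: Solaris, Unix, SunOS'

# unexpected_ports "22/tcp ..." < report
#   $1 is a space-separated allow-list of port/proto entries.
#   Prints one "port/proto service" line per open port not on the list,
#   in report order; header and footer lines of the report are ignored.
unexpected_ports() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # only real port rows look like "NNN/tcp open ..."
        $1 ~ "^[0-9]+/(tcp|udp)$" && $2 == "open" && !($1 in ok) {
            print $1, ($3 == "" ? "unknown" : $3)
        }'
}

# count_unexpected "22/tcp ..." - number of offending ports in SAMPLE_SCAN.
count_unexpected() {
    printf '%s\n' "$SAMPLE_SCAN" | unexpected_ports "$1" | wc -l | tr -d ' '
}

# Usage: printf '%s\n' "$SAMPLE_SCAN" | unexpected_ports "22/tcp"
```

run it against a saved report (nmap ... | tee file; unexpected_ports "22/tcp" < file) after each round of svcadm disable until it prints nothing.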

next, i installed some useful extra utilities, from the sun freeware site. this has lots of GNU software compiled for SPARC on solaris 10, although you may want to check out sun's offerings from the solaris 10 companion dvd. sudo is a good replacement for the standard su program, curl makes retrieval of files from the internet simple and lsof lists all files that a process has open. once you have downloaded them, installation follows the same basic pattern. this is how i installed the SMClsof and SFWsudo packages:

root@hexagon# gunzip lsof-4.76-sol10-sparc-local.gz
root@hexagon# ln -s /usr/sfw /usr/local
root@hexagon# pkgadd -d ./lsof-4.76-sol10-sparc-local

The following packages are available:
1 SMClsof lsof
(sparc) 4.76

Select package(s) you wish to process (or 'all' to process
all packages). (default: all) [?,??,q]: all

Processing package instance <SMClsof>
from </root/install/lsof-4.76-sol10-sparc-local>

lsof(sparc) 4.76
Vic Abell
Using </usr/local> as the package base directory.
## Processing package information.
## Processing system information.
2 package pathnames are already properly installed.
## Verifying disk space requirements.
## Checking for conflicts with packages already installed.

The following files are already installed on the system and are being
used by another package:
* /usr/local/doc
* /usr/local/man

* - conflict with a file which does not belong to any package.

Do you want to install these conflicting files [y,n,?,q] n

Do you want to continue with the installation of <SMClsof> [y,n,?] y
## Checking for setuid/setgid programs.

The following files are being installed with setuid and/or setgid
permissions:
/usr/local/bin/lsof <setgid bin>

Do you want to install these as setuid/setgid files [y,n,?,q] y
## Processing package information.
## Processing system information.

Installing lsof as <SMClsof>

## Installing part 1 of 1.
/usr/local/bin/lsof
/usr/local/doc <conflicting pathname not installed>
/usr/local/doc/lsof/00.README.FIRST
/usr/local/doc/lsof/00CREDITS
/usr/local/doc/lsof/00DCACHE
/usr/local/doc/lsof/00DIALECTS
/usr/local/doc/lsof/00DIST
/usr/local/doc/lsof/00FAQ
/usr/local/doc/lsof/00LSOF-L
/usr/local/doc/lsof/00MANIFEST
/usr/local/doc/lsof/00PORTING
/usr/local/doc/lsof/00QUICKSTART
/usr/local/doc/lsof/00README
/usr/local/doc/lsof/00TEST
/usr/local/doc/lsof/00XCONFIG
/usr/local/doc/lsof/lsof.man
/usr/local/man <conflicting pathname not installed>
/usr/local/man/man8/lsof.8
[ verifying class <none> ]

Installation of <SMClsof> was successful
root@hexagon# bzip2 -d SFWsudo.bz2
root@hexagon# ln -s /usr/sfw /opt/sfw
root@hexagon# pkgadd -d ./SFWsudo

The following packages are available:
1 SFWsudo Sudo - superuser do
(sparc) 1.6.8.5,REV=2005.01.05.17.49

Select package(s) you wish to process (or 'all' to process
all packages). (default: all) [?,??,q]: all

Processing package instance <SFWsudo> from </root/install/SFWsudo>

Sudo - superuser do(sparc) 1.6.8.5,REV=2005.01.05.17.49

...and so on...

Installation of <SFWsudo> was successful.
root@hexagon# chmod u+s /usr/sfw/bin/sudo

important - notice that the sudo executable was not setuid root, and we had to change this after installation to make it work! after this, the installs for any other packages will be very similar - use the above processes as a guide, just remember to check where in the filesystem things get installed, and either create symlinks or allow it as required. once sudo has been installed, you need to authorise users to have access to the root user. use the visudo command as root, and set up the sudoers file. i added the following line, which gives everyone in the sysadmin group root access:

%sysadmin       ALL=(ALL)       ALL


since we have lsof installed now, we can check what was holding the other port (22273/tcp) open. in the nmap output it is listed as wnn6? but we can check what process is using it with lsof and find as follows:

root@hexagon# lsof | grep -i wnn
jserver_m 741 root 3u IPv4 0x600036e0100 0t0 TCP *:wnn6 (BOUND)
jserver_m 741 root 4u IPv6 0x6000377f940 0t0 TCP *:wnn6 (LISTEN)
root@hexagon# find / -name "jserver_m" -print
/usr/lib/locale/ja/wnn/jserver_m

and we can see that it is a program called jserver_m that seems to have something to do with the japanese locale input method. i don't live in japan, or speak japanese, so this can be safely turned off. checking with svcs shows that it is started by init and can be disabled as follows:

root@hexagon# svcs | grep -i wnn
legacy_run 20:50:28 lrc:/etc/rc2_d/S94Wnn6
root@hexagon# /etc/init.d/Wnn6 stop
root@hexagon# mv /etc/rc2.d/S94Wnn6 /etc/rc2.d/_S94Wnn6.DISABLED

hopefully this has given you an idea of how best to approach hardening a solaris 10 system. the one thing not covered here is patching, which i will describe in another post. depending on how tightly you want things locked down initially, you can either manually turn off certain services or you can use sun's provided toolkit, and edit the default settings. this gives you a lot of flexibility, but i now have a system i feel safe about connecting to my router and assigning an IP address...

5 comments:

Anonymous said...

Hi,

I am also running Solaris 10 on a SPARC system and after I applied the 10 Recommended patch dated Aug 21 2006 it breaks the lsof version 4.76 on my system. I have the sample output below.

Have you seen this lsof behaviour before?

Thanks,

(andy)

# lsof -i
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
pfild 74 root 4u IPv4 0t0 SOCK_RAW
pfild 74 root 5u IPv6 0t0 SOCK_RAW
pfild 74 root 6u IPv6 0t0 SOCK_RAW
nscd 120 root 8u IPv6 0x60001c4cb00 0t5990 TCP *:65535->[0:ffff:c72a:41fc::]:* (ESTABLISHED)
xntpd 198 root 19u IPv4 0x60000941a40 0t0 UDP *:65535
xntpd 198 root 20u IPv4 0x60000941840 0t0 UDP *:65535
xntpd 198 root 21u IPv4 0x60000941640 0t0 UDP *:65535
rpcbind 199 daemon 3u IPv4 0x60000940440 0t0 UDP *:65535
rpcbind 199 daemon 4u IPv4 0x60000940640 0t0 UDP *:65535
rpcbind 199 daemon 5u IPv4 0x60000940840 0t0 UDP *:65535
rpcbind 199 daemon 6u IPv4 0x6000094c6c0 0t0 TCP *:65535 (LISTEN)
rpcbind 199 daemon 7u IPv4 0x6000094c040 0t0 TCP *:65535 (IDLE)
xntpd 202 root 4u IPv4 0x60000940a40 0t0 UDP *:65535
statd 203 daemon 4u IPv4 0x60000940240 0t0 UDP *:*
statd 203 daemon 5u IPv4 0x60000940040 0t0 UDP *:65535
statd 203 daemon 7u IPv4 0x600011b7480 0t0 TCP *:65535 (LISTEN)
inetd 209 root 13u IPv6 0x600011b5a80 0t0 TCP *:* (LISTEN)
inetd 209 root 16u IPv4 0x600011b5400 0t0 TCP *:65535 (LISTEN)
inetd 209 root 17u IPv4 0x600011dba80 0t0 UDP *:65535
lockd 226 daemon 5u IPv4 0x600011dbc80 0t0 UDP *:65535
lockd 226 daemon 6u IPv4 0x600011b6e00 0t0 TCP *:65535 (LISTEN)
sshd 296 root 3u IPv6 0x600011b4d80 0t0 TCP *:* (LISTEN)
sendmail 310 root 5u IPv4 0x600011b4080 0t0 TCP *:65535 (LISTEN)
sendmail 310 root 6u IPv6 0x600013a54c0 0t0 TCP [0:600:11b:4080::]:* (LISTEN)
sendmail 310 root 7u IPv4 0x600013a4e40 0t0 TCP *:65535 (LISTEN)
cimomboot 321 root 3u IPv4 0x600013a47c0 0t0 TCP *:65535 (LISTEN)
dtlogin 368 root 5u IPv6 0x600011db280 0t0 UDP *:*
dtlogin 368 root 6u IPv4 0x600013a4140 0t0 TCP *:65535 (LISTEN)
snmpd 393 root 14u IPv4 0x600011dac80 0t0 UDP *:65535
snmpd 393 root 15u IPv4 0x600011db080 0t0 UDP *:65535
snmpd 393 root 16u IPv4 0x600011dae80 0t0 UDP *:*
lcfd 409 root 5u IPv4 0x600013a2740 0t0 TCP *:65535 (LISTEN)
dsmcad 417 root 5u IPv4 0x600019a3500 0t0 TCP *:65535 (LISTEN)
dsmcad 417 root 7u IPv4 0x600019a2e80 0t0 TCP *:65535 (LISTEN)
sshd 721 root 6u IPv6 0x60001ba5d40 0t16744 TCP *:65535->[0:ffff:c72a:41fc::]:* (ESTABLISHED)

Anonymous said...

Hi,

I am running Solaris 8 on SPARC and trying to install Solaris security toolkit. I get this error:
bash-3.00# pkgadd -d SUNWjass-4.2.0.pkg SUNWjass
pkgadd: ERROR: attempt to process datastream failed
- open of SUNWjass-4.2.0.pkg failed, errno=2
pkgadd: ERROR: could not process datastream from SUNWjass-4.2.0.pkg

Anyone seen this?

Thanks,

Hasib

Ikenna said...

specify either pkgadd -d ./ PACKAGE or pkgadd -d . ..

Ikenna Osakwe

kashif said...

Very useful; keep writing man, good luck!
Kashif Malik, UAE, Abu Dhabi