Solaris 9 Security CX-310-301 9 Undoing SST ...
Solaris 9 Security CX-310-301 10 Security Administrator for the Solaris 9 Operating System General Security Concepts This section is concern
Solaris 9 Security CX-310-301 11 - Detect – You should, at regular intervals, run tests to see if you can break in to your systems. A number
Solaris 9 Security CX-310-301 12 is less likely that he/she will continue with the attack. Compare this aspect with adding security to your m
Solaris 9 Security CX-310-301 13 - The procedure to follow in the event of a security breach
- Any special dispensation procedures, for exa
Solaris 9 Security CX-310-301 14 Application Security An insecure application can undermine the entire security policy and must be treated wi
Solaris 9 Security CX-310-301 15 - Unnecessary services and ports being available, allowing known vulnerabilities to be exploited
- The sys
Solaris 9 Security CX-310-301 16 Accountability Accountability is the assignment of responsibility, frequently associated with user accounts
Solaris 9 Security CX-310-301 17 - Individual – Detailed information on an individual person, family, company or Government is targeted. Ter
Solaris 9 Security CX-310-301 18 - Employees – Probably the worst form of attacker is one from within. Normally an employee with a grudge ag
Solaris 9 Security CX-310-301 1 Introduction This CramSession will help you prepare for the Solaris 9 Sun Certified Security Administrator.
Solaris 9 Security CX-310-301 19 information for example, the attacker would consult publicly available sites such as www.cert.org or www.san
Solaris 9 Security CX-310-301 20
100000 2 tcp 111 rpcbind
100000 4 udp 111 rpcbind
100000 3 udp 111
Solaris 9 Security CX-310-301 21
220 ultra10.example.com ESMTP Sendmail 8.12.10+Sun/8.12.9; Thu, 1 Apr 2004 18:38:49 +0100 (BST)
expn john
25
Solaris 9 Security CX-310-301 22 - B2 – Fully documented configuration control, facility management and system configuration. Security admin
Solaris 9 Security CX-310-301 23 - By operating lax permissions and revealing passwords
Detection and Device Management This section looks
Solaris 9 Security CX-310-301 24 It should be noted that login attempts using CDE (dtlogin) will not be caught by this facility. Only attempt
Solaris 9 Security CX-310-301 25 - Hardware error messages
- Failed su attempts
- User login failures
- System software and application e
Solaris 9 Security CX-310-301 26 - daemon – Messages concerning daemon processes (syslogd, inetd for example)
- * – All of the facilities
Solaris 9 Security CX-310-301 27
*.err;kern.notice;auth.notice /dev/sysmsg
*.err;kern.debug;daemon.notice;mail.crit
Solaris 9 Security CX-310-301 28 access to your system. However, if you configure syslog to send its messages to one or more central logging
Solaris 9 Security CX-310-301 2 Make use of the manual pages because they provide a wealth of information about the utilities as well as full
Solaris 9 Security CX-310-301 29 Process Accounting Process accounting is installed as part of a default Solaris 9 installation and, although
Solaris 9 Security CX-310-301 30 - /etc/security/audit_user – Provides more detailed control allowing specific users and actions to be audit
Solaris 9 Security CX-310-301 31 - Reboot the system to bring it up with auditing enabled
# /etc/security/bsmconv
This script is used to en
Solaris 9 Security CX-310-301 32 Interpreting the Results Continuing the example scenario, you now want to inspect the audit file(s) to see i
Solaris 9 Security CX-310-301 33 Note: A reboot of the system automatically causes the current log file to close and a new one to be opened w
Solaris 9 Security CX-310-301 34 - deallocate – Used to deallocate a device after a user has finished with it
- dminfo – Used to report inf
Solaris 9 Security CX-310-301 35 Security Attacks This section looks at different types of attacks that can be attempted against your systems
Solaris 9 Security CX-310-301 36 Preventing DoS Attacks Some DoS attacks can be prevented fairly easily, whilst for others there is little pr
Solaris 9 Security CX-310-301 37 Privilege Escalation Attacks Types of Attack
- Trojan Horse – As the name implies, this exploit involves i
Solaris 9 Security CX-310-301 38 Detecting Attacks There are various methods for detecting that an attack has taken place. This section looks
Solaris 9 Security CX-310-301 3 CRAMSESSION™ SINGLE USER LICENSE This is a legal agreement between you, an individual user, and CramSession
Solaris 9 Security CX-310-301 39 The result is shown in the next screenshot.
Solaris 9 Security CX-310-301 40 Note that the checksums match and the 1 match(es) indicates this too. The interactive method is quite labor
Solaris 9 Security CX-310-301 41 Using the find Command If you do not have access to a fingerprinting tool, then the find command is the next
Solaris 9 Security CX-310-301 42
-r-sr-xr-x 2 root bin 15296 Apr 7 2002 /usr/bin/sparcv9/uptime
-r-sr-xr-x 2 root bin 15296 Apr
Solaris 9 Security CX-310-301 43 The following output shows the result of a Tripwire report after running a check on the fingerprint database
Solaris 9 Security CX-310-301 44
Include Files 35 0 0 0
Man Pages 35 0 0 0
Solaris 9 Security CX-310-301 45 Kernel Trust and OpenBoot The kernel is implicitly trusted because it IS the operating system. For this reas
Solaris 9 Security CX-310-301 46 This prompts the user to enter a password twice. Note: Setting the EEPROM password should not be done light
Solaris 9 Security CX-310-301 47 - After a specified time of inactivity
- On a specific date
- Immediately
You can also use a combination
Solaris 9 Security CX-310-301 48 Note: The expiry information is stored in /etc/shadow. Restricting root Logins It is bad practice to allow
Solaris 9 Security CX-310-301 4 The Content may be subject to export restrictions. You agree that you will not export the Content or any part
Solaris 9 Security CX-310-301 49
# find / -user 8888 -print -exec chown root {} \;
/var/report1
/var/report2
/var/report3
Now list the files
Solaris 9 Security CX-310-301 50 - It has become increasingly common, when choosing a password, to replace some vowels with numerals that ar
Solaris 9 Security CX-310-301 51 Another aspect of password aging is to be able to control how frequently a user may change their own passwor
Solaris 9 Security CX-310-301 52 - The step above creates the file passwd.guess, which john will work on to try and obtain the actual passwo
Solaris 9 Security CX-310-301 53 It should also be remembered that password authentication is only one method of gaining access to a system.
Solaris 9 Security CX-310-301 54 - SULOG – Normally set to /var/adm/sulog, defines the log file that is written to when the su command is run
Solaris 9 Security CX-310-301 55 Creating A Profile A profile is created by making an entry with an editor, such as vi, in the file /etc/secu
Solaris 9 Security CX-310-301 56 Logging in to a Role To access the functionality of a role, you must first be logged in as a normal user. Th
Solaris 9 Security CX-310-301 57 - Directories
  • Read – This allows the directory to be read, but the files cannot be listed
  • Write – Thi
Solaris 9 Security CX-310-301 58 - An attacker can gain valuable information about the system which can be used later to aid further attacks
Solaris 9 Security CX-310-301 5 General Security Concepts ...
Solaris 9 Security CX-310-301 59 Setting ACLs To set # setfacl -s user::rwx,g::r--,o:---,mask:rw-,u:temptest:r-- testfile To see the ACL jus
Solaris 9 Security CX-310-301 60 Deleting an ACL To remove an ACL, use the setfacl -d command to remove the specific permissions. When the la
Solaris 9 Security CX-310-301 61 - Control Flag – The deciding factor on what constitutes a success or failure – can be requisite, required,
Solaris 9 Security CX-310-301 62 - Make sure the module is owned by root and the permissions should be equal to 555 (or r-xr-xr-x). You sh
Solaris 9 Security CX-310-301 63 - Kerberos is not a transparent service, like PAM where modules can be plugged in. In order to use Kerberos
Solaris 9 Security CX-310-301 64 - Network Address Translation (NAT) – where a corporate network can be made to look (externally) like it ha
Solaris 9 Security CX-310-301 65 It is good practice to disable all services and then only re-instate the services that are genuinely necessa
Solaris 9 Security CX-310-301 66 - Only install the Solaris cluster containing packages that you actually need. There is no need to install
Solaris 9 Security CX-310-301 67 http://www.sun.com/solutions/blueprints/0601/jass_quick_start-v03.pdf and for a full install, configure and
Solaris 9 Security CX-310-301 68 - Audit – This contains the scripts to run in order to carry out a verification check jass run. These scrip
Solaris 9 Security CX-310-301 6 Detection and Device Management...2
Solaris 9 Security CX-310-301 69 [NOTE] Copying /.profile from /opt/SUNWjass/Files/.profile. ================================================
Solaris 9 Security CX-310-301 70 You should note that not all SST actions can be undone, only those that are called by a script. This needs t
Solaris 9 Security CX-310-301 71 Network Connection Access, Authentication and Encryption The final section looks at remote connections and t
Solaris 9 Security CX-310-301 72
telnet stream tcp nowait root /usr/local/bin/tcpd in.telnetd -d1
Denying and Allowing Host Connects T
Solaris 9 Security CX-310-301 73
rm -f nul.c
( ./nul ; cat prototype ) > in.rlogind
chmod 644 in.rlogind
- This creates banner files for
Solaris 9 Security CX-310-301 74
warning: ultra1: hostname alias
warning: (official name: ultra1.mobileventures.homeip.net)
client: hostnam
Solaris 9 Security CX-310-301 75 - ssh – Secure session connection to replace telnet
- scp – Secure copy of files between hosts
- sshd – T
Solaris 9 Security CX-310-301 76 Generating a Client Key The client generates a key pair (private and public keys) by using the ssh-keygen
Solaris 9 Security CX-310-301 7 Using File Listings .......
Solaris 9 Security CX-310-301 8 The Set-Uid and Set-Gid Permissions ..................