    #
    # devices is a colon-separated list of device names. A device name
    # ending in /*, such as /dev/fbs/*, specifies all entries (except .
    # and ..) in a directory. A '#' begins a comment and may appear
    # anywhere in an entry.
    #
    # console mode devices
    #
    /dev/console    0600    /dev/mouse:/dev/kbd
    /dev/console    0600    /dev/sound/*    # audio devices
    /dev/console    0600    /dev/fbs/*      # frame buffers

Solaris Hardening 3-9
Copyright 1997 Sun Microsystems, Inc. All Rights Reserved. SunService August 1996

System Access Control

Login Access on Terminals and the Console (Continued)

Complete Block-off

By creating the file /etc/nologin, all user logins can be disabled. The contents of this file are displayed to the user:

    sun# cat /etc/nologin.txt
    Operating times:
    Monday through Friday: 8:00 AM to 6:00 PM
    Saturday and Sunday no access
    sun# crontab -l
    0 8 * * 1-5 rm /etc/nologin
    0 18 * * 1-5 cp /etc/nologin.txt /etc/nologin

Note: /etc/nologin is erased after a reboot.

lockscreen (xlock) and Logging Out

The most critical point of concern for security administrators is the lack of cooperation on the part of users in logging out, or at least running lockscreen, when they take a break. To help overcome this user carelessness, set a good example. Also, provide training on the need to demonstrate conscientious work habits, and if all else fails, employ a program that automatically invokes lockscreen.

Network Security

The network is an important element of the workplace. It enables sharing of resources and information. However, unlimited access can create security problems. This section of the module defines procedures to secure access to the network and individual hosts.

Fundamental Security Features

Network security is a critical component of network administration.
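The /etc/logindevperm excerpt above follows a small grammar: a colon-separated device list, a trailing /* standing for every entry of a directory except . and .., and # comments anywhere on a line. The following Python script is an added example, not code from the Sun manual: it parses entries in that format, expands /* patterns against a filesystem root, and flags entries whose mode would leave a console device readable or writable by group or other. The function names, the constructed sample file and its deliberately permissive 0666 line are assumptions made for this example.

```python
"""Parse and audit /etc/logindevperm entries.

Added example, not code from the Sun manual. Format rules come from the
file's own comments: one entry per line (console device, octal mode,
colon-separated device list); a name ending in /* means every entry of that
directory except . and ..; a '#' starts a comment anywhere on the line.
"""
import os
import tempfile
from typing import Dict, List

# Constructed sample mirroring the excerpt in the text, plus one deliberately
# permissive 0666 entry so the audit has something to report.
SAMPLE_LOGINDEVPERM = """\
#
# console mode devices
#
/dev/console    0600    /dev/mouse:/dev/kbd
/dev/console    0600    /dev/sound/*    # audio devices
/dev/console    0666    /dev/fbs/*      # frame buffers (constructed: too open)
"""


def parse_logindevperm(text: str) -> List[Dict]:
    """Return one dict per entry: console, mode (int) and devices (list)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # '#' may appear anywhere
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"malformed logindevperm entry: {raw!r}")
        console, mode, devices = fields
        entries.append({"console": console,
                        "mode": int(mode, 8),
                        "devices": devices.split(":")})
    return entries


def expand_devices(devices: List[str], root: str = "/") -> List[str]:
    """Expand 'dir/*' patterns under root; os.listdir already omits . and .."""
    expanded = []
    for dev in devices:
        if not dev.endswith("/*"):
            expanded.append(dev)
            continue
        directory = dev[:-2]
        real = os.path.join(root, directory.lstrip("/"))
        if os.path.isdir(real):
            expanded.extend(directory + "/" + name for name in sorted(os.listdir(real)))
    return expanded


def audit_logindevperm(text: str) -> List[str]:
    """Flag entries whose mode grants group/other access or that name
    something outside /dev."""
    findings = []
    for entry in parse_logindevperm(text):
        devs = ":".join(entry["devices"])
        if entry["mode"] & 0o077:
            findings.append(f"{entry['console']}: mode {entry['mode']:04o} "
                            f"lets group/other reach {devs}")
        for dev in entry["devices"]:
            if not dev.startswith("/dev/"):
                findings.append(f"{entry['console']}: {dev} is outside /dev")
    return findings


def demo_expand_on_constructed_tree() -> List[str]:
    """Build a throwaway tree with dev/fbs/{ffb0,ffb1} and expand the
    /dev/fbs/* pattern against it (constructed, not a live system)."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "dev", "fbs"))
    for name in ("ffb1", "ffb0"):
        open(os.path.join(root, "dev", "fbs", name), "w").close()
    return expand_devices(["/dev/fbs/*", "/dev/kbd"], root=root)


if __name__ == "__main__":
    for finding in audit_logindevperm(SAMPLE_LOGINDEVPERM):
        print(finding)
    print(demo_expand_on_constructed_tree())
```

On a live host the audit is run as audit_logindevperm(open("/etc/logindevperm").read()); the expansion helper takes a root argument so it can be exercised on a constructed tree rather than the real /dev.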
A secure computer system must maintain the continuing integrity of the information stored on it. Integrity means that the system must not corrupt the information or allow any unauthorized access to it. Recall many of the fundamental security features of the Solaris environment.

Secure NFS

One application built on top of Secure RPC is Secure NFS. A non-Secure NFS server validates a file request by authenticating the machine but not the user. Anyone who has root privileges on the NFS client can assume any user ID using the su command and impersonate the owner of a file. With Secure NFS, access requests are DES authenticated and this sort of impersonation is much harder.

With Secure NFS, users who have not been authenticated with the server will be given a user ID of -1 and the access rights of nobody. The unauthenticated user will only be able to access files accordingly. A more secure alternative to nobody can be given by defining the anon option in the share command. If the user ID is set to -1, access is totally denied:

    share -F nfs -o rw=bear:skunk:giraffe,secure,anon=-1 /export/home

Restricting access to shared NFS file systems is also essential to network security. The /etc/dfs/dfstab file can be modified to restrict access to individual hosts and to read-only permissions.

Fundamental Security Features (Continued)

The files /etc/hosts.equiv and /.rhosts

The files /etc/hosts.equiv and /.rhosts can create an insecure system by trusting remote hosts and users. These files should be used cautiously. Avoid using the special character + (plus).

Critical Permissions

Are all the access permissions of critical directories defined properly to restrict access to only those identities required?
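As an added example (not code from the Sun manual), the following Python script checks share lines from /etc/dfs/dfstab and the trust files against the points made above: an NFS share should name the hosts it serves (rw=host:host), carry the secure option and set anon=-1, and /etc/hosts.equiv or a .rhosts file should never contain the + wildcard. The dfstab lines and trust-file contents are constructed samples, and the function names are the example's own.

```python
"""Audit /etc/dfs/dfstab share lines and the hosts.equiv/.rhosts trust files.

Added example, not code from the Sun manual. It checks the points the text
makes: an NFS share should name the hosts it serves (rw=host:host), use the
'secure' option, and deny unauthenticated users with anon=-1; trust files
should never contain the '+' wildcard.
"""
import shlex
from typing import Dict, List, Optional

# Constructed sample dfstab: the share from the text plus two weaker ones.
SAMPLE_DFSTAB = """\
# place share(1M) commands here for automatic execution
share -F nfs -o rw=bear:skunk:giraffe,secure,anon=-1 /export/home
share -F nfs -o rw /export/tools
share -F nfs -o ro=bear,anon=60001 -d "project docs" /export/docs
"""

# Constructed trust files; line 2 of hosts.equiv is the '+' wildcard.
SAMPLE_HOSTS_EQUIV = "bear\n+\n"
SAMPLE_RHOSTS = "skunk william\n"


def parse_share_line(line: str) -> Optional[Dict]:
    """Return {'path', 'fstype', 'options'} for a share command, None for
    comments and blank lines. Options without '=' map to None."""
    tokens = shlex.split(line, comments=True)
    if not tokens or tokens[0] != "share":
        return None
    fstype, options, path = "nfs", {}, None
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if tok == "-F":
            fstype = tokens[i + 1]
            i += 2
        elif tok == "-o":
            for opt in tokens[i + 1].split(","):
                key, sep, value = opt.partition("=")
                options[key] = value if sep else None
            i += 2
        elif tok == "-d":
            i += 2          # description text, not security relevant
        else:
            path = tok
            i += 1
    return {"path": path, "fstype": fstype, "options": options}


def audit_dfstab(text: str) -> List[str]:
    """One finding per weakness in each NFS share line."""
    findings = []
    for line in text.splitlines():
        share = parse_share_line(line)
        if share is None or share["fstype"] != "nfs":
            continue
        opts, path = share["options"], share["path"]
        for mode in ("rw", "ro"):
            if mode in opts and not opts[mode]:
                findings.append(f"{path}: '{mode}' has no host list, "
                                f"so every host gets {mode} access")
        if "secure" not in opts:
            findings.append(f"{path}: shared without 'secure' "
                            f"(no Secure RPC authentication of users)")
        if opts.get("anon") != "-1":
            findings.append(f"{path}: anon={opts.get('anon', 'default (nobody)')}, "
                            f"unauthenticated requests are not denied")
    return findings


def audit_trust_file(name: str, text: str) -> List[str]:
    """Flag '+' wildcards in /etc/hosts.equiv or a .rhosts file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split("#", 1)[0].split()
        if "+" in fields:
            findings.append(f"{name}:{lineno}: '+' trusts any host or user")
    return findings


if __name__ == "__main__":
    for f in audit_dfstab(SAMPLE_DFSTAB):
        print(f)
    for f in (audit_trust_file("/etc/hosts.equiv", SAMPLE_HOSTS_EQUIV)
              + audit_trust_file("/.rhosts", SAMPLE_RHOSTS)):
        print(f)
```

The share from the text produces no findings; the constructed /export/tools line (rw with no host list, no secure, no anon) produces three, and /export/docs two, which is the kind of report a periodic review of dfstab should yield.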
You can take the first step in Solaris hardening by:

- Scrutinizing your overall system at the root directory for permission settings and ownership values.
- Making adjustments based on low-level knowledge of the environment.

The chart below describes several directory structures that are key to the overall process.

Note: Some directories and files require tighter restrictions than others:

    Directory                                   Concern
    /                                           So that, for example, /etc is not replaced by some other directory.
    /etc                                        vi /tmp/xxxxx
                                                mv /tmp/xxxxx /etc/passwd
    /dev                                        This includes all special files.
    /usr/bin, /usr/ucb; /usr/sbin; /sbin;       Beware of Trojan Horses.
    /usr/openwin/bin; ...
    /usr/lib; /usr/openwin/lib; ...             There are also attackers who can write programs. If a library such as
                                                libc were replaced by a new version (to include its Trojan Horse)...

Access Control Lists (ACLs)

ACLs can provide greater control over file permissions. The traditional UNIX file protection provides read, write, and execute permissions for the three user classes: owner, group, and other. An ACL enables you to define file permissions for the owner, the owner's group, other specific users and groups, and default permissions for each of those categories.

Lab: ACL Commands

Exercise 1: The setfacl Command

Command format:

    setfacl options acl_entry filename1 [filename2 ...]

Options:

    -m          Creates an ACL
    -s          Replaces the entire ACL with the new ACL
    -d          Deletes ACL entries
    acl_entry   ACL entry, which is defined below
    filename    File or directory on which to set the ACL entries

Basic ACL entries:

    ACL Entry            Meaning
    u[ser]::perms        The owner's permissions.
    g[roup]::perms       Permissions for the owner's group.
    o[ther]:perms        Permissions for users other than the owner or members of the owner's group.
    m[ask]:perms         The ACL mask. The mask entry indicates the maximum permissions allowed for
                         users (other than the owner) and for groups. The mask is a quick way to
                         change permissions on all the users and groups.
    u[ser]:uid:perms     Permissions for a specific user.
    g[roup]:gid:perms    Permissions for a specific group.

Exercise 2: The setfacl Command

Procedure: To add read/write permissions for ssa20, type the following command:

    $ setfacl -m user:ssa20:6 ch3.doc

Procedure: To check if a file has an ACL, use the ls command. A plus sign (+) to the right of the mode field indicates the file has an ACL:

    $ ls -l ch1.doc
    -rwxr-----+  1 william  sysadmin  163 Nov 11 11:12 ch1.doc

Procedure: To delete the ACL entry, type the following command:
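The following Python check is an added example, not part of the Sun manual. It walks the directories from the critical-permissions chart above and reports any that is missing, has been replaced by a symbolic link, is owned by someone other than the expected uid, or is writable by group or other, which is the precondition for the vi /tmp/xxxxx; mv /tmp/xxxxx /etc/passwd replacement and for a Trojan-Horse libc. The demo function builds a throwaway tree with a world-writable etc and a usr/lib symlink (constructed so that the problems are visible) and runs the check against it; the function names and the constructed tree are assumptions of the example.

```python
"""Check ownership and mode of the critical directories listed in the chart.

Added example, not code from the Sun manual. If /, /etc, /dev or the bin and
lib directories are writable by anyone but root, or have been swapped for a
symbolic link, files such as /etc/passwd or libc can be replaced.
"""
import os
import stat
import tempfile
from typing import List

# Directories from the chart in the text; the "..." entries are left out.
CRITICAL_DIRS = ["/", "/etc", "/dev", "/usr/bin", "/usr/ucb", "/usr/sbin",
                 "/sbin", "/usr/openwin/bin", "/usr/lib", "/usr/openwin/lib"]


def check_critical_dirs(root: str = "/", dirs: List[str] = CRITICAL_DIRS,
                        expected_uid: int = 0) -> List[str]:
    """Return one finding per problem: symlink, missing, wrong owner,
    group/world writable. root lets the check run on a constructed tree."""
    findings = []
    for d in dirs:
        full = os.path.join(root, d.lstrip("/"))
        if os.path.islink(full):
            findings.append(f"{d}: is a symbolic link (points to {os.readlink(full)})")
            continue
        if not os.path.isdir(full):
            findings.append(f"{d}: missing")
            continue
        st = os.stat(full)
        if st.st_uid != expected_uid:
            findings.append(f"{d}: owned by uid {st.st_uid}, expected {expected_uid}")
        mode = stat.S_IMODE(st.st_mode)
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(f"{d}: mode {mode:04o} is group/world writable")
    return findings


def demo_on_constructed_tree() -> List[str]:
    """Build a throwaway tree (constructed, not a real system) with a
    world-writable etc and usr/lib replaced by a symlink, then check it.
    The expected owner is the current user because the tree is ours."""
    root = tempfile.mkdtemp()
    for d in ("etc", "dev", "usr/bin", "sbin", "opt/elsewhere"):
        os.makedirs(os.path.join(root, d), mode=0o755)
    os.chmod(os.path.join(root, "etc"), 0o777)
    os.symlink(os.path.join(root, "opt", "elsewhere"), os.path.join(root, "usr", "lib"))
    dirs = ["/", "/etc", "/dev", "/usr/bin", "/sbin", "/usr/lib"]
    return check_critical_dirs(root, dirs, expected_uid=os.getuid())


if __name__ == "__main__":
    for finding in demo_on_constructed_tree():
        print(finding)
```

On a real host the call is simply check_critical_dirs(), which expects root (uid 0) ownership; a directory such as /usr/ucb that is absent on a given release shows up as "missing" and can be dropped from the list.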
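To make the role of the mask entry concrete, here is an added Python example (not code from the Sun manual) that parses ACL entries written in the syntax of the table above and computes each entry's effective permissions: the mask caps named users, the owning group and named groups, while the owner and other are untouched. Permissions may be given as rwx strings or as a single octal digit, matching the setfacl -m user:ssa20:6 form used in the lab. The sample ACL strings and the function names are the example's own assumptions.

```python
"""Compute effective permissions from an ACL that carries a mask entry.

Added example, not code from the Sun manual. Entry syntax follows the
table: u[ser]::perms, g[roup]::perms, o[ther]:perms, m[ask]:perms,
u[ser]:uid:perms, g[roup]:gid:perms. Rule applied: the mask is the ceiling
for every entry except the owner and 'other'.
"""
from typing import Dict, List

_TAGS = {"u": "user", "user": "user", "g": "group", "group": "group",
         "o": "other", "other": "other", "m": "mask", "mask": "mask"}


def perms_to_bits(perms: str) -> int:
    """'rw-' -> 6, 'r-x' -> 5, and a single octal digit such as '6' -> 6."""
    if perms.isdigit():
        value = int(perms)
        if not 0 <= value <= 7:
            raise ValueError(f"bad octal permission: {perms}")
        return value
    if len(perms) != 3:
        raise ValueError(f"bad permission string: {perms}")
    return ((perms[0] == "r") << 2) | ((perms[1] == "w") << 1) | (perms[2] == "x")


def bits_to_perms(bits: int) -> str:
    """6 -> 'rw-'."""
    return ("r" if bits & 4 else "-") + ("w" if bits & 2 else "-") + ("x" if bits & 1 else "-")


def parse_acl_entry(entry: str) -> Dict:
    """'user:ssa20:rw-' -> {'tag': 'user', 'qualifier': 'ssa20', 'perms': 6}."""
    parts = entry.split(":")
    tag = _TAGS.get(parts[0])
    if tag is None:
        raise ValueError(f"unknown ACL tag in {entry!r}")
    if tag in ("other", "mask"):
        if len(parts) != 2:
            raise ValueError(f"{tag} entry takes no qualifier: {entry!r}")
        qualifier, perms = "", parts[1]
    else:
        if len(parts) != 3:
            raise ValueError(f"{tag} entry needs two colons: {entry!r}")
        qualifier, perms = parts[1], parts[2]
    return {"tag": tag, "qualifier": qualifier, "perms": perms_to_bits(perms)}


def effective_permissions(acl: str) -> List[Dict]:
    """Parse a comma-separated ACL and add the masked 'effective' bits to
    each entry. Owner (user::) and other: are never limited by the mask."""
    entries = [parse_acl_entry(e.strip()) for e in acl.split(",") if e.strip()]
    masks = [e["perms"] for e in entries if e["tag"] == "mask"]
    mask = masks[0] if masks else 7          # no mask entry: nothing is limited
    for e in entries:
        masked = e["tag"] == "group" or (e["tag"] == "user" and e["qualifier"] != "")
        e["effective"] = e["perms"] & mask if masked else e["perms"]
        e["effective_str"] = bits_to_perms(e["effective"])
    return entries


if __name__ == "__main__":
    # Constructed ACL: the lab's user:ssa20:6 entry under a mask of r--.
    for e in effective_permissions("user::rw-,user:ssa20:6,group::r--,mask:r--,other:---"):
        print(f"{e['tag']}:{e['qualifier']}:{bits_to_perms(e['perms'])}  "
              f"#effective:{e['effective_str']}")
```

With the constructed ACL user::rw-,user:ssa20:6,group::r--,mask:r--,other:--- the entry added for ssa20 asks for rw- but is effectively r-- because the mask is r--; that is the situation where ls shows the + yet the user still cannot write, and raising the mask (m:rw-) is what changes it for every user and group entry at once.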