Security Diagnostic Review for Solaris 2.X
Gary Bahadur and Dan Robertson
How do you know what is happening to your Solaris machine in a timely manner? One method is through regularly scheduled security diagnostic reviews. A review in this sense is a snapshot in time of the system. Continuous reviews are necessary to ensure that the system settings are correct and secure over time. A thorough review of the UNIX system, as well as the environment in which it operates, can identify many security weaknesses. In this article, we'll describe how to perform a basic diagnostic review of a Solaris machine. The basic concepts and script commands discussed can be applied to most UNIX environments.
A diagnostic review covers user and system administration, network environmental controls, and administrative policies and procedures. There are a number of security issues related to each of these topics that can be fixed upon completion of the diagnostic review. The script we describe, sec-check.csh, will help determine a number of these security weaknesses and should be run periodically, such as every two months. The current and previous runs should then be compared to determine what changes have occurred on the system. This script is not all encompassing, however, so other tools or scripts available on the Internet or from commercial vendors should also be used to gain a complete understanding of your system.
There are a number of commercial products available that perform diagnostic reviews. Our script performs many of the standard checks that a commercial product does and can be used on systems where installing a commercial product is not feasible: a firewall host that should not carry extra software, a machine without the disk space for the product, or a system on which the product fails to install or run. In those cases it is a good idea to have a backup method of reviewing the system. If you are running a version of UNIX that is not covered by one of the main diagnostic tools, the sec-check script can be modified to meet many of your needs.
To perform a thorough security diagnostic review of a UNIX system, several areas need to be covered. The system itself must be reviewed, including User Access, File Settings, System Settings, and Network Configuration. Each of these areas has potential security and administrative weaknesses that can be exploited by malicious users. Once the technical review of the system is completed, the administrative practices should be reviewed. In addition to reviewing the system and administrative practices, an external review of the system should be done by performing penetration tests to determine whether unauthorized remote access can be gained. (This area is not covered in detail in this article.)
Specific Solaris Commands
The checks mentioned in the following sections can be executed on most UNIX environments. The following items (listed in the script), which are specific to the Solaris environment, should also be checked:
- /etc/passwd and /etc/shadow files - The password file should be reviewed to ensure that only valid user names are in it. On Solaris 2.x the password hashes live in /etc/shadow, which is readable only by root; run a password guesser such as Crack 5.0 against a copy of it to find users whose passwords are easily guessable. The traditional crypt() used by Solaris 2.x only considers the first eight characters of a password, so length beyond that adds nothing.
- Local accounts with blank passwords - Every account should have a strong password. Installed applications frequently create an account with a default blank password, and test accounts are often left behind. An empty password field in /etc/shadow means the account can be used with no password at all; system accounts that should never log in should carry NP (no password) or be locked with *LK* instead. Check also that PASSREQ=YES is set in /etc/default/login so that users cannot choose an empty password.
- Default password settings - When a user sets a password, the defaults in /etc/default/passwd apply: PASSLENGTH (minimum length), MAXWEEKS and MINWEEKS (aging), and WARNWEEKS. Verify that strong defaults are in place; a minimum length below eight characters and no aging leave passwords that automated brute force guessers will usually find.
- Default login settings - Check the parameters in /etc/default/login: CONSOLE=/dev/console restricts root logins to the console, PASSREQ=YES requires a password, SYSLOG=YES logs root logins and repeated failures, and UMASK and TIMEOUT should be set conservatively. These parameters should be set as securely as possible.
- logindevperm - /etc/logindevperm lists the devices (frame buffer, audio, diskette and similar) whose ownership is handed to whoever logs in on the console. Review which devices are listed and with what permissions; this matters when console login is available to multiple users.
- Solaris loginlog - /var/adm/loginlog records failed login attempts (after five consecutive failures on one line). It is not created at installation, so create it owned by root, group sys, mode 600. Review it for attempts against accounts that do not belong on the system or that you know should not be logging in, and review successful logins with last; either may indicate an intruder.
- Solaris eeprom - The OpenBoot PROM allows anyone with physical access to the console to boot single-user or from alternate media and so gain root. Use eeprom to set security-mode to command (or full) and a strong security-password, and record that password safely: a forgotten PROM password generally means replacing the NVRAM.
- sulog settings - Check /var/adm/sulog, where each line records the date, a + for success or - for failure, the terminal, and the from-to user pair, and check /etc/default/su (SULOG, SYSLOG and CONSOLE). Direct root login should not be allowed, so that every root session starts with a logged su. Review failed su attempts and look for any patterns or suspicious names.
- cron usage - Only specific users should be allowed to use cron; not all users require it. /etc/cron.d/cron.allow and cron.deny determine which accounts can use crontab: if cron.allow exists only the users listed in it may, if only cron.deny exists everyone not listed may, and if neither exists only root may. Prefer an explicit cron.allow. Intruders usually modify cron files to set up back doors on compromised systems, so review the crontabs in /var/spool/cron/crontabs as well.
- NIS - There are many potential weaknesses associated with the use of NIS; in particular the password map is available to any host that can reach the NIS server. NIS+ should be used to increase security. The NIS checks listed in the script perform basic user, services, and password checking.
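The default-settings and cron checks above can be scripted against a copy of /etc. The POSIX shell fragment below is an added example and is not part of the authors' sec-check.csh; the /etc/default files it reads are constructed samples, and the values it insists on (CONSOLE=/dev/console, PASSREQ=YES, SYSLOG=YES, PASSLENGTH of at least 8, an explicit cron.allow) are the recommendations from the list, not Sun's shipped defaults.

```shell
#!/bin/sh
# Added example, not part of the article's sec-check.csh script.
# Audits /etc/default/{login,passwd,su} and /etc/cron.d under ROOT.
# The sample files below are constructed for the demonstration; call
# audit_defaults / to run against the live system (root can read /etc).

WORK=$(mktemp -d)
mkdir -p "$WORK/etc/default" "$WORK/etc/cron.d"

# Constructed /etc/default/login: CONSOLE and SYSLOG commented out, which
# is how a box looks after someone "fixed" remote root login.
cat > "$WORK/etc/default/login" <<'EOF'
#CONSOLE=/dev/console
PASSREQ=YES
#SYSLOG=YES
UMASK=022
EOF
# Constructed /etc/default/passwd: short minimum length, no aging.
cat > "$WORK/etc/default/passwd" <<'EOF'
MAXWEEKS=
MINWEEKS=
PASSLENGTH=6
EOF
cat > "$WORK/etc/default/su" <<'EOF'
SULOG=/var/adm/sulog
CONSOLE=/dev/console
SYSLOG=YES
EOF
# Constructed cron.deny without cron.allow: every unlisted user gets cron.
printf 'uucp\n' > "$WORK/etc/cron.d/cron.deny"

# default_value FILE KEY: value of an uncommented KEY= line, empty if unset.
default_value() {
    awk -F= -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# want FILE KEY EXPECTED: print a finding unless KEY is set to EXPECTED.
want() {
    val=$(default_value "$1" "$2")
    [ "$val" = "$3" ] || echo "FINDING: $1: $2=${val:-<unset>}, expected $3"
}

# audit_defaults ROOT: one FINDING line per weak setting.
audit_defaults() {
    d="$1/etc/default"
    want "$d/login" CONSOLE /dev/console     # root logs in on the console only
    want "$d/login" PASSREQ YES              # empty passwords refused
    want "$d/login" SYSLOG  YES              # root logins and failures logged
    want "$d/su"    SYSLOG  YES
    want "$d/su"    SULOG   /var/adm/sulog
    plen=$(default_value "$d/passwd" PASSLENGTH)
    [ "${plen:-0}" -ge 8 ] ||
        echo "FINDING: $d/passwd: PASSLENGTH=${plen:-<unset>}, expected 8 or more"
    [ -f "$1/etc/cron.d/cron.allow" ] ||
        echo "FINDING: $1/etc/cron.d/cron.allow missing; cron.deny alone admits every unlisted user"
}

# finding_count ROOT: number of findings, handy for comparing runs over time.
finding_count() {
    audit_defaults "$1" | awk '/^FINDING/ { n++ } END { print n + 0 }'
}

audit_defaults "$WORK"
echo "total findings: $(finding_count "$WORK")"
```

Save each run's output under a dated name and diff it against the previous run, as the article suggests for sec-check itself; a finding count that changes between runs is the first thing to look at.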
User Configuration Review
On any system and environment, user management is a good place to start looking for weaknesses and misconfigurations. Review each account for its last login date, when its password was last changed, inactivity, password strength, and file ownership. Compromising a user account is usually an intruder's first step toward compromising the entire system. The user configuration section of the sec-check script checks the following:
- uid 0 - More than one account with uid 0 may mean an incorrectly set user ID, an application account deliberately running as root, or an intruder who has added a superuser to the password file. Verify that every ID is valid and has the correct uid, and remove any uid 0 account that is not necessary.
- Mail file ownership - A mail file in /var/mail that is owned by the wrong user or readable by others lets users on the system read each other's mail. Verify that each file is owned by its recipient and not readable by other users.
- .netrc files - These store the host, user name, and cleartext password that ftp uses between systems, and they are very dangerous if anyone else can read them. They exist mainly for convenience and can usually be removed; where one must stay, it should be mode 600.
- .rhosts files - These (and /etc/hosts.equiv) allow unauthenticated access through rlogin, rsh, and rcp; an entry of + trusts every host. Most of the time they are used for convenience rather than necessity. They should be removed, and in.rlogind and in.rshd should be disabled in inetd.conf.
- .profile files - User profiles (.profile, .login, .cshrc) should be searched for incorrect settings, such as a PATH that includes . or a world-writable directory, or a permissive umask.
- Last login sessions - Check each user's last login with last. Users who have not logged in for 45-60 days may no longer be valid; review all accounts to determine whether they are still needed. A login by an inactive user, or by someone who has left the company, may indicate an intruder.
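The uid 0, blank-password, and .rhosts/.netrc checks from this section, as an added example that is not the authors' script: it reads a copy of passwd and shadow under a root directory and walks the home directories named in passwd. The accounts, hashes, and dotfiles are constructed here (the hash strings are placeholders, not real crypt output); last-login and mail-file checks need the live wtmp and /var/mail and are left to last and ls on the system itself.

```shell
#!/bin/sh
# Added example, not the article's sec-check.csh: user-account checks over
# a copy of passwd/shadow and the home directories under ROOT. All sample
# data is constructed; pass / as ROOT on the live system.
umask 022
WORK=$(mktemp -d)
mkdir -p "$WORK/etc" "$WORK/root" "$WORK/home/alice" "$WORK/home/bob"

# Constructed /etc/passwd: "toor" is a planted second uid 0 account.
cat > "$WORK/etc/passwd" <<EOF
root:x:0:1:Super-User:$WORK/root:/sbin/sh
daemon:x:1:1::$WORK/root:
alice:x:1001:10:Alice:$WORK/home/alice:/bin/sh
bob:x:1002:10:Bob:$WORK/home/bob:/bin/sh
toor:x:0:1:backdoor:$WORK/root:/bin/sh
EOF
# Constructed /etc/shadow: NP means no password login (fine for daemon);
# an empty second field (bob) means login with no password at all.
cat > "$WORK/etc/shadow" <<'EOF'
root:Ab1cD2eF3gH4i:10000::::::
daemon:NP:10000::::::
alice:Ab1cD2eF3gH4i:10000::::::
bob::10000::::::
toor:Ab1cD2eF3gH4i:10000::::::
EOF
printf 'bigbox alice\n' > "$WORK/home/alice/.rhosts"
printf 'machine ftp login bob password s3cret\n' > "$WORK/home/bob/.netrc"
chmod 644 "$WORK/home/bob/.netrc"        # cleartext password, world-readable

# extra_uid0 ROOT: every uid 0 account other than root itself.
extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1/etc/passwd"
}

# empty_passwords ROOT: accounts whose shadow password field is empty.
empty_passwords() {
    awk -F: '$2 == "" { print $1 }' "$1/etc/shadow"
}

# trust_files ROOT: "user path mode" for each .rhosts/.netrc in a home
# directory named in passwd; mode is the first column of ls -l.
trust_files() {
    awk -F: '$6 != "" { print $1, $6 }' "$1/etc/passwd" |
    while read -r user home; do
        for f in .rhosts .netrc; do
            [ -f "$home/$f" ] || continue
            mode=$(ls -l "$home/$f" | awk '{ print $1 }')
            echo "$user $home/$f $mode"
        done
    done
}

# audit_users ROOT: one FINDING line per problem.
audit_users() {
    for u in $(extra_uid0 "$1"); do echo "FINDING: extra uid 0 account $u"; done
    for u in $(empty_passwords "$1"); do echo "FINDING: $u has no password"; done
    trust_files "$1" | while read -r user path mode; do
        case $mode in
            ???????r??) echo "FINDING: $user: $path is world-readable ($mode)" ;;
            *)          echo "FINDING: $user: $path present ($mode)" ;;
        esac
    done
}

finding_count() { audit_users "$1" | awk '/^FINDING/ { n++ } END { print n + 0 }'; }

audit_users "$WORK"
```

The world-readable test looks at the eighth character of the ls -l mode string (the "other" read bit); a .netrc that fails it is readable by every local user, but even a mode 600 .rhosts is a finding, because the file grants access without a password at all.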
File Settings Review
File ownership and permissions should be reviewed for the entire system. The following file checks should be performed:
- List suid/sgid files - suid/sgid programs run with the privileges of the file's owner or group, which makes them a favorite target for intruders, both to exploit and to plant. Maintain a list of all suid/sgid files, compare it against the previous run, and investigate every new entry.
- List directories with the sticky bit - The sticky bit on a directory such as /tmp prevents users from deleting or renaming files they do not own. Verify that public directories have it set; on regular files the bit is not a security control.
- List world writable files - Only a few files need to be world writable. Some system files and some applications require it, but in most cases it is unnecessary. Be especially wary of writable system files such as crontabs or the rc* startup scripts: a world-writable startup script is an easy route to root. An intruder will look for world writable files.
- List /etc, /bin, /usr/bin, /sbin, / directories - These are the important system directories. Review the files and their permissions for validity; if the directories or the files in them are writable by ordinary users, they allow excessive access.
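The suid/sgid and world-writable inventories, plus the comparison against the previous run that the article recommends, as an added example (not the authors' sec-check.csh). It builds a small constructed tree so it runs anywhere; on a real system point the functions at / and keep the baseline file somewhere the intruder cannot edit it.

```shell
#!/bin/sh
# Added example, not the article's sec-check.csh: list suid/sgid files and
# world-writable files/directories under a tree, and report suid/sgid files
# that were not in the previous run's list. The tree is constructed here.
umask 022
WORK=$(mktemp -d)
TREE="$WORK/tree"
mkdir -p "$TREE/usr/bin" "$TREE/etc" "$TREE/tmp"
chmod 1777 "$TREE/tmp"                                          # sticky public dir
: > "$TREE/usr/bin/passwd"; chmod 4555 "$TREE/usr/bin/passwd"   # expected suid
: > "$TREE/usr/bin/su";     chmod 4555 "$TREE/usr/bin/su"
: > "$TREE/usr/bin/write";  chmod 2555 "$TREE/usr/bin/write"    # expected sgid
: > "$TREE/etc/rc2";        chmod 666  "$TREE/etc/rc2"          # world-writable rc script

# privileged_files DIR: sorted paths of suid or sgid regular files.
privileged_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print | sort
}

# world_writable DIR: files and directories with the other-write bit set,
# excluding sticky directories such as /tmp where that is intended.
world_writable() {
    find "$1" \( -type f -o -type d \) -perm -002 ! -perm -1000 -print | sort
}

# new_privileged BASELINE DIR: suid/sgid files absent from BASELINE, the
# list saved by a previous run (comm needs both inputs sorted).
new_privileged() {
    privileged_files "$2" | comm -13 "$1" -
}

# Take the baseline as the "previous" run, then simulate an intruder
# planting a suid copy of a shell in a hidden file under /tmp.
privileged_files "$TREE" > "$WORK/suid.baseline"
: > "$TREE/tmp/.x"; chmod 4755 "$TREE/tmp/.x"

echo "== suid/sgid files";    privileged_files "$TREE"
echo "== world-writable";     world_writable "$TREE"
echo "== new since baseline"; new_privileged "$WORK/suid.baseline" "$TREE"
```

The -perm -4000 / -2000 tests match files that have the bit set regardless of the other mode bits, so a suid program that was also made world-writable shows up in both lists; that combination deserves the first look.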
System Configuration Review
Default UNIX settings are inherently weak. The following system configuration files should be reviewed:
- /etc/inetd.conf - A good policy is to deny every service not necessary to the functioning of the system. Review all enabled services, determine which ones are not needed, comment them out, and send inetd a HUP signal so the change takes effect. TCP Wrappers can then restrict the remaining services by client address. Unnecessary services provide a prime target for intruders.
- /etc/dfs/dfstab - On Solaris 2.x, NFS exports are the share commands in /etc/dfs/dfstab (the BSD-style /etc/exports is not used), and the file systems currently shared appear in /etc/dfs/sharetab. Review every share and its options to determine whether excessive access, such as write access with no host restriction, is given. A share with rw and no host list can be read and modified by anyone; shares should normally be ro, or rw= restricted to named hosts, and should not map anonymous requests to root with anon=0.
- /etc/profile - The system profile applies to all users and should be reviewed to make sure no incorrect setting has been applied globally (for example, a umask with excessive permissions or an insecure PATH).
- /etc/ftpusers - Not all users need ftp. Users listed in this file are refused by in.ftpd. All system accounts, every user who does not need ftp, and root should be in it. ftp sends the password in clear text on the network, so using the root password with ftp hands it to anyone sniffing.
- cron files - Review the crontab files under /var/spool/cron/crontabs for evidence that an intruder has gained access. Many intruders modify cron jobs to reopen a back door or perform some specific activity once they have compromised a system.
- sendmail.cf - Check sendmail.cf to determine your configuration. The vrfy and expn commands, which let a remote user enumerate accounts, should be turned off; in sendmail 8.x this is the PrivacyOptions setting (novrfy, noexpn, or goaway). Sendmail has a long history of remote vulnerabilities, so also make sure the version is current.
- sulog - Review /var/adm/sulog to determine that only valid users are using su. Attempts by users who are not authorized to use su may indicate an intruder. You can further protect su by restricting who may execute it. Direct login to root should be denied and the use of su forced; a program such as sudo can grant specific privileged commands without sharing the root password.
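The inetd.conf, ftpusers, and dfstab reviews above, as an added example that is not the authors' script. It compares the enabled inetd services against a list you supply of the services that are supposed to run, reports Solaris system accounts (uid below 100) that ftpusers does not deny, and flags dfstab shares that are writable by every host. All three input files are constructed samples in the Solaris 2.x layout.

```shell
#!/bin/sh
# Added example, not the article's sec-check.csh. Input files are
# constructed samples; pass / as ROOT to read the live /etc.
WORK=$(mktemp -d)
mkdir -p "$WORK/etc/dfs"

cat > "$WORK/etc/inetd.conf" <<'EOF'
# constructed sample in the Solaris 2.x layout
ftp     stream  tcp     nowait  root    /usr/sbin/in.ftpd       in.ftpd
telnet  stream  tcp     nowait  root    /usr/sbin/in.telnetd    in.telnetd
shell   stream  tcp     nowait  root    /usr/sbin/in.rshd       in.rshd
login   stream  tcp     nowait  root    /usr/sbin/in.rlogind    in.rlogind
finger  stream  tcp     nowait  nobody  /usr/sbin/in.fingerd    in.fingerd
#tftp   dgram   udp     wait    root    /usr/sbin/in.tftpd      in.tftpd -s /tftpboot
chargen stream  tcp     nowait  root    internal
100232/10 tli   rpc/udp wait    root    /usr/sbin/sadmind       sadmind
EOF
cat > "$WORK/etc/passwd" <<'EOF'
root:x:0:1:Super-User:/:/sbin/sh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
sys:x:3:3::/:
uucp:x:5:5:uucp Admin:/usr/lib/uucp:
alice:x:1001:10:Alice:/export/home/alice:/bin/sh
EOF
printf 'root\nuucp\n' > "$WORK/etc/ftpusers"
cat > "$WORK/etc/dfs/dfstab" <<'EOF'
share -F nfs -o ro /export/doc
share -F nfs -o rw=admin1:admin2 /export/home
share -F nfs -o rw,anon=0 /export/tools
share -F nfs /export/scratch
EOF

# enabled_services INETD_CONF: service names of the uncommented entries.
enabled_services() {
    awk '!/^[ \t]*#/ && NF >= 6 { print $1 }' "$1" | sort -u
}

# unexpected_services INETD_CONF "svc ...": enabled services not on the list.
unexpected_services() {
    for svc in $(enabled_services "$1"); do
        case " $2 " in *" $svc "*) ;; *) echo "$svc" ;; esac
    done
}

# ftp_allowed_system_accounts PASSWD FTPUSERS: accounts with uid below 100
# (the Solaris system accounts) that ftpusers does not deny.
ftp_allowed_system_accounts() {
    awk -F: '$3 < 100 { print $1 }' "$1" | grep -vxF -f "$2" || :
}

# open_shares DFSTAB: shares whose -o options neither make them read-only
# nor limit writers to named hosts, i.e. writable from any client.
open_shares() {
    awk '/^[ \t]*share[ \t]/ {
        opts = ""
        for (i = 1; i < NF; i++) if ($i == "-o") opts = $(i + 1)
        n = split(opts, o, ",")
        safe = 0
        for (j = 1; j <= n; j++) if (o[j] == "ro" || o[j] ~ /^(ro|rw)=/) safe = 1
        if (!safe) print $NF
    }' "$1"
}

# audit_system ROOT "svc ...": one FINDING line per problem.
audit_system() {
    for s in $(unexpected_services "$1/etc/inetd.conf" "$2"); do
        echo "FINDING: inetd service $s enabled but not on the approved list"
    done
    for u in $(ftp_allowed_system_accounts "$1/etc/passwd" "$1/etc/ftpusers"); do
        echo "FINDING: system account $u is not in /etc/ftpusers"
    done
    for d in $(open_shares "$1/etc/dfs/dfstab"); do
        echo "FINDING: $d is shared read-write to every host"
    done
}
finding_count() { audit_system "$1" "$2" | awk '/^FINDING/ { n++ } END { print n + 0 }'; }

audit_system "$WORK" "ftp telnet"
```

The approved-service list is the control: anything inetd will start that is not on it is a finding, which catches both forgotten defaults (finger, chargen, sadmind) and lines an intruder appended. open_shares treats rw=hosts as restricted; it does not separately call out anon=0, which on /export/tools maps unknown remote users to root and is worth a manual look.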
Network Configuration Review
Network settings can be misconfigured to inadvertently allow access to your UNIX system. Reviewing which connections are configured or permitted, and monitoring the connections actually in use, is very important. Many systems fall to an intruder through connections from unsecure or compromised machines. The following checks should be performed:
- List rpcinfo - rpcinfo -p lists the RPC services registered with the portmapper; anyone on the network can obtain the same list by pointing rpcinfo at your host. RPC services have a long record of weaknesses, so only necessary ones should run.
- Display netstat -rn - netstat -rn displays the routing table, and netstat -a the active connections and listening ports. Verify that the routes and connections are all valid and expected; misconfigured routes cause connectivity problems and can send traffic through hosts you do not trust.
- Check tcpwrappers - If you are using TCP Wrappers, review /etc/hosts.allow and /etc/hosts.deny. It is easy to misconfigure them and allow unwanted access: a missing default deny (ALL: ALL in hosts.deny), or an allow entry open to ALL clients, silently admits everyone.
- Display syslog.conf - Review /etc/syslog.conf to determine how logging is taking place, and send a copy of the logs to a separate loghost. Intruders who compromise your system normally review this file and change it, or edit the local log files, to hide their presence; logs held only on the compromised machine cannot be trusted.
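The TCP Wrappers and syslog.conf checks above, as an added example that is not the authors' script. The hosts.allow, hosts.deny, and syslog.conf files are constructed samples; the rules it enforces (a catch-all deny, no service allowed from ALL clients, an auth selector, and a remote @loghost action) are the recommendations from this section. The sample syslog.conf uses spaces between selector and action for readability; the real Solaris syslogd requires a tab there.

```shell
#!/bin/sh
# Added example, not the article's sec-check.csh. Sample files are
# constructed; pass / as ROOT to check the live /etc.
WORK=$(mktemp -d)
mkdir -p "$WORK/etc"
cat > "$WORK/etc/hosts.allow" <<'EOF'
# constructed: telnet has been opened to the world by mistake
in.ftpd:    10.1.2.
in.telnetd: ALL
in.rlogind: .example.com
EOF
cat > "$WORK/etc/hosts.deny" <<'EOF'
# constructed: no catch-all rule, so any service not mentioned is allowed
in.fingerd: ALL
EOF
cat > "$WORK/etc/syslog.conf" <<'EOF'
*.err;kern.notice;auth.notice              /dev/sysmsg
*.err;kern.debug;daemon.notice;mail.crit   /var/adm/messages
*.alert;kern.err;daemon.err                operator
*.alert                                    root
*.emerg                                    *
EOF

# wrapper_findings HOSTS_ALLOW HOSTS_DENY: default-deny and ALL-client checks.
wrapper_findings() {
    grep -q '^[[:space:]]*ALL[[:space:]]*:[[:space:]]*ALL' "$2" ||
        echo "FINDING: $2 has no 'ALL: ALL' rule; unlisted services are open"
    awk -F: -v file="$1" '!/^[ \t]*#/ && NF >= 2 {
        gsub(/[ \t]/, "", $1); gsub(/[ \t]/, "", $2)
        if ($2 == "ALL") print "FINDING: " file ": " $1 " allowed from ALL clients"
    }' "$1"
}

# syslog_findings SYSLOG_CONF: is auth logged, and does a copy leave the host?
syslog_findings() {
    awk '!/^[ \t]*#/ && NF >= 2 {
        if ($1 ~ /(^|;)auth\./) auth = 1
        if ($2 ~ /^@/) remote = 1
    }
    END {
        if (!auth)   print "FINDING: no auth.* selector; login and su events are not logged"
        if (!remote) print "FINDING: no @loghost action; the only copy of the logs is on this host"
    }' "$1"
}

# audit_network ROOT: one FINDING line per problem.
audit_network() {
    wrapper_findings "$1/etc/hosts.allow" "$1/etc/hosts.deny"
    syslog_findings "$1/etc/syslog.conf"
}
finding_count() { audit_network "$1" | awk '/^FINDING/ { n++ } END { print n + 0 }'; }

audit_network "$WORK"
```

The hosts.allow check only catches the literal ALL wildcard; an entry such as in.telnetd: 10. is just as open on a large network, so review the client lists by hand as well. The remote-log check passes as soon as any selector forwards to a loghost; make sure the forwarded selector actually covers auth and the facilities you care about.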
The sec-check script included here is not intended to be all encompassing. Thus, several additional areas should be checked on a regular basis for a more complete view of the security status of your systems. We recommend the following as a minimal augmentation of the script.
Along with a review of the settings on the system, the administrative procedures need to be reviewed. The change control, system documentation, and maintenance procedures should be clearly defined and followed for the successful administration of the machine and the network. In a large environment with multiple administrators and systems, consistently documented administrative procedures and controls must be followed. Otherwise different administrative practices will be followed across systems, and weaknesses may be introduced into the environment.
Corporate and system policies and procedures should also be reviewed. The system should adhere to defined policies and procedures, such as a written corporate security policy, an Internet security policy, or email policy. These policies should define usage of the system, services available, user training, user guidelines, and system configuration guidelines.
The script performs an intrusive review of the internal settings of the system and requires root access to run. To understand how the machine looks to an outside intruder, a network scanning tool should be run against it as well. Such tools are executed against a given IP address without any special permission on the target: they probe the services the machine offers and test them for known weaknesses. They should be used as part of a full diagnostic review of any UNIX system.
Solaris comes with several built-in options that can help with administration and security issues mentioned in the script, but beyond the script's functions. Using a combination of sec-check and these tools should greatly enhance the security and administration function of your system. These built-in options include:
- PAM - The Pluggable Authentication Module framework (Solaris 2.6 and later) allows you to plug in new authentication mechanisms, such as Kerberos, without changing login, su, and the other programs that authenticate users.
- Admintool - This tool performs user, group, password, printer, serial port, and software administration.
- ASET - The Automated Security Enhancement Tool provides a mechanism for checking and tightening security options. It runs automated checks at a chosen level (low, medium, or high) and can be scheduled from cron.
Once you have run the sec-check script and reviewed the output in detail, you need to fix any weaknesses found. It is very important to run a diagnostic tool on a periodic basis to ensure that your system weaknesses remain at a minimum over time.
Real-time monitoring programs should be installed to continuously check your system for weaknesses and possible intrusion attempts. Commercial tools should be used if possible. There are a number of freeware utilities that can assist in monitoring the system as well.
Most environments will have multiple UNIX operating systems running. This script can easily be enhanced to accommodate other operating systems, as well as to add more checks for system administration purposes. Most of the commands in the last four sections can be used on all UNIX environments. The first section can be replaced with checks specific to other operating systems such as AIX or HP-UX.
About the Author
Gary and Dan are both managers in Ernst & Young's Information Security Services group specializing in UNIX and Internet security attack and penetration testing. They can be reached at email@example.com and firstname.lastname@example.org.