Command Reference
The following commands are commonly used to secure Solaris systems.
aset
The Automated Security Enhancement Tool (aset) is supplied by Sun as a multilevel tool for finding system weaknesses. Besides reporting potential vulnerabilities, aset can fix many of the problems it identifies, and the companion aset.restore script undoes those changes if they turn out to break something. There are three distinct operational levels, selected with aset -l low, aset -l med, or aset -l high:
- Low level Undertakes a number of checks and reports any vulnerabilities found. No remedial action is performed.
- Medium level Undertakes a moderate number of checks and reports any vulnerabilities found. Restricts system access to some services and files.
- High level Undertakes the full set of checks and tightens the permissions on many system files and directories to the most restrictive setting. Applications that depend on the default permissions may be affected, so test before using it on a production host.
Low-level runs are best scheduled as a weekly cron job (aset -p installs one according to the PERIODIC_SCHEDULE entry in /usr/aset/asetenv), so that administrators can tell whether newly installed applications, services, or patches have weakened system security since the last run. A medium-level run should be performed on every newly installed system that sits behind a firewall. For systems directly connected to the Internet, such as Web and proxy servers, a high-level run should be performed immediately after installation; this reduces many of the default permissions assigned to system files to an appropriate scope. The /usr/aset/asetenv file can be modified to change which tasks run and how they behave when aset is executed. The individual tasks performed by aset are the following:
tune       Sets the permissions of system files to those appropriate for the chosen level
cklist     Compares system files and directories with a master description of their
           expected ownership, permissions, size and checksum, and reports differences
usrgrp     Checks user accounts and groups (the passwd and group entries) for
           consistency and integrity
sysconf    Verifies the system configuration files stored in /etc
env        Checks the PATH and umask settings in the root startup files
           (/.profile, /.cshrc and /.login)
eeprom     Checks the security level of the OpenBoot PROM monitor
firewall   Checks, and at the higher levels configures, the system for safe use as a
           network relay, for example by disabling IP forwarding
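The weekly low-level run described above only pays off if someone notices what changed between runs. The script below is an added example (not from the page and not part of Sun's aset distribution) that runs the low-level pass from cron and compares each per-task report with a reviewed baseline, so drift caused by a new package, patch or service shows up as a diff rather than having to be spotted by re-reading the whole report. It assumes the standard Solaris layout (aset in /usr/aset, each run written to /usr/aset/reports/<timestamp>/*.rpt with a "latest" symlink); the baseline directory, the script name, the function names and the assumption that the report files carry no per-run timestamp are this script's own.

```shell
#!/bin/sh
# Added example, not from the page or from Sun: weekly low-level aset run whose
# per-task reports are compared with a reviewed baseline.
# Assumptions: aset lives in /usr/aset and writes each run to
# /usr/aset/reports/<timestamp>/*.rpt with a "latest" symlink (standard Solaris
# layout); BASELINE_DIR, the script name and the function names are this
# script's own. The *.rpt files are assumed to contain no per-run timestamp;
# if yours do, strip it before comparing.
#
# Install as /usr/local/sbin/aset-weekly.sh (hypothetical name) and add to
# root's crontab, for example one run every Sunday at 02:00:
#   0 2 * * 0 /usr/local/sbin/aset-weekly.sh run
# After reviewing a reported change and finding it legitimate, make the latest
# run the new baseline:
#   /usr/local/sbin/aset-weekly.sh accept

ASET_DIR=${ASET_DIR:-/usr/aset}
BASELINE_DIR=${BASELINE_DIR:-/var/adm/aset-baseline}

# compare_reports BASELINE_DIR NEW_DIR
# Prints "NEW <file>" for a report that has no baseline and "CHANGED <file>"
# for one that differs from its baseline; prints nothing when they all match.
compare_reports() {
    baseline=$1
    new=$2
    for rpt in "$new"/*.rpt; do
        [ -f "$rpt" ] || continue
        name=$(basename "$rpt")
        if [ ! -f "$baseline/$name" ]; then
            echo "NEW $name"
        elif ! cmp -s "$baseline/$name" "$rpt"; then
            echo "CHANGED $name"
        fi
    done
}

# run_low_level: execute a report-only (low-level) pass and report drift.
# Returns 0 when nothing changed, 2 when a report differs from the baseline
# (cron mails the output either way if anything is printed).
run_low_level() {
    latest=$ASET_DIR/reports/latest
    "$ASET_DIR/aset" -l low >/dev/null 2>&1 || {
        echo "aset -l low failed" >&2
        return 1
    }
    mkdir -p "$BASELINE_DIR"
    changes=$(compare_reports "$BASELINE_DIR" "$latest")
    if [ -z "$changes" ]; then
        echo "aset: no change since baseline"
        return 0
    fi
    echo "aset: reports differ from baseline:"
    echo "$changes"
    # Show the actual differences so the reviewer sees which file, permission
    # or account moved; a report with no baseline is printed whole.
    echo "$changes" | while read -r state name; do
        echo "--- $name"
        if [ "$state" = CHANGED ]; then
            diff "$BASELINE_DIR/$name" "$latest/$name"
        else
            cat "$latest/$name"
        fi
    done
    return 2
}

# accept_baseline: promote the most recent run to the reviewed baseline.
accept_baseline() {
    mkdir -p "$BASELINE_DIR"
    cp "$ASET_DIR"/reports/latest/*.rpt "$BASELINE_DIR"/
}

case "${1:-}" in
    run)    run_low_level ;;
    accept) accept_baseline ;;
esac
```

The baseline is only replaced by an explicit accept, never automatically, so a change introduced by a patch keeps being reported until an administrator has looked at it; otherwise a bad change would silently become the new normal after one week.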
TCP Wrappers
Logging who connected to which service, and when, is the first step in finding out whether an organization's networks have an access-control problem. Individual instances of unauthorized access to a resource can then be collated and examined statistically for recurring patterns of abuse. Applications can also consult such logs to accept or reject connections on the basis of past behaviour, using the centralized logging that Solaris provides through the syslogd system-logging daemon.
One reason access monitoring is rarely discussed is that the standard UNIX network daemons spawned by the Internet super server inetd (discussed earlier) have no provision for writing their own records to syslog. Newer Internet service daemons, such as the Apache Web server, run as standalone services that do not need inetd, and have their own logging facilities that are used to track Web site usage.
Wietse Venema's TCP Wrappers are a popular way of logging the accepted and rejected connections of daemons launched from inetd, because the wrapper program (tcpd) sits in front of each service and requires no changes to existing binary distributions or to the daemons' own configuration files. TCP Wrappers can be downloaded in source form from ftp://ftp.porcupine.org/pub/security/index.html.
In their simplest form, TCP wrappers are used only for monitoring, but the access rules in /etc/hosts.allow and /etc/hosts.deny let them reject connections as well, and the log they produce can drive decisions based on history. For example, a flood of rsh requests from an untrusted host could be cut off after three failed attempts from that host. Note that tcpd itself makes a stateless decision for each connection and never sees what happens inside the session, so a lockout of this kind has to be built around its log by a separate process that counts refusals or login failures and updates the deny rules. TCP wrappers work by having inetd start the small wrapper program instead of the service: tcpd logs the request, checks it against the access rules, and then executes the "real" daemon, which is either named next to tcpd in inetd.conf or moved into a subdirectory below the wrappers so that tcpd can be installed under the daemon's original name. Each log entry records the date and time of the request, the client hostname (or address when the name cannot be resolved), and whether the request was accepted or refused. The current version supports the SVR4 (System V Release 4) TLI network programming interface used under Solaris, which is functionally equivalent to the Berkeley socket interface. The latest release also supports access control and detection of host address or hostname spoofing: it checks that a client's reverse and forward DNS lookups agree (the PARANOID pattern in the access rules matches clients for which they do not) and can refuse source-routed connections. The latter matters wherever authentication grants access on the basis of IP subnet ranges or specific hostnames on a LAN; if these are spoofed and a rogue client is admitted, the entire security infrastructure has failed. It is critical to detect and reject unauthorized connections at an early stage, and TCP wrappers are an integral part of this mechanism.
Nov 18 11:00:52 server in.telnetd[1493]: connect from client.site.com
Nov 18 11:25:03 server in.telnetd[1510]: connect from workstation.site.com
Nov 18 11:25:22 server in.telnetd[1511]: connect from client.site.com
Nov 18 12:16:30 server in.ftpd[1556]: connect from workstation.site.com
These entries show that between 11:00 A.M. and 12:16 P.M. on November 18, clients connected using Telnet from client.site.com and workstation.site.com, and that there was one FTP connection from workstation.site.com. All four requests were accepted; a request rejected by the access rules is logged as "refused connect from" instead. Although this section has shown wrappers only for in.ftpd and in.telnetd, wrappers can be installed for most services launched from inetd, including finger, talk, tftp (trivial FTP), and rsh (remote shell).
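The script below is an added example, not from the page and not part of the tcp_wrappers distribution, that puts the pieces above together: the inetd.conf change that places tcpd in front of a daemon, a deny-by-default policy in hosts.allow and hosts.deny, and the history-based rejection the text describes, built around tcpd's log because tcpd keeps no state of its own. The subnet, host names, the /usr/local/sbin/tcpd install path, the /etc/hosts.banned file, the threshold and all function names are this script's own assumptions, and the log it analyses is constructed after the page's excerpt rather than captured traffic.

```shell
#!/bin/sh
# Added example, not from the page and not part of the tcp_wrappers distribution.
# Assumptions: subnet, host names, the /usr/local/sbin/tcpd install path, the
# /etc/hosts.banned file, the threshold and all function names are this
# script's own; SAMPLE_LOG is constructed, not captured traffic.

# 1. inetd.conf, "easy" install: tcpd is started in the daemon's place and
#    execs the real daemon from its compiled-in REAL_DAEMON_DIR (/usr/sbin on
#    Solaris). Before and after, followed by: pkill -HUP inetd
#    telnet stream tcp nowait root /usr/sbin/in.telnetd   in.telnetd
#    telnet stream tcp nowait root /usr/local/sbin/tcpd   in.telnetd

# 2. Policy. tcpd reads /etc/hosts.allow first, then /etc/hosts.deny; the first
#    matching rule wins and no match at all means allow, so the catch-all deny
#    lives in hosts.deny and every permitted client is named in hosts.allow.
#    A client pattern starting with "/" names a file of patterns
#    (hosts_access(5)), so the ban list can grow without editing the policy.
#    write_wrapper_policy takes the target directory so it can be exercised
#    outside /etc; in production pass /etc.
write_wrapper_policy() {
    dir=$1
    cat > "$dir/hosts.deny" <<'EOF'
# Refuse everything not explicitly permitted in hosts.allow.
ALL: ALL
EOF
    cat > "$dir/hosts.allow" <<'EOF'
# LAN clients may use telnet and ftp, one named host may use rsh; hosts listed
# in the ban file are cut off from every wrapped service.
in.telnetd in.ftpd: 192.168.1.0/255.255.255.0 EXCEPT /etc/hosts.banned
in.rshd: workstation.site.com EXCEPT /etc/hosts.banned
EOF
    : > "$dir/hosts.banned"
}

# Constructed sample modelled on the page's excerpt. tcpd logs "connect from"
# for an accepted request and "refused connect from" for a rejected one;
# 192.168.1.50 is inside the telnet/ftp subnet but keeps trying rsh.
SAMPLE_LOG='Nov 18 11:00:52 server in.telnetd[1493]: connect from client.site.com
Nov 18 11:01:10 server in.rshd[1495]: refused connect from 192.168.1.50
Nov 18 11:01:12 server in.rshd[1496]: refused connect from 192.168.1.50
Nov 18 11:01:15 server in.rshd[1497]: refused connect from 192.168.1.50
Nov 18 11:25:03 server in.telnetd[1510]: connect from workstation.site.com
Nov 18 11:30:00 server in.ftpd[1520]: refused connect from scanner.example.net
Nov 18 12:16:30 server in.ftpd[1556]: connect from workstation.site.com'

# 3. Detection. refused_hosts LOGFILE [THRESHOLD] prints "<count> <client>"
#    for every client refused at least THRESHOLD (default 3) times, most
#    refusals first. The client field is whatever tcpd logged (name or
#    address), which is also the form the access rules match against.
refused_hosts() {
    logfile=$1
    threshold=${2:-3}
    awk -v t="$threshold" '
        index($0, " refused connect from ") {
            split($0, parts, " refused connect from ")
            host = parts[2]
            sub(/[[:space:]].*$/, "", host)   # first token after the phrase
            n[host]++
        }
        END { for (h in n) if (n[h] >= t) print n[h], h }
    ' "$logfile" | sort -rn
}

# 4. Response. block_refused_hosts LOGFILE BANFILE [THRESHOLD] appends each
#    offender to the ban file once. tcpd re-reads the access files on every
#    connection, so the ban takes effect without restarting inetd.
block_refused_hosts() {
    logfile=$1
    banfile=$2
    threshold=${3:-3}
    refused_hosts "$logfile" "$threshold" | while read -r count host; do
        grep -qxF "$host" "$banfile" 2>/dev/null && continue
        printf '# %s refused connections\n%s\n' "$count" "$host" >> "$banfile"
    done
}
```

Run block_refused_hosts from cron against the syslog file that receives tcpd's messages, and keep the threshold conservative: anything that can make connections appear to come from an address (a shared NAT gateway, a misconfigured proxy) can get that address banned, so a low threshold turns the mechanism into a denial-of-service lever. The same loop works on a daemon's own "login failure" messages if you want to react to failed authentication rather than refused connections; tcpd cannot see those itself.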