Chapter 7 - Performing Security Administration

Upload: vijayen123

Post on 19-Jul-2016

TRANSCRIPT

Page 1: Chapter 7 - Performing Security Administration

PERFORMING SECURITY ADMINISTRATION

Chapter 7

Page 2: Chapter 7 - Performing Security Administration

Overview

• How system security is performed on Solaris 10
• Security issues in accessing the system
• Security issues in accessing the data on the system
• Managing this security at both the data and system levels

Page 3: Chapter 7 - Performing Security Administration

Monitoring System Access

Objective : Monitor system access by using appropriate commands

Monitoring system access is an important task in the arena of system security.

Monitoring system access involves both watching login activities and allowing or denying logins.

In order to control access, all users must be required to have passwords, and the passwords must be managed. Therefore, password management and login management are key to monitoring system access.

Page 4: Chapter 7 - Performing Security Administration

Password Management

A password is an important component of a user account. In order to control system access, passwords must be managed, beginning with making sure that every user has a password.

To find the users who do not have passwords, use the following command:

logins -p

A password also has important parameters related to its age that you can manage.

Page 5: Chapter 7 - Performing Security Administration

Password Management

passwd <username> [<options>]

Page 6: Chapter 7 - Performing Security Administration

Password Management

The following options are available for this command:

-d. Delete the password; that means the logins will not prompt for a password.

-f. Force the user to change password at the next login.

-l. Lock the account; no more logins will be allowed.

-n <min>. Specify the minimum number of days between two consecutive password changes.

-s. Display password attributes for this user.

-w <warn>. Specify the number of days before the expiration date when the user will get the warning.

-x <max>. Specify the maximum number of days allowed between two consecutive password changes.

Page 7: Chapter 7 - Performing Security Administration

Login Management

You can find out who is currently logged into the system by using the who command, which has the following syntax:

who [<options>]

Following are the most common options for this command:

-b. Show the time for the last reboot.

-d. Show the processes that have expired.

-H. Print column headings above the output.

-l. List the processes that are waiting for someone to log in.

-q. Quick display—show only the number of users logged in and their names. When this option is given, all other options are ignored.

-r. Display the system run level.

Page 8: Chapter 7 - Performing Security Administration

Monitoring Failed Login Attempts

Failed login attempts are automatically recorded in the file /var/adm/loginlog. All you need to do is create this file, using the following command:

touch /var/adm/loginlog

If you want to record each failed login attempt (that is, even if someone makes only one unsuccessful attempt to log in), edit the following file: /etc/default/login

Set the following parameter:

SYSLOG_FAILED_LOGINS=0

Now, every failed login attempt will be recorded into the loginlog file.

Page 9: Chapter 7 - Performing Security Administration

Temporarily Disabling User Logins

You may need to temporarily disable all user logins—for example, during system shutdown or system maintenance. In order to prevent all non-root users from logging in, you can create the file /etc/nologin:

touch /etc/nologin

Page 10: Chapter 7 - Performing Security Administration

Capture Failed Login Attempts

Page 11: Chapter 7 - Performing Security Administration

Performing System Security

Monitoring Superuser Access Attempts

The monitoring can be performed in two ways: observing the accesses, and restricting them.

Page 12: Chapter 7 - Performing Security Administration

Performing System Security

The system lists all the uses of the su command in the following file: /var/adm/sulog

Remember, all attempts to switch users, not just the attempts to switch to superuser, are recorded in the sulog file. The entries in the sulog file look like the following:

SU 01/23 15:23 - pts/0 jkerry-root
MO 01/24 11:39 + pts/0 gbush-jkerry
TU 01/25 10:49 + pts/0 root-jkerry

The columns in the output mean the following:

The first three columns indicate the time at which the attempt was made. The fourth column contains a minus sign (-) if the attempt was unsuccessful and a plus sign (+) if the attempt was successful. The fifth column lists the port from which the attempt was made. The sixth column lists the name of the original user and the switched identity.

Before the system starts logging the usage of the su commands into the sulog file, you need to set it up by editing the following file:

/etc/default/su

Uncomment the following entry in this file: SULOG=/var/adm/sulog
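Once sulog is being written, the observing half of the job is reading it for failures. The following script is an added example, not part of the slides: it parses sulog-format lines as described above and reports failed attempts to become a given user. The log content is constructed inline to match the sample entries; on a real system you would feed it /var/adm/sulog instead.

```shell
#!/bin/sh
# Added example, not from the slides: scan sulog-format lines for failed
# attempts to switch to a given user. The log content below is constructed
# to match the format shown above; on a real system you would read
# /var/adm/sulog instead.

SAMPLE_SULOG='SU 01/23 15:23 - pts/0 jkerry-root
MO 01/24 11:39 + pts/0 gbush-jkerry
TU 01/25 10:49 + pts/0 root-jkerry
TU 01/25 11:02 - pts/3 gbush-root
TU 01/25 11:03 - pts/3 gbush-root'

# failed_su_to [target]: reads sulog lines on stdin and prints one line per
# failed (-) attempt whose switched identity is <target> (default root):
#   <date> <time> <port> <original user>
# Assumes login names contain no hyphen, since the sixth column joins the
# two names with one.
failed_su_to() {
    awk -v target="${1:-root}" '
        # Columns: day date time result port from-to
        $4 == "-" {
            split($6, ids, "-")
            if (ids[2] == target) print $2, $3, $5, ids[1]
        }'
}

# failed_su_counts [target]: number of failed attempts per original user,
# most frequent first, so repeated failures from one account stand out.
failed_su_counts() {
    failed_su_to "$1" | awk '{ n[$4]++ } END { for (u in n) print n[u], u }' | sort -rn
}

# Stand-alone run on the constructed sample
printf '%s\n' "$SAMPLE_SULOG" | failed_su_counts root
```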

Page 13: Chapter 7 - Performing Security Administration

Performing System Security

Restricting Superuser Access

You can also prevent users from having superuser access to the system remotely. If the system is set up for this, you can log in as a superuser only from the system console. In order to set up your system for this, edit the following file:

/etc/default/login

Uncomment the following line in this file:

CONSOLE=/dev/console

Page 14: Chapter 7 - Performing Security Administration

Performing System Security

Objective : Control system security through restricting ftp access and using /etc/hosts.equiv and $HOME/.rhosts files, and SSH fundamentals.

A user can also access the Solaris system through ftp. Even more dangerous access is through the .rhosts file. So, these accesses need to be controlled and restricted.


Page 16: Chapter 7 - Performing Security Administration

Performing System Security

Restricting ftp Access

The ftp utility, based on the open Internet standard called File Transfer Protocol (FTP), is a standard tool used to transfer files across a network and across the Internet. If you leave your system with ftp enabled, the remote users may have access to your system by logging in through ftp. It is just another entryway into your system, and every entryway has to be guarded, from a security perspective.

You can restrict ftp access by using the following three files:

/etc/ftpd/ftpusers
/etc/ftpd/ftphosts
/etc/shells

The ftpusers file is used to restrict access at user level. This file contains a list of login names that you can see by issuing the following command:

# less /etc/ftpd/ftpusers

Any login name included in this list is prohibited from using ftp. So, if you want to deny a user access to your system through ftp, just edit the ftpusers file, type in that user's login name, and save the file. When a user attempts to start an ftp session, the system searches for the user's login name in the ftpusers file. If a match is found, access is denied.

Page 17: Chapter 7 - Performing Security Administration

Performing System Security

You can use the ftphosts file to restrict ftp access at host level in order to allow or deny access to a user coming from a specified host. For example, the following entry in the ftphosts file allows the user jkerry to connect to your system using ftp remotely from machines with IP addresses: 205.25.2.3, 195.26.3.4, and 210.23.4.5:

allow jkerry 205.25.2.3 195.26.3.4 210.23.4.5

However, the following entry denies user gbush an ftp access from the host machine with IP address 132.12.13.5:

deny gbush 132.12.13.5

A user interacts with the Solaris system through a shell, and there are several shells around. If the user is using a shell that the system does not support, obviously the user will be denied access. This indirect method can also be used to restrict ftp access. By default, the system supports a number of shells. You can restrict the number of shells supported by the system by creating the following file and typing in the shells that you want the system to support:

/etc/shells

Let's assume you made the following entries into this file:

/bin/sh
/bin/csh
/sbin/jsh

Now, if a user, for example, using the /etc/ksh shell attempts to gain ftp access, access will be denied.

Be careful about the combined effect of all these options. For example, if a user is using an allowed shell but the corresponding user name is included in the ftpusers file, access will still be denied. The same is the case when the user name is not in the ftpusers file, but the user is using the wrong shell.
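The combined effect is easiest to see when the three checks are written out side by side. The script below is an added example, not from the slides and not the Solaris ftpd code: it models the ftpusers, /etc/shells and ftphosts decisions described on the last two slides over constructed copies of those files, using the slides' users jkerry and gbush plus a made-up account smith.

```shell
#!/bin/sh
# Added example, not from the slides or from the Solaris ftpd code: a small
# model of the combined effect of ftpusers, /etc/shells and ftphosts
# described above. The three files are constructed in a temporary directory
# with the slides' users and addresses plus a made-up account (smith).

CONF=$(mktemp -d)
trap 'rm -rf "$CONF"' EXIT
printf '%s\n' root daemon smith > "$CONF/ftpusers"
printf '%s\n' /bin/sh /bin/csh /sbin/jsh > "$CONF/shells"
cat > "$CONF/ftphosts" <<'EOF'
allow jkerry 205.25.2.3 195.26.3.4 210.23.4.5
deny gbush 132.12.13.5
EOF

# ftp_access <user> <login shell> <client address>
# Prints the decision and the rule behind it; returns 0 for allow, 1 for deny.
# Any single denying check is enough, whichever order they are applied in.
ftp_access() {
    acct="$1"; sh_path="$2"; client="$3"
    if grep -qxF "$acct" "$CONF/ftpusers"; then
        echo "deny: $acct is listed in ftpusers"; return 1
    fi
    if ! grep -qxF "$sh_path" "$CONF/shells"; then
        echo "deny: shell $sh_path is not in /etc/shells"; return 1
    fi
    # First ftphosts rule naming this user: "allow <user> <hosts...>" permits
    # only the listed hosts; "deny <user> <hosts...>" refuses the listed hosts.
    rule=$(awk -v u="$acct" '$2 == u { print; exit }' "$CONF/ftphosts")
    if [ -n "$rule" ]; then
        set -- $rule            # $1 = allow|deny, $2 = user, rest = hosts
        action="$1"; shift 2
        listed=1
        for h in "$@"; do [ "$h" = "$client" ] && listed=0; done
        if [ "$action" = allow ] && [ "$listed" -ne 0 ]; then
            echo "deny: $acct may only use ftp from the hosts listed in ftphosts"; return 1
        fi
        if [ "$action" = deny ] && [ "$listed" -eq 0 ]; then
            echo "deny: $client is in a deny rule for $acct"; return 1
        fi
    fi
    echo "allow: $acct from $client with $sh_path"
    return 0
}

# Stand-alone run: the slides' two ftphosts cases and the wrong-shell case.
# The exit status is ignored here; the printed reason is the point.
ftp_access jkerry /bin/sh 205.25.2.3 || :
ftp_access gbush /bin/csh 132.12.13.5 || :
ftp_access jkerry /bin/ksh 205.25.2.3 || :
```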

Page 18: Chapter 7 - Performing Security Administration

Restricting Access to Data

Objective : Restrict access to data in files through the use of group membership, ownership and special file permissions.

Permissions, Ownership, and Group Membership

In UNIX, everything is about files; there are regular files, and there are special files such as directories, devices, sockets, and named pipes. There is a uniform file permission system for all these file kinds. From a file's perspective, the world of users is divided into three continents: the user who owns the file (called owner), a group of users that has group ownership of the file, and everyone else (called world or others). Accordingly, the Solaris file permission system, akin to the traditional UNIX file permission system, has three levels of file access permissions:

• Access permission for the owner of the file
• Access permission for the group of users that has the group ownership of the file
• Access permission for all other users, called the world or others

Page 19: Chapter 7 - Performing Security Administration

Restricting Access to Data

Page 20: Chapter 7 - Performing Security Administration

Restricting Access to Data

Page 21: Chapter 7 - Performing Security Administration

Restricting Access to Data

• In the absolute mode, the permission symbols r, w, and x are represented by integers 4, 2, and 1, respectively. These integers are added to represent all the permissions granted for a user. For example, read-only permission is represented by 4; read and write by 6; and read, write, and execute together by 7

Page 22: Chapter 7 - Performing Security Administration

Summary