Chapter 7 - Performing Security Administration
Overview
How system security is performed on Solaris 10
Security issues in accessing the system
Security issues in accessing the data on the system
Managing this security at both the data and system levels
Monitoring System Access
Objective : Monitor system access by using appropriate commands
Monitoring system access is an important task in the arena of system security.
Monitoring system access involves both watching login activities and allowing or denying logins.
In order to control access, every user must be required to have a password, and those passwords must be managed. Therefore, password management and login management are key to monitoring system access.
Password Management
A password is an important component of a user account. In order to control system access, passwords must be managed, beginning with making sure that every user has a password.
To find the users who do not have passwords, use the following command:
logins -p
A password also has important parameters related to its age that you can manage with the passwd command, which has the following syntax:
passwd <username> [<options>]
The following options are available for this command:
-d. Delete the password; that means the login will not prompt for a password.
-f. Force the user to change the password at the next login.
-l. Lock the account; no more logins will be allowed.
-n <min>. Specify the minimum number of days between two consecutive password changes.
-s. Display the password attributes for this user.
-w <warn>. Specify the number of days before the expiration date when the user will get the warning.
-x <max>. Specify the maximum number of days allowed between two consecutive password changes.
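The checks behind the logins -p and passwd options above, as an added example that is not part of the original chapter: the functions read shadow-format lines on stdin, and the sample data is constructed (on a real system the input would be /etc/shadow, read as root).

```shell
# Added example (not from the page): audit shadow-format lines for the
# conditions the logins/passwd options above address.  Fields are
# name:password:lastchg:min:max:warn:inactive:expire:flag; data is constructed.
SHADOW_SAMPLE='root:$5$salt$hash:18000:7:90:14:::
jkerry::18000::::::
gbush:*LK*$5$salt$hash:18000::::::
guest:$5$salt$hash:18000::::::'

# Logins whose password field is empty, i.e. what "logins -p" reports.
no_password_users() {
  awk -F: '$2 == "" { print $1 }'
}

# Usable accounts whose maximum password age (field 5) is unset, so the
# password never expires; "passwd -x <max> <user>" would set it.
no_max_age_users() {
  awk -F: '$2 != "" && $2 !~ /^\*LK\*/ && $5 == "" { print $1 }'
}

# Accounts locked with "passwd -l", which Solaris marks with *LK*.
locked_users() {
  awk -F: '$2 ~ /^\*LK\*/ { print $1 }'
}
```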
Login Management
You can find out who is currently logged into the system by using the who command, which has the following syntax:
who [<options>]
Following are the most common options for this command:
-b. Show the time for the last reboot.
-d. Show the processes that have expired.
-H. Print column headings above the output.
-l. List the processes that are waiting for someone to log in.
-q. Quick display—show only the number of users logged in and their names. When this option is given, all other options are ignored.
-r. Display the system run level.
Monitoring Failed Login Attempts
Failed login attempts are automatically recorded in the file /var/adm/loginlog. All you need to do is create this file, using the following command:
touch /var/adm/loginlog
If you want to record each failed login attempt (that is, even if someone makes only one unsuccessful attempt to log in), edit the following file:
/etc/default/login
Set the following parameter:
SYSLOG_FAILED_LOGINS=0
Now, every failed login attempt will be recorded into the loginlog file.
Temporarily Disabling User Logins
You may need to temporarily disable all user logins, for example during system shutdown or system maintenance. In order to prevent all non-root users from logging in, you can create the file /etc/nologin:
touch /etc/nologin
Capture Failed Login Attempts
Performing System Security
Monitoring Superuser Access Attempts
The monitoring can be performed in two ways: observing the accesses, and restricting them.
The system lists all the uses of the su command in the following file:
/var/adm/sulog
Remember, all attempts to switch users, not just the attempts to switch to superuser, are recorded in the sulog file. The entries in the sulog file look like the following:
SU 01/23 15:23 - pts/0 jkerry-root
MO 01/24 11:39 + pts/0 gbush-jkerry
TU 01/25 10:49 + pts/0 root-jkerry
The columns in the output mean the following:
The first three columns indicate the time at which the attempt was made.
The fourth column contains a minus sign (-) if the attempt was unsuccessful and a plus sign (+) if the attempt was successful.
The fifth column lists the port from which the attempt was made.
The sixth column lists the name of the original user and the switched identity.
Before the system starts logging the usage of the su commands into the sulog file, you need to set it up by editing the following file:
/etc/default/su
Uncomment the following entry in this file:
SULOG=/var/adm/sulog
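Reading the sulog format described above, as an added example that is not part of the original chapter: the entries are constructed to match the column layout, and the functions read the log on stdin (on a real system, /var/adm/sulog).

```shell
# Added example (not from the page): report switch-user activity from a
# sulog-format log.  Entries are constructed in the format shown above:
# day date time result port fromuser-touser.
SULOG_SAMPLE='SU 01/23 15:23 - pts/0 jkerry-root
MO 01/24 11:39 + pts/0 gbush-jkerry
TU 01/25 10:49 + pts/0 root-jkerry
WE 01/26 09:02 - pts/1 gbush-root
WE 01/26 09:03 - pts/1 gbush-root'

# Print "user count" for each original user with failed su attempts to root,
# most attempts first.  Assumes login names contain no hyphen, since the
# sixth field joins the two names with one.
failed_root_su() {
  awk '$4 == "-" { split($6, p, "-"); if (p[2] == "root") c[p[1]]++ }
       END { for (u in c) print u, c[u] }' | sort -k2,2nr -k1,1
}

# Print every successful su that root used to become another user; these
# sessions act under that user's identity and are worth reviewing too.
root_to_other() {
  awk '$4 == "+" && $6 ~ /^root-/ { print $1, $2, $3, $5, $6 }'
}
```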
Restricting Superuser Access
You can also prevent users from having superuser access to the system remotely. If the system is set up for this, you can log in as superuser only from the system console. In order to set up your system for this, edit the following file:
/etc/default/login
Uncomment the following line in this file:
CONSOLE=/dev/console
Objective : Control system security through restricting ftp access and using /etc/hosts.equiv and $HOME/.rhosts files, and SSH fundamentals.
A user can also access the Solaris system through ftp. Even more dangerous access is through the .rhosts file. So, these accesses need to be controlled and restricted.
Restricting ftp Access
The ftp utility, based on the open Internet standard called File Transfer Protocol (FTP), is a standard tool used to transfer files across a network and across the Internet. If you leave your system with ftp enabled, the remote users may have access to your system by logging in through ftp. It is just another entryway into your system, and every entryway has to be guarded, from a security perspective.
You can restrict ftp access by using the following three files:
/etc/ftpd/ftpusers
/etc/ftpd/ftphosts
/etc/shells
The ftpusers file is used to restrict access at user level. This file contains a list of login names that you can see by issuing the following command:
# less /etc/ftpd/ftpusers
Any login name included in this list is prohibited from using ftp. So, if you want to deny a user access to your system through ftp, just edit the ftpusers file, type in that user's login name, and save the file. When a user attempts to start an ftp session, the system searches for the user's login name in the ftpusers file. If a match is found, access is denied.
You can use the ftphosts file to restrict ftp access at host level in order to allow or deny access to a user coming from a specified host. For example, the following entry in the ftphosts file allows the user jkerry to connect to your system using ftp remotely from machines with IP addresses: 205.25.2.3, 195.26.3.4, and 210.23.4.5:
allow jkerry 205.25.2.3 195.26.3.4 210.23.4.5
However, the following entry denies user gbush an ftp access from the host machine with IP address 132.12.13.5:
deny gbush 132.12.13.5
A user interacts with the Solaris system through a shell, and there are several shells around. If the user is using a shell that the system does not support, obviously the user will be denied access. This indirect method can also be used to restrict ftp access. By default, the system supports a number of shells. You can restrict the number of shells supported by the system by creating the following file and typing in the shells that you want the system to support:
/etc/shells
Let's assume you made the following entries into this file:
/bin/sh
/bin/csh
/sbin/jsh
Now, if a user, for example, using the /etc/ksh shell attempts to gain ftp access, access will be denied.
Be careful about the combined effect of all these options. For example, if a user is using an allowed shell but the corresponding user name is included in the ftpusers file, access will still be denied. The same is the case when the username is not in the ftpusers file, but the user is using the wrong shell.
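The combined effect of the three files, as an added example that is not part of the original chapter: the three files are constructed inline with the entries discussed above, and ftphosts handling is simplified to the allow/deny line forms the text shows (a deny line for the client host wins; a user with allow lines may only connect from a listed host).

```shell
# Added example (not from the page): model the combined effect of
# /etc/ftpd/ftpusers, /etc/ftpd/ftphosts and /etc/shells on one ftp login.
# All three files are constructed inline; ftphosts semantics are simplified
# to the "allow user ip..." / "deny user ip..." lines shown above.
FTPUSERS='root
daemon'
FTPHOSTS='allow jkerry 205.25.2.3 195.26.3.4 210.23.4.5
deny gbush 132.12.13.5'
SHELLS='/bin/sh
/bin/csh
/sbin/jsh'

# ftp_access <login> <client-ip> <login-shell>  -> prints "allow" or "deny"
ftp_access() {
  user=$1; host=$2; shell=$3
  # 1. ftpusers: any login listed here is refused outright.
  if printf '%s\n' "$FTPUSERS" | grep -qxF -- "$user"; then
    echo deny; return
  fi
  # 2. /etc/shells: the login shell must be one the system supports.
  if ! printf '%s\n' "$SHELLS" | grep -qxF -- "$shell"; then
    echo deny; return
  fi
  # 3. ftphosts: a matching deny line wins; if the user has allow lines,
  #    the client host must appear on one of them.
  printf '%s\n' "$FTPHOSTS" | awk -v u="$user" -v h="$host" '
    $2 == u {
      if ($1 == "allow") has_allow = 1
      for (i = 3; i <= NF; i++)
        if ($i == h) { if ($1 == "deny") denied = 1; else allowed = 1 }
    }
    END {
      if (denied || (has_allow && !allowed)) print "deny"; else print "allow"
    }'
}
```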
Restricting Access to Data
Objective : Restrict access to data in files through the use of group membership, ownership and special file permissions.
Permissions, Ownership, and Group Membership
In UNIX, everything is about files; there are regular files, and there are special files such as directories, devices, sockets, and named pipes. There is a uniform file permission system for all these file kinds. From a file's perspective, the world of users is divided into three continents: the user who owns the file (called owner), a group of users that has group ownership of the file, and everyone else (called world or others). Accordingly, the Solaris file permission system, akin to the traditional UNIX file permission system, has three levels of file access permissions:
Access permission for the owner of the file
Access permission for the group of users that has the group ownership of the file
Access permission for all other users, called the world or others
In the absolute mode, the permission symbols r, w, and x are represented by the integers 4, 2, and 1, respectively. These integers are added to represent all the permissions granted for a user. For example, read-only permission is represented by 4; read and write by 6; and read, write, and execute together by 7.
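The absolute-mode arithmetic above carried through for all three user classes, as an added example that is not part of the original chapter; it also goes beyond the text by handling the setuid, setgid and sticky bits of the four-digit form, which appear in the symbolic string as s/S and t/T.

```shell
# Added example (not from the page): convert between absolute (octal) modes
# and the symbolic rwx form, including the setuid, setgid and sticky bits of
# the four-digit form.  Pure POSIX sh; no files are touched.
mode_to_symbolic() {
  mode=$((0$1))             # the leading 0 makes the shell read $1 as octal
  out=""
  for shift in 6 3 0; do
    bits=$(( (mode >> shift) & 7 ))
    case $shift in
      6) sp=$(( mode & 2048 )); lc=s; uc=S ;;   # 04000 setuid
      3) sp=$(( mode & 1024 )); lc=s; uc=S ;;   # 02000 setgid
      0) sp=$(( mode & 512 ));  lc=t; uc=T ;;   # 01000 sticky
    esac
    [ $((bits & 4)) -ne 0 ] && out="${out}r" || out="${out}-"
    [ $((bits & 2)) -ne 0 ] && out="${out}w" || out="${out}-"
    if [ "$sp" -ne 0 ]; then
      # special bit set: lowercase letter if x is also set, uppercase if not
      [ $((bits & 1)) -ne 0 ] && out="${out}$lc" || out="${out}$uc"
    else
      [ $((bits & 1)) -ne 0 ] && out="${out}x" || out="${out}-"
    fi
  done
  printf '%s\n' "$out"
}

# Reverse direction: "rwsr-xr-x" -> 4755.  Always prints four digits.
symbolic_to_mode() {
  s=$1; n=0; special=0; i=0
  while [ $i -lt 9 ]; do
    c=$(printf '%s' "$s" | cut -c $((i + 1)))
    n=$((n * 2))
    case $c in
      r|w|x) n=$((n + 1)) ;;
      s) n=$((n + 1)); [ $i -eq 2 ] && special=$((special | 4)) || special=$((special | 2)) ;;
      S) [ $i -eq 2 ] && special=$((special | 4)) || special=$((special | 2)) ;;
      t) n=$((n + 1)); special=$((special | 1)) ;;
      T) special=$((special | 1)) ;;
    esac
    i=$((i + 1))
  done
  printf '%o%03o\n' "$special" "$n"
}
```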
Summary