Architecture-safe Solaris System

Source: hacker Base

The rapid development of the Internet brings great convenience to people, but the network security problem is becoming increasingly serious. Although the Solaris system is widely used, it cannot avoid security issues. The continuous release of system patches in the corresponding versions proves this.

In addition, such as security risks of the File System setuid program, DoS attacks of the Network Information Service NIS, and PPC security vulnerabilities of the Network File System Service NFS are all frequently used by attackers. This article starts with the Solsris system and analyzes the system's security vulnerabilities and corresponding preventive measures.

I. Prevent stack-based buffer overflow

More than 70% of successful Solaris server attacks exploit the "stack overflow" vulnerability, attackers can provide a program running as ROOT with more tasks than it can handle, attackers can change the execution process to execute the malicious code assigned by the attacker, so as to achieve the purpose of the attack. In the Solaris system, you can set the user stack as unexecutable to avoid attacks based on Stack Buffer Overflow.

The Solaris system later than version 2.6 provides the noexec_user_stack variable, which can be used to set whether the stack can be executed. By default, the variable value is 0, which provides settings that are compatible with ABI. If its value is not 0, the system sets the stack of all processes as readable and writable, but not executable.

1. Prohibit the program from using the executable stack.

Use the following steps to disable a program from using the executable stack:

1) Make yourself a Super User;
2) Add a setnoexec_user_stack = 1 to the/etc/system file;
3) type init6 to restart the system.

When a variable is set to a non-zero value, programs that use their stacks will receive a SIGSEGA signal, which usually terminates the process and generates a dump ). The program will also generate a warning message containing the program name, the user ID of the program running and the process ID of the program. As follows:

A. out [347] attempt to execute code on attack by uid 555
When the syslog core device is set to the notice level, this information is automatically recorded by the syslogd genie program. The information record is defined by default in the file syslog. conf. This indicates that this information is sent to the console and the/var/adm/messages file.

If the noexec_user_stack variable has been set, you can monitor the information to find potential security problems. You can also monitor the information to determine which programs depend on the executable stack to run.

You can use the mprotect command to clearly identify the program stack as executable. View the mprotect manual page for more information. Note that due to hardware limitations, the issue of executable stacks on the sun4m, sun4d, and sun4u platforms can only be detected.

2. Disable record of executable stack information

If you do not want to record the executable stack information, you can set the variable noexec_user_stack_log to 0 in the/etc/system file. Even if record of executable stack information is disabled, the SIGSEGA signal will generate a dump for the execution program.

Use the following steps to disable record of executable stack information:

1) become a Super User.
2) add a line set noexec_user_stack_log = 0 to the/etc/system file.
3) type init6 to restart the system.

Ii. Security Protection for Solaris systems

The first line of defense for system security is system access control. You can use the following methods to control and monitor system access. For example, dimension
Protects the system's physical security, maintains logon control, limits access to data in files, maintains network control, monitors system usage, sets correct path variables, monitors setuid programs, and monitors super user (root) login, install the firewall, and use the automatic Security Enhancement Tool (ASET ).

To control access to the system, the physical security of the computer's environment must be ensured. For example, if a user leaves after logging on to the computer, then anyone else can use the system to access the operating system and network. Be careful with the user's environment and remind them to avoid the above situation.

Use password and logon control to avoid unauthorized logon to the system or network. All accounts in the system should have passwords. Even if only one account in the system has no password, the entire network is available for those who know the account or can guess the account name.

Users are limited to access some system devices in the Solaris system.

Use the Directory and file permission settings in UNIX to control data access. When a user has read permission on a file, other users can change or delete the file. You can also set a file to be unreadable by other users.

Computers are often a part of the network. A network is used to allow the connected systems to exchange information and access the data and other resources provided by the systems connected to the network. The network provides a powerful and sophisticated computing method. Of course, the network also leads to some opportunities to undermine system security.

For example, in a network, every system provides information sharing. Because many users want to access the network, the chance of undesirable access increases. This is especially because of user errors. For example, a user uses a password that is easy to guess.

Use the tools provided by the system to account for the system and monitor each user's every action. It is very useful to monitor the system when it is suspected that an insecure factor exists.

PATH variables are very important. It can avoid data damages caused by unintentional execution of other people's programs. A program that creates security risks is called a Trojan Horse program. For example, a fake su program can be put in a public directory, and the Administrator may run it there. This program is like a common su command. Because it deletes itself after it is run, it is hard to say whether a Trojan horse has been run.

The path variables are automatically generated by the. login,. profile, and. cshrc startup files during logon. Set the current directory (.) at the end of the PATH variable to prevent users from executing this Trojan Horse program. You must not add a public and writable directory to the root path variable. The PATH variable of the Super User cannot contain the current directory. ASET detects the Startup File to make sure that the PATH variable settings are correct and do not contain the current directory (.).

Another method is to use a firewall or a secure gateway system to protect the network. The firewall divides the entire system into two networks, one of which is considered untrusted for access to the other. The firewall is set as a delegated system between the internal network and the external network.

The firewall system is also useful between several internal networks. For example, a firewall or security gateway computer cannot transmit data between two networks, unless the gateway computer is one of the data sources or data transmission purposes. Set a firewall that uses special protocols. For example, mail Transmission is allowed, but telnet and ftp services are not allowed. When the High Security Level of ASET is used, ASET will disable the transmission of IP protocol.

Iii. Solsris system patch installation

Like all operating systems, the Solaris system also inevitably has its vulnerabilities, some of which are almost catastrophic in terms of possible attack consequences. SUN

The company has an excellent tradition of providing patches to its customers, which exist in the form of a collection package or a single patch. Unfortunately, to completely patch our system, we need both a large set of patches and a single patch, here we introduce a method to combine patch packages with a single patch.

(1) log on to the system as root.

(2) Type umask 022 to set your license mode (patching the system requires that not only all patches are readable by the "nobody" user, but also all directories prior to the patch ).

(3) create a directory named patch and enter it.
# Mkdir export/home/patch
# Cd/export/home/patch

(4) use ftp to connect to the sunsolve site, obtain all the PatchReport files of the Solaris operating system version, and download the patch report files (such as get Solaris7.PatchReport) corresponding to the server operating system version ), download the patch pack and a single patch marked in the report.

(5) decompress the patch package, add all the individual patches to the patch_order file, and list all the patches that will be installed by the install_cluster script.

(6) decompress all the single patch package: ls *. zip | xargs-n1 unzip.

(7) now all the patches are ready. restart the computer to the single-user mode:
# Boot-s
# Mountall (mount all file systems)
# Cd/export/home/patch (go to the directory where all patches are saved)
#./Nstall_cluster

After installation, restart the server.

Iv. Security Settings to prevent Solaris system from being attacked

(1) block ping
& N