Solaris System Security Controls & System Hardening
Presenter: 김석 (nick: 김재벌) ostoneo@gmail.com
Agenda
- System H/W Security Consideration
- Installation Consideration
- Configuration Consideration
- File system security (UFS, ZFS): Permission, Access Control (UFS, ZFS)
- Password security / Pluggable Crypt
- Role Based Access Control (RBAC)
- Service Management Facility (SMF)
- Compartmentalization (Zones)
- Integrity Management (intro. BART)
- Auditing / Basic Security Module (BSM)
- Incident Response
H/W Security Consideration
SPARC: set the OpenBoot PROM security mode and password, either from Solaris or at the ok prompt
# eeprom security-mode=full
# eeprom security-password
ok> setenv security-mode command
ok> setenv security-password xxxxxxx
Check the count of failed security-password attempts:
# eeprom security-#badlogins
Keyboard restriction: disable the keyboard abort (Stop-A) sequence in /etc/default/kbd
KEYBOARD_ABORT=disable
x86: set a supervisor password in the BIOS
Installation Considerations
Disk partitioning considerations:
- Which applications will be installed?
- How much space will each file system take?
- Are there specific threats to particular directories or files?
- Mount read-only where possible (apply the Read Only option)
- Decide whether setuid is needed for specific programs (nosuid option)
- On a single system, how should the /var directory be handled? /var, /var/mail, /var/audit, etc.
A minimal installation is recommended when installing the OS
Configuration Consideration
Permission
- Permission control using the basic Unix permission scheme (chmod)
- Default permission control using umask (022, 027)
Access control lists: UFS
# ls -v file.2
-rw-r--r--   1 marks    staff          0 Oct  9 15:52 file.2
     0:user::rw-
     1:group::r--         #effective:r--
     2:mask:r--
     3:other:r--
# chmod A+user:lp:-wx file.2
# ls -v file.2
-rw-r--r--+  1 marks    staff          0 Oct  9 15:52 file.2
     0:user::rw-
     1:user:lp:-wx        #effective:---
     2:group::r--         #effective:r--
     3:mask:r--
     4:other:r--
Configuration Consideration
Access control lists: ZFS
$ id
uid=101(ostoneo) gid=101(ostoneo)
$ mkdir local
$ chmod A+everyone@:delete_child/delete:file_inherit/dir_inherit:deny ./local
$ ls -ldv ./local
drwxr-xr-x+  2 ostoneo  ostoneo        2 Sep 18 22:52 ./local
     0:everyone@:delete_child/delete:file_inherit/dir_inherit:deny
     1:owner@::deny
     2:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
         /append_data/write_xattr/execute/write_attributes/write_acl
         /write_owner:allow
     3:group@:add_file/write_data/add_subdirectory/append_data:deny
     4:group@:list_directory/read_data/execute:allow
     5:everyone@:add_file/write_data/add_subdirectory/append_data/write_xattr
         /write_attributes/write_acl/write_owner:deny
     6:everyone@:list_directory/read_data/read_xattr/execute/read_attributes
         /read_acl/synchronize:allow
$ cp /etc/hosts ./local/
$ ls -l local/
total 2
-rw-r--r--+  1 ostoneo  ostoneo       53 Sep 18 22:53 hosts
$ rm local/hosts
rm: local/hosts not removed: Permission denied
Pluggable Authentication Modules
- Developed by Sun in 1995; first shipped in Solaris 2.6
- Lets the administrator customize how user authentication is performed
- Mainly used for session and password management (e.g., login)
- Configuration file: /etc/pam.conf
References:
- OpenSolaris Community Project: Pluggable Authentication Modules (PAM) http://www.opensolaris.org/os/community/security/projects/pam/
- Sun Developer Network: User Authentication in the Solaris OS
  Part 1: http://developers.sun.com/solaris/articles/user_auth_solaris1.html
  Part 2: http://developers.sun.com/solaris/articles/user_auth_solaris2.html
- Sun BluePrint: Extending Authentication in the Solaris 9 OS Using PAM
  Part 1: http://www.sun.com/blueprints/0902/816-7669-10.pdf
  Part 2: http://www.sun.com/blueprints/1002/816-7670-10.pdf
- Solaris 10 System Administrator Collection: Authentication Services and Secure Communication http://docs.sun.com/app/docs/doc/816-4557/6maosrjio?a=view
Password security
# /etc/default/passwd
MAXWEEKS=
MINWEEKS=
PASSLENGTH=6
#NAMECHECK=NO
#HISTORY=0
#MINDIFF=3
#MINALPHA=2
#MINNONALPHA=1
#MINUPPER=0
HISTORY can keep at most 26 previous passwords
Pluggable Crypt
- crypt: the traditional Solaris password hashing algorithm; drawback: only the first 8 characters of the password are used
- Backward compatibility is kept, and moving to the stronger algorithms is recommended
SUN MD5 (crypt_sunmd5 module)
- One-way hashing: MD5 hash digests; configured through crypt.conf and policy.conf
- Defends against brute force attacks: up to 255 characters supported, salted, 4096 rounds supported
Also available: BSD MD5, Blowfish
Pluggable Crypt
/etc/security/policy.conf
CRYPT_ALGORITHMS_ALLOW=1,2a,md5        # algorithms allowed for new passwords
CRYPT_ALGORITHMS_DEPRECATE=__unix__    # reject the specified algorithm
CRYPT_DEFAULT=md5                      # default algorithm to use
/etc/security/crypt.conf
md5 crypt_sunmd5.so.1 rounds=8000
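As an added example (not from the slides), a shell check that classifies the scheme behind each shadow(4) password field by its `$id$` prefix, so accounts still on the traditional 8-character crypt can be found after CRYPT_ALGORITHMS_DEPRECATE is set. The entries and hash strings are constructed placeholders.

```shell
# Constructed shadow(4)-style entries (not real hashes): one user per
# hashing scheme, plus a locked account and an empty password field.
SAMPLE_SHADOW='root:$md5$rounds=8000$abcdefgh$$xxxxxxxxxxxxxxxxxxxxxx:13000::::::
legacy:k8fJ3aB9cD2eF:13000::::::
bsd:$1$saltsalt$yyyyyyyyyyyyyyyyyyyyyy:13000::::::
bf:$2a$08$saltsaltsaltsaltsaltsezzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz:13000::::::
locked:*LK*:13000::::::
nopass::13000::::::'

# Map a password field to the crypt scheme that produced it, using the
# "$id$" prefix that each pluggable crypt module writes into the hash.
classify_hash() {
  case "$1" in
    '')                echo "empty" ;;            # no password at all
    '*LK*'*|NP|'*NP*') echo "locked" ;;           # locked / no login
    '$md5$'*)          echo "sunmd5" ;;           # crypt_sunmd5.so.1
    '$1$'*)            echo "bsdmd5" ;;           # crypt_bsdmd5.so.1
    '$2a$'*)           echo "blowfish" ;;         # crypt_bsdbf.so.1
    '$'*)              echo "other-pluggable" ;;  # some other $id$ module
    *)                 echo "traditional-unix" ;; # 13-char crypt(3C), 8 chars max
  esac
}

# Print the users whose entries still need attention after
# CRYPT_ALGORITHMS_DEPRECATE=__unix__ is set: traditional crypt hashes
# (only rehashed when the user next changes the password) and empty fields.
weak_entries() {
  printf '%s\n' "$1" | while IFS=: read -r user hash _rest; do
    case "$(classify_hash "$hash")" in
      traditional-unix|empty) echo "$user" ;;
    esac
  done
}
```

On a real system feed it the contents of /etc/shadow as root (for example `weak_entries "$(cat /etc/shadow)"`) and force a password change for the users it lists.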
RBAC (Role Based Access Control)
Permissions vs. rights:
- exec_attr: execution profiles specify commands together with the user and group IDs and the default/limit privileges they run with
- prof_attr: rights profiles are collections of execution profiles and authorizations
- auth_attr: authorization definitions
- user_attr: profiles, authorizations, roles (grant and define), projects
All tables are multi-field with extensible key-value pairs; C APIs are provided.
Compartmentalization (ZONE)
- Application virtualization
- Isolation
Compartmentalization (ZONE)
Prepare the directories that will be shared into the zone:
# mkdir /shared
# mkdir /shared/data
# mkdir /shared/config
# mkdir /shared/logs
# mkdir /shared/run
# chown -R webservd:webservd /shared/run
# chown -R webservd:webservd /shared/logs
# mkdir /shared/data/run
# cp -R /etc/apache2/* /shared/config
# cp -R /var/apache2/* /shared/data
# mkdir /zones
Compartmentalization (ZONE)
# zonecfg -z datazone
datazone: No such zone configured
Use 'create' to begin configuring a new zone.
zonecfg:datazone> create
zonecfg:datazone> set zonepath=/zones/datazone
zonecfg:datazone> set autoboot=true
zonecfg:datazone> add fs
zonecfg:datazone:fs> set dir=/shared
zonecfg:datazone:fs> set special=/shared
zonecfg:datazone:fs> set options=[rw,nodevices,noexec,nosuid]
zonecfg:datazone:fs> set type=lofs
zonecfg:datazone:fs> end
zonecfg:datazone> add fs
zonecfg:datazone:fs> set dir=/shared/run
zonecfg:datazone:fs> set special=/shared/run
zonecfg:datazone:fs> set options=[ro,nodevices,noexec,nosuid]
zonecfg:datazone:fs> set type=lofs
zonecfg:datazone:fs> end
zonecfg:datazone> add fs
zonecfg:datazone:fs> set dir=/shared/logs
zonecfg:datazone:fs> set special=/shared/logs
zonecfg:datazone:fs> set options=[ro,nodevices,noexec,nosuid]
zonecfg:datazone:fs> set type=lofs
zonecfg:datazone:fs> end
Compartmentalization (ZONE)
zonecfg:datazone> add net
zonecfg:datazone:net> set address=10.0.0.200
zonecfg:datazone:net> set physical=bge1
zonecfg:datazone:net> end
zonecfg:datazone> add attr
zonecfg:datazone:attr> set name=comment
zonecfg:datazone:attr> set type=string
zonecfg:datazone:attr> set value="data Container"
zonecfg:datazone:attr> end
zonecfg:datazone> verify
zonecfg:datazone> commit
zonecfg:datazone> exit
SMF (Service Management Facility)
Remove unnecessary services (e.g., the NIS server):
svcadm disable svc:/network/nis/server:default
svcadm disable svc:/network/nis/passwd:default
svcadm disable svc:/network/nis/update:default
svcadm disable svc:/network/nis/xfr:default
Remove the telnet service:
svcadm disable telnet
TCP Wrappers for inetd services: /etc/hosts.allow, /etc/hosts.deny
inetadm -M tcp_wrappers=true
SMF (Service Management Facility)
Remove unnecessary protocol versions (e.g., the sshd server protocol): /etc/ssh/sshd_config
The Protocol setting is a security issue: SSH protocol version 1 is vulnerable to MITM and downgrade attacks, so allow only version 2:
Protocol 2
Integrity Management
Signed ELF Objects
- Cryptographic signing developed by Sun for compiled ELF objects: binaries, libraries, shared objects, device drivers, kernel modules
$ elfsign verify -e /usr/bin/ls
elfsign: verification of /usr/bin/ls passed.
$ elfsign verify -v -e /usr/bin/ls
elfsign: verification of /usr/bin/ls passed.
format: rsa_md5_sha1.
signer: CN=SunOS 5.10, OU=Solaris Signed Execution, O=Sun Microsystems Inc.
Basic Audit Reporting Tool (BART)
- A very flexible integrity verification tool, available from Solaris 10
- Two modes: create and compare
- Recorded attributes: object name, object type, owner (uid), group (gid), permissions, ACLs, MD5 fingerprint
Create mode, reading the list of files from stdin:
# find /etc/security | bart create -I
! Version 1.0
! Tuesday, September 18, 2007 (11:24:33)
# Format:
#fname D size mode acl dirmtime uid gid
#fname P size mode acl mtime uid gid
#fname S size mode acl mtime uid gid
#fname F size mode acl mtime uid gid contents
Basic Audit Reporting Tool (BART)
Compare mode
# bart compare manifest-before manifest-after
/etc/security/exec_attr:
  size  control:29654  test:29664
  mtime  control:46e8a76e  test:46efee70
  contents  control:caf727ccd4de989974c2c81fa7cfdf29  test:071e79250e05b2363415ee5f05d25324
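To show what `bart compare` is doing with the manifest format above, here is an added shell/awk comparer (not part of the slides or of BART itself) that reports added, deleted and changed objects with control/test values. The two manifests are constructed; the paths, sizes and fingerprints are sample values only.

```shell
# Constructed BART-style manifests (not real output). Regular-file records
# follow the header line "#fname F size mode acl mtime uid gid contents".
BEFORE='! Version 1.0
! Tuesday, September 18, 2007 (11:24:33)
# Format:
#fname F size mode acl mtime uid gid contents
/etc/security/exec_attr F 29654 100644 user::rw-,group::r--,mask:r--,other:r-- 46e8a76e 0 3 caf727ccd4de989974c2c81fa7cfdf29
/etc/security/policy.conf F 2341 100644 user::rw-,group::r--,mask:r--,other:r-- 46e8a76e 0 3 0123456789abcdef0123456789abcdef'
AFTER='! Version 1.0
! Tuesday, September 25, 2007 (09:10:11)
# Format:
#fname F size mode acl mtime uid gid contents
/etc/security/exec_attr F 29664 100644 user::rw-,group::r--,mask:r--,other:r-- 46efee70 0 3 071e79250e05b2363415ee5f05d25324
/etc/security/evil.so F 8192 100755 user::rwx,group::r-x,mask:r-x,other:r-x 46efee70 0 3 ffffffffffffffffffffffffffffffff'

# Compare a control manifest ($1) against a test manifest ($2): print each
# object that was added or deleted, and for changed objects every attribute
# that differs, in the "field control:x test:y" style of bart compare.
manifest_diff() {
  { printf '%s\n' "$1" | sed 's/^/control /'
    printf '%s\n' "$2" | sed 's/^/test /'; } |
  awk '
    $2 ~ /^[!#]/ || NF < 2 { next }          # skip "!" header and "#" comment lines
    {
      rest = ""                               # attributes after the file name
      for (i = 3; i <= NF; i++) rest = rest (i > 3 ? " " : "") $i
      if ($1 == "control") c[$2] = rest; else t[$2] = rest
    }
    END {
      split("type size mode acl mtime uid gid contents", name, " ")
      for (f in c) {
        if (!(f in t)) { print f ": delete"; continue }
        if (c[f] == t[f]) continue
        nc = split(c[f], cv, " "); nt = split(t[f], tv, " ")
        for (i = 1; i <= nc && i <= nt; i++)
          if (cv[i] != tv[i])
            print f ": " name[i] " control:" cv[i] " test:" tv[i]
      }
      for (f in t) if (!(f in c)) print f ": add"
    }' | LC_ALL=C sort
}
```

A new file under /etc/security showing up as "add" with a different owner or mode than its neighbours is exactly the kind of change a rules file for `bart compare` should flag.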
LSOF
1. Find the processes using a specific file
   # lsof <path/filename>
2. List internet sockets
   # lsof -i
   # lsof -i:32337
3. Check connections to a specific host
   # lsof -i @211.203.11.11
4. List connections to a specific port
   # lsof -i @solaris.co.kr:80
5. List the processes opened by a specific user
   # lsof -u <loginname> or lsof -u <uid>
6. List the files opened by a specific process
   # lsof -p <pid>
Related commands:
# netstat -an (netstat -nlp)
# fuser -n tcp 31337
# lsof -p pid
Rootkit Detection Tools (www.rootkit.nl)
- MD5 hash compare
- Look for default files used by rootkits
- Wrong file permissions for binaries
- Look for suspected strings in LKM and KLD modules
- Look for hidden files
- Optional scan within plaintext and binary files
System Auditing Tools (www.rootkit.nl)
Examples of audit tests:
- Available authentication methods
- Expired SSL certificates
- Outdated software
- User accounts without password
- Incorrect file permissions
- Firewall auditing
BSM (Basic Security Module)
BSM functions
- Monitor security-related events
- Record security-related events
- Detect unauthorized activity
- C2-level logging possible
BSM (Basic Security Module)
1. Enabling BSM
   # /etc/security/bsmconv
   // creates /etc/security/audit_startup, which starts the auditd daemon automatically
2. Configuring the audited activity types
   # vi /etc/security/audit_control
   dir:/var/audit
   dir:/var/audit1
   flags:lo,ad,-fm
   minfree:10
   naflags:
BSM (Basic Security Module)
3. Specify the activity to log per user
   # vi /etc/security/audit_user
   root:all:^+fr
   audit:no:all
   user01:all:^fr
4. Reboot the system
   # reboot
5. Check the currently active audit file
   # cat /etc/security/audit_data
   466:/var/audit/20020302085715.not_terminated.oss1
6. Check that the audit files have been created
   # cd /var/audit; ls -l
   20020302073332.20020302073341.oss1
   20020302085715.not_terminated.oss1
BSM (Basic Security Module)
7. Close the current log file and open a new one
   # audit -n
   20020302085715.20020302092530.oss1
   20020302073332.20020302073341.oss1
   20020302092530.not_terminated.oss1
8. Pause auditing
   # audit -t
   // auditing starts again after a reboot
9. Summarize and report audit data (binary -> ASCII)
   # auditreduce -a 20020302 -b +31d -u user01 -c lo | praudit
10. Disabling BSM
   # /etc/security/bsmunconv
What not to do when a hacking incident occurs
- Pulling the cable or powering the system off
- Applying security patches
  - to avoid blame for patches that were missing
  - under the pretext of blocking further attacks
- Noticing that the antivirus engine is out of date and updating it
- "Let's just reinstall first"
- A remedy after the fact (사후약방문)
Consequences:
- The same type of incident can happen again later
- Without an accurate incident analysis it is hard to establish the overall scope of the damage or to collect evidence
When restoring service is the top priority, do the restoration work first and then consider incident analysis; to make that possible, prepare in advance so that the evidence needed for an accurate incident analysis is collected first and service is restored afterwards.
Precautions when collecting evidence from a hacking incident
- Do not use the commands on the compromised system
  - Build a separate set of forensic tools on a CD or similar medium (a forensic toolkit)
  - Most of the commands used to gather information are likely to have been tampered with
- Collect evidence according to the Order of Volatility (OOV)
  - Each kind of evidence has a different degree of volatility, so collect from the most volatile to the least volatile
- Fast collection is required, so automation is important
  - Automate every part of the collection that can be automated
  - This shortens collection time and prevents evidence loss due to typos and mistakes
  - Automate with Perl, shell scripts, etc.; on Solaris 10, collection with D scripts (DTrace) is also possible
Precautions when collecting evidence from an incident (cont'd)
- Consider how the evidence will be stored
  - Storing evidence on the compromised system itself is very likely to destroy other evidence on its hard disk
  - Use remote imaging over the network
Order of Volatility
Category | Data type | Lifetime
CPU storage | registers, cache | usually gone within one to a few cycles
System storage | kernel, RAM, network information, process information | gone at system shutdown (volatile)
Hard disk, removable storage media | swap space, spool directory, temporary directory, log directory, remaining directories | considered gone once overwritten or deleted (overwritten or deleted data can sometimes be recovered later)
Floppy / CD-ROM, tapes, optical disk | hard-copied data | exists until the medium is destroyed
Creating a hard disk image
dd usage:
dd if=<input file> of=<output file> bs=<block size> count=<number of blocks> skip=<number of blocks>
<example>
# dd if=/dev/rdsk/c0t0d0s0 of=suspect.hdd-s0.dd bs=1024
# dd if=/dev/rdsk/c0t0d0s1 of=suspect.hdd-s1.dd bs=1024 count=10000
# dd if=/dev/rdsk/c0t0d0s2 of=suspect.hdd-s2.dd bs=1024 skip=10000
Always check the partition table information first, using format or a similar tool.
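An added shell wrapper (not from the slides) around the dd imaging step that records a checksum of the source and of the image side by side and refuses to report success unless they match, which is the check that makes an image usable as evidence. It uses the POSIX cksum(1), which Solaris, Linux and BSD all have; on Solaris 10 `digest -a md5` can be substituted for an MD5 fingerprint. The test input is a constructed file standing in for a raw slice.

```shell
# CRC and byte count of a file or raw device, without the file name, so the
# source and the image produce identical strings when they are identical.
checksum_of() {
  cksum < "$1" | awk '{print $1, $2}'
}

# Succeed only when the image matches the source bit for bit.
verify_image() {
  [ "$(checksum_of "$1")" = "$(checksum_of "$2")" ]
}

# Image $1 (e.g. /dev/rdsk/c0t0d0s0) to $2 with block size $3 (default 1024),
# write the checksums of both next to the image, and return 0 only if they
# agree. $2 should live on remote or removable storage, never on the suspect
# system's own disk.
image_and_verify() {
  src=$1; dst=$2; bs=${3:-1024}
  dd if="$src" of="$dst" bs="$bs" 2>/dev/null || return 2
  # chain-of-custody record: what was imaged, what was written, and when
  printf 'source %s\nimage  %s\ndate   %s\n' \
    "$(checksum_of "$src")" "$(checksum_of "$dst")" "$(date -u)" > "$dst.cksum"
  verify_image "$src" "$dst"
}
```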