Protecting the Family Jewels
My high school track coach had a speech he gave at least once a year about "protecting the family jewels." I was clueless; I thought he was talking about my watch and class ring. Many Solaris system managers are equally clueless about how to protect the "family jewels" of their systems, namely the filesystems and files. One of the principles of computer security is "Know your systems." One way to accomplish Solaris filesystem security is by auditing the filesystems. There are several tools available to accomplish this.
ASET is Sun Microsystems' Automated System Enhancement Tool. Odds are you already have ASET installed on your Solaris system. ASET is part of the Sun package SUNWast. Check for SUNWast with the following command:
pkginfo | grep SUNWast
ASET is a set of administrative utilities that can improve system security by allowing the system administrators to check the settings of system files, including both the attributes (permissions, ownership, etc.) and the contents of the system files. There are three security levels associated with ASET, low, medium and high. At the low level, ASET makes no modifications but checks and reports any potential security weaknesses. At the medium level, ASET modifies some of the settings of system files and parameters to restrict system access in order to reduce the risks from security attacks. ASET reports the security weaknesses and the modifications performed to restrict access. At the high level, further restrictions are made to system access, creating a very hardened system. More information can be found in the ASET man page and the administrator manual.
AIDE (Advanced Intrusion Detection Environment) is an open source system integrity checker, i.e., a utility that compares the properties of designated files and directories against information stored in a previously generated database. Any changes to these files are flagged and logged, including those that were added or deleted, with optional email reporting. Additionally, support files (databases, reports, etc.) are cryptographically signed. AIDE is available for download at http://www.cs.tut.fi/~rammer/aide.html.
Fix-modes is a set of scripts written by Casper Dik that try to make the filesystem modes more secure. It does this by removing group and world write permissions of all files, devices, and directories listed in /var/sadm/install/contents. Fix-modes creates an audit trail and its changes can be undone. Fix-modes is available at http://www.sun.com/blueprints/tools/FixModes_license.html.
One of the best tools for auditing a filesystem is good old find. For instance, to find all the files in /usr that are setuid or setgid, respectively, use these commands:
find /usr -perm -u+s -print
find /usr -perm -g+s -print
There should be no files in /etc that have group and/or other (world) write permission set. To find those files, use
find /etc -type f -perm -g+w -print
find /etc -type f -perm -o+w -print
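The four find checks above can be wrapped into a small audit function that reports every flagged path with the name of the check that caught it, which is handier than reading four separate listings when you run it regularly. This is an added example, not part of the original article; it uses octal modes (-4000, -2000, -0020, -0002) rather than the symbolic u+s/g+s/g+w/o+w forms so that it also runs on older find implementations, and the demo tree it builds under a temporary directory is constructed sample data, not anything from a real system.

```shell
# Added example (not from the original article): audit a directory tree for
# setuid/setgid files and group/world-writable regular files, the same four
# checks the article runs with find over /usr and /etc.

# audit_tree DIR : print flagged paths, one per line, prefixed by the check name
audit_tree() {
    dir="$1"
    # setuid / setgid regular files (octal modes for portability across find versions)
    find "$dir" -type f -perm -4000 -print | sed 's/^/setuid: /'
    find "$dir" -type f -perm -2000 -print | sed 's/^/setgid: /'
    # group-writable and world-writable regular files
    find "$dir" -type f -perm -0020 -print | sed 's/^/group-writable: /'
    find "$dir" -type f -perm -0002 -print | sed 's/^/world-writable: /'
}

# count_findings DIR : number of flagged entries, suitable for a cron job that
# mails only when the count is non-zero
count_findings() {
    audit_tree "$1" | wc -l | tr -d ' '
}

# build_demo_tree : create a constructed sample tree in a temp dir and echo its path.
# It contains one setuid script, one group+world-writable file and one clean file.
build_demo_tree() {
    root=$(mktemp -d)
    umask 022
    printf '#!/bin/sh\necho ok\n' > "$root/setuid_tool"
    chmod 4755 "$root/setuid_tool"       # setuid, not group/world writable
    printf 'x\n' > "$root/loose.conf"
    chmod 666 "$root/loose.conf"         # group and world writable
    printf 'y\n' > "$root/good.conf"
    chmod 644 "$root/good.conf"          # should not be flagged
    echo "$root"
}

# Stand-alone usage: audit the constructed tree, then clean it up.
demo=$(build_demo_tree)
audit_tree "$demo"
echo "findings: $(count_findings "$demo")"
rm -rf "$demo"
```

On a real host you would call audit_tree /usr or audit_tree /etc and diff the output against a saved baseline, which is essentially what AIDE automates with a database and cryptographic checksums.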
There's no reason to be clueless about the family jewels residing on your systems when these tools are available. As my track coach used to say, "Nobody's gonna protect the family jewels for you."