How Secure is Solaris 8?
by Dr. Paul A. Watters, author of Solaris 8 Administrator's Guide
I'm often asked this question by high-level managers, and the reply I generally mutter under my breath is, "How long is a piece of string?" What I actually say is "All computer systems that allow any form of remote access are inherently insecure. Solaris is no better or worse than other computer systems." The general reply goes along the lines of "That still doesn't answer my question," to which I respond "In order to measure anything, for example, the security of operating environments, you need to have a criterion to measure it against." A yardstick for evaluating computer security is what is needed, but such evaluations are notoriously difficult to obtain.
There are several good reasons for this. First, if I worked for a consulting company certifying computer systems as secure or insecure, I'd no doubt exhaustively test a system for all known weaknesses and potential intrusions. Now suppose a week after certifying the system as secure, an intruder is discovered. I'd certainly be liable--maybe not in strict, civil-law terms, because a previously unknown weakness might have been discovered--but liable to lose further business with a valued client because of a perception of failure. Dealing with the unknown is part and parcel of the security business--which naturally leads to my second point. A proactive approach to predicting potential intrusions can be so successful that an attack never occurs. How, then, can a security evaluation occur if no attack has ever succeeded? Was this the result of good planning and tight operations? Or was it simply good luck? I may never know, but my customers may wonder.
As a multiprocess, multiuser, multithreaded operating system, SunOS provides all of the equipment for remote attacks to take place. Providing these facilities allows protocols like HTTP and FTP to be implemented in services that are now critical to the global e-business environment. At the same time, opening up port access for all and sundry uses increases the risk that an attack will occur--there's an old adage that the safest Unix system is one that has the Ethernet unplugged. Indeed, some organizations have stopped using multiuser systems to run Web servers, instead opting for single-user systems.
This seems to be a drastic measure, much like throwing the baby out with the bath water. There are criteria for evaluating the security of systems, although they are possibly better known in fable than as operational security policies. I am talking about the U.S. Department of Defense's Trusted Computer System Evaluation Criteria, better known as the "DoD Orange Book," which classifies systems into discrete divisions of protection based on their adherence to a set of criteria. The four divisions are:
Minimal protection (Division D), which really means no protection at all.
Discretionary protection (Division C), which provides the ability to secure and audit access to files and other objects by authenticated users.
Mandatory protection (Division B), which requires the ability to secure and audit access to files and other objects by authenticated users.
Verified protection (Division A), where the application of formal methods is required to verify security.
At this time, the security features contained in Solaris 8 meet the criteria specified in Division C. Trusted Solaris 8, which is a more secure version of Solaris available separately from Sun Microsystems, meets the criteria specified in Division B. I'll discuss the features and requirements of these two divisions in detail, as Solaris is not a candidate for Division A or Division D classification.
The keyword for Division C is "discretionary," meaning that many of the safeguards that exist must be applied explicitly, rather than by default. Division C has two categories: C1, which provides for discretionary access protection, and C2, which requires controlled access protection. The difference between these two categories is apparent when examining authentication. While C1 provides for username and password authentication, C2 requires username and password authentication. Similarly, C1 provides access control lists for user- and group-based authorization, while this is mandatory for C2 objects. In addition, C2 systems must provide logging and auditing facilities beyond those provided by C1 systems. When configured correctly, Solaris 8 appears to provide the features mandated by the C2 classification.
Trusted Solaris 8 is currently being evaluated for B1 classification, which is the weakest version of Division B. All Division B classifications are stronger than Division C, given the stricter administration of object-access privileges. The most important difference between a standard C2 and B1 system is the inclusion of security labeling for files, processes, and other objects managed by the operating system: these labels include "Top Secret," "Secret," "Confidential," and "Unclassified." No access to these objects is possible without the correct authorization. In addition, Trusted Solaris separates the roles of system administrator and security administrator, so a system administrator without security privileges cannot access data that has been labeled appropriately. Since the "least privilege" principle is applied to access for all objects, the owner of a specific resource would need to explicitly grant access to other users. On a normal Solaris system, by contrast, the root user may read all files on a local filesystem. The exception to this rule is when Role-Based Access Control (RBAC) has been installed and configured to reduce the access rights of the root user.
Let's look at an example of how security labels work in practice. In any particular session, a clearance level is established when a user logs in. Alternatively, you can choose multiple clearance levels for the same session if necessary (a good way to separate different clearance levels is to associate them with separate CDE, or Common Desktop Environment, workspaces). Directories can store files with different security labels; however, only those with a security label at or below your current clearance level will ever be displayed. For example, imagine three files in the directory /data: holiday.dat contains a list of employee holidays, and is labeled "Classified"; budget.dat contains a set of budget transactions, and is labeled "Secret"; and agents.dat contains a list of secret agent addresses, and is labeled "Top Secret". If your session clearance level is "Unclassified", then the following output will be displayed when trying to list the contents of the directory /data:
$ ls /data
If your session clearance level is "Classified", then the following output will be displayed when trying to list the contents of /data:
$ ls /data
holiday.dat
If your session clearance level is "Secret", then the following output will be displayed when trying to list the contents of /data:
$ ls /data
holiday.dat
budget.dat
If your session clearance level is "Top Secret", then the following output will be displayed when trying to list the contents of /data:
$ ls /data
holiday.dat
budget.dat
agents.dat
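The listings above are one instance of a general rule: an object is visible only when the session's clearance dominates the object's label. The following Python model, which is an added example and not Trusted Solaris code, reproduces the four /data listings from the article and then extends the check with need-to-know compartments (the Label.compartments field, the dominates() helper and the extra file payroll.dat are assumptions added to show the general dominance test, not anything the article describes):

```python
"""
Model of label-based directory listing under a mandatory access control
policy, after the Trusted Solaris example in the article.  Added example,
not Trusted Solaris code.  The level ordering and the three /data files
come from the article; compartments and payroll.dat are constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

# Hierarchical classification levels, lowest to highest, as used in the article.
LEVELS = ["Unclassified", "Classified", "Secret", "Top Secret"]
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class Label:
    level: str
    # Assumed extension: non-hierarchical need-to-know categories.
    compartments: FrozenSet[str] = frozenset()

    def __post_init__(self) -> None:
        if self.level not in RANK:
            raise ValueError(f"unknown classification level: {self.level!r}")


def dominates(clearance: Label, label: Label) -> bool:
    """True when the clearance may read the labeled object: its level is at
    least as high AND it holds every compartment the label requires.  This
    is the 'no read up' rule; a higher level alone is not enough if the
    object sits in a compartment the session was not granted."""
    return (RANK[clearance.level] >= RANK[label.level]
            and label.compartments <= clearance.compartments)


# Constructed directory contents.  The first three entries are the article's
# /data example; payroll.dat is an added, compartmented file.
DATA_DIR: Dict[str, Label] = {
    "holiday.dat": Label("Classified"),
    "budget.dat": Label("Secret"),
    "agents.dat": Label("Top Secret"),
    "payroll.dat": Label("Secret", frozenset({"FINANCE"})),
}

# The article's three-file directory, for reproducing its listings exactly.
ARTICLE_DIR: Dict[str, Label] = {
    name: lbl for name, lbl in DATA_DIR.items() if name != "payroll.dat"
}


def list_visible(directory: Dict[str, Label], clearance: Label) -> List[str]:
    """Names the session is allowed to see: entries whose label the session's
    clearance dominates.  Everything else is silently omitted, which is why
    an Unclassified session sees an apparently empty /data."""
    return [name for name, lbl in directory.items() if dominates(clearance, lbl)]


def render_ls(directory: Dict[str, Label], clearance: Label, path: str = "/data") -> str:
    """Format a listing the way the article shows it: the command line,
    then one visible name per line."""
    return "\n".join([f"$ ls {path}"] + list_visible(directory, clearance))


if __name__ == "__main__":
    for level in LEVELS:
        print(f"--- session clearance: {level}")
        print(render_ls(ARTICLE_DIR, Label(level)))
    print("--- session clearance: Secret + FINANCE compartment")
    print(render_ls(DATA_DIR, Label("Secret", frozenset({"FINANCE"}))))
```

Two points the model makes visible: a "Top Secret" session still cannot see payroll.dat, because dominance is a partial order over level and compartments rather than a simple ranking, and the filtering happens at listing time, so a user cannot even learn the names of objects above their clearance.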
There is an excellent article on how Trusted Solaris can be used to defeat attacks on Web services on Sun's Web site. This article describes the lessons learned from a Web server hacking attack at apache.com.
You can also view which products have been evaluated as part of the Trust Technology Assessment Program (TTAP) by the National Security Agency (NSA) and the National Institute of Standards and Technology (NIST).
O'Reilly & Associates recently released (January 2002) Solaris 8 Administrator's Guide.
Sample Chapter 4, Network Configuration, is available free online.
Dr. Paul A. Watters is Head of Data Services at the Medical Research Council's National Survey of Health and Development, which is the oldest of the British birth cohort studies. He is also an honorary senior research fellow at University College London. Dr. Watters is the project manager for the MRC's Data Access Project, and is presently investigating methods for securing investigator access to public health data in large-scale distributed systems in a challenging ethical and legal environment.