

Friday, February 09, 2007

15 minutes to an extra layer of Solaris Security

I'm working for a client who is security conscious, as we all should be, so I decided to add an extra layer of security to his front door, the machine you ssh into. I created a simple zone on that box and told the firewall to port forward all ssh traffic to the new zone. Inside the zone a user sees only a read-only copy of the system files, can't change much, and has no access to data that isn't part of the zone.

The zone lives on a ZFS filesystem, so I can set a disk space quota: the zone is limited, users can't use up all the free disk space, and an intruder doesn't even learn how much disk is on the box. When Solaris 10 update 4 rolls around we will also be able to cap memory usage, so a user inside the zone won't be able to use more memory, or even know how much memory is in the system. Crossbow, when it migrates into official Solaris, will let us limit network bandwidth and give the zone a lower priority than other traffic on the link, limiting the impact an attack on the front door has on the rest of the system.

How is it done? I have documented it before, but maybe we have some newbies, and this post also pulls all the info into one place. I can also show off the power of an E450 with mirrored root drives and ZFS for the zone.

Create a ZFS filesystem to house the zones, and one under it for the new zone (the pool here is called data).

#zfs create data/zones
#zfs create data/zones/login

chown and chmod the new zone's filesystem so that only root can read, write or traverse it; zoneadm refuses to install into a zonepath that is not mode 700.

#chown -R root /data/zones/login
#chmod -R 700 /data/zones/login

Configure the zone: add a network interface, add /opt to the inherited (read-only, loopback-mounted) package directories, and make it autoboot on power up. Each add block is closed with end, and the configuration is verified and committed before leaving zonecfg.

#zonecfg -z login
create
set zonepath=/data/zones/login
set autoboot=true
add inherit-pkg-dir
set dir=/opt
end
add net
set address=login
set physical=hme0
end
verify
commit
exit

Install the zone

#time zoneadm -z login install
Preparing to install zone <login>.
Creating list of files to copy from the global zone.
Copying <2356> files to the zone.
Initializing zone product registry.
Determining zone package initialization order.
Preparing to initialize <1006> packages on the zone.
Initialized <1006> packages on zone.
Zone is initialized.
The file contains a log of the zone installation.

real 10m16.205s
user 3m45.007s
sys 5m2.149s

Ten minutes later we have our zone. Time to boot it and configure it:

# zoneadm -z login boot
# zlogin -C login

Log in and let's lock down the zone. netservices limited leaves ssh as the only service accepting remote connections, so nothing else is reachable in the zone:

# netservices limited
restarting syslogd
restarting sendmail
restarting wbem
dtlogin needs to be restarted. Restart now? [Y] y
restarting dtlogin

Back to the global zone.

Now let's blunt some disk-filling DoS attacks and make it look like the box has only 4 GB of disk:

zfs set quota=4g data/opt # this is because /opt is on the zfs filesystem, limit it to 4GB
zfs set reservation=4g data/zones/login # make sure we have 4GB available to us.
zfs set quota=4g data/zones/login # limit us to 4GB of disk space
zfs set compression=on data/zones/login # turn on compression on it usually helps IO

So there you have it: a locked-down zone that adds an extra layer of security to Solaris. If someone does manage to break in, you can halt the zone with one command, move the old zone root out of the way for forensics, create its replacement in about 12 minutes, and be back up without affecting any other system.

With a few more lines in the zone config you could also make the zone use only one CPU, or a percentage of one.
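The whole procedure as one script, as an added example that is not part of the original post: it builds the zone as above from a generated zonecfg command file, adds the cpu-shares resource control the previous paragraph alludes to, and adds the incident step (halt, preserve evidence, roll back to a clean snapshot, the route a commenter below suggests). The zone name, pool, NIC and 4g quota are the post's; EVIDENCE_DIR, the @clean snapshot name, the script name and the cpu-shares value of 10 are assumptions. With DRY_RUN=1 it only prints the privileged commands, so it can be read and checked on a box without Solaris zones.

```shell
#!/bin/sh
# Added example, not from the original post. Zone, pool, NIC and quota are the
# post's; EVIDENCE_DIR, @clean and the cpu-shares value are assumptions.
# DRY_RUN=1 prints each privileged command instead of running it.

ZONE=${ZONE:-login}
POOL=${POOL:-data}
NIC=${NIC:-hme0}
QUOTA=${QUOTA:-4g}
EVIDENCE_DIR=${EVIDENCE_DIR:-/var/evidence}   # assumed; keep it off the zone's dataset
DS=$POOL/zones/$ZONE
ZPATH=/$DS

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "+ $*"
    else
        "$@" || { echo "failed: $*" >&2; exit 1; }
    fi
}

# zonecfg(1M) command file. Each 'add' is closed with 'end', and the config is
# verified and committed. zone.cpu-shares limits the zone's CPU share relative
# to other zones once FSS is the default scheduler (dispadmin -d FSS).
gen_zonecfg() {
    cat <<EOF
create
set zonepath=$ZPATH
set autoboot=true
add inherit-pkg-dir
set dir=/opt
end
add net
set address=$ZONE
set physical=$NIC
end
add rctl
set name=zone.cpu-shares
add value (priv=privileged,limit=10,action=none)
end
verify
commit
exit
EOF
}

build_zone() {
    # Dataset for the zone root: root-only, quota so the zone cannot fill the
    # pool, reservation so it is guaranteed its 4 GB, compression as in the post.
    zfs list -H "$POOL/zones" >/dev/null 2>&1 || run zfs create "$POOL/zones"
    run zfs create "$DS"
    run zfs set quota=$QUOTA "$DS"
    run zfs set reservation=$QUOTA "$DS"
    run zfs set compression=on "$DS"
    run zfs set quota=$QUOTA "$POOL/opt"    # global /opt, inherited read-only by the zone
    run chown root "$ZPATH"
    run chmod 700 "$ZPATH"                  # zoneadm install insists on mode 700
    # Configure from the generated file, then install and boot.
    cfg=$(mktemp) || exit 1
    gen_zonecfg > "$cfg"
    run zonecfg -z "$ZONE" -f "$cfg"
    rm -f "$cfg"
    run zoneadm -z "$ZONE" install
    run zoneadm -z "$ZONE" boot
    # Harden inside the zone. zlogin forwards stdin, which answers the
    # "Restart now? [Y]" prompt netservices asks for dtlogin.
    echo y | run zlogin "$ZONE" netservices limited
    # Known-good state to roll back to after an incident.
    run zfs snapshot "$DS@clean"
}

# Suspected compromise: stop the zone, preserve its root for forensics, roll
# back to the clean snapshot (seconds instead of a 12 minute reinstall).
replace_zone() {
    stamp=$(date +%Y%m%d%H%M%S)
    snap=$DS@incident-$stamp
    run zoneadm -z "$ZONE" halt
    run zfs snapshot "$snap"
    # rollback -r destroys snapshots newer than @clean, so first stream the
    # evidence to a file outside the zone dataset.
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "+ zfs send $snap > $EVIDENCE_DIR/$ZONE-$stamp.zfs"
    else
        mkdir -p "$EVIDENCE_DIR" && zfs send "$snap" > "$EVIDENCE_DIR/$ZONE-$stamp.zfs" || exit 1
    fi
    run zfs rollback -r "$DS@clean"
    run zoneadm -z "$ZONE" boot
}

case "${1:-}" in
    build)   build_zone ;;
    replace) replace_zone ;;
    cfg)     gen_zonecfg ;;
    "")      ;;     # no argument: only define the functions
    *)       echo "usage: $0 build|replace|cfg" >&2; exit 2 ;;
esac
```

Run it once as sh zone-frontdoor.sh build and, after an incident, as sh zone-frontdoor.sh replace (the file name is assumed). One caveat: the rollback restores the zone's own files, so it only helps while the intruder stayed inside the zone; a kernel-level escape would put the global zone in scope too, which is why the IDS or tripwire runs in the global zone and never trusts the zone's files.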


Anonymous Roman Romano said...

Would it be possible to snapshot the zone after creation (being ZFS hosted) and recover a 'compromised' zone in seconds rather than 12 minutes?
(N.B. I suggest this nervously as I've only just started my journey on the glorious OpenSolaris road.)

4:13 PM  
Anonymous widhalmt said...

Very nice idea... The only thing I want to mention is that official Sun documents tell you not to install the root of zones on ZFS. But as this zone could easily be set up again, this is not much of a drawback.

9:48 AM  
Blogger chihungchan said...

I did a similar thing in one of my projects. However, I did not use port forwarding. What I did was to set up users in the global zone with a restricted shell and only allow them to run 2 commands (zonename and ssh). Also, the ssh authorized_keys is automatically set up such that when they log in, the $HOME/.profile will auto ssh into the respective zone. BTW, can you share with us how your port forwarding is done? Many thanks.

4:38 PM  
Blogger François Bousquet said...

What is the purpose of all this? Users will log in by ssh to a read-only server?

11:45 AM  
Blogger jamesd_wi said...

"What is the purpose of all this? Users will log in by ssh to a read-only server?"

Yes, it's a read-only server, but it's more: it allows an administrator to run applications to watch the visitor without the visitor knowing, and it also limits what the visitor can do. Even if the user becomes root, he is still stuck in the zone, his actions are still monitored by the IDS or tripwire, both running in the global zone, and there is nothing he can do about it.

The administrator can also put restraints on how much CPU and disk the visitor can use. In the future the administrator will be able to limit the RAM and network resources that may be used.

11:58 AM  
