The Solaris Fingerprint Database - A Security Tool for Solaris Operating Environment Files



Similar documents
Sun StorEdge A5000 Installation Guide

N1 Grid Service Provisioning System 5.0 User s Guide for the Linux Plug-In

Sun Management Center Change Manager Release Notes

Upgrading the Solaris PC NetLink Software

Sun StorEdge RAID Manager Release Notes

Sun Enterprise Optional Power Sequencer Installation Guide

Optimizing Solaris Resources Through Load Balancing

Sun Cluster 2.2 7/00 Data Services Update: Apache Web Server

Solaris 10 Documentation README

Service Level Definitions and Interactions

Scrubbing Disks Using the Solaris Operating Environment Format Program

Comparing JavaServer Pages Technology and Microsoft Active Server Pages

SunFDDI 6.0 on the Sun Enterprise Server

Solaris Bandwidth Manager

Sun Enterprise 420R Server Product Notes

Solaris 9 9/05 Installation Roadmap

Sun StorEdge T3 Dual Storage Array - Part 1

JumpStart : NIS and sysidcfg

Sun StorEdge N8400 Filer Release Notes

Service Level Agreement in the Data Center

Exploring the iplanet Directory Server NIS Extensions

Sun Management Center 3.6 Version 5 Add-On Software Release Notes

Sun StorEdge Availability Suite Software Point-in-Time Copy Software Maximizing Backup Performance

Java Dynamic Management Architecture for Intelligent Networks

Reducing the Backup Window With Sun StorEdge Instant Image Software

LAN-Free Backups Using the Sun StorEdge Instant Image 3.0 Software

Developing a Security Policy

Disaster Recovery Requirements Analysis

Managing NFS Workloads

Sun TM SNMP Management Agent Release Notes, Version 1.6

Important Note on New Product Names

Sun Management Center 3.5 Update 1b Release Notes

Power Savings in the UltraSPARC T1 Processor

Rapid Recovery Techniques: Exploring the Solaris Software Registry

Sun Ultra TM. 5 and Ultra 10 Product Notes. Sun Microsystems, Inc. 901 San Antonio Road Palo Alto, CA U.S.A.

Sun StorEdge Enterprise Backup Software 7.2

HelloWorld SOAP Sample:

Rapid Recovery Techniques: Auditing Custom Software Configuration

Sun Management Center 3.6 Version 4 Add-On Software Release Notes

Sun Fire 6800/4810/4800/3800 Systems Software Release Notes

Automating Centralized File Integrity Checks in the Solaris 10 Operating System

Sun StorEdge Network FC Switch-8 and Switch-16 Release Notes

Solaris Resource Manager

Sun SNMP Management Agent Release Notes, Version 1.5.5

Service Level Management in the Data Center

Sun Grid Engine Release Notes

Sun Fire 6800/4810/4800/ 3800 Systems Product Notes

Start Here. Installation and Documentation Reference. Sun StorEdgeTM 6120 Array

N1 Grid Engine 6 Release Notes

The UltraSPARC T1 Processor - High Bandwidth For Throughput Computing

Sun Fire B10n Content Load Balancing Blade Product Notes

Data Center Design Philosophy

Sun StorEdge Instant Image 3.0 and Oracle8i Database Best Practices

Consolidation in the Data Center

Sun Microsystems, Inc Garcia Avenue Mountain View, CA FAX

SCSI Sense Key Error Guide

Solaris 9 Installation Roadmap

Java Management Extensions SNMP Manager API

RAID Controller PCI Card for the Sun Fire V60x and V65x Servers Release Notes

SunPCi Supporting Highly Available PC Applications with Solaris

Trust Modeling for Security Architecture Development

Netra Data Plane Software Suite 2.0 Update 2 Release Notes

Sun Fire 6800/4810/4800/3800 Systems Firmware Release Notes

Sun StorEdge RAID Manager 6.22 User s Guide

Sun Ray, Smart Cards, and Citrix

Brocade SilkWorm 4100 FC Switch Release Notes

Sun Fire Midframe Server Best Practices for Administration

Sun StorEdge SAN Foundation Release Notes

Sun Fire V480 Server Product Notes

Sun Remote System Control (RSC) Installation Guide

Sun 450 MHz UltraSPARC -II Module Upgrade

Sun Blade 1500 Workstation Product Notes

Sun StorEdge network FC switch-8 and switch-16 Release Notes

Sun N1 Service Provisioning System User s Guide for Linux Plug-In 2.0

Distributed Application Management using Jini Connection Technology

Operations Management Capabilities Model

Brocade 5300 Switch Hardware Release Notes

Brocade 300 Switch Hardware Release Notes

Sun Ray Server Software 3 Release Notes

Sun Fire V20z Server Release Notes

Sun Blade 100 and Sun Blade 150 Workstations

A Strategy for Managing Performance

MIGRATION WHITEPAPER MIGRATING FROM MICROSOFT OFFICE TO OPENOFFICE.ORG OR STAROFFICE 9

Sun GlassFish Enterprise Manager SNMP Monitoring 1.0 Installation and Quick Start Guide

Sun SM Remote Services Net Connect Solaris TM 9 4/04

Platform Notes: The SunHSI/P Device Driver

Netra X4200 M2 Server Site Planning Guide

Getting StartedWith Sun Java System Application Server 9.1 Update 2

Solaris Patch Management: Recommended Strategy

Solaris Volume Manager Administration Guide

Transcription:

The Solaris Fingerprint Database - A Security Tool for Solaris Operating Environment Files By Vasanthan Dasan - Support Services Strategy Group, Alex Noordergraaf - Enterprise Engineering, and Lou Ordorica - Global eservices Engineering Sun BluePrints OnLine - May 2001 http://www.sun.com/blueprints Sun Microsystems, Inc. 901 San Antonio Road Palo Alto, CA 94303 USA 650 960-1300 fax 650 969-9131 Part No.: 816-1148-10 Revision 01, May 2001

Copyright 2001 Sun Microsystems, Inc. 901 San Antonio Road, Palo Alto, California 94303 U.S.A. All rights reserved. This product or document is protected by copyright and distributed under licenses restricting its use, copying, distribution, and decompilation. No part of this product or document may be reproduced in any form by any means without prior written authorization of Sun and its licensors, if any. Third-party software, including font technology, is copyrighted and licensed from Sun suppliers. Parts of the product may be derived from Berkeley BSD systems, licensed from the University of California. UNIX is a registered trademark in the U.S. and other countries, exclusively licensed through X/Open Company, Ltd. Sun, Sun Microsystems, the Sun logo, The Network Is The Computer, SunSolve, Sun BluePrints and Solaris are trademarks, registered trademarks, or service marks of Sun Microsystems, Inc. in the U.S. and other countries. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. in the U.S. and other countries. Products bearing SPARC trademarks are based upon an architecture developed by Sun Microsystems, Inc. The OPEN LOOK and Sun Graphical User Interface was developed by Sun Microsystems, Inc. for its users and licensees. Sun acknowledges the pioneering efforts of Xerox in researching and developing the concept of visual or graphical user interfaces for the computer industry. Sun holds a non-exclusive license from Xerox to the Xerox Graphical User Interface, which license also covers Sun s licensees who implement OPEN LOOK GUIs and otherwise comply with Sun s written license agreements. RESTRICTED RIGHTS: Use, duplication, or disclosure by the U.S. Government is subject to restrictions of FAR 52.227-14(g)(2)(6/87) and FAR 52.227-19(6/87), or DFAR 252.227-7015(b)(6/95) and DFAR 227.7202-3(a). DOCUMENTATION IS PROVIDED AS IS AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON- INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. Copyright 2001 Sun Microsystems, Inc., 901 San Antonio Road, Palo Alto, Californie 94303 Etats-Unis. Tous droits réservés. Ce produit ou document est protégé par un copyright et distribué avec des licences qui en restreignent l utilisation, la copie, la distribution, et la décompilation. Aucune partie de ce produit ou document ne peut être reproduite sous aucune forme, par quelque moyen que ce soit, sans l autorisation préalable et écrite de Sun et de ses bailleurs de licence, s il y en a. Le logiciel détenu par des tiers, et qui comprend la technologie relative aux polices de caractères, est protégé par un copyright et licencié par des fournisseurs de Sun. Des parties de ce produit pourront être dérivées des systèmes Berkeley BSD licenciés par l Université de Californie. UNIX est une marque déposée aux Etats-Unis et dans d autres pays et licenciée exclusivement par X/Open Company, Ltd. Sun, Sun Microsystems, le logo Sun, The Network Is The Computer, SunSolve, BluePrints OnLine et Solaris sont des marques de fabrique ou des marques déposées, ou marques de service, de Sun Microsystems, Inc. aux Etats-Unis et dans d autres pays. Toutes les marques SPARC sont utilisées sous licence et sont des marques de fabrique ou des marques déposées de SPARC International, Inc. aux Etats-Unis et dans d autres pays. Les produits portant les marques SPARC sont basés sur une architecture développée par Sun Microsystems, Inc. L interface d utilisation graphique OPEN LOOK et Sun a été développée par Sun Microsystems, Inc. pour ses utilisateurs et licenciés. Sun reconnaît les efforts de pionniers de Xerox pour la recherche et le développement du concept des interfaces d utilisation visuelle ou graphique pour l industrie de l informatique. Sun détient une licence non exclusive de Xerox sur l interface d utilisation graphique Xerox, cette licence couvrant également les licenciés de Sun qui mettent en place l interface d utilisation graphique OPEN LOOK et qui en outre se conforment aux licences écrites de Sun. CETTE PUBLICATION EST FOURNIE "EN L ETAT" ET AUCUNE GARANTIE, EXPRESSE OU IMPLICITE, N EST ACCORDEE, Y COMPRIS DES GARANTIES CONCERNANT LA VALEUR MARCHANDE, L APTITUDE DE LA PUBLICATION A REPONDRE A UNE UTILISATION PARTICULIERE, OU LE FAIT QU ELLE NE SOIT PAS CONTREFAISANTE DE PRODUIT DE TIERS. CE DENI DE GARANTIE NE S APPLIQUERAIT PAS, DANS LA MESURE OU IL SERAIT TENU JURIDIQUEMENT NUL ET NON AVENU. Please Recycle

The Solaris Fingerprint Database - A Security Tool for Solaris Operating Environment Files Overview Verifying whether system executables, configuration files, and startup scripts have been modified by a user has always been a difficult task. Security tools attempting to address this issue have been around for many years. These tools typically generate cryptographic checksums of files when a system is first installed. The Solaris Fingerprint Database (sfpdb) is a free SunSolve Online SM service that enables users to verify the integrity of files distributed with the Solaris Operating Environment (Solaris OE). Examples of these files include the /bin/su executable file, Solaris OE patches, and unbundled products such as Sun Forte Developer Tools. The list of checksums, generated for a system, must be updated after the system is modified by patch installation and software installations. The issue with these tools has always been verifying that the files used to generate the baseline checksums are correct and current. The Solaris Fingerprint Database addresses the issue of validating the base Sun provided files. This includes files distributed with Solaris OE media kits, unbundled software, and patches. The sfpdb provides a mechanism to verify that a true file in an official binary distribution is being used, and not an altered version that compromises system security and causes other problems. 1

How Does the sfpdb Work? Through the use of the MD5 hash algorithm, the Solaris Fingerprint Database compares a crytographically secure digital fingerprint with the trusted entry stored online in the sfpdb, and instantly identifies mismatches. The trusted entry is available over the internet at SunSolve OnLine website. The MD5 digital fingerprint, or hash, generated locally will be used to determine if a file has been modified. It is virtually impossible to modify a file and retain the original MD5 digital fingerprint. The algorithm used by the cksum(1) Solaris OE command is much easier to circumvent and re-create the hash of the unmodified file, which is why the MD5 algorithm is used instead. The sfpdb maps a digital fingerprint to a path name, package version/identifier, and product name. This is a one to many mapping, as some files may occur in several product and patch releases. Note Internet connectivity does not have to be available from all systems to use the sfpdb, as the files containing the MD5 hashes can be moved to an internet connected machine and verified either manually, or through the sfpdb Companion described at the end of this article. sfpdb Scope The goal of the sfpdb is to provide a comprehensive collection of digital fingerprints for Solaris OE software. To this end, the sfpdb is updated daily, and presently contains close to 1 million digital fingerprints for files used in the Solaris OE, Solaris OE patches, and unbundled products. Limitations Currently, foreign language versions of the Solaris OE and many encryption products are not supported. To suggest a product be added to sfpdb, please send email to: fingerprints@sun.com. 2 The Solaris Fingerprint Database - A Security Tool for Solaris Operating Environment Files May 2001

Download and Installation This section describes how to download and install the MD5 software used to create MD5 digital fingerprints for use with the sfpdb. To Install the MD5 Program (SPARC and Intel Architecture): 1. Download the MD5 binaries from: http://sunsolve.sun.com/md5/md5.tar.z The MD5 programs are distributed in compressed tar file format. 2. Save the file to a directory (for example: /usr/local or /opt). 3. Unpack the archive: # zcat md5.tar.z tar xvf - The archive contents are extracted into a newly created directory called md5. The programs for SPARC and Intel Architecture hardware platforms are placed in this directory. 4. The file permissions on the extracted files must be modified before they can be executed. The following command will permit only root to read, write, and execute the md5 programs: # chmod 700 /opt/md5/* # ls -l total 94 -rwx------ 1 21782 320 23892 Apr 5 2000 md5-sparc -rwx------ 1 21782 320 23452 Apr 5 2000 md5-x86 Download and Installation 3

5. The owner and group of the extracted files must also be modified to correspond to a system defined user and group ID. Due to the sensitivity of the operations being performed by the md5 programs, they should be owned by the root user and the root group. The following demonstrates performing this on the md5 programs: # chown root:root /opt/md5/* # ls -l total 94 -rwx------ 1 root root 23892 Apr 5 2000 md5-sparc -rwx------ 1 root root 23452 Apr 5 2000 md5-x86 Note The Solaris Fingerprint Database can be used to verify the integrity of the executables included in the package itself. Creating an MD5 Digital Fingerprint The following is an example of how to use the md5 program to create an MD5 digital fingerprint: # /opt/md5/md5-sparc /usr/bin/su MD5 (/usr/bin/su) = cb2b71c32f4eb00469cbe4fd529e690c The md5 program can also be used to create multiple MD5 digital fingerprints, as shown in this example: # /opt/md5/md5-sparc /usr/bin/su /usr/bin/ls MD5 (/usr/bin/su) = cb2b71c32f4eb00469cbe4fd529e690c MD5 (/usr/bin/ls) = 351f5eab0baa6eddae391f84d0a6c192 Note The two previous examples were performed on a freshly installed Solaris 8 OE Update 3 system. No patches were installed. Do not rely on the output generated above as correct for every system. Use the following procedure, described in the Testing an MD5 Digital Fingerprint section. 4 The Solaris Fingerprint Database - A Security Tool for Solaris Operating Environment Files May 2001

Use the md5 program with the find(1) command to create MD5 digital fingerprints for files that have changed recently. The next example creates MD5 digital fingerprints for files stored in the /usr/bin directory modified in the last day: # find /usr/bin -type f -mtime -1 -print \ xargs -n100 /opt/md5/md5-sparc > /tmp/md5s.txt The results contained in the /tmp/md5s.txt file can be easily reviewed and copied into the Solaris Fingerprint Database web form. Note A maximum of 256 entires can be submitted into the web form at one time. The next example shows how to create MD5 digital fingerprints for all the files stored in the /usr/bin directory: # find /usr/bin -type f -print \ xargs -n100 /opt/md5/md5-sparc > /tmp/md5s.txt Testing an MD5 Digital Fingerprint To check the digital fingerprint against the trusted entry stored in the sfpdb: 1. Visit the Solaris Fingerprint Database page at: http://sunsolve.sun.com/pub-cgi/filefingerprints.pl The Solaris Fingerprint web form is displayed. 2. Copy and paste one or more MD5 digital fingerprints into the web form. For example, to verify the output of the md5 checksum of su generated in the previous case, the following would be pasted into the web form: MD5 (/usr/bin/su) = cb2b71c32f4eb00469cbe4fd529e690c Testing an MD5 Digital Fingerprint 5

3. Press submit to view the results. The following is an example of the results that are returned: Results of Last Search cb2b71c32f4eb00469cbe4fd529e690c - (/usr/bin/su) - 1 match(es) canonical-path: /usr/bin/su package: SUNWcsu version:11.8.0,rev=2000.01.08.18.12 architecture: sparc source: Solaris 8/SPARC patch: 109005-01 Real World Results The sfpdb provides an excellent mechanism to determine whether system binaries have been replaced by trojaned, or malicously modified, executables. To demonstrate the sfpdb performance when encountering actual trojaned Solaris OE binaries, the following experiment was performed. A freshly installed Solaris 8 OE Update 3 (1/ 01) system, used in the previous examples, had a Solaris OE rootkit installed. The term rootkit is used to describe a set of scripts and executables packaged together which will allow the user to gain root access to a system. The sfpdb was then used to verify that trojaned executables were installed. The rootkit described in the next few examples was used in a successful attack on one of the HoneyNet projects systems. For more information on this project, refer to the Bibliography. Note Many Solaris OE rootkits are available on the internet; most search engines will find several in responding to a simple query for Solaris and rootkit. This rootkit, called sun2.rootkit, replaced several system files, namely: /bin/ls /usr/bin/ls /bin/ps /bin/netstat /usr/bin/netstat 6 The Solaris Fingerprint Database - A Security Tool for Solaris Operating Environment Files May 2001

The installation script, setup.sh, included in the rootkit, performed the following tasks. First, the rootkit backed up some, but not all, of the files it was going to replace by: cp /bin/ls./ls-back cp /bin/ps./ps-back cp /bin/netstat./netstat-back Then, the rootkit installed its own version of these files with the following commands: cp ls /bin/ls cp ls /usr/bin/ls cp ps /bin/ps cp netstat /bin/netstat cp netstat /usr/bin/netstat The trojaned executables were run through md5-sparc with the following command: # /opt/md5/md5-sparc /bin/ls /usr/bin/ls /bin/ps \ /bin/netstat /usr/bin/netstat Which generated the following: MD5 (/bin/ls) = da2ac2fc4645ff9fb737025f2d184aeb MD5 (/usr/bin/ls) = da2ac2fc4645ff9fb737025f2d184aeb MD5 (/bin/ps) = abd478c6597b4df1d565b9568f9e91bf MD5 (/bin/netstat) = 2f4ec308b282c5c362e9fbd052b961f6 MD5 (/usr/bin/netstat) = 2f4ec308b282c5c362e9fbd052b961f6 Real World Results 7

When run through the web interface of the sfpdb, the following output was produced: Results of Last Search da2ac2fc4645ff9fb737025f2d184aeb - (/bin/ls) - 0 match(es) Not found in this database. da2ac2fc4645ff9fb737025f2d184aeb - (/usr/bin/ls) - 0 match(es) Not found in this database. abd478c6597b4df1d565b9568f9e91bf - (/bin/ps) - 0 match(es) Not found in this database. 2f4ec308b282c5c362e9fbd052b961f6 - (/bin/netstat) - 0 match(es) Not found in this database. 2f4ec308b282c5c362e9fbd052b961f6 - (/usr/bin/netstat) - 0 match(es) Not found in this database. The Solaris Fingerprint Database correctly identified the trojaned executables as not being part of a Solaris OE distribution. Additional sfpdb Tools Recently, several tools making the sfpdb easier to use have been released by Glenn Brunette and Brad Powell. They are called sfpdb Companion and Sidekick. Both of these tools may be downloaded from the Sun BluePrints OnLine Tools site at: http://www.sun.com/blueprints/tools Solaris FingerPrint Database Companion (sfpc) The Solaris FingerPrint Database Companion (sfpc) automates the process of collecting and checking MD5 signatures against the sfpdb. The sfpc simplifies this process by accepting as input a file containing a list of MD5 hashes, breaking that list into manageable chunks, and sending it to the sfpdb for processing. Results are then parsed from the returned HTML output. The sfpc makes it much easier to check large lists of Solaris OE files by automating the submission of the files to the sfpdb web site. 8 The Solaris Fingerprint Database - A Security Tool for Solaris Operating Environment Files May 2001

Solaris Fingerprint Database Sidekick (sfps) The sfpdb sidekick.sh is a script that works in conjunction with sfpdb and spfc by simplifying the process of checking a system for rootkits. Sidekick does this by maintaining a list of commonly trojaned Solaris OE executables, such as /usr/bin/ passwd and /usr/bin/login. sfpdb Frequently Asked Questions Why do some of the returned entries contain odd path names? In the process of gathering fingerprint data for the entries, it was discovered that many packages are not properly structured. Some path names may not be decided until installation. For these path names, it is not possible to derive the file name as found installed on the system; some path names are wrong, and some will contain $SOMEVAR values to be expanded during installation. In any case, if a file was positively identified, it was shipped on a CD by Sun. The pathname does not need to match. Will Sun publish the full content of the database? Sun is currently studying how best to publish the full content of the database, as for some applications, the web interface to a CGI program is too limiting. Conclusion The Solaris Fingerprint Database is a tool for the verification of system files through cryptographic checksums. By being able to verify the integrity of system files, administrators can determine if system binaries have been modified by malicious users or trojaned.this tool provides these capabilities for customers to use when verifying the integrity of their systems. It should also be noted that in the first six months of sfpdb availability from SunSolve service, several customers reported finding unexpected rootkits through its use. sfpdb Frequently Asked Questions 9

Bibliography HoneyNet project - http://project.honeynet.org HoneyNet Project - Know Your Enemy: Motives - http://project.honeynet.org/ papers/motives/ The Solaris Fingerprint Database - An Identification Tool for Solaris Software and Files http://sunsolve.sun.com/pub-cgi/show.pl?target=content/ content7 Author s Bio: Vasanthan Dasan Vasanthan Dasan is an ES Principal Engineer, one of 5 high-ranked engineers in Sun s Enterprise Services. Vasanthan joined Sun Microsystems in 1992 and is currently a Technology Strategist in the Support Services Global Strategy Business Development group. He is responsible for architecting application availability servies and for providing technical expertise on merger and acquisition activities. Vasanthan was the Chief Architect for Support Services Engineering, responsible for developing online support servies for Sun s customer support engineers and external customers. Prior to that, he worked on Solaris products such as CacheFS, AutoClient, Solstice PC Products, and Jumpstart as part of the Solaris engineering team. Vasanthan co-authored Hands-On Intranet, published by Prentice Hall, and has written numerous Sun whitepapers. He was largely responsible for Sun s early adoption of the Web in 1994, and holds one of the industry s first Web patents, awarded for the invention of web-based personal newspapers. Author s Bio: Alex Noodergraaf Alex Noordergraaf has more than 9 years experience in the area of Computer and Network Security. As a Senior Staff Engineer in the Enterprise Engineering group of Sun Microsystems, he is developing, documenting, and publishing security best practices through the Sun BluePrints OnLine program. Articles completed include recommendations on: Solaris Security settings, Solaris Minimization, and Solaris Network settings. Prior to his role in Enterprise Engineering he was a Senior Security Architect with Sun Professional Services, where he worked with many Fortune 500 companies on projects that included security assessments, architecture development, architectural reviews, and policy/procedure review and development. In addition to providing billable services to customers, he developed and delivered an Enterprise security assessment methodology and training curriculum to be used worldwide by SunPS. His customers have included major telecommunication firms, financial institutions, ISPs, and ASPs. 10 The Solaris Fingerprint Database - A Security Tool for Solaris Operating Environment Files May 2001

Author s Bio: Lou Ordorica Lou Ordorica worked for several years as a system administrator at Sun Microsystems. He went on to teach and write about system administration for Sun s employees and customers, and is currently providing online support to customers using the Web. Author s Bio: Vasanthan Dasan 11

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information