Securing SCO Operating Systems Simon Boardman - PowerPoint PPT Presentation

1
Securing SCO Operating Systems
Simon Boardman
2
Topics Covered
  • Securing the SCO Unix OS
  • Patches
  • General
  • Security Profiles
  • Network Security
  • Stopping Services at Start-Up
  • inetd.conf
  • TCPWrappers
  • ipfilter
  • Ssh
  • ipsec

3
Patches
  • Manually
  • http://www.sco.com/support/download.html
  • Automatically
  • patchck
  • http://www.sco.com/support/patchck.html
  • patchck check
  • patchck auto
  • patchck o
  • patchck -logs

4
Downloads
5
General Unix Security Administration
  • From file permissions to asroot/tfadmin, see
  • http://uw714doc.sco.com/en/SEC_admin/CONTENTS.html
  • http://osr600doc.sco.com/en/SEC_admin/CONTENTS.html
  • http://osr507doc.sco.com/en/OSAdminG/CONTENTS.html
  • Plus /etc/default/login CONSOLE
  • Auditing?

6
Security
7
Security Profiles
  • Select an appropriate security profile at ISL
    (Initial System Load - install time).
  • A security profile is a set of pre-configured
    values for parameters that control the security
    behavior of your system, such as how long
    passwords last, or what privileges are assigned
    to users.
  • Once you choose a profile, you can switch to
    another profile, or change any one of the dozens
    of parameters on an individual basis. You can
    change this post install using "relax". You can
    use "secdefs" and "secdefs -v" to determine what
    level of security you are currently at.

8
Security Profiles
  • For details of what's in each one, visit
  • http://uw714doc.sco.com/en/HANDBOOK/uaC.dfltsets.html
  • http://osr600doc.sco.com/en/UG_admin/uaC.dfltsets.html
  • http://osr507doc.sco.com/en/OSAdminG/uaC.dfltsets.html
  • To see exactly what each security level covers,
    look at the changes that are made in
  • OSR5/OSR6: /tcb/lib/relax
  • UW7: /etc/security/seclevel
9
Security Differences
10
Network Security At StartUp
  • Networking services started by rc2(ADM)
  • The /etc/rc2 script is invoked by init(M)
  • r2:2:wait:/etc/rc2 1> /dev/console 2>&1 </dev/console
  • /etc/rc2 messages are logged to
  • /usr/adm/rc2.log
  • Networking service scripts called by rc2
    include
  • S85tcp, S86rpc, P86sendmail, S87nfs, S90nis,
    P90apache, S95docview, S99cups, S99nmbd, S99smbd
  • Can disable a service as follows
  • mv /etc/rc2.d/S87nfs /etc/rc2.d/s87nfs
  • shutdown -y -g0 -i6

11
Network Security At StartUp
  • Network services started by traditional rc2(ADM)
  • S85tcp
  • Symbolic link to /etc/tcp
  • S86rpc
  • Symbolic link to /etc/rpcinit
  • Starts rpcbind(ADMN), rwalld(NADM) and sprayd
  • P86sendmail (or MMDF equivalent)
  • Starts sendmail(ADMN)
  • S87nfs
  • Symbolic link to /etc/nfs
  • Starts exportfs(NADM), nfsd(NADM), biod(NADM),
    mountd(NADM), statd(1Mnfs), lockd(NADM),
    bootparamd(NADM) and pcnfsd(NADM)
  • S90nis
  • Symbolic link to /etc/nis
  • Not configured or started by default

12
Network Security At StartUp
  • Network services started by traditional rc2(ADM)
  • P90apache
  • Starts the apache web server on port 80
  • S95docview
  • Starts the OpenServer 6 documentation server on
    port 8457
  • S99cups
  • Starts the CUPS Print server, cupsd(8)
  • Remote admin is disabled by default (See TA
    126211)
  • S99nmbd
  • Starts the NetBIOS name service, nmbd(8)
  • S99smbd
  • Starts the File and Print Server daemon, smbd(8)

13
OpenServer 6 Networking Start-up
  • Multi-User Mode start-up
  • [Diagram: rc2 and the start-up scripts S85tcp,
    S86rpc, P86sendmail, S87nfs, S90nis, P90apache,
    S95docview, S99cups, S99nmbd and S99smbd,
    together with the daemons snmpd, sshd, named,
    inetd, pppd, prngd, lpd, ntpd and aasd]

14
OpenServer 6 Networking Start-up
  • Multi-User Mode start-up contd
  • [Diagram: inetd and its services rlogind,
    telnetd, ftpd, pop3, rexec, rshd, imap and swat]

15
Network Security inetd.conf
  • Services controlled by inetd(ADMN)
  • inetd is known as a Super Server
  • inetd is started by /etc/rc2.d/S85tcp (/etc/tcp)
  • inetd configures the services listed in
    /etc/inetd.conf
  • inetd reads /etc/services (and /etc/protocols) to
    get the name, aliases, port and protocol to use
    for each service

16
Network Security inetd.conf
  • Services controlled by inetd(ADMN)
  • On a traditional install inetd configures
    services including
  • ftp stream tcp nowait root /etc/ftpd ftpd -a
  • telnet stream tcp nowait NOLUID /etc/telnetd telnetd
  • shell stream tcp nowait NOLUID /etc/rshd rshd
  • login stream tcp nowait NOLUID /etc/rlogind rlogind
  • exec stream tcp nowait NOLUID /etc/rexecd rexecd
  • pop3 stream tcp nowait root /etc/popper popper
  • imap stream tcp nowait root /etc/imapd imapd
  • swat stream tcp nowait root /usr/sbin/swat swat
  • Can disable a service by commenting it out
  • #telnet stream tcp nowait NOLUID /etc/telnetd telnetd
  • And then restarting inetd with a SIGHUP
  • kill -1 `cat /etc/inetd.pid`

17
inetd.conf - TCPWrappers
  • tcpd(ADM) aka tcpwrappers 7.6
  • Can be used to log and control access to inetd
    services
  • To enable tcpwrappers on telnetd
  • Edit /etc/inetd.conf
  • Comment out the entry
  • telnet stream tcp nowait NOLUID /etc/telnetd telnetd
  • Uncomment the entry
  • telnet stream tcp nowait NOLUID /etc/tcpd telnetd
  • Save the file
  • Restart inetd using
  • kill -1 `cat /etc/inetd.pid`
  • Telnet to the server and check syslog
  • Jul 11 17:26:14 jrbt5 telnetd[2102]: connect from jrbhp1
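
A way to check which inetd services are disabled, wrapped by tcpd or started directly, as described on the two inetd.conf slides above. This is an added example, not code from the presentation; the sample file contents and the function names audit_inetd and exposed_services are constructed for illustration.

```python
# Constructed sample in the inetd.conf layout shown on the slides (not a real host's file).
SAMPLE_INETD_CONF = """\
ftp     stream  tcp  nowait  root    /etc/ftpd     ftpd -a
#telnet stream  tcp  nowait  NOLUID  /etc/telnetd  telnetd
telnet  stream  tcp  nowait  NOLUID  /etc/tcpd     telnetd
shell   stream  tcp  nowait  NOLUID  /etc/rshd     rshd
#login  stream  tcp  nowait  NOLUID  /etc/rlogind  rlogind
pop3    stream  tcp  nowait  root    /etc/popper   popper
"""


def audit_inetd(text, wrapper="/etc/tcpd"):
    """Map each service name to a list of (state, daemon) for its entries.

    state is "disabled" (commented out), "wrapped" (server is tcpd)
    or "unwrapped" (inetd starts the daemon directly).
    """
    report = {}
    for raw in text.splitlines():
        line = raw.strip()
        disabled = line.startswith("#")
        fields = line.lstrip("#").split()
        # Entry layout: service, socket type, protocol, wait flag, user,
        # server path, then the daemon's argv. Anything else is a comment.
        if len(fields) < 7 or fields[1] not in ("stream", "dgram"):
            continue
        service, server, daemon = fields[0], fields[5], fields[6]
        if disabled:
            state = "disabled"
        elif server == wrapper:
            state = "wrapped"
        else:
            state = "unwrapped"
        # daemon (argv[0]) is the name tcpd logs and matches rules against.
        report.setdefault(service, []).append((state, daemon))
    return report


def exposed_services(text):
    """Services with an active entry that bypasses tcpd."""
    return sorted(svc for svc, entries in audit_inetd(text).items()
                  if any(state == "unwrapped" for state, _ in entries))


if __name__ == "__main__":
    for svc, entries in audit_inetd(SAMPLE_INETD_CONF).items():
        print(svc, entries)
    print("not wrapped:", exposed_services(SAMPLE_INETD_CONF))
```

Entries that use inetd's built-in services have no server path of their own and are skipped by this sketch.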

18
inetd.conf - TCPWrappers
  • Controlling Access using tcpd(ADM)
  • hosts_access(SFF) control implemented using
  • /etc/hosts.allow and
  • /etc/hosts.deny
  • These files contain no rules by default
  • Access is controlled as follows
  • Grant access if you match an entry in the
    /etc/hosts.allow file
  • Deny access if you match an entry in the
    /etc/hosts.deny file
  • Otherwise, grant access

19
inetd.conf - TCPWrappers
  • Controlling Access using tcpd(ADM) contd
  • Entries in hosts.allow and hosts.deny are of the
    form
  • daemon_list : client_list
  • daemon_list is a list of one or more daemon
    process names or wildcards
  • client_list is a list of one or more host names,
    host addresses, patterns or wildcards that will
    be matched against the client host name or
    address
  • There are two basic options
  • Deny all and add entries to /etc/hosts.allow
    (Mostly Closed)
  • Allow all and add entries to /etc/hosts.deny
    (Mostly Open)

20
inetd.conf - TCPWrappers
  • Some hosts_access(SFF) examples
  • To deny everything, in /etc/hosts.deny add
  • ALL: ALL
  • To allow everything leave /etc/hosts.allow empty
  • To allow exceptions in /etc/hosts.allow add
  • ftpd: .friendly.domain
  • telnetd: ALL@192.168.124.1
  • rlogind: 192.168.1.0/255.255.255.0
  • To report on blocked access
  • ALL: ALL: spawn (echo Attempt from %h %a to %d at `date` | tee -a /var/log/tcp.deny.log | mail me@sco.com )
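
The access order from the "Controlling Access" slide (allow match grants, deny match refuses, otherwise grant) applied to a mostly closed policy, as an added example that is not part of the presentation. It assumes IPv4 and handles only the ALL, domain-suffix, net/mask and exact-match client patterns; user@host patterns and spawn options are not evaluated, and the function names are made up for illustration.

```python
import ipaddress

# Constructed "mostly closed" policy using pattern forms from the slides.
HOSTS_ALLOW = "ftpd: .friendly.domain\nrlogind: 192.168.1.0/255.255.255.0\n"
HOSTS_DENY = "ALL: ALL\n"


def parse_rules(text):
    """Return (daemon_list, client_list) pairs; options after a second ':' are ignored."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 2:
            rules.append((fields[0].replace(",", " ").split(),
                          fields[1].replace(",", " ").split()))
    return rules


def client_matches(pattern, host, addr):
    if pattern == "ALL":
        return True
    if pattern.startswith("."):        # domain suffix such as .friendly.domain
        return host.lower().endswith(pattern.lower())
    if "/" in pattern:                 # net/mask such as 192.168.1.0/255.255.255.0
        net = ipaddress.ip_network(pattern, strict=False)
        return ipaddress.ip_address(addr) in net
    return pattern in (host, addr)     # exact host name or address


def file_matches(text, daemon, host, addr):
    return any(("ALL" in daemons or daemon in daemons)
               and any(client_matches(p, host, addr) for p in clients)
               for daemons, clients in parse_rules(text))


def access_granted(daemon, host, addr, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """Allow-file match grants, else deny-file match refuses, else grant."""
    if file_matches(allow, daemon, host, addr):
        return True
    if file_matches(deny, daemon, host, addr):
        return False
    return True


if __name__ == "__main__":
    print(access_granted("ftpd", "build.friendly.domain", "10.0.0.5"))
    print(access_granted("telnetd", "build.friendly.domain", "10.0.0.5"))
    print(access_granted("telnetd", "anywhere.example", "10.0.0.5", allow="", deny=""))
```

The last call shows the default state: with no rules in either file, every wrapped service is reachable from anywhere.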

21
OpenServer 6 and IPF
  • IP Filter Firewall Package for OpenServer 6.0.0
  • For a detailed HOW TO on firewall setup see
  • http://osr600doc.sco.com/en/NET_tcp/ipf-howto.html
  • See also
  • ipf(ADMN), ipfilter(M) and ipnat(ADMN)
  • Enable IP Filter as root using
  • mkdev ipfilter
  • Display the current incoming and outgoing rules
    with
  • ipfstat -io

22
OpenServer 6 and OpenSSH
  • OpenServer 6 MP3 ships with
  • OpenSSH_4.6.p1
  • The package provides
  • ssh(1) (aka slogin(1)) for secure, encrypted
    login and remote command execution
  • scp(1) for secure, encrypted remote copy
  • sftp(1) for secure, encrypted file transfer
  • Can also be used for, among other things
  • Local Port Forwarding
  • Dynamic Port Forwarding
  • X11 Forwarding

23
OpenServer 6 and IPsec
  • To enable and configure IPsec, see
  • http://osr600doc.sco.com/en/NET_ipsec/ipsec_top.html

24
IPSec
25
Not taking notes? No problem
  • Is all this documented somewhere to make it easy?
  • http://www.sco.com/ta/126831

26
Questionnaire?
  • Easy one to start: What's the tool for automating
    your patch administration?
  • Where's the file where you can control CONSOLE
    access to your server?
  • What's the Super Server controlling networking?
  • And what's the services configuration file?
  • What's the most secure: rcp, ftp or sftp?
  • To deny telnet all access, in which TCP Wrapper
    file would I put ALL: ALL?
  • What's the IP filter package called?
  • What tool would I use to set up a VPN?

27
Questions?
  • Thank you for your attention
  • Any questions?