Tuesday, January 24, 2012

The MITRE Corporation: "Information Security Data Standards"

"The security and integrity of information systems is a critical issue within most types of organizations. Finding better ways to address the topic is the objective of many in industry, academia, and government. One of the more effective approaches gaining popularity in addressing these issues is the use of standard knowledge representations, enumerations, exchange formats and languages, as well as sharing of standard approaches to key compliance and conformance mandates. By standardizing and segregating the interactions amongst their operational, development and sustainment tools and processes organizations gain great freedom in selecting technologies, solutions and vendors. These "Making Security Measurable" initiatives provide the foundation for answering today’s increased demands for accountability, efficiency and interoperability without artificially constraining an organization’s solution options."


Installing a Network Card on Solaris x86

Prior to installing the physical network interface card (NIC), run the following commands:

# touch /reconfigure
# init 5

init 5 (or poweroff) powers the machine off cleanly; the empty /reconfigure file makes the next boot probe for new hardware. Seat the NIC in a free PCI slot on the motherboard, power the machine on, and confirm in the BIOS that the card is detected before going on to the driver.

To configure the new NIC you need its PCI vendor and device IDs, which the scanpci tool from the X11 tree reports (on Solaris 10 x86 it is installed under /usr/X11/bin; older Solaris 10 x86 releases put the Xorg tools under /usr/X11R6/bin instead):

# /usr/X11/bin/scanpci

The command lists every device on the PCI buses. Find the entry for the network card and note its vendor and device IDs; for the card used here the output looks like this:

pci bus 0x0002 cardnum 0x00 function 0x00: vendor 0x14e4 device 0x165a 
   Broadcom Corporation NetXtreme BCM5722 Gigabit Ethernet PCI Express

Bind the card's PCI ID to the driver. bge ships with Solaris 10, so the driver is already installed and the alias is added with update_drv (add_drv refuses with "Driver (bge) is already installed"; use add_drv -i only for a driver that is not yet on the system). Solaris writes PCI aliases with a "pci" prefix, so the alias for the card above is pci14e4,165a, not 14e4,165a:

# update_drv -a -i '"pci14e4,165a"' bge

update_drv records the alias in /etc/driver_aliases itself; confirm the binding rather than editing the file by hand:

# grep 165a /etc/driver_aliases
bge "pci14e4,165a"
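The alias step is the one most often got wrong (missing pci prefix, add_drv on a driver that is already installed). As an added example, not code from the original post, the POSIX sh script below derives the alias from the scanpci lines quoted above and prints the binding command that applies. The scanpci text is re-typed here as a constant so the parser runs off-line, and the driver_aliases file it reads is a parameter so you can try it against a copy before touching /etc/driver_aliases.

```sh
#!/bin/sh
# Added example (not from the original post): derive the driver_aliases form
# of a PCI ID from scanpci output and decide whether the binding needs
# add_drv (driver not yet installed) or update_drv (driver already present).
# SCANPCI_SAMPLE re-types the scanpci lines shown above; the driver_aliases
# file passed to the functions is a constructed copy, not the real one.

SCANPCI_SAMPLE='pci bus 0x0002 cardnum 0x00 function 0x00: vendor 0x14e4 device 0x165a
   Broadcom Corporation NetXtreme BCM5722 Gigabit Ethernet PCI Express'

# pci_alias TEXT: "vendor 0xVVVV device 0xDDDD" -> pciVVVV,DDDD (lower case,
# as /etc/driver_aliases spells it); prints nothing if no PCI ID is found
pci_alias() {
    printf '%s\n' "$1" |
        sed -n 's/.*vendor 0x\([0-9A-Fa-f]*\) device 0x\([0-9A-Fa-f]*\).*/pci\1,\2/p' |
        head -n 1 | tr '[:upper:]' '[:lower:]'
}

# alias_bound ALIAS [FILE]: print the driver an alias is already bound to;
# exit status 1 if the alias is not in the file
alias_bound() {
    awk -v a="$1" '
        { s = $2; gsub(/"/, "", s) }
        s == a { print $1; found = 1 }
        END { exit found ? 0 : 1 }
    ' "${2:-/etc/driver_aliases}"
}

# driver_installed DRIVER [FILE]: true if the driver already has any alias
driver_installed() {
    awk -v d="$1" '$1 == d { f = 1 } END { exit f ? 0 : 1 }' "${2:-/etc/driver_aliases}"
}

# bind_cmd DRIVER ALIAS [FILE]: print the command that binds ALIAS to DRIVER;
# refuse (status 1) when the alias is already bound to some driver
bind_cmd() {
    drv=$1 alias=$2 file=${3:-/etc/driver_aliases}
    if bound=$(alias_bound "$alias" "$file"); then
        printf '# %s is already bound to %s; nothing to do\n' "$alias" "$bound"
        return 1
    fi
    if driver_installed "$drv" "$file"; then
        printf '%s\n' "update_drv -a -i '\"$alias\"' $drv"
    else
        printf '%s\n' "add_drv -i '\"$alias\"' $drv"
    fi
}

# Usage on the host: paste the NIC's scanpci lines in, read the printed
# command, then run it as root. Nothing here modifies the system.
#   bind_cmd bge "$(pci_alias "$SCANPCI_SAMPLE")"
```

The command is printed rather than executed so the binding can be reviewed before it is applied; on a stock Solaris 10 host with bge present, the usage line prints the update_drv form shown in the text.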

At this point the driver only needs to attach to the new instance. The lightest way is a reconfiguration boot (touch /reconfigure, then reboot) or, without rebooting, devfsadm -i bge; afterwards dladm show-link should list the new interface. sys-unconfig also gets you there, but it is far heavier than the job needs: it halts the machine and strips the host's identity (hostname, /etc/inet/hosts, default router, netmasks, name-service settings) and clears the root password, so the next boot walks you through the full system identification dialogue again, including a new root password.

# sys-unconfig

Enable the network card. <DEVICE> is the driver name followed by the instance number, for example bge0:
# ifconfig <DEVICE> plumb
# ifconfig <DEVICE> 192.168.1.xxx netmask 255.255.255.xxx up
# ifconfig -a

This configuration lives only in the running kernel; at the next reboot it is gone. To make it persist, create the per-interface file:

# vi /etc/hostname.<DEVICE>

Its contents are the arguments ifconfig is given for that interface at boot: either the host's name (resolved through /etc/inet/hosts) or its IP address, optionally followed by ifconfig options such as "netmask 255.255.255.xxx up". The form "netmask +" tells ifconfig to look the mask up in /etc/inet/netmasks, which then needs a "network-number netmask" line for your subnet.

Now add the host to /etc/inet/hosts and /etc/inet/ipnodes (from Solaris 10 8/07 on, ipnodes is a symbolic link to hosts, so one edit covers both):
IP-address hostname
for example:
192.168.1.xxx jumpstart3

After that is complete, reboot -- -r (a reconfiguration boot; on x86 you can also touch /reconfigure and then reboot).
The next step is to add routing to this configuration:
# route -p add default your-gateway
-p = persistent across reboots: the route is recorded in /etc/inet/static_routes and reapplied at boot
default = the route used for every destination that has no more specific entry

This registers a default gateway for the PC. To add a route to one specific network instead:
# route -p add -net network-address -netmask netmask gateway-address

Always use -p so that the route is not lost when the machine reboots. The traditional alternative for the default route is to put the gateway address in /etc/defaultrouter, which the boot scripts read; either mechanism is enough on its own, and if you use both, keep them consistent.
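The persistence steps above touch five files, and a typo in any of them leaves the box unreachable after the reboot. As an added example, not code from the original post, the POSIX sh script below writes all of them from validated input, into a staging root so the result can be inspected before it is applied to /. The interface name, host name and addresses in the usage line are assumptions, not values from the page.

```sh
#!/bin/sh
# Added example (not from the original post): write the boot-time network
# files that the steps above edit by hand, so the address survives a reboot.
# ROOT is a staging directory; pass / on the real host once the output
# has been checked. Names and addresses in the usage line are assumptions.

# is_ipv4 ADDR: dotted quad with every octet in 0-255
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '{
        ok = (NF == 4)
        for (i = 1; i <= 4 && ok; i++)
            if ($i !~ /^[0-9]+$/ || $i + 0 > 255) ok = 0
        exit !ok
    }'
}

# is_mask MASK: a contiguous netmask (ones followed by zeros), e.g. 255.255.255.0
is_mask() {
    is_ipv4 "$1" || return 1
    printf '%s\n' "$1" | awk -F. '{
        ok = 1; zeros = 0
        for (i = 1; i <= 4; i++) {
            o = $i + 0
            if (zeros && o != 0) ok = 0
            if (o != 255) zeros = 1
            if (index(" 0 128 192 224 240 248 252 254 255 ", " " o " ") == 0) ok = 0
        }
        exit !ok
    }'
}

# network_of ADDR MASK: ADDR AND MASK for /etc/inet/netmasks, computed per
# octet without bitwise operators (POSIX awk has none); contiguous masks only
network_of() {
    printf '%s %s\n' "$1" "$2" | awk '{
        split($1, a, "."); split($2, m, ".")
        for (i = 1; i <= 4; i++) { b = 256 - m[i]; a[i] = int(a[i] / b) * b }
        printf "%d.%d.%d.%d\n", a[1], a[2], a[3], a[4]
    }'
}

# add_line LINE FILE: append LINE unless an identical line is already there
add_line() {
    if [ -f "$2" ] && grep -qxF -- "$1" "$2"; then
        return 0
    fi
    printf '%s\n' "$1" >> "$2"
}

# persist_iface ROOT IFNAME HOST ADDR MASK GATEWAY
persist_iface() {
    root=$1 ifname=$2 host=$3 ip=$4 mask=$5 gw=$6
    is_ipv4 "$ip" && is_mask "$mask" && is_ipv4 "$gw" || return 1
    mkdir -p "$root/etc/inet"
    # /etc/hostname.<if>: what ifconfig is given at boot; a bare host name is
    # resolved through /etc/inet/hosts and the mask comes from /etc/inet/netmasks
    printf '%s\n' "$host" > "$root/etc/hostname.$ifname"
    add_line "$ip $host" "$root/etc/inet/hosts"
    add_line "$(network_of "$ip" "$mask") $mask" "$root/etc/inet/netmasks"
    # /etc/nodename: the system's own name; /etc/defaultrouter: default gateway
    printf '%s\n' "$host" > "$root/etc/nodename"
    printf '%s\n' "$gw" > "$root/etc/defaultrouter"
}

# Usage (as root on the host, after reviewing the same call against a
# scratch directory):
#   persist_iface / bge0 jumpstart3 192.168.1.20 255.255.255.0 192.168.1.1
```

Running the function twice is safe: the hosts and netmasks entries are appended only when absent, and the single-value files are simply rewritten.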

To check your routing table:
# netstat -rn

To list the routes saved with -p:
# route -p show

To flush the gateway routes from the running table (the -p routes go too, but they come back at the next boot because /etc/inet/static_routes is untouched; routes for directly attached networks are never flushed):
# route flush

With that much configured, the Solaris box can talk to other machines.

Monday, January 23, 2012

Determine Partition prior to Mount

This is how you determine what sort of partition type is located on your media attached to a Unix machine.  In this example, I am trying to mount a USB Hard Disk Drive (HDD) that has a UFS file system to my laptop.  I am working in a Solaris environment, so specific commands may vary:
  1. Make sure that the USB HDD is not plugged into a USB port on the laptop.
  2. Log into your system.
  3. Disable the volume manager so it does not auto-mount the disk before you have looked at it: svcadm disable volfs
  4. Plug the USB HDD into the laptop.
  5. Find the device node assigned to the USB HDD with the following command:
    # rmformat -l
    Looking for devices...
    1. Logical Node: /dev/rdsk/c0t2d0p0
       Physical Node: /pci@0,0/pci1028,293@1f,2/cdrom@2,0
       Connected Device: PLDS DVD-ROM DH-16D5S VD15
       Device Type: DVD Reader
    2. Logical Node: /dev/rdsk/c4t0d0p0
       Physical Node: /pci@0,0/pci1028,293@1a,7/storage@1/disk@0,0
       Connected Device: WD       10EAVS External  1.75
       Device Type: Removable
    3. Logical Node: /dev/rdsk/c0t3d0p0
       Physical Node: /pci@0,0/pci1028,293@1f,2/cdrom@3,0
       Connected Device: TSSTcorp DVD+-RW SH-216AB D200
       Device Type: DVD Reader/Writer
  6. Determine which slice holds a file system with the following loop (fstyp's errors for slices without one are discarded):
    # for file in /dev/dsk/c4t0d0* ; do echo "$file" ; fstyp "$file" 2>/dev/null ; done
  7. Mount the slice that fstyp reported as ufs (s2 on this disk):
    # mount /dev/dsk/c4t0d0s2 /USB
    If the disk is not yours, or you want to preserve it as evidence, mount it read-only and without set-uid support instead: mount -o ro,nosuid /dev/dsk/c4t0d0s2 /USB
  8. Enable the volume manager: svcadm enable volfs
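Steps 5 and 6 are the part that has to be repeated for every new disk. As an added example, not code from the original post, the POSIX sh script below parses the rmformat -l listing quoted above (re-typed here as a constant so the parser runs off-line), picks out the entry whose device type is "Removable", and probes that disk's slices with fstyp the way the loop in step 6 does. The fstyp step itself only works on a Solaris host.

```sh
#!/bin/sh
# Added example (not from the original post): pick the removable disk out of
# rmformat -l output and probe its slices with fstyp. RMFORMAT_SAMPLE is the
# listing shown above, re-typed as a constant; probe_disk needs a Solaris host.

RMFORMAT_SAMPLE='Looking for devices...
     1. Logical Node: /dev/rdsk/c0t2d0p0
        Physical Node: /pci@0,0/pci1028,293@1f,2/cdrom@2,0
        Connected Device: PLDS DVD-ROM DH-16D5S VD15
        Device Type: DVD Reader
     2. Logical Node: /dev/rdsk/c4t0d0p0
        Physical Node: /pci@0,0/pci1028,293@1a,7/storage@1/disk@0,0
        Connected Device: WD       10EAVS External  1.75
        Device Type: Removable
     3. Logical Node: /dev/rdsk/c0t3d0p0
        Physical Node: /pci@0,0/pci1028,293@1f,2/cdrom@3,0
        Connected Device: TSSTcorp DVD+-RW SH-216AB D200
        Device Type: DVD Reader/Writer'

# removable_disks TEXT: print the cXtYdZ base name of every entry whose
# "Device Type" is exactly "Removable" (DVD readers and writers are skipped)
removable_disks() {
    printf '%s\n' "$1" | awk '
        /Logical Node:/ { node = $NF }
        /Device Type:/  { sub(/.*Device Type: */, ""); if ($0 == "Removable") print node }
    ' | sed -e 's|^/dev/rdsk/||' -e 's/p[0-9]*$//'
}

# probe_disk DISK: run fstyp over every slice and fdisk partition of the disk
# and print only the nodes that hold a recognised file system (root, Solaris)
probe_disk() {
    for dev in /dev/dsk/"$1"s* /dev/dsk/"$1"p*; do
        [ -e "$dev" ] || continue
        fs=$(fstyp "$dev" 2>/dev/null) && printf '%s %s\n' "$dev" "$fs"
    done
}

# Usage on the host, with volfs disabled as in step 3:
#   for d in $(removable_disks "$(rmformat -l)"); do probe_disk "$d"; done
```

Matching the device type exactly, rather than grepping for the word, keeps DVD drives out of the list; the block node is derived from the raw node by dropping /dev/rdsk/ and the trailing p0, which is what the step 6 glob expands on.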

DIARMF and the fate of DIACAP

This is great news, no more DIACAP!

Goodbye DIACAP, hello DIARMF
by Len Marzigliano

"Every few months, an elite group of DoD security experts, IT managers, and senior leadership gather to chart the future course for how Information Assurance will be conducted within the Defense Department. Very soon, this group will introduce sweeping changes to the Certification and Accreditation process, to the extent that personnel roles, job titles, and even the moniker C&A itself will change, evolving into new nomenclature and a new era for the Information Assurance community of practice within the DoD. After implementation, the use of DIACAP Certification and Accreditation processes will cease and DIARMF Assessment and Authorization will become the ‘new normal’ for information technology professionals and risk managers throughout the Defense Department."

"The shift within DoD from DIACAP C&A to DIARMF A&A is a profound change, and the rise of Continuous Monitoring will double the stakes in terms of cost and effort. Practitioners of the traditionally civilian agency NIST standards will be in high demand because of their knowledge of the SP 800-53 control set and SP 800-53A control validation procedures, whereas DIACAP practitioners are only an upgrade course away from being spooled up on the new controls and processes. It’s impossible to understate how all Information Assurance practitioners must be prepared for the profound and swift changes that lie ahead."

Thursday, January 12, 2012

Performing a Reconfiguration Boot in Solaris

A reconfiguration boot makes the kernel probe for new hardware and regenerates the /etc/path_to_inst file and the /dev and /devices directories, which is how a newly added device gets its device nodes.

The following steps reconfigure a system to recognize a new disk.

  1. Create the /reconfigure file. This file causes the system to check for the presence of any newly installed devices the next time it is powered on or booted.

    # touch /reconfigure
  2. Shut down the system by using the init 5 command. This command safely powers off the system, allowing for addition or removal of devices. (If the device is already attached to your system, you can shut down to the ok prompt with the command init 0.)

    # init 5
  3. Install the peripheral device. Make sure that the address of the device being added does not conflict with the address of other devices on the system.
  4. Turn on the power to all external devices.
  5. Verify that the peripheral device has been added by issuing either the prtconf command or the format command.

    After the disk is recognized by the system, begin the process of defining disk slices.

    Note: If the /reconfigure file was not created before the system was shut down, you can invoke a manual reconfiguration boot with the programmable read-only memory (PROM) level command boot -r (on x86, add -r to the kernel line in GRUB, or touch /reconfigure and reboot).
Many systems are running critical customer applications on a 24-hour, 7-day-a-week basis. It might not be possible to perform a reconfiguration boot on these systems. In this situation, you can use the devfsadm command.

The devfsadm command performs the device reconfiguration process and updates the /etc/path_to_inst file and the /dev and /devices directories during reconfiguration events.
The devfsadm command attempts to load every driver in the system and attach all possible device instances.  It then creates the device files in the /devices directory and the logical links in the /dev directory.  In addition to managing these directories, the devfsadm command also maintains the /etc/path_to_inst file.

# devfsadm

To restrict the operation of the devfsadm command to a specific device class, use the -c option.

# devfsadm -c device_class

The values for device_class include disk, tape, port, audio, and pseudo.  For example, to restrict the devfsadm command to the disk device class, perform the command:

# devfsadm -c disk

Use the -c option more than once on the command line to specify multiple device classes. For example, to specify the disk, tape, and audio device classes, perform the command:

# devfsadm -c disk -c tape -c audio

To restrict the use of the devfsadm command to configure only devices for a named driver, use the -i option.

# devfsadm -i driver_name

The following examples use the -i option.

  • To configure only those disks supported by the dad driver, perform the command:

# devfsadm -i dad
  • To configure only those disks supported by the sd driver, perform the command:
# devfsadm -i sd
  • To configure devices supported by the st driver, perform the command:
# devfsadm -i st

For a verbose output of changes to the device tree, perform the command:

# devfsadm -v

To invoke cleanup routines that remove unreferenced symbolic links for devices, perform the command:

# devfsadm -C

The prtconf Command

Use the prtconf command to display the system's configuration information, including the total amount of memory installed and the configuration of system peripherals, which is formatted as a device tree.

The prtconf command lists all possible instances of devices, whether the device is attached or not attached to the system. To view a list of only attached devices on the system, perform the command:

# prtconf | grep -v not
System Configuration:  <SYSTEM OUTPUT>
Memory size: <MEMORY OUTPUT>
System Peripherals (Software Nodes):

    scsi_vhci, instance #0
    options, instance #0
    pci, instance #0
        pci, instance #0
            ebus, instance #0
                power, instance #0
                su, instance #0
                su, instance #1
                fdthree, instance #0
            network, instance #0
            SUNW,m64B, instance #0
            ide, instance #0
                sd, instance #3
                dad, instance #1
        pci, instance #1
            scsi, instance #0
    pseudo, instance #0

Note: grep -v not drops every line containing the string "not" from the output; the lines it is meant to remove are the ones annotated "(driver not attached)". grep -v 'driver not attached' is the more precise filter and cannot discard a node whose name happens to contain "not".

Managing the Solaris File System Root Subdirectories

The list below explains how the Solaris root file system is laid out.

Critical Directories:
Directory Description
/ The root of the overall file system namespace.
/bin A symbolic link to the /usr/bin directory.  It is the directory location for the binary files of standard system commands.
/dev The primary directory for logical device names.  The contents of this directory are symbolic links that point to device files in the /devices directory.
/etc The directory that holds host-specific configuration files and databases for system administration.
/export The default directory for commonly shared file systems, such as users' home directories, application software, or other shared file systems.
/home The default directory or mount point for a user's home directory.
/kernel The directory of platform-independent loadable kernel modules that are required as part of the boot process.
/lib The contents of this directory are shared executable files and Service Management Facility executables.
/mnt A convenient, temporary mount point for file systems.
/opt The default directory or mount point for add-on application packages.
/platform The directory of platform-dependent loadable kernel modules.
/sbin The single-user bin directory that contains essential executables that are used during the booting process and in manual system failure recovery.
/usr The directory that contains programs, scripts, and libraries that are used by all system users.
/var The directory for varying files, which usually includes temporary, logging, or status files.

Following the introduction of the Service Management Facility and Zones, in the Solaris 10 OS, the /var directory hierarchy is more heavily used than in previous releases.

It is important that the /var directory has sufficient disk space available to store software package information, log files, spool files, and so on.

In-Memory System Directories:
Directory Description
/dev/fd The directory that contains special files relating to current file-descriptors in use by the system.
/devices The primary directory for physical device names.
/etc/mnttab A memory-based file, in its own file system, that contains details of current file system mounts.
/etc/svc/volatile The directory that contains log files and reference files relating to the current state of system services.
/proc The directory that stores current process-related information. Every process has its own set of subdirectories below the /proc directory.
/system/contract CTFS (the contract file system) is the interface for creating, controlling, and observing contracts. A contract enhances the relationship between a process and the system resources it depends on by providing richer error reporting and (optionally) a means of delaying the removal of a resource.

The service management facility (SMF) uses process contracts to track the processes which compose a service, so that a failure in a part of a multi-process service can be identified as a failure of that service.

The contract file system supports all the SMF services.
/system/object The OBJFS (object) file system describes the state of all modules currently loaded by the kernel. This file system is used by debuggers to access information about kernel symbols without having to access the kernel directly. It is used primarily by DTrace.
/tmp The directory for temporary files. This directory is cleared during the boot sequence.
/var/run The directory that contains lock files, special files, and reference files for a variety of system processes and services.

Note: These in-memory directories are maintained by the kernel and system services. Users should never attempt to manually create, alter, or remove files from these directories.

Primary Subdirectories Under the /dev Directory
Directory Description
/dev/dsk Block disk devices
/dev/fd File descriptors
/dev/md Logical volume management metadisk devices
/dev/pts Pseudo terminal devices
/dev/rdsk Raw disk devices
/dev/rmt Raw magnetic tape devices
/dev/term Serial devices

Primary Subdirectories Under the /etc Directory:
Directory Description
/etc/acct Configuration information for the accounting system
/etc/cron.d Configuration information for the cron utility
/etc/default Default information for various programs
/etc/inet Configuration files for network services
/etc/init.d Scripts for starting and stopping services
/etc/lib Dynamic linking libraries needed when the /usr file system is not available
/etc/lp Configuration information for the printer subsystem
/etc/mail Configuration information for the mail subsystem
/etc/nfs Configuration file for NFS server logging
/etc/opt Configuration information for optional packages
/etc/rc#.d Legacy scripts that are executed when entering or leaving a specific run level
/etc/security Control files for Role Based Access Control and security privileges
/etc/skel Default shell initialization files for new user accounts
/etc/svc The Service Management Facility database and log files
/etc/zones Initialization and reference files for the Solaris 10 OS Zones facility

Contents of the /usr Directory:
Directory Description
/usr/bin Standard system commands
/usr/ccs C-compilation programs and libraries
/usr/demo Demonstration programs and data
/usr/dt Directory or mount point for Common Desktop Environment (CDE) software
/usr/include Header files (for C programs, and so on)
/usr/jdk Directories that contain Java technology programs and libraries
/usr/kernel Platform-independent loadable kernel modules that are not generally required during the boot process
/usr/lib Architecture-dependent databases, various program libraries, and binaries that are not invoked directly by the user
/usr/opt Configuration information for optional packages
/usr/sbin System administration commands
/usr/spool Symbolic link to the /var/spool directory

Primary Subdirectories Under the /var Directory:
Directory Description
/var/adm Log files (for syslog, system accounting, and so on).
/var/crash For storing crash dump files following a catastrophic system failure. Files from this directory can be analyzed by Help Desk staff to determine the cause of the system crash.
/var/spool Spooled files (for mail, print services, and so on).
/var/svc Service Management Facility control files and logs.
/var/tmp Long-term storage of temporary files across a system reboot, as an alternative to the /tmp directory.

Passed the CISSP

Today I found out I passed the Certified Information Systems Security Professional (CISSP) exam.  For the first time in my life, I truly studied and succeeded.  It feels good to succeed ...

Wednesday, January 11, 2012

Solaris DHCP Configuration

Solaris can request IP address and other networking information dynamically with DHCP.

To permanently make an interface, for example e1000g0, obtain its IP address through DHCP, use the touch command to create the following two empty files as root:

# touch /etc/dhcp.e1000g0
# touch /etc/hostname.e1000g0

Put the system's name in /etc/nodename (one file for the host, not one per interface) and add a matching entry to /etc/hosts; nothing writes /etc/hosts for you. If /etc/nodename does not exist, the node name is taken from the host name the DHCP server offers, when it offers one.

When you reboot, the interface will be dynamically configured.

To bring up the interface using DHCP without rebooting, plumb it first and then start the DHCP client on it:

# ifconfig e1000g0 plumb
# ifconfig e1000g0 dhcp start

The following commands can be used to display the DHCP lease information and release the DHCP lease, respectively:

# ifconfig e1000g0 dhcp status
# ifconfig e1000g0 dhcp release


Solaris 10 x86 u10 Resolution in Parallels

I have a Macbook Pro 13.3" and I was having issues trying to get my resolution setup correctly during my Solaris 10 installation with Parallels.  Here are some tips to get your resolution set to 1024x768.

By default Parallels installs the Solaris virtual machine at a very high resolution and for my 13.3" screen, this is a problem.

First things first ...

  1. Drop to single-user mode from multi-user mode with init s.
  2. To fix the screen resolution, run /usr/X11/bin/xorgconfig and answer its prompts as follows.
  3. Specify a mouse protocol type, for this option choose "PS/2 [PS/2 Mouse]."
  4. Choose 'y' to enable "Emulate3Buttons."  Just press <ENTER> to use the default device name.
  5. Select "Generic 101-key PC" for the keyboard type.
  6. For the country type, choose "U.S. English."  Just press <ENTER> for default variant name.
  7. Select 'n' for additional XKB options.
  8. Make sure to indicate the horizontal sync range of your monitor to specify, "31.5 - 37.9; Non-Interlaced SVGA, 1024x768 @ 60 Hz, 800x600 @ 72 Hz."
  9. Indicate the vertical sync range of your monitor to specify, '50-90.'  Click <ENTER> to fill in default names for monitor.
  10. Answer 'y' to look at the card database.
  11. Choose "Generic VESA" as your corresponding card definition.  Press <ENTER> to continue.
  12. For your memory, this depends on your video card.  I chose '4096K' only because I use my virtual machine to test my scripts and hardening techniques.  Press <ENTER> to fill in default names for your video card.
  13. Review the list of resolution modes and choose "The modes are OK, continue."
  14. Make the color depth 24 bits (16 million colors).
  15. Now create your new xorg.conf file which will be placed in /etc/X11/xorg.conf.
  16. Reboot the system to verify changes are correct.