The Answer Gang
The Creed of The QuerentA few of the Answer Gang this month have a special interest in seeing
the quality of the incoming questions improve. In good humor, here's
some ways to bump up your chances in the "Answer Gang might notice
my message and answer me" lotto.
From Querents Everywhere
Answered By Ben Okopnik, Heather Stern
From comp.unix.security's newest reader
Answered By Jim Dennis
[Ben] And Now, Cometh The Rant. Not to worry - it's not directed at anybody; this is just a personal peeve that addresses a common problem, here, in various places on Usenet, in tech support, etc. It also seems to be prevalent in the Linux community at large, and that's a trend I'd like to reverse, or at least contribute to slowing down.
Note that I speak only for myself - neither LG nor the rest of the Answer Gang have contributed their opinions to this (though they'd be more than welcome.)
Being part of the Answer Gang, as well as the Alpha Geek and Supreme Guru in other venues, I get questions about Linux, Life, and the Universe almost daily. Usually, the questions fall into one of two categories:
"Hi, I want to know about [Linux, brain surgery, love, astrophysics]."
"Hi. I have a Pentium 266/64MB/6.4GB running Debian Linux 2.2. I've just installed Mutt (version 1.0.1i) with PGP support built in - I double-checked by running "mutt -v", and it does. I'm getting a message - here, I wrote it down - it says "pgp: ^GRequires a later version", and I can't read the PGP-encoded e-mail that was sent to me. I've checked the PGP site at MIT and I do indeed have the latest version, 2.6.3a-7. Could you help me?"
My response to the first type, if indeed I do make one, is "Go away." My response to the second one is "Marry me!!!" (this has required building a much larger house, but never mind. There are very few of the second kind, anyway.)
The presumption in the first type is extremely annoying. It has driven a number of people, some of them True Gurus of their respective crafts, off Usenet and into virtual e-mail seclusion. There are many, many people out there who think nothing of asking a person they don't know to put in hours of work - it's one of the unfortunate side effects of easy communication provided by Net access. I would suggest that these folks walk into a lawyer's office and demand free help. (I would actually enjoy being a fly on the wall at that conference, short and loud as it may be.) There are indeed a number of us willing to provide free help - but in general, leeches and time moochers aren't welcome. Making sure you aren't one isn't that difficult - it simply takes consideration and common sense.
So, rather than ranting on about the manifold evils of this, let me contribute something substantial here: to wit, a checklist. This applies to TAG questions - and hopefully, to other issues. May it lead to greater consideration for others, a more harmonious life on the Net, and eternal World Peace. Or at least fewer wives and a smaller house.
[x] I have tried my best to resolve this problem with the knowledge and tools that I have at hand.
[x] I have tried my best to extend my understanding of the problem by studying the list of of Linux HOWTOs, searching the Net for relevant keywords, and scanning past issues of LG.
[x] I have performed the above two steps at least twice, in that order.
[x] Now that I can proceed no further, despite all my study and effort, I have done my utmost to put my question into a clear, understandable form. This also means that I have given all applicable information, have been specific about version/type/machine specifics, etc.
[x] I have also considered ways in which other people may misunderstand my question, and have rephrased it to avoid those misunderstandings. I have also used a spellchecker, lest my meaning be unclear in that manner.
[x] I have used the sacred 40 characters of "Subject" wisely, not wasting them on garbage like "NEWBIE NEEDS HELP!!!!" but thoughtfully choosing a good introduction, like "gcc dies with sig11 on kernel compilation".
[x] Only now have I hit the 'send' key. If someone expends their valuable time and effort to help me, I shall show my gratitude, if and when I am able, by helping others as I have been helped.
Selah.
There. Saving the world in seven easy steps. What more can you ask for?
A fair percentage of the Linux world reads our stuff. Every month. You really don't want to know how many questions we get. Our Senior Editor has mentioned that about 28% of the stuff we get is spam.
This is after you consider our procmail defenses; some of the lint trap contents *aren't* spam, it's questions for the Gang, and our sysadmin eventually forwards those to us. (Poor guy. Dan not only reads TAG and answers stuff, he keeps our lists running, our web servers humming, and has to read through all our spam in case it might be a real question. Sigh.)
Of the stuff that isn't "real" spam, I'd say well over 10% is questions which are not about Linux at all. Sometimes not even about computers! (I've stopped publishing any offtopic stuff unless more than one of us thinks it ought to go in.) The remainder is still huge.
So, we can't promise to answer every single question -- and we can't anyway. So while I have to hand it to this guy for his perseverence in the face of silence... we still can't promise to answer every single question!
But I will add for the benefit of those who send us the tricky ones and hope that we'll help them out, that the following features in his mail seriously delayed this fellow's answer:
He used almost no paragraph structure. Even if he'd gotten the paragraphs a little wrong, it would have made the question easier to read.
During formatting of this month's mail I have noticed a nasty trend, some webmail accounts but almost every Outlook Express mail has come in as "quoted printable". Now this is a mail encoding that is supposed to exist to protect special text ... say, something written in spanish ... from being mangled by the mail routers or cheap mail clients while being bounced around. (Hi Felipe!) However, when neither the original mail nor the HTML version has such weird characters, it only serves to annoy the heck out of my scripts.
I have to give credit to a lot of our querents this month who didn't get answers - for many it's not because you've failed at Ben's suggestions, but we of the Gang either didn't feel adept at tackling your question this time around, or we were all busy helping others.
So add to your checklist...
[x] If my message is long and rambly I will insert blank lines when I am changing thoughts. If it's hard for you, you can try a blank line between each of these:
- what type of system and linux I have
- what I'm trying to do
- how it's screwed me up so far
- things I tried to look up so I could fix it
- guesses at what next, and thanks for any clues.
[x] I have turned off the HTML attachment since it sends 3 or 4 times as many bits, and doesn't help when it gets there. I am sending plain ASCII text. (I'm not, however, afraid of using smileys and unhappy faces to express cheer and frustration.)
[x] If I am writing in a foreign language I will use quoted printable to defend my homeland's letterset from being mangled, and if I know any English at all I will tranlate it myself rather than wait a month or so extra for the translators to get to my mail.
In this message he responds to a clueless message in the comp.unix.security newsgroup. Despite his early sarcasm, he later provides a wealth of advice to newbie Solaris sysadmins and show, once again that "It's all just UNIX."
Newsgroups: comp.security.unix Subject: Re: Help References: <9377cp$r4t$1@newton3.pacific.net.sg> Followup-To:
In article <9377cp$r4t$1@newton3.pacific.net.sg>, May Hu wrote:
I'm new to Solaris, can some experts help me with security matters
in the Solaris Platform on SUN SPARC.
[JimD] I'm new the the field of medical science. Can some medical doctor help me with disease prevent on the human body.
What are the paths to pay attention to?
What are the logs or system logs do I require to checked or backup?
What are the things to pay more attention to in the Solaris platform?
What are the things to backup for system recovery, if there's any?
Hope to get some replies from any of you out there who are familiar
with the platform.
Thanks
May
So, let's try this:
Go get Unix System Administrator's Handbook by Evi Nemeth et al. (3rd Edition, Prentice Hall) --- that's commonly called the "Grape Book" because the cover is purple. The first two editions were widely referred as "the cranberry book" because the first had a cartoon with a reference to a cranberry patch on it and the second had a modified version of that cartoon (no patch) but was a dark red color that is reminiscent of cranberry juice.
Read it! USAH is not Solaris specific, but it should give you a good overview of UNIX systems administration.
While you're at the book store, get a copy of Essential System Administration (Aeleen Frisch, O'Reilly & Associates, 2nd Ed). This is often called "The Armadillo Book" because, in the O'Reilly tradition, it has a woodcut styled picture of an armadillo on the cover.
Read it! It is also not Solaris specific. See the penultimate (next to last) paragraph.
If I haven't irritated you enough, pick up a copy of my book, Linux System Administration (M Carling, Stephen Degler, and Jim Dennis (me)). It's also not about Solaris, but most of what it says is applicable to all UNIX platforms. My book doesn't duplicate much of what you'd find in Nemeth or Frisch. I wrote it in a context of having read those (and many others) and specifically avoided covering the topics that were adequately covered in the more basic books.
After you have a thorough grounding in systems administration, then you can learn a bit more specifically about UNIX security and then you can focus on Solaris security. If you find a shortcut that's really effective, let us know. However, you should expect to read about a half dozen fairly large books from cover to cover. There will be a test (every day on the job is a bit of a test in our field).
There is an interesting online UNIX SysAdmins Independent Learning (USAIL) project at Indiana University:
http://www.uwsg.iu.edu/usail
It seems to be a reasonable place to learn a bit of our craft. There are chapters that relate to each of your questions, and there are self-quizzes you can take using any web browser (even Lynx; which is still my favorite; all of URLs in this posting were checked in Lynx as I was writing it --- most were yanked in from my Lynx bookmarks file).
On the topic of security I'd recommend three titles to start with: Practical UNIX and Internet Security by Simson Garfinkel, and Gene Spafford (O'Reilly, 2nd Ed.), Building Internet Firewalls by Brent Chapman, Elizabeth Zwicky, and Simon Cooper (O'Reilly, 2nd Ed.) and Firewalls and Internet Security: Foiling The Wily Hacker by Steven Bellovin and William Cheswick (Addison Wesley?). I've heard a rumor that a second edition of the latter title is going to be released soon. (I've been holding out on buying a new copy; mine walked off a few years ago).
(BTW: you might have noticed that most of the books on my list are in second editions or later. I expect that my own book would also benefit from further revision --- but only time will tell if the publishers have the interest).
Read all of those. Then get a few books that are more specific to Solaris. I've read through both of Janic Windsor's books (Solaris System Administrator's Guide and Solaris Advanced System Administrator's Guide) but I mostly don't use Solaris any more. The few Solaris and SunOS boxes I ever professionally administered are fading memories.
You can find more recommended books on the topics of systems administration at:
- SAGE - General reference books for Sysadmins
- http://www.usenix.org/sage/sysadmins/books/general.html
SAGE is the SysAdmin's Guild (the "e" is silent, we stole it from /etc/resolv.conf's filename!)
Once you have a reasonable educational foundation you can make better use of online resources (like this newsgroup). Of course you should start by reading the FAQs (Frequently Asked/Answered Questions) that relate to any topic about which you are tempted to ask a question. There's a very nice collection of FAQs at the obvious URL: http://www.faqs.org (Note: www.faq.org, no "s", is some sort of lame "portal" site that makes no effort to make FAQs available, ARGH!).
Here's a few appropriate FAQs and links for you:
For this newsgroup:
- comp.security.unix and comp.security.misc FAQ
- http://www.faqs.org/faqs/computer-security/most-common-qs
On Solaris:
- Solaris 2 Frequently Asked Questions (FAQ) 1.70
- http://www.faqs.org/faqs/Solaris2/FAQ
... this one is maintained by Casper Dik, who has been quite active on netnews, particularly in comp.unix.admin, for longer than I have.
On various security topics:
- Computer Security Index
- http://www.faqs.org/faqs/computer-security
So, with all of that advice let's review your questions:
What are the paths to pay attention to?
Since you are asking this in the context of comp.unix.security I can guess that you're really intended to ask something more like:
How would I know if an attacker has compromised my
system? What files are likely to be modified by a cracker?
This suggests that you'd like to install file integrity test system or an intrusion detection system (IDS). You could get a copy of Tripwire (by Gene Kim and Gene Spafford) which started as a free tool and is now maintained as a commercial product by Gene Kim's company at: http://www.tripwiresecurity.com) You could also look at AIDE (which is basically a freeware clone of Tripwire). AIDE (http://www.cs.tut.fi/~rammer/aide.html). is more popular among Linux, and *BSD users, but it will run on Solaris and should run on any other modern UNIX.
What are the logs or system logs do I require to checked or backup?
On most forms of UNIX you could even modify your /etc/syslog.conf to force it to copy certain types of messages to another system on your network or to a printer, through a serial line to a terminal or to another system. These sorts of customizations can provide you with a tamper resistant copy of your messages.
Setting up remote loghosts is considered to be a useful security measure. If the loghost is sufficiently hardened and dedicated it can consolidate copies of your logs and prevent the (otherwise successful) attacker from "covering his or her tracks" by editing the evidence out of the logs.
You can also create cron jobs that periodically scan your logs looking for anomalous entries, filtering out all the innocuous messages and mailing, printing or otherwise delivering the summaries to you.
In my book I give a very simple (10 line) awk script that loads a file full of patterns (regular expressions) and filters a file of all of them. It is an extremely simple anomaly detection engine. The hard part of using it is creating a list of patterns to meet your needs. Maintaining the pattern files for each of your logs is made more challenging by the fact that upgrades to your OS and other software can affect the messages that they generate.
On many UNIX systems you can look for a "logger" command (/usr/bin/logger, or /bin/logger) so that your shell scripts can easily post their own syslog messages. There are also modules and extensions to PERL, and Python (and probably others) that let you natively post messages to the system logs from scripts in those languages.
There are also replacements to the stock UNIX syslog system. So you could rip out the Solaris syslog daemon and install syslog-NG or some other package. That might offer better reliability (using TCP rather than UDP) security that conforms more closely to your needs (using encrypted tunnels for example) or more flexibility (letting you dispatch and filter based on regular expression rather than simple facility/level codes).
Obviously none of that last paragraph will make any sense until you understand how the conventional UNIX syslog system works. Go read those books and a few of the man pages on your system!
What are the things to pay more attention to in the Solaris platform?
What parts of Solaris really suck?
My answer is: "I don't know. Read the FAQ." I'm an expert on Linux, and I can tell you the parts of it that can be problematic for UNIX and Solaris users as they adopt it. (For example, if you were among the few people who actually use ACLs --- access control lists --- under Solaris or some other OS than you might find that Linux' lack of them in their standard kernels and distributions "really sucks." You might also hold that having to fetch and apply an unofficial kernel patch, rebuild your kernel, and install an extra set of utilities also "really sucks").
Again, the FAQ (and some strategic lurking in this newsgroup and on some of the mailing lists that are recommended in the FAQs) will answer that question.
What are the things to backup for system recovery, if there's any?
Recovery planning is one of the most important jobs of a system administrator. Doing backups is a part of a recovery plan, but it's ONLY A PART.
As I've mentioned in this post, I'm not a Solaris expert. I could write a 30 page HOWTO on doing Linux backups (in fact, I did, sort of; it's the latter half of chapter 3 in my book). Most of it would be the same under Solaris --- you have your choice of tar, cpio and dump (ufsdump under Solaris, I guess).
However, it is often as effective to know how to look for answers than to know the answers themselves. In this case I searched the FAQ (see above) and found that Casper had failed me. Apparently it's not frequently asked enough on the Solaris/SunOS newsgroups. There is a passing reference to the Solstice Backup documentation on the "AnswerBook" CDs that ship with Solaris. Perhaps that would be handy.
Next I went to Google. Google (http://www.google.com) is currently the best search engine on the 'net. I used the terms: solaris backup.
Here's the best couple of links I found:
- Solaris Backup FAQ/Top Ten
- http://www.ebsinc.com/solaris/backup.html
- Backup Central: Free Backup Software
- http://www.backupcentral.com/toc-free-backup-software.html
... which includes:
- Backup Central: hostdump.sh
- http://www.backupcentral.com/hostdump.html
... a general purpose full system backup script.
Obviously, I'm not a Solaris expert. Luckily Solaris is UNIX and I am pretty good at that. Most generic UNIX knowlege will serve you as well on Solaris, Linux, FreeBSD, etc as it would on a SCO or other system.
Whether the answers I've given to your specific questions make any sense depends on your background. If my references to tripwire, ufsdump, syslog facilities and levels, FAQs, man pages were confusing then you don't yet have the background to be a professional sysadmin. Go through USAIL, read the books I've suggested. If those are too advanced and confusing then try more basic ones like Mark G. Sobell's Practical Guide to Solaris (http://www.sobell.com) or Unix for the Impatient by Paul Abrahams and Bruce Larson. (Actually if USAIL is too advanced, then give up and start flipping burgers somewhere!).
Meanwhile, for your immediate needs you may want to hire a consultant to audit your current production systems, do AND TEST a full set of backups and to disable any unnecessary networking services and generally configure you system until you've learned enough to manage it yourself.
Unfortunately finding a good consultant is difficult. There are alot of snake oil salesmen and any decent huckster can wow you with technobabble that's indistinguishable from good advice. To the untrained ear; they sound the same. I can't help you much there. (I'm not available as a consultant these days, and I wouldn't be the right person for your Solaris boxes anyway. My wife is a UNIX/Linux consultant and she does offer a "phone technical interview" service --- where she can interview your prospective consultant or sysadmin over the phone and give you an evaluation of their UNIX proficiency).
Lastly: If you're going to become a professional Solaris sysadmin you'll want to have a copy on at least one NON-PRODUCTION system. You want to be able to experiment and to break things without disrupting your real business processes. If you're sure that you want to stick with Solaris then it would make sense to participate in Sun's "Free Solaris[tm] Binary License Program" http://www.sun.com/developers/tools/solaris (although their meaning of "free" is a bit loose since their CD will cost you $75 --- and they don't let you modify/sell copies of that!).
Personally I prefer Linux, FreeBSD (and OpenBSD and NetBSD) where "free" means you can download the ISO image and burn it to your own CD, you can buy the CD sets for prices ranging from $2 to about $100, and most of those you could copy and resell if you wanted to, and you get the source code and the right to make changes and redistribute your own custom versions of the software. That's a version of "free" that seems more liberated n'est ce pas?
For hardware you have two choices: get Solaris x86 and install it on a PC; or get a SPARC system. You can get used SPARC systems on eBay or other online auction sites for anywhere from $50 to $200 for old 32-bit SPARC classics, IPXs etc, to $500-2,000 for 64-bit UltraSPARC I and II systems. Caveat emptor!
So, that's the Linux Gazette "Answer Guy's" guide to becoming a Solaris security and system adminstration professional.
![[ Answer Guy Current Index ]](../../gx/dennis/answertoc.jpg) |
1
2
3
4
5
6
7 |
![[ Index of Past Answers ]](../../gx/dennis/answerpast.jpg)
 |