http://www.aviary-mag.com/Martin/Wrong_Approach/wrong_approach.html
The Wrong Approach
Inside of one month, I or any of thousands of other security consultants
could eradicate over 90% of the vulnerabilities plaguing Unix systems today.
Sound far-fetched? It isn't as crazy as it sounds. Crazier than that
notion is the question of why it wasn't done years ago. In a complicated world,
sometimes the simplest solutions really are that simple. Despite
vendor claims or excuses, serious thought should be given to their
modus operandi as far as default installations go.
When the average user installs a new Operating System (OS), they get all
the features and robust utilities for power computing. Along with
this power and flexibility, they inherit every security problem in the
OS. The end user is potentially at risk every time they dial into
their ISP to connect to the Internet. Business users put themselves at
risk 24/7 as their machines are connected to corporate networks, often
with little protection.
The current philosophy of 'out of the box' OS installs is "start open, close
what you don't need". The immediate question, and the subject of many security
papers, is "What do I need?" New users to Solaris or Linux must
make decisions about what services to shut down. There are
two problems with this approach: how does the end user know what they
need, and, more importantly, how do they know what is installed in order
to make the decision? Reading through pages of documentation is not the
first thing a new user wants to do. Downloading tools to perform their
own security audit is even more preposterous. Yet vendors expect their
users to do just that.
In a recent article,
Carole Fennely addresses this same point in talking
about securing the Operating System a Firewall will be run on. Why
should an administrator go through this level of additional work
to achieve security?
Sun Microsystems, Hewlett-Packard and other Unix vendors advertise
'secure' operating platforms. The catch to this claim is that you get to
do the dirty work of
making it true. How can any vendor make such wild claims when
they all suffer from a history of huge bugs? More insulting to their users
is making these claims all the while maintaining the worst philosophy of
security imaginable. Rather than start out with an open system that must
be locked down, why not take a different approach? Begin with a closed and
highly secure operating system. As users need functionality, they turn on
these services rather than turn off the unneeded ones. Yes, it is that
simple.
The problem with Unix
Almost every flavor of Unix comes with 50 to 100 SUID binaries. For those
of you unfamiliar with 'SUID' (set-user-ID), it means a program that runs with
the privileges of the file's owner, often root, rather than those of the person
running it. In layman's terms, each SUID binary represents one possible way for
someone to gain increased access because of bugs or misconfiguration. Almost
every single administrative tool on these systems is designed so that any user
can run it, and worse, run it under higher privilege. Why?! Each Unix system
comes with at least one (often many) administrative accounts. Shouldn't these
tools be exclusive to accounts with higher privilege? After setup and install,
most of my Unix machines have between 3 and 10 SUID binaries. Yet Solaris 2.6
comes with almost 100 SUID files! RedHat Linux comes in at close to 40, while
AIX is the most baffling: over 200 SUID files, though many of them are not
accessible to the average user. It appears they had the right idea in mind,
but did not follow through with the entire system.
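The first step toward the closed system the article argues for is knowing what set-id programs a machine actually ships with. The following script is an added example, not code from the original article; it inventories SUID and SGID files under a directory tree, counts them, and reports those not on a hypothetical administrator-maintained allowlist (`SUID_ALLOWLIST`, a constructed value). The sample tree it builds is likewise constructed so the script runs offline; on a real system the audit is `list_suid /` run as root.

```shell
#!/bin/sh
# Added example (not code from the original article): inventory the SUID and
# SGID files under a directory tree, count them, and report the ones that are
# not on an administrator-maintained allowlist. Run "list_suid /" as root on
# a real system (so every directory is readable) to see where a default
# install stands against the 3 to 10 set-id binaries the article considers
# reasonable.

# Hypothetical allowlist: the set-id binaries the administrator has decided a
# particular machine genuinely needs. Paths are relative to the audited root.
SUID_ALLOWLIST="bin/su bin/passwd"

# list_suid ROOT: every regular file under ROOT (same filesystem only) with
# the setuid (04000) or setgid (02000) bit set, as sorted paths relative
# to ROOT.
list_suid() {
    ( cd "$1" && find . -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null ) \
        | sed 's|^\./||' | sort
}

# count_suid ROOT: how many set-id files live under ROOT.
count_suid() {
    list_suid "$1" | wc -l | tr -d ' '
}

# unexpected_suid ROOT: set-id files under ROOT that are not in the
# allowlist; each is a candidate for "chmod u-s" / "chmod g-s", or for
# restricting execute permission to an administrative group.
unexpected_suid() {
    list_suid "$1" | while IFS= read -r f; do
        allowed=0
        for a in $SUID_ALLOWLIST; do
            if [ "$f" = "$a" ]; then
                allowed=1
            fi
        done
        if [ "$allowed" -eq 0 ]; then
            printf '%s\n' "$f"
        fi
    done
}

# make_sample_tree DIR: build a constructed miniature install for offline
# runs: two allowlisted set-id files, two that are not, and one plain binary.
make_sample_tree() {
    dir=$1
    mkdir -p "$dir/bin" "$dir/usr/sbin"
    for f in bin/su bin/passwd bin/ls usr/sbin/ping usr/sbin/admintool; do
        : > "$dir/$f"
    done
    chmod 4755 "$dir/bin/su" "$dir/bin/passwd" "$dir/usr/sbin/ping"   # setuid
    chmod 2755 "$dir/usr/sbin/admintool"                               # setgid
    chmod 755  "$dir/bin/ls"                                           # plain
}

# Stand-alone demo: "sh suid_audit.sh --demo" audits the constructed tree.
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp -d)
    make_sample_tree "$demo"
    echo "set-id files found: $(count_suid "$demo")"
    echo "not on the allowlist:"
    unexpected_suid "$demo"
    rm -rf "$demo"
fi
```

The allowlist is deliberately tiny: the point of the exercise is that everything outside it has to justify its set-id bit, which is the "start closed" posture applied to the files already on disk. `-xdev` keeps the walk on one filesystem so NFS mounts and `/proc` are not traversed.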
The second problem plaguing most flavors of Unix is the abundance of
insecure services that any network user can access. By relying on twenty-year-old
protocols like telnet, rsh and rcp, they put users at risk of
transmitting sensitive information over insecure channels. Further, by installing
services for calendar management, remote file system sharing and other
network features by default, they open up a user's machine to a world of potential
problems. In many cases, these services are never used and often forgotten.
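On the systems the article describes, most of these network services are started from an inetd service table. The script below is an added example, not code from the original article; it lists which services such a table would start and emits a hardened copy in which every service not explicitly allowed is commented out, which is the "start closed, open what you need" direction applied to network services. The sample table is constructed for offline runs and modelled on a late-1990s default install; the function names and the allowlist argument are assumptions of this example.

```shell
#!/bin/sh
# Added example (not code from the original article): review an inetd.conf
# style service table (one entry per line: service socket_type proto wait
# user server args) and produce a copy in which every service not on an
# explicit allowlist is commented out rather than deleted, so the record of
# what used to be enabled is preserved.

# enabled_services FILE: print the name of each service inetd would start
# (first field of every line that is neither blank nor a comment).
enabled_services() {
    awk 'NF > 0 && $1 !~ /^#/ { print $1 }' "$1"
}

# harden_inetd FILE [SERVICE...]: copy FILE to stdout, passing blank and
# comment lines through untouched, keeping entries for the named services,
# and commenting out every other entry. Line count is unchanged.
harden_inetd() {
    file=$1
    shift
    allow=" $* "
    while IFS= read -r line || [ -n "$line" ]; do
        # Split the entry into fields; $1 becomes the service name.
        set -- $line
        case "${1:-}" in
            ''|'#'*)
                printf '%s\n' "$line"
                continue
                ;;
        esac
        case "$allow" in
            *" $1 "*) printf '%s\n' "$line" ;;
            *)         printf '#%s\n' "$line" ;;
        esac
    done < "$file"
}

# make_sample_inetd FILE: write a constructed service table (not any real
# system's file): ftp, telnet, shell (rsh), login (rlogin) and finger are
# enabled, and rexec is already commented out.
make_sample_inetd() {
    cat > "$1" <<'EOF'
# constructed sample inetd.conf for this example
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
shell   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
login   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rlogind
finger  stream  tcp     nowait  nobody  /usr/sbin/tcpd  in.fingerd
#exec   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rexecd
EOF
}

# Stand-alone demo: "sh inetd_review.sh --demo" shows the before and after
# for a machine whose administrator only needs ftp.
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp -d)
    make_sample_inetd "$demo/inetd.conf"
    echo "enabled before: $(enabled_services "$demo/inetd.conf" | tr '\n' ' ')"
    harden_inetd "$demo/inetd.conf" ftp > "$demo/inetd.conf.new"
    echo "enabled after:  $(enabled_services "$demo/inetd.conf.new" | tr '\n' ' ')"
    rm -rf "$demo"
fi
```

The hardened file is written to a new path rather than in place so an administrator can diff the two and then move it over the original and signal inetd to reload. Commenting out instead of deleting keeps the decision reversible, which is what makes "turn on what you need" workable for a newcomer.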
Solution with Harmony
Not only is this solution a better practice in general, it is more in tune
with how the world of computing works. Experienced administrators are familiar
with their systems. They know the ins and outs, what services are required
and how to tweak the system. On a closed system, they would have the
knowledge to open the necessary services in order to meet user demands.
On the flip side, newcomers to Unix are not familiar with the details.
They do not know that you can shut off NFS, FTP and other services on many
home systems. This contributes to the problem of open and insecure machines
littering the Internet. Starting out with a more closed system would help
eradicate these vulnerabilities.
Despite being little used, OpenBSD stands out as one platform that has
adopted this approach. With a reputation for strong security, the
development team has taken a keen interest in pro-active security and
addressed many issues that bite most vendors. As a result of their work,
OpenBSD continues to be perhaps the most secure version of Unix out
there.
What would it take?
In the opening, I say it could be done in one month. In reality, most
unix vendors could sit down and change their default settings in a matter
of days. The trick is that all the documentation needs to be updated
to reflect the changes. Worse, insecure software that previously relied
on these open systems would have to be modified to maintain a smoothly
working system. These catches no doubt prevent vendors from taking a new
approach. What they fail to realize is that the time spent taking in
various bug reports and fixing them surpasses the time required to
do pro-active security auditing. When will they realize this?
Brian Martin (bmartin@attrition.org)
Copyright 1999
Thanks to 'Bill' for inspiring me to finally write about this topic.