Seely
28 ;login: Vol. 35, No. 3
experts on the team, but clear documentation of design and the very terse installation leave very few moving parts to debug and should prevent any perception of added expense. Using the virtualization technique, we were able to save a little bit of space and power in an already cramped datacenter, and by focusing on security issues as a design parameter I was able to make a hardened solution that easily conformed to Department of Defense (DoD) requirements for UNIX systems [5].
chmod 400 /usr/sbin/snoop
chown -R root:root /root
chmod -R o-rwx,g-rwx /root
if [ -d bart ]
then
  echo Creating BART baseline
  cd bart
  # Previous baseline: newest file in the reverse-time listing, with the
  # rules file excluded so it is never mistaken for a baseline.
  latest=`ls -tr1 bart.* | grep -v '^bart.rules$' | tail -1`
  rightnow=bart.`hostname`.`date +%Y%j%H%M`
  bart create -r bart.rules > $rightnow
  if [ -n "$latest" ]
  then
    echo Comparing BART baseline
    bart compare $latest $rightnow
    [ $? -ne 0 ] && echo BART discrepancies found || echo BART integrity OK
  else
    echo No previous BART baseline to compare against
  fi
  cd ..
fi
LISTING 1: THE LOCK SCRIPT DISABLES SERVICES, CHANGES PERMISSIONS TO ROOT ONLY FOR SOME COMMANDS, AND RUNS BART.
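The baseline-and-compare step of the lock script, as an added example that is not from the article and does not use Solaris BART: a portable POSIX sh stand-in that records a manifest (mode, owner, group, size, SHA-256 digest) of every file under a tree, writes it as a numbered baseline, and diffs it against the previous baseline. It also covers the case the original snippet leaves open, the first run when no earlier baseline exists. The baseline directory layout, the file names and the use of sha256sum(1) are this example's assumptions.

```shell
#!/bin/sh
# Added example, not part of the article: a portable stand-in for the
# "bart create" / "bart compare" step of the lock script. A baseline is a
# manifest with one line per file: mode, owner, group, size, SHA-256 digest
# and path. Each run writes a new numbered baseline and diffs it against the
# previous one; the first run only records a baseline. Assumes sha256sum(1)
# exists; baseline file names are the example's own convention.

# Write a manifest of every regular file under $1 to stdout, sorted by path.
make_manifest() {
    find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do
        # ls -ld fields: mode links owner group size ... (paths without spaces)
        set -- $(ls -ld "$f")
        sum=$(sha256sum "$f" | cut -d' ' -f1)
        printf '%s %s %s %s %s %s\n' "$1" "$3" "$4" "$5" "$sum" "$f"
    done
}

# Record a new baseline of tree $2 in directory $1 and compare it with the
# previous one. Returns 0 when unchanged (or on the first run), 1 when
# discrepancies were found; the diff is kept beside the new baseline.
check_integrity() {
    basedir=$1; tree=$2
    latest=$(ls -1 "$basedir"/baseline.*.manifest 2>/dev/null | tail -1)
    n=$(ls -1 "$basedir"/baseline.*.manifest 2>/dev/null | wc -l)
    host=$(hostname 2>/dev/null || echo unknown)
    # Sequence number first so lexical order is creation order even when
    # two runs fall inside the same minute.
    rightnow=$(printf '%s/baseline.%05d.%s.%s.manifest' \
        "$basedir" $((n + 1)) "$host" "$(date +%Y%j%H%M)")
    make_manifest "$tree" > "$rightnow"
    if [ -z "$latest" ]; then
        echo "No previous baseline; recorded $rightnow"
        return 0
    fi
    if diff "$latest" "$rightnow" > "$rightnow.diff"; then
        rm -f "$rightnow.diff"
        echo "Integrity OK"
        return 0
    fi
    echo "Discrepancies found, see $rightnow.diff"
    return 1
}

# Usage from the lock script or cron, mirroring the article's layout:
#   check_integrity /root/bart /var/named
```

Keeping the diff next to the new baseline gives the responder the exact set of changed, added or removed files instead of a yes/no result, and because the manifest carries mode and ownership as well as a digest, a permission change on an unmodified file is still flagged.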
■■ unlock: A script that enables the services and utilities that are disabled by the lock script.
■■ recursive.tar: A tar of the /var/named directory, used to quickly recreate the chroot file environment on the production system.
■■ configure.sh: The script (Listing 2) to execute on the production build that completes the configuration and makes the host ready for operations.
#!/bin/sh
# Create the unprivileged account named runs as; no login shell.
groupadd named
useradd -m -d /var/named -c "BIND User" -s /bin/false -g named named
# Unpack the BIND binaries and the prebuilt chroot tree under /var/named.
tar -xf bind.binaries.tar
tar -xf recursive.tar
# Install the prepared system configuration files and the SMF manifest.
cp syslog.conf /etc/syslog.conf
cp .profile /root/.profile
cp motd /etc/motd
cp ntp.conf /etc/inet/ntp.conf
cp server-chroot.xml /var/svc/manifest/network/dns/
cp resolv.conf /etc/resolv.conf
# Directories needed inside the chroot, plus the BART baseline directory.
mkdir -p /var/named/var/named
mkdir /root/bart
mkdir /var/named/var/log
mkdir /var/named/var/run
cp /etc/rndc.key /var/named/etc
chown -R named:named /var/named
# Recreate the /dev/poll device node inside the chroot for named.
mkdir /var/named/dev
mknod /var/named/dev/poll c 135 0
chmod 666 /var/named/dev/poll
# Configuration and zone files readable by owner and group only.
chmod 640 /var/named/etc/named.conf /var/named/var/named/*
# Replace the stock dns/server SMF instance with the chroot-aware manifest.
svccfg validate /var/svc/manifest/network/dns/server-chroot.xml
svccfg delete dns/server
svccfg import server-chroot.xml
svcadm enable dns/server
svcadm enable ntp
# Turn off services the DNS host does not need.
svcadm disable network/inetd
svcadm disable cron
svcadm disable name-service-cache
svcadm disable iscsi/initiator
svcadm refresh system-log
LISTING 2: THE CONFIGURE.SH SCRIPT SETS UP BIND AND DISABLES UNNECESSARY NETWORK SERVICES.
# ps -ef
UID PID PPID C STIME TTY TIME CMD
root 0 0 0 18:31:17 ? 119:31 sched
root 1 0 0 18:31:18 ? 0:00 /sbin/init
root 2 0 0 18:31:18 ? 0:00 pageout
root 3 0 0 18:31:18 ? 0:00 fsflush
root 240 1 0 18:31:29 ? 0:00 /usr/sbin/syslogd
root 7 1 0 18:31:19 ? 0:02 /lib/svc/bin/svc.startd
root 9 1 0 18:31:19 ? 0:05 /lib/svc/bin/svc.configd
daemon 130 1 0 18:31:26 ? 0:01 /usr/lib/crypto/kcfd
root 201 7 0 18:31:28 ? 0:00 /usr/lib/saf/sac -t 300
root 222 1 0 18:31:29 ? 0:00 /usr/lib/utmpd
root 336 232 0 18:44:34 console 0:00 ps -ef
root 232 7 0 18:31:29 console 0:00 -sh
root 110 1 0 18:31:25 ? 0:00 /usr/lib/sysevent/syseventd
root 263 1 0 18:31:32 ? 0:00 /usr/lib/inet/xntpd
root 205 201 0 18:31:28 ? 0:00 /usr/lib/saf/ttymon
named 267 1 0 18:31:33 ? 0:01 /usr/sbin/named -t /var/named
root 248 1 0 18:31:30 ? 0:03 /usr/lib/fm/fmd/fmd
#
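The process listing above documents what the hardened host should be running. As an added example that is not from the article, the same listing can drive a routine check: compare the CMD column of ps -ef against an allowlist of expected command names and report anything else, so an extra daemon appearing after a release shows up immediately. The allowlist is derived from the article's listing and is this example's assumption; the sample input is the listing itself, embedded for offline use.

```shell
#!/bin/sh
# Added example, not part of the article: check a "ps -ef" listing against
# the set of commands the hardened DNS host is expected to run and report
# anything else. The allowlist below was derived from the article's process
# listing and is an assumption of this example.

# Command names (basename of the CMD column) expected on the host.
EXPECTED='sched init pageout fsflush syslogd svc.startd svc.configd kcfd
sac utmpd ps -sh syseventd xntpd ttymon named fmd'

# Read ps -ef output on stdin; print "<uid> <pid> <command>" for every
# process whose command is not in EXPECTED. Exit 0 if none, 1 otherwise.
unexpected_procs() {
    awk -v allow="$EXPECTED" '
        BEGIN { n = split(allow, a, /[ \n]+/); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "UID" || $1 == "#" || NF < 8 { next }   # header, prompt, blanks
        {
            cmd = $8; sub(/.*\//, "", cmd)             # strip the directory part
            if (!(cmd in ok)) { print $1, $2, $8; bad++ }
        }
        END { exit bad ? 1 : 0 }'
}

# The listing from the article, embedded here as sample input.
sample_ps() {
cat <<'EOF'
# ps -ef
UID PID PPID C STIME TTY TIME CMD
root 0 0 0 18:31:17 ? 119:31 sched
root 1 0 0 18:31:18 ? 0:00 /sbin/init
root 2 0 0 18:31:18 ? 0:00 pageout
root 3 0 0 18:31:18 ? 0:00 fsflush
root 240 1 0 18:31:29 ? 0:00 /usr/sbin/syslogd
root 7 1 0 18:31:19 ? 0:02 /lib/svc/bin/svc.startd
root 9 1 0 18:31:19 ? 0:05 /lib/svc/bin/svc.configd
daemon 130 1 0 18:31:26 ? 0:01 /usr/lib/crypto/kcfd
root 201 7 0 18:31:28 ? 0:00 /usr/lib/saf/sac -t 300
root 222 1 0 18:31:29 ? 0:00 /usr/lib/utmpd
root 336 232 0 18:44:34 console 0:00 ps -ef
root 232 7 0 18:31:29 console 0:00 -sh
root 110 1 0 18:31:25 ? 0:00 /usr/lib/sysevent/syseventd
root 263 1 0 18:31:32 ? 0:00 /usr/lib/inet/xntpd
root 205 201 0 18:31:28 ? 0:00 /usr/lib/saf/ttymon
named 267 1 0 18:31:33 ? 0:01 /usr/sbin/named -t /var/named
root 248 1 0 18:31:30 ? 0:03 /usr/lib/fm/fmd/fmd
#
EOF
}

# On a live host:  ps -ef | unexpected_procs
# Against the embedded sample, which should report nothing:
#   sample_ps | unexpected_procs
```

Matching on the basename of the command rather than the full line keeps the list short and stable across argument changes; on a host this small the list is the whole expected process set, so a non-empty report is itself the alert, and the exit status lets the check be wired into the same lock script that runs the BART comparison.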
The CM Plan
One of the biggest concerns leadership had with the original DNS way of doing business was the lack of configuration management or attribution for system changes. By using the VMware images, a “golden image” concept, extremely limited direct access, and a strict workflow, the DNS zones will be extremely stable. The key to this approach is that all configuration changes will be made offline to a candidate release; only after the candidate release is tested and validated will it be cloned for production and then archived for reference. Candidate change lists will be approved by the DNS, UNIX, and Security teams before implementation. The planned battle rhythm is:
■■ Monthly: New numbered release incorporating updated DNS configurations, security patches, antivirus updates as required by DISA standards [5, 10], and other approved configuration changes. Root password is changed monthly.
■■ Annually: New major-number release for major operating system updates, as released.
■■ As needed: Independent security scans as new scanning tools are updated.
■■ As needed: Emergency updates for security patches or DNS configurations.
REFERENCES