[This was originally published on Aviary Magazine and mirrored on attrition.org.]
Inside of one month, myself or thousands of other security consultants could eradicate over 90% of the vulnerabilities plaguing Unix systems today. Sound far fetched? It isn’t as crazy as it sounds. More crazy as that notion is why it hasn’t been done years ago. In a complicated world, sometimes the most simple of solutions really are simple. Despite vendor claims or excuses, serious thought should be given to their modus operandi as far as default installations.
When the average user installs a new Operating System (OS), they get all the features and robust utilities for power computing. Along with this power and flexibility, they inherent every security problem in the OS. The end user is potentially at risk every time they dial into their ISP to connect to the Internet. Business users put themselves at risk 24/7 as their machines are connected to corporate networks, often with little protection.
The current philosophy of ‘out of box’ OS installs is “start open, close what you don’t need”. The immediate question and subject of many security papers is, “What do I need?” New users to Solaris or Linux must make decisions about what services to shut down. There are two problems with this approach. How does the end user know what they need, and more importantly, how do they know what is installed in order to make the decision? Reading through pages of documentation is not the first thing a new user wants to do. Downloading tools to perform their own security audit is even more preposterous. Yet vendors expect their users to do just that.
In a recent article, Carole Fennelly addresses this same point in talking about securing the Operating System a Firewall will be run on. Why should an administrator go through this level of additional work to achieve security?
Sun Microsystems, Hewlett-Packard and other Unix vendors advertise ‘secure’ operating platforms. The catch to this claim is, you get to do the dirty work in making that claim true. How can any vendor make such wild claims when they all suffer from a history of huge bugs? More insulting to their users is making these claims all the while maintaining the worst philosophy of security imaginable. Rather than start out with an open system that must be locked down, why not take a different approach? Begin with a closed and highly secure operating system. As users need functionality, they turn on these services rather than turn off the unneeded ones. Yes, it is that simple.
The problem with Unix
Almost every flavor of Unix comes with 50 to 100 SUID binaries. For those of you unfamiliar with ‘SUID’, it means a program that operates under a higher privilege than the person running it. In layman’s terms, each SUID binary represents on possible way for someone to gain increased access because of bugs or misconfiguration. Almost every single administrative tool on these systems is designed so that any user can run it, and worse, run it under higher privilege. Why?! Each Unix system comes with at least one (often many) administrative accounts. Shouldn’t these tools be exclusive to accounts with higher privilege? After setup and install, most of my Unix machines have between 3 and 10 SUID binaries. Yet Solaris 2.6 comes with almost 100 SUID files! RedHat Linux comes in at close to 40, while AIX is the most baffling; Over 200 SUID files, but many of which are not accessible to the average user. It appears they had the right idea in mind, but did not follow through with the entire system.
The second problem plaguing most flavors of Unix is the abundance of insecure services that any network user can access. Relying on twenty year old protocols like telnet, rsh and rcp, it puts users at risk from transmitting secure information via insecure channels. Further, installing services for calendar management, remote file system sharing and other network features, they open up a user’s machine to a world of potential problems. In many cases, these services are never used and often forgotten.
Solution with Harmony
Not only is this solution a better practice in general, it is more in tune to how the world of computers work. Experienced administrators are familiar with their systems. They know the ins and outs, what services are required and how to tweak the system. On a closed system, they would have the knowledge to open the necessary services in order to meet user demands. On the flip side, newcomers to Unix are not familiar with the details. They do not know that you can shut off NFS, FTP and other services on many home systems. This lends to the problem of open and insecure machines littering the Internet. Starting out with a more closed system would help eradicate these vulnerabilities.
Despite its lack of use, OpenBSD stands out as one platform that has adopted this approach. With a reputation of strong security, the development team has taken a keen interest in pro-active security and addressed many issues that bite most vendors. As a result of their work, OpenBSD continues to be perhaps the most secure version of Unix out there.
What would it take?
In the opening, I say it could be done in one month. In reality, most Unix vendors could sit down and change their default settings in a matter of days. The trick is that all the documentation needs to be updated to reflect the changes. Worse, insecure software that previously relied on these open systems would have to be modified to maintain a smoothly working system. These catches no doubt prevent vendors from taking a new approach. What they fail to realize is that the time spent taking in various bug reports and fixing them surpasses the time required to do pro-active security auditing. When will they realize this?