System Administration Commands					     sxadm(1M)
    
    
    
    NAME
           sxadm - manage Solaris security extensions configuration
    
    SYNOPSIS
           sxadm enable [-c	property=value[,property=value,...]]
    	     extension[,extension,...]
    
           sxadm delcust [extension,...]
    
           sxadm disable extension[,extension,...]
    
           sxadm get [-p] [-o "all"	| field[,...]] <"all" |	property[,...]>
    	    [extension]
    
           sxadm help [subcommand]
    
           sxadm set property=value[,property=value,...] extension
    
           sxadm status [-p] [extension]
    
    
           sxadm exec [-s extension=value]... command
    
    
    DESCRIPTION
           The sxadm command configures and	provides information regarding Solaris
           security	extensions. These extensions can  be  applied  at  the	system
           level, or at the	process	level.
    
    
           Security	extensions for a process are determined	by exec(2), and	become
           effective for a process from that point forward.	Extensions persist for
           the  lifetime  of  the process until the	process	exits or calls exec(2)
           again. System level extensions can affect all processes. Process level
           extensions affect individual processes, and are inherited by any child
           processes, provided the child process is not privileged. See SECURITY
           EXTENSIONS.
    
    
           Individual  executables	can be tagged with security extension require-
           ments when built	 with  ld(1).  This  tagging  ensures  the  associated
           process requirements are	met regardless of any system level extensions.
           Executables with	tagged security	 extensions  can  be  overridden  with
           process level extensions. See EXECUTABLE	TAGGED EXTENSIONS.
    
       SECURITY EXTENSIONS
           The  following  security	 extensions  are  available.  These extensions
           reduce the chances of attackers finding known entry points, or planting
           exploitation code in locations that can later be	executed.
    
           ASLR- Address Space Layout Randomization
    
    	   ASLR	 activates  the	 randomization of the location of key areas of
    	   the process,	such as	the stack, brk-based heap, and memory  segment
    	   mappings.  The memory mappings of an	application that is built as a
    	   position-independent	executable are also randomized under ASLR.
    
    
           NXHEAP- Non-Executable Heap
    
    	   NXHEAP prevents pages allocated for the  process  heap  from	 being
    	   executable.
    
    
           NXSTACK-	Non-Executable Stack
    
    	   NXSTACK  prevents  pages allocated for the process stack from being
    	   executable.	Backward   compatibility   with	  legacy   /etc/system
    	   noexec_user_stack and noexec_user_stack_log settings	is maintained,
    	   although such controls are deprecated  and  sxadm  should  be  used
    	   instead.
    
    
    
           By  default, the	global zone and	all non-global zones have the ASLR and
           NXHEAP extensions enabled only for tagged binaries, while  the  NXSTACK
           extension is enabled for	all processes.
    
       SECURITY EXTENSION PROPERTIES
           A  security  extension  can have	one or more properties.	All extensions
           have a model property. This property  defines  what  the	 extension  is
           applied to. Following are the model properties that exist.
    
           model=all	     Enable the	security extension for all processes.
    
    
           model=tagged-files    Enable  the  security  extension for tagged bina-
    			     ries.
    
    
           model=default	     Follow the	security extension system default. See
    			     SECURITY EXTENSIONS.
    
    
    
           Security	extensions may have additional properties.
    
    
           NXHEAP  and  NXSTACK  provide  a	logging	property, which, when enabled,
           reports attempts	to execute from	non-executable	memory	ranges	(stack
           for NXSTACK, heap and data for NXHEAP).
    
           log=enable     Enable logging.
    
    
           log=disable    Disable logging. (Default	configuration)
    
    
       MANAGING SECURITY EXTENSIONS
           Security	extensions can be modified system wide using the sxadm subcom-
           mands enable, disable, set, and delcust.	 For  example,	the  following
           sxadm commands enable extensions	system wide:
    
    	 % sxadm enable	nxstack
    	 % sxadm enable	aslr,nxheap
    
    
    
    
           The  following sxadm command also enables extensions system wide	but by
           specifically identifying	each property:
    
    	 % sxadm enable	-c model=all aslr
    	 % sxadm enable	-c model=all -c	log=enable nxstack
    
    
    
    
           Security	extensions can also be enabled or disabled for a process using
           the  sxadm  subcommand exec. This subcommand only affects the status of
           the security extension. Any  other  properties  of  the	extension  are
           inherited  from	the  system  properties.  The  following sxadm command
           ensures the foobar process executes with	disabled extensions:
    
    	 % sxadm exec -s aslr=disable -s nxheap=disable	foobar
    
    
    
       EXECUTABLE TAGGED EXTENSIONS
           Individual executables can be tagged with security  extension  require-
           ments when built	with the following ld(1) options:
    
           -z aslr[=mode]	    Control ASLR tagging.
    
    
           -z nxheap[=mode]	    Control non-executable heap	tagging.
    
    
           -z nxstack[=mode]    Control non-executable stack tagging.
    
    
    
           The  mode can be	enabled	or disabled. If	the mode is not	supplied, then
           enabled is the default.
    
    
           The security extension defined within  a	 tagged	 executable  interacts
           with any	system wide security settings in the following manner.
    
    	   o	  An  executable with an enabled, or disabled security setting
    		  is honored without consulting	the system  security  setting.
    		  Process  level  security settings override tagged executable
    		  settings.
    
    	   o	  Only executables that	have a	tagged	security  setting  are
    		  honored when the system security setting is tagged-files.
    
    SUB-COMMANDS
           The sxadm command has the following subcommands:
    
           sxadm enable [-c	property=value[,property=value,...]] extension[,exten-
           sion,...]
    
    	   Enable the specified	extension for the current zone.	The -c	option
    	   allows sxadm	to pass	property values	for the	specific extension.
    
    
           sxadm delcust [extension,...]
    
    	   Restore  the	 extension  to	the default configuration. This	option
    	   effectively deletes any customizations.
    
    
           sxadm disable extension[,extension,...]
    
    	   Disable the specified extension for the current zone.
    
    
           sxadm help [subcommand]
    
    	   Display usage information about sxadm or more detailed  information
    	   for each subcommand.
    
    
           sxadm status [-p] [extension]
    
    	   Report information on the status of all security extensions for the
    	   current zone. If -p is specified, the output	 is  displayed	in  an
    	   easily  parseable  format.  Specifying  an extension	on the command
    	   line	filters	for the	specific extension. Machine  parseable	output
    	   is a	list of	colon-separated	fields:
    
    	     extension:status (model):configuration (model)
    
    
    	   where:
    
    	   extension	    The	name of	the extension
    
    
    	   status	    The	 current  status for the extension (enabled or
    			    disabled)
    
    
    	   model	    The	current	model enabled for the security exten-
    			    sion (all, default, tagged-files)

    	   configuration    The stored configuration for the extension
    			    (enabled, disabled, or system default)

    			    The characters colon (:), null (\0), and newline
    			    (\n) are not permitted in any of the components:
    			    extension, status, model, and configuration.
    
    
           sxadm get [-p] [-o "all" | field[,...]] <"all" | property[,...]>
           [extension]

    	   Display the value of security extension properties. If extension
    	   is specified, display the value of the property only for the
    	   specified extension. Specify "all" to display the properties of
    	   all extensions. For each property, the following columns are
    	   displayed:

    	     extension: the extension the property refers to
    	     name: the name of the property
    	     value: the value of the property


    	   All columns are displayed by default; select particular columns,
    	   or all of them, using the -o option. If -p is specified, the
    	   output is displayed in an easily parseable format. That format
    	   is a list of colon-separated fields:

    	     extension:property:value


    	   The characters colon (:), null (\0), and newline (\n) are not
    	   permitted in any of the components.
    
    
    
           sxadm set property=value[,property=value,...] extension
    
    	   Assign value	to the property	of the specified extension.
    
    
           sxadm exec [-s extension=value]... command
    
    	   Execute the specified command with a specific configuration for
    	   security extensions. For each security extension not explicitly
    	   configured on the command line, the system configuration is used.
    	   Child processes spawned by command inherit the security extension
    	   configuration that is specified on the command line. setuid and
    	   privileged binaries do not inherit any configuration. Multiple
    	   configurations can be expressed from the command line using
    	   multiple -s options. If the same extension is configured more
    	   than once, the last occurrence takes precedence. In the following
    	   example, foobar is executed with ASLR enabled:
    
    	     % sxadm exec -s aslr=disable -s aslr=enable foobar
    
    
    	   The	sxadm  exec  subcommand	 is designed to	accommodate the	common
    	   case	in which a debugger is applied to  a  single  process  started
    	   directly by the debugger. It	may not	be sufficient for more complex
    	   scenarios. In such cases, it	may  be	 necessary  to	use  sxadm  to
    	   change  the system or zone level security extension defaults, or to
    	   apply per-object tagging using  the	ld(1)  utility,	 in  order  to
    	   facilitate debugging.
    
    	   This	 feature  is  primarily	of interest when extensions based on a
    	   randomized secret are active	(for example,  ASLR),  since  changing
    	   memory addresses can	complicate some	debugging scenarios. This fea-
    	   ture	is also	useful for explicitly testing applications  with  dif-
    	   ferent security extension configurations.
    
    
    EXAMPLES
           Example 1 Displaying the	current	Security Extensions Configuration
    
    	 $ sxadm status	-p
    		aslr:enabled (tagged-files):system default (default)
    		nxstack:enabled	(all):system default (default)
    		nxheap:enabled (tagged-files):system default (default)
    		$
    
    		$ sxadm	status
    		EXTENSION	 STATUS			  CONFIGURATION
    		aslr		 enabled (tagged-files)	  system default (default)
    		nxstack		 enabled (all)		  system default (default)
    		nxheap		 enabled (tagged-files)	  system default (default)
    		$
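           The following is an added example and is not part of the sxadm
           man page or of Solaris itself. It is a POSIX shell function that
           reads the machine-parseable `sxadm status -p` output described
           under SUB-COMMANDS and, for every extension that is not enabled
           with model=all, prints the `sxadm enable` command from MANAGING
           SECURITY EXTENSIONS that would enforce it (with log=enable for the
           two extensions that support logging). The status lines are
           constructed sample data; the function names sx_remediate and
           sx_compliant and the policy "model=all everywhere" are this
           example's assumptions, not sxadm defaults.

```shell
#!/bin/sh
# Added example: audit `sxadm status -p` output against a model=all policy.
# The function names and the policy are assumptions of this example.

# Constructed sample of `sxadm status -p` output, following the documented
# format  extension:status (model):configuration (model).  Not captured from
# a real system.
SAMPLE_STATUS='aslr:enabled (tagged-files):system default (default)
nxstack:enabled (all):system default (default)
nxheap:disabled (tagged-files):disabled (tagged-files)'

# Read status -p lines on stdin. For each extension whose effective model
# is not "all", print the sxadm command that would enable it system wide.
# Prints nothing when every extension already satisfies the policy.
sx_remediate() {
    while IFS=: read -r ext status config; do
        [ -n "$ext" ] || continue
        state=${status%% *}             # "enabled" or "disabled"
        model=${status#*\(}             # text after the opening paren
        model=${model%\)}               # "all", "tagged-files", "default"
        if [ "$state" = "enabled" ] && [ "$model" = "all" ]; then
            continue
        fi
        case "$ext" in
            # NXHEAP and NXSTACK support the log property; turn it on too.
            nxheap|nxstack)
                printf 'sxadm enable -c model=all -c log=enable %s\n' "$ext" ;;
            *)
                printf 'sxadm enable -c model=all %s\n' "$ext" ;;
        esac
    done
}

# Return 0 when no remediation is needed for the status -p lines on stdin,
# 1 otherwise. Usable as a compliance check in a hardening script.
sx_compliant() {
    [ -z "$(sx_remediate)" ]
}

# Stand-alone run over the constructed sample: on a default Solaris system
# (ASLR and NXHEAP at tagged-files) this would list aslr and nxheap.
printf '%s\n' "$SAMPLE_STATUS" | sx_remediate
```

           On a live system, pipe the real output through the same function
           (`sxadm status -p | sx_remediate`) and review the proposed
           commands before running them; widening ASLR or NXHEAP to all
           processes can break applications that were never built to
           tolerate them, which is why the page's default is tagged-files.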
    
    
    
           Example 2 Use set/get to	set/retrieve Security Extensions Properties
    
    	 $ sxadm get model aslr
    		EXTENSION	PROPERTY	  VALUE
    		aslr		model		 tagged-files
    		$
    
    		$ sxadm	set log=enable nxheap
    		$ sxadm	get log	nxheap
    		EXTENSION	PROPERTY	 VALUE
    		nxheap		log		 enable
    		$
    
    
    
           Example 3 Running a Debugging Session
    
    
           The  following  command	sequence illustrates a debugging session being
           conducted with ASLR disabled.
    
    
    	 $ sxadm exec -s aslr=disable /bin/bash
    	 $
    	 # Because all processes (except privileged ones) inherit the (disabled)
    	 # ASLR configuration, mdb, truss & co will have repeatable results.

    	 $ truss -t mmap /bin/true
    	 mmap(0x00000000, 32, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANON, -1, 0)
    	 = 0xFE5B0000
    	 mmap(0x00000000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANON, -1, 0)
    	 = 0xFE5A0000
    	 mmap(0x00000000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANON, -1, 0)
    	 = 0xFE590000
    	 [...]
    	 $ truss -t mmap /bin/true
    	 mmap(0x00000000, 32, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANON, -1, 0)
    	 = 0xFE5B0000
    	 mmap(0x00000000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANON, -1, 0)
    	 = 0xFE5A0000
    	 mmap(0x00000000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANON, -1, 0)
    	 = 0xFE590000
    	 [...]
    	 $ truss -t mmap /bin/true
    	 mmap(0x00000000, 32, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANON, -1, 0)
    	 = 0xFE5B0000
    	 mmap(0x00000000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANON, -1, 0)
    	 = 0xFE5A0000
    	 mmap(0x00000000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANON, -1, 0)
    	 = 0xFE590000
    	 [...]
    
    
    
    EXIT STATUS
           0
    
    	   The command completed successfully.
    
    
           1
    
    	   The command exited due to an	error.
    
    
    ATTRIBUTES
           See attributes(5) for descriptions of the following attributes:
    
    
    
    
           +-----------------------------+-----------------------------+
           |      ATTRIBUTE	TYPE	     |	    ATTRIBUTE VALUE	   |
           +-----------------------------+-----------------------------+
           |Availability		     |system/core-os		   |
           +-----------------------------+-----------------------------+
           |Interface Stability	     |Committed			   |
           +-----------------------------+-----------------------------+
    
    SEE ALSO
           ld(1), exec(2), attributes(5)
    
    
    
    SunOS 5.11			  15 Jun 2015			     sxadm(1M)
    