Security Questionnaire Version 1.4
from http://www.opensolaris.org/os/community/arc/bestpractices/security-questions/

When answering all of the following questions please describe when an environmental security assumption is the basis for a "Not Applicable" answer.

1. Are there any security requirements documented for this project?
   [ X ] No

   1) What security issues are being addressed or potentially introduced by your project?
      A network server is being added to the system.

2. For each network (e.g., RPC over IP, TCP/IP, Serial, etc.) used by a project describe the following:

   1. Describe the protocol stack being used.
      A) X Window System Protocol, Version 11 (X11) over TCP/IP
      B) Remote Frame Buffer (RFB) over TCP/IP
      C) HTTP over TCP/IP

   2. List the service/application to which this project will communicate and the mechanism used (if IP based, list static/dynamic ports used).
      A) X11 clients; port specified at configuration time, TCP port 6000 + X display id, Unix sockets in /tmp/.X11-unix, named pipes in /tmp/.X11-pipe
      B) VNC viewer clients; port specified at configuration time, traditionally TCP port 5900 + X display id
      C) Web browsers; port specified at configuration time, traditionally TCP port 5800 + X display id

   3. Describe what information will flow and/or be made available over this network connection.
      A & B) Access to the contents of a desktop session
      C) Java applet used to provide a VNC viewer on systems without one already installed

   4. Describe how each network service that is created, installed, used or depended upon is compliant with the Network Install-Time Security policy.

      1. Specifically, how does each outbound service meet the protection requirements using SVC1, SVC2, or SVC[3,4], including how OUT[1-3] protection is enforced?
         N/A - no outbound connections are opened by this service.

      2. Specifically, how does each inbound service meet the protection requirements using SVC1, SVC2, or SVC[3,4], including how IN[1,2] protection is enforced?
         A, B, & C) SVC2: Service is not run during installation, nor until started/enabled manually by the end user.
         Additionally:
         A) IN1/IN2: Standard X11 client authentication mechanisms are used, by default MIT-MAGIC-COOKIE, with Secure RPC, getpeerucred(), and host-address authentication options available as well. Nothing else is processed until the authentication is completed. If the x11-server SMF service or /usr/X11/bin/Xserver script is used to start Xvnc, this inherits the Secure-by-Default setting of disabling the X11 TCP port unless overridden in the SMF configuration.
         B) IN1/IN2: RFB defaults to requiring a client connection to authenticate using a DES-encrypted challenge/response scheme against a password stored trivially obfuscated in the $HOME/.vnc/passwd file. Xvnc may be configured to not require authentication or to use a different file for the password.
         C) The httpd port is only opened if the user specifically requests it via the -httpd command line flag.

      3. How are the other aspects of the policy met (e.g. warning the administrator about install options which are non-compliant)?
         N/A

   5. Describe how to disable each network service from your project and the side effects (e.g. dependencies) of doing so.
      A) Start Xvnc with -nolisten tcp. Restricts X clients to those on the local host or forwarded via ssh -X (set by default in the x11-server SMF manifest).
      B) Start Xvnc with the -localhost option. Restricts VNC viewers to those on the local host or forwarded via ssh tunneling.
      C) Don't run Xvnc with the -httpd option. Requires clients to have a VNC viewer installed already.

   6. For each network service, discuss how it protects its communications from network-based theft, replay, content change and user impersonation within the following sub-sections:

      1. Does your service make decisions based on user, host or service identities?
         [ X ] Yes

         1) Describe how your project authenticates or discovers the host, user, or service's identity.
            A) getpeeraddr(), getpeerucred() and/or Secure RPC
            B) DES-encrypted challenge/response to verify the password of the VNC server (not a Unix user password)
            C) N/A

         2) If authentication is done by another component, explain how you obtain this information and why you believe it's authentic.
            A) If you can't trust the kernel, who can you trust?
            B & C) N/A

         3) If your project authenticates, explain the authentication process including any standards or existing components used.
            A) See X11 standards
            B) [Copied from the RFB Protocol Spec - http://www.realvnc.com/docs/rfbproto.pdf .]
               The server sends a random 16-byte challenge:

                 No. of bytes   Type [Value]   Description
                 16             U8             challenge

               The client encrypts the challenge with DES, using a password supplied by the user as the key, and sends the resulting 16-byte response:

                 No. of bytes   Type [Value]   Description
                 16             U8             response

            C) N/A

         4) In addition, describe what happens if the authentication process fails.
            A & B) Client receives an authentication failure response code (the client UI determines how to present this) and is disconnected.
            C) N/A

         5) If passwords or passphrases are used, discuss how they are protected from host or network-based theft, protected if stored beyond authentication, how they can be changed, and any validity checking which occurs.
            A & C) N/A
            B) Password is stored on the server side in obfuscated form in a file (default is $HOME/.vnc/passwd) and may be set or changed with the vncpasswd command.

      2. Does your project make decisions about whether a requestor may access a particular resource?
         [ X ] Yes
         Explain how this occurs for both successful and unsuccessful access requests.
         See previous section on authentication.

      3. Does your project protect its communications from passive listeners on the network?
         [ X ] No
         Explain why not.
         A & B) Current standards do not provide any standards-compliant mechanism for this. Current standard recommendation is to use ssh tunneling to encrypt network traffic, though we've recently become aware of a project to add SSL support to VNC/RFB that may be an option in the future.
         C) Not needed - no private data is communicated, only the publicly available Java client applet.

      4. Describe how network-based access control is provided (e.g., this could be provided through technologies such as host-based firewalls/IPsec or application-level controls such as TCP Wrappers).
         See previous section on authentication.

      5. Does your service protect the integrity of its communications over the network?
         [ X ] No
         Explain why not.
         A & B) Current standards do not provide any standards-compliant mechanism for this. Current community recommendation is to use ssh tunneling to encrypt network traffic, though we've recently become aware of a project to add SSL support to VNC/RFB that may be an option in the future.
         C) Not provided in the open source implementation. Adding https to provide server certificate checking is a possible future project, but one not planned at this time. For now, users who require verification of VNC viewer software should install one directly on the client system from a trusted source instead of relying on http download of the Java applet.

      6. Describe how this network communication is protected against replay attacks in which a partial record of an earlier network exchange is replayed.
         A) No protection available in the X11 standard protocol
         B) See above section on the challenge/response protocol
         C) No protection needed

      7. Describe how your network communications could be exploited by a denial of service (DoS) attack. (For instance, what resources are allocated during session setup before the requestor has been authenticated?)
         Not investigated, but to the best of my knowledge, few resources are allocated before authentication beyond the TCP socket and a small amount of memory for the data structure associated with it.
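The RFB challenge/response quoted under 6.1.3 and the replay answer under 6.6, worked through as an added example. This is not code from the questionnaire or from Xvnc; it uses Go's standard crypto/des and constructed password and challenge values. The password-to-key derivation (pad or truncate to 8 bytes, then reverse the bit order of each byte) is the known quirk of the VNC reference implementation, which the page does not describe; the rest follows the quoted spec text: a random 16-byte challenge from the server, the client's DES encryption of it under the password, and the server's comparison.

```go
package main

import (
	"crypto/des"
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Added example of RFB "VNC Authentication": the server sends a random
// 16-byte challenge, the client DES-encrypts it with the VNC password as
// key, and the server checks the 16-byte response against its own
// encryption of the same challenge.

const challengeLen = 16

// vncKey derives the 8-byte DES key from the password: pad with NULs or
// truncate to 8 bytes (only the first 8 characters matter), then reverse
// the bit order of each byte. The reversal is the key-order quirk of the
// d3des code used by the VNC reference implementation (assumed here).
func vncKey(password string) []byte {
	key := make([]byte, 8)
	copy(key, password) // copy stops at 8 bytes; unused bytes stay 0
	for i, b := range key {
		var r byte
		for j := 0; j < 8; j++ {
			r = r<<1 | (b>>uint(j))&1
		}
		key[i] = r
	}
	return key
}

// desEncryptBlocks encrypts data (a multiple of 8 bytes) block by block
// (ECB), which is all the two-block challenge needs.
func desEncryptBlocks(key, data []byte) ([]byte, error) {
	if len(data)%des.BlockSize != 0 {
		return nil, errors.New("data is not a multiple of the DES block size")
	}
	block, err := des.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(data))
	for i := 0; i < len(data); i += des.BlockSize {
		block.Encrypt(out[i:i+des.BlockSize], data[i:i+des.BlockSize])
	}
	return out, nil
}

// NewChallenge is the server side: a fresh random challenge for every
// connection, which is what defeats straight replay of a captured response.
func NewChallenge() ([]byte, error) {
	c := make([]byte, challengeLen)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	return c, nil
}

// ClientResponse is the client side: encrypt the challenge under the password.
func ClientResponse(password string, challenge []byte) ([]byte, error) {
	return desEncryptBlocks(vncKey(password), challenge)
}

// VerifyResponse is the server side: recompute the expected response from the
// server's stored password and compare in constant time.
func VerifyResponse(serverPassword string, challenge, response []byte) bool {
	expected, err := desEncryptBlocks(vncKey(serverPassword), challenge)
	if err != nil || len(response) != challengeLen {
		return false
	}
	return subtle.ConstantTimeCompare(expected, response) == 1
}

func main() {
	const serverPassword = "s3cret!" // constructed example value
	challenge, err := NewChallenge()
	if err != nil {
		panic(err)
	}
	good, _ := ClientResponse(serverPassword, challenge)
	bad, _ := ClientResponse("wrong-pw", challenge)
	fmt.Printf("challenge: %x\n", challenge)
	fmt.Printf("correct password accepted:  %v\n", VerifyResponse(serverPassword, challenge, good))
	fmt.Printf("wrong password accepted:    %v\n", VerifyResponse(serverPassword, challenge, bad))

	// Replay: a captured response is useless against the next challenge.
	next, _ := NewChallenge()
	fmt.Printf("replayed response accepted: %v\n", VerifyResponse(serverPassword, next, good))
}
```

The fresh challenge is the only replay protection the questionnaire claims for RFB, and that is all this scheme gives: as the answers to 6.3 and 6.5 state, the exchange itself is neither confidential nor integrity-protected, so the recommendation to carry it over an ssh tunnel stands.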
3. Does this project use secret information (e.g. passwords, passphrases, PINs or equivalent authenticators) during authentication and/or authorization?
   [ X ] Yes

   1. Describe all methods for how this secret information can be obtained (e.g. user prompted interactively).
      vncpasswd prompts the user interactively to create the password file for the server. The VNC client mechanism to get the password on the other side is not part of this case.

      1. If the secret information can be obtained via command line or environment variable, explain how the project complies with the SAC Reusable Passwords
         N/A

      2. If the secret information can be obtained from persistent storage (e.g. file), explain how the storage is protected and compliant with the SAC Storing Reusable Passwords Policy.
         At creation, the file is chmod'ed 0600 by vncpasswd. Contents are obfuscated using DES encryption with a well-known key (hardcoded in the source code).

   2. Describe how the secret information is created, provisioned, updated, revoked, and checked for policies regarding its content (e.g. password strength checks).
      Created and updated with the vncpasswd command. Password is required by vncpasswd to be at least 6 characters - no other strength checks are available.

   3. How is this secret information expunged from the project's memory after use (e.g. so it doesn't appear in core files)?
      Unknown

4. Does a non-privileged (e.g., not having access equivalent to uid 0 on pre-RBAC/Least Privilege OEs) user have access to all project functionality?
   [ X ] Yes
   Describe why there are no potential RASS (Reliability, Availability, Serviceability, and Security) reasons to restrict non-privileged access.
   I've never understood what this question wants, and still don't.

5. Except for networking (discussed above), does this project use cryptography for any purpose?
   [ X ] No

6. Is any privileged user or group account (e.g., suid root, or other privileged setting mechanism) software part of your project?
   [ X ] Yes
   Describe how the principle of least privilege (e.g. daemon dropping privileges once no longer needed) has been applied.
   Xvnc, like other Solaris X servers, is setgid root to establish X11 listening connections in /tmp/.X11-unix & /tmp/.X11-pipe, and to adjust client process priority via the IA scheduling class. Once established, gid 0 is dropped until needed for priocntl calls, which are bracketed with setegid() calls.
   In addition, list all privileges required for this software.
   N/A

7. Are any log, error, FMA, or audit events generated? Note - this question applies to all auditing mechanisms, whether implemented in Solaris auditing, J2SE's logging facility, or Windows event logging.
   [ X ] Yes

   1. List all security error events that may be generated and their causes.
      X client authentication & RFB client authentication errors are issued to stderr.

   2. Will this project generate any audit records?
      [ X ] Yes
      List those events for which you will generate audit records.
      See LSARC/2004/109: Trusted Solaris X server extension

8. Will this project run on Solaris?
   [ X ] Yes
   What is the smallest sized Solaris installation Meta Cluster (e.g. Solaris 10 "Reduced Networking" (PSARC 2002/254)) on which it has been tested?
   End User.
   If it will not run on the Reduced Networking Meta Cluster, what additional packages are necessary? Are these included in the appropriate package dependency files?
   X window system packages as noted in package dependencies.

9. Will the project undergo a security evaluation/certification by itself or as part of a larger product (e.g. Solaris releases are certified against the Common Criteria's CAPP at EAL4)?
   Unknown - will be integrated into Solaris, but do not know of any evaluation/certification plans for this component.

10. How does the project provide for failsafe defaults such that the security is not compromised? (For example, how does the project ensure that the security of the product isn't compromised by corrupted or missing configuration files?)
    N/A
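The password-file handling described under question 3 (vncpasswd creating the file with mode 0600, DES obfuscation under a fixed key hardcoded in the source, and the 6-character minimum as the only strength check), as an added example that is not vncpasswd's own code. The fixed key below is a constructed placeholder, not the value in the VNC source, and CheckPasswordFile is an added defensive routine the questionnaire does not describe; the point it makes is the one the answer implies: because the key is the same everywhere, the obfuscation is reversible by anyone who can read the file, so the file mode is the real protection.

```go
package main

import (
	"crypto/des"
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// Constructed placeholder for the fixed key that vncpasswd hardcodes; the
// real value lives in the VNC source and is deliberately not reproduced.
var obfuscationKey = []byte{0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef}

const minPasswordLen = 6 // the only strength check vncpasswd performs

// obfuscate pads or truncates the password to one 8-byte DES block (only the
// first 8 characters are significant) and encrypts it under the fixed key.
func obfuscate(password string) ([]byte, error) {
	if len(password) < minPasswordLen {
		return nil, fmt.Errorf("password must be at least %d characters", minPasswordLen)
	}
	block, err := des.NewCipher(obfuscationKey)
	if err != nil {
		return nil, err
	}
	in := make([]byte, des.BlockSize)
	copy(in, password)
	out := make([]byte, des.BlockSize)
	block.Encrypt(out, in)
	return out, nil
}

// deobfuscate reverses obfuscate. Because the key is fixed, anyone with read
// access to the file can do exactly this, which is why 0600 matters.
func deobfuscate(stored []byte) (string, error) {
	if len(stored) != des.BlockSize {
		return "", errors.New("password file has unexpected length")
	}
	block, err := des.NewCipher(obfuscationKey)
	if err != nil {
		return "", err
	}
	out := make([]byte, des.BlockSize)
	block.Decrypt(out, stored)
	n := 0 // strip the NUL padding added by obfuscate
	for n < len(out) && out[n] != 0 {
		n++
	}
	return string(out[:n]), nil
}

// WritePasswordFile stores the obfuscated password with mode 0600, as
// vncpasswd does; the explicit Chmod narrows the mode of a pre-existing file.
func WritePasswordFile(path, password string) error {
	data, err := obfuscate(password)
	if err != nil {
		return err
	}
	f, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
	if err != nil {
		return err
	}
	defer f.Close()
	if _, err := f.Write(data); err != nil {
		return err
	}
	return f.Chmod(0600)
}

// CheckPasswordFile is the defender's check: refuse a password file that is
// readable by group or others, since its contents are trivially reversible.
func CheckPasswordFile(path string) error {
	info, err := os.Stat(path)
	if err != nil {
		return err
	}
	if info.Mode().Perm()&0077 != 0 {
		return fmt.Errorf("%s is mode %04o; expected 0600", path, info.Mode().Perm())
	}
	return nil
}

func main() {
	path := filepath.Join(os.TempDir(), "vnc-passwd-example") // constructed location
	defer os.Remove(path)
	if err := WritePasswordFile(path, "s3cret!"); err != nil { // constructed password
		panic(err)
	}
	fmt.Println("mode check:", CheckPasswordFile(path))
	raw, _ := os.ReadFile(path)
	back, _ := deobfuscate(raw)
	fmt.Printf("stored bytes: %x, recovered password: %q\n", raw, back)
}
```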