Oracle Solaris 11 Security Guidelines (Oracle Solaris 11.1 Information Library)
Oracle Solaris Security Technologies
The security features of Oracle Solaris can be configured to implement your site's security policy.
The following sections provide a short introduction to the security features of Oracle Solaris. The descriptions include references to more detailed explanations and to procedures in this guide and other Oracle Solaris system administration guides that demonstrate these features.
Address space layout randomization (ASLR) randomizes the addresses that are used by a given binary. ASLR can prevent certain types of attacks that depend on knowing the exact location of certain memory ranges, and because a wrong guess usually crashes the executable, such attempts become detectable. For more information, see Address Space Layout Randomization in Oracle Solaris 11.1 Administration: Security Services.
Auditing is the collecting of data about the use of system resources. The audit data provides a record of security-related system events. This data can then be used to assign responsibility for actions that take place on a system.
Auditing is a basic requirement for security evaluation, validation, and certification bodies. Auditing can also provide a deterrent to potential intruders.
For more information, see the following:
For a list of audit-related man pages, see Chapter 29, Auditing (Reference), in Oracle Solaris 11.1 Administration: Security Services.
For guidelines, see How to Audit Significant Events in Addition to Login/Logout and the man pages.
For an overview of auditing, see Chapter 26, Auditing (Overview), in Oracle Solaris 11.1 Administration: Security Services.
For auditing tasks, see Chapter 28, Managing Auditing (Tasks), in Oracle Solaris 11.1 Administration: Security Services.
The BART feature of Oracle Solaris enables you to comprehensively validate systems by performing file-level checks of a system over time. By creating BART manifests, you can easily and reliably gather information about the components of the software stack that is installed on deployed systems.
BART is a useful tool for integrity management on one system or on a network of systems.
For more information, see the following:
Selected man pages include bart(1M), bart_rules(4), and bart_manifest(4).
For guidelines, see Creating a BART Snapshot of the System, Verifying File Integrity by Using BART, and the man pages.
For an overview of BART, see Chapter 6, Verifying File Integrity by Using BART (Tasks), in Oracle Solaris 11.1 Administration: Security Services.
For examples of using BART, see Using BART (Tasks) in Oracle Solaris 11.1 Administration: Security Services and the man pages.
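The manifest-then-compare workflow described above, shown as an added example in POSIX sh. This is illustrative code written for this page, not Oracle's bart(1M); the manifest format (path, mode string, size, cksum CRC) and the file names in the comments are constructed for the example, and the format is deliberately simpler than bart's (no owner, group or mtime, and a CRC rather than a cryptographic hash). The point is the method: take a baseline, keep it off the system, regenerate later, and diff the two.

```shell
#!/bin/sh
# Added example: minimal file-integrity manifest and compare in POSIX sh,
# modelled on the workflow of bart(1M). Not Oracle's implementation.
# Manifest line format (constructed): <relative path> <mode> <size> <crc>
# Paths containing whitespace are not handled by this simplified version.

# make_manifest DIR
#   Prints one line per regular file below DIR, sorted by path.
make_manifest() {
    dir=$1
    ( cd "$dir" || exit 1
      find . -type f | LC_ALL=C sort | while IFS= read -r f; do
          mode=$(ls -ld "$f" | cut -c1-10)      # e.g. -rw-r--r--
          set -- $(cksum "$f")                  # cksum prints: <crc> <size> <name>
          printf '%s %s %s %s\n' "$f" "$mode" "$2" "$1"
      done )
}

# compare_manifests OLD NEW
#   Prints "ADDED <path>", "DELETED <path>" or "CHANGED <path>" for every
#   difference. A file is CHANGED when its mode, size or CRC differs.
compare_manifests() {
    awk '
        FILENAME == ARGV[1] { old[$1] = $2 " " $3 " " $4; next }
        {
            if (!($1 in old))                      print "ADDED " $1
            else if (old[$1] != $2 " " $3 " " $4)  print "CHANGED " $1
            delete old[$1]
        }
        END { for (p in old) print "DELETED " p }
    ' "$1" "$2" | LC_ALL=C sort
}

# Typical use (file names are placeholders):
#   make_manifest /etc > baseline.manifest     # right after installation
#   make_manifest /etc > today.manifest        # later, on a schedule
#   compare_manifests baseline.manifest today.manifest
```

Keep the baseline manifest somewhere the monitored system cannot write to; a manifest stored on the same host can be edited by whoever altered the files.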
The Cryptographic Framework feature of Oracle Solaris and the Key Management Framework (KMF) feature of Oracle Solaris provide central repositories for cryptographic services and key management. Hardware, software, and end users have seamless access to optimized algorithms. The different storage mechanisms, administrative utilities, and programming interfaces for various public key infrastructures (PKIs) can use a unified interface when they adopt KMF interfaces.
The Cryptographic Framework provides cryptographic services to users and applications through individual commands, a user-level programming interface, a kernel programming interface, and user-level and kernel-level frameworks. The Cryptographic Framework provides these cryptographic services to applications and kernel modules in a manner seamless to the end user. It also brings direct cryptographic services, like encryption and decryption for files, to the end user.
KMF provides tools and programming interfaces for centrally managing public key objects, such as X.509 certificates and public/private key pairs. The formats for storing these objects can vary. KMF also provides a tool for managing policies that define the use of X.509 certificates by applications. KMF supports third-party plugins.
For more information, see the following:
Selected man pages include cryptoadm(1M), encrypt(1), mac(1), pktool(1), and kmfcfg(1).
For an overview of cryptographic services, see Chapter 11, Cryptographic Framework (Overview), in Oracle Solaris 11.1 Administration: Security Services and Chapter 13, Key Management Framework, in Oracle Solaris 11.1 Administration: Security Services.
For examples of using the Cryptographic Framework, see Chapter 12, Cryptographic Framework (Tasks), in Oracle Solaris 11.1 Administration: Security Services and the man pages.
The first line of defense for protecting objects in a file system is the default UNIX permissions that are assigned to every file system object. UNIX permissions support assigning unique access rights to the owner of the object, to a group assigned to the object, and to everyone else. Additionally, ZFS supports access control lists (ACLs), also called access control entries (ACEs), which control access to individual file system objects or groups of them more finely.
For more information, see the following:
For instructions on setting ACLs on ZFS files, see the chmod(1) man page.
For an overview of file permissions, see Using UNIX Permissions to Protect Files in Oracle Solaris 11.1 Administration: Security Services.
For an overview and examples of protecting ZFS files, see Chapter 7, Using ACLs and Attributes to Protect Oracle Solaris ZFS Files, in Oracle Solaris 11.1 Administration: ZFS File Systems and the man pages.
Packet filtering provides basic protection against network-based attacks. Oracle Solaris includes the IP Filter feature and TCP wrappers.
The IP Filter feature of Oracle Solaris creates a firewall to ward off network-based attacks.
Specifically, IP Filter provides stateful packet filtering capabilities and can filter packets by IP address or network, port, protocol, network interface, and traffic direction. It also includes stateless packet filtering and the capability to create and manage address pools. In addition, IP Filter also has the capability to perform network address translation (NAT) and port address translation (PAT).
For more information, see the following:
Selected man pages include ipfilter(5), ipf(1M), ipnat(1M), svc.ipfd(1M), and ipf(4).
For an overview of IP Filter, see Chapter 4, IP Filter in Oracle Solaris (Overview), in Securing the Network in Oracle Solaris 11.1.
For examples of using IP Filter, see Chapter 5, IP Filter (Tasks), in Securing the Network in Oracle Solaris 11.1 and the man pages.
For information and examples about the syntax of the IP Filter policy language, see the ipnat(4) man page.
TCP wrappers provide a way of implementing access controls by checking the address of a host requesting a particular network service against an ACL. Requests are granted or denied accordingly. TCP wrappers also log host requests for network services, which is a useful monitoring function. The Secure Shell and sendmail features of Oracle Solaris are configured to use TCP wrappers. Network services that might be placed under access control include proftpd and rpcbind.
TCP wrappers support a rich configuration policy language that enables organizations to specify security policy not only globally but on a per-service basis. Further, access to services can be permitted or restricted based upon host name, IPv4 or IPv6 address, netgroup name, network, and even DNS domain.
For more information, see the following:
For information about TCP wrappers, see How to Use TCP Wrappers to Control Access to TCP Services in Configuring and Administering Oracle Solaris 11.1 Networks.
For information and examples of the syntax of the access control language for TCP wrappers, see the hosts_access(4) man page.
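To make the allow-then-deny search order concrete, here is an added evaluator for a subset of the hosts_access(4) language, written in POSIX sh and awk. It is example code for this page, not the libwrap implementation: it handles ALL, exact host names or addresses, leading-dot domain suffixes (.example.com) and trailing-dot network prefixes (192.168.1.), but not the netmask, EXCEPT or user@host forms, nor backslash line continuation. The service names and addresses in the usage comments are constructed.

```shell
#!/bin/sh
# Added example: evaluate a subset of hosts.allow / hosts.deny semantics.
# Illustrative code, not the libwrap implementation.

# hosts_match SERVICE CLIENT FILE
#   Succeeds (exit 0) when a line "daemon_list : client_list [: ...]" in FILE
#   matches both SERVICE and CLIENT. The first matching line ends the scan.
hosts_match() {
    awk -v svc="$1" -v cli="$2" '
        function pat_match(p, s) {
            if (p == "ALL" || p == s) return 1
            if (substr(p, 1, 1) == "." && length(s) > length(p) &&
                substr(s, length(s) - length(p) + 1) == p) return 1     # .domain suffix
            if (substr(p, length(p)) == "." && substr(s, 1, length(p)) == p) return 1  # net. prefix
            return 0
        }
        function list_match(list, s,    n, i, a) {
            n = split(list, a, ",")
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", a[i])        # trim each list element
                if (pat_match(a[i], s)) return 1
            }
            return 0
        }
        {
            sub(/#.*/, "")                                # drop comments
            if ($0 ~ /^[ \t]*$/) next                     # skip blank lines
            n = split($0, f, ":")
            if (n < 2) next
            if (list_match(f[1], svc) && list_match(f[2], cli)) { found = 1; exit }
        }
        END { exit found ? 0 : 1 }
    ' "$3"
}

# tcpd_decide SERVICE CLIENT ALLOWFILE DENYFILE
#   Prints "allow" or "deny" using the hosts_access search order: the first
#   match in the allow file grants, otherwise the first match in the deny
#   file denies, and a client matched by neither file is granted access.
tcpd_decide() {
    if hosts_match "$1" "$2" "$3"; then
        echo allow
    elif hosts_match "$1" "$2" "$4"; then
        echo deny
    else
        echo allow
    fi
}

# Usage (paths are placeholders): tcpd_decide sshd 192.168.1.20 /etc/hosts.allow /etc/hosts.deny
```

The last branch is the one to remember when writing policy: a service that appears in neither file is open to every client, which is why deny files commonly end with a catch-all line.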
Strong user passwords help defend against attacks involving brute force guessing.
Oracle Solaris has a number of features that can be used to promote strong user passwords. Password length, content, frequency of change, and modification requirements can be set, and a password history can be kept. A password dictionary of passwords to be avoided is provided. Several possible password algorithms are available.
For more information, see the following:
Maintaining Login Control in Oracle Solaris 11.1 Administration: Security Services
Securing Logins and Passwords (Tasks) in Oracle Solaris 11.1 Administration: Security Services
Selected man pages include passwd(1) and crypt.conf(4).
The Pluggable Authentication Module (PAM) framework enables you to coordinate and configure user authentication requirements for accounts, credentials, sessions, and passwords.
The PAM framework enables organizations to customize the user authentication experience as well as account, session, and password management functionality. System entry services such as login and ftp use the PAM framework to ensure that all entry points for the system have been secured. This architecture enables the replacement or modification of authentication modules in the field to secure the system against any newly found weaknesses without requiring changes to any system services that use the PAM framework.
For more information, see the following:
pam.conf(4) man page
Privileges are fine-grained, discrete rights on processes that are enforced in the kernel. Oracle Solaris defines over 80 privileges, ranging from basic privileges like file_read to more specialized privileges like proc_clock_highres. Privileges can be granted to a command, a user, a role, or a system. Many Oracle Solaris commands and daemons run with only those privileges that are required to perform their task. The use of privileges is also called process rights management.
Privilege-aware programs can prevent intruders from gaining more privileges than the program itself uses. Additionally, privileges enable organizations to limit which privileges are granted to services and processes that run on their systems.
For more information, see the following:
Privileges (Overview) in Oracle Solaris 11.1 Administration: Security Services
Using Privileges (Tasks) in Oracle Solaris 11.1 Administration: Security Services
Chapter 2, Developing Privileged Applications, in Developer’s Guide to Oracle Solaris 11 Security
Selected man pages include ppriv(1) and privileges(5).
Remote access attacks can damage a system and a network. Securing network access is necessary in today's Internet environment, and is useful even in WAN and LAN environments.
IP security (IPsec) protects IP packets by authenticating the packets, by encrypting the packets, or by doing both. Oracle Solaris supports IPsec for both IPv4 and IPv6. Because IPsec is implemented well below the application layer, Internet applications can take advantage of IPsec without requiring modifications to their code.
IPsec and its key exchange protocol, IKE, use algorithms from the Cryptographic Framework. Additionally, the Cryptographic Framework provides a softtoken keystore for applications that use the metaslot. When IKE is configured to use the metaslot, organizations have the option of storing the keys on disk, on an attached hardware keystore, or in the softtoken keystore.
When properly administered, IPsec is an effective tool in securing network traffic.
For more information, see the following:
Chapter 6, IP Security Architecture (Overview), in Securing the Network in Oracle Solaris 11.1
Chapter 7, Configuring IPsec (Tasks), in Securing the Network in Oracle Solaris 11.1
Chapter 9, Internet Key Exchange (Overview), in Securing the Network in Oracle Solaris 11.1
Chapter 10, Configuring IKE (Tasks), in Securing the Network in Oracle Solaris 11.1
Selected man pages include ipsecconf(1M) and in.iked(1M).
The Secure Shell feature of Oracle Solaris enables users or services to access or transfer files between remote systems over an encrypted communications channel. In Secure Shell, all network traffic is encrypted. Secure Shell can also be used as an on-demand virtual private network (VPN) that can forward X Window system traffic or can connect individual port numbers between a local system and remote systems over an authenticated and encrypted network link.
Thus, Secure Shell prevents a would-be intruder from being able to read an intercepted communication and prevents an adversary from spoofing the system. By default, Secure Shell is the only active remote access mechanism on a newly installed system.
For more information, see the following:
Chapter 15, Using Secure Shell, in Oracle Solaris 11.1 Administration: Security Services
Selected man pages include ssh(1), sshd(1M), sshd_config(4), and ssh_config(4).
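Because Secure Shell is the only remote access path on a fresh install, its server configuration deserves a check. The following is an added example for this page, not Oracle or OpenSSH code: a POSIX sh/awk reader for sshd_config that honours two rules that trip people up, namely that the daemon uses the first value it finds for a keyword, and that directives after a Match line apply only conditionally. The set of keywords and the values they are checked against form a constructed policy for the example; the "Keyword=value" spelling and multi-word values are not handled (only the first word of a value is returned).

```shell
#!/bin/sh
# Added example: read the effective global value of sshd_config keywords and
# check a small constructed policy. Not Oracle's or OpenSSH's code.

# sshd_config_get FILE KEYWORD
#   Prints the first word of the first (i.e. effective) global value of KEYWORD.
#   Keywords are matched case-insensitively; the scan stops at the first
#   "Match" line because everything after it is conditional.
sshd_config_get() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/#.*/, "") }                     # strip comments, refields $0
        NF < 2 { next }
        tolower($1) == "match" { exit }        # end of the global section
        tolower($1) == key { print $2; exit }  # first value wins
    ' "$1"
}

# check_sshd_config FILE
#   Prints one line per checked keyword: "OK|FAIL|UNSET <Keyword> <value>".
#   UNSET means the daemon default applies (what that is depends on the
#   shipped sshd_config), which is worth confirming rather than assuming.
check_sshd_config() {
    f=$1
    # Constructed policy: keyword:expected-value
    for spec in PermitRootLogin:no PermitEmptyPasswords:no \
                PasswordAuthentication:no Protocol:2; do
        key=${spec%%:*}; want=${spec#*:}
        have=$(sshd_config_get "$f" "$key")
        if [ -z "$have" ]; then status=UNSET
        elif [ "$have" = "$want" ]; then status=OK
        else status=FAIL
        fi
        printf '%s %s %s\n' "$status" "$key" "${have:--}"
    done
}

# Usage (path is a placeholder): check_sshd_config /etc/ssh/sshd_config
```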
The Kerberos feature of Oracle Solaris enables single sign-on and secure transactions, even over heterogeneous networks that run the Kerberos service.
Kerberos is based on the Kerberos V5 network authentication protocol that was developed at the Massachusetts Institute of Technology (MIT). The Kerberos service is a client-server architecture that provides secure transactions over networks. The service offers strong user authentication, as well as integrity and privacy. Using the Kerberos service, you can log in once and access other systems, execute commands, exchange data, and transfer files securely. Additionally, the service enables administrators to restrict access to services and systems.
For more information, see the following:
Part VI, Kerberos Service, in Oracle Solaris 11.1 Administration: Security Services
Selected man pages include kerberos(5) and kinit(1).
The role-based access control (RBAC) feature of Oracle Solaris controls user access to tasks that would normally be restricted to the root role. By applying security attributes to processes and to users, RBAC can distribute administrative rights among several administrators. RBAC is also called user rights management.
RBAC applies the security principle of least privilege by enabling organizations to selectively grant administrative rights to users or roles according to their unique needs and requirements.
For more information, see the following:
Selected man pages include rbac(5), roleadd(1M), profiles(1), and user_attr(4).
The Service Management Facility (SMF) feature of Oracle Solaris is used to add, remove, configure, and manage services. SMF uses RBAC to control access to service management functions on the system. In particular, SMF uses authorizations to determine who can manage a service and what functions that person can perform.
SMF enables organizations to control access to services, as well as to control how those services are started, stopped, and refreshed.
For more information, see the following:
Chapter 1, Managing Services (Overview), in Managing Services and Faults in Oracle Solaris 11.1
Chapter 2, Managing Services (Tasks), in Managing Services and Faults in Oracle Solaris 11.1
Selected man pages include svcadm(1M), svcs(1), and smf(5).
ZFS is the default file system for Oracle Solaris 11. The ZFS file system fundamentally changes the way Oracle Solaris file systems are administered. ZFS is robust, scalable, and easy to administer. Because file system creation in ZFS is lightweight, you can easily establish quotas and reserved space. UNIX permissions and ACEs protect files, and you can encrypt the entire dataset at creation. RBAC supports the delegated administration of ZFS datasets.
For more information, see the following:
The Oracle Solaris Zones software partitioning technology enables you to maintain the one-application-per-server deployment model while simultaneously sharing hardware resources.
Zones are virtualized operating environments that enable multiple applications to run in isolation from each other on the same physical hardware. This isolation prevents processes that run within a zone from monitoring or affecting processes that run in other zones, viewing each other's data, or manipulating the underlying hardware. Zones also provide an abstraction layer that separates applications from physical attributes of the system on which they are deployed, such as physical device paths and network interface names. In Oracle Solaris 11, you can configure a read-only zone root.
For more information, see the following:
Selected man pages include brands(5), zoneadm(1M), and zonecfg(1M).
The Trusted Extensions feature of Oracle Solaris is an optionally enabled layer of secure labeling technology that enables data security policies to be separated from data ownership. Trusted Extensions supports both traditional discretionary access control (DAC) policies based on ownership and label-based mandatory access control (MAC) policies. Unless the Trusted Extensions layer is enabled, all labels are equal, so the kernel does not enforce the MAC policies. When the label-based MAC policies are enabled, all data flows are restricted based on a comparison of the labels associated with the processes (subjects) requesting access and the objects containing the data. Unlike most other multilevel operating systems, Trusted Extensions includes a multilevel desktop.
Trusted Extensions meets the requirements of the Common Criteria Labeled Security Protection Profile (LSPP), the Role-Based Access Protection Profile (RBACPP) and the Controlled Access Protection Profile (CAPP). However, the Trusted Extensions implementation is unique in its ability to provide high assurance, while maximizing compatibility and minimizing overhead.
For more information, see the following:
For information about configuring and maintaining Trusted Extensions, see Trusted Extensions Configuration and Administration.
For information about using the multilevel desktop, see Trusted Extensions User’s Guide.
Selected man pages include trusted_extensions(5) and labeld(1M).
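The label comparison at the heart of the MAC policy described above, as an added example in POSIX sh. This is illustrative code for this page, not Trusted Extensions' labeld or its label_encodings: the label syntax (CLASS:comp1,comp2), the classification ordering and the example labels are all constructed, and the access rules shown are the textbook ones (read allowed when the subject's label dominates the object's; write allowed only at an equal label, which is the strict choice assumed here). The rules Trusted Extensions actually applies to each object type are in the guides cited above.

```shell
#!/bin/sh
# Added example: label dominance and a simple MAC read/write decision.
# Constructed label syntax: CLASSIFICATION[:COMPARTMENT,...], e.g. SECRET:A,B
# Not the Trusted Extensions implementation; the ordering below is made up.

# label_rank CLASSIFICATION -> numeric rank (constructed ordering; a real
# system reads this from its label encodings file). Unknown -> -1.
label_rank() {
    case "$1" in
        PUBLIC)       printf '0\n' ;;
        CONFIDENTIAL) printf '1\n' ;;
        SECRET)       printf '2\n' ;;
        TOP_SECRET)   printf '3\n' ;;
        *)            printf -- '-1\n' ;;
    esac
}

# dominates A B -> exit 0 when label A dominates label B, i.e. when
# rank(class(A)) >= rank(class(B)) and every compartment of B is also in A.
dominates() {
    ca=${1%%:*}; cb=${2%%:*}
    case "$1" in *:*) comps_a=${1#*:} ;; *) comps_a= ;; esac
    case "$2" in *:*) comps_b=${2#*:} ;; *) comps_b= ;; esac
    [ "$(label_rank "$ca")" -ge "$(label_rank "$cb")" ] || return 1
    old_ifs=$IFS; IFS=,
    for c in $comps_b; do
        found=0
        for d in $comps_a; do [ "$c" = "$d" ] && found=1; done
        if [ "$found" -ne 1 ]; then IFS=$old_ifs; return 1; fi
    done
    IFS=$old_ifs
    return 0
}

# mac_read SUBJECT OBJECT  -> "allow" when the subject dominates the object
# mac_write SUBJECT OBJECT -> "allow" only when the two labels are equal
#   (write-equal; chosen here to avoid information flowing downward)
mac_read()  { if dominates "$1" "$2"; then echo allow; else echo deny; fi; }
mac_write() { if [ "$1" = "$2" ]; then echo allow; else echo deny; fi; }
```

Note how the compartment test makes dominance a partial order: SECRET:A and SECRET:B are incomparable, so a process at either label can neither read nor write the other's data even though the classifications match.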