JavaScript is required to for searching.
Skip Navigation Links
Exit Print View
Oracle Solaris 11 Security Guidelines     Oracle Solaris 11.1 Information Library
search filter icon
search icon

Document Information

Preface

1.  Overview of Oracle Solaris Security

Oracle Solaris Security Protections

Oracle Solaris Security Technologies

Address Space Layout Randomization

Audit Service

BART File Verification

Cryptographic Services

File Permissions and Access Control Entries

Packet Filtering

IP Filter

TCP Wrappers

Passwords and Password Constraints

Pluggable Authentication Module

Privileges in Oracle Solaris

Remote Access

IPsec and IKE

Secure Shell

Kerberos Service

Role-Based Access Control

Service Management Facility

Oracle Solaris ZFS File System

Oracle Solaris Zones

Trusted Extensions

Oracle Solaris 11 Security Defaults

System Access Is Limited and Monitored

Kernel, File, and Desktop Protections Are in Place

Additional Security Features Are in Place

Oracle Solaris 11 Security Evaluation

Site Security Policy and Practice

2.  Configuring Oracle Solaris Security

3.  Monitoring and Maintaining Oracle Solaris Security

A.  Bibliography for Oracle Solaris Security

Oracle Solaris 11 Security Defaults

After installation, Oracle Solaris protects the system from intrusion and monitors login attempts, among other security features.

System Access Is Limited and Monitored

Initial user and root role accounts – The initial user account can log in from the console. This account is assigned the root role. The password for the two accounts is initially identical.

Password requirements – User passwords must be at least six characters long, and have at least two alphabetic characters and one non-alphabetic character. Passwords are hashed by using the SHA256 algorithm. When changing their password, all users including the root role must conform to these password requirements.

Limited network access – After installation, the system is protected from intrusion over the network. Remote login by the initial user is allowed over an authenticated, encrypted connection with the ssh protocol. This is the only network protocol that accepts incoming packets. The ssh key is wrapped by the AES128 algorithm. With encryption and authentication in place, the user can reach the system without interception, modification, or spoofing.

Recorded login attempts – The audit service is enabled for all login/logout events (login, logout, switching user, starting and stopping an ssh session, and screen locking) and for all non-attributable (failed) logins. Because the root role cannot log in, the name of the user who is acting as root can be traced in the audit trail. The initial user can review the audit logs by a right granted through the System Administrator rights profile.

Kernel, File, and Desktop Protections Are in Place

After the initial user is logged in, the kernel, file systems, and desktop applications are protected by least privilege, permissions, and role-based access control (RBAC).

Kernel protections – Many daemons and administrative commands are assigned just the privileges that enable them to succeed. Many daemons are run from special administrative accounts that do not have root (UID=0) privileges, so they cannot be hijacked to perform other tasks. These special administrative accounts cannot log in. Devices are protected by privileges.

File systems – By default, all file systems are ZFS file systems. The user's umask is 022, so when a user creates a new file or directory, only the user is allowed to modify it. Members of the user's group are allowed to read and search the directory, and read the file. Logins that are outside the user's group can list the directory and read the file. The directory permissions are drwxr-xr-x (755). The file permissions are -rw-r--r-- (644).

Desktop applets – Desktop applets are protected by RBAC. For example, only the initial user or the root role can use the Package Manager applet to install new packages. The Package Manager is not displayed to regular users who are not assigned the rights to use it.

Additional Security Features Are in Place

Oracle Solaris 11 provides security features that can be used to configure your systems and users to satisfy site security requirements.