Transitioning From Oracle Solaris 10 to Oracle Solaris 11.1 (Oracle Solaris 11.1 Information Library)
Oracle Solaris 11 introduces the following key security changes:
Address Space Layout Randomization (ASLR) – Starting with Oracle Solaris 11.1, ASLR randomizes addresses that are used by a given binary. Certain types of attacks that depend on knowing the exact location of certain memory ranges fail under ASLR, and the attempt is detected when it stops the executable, which is the likely outcome. Use the sxadm command to configure ASLR. Use the elfedit command to change the tagging on a binary. See sxadm(1M) and elfedit(1).
Administrative Editor – Starting with Oracle Solaris 11.1, you can use the pfedit command to edit system files. If defined by the system administrator, the value of this editor is $EDITOR. If undefined, the editor defaults to the vi command. Start the editor as follows:
$ pfedit system-filename
See the pfedit(1M) man page and Chapter 3, Controlling Access to Systems (Tasks), in Oracle Solaris 11.1 Administration: Security Services.
Auditing – Auditing is now a service and is enabled by default. No reboot is required when disabling or enabling this service. The auditconfig command is used to view information about audit policy and to change audit policy. The auditing of public objects generates less noise in the audit trail. In addition, auditing of non-kernel events has no performance impact.
For information about creating a ZFS file system for audit files, see How to Create ZFS File Systems for Audit Files in Oracle Solaris 11.1 Administration: Security Services.
Audit Remote Server (ARS) – ARS is a feature that receives and stores audit records from a system that is being audited and is configured with an active audit_remote plug-in. To distinguish an audited system from an ARS, the audited system can be termed the locally audited system. This feature is new in Oracle Solaris 11.1. Refer to the information about the -setremote option in the auditconfig(1M) man page.
Basic Audit Reporting Tool (BART) – The default hash that is used by BART is now SHA256, not MD5. In addition to SHA256 being the default, you can also select the hash algorithm. See Chapter 6, Verifying File Integrity by Using BART (Tasks), in Oracle Solaris 11.1 Administration: Security Services.
Cryptographic Framework – This feature now includes more algorithms, mechanisms, plug-ins, and support for Intel and SPARC T4 hardware acceleration. Also, Oracle Solaris 11 provides better alignment with the NSA Suite B cryptography.
Kerberos DTrace providers – A new DTrace USDT provider that provides probes for Kerberos messages (Protocol Data Unit) has been added. The probes are modeled after the Kerberos message types that are described in RFC4120.
Key Management enhancements:
PKCS#11 keystore support for RSA keys in the Trusted Platform Module
PKCS#11 access to Oracle Key Manager for centralized enterprise key management
lofi command changes – lofi now supports the encryption of block devices. See lofi(7D).
profiles command changes – In Oracle Solaris 10, the command is only used to list profiles for a specific user or role, or a user's privileges for specific commands. In Oracle Solaris 11, you can also create and modify profiles in files and in LDAP by using the profiles command. See profiles(1).
sudo command – The sudo command is new in Oracle Solaris 11. This command generates Oracle Solaris audit records when running commands. The command also drops the proc_exec basic privilege, if the sudoers command entry is tagged as NOEXEC.
ZFS file system encryption – ZFS file system encryption is designed to keep your data secure. See Encrypting ZFS File Systems.
rstchown property – The rstchown tunable parameter that is used in previous releases to restrict chown operations is now a ZFS file system property, rstchown, and is also a general file system mount option. See Oracle Solaris 11.1 Administration: ZFS File Systems and mount(1M).
If you attempt to set this obsolete parameter in the /etc/system file, the following message is displayed:
sorry, variable 'rstchown' is not defined in the 'kernel'
The following network security features are supported:
Internet Key Exchange (IKE) and IPsec – IKE now includes more Diffie-Hellman groups and can also use Elliptic Curve Cryptography (ECC) groups. IPsec includes AES-CCM and AES-GCM modes and is now capable of protecting network traffic for the Trusted Extensions feature of Oracle Solaris (Trusted Extensions).
IPfilter Firewall – IPfilter Firewall, which is similar to the open source IPfilter feature, is compatible, manageable, and now highly integrated with SMF. This feature enables selective access to ports, based on IP address.
Kerberos – Kerberos is now capable of mutual authentication of clients and servers. Also, support for initial authentication by using X.509 certificates with the PKINIT protocol has been introduced. See Part VI, Kerberos Service, in Oracle Solaris 11.1 Administration: Security Services.
Secure by Default – In Oracle Solaris 10, this feature was introduced, but was netservices limited and was also turned off by default. In Oracle Solaris 11, this feature is enabled. The Secure by Default feature is used to disable and protect several network services from attack and provides minimization of network exposure. Note that only SSH is enabled.
SSH – Support for host and user authentication by using X.509 certificates is now available.
The following Pluggable Authentication Module (PAM) changes are introduced:
Module to enable per-user PAM stacks – Enables you to configure the PAM authentication policy on a per-user basis, when used in conjunction with the new RBAC pam_policy key (user_attr(4)). The default pam.conf file has also been updated to enable you to use this feature by specifying the pam_policy in a user's extended attributes or in a profile that is assigned to a user. For example:
# usermod -K pam_policy=krb5_only username
See pam_user_policy(5).
PAM configuration in /etc/pam.d – Adds support for configuring PAM by using per-service files. As a result, the contents of the /etc/pam.conf file have been migrated to multiple files within the /etc/pam.d/ directory, based on the relevant PAM service name. This mechanism is now the method for configuring PAM in Oracle Solaris and is the default method that is used for all new installations. The /etc/pam.conf file is still consulted, so any existing or new changes that are made to this file continue to be recognized.
If you have never edited the /etc/pam.conf file, the file only contains comments that direct you to the per-service equivalents in the /etc/pam.d/ directory. If you previously edited the /etc/pam.conf file, for example, to enable LDAP or Kerberos, a new file named /etc/pam.conf.new is delivered with the changes you made. See pam.conf(4).
definitive flag added to pam.conf – The pam.conf file now includes the definitive control_flag. See pam.conf(4).
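Because /etc/pam.conf is still consulted after the move to /etc/pam.d, it is worth checking which services still have active legacy entries and what their per-service equivalents would be. The following is an added example, not Oracle code: it splits pam.conf text into /etc/pam.d-style stacks (the same lines without the leading service name) and reports entries with an unrecognized module type or control flag. The function names and the sample entries are constructed for illustration, and the parser assumes lowercase fields and no continuation lines.

```python
# Added example (not Oracle code): split legacy pam.conf text into per-service stacks.
MODULE_TYPES = {"auth", "account", "session", "password"}
# Control flags from pam.conf(4); "definitive" is the flag added in this release.
CONTROL_FLAGS = {"binding", "definitive", "include", "optional",
                 "required", "requisite", "sufficient"}

# Constructed sample of an edited /etc/pam.conf (Kerberos added to login).
SAMPLE_PAM_CONF = """\
# legacy entries carried over from an upgrade
login  auth definitive  pam_user_policy.so.1
login  auth requisite   pam_authtok_get.so.1
login  auth sufficient  pam_krb5.so.1
login  auth required    pam_unix_auth.so.1
other  account required pam_unix_account.so.1   # fallback service
cron   account mandatory pam_unix_account.so.1
ppp    auth required
"""

def split_pam_conf(text):
    """Return ({service: [pam.d-style lines]}, [(lineno, problem)])."""
    per_service, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if not fields:
            continue
        if len(fields) < 4:
            problems.append((lineno, "expected service, type, flag, module"))
            continue
        service, mtype, flag, rest = fields[0], fields[1], fields[2], fields[3:]
        if mtype not in MODULE_TYPES:
            problems.append((lineno, "unknown module type: " + mtype))
        elif flag not in CONTROL_FLAGS:
            problems.append((lineno, "unknown control flag: " + flag))
        else:
            # /etc/pam.d/<service> lines omit the leading service name
            per_service.setdefault(service, []).append(" ".join([mtype, flag] + rest))
    return per_service, problems

def pam_d_layout(per_service, root="/etc/pam.d"):
    """Map each service to the per-service file path and its contents."""
    return {root + "/" + svc: "\n".join(lines) + "\n"
            for svc, lines in per_service.items()}

if __name__ == "__main__":
    stacks, issues = split_pam_conf(SAMPLE_PAM_CONF)
    for path, body in sorted(pam_d_layout(stacks).items()):
        print("==> " + path + "\n" + body)
    for lineno, problem in issues:
        print("pam.conf line %d: %s" % (lineno, problem))
```

Any service that appears in the result still has live legacy policy in /etc/pam.conf and should be reviewed against its /etc/pam.d file.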
The following security features are excluded from Oracle Solaris 11:
Automated Security Enhancement Tool (ASET) – The ASET functionality is replaced by a combination of IPfilter, which includes svc.ipfd, BART, SMF, and other security features that are supported in Oracle Solaris 11.
Smartcard – Smartcard support is no longer available.