This article presents a high-level introduction to new Oracle Solaris 11 security features and enhancements in the following five areas:
The sections below summarize what is new or changed in these areas, and how these new features can help you build a more comprehensive security architecture from an applications development perspective.
Host and application security enhancements range from new and enhanced features for access control, privilege management, and service management capabilities.
Oracle Solaris 11 has extended the existing least-privilege and Role Based Access Control (RBAC) features by introducing Root as a Role and Enhanced
pfexecis used to execute administrative commands requiring a higher privilege level. A new process flag is used to specify that all subsequent program executions be subject to RBAC policy. The flag is set at the first invocation of any of the complete set of profile shells
pfexec(1) and inherited by child processes. This feature eliminates the need for applications to modify shell scripts to invoke
pfexecor profile shells. Another application of this feature is to limit the set of privileges given to programs with
setuidto root. Processes that require the
setuidmechanism traditionally ran with all privileges. Now they execute with only those privileges that are specified in their entry in the Forced Privileges rights profile, significantly reducing their potential to be an attack vector against the system.
Additionally, Oracle Solaris 11 has added three new "basic" privileges (
net_access) beyond the five that exist in Oracle Solaris 10. These new privileges satisfy several applications development needs for restricting read, write, and outbound network access.
The RBAC delegation feature in Oracle Solaris 11 is much more complete than what is available in competitive systems. The policy is that a user can only delegate what he/she currently has. This policy applies to role, group, and profile membership, as well as to individual authorizations and privileges. It facilitates true separation of duty through authorizations of delegation in user and password management tools.
The new Stop profile enables sandboxing user accounts, limiting default profiles, and authorizations.
The Service Management Facility (SMF) in Oracle Solaris 11 has added several features that contribute to securing applications:
ipfiltercapabilities for configuring and deploying host/service based firewalling. SMF supports setting properties for
ipfilterconfiguration and also allows using a pre-populated configuration for deploying custom policies.
Oracle Solaris 11 introduces several improvements to Kerberos services, which include:
The Oracle Solaris 11 Image Packaging System (IPS) introduced the notion of signed IPS packages that allow signing of packages, verifying package signatures, and setting signature policies for determining what checks need to be performed regarding the validity of the signature and certificate attributes.
Oracle Solaris 11 is delivered in a "secure by default" environment configuration, which is designed to minimize external network attacks. By default, no network services except
sshd are enabled to accept network traffic. Other enabled network services listen internally for requests within the Oracle Solaris 11 instance. This ensures that all network services are disabled by default or are set to listen for local system communications only.
Oracle Solaris 11 Zones technology adds the capability to create one or more virtualized and dedicated network stacks per zone using features called Exclusive IP Stacks and Network Virtualization. These features allow network administrators to create fine-grained network security policies on a per-zone basis. Examples of configurations include:
The zone administration capability in Oracle Solaris 11 has also been extended to facilitate delegated zone administration, allowing the specification of users and roles that can act as administrators for each zone.
To meet more stringent government standards, the Oracle Solaris Cryptographic Framework now supports the NSA Suite B algorithms.
The Oracle Solaris Cryptographic Framework can fully leverage hardware-assisted cryptographic acceleration provided by Oracle T-series processors, Intel Westmere (AES-NI), and PKCS#11-based third-party Hardware Security Modules (HSMs).
The Oracle Solaris 11 bundled OpenSSL has added newer features to enable OpenSSL Dynamic Engine support, which allows third-party vendors to plug in their own engine implementations. FIPS Object Module support has also been added, allowing FIPS-140-2 validated OpenSSL engines to be used in FIPS mode.
To help with complex key management tasks associated with bulk encryption, the Oracle Solaris Cryptographic Framework provides a plug-in (pkcs11_kms) for Oracle Key Management System. This mechanism can be used by any PKCS#11-aware applications.
Oracle Solaris 11 introduced Trusted Platform Module (TPM) support per Trusted Computing Group (TCG) specifications for TPM devices. With this support, Oracle Solaris can leverage TPM chips available on most system motherboards to provide secure storage of cryptographic keys intended for supporting encryption operations. TPM can be used as a PKCS#11 keystore for supporting application-level encryption operations on both SPARC and x86/x64 platforms.
Oracle Solaris 11 has introduced encryption support for Oracle Solaris ZFS, including the following features:
The ZFS data sets in a zone can now also be protected with an additional layer of Mandatory Write Access. This is configured using the
file-mac-profile option in the zone's configuration and selecting one of the predefined profiles.
LOFI administration utility (
lofiadm) now allows a file to be presented as a block device and provides the ability to encrypt all the blocks written to a file.
Oracle Solaris 10 introduced Trusted Extensions as a special configuration for enabling multi-level security environment. It is enforced as labels through Mandatory Access Controls (MAC). With the release of Oracle Solaris 11, Trusted Extensions has several improvements, which include:
mlslabelfeature. This feature ensures that ZFS file systems for a specific security label cannot be mounted on a zone of a different label and thus inadvertently upgrade or downgrade the data.
With the release of Oracle Solaris 11, Oracle reinforces its commitment to security with an enhanced set of new security features and improvements. These new security features and improvements enable you to build and deploy secure applications that can adapt to emerging security threats and meet evolving security standards.
|Revision 1.1, 09/19/2011|