Oracle Solaris 11 Security: What's New For Developers

September 2011

Ramesh Nagappan

Contents:

• Host and Application-Level Security
  • Access Control
  • File Access Privileges
  • Service Management Facility (SMF)
  • Kerberos Services
  • Oracle Solaris 11 Image Packaging System (IPS)
• Network and Communication Security
• High Performance Cryptography Services
  • Trusted Platform Module (TPM) Support
• Securing Data at Rest
• Multi-Level Security With Trusted Extensions
• Summary

This article presents a high-level introduction to new Oracle Solaris 11 security features and enhancements in the following five areas:

• Host and application-level security
• Network and communication security
• High-performance cryptography services
• Securing data at rest
• Multi-level security with Oracle Solaris Trusted Extensions

The sections below summarize what is new or changed in these areas, and how these new features can help you build a more comprehensive security architecture from an applications development perspective.

Host and Application-Level Security

Host and application security enhancements range from new and enhanced features for access control, privilege management, and service management capabilities.

Access Control

Oracle Solaris 11 has extended the existing least-privilege and Role Based Access Control (RBAC) features by introducing Root as a Role and Enhanced pfexec.

• With Root as a Role, the root account on Oracle Solaris 11 is now a role by default. Only authorized users can assume the root role rather than directly logging into a root user account. This allows authorized non-root users to complete tasks with super-user privileges. Privileged actions can be easily attributed to the users who actually invoked it using Oracle Solaris Auditing. At each user login, a unique audit session ID is generated and associated with the user's process. When a user switches to another user, all user actions are tracked with the same audit user ID. This feature helps in application environments where several administrators share the root password causing security and accountability issues.
• Enhanced pfexec is used to execute administrative commands requiring a higher privilege level. A new process flag is used to specify that all subsequent program executions be subject to RBAC policy. The flag is set at the first invocation of any of the complete set of profile shells pfsh(1), pfcsh(1), pfksh(1), pfksh93(1), pfbash(1), pftcsh(1), pfzsh(1), pfexec(1) and inherited by child processes. This feature eliminates the need for applications to modify shell scripts to invoke pfexec or profile shells. Another application of this feature is to limit the set of privileges given to programs with setuid to root. Processes that require the setuid mechanism traditionally ran with all privileges. Now they execute with only those privileges that are specified in their entry in the Forced Privileges rights profile, significantly reducing their potential to be an attack vector against the system.

File Access Privileges

Additionally, Oracle Solaris 11 has added three new "basic" privileges (file_read, file_write, and net_access) beyond the five that exist in Oracle Solaris 10. These new privileges satisfy several applications development needs for restricting read, write, and outbound network access.

The RBAC delegation feature in Oracle Solaris 11 is much more complete than what is available in competitive systems. The policy is that a user can only delegate what he/she currently has. This policy applies to role, group, and profile membership, as well as to individual authorizations and privileges. It facilitates true separation of duty through authorizations of delegation in user and password management tools.

The new Stop profile enables sandboxing user accounts, limiting default profiles, and authorizations.

Service Management Facility (SMF)

The Service Management Facility (SMF) in Oracle Solaris 11 has added several features that contribute to securing applications:

• Introduced the ability to notify administrators of service state transitions and fault management traps via SNMP traps or e-mail messages.
• With SMF, application processes can be assigned with privileges during startup and then privileges can be released after startup. This helps enforce security on exposures associated with starting applications as root.
• SMF integrates ipfilter capabilities for configuring and deploying host/service based firewalling. SMF supports setting properties for ipfilter configuration and also allows using a pre-populated configuration for deploying custom policies.

Kerberos Services

Oracle Solaris 11 introduces several improvements to Kerberos services, which include:

• Zero-configuration Kerberos client through DNS and Oracle Solaris Pluggable Authentication Module (PAM) as well as Microsoft Active Directory cooperation for better interoperability with Windows clients and proper mapping of UNIX users and groups to Active Directory entities.
• PKINIT support that allows users performing initial authentication using public-key cryptography.

Oracle Solaris 11 Image Packaging System (IPS)

The Oracle Solaris 11 Image Packaging System (IPS) introduced the notion of signed IPS packages that allow signing of packages, verifying package signatures, and setting signature policies for determining what checks need to be performed regarding the validity of the signature and certificate attributes.

Network and Communication Security

Oracle Solaris 11 is delivered in a "secure by default" environment configuration, which is designed to minimize external network attacks. By default, no network services except sshd are enabled to accept network traffic. Other enabled network services listen internally for requests within the Oracle Solaris 11 instance. This ensures that all network services are disabled by default or are set to listen for local system communications only.

Oracle Solaris 11 Zones technology adds the capability to create one or more virtualized and dedicated network stacks per zone using features called Exclusive IP Stacks and Network Virtualization. These features allow network administrators to create fine-grained network security policies on a per-zone basis. Examples of configurations include:

• Zone-specific IP routing, DHCPv4, and IPv6 stateless address configuration
• IP filter and NAT configurations
• MAC, DHCP, and IP anti-spoofing functionality
• IPSEC and IKE automating the provisioning of authenticating key material for IPSEC security associations

The zone administration capability in Oracle Solaris 11 has also been extended to facilitate delegated zone administration, allowing the specification of users and roles that can act as administrators for each zone.

• This delegation allows restricting access to non-global zones from the global zone. Individual authorizations for users and roles can now be specified on a per-zone basis.
• The delegated zone administration also supports per-user and per-zone authorizations restricting zone logins, cloning, and management.

High Performance Cryptography Services

To meet more stringent government standards, the Oracle Solaris Cryptographic Framework now supports the NSA Suite B algorithms.

• IPSEC and ZFS encryption can now use AES in CCM/GCM modes.
• IKE can now also use Elliptic Curve Cryptography (ECC) in addition to RSA and DSA for key exchange.

The Oracle Solaris Cryptographic Framework can fully leverage hardware-assisted cryptographic acceleration provided by Oracle T-series processors, Intel Westmere (AES-NI), and PKCS#11-based third-party Hardware Security Modules (HSMs).

• Both Java and non-Java applications can delegate SSL/TLS and WS-Security tasks involved with compute-intensive public-key encryption, bulk-encryption, and digest operations to hardware via Java PKCS#11 provider.
• The Oracle Solaris Cryptographic Framework provides the mechanisms to support delegating database encryption operations (AES CFB mode) to Oracle T-series processors or Intel Westmere (AES-NI) processors in database servers. This hardware-assisted encryption can be used to enhance Oracle Database performance with Transparent Data Encryption (TDE) for column-level and tablespace encryption.

The Oracle Solaris 11 bundled OpenSSL has added newer features to enable OpenSSL Dynamic Engine support, which allows third-party vendors to plug in their own engine implementations. FIPS Object Module support has also been added, allowing FIPS-140-2 validated OpenSSL engines to be used in FIPS mode.

• The Oracle Solaris OpenSSL pkcs11 engine will automatically leverage hardware assisted cryptographic acceleration support provided by Oracle T-series processors and Intel Westmere (AES-NI) processors.

To help with complex key management tasks associated with bulk encryption, the Oracle Solaris Cryptographic Framework provides a plug-in (pkcs11_kms) for Oracle Key Management System. This mechanism can be used by any PKCS#11-aware applications.

Trusted Platform Module (TPM) Support

Oracle Solaris 11 introduced Trusted Platform Module (TPM) support per Trusted Computing Group (TCG) specifications for TPM devices. With this support, Oracle Solaris can leverage TPM chips available on most system motherboards to provide secure storage of cryptographic keys intended for supporting encryption operations. TPM can be used as a PKCS#11 keystore for supporting application-level encryption operations on both SPARC and x86/x64 platforms.

Securing Data at Rest

Oracle Solaris 11 has introduced encryption support for Oracle Solaris ZFS, including the following features:

• ZFS encryption protects data on physical storage by defending against unauthorized access, man-in-the-middle attacks, and data theft on SAN and local disks. All data and file system metadata is encrypted with a comprehensive encryption key management facility.
• ZFS data sets, volumes (ZVOLS), and file systems can be encrypted.
• Users can be delegated the ability to load and/or change their key encrypting keys (wrapping keys) at any time. The user may choose to store the wrapping key in a file, passphrase, or PKCS#11 keystore (supporting centralized key management via Oracle Key Manager) or on an HTTPS URL.
• ZFS encryption uses Oracle Solaris Cryptographic Framework and automatically benefits from using hardware-assisted cryptographic acceleration provided by Oracle T-series processors and Intel Westmere (AES-NI) processors.
• ZFS encryption also provides support for assured deletion via key destruction.

The ZFS data sets in a zone can now also be protected with an additional layer of Mandatory Write Access. This is configured using the file-mac-profile option in the zone's configuration and selecting one of the predefined profiles.

LOFI administration utility (lofiadm) now allows a file to be presented as a block device and provides the ability to encrypt all the blocks written to a file.

Multi-Level Security With Trusted Extensions

Oracle Solaris 10 introduced Trusted Extensions as a special configuration for enabling multi-level security environment. It is enforced as labels through Mandatory Access Controls (MAC). With the release of Oracle Solaris 11, Trusted Extensions has several improvements, which include:

• Trusted Extensions bases its desktop and windowing system on GNOME and Xorg X11. The GNOME Display Manager provides access to multilevel desktop sessions. The use of the XACE extension to implement the Trusted Extensions security policy enables Oracle to stay in sync with the upstream Xorg X11 community. Additionally, all user activity is subject to the policy specified in their Rights Profiles.
• Trusted Extensions now enables per-label and per-user credentials. This feature enables the administrator to require a unique password for each label. This password is in addition to the session login password, enabling the administrator to set a per-zone encryption key for each label of every user's home directory.
• Trusted Extensions has been enhanced to explicitly set Security Labels on ZFS data sets. When Trusted Extensions labeling is configured, ZFS file systems are now automatically labeled with the new mlslabel feature. This feature ensures that ZFS file systems for a specific security label cannot be mounted on a zone of a different label and thus inadvertently upgrade or downgrade the data.
• The Trusted Extensions environment now supports labeled IPSEC/IKE for labeled communications by transferring data within separate labeled IPSEC security associations. This removes the need for redundant and expensive physical network infrastructures and ensures that the labeled processes in a multilevel security environment communicate across system boundaries with the traffic labeled and protected.

Summary

With the release of Oracle Solaris 11, Oracle reinforces its commitment to security with an enhanced set of new security features and improvements. These new security features and improvements enable you to build and deploy secure applications that can adapt to emerging security threats and meet evolving security standards.