Oracle Solaris Security for System Administrators

The Oracle Solaris 10 Operating System provides unmatched enterprise-class features for creating a secure platform for your applications. User and Process Rights Management work in conjunction with Solaris Containers to let you securely host thousands of applications and multiple customers on the same system. Security administrators can minimize and harden Oracle Solaris even better than before to implement a secure foundation for deploying services. Solaris Trusted Extensions is a standard part of Oracle Solaris and allows customers who have specific regulatory or information protection requirements to take advantage of labeling features previously only available in highly specialized operating systems or appliances. The Solaris Cryptographic Framework allows applications to speed crypto operations by transparently using built-in hardware acceleration found on many Oracle Sun systems and third party add-in cards.

Why Oracle Solaris Security?

  • Enable the strong mandatory access controls required by governments and financial institutions using Solaris Trusted Extensions
  • Verify the integrity of your system using built-in file signature protection
  • Reduce risk by granting only the privileges needed with User and Process Rights Management
  • Simplify administration by using the open standards-based Solaris Cryptographic and Key Management Frameworks for file and network encryption
  • Protect your system against attack using the Secure By Default networking profile, IP Filter firewall, TCP Wrappers and IPsec/IKE encryption.

Oracle Solaris Security Features

File Integrity and Secure Execution

System administrators can detect possible attacks on their systems by monitoring for changes to file information. In the Oracle Solaris 10 OS, binaries are digitally signed, so administrators can track changes easily, and all patches or enhancements are embedded with digital signatures, eliminating the false positives associated with upgrading or patching file integrity-checking software.

The Oracle Solaris 10 OS also introduces the Basic Audit and Reporting Tool (BART), a file integrity-checking application for data files and customer applications. The BART utility allows a customer to create snapshots of their own data, applications and critical system files and periodically scan for changes to these files. Additionally, the Solaris Fingerprint Database project, previously hosted by Sun on the SunSolve Web site, provides digital fingerprints for all files shipped in the Solaris OS, spanning many previous generations of the operating system. The Solaris Fingerprint Database offers free online verification utilities that allow you to check the integrity of Solaris files on any existing system to ensure that no hacker has modified critical system files. Used individually or together, these file integrity tools provide powerful, flexible ways to monitor for changes to your operating system platform.

User and Process Rights Management

In traditional UNIX platform-based operating systems, applications and users often need administrative access to perform their jobs. However, most implementations offer just one level of higher privilege: root or superuser. This means that any user or application given root access has the ability to make major changes to the operating system—and is typically the target of hacking attempts. The Oracle Solaris 10 OS offers unique User Rights Management (also known as role-based access control, or RBAC) and Process Rights Management (also known as privileges). Together, User and Process Rights Management technologies reduce risks by granting users and applications only the minimum capabilities needed to perform their duties. Unlike other solutions on the market, no application changes are required to take advantage of these security enhancements.

Oracle Solaris also offers protection against 'buffer overflow' attacks as well as an extensive audit trail that can be exported into common XML format for further analysis.

Network Service Protection

The Oracle Solaris 10 OS ships with Solaris IP Filter firewall software preinstalled. This integrated firewall can reduce the number of network services that are exposed to attack and provides protection against maliciously crafted networking packets. Starting in Solaris 10 8/07, the IP Filter firewall can also filter traffic flowing between Solaris Containers when it is configured in the Global Zone. In addition, TCP Wrappers are integrated into the Solaris 10 OS, limiting access to service-based allowed domains.

Oracle Solaris also provides protection against attack through its Secure By Default networking configuration. When configured in this manner, a Solaris 10 system retains a usable GUI interface, can browse the Web, send Email and do other outbound communications. Only the Solaris Secure Shell encrypted remote access method is allowed for inbound communication.

Cryptographic Services and Encrypted Communication

For high-performance, system-wide cryptographic routines, the Solaris Cryptographic Framework adds a standards-based, common API that provides a single point of administration and uniform access to both software and hardware-accelerated, cryptographic functions. The pluggable Solaris Cryptographic Framework can balance loads across accelerators, increasing encrypted network traffic throughput, and it is available to applications written to use Public Key Cryptography Standards (PKCS) #11, Sun Java Enterprise System, NSS, OpenSSL, and Java Cryptographic Extension software.

Starting with Orale Solaris 10 8/07, the Solaris Key Management Framework is introduced to assist in managing digital certificates. The Key Management framework provides a single set of administrative commands for digital certificate creation requests, manipulation and loading across the most common formats.

Oracle Solaris also provides protection against theft of sensitive material by encrypting communications using the IPsec/IKE and Solaris Secure Shell protocols. Solaris IPsec/IKE complies with industry standards to provide encryption of data between two or more systems over the network without any application modification at all. The Solaris Secure Shell protocol is a specific set of utilities that have been modified to allow for encrypted remote access and file transfer between two systems.

Flexible Enterprise Authentication

The Oracle Solaris 10 OS delivers a number of flexible authentication features. At the foundation of Oracle Solaris is support for Pluggable Authentication Mechanism (PAM), which make it possible to add authentication services to Solaris dynamically. Oracle and third-party vendors provide many PAM modules and customers can create their own to meet specific security needs.

The Solaris Kerberos Service delivers Kerberos-enabled remote applications such as rsh, rcp, telnet, Solaris Secure Shell, and NFS file sharing. Kerberos-based protocols allow for enterprise single sign-on (SSO), authorization and encrypted communication.

Lightweight Directory Access Protocol (LDAP) client-side authentication and interoperability enhancements enable enterprise-wide, secure, standards-based authentication to your servers and applications. All Oracle Solaris User and Process Rights management information can also be stored centrally in through the LDAP-based directory server, allowing for centralized management of users and security role definitions.

Local passwords have strong password encryption options, including MD5 and Blowfish, as well as account lockout, password history and complexity checking, and a banned passwords list. By providing strong password encryption, systems are less subject to successful password cracking should a password file ever be lost or stolen.

Repeatable Security Hardening and Monitoring

New features in the Oracle Solaris 10 OS make it easier than ever to minimize and harden a system. The Reduced Networking Metacluster install option creates a minimized Solaris OS image, ready for administrators to add functionality and services in direct support of their system's purpose.

As mentioned previously, Oracle Solaris 10 now includes a Secure By Default networking configuration that disables many unused network services, while configuring all other services for local system-only communications.

The freely available Oracle Solaris Security Toolkit assists in the process of installing and maintaining a minimized and hardened operating system security configuration. The Toolkit also includes an audit mechanism to compare a running system configuration against a site-specified hardening profile. In this way, the Toolkit can be used to both verify and enforce compliance with an organization's OS security standards.

Mandatory Access Control and Labeling

If your system requirements include privacy, increased accountability, and reduced risk of security violations, then Solaris Trusted Extensions is for you. A standard part of Oracle Solaris, true multi-level security is available for the first time in a commercial-grade operating system that runs all your existing applications.

Mandatory Access Control is enforced in Trusted Extensions by the use of User and Process Rights Management as well as Solaris Containers, which have an information sensitive label applied to them. Customers can quickly configure new labels, which protect files, networks, applications and users against inappropriate access, without writing complex, error prone security policy files.

Left Curve
System Administrator
Right Curve
Left Curve
Developer and ISVs
Right Curve
Left Curve
Related Products
Right Curve