|Skip Navigation Links|
|Exit Print View|
|Oracle Solaris 11 Security Guidelines Oracle Solaris 11.1 Information Library|
Oracle Solaris provides a solid foundation for company data and applications by protecting data on disk and in transit. Oracle Solaris resource management and Oracle Solaris Zones provide features that separate and protect applications from misuse. This containment, together with least privilege implemented through privileges and the role-based access control (RBAC) feature of Oracle Solaris, reduce the security risk of intruder or regular user actions. Authenticated and encrypted protocols such as IP security (IPsec) provide virtual private networks (VPNs) across the Internet, as well as tunnels within a LAN or a WAN for safe data delivery. Additionally, the auditing feature of Oracle Solaris ensures that records are kept of any activity of interest.
Oracle Solaris 11 security services provide defense in depth by offering layers of protection for the system and the network. Oracle Solaris protects the kernel by limiting, within kernel utilities, what privileged actions the utility can perform. The default network configuration provides data protection on the system and across the wire. IPsec, the IP Filter feature of Oracle Solaris, and Kerberos can provide additional protections.
Oracle Solaris security services include:
Protecting the kernel – Kernel daemons and devices are protected by file permissions and by privileges.
Protecting memory – Address space layout is randomized for userland processes.
Protecting logins – Logins require passwords. Passwords are strongly encrypted. Remote logins are initially limited to an encrypted and authenticated channel through the Secure Shell feature of Oracle Solaris. The root account cannot log in directly.
Protecting data – Data on disk is protected by file permissions. Additional layers of protection can be configured. For example, you can use access control lists (ACLs), place data in a zone, encrypt a file, encrypt an Oracle Solaris ZFS dataset, create a read-only ZFS dataset, and mount file systems so that setuid programs cannot be run and executable files cannot be executed.