Transitioning From Oracle® Solaris 10 to Oracle Solaris 11.2

Exit Print View

Updated: September 2014
 
 

Security Feature Changes

    Note the following key security changes:

  • Address Space Layout Randomization (ASLR) – Starting with Oracle Solaris 11.1, ASLR randomizes addresses that are used by a given binary. ASLR causes certain types of attacks that are based on knowing the exact location of certain memory ranges to fail and detects the attempt when it likely stops the executable. Use the sxadm command to configure ASLR. Use the elfedit command to change the tagging on a binary. See sxadm(1M) and elfedit(1).

  • Administrative Editor – Starting with Oracle Solaris 11.1, you can use the pfedit command to edit system files. If defined by the system administrator, the value of this editor is $EDITOR. If undefined, the editor defaults to the vi command. Start the editor as follows:

    $ pfedit system-filename

    In this release, auditing is on by default. For a secure system, use the interfaces that are always audited when auditing of administrative actions is turned on. Because pfedit use is always audited, it is the preferred command for editing system files. See pfedit (1M) and Chapter 3, Controlling Access to Systems, in Securing Systems and Attached Devices in Oracle Solaris 11.2 .

  • Auditing – Auditing is a service in Oracle Solaris 11 and is enabled by default. No reboot is required when disabling or enabling this service.You use the auditconfig command to view information about audit policy and to change audit policy. The auditing of public objects generates less noise in the audit trail. In addition, auditing of non-kernel events has no performance impact.

    For information about creating a ZFS file system for audit files, see How to Create ZFS File Systems for Audit Files in Managing Auditing in Oracle Solaris 11.2 .

  • Audit Remote Server (ARS) – ARS is a feature that receives and stores audit records from a system that is being audited and is configured with an active audit_remote plug-in. To distinguish an audited system from an ARS, the audited system can be termed the locally audited system. This feature is new in Oracle Solaris 11.1. Refer to the information about the –setremote option in auditconfig (1M) .

  • Compliance assessment – Use the compliance command (new in Oracle Solaris 11.2) to automate compliance assessment, not remediation. You can use the command to list, generate, and delete assessments and reports. See Oracle Solaris 11.2 Security Compliance Guide and compliance (1M) .

  • Basic Audit Reporting Tool (BART) – The default hash that is used by BART is SHA256, not MD5. In addition to SHA256 being the default, you can also select the hash algorithm. See Chapter 2, Verifying File Integrity by Using BART, in Securing Files and Verifying File Integrity in Oracle Solaris 11.2 .

  • cryptoadm command changes – As part of the implementation of the /etc/system.d directory for easier packaging of Oracle Solaris kernel configuration, the cryptoadm command has also been updated to write to files within the this directory rather than the /etc/system file as in previous releases. See cryptoadm (1M) .

  • Cryptographic Framework – This feature includes more algorithms, mechanisms, plug-ins, and support for Intel and SPARC T4 hardware acceleration. Also, Oracle Solaris 11 provides better alignment with the NSA Suite B cryptography. Many of the algorithms in the framework are optimized for x86 platforms with the SSE2 instruction set. For more information about T-Series optimizations, see Cryptographic Framework and SPARC T-Series Servers in Managing Encryption and Certificates in Oracle Solaris 11.2 .

  • dtrace command changes – As part of the implementation of the /etc/system.d directory for easier packaging of Oracle Solaris kernel configuration, the dtrace command has also been updated to write to files within the this directory rather than the /etc/system file as in previous releases. See dtrace (1M) .

  • Kerberos DTrace providers – A new DTrace USDT provider that provides probes for Kerberos messages (Protocol Data Unit) has been added. The probes are modeled after the Kerberos message types that are described in RFC 4120.

  • Key Management enhancements:

    • PKCS#11 keystore support for RSA keys in the Trusted Platform Module

    • PKCS#11 access to Oracle Key Manager for centralized enterprise key management

  • lofi command changes – The lofi command supports the encryption of block devices in this release. See lofi (7D) .

  • profiles command changes – In Oracle Solaris 10, this command is only used to list profiles for a specific user or role, or a user's privileges for specific commands. Starting with Oracle Solaris 11, you can create and modify profiles in files and in LDAP by using the profiles command, See profiles (1) .

  • sudo command – The sudo command is new in Oracle Solaris 11. This command generates Oracle Solaris audit records when running commands. The command also drops the proc_exec basic privilege, if the sudoers command entry is tagged as NOEXEC.

  • ZFS file system encryption – ZFS file system encryption is designed to keep your data secure. See Encrypting ZFS File Systems.

  • rstchown property – The rstchown tunable parameter that is used in previous releases to restrict chown operations is a ZFS file system property, rstchown, and is also a general file system mount option. See Managing ZFS File Systems in Oracle Solaris 11.2 and mount (1M) .

    If you attempt to set this obsolete parameter in the /etc/system file, the following message is displayed:

    sorry, variable 'rstchown' is not defined in the 'kernel'