Developer's Guide for Migrating to Oracle® Solaris 11.4

Updated: November 2020
 
 

Security and Privileges in Oracle Solaris

Oracle Solaris provides a network-wide security system that controls the way users access files, and protects system databases and system resources. It combines multiple security technologies such as networking, cryptographic capabilities, and trusted extensions to manage user rights.

Some of the highlights of security-related features in Oracle Solaris are:

Compliance checking and reporting

You can administer security compliance tests by using the compliance command. You can assess and report the compliance of an Oracle Solaris system with security standards, also called security benchmarks and security policies. For more information, see Oracle Solaris 11.4 Compliance Guide.

Verified boot

An anti-malware and integrity feature that reduces the risk of introducing malicious or accidentally modified critical boot and kernel components. This feature checks the cryptographic signatures of the firmware, boot system, and kernel and kernel modules. Verified boot applies to the SPARC T5, SPARC M5, and SPARC M6 platforms. For more information, see Using Verified Boot in Securing Systems and Attached Devices in Oracle Solaris 11.4.

Support for IKEv2

Provides automatic Security Association (SA) and key management between peer systems. For more information, see IKEv2 Protocol in Securing the Network in Oracle Solaris 11.4.

RBAC Time-Based and Location-Based Access

You can qualify user attributes by location. A new qualifier option for the usermod and rolemod commands can indicate the system or netgroup where user attributes apply. A new time-based policy for access to PAM services can be specified by using the new access_times keyword of the useradd command. For more information, see the usermod(8), rolemod(8), and useradd(8) man pages. For examples, see Setting Remote Login Restrictions in Securing Users and Processes in Oracle Solaris 11.4.

Application Data Integrity

The SPARC M7, SPARC M8, SPARC S7, SPARC T7, and SPARC T8 servers offer Application Data Integrity (ADI). Also called Secured Silicon Memory (SSM), ADI detects memory corruption in application code by adding version numbers to the application's memory pointers and the memory they point to.

The adiheap and adistack security extensions enable ADI usage on these platforms by the malloc() family of functions in the libumem and libc libraries. These functions provide scalable object-caching memory allocation with multithreaded application support. SPARC's ADI APIs detect buffer overrun errors, out-of-bounds pointer errors, stale pointer errors, and use-after-free errors. For more information, see the libumem(3LIB) and libc(3LIB) man pages.

You can also use the libadimalloc library on platforms that support ADI. For more information, see the libadimalloc(3LIB) man page.

For more information, references, and examples, see Using Application Data Integrity (ADI) in Oracle Solaris 11.4 Programming Interfaces Guide.
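The versioning idea described above, modelled in portable C as an added example (not Oracle's code and not the Solaris ADI API). The 64-byte granule, the 1..15 version range, and all names (`vptr`, `model_alloc`, `model_free`, `model_store`, `demo`) are assumptions of this model; on ADI hardware the version comparison is performed by the processor on loads and stores.

```c
/* Added illustration: software model of ADI-style versioning (not the Solaris ADI API).
 * Granule size, version range and every name below are assumptions of this model. */
#include <stdint.h>
#include <stdio.h>

#define GRANULE   64u                /* bytes covered by one version tag */
#define NGRANULES 16u
static uint8_t heap[GRANULE * NGRANULES];
static uint8_t mem_ver[NGRANULES];   /* version kept with each granule; 0 = free */
static uint8_t next_ver = 1;

typedef struct { uint32_t off; uint8_t ver; } vptr;   /* address plus version tag */

/* Stamp n granules starting at granule g with a fresh version and tag the pointer. */
vptr model_alloc(uint32_t g, uint32_t n) {
    uint8_t v = next_ver;
    next_ver = (uint8_t)(next_ver % 15u + 1u);        /* cycle through 1..15 */
    for (uint32_t i = 0; i < n; i++) mem_ver[g + i] = v;
    return (vptr){ g * GRANULE, v };
}

/* Re-version the memory on free so that stale pointers stop matching. */
void model_free(vptr p, uint32_t n) {
    for (uint32_t i = 0; i < n; i++) mem_ver[p.off / GRANULE + i] = 0;
}

/* Checked store: 0 on success, -1 when pointer and memory versions differ. */
int model_store(vptr p, uint32_t idx, uint8_t val) {
    uint32_t addr = p.off + idx;
    if (addr >= sizeof heap || mem_ver[addr / GRANULE] != p.ver) return -1;
    heap[addr] = val;
    return 0;
}

/* In-bounds write, buffer overrun, use-after-free; one result bit per case. */
int demo(void) {
    vptr a = model_alloc(0, 1);                  /* 64-byte buffer */
    vptr b = model_alloc(1, 1);                  /* neighbour, different version */
    int ok      = model_store(a, 10, 0x41);      /* versions match */
    int overrun = model_store(a, 64, 0x41);      /* lands in b's granule */
    model_free(b, 1);
    int stale   = model_store(b, 0, 0x42);       /* b's memory was re-versioned */
    return (ok == 0) | ((overrun == -1) << 1) | ((stale == -1) << 2);
}

int main(void) {
    printf("checks passed mask: %d\n", demo());
    return 0;
}
```

An overrun that stays inside the same granule is not caught by this model, because the version check is per granule rather than per byte.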

Oracle Solaris Trusted Extensions

Oracle Solaris Trusted Extensions is a set of advanced security features that allow you to label the data and applications according to the sensitivity level. It features the access control model that includes RBAC, Mandatory Access Control Labeling, Auditing, and Device Allocation. It is an optional layer of secure label technology in Oracle Solaris that allows data security policies to be separated from data ownership.

Trusted Extensions provides APIs for developing applications that access and handle labels. For more information about Trusted Extensions APIs, see Trusted Extensions Developer’s Guide.

Authentication Services in Oracle Solaris

Authentication is a mechanism to validate whether a user or service matches the predefined criteria.

    The main features of the Oracle Solaris authentication services are as follows:

  • Pluggable Authentication Module – Enables you to add new authentication methods and modify the authentication policies by installing PAM modules into the Oracle Solaris OS.

  • Simple Authentication and Security Layer – Provides authentication and security services to network protocols.

  • Secure Shell – Provides secure data communication and remote command-line login using a cryptographic network protocol.

Pluggable Authentication Module

Pluggable Authentication Module (PAM) is a set of pluggable objects that enables system administrators to add new authentication services without changing system services. You can use it to modify user authentication, account, session, and password management functions in Oracle Solaris. Login, ssh, and other system entry services use the PAM framework to ensure that all login sessions are secure. Flexibility to modify the configuration files is the main feature that benefits the users.

For more information about PAM modules, see Chapter 3, Writing PAM Applications and Services in Developer’s Guide to Oracle Solaris 11.4 Security.

Oracle Solaris Cryptographic Framework

The Oracle Solaris Cryptographic Framework provides a set of services for kernel-level and user-level consumers. Oracle Solaris provides network security based on standard industry interfaces such as PAM, GSS-API, SASL, and PKCS #11. The Cryptographic Framework is a backbone of cryptographic services in Oracle Solaris. The framework provides standard PKCS#11 interfaces to accommodate consumers and providers of cryptographic services.

    The framework has two parts:

  • User cryptographic framework for user-level applications

  • Kernel cryptographic framework for kernel-level modules

    The main elements of the Cryptographic Framework are as follows:

  • libpkcs11.so library – Provides access through the RSA Security Inc. PKCS#11 Cryptographic Token Interface (Cryptoki). Applications must link to the libpkcs11.so library.

  • pkcs11_softtoken.so shared object – Contains user-level cryptographic mechanisms provided by Oracle.

  • Pluggable interface – Is the service provider interface (SPI) for PKCS #11 cryptographic services that are provided by Oracle and third-party developers. Providers are user-level libraries that are implemented through encryption services available through the hardware or software.

  • Scheduler and Load Balancer – Enables efficient load balancing and dispatching of cryptographic requests.

  • Kernel Programmer Interface – Provides kernel-level consumers with access to cryptographic services.

  • Service Provider Interface – Used by providers of kernel-level cryptographic services that are implemented in the hardware and the software.

  • Hardware and software cryptographic providers – Kernel-level cryptographic services that use software algorithms, hardware accelerator boards, or on-chip cryptographic capabilities.

  • Kernel cryptographic framework daemon – Used to manage system resources for cryptographic operations. The daemon also verifies cryptographic providers.

  • Module Verification Library – Used to verify the integrity and authenticity of all binaries that the cryptographic framework imports.

  • elfsign – Enables third-party providers of cryptographic services to request certificates from Oracle.

  • cryptoadm – Manages cryptographic services, such as disabling and enabling cryptographic mechanisms according to security policies.

    Four types of applications can plug into the Cryptographic Framework:

  • User-level consumers

  • User-level providers

  • Kernel-level consumers

  • Kernel-level providers

The Oracle Solaris Key Management Framework provides tools and programming interfaces for managing public key infrastructure (PKI) objects.

The on-board cryptography in Oracle Solaris servers, provided through on-chip cryptographic acceleration, eliminates the need for additional coprocessor cards or power-consuming add-on components.

For more information about the Cryptographic Framework, see Chapter 8, Writing User-Level Cryptographic Applications in Developer’s Guide to Oracle Solaris 11.4 Security.