Security Enhancements

This section describes security enhancements in the Solaris 10 3/05 release that are new or have been enhanced since the Solaris 9 OS was originally distributed in May 2002. Process Rights Management and Reduced Networking Software Group are of particular importance. To view security enhancements that are new in the Solaris 10 7/05 release, see Security Enhancements.

In addition to the security features described in this section, see also the following security-related feature descriptions in the Developer Tools section and the Installation section:

• WAN Boot Installation Method

• Reduced Networking Software Group

• New Mechanisms for the Solaris Cryptographic Framework

• Retail and Nonretail Options for Providers in Solaris Cryptographic Framework

• Simple Authentication and Security Layer for Developers

• SPNEGO Pseudo-Mechanism for GSS-API Applications

• Enhanced crypt() Function for Software Developers

• Smart Card Terminal Interfaces

• Smartcard Middleware APIs

Signing ELF Objects

This feature is new in the Solaris 10 3/05 release.

The libraries and executable files in the Solaris 10 OS include digital signatures that can be used to verify the integrity of these files. The digital signature provides a way to detect any accidental change or deliberate tampering with the executable content of the file.

Plug-ins for the Solaris Cryptographic Framework are automatically verified when loaded by the system. The elfsign command can be used manually to verify any signed file. Developers and administrators can also use elfsign to sign their own code.

For further information, see the elfsign(1) man page.

Process Rights Management

This feature is new in the Software Express pilot program. This feature is included in the Solaris 10 3/05 release.

In the Solaris software, administrative tasks that previously required superuser rights are now protected by process rights management. Process rights management uses privileges to restrict processes at the command, user, role, or system level. A privilege is a discrete right that a process requires to perform an operation. The system restricts processes to only those privileges that are required to perform the current task. Therefore, fewer root processes are vulnerable to exploitation. The number of setuid programs has been greatly reduced.

As installed, the Software Express releases and the Solaris 10 3/05 release are completely compatible with previous releases of the Solaris Operating System in terms of the privileges enhancements. Unmodified programs that run as root run with all privileges.

Device Protection – Devices are protected with a security policy. The policy is enforced with privileges. Therefore, the permissions on a device file do not fully determine the device's availability. Privileges might also be required to operate the device.

System interfaces that were protected by UNIX permissions are now protected by privileges. For example, members of the group sys are no longer automatically allowed to open the /dev/ip device. Processes that are running with the net_rawaccess privilege can access the /dev/ip device. When the system boots, access to all devices is restricted until the devfsadm command runs during the boot sequence. The initial policy is as strict as possible. The policy prevents all users except the superuser from initiating connections.

See the following man pages for more information:

• getdevpolicy(1M)

• ppriv(1)

• add_drv(1M)

• update_drv(1M)

• rem_drv(1M)

• devfsadm(1M)

Processes that need to retrieve Solaris IP MIB information should open /dev/arp and push the “tcp” and “udp” modules. No privileges are required. This method is equivalent to opening /dev/ip and pushing the “arp”, “tcp” and “udp” modules. Because opening /dev/ip now requires a privilege, the /dev/arp method is preferred.

For further information, see the following sections in the System Administration Guide: Security Services:

• “Using Roles and Privileges (Overview)”

• “Privileges (Overview)”

• “Privileges (Tasks)”

Changes to PAM for the Solaris 10 OS

A new pam_deny module was added in the Software Express pilot program and enhanced in the Solaris Express 6/04 release. This feature is included in the Solaris 10 3/05 release. The module can be used to deny access to named PAM services. By default, the pam_deny module is not used. For more information, see the pam_deny(5) man page.

The Solaris 10 software includes the following changes to the PAM framework.

• The pam_authtok_check module now allows for strict password checking that uses new tunables in the /etc/default/passwd file. The new tunables define the following:

  • A list of comma-separated dictionary files that are used for checking common dictionary words in a password

  • The minimum differences that are required between a new password and an old password

  • The minimum number of alphabetic and nonalphabetic characters that must be used in a new password

  • The minimum number of uppercase and lowercase letters that must be used in a new password

  • The number of allowable consecutive repeating characters

  • The number of digits that must be used in the new password

  • Whether whitespaces are allowed in the new password

• The pam_unix_auth module implements account locking for local users. Account locking is enabled by the LOCK_AFTER_RETRIES tunable in /etc/security/policy.conf and the lock_after-retries key in /etc/user_attr.

• A new binding control flag has been defined. If the PAM module is successful and no preceding modules that are flagged as required have failed, then PAM skips the remaining modules and the authentication request succeeds. However, if a failure is returned, PAM records a required failure and then continues processing the stack. This control flag is documented in the pam.conf(4) man page.

• The pam_unix module has been removed and replaced by a set of service modules of equivalent or greater functionality. Many of these modules are new in the Solaris 9 system. Here is a list of the replacement modules:

  • pam_authtok_check

  • pam_authtok_get

  • pam_authtok_store

  • pam_dhkeys

  • pam_passwd_auth

  • pam_unix_account

  • pam_unix_auth

  • pam_unix_cred

  • pam_unix_session

• The functionality of the pam_unix_auth module has been split into two modules. The pam_unix_auth module now verifies that the password is correct for the user. The new pam_unix_cred module provides functions that establish user credential information.

• Additions to the pam_krb5 module have been made to manage the Kerberos credentials cache by using the PAM framework. See Kerberos Enhancements.

pam_ldap Changes

The following pam_ldap changes are new in the Solaris Express 10/04 release, except for the account management feature. This management feature is new in the Software Express pilot program and in the Solaris 9 12/02 release. See the pam_ldap(5) man page for more information about these changes.

• The previously supported use_first_pass and try_first_pass options are obsolete as of this Solaris 10 software release. These options are no longer needed. The options can safely be removed from pam.conf, and are silently ignored.

• Password prompting must be provided for by stacking pam_authtok_get before pam_ldap in the authentication and password module stacks, and by including pam_passwd_auth in the passwd_service_auth stack.

• The previously supported password update function is replaced in this release by the use of pam_authtok_store with the server_policy option.

• The pam_ldap account management feature strengthens the overall security of the LDAP Naming Service. Specifically, the account management feature does the following:

  • Allows for tracking password aging and expiration

  • Prevents users from choosing trivial or previously used passwords

  • Warns users if their passwords are about to expire

  • Locks out users after repeated login failures

  • Prevents users other than the authorized system administrator from deactivating initialized accounts

A clean, automated update cannot be provided for the changes in the previous list. Therefore, an upgrade to a Solaris 10 or subsequent release cannot automatically update the existing pam.conf file to reflect the pam_ldap changes. If the existing pam.conf file contains a pam_ldap configuration, the CLEANUP file notifies you after the upgrade. Examine the pam.conf file and modify it, as needed.

See the following man pages for further information:

• pam_passwd_auth(5)

• pam_authtok_get(5)

• pam_authtok_store(5)

• pam.conf(4)

For further information about Solaris naming and directory services, see the System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP). For information about Solaris security features, see the System Administration Guide: Security Services.

Solaris Secure Shell Enhancements

This feature description is new in the Solaris Express 10/04 release.

The following enhancements to Solaris Secure Shell are available in the Solaris 10 OS:

• Solaris Secure Shell is based on OpenSSH 3.5p1. The Solaris implementation also includes features and bug fixes from versions prior to OpenSSH 3.8p1.

• Solaris Secure Shell now supports the use of the GSS-API for user and host authentication that uses Kerberos V.

  PAM support, including password-aging support, has been improved.

• The default value of X11Forwarding is yes in the /etc/ssh/sshd config file.

• The ARCFOUR and AES128-CTR ciphers are now available. ARCFOUR is also known as RC4. The AES cipher is AES in counter mode.

• For further enhancements, see the description for sshd Daemon and /etc/default/login.

For further information about security in the Solaris 10 OS, see the System Administration Guide: Security Services.

OpenSSL and OpenSSL PKCS#11 Engine

This feature is new in the Solaris Express 8/04 release.

This release of Solaris includes the OpenSSL libraries and commands in /usr/sfw.

This release also includes an OpenSSL Engine interface to PKCS#11 so that OpenSSL consumers can access hardware and software cryptographic providers from the Solaris Cryptographic Framework.

Because of cryptographic import restrictions in some countries, symmetric key cryptographic algorithms are limited to 128–bit if the SUNWcry package is not installed. The SUNWcry package is not included with the Solaris software. This package is available instead as a separate controlled download.

sshd Daemon and /etc/default/login

This feature is new in the Solaris Express 10/04 release.

The sshd daemon uses the variables in /etc/default/login and the login command. The etc/default/login variables can be overridden by values in the sshd_config file.

For more information, see “Solaris Secure Shell and Login Environment Variables” in the System Administration Guide: Security Services. See also the sshd_config(4) man page.

New Password Options for Nonlogin and Locked Accounts

This feature is new in the Solaris Express 10/04 release.

The passwd command has two new options, -N and -u. The -N option creates a password entry for a nonlogin account. This option is useful for accounts that should not be logged in to, but must run cron jobs. The -u option unlocks a previously locked account.

For more information, see the passwd(1) man page.

-setcond Option to auditconfig Command Is Removed

This feature is new in the Solaris Express 10/04 release.

The -setcond option to the auditconfig command has been removed. To temporarily disable auditing, use the audit -t command. To restart auditing, use the audit -s command.

perzone Audit Policy

This feature is new in the Solaris Express 8/04 release.

The perzone audit policy enables non-global zones to be audited individually. A separate audit daemon runs in each zone. The daemon uses audit configuration files that are specific to the zone. Also, the audit queue is specific to the zone. By default, the policy is off.

For more information, see the auditd(1M) and auditconfig(1M) man pages.

Kerberos Enhancements

These Kerberos enhancements are included in the Solaris 10 release. Several of the enhancements are new in prior Software Express releases.

• Kerberos protocol support is provided in remote applications, such as ftp, rcp, rdist, rlogin, rsh, and telnet. See the man pages for each command or daemon and the krb5_auth_rules(5) man page for more information.

• The Kerberos principal database can now be transferred by incremental update instead of transferring the entire database each time. Incremental propagation provides several advantages including the following:

  • Increased database consistencies across servers

  • The need for fewer resources, such as network and CPU resources

  • Much more timely propagation of updates

  • An automated method of propagation

• A new script helps automatically configure a Kerberos client. The script helps an administrator quickly and easily set up a Kerberos client. For procedures that use the new script, see Chapter 22, “Configuring the Kerberos Service (Tasks),” in the System Administration Guide: Security Services. See also the kclient(1M) man page for more information.

• Several new encryption types have been added to the Kerberos service. These new encryption types increase security and enhance compatibility with other Kerberos implementations that support these encryption types. All of the encryption types are documented in the mech(4) man page. See “Using Kerberos Encryption Types” in the System Administration Guide: Security Services for more information. The encryption types offer the following capabilities:

  • AES encryption type can be used for high-speed, high-security encryption of Kerberos sessions. The use of AES is enabled through the Cryptographic Framework.

  • ARCFOUR-HMAC provides better compatibility with other Kerberos versions.

  • Triple DES (3DES) with SHA1 increases security. This encryption type also enhances interoperability with other Kerberos implementations that support this encryption type.

• The KDC software and kinit command now support the use of the TCP network protocol. This addition provides more robust operation and better interoperability with other Kerberos implementations. The KDC now “listens” on both the traditional UDP ports and on the TCP ports so that it can respond to requests that use either protocol. The kinit command first tries UDP when sending a request to the KDC. If a failure occurs, the kinit command then tries TCP.

• Support for IPv6 was added to the KDC software with kinit, klist, and kprop commands. Support for IPv6 addresses is provided by default. No configuration parameters need to change to enable this support.

• A new -e option has been added to several subcommands of the kadmin command. This new option allows for the selection of the encryption type when creating principals. See the kadmin(1M) man page for more information.

• Additions to the pam_krb5 module manage the Kerberos credentials cache by using the PAM framework. See the pam_krb5(5) man page for more information.

• Support is provided for auto-discovery of the Kerberos KDC, admin server, kpasswd server, and host or domain name-to-realm mappings that use DNS lookups. This support reduces some of the steps that are needed to install a Kerberos client. The client is able to locate a KDC server by using DNS instead of reading a configuration file. See the krb5.conf(4) man page for more information.

• A new PAM module called pam_krb5_migrate has been introduced. The new module helps in the automatic migration of users to the local Kerberos realm if the users do not already have Kerberos accounts. See the pam_krb5_migrate(5) man page for more information.

• The ~/.k5login file can now be used with GSS applications, ftp and ssh. For more information, see the krb5_auth_rules(5) man page.

• The kproplog utility has been updated to display all attribute names per log entry. For more information, see the kproplog(1M) man page.

• A new configuration file option makes the strict Ticket Granting Ticket (TGT) verification feature optionally configurable on a per-realm basis. See the krb5.conf(4) man page for more information.

• Extensions to the password-changing utilities enable the Solaris Kerberos V5 administration server to accept password change requests from non-Solaris clients. See the kadmin(1M) man page for more information.

• The default location of the replay cache has been moved from RAM-based file systems to persistent storage in /var/krb5/rcache/. The new location protects against replays if a system is rebooted. Performance enhancements were made to the rcache code. However, overall replay cache performance might be slower because of the use of persistent storage.

• The replay cache can now be configured to use file storage or memory-only storage. Refer to the krb5envvar(5) man page for more information about environment variables that can be configured for key table and credential cache types or locations.

• The GSS credential table is no longer necessary for the Kerberos GSS mechanism. For more information, see the gsscred(1M), gssd(1M), and gsscred.conf(4) man pages.

• The Kerberos utilities, kinit and ktutil, are now based on MIT Kerberos version 1.2.1. This change added new options to the kinit command and new subcommands to the ktutil command. For more information, see the kinit(1) and the ktutil(1) man pages.

• The Solaris Kerberos Key Distribution Center (KDC) is now based on MIT Kerberos version 1.2.1. The KDC now defaults to a btree-based database, which is more reliable than the current hash-based database. See the kdb5_util(1M) man page for more information. For Solaris 9 users, this change is new in the Solaris 9 12/03 release.

TCP Wrappers for rpcbind

This feature is new in the Solaris Express 4/04 release.

TCP wrapper support has been added to the rpcbind command. This support allows the administrator to limit calls to rpcbind to selected hosts. The administrator can also log all calls to rpcbind.

For further information, see the rpcbind(1M) man page.

zonename Audit Token and Audit Policy Option

The Solaris Zones partitioning technology is new in the Solaris Express 2/04 release. See Solaris Zones Software Partitioning Technology. The related zonename enhancements that are described here were also introduced in the Solaris Express 2/04 release.

The zonename audit token records the name of the zone in which an audit event occurred. The zonename audit policy option determines, for all zones, whether the zonename token is included in audit records. If the criteria for audit class preselection vary between non-global zones, then you might want to analyze audit records by zone. The zonename audit policy enables you to postselect audit records by zone.

See “Auditing and Solaris Zones” in the System Administration Guide: Security Services.

For further information, see the audit.log(4), auditconfig(1M), and auditreduce(1M) man pages. See also “Using Solaris Auditing in Zones” in the System Administration Guide: Solaris Containers-Resource Management and Solaris Zones.

User Commands for Solaris Cryptographic Framework

This feature is new in the Solaris Express 1/04 release.

The digest, mac, and encrypt commands now include an option to list the algorithms that are available for each command. For the mac and encrypt commands, the output includes the key lengths that each algorithm accepts. Also, the -I <IV-file> option has been removed from the encrypt and decrypt commands.

For further information, see Chapter 14, “Solaris Cryptographic Framework (Tasks)” and “Protecting Files With the Solaris Cryptographic Framework” in the System Administration Guide: Security Services.

For more information, see the encrypt(1), digest(1), and mac(1) man pages.

IKE Configuration Parameters

This feature is new in the Solaris Express 1/04 release.

Retransmission parameters and packet time-out parameters have been added to the /etc/inet/ike/config file. The parameters enable the administrator to tune the IKE Phase 1 (Main Mode) negotiation. The tuning enables Solaris IKE to interoperate with platforms that implement the IKE protocol differently. The parameters also help the administrator adjust for network interference and heavy network traffic.

For a detailed description of the parameters, see the ike.config(4) man page.

Simple Authentication and Security Layer

This feature is new in the Solaris Express 12/03 release.

Simple Authentication and Security Layer (SASL) provides developers of applications with interfaces for adding authentication, data integrity checking, and encryption to connection-based protocols.

For further information, see Simple Authentication and Security Layer for Developers.

See also Chapter 17, “Using SASL,” in the System Administration Guide: Security Services.

Audit Time Now Reported in ISO 8601 Format

This feature is new in the Solaris Express 12/03 release.

The file and header tokens in audit records now report time in ISO 8601 format. For example, the output from the praudit command for the file token is as follows:

Old File Token:

file,Mon Oct 13 11:21:35 PDT 2003, + 506 msec, /var/audit/20031013175058.20031013182135.machine1

New File Token:

file,2003-10-13 11:21:35.506 -07:00, /var/audit/20031013175058.20031013182135.machine1

Old Header Token:

header,173,2,settppriv(2),,machine1, Mon Oct 13 11:23:31 PDT 2003, + 50 msec

New Header Token:

header,173,2,settppriv(2),,machine1, 2003-10-13 11:23:31.050 -07:00

The XML output has also changed. For example, the output from the praudit -x command formats the file token as follows:

<file iso8601="2003-10-13 11:21:35.506 -07:00">
/var/audit/20031013175058.20031013182135.machine1</file>

Customized scripts or tools that parse praudit output might need to be updated to accommodate this change.

For further information, see Chapter 27, “Solaris Auditing (Overview)” and “Changes to Solaris Auditing for the Solaris 10 Release” in the System Administration Guide: Security Services.

Basic Audit and Reporting Tool

This feature is new in the Solaris Express 11/03 release.

Basic Audit and Reporting Tool (BART) is a command-line utility that enables OEMs, advanced users, and system administrators to do a check at file level of the software contents of a target system. The utility is useful for gathering information about what is installed on a system. BART also enables you to compare installed systems, and to compare the contents of a system over time.

For further information, see Chapter 5, “Using the Basic Audit Reporting Tool (Tasks),” in the System Administration Guide: Security Services.

See also the bart_manifest(4), bart_rules(4), and bart(1M) man pages.

IPsec and the Solaris Cryptographic Framework

This feature is new in the Solaris Express 9/03 release.

IPsec uses the Solaris Cryptographic Framework instead of its own encryption and authentication modules. The modules are optimized for the SPARC platform. In addition, a new ipsecalgs command-line utility and APIs are provided to query the list of supported IPsec algorithms and other IPsec properties.

For further information, see the ipsecalgs(1M) man page.

In the System Administration Guide: IP Services, see Chapter 18, “IP Security Architecture (Overview)” and “Authentication and Encryption Algorithms in IPsec.”

Solaris Cryptographic Framework for System Administrators

This feature is new in the Software Express pilot program. This feature is included in the Solaris 10 3/05 release.

The Solaris Cryptographic Framework provides cryptographic services to applications in the Solaris environment. The system administrator controls which encryption algorithms can be used through the cryptoadm command. The cryptoadm command enables you to perform the following functions:

• Manage available providers of cryptographic services

• Set cryptographic security policy, such as disabling algorithms from a particular provider

The framework comes with plug-ins for the AES, DES/3DES, RC4, MD5, SHA-1, DSA, RSA, and Diffie-Hellman algorithms. Plug-ins can be added or removed as needed.

The encrypt, decrypt, digest, and mac commands all use cryptographic algorithms from the framework.

For further information, see Chapter 13, “Solaris Cryptographic Framework (Overview),” in the System Administration Guide: Security Services.

See also the following man pages:

• cryptoadm(1M)

• kcfd(1M)

• libpkcs11(3LIB)

• pkcs11_kernel(5)

• pkcs11_softtoken(5)

Remote Audit Log

This feature is new in the Software Express pilot program. This feature is included in the Solaris 10 3/05 release.

In addition to recording audit events in the binary audit log, the Solaris releases enable you to record audit events to syslog.

The generation of syslog data allows you to use the same management and analysis tools that are available for syslog messages from a variety of Solaris and non-Solaris environments, including workstation, servers, firewalls, and routers. By using syslog.conf to route audit messages to remote storage, you protect log data from alteration or deletion by an attacker. However, the syslog option provides only a summary of audit record data. Also, when syslog data is stored on a remote system, the data is susceptible to network attacks such as denial of service and false or “spoofed” source addresses.

For further information, see Chapter 27, “Solaris Auditing (Overview)” and “Audit Files” in the System Administration Guide: Security Services.

See also the following man pages:

• audit(1M)

• audit.log(4)

• audit_control(4)

• audit_syslog(5)

• syslog(3C)

• syslog.conf(4)

FTP Server Enhancements

This feature is new in the Software Express pilot program. This feature is included in the Solaris 10 3/05 release.

Scalability and transfer logging enhancements have been made to the FTP server including:

• The sendfile() function is used for binary downloads.

• New capabilities are supported in the ftpaccess file:

  • flush-wait controls the behavior at the end of a download or directory listing.

  • ipcos sets the IP Class of Service for either the control or data connection.

  • passive ports can be configured so that the kernel selects the TCP port to listen on.

  • quota-info enables retrieval of quota information.

  • recvbuf sets the receive (upload) buffer size that is used for binary transfers.

  • rhostlookup allows or disallows the lookup of the remote host's name.

  • sendbuf sets the send (download) buffer size that is used for binary transfers.

  • xferlog format customizes the format of the transfer log entry.

• A new -4 option makes the FTP server only listen for connections on an IPv4 socket when running in standalone mode.

The FTP client and server now support Kerberos. For more information, refer to the ftp(4) man page and to “Kerberos User Commands” in the System Administration Guide: Security Services.

In addition, ftpcount and ftpwho now support the -v option, which displays user counts and process information for FTP server classes that are defined in virtual host ftpaccess files.

For further information about these changes, see the following man pages:

• in.ftpd(1M)

• ftpaccess(4)

• ftpcount(1)

• ftpwho(1)

• sendfile(3EXT)

FTP Client

This feature is new in the Software Express pilot program. This feature is included in the Solaris 10 3/05 release.

The Solaris software includes a change to the FTP client. By default, a Solaris FTP client, connected to a Solaris FTP server, lists directories as well as plain files when the ls command is issued. If the FTP server is not running in the Solaris operating system, directories may not be listed.

To allow for the default Solaris behavior when connecting to non-Solaris FTP servers, the /etc/default/ftp file can be edited on each Solaris client. To make the change for individual users, the FTP_LS_SENDS_NLST environment variable can be set.

For more information, see the ftp(4) man page.

The FTP client and server now support Kerberos. For more information, refer to the ftp(4) man page and to “Kerberos User Commands” in the System Administration Guide: Security Services.

Internet Key Exchange (IKE) Key Storage on Sun Crypto Accelerator 4000 Board

This feature is new in the Software Express pilot program and in the Solaris 9 12/03 release. This feature is included in the Solaris 10 3/05 release.

IKE now runs on IPv6 as well as IPv4 networks. For information about keywords that are specific to the IPv6 implementation, see the ifconfig(1M) and ike.config(4) man pages.

When a Sun Crypto Accelerator 4000 board is attached, IKE can offload computation-intensive operations to the board, thus freeing the operating system for other tasks. IKE can also use the attached board to store public keys, private keys, and public certificates. Key storage on a separate piece of hardware provides additional security.

For further information, see the ikecert(1M) man page.

See also the following in System Administration Guide: IP Services:

• “IP Security Architecture (Overview)”

• “Internet Key Exchange (Overview)”

• “IKE and Hardware Storage”

• “Configuring IKE (Tasks)”

• “Configuring IKE to Find Attached Hardware”

IKE Hardware Acceleration

This feature is new in the Software Express pilot program and in the Solaris 9 4/03 release. This feature is included in the Solaris 10 3/05 release.

Public-key operations in IKE can be accelerated by a Sun Crypto Accelerator 1000 card and Sun Crypto Accelerator 4000 cards. The operations are offloaded to the card. The offloading accelerates encryption and reduces demands on Solaris Operating System resources.

For information about IKE, see the following in System Administration Guide: IP Services:

• “Configuring IKE to Find Attached Hardware”

• “Internet Key Exchange (Overview)”

• “IKE and Hardware Acceleration”

• “Configuring IKE (Tasks)”

• “Configuring IKE to Find Attached Hardware”

ipseckey Enhancement

This feature is new in the Software Express pilot program. This feature is included in the Solaris 10 3/05 release.

For network administrators who have installed IPsec or IKE on their systems, the ipseckey parser provides clearer help. The ipseckey monitor command now provides a timestamp for each event.

For more information, see the ipseckey(1M) man page.

Credential Propagation Over Loopback Connections

This feature is new in the Software Express pilot program. This feature is included in the Solaris 10 3/05 release.

This Solaris release introduces ucred_t * as an abstract representation of the credentials of a process. These credentials can be retrieved by using door_ucred() in door servers and getpeerucred() for loopback connections. The credentials can be received by using recvmsg().

See the socket.h(3HEAD) man page for further information.

Auditing Header Token Contains Host Information

This feature is new in the Software Express pilot program. This feature is included in the Solaris 10 3/05 release.

The header token in audit records has been expanded to include the name of the host.

The old header is displayed as follows:

header,131,4,login - local,,Wed Dec 11 14:23:54 2002, + 471 msec

The new expanded header is displayed as follows:

header,162,4,login - local,,example-hostname,
Fri Mar 07 22:27:49 2003, + 770 msec

Customized scripts or tools that parse praudit output might need to be updated to reflect this change.

See Chapter 30, “Solaris Auditing (Reference)” and “header Token” in the System Administration Guide: Security Services for further information.

Auditing Enhancements

This feature is new in the Software Express pilot program and in the Solaris 9 8/03 release. This feature is included in the Solaris 10 3/05 release.

Enhancements to the audit features in the Solaris software reduce noise in the trail, and enable administrators to use XML scripting to parse the trail. These enhancements include the following:

• Public files are no longer audited for read-only events. The public policy flag for the auditconfig command controls whether public files are audited. By not auditing public objects, the audit trail is greatly reduced. Attempts to read sensitive files are therefore easier to monitor.

• The praudit command has an additional output format, XML. The XML format enables the output to be read in a browser, and provides source for XML scripting for reports. See the praudit(1M) man page.

• The default set of audit classes has been restructured. Audit metaclasses provide support for more specific audit classes. See the audit_class(4) man page.

• The bsmconv command no longer disables the use of the Stop-A key combination. The Stop-A event is now audited to maintain security.

For further information, see the following sections in the System Administration Guide: Security Services:

• “Solaris Auditing (Reference)”

• “Definitions of Audit Classes”

• “praudit Command”

• “Solaris Auditing (Overview)”

• “Audit Terminology and Concepts”

• “Changes to Solaris Auditing for the Solaris 10 Release”

New Audit Token path_attr

This feature is new in the Software Express pilot program. This feature is included in the Solaris 10 3/05 release.

The path_attr audit token contains access path information for an object. The access path specifies the sequence of attribute file objects below the path token object. Systems calls such as openat() access attribute files. For more information on extended file attributes, see the fsattr(5) man page.

The path_attr token has three fields:

• A token ID field that identifies this token as a path_attr token

• A count that represents the number of sections of attribute file paths

• One or more null-terminated strings

The praudit command displays the path_attr token as follows:

path_attr,1,attr_file_name

For further information, see Chapter 30, “Solaris Auditing (Reference)” and “path_attr Token” in the System Administration Guide: Security Services.

Password History Checking

This feature is new in the Software Express pilot program. This feature is included in the Solaris 10 3/05 release.

For login accounts that are defined in local files, a password history of up to 26 previously changed passwords can be enabled. When a user changes a password, the attempt fails if the new password matches one of the passwords in the history. Also, login name checking can be disabled.

See the passwd(1) man page for more information.

Enhanced crypt() Function

This feature is new in the Software Express pilot program and in the Solaris 9 12/02 release. This feature is included in the Solaris 10 3/05 release.

Password encryption protects passwords from being read by intruders. Three strong password encryption modules are now available in the software:

• A version of Blowfish that is compatible with Berkeley Software Distribution (BSD) systems

• A version of Message Digest 5 (MD5) that is compatible with BSD and Linux systems

• A stronger version of MD5 that is compatible with other Solaris systems

For information on how to protect your user passwords with these new encryption modules, see the following sections in the System Administration Guide: Security Services:

• “Controlling Access to Systems (Tasks)”

• “Managing Machine Security (Overview)”

• “Changing the Default Algorithm for Password Encryption”

For information on the strength of the modules, see the crypt_bsdbf(5), crypt_bsdmd5(5), and crypt_sunmd5(5) man pages.