Security Enhancements

Auditing Enhancements

Enhancements to the audit features in this Solaris release reduce noise in the trail, and enable administrators to use XML scripting to parse the trail. These enhancements include the following:

• Public files are no longer audited for read-only events. The public policy flag for the auditconfig command controls whether public files are audited. By not auditing public objects, the audit trail is greatly reduced. Attempts to read sensitive files are therefore easier to monitor.

• The praudit command has an additional output format, XML. The XML format enables the output to be read in a browser, and provides source for XML scripting for reports. See the praudit(1M) man page.

• The default set of audit classes has been restructured. Audit metaclasses provide support for finer-grained audit classes. See the audit_class(4) man page.

• The bsmconv command no longer disables the use of the Stop-A key. The Stop-A event is now audited to maintain security.

For further information, see the System Administration Guide: Security Services.

Smart Card Terminal Interfaces

Solaris smart card interfaces are a set of public interfaces for Smart Card Terminals. See Smart Card Terminal Interfaces.

Internet Key Exchange (IKE) Hardware Acceleration

Public-key operations in IKE can be accelerated by a Sun^TM Crypto Accelerator 1000 card. The operations are offloaded to the card. The offloading accelerates encryption and reduces demands on operating system resources.

For information about IKE, see the IPsec and IKE Administration Guide.

Enhanced crypt() Function

Password encryption protects passwords from being read by intruders. Three strong password encryption modules are now available in the software:

• A version of Blowfish that is compatible with Berkeley Software Distribution (BSD) systems

• A version of Memory Digest 5 (MD5) that is compatible with BSD and Linux systems

• A stronger version of MD5 that is compatible with other Solaris 9 systems

For information on how to protect your user passwords with these new encryption modules, see the System Administration Guide: Security Services. For information on the strength of the modules, see the crypt_bsdbf(5), crypt_bsdmd5(5), and crypt_sunmd5(5) man pages.

Password Management Feature in pam_ldap

The pam_ldap password management feature strengthens the overall security of the LDAP Naming Service when used in conjunction with the Sun ONE Directory Server (formerly iPlanet Directory Server). Specifically, the password management feature does the following:

• Allows for tracking password aging and expiration

• Prevents users from choosing trivial or previously used passwords

• Warns users if their passwords are about to expire

• Locks out users after repeated login failures

• Prevents users, other than the authorized system administrator, from deactivating initialized accounts

For further information on Solaris naming and directory services, see the System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP). For information about Solaris security features, see the System Administration Guide: Security Services.

Pluggable Authentication Module (PAM) Enhancement

The PAM framework was expanded by including a new control flag. The new control flag provides the ability to skip additional stack processing. This skipping is enabled if the current service module is successful and if no failure occurred on the previous mandatory modules.

For more information about this change, see the System Administration Guide: Security Services.