Transitioning From Oracle Solaris 10 to Oracle Solaris 11 (Oracle Solaris 11 Information Library)
Oracle Solaris 11 introduces the following key security changes:
Auditing – Auditing is now a service and is enabled by default. No reboot is required when disabling or enabling this service. The auditconfig command is used to view and change audit policy. Auditing of public objects generates less noise in the audit trail. In addition, auditing of non-kernel events has no performance impact.
For information about creating a ZFS file system for audit files, see How to Create ZFS File Systems for Audit Files in Oracle Solaris Administration: Security Services.
Basic Audit Reporting Tool (BART) – The default hash used by BART is now SHA256 rather than MD5, and the hash algorithm is selectable. See Chapter 5, Verifying File Integrity by Using BART, in Oracle Solaris Administration: Security Services.
Cryptographic Framework – This feature now includes more algorithms, mechanisms, plug-ins, and support for Intel and SPARC T4 hardware acceleration. Also, Oracle Solaris 11 provides better alignment with the NSA Suite B cryptography.
Kerberos DTrace providers – A new DTrace USDT provider has been added that provides probes for Kerberos messages (protocol data units). The probes are modeled after the Kerberos message types described in RFC 4120.
Key Management enhancements:
PKCS#11 keystore support for RSA keys in the Trusted Platform Module
PKCS#11 access to Oracle Key Manager for centralized enterprise key management
lofi command changes – lofi now supports the encryption of block devices. See lofi(7D).
profiles command changes – In Oracle Solaris 10, the command is only used to list profiles for a specific user or role, or a user's privileges for specific commands. In Oracle Solaris 11, you can also create and modify profiles in files and in LDAP by using the profiles command. See profiles(1).
sudo command – The sudo command is new in Oracle Solaris 11. This command generates Oracle Solaris audit records when running commands. The command also drops the proc_exec basic privilege, if the sudoers command entry is tagged as NOEXEC.
ZFS file system encryption – ZFS file system encryption is designed to keep your data secure. See Encrypting ZFS File Systems.
rstchown property – The rstchown tunable parameter that is used in previous releases to restrict chown operations is now a ZFS file system property, rstchown, and is also a general file system mount option. See Oracle Solaris Administration: ZFS File Systems and mount(1M).
If you attempt to set this obsolete parameter in the /etc/system file, the following message is displayed:
sorry, variable 'rstchown' is not defined in the 'kernel'
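The audit, rstchown and sudo NOEXEC items above are the ones most worth verifying after a transition. The script below is an added example, not part of the Oracle guide and not Oracle tooling: each check function parses the text output of the administrative command named in its comment, so the logic can be exercised against captured or constructed output on any host, while live_checks runs the real commands only where they exist. The assumed output formats, the required policy flags argv,cnt, the command /usr/bin/vi, and the sudoers lines are all assumptions or constructed data.

```shell
#!/bin/sh
# Added example, not from the Oracle guide: post-transition checks for the
# Solaris 11 changes listed above (audit service and policy, rstchown as a
# ZFS property, sudo NOEXEC). Each check_* function parses the text output of
# an administrative command, so it can be exercised against captured or
# constructed output on any host; live_checks runs the real commands where
# they exist. Output formats assumed below are those of the named commands.

# Audit service state, from: svcs -H -o state svc:/system/auditd:default
check_audit_online() {
    [ "$1" = "online" ]
}

# Audit policy, from: auditconfig -getpolicy
# $1 = captured output, $2 = comma-separated flags that must all be active
# (e.g. "argv,cnt"). Assumes a line of the form
#   active audit policies = argv,cnt
check_audit_policy() {
    active=$(printf '%s\n' "$1" | sed -n 's/^active audit policies = //p')
    for want in $(printf '%s' "$2" | tr ',' ' '); do
        case ",$active," in
            *",$want,"*) ;;
            *) echo "audit policy '$want' is not active" >&2; return 1 ;;
        esac
    done
    return 0
}

# rstchown, from: zfs get -H -o value rstchown <dataset>
# "on" keeps the traditional restriction that only root may chown a file.
check_rstchown_on() {
    [ "$1" = "on" ]
}

# Print the principals whose sudoers entry grants $2 without a NOEXEC tag.
# $1 = sudoers text. Only plain "user host = [tags:] command" lines are
# handled; tags that carry over to later commands in a list are not modelled.
# Commands with shell escapes (editors, pagers) should be NOEXEC so that sudo
# drops proc_exec for them, as described above.
sudoers_missing_noexec() {
    printf '%s\n' "$1" | awk -v cmd="$2" '
        BEGIN { re = "(^|[ \t,])" cmd "([ \t,]|$)" }
        /^[ \t]*(#|$)/ { next }
        $0 ~ re && $0 !~ /NOEXEC:/ { print $1 }'
}

# Constructed sample data standing in for captured command output.
SAMPLE_AUDIT_POLICY='configured audit policies = argv,cnt
active audit policies = argv,cnt'
SAMPLE_SUDOERS='# constructed sudoers, not from a real host
alice ALL = NOEXEC: /usr/bin/vi
bob   ALL = /usr/bin/vi
carol ALL = (root) NOPASSWD: /usr/sbin/zfs'

# Offline demonstration against the sample data.
check_audit_policy "$SAMPLE_AUDIT_POLICY" argv,cnt && echo "sample audit policy ok"
sudoers_missing_noexec "$SAMPLE_SUDOERS" /usr/bin/vi   # prints: bob

# Live checks on a Solaris 11 host; skipped elsewhere.
live_checks() {
    command -v auditconfig >/dev/null 2>&1 || { echo "not Solaris, skipping live checks"; return 0; }
    check_audit_online "$(svcs -H -o state svc:/system/auditd:default)" || echo "auditd is not online"
    check_audit_policy "$(auditconfig -getpolicy)" argv,cnt || echo "audit policy incomplete"
    for ds in $(zfs list -H -t filesystem -o name); do
        check_rstchown_on "$(zfs get -H -o value rstchown "$ds")" || echo "rstchown is off on $ds"
    done
    if [ -r /etc/sudoers ]; then
        for u in $(sudoers_missing_noexec "$(cat /etc/sudoers)" /usr/bin/vi); do
            echo "sudoers grants /usr/bin/vi to $u without NOEXEC"
        done
    fi
}
live_checks
```

Where a live check fails, the fixes are the commands the page points at: auditconfig -setpolicy +argv adds a policy flag to the running audit service without a reboot, and zfs set rstchown=on <dataset> restores the chown restriction on a dataset rather than editing the obsolete /etc/system variable.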
The following network security components are supported in this release:
Internet Key Exchange (IKE) and IPsec – IKE now includes more Diffie-Hellman groups and can also use Elliptic Curve Cryptography (ECC) groups. IPsec includes AES-CCM and AES-GCM modes and is now capable of protecting network traffic for the Trusted Extensions feature of Oracle Solaris (Trusted Extensions).
IPfilter Firewall – The Oracle Solaris IPfilter firewall, which is derived from and compatible with the open source IPFilter, is now managed as an SMF service and tightly integrated with SMF. This feature enables selective access to ports, based on source IP address.
Kerberos – Kerberos is now capable of mutual authentication of clients and servers. Also, support for initial authentication by using X.509 certificates with the PKINIT protocol has been introduced. See Part V, Kerberos Service, in Oracle Solaris Administration: Security Services.
Secure by Default – This feature was introduced in Oracle Solaris 10 as the netservices limited profile, but it was turned off by default. In Oracle Solaris 11, it is enabled by default. Secure by Default disables, or restricts to local connections, most network services in order to minimize network exposure. Note that SSH is the only network service left enabled for remote access.
SSH – Support for host and user authentication by using X.509 certificates is now available.
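Because Secure by Default leaves only SSH reachable from the network, the usual next step is an IPfilter rule set that restricts even that port by source address, which is the "selective access to ports, based on IP address" the IPfilter item describes. The rule file below is a constructed example added here, not from the Oracle guide; the interface name net0 and the 10.0.0.0/8 management network are assumptions.

```conf
# /etc/ipf/ipf.conf, constructed example (not from the Oracle guide).
# Interface net0 and the 10.0.0.0/8 management network are assumptions.
# Default-deny inbound; SSH only from the management network; log what is blocked.
pass out quick on net0 all keep state
pass in quick on lo0 all
pass in quick on net0 proto tcp from 10.0.0.0/8 to any port = 22 flags S keep state
block in log quick on net0 all
```

Manage the firewall through SMF rather than by running ipf directly: svcadm enable network/ipfilter loads the rules, svcadm refresh network/ipfilter reloads them after the file is edited, and ipfstat -io shows the rules currently in effect. Rule order matters because every rule above is marked quick: the first match wins, so the block rule must come last.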
The following security features are not included in Oracle Solaris 11:
Automated Security Enhancement Tool (ASET) – The ASET functionality is replaced by a combination of IPfilter (including svc.ipfd), BART, SMF, and other security features that are supported in Oracle Solaris 11.
Smartcard – Smartcard support is no longer available.