This section highlights information for existing customers about important new security features in this release.
You can assess the compliance of your systems to security standards with the new compliance command. It enables you to assess and report the compliance of your system to industry standard security benchmarks, including PCI-DSS. For details, see Oracle Solaris 11.2 Security Compliance Guide and the compliance (1M) man page.
The Cryptographic Framework feature of Oracle Solaris is validated at FIPS 140-2, Level 1 for userland and kernel functions in the Oracle Solaris 11.1 SRU 5.5 and Oracle Solaris 11.1 SRU 3 releases.
For a list of Oracle FIPS 140-validated products, see Oracle FIPS 140 Software Validations.
For information about enabling FIPS 140 mode on your system, see Using a FIPS 140 Enabled System in Oracle Solaris 11.2 .
Oracle Solaris 11.1 is certified under the Canadian Common Criteria Scheme. See Oracle Solaris 11 Common Criteria EAL4+ Certification.
The audit service can use the Oracle Audit Vault to store, review, and analyze audit records. See Using Oracle Audit Vault and Database Firewall for Storage and Analysis of Audit Records in Managing Auditing in Oracle Solaris 11.2 .
Verified boot protects the boot process from threats on Oracle SPARC T5 Series servers and Oracle SPARC T7 Series servers. For more information, see Using Verified Boot in Securing Systems and Attached Devices in Oracle Solaris 11.2 .
You can secure Automatic Installation (AI) installations with certificates and keys for the install server, for specified client systems, for all clients of a specified install service, and for any other AI clients. Secure AI protects the transmission of Oracle Solaris packages to your systems. See Increasing Security for Automated Installations in Installing Oracle Solaris 11.2 Systems .
A new group installation package is available, pkg:/group/system/solaris-minimal-server. For a description and a comparison of group package contents, see Oracle Solaris 11.2 Package Group Lists .
You can install Kerberos clients by using AI, so that the client is a Kerberized system at first boot. See How to Configure Kerberos Clients Using AI in Installing Oracle Solaris 11.2 Systems .
In this release, physical global zones, called Immutable Global Zones, and virtual global zones, called Oracle Solaris Kernel Zones, can be read-only. Immutable global zones are slightly more powerful than Kernel Zones, but neither can permanently change the hardware or configuration of the system. Read-only zones boot faster and are more secure than zones that allow writes.
For maintenance, immutable global zones define a special set of processes, called the Trusted Computing Base (TCB) that can be configured through a protected login called the Trusted Path. For more information, see Chapter 12, Configuring and Administering Immutable Zones, in Creating and Using Oracle Solaris Zones . For information about zone configuration resources, see Introduction to Oracle Solaris Zones . See also the mwac(5) and tpd(5) man pages.
Oracle Solaris Kernel Zones are useful for deploying a compliant system. For example, you can configure a compliant system, create a Unified Archive, then deploy the image as a kernel zone. For more information, see the solaris-kz(5) man page, Creating and Using Oracle Solaris Kernel Zones , Oracle Solaris Zones Overview in Introduction to Oracle Solaris 11.2 Virtualization Environments , and Using Unified Archives for System Recovery and Cloning in Oracle Solaris 11.2 .
New features in user and process rights include the following:
Time-based and location-based access control to PAM services
Authorization Roles Managed on RBAC (ARMOR) predefined roles
Rights profiles that force users to provide a password before running a privileged action
The Network Observability and System Observability rights profiles for running the diagnostic commands ipstat, tcpstat, snoop, and intrstat with privilege and without being root
IKE Version 2 (IKEv2) provides the latest IKE protocol for automatic key management of IPsec-protected network packets. For details, see What’s New in Network Security in Oracle Solaris 11.2 in Securing the Network in Oracle Solaris 11.2 .
The Oracle Hardware Management Pack (HMP) supplies command-line tools for configuring and updating firmware. For information about how to use HMP securely with other Oracle hardware products such as network switches and network interface cards, see Oracle Hardware Management Pack for Oracle Solaris Security Guide .