This section describes the security and compliance features that are new in this release. These new features help prevent new threats through anti-malware protection and enable you to meet the strictest compliance obligations.
Sandboxes are uniquely named sets of process attributes that can be used to specify security and resource isolation requirements. In Oracle Solaris 11.4, you can execute untrusted processes in temporary sandboxes. Persistent and hierarchical sandboxes can be created by using the sandboxadm command. Both temporary and persistent sandboxes can be entered by using the sandbox command.
Sandboxes are suitable for constraining both privileged and unprivileged applications. Enhanced exploit mitigation controls leveraging SPARC Silicon Secured Memory automatically protect key applications and the system kernel.
For more information, see Configuring Sandboxes for Project Isolation in Securing Users and Processes in Oracle Solaris 11.4 and the sandboxing(7), sandbox(1), and sandboxadm(8) man pages.
This Oracle Solaris release supports the ability to run and store compliance reports remotely, and to filter reports according to metadata.
You can run and administer compliance reports from a central system and store them on a common server. See Chapter 2, Centrally Managing Compliance Assessments in Oracle Solaris 11.4 Compliance Guide and the compliance-roster(8) man page.
You can tag compliance assessments for identification and filtering. See Using Metadata to Manage Assessments in Oracle Solaris 11.4 Compliance Guide and the Match Parameters section of the compliance(8) man page.
The standard benchmark for the Oracle Solaris compliance command includes checks for Oracle Solaris Cluster. The Oracle Solaris Cluster checks run only when the system has Oracle Solaris Cluster installed and configured.
See the following documentation for information about benchmarks, profiles, the compliance command, and Oracle Solaris Cluster compliance checks:
compliance(8) man page
What’s New in Compliance in Oracle Solaris 11.4 in Oracle Solaris 11.4 Compliance Guide
Oracle Solaris Cluster 4.4 Security Guidelines
Per-file auditing in Oracle Solaris 11.4 provides fine-grained, on-access auditing of specific files and directories. With this feature, system and security administrators can target specified files to be audited. Auditing can be limited to particular kinds of access to those files, which makes audit data much easier to collect and analyze.
For example:
# chmod A+everyone@:write_data/read_data:successful_access/failed_access:audit /data/db1
This audit ACE ensures that an audit record is generated for any read or write, both successful and denied, of the /data/db1 file by any user on the system. Audit ACEs can also be added for metadata changes.
For more information, see What’s New in the Audit Service in Oracle Solaris 11.4 in Managing Auditing in Oracle Solaris 11.4.
In Oracle Solaris 11.4, this new feature helps you generate audit records that indicate the signature verification results of kernel modules. The feature checks the Verified Boot boot_policy value when Oracle Solaris 11.4 boots, and outputs the value to an audit record for the AUE_SYSTEMBOOT event. When Verified Boot is enabled with the boot_policy property set to warning or enforce, Oracle Solaris audit produces AUE_MODLOAD audit events if an elfsign signature verification fails when a module is to be loaded. With Verified Boot enabled, you can keep track of events for kernel modules that have invalid signatures or signatures that have not been loaded into the system.
For more information, see New Feature – Auditing Verified Boot in Managing Auditing in Oracle Solaris 11.4.
Oracle Solaris 11.4 introduces the admhist utility, which is used to provide a summary of system administration related events that have been run on the system, in a helpful, easy-to-understand format. The admhist utility leverages audit data that enables the praudit and auditreduce utilities to provide more detailed log analysis.
A variety of options are available that enable you to narrow the results by user, date, time, or type of event. For example, you can identify privileged command executions by a particular user ID within the last 24 hours:
# admhist -v -a "last 24 hours"
2017-05-09 10:58:55 user1@example.com cwd=/export/home/user1 /usr/sbin/zfs get quota rpool/export/home/user1
2017-05-09 10:59:16 user1@example.com cwd=/export/home/user1 /usr/sbin/zfs set quota 40g
2017-05-09 10:59:27 user1@example.com cwd=/export/home/user1 /usr/sbin/zfs get quota rpool/export/home/user1
2017-05-09 10:59:31 user1@example.com cwd=/export/home/user1 /usr/bin/bash
2017-05-09 10:59:31 user1@example.com cwd=/ /usr/bin/su
The output illustrates that the user user1 switched to the root user and increased his quota. The privileges that are used throughout the life of the process are examined when the command exits, which is why the su operation is listed at the end of the output.
For more information, see the admhist(8) man page, New Feature – Per-Privilege Logging of Audit Events in Managing Auditing in Oracle Solaris 11.4, and Using Oracle Solaris 11.4 StatsStore and System Web Interface.
Oracle Solaris 11.4 provides client support for using the Key Management Interoperability Protocol (KMIP) version 1.1. A new PKCS#11 provider, pkcs11_kmip, is provided in the Oracle Solaris Cryptographic Framework, which enables PKCS#11 applications to function as KMIP clients and communicate to KMIP-compliant servers.
Oracle Solaris 11.4 also includes a new command, kmipcfg, which initializes and manages the states of the pkcs11_kmip provider.
For more information, see Chapter 5, KMIP and PKCS #11 Client Applications in Managing Encryption and Certificates in Oracle Solaris 11.4 and the pkcs11_kmip(7) and kmipcfg(8) man pages.
File and process labeling in Oracle Solaris 11.4 provides a framework for restricting access to sensitive information. Files and directories can now be labeled to provide access to users or roles with sufficient clearance. The clearance policy also applies to processes with all privileges. Oracle Solaris 11.4 can generate logs of every access to labeled files, which can be used to meet compliance standards such as PCI-DSS and HIPAA.
For more information, see Labels and Clearances in Securing Files and Verifying File Integrity in Oracle Solaris 11.4 and the clearance(7) man page.
Silicon Secured Memory (SSM), also called Application Data Integrity (ADI), adds real-time checking of access to data in memory to help protect against malicious intrusion and flawed program code in production for greater security and reliability.
SSM is available via the default system memory allocator and is available inside a kernel zone. See Silicon Secured Memory Support in Oracle Solaris Kernel Zones.
The system default allocator (libc malloc) is now Application Data Integrity (ADI) aware. Binaries tagged with the sxadm command automatically receive the protection. See the ADIHEAP and ADISTACK protections in the Security Extensions section of the sxadm(8) man page.
SSM application programming interfaces are available for advanced customization. See Protecting Against Malware With Security Extensions in Securing Systems and Attached Devices in Oracle Solaris 11.4 and the adi(2) man page.
Oracle Solaris 11.4 includes the OpenBSD Packet Filter (PF) firewall for filtering TCP/IP traffic. The PF firewall is a replacement for IP Filter (IPF) in Oracle Solaris 11.4, enabling both bandwidth management and packet prioritization. To use the PF firewall, install the pkg:/network/firewall package and enable the svc:/network/firewall:default service instance.
PF includes the pflogd feature, a packet logging daemon that safely saves packets logged by the PF firewall. These packets are available from a capture datalink. The daemon reads packets from this datalink and stores them into a file. For more information, see the pflogd(8) man page.
PF supports ftp-proxy, a semi-transparent proxy for FTP, supporting IPv4 NAT. Systems running the PF firewall for NAT can use the ftp-proxy to allow FTP connections to pass through the firewall. For more information, see the ftp-proxy(8) man page.
For more information, see Chapter 4, Oracle Solaris Firewall in Securing the Network in Oracle Solaris 11.4 and the pfctl(8), pf.conf(7), and pf.os(7) man pages.
Oracle Solaris 11.4 provides an updated version of Kerberos, which includes improvements from the latest version of MIT Kerberos, as well as enhancements made for Oracle Solaris. Kerberos provides network authentication, and optionally provides message integrity and privacy, depending on how an application uses it.
For more information, see Chapter 1, Kerberos on Oracle Solaris in Managing Kerberos in Oracle Solaris 11.4 and the kerberos(5) man page.
The Simple Authentication and Security Layer (SASL) framework provides authentication and optional security services for network protocols. Oracle Solaris 11.4 bases its SASL implementation on the open source Cyrus SASL version 2.1.26 with a few changes.
The SASL plugins are in the /usr/lib/sasl2 directory, and the default location for the SASL configuration files is the /etc/sasl2 directory. By basing the SASL version on open source, Oracle Solaris 11.4 is able to provide the latest SASL features, including security updates.
For more information, see Chapter 2, Using Simple Authentication and Security Layer in Managing Authentication in Oracle Solaris 11.4.
This Oracle Solaris release offers an alternative to editing individual files in the /etc directory to establish system policy. The account-policy Service Management Facility (SMF) service stores login, su, shell variables, logging, security policy (policy.conf), and RBAC settings as properties in SMF. When the service is enabled, you set and get system policy through the service. Note that the /etc files might not indicate the policies that are in effect. For more information, see the account-policy(8S) man page and Modifying Rights System-Wide As SMF Properties in Securing Users and Processes in Oracle Solaris 11.4.
The Oracle Solaris Cryptographic Framework has been updated from PKCS #11 v2.20 to PKCS #11 v2.40. The updates include some of the latest mechanisms in PKCS #11 v2.40 including those from PKCS #11 v2.30. A new error code and a new value have also been introduced in PKCS #11 v2.40. The following new mechanisms have been added:
AES signing and verification
CKM_AES_XCBC_MAC, CKM_AES_XCBC_MAC_96, CKM_AES_CMAC, CKM_AES_GMAC
AES encryption and decryption
CKM_AES_GCM, CKM_AES_CCM, CKM_AES_CFB128
SHA-512/t message digesting
CKM_SHA512_224, CKM_SHA512_256, CKM_SHA512_T
SHA-512/t general-length with HMAC
CKM_SHA512_224_HMAC_GENERAL, CKM_SHA512_256_HMAC_GENERAL, CKM_SHA512_T_HMAC_GENERAL, CKM_SHA512_224_HMAC, CKM_SHA512_256_HMAC, CKM_SHA512_T_HMAC
SHA-512/t key derivation
CKM_SHA512_224_KEY_DERIVATION, CKM_SHA512_256_KEY_DERIVATION, CKM_SHA512_T_KEY_DERIVATION
TLS 1.2
CKM_TLS12_MASTER_KEY_DERIVE, CKM_TLS12_MASTER_KEY_DERIVE_DH, CKM_TLS12_KEY_AND_MAC_DERIVE, CKM_TLS12_KEY_SAFE_DERIVE, CKM_TLS_KDF (replacing CKM_TLS_PRF), CKM_TLS_MAC (replacing CKM_TLS_PRF)
Error code CKR_CURVE_NOT_SUPPORTED for elliptic curve
If a specific elliptic curve cannot be supported, then the error code CKR_CURVE_NOT_SUPPORTED is returned. In the previous version, CKR_TEMPLATE_INCONSISTENT was returned if the curve was not supported.
CK_UNAVAILABLE_INFORMATION
When C_GetAttributeValue() is called, and if an attribute cannot be returned because of its invalidity or unavailability, ulValueLen is set to CK_UNAVAILABLE_INFORMATION. The caller has to check if the returned attribute value is invalid or unavailable by comparing ulValueLen with CK_UNAVAILABLE_INFORMATION. Moreover, the caller has to treat ulValueLen = 0 as a valid value.
Attribute CKA_DESTROYABLE and error code CKR_ACTION_PROHIBITED
If an object has CKA_DESTROYABLE = CK_FALSE, then a request to C_DestroyObject for this particular object should result in CKR_ACTION_PROHIBITED being returned as error code.
Removing Restrictions with CKU_SO
This change removes the restrictions on having R/O sessions open while CKU_SO is logged in. While R/O sessions can now co-exist with CKU_SO, those sessions behave as CKS_RO_PUBLIC_SESSION. An R/O session cannot be used to C_Login with CKU_SO.
CKR_SESSION_READ_ONLY_EXISTS and CKR_SESSION_READ_WRITE_SO_EXISTS are deprecated.
For more information, see the SUNW_C_GetMechSession(3EXT), SUNW_C_KeyToObject(3EXT), libpkcs11(3LIB), pkcs11_softtoken(7), pkcs11_kms(7), and pkcs11_tpm(7) man pages.
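The CK_UNAVAILABLE_INFORMATION rule described above, shown as caller-side handling of a template after C_GetAttributeValue() returns. This is an added example, not Oracle code: the CK_ types are local stand-ins that mirror the PKCS #11 v2.40 header so the file builds without cryptoki.h, classify_attr() and usable_bytes() are hypothetical helper names, and the template in main() is constructed.

```c
#include <stddef.h>
#include <stdio.h>

/* Local stand-ins mirroring the PKCS #11 v2.40 header definitions.
 * A real client includes the provider's cryptoki.h instead. */
typedef unsigned long CK_ULONG;
typedef struct { CK_ULONG type; void *pValue; CK_ULONG ulValueLen; } CK_ATTRIBUTE;
#define CK_UNAVAILABLE_INFORMATION (~0UL)

typedef enum { ATTR_OK, ATTR_EMPTY, ATTR_UNAVAILABLE } attr_status; /* hypothetical */

/* Classify one template entry after C_GetAttributeValue() has returned. */
attr_status classify_attr(const CK_ATTRIBUTE *a)
{
    if (a->ulValueLen == CK_UNAVAILABLE_INFORMATION)
        return ATTR_UNAVAILABLE;  /* do not read pValue or use the length */
    if (a->ulValueLen == 0)
        return ATTR_EMPTY;        /* valid: the attribute exists and is empty */
    return ATTR_OK;
}

/* Sum the bytes that are safe to copy out of a filled template.
 * Adding ulValueLen without the check would wrap on the sentinel value. */
size_t usable_bytes(const CK_ATTRIBUTE *tmpl, size_t n, size_t *unavailable)
{
    size_t total = 0;
    *unavailable = 0;
    for (size_t i = 0; i < n; i++) {
        if (classify_attr(&tmpl[i]) == ATTR_UNAVAILABLE)
            (*unavailable)++;
        else
            total += tmpl[i].ulValueLen;
    }
    return total;
}

/* Constructed template as it might look after the call (not real token output). */
int main(void)
{
    unsigned char label[] = "db-key";
    CK_ATTRIBUTE tmpl[] = {
        { 0x03UL,  label, 6 },                          /* CKA_LABEL, 6 bytes */
        { 0x102UL, NULL,  0 },                          /* CKA_ID, empty value */
        { 0x11UL,  NULL,  CK_UNAVAILABLE_INFORMATION }, /* CKA_VALUE, not returned */
    };
    size_t skipped;
    size_t n = usable_bytes(tmpl, 3, &skipped);
    printf("usable=%zu unavailable=%zu\n", n, skipped);
    return 0;
}
```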