Oracle® Solaris 11.4 Security and Hardening Guidelines

Updated: May 2020
 
 

What's New in Security Features in Oracle Solaris 11.4

This section highlights information for existing customers about important new security features in this release.

Compliance Security Features

Cryptography Security Features

Kernel and System Security Features

File and File System Security Features

User and Process Rights Features

For process labeling, see Kernel and System Security Features.


Note - Rights protect new features, such as the analytics dashboard for viewing the Oracle Solaris StatsStore. For the new authorizations and rights profiles that protect the StatsStore, see Statistics Store Authorizations and Administrative Profiles in Using Oracle Solaris 11.4 StatsStore and System Web Interface.

    Additional security attributes are available for users and systems.

  • The Service Management Facility (SMF) is the repository for system-wide security settings which were previously in the following files:

      /etc/security/policy.conf
      /etc/default/login
      /etc/default/passwd
      /etc/default/su

    The values are set in an SMF stencil when the svc:/system/account-policy:default service is enabled. The service is disabled by default, so as not to interrupt your legacy practices. When the service is enabled, the following modification to the Oracle Solaris 11.3 policy.conf file is replaced by a setprop command in Oracle Solaris 11.4:

    example-11u3$ ## /etc/security/policy.conf file
    PRIV_DEFAULT=basic,!file_link_any
    example-11u4-sys$ pfbash svccfg -s account-policy \
     setprop config/etc_security_policyconf/disabled = boolean: false
    example-11u4-sys$ pfbash svccfg -s account-policy \
     setprop rbac/default_privileges = astring: "basic,!file_link_any"

    Similar modifications to the properties of the account-policy service can affect logins and the security settings of the su command. For more information, see account-policy(8S).

  • The unlock_after user attribute has been added to the user_attr database. Administrators can use this new attribute to specify the time after which a successful authentication automatically unlocks a locked account. The time may be specified as a number of minutes, hours, days, or weeks. For further information, see What’s New in Rights in Oracle Solaris 11.4 in Securing Users and Processes in Oracle Solaris 11.4 and the user_attr(5) man page.

  • The annotation user attribute has been added to the user_attr database. Administrators can use this new attribute to require users to annotate their logins. For further information, see What’s New in Rights in Oracle Solaris 11.4 in Securing Users and Processes in Oracle Solaris 11.4 and the user_attr(5) man page.

  • In Oracle Solaris you can limit labeled file access to processes and users who have the clearance to handle those labeled files. Even privileged users and roles can be prevented from accessing the contents of labeled files. For more information, see Chapter 6, Labeling Processes for Data Loss Protection in Securing Users and Processes in Oracle Solaris 11.4.
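
The PRIV_DEFAULT migration described in the SMF item above, as an added shell example (not Oracle's code): it reads a legacy policy.conf and prints the two setprop commands, refusing any value with characters outside a plain privilege list. The function names and the sample file are constructed here; taking the last active PRIV_DEFAULT line and the allowed character set are assumptions, and the commands are printed without the pfbash prefix.

```shell
#!/bin/sh
# Added example: carry a legacy PRIV_DEFAULT setting over to account-policy.
# Only the PRIV_DEFAULT -> rbac/default_privileges mapping shown on this page
# is handled; other policy.conf keys are ignored.

# extract_priv_default FILE: print the active PRIV_DEFAULT value, if any.
# Commented-out lines do not match; the last active line wins (assumption).
extract_priv_default() {
    val=
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            PRIV_DEFAULT=*) val=${line#PRIV_DEFAULT=} ;;
        esac
    done < "$1"
    printf '%s' "$val"
}

# policyconf_to_setprop FILE: print the svccfg commands for review.
# The output is meant to be run with administrative rights, so anything that
# is not a letter, digit, underscore, comma or "!" is rejected (assumed set).
policyconf_to_setprop() {
    val=$(extract_priv_default "$1") || return 2
    if [ -z "$val" ]; then
        echo "no active PRIV_DEFAULT in $1" >&2
        return 1
    fi
    case $val in
        *[!A-Za-z0-9_,!]*)
            echo "refusing unexpected characters in: $val" >&2
            return 3 ;;
    esac
    # svccfg setprop takes "pg/name = type: value". Single quotes keep an
    # interactive bash from history-expanding the "!".
    printf '%s\n' \
        "svccfg -s account-policy setprop config/etc_security_policyconf/disabled = boolean: false" \
        "svccfg -s account-policy setprop rbac/default_privileges = astring: '$val'"
}

# Constructed sample of an 11.3-style policy.conf (not from a real system).
tmp=$(mktemp)
cat > "$tmp" <<'EOF'
#PRIV_DEFAULT=basic
CRYPT_DEFAULT=5
PRIV_DEFAULT=basic,!file_link_any
EOF
policyconf_to_setprop "$tmp"
rm -f "$tmp"
```
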

Passwords and Authentication Security Features

Networking Security Features

Auditing Security Features