Go to main content

Securing Systems and Attached Devices in Oracle® Solaris 11.4

Exit Print View

Updated: July 2019
 
 

Controlling Access to a Computer System

In the workplace, all computers that are connected to a server can be thought of as one large multifaceted system. You are responsible for the security of this larger system. You need to defend the network from outsiders who are trying to gain access. You also need to ensure the integrity of the data on the computers within the network.

At the file level, Oracle Solaris provides standard security features that you can use to protect files, directories, and attached devices. At the system and network levels, the security issues are mostly the same. The first line of security defense is to control access to your system, as described in the following sections.

Maintaining Physical Security

To control access to your system, you must maintain the physical security of your computing environment. For instance, a system that is logged in and left unattended is vulnerable to unauthorized access. An intruder can gain access to the operating system and to the network. The computer's surroundings and the computer hardware must be physically protected from unauthorized access.

You can protect a SPARC system from unauthorized access to the hardware settings. Use the eeprom command to require a password to access the PROM. For more information, see How to Require a Password for SPARC Hardware Access. To protect x86 hardware, consult the vendor documentation.

Controlling Access to Boot Processes

    Oracle Solaris provides two technologies to control access to boot processes.

  • Verified Boot – Allows only signed boot and kernel software to run on the system.

    The value of the boot_policy property controls verified boot. The policy includes checking the bootblk and the loading of all kernel modules, including unix and genunix.

    The policy settings are stored in a Service Processor (SP), such as Oracle ILOM, Fujitsu SPARC M12, or Fujitsu M10 XSCF. The SP manages the hardware platform. For security reasons, the policy settings are purposely stored outside of the booted Oracle Solaris environment.

    For further information, see Policy for Verified Boot.

  • Trusted Platform Module (TPM) – Dedicated microcontroller that provides cryptographic functions to secure a system. TPM provides a cryptographic keystore and records hashes of firmware and software that are used to boot the system.

Controlling Access to USB Ports

Some Oracle platforms, such as the SPARC T7 platform, include external USB ports. Devices such as system controllers, power distribution units (PDUs), and network switches can use these USB connections. System administrators must protect their systems from attacks that exploit USB connections. Oracle Integrated Lights Out Manager (ILOM) can deny or limit system access through external USB ports.

For more information, see Using ILOM to Prevent Access to USB Ports.

Controlling Logins

You can prevent unauthorized logins to a system or the network through password assignment and login control. A password is a simple authentication mechanism. All accounts on a system must have a password. An account without a password makes your entire network accessible to an intruder who guesses a user name. A strong password algorithm protects against brute force attacks.

    When a user logs in to a system, the login command checks the appropriate naming service or directory service database according to the information in the name switch service, svc:/system/name-service/switch. To change values in a naming service database, you use the SMF commands. The naming services indicate the location of the databases that affect login:

  • files – Designates the /etc files on the local system

  • ldap – Designates the LDAP directory service on the LDAP server

  • nis – Designates the NIS database on the NIS master server

  • dns – Designates the domain name service on the network

For a description of the naming service, see the nscd(8) man page. For information about naming services and directory services, see Working With Oracle Solaris 11.4 Directory and Naming Services: DNS and NIS and Working With Oracle Solaris 11.4 Directory and Naming Services: LDAP.

The login command verifies the user name and password that were supplied by the user. If the user name is not in the password database, the login command denies access to the system. If the password is not correct for the user name that was specified, the login command denies access to the system. When the user supplies a valid user name and its corresponding password, the system grants the user access to the system.

PAM modules can streamline logging in to applications after a successful system login. For more information, see Chapter 1, Using Pluggable Authentication Modules in Managing Authentication in Oracle Solaris 11.4.

Sophisticated authentication and authorization mechanisms are available on Oracle Solaris systems. For a discussion of authentication and authorization mechanisms at the network level, see Authentication and Authorization for Remote Access.

Managing Password Information

When users log in to a system, they must supply both a user name and a password. Although logins are publicly known, passwords must be kept secret. Passwords should be known only to each user.

Your organization should have a password policy that follows industry standards. Users must choose their passwords carefully and follow your site's password policy.

Local Passwords

If your network uses local files to authenticate users, the password information is kept in the system's /etc/passwd and /etc/shadow files. The user names and other information are kept in the /etc/passwd file. The encrypted passwords themselves are kept in a separate shadow file, /etc/shadow. This security measure prevents a user from gaining access to the encrypted passwords. While the /etc/passwd file is available to anyone who can log in to a system, only the root account can read the /etc/shadow file. You can use the passwd command to change a user's password on a local system.

NIS Passwords

If your network uses NIS to authenticate users, password information is kept in the NIS password map. NIS does not support password aging. You can use the command passwd -r nis to change a user's password that is stored in an NIS password map.

LDAP Passwords

The Oracle Solaris LDAP naming service stores password information and shadow information in the ou=people container of the LDAP directory tree. On the Oracle Solaris LDAP naming service client, you can use the passwd -r ldap command to change a user's password. The LDAP naming service stores the password in the LDAP repository.

Password policy is enforced on the Oracle Directory Server Enterprise Edition. Specifically, the client's pam_ldap module follows the password policy controls that are enforced on Oracle Directory Server Enterprise Edition. For more information, see LDAP Naming Service Security Model in Working With Oracle Solaris 11.4 Directory and Naming Services: LDAP.

Password Parameters

The Oracle Solaris 11.4 release includes changes to the default password length and supported password hashes, and adds duration parameters. The legacy method of viewing and changing password parameter information in files is replaced by the SMF service, account-policy.


Note -  If you are using the account-policy SMF stencil and the config/etc_default_passwd property is enabled, review Modifying Rights System-Wide As SMF Properties in Securing Users and Processes in Oracle Solaris 11.4. See also the account-policy(8S) man page.

The following list of password attributes in the account-policy SMF stencil indicate the password parameters that are configurable:

password/history count
password/value_authorization astring solaris.account.setpolicy
password/aging_defaults/max_days count
password/aging_defaults/min_days count
password/aging_defaults/warn_days count
password/complexity/max_repeats count
password/complexity/min_alpha count
password/complexity/min_diff count
password/complexity/min_digit count
password/complexity/min_lower count
password/complexity/min_nonalpha count
password/complexity/min_special count
password/complexity/min_upper count
password/complexity/namecheck boolean
password/complexity/passlength count
password/complexity/whitespace boolean
password/crypt/algorithms_allow astring 2a 5 6
password/crypt/algorithms_deprecate astring
password/crypt/default astring 5
password/dictionary/db_dir astring
password/dictionary/min_word_length count
password/dictionary/word_list astring

Passwords can no longer be less than 8 characters in length. You can modify the password length for users.

Password Hashes

Strong password encryption provides an early barrier against attack. Oracle Solaris software provides six password encryption algorithms. The SHA algorithms provide robust password encryption.


Note -  To be FIPS 140-2 approved, use the SHA algorithms. For information, see passwd Command as a FIPS 140-2 Consumer in Using a FIPS 140-2 Enabled System in Oracle Solaris 11.4.
Password Algorithm Identifiers

You can specify the algorithms configuration for your site by enabling the config/etc_default_passwd property in the account-policy SMF stencil. For more information, review Modifying Rights System-Wide As SMF Properties in Securing Users and Processes in Oracle Solaris 11.4. See also the account-policy(8S) man page.

You indicate the algorithms by their identifier, as shown in the following table. For the identifier-algorithm mapping, see the /etc/security/crypt.conf file.


Note -  Use FIPS 140-2 approved algorithms when possible. For a list of FIPS 140-2 approved algorithms, see FIPS 140-2 Algorithm Lists and Certificate References for Oracle Solaris Systems in Using a FIPS 140-2 Enabled System in Oracle Solaris 11.4.
Table 1  Password Hashing Algorithms
Identifier
Description
Algorithm Man Page
1
The MD5 algorithm that is compatible with MD5 algorithms on BSD and Linux systems.
2a
The Blowfish algorithm that is compatible with the Blowfish algorithm on BSD systems.

Note -  To promote FIPS 140-2 security, remove the Blowfish algorithm (2a) from password/crypt/algorithms_allow.

md5
The Sun MD5 algorithm, which is considered stronger than the BSD and Linux version of MD5.
5
The SHA256 algorithm. SHA stands for Secure Hash Algorithm. This algorithm is a member of the SHA-2 family. SHA256 supports 255-character passwords. This algorithm is the default, (CRYPT_DEFAULT).
6
The SHA512 algorithm.
__unix__
Deprecated. The traditional UNIX encryption algorithm. This algorithm can be of use when connecting to old systems.

Note -  The algorithm that is used for a user's initial password continues to be used for new password generation for that user even though a different default algorithm might have been selected prior to generating a new password for that user. This mechanism applies under the following conditions:
  • The algorithm is included in the list of allowed algorithms to be used for password encryption.

  • The identifier is not _unix_.

For procedures describing how to switch algorithms for password encryption, see Changing the Default Algorithm for Password Encryption.


Password Hashes Configuration

Note -  If you are using the account-policy SMF stencil and the config/etc_default_passwd property is enabled, you change password configuration in SMF. For more information, see Modifying Rights System-Wide As SMF Properties in Securing Users and Processes in Oracle Solaris 11.4. See also the account-policy(8S) man page.

The account-policy service has three parameters that affect password hashes:

password/crypt/algorithms_allow astring 2a 5 6
password/crypt/algorithms_deprecate astring
password/crypt/default astring 5

When you change the value for password/crypt/default, the passwords of new users are encrypted with the algorithm that is associated with the new value.

When existing users change their passwords, the way their old password was encrypted affects which algorithm is used to encrypt the new password. For example, assume that the administrator has changed the password parameters to CRYPT_ALGORITHMS_ALLOW=1,2a,md5,5,6 and password/crypt/default=6. The following table shows which algorithm would be used to generate the encrypted password. The password consists of identifier=algorithm.

Initial Password
Changed Password
Explanation
1 = crypt_bsdmd5
Uses same algorithm
The 1 identifier is in the CRYPT_ALGORITHMS_ALLOW list. The user's password continues to be encrypted with the crypt_bsdmd5 algorithm.
2a = crypt_bsdbf
Uses same algorithm
The 2a identifier is in the CRYPT_ALGORITHMS_ALLOW list. Therefore, the new password is encrypted with the crypt_bsbdf algorithm.
md5 = crypt_md5
Uses same algorithm
The md5 identifier is in the CRYPT_ALGORITHMS_ALLOW list. Therefore, the new password is encrypted with the crypt_md5 algorithm.
5 = crypt_sha256
Uses same algorithm
The 5 identifier is in the CRYPT_ALGORITHMS_ALLOW list. Therefore, the new password continues to be encrypted with the crypt_sha256 algorithm.
6 = crypt_sha512
Uses same algorithm
The 6 identifier is s the value of CRYPT_DEFAULT. Therefore, the new password continues to be encrypted with the crypt_sha512 algorithm.
__unix__ = crypt_unix
Uses crypt_sha512 algorithm
The __unix__ identifier is not in the CRYPT_ALGORITHMS_ALLOW list. Therefore, the crypt_unix algorithm cannot be used. The new password is encrypted with the CRYPT_DEFAULT algorithm.

For more information about configuring the algorithm choices, see the account-policy(8S) man page. To specify password encryption algorithms, see Changing the Default Algorithm for Password Encryption.

Special System Accounts

The root account is one of several special system accounts. Of these accounts, only the root account is assigned a password and can log in. The nuucp account can log in for file transfers. The other system accounts either protect files or run administrative processes without using the full powers of root.


Caution

Caution  -  Never change the password setting of a system account. System accounts from Oracle Solaris are delivered in a safe and secure state. Do not revise or create system files with a UID that is 101 or less.


The following table lists some system accounts and their uses. The system accounts perform special functions. Each account on this list has a UID that is less than 100. For a full listing of system files, use the command logins –s.

Table 2  Selected System Accounts and Their Uses
System Account
UID
Use
root
0
Has almost no restrictions. Can override other protections and permissions. The root account has access to the entire system. The password for the root account should be very carefully protected. The root account owns most of the Oracle Solaris commands.
daemon
1
Controls background processing.
bin
2
Owns some Oracle Solaris commands.
sys
3
Owns many system files.
adm
4
Owns some administrative files.
lp
71
Owns the object data files and spooled data files for the printer.
uucp
5
Owns the object data files and spooled data files for UUCP, the UNIX system-to-UNIX system copy program.
nuucp
9
Used by remote systems to log in to the system and start file transfers.

Two-Factor Authentication With OTP and Smart Cards

Oracle Solaris supports smart cards and one-time passwords (OTP). These technologies require the user to provide two forms of identification. The first form is the UNIX user name and password. The second is a smart card and PIN, or a mobile authenticator and a OTP. See Chapter 3, Using Smart Cards for Multifactor Authentication in Oracle Solaris in Managing Authentication in Oracle Solaris 11.4 and Chapter 4, Using One-Time Passwords for Multifactor Authentication in Oracle Solaris in Managing Authentication in Oracle Solaris 11.4.

Remote Logins

Remote logins offer a tempting avenue for intruders. Oracle Solaris provides several commands to monitor, limit, and disable remote logins. For procedures, see Figure 4, Table 4, Securing Logins and Passwords Task Map.

By default, remote logins cannot gain control or read certain system devices, such as the system mouse, keyboard, frame buffer, or audio device. For more information, see the logindevperm(5) man page.