Go to main content

Securing Systems and Attached Devices in Oracle® Solaris 11.4

Exit Print View

Updated: July 2019
 
 

Protecting Against Malware With Security Extensions

Oracle Solaris protects address space, process heap, and the process stack through the Security Extensions Framework. Security extensions are enabled by default for kernel processes, such as Kerberos daemons.

The Security Extensions Framework also protects platforms that run Oracle Solaris from various speculative execution vulnerabilities. These platform security extensions are managed slightly differently from the heap and stack extensions. See Protecting Platforms Against Speculative Execution Attacks.

Security extensions protect selected application binaries in Oracle Solaris. For example, the Apache HTTP Server, DHCP, Secure Shell, and sendmail are protected by security extensions. To see whether a binary is protected by security extensions, see Example 5, Determining Whether a Binary is Protected by a Security Extension.

You can use the framework's sxadm command to enable and disable security extensions for selected binaries and to manage their properties.

    The security extensions configurations for a binary include:

  • Disabled – The security extension is disabled for all binaries.

  • Tagged binaries – The security extension is controlled by the tag that is coded in the binaries.

  • Enabled – The security extension is enabled for all binaries, except for those that are explicitly tagged to disable it.

You can use the framework's sxadm status command to show the current status of the extension. The flags that indicate the status are:

  • c – Indicates a configurable security extension

  • k – Indicates a kernel security extension

  • p – Indicates that changes are pending which will be active after a reboot

  • r – Indicates that a reboot is requred after configuration changes

  • u – Indicates a userland security extension

sxadm includes a debugging interface, sxadm exec, which executes a specific program with a given security extension enabled or disabled for that single execution.