Oracle^® Solaris 11.3 Security and Hardening Guidelines

Maintaining and Monitoring System Security

The tasks described in the following table maintain and monitor access and use of your system and data, and adherence to your site's security requirements.

Table 7  Maintaining and Monitoring the System Task Map

Task Description For Instructions Verify that you are running the latest version of the OS. Checks that the latest updates and security fixes are installed. Administering CVE Updates in Oracle Solaris in Oracle Solaris 11.3 Security Compliance Guide Verify that your local IPS repository is valid. Checks that the files in the local repository pass a series of checks. Also validates the signatures on signed packages. Ensuring Secure Package Installation From Your Local IPS Repository Verify the packages on the system. Checks that the packages after an update are identical to the source packages and verifies the signatures on signed packages. How to Verify Your Packages Run compliance tests. Assesses the system's compliance to security benchmarks. Oracle Solaris 11.3 Security Compliance Guide and the compliance(1M) man page Verify file integrity. After configuration, compares BART manifests at regular intervals to ensure that only files that should be changed are changed. How to Compare Manifests for the Same System Over Time in Securing Files and Verifying File Integrity in Oracle Solaris 11.3 Find suspicious files. Locates the potentially unauthorized use of the setuid and setgid permissions on programs. How to Find Files With Special File Permissions in Securing Files and Verifying File Integrity in Oracle Solaris 11.3 Review audit logs regularly. Locates unusual access and use of the system. Using the Audit Service Review audit logs for login and logout events in real time. Identifies attempted breaches near to the time that the attempts occur. Monitoring Audit Records in Real Time

Ensuring Secure Package Installation From Your Local IPS Repository

Maintaining a valid and secured IPS repository is essential for package installation. For secure repository creation and maintenance, follow Best Practices for Creating and Using Local IPS Package Repositories in Copying and Creating Package Repositories in Oracle Solaris 11.3. The practices include the following:

• Ensuring that you are verifying signatures on signed packages

• Verifying that the files in the repository pass a series of checks, including that packages are signed correctly

• Verifying access to the repository

For repository configuration and maintenance procedures, see Copying and Creating Package Repositories in Oracle Solaris 11.3. For verifying package installation, see How to Verify Your Packages.

Using the Audit Service

Auditing keeps a record of how the system is being used. The audit service includes tools to assist with the analysis of the auditing data.

The audit service is described in Managing Auditing in Oracle Solaris 11.3. For a list of the man pages and links to them, see Audit Service Man Pages in Managing Auditing in Oracle Solaris 11.3.

The following audit service procedures are useful in many secure environments:

• Create separate roles to configure auditing, review auditing, and start and stop the audit service. Assign the roles to trusted users.

  Use the Audit Configuration, Audit Review, and Audit Control rights profiles as the basis for your roles.

  To create roles or use the predefined ARMOR roles, see Assigning Rights to Users in Securing Users and Processes in Oracle Solaris 11.3.

• Audit all administrators with the cusa audit class.

  Events in the cusa audit class cover administrative actions that affect the system's security posture. For a description, see the /etc/security/audit_class file. For the procedure, see How to Audit Significant Events in Addition to Login/Logout.

• Send audit records to a central server.

  • Configure auditing to work with the Audit Remote Server (ARS).

    The audit service can use the Oracle Audit Vault to store, review, and analyze audit records. See Using Oracle Audit Vault and Database Firewall for Storage and Analysis of Audit Records in Managing Auditing in Oracle Solaris 11.3 and How to Send Audit Files to a Remote Repository in Managing Auditing in Oracle Solaris 11.3.

  • Schedule the secure transfer of complete audit files to an audit review file system on a separate ZFS pool.

• Monitor text summaries of selected audited events in the syslog utility

  Activate the audit_syslog plugin, then monitor the reported events.

  See How to Configure syslog Audit Logs in Managing Auditing in Oracle Solaris 11.3.

• Limit the size of audit files.

  Set the p_fsize attribute for the audit_binfile plugin to a useful size. Consider your reviewing schedule, disk space, and cron job frequency, among other factors.

  For examples, see How to Assign Audit Space for the Audit Trail in Managing Auditing in Oracle Solaris 11.3.

• Schedule the secure transfer of complete audit files to an audit review file system on a separate ZFS pool.

• Review complete audit files on the audit review file system.

Monitoring Audit Records in Real Time

The audit_syslog plugin enables you to record summaries of preselected audit events. To display the audit summaries in a terminal window as they are generated, run a command similar to the following:

# tail -0f  /var/adm/auditlog

To configure the audit log, see How to Configure syslog Audit Logs in Managing Auditing in Oracle Solaris 11.3.

Reviewing and Archiving Audit Logs

Audit records can be viewed in text format or in a browser in XML format.

For information and procedures see the following:

• Audit Logs in Managing Auditing in Oracle Solaris 11.3

• Preventing Audit Trail Overflow in Managing Auditing in Oracle Solaris 11.3

• Displaying Audit Trail Data in Managing Auditing in Oracle Solaris 11.3