Oracle Solaris protects data from booting through installation, use, and archiving.
The first line of defense for protecting objects in a file system are the default UNIX permissions that are assigned to every file system object. UNIX permissions support assigning unique access rights to the owner of the object, to a group assigned to the object, as well as to anyone else. Additionally, the default file system, ZFS, supports access control lists (ACLs), which more finely control access to individual or groups of file system objects.
For more information, see the following:
For an overview of file permissions, see Using UNIX Permissions to Protect Files in Securing Files and Verifying File Integrity in Oracle Solaris 11.3.
For a description of security-relevant ZFS file attributes, see Using File Attributes to Add Security to ZFS Files in Securing Files and Verifying File Integrity in Oracle Solaris 11.3 and the man pages.
For an overview and examples of protecting ZFS files, see Chapter 2, Using ACLs and Attributes to Protect Oracle Solaris ZFS Files in Securing Files and Verifying File Integrity in Oracle Solaris 11.3 and the man pages.
For instructions about setting ACLs on ZFS files, see the chmod(1) man page.
The Cryptographic Framework feature of Oracle Solaris and the Key Management Framework (KMF) feature of Oracle Solaris provide central repositories for cryptographic services and key management. Hardware, software, and end users have seamless access to optimized algorithms. KMF provides a unified interface for otherwise different storage mechanisms, administrative utilities, and programming interfaces for various public key infrastructures (PKIs).
The Cryptographic Framework provides a common store of algorithms and PKCS #11 libraries to handle cryptographic requirements. The PKCS #11 libraries are implemented according to the RSA Security Inc. PKCS #11 Cryptographic Token Interface (Cryptoki) standard. Cryptographic services, such as encryption and decryption for files, are available to regular users.
KMF provides tools and programming interfaces for centrally managing public key objects, such as X.509 certificates and public/private key pairs. The formats for storing these objects can vary. KMF also provides a tool for managing policies that define the use of X.509 certificates by applications. KMF supports third-party plugins.
For more information, see the following:
Selected man pages include cryptoadm(1M), digest(1), encrypt(1), mac(1), pktool(1), and kmfcfg(1).
For an overview of cryptographic services, see Chapter 1, Cryptography in Oracle Solaris in Managing Encryption and Certificates in Oracle Solaris 11.3 and Chapter 4, Managing Certificates in Oracle Solaris in Managing Encryption and Certificates in Oracle Solaris 11.3.
For examples of using the Cryptographic Framework, see Chapter 3, Using the Cryptographic Framework in Managing Encryption and Certificates in Oracle Solaris 11.3 and the man pages.
To enable the Cryptographic Framework FIPS 140-2 provider, see How to Create a Boot Environment With FIPS 140-2 Enabled in Managing Encryption and Certificates in Oracle Solaris 11.3.
ZFS is the default file system for Oracle Solaris 11. The ZFS file system fundamentally changes the way Oracle Solaris file systems are administered. ZFS is robust, scalable, and easy to administer. Because file system creation in ZFS is lightweight, you can easily establish quotas and reserved space. UNIX permissions and ACLs protect files, and you can encrypt the entire dataset at creation. Oracle Solaris rights management supports the delegated administration of ZFS datasets, that is, users who are assigned a limited set of privileges can administer ZFS datasets.
For more information, see the following:
User Rights Management in Securing Users and Processes in Oracle Solaris 11.3
Oracle Solaris ZFS Features in Managing ZFS File Systems in Oracle Solaris 11.3