This section highlights information for existing customers about important new security features in this release.
Oracle Solaris protects the password to the GRUB menu. For more information, see Password-Protecting the GRUB Menu in Booting and Shutting Down Oracle Solaris 11.3 Systems.
On SPARC multidomain series servers where the Trusted Path Module (TPM) resides on the SP/SPP board, the TPM can fail over to a spare board. For more information, see TPM Failover Option in Securing Systems and Attached Devices in Oracle Solaris 11.3.
You can use verified boot to secure a kernel zone's boot process. Verified boot protects a kernel zone from corrupted kernel zone modules, malicious programs, and installation of unauthorized third-party kernel modules by securely loading Oracle Solaris kernel modules before execution. For more information, see Using Verified Boot to Secure an Oracle Solaris Kernel Zone in Creating and Using Oracle Solaris Kernel Zones.
You can encrypt the live migration of zones on SPARC and x86 platforms. Called secure live migration, encrypted live migration is the default. For more information, see About Secure Live Migration in Creating and Using Oracle Solaris Kernel Zones.
When you first log in to a desktop session, a dialog box informs you of your last login time and location. This notification if an unauthorized login has occurred is a good security practice and commonly required by various security policies. For more information, see the pam_unix_session(5) man page.
You can create an encrypted password, or password hash, by using the pwhash command. You can then provide the password during an initial boot sequence in Automatic Installation (AI). You can also pass the hash to the passwd command by using the –p option. See the pwhash(1) and passwd(1) man pages and Configuring Root and User Accounts in Installing Oracle Solaris 11.3 Systems.
You can implement smart cards and smart card readers in Oracle Solaris to provide two-factor user authentication (2FA) and nonrepudiation for a range of security solutions, including local login, remote login over a network, secure web communication and secure email. Logging in with a smart card in Oracle Solaris provides much stronger security than network login processes that depend on traditional passwords only. See Chapter 7, Using Smart Cards for Multifactor Authentication in Oracle Solaris in Managing Kerberos and Other Authentication Services in Oracle Solaris 11.3.
Oracle Solaris implements one-time passwords (OTP) that can be used with mobile authenticators that conform to RFC 4226 for HMAC-based OTPs and RFC 6238 for time-based OTPs. For more information, see Chapter 8, Using One-Time Passwords for Multifactor Authentication in Oracle Solaris in Managing Kerberos and Other Authentication Services in Oracle Solaris 11.3 and the otpadm (1M) and pam_otp_auth(5) man pages.
Compliance rules that are coded with variable values enable you to create tailorings whose rules check for the precise values that satisfy site security requirements. See Selecting Alternate Values for Variables in Compliance Rules in Oracle Solaris 11.3 Security Compliance Guide and the compliance-tailor(1M) man page.
You can schedule compliance assessments to run periodically. This functionality is disabled by default. See Running Assessments at Regular Intervals in Oracle Solaris 11.3 Security Compliance Guide and the compliance(1M) man page.
You can create a version or tailoring of an existing benchmark. Tailorings can provide an accurate assessment of the security posture of particular systems by removing failures and false positives from the assessment. For more information, see Oracle Solaris 11.3 Security Compliance Guide and the compliance(1M) and compliance-tailor(1M) man pages.
Protecting executables from stack corruption is now a security extension in Oracle Solaris rather than the no_exec_userstack system variable that previously was set in the /etc/system file. The nxstack security extension is set by default. In addition, the nxheap security extension protects from heap corruption. For more information, see the Protecting the Process Heap and Executable Stacks From Compromise in Securing Systems and Attached Devices in Oracle Solaris 11.3.
The Cryptographic Framework now includes the Camellia algorithm. To view the mechanisms that Camellia supports, run the cryptoadm list -m | grep camellia command. The SPARC T4 Series and SPARC T8 Series servers provide hardware acceleration for this algorithm.
The Kernel SSL proxy supports SSLv3, but disables it by default. See SSL Kernel Proxy Encrypts Web Server Communications in Securing the Network in Oracle Solaris 11.3.
The pktool gencsr command can now create certificates for certificate authorities that do not follow the standard PKCS #10: Certification Request Syntax Specification Version 1.7, RFC 2986 (https://www.rfc-editor.org/info/rfc2986). See the pktool(1) man page.
When a certificate from a Certificate Authority (CA) is missing or corrupted, you can fix the resulting problem by adding or removing certificates from the Oracle Solaris keystore. For more information, see Adding CA Certificates to the Oracle Solaris CA Keystore in Managing Encryption and Certificates in Oracle Solaris 11.3.
Oracle Solaris provides client support for KMIP version 1.1, enabling clients to communicate with Key Management Interoperability Protocol (KMIP)-compliant servers such as the Oracle Key Vault (OKV). PKCS #11 applications, as clients, can communicate with KMIP-compliant servers to create and use asymmetric keys. See Chapter 5, KMIP and PKCS #11 Client Applications in Managing Encryption and Certificates in Oracle Solaris 11.3.
Oracle Solaris offers an openssh implementation of Secure Shell. This OpenSSH implementation is built on OpenSSH 7.2p2 plus additional features. The sunssh implementation is still the default. You use the pkg mediator command to switch between the two implementations. For more information, see OpenSSH Implementation of Secure Shell in Managing Secure Shell Access in Oracle Solaris 11.3.
To aid in making the transition to IPsec and IKEv2, Oracle Solaris provides the pass action and the ike_version option. The pass action enables a server to support IPsec and non-IPsec clients, and the ike_version option enables you to specify the version of the IKE protocol that an IPsec policy rule must use. This option helps a network run two versions of the IKE protocol and require the newer IKE protocol on only those systems that can support it. For information and links to examples, see What’s New in Network Security in Oracle Solaris 11.3 in Securing the Network in Oracle Solaris 11.3.
Oracle Solaris provides an additional firewall option, the OpenBSD Packet Filter (PF). For more information, see Chapter 4, OpenBSD Packet Filter Firewall in Oracle Solaris in Securing the Network in Oracle Solaris 11.3.
PF supports policy-based routing (PBR). For more information, see the route-to description in Packet Filter Rule Optional Actions in Securing the Network in Oracle Solaris 11.3.
PF adds the pflogd logging facility to PF. For more information, see Packet Filter Logging in Securing the Network in Oracle Solaris 11.3 and the pflogd (1M) man page.
You can verify whether a binary is protected by Oracle Solaris security extensions by running the elfdump -d app-path command. See Protecting Against Malware With Security Extensions in Securing Systems and Attached Devices in Oracle Solaris 11.3.
The Kerberos implementation in Oracle Solaris is based on the latest version of the Kerberos V5 network authentication protocol from the Massachusetts Institute of Technology (MIT). The Oracle Solaris implementation takes advantage of Oracle Solaris features, such as IPS, SMF, and Automated Installation (AI). For more information, see Introduction to MIT Kerberos on Oracle Solaris in Managing Kerberos and Other Authentication Services in Oracle Solaris 11.3. For information about storing delegated GSS-API credentials, see Per-Session GSS-API Credentials in Managing Secure Shell Access in Oracle Solaris 11.3.
Oracle Solaris provides the pkg:/support/critical-patch-update/solaris-11-cpu package to enable you to update your system to the latest critical patch updates that repair Common Vulnerabilities and Exposures (CVE). See Administering CVE Updates in Oracle Solaris in Oracle Solaris 11.3 Security Compliance Guide and Applying Support Updates in Adding and Updating Software in Oracle Solaris 11.3.
The dax_access privilege enables data analytics acceleration on the DAX co-processors on SPARC M7 servers and SPARC T7-Series servers for Oracle Database 12c. A database given this privilege can offload parts of query processing to the server hardware.