Oracle® Solaris 11.3 Security and Hardening Guidelines

Updated: March 2018

Oracle Solaris 11 Security After Installation

Oracle Solaris is installed “secure by default” (SBD). This security posture protects the system from intrusion and monitors login attempts, among other security features.

System Access Is Limited and Monitored

Initial user and root role accounts – The initial user account can log in from the console. This account is assigned the root role. The password for the initial user and the root accounts is identical at installation.

  • After logging in, the initial user can assume the root role to further configure the system. Upon assuming the role, the user is prompted to change the root password. Note that no role can log in directly, including the root role.

  • The initial user is assigned defaults from the /etc/security/policy.conf file. The defaults include the Basic Solaris User rights profile and the Console User rights profile. These rights profiles enable users to read and write to a CD or DVD, run any command on the system without privilege, and stop and restart their system when sitting at the console.

  • The initial user account is also assigned the System Administrator rights profile. Therefore, without assuming the root role, the initial user has some administrative rights, such as the right to install software and manage the naming service.

Password requirements – User passwords must be at least six characters long, and have at least two alphabetic characters and one non-alphabetic character. Passwords are hashed by using the SHA256 algorithm. When changing their password, all users including the root role must conform to these password requirements. For more information, see Passwords and Password Policy.

Limited network access – After installation, the system is protected from intrusion over the network. Remote login by the initial user is allowed over an authenticated, encrypted connection with the Secure Shell protocol. This is the only network protocol that accepts incoming packets. The Secure Shell key is wrapped by the AES128 algorithm. With encryption and authentication in place, the user can reach the remote system without interception, modification, or spoofing.

Recorded login attempts – The audit service is enabled for all login/logout events (login, logout, switching user, starting and stopping a Secure Shell session, and screen locking) and for all non-attributable (failed) logins. Because the root role cannot log in, the name of the user who is acting as root is recorded in the audit trail. The initial user can review the audit logs by a right granted through the System Administrator rights profile.

Kernel, File, and Desktop Protections Are in Place

After the initial user is logged in, the kernel, file systems, system files, and desktop applications are protected by file permissions, privileges, and user rights. User rights are also known as role-based access control (RBAC).

Kernel protections – Many daemons and administrative commands are assigned just the privileges that enable them to succeed. Many daemons are run from special administrative accounts that do not have root (UID=0) privileges, so they cannot be hijacked to perform other tasks. These special administrative accounts cannot log in. Devices are protected by privileges.

File systems – By default, all file systems are ZFS file systems. The user's umask is 022, so when a user creates a new file or directory, only the user is allowed to modify it. Members of the user's group are allowed to read and search the directory, and read the file. Logins that are outside the user's group can list the directory and read the file. The default directory permissions are drwxr-xr-x (755). The file permissions are -rw-r--r-- (644).

System files – System configuration files are protected by file permissions. Only the root role or a user who is assigned the right to edit a specific system file can modify a system file.

Desktop applets – Desktop applets are protected by rights management. Therefore, administrative actions, such as the addition of remote printers in Print Manager, are restricted to users and roles who have administrative rights for printing.
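The "File systems" item above ties umask 022 to the modes drwxr-xr-x and -rw-r--r--. The following shell check is an added example, not part of the Oracle guide: it creates a scratch file and directory under a given umask and reports whether the result matches those defaults or grants write access to anyone other than the owner. The function names and return codes are hypothetical, and it assumes mktemp and ls are available.

```shell
#!/bin/sh
# Added example: compare what a umask really produces with the guide's defaults.
BASELINE_DIR_MODE='drwxr-xr-x'    # 755, from the guide
BASELINE_FILE_MODE='-rw-r--r--'   # 644, from the guide

# Print "<dir-mode> <file-mode>" for objects created under umask $1.
# The body is a subshell, so the caller's umask is left untouched.
modes_under_umask() (
    tmp=$(mktemp -d) || exit 3            # scratch dir, made before umask changes
    trap 'rm -rf "$tmp"' EXIT
    umask "$1" || exit 3
    mkdir "$tmp/d" && : > "$tmp/f" || exit 3
    # Keep the 10 type/permission characters; some ls builds append '.' or '+'.
    d=$(ls -ld "$tmp/d" | cut -c1-10)
    f=$(ls -ld "$tmp/f" | cut -c1-10)
    printf '%s %s\n' "$d" "$f"
)

# Returns: 0 = matches baseline, 1 = group or other can write new objects,
# 2 = differs from baseline without extra write access, 3 = could not test.
check_umask_baseline() {
    mask=${1:-$(umask)}
    modes=$(modes_under_umask "$mask") || { echo "ERROR umask $mask" >&2; return 3; }
    dir_mode=${modes% *}
    file_mode=${modes#* }
    if [ "$dir_mode" = "$BASELINE_DIR_MODE" ] && [ "$file_mode" = "$BASELINE_FILE_MODE" ]; then
        echo "OK    umask $mask -> $dir_mode $file_mode"; return 0
    fi
    # Character 6 is group write, character 9 is other write.
    for m in "$dir_mode" "$file_mode"; do
        case $m in
            ?????w*|????????w*)
                echo "WEAK  umask $mask -> $dir_mode $file_mode (non-owner write)"
                return 1 ;;
        esac
    done
    echo "DIFF  umask $mask -> $dir_mode $file_mode"; return 2
}

# Constructed sample values: the guide's default, a weaker one, a stricter one.
for sample in 022 002 077; do
    check_umask_baseline "$sample" || true
done
```

Calling check_umask_baseline with no argument tests the umask of the current shell.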

Oracle Hardware Management Package

The Oracle Hardware Management Package provides a set of utilities for configuring, managing, and monitoring Oracle servers. This value-add set of tools for Oracle hardware is always available. It can automatically deliver certain hardware-related information to ILOM to complete the view that it has of system hardware. For information about the utilities and security, see the Systems Management and Diagnostics Documentation (https://www.oracle.com/technetwork/documentation/sys-mgmt-networking-190072.html#hwmgmt).