
Transitioning From Oracle® Solaris 10 to Oracle Solaris 11.3


Updated: December 2018
 
 

Security Feature Changes

    Note the following key security changes:

  • Address Space Layout Randomization (ASLR) – Starting with Oracle Solaris 11.1, ASLR randomizes the addresses that a given binary uses. Certain types of attacks that depend on knowing the exact location of certain memory ranges then fail, and the attempt can be detected when it stops the executable, as it likely does. Use the sxadm command to configure ASLR. Use the elfedit command to change the tagging on a binary. See sxadm(1M) and elfedit(1).

  • Administrative Editor – You can use the pfedit command to edit system files. If defined by the system administrator, the value of this editor is $EDITOR. If undefined, the editor defaults to the vim command. Start the editor as follows:

    $ pfedit system-filename

    In this release, auditing is on by default. For a secure system, use the interfaces that are always audited when auditing of administrative actions is turned on. Because pfedit use is always audited, it is the preferred command for editing system files. See pfedit(1M) and Chapter 3, Controlling Access to Systems in Securing Systems and Attached Devices in Oracle Solaris 11.3.

  • Auditing – Auditing is a service in Oracle Solaris 11 and is enabled by default. No reboot is required when disabling or enabling this service. You use the auditconfig command to view information about audit policy and to change audit policy. The auditing of public objects generates less noise in the audit trail. In addition, auditing of non-kernel events has no performance impact.

    For information about creating a file system dedicated to audit files, see How to Create ZFS File Systems for Audit Files in Managing Auditing in Oracle Solaris 11.3.

  • Audit Remote Server (ARS) – ARS receives and stores audit records from a system that is configured with an active audit_remote plugin. To distinguish an audited system from an ARS, the audited system can be termed the locally audited system. Refer to the information about the -setremote option in auditconfig(1M).

  • Compliance assessment – Use the compliance command to automate compliance assessment and to guide remediation for compliance on a given security policy or benchmark versus other types of compliance requirements. See Oracle Solaris 11.3 Security Compliance Guide and compliance(1M).

  • Basic Audit Reporting Tool (BART) – The default hash that is used by BART is SHA256, not MD5. See Chapter 3, Verifying File Integrity by Using BART in Securing Files and Verifying File Integrity in Oracle Solaris 11.3.

  • cryptoadm command changes – As part of the implementation of the /etc/system.d directory for easier packaging of Oracle Solaris kernel configuration, the cryptoadm command has also been updated to write to files in this directory rather than to the protected files in the /etc/system directory. See cryptoadm(1M).

  • Cryptographic Framework – This feature includes more algorithms, mechanisms, plugins, and support for Intel and SPARC T4 hardware acceleration. Also, Oracle Solaris 11 provides better alignment with the NSA Suite B cryptography. Many of the algorithms in the framework are optimized for x86 platforms with the SSE2 instruction set. For more information about T-Series optimizations, see Cryptographic Framework Optimizations for SPARC Based Systems in Managing Encryption and Certificates in Oracle Solaris 11.3.

  • dtrace command changes – As part of the implementation of the /etc/system.d directory for easier packaging of Oracle Solaris kernel configuration, the dtrace command has also been updated to write to files in this directory rather than to the protected files in the /etc/system directory. See dtrace(1M).

  • FIPS 140-2 Level 1 cryptography – A system that is running in FIPS 140-2 mode has enabled at least one provider of FIPS 140-2 cryptography. Some applications use FIPS 140-2 cryptography automatically, for example, the passwd command. Other applications must be enabled in FIPS 140-2 mode, for example, Secure Shell. Still other applications run in FIPS 140-2 mode when their provider is enabled and the application uses FIPS 140-2 cryptography only, for example, Kerberos, IPsec, and the Apache HTTP Server. For more information, see Using a FIPS 140-2 Enabled System in Oracle Solaris 11.3.

  • Kerberos DTrace providers – A new DTrace USDT provider that provides probes for Kerberos messages (Protocol Data Unit) has been added. The probes are modeled after the Kerberos message types that are described in RFC 4120.

  • Key Management enhancements:

    • PKCS #11 keystore support for RSA keys in the Trusted Platform Module

    • PKCS #11 access to Oracle Key Manager for centralized enterprise key management

  • lofi command changes – The lofi command supports the encryption of block devices in this release. See lofi(7D).

  • nxheap and nxstack security extensions – Use the nxheap and nxstack security extensions to systematically make the stack and heap of all Oracle Solaris processes non-executable. The nxstack security extension replaces the noexec_user_stack system variable. For more information, see Protecting the Process Heap and Executable Stacks From Compromise in Securing Systems and Attached Devices in Oracle Solaris 11.3.

  • One-time passwords (OTP) are supported by installing the system/security/otp package. See Chapter 8, Using One-Time Passwords for Multifactor Authentication in Oracle Solaris in Managing Kerberos and Other Authentication Services in Oracle Solaris 11.3.

  • profiles command changes – In Oracle Solaris 10, this command is only used to list profiles for a specific user or role, or a user's privileges for specific commands. Starting with Oracle Solaris 11, you can create and modify profiles in files and in LDAP by using the profiles command. See profiles(1).

  • rstchown property – The rstchown tunable parameter that is used in previous releases to restrict chown operations is now a ZFS file system property and is also a general file system mount option. See Managing ZFS File Systems in Oracle Solaris 11.3 and the mount(1M) man page.

    If you attempt to set this obsolete parameter in the /etc/system file, the following message is displayed:

    sorry, variable 'rstchown' is not defined in the 'kernel'

  • sudo command – This command generates Oracle Solaris audit records when running other commands. The command also drops the proc_exec basic privilege, if the sudoers command entry is tagged as NOEXEC.

  • Verified boot – Secures a system's boot process and protects a system from threats, such as corruption of kernel modules, the insertion or substitution of malicious programs that masquerade as legitimate kernel modules, as well as the unintended installation of third-party modules that might violate policies that control site changes. See Using Verified Boot in Securing Systems and Attached Devices in Oracle Solaris 11.3.

  • ZFS file system encryption – ZFS file system encryption is designed to keep your data secure. See Encrypting ZFS File Systems.
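
The nxstack and rstchown entries above both retire variables that Oracle Solaris 10 systems set in the /etc/system file. The following added example (not Oracle's code) scans such a file for the two variables named on this page before migration. The function name and the sample file are constructed for illustration, and a POSIX awk is assumed to be first in PATH.

```shell
#!/bin/sh
# check_obsolete_tunables FILE   (added example, hypothetical helper)
#   Prints FILE:LINE: variable: replacement for each obsolete "set" entry.
#   Returns 1 if any were found, 0 otherwise.
check_obsolete_tunables() {
    awk '
        /^[ \t]*\*/ { next }                  # "*" starts a comment in /etc/system
        /^[ \t]*set[ \t]/ {
            name = $0
            sub(/^[ \t]*set[ \t]+/, "", name)
            sub(/[ \t]*=.*$/, "", name)       # keep only the variable name
            sub(/^.*:/, "", name)             # drop an optional "module:" prefix
            if (name == "rstchown")
                msg = "now a ZFS file system property and mount option"
            else if (name == "noexec_user_stack")
                msg = "replaced by the nxstack security extension"
            else
                next
            printf "%s:%d: %s: %s\n", FILENAME, FNR, name, msg
            found = 1
        }
        END { exit found + 0 }
    ' "$1"
}

# Constructed sample of a Solaris 10 /etc/system file (not from a real system).
demo_system=$(mktemp) && {
    cat > "$demo_system" <<'EOF'
* set rstchown=1   (commented out, ignored)
set noexec_user_stack=1
set maxusers=2048
set rstchown = 0
EOF
    check_obsolete_tunables "$demo_system" || echo "obsolete tunables found"
    rm -f "$demo_system"
}
```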

Network Security Features

Pluggable Authentication Module Changes

    The following Pluggable Authentication Module (PAM) changes are introduced:

  • Module to enable per-user PAM stacks – Enables you to configure the PAM authentication policy on a per-user basis, when used in conjunction with the new pam_policy key (user_attr(4)). You can assign pam_policy to a user, as shown in this example:

    # usermod -K pam_policy=krb5_only username

    See pam_user_policy(5).

  • PAM configuration in /etc/pam.d – Adds support for configuring PAM by using per-service files. As a result, the contents of the /etc/pam.conf file have been migrated to multiple files within the /etc/pam.d/ directory, based on the relevant PAM service name. This mechanism is the correct method for configuring PAM in Oracle Solaris and is the default method that is used for all new installations. The /etc/pam.conf file is still consulted, so changes to this file continue to be recognized.

    If you have never edited the /etc/pam.conf file, the file only contains comments that direct you to the per-service equivalents in the /etc/pam.d/ directory. If you previously edited the /etc/pam.conf file, for example, to enable LDAP or Kerberos, a new file named /etc/pam.conf.new is delivered with the changes that you made. See pam.conf(4).

  • definitive flag added to pam.conf – The pam.conf file includes the definitive control_flag in this release. See pam.conf(4).
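
For a system whose /etc/pam.conf file was edited, the per-service layout described above can be previewed with the following added example, which is not part of the Oracle documentation or tooling. It splits pam.conf entries into one file per service in a staging directory, dropping the leading service field, and skips entries that have an unsafe service name or a control_flag outside the set documented in pam.conf(4). The function name, staging directory, and sample entries are constructed for illustration, and a POSIX awk is assumed to be first in PATH.

```shell
#!/bin/sh
# pam_conf_to_pam_d PAM_CONF OUTDIR   (added example, hypothetical helper)
#   pam.conf entry:   service module_type control_flag module_path [options]
#   pam.d/<service>:  module_type control_flag module_path [options]
# Writes to OUTDIR, a staging directory for review, never to /etc/pam.d.
# Returns 1 if any entry was skipped.
pam_conf_to_pam_d() {
    mkdir -p "$2" || return 2
    awk -v outdir="$2" '
        BEGIN {
            n = split("binding definitive include optional required requisite sufficient", f, " ")
            for (i = 1; i <= n; i++) flags[f[i]] = 1
        }
        function skip(why) {
            printf "%s:%d: %s, skipped\n", FILENAME, FNR, why > "/dev/stderr"
            bad = 1
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }            # comments and blank lines
        NF < 4 { skip("too few fields"); next }
        # The service name becomes a file name, so refuse path characters.
        $1 !~ /^[A-Za-z0-9_][A-Za-z0-9_.-]*$/ { skip("unsafe service name"); next }
        !($3 in flags) { skip("unknown control_flag " $3); next }
        {
            entry = $2
            for (i = 3; i <= NF; i++) entry = entry "\t" $i
            print entry > (outdir "/" $1)
        }
        END { exit bad + 0 }
    ' "$1"
}

# Constructed sample input (not from a real system).
demo_conf=$(mktemp) && demo_out=$(mktemp -d) && {
    cat > "$demo_conf" <<'EOF'
# legacy pam.conf edited for Kerberos
login   auth requisite  pam_authtok_get.so.1
login   auth required   pam_unix_auth.so.1
krlogin auth definitive pam_krb5.so.1
sshd    auth mandatory  pam_krb5.so.1
EOF
    pam_conf_to_pam_d "$demo_conf" "$demo_out" || echo "some entries need manual review"
    for f in "$demo_out"/*; do echo "== $f"; cat "$f"; done
    rm -rf "$demo_conf" "$demo_out"
}
```

Review the staged files against the delivered /etc/pam.d/ files before copying anything into place.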

Removed Security Features