This section describes the security and compliance features in this release. These new features help prevent new threats through anti-malware protection and enable you to meet the strictest compliance obligations.
The next generation SPARC platform offers new co-engineered hardware and software capabilities that enable applications to run with the highest levels of security, reliability, and speed. This functionality is known as Oracle's "Software in Silicon". Oracle Solaris 11.3 introduces a key Software in Silicon feature called Silicon Secured Memory (SSM). SSM detects common memory access errors including buffer overflows, unallocated or freed memory access errors, “double free” memory access errors, and stale pointer memory access errors. With SSM enabled, an error is likely to be raised if an application tries to access memory it should not have access to. Because SSM is a hardware implementation, it incurs minimal overhead and can be used in production to detect potential memory corruption issues. You can use SSM during application development to ensure such errors are caught during application testing and certification.
Oracle Solaris 11.3 supports SSM for both applications and observability tools. For example, applications and administrators can now enable or disable SSM to control when memory access is guarded. Once enabled, SSM is handled transparently by Oracle Solaris. To monitor SSM, Oracle Solaris 11.3 includes new extensions for mdb and DTrace.
For more information about Software in Silicon, see: http://www.oracle.com/technetwork/server-storage/softwareinsilicon/index.html.
Oracle Solaris 11.3 supports MD5 hash signatures, which enable the authentication of TCP packets and ensure their integrity. TCP-based protocols that cannot use IPsec or do not have the ability to authenticate TCP packets between hosts can now set up keys and use these MD5 hash signatures on the TCP packets. The MD5 hash signature is intended primarily for the Border Gateway Protocol (BGP). Note that there is a performance penalty associated with signing each packet.
For more information, see the tcpkey(1M) man page.
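The per-packet signing described above, as an added Python example that is not Oracle's code. It assumes the TCP MD5 Signature Option construction from RFC 2385 (the page does not name the RFC) over IPv4; the key, addresses, ports and payload are constructed sample values.

```python
import hashlib
import hmac
import socket
import struct

MD5SIG_KIND, MD5SIG_LEN = 19, 18   # RFC 2385 option: kind 19, 2 + 16 digest bytes

def tcp_md5_digest(src_ip, dst_ip, segment, key):
    """MD5 over pseudo-header, fixed TCP header (checksum zeroed), payload, key."""
    data_offset = (segment[12] >> 4) * 4            # header length including options
    fixed = bytearray(segment[:20])                 # TCP options are not hashed
    fixed[16:18] = b"\x00\x00"                      # checksum field is hashed as zero
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src_ip),
                         socket.inet_aton(dst_ip), 0, socket.IPPROTO_TCP, len(segment))
    return hashlib.md5(pseudo + bytes(fixed) + segment[data_offset:] + key).digest()

def extract_signature(segment):
    """Walk the TCP options; return the 16-byte signature or None if absent/malformed."""
    i, end = 20, min((segment[12] >> 4) * 4, len(segment))
    while i < end and segment[i] != 0:              # kind 0 ends the option list
        if segment[i] == 1:                         # kind 1 is a one-byte NOP
            i += 1
            continue
        length = segment[i + 1] if i + 1 < end else 0
        if length < 2 or i + length > end:
            return None                             # truncated or malformed option
        if segment[i] == MD5SIG_KIND and length == MD5SIG_LEN:
            return bytes(segment[i + 2:i + MD5SIG_LEN])
        i += length
    return None

def verify_segment(src_ip, dst_ip, segment, key):
    """Accept only segments that carry a signature matching the shared key."""
    received = extract_signature(segment)
    if received is None:
        return False                                # unsigned segments are dropped
    expected = tcp_md5_digest(src_ip, dst_ip, segment, key)
    return hmac.compare_digest(received, expected)

def build_signed_segment(src_ip, dst_ip, sport, dport, seq, payload, key):
    """Constructed sample: PSH|ACK segment, options NOP, NOP, MD5 (TCP checksum left 0)."""
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 10 << 4, 0x18, 8192, 0, 0)
    options = b"\x01\x01" + bytes([MD5SIG_KIND, MD5SIG_LEN]) + bytes(16)
    digest = tcp_md5_digest(src_ip, dst_ip, header + options + payload, key)
    return header + options[:4] + digest + payload

KEY = b"constructed-shared-key"                     # constructed, not a real key
SEGMENT = build_signed_segment("192.0.2.1", "192.0.2.2", 49152, 179, 1000,
                               b"constructed BGP bytes", KEY)
```

Because the digest covers the whole payload plus the addresses in the pseudo-header, every segment costs one MD5 pass on each side, which is the performance penalty the text mentions; a change to the payload, the source address or the key makes `verify_segment` return False.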
Oracle Solaris Verified Boot now provides support for Oracle Solaris Kernel Zones. This anti-malware and integrity feature reduces the risk of introducing malicious or accidentally modified critical boot and kernel components. This feature checks the cryptographic signatures of the firmware, boot system, and kernel and kernel modules.
The three policy options are ignore, warn and continue, and refuse to load the component.
For more information, see the zonecfg(1M) man page. You can also see Securing Systems and Attached Devices in Oracle Solaris 11.3 and Creating and Using Oracle Solaris Kernel Zones.
Oracle Solaris 11.3 now offers a choice of SSH implementations. A new OpenSSH implementation based on OpenSSH 6.5p1 co-exists with SunSSH. You can choose either implementation by using the pkg mediator mechanism. The default SSH implementation is SunSSH.
To switch between them, you would run the following commands:
# pkg mediator ssh
MEDIATOR     VER. SRC. VERSION IMPL. SRC. IMPLEMENTATION
ssh          vendor            vendor     sunssh
# pkg install network/openssh
# pkg mediator -a ssh
MEDIATOR     VER. SRC. VERSION IMPL. SRC. IMPLEMENTATION
ssh          vendor            vendor     sunssh
ssh          system            system     openssh
# pkg set-mediator -I openssh ssh
# pkg mediator ssh
MEDIATOR     VER. SRC. VERSION IMPL. SRC. IMPLEMENTATION
ssh          system            local      openssh
The SSH packages have been refactored to provide a more seamless transition between SSH implementations.
For more information, see Managing Secure Shell Access in Oracle Solaris 11.3.
Oracle Solaris 11.3 provides a feature that adds optional boot environment protection in a shared system. It also allows the GRUB menu to have a password protection option for menu loading, menu entry modification, and menu entry booting.
For more information, see the bootadm(1M) man page. You can also see Oracle Solaris 11.3 Security and Hardening Guidelines.
Oracle Solaris 11.3 adds the ability to refine the set of benchmarks used in assessing security compliance. This feature enables a better match to local security policies without modifying the base benchmark itself. The compliance command now includes a tailor subcommand, and a new interactive interface to support the creation of tailorings, enabling the individual inclusion or exclusion of benchmark rules used to assess a system.
The following example shows how you would create a new tailoring called mytailoring that adds two additional rules to the Baseline profile from the Oracle Solaris benchmark.
# compliance tailor -t mytailoring
tailoring: No existing tailoring: ’mytailoring’, initializing
tailoring:mytailoring> set benchmark=solaris
tailoring:mytailoring> set profile=Baseline
tailoring:mytailoring> include rule=OSC-47501
tailoring:mytailoring> include rule=OSC-49501
tailoring:mytailoring> export
set tailoring=mytailoring
# version=2014-11-29T04:16:39.000+00:00
set benchmark=solaris
set profile=Baseline
# Passwords require at least one digit
include OSC-47501
# Passwords require at least one uppercase character
include OSC-49501
tailoring:mytailoring> exit
For more information, see the compliance-tailor(1M) man page.
Oracle Solaris 11.3 includes the OpenBSD 5.5 Packet Filter (PF) firewall for filtering TCP/IP traffic. PF provides an alternative to the existing IP Filter (IPF) already included in Oracle Solaris, enabling both bandwidth management and packet prioritization. To use the PF firewall, you install the pkg:/network/firewall package and enable the svc:/network/firewall:default service instance.
Oracle Solaris 11.3 includes a new read-only policy (file-mac-profile), dynamic-zones. This profile enables administrators to create and destroy kernel zones and non-global zones in an immutable global zone environment while still providing benefits similar to the existing fixed-configuration profile. This profile is valid only for the global zone, which includes the global zone of a kernel zone.