What's New in Oracle® Solaris 11.3


Updated: November 2016

Security and Compliance Features

This section describes the security and compliance features in this release. These new features help prevent new threats through anti-malware protection and enable you to meet the strictest compliance obligations.

Silicon Secured Memory Support

The next generation SPARC platform offers new co-engineered hardware and software capabilities that enable applications to run with the highest levels of security, reliability, and speed. This functionality is known as Oracle's "Software in Silicon". Oracle Solaris 11.3 introduces a key Software in Silicon feature called Silicon Secured Memory (SSM). SSM detects common memory access errors including buffer overflows, unallocated or freed memory access errors, “double free” memory access errors, and stale pointer memory access errors. With SSM enabled, an error is likely to be raised if an application tries to access memory it should not have access to. Because SSM is a hardware implementation, it incurs minimal overhead and can be used in production to detect potential memory corruption issues. You can use SSM during application development to ensure such errors are caught during application testing and certification.

Oracle Solaris 11.3 supports SSM for both applications and observability tools. For example, applications and administrators can now enable or disable SSM to control whether memory accesses are guarded. Once enabled, SSM is transparently handled by Oracle Solaris. To monitor SSM, Oracle Solaris 11.3 includes new extensions for mdb and DTrace.

For more information about Software in Silicon, see: http://www.oracle.com/technetwork/server-storage/softwareinsilicon/index.html.

MD5 Signature Option for TCP

Oracle Solaris 11.3 supports MD5 hash signatures, which enable the authentication of TCP packets and ensure their integrity. TCP-based protocols that cannot use IPsec or do not have the ability to authenticate TCP packets between hosts can now set up keys and use these MD5 hash signatures on the TCP packets. The MD5 hash signature is intended primarily for the Border Gateway Protocol (BGP). Note that there is a performance penalty associated with signing each packet.

For more information, see the tcpkey(1M) man page.
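
The per-segment check a receiver performs, following the RFC 2385 layout (TCP option kind 19) for IPv4. This is an added example, not Oracle's code and not tcpkey(1M) usage; the function names, addresses, ports and key are constructed for illustration.

```python
import hashlib
import hmac
import socket
import struct

MD5SIG_KIND, MD5SIG_LEN = 19, 18   # RFC 2385: kind 19, 2 + 16 digest bytes

def data_offset(segment):
    """Validated TCP header length in bytes (fixed header plus options)."""
    off = (segment[12] >> 4) * 4 if len(segment) >= 20 else 0
    if off < 20 or off > len(segment):
        raise ValueError("malformed TCP header")
    return off

def tcp_md5_digest(src_ip, dst_ip, segment, key):
    """Digest over pseudo-header, option-less header (checksum 0), data, key."""
    pseudo = (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(segment)))
    fixed = segment[:16] + b"\x00\x00" + segment[18:20]
    payload = segment[data_offset(segment):]
    return hashlib.md5(pseudo + fixed + payload + key).digest()

def carried_digest(segment):
    """Walk the TCP options and return the digest from option 19, or None."""
    opts, i = segment[20:data_offset(segment)], 0
    while i < len(opts) and opts[i] != 0:          # kind 0 ends the list
        if opts[i] == 1:                           # kind 1 is a 1-byte NOP
            i += 1
            continue
        length = opts[i + 1] if i + 1 < len(opts) else 0
        if length < 2 or i + length > len(opts):
            return None                            # truncated or bogus option
        if opts[i] == MD5SIG_KIND and length == MD5SIG_LEN:
            return opts[i + 2:i + MD5SIG_LEN]
        i += length
    return None

def verify(src_ip, dst_ip, segment, key):
    """Receiver check: unsigned or mismatching segments are rejected."""
    carried = carried_digest(segment)
    expected = tcp_md5_digest(src_ip, dst_ip, segment, key)
    return carried is not None and hmac.compare_digest(carried, expected)

def build_signed(src_ip, dst_ip, payload, key):
    """Constructed sample segment (ports, seq/ack made up; TCP checksum left 0)."""
    hdr = struct.pack("!HHIIBBHHH", 40000, 179, 1000, 2000, 10 << 4, 0x18, 65535, 0, 0)
    unsigned = hdr + bytes([MD5SIG_KIND, MD5SIG_LEN]) + bytes(16) + b"\x01\x01" + payload
    digest = tcp_md5_digest(src_ip, dst_ip, unsigned, key)
    return unsigned[:22] + digest + unsigned[38:]
```

Because the digest covers the pseudo-header and payload but not the options, a segment with a spoofed source address or altered data fails the check, and so does any segment that arrives without option 19.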

Verified Boot for Kernel Zones

Oracle Solaris Verified Boot now provides support for Oracle Solaris Kernel Zones. This anti-malware and integrity feature reduces the risk of introducing malicious or accidentally modified critical boot and kernel components. This feature checks the cryptographic signatures of the firmware, boot system, and kernel and kernel modules.

The three policy options are ignore, warn and continue, and refuse to load the component.

For more information, see the zonecfg(1M) man page. You can also see Securing Systems and Attached Devices in Oracle Solaris 11.3 and Creating and Using Oracle Solaris Kernel Zones.

SSH Mediators

Oracle Solaris 11.3 now offers a choice of SSH implementations. A new OpenSSH implementation based on OpenSSH 6.5p1 co-exists with SunSSH. You can choose either of the implementations, using the pkg mediator mechanism. The default SSH implementation is SunSSH.

To switch between them, you would run the following commands:

# pkg mediator ssh
ssh          vendor            vendor     sunssh
# pkg install network/openssh
# pkg mediator -a ssh
ssh          vendor            vendor     sunssh
ssh          system            system     openssh
# pkg set-mediator -I openssh ssh
# pkg mediator ssh
ssh          system            local      openssh

The SSH packages have been refactored to provide a more seamless transition between SSH implementations.

For more information, see Managing Secure Shell Access in Oracle Solaris 11.3.

GRUB Menu Password Protection

Oracle Solaris 11.3 provides a feature that adds optional boot environment protection in a shared system. It also allows the GRUB menu to have a password protection option for menu loading, menu entry modification, and menu entry booting.

For more information, see the bootadm(1M) man page. You can also see Oracle Solaris 11 Security and Hardening Guidelines.

Compliance Tailoring

Oracle Solaris 11.3 adds the ability to refine the set of benchmarks used in assessing security compliance. This feature enables a better match to local security policies without modifying the base benchmark itself. The compliance command now includes a tailor subcommand, and a new interactive interface to support the creation of tailorings, enabling the individual inclusion or exclusion of benchmark rules used to assess a system.

The following example shows how you would create a new tailoring called mytailoring that adds two additional rules to the Baseline profile from the Oracle Solaris benchmark.

# compliance tailor -t mytailoring
tailoring: No existing tailoring: 'mytailoring', initializing
tailoring:mytailoring> set benchmark=solaris
tailoring:mytailoring> set profile=Baseline
tailoring:mytailoring> include rule=OSC-47501
tailoring:mytailoring> include rule=OSC-49501
tailoring:mytailoring> export
set tailoring=mytailoring
# version=2014-11-29T04:16:39.000+00:00
set benchmark=solaris
set profile=Baseline
# Passwords require at least one digit
include OSC-47501
# Passwords require at least one uppercase character
include OSC-49501
tailoring:mytailoring> exit

For more information, see the compliance-tailor(1M) man page.

Packet Filter

Oracle Solaris 11.3 includes the OpenBSD 5.5 Packet Filter (PF) firewall for filtering TCP/IP traffic. PF provides an alternative to the existing IP Filter (IPF) already included in Oracle Solaris, enabling both bandwidth management and packet prioritization. To use the PF firewall, you install the pkg:/network/firewall package and enable the svc:/network/firewall:default service instance.

For more information, see the pfctl(1M), pf.conf(5), and pf.os(5) man pages.

Immutable Global Zone – New Dynamic Policy for Zone Creation

Oracle Solaris 11.3 includes a new read-only policy (file-mac-profile), dynamic-zones. This profile enables administrators to create and destroy kernel zones and non-global zones in an immutable global zone environment while still providing benefits similar to the existing fixed-configuration profile. This profile is valid only for the global zone, which includes the global zone of a kernel zone.