
Developer's Guide for Migrating to Oracle Solaris 11


Updated: April 2020
 
 

Security and Privileges in Oracle Solaris

Oracle Solaris provides a network-wide security system that controls the way users access files, and protects system databases and system resources. It combines multiple security technologies such as networking, cryptographic capabilities, and trusted extensions to manage user rights.

Some of the highlights of security-related features in Oracle Solaris are:

Compliance checking and reporting

You can administer security compliance tests by using the compliance command. You can assess and report the compliance of an Oracle Solaris system with security standards, also called security benchmarks and security policies. For more information, see Oracle Solaris 11.3 Security Compliance Guide.

Verified boot

An anti-malware and integrity feature that reduces the risk of introducing malicious or accidentally modified critical boot and kernel components. This feature checks the cryptographic signatures of the firmware, boot system, and kernel and kernel modules. Verified boot applies to the SPARC T5, SPARC M5, and SPARC M6 platforms. For more information, see Using Verified Boot in Securing Systems and Attached Devices in Oracle Solaris 11.3.

Support for IKEv2

Provides automatic Security Association (SA) and key management between peer systems.

RBAC Time-Based and Location-Based Access

You can qualify user attributes by location. A new qualifier option for the usermod and rolemod commands can indicate the system or netgroup where user attributes apply. A new time-based policy for access to PAM services can be specified by using the new access_times keyword of the useradd command. For more information, see the usermod(1M), rolemod(1M), and useradd(1M) man pages.

Oracle Solaris Trusted Extensions

Oracle Solaris Trusted Extensions is a set of advanced security features that allow you to label data and applications according to their sensitivity level. Its access control model includes RBAC, Mandatory Access Control Labeling, Auditing, and Device Allocation. It is an optional layer of secure label technology in Oracle Solaris that allows data security policies to be separated from data ownership.

Trusted Extensions provides APIs for developing applications that access and handle labels. For more information about Trusted Extensions APIs, see Trusted Extensions User’s Guide.

Authentication Services in Oracle Solaris

Authentication is a mechanism to validate whether a user or service matches the predefined criteria.

The main features of the Oracle Solaris authentication services are as follows:

  • Secure RPC – Protects remote procedures using the Diffie-Hellman authentication mechanism.

  • Pluggable Authentication Module – Enables you to add new authentication methods and modify the authentication policies by installing PAM modules into the Oracle Solaris OS.

  • Simple Authentication and Security Layer – Provides authentication and security services to network protocols.

  • Secure Shell – Provides secure data communication and remote command-line login using a cryptographic network protocol.

Pluggable Authentication Module

Pluggable Authentication Module (PAM) is a set of pluggable objects that enables system administrators to add new authentication services without changing system services. You can use it to modify user authentication, account, session, and password management functions in Oracle Solaris. Login, ssh, and other system entry services use the PAM framework to ensure that all login sessions are secure. The main benefit to users is the flexibility to modify the configuration files.

For more information about PAM modules, see Chapter 3, Writing PAM Applications and Services in Developer’s Guide to Oracle Solaris 11.3 Security.

For more information about the differences between the RHEL and Oracle Solaris implementations of PAM, see the section Pluggable Authentication Module in Red Hat Enterprise Linux to Oracle Solaris Porting Guide.

Oracle Solaris Cryptographic Framework

The Oracle Solaris Cryptographic Framework provides a set of cryptographic services for kernel-level and user-level consumers. Oracle Solaris provides network security based on standard industry interfaces such as PAM, GSS-API, SASL, and PKCS #11. The Cryptographic Framework is a backbone of cryptographic services in Oracle Solaris. The framework provides standard PKCS#11 interfaces to accommodate consumers and providers of cryptographic services.

The framework has two parts:

  • User cryptographic framework for user-level applications

  • Kernel cryptographic framework for kernel-level modules

The main elements of the Oracle Solaris Cryptographic Framework are as follows:

  • libpkcs11.so library – The framework provides access through the RSA Security Inc. PKCS#11 Cryptographic Token Interface (Cryptoki). Applications must link to the libpkcs11.so library.

  • pkcs11_softtoken.so shared object – Contains user-level cryptographic mechanisms provided by Oracle.

  • pkcs11_kernel.so shared object – Used to access kernel-level cryptographic mechanisms. It offers a PKCS#11 user interface for cryptographic services that are plugged into the kernel's service provider interface.

  • Pluggable interface – The pluggable interface is the service provider interface (SPI) for PKCS #11 cryptographic services that are provided by Oracle and third-party developers. Providers are user-level libraries that are implemented through encryption services available through the hardware or software.

  • Scheduler and Load Balancer – Enables efficient load balancing and dispatching of cryptographic requests.

  • Kernel Programmer Interface – Provides kernel-level consumers with access to cryptographic services.

  • Service Provider Interface – Used by providers of kernel-level cryptographic services that are implemented in the hardware and the software.

  • Hardware and software cryptographic providers – Kernel-level cryptographic services that use software algorithms, hardware accelerator boards, or on-chip cryptographic capabilities.

  • Kernel cryptographic framework daemon – Private daemon responsible for managing system resources for cryptographic operations. The daemon also verifies cryptographic providers.

  • Module Verification Library – Private library used to verify the integrity and authenticity of all binaries that the cryptographic framework imports.

  • elfsign – Utility offered to third-party providers of cryptographic services to request certificates from Oracle.

  • cryptoadm – User-level command for managing cryptographic services, such as disabling and enabling cryptographic mechanisms according to security policies.

Four types of applications can plug into the Oracle Solaris Cryptographic Framework:

  • User-level consumers

  • User-level providers

  • Kernel-level consumers

  • Kernel-level providers
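
A user-level consumer reaches these providers through the PKCS#11 C_* entry points of libpkcs11.so. The following added example (not from the Oracle documentation) computes a SHA-256 digest through the first slot that accepts the mechanism and reports when none does. Assumptions: the helper name p11_sha256 is hypothetical, and the PKCS#11 types are declared by hand and the library is loaded with dlopen so the block is self-contained, where a Solaris application would include <security/cryptoki.h> and link against libpkcs11.so.

```c
#include <dlfcn.h>
#include <stdio.h>
/* Minimal PKCS#11 declarations; a Solaris build uses <security/cryptoki.h> and -lpkcs11. */
typedef unsigned long CK_ULONG, CK_RV;
typedef struct { CK_ULONG mechanism; void *pParameter; CK_ULONG ulParameterLen; } CK_MECHANISM;
#define CKR_OK             0UL
#define CKM_SHA256         0x00000250UL
#define CKF_SERIAL_SESSION 0x00000004UL
typedef CK_RV (*arg_fn)(void *);   /* C_Initialize and C_Finalize */
typedef CK_RV (*slots_fn)(unsigned char, CK_ULONG *, CK_ULONG *);
typedef CK_RV (*open_fn)(CK_ULONG, CK_ULONG, void *, void *, CK_ULONG *);
typedef CK_RV (*dinit_fn)(CK_ULONG, CK_MECHANISM *);
typedef CK_RV (*digest_fn)(CK_ULONG, unsigned char *, CK_ULONG, unsigned char *, CK_ULONG *);
typedef CK_RV (*close_fn)(CK_ULONG);

/* Hypothetical helper: SHA-256 via the first slot that accepts CKM_SHA256. Returns the
 * digest length, -1 if the library or a symbol is missing, -2 if no slot can do it. */
int p11_sha256(const char *lib, unsigned char *msg, CK_ULONG len, unsigned char *out, CK_ULONG cap) {
    static const char *names[7] = { "C_Initialize", "C_GetSlotList", "C_OpenSession",
                                    "C_DigestInit", "C_Digest", "C_CloseSession", "C_Finalize" };
    void *f[7], *h = dlopen(lib, RTLD_NOW);
    if (h == NULL) return -1;
    for (int i = 0; i < 7; i++)
        if ((f[i] = dlsym(h, names[i])) == NULL) { dlclose(h); return -1; }
    int result = -2;
    CK_ULONG ids[16], n = 16, s;
    CK_MECHANISM mech = { CKM_SHA256, NULL, 0 };
    if (((arg_fn)f[0])(NULL) == CKR_OK) {
        if (((slots_fn)f[1])(1, ids, &n) != CKR_OK) n = 0;
        for (CK_ULONG i = 0; i < n && result < 0; i++) {
            CK_ULONG dl = cap;   /* in: buffer size, out: digest length */
            if (((open_fn)f[2])(ids[i], CKF_SERIAL_SESSION, NULL, NULL, &s) != CKR_OK) continue;
            if (((dinit_fn)f[3])(s, &mech) == CKR_OK &&
                ((digest_fn)f[4])(s, msg, len, out, &dl) == CKR_OK) result = (int)dl;
            ((close_fn)f[5])(s);
        }
        ((arg_fn)f[6])(NULL);
    }
    dlclose(h);
    return result;
}

int main(void) {
    unsigned char out[32], msg[] = "abc";   /* constructed sample input */
    int n = p11_sha256("libpkcs11.so", msg, 3, out, sizeof out);
    if (n < 0) { fprintf(stderr, "digest unavailable (%d)\n", n); return 1; }
    for (int i = 0; i < n; i++) printf("%02x", out[i]);
    putchar('\n');
    return 0;
}
```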

The Oracle Solaris Key Management Framework provides tools and programming interfaces for managing public key infrastructure (PKI) objects.

The on-chip cryptographic acceleration in Oracle Solaris servers such as UltraSPARC T1, UltraSPARC T2, and UltraSPARC T2+ eliminates the need for additional coprocessor cards or power-consuming add-on components. For more information about different function calls in RHEL and Oracle Solaris, see Red Hat Enterprise Linux to Oracle Solaris Porting Guide.

For more information about the Oracle Solaris Cryptographic Framework, see Chapter 9, Writing User-Level Cryptographic Applications in Developer’s Guide to Oracle Solaris 11.3 Security.