Ideas for Using Labeled File Systems for Data Loss Protection
Labeled file systems protect sensitive files from inadvertent or malicious tampering. You can use labeled file systems in the following ways:
- Restrict access to core files – Store core files in labeled file systems so that access to these core files requires label dominance. You can use the %l format specification to specify the directory pathname corresponding to the label of the process generating the core file. For more information, see the labeling examples in the coreadm(8) man page.
- Restrict access to audit files – Store audit files in labeled file systems. A labeled audit trail reduces access to the audit trail, including access to the contents of higher-labeled processes. Access to the audit trail will require label dominance. See How to Create a Labeled Audit Trail.
- Restrict access to selected directories – Users can set TMPDIR to a labeled directory under their home directory. Similarly, you can configure the vim editor so that the backup and swap directories are labeled.
- Restrict access to DTrace probes – Running DTrace on a labeled process requires process dominance. For information about DTrace probes, see the dtrace(8) man page.
- Restrict access to database data and configuration – Make Oracle database instances more robust by assigning a label to the $ORACLE_HOME directory to protect the data and configuration files from rogue administrators. An administrator, including root, whose process does not dominate the database label would be unable to access the directory. Such labeling provides an extra level of security beyond encryption. For example, another user assuming the root role would be unable to change or remove files in $ORACLE_HOME.
- Restrict modification of system configuration – Make the system configuration immutable by configuring the labeled system with the fixed-configuration immutable policy. An immutable policy prevents root from altering the labeled configuration. For more information, see the zonecfg(8) man page. When an immutable policy is in effect, changes to any method or sysconfig properties of any SMF service, including the clearance of the service, require a clearance of the ADMIN_HIGH label from the requesting client. See How to Enforce a Fixed Configuration for a Labeled File System.
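
The items above all rest on one check: the requesting process's label must dominate the label on the object. The following is a simplified model of that check, added here as an illustration and not taken from Oracle's documentation or code. The label names, levels, compartments, and paths are constructed, and it assumes the usual definition of dominance (level at least as high, compartments a superset) with ADMIN_HIGH dominating every label.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Label:
    """Simplified sensitivity label: a numeric level plus a compartment set."""
    name: str
    level: int = 0
    compartments: frozenset = frozenset()
    admin_high: bool = False  # models ADMIN_HIGH, assumed to dominate every label

    def dominates(self, other):
        if self.admin_high:
            return True
        if other.admin_high:
            return False
        # Level at least as high AND every compartment of `other` is held.
        return self.level >= other.level and self.compartments >= other.compartments

# Constructed labels; real label names and encodings are site-specific.
ADMIN_HIGH = Label("ADMIN_HIGH", admin_high=True)
PUBLIC = Label("PUBLIC", 1)
CONF_DB = Label("CONFIDENTIAL DB", 2, frozenset({"db"}))
CONF_HR = Label("CONFIDENTIAL HR", 2, frozenset({"hr"}))

# Constructed paths standing in for $ORACLE_HOME and a labeled audit directory.
LABELED_DIRS = {"/example/oracle_home": CONF_DB, "/example/audit": CONF_HR}

def may_access(user, clearance, path):
    """The decision depends on the process label only; `user` is never consulted."""
    return clearance.dominates(LABELED_DIRS[path])

def may_change_smf(clearance):
    """Under the immutable policy, SMF changes need an ADMIN_HIGH clearance."""
    return clearance.dominates(ADMIN_HIGH)

def denied(requests):
    """Return the (user, path) pairs that the dominance check rejects."""
    return [(u, p) for u, c, p in requests if not may_access(u, c, p)]

if __name__ == "__main__":
    # Constructed requests: (user, process clearance, target directory).
    requests = [("root", PUBLIC, "/example/oracle_home"),
                ("oracle", CONF_DB, "/example/oracle_home"),
                ("root", CONF_DB, "/example/audit"),
                ("auditor", ADMIN_HIGH, "/example/audit")]
    print(denied(requests))
```

Two labels at the same level with different compartments are incomparable, so neither process can reach the other's directory; that is why the root process cleared for the database label is still rejected at the audit directory in this model.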