2 Configuring Oracle Solaris Security

This chapter describes the actions to take to configure security on your system. The chapter covers installing packages, configuring the system itself, then configuring various subsystems and additional applications that you might need, such as IPsec.

• Installing the Oracle Solaris OS

• Initially Securing the System

• Securing Users

• Protecting the Network

• Protecting File Systems

• Protecting and Modifying Files

• Securing System Access and Use

• Protecting SMF Services

• Adding Labeled Security

Installing the Oracle Solaris OS

The Oracle Solaris OS is installed by selecting a set of packages called a group from a package repository. Different groups supply packages for different uses, such as multipurpose servers, minimally installed or hardened systems, and desktop systems. Packages are signed and their secure transfer can be verified.

When you install the Oracle Solaris OS, choose the media that installs the appropriate group package, as follows:

• Oracle Solaris Large Server – Both the default manifest in an Automated Installer (AI) installation and the text installer install the group/system/solaris-large-server group, which provides an Oracle Solaris large server environment.

• Oracle Solaris Small Server – The Automated Installer (AI) installation and the text installer optionally install the group/system/solaris-small-server group, which provides a useful command-line environment to which you can add packages.

• Oracle Solaris Minimal Server – The Automated Installer (AI) installation and the text installer optionally install the group/system/solaris-minimal-server group, which provides a minimal command-line environment to which you can add just the packages that you want. This group can provide the base for a hardened system.

• Oracle Solaris Desktop – The AI can install the group/system/solaris-desktop group. Alternatively, after using the text installer, add the solaris-desktop package to provide an Oracle Solaris 11.4 desktop environment.

To automate installation with the Automated Installer (AI), see . You can secure AI installations with certificates and keys for the install server, for specified client systems, for all clients of a specified install service, and for any other AI clients.

To guide your media choice, see the following installation and package content guides:

• Automatically Installing Oracle Solaris 11.4 Systems

• Manually Installing an Oracle Solaris 11.4 System

• Creating a Custom Oracle Solaris 11.4 Image

• Updating Systems and Adding Software in Oracle Solaris 11.4

Initially Securing the System

The following tasks are best performed in order. At this point, the Oracle Solaris OS is installed and only the initial user who can assume the root role has access to the system.

1. Check that packages and their signatures are valid – Verifying Packages and Fixing Verification Errors in Updating Systems and Adding Software in Oracle Solaris 11.4

2. Ensure that security extensions protect executables – Preventing Intentional Misuse of System Resources in Securing Systems and Attached Devices in Oracle Solaris 11.4

3. Safeguard the hardware settings on the system – Controlling Access to System Hardware in Securing Systems and Attached Devices in Oracle Solaris 11.4

4. Disable unneeded services – Stopping a Service in Managing System Services in Oracle Solaris 11.4

5. Prevent the workstation owner from powering down the system – How to Remove Power Management Capability From Users in Securing Users and Processes in Oracle Solaris 11.4

6. Notify users before and after authentication that the system is monitored – How to Place a Security Message in Banner Files in Securing Systems and Attached Devices in Oracle Solaris 11.4

Securing Users

At this point, only the initial user who can assume the root role can access the system. The following tasks are best performed in order before regular users can log in.

1. (Optional) Configure restrictive file permissions for regular users – How to Set a More Restrictive umask Value for Regular Users in Securing Users and Processes in Oracle Solaris 11.4

2. Set account locking for regular users – How to Set Account Locking for Regular Users in Securing Users and Processes in Oracle Solaris 11.4

3. Monitor and record all administrative events – Viewing Audit Data in the Statistics Store in Managing Auditing in Oracle Solaris 11.4

4. Distribute discrete administrative tasks to roles – Assigning Rights to Users in Securing Users and Processes in Oracle Solaris 11.4

   For ease of role creation, use predefined ARMOR roles – Creating a Role in Securing Users and Processes in Oracle Solaris 11.4

5. (Optional) Limit a user's basic privileges – Removing Privileges From Users in Securing Users and Processes in Oracle Solaris 11.4

Protecting the Network

At this point, you might have created users who can assume roles, and have created the roles.

In your assigned role as network security administrator, perform tasks from the following list that site security requires. These network tasks strengthen the IP, ARP, and TCP protocols.

• Limit access to systems by would-be network sniffers – How to Enable Dynamic Routing on a Single-Interface System in Configuring an Oracle Solaris 11.4 System as a Router or a Load Balancer

• Prevent the dissemination of information about the network topology – How to Disable Broadcast Packet Forwarding in Securing the Network in Oracle Solaris 11.4 and How to Disable Responses to Echo Requests in Securing the Network in Oracle Solaris 11.4

• Prevent packets that do not have the address of the gateway in their header from moving beyond the gateway – How to Set Strict Multihoming in Securing the Network in Oracle Solaris 11.4

• Prevent Denial of Service (DoS) attacks by controlling the number of incomplete system connections – How to Set Maximum Number of Incomplete TCP Connections in Securing the Network in Oracle Solaris 11.4

• Prevent DoS attacks by controlling the number of permitted incoming connections – How to Set Maximum Number of Pending TCP Connections in Securing the Network in Oracle Solaris 11.4

• Increase security that administrative actions reduced – How to Reset Network Parameters to Secure Values in Securing the Network in Oracle Solaris 11.4

• Add TCP wrappers to network services to limit applications to legitimate users – Using TCP Wrappers in Oracle Solaris in Administering TCP/IP Networks, IPMP, and IP Tunnels in Oracle Solaris 11.4

• Configure a firewall – Configuring the Firewall in Oracle Solaris in Securing the Network in Oracle Solaris 11.4

• Configure encrypted and authenticated network connections – Configuring IPsec in Securing the Network in Oracle Solaris 11.4 and Configuring IKEv2 in Securing the Network in Oracle Solaris 11.4

• Configure Kerberos – Managing Kerberos in Oracle Solaris 11.4

Protecting File Systems

ZFS file systems are lightweight and can be encrypted, compressed, and configured with reserved space and disk space quotas. The tmpfs file system can grow without bound.

The following tasks configure ZFS and tmpfs so provide a glimpse of the protections that are available in ZFS.

• Prevent DoS attacks by managing and reserving disk space – Setting ZFS Quotas in Managing ZFS File Systems in Oracle Solaris 11.4, Setting Reservations on ZFS File Systems in Managing ZFS File Systems in Oracle Solaris 11.4, and the zfs(8) man page

• Encrypt data on a file system – Encrypting ZFS File Systems in Managing ZFS File Systems in Oracle Solaris 11.4 and Examples of Encrypting ZFS File Systems in Managing ZFS File Systems in Oracle Solaris 11.4

• Prevent malicious users from creating large files in /tmp – Preventing tmpfs File Systems From Filling Up the System in Securing Files and Verifying File Integrity in Oracle Solaris 11.4

• Prevent unauthorized access to sensitive file systems – Labeling Files for Data Loss Protection in Securing Files and Verifying File Integrity in Oracle Solaris 11.4

Protecting and Modifying Files

By default, only the root role can modify system file permissions. Roles and users who are assigned the solaris.admin.edit/ path-to-system-file authorization can modify that system-file. Only the root role can search for all files.

The following tasks illustrate several strategies for protecting the files in your system.

• Configure restrictive file permissions for regular users – How to Set a More Restrictive umask Value for Regular Users in Securing Users and Processes in Oracle Solaris 11.4

• Use extended security attributes to protect files – Using File Attributes to Add Security to ZFS Files in Securing Files and Verifying File Integrity in Oracle Solaris 11.4

• Prevent accidental deletion of critical files, such as Oracle database logs – Preventing Accidental Deletions With the nounlink Attribute in Securing Files and Verifying File Integrity in Oracle Solaris 11.4

• Maintain system file integrity – How to Find Files With Special File Permissions in Securing Files and Verifying File Integrity in Oracle Solaris 11.4

Securing System Access and Use

You can configure Oracle Solaris security features to protect your system use, including applications and services on the system and on the network.

• Prevent buffer overflows – Preventing Process Heap Corruption Using adiheap in Securing Systems and Attached Devices in Oracle Solaris 11.4

• Prevent programs from heap or executable stack corruption – Protecting the Process Heap and Executable Stacks From Compromise in Securing Systems and Attached Devices in Oracle Solaris 11.4

• Customize auditing according to site security requirements – Managing Auditing in Oracle Solaris 11.4

• Protect core files that might contain sensitive information – Enabling File Paths in Troubleshooting System Administration Issues in Oracle Solaris 11.4 and Administering Your Core File Specifications in Troubleshooting System Administration Issues in Oracle Solaris 11.4

• Create zones to contain and isolate applications – Introduction to Oracle Solaris Zones

• Create read-only zones that cannot be modified – Configuring and Administering Immutable Zones in Creating and Using Oracle Solaris Zones

  Administer read-only zones – Administering Immutable Non-Global Zones in Creating and Using Oracle Solaris Zones

• Manage resources in zones – Administering Resource Management in Oracle Solaris 11.4

• Create a labeled environment with limited access – Labeling Files for Data Loss Protection in Securing Files and Verifying File Integrity in Oracle Solaris 11.4 and Labeling Processes for Data Loss Protection in Securing Users and Processes in Oracle Solaris 11.4

• Configure Kerberos – Managing Kerberos in Oracle Solaris 11.4

• Protect legacy services by assigning limited rights to the application – Protecting SMF Services

Protecting SMF Services

You can limit application configuration to trusted users or roles by adding the application to the Service Management Facility (SMF) feature of Oracle Solaris, then requiring rights to start, refresh, and stop the service.

For services that are run by inetd, you should control the number of concurrent processes to prevent a security breach. For more information, see the following:

• Recommendations for Systems That Run inetd Based Services in Administering TCP/IP Networks, IPMP, and IP Tunnels in Oracle Solaris 11.4

• Modifying Services that are Controlled by inetd in Managing System Services in Oracle Solaris 11.4

For information and procedures about SMF, see the following:

• Securing Service Tasks in Developing System Services in Oracle Solaris 11.4

• smf(7) and smf_security(7)

• svcadm(8), svcbundle(8), and svccfg(8)

Adding Labeled Security

Labeled security in Oracle Solaris is provided by two features, file and process labeling in Oracle Solaris, and the Trusted Extensions feature that is provided in an optional set of packages.

• File and process labeling enables administrators to apply labels to selected datasets and give clearances to selected users. Data that is not privileged is not explicitly labeled, and regular users cannot access labeled data. For more information, see:

  • Chapter 3, Labeling Files for Data Loss Protection in Securing Files and Verifying File Integrity in Oracle Solaris 11.4

  • Chapter 6, Labeling Processes for Data Loss Protection in Securing Users and Processes in Oracle Solaris 11.4

• Trusted Extensions labels all users, processes, and network communications.

  You must install the Trusted Extensions packages, then configure the system. The system/trusted and system/trusted/trusted-global-zone packages are sufficient for a headless system or server. Network configuration is required to communicate with other systems.

  For information and procedures, see the following:

  • Part 1, Initial Configuration of Trusted Extensions, in Trusted Extensions Configuration and Administration

  • Part 2, Administration of Trusted Extensions, in Trusted Extensions Configuration and Administration