3 Maintaining and Monitoring Oracle Solaris Security
This chapter describes the actions to take to maintain and monitor security on your system, beginning with booting.
Verifying System Integrity Before Regular Users Log In
Oracle Solaris provides ways to ensure that the booting process is secure and the packages on your system are valid.
- Verified boot – Secures the boot process. Verified boot is disabled by default.
  This feature protects the system from threats such as the installation of unauthorized kernel modules and trojan applications.
  For more information, review the following:
- Repository verification – Verifies that your local IPS repository files are valid.
  Maintaining a valid and secured IPS repository is essential for package installation. If you are using a local IPS repository, you can run the pkgrepo verify command to verify that the repository is not corrupted. With any signature policy other than ignore, the command verifies that signed packages are correctly signed. For more information, review the following:
- Package verification – Verifies that the installed packages are valid.
  After installing or updating packages, you can run the pkg verify command to ensure that the packages on your system did not install files with incorrect ownership or hashes, for example. With any signature policy other than ignore, the command verifies that signed packages are correctly signed. For more information, see the following:
Monitoring System Security
Perform the following tasks to monitor access and use of your system and data, and adherence to your site's security requirements.
- Verify that you are running the latest version of the OS – Administering CVE Updates in Oracle Solaris in Oracle Solaris 11.4 Compliance Guide
- Assess the system's compliance with security benchmarks regularly
  The compliance assess command provides a snapshot of your system's security posture. The reports from the assessments suggest specific changes to your system to satisfy its default security policy. For more information, see Oracle Solaris 11.4 Compliance Guide and the compliance(8) man page.
- Verify file integrity regularly
  BART is a rule-based file integrity scanning and reporting tool that uses cryptographic-strength hashes and file system metadata to report changes. BART enables you to comprehensively validate systems by performing file-level checks of a system over time.
  After you verify that files are installed correctly, BART reports can easily and reliably track file changes. The reports might indicate that a system has not been patched, an intruder has installed unapproved files, or an intruder has changed the permissions or contents of system files, such as root-owned files. For more information, see the following:
- Find and remove suspicious files – How to Find Files With Special File Permissions in Securing Files and Verifying File Integrity in Oracle Solaris 11.4
- Review log files
  - SMF provides log files for every service. To locate the log file for a service, run the svcs -L service command.
  - The rsyslog daemon writes a centralized log that can inform and warn administrators of critical conditions in many services. See the rsyslogd(8) man page.
  - Other features create their own logs. For example, you can display package summary information with the pkg history command.
- Locate unusual access and use of the system by reviewing audit logs regularly
  Auditing keeps a record of how the system is being used. The audit service includes tools to assist with the analysis of the auditing data. For tools new in this release, see What's New in Security Features in Oracle Solaris 11.4.
  The audit service is described in Managing Auditing in Oracle Solaris 11.4. For a list of the man pages and links to them, see Audit Service Man Pages in Managing Auditing in Oracle Solaris 11.4.
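The BART control-then-test workflow from the file integrity item above, as an added example that is not part of this guide: POSIX sh wrappers around bart create and bart compare, plus a triage filter that flags the report entries worth an administrator's review (content, mode, ownership, added or deleted files) and separates them from mtime-only drift. The bart subcommands and the -R option are as documented in bart(8); the exact compare report layout and the sample report embedded below are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example, not from the Oracle Solaris guide: wrappers for the BART control/test
# manifest workflow plus a triage filter for the "bart compare" report. The bart
# subcommands and -R option are documented in bart(8); the report layout assumed here
# is a "path:" line followed by indented "attr control:X test:Y", "add" or "delete" lines.

# Record the control manifest once, after you have verified the files are correct.
bart_baseline() {   # usage: bart_baseline /root/control.manifest /etc
    bart create -R "$2" > "$1"
}

# Later, build a test manifest of the same tree and compare it with the control.
bart_check() {      # usage: bart_check /root/control.manifest /root/test.manifest /etc
    bart create -R "$3" > "$2"
    bart compare "$1" "$2" | bart_triage
}

# Read a compare report on stdin and print one line per file: severity, path and the
# changed attributes, then a count. Content, mode, owner, add and delete changes are
# what an intruder leaves behind; mtime-only drift is usually patching or normal use.
bart_triage() {
    awk '
        function emit(   sev) {
            sev = (attrs ~ /contents|mode|uid|gid|add|delete/) ? "REVIEW" : "info"
            if (sev == "REVIEW") n++
            print sev "\t" path "\t" attrs
            attrs = ""
        }
        /^[^ ].*:$/ { if (path != "") emit(); path = substr($0, 1, length($0) - 1); next }
        /^  /       { sub(/^  /, ""); attrs = attrs (attrs == "" ? "" : ",") $1 }
        END         { if (path != "") emit(); print "files needing review: " (n + 0) }
    '
}

# Constructed sample report for demonstration only; not output captured from any system.
SAMPLE_REPORT='/etc/passwd:
  mtime  control:3c165879  test:3c165a9a
  contents  control:daca28ae0de97afd7a6b91fde8d57afa  test:84b2b32c4165887ea3cec2a0b5ef8b36
/etc/shadow:
  mode  control:100400  test:100644
/var/log/messages:
  mtime  control:3c165879  test:3c165b00
/usr/local/bin/hello:
  add'

triage_sample() { printf '%s\n' "$SAMPLE_REPORT" | bart_triage; }

triage_sample
```

Running the script stand-alone triages the embedded sample; on a Solaris host, bart_check runs the real comparison and pipes it through the same filter.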