Oracle Solaris 11 Security
Glenn Faden, Solaris Security, Oracle Corporation
Security in Oracle Solaris 11
Authentication: SSH X.509 certificate support, Kerberos PKINIT (X.509), Kerberos data in LDAP, root login disabled by default, role authentication via the user's password, authentication caching.
Audit: auditing on by default, audit policy in SMF, secure remote audit trail.
Delegation: fine-grained user/password/RBAC management CLI with LDAP support; sudo with auditing.
Data Security: ZFS file system, swap, dump and zvol encryption; NFSv4/NT-style ACLs; multilevel security with file labeling; IPsec/IKE policy per zone; per-zone NFS server and Kerberos realm.
Cryptography: transparent hardware encryption for Solaris and Java; OpenSSL 4x faster; Trusted Platform Module (TPM) keystore; file integrity scanner; signed binaries and packages; Oracle Key Manager appliance integration.
Built-in, flexible, transparent, hardware assisted
Advanced Protection
• Integrated with all the other Solaris features
– Zones, ZFS, SMF, Networking, Automated Install, IPS, many others
– Install and boot secure by default
– The layered defense in depth gives the highest levels of containment
• Protect – protect data and the access to it
• Prevent – contain user and application actions
• Manage – manage and log security settings
• Assure – provide an enterprise platform to deploy applications securely with confidence
Oracle Solaris Security
Tailored Security for Applications
• Audited and delegated administration
– Restricted zone access
– Service management
• Immutable Zones: read-only file systems
• Data link and IP-layer protection
• Hardware accelerated crypto operations
– OpenSSL 5x faster than IBM
• Encrypted ZFS for data protection
– Remote key management
– ZFS encryption on T4 is 3x faster than Intel
Defense in Depth
Authentication
• Kerberos Server/Client
– Kerberized applications
– Hardware cryptographic acceleration
• LDAP Server/Client
• Active Directory client
• PAM Local authentication
• SSH PKI Support
Role Assumption
• Root is a role by default:
– LiveCD and Text Installer
– Choice with AI install
• Initial root password matches that of the initial user but is expired and needs to be changed on first su(1M)
• Role authentication policy is configurable to require either the user's or the role's password:
usermod -K roleauth=user root
• /bin/login is no longer setuid
– Started with privilege from console-login, in.telnetd, in.rlogind, etc. when needed.
Configuring pam_tty_tickets
The following /etc/pam.conf entries change the defaults so that tickets are valid for 10 minutes and from any tty on the system.
su auth required pam_unix_cred.so.1
su auth sufficient pam_tty_tickets.so.1 anytty timeout=10
su auth requisite pam_authtok_get.so.1
su auth required pam_dhkeys.so.1
su auth required pam_unix_auth.so.1
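An added check, not part of the original slides, that reads a pam.conf-style file and reports how pam_tty_tickets is configured on the su auth stack (whether it is present, its timeout= option and whether anytty is set), then judges it against a maximum lifetime. The sample pam.conf written by write_sample_pam_conf is constructed to match the slide's entries; the function names and the "default" label for a missing timeout= option are this example's own, not pam_tty_tickets(5) terminology.

```shell
#!/bin/sh
# Added example (not from the slides): audit the su(1M) auth stack of a
# pam.conf-style file for pam_tty_tickets and report the ticket policy.

# pam_ticket_policy FILE
# Prints "enabled timeout=<minutes|default> anytty=<yes|no>" when
# pam_tty_tickets is on the su auth stack, otherwise "disabled" (status 1).
pam_ticket_policy() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments, blank lines
        # pam.conf fields: service type control-flag module [options...]
        $1 == "su" && $2 == "auth" && $4 ~ /pam_tty_tickets/ {
            found = 1; timeout = "default"; anytty = "no"
            for (i = 5; i <= NF; i++) {
                if ($i == "anytty") anytty = "yes"
                else if ($i ~ /^timeout=/) timeout = substr($i, 9)
            }
        }
        END {
            if (!found) { print "disabled"; exit 1 }
            printf "enabled timeout=%s anytty=%s\n", timeout, anytty
        }
    ' "$1"
}

# pam_ticket_within_policy FILE MAX_MINUTES
# Status 0 only when tickets are enabled, scoped to the requesting tty (no
# anytty) and expire within MAX_MINUTES. A wider scope or a longer lifetime
# lengthens the window in which an unattended session can re-enter the role
# without a password, so both are flagged.
pam_ticket_within_policy() {
    policy=$(pam_ticket_policy "$1") || return 1
    case "$policy" in *"anytty=yes"*) return 1 ;; esac
    t=${policy#*timeout=}; t=${t%% *}
    [ "$t" != default ] && [ "$t" -le "$2" ]
}

# write_sample_pam_conf FILE OPTIONS
# Constructed sample su stack; OPTIONS are the pam_tty_tickets module options.
write_sample_pam_conf() {
    cat > "$1" <<EOF
# constructed sample, mirrors the slide's su stack
su auth required   pam_unix_cred.so.1
su auth sufficient pam_tty_tickets.so.1 $2
su auth requisite  pam_authtok_get.so.1
su auth required   pam_dhkeys.so.1
su auth required   pam_unix_auth.so.1
EOF
}

# Demo: the slide's configuration (10 minutes, any tty) against a 5-minute limit.
f=$(mktemp)
write_sample_pam_conf "$f" "anytty timeout=10"
pam_ticket_policy "$f"
if pam_ticket_within_policy "$f" 5; then
    echo "within policy"
else
    echo "outside policy: tickets usable from any tty and/or longer than 5 minutes"
fi
rm -f "$f"
```

Point the first argument at a copy of /etc/pam.conf from a Solaris host to audit a real stack; the awk parser ignores comments and blank lines and only looks at the su service, so other services' use of the module is not reported.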
Auditing and Logging
Logging: application defined; syslog format; used to troubleshoot user/application problems; log policies.
Auditing: kernel controlled; low impact; audit by default; secure transmission; evidence quality.
Auditing
• No reboot audit
– Auditing by default without performance penalty
– No reboot required to enable auditing
• Audit policy configuration now in SMF
• More system configuration in SMF means more auditing of system configuration change
– e.g.: /etc/default/nfs is now in SMF services
• Secure Remote Audit trail
– GSS/Kerberos secured transport
• Audit Trail “Noise reduction”
– Less “noise” in the audit trail for public files
Rights Management
DTrace Debugging
Delegation and Qualification
• Authorized users and roles may delegate their rights to others
– Authorizations of the form solaris.foo.delegate convey the right to delegate objects in the foo class
– Can't delegate what you don't have
• Authorizations of the form solaris.foo.assign convey the right to assign any object in the foo class
• Authorizations appended with / apply to specific instances of elements in an object class
– solaris.zone.manage/foobar
– solaris.group.manage/staff
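An added shell model, not from the slides and not the libsecdb code, of the delegation rules just listed: a granter holding solaris.<class>.assign may hand out any authorization in that class, a granter holding solaris.<class>.delegate may hand out only authorizations it holds itself, and instance-qualified names (the /foobar suffix) are matched per instance. The matching rules in auth_granted (exact name, trailing-* wildcard, and an unqualified name covering every /instance of it) and the reading of the second dotted component as the object class are this example's assumptions; the account authorization lists are constructed.

```shell
#!/bin/sh
# Added example (not from the slides): a model of Solaris authorization
# matching and of the delegate/assign rules described above.
set -f   # wildcards such as solaris.zone.* must not be expanded against files

# auth_granted REQUIRED GRANTED
# GRANTED is a comma-separated list, as in the auths= key of user_attr(4).
# Status 0 when some entry covers REQUIRED:
#   - exact name, or a trailing-* wildcard (solaris.zone.*)
#   - an unqualified name covers every instance of it
#     (solaris.zone.manage covers solaris.zone.manage/foobar)  [assumption]
auth_granted() {
    for g in $(printf '%s' "$2" | tr ',' ' '); do
        case "$1" in
            $g)     return 0 ;;   # exact or wildcard match
            "$g"/*) return 0 ;;   # unqualified auth covers any instance
        esac
    done
    return 1
}

# auth_class AUTH -> the object class: "zone" for solaris.zone.manage/foobar
auth_class() { printf '%s\n' "$1" | cut -d. -f2; }

# can_delegate GRANTER_AUTHS TARGET
# Prints how the grant is justified ("assign" or "delegate") with status 0,
# or "denied" with status 1:
#   solaris.<class>.assign   -> may assign any authorization in <class>
#   solaris.<class>.delegate -> may delegate only authorizations the granter holds
can_delegate() {
    cls=$(auth_class "$2")
    if auth_granted "solaris.$cls.assign" "$1"; then
        echo assign; return 0
    fi
    if auth_granted "solaris.$cls.delegate" "$1" && auth_granted "$2" "$1"; then
        echo delegate; return 0
    fi
    echo denied; return 1
}

# Constructed accounts: a zone admin who may delegate only the zone it
# manages, and a group admin holding the assign authorization for groups.
zoneadmin_auths="solaris.zone.delegate,solaris.zone.manage/foobar"
groupadmin_auths="solaris.group.assign"
for target in solaris.zone.manage/foobar solaris.zone.manage/other solaris.group.manage/staff; do
    printf '%-28s zoneadmin:%-8s groupadmin:%s\n' "$target" \
        "$(can_delegate "$zoneadmin_auths" "$target")" \
        "$(can_delegate "$groupadmin_auths" "$target")"
done
```

The demo output shows the "can't delegate what you don't have" rule in action: the zone admin can delegate solaris.zone.manage/foobar but is denied for solaris.zone.manage/other, while the group admin's assign authorization covers any group without holding the target itself.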
RBAC and Group Management
• Solaris Management Console is gone
• New and updated CLIs
– userattr, profiles, user{add,mod,del}
– role{add,mod,del}, group{add,mod,del}
• User Management profile can be granted to normal users and/or roles
– Sufficient for creating accounts with default attributes
– Sufficient for creating groups and managing them
– Requisite for delegation of user's RBAC attributes
• Fine-grained delegation is implemented for authorizations, groups, labels, profiles, privileges, projects, and roles
Managing Profiles
• The profiles(1) CLI has been reimplemented using zonecfg(1M) as a model
• Both local and LDAP repositories
• Interactive and command line modes
– Interactive
● Auto-completion of all entries
● Context-sensitive help
● Bash-like editing
– Command line mode
● Accepts multiple subcommands, separated by semicolon
● Can fully enumerate any or all profiles and their contents
Upgrading and Customizing Databases
• RBAC entries delivered via pkg(1M) are read-only
– Maintained in subdirectories as separate files
– Replaced when packages are updated
– Name Service caches entries for efficient enumeration
– Legacy files contain only user customizations
• profiles(1) CLI supports cloning and appending to facilitate customization
Modifying customized assignments
• Editing by hand is not supported
• Use CLIs to assign, prepend, and remove values to/from lists
• For user and role commands
– -K key[+|-]=value[,value...]
– -K auths+=solaris.zones.login/myzone
– -P [+|-]profile[,profile...]
• For group commands
– -U [+|-]user[,user...]
• For profiles
– Use set, add, and remove subcommands
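An added example, not from the slides and not the user/role commands themselves, that models the list editing the -K key[+|-]=value option performs, applied to a user_attr(4)-style attribute string: key=value replaces the list, key+=value adds values, key-=value removes them. It exists so the effect of each form can be seen on a constructed entry before running usermod(1M) on a real account; attr_apply and its "add moves an already-present value to the end" behaviour are this example's own choices, not a statement about the command's implementation.

```shell
#!/bin/sh
# Added example (not from the slides): a model of the key[+|-]=value list
# editing behind the user/role commands' -K option, applied to a
# user_attr(4)-style attribute string. It does not call usermod(1M).

# attr_apply ENTRY SPEC
#   ENTRY  semicolon-separated key=value pairs, e.g. "type=role;auths=solaris.admin"
#   SPEC   key=value (replace), key+=value (add), key-=value (remove);
#          value may itself be a comma-separated list
attr_apply() {
    printf '%s\n' "$1" | awk -v spec="$2" '
    # drop every value of "drop" (comma list) from "list" (comma list)
    function drop_values(list, drop,   a, na, d, nd, i, j, keep, r) {
        na = split(list, a, ","); nd = split(drop, d, ","); r = ""
        for (i = 1; i <= na; i++) {
            keep = 1
            for (j = 1; j <= nd; j++) if (a[i] == d[j]) keep = 0
            if (keep) r = r (r == "" ? "" : ",") a[i]
        }
        return r
    }
    BEGIN {
        e = index(spec, "=")
        mark = substr(spec, e - 1, 1)             # "+" or "-" just before "="
        if (mark == "+" || mark == "-") { op = mark; key = substr(spec, 1, e - 2) }
        else                            { op = "="; key = substr(spec, 1, e - 1) }
        vals = substr(spec, e + 1)
    }
    {
        n = split($0, kv, ";"); found = 0; out = ""
        for (i = 1; i <= n; i++) {
            if (kv[i] == "") continue
            p = index(kv[i], "=")
            k = substr(kv[i], 1, p - 1); v = substr(kv[i], p + 1)
            if (k == key) {
                found = 1
                if (op == "=")      v = vals
                else if (op == "+") { v = drop_values(v, vals); v = (v == "") ? vals : v "," vals }
                else                v = drop_values(v, vals)
            }
            out = out (out == "" ? "" : ";") k "=" v
        }
        # a key not yet present is created on assign or add, never on remove
        if (!found && op != "-") out = out (out == "" ? "" : ";") key "=" vals
        print out
    }'
}

# Demo on a constructed role entry, using the slide's own -K example value.
entry="type=role;auths=solaris.admin;profiles=Basic Solaris User"
echo "$entry"
entry=$(attr_apply "$entry" "auths+=solaris.zones.login/myzone"); echo "$entry"
entry=$(attr_apply "$entry" "auths-=solaris.admin");              echo "$entry"
entry=$(attr_apply "$entry" "roles=root");                        echo "$entry"
```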
LDAP support
• Scope option added to RBAC and TX CLIs
– -S ldap|files
– Default for modifications is files
– Default for lookups is “follow name switch”
• Default LDAP attributes are used
• Client machine must be initialized with admin credential
# useradd -S ldap jdoe
sudo Integration
• sudo generates Solaris audit events
• sudo uses the Solaris basic privilege proc_exec to implement the NOEXEC restriction
• The initial Solaris user is automatically added to the /etc/sudoers file
• sudo-like features added to su(1M)
– New PAM module, pam_tty_tickets, implements time-restricted authentication caching
– New role authentication option to authenticate via the user's password instead of the role's password
RBAC in the kernel
• pfexec(1) is now “In-kernel”
– No longer a setuid program
• All standard shells (including bash, tcsh, zsh) now available as profile shells
• A new process flag specifies that all execs are subject to RBAC policy
– ppriv shows: flags = PRIV_PFEXEC
– Inherited by all child processes unless the real uid changes
– exec(2) retrieves the process attributes via door call to a daemon process
– Transparent to programs, scripts, etc.
Solaris 11 RBAC Execution Flow
[Flow diagram, reconstructed from its labels. Userland: pfbash is a symlink to bash; the profile shell sets the RBAC flag and calls exec. Kernel: the exec is first checked against DAC (“Is DAC allowed?”; if not, exec fails); then “Is RBAC flag set?” (if not, execution starts directly); if set, the kernel queries the RBAC attributes through a door call to pfexecd, which looks them up via the name service (nscd) and returns them through the door; the kernel then checks “Is RBAC allowed?” (if not, exec fails), applies the attributes, and execution starts. Subsequent fork/exec from the process repeats the same path.]
Application Sandboxing
• Restricting access to files, networks, and applications
– Stop profile facilitates specification of limited sets of commands and authorizations
– New basic privileges for locking down processes
• file_read
– Read objects in the file system
• file_write
– Write objects in the file system
• net_access
– Open TCP/UDP/SDP/SCTP network endpoint
• Privileges for setuid-to-root executables are specified in new Forced Privilege profile
Data in Motion Protection
• Solaris defaults to ONLY SSH remotely accessible
• SSH & Kerberos easier to manage centrally using X.509 certificate based authentication
– YOUR Certificate Authorities as Trust Anchors
• Kerberos protection for NFSv3 & NFSv4 traffic
• Active Directory/Kerberos authentication for CIFS/SMB network shares
• Zero-configuration of Kerberos client via DNS
• New kdcmgr(1) for Key Distribution Center
Data in Motion Protection
• Zone file system security boundary now applies to NFS server as well.
– Each zone can serve a separate NFSv4 domain
– Each zone can be in a separate Kerberos Realm
• Per Zone IPsec policy
• Kernel SSL/TLS proxy
– Allows keeping private keys outside of the zone
• Hardware crypto acceleration on SPARC and Intel CPUs reduces overhead of encrypting network traffic
– SSH, IPsec/IKE, Kerberos, OpenSSL, KSSL
Immutable Zones
• Read only Zone Root Filesystem
– Per zone configuration option
– Prevention against malicious and accidental change of the boot-environment
• Extensible to other zone file systems
– Provides varying levels of “strictness”
• So that some things can be written
[Diagram: strictness scale of the Oracle Solaris 11 zone file-mac-policy, from None through Flexible and Fixed to Strict]
# zonecfg -z ozone set file-mac-policy=fixed-configuration
Labeled Security
• Only enterprise OS that includes multilevel functionality as a bundled feature
– Full support of Trusted Extensions included in standard Solaris license
– Zones architecture makes labeling completely transparent to applications
[Diagram: the Solaris Kernel hosting Multilevel Desktop Services in the Global Zone and labeled zones at Need-to-know, Internal Use and Public, each with its own net]
Built-in, flexible, transparent, hardware assisted
Cryptographic Security
The framework for cryptography is standardized and extensible. Your current cryptographic choices and any future technology can easily plug in and just work.
• Standards-based framework
• Same API, software or hardware
• NSA Suite B algorithms
• Extensible for future technologies
System Integrity Protection
• Network package installation over HTTPS
– Protect sensitive package content in transit
• Solaris 11 packages are cryptographically signed
– You can add additional signatures
• System policy to require and verify signatures
– YOU choose who you trust per system image
• ELF binaries are still cryptographically signed
– Know they came from the Oracle RE process
• For non-packaged files, bart(1M) provides a passive manifest comparison system using cryptographic hashes
Support for Cryptographic Hardware
• Performance Improvements for SPARC and Intel
– Many of these have been backported to S10 Updates.
– T1-T3 systems access hardware crypto via ncp/n2cp/n2rng modules
– T4 systems implement unprivileged instruction access, so no special hardware drivers are required (that is, no n2cp)
– Intel Westmere systems (AES-NI) also have unprivileged instruction access. Also successors: Sandybridge, Ivybridge, etc.
Data at Rest Protection
• Encryption for UFS & other legacy filesystems via lofi driver.
• ZFS data set encryption (file system & ZVOL)
– Comprehensive wrapping key management
● Delegation: key use vs key change vs key location/type
● Local or Centralised
● Integrated with Oracle Key Manager via pkcs11_kms
● 3rd Party key management integration
– zfs(1M) key subcommand is scriptable
– Keys from any https:// location – policy on server side
– Data encryption key change at clone or on demand
• Oracle DB Transparent Data Encryption
– hardware acceleration on SPARC T3, T4 and Intel AES-NI
lofi encryption
• Encryption of lofi block devices
– Use Cryptographic Framework to automatically benefit from hardware acceleration.
– Can be used for encrypted swap
• lofiadm(1M) can use PKCS#11 for key storage:
– Softtoken, TPM, and Oracle Key Management System
– lofi devices can't be compressed & encrypted
Example:
# pktool genkey keytype=aes keylen=128 token=KMS label=mykey
Enter PIN for KMS:
# lofiadm -c aes-128-cbc -T :::mykey -a /tmp/lofi
Enter PIN KMS:
/dev/lofi/1
ZFS Encryption
Example:
– Using an external memory stick as the key source for an encrypted dataset
# pktool genkey keystore=file outkey=/media/rmdisk0/mykey \
    keytype=aes keylen=256
# zfs create -o encryption=aes-256-ccm \
    -o keysource=raw,file:///media/rmdisk0/mykey tank/home/bob
Encrypted Home Directories
• User home directories are created as ZFS datasets
– Conditionally based on filesystem type of parent directory
– Initial encryption key inherited from parent dataset
– New PAM module, pam_zfs_key, supports mounting encrypted home directories with user's password
• User is granted ZFS permission to create home directory snapshots
For More Information / Try Out Today
• Product overview and download
– oracle.com/solaris
• Oracle Technology Network
– oracle.com/technetwork/server-storage/solaris11
• System administrators community
– oracle.com/technetwork/systems
Oracle Solaris Insider
facebook.com/oraclesolaris
@ORCL_Solaris