- Oracle Cloud...Security in Oracle Solaris 11 Authentication SSH X.509 Certificate support, Kerberos PKINIT (X.509). Kerberos data in LDAP. Root login


Page 2:

Oracle Solaris 11 Security
Glenn Faden
Solaris Security
Oracle Corporation

Page 3:

Security in Oracle Solaris 11

Authentication: SSH X.509 Certificate support, Kerberos PKINIT (X.509). Kerberos data in LDAP. Root login disabled by default. Role auth via user password, Authentication caching.

Audit: Auditing on by default, audit policy in SMF, Secure remote audit trail.

Delegation: Fine-grained user/password/RBAC management CLI with LDAP support. Sudo with auditing.

Data Security: ZFS filesystem, swap, dump and zvol encryption, NFSv4/NT style ACLs, Multilevel security with file labeling. IPsec/IKE policy per zone. Per Zone NFS server and Kerberos Realm.

Cryptography: Transparent Hardware Encryption for Solaris, Java. OpenSSL 4x faster. Trusted Platform Module (TPM) keystore, file integrity scanner. Signed binaries & packages, Oracle Key Manager appliance integration.

Built-in, flexible, transparent, hardware assisted

Page 4:

Advanced Protection

• Integrated with all the other Solaris features
  – Zones, ZFS, SMF, Networking, Automated Install, IPS, many others
  – Install and boot secure by default
  – The layered defense in depth gives the highest levels of containment
• Protect – protect data and the access to it
• Prevent – contain user and application actions
• Manage – manage and log security settings
• Assure – providing an enterprise platform to deploy applications securely with confidence

Oracle Solaris Security

Page 5:

Tailored Security for Applications

• Audited and delegated administration
  – Restricted zone access
  – Service management
• Immutable Zones: read-only file systems
• Data link and IP-layer protection
• Hardware accelerated crypto operations
  – OpenSSL 5x faster than IBM
• Encrypted ZFS for data protection
  – Remote key management
  – ZFS encryption on T4 is 3x faster than Intel

Defense in Depth

Page 7:

Authentication

• Kerberos Server/Client
  – Kerberized applications
  – Hardware cryptographic acceleration
• LDAP Server/Client
• Active Directory client
• PAM Local authentication
• SSH PKI Support

Page 8:

Role Assumption

• Root is a role by default:
  – LiveCD and Text Installer
  – Choice with AI install
• Initial root password matches that of the initial user but is expired and needs to be changed on first su(1M)
• Role authentication policy is configurable to require either the user's or the role's password:

  usermod -K roleauth=user root

• /bin/login no longer setuid
  – Started with privilege from console-login, in.telnetd, in.rlogind, etc. when needed.

Page 9:

Configuring pam_tty_tickets

The following /etc/pam.conf entries change the defaults so that tickets are valid for 10 minutes and from any tty on the system:

su auth required   pam_unix_cred.so.1
su auth sufficient pam_tty_tickets.so.1 anytty timeout=10
su auth requisite  pam_authtok_get.so.1
su auth required   pam_dhkeys.so.1
su auth required   pam_unix_auth.so.1
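Because the ticket module short-circuits the password prompt, a reviewer wants two things from a pam.conf: what lifetime and tty scope the su stack actually grants, and whether pam_tty_tickets sits before pam_unix_auth (after it, the caching has no effect). The script below is an added example, not part of the slides or of Solaris; it parses a constructed pam.conf with awk, needs no Solaris binaries, and assumes the usual "service type control module [options]" line layout with '#' comments.

```shell
#!/bin/sh
# Added example (not from the slides): audit the su "auth" stack of a
# Solaris-style pam.conf for the pam_tty_tickets settings described above.
# Assumption: pam.conf lines look like "service type control module [options]".

# Write a constructed pam.conf (sample data, not a real system file) to $1.
write_sample_pamconf() {
    cat > "$1" <<'EOF'
# constructed sample: su stack with a 10-minute, any-tty ticket
su auth required   pam_unix_cred.so.1
su auth sufficient pam_tty_tickets.so.1 anytty timeout=10
su auth requisite  pam_authtok_get.so.1
su auth required   pam_dhkeys.so.1
su auth required   pam_unix_auth.so.1
# login stack left at defaults (no ticket module)
login auth requisite pam_authtok_get.so.1
login auth required  pam_unix_auth.so.1
EOF
}

# Summarise the pam_tty_tickets entry of the "<service> auth" stack in file $1
# (service name in $2). Prints "<control> <timeout> <anytty>", e.g.
# "sufficient 10 yes", or "absent" when the stack has no ticket module.
tty_ticket_summary() {
    awk -v svc="$2" '
        /^[ \t]*#/ { next }
        $1 == svc && $2 == "auth" && $4 ~ /pam_tty_tickets/ {
            timeout = "default"; anytty = "no"
            for (i = 5; i <= NF; i++) {
                if ($i ~ /^timeout=/) { sub(/^timeout=/, "", $i); timeout = $i }
                if ($i == "anytty") anytty = "yes"
            }
            print $3, timeout, anytty
            found = 1
            exit
        }
        END { if (!found) print "absent" }
    ' "$1"
}

# The ticket module only replaces the password prompt if it is listed before
# pam_unix_auth in the same stack. Prints "yes" or "no".
tty_ticket_before_password() {
    awk -v svc="$2" '
        /^[ \t]*#/ { next }
        $1 == svc && $2 == "auth" {
            n++
            if ($4 ~ /pam_tty_tickets/) t = n
            if ($4 ~ /pam_unix_auth/)   p = n
        }
        END { r = (t && p && t < p) ? "yes" : "no"; print r }
    ' "$1"
}

# Compare the ticket lifetime against a policy ceiling in minutes ($3).
# Prints "ok", "too-long", "absent", or "unknown" when timeout= is not given.
check_ticket_timeout() {
    file=$1; svc=$2; max=$3
    set -- $(tty_ticket_summary "$file" "$svc")
    [ "$1" = absent ]  && { echo absent;  return; }
    [ "$2" = default ] && { echo unknown; return; }
    [ "$2" -le "$max" ] && echo ok || echo too-long
}

sample=${TMPDIR:-/tmp}/pam.conf.sample.$$
write_sample_pamconf "$sample"
tty_ticket_summary "$sample" su          # sufficient 10 yes
tty_ticket_before_password "$sample" su  # yes
check_ticket_timeout "$sample" su 15     # ok
check_ticket_timeout "$sample" su 5      # too-long
tty_ticket_summary "$sample" login       # absent
rm -f "$sample"
```

Point the functions at /etc/pam.conf on a Solaris host to run the same checks against the live stack; a "too-long" or "no" result is the finding a policy review would raise.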

Page 11:

Auditing and Logging

Logging
• Application defined
• Syslog format
• Troubleshoot user/application problems
• Log policies

Auditing
• Kernel controlled
• Low impact
• Audit by default
• Secure transmission
• Evidence quality

Page 12:

Auditing

• No reboot audit
  – Auditing by default without performance penalty
  – No reboot required to enable auditing
• Audit policy configuration now in SMF
• More system configuration in SMF means more auditing of system configuration change
  – e.g.: /etc/default/nfs is now in SMF services
• Secure Remote Audit trail
  – GSS/Kerberos secured transport
• Audit Trail “Noise reduction”
  – Less “noise” in the audit trail for public files

Page 14:

Rights Management

DTrace Debugging

Page 15:

Delegation and Qualification

• Authorized users and roles may delegate their rights to others
  – Authorizations of the form solaris.foo.delegate convey the right to delegate objects in the foo class
  – Can't delegate what you don't have
• Authorizations of the form solaris.foo.assign convey the right to assign any object in the foo class
• Authorizations appended with / apply to specific instances of elements in an object class
  – solaris.zone.manage/foobar
  – solaris.group.manage/staff

Page 16:

RBAC and Group Management

• Solaris Management Console is gone
• New and updated CLIs
  – userattr, profiles, user{add,mod,del}
  – role{add,mod,del}, group{add,mod,del}
• User Management profile can be granted to normal users and/or roles
  – Sufficient for creating accounts with default attributes
  – Sufficient for creating groups and managing them
  – Requisite for delegation of user's RBAC attributes
• Fine-grained delegation is implemented for authorizations, groups, labels, profiles, privileges, projects, and roles

Page 17:

Managing Profiles

• The profiles(1) CLI has been reimplemented using zonecfg(1M) as a model
• Both local and LDAP repositories
• Interactive and command line modes
  – Interactive
    • Auto-completion of all entries
    • Context-sensitive help
    • Bash-like editing
  – Command line mode
    • Accepts multiple subcommands, separated by semicolon
    • Can fully enumerate any or all profiles and their contents

Page 18:

Upgrading and Customizing Databases

• RBAC entries delivered via pkg(1M) are read-only
  – Maintained in subdirectories as separate files
  – Replaced when packages are updated
  – Name Service caches entries for efficient enumeration
  – Legacy files contain only user customizations
• profiles(1) CLI supports cloning and appending to facilitate customization

Page 19:

Modifying customized assignments

• Editing by hand is not supported
• Use CLIs to assign, prepend, and remove values to/from lists
• For user and role commands
  – -K key[+|-]=value[,value...]
  – -K auths+=solaris.zones.login/myzone
  – -P [+|-]profile[,profile...]
• For group commands
  – -U [+|-]user[,user...]
• For profiles
  – Use set, add, and remove subcommands
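The two pages above (delegation and qualification on Page 15, the -K key[+|-]=value edit syntax on Page 19) are easier to reason about with a small model. The script below is an added example, not from the slides or from Solaris, and touches no user database: apply_key_edit applies one usermod-style list edit to a comma-separated authorization list, and auth_satisfied decides whether a granted list covers a required, possibly instance-qualified, authorization. It assumes "+=" prepends (the slides' wording), "-=" removes and "=" replaces; that an unqualified authorization covers every "/instance" of its object class; and, going beyond the slides, that a trailing ".*" wildcard covers a whole class, which is Solaris auth_attr convention rather than something the deck states.

```shell
#!/bin/sh
# Added example, not from the slides or from Solaris: a pure-shell model of the
# "-K key[+|-]=value" list-editing syntax and of authorization matching.
# Assumptions: "+=" prepends, "-=" removes, "=" replaces; an unqualified
# authorization covers every "/instance"; a trailing ".*" wildcard covers the
# class (Solaris auth_attr convention, not stated on the slides).

# Print comma list $1 without the entries named in comma list $2.
remove_values() {
    awk -v list="$1" -v drop="$2" 'BEGIN {
        n = split(list, items, ","); m = split(drop, d, ",")
        for (j = 1; j <= m; j++) gone[d[j]] = 1
        out = ""
        for (i = 1; i <= n; i++) {
            if (items[i] == "" || (items[i] in gone)) continue
            out = out (out == "" ? "" : ",") items[i]
        }
        print out
    }'
}

# Apply one "key[+|-]=value[,value...]" edit ($2) to the current list ($1).
apply_key_edit() {
    current=$1; spec=$2
    key=${spec%%=*}            # "auths+", "auths-" or "auths"
    values=${spec#*=}
    case $key in
        *+) rest=$(remove_values "$current" "$values")   # drop duplicates, then prepend
            [ -n "$rest" ] && echo "$values,$rest" || echo "$values" ;;
        *-) remove_values "$current" "$values" ;;
        *)  echo "$values" ;;
    esac
}

# "yes" if the granted list $1 satisfies required authorization $2, else "no".
auth_satisfied() {
    awk -v list="$1" -v need="$2" 'BEGIN {
        base = need; sub(/\/.*$/, "", base)   # "solaris.zone.manage/foobar" -> "solaris.zone.manage"
        n = split(list, items, ",")
        for (i = 1; i <= n; i++) {
            a = items[i]
            if (a == need || a == base) { print "yes"; exit }
            if (a ~ /\.\*$/ && index(base, substr(a, 1, length(a) - 1)) == 1) { print "yes"; exit }
        }
        print "no"
    }'
}

# Walk-through with constructed values
auths="solaris.zone.login/webzone,solaris.group.manage/staff"
auths=$(apply_key_edit "$auths" "auths+=solaris.zone.manage/foobar")
echo "$auths"   # solaris.zone.manage/foobar,solaris.zone.login/webzone,solaris.group.manage/staff
auth_satisfied "$auths" solaris.zone.manage/foobar   # yes: exact instance
auth_satisfied "$auths" solaris.zone.manage/other    # no: a different instance
auth_satisfied "$auths" solaris.zone.manage          # no: one instance does not cover all zones
auth_satisfied solaris.zone.manage solaris.zone.manage/other   # yes: unqualified covers every instance
auths=$(apply_key_edit "$auths" "auths-=solaris.group.manage/staff")
echo "$auths"   # solaris.zone.manage/foobar,solaris.zone.login/webzone
```

The asymmetry in the last three checks is the point of the slide: a "/foobar" qualifier narrows the grant to one object, so a request for a different instance, or for the unqualified class-wide right, is refused.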

Page 20:

LDAP support

• Scope option added to RBAC and TX CLIs
  – -S ldap|files
  – Default for modifications is files
  – Default for lookups is “follow name switch”
• Default LDAP attributes are used
• Client machine must be initialized with admin credential

# useradd jdoe -S ldap

Page 21:

sudo Integration

• sudo generates Solaris audit events
• sudo uses the Solaris basic privilege proc_exec to implement the NOEXEC restriction
• Initial Solaris user is automatically added to the /etc/sudoers file
• sudo-like features added to su(1M)
  – New PAM module, pam_tty_tickets, implements time-restricted authentication caching
  – New role authentication option to authenticate via user's password instead of role's password

Page 22:

RBAC in the kernel

• pfexec(1) is now “in-kernel”
  – No longer a setuid program
• All standard shells (including bash, tcsh, zsh) now available as profile shells
• A new process flag specifies that all execs are subject to RBAC policy
  – ppriv shows: flags = PRIV_PFEXEC
  – Inherited by all child processes unless the real uid changes
  – exec(2) retrieves the process attributes via door call to a daemon process
  – Transparent to programs, scripts, etc.

Page 23:

Solaris 11 RBAC Execution Flow

(Flow diagram; only its labels survived extraction.) Userland: pfbash, a symlink to bash, sets the RBAC flag and execs. Kernel: on exec, "Is DAC allowed?" (No: exec fails). "Is RBAC flag set?" (No: execution starts). If set, the kernel queries the RBAC attributes over a door call to pfexecd, which looks them up via the name service (nscd) and returns them on the door return. "Is RBAC allowed?" (No: exec fails; Yes: apply attributes, execution starts). Subsequent fork/exec from the process repeats the check. Components named: pfbash, bash, pfexec, pfexecd, nscd.

Page 25:

Application Sandboxing

• Restricting access to files, networks, and applications
  – Stop profile facilitates specification of limited sets of commands and authorizations
  – New basic privileges for locking down processes
    • file_read – Read objects in the file system
    • file_write – Write objects in the file system
    • net_access – Open TCP/UDP/SDP/SCTP network endpoint
• Privileges for setuid-to-root executables are specified in new Forced Privilege profile
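Verifying a sandbox means reading what ppriv reports for the running process: the PRIV_PFEXEC flag from Page 22 and, from this page, whether file_read, file_write and net_access are still in the effective set. The script below is an added example, not from the slides or from Solaris, that parses a saved ppriv listing (constructed here; on a live system capture it with ppriv -v <pid>). It assumes the listing's "flags = ..." line and "E:/I:/P:/L:" set lines, that a set may be written as "basic", with "!priv" exclusions, or "all", and that the Solaris 11 basic set is file_link_any, file_read, file_write, net_access, proc_exec, proc_fork, proc_info and proc_session.

```shell
#!/bin/sh
# Added example (not from the slides): read the sandbox-relevant facts out of a
# saved ppriv(1) listing. Assumptions: "flags = X" line; set lines "E: spec";
# a spec is a comma list of privilege names, "basic", "!name" exclusions or "all".

# Constructed ppriv listing for a process confined with basic,!file_write,!net_access.
write_sample_ppriv() {
    cat > "$1" <<'EOF'
4711:   /usr/bin/myapp
flags = PRIV_PFEXEC
        E: basic,!file_write,!net_access
        I: basic,!file_write,!net_access
        P: basic,!file_write,!net_access
        L: all
EOF
}

# Expand a set spec to a comma list of names, basic privileges first; "all" stays "all".
expand_priv_set() {
    awk -v spec="$1" 'BEGIN {
        basic = "file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session"
        n = split(spec, parts, ",")
        for (i = 1; i <= n; i++) {
            p = parts[i]
            if (p == "all") { print "all"; exit }
            if (p == "basic") { m = split(basic, b, ","); for (j = 1; j <= m; j++) have[b[j]] = 1 }
            else if (substr(p, 1, 1) == "!") delete have[substr(p, 2)]
            else if (p != "") have[p] = 1
        }
        m = split(basic, b, ","); out = ""
        for (j = 1; j <= m; j++) if (b[j] in have) { out = out (out == "" ? "" : ",") b[j]; delete have[b[j]] }
        for (p in have) out = out (out == "" ? "" : ",") p   # any non-basic privileges
        print out
    }'
}

# $2 = "flags" prints the process flags value; "E", "I", "P" or "L" prints that set expanded.
ppriv_field() {
    file=$1; want=$2
    if [ "$want" = flags ]; then
        awk '$1 == "flags" { print $3; exit }' "$file"
    else
        spec=$(awk -v s="$want:" '$1 == s { print $2; exit }' "$file")
        expand_priv_set "$spec"
    fi
}

# "yes" if privilege $3 is in set $2 of listing $1 (an "all" set covers everything).
has_priv() {
    members=$(ppriv_field "$1" "$2")
    case ",$members," in
        *,all,*|*",$3,"*) echo yes ;;
        *) echo no ;;
    esac
}

# One-line sandbox summary: PFEXEC flag plus the three confinement privileges in E.
sandbox_report() {
    pf=no; [ "$(ppriv_field "$1" flags)" = PRIV_PFEXEC ] && pf=yes
    printf 'pfexec=%s file_read=%s file_write=%s net_access=%s\n' "$pf" \
        "$(has_priv "$1" E file_read)" "$(has_priv "$1" E file_write)" "$(has_priv "$1" E net_access)"
}

sample=${TMPDIR:-/tmp}/ppriv.sample.$$
write_sample_ppriv "$sample"
ppriv_field "$sample" E   # file_link_any,file_read,proc_exec,proc_fork,proc_info,proc_session
sandbox_report "$sample"  # pfexec=yes file_read=yes file_write=no net_access=no
rm -f "$sample"
```

A report showing file_write=no and net_access=no is what a locked-down service should look like; the L (limit) set is still "all" in the sample, which is why a reviewer checks E and P rather than L when judging confinement.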

Page 26:

Data in Motion Protection

• Solaris defaults to ONLY SSH remotely accessible
• SSH & Kerberos easier to manage centrally using X.509 certificate based authentication
  – YOUR Certificate Authorities as Trust Anchors
• Kerberos protection for NFSv3 & NFSv4 traffic
• Active Directory/Kerberos authentication for CIFS/SMB network shares
• Zero-configuration of Kerberos client via DNS
• New kdcmgr(1) for Key Distribution Center

Page 27:

Data in Motion Protection

• Zone file system security boundary now applies to the NFS server as well
  – Each zone can serve a separate NFSv4 domain
  – Each zone can be in a separate Kerberos Realm
• Per Zone IPsec policy
• Kernel SSL/TLS proxy
  – Allows keeping private keys outside of the zone
• Hardware crypto acceleration on SPARC and Intel CPUs reduces the overhead of encrypting network traffic
  – SSH, IPsec/IKE, Kerberos, OpenSSL, KSSL

Page 28:

Immutable Zones

• Read only Zone Root Filesystem
  – Per zone configuration option
  – Prevention against malicious and accidental change of the boot-environment
• Extensible to other zone file systems
  – Provides varying levels of “strictness”
  – So that some things can be written

Policy levels (from the slide's figure): None, Flexible, Fixed, Strict

# zonecfg -z ozone set file-mac-policy=fixed-configuration
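Since file-mac-policy is the single setting that decides whether a zone's root is immutable, it is worth having a check that compares a zone's configured value against a required minimum rather than eyeballing zonecfg output. The script below is an added example, not from the slides or from Oracle's tools; it assumes the four property values are none, flexible-configuration, fixed-configuration and strict (ordered here from least to most strict), and that "zonecfg -z <zone> info" reports the property as a "file-mac-policy: <value>" line. It only prints the zonecfg command it would run.

```shell
#!/bin/sh
# Added example (not from the slides): validate and compare zonecfg
# file-mac-policy values. Assumptions: the values and their strictness order
# below; "zonecfg ... info" prints "file-mac-policy: <value>"; an absent
# property is treated as "none".

# Strictness rank of a policy value; prints -1 for an unknown value.
policy_rank() {
    case $1 in
        none)                   echo 0 ;;
        flexible-configuration) echo 1 ;;
        fixed-configuration)    echo 2 ;;
        strict)                 echo 3 ;;
        *)                      echo -1 ;;
    esac
}

# Print the zonecfg command that would apply policy $2 to zone $1;
# an unknown policy value is refused (nothing printed, non-zero exit).
zonecfg_set_cmd() {
    [ "$(policy_rank "$2")" -ge 0 ] || return 1
    echo "zonecfg -z $1 set file-mac-policy=$2"
}

# Extract the configured policy from saved "zonecfg -z <zone> info" output in file $1.
policy_from_info() {
    awk -F': *' '$1 == "file-mac-policy" { print $2; found = 1; exit }
                 END { if (!found) print "none" }' "$1"
}

# "yes" if the policy recorded in info file $1 is at least as strict as $2.
meets_minimum() {
    have=$(policy_rank "$(policy_from_info "$1")")
    need=$(policy_rank "$2")
    [ "$need" -ge 0 ] && [ "$have" -ge "$need" ] && echo yes || echo no
}

# Constructed "zonecfg -z ozone info" output, not captured from a real system.
write_sample_info() {
    cat > "$1" <<'EOF'
zonename: ozone
zonepath: /system/zones/ozone
brand: solaris
autoboot: true
file-mac-policy: fixed-configuration
EOF
}

sample=${TMPDIR:-/tmp}/zonecfg.info.$$
write_sample_info "$sample"
policy_from_info "$sample"                    # fixed-configuration
meets_minimum "$sample" fixed-configuration   # yes
meets_minimum "$sample" strict                # no
zonecfg_set_cmd ozone strict                  # zonecfg -z ozone set file-mac-policy=strict
zonecfg_set_cmd ozone readonly || echo "rejected unknown policy value"
rm -f "$sample"
```

On a Solaris host, feed the functions the output of zonecfg -z <zone> info for each zone and fail the compliance run on any "no"; the ranking makes "flexible-configuration" pass a "none" baseline but fail a "fixed-configuration" one.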

Page 29:

Labeled Security

• Only enterprise OS that includes multilevel functionality as a bundled feature
  – Full support of Trusted Extensions included in standard Solaris license
  – Zones architecture makes labeling completely transparent to applications

(Figure: a Solaris Kernel hosting Multilevel Desktop Services in the Global Zone and labeled zones Need-to-know, Internal Use and Public, each with its own net interface.)

Page 31:

Cryptographic Security

The framework for cryptography is standardized and extensible. Your current cryptographic choices and any future technology can easily plug in and just work.

• Standards-based framework
• Same API, software or hardware
• NSA Suite B algorithms
• Extensible for future technologies

Page 32:

System Integrity Protection

• Network package installation over HTTPS
  – Protect sensitive package content in transit
• Solaris 11 packages are cryptographically signed
  – You can add additional signatures
• System policy to require and verify signatures
  – YOU choose who you trust per system image
• ELF binaries are still cryptographically signed
  – Know they came from the Oracle RE process
• For non-packaged files bart(1M) provides a passive manifest comparison system using cryptographic hashes
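A bart comparison is only useful if someone reads it, and on a busy system most differences are mtime drift. The script below is an added example, not from the slides or from bart itself, that turns a saved bart compare report into review output: counts of added, deleted and modified files, the subset whose contents changed, and the before/after values of one attribute. It assumes bart's report layout of a "/path:" line followed by indented "attribute control:<value> test:<value>" lines, with "add" or "delete" for files present in only one manifest; the sample report is constructed and the hash values in it are placeholders.

```shell
#!/bin/sh
# Added example (not from the slides): summarise a saved "bart compare" report.
# Assumed layout: "/path:" then indented "attr control:X test:Y" lines, or
# "add"/"delete" for files in only one manifest. Bare "attr X Y" is accepted too.

# Constructed report; the hashes are placeholders, not real digests.
write_sample_report() {
    cat > "$1" <<'EOF'
/etc/passwd:
  mtime  control:4f2a1b3c  test:4f2a9d10
  size   control:1234  test:1260
  contents  control:1111aaaa  test:2222bbbb
/etc/ssh/sshd_config:
  mtime  control:4f2a1b3c  test:4f2a9e00
/usr/local/bin/dropped:
  add
/usr/local/bin/removed:
  delete
EOF
}

# Counts of added, deleted and modified files, and of attribute changes that
# matter for integrity (contents, mode, uid, gid) as opposed to timestamp drift.
bart_summary() {
    awk '
        /^\// { path = $1; sub(/:$/, "", path); next }
        $1 == "add"    { added++;   next }
        $1 == "delete" { deleted++; next }
        NF >= 2 {
            if (!(path in seen)) { seen[path] = 1; modified++ }
            if ($1 == "contents" || $1 == "mode" || $1 == "uid" || $1 == "gid") risky++
        }
        END { printf "added=%d deleted=%d modified=%d risky=%d\n", added, deleted, modified, risky }
    ' "$1"
}

# Paths whose contents changed, one per line: the findings to look at first.
bart_content_changes() {
    awk '
        /^\// { path = $1; sub(/:$/, "", path); next }
        $1 == "contents" { print path }
    ' "$1"
}

# Control and test values of attribute $3 for file $2 in report $1, printed as "X Y".
bart_attr_values() {
    awk -v want="$2" -v attr="$3" '
        /^\// { path = $1; sub(/:$/, "", path); next }
        path == want && $1 == attr {
            c = $2; t = $3; sub(/^control:/, "", c); sub(/^test:/, "", t)
            print c, t; exit
        }
    ' "$1"
}

sample=${TMPDIR:-/tmp}/bart.report.$$
write_sample_report "$sample"
bart_summary "$sample"                          # added=1 deleted=1 modified=2 risky=1
bart_content_changes "$sample"                  # /etc/passwd
bart_attr_values "$sample" /etc/passwd size     # 1234 1260
rm -f "$sample"
```

In practice the control manifest is created right after installation (bart create, stored off-host), and the report fed to these functions comes from bart compare against a fresh manifest; a non-zero "risky" count or any path listed by bart_content_changes is the trigger for investigation.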

Page 33:

Support for Cryptographic Hardware

• Performance Improvements for SPARC and Intel
  – Many of these have been backported to S10 Updates.
  – T1-T3 systems access hardware crypto via ncp/n2cp/n2rng modules
  – T4 systems implement unprivileged instruction access, so no special hardware drivers are required (that is, no n2cp)
  – Intel Westmere systems (AES-NI) also have unprivileged instruction access. Also successors: Sandybridge, Ivybridge, etc.

Page 34:

Data at Rest Protection

• Encryption for UFS & other legacy filesystems via lofi driver
• ZFS data set encryption (file system & ZVOL)
  – Comprehensive wrapping key management
    • Delegation: key use vs key change vs key location/type
    • Local or Centralised
    • Integrated with Oracle Key Manager via pkcs11_kms
    • 3rd Party key management integration
  – zfs(1M) key subcommand is scriptable
  – Keys from any https:// location – policy on server side
  – Data encryption key change at clone or on demand
• Oracle DB Transparent Data Encryption
  – hardware acceleration on SPARC T3, T4 and Intel AES-NI

Page 35:

lofi encryption

• Encryption of lofi block devices
  – Use Cryptographic Framework to automatically benefit from hardware acceleration
  – Can be used for encrypted swap
• lofiadm(1M) can use PKCS#11 for key storage:
  – Softtoken, TPM, and Oracle Key Management System
  – lofi devices can't be compressed & encrypted

Example:

# pktool genkey keytype=aes keylen=128 token=KMS label=mykey
Enter PIN for KMS:
# lofiadm -c aes-128-cbc -T :::mykey -a /tmp/lofi
Enter PIN KMS:
/dev/lofi/1

Page 36:

ZFS Encryption

Example: using an external memory stick as the key source for an encrypted dataset

# pktool genkey keystore=file outkey=/media/rmdisk0/mykey \
    keytype=aes keylen=256
# zfs create -o encryption=aes-256-ccm \
    -o keysource=raw,file:///media/rmdisk0/mykey tank/home/bob
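With keysource=raw,file:// the key file is the whole secret, so the things to get right before running zfs create are its length (it must match the cipher's key size exactly), its permissions, and an absolute path in the URL. The script below is an added example, not from the slides or from Solaris: make_raw_key stands in for pktool genkey keystore=file by reading /dev/urandom under a 077 umask (an assumption; on Solaris use pktool as shown above), raw_key_ok performs the checks, and zfs_create_cmd only prints the zfs create command it would run, refusing a key file that fails them.

```shell
#!/bin/sh
# Added example (not from the slides): sanity-check a raw key file before it is
# used as keysource=raw,file://... and build the matching zfs create command.
# Assumptions: /dev/urandom stands in for pktool genkey keystore=file;
# the raw key must be exactly keylen/8 bytes and readable only by its owner.

# Write a raw key of $2 bits to $1, created 0600 via the umask.
make_raw_key() {
    bytes=$(( $2 / 8 ))
    ( umask 077 && dd if=/dev/urandom of="$1" bs="$bytes" count=1 2>/dev/null )
}

# "yes" if $1 is a regular file of exactly $2/8 bytes with no group/other permission bits.
raw_key_ok() {
    f=$1; bits=$2
    [ -f "$f" ] || { echo no; return; }
    size=$(wc -c < "$f" | tr -d ' ')
    [ "$size" -eq $(( bits / 8 )) ] || { echo no; return; }
    perms=$(ls -ld "$f" | cut -c5-10)      # group and other permission bits
    [ "$perms" = "------" ] && echo yes || echo no
}

# Print the zfs create command for dataset $1 using raw key file $2 of $3 bits.
# Refuses (non-zero exit, nothing printed) an unsupported key size, a key file
# that fails raw_key_ok, or a relative path (file:// needs an absolute one).
zfs_create_cmd() {
    ds=$1; key=$2; bits=$3
    case $bits in 128|192|256) ;; *) return 1 ;; esac
    [ "$(raw_key_ok "$key" "$bits")" = yes ] || return 1
    case $key in /*) ;; *) return 1 ;; esac
    echo "zfs create -o encryption=aes-$bits-ccm -o keysource=raw,file://$key $ds"
}

key=${TMPDIR:-/tmp}/mykey.$$
make_raw_key "$key" 256
raw_key_ok "$key" 256              # yes
raw_key_ok "$key" 128              # no: 32 bytes is not a 128-bit key
zfs_create_cmd tank/home/bob "$key" 256
chmod 644 "$key"
raw_key_ok "$key" 256              # no: readable by group/other
zfs_create_cmd tank/home/bob "$key" 256 || echo "refused: key file not protected"
rm -f "$key"
```

The length check catches the common mistake of pairing a 128-bit key file with encryption=aes-256-ccm, and the permission check is the one property a key on a removable stick is most likely to lose when it is copied around.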

Page 37:

Encrypted Home Directories

• User home directories are created as ZFS datasets
  – Conditionally based on filesystem type of parent directory
  – Initial encryption key inherited from parent dataset
  – New PAM module, pam_zfs_key, supports mounting encrypted home directories with user's password
• User is granted ZFS permission to create home directory snapshots

Page 38:

For More Information / Try Out Today

• Product overview and download
  – oracle.com/solaris
• Oracle Technology Network
  – oracle.com/technetwork/server-storage/solaris11
• System administrators community
  – oracle.com/technetwork/systems

Oracle Solaris Insider
facebook.com/oraclesolaris
@ORCL_Solaris