Learning Solaris 10
Posted on Friday, May 20th, 2005 at 2:46 pm. Categories: s10 stories, Security.

Solaris 10 Security Feature List

Alec Muffett, the admin of the security-interest internal mailing list, has published his Solaris Security Feature List. A really, really interesting document, worth reading and reading again! It lists the security features together with the Solaris release in which each one appeared.

The funny one is the trapping of the famous “rm -rf /” command, which doesn’t delete anything on S10!

The Solaris 10 specific features:

  • Basic Audit Reporting Tool (BART) : “Snapshots” filesystem content fingerprints and metadata so that changes can be detected and reported upon
  • BSM Records into Syslog, and XML : BSM audit trail now transferable/scrapeable via syslog (import into management software?); XML data formats also available
  • Reduced Network Software Group Package SUNWCrnet : Extremely small, supported, core Solaris footprint; use as a basis for building minimized systems
  • Three-Strikes (N-strikes) PAM Module : PAM module implementing account locking on the N’th failed authentication attempt for selected users
  • Password Dictionary & Complexity Checks : PAM module implementing dictionary checks to reduce the risk of using a trivially guessable password
  • Password-History PAM Module : PAM module implementing password-reuse prevention via a “history” mechanism, for use with local password files
  • Least Privilege / Process Privilege Mechanism : Fine-grained control of system privileges (privileged actions/system calls), assignable piecemeal to specific users, processes, and system processes
  • Daemon Privilege Overhaul / Reduction : Use of the new process privilege mechanism to greatly reduce the number of root-privileged daemons running
  • nosetuid and nodevices mount options : Finer-grained replacement options for the “mount” command, replacing the former nosuid, which implied both
  • Deletion (“rm”) Command Mugtrap : “rm -rf /” is trapped to reduce accidental damage
  • Solaris Containers (Zones) : “Padded-cell” miniature replica Solaris instances within a system; the next step beyond chroot(), with resource-control features
  • ipfilter : Popular, modular, open-source firewall with NAT and packet filter, fully integrated into the S10 kernel and supported
  • IP-Forwarding Disabled by Default : TCP/IP packet forwarding is switched off by default in S10
  • Kernel/User Encryption Framework : Cryptographic services subsystem offering extensible open APIs and SPIs for encryption, authentication and key exchange algorithms
  • Kernel/User Encryption Framework Policy Control : Ability to set system-wide policy on which algorithms are available to applications and to the kernel
  • Bundled OpenSSL : Bundled OpenSSL libs, commands, and header files
  • PKCS11 bridge for OpenSSL : New OpenSSL engine implemented using PKCS#11 as the interface to the Solaris cryptographic framework
  • Digest, HMAC, Encrypt, and Decrypt Commands : Links into the crypto framework to provide generic multi-algorithm digest, MAC, encrypt and decrypt command-line tools, transparently leveraging HW accelerators, etc.
  • Java Crypto Acceleration : Java JVM configurable to take advantage of hardware crypto acceleration via uEF/kEF
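To make the BART idea concrete, here is an added Python illustration (not BART itself, nor code from Muffett’s list): it snapshots a directory tree into a manifest of per-file fingerprints, then diffs a later snapshot against it to report added, deleted and changed objects. The `demo()` scenario and its file contents are constructed for the example.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

# Constructed mini-manifest in the spirit of BART: one record per file system
# object (type, mode, owner, and for regular files size plus a SHA-256 of the
# content) so that a later snapshot can be diffed against the first one.
def fingerprint(path: Path) -> dict:
    st = os.lstat(path)
    kind = "F" if stat.S_ISREG(st.st_mode) else "D" if stat.S_ISDIR(st.st_mode) else "O"
    rec = {"type": kind, "mode": oct(stat.S_IMODE(st.st_mode)),
           "uid": st.st_uid, "gid": st.st_gid}
    if kind == "F":  # directory sizes vary by filesystem, so hash only regular files
        rec["size"] = st.st_size
        rec["sha256"] = hashlib.sha256(path.read_bytes()).hexdigest()
    return rec

def create_manifest(root: str) -> dict:
    """Walk root and record a fingerprint for every object below it (the 'control')."""
    root_path = Path(root)
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root_path):
        for name in dirnames + filenames:
            p = Path(dirpath) / name
            manifest[str(p.relative_to(root_path))] = fingerprint(p)
    return manifest

def compare_manifests(control: dict, test: dict) -> dict:
    """Report objects added, deleted, or changed (which attributes) since control."""
    added = sorted(set(test) - set(control))
    deleted = sorted(set(control) - set(test))
    changed = {}
    for name in set(control) & set(test):
        diffs = [k for k in control[name] if control[name][k] != test[name].get(k)]
        if diffs:
            changed[name] = sorted(diffs)
    return {"added": added, "deleted": deleted, "changed": changed}

def demo() -> dict:
    """Constructed scenario: snapshot, then simulate an unauthorised change and re-snapshot."""
    with tempfile.TemporaryDirectory() as tmp:
        etc = Path(tmp) / "etc"
        etc.mkdir()
        (etc / "passwd").write_text("root:x:0:0::/:/bin/sh\n")
        (etc / "hosts").write_text("127.0.0.1 localhost\n")
        control = create_manifest(tmp)
        (etc / "passwd").write_text("root:x:0:0::/:/bin/sh\nbad:x:0:0::/:/bin/sh\n")
        (etc / "hosts").chmod(0o666)                     # permission change
        (etc / "hosts.bak").write_text("127.0.0.1 localhost\n")  # new file
        return compare_manifests(control, create_manifest(tmp))
```

Running `demo()` flags the extra uid-0 account in `etc/passwd` as a size and digest change, the loosened permissions on `etc/hosts` as a mode change, and `etc/hosts.bak` as an addition.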


Go to Muffett’s list
