<Insert Picture Here> Oracle Solaris 11 Security

Transcription

1

2 <Insert Picture Here> Oracle Solaris 11 Security Glenn Faden Solaris Security Oracle Corporation

3 Security in Oracle Solaris 11 Built-in, flexible, transparent, hardware assisted Authentication SSH X.509 Certificate support, Kerberos PKINIT (X.509). Kerberos data in LDAP. Root login disabled by default. Role auth via user password, Authentication caching. Audit Auditing on by default, audit policy in SMF, Secure remote audit trail. Delegation Fine-grained user/password/rbac management CLI with LDAP support. Sudo with auditing. Data Security ZFS filesystem, swap, dump and zvol encryption, NFSv4/NT style ACLs, Multilevel security with file labeling. IPsec/IKE policy per zone. Per Zone NFS server and Kerberos Realm. Cryptography Transparent Hardware Encryption for Solaris, Java. OpenSSL 4x faster. Trusted Platform Module (TPM) keystore, file integrity scanner. Signed binaries & packages, Oracle Key Manager appliance integration

4 Advanced Protection Oracle Solaris Security Integrated with all the other Solaris features Zones, ZFS, SMF, Networking, Automated Install, IPS, many others Install and boot secure by default The layered defense in depth give the highest levels of containment Protect protect data and the access to it Prevent contain user and application actions Manage manage and log security settings Assure providing an enterprise platform to deploy application securely with confidence

5 Tailored Security for Applications Defense in Depth Audited and delegated administration Restricted zone access Service management Immutable Zones: read-only file systems Data link and IP-layer protection Hardware accelerated crypto operations OpenSSL 5x faster than IBM Encrypted ZFS for data protection Remote key management ZFS encryption on T4 is 3x faster than Intel

6 Security in Oracle Solaris 11 Authentication SSH X.509 Certificate support, Kerberos PKINIT (X.509). Kerberos data in LDAP. Root login disabled by default. Role auth via user password, Authentication caching. Audit Auditing on by default, audit policy in SMF, Secure remote audit trail. Delegation Fine-grained user/password/rbac management CLI with LDAP support. Sudo with auditing. Data Security ZFS filesystem, swap, dump and zvol encryption, NFSv4/NT style ACLs, Multilevel security with file labeling. IPsec/IKE policy per zone. Per Zone NFS server and Kerberos Realm. Cryptography Transparent Hardware Encryption for Solaris, Java. OpenSSL 4x faster. Trusted Platform Module (TPM) keystore, file integrity scanner. Signed binaries & packages, Oracle Key Manager appliance integration

7 Authentication Kerberos Server/Client Kerberized applications Hardware cryptographic acceleration LDAP Server/Client Active Directory client PAM Local authentication SSH PKI Support

8 Role Assumption Root is a role by default: LiveCD and Text Installer Choice with AI install Initial root password matches that of initial user but is expired and needs to be changed on first su(1m) Role authentication policy is configurable to require either user's or role's password usermod -K roleauth=user root /bin/login no longer setuid Started with privilege from console-login, in.telnetd, in.rlogind, etc. when needed.

9 Configuring pam_tty_tickets The following /etc/pam.conf changes the defaults so that tickets are valid for 10 minutes and from any tty on the system. su auth required pam_unix_cred.so.1 su auth sufficient pam_tty_tickets.so.1 anytty timeout=10 su auth requisite pam_authtok_get_so.1 su auth required pam_dhkeys.so.1 su auth required pam_unix_auth.so.1

10 Security in Oracle Solaris 11 Authentication SSH X.509 Certificate support, Kerberos PKINIT (X.509). Kerberos data in LDAP. Root login disabled by default. Role auth via user password, Authentication caching. Audit Auditing on by default, audit policy in SMF, Secure remote audit trail. Delegation Fine-grained user/password/rbac management CLI with LDAP support. Sudo with auditing. Data Security ZFS filesystem, swap, dump and zvol encryption, NFSv4/NT style ACLs, Multilevel security with file labeling. IPsec/IKE policy per zone. Per Zone NFS server and Kerberos Realm. Cryptography Transparent Hardware Encryption for Solaris, Java. OpenSSL 4x faster. Trusted Platform Module (TPM) keystore, file integrity scanner. Signed binaries & packages, Oracle Key Manager appliance integration

11 Auditing and Logging Logging Application defined Syslog format Troubleshoot user/application problems Log policies Auditing Kernel Controlled Low impact Audit by default Secure transmission Evidence quality

12 Auditing No reboot audit Auditing by default without performance penalty No reboot required to enable auditing Audit policy configuration now in SMF More system configuration in SMF means more auditing of system configuration change. e.g.: /etc/default/nfs is now in SMF services Secure Remote Audit trail GSS/Kerberos secured transport Audit Trail Noise reduction Less noise in the audit trail for public files

13 Security in Oracle Solaris 11 Authentication SSH X.509 Certificate support, Kerberos PKINIT (X.509). Kerberos data in LDAP. Root login disabled by default. Role auth via user password, Authentication caching. Audit Auditing on by default, audit policy in SMF, Secure remote audit trail. Delegation Fine-grained user/password/rbac management CLI with LDAP support. Sudo with auditing. Data Security ZFS filesystem, swap, dump and zvol encryption, NFSv4/NT style ACLs, Multilevel security with file labeling. IPsec/IKE policy per zone. Per Zone NFS server and Kerberos Realm. Cryptography Transparent Hardware Encryption for Solaris, Java. OpenSSL 4x faster. Trusted Platform Module (TPM) keystore, file integrity scanner. Signed binaries & packages, Oracle Key Manager appliance integration

14 Rights Management DTrace Debugging

15 Delegation and Qualification Authorized users and roles may delegate their rights to others Authorizations of the form solaris.foo.delegate convey the right to delegate objects in the foo class Can't delegate what you don't have Authorizations of the form solaris.foo.assign convey the right to assign any object in the foo class Authorizations appended with / apply to specific instances of elements in an object class solaris.zone.manage/foobar solaris.group.manage/staff

16 RBAC and Group Management Solaris Management Console is gone New and updated CLIs userattr, profiles, user{add,mod,del}, role{add,mod,del}, group{add,mod,del} User Management profile can be granted to normal users and/or roles Sufficient for creating accounts with default attributes Sufficient for creating groups and managing them Requisite for delegation of user's RBAC attributes Fine-grained delegation is implemented for authorizations, groups, labels, profiles, privileges, projects, and roles

17 Managing Profiles The profiles(1) CLI has been reimplemented with using zonecfg(1m) as a model Both local and LDAP repositories Interactive and command line modes Interactive Auto-completion of all entries Context-sensitive help Bash-like editing Command line mode Accepts multiple subcommands, separated by semicolon Can fully enumerate any or all profiles and their contents

18 Upgrading and Customizing Databases RBAC entries delivered via pkg(1m) are read-only Maintained in subdirectories as separate files Replaced when packages are updated Name Service caches entries for efficient enumeration Legacy files contain only user customizations profiles(1) CLI supports cloning and appending to facilitate customization

19 Modifying customized assignments Editing by hand is not supported Use CLIs to assign, prepend, and remove values to/from lists For user and role commands -K key[+ -]=value[,value...] -K auths+=solaris.zones.login/myzone -P [+ -]profile[,profile...] For group commands -U [+ -]user[,user...] For profiles Use set, add, and remove subcommands

20 LDAP support Scope option added to RBAC and TX CLIs -S ldap files Default for modifications is files Default for lookups is follow name switch Default LDAP attributes are used Client machine must be initialized with admin credential # useradd jdoe -S ldap

21 sudo Integration sudo generates Solaris audit events sudo uses Solaris basic privilege, proc_exec, to implement NOEXEC restriction Initial Solaris users is automatically added to /etc/sudoers file sudo-like features added to su(1m) New PAM module, pam_tty_tickets, implements timerestricted authentication caching New role authentication option to authenticate via user's password instead of role's password

22 RBAC in the kernel pfexec(1) is now In-kernel No longer a setuid program All standard shells (including bash, tcsh, zsh) now available as profile shells A new process flag specifies that all execs are subject to RBAC policy ppriv shows: flags = PRIV_PFEXEC Inherited by all child processes unless the real uid changes exec(2) retrieves the process attributes via door call to a daemon process Transparent to programs, scripts, etc.

23 Solaris 11 RBAC Execution Flow exec pfbash bash Kernel fork/exec symlink pfexec Exec fails Set RBAC flag door call pfexecd Query RBAC attributes door return No door call Yes Is RBAC allowed? pfexecd Return RBAC attributes Exec fails Userland Yes Is RBAC flag set? door return nscd Lookup via name service Is DAC allowed? Execution starts No Yes Apply attributes No

24 Security in Oracle Solaris 11 Authentication SSH X.509 Certificate support, Kerberos PKINIT (X.509). Kerberos data in LDAP. Root login disabled by default. Role auth via user password, Authentication caching. Audit Auditing on by default, audit policy in SMF, Secure remote audit trail. Delegation Fine-grained user/password/rbac management CLI with LDAP support. Sudo with auditing. Data Security ZFS filesystem, swap, dump and zvol encryption, NFSv4/NT style ACLs, Multilevel security with file labeling. IPsec/IKE policy per zone. Per Zone NFS server and Kerberos Realm. Cryptography Transparent Hardware Encryption for Solaris, Java. OpenSSL 4x faster. Trusted Platform Module (TPM) keystore, file integrity scanner. Signed binaries & packages, Oracle Key Manager appliance integration

25 Application Sandboxing Restricting access to files, networks, and applications Stop profile facilitates specification of limited sets of commands and authorizations New basic privileges for locking down processes file_read Read objects in the file system file_write Write objects in the file system net_access Open TCP/UDP/SDP/SCTP network endpoint Privileges for setuid-to-root executables are specified in new Forced Privilege profile

26 Data in Motion Protection Solaris defaults to ONLY SSH remotely accessible SSH & Kerberos easier to manage centrally using X.509 certificate based authentication YOUR Certificate Authorities as Trust Anchors Kerberos protection for NFSv3 & NFSv4 traffic Active Directory/Kerberos authentication for CIFS/SMB network shares Zero-configuration of Kerberos client via DNS New kdcmgr (1) for Key Distribution Center

27 Data in Motion Protection Zone file system security boundary now applies to NFS server as well. Each zone can serve a separate NFSv4 domain Each zone can be in a separate Kerberos Realm Per Zone IPsec policy Kernel SSL/TLS proxy Allows keeping private keys outside of the zone Hardware crypto acceleration on SPARC and Intel CPUs reduces overhead of encrypting network traffic SSH, IPsec/IKE, Kerberos, OpenSSL, KSSL

28 Immutable Zones Read only Zone Root Filesystem Flexible Strict Fixed None Oracle Solaris 11 Per zone configuration option Prevention against malicious and accidental change of the bootenvironment Extensible to other zone file systems Provides varying levels of strictness So that some things can be written # zonecfg -z ozone set file-mac-policy=fixed-configuration

29 Labeled Security Only enterprise OS that Need-toknow Internal Use Public Multilevel Desktop Services (Global Zone) Solaris Kernel net net net includes multilevel functionality as a bundled feature net Full support of Trusted Extensions included in standard Solaris license Zones architecture makes labeling completely transparent to applications

30 Security in Oracle Solaris 11 Built-in, flexible, transparent, hardware assisted Authentication SSH X.509 Certificate support, Kerberos PKINIT (X.509). Kerberos data in LDAP. Root login disabled by default. Role auth via user password, Authentication caching. Audit Auditing on by default, audit policy in SMF, Secure remote audit trail. Delegation Fine-grained user/password/rbac management CLI with LDAP support. Sudo with auditing. Data Security ZFS filesystem, swap, dump and zvol encryption, NFSv4/NT style ACLs, Multilevel security with file labeling. IPsec/IKE policy per zone. Per Zone NFS server and Kerberos Realm. Cryptography Transparent Hardware Encryption for Solaris, Java. OpenSSL 4x faster. Trusted Platform Module (TPM) keystore, file integrity scanner. Signed binaries & packages, Oracle Key Manager appliance integration

31 Cryptographic Security The framework for cryptography is standardized and extensible. Your current cryptographic choices and any future technology can easily plug in and just work. Standards-based framework Same API, software or hardware NSA Suite B algorithms Extensible for future technologies

32 System Integrity Protection Network package installation over HTTPS Protect sensitive package content in transit Solaris 11 packages are cryptographically signed You can add additional signatures System policy to require and verify signatures YOU choose who you trust per system image ELF binaries are still cryptographically signed Know they came from Oracle RE process For non packaged files bart(1m) provides a passive manifest comparison system using cryptographic hashes

33 Support for Cryptographic Hardware Performance Improvements for SPARC and Intel Many of these have been backported to S10 Updates. T1-T3 systems access hardware crypto via ncp/n2cp/n2rng modules T4 systems implement unprivileged instruction access, so no special hardware drivers are required (that is, no n2cp) Intel Westmere systems (AES-NI) also have unprivileged instruction access. Also, successors: Sandybridge, Ivybridge, etc.

34 Data at Rest Protection Encryption for UFS & other legacy filesystems via lofi driver. ZFS data set encryption (file system & ZVOL) Comprehensive wrapping key management Delegation: key use vs key change vs key location/type Local or Centralised Integrated with Oracle Key Manager via pkcs11_kms 3rd Party key management integration zfs(1m) key subcommand is scriptable Keys from any location policy on server side Data encryption key change at clone or on demand Oracle DB Transparent Data Encryption hardware acceleration on SPARC T3,T4 and Intel AES-NI

35 lofi encryption Encryption of lofi block devices Use Cryptographic Framework to automatically benefit from hardware acceleration. Can be used for encrypted swap lofiadm(1m) can use PKCS#11 for key storage: Softtoken, TPM, and Oracle Key Management System lofi devices can't be compressed & encrypted Example: # pktool genkey keytype=aes keylen=128 token=kms label=mykey Enter PIN for KMS: # lofiadm -c aes-128-cbc -T :::mykey -a /tmp/lofi Enter PIN KMS: /dev/lofi/1

36 ZFS Encryption Example: Using an external memory stick as the key source for an encrypted dataset # pktool genkey keystore=file outkey=/media/rmdisk0/mykey \ keytype=aes keylen=256 # zfs create encryption=aes-256-ccm \ -o keysource=raw,file:///media/rmdisk0/mykey tank/home/bob

37 Encrypted Home Directories User home directories are created as ZFS datasets Conditionally based on filesystem type of parent directory Initial encryption key inherited from parent dataset New PAM module, pam_zfs_key, supports mounting encrypted home directories with user's password User is granted ZFS permission to create home directory snapshots

38 For More Information / Try Out Today Product overview and download oracle.com/solaris Oracle Technology Network oracle.com/technetwork/server-storage/solaris11 System administrators community facebook.com/oraclesolaris Oracle Solaris Insider 38

39