 |
 |
|
| Home > |
| | | | | ||||||||||||||||||||||||||||
|
|
|
Fast Track to the Solaris 10 OS Adoption: SecurityFunctionality & Usability IssuesPlease click on a question below or download a pdf version.
A: We have extended the auditing system to convert the raw audit trail into an XML-based (more readily parsable) version, or you can send it via syslog in a syslog-like textual format. It's expected that customers can use their existing audit log processing tools to handle the BSM audit trail, or new tools can be written parsing the XML output. At this point there isn't a simple tool, as most customers have very specific information outputs that they desire, so we're trying to simplify creating the scripts. Q: With ZFS/DFS on the Solaris 10 OS, does one still need to use SVNM or VxVM? A: No, with ZFS you do not need VxVM or SVM. Most file systems today require a volume manager because they only know how to deal with a single disk or volume. The interface between the file system and the volume manager makes it difficult to grow and shrink file systems, share space, and migrate live data. With ZFS, a separate volume manager is not needed. Instead many disks can be put into a single storage pool, which is shared by multiple file systems. This allows efficient use of the storage pool. For example, space is shared dynamically between the file systems in the pool without the need to grow or shrink them, and all file systems can utilize the maximum throughput of the pool. A: It is our intent to fully support as many x86 mobos as possible, and we have a very close working relationship with NVIDIA - stay tuned. A: It sounds like you want to either turn off SMC or harden it. If you're not interested in using it, you can use the service manager (latest Solaris Express program) to turn it off. On the protocol side, SMC uses CIM/WBEM protocol below it so you could run it over SSL to protect the session. You might look at the Solaris Security Toolkit for other hardening techniques for SST (AKA JASS). A: Minor correction in terms: Solaris OS Management Console is designed to provide both GUI and command-line methods of administrating many of the security aspects of versions 8, 9, 10. It does not currently control aspects such as IP Filter, IPsec/IKE rules and the like. The Sun Management Center is designed to provide overall Sun hardware management. Q: Assuming that Apache will be bundled with the Solaris 10 OS, will it have mod_ssl enabled? A: Apache will be bundled with the Solaris 10 OS, as it is for the Solaris 9 OS today. Our plans are to provide mod_ssl for both versions of Apache that are included in the Solaris 10 OS. This may or may not be available in the Solaris 10 OS GA release. I don't have a current status on this. Note that when it is included, the mod_ssl will work seamlessly with the Solaris OS Cryptographic Framework in the Solaris 10 OS. A: The problem you're seeing is the lack of a standard for doing administration of Kerberos information (passwd change is a subset of administration). There is a relatively new set/change password protocol, which we now support in the Solaris 9 OS. This allows for password changes to MIT KDCs (of course our utilities work with our KDC, too). This is available via our PAM module and kpasswd commands. A: Auditing of all file events has been provided since the early Solaris 2.x OS days. All events that occur to a file are audited if you enable the "Basic Security Module." In the Solaris 10 OS, we have an additional capability known as "Basic Audit Reporting Tool" (BART) that allows you to run a check periodically against a known good list of file attributes (file size, permissions, checksum) that you can use to check your own files or system files for changes over time. This is similar to Tripwire or AIDE in functionality. A: There are many ways you can take advantage of the Solaris 10 OS; one is using a Solaris Container for each of your applications, giving them the "feeling" that each is running on an isolated environment and the highest degree of security, please take a look at http://docs.sun.com/ and search for Solaris Containers. A: If you want an integrated SSO using a secure networking protocol, I'd suggest using Kerberos; its Active Directories preferred approach works well with the Solaris OS. Solaris OS offers a full Kerberos client, server, and infrastructure implementation. Oracle also offers a kit that enables it to use Kerberos for authentication. I don't have experience with Oracle's offering. Our Directory Server 5.2 also supports Kerberos authentication for protecting LDAP access. A: The security features in the Solaris 10 OS are truly breakthrough. We provide excellent privilege management capabilities for system administrators and developers to use, while providing backwards compatibility for the administrator who wants to just have "root." Solaris Containers also provides a new method of isolating processes and containing security breaches, but appears to users within that container as a full Solaris OS instance. Q: Are rights and permissions inheritable with Solaris Containers or must they be defined? A: A container is an isolated entity from the rest of your system and will behave as another system in your network; hence, you'll need to define rights and permissions as a "network" environment rather than as a local system. Q: Does the Solaris 10 OS provide any firewall functionalities? A: It includes a firewall based on IP Filter, which provides stateful packet filtering capability. It can also be used to deliver NAT (Network Address Translation) capabilities. IP Filter provides protection to a single server or a network of servers and clients. The IP Filter product included in the Solaris 10 OS is based on the next generation (version 4.x) of IP Filter. Enhancements made during the Solaris development process have been placed back into the open source version of IP Filter. A: We have made a number of changes to auditd to allow remote logging over syslog (to better integrate within an IDS) or producing the records in a more parsable format where you could have a post-processing script filter out the information you're looking for (this format is XML-based.) We've also made some improvements to our filters to allow for less information to be audited. For example, you can turn off audit of reads to world readable files (which normally isn't interesting). A: The Solaris OS Management Console in versions 8, 9, and 10 offers a centralized mechanism for controlling Role Based Access Control, profiles, etc. LDAP offers a centralized user ID repository and naming service on all of these systems as well. We also recommend our Identity Management product portfolio as a means of administering the full life cycle of user accounts and Web access. A: No, it's not part of the standard, and right now we're focusing on standards compliance. A: Sure, it's known as Process Rights Management, and information is available in technical form in the Solaris 10 OS documents on http://docs.sun.com/ as well as on the Solaris 10 OS white paper and datasheet at www.sun.com/solaris/ A: The way to migrate to a unified authentication scheme would be to use Kerberos. We've bundled Kerberos in the Solaris 9 OS and made some MS Interop improvements to Kerberos in the Solaris 10 OS. You should consider migrating from NIS+ to Kerberos protected LDAP, using Solaris's KDC and Sun's Directory Server (version 5.2 or later). We've improved the Directory Server to support Kerberos protected LDAP (using SASL and GSS-API) so you can secure your LDAP lookups and use Kerberos for your authentication authority. A: IP Filter is very common in the *BSD and UNIX world. It offers comparable features to Linux iptables. However, it's both stateful and non-stateful firewall, with quick loading and unloading and a text-based rules file. Yes, it is included and fully supported in the Solaris 10 OS. You may use it for both internal firewall (on a single server or workgroup) or for external Internet facing firewall.
| |
