Oracle® Solaris 11.3 Security and Hardening Guidelines

Securing System Access and Use

You can configure Oracle Solaris security features to protect your system use, including applications and services on the system and on the network.

Table 6  Securing System Access and Use Task Map

Task Description For Instructions Prevent programs from heap or executable stack corruption. Verifies that security extensions that protect the stack and heap from compromise are enabled. Protecting the Process Heap and Executable Stacks From Compromise in Securing Systems and Attached Devices in Oracle Solaris 11.3 Configure auditing. Customizes audit configuration for coverage and file integrity. Using the Audit Service Protect core files that might contain sensitive information. Creates a directory with limited access that is dedicated to core files. Enabling File Paths in Troubleshooting System Administration Issues in Oracle Solaris 11.3 Administering Your Core File Specifications in Troubleshooting System Administration Issues in Oracle Solaris 11.3 Protect a web server with SSL Kernel Proxy. The Secure Sockets Layer (SSL) protocol can be used to encrypt and accelerate web server communications. Chapter 3, Web Servers and the Secure Sockets Layer Protocol in Securing the Network in Oracle Solaris 11.3 Protect legacy services with privileges and authorizations. Runs applications with least privilege by assigning limited rights to the application. Protecting a Legacy Service With SMF Create zones to contain applications. Zones are containers that isolate processes. They can isolate applications and parts of applications. For example, zones can be used to separate a web site's database from the site's web server. Introduction to Oracle Solaris Zones Create and administer immutable zones. You can administer an immutable zone, but you must take specific steps to enable administration. Administering Immutable Non-Global Zones in Creating and Using Oracle Solaris Zones Manage resources in zones. Zones provide a number of tools to manage zone resources. Administering Resource Management in Oracle Solaris 11.3

Protecting a Legacy Service With SMF

You can limit application configuration to trusted users or roles by adding the application to the Service Management Facility (SMF) feature of Oracle Solaris, then requiring rights to start, refresh, and stop the service.

For services that are run by inetd, you should control the number of concurrent processes to prevent a security breach. For more information, see Recommendations for Configuring Systems That Run inetd Based Services in Administering TCP/IP Networks, IPMP, and IP Tunnels in Oracle Solaris 11.3.

For information and procedures see the following:

• Locking Down Resources by Using Extended Privileges in Securing Users and Processes in Oracle Solaris 11.3

• Selected man pages include smf(5), smf_security(5), svcadm(1M), svcbundle(1M), and svccfg(1M).

Configuring a Kerberos Network

You can protect your network with the Kerberos service. This client-server architecture provides secure transactions over networks. The service offers strong user authentication, as well as integrity and privacy. Using the Kerberos service, you can log in to other systems, execute commands, exchange data, and transfer files securely. Additionally, the service enables administrators to restrict access to services and systems. As a Kerberos user, you can regulate other people's access to your account.

For information and procedures that are specific to MIT Kerberos on an Oracle Solaris system, see the following:

• Chapter 3, Planning for the Kerberos Service in Managing Kerberos and Other Authentication Services in Oracle Solaris 11.3.

• Chapter 4, Configuring the Kerberos Service in Managing Kerberos and Other Authentication Services in Oracle Solaris 11.3.

• Selected man pages include kadmin (1M) , pam_krb5 (5) , and kclient (1M) .

  ---

  Tip  -  Type man man-page at the command line for the Oracle Solaris versions of MIT Kerberos man pages.

  ---