This table is a frequently tweaked, homebrew, opinionated, ad-hoc checklist of interesting, useful, nifty or neat security functionality that is in the Solaris Operating Environment, including some historical details. The reason for this table's existence is to highlight and communicate the existence of a great deal of security-related Solaris functionality that has previously failed to be brought to the attention of the general public. There is a vast quantity of security functionality in Solaris 10, and not all of it is obvious, or sexy enough to be a featured marketing bullet-point.
Questions, error-fixes, additions and amendments to:
Alec Muffett,
Principal Engineer,
Financial Services/Advanced Technology Projects,
alec DOT muffett AT sun DOT com
| Keyword | Meaning |
|---|---|
| - | empty field |
| ? | document author needs to check this |
| bund | bundled with, or fundamental to, the OE (operating environment) |
| repl | functionality replaced in recent versions of the OE |
| cmpn | available; shipped on the Solaris "Companion" CD |
| e/v | available; shipped on the Solaris OE "Extra Value" CD |
| www | available; web download required for part/all of the functionality |
| n/a | not applicable; not available |
| 1.0 (etc.) | Solaris versions 1.0, 1.1, 2.0, 2.1, 2.2, 2.3, 2.4, 2.5, 2.5.1, 2.6, 7, 8, 9, 10 |
| Feature, Tool, or Protocol | Functionality | Available In S10? | Available In T/Sol8? | First Appeared (Solaris Revision) | Release Notes |
|---|---|---|---|---|---|
| System Auditing Features and Function | | | | | |
| Basic Security Module (BSM auditing stuff) | C2-compliant auditing trail | bund | bund | 1.1 | 9: performance enhancements; 10: performance optimization, syslog integration, XML records |
| Basic Security Module (BSM non-auditing stuff) | modifies config, installs tools, enables auditing, etc, so Solaris meets C2 requirements | bund | bund | 1.1 | since 2.6 recommended to dump in favour of Solaris Security Toolkit (JASS) |
| Basic Audit Reporting Tool (BART) | "snapshots" filesystem content fingerprints and metadata so that changes can be detected/reported upon | bund | n/a | 10 | link with SSH for distributed checks |
| BSM Records into Syslog, and XML | BSM audit trail now transferable/scrapeable via syslog (import into mgt software?); also XML data formats available | bund | n/a | 10 | layer with IPsec to provide transport security |
| Solaris Knobs, Buttons, Bells and Whistles | | | | | |
| Fine-Grained Packaging Mechanism | puts separate network services in separate packages, so you only install what you need | bund | bund | 9 | - |
| Reduced Network Software Group Package SUNWCrnet | extremely small, supported, core Solaris footprint; use as basis for building minimized systems | bund | n/a | 10 | caveat: no inbound networking is supported under SUNWCrnet; probably too minimal for unaugmented use, add packages as necessary |
| Pluggable Authentication Modules (PAM) | dynamically loadable modules to abstract the method of authentication | bund | bund | 2.6 | - |
| Fine-Grained Pluggable Authentication Modules (PAM) | as pluggable authentication modules, but improved for more flexibility: significantly modularized to improve customer stackability | bund | n/a | 9 | - |
| Three-Strikes (N-strikes) PAM Module | PAM module implementing account-locking on the N'th failed authentication attempt for selected users | bund | n/a | 10 | for use with local password files; not used for "root" due to risk of denial of service |
| Password Dictionary & Complexity Checks | PAM module implementing dictionary checks to reduce risks of using a trivially guessable password | bund | n/a | 10 | previous Solaris versions had hardwired complexity requirements: 2 alpha, 1 nonalpha, 3 diffs, definable minimum length, not username based |
| Password Aging | expiry/locking of passwords after given period of time, with warning notices, etc | bund | n/a | since well-before 2.0 | - |
| Password-History PAM Module | PAM module implementing password-reuse-prevention via "history" mechanism, for use with local password files | bund | n/a | 10 | for use with local password files |
| Pluggable Crypt() Framework, and Long Passwords | runtime-loadable password-hashing routines implementing long passwords, custom algorithms, etc | bund | n/a | 9 | provides compatibility with other long-password / passphrase systems, as well as a hook for custom password algorithms |
| BSD/Linux MD5 and Blowfish Long Passwords | modules for the pluggable-crypt framework, transparently implementing BSD MD5 and Blowfish password compatibility | bund | n/a | 9 | libraries providing fully-transparent interoperability with Linux and BSD password systems |
| Local-Port X-Windows Server | can disallow X-Windows server from listening to the network via "-nolisten tcp", for better security | bund | n/a | 9 | - |
| Pre-Hardened File Permissions | improvements to the default filesystem permissions to increase robustness; ongoing refinement | bund | bund | 7 | further improved in 9 and 10 |
| Role-Based Access Control (RBAC) | allows selected users to perform privileged commands via a role mechanism, constraining access to resources and execution of some commands to suitably blessed users | bund | bund | 8 | made wider use of in 10 |
| Least Privilege / Process Privilege Mechanism | fine-grained control of system privileges (privileged actions/system-calls) assignable piecemeal to specific users, processes, and system processes | bund | n/a | 10 | - |
| Daemon Privilege Overhaul / Reduction | use of the new process privilege mechanism to greatly reduce the quantity of root-privileged running daemon software | bund | n/a | 10 | - |
| TCP Wrappers | popular open-source network-service access-control tool; constrains per-host and per-network access to services | bund | n/a | 9 | libwrap also protects (eg) ssh; new in 10: TCP Wrappers integrated into SMF's inetd launcher, configurable on a per-service basis; also 10: TCP-Wrapper rpcbind and Sendmail integration |
| File Access Control Lists (ACL) | finely-grained user access-control, selective on a per-user, group, or other basis, or combination of same | bund | bund | 2.5 | available for files since 2.5, and devices since 8 |
| nosetuid and nodevices mount options | finer-grained replacement options to the "mount" command, replacing former nosuid which implied both | bund | n/a | 10 | - |
| Global Stack Execution Control | can prevent execution of code placed on the stack for all processes, improving resistance to buffer overflow | bund | bund | 2.6 | upgrades in 9+; see Per-Process Stack Execution Control |
| Per-Process Stack Execution Control | as global stack execution control, but configurable for individual programs / processes | bund | n/a | 9 | 10: feature extended to include full or near-full functionality on differingly-capable X86 platforms; SPARC continues to have full functionality |
| Robust Loopback Credentials | new getpeerucred() routine permits robust authentication for applications that are communicating over loopback (incl. between zones) | bund | n/a | 10 | - |
| Deletion ("rm") Command Mugtrap | "rm -rf /" is trapped to reduce accidental damage | bund | n/a | 10 | - |
| Solaris Containers (Zones) | "padded-cell" miniature replica Solaris instances within a system; next step beyond chroot(), with resource-control features | bund | n/a | 10 | superb piece of functionality for consolidation, too |
| SMF Minimised Network Services Config | bundled alternative config file for SMF which reduces the number of running services | bund | n/a | 10 | - |
| Signed Executables | digital signatures are attached to all executable files via the elfsign command | bund | n/a | 10 | use alongside BART to check FS veracity/integrity; future may provide optional pluggable runtime security checks of some kind |
| Solaris Security Toolkit (SST, JASS) | supported operating-system hardening suite, with minimisation and integration with Jumpstart(tm) | www | www | 7 | www.sun.com/security/jass/ |
| SunScreen | fully-featured firewall, with NAT and packetfilter and VPN software | www(8) e/v(9) repl(10) | www | 8 | use v3.1-lite on 8 and below; use 3.2 on 9; see ipfilter for 10 |
| ipfilter | popular, modular, open-source firewall with NAT and packetfilter, fully integrated into the S10 kernel and supported | bund | n/a | 10 | bundled in core operating system |
| IP Strict Destination Multihoming | helps prevent network-address-spoofing attacks on machines with multiple network interfaces | bund | bund | 2.6 | - |
| IP-Forwarding Disabled by Default | TCP/IP packet forwarding is switched off by default in S10 | bund | n/a | 10 | - |
| SYN flood protection | SYN-flooding protection in the IP stack, against denial-of-service attacks | bund | bund | 2.5 | - |
| TCP Strong Sequence Numbers | feature of the TCP stack implementation that makes spoofing connections to TCP sessions much more difficult | bund | bund | 2.6 | - |
| Hardware Devices and Raw Cryptography | | | | | |
| Kernel/User Encryption Framework | cryptographic services subsystem offering extensible open APIs and SPIs to encryption, authentication and key exchange algorithms | bund | n/a | 10 | supplies SPARC/X86/AMD-optimized software implementations of common cryptographic algorithms, plus interface to Sun/IHV hardware accelerators & key-stores; automatic load balancing between hardware providers |
| Kernel/User Encryption Framework Policy Control | ability to set system-wide policy on which algorithms are available to applications and to the kernel | bund | n/a | 10 | - |
| Random Number Generator Device | /dev/random and /dev/urandom devices for an easy source of random data | bund | bund | 9(8) | leverages crypto framework in 10 for hardware acceleration, etc; backport to 8 available via patch |
| SSL for LDAP | SSL protection for LDAP traffic; can auth/encrypt LDAP transactions at a host level; client library supports digest-MD5 auth and SSL privacy/auth | bund | n/a | 9(8) | backport to 8 available via patch |
| Bundled OpenSSL | bundled OpenSSL libs, commands, and header files | bund | n/a | 10 | - |
| Bundled Long-Key Encryption | algorithms up to 128-bit shipped with the OE | bund + www | n/a | 10 | even longer keys through web download (Blowfish 448, AES 256) |
| PKCS11 bridge for OpenSSL | new OpenSSL engine implemented using PKCS#11 as the interface to the Solaris cryptographic framework | bund | n/a | 10 | - |
| Digest, HMAC, Encrypt, and Decrypt Commands | links into the crypto framework to provide generic multi-algorithm digest, MAC, encrypt, decrypt command-line tools, transparently leveraging HW accelerators, etc | bund | n/a | 10 | - |
| Java Crypto Acceleration | Java JVM configurable to take advantage of hardware crypto acceleration via uEF/kEF | bund | n/a | 10 | - |
| Security Services and Applied Cryptography | | | | | |
| Generic Security Services API (GSS/API) | application programmer interface to system-provided security services | bund | bund | 7 (undoc in 2.6) | Sun's implementation is pluggable (dlopen()) but many of the other ones aren't |
| Kerberos (was: Sun Enterprise Authentication Manager) | Kerberos Single-Sign-On, Secrecy and Authentication System | bund(10) bund+www(9) | ? | 2.6 | 10: resynced with MIT codebase for extra crypto, and MS Active Directory interop; provides Kerberised telnet, ftp, rlogin, rsh, rcp, rdist, ssh, Mozilla and Apache |
| Secure NFS / Kerberised NFS | NFS with strong authentication and privacy by using Kerberos via GSSAPI | see Kerberos | see Kerberos | 8 | - |
| PAM Password-to-Kerberos Migration Module | pam_krb5_migrate module transparently migrates users from NIS/LDAP/files authentication to Kerberos, on next login | bund | n/a | 9 | requires Solaris 10 KDC |
| RPCSEC_GSS | RPC authentication flavor allowing use of GSS-API pluggable mechanisms (eg: Kerberos) to protect RPC traffic | bund | bund | 7 | - |
| Secure TCP/IP Protocol (IPSEC) | end-to-end TCP/IP encryption and host-authentication | bund + www | T/Sol8 04/01 | 8 | implementations of DES/3DES bundled, WWW download reqd for AES and Blowfish for keys > 128 bit; 10: works for IPv6 and across NAT |
| Internet Key Exchange (IKE) | key management protocol standard, used in conjunction with IPsec | bund | requires SunScreen 3.2 | 9 | 10: works for IPv6 and across NAT |
| Security-Related Software, Bundled and Open-Source | | | | | |
| Secure Shell (ssh) | open-source, encrypted, strongly-authenticated remote access and administration | bund | n/a | 9 | 9: BSM Audit, i18n, TCP Wrappers, SOCKS and HTTP proxy support; 10: GSS-API and Kerberos, PAM, resync with OpenSSH 3.5p1, lots more |
| Coreadm | enable system-wide policies about corefile creation | bund | bund | 7 | - |
| Snoop | TCP/IP network analyser | bund | bund | 2.1 | - |
| Dig | open-source DNS debugging / querying / analysing tool | bund | n/a | 9 | - |
| Ethereal | open-source graphical network analyser | cmpn | n/a | 8 | - |
| Nmap | open-source network mapping tool | cmpn | n/a | 8 | - |
| Snort | open-source intrusion detection tool | cmpn | n/a | 8 | - |
| Sudo | open-source role-management tool, cf: RBAC | cmpn | n/a | 8 | - |
| Tcpdump | open-source network analyser | cmpn | n/a | 8 | - |
| Security Services and Miscellany | | | | | |
| Signed Patches | software patches made available with digital signatures for proof of integrity/source | www | www | - | http://sunsolve.sun.com/ |
| Solaris Fingerprint Database (SFPDB) | web-accessible database of MD5 signatures of Sun-sourced software | www | www | early 2001, iirc | http://sunsolve.sun.com/pub-cgi/fileFingerprints.pl |
Alec Muffett, Allen Wittenauer, Andreas Sterbenz, Benjamin Brumaire, Casper Dik, Darren Moffat, Efi Batchev, Glenn Brunette, Jason Reid, Kais Belgaied, Martin Englund, Nicholas Williams, Raju Alluri, Sharon Read Veach, Will Fiveash, and the rest of Sun's Security Community.