Solaris 10 Security Essentials

Preface xv About the Authors xix Chapter 1: Solaris Security Services 1 1.1 A Solaris Security Story 1 1.2 Security Services in the Solaris OS 3 1.3 Configurable Security Services in the Solaris OS 5 Chapter 2: Hardening Solaris Systems 9 2.1 Securing Network Services 9 2.2 Configuration Hardening 16 2.3 Basic Audit and Reporting Tool 20 2.4 Signed ELF Filesystem Objects 22 2.5 Solaris Fingerprint Database (sfpDB) 23 Chapter 3: System Protection with SMF 29 3.1 Service Management Facility (SMF) 29 3.2 How SMF Configuration Works 30 3.3 Modifying Solaris Services Defaults 31 Chapter 4: File System Security 41 4.1 Traditional UNIX File System Security 41 4.2 ZFS/NFSv4 ACLs 48 4.3 Maintaining File System Integrity 52 4.4 UFS and NFSv4 Mount Options 57 4.5 ZFS Mount Options 58 4.6 ZFS Delegated Administration 59 Chapter 5: Privileges and Role-Based Access Control 63 5.1 Traditional UNIX Security Model 63 5.2 Solaris Fine-Grained Privileges 66 5.3 Solaris Role-Based Access Control 72 5.4 Privileges for System Services 90 Chapter 6: Pluggable Authentication Modules (PAM) 95 6.1 The PAM Framework 96 6.2 The PAM Modules 96 6.3 The PAM Configuration File 101 6.4 PAM Consumers 106 6.5 The PAM Library 109 6.6 PAM Tasks 110 Chapter 7: Solaris Cryptographic Framework 113 7.1 PKCS #11 Standard and Library 114 7.2 User-Level Commands 119 7.3 Administration of the Solaris Cryptographic Framework 122 7.4 Hardware Acceleration 125 7.5 Examples of Using the Cryptographic Framework 127 Chapter 8: Key Management Framework (KMF) 133 8.1 Key Management Administrative Utility 134 8.2 KMF Policy-Enforcement Mechanism 139 8.3 Key Management Policy Configuration Utility 140 8.4 KMF Programming Interfaces 142 Chapter 9: Auditing 145 9.1 Introduction and Background 145 9.2 Definitions and Concepts 147 9.3 Configuring Auditing 148 9.4 Analyzing the Audit Trail 157 9.5 Managing the Audit Trail 163 9.6 Common Auditing Customizations 165 Chapter 10: Solaris Network Security 169 10.1 IP Filter 169

This book is the work of the engineers, architects, and writers at Sun Microsystems who conceptualized the services, wrote the procedures, and coded the Solaris OS's security features. These authors bring a vast range of industry and academic experience to the business of creating and deploying secure operating systems. Authors include Glenn Brunette, Hai-May Chao, Martin Englund, Glenn Faden, Mark Fenwick, Valerie Anne Fenwick, Wyllys Ingersoll, Wolfgang Ley, Darren Moffat, Pravas Kumar Panda, Jan Pechanec, Mark Phalan, Darren Reed, Scott Rotondo, Christoph Schuba, Sharon Read Veach, Joep Vesseur, and Paul Wernau.