Solaris 10 Security Essentials
Author: Sun Microsystems Press
- Publisher: Prentice Hall PTR
- Year: 2009
- Language: English
- Pages: 300
- Category: Library
Synopsis
Solaris 10 Security Essentials describes the various security technologies contained in the Solaris operating system. The book describes how to make installations secure and how to configure the OS to the particular needs of your environment, whether your systems are on the edge of the Internet or running a data center. The authors present the material in a straightforward way that makes a seemingly arcane subject accessible to system administrators at all levels. The strengths of the Solaris operating system's security model are its scalability and its adaptability. It can protect a single user with login authentication or multiple users with Internet and intranet configurations requiring user-rights management, authentication, encryption, IP security, key management, and more. This book is written for users who need to secure their laptops, network administrators who must secure an entire company, and everyone in between. The book's topics include:
- Zones virtualization security
- System hardening
- Trusted Extensions (multi-layered security)
- Privileges and role-based access control (RBAC)
- Cryptographic services and key management
- Auditing
- Network security
- Pluggable Authentication Modules (PAM)
Solaris 10 Security Essentials is the first in a new series on Solaris system administration. It is a superb guide to deploying and managing secure computer environments.
Table of Contents
Cover......Page 1
Contents......Page 6
Preface......Page 16
About the Authors......Page 20
1.1 A Solaris Security Story......Page 24
1.2 Security Services in the Solaris OS......Page 26
1.3 Configurable Security Services in the Solaris OS......Page 28
2.1 Securing Network Services......Page 32
2.1.1 Minimizing Installed Software......Page 33
2.1.2 Using SMF to Control Network Services......Page 34
2.1.4 Results of Applying Network Profiles......Page 37
2.2 Configuration Hardening......Page 39
2.2.1 Protect the OpenBoot PROM......Page 40
2.2.3 Log Core Dumps......Page 41
2.2.4 Lock Out Accounts......Page 42
2.3.1 Collecting Filesystem Object Attributes (Create Mode)......Page 43
2.3.2 Comparing Filesystem Object Attributes (Compare Mode)......Page 44
2.4 Signed ELF Filesystem Objects......Page 45
2.5.1 How the sfpDB Tool Works......Page 46
2.5.3 Testing an MD5 File Fingerprint......Page 48
3.1 Service Management Facility (SMF)......Page 52
3.2 How SMF Configuration Works......Page 53
3.3.1 Configuring the NFS Service......Page 54
3.3.2 Configuring the IP Filter Service......Page 55
3.3.3 Configuring the ftp Service......Page 57
3.3.4 Configuring the Apache2 Web Service......Page 61
4.1 Traditional UNIX File System Security......Page 64
4.1.1 setuid, setgid, and Sticky Bit......Page 65
4.1.3 Default umask......Page 68
4.1.4 setfacl/getfacl......Page 69
4.1.6 Promiscuous Execution......Page 70
4.2.1 Access Permissions......Page 71
4.2.2 Inheritance Flags......Page 73
4.2.3 ZFS per Filesystem ACL Properties......Page 74
4.3.1 Solaris Fingerprint Database (SFD)......Page 75
4.3.3 Basic Audit Reporting Tool (BART)......Page 76
4.3.5 Signed ELF Objects......Page 79
4.4 UFS and NFSv4 Mount Options......Page 80
4.5 ZFS Mount Options......Page 81
4.6 ZFS Delegated Administration......Page 82
5.1 Traditional UNIX Security Model......Page 86
5.1.1 Shortcomings of the Traditional UNIX Security Model......Page 87
5.1.2 Real and Effective IDs in the Traditional UNIX Model......Page 88
5.2 Solaris Fine-Grained Privileges......Page 89
5.2.1 Solaris Privilege Sets......Page 92
5.2.2 Privilege Bracketing......Page 93
5.2.4 Restricting Process Privileges......Page 94
5.3 Solaris Role-Based Access Control......Page 95
5.3.1 Solaris Roles......Page 96
5.3.2 Solaris Rights Profiles......Page 97
5.3.3 Managing Solaris Rights Profiles with the Solaris Management Console......Page 100
5.3.4 Solaris Predefined Rights Profiles......Page 102
5.3.5 Assigning Rights Profiles to Roles......Page 104
5.3.6 How Profiles Are Implemented......Page 109
5.3.7 Rights Profiles and Normal Users......Page 110
5.3.9 Using Solaris RBAC Locally......Page 111
5.4 Privileges for System Services......Page 113
5.4.1 Authorizations for System Services......Page 114
Chapter 6 Pluggable Authentication Modules (PAM)......Page 118
6.2.1 Introduction to PAM Modules......Page 119
6.2.2 The PAM Stacks for Solaris Login......Page 120
6.2.4 Standard Solaris PAM Modules......Page 122
6.3 The PAM Configuration File......Page 124
6.3.2 PAM Stacks and Module Flags......Page 125
6.3.3 The Module Flags for the PAM Stack for Solaris Login......Page 128
6.4 PAM Consumers......Page 129
6.4.1 PAM Configuration for the Remote Shell Daemon, in.rshd......Page 130
6.4.2 PAM Configuration for sshd......Page 131
6.5 The PAM Library......Page 132
6.6.1 Adding Additional PAM Modules......Page 133
6.6.2 Debugging PAM Stacks......Page 134
Chapter 7 Solaris Cryptographic Framework......Page 136
7.1.1 Consumers......Page 137
7.1.4 Tokens......Page 138
7.1.7 Metaslot......Page 139
7.1.10 Kernel Software Providers......Page 141
7.2.2 encrypt and decrypt Commands......Page 142
7.2.3 elfsign Command......Page 143
7.2.4 OpenSSL Libraries......Page 144
7.3.1 cryptoadm list Subcommand......Page 145
7.3.2 cryptoadm enable and disable Subcommands......Page 147
7.4 Hardware Acceleration......Page 148
7.4.2 How to Use Existing Hardware Providers in the Solaris OS......Page 149
7.5.1 Troubleshooting the Cryptographic Framework......Page 150
7.5.2 Determining What Encryption Is Being Handled in Hardware......Page 151
7.5.3 Using the Cryptographic Framework Through NSS......Page 152
7.5.4 Configuring Java to Use the Solaris Cryptographic Framework......Page 153
7.5.5 Configuring Apache Web Server to Use the Cryptographic Framework......Page 154
Chapter 8 Key Management Framework (KMF)......Page 156
8.1.1 pktool(1)......Page 157
8.2 KMF Policy-Enforcement Mechanism......Page 162
8.3.1 kmfcfg(1)......Page 163
8.4 KMF Programming Interfaces......Page 165
9.1 Introduction and Background......Page 168
9.1.2 Goals of Auditing......Page 169
9.2.4 Audit Policy......Page 170
9.3 Configuring Auditing......Page 171
9.3.2 audit_event File......Page 172
9.3.3 audit_control File......Page 173
9.3.5 Audit Policy......Page 175
9.3.6 Enabling Auditing......Page 178
9.3.8 audit_warn Script......Page 179
9.4.1 Details of an Audit Record......Page 180
9.4.2 Examining Parts of the Audit Trail......Page 183
9.5 Managing the Audit Trail......Page 186
9.5.2 Remote Storage......Page 187
9.6.1 Configuring an Audit Review Role That Is Not Audited......Page 188
9.6.2 Using the audit_syslog Plug-in......Page 189
9.6.3 Creating Your Own Audit Class......Page 190
10.1 IP Filter......Page 192
10.1.1 IP Filter Configuration......Page 193
10.1.3 Stateful Versus Stateless Filtering......Page 194
10.1.4 Troubleshooting IP Filter......Page 196
10.1.6 Filtering Inter-Zone Packets: Loopback Packet Filtering......Page 197
10.1.8 Using NAT with IP Filter......Page 199
10.1.9 Logging with IP Filter......Page 201
10.2 What Is IPsec?......Page 202
10.2.1 What Do IPsec Packets Look Like?......Page 203
10.2.2 How Is IPsec Configured?......Page 204
10.3 Solaris Secure Shell (SunSSH)......Page 215
10.3.2 Notable SunSSH Differences from OpenSSH......Page 216
10.4 Configuring SunSSH......Page 217
10.4.2 Authentication Methods......Page 218
10.4.3 SunSSH Commands......Page 219
10.5 OpenSSL......Page 222
10.5.1 PKCS #11 Engine......Page 223
10.6 Kerberos......Page 224
10.6.2 Introduction to Kerberos......Page 225
10.7 Kerberos in the Solaris OS......Page 227
10.7.1 Configuring a KDC......Page 228
10.7.3 Kerberos and LDAP......Page 229
10.8.1 Configure the kadmind Daemon......Page 230
10.8.2 Keytabs and Passwords......Page 231
10.8.3 Slave KDCs......Page 232
10.8.4 Configuring Kerberos Clients......Page 234
10.9.1 Example 1: SunSSH......Page 238
10.9.2 Kerberos Authorization......Page 239
10.10 Interoperability with Microsoft Active Directory......Page 240
10.10.1 Example: Generate a Keytab That Contains a Host Principal's Key on a Windows 2003 Server......Page 241
11.1 The Concept of OS Virtualization: Introduction and Motivation......Page 244
11.2 The Architecture of Solaris Zones......Page 245
11.2.1 Branded Zones (BrandZ)......Page 246
11.2.3 Zones and Networking......Page 247
11.2.5 Zones and Devices......Page 248
11.3.1 Zone Administration......Page 249
11.3.2 Creating, Installing, and Booting a Zone for an Apache Web Server......Page 250
11.4.1 Isolation and Encapsulation......Page 252
11.4.2 Offering Replicated or Redundant Services Using Zones......Page 253
11.4.4 A Reduced Set of Privileges for Non-Global Zones......Page 255
11.4.5 Benefits of Exclusive IP Stack Instances......Page 258
11.5.1 Auditing Events in Non-Global Zones......Page 259
12.1 Why Use Trusted Extensions?......Page 262
12.2 Enabling Trusted Extensions......Page 263
12.3 Getting Started......Page 264
12.3.1 How Labels Are Used......Page 265
12.4 Configuring Your Trusted Network......Page 266
12.4.2 Construct Remote Host Templates......Page 267
12.4.4 Assigning a Security Template to a Host or a Group of Hosts......Page 269
12.4.5 Limiting the Hosts That Can Be Contacted on the Trusted Network......Page 270
12.5.1 Creating a Role......Page 271
12.5.2 Creating a User......Page 273
12.6.2 Creating Your First Zone......Page 274
12.7 Using the Multilevel Desktop......Page 277
12.7.1 Changing Your Workspace Label......Page 278
12.7.2 Moving Windows into Other Workspaces......Page 279
12.7.4 File System Protection......Page 280
12.7.7 Accessing Devices......Page 281
12.7.8 Accessing Your Network......Page 282
A......Page 284
C......Page 285
E......Page 286
H......Page 287
K......Page 288
M......Page 289
P......Page 290
S......Page 292
T......Page 293
W......Page 294
Z......Page 295
Similar Volumes
The ZFS file system offers a dramatic advance in data management with an innovative approach to data integrity, tremendous performance improvements, and a welcome integration of file system and volume management capabilities. The centerpiece of this new architecture is the concept of a virtual stora
I was hoping this would be a new era of literature published by or in cooperation with Sun, a rebirth if you will. My expectations had been a little high as I anxiously awaited this book. Upon reading it I was greatly disappointed by the shallow level of the content. In all fairness I could ima
Solaris™ 10 System Administration Essentials is the first book to concisely yet comprehensively cover all of the breakthrough features of the Solaris 10 operating system. The Solaris OS has a long history of innovation, and the Solaris 10 OS is a watershed release that includes features such as