16 November 2004 - Solaris 10 Security - Peter Baer-Galvin
Solaris is evolving, but security is somewhat stable. Tutorial notes were based on build 63 (10 wasn't released yet).
New Stuff:
- stateful packet filter (Darren Reed's ipfilter!)
- user rights management
- process rights
- data integrity
- process containment
Stuff from Sun's website: Solaris 10 Sun Net Talk re: Solaris 10 Security - roadmap
RBAC - tied in to all the new Solaris stuff.
Will all the rols stuff require rewriting xhier tools? Or will we have to work around it somehow? (Or will we just ignore it?)
Roles are not (yet?) enforced in the kernel. No easy way (yet?) to distribute things around - although we could use xhier to ship them around. But maybe we can tie RBAC into LDAP?
Don't know if there will be a non-C API to give a program access to role-based stuff - but it may be somewhere on the roadmap.
slide 31 - significance of the home directory to RBAC is currently unclear.
Programs need to be suid root to use privileges - otherwise what's the point?
19 - Zones are very similar to jails, but they run on a single kernel (maybe jails do too?) They can be limited in terms of what devices they get and what filesystems they can see. root in global zone can see into each of the other zones - login and zlogin. Note that UIDs can be
very problematic - they've gotta match. Ick, just like NFS.
slide 49 - when setting up a zone, it doesn't get a filesystem unless you specify it. If you add a package to the global zone, you have to add it to the other zones too (assuming you want it there) - no automagic access.
Zones
may all share global swap - YUCK.
NFSv4 on build 69 seems to crash NetApps - wowzers. This may (have been | be) fixed by release-time.
dtrace has implications on research machines - given full-access role, somebody can see
absolutely everything.
Build 69 seemed to have issues in zones using ipfilter. Peter was playing around during a break and crashed it.
With IP aliases, you can't control source address for an application. Maybe a gotcha.
http://www.cisecurity.org
Solaris
SSH is "compatible" even with OpenSSH 3.8 - but it isn't openssh. It also enables X11 Forwarding by default. (!)
--
MikePatterson - 04 Jun 2005