SnatchBrain, The ramblings of an IT CTO/Instructor


Information Technology

Oracle® Solaris® 11 Update 4 – Security

#solaris #solaris114beta

This post describes the security and compliance features that are new in this release. These new features help prevent new threats through anti-malware protection and enable you to meet the strictest compliance obligations.

The engineering concept is security at every level. A number of built-in defense technologies prevent attackers from gaining access and establishing a foothold in your data center.

Oracle Solaris systems can run periodic assessments of the system security posture, with compliance results either pushed or pulled to a central location over a secure transport. Compliance integration with the Oracle Solaris Web Dashboard provides graphs of historical compliance assessment status at the security benchmark and individual check layer. With multinode compliance you can centrally gather a compliance assessment for multiple instances, which is very beneficial for the development and deployment of applications where you want to ensure that the entire set of instances is compliant and ready to roll out without checking each instance individually.

Secure Sandboxes
Sandboxes are uniquely named sets of process attributes that can be used to specify security and resource isolation requirements. In Oracle Solaris 11.4, you can execute untrusted processes in temporary sandboxes.

Persistent and hierarchical sandboxes can be created by using the sandboxadm command. Both temporary and persistent sandboxes can be entered by using the sandbox command. Sandboxes are suitable for constraining both privileged and unprivileged applications. Enhanced exploit mitigation controls leveraging SPARC Silicon Secured Memory automatically protect key applications and the system kernel.
For more information, see “Configuring Sandboxes for Project Isolation” in Securing Users and Processes in Oracle Solaris 11.4 and the sandboxing(7), sandbox(1), and sandboxadm(8) man pages.

Scheduled Compliance Assessment
An Oracle Solaris instance should be able to declare the compliance benchmarks that it is assessed against. The instance should also periodically assess itself against that policy. This Oracle Solaris release introduces two new features that support the ability to run compliance reports against specific compliance benchmarks. The existing SMF compliance service is modified as follows:
■ The current :default instance performs guide generation, so this instance is renamed to the :generateguide instance and is enabled by default.
■ policy is the new SMF property group that is added to declare the policy or benchmark that the system is to be assessed against:
<property_group name='policy' type='application'>
  <propval name='value_authorization' type='astring' value='solaris.compliance.assess' />
  <propval name='benchmark' type='astring' value='solaris' />
  <propval name='profile' type='astring' value='Baseline' />
  <propval name='tailoring' type='astring' value='' />
</property_group>
View and update compliance policy values with two new compliance subcommands that are implemented over the SMF RAD transport:
compliance set-policy [ -b benchmark [ -p profile ]] [ -t tailoring ]
compliance get-policy
The get-policy output is not intended to be parsable, and its format can change without further notice.
For more information, see Oracle Solaris 11.4 Security Compliance Guide.

Per File Auditing
Per file auditing in Oracle Solaris 11.4 provides fine-grained, on-access auditing of specific files and directories. With this feature, system and security administrators can target specific files for auditing and record only the specified kinds of access to them, which makes audit data much easier to collect and analyze.
For example:
# chmod A+everyone@:write_data/read_data:successful_access/failed_access:audit /data/db1
This audit ACE ensures that an audit record is generated for any read or write of the /data/db1 file by any user on the system, whether the access succeeds or is denied. Audit ACEs can also be added for metadata changes.
For more information, see “What’s New in the Audit Service in Oracle Solaris 11.4” in Managing Auditing in Oracle Solaris 11.4.

Verified Boot Auditing
In Oracle Solaris 11.4, this new feature generates audit records that indicate the signature verification results of kernel modules. When Oracle Solaris 11.4 boots, the feature checks the Verified Boot boot_policy value and records it in the audit record for the AUE_SYSTEMBOOT event. When Verified Boot is enabled with boot_policy set to warning or enforce, Oracle Solaris audit produces AUE_MODLOAD audit events if an elfsign signature verification fails when a module is to be loaded. With Verified Boot enabled, you can keep track of events for kernel modules that have invalid signatures or signatures that have not been loaded into the system.
For more information, see “New Feature – Auditing Verified Boot” in Managing Auditing in Oracle Solaris

Privileged Command Execution History Reporting
Oracle Solaris 11.4 introduces the admhist utility, which provides a summary of system administration related events that have been run on the system, in a helpful, easy-to-understand format. The admhist utility works from the same audit data that the praudit and auditreduce utilities use for more detailed log analysis.
A variety of options enable you to narrow the results by user, date, time, or type of event. For example, you can list privileged command executions by a particular user ID within the last 24 hours:
# admhist -v -a "last 24 hours"
2017-05-09 10:58:55 cwd=/export/home/user1 /usr/sbin/zfs get quota rpool/export/home/user1
2017-05-09 10:59:16 cwd=/export/home/user1 /usr/sbin/zfs set quota 40g
2017-05-09 10:59:27 cwd=/export/home/user1 /usr/sbin/zfs get quota rpool/export/home/user1
2017-05-09 10:59:31 cwd=/export/home/user1 /usr/bin/bash
2017-05-09 10:59:31 cwd=/ /usr/bin/su
The output illustrates that the user user1 switched to the root user and increased his quota. The privileges that are used throughout the life of the process are examined when the command exits, which is why the su operation is listed at the end of the output.
For more information, see the admhist(8) man page, “New Feature – Per-Privilege Logging of Audit Events” in Managing Auditing in Oracle Solaris 11.4, and Using Oracle Solaris 11.4 Analytics.

KMIP Client Support
Oracle Solaris 11.4 provides client support for using the Key Management Interoperability Protocol (KMIP) version 1.1. A new PKCS#11 provider, pkcs11_kmip, is provided in the Oracle Solaris Cryptographic Framework, which enables PKCS#11 applications to function as KMIP clients and communicate with KMIP-compliant servers.
Oracle Solaris 11.4 also includes a new command, kmipcfg, which initializes and manages the states of the pkcs11_kmip provider.
For more information, see Chapter 5, “KMIP and PKCS #11 Client Applications” in Managing Encryption and Certificates in Oracle Solaris 11.4 and the pkcs11_kmip(7) and kmipcfg(8) man pages.

File and Process Labeling
File and process labeling in Oracle Solaris 11.4 provides a framework for restricting access to sensitive information. Files and directories can now be labeled so that only users or roles with sufficient clearance can access them. The clearance policy also applies to processes with all privileges. Oracle Solaris 11.4 can generate logs of every access to labeled files, which can be used to meet compliance standards such as PCI DSS and HIPAA.
For more information, see “Labels and Clearances” in Securing Files and Verifying File Integrity in Oracle Solaris 11.4 and the clearance(7) man page.

Silicon Secured Memory Security Exploit Mitigations
Silicon Secured Memory (SSM) adds real-time checking of access to data in memory to help protect against malicious intrusion and flawed program code in production, for greater security and reliability. SSM is available via the default system memory allocator and is available inside a kernel zone. See “Silicon Secured Memory Support in Oracle Solaris Kernel Zones”.
The system default allocator (libc malloc) is now Application Data Integrity (ADI) aware. Binaries tagged with the sxadm command automatically receive the protection. See the ADIHEAP and ADISTACK protections in the Security Extensions section of the sxadm(8) man page. SSM application programming interfaces are available for advanced customization. See “Protecting Against Malware With Security Extensions” in Securing Systems and Attached Devices in Oracle Solaris 11.4 and the adi(2) man page.

Packet Filter
Oracle Solaris 11.4 includes the OpenBSD 5.5 Packet Filter (PF) firewall for filtering TCP/IP traffic. In Oracle Solaris 11.4 the PF firewall replaces IP Filter (IPF) and adds both bandwidth management and packet prioritization. To use the PF firewall, install the pkg:/network/firewall package and enable the svc:/network/firewall:default service instance.
Note – Make sure you configure the firewall first. Enabling the firewall with the default configuration puts the service into a degraded state. The degraded firewall blocks all inbound sessions except ssh. Outbound sessions are allowed.
For more information, see Chapter 3, “Oracle Solaris Firewall” in Securing the Network in Oracle Solaris 11.4 and the pfctl(8), pf.conf(7), and pf.os(7) man pages.

Oracle Solaris 11.4 supports ftp-proxy, a semi-transparent proxy for FTP, supporting IPv4 NAT. Systems running the PF firewall for NAT can use the ftp-proxy to allow FTP connections to pass through the firewall.
For more information, see the ftp-proxy(8) man page.

pflogd Daemon
Oracle Solaris 11.4 supports the pflogd feature, a packet logging daemon that safely saves packets logged by the PF firewall. These packets are available from a capture datalink. The daemon reads packets from this datalink and stores them into a file.
For more information, see the pflogd(8) man page.

Oracle Solaris 11.4 provides an updated version of Kerberos, which includes improvements from the latest version of MIT Kerberos, as well as enhancements made for Oracle Solaris. Kerberos provides network authentication, and optionally provides message integrity and privacy, depending on how an application uses it.
For more information, see Chapter 1, “Kerberos on Oracle Solaris” in Managing Kerberos in Oracle Solaris 11.4 and the kerberos(7) man page.

The Simple Authentication and Security Layer (SASL) framework provides authentication and optional security services for network protocols. Oracle Solaris 11.4 bases its SASL implementation on the open source Cyrus SASL version 2.1.26 with a few changes. The SASL plugins are in the /usr/lib/sasl2 directory, and the default location for the SASL configuration files is the /etc/sasl2 directory. By basing the SASL version on open source, Oracle Solaris 11.4 is able to provide the latest SASL features, including security updates.
For more information, see Chapter 2, “Using Simple Authentication and Security Layer” in Managing Authentication in Oracle Solaris 11.4.

libucrypto Library
Oracle Solaris 11.4 includes libucrypto, a lightweight library that provides access to hardware accelerated cryptography. Operations provided include symmetric and asymmetric encryption, digital signatures, message authentication codes, and cryptographic hashes. The libucrypto library is intended for the case where you need hardware cryptographic primitives but not the key storage, session management, or standards based APIs provided by libpkcs11.
The library is fast for both the programmer and the processor, as it avoids locking and session management overhead.
For more information, see “Simple and Fast ucrypto Provider” in Managing Encryption and Certificates in Oracle Solaris 11.4 and the libpkcs11(3LIB) man page.

PKCS #11 v2.40 Support for Oracle Solaris Cryptographic Framework
The Oracle Solaris Cryptographic Framework has been updated from PKCS #11 v2.20 to PKCS #11 v2.40. The updates include some of the latest mechanisms in PKCS #11 v2.40, including those from PKCS #11 v2.30. A new error code and a new value have also been introduced in PKCS #11 v2.40.
■ The following new mechanisms have been added:
  AES signing and verification
  AES encryption and decryption
  SHA-512/t message digesting
  SHA-512/t general-length with HMAC
  SHA-512/t key derivation
  TLS 1.2
■ Error code CKR_CURVE_NOT_SUPPORTED for elliptic curve
If a specific elliptic curve cannot be supported, then the error code CKR_CURVE_NOT_SUPPORTED is returned. In the previous version, CKR_TEMPLATE_INCONSISTENT was returned if the curve was not supported.
■ New value CK_UNAVAILABLE_INFORMATION
When C_GetAttributeValue() is called and an attribute cannot be returned because it is invalid or unavailable, ulValueLen is set to CK_UNAVAILABLE_INFORMATION. The caller has to check whether the returned attribute value is invalid or unavailable by comparing ulValueLen with CK_UNAVAILABLE_INFORMATION. Moreover, the caller has to treat ulValueLen = 0 as a valid value.
If an object has CKA_DESTROYABLE = CK_FALSE, then a request to C_DestroyObject for this particular object should result in CKR_ACTION_PROHIBITED being returned as the error code.
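Added example (mine, not code from the Oracle document or from libpkcs11): a C_GetAttributeValue caller written to the v2.40 rule above, which compares ulValueLen with CK_UNAVAILABLE_INFORMATION before allocating and accepts a zero length as a valid value. The type and constant definitions mirror pkcs11.h, and mock_GetAttributeValue is a constructed stand-in for a token so the block runs without a provider.

```c
#include <stdlib.h>
#include <string.h>

/* Stand-ins for the pkcs11.h types and constants used here; the values match the header. */
typedef unsigned long CK_ULONG;
typedef CK_ULONG CK_RV;
typedef struct { CK_ULONG type; void *pValue; CK_ULONG ulValueLen; } CK_ATTRIBUTE;
#define CK_UNAVAILABLE_INFORMATION (~0UL)
#define CKR_OK                     0x000UL
#define CKR_ATTRIBUTE_SENSITIVE    0x011UL
#define CKR_ATTRIBUTE_TYPE_INVALID 0x012UL
#define CKR_BUFFER_TOO_SMALL       0x150UL
#define CKA_LABEL 0x003UL
#define CKA_VALUE 0x011UL
#define CKA_ID    0x102UL

/* Constructed mock token with one object: CKA_LABEL is present but empty, CKA_ID holds
 * three bytes, CKA_VALUE is sensitive, and any other attribute type is invalid. */
static CK_RV mock_GetAttributeValue(CK_ATTRIBUTE *a)
{
    static const unsigned char id[3] = {0xde, 0xad, 0x01};
    const void *src = NULL;
    CK_ULONG len = 0;
    switch (a->type) {
    case CKA_LABEL: break;                          /* valid, zero-length value */
    case CKA_ID:    src = id; len = sizeof id; break;
    case CKA_VALUE: a->ulValueLen = CK_UNAVAILABLE_INFORMATION; return CKR_ATTRIBUTE_SENSITIVE;
    default:        a->ulValueLen = CK_UNAVAILABLE_INFORMATION; return CKR_ATTRIBUTE_TYPE_INVALID;
    }
    if (a->pValue == NULL) { a->ulValueLen = len; return CKR_OK; }   /* size query */
    if (a->ulValueLen < len) { a->ulValueLen = CK_UNAVAILABLE_INFORMATION; return CKR_BUFFER_TOO_SMALL; }
    if (len) memcpy(a->pValue, src, len);
    a->ulValueLen = len;
    return CKR_OK;
}

typedef enum { ATTR_OK, ATTR_UNAVAILABLE, ATTR_ERROR } attr_status;

/* Two-call fetch: size the attribute, then read it. ulValueLen is compared with
 * CK_UNAVAILABLE_INFORMATION before it is used as an allocation size, and a zero
 * length is accepted as a valid empty value (*out stays NULL, *out_len is 0). */
static attr_status fetch_attribute(CK_ULONG type, unsigned char **out, CK_ULONG *out_len)
{
    CK_ATTRIBUTE a = { type, NULL, 0 };
    CK_RV rv = mock_GetAttributeValue(&a);
    *out = NULL; *out_len = 0;
    if (a.ulValueLen == CK_UNAVAILABLE_INFORMATION)
        return ATTR_UNAVAILABLE;                    /* sensitive or unsupported, not a size */
    if (rv != CKR_OK)
        return ATTR_ERROR;
    if (a.ulValueLen == 0)
        return ATTR_OK;                             /* valid, empty attribute */
    a.pValue = malloc(a.ulValueLen);
    if (a.pValue == NULL)
        return ATTR_ERROR;
    rv = mock_GetAttributeValue(&a);
    if (rv != CKR_OK) { free(a.pValue); return ATTR_ERROR; }   /* includes CKR_BUFFER_TOO_SMALL */
    *out = a.pValue; *out_len = a.ulValueLen;
    return ATTR_OK;
}
```

Without the CK_UNAVAILABLE_INFORMATION check, the sensitive CKA_VALUE case would reach malloc with a length of ~0UL, which is the failure mode the v2.40 wording is there to prevent.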
■ Removing Restrictions with CKU_SO
This change removes the restrictions on having R/O sessions open while CKU_SO is logged in. While R/O sessions can now co-exist with CKU_SO, those sessions behave as CKS_RO_PUBLIC_SESSION. An R/O session cannot be used to C_Login with CKU_SO. CKR_SESSION_READ_ONLY_EXISTS and CKR_SESSION_READ_WRITE_SO_EXISTS are deprecated.
For more information, see the SUNW_C_GetMechSession(3EXT), SUNW_C_KeyToObject(3EXT), libpkcs11(3LIB), pkcs11_softtoken(7), pkcs11_kms(7), and pkcs11_tpm(7) man pages.

Defense Against Malware – Tamper Evident Software, Application Sandboxing, Immutable Lifecycle.


Oracle® Solaris 11.4

#solaris #solaris114beta

There is a new update coming to Oracle® Solaris® 11 that carries with it a great deal of security additions and enhancements.
I’ll post some of them in the coming days but I first wanted to provide my thoughts on Solaris.

Obviously Solaris is a very robust, secure, mature operating environment, even with the recent announcements relating to Solaris and SPARC®.

Note that Extended Support for Solaris 11 ends November 2034 and Sustaining Support is marked as indefinite. So, let’s put to rest the idea that Oracle is no longer supporting their premier Unix Operating Environment. Was there restructuring? Yes. Was there an abandonment of Oracle Solaris? No, and the totality of the new features that we will be covering in the coming days bears strong witness to that.

In my opinion, if you are currently running Solaris there is no immediate, urgent need to look at spending time, money, and effort to migrate away from it. When paired with the SPARC processor, it is a secure, fast platform engineered for large-scale enterprise deployment. It provides compliance monitoring, performance monitoring, and ZERO overhead virtualization.

I have some difficulty biting my lower lip when I hear “technologists” speak of the gloom and doom of the “M” series processor and/or SPARC given Oracle’s announcements relating to it.

Oracle JUST released the M8 in July of 2017.  The chip isn’t even a year old.  As I understand it (please realize that I do not speak for Oracle and make no guarantees about product availability) Oracle plans to continue to invest in producing robust SPARC based servers with improvements to I/O, Memory, etc. The M8 remains the constant but servers will continue to be designed with new technologies.

How can one easily overlook the M8? Clocked at 5 GHz, with a 32 KB L1 instruction cache, 16 KB L1 data cache, 256 KB L2 instruction cache, 128 KB L2 data cache, 64 MB of shared L3 cache, the ability to issue 4 instructions at a time, 32 cores, 16 GB memory pages, and security and database acceleration hardware on the die itself.

Modern applications use many threads working on large shared-memory segments. Bugs or pointer problems in these applications can cause highly unpredictable behavior and consume excessive amounts of an application developer’s time to troubleshoot and diagnose. Silent data corruption and buffer overruns are two of these difficult-to-diagnose problems. For both problems, Silicon Secured Memory dramatically reduces the time it takes for application developers to troubleshoot memory reference bugs. For silent data corruption, Silicon Secured Memory can facilitate immediate action to be taken by the application, preventing costly recovery efforts.

A robust CPU and an enterprise ready OS!  As I stated above, there is no reason to look to move away from SPARC/SOLARIS in the near future.

In the coming days I’ll post a bit about:

  • Key Features in Oracle Solaris 11.4
  • Security and Compliance Features
  • Data Management Features
  • Networking Features
  • Performance and Observability
  • Virtualization Features
  • System Management Features
  • Installation and Software Management Features
  • Enhancements for Developers




Speaking at Oracle OpenWorld 2017

If you are going to Oracle OpenWorld 2017 please stop by for my presentations.

Step to the Cloud: Ensuring Connectivity to the Cloud
Monday, Oct 02, 12:15 p.m. – 1:00 p.m. | Marriott Marquis (Yerba Buena Level) – Salon 13

In this session learn what to consider when migrating to the cloud. Topics include software-defined wide area networking, Oracle’s Anycast solution, Oracle’s acquisition of Dyn, how hosting client hardware within Equinix data centers improves performance and availability to Oracle’s cloud solution, and data security solutions. The session closes with a positive comparison of hosting on Oracle’s cloud machine when situations warrant.
State of the Art Cloud Platform: Infrastructure as a Service (IaaS)
Code: CON1172
Session Type: Conference Session

SAS on Oracle Cloud: Technical Implementation with Docker Containers
Wednesday, Oct 04, 10:45 a.m. – 11:30 a.m. | Moscone West – Room 2003

Selected as the partner for Oracle/SAS/Arrow to implement, provision, and provide professional services. In this session learn about the features of the solution and why using a Docker container in the Oracle Cloud to run SAS analytics makes both business and technical sense. Hear a summary of the integrated, optimized, turn-key cloud environment, and review the architecture. Attendees also see a demo of deploying the container and using the solution running in the container. Discover how easy it is to build once and run many times, as well as how easily IT departments can save both time and expense with container technology.
State of the Art Cloud Platform: Application Development
Code: CON7548
Session Type: Conference Session