In "Using Oracle Solaris 10 to Overcome Security Challenges," Mark Thacker describes how Oracle Solaris 10 uses the principle of least privilege to reduce the vulnerabilities of applications that perform privileged operations as root.
"Over 65 discrete, fine-grained privileges are built into the kernel and user access space. The concept of privileges as implemented in Oracle Solaris 10 is extended throughout the operating system — even the built-in tools take these rights and privileges into account. Using this approach, administrators can grant new
or existing applications only the appropriate privileges necessary to perform tasks. Many system components such as NFS, the Oracle Solaris Cryptographic Framework, IP Filter, file system mount commands, and more, are already configured to run with reduced privileges by default, with no configuration required by the administrator.
Mark goes on to provide clear explanations of how the following Solaris 10 security features work:
- User Rights Management (role-based access control), which an administrator uses to limit access to administrative functions while providing access to specific operating functions.
- Network Security and Encryption, which includes Secure-By-Default (one of those "Duh, why didn't I think of that" ideas), IP packet filtering firewall, an integreated cryptographic framework, and an arsenal of other tools that sysadmins can use to both keep out network intruders and comply with privacy regulations.
- Minimized and Hardened OS, which reduces the size of the target for hackers by only installing basic features and securing them at the same time.
- Containers and Trusted Extensions that enable sysadmins to isolate and protect applications and users in a virtualized environment.
This article is clear, easy to understand, and does a great job of explaining exactly how an admin can use the security tools of Solaris 10 to protect and certify an operating environment. Includes a solid list of security resources.
I found the picture of the bull in this BBC story.