By Darren Moffat-Oracle on Oct 17, 2016
During an internal interest list discussion recently someone attemted to assert that Oracle Solaris was immune from virus attacks and therefore didn't need anti-virus.
is really no immunity to almost any security threat. There are layers of defense to specific threats.
Just like in the physical world there is no complete immunity from all
viruses - they can and do adapt and evolve and impact differently
depending on the host.
Someone in the discussion suggested that we were immune or better than others because we
have FIPS 140-2 validation, CC evaluation and a Compliance framework.
Trusted Extentsions is about controlling flows between applications and networks via labeling.
- This is at heart about data loss prevention and data classificatoin.
- Compliance (eg PCI-DSS or DISA STIG) is about providing evidence the system is configured to an approved configuration policy;
- I like to remind people that Compliance != Security: you can be compliant and insecure or secure (against your threat model) yet out of compliance.
- FIPS 140-2 is a 3rd party (NIST) validation that the vendor implemented the cryptographic primitives correctly.
- Good cryptography alone isn't enough, it can certainly help against some threats but not all. Most of the time data needs to be decrypted to be operated on anyway.
- Common Criteria is a 3rd party validation that we implemented an agreed feature set correctly.
Oracle Solaris does have a number of features that can be deployed to reduce
the risks where malware is the threat.
- Immutable Zones (including bare metal and LDOMs):
- This provides protection against malware persisting.
- Verified Boot:
- Detect corrupt or malicious kernel and modules
- Privileges / Extended Policy:
- Reduce the damage from security exploit bugs to prevent escalation and potential virus propagation.
- Role Base Access Control (RBAC) administration
- Use the least privilege possible to get the job done, and were required provide separation of duty (eg require two different admins to configure a new user account).
- Build onto of privileges and user authorisations.
- Signed Packages / Install over TLS
- Ensure we start out with and update to an OS and applications that haven't been tampered with since it left our (or yours) release engineering process.
Signed ELF binaries for userspace
- Manual/Periodic check to modified binaries - 'pkg verify' often a better option though since it covers more than just ELF binaries.
- Silicon Secured Memory (specifically ADI)
- Hardware assist for a specific class of bad programming errors that can (and often do) lead to corruption and/or security exploits in running software.
- ZFS can require Virus Scanning (using a 3rd party engine) on file access (local or remote)
The above is far from a comprehensive list of security features available in Oracle Solaris, some of the above have equivalents in other operating systems as well.
So do you need anti-virus software when deploying Solaris ?
That depends on your environment and threat model.
Personally if I was serving out file systems over SMB to Windows and macOS clients then I would seriously consider using the ZFS virus scanning integration, it provides a useful additional layer of defence. It might not be required or appropriate everywhere though.
One the other hand if I was building an OpenStack based cloud infrastruture my focus would be much more on using Immutable Zones and ensuring all the cloud infrastructure used TLS (or IPsec) to communicate securely.