National Security, the "two man rule" and Solaris
By user12611852 on Jul 11, 2013
A recent article in Federal Computer Week reports:
In the raging debate over the data breach at the National Security Agency, here’s a nugget that deserves more attention than it has received: The NSA's director, Gen. Keith Alexander, recently instituted a two-man rule to limit the previously unfettered access of the 1,000-plus systems administrators who work for the agency. It ensures that no single person can gain access to confidential, sensitive and often top secret data.
In addition, DISA has published "Security Requirements Guides for Operating Systems" which require:
The operating system must enforce a two-person rule for changes to organization defined information system components and system level information.
Luckily, Solaris 10 and 11 have all the tools to assist in creating a "two man rule." In fact, we published a paper on the topic in 2005. Solaris's comprehensive role- and profile-based collection of authorizations ensures that only users with the proper authorizations are allowed access to administrative tools. Solaris can be configured so that one user has the role of "Security Admin" while another user has the role of "System Admin." The security admin has privileges to add users and give (or remove) authorizations from those users but does not have all the other traditional capabilities of "root." In other words, the security admin cannot accidentally "rm -rf /" to corrupt the system. The system admin has authorizations to perform traditional system administration functions, such as creating file systems and managing services, but cannot create new users or give himself additional privileges.
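The split described above only holds while no single account can reach both sets of rights. The following audit is an added example, not taken from the 2005 paper or from Solaris itself: it reads user_attr(4)-style entries and lists every account that can reach both rights profiles, directly or through its roles. The account and role names and the sample entries are constructed, and the two profile names passed in are assumed to be the ones backing the two roles.

```shell
# Added example: separation-of-duty audit over user_attr(4)-style entries
# of the form user:qualifier:res1:res2:attr (attr = key=value;key=value).
# Constructed sample data; account and role names are hypothetical.
SAMPLE_USER_ATTR='# constructed sample
secadm::::type=role;profiles=User Security
sysadm::::type=role;profiles=System Administrator
alice::::type=normal;roles=secadm
bob::::type=normal;roles=sysadm
carol::::type=normal;roles=secadm,sysadm
dave::::type=normal;roles=sysadm;profiles=User Security'

# sod_violations SEC_PROFILE SYS_PROFILE  (reads entries on stdin)
# Prints each non-role account that can reach BOTH profiles.
sod_violations() {
    awk -F: -v secp="$1" -v sysp="$2" '
    /^#/ || NF < 5 { next }
    {
        type = "normal"; roles = ""; profs = ""
        n = split($5, kv, ";")
        for (i = 1; i <= n; i++) {
            eq = index(kv[i], "=")
            if (eq == 0) continue
            k = substr(kv[i], 1, eq - 1); v = substr(kv[i], eq + 1)
            if (k == "type") type = v
            else if (k == "roles") roles = v
            else if (k == "profiles") profs = v
        }
        kind[$1] = type; uroles[$1] = roles; uprofs[$1] = profs
        order[++cnt] = $1
    }
    # has(): is "want" one of the comma-separated items in "list"?
    function has(list, want,   a, m, j) {
        m = split(list, a, ",")
        for (j = 1; j <= m; j++) if (a[j] == want) return 1
        return 0
    }
    # reach(): does account u hold "want" directly or via an assumable role?
    function reach(u, want,   r, m, j) {
        if (has(uprofs[u], want)) return 1
        m = split(uroles[u], r, ",")
        for (j = 1; j <= m; j++) if (has(uprofs[r[j]], want)) return 1
        return 0
    }
    END {
        for (i = 1; i <= cnt; i++) {
            u = order[i]
            if (kind[u] != "role" && reach(u, secp) && reach(u, sysp)) print u
        }
    }'
}
printf '%s\n' "$SAMPLE_USER_ATTR" | sod_violations "User Security" "System Administrator"
```

On the sample, carol is flagged for holding both roles and dave for holding one role plus a directly assigned profile from the other side; the audit does not expand nested profiles.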
Many customers don't know that Solaris is built from a single source code base for both platforms, SPARC and X86, and consists of about 95% common code. Unless there is a specific difference in hardware support (virtualization, cryptography, hardware failure detection, dynamic reconfiguration), Solaris looks and works the same on both platforms from an administrative point of view.
In addition, Solaris helps to protect your software investment by providing a unique binary compatibility guarantee. An application written to our ABI on SPARC or X86 from the Solaris 2.6 timeframe will continue to run on newer versions of the same platform running Solaris 11.
Our source code guarantee ensures that code written for SPARC will compile on X86 and vice versa.
Since the merger of Oracle and Sun, both Solaris and Oracle Database have been optimized to work better together. With the release of Oracle DB 12c, these enhancements include:
- Dynamic tracing probes for improved monitoring
- Dynamic SGA resizing for improved availability
- Improved DB startup times
- In-kernel Oracle RAC performance enhancements
- Improved encryption, security and virtualization support
Choose Solaris and Oracle hardware and software for the most reliable, scalable and secure data center environments.