National Security, the "two man rule" and Solaris

A recent article in Federal Computer Week reports:

In the raging debate over the data breach at the National Security Agency, here’s a nugget that deserves more attention than it has received: The NSA's director, Gen. Keith Alexander, recently instituted a two-man rule to limit the previously unfettered access of the 1,000-plus systems administrators who work for the agency. It ensures that no single person can gain access to confidential, sensitive and often top secret data.

 In addition, DISA has published "Security Requirements Guides for Operating Systems" which require:

 The operating system must enforce a two-person rule for changes to organization defined information system components and system level information.

Luckily, Solaris 10 and 11 have all the tools to assist in creating a "two man rule." In fact, we published a paper on the topic in 2005. The comprehensive role- and profile-based collection of authorizations in Solaris ensures that only users with the proper authorizations are allowed access to administrative tools. Solaris can be configured so that one user has the role of "Security Admin" while another user has the role of "System Admin." The security admin has privileges to add users and give (or remove) authorizations from those users but does not have all the other traditional capabilities of "root." In other words, the security admin cannot accidentally "rm -rf /" to corrupt the system. The system admin has authorizations to perform traditional system administration functions, such as creating file systems and managing services, but cannot create new users or give himself additional privileges.
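As an added example (not from the original post or from Oracle), this Python audit checks that the split described above actually holds: it parses user_attr-format entries and lists every account that can reach both the security-admin and the system-admin duties on its own. The role names secadmin and sysadmin, the mapping of rights profiles to duties and the sample entries are assumptions made for illustration; nested profiles and directory-service entries are not expanded.

```python
# Added example; role names, accounts and SAMPLE are constructed assumptions.
SECURITY = {"User Security", "User Management"}  # assumed security-admin profiles
SYSTEM = {"System Administrator"}                # assumed system-admin profile

SAMPLE = """\
# constructed sample, format: user:qualifier:res1:res2:attr
root::::type=role;auths=solaris.*;profiles=All
secadmin::::type=role;profiles=User Security
sysadmin::::type=role;profiles=System Administrator
alice::::type=normal;roles=secadmin
bob::::type=normal;roles=sysadmin
carol::::type=normal;roles=secadmin,sysadmin
dave::::type=normal;roles=root
erin::::type=normal;roles=sysadmin;profiles=User Security
"""

def parse_user_attr(text):
    """Map each account name to {key: [values]} taken from its attr field."""
    entries = {}
    for line in text.splitlines():
        fields = line.strip().split(":", 4)
        if line.lstrip().startswith("#") or len(fields) != 5:
            continue  # comment, blank or malformed line
        attrs = {}
        for pair in fields[4].split(";"):
            key, sep, value = pair.partition("=")
            if sep:
                attrs[key.strip()] = [v.strip() for v in value.split(",") if v.strip()]
        entries[fields[0]] = attrs
    return entries

def duties(attrs):
    """Duties one entry grants directly through its auths and profiles."""
    if "solaris.*" in attrs.get("auths", []):
        return {"security", "system"}  # wildcard authorization covers both
    profiles = set(attrs.get("profiles", []))
    held = {"security"} if profiles & SECURITY else set()
    return held | ({"system"} if profiles & SYSTEM else set())

def violations(text):
    """Non-role accounts that can reach both duties without a second person."""
    entries = parse_user_attr(text)
    flagged = []
    for name, attrs in sorted(entries.items()):
        held = duties(attrs)
        for role in attrs.get("roles", []):
            held = held | duties(entries.get(role, {}))
        if attrs.get("type") != ["role"] and held == {"security", "system"}:
            flagged.append(name)
    return flagged
```

Calling `violations(SAMPLE)` flags the accounts that hold both roles, can assume root, or combine a directly assigned security profile with the system-admin role.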

Solaris 11 is Oracle's premier Unix-based operating system with support for SPARC-based systems from Oracle and Fujitsu and X86 systems from a wide variety of vendors.

Many customers don't know that Solaris is built from a single source code base for both platforms and consists of about 95% common code. Unless there is a specific difference in hardware support (virtualization, cryptography, hardware failure detection, dynamic reconfiguration), Solaris looks and works the same on both platforms from an administrative point of view.

In addition, Solaris helps to protect your software investment by providing a unique binary compatibility guarantee. An application written to our ABI on SPARC or X86 from the Solaris 2.6 timeframe will continue to run on newer versions of the same platform running Solaris 11.

Our source code guarantee ensures that code written for SPARC will compile on X86 and vice versa.

Since the merger of Oracle and Sun, both Solaris and Oracle Database have been optimized to work better together.  With the release of Oracle DB 12c, these enhancements include:

  • Dynamic tracing probes for improved monitoring
  • Dynamic SGA resizing for improved availability
  • Improved DB startup times
  • In-kernel Oracle RAC performance enhancements
  • Improved encryption, security and virtualization support


Choose Solaris and Oracle hardware and software for the most reliable, scalable and secure data center environments. 


Very good catch :-)
That's Solaris!

Posted by Carlos Azevedo on July 12, 2013 at 08:21 AM EDT #

"X86 systems from a wide variety of vendors."

Following that link:

Solaris 10 HCL:
1362 systems currently listed
2005 components currently listed

Solaris 11 HCL:

413 systems currently listed
197 components currently listed

Less support for i86pc hardware in Solaris 11 than is in Solaris 10. Bless Oracle.

Posted by UX-admin on July 28, 2013 at 12:15 AM EDT #

Solaris is the best when it comes to security <3

Posted by Farrukh Askari on July 28, 2013 at 04:10 AM EDT #

Solaris 10 was released in 2005. Eight years ago! Over those eight years many systems were qualified, many of which are no longer available and you would not want to use anyway. In addition, many more were laptop systems.

Solaris 11 is less than two years old.

Posted by UX-ADM on July 28, 2013 at 07:16 PM EDT #

"Solaris 10 was released in 2005. Eight years ago! Over those eight years many systems were qualified, many of which are no longer available and you would not want to use anyway. In addition, many more were laptop systems."

Indeed, many are laptop systems. How many laptop systems does Solaris 11 support?

I do not quite buy the argument. What I am insinuating is that Oracle has dropped support for pretty much any i86pc hardware which is not its own, bar a few models which are the result of behind-the-scenes special agreements.

Posted by UX-admin on July 28, 2013 at 07:28 PM EDT #


Jim Laurent is an Oracle Sales consultant based in Reston, Virginia. He supports US DoD customers as part of the North American Public Sector hardware organization. With over 17 years experience at Sun and Oracle, he specializes in Solaris and server technologies. Prior to Oracle, Jim worked 11 years for Gould Computer Systems (later known as Encore).

