Monday Jul 30, 2007

Trusted Extensions now open and core

Trusted Extensions binaries have been part of Solaris since the 3rd update release of Solaris 10. Over the weekend Trusted Extensions entered a new and very exciting era. Not only is it still part of the Solaris 10 binary product, but there have been two significant changes.

  • First, the packages are no longer optional extras and are always installed. Turning on Trusted Extensions is now just a matter of starting the labeling service: 'svcadm enable labeld'. This architecture change is discussed in PSARC/2006/254.
  • Secondly, the source code to what was previously called the "TLC" gate migrated into the ON gate. Most of this is in usr/src, i.e. it is open and under the CDDL license. However, one part ended up in usr/closed, and that is labeld. The interface for calling labeld is open, so in theory other distros could create their own replacement daemon.
This is just the first part; the corresponding changes still need to happen for the TX supplementary code in the other consolidations, including JDS.

- Darren

Fresh Look:

A few months ago, started off in a new direction. The goal was to provide a large and highly visible stage for anyone within Sun who wanted to share their thoughts about security. Per the announcement:

If you are a member of the Sun security community, and if you have something to say, where do you go to talk about the whole panoply of security? To where should you direct your voice? The answer, now, is here,

The goal of this effort was simple. It enabled Sun's security community to:

provide a point of consolidation, where people can find postings and feeds pertinent to their preferred topics - Security Alerts, Tips, New Products, Announcements of "Pertinent Stuff" internal and external to Sun - where you can find personally written content with a high signal-to-noise ratio, and where you can have conversations through comments, cross-linking, providing the immediacy which is a cornerstone of the modern web.

A lot of great content has been shared in this forum and across since that posting. In addition, the announcement said that:

Over the coming weeks there will be evolution and change, and you'll be hearing from real Sun people with real interest in security.

Well, it was more than just a few weeks, but it is certainly in this spirit that I am happy to announce the newly updated security landing page at This page has been revamped by real Sun people with real interest in security and this is just the beginning. We will be bringing you fresh news and content on a regular basis, will be working to update the rest of the security pages in the very near future, and will be working towards even closer integration with

For Sun employees, if you want your security postings to be visible on, you need only tag your blog posting with the keyword security.

Check it out and let us know what you think!

Monday Jul 02, 2007

SLOTD: ZFS Crypto Design Review

The design review for phase one of the OpenSolaris ZFS Crypto Project starts now, details on how to participate are here. - Darren

Thursday Jun 28, 2007

SLOTD: Configuring Secure Shell for use with Kerberos

Jan Pechanec gives us a nice worked example on setting up the above, here. Yet another good feature in Solaris 10 11/06 :-).

Tuesday Jun 12, 2007

SPOTD: Eine Kleine SicherheitGeekMusik

As mentioned, I was visiting the USA last week, and stopped in on my former colleague and friend Keith Watson, who introduced me to the delights of MCPlus+ ("EmCeePlusPlus"), a nerdcore / geek-rap act who sing about cryptography and maths.

Cryppies will want to listen to track 4 off the album 'Algorhythms', viz. Alice and Bob.


SLOTD: A couple of security podcasts

A couple of podcasts on various security topics can be found on

The Systemic Security recording is of Hal Stern talking to Glenn Brunette about what we're building, documenting and sharing to (help) make everything that gets deployed more secure.

In the Solaris podcast they are joined by Darren Moffat, and chat about what security features we have in Solaris (crypto, Trusted Extensions, RBAC...) and what will be coming in the future.

Elliptic Curve Cryptography is the topic of the third podcast, this time with Hal discussing matters with Vipul Gupta. After an overview of what ECC is, they look at the interoperability aspects of these algorithms.

Update: To hear another voice -- Joel Weise's -- on one of the topics Hal raised in those podcasts there's the systemic security "Net Talk" programme.


Monday Jun 11, 2007

SPOTD: An Update On Progress

So I've been away for a bit, but now I'm back; while I've been away:

Bleagh. I need coffee...

Sunday May 20, 2007

SPOTD: In a Secure By Default world, is the Solaris Security Toolkit still relevant?

Following the integration of the Secure By Default (SBD) work into Nevada build 42 and, subsequently, Solaris Express and Solaris 10 11/06, some colleagues have been asking me whether the Solaris Security Toolkit (SST, aka JASS) still has a useful part to play. My answer is "definitely", and here's why.

SBD acts either to disable services completely, or to force them to bind listeners only to the loopback interface. SST is equally capable when it comes to disabling services, but the "bind only to loopback" behaviour is currently beyond its reach.

By contrast, there are a number of things SST can do that SBD does not, today. These include:

  • setting nscd cache timeouts to zero
  • restricting the use of cron and at
  • enforcing the use of particular password encryption algorithms and requiring the use of what are considered to be "strong" passwords
  • setting warning banners on login services
  • randomising packet sequence numbers (as per RFC 1948)
  • controlling where core files are put

In short, where SBD hardens a system by disabling or constraining service listeners, SST further hardens a system by finessing the ways in which services and the underlying OS capabilities (network stack, etc.) are configured.

There are a few design reasons why SBD doesn't do all the things that SST does, such as enabling packet sequence number randomisation by setting TCP_STRONG_ISS to 2 in /etc/default/inetinit and setting nscd timeouts to 0. As SST isn't run on a system by default, whereas SBD is the default configuration on Nevada and Solaris Express (although not on Solaris 10, for reasons of backward compatibility), SST can "get away with" doing some things that SBD can't.

So, how can you best go about using the two capabilities together?

First, ensure that once you've installed SST, you also patch it with 122608-03 or later, so that it understands SBD. Next, depending on what services you intend to present from your system, you can set SBD to netservices limited; about the only situation I can think of where you wouldn't necessarily want to use SBD everywhere is when you want to present something which has a lot of dependencies on Solaris services, such as Sun Ray services. If you're building a SNAP server on Trusted Extensions, for instance, while it's sensible to use netservices limited on the non-global zones handling each label, it's easier to leave the global zone (aka Trusted Path) at netservices open, and lock it down with SST.

For a service with less complex dependencies, it's sensible to use netservices limited, open up whatever dependent services are required using SMF, and then apply SST. In the event that the system needs to be reconfigured, make sure that SST and SBD operations are "nested" correctly: as SST is the last thing applied, it needs to be the first thing undone with jass-execute -u, and then SMF can be used to change the SBD profile before re-hardening with a suitably modified SST .driver.
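As an added illustration (not from the original post, and not part of SST/JASS or SBD), the POSIX shell audit below checks several of the SST-managed settings listed above under a given root directory, so you can confirm what SBD alone leaves untouched. The file paths are the standard Solaris ones; the two make_*_root functions build constructed sample trees so the script runs offline on any system.

```shell
#!/bin/sh
# Added audit helper: checks a few SST-managed settings (RFC 1948 ISS, nscd TTLs,
# cron/at allow lists, password hash) below a root directory. Point it at / on a
# Solaris host, or at the constructed sample trees made by the make_*_root helpers.

check_strong_iss() {    # TCP_STRONG_ISS=2 in /etc/default/inetinit enables RFC 1948 ISS
    grep -q '^TCP_STRONG_ISS=2' "$1/etc/default/inetinit" 2>/dev/null
}

check_nscd_ttl() {      # every nscd positive/negative TTL must be 0 (nothing cached)
    f="$1/etc/nscd.conf"
    [ -f "$f" ] || return 1
    awk 'BEGIN {bad=0} /^(positive|negative)-time-to-live/ && $3 != 0 {bad=1} END {exit bad}' "$f"
}

check_cron_allow() {    # cron and at restricted to explicit allow lists
    [ -f "$1/etc/cron.d/cron.allow" ] && [ -f "$1/etc/cron.d/at.allow" ]
}

check_crypt_default() { # CRYPT_DEFAULT in policy.conf must not be the traditional __unix__ hash
    awk -F= '/^CRYPT_DEFAULT=/ {v=$2} END {exit !(v != "" && v != "__unix__")}' \
        "$1/etc/security/policy.conf" 2>/dev/null
}

audit_sst_settings() {  # $1 = root dir; prints PASS/FAIL per check, returns the failure count
    fails=0
    for c in check_strong_iss check_nscd_ttl check_cron_allow check_crypt_default; do
        if "$c" "$1"; then echo "PASS $c"; else echo "FAIL $c"; fails=$((fails + 1)); fi
    done
    return "$fails"
}

make_sample_root() {    # constructed tree mimicking a host hardened with SST (all checks pass)
    mkdir -p "$1/etc/default" "$1/etc/security" "$1/etc/cron.d"
    echo 'TCP_STRONG_ISS=2' > "$1/etc/default/inetinit"
    printf 'positive-time-to-live passwd 0\nnegative-time-to-live passwd 0\n' > "$1/etc/nscd.conf"
    echo 'CRYPT_DEFAULT=md5' > "$1/etc/security/policy.conf"
    : > "$1/etc/cron.d/cron.allow"
    : > "$1/etc/cron.d/at.allow"
}

make_sbd_only_root() {  # constructed tree for a box left at SBD defaults: ISS=1, cached nscd
    mkdir -p "$1/etc/default" "$1/etc/security"
    echo 'TCP_STRONG_ISS=1' > "$1/etc/default/inetinit"
    echo 'positive-time-to-live passwd 600' > "$1/etc/nscd.conf"
    echo 'CRYPT_DEFAULT=__unix__' > "$1/etc/security/policy.conf"
}
```

Run `audit_sst_settings /` before and after `jass-execute` to see which of these settings SST actually changed on a given host.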


Thursday May 17, 2007

SPOTD: The Guide Book to Solaris Role-Based Access Control

An overview of the main bits and pieces of Solaris Role-Based Access Control (RBAC).

SPOTD: The 5 Cent Tour of Solaris Role-Based Access Control

The 5 cent tour of Solaris Role-Based Access Control is a five minute overview of the main bits and pieces of RBAC.

