Oracle Solaris 11.3 安全保障系统与设备指南

需积分: 5 189 浏览量更新于2024-06-24 收藏 773KB PDF 举报

身份认证购VIP最低享 7 折!

领优惠券(最高得80元）

Oracle Solaris 11.3 是一个高度安全的操作系统版本，专注于保护系统的稳定性和设备的安全性。本指南——《Securing Systems and Attached Devices in Oracle Solaris 11.3》（Part No: E54828）发布于2019年4月，它详细阐述了在Oracle Solaris 11.3中实施和管理网络安全的最佳实践。该文档的重要性在于，它提供了系统管理员和IT专业人员所需的关键技术策略，以确保操作系统及其连接的设备免受潜在威胁。本文档的核心知识点包括： 1. **安全策略与架构**：概述了Oracle Solaris 11.3的安全模型，强调了基于角色的访问控制（RBAC）和最小权限原则，以限制用户和进程对系统资源的访问。 2. **身份验证和授权**：介绍了多种身份验证方法，如PAM（Pluggable Authentication Modules）、Kerberos和本地身份验证，以及如何配置它们来增强系统的安全性。 3. **防火墙和网络策略**：讲解了如何使用Sun Firewalls、IPsec和Secure Shell (SSH)等工具来设置网络边界保护，并创建安全的通信路径。 4. **加密和数据保护**：涵盖了加密技术在存储、传输和备份数据时的应用，包括硬盘加密、SSL/TLS、以及安全套接字层（SSL）的使用。 5. **设备管理**：着重介绍如何安全地管理和监控系统中的物理设备，包括磁盘、网络接口和外部存储设备，以防止未经授权的访问和数据泄露。 6. **日志和审计**：详细说明了日志记录机制，包括设置和分析系统活动日志，以便及时发现和响应潜在的安全事件。 7. **安全更新和补丁管理**：强调了定期应用Oracle提供的安全更新和补丁以修复已知漏洞的重要性，以及如何有效地进行管理。 8. **安全最佳实践**：提供了一系列实用建议，如定期审计安全设置、培训用户关于安全意识、以及应对恶意软件和攻击的应急响应计划。 9. **法律和合规性**：提醒读者遵守版权法规，并强调在处理政府机构相关的软件或文档时，必须遵守美国政府的相关规定，如版权许可协议和信息安全法规。 10. **反逆向工程政策**：明确指出未经许可的逆向工程行为是被禁止的，除非法律法规要求为了实现兼容性。 Oracle Solaris 11.3 Securing Systems and Attached Devices-112 是一个全面的指南，旨在帮助管理员提升系统和设备的安全防护等级，降低潜在风险，确保企业IT环境的稳健运行。对于任何维护Oracle Solaris 11.3系统的IT专业人员来说，这是一个不可或缺的参考资料。

资源详情

资源推荐

Controlling Access to a Computer System

TABLE 1

Password Hashing Algorithms

Identifier

Description Algorithm Man Page

The MD5 algorithm that is compatible with MD5 algorithms on BSD

and Linux systems.

crypt_bsdmd5(5)

The Blowfish algorithm that is compatible with the Blowfish algorithm

on BSD systems.

Note - To promote FIPS 140-2 security, remove the Blowfish algorithm

(2a) from the CRYPT_ALGORITHMS_ALLOW=2a,5,6 entry in the /etc/

security/policy.conf file.

crypt_bsdbf(5)

md5

The Sun MD5 algorithm, which is considered stronger than the BSD and

Linux version of MD5.

crypt_sunmd5(5)

The SHA256 algorithm. SHA stands for Secure Hash Algorithm. This

algorithm is a member of the SHA-2 family. SHA256 supports 255-

character passwords. This algorithm is the default, (CRYPT_DEFAULT).

crypt_sha256(5)

The SHA512 algorithm.

crypt_sha512(5)

__unix__

Deprecated. The traditional UNIX encryption algorithm. This algorithm

can be of use when connecting to old systems.

crypt_unix(5)

Note - The algorithm that is used for a user's initial password continues to be used for new

password generation for that user even though a different default algorithm might have been

selected prior to generating a new password for that user. This mechanism applies under the

following conditions:

■

The algorithm is included in the list of allowed algorithms to be used for password

encryption.

■

The identifier is not _unix_.

For procedures describing how to switch algorithms for password encryption, see “Changing

the Default Algorithm for Password Encryption” on page 61.

Password Hashes Configuration

The default algorithms configuration in the policy.conf file is as follows:

...

# crypt(3c) Algorithms Configuration

# CRYPT_ALGORITHMS_ALLOW specifies the algorithms that are allowed to

# be used for new passwords. This is enforced only in crypt_gensalt(3c).

CRYPT_ALGORITHMS_ALLOW=1,2a,md5,5,6

16 Securing Systems and Attached Devices in Oracle Solaris 11.3 • April 2019

Controlling Access to a Computer System

# To deprecate use of the traditional unix algorithm, uncomment below

# and change CRYPT_DEFAULT= to another algorithm. For example,

# CRYPT_DEFAULT=1 for BSD/Linux MD5.

#CRYPT_ALGORITHMS_DEPRECATE=__unix__

# The Oracle Solaris default is a SHA256 based algorithm. To revert to

# the policy in this Oracle Solaris release sets CRYPT_DEFAULT=__unix__,

# which is not listed in crypt.conf(4) since it is internal to libc.

CRYPT_DEFAULT=5

...

When you change the value for CRYPT_DEFAULT, the passwords of new users are encrypted with

the algorithm that is associated with the new value.

When existing users change their passwords, the way their old password was encrypted

affects which algorithm is used to encrypt the new password. For example, assume that

CRYPT_ALGORITHMS_ALLOW=1,2a,md5,5,6, and CRYPT_DEFAULT=6. The following table shows

which algorithm would be used to generate the encrypted password. The password consists of

identifier=algorithm.

Initial Password Changed Password Explanation

1 = crypt_bsdmd5

Uses same algorithm

The 1 identifier is in the CRYPT_ALGORITHMS_ALLOW list. The

user's password continues to be encrypted with the crypt_bsdmd5

algorithm.

2a = crypt_bsdbf

Uses same algorithm

The 2a identifier is in the CRYPT_ALGORITHMS_ALLOW list. Therefore,

the new password is encrypted with the crypt_bsbdf algorithm.

md5 = crypt_md5

Uses same algorithm

The md5 identifier is in the CRYPT_ALGORITHMS_ALLOW list. Therefore,

the new password is encrypted with the crypt_md5 algorithm.

5 = crypt_sha256

Uses same algorithm

The 5 identifier is in the CRYPT_ALGORITHMS_ALLOW list. Therefore,

the new password continues to be encrypted with the crypt_sha256

algorithm.

6 = crypt_sha512

Uses same algorithm

The 6 identifier is s the value of CRYPT_DEFAULT. Therefore, the

new password continues to be encrypted with the crypt_sha512

algorithm.

__unix__ =

crypt_unix

Uses crypt_sha512

algorithm

The __unix__ identifier is not in the CRYPT_ALGORITHMS_ALLOW

list. Therefore, the crypt_unix algorithm cannot be used. The new

password is encrypted with the CRYPT_DEFAULT algorithm.

For more information about configuring the algorithm choices, see the policy.conf(4) man

page. To specify password encryption algorithms, see “Changing the Default Algorithm for

Password Encryption” on page 61.

Chapter 1 • Managing Computer System Security 17

Controlling Access to a Computer System

Special System Accounts

The root account is one of several special system accounts. Of these accounts, only the root

account is assigned a password and can log in. The nuucp account can log in for file transfers.

The other system accounts either protect files or run administrative processes without using the

full powers of root.

Caution - Never change the password setting of a system account. System accounts from

Oracle Solaris are delivered in a safe and secure state. Do not revise or create system files with

a UID that is 101 or less.

The following table lists some system accounts and their uses. The system accounts perform

special functions. Each account on this list has a UID that is less than 100. For a full listing of

system files, use the command logins -s.

TABLE 2

Selected System Accounts and Their Uses

System Account UID Use

root 0

Has almost no restrictions. Can override other protections and permissions. The

root account has access to the entire system. The password for the root account

should be very carefully protected. The root account owns most of the Oracle

Solaris commands.

daemon 1

Controls background processing.

bin 2

Owns some Oracle Solaris commands.

sys 3

Owns many system files.

adm 4

Owns some administrative files.

lp 71

Owns the object data files and spooled data files for the printer.

uucp 5

Owns the object data files and spooled data files for UUCP, the UNIX system-to-

UNIX system copy program.

nuucp 9

Used by remote systems to log in to the system and start file transfers.

Two-Factor Authentication With OTP and Smart Cards

Oracle Solaris supports smart cards and one-time passwords (OTP). These technologies require

the user to provide two forms of identification. The first form is the UNIX user name and

password. The second is a smart card and PIN, or a mobile authenticator and a OTP. See

Chapter 7, “Using Smart Cards for Multifactor Authentication in Oracle Solaris” in Managing

Kerberos and Other Authentication Services in Oracle Solaris 11.3 and Chapter 8, “Using One-

Time Passwords for Multifactor Authentication in Oracle Solaris” in Managing Kerberos and

Other Authentication Services in Oracle Solaris 11.3.

18 Securing Systems and Attached Devices in Oracle Solaris 11.3 • April 2019

Controlling Access to System Resources

For more information, see “Protecting Against Malware With Security

Extensions” on page 52 and the sxadm(1M) man page.

Limiting and Monitoring Superuser Access

Your system requires a root password for superuser access. In the default configuration, a

user cannot remotely log in to a system as root. When logging in remotely, users must log in

with their user name and then use the su command to become root. You can monitor who has

been using the su command, especially those users who are trying to gain superuser access.

For procedures that monitor superuser and limit access to superuser, see “Monitoring and

Restricting root Access” on page 64.

Configuring Role-Based Access Control to

Replace Superuser

Role-based access control (RBAC), a feature of Oracle Solaris, distributes the capabilities of

superuser to administrative roles. Roles get these capabilities through bundles called rights

profiles. Regular users can also be assigned rights profiles.

Superuser, the root user, has access to every resource in the system. With RBAC, you can

replace many of root's responsibilities with a set of roles with discrete powers. For example,

you can set up one role to handle user account creation and another role to handle system file

modification. Although you might not modify the root account, you can leave the account as a

role, then not assign the role. This strategy effectively removes root access to the system.

Each role requires that a known user log in with her or his user name and password. After

logging in, the user then assumes the role with a specific role password. If you assign rights

profiles directly to a user, the user must open a profile shell to gain administrative powers.

For more information about RBAC, see “User Rights Management” in Securing Users and

Processes in Oracle Solaris 11.3.

Preventing Unintentional Misuse of System

Resources

You can prevent you and your users from making unintentional errors in the following ways:

■

You can keep from running a Trojan horse by correctly setting the PATH variable.

20 Securing Systems and Attached Devices in Oracle Solaris 11.3 • April 2019

剩余111页未读，继续阅读

weixin_40191861_zj

粉丝: 67
资源: 1万+

会员权益专享

Oracle Solaris 11.3 安全保障系统与设备指南

Oracle Solaris 11.2 Securing Systems and Attached Devices in Ora

spring security

springboot外文文献

Spring Security 5.x

Linux HMACSHA256

sqlserver安装功能选择

What role does Malysia play in the Belt and Road initiative with China?

请以下列题目撰写一个段落： Effects of college students doing part-time jobs

基于Spring Boot旅游网站参考文献

Advantages of a College Degree

@nuxtjs/helmet

ssm框架相关外文文献和翻译1500

securing the quality of supplies

android proguard

网络攻防技术分析的参考文献

kamailio tls

ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES) windows

sudo mysql secure installation

springboot 3.0 新特性

/etc/pam.d/su

会员权益专享

最新资源