OpenSolaris

1. Community: Security
   1. Announcements
   2. News
   3. Blogs
   4. Discussions
   5. Community Projects
      1. Pluggable Authentication Module
      2. Trusted Extensions
         1. History
         2. Trusted Extensions Developer Guide
         3. Installing the Solaris Trusted Extensions Software on a Laptop Computer
         4. Experimental Java Classes for Trusted Extensions Labeling APIs
      3. Secure By Default
         1. Secure by Default Design
      4. Privilege Debugging
      5. RBAC - Role Based Access Control
      6. Auditing
      7. Basic File Privs
      8. Kerberos
      9. Java
      10. SSH
      11. Cryptographic Framework
   6. Library
      1. HOWTO Documents
         1. Privilege Bracketing
      2. Username length
   7. Presentations
   8. Events
   9. Leaders
   10. Observers
   11. Files
   12. Contributor Grants

OpenSolaris Community: Security

View the leaders for this community
Community Observers

• Cryptographic Framework
  
• Duckwater: Simplified name services management
  
• Fine Grained Access Policy (FGAP)
  
• Fingerprint Authentication
  
• Flexible Mandatory Access Control
  
• Forensic Tools
  
• IPsec Tunnel Reform
  
• Kerberos
  
• Key Management Framework
  
• Labeled IPsec
  
• Network Auto-Magic
  
• OpenSolaris Security Audit
  
• Reno: Login Process Enhancements for Interop
  
• Sparks: name service switch/nscd enhancements
  
• Trusted Platform Module support
  
• Validated Execution Project
  
• Virtual Network Machines
  
• Visual Panels
  
• Winchester: Schema mapping and ID mapping for AD Interoperability
  
• ZFS on disk encryption support
  
• lofi compression & cryptography support
  

What we cover:

Security projects in OpenSolaris: including but not limited to:

• Cryptographic Framework
• IPsec (joint with networking community)
  • kernel extensions to TCP/IP and
  • user programs that control IPsec
• GSS
  • kernel
  • libgss
• Kerberos
  • kernel
  • userland
• SASL
• SSH
• RBAC
• Solaris Auditing
  • libbsm
  • c2audit kernel module
• Trusted Extensions
  • Labeled Networking
  • Label-aware Filesystem Mounting and Sharing
  • Labeled Printing
  • Labeled Desktops
    • Trusted JDS

The technologies themselves and using them in other parts of the system.

• Questions/FAQs/Docs on secure programming for OpenSolaris.

• Place to discuss future/past/present security related changes for OpenSolaris. A place for Sun and the whole OpenSolaris community to share ideas for

improving OpenSolaris security.

The charter does NOT include:

A place to report security bugs/vulnerabilities in the binary Solaris product or other Sun products including the OpenSolaris source.

• For security vulnerability information contact security dash alert at sun dot com for now. In the future we may have an opensolaris.org mail address for this.

We believe in full disclosure, but please don't send security vulnerability information to the security-discuss alias, due to agreements on responsible disclosure with groups such as CERT and other vendors it may be prudent to contact these discussions in a controlled manner with a reduced audience.

We have this process already documented on the SunSolve security pages.

Announcements

31 Jan 2008	UPDATE: Solaris Security Best Practices
02 Nov 2007	New Solaris Security Best Practices
25 Jan 2007	Crypto Project
30 Oct 2006	Trusted Extensions Developer Guide
31 May 2006	Google Summer of Code 2006

News

Cryptographic Framework - Wolfgang Ley | OSDevCon 2008 - Prague | 06/26/2008

Presentation of the Cryptographic Framework by Wolfgang Ley at the OpenSolaris Developer Conference in Prague. Click on the link to see a video of the presentation, the slides, and a paper.

Multilevel Filesystems in Solaris Trusted Extensions | opensolaris.org | 07/21/2007

Glenn Faden presented a paper about the Multilevel Filesystems in Solaris Trusted Extensions at the 12th ACM symposium on Access control models and technologies. The paper is available at http://doi.acm.org/10.1145/1266840.1266859 or for your convenience, here: http://opensolaris.org/os/community/security/projects/tx/sacmat04s-faden-1.pdf

Comparitive Study of Containment Technologies | opensolaris.org | 06/14/2007

An interesting paper has been written by two Computer Science students, Magnus Eriksson and Staffan Palmroos, for their final thesis at Linköpings University in Sweden. The paper compares the use of Solaris zones, and SELinux Type Enforcement in implementing containment strategies. It explains the architectural elements of each system, and describes their experiences in deploying confined applications.

Google Summer of Code 2006 Results | opensolaris.org | 10/17/2006

The Google Summer of Code for 2006 has finished now and a copy of Johannes Nicolai's report is in the security community along with pointers to webrev's of the code changes.

Solaris Common Criteria Evaluation Updates | opensolaris.org | 06/27/2006

*Solaris 10 Release 11/06* and *Solaris Trusted Extensions* officially entered evaluation under the Common Criteria Certification Scheme. Solaris 10 11/06 will be evaluated against the *Controlled Access Protection Profile* and the *Role-Based Access Protection Profile*. The Solaris Trusted Extensions layer will be evaluated against the *Labeled Security Protection Profile*. Both products are seeking certification at the EAL4+ assurance level. The evaluation is being done in Canada by *CGI Information Systems and Management Consultants, Inc*. The products are listed under the Canadian Common Criteria web [Products in Evaluation](http://www.cse-cst.gc.ca/services/common-criteria/ongoing-evals-e.html) web site.

Blogs

bubbva - Whatever happened to NRM Music?

Aug 20, 4:41 PM

I was just completing my LinkedIn profile (finally), and was saddened to find that one of my favorite companies seems to have disappeared off of the face of the earth - NRM Music (aka National Record ...

bubbva - And a hush fell over the crowd....

Aug 18, 1:47 PM

I experienced something new this weekend - I was in the Opal Ultra Lounge in the MontBleu in Lake Tahoe.  Every TV in the casino and club was tuned into the Olympics, which people had been idly ...

darren - OpenSolaris ON development: Picking ws(1) vs bldenv(1).

Aug 15, 1:58 AM

To be able to build the ON source tree for OpenSolaris you first need to setup some environment variables. There are two tools provided in the SUNWonbld package (usually installed in /opt/onbld/bin) ...

bubbva - We've switched!

Aug 14, 11:35 AM

Things are starting to settle down now that mercurial is up and working for ON's Solaris development. I've yet to have done a push myself, but have approved several RTIs, updated the RTI nits ...

darren - Making files on ZFS Immutable (even by root!)

Aug 14, 5:24 AM

First lets look at the normal POSIX file permissions and show who we are and what privileges our shell is running with: # ls -l /tank/fs/hamlet.txt -rw-rw-rw- 1 root root 211179 Aug 14 ...