1
Stay Secure With Oracle Solaris
Marcel Hofstetter
hofstetter@jomasoft.ch
https://www.jomasoftmarcel.blogspot.ch
CEO / Enterprise Consultant
JomaSoft GmbH
Oracle ACE „Solaris“
2
Agenda
About JomaSoft
Oracle ACE Program
Solaris 11: Secure by Default
Virtualization
Compliance tool
SPARC Silicon Secured Memory
Compliance and Hardening using VDCF
3
About JomaSoft
Engineering company founded July 2000
specialized in Solaris and software
development, operations and consulting
Product VDCF (Virtual Datacenter Cloud Framework)
Installation, Management, Operations, Monitoring,
Security and DR for Solaris 10/11,
Virtualize using LDoms and Solaris Zones
VDCF is used in production since 2006
4
About JomaSoft
Flexible and Customer focused
Oracle Certified Employees
17 Years Solaris Experience
Regular Oracle Solaris Beta Tester
Well connected with Oracle Solaris &
LDOM Engineering Teams
5
500+ Technical Experts
Helping Peers Globally
3 Membership Tiers
• Oracle ACE Director
• Oracle ACE
• Oracle ACE Associate
Nominate yourself or someone you know: acenomination.oracle.com
bit.ly/OracleACEProgram
Connect:
@oracleace
Facebook.com/oracleaces
oracle-ace_ww@oracle.com
6
IT Security
Not a topic of this session
- Firewalls
- Application Development
OS Security with Oracle Solaris
- What's there by default
- How can I check my Servers?
- How can I protect my Applications?
- Hardening
7
Solaris 11 – Secure by Default (1/7)
No direct root Login
g0086 console login: root
Password:
Roles can not login directly
Login incorrect
g0086 console login: marcel
Password:
Last login: Wed Sep 20 15:42:30 2017 from g0069.jomasoft-
Oracle Corporation SunOS 5.11 11.3 March 2017
-bash-4.4$ su
Password:
Sep 20 17:16:55 g0086 su: 'su root' succeeded for marcel on /dev/console
8
Solaris 11 – Secure by Default (2/7)
No direct root Login
-bash-4.4$ id
uid=501(larry) gid=10(staff)
-bash-4.4$ su
Password:
Roles can only be assumed by authorized users
su: Sorry
-bash-4.4$ grep roles=root /etc/user_attr
admin::::lock_after_retries=no;profiles=System Administrator;roles=root
marcel::::profiles=VDCF Logger,VDCF admin Module;roles=root
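Added example (not from the original slides): the grep above matches on a substring, so it misses role lists such as roles=backup,root and also matches any role whose name merely starts with root. The sketch below parses the user_attr(5) fields instead; the accounts oper, larry and svc and the roles backup and rootless are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in user_attr(5) format. The first two entries are the
# ones shown on the slide; the remaining lines are made up for edge cases.
USER_ATTR='admin::::lock_after_retries=no;profiles=System Administrator;roles=root
marcel::::profiles=VDCF Logger,VDCF admin Module;roles=root
# comment line
oper::::roles=backup,root;profiles=Operator
larry::::profiles=Basic Solaris User
root::::type=role;auths=solaris.*
svc::::roles=rootless'

# can_assume ROLE: read user_attr lines on stdin and print every account
# whose roles= list contains exactly ROLE.
can_assume() {
  awk -F':' -v want="$1" '
    /^#/ || NF < 5 { next }              # skip comments and short lines
    {
      # The attribute field is the 5th; re-join it in case a value
      # contains a colon.
      attr = $5
      for (k = 6; k <= NF; k++) attr = attr ":" $k
      n = split(attr, kv, ";")           # key=value pairs
      for (i = 1; i <= n; i++) {
        if (index(kv[i], "roles=") != 1) continue
        m = split(substr(kv[i], 7), r, ",")
        for (j = 1; j <= m; j++)
          if (r[j] == want) { print $1; break }
      }
    }'
}

# On a real system: can_assume root < /etc/user_attr
printf '%s\n' "$USER_ATTR" | can_assume root
```
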
9
Solaris 11 – Secure by Default (3/7)
Auditing is activated (for Logins)
# auditreduce -c lo | praudit -l | tail -4
header,69,2,login - ssh,fe,g0087,2017-09-01 15:37:32.707 +02:00,subject,root,root,root,root,root,6021,3233957173,15531 196630 g0069.jomasoft-lab.ch,return,failure,Permission denied
header,69,2,login - ssh,na:fe,g0087,2017-09-01 15:37:38.864 +02:00,subject,-1,-1,-1,-1,-1,6023,3999938775,12434 196630 g0069.jomasoft-lab.ch,return,failure,No account present for user
header,69,2,login - ssh,,g0087,2017-09-01 15:37:42.013 +02:00,subject,marcel,marcel,staff,marcel,staff,6026,3889292888,15007 65558 g0069.jomasoft-lab.ch,return,success,0
file,2017-09-01 15:37:42.000 +02:00,
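Added example (not from the original slides): a small filter that turns praudit -l login records like the ones above into one line per failed login and counts failures per source host. It finds the subject and return tokens by name rather than by fixed position; the sample input is the slide's own records with the wrapped lines re-joined.

```shell
#!/bin/sh
# Sample input: the records shown on the slide, wrapped lines re-joined.
SAMPLE='header,69,2,login - ssh,fe,g0087,2017-09-01 15:37:32.707 +02:00,subject,root,root,root,root,root,6021,3233957173,15531 196630 g0069.jomasoft-lab.ch,return,failure,Permission denied
header,69,2,login - ssh,na:fe,g0087,2017-09-01 15:37:38.864 +02:00,subject,-1,-1,-1,-1,-1,6023,3999938775,12434 196630 g0069.jomasoft-lab.ch,return,failure,No account present for user
header,69,2,login - ssh,,g0087,2017-09-01 15:37:42.013 +02:00,subject,marcel,marcel,staff,marcel,staff,6026,3889292888,15007 65558 g0069.jomasoft-lab.ch,return,success,0
file,2017-09-01 15:37:42.000 +02:00,'

# failed_logins: read `praudit -l` lines on stdin and print
# "timestamp|event|user|source|reason" for every record whose
# return token reports a failure.
failed_logins() {
  awk -F',' '
    $1 != "header" { next }              # skip file tokens and other lines
    {
      subj = 0; ret = 0
      for (i = 1; i <= NF; i++) {
        if ($i == "subject" && !subj) subj = i
        if ($i == "return" && subj && !ret) ret = i
      }
      if (!subj || !ret) next
      if (index($(ret + 1), "failure") != 1) next
      user = $(subj + 1)                 # audit user id
      if (user == "-1") user = "(unknown account)"
      # Last subject field is the terminal id; its final word is the
      # remote host.
      n = split($(ret - 1), tid, " ")
      src = tid[n]
      # The reason text may itself contain commas, so re-join the rest.
      reason = $(ret + 2)
      for (i = ret + 3; i <= NF; i++) reason = reason "," $i
      print $7 "|" $4 "|" user "|" src "|" reason
    }'
}

# failures_by_source: count failed logins per remote host, highest first.
failures_by_source() {
  failed_logins |
    awk -F'|' '{ c[$4]++ } END { for (s in c) print c[s], s }' |
    sort -rn
}

# On a real system: auditreduce -c lo | praudit -l | failures_by_source
printf '%s\n' "$SAMPLE" | failed_logins
printf '%s\n' "$SAMPLE" | failures_by_source
```
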
10
Solaris 11 – Secure by Default (4/7)
Unsafe Services are not running or not installed
-bash-4.4$ telnet g0086
Trying 192.168.100.86...
telnet: Unable to connect to remote host: Connection refused
-bash-4.4$ ftp g0086
ftp: connect: Connection refused
-bash-4.4$ ssh g0086
Last login: Wed Sep 20 17:18:35 2017 from g0069.jomasoft-
Oracle Corporation SunOS 5.11 11.3 March 2017
-bash-4.4$
11
Solaris 11 – Secure by Default (5/7)
Daemons as non-root with Privileges
# ps -f -u netadm,daemon,smmsp,dladm
UID PID PPID C STIME TTY TIME CMD
daemon 75 1 0 Aug 28 ? 0:00 /lib/crypto/kcfd
netadm 46 1 0 Aug 28 ? 0:00 /usr/sbin/ibmgmtd
netadm 66 1 0 Aug 28 ? 0:02 /lib/inet/ipmgmtd
dladm 52 1 0 Aug 28 ? 0:02 /usr/sbin/dlmgmtd
daemon 448 1 0 Aug 28 ? 0:00 /usr/sbin/rpcbind -w
daemon 204 1 0 Aug 28 ? 0:00 /usr/lib/utmpd
netadm 315 1 0 Aug 28 ? 0:02 /lib/inet/nwamd
smmsp 644 1 0 Aug 28 ? 0:00 /usr/lib/inet/sendmail -Ac-q15m
12
Solaris 11 – Secure by Default (6/7)
Restrictive umask
-bash-4.4$ umask
0022
-bash-4.4$ touch /tmp/test
-bash-4.4$ ls -l /tmp/test
-rw-r--r-- 1 marcel staff 0 Sep 1 15:53 /tmp/test
13
Solaris 11 – Secure by Default (7/7)
Role-based access control (RBAC)
-bash-4.4$ profiles -a | grep ZFS
ZFS File System Management
ZFS Storage Management
# usermod -P+"ZFS File System Management" marcel
-bash-4.4$ zfs create rpool/test1
cannot create 'rpool/test1': permission denied
-bash-4.4$ pfbash
bash-4.4$ zfs create rpool/test1
14
Solaris 11 – pkg verify
Detect changes
# ls -l /etc/shadow
-r-------- 1 root sys 807 May 8 2017 /etc/shadow
# chmod o+r /etc/shadow
# ls -l /etc/shadow
-r-----r-- 1 root sys 807 May 8 2017 /etc/shadow
# pkg verify
PACKAGE STATUS
pkg://solaris/system/core-os ERROR
file: etc/shadow
ERROR: Mode: 0404 should be 0400
15
Solaris 11 – pkg fix
Revert changes
# pkg fix core-os
Packages to fix: 1
Create boot environment: No
Create backup boot environment: Yes
Repairing: pkg://solaris/system/core-os@0.5.11,5.11-0.175.3.14.0.5.0:20161105T004625Z
PACKAGE STATUS
pkg://solaris/system/core-os ERROR
file: etc/shadow ERROR: Mode: 0404 should be 0400
PHASE ITEMS
Updating modified actions 1/1
Updating package state database Done
Updating package cache 0/0
Updating image state Done
Creating fast lookup database Done
Updating package cache 2/2
# ls -l /etc/shadow
-r-------- 1 root sys 807 May 8 2017 /etc/shadow
16
CVE
Common Vulnerabilities and Exposures
Industry standard
Naming convention for security bugs
Format: CVE-<year>-<number>
Sample: CVE-2014-7187 (Bash/Shellshock)
Scoring: Common Vulnerability Scoring System (CVSS)
Medium 4 – 6.9 / High 7 – 8.9 / Critical 9 – 10
Search, among many others: https://www.cvedetails.com/
Oracle Solaris 376
Redhat Enterprise Linux 426
Windows 7 820
17
Solaris 11.3 – CVE Metadata
Required: Metadata Package installed
# pkg install solaris-11-cpu
Analysis
Is Fix installed for CVE-2014-7187 (Bash/Shellshock)?
-bash-4.4$ pkg search -l CVE-2014-7187
INDEX ACTION VALUE PACKAGE
info.cve set CVE-2014-7187 pkg:/support/critical-patch-update/solaris-11-cpu@2017.6-1
Is the fix for CVE-2017-3629 (Local Privilege Escalation) installed?
-bash-4.4$ pkg search -l CVE-2017-3629
-bash-4.4$
Which Update is required for CVE-2017-3629?
-bash-4.4$ pkg search CVE-2017-3629: | head -2
INDEX ACTION VALUE PACKAGE
CVE-2017-3629 set pkg://solaris/network/legacy-remote-utilities@0.5.11,5.11-0.175.3.22.0.3.0 pkg:/support/critical-patch-update/solaris-11-cpu@2017.7-1
18
SPARC-Virtualization: LDoms / Zones
Oracle & Fujitsu SPARC Server
Systems: T4-x, T5-x, M5, M6, M10, T7-x, M7-x, S7-2, M12, T8-x, M8-x
Multiple, separated Solaris instances on the same HW
Combine with Zones
Dedicated Memory
A hacker on one Zone or LDom has limited impact
19
Solaris – Virtualization using Zones
Immutable (Read-Only) Zones
A) file-mac-profile=flexible-configuration
# touch /bla
touch: cannot change times on /bla: Read-only file system
# pkg install apache-22
pkg install: Could not complete the operation on /var/pkg/lock:
read-only filesystem.
# touch /etc/test
# touch /var/myfile
20
Solaris – Virtualization using Zones
Immutable (Read-Only) Zones
B) file-mac-profile=fixed-configuration
# touch /bla
touch: cannot change times on /bla: Read-only file system
# pkg install apache-22
pkg install: Could not complete the operation on /var/pkg/lock:
read-only filesystem.
# touch /etc/test
touch: cannot change times on /etc/test: Read-only file system
# touch /var/myfile
21
Solaris – Virtualization using Zones
Immutable (Read-Only) Zones
C) file-mac-profile=strict
Completely Read-Only / Only Remote Logging
# touch /bla
touch: cannot change times on /bla: Read-only file system
# pkg install apache-22
pkg install: Could not complete the operation on /var/pkg/lock:
read-only filesystem.
# touch /etc/test
touch: cannot change times on /etc/test: Read-only file system
# touch /var/myfile
touch: cannot change times on /var/myfile: Read-only file system
22
Solaris – Virtualization using Zones
Trusted Path for Immutable (Read-Only) Zones
Example with file-mac-profile=strict
-bash-4.1$ touch /etc/test
touch: cannot change times on /etc/test: Permission denied
On the global Zone / No RW Reboot required
# zlogin -T v0128
[Connected to zone 'v0128' pts/3]
Oracle Corporation SunOS 5.11 11.2 August 2014
root@v0128:~# touch /etc/test
23
Solaris 11.3 – Compliance tool
Based on OpenSCAP
Checks Systems against predefined Rules
Detects changes on the system
Produces detailed HTML Report
Execution:
compliance assess -b solaris -p Baseline
compliance assess -b solaris -p Recommended
compliance assess -b pci-dss
24
Solaris 11.3 – Compliance tool
25
Solaris 11.3 – Compliance tool
compliance Output
# compliance assess -b solaris -p Baseline
Assessment will be named 'solaris.Baseline.2017-09-01,16:37'
Package integrity is verified
OSC-54005
pass
The OS version is current
OSC-53005
pass
Service svc:/network/ftp:default is in disabled state
OSC-17510
pass
Service svc:/network/rpc/gss is enabled if and only if Kerberos is configured
OSC-63005
fail
26
SPARC – Silicon Secured Memory
Integrated in SPARC CPU M7/M8 and S7
You detect and prevent
- Memory Reference Errors
- Buffer Overruns
- Memory use after free
Alternatives in Software are expensive and
30x – 70x slower
Oracle Developer Studio Compiler includes Support for
Discovery at Development
Demo Video about OpenSSL Heartbleed
https://swisdev.oracle.com/_files/ADI-Demo.html
27
SPARC – Silicon Secured Memory
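#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(int argc, char *argv[])
{
    /* 10-byte heap buffer; "Test-Text" plus its NUL fills it exactly */
    char *buffer = malloc( sizeof(char) * 10);
    strcpy(buffer, "Test-Text");
    /* deliberate overrun for the demo: reads 20 bytes from a 10-byte buffer */
    for (int i = 0; i < 20; ++i)
        printf( "%c ", buffer[i] );
    printf("\n");
    free(buffer);
    return 0;
}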
/opt/solarisstudio12.4/bin/cc -m64 -g -o buffer_overrun buffer_overrun.c
-bash-4.4$ ./buffer_overrun
T e s t - T e x t |
- X TTTST E E ? P W D
28
SPARC – Silicon Secured Memory
With SSM (ADI) activated the Program is stopped and
can't access foreign Memory.
-bash-4.4$ LD_PRELOAD_64=/lib/64/libadimalloc.so.1 ./buffer_overrun
Segmentation Fault (core dumped)
-bash-4.4$ echo ::status | mdb core
debugging core file of buffer_overrun (64-bit) from g0072
file: /export/home/marcel/buffer_overrun
initial argv: ./buffer_overrun
threading model: native threads
status: process terminated by SIGSEGV (Segmentation Fault), pc=100000bb0, ADI version d mismatch for VA ffffffff7e93ffc0
29
SPARC – Silicon Secured Memory
Detailed Results when using the Compiler Libraries
LD_PRELOAD_64=/opt/developerstudio12.5/lib/compilers/sparcv9/libdiscoverADI.so ./buffer_overrun
T e s t - T e x t |
30
VDCF – Virtual Datacenter Cloud Framework
Management Tool for Zones and LDOMs
Installation, Operation, Migration,
Monitoring, Security and Failover/DR
Supports Solaris 10 + 11 on SPARC/x86
In production use since 2006
Dynamic Virtualization
Live / Cold Migration and Failover
Resource Configuration and Monitoring
Agility for your Enterprise Private Cloud
Implemented by Admins for Admins
31
Dynamic Virtualization
32
VDCF – Compliance Assess
3 Standard Benchmarks: baseline, recommended, pci-dss
VDCF Benchmarks: default & cdom
-bash-4.4$ more /var/opt/jomasoft/vdcf/conf/compliance/cdom.tailor
.....
# -------------------------------
# commented, activate if required
# -------------------------------
....
# OSC-53005: The OS version is current
#exclude OSC-53005
...
# --------------------------
# disabled to avoid failures
# --------------------------
# OSC-55010: The r-protocols services are disabled in PAM
exclude OSC-55010
# OSC-73505: ssh(1) is the only service binding a listener to non-loopback addresses
exclude OSC-73505
# --------------------------------------
# added to detect more than the baseline
# --------------------------------------
.....
# OSC-47500: Passwords require at least 1 digits
include OSC-47500
# OSC-49500: Passwords require at least 1 upper-case characters
include OSC-49500
# OSC-93005: User home directories have appropriate permissions
include OSC-93005
....
Individual Benchmarks for Customers and Servers
33
VDCF – Compliance Assess
Fully automated Compliance check over the Datacenter
osmon -c assess all all_vserver
Compliance Report
34
VDCF – Hardening
Individual Hardening Profiles
-bash-4.4$ more /var/opt/jomasoft/vdcf/conf/compliance/baseline.hardening
OSC-12510: Service svc:/network/nfs/fedfs-client:default is in disabled state
OSC-63005: Service svc:/network/rpc/gss is enabled if and only if Kerberos is configured
OSC-93005: User home directories have appropriate permissions
OSC-34010: Service svc:/application/cups/in-lpd:default is in disabled state
OSC-85000: The maximum number of waiting TCP connections is set to at least 1024
OSC-99011: Service svc:/system/rad:remote is in enabled state
Hardening
-bash-4.4$ node -c harden name=g0087 profile=baseline
Hardening started ...
OSC-12510: Service svc:/network/nfs/fedfs-client:default is in disabled state - DONE
OSC-34010: Service svc:/application/cups/in-lpd:default is in disabled state - DONE
OSC-63005: Service svc:/network/rpc/gss is enabled if and only if Kerberos is configured - DONE
OSC-85000: The maximum number of waiting TCP connections is set to at least 1024 - DONE (Changed from 128 to 1024)
OSC-93005: User home directories have appropriate permissions - DONE
OSC-99011: Service svc:/system/rad:remote is in enabled state - DONE
Hardening of 6 items on Node g0087 was successful
35
VDCF – Online Resources
Product Documentation Online
Complete documentation and videos available on the webpage
Free Edition
No-cost test version with a limited number of manageable servers.
Test using combined POC
Install and test together with JomaSoft on-site in your test environment.
Webpage
https://www.jomasoft.ch/vdcf
36
Ending Slide
Marcel Hofstetter
hofstetter@jomasoft.ch
http://www.jomasoftmarcel.blogspot.ch
CEO / Enterprise Consultant
JomaSoft GmbH
Oracle ACE „Solaris“
Questions?
Erfahrungen und Stolpersteine mit Solaris 11.4Erfahrungen und Stolpersteine mit Solaris 11.4
Erfahrungen und Stolpersteine mit Solaris 11.4
JomaSoft
 
Praktische Erfahrungen mit den kleinen SPARC S7-2 Servern
Praktische Erfahrungen mit den kleinen SPARC S7-2 ServernPraktische Erfahrungen mit den kleinen SPARC S7-2 Servern
Praktische Erfahrungen mit den kleinen SPARC S7-2 Servern
JomaSoft
 
Experiences with Oracle SPARC S7-2 Server
Experiences with Oracle SPARC S7-2 ServerExperiences with Oracle SPARC S7-2 Server
Experiences with Oracle SPARC S7-2 Server
JomaSoft
 
Increase Efficiency of Solaris Operations & SPARC Life Cycle
Increase Efficiency of Solaris Operations & SPARC Life CycleIncrease Efficiency of Solaris Operations & SPARC Life Cycle
Increase Efficiency of Solaris Operations & SPARC Life Cycle
JomaSoft
 
DOAG 2018 / Was bringt Solaris 11.4
DOAG 2018 / Was bringt Solaris 11.4DOAG 2018 / Was bringt Solaris 11.4
DOAG 2018 / Was bringt Solaris 11.4
JomaSoft
 
DOAG 2018 / Praktische Erfahrungen mit SPARC S7-2 Server
DOAG 2018 / Praktische Erfahrungen mit SPARC S7-2 ServerDOAG 2018 / Praktische Erfahrungen mit SPARC S7-2 Server
DOAG 2018 / Praktische Erfahrungen mit SPARC S7-2 Server
JomaSoft
 
DOAG2018 / Oracle DB erfolgreich betreiben auf SPARC/LDoms/Solaris/ZFS
DOAG2018 / Oracle DB erfolgreich betreiben auf SPARC/LDoms/Solaris/ZFSDOAG2018 / Oracle DB erfolgreich betreiben auf SPARC/LDoms/Solaris/ZFS
DOAG2018 / Oracle DB erfolgreich betreiben auf SPARC/LDoms/Solaris/ZFS
JomaSoft
 
Wie gehts weiter mit Oracle Solaris?
Wie gehts weiter mit Oracle Solaris?Wie gehts weiter mit Oracle Solaris?
Wie gehts weiter mit Oracle Solaris?
JomaSoft
 
Sicherheit, Compliance, Höchsteistung mit SPARC/Solaris
Sicherheit, Compliance, Höchsteistung mit SPARC/SolarisSicherheit, Compliance, Höchsteistung mit SPARC/Solaris
Sicherheit, Compliance, Höchsteistung mit SPARC/Solaris
JomaSoft
 
Rapid Deploy von OS, Virtualsierung und Applikation
Rapid Deploy von OS, Virtualsierung und ApplikationRapid Deploy von OS, Virtualsierung und Applikation
Rapid Deploy von OS, Virtualsierung und Applikation
JomaSoft
 
Rapid Deployment mit JomaSoft VDCF
Rapid Deployment mit JomaSoft VDCFRapid Deployment mit JomaSoft VDCF
Rapid Deployment mit JomaSoft VDCF
JomaSoft
 
Effizienter Hardware LifeCycle auf Oracle SPARC M7 Server
Effizienter Hardware LifeCycle auf Oracle SPARC M7 ServerEffizienter Hardware LifeCycle auf Oracle SPARC M7 Server
Effizienter Hardware LifeCycle auf Oracle SPARC M7 Server
JomaSoft
 
Increase Efficiency of Solaris Operations & Hardware Life Cycle
Increase Efficiency of Solaris Operations & Hardware Life CycleIncrease Efficiency of Solaris Operations & Hardware Life Cycle
Increase Efficiency of Solaris Operations & Hardware Life Cycle
JomaSoft
 
JomaSoft & VDCF Overview
JomaSoft & VDCF OverviewJomaSoft & VDCF Overview
JomaSoft & VDCF Overview
JomaSoft
 
Wie setzt Swisscom Solaris 11 ein
Wie setzt Swisscom Solaris 11 einWie setzt Swisscom Solaris 11 ein
Wie setzt Swisscom Solaris 11 ein
JomaSoft
 
VDCF Overview
VDCF OverviewVDCF Overview
VDCF Overview
JomaSoft
 
Ad

Recently uploaded (20)

Interactive odoo dashboards for sales, CRM , Inventory, Invoice, Purchase, Pr...
Interactive odoo dashboards for sales, CRM , Inventory, Invoice, Purchase, Pr...Interactive odoo dashboards for sales, CRM , Inventory, Invoice, Purchase, Pr...
Interactive odoo dashboards for sales, CRM , Inventory, Invoice, Purchase, Pr...
AxisTechnolabs
 
Adobe Master Collection CC Crack Advance Version 2025
Adobe Master Collection CC Crack Advance Version 2025Adobe Master Collection CC Crack Advance Version 2025
Adobe Master Collection CC Crack Advance Version 2025
kashifyounis067
 
Adobe Lightroom Classic Crack FREE Latest link 2025
Adobe Lightroom Classic Crack FREE Latest link 2025Adobe Lightroom Classic Crack FREE Latest link 2025
Adobe Lightroom Classic Crack FREE Latest link 2025
kashifyounis067
 
The Significance of Hardware in Information Systems.pdf
The Significance of Hardware in Information Systems.pdfThe Significance of Hardware in Information Systems.pdf
The Significance of Hardware in Information Systems.pdf
drewplanas10
 
Adobe After Effects Crack FREE FRESH version 2025
Adobe After Effects Crack FREE FRESH version 2025Adobe After Effects Crack FREE FRESH version 2025
Adobe After Effects Crack FREE FRESH version 2025
kashifyounis067
 
How to Batch Export Lotus Notes NSF Emails to Outlook PST Easily?
How to Batch Export Lotus Notes NSF Emails to Outlook PST Easily?How to Batch Export Lotus Notes NSF Emails to Outlook PST Easily?
How to Batch Export Lotus Notes NSF Emails to Outlook PST Easily?
steaveroggers
 
Maxon CINEMA 4D 2025 Crack FREE Download LINK
Maxon CINEMA 4D 2025 Crack FREE Download LINKMaxon CINEMA 4D 2025 Crack FREE Download LINK
Maxon CINEMA 4D 2025 Crack FREE Download LINK
younisnoman75
 
Secure Test Infrastructure: The Backbone of Trustworthy Software Development
Secure Test Infrastructure: The Backbone of Trustworthy Software DevelopmentSecure Test Infrastructure: The Backbone of Trustworthy Software Development
Secure Test Infrastructure: The Backbone of Trustworthy Software Development
Shubham Joshi
 
Requirements in Engineering AI- Enabled Systems: Open Problems and Safe AI Sy...
Requirements in Engineering AI- Enabled Systems: Open Problems and Safe AI Sy...Requirements in Engineering AI- Enabled Systems: Open Problems and Safe AI Sy...
Requirements in Engineering AI- Enabled Systems: Open Problems and Safe AI Sy...
Lionel Briand
 
Avast Premium Security Crack FREE Latest Version 2025
Avast Premium Security Crack FREE Latest Version 2025Avast Premium Security Crack FREE Latest Version 2025
Avast Premium Security Crack FREE Latest Version 2025
mu394968
 
PDF Reader Pro Crack Latest Version FREE Download 2025
PDF Reader Pro Crack Latest Version FREE Download 2025PDF Reader Pro Crack Latest Version FREE Download 2025
PDF Reader Pro Crack Latest Version FREE Download 2025
mu394968
 
Mastering Fluent Bit: Ultimate Guide to Integrating Telemetry Pipelines with ...
Mastering Fluent Bit: Ultimate Guide to Integrating Telemetry Pipelines with ...Mastering Fluent Bit: Ultimate Guide to Integrating Telemetry Pipelines with ...
Mastering Fluent Bit: Ultimate Guide to Integrating Telemetry Pipelines with ...
Eric D. Schabell
 
Proactive Vulnerability Detection in Source Code Using Graph Neural Networks:...
Proactive Vulnerability Detection in Source Code Using Graph Neural Networks:...Proactive Vulnerability Detection in Source Code Using Graph Neural Networks:...
Proactive Vulnerability Detection in Source Code Using Graph Neural Networks:...
Ranjan Baisak
 
Exploring Wayland: A Modern Display Server for the Future
Exploring Wayland: A Modern Display Server for the FutureExploring Wayland: A Modern Display Server for the Future
Exploring Wayland: A Modern Display Server for the Future
ICS
 
Top 10 Client Portal Software Solutions for 2025.docx
Top 10 Client Portal Software Solutions for 2025.docxTop 10 Client Portal Software Solutions for 2025.docx
Top 10 Client Portal Software Solutions for 2025.docx
Portli
 
Why Orangescrum Is a Game Changer for Construction Companies in 2025
Why Orangescrum Is a Game Changer for Construction Companies in 2025Why Orangescrum Is a Game Changer for Construction Companies in 2025
Why Orangescrum Is a Game Changer for Construction Companies in 2025
Orangescrum
 
Designing AI-Powered APIs on Azure: Best Practices& Considerations
Designing AI-Powered APIs on Azure: Best Practices& ConsiderationsDesigning AI-Powered APIs on Azure: Best Practices& Considerations
Designing AI-Powered APIs on Azure: Best Practices& Considerations
Dinusha Kumarasiri
 
Salesforce Data Cloud- Hyperscale data platform, built for Salesforce.
Salesforce Data Cloud- Hyperscale data platform, built for Salesforce.Salesforce Data Cloud- Hyperscale data platform, built for Salesforce.
Salesforce Data Cloud- Hyperscale data platform, built for Salesforce.
Dele Amefo
 
Who Watches the Watchmen (SciFiDevCon 2025)
Who Watches the Watchmen (SciFiDevCon 2025)Who Watches the Watchmen (SciFiDevCon 2025)
Who Watches the Watchmen (SciFiDevCon 2025)
Allon Mureinik
 
FL Studio Producer Edition Crack 2025 Full Version
FL Studio Producer Edition Crack 2025 Full VersionFL Studio Producer Edition Crack 2025 Full Version
FL Studio Producer Edition Crack 2025 Full Version
tahirabibi60507
 
Interactive odoo dashboards for sales, CRM , Inventory, Invoice, Purchase, Pr...
Interactive odoo dashboards for sales, CRM , Inventory, Invoice, Purchase, Pr...Interactive odoo dashboards for sales, CRM , Inventory, Invoice, Purchase, Pr...
Interactive odoo dashboards for sales, CRM , Inventory, Invoice, Purchase, Pr...
AxisTechnolabs
 
Adobe Master Collection CC Crack Advance Version 2025
Adobe Master Collection CC Crack Advance Version 2025Adobe Master Collection CC Crack Advance Version 2025
Adobe Master Collection CC Crack Advance Version 2025
kashifyounis067
 
Adobe Lightroom Classic Crack FREE Latest link 2025
Adobe Lightroom Classic Crack FREE Latest link 2025Adobe Lightroom Classic Crack FREE Latest link 2025
Adobe Lightroom Classic Crack FREE Latest link 2025
kashifyounis067
 
The Significance of Hardware in Information Systems.pdf
The Significance of Hardware in Information Systems.pdfThe Significance of Hardware in Information Systems.pdf
The Significance of Hardware in Information Systems.pdf
drewplanas10
 
Adobe After Effects Crack FREE FRESH version 2025
Adobe After Effects Crack FREE FRESH version 2025Adobe After Effects Crack FREE FRESH version 2025
Adobe After Effects Crack FREE FRESH version 2025
kashifyounis067
 
How to Batch Export Lotus Notes NSF Emails to Outlook PST Easily?
How to Batch Export Lotus Notes NSF Emails to Outlook PST Easily?How to Batch Export Lotus Notes NSF Emails to Outlook PST Easily?
How to Batch Export Lotus Notes NSF Emails to Outlook PST Easily?
steaveroggers
 
Maxon CINEMA 4D 2025 Crack FREE Download LINK
Maxon CINEMA 4D 2025 Crack FREE Download LINKMaxon CINEMA 4D 2025 Crack FREE Download LINK
Maxon CINEMA 4D 2025 Crack FREE Download LINK
younisnoman75
 
Secure Test Infrastructure: The Backbone of Trustworthy Software Development
Secure Test Infrastructure: The Backbone of Trustworthy Software DevelopmentSecure Test Infrastructure: The Backbone of Trustworthy Software Development
Secure Test Infrastructure: The Backbone of Trustworthy Software Development
Shubham Joshi
 
Requirements in Engineering AI- Enabled Systems: Open Problems and Safe AI Sy...
Requirements in Engineering AI- Enabled Systems: Open Problems and Safe AI Sy...Requirements in Engineering AI- Enabled Systems: Open Problems and Safe AI Sy...
Requirements in Engineering AI- Enabled Systems: Open Problems and Safe AI Sy...
Lionel Briand
 
Avast Premium Security Crack FREE Latest Version 2025
Avast Premium Security Crack FREE Latest Version 2025Avast Premium Security Crack FREE Latest Version 2025
Avast Premium Security Crack FREE Latest Version 2025
mu394968
 
PDF Reader Pro Crack Latest Version FREE Download 2025
PDF Reader Pro Crack Latest Version FREE Download 2025PDF Reader Pro Crack Latest Version FREE Download 2025
PDF Reader Pro Crack Latest Version FREE Download 2025
mu394968
 
Mastering Fluent Bit: Ultimate Guide to Integrating Telemetry Pipelines with ...
Mastering Fluent Bit: Ultimate Guide to Integrating Telemetry Pipelines with ...Mastering Fluent Bit: Ultimate Guide to Integrating Telemetry Pipelines with ...
Mastering Fluent Bit: Ultimate Guide to Integrating Telemetry Pipelines with ...
Eric D. Schabell
 
Proactive Vulnerability Detection in Source Code Using Graph Neural Networks:...
Proactive Vulnerability Detection in Source Code Using Graph Neural Networks:...Proactive Vulnerability Detection in Source Code Using Graph Neural Networks:...
Proactive Vulnerability Detection in Source Code Using Graph Neural Networks:...
Ranjan Baisak
 
Exploring Wayland: A Modern Display Server for the Future
Exploring Wayland: A Modern Display Server for the FutureExploring Wayland: A Modern Display Server for the Future
Exploring Wayland: A Modern Display Server for the Future
ICS
 
Top 10 Client Portal Software Solutions for 2025.docx
Top 10 Client Portal Software Solutions for 2025.docxTop 10 Client Portal Software Solutions for 2025.docx
Top 10 Client Portal Software Solutions for 2025.docx
Portli
 
Why Orangescrum Is a Game Changer for Construction Companies in 2025
Why Orangescrum Is a Game Changer for Construction Companies in 2025Why Orangescrum Is a Game Changer for Construction Companies in 2025
Why Orangescrum Is a Game Changer for Construction Companies in 2025
Orangescrum
 
Designing AI-Powered APIs on Azure: Best Practices& Considerations
Designing AI-Powered APIs on Azure: Best Practices& ConsiderationsDesigning AI-Powered APIs on Azure: Best Practices& Considerations
Designing AI-Powered APIs on Azure: Best Practices& Considerations
Dinusha Kumarasiri
 
Salesforce Data Cloud- Hyperscale data platform, built for Salesforce.
Salesforce Data Cloud- Hyperscale data platform, built for Salesforce.Salesforce Data Cloud- Hyperscale data platform, built for Salesforce.
Salesforce Data Cloud- Hyperscale data platform, built for Salesforce.
Dele Amefo
 
Who Watches the Watchmen (SciFiDevCon 2025)
Who Watches the Watchmen (SciFiDevCon 2025)Who Watches the Watchmen (SciFiDevCon 2025)
Who Watches the Watchmen (SciFiDevCon 2025)
Allon Mureinik
 
FL Studio Producer Edition Crack 2025 Full Version
FL Studio Producer Edition Crack 2025 Full VersionFL Studio Producer Edition Crack 2025 Full Version
FL Studio Producer Edition Crack 2025 Full Version
tahirabibi60507
 

UKOUG Tech17 - Stay Secure With Oracle Solaris

  • 1. 1 Stay Secure With Oracle Solaris Marcel Hofstetter hofstetter@jomasoft.ch https://www.jomasoftmarcel.blogspot.ch CEO / Enterprise Consultant JomaSoft GmbH Oracle ACE „Solaris“
  • 2. 2 Agenda About JomaSoft Oracle ACE Program Solaris 11: Secure by Default Virtualization Compliance tool SPARC Silicon Secured Memory Compliance and Hardening using VDCF
  • 3. 3 About JomaSoft Engineering company founded July 2000 specialized in Solaris and software development, operations and consulting Product VDCF (Virtual Datacenter Cloud Framework) Installation, Management, Operations, Monitoring, Security and DR for Solaris 10/11, Virtualize using LDoms and Solaris Zones VDCF is used in production since 2006
  • 4. 4 About JomaSoft Flexible and Customer focused Oracle Certified Employees 17 Years Solaris Experience Regular Oracle Solaris Beta Tester Well connected with Oracle Solaris & LDOM Engineering Teams
  • 5. 5 500+ Technical Experts Helping Peers Globally 3 Membership Tiers • Oracle ACE Director • Oracle ACE • Oracle ACE Associate Nominate yourself or someone you know: acenomination.oracle.com bit.ly/OracleACEProgram Connect: @oracleace Facebook.com/oracleaces oracle-ace_ww@oracle.com
  • 6. 6 IT Security Not Topic of this Session - Firewalls - Application Development OS Security with Oracle Solaris - What's there by default - How can I check my Servers? - How can I protect my Applications? - Hardening
  • 7. 7 Solaris 11 – Secure by Default (1/7) No direct root Login g0086 console login: root Password: Roles can not login directly Login incorrect g0086 console login: marcel Password: Last login: Wed Sep 20 15:42:30 2017 from g0069.jomasoft- Oracle Corporation SunOS 5.11 11.3 March 2017 -bash-4.4$ su Password: Sep 20 17:16:55 g0086 su: 'su root' succeeded for marcel on /dev/console
  • 8. 8 Solaris 11 – Secure by Default (2/7) No direct root Login -bash-4.4$ id uid=501(larry) gid=10(staff) -bash-4.4$ su Password: Roles can only be assumed by authorized users su: Sorry -bash-4.4$ grep roles=root /etc/user_attr admin::::lock_after_retries=no;profiles=System Administrator;roles=root marcel::::profiles=VDCF Logger,VDCF admin Module;roles=root
  • 9. 9 Solaris 11 – Secure by Default (3/7) Auditing is activated (for Logins)
    # auditreduce -c lo | praudit -l | tail -4
    header,69,2,login - ssh,fe,g0087,2017-09-01 15:37:32.707 +02:00,subject,root,root,root,root,root,6021,3233957173,15531 196630 g0069.jomasoft-lab.ch,return,failure,Permission denied
    header,69,2,login - ssh,na:fe,g0087,2017-09-01 15:37:38.864 +02:00,subject,-1,-1,-1,-1,-1,6023,3999938775,12434 196630 g0069.jomasoft-lab.ch,return,failure,No account present for user
    header,69,2,login - ssh,,g0087,2017-09-01 15:37:42.013 +02:00,subject,marcel,marcel,staff,marcel,staff,6026,3889292888,15007 65558 g0069.jomasoft-lab.ch,return,success,0
    file,2017-09-01 15:37:42.000 +02:00,
  • 10. 10 Solaris 11 – Secure by Default (4/7) Unsafe Services are not running or not installed -bash-4.4$ telnet g0086 Trying 192.168.100.86... telnet: Unable to connect to remote host: Connection refused -bash-4.4$ ftp g0086 ftp: connect: Connection refused -bash-4.4$ ssh g0086 Last login: Wed Sep 20 17:18:35 2017 from g0069.jomasoft- Oracle Corporation SunOS 5.11 11.3 March 2017 -bash-4.4$
  • 11. 11 Solaris 11 – Secure by Default (5/7) Daemons as non-root with Privileges # ps -f -u netadm,daemon,smmsp,dladm UID PID PPID C STIME TTY TIME CMD daemon 75 1 0 Aug 28 ? 0:00 /lib/crypto/kcfd netadm 46 1 0 Aug 28 ? 0:00 /usr/sbin/ibmgmtd netadm 66 1 0 Aug 28 ? 0:02 /lib/inet/ipmgmtd dladm 52 1 0 Aug 28 ? 0:02 /usr/sbin/dlmgmtd daemon 448 1 0 Aug 28 ? 0:00 /usr/sbin/rpcbind -w daemon 204 1 0 Aug 28 ? 0:00 /usr/lib/utmpd netadm 315 1 0 Aug 28 ? 0:02 /lib/inet/nwamd smmsp 644 1 0 Aug 28 ? 0:00 /usr/lib/inet/sendmail -Ac-q15m
  • 12. 12 Solaris 11 – Secure by Default (6/7) Restrictive umask -bash-4.4$ umask 0022 -bash-4.4$ touch /tmp/test -bash-4.4$ ls -l /tmp/test -rw-r--r-- 1 marcel staff 0 Sep 1 15:53 /tmp/test
  • 13. 13 Solaris 11 – Secure by Default (7/7) Role-based access control (RBAC) -bash-4.4$ profiles -a | grep ZFS ZFS File System Management ZFS Storage Management # usermod -P+"ZFS File System Management" marcel -bash-4.4$ zfs create rpool/test1 cannot create 'rpool/test1': permission denied -bash-4.4$ pfbash bash-4.4$ zfs create rpool/test1
  • 14. 14 Solaris 11 – pkg verify Detect changes # ls -l /etc/shadow -r-------- 1 root sys 807 May 8 2017 /etc/shadow # chmod o+r /etc/shadow # ls -l /etc/shadow -r-----r-- 1 root sys 807 May 8 2017 /etc/shadow # pkg verify PACKAGE STATUS pkg://solaris/system/core-os ERROR file: etc/shadow ERROR: Mode: 0404 should be 0400
  • 15. 15 Solaris 11 – pkg fix Revert changes # pkg fix core-os Packages to fix: 1 Create boot environment: No Create backup boot environment: Yes Repairing: pkg://solaris/system/[email protected],5.11- 0.175.3.14.0.5.0:20161105T004625Z PACKAGE STATUS pkg://solaris/system/core-os ERROR file: etc/shadow ERROR: Mode: 0404 should be 0400 PHASE ITEMS Updating modified actions 1/1 Updating package state database Done Updating package cache 0/0 Updating image state Done Creating fast lookup database Done Updating package cache 2/2 # ls -l /etc/shadow -r-------- 1 root sys 807 May 8 2017 /etc/shadow
  • 16. 16 CVE Common Vulnerabilities and Exposures Industry-standard naming convention for security bugs Format: CVE-<year>-<nr> Sample: CVE-2014-7187 (Bash/Shellshock) Scoring: Common Vulnerability Scoring System (CVSS) Medium 4 – 6.9 / High 7 – 8.9 / Critical 9 – 10 Search, among many others: https://www.cvedetails.com/ Oracle Solaris 376 Redhat Enterprise Linux 426 Windows 7 820
  • 17. 17 Solaris 11.3 – CVE Metadata Required: Metadata Package installed # pkg install solaris-11-cpu Analysis Is Fix installed for CVE-2014-7187 (Bash/Shellshock)? -bash-4.4$ pkg search -l CVE-2014-7187 INDEX ACTION VALUE PACKAGE info.cve set CVE-2014-7187 pkg:/support/critical-patch-update/solaris-11- [email protected] Is CVE-2017-3629 (Local Privilege Escalation) installed? -bash-4.4$ pkg search -l CVE-2017-3629 -bash-4.4$ Which Update is required for CVE-2017-3629? -bash-4.4$ pkg search CVE-2017-3629: | head -2 INDEX ACTION VALUE PACKAGE CVE-2017-3629 set pkg://solaris/network/[email protected],5.11- 0.175.3.22.0.3.0 pkg:/support/critical-patch-update/[email protected]
  • 18. 18 SPARC-Virtualization: LDoms / Zones Oracle & Fujitsu SPARC Server Systems: T4-x, T5-x, M5, M6, M10, T7-x, M7-x, S7-2, M12, T8-x, M8-x Multiple, separated Solaris Instances on the same HW Combine with Zones Dedicated Memory Hacker on one Zone or LDom has limited Impact
  • 19. 19 Solaris – Virtualization using Zones Immutable (Read-Only) Zones A) file-mac-profile=flexible-configuration # touch /bla touch: cannot change times on /bla: Read-only file system # pkg install apache-22 pkg install: Could not complete the operation on /var/pkg/lock: read-only filesystem. # touch /etc/test # touch /var/myfile
  • 20. 20 Solaris – Virtualization using Zones Immutable (Read-Only) Zones B) file-mac-profile=fixed-configuration # touch /bla touch: cannot change times on /bla: Read-only file system # pkg install apache-22 pkg install: Could not complete the operation on /var/pkg/lock: read-only filesystem. # touch /etc/test touch: cannot change times on /etc/test: Read-only file system # touch /var/myfile
  • 21. 21 Solaris – Virtualization using Zones Immutable (Read-Only) Zones C) file-mac-profile=strict Completely Read-Only / Only Remote Logging # touch /bla touch: cannot change times on /bla: Read-only file system # pkg install apache-22 pkg install: Could not complete the operation on /var/pkg/lock: read-only filesystem. # touch /etc/test touch: cannot change times on /etc/test: Read-only file system # touch /var/myfile touch: cannot change times on /var/myfile: Read-only file system
  • 22. 22 Solaris – Virtualization using Zones Trusted Path for Immutable (Read-Only) Zones Example with file-mac-profile=strict -bash-4.1$ touch /etc/test touch: cannot change times on /etc/test: Permission denied On the global Zone / No RW Reboot required # zlogin -T v0128 [Connected to zone 'v0128' pts/3] Oracle Corporation SunOS 5.11 11.2 August 2014 root@v0128:~# touch /etc/test
  • 23. 23 Solaris 11.3 – Compliance tool Based on OpenSCAP Checks Systems against predefined Rules Allows to detect changes on the System Produces detailed HTML Report Execution: compliance assess -b solaris -p Baseline compliance assess -b solaris -p Recommended compliance assess -b pci-dss
  • 24. 24 Solaris 11.3 – Compliance tool
  • 25. 25 Solaris 11.3 – Compliance tool compliance Output # compliance assess -b solaris -p Baseline Assessment will be named 'solaris.Baseline.2017-09-01,16:37' Package integrity is verified OSC-54005 pass The OS version is current OSC-53005 pass Service svc:/network/ftp:default is in disabled state OSC-17510 pass Service svc:/network/rpc/gss is enabled if and only if Kerberos is configured OSC-63005 fail
  • 26. 26 SPARC – Silicon Secured Memory Integrated in SPARC CPU M7/M8 and S7 You detect and prevent - Memory Reference Errors - Buffer Overruns - Memory Usage after free Alternatives in Software are expensive and 30x – 70x slower Oracle Developer Studio Compiler includes Support for Discovery at Development Demo Video about OpenSSL Heartbleed https://swisdev.oracle.com/_files/ADI-Demo.html
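  • 27. 27 SPARC – Silicon Secured Memory
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    /* Demo from the slide: deliberately reads past the end of a 10-byte heap buffer. */
    int main(int argc, char *argv[])
    {
        char *buffer = malloc(sizeof(char) * 10);
        strcpy(buffer, "Test-Text");      /* 9 characters + NUL fill the buffer exactly */
        for (int i = 0; i < 20; ++i)      /* indexes 10..19 lie outside the allocation */
            printf("%c ", buffer[i]);
        printf("\n");
        free(buffer);
        return 0;
    }
    /opt/solarisstudio12.4/bin/cc -m64 -g -o buffer_overrun buffer_overrun.c
    -bash-4.4$ ./buffer_overrun
    T e s t - T e x t | - X TTTST E E ? P W D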
  • 28. 28 SPARC – Silicon Secured Memory With SSM (ADI) activated the Program is stopped and can't access foreign Memory. -bash-4.4$ LD_PRELOAD_64=/lib/64/libadimalloc.so.1 ./buffer_overrun Segmentation Fault (core dumped) -bash-4.4$ echo ::status | mdb core debugging core file of buffer_overrun (64-bit) from g0072 file: /export/home/marcel/buffer_overrun initial argv: ./buffer_overrun threading model: native threads status: process terminated by SIGSEGV (Segmentation Fault), pc=100000bb0 , ADI version d mismatch for VA ffffffff7e93ffc0
  • 29. 29 SPARC – Silicon Secured Memory Detailed Results when using the Compiler Libraries LD_PRELOAD_64=/opt/developerstudio12.5/lib/compilers/sparcv9/libdiscoverADI.so ./buffer_overrun T e s t - T e x t |
  • 30. 30 VDCF – Virtual Datacenter Cloud Framework Management Tool for Zones and LDOMs Installation, Operation, Migration, Monitoring, Security and Failover/DR Supports Solaris 10 + 11 on SPARC/x86 In productive use since 2006 Dynamic Virtualization Live / Cold Migration and Failover Resource Configuration and Monitoring Agility for your Enterprise Private Cloud Implemented by Admins for Admins
  • 32. 32 VDCF – Compliance Assess 3 Standard Benchmarks: baseline, recommended, pci-dss VDCF Benchmarks: default & cdom -bash-4.4$ more /var/opt/jomasoft/vdcf/conf/compliance/cdom.tailor ..... # ------------------------------- # commented, activate if required # ------------------------------- .... # OSC-53005: The OS version is current #exclude OSC-53005 ... # -------------------------- # disabled to avoid failures # -------------------------- # OSC-55010: The r-protocols services are disabled in PAM exclude OSC-55010 # OSC-73505: ssh(1) is the only service binding a listener to non-loopback addresses exclude OSC-73505 # -------------------------------------- # added to detect more than the baseline # -------------------------------------- ..... # OSC-47500: Passwords require at least 1 digits include OSC-47500 # OSC-49500: Passwords require at least 1 upper-case characters include OSC-49500 # OSC-93005: User home directories have appropriate permissions include OSC-93005 .... Individual Benchmarks for Customers and Servers
  • 33. 33 VDCF – Compliance Assess Fully automated Compliance check over the Datacenter osmon -c assess all all_vserver Compliance Report
  • 34. 34 VDCF – Hardening Individual Hardening Profiles -bash-4.4$ more /var/opt/jomasoft/vdcf/conf/compliance/baseline.hardening OSC-12510: Service svc:/network/nfs/fedfs-client:default is in disabled state OSC-63005: Service svc:/network/rpc/gss is enabled if and only if Kerberos is configured OSC-93005: User home directories have appropriate permissions OSC-34010: Service svc:/application/cups/in-lpd:default is in disabled state OSC-85000: The maximum number of waiting TCP connections is set to at least 1024 OSC-99011: Service svc:/system/rad:remote is in enabled state Hardening -bash-4.4$ node -c harden name=g0087 profile=baseline Hardening started ... OSC-12510: Service svc:/network/nfs/fedfs-client:default is in disabled state - DONE OSC-34010: Service svc:/application/cups/in-lpd:default is in disabled state - DONE OSC-63005: Service svc:/network/rpc/gss is enabled if and only if Kerberos is configured - DONE OSC-85000: The maximum number of waiting TCP connections is set to at least 1024 - DONE (Changed from 128 to 1024) OSC-93005: User home directories have appropriate permissions - DONE OSC-99011: Service svc:/system/rad:remote is in enabled state - DONE Hardening of 6 items on Node g0087 was successful
  • 35. 35 VDCF – Online Resources Product Documentation Online Complete Documentation and Videos on Webpage available Free Edition No-Cost Test Version with limited number of manageable Servers. Test using combined POC Install and test together with JomaSoft on-site in your Test environment. Webpage https://www.jomasoft.ch/vdcf
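
Added example (not from the slides and not part of VDCF): a POSIX shell/awk filter that turns the praudit -l login records shown on slide 9 into a list of failed logins and a per-source count. The function names are hypothetical, and the fourth sample record is constructed here so that one source shows a repeated failure.

```shell
#!/bin/sh
# Added example: summarise failed logins from `auditreduce -c lo | praudit -l`.

# Sample input. The first three records and the trailing file token are the
# ones shown on slide 9 (slide line wraps rejoined); the fourth header record
# is constructed for this example.
sample_audit_lines() {
cat <<'EOF'
header,69,2,login - ssh,fe,g0087,2017-09-01 15:37:32.707 +02:00,subject,root,root,root,root,root,6021,3233957173,15531 196630 g0069.jomasoft-lab.ch,return,failure,Permission denied
header,69,2,login - ssh,na:fe,g0087,2017-09-01 15:37:38.864 +02:00,subject,-1,-1,-1,-1,-1,6023,3999938775,12434 196630 g0069.jomasoft-lab.ch,return,failure,No account present for user
header,69,2,login - ssh,,g0087,2017-09-01 15:37:42.013 +02:00,subject,marcel,marcel,staff,marcel,staff,6026,3889292888,15007 65558 g0069.jomasoft-lab.ch,return,success,0
header,69,2,login - ssh,fe,g0087,2017-09-01 15:38:05.120 +02:00,subject,root,root,root,root,root,6031,1234567890,15540 196630 g0069.jomasoft-lab.ch,return,failure,Permission denied
file,2017-09-01 15:37:42.000 +02:00,
EOF
}

# Print one line per failed login: time|event|audit user|remote host|reason.
# The subject and return tokens are located by name rather than by fixed
# column, so a record carrying extra tokens is still parsed correctly.
failed_logins() {
    awk -F',' '
    $1 != "header" { next }                 # skip file tokens and other lines
    {
        user = ""; remote = ""; status = ""; reason = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "subject" && i + 8 <= NF) {
                user = $(i + 1)             # audit user ID (-1 = no such account)
                n = split($(i + 8), term, " ")
                remote = term[n]            # terminal ID is "port port host"
                i += 8                      # do not rescan the subject fields
            } else if ($i == "return" && i + 2 <= NF) {
                status = $(i + 1)
                reason = $(i + 2)
            }
        }
        if (status == "failure")
            printf "%s|%s|%s|%s|%s\n", $7, $4, user, remote, reason
    }'
}

# Print "count remote-host audit-user", most failures first.
failures_by_source() {
    failed_logins | awk -F'|' '
    { count[$4 " " $3]++ }
    END { for (k in count) print count[k], k }' | sort -k1,1nr -k2
}

# Print only the sources with at least $1 failures (default 2).
repeat_offenders() {
    failures_by_source | awk -v min="${1:-2}" '$1 >= min'
}

# Stand-alone run on the embedded sample.
sample_audit_lines | failures_by_source
```

On a Solaris host the same functions read live data, for example: auditreduce -c lo | praudit -l | repeat_offenders 5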