Solaris 10 brings a number of significant changes to improve the overall security of the system. Solaris Containers and Security Rights Management have received much of the press, but there are other features that contribute greatly to the improved security of a Solaris system. Password security has been improved considerably by the inclusion of the following features:
1. A choice of encryption methods for passwords, from the default crypt function to an MD5 encryption that is compatible with BSD and Linux systems, Blowfish, Sun MD5, or a custom written module (9 4/04).
2. A password history can be enabled and hold up to 26 previously used passwords.
3. Solaris 10 allows you to create a password dictionary, or use an existing one, to check your passwords against for complexity requirements.
4. Passwords are now checked for complexity requirements that you specify.
About a year ago there was a link to a password dictionary that had 227,000,000 passwords being sent around the Bugtraq mailing list. I downloaded the file, extracted it and had a 1 GB dictionary file. Modifying /etc/default/passwd to specify the path to the dictionary, I attempted to use the dictionary on my Ultra 30 and promptly locked the box up for 10 minutes while the password being used was being checked. This is not a fault of Solaris, but I would not recommend a dictionary of that size.
Another cool feature is TCP Wrapped rpcbind: any RPC request can be logged, and RPC traffic can be limited to specific hosts.
To check the integrity of a Solaris system, most administrators use the Automated Security Enhancement Tool (ASET), which works but is not protected from tampering in any way. Sun has addressed that issue with the Basic Audit Reporting Tool (BART), which can be used instead of ASET. BART allows any user to create a manifest of files on a particular machine (only root can create a manifest of the system). ASET requires root or Primary Administrator role level access to work, which limits its functionality. BART also uses MD5 checksums for each entry in the manifest and ASET does not, meaning that malicious users would also have to generate an MD5 checksum that matches the manifest for each file they intended to modify, which is not an easy task.
The firewall software bundled with previous releases of Solaris, SunScreen, has been replaced with IPFilter. It is started by default but is in an unconfigured state, which means remote connections with telnet and SSH will work with no problems.
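The manifest comparison described above for BART, as an added Python sketch that is not part of the original article and is not BART's code or manifest format: it records size, modification time and MD5 digest per file, then compares a control manifest with a later one, with and without the digest column. The file name, its contents and the timestamp are constructed sample values.

```python
import hashlib
import os
import tempfile

def create_manifest(root):
    """Map each file path (relative to root) to (size, mtime, MD5 hex digest)."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            with open(path, "rb") as fh:
                digest = hashlib.md5(fh.read()).hexdigest()
            manifest[os.path.relpath(path, root)] = (st.st_size, int(st.st_mtime), digest)
    return manifest

def compare(control, test, use_checksum=True):
    """Return sorted (path, change) pairs between a control and a test manifest."""
    width = 3 if use_checksum else 2  # ignore the digest column when disabled
    changes = []
    for path in sorted(set(control) | set(test)):
        if path not in test:
            changes.append((path, "deleted"))
        elif path not in control:
            changes.append((path, "added"))
        elif control[path][:width] != test[path][:width]:
            changes.append((path, "modified"))
    return changes

def demo():
    """Constructed scenario: content changes while size and mtime stay the same."""
    stamp = 1_100_000_000  # constructed timestamp
    with tempfile.TemporaryDirectory() as root:
        target = os.path.join(root, "hosts.allow")  # constructed sample file
        with open(target, "w") as fh:
            fh.write("rpcbind: 192.0.2.10\n")
        os.utime(target, (stamp, stamp))
        control = create_manifest(root)
        with open(target, "w") as fh:
            fh.write("rpcbind: 192.0.2.99\n")  # same length, different content
        os.utime(target, (stamp, stamp))
        test = create_manifest(root)
    # First result: attributes only. Second result: attributes plus digest.
    return compare(control, test, use_checksum=False), compare(control, test)

if __name__ == "__main__":
    print(demo())
```

Only the comparison that includes the digest reports the file as modified, which is the practical value of a per-entry checksum in the manifest.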
Bundled Software
Unlike previous releases of Solaris where Sun provided a Companion CD with various tools, Solaris 10 (if a Full Distribution installation is done) comes with 185 packages, 30 of them directly supported by Sun:
Apache http server versions 1.3.33 and 2.0.52
BIND version 9.2
flex version 2.5.4
GNU GCC version 3.4.3
GNU make version 3.80
Internet Printing Protocol (IPP) support and modules for Apache
MySQL database version 4.0.15
Samba version 3.0.4
Webmin
In the past, to get some of this software you had to download it from www.sunfreeware.com or www.blastwave.org, use the Software Companion CD, or build it yourself. Of course, if you don't care for Sun's choices you can always download and install the software of your choice. I see it as a welcome addition to Solaris to include these tools. All you have to do is add /usr/sfw/bin and /usr/sfw/sbin to your PATH and “off you go”. What is interesting about the inclusion of Open Source software with Solaris 10 is what Sun will support. SSH and Samba are fully supported; they might not be the latest version, but this means patches will be provided. Will Sun provide updates for software included in Solaris 10 that is not supported? I don't know. But I do like the inclusion of the tools; if nothing else, it saves the time spent trying to find, download, and install them.
Performance
Solaris 10 GA has not been on the streets for a month and people are already clamoring for benchmarks. I did some testing with iozone (www.iozone.org) on both my SPARC and x86 machines, but chose not to include them. The reasons why are simple:
1. Insufficient time to properly test both platforms correctly before publication using the GA Release.
2. Issues have been raised as to whether there would be a difference in how a benchmark would respond based on which compiler was used. Again, I did not have sufficient time to test that theory to see if there was a significant difference between GCC and Sun Studio.
3. The performance of 7+ year old SPARC hardware is hardly a fair test for Solaris 10, considering that Solaris 10 is optimized for the UltraSPARC III or better CPU. Many of the SCSI systems ship with internal Fibre Channel disks that in my experience (SunFire V480) are really fast, especially after tuning maxphys.
Conclusion
I think that Sun has put some really nice touches on Solaris 10 that make it a better operating system for both administrators and users. The security enhancements are a long time coming, but are worth the wait. Is Solaris 10 perfect? In a word, no, it is not. But for most uses, including as a desktop OS, I think Solaris 10 is a huge improvement over previous releases.
If you would like to see your thoughts or experiences with technology published, please consider writing an article for OSNews.



