Sun Microsystems plans to phase out its Trusted Solaris secure operating system and replace it with security extension software that can be used with its OpenSolaris operating system, said Mark Thacker, product line manager of Solaris security. OpenSolaris and the Solaris Trusted Extensions software will provide the full functionality of Trusted Solaris, according to Thacker. “This product will simply layer on top of Solaris 10. It will run on top of any piece of hardware that Solaris 10 runs on,” Thacker said. Trusted Extensions should be available by mid-2006.
That headline is VERY VERY VERY misleading. Sun is NOT pulling the plug on Trusted Solaris at all. It is just that we have integrated so much of the technology previously only available in Trusted Solaris into the standard Solaris product that Trusted Solaris no longer needs to be a separate release of its own, it can now be a truly layered add on.
This has major release engineering advantages for Sun and even more significant advantages for customers because now they don’t have to wait for features or new hardware support in Trusted deployments.
Sun is VERY committed to the feature set of the Trusted Solaris product and this is one of the reasons that Solaris 10 now has so many of the features that were previously only in Trusted Solaris. The most notable of which is privileges rather than all powerful root. The kernel implementation of Zones is also very similar to how one implements MAC Labeling.
We learned this months and months ago, long time ago that they were going to make all new Solaris versions trusted instead of having a separate OS for it.
Even said so during the Solaris 10 launch.
It’s really a BETTER thing to do and anyone who says otherwise must be joking with their brains
This is all very interesting, but there are so many unanswered questions. Will the root zone be protected? Trusted Solaris normally runs without a super-user, instead having multiple “roles” that share tasks. The last time I looked at zones/containers there still is a root zone with a super-user in it.
And what about the filesystem? How about multi-level security? Will we be able to override MAC and DAC?
Actually, I feel the interesting thing about this bit of news, regardless how new or old it can be, is what the Feds are going to do, since they are one of the biggest customers for Trusted Solaris. Probably, upgrade like the rest of the public. But still when companies have been selling products that are very specific for a while, there needs to be some time to let the customer swallow up the news. Of course, Sun could have made all its systems more secure from the start, but they didn’t. Regardless, the point is that now, finally, things are starting to move to the center of the pie, where everyone can take advantage of it. Note that Sun, in general, has done a lot of security work in the past. The problem with Sun is not based on technology. It’s based on implementation. They can come up with great technology. Their problem has always been making useful products with the technology they develop.
Sun could have made all its systems more secure from the start, but they didn’t
For Solaris 10 and onwards, there was and is a policy within Sun’s engineering teams of “Secure By Default” — security is taken very seriously not just within the kernel/OS groups, but also in all the other groups within Sun which produce software and hardware. Anything less is unacceptable.
Regarding your backhander “Their problem has always been making useful products with the technology they develop” – I’m a little confused by what you’re talking about. Java? Plenty of products out there. Solaris zones? yup – build it as core functionality into the OS and provide blueprints on how to make it work best for you. How about DTrace? Don’t forget all the work that’s been done by Sun wrt RFID.
One of the things which I really, really enjoy about working for Sun is that we spend so much on basic research. Elliptic Curve Cryptography — now that is a waaaaay out there technology which there aren’t any products based around. Yet. That’s one of the things about basic research: it sometimes takes a while to get product based around that research into the market.
“Of course, Sun could have made all its systems more secure from the start, but they didn’t.”
If you are referring to the stuff in Trusted Solaris and not basic Solaris, there’s a reason they are separate. Most of the stuff in Trusted Solaris is useless to most people and actually a burden.
Otherwise, securing Solaris is not difficult. The same overall rules apply to it as to Linux and other UNIX systems. In Solaris 10, it only got easier to manage, especially now that the /etc/rc?.d/ system is being phased out in favor of SMF. The smpatch service further trivializes installing system updates. Solaris 10 added a bunch of tools, like ipf, that aren’t hard to set up, either.
Also, if Sun went all the way and became like OpenBSD, people would complain about usability or some other nonsense to pick on.