USING SOLARIS™ OPERATING SYSTEM SECURITY TO ADDRESS PAYMENT CARD INDUSTRY (PCI) DSS COMPLIANCE:
A SYSTEMIC APPROACH TO SECURITY
Glenn Brunette, Distinguished Engineer, GSS Security Office Mark Thacker, Product Line Manager, Solaris Joel Weise, Principal Engineer, GSS Security Office
White Paper July 2007
�Sun Microsystems, Inc.
Table of Contents
Using Solaris™ Operating System Security to Address Payment Card Industry (PCI) DSS Compliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1 A Definition of PCI DSS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 A Systemic Approach to Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 Solaris OS Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 File Integrity and Secure Execution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 User and Process Rights Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 Network Service Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 Cryptographic Services and Encrypted Communication . . . . . . . . . . . . . . . . . . . . . 6 Flexible Enterprise Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 Repeatable Security Hardening and Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . 8 Containment and Mandatory Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 Related Solaris Security Publications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 Related Solaris Security Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 Related Sun Security Publications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
�1
Using Solaris Operating System Security to Address PCI DSS Compliance
Sun Microsystems, Inc.
Using Solaris™ Operating System Security to Address Payment Card Industry (PCI) DSS Compliance
The Solaris™ Operating System (Solaris OS), an advanced operating system from Sun™ Microsystems, is an ideal choice for organizations addressing the Payment Card Industry Data Security Standard (PCI DSS). Fully supported on more than 800 SPARC®based and x64/x86-based systems, the Solaris OS includes hundreds of features making it efficient, secure and reliable. This whitepaper presents security features of the Solaris 10 OS and related Sun technologies, and describes how they can be used by organizations in complying with the PCI DSS. Administrative, managerial, procedural or physical controls specified by the PCI DSS that the Solaris OS does not directly address are outside the scope of this paper. Note that a prescriptive solution for addressing the PCI DSS is not documented here, as compliance is site, application, infrastructure and deployment specific. Rather, the intent is to identify the Solaris OS features and options that can be leveraged to help address the PCI DSS. If detailed design and implementation instructions are required, please contact a local Sun representative or visit the Sun web site at
http://www.sun.com for more information.
A Definition of PCI DSS
According to the PCI Security Standards organization1, “the PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. This comprehensive standard is intended to help organizations proactively protect customer account data.” PCI DSS compliance is an exercise in risk management with the purpose of reducing risk in IT environments so that payment information can be processed without compromise. Given the nature of payment information and the variety of regulations that apply, IT systems must exhibit a sufficient level of security assurance to provide for the confidentiality, integrity, availability and privacy of both data and processing resources. For example, these resources must be protected so that they cannot be adversely affected by being delayed, deleted, modified or disclosed by an unauthorized entity. PCI DSS is a 'living' standard that is reviewed and updated as necessary to address new and evolving technologies and threats. An adaptive security approach such as SunSM Systemic Security is recommended to accommodate change and keep up with the evolving nature of the standard.
1. PCI Security Standards Council. http://www.pcisecuritystandards.org
�2
Using Solaris Operating System Security to Address PCI DSS Compliance
Sun Microsystems, Inc.
The primary information security objectives or principles of the PCI DSS version 1.1 are summarized in Table 1.
Table 1. PCI DSS Principles and associated requirements.
[1] Build and Maintain a Secure Network Requirement 1: Requirement 2: Install and maintain a firewall configuration to protect cardholder data Do not use vendor-supplied defaults for system passwords and other security parameters
[2] Protect Cardholder Data Requirement 3: Requirement 4: Protect stored cardholder data Encrypt transmission of cardholder data across open, public networks
[3] Maintain a Vulnerability Management Program Requirement 5: Requirement 6: Use and regularly update anti-virus software Develop and maintain secure systems and applications
[4] Implement Strong Access Control Measures Requirement 7: Requirement 8: Requirement 9: Restrict access to cardholder data by business need-to-know Assign a unique ID to each person with computer access Restrict physical access to cardholder data
[5] Regularly Monitor and Test Networks Requirement 10: Track and monitor all access to network resources and cardholder data Requirement 11: Regularly test security systems and processes [6] Maintain an Information Security Policy Requirement 12: Maintain a policy that addresses information security
A Systemic Approach to Security
It is important to understand that the PCI DSS is not a prescriptive list of mandated controls. Rather, the underlying intent of the standard is to ensure that organizations design, architect, implement and manage a comprehensive risk management and security program. An integral component of this security effort is a security architecture based upon systemic security principles. Sun Systemic Security is a comprehensive architectural approach that allows organizations to implement and manage controls that are capable of responding to new and different threats over time. The primary principles of this approach to security (versus, for example, a prescriptive or checklist approach) are self-preservation, defense in depth, least privilege, compartmentalization and proportionality. The security architecture is designed, implemented and managed within the context of a continuous improvement schema, helping organizations mature over time to anticipate evolving threats. These features make a security architecture based upon Sun Systemic Security an ideal solution for addressing the PCI DSS.
�3
Using Solaris Operating System Security to Address PCI DSS Compliance
Sun Microsystems, Inc.
A complete program should include the following features: • A security governance structure to ensure that executive management is accountable for and actively promotes security throughout the enterprise • A security policy that dictates which security elements should be implemented to enable appropriate risk management, privacy and security controls • A comprehensive security architecture built upon and leveraging the systemic security principles
Solaris OS Features
The Solaris OS should be considered not in isolation but as an integral component of an overall security effort. It is within this context of an overall security approach that the the various Solaris security features are described. As an operating system, the Solaris OS is not oriented towards direct support of administrative or managerial requirements such as a security policy or security procedures development. However, the Solaris OS is a critical component in the infrastructure used to enable compliance with these and other requirements of the standard. The following Solaris OS features can be used to address the pertinent PCI DSS requirements: • File Integrity and Secure Execution • User and Process Rights Management • Network Service Protection • Cryptographic Services and Encrypted Communication • Flexible Enterprise Authentication • Repeatable Security Hardening and Monitoring • Containment and Mandatory Access Control Each of these features is covered in more detail in the following sections. Each feature is briefly described, followed by a discussion of how that item can be applied to help address PCI DSS compliance.
File Integrity and Secure Execution
System administrators can detect possible attacks on their systems by monitoring for changes to file information. In the Solaris 10 OS, binaries are digitally signed, enabling administrators to track changes easily. In addition, all patches or enhancements are embedded with digital signatures, eliminating the false positives associated with upgrading or patching file integrity-checking software. Any binary can be signed—thirdparty commercial offerings, open source, or code developed on-site—without needing access to the source code. The Solaris 10 OS also introduces the Basic Audit and Reporting Tool (BART), a file integrity-checking application for data files and customer applications. The BART utility
�4
Using Solaris Operating System Security to Address PCI DSS Compliance
Sun Microsystems, Inc.
allows customers to create snapshots of their own data, applications and critical system files and periodically scan for changes to these files. Additionally, the Solaris Fingerprint Database project, hosted by Sun on the SunSolveSM Web site, provides digital fingerprints for all files shipped in the Solaris OS, spanning many previous generations of the operating system. The Solaris Fingerprint Database offers free online verification utilities that allow administrators to check the integrity of Solaris files on any existing system, to help confirm that no hacker has modified critical system files. Used individually or together, these file integrity tools provide powerful, flexible ways to monitor for changes to the operating system platform. Addressing PCI DSS
Relevant PCI DSS Principles #1: Build and Maintain a Secure Network #3: Maintain a Vulnerability Management Program #5: Regularly Monitor and Test Networks
The embedded digital signatures and file integrity checking tools in Solaris 10 can be used as part of a vulnerability management program and can assist in maintaining and monitoring network security. These features help identify changes to data or applications and can be scripted into a reactive response mechanism. Maintaining a vulnerability management program includes consideration of anti-virus scanning applications. It is important to note that the Solaris OS does not itself suffer from Microsoft Windows-specific viruses, a common threat to computer vulnerability. The built-in Solaris 10 OS file integrity features help to mitigate and react to inappropriate changes to files, and these features should be integrated within a comprehensive detection practice. For example, a system administrator can utilize the
bart command with a given set of special privileges in a nightly process to scan critical
system files and data for possible changes. If the nightly scan detects a change in a file, it can notify an administrator or take other corrective action. When used with privileges as noted, the file scanning process itself would not need to run with unlimited superuser power and could not be used as an attack vector to modify data.
User and Process Rights Management
In traditional UNIX platform-based operating systems, applications and users often need administrative access to perform their jobs. However, most implementations offer just one level of higher privilege: root or superuser. In this situation, any user or application given root access has the ability to make major changes to the operating system—and root access like this is typically the target of hacking attempts. The Solaris 10 OS offers unique User Rights Management (also known as role-based access control, or RBAC) and Process Rights Management (also known as privileges). Together, User and Process Rights Management technologies reduce risks by granting users and applications only the minimum capabilities needed to perform their duties. Unlike other solutions on the market, no application changes are required to take advantage of these security enhancements.
�5
Using Solaris Operating System Security to Address PCI DSS Compliance
Sun Microsystems, Inc.
Solaris applications also are protected from a possible form of intrusion known as stack smashing by a non-executable stack feature. Solaris applications running on 64-bit SPARC®, AMD and Intel processors work together to prevent virus and trojan applications from executing code, without requiring application re-compilation or suffering the performance penalties of other operating systems. Additionally, Solaris offers an extensive system event audit trail collection facility. Essentially all system events can be audited, with selective controls on which classes of events are audited governed on a per-user basis. Access to files, devices, roles, system services, and applications are recorded. This audit trail is part of Solaris 10's Common Criteria independent security certification and offers the ability to be exported into an open XML format or automatically transported to another system. Addressing PCI DSS
Relevant PCI DSS Principles #1: Build and Maintain a Secure Network #4: Implement Strong Access Control Measures
User and Process Rights Management technology can be used to build and maintain secure networks and implement strong access control measures. For example, all UNIX platform-based Web server software traditionally requires root access to serve applications on port 80, a commonly used Web TCP/IP port. However, with User and Process Rights Management, a Web server application on the Solaris 10 OS can be granted just the privileges required to enable it to bind to low numbered ports (port 80) without providing additional administrative access. If the Web server software is attacked, the hacker cannot escalate privileges, launch additional attacks, or gain further access to the system, nor compromise files and material related to cardholder data. The Web server itself could be managed by only a select group of users who have a specific role defined just to manage this particular service, and none other. This example is fully detailed in the document Eliminating Web Page Hijacking With Solaris
Security, as seen in the Reference section.
As another example, a person, or group of people, performing the task of system log analysis on a given set of machines should not have to have the ability to create or delete system log information. The User and Process Rights Management features can be used to create a role for those individuals. This role can grant them read-only access to certain commands and certain files that they do not own themselves, without granting them full administrative rights on the system. Because Solaris records the real identity of the person doing the activity in addition to the name of the role, all actions are accounted for on a Solaris system.
Network Service Protection
The Solaris 10 OS ships with Solaris IP Filter firewall software pre-installed. This integrated firewall can reduce the number of network services that are exposed to attack and provides protection against maliciously crafted networking packets. Starting in the Solaris 10 8/07 release, the IP Filter firewall can also filter traffic flowing between Solaris Containers when it is configured in the Global Zone. In addition, TCP Wrappers
�6
Using Solaris Operating System Security to Address PCI DSS Compliance
Sun Microsystems, Inc.
are integrated into the Solaris 10 OS, limiting access to service-based allowed domains. For example, access to an FTP server could be limited only to the internal.foo.com domain. The Solaris OS also provides protection against inappropriate use of network resources through its Secure By Default networking configuration. At installation time, a system administrator is offered a choice of running a system with many networking services disabled, and other more commonly used services are configured for use only by the system itself. An administrator can also choose to enable or disable how an individual network service listens for network connections and can reset the entire system to a secured state with one simple command. When configured in this manner, a Solaris 10 system retains a usable GUI interface, can browse the Web, send email and do other outbound communications. Only the Solaris Secure Shell encrypted remote access method is allowed for inbound communication. Addressing PCI DSS
Relevant PCI DSS Principles #1: Build and Maintain a Secure Network
The networking and filtering features of Solaris 10 can be used to help build and maintain a secure network. The IP Filter firewall and TCP Wrappers are integrated into the Solaris OS, enabling administrators to configure access to specific resources for specific customer segments and also help protect against certain types of Denial of Service attacks. By utilizing the Secure By Default networking configuration, system administrators start from a known good configuration in which no networking services are exposed for un-encrypted communication. From this starting point, an administrator can enable only the services needed for their specific site, thereby reducing exposure to attack by leaving other services disabled.
Cryptographic Services and Encrypted Communication
For high-performance, system-wide cryptographic routines, the Solaris Cryptographic Framework adds a standards-based, common API that provides a single point of administration and uniform access to both software and hardware-accelerated, cryptographic functions. The pluggable Solaris Cryptographic Framework can balance loads across accelerators, increasing encrypted network traffic throughput. This framework is available to applications written to use Public Key Cryptography Standards (PKCS) #11, Sun Java™ Enterprise System (using Netscape Security Services (NSS) cryptographic libraries), OpenSSL, and Java Cryptographic Extension (JCE) software. Starting with the Solaris 10 8/07 release, the Solaris Key Management Framework is available to assist in managing digital certificates. The Key Management framework provides a single set of administrative commands for digital certificate creation requests, manipulation and loading across the most common formats used by OpenSSL, PKCS#11 and the NSS cryptographic libraries. A system administrator can now easily manage the full lifecycle of a digital certificate, regardless if they deploy the
�7
Using Solaris Operating System Security to Address PCI DSS Compliance
Sun Microsystems, Inc.
certificate for use by a Web server, a VPN connection, a cryptographic accelerator card, a database or any other application. Because the Solaris Cryptographic and Key Management Frameworks provide transparent application to high-speed cryptographic routines and accelerator cards, customers can process encrypted data more easily and for less computational cost than in previous Solaris releases. This capability can help customers utilize encrypted communications in new situations and potentially perform more transactions per second than was previously possible. The Solaris OS also provides protection against theft of sensitive material by encrypting communications using the IPsec/IKE and Solaris Secure Shell protocols. Solaris IPsec/IKE complies with industry standards to provide encryption of data between two or more systems over the network without requiring any application modification. Because IPsec/IKE are standards-based protocols, the Solaris OS can communicate with other operating systems, routers and firewalls to provide data privacy and over-the-wire encryption. The Solaris Secure Shell protocol is a specific set of utilities that have been modified to allow for encrypted remote access and file transfer between two systems. Solaris Secure Shell implements the SSHv2 protocol and thus can interoperate with other operating systems or devices that utilize these protocols. Addressing PCI DSS
Relevant PCI DSS Principles #2: Protect Cardholder Data
The encrypted communication capabilities in Solaris 10 directly address protecting cardholder data. Sensitive data can be encrypted as it is moved between one or more systems using the IPsec/IKE and Solaris Cryptographic Framework. Because the Cryptographic and Key Management Frameworks provide a single point of administration, customers can easily disable encryption algorithms that they have not authorized for use and all applications will be disallowed access to those algorithms. This capability helps with compliance and auditing requirements to use strong encryption of sensitive material.
Flexible Enterprise Authentication
The Solaris 10 OS delivers a number of flexible authentication features. The Pluggable Authentication Modules (PAM), a key foundation of the Solaris OS, makes it possible to add authentication services to the Solaris OS dynamically. Sun and third-party vendors provide numerous PAM modules, and customers can create their own modules to meet specific security needs. Technologies such as the Solaris Kerberos Service and Lightweight Directory Access Protocol (LDAP) utilize the PAM framework in the Solaris OS to deliver strong authentication of users and applications. The Solaris Kerberos Service delivers Kerberos-enabled remote applications such as rsh, rcp, telnet, Solaris Secure Shell, and NFS file sharing. Kerberos-based protocols allow for enterprise single sign-on (SSO), authorization, and encrypted communication. In
�8
Using Solaris Operating System Security to Address PCI DSS Compliance
Sun Microsystems, Inc.
addition, Kerberos-based applications never transmit a password over the network unencrypted and are interoperable with many different operating systems. Lightweight Directory Access Protocol (LDAP) client-side authentication and interoperability enhancements enable enterprise-wide, secure, standards-based access to servers and applications. To enable easier integration with existing environments, existing native LDAP authentication software offers NIS and NIS+ to LDAP gateways. The Solaris OS supports encrypted LDAP authentication requests and can utilize strong password encryption, account lockout, password history and other features provided by the Sun Java Enterprise System Directory Server. All Solaris user and process rights management information can also be stored centrally through the LDAP-based directory server, allowing for centralized management of users and security role definitions. Local passwords on the Solaris platform have strong password encryption options, including MD5 and Blowfish, as well as account lockout, password history and complexity checking, and a banned passwords list. By providing strong password encryption, systems are less subject to successful password cracking should a password file ever be lost or stolen. Addressing PCI DSS
Relevant PCI DSS Principles #1: Build and Maintain a Secure Network #4: Implement Strong Access Control Measures
The strong authentication capabilities in the Solaris OS can be used to implement strong access control and help maintain a secure network. Specifically, each site can choose to change the default password encryption algorithm and can utilize technologies such as Kerberos and LDAP to encrypt their passwords. Systems that use encryption technologies such as these are more secure and less subject to being compromised by passwords or sensitive data transmitted unencrypted over the network. Requirements for strong passwords can also be enforced through the password complexity controls as well as flexible password encryption algorithms. The PCI DSS also requires unique IDs per user. Centralization of those identities through industry standard LDAP-based directory servers or Kerberos Key Distribution Centers allows for standardization and unification of logins.
Repeatable Security Hardening and Monitoring
New features in the Solaris 10 OS make it easier than ever to minimize and harden a system. Minimization is the process of reducing the number of running processes on a system to just those needed for the system to perform its task. Hardening a system is the process of changing system configuration to choose more secure methods of communication and authentication. The Reduced Networking Metacluster installation option creates a minimized Solaris OS image, ready for administrators to add functionality and services in direct support of their system's purpose. This minimized Solaris installation acts as a building block and offers no exposed network services and a very minimal number of running processes.
�9
Using Solaris Operating System Security to Address PCI DSS Compliance
Sun Microsystems, Inc.
As mentioned previously, Solaris 10 now includes a Secure By Default networking configuration that disables many unused network services, while configuring all other services for local system-only communications. Administrators can customize which services are running by utilizing the Solaris Service Manager. This functionality can be further protected using Solaris User and Process Rights Management to control exactly who can manage which services and with what privileges those services run. The freely available Solaris Security Toolkit assists in the process of installing and maintaining a minimized and hardened operating system security configuration. The toolkit integrates with the Solaris JumpStart™ installation process or can be used on an existing system to harden a system according to a site-defined security profile. A collection of sample profiles, based upon the knowledge gained through years of Sun installation experience, is provided. The toolkit also includes an audit mechanism to compare a running system configuration against a site-specified hardening profile. In this way, the toolkit can be used to both verify and enforce compliance with an organization's OS security standards. Addressing PCI DSS
Relevant PCI DSS Principles #1: Build and Maintain a Secure Network #5: Regularly Monitor and Test Networks
The security hardening and minimization tools available for the Solaris operating system help to build and monitor secure systems and networks. Specifically, the ability to customize a Solaris installation to include only the functionality that is absolutely necessary for proper functioning can help to reduce risk of exposure to attack. By utilizing the Solaris installation tools and the Solaris Security Toolkit, customers can also document the security hardening and minimization techniques they used to install Solaris and can dynamically check their system to ensure they are still in compliance with their desired security state. To assist customers during their regular security checks, the Solaris Security Toolkit can be run in an audit mode that compares current file permissions, password settings, enabled services, software loaded onto a system and more against the known list of security profiles used to install the system. If the current system state is different than the original installation state, the toolkit can automatically re-apply the needed security changes.
Containment and Mandatory Access Control
The Solaris 10 OS includes isolation technology known as Solaris Containers. Each Solaris Container acts as an isolated Solaris instance with its own users, administrators, application software, file system, and networking. However, each instance also allows the global administrator to lock down certain settings such as network interface configuration and read-only shared directories. Applications running inside a Solaris Container do not have the ability to see or directly communicate with files or processes running inside another Solaris container on the same system. All applications on a Solaris Container also run with fewer maximum privileges than they would have
�10
Using Solaris Operating System Security to Address PCI DSS Compliance
Sun Microsystems, Inc.
running outside of a Solaris Container. In essence, a Solaris Container is a security boundary for an application and data. Solaris Trusted Extensions enhance Solaris Containers and implement Mandatory Access Control (MAC) based on sensitivity labels applied to a Solaris Container. The security policy in the Solaris OS is extended to support labels on elements of the operating system so that data marked as Confidential can't be accessed by public services such as Web browsers and email applications, regardless of who attempts the access. In addition, data can't be written to a device, such as a CD or USB Flash drive, that is labeled with a lower classification than the data itself, which helps protect most sensitive data. Labeling extends to network packets, the CDE and Sun Java Desktop System interfaces, file systems, devices, printers, and all processes. Addressing PCI DSS
Relevant PCI DSS Principles #1: Build and Maintain a Secure Network #2: Protect Cardholder Data #4: Implement Strong Access Control Measures
Containment and mandatory access controls help address the PCI DSS principles of maintaining secure networks, protecting cardholder data, and implementing strong access control measures. One requirement of the PCI DSS is to isolate services onto separate servers. Solaris Containers provide this separation, with all Solaris Containers isolated from each other. Even administrative or subversive action attempts within a Solaris Container do not directly affect data or applications running in another Solaris Container, because Solaris Resource Management allocations for virtual memory, CPU share and networking bandwidth override any errant process within a Solaris Container. Starting with the Solaris 10 8/07 release, a separate network stack and interface card can be assigned to each Solaris Container to further separation. Additionally, the use of Solaris Trusted Extensions helps to address the need to control the access to cardholder data. Data can be classified for internal use only once it's obtained, thus moving it to a different Solaris Container where it can not be maliciously or accidentally written to a Web site, CD or inappropriate storage location to be compromised or stolen. Beyond OS containment, Sun recommends that network containment models such as Sun's Service Delivery Network Architecture be leveraged to provide greater levels of security and agility.
Conclusion
Addressing the PCI DSS requires a comprehensive security program, and the Solaris OS is one critical component of such a program. The various features of the Solaris OS, as well as the other products and services available from Sun, provide a wide array of tools that can be used to address the vast majority of PCI DSS requirements. These Solaris OS security features and other Sun products noted in this whitepaper provide a solid foundation that can be used in conjunction with a comprehensive security architecture. Using a systemic security approach like this helps organizations mature over time, adapt to emerging threats, and continue to meet evolving security
�11
Using Solaris Operating System Security to Address PCI DSS Compliance
Sun Microsystems, Inc.
standards. It is only through such a holistic approach that an organization can fully address the requirements of the PCI DSS. For further assistance in developing such a program or for additional information regarding the use of the Solaris OS or other Sun products to address the PCI DSS, please contact a local Sun representative or visit the Sun web site at http://www.sun.com.
References
• PCI Security Standards Council
http://www.pcisecuritystandards.org
• Sun Security
http://www.sun.com/security
• Solaris Security
http://www.sun.com/solaris/security
Related Solaris Security Publications
• Thacker, Mark. “Eliminating Web Page Hijacking Using Solaris Security”, Solaris 10 Security How To Guides.
http://www.sun.com/software/solaris/howtoguides/s10securityhowto.pdf
• Sun, Ning and Bhattacharya, Pallab. “Using the Cryptographic Accelerator of the UltraSPARC T1 Processor,” Sun BluePrints OnLine, March, 2006.
http://www.sun.com/blueprints/0306/819-5782.pdf
• Brunette, Glenn. “Enforcing the Two-Person Rule via Role-based Access Control in the Solaris 10 OS,” Sun BluePrints OnLine, August, 2005.
http://www.sun.com/blueprints/0805/819-3164.pdf
• Brunette, Glenn. “Restricting Service Administration in the Solaris 10 Operating System,” Sun BluePrints OnLine, June, 2005.
http://www.sun.com/blueprints/0605/819-2887.pdf
• Brunette, Glenn. “Limiting Service Privileges in the Solaris 10 Operating System,” Sun BluePrints OnLine, May 2005.
http://www.sun.com/blueprints/0505/819-2680.pdf
• Brunette, Glenn. “Integrating BART and the Solaris Fingerprint Database in the Solaris 10 Operating System,” Sun BluePrints OnLine, April, 2005.
http://www.sun.com/blueprints/0405/819-2260.pdf
• Brunette, Glenn. “Automating Centralized File Integrity Checks in the Solaris 10 Operating System,” Sun BluePrints OnLine, March, 2005.
http://www.sun.com/blueprints/0305/819-2259.pdf
Related Solaris Security Resources
• Solaris Security Learning Center
http://www.sun.com/solaris/secure
�12
Using Solaris Operating System Security to Address PCI DSS Compliance
Sun Microsystems, Inc.
• Personalizing Security in the Solaris 10 Operating System (Instructor-led Training)
http://www.sun.com/training/catalog/courses/SC-301-S10.xml
• Solaris Security Toolkit
http://www.sun.com/security/jass
• OpenSolaris Security Community Library
http://www.opensolaris.org/os/community/security/library
• OpenSolaris Security Presentations
http://www.opensolaris.org/os/community/security/preso
• Solaris Fingerprint Database Tools
http://www.opensolaris.org/os/community/security/projects/sfpdb
Related Sun Security Publications
• Brunette, Glenn. “Toward Systemically Secure IT Architectures,” Sun BluePrints OnLine, February, 2006.
http://www.sun.com/blueprints/0206/819-5605.pdf
• Lofstrand, Mikael and Carolan, Jason. “Sun's Pattern-Based Design Framework: The Service Delivery Network,” Sun BluePrints OnLine, September, 2005.
http://www.sun.com/blueprints/0905/819-4148.pdf
• Lofstrand, Mikael and Carolan, Jason. “The Service Delivery Network: A Case Study,” Sun BluePrints OnLine, April, 2006.
http://www.sun.com/blueprints/0406/819-6319.pdf
�13
Using Solaris Operating System Security to Address PCI DSS Compliance
Sun Microsystems, Inc.
�Using Solaris Operating System Security to Address PCI DSS Compliance
On the Web sun.com
Sun Microsystems, Inc. 4150 Network Circle, Santa Clara, CA 95054 USA Phone 1-650-960-1300 or 1-800-555-9SUN (9786) Web sun.com
© 2007 Sun Microsystems, Inc. All rights reserved. © 2006-2007 Sun Microsystems, Inc. Sun, Sun Microsystems, the Sun logo, Java, JumpStart, Solaris and SunSolve are trademarks or registered trademarks of Sun Microsystems, Inc. in the U.S. and other countries. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. in the U.S. and other countries. Products bearing SPARC trademarks are based upon architecture developed by Sun Microsystems, Inc. Information subject to change without notice. SunWIN # 509468 Lit # SWWP13103-0 7/07
�