Published by: tashtiot on Jun 21, 2009
Copyright:Attribution Non-commercial

UNDERSTANDING THE SECURITY CAPABILITIES OF SOLARIS™ ZONES SOFTWARE

Glenn Brunette, Distinguished Engineer, Global Systems Engineering
Jeff Victor, Sr. Systems Engineer, Global Systems Engineering

Sun BluePrints Online
Part No 820-7017-10
Revision 1.0, 12/21/08
 
 Sun Microsystems, Inc.
Table of Contents

Zone Root File System
Process Containment
Operating System Privileges
    Default Privileges
    Required Privileges
    Prohibited Privileges
    Optional Privileges
Operating System Kernel Modules
Operating System Devices
Networking
    Shared IP
    Exclusive IP
Operating System Files
Operating System Security Configuration
Resource Management
    Memory Controls
        Physical and Virtual Memory Capping
        Shared Memory
        Locked Memory
    CPU Controls
        Fair Share Scheduler
        CPU Capping
        Private Pool
        Shared Pool
    Miscellaneous Controls
File Integrity Checks
Security Auditing
Solaris Trusted Extensions
Summary
About the Authors
Acknowledgments
References
Ordering Sun Documents
Accessing Sun Documentation Online
 
Understanding the Security Capabilities of Solaris™ Zones Software

Part of the Solaris 10 Operating System (OS), Solaris Zones are widely discussed across all corners of the Web. Over time, Solaris Zones have grown in popularity, third-party support has increased, and the technology has been enhanced continually to support new and different kinds of features and configurations.

So why does the world need yet another article about Solaris Zones? Simple. Most publications and sites focus on the consolidation benefits of Solaris Zones. While server and service consolidation is a key use case for Solaris Zones, there is so much more to the technology. Other materials focus on system administration practices related to configuration, installation, management, and troubleshooting. This is incredibly useful information, but there is still an important gap. Namely, many people do not have a full appreciation of the security benefits enabled by Solaris Zones, and sparse root zone configurations more specifically.

This Sun BluePrints™ article brings greater attention to the key security benefits of Solaris Zones. Using practical concepts and examples, readers can gain a new appreciation for the unique security capabilities enabled by this technology.

Conventions

The following conventions are used in this article:

• The functionality, content, and examples described in this article are based upon the Solaris 10 OS 10/08 release, yet apply to the Solaris Express Community Edition (starting with Build 95). However, many of the features discussed apply to earlier versions of the Solaris 10 OS. Refer to the operating system release notes for guidance regarding specific features or functionality.

• This article focuses on the security configuration as realized by a sparse-root zone configuration. Some of the concepts discussed do not apply to whole-root zone configurations. Readers unfamiliar with the basic concepts and practices involving Solaris Zones can refer to “Introduction to Solaris Zones” in System Administration Guide: Solaris Containers — Resource Management and Solaris Zones, located at http://docs.sun.com/app/docs/doc/817-1592/zones.intro-1?a=view, for background information.

• Every command line prompt includes a host name indicating the zone in which the command is run. The name of the non-global zone is web, and the name of the global zone is global. Each prompt has a suffix indicating whether the command is to be run as an unprivileged user ($) or if it requires administrative privileges (#).
