Security Considerations

The Solaris Security Toolkit software, informally known as the JumpStart trademark Architecture and Security Scripts (JASS) toolkit, provides an automated, extensible, and scalable mechanism to build and maintain secure Solaris OS systems. The Solaris Security Toolkit provides security for devices critical to the management of your server, including the control domain in the Logical Domains Manager.

The Solaris Security Toolkit 4.2 software package, SUNWjass, provides the means to secure the Solaris Operating System on your control domain through the use of the install-ldm script by:

Letting the Solaris Security Toolkit automatically harden your control domain by using the Logical Domains Manager install script (install-ldm) and the control driver specific to the Logical Domains Manager (ldm_control-secure.driver).
Selecting an alternative driver when using the install script.
Selecting no driver when using the install script and applying your own Solaris hardening.

The SUNWjass package is located with the Logical Domains (LDoms) Manager 1.0.1 software package, SUNWldm, at Sun’s software download web site. You have the option to download and install the Solaris Security Toolkit 4.2 software package at the same time you download and install the Logical Domains Manager 1.0.1 software. The Solaris Security Toolkit 4.2 software package includes the required patches to enable the Solaris Security Toolkit software to work with the Logical Domains Manager. Once the software is installed, you can harden your system with Solaris Security Toolkit 4.2 software. Chapter 3 tells you how to install and configure the Solaris Security Toolkit, and harden your control domain.

Following are the security functions available to users of the Logical Domains Manager provided by the Solaris Security Toolkit:

Hardening – Modifying Solaris OS configurations to improve a system’s security using the Solaris Security Toolkit 4.2 software with required patches to enable the Solaris Security Toolkit to work with the Logical Domains Manager.
Minimizing – Installing the minimum number of core Solaris OS packages necessary for LDoms and LDoms Management Information Base (MIB) support.
Authorization – Setting up authorization using the Solaris OS Role-Based Access Control (RBAC) adapted for the Logical Domains Manager.
Auditing – Using the Solaris OS Basic Security module (BSM) adapted for the Logical Domains Manager to identify the source of security changes to the system to determine what was done, when it was done, by whom, and what was affected.
Compliance – Determining if a system’s configuration is in compliance with a predefined security profile using the Solaris Security Toolkit’s auditing feature.

Solaris Security Toolkit and the Logical Domains Manager

Chapter 3 tells you how to install the Solaris Security Toolkit to make it work with the Logical Domains Manager. You would install the Solaris Security Toolkit on the control domain, which is where the Logical Domains Manager runs. You can also install the Solaris Security Toolkit on the other logical domains. The only difference would be that you would use the ldm_control-secure.driver to harden the control domain and you would use another driver, such as the secure.driver, to harden the other logical domains. This is because the ldm_control-secure.driver is specific to the control domain. The ldm_control-secure.driver is based on the secure.driver and has been customized and tested for use with the Logical Domains Manager. Refer to the Solaris Security Toolkit 4.2 Reference Manual for more information about the secure.driver.

Hardening

The driver (ldm_control-secure.driver) that Solaris Security Toolkit uses to harden the Solaris OS on the control domain is specifically tailored so that the Logical Domains Manager can run with the OS. The ldm_control-secure.driver is analogous to the secure.driver described in the Solaris Security Toolkit 4.2 Reference Manual.

The ldm_control-secure.driver provides a baseline configuration for the control domain of a system running the Logical Domains Manager software. It is intended to provide fewer system services than typical for a Solaris OS domain, reserving the control domain for Logical Domains Manager operations, rather than general usage.

The install-ldm script installs the Logical Domains Manager software if it is not already installed, and enables the software.

Following is a short summary of the other notable changes from secure.driver.

The Telnet server is disabled from running. You can use Secure Shell (ssh) instead. You also can still use the Telnet client to access virtual consoles started by the Logical Domains virtual network terminal server daemon (vntsd). For example, if a virtual console is running that is listening to TCP port 5001 on the local system, you can access it as follows.
# telnet localhost 5001
See Enabling the Logical Domains Manager Daemon for instructions on enabling vntsd. It is not automatically enabled.
The following finish scripts have been added. They enable the Logical Domains Manager to install and start. Some of these added scripts must be added to any customized drivers you make and some are optional. The scripts are marked as to whether they are required or optional.
- install-ldm.fin – Installs the SUNWldm package. (Required)
- enable-ldmd.fin – Enables the Logical Domains Manager daemon (ldmd) (Required)
- enable-ssh-root-login.fin – Enables the superuser to directly log in through the Secure Shell (ssh). (Optional)
The following files have changed. These changes are optional to make in any customized drivers you have and are marked as optional.
- /etc/ssh/sshd_config – Root account access is allowed for the entire network. This file is not used in either driver. (Optional)
- /etc/ipf/ipf.conf – UDP port 161 (SNMP) is opened. (Optional)
- /etc/host.allow – The Secure Shell daemon (sshd) is open for the entire network, not just the local subnet. (Optional)
The following finish scripts are disabled (commented out). You should comment out the disable-rpc.fin script in any customized driver you make. The other changes are optional. The scripts are marked as to whether they are required or optional.
- enable-ipfilter.fin – IP Filter, a network packet filter, is not enabled. (Optional)
- disable-rpc.fin – Leaves Remote Procedure Call (RPC) service enabled. The RPC service is used by many other system services, such as Network Information Service (NIS) and Network File System (NFS). (Required)
- disable-sma.fin – Leaves the System Management Agent (NET-SNMP) enabled. (Optional)
- disable-ssh-root-login.fin – ssh root login cannot be disabled.
- set-term-type.fin – Unneeded legacy script. (Optional)

Minimizing Logical Domains

The Solaris OS can be configured with different quantities of packages, depending on your needs. Minimization reduces this set of packages to the bare minimum required to run your desired applications. Minimization is important because it reduces the amount of software containing potential security vulnerabilities and also reduces the level of effort associated with keeping the installed software properly patched. The logical domain minimization activity provides JumpStart trademark support for installing a minimized Solaris OS that still fully supports any domain.

The Solaris Security Toolkit provides a JumpStart profile, minimal-ldm_control.profile, for minimizing a logical domain for LDoms, which installs all the Solaris OS packages necessary for LDoms and LDoms MIB support. If you want to use the LDoms MIB on the control domain, you need to add that package separately after you install the LDoms and Solaris Security Toolkit packages. It is not installed automatically with the other software. Refer to the Logical Domains (LDoms) Management Information Base (MIB) 1.0.1 Administration Guide for more information about installing and using the LDoms MIB.

Authorization

Authorization for the Logical Domains Manager has two levels:

Read – allows you to view, but not modify the configuration.
Read and write – allows you to view and change the configuration.

The changes are not made to the Solaris OS, but are added to the authorization file by the package script postinstall when the Logical Domains Manager is installed. Similarly, the authorization entries are removed by the package script preremove.

The following table lists the ldm subcommands with the corresponding user authorization that is needed to perform the commands.

**TABLE 2-1 `ldm` Subcommands and User Authorizations**
ldm Subcommand^[1]	User Authorization
`add-*`	`solaris.ldoms.write`
`bind-domain`	`solaris.ldoms.write`
`list`	`solaris.ldoms.read`
`list-*`	`solaris.ldoms.read`
`panic-domain`	`solaris.ldoms.write`
`remove-*`	`solaris.ldoms.write`
`set-*`	`solaris.ldoms.write`
`start-domain`	`solaris.ldoms.write`
`stop-domain`	`solaris.ldoms.write`
`unbind-domain`	`solaris.ldoms.write`

Auditing

Auditing the Logical Domains Manager CLI commands is done with Solaris OS Basic Security module (BSM) auditing. Refer to the Solaris 10 System Administration Guide: Security Services for detailed information about using Solaris OS BSM auditing.

BSM auditing is not enabled by default for the Logical Domains Manager; however, the infrastructure is provided. You can enable BSM auditing in one of two ways:

Run the enable-bsm.fin finish script in the Solaris Security Toolkit.
Use the Solaris OS bsmconv(1M) command.

For further details about enabling, verifying, disabling, printing output, and rotating logs using BSM auditing with the Logical Domains Manager, see Enabling and Using BSM Auditing.

Compliance

Solaris Security Toolkit does have its own auditing capabilities. The Solaris Security Toolkit software can automatically validate the security posture of any system running the Solaris OS by comparing it with a predefined security profile. Refer to “Auditing System Security” in the Solaris Security Toolkit 4.2 Administration Guide for more information about this compliance function.

^{1 (Table Footnote) Refers to all the resources you
can add, list, remove, or set.}