Logical Domains 1.2 Administration Guide

Chapter 2 Security

This chapter describes the Solaris Security Toolkit software and how you can use it to secure the Solaris OS in your logical domains.

This chapter covers the following topics:

Security Considerations

The Solaris Security Toolkit software , informally known as the JumpStart^TM Architecture and Security Scripts (JASS) toolkit, provides an automated, extensible, and scalable mechanism to build and maintain secure Solaris OS systems. The Solaris Security Toolkit provides security for devices critical to the management of your server, including the control domain in the Logical Domains Manager.

The Solaris Security Toolkit 4.2 software package, SUNWjass, provides the means to secure the Solaris Operating System on your control domain through the use of the install-ldm script by:

Letting the Solaris Security Toolkit automatically harden your control domain by using the Logical Domains Manager install script (install-ldm) and the control driver specific to the Logical Domains Manager (ldm_control-secure.driver).
Selecting an alternative driver when using the install script.
Selecting no driver when using the install script and applying your own Solaris hardening.

The SUNWjass package is located with the Logical Domains (LDoms) Manager 1.2 software package, SUNWldm, at Sun's software download web site. You have the option to download and install the Solaris Security Toolkit 4.2 software package at the same time you download and install the Logical Domains Manager 1.2 software. The Solaris Security Toolkit 4.2 software package includes the required patches to enable the Solaris Security Toolkit software to work with the Logical Domains Manager. Once the software is installed, you can harden your system with Solaris Security Toolkit 4.2 software. Chapter 3, Installing and Enabling Software tells you how to install and configure the Solaris Security Toolkit, and harden your control domain.

Following are the security functions available to users of the Logical Domains Manager provided by the Solaris Security Toolkit:

Hardening – Modifying Solaris OS configurations to improve a system's security using the Solaris Security Toolkit 4.2 software with required patches to enable the Solaris Security Toolkit to work with the Logical Domains Manager.
Minimizing – Installing the minimum number of core Solaris OS packages necessary for LDoms and LDoms Management Information Base (MIB) support.
Authorization – Setting up authorization using the Solaris OS Role-Based Access Control (RBAC) adapted for the Logical Domains Manager.
Auditing – Using the Solaris OS Basic Security module (BSM) adapted for the Logical Domains Manager to identify the source of security changes to the system to determine what was done, when it was done, by whom, and what was affected.
Compliance – Determining if a system's configuration is in compliance with a predefined security profile using the Solaris Security Toolkit's auditing feature.

Solaris Security Toolkit and the Logical Domains Manager

Chapter 3, Installing and Enabling Software tells you how to install the Solaris Security Toolkit to make it work with the Logical Domains Manager. You would install the Solaris Security Toolkit on the control domain, which is where the Logical Domains Manager runs. You can also install the Solaris Security Toolkit on the other logical domains. The only difference would be that you would use the ldm_control-secure.driver to harden the control domain and you would use another driver, such as the secure.driver, to harden the other logical domains . This is because the ldm_control-secure.driver is specific to the control domain. The ldm_control-secure.driver is based on the secure.driver and has been customized and tested for use with the Logical Domains Manager. Refer to the Solaris Security Toolkit 4.2 Reference Manual for more information about the secure.driver.

Hardening the Solaris OS

The driver (ldm_control-secure.driver) that Solaris Security Toolkit uses to harden the Solaris OS on the control domain is specifically tailored so that the Logical Domains Manager can run with the OS. The ldm_control-secure.driver is analogous to the secure.driver described in the Solaris Security Toolkit 4.2 Reference Manual.

The ldm_control-secure.driver provides a baseline configuration for the control domain of a system running the Logical Domains Manager software. It is intended to provide fewer system services than typical for a Solaris OS domain, reserving the control domain for Logical Domains Manager operations, rather than general usage.

The install-ldm script installs the Logical Domains Manager software if it is not already installed, and enables the software.

Following is a short summary of the other notable changes from secure.driver.

The Telnet server is disabled from running. You can use Secure Shell (ssh) instead. You also can still use the Telnet client to access virtual consoles started by the Logical Domains virtual network terminal server daemon (vntsd). For example, if a virtual console is running that is listening to TCP port 5001 on the local system, you can access it as follows.
# telnet localhost 5001
See Enabling the Logical Domains Manager Daemon for instructions on enabling vntsd. It is not automatically enabled.
The following finish scripts have been added . They enable the Logical Domains Manager to install and start. Some of these added scripts must be added to any customized drivers you make and some are optional. The scripts are marked as to whether they are required or optional.
- install-ldm.fin – Installs the SUNWldm package. (Required)
- enable-ldmd.fin – Enables the Logical Domains Manager daemon (ldmd) (Required)
- enable-ssh-root-login.fin – Enables the superuser to directly log in through the Secure Shell (ssh). (Optional)
The following files have changed. These changes are optional to make in any customized drivers you have and are marked as optional.
- /etc/ssh/sshd_config – Root account access is allowed for the entire network. This file is not used in either driver. (Optional)
- /etc/ipf/ipf.conf – UDP port 161 (SNMP) is opened. (Optional)
- /etc/host.allow – The Secure Shell daemon (sshd) is open for the entire network, not just the local subnet. (Optional)
The following finish scripts are disabled (commented out). You should comment out the disable-rpc.fin script in any customized driver you make. The other changes are optional. The scripts are marked as to whether they are required or optional.
- enable-ipfilter.fin – IP Filter, a network packet filter, is not enabled. (Optional)
- disable-rpc.fin – Leaves Remote Procedure Call (RPC) service enabled. The RPC service is used by many other system services, such as Network Information Services (NIS) and network file system (NFS). (Required)
- disable-sma.fin – Leaves the System Management Agent (NET-SNMP) enabled. (Optional)
- disable-ssh-root-login.fin – ssh root login cannot be disabled.
- set-term-type.fin – Unneeded legacy script. (Optional)

Minimizing Logical Domains

The Solaris OS can be configured with different quantities of packages, depending on your needs. Minimization reduces this set of packages to the bare minimum required to run your desired applications. Minimization is important because it reduces the amount of software containing potential security vulnerabilities and also reduces the level of effort associated with keeping the installed software properly patched. The logical domain minimization activity provides JumpStart support for installing a minimized Solaris OS that still fully supports any domain.

The Solaris Security Toolkit provides a JumpStart profile, minimal-ldm_control.profile, for minimizing a logical domain for LDoms, which installs all the Solaris OS packages necessary for LDoms and LDoms MIB support. If you want to use the LDoms MIB on the control domain, you need to add that package separately after you install the LDoms and Solaris Security Toolkit packages. It is not installed automatically with the other software. Refer to the Logical Domains (LDoms) MIB 1.0.1 Administration Guide for more information about installing and using the LDoms MIB.

LDoms Manager Authorization

Authorization for the Logical Domains Manager has two levels:

Read – allows you to view, but not modify the configuration.
Read and write – allows you to view and change the configuration.

The changes are not made to the Solaris OS, but are added to the authorization file by the package script postinstall when the Logical Domains Manager is installed. Similarly, the authorization entries are removed by the package script preremove.

The following table lists the ldm subcommands with the corresponding user authorization that is needed to perform the commands.

Table 2–1 The ldm Subcommands and User Authorizations


ldm Subcommand [Refers to all the resources you can add, list, remove, or set.]	User Authorization
`add-*`	`solaris.ldoms.write`
`bind-domain`	`solaris.ldoms.write`
`list`	`solaris.ldoms.read`
`list-*`	`solaris.ldoms.read`
`panic-domain`	`solaris.ldoms.write`
`remove-*`	`solaris.ldoms.write`
`set-*`	`solaris.ldoms.write`
`start-domain`	`solaris.ldoms.write`
`stop-domain`	`solaris.ldoms.write`
`unbind-domain`	`solaris.ldoms.write`

Auditing LDoms Manager Commands

Auditing the Logical Domains Manager CLI commands is done with Solaris OS Basic Security module (BSM) auditing . Refer to the Solaris 10 System Administration Guide: Security Services for detailed information about using Solaris OS BSM auditing.

BSM auditing is not enabled by default for the Logical Domains Manager; however, the infrastructure is provided. You can enable BSM auditing in one of two ways:

Run the enable-bsm.fin finish script in the Solaris Security Toolkit.
Use the Solaris OS bsmconv(1M) command .

For further details about enabling, verifying, disabling, printing output, and rotating logs using BSM auditing with the Logical Domains Manager, see Enabling and Using BSM Auditing.

Using the Solaris Security Toolkit to Ensure Compliance

Solaris Security Toolkit does have its own auditing capabilities. The Solaris Security Toolkit software can automatically validate the security posture of any system running the Solaris OS by comparing it with a predefined security profile . Refer to “Auditing System Security” in the Solaris Security Toolkit 4.2 Administration Guide for more information about this compliance function.

Enabling and Using BSM Auditing

The Logical Domains Manager uses the Solaris OS Basic Security module (BSM) auditing capability. BSM auditing provides the means to examine the history of actions and events on your control domain to determine what happened. The history is kept in a log of what was done, when it was done, by whom, and what was affected.

If you want to use this auditing capability, this section describes how to enable, verify, disable, print output, and rotate audit logs. You can find further information about BSM auditing in the Solaris 10 System Administration Guide: Security Services.

You can enable BSM auditing in one of two ways. When you want to disable auditing, be sure you use the same method that you used in enabling. The two methods are as follows:

Use the enable-bsm.fin finish script in the Solaris Security Toolkit.

The enable-bsm.fin script is not used by default by the ldm_control-secure.driver. You must enable the finish script in your chosen driver.
Use the Solaris OS bsmconv(1M) command.

Here are the procedures for both methods.

Use the `enable-bsm.fin` Finish Script

Copy the ldm_control-secure.driver to my-ldm.driver, where my-ldm.driver is the name for your copy of the ldm_control-secure.driver.

Copy the ldm_control-config.driver to my-ldm-config.driver, where my-ldm-config.driver is the name for your copy of the ldm_control-config.driver.

Copy the ldm_control-hardening.driver to my-ldm-hardening.driver, where my-ldm-hardening.driver is the name for your copy of the ldm_control-hardening.driver.

Edit my-ldm.driver to refer to the new configuration and hardening drivers, my-ldm-control.driver and my-ldm-hardening.driver, respectively.

Edit my-ldm-hardening.driver, and remove the pound sign (#) from in front of the following line in the driver.
enable-bsm.fin

Execute my-ldm.driver.

# /opt/SUNWjass/bin/jass-execute -d my-ldm.driver

Reboot the Solaris OS for auditing to take effect.

Use the Solaris OS bsmconv(1M) Command

Add vs in the flags: line of the /etc/security/audit_control file.

Run the bsmconv(1M) command.
# /etc/security/bsmconv
For more information about this command, refer to the bsmconv(1M) man page.

Reboot the Solaris OS for auditing to take effect.

Verify that BSM Auditing is Enabled

Type the following command.
# auditconfig -getcond

Check that audit condition = auditing appears in the output.

Disable Auditing

You can disable auditing in one of two ways, depending on how you enabled it. See Enabling and Using BSM Auditing.

Do one of the following.
- Undo the Solaris Security Toolkit hardening run that enabled BSM auditing.
  # /opt/SUNWjass/bin/jass-execute -u
- Run the Solaris OS bsmunconv(1M) command.
  # /etc/security/bsmunconv

Reboot the Solaris OS for the disabling of auditing to take effect.

Print Audit Output

Use one of the following to print BSM audit output:
- Use the Solaris OS commands auditreduce(1M) and praudit(1M) to print audit output.
  # auditreduce -c vs | praudit # auditreduce -c vs -a 20060502000000 | praudit
- Use the Solaris OS praudit -x command to print XML output.

Rotate Audit Logs

Use the Solaris OS audit -n command to rotate audit logs.

Configuring RBAC for Guest Console Access

The vntsd daemon provides an SMF property named vntsd/authorization. This property can be configured to enable the authorization checking of users and roles for a domain console or a console group. To enable authorization checking, use the svccfg command to set the value of this property to true. While this option is enabled, vntsd listens and accepts connections only on localhost. If the listen_addr property specifies an alternate IP address when vntsd/authorization is enabled, vntsd ignores the alternate IP address and continues to listen only on localhost.

By default, an authorization to access all guest consoles is added to the auth_attr database, when the vntsd service is enabled.

solaris.vntsd.consoles:::Access All LDoms Guest Consoles::

Superuser can use the usermod command to assign the required authorizations to other users or roles. This permits only the user or role who has the required authorizations to access a given domain console or console groups.

The following example gives user terry the authorization to access all domain consoles:

# usermod -A "solaris.vntsd.consoles" terry

The following example adds a new authorization for a specific domain console with the name ldg1 and assigns that authorization to a user sam:

Add the new authorization entry to the auth_attr file for domain ldg1.
solaris.vntsd.console-ldg1:::Access Specific LDoms Guest Console::

Assign this authorization to user sam:

# usermod -A "solaris.vntsd.console-ldg1" sam

For more information about authorizations and RBAC, see System Administration Guide: Security Services.