The driver (ldm_control-secure.driver) that Solaris Security Toolkit uses to harden the Solaris OS on the control domain is specifically tailored so that the Logical Domains Manager can run with the OS. The ldm_control-secure.driver is analogous to the secure.driver described in the Solaris Security Toolkit 4.2 Reference Manual.
The ldm_control-secure.driver provides a baseline configuration for the control domain of a system running the Logical Domains Manager software. It is intended to provide fewer system services than typical for a Solaris OS domain, reserving the control domain for Logical Domains Manager operations, rather than general usage.
The install-ldm script installs the Logical Domains Manager software if it is not already installed, and enables the software.
The following is a short summary of the other notable changes from secure.driver.
The Telnet server is disabled from running. You can use Secure Shell (ssh) instead. You can still use the Telnet client to access virtual consoles started by the Logical Domains virtual network terminal server daemon (vntsd). For example, if a virtual console is listening on TCP port 5001 on the local system, you can access it as follows.
# telnet localhost 5001
See Enabling the Logical Domains Manager Daemon for instructions on enabling vntsd. It is not automatically enabled.
The following finish scripts have been added. They enable the Logical Domains Manager to install and start. Some of these added scripts must be added to any customized drivers you make and some are optional. The scripts are marked as to whether they are required or optional.
The following files have changed. Making these changes in any customized drivers you have is optional, and each is marked as optional.
/etc/ssh/sshd_config – Root account access is allowed for the entire network. This file is not used in either driver. (Optional)
/etc/ipf/ipf.conf – UDP port 161 (SNMP) is opened. (Optional)
/etc/hosts.allow – The Secure Shell daemon (sshd) is open for the entire network, not just the local subnet. (Optional)
The following finish scripts are disabled (commented out). You should comment out the disable-rpc.fin script in any customized driver you make. The other changes are optional. The scripts are marked as to whether they are required or optional.
enable-ipfilter.fin – IP Filter, a network packet filter, is not enabled. (Optional)
disable-rpc.fin – Leaves Remote Procedure Call (RPC) service enabled. The RPC service is used by many other system services, such as Network Information Services (NIS) and network file system (NFS). (Required)
disable-sma.fin – Leaves the System Management Agent (NET-SNMP) enabled. (Optional)
disable-ssh-root-login.fin – ssh root login cannot be disabled.
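One way to check a customized driver against the list above, as an added example that is not part of the Solaris Security Toolkit or of the original page. It assumes the driver lists one finish script per line with disabled entries prefixed by #, and that a POSIX grep is available; the function names and the sample input are hypothetical.

```shell
#!/bin/sh
# Added example. Assumption: the driver lists one finish script per line and
# a disabled entry is that same line prefixed with '#'.

# fin_state DRIVER SCRIPT -> prints active | commented | absent
fin_state() {
    pat=$(printf '%s' "$2" | sed 's/\./\\./g')   # match dots literally
    if grep -Eq "^[[:space:]]*${pat}[[:space:]]*\$" "$1"; then
        echo active
    elif grep -Eq "^[[:space:]]*#+[[:space:]]*${pat}[[:space:]]*\$" "$1"; then
        echo commented
    else
        echo absent
    fi
}

# audit_driver DRIVER -> one line per script; returns 1 if disable-rpc.fin
# is still active (the one change the page marks as required).
audit_driver() {
    rc=0
    for entry in disable-rpc.fin:required enable-ipfilter.fin:optional \
                 disable-sma.fin:optional disable-ssh-root-login.fin:optional
    do
        name=${entry%%:*}
        need=${entry##*:}
        state=$(fin_state "$1" "$name")
        verdict=ok
        if [ "$need" = required ] && [ "$state" = active ]; then
            verdict=FAIL
            rc=1
        fi
        printf '%-28s %-9s %-9s %s\n' "$name" "$need" "$state" "$verdict"
    done
    return $rc
}

# Constructed sample input, not a real driver file.
sample_driver() {
    cat <<'EOF'
# finish scripts for a customized control-domain driver (constructed)
#   disable-rpc.fin
    disable-sma.fin
#   disable-ssh-root-login.fin
EOF
}

tmp=$(mktemp)
sample_driver > "$tmp"
audit_driver "$tmp"
rm -f "$tmp"
```

The state column also shows which optional relaxations a customized driver has taken on, such as leaving ssh root login or SNMP enabled, so they can be reviewed against the site's own policy.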