This chapter describes some security features that you can enable on your Logical Domains system.
This chapter covers the following topics:
Authorization for the Logical Domains Manager has two levels:
Read – allows you to view, but not modify the configuration.
Read and write – allows you to view and change the configuration.
The changes are not made to the Solaris OS, but are added to the authorization file by the package script postinstall when the Logical Domains Manager is installed. Similarly, the authorization entries are removed by the package script preremove.
The following table lists the ldm subcommands with the corresponding user authorization that is needed to perform the commands.
Table 3–1 The ldm Subcommands and User Authorizations
The vntsd daemon provides an SMF property named vntsd/authorization. This property can be configured to enable the authorization checking of users and roles for a domain console or a console group. To enable authorization checking, use the svccfg command to set the value of this property to true. While this option is enabled, vntsd listens and accepts connections only on localhost. If the listen_addr property specifies an alternate IP address when vntsd/authorization is enabled, vntsd ignores the alternate IP address and continues to listen only on localhost.
By default, an authorization to access all guest consoles is added to the auth_attr database, when the vntsd service is enabled.
solaris.vntsd.consoles:::Access All LDoms Guest Consoles:: |
Superuser can use the usermod command to assign the required authorizations to other users or roles. This permits only the user or role who has the required authorizations to access a given domain console or console groups.
The following example gives user terry the authorization to access all domain consoles:
# usermod -A "solaris.vntsd.consoles" terry |
The following example adds a new authorization for a specific domain console with the name ldg1 and assigns that authorization to a user sam:
Add the new authorization entry to the auth_attr file for domain ldg1.
solaris.vntsd.console-ldg1:::Access Specific LDoms Guest Console:: |
Assign this authorization to user sam:
# usermod -A "solaris.vntsd.console-ldg1" sam |
For more information about authorizations and RBAC, see System Administration Guide: Security Services.
You set up authorization and profiles and assign roles for user accounts using the Solaris OS Role-Based Access Control (RBAC) adapted for the Logical Domains Manager. Refer to the Solaris 10 System Administrator Collection for more information about RBAC.
Authorization for the Logical Domains Manager has two levels:
Read – allows you to view, but not modify the configuration.
Read and write – allows you to view and change the configuration.
Following are the Logical Domains entries automatically added to the Solaris OS /etc/security/auth_attr file:
solaris.ldoms.:::LDom administration::
solaris.ldoms.grant:::Delegate LDom configuration::
solaris.ldoms.read:::View LDom configuration::
solaris.ldoms.write:::Manage LDom configuration::
Use the following steps as necessary to add authorizations in the /etc/security/auth_attr file for Logical Domains Manager users. Because the superuser already has solaris.* authorization, the superuser already has permission for solaris.ldoms.* authorizations.
Create a local user account for each user who needs authorization to use the ldm(1M) subcommands.
To add Logical Domains Manager authorization for a user, a local (non-LDAP) account must be created for that user. Refer to the Solaris 10 System Administrator Collection for details.
Do one of the following depending on which ldm(1M) subcommands you want the user to be able to access.
See Table 3–1 for a list of ldm(1M) commands and their user authorizations.
Add a read-only authorization for a user using the usermod(1M) command.
# usermod -A solaris.ldoms.read username |
Add a read and write authorization for a user using the usermod(1M) command.
# usermod -A solaris.ldoms.write username |
Delete all authorizations for a local user account (the only possible option).
# usermod -A `` username |
The SUNWldm package adds two system-defined RBAC profiles in the /etc/security/prof_attr file for use in authorizing access to the Logical Domains Manager by non-superusers. The two LDoms-specific profiles are:
LDoms Review:::Review LDoms configuration:auths=solaris.ldoms.read
LDoms Management:::Manage LDoms domains:auths=solaris.ldoms.*
One of the preceding profiles can be assigned to a user account using the following procedure.
Add an administrative profile for a local user account; for example, LDoms Management.
# usermod -P “LDoms Management” username |
The advantage of using this procedure is that only a user who has been assigned a specific role can assume the role. In assuming a role, a password is required if the role is given a password. This provides two layers of security. If a user has not been assigned a role, then the user cannot assume the role (by doing the su role-name command) even if the user has the correct password.
Create a role.
# roleadd -A solaris.ldoms.read ldm_read |
Assign a password to the role.
# passwd ldm_read |
Assign the role to a user; for example, user_1.
# useradd -R ldm_read user_1 |
Assign a password to the user (user_1).
# passwd user_1 |
Assign access only to the user_1 account to become the ldm_read account.
# su user_1 |
Type the user password when or if prompted.
Verify the user ID and access to the ldm_read role.
$ id uid=nn(user_1) gid=nn(<group name>) $ roles ldm_read |
Provide access to the user for ldm subcommands that have read authorization.
# su ldm_read |
Type the user password when or if prompted.
Type the id command to show the user.
$ id uid=nn(ldm_read) gid=nn(<group name>) |
In addition to the Logical Domains authorizations (solaris.ldoms.*), you must use the file_dac_read and file_dac_search privileges to migrate a domain to another system. By having these privileges, the user can read the Logical Domains Manager key, /var/opt/SUNWldm/server.key, which is only readable by superuser for security reasons.
Become superuser or assume an equivalent role.
Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.
Use the usermod command to add the file_dac_read and file_dac_search privileges for a user.
# usermod -K defaultpriv=basic,file_dac_read,file_dac_search username |
For more information about the usermod command, see the usermod(1M) man page.
The following command adds the file_dac_read and file_dac_search privileges for the ldm_mig user:
# usermod -K defaultpriv=basic,file_dac_read,file_dac_search ldm_mig |
Become superuser or assume an equivalent role.
Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.
Use the usermod command to delete all the privileges for a user.
# usermod -K defaultpriv=basic username |
For more information about the usermod command, see the usermod(1M) man page.
The following command deletes the privileges for the ldm_mig user:
# usermod -K defaultpriv=basic ldm_mig |
The Logical Domains Manager uses the Solaris OS Basic Security module (BSM) auditing capability. BSM auditing provides the means to examine the history of actions and events on your control domain to determine what happened. The history is kept in a log of what was done, when it was done, by whom, and what was affected.
To enable and disable this auditing capability, use the Solaris OS bsmconv(1M) and bsmunconv(1M) commands. This section also includes tasks that show how to verify the auditing capability, print audit output, and rotate audit logs. You can find further information about BSM auditing in the Solaris 10 System Administration Guide: Security Services.
Add vs in the flags: line of the /etc/security/audit_control file.
Run the bsmconv(1M) command.
# /etc/security/bsmconv |
For more information about this command, see the bsmconv(1M) man page.
Reboot the Solaris OS for auditing to take effect.
Type the following command.
# auditconfig -getcond |
Check that audit condition = auditing appears in the output.
Run the bsmunconv command to disable BSM auditing.
# /etc/security/bsmunconv |
For more information about this command, see the bsmunconv(1M) man page.
Reboot the Solaris OS for the disabling of auditing to take effect.
Use one of the following to print BSM audit output:
Use the auditreduce(1M) and praudit(1M) commands to print audit output.
# auditreduce -c vs | praudit # auditreduce -c vs -a 20060502000000 | praudit |
Use the praudit -x command to print XML output.