System Administration Guide: Oracle Solaris Containers-Resource Management and Oracle Solaris Zones |
Solaris auditing is described in Chapter 28, Oracle Solaris Auditing (Overview), in System Administration Guide: Security Services. For zones considerations associated with auditing, see the following sections:
Chapter 29, Planning for Oracle Solaris Auditing, in System Administration Guide: Security Services
Auditing and Solaris Zones in System Administration Guide: Security Services
An audit record describes an event, such as logging in to a system or writing to a file. The record is composed of tokens, which are sets of audit data. By using the zonename token, you can configure Solaris auditing to identify audit events by zone. Use of the zonename token allows you to produce the following information:
Audit records that are marked with the name of the zone that generated the record
An audit log for a specific zone that the global administrator can make available to the zone administrator
Solaris audit trails are configured in the global zone. Audit policy is set in the global zone and applies to processes in all zones. The audit records can be marked with the name of the zone in which the event occurred. To include zone names in audit records, you must edit the /etc/security/audit_startup file before you install any non-global zones. The zone name selection is case-sensitive.
To configure auditing in the global zone to include all zone audit records, add this line to the /etc/security/audit_startup file:
/usr/sbin/auditconfig -setpolicy +zonename
As the global administrator in the global zone, execute the auditconfig utility:
global# auditconfig -setpolicy +zonename
For additional information, see the audit_startup(1M) and auditconfig(1M) man pages and “Configuring Audit Files (Task Map)” in System Administration Guide: Security Services.
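A later line in audit_startup can remove the policy that an earlier line added, so it is worth checking the net result rather than searching for the +zonename line alone. The following check is an added example, not part of the original guide or of Solaris. It assumes the auditconfig(1M) prefix semantics ("+" adds flags, "-" removes them, a bare list replaces the policy), and zonename_enabled and the sample file are hypothetical names constructed here.

```shell
#!/bin/sh
# Added example (not Oracle's code). Exit 0 if the audit_startup script in $1
# leaves the zonename policy set. Assumes auditconfig(1M) prefix semantics:
# "+" adds the listed flags, "-" removes them, no prefix replaces the policy.
zonename_enabled() {
    awk '
    function apply(arg,    op, n, flags, k) {
        op = substr(arg, 1, 1)
        if (op == "+" || op == "-") arg = substr(arg, 2)
        else { op = "="; on = 0 }          # bare list: start from empty policy
        n = split(arg, flags, ",")
        for (k = 1; k <= n; k++)
            if (flags[k] == "zonename" || flags[k] == "all")
                on = (op != "-")           # flag names are case-sensitive
    }
    {
        sub(/(^|[ \t])#.*/, "")            # drop comments, whole-line or trailing
        cmd = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "auditconfig" || $i ~ /\/auditconfig$/) cmd = 1
            else if (cmd && $i == "-setpolicy" && i < NF) apply($(i + 1))
        }
    }
    END { exit(on ? 0 : 1) }
    ' "$1"
}

# Constructed sample: zonename is added, then lost to a later bare -setpolicy.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#! /bin/sh
/usr/bin/echo "Starting BSM services."
/usr/sbin/auditconfig -setpolicy +cnt
/usr/sbin/auditconfig -setpolicy +zonename
# site addition
/usr/sbin/auditconfig -setpolicy cnt,argv
EOF
if zonename_enabled "$sample"; then
    echo "zonename policy set: audit records will carry the zone name"
else
    echo "zonename policy NOT set after audit_startup runs"
fi
rm -f "$sample"
```

Run the function against /etc/security/audit_startup in the global zone before installing non-global zones; a non-zero exit status means records will not be marked with the zone name.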
When a non-global zone is installed, the audit_control file and the audit_user file in the global zone are copied to the zone's /etc/security directory. These files might require modification to reflect the zone's audit needs.
For example, each zone can be configured to audit some users differently from others. To apply different per-user preselection criteria, both the audit_control and the audit_user files must be edited. The audit_user file in the non-global zone might also require revisions to reflect the user base for the zone. Because each zone can be configured differently with regard to auditing users, it is possible for the audit_user file to be empty.
For additional information, see the audit_control(4) and audit_user(4) man pages.
By including the zonename token as described in Configuring Audit in the Global Zone, Solaris audit records can be categorized by zone. Records from different zones can then be collected by using the auditreduce command to create logs for a specific zone.
For more information, see the audit_startup(1M) and auditreduce(1M) man pages.