Logical Domains 1.2 Administration Guide

Chapter 2 Security

This chapter describes the Solaris Security Toolkit software and how you can use it to secure the Solaris OS in your logical domains.

This chapter covers the following topics:

Security Considerations

The Solaris Security Toolkit software, informally known as the JumpStartTM Architecture and Security Scripts (JASS) toolkit, provides an automated, extensible, and scalable mechanism to build and maintain secure Solaris OS systems. The Solaris Security Toolkit provides security for devices critical to the management of your server, including the control domain in the Logical Domains Manager.

The Solaris Security Toolkit 4.2 software package, SUNWjass, provides the means to secure the Solaris Operating System on your control domain through the use of the install-ldm script by:

The SUNWjass package is located with the Logical Domains (LDoms) Manager 1.2 software package, SUNWldm, at Sun's software download web site. You have the option to download and install the Solaris Security Toolkit 4.2 software package at the same time you download and install the Logical Domains Manager 1.2 software. The Solaris Security Toolkit 4.2 software package includes the required patches to enable the Solaris Security Toolkit software to work with the Logical Domains Manager. Once the software is installed, you can harden your system with Solaris Security Toolkit 4.2 software. Chapter 3, Installing and Enabling Software tells you how to install and configure the Solaris Security Toolkit, and harden your control domain.

Following are the security functions available to users of the Logical Domains Manager provided by the Solaris Security Toolkit:

Solaris Security Toolkit and the Logical Domains Manager

Chapter 3, Installing and Enabling Software tells you how to install the Solaris Security Toolkit to make it work with the Logical Domains Manager. You would install the Solaris Security Toolkit on the control domain, which is where the Logical Domains Manager runs. You can also install the Solaris Security Toolkit on the other logical domains. The only difference would be that you would use the ldm_control-secure.driver to harden the control domain and you would use another driver, such as the secure.driver, to harden the other logical domains. This is because the ldm_control-secure.driver is specific to the control domain. The ldm_control-secure.driver is based on the secure.driver and has been customized and tested for use with the Logical Domains Manager. Refer to the Solaris Security Toolkit 4.2 Reference Manual for more information about the secure.driver.

Hardening the Solaris OS

The driver (ldm_control-secure.driver) that Solaris Security Toolkit uses to harden the Solaris OS on the control domain is specifically tailored so that the Logical Domains Manager can run with the OS. The ldm_control-secure.driver is analogous to the secure.driver described in the Solaris Security Toolkit 4.2 Reference Manual.

The ldm_control-secure.driver provides a baseline configuration for the control domain of a system running the Logical Domains Manager software. It is intended to provide fewer system services than typical for a Solaris OS domain, reserving the control domain for Logical Domains Manager operations, rather than general usage.

The install-ldm script installs the Logical Domains Manager software if it is not already installed, and enables the software.

Following is a short summary of the other notable changes from secure.driver.

Minimizing Logical Domains

The Solaris OS can be configured with different quantities of packages, depending on your needs. Minimization reduces this set of packages to the bare minimum required to run your desired applications. Minimization is important because it reduces the amount of software containing potential security vulnerabilities and also reduces the level of effort associated with keeping the installed software properly patched. The logical domain minimization activity provides JumpStart support for installing a minimized Solaris OS that still fully supports any domain.

The Solaris Security Toolkit provides a JumpStart profile, minimal-ldm_control.profile, for minimizing a logical domain for LDoms, which installs all the Solaris OS packages necessary for LDoms and LDoms MIB support. If you want to use the LDoms MIB on the control domain, you need to add that package separately after you install the LDoms and Solaris Security Toolkit packages. It is not installed automatically with the other software. Refer to the Logical Domains (LDoms) MIB 1.0.1 Administration Guide for more information about installing and using the LDoms MIB.

LDoms Manager Authorization

Authorization for the Logical Domains Manager has two levels:

The changes are not made to the Solaris OS, but are added to the authorization file by the package script postinstall when the Logical Domains Manager is installed. Similarly, the authorization entries are removed by the package script preremove.

The following table lists the ldm subcommands with the corresponding user authorization that is needed to perform the commands.

Table 2–1 The ldm Subcommands and User Authorizations

ldm Subcommand [Refers to all the resources you can add, list, remove, or set.]

User Authorization 





















Auditing LDoms Manager Commands

Auditing the Logical Domains Manager CLI commands is done with Solaris OS Basic Security module (BSM) auditing. Refer to the Solaris 10 System Administration Guide: Security Services for detailed information about using Solaris OS BSM auditing.

BSM auditing is not enabled by default for the Logical Domains Manager; however, the infrastructure is provided. You can enable BSM auditing in one of two ways:

For further details about enabling, verifying, disabling, printing output, and rotating logs using BSM auditing with the Logical Domains Manager, see Enabling and Using BSM Auditing.

Using the Solaris Security Toolkit to Ensure Compliance

Solaris Security Toolkit does have its own auditing capabilities. The Solaris Security Toolkit software can automatically validate the security posture of any system running the Solaris OS by comparing it with a predefined security profile. Refer to “Auditing System Security” in the Solaris Security Toolkit 4.2 Administration Guide for more information about this compliance function.

Enabling and Using BSM Auditing

The Logical Domains Manager uses the Solaris OS Basic Security module (BSM) auditing capability. BSM auditing provides the means to examine the history of actions and events on your control domain to determine what happened. The history is kept in a log of what was done, when it was done, by whom, and what was affected.

If you want to use this auditing capability, this section describes how to enable, verify, disable, print output, and rotate audit logs. You can find further information about BSM auditing in the Solaris 10 System Administration Guide: Security Services.

You can enable BSM auditing in one of two ways. When you want to disable auditing, be sure you use the same method that you used in enabling. The two methods are as follows:

Here are the procedures for both methods.

ProcedureUse the enable-bsm.fin Finish Script

  1. Copy the ldm_control-secure.driver to my-ldm.driver, where my-ldm.driver is the name for your copy of the ldm_control-secure.driver.

  2. Copy the ldm_control-config.driver to my-ldm-config.driver, where my-ldm-config.driver is the name for your copy of the ldm_control-config.driver.

  3. Copy the ldm_control-hardening.driver to my-ldm-hardening.driver, where my-ldm-hardening.driver is the name for your copy of the ldm_control-hardening.driver.

  4. Edit my-ldm.driver to refer to the new configuration and hardening drivers, my-ldm-control.driver and my-ldm-hardening.driver, respectively.

  5. Edit my-ldm-hardening.driver, and remove the pound sign (#) from in front of the following line in the driver.

  6. Execute my-ldm.driver.

    # /opt/SUNWjass/bin/jass-execute -d my-ldm.driver
  7. Reboot the Solaris OS for auditing to take effect.

ProcedureUse the Solaris OS bsmconv(1M) Command

  1. Add vs in the flags: line of the /etc/security/audit_control file.

  2. Run the bsmconv(1M) command.

    # /etc/security/bsmconv

    For more information about this command, refer to the bsmconv(1M) man page.

  3. Reboot the Solaris OS for auditing to take effect.

ProcedureVerify that BSM Auditing is Enabled

  1. Type the following command.

    # auditconfig -getcond
  2. Check that audit condition = auditing appears in the output.

ProcedureDisable Auditing

You can disable auditing in one of two ways, depending on how you enabled it. See Enabling and Using BSM Auditing.

  1. Do one of the following.

    • Undo the Solaris Security Toolkit hardening run that enabled BSM auditing.

      # /opt/SUNWjass/bin/jass-execute -u
    • Run the Solaris OS bsmunconv(1M) command.

      # /etc/security/bsmunconv
  2. Reboot the Solaris OS for the disabling of auditing to take effect.

ProcedurePrint Audit Output

  1. Use one of the following to print BSM audit output:

    • Use the Solaris OS commands auditreduce(1M) and praudit(1M) to print audit output.

      # auditreduce -c vs | praudit
      # auditreduce -c vs -a 20060502000000 | praudit
    • Use the Solaris OS praudit -x command to print XML output.

ProcedureRotate Audit Logs

  1. Use the Solaris OS audit -n command to rotate audit logs.

Configuring RBAC for Guest Console Access

The vntsd daemon provides an SMF property named vntsd/authorization. This property can be configured to enable the authorization checking of users and roles for a domain console or a console group. To enable authorization checking, use the svccfg command to set the value of this property to true. While this option is enabled, vntsd listens and accepts connections only on localhost. If the listen_addr property specifies an alternate IP address when vntsd/authorization is enabled, vntsd ignores the alternate IP address and continues to listen only on localhost.

By default, an authorization to access all guest consoles is added to the auth_attr database, when the vntsd service is enabled.

solaris.vntsd.consoles:::Access All LDoms Guest Consoles::

Superuser can use the usermod command to assign the required authorizations to other users or roles. This permits only the user or role who has the required authorizations to access a given domain console or console groups.

The following example gives user terry the authorization to access all domain consoles:

# usermod -A "solaris.vntsd.consoles" terry

The following example adds a new authorization for a specific domain console with the name ldg1 and assigns that authorization to a user sam:

  1. Add the new authorization entry to the auth_attr file for domain ldg1.

    solaris.vntsd.console-ldg1:::Access Specific LDoms Guest Console::
  2. Assign this authorization to user sam:

    # usermod -A "solaris.vntsd.console-ldg1" sam

For more information about authorizations and RBAC, see System Administration Guide: Security Services.