Logical Domains 1.2 Administration Guide

Solaris Security Toolkit and the Logical Domains Manager

Chapter 3, Installing and Enabling Software tells you how to install the Solaris Security Toolkit to make it work with the Logical Domains Manager. You would install the Solaris Security Toolkit on the control domain, which is where the Logical Domains Manager runs. You can also install the Solaris Security Toolkit on the other logical domains. The only difference would be that you would use the ldm_control-secure.driver to harden the control domain and you would use another driver, such as the secure.driver, to harden the other logical domains . This is because the ldm_control-secure.driver is specific to the control domain. The ldm_control-secure.driver is based on the secure.driver and has been customized and tested for use with the Logical Domains Manager. Refer to the Solaris Security Toolkit 4.2 Reference Manual for more information about the secure.driver.

Hardening the Solaris OS

The driver (ldm_control-secure.driver) that Solaris Security Toolkit uses to harden the Solaris OS on the control domain is specifically tailored so that the Logical Domains Manager can run with the OS. The ldm_control-secure.driver is analogous to the secure.driver described in the Solaris Security Toolkit 4.2 Reference Manual.

The ldm_control-secure.driver provides a baseline configuration for the control domain of a system running the Logical Domains Manager software. It is intended to provide fewer system services than typical for a Solaris OS domain, reserving the control domain for Logical Domains Manager operations, rather than general usage.

The install-ldm script installs the Logical Domains Manager software if it is not already installed, and enables the software.

Following is a short summary of the other notable changes from secure.driver.

The Telnet server is disabled from running. You can use Secure Shell (ssh) instead. You also can still use the Telnet client to access virtual consoles started by the Logical Domains virtual network terminal server daemon (vntsd). For example, if a virtual console is running that is listening to TCP port 5001 on the local system, you can access it as follows.
# telnet localhost 5001
See Enabling the Logical Domains Manager Daemon for instructions on enabling vntsd. It is not automatically enabled.
The following finish scripts have been added . They enable the Logical Domains Manager to install and start. Some of these added scripts must be added to any customized drivers you make and some are optional. The scripts are marked as to whether they are required or optional.
- install-ldm.fin – Installs the SUNWldm package. (Required)
- enable-ldmd.fin – Enables the Logical Domains Manager daemon (ldmd) (Required)
- enable-ssh-root-login.fin – Enables the superuser to directly log in through the Secure Shell (ssh). (Optional)
The following files have changed. These changes are optional to make in any customized drivers you have and are marked as optional.
- /etc/ssh/sshd_config – Root account access is allowed for the entire network. This file is not used in either driver. (Optional)
- /etc/ipf/ipf.conf – UDP port 161 (SNMP) is opened. (Optional)
- /etc/host.allow – The Secure Shell daemon (sshd) is open for the entire network, not just the local subnet. (Optional)
The following finish scripts are disabled (commented out). You should comment out the disable-rpc.fin script in any customized driver you make. The other changes are optional. The scripts are marked as to whether they are required or optional.
- enable-ipfilter.fin – IP Filter, a network packet filter, is not enabled. (Optional)
- disable-rpc.fin – Leaves Remote Procedure Call (RPC) service enabled. The RPC service is used by many other system services, such as Network Information Services (NIS) and network file system (NFS). (Required)
- disable-sma.fin – Leaves the System Management Agent (NET-SNMP) enabled. (Optional)
- disable-ssh-root-login.fin – ssh root login cannot be disabled.
- set-term-type.fin – Unneeded legacy script. (Optional)

Minimizing Logical Domains

The Solaris OS can be configured with different quantities of packages, depending on your needs. Minimization reduces this set of packages to the bare minimum required to run your desired applications. Minimization is important because it reduces the amount of software containing potential security vulnerabilities and also reduces the level of effort associated with keeping the installed software properly patched. The logical domain minimization activity provides JumpStart support for installing a minimized Solaris OS that still fully supports any domain.

The Solaris Security Toolkit provides a JumpStart profile, minimal-ldm_control.profile, for minimizing a logical domain for LDoms, which installs all the Solaris OS packages necessary for LDoms and LDoms MIB support. If you want to use the LDoms MIB on the control domain, you need to add that package separately after you install the LDoms and Solaris Security Toolkit packages. It is not installed automatically with the other software. Refer to the Logical Domains (LDoms) MIB 1.0.1 Administration Guide for more information about installing and using the LDoms MIB.

LDoms Manager Authorization

Authorization for the Logical Domains Manager has two levels:

Read – allows you to view, but not modify the configuration.
Read and write – allows you to view and change the configuration.

The changes are not made to the Solaris OS, but are added to the authorization file by the package script postinstall when the Logical Domains Manager is installed. Similarly, the authorization entries are removed by the package script preremove.

The following table lists the ldm subcommands with the corresponding user authorization that is needed to perform the commands.

Table 2–1 The ldm Subcommands and User Authorizations


ldm Subcommand [Refers to all the resources you can add, list, remove, or set.]	User Authorization
`add-*`	`solaris.ldoms.write`
`bind-domain`	`solaris.ldoms.write`
`list`	`solaris.ldoms.read`
`list-*`	`solaris.ldoms.read`
`panic-domain`	`solaris.ldoms.write`
`remove-*`	`solaris.ldoms.write`
`set-*`	`solaris.ldoms.write`
`start-domain`	`solaris.ldoms.write`
`stop-domain`	`solaris.ldoms.write`
`unbind-domain`	`solaris.ldoms.write`

Auditing LDoms Manager Commands

Auditing the Logical Domains Manager CLI commands is done with Solaris OS Basic Security module (BSM) auditing . Refer to the Solaris 10 System Administration Guide: Security Services for detailed information about using Solaris OS BSM auditing.

BSM auditing is not enabled by default for the Logical Domains Manager; however, the infrastructure is provided. You can enable BSM auditing in one of two ways:

Run the enable-bsm.fin finish script in the Solaris Security Toolkit.
Use the Solaris OS bsmconv(1M) command .

For further details about enabling, verifying, disabling, printing output, and rotating logs using BSM auditing with the Logical Domains Manager, see Enabling and Using BSM Auditing.

Using the Solaris Security Toolkit to Ensure Compliance

Solaris Security Toolkit does have its own auditing capabilities. The Solaris Security Toolkit software can automatically validate the security posture of any system running the Solaris OS by comparing it with a predefined security profile . Refer to “Auditing System Security” in the Solaris Security Toolkit 4.2 Administration Guide for more information about this compliance function.