Logical Domains 1.3 Administration Guide

Chapter 3 Security

This chapter describes some security features that you can enable on your Logical Domains system.

This chapter covers the following topics:

• LDoms Manager Authorization
• Configuring RBAC for Guest Console Access
• Creating Authorization and Profiles and Assigning Roles for User Accounts
• Enabling and Using BSM Auditing

LDoms Manager Authorization

Authorization for the Logical Domains Manager has two levels, each a Solaris RBAC authorization:

• solaris.ldoms.read, which permits the list subcommands that only display configuration
• solaris.ldoms.write, which permits the subcommands that add, remove, or set resources or change a domain's state

These authorizations are not part of the Solaris OS itself. They are added to the authorization file (/etc/security/auth_attr) by the postinstall script of the Logical Domains Manager package when the package is installed, and removed again by its preremove script when the package is removed.

The following table lists the ldm subcommands with the corresponding user authorization that is needed to perform the commands.

Table 3–1 The ldm Subcommands and User Authorizations

ldm Subcommand*        User Authorization
--------------         -------------------
add-*                  solaris.ldoms.write
bind-domain            solaris.ldoms.write
list                   solaris.ldoms.read
list-*                 solaris.ldoms.read
panic-domain           solaris.ldoms.write
remove-*               solaris.ldoms.write
set-*                  solaris.ldoms.write
start-domain           solaris.ldoms.write
stop-domain            solaris.ldoms.write
unbind-domain          solaris.ldoms.write

* The asterisk in add-*, list-*, remove-*, and set-* refers to all the resources you can add, list, remove, or set.

Configuring RBAC for Guest Console Access

The vntsd daemon provides an SMF property named vntsd/authorization. This property can be configured to enable the authorization checking of users and roles for a domain console or a console group. To enable authorization checking, use the svccfg command to set the value of this property to true. While this option is enabled, vntsd listens and accepts connections only on localhost. If the listen_addr property specifies an alternate IP address when vntsd/authorization is enabled, vntsd ignores the alternate IP address and continues to listen only on localhost.

By default, when the vntsd service is enabled, an authorization that grants access to all guest consoles is added to the auth_attr database:


solaris.vntsd.consoles:::Access All LDoms Guest Consoles::

The superuser can use the usermod command to assign the required authorization to other users or roles. Only a user or role that holds the required authorization can then access a given domain console or console group. Note that usermod -A replaces the account's existing authorization list rather than appending to it, so include any authorizations the account already holds (as shown by the auths(1) command) in the same comma-separated argument.

The following example gives user terry the authorization to access all domain consoles:


# usermod -A "solaris.vntsd.consoles" terry

The following example adds a new authorization for the console of the specific domain ldg1 and assigns that authorization to the user sam:

  1. Add the new authorization entry to the auth_attr file for domain ldg1.


    solaris.vntsd.console-ldg1:::Access Specific LDoms Guest Console::
  2. Assign this authorization to user sam:


    # usermod -A "solaris.vntsd.console-ldg1" sam
    

For more information about authorizations and RBAC, see System Administration Guide: Security Services.

Creating Authorization and Profiles and Assigning Roles for User Accounts

You set up authorization and profiles and assign roles for user accounts using the Solaris OS Role-Based Access Control (RBAC) adapted for the Logical Domains Manager. Refer to the Solaris 10 System Administrator Collection for more information about RBAC.

Authorization for the Logical Domains Manager has the same two levels described in LDoms Manager Authorization: solaris.ldoms.read and solaris.ldoms.write. The corresponding Logical Domains entries are added automatically to the Solaris OS /etc/security/auth_attr file when the Logical Domains Manager package is installed.

Managing User Authorizations

Procedure: Add an Authorization for a User

Use the following steps as necessary to add authorizations in the /etc/security/auth_attr file for Logical Domains Manager users. Because the superuser already has solaris.* authorization, the superuser already has permission for solaris.ldoms.* authorizations.

  1. Create a local user account for each user who needs authorization to use the ldm(1M) subcommands.


    Note –

    To add Logical Domains Manager authorization for a user, a local (non-LDAP) account must be created for that user. Refer to the Solaris 10 System Administrator Collection for details.


  2. Do one of the following depending on which ldm(1M) subcommands you want the user to be able to access.

    See Table 3–1 for a list of ldm(1M) commands and their user authorizations.

    • Add a read-only authorization for a user using the usermod(1M) command.


      # usermod -A solaris.ldoms.read username
      
    • Add a read and write authorization for a user using the usermod(1M) command.


      # usermod -A solaris.ldoms.write username
      

Procedure: Delete All Authorizations for a User

  1. Delete all authorizations for a local user account (the only possible option).


    # usermod -A "" username
    

Managing User Profiles

The SUNWldm package adds two system-defined RBAC profiles in the /etc/security/prof_attr file for use in authorizing access to the Logical Domains Manager by non-superusers. The two LDoms-specific profiles are:

One of the preceding profiles can be assigned to a user account using the following procedure.

Procedure: Add a Profile for a User

  1. Add an administrative profile for a local user account; for example, LDoms Management.


    # usermod -P "LDoms Management" username
    

Procedure: Delete All Profiles for a User

  1. Delete all profiles for a local user account (the only possible option).


    # usermod -P "" username
    

Assigning Roles to Users

The advantage of using this procedure is that only a user who has been assigned a specific role can assume the role. In assuming a role, a password is required if the role is given a password. This provides two layers of security. If a user has not been assigned a role, then the user cannot assume the role (by doing the su role-name command) even if the user has the correct password.

Procedure: Create a Role and Assign the Role to a User

  1. Create a role.


    # roleadd -A solaris.ldoms.read ldm_read
    
  2. Assign a password to the role.


    # passwd ldm_read
    
  3. Assign the role to a user; for example, user_1.


    # useradd -R ldm_read user_1
    
  4. Assign a password to the user (user_1).


    # passwd user_1
    
  5. Switch to the user_1 account to confirm that it, and only it, can assume the ldm_read role.


    # su user_1
    
  6. Type the user password when or if prompted.

  7. Verify the user ID and access to the ldm_read role.


    $ id
    uid=nn(user_1) gid=nn(<group name>)
    $ roles
    ldm_read
  8. Assume the ldm_read role to gain access to the ldm subcommands that require read authorization.


    $ su ldm_read
    
  9. Type the role password when prompted.

  10. Type the id command to show the user.


    $ id
    uid=nn(ldm_read) gid=nn(<group name>)
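The rules applied in the preceding sections (the vntsd console authorizations, the solaris.ldoms.read and solaris.ldoms.write authorizations assigned with usermod -A, profiles assigned with usermod -P, and roles that grant nothing until assumed) can be exercised offline. The following script is an added example and is not part of the Logical Domains documentation or software. It resolves authorizations the way the RBAC databases define them, from constructed user_attr and prof_attr contents; the account names, the role name ldm_read, and the assumed definition of the LDoms Management profile are all illustrative:

```sh
#!/bin/sh
# Added example: offline resolver for Solaris RBAC authorizations.
# The user_attr and prof_attr contents below are CONSTRUCTED for the example;
# on a live system read /etc/user_attr and /etc/security/prof_attr instead
# (or simply run auths(1) and roles(1) for the account).
USER_ATTR='root::::auths=solaris.*;profiles=All
terry::::auths=solaris.vntsd.consoles
sam::::auths=solaris.vntsd.console-ldg1
ops::::profiles=LDoms Management
user_1::::roles=ldm_read
ldm_read::::type=role;auths=solaris.ldoms.read'

# Assumed profile definitions; the real LDoms Management profile may differ.
PROF_ATTR='LDoms Management:::Manage LDoms domains:auths=solaris.ldoms.*
All:::Execute any command as the user or role:help=RtAll.html'

# attr_field DB NAME KEY: print KEY's value from the key=value;... attribute
# column (field 5) of NAME's entry in DB. Prints nothing if absent.
attr_field() {
    printf '%s\n' "$1" | awk -F: -v name="$2" -v key="$3" '
        $1 == name {
            n = split($5, kv, ";")
            for (i = 1; i <= n; i++) {
                eq = index(kv[i], "=")
                if (substr(kv[i], 1, eq - 1) == key) { print substr(kv[i], eq + 1); exit }
            }
        }'
}

# effective_auths USER: authorizations held directly plus those granted by the
# user's profiles. Roles are deliberately NOT expanded: their authorizations
# apply only after the user assumes the role with su.
effective_auths() {
    attr_field "$USER_ATTR" "$1" auths | tr ',' '\n'
    attr_field "$USER_ATTR" "$1" profiles | tr ',' '\n' | while IFS= read -r prof; do
        if [ -n "$prof" ]; then
            attr_field "$PROF_ATTR" "$prof" auths | tr ',' '\n'
        fi
    done
}

# has_auth USER AUTH: succeed if USER effectively holds AUTH. An entry ending
# in "*" (solaris.*, solaris.ldoms.*) matches everything under that prefix,
# which is why the superuser's solaris.* already covers solaris.ldoms.*.
has_auth() {
    effective_auths "$1" | awk -v want="$2" '
        $0 == want { found = 1; exit }
        sub(/\*$/, "", $0) && index(want, $0) == 1 { found = 1; exit }
        END { exit found ? 0 : 1 }'
}

# can_access_console USER DOMAIN: vntsd accepts either the blanket
# solaris.vntsd.consoles authorization or the per-domain one.
can_access_console() {
    has_auth "$1" solaris.vntsd.consoles || has_auth "$1" "solaris.vntsd.console-$2"
}

# can_assume_role USER ROLE: ROLE must be a type=role account and must be
# listed in USER's roles=; knowing the role password alone is not enough.
can_assume_role() {
    attr_field "$USER_ATTR" "$2" type | grep -qx role || return 1
    attr_field "$USER_ATTR" "$1" roles | tr ',' '\n' | grep -qx -- "$2"
}

# Stand-alone demonstration.
for check in "has_auth ops solaris.ldoms.write" \
             "has_auth user_1 solaris.ldoms.read" \
             "has_auth ldm_read solaris.ldoms.read" \
             "can_access_console sam ldg1" \
             "can_access_console sam ldg2" \
             "can_assume_role user_1 ldm_read"; do
    if $check; then echo "yes  $check"; else echo "no   $check"; fi
done
```

On a live control domain, auths username and roles username give the same answers from the real databases; the value of the script is that it makes the resolution rules explicit: direct authorizations, profile-granted authorizations, the trailing * wildcard, and the fact that user_1 holds no ldm authorization at all until the ldm_read role is assumed.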

Adding the Privileges Needed to Migrate Domains

In addition to the Logical Domains authorizations (solaris.ldoms.*), a user who migrates a domain to another system needs the file_dac_read and file_dac_search privileges. These privileges let the user read the Logical Domains Manager key, /var/opt/SUNWldm/server.key, which for security reasons is readable only by the superuser. Note that these privileges are not scoped to that one file: file_dac_read and file_dac_search allow the holder to bypass discretionary read and search permissions on any file and directory on the system, so grant them only to accounts that genuinely need to migrate domains and remove them (see the following delete procedure) when they are no longer needed.

Procedure: Add Other Privileges to Enable Domain Migration

  1. Become superuser or assume an equivalent role.

    Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.

  2. Use the usermod command to add the file_dac_read and file_dac_search privileges for a user.


    # usermod -K defaultpriv=basic,file_dac_read,file_dac_search username
    

    For more information about the usermod command, see the usermod(1M) man page.

    The following command adds the file_dac_read and file_dac_search privileges for the ldm_mig user:


    # usermod -K defaultpriv=basic,file_dac_read,file_dac_search ldm_mig
    

Procedure: Delete All Privileges for a Local User Account

  1. Become superuser or assume an equivalent role.

    Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.

  2. Use the usermod command to delete all the privileges for a user.


    # usermod -K defaultpriv=basic username
    

    For more information about the usermod command, see the usermod(1M) man page.

    The following command deletes the privileges for the ldm_mig user:


    # usermod -K defaultpriv=basic ldm_mig
    

Enabling and Using BSM Auditing

The Logical Domains Manager uses the Solaris OS Basic Security Module (BSM) auditing capability. BSM auditing provides the means to examine the history of actions and events on your control domain to determine what happened. The history is kept in a log that records what was done, when it was done, by whom, and what was affected.

To enable and disable this auditing capability, use the Solaris OS bsmconv(1M) and bsmunconv(1M) commands. This section also includes tasks that show how to verify the auditing capability, print audit output, and rotate audit logs. You can find further information about BSM auditing in the Solaris 10 System Administration Guide: Security Services.

Procedure: Enable BSM Auditing

  1. Add the vs audit class to the flags: line of the /etc/security/audit_control file, for example by changing flags:lo to flags:lo,vs. The vs class is the one the Logical Domains Manager audits to, and the one selected with auditreduce -c vs when printing audit output.

  2. Run the bsmconv(1M) command.


    # /etc/security/bsmconv
    

    For more information about this command, see the bsmconv(1M) man page.

  3. Reboot the Solaris OS for auditing to take effect.
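Because step 1 is a hand edit and step 3 requires a reboot, it is worth confirming the flags: line before running bsmconv. The following script is an added example and is not part of the Logical Domains documentation; it parses audit_control(4) contents for the vs class, honouring the + (success only), - (failure only) and ^ (turn off) prefixes that change what a listed class means. The two file contents are constructed for the example:

```sh
#!/bin/sh
# Added example: pre-flight check that the vs audit class is really enabled in
# an audit_control(4) file before running bsmconv and rebooting.
# Both file contents below are CONSTRUCTED; on a live control domain pass
# "$(cat /etc/security/audit_control)" instead.
AUDIT_CONTROL_OK='# audit_control for the control domain (constructed)
dir:/var/audit
flags:lo,vs
minfree:20
naflags:lo'

# Here vs was added but then switched off again with a ^ prefix, and fw is
# audited for failures only (- prefix); both are easy to miss by eye.
AUDIT_CONTROL_BAD='dir:/var/audit
flags:lo,^vs,-fw
minfree:20
naflags:lo'

# flags_classes CONTENT: print the class tokens of the flags: line, one per
# line, with their prefixes preserved. Comment lines and naflags: are ignored.
flags_classes() {
    printf '%s\n' "$1" | awk -F: '
        /^[[:space:]]*#/ { next }
        $1 == "flags" { n = split($2, c, ","); for (i = 1; i <= n; i++) print c[i]; exit }'
}

# audit_class_state CONTENT CLASS: print absent, both, success-only,
# failure-only or negated. A later token overrides an earlier one, since
# the audit subsystem processes the list left to right.
audit_class_state() {
    flags_classes "$1" | awk -v want="$2" '
        BEGIN { state = "absent" }
        {
            tok = $0; mod = ""
            while (substr(tok, 1, 1) ~ /[+^-]/) { mod = mod substr(tok, 1, 1); tok = substr(tok, 2) }
            if (tok != want) next
            if (mod == "")       state = "both"
            else if (mod == "+") state = "success-only"
            else if (mod == "-") state = "failure-only"
            else                 state = "negated"   # mod starts with ^
        }
        END { print state }'
}

# vs_audited CONTENT: succeed only when vs is audited for success and failure.
vs_audited() {
    [ "$(audit_class_state "$1" vs)" = both ]
}

# Stand-alone demonstration over both constructed files.
for name in AUDIT_CONTROL_OK AUDIT_CONTROL_BAD; do
    eval "content=\$$name"
    if vs_audited "$content"; then
        echo "$name: vs class enabled, safe to run bsmconv"
    else
        echo "$name: vs class is $(audit_class_state "$content" vs); fix the flags: line first"
    fi
done
```

After the reboot, auditconfig -getcond (next procedure) tells you whether auditing is running at all; this check tells you whether the vs class will actually be recorded once it is.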

Procedure: Verify That BSM Auditing Is Enabled

  1. Type the following command.


    # auditconfig -getcond
    
  2. Check that audit condition = auditing appears in the output.

Procedure: Disable BSM Auditing

  1. Run the bsmunconv command to disable BSM auditing.


    # /etc/security/bsmunconv
    

    For more information about this command, see the bsmunconv(1M) man page.

  2. Reboot the Solaris OS for the disabling of auditing to take effect.

Procedure: Print Audit Output

  1. Use one of the following to print BSM audit output:

    • Use the auditreduce(1M) command to select the records of the vs class (optionally only those at or after a given date and time, given to -a in yyyymmddHHMMSS form) and the praudit(1M) command to print them.


      # auditreduce -c vs | praudit
      # auditreduce -c vs -a 20060502000000 | praudit
      
    • Use the praudit -x command to print XML output.

Procedure: Rotate Audit Logs

  1. Use the audit -n command to rotate audit logs.