Oracle Solaris 11 Security Guidelines (Oracle Solaris 11.1 Information Library)
ZFS file systems are lightweight and can be encrypted, compressed, and configured with reserved space and disk space limits.
The tmpfs file system can grow without bound. To prevent a denial of service (DOS) attack, complete How to Limit the Size of the tmpfs File System.
The following tasks configure a size limit for tmpfs and provide a glimpse of the protections that are available in ZFS, the default file system in Oracle Solaris. For additional information, see Setting ZFS Quotas and Reservations in Oracle Solaris 11.1 Administration: ZFS File Systems and the zfs(1M) man page.
The size of the tmpfs file system is not limited by default, so tmpfs can grow to fill the available system memory and swap. Because the /tmp directory is used by all applications and users, a single application can occupy all available system memory. Similarly, an unprivileged user with malicious intent could cause a system slowdown by creating large files in the /tmp directory. To avoid this performance impact, you can limit the size of each tmpfs mount.
You might try several values to achieve the best system performance.
Before You Begin
You must assume the root role. For more information, see How to Use Your Assigned Administrative Rights in Oracle Solaris 11.1 Administration: Security Services.
Note - The SPARC T3 series system that is used for the example in this procedure has a solid state disk (ssd) for faster I/O and has eight 279.40 MB disks. The system has around 500 GB of memory.
# prtconf | head
System Configuration:  Oracle Corporation  sun4v
Memory size: 523776 Megabytes
System Peripherals (Software Nodes):

ORCL,SPARC-T3-4
    scsi_vhci, instance #0
        disk, instance #4
        disk, instance #5
        disk, instance #6
        disk, instance #8
Depending on the size of the system memory, you might want to compute a memory limit of around 20 percent for large systems and around 30 percent for smaller systems.
So, for a smaller system, use .30 as the multiplier.
10240M x .30 ≃ 340M
For a larger system, use .20 as the multiplier.
523776M x .20 ≃ 10475M
# pfedit /etc/vfstab
#device                   device      mount              FS       fsck   mount    mount
#to mount                 to fsck     point              type     pass   at boot  options
#
/devices                  -           /devices           devfs    -      no       -
/proc                     -           /proc              proc     -      no       -
ctfs                      -           /system/contract   ctfs     -      no       -
objfs                     -           /system/object     objfs    -      no       -
sharefs                   -           /etc/dfs/sharetab  sharefs  -      no       -
fd                        -           /dev/fd            fd       -      no       -
swap                      -           /tmp               tmpfs    -      yes      -
swap                      -           /tmp               tmpfs    -      yes      size=10400m
/dev/zvol/dsk/rpool/swap  -           -                  swap     -      no       -

# mount -v
swap on /system/volatile type tmpfs read/write/setuid/devices/rstchown/xattr/dev=89c0006 on Fri Sep 7 14:07:27 2012
swap on /tmp type tmpfs read/write/setuid/devices/rstchown/xattr/size=10400m/dev=89c0006 on Fri ...
The df command gives only a rough view of tmpfs usage; the swap command provides the most useful statistics, because tmpfs pages are backed by swap.
# df -h /tmp
Filesystem   Size   Used   Available   Capacity   Mounted on
swap         7.4G   44M    7.4G        1%         /tmp
# swap -s
total: 190248k bytes allocated + 30348k reserved = 220596k used, 7743780k available
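The sizing arithmetic and the vfstab edit above, as an added shell example that is not part of the Oracle guide: it parses the "Memory size:" line from prtconf-style output, applies the guide's 30 percent (small system) or 20 percent (large system) multiplier, emits the /tmp vfstab entry with the resulting size= option, and checks whether a given mount line carries a cap at all. The 64 GB cut-off between "small" and "large" is an assumption made here for the example; the guide leaves that boundary to the administrator. The prtconf text is a constructed sample modelled on the output shown above.

```shell
# Added example (not from the Oracle guide): derive a tmpfs size limit from
# the "Memory size:" line of prtconf output and emit the matching vfstab entry.
# The 20%/30% multipliers come from the guide; the 64 GB cut-off between a
# "small" and a "large" system is an assumption made here for the example.

# Constructed sample of "prtconf | head" output; on a live system you would
# pipe the real command into mem_size_mb instead.
SAMPLE_PRTCONF='System Configuration:  Oracle Corporation  sun4v
Memory size: 523776 Megabytes
System Peripherals (Software Nodes):
ORCL,SPARC-T3-4'

LARGE_SYSTEM_MB=65536   # assumption: more than 64 GB of RAM counts as "large"

# Print the memory size in megabytes parsed from prtconf-style output on stdin.
mem_size_mb() {
    awk '/^Memory size:/ { print $3; exit }'
}

# tmpfs_limit_mb MEM_MB: 30% of memory for small systems, 20% for large ones
# (integer arithmetic, rounded down).
tmpfs_limit_mb() {
    mem=$1
    if [ "$mem" -gt "$LARGE_SYSTEM_MB" ]; then
        pct=20
    else
        pct=30
    fi
    echo $(( mem * pct / 100 ))
}

# vfstab_line LIMIT_MB: the /tmp entry to place in /etc/vfstab, carrying the
# size= mount option that caps the file system.
vfstab_line() {
    printf 'swap\t-\t/tmp\ttmpfs\t-\tyes\tsize=%sm\n' "$1"
}

# tmp_mount_status MOUNT_LINE: given one line of "mount -v" output, report
# whether the mount is capped (size= present) or uncapped.
tmp_mount_status() {
    case "$1" in
        *size=*) echo capped ;;
        *)       echo uncapped ;;
    esac
}

# Stand-alone run over the constructed sample.
mem=$(printf '%s\n' "$SAMPLE_PRTCONF" | mem_size_mb)
limit=$(tmpfs_limit_mb "$mem")
echo "memory: ${mem} MB -> tmpfs limit: ${limit} MB"
vfstab_line "$limit"
```

On a live system, replace the sample with `prtconf | mem_size_mb` and feed the /tmp line of `mount -v` to tmp_mount_status after the remount or reboot to confirm the cap took effect. Check the arithmetic before committing a value: 20 percent of 523776 MB computes to 104755 MB, so compare the number you intend to write into /etc/vfstab against what the formula actually yields.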
For more information, see the tmpfs(7FS), mount_tmpfs(1M), df(1M), and swap(1M) man pages.