Chapter 2 Secure Installation and Configuration of Oracle VM Server for SPARC
You can configure guest domains in a variety of ways to provide varying levels of guest domain isolation, hardware sharing, and domain connectivity. These factors contribute to the security level of the overall Oracle VM Server for SPARC configuration. For recommendations about deploying the Oracle VM Server for SPARC software in a secure manner, see Security in a Virtualized Environment and Defending Against Attacks.
You can apply some of the following general security principles:
Minimize the attack surface.
Minimize unintentional configuration errors by creating operational guidelines that enable you to regularly evaluate the security of the system. See Countermeasure: Creating Operational Guidelines.
Carefully plan the architecture of the virtual environment to maximize the isolation of the domains. See the countermeasures described for Threat: Errors in the Architecture of the Virtual Environment.
Carefully plan which resources to assign and whether they are to be shared. See Countermeasure: Carefully Assigning Hardware Resources and Countermeasure: Carefully Assigning Shared Resources.
Ensure that the logical domains are protected from manipulation by applying the countermeasures described for Threat: Manipulation of the Execution Environment and Countermeasure: Securing the Guest Domain OS.
Countermeasure: Using Role Separation and Application Isolation describes the importance of assigning functionality roles to the various domains and ensuring that the control domain runs only the software that provides the infrastructure required to host guest domains. Applications that can be run by other systems should run on guest domains that are designed for this purpose.
Countermeasure: Configuring a Dedicated Management Network describes a more advanced network configuration that connects servers with SPs to a dedicated management network to shield the SP from network access.
Expose a guest domain to the network only when necessary. You can use virtual switches to limit a guest domain's network connectivity to only the appropriate networks.
Follow the steps to minimize the attack surface for Oracle Solaris 10 and Oracle Solaris 11 as described in Oracle Solaris 10 Security Guidelines and Oracle Solaris 11 Security Guidelines.
Protect the core of the hypervisor as described by Countermeasure: Validating Firmware and Software Signatures and Countermeasure: Validating Kernel Modules.
Protect the control domain against denial-of-service attacks. See Countermeasure: Securing Console Access.
Ensure that the Logical Domains Manager cannot be run by unauthorized users. See Threat: Unauthorized Use of Configuration Utilities.
Ensure that the service domain cannot be accessed by unauthorized users or processes. See Threat: Manipulation of a Service Domain.
Protect an I/O domain or a service domain against denial-of-service attacks. See Threat: Experiencing a Denial-of-Service of an I/O Domain or a Service Domain.
Ensure that an I/O domain cannot be accessed by unauthorized users or processes. See Threat: Manipulation of an I/O Domain.
Disable unnecessary domain manager services. The Logical Domains Manager provides network services for domain access, monitoring, and migration. See Countermeasure: Hardening the Logical Domains Manager and Countermeasure: Securing the ILOM.
Provide the least privilege to perform an operation.
Isolate systems into security classes, which are groups of individual guest systems that share the same security requirements and privileges. By assigning only guest domains from a single security class to a single hardware platform, you create an isolation barrier, which prevents the domains from crossing into a different security class. See Countermeasure: Carefully Assigning Guests to Hardware Platforms.
Use rights to restrict the capability to manage domains with the ldm command. Only those users who must administer domains should be given this capability. Assign a role that uses the LDoms Management rights profile to users who require access to all of the ldm subcommands. Assign a role that uses the LDoms Review rights profile to users who only require access to the list-related ldm subcommands. See Using Rights Profiles and Roles in Oracle VM Server for SPARC 3.1 Administration Guide.
Use rights to restrict access to the console of only those domains that you, as the administrator of Oracle VM Server for SPARC, administer. Do not permit general access to all domains. See Controlling Access to a Domain Console by Using Rights in Oracle VM Server for SPARC 3.1 Administration Guide.
Monitor system activity.
Enable Oracle VM Server for SPARC auditing. See Enabling and Using Auditing in Oracle VM Server for SPARC 3.1 Administration Guide.
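The least-privilege guidance above on the LDoms Management and LDoms Review rights profiles can be checked mechanically. The following Python audit is an added example, not Oracle code: it reads entries in the user_attr layout, reports which users can reach each profile, and flags users who hold LDoms Management directly or without approval. The account names, the sample data and the approved_admins list are assumptions made for illustration.

```python
# Added example: audit who can reach the LDoms rights profiles. SAMPLE_USER_ATTR is
# constructed data (name:qualifier:res1:res2:key=value;...); all account names are made up.
SAMPLE_USER_ATTR = """\
ldm_admin::::type=role;profiles=LDoms Management
ldm_read::::type=role;profiles=LDoms Review,Basic Solaris User
alice::::type=normal;roles=ldm_admin
bob::::type=normal;roles=ldm_read
carol::::type=normal;profiles=LDoms Management
dave::::type=normal;roles=ldm_admin,ldm_read
"""
LDM_PROFILES = ("LDoms Management", "LDoms Review")


def parse_user_attr(text):
    """Return {name: {"type": str, "profiles": [...], "roles": [...]}}."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.count(":") < 4:
            continue  # blank line, comment, or malformed entry
        name, _, _, _, attr = line.split(":", 4)
        attrs = dict(kv.split("=", 1) for kv in attr.split(";") if "=" in kv)
        entries[name] = {
            "type": attrs.get("type", "normal"),
            "profiles": [p.strip() for p in attrs.get("profiles", "").split(",") if p.strip()],
            "roles": [r.strip() for r in attrs.get("roles", "").split(",") if r.strip()],
        }
    return entries


def audit_ldm_rights(text, approved_admins):
    """approved_admins (hypothetical input): users allowed full ldm access."""
    entries = parse_user_attr(text)
    access, findings = {}, []
    for name, e in sorted(entries.items()):
        if e["type"] == "role":
            continue  # roles are resolved through the users that can assume them
        direct = {p for p in e["profiles"] if p in LDM_PROFILES}
        via_role = {p for r in e["roles"] if r in entries
                    for p in entries[r]["profiles"] if p in LDM_PROFILES}
        for p in sorted(direct):
            findings.append(f"{name}: '{p}' assigned directly, not through a role")
        reach = direct | via_role
        if reach:
            access[name] = sorted(reach)
        if "LDoms Management" in reach and name not in approved_admins:
            findings.append(f"{name}: full ldm access but not an approved administrator")
    return access, findings
```

On a live system the input would be the contents of /etc/user_attr. Profiles granted through nested profiles or a name service are not resolved by this parser.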