Security Measures for Kernel Zones

Kernel zones, non-global zones, and global zones offer similar security features. IPsec and IKE protect the network, rights and auditing prevent unauthorized use of resources, and immutable zones add administrative security. For more information, see Security Measures for a System With Non-Global Zones in Creating and Using Oracle Solaris Zones.

Kernel zones have an additional security measure called verified boot. For more information, see Using Verified Boot to Secure an Oracle Solaris Kernel Zone and Using Verified Boot in Securing Systems and Attached Devices in Oracle Solaris 11.4.

Assigning the rights to administer zones to non-root users is a common security practice. By default, the global zone administrator (root) can administer all kernel zones, but root can distribute those rights to other users.

For descriptions of zones rights profiles that apply to kernel zones and an overview of the admin resource in a zone, see Using Rights Profiles to Install and Manage Zones in Creating and Using Oracle Solaris Zones.

Note:

The examples and procedures in this guide assume that zones are administered by a non-root user. Typically, non-root users prefix zone administration commands with the pfbash or pfexec command to run the commands with rights. For more information, see the pfexec(1) man page.

Refer to the following for background and details about rights: