Tuesday, November 18, 2008

Solaris ZFS and Containers: Overview

Tim Graves & Joost Pronk, Solaris Marketing
HOW TO MANAGE SYSTEMS WITH ZFS IN SOLARIS™ CONTAINERS
Solaris™ 10 How To Guides
Contents
Solaris ZFS and Containers: Overview
ZFS and Containers: An Example
• Creating a zpool
• Creating a Zone
• Allocating a ZFS File System to a Zone
• Creating New File Systems
• Applying Quota to the File Systems
• Changing the Mountpoint of a File System
• Setting the Compression Property
• Taking a Snapshot
Summary
For More Information
About This ZFS How To Guide
This guide is intended to show a new user the capabilities of ZFS when coupled with Solaris Containers. It describes
the assignment of a ZFS file system to a zone, and some of the ZFS administrative tasks possible in such a
configuration. Assigning a file system to a zone gives a zone administrator full delegated control of the ZFS file
system, enabling them to take snapshots, create sub file systems and perform other tasks without requiring the
global zone administrator's intervention.
After reading this guide, the user will have an understanding of how to delegate a ZFS file system to a container and
to manage it from within the container.
Contributors: Paul Steeves and Solaris ZFS Engineering team
Solaris ZFS and Containers: Overview
ZFS is a new file system from Sun provided in the Solaris 10 OS. It provides very high levels of data integrity and performance, and improves the ease of file system management by eliminating the need for a volume manager. Also, because it is 128-bit based, it opens the door to virtually unlimited data scalability.
Traditional file systems have a model of a single device or volume for each file system. This makes administration complex and potentially prone to administrative errors which could result in the destruction of data or lack of access to the data. ZFS uses a pooled storage model in which storage capacity is held within an expandable pool called a zpool. Multiple file systems can exist within a zpool and they can share the capacity and IO resources of the pool. This new architectural approach, the storage version of virtual memory, permits easier administration of file systems and enables performance breakthroughs.
Figure 1—ZFS automatically grows shared storage
Solaris Containers is Sun's operating system virtualization technique. It consists of several technologies that work together to foster improved resource management and isolate the environment from the underlying OS. With Solaris Containers, you can determine how to allocate resources among applications and services, and ensure they do not interfere with one another.
ZFS and Containers are tightly integrated to allow the zone administrator delegated rights to control the ZFS file systems. By using ZFS and Containers in combination you can assign a portion of the storage pool to a container. This means that the administrator for that container has the authority to manage that portion of the storage pool, but it is isolated from the rest of the system. (See the figure below.) This lets you benefit from both the data integrity of ZFS, as well as the high availability and resource control of containers.
Figure 2—Containers let you isolate ZFS file systems
Note that while Containers technology has several aspects, the example in this guide will focus solely on the zones aspect.
ZFS How To Guide
Solaris 10 Operating System sun.com/solaris
[Figure 1 diagram: Application 1, Application 2 and Application 3 sharing one scalable ZFS storage pool. Figure 2 diagram: a ZFS file system delegated from the global zone to a non-global zone.]
ZFS and Containers: An Example
This section is a step-by-step guide that shows how to perform certain ZFS file system tasks inside of Solaris Containers; for
example, taking snapshots and managing data compression. It does this by going through the following steps:
• Creating a zpool
• Creating a Zone
• Allocating a ZFS File System to a Zone
• Creating New File Systems
• Applying Quota to the File Systems
• Changing the Mountpoint of a File System
• Setting the Compression Property
• Taking a Snapshot
Each of these steps is described in detail below.
Creating a zpool
ZFS uses device names or partition names when dealing with pools and devices. For a device, this will be something like
c1t0d0 (for a SCSI device) or c1d1 (for an IDE device). For a partition, it will be something like c1t0d0s0 (for a SCSI device)
or c1d1s0 (for an IDE device). This example creates a pool that is mirrored using two disks.
1. To create a zpool in the global zone, use the zpool create command. Typically, you use two devices to provide
redundancy.
    Global# zpool create mypool mirror c2t5d0 c2t6d0
Note that the zpool create command may fail if the devices are in use or contain some types of existing data (e.g. a UFS
file system). If they are in use, you will need to unmount them or otherwise stop using them. If they contain existing
data you can use the -f (force) flag to override the safety check, but be sure that you are not destroying any data you
want to retain.
2. Examine the pool properties using the zpool list command.
    Global# zpool list
    NAME    SIZE  USED  AVAIL  CAP  HEALTH  ALTROOT
    mypool  199G  164K  199G   0%   ONLINE  -
This shows you that there is one zpool, named mypool, with a capacity of 199GBytes.
Creating a Zone
To show ZFS working in an environment that is isolated from other applications on the system, you need to create a zone.
To create a zone:
1. Create a directory where the zone file system will reside, using the mkdir command. Be sure to choose a location where
the file system has at least 80MBytes of available space.
    Global# mkdir /zones
Note that in this example, for the sake of brevity, the root file system of the zone is a UFS file system.
2. Configure the zone (myzone), using the zonecfg command, and specify the location of the zone's files
(/zones/myzone). Use the following series of commands.
    Global# zonecfg -z myzone
    myzone: No such zone configured
    Use 'create' to begin configuring a new zone
    zonecfg:myzone> create
    zonecfg:myzone> set zonepath=/zones/myzone
    zonecfg:myzone> verify
    zonecfg:myzone> commit
    zonecfg:myzone> exit
Again, for the purpose of streamlining, this example uses a very minimal zone. For more details on creating zones see
the Solaris Containers How To Do Stuff guide at:
www.sun.com/software/solaris/howtoguides/containersLowRes.jsp
3. Install the zone using the zoneadm command.
    Global# zoneadm -z myzone install
    Preparing to install zone
    [Output from zoneadm, this may take a few mins]
4. Boot the zone to complete the installation, using the zoneadm command.
    Global# zoneadm -z myzone boot
5. Use the zlogin command to connect to the zone console.
    Global# zlogin -C myzone
    [Connected to zone 'myzone' console]
    [Initial zone boot output, service descriptions are loaded etc.]
It may take a short while for the first boot to configure everything, load all the service descriptors, and so on. You will
need to answer the system configuration details. Some suggestions are:
    Terminal = (12) X Terminal Emulator (xterms)
    Not Networked
    No Kerberos
    Name service = None
    Time Zone = your-time-zone
    root passwd = (Your choice – remember it though!)
The zone will reboot after you have provided the configuration information.
6. Before you can proceed to the next stage, the configured zone needs to be shut down (configuration changes are only
applied when the zone boots).
    Global# zlogin myzone init 5
Allocating a ZFS File System to a Zone
Now that you have a zpool (mypool) and a zone (myzone) you are ready to allocate a ZFS file system to the zone.
1. To create a ZFS file system, use the zfs create command.
    Global# zfs create mypool/myzonefs
2. To apply a quota to the file system, use the zfs set quota command.
    Global# zfs set quota=5G mypool/myzonefs
The file system and all of its child file systems can be no larger than the designated quota. Note that both these steps
must be performed in the global zone. Also notice that creating the file system in ZFS is much simpler than with a
traditional file system/volume manager combination.
To illustrate the isolation/security properties of containers with ZFS, this example now creates a ZFS file system that will
remain outside the container. There is no need to apply a quota to this outside file system.
3. To create this other file system, again use the zfs create command.
    Global# zfs create mypool/myfs
4. To show the properties of the pool and all of its file systems, use the zfs list command.
    Global# zfs list
    NAME             USED   AVAIL  REFER  MOUNTPOINT
    mypool           396G   197G   99.5K  /mypool
    mypool/myfs      98.5K  197G   98.5K  /mypool/myfs
    mypool/myzonefs  98.5K  5G     98.5K  /mypool/myzonefs
To make the file system (myzonefs) available in the zone (myzone), the zone configuration needs to be updated.
5. To update the zone configuration, use the zonecfg command.
    Global# zonecfg -z myzone
    zonecfg:myzone> add dataset
    zonecfg:myzone:dataset> set name=mypool/myzonefs
    zonecfg:myzone:dataset> end
    zonecfg:myzone> commit
    zonecfg:myzone> exit
The mypool/myzonefs file system is now added to the zone configuration. Note that these steps must be performed with
the zone shut down, otherwise the zone configuration changes would not be visible until the next reboot. To check that
the zone is shut down, try logging into it using zlogin myzone. If the zone is shut down the login will fail; if the zone is
running you will see a login prompt. Log in as root and shut the zone down with init 5. These steps are performed in the
global zone.
6. Now boot the zone.
    Global# zoneadm -z myzone boot
7. Log in to the zone. (Leave a few seconds for the zone to boot.)
    Global# zlogin -C myzone
    [Connected to zone 'myzone' pts/3]
    [Usual Solaris login sequence]
8. List the ZFS file systems in the zone.
    MyZone# zfs list
    NAME             USED  AVAIL  REFER  MOUNTPOINT
    mypool           0M    200B   -      /mypool
    mypool/myzonefs  8K    5G     8K     /mypool/myzonefs
Note the 5GByte maximum available from the external quota and that the other file systems in the pool
(mypool/myfs) are not visible. This demonstrates the isolation property that Containers provide.
Creating New File Systems
Administering ZFS file systems from the non-global zone is done just like it is in the global zone, although you are limited
to operating within the file system that is allocated to the zone (mypool/myzonefs). New ZFS file systems are always
created as a child of this file system because this is the only ZFS file system the non-global zone can see. The administrator
in the non-global zone can create these file systems. There is no need to involve the administrator of the global zone, though
that administrator could do so if it were necessary.
1. To create a new file system, use the zfs create command.
    MyZone# zfs create mypool/myzonefs/tim
    MyZone# zfs list
    NAME                 USED   AVAIL  REFER  MOUNTPOINT
    mypool               504M   197G   99K    /mypool
    mypool/myzonefs      197K   5.00G  98.5K  /mypool/myzonefs
    mypool/myzonefs/tim  98.5K  5.00G  98.5K  /mypool/myzonefs/tim
The non-global zone administrator can create as many child file systems as s/he wants, and each child file system can have
its own child file systems, in that way forming a hierarchy.
As a demonstration that the non-global zone administrator is limited to the assigned file systems, this example
demonstrates trying to break security by creating a file system outside the container's "space".
2. Try to create another file system outside of mypool/myzonefs, using the zfs create command.
    MyZone# zfs create mypool/myzonefs1
    cannot create 'mypool/myzonefs1': permission denied
As you can see, ZFS and zones security denies permission for the non-global zone to access resources it has not been
allocated and the operation fails.
Applying Quota to the File Systems
Typically, to prevent the user consuming all of the space, a non-global zone administrator will want to apply a quota to the
new file system. Of course, the child's quota can't be more than 5GByte as that's the quota specified by the global zone
administrator to all of the file systems below mypool/myzonefs.
1. To set a quota on our new file system, use the zfs set quota command.
    MyZone# zfs set quota=1G mypool/myzonefs/tim
    MyZone# zfs list
    NAME                 USED   AVAIL  REFER  MOUNTPOINT
    mypool               508M   197G   99K    /mypool
    mypool/myzonefs      198k   5.00G  99K    /mypool/myzonefs
    mypool/myzonefs/tim  98.5K  1024M  98.5K  /mypool/myzonefs/tim
The administrator of the non-global zone has set the quota of the child file system to 1G. They have full authority to do
this because they are operating on their delegated resources and do not need to involve the global zone administrator.
The ZFS property inheritance mechanism applies across zone boundaries, so the non-global zone administrator can specify
his/her own property values should s/he wish to do so. As with normal ZFS property inheritance, these override inherited
values.
Changing the Mountpoint of a File System
Now that the file system is set up and has the correct quota assigned to it, it is ready for use. However, the place where
the file system appears (the mountpoint) is partially dictated by what the global zone administrator initially chose as the
pool and file system names (in this example, mypool/myzonefs). Typically, a non-global zone administrator would want to change it.
1. To change the mountpoint, use the zfs set mountpoint command.
    MyZone# zfs set mountpoint=/export/home/tim mypool/myzonefs/tim
    MyZone# zfs list
    NAME                 USED   AVAIL  REFER  MOUNTPOINT
    mypool               508M   197G   99K    /mypool
    mypool/myzonefs      198k   5.00G  99K    /mypool/myzonefs
    mypool/myzonefs/tim  98.5K  1024M  98.5K  /export/home/tim
Note that the mountpoint can be changed for any file system independently.
Setting the Compression Property
The next example demonstrates the compression property. If compression is enabled, ZFS will transparently compress all of
the data before it is written to disk.
The benefits of compression are both saved disk space and possible write speed improvements.
1. To see what the current compression setting is, use the zfs get command.
    MyZone# zfs get compression mypool mypool/myzonefs mypool/myzonefs/tim
    NAME                 PROPERTY     VALUE  SOURCE
    mypool               compression  off    default
    mypool/myzonefs      compression  off    default
    mypool/myzonefs/tim  compression  off    default
Be aware that the compression property on the pool is inherited by the file system and its child file systems. So if the non-global
zone administrator sets the compression property for the delegated file system, it will set it for everything below, as
well.
2. To set the compression for the file system, use the zfs set command.
    MyZone# zfs set compression=on mypool/myzonefs
3. Examine the compression property again in the non-global zone.
    MyZone# zfs get compression mypool mypool/myzonefs mypool/myzonefs/tim
    NAME                 PROPERTY     VALUE  SOURCE
    mypool               compression  off    default
    mypool/myzonefs      compression  on     local
    mypool/myzonefs/tim  compression  on     Inherited from mypool/myzonefs
Note that the compression property has been inherited by mypool/myzonefs/tim as with normal ZFS administration.
Taking a Snapshot
One of the major advantages of ZFS is the ability to create an instant snapshot of any file system. By delegating a file
system to a non-global zone this feature becomes available as an option for the non-global zone administrator.
1. To take a snapshot named "1st" of the file system, use the zfs snapshot command.
    MyZone# zfs snapshot mypool/myzonefs@1st
    MyZone# zfs list
    NAME                 USED   AVAIL  REFER  MOUNTPOINT
    mypool               512K   197G   99K    /mypool
    mypool/myzonefs      198K   5.00G  99K    /mypool/myzonefs
    mypool/myzonefs@1st  0K     -      99K    -
    mypool/myzonefs/tim  98.5K  1024M  98.5K  /export/home/tim
As with ZFS file systems in the global zone, this snapshot is now accessible from the root of the file system in
.zfs/snapshot/1st.
Summary
Once a zone has been created and a ZFS file system has been allocated to it, the administrator for that (non-global) zone
can create file systems, take snapshots, create clones, and perform all the other functions of an administrator—within that
zone. Yet the global zone, and any other zones, are fully isolated from whatever happens in that zone.
The integration of Solaris Containers and Solaris ZFS is just another way that the Solaris 10 OS is providing cost benefits to
customers by allowing them to safely consolidate applications and more easily manage the data those applications use.
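The two rules the walkthrough above demonstrates from inside the zone, as added shell code that is not part of the Sun guide: a check that a requested dataset lies inside the delegated dataset (mypool/myzonefs1 must be refused even though it shares a name prefix with mypool/myzonefs) and the space a child such as mypool/myzonefs/tim can really use under nested quotas. Dataset names and quotas are the guide's; the function names and the whole-number size parser are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the Sun guide's own code). Models what the zone boundary
# enforced in the walkthrough:
#   1. the zone may only act on its delegated dataset and descendants;
#   2. a child's usable space is bounded by every quota above it.
# Function names and the integer-only size parser are this example's assumptions.

# in_delegated_dataset REQUESTED DELEGATED
# Exit 0 when REQUESTED is DELEGATED itself or a descendant of it.
# A plain string-prefix test would accept mypool/myzonefs1, which merely shares
# a prefix with mypool/myzonefs, so the pattern demands a '/' at the boundary.
in_delegated_dataset() {
    case "$1" in
        "$2" | "$2"/*) return 0 ;;
        *)             return 1 ;;
    esac
}

# to_bytes SIZE
# Prints the byte value of a whole-number ZFS size such as 5G, 1024M or 8K.
# The quotas in the guide are whole units; fractional sizes are rejected.
to_bytes() {
    num=${1%[KMGTkmgt]}
    unit=${1#"$num"}
    case "$num" in
        '' | *[!0-9]*) echo "to_bytes: unsupported size '$1'" >&2; return 1 ;;
    esac
    case "$unit" in
        '')  mult=1 ;;
        K|k) mult=1024 ;;
        M|m) mult=1048576 ;;
        G|g) mult=1073741824 ;;
        T|t) mult=1099511627776 ;;
    esac
    echo $((num * mult))
}

# effective_limit QUOTA...
# Prints, in bytes, the smallest of the quotas along a dataset's ancestry, which
# is what the child can actually consume (the guide's 1G under a 5G parent -> 1G).
# Use 'none' for a level that carries no quota.
effective_limit() {
    best=''
    for q in "$@"; do
        case "$q" in none) continue ;; esac
        b=$(to_bytes "$q") || return 1
        if [ -z "$best" ] || [ "$b" -lt "$best" ]; then best=$b; fi
    done
    echo "${best:-none}"
}

# zone_request ACTION DATASET DELEGATED: one-line decision for a request made
# from the non-global zone, phrased like the zfs error in the guide.
zone_request() {
    if in_delegated_dataset "$2" "$3"; then
        echo "allow $1 $2"
    else
        echo "deny  $1 $2: permission denied"
    fi
}

# Constructed requests mirroring the walkthrough (mypool/myzonefs is delegated).
for ds in mypool/myzonefs/tim mypool/myzonefs1 mypool/myfs mypool/myzonefs; do
    zone_request create "$ds" mypool/myzonefs
done
echo "mypool/myzonefs/tim usable bytes: $(effective_limit 5G 1G)"
```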
For More Information
While this Solaris How To Guide provides the rudimentary steps needed to get Solaris Container technology and the Solaris
ZFS file system working in collaboration with each other, more sophisticated configurations are possible. For more
information regarding Solaris Containers and Solaris ZFS, visit sun.com/solaris.
Manuals
Solaris ZFS Administration Guide: opensolaris.org/os/community/zfs/docs/zfsadmin_0417.pdf
Frequently Asked Questions (FAQ)
ZFS FAQ: sun.com/solaris/zfs/faq
Additional Q&A: opensolaris.org/os/community/zfs/faq
Web-Based Training
Solaris ZFS Learning Center (including video presentations and demos): sun.com/solaris/zfs
Solaris Containers Learning Center: sun.com/solaris/containers
Solaris Containers How to Guide: sun.com/solaris/howtoguides/containers
Community Resources
OpenSolaris ZFS Community: opensolaris.org/os/community/zfs
Sun ZFS Blogs: opensolaris.org/os/community/zfs/blogs
sun.com/solaris
©2005 Sun Microsystems, Inc. All rights reserved. Sun, Sun Microsystems, the Sun logo and Solaris are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and other countries.
Sun Microsystems, Inc. 4150 Network Circle, Santa Clara, CA 95054 USA Phone 1-650-960-1300 or 1-800-555-9SUN Web sun.com

Solaris Security or Unix Security?

Solaris Security: Step-by-Step
Hal Pomeranz
Deer Run Associates
All material in this course Copyright © Hal Pomeranz and Deer Run Associates,
2002. All rights reserved.
Hal Pomeranz * Founder/CEO * hal@deer-run.com
Deer Run Associates * PO Box 20370 * Oakland, CA 94620-0370
+1 510-339-7740 (voice) * +1 510-339-3941 (fax)
http://www.deer-run.com/
Solaris Security or Unix Security?
• For this talk, we'll be using Solaris syntax
• However, the same steps can (and should)
be applied to any Unix-like OS
• Pointers to specific instructions for many
different OS types at the end of the course
While this talk will be looking primarily at the Solaris operating system, the 10
basic steps we'll be covering can be applied to any Unix-like operating system. The
trick is finding out the correct syntax for each vendor's operating system. At the
end of the talk, there are two pages of URLs which point to various Internet sites
that either have automated tools for hardening systems, or white papers and other
documentation on system hardening.
Step 1: Minimize OS Image
• Choose the smallest OS install cluster
that's appropriate for your application
– Less that can go wrong (security & reliability)
– Less disk space consumed, faster reboots
• For Internet servers, use Core System
Support cluster
• Even smaller, customized package sets
can be used
The first step is to pick the smallest operating system image you can get away with
for your application. Extra features like Windowing systems and GUI-based
management tools, volume managers, etc. are convenient but can provide extra
avenues for attackers to break into your systems. We want to tend towards the
"security" end of the "security vs. ease-of-use" spectrum.
Internet servers (like Web servers, FTP servers, firewall devices, etc.) really only
need a bare minimum OS install. For Solaris, this is the Core System Support
cluster (SUNWCreq). This image does not include the Windowing system,
programming tools (/usr/ccs/bin, header files in /usr/include, etc.), or
even the system manual pages. You may want to customize the package list further
for your particular application. Sun has published a white paper on further
minimizing the Solaris operating system as part of their Blueprints™ series (URL at
the end of the talk).
One of the advantages to this kind of stripped-down OS install is size. The full
Solaris install requires at least a gigabyte of space just for the OS files themselves
(not counting swap space, space for logging, user and application data, etc). The
Core cluster can fit in a couple of hundred megabytes. Also, with less installed on
the system, there's less that can go wrong to cause the system to crash or lock up,
and rebooting or restarting the system happens much faster.
Step 2: Apply Patches
• At least download and install Sun's
"Recommended Patch Cluster"
• Also check Patch Report file for additional
security patches
• Patches must be maintained on an
ongoing basis!
Once you've decided exactly which pieces of the operating system you wish to
install, download and install the Recommended Patch Cluster for your OS version.
It's important that you install all of the OS packages that you'll need before you
apply patches. If you install OS software after your patch install, you may end up
with unpatched software that has security issues.
Patches can be found at ftp://sunsolve.sun.com/pub/patches: the
cluster files are named _Recommended.zip (or .tar.Z for Solaris 2.6
and earlier). Note that not all security patches are necessarily included in the
recommended patch set, so you'll also want to check out the
Solaris.PatchReport files in the same directory.
New patches are coming out all the time, so figure out some mechanism for keeping
your machines up-to-date. If you're running a big farm of identical Internet servers,
you may just want to rebuild your machines in rotation (a few at a time) and install
up-to-date patches at that point.
Step 3: Minimize Boot Services
• Disable everything not absolutely needed
• Big offenders:
– NFS, NIS, and other RPC-based services
– Sendmail, httpd, and other Internet servers
– SNMP, printer daemons, GUI logins, etc.
• Also remove related configuration files to
make system easier to audit
Patches cover security vulnerabilities that we're aware of, but new exploits are
being discovered every day. The best way to protect yourself from problems that
we don't know about yet is to turn off all of the services that you're not using.
There's an unbeatable smug feeling of satisfaction you get reading the latest
BUGTRAQ posting and knowing that you're not vulnerable because you elected not to
run a given service in the first place.
The basic principle here is:
If you don't need it, turn it off.
If you're not sure whether you need it or not, turn it off and see what breaks!
Prior to the distributed denial-of-service attacks in early Y2K, thousands of
Internet-connected machines were compromised via the well-known
rpc.ttdbserverd and rpc.cmsd holes. These machines later became the
"zombie" or "daemon" servers used in the attacks. You have to wonder why Web
servers need to be running Sun's calendar manager daemon; the answer being, of
course, that they don't!
Certain utilities are fine inside of a strongly firewalled environment (NFS, NIS,
print daemons, GUIs, etc.) but should never be used on machines that are
essentially connected directly to the Internet (Web servers, mail relays, etc.). Given
the rash of SNMP vulnerabilities in the last few months, definitely disable the
Solaris SNMP daemon if you're not currently using SNMP for network
management. Also, unless your system is a mail server, turn off the Sendmail
daemon or at least don't listen for incoming mail on port 25 (disable the -bd
switch).
Step 4: Disable inetd Services
• Remote admin requires login shell access
and file transfer; SSH does both securely
• Consider running SSH and turning off
inetd completely
• If you must run inetd:
– Remove unused entries from inetd.conf
– Use TCP Wrappers on remaining entries
– Use inetd -t for extra logging
In addition to the other services started at boot time, inetd will start up a number
of other network-related services on demand. Everything that is run out of inetd
has probably had at least one security vulnerability reported against it in recent
memory. inetd enables clear-text login and file transfer protocols (like telnet,
FTP, and rlogin/rcp) which can be sniffed, spoofed, and hijacked. Other
services (like echo, chargen, etc.) can be used as denial-of-service attacks.
From a networking perspective, all you really need is the ability to administer your
systems remotely (and perhaps not even that if you're willing to do all your work at
the system console). This means you need the ability to log into the system over the
network and transfer files back and forth. SSH provides both of these services (and
more) and is encrypted to prevent eavesdropping and hijacking. It may be that all
you need is SSH, in which case you can turn off inetd completely.
If you must run inetd for some reason, make sure to eliminate all services that are
not absolutely required and use TCP Wrappers to protect the rest. Solaris also
supports "connection tracing" in inetd (start inetd with the -t flag) which
provides additional logging about each connection.
Step 5: Tweak Kernel
Network configuration:
– Disable IP forwarding, drop source routed
– Protect against SYN floods, Smurf attacks
– Drop ICMP redirects, reduce ARP timeouts
– Help stop remote network mapping efforts
Other kernel parameters:
– Enable stack protection
– Prevent core dumps
– Set limits on processes
There are a number of parameters in the Solaris kernel which can be tweaked to enhance security. Network
parameters are generally set using the ndd command (you'll need to add a script to your boot directories
which sets these parameters automatically), and other parameters can be set in /etc/system.
On the network side of things, Solaris systems by default have IP forwarding enabled (the system will act as
a router if it has multiple network interfaces) and source routed packets will be accepted. Neither of these
is a good idea. The default Solaris ARP timeout (20 minutes) makes ARP spoofing attacks much easier, so
tuning this value down can help. Increasing the values for number of half-open connections and reducing
the half-open connection timeout can help your system handle SYN flood type attacks more easily.
Disabling various types of ICMP messages can help you prevent attackers from mapping your networks
remotely, and even prevent your systems from being used as an amplifier network for a Smurf-style attack.
Similarly, you can prevent the machine from obeying ICMP redirects (which could be used to maliciously
change your routing table on the fly).
You should definitely add the following two lines to your /etc/system file:
set noexec_user_stack = 1
set noexec_user_stack_log = 1
This turns on "stack protection" (available for Solaris 2.6 and later only) which will help protect you from
many buffer overflow attacks. You may also want to disable core dumps in /etc/system on your
production servers (core dumps are world-readable and can contain sensitive information), but remember
that your developers will probably want the ability to get core files on their development workstations.
/etc/system can also allow you to set other limits (like the maximum number of processes per user,
etc.) that can help prevent local denial-of-service attacks.
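As an added example (not part of the course notes), a boot-time script of the kind Step 5 asks for: it sets the network parameters the slide describes with ndd, can audit them later for drift, and checks /etc/system for the two stack-protection lines. The driver and parameter names are the standard Solaris ndd tunables; the NDD, DRYRUN and NDD_GET variables, the dry-run mode and the function names are conventions of this example only.

```shell
#!/bin/sh
# Added example, not part of the course notes. Applies and audits the Step 5
# network settings with ndd and checks /etc/system for stack protection.
# The ndd driver/parameter names are the standard Solaris tunables; NDD,
# DRYRUN, NDD_GET and the function names are this example's own conventions.

NDD=${NDD:-/usr/sbin/ndd}              # path assumed by this example
DRYRUN=${DRYRUN:-0}                    # 1 = print the ndd commands instead of running them
ETC_SYSTEM=${ETC_SYSTEM:-/etc/system}

# "driver parameter value" per line; text after the value is a comment.
# Intervals are in milliseconds.
NDD_SETTINGS='
/dev/ip  ip_forwarding                        0      do not route between interfaces
/dev/ip  ip_forward_src_routed                0      drop source-routed packets
/dev/ip  ip_forward_directed_broadcasts       0      Smurf amplification
/dev/ip  ip_respond_to_echo_broadcast         0      Smurf amplification
/dev/ip  ip_respond_to_timestamp              0      remote network mapping
/dev/ip  ip_respond_to_timestamp_broadcast    0      remote network mapping
/dev/ip  ip_respond_to_address_mask_broadcast 0      remote network mapping
/dev/ip  ip_ignore_redirect                   1      ignore ICMP redirects
/dev/ip  ip_send_redirects                    0      and do not emit them
/dev/ip  ip_ire_arp_interval                  60000  ARP cache: 1 minute instead of 20
/dev/arp arp_cleanup_interval                 60000  ARP cache: 1 minute instead of 5
/dev/tcp tcp_conn_req_max_q0                  4096   more half-open connection slots (SYN flood)
/dev/tcp tcp_ip_abort_cinterval               60000  give up on half-open connections sooner
'

# ndd_settings: the table with blank lines and comments removed.
ndd_settings() {
    printf '%s\n' "$NDD_SETTINGS" | while read -r drv param val comment; do
        case "$drv" in '' | '#'*) continue ;; esac
        printf '%s %s %s\n' "$drv" "$param" "$val"
    done
}

# ndd_get_real DRIVER PARAM: read the live value. NDD_GET names the getter so
# the audit can be exercised against a stand-in where the driver is absent.
ndd_get_real() { "$NDD" -get "$1" "$2"; }
NDD_GET=${NDD_GET:-ndd_get_real}

# ndd_apply: set every parameter (with DRYRUN=1, print the commands instead).
ndd_apply() {
    ndd_settings | while read -r drv param val; do
        if [ "$DRYRUN" = 1 ]; then
            echo "ndd -set $drv $param $val"
        else
            "$NDD" -set "$drv" "$param" "$val"
        fi
    done
}

# ndd_audit: report each parameter whose live value differs from the table;
# exit 1 when anything has drifted, so it can run from cron as a check.
ndd_audit() {
    ndd_settings | (
        drift=0
        while read -r drv param val; do
            cur=$("$NDD_GET" "$drv" "$param" 2>/dev/null) || cur='?'
            if [ "$cur" != "$val" ]; then
                echo "$drv $param is $cur, wanted $val"
                drift=1
            fi
        done
        exit "$drift"
    )
}

# etc_system_check [FILE]: exit 0 when both "set noexec_user_stack = 1" and
# "set noexec_user_stack_log = 1" are present (spacing around '=' may vary).
etc_system_check() {
    f=${1:-$ETC_SYSTEM}
    grep -q '^set[[:space:]]*noexec_user_stack[[:space:]]*=[[:space:]]*1' "$f" 2>/dev/null &&
        grep -q '^set[[:space:]]*noexec_user_stack_log[[:space:]]*=[[:space:]]*1' "$f" 2>/dev/null
}

# As a boot script: apply the settings, then warn if stack protection is missing.
if [ "$DRYRUN" = 1 ] || [ -x "$NDD" ]; then
    ndd_apply
fi
etc_system_check || echo "warning: $ETC_SYSTEM lacks the noexec_user_stack lines" >&2
```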
Step 6: Increase Logging
• Definitely tweak syslog.conf to capture
auth.info and daemon.notice msgs
• Create /var/adm/loginlog
• Additional levels of logging:
– System accounting (sar and friends)
– Process accounting
– Kernel level auditing (BSM)
The more information you log about your systems, the more likely you are to log something which
enables you to detect an attacker. Think about Cliff Stoll noticing an intruder on his system
because of a 75 cent accounting discrepancy (read The Cuckoo's Egg for more information).
At a minimum, tweak your syslog.conf file so that you at least log auth.info (and higher)
to a local log file and/or to some other machine. By default Solaris throws messages sent to
LOG_AUTH away, which is unfortunate since this is where all of the interesting security
information about the system goes. If you're using inetd connection tracing (inetd -t), then
you also need to log daemon.notice in order to get the connection logs from inetd.
If you create /var/adm/loginlog, then bad login messages will be logged to this file (and to
LOG_AUTH). Starting with Solaris 8, you can also set SYSLOG_FAILED_LOGINS in
/etc/default/login to control how many failed logins must occur before a message is
logged. If set to zero, then all failed logins are logged (hint: this is what you want).
There are several other options beyond these sorts of standard logging facilities. System accounting
keeps track of system usage information (CPU load, memory usage, disk usage, etc.); by defining a
baseline for your system's performance, you can detect unexpected or illicit usage by detecting
departures from the baseline. Process accounting keeps track of which commands users are running
on your system, but can be a performance drag on the machine. Kernel level auditing (aka BSM)
keeps track of even more information, but generates huge audit logs and can also be a performance
drag.
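As an added example (not from the course notes), a check for the two syslog.conf points above: whether auth.info and daemon.notice messages actually reach a log file or a remote host, and whether each line uses the TAB that Solaris syslogd requires between selector and action (a line separated by spaces is reported). The sample configuration is constructed and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the course notes. syslog_covers answers "do
# FACILITY.LEVEL messages reach a log file or an @host?", honouring '*',
# comma-separated facility lists, 'none', later selectors overriding earlier
# ones, and the rule that a selector level also captures everything more
# severe. The sample configuration is constructed; function names are this
# example's own.

# syslog_covers FACILITY LEVEL < syslog.conf
# Prints each covering line; exit 0 if at least one file or @host action covers it.
syslog_covers() {
    awk -v fac="$1" -v lvl="$2" '
        BEGIN {
            split("emerg alert crit err warning notice info debug", L, " ")
            for (i = 1; i <= 8; i++) rank[L[i]] = i
            rank["warn"] = rank["warning"]; rank["error"] = rank["err"]; rank["panic"] = rank["emerg"]
            want = rank[lvl] + 0; hits = 0
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        $0 !~ /\t/ {
            # Solaris syslogd wants a TAB here; spaces leave the entry unusable
            print "WARNING: line " NR " has no TAB between selector and action: " $0
            next
        }
        {
            sel = $1; act = $2; lev = -1
            n = split(sel, parts, ";")
            for (i = 1; i <= n; i++) {
                if (split(parts[i], fl, ".") != 2) continue
                m = split(fl[1], facs, ",")
                # a later selector for the same facility overrides an earlier one
                for (j = 1; j <= m; j++) {
                    if (facs[j] == "*" || facs[j] == fac)
                        lev = (fl[2] == "none") ? -1 : rank[fl[2]] + 0
                }
            }
            # console devices and user names do not keep a record; files and @host do
            stored = (act ~ /^@/) || (act ~ /^\// && act !~ /^\/dev\//)
            if (lev >= want && stored) { print "covered: " sel " -> " act; hits++ }
        }
        END { exit (hits == 0) }'
}

# Constructed sample: two default-style lines, the two additions the slide calls
# for, and one line broken by a space instead of a TAB (built with printf so the
# TABs are unambiguous).
sample_conf() {
    printf '%s\t%s\n' \
        '*.err;kern.notice;auth.notice'            '/dev/sysmsg' \
        '*.err;kern.debug;daemon.notice;mail.crit' '/var/adm/messages' \
        'auth.info'                                '/var/log/authlog' \
        'auth.info;daemon.notice'                  '@loghost'
    printf '%s %s\n' 'auth.info' '/var/log/broken'
}

# check_sample FACILITY LEVEL: run the sample through syslog_covers.
check_sample() { sample_conf | syslog_covers "$1" "$2"; }

check_sample auth info     || echo "auth.info is not being kept anywhere" >&2
check_sample daemon notice || echo "daemon.notice (inetd -t logs) is not being kept" >&2
```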
Step 7: Protect File Systems
• File systems should either be mounted
"nosuid" or "ro" (read-only)
• Set "logging" option on root file system
if you're running Solaris 8 or later
• Don't forget removable media devices:
– Turn off vold if possible
– Make sure rmmount.conf sets "nosuid"
From a file system perspective, you want to make it harder for attackers to replace OS programs with
their rootkits and other tools. You also want to prevent people from bringing unauthorized set-UID
binaries on your system. The simplest bit of wisdom here is the basic rule:
File systems should either be mounted "nosuid" or "ro".
In particular, the /usr file system contains all of the critical OS programs and set-UID binaries but is
relatively static, so you should mount /usr "ro" (read-only). When you need to install patches, you
can make the file system read-write again with the command "mount -o remount,rw /usr", but
you'll need to reboot the system to make it read-only again. You may be able to mount /opt,
/usr/local, and other file systems containing third-party software tools "ro" as well.
All other file systems should be mounted "nosuid". Unfortunately, Sun has decided that setting
"nosuid" also implies "nodev" (device files don't work), which means you can't mount the root file
system (which contains /devices) "nosuid", and you can't make it read-only either. You also need
to be careful about the whole "nosuid"/"nodev" thing on file systems where you're running
chroot()ed daemons (FTP servers, BIND, etc.) since the "nosuid" will interfere with the device
files required in your chroot() directory structure.
Removable media is a great way for attackers to compromise your systems if they have physical access:
just bring in a CD-ROM with a set-UID copy of the shell on it. If your users don't need the ability to
mount CDs and floppies, turn off the system volume manager (you can use sudo to give your users this
ability without having to run the volume manager). Also, be sure to set the "nosuid" option for all
removable media devices in the volume manager configuration file, /etc/rmmount.conf (this is the
default for Solaris 8 and later).
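As an added example (not from the course notes), a vfstab audit for the rule just stated: every ufs or tmpfs entry must carry "nosuid" or "ro", except the root file system, which cannot, and which is checked for the "logging" option instead. The vfstab below is constructed; vfstab_audit and the other names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the course notes. Audits /etc/vfstab against the
# Step 7 rule: "nosuid" or "ro" on every file system, with / exempt (nosuid
# implies nodev on Solaris) but expected to carry "logging". The sample
# vfstab is constructed; the function names are this example's own.

# vfstab_audit < vfstab
# Prints one finding per line; exit 0 when there are none.
vfstab_audit() {
    awk '
        # vfstab columns: device, fsck device, mount point, type, pass, at boot, options
        /^#/ || NF < 7 { next }
        # proc, fd and swap entries carry no set-UID files, so only these types matter
        $4 != "ufs" && $4 != "tmpfs" { next }
        {
            n = split($7, o, ","); has_ro = has_nosuid = has_log = 0
            for (i = 1; i <= n; i++) {
                if (o[i] == "ro")      has_ro = 1
                if (o[i] == "nosuid")  has_nosuid = 1
                if (o[i] == "logging") has_log = 1
            }
            if ($3 == "/") {
                if (!has_log) { print $3 ": root file system without \"logging\" option"; bad++ }
            } else if (!has_ro && !has_nosuid) {
                print $3 ": mounted neither \"nosuid\" nor \"ro\" (options: " $7 ")"; bad++
            }
        }
        END { exit (bad > 0) }'
}

# Constructed sample: /usr read-only and /var nosuid as the slide recommends,
# while /, /export/home and /tmp should each draw a finding.
SAMPLE_VFSTAB='
#device           device             mount         FS    fsck mount  mount
#to mount         to fsck            point         type  pass at boot options
fd                -                  /dev/fd       fd    -    no     -
/proc             -                  /proc         proc  -    no     -
/dev/dsk/c0t0d0s1 -                  -             swap  -    no     -
/dev/dsk/c0t0d0s0 /dev/rdsk/c0t0d0s0 /             ufs   1    no     -
/dev/dsk/c0t0d0s6 /dev/rdsk/c0t0d0s6 /usr          ufs   1    no     ro
/dev/dsk/c0t0d0s3 /dev/rdsk/c0t0d0s3 /var          ufs   1    no     nosuid,logging
/dev/dsk/c0t0d0s7 /dev/rdsk/c0t0d0s7 /export/home  ufs   2    yes    -
swap              -                  /tmp          tmpfs -    yes    -
'

# audit_sample: run the constructed vfstab through the audit.
audit_sample() { printf '%s\n' "$SAMPLE_VFSTAB" | vfstab_audit; }

audit_sample || echo "vfstab: the findings above need attention" >&2
```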
Step 8: Set Warning Banners
Authorized uses only.
All activity may be monitored and reported.
• Places to set warning banners:
– /etc/motd and /etc/issue
– /etc/default/{telnetd,ftpd}
– EEPROM
– GUI Login
While the legal precedents for various system warning messages are unclear, security experts
generally believe it's a good idea to inform users (authorized and otherwise) that the system is for
authorized users/uses only and that all activity may be monitored and the results of that monitoring
reported to the appropriate authorities as necessary. This message should definitely appear in the
/etc/motd file (displayed after login). Ideally, though, you'd like to present the message before
login. However, there are lots of different places you'll need to set the message, because logins can
occur over a variety of channels, including the standard system login (put the message in
/etc/issue), telnet and FTP (use the BANNER variable in
/etc/default/{telnetd,ftpd}), and GUI logins
(/etc/dt/config/*/Xresources).
Here's a longer warning banner that was developed by the US Department of Justice:
This system is for the use of authorized users only. Individuals using this computer system
without authority, or in excess of their authority, are subject to having all of their activities on
this system monitored and recorded by system personnel.
In the course of monitoring individuals improperly using this system, or in the course of system
maintenance, the activities of authorized users may also be monitored.
Anyone using this system expressly consents to such monitoring and is advised that if such
monitoring reveals possible evidence of criminal activity, system personnel may provide the
evidence of such monitoring to law enforcement officials.
Solaris Security: Step-by-Step 11
Step 9: Tighten Access Control
• Root logins only on system console
• Disable or remove unused accounts
• Create /etc/ftpusers
• Disable .rhosts support
• Restrict cron/at access
• Set EEPROM security-mode
• Restrict XDMCP, set locking screen saver
• Make sure that CONSOLE=/dev/console is set in /etc/default/login so that root logins are
only allowed on the system console device. Normally users should be forced to log in and then su to
become root.
• Audit your password file and remove accounts that are not being used (like the uucp, nuucp, and smtp
users). All other "system" accounts (like adm, daemon, bin, etc.) should have their shells set to
/dev/null to block access.
• Create an /etc/ftpusers file (even if you don't have FTP enabled). Remember that
/etc/ftpusers is the list of users who are not allowed to FTP into the system: root belongs here, as do
all of the "system" accounts from /etc/passwd.
• If you're using SSH, then make sure your sshd_config file does not allow .rhosts functionality
("IgnoreRhosts yes", etc.). Also edit /etc/pam.conf and remove any lines containing
rhosts_auth, even if you've disabled rlogin/rcp.
• cron.allow and at.allow list the users who are allowed to run the crontab and at commands to
submit/modify/delete cron jobs. On production systems, it is often the case that only the root user needs
this functionality. Note that the allow files control who may submit jobs, not whose jobs run: existing
cron jobs belonging to other users will still run even if root is the only user listed in cron.allow.
• Setting "eeprom security-mode=command" will cause the machine to prompt for a password
before boot-level commands are accepted. This prevents attackers with physical access from booting from
alternate media (like a CD-ROM) and bypassing your system security.
• If you're running X Windows on the machine, make sure to disable remote XDMCP access in
/etc/dt/config/Xaccess. You may also want to set a default locking screensaver timeout for your
users in /etc/dt/config/*/sys.resources.
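To check the account and ftpusers bullets mechanically, here is an added example (not part of the talk) that runs over constructed copies of /etc/passwd and /etc/ftpusers. The uid-below-100 cutoff for "system" accounts and the removable-account list (uucp, nuucp, smtp) are the example's own assumptions, drawn from the bullets above. POSIX sh plus awk; on Solaris 8/9 run it under /usr/bin/ksh or /usr/xpg4/bin/sh.

```shell
#!/bin/sh
# Added example (not from the original talk): audit system accounts and the
# ftpusers list the way Step 9 describes.

# Constructed /etc/passwd excerpt (not from a real host).
SAMPLE_PASSWD='root:x:0:1:Super-User:/:/sbin/sh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
sys:x:3:3::/:
adm:x:4:4:Admin:/var/adm:/dev/null
uucp:x:5:5:uucp Admin:/usr/lib/uucp:
nobody:x:60001:60001:Nobody:/:
user1:x:1001:10:Example User:/export/home/user1:/bin/ksh'

# Constructed /etc/ftpusers: root plus two of the system accounts, so the
# audit has something to find.
SAMPLE_FTPUSERS='root
daemon
bin'

# account_audit PASSWD_TEXT FTPUSERS_TEXT
# For every account with uid below 100 (the "system" accounts), report
#   - an account the talk says to remove outright (uucp, nuucp, smtp),
#   - a login shell other than /dev/null (root excepted), and
#   - absence from the ftpusers list (root included: root must be listed).
# Both texts go through one awk pass; ftpusers lines are tagged so the
# same -F: split carries them.
account_audit() {
  {
    printf '%s\n' "$2" | sed 's/^/FTPUSERS:/'
    printf '%s\n' "$1"
  } | awk -F: '
    $1 == "FTPUSERS" { listed[$2] = 1; next }
    NF < 7 { next }                                  # not a passwd line
    $1 == "uucp" || $1 == "nuucp" || $1 == "smtp" {
      print $1 ": unused account still present, remove it"; next
    }
    $3 + 0 < 100 {
      if ($1 != "root" && $7 != "/dev/null") {
        sh = ($7 == "" ? "(empty: default shell)" : $7)
        print $1 ": shell is " sh ", expected /dev/null"
      }
      if (!($1 in listed))
        print $1 ": missing from /etc/ftpusers"
    }'
}

# Run against the constructed samples; on a real host:
#   account_audit "$(cat /etc/passwd)" "$(cat /etc/ftpusers)"
account_audit "$SAMPLE_PASSWD" "$SAMPLE_FTPUSERS"
```

On the sample this yields six findings: daemon and bin still have a login shell, sys has a shell and is missing from ftpusers, adm is missing from ftpusers, and uucp should be removed. root and the ordinary user produce nothing.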
Solaris Security: Step-by-Step 12
Step 10: Install Security Tools
Bare minimum required tools:
– SSH
– TCP Wrappers
– NTP
– fix-modes
Extra credit:
– Tripwire, AIDE, etc.
– Logsentry (formerly Logcheck) or Swatch
– Host-based firewall, Portsentry, etc.
It's pretty much impossible to completely secure a Solaris machine without adding some
freely-available security software from the Internet. fix-modes sets appropriate
permissions on various OS files and directories (get fix-modes from
ftp://ftp.science.uva.nl/pub/solaris/). SSH and TCP Wrappers are
critical for network security. NTP (the Network Time Protocol for keeping system
clocks in synch) doesn't necessarily seem like security software, but how are you
planning on investigating security incidents at your site if the time on your hosts doesn't
agree with the time on your routers, firewalls, and intrusion detection systems? SSH
and TCP Wrappers are bundled with the OS starting with Solaris 9. NTP has been
available in the Solaris OS since Solaris 2.6.
Beyond these tools, there are many other useful security tools out there. Tripwire,
AIDE, et al are all integrity checking tools which will tell you when files on your
machine have been modified (like after a successful break-in). Logsentry (formerly
Logcheck) and Swatch are tools which will automatically monitor your log files and
report "interesting" events to the administrator. You can also deploy host-based
firewalls (IPFilter is the free tool for Solaris and other Unix systems, and Sun is making
its SunScreen product available for free as of Solaris 8) and monitoring tools like
Portsentry.
www.sunfreeware.com provides pre-compiled binaries for many of these tools in
Solaris pkgadd format.
Solaris Security: Step-by-Step 13
Looking Ahead to Solaris 9
• SSH and TCP Wrappers bundled in
• Sendmail upgraded to 8.12.x
• X server now supports -nolisten option
• Bundled log rotation service (logadm)
• Kernel /dev/random device
• Disk Suite (now "Solaris Volume Mgr ")
• UFS snapshots feature (fssnap)
Solaris 9 is now available and includes many, many useful new features (for more
detail, check out http://docs.sun.com/?p=/doc/806-5202/):
• Solaris 9 now ships with SSH and TCP Wrappers (as well as many other "Open
Source" tools like bash, zsh, GNU grep, GNU tar, etc).
• Solaris 9 ships with Sendmail 8.12.x by default. This is significant because it means
that /usr/lib/sendmail is no longer set-UID to root.
• The X server that ships with Solaris 9 now has a -nolisten option that enables
the admin or user to prevent their X server from listening for X connections over the network.
Since local clients are still OK, users can still tunnel remote X traffic via SSH.
• Solaris 9 finally includes a generic log rotation/archiving tool called logadm. This
means you don't have to worry about /var/log/authlog et al growing without
bound and consuming /var.
• Solaris 9 finally includes a kernel /dev/random device for SSH, SSL, etc.
• Lots of features have been added to the file system. Most interestingly, Solaris' UFS
file system now supports "snapshots": temporary, copy-on-write style, static read-only
copies of the file system for easy backups, etc. (Network Appliance users will be
familiar with this concept). An updated version of Sun's Disk Suite product (now
called the Solaris Volume Manager) is also bundled into the OS.
Solaris Security: Step-by-Step 14
Automated Hardening Tools
• JASS
http://www.sun.com/blueprints/tools/
• TITAN (Solaris and Linux)
http://www.fish.com/titan/
• YASSP
http://www.yassp.org/
• Hal's "configurator"
http://www.deer-run.com/~hal/jumpstart/
• Bastille (Linux and HP-UX)
http://www.bastille-linux.org/
The first four tools listed here are all automated tools for hardening Solaris systems
in similar ways to the material I've covered in this talk. Bastille does a similar job
for Linux systems (and for HP-UX as of the most recent beta release). TITAN now
supports both Solaris and Linux systems. YASSP development may be "dead in the
water" because the author of the tool no longer has time to maintain it.
My own home page (http://www.deer-run.com/~hal/) has a bunch of
other security-related information and useful tricks.
Solaris Security: Step-by-Step 15
Other Hardening Procedures
• Solaris, HP-UX, RedHat/Mandrake, IOS, Windows:
http://www.CISecurity.org/
• Solaris, RedHat/Mandrake, BIND, Apache:
http://www.boran.com/security/sp/
• Solaris, HP-UX, Tru64, Windows NT:
http://www.sabernet.net/papers/
• Sun Blueprints™ On-Line
http://www.sun.com/blueprints/browsesubject.html
Here are some additional URLs which point to hardening guidelines for a variety of
operating systems and applications.
In addition to free guidelines for various operating systems, the Center for Internet
Security is also providing free auditing tools to test your systems for compliance.
Unlike the automated "hardening" tools on the previous slide, the Center's tools are
strictly "read-only" and don't change any settings on the machine.
Sun's Blueprints™ series contains lots of interesting documents. In particular
there are several documents by Alex Noordergraaf and others on topics ranging
from OS minimization, to network security settings in the kernel, to the JASS
toolkit.
Solaris Security: Step-by-Step 16
That's It!
• Thanks for listening!
• Any final questions?
This space intentionally left blank.

Solaris™ 10 Zones

A sneak preview into a feature of the block buster Operating System of Sun Microsystems Inc.
Solaris™ 10 Zones
Document Stage    Name                Date
Created           R Rajesh            11/December/2005
Updated
Approved          Gary Riseborough    23/December/2005
Delivered
Change Log
The following is a script that was run on the Solaris™ 10 Operating System to
create a zone by the name apple-store. The exercise mentioned in this document
was conducted during the Sun courses on New Features of the Solaris™ 10
Operating System delivered by Mr. Gary Riseborough (Employee of Sun
Microsystems Inc., Sydney, Australia). The author of this journal has included the
errors that were encountered during the zone creation process as well. Some
parts of the output are omitted or modified for brevity. This is a simple zone
creation process. For insight into the complex zone creation process, please
visit the following web-location:
http://www.brendangregg.com/zones.html
[Brendan Gregg is an Instructor for Sun in Australia]
Author: R Rajesh 1
Caution: Due care has been taken to make this
document error-free. But the fact that the
contents of this document are copied from a text
file produced as a result of the "script -a"
command run on a Solaris box, and that several
modifications had to be made to it for
proper presentation, makes it a candidate for
potential typographical errors. Kindly report the
errors spotted to the author at info@rajeshr.net
Script started on Mon Nov 07 19:02:16 2005
# df -k
Filesystem kbytes used avail capacity Mounted on
/dev/dsk/c0t0d0s0 5063150 3096633 1915886 62% /
/devices 0 0 0 0% /devices
ctfs 0 0 0 0% /
system/contract
proc 0 0 0 0% /proc
mnttab 0 0 0 0% /etc/mnttab
swap 703864 968 702896 1% /etc/svc/volatile
objfs 0 0 0 0% /system/object
fd 0 0 0 0% /dev/fd
swap 702944 48 702896 1% /tmp
swap 702944 48 702896 1% /var/run
/dev/dsk/c0t0d0s7 14027418 13937 13873207 1% /export/home
# mkdir /export/home/zones
# zonecfg -z apple-store
apple-store: No such zone configured
Use 'create' to begin configuring a new zone.
zonecfg:apple-store> create
zonecfg:apple-store> set autoboot=true
zonecfg:apple-store> set zonepath=/export/home/zones/apple-store
zonecfg:apple-store> add net
zonecfg:apple-store:net> #### You need to set 2 variables for this:
zonecfg:apple-store:net> set physical=hme0
zonecfg:apple-store:net> set address=192.168.1.45.216
zonecfg:apple-store:net> end
zonecfg:apple-store> ### All this what have dones is in the memory
zonecfg:apple-store> verify
zonecfg:apple-store> commit
zonecfg:apple-store> exit
# #### Zone creation completed
# cd /etc/zones
# ls
SUNWblank.xml SUNWdefault.xml apple-store.xml index
# #### The file "apple-store.xml" is a newly created file
# more apple-store.xml
"file:///usr/share/lib/xml/dtd/zonecfg.dtd.1">
autoboot="true">
# ### lib, platform, sbin, usr are the directories that are shared
# ifconfig -a
lo0: flags=2001000849 mtu 8232 index 1
inet 127.0.0.1 netmask ff000000
hme0: flags=1000843 mtu 1500 index 2
inet 192.168.1.216 netmask ffffff00 broadcast 192.168.1.255
ether 0:3:ba:10:2d:a7
# zoneadm -z apple-store install
could not verify net address=192.168.1.45.216 physical=hme0: Neither
an IPv4 nor an IPv6 address nor a host name
zoneadm: zone apple-store failed to verify
# ls
SUNWblank.xml SUNWdefault.xml apple-store.xml index
# vi apple-store.xml
"file:///usr/share/lib/xml/dtd/zonecfg.dtd.1">
autoboot="true">
"apple-store.xml" 12 lines, 525 characters#
wq!"apple-store.xml" 12 lines, 523 characters
## zoneadm -z t apple-store install
Preparing to install zone .
Creating list of files to copy from the global zone.
Copying <2578> files to the zone.
Initializing zone product registry.
Determining zone package initialization order.
Preparing to initialize <914> packages on the zone.
Initializing package <0> of <914>: percent complete: 0%
Initializing package <1> of <914>: percent complete: 0%
Initializing package <2> of <914>: percent complete: 0%
Initializing package <3> of <914>: percent complete: 0%
Initializing package <4> of <914>: percent complete: 0%
Initializing package <5> of <914>: percent complete: 0%
Initializing package <6> of <914>: percent complete: 0%
Initializing package <7> of <914>: percent complete: 0%
Initializing package <8> of <914>: percent complete: 0%
Initializing package <9> of <914>: percent complete: 0%
Initializing package <10> of <914>: percent complete: 1%
<------------------ Output Truncated for Brevity------------->
Initializing package <912> of <914>: percent complete: 99%
Initializing package <913> of <914>: percent complete: 99%
Initialized <914> packages on zone.
Zone is initialized.
The file root/var/sadm/system/logs/install_log> contains a log of the
zone installation.
# #### I had made a mistake while creating zones (IP address that I
gave was invalid). I edited the file, the one that is found in the /
etc/zones and changed the IP address and it worked fine.
# ifconfig -a
lo0: flags=2001000849 mtu 8232 index 1
inet 127.0.0.1 netmask ff000000
hme0: flags=1000803 mtu 1500 index 2
inet 192.168.1.216 netmask ffffff00 broadcast 192.168.1.255
ether 0:3:ba:10:2d:a7
# cd /export/home
# ls
lost+found zones
# cd zones
# ls
apple-store
# cd apple-store
# ls
root
# cd root
# ls
bin etc home mnt platform sbin tmp
var
dev export lib opt proc system usr
# zoneadm -list -cv
ID NAME STATUS PATH
0 global running /
- apple-store installed /export/home/zones/apple-store
# zoneadm -z apple-store boot
zoneadm: zone 'apple-store': "/usr/lib/fs/lofs/mount -o
ro,nosub,nodevices /sbin /export/home/zones/apple-store/root/sbin"
failed with exit code 33
zoneadm: zone 'apple-store': failed to loopback mount /sbin: Error 0
zoneadm: zone 'apple-store': call to zoneadmd failed
# zoneadm -z apple-store boot
zoneadm: zone 'apple-store': "/usr/lib/fs/lofs/mount -o
ro,nosub,nodevices /sbin /export/home/zones/apple-store/root/sbin"
failed with exit code 33
zoneadm: zone 'apple-store': failed to loopback mount /sbin: Error 0
zoneadm: zone 'apple-store': call to zoneadmd failed
#
### The booting process was failing on zone apple-store
### Under the instruction from Gary I uninstalled it
#
# zoneadm -z apple-store uninstall
Are you sure you want to uninstall zone apple-store (y/[n])? y
#
### Reinstalling the zone
#
# zoneadm -z apple-store install
Preparing to install zone .
Creating list of files to copy from the global zone.
Copying <2578> files to the zone.
Initializing zone product registry.
Determining zone package initialization order.
Preparing to initialize <914> packages on the zone.
Initializing package <0> of <914>: percent complete: 0%
Initializing package <1> of <914>: percent complete: 0%
Initializing package <2> of <914>: percent complete: 0%
Initializing package <3> of <914>: percent complete: 0%
Initializing package <4> of <914>: percent complete: 0%
Initializing package <5> of <914>: percent complete: 0%
Initializing package <6> of <914>: percent complete: 0%
Initializing package <7> of <914>: percent complete: 0%
Initializing package <8> of <914>: percent complete: 0%
Initializing package <9> of <914>: percent complete: 0%
Initializing package <10> of <914>: percent complete: 1%
Initializing package <11> of <914>: percent complete: 1%
Initializing package <12> of <914>: percent complete: 1%
Initializing package <13> of <914>: percent complete: 1%
Initializing package <14> of <914>: percent complete: 1%
Initializing package <15> of <914>: percent complete: 1%
Initializing package <16> of <914>: percent complete: 1%
Initializing package <17> of <914>: percent complete: 1%
Initializing package <18> of <914>: percent complete: 1%
Initializing package <19> of <914>: percent complete: 2%
Initializing package <20> of <914>: percent complete: 2%
Initializing package <21> of <914>: percent complete: 2%
Initializing package <22> of <914>: percent complete: 2%
Initializing package <23> of <914>: percent complete: 2%
Initializing package <24> of <914>: percent complete: 2%
Initializing package <25> of <914>: percent complete: 2%
<---------------- Output omitted for Brevity ---------------->
Initializing package <913> of <914>: percent complete: 99%
Initialized <914> packages on zone.
Zone is initialized.
The file root/var/sadm/system/logs/install_log> contains a log of the
zone installation.
# zoneadm -z apple-store boot
zoneadm: zone 'apple-store': WARNING: hme0:1: no matching subnet
found in netmasks(4) for 192.168.45.216; using default of
255.255.255.0.
#
#
#
#
#
#
#
# #### Zone creation over successfully. There was some error
initially. Under the advice from Gary I uninstalled and re-installed
the zones.
#
#
# exit
script done on Tue Nov 08 13:12:57 2005

Solaris ZFS and Containers: Overview
ZFS is a new file system from Sun provided in the Solaris 10
OS. It provides very high levels of data integrity and
performance, and improves the ease of file system
management by eliminating the need for a volume
manager. Also, because it is 128-bit based, it opens the
door to virtually unlimited data scalability.
Traditional file systems have a model of a single device or
volume for each file system. This makes administration
complex and potentially prone to administrative errors
which could result in the destruction of data or lack of
access to the data. ZFS uses a pooled storage model in
which storage capacity is held within an expandable pool
called a zpool. Multiple file systems can exist within a
zpool and they can share the capacity and IO resources of
the pool. This new architectural approach, the storage
version of virtual memory, permits easier administration of
file systems and enables performance breakthroughs.
Figure 1—ZFS automatically grows shared storage
Solaris Containers is Sun's operating system virtualization
technique. It consists of several technologies that work
together to foster improved resource management and
isolate the environment from the underlying OS. With
Solaris Containers, you can determine how to allocate
resources among applications and services, and ensure
they do not interfere with one another.
ZFS and Containers are tightly integrated to allow the zone
administrator delegated rights to control the ZFS file
systems. By using ZFS and Containers in combination you
can assign a portion of the storage pool to a container.
This means that the administrator for that container has
the authority to manage that portion of the storage pool,
but it is isolated from the rest of the system. (See the figure
below.) This lets you benefit from both the data integrity of
ZFS, as well as the high availability and resource control of
containers.
Figure 2—Containers let you isolate ZFS file systems
Note that while Containers technology has several aspects,
the example in this guide will focus solely on the zones
aspect.
ZFS How To Guide
1
Solaris 10 Operating System sun.com/solaris
[Figure 1 panel labels: scalable STORAGE POOL; APPLICATION1, APPLICATION2, APPLICATION 3; ZFS]
[Figure 2 panel labels: GLOBAL ZONE; NON-GLOBAL ZONE; ZFS Storage; Delegated File System]
ZFS and Containers: An Example
This section is a step-by-step guide that shows how to perform certain ZFS file system tasks inside of Solaris Containers; for
example, taking snapshots and managing data compression. It does this by going through the following steps:
• Creating a zpool
• Creating a Zone
• Allocating a ZFS File System to a Zone
• Creating New File Systems
• Applying Quota to the File Systems
• Changing the Mountpoint of a File System
• Setting the Compression Property
• Taking a Snapshot
Each of these steps is described in detail below.
Creating a zpool
ZFS uses device names or partition names when dealing with pools and devices. For a device, this will be something like
c1t0d0 (for a SCSI device) or c1d1 (for an IDE device). For a partition, it will be something like c1t0d0s0 (for a SCSI device)
or c1d1s0 (for an IDE device). This example creates a pool that is mirrored using two disks.
1. To create a zpool in the global zone, use the zpool create command. Typically, you use two devices to provide
redundancy.
Note that the zpool create command may fail if the devices are in use or contain some types of existing data (e.g. UFS
file system). If they are in use, you will need to unmount them or otherwise stop using them. If they contain existing
data you can use the -f (force) flag to override the safety check, but be sure that you are not destroying any data you
want to retain.
2. Examine the pool properties using the zpool list command.
This shows you that there is one zpool, named mypool, with a capacity of 199GBytes.
Creating a Zone
To show ZFS working in an environment that is isolated from other applications on the system, you need to create a zone.
To create a zone:
1. Create a directory where the zone file system will reside, using the mkdir command. Be sure to choose a location where
the file system has at least 80MBytes of available space.
Note that in this example, for the sake of brevity, the root file system of the zone is a UFS file system.
Global# zpool create mypool mirror c2t5d0 c2t6d0
Global# zpool list
NAME SIZE USED AVAIL CAP HEALTH ALTROOT
mypool 199G 164K 199G 0% ONLINE -
Global# mkdir /zones
2. Configure the zone (myzone), using the zonecfg command, and specify the location of the zone's files
(/zones/myzone). Use the following series of commands.
Again, for the purpose of streamlining, this example uses a very minimal zone. For more details on creating zones see
the Solaris Containers How To Do Stuff guide at:
www.sun.com/software/solaris/howtoguides/containersLowRes.jsp
3. Install the zone by using the zoneadm.
4. Boot the zone to complete the installation, using the zoneadm command.
5. Use the zlogin command to connect to the zone console.
It may take a short while for the first boot to configure everything, load all the service descriptors, and so on. You will
need to answer the system configuration details. Some suggestions are:
The zone will reboot after you have provided the configuration information.
6. Before you can proceed to the next stage, the configured zone needs to be shut down (configuration changes are only
applied when the zone boots).
Global# zonecfg -z myzone
myzone: No such zone configured
Use 'create' to begin configuring a new zone
zonecfg:myzone> create
zonecfg:myzone> set zonepath=/zones/myzone
zonecfg:myzone> verify
zonecfg:myzone> commit
zonecfg:myzone> exit
Global# zoneadm -z myzone install
Preparing to install zone
[Output from zoneadm, this may take a few mins]
Global# zoneadm -z myzone boot
Global# zlogin -C myzone
[Connected to zone 'myzone' console]
[Initial zone boot output, service descriptions are loaded etc.]
Terminal=(12)X Terminal Emulator (xterms)
Not Networked
No Kerberos
Name service = None
Time Zone = your-time-zone
root passwd = (Your choice – remember it though!)
Global# zlogin myzone init 5
Allocating a ZFS File System to a Zone
Now that you have a zpool (mypool) and a zone (myzone) you are ready to allocate a ZFS file system to the zone.
1. To create a ZFS file system, use the zfs create command.
2. To apply a quota to the file system, use the zfs set quota command.
The file system and all of its child file systems can be no larger than the designated quota. Note that both these steps
must be performed in the global zone. Also notice that creating the file system in ZFS is much simpler than with a
traditional file system/volume manager combination.
To illustrate the isolation/security properties of containers with ZFS this example now creates a ZFS file system that will
remain outside the container. There is no need to apply a quota to this outside file system.
3. To create this other file system, again use the zfs create command.
4. To show the properties of the pool and all of its file systems, use the zfs list command.
To make the file system (myzonefs) available in the zone (myzone), the zone configuration needs to be updated.
5. To update the zone configuration, use the zonecfg command.
The mypool/myzonefs file system is now added to the zone configuration. Note that these steps must be performed with
the zone shut down, otherwise the zone configuration changes would not be visible until the next reboot. To check that
the zone is shut down, try logging into it with zlogin myzone. If the zone is shut down the login will fail; if the zone is
running you will see a login prompt: log in as root and shut the zone down with init 5. These steps are performed in the
global zone.
Global# zfs create mypool/myzonefs
Global# zfs set quota=5G mypool/myzonefs
Global# zfs create mypool/myfs
Global# zfs list
NAME USED AVAIL REFER MOUNTPOINT
mypool 396G 197G 99.5K /mypool
mypool/myfs 98.5K 197G 98.5K /mypool/myfs
mypool/myzonefs 98.5K 5G 98.5K /mypool/myzonefs
Global# zonecfg -z myzone
zonecfg:myzone> add dataset
zonecfg:myzone:dataset> set name=mypool/myzonefs
zonecfg:myzone:dataset> end
zonecfg:myzone> commit
zonecfg:myzone> exit
6. Now boot the zone.
7. Log in to the zone. (Leave a few seconds for the zone to boot.)
8. List the ZFS file systems in the zone.
Note the 5GByte maximum available from the external quota and that the other file systems in the pool
(mypool/myfs) are not visible. This demonstrates the isolation property that Containers provide.
Creating New File Systems
Administering ZFS file systems from the non-global zone is done just as it is in the global zone, although you are limited
to operating within the file system that is allocated to the zone (mypool/myzonefs). New ZFS file systems are always
created as children of this file system because it is the only ZFS file system the non-global zone can see. The administrator
in the non-global zone can create these file systems; there is no need to involve the administrator of the global zone, though
the global zone administrator could do so if it were necessary.
1. To create a new file system, use the zfs create command.
The non-global zone administrator can create as many child file systems as s/he wants and each child file system can have
its own file systems, and in that way form a hierarchy.
As a demonstration that the non-global zone administrator is limited to the assigned file systems, this example
demonstrates trying to break security by creating a file system outside the container's "space".
2. Try to create another file system outside of mypool/myzonefs, using the zfs create command.
As you can see, ZFS and zones security denies permission for the non-global zone to access resources it has not been
allocated and the operation fails.
Global# zoneadm -z myzone boot
Global# zlogin -C myzone
[Connected to zone 'myzone' pts/3]
[Usual Solaris login sequence]
MyZone# zfs list
NAME USED AVAIL REFER MOUNTPOINT
mypool 0M 200B - /mypool
mypool/myzonefs 8K 5G 8K /mypool/myzonefs
MyZone# zfs create mypool/myzonefs/tim
MyZone# zfs list
NAME USED AVAIL REFER MOUNTPOINT
mypool 504M 197G 99K /mypool
mypool/myzonefs 197K 5.00G 98.5K /mypool/myzonefs
mypool/myzonefs/tim 98.5K 5.00G 98.5K /mypool/myzonefs/tim
MyZone# zfs create mypool/myzonefs1
cannot create 'mypool/myzonefs1': permission denied
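As an added example (not part of the Sun guide), the script below takes a zfs list capture made inside the zone and checks the two properties this section relies on: that nothing outside the delegated dataset is visible, and that no dataset in the delegated subtree reports more available space than the quota the global zone set. The first listing is the one printed in the guide after mypool/myzonefs/tim was created; the second is a constructed variant with a stray dataset and a child exceeding the quota, so the check has something to report. The dataset names and the 5G quota are the guide's; everything else is the example's own.

```shell
#!/bin/sh
# Added example (not from the Sun guide): audit a `zfs list` capture taken
# inside a non-global zone against the dataset the global zone delegated to
# it and the quota it set. POSIX sh plus awk.

# awk helper shared by both functions: zfs sizes such as 98.5K, 1024M, 5.00G.
ZFS_SIZE_FN='
function to_bytes(s,   unit, num) {
  unit = substr(s, length(s), 1); num = substr(s, 1, length(s) - 1)
  if (unit == "K") return num * 1024
  if (unit == "M") return num * 1024 * 1024
  if (unit == "G") return num * 1024 * 1024 * 1024
  if (unit == "T") return num * 1024 * 1024 * 1024 * 1024
  return s + 0                                   # plain byte count
}
'

# to_bytes SIZE: print SIZE in bytes (shell wrapper around the awk helper).
to_bytes() {
  awk -v s="$1" "$ZFS_SIZE_FN"'BEGIN { printf "%.0f\n", to_bytes(s) }'
}

# delegation_audit DELEGATED QUOTA < zfs-list-output
# Prints one line per finding:
#   - a dataset that is visible in the zone but is neither the pool itself nor
#     inside the delegated subtree (the isolation property has been broken), or
#   - a dataset inside the subtree whose AVAIL exceeds the delegated quota
#     (the global zone's quota is not bounding it).
delegation_audit() {
  awk -v deleg="$1" -v quota_s="$2" "$ZFS_SIZE_FN"'
    BEGIN { quota = to_bytes(quota_s) }
    $1 == "NAME" { next }                          # header row
    NF < 5 { next }
    {
      name = $1; pool = name; sub(/\/.*/, "", pool)
      inside = (name == deleg || index(name, deleg "/") == 1)
      if (name != pool && !inside) {
        print name ": visible but outside delegated dataset " deleg
        next
      }
      if (inside && to_bytes($3) > quota)
        print name ": AVAIL " $3 " exceeds delegated quota " quota_s
    }'
}

# Listing as shown in the guide after mypool/myzonefs/tim was created.
SAMPLE_ZFS_LIST='NAME USED AVAIL REFER MOUNTPOINT
mypool 504M 197G 99K /mypool
mypool/myzonefs 197K 5.00G 98.5K /mypool/myzonefs
mypool/myzonefs/tim 98.5K 5.00G 98.5K /mypool/myzonefs/tim'

# Constructed variant with two faults: a dataset outside the delegation is
# visible, and a child reports more space than the 5G quota allows.
BAD_ZFS_LIST="$SAMPLE_ZFS_LIST
mypool/myfs 98.5K 197G 98.5K /mypool/myfs
mypool/myzonefs/bob 98.5K 12G 98.5K /mypool/myzonefs/bob"

# On a real system, inside the zone: zfs list | delegation_audit mypool/myzonefs 5G
printf '%s\n' "$BAD_ZFS_LIST" | delegation_audit mypool/myzonefs 5G
```

The guide's own listing produces no findings: the pool root is always visible, and both datasets under mypool/myzonefs show exactly the 5G AVAIL the global zone allowed. The constructed listing produces two, one per fault.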
Applying Quota to the File Systems
Typically, to prevent a user from consuming all of the space, a non-global zone administrator will want to apply a quota to the
new file system. Of course, the child's quota can't be more than 5GByte, as that's the quota specified by the global zone
administrator for all of the file systems below mypool/myzonefs.
1. To set a quota on our new file system, use the zfs set quota command.
The administrator of the non-global zone has set the quota of the child file system to be 1G. They have full authority to do
this because they are operating on their delegated resources and do not need to involve the global zone administrator.
The ZFS property inheritance mechanism applies across zone boundaries, so the non-global zone administrator can specify
his/her own property values should s/he wish to do so. As with normal ZFS property inheritance, these override inherited
values.
Changing the Mountpoint of a File System
Now that the file system is set up and has the correct quota assigned to it, it is ready for use. However, the place where
the file system appears (the mountpoint) is partially dictated by what the global zone administrator initially chose as the
pool name (in this example, mypool/myzonefs). But typically, a non-global zone administrator would want to change it.
1. To change the mountpoint, use the zfs set mountpoint command.
Note that the mountpoint can be changed for any file system independently.
MyZone# zfs set quota=1G mypool/myzonefs/tim
MyZone# zfs list
NAME USED AVAIL REFER MOUNTPOINT
mypool 508M 197G 99K /mypool
mypool/myzonefs 198k 5.00G 99K /mypool/myzonefs
mypool/myzonefs/tim 98.5K 1024M 98.5K /mypool/myzonefs/tim
MyZone# zfs set mountpoint=/export/home/tim mypool/myzonefs/tim
MyZone# zfs list
NAME USED AVAIL REFER MOUNTPOINT
mypool 508M 197G 99K /mypool
mypool/myzonefs 198k 5.00G 99K /mypool/myzonefs
mypool/myzonefs/tim 98.5K 1024M 98.5K /export/home/tim
Setting the Compression Property
The next example demonstrates the compression property. If compression is enabled, ZFS will transparently compress all of
the data before it is written to disk.
The benefits of compression are both saved disk space and possible write speed improvements.
1. To see what the current compression setting is, use the zfs get command.
MyZone# zfs get compression mypool mypool/myzonefs mypool/myzonefs/tim
NAME                 PROPERTY     VALUE  SOURCE
mypool               compression  off    default
mypool/myzonefs      compression  off    default
mypool/myzonefs/tim  compression  off    default
Be aware that the compression property on the pool is inherited by the file system and child file system. So if the non-global
zone administrator sets the compression property for the delegated file system, it will set it for everything below, as
well.
2. To set the compression for the file system, use the zfs set command.
MyZone# zfs set compression=on mypool/myzonefs
3. Examine the compression property again in the non-global zone.
MyZone# zfs get compression mypool mypool/myzonefs mypool/myzonefs/tim
NAME                 PROPERTY     VALUE  SOURCE
mypool               compression  off    default
mypool/myzonefs      compression  on     local
mypool/myzonefs/tim  compression  on     Inherited from mypool/myzonefs
Note that the compression property has been inherited by mypool/myzonefs/tim, as with normal ZFS administration.
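The following script is an added example (not from the guide) that reads the tab-separated output of zfs get -H and reports, for each dataset, whether the effective property value is under the non-global zone administrator's control (set locally on, or inherited from, a dataset inside the delegation) or comes from outside it, such as a pool-level setting only the global zone administrator can change; the function names and the sample lines are constructed.

```shell
#!/bin/sh
# Added example, not from the Sun guide: classify, for each dataset, whether
# the effective value of a property is controlled from inside the delegation
# (set locally on, or inherited from, a dataset at or below the delegated
# file system) or from outside it (a default, or inherited from an ancestor
# such as the pool, which only the global zone administrator can change).
# Input is the tab-separated form of:
#   zfs get -H -o name,property,value,source <property> <datasets...>
# Nothing is executed against ZFS; the sample lines below are constructed.

# property_owner DELEGATED_ROOT DATASET SOURCE : print "zone" or "global"
property_owner() {
    root=$1; name=$2; src=$3
    case "$src" in
        local)
            origin=$name ;;
        "inherited from "*|"Inherited from "*)
            origin=${src#[Ii]nherited from } ;;
        *)
            # default, temporary, received, "-": not chosen by the zone admin
            echo global; return ;;
    esac
    case "$origin" in
        "$root"|"$root"/*) echo zone ;;
        *)                 echo global ;;
    esac
}

# report DELEGATED_ROOT : annotate zfs get -H lines read from stdin
report() {
    while IFS="$(printf '\t')" read -r name prop value src; do
        printf '%s\t%s=%s\t%s\n' "$name" "$prop" "$value" \
            "$(property_owner "$1" "$name" "$src")"
    done
}

# Constructed input, matching the guide's listing after compression=on was
# set on the delegated file system mypool/myzonefs.
sample=$(
    printf 'mypool\tcompression\toff\tdefault\n'
    printf 'mypool/myzonefs\tcompression\ton\tlocal\n'
    printf 'mypool/myzonefs/tim\tcompression\ton\tinherited from mypool/myzonefs\n'
)
printf '%s\n' "$sample" | report mypool/myzonefs
```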
Taking a Snapshot
One of the major advantages of ZFS is the ability to create an instant snapshot of any file system. By delegating a file
system to a non-global zone this feature becomes available as an option for the non-global zone administrator.
1. To take a snapshot named "1st" of the file system, use the zfs snapshot command.
MyZone# zfs snapshot mypool/myzonefs@1st
MyZone# zfs list
NAME                 USED   AVAIL  REFER  MOUNTPOINT
mypool               512K   197G   99K    /mypool
mypool/myzonefs      198K   5.00G  99K    /mypool/myzonefs
mypool/myzonefs@1st  0K     -      99K    -
mypool/myzonefs/tim  98.5K  1024M  98.5K  /export/home/tim
As with ZFS file systems in the global zone, this snapshot is now accessible from the root of the file system in
.zfs/snapshot/1st.
Summary
Once a zone has been created and a ZFS file system has been allocated to it, the administrator for that (non-global) zone
can create file systems, take snapshots, create clones, and perform all the other functions of an administrator, within that
zone. Yet the global zone, and any other zones, are fully isolated from whatever happens in that zone.
The integration of Solaris Containers and Solaris ZFS is just another way that the Solaris 10 OS is providing cost benefits to
customers by allowing them to safely consolidate applications and more easily manage the data those applications use.
For More Information
While this Solaris How To Guide provides the rudimentary steps needed to get Solaris Container technology and the Solaris
ZFS file system working in collaboration with each other, more sophisticated configurations are possible. For more
information regarding Solaris Containers and Solaris ZFS, visit sun.com/solaris.
Manuals
Solaris ZFS Administration Guide: opensolaris.org/os/community/zfs/docs/zfsadmin_0417.pdf
Frequently Asked Questions (FAQ)
ZFS FAQ: sun.com/solaris/zfs/faq
Additional Q&A: opensolaris.org/os/community/zfs/faq
Web-Based Training
Solaris ZFS Learning Center (including video presentations and demos): sun.com/solaris/zfs
Solaris Containers Learning Center: sun.com/solaris/containers
Solaris Containers How to Guide: sun.com/solaris/howtoguides/containers
Community Resources
OpenSolaris ZFS Community: opensolaris.org/os/community/zfs
Sun ZFS Blogs: opensolaris.org/os/community/zfs/blogs
sun.com/solaris
©2005 Sun Microsystems, Inc. All rights reserved. Sun, Sun Microsystems, the Sun logo and Solaris are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and other countries.
Sun Microsystems, Inc. 4150 Network Circle, Santa Clara, CA 95054 USA Phone 1-650-960-1300 or 1-800-555-9SUN Web sun.com