Solaris Security Resources on OTN
By Rickramsey-Oracle on Nov 03, 2011
image courtesy of Faisal's photo stream on Flikr
Glenn Brunette describes how to more easily secure ZFS file systems compared to UFS file systems in this white paper, along the following lines:
UFS file systems have the following characteristics:
- UFS file systems are directly tied to disk slices
- Disk slice space is not easily expanded to increase capacity for UFS file systems because the disk generally contains other disk slices for active file systems
- In some cases, you have to reinstall the OS to increase the size of the UFS root file system
- UFS file system space is controlled by using UFS quotas
ZFS file systems have the following advantages:
- ZFS uses a pooled storage model where all the file systems in pool use available pool space.
- No relationship exists between ZFS file systems and disk slices except for the ZFS root file system.
- A long-standing boot limitation is that a ZFS root file system must be created on a disk slice.
- During installation, you define the size of the root pool disk slice or mirrored slices that contain the root file system.
- The root file system contains separate directories of system-related components, such as etc, usr, and var, unless you specify that var is separate file system.
- You can put a reservation and a quota on the /var file system to determine how much disk space is reserved for /var and how disk space it can consume.
For example, you might consider configuring a separate /var file system when installing a system that will be used as a mail server. This way, you can control the size of var with a quota so that root pool's space capacity is not exceeded.
In addition, if the ZFS root file system and the /var file system begin to exceed the pool's capacity, you can easily replace the root pool disk with a larger disk without having to unmount, restore a backup, or reinstall the root file system.
How should you configure your ZFS data sets for optimum security? Read Glenn's paper to find out. He not only provides security-based recommendations for ZFS, but also for:
- Software installation clusters
- Non-executable stacks
- USB Support
- Plugable Authentication Modules
- Service Management Facility
- Cryptographic services management
- And lots more
If you're inclined to read more about security, try these other two papers we published recently, plus OTN's security collection.