Thursday Nov 03, 2011

Solaris Security Resources on OTN

image courtesy of Faisal's photo stream on Flikr

An Overview of Oracle Solaris 10 Security Controls

Glenn Brunette describes how to more easily secure ZFS file systems compared to UFS file systems in this white paper, along the following lines:

UFS file systems have the following characteristics:

  • UFS file systems are directly tied to disk slices
  • Disk slice space is not easily expanded to increase capacity for UFS file systems because the disk generally contains other disk slices for active file systems
  • In some cases, you have to reinstall the OS to increase the size of the UFS root file system
  • UFS file system space is controlled by using UFS quotas

ZFS file systems have the following advantages:

  • ZFS uses a pooled storage model where all the file systems in pool use available pool space.
  • No relationship exists between ZFS file systems and disk slices except for the ZFS root file system.
  • A long-standing boot limitation is that a ZFS root file system must be created on a disk slice.
  • During installation, you define the size of the root pool disk slice or mirrored slices that contain the root file system.
  • The root file system contains separate directories of system-related components, such as etc, usr, and var, unless you specify that var is separate file system.
  • You can put a reservation and a quota on the /var file system to determine how much disk space is reserved for /var and how disk space it can consume.

For example, you might consider configuring a separate /var file system when installing a system that will be used as a mail server. This way, you can control the size of var with a quota so that root pool's space capacity is not exceeded.

In addition, if the ZFS root file system and the /var file system begin to exceed the pool's capacity, you can easily replace the root pool disk with a larger disk without having to unmount, restore a backup, or reinstall the root file system.

How should you configure your ZFS data sets for optimum security? Read Glenn's paper to find out. He not only provides security-based recommendations for ZFS, but also for:

  • Software installation clusters
  • Minimization
  • Non-executable stacks
  • Filesystems
  • USB Support
  • Plugable Authentication Modules
  • Service Management Facility
  • Cryptographic services management
  • Zones
  • And lots more

If you're inclined to read more about security, try these other two papers we published recently, plus OTN's security collection.

Oracle Solaris 11 Security: What's New for Developers

Recommendations for Creating Reduced or Minimal Solaris Configurations

OTN's Security Collection

- Rick Ramsey and Cindy Swearingen
Website
Newsletter
Facebook
Twitter

Tuesday Aug 16, 2011

Ginny Had A Bright Idea

image courtesy of Twenty Words

In the Olden Days before most of us were born, if a woman got a bright idea she got an immediate spanking from John Wayne. Thank goodness John Wayne has stopped doing that, or we wouldn't get to reap the benefits of the research Ginny Henningsen did with Oracle Solaris 11.

When Ginny read about all the different ways to download, install, patch, and manage updates in Solaris 11, she wasn't sure where to start. So she drew on her personal experience, the experience of other sysadmins and systems engineers, the documentation, and the related technical articles posted on OTN.

The result? These three very practical articles.

Article 1
Best Way To Update Software Using IPS in Oracle Solaris 11

The SVR4 packaging and patching systems in earlier versions of Solaris were designed by the Chosen for the Faithful. If you loved SunOS you could recite package nomenclature in your sleep and you always, always used the command line. Alas, nobody loves software for its own sake any more. At least, not enough of us do. And so, the latest version of Solaris does away with the mystery, the animal sacrifice, the practice of witchcraft, and the other requirements for mastery of earlier versions. Read how Ginny put away her potions and figured out the best way to use the new tools.

Article 2
Best Way to Automate ZFS Snapshots and Track Software Updates in Oracle Solaris 11

Boot environments in Solaris 11 perform a function similar to Live Upgrade environments in Oracle Solaris 10. Except that they're implemented with ZFS. Which means you can generate snapshots of your boot environments at every point you'd like to record. And the beauty of that is, of course, that you can return to any snapshot of the boot environment that you want to use. In this article, Ginny introduces TimeSlider, shows you how to configure it to take automatic snapshots, and explains how to keep a record of the software updates that have been made to the current boot environment.

Article 3
Best Way to Update Software in Oracle Solaris 11 Zones

Before the Zone there was the Container. And before the Container, the Zone. This is The Way of Software. In her third "Best Way" article, Ginny figures out the best way to manage software updates in Solaris 11 zones which, as you might expect, are different from Solaris 10 zones. After showing you those differences, she shows you how to create, configure, install, and clone a Solaris 11 zone, then how to upgrade both the global and non-global zones. As a bonus, you get to find out what to do if something goes wrong.

We're expecting more "Best Way" articles from Ginny down the road. So read these, try out their recommendations yourself, and tell us what you think.

And don't forget to save the lemur!

- Rick
Website
Newsletter
Facebook
Twitter

Wednesday Mar 30, 2011

Spotlight On Image Packaging System


Not getting enough technical specificity out of "record-breaking?"

How about "industry-leading?"

Not even "performance-enhancing?"

No?


The kind folks in Oracle Solaris marketing have decided to dig a little deeper and unearth the kind of information sysadmins and developers look for. They've put together three technology Spotlights.

Each spotlight provides solid technical info such as podcasts with engineers, how-to guides, quick-reference cards ("one-liners"), technical articles, documentation, training, and more. They're designed to make sure you have all the info you need to start actually using these technologies right now.

These are the current spotlights we have:

Keep an eye out for future Solaris 11 spotlights here. And, of course, on the front page of the OTN Systems Community.

- Rick
System Admin and Developer Community of the Oracle Technology Network

About

Contributors:
Rick Ramsey
Kemer Thomson
and members of the OTN community

Search

Archives
« April 2014
SunMonTueWedThuFriSat
  
1
2
3
4
5
6
7
8
9
10
12
13
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
   
       
Today
Blogs We Like