Solaris Security Resources on OTN

Guest Author

image courtesy of Faisal's photo stream on Flickr

An Overview of Oracle Solaris 10 Security Controls

In this white paper, Glenn Brunette describes how ZFS file systems can be secured more easily than UFS file systems, along the following lines:

UFS file systems have the following characteristics:

  • UFS file systems are directly tied to disk slices
  • Disk slice space is not easily expanded to increase capacity for UFS file systems because the disk generally contains other disk slices for active file systems
  • In some cases, you have to reinstall the OS to increase the size of the UFS root file system
  • UFS file system space is controlled by using UFS quotas

ZFS file systems have the following advantages:

  • ZFS uses a pooled storage model where all the file systems in the pool
    use available pool space.
  • No relationship exists between ZFS file systems and disk slices
    except for the ZFS root file system.
  • A long-standing boot limitation is that a ZFS root file system must
    be created on a disk slice.
  • During installation, you define the size of the root pool disk slice
    or mirrored slices that contain the root file system.
  • The root file system contains separate directories of system-related
    components, such as etc, usr, and var, unless you specify that var
    is a separate file system.
  • You can put a reservation and a quota on the /var file system to
    determine how much disk space is reserved for /var and how much disk
    space it can consume.

For example, you might consider configuring a separate /var file system
when installing a system that will be used as a mail server. This
way, you can control the size of /var with a quota so that the root pool's
space capacity is not exceeded.
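To check that a separate /var is actually bounded this way, the following added example (not taken from the white paper) audits the tab-separated output of `zfs get -H -p -o name,property,value quota,reservation <dataset>`. The dataset name `rpool/ROOT/s10be/var`, the sizes, and the caller-supplied pool size in bytes are constructed assumptions.

```shell
#!/bin/sh
# Added example: audit the quota and reservation on a separate /var dataset.
# Reads "name<TAB>property<TAB>value" lines on stdin, as produced by:
#   zfs get -H -p -o name,property,value quota,reservation <dataset>
# $1 is the root pool size in bytes (supplied by the caller; an assumption).
# Prints one line per finding, or PASS. Exit status 1 means /var is unbounded.

check_var_limits() {
    awk -F'\t' -v pool="$1" '
        $2 == "quota"       { quota = $3 }
        $2 == "reservation" { resv  = $3 }
        END {
            # An unset property is reported as 0 (or "none" without -p).
            q = (quota == "none") ? 0 : quota + 0
            r = (resv  == "none") ? 0 : resv  + 0

            if (q == 0) {
                print "FAIL: no quota, /var can consume the whole root pool"
                bad = 1
            } else if (q >= pool + 0) {
                print "FAIL: quota is not smaller than the pool, no protection"
                bad = 1
            }
            if (r == 0)
                print "WARN: no reservation, other datasets can starve /var"
            if (!bad && r > 0)
                print "PASS"
            exit bad
        }'
}

# Constructed sample: 8 GiB quota, 2 GiB reservation, 64 GiB root pool.
sample_ok() {
    printf 'rpool/ROOT/s10be/var\tquota\t8589934592\n'
    printf 'rpool/ROOT/s10be/var\treservation\t2147483648\n'
}

# Constructed sample: neither property set (a mail spool could fill the pool).
sample_unbounded() {
    printf 'rpool/ROOT/s10be/var\tquota\t0\n'
    printf 'rpool/ROOT/s10be/var\treservation\t0\n'
}

sample_ok        | check_var_limits 68719476736
sample_unbounded | check_var_limits 68719476736 || echo "(/var is not bounded)"
```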

In addition, if the ZFS root file system and the /var file system begin
to exceed the pool's capacity, you can easily replace the root pool
disk with a larger disk without having to unmount, restore a backup, or
reinstall the root file system.

How should you configure your ZFS datasets for optimum security? Read Glenn's paper to find out. He provides security-based recommendations not only for ZFS, but also for:

  • Software installation clusters
  • Minimization
  • Non-executable stacks
  • Filesystems
  • USB Support
  • Pluggable Authentication Modules
  • Service Management Facility
  • Cryptographic services management
  • Zones
  • And lots more

If you're inclined to read more about security, try these other two papers we published recently, plus OTN's security collection.

Oracle Solaris 11 Security: What's New for Developers

Recommendations for Creating Reduced or Minimal Solaris Configurations

OTN's Security Collection

- Rick Ramsey and Cindy Swearingen