image courtesy of Faisal's photo stream on Flikr
Glenn Brunette describes how to more easily secure ZFS file systems compared to UFS file systems in this white paper, along the following lines:
UFS file systems have the following characteristics:
- UFS file systems are directly tied to disk slices
- Disk slice space is not easily expanded to increase capacity for UFS file systems because the disk generally contains other disk slices for active file systems
- In some cases, you have to reinstall the OS to increase the size of the UFS root file system
- UFS file system space is controlled by using UFS quotas
ZFS file systems have the following advantages:
- ZFS uses a pooled storage model where all the file systems in pool
use available pool space.
- No relationship exists between ZFS file systems and disk slices
except for the ZFS root file system.
- A long-standing boot limitation is that a ZFS root file system must
be created on a disk slice.
- During installation, you define the size of the root pool disk slice
or mirrored slices that contain the root file system.
- The root file system contains separate directories of system-related
components, such as etc, usr, and var, unless you specify that var
is separate file system.
- You can put a reservation and a quota on the /var file system to
determine how much disk space is reserved for /var and how disk space
it can consume.
For example, you might consider configuring a separate /var file system
when installing a system that will be used as a mail server. This
way, you can control the size of var with a quota so that root pool's
space capacity is not exceeded.
In addition, if the ZFS root file system and the /var file system begin
to exceed the pool's capacity, you can easily replace the root pool
disk with a larger disk without having to unmount, restore a backup, or
reinstall the root file system.
How should you configure your ZFS data sets for optimum security? Read Glenn's paper to find out. He not only provides security-based recommendations for ZFS, but also for:
- Software installation clusters
- Non-executable stacks
- USB Support
- Plugable Authentication Modules
- Service Management Facility
- Cryptographic services management
- And lots more
If you're inclined to read more about security, try these other two papers we published recently, plus OTN's security collection.
- Rick Ramsey and Cindy Swearingen