Securing a zone using the Solaris Security Toolkit
By John Clingan-Oracle on Aug 31, 2006
Yep. Still looking over my shoulder. Until recently, I was using a script I wrote to customize a zone. I had two reasons in mind. The first was to disable unnecessary services to conserve RAM, the second to secure the server. However, there is a better way. I've recently adopted the Solaris Security Toolkit (SST) thanks in part to Glenn.
The Solaris Security Toolkit is a configurable tool to harden a system. While best applied during a jumpstart (secure early & repeatably), it can also be applied to a newly installed system. Of course, a newly created zone is a great target for SST. My first application of the SST was to a zone created specifically for the purpose of understanding what the SST does to a host/zone. I have the ability to customize the SST via a driver file to enable or disable the hardening of various OS functions. In fact, while learning about the SST, I was rolling back the zone to repeatedly test out my customizations.
What is equally nice about the SST is that it not only hardens a system, it also enables the administrator to run an audit to detect modifications that stray from the SST hardening. There is one modification I would like, and that is for the SST to be zone aware. What I mean by that is the ability to run the SST from the global zone, and have the SST harden a specified list of non-global zones as well as the global zone. Right now, I have to install the SST into each and every local zone of interest. I'd like to leverage potential the economy of scale of the zones model. Then again, I want to get a bit smarter on "secure by default" to see how it plays with the SST.
If you are serious about security, consider utilizing SST.