Zones hardening – Sun Microsystems SOLARIS 10 User Manual
Version 3.1-en
Solaris 10 Container Guide - 3.1 5. Cookbooks
Effective: 30/11/2009
5.1.15. Accelerated automatic creation of zones on a ZFS file system
[bf/ug] If a zone is configured on a ZFS file system, it can be duplicated very quickly by using ZFS
snapshots. This procedure is described below by means of an example script. The script is available
for download at:
http://blogs.sun.com/blogfinger/entry/how_to_create_a_lot
In the first part of the script, the most important parameters for the zones are defined. These
include, for example:
• Number of zones to be created
• Network address range
• Name of the network interface
• Net mask
• Gateway
• Base zone name (supplemented with a number to form the zone name)
• Zone directory (supplemented with the zone name)
• Name of the zone that is used as the basis for cloning
• Information for the sysidcfg file
• Start status of the zone after installation
Once these settings have been made, the script creates the zones automatically and starts them in the
configured state. More details on the script are available in the blog entry.
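The following script is an added example of the procedure described above; it is not the script from the blog entry. It defines the parameters listed (zone count, address range, interface, prefix length, gateway, base name, zone directory, clone source, sysidcfg data, boot flag), builds a zonecfg command file and a sysidcfg file per zone, and clones the base zone with zoneadm, which takes a ZFS snapshot of the source zonepath when it lies on ZFS. All names, addresses and paths are assumptions; the defrouter setting assumes Solaris 10 10/08 or later, and the script defaults to a dry run that only prints the commands.

```shell
#!/bin/sh
# Added example, not the script from the blog entry: create N zones by cloning
# an installed base zone whose zonepath lives on ZFS.  zoneadm clone snapshots
# and clones the source zonepath on ZFS, so each copy takes seconds instead of
# a full install.  Run with /usr/xpg4/bin/sh or ksh on Solaris 10.  Every
# name, address and path below is an assumption for illustration.

ZONE_COUNT=3                 # number of zones to create
NET_PREFIX=192.168.100       # first three octets of the address range
NET_START=11                 # last octet of the first zone's address
NET_PREFIX_LEN=24            # net mask 255.255.255.0
NET_IF=e1000g0               # physical interface the shared-IP zones use
GATEWAY=192.168.100.1        # default router (zonecfg defrouter, S10 10/08+)
BASE_NAME=zone               # zone names become zone1, zone2, ...
ZONE_DIR=/zones              # zonepaths become /zones/zone1, ...
SOURCE_ZONE=master           # installed and halted zone used as clone source
ROOT_PW_HASH='PLACEHOLDER'   # crypt(3) hash of the root password (placeholder)
TIMEZONE=Europe/Berlin
BOOT_AFTER_INSTALL=yes       # yes: boot each zone once it is installed
DRY_RUN=${DRY_RUN:-yes}      # yes: print the commands instead of running them

zone_name() { echo "${BASE_NAME}$1"; }
zone_ip()   { echo "${NET_PREFIX}.$((NET_START + $1 - 1))"; }

# zonecfg command file for zone number $1: use the source zone's configuration
# as a template (so the sparse-root/whole-root layout matches the clone
# source), then replace its zonepath and its single net resource.
zonecfg_script() {
    cat <<EOF
create -t ${SOURCE_ZONE}
set zonepath=${ZONE_DIR}/$(zone_name "$1")
set autoboot=false
remove -F net
add net
set address=$(zone_ip "$1")/${NET_PREFIX_LEN}
set physical=${NET_IF}
set defrouter=${GATEWAY}
end
commit
EOF
}

# sysidcfg for zone number $1, answering the first-boot questions so the
# cloned zone comes up without an interactive sysid session.
sysidcfg_file() {
    cat <<EOF
system_locale=C
terminal=xterm
timezone=${TIMEZONE}
network_interface=PRIMARY {hostname=$(zone_name "$1")}
root_password=${ROOT_PW_HASH}
name_service=NONE
security_policy=NONE
nfs4_domain=dynamic
EOF
}

# Configure, clone, seed sysidcfg and optionally boot zone number $1.
create_zone() {
    name=$(zone_name "$1")
    zpath="${ZONE_DIR}/${name}"
    if [ "$DRY_RUN" = yes ]; then
        echo "### $name: zonecfg -z $name -f <file containing:>"
        zonecfg_script "$1"
        echo "zoneadm -z $name clone $SOURCE_ZONE"
        echo "### $name: write to $zpath/root/etc/sysidcfg:"
        sysidcfg_file "$1"
        [ "$BOOT_AFTER_INSTALL" = yes ] && echo "zoneadm -z $name boot"
        return 0
    fi
    cfg="/tmp/${name}.zonecfg.$$"
    zonecfg_script "$1" > "$cfg" && zonecfg -z "$name" -f "$cfg" || return 1
    rm -f "$cfg"
    zoneadm -z "$name" clone "$SOURCE_ZONE" || return 1
    sysidcfg_file "$1" > "$zpath/root/etc/sysidcfg" || return 1
    [ "$BOOT_AFTER_INSTALL" = yes ] && zoneadm -z "$name" boot
    return 0
}

i=1
while [ "$i" -le "$ZONE_COUNT" ]; do
    create_zone "$i" || { echo "failed at zone $i" >&2; exit 1; }
    i=$((i + 1))
done
```

Set DRY_RUN=no to actually create the zones; the source zone must be installed and halted, and its zonepath (and ZONE_DIR) must be on a ZFS dataset for zoneadm clone to use a snapshot rather than a copy.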
5.1.16. Zones hardening
[dd] To harden Solaris, the Solaris Security Toolkit is recommended as a general rule. Complete
procedures and mechanisms can be found here:
http://www.sun.com/products-n-solutions/hardware/docs/Software/enterprise_computing/systems_management/sst/index.html
Within the toolkit, the features that are required to harden sparse-root or whole-root zones are
described. Details on this can be found here:
http://www.sun.com/products-n-solutions/hardware/docs/html/819-1503-10/introduction.html#pgfId-1001177
With Solaris 10 11/06, the "Secure by default" feature was introduced for network services: running
netservices limited disables all network services except sshd, or reconfigures them so that they only
respond to requests from localhost. As a result, zones in networks can be safeguarded considerably
using simple means.
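The following check is an added example, not part of the Container Guide: it verifies that a zone (or the global zone) still carries the localhost-only settings that netservices limited applies to rpcbind, syslogd and sendmail, which is the state an administrator expects after hardening and which a later netservices open would undo. The property list reflects the generic_limited_net profile; the SAMPLE block is constructed svcprop output so the script runs where no Solaris host is available, and on a real host it is run with USE_SAMPLE=no so that svcprop is queried instead.

```shell
#!/bin/sh
# Added example, not from the Container Guide: check whether a Solaris 10 host
# or zone still has the "Secure by default" settings that "netservices
# limited" leaves behind.  EXPECTED lists service FMRI, property and the value
# the limited profile sets.  SAMPLE is constructed svcprop output used when no
# Solaris host is available; run with USE_SAMPLE=no on a real host.

EXPECTED='svc:/network/rpc/bind config/local_only true
svc:/system/system-log config/log_from_remote false
svc:/network/smtp:sendmail config/local_only true'

# Constructed sample: a host where rpcbind was re-opened to the network.
SAMPLE='svc:/network/rpc/bind config/local_only false
svc:/system/system-log config/log_from_remote false
svc:/network/smtp:sendmail config/local_only true'

USE_SAMPLE=${USE_SAMPLE:-yes}

# Print the current value of property $2 on service $1 (sample or svcprop).
prop_value() {
    if [ "$USE_SAMPLE" = yes ]; then
        while read f p v; do
            if [ "$f" = "$1" ] && [ "$p" = "$2" ]; then echo "$v"; return 0; fi
        done <<EOF
$SAMPLE
EOF
        return 1
    fi
    svcprop -p "$2" "$1" 2>/dev/null
}

# One line per property that no longer matches the limited profile.
audit_limited() {
    while read fmri prop want; do
        [ -z "$fmri" ] && continue
        got=$(prop_value "$fmri" "$prop") || got='(unset)'
        [ "$got" = "$want" ] || echo "DEVIATION $fmri $prop=$got (expected $want)"
    done <<EOF
$EXPECTED
EOF
}

# Number of deviations found; 0 means the limited settings are intact.
deviation_count() { audit_limited | wc -l | tr -d ' '; }

audit_limited
echo "deviations: $(deviation_count)"
```

The check covers only the property changes of the limited profile; the services the profile disables outright are best compared separately by listing the enabled instances with svcs -a and reviewing anything other than ssh that is online.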