h4. Understanding the Security Capabilities of Solaris Zones Software
*by Glenn Brunette and Jeff Victor* {excerpt}December 2008{excerpt}
Part of the Solaris 10 Operating System (OS), Solaris Zones are widely discussed across all corners of the Web. Over time, Solaris Zones have grown in popularity, third-party support has increased, and the technology has been enhanced continually to support new and different kinds of features and configurations. So why does the world need yet another article about Solaris Zones? Simple. Most publications and sites focus on the consolidation benefits of Solaris Zones. While server and service consolidation is a key use case for Solaris Zones, there is much more to the technology. Other materials focus on system administration practices related to configuration, installation, management, and troubleshooting. This is incredibly useful information, but there is still an important gap: many people do not fully appreciate the security benefits enabled by Solaris Zones, and by sparse root zone configurations more specifically.
h4. Contents
* Zone Root File System
* Process Containment
* Operating System Privileges
** Default Privileges
** Required Privileges
** Prohibited Privileges
** Optional Privileges
* Operating System Kernel Modules
* Operating System Devices
* Networking
** Shared IP
** Exclusive IP
* Operating System Files
* Operating System Security Configuration
* Resource Management
** Memory Controls
*** Physical and Virtual Memory Capping
*** Shared Memory
*** Locked Memory
** CPU Controls
*** Fair Share Scheduler
*** CPU Capping
*** Private Pool
*** Shared Pool
** Miscellaneous Controls
* File Integrity Checks
* Security Auditing
* Solaris Trusted Extensions
* Summary
* About the Authors
* Acknowledgments
* References
* Ordering Sun Documents
* Accessing Sun Documentation Online
{panel:title=About the Authors|borderStyle=solid|titleBGColor=#F8D583|bgColor=white}
h6. Glenn Brunette
Glenn Brunette is a Global Systems Engineering Director and Chief Security Architect at Sun, where he leads a global team focused on advanced information security architectures. For his achievements and contributions to information security, Glenn was named a Sun Distinguished Engineer, an honor granted to less than 100 people in the company. His team was awarded a 2008 Sun Innovation Award for their project, Sun Systemic Security.
For over 15 years, Glenn has architected, developed, and delivered security solutions for a wide range of customers and industries. Currently, Glenn works in the Chief Architect's Office where he defines Sun's global security strategy and architecture, and works to improve the security of products and services used by Sun's customers. Glenn is the founder of Sun's Systemic Security approach, an OpenSolaris™ Security Community Leader, the co-founder of the Solaris Security Toolkit software, and a frequent author, contributor, and speaker at both Sun and industry events. Externally, Glenn has served in leadership positions at the National Cyber Security Partnership, the Enterprise Grid Alliance, as well as at the Center for Internet Security.
h6. Jeff Victor
Jeff Victor is a Sr. Systems Engineer at Sun Microsystems, Inc. He uses his 20+ years of UNIX experience to drive the adoption of Sun's virtualization technologies through customer education, lecturing at industry conferences, and writing Sun BluePrints articles, other published documents, and his blog. Jeff is an OpenSolaris Zones Community Leader and original developer of the OpenSolaris Zones FAQ.
{panel}
{panel:title=Acknowledgments|borderStyle=solid|titleBGColor=#F8D583|bgColor=white}
The authors would like to thank the following people for their inspiration, technical feedback, and overall support in the development of this article: John Banghart, Glenn Faden, John Howard, Jerry Jelinek, Dan McDonald, Erik Nordmark, Denny Olson, Scott Rotondo, Christoph Schuba, Sharon Veach, and Gary Winiger.
{panel}