e29666
TRANSCRIPT
Oracle® VM Server for SPARC 3.0 SecurityGuide
Part No: E29666November 2012
Copyright © 2007, 2012, Oracle and/or its affiliates. All rights reserved.
This software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected by intellectualproperty laws. Except as expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license,transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means. Reverse engineering, disassembly, or decompilation of this software,unless required by law for interoperability, is prohibited.
The information contained herein is subject to change without notice and is not warranted to be error-free. If you find any errors, please report them to us in writing.
If this is software or related documentation that is delivered to the U.S. Government or anyone licensing it on behalf of the U.S. Government, the following notice isapplicable:
U.S. GOVERNMENT END USERS. Oracle programs, including any operating system, integrated software, any programs installed on the hardware, and/ordocumentation, delivered to U.S. Government end users are "commercial computer software" pursuant to the applicable Federal Acquisition Regulation andagency-specific supplemental regulations. As such, use, duplication, disclosure, modification, and adaptation of the programs, including any operating system,integrated software, any programs installed on the hardware, and/or documentation, shall be subject to license terms and license restrictions applicable to theprograms. No other rights are granted to the U.S. Government.
This software or hardware is developed for general use in a variety of information management applications. It is not developed or intended for use in any inherentlydangerous applications, including applications that may create a risk of personal injury. If you use this software or hardware in dangerous applications, then you shallbe responsible to take all appropriate fail-safe, backup, redundancy, and other measures to ensure its safe use. Oracle Corporation and its affiliates disclaim anyliability for any damages caused by use of this software or hardware in dangerous applications.
Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.
Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and are trademarks or registeredtrademarks of SPARC International, Inc. AMD, Opteron, the AMD logo, and the AMD Opteron logo are trademarks or registered trademarks of Advanced MicroDevices. UNIX is a registered trademark of The Open Group.
This software or hardware and documentation may provide access to or information on content, products, and services from third parties. Oracle Corporation andits affiliates are not responsible for and expressly disclaim all warranties of any kind with respect to third-party content, products, and services. Oracle Corporationand its affiliates will not be responsible for any loss, costs, or damages incurred due to your access to or use of third-party content, products, or services.
Ce logiciel et la documentation qui l’accompagne sont protégés par les lois sur la propriété intellectuelle. Ils sont concédés sous licence et soumis à des restrictionsd’utilisation et de divulgation. Sauf disposition de votre contrat de licence ou de la loi, vous ne pouvez pas copier, reproduire, traduire, diffuser, modifier, breveter,transmettre, distribuer, exposer, exécuter, publier ou afficher le logiciel, même partiellement, sous quelque forme et par quelque procédé que ce soit. Par ailleurs, il estinterdit de procéder à toute ingénierie inverse du logiciel, de le désassembler ou de le décompiler, excepté à des fins d’interopérabilité avec des logiciels tiers ou tel queprescrit par la loi.
Les informations fournies dans ce document sont susceptibles de modification sans préavis. Par ailleurs, Oracle Corporation ne garantit pas qu’elles soient exemptesd’erreurs et vous invite, le cas échéant, à lui en faire part par écrit.
Si ce logiciel, ou la documentation qui l’accompagne, est concédé sous licence au Gouvernement des Etats-Unis, ou à toute entité qui délivre la licence de ce logicielou l’utilise pour le compte du Gouvernement des Etats-Unis, la notice suivante s’applique:
U.S. GOVERNMENT END USERS. Oracle programs, including any operating system, integrated software, any programs installed on the hardware, and/ordocumentation, delivered to U.S. Government end users are "commercial computer software" pursuant to the applicable Federal Acquisition Regulation andagency-specific supplemental regulations. As such, use, duplication, disclosure, modification, and adaptation of the programs, including any operating system,integrated software, any programs installed on the hardware, and/or documentation, shall be subject to license terms and license restrictions applicable to theprograms. No other rights are granted to the U.S. Government.
Ce logiciel ou matériel a été développé pour un usage général dans le cadre d’applications de gestion des informations. Ce logiciel ou matériel n’est pas conçu ni n’estdestiné à être utilisé dans des applications à risque, notamment dans des applications pouvant causer des dommages corporels. Si vous utilisez ce logiciel ou matérieldans le cadre d’applications dangereuses, il est de votre responsabilité de prendre toutes les mesures de secours, de sauvegarde, de redondance et autres mesuresnécessaires à son utilisation dans des conditions optimales de sécurité. Oracle Corporation et ses affiliés déclinent toute responsabilité quant aux dommages causéspar l’utilisation de ce logiciel ou matériel pour ce type d’applications.
Oracle et Java sont des marques déposées d’Oracle Corporation et/ou de ses affiliés. Tout autre nom mentionné peut correspondre à des marques appartenant àd’autres propriétaires qu’Oracle.
Intel et Intel Xeon sont des marques ou des marques déposées d’Intel Corporation. Toutes les marques SPARC sont utilisées sous licence et sont des marques ou desmarques déposées de SPARC International, Inc. AMD, Opteron, le logo AMD et le logo AMD Opteron sont des marques ou des marques déposées d’Advanced MicroDevices. UNIX est une marque déposée d’The Open Group.
Ce logiciel ou matériel et la documentation qui l’accompagne peuvent fournir des informations ou des liens donnant accès à des contenus, des produits et des servicesémanant de tiers. Oracle Corporation et ses affiliés déclinent toute responsabilité ou garantie expresse quant aux contenus, produits ou services émanant de tiers. Enaucun cas, Oracle Corporation et ses affiliés ne sauraient être tenus pour responsables des pertes subies, des coûts occasionnés ou des dommages causés par l’accès àdes contenus, produits ou services tiers, ou à leur utilisation.
130524@25097
Contents
Preface .....................................................................................................................................................5
1 Oracle VM Server for SPARC Security Overview ............................................................................... 9Security Features Used by Oracle VM Server for SPARC ..................................................................9Oracle VM Server for SPARC Product Overview ............................................................................ 10Applying General Security Principles to Oracle VM Server for SPARC ....................................... 13
2 Secure Installation and Configuration of Oracle VM Server for SPARC .......................................17Installation ........................................................................................................................................... 17Postinstallation Configuration .......................................................................................................... 17
3 Oracle VM Server for SPARC Security Features ............................................................................... 19Security Model ..................................................................................................................................... 19Configuring and Using Authentication ............................................................................................ 19Configuring and Using RBAC ........................................................................................................... 20Configuring and Using Auditing ....................................................................................................... 20Configuring and Using Other Security Features ............................................................................. 21
4 Security Considerations for Developers ..........................................................................................23Oracle VM Server for SPARC XML Interface .................................................................................. 23
A Secure Deployment Checklist ...........................................................................................................25Oracle VM Server for SPARC Security Checklist ............................................................................ 25
3
4
Preface
The Oracle VM Server for SPARC 3.0 Security Guide includes information about how to securelyinstall, configure, and use the Oracle VM Server for SPARC 3.0 software.
Related DocumentationThe following table shows the documentation that is available for and related to the Oracle VMServer for SPARC 3.0 release.
TABLE P–1 Related Documentation
Application Title
Oracle VM Server for SPARC 3.0Software
Oracle VM Server for SPARC 3.0 Administration Guide
Oracle VM Server for SPARC 3.0 Security Guide
Oracle VM Server for SPARC 3.0 Reference Manual
Oracle VM Server for SPARC 3.0 Release Notes
Oracle VM Server for SPARC 3.0drd(1M) and vntsd(1M) man pages
Oracle Solaris OS Reference Manuals:■ Oracle Solaris 10 Documentation■ Oracle Solaris 11 Documentation
Oracle Solaris OS: Installation andConfiguration
Oracle Solaris OS Installation and Configuration Guides:■ Oracle Solaris 10 Documentation■ Oracle Solaris 11 Documentation
Oracle VM Server for SPARC andOracle Solaris OS Security
Oracle VM Server for SPARC White Paper and Oracle Solaris OSSecurity Guides:■ Secure Deployment of Oracle VM Server for SPARC
(http://www.oracle.com/technetwork/articles/systems-hardware-architecture/
secure-ovm-sparc-deployment-294062.pdf)■ Oracle Solaris 10 Security Guidelines■ Oracle Solaris 11 Security Guidelines
5
You can find documentation that relates to your server, software, or the Oracle Solaris OS athttp://www.oracle.com/technetwork/indexes/documentation/index.html. Use theSearch box to find the documents and the information that you need.
You can access the Oracle VM Server for SPARC discussion forum at http://forums.oracle.com/forums/forum.jspa?forumID=1047.
Access to Oracle SupportOracle customers have access to electronic support through My Oracle Support. Forinformation, visit http://www.oracle.com/pls/topic/lookup?ctx=acc&id=info or visithttp://www.oracle.com/pls/topic/lookup?ctx=acc&id=trs if you are hearing impaired.
Typographic ConventionsThe following table describes the typographic conventions that are used in this book.
TABLE P–2 Typographic Conventions
Typeface Description Example
AaBbCc123 The names of commands, files, and directories,and onscreen computer output
Edit your .login file.
Use ls -a to list all files.
machine_name% you have mail.
AaBbCc123 What you type, contrasted with onscreencomputer output
machine_name% su
Password:
aabbcc123 Placeholder: replace with a real name or value The command to remove a file is rmfilename.
AaBbCc123 Book titles, new terms, and terms to beemphasized
Read Chapter 6 in the User's Guide.
A cache is a copy that is storedlocally.
Do not save the file.
Note: Some emphasized itemsappear bold online.
Preface
Oracle VM Server for SPARC 3.0 Security Guide • November 20126
Shell Prompts in Command ExamplesThe following table shows UNIX system prompts and superuser prompts for shells that areincluded in the Oracle Solaris OS. In command examples, the shell prompt indicates whetherthe command should be executed by a regular user or a user with privileges.
TABLE P–3 Shell Prompts
Shell Prompt
Bash shell, Korn shell, and Bourne shell $
Bash shell, Korn shell, and Bourne shell for superuser #
C shell machine_name%
C shell for superuser machine_name#
Preface
7
8
Oracle VM Server for SPARC Security Overview
This chapter describes the following security features that are used by the Oracle VM Server forSPARC software:
■ “Security Features Used by Oracle VM Server for SPARC” on page 9■ “Oracle VM Server for SPARC Product Overview” on page 10■ “Applying General Security Principles to Oracle VM Server for SPARC” on page 13
Security Features Used by Oracle VM Server for SPARCThe Oracle VM Server for SPARC software is a virtualization product that permits more thanone Oracle Solaris virtual machine (VM) to run on one physical system, each with its ownOracle Solaris 10 or Oracle Solaris 11 OS installed. Each VM is also called a logical domain.Domains are independent instances and can run different versions of the Oracle Solaris OS aswell as different application software. For example, domains might have different packagerevisions installed, different services enabled, and system accounts with different passwords.See Oracle Solaris 10 Security Guidelines and Oracle Solaris 11 Security Guidelines forinformation about Oracle Solaris security.
The ldm command must be run on the control domain to configure the logical domain and toretrieve state information. Limiting access to the control domain and to the ldm command iscritical for the security of the domains that run on the system. To limit access to domainconfiguration data, use the Oracle VM Server for SPARC security features, such as therole-based access control (RBAC) feature of Oracle Solaris for consoles and solaris.ldoms
authorizations. See “Logical Domains Manager Profile Contents” in Oracle VM Server forSPARC 3.0 Administration Guide.
1C H A P T E R 1
9
The Oracle VM Server for SPARC software uses the following security features:
■ The security features that are available in the Oracle Solaris 10 OS and the Oracle Solaris 11OS are also available on domains that run the Oracle VM Server for SPARC software. SeeOracle Solaris 10 Security Guidelines and Oracle Solaris 11 Security Guidelines.
■ The Oracle Solaris OS security features can be applied to the Oracle VM Server for SPARCsoftware. For comprehensive information about ensuring Oracle VM Server for SPARCsecurity, see Secure Deployment of Oracle VM Server for SPARC.
■ The Oracle Solaris 10 OS and the Oracle Solaris 11 OS include security fixes that areavailable for your system. Obtain Oracle Solaris 10 OS fixes as security patches or updates.Obtain Oracle Solaris 11 OS fixes as Support Repository Updates (SRUs).
■ To limit access to the Oracle VM Server for SPARC administration commands, and domainconsoles, and to enable the Oracle VM Server for SPARC auditing feature, see Chapter 3,“Oracle VM Server for SPARC Security,” in Oracle VM Server for SPARC 3.0 AdministrationGuide.
Oracle VM Server for SPARC Product OverviewOracle VM Server for SPARC provides highly efficient, enterprise-class virtualizationcapabilities for Oracle's SPARC T-Series servers. Using the Oracle VM Server for SPARCsoftware, you can create up to 128 virtual servers, called logical domains, on a single system.This kind of configuration enables you to take advantage of the massive thread scale offered bySPARC T-Series servers and the Oracle Solaris OS.
A logical domain is a virtual machine that contains a discrete logical grouping of resources. Alogical domain has its own operating system and identity within a single computer system. Eachlogical domain can be created, destroyed, reconfigured, and rebooted independently, withoutrequiring you to perform a power cycle of the server. You can run a variety of applicationsoftware in different logical domains and keep them independent for performance and securitypurposes.
For information about using the Oracle VM Server for SPARC software, see Oracle VM Serverfor SPARC 3.0 Administration Guide and Oracle VM Server for SPARC 3.0 Reference Manual.For information about the required hardware and software, see Oracle VM Server for SPARC 3.0Release Notes.
Oracle VM Server for SPARC Product Overview
Oracle VM Server for SPARC 3.0 Security Guide • November 201210
The Oracle VM Server for SPARC software uses the following components to provide systemvirtualization:
■ Hypervisor. The hypervisor is a small firmware layer that provides a stable virtualizedmachine architecture to which an operating system can be installed. Oracle's Sun serversthat use the hypervisor provide hardware features to support the hypervisor's control overthe operating system activities on a logical domain.
The number of domains and the capabilities of each domain that a specific SPARChypervisor supports are server-dependent features. The hypervisor can allocate subsets ofthe server's CPU, memory, and I/O resources to a given logical domain. This allocationenables the support of multiple operating systems simultaneously, each within its ownlogical domain. Resources can be rearranged between separate logical domains with anarbitrary granularity. For example, CPUs are assignable to a logical domain with thegranularity of a CPU thread.
FIGURE 1–1 Hypervisor Supporting Two Logical Domains
Logical Domain A
Application
Application
Operating System A
Logical Domain B
Application
C P U , M e m o r y, a n d I / OC P U , M e m o r y, a n d I / OC P U , M e m o r y, a n d I / OC P U , M e m o r y, a n d I / O
H y p e r v i s o rH y p e r v i s o rH y p e r v i s o r
Hardware
Firmware
Kernel
User/Services
Operating System B
Oracle VM Server for SPARC Product Overview
Chapter 1 • Oracle VM Server for SPARC Security Overview 11
The service processor (SP), also known as the system controller (SC), monitors and runs thephysical machine, but it does not manage the logical domains. The Logical DomainsManager manages the logical domains.
■ Control domain. The Logical Domains Manager runs in this domain so that you can createand manage other logical domains, and to allocate virtual resources to other domains. Youcan have only one control domain per server. The control domain is the first domain that iscreated when you install the Oracle VM Server for SPARC software. The control domain isnamed primary.
■ Service domain. A service domain provides virtual device services to other domains, suchas a virtual switch, a virtual console concentrator, and a virtual disk server. Any domain canbe configured as a service domain.
■ I/O domain. An I/O domain has direct access to physical I/O devices, such as a networkcard in a PCI EXPRESS (PCIe) controller. An I/O domain can own a PCIe root complex, orit can own a PCIe slot or on-board PCIe device by using the direct I/O (DIO) feature. See“Assigning PCIe Endpoint Devices” in Oracle VM Server for SPARC 3.0 AdministrationGuide.
An I/O domain can share physical I/O devices with other domains in the form of virtualdevices when the I/O domain is also used as a service domain.
■ Root domain. A root domain has a PCIe root complex assigned to it. This domain owns thePCIe fabric and provides all fabric-related services, such as fabric error handling. A rootdomain is also an I/O domain, as it owns and has direct access to physical I/O devices.
The number of root domains that you can have depends on your platform architecture. Forexample, if you are using a Sun SPARC Enterprise T5440 server from Oracle, you can haveup to four root domains.
■ Guest domain. A guest domain is a non-I/O domain that consumes virtual device servicesthat are provided by one or more service domains. A guest domain does not have anyphysical I/O devices. It only has virtual I/O devices, such as virtual disks and virtual networkinterfaces.
Often, an Oracle VM Server for SPARC system has only a control domain that provides theservices that are performed by I/O domains and service domains. To improve redundancy andplatform serviceability, consider configuring more than one I/O domain on your Oracle VMServer for SPARC system.
Oracle VM Server for SPARC Product Overview
Oracle VM Server for SPARC 3.0 Security Guide • November 201212
Applying General Security Principles to Oracle VM Server forSPARC
You can configure guest domains in a variety of ways to provide varying levels of guest domainisolation, hardware sharing, and domain connectivity. These factors contribute to the securitylevel of the overall Oracle VM Server for SPARC configuration, to which you can apply some ofthe following general security principles:
■ Minimize the attack surface.■ Minimize the unintentional configuration errors by creating operational guidelines that
enable you to regularly evaluate the security of the system. See “Counter Measure #1:Operational Guidelines” in Secure Deployment of Oracle VM Server for SPARC.
■ Carefully plan the architecture of the virtual environment to maximize the isolation ofthe domains. See the counter measures described for “Threat #2: Errors in theArchitecture of the Virtual Environment” in Secure Deployment of Oracle VM Server forSPARC.
■ Carefully plan which resources to assign and whether they are to be shared. See “CounterMeasure #7: Carefully Assigning Hardware Resources” and “Counter Measure #8:Careful Assignment of Shared Resources” in Secure Deployment of Oracle VM Server forSPARC.
■ Ensure that the logical domains are protected from manipulation by applying thecounter measures described for “Threat #4: Manipulation of the ExecutionEnvironment” and “Counter Measure #28: Securing the Guest OS” in SecureDeployment of Oracle VM Server for SPARC.
■ Expose a guest domain to the network only when necessary. You can use virtual switchesto limit a guest domain's network connectivity to only the appropriate networks.
■ Follow the steps to minimize the attack surface for Oracle Solaris 10 and Oracle Solaris11 as described in Oracle Solaris 10 Security Guidelines and Oracle Solaris 11 SecurityGuidelines.
■ Protect the core of the hypervisor as described by “Counter Measure #15: ValidatingFirmware and Software Signatures” and “Counter Measure #16: Validating KernelModules” in Secure Deployment of Oracle VM Server for SPARC.
■ Protect the control domain against denial-of-service attacks. See “Counter Measure #17:Console Access” in Secure Deployment of Oracle VM Server for SPARC.
■ Ensure that the Logical Domains Manager cannot be run by unauthorized users. See“Threat #8: Unauthorized Use of Configuration Utilities” in Secure Deployment ofOracle VM Server for SPARC.
■ Ensure that the service domain cannot be accessed by unauthorized users or processes.See “Threat #9: Manipulation of a Service Domain” in Secure Deployment of Oracle VMServer for SPARC.
Applying General Security Principles to Oracle VM Server for SPARC
Chapter 1 • Oracle VM Server for SPARC Security Overview 13
■ Protect an I/O domain or a service domain against denial-of-service attacks. See “Threat#10: Denial-of-Service of IO Domain or Service Domain” in Secure Deployment ofOracle VM Server for SPARC.
■ Ensure that an I/O domain cannot be accessed by unauthorized users or processes. See“Threat #11: Manipulation of an IO Domain” in Secure Deployment of Oracle VM Serverfor SPARC.
■ Disable unnecessary domain manager services. The Logical Domains Manager providesnetwork services for domain access, monitoring, and migration. Disable any of thefollowing network services when they are not being used:■ Migration service on TCP port 8101
To disable this service, see the description of theldmd/incoming_migration_enabled and ldmd/outgoing_migration_enabled
properties in the ldmd(1M) man page.■ Extensible Messaging and Presence Protocol (XMPP) support on TCP port 6482
To disable this service, see “XML Transport” in Oracle VM Server for SPARC 3.0Administration Guide.
■ Simple Network Management Protocol (SNMP) on UDP port 161
Determine whether you want to use the Oracle VM Server for SPARC ManagementInformation Base (MIB) to observe domains. This feature requires that the SNMPservice is enabled. Based on your choice, do one of the following:■ Enable the SNMP service to use the Oracle VM Server for SPARC MIB.
Securely install the Oracle VM Server for SPARC MIB. See “How to Install theOracle VM Server for SPARC MIB Software Package” in Oracle VM Server forSPARC 3.0 Administration Guide and “Managing Security” in Oracle VM Serverfor SPARC 3.0 Administration Guide.
■ Disable the SNMP service. To disable this service, see “How to Remove theOracle VM Server for SPARC MIB Software Package” in Oracle VM Server forSPARC 3.0 Administration Guide.
■ Discovery service on multicast address 239.129.9.27 and port 64535You cannot disable this service while the Logical Domains Manager daemon, ldmd, isrunning. Instead, use the IP Filter feature of Oracle Solaris to block access to thisservice, which minimizes the attack surface of the Logical Domains Manager.Blocking access prevents unauthorized use of the utility, which effectively countersdenial-of-service attacks and other attempts to misuse these network services. SeeChapter 20, “IP Filter in Oracle Solaris (Overview),” in Oracle Solaris Administration:IP Services and “Using IP Filter Rule Sets” in Oracle Solaris Administration: IPServices.
Also see “Counter Measure #14: Securing the ILOM” and “Counter Measure #20:Hardening LDoms Manager” in Secure Deployment of Oracle VM Server for SPARC.
Applying General Security Principles to Oracle VM Server for SPARC
Oracle VM Server for SPARC 3.0 Security Guide • November 201214
■ Provide the least privilege to perform an operation.■ Isolate systems into security classes, which are groups of individual guest systems that
share the same security requirements and privileges. By only assigning guestdomains from a single security class to a single hardware platform, you create anisolation breach, which prevents the domains from crossing into a different securityclass. See “Counter Measure #2: Carefully Assigning Guests to Hardware Platforms”in Secure Deployment of Oracle VM Server for SPARC.
■ Use RBAC to restrict the capability to manage domains with the ldm command. Onlythose users who must administer domains should be given this capability. Assign arole that uses the LDoms Management rights profile to users who require access to allof the ldm subcommands. Assign a role that uses the LDoms Review rights profile tousers who only require access to the list-related ldm subcommands. See “UsingRights Profiles and Roles” in Oracle VM Server for SPARC 3.0 Administration Guide.
■ Use RBAC to restrict access to the console of only those domains that you, as theadministrator of Oracle VM Server for SPARC, must access. Do not permit generalaccess to all domains. See “Using Rights Profiles and Roles” in Oracle VM Server forSPARC 3.0 Administration Guide.
■ Monitor system activity.Enable Oracle VM Server for SPARC auditing. See “Enabling and Using Auditing” inOracle VM Server for SPARC 3.0 Administration Guide.
For recommendations about deploying the Oracle VM Server for SPARC software in a securemanner, see “Recommended Deployment Options” in Secure Deployment of Oracle VM Serverfor SPARC.
Applying General Security Principles to Oracle VM Server for SPARC
Chapter 1 • Oracle VM Server for SPARC Security Overview 15
16
Secure Installation and Configuration of OracleVM Server for SPARC
This chapter describes the security considerations related to installing and configuring OracleVM Server for SPARC.
InstallationThe Oracle VM Server for SPARC software is automatically installed securely as an OracleSolaris 10 or an Oracle Solaris 11 package. After installation completes, you must haveadministrator privileges to configure the domains with the role-based access control (RBAC),auditing, and authorization features. These features are not enabled by default.
Postinstallation ConfigurationPerform the following tasks after you install the Oracle VM Server for SPARC software tomaximize secure usage:
■ Configure the control domain with the required virtual I/O services, such as the virtualswitch, virtual disk server, and virtual console concentrator services. See Chapter 4, “SettingUp Services and the Control Domain,” in Oracle VM Server for SPARC 3.0 AdministrationGuide.
■ Configure guest domains. See Chapter 5, “Setting Up Guest Domains,” in Oracle VM Serverfor SPARC 3.0 Administration Guide.You can use a virtual switch to configure guest domains by means of an administrativenetwork and a production network. In this case, a virtual switch is created by using theproduction network interface as the virtual switch network device. See “Counter Measure#13: Dedicated Management Network” in Secure Deployment of Oracle VM Server forSPARC.The security of a guest domain becomes compromised when any of its virtual disks arecompromised. So, ensure that virtual disks (network-attached storage, locally stored diskimage files, or physical disks) are stored in a secure location.
2C H A P T E R 2
17
The vntsd daemon is disabled by default. When this daemon is enabled, any user who islogged in to the control domain is permitted to connect to a guest domain's console. Toprevent this type of access, ensure that the vntsd daemon is disabled, or use RBAC to limitconsole connectivity access only to sanctioned users.
■ The service processor (SP) is configured securely by default. For information about usingthe Integrated Lights Out Management (ILOM) software to manage the SP, see thedocumentation for your platform at http://www.oracle.com/technetwork/documentation/sparc-tseries-servers-252697.html.
Postinstallation Configuration
Oracle VM Server for SPARC 3.0 Security Guide • November 201218
Oracle VM Server for SPARC Security Features
This chapter provides an overview of security features that are used by the Oracle VM Server forSPARC software.
For information about authentication, access control, and auditing, see Chapter 3, “Oracle VMServer for SPARC Security,” in Oracle VM Server for SPARC 3.0 Administration Guide.
Security ModelThe Oracle VM Server for SPARC software builds on the security model and features that arebuilt into the Oracle Solaris OS. For information about Oracle Solaris OS security guidelines,see Oracle Solaris 11 Security Guidelines and Oracle Solaris 10 Security Guidelines.
Configuring and Using AuthenticationLike a bare-metal Oracle Solaris installation, any user who has an account can log in to a logicaldomain, even the control domain. The Oracle VM Server for SPARC software does not createany user accounts. See “Installing the Logical Domains Manager” in Oracle VM Server forSPARC 3.0 Administration Guide. For information about how to secure Oracle Solaris users, see“Securing Users” in Oracle Solaris 11 Security Guidelines.
To use the Logical Domains Manager to perform domain management activities on the controldomain, a user must be granted special privileges to read and write configuration data. See“Logical Domains Manager Profile Contents” in Oracle VM Server for SPARC 3.0Administration Guide and “Using Rights Profiles and Roles” in Oracle VM Server for SPARC 3.0Administration Guide.
3C H A P T E R 3
19
Configuring and Using RBACYou can manage authorizations and rights profiles and assign roles to user accounts by usingthe role-based access control (RBAC) feature of the Oracle Solaris OS. For information aboutRBAC, see Chapter 9, “Using Role-Based Access Control (Tasks),” in System AdministrationGuide: Security Services.
Installing the Logical Domains Manager adds the necessary authorizations and rights profiles tothe local files. See “Using Rights Profiles and Roles” in Oracle VM Server for SPARC 3.0Administration Guide.
To configure users, authorizations, rights profiles, and roles in a naming service, see SystemAdministration Guide: Naming and Directory Services (DNS, NIS, and LDAP).
Configuring and Using AuditingYou should administer and audit an Oracle Solaris instance in a guest domain the same as youwould an Oracle Solaris OS running on a bare-metal system. You can customize the OracleSolaris OS auditing feature to audit only those functions and system services that are importantfor your environment. For Oracle VM Server for SPARC, ensure that the virtualization softwareclass is audited. You can perform other auditing-related tasks. See “Using the Audit Service” inOracle Solaris 11 Security Guidelines and “How to Audit Significant Events in Addition toLogin/Logout” in Oracle Solaris 11 Security Guidelines.
The Logical Domains Manager creates audit events and passes them to the Oracle Solaris auditsubsystem for storage and later examination. The history is kept in a log of what was done,when it was done, by whom, and what was affected. Note that you cannot view auditinformation for all of the domains in a system from its control domain.
So for each domain in the system, you can enable and disable the auditing feature based on theversion of the Oracle Solaris OS that runs on your system, as follows:
■ Oracle Solaris 10 OS. Use the bsmconv and bsmunconv commands. See the bsmconv(1M)and bsmunconv(1M) man pages, and the Oracle Solaris 10 version of System AdministrationGuide: Security Services.
■ Oracle Solaris 11 OS. Use the audit command. See the audit(1M) man page and theOracle Solaris 11 version of System Administration Guide: Security Services.
For more information, see “Enabling and Using Auditing” in Oracle VM Server for SPARC 3.0Administration Guide.
Configuring and Using RBAC
Oracle VM Server for SPARC 3.0 Security Guide • November 201220
Configuring and Using Other Security FeaturesOracle VM Server for SPARC secures the usage of specific virtualization features. If enabled, thevntsd daemon is configured in the most secure configuration by default. It only acceptsconnections from the control domain and not over the network. You can configure a less secureoption to permit network connections, if needed. See the description of thevntsd/listen_addr property in the vntsd(1M) man page.
Take care when configuring vntsd to accept network connections. It is best to permit onlyconnections from the control domain or to disable vntsd for optimal security. See “ApplyingGeneral Security Principles to Oracle VM Server for SPARC” on page 13.
The Oracle VM Server for SPARC domain migration feature uses security measures. TheLogical Domains Manager on the source machine accepts the request to migrate a domain andestablishes a secure network connection with the Logical Domains Manager that runs on thetarget machine. The migration occurs after this connection has been established. These secureconnections are created by using authentication and encryption features. See “Security forMigration Operations” in Oracle VM Server for SPARC 3.0 Administration Guide.
In particular, the domain migration operation uses the Secure Sockets Layer (SSL), by default,to encrypt all traffic sent and received across the network. You can improve migrationperformance by assigning cryptographic units to the control domains of systems that supportthem.
When domain migration is not needed, you can disable the migration feature to prevent theldmd process from listening on the migration port.
If you use domain migration, ensure that the ldmd daemon is configured to require passwordauthentication during the migration. This is the default behavior.
Configuring and Using Other Security Features
Chapter 3 • Oracle VM Server for SPARC Security Features 21
22
Security Considerations for Developers
This chapter provides information that is helpful to developers who produce applications forthe Oracle VM Server for SPARC software.
Oracle VM Server for SPARC XML InterfaceYou can create external programs that interface with the Oracle VM Server for SPARC softwareby means of the Extensible Markup Language (XML) communication mechanism, which usesthe Extensible Messaging and Presence Protocol (XMPP).
Attackers might attempt to exploit this network protocol to access a system, so you mightconsider disabling XMPP. For information about disabling XMPP, see “XML Transport” inOracle VM Server for SPARC 3.0 Administration Guide. For information about the securitymechanisms that Logical Domains Manager uses, see “XMPP Server” in Oracle VM Server forSPARC 3.0 Administration Guide.
Note that disabling XMPP prevents you from using some key Oracle VM Server for SPARCfeatures, such as domain migration, memory dynamic reconfiguration, and the ldminit-system command.
4C H A P T E R 4
23
24
Secure Deployment Checklist
This checklist summarizes the steps that you can take to harden your Oracle VM Server forSPARC environment. The details are provided in other documents, such as the following:
■ Oracle VM Server for SPARC 3.0 Administration Guide■ Oracle Solaris 10 Security Guidelines■ Oracle Solaris 11 Security Guidelines■ Secure Deployment of Oracle VM Server for SPARC
Oracle VM Server for SPARC Security Checklist❒ Perform the Oracle Solaris hardening steps to your guest domains as you would in a
non-virtualized environment.❒ Use the LDoms Management and LDoms Review rights profiles to delegate the appropriate
privileges to users.❒ Use role-based access control (RBAC) to restrict access to the console of only those domains
that you, as the administrator of Oracle VM Server for SPARC, must access.❒ Enable the Oracle Solaris OS auditing feature for Oracle VM Server for SPARC.❒ Disable unnecessary domain manager services.❒ Only deploy guest systems of the same security class on one physical platform.❒ Ensure that there are no network connections between the administration of the execution
environment and the guest domains.❒ Only assign required resources to guest systems.
AA P P E N D I X A
25
26