Sun Microsystems 10 Accelerated automatic creation of zones on a ZFS file system, Zones hardening

5.1.15. Accelerated automatic creation of zones on a ZFS file system

[bf/ug] If a zone is configured on a ZFS file system, it can be duplicated very quickly by using ZFS snapshots. This procedure is described below by means of an example script. The script is available for download at http://blogs.sun.com/blogfinger/entry/how_to_create_a_lot.

In the first part of the script, the most important parameters for the zones are to be defined. These include for example:

∙Number of zones to be created

∙Network address range

∙Name of network interface

∙Net mask

∙Gateway

∙Base zone name (supplemented with number for the zone name)

∙Zone directory (supplemented with zone name)

∙Name of the zone that is used as the basis for cloning

∙Information for the sysidcfg file

∙Start status for the zone after installation

Once these settings have been made, the script can create the zones automatically and start in the configured state. More details on the script are available in the blog entry.

5.1.16. Zones hardening

[dd]To harden Solaris, the Solaris Security Toolkit is recommended as a general rule. Complete procedures and mechanisms can be found here:

http://www.sun.com/products-n-

solutions/hardware/docs/Software/enterprise_computing/systems_management/sst/index.html

Within the toolkit, the features that are required to harden sparse-root or whole-root zones are described. Details on this can be found here: http://www.sun.com/products-n-solutions/hardware/docs/html/819-1503-10/introduction.html#pgfId- 1001177

With Solaris 10 11/06, the feature "Secure by default" was introduced for network services which allows all network services except for sshd to be turned off or reconfigured by calling up netservices limited such that they will only react to requests by localhost. As a result, considerable safeguarding of zones in networks is possible using simple means.

80