Slide 1: SOLARIS TECHNICAL WORKSHOP
Danilo Poccia Senior Systems Engineer Sun Microsystems Italia S.p.A.
Slide 2: Agenda
• Predictive Self-Healing
• DTrace
• ZFS
• Zones & Resource Management
• Security
Slide 3: Predictive Self-Healing
• Predictive Self-Healing has the following main components:
> Fault Management Architecture (FMA)
> Service Management Facility (SMF)
• Traditionally, when a hardware or software fault occurred on a Solaris system, a message would usually be logged to the appropriate device specified in /etc/syslog.conf, and the rest of the diagnosis and repair was left to the administrator
• Predictive Self-Healing is a newly designed cohesive architecture and methodology for automatically diagnosing, reporting, and handling software and hardware fault conditions
Slide 4: Fault Management Architecture
• FMA introduces a new software architecture and methodology for fault management across Sun's product line
• The Solaris FMA model provides for three activities with which fault management code must concern itself:
> Error handling
> Fault diagnosing
> Response
Slide 5: Fault Management Architecture
Diagram: an Error Probe (error detection, data gathering) emits an Error Event to the Fault Manager (diagnosis, event recording), which emits a Fault Event to a Fault Handler (take action, fault handling).
Slide 6: Fault Management Architecture
• User-level commands:
> fmd
> fmadm
> fmstat
> fmdump
• Events are URIs:
> Fault Management Resource Identifier (FMRI)
> fmri-scheme://[authority]/path
Slide 7: FMA Sample
• Once a CPU fault has occurred, the administrator might see this message on the console and logged to syslog:
SUNW-MSG-ID: SUN4U-8000-6H, TYPE: Fault, VER: 1, SEVERITY: Major
EVENT-TIME: Sun Oct 17 14:15:50 PDT 2004
PLATFORM: SUNW,Sun-Blade-1000, CSN: -, HOSTNAME: myhost
EVENT-ID: 64fe6c23-12b7-ccd1-f0a7-b531941738f8
DESC: The number of errors associated with this CPU has exceeded acceptable levels. Refer to http://sun.com/msg/SUN4U-8000-6H for more information.
AUTO-RESPONSE: An attempt will be made to remove the affected CPU from service.
IMPACT: Performance of this system may be affected.
REC-ACTION: Schedule a repair procedure to replace the affected CPU. Use fmdump -v -u <EVENT_ID> to identify the CPU.
• The CPU state changes from ok to faulted, the processes using that CPU are terminated, and the CPU is taken offline. The state of the CPU can be viewed by using the psrinfo command:
# psrinfo
0   on-line   since 09/27/2004 16:57:30
1   faulted   since 10/17/2004 14:15:50
Slide 8: FMA Sample
• Run the fmdump command listed in the fault message, using the EVENT-ID for more information on the fault. The output shows that CPU 1 has a problem and the component in Slot 1 needs replacing. The text Slot 1, indicating the location of the defective part, can be found silk screened on the motherboard:
# fmdump -v -u 64fe6c23-12b7-ccd1-f0a7-b531941738f8
TIME                 UUID                                 SUNW-MSG-ID
Oct 17 14:15:50.1630 64fe6c23-12b7-ccd1-f0a7-b531941738f8 SUN4U-8000-6H
  100%  fault.cpu.ultraSPARC-III.l2cachedata
        FRU: hc:///component=Slot 1
        rsrc: cpu:///cpuid=1/serial=1107C270C8A
• Once a replacement CPU is delivered, the defective CPU from Slot 1 can be replaced and re-enabled
Slide 9: Service Management Facility
• The SMF delivers a unified Solaris service configuration infrastructure capable of accurately modeling any Solaris service and its interaction with Solaris and other services
• Rather than the problematic use of rc scripts, SMF starts services in parallel according to dependencies, which allows the system to boot faster, and reduces dependency conflicts
Slide 10: Service Management Facility
• Main components
> Service abstraction
> Repository of service information
> Daemon to access the repository (svc.configd)
> API for access to the repository
> Master restarter daemon (svc.startd)
> Delegated restarters (e.g. inetd)
> Command line tools
Slide 11: Service Management Facility
Diagram: SMF architecture. Repository clients (Management Agent, Observability Agent) and the restarters svc.startd(1M) and inetd(1M) (for an inet-service) reach the repository through the Repository API served by svc.configd(1M); svc.startd(1M) is started by init(1M) and tracks each Service through a Process Contract provided by the Kernel.
Slide 12: Service Management Facility
• User-level commands:
> svcs
> svcadm
> svccfg
> svcprop
> inetadm
• Services are URIs:
> Fault Management Resource Identifier (FMRI)
> fmri-scheme://[authority]/path
> Scheme name is "svc" or "lrc"
Slide 13: Dynamic Tracing (DTrace)
• Features:
> Enables dynamic modification of the system to record arbitrary data
> Promotes tracing on live systems
> Is completely safe – its use cannot induce fatal failure
> Allows tracing of both the kernel and user-level programs
> Functions with low overhead when tracing is enabled and zero overhead when tracing is not being performed
Slide 14: Dynamic Tracing (DTrace)
• Components:
> Probe (provider:module:function:name)
> Providers
> Consumers
Slide 15: Dynamic Tracing (DTrace)
Diagram: DTrace architecture. Userland: the DTrace consumers (D scripts a.d and b.d, dtrace(1M), intrstat(1M), lockstat(1M), plockstat(1M)) use libdtrace(3LIB), which talks to the dtrace(7D) driver. Kernel: the DTrace framework and its providers (sysinfo, syscall, vminfo, profile, io, fbt, sched, ...).
Slide 16: D Programming Language
• Similar to awk “pattern action” pairs
> Enables complete access to kernel C types
> Provides complete access to kernel static and global variables
> Provides complete support for ANSI-C operators
> Supports strings as a built-in type (unlike C)
Slide 17: D Programming Language
• Command line:
> dtrace -n 'syscall:::entry { trace(execname)}'
• D Scripts:
> cat syscall.d
#!/usr/sbin/dtrace -s

syscall:::entry
{
	trace(execname);
}
Slide 18: D Scripts Samples
• writes.d
#!/usr/sbin/dtrace -s

/* count write(2) calls per program name */
syscall::write:entry
{
	@numWrites[execname] = count();
}
• writes2.d
#!/usr/sbin/dtrace -s

/* average requested write size (arg2 = nbyte) per program name */
syscall::write:entry
{
	@avgSize[execname] = avg(arg2);
}
Slide 19: What is ZFS?
A new way to manage data
• End-to-End Data Integrity – with checksumming and copy-on-write transactions
• Immense Data Capacity – the world's first 128-bit file system
• Easier Administration – a pooled storage model – no volume manager
• Huge Performance Gains – especially architected for speed
Slide 20: No More Volume Manager!
Diagram: Application 1, Application 2 and Application 3 each use ZFS on top of a single Storage Pool; capacity is added automatically to the shared storage pool.
Slide 21: Copy-on-Write and Transactional
Diagram (uber-block, original data, new data, original pointers, new pointers):
• Initial block tree
• Writes a copy of some changes
• Copy-on-write of indirect blocks
• Rewrites the uber-block (new uber-block)
Slide 22: End-to-End Checksums
Checksums are separated from the data
Entire I/O path is self-validating (uber-block)
Prevents:
> Silent data corruption
> Panics from corrupted metadata
> Phantom writes
> Misdirected reads and writes
> DMA parity errors
> Errors from driver bugs
> Accidental overwrites
Slide 23: RAID-Z Protection
RAID-5, RAID-6 and More
• ZFS provides better than RAID-5 availability
• Striping uses dynamic widths
> Each logical block is its own stripe
• All writes are full-stripe writes
> Eliminates read-modify-write (So it's fast!)
• Eliminates RAID-5 "write hole"
> No need for NVRAM
Slide 24: Self-Healing Data
ZFS can detect bad data using checksums and “heal” the data using its mirrored copy.
Diagram (Application – ZFS – Mirror, three steps):
• Detects bad data
• Gets good data from mirror
• "Heals" bad copy and sends back to application
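The self-healing read of slides 22 to 24, as an added example for this page (not ZFS source code): the checksum lives in the block pointer rather than next to the data, so a read is validated against the parent's expectation, and a mismatch on one side of the mirror is repaired from the other side. SHA-256 stands in for the per-block checksum; disk names and block contents are constructed.

```python
"""Toy model of ZFS-style end-to-end checksums and a self-healing mirror.

Added example for this workshop page, not ZFS source code. The checksum of a
block is kept in the pointer that references it (slide 22: checksums are
separated from the data), so a read is validated against the parent's
expectation; on a mismatch the other side of the mirror is read and, if it
validates, used to repair the bad copy (slide 24). SHA-256 stands in for the
per-block checksum; disk names and block contents are constructed.
"""
import hashlib


def checksum(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class Disk:
    """One side of a mirror: block id -> bytes, plus a repair counter."""

    def __init__(self, name: str):
        self.name = name
        self.blocks = {}
        self.repairs = 0


class Mirror:
    def __init__(self, *disks: Disk):
        self.disks = disks
        self.events = []            # what the pool observed, for inspection

    def write(self, blkid: int, data: bytes) -> dict:
        """Write the block to every side and return the block pointer.

        Copy-on-write: callers always allocate a fresh block id, so the old
        pointer keeps validating the old data until the uber-block moves on.
        """
        for d in self.disks:
            d.blocks[blkid] = data
        return {"blkid": blkid, "cksum": checksum(data)}

    def read(self, ptr: dict) -> bytes:
        """Return validated data for ptr, healing any side that failed validation."""
        blkid, expected = ptr["blkid"], ptr["cksum"]
        bad, good = [], None
        for d in self.disks:
            data = d.blocks.get(blkid)
            if data is not None and checksum(data) == expected:
                good = data
                break
            bad.append(d)
            self.events.append(f"checksum mismatch on {d.name} blk {blkid}")
        if good is None:
            # Every copy failed: report rather than hand garbage to the application.
            raise IOError(f"uncorrectable error on blk {blkid}")
        for d in bad:
            d.blocks[blkid] = good          # "heal" the bad copy
            d.repairs += 1
            self.events.append(f"repaired {d.name} blk {blkid}")
        return good


def demo():
    """Silent corruption on one side: detected, healed, good data returned."""
    left, right = Disk("c1t0d0"), Disk("c2t0d0")
    pool = Mirror(left, right)
    ptr = pool.write(7, b"customer ledger, version 1")
    left.blocks[7] = b"customer ledger, version X"    # bit rot / phantom write
    data = pool.read(ptr)
    return data, left.repairs, right.repairs, left.blocks[7] == right.blocks[7]


def misdirected_read_demo():
    """A pointer to block 7 that comes back with block 8's bytes is caught too."""
    disk = Disk("c1t0d0")
    pool = Mirror(disk)
    ptr7 = pool.write(7, b"block seven")
    pool.write(8, b"block eight")
    disk.blocks[7] = disk.blocks[8]                   # misdirected read/write
    try:
        pool.read(ptr7)
    except IOError as e:
        return str(e)
    return None
```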
Slide 25: ZFS Snapshots
• Provide a read-only point-in-time copy of a filesystem
• Copy-on-write makes them essentially "free"
• Very space efficient – only changes are tracked
• And instantaneous – simply retains the old structure
Diagram: snapshot uber-block and new uber-block sharing the unchanged blocks; only the current data is new.
Slide 26: ZFS Clones
• Writable copy of a snapshot
• Ideal for storing many private copies of shared data:
● Software installations
● Workspaces
● Diskless clients
Example: Create a clone of your OpenSolaris source code
# zfs clone tank/solaris@monday tank/ws/lori/fix
Slide 27: Quotas and Reservations
• To control pooled storage usage, administrators can set a quota on a per file system basis
> Limit Tim to a quota of 10g
# zfs set quota=10g tank/home/tim
• Or they can set a reservation (minimum)
> Guarantee Fred a reservation of 20g
# zfs set reservation=20g tank/home/fred
Slide 28: Storage Pool Migration
• ZFS implements "adaptive endian-ness" – hosts always write in their native "endian-ness"
• Opposite "endian" systems – write and copy operations will eventually byteswap all data!
• Configuration data is stored within the data – when the data moves, so does its config information
Slide 29: Data Compression
• Reduces the amount of disk space used
• Reduces the amount of data transferred to disk – increasing data throughput
> LZW
> GZIP (1-9)
Slide 30: Architected for Speed
• Copy-on-Write Design
• Multiple Block Sizes
• Pipelined I/O
• Dynamic Striping
• Intelligent Pre-Fetch
Slide 31: ZFS Turbo Charges Applications
Hybrid Storage Pools
• ZFS automatically:
> Determines data access patterns and stores frequently accessed data in a read cache called L2ARC
> Bundles IO into sequential staged writes for more efficient use of low cost mechanical disks
> Very fast synchronous writes occur to a very fast SSD pool (ZIL), accelerating applications such as databases & NFS
Slide 32: ZFS
• User-level commands:
> zpool > zfs
• Starting from Solaris 10 8/07 (Update 4) there is support for iSCSI target devices
> iscsiadm (for iSCSI initiators)
> iscsitadm (for iSCSI targets)
• iSCSI integrated with ZFS (like NFS...), e.g.:
> zfs create -V 2g tank/volumes/v2
> zfs set shareiscsi=on tank/volumes/v2
> iscsitadm list target
Slide 33: ZFS
• Starting from Solaris 10 10/08 (Update 6) there is support for ZFS boot (SPARC and x86)
> Even the swap device is a ZFS volume, so there is no need to partition boot devices (single pool, multiple filesystems and volumes)
> An Alternate Boot Environment (ABE) can be created with the lucreate command (and managed with all the lu* commands), which uses ZFS snapshots and clones to be fast and not waste disk space
Slide 34: Cheap Data Replication
Between heterogeneous storage vendors
• ZFS snapshots are "free" and "easy"
• Snapshots can be transmitted in a full or incremental way
• Data can be transmitted in clear or encrypted (ssh)
• Possible solution: 1-minute snapshot transmitted to remote site
Diagram: Original System (Original Data, ZFS) – ZFS over SSH – Replicated System (Replicated Data, ZFS)
Slide 35: ZFS + PostgreSQL = Greenplum
Diagram: ZFS with Data Compression underneath the database
Slide 36: Solaris Resource Manager
• Resource management functionality is a component of the Solaris environment
> Resource management enables you to control how applications use available system resources
• You can do the following:
> Allocate computing resources, such as processor time
> Monitor how the allocations are being used, then adjust the allocations as necessary
> Generate extended accounting information for analysis, billing, and capacity planning
Slide 37: Solaris Resource Manager
• Projects and Tasks
• Extended Accounting
• Resource Controls
• Fair Share Scheduler
• Physical Memory Control (Using the Resource Capping Daemon)
• Dynamic Resource Pools
Slide 38: Projects and Tasks
• To optimize workload response, you must first be able to identify the workloads that are running on the system you are analyzing
> The project provides a network-wide administrative identifier for related work
> The task collects a group of processes into a manageable entity that represents a workload component
Slide 39: Extended Accounting
• The extended accounting subsystem labels usage records with the project for which the work was done
> You can also use extended accounting in conjunction with the Internet Protocol Quality of Service (IPQoS) flow accounting module
• User-level commands:
> acctadm
Slide 40: Resource Controls
• In the Solaris Operating System, the concept of a per-process resource limit has been extended to the task and project entities
> A resource control is identified by the prefix project, task, or process. Resource controls can be observed on a system-wide basis. It is possible to update resource control values on a running system
> In a zones environment, the prefix zone identifies a zone-wide resource control
• User-level commands:
> rctladm
> prctl
Slide 41: Fair Share Scheduler
• A fundamental job of the operating system is to arbitrate which processes get access to the system's resources
> The process scheduler, which is also called the dispatcher, is the portion of the kernel that controls allocation of the CPU to processes. The scheduler supports the concept of scheduling classes. Each class defines a scheduling policy that is used to schedule processes within the class
> The default scheduler in the Solaris Operating System, the TS scheduler, tries to give every process relatively equal access to the available CPU
Slide 42: Fair Share Scheduler
• You can use the fair share scheduler (FSS) to control the allocation of available CPU resources among workloads, based on their importance.
> This importance is expressed by the number of shares of CPU resources that you assign to each workload.
• User-level commands:
> dispadmin
Slide 43: Physical Memory Control
• The resource capping daemon and its associated utilities provide mechanisms for physical memory resource cap enforcement and administration
> Per-project physical memory caps are supported
> The daemon repeatedly samples the resource utilization of projects that have physical memory caps; the sampling interval used by the daemon is specified by the administrator
> When the system's physical memory utilization exceeds the threshold for cap enforcement, and other conditions are met, the daemon takes action to reduce the resource consumption of projects with memory caps to levels at or below the caps
Slide 44: Physical Memory Control
• User-level commands:
> rcapd (managed by SMF as svc:/system/rcap:default)
> rcapadm
> rcapstat
• Starting from Solaris 10 8/07 (Update 4) rcap is zone aware (through zonecfg)
> Physical memory (RSS)
> Locked memory (not swappable)
> Swapped memory
Slide 45: Dynamic Resource Pools
• Resource pools enable you to separate workloads so that workload consumption of certain resources does not overlap
> This resource reservation helps to achieve predictable performance on systems with mixed workloads
> Resource pools provide a persistent configuration mechanism for processor set (pset) configuration and, optionally, scheduling class assignment
Slide 46: Dynamic Resource Pools
• User-level commands:
> pooladm
> poolcfg
> poolbind
> psrset
Slide 47: IPQoS
• IPQoS enables system administrators to provide different levels of network service to customers and to critical applications
> The IPQoS architecture is an implementation of the IETF Differentiated Services (diffserv) model as defined in RFC 2475
• The Solaris OS implementation has added:
> Flow accounting module that gathers statistics for traffic flows, through the flowacct command
> Statistics gathering for traffic classes, through the kstat command
> 802.1D user priority marking for VLANs
Slide 48: IPQoS
• Multifield classifier – Selects actions based on filters that configure the QoS policy of your organization
• Meter – Measures the network traffic in compliance with the Diffserv model
• Marker – Marks a packet's IP header with forwarding information for service differentiation
• Simple packet dropper – Drops packets based on service differentiation
Slide 49: IPQoS Flow Sequence
Slide 50: IPQoS
• User-level commands:
> ipqosconf
• Modules:
> ipgpc (IP Generic Packet Classifier)
> dscpmk (Differentiated Services Code Point Marker)
> dlcosmk (Data Layer Class of Service Marker)
> tokenmt (Token Meter)
> tswtclmt (Time Sliding Window Three Conformance Level Meter)
> flowacct (Flow Accounting)
Slide 51: Containers = Zones + RM
• Zones provide virtual operating system services that look like different Solaris instances to users and applications
• This architecture isolates processes, hides the underlying platform and enables the global administrator to allow the use of system resources on a granular level
• This separation can create a more secure environment, where multiple applications can coexist, in different zones, on one machine
Slide 52: Solaris Zones
• Zone features:
> Security
> Isolation
> Virtualization
> Granularity
> Transparency
> Cloning
> Moving
Slide 53: Sample Zones Environment
Diagram: the global zone (zone root: /; host v1280-room3-rack12-2, 129.76.4.24) running system services (patrol), audit services (auditd), security services (login, BSM), zone management (zonecfg, zoneadm, zlogin), core services (inetd, rpcbind, sshd, ...), remote admin/monitoring (SNMP, SunMC, WBEM) and platform administration (syseventd, devfsadm, ifconfig, ...), with the console, /usr, the storage complex and the network devices hme0, ce0 and ce1.
Slide 54: Sample Zones Environment
Diagram: the same global zone (zone root: /; host v1280-room3-rack12-2, 129.76.4.24) with its system, audit, security, zone management, core, remote admin/monitoring and platform administration services, plus one non-global database zone (zone root: /zone/mysql) running a mysql project (mysqld), a dba users project (sh, bash, prstat; inetd, sshd) and a system project. The zone has its own /usr view, a zcons console, the virtual interfaces hme0:3 and ce0:3, and a zoneadmd in the global zone; the diagram labels the zoneadmd/zcons/interface layer "Virtual Platform" and the zone's processes "Application Environment".
Slide 55: Sample Zones Environment
Diagram: the same global zone (zone root: /; host v1280-room3-rack12-2, 129.76.4.24) now hosting three non-global zones: a web zone (zone root: /zone/web) with a web service project (Apache 1.3.22), a crypto project (ssl) and a proxy project (proxy); an app_server zone (zone root: /zone/app) with a jes project (j2se) and an app users project (sh, bash, prstat; inetd, sshd); and the database zone (zone root: /zone/mysql) with its mysql project (mysqld) and dba users project. Each zone has a system project, its own /usr view, a zcons console and a zoneadmd in the global zone, and the zones share the physical interfaces through the virtual interfaces hme0:1, hme0:2, hme0:3, ce0:1, ce0:2 and ce0:3 ("Virtual Platform" versus "Application Environment" as before).
Slide 56: Zones
• User-level commands:
> zoneadm
> zonecfg
> zlogin
• Starting from Solaris 10 8/07 (Update 4) each zone can have a shared or exclusive IP stack
> An exclusive IP stack uses a dedicated network interface
> Waiting for the Crossbow project, you can use VLAN Tagging to create more network interfaces
Slide 57: Zones
• Starting from Solaris 10 5/08 (Update 5) CPU Capping can be applied to a zone
> An 8 core system with 3 zones can assign a CPU Capping of 1.75, 1.75 and 4.50 (as 1.75 + 1.75 + 4.50 = 8.00)
> In fact the sum of all the CPU cappings can be greater than the overall capacity of the system (i.e. resource overbooking)
• Starting from Solaris 10 10/08 (Update 6) a default router can be assigned for shared IP stack zones
Slide 58: Virtualize for Security
Slide 59: Cryptographically Signed ELF Objects
• ELF Objects Cryptographically Signed
> binaries, libraries, kernel modules, crypto modules, etc.
# file /usr/lib/ssh/sshd
/usr/lib/ssh/sshd: ELF 32-bit MSB executable SPARC Version 1, dynamically linked, stripped
# elfsign verify -e /usr/lib/ssh/sshd
elfsign: verification of /usr/lib/ssh/sshd passed.
# elfsign list -f signer -e /usr/bin/ls
CN=SunOS 5.10, OU=Solaris Signed Execution, O=Sun Microsystems Inc
• Cryptographic modules must be signed by Sun.
> Signature must be validated before module can be loaded.
> Crypto. modules will not load if not signed or have invalid signature.
Slide 60: Service Management Facility
• Provide a uniform mechanism to disable/manage services.
> e.g., svcadm [disable|enable] telnet
• Support alternative service profiles
> e.g., “Secure by Default” profile (since Solaris 10 11/06)
• Leverage authorizations to manage/configure services.
• Define context to permit services to be started as a specific user and group and with specific privileges.
• Support automatic service dependency resolution.
> e.g., svcadm enable -r nfs/client
• Facilitate delegated service restarts.
Slide 61: SMF Example
# svcprop -v -p start apache2
start/exec astring /lib/svc/method/http-apache2\ start
start/timeout_seconds count 60
start/type astring method
start/user astring webservd
start/group astring webservd
start/privileges astring basic,!proc_session,!proc_info,!file_link_any,net_privaddr
start/limit_privileges astring :default
start/use_profile boolean false
start/supp_groups astring :default
start/working_directory astring :default
start/project astring :default
start/resource_pool astring :default
Example taken from the Sun BluePrint: Limiting Service Privileges in the Solaris 10 Operating System, http://www.sun.com/blueprints/0505/819-2680.pdf
Slide 62: Solaris Secure By Default
• Only Secure Shell is reachable by default.
> root use of Secure Shell is not permitted by default.
• Existing services are configured in SMF to either be:
> Disabled by default
> Listening for local (e.g., loopback) connections only
• Configuration can be selected using CLI or JumpStart:
> netservices: open (traditional) or limited (SBD)
> service_profile: open or limited_net
• Default installation method in Nevada/OpenSolaris:
> Solaris upgrades are not changed or impacted.
> Solaris 10 initial (fresh) installations can select SBD mode.
Slide 63: Solaris Secure By Default Example
# netservices
netservices: usage: netservices [ open | limited ]
# netservices limited
restarting syslogd
restarting sendmail
dtlogin needs to be restarted. Restart now? [Y] y
restarting dtlogin
# netstat -af inet -P tcp | grep [...]
      *.sunrpc             *.*                0      0 49152      0 LISTEN
      *.ssh                *.*                0      0 49152      0 LISTEN
      localhost.smtp       *.*                0      0 49152      0 LISTEN
      localhost.submission *.*                0      0 49152      0 LISTEN
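A check against the Secure by Default expectation of slides 62 and 63 (only ssh reachable from the network, everything else disabled or loopback-only), as an added example for this page and not a Solaris tool: it parses the netstat -af inet -P tcp column layout shown above and lists the network-reachable listeners that need a second look. SAMPLE is constructed; the telnet and established-connection lines are not from the slide.

```python
"""Check a `netstat -af inet -P tcp` listing against the Secure by Default
expectation on slide 62: only Secure Shell reachable from the network, every
other service disabled or bound to loopback. Added example for this workshop
page, not a Solaris tool; SAMPLE is constructed in the column layout shown on
slide 63 (Local Address, Remote Address, Swind, Send-Q, Rwind, Recv-Q, State).
"""
import re

LINE_RE = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s*$")
LOOPBACK_PREFIXES = ("localhost", "127.")


def parse_listeners(text: str) -> list:
    """(local host, local port or service name) for every socket in LISTEN."""
    found = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(7) != "LISTEN":
            continue
        # netstat joins host and port with a dot: '*.ssh', 'localhost.smtp', '10.0.0.5.22'
        host, _, port = m.group(1).rpartition(".")
        found.append((host, port))
    return found


def network_exposed(listeners, allowed=("ssh",)) -> list:
    """Listeners bound to a non-loopback address other than the allowed ones.

    A wildcard bind only proves the socket is reachable; a daemon that binds
    '*' but serves local clients only would still show up here, so treat the
    result as a review list rather than a verdict.
    """
    return sorted(port for host, port in listeners
                  if not host.startswith(LOOPBACK_PREFIXES) and port not in allowed)


SAMPLE = """\
      *.sunrpc             *.*                0      0 49152      0 LISTEN
      *.ssh                *.*                0      0 49152      0 LISTEN
      localhost.smtp       *.*                0      0 49152      0 LISTEN
      localhost.submission *.*                0      0 49152      0 LISTEN
      *.telnet             *.*                0      0 49152      0 LISTEN
      10.0.0.5.22          10.0.0.9.51234 49640      0 49640      0 ESTABLISHED
"""


def demo() -> list:
    """Review list for the constructed sample."""
    return network_exposed(parse_listeners(SAMPLE))
```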
Slide 64: Password and Related Controls
• Pluggable Crypt
> SHA-256, SHA-512, Sun MD5 (+ rounds), BSD MD5, Blowfish
• Password Complexity Checks
> Login Name != Password, White Space Permitted
> Minimum Characters by Class
● Alphabetic, Non-Alphabetic, Uppercase, Lowercase, Digits, Special
> Maximum Consecutive Repeating Characters
> Local Banned Password List (Dictionary)
• Password Aging and History
• Account Lockout
Slide 65: Password Management Example
$ passwd gbrunett
Enter existing login password:
New Password:
passwd: The password must contain at least 1 numeric or special character(s).
Please try again
New Password:
passwd: The password must contain at least 1 uppercase alpha character(s).
Please try again
New Password:
passwd: Too many consecutively repeating characters. Maximum allowed is 3.
Permission denied
$ passwd gbrunett
Enter existing login password:
New Password:
passwd: Password in history list.
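The checks of slides 64 and 65 implemented as an added example for this page (not the passwd(1) or Solaris PAM source): the class minimums and repeat limit are the ones the session above reveals, the banned list and history are constructed sample data, and PBKDF2 stands in for the crypt(3C) hash a real history would store.

```python
"""Password complexity, banned-list and history checks modelled on slides 64–65.

Added example for this workshop page, not the source of passwd(1) or the
Solaris PAM modules. The limits in POLICY are the ones the slide 65 session
reveals (1 numeric or special, 1 uppercase, at most 3 consecutive repeats);
the banned list and the history are constructed sample data, and PBKDF2 stands
in for the crypt(3C) hash the real history file would hold.
"""
import hashlib
import hmac
import os

POLICY = {"MINNONALPHA": 1, "MINUPPER": 1, "MINLOWER": 0, "MINDIGIT": 0,
          "MINSPECIAL": 0, "MAXREPEATS": 3, "HISTORY": 4}
BANNED = {"password", "solaris", "sunshine"}     # constructed local dictionary


def max_consecutive_repeats(pw: str) -> int:
    """Length of the longest run of one repeated character ('aaaa' -> 4)."""
    best = run = 0
    prev = None
    for ch in pw:
        run = run + 1 if ch == prev else 1
        best = max(best, run)
        prev = ch
    return best


def class_counts(pw: str) -> dict:
    """Characters per class; white space is permitted and counts as special."""
    return {
        "nonalpha": sum(not c.isalpha() for c in pw),
        "upper": sum(c.isupper() for c in pw),
        "lower": sum(c.islower() for c in pw),
        "digit": sum(c.isdigit() for c in pw),
        "special": sum(not c.isalnum() for c in pw),
    }


LABELS = {"nonalpha": "numeric or special", "upper": "uppercase alpha",
          "lower": "lowercase alpha", "digit": "numeric", "special": "special"}


def complexity_errors(login: str, pw: str, policy=POLICY) -> list:
    """All passwd-style messages a candidate violates (passwd(1) stops at the first)."""
    errs = []
    if pw.lower() == login.lower():
        errs.append("passwd: The password must not equal the login name.")
    counts = class_counts(pw)
    for cls, label in LABELS.items():
        need = policy["MIN" + cls.upper()]
        if counts[cls] < need:
            errs.append(f"passwd: The password must contain at least {need} "
                        f"{label} character(s).")
    if max_consecutive_repeats(pw) > policy["MAXREPEATS"]:
        errs.append("passwd: Too many consecutively repeating characters. "
                    f"Maximum allowed is {policy['MAXREPEATS']}.")
    if pw.lower() in BANNED:
        errs.append("passwd: Password is in the banned password list.")
    return errs


class PasswordHistory:
    """Ring of a user's previous password hashes (slide 64: Password History)."""

    def __init__(self, depth: int = POLICY["HISTORY"]):
        self.depth = depth
        self.entries = []                    # (salt, hash), oldest first

    @staticmethod
    def _hash(pw: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 50_000)

    def contains(self, pw: str) -> bool:
        return any(hmac.compare_digest(self._hash(pw, s), h) for s, h in self.entries)

    def add(self, pw: str) -> None:
        salt = os.urandom(16)
        self.entries.append((salt, self._hash(pw, salt)))
        del self.entries[:-self.depth]       # keep only the newest `depth`


def change_password(login: str, new_pw: str, history: PasswordHistory) -> list:
    """Run every check; on success record the password and return an empty list."""
    errs = complexity_errors(login, new_pw)
    if history.contains(new_pw):
        errs.append("passwd: Password in history list.")
    if not errs:
        history.add(new_pw)
    return errs
```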
Slide 66: User Rights Management (Roles)
Solaris Users versus Roles
> Roles can only be accessed by users already logged in.
> Users cannot assume a role unless authorized.
$ id -a
uid=80(webservd) gid=80(webservd)
$ roles
No roles
$ su - root
Password:
Roles can only be assumed by authorized users
su: Sorry
Slide 67: User Rights Management Example
$ profiles -l
Object Access Management:
    /usr/bin/chgrp    privs=file_chown
    /usr/bin/chmod    privs=file_owner
    [...]
[...]
$ ls -ld mnt
drwxr-xr-x   2 gbrunett gbrunett     512 Nov  7 12:54 mnt
$ chown bin:bin mnt
chown: mnt: Not owner
$ pfexec chown bin:bin mnt
$ ls -ld mnt
drwxr-xr-x   2 bin      bin          512 Nov  7 12:54 mnt
Slide 68: Process Privileges
• Solaris kernel checks for privileges and not just UID == 0!
> Division of root authority into over 60 discrete privileges.
> Privileges can be granted to processes based on need.
> Privileges can be disabled or dropped when not needed.
> Child processes can have different (fewer) privileges than the parent.
• Completely backward compatible and extensible.
> No changes required to use existing code.
• Privilege bracketing helps to mitigate effects of future flaws.
> e.g., proc_fork and proc_exec
> e.g., proc_info
Slide 69: Process Privilege Sets
• E - Effective
> Privileges in effect
• I - Inheritable set
> Privileges of executed programs
• P - Permitted set
> Upper bound of E
• L - Limit set
> Upper bound for the process and all its descendants
Diagram: the four privilege sets Effective, Permitted, Limit and Inheritable
Slide 70: Process Privilege Inheritance
• Limit (L) is unchanged
• L is used to bound privileges in Inheritable (I)
> I' = I ∩ L
• Child's Permitted (P') & Effective (E') are:
> P' = E' = I'
• Typical process
> P = E = I = {basic}
> L = {all privileges}
> Since P = E = I, children run with same privileges
Slide 71: Using Process Privileges
• ppriv(1)
# ppriv -e -D -s -proc_fork,-proc_exec /bin/sh -c finger
sh[387]: missing privilege "proc_fork" (euid = 0, syscall = 143) needed at cfork+0x18
/bin/sh: permission denied
• User Rights Management (RBAC)
# grep "Network Management" /etc/security/exec_attr
Network Management:solaris:cmd:::/sbin/ifconfig:privs=sys_net_config
Network Management:solaris:cmd:::/sbin/route:privs=sys_net_config
• Service Management Framework (SMF)
# svcprop -p start rpc/bind | grep privileges
start/privileges astring basic,file_chown,file_chown_self,file_owner,net_privaddr,proc_setid,sys_nfs,net_bindmlp
stop/limit_privileges astring :default
• Privilege Aware Commands / Services
> e.g., ping, rmformat, quota, rpcbind, nfsd, mountd
Slide 72: Process Privileges Example
$ ppriv $$
28983: bash
flags = <none>
        E: basic
        I: basic
        P: basic
        L: all
$ ppriv -l basic
file_link_any
proc_exec
proc_fork
proc_info
proc_session
$ ppriv -De cat /etc/shadow
cat[3988]: missing privilege "file_dac_read" (euid = 101, syscall = 225) needed at ufs_iaccess+0xc9
cat: cannot open /etc/shadow
$ ppriv -s -proc_fork,-proc_exec -De /bin/vi
[attempt to run a command/escape to a shell]
vi[4180]: missing privilege "proc_fork" (euid = 101, syscall = 143) needed at cfork+0x3b
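A model of the privilege set rules from slides 69 to 72, together with the privilege specification syntax used by SMF start/privileges (slide 61) and exec_attr privs= (slide 71), as an added example for this page and not Solaris code. It applies "basic"/"all" and "!priv" tokens, inheritance across exec (L unchanged, I' = I ∩ L, P' = E' = I'), and a ppriv -s style adjustment; ALL is an illustrative subset of the real list of over 60 privileges, and the interpretation of a set-letter-less ppriv -s as touching E, I and P is this model's assumption.

```python
"""Model of Solaris process privilege sets E, I, P and L (slides 69–72).

Added example for this workshop page, not Solaris code. It implements the
privilege specification syntax shared by SMF start/privileges (slide 61) and
exec_attr privs= (slide 71), the "basic" and "all" keywords, "!priv" removal,
inheritance across exec (slide 70: L unchanged, I' = I ∩ L, P' = E' = I'),
and a ppriv -s style adjustment. ALL is an illustrative subset of the real
list of over 60 privileges; names are taken from the slides.
"""
from dataclasses import dataclass

# Basic set exactly as printed by `ppriv -l basic` on slide 72.
BASIC = frozenset({"file_link_any", "proc_exec", "proc_fork", "proc_info", "proc_session"})
# Illustrative subset of the full privilege list.
ALL = BASIC | {"file_chown", "file_chown_self", "file_owner", "file_dac_read",
               "net_privaddr", "proc_setid", "sys_nfs", "net_bindmlp", "sys_net_config"}


def expand_spec(spec: str, base=frozenset()) -> frozenset:
    """Apply 'basic,!proc_session,net_privaddr' left to right on top of base.

    'basic' and 'all' name sets; a leading '!' or '-' removes; ':default'
    leaves base unchanged. Unknown names are rejected rather than ignored.
    """
    privs = set(base)
    for tok in (t.strip() for t in spec.split(",") if t.strip()):
        if tok == ":default":
            continue
        remove = tok[0] in "!-"
        name = tok.lstrip("!-+")
        members = {"basic": BASIC, "all": ALL}.get(name)
        if members is None:
            if name not in ALL:
                raise ValueError(f"unknown privilege: {name}")
            members = {name}
        if remove:
            privs.difference_update(members)
        else:
            privs.update(members)
    return frozenset(privs)


@dataclass(frozen=True)
class PrivSets:
    E: frozenset
    I: frozenset
    P: frozenset
    L: frozenset

    @classmethod
    def typical(cls):
        """Slide 70: P = E = I = {basic}, L = {all privileges}."""
        return cls(E=BASIC, I=BASIC, P=BASIC, L=ALL)

    def exec_child(self):
        """Sets of an exec'd child: L unchanged, I' = I ∩ L, P' = E' = I'."""
        i = self.I & self.L
        return PrivSets(E=i, I=i, P=i, L=self.L)

    def adjust(self, spec: str, sets: str = "EIP"):
        """ppriv -s style change; with no set letter this model touches E, I and P.

        E ⊆ P ⊆ L is re-established afterwards, so nothing is added above the
        Limit set (P is the upper bound of E, L the bound for descendants).
        """
        new = {s: getattr(self, s) for s in "EIPL"}
        for s in sets:
            new[s] = expand_spec(spec, new[s])
        new["P"] &= new["L"]
        new["E"] &= new["P"]
        return PrivSets(**new)

    def check(self, priv: str, cmd: str, euid: int):
        """Kernel-style check: None if allowed, else a ppriv -D style message."""
        if priv in self.E:
            return None
        return f'{cmd}: missing privilege "{priv}" (euid = {euid})'


def apache2_start_privs() -> frozenset:
    """Start method privileges from the svcprop output on slide 61."""
    return expand_spec("basic,!proc_session,!proc_info,!file_link_any,net_privaddr")


def bracketing_demo():
    """Slide 72: `ppriv -s -proc_fork,-proc_exec -De /bin/vi`, then a shell escape."""
    vi = PrivSets.typical().adjust("-proc_fork,-proc_exec")
    shell = vi.exec_child()          # I' = I ∩ L lacks proc_fork, so the escape cannot fork
    return vi.check("proc_fork", "vi[4180]", 101), shell.check("proc_fork", "sh", 101)
```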
Slide 73: Process Privileges Debugging
web_svc zone:  # svcadm disable apache2
global zone:   # privdebug -v -f -n httpd
web_svc zone:  # svcadm enable apache2
global zone:   [output of privdebug command]
STAT TIMESTAMP        PPID  PID   PRIV          CMD
USED 273414882013890  4642  4647  net_privaddr  httpd
USED 273415726182812  4642  4647  proc_fork     httpd
USED 273416683669622     1  4648  proc_fork     httpd
USED 273416689205882     1  4648  proc_fork     httpd
USED 273416694002223     1  4648  proc_fork     httpd
USED 273416698814788     1  4648  proc_fork     httpd
USED 273416703377226     1  4648  proc_fork     httpd
privdebug is available from the OpenSolaris Security Community, http://www.opensolaris.org/os/community/security/projects/privdebug/
Slide 74: IP Filter
● Stateful and stateless packet inspection – IPv4, IPv6
● Kernel-based packet filtering
● Protocol proxies (TCP, UDP, FTP, rcmds, etc.)
● Transparent proxy support
● Text-based configuration
● Support for both NAT and PAT
● SYSLOG Logging
● Lightweight, small footprint, high performance
Slide 75: Cryptographic Framework
● Standards-based, pluggable framework
> Kernel support as well as user-land (PKCS#11)
> Supports administrative policies (e.g., FIPS 140 algorithms only)
● By default, supports major algorithms.
> Encryption: AES, ECC, Blowfish, RC4, DES, 3DES, RSA
> Digest: MD5, SHA-1, SHA-256, SHA-384, SHA-512
> MAC: DES MAC, MD5 HMAC, SHA-1 HMAC, SHA-256 HMAC, SHA-384 HMAC, SHA-512 HMAC
> Optimized for SPARC, Intel and AMD
• Framework supports pluggable hardware/software providers:
> e.g., UltraSPARC T1/T2 and the Sun CryptoAccelerator 6000
Slide 76: Cryptographic Framework
Now the framework for cryptography is standardized and extensible. Your current cryptographic choices and any future technology can easily plug in and just work.
Diagram: applications reach the Cryptographic Framework through its Consumer Interface (PKCS 11): an Open Source Web Server via OpenSSL, the Sun Java Web Server via NSS (Java Enterprise System), a Java VM application via JCE (Java Crypto. Extensions), and a Commercial App directly via PKCS 11. Below the framework, the Provider Interface (PKCS 11) plugs in the Sun Software Crypto. Plug-in (DES, 3DES, AES, Blowfish, RSA, MD5, SHA_, RC4) and hardware accelerators (UltraSPARC T1, UltraSPARC T2, Hardware Crypto. Accelerator 6000).
• Standards-based framework
• Same API, software or hardware
• Extensible for future technologies
Slide 77: Basic Audit and Reporting Tool
File-level integrity validation tool:
> Evaluates: uid, gid, permissions/acls, contents, mtime, size, type, etc.
> Enables point-in-time comparison against a previous snapshot.
# cat ./rules
/etc
CHECK all
# find /etc | bart create -I > newManifest
# bart compare -r ./rules ./oldManifest ./newManifest
/etc/user_attr:
  size  control:28268  test:23520
  acl  control:user::rw-,group::rw-,mask:r-x,other:r--  test:user::rw-,group::rw-,mask:r-x,other:rw-
  contents  control:28dd3a3af2fcc103f422993de5b162f3  test:28893a3af2fcc103f422993de5b162f3
Sun BluePrint: Automating File Integrity Checks, http://www.sun.com/blueprints/0305/819-2259.pdf
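The create-then-compare workflow of slide 77, as an added example for this page and not bart(1M) code: a manifest records type, size, mode, uid, gid, mtime and a content hash per path, and the comparison reports control versus test differences per attribute in the layout shown above, restricted to a rules-style list of attributes. BART's own manifest format and digest differ; the input is a temporary directory with constructed files.

```python
"""Manifest-based file integrity check in the spirit of BART (slide 77).

Added example for this workshop page, not bart(1M) code. create_manifest
records type, size, mode, uid, gid, mtime and a SHA-256 of the contents per
path (BART's own manifest format and digest differ); compare_manifests
reports control/test differences per attribute like `bart compare`, limited
to the attributes a rules-style CHECK list names. The demo builds its input
in a temporary directory with constructed files.
"""
import hashlib
import os
import stat
import tempfile

ATTRS = ("type", "size", "mode", "uid", "gid", "mtime", "contents")


def _entry(path: str) -> dict:
    st = os.lstat(path)
    if stat.S_ISREG(st.st_mode):
        kind = "F"
    elif stat.S_ISDIR(st.st_mode):
        kind = "D"
    else:
        kind = "L" if stat.S_ISLNK(st.st_mode) else "O"
    e = {"type": kind, "size": st.st_size, "mode": oct(stat.S_IMODE(st.st_mode)),
         "uid": st.st_uid, "gid": st.st_gid, "mtime": int(st.st_mtime)}
    if kind == "F":
        with open(path, "rb") as f:
            e["contents"] = hashlib.sha256(f.read()).hexdigest()
    return e


def create_manifest(root: str) -> dict:
    """Map each path (relative to root, e.g. /etc/user_attr) to its attributes."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for p in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            rel = os.path.relpath(p, root).replace(os.sep, "/")
            manifest["/" if rel == "." else "/" + rel] = _entry(p)
    return manifest


def compare_manifests(control: dict, test: dict, check=ATTRS) -> dict:
    """{path: {attr: (control, test)}}; added/deleted paths use 'add'/'delete'."""
    report = {}
    for path in sorted(set(control) | set(test)):
        if path not in test:
            report[path] = {"delete": (control[path]["type"], None)}
        elif path not in control:
            report[path] = {"add": (None, test[path]["type"])}
        else:
            diffs = {a: (control[path].get(a), test[path].get(a))
                     for a in check if control[path].get(a) != test[path].get(a)}
            if diffs:
                report[path] = diffs
    return report


def format_report(report: dict) -> str:
    """Render in the layout of the bart compare output on slide 77."""
    lines = []
    for path, diffs in report.items():
        lines.append(f"{path}:")
        for attr, (ctl, tst) in diffs.items():
            lines.append(f"  {attr}  control:{ctl}  test:{tst}")
    return "\n".join(lines)


def demo() -> dict:
    """Snapshot a constructed /etc, tamper with it, and compare (mtime ignored)."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.mkdir(etc)
        user_attr = os.path.join(etc, "user_attr")
        with open(user_attr, "w") as f:
            f.write("root::::auths=solaris.*;profiles=All\n")          # constructed
        os.chmod(user_attr, 0o644)
        with open(os.path.join(etc, "passwd"), "w") as f:
            f.write("root:x:0:0::/:/sbin/sh\n")                         # constructed
        control = create_manifest(root)
        # Tampering: an extra user_attr entry, a looser mode, a new file.
        with open(user_attr, "a") as f:
            f.write("gbrunett::::profiles=Object Access Management\n")
        os.chmod(user_attr, 0o666)
        with open(os.path.join(etc, "hosts.new"), "w") as f:
            f.write("127.0.0.1 localhost\n")
        test = create_manifest(root)
        check = tuple(a for a in ATTRS if a != "mtime")   # rules-style: IGNORE mtime
        return compare_manifests(control, test, check)
```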
Slide 78: Solaris Audit
• Kernel auditing of system calls and administrative actions.
> Can record events happening in any zone (from the global zone).
> Can also delegate audit configuration to local zone administrators.
> Can capture complete command line and environment.
> Records original (audit) ID as well as current credentials.
> Audit trail can be formatted as text, XML, and/or delivered via syslog.
• Example:
header,77,2,su,,tundra,2006-11-06 21:55:31.386 -08:00
subject,joe,joe,other,joe,other,2444,1898931306, 12114 22 marduk
text,root
return,failure,Authentication failed
Example adapted from the Sun BluePrint: Enforcing the Two-Person Rule Via Role-based Access Control in the Solaris 10 OS, http://www.sun.com/blueprints/0805/819-3164.pdf
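A parser for text-format audit records like the one on slide 78 plus a small triage pass, as an added example for this page and not praudit(1M) code: token layouts are read off the slide's record, SLIDE_RECORD is the slide's own example, and the records in CONSTRUCTED are made up for the demonstration (the ann/chown record shows the audit ID surviving a switch to root).

```python
"""Parser and triage pass for text-format Solaris audit records (slide 78).

Added example for this workshop page, not praudit(1M) code. Token layouts are
read off the slide's record (header, subject, text, return); SLIDE_RECORD is
the slide's own example and CONSTRUCTED holds made-up records for the demo.
"""
from collections import Counter

HEADER_FIELDS = ("bytes", "version", "event", "modifier", "host", "time")
SUBJECT_FIELDS = ("audit_id", "uid", "gid", "ruid", "rgid", "pid", "sid", "tid")


def parse_record(text: str) -> dict:
    """One comma-delimited record -> dict keyed by token type."""
    rec = {}
    for line in text.strip().splitlines():
        tok, *fields = [p.strip() for p in line.split(",")]
        if tok == "header":
            rec["header"] = dict(zip(HEADER_FIELDS, fields))
        elif tok == "subject":
            rec["subject"] = dict(zip(SUBJECT_FIELDS, fields))
        elif tok == "text":
            rec.setdefault("text", []).append(",".join(fields))
        elif tok == "return":
            rec["return"] = {"status": fields[0], "value": ",".join(fields[1:])}
        else:
            rec.setdefault("other", []).append((tok, fields))
    return rec


def triage(records, threshold: int = 3):
    """Alerts for failed su and for audit ID != current uid; repeat offenders."""
    failures = Counter()
    alerts = []
    for r in records:
        h, s, ret = r.get("header", {}), r.get("subject", {}), r.get("return", {})
        if h.get("event") == "su" and ret.get("status") == "failure":
            target = (r.get("text") or ["?"])[0]
            failures[s.get("audit_id")] += 1
            alerts.append(f"{h['time']} {h['host']}: {s['audit_id']} failed su to "
                          f"{target} from {s['tid']}: {ret['value']}")
        # The audit ID survives su and role assumption (slide 78), so a record
        # whose audit ID differs from its uid shows who really acted.
        if s and s["audit_id"] != s["uid"]:
            alerts.append(f"{h['time']} {h['host']}: {s['audit_id']} acting as "
                          f"{s['uid']} ({h['event']})")
    repeat = sorted(a for a, n in failures.items() if n >= threshold)
    return alerts, repeat


SLIDE_RECORD = """header,77,2,su,,tundra,2006-11-06 21:55:31.386 -08:00
subject,joe,joe,other,joe,other,2444,1898931306, 12114 22 marduk
text,root
return,failure,Authentication failed"""

CONSTRUCTED = [
    """header,77,2,su,,tundra,2006-11-06 21:55:40.102 -08:00
subject,joe,joe,other,joe,other,2451,1898931306, 12114 22 marduk
text,root
return,failure,Authentication failed""",
    """header,77,2,su,,tundra,2006-11-06 21:55:49.517 -08:00
subject,joe,joe,other,joe,other,2458,1898931306, 12114 22 marduk
text,root
return,failure,Authentication failed""",
    """header,88,2,chown(2),,tundra,2006-11-06 22:01:03.004 -08:00
subject,ann,root,root,root,root,2503,1898931401, 12116 22 marduk
return,success,0""",
]


def demo():
    """Triage the slide's record plus the constructed ones."""
    return triage([parse_record(t) for t in [SLIDE_RECORD] + CONSTRUCTED])
```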
Slide 79: Solaris 10 10/08: System Support
• Support for Intel's latest multicore Xeon processors
• Improved support for Intel NUMA systems
• Support for latest Intel/AMD instruction set extensions
> SSSE3, SSE4.1, SSE4.2, AMD SSE4A
• Fault Management support for Intel 5400 Northbridge, other x86 devices, e1000g and igb network controllers
• NVIDIA SATA controller enhancements
Slide 80: Next Steps
1 > Get Solaris: sun.com/solaris/get
2 > Get Involved: opensolaris.org | bigadmin.com | developers.sun.com/solaris
3 > Get Trained: sun.com/solaris/freetraining | Learning Paths: sun.com/training/solaris
4 > Get Data Sheets and White Papers: sun.com/solaris/reference_materials | sun.com/solaris/teachme
5 > Get Started with Solaris Learning Centers
6 > Get Current: sun.com/solaris/move | bigadmin.com/apps | bigadmin.com/hcl
Slide 81: SOLARIS TECHNICAL WORKSHOP
Danilo Poccia danilo.poccia@sun.com blogs.sun.com/danilop