Solaris Technical Workshop

    Solaris Technical Workshop - Presentation Transcript

    1. SOLARIS TECHNICAL WORKSHOP
    Danilo Poccia, Senior Systems Engineer, Sun Microsystems Italia S.p.A.
    2. Agenda
    • Predictive Self-Healing
    • DTrace
    • ZFS
    • Zones & Resource Management
    • Security
    3. Predictive Self-Healing
    • Predictive Self-Healing has the following main components:
      > Fault Management Architecture (FMA)
      > Service Management Facility (SMF)
    • Traditionally, when a hardware or software fault occurred on a Solaris system, a message would usually be logged to the appropriate device specified in /etc/syslog.conf, and the rest of the diagnosis and repair was left to the administrator
    • Predictive Self-Healing is a newly designed cohesive architecture and methodology for automatically diagnosing, reporting, and handling software and hardware fault conditions
    4. Fault Management Architecture
    • FMA introduces a new software architecture and methodology for fault management across Sun's product line
    • The Solaris FMA model provides for three activities with which fault management code must concern itself:
      > Error handling
      > Fault diagnosing
      > Response
    5. Fault Management Architecture (diagram)
    • Probe: error detection and data gathering; emits an error event
    • Fault Manager: diagnosis and event recording; emits a fault event
    • Fault Handler: takes action and handles the fault
    6. Fault Management Architecture
    • User-level commands:
      > fmd (the fault manager daemon)
      > fmadm
      > fmstat
      > fmdump
    • Events are identified by a URI:
      > Fault Management Resource Identifier (FMRI)
      > fmri-scheme://[authority]/path
    7. FMA Sample
    • Once a CPU fault has occurred, the administrator might see this message on the console and logged to syslog:
        SUNW-MSG-ID: SUN4U-8000-6H, TYPE: Fault, VER: 1, SEVERITY: Major
        EVENT-TIME: Sun Oct 17 14:15:50 PDT 2004
        PLATFORM: SUNW,Sun-Blade-1000, CSN: -, HOSTNAME: myhost
        EVENT-ID: 64fe6c23-12b7-ccd1-f0a7-b531941738f8
        DESC: The number of errors associated with this CPU has exceeded acceptable levels.
              Refer to http://sun.com/msg/SUN4U-8000-6H for more information.
        AUTO-RESPONSE: An attempt will be made to remove the affected CPU from service.
        IMPACT: Performance of this system may be affected.
        REC-ACTION: Schedule a repair procedure to replace the affected CPU.
              Use fmdump -v -u <EVENT_ID> to identify the CPU.
    • The CPU state changes from ok to faulted, the processes using that CPU are terminated, and the CPU is taken offline. The state of the CPU can be viewed by using the psrinfo command:
        # psrinfo
        0       on-line   since 09/27/2004 16:57:30
        1       faulted   since 10/17/2004 14:15:50
    8. FMA Sample
    • Run the fmdump command listed in the fault message, using the EVENT-ID, for more information on the fault. The output shows that CPU 1 has a problem and the component in Slot 1 needs replacing. The text "Slot 1", indicating the location of the defective part, can be found silk-screened on the motherboard:
        # fmdump -v -u 64fe6c23-12b7-ccd1-f0a7-b531941738f8
        TIME                 UUID                                 SUNW-MSG-ID
        Oct 17 14:15:50.1630 64fe6c23-12b7-ccd1-f0a7-b531941738f8 SUN4U-8000-6H
          100%  fault.cpu.ultraSPARC-III.l2cachedata
                FRU:  hc:///component=Slot 1
                rsrc: cpu:///cpuid=1/serial=1107C270C8A
    • Once a replacement CPU is delivered, the defective CPU in Slot 1 can be replaced and re-enabled
    9. Service Management Facility
    • SMF delivers a unified Solaris service configuration infrastructure capable of accurately modeling any Solaris service and its interaction with Solaris and other services
    • Rather than the problematic use of rc scripts, SMF starts services in parallel according to their dependencies, which allows the system to boot faster and reduces dependency conflicts
    10. Service Management Facility
    • Main components
      > Service abstraction
      > Repository of service information
      > Daemon to access the repository (svc.configd)
      > API for access to the repository
      > Master restarter daemon (svc.startd)
      > Delegated restarters (e.g. inetd)
      > Command line tools
    11. Service Management Facility (architecture diagram)
    • Management and observability agents use the repository API to talk to svc.configd(1M)
    • svc.startd(1M), started by init(1M), reads the repository and starts processes, tracking them through kernel contracts
    • Delegated restarters such as inetd(1M) manage inet services on behalf of svc.startd
    12. Service Management Facility
    • User-level commands:
      > svcs
      > svcadm
      > svccfg
      > svcprop
      > inetadm
    • Services are identified by a URI:
      > Fault Management Resource Identifier (FMRI)
      > fmri-scheme://[authority]/path
      > Scheme name is "svc" or "lrc"
    13. Dynamic Tracing (DTrace)
    • Features:
      > Enables dynamic modification of the system to record arbitrary data
      > Promotes tracing on live systems
      > Is completely safe: its use cannot induce fatal failure
      > Allows tracing of both the kernel and user-level programs
      > Functions with low overhead when tracing is enabled and zero overhead when tracing is not being performed
    14. Dynamic Tracing (DTrace)
    • Components:
      > Probe (provider:module:function:name)
      > Providers
      > Consumers
    15. Dynamic Tracing (DTrace) (architecture diagram)
    • Userland: DTrace consumers (dtrace(1M), lockstat(1M), intrstat(1M), plockstat(1M), D scripts such as a.d and b.d) use libdtrace(3LIB)
    • Kernel: the dtrace(7D) driver and the DTrace providers (syscall, profile, fbt, sched, sysinfo, vminfo, io, ...)
    16. D Programming Language
    • Similar to awk "pattern action" pairs
      > Enables complete access to kernel C types
      > Provides complete access to kernel static and global variables
      > Provides complete support for ANSI-C operators
      > Supports strings as a built-in type (unlike C)
    17. D Programming Language
    • Command line:
        dtrace -n 'syscall:::entry { trace(execname) }'
    • D scripts:
        $ cat syscall.d
        #!/usr/sbin/dtrace -s
        /* fire on entry to every system call and print the calling program's name */
        syscall:::entry
        {
            trace(execname);
        }
    18. D Script Samples
    • writes.d: count write(2) calls per program
        #!/usr/sbin/dtrace -s
        syscall::write:entry
        {
            @numWrites[execname] = count();
        }
    • writes2.d: average write(2) size per program (arg2 is the byte count passed to write(2))
        #!/usr/sbin/dtrace -s
        syscall::write:entry
        {
            @avgSize[execname] = avg(arg2);
        }
    19. What is ZFS?
    A new way to manage data:
    • End-to-end data integrity, with checksumming and copy-on-write transactions
    • Immense data capacity: the world's first 128-bit file system
    • Easier administration: a pooled storage model, no volume manager
    • Huge performance gains: especially architected for speed
    20. No More Volume Manager! (diagram)
    • Applications 1, 2 and 3 each use a ZFS file system; all of them draw from one shared ZFS storage pool, and capacity is added to the pool, not to individual volumes
    21. Copy-on-Write and Transactional (diagram)
    • Initial block tree, rooted at the uber-block
    • Writes a copy of the changed data blocks; the original pointers and data are left in place
    • Copy-on-write of the indirect blocks that point to the new data
    • Rewrites the uber-block to point at the new tree; the transaction becomes visible atomically
    22. End-to-End Checksums
    • Checksums are separated from the data (stored in the parent block pointer)
    • Prevents:
      > Silent data corruption
      > Panics from corrupted metadata
      > Phantom writes
      > Misdirected reads and writes
      > DMA parity errors
      > Errors from driver bugs
      > Accidental overwrites
    • The entire I/O path is self-validating, up to the uber-block
    23. RAID-Z Protection (RAID-5, RAID-6 and more)
    • ZFS provides better than RAID-5 availability
    • Striping uses dynamic widths
      > Each logical block is its own stripe
    • All writes are full-stripe writes
      > Eliminates read-modify-write (so it's fast!)
    • Eliminates the RAID-5 "write hole"
      > No need for NVRAM
    24. Self-Healing Data
    ZFS can detect bad data using checksums and "heal" the data using its mirrored copy (diagram):
    • The application reads; ZFS detects bad data on one side of the mirror via the checksum
    • ZFS gets the good data from the other side of the mirror
    • ZFS "heals" the bad copy and sends the good data back to the application
    25. ZFS Snapshots
    • Provide a read-only point-in-time copy of a filesystem
    • Copy-on-write makes them essentially "free"
    • Very space efficient: only changes are tracked
    • And instantaneous: a snapshot simply retains the old uber-block and block tree while current data moves to a new uber-block
    26. ZFS Clones
    • Writable copy of a snapshot
    • Ideal for storing many private copies of shared data:
      > Software installations
      > Workspaces
      > Diskless clients
    • Example: create a clone of your OpenSolaris source code
        # zfs clone tank/solaris@monday tank/ws/lori/fix
    27. Quotas and Reservations
    • To control pooled storage usage, administrators can set a quota on a per file system basis
      > Limit Tim to a quota of 10g
        # zfs set quota=10g tank/home/tim
    • Or they can set a reservation (minimum)
      > Guarantee Fred a reservation of 20g
        # zfs set reservation=20g tank/home/fred
    28. ZFS Implements "Adaptive Endian-ness"
    • Hosts always write in their native endian-ness
    • On opposite-endian systems, write and copy operations will eventually byteswap all data
    • Configuration data is stored within the data: when the data moves, so does its configuration information (storage pool migration)
    29. Data Compression
    • Reduces the amount of disk space used
    • Reduces the amount of data transferred to disk, increasing data throughput
    • Algorithms: LZJB (the default) and GZIP (levels 1-9)
    30. Architected for Speed
    • Copy-on-write design
    • Multiple block sizes
    • Pipelined I/O
    • Dynamic striping
    • Intelligent pre-fetch
    31. ZFS Turbo Charges Applications (Hybrid Storage Pools)
    • ZFS automatically:
      > Determines data access patterns and stores frequently accessed data in a read cache called L2ARC
      > Bundles I/O into sequential staged writes for more efficient use of low-cost mechanical disks
      > Commits synchronous writes to a very fast SSD log device (ZIL), accelerating applications such as databases and NFS
    32. ZFS
    • User-level commands:
      > zpool
      > zfs
    • Starting from Solaris 10 8/07 (Update 4) there is support for iSCSI target devices
      > iscsiadm (for iSCSI initiators)
      > iscsitadm (for iSCSI targets)
    • iSCSI is integrated with ZFS (like NFS), e.g.:
        # zfs create -V 2g tank/volumes/v2
        # zfs set shareiscsi=on tank/volumes/v2
        # iscsitadm list target
    33. ZFS
    • Starting from Solaris 10 10/08 (Update 6) there is support for ZFS boot (SPARC and x86)
      > Even the swap device is a ZFS volume, so there is no need to partition boot devices (single pool, multiple filesystems and volumes)
      > An Alternate Boot Environment (ABE) can be created with the lucreate command (and managed with the other lu* commands); it uses ZFS snapshots and clones, so it is fast and does not waste disk space
    34. Cheap Data Replication (between heterogeneous storage vendors)
    • ZFS snapshots are "free" and "easy"
    • Snapshots can be transmitted in a full or incremental way
    • Data can be transmitted in the clear or encrypted (over ssh)
    • Possible solution: a snapshot every minute, transmitted to the remote site with ZFS over SSH (original system to replicated system)
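The replication scheme on slide 34 (periodic snapshot, full or incremental zfs send over ssh) as a worked script. This is an added example, not code from the presentation or from Sun; the dataset, host and snapshot names are assumptions. With DRY_RUN=1 (the default) it prints the zfs/ssh commands instead of executing them, so the decision logic, full versus incremental stream and pruning, can be exercised on a machine without ZFS.

```shell
#!/bin/sh
# ZFS snapshot replication over ssh (added example; dataset, host and snapshot names are assumptions).
# DRY_RUN=1 (the default) prints the zfs/ssh commands instead of running them.
DRY_RUN=${DRY_RUN:-1}
PREFIX=${PREFIX:-repl}          # transport snapshots are named <dataset>@<PREFIX>-<stamp>

run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$1"; else eval "$1"; fi; }

# send_cmd DATASET PREV CUR HOST DEST -> the pipeline that ships snapshot CUR.
# No PREV (first run): full stream. Otherwise an incremental stream from PREV, which must
# still exist on both sides. The receiver gets -F so a stray write on the replica is rolled
# back to the common snapshot instead of aborting the receive.
send_cmd() {
  if [ -z "$2" ]; then
    printf 'zfs send %s@%s | ssh %s zfs receive -F %s\n' "$1" "$3" "$4" "$5"
  else
    printf 'zfs send -i %s %s@%s | ssh %s zfs receive -F %s\n' "$2" "$1" "$3" "$4" "$5"
  fi
}

# prune_list "oldest ... newest" KEEP -> the snapshots to destroy, oldest first.
# The newest KEEP are retained; KEEP >= 1 so the next incremental base is never destroyed.
prune_list() {
  [ "$2" -ge 1 ] || { echo "keep must be >= 1" >&2; return 1; }
  n=0; for s in $1; do n=$((n + 1)); done
  drop=$((n - $2)); out=""
  for s in $1; do
    [ "$drop" -gt 0 ] || break
    out="$out $s"; drop=$((drop - 1))
  done
  printf '%s\n' "${out# }"
}

# replicate DATASET HOST DEST KEEP "existing transport snapshots, oldest first"
# One cycle: snapshot, send (incremental when a previous snapshot exists), prune both sides.
# In a real run the last argument comes from the sender, e.g.:
#   zfs list -H -t snapshot -o name -s creation -r DATASET | sed -n "s|^DATASET@||p"
replicate() {
  ds=$1; host=$2; dest=$3; keep=$4; existing=$5
  cur="$PREFIX-${STAMP:-$(date -u +%Y%m%d%H%M%S)}"
  prev=""; for s in $existing; do prev=$s; done        # newest existing snapshot, if any
  run "zfs snapshot $ds@$cur"
  run "$(send_cmd "$ds" "$prev" "$cur" "$host" "$dest")"
  for old in $(prune_list "$existing $cur" "$keep"); do
    run "zfs destroy $ds@$old"
    run "ssh $host zfs destroy $dest@$old"
  done
}

# Example cycle (dry run): three earlier transport snapshots exist, keep the newest three.
STAMP=20081106215531 replicate tank/data backup.example.com backup/data 3 "repl-a repl-b repl-c"
```

Run it from cron once a minute with DRY_RUN=0 once the first full send has completed; the ssh account on the receiver needs only the authorizations to run zfs receive and zfs destroy on the destination dataset.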
    35. ZFS + PostgreSQL = Greenplum (ZFS data compression)
    36. Solaris Resource Manager
    • Resource management functionality is a component of the Solaris environment
      > Resource management enables you to control how applications use available system resources
    • You can do the following:
      > Allocate computing resources, such as processor time
      > Monitor how the allocations are being used, then adjust the allocations as necessary
      > Generate extended accounting information for analysis, billing, and capacity planning
    37. Solaris Resource Manager
    • Projects and Tasks
    • Extended Accounting
    • Resource Controls
    • Fair Share Scheduler
    • Physical Memory Control (using the Resource Capping Daemon)
    • Dynamic Resource Pools
    38. Projects and Tasks
    • To optimize workload response, you must first be able to identify the workloads that are running on the system you are analyzing
      > The project provides a network-wide administrative identifier for related work
      > The task collects a group of processes into a manageable entity that represents a workload component
    39. Extended Accounting
    • The extended accounting subsystem labels usage records with the project for which the work was done
      > You can also use extended accounting in conjunction with the Internet Protocol Quality of Service (IPQoS) flow accounting module
    • User-level commands:
      > acctadm
    40. Resource Controls
    • In the Solaris Operating System, the concept of a per-process resource limit has been extended to the task and project entities
      > A resource control is identified by the prefix project, task, or process. Resource controls can be observed on a system-wide basis. It is possible to update resource control values on a running system
      > In a zones environment, the prefix zone identifies a zone-wide resource control
    • User-level commands:
      > rctladm
      > prctl
    41. Fair Share Scheduler
    • A fundamental job of the operating system is to arbitrate which processes get access to the system's resources
      > The process scheduler, also called the dispatcher, is the portion of the kernel that controls allocation of the CPU to processes. The scheduler supports the concept of scheduling classes. Each class defines a scheduling policy that is used to schedule processes within the class
      > The default scheduler in the Solaris Operating System, the TS (timesharing) scheduler, tries to give every process relatively equal access to the available CPU
    42. Fair Share Scheduler
    • You can use the fair share scheduler (FSS) to control the allocation of available CPU resources among workloads, based on their importance
      > This importance is expressed by the number of shares of CPU resources that you assign to each workload
    • User-level commands:
      > dispadmin
    43. Physical Memory Control
    • The resource capping daemon and its associated utilities provide mechanisms for physical memory resource cap enforcement and administration
      > Per-project physical memory caps are supported
      > The daemon repeatedly samples the resource utilization of projects that have physical memory caps; the sampling interval used by the daemon is specified by the administrator
      > When the system's physical memory utilization exceeds the threshold for cap enforcement, and other conditions are met, the daemon takes action to reduce the resource consumption of projects with memory caps to levels at or below the caps
    44. Physical Memory Control
    • User-level commands:
      > rcapd (managed by SMF as svc:/system/rcap:default)
      > rcapadm
      > rcapstat
    • Starting from Solaris 10 8/07 (Update 4) rcap is zone aware (configured through zonecfg); it can cap a zone's:
      > Physical memory (RSS)
      > Locked memory (not swappable)
      > Swapped memory
    45. Dynamic Resource Pools
    • Resource pools enable you to separate workloads so that workload consumption of certain resources does not overlap
      > This resource reservation helps to achieve predictable performance on systems with mixed workloads
      > Resource pools provide a persistent configuration mechanism for processor set (pset) configuration and, optionally, scheduling class assignment
    46. Dynamic Resource Pools
    • User-level commands:
      > pooladm
      > poolcfg
      > poolbind
      > psrset
    47. IPQoS
    • IPQoS enables system administrators to provide different levels of network service to customers and to critical applications
      > The IPQoS architecture is an implementation of the IETF Differentiated Services (diffserv) model as defined in RFC 2475
    • The Solaris OS implementation has added:
      > A flow accounting module (flowacct) that gathers statistics for traffic flows, reported through extended accounting (acctadm)
      > Statistics gathering for traffic classes, through the kstat command
      > 802.1D user priority marking for VLANs
    48. IPQoS
    • Multifield classifier: selects actions based on filters that configure the QoS policy of your organization
    • Meter: measures the network traffic in compliance with the Diffserv model
    • Marker: marks a packet's IP header with forwarding information for service differentiation
    • Simple packet dropper: drops packets based on service differentiation
    49. IPQoS Flow Sequence (diagram only)
    50. IPQoS
    • User-level commands:
      > ipqosconf
    • Modules:
      > ipgpc (IP Generic Packet Classifier)
      > dscpmk (Differentiated Services Code Point Marker)
      > dlcosmk (Data Layer Class of Service Marker)
      > tokenmt (Token Meter)
      > tswtclmt (Time Sliding Window Three Conformance Level Meter)
      > flowacct (Flow Accounting)
    51. Containers = Zones + RM
    • Zones provide virtual operating system services that look like different Solaris instances to users and applications
    • This architecture isolates processes, hides the underlying platform and enables the global administrator to allow the use of system resources on a granular level
    • This separation can create a more secure environment, where multiple applications can coexist, in different zones, on one machine
    52. Solaris Zones
    • Zone features:
      > Security
      > Isolation
      > Virtualization
      > Granularity
      > Transparency
      > Cloning
      > Moving
    53-55. Sample Zones Environment (diagrams)
    • Global zone (v1280-room3-rack12-2; 129.76.4.24), zone root /: system services (patrol), audit services (auditd), security services (login, BSM), zone management (zonecfg, zoneadm, zlogin), core services (inetd, rpcbind, sshd, ...), remote admin/monitoring (SNMP, SunMC, WBEM), platform administration (syseventd, devfsadm, ifconfig, ...); it owns the console, /usr, the storage complex and the network devices hme0, ce0 and ce1
    • Each non-global zone has its own zone root, a zoneadmd in the global zone, a virtual console (zcons), a /usr, and virtual interfaces on the global zone's NICs (hme0:N, ce0:N); interactive tools (sh, bash, prstat) run in a users project:
      > web zone (zone root /zone/web, hme0:1/ce0:1): web service project (Apache 1.3.22), crypto project (ssl), proxy project (proxy)
      > app_server zone (zone root /zone/app, hme0:2/ce0:2): jes project (j2se), app users project, system project (inetd, sshd)
      > database zone (zone root /zone/mysql, hme0:3/ce0:3): mysql project (mysqld), dba users project, system project (inetd, sshd)
    56. Zones
    • User-level commands:
      > zoneadm
      > zonecfg
      > zlogin
    • Starting from Solaris 10 8/07 (Update 4) each zone can have a shared or exclusive IP stack
      > An exclusive IP stack uses a dedicated network interface
      > Until the Crossbow project ships, you can use VLAN tagging to create more network interfaces
    57. Zones
    • Starting from Solaris 10 5/08 (Update 5) CPU capping can be applied to a zone
      > An 8-core system with 3 zones can assign CPU caps of 1.75, 1.75 and 4.50 (as 1.75 + 1.75 + 4.50 = 8.00)
      > In fact, the sum of all the CPU caps can be greater than the overall capacity of the system (i.e. resource overbooking)
    • Starting from Solaris 10 10/08 (Update 6) a default router can be assigned to shared-IP-stack zones
    58. Virtualize for Security
    59. Cryptographically Signed ELF Objects
    • ELF objects are cryptographically signed
      > binaries, libraries, kernel modules, crypto modules, etc.
        # file /usr/lib/ssh/sshd
        /usr/lib/ssh/sshd: ELF 32-bit MSB executable SPARC Version 1, dynamically linked, stripped
        # elfsign verify -e /usr/lib/ssh/sshd
        elfsign: verification of /usr/lib/ssh/sshd passed.
        # elfsign list -f signer -e /usr/bin/ls
        CN=SunOS 5.10, OU=Solaris Signed Execution, O=Sun Microsystems Inc
    • Cryptographic modules must be signed by Sun
      > The signature must be validated before the module can be loaded
      > Crypto modules will not load if they are not signed or have an invalid signature
    60. Service Management Facility
    • Provides a uniform mechanism to disable/manage services
      > e.g., svcadm [disable|enable] telnet
    • Supports alternative service profiles
      > e.g., the "Secure by Default" profile (since Solaris 10 11/06)
    • Leverages authorizations to manage/configure services
    • Defines the context that permits services to be started as a specific user and group and with specific privileges
    • Supports automatic service dependency resolution
      > e.g., svcadm enable -r nfs/client
    • Facilitates delegated service restarts
    61. SMF Example
        # svcprop -v -p start apache2
        start/exec astring /lib/svc/method/http-apache2\ start
        start/timeout_seconds count 60
        start/type astring method
        start/user astring webservd
        start/group astring webservd
        start/privileges astring basic,!proc_session,!proc_info,!file_link_any,net_privaddr
        start/limit_privileges astring :default
        start/use_profile boolean false
        start/supp_groups astring :default
        start/working_directory astring :default
        start/project astring :default
        start/resource_pool astring :default
    Example taken from the Sun BluePrint "Limiting Service Privileges in the Solaris 10 Operating System", http://www.sun.com/blueprints/0505/819-2680.pdf
    62. Solaris Secure By Default
    • Only Secure Shell is reachable by default
      > root use of Secure Shell is not permitted by default
    • Existing services are configured in SMF to either be:
      > Disabled by default
      > Listening for local (e.g., loopback) connections only
    • Configuration can be selected using the CLI or JumpStart:
      > netservices: open (traditional) or limited (SBD)
      > service_profile: open or limited_net
    • Default installation method in Nevada/OpenSolaris:
      > Solaris upgrades are not changed or impacted
      > Solaris 10 initial (fresh) installations can select SBD mode
    63. Solaris Secure By Default Example
        # netservices
        netservices: usage: netservices [ open | limited ]
        # netservices limited
        restarting syslogd
        restarting sendmail
        dtlogin needs to be restarted. Restart now? [Y] y
        restarting dtlogin
        # netstat -af inet -P tcp | grep LISTEN
        [...]
              *.sunrpc             *.*                0      0 49152      0 LISTEN
              *.ssh                *.*                0      0 49152      0 LISTEN
        localhost.smtp             *.*                0      0 49152      0 LISTEN
        localhost.submission       *.*                0      0 49152      0 LISTEN
    64. Password and Related Controls
    • Pluggable crypt
      > SHA-256, SHA-512, Sun MD5 (+ rounds), BSD MD5, Blowfish
    • Password complexity checks
      > Login name != password, white space permitted
      > Minimum characters by class: alphabetic, non-alphabetic, uppercase, lowercase, digits, special
      > Maximum consecutive repeating characters
      > Local banned password list (dictionary)
    • Password aging and history
    • Account lockout
    65. Password Management Example
        $ passwd gbrunett
        Enter existing login password:
        New Password:
        passwd: The password must contain at least 1 numeric or special character(s).
        Please try again
        New Password:
        passwd: The password must contain at least 1 uppercase alpha character(s).
        Please try again
        New Password:
        passwd: Too many consecutively repeating characters.  Maximum allowed is 3.
        Permission denied
        $ passwd gbrunett
        Enter existing login password:
        New Password:
        passwd: Password in history list.
    66. User Rights Management (Roles)
    • Solaris users versus roles
      > Roles can only be accessed by users already logged in
      > Users cannot assume a role unless authorized
        $ id -a
        uid=80(webservd) gid=80(webservd)
        $ roles
        No roles
        $ su - root
        Password:
        Roles can only be assumed by authorized users
        su: Sorry
    67. User Rights Management Example
        $ profiles -l
        Object Access Management:
                  /usr/bin/chgrp        privs=file_chown
                  /usr/bin/chmod        privs=file_owner
                  [...]
        [...]
        $ ls -ld mnt
        drwxr-xr-x   2 gbrunett gbrunett     512 Nov  7 12:54 mnt
        $ chown bin:bin mnt
        chown: mnt: Not owner
        $ pfexec chown bin:bin mnt
        $ ls -ld mnt
        drwxr-xr-x   2 bin      bin          512 Nov  7 12:54 mnt
    68. Process Privileges
    • The Solaris kernel checks for privileges and not just UID == 0!
      > Division of root authority into over 60 discrete privileges
      > Privileges can be granted to processes based on need
      > Privileges can be disabled or dropped when not needed
      > Child processes can have different (fewer) privileges than the parent
    • Completely backward compatible and extensible
      > No changes required to use existing code
    • Privilege bracketing helps to mitigate the effects of future flaws
      > e.g., proc_fork and proc_exec
      > e.g., proc_info
    69. Process Privilege Sets
    • E - Effective set: privileges in effect
    • P - Permitted set: upper bound of E
    • I - Inheritable set: privileges of executed programs
    • L - Limit set: upper bound for the process and all its descendants
    70. Process Privilege Inheritance
    • Limit (L) is unchanged
    • L is used to bound privileges in Inheritable (I)
      > I' = I ∩ L
    • Child's Permitted (P') and Effective (E') are:
      > P' = E' = I'
    • Typical process
      > P = E = I = {basic}
      > L = {all privileges}
      > Since P = E = I, children run with the same privileges
    71. Using Process Privileges
    • ppriv(1)
        # ppriv -e -D -s -proc_fork,-proc_exec /bin/sh -c finger
        sh[387]: missing privilege "proc_fork" (euid = 0, syscall = 143) needed at cfork+0x18
        /bin/sh: permission denied
    • User Rights Management (RBAC)
        # grep "Network Management" /etc/security/exec_attr
        Network Management:solaris:cmd:::/sbin/ifconfig:privs=sys_net_config
        Network Management:solaris:cmd:::/sbin/route:privs=sys_net_config
    • Service Management Facility (SMF)
        # svcprop -p start rpc/bind | grep privileges
        start/privileges astring basic,file_chown,file_chown_self,file_owner,net_privaddr,proc_setid,sys_nfs,net_bindmlp
        stop/limit_privileges astring :default
    • Privilege-aware commands / services
      > e.g., ping, rmformat, quota, rpcbind, nfsd, mountd
    72. Process Privileges Example
        $ ppriv $$
        28983:  bash
        flags = <none>
                E: basic
                I: basic
                P: basic
                L: all
        $ ppriv -l basic
        file_link_any
        proc_exec
        proc_fork
        proc_info
        proc_session
        $ ppriv -De cat /etc/shadow
        cat[3988]: missing privilege "file_dac_read" (euid = 101, syscall = 225) needed at ufs_iaccess+0xc9
        cat: cannot open /etc/shadow
        $ ppriv -s -proc_fork,-proc_exec -De /bin/vi
        [attempt to run a command / escape to a shell]
        vi[4180]: missing privilege "proc_fork" (euid = 101, syscall = 143) needed at cfork+0x3b
    73. Process Privileges Debugging
    • In the web_svc zone:
        # svcadm disable apache2
    • In the global zone:
        # privdebug -v -f -n httpd
    • In the web_svc zone:
        # svcadm enable apache2
    • Output of privdebug in the global zone:
        STAT    TIMESTAMP          PPID   PID    PRIV          CMD
        USED    273414882013890    4642   4647   net_privaddr  httpd
        USED    273415726182812    4642   4647   proc_fork     httpd
        USED    273416683669622    1      4648   proc_fork     httpd
        USED    273416689205882    1      4648   proc_fork     httpd
        USED    273416694002223    1      4648   proc_fork     httpd
        USED    273416698814788    1      4648   proc_fork     httpd
        USED    273416703377226    1      4648   proc_fork     httpd
    privdebug is available from the OpenSolaris Security Community, http://www.opensolaris.org/os/community/security/projects/privdebug/
    74. IP Filter
    • Stateful and stateless packet inspection (IPv4, IPv6)
    • Kernel-based packet filtering
    • Protocol proxies (TCP, UDP, FTP, rcmds, etc.)
    • Transparent proxy support
    • Text-based configuration
    • Support for both NAT and PAT
    • SYSLOG logging
    • Lightweight, small footprint, high performance
    75. Cryptographic Framework
    • Standards-based, pluggable framework
      > Kernel support as well as user-land (PKCS#11)
      > Supports administrative policies (e.g., FIPS 140 algorithms only)
    • By default, supports the major algorithms:
      > Encryption: AES, ECC, Blowfish, RC4, DES, 3DES, RSA
      > Digest: MD5, SHA-1, SHA-256, SHA-384, SHA-512
      > MAC: DES MAC, MD5 HMAC, SHA-1 HMAC, SHA-256 HMAC, SHA-384 HMAC, SHA-512 HMAC
      > Optimized for SPARC, Intel and AMD
    • The framework supports pluggable hardware/software providers:
      > e.g., UltraSPARC T1/T2 and the Sun Crypto Accelerator 6000
    76. Cryptographic Framework (architecture diagram)
    • Now the framework for cryptography is standardized and extensible. Your current cryptographic choices and any future technology can easily plug in and just work.
    • Consumers: Sun Java System Web Server (via NSS), the Java VM (via the Java JCE), the Apache web server (via OpenSSL), Java Enterprise System components and commercial applications
    • PKCS#11 consumer interface, then the Cryptographic Framework, then the PKCS#11 provider interface
    • Providers: the Sun software crypto plug-in (DES, 3DES, AES, Blowfish, RSA, MD5, SHA_, RC4) and hardware crypto accelerators (UltraSPARC T1, UltraSPARC T2, Sun Crypto Accelerator 6000)
    • Standards-based framework; same API, software or hardware; extensible for future technologies
    77. Basic Audit and Reporting Tool
    • File-level integrity validation tool:
      > Evaluates: uid, gid, permissions/acls, contents, mtime, size, type, etc.
      > Enables point-in-time comparison against a previous snapshot (manifest)
        # cat ./rules
        /etc
        CHECK all
        # find /etc | bart create -I > newManifest
        # bart compare -r ./rules ./oldManifest ./newManifest
        /etc/user_attr:
          size      control:28268  test:23520
          acl       control:user::rw-,group::rw-,mask:r-x,other:r--  test:user::rw-,group::rw-,mask:r-x,other:rw-
          contents  control:28dd3a3af2fcc103f422993de5b162f3  test:28893a3af2fcc103f422993de5b162f3
    Sun BluePrint "Automating File Integrity Checks", http://www.sun.com/blueprints/0305/819-2259.pdf
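What bart compare is doing on slide 77, reduced to its essentials in POSIX shell so the control/test comparison can be tried anywhere. This is an added example, not code from the presentation and not bart's own implementation: it records only path, CRC and size from cksum(1) per regular file (bart also tracks uid, gid, mode, acl, mtime and type and checksums contents with MD5), and the /etc-like tree that demo_bart builds in a temporary directory is constructed for the example. Paths are assumed to contain no whitespace.

```shell
#!/bin/sh
# Minimal control/test manifest comparison in the style of bart(1M) (added example, not bart's code).
# Records "path crc size" from cksum(1) for each regular file and reports added, deleted and
# changed files. The tree built by demo_bart is constructed; paths are assumed whitespace-free.

# manifest_create ROOT -> "path crc size" per regular file under ROOT, sorted by path
manifest_create() {
  ( cd "$1" && find . -type f -exec cksum {} + ) | awk '{ print $3, $1, $2 }' | sort
}

# manifest_compare CONTROL TEST -> one line per difference, in bart's control:/test: wording
manifest_compare() {
  awk '
    FILENAME == ARGV[1] { ctl[$1] = $2 " " $3; next }   # first file: the control manifest
    { tst[$1] = $2 " " $3 }                             # second file: the test manifest
    END {
      for (f in ctl) if (!(f in tst)) print f ": deleted"
      for (f in tst) {
        if (!(f in ctl)) print f ": added"
        else if (ctl[f] != tst[f]) print f ": contents control:" ctl[f] " test:" tst[f]
      }
    }
  ' "$1" "$2" | sort
}

# demo_bart: baseline an /etc-like tree, tamper with it, compare (prints the report)
demo_bart() {
  d=$(mktemp -d) || return 1
  mkdir -p "$d/etc"
  printf 'root:x:0:0\n'       > "$d/etc/passwd"
  printf 'hosts: files dns\n' > "$d/etc/nsswitch.conf"
  printf 'keep\n'             > "$d/etc/motd"
  manifest_create "$d" > "$d.control"                       # the "old" manifest
  printf 'root:x:0:0\nmallory:x:0:0\n' > "$d/etc/passwd"   # contents changed (extra uid-0 account)
  rm "$d/etc/motd"                                         # file deleted
  printf 'PermitRootLogin yes\n' > "$d/etc/sshd_config"    # file added
  manifest_create "$d" > "$d.test"                          # the "new" manifest
  manifest_compare "$d.control" "$d.test"
  rm -rf "$d" "$d.control" "$d.test"
}

demo_bart
```

As with bart, the control manifest is only as trustworthy as its storage: keep it off the host (or on read-only media) so an intruder who alters /etc cannot also rewrite the baseline.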
    78. Solaris Audit
    • Kernel auditing of system calls and administrative actions
      > Can record events happening in any zone (from the global zone)
      > Can also delegate audit configuration to local zone administrators
      > Can capture the complete command line and environment
      > Records the original (audit) ID as well as the current credentials
      > The audit trail can be formatted as text, XML, and/or delivered via syslog
    • Example (a failed su to root by user joe, in praudit text format):
        header,77,2,su,,tundra,2006-11-06 21:55:31.386 -08:00
        subject,joe,joe,other,joe,other,2444,1898931306, 12114 22 marduk
        text,root
        return,failure,Authentication failed
    Example adapted from the Sun BluePrint "Enforcing the Two-Person Rule Via Role-based Access Control in the Solaris 10 OS", http://www.sun.com/blueprints/0805/819-3164.pdf
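Detection logic over praudit-style text records of the kind shown on slide 78, added here as an example (not from the presentation or the BluePrint). It groups failed su attempts by the audit ID, the original login recorded in the subject token, together with the target user. The records are constructed, modelled on the slide's example, and include a subject whose current uid is a service account (webservd) to show that the audit ID still names the person behind the attempt.

```shell
#!/bin/sh
# Failed-su detection over praudit(1M) text output (added example; the records are constructed).
# praudit text fields used here (comma separated):
#   header,<len>,<ver>,<event>,<mod>,<host>,<time>
#   subject,<audit-id>,<uid>,<gid>,<ruid>,<rgid>,<pid>,<sid>,<tid>
#   text,<target user of su>
#   return,<success|failure>,<message or errno>
AUDIT_SAMPLE='header,77,2,su,,tundra,2006-11-06 21:55:31.386 -08:00
subject,joe,joe,other,joe,other,2444,1898931306, 12114 22 marduk
text,root
return,failure,Authentication failed
header,77,2,su,,tundra,2006-11-06 21:55:40.102 -08:00
subject,joe,joe,other,joe,other,2444,1898931306, 12114 22 marduk
text,root
return,failure,Authentication failed
header,79,2,su,,tundra,2006-11-06 21:56:02.517 -08:00
subject,alice,alice,staff,alice,staff,2501,1898931400, 12114 22 marduk
text,oper
return,success,0
header,82,2,su,,tundra,2006-11-06 21:57:10.000 -08:00
subject,mallory,webservd,webservd,webservd,webservd,2600,1898931500, 12114 23 marduk
text,root
return,failure,Authentication failed
header,80,2,login - ssh,,tundra,2006-11-06 21:58:00.000 -08:00
subject,bob,bob,other,bob,other,2700,1898931600, 0 0 marduk
return,failure,Authentication failed'

# failed_su_by_audit_id: reads records on stdin, prints "<audit-id> <target> <count>" sorted.
# A record starts at its header line; the event name is header field 4. Only su records with
# a failure return are counted, keyed by the audit ID (subject field 2), which stays the
# original login even though mallory's current uid here is webservd.
failed_su_by_audit_id() {
  awk -F, '
    $1 == "header"  { ev = $4; auser = ""; target = "" }
    $1 == "subject" { auser = $2 }
    $1 == "text"    { target = $2 }
    $1 == "return" && ev == "su" && $2 == "failure" { n[auser " " target]++ }
    END { for (k in n) print k, n[k] }
  ' | sort
}

# su_failures_over THRESHOLD: audit IDs with at least THRESHOLD failed su attempts on one target
su_failures_over() {
  failed_su_by_audit_id | awk -v t="$1" '$3 >= t { print $1, $2 }'
}

# run on the constructed sample
printf '%s\n' "$AUDIT_SAMPLE" | failed_su_by_audit_id
printf '%s\n' "$AUDIT_SAMPLE" | su_failures_over 2
```

On a live system the input is `praudit /var/audit/<file>` (or the syslog-delivered trail); the same grouping by audit ID rather than uid is what makes the two-person-rule BluePrint's role usage attributable after a user has assumed a role.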
    79. Solaris 10 10/08: System Support
    • Support for Intel's latest multicore Xeon processors
    • Improved support for Intel NUMA systems
    • Support for the latest Intel/AMD instruction set extensions
      > SSSE3, SSE4.1, SSE4.2, AMD SSE4A
    • Fault Management support for the Intel 5400 Northbridge, other x86 devices, and the e1000g and igb network controllers
    • NVIDIA SATA controller enhancements
    80. Next Steps
    > 1. Get Solaris: sun.com/solaris/get
    > 2. Get Involved: opensolaris.org | bigadmin.com | developers.sun.com/solaris
    > 3. Get Trained: sun.com/solaris/freetraining | Learning Paths: sun.com/training/solaris
    > 4. Get Data Sheets and White Papers: sun.com/solaris/reference_materials
    > 5. Get Started with Solaris Learning Centers: sun.com/solaris/teachme
    > 6. Get Current: sun.com/solaris/move | bigadmin.com/apps | bigadmin.com/hcl
    81. SOLARIS TECHNICAL WORKSHOP
    Danilo Poccia, danilo.poccia@sun.com, blogs.sun.com/danilop

    Uploaded by Danilo Poccia, 11 months ago
    © All Rights Reserved