5. Disable unnecessary services.
6. Reboot the Container to verify correct operation without those services.
7. Shut down the Container.
Limit the Container's ability to do undesirable things:
1. Remove unnecessary privileges with the set limitpriv subcommand of
zonecfg(1M). This step must be performed after turning off unnecessary
services from within the Container. Some services that we will disable require
privileges that will be removed. During the first boot, if a service lacks the
privileges it needs, it will fail. Its failure might prevent the Container from
booting properly.
2. Identify necessary privileges with privdebug (available at opensolaris.org).
Add nondefault privileges to the Container so that it can fulfill its role.
3. Configure the Container with access to appropriate network interfaces. If
possible, this step should be performed after services and privileges have
been removed to prevent someone from attacking the system while it is in
the midst of being hardened.
4. Configure the Solaris IP Filter as necessary to prevent unwanted network
access. IP filter settings for a Container using shared-IP access are configured
from the global zone. An exclusive-IP Container manages its own IP filter
settings. This example uses shared-IP network access.
5. Boot the Container.
6. Configure the Container to run the application.
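As an added example (not code from the original text), the shell functions below compose the limitpriv value described in steps 1 and 2 and print the zonecfg command to run from the global zone. The function names and the privileges chosen (sys_time added, proc_info and sys_nfs removed) are illustrative assumptions; only the zone name timelord comes from this page.

```shell
#!/bin/sh
# Added example. Zone name "timelord" is from the page; the function names
# and the privileges chosen at the bottom are illustrative assumptions.
ZONE=timelord

# valid_priv NAME: accept only lowercase words joined by underscores, so a
# stray character cannot smuggle extra zonecfg syntax into the property.
valid_priv() {
    case "$1" in
        ""|*[!a-z_]*|_*|*_) return 1 ;;
    esac
    return 0
}

# build_limitpriv "ADD ..." "DROP ..."
# ADD:  nondefault privileges the service needs (for example, found with privdebug).
# DROP: privileges to remove from the default set.
# "default" stays first so it expands to the standard zone privilege set.
build_limitpriv() {
    spec=default
    for p in $1; do
        valid_priv "$p" || { echo "bad privilege name: $p" >&2; return 1; }
        spec="$spec,$p"
    done
    for p in $2; do
        valid_priv "$p" || { echo "bad privilege name: $p" >&2; return 1; }
        # Refuse to remove a privilege that was listed as needed.
        case " $1 " in
            *" $p "*) echo "needed and removed: $p" >&2; return 1 ;;
        esac
        spec="$spec,!$p"
    done
    printf '%s\n' "$spec"
}

# zonecfg_command ZONE SPEC: print the global-zone command for review.
# Single quotes keep an interactive shell from interpreting the "!".
zonecfg_command() {
    printf "zonecfg -z %s 'set limitpriv=\"%s\"'\n" "$1" "$2"
}

# Constructed choice: grant sys_time, remove proc_info and sys_nfs.
spec=$(build_limitpriv "sys_time" "proc_info sys_nfs") &&
    zonecfg_command "$ZONE" "$spec"
```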
8.7.3 Implementing Hardened Containers
Chapter 6 discussed the commands that create and boot a Container. The
commands in this example assume that the Container already exists and was
configured with the following commands:
GZ# zonecfg -z timelord
zonecfg:timelord> create
zonecfg:timelord> set zonepath=/zones/roots/timelord
zonecfg:timelord> exit
After the Container has been booted and halted once, you can disable unneeded
Oracle Solaris services. The svcadm command makes that easy, but an even easier
method is available: The netservices(1M) command enables or disables all