Another good document from Glenn Brunette. Privilege bracketing for a process allows you to :
1. drop any privileges that it will never need;
2. enable the remaining privileges exactly when it needs them;
3. relinquishe the use of privileges when they are no longer needed
The previous sfpDB blueprint has now been updated to Solaris 10. It adds the ability to check the signatures of now signed ELF binary objects ( man elfsign ), the use of the digest command instead of the (downloaded) md5 command, and few words about BART, the Basic Audit & Reporting Tool, whose integration with the sfpDB is described in another blueprint document.
Another great LDAP-related blueprint document by Michael Haines. Moving away from NIS and welcoming LDAP without being too scared thanks to NIS-2-LDAP technique.
This Sun BluePrints article demonstrates how the combination of the Solaris 10 Operating System and the UltraSPARC T1 processor can be used to create a high performance, secure Web site. It provides a brief overview of SSL technology, as well as an introduction to the Solaris Cryptographic Framework. Configuration details are included for common security applications, such as Apache, the Sun Java System Web Server, and secure Java technology applications, enabling these programs to utilize NCP and KSSL technology. A performance study of secure Web applications is also included.
Finally a document aggregates the SMF information that was disseminated everywhere on the internet. This very good document from Rob Romack covers the following topic :
- SMF basics
- SMF components
- Example SMF Manifest for a new service, including a description of all the existing attributes ( require_all, … )
- SMF at boot time + SMF and milestones (the one area that will likely trigger a bunch of calls to Sun Support )
- The funny demonstration of the fact that the SMF engine is tracking services with cycling dependencies
- An original use of the dependency system that would allow somebody to login as root only if the configured name service is not available
T: SMF, OpenSolaris, Solaris 10
A new blueprint document from Glenn Brunette of Sun that describes a number of ways to find out which privilege is required to run a certain application as user “whatever”. Besides the known option of the ppriv command, the privdebug perl script uses DTrace to provide easy observation.
The author then uses privdebug to find out how to build the list of required privileges to start Apache as user “whatever”, be it in the Global zone or in non-global zones. A good document to learn about privileges.
View the document
The privdebug script at OpenSolaris
This blueprint document describes a particular methodology using zones and resource pools to consolidate multiple web servers on a single Sun Fire T1000 server, particularly well adapted to this kind of workload. As usual, it includes a step-by-step process to have everything working. In addition, considerations about the Apache webserver compilation and optimization as well as some benchmarking make it an interesting read.
T: Zones
A hole is now filled. SMF & RBAC authorizations article was written because of the lack of official documentation around the topic. It was released as an extra exercise for interested people. This blueprint has the additional objective of defining each authorization related to SMF. Together with the typical Apache2 exercise, it gives valuable hints as how to delegate the administration of services to some of your users / co-admins.
An original use of Zones. Ressource Management is the main point here, together with traceability.
View the document