CHAPTER 2

SMS Security

This chapter provides a brief overview of security as it pertains to SMS and the Sun Fire 15K server system.

The Sun Fire 15K platform hardware can be partitioned into one or more environments capable of running separate images of the Solaris operating environment. These environments are called dynamic system domains (DSDs) or domains.

A domain is logically equivalent to a physically separate server. The Sun Fire 15K hardware has been designed to enforce strict separation of the domain environments. This means that, except for errors in hardware shared by multiple domains, no hardware error in one domain affects another. In order for domains to act like separate servers, Sun Fire software was designed and implemented to enforce strict domain separation.

SMS provides services to all DSDs. In providing those services, no data obtained from one client DSD is leaked into data observable by another. This is particularly true for sensitive data such as buffers of console characters (including administrator passwords) or potentially sensitive data such as I/O buffers containing client DSD-owned data.

SMS limits administrator privilege to control the extent of damage that can occur due to administrator error, as well as to limit the exposure to damage caused by an external attack on a system password.


Security

The security techniques that separate the data for the different domains revolve around implicit and explicit data labeling, so that it is clear which data can be mixed (data pertaining to a single domain) and which cannot (data from different domains).

The lowest level of security that supports these label-based data separation techniques is equivalent to a B1 rating on the National Security Agency-defined security rating scale.


Administration Models

SMS splits domain and platform administrative privileges. It is possible to assign separate administrative privileges for system management over each domain and for system management over the entire platform. There is also a subset of privileges available for platform operator and domain configurator-class users. Administrative privileges are granted so that audits can identify the individual who initiated any action.

SMS uses site-established Solaris user accounts and grants administrative privileges to those accounts through the use of Solaris group memberships. This allows a site considerable flexibility with respect to creating and consolidating default privileges. For example, by assigning the same Solaris group to represent the administrator privilege for more than one domain, groups of domains can be administered by one set of domain administrators.

It also allows the site considerable flexibility in assigning multiple administrative roles to individual administrators. A single user account with group membership in the union of all configured administrative privilege groups can be set up.
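The following is an added example, not part of the Sun Fire 15K SMS documentation, showing how a site could audit which SMS administrative roles a Solaris account holds from its group memberships, using the group names this chapter describes (platadmn, platoper, platsvc, dmn[domain_id]admn and dmn[domain_id]rcfg, with domain_id a through r). The group file contents, the account names and the functions sms_roles_for and holds_platform_and_domain_admin are constructed for this example; on a real SC the script would be pointed at the system's group database instead of the sample file.

```shell
#!/bin/sh
# Added example (not from the SMS documentation): map an account's Solaris group
# memberships to the SMS administrative roles described in this chapter.

# Constructed sample group file in /etc/group format (name:password:gid:members).
SAMPLE_GROUP_FILE="${TMPDIR:-/tmp}/sms_group_sample.$$"
cat > "$SAMPLE_GROUP_FILE" <<'EOF'
root::0:
platadmn::100:alice
platoper::101:bob,carol
platsvc::102:svc
dmnaadmn::110:dave,alice
dmnarcfg::111:erin
dmnbadmn::112:dave
dmnbrcfg::113:
EOF

# sms_roles_for USER GROUPFILE (hypothetical helper): print one SMS role per line
# for USER, e.g. "platform administrator" or "domain a administrator".
sms_roles_for() {
    _user=$1
    _file=$2
    awk -F: -v u="$_user" '
    {
        n = split($4, members, ",")
        for (i = 1; i <= n; i++) {
            if (members[i] != u) continue
            g = $1
            if (g == "platadmn") print "platform administrator"
            else if (g == "platoper") print "platform operator"
            else if (g == "platsvc") print "platform service"
            else if (g ~ /^dmn[a-r]admn$/) print "domain " substr(g, 4, 1) " administrator"
            else if (g ~ /^dmn[a-r]rcfg$/) print "domain " substr(g, 4, 1) " configurator"
        }
    }' "$_file"
}

# holds_platform_and_domain_admin USER GROUPFILE (hypothetical helper): succeed
# (exit status 0) when USER consolidates platform administrator privilege with
# administrator privilege over at least one domain, so a site can review
# accounts that hold the union of roles rather than a single one.
holds_platform_and_domain_admin() {
    _roles=$(sms_roles_for "$1" "$2")
    echo "$_roles" | grep -q '^platform administrator$' &&
        echo "$_roles" | grep -q '^domain [a-r] administrator$'
}

# Usage: list the roles held by the constructed account "alice".
sms_roles_for alice "$SAMPLE_GROUP_FILE"
```

The role mapping is driven purely by group name patterns, so a site that assigns one Solaris group to represent the administrator privilege for several domains, as the text above describes, will see that group's members reported once per matching group name; the consolidation check then makes such overlaps visible for audit review.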

The platform administrator has control over the platform hardware. Limitations have been established with respect to controlling the hardware used by a running domain, but ultimately the platform administrator can shut down a running domain by powering off server hardware.

Each domain administrator has access to the Solaris console for that domain and the privilege to exert control over the software that runs in the domain or over the hardware assigned to the domain.

Levels of each type of administrative privilege provide a subset of status and monitoring privileges to a platform operator or domain configurator.

SMS provides an administrative privilege that grants access to functions provided exclusively for servicing the product in the field.

Administrative privilege configuration can be changed at will, by the superuser, using smsconfig -g without the need to stop or restart SMS.

SMS implements Solaris access control list (ACL) software to configure directory access for SMS groups using the -a and -r options of the smsconfig command. ACLs restrict access to platform and domain directories, providing file system security. For information on ACLs, refer to the Solaris 9 System Administration Guide: Security Services.

Platform Administrator Group

The group identified as the platform administrator (platadmn) group provides configuration control, a means to get environmental status, the ability to assign boards to domains, power control, and other generic service processor functions. In short, the platform administrator group has all platform privileges excluding domain control and access to installation and service commands (FIGURE 2-1).

FIGURE 2-1 Platform Administrator Privileges

Platform Operator Group

The platform operator (platoper) group has a subset of platform privileges. This group has no platform control other than being able to perform power control. Therefore, this group is limited to platform power and status privileges (FIGURE 2-2).

FIGURE 2-2 Platform Operator Privileges

Platform Service Group

The platform service (platsvc) group possesses platform service command privileges in addition to limited platform control and platform configuration status privileges (FIGURE 2-3).

FIGURE 2-3 Platform Service Privileges

Domain Administrator Group

The domain administrator (dmn[domain_id]admn) group provides the ability to access the console of its respective domain as well as perform other operations that affect, directly or indirectly, the respective domain. Therefore, the domain administrator group can perform domain control, domain status, and console access, but cannot perform platform-wide control or platform resource allocation (FIGURE 2-4).

There are 18 possible Sun Fire domains, A-R, identified by domain_id. Therefore, there are 18 domain administrator groups, each providing strict access over their respective domains.

FIGURE 2-4 Domain Administrator Privileges

Domain Configuration Group

The domain configuration (dmn[domain_id]rcfg) group has a subset of domain administration group privileges. This group has no domain control other than being able to power control boards in its domain or (re)configure boards into or from its domain (FIGURE 2-5).

There are 18 possible Sun Fire domains identified by domain_ids. Therefore, there are 18 domain configuration groups, each allowing strict access over their respective domains.

FIGURE 2-5 Domain Configurator Privileges

Superuser Privileges

The superuser privileges are limited to installation, help, and status privileges (FIGURE 2-6).

FIGURE 2-6 Superuser Privileges

All Privileges

The following is a list of all group privileges.

TABLE 2-1 All Group Privileges

| Command | Platform Administrator | Platform Operator | Domain Administrator | Domain Configurator | Platform Service | Superuser |
|---|---|---|---|---|---|---|
| addboard | See note 1 | No | See note 2 | See note 2 | No | No |
| addtag | Yes | No | No | No | No | No |
| cancelcmdsync | Yes | Yes | Yes | Yes | Yes | No |
| console | No | No | Yes (for own domain) | No | No | No |
| deleteboard | See note 3 | No | See note 2 | See note 2 | No | No |
| deletetag | Yes | No | No | No | No | No |
| disablecomponent | Yes (platform only) | No | Yes (for own domain) | Yes (for own domain) | No | No |
| enablecomponent | Yes (platform only) | No | Yes (for own domain) | Yes (for own domain) | No | No |
| flashupdate | Yes | No | Yes (for own domain) | No | No | No |
| help | Yes | Yes | Yes | Yes | Yes | Yes |
| initcmdsync | Yes | Yes | Yes | Yes | Yes | No |
| moveboard | See note 4 | No | See note 5 | See note 5 | No | No |
| poweron | Yes | No | Yes (for own domain) | Yes (for own domain) | No | No |
| poweroff | Yes | No | Yes (for own domain) | Yes (for own domain) | No | No |
| rcfgadm | See note 6 | No | See note 2 | See note 2 | No | No |
| reset | No | No | Yes (for own domain) | No | No | No |
| resetsc | Yes | No | No | No | No | No |
| runcmdsync | Yes | Yes | Yes | Yes | Yes | No |
| savecmdsync | Yes | Yes | Yes | Yes | Yes | No |
| setbus | Yes | No | Yes (for own domain) | Yes (for own domain) | No | No |
| setdatasync | Yes | Yes | Yes | Yes | Yes | No |
| setdate | Yes | No | Yes (for own domain) | No | No | No |
| setdefaults | Yes | No | Yes (for own domain) | No | No | No |
| setfailover | Yes | No | No | No | No | No |
| setkeyswitch | No | No | Yes (for own domain) | No | No | No |
| setobpparams | No | No | Yes (for own domain) | Yes (for own domain) | No | No |
| setupplatform | Yes | No | No | No | No | No |
| showboards | Yes | Yes | Yes (for own domain) | Yes (for own domain) | Yes | No |
| showbus | Yes | Yes | Yes (for own domain) | Yes (for own domain) | Yes | No |
| showcmdsync | Yes | Yes | Yes | Yes | Yes | No |
| showcomponent | Yes | Yes | Yes (for own domain) | Yes (for own domain) | Yes | No |
| showdatasync | Yes | Yes | Yes | Yes | Yes | No |
| showdate | Yes (platform only) | Yes (platform only) | Yes (for own domain) | Yes (for own domain) | Yes (platform only) | No |
| showdevices | No | No | Yes (for own domain) | Yes (for own domain) | No | No |
| showenvironment | Yes | Yes | Yes (for own domain) | Yes (for own domain) | Yes | No |
| showfailover | Yes | Yes | No | No | Yes | No |
| showkeyswitch | Yes | Yes | Yes (for own domain) | Yes (for own domain) | Yes | No |
| showlogs | Yes (platform only) | Yes (platform only) | Yes (for own domain) | Yes (for own domain) | Yes (platform only) | No |
| showobpparams | No | No | Yes (for own domain) | Yes (for own domain) | No | No |
| showplatform | Yes | Yes | Yes (for own domain) | Yes (for own domain) | Yes | No |
| showxirstate | No | No | Yes (for own domain) | No | No | No |
| smsbackup | No | No | No | No | No | Yes |
| smsconfig | No | No | No | No | No | Yes |
| smsconnectsc | Yes | No | No | No | No | No |
| smsrestore | No | No | No | No | No | Yes |
| smsversion | No | No | No | No | No | Yes |

Note 1: A user with only platform administrator privileges can perform only -c assign.

Note 2: Users with only domain X administrator privileges, or only domain X configurator privileges, can execute this command on their respective domain. If the board(s) are not already assigned to the domain, the board(s) must be in the available component list of that domain.

Note 3: A user with only platform administrator privileges can perform -c unassign only if the board(s) are in the assigned state and not active in a running domain.

Note 4: A user with only platform administrator privileges can perform -c assign only if the board is in the assigned state and not active in the domain the board is being removed from.

Note 5: Users must belong to both domains affected. If the board(s) are not already assigned to the domain the board(s) are being moved into, the board(s) must be in the available component list of that domain.

Note 6: A user with only platform administrator privileges can perform -x assign. The user can execute -x unassign only if the board(s) are in the assigned state and not active in a running domain.



Network Connections for Administrators

The nature of the Sun Fire 15K physical architecture, with an embedded system controller, as well as the supported administrative model (with multiple administrative privileges, and hence multiple administrators), dictates that an administrator use a remote network connection (from a workstation) to access SMS command interfaces to manage the Sun Fire 15K system.

Since the administrators will be providing information to verify their identity (passwords) and may possibly need to display sensitive data, it is important that the remote network connection be secure. Physical separation of the administrative networks provides security on the Sun Fire 15K system. Multiple external physical network connections are available on each SC. SMS supports up to six external network communities. As of this release, two external physical network connections are supported.

For more information, see Management Network Services.