JavaScript is required to for searching.
Skip Navigation Links
Exit Print View
Oracle Solaris 11 Security Guidelines     Oracle Solaris 11.1 Information Library
search filter icon
search icon

Document Information

Preface

1.  Overview of Oracle Solaris Security

2.  Configuring Oracle Solaris Security

Installing the Oracle Solaris OS

Securing the System

How to Verify Your Packages

How to Disable Unneeded Services

How to Remove Power Management Capability From Users

How to Place a Security Message in Banner Files

How to Place a Security Message on the Desktop Login Screen

Securing Users

How to Set Stronger Password Constraints

How to Set Account Locking for Regular Users

How to Set More Restrictive umask Value for Regular Users

How to Audit Significant Events in Addition to Login/Logout

How to Monitor lo Events in Real Time

How to Remove Unneeded Basic Privileges From Users

Securing the Kernel

Configuring the Network

How to Display a Security Message to ssh Users

How to Use TCP Wrappers

Protecting File Systems and Files

How to Limit the Size of the tmpfs File System

Protecting and Modifying Files

Securing Applications and Services

Creating Zones to Contain Critical Applications

Managing Resources in Zones

Configuring IPsec and IKE

Configuring IP Filter

Configuring Kerberos

Adding SMF to a Legacy Service

Creating a BART Snapshot of the System

Adding Multilevel (Labeled) Security

Configuring Trusted Extensions

Configuring Labeled IPsec

3.  Monitoring and Maintaining Oracle Solaris Security

A.  Bibliography for Oracle Solaris Security

Protecting File Systems and Files

ZFS file systems are lightweight and can be encrypted, compressed, and configured with reserved space and disk space limits.

The tmpfs file system can grow without bound. To prevent a denial of service (DOS) attack, complete How to Limit the Size of the tmpfs File System.

The following tasks configure a size limit for tmpfs and provide a glimpse of the protections that are available in ZFS, the default file system in Oracle Solaris. For additional information, see Setting ZFS Quotas and Reservations in Oracle Solaris 11.1 Administration: ZFS File Systems and the zfs(1M) man page.

Task
Description
For Instructions
Prevent DOS attacks by managing and reserving disk space.
Specifies the use of disk space by file system, by user or group, or by project.
Guarantee a minimum amount of disk space to a dataset and its descendants.
Guarantees disk space by file system, by user or group, or by project.
Encrypt data on a file system.
Protects a dataset with encryption and a passphrase to access the dataset at dataset creation.
Specify ACLs to protect files at a finer granularity than regular UNIX file permissions.
Extended security attributes can be useful in protecting files.

For a caution about using ACLs, see Hiding Within the Trees.

Limit the size of the tmpfs file system.
Prevents a malicious user from creating large files in /tmp to slow down the system.

How to Limit the Size of the tmpfs File System

The size of the tmpfs file system is not limited by default. Therefore, tmpfs can grow to fill the available system memory and swap. Because the /tmp directory is used by all applications and users, an application might occupy all available system memory. Similarly, an unprivileged user with malicious intent could cause a system slowdown by creating large files in the /tmp directory. To avoid a performance impact, you can limit the size of each tmpfs mount.

You might try several values to achieve best system performance.

Before You Begin

You must assume the root role. For more information, see How to Use Your Assigned Administrative Rights in Oracle Solaris 11.1 Administration: Security Services.

  1. Determine the amount of memory on your system.

    Note - The SPARC T3 series system that is used for the example in this procedure has a solid state disk (ssd) for faster I/O and has eight 279.40 MB disks. The system has around 500 GB of memory.


    # prtconf | head
    System Configuration:  Oracle Corporation  sun4v
    Memory size: 523776 Megabytes
    System Peripherals (Software Nodes):
    
    ORCL,SPARC-T3-4
        scsi_vhci, instance #0
            disk, instance #4
            disk, instance #5
            disk, instance #6
            disk, instance #8
  2. Compute a memory limit for tmpfs.

    Depending on the size of the system memory, you might want to compute a memory limit of around 20 percent for large systems and around 30 percent for smaller systems.

    So, for a smaller system, use .30 as the multiplier.

    10240M x .30 ≃ 340M

    For a larger system, use .20 as the multiplier.

    523776M x .20 ≃ 10475M
  3. Modify the swap entry in the /etc/vfstab file with the size limit.
    # pfedit /etc/vfstab
    #device       device       mount           FS      fsck    mount mount
    #to mount     to fsck      point           type    pass    at boot options
    #
    /devices      -            /devices        devfs   -       no      -
    /proc         -            /proc           proc    -       no      -
    ctfs          -            /system/contract ctfs   -       no      -
    objfs         -            /system/object  objfs   -       no      -
    sharefs       -            /etc/dfs/sharetab  sharefs -    no      -
    fd            -            /dev/fd         fd      -       no      -
    swap          -            /tmp            tmpfs   -       yes     -
    swap          -            tmpfs           -       yes     size=10400m
    /dev/zvol/dsk/rpool/swap   -      -        swap    -       no      - 
  4. Reboot the system.
    # reboot
  5. Verify that the size limit is in effect.
    # mount -v
    swap on /system/volatile type tmpfs 
    read/write/setuid/devices/rstchown/xattr/dev=89c0006 on Fri Sep 7 14:07:27 2012
    swap on /tmp type tmpfs 
    read/write/setuid/devices/rstchown/xattr/size=10400m/dev=89c0006 on Fri ...
  6. Monitor the memory usage and adjust it to the requirements of your site.

    The df command is somewhat useful. The swap command provides the most useful statistics.

    # df -h /tmp
    Filesystem Size Used Available Capacity Mounted on
    swap          7.  4G     44M    7.4G 1%       /tmp
    
    # swap -s
    total: 190248k bytes allocated + 30348k reserved = 220596k used,
    7743780k available 

    For more information, see the tmpfs(7FS), mount_tmpfs(1M), df(1M), and swap(1M) man pages.