CA ControlMinder protects Solaris 10 zones in the same way it protects any computer. Each zone is protected in isolation from any other zones, with each rule you define in CA ControlMinder applying only to users working in that zone. Rules you apply in the global zone, even those that cover resources that are visible in a non-global zone, only apply to users who access them from the global zone.
Note: Make sure you protect non-global zone resources in both the non-global and the global zone as necessary.
Example: Global Zone Rules and Non-Global Zone Rules
In the following example, we define rules to protect a non-global zone (myZone1) file. All system files are always visible from the global zone.
The file we want to protect is /myZone1/root/bin/kill (path from global zone). To protect this file, we define the following CA ControlMinder rules:
Rules entered in the global zone (the file is addressed by its global-zone path):

nu admin_pers owner(nobody)
nr FILE /myZone1/root/bin/kill defaccess(none) owner(nobody)
authorize FILE /myZone1/root/bin/kill uid(admin_pers) access(all)

Rules entered in the non-global zone myZone1 (the same file, addressed by the path users inside the zone see):

nu admin_pers owner(nobody)
nr FILE /bin/kill defaccess(none) owner(nobody)
authorize FILE /bin/kill uid(admin_pers) access(all)
Using these rules in both the global and non-global zones, we defined a user (admin_pers), defined our file as a resource to be protected, and authorized our user to access the file. Both sets are needed: the global-zone rules do not apply to users working inside myZone1, and the in-zone rules do not apply to a global-zone user who reaches the same file through /myZone1/root/bin/kill. Defining the rules in only one zone leaves the file exposed from the other.
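The following Python script is an added example, not CA ControlMinder code or anything shipped with the product. It does two things a practitioner wants when applying the rule above to more than one file: it generates the paired global-zone and non-global-zone selang rules for a given in-zone path, and it audits an existing pair of rule lists to report any file protected in the global zone whose in-zone counterpart is missing (the exposure the note above warns about). The zone root /myZone1/root, the user admin_pers and the rule lists are taken from or modelled on the page's example; the second protected file (/usr/sbin/reboot) and the global-only rule for /etc/passwd are constructed sample input. Rule lines are assumed to be plain selang text in the form shown above; the script does not run selang itself.

```python
"""Cross-check CA ControlMinder selang FILE rules across a Solaris 10 zone boundary.

Added example (not CA's code). Assumes rules are selang lines of the form shown
on the page and that a zone's files appear under <zone root> in the global zone.
"""
import re

# Matches "nr FILE <path> ..." and "authorize FILE <path> ..." selang lines;
# "nu ..." user definitions carry no path and are deliberately not matched.
_FILE_RULE = re.compile(r"^\s*(nr|authorize)\s+FILE\s+(\S+)(.*)$", re.IGNORECASE)


def zone_rule_pair(zone_root, in_zone_path, user, access="all"):
    """Return (global_rules, zone_rules) protecting one zone file from both sides.

    zone_root is the zone's root as seen from the global zone (e.g. /myZone1/root);
    in_zone_path is the path users inside the zone see (e.g. /bin/kill).
    """
    global_path = zone_root.rstrip("/") + in_zone_path

    def rules_for(path):
        return [
            f"nu {user} owner(nobody)",
            f"nr FILE {path} defaccess(none) owner(nobody)",
            f"authorize FILE {path} uid({user}) access({access})",
        ]

    return rules_for(global_path), rules_for(in_zone_path)


def file_rule_paths(rules):
    """Set of FILE resource paths named by nr/authorize rules in a rule list."""
    paths = set()
    for line in rules:
        m = _FILE_RULE.match(line)
        if m:
            paths.add(m.group(2))
    return paths


def unprotected_in_zone(zone_root, global_rules, zone_rules):
    """In-zone paths covered by a global-zone FILE rule but by no in-zone rule.

    Such files are reachable by users working inside the zone with no
    ControlMinder rule applying to them. Global-zone rules for paths outside
    the zone root (e.g. /etc/passwd of the global zone) are ignored.
    """
    root = zone_root.rstrip("/") + "/"
    zone_paths = file_rule_paths(zone_rules)
    missing = set()
    for gpath in file_rule_paths(global_rules):
        if gpath.startswith(root):
            in_zone = "/" + gpath[len(root):]
            if in_zone not in zone_paths:
                missing.add(in_zone)
    return sorted(missing)


# Constructed sample input: the page's rules for /bin/kill, plus a second file
# (/usr/sbin/reboot) that was protected only in the global zone by mistake, and
# a global-only rule that is not under the zone root at all.
ZONE_ROOT = "/myZone1/root"
SAMPLE_GLOBAL_RULES = [
    "nu admin_pers owner(nobody)",
    "nr FILE /myZone1/root/bin/kill defaccess(none) owner(nobody)",
    "authorize FILE /myZone1/root/bin/kill uid(admin_pers) access(all)",
    "nr FILE /myZone1/root/usr/sbin/reboot defaccess(none) owner(nobody)",
    "authorize FILE /myZone1/root/usr/sbin/reboot uid(admin_pers) access(all)",
    "nr FILE /etc/passwd defaccess(read) owner(nobody)",
]
SAMPLE_ZONE_RULES = [
    "nu admin_pers owner(nobody)",
    "nr FILE /bin/kill defaccess(none) owner(nobody)",
    "authorize FILE /bin/kill uid(admin_pers) access(all)",
]


def audit_sample():
    """Run the audit over the constructed sample; returns the exposed in-zone paths."""
    return unprotected_in_zone(ZONE_ROOT, SAMPLE_GLOBAL_RULES, SAMPLE_ZONE_RULES)


if __name__ == "__main__":
    g, z = zone_rule_pair(ZONE_ROOT, "/usr/sbin/reboot", "admin_pers")
    print("# global zone\n" + "\n".join(g))
    print("# non-global zone myZone1\n" + "\n".join(z))
    print("exposed inside zone:", audit_sample())
```

The generated lines can be saved to a file per zone and fed to selang in that zone; the audit only needs the two rule lists exported as text. The root-prefix check is the whole trick: a path is a zone resource exactly when it sits under the zone root as seen from the global zone, so stripping that prefix yields the path an in-zone rule must name.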
Copyright © 2013 CA Technologies.
All rights reserved.