Running Linux Guest in less than CP Privilege Class G

An IBM Redpaper publication



Abstract

This paper provides guidance for hardening a z/VM system running Linux virtual machines in a hostile environment. Access to specific CP commands and resources is granted to a VM user based on the privilege classes assigned to that user. Good security practice dictates that a VM user should be granted as low a privilege class as possible. Linux virtual machines typically run in the lowest default CP privilege class (class G). z/VM allows a system administrator to create a user-defined privilege class and to add specific CP commands to that privilege class. In this Redpaper, we identify the CP commands and diagnose codes required to run Linux in a virtual machine. We then discuss a procedure to create a user-defined privilege class that has access only to those commands and diagnose codes required to run Linux guests. This privilege class has access to fewer commands and diagnose codes than the default class G.

Table of contents

Introduction
Interaction with CP
Communication between virtual machines
Additional z/VM resources
An alternative approach
Sample MODIFY statements for the default z/VM 4.4 installation




Profile

Publish Date
25 May 2004

Last Update
11 June 2004




Author(s)

IBM Form Number
REDP-3870-00