Solaris Trusted Extensions Administrator's Procedures
Book Information
Index
Preface
Part I Initial Configuration of Trusted Extensions
Chapter 1 Security Planning for Trusted Extensions
Planning for Security in Trusted Extensions
Understanding Trusted Extensions
Understanding Your Site's Security Policy
Devising an Administration Strategy for Trusted Extensions
Devising a Label Strategy
For International Customers of Trusted Extensions
Planning System Hardware and Capacity for Trusted Extensions
Planning Your Trusted Network
Planning for Zones in Trusted Extensions
Trusted Extensions Zones and Solaris Zones
Zone Creation in Trusted Extensions
Planning for Multilevel Access
Planning for the LDAP Naming Service in Trusted Extensions
Planning for Auditing in Trusted Extensions
Planning User Security in Trusted Extensions
Devising a Configuration Strategy for Trusted Extensions
Collecting Information Before Enabling Trusted Extensions
Backing Up the System Before Enabling Trusted Extensions
Results of Enabling Trusted Extensions From an Administrator's Perspective
Chapter 2 Configuration Roadmap for Trusted Extensions
Task Map: Preparing a Solaris System for Trusted Extensions
Task Map: Preparing For and Enabling Trusted Extensions
Task Map: Configuring Trusted Extensions
Chapter 3 Adding Solaris Trusted Extensions Software to the Solaris OS (Tasks)
Initial Setup Team Responsibilities
Installing or Upgrading the Solaris OS for Trusted Extensions
Install a Solaris System to Support Trusted Extensions
Prepare an Installed Solaris System for Trusted Extensions
Collecting Information and Making Decisions Before Enabling Trusted Extensions
Collect System Information Before Enabling Trusted Extensions
Make System and Security Decisions Before Enabling Trusted Extensions
Enabling the Solaris Trusted Extensions Service
Enable Solaris Trusted Extensions
Chapter 4 Configuring Trusted Extensions (Tasks)
Setting Up the Global Zone in Trusted Extensions
Check and Install Your Label Encodings File
Enable IPv6 Networking in Trusted Extensions
Configure the Domain of Interpretation
Reboot and Log In to Trusted Extensions
Initialize the Solaris Management Console Server in Trusted Extensions
Make the Global Zone an LDAP Client in Trusted Extensions
Creating Labeled Zones
Run the txzonemgr Script
Create the First Labeled Zone
Configure the Network Interfaces in Trusted Extensions
Clone the First Zone in Trusted Extensions
Verify the Status of the Public Zone
Create a Zone From the Snapshot
Activate Two Zone Workspaces
Adding Network Interfaces and Routing to Labeled Zones
Add a Network Interface to Route an Existing Labeled Zone
Add a Network Interface That Does Not Use the Global Zone to Route an Existing Labeled Zone
Configure a Name Service Cache in Each Labeled Zone
Creating Roles and Users in Trusted Extensions
Create Rights Profiles That Enforce Separation of Duty
Create the Security Administrator Role in Trusted Extensions
Create a Restricted System Administrator Role
Create Users Who Can Assume Roles in Trusted Extensions
Verify That the Trusted Extensions Roles Work
Enable Users to Log In to a Labeled Zone
Creating Home Directories in Trusted Extensions
Create the Home Directory Server in Trusted Extensions
Enable Users to Access Their Home Directories in Trusted Extensions
Adding Users and Hosts to an Existing Trusted Network
Add an NIS User to the LDAP Server
Troubleshooting Your Trusted Extensions Configuration
netservices limited Was Run After Trusted Extensions Was Enabled
Labeled Zone Is Unable to Access the X Server
Additional Trusted Extensions Configuration Tasks
How to Copy Files to Portable Media in Trusted Extensions
How to Copy Files From Portable Media in Trusted Extensions
How to Remove Trusted Extensions From the System
Chapter 5 Configuring LDAP for Trusted Extensions (Tasks)
Configuring an LDAP Server on a Trusted Extensions Host (Task Map)
Configuring an LDAP Proxy Server on a Trusted Extensions Host (Task Map)
Configuring the Sun Java System Directory Server on a Trusted Extensions System
Collect Information for the Directory Server for LDAP
Install the Sun Java System Directory Server
Configure the Logs for the Sun Java System Directory Server
Configure a Multilevel Port for the Sun Java System Directory Server
Populate the Sun Java System Directory Server
Creating a Trusted Extensions Proxy for an Existing Sun Java System Directory Server
Create an LDAP Proxy Server
Configuring the Solaris Management Console for LDAP (Task Map)
Register LDAP Credentials With the Solaris Management Console
Enable the Solaris Management Console to Accept Network Communications
Edit the LDAP Toolbox in the Solaris Management Console
Verify That the Solaris Management Console Contains Trusted Extensions Information
Chapter 6 Configuring a Headless System With Trusted Extensions (Tasks)
Headless System Configuration in Trusted Extensions (Task Map)
Enable Remote Login by root User in Trusted Extensions
Enable Remote Login by a Role in Trusted Extensions
Enable Remote Login From an Unlabeled System
Use a Remote Solaris Management Console to Administer in the Files Scope
Enable the Remote Display of Administrative GUIs
Use the rlogin or ssh Command to Log In and Administer a Headless System in Trusted Extensions
Part II Administration of Trusted Extensions
Chapter 7 Trusted Extensions Administration Concepts
Trusted Extensions Software and the Solaris OS
Similarities Between Trusted Extensions and the Solaris OS
Differences Between Trusted Extensions and the Solaris OS
Multiheaded Systems and the Trusted Extensions Desktop
Basic Concepts of Trusted Extensions
Trusted Extensions Protections
Trusted Extensions and Access Control
Roles and Trusted Extensions
Labels in Trusted Extensions Software
Dominance Relationships Between Labels
Administrative Labels
Label Encodings File
Label Ranges
Account Label Range
Session Range
What Labels Protect and Where Labels Appear
Chapter 8 Trusted Extensions Administration Tools
Administration Tools for Trusted Extensions
txzonemgr Script
Device Manager
Solaris Management Console Tools
Trusted Extensions Tools in the Solaris Management Console
Security Templates Tool
Trusted Network Zones Tool
Client-Server Communication With the Solaris Management Console
Solaris Management Console Documentation
Label Builder in Trusted Extensions
Command Line Tools in Trusted Extensions
Configuration Files in Trusted Extensions
Remote Administration in Trusted Extensions
Chapter 9 Getting Started as a Trusted Extensions Administrator (Tasks)
Security Requirements When Administering Trusted Extensions
Role Creation in Trusted Extensions
Role Assumption in Trusted Extensions
Getting Started as a Trusted Extensions Administrator (Task Map)
How to Enter the Global Zone in Trusted Extensions
How to Exit the Global Zone in Trusted Extensions
How to Administer the Local System With the Solaris Management Console
How to Edit Administrative Files in Trusted Extensions
Chapter 10 Security Requirements on a Trusted Extensions System (Overview)
Configurable Solaris Security Features
Trusted Extensions Interfaces for Configuring Security Features
Extension of Solaris Security Mechanisms by Trusted Extensions
Trusted Extensions Security Features
Security Requirements Enforcement
Users and Security Requirements
Email Usage
Password Enforcement
Information Protection
Password Protection
Group Administration
User Deletion Practices
Rules When Changing the Level of Security for Data
sel_config File
Chapter 11 Administering Security Requirements in Trusted Extensions (Tasks)
Common Tasks in Trusted Extensions (Task Map)
How to Assign the Editor of Your Choice as the Trusted Editor
How to Change the Password for root
How to Regain Control of the Desktop's Current Focus
How to Obtain the Hexadecimal Equivalent for a Label
How to Obtain a Readable Label From Its Hexadecimal Form
How to Change Security Defaults in System Files
Chapter 12 Users, Rights, and Roles in Trusted Extensions (Overview)
User Security Features in Trusted Extensions
Administrator Responsibilities for Users
System Administrator Responsibilities for Users
Security Administrator Responsibilities for Users
Decisions to Make Before Creating Users in Trusted Extensions
Default User Security Attributes in Trusted Extensions
label_encodings File Defaults
policy.conf File Defaults in Trusted Extensions
Configurable User Attributes in Trusted Extensions
Security Attributes That Must Be Assigned to Users
Security Attribute Assignment to Users in Trusted Extensions
.copy_files and .link_files Files
Chapter 13 Managing Users, Rights, and Roles in Trusted Extensions (Tasks)
Customizing the User Environment for Security (Task Map)
How to Modify Default User Label Attributes
How to Modify policy.conf Defaults
How to Configure Startup Files for Users in Trusted Extensions
How to Lengthen the Timeout When Relabeling Information
How to Log In to a Failsafe Session in Trusted Extensions
Managing Users and Rights With the Solaris Management Console (Task Map)
How to Modify a User's Label Range in the Solaris Management Console
How to Create a Rights Profile for Convenient Authorizations
How to Restrict a User's Set of Privileges
How to Prevent Account Locking for Users
How to Hide Labels From a User
How to Enable a User to Change the Security Level of Data
How to Delete a User Account From a Trusted Extensions System
Handling Other Tasks in the Solaris Management Console (Task Map)
Chapter 14 Remote Administration in Trusted Extensions (Tasks)
Secure Remote Administration in Trusted Extensions
Methods for Administering Remote Systems in Trusted Extensions
Remote Login by a Role in Trusted Extensions
Remote Role-Based Administration From Unlabeled Hosts
Remote Login Management in Trusted Extensions
Administering Trusted Extensions Remotely (Task Map)
How to Log In Remotely From the Command Line in Trusted Extensions
How to Remotely Administer Systems by Using the Solaris Management Console From a Trusted Extensions System
How to Remotely Administer Systems by Using the Solaris Management Console From an Unlabeled System
How to Enable Specific Users to Log In Remotely to the Global Zone in Trusted Extensions
How to Use Xvnc to Remotely Access a Trusted Extensions System
Chapter 15 Trusted Extensions and LDAP (Overview)
Using a Naming Service in Trusted Extensions
Non-Networked Trusted Extensions Systems
Trusted Extensions LDAP Databases
Using the LDAP Naming Service in Trusted Extensions
Chapter 16 Managing Zones in Trusted Extensions (Tasks)
Zones in Trusted Extensions
Zones and IP Addresses in Trusted Extensions
Zones and Multilevel Ports
Zones and ICMP in Trusted Extensions
Global Zone Processes and Labeled Zones
Zone Administration Utilities in Trusted Extensions
Managing Zones (Task Map)
How to Display Ready or Running Zones
How to Display the Labels of Mounted Files
How to Loopback Mount a File That Is Usually Not Visible in a Labeled Zone
How to Disable the Mounting of Lower-Level Files
How to Share a ZFS Dataset From a Labeled Zone
How to Enable Files to be Relabeled From a Labeled Zone
How to Configure a Multilevel Port for NFSv3 Over udp
How to Create a Multilevel Port for a Zone
Chapter 17 Managing and Mounting Files in Trusted Extensions (Tasks)
Sharing and Mounting Files in Trusted Extensions
NFS Mounts in Trusted Extensions
Sharing Files From a Labeled Zone
Access to NFS Mounted Directories in Trusted Extensions
Home Directory Creation in Trusted Extensions
Changes to the Automounter in Trusted Extensions
Trusted Extensions Software and NFS Protocol Versions
Mounting Labeled ZFS Datasets
Backing Up, Sharing, and Mounting Labeled Files (Task Map)
How to Back Up Files in Trusted Extensions
How to Restore Files in Trusted Extensions
How to Share Directories From a Labeled Zone
How to NFS Mount Files in a Labeled Zone
How to Troubleshoot Mount Failures in Trusted Extensions
Chapter 18 Trusted Networking (Overview)
The Trusted Network
Trusted Extensions Data Packets
Trusted Network Communications
Network Configuration Databases in Trusted Extensions
Network Commands in Trusted Extensions
Trusted Network Security Attributes
Network Security Attributes in Trusted Extensions
Host Type and Template Name in Security Templates
Default Label in Security Templates
Domain of Interpretation in Security Templates
Label Range in Security Templates
Security Label Set in Security Templates
Trusted Network Fallback Mechanism
Overview of Routing in Trusted Extensions
Background on Routing
Routing Table Entries in Trusted Extensions
Trusted Extensions Accreditation Checks
Source Accreditation Checks
Gateway Accreditation Checks
Destination Accreditation Checks
Administration of Routing in Trusted Extensions
Choosing Routers in Trusted Extensions
Gateways in Trusted Extensions
Routing Commands in Trusted Extensions
Administration of Labeled IPsec
Labels for IPsec-Protected Exchanges
Label Extensions for IPsec Security Associations
Label Extensions for IKE
Labels and Accreditation in Tunnel Mode IPsec
Confidentiality and Integrity Protections With Label Extensions
Chapter 19 Managing Networks in Trusted Extensions (Tasks)
Managing the Trusted Network (Task Map)
Configuring Trusted Network Databases (Task Map)
How to Determine If You Need Site-Specific Security Templates
How to Open the Trusted Networking Tools
How to Construct a Remote Host Template
How to Add Hosts to the System's Known Network
How to Assign a Security Template to a Host or a Group of Hosts
How to Limit the Hosts That Can Be Contacted on the Trusted Network
Configuring Routes and Checking Network Information in Trusted Extensions (Task Map)
How to Configure Routes With Security Attributes
How to Check the Syntax of Trusted Network Databases
How to Compare Trusted Network Database Information With the Kernel Cache
How to Synchronize the Kernel Cache With Trusted Network Databases
Configuring Labeled IPsec (Task Map)
How to Apply IPsec Protections in a Multilevel Trusted Extensions Network
How to Configure a Tunnel Across an Untrusted Network
Troubleshooting the Trusted Network (Task Map)
How to Verify That a Host's Interfaces Are Up
How to Debug the Trusted Extensions Network
How to Debug a Client Connection to the LDAP Server
Chapter 20 Multilevel Mail in Trusted Extensions (Overview)
Multilevel Mail Service
Trusted Extensions Mail Features
Chapter 21 Managing Labeled Printing (Tasks)
Labels, Printers, and Printing
Restricting Access to Printers and Print Job Information in Trusted Extensions
Labeled Printer Output
Labeled Body Pages
Labeled Banner and Trailer Pages
PostScript Printing of Security Information
Printer Model Scripts
Additional Conversion Filters
Interoperability of Trusted Extensions With Trusted Solaris 8 Printing
Trusted Extensions Print Interfaces (Reference)
Managing Printing in Trusted Extensions (Task Map)
Configuring Labeled Printing (Task Map)
How to Configure a Multilevel Print Server and Its Printers
How to Configure a Zone for Single-Label Printing
How to Enable a Trusted Extensions Client to Access a Printer
How to Configure a Restricted Label Range for a Printer
Reducing Printing Restrictions in Trusted Extensions (Task Map)
How to Remove Labels From Printed Output
How to Assign a Label to an Unlabeled Print Server
How to Remove Page Labels From All Print Jobs
How to Enable Specific Users to Suppress Page Labels
How to Suppress Banner and Trailer Pages for Specific Users
How to Enable Users to Print PostScript Files in Trusted Extensions
Chapter 22 Devices in Trusted Extensions (Overview)
Device Protection With Trusted Extensions Software
Device Label Ranges
Effects of Label Range on a Device
Device Access Policies
Device-Clean Scripts
Device Manager GUI
Enforcement of Device Security in Trusted Extensions
Devices in Trusted Extensions (Reference)
Chapter 23 Managing Devices for Trusted Extensions (Tasks)
Handling Devices in Trusted Extensions (Task Map)
Using Devices in Trusted Extensions (Task Map)
Managing Devices in Trusted Extensions (Task Map)
How to Configure a Device in Trusted Extensions
How to Revoke or Reclaim a Device in Trusted Extensions
How to Protect Nonallocatable Devices in Trusted Extensions
How to Configure a Serial Line for Logins
How to Add a Device_Clean Script in Trusted Extensions
Customizing Device Authorizations in Trusted Extensions (Task Map)
How to Create New Device Authorizations
How to Add Site-Specific Authorizations to a Device in Trusted Extensions
How to Assign Device Authorizations
Chapter 24 Trusted Extensions Auditing (Overview)
Trusted Extensions and Auditing
Audit Management by Role in Trusted Extensions
Role Setup for Audit Administration
Audit Tasks in Trusted Extensions
Audit Tasks of the Security Administrator
Audit Tasks of the System Administrator
Trusted Extensions Audit Reference
Trusted Extensions Audit Classes
Trusted Extensions Audit Events
Trusted Extensions Audit Tokens
label Token
xatom Token
xclient Token
xcolormap Token
xcursor Token
xfont Token
xgc Token
xpixmap Token
xproperty Token
xselect Token
xwindow Token
Trusted Extensions Audit Policy Options
Extensions to Auditing Commands in Trusted Extensions
Chapter 25 Software Management in Trusted Extensions (Tasks)
Adding Software to Trusted Extensions
Solaris Security Mechanisms for Software
Evaluating Software for Security
Developer Responsibilities When Creating Trusted Programs
Security Administrator Responsibilities for Trusted Programs
Managing Software in Trusted Extensions (Tasks)
How to Add a Software Package in Trusted Extensions
How to Install a Java Archive File in Trusted Extensions
Appendix A Site Security Policy
Creating and Managing a Security Policy
Site Security Policy and Trusted Extensions
Computer Security Recommendations
Physical Security Recommendations
Personnel Security Recommendations
Common Security Violations
Additional Security References
U.S. Government Publications
UNIX Security Publications
General Computer Security Publications
General UNIX Publications
Appendix B Configuration Checklist for Trusted Extensions
Checklist for Configuring Trusted Extensions
Appendix C Quick Reference to Trusted Extensions Administration
Administrative Interfaces in Trusted Extensions
Solaris Interfaces Extended by Trusted Extensions
Tighter Security Defaults in Trusted Extensions
Limited Options in Trusted Extensions
Appendix D List of Trusted Extensions Man Pages
Trusted Extensions Man Pages in Alphabetical Order
Solaris Man Pages That Are Modified by Trusted Extensions
Glossary
© 2010, Oracle Corporation and/or its affiliates