This procedure protects labeled hosts from being contacted by arbitrary unlabeled hosts. When Trusted Extensions is installed, the default admin_low template defines every host on the network. Use this procedure to enumerate the specific unlabeled hosts that the system is allowed to contact.
The local tnrhdb file on each system is used to contact the network at boot time. By default, every host that is not provided with a CIPSO template is defined by the admin_low template. This template assigns every system that is not otherwise defined (0.0.0.0) to be an unlabeled system with the default label of admin_low.
The default admin_low template can be a security risk on a Trusted Extensions network. If site security requires strong protection, the security administrator can remove the 0.0.0.0 wildcard entry after the system is installed. The entry must be replaced with entries for every host that the system contacts during boot.
For example, DNS servers, home directory servers, audit servers, broadcast and multicast addresses, and routers must be in the local tnrhdb file after the 0.0.0.0 wildcard entry is removed.
If an application initially recognizes clients at the host address 0.0.0.0, then you must add the 0.0.0.0/32:admin_low host entry to the tnrhdb database. For example, to receive initial connection requests from potential Sun Ray clients, Sun Ray servers must include this entry. Then, when the server recognizes the clients, the clients are provided an IP address and connected as CIPSO clients.
You must be in the Security Administrator role in the global zone.
All hosts that are to be contacted at boot time must exist in the Computers and Networks tool.
1. In the Solaris Management Console, navigate to the Security Templates tool in the Files scope.
   The Files scope protects the system during boot. To access the Security Templates tool, see How to Open the Trusted Networking Tools.
2. Modify the hosts that are assigned to the admin_low template.
   a. Double-click the admin_low template.
   b. Click the Hosts Assigned to Template tab.
      Every host that is added can be contacted during boot at the label ADMIN_LOW.
   c. Add each unlabeled host that must be contacted at boot time.
      For details, see How to Assign a Security Template to a Host or a Group of Hosts.
      Include every on-link router that is not running Trusted Extensions, through which this host must communicate.
   d. Add the ranges of hosts that must be contacted at boot time.
   e. Remove the 0.0.0.0 entry.
3. Modify the hosts that are assigned to the cipso template.
   a. Double-click the cipso template.
   b. Click the Hosts Assigned to Template tab.
      Every host that is added can be contacted during boot.
   c. Add each labeled host that must be contacted at boot time.
      For details, see How to Assign a Security Template to a Host or a Group of Hosts.
      Include the LDAP server.
      Include every on-link router that is running Trusted Extensions, through which this host must communicate.
      Make sure that all network interfaces are assigned to the template.
      Include broadcast addresses.
   d. Add the ranges of hosts that must be contacted at boot time.
4. Verify that the host assignments allow the system to boot.
In this example, the security administrator creates a public gateway system. The administrator removes the 0.0.0.0 entry from the admin_low template and assigns the entry to an unlabeled template that is named public. The system then recognizes any system that is not listed in its tnrhdb file as an unlabeled system with the security attributes of the public security template.
The following describes an unlabeled template that was created specifically for public gateways.
Template Name: public
Host Type: Unlabeled
Default Label: Public
Minimum Label: Public
Maximum Label: Public
DOI: 1
The following example shows the local tnrhdb database with entries for an LDAP client with two network interfaces. The client communicates with another network and with routers.
127.0.0.1:cipso              Loopback address
192.168.112.111:cipso        Interface 1 of this host
192.168.113.111:cipso        Interface 2 of this host
10.6.6.2:cipso               LDAP server
192.168.113.6:cipso          Audit server
192.168.112.255:cipso        Subnet broadcast address
192.168.113.255:cipso        Subnet broadcast address
192.168.113.1:cipso          Router
192.168.117.0:cipso          Another Trusted Extensions network
192.168.112.12:public        Specific network router
192.168.113.12:public        Specific network router
224.0.0.2:public             Multicast address
255.255.255.255:admin_low    Broadcast address
In this example, the security administrator configures a Sun Ray server to accept initial connection requests from potential clients. The server is using a private topology and is using the defaults:
# utadm -a bge0
First, the administrator determines the Solaris Management Console domain name:
SMCserver # /usr/sadm/bin/dtsetup scopes
Getting list of managable scopes...
Scope 1 file:/machine1.ExampleCo.COM/machine1.ExampleCo.COM
Then, the administrator adds the entry for client initial connection to the Sun Ray server's tnrhdb database. Because the administrator is testing, the default wildcard address is still used for all unknown addresses:
SunRayServer # /usr/sadm/bin/smtnrhdb \
add -D file:/machine1.ExampleCo.COM/machine1.ExampleCo.COM \
-- -w 0.0.0.0 -p 32 -n admin_low
Authenticating as user: root
Please enter a string value for: password ::
... from machine1.ExampleCo.COM was successful.
After this command, the tnrhdb database appears similar to the following. The 0.0.0.0/32:admin_low entry is the result of the smtnrhdb command:
## tnrhdb database
## Sun Ray server address
192.168.128.1:cipso
## Sun Ray client addresses on 192.168.128 network
192.168.128.0/24:admin_low
## Initial address for new clients
0.0.0.0/32:admin_low
## Default wildcard address
0.0.0.0:admin_low
Other addresses to be contacted at boot
After this phase of testing succeeds, the administrator makes the configuration more secure by removing the default wildcard address, checks the syntax of the tnrhdb database with the tnchkdb command, and tests again:

# tnchkdb -h /etc/security/tsol/tnrhdb

The final tnrhdb database appears similar to the following:

## tnrhdb database
## Sun Ray server address
192.168.128.1:cipso
## Sun Ray client addresses on 192.168.128 network
192.168.128.0/24:admin_low
## Initial address for new clients
0.0.0.0/32:admin_low
## 0.0.0.0:admin_low - no other systems can enter network at admin_low
Other addresses to be contacted at boot
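The following Python script is an added example and is not Trusted Extensions code. It models two things the text above describes: how a local tnrhdb database resolves a peer address to a security template (so that the difference between the 0.0.0.0 wildcard entry and the 0.0.0.0/32 host entry is visible), and the step "Verify that the host assignments allow the system to boot", done offline as a coverage check of the hosts that must be reachable at boot. The matching order is a simplified model of tnrhdb(4) and is an assumption of this example: an entry with an explicit /prefix is a CIDR range; an entry without a prefix is an exact host, except that trailing zero octets denote a network (the form 192.168.117.0:cipso used in the example above), so a bare 0.0.0.0 is the wildcard that catches every otherwise-undefined host. The sample database and the list of required boot-time hosts are constructed for this example, based on the Sun Ray example above.

```python
"""Resolve peer addresses against a tnrhdb-style database and check
boot-time coverage after the 0.0.0.0 wildcard is removed.

Added example; the matching rules below are a simplified model of
tnrhdb(4), not the Trusted Extensions implementation.
"""
import ipaddress

# Constructed sample, based on the Sun Ray example in the text.
SAMPLE_TNRHDB = """\
## tnrhdb database (constructed sample)
## Sun Ray server address
192.168.128.1:cipso
## Sun Ray client addresses on 192.168.128 network
192.168.128.0/24:admin_low
## Initial address for new clients
0.0.0.0/32:admin_low
## Another Trusted Extensions network, trailing-zero network form
192.168.117.0:cipso
## Default wildcard address
0.0.0.0:admin_low
"""

# Constructed sample; a real check would list the site's own DNS, LDAP,
# audit, home-directory servers, routers, interfaces and broadcast addresses.
REQUIRED_AT_BOOT = {
    "Sun Ray server interface": "192.168.128.1",
    "LDAP server": "10.6.6.2",
    "subnet broadcast": "192.168.128.255",
    "limited broadcast": "255.255.255.255",
}


def parse_tnrhdb(text):
    """Return (network, template, is_wildcard) tuples, most specific first."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # '#' starts a comment
        if not line:
            continue
        addr, template = (part.strip() for part in line.split(":", 1))
        if "/" in addr:
            # Explicit prefix length: a CIDR range.
            net = ipaddress.ip_network(addr, strict=False)
        else:
            # No prefix: trailing zero octets denote a network (modelled
            # fallback rule); four zero octets (0.0.0.0) is the wildcard.
            octets = addr.split(".")
            zeros = 0
            while zeros < 4 and octets[3 - zeros] == "0":
                zeros += 1
            net = ipaddress.ip_network("%s/%d" % (addr, 32 - 8 * zeros))
        entries.append((net, template, addr == "0.0.0.0"))
    # Longest prefix wins, so 0.0.0.0/32 (the host 0.0.0.0) is matched
    # before the bare 0.0.0.0 wildcard (/0).
    entries.sort(key=lambda e: e[0].prefixlen, reverse=True)
    return entries


def lookup(entries, host):
    """Template that governs traffic with host, or None if the host is not
    defined at all (without the wildcard, such a host cannot be contacted)."""
    ip = ipaddress.ip_address(host)
    for net, template, _ in entries:
        if ip in net:
            return template
    return None


def remove_wildcard(entries):
    """The hardening step: drop the bare 0.0.0.0 entry, keep everything else."""
    return [e for e in entries if not e[2]]


def missing_at_boot(entries, required):
    """Names of required boot-time hosts that no template covers."""
    return sorted(name for name, ip in required.items()
                  if lookup(entries, ip) is None)


if __name__ == "__main__":
    db = parse_tnrhdb(SAMPLE_TNRHDB)
    print("with wildcard, 10.9.9.9 ->", lookup(db, "10.9.9.9"))
    hardened = remove_wildcard(db)
    print("without wildcard, 10.9.9.9 ->", lookup(hardened, "10.9.9.9"))
    print("host 0.0.0.0 still ->", lookup(hardened, "0.0.0.0"))
    print("not reachable at boot:", missing_at_boot(hardened, REQUIRED_AT_BOOT))
```

With the wildcard present every unknown address resolves to admin_low, which is why the check reports nothing missing; after the wildcard is removed the same check lists the LDAP server and the limited broadcast address, exactly the kind of entry the procedure says must be added before the 0.0.0.0 entry is deleted, while the 0.0.0.0/32 host entry needed by the Sun Ray server still resolves.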