Trusted Solaris 8 HW 7/03 Transition Guide

Changes From the Trusted Solaris 7 to the Trusted Solaris 8 Release

Changes from the Trusted Solaris 7 release affect users, administrators, and developers. Changes affect the following areas:

Installation and Configuration

Trusted Solaris 8 installation and configuration requires more disk and swap space than the Trusted Solaris 7 release required. Files to create local administrative roles are no longer provided on the installation CD-ROM. The root role creates the initial roles, then assigns the roles to the initial users.

Installation Differences

Installation on most hardware is identical to Solaris 8 installation. The Trusted Solaris 8 environment supports the name services that are fully supported in the Solaris 8 and Solaris Management Console 2.0 releases. The following lists the exceptions:


Note –

Distributing a site label_encodings file during a Trusted Solaris 8 network installation requires a customized JumpStart installation that calls a site-created script to install the file at admin_high.


Configuration Differences

The Trusted Solaris 8 release introduces significant configuration differences from earlier releases. Of particular interest are Security Policy, Labels, Roles, Auditing, Devices, and Trusted Networking.

Auditing

The Trusted Solaris 8 environment, as well as the Solaris 8 environment, enables the administrator to set up network-wide user audit flags. The audit_user file can now be administered using a name service through the Solaris Management Console.

Authorizations

Authorizations are now part of the Solaris 8 environment. Therefore, Trusted Solaris 7 authorizations have been renamed in the Trusted Solaris 8 environment to correspond to their Solaris 8 counterparts. See the file /etc/security/auth_attr for a full list of authorizations, and the auth_attr(4) man page for an explanation of the syntax. The following tables show the Trusted Solaris 7 to Trusted Solaris 8 authorization name correspondences, ordered by authorization number.

Table 1–6 Authorizations 1 through 27

No.  Trusted Solaris 7 Names         Trusted Solaris 8 Equivalents
 1   TSOL_AUTH_ENABLE_LOGIN          solaris.login.enable
 2   TSOL_AUTH_REMOTE_LOGIN          solaris.login.remote
 3   TSOL_AUTH_TERMINAL_LOGIN        solaris.login.remote
 4   TSOL_AUTH_FILE_AUDIT            solaris.file.audit
 5   TSOL_AUTH_FILE_DOWNGRADE_SL     solaris.label.file.downgrade
 6   TSOL_AUTH_FILE_UPGRADE_SL       solaris.label.file.upgrade
 7   TSOL_AUTH_FILE_OWNER            solaris.file.owner
 8   TSOL_AUTH_FILE_CHOWN            solaris.file.chown
 9   TSOL_AUTH_FILE_SETPRIV          solaris.file.privs
10   TSOL_AUTH_ALLOCATE              solaris.device.allocate
11   TSOL_AUTH_WIN_DOWNGRADE_SL      solaris.label.win.downgrade
12   TSOL_AUTH_WIN_UPGRADE_SL        solaris.label.win.upgrade
13   TSOL_AUTH_CRON_ADMIN            solaris.jobs.admin
14   TSOL_AUTH_SYS_ACCRED_SET        solaris.label.range
15   TSOL_AUTH_BYPASS_FILE_VIEW      solaris.label.win.noview
16   TSOL_AUTH_SHUTDOWN              solaris.system.shutdown
17   TSOL_AUTH_USER_IDENT            solaris.admin.usermgr.write
18   TSOL_AUTH_USER_PASSWORD         solaris.admin.usermgr.pswd
19   TSOL_AUTH_USER_SELF             None
20   TSOL_AUTH_USER_LABELS           solaris.admin.usermgr.label
21   TSOL_AUTH_USER_AUDIT            solaris.admin.usermgr.audit
22   TSOL_AUTH_USER_PROFILES         solaris.profmgr.*
23   TSOL_AUTH_USER_IDLE             None
24   TSOL_AUTH_USER_ROLES            solaris.role.assign
25   TSOL_AUTH_USER_HOME             solaris.admin.usermgr.write
26   TSOL_AUTH_PRINT_POSTSCRIPT      solaris.print.ps
27   TSOL_AUTH_PRINT_UNLABELED       solaris.print.unlabeled

Table 1–7 Authorization Numbers 28 through 55

No.  Trusted Solaris 7 Names         Trusted Solaris 8 Equivalents
28   TSOL_AUTH_DB_ALIASES            None
29   TSOL_AUTH_DB_AUTO_HOME          solaris.admin.fsmgr.write
30   TSOL_AUTH_DB_BOOTPARAMS         None
31   TSOL_AUTH_DB_ETHERS             solaris.network.hosts.write
32   TSOL_AUTH_DB_GROUP              solaris.admin.usermgr.write
33   TSOL_AUTH_DB_HOSTS              solaris.network.hosts.write
34   TSOL_AUTH_DB_LOCALE             solaris.network.hosts.write
35   TSOL_AUTH_DB_NETGROUP           solaris.network.hosts.write
36   TSOL_AUTH_DB_NETMASKS           solaris.network.hosts.write
37   TSOL_AUTH_DB_NETWORKS           solaris.network.hosts.write
38   TSOL_AUTH_DB_PASSWD             solaris.admin.usermgr.pswd
39   TSOL_AUTH_DB_PROTOCOLS          None
40   TSOL_AUTH_DB_RPC                None
41   TSOL_AUTH_DB_SERVICES           None
42   TSOL_AUTH_DB_TIMEZONE           None
43   TSOL_AUTH_DB_TNIDB              solaris.network.security.write
44   TSOL_AUTH_DB_TNRHDB             solaris.network.security.write
45   TSOL_AUTH_DB_TNRHTP             solaris.network.security.write
46   TSOL_AUTH_CRON_USER             solaris.jobs.user
47   TSOL_AUTH_AT_ADMIN              solaris.jobs.admin
48   TSOL_AUTH_AT_USER               solaris.jobs.user
49   TSOL_AUTH_PRINT_ADMIN           solaris.print.admin
50   TSOL_AUTH_PRINT_NOBANNER        solaris.print.nobanner
51   TSOL_AUTH_CONFIG_DEVICE         solaris.device.config
52   TSOL_AUTH_REVOKE_DEVICE         solaris.device.revoke
53   TSOL_AUTH_PRINT_CANCEL          solaris.print.cancel
54   TSOL_AUTH_PRINT_LIST            solaris.print.list
55   TSOL_AUTH_PRINT_MAC_OVERRIDE    solaris.label.print

Commands and Functions

Commands and functions have been modified. Some modifications are due to technical changes in the product. Some changes are due to removal of nonstandard interfaces.

Table 1–8 Trusted Solaris 8 Man Pages for User, Profile, and Authorization Functions

Trusted Solaris 7 Database Functions                                  Trusted Solaris 8 Man Page
getuserent(), setuserent(), getuserentbyname(), getuserentbyuid(),    getuserattr(3secdb)
free_userent(), enduserent()
getprofent(), setprofent(), getprofentbyname(), getprofstr(),         getprofattr(3secdb)
getprofstrbyname(), free_profent(), free_profstr(), endprofent(),
endprofstr(), putprofstr()
auth_to_str(), str_to_auth(), auth_set_to_str(), str_to_auth_set(),   getauthattr(3secdb)
free_auth_set(), get_auth_text(), chkauth()

Databases — Users, Profiles, and Authorizations

The user, rights profile, and authorization databases are now available in the Solaris 8 environment. Therefore, a Trusted Solaris 8 server can manage the rights and authorizations for Solaris 8 clients as well as Trusted Solaris 8 clients. The Solaris environment renamed the execution profile to the rights profile, or simply rights.

Rights profiles are administered through the Solaris Management Console. The Trusted Solaris 7 Profile Manager is now the Rights tool, under Users (the User Manager). The Rights tool does not recognize symbolically linked commands.

Rights profiles are now hierarchical. Profiles can subsume other profiles, though this is not required. Hierarchical profiles eliminate the need to enumerate all profiles assigned to a user or role.

The names and contents of profiles have changed. Most profiles have been reconfigured. Some profiles have been eliminated.

Trusted Solaris extends the Solaris versions of the user, profile, and authorization databases to include CDE actions and Trusted Solaris security attributes, such as labels and new authorizations. The following table shows the new database names.

Table 1–9 Database Changes from the Trusted Solaris 7 to the Trusted Solaris 8 Release

Trusted Solaris 7 Database            Trusted Solaris 8 Man Page
/etc/security/tsol/tsolprof           exec_attr(4) and prof_attr(4)
/etc/security/tsol/tsoluser           user_attr(4)
/usr/lib/tsol/locale/C/auth_name      auth_attr(4)
auth_desc man page                    Solaris Management Console help for the Authorizations tab

Devices

Devices may be allocated outside of the trusted path. Separate authorizations specify whether you are allocating within the trusted path or outside the trusted path. For security, Trusted Solaris software keeps track of the username of the allocator. The Device Allocation Manager GUI can display and edit the device_maps(4) entry for an allocatable device. The GUI enables the administrator to specify whether devices should be deallocated at logout or reboot. Device allocation can be done remotely or in shell scripts by authorized users.

File Systems and Mounting

The Trusted Solaris 8 implementation for specifying file system security attributes follows the Solaris 8 implementation. The Solaris 8 implementation has consequences for Trusted Solaris 8 administrators.

Mount-time security attributes may be specified either by using the mount(1M) command with the -o option on the command line or by specifying the attributes in the vfstab_adjunct file. The following mount-time security attributes have been removed: acl, attr_flg, uid, gid, and mode.

The vfstab_adjunct file is protected at the label admin_high.

Labels

The Trusted Solaris 8 environment protects the label_encodings(4) at the label admin_high. The default user label and clearance are defined in the label_encodings file.

The Label Builder used by administrators is now Java-based and accessed through the Solaris Management Console. The label builder that is accessed outside the Solaris Management Console is different. The users' label builder is the Motif label builder that was shipped with the Trusted Solaris 7 software.

In the Trusted Solaris 8 environment, the label attributes assigned to commands and actions in a profile no longer represent the restricted label range for execution. Instead, the attributes set the label and clearance of the process that is running the command. The attributes that are set are independent of the label of the original profile shell. This is a change to the profile shell from the Trusted Solaris 7 release. The behavior matches the way the system shell has always worked.

Man Pages

The following Trusted Solaris 7 man pages do not contain Trusted Solaris-specific modifications in the current release due to changes in implementation. The Solaris versions describe their functionality in the Trusted Solaris 8 environment:

The setmnt(1M) man page and command have been removed from the Solaris and Trusted Solaris environments.

The man pages in the following table contain Trusted Solaris-specific modifications to Solaris 8 man pages, or are Trusted Solaris 8 man pages new to this release:

Table 1–10 Man Pages Newly Created or Modified for the Trusted Solaris 8 Environment

Man Page Section   Man Page
Section 1          auths(1), crle(1), date(1), nca(1), ncakmod(1), nispasswd(1),
                   profiles(1), roles(1)
Section 1M         coreadm(1M), devfsadm(1M), init.wbem(1M), mkdevalloc(1M),
                   mkdevmaps(1M), nisclient(1M), pkgchk(1M), rmmount(1M),
                   rpc.yppasswdd(1M), rpc.ypupdated(1M), su(1M), ypbind(1M),
                   ypserv(1M), ypxfr(1M), smc(1M), smcron(1M), smexec(1M),
                   smgroup(1M), smhost(1M), smmaillist(1M), smmultiuser(1M),
                   smnetidb(1M), smnettmpl(1M), smnetwork(1M), smuser(1M)
Section 2          acct(2)
Section 3          getauthattr(3SECDB), getauusernam(3BSM), grantpt(3C)
Section 4          exec_attr(4), logindevperm(4), nca.if(4), policy.conf(4),
                   prof_attr(4), shadow(4), user_attr(4)
Section 5          pam_unix(5)

Printing

The Printer Administrator action in the System_Admin folder manages printers. To limit the label range of a printer, use the Device Allocation Manager.

Roles

The Trusted Solaris 8 environment has eliminated non-administrative roles. All roles in the Trusted Solaris environment are administrative ones. Roles are managed through the Administrative Roles tool in the Solaris Management Console. With the exception of the root role account, which must be a local account, role accounts are similar to user accounts in that their home directories are not necessarily local. Their home directories can be in the same location as users on the system.

In the Trusted Solaris 8 environment there are five recommended roles. Only the root role is provided on the installation CD-ROM. During system configuration the root role creates four roles (admin, secadmin, oper, and primaryadmin) and assigns existing profiles to them. The new role, primaryadmin, or Primary Administrator, is in fact an emergency administrator, to be used when the security administrator cannot do something. Once roles are created and assigned to users, the root role is no longer required and can be disabled. root is a much weaker role in the Trusted Solaris 8 release than it was in previous releases.

The names and contents of role profiles have changed to enable ease of administration. For example, the system administrator (the role admin) can now install most third-party software packages. The security administrator (secadmin) is only required when the applications being installed affect security. Also, prior to user account setup, the security administrator can set the security defaults for user accounts. Then when the system administrator sets up user accounts, the security administrator need not be present. It is also possible for the security administrator alone to set up user accounts.

Roles (and users) can now be prevented from logging in if their password is incorrectly entered a number of times as specified by the value of the RETRIES (not the MAX_BADLOGINS) flag. For details, see the passwd(4) and shadow(4) man pages. The default is not to lock the account. The defaults can be changed, and individual user and role accounts can be given a non-default value. Note that the NIS name service does not support RETRIES or account locking.

Security Policy

Security policy is now configured similarly in the Solaris and Trusted Solaris 8 environments. The configuration file /etc/security/policy.conf contains default attributes for users created on the system. Label defaults are set in the label_encodings file. The defaults can be extended or overridden; they provide a convenient starting point for account creation. The security administrator can set up sensible defaults for most users on the system. The Add User wizard in the Solaris Management Console will then create users with those defaults.

Trusted Solaris 7 software enabled the security administrator to extend the list of trusted libraries by creating a list of trusted library directories in a file named /etc/security/tsol/rtld. The Trusted Solaris 8 release uses a new Solaris 8 mechanism, the crle(1) command with the option -u. See Trusted Solaris Administrator's Procedures for sample procedures.

Serial Ports

The Solaris Management Console Devices and Hardware tool manages serial lines and serial ports. To limit the label range of a serial port, use the Device Allocation Manager.

Trusted Networking

The trusted networking databases are now administered through the Solaris Management Console. The tnidb database is administered using the Interface Manager program. The tnrhtp and tnrhdb databases are administered using the Security Families program. The tnrhdb is extended to handle IPv6 address formats and variable-length netmasks.

The Trusted Solaris 8 environment does not interoperate with hosts or networks that run Trusted Solaris 1.2 software (except as unlabeled). The msix template for Trusted Solaris 1.2 hosts in the tnrhtp database has been removed.

The following fields have been removed from the tnrhtp templates. For interoperability, these are ignored if present: def_uid, def_gid, def_audit_auid, def_audit_asid, def_audit_mask, and def_audit_termid.

The functions t6last_attr(3NSL) and t6peek_attr(3NSL) no longer return defaults for identity-based attributes.

The /etc/security/tsol/boot directory has been removed. To ensure that a Trusted Solaris machine can contact the necessary servers while booting, the security administrator should ensure that each necessary server (name service master, audit server, and so on) is covered by an entry in the machine's local tnrhdb file.

The /etc/security/tsol/tnrhtp file installed from the Trusted Solaris 8 Installation CD has templates that match the labels in the /etc/security/tsol/label_encodings file installed from the Trusted Solaris 8 Installation CD. The following table shows the correspondences between earlier versions of tnrhtp and the version shipped with the Trusted Solaris 8 release.

Table 1–11 Template Equivalents Between Trusted Solaris 8 and Earlier Releases

Template Names from Earlier Release   Trusted Solaris 8 Replacement Names
unlab                                 admin_low, unclassified, confidential, secret, top_secret
tsol                                  tsol
tsol_1                                tsol_ripso
tsol_2                                tsol_cipso
ripso                                 ripso_top_secret
cipso                                 cipso
tsix                                  tsix

The cipso_doi keyword has been changed to the more general doi (Domain of Interpretation) in the tnrhtp database, because now it is used in the Trusted Solaris protocol and is not limited to the CIPSO IP options. Matching of the DOI value is enforced for incoming packets. For interoperability with the previous Trusted Solaris releases, the default DOI in the Trusted Solaris 8 release is 0 instead of empty (it is 1 for CIPSO host types), and the keyword cipso_doi is interpreted as the more general domain of interpretation.
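The template changes above (renamed templates from Table 1–11, the removed msix template, the dropped def_* fields, the cipso_doi to doi rename, and the new DOI defaults) are the kind of thing an administrator wants to audit before importing an old tnrhtp into the Trusted Solaris 8 release. The following checker is an added example, not Sun code; it assumes a one-template-per-line "name:key=value;key=value" layout, that the host type is carried in a key named host_type, and runs on a constructed sample.

```python
# Migration audit for pre-Trusted Solaris 8 tnrhtp templates (added example, not Sun's code).
# Assumed on-disk form: one template per line, "name:key=value;key=value;...",
# with the host type in an assumed key named host_type.

REMOVED_FIELDS = {"def_uid", "def_gid", "def_audit_auid", "def_audit_asid",
                  "def_audit_mask", "def_audit_termid"}   # ignored by Trusted Solaris 8
RENAMED = {"tsol_1": "tsol_ripso", "tsol_2": "tsol_cipso", "ripso": "ripso_top_secret"}
SPLIT = {"unlab": ("admin_low", "unclassified", "confidential", "secret", "top_secret")}
DROPPED = {"msix"}   # Trusted Solaris 1.2 template, no longer shipped


def parse_template(line):
    """Split 'name:k=v;k=v' into (name, {k: v})."""
    name, _, body = line.strip().partition(":")
    attrs = {}
    for field in filter(None, body.split(";")):
        key, _, value = field.partition("=")
        attrs[key.strip()] = value.strip()
    return name.strip(), attrs


def migrate_template(line):
    """Return (new_name, new_attrs, notes); new_name is None when the template is dropped."""
    name, attrs = parse_template(line)
    notes = []
    if name in DROPPED:
        return None, {}, ["%s: removed; Trusted Solaris 1.2 hosts interoperate only as unlabeled" % name]
    new_name = RENAMED.get(name, name)
    if name in SPLIT:
        notes.append("%s: now split into %s; assign each host the template for its label"
                     % (name, ", ".join(SPLIT[name])))
    new_attrs = {}
    for key, value in attrs.items():
        if key in REMOVED_FIELDS:
            notes.append("%s: %s removed (ignored if present)" % (name, key))
            continue
        if key == "cipso_doi":
            notes.append("%s: cipso_doi renamed to doi" % name)
            key = "doi"
        new_attrs[key] = value
    if "doi" not in new_attrs:
        # Trusted Solaris 8 default DOI: 1 for CIPSO host types, otherwise 0; matching is enforced
        new_attrs["doi"] = "1" if new_attrs.get("host_type") == "cipso" else "0"
        notes.append("%s: no DOI given; Trusted Solaris 8 will use %s" % (name, new_attrs["doi"]))
    return new_name, new_attrs, notes


def migrate_file(text):
    """Migrate every non-blank, non-comment line; returns a list of migrate_template results."""
    return [migrate_template(l) for l in text.splitlines() if l.strip() and not l.startswith("#")]


# Constructed sample of old-style templates, not a real site's tnrhtp
SAMPLE = """\
# old-style templates
tsol_1:host_type=tsol;cipso_doi=0;min_sl=ADMIN_LOW;max_sl=ADMIN_HIGH;def_uid=60001;def_audit_mask=lo
cipso:host_type=cipso;min_sl=ADMIN_LOW;max_sl=ADMIN_HIGH
msix:host_type=msix
"""

if __name__ == "__main__":
    for new_name, attrs, notes in migrate_file(SAMPLE):
        print(new_name, attrs)
        for note in notes:
            print("  -", note)
```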

Packets from unlabeled hosts outside a Trusted Solaris domain can be labeled for trusted routing through the secure domain to another host outside the domain using IP options. Incoming packets are labeled according to their originating host's entry in the tnrhdb, and routed through the Trusted Solaris domain according to their sensitivity level (carried in the IP option) and the trusted routing information. The label is then stripped at the exit. Note that trusted routing requires an IPv4 network; IPv6 does not support trusted routing.

The cache files /var/tsol/tn*_c are no longer used. The tnd daemon handles caching and provides tnrhdb entries to the kernel on demand.

The software supplies defaults for network interfaces. Therefore, an interface needs to be listed explicitly in the tnidb database only when its desired security attributes differ from the defaults:

min_sl  ADMIN_LOW
max_sl  ADMIN_HIGH
def_label  [ADMIN_LOW]
def_cl  ADMIN_HIGH
forced_privs none