Oracle Solaris Trusted Extensions Configuration and Administration, Oracle Solaris 11 Express 11/10
14. Remote Administration in Trusted Extensions (Tasks)
Secure Remote Administration in Trusted Extensions
Methods for Administering Remote Systems in Trusted Extensions
Remote Login by a Role in Trusted Extensions
Remote Role-Based Administration From Unlabeled Hosts
Remote Login Management in Trusted Extensions
Administering Trusted Extensions Remotely (Task Map)
How to Log In Remotely From the Command Line in Trusted Extensions
How to Enable Specific Users to Log In Remotely to the Global Zone in Trusted Extensions
How to Use Xvnc to Remotely Access a Trusted Extensions System
Administering Trusted Extensions Remotely (Task Map)

The following task map describes the tasks that are used to administer a remote Trusted Extensions system. The three procedures that follow are the ones the task map points to.
How to Log In Remotely From the Command Line in Trusted Extensions

Note - The telnet command cannot be used for remote role assumption, because telnet cannot pass the primary identity and the role identity to the pam_roles module.

Before you begin, the following must be true:
The user and the role are identically defined on the local system and on the remote system.
The role has the Remote Login authorization. By default, this authorization is in the Remote Administration rights profile and in the Maintenance and Repair rights profile.
The security administrator has completed the procedure Enable Remote Login by a Role in Trusted Extensions on every system that can be remotely administered. If a system can be administered from an unlabeled system, the procedure Enable Remote Login From an Unlabeled System has also been completed on that system.

Log in with the rlogin command, the ssh command, or the ftp command.
If you log in with rlogin -l or with ssh, all commands that are in the role's rights profiles are available.
If you log in with ftp, see the ftp(1) man page for the commands that are available.
How to Enable Specific Users to Log In Remotely to the Global Zone in Trusted Extensions

This procedure changes the user's default label range and the zone's default behavior so that a non-role user can log in remotely. You might complete this procedure for a tester who is working from a remote labeled system. For security reasons, the tester's system should run at a label that is disjoint from the labels of other users.

Before you begin, you must have a very good reason why this user is allowed to log in to the global zone, and you must be in the Security Administrator role in the global zone.

Assign a clearance of ADMIN_HIGH and a minimum label of ADMIN_LOW to each user. For details, see How to Modify a User's Label Range.
Make sure that the user's labeled zones also permit login.
Make port 513 over the TCP protocol a multilevel port for the zone. Port 513/tcp is the port of the remote login (rlogin) service. For an example, see How to Create a Multilevel Port for a Zone.
Load the updated zone configuration into the kernel, then restart the remote login service:
# tnctl -fz /etc/security/tsol/tnzonecfg
# svcadm restart svc:/network/login:rlogin
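The tnctl step above only takes effect if the MLP entry in /etc/security/tsol/tnzonecfg is actually correct for the zone, and the same file also carries the 6000-6003/tcp X display ports that the Xvnc procedure below relies on. The following script is an added example, not code from the Trusted Extensions product or its documentation: it parses a tnzonecfg-style file and reports whether a given zone declares a port/protocol as a multilevel port, treating port ranges correctly. The five-field record layout (zone_name:label:mlp_flag:zone_specific_mlps:shared_mlps, with ';'-separated port/proto or low-high/proto entries) is assumed from tnzonecfg(4), and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Trusted Extensions product code): check whether a zone
# entry in a tnzonecfg-style file declares a given port/protocol as a
# multilevel port (MLP), including when the port lies inside a declared range
# such as 6000-6003/tcp. Run it before reloading the file with tnctl so that a
# mistake in the MLP field is caught while the file is still being edited.
#
# Assumed record layout (five colon-separated fields, per tnzonecfg(4)):
#   zone_name:label:mlp_flag:zone_specific_mlps:shared_mlps
# where each MLP list is a ';'-separated set of port/proto or low-high/proto.

# Write a constructed sample file; the zones, labels and ports are
# illustrative and do not come from any real system.
write_sample_tnzonecfg() {
    cat > "$1" <<'EOF'
global:ADMIN_LOW:1:6000-6003/tcp:
public:PUBLIC:0:513/tcp;6000-6003/tcp:
internal:CONFIDENTIAL:0::
EOF
}

# has_mlp FILE ZONE PORT PROTO
# Exit status 0 if ZONE lists PORT/PROTO as a zone-specific or a shared MLP,
# 1 otherwise (including when the zone has no entry at all).
has_mlp() {
    awk -F: -v zone="$2" -v port="$3" -v proto="$4" '
        $1 == zone {
            # Field 4 is the zone-specific MLP list, field 5 the shared list.
            for (f = 4; f <= 5; f++) {
                n = split($f, specs, ";")
                for (i = 1; i <= n; i++) {
                    if (specs[i] == "") continue
                    split(specs[i], pp, "/")   # pp[1] = port or range, pp[2] = proto
                    if (pp[2] != proto) continue
                    if (index(pp[1], "-") > 0) {
                        split(pp[1], r, "-")
                        if (port + 0 >= r[1] + 0 && port + 0 <= r[2] + 0) found = 1
                    } else if (pp[1] + 0 == port + 0) {
                        found = 1
                    }
                }
            }
        }
        END { if (found) exit 0; exit 1 }
    ' "$1"
}

# describe_port FILE ZONE PORT PROTO prints "MLP" or "single-level" for the
# given zone and port, which is the distinction the rlogin and Xvnc steps
# on this page depend on: only an MLP is reachable from other labels.
describe_port() {
    if has_mlp "$1" "$2" "$3" "$4"; then
        echo "$2 $3/$4: MLP"
    else
        echo "$2 $3/$4: single-level"
    fi
}

# Stand-alone run over the constructed sample file.
main() {
    tmp="${TMPDIR:-/tmp}/tnzonecfg.sample.$$"
    write_sample_tnzonecfg "$tmp"
    describe_port "$tmp" public 513 tcp     # rlogin port declared directly
    describe_port "$tmp" public 6001 tcp    # inside the 6000-6003/tcp range
    describe_port "$tmp" public 513 udp     # wrong protocol
    describe_port "$tmp" internal 513 tcp   # zone with no MLPs
    describe_port "$tmp" global 6003 tcp    # upper bound of the range
    rm -f "$tmp"
}
main
```

On a real system, point has_mlp at /etc/security/tsol/tnzonecfg and the zone you edited; a "single-level" answer for 513/tcp means the tnctl and svcadm steps above will not make rlogin reachable from the labeled zone.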
How to Use Xvnc to Remotely Access a Trusted Extensions System

Virtual Network Computing (vnc) technology connects a client to a remote server and displays the desktop of the remote server in a window on the client. Xvnc is the UNIX version of vnc and is based on a standard X server. In Trusted Extensions, a client on any platform can connect to an Xvnc server that is running Trusted Extensions software, log in to that server, and then display and work on a multilevel desktop.

Before you begin, the following must be true:
You have installed and configured Trusted Extensions software on the system that is going to be used as the Xvnc server.
You have created and booted the labeled zones on that system.
Your Xvnc server recognizes the vnc clients by hostname or by IP address.
You are superuser in the global zone of the system that is going to be used as the Xvnc server.
For more information, see the Xvnc(1) and vncconfig(1) man pages.

Oracle Solaris uses GNOME Display Manager (GDM) version 2.8. In this GDM version, Xvnc is configured by using the ConsoleKit interfaces, which manage session switching and session migration for mechanisms such as virtual terminals. To modify the interfaces for Xvnc, see the section "ConsoleKit Display Configuration" in the console-kit-daemon(1M) man page.
Follow option 3 in the following blog entry: Configuring xvnc for Trusted Extensions.
Because Trusted Extensions requires all zones to connect to the Xvnc server in the global zone, you must do one of the following:
Make Xvnc available by using UNIX domain sockets. This method is preferable because it does not require a privileged port.
Make Xvnc privileged to bind to a multilevel port (MLP) that uses the TCP protocol. Because ports 6000 through 6003 are already configured as MLPs, Xvnc must be a privileged process: assign the net_bindmlp privilege to the Xvnc process. Without this privilege, the DISPLAY variable is unix:4, which indicates that the bind is single-level, and non-global zones cannot bind to a single-level port in the global zone.
Reboot the system:
# reboot
After the reboot, verify that the Xvnc program is running:
# ps -ef | grep Xvnc
root  2145   932  0   Apr 10 ?    6:15 /usr/X11/bin/Xvnc ...
On the client system, you have a choice of software. For example, you can use the Sun vnc software from the Oracle Solaris repository:
% /usr/bin/vncviewer Xvnc-server-hostname
Continue with the login procedure. For a description of the remaining steps, see Logging In to Trusted Extensions in Oracle Solaris Trusted Extensions User Guide.
If you logged in to the server as superuser, you can administer the server immediately. If you logged in to the server as a user, you must assume a role to administer the system.