JavaScript is required to for searching.
Skip Navigation Links
Exit Print View
Oracle Solaris Trusted Extensions Configuration and Administration     Oracle Solaris 11 Express 11/10
search filter icon
search icon

Document Information


Part I Initial Configuration of Trusted Extensions

1.  Security Planning for Trusted Extensions

2.  Configuration Roadmap for Trusted Extensions

3.  Adding Trusted Extensions Software to the Oracle Solaris OS (Tasks)

Initial Setup Team Responsibilities

Preparing the Oracle Solaris OS and Adding Trusted Extensions

Install an Oracle Solaris System Securely

Prepare an Installed Oracle Solaris System for Trusted Extensions

Add Trusted Extensions Packages to an Oracle Solaris System

Collecting Information and Making Decisions Before Enabling Trusted Extensions

Collect System Information Before Enabling Trusted Extensions

Secure System Hardware and Make Security Decisions Before Enabling Trusted Extensions

Enabling the Trusted Extensions Service

Enable Trusted Extensions

4.  Configuring Trusted Extensions (Tasks)

5.  Configuring LDAP for Trusted Extensions (Tasks)

6.  Configuring a Headless System With Trusted Extensions (Tasks)

Part II Administration of Trusted Extensions

7.  Trusted Extensions Administration Concepts

8.  Trusted Extensions Administration Tools

9.  Getting Started as a Trusted Extensions Administrator (Tasks)

10.  Security Requirements on a Trusted Extensions System (Overview)

11.  Administering Security Requirements in Trusted Extensions (Tasks)

12.  Users, Rights, and Roles in Trusted Extensions (Overview)

13.  Managing Users, Rights, and Roles in Trusted Extensions (Tasks)

14.  Remote Administration in Trusted Extensions (Tasks)

15.  Trusted Extensions and LDAP (Overview)

16.  Managing Zones in Trusted Extensions (Tasks)

17.  Managing and Mounting Files in Trusted Extensions (Tasks)

18.  Trusted Networking (Overview)

19.  Managing Networks in Trusted Extensions (Tasks)

20.  Multilevel Mail in Trusted Extensions (Overview)

21.  Managing Labeled Printing (Tasks)

22.  Devices in Trusted Extensions (Overview)

23.  Managing Devices for Trusted Extensions (Tasks)

24.  Trusted Extensions Auditing (Overview)

25.  Software Management in Trusted Extensions (Reference)

A.  Site Security Policy

Creating and Managing a Security Policy

Site Security Policy and Trusted Extensions

Computer Security Recommendations

Physical Security Recommendations

Personnel Security Recommendations

Common Security Violations

Additional Security References

B.  Configuration Checklist for Trusted Extensions

Checklist for Configuring Trusted Extensions

C.  Quick Reference to Trusted Extensions Administration

Administrative Interfaces in Trusted Extensions

Oracle Solaris Interfaces Extended by Trusted Extensions

Tighter Security Defaults in Trusted Extensions

Limited Options in Trusted Extensions

D.  List of Trusted Extensions Man Pages

Trusted Extensions Man Pages in Alphabetical Order

Oracle Solaris Man Pages That Are Modified by Trusted Extensions



Collecting Information and Making Decisions Before Enabling Trusted Extensions

For each system on which Trusted Extensions is going to be configured, you need to make some configuration decisions. For example, you need to decide whether to install the default Trusted Extensions configuration, or customize your configuration.

Collect System Information Before Enabling Trusted Extensions

Before You Begin

If you are using DHCP, skip this task.

  1. Determine the system's main hostname and IP address.

    The hostname is the name of the host on the network, and is the global zone. On an Oracle Solaris system, the getent command returns the hostname, as in:

    # getent hosts machine1   machine1
  2. Determine the IP address assignments for labeled zones.

    A system with two IP addresses can function as a multilevel server. A system with one IP address must have access to a multilevel server in order to print or perform multilevel tasks. For a discussion of IP address options, see Planning for Multilevel Access.

    Servers require one IP address for the global zone and a second IP address for the labeled zones. The following is a host with a second IP address for labeled zones:

    # getent hosts machine1-zones   machine1-zones

Secure System Hardware and Make Security Decisions Before Enabling Trusted Extensions

For each system on which Trusted Extensions is going to be configured, make these configuration decisions before enabling the software.

  1. Decide how securely the system hardware needs to be protected.

    At a secure site, this step is performed on every Oracle Solaris system.

    • For SPARC systems, choose a PROM security level and provide a password.

    • For x86 systems, protect the BIOS.

    • On all systems, protect root with a password.

  2. Prepare your label_encodings file.

    If you have a site-specific label_encodings file, the file must be checked and installed before other configuration tasks can be started. If your site does not have a label_encodings file, you can use the default file that Oracle supplies. Oracle also supplies other label_encodings files, which you can find in the /etc/security/tsol directory. The Oracle files are demonstration files. They might not be suitable for production systems.

    To customize a file for your site, see Oracle Solaris Trusted Extensions Label Administration.

  3. From the list of labels in your label_encodings file, make a list of the labeled zones that you plan to create.

    For the default label_encodings file, the labels are the following, and the zone names can be similar to the following:

    The table displays the full label names and suggested zone names.
    Zone Name

    Note - The automatic configuration method creates the public and needtoknow zones.

    For ease of NFS mounting, the zone name of a particular label must be identical on every system. Some systems, such as multilevel print servers, do not need to have labeled zones installed. However, if you do install labeled zones on a print server, the zone names must be identical to the zone names of other systems on your network.

  4. Decide when to create roles.

    Your site's security policy can require you to administer Trusted Extensions by assuming a role. If so, or if you are configuring the system to satisfy criteria for an evaluated configuration, you must create additional roles early in the configuration process.

    If you are not required to configure the system by using discrete roles, you can choose to configure the system in the root role. This method of configuration is less secure. The root role can perform all tasks on the system, while other roles typically perform a more limited set of tasks. Therefore, configuration is more controlled when being performed by the roles that you create.

  5. Decide other security issues for each system and for the network.

    For example, you might want to consider the following security issues:

    • Determine which devices can be attached to the system and allocated for use.

    • Identify which printers at what labels are accessible from the system.

    • Identify any systems that have a limited label range, such as a gateway system or a public kiosk.

    • Identify which labeled systems can communicate with particular unlabeled systems.