| Skip Navigation Links | |
| Exit Print View | |
|
Trusted Extensions Configuration and Administration Oracle Solaris 11 Information Library |
| Skip Navigation Links | |
| Exit Print View | |
|
|
Trusted Extensions Configuration and Administration Oracle Solaris 11 Information Library |
Part I Initial Configuration of Trusted Extensions
1. Security Planning for Trusted Extensions
2. Configuration Roadmap for Trusted Extensions
3. Adding the Trusted Extensions Feature to Oracle Solaris (Tasks)
4. Configuring Trusted Extensions (Tasks)
5. Configuring LDAP for Trusted Extensions (Tasks)
Part II Administration of Trusted Extensions
6. Trusted Extensions Administration Concepts
7. Trusted Extensions Administration Tools
8. Security Requirements on a Trusted Extensions System (Overview)
9. Performing Common Tasks in Trusted Extensions (Tasks)
10. Users, Rights, and Roles in Trusted Extensions (Overview)
11. Managing Users, Rights, and Roles in Trusted Extensions (Tasks)
12. Remote Administration in Trusted Extensions (Tasks)
Remote Administration in Trusted Extensions
Configuring and Administering Remote Systems in Trusted Extensions (Task Map)
Enable Remote Administration of a Remote Trusted Extensions System
How to Configure a Trusted Extensions System With Xvnc for Remote Access
How to Log In and Administer a Remote Trusted Extensions System
13. Managing Zones in Trusted Extensions (Tasks)
14. Managing and Mounting Files in Trusted Extensions (Tasks)
15. Trusted Networking (Overview)
16. Managing Networks in Trusted Extensions (Tasks)
17. Trusted Extensions and LDAP (Overview)
18. Multilevel Mail in Trusted Extensions (Overview)
19. Managing Labeled Printing (Tasks)
20. Devices in Trusted Extensions (Overview)
21. Managing Devices for Trusted Extensions (Tasks)
22. Trusted Extensions Auditing (Overview)
23. Software Management in Trusted Extensions (Reference)
Creating and Managing a Security Policy
Site Security Policy and Trusted Extensions
Computer Security Recommendations
Physical Security Recommendations
Personnel Security Recommendations
Additional Security References
B. Configuration Checklist for Trusted Extensions
Checklist for Configuring Trusted Extensions
C. Quick Reference to Trusted Extensions Administration
Administrative Interfaces in Trusted Extensions
Oracle Solaris Interfaces Extended by Trusted Extensions
Tighter Security Defaults in Trusted Extensions
Limited Options in Trusted Extensions
D. List of Trusted Extensions Man Pages
Trusted Extensions Man Pages in Alphabetical Order
Oracle Solaris Man Pages That Are Modified by Trusted Extensions
In Trusted Extensions, you must use the ssh protocol with host-based authentication to reach and administer the remote system. Host-based authentication enables an identically-named user account to assume a role on the remote Trusted Extensions.
When host-based authentication is used, the ssh client sends both the original username and the role name to the remote system, the server. With this information, the server can pass sufficient content to the pam_roles module to enable role assumption without the user account logging in to the server.
The following methods of remote administration are possible in Trusted Extensions:
Administer from a Trusted Extensions system – For the most secure remote administration, both systems assign their peer to a CIPSO security template. See Example 12-1.
Administer from an unlabeled system – If administration by a Trusted Extensions system is not practical, the network protocol policy can be relaxed by specifying the allow_unlabeled option for the pam_tsol_account module in the pam.conf file.
If this policy is relaxed, the default security template must be changed so that arbitrary systems cannot reach the global zone. The admin_low template should be used sparingly, and the wildcard address 0.0.0.0 must not default to the ADMIN_LOW label. For details, see How to Limit the Hosts That Can Be Contacted on the Trusted Network.
In either administrative scenario, to use the root role for remote login, you must relax PAM policy by specifying the allow_remote option for the pam_roles module.
Typically, administrators use the ssh command to administer remote systems from the command line. With the -X option, Trusted Extensions administrative GUIs can be used.
Also, you can configure the remote Trusted Extensions with the Xvnc server. Then, a Virtual Network Computing (VNC) connection can be used to display the remote multilevel desktop and administer the system. See How to Configure a Trusted Extensions System With Xvnc for Remote Access.
|