JavaScript is required to for searching.
Skip Navigation Links
Exit Print View
Trusted Extensions Configuration and Administration     Oracle Solaris 11.1 Information Library
search filter icon
search icon

Document Information


Part I Initial Configuration of Trusted Extensions

1.  Security Planning for Trusted Extensions

2.  Configuration Roadmap for Trusted Extensions

3.  Adding the Trusted Extensions Feature to Oracle Solaris (Tasks)

4.  Configuring Trusted Extensions (Tasks)

5.  Configuring LDAP for Trusted Extensions (Tasks)

Part II Administration of Trusted Extensions

6.  Trusted Extensions Administration Concepts

7.  Trusted Extensions Administration Tools

8.  Security Requirements on a Trusted Extensions System (Overview)

9.  Performing Common Tasks in Trusted Extensions

10.  Users, Rights, and Roles in Trusted Extensions (Overview)

11.  Managing Users, Rights, and Roles in Trusted Extensions (Tasks)

12.  Remote Administration in Trusted Extensions (Tasks)

13.  Managing Zones in Trusted Extensions

14.  Managing and Mounting Files in Trusted Extensions

15.  Trusted Networking (Overview)

16.  Managing Networks in Trusted Extensions (Tasks)

17.  Trusted Extensions and LDAP (Overview)

18.  Multilevel Mail in Trusted Extensions (Overview)

19.  Managing Labeled Printing (Tasks)

20.  Devices in Trusted Extensions (Overview)

Device Protection With Trusted Extensions Software

Device Label Ranges

Effects of Label Range on a Device

Device Access Policies

Device-Clean Scripts

Device Manager GUI

Enforcement of Device Security in Trusted Extensions

Devices in Trusted Extensions (Reference)

21.  Managing Devices for Trusted Extensions (Tasks)

22.  Trusted Extensions Auditing (Overview)

23.  Software Management in Trusted Extensions

A.  Site Security Policy

Creating and Managing a Security Policy

Site Security Policy and Trusted Extensions

Computer Security Recommendations

Physical Security Recommendations

Personnel Security Recommendations

Common Security Violations

Additional Security References

B.  Configuration Checklist for Trusted Extensions

Checklist for Configuring Trusted Extensions

C.  Quick Reference to Trusted Extensions Administration

Administrative Interfaces in Trusted Extensions

Oracle Solaris Interfaces Extended by Trusted Extensions

Tighter Security Defaults in Trusted Extensions

Limited Options in Trusted Extensions

D.  List of Trusted Extensions Man Pages

Trusted Extensions Man Pages in Alphabetical Order

Oracle Solaris Man Pages That Are Modified by Trusted Extensions



Device Protection With Trusted Extensions Software

On an Oracle Solaris system, devices can be protected by allocation and by authorization. By default, devices are available to regular users without an authorization. A system that is configured with the Trusted Extensions feature uses the device protection mechanisms of the Oracle Solaris OS.

However, by default, Trusted Extensions requires that a device be allocated for use, and that the user be authorized to use the device. In addition, devices are protected by labels. Trusted Extensions provides a graphical user interface (GUI) for administrators to manage devices. The same interface is used by users to allocate devices.

Note - In Trusted Extensions, users cannot use the allocate and deallocate commands. Users must use the Device Manager.

For information about device protection in Oracle Solaris, see Chapter 5, Controlling Access to Devices (Tasks), in Oracle Solaris 11.1 Administration: Security Services.

On a system that is configured with Trusted Extensions, two roles protect devices.

The following are the main features of device control with Trusted Extensions software:

Device Label Ranges

To prevent users from copying sensitive information, each allocatable device has a label range. To use an allocatable device, the user must be currently operating at a label within the device's label range. If the user is not, allocation is denied. The user's current label is applied to data that is imported or exported while the device is allocated to the user. The label of exported data is displayed when the device is deallocated. The user must physically label the medium that contains the exported data.

Effects of Label Range on a Device

To restrict direct login access through the console, the security administrator can set a restricted label range on the frame buffer.

For example, a restricted label range might be specified to limit access to a publicly accessible system. The label range enables users to access the system only at a label within the frame buffer's label range.

When a host has a local printer, a restricted label range on the printer limits the jobs that can be printed on the printer.

Device Access Policies

Trusted Extensions follows the same device policies as Oracle Solaris. The security administrator can change default policies and define new policies. The getdevpolicy command retrieves information about device policy, and the update_drv command changes device policy. For more information, see Configuring Device Policy (Task Map) in Oracle Solaris 11.1 Administration: Security Services. See also the getdevpolicy(1M) and update_drv(1M) man pages.

Device-Clean Scripts

A device-clean script is run when a device is allocated or deallocated. Oracle Solaris provides scripts for tape drives, CD-ROM drives, and diskette drives. If your site adds allocatable device types to the system, the added devices might need scripts. To see existing scripts, go to the /etc/security/lib directory. For more information, see Device-Clean Scripts in Oracle Solaris 11.1 Administration: Security Services.

For Trusted Extensions software, device-clean scripts must satisfy certain requirements. These requirements are described in the device_clean(5) man page.