Trusted Extensions Configuration and Administration (Oracle Solaris 11.1 Information Library)
12. Remote Administration in Trusted Extensions (Tasks)
Methods for Administering Remote Systems in Trusted Extensions
Remote administration presents a significant security risk, particularly from users on untrusted systems. By default, Trusted Extensions does not allow remote administration from any system.
Until the network is configured, all remote hosts are assigned the admin_low security template, that is, they are recognized as unlabeled hosts. Until the labeled zones are configured, the only zone available is the global zone. In Trusted Extensions, the global zone is the administrative zone. Only a role can access it. Specifically, an account must have a label range from ADMIN_LOW to ADMIN_HIGH to reach the global zone.
While in this initial state, Trusted Extensions systems are protected from remote attacks by several mechanisms: the netservices setting, the default ssh policy, the default login policy, and the default PAM policy.
At installation, no remote services except secure shell are enabled to listen on the network.
However, the ssh, login, and PAM policies prevent the root account and roles from using the ssh service for remote login.
The root account cannot be used for remote logins because root is a role. Roles cannot log in, as enforced by PAM.
Even if root is changed to a user account, the default login and ssh policies prevent remote logins by the root user.
Two default PAM values prevent remote logins:
The pam_roles module rejects local and remote logins from accounts of type role.
A Trusted Extensions PAM module, pam_tsol_account, rejects remote logins into the global zone unless the CIPSO protocol is used. The intent of this policy is that remote administration be performed from another Trusted Extensions system.
So, as on an Oracle Solaris system, remote administration must be configured explicitly. Trusted Extensions adds two configuration requirements: the label range that is required to reach the global zone, and the pam_tsol_account module.
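The following is an added example, not code from the Oracle documentation: a small shell audit of the three default protections described above (ssh policy, login policy, and the two PAM modules), run against constructed copies of the configuration files so it executes anywhere. The real Solaris 11.1 locations are assumed to be /etc/ssh/sshd_config, /etc/default/login and the PAM files under /etc/pam.d; verify them against your release.

```shell
#!/bin/sh
# Added example (not from the Oracle documentation). Audits the default
# remote-login protections this section describes, using constructed sample
# files. Assumed real paths: /etc/ssh/sshd_config, /etc/default/login, /etc/pam.d/other.

# 0 if sshd refuses root logins (PermitRootLogin no). A missing directive is
# treated as permissive, because OpenSSH did not always default to "no".
ssh_denies_root() {
  grep -Eiq '^[[:space:]]*PermitRootLogin[[:space:]]+no([[:space:]]|$)' "$1"
}

# 0 if the login policy pins root to the console (CONSOLE=/dev/console).
login_pins_root_to_console() {
  grep -Eq '^[[:space:]]*CONSOLE=' "$1"
}

# 0 if the PAM stack lists the named module on a non-comment line.
pam_stack_has() {
  grep -Eq '^[^#]*[[:space:]]'"$2"'([[:space:]]|$)' "$1"
}

# Prints one line per protection; returns the number of protections missing.
audit_remote_admin_defaults() {
  missing=0
  if ssh_denies_root "$1"; then echo "ssh policy: PermitRootLogin no"
  else echo "ssh policy: root login over ssh PERMITTED"; missing=$((missing+1)); fi
  if login_pins_root_to_console "$2"; then echo "login policy: CONSOLE set"
  else echo "login policy: CONSOLE unset"; missing=$((missing+1)); fi
  for m in pam_roles.so.1 pam_tsol_account.so.1; do
    if pam_stack_has "$3" "$m"; then echo "PAM policy: $m present"
    else echo "PAM policy: $m MISSING"; missing=$((missing+1)); fi
  done
  return $missing
}

# Constructed samples: the Trusted Extensions default beside a weakened sshd config.
SAMPLES=$(mktemp -d); trap 'rm -rf "$SAMPLES"' EXIT
printf '# constructed default\nPermitRootLogin no\n' > "$SAMPLES/sshd_config.default"
printf '# constructed weak setting\nPermitRootLogin yes\n' > "$SAMPLES/sshd_config.weak"
printf 'CONSOLE=/dev/console\n' > "$SAMPLES/login"
cat > "$SAMPLES/pam.other" <<'EOF'
# constructed sample; a real file lists further modules
account requisite   pam_roles.so.1
account required    pam_tsol_account.so.1
account required    pam_unix_account.so.1
EOF

audit_remote_admin_defaults "$SAMPLES/sshd_config.default" "$SAMPLES/login" "$SAMPLES/pam.other"
```

Running the audit against the weak sshd sample reports the permitted root login and returns a non-zero count, which is the condition a change-detection job would alert on.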