|Skip Navigation Links|
|Exit Print View|
|Trusted Extensions Configuration and Administration Oracle Solaris 11.1 Information Library|
Trusted Extensions uses the same security features that Oracle Solaris provides, and adds some features. For example, the Oracle Solaris OS provides eeprom protection, password requirements and strong password algorithms, system protection by locking out a user, and protection from keyboard shutdown.
Trusted Extensions differs from Oracle Solaris in that you typically administer systems by assuming a limited role. As in the Oracle Solaris OS, configuration files are modified by the root role.
In Trusted Extensions, roles are the conventional way to administer the system. Superuser is the root role, and is required for few tasks, such as setting audit flags, changing an account's password, and editing system files. Roles are created just as they are in Oracle Solaris.
The following roles are typical of a Trusted Extensions site:
root role – Created at Oracle Solaris installation
Security Administrator role – Created during or after initial configuration by the initial setup team
System Administrator role – Created during or after initial configuration by the initial setup team
To administer Trusted Extensions, you create roles that divide system and security functions.
The process of creating a role in Trusted Extensions is identical to the Oracle Solaris process. By default, roles are assigned the administrative label range of ADMIN_HIGH to ADMIN_LOW.
For an overview of role creation, see Using RBAC (Tasks) in Oracle Solaris 11.1 Administration: Security Services.
To create roles, see How to Create a Role in Oracle Solaris 11.1 Administration: Security Services.
On the trusted desktop, you can assume an assigned role by clicking your user name in the trusted stripe for the role choices. After confirming the role password, the current workspace is changed into a role workspace. A role workspace is in the global zone and has the trusted path attribute. Role workspaces are administrative workspaces.
In Trusted Extensions, you can extend existing security features. Also, Trusted Extensions provides unique security features.
The following security mechanisms that Oracle Solaris provides are extensible in Trusted Extensions as they are in Oracle Solaris:
Audit classes – Adding audit classes is described in Chapter 28, Managing Auditing (Tasks), in Oracle Solaris 11.1 Administration: Security Services.
Note - Vendors who want to add audit events need to contact an Oracle Solaris representative to reserve event numbers and obtain access to the audit interfaces.
Roles and rights profiles – Adding roles and rights profiles is described in Chapter 9, Using Role-Based Access Control (Tasks), in Oracle Solaris 11.1 Administration: Security Services.
Authorizations – For an example of adding a new authorization, see Customizing Device Authorizations in Trusted Extensions (Task Map).
As in Oracle Solaris, privileges cannot be extended.
Trusted Extensions provides the following unique security features:
Labels – Subjects and objects are labeled. Processes are labeled. Zones and the network are labeled. Workspaces and their objects are labeled.
Device Manager – By default, devices are protected by allocation requirements. The Device Manager GUI is the interface for administrators and for regular users.
TrustedExtensionsPolicy file – Administrators can change the policy on X server extensions that are unique to Trusted Extensions. For more information, see the TrustedExtensionsPolicy(4) man page.