This section contains pointers to or examples of creating security templates for the following network configurations:
The DOI is a value different from 1. See How to Configure a Different Domain of Interpretation.
Trusted remote hosts are assigned a specific label. See Example 16–1.
Untrusted remote hosts are assigned a specific label. See Example 16–2.
For more examples of security templates that address specific requirements, see Adding Hosts to Security Templates.
Before You Begin
You must be in the global zone in a role that can modify network security. For example, roles that are assigned the Information Security or Network Security rights profiles can modify security values. The Security Administrator role includes these rights profiles.
You can copy and modify these templates.
And you can add and remove hosts that are assigned to these templates. For an example, see How to Limit the Hosts That Can Be Contacted on the Trusted Network.
For labels such as CONFIDENTIAL, you can use either the label string or the hexadecimal value as the label value. The tncfg command accepts either format.
# atohexlabel "confidential : internal use only" 0x0004-08-48
For more information, see How to Obtain the Hexadecimal Equivalent for a Label.
The tncfg -t command provides three ways to create new templates.
Use the tncfg command in interactive mode. The info subcommand displays the values that are supplied by default. Press the Tab key to complete partial properties and values. Type exit to complete the template.
# tncfg -t newunlabeled tncfg:newunlabeled> info name=newunlabeled host_type=unlabeled doi=1 def_label=ADMIN_LOW min_label=ADMIN_LOW max_label=ADMIN_HIGH tncfg:newunlabeled> set mTab set max_label=" set min_label="Auto-complete shows two possible completions tncfg:newunlabeled> set maTabUser types the letter a tncfg:newunlabeled> set max_label=ADMIN_LOW ... tncfg:newunlabeled> commit tncfg:newunlabeled> exit
You can also supply the complete list of attributes for a security template on the command line. Semicolons separate the set subcommands. An omitted attribute receives the default value. For information about network security attributes, see Network Security Attributes in Trusted Extensions.
# tncfg -t newunlabeled set host_type=unlabeled;set doi=1; \ set min_label=ADMIN_LOW;set max_label=ADMIN_LOW
# tncfg -t cipso tncfg:cipso> set name=newcipso tncfg:newcipso> info name=newcipso host_type=cipso doi=1 min_label=ADMIN_LOW max_label=ADMIN_HIGH
Hosts that are assigned to the existing security template are not copied to the new template.
# tncfg -f unlab_1 -f template-file tncfg: unlab_1> set host_type=unlabeled ... # tncfg -f template-file
For an example of creating a source template for importing, see the tncfg(1M) man page.
In this example, the security administrator defines a gateway that can only pass packets at the label PUBLIC.
# tncfg -t cipso_public tncfg:cipso_public> set host_type=cipso tncfg:cipso_public> set doi=1 tncfg:cipso_public> set min_label="public" tncfg:cipso_public> set max_label="public" tncfg:cipso_public> commit tncfg:cipso_public> exit
The security administrator then adds the gateway host to the security template. For the addition, see Example 16–4.
Example 16-2 Creating an Unlabeled Security Template at the Label PUBLICIn this example, the security administrator creates an unlabeled template for untrusted hosts that can receive and send packets at the PUBLIC label only. This template might be assigned to hosts whose file systems must be mounted at the PUBLIC label by Trusted Extensions systems.
# tncfg -t public tncfg:public> set host_type=unlabeled tncfg:public> set doi=1 tncfg:public> set def_label="public" tncfg:public> set min_sl="public" tncfg:public> set max_sl="public" tncfg:public> exit
The security administrator then adds hosts to the security template. For the addition, see Example 16–15.