1. Security Planning for Trusted Extensions
2. Configuration Roadmap for Trusted Extensions
3. Adding Trusted Extensions Software to the Solaris OS (Tasks)
4. Configuring Trusted Extensions (Tasks)
Setting Up the Global Zone in Trusted Extensions
Check and Install Your Label Encodings File
Enable IPv6 Networking in Trusted Extensions
Configure the Domain of Interpretation
Create ZFS Pool for Cloning Zones
Reboot and Log In to Trusted Extensions
Initialize the Solaris Management Console Server in Trusted Extensions
Make the Global Zone an LDAP Client in Trusted Extensions
Configure the Network Interfaces in Trusted Extensions
Copy or Clone a Zone in Trusted Extensions
Adding Network Interfaces and Routing to Labeled Zones
Add a Network Interface to Route an Existing Labeled Zone
Add a Network Interface That Does Not Use the Global Zone to Route an Existing Labeled Zone
Configure a Name Service Cache in Each Labeled Zone
Creating Roles and Users in Trusted Extensions
Create Rights Profiles That Enforce Separation of Duty
Create the Security Administrator Role in Trusted Extensions
Create a Restricted System Administrator Role
Create Users Who Can Assume Roles in Trusted Extensions
Verify That the Trusted Extensions Roles Work
Enable Users to Log In to a Labeled Zone
Creating Home Directories in Trusted Extensions
Create the Home Directory Server in Trusted Extensions
Enable Users to Access Their Home Directories in Trusted Extensions
Adding Users and Hosts to an Existing Trusted Network
Add an NIS User to the LDAP Server
Troubleshooting Your Trusted Extensions Configuration
netservices limited Was Run After Trusted Extensions Was Enabled
Cannot Open the Console Window in a Labeled Zone
Labeled Zone Is Unable to Access the X Server
Additional Trusted Extensions Configuration Tasks
How to Copy Files to Portable Media in Trusted Extensions
5. Configuring LDAP for Trusted Extensions (Tasks)
6. Configuring a Headless System With Trusted Extensions (Tasks)
B. Using CDE Actions to Install Zones in Trusted Extensions
The following two tasks enable you to transfer exact copies of configuration files to every Trusted Extensions system at your site. The final task enables you to remove Trusted Extensions customizations from a Solaris system.
When copying to portable media, label the media with the sensitivity label of the information.
Note - During Trusted Extensions configuration, superuser or an equivalent role copies administrative files to and from portable media. Label the media with Trusted Path.
To copy administrative files, you must be superuser or in a role in the global zone.
Use the Device Allocation Manager, and insert clean media. For details, see How to Allocate a Device in Trusted Extensions in Oracle Solaris Trusted Extensions User’s Guide.
In Solaris Trusted Extensions (CDE), a File Manager displays the contents of the portable media.
In Solaris Trusted Extensions (JDS), a File Browser displays the contents.
In this procedure, File Browser is used to refer to this GUI.
For example, you might have copied files to an /export/clientfiles folder.
For details, see How to Deallocate a Device in Trusted Extensions in Oracle Solaris Trusted Extensions User’s Guide.
Note - Remember to physically affix a label to the media with the sensitivity label of the copied files.
Example 4-9 Keeping Configuration Files Identical on All Systems
The system administrator wants to ensure that every machine is configured with the same settings. So, on the first machine that is configured, she creates a directory that cannot be deleted between reboots. In that directory, the administrator places the files that should be identical or very similar on all systems.
For example, she copies the Trusted Extensions toolbox that the Solaris Management Console uses for the LDAP scope, /var/sadm/smc/toolboxes/tsol_ldap/tsol_ldap.tbx. She has customized remote host templates in the tnrhtp file, has a list of DNS servers, and audit configuration files. She also modified the policy.conf file for her site. So, she copies the files to the permanent directory.
# mkdir /export/commonfiles # cp /etc/security/policy.conf \ /etc/security/audit_control \ /etc/security/audit_startup \ /etc/security/tsol/tnrhtp \ /etc/resolv.conf \ /etc/nsswitch.conf \ /export/commonfiles
She uses the Device Allocation Manager to allocate a diskette in the global zone, and transfers the files to the diskette. On a separate diskette, labeled ADMIN_HIGH, she puts the label_encodings file for the site.
When she copies the files onto a system, she modifies the dir: entries in the /etc/security/audit_control file for that system.
It is safe practice to rename the original Trusted Extensions file before replacing the file. When configuring a system, the root role renames and copies administrative files.
To copy administrative files, you must be superuser or in a role in the global zone.
For details, see How to Allocate a Device in Trusted Extensions in Oracle Solaris Trusted Extensions User’s Guide.
In Solaris Trusted Extensions (CDE), a File Manager displays the contents of the portable media.
In Solaris Trusted Extensions (JDS), a File Browser displays the contents.
In this procedure, File Browser is used to refer to this GUI.
For example, add .orig to the end of the original file:
# cp /etc/security/tsol/tnrhtp /etc/security/tsol/tnrhtp.orig
For details, see How to Deallocate a Device in Trusted Extensions in Oracle Solaris Trusted Extensions User’s Guide.
Example 4-10 Loading Audit Configuration Files in Trusted Extensions
In this example, roles are not yet configured on the system. The root user needs to copy configuration files to portable media. The contents of the media will then be copied to other systems. These files are to be copied to each system that is configured with Trusted Extensions software.
The root user allocates the floppy_0 device in the Device Allocation Manager and responds yes to the mount query. Then, the root user inserts the diskette with the configuration files and copies them to the disk. The diskette is labeled Trusted Path.
To read from the media, the root user allocates the device on the receiving host, then downloads the contents.
If the configuration files are on a tape, the root user allocates the mag_0 device. If the configuration files are on a CD-ROM, the root user allocates the cdrom_0 device.
To remove Trusted Extensions from your Solaris system, you perform specific steps to remove Trusted Extensions customizations to the Solaris system.
For details, see How to Remove a Non-Global Zone in System Administration Guide: Oracle Solaris Containers-Resource Management and Oracle Solaris Zones.
# svcadm disable labeld
For the effect of this command, see the bsmunconv(1M) man page.
Various services might need to be configured for your Solaris system. Candidates include auditing, basic networking, naming services, and file system mounts.