test

Solaris Trusted Extensions Administrator's Procedures

Chapter 3 Adding Solaris Trusted Extensions Software to the Solaris OS (Tasks)

This chapter describes how to prepare the Solaris OS for Solaris Trusted Extensions software. This chapter also describes the information you need before enabling Trusted Extensions. Instructions on how to enable Trusted Extensions is also provided.

Initial Setup Team Responsibilities

Trusted Extensions software is designed to be enabled and configured by two people with distinct responsibilities. However, the Solaris installation program does not enforce this two-role task division. Instead, task division is enforced by roles. Because roles and users are not created until after installation, it is a good practice to have an initial setup team of at least two people present to enable and configure Trusted Extensions software.

Installing or Upgrading the Solaris OS for Trusted Extensions

The choice of Solaris installation options can affect the use and security of Trusted Extensions:

ProcedureInstall a Solaris System to Support Trusted Extensions

This task applies to fresh installations of the Solaris OS. If you are upgrading, see Prepare an Installed Solaris System for Trusted Extensions.

Install the Trusted Extensions Package After upgrading to the latest Dev release, and rebooting the system, open the Package Manager again to get the Trusted Extensions package. Enter trusted in the Search text area to get a list of Trusted Extensions packages. Select trusted-extensions . Then select Install/Update. There is also a new trusted-nonglobal package which enumerates the initial set of packages required in a labeled brand zone to run the Trusted Desktop. This will be retrieved from the repository when you install your first zone.

  1. When installing the Solaris OS, create a user account and the root role account.

    In Trusted Extensions, you use the root role to configure the system.

  2. Assign a different password to each account.

  3. After the default installation of OpenSolaris 2010.03 is completed, start the Package Manager.

  4. Install the Trusted Extensions package.

    1. For list of Trusted Extensions packages, type trusted in the Search text area.

    2. Select trusted-extensions.

    3. Select Install/Update.

    The correct packages are installed on your system.

ProcedurePrepare an Installed Solaris System for Trusted Extensions

This task applies to Solaris systems that have been in use, and on which you plan to run Trusted Extensions. Also, to run Trusted Extensions on an upgraded Solaris system, follow this procedure. Other tasks that might modify an installed Solaris system can be done during Trusted Extensions configuration.

Before You Begin

Trusted Extensions cannot be enabled in some Solaris environments:

  1. If non-global zones are installed on your system, remove them.

    Trusted Extensions use branded zones.

  2. If your system does not have a root password, create one.

    Administration tools in Trusted Extensions require passwords. If the root user does not have a password, then root cannot configure the system.

    Use the default crypt_unix password encryption method for the root user. For details, see Managing Password Information in System Administration Guide: Security Services.

    Note –

    Users must not disclose their passwords to another person, as that person might then have access to the data of the user and will not be uniquely identified or accountable. Note that disclosure can be direct, through the user deliberately disclosing her/his password to another person, or indirect, for example, through writing it down, or choosing an insecure password. The Solaris OS provides protection against insecure passwords, but cannot prevent a user from disclosing her or his password, or from writing it down.

  3. If you have created an xorg.conf file, you need to modify it.

    Add the following line to the end of the Module section in the /etc/X11/xorg.conf file.


    load "xtsol"
    Note –

    By default, the xorg.conf file does not exist. Do nothing if this file does not exist.

  4. (Optional) Dedicate a partition for audit files.

    Trusted Extensions enables auditing by default. For audit files, best practice is to create a dedicated partition.

Collecting Information and Making Decisions Before Enabling Trusted Extensions

For each system on which Solaris Trusted Extensions is going to be configured, you need to know some information, and make some decisions about configuration. For example, because you are going to create labeled zones, you might want to set aside disk space where the zones can be cloned as a Solaris ZFSTM File System. Solaris ZFS provides additional isolation for the zones.

ProcedureCollect System Information Before Enabling Trusted Extensions

  1. Determine the system's main hostname and IP address.

    If you are using DHCP, skip this step.

    The hostname is the name of the host on the network, and is the global zone. On a Solaris system, the getent command returns the hostname, as in:


    # getent hosts machine1
192.168.0.11   machine1

  2. Determine the IP address assignments for labeled zones.

    If you are using DHCP, skip this step.

    A system with two IP addresses can function as a multilevel server. A system with one IP address must have access to a multilevel server in order to print or perform multilevel tasks. For a discussion of IP address options, see Planning for Multilevel Access.

    Most systems require a second IP address for the labeled zones. For example, the following is a host with a second IP address for labeled zones:


    # getent hosts machine1-zones
192.168.0.12   machine1-zones

  3. Collect LDAP configuration information.

    For the LDAP server that is running Trusted Extensions software, you need the following information:

    • The name of the Trusted Extensions domain that the LDAP server serves

    • The IP address of the LDAP server

    • The LDAP profile name that will be loaded

    For an LDAP proxy server, you also need the password for the LDAP proxy.

ProcedureMake System and Security Decisions Before Enabling Trusted Extensions

For each system on which Solaris Trusted Extensions is going to be configured, make these configuration decisions before enabling the software.

  1. Decide how securely the system hardware needs to be protected.

    At a secure site, this step has been done for every installed Solaris system.

    • For SPARC systems, a PROM security level and password has been provided.

    • For x86 systems, the BIOS is protected.

    • On all systems, root is protected with a password.

  2. Prepare your label_encodings file.

    If you have a site-specific label_encodings file, the file must be checked and installed before other configuration tasks can be started. If your site does not have a label_encodings file, you can use the default file that Sun supplies. Sun also supplies other label_encodings files, which you can find in the /etc/security/tsol directory. The Sun files are demonstration files. They might not be suitable for production systems.

    To customize a file for your site, see Solaris Trusted Extensions Label Administration.

  3. From the list of labels in your label_encodings file, make a list of the labeled zones that you need to create.

    For the default label_encodings file, the labels are the following, and the zone names can be similar to the following:

    Label 

    Zone Name 

    PUBLIC

    public

    CONFIDENTIAL : INTERNAL

    internal

    CONFIDENTIAL : NEED TO KNOW

    needtoknow

    CONFIDENTIAL : RESTRICTED

    restricted

    For ease of NFS mounting, the zone name of a particular label must be identical on every system. Some systems, such as multilevel print servers, do not need to have labeled zones installed. However, if you do install labeled zones on a print server, the zone names must be identical to the zone names of other systems on your network.

  4. Decide when to create roles.

    Your site's security policy can require you to administer Trusted Extensions by assuming a role. If so, or if you are configuring the system to satisfy criteria for an evaluated configuration, you must create roles early in the configuration process.

    If you are not required to configure the system by using roles, you can choose to configure the system as superuser. This method of configuration is less secure. Audit records do not indicate which user was superuser during configuration. Superuser can perform all tasks on the system, while a role can perform a more limited set of tasks. Therefore, configuration is more controlled when being performed by roles.

  5. Choose a zone creation method.

    You can create zones from scratch or clone zones. These methods differ in speed of creation. For the trade-offs, see Planning for Zones in Trusted Extensions.

  6. Plan your LDAP configuration.

    Using local files for administration is practical for non-networked systems.

    LDAP is the naming service for a networked environment. A populated LDAP server is required when you configure several machines.

    • If you have an existing Sun JavaTM System Directory Server (LDAP server), you can create an LDAP proxy server on a system that is running Trusted Extensions. The multilevel proxy server handles communications with the unlabeled LDAP server.

    • If you do not have an LDAP server, you can configure a system that runs Trusted Extensions software as a multilevel LDAP server.

  7. Decide other security issues for each system and for the network.

    For example, you might want to consider the following security issues:

    • Determine which devices can be attached to the system and allocated for use.

    • Identify which printers at what labels are accessible from the system.

    • Identify any systems that have a limited label range, such as a gateway system or a public kiosk.

    • Identify which labeled systems can communicate with particular unlabeled systems.

Enabling the Solaris Trusted Extensions Service

In the Solaris OS, Solaris Trusted Extensions is a service that is managed by the service management facility (SMF). The name of the service is svc:/system/labeld:default. By default, the labeld service is disabled.

ProcedureEnable Solaris Trusted Extensions

The labeld service attaches labels to communications endpoints. For example, the following are labeled:

Before You Begin

You have completed the tasks in Installing or Upgrading the Solaris OS for Trusted Extensions and Collecting Information and Making Decisions Before Enabling Trusted Extensions.

  1. Open a terminal window and enable the labeld service.


    # svcadm enable -s labeld

    The labeld service adds labels to the system and starts the Solaris auditing service and device allocation. Do not perform other tasks until the cursor returns to the prompt.

  2. Verify that the service is enabled.


    # svcs -x labeld
svc:/system/labeld:default (Trusted Extensions)
 State: online since weekday month date hour:minute:second year
   See: labeld(1M)
Impact: None.

  3. If you plan to perform any of the following tasks, do not reboot:

    • Protect the hardware.

    • Install your own label_encodings file.

    • Run on an IPv6 network.

    • Modify the CIPSO DOI.

      To perform any of these tasks, see Setting Up the Global Zone in Trusted Extensions. You will reboot after these tasks are accomplished.

  4. Otherwise, reboot.