The Big Picture

This section outlines the planning required before installing and configuring the Trusted Solaris operating environment.

• "Understand the Trusted Solaris Environment."

• "Devise an Administration Strategy."

• "Devise a Label Strategy."

• "Plan Workstation Hardware and Capacity."

• "Plan Your Network."

• "Plan Auditing."

• "Devise an Installation and Configuration Strategy."

• "Collect Information."

• "Back Up the Workstation."

• "Install the Trusted Solaris Software."

• "Configure the Software."

Understand the Trusted Solaris Environment.

Installation and configuration of the Trusted Solaris environment involves more than loading executable files, entering your site's data, and setting configuration variables; it requires considerable background. Trusted Solaris provides a unique environment based on the following concepts:

• Superuser has been eliminated. No one can log in as or su to root.

• Capabilities formerly assigned to superuser are available to separate, discrete "roles" to be assigned to a limited number of users.

• Users are limited to those applications necessary for performing their jobs.

• In addition to UNIX permissions, access to data is controlled by special security tags called sensitivity labels which are assigned to users and objects (such as data files and directories).

• The ability to override security policy can be assigned to specific users and applications.

To familiarize yourself with the Trusted Solaris environment, you should at a minimum read the Trusted Solaris User's Guide and Trusted Solaris Administration Overview. You should also be familiar with the rest of the documentation set, which is described in the Trusted Solaris Documentation Roadmap.

Understand Your Site's Security Policy.

Through its configurability, the Trusted Solaris environment effectively lets you integrate your site's security policy with the operating environment. Thus, you need to have a good feel for the scope of your policy and the ability of Trusted Solaris to accommodate it. A good configuration should provide a balance between consistency with your site security policy and convenience for those working in the environment.

The Trusted Solaris operating environment is configured by default to conform with the ITSEC evaluation certificate FB1 (and FC2 which is less stringent). To meet these evaluated levels, you must:

• Select NIS+ as the naming service.

• Select multiple-label environment operation for the FB1 level. The FC2 level permits single- or multiple-label operation.

Note that your configuration may no longer conform with the ITSEC security levels if you do any of the following:

• Change the kernel switch settings in the /etc/system file, other than those switches and their values documented in this manual.

• Provide security-relevant execution profiles to non-administrative users.

• Change the default entries in these configurable files:

  • /usr/openwin/server/tsol/*

  • /usr/dt/app-defaults/C/Sel_Mgr

  • /usr/dt/bin/Xsession

  • /usr/dt/bin/Xtsolusersession

  • /usr/dt/config/sel_config

  • /usr/dt/app-defaults/C/Dtwm

  • /usr/dt/app-defaults/C/Dt

  • /usr/dt/config/C/sys.dtwmrc

Devise an Administration Strategy.

In place of superuser, the Trusted Solaris environment provides three trusted administrative roles for managing the environment:

• The security administrator is responsible for security-related tasks, such as setting up and assigning sensitivity labels, configuring auditing, and setting password policy.

• The system administrator is responsible for the non-security aspects of setup, maintenance, and general administration.

• The root role is mainly responsible for installing application software after the initial Trusted Solaris installation, in contrast to root's broader responsibilities in traditional UNIX environments.

There is also a less trusted role called "oper" for operator, that is responsible for backing up files. Since the environment is configurable, you can use these default roles, modify them, or create your own roles according to your security needs.

As part of your administration strategy, you need to decide:

• Which users will be handling which administration responsibilities.

• Which non-administrative users will be allowed to run trusted applications, that is, will be permitted to override security policy when necessary.

• Which users will have access to which groups of data.

Devise a Label Strategy.

Planning labels requires setting up a hierarchy of sensitivity levels and a categorization of information in your environment. The "label encodings" file contains this type of information for your organization. You can use one of the label_encodings files supplied on the Trusted Solaris CDROM, modify one of the supplied files, or create a new label encodings file specific to your site. The file should include the SUN-specific local extensions (at least the COLOR NAMES section) when used in the Trusted Solaris environment.

---

Note -

The default label_encodings file is useful for demos, but it is not a good choice for use by a customer site.

---

IMPORTANT: you must have the final version of the label encodings file you intend to use ready prior to configuring the first workstation.

To learn more about the label encodings file, see Trusted Solaris Label Administration. You can also refer to Compartmented Mode Workstation Labeling: Encodings Format.

Planning labels also involves planning label configuration. After installation, you need to make the following decisions regarding the use of labels:

• Single- or multiple-label environment - If all of your non-administrative users can operate at the same security label, select a single-label system. Multiple-label environments are required for the FB1 level. If you want a no-label system, select single-label, and then hide the labels for all users.

• Hide or display upgraded names in directories - If you want to prevent a user (or intruder) from viewing the names of files or directories at higher levels than the current sensitivity label, choose this option.

After installation, you can make the following label configuration display changes using the Solstice^TM AdminSuite^TM User Manager:

• Display administrative label names - You can show the actual administrative label names, or show substitute names for the labels.

• Hide or display labels - You can hide or display labels on a per-user basis.

For International Customers

When localizing a label_encodings file, international customers should localize the label names only. The administrative label names, ADMIN_HIGH and ADMIN_LOW, must not be localized. All labeled workstations that you contact, from any vendor, must have label names that match the label names in the Trusted Solaris label_encodings file.

Plan Workstation Hardware and Capacity.

Workstation hardware includes the workstation itself and its attached devices (tape drives, microphones, CD drives, and disk packs). Its capacity includes its memory, its network interfaces, and its disk space.

Consult the Solaris 7 Sun Hardware Platform Guide for a list of hardware that supports the Trusted Solaris environment. Any exceptions are noted in Trusted Solaris 7 Release Notes.

Peripheral hardware and capacity required for initial installation on a SPARC include:

• 32 MB minimum memory

• Local CDROM drive

Memory over the minimum is required on Trusted Solaris workstations that:

• Are used as servers: OS servers, name servers, file servers, audit servers, boot servers

• Run graphics or other large applications

• Run compilers

• Run number-crunching applications

• Run at more than one sensitivity label

• Are used by users who can assume an administrative role

Similarly, disk space requirements are greater on workstations that:

• Are used as servers: OS servers, name servers, file servers, audit servers, boot servers

• Are used by programmers

• Run graphics or other large applications

• Store files or large applications locally

• Have several smaller disks (for example, ten 104-Mbyte disks will waste more space trying to make things fit than a single 1-GByte disk)

• Are installed with the larger software clusters: Developer and Entire.

• Run at more than one label

• Are used by users who can assume an administrative role

For each Trusted Solaris workstation, you need to determine the following:

• Name and IP address

• Ethernet address (for network installations)

• Sun architecture (for network installations)

• Root password

• PROM security level: maintenance password only, or boot password

• PROM password (for Intel Architecture: BIOS protection)

• What devices may be attached to the workstation

• Which users may use the workstation

• Which printers at what labels may the workstation access

Plan Your Network.

If you are installing a non-networked workstation, you can skip this step.

For help in planning network hardware, see "Planning Your Network" in TCP/IP and Data Communications Administration Guide.

As in any client-server network, you need to identify hosts by their function (server or client) and configure the software appropriately. The following table lists servers you may need to create and their function. For more information, see System Administration Guide, Volume I.

Table 1-1 Possible Servers in a Trusted Solaris Environment

Create ...	If You Plan to ...
Audit data server	Enable auditing
Audit administration server	Analyze the audit trail
Boot server	Install on a subnet
File server	Centrally locate files for general use
Install server	Install over the network or use Custom JumpStart scripts
DNS server	Resolve internet names and addresses outside your local network
Home directory server	Enable remote mounting of users' home directories.
Mail server	Funnel mail to end user workstations from a central location
Network gateway	Operate an Failed Cross Reference Format
NIS+ root master (Name Server)	Establish a NIS+ domain
NIS+ replicas	Establish a NIS+ domain
NIS+ subdomain masters	Establish a NIS+ subdomain
OS server	Serve diskless clients
Print server	Print hard copy

To plan the system administration aspects of servers, see the administration guides in the Solaris 7 System Administrator Collection including:

• Mail Administration Guide

• Solaris Naming Setup and Configuration Guide

• System Administration Guide, Volume I

• System Administration Guide, Volume II

OS servers are covered in the Solstice AdminSuite 2.3 Administration Guide, and Trusted Solaris-specific administration is covered in Trusted Solaris Administrator's Procedures.

Additional Planning for Open Networks

If your network is open to other networks, you need to specify accessible domains and workstations, and identify which Trusted Solaris hosts will serve as gateways to access them. You need to identify the Trusted Solaris accreditation range for these gateways, and the sensitivity label at which data from other hosts may be viewed. Trusted Solaris software recognizes five labeled host types, including Trusted Solaris (sun_tsol), and provides eight templates by default, as shown in the following table.

Table 1-2 Templates Provided with Trusted Solaris Network Software

Host Type		Template Name	Purpose
Unlabeled		unlab	For hosts or networks that send unlabeled packets, for example, SUN workstations running Solaris software
Labeled
	Trusted Solaris 2.5.1 (sun_tsol)	tsol	For Trusted Solaris 2.5.1 hosts or networks
		tsol_1	For TS2.5.1 and 7 hosts or networks that label packets with the RIPSO security option
		tsol_2	For TS2.5.1 and 7 hosts or networks that label packets with the CIPSO security option
	TSIX	tsix	For TSIX(RE1.1) hosts or networks
	MSIX	msix	For hosts or networks that run Trusted Solaris 1.2 software
	CIPSO	cipso	For hosts or networks that send CIPSO packets
	RIPSO	ripso	For hosts or networks that send RIPSO packets

The tnrhtp(4) man page gives complete descriptions of each host type with several examples.

For more information on the security administration of servers, file systems, and network interfaces, see Trusted Solaris Administrator's Procedures.

Plan Auditing.

Auditing requires the storage and analysis of potentially a huge amount of data. Before you set up auditing, you need to:

• Decide which classes of activity you need to audit. It is good practice to keep these to a minimum.

• Plan how you are going to handle the storage and administration of the auditing data.

  Each host should have a disk dedicated to audit data collection with a primary partition and a second partition for overflow records.

  If you are auditing a network, you should dedicate at least one server to data collection and another server to data administration and analysis. Ideally, you should have your primary and secondary data collection areas on different hosts. In addition, it is recommended that you reserve a fallback area on the local hosts in case the network goes down.

• Read Trusted Solaris Audit Administration for step by step assistance.

Devise an Installation and Configuration Strategy.

The Trusted Solaris software is initially loaded by root. Since root cannot log into the Trusted Solaris environment, a local user named "install" has been provided for the first part of the configuration process. Subsequent configuration is a two-person process (by default) using the security administrator and the system administrator roles. Once the roles have been assigned to users, and the workstation is rebooted, the software enforces task division by role.

If two-person installation is not a site security requirement, assigning the two administrative roles to one person enables that person to configure both security and system information.

In a networked environment, consider installing and configuring workstations in the order NIS+ master, other NIS+ servers, other servers, and finally end user workstations.

Collect Information.

Each role needs to gather the information for the tasks particular to the role. Concrete examples are in Appendix D, Example Worksheets.

Back Up the Workstation.

If your workstation has any files on it that you want to save, make sure you perform a backup. The safest way to back up files is to do a level 0 dump. If you do not have a backup procedure in place, see the administrator's guide to your current operating system for instructions.

Install the Trusted Solaris Software.

Installing Trusted Solaris can be done interactively using CDROMs, over the network, or with Custom JumpStart^TM scripts. The first two workstations, the NIS+ root master and the install server (if you wish to do network or Custom JumpStart installs), must be installed interactively; subsequent workstations can be installed using the server. Installing over the network requires network setup; the installation program prompts the install team for needed information. Using Custom JumpStart requires some knowledge of Bourne shell scripting to automate installation; however, you can write scripts where no human interaction with the installation program is required.

For security reasons, the installation program does not offer some of the options that are available for Solaris 7 software. See "Differences from Solaris 7 Installation and Configuration" for details.

Configure the Software.

After the installation image is installed, the install team logs in as the user "install" and assumes the root role to configure initial security, network, and administrative role information, as shown in the following figure.

Figure 1-1 Two Roles Administering a Workstation

Once users who can assume the administrative roles are created, the install team reboots the workstation. Further configuration tasks are then restricted by the software to a particular role.

The security administrator sets up auditing, protects file systems, sets device policy, and protects users, among other tasks. The system administrator shares and mounts file systems and creates users, among other tasks.