Changes from the Trusted Solaris 7 release affect users, administrators, and developers. Changes affect the following areas:
Trusted Solaris 8 installation and configuration requires more disk and swap space than the Trusted Solaris 7 release required. Files to create local administrative roles are no longer provided on the installation CD-ROM; the root role creates the initial roles, then assigns the roles to the initial users.
Installation on most hardware is identical to Solaris 8 installation. The Trusted Solaris 8 environment supports the name services that are fully supported in the Solaris 8 and Solaris Management Console 2.0 releases. The following lists the exceptions:
Solaris Web Start is not supported.
Upgrade is not supported. Administrators who want to retain Trusted Solaris 2.5.1 or 7 database information (tsoluser, tsolprof, tnrhdb, tnrhtp) should back up these files. The files whose format and names have changed (tsoluser and tsolprof) should be converted on a Trusted Solaris 7 system before installing the Trusted Solaris 8 release. For the tsolconvert utility and procedure, see the following URL:
http://www.sun.com/software/solaris/trustedsolaris/ts_tech_faq/
The second installation CD-ROM is displayed in a text-only interface.
The Solaris Management Console requires that the install team allocate approximately 148 MBytes more swap to the host running the console. For example, if the previous swap was 256 MBytes, the Trusted Solaris 8 swap should be at least 404 MBytes.
Installing and configuring the Sun Enterprise 10000 is modified for Trusted Solaris security. See Trusted Solaris 8 Installation and Configuration on the Sun Enterprise 10000 for explanation and procedures.
To distribute a site label encodings file during Trusted Solaris 8 network installation requires a customized JumpStart installation that calls a site-created script to install the file at admin_high.
The Trusted Solaris 8 release introduces significant configuration differences from earlier releases. Of particular interest are "Security Policy", "Labels", "Roles", "Auditing", "Devices" and "Trusted Networking".
The Trusted Solaris 8 environment, as well as the Solaris 8 environment, enables the administrator to set up network-wide user audit flags. The audit_user file can now be administered using a name service through the Solaris Management Console.
Authorizations are now part of the Solaris 8 environment. Therefore, Trusted Solaris 7 authorizations have been renamed in the Trusted Solaris 8 environment to correspond to their Solaris 8 counterparts. See the file /etc/security/auth_attr for a full list of authorizations, and the auth_attr(4) man page for an explanation of the syntax. The following tables show the Trusted Solaris 7 to Trusted Solaris 8 authorization name correspondences, ordered by authorization number.
Table 1-4 Authorizations 1 through 27
No. | Trusted Solaris 7 Names | Trusted Solaris 8 Equivalents
---|---|---
1 | TSOL_AUTH_ENABLE_LOGIN | solaris.login.enable
2 | TSOL_AUTH_REMOTE_LOGIN | solaris.login.remote
3 | TSOL_AUTH_TERMINAL_LOGIN | solaris.login.remote
4 | TSOL_AUTH_FILE_AUDIT | solaris.file.audit
5 | TSOL_AUTH_FILE_DOWNGRADE_SL | solaris.label.file.downgrade
6 | TSOL_AUTH_FILE_UPGRADE_SL | solaris.label.file.upgrade
7 | TSOL_AUTH_FILE_OWNER | solaris.file.owner
8 | TSOL_AUTH_FILE_CHOWN | solaris.file.chown
9 | TSOL_AUTH_FILE_SETPRIV | solaris.file.privs
10 | TSOL_AUTH_ALLOCATE | solaris.device.allocate
11 | TSOL_AUTH_WIN_DOWNGRADE_SL | solaris.label.win.downgrade
12 | TSOL_AUTH_WIN_UPGRADE_SL | solaris.label.win.upgrade
13 | TSOL_AUTH_CRON_ADMIN | solaris.jobs.admin
14 | TSOL_AUTH_SYS_ACCRED_SET | solaris.label.range
15 | TSOL_AUTH_BYPASS_FILE_VIEW | solaris.label.win.noview
16 | TSOL_AUTH_SHUTDOWN | solaris.system.shutdown
17 | TSOL_AUTH_USER_IDENT | solaris.admin.usermgr.write
18 | TSOL_AUTH_USER_PASSWORD | solaris.admin.usermgr.pswd
19 | TSOL_AUTH_USER_SELF | None
20 | TSOL_AUTH_USER_LABELS | solaris.admin.usermgr.label
21 | TSOL_AUTH_USER_AUDIT | solaris.admin.usermgr.audit
22 | TSOL_AUTH_USER_PROFILES | solaris.profmgr.*
23 | TSOL_AUTH_USER_IDLE | None
24 | TSOL_AUTH_USER_ROLES | solaris.role.assign
25 | TSOL_AUTH_USER_HOME | solaris.admin.usermgr.write
26 | TSOL_AUTH_PRINT_POSTSCRIPT | solaris.print.ps
27 | TSOL_AUTH_PRINT_UNLABELED | solaris.print.unlabeled
Table 1-5 Authorization Numbers 28 through 55
No. | Trusted Solaris 7 Names | Trusted Solaris 8 Equivalents
---|---|---
28 | TSOL_AUTH_DB_ALIASES | None
29 | TSOL_AUTH_DB_AUTO_HOME | solaris.admin.fsmgr.write
30 | TSOL_AUTH_DB_BOOTPARAMS | None
31 | TSOL_AUTH_DB_ETHERS | solaris.network.hosts.write
32 | TSOL_AUTH_DB_GROUP | solaris.admin.usermgr.write
33 | TSOL_AUTH_DB_HOSTS | solaris.network.hosts.write
34 | TSOL_AUTH_DB_LOCALE | solaris.network.hosts.write
35 | TSOL_AUTH_DB_NETGROUP | solaris.network.hosts.write
36 | TSOL_AUTH_DB_NETMASKS | solaris.network.hosts.write
37 | TSOL_AUTH_DB_NETWORKS | solaris.network.hosts.write
38 | TSOL_AUTH_DB_PASSWD | solaris.admin.usermgr.pswd
39 | TSOL_AUTH_DB_PROTOCOLS | None
40 | TSOL_AUTH_DB_RPC | None
41 | TSOL_AUTH_DB_SERVICES | None
42 | TSOL_AUTH_DB_TIMEZONE | None
43 | TSOL_AUTH_DB_TNIDB | solaris.network.security.write
44 | TSOL_AUTH_DB_TNRHDB | solaris.network.security.write
45 | TSOL_AUTH_DB_TNRHTP | solaris.network.security.write
46 | TSOL_AUTH_CRON_USER | solaris.jobs.user
47 | TSOL_AUTH_AT_ADMIN | solaris.jobs.admin
48 | TSOL_AUTH_AT_USER | solaris.jobs.user
49 | TSOL_AUTH_PRINT_ADMIN | solaris.print.admin
50 | TSOL_AUTH_PRINT_NOBANNER | solaris.print.nobanner
51 | TSOL_AUTH_CONFIG_DEVICE | solaris.device.config
52 | TSOL_AUTH_REVOKE_DEVICE | solaris.device.revoke
53 | TSOL_AUTH_PRINT_CANCEL | solaris.print.cancel
54 | TSOL_AUTH_PRINT_LIST | solaris.print.list
55 | TSOL_AUTH_PRINT_MAC_OVERRIDE | solaris.label.print
Commands and functions have been modified due to technical changes in the product and removal of nonstandard interfaces.
The Trusted Solaris /usr/proc/bin/ commands have been moved to /usr/bin/ to correspond to their Solaris counterparts.
The library functions for the tsoluser and tsolprof databases have been replaced by functions for the new databases, user_attr, exec_attr, and prof_attr. See "Databases -- Users, Profiles, and Authorizations".
The library functions for authorizations have been replaced by Solaris functions. The functions have been extended for the Trusted Solaris environment. See Table 1-7 for the database man page correspondences. The following table shows the Trusted Solaris 8 man pages that describe Trusted Solaris 7 functionality.
Trusted Solaris 7 Database Functions | Trusted Solaris 8 Man Page
---|---
getuserent(), setuserent(), getuserentbyname(), getuserentbyuid(), free_userent(), enduserent() | getuserattr(3secdb)
getprofent(), setprofent(), getprofentbyname(), getprofstr(), getprofstrbyname(), free_profent(), free_profstr(), endprofent(), endprofstr(), putprofstr() | getprofattr(3secdb)
auth_to_str(), str_to_auth(), auth_set_to_str(), str_to_auth_set(), free_auth_set(), get_auth_text(), chkauth() |
The user, rights profile, and authorization databases are now available in the Solaris 8 environment. Therefore, a Trusted Solaris 8 server can manage the rights and authorizations for Solaris 8 clients as well as Trusted Solaris 8 clients. The Solaris environment changed the name execution profile to rights, or rights profile.
Rights profiles are administered through the Solaris Management Console. The Trusted Solaris 7 Profile Manager is now the Rights tool, under Users (the User Manager). The Rights tool does not recognize symbolically linked commands.
Rights profiles are now hierarchical. Profiles can subsume other profiles, though this is not required. Hierarchical profiles eliminate the need to enumerate all profiles assigned to a user or role.
The names and contents of profiles have changed. Most profiles have been reconfigured; some profiles have been eliminated.
Trusted Solaris extends the Solaris versions of the user, profile, and authorization databases to include CDE actions and Trusted Solaris security attributes, such as labels and new authorizations. The following table shows the new database names.
Table 1-7 Database Changes from the Trusted Solaris 7 to the Trusted Solaris 8 Release
Trusted Solaris 7 Database | Trusted Solaris 8 Man Page
---|---
/etc/security/tsol/tsolprof |
/etc/security/tsol/tsoluser |
/usr/lib/tsol/locale/C/auth_name |
auth_desc man page | SMC help for the Authorizations tab
Devices may be allocated outside of the trusted path. Separate authorizations govern allocating within the trusted path and allocating outside it. For security, Trusted Solaris software keeps track of the allocating user name. The Device Allocation Manager GUI can display and edit the device_maps(4) entry for an allocatable device, and enables the administrator to specify whether devices should be deallocated at logout or reboot. Device allocation can be done remotely or in shell scripts by authorized users.
The Trusted Solaris 8 implementation for specifying file system security attributes follows the Solaris 8 implementation. The Solaris 8 implementation has consequences for Trusted Solaris 8 administrators.
Mount-time security attributes may be specified either by using the mount(1M) command with the -o option on the command line or by specifying the attributes in the vfstab_adjunct file. The following mount-time security attributes have been removed: acl, attr_flg, uid, gid, and mode.
The vfstab_adjunct file is protected at the label admin_high.
The Trusted Solaris 8 environment protects the label_encodings(4) file at the label admin_high. The default user label and clearance are defined in the label_encodings file.
The Label Builder used by administrators is now Java-based and accessed through the Solaris Management Console. The label builder that is accessed outside the Solaris Management Console is the same Motif label builder that was shipped with the Trusted Solaris 7 software.
In the Trusted Solaris 8 environment, the label attributes assigned to commands and actions in a profile no longer represent the restricted label range for execution. Instead, the attributes set the label and clearance of the process that is running the command, independent of the label of the original profile shell. This is a change to the profile shell from the Trusted Solaris 7 release, although it matches the way the system shell has always worked.
The following Trusted Solaris 7 man pages do not contain Trusted Solaris-specific modifications in the current release due to changes in implementation. The Solaris versions describe their functionality in the Trusted Solaris 8 environment:
pfsh(1M), which points to the pfexec(1) man page.
The clist command in the profile and system shells no longer exists. See the smprofile(1M) man page, or the profiles(1) and auths(1) man pages, for the commands that list the commands, actions, and authorizations in a rights profile.
The setmnt(1M) man page and command have been removed from the Solaris and Trusted Solaris environments.
The man pages in the following table contain Trusted Solaris-specific modifications to Solaris 8 man pages, or are Trusted Solaris 8 man pages new to this release:
Table 1-8 Man Pages Newly Created or Modified for the Trusted Solaris 8 Environment
Man Page Section | Man Page |
---|---|---
Section 1 | |
Section 1M | |
Section 2 | |
Section 3 | |
Section 4 | |
Section 5 | |
The Printer Administrator action in the System_Admin folder manages printers. To limit the label range of a printer, use the Device Allocation Manager.
The Trusted Solaris 8 environment has eliminated non-administrative roles. All roles in the Trusted Solaris environment are administrative ones. Roles are managed through the Administrative Roles tool in the Solaris Management Console. With the exception of the root role account, which must be a local account, role accounts are similar to user accounts in that their home directories are not necessarily local. Their home directories can be in the same location as users on the system.
In the Trusted Solaris 8 environment there are five recommended roles. Only the root role is provided on the installation CD-ROM. During system configuration the root role creates four roles (admin, secadmin, oper, and primaryadmin) and assigns existing profiles to them. The new role, primaryadmin, or Primary Administrator, is in fact an emergency administrator, to be used when the security administrator cannot do something. Once roles are created and assigned to users, the root role is no longer required and can be disabled. root is a much weaker role in the Trusted Solaris 8 release than it was in previous releases.
The names and contents of role profiles have changed to enable ease of administration. For example, the system administrator (the role admin) can now install most third-party software packages. The security administrator (secadmin) is only required when the applications being installed affect security. Also, prior to user account setup, the security administrator can set the security defaults for user accounts. Then when the system administrator sets up user accounts, the security administrator need not be present. It is also possible for the security administrator alone to set up user accounts.
Roles (and users) can now be prevented from logging in if their password is incorrectly entered a number of times as specified by the value of the RETRIES (not the MAX_BADLOGINS) flag. For details, see the passwd(4) and shadow(4) man pages. The default is No, do not lock the account. The defaults can be changed, and individual user and role accounts can be given a non-default value. Note that the NIS name service does not support RETRIES or account locking.
Security policy is now configured similarly in the Solaris and Trusted Solaris 8 environments. The configuration file /etc/security/policy.conf contains default attributes for users created on the system. Label defaults are set in the label_encodings file. The defaults can be added to or overridden, but provide an ease-of-creation mechanism. The security administrator can set up sensible defaults for most users on the system. The Add User wizard in SMC will then create users with sensible defaults.
Trusted Solaris 7 software enabled the security administrator to extend the list of trusted libraries by creating a list of trusted library directories in a file named /etc/security/tsol/rtld. The Trusted Solaris 8 release uses a new Solaris 8 mechanism, the crle(1) command with the option -u. See Trusted Solaris Administrator's Procedures for sample procedures.
The Solaris Management Console Devices and Hardware tool manages serial lines and serial ports. To limit the label range of a serial port, use the Device Allocation Manager.
The trusted networking databases are now administered through the Solaris Management Console. The tnidb database is administered using the Interface Manager program. The tnrhtp database and tnrhdb databases are administered using the Security Families program. The tnrhdb is extended to handle IPv6 address formats and variable-length netmasks.
The Trusted Solaris 8 environment does not interoperate with hosts or networks that run Trusted Solaris 1.2 software (except as unlabeled). The msix template for Trusted Solaris 1.2 hosts in the tnrhtp database has been removed.
The following fields have been removed from the tnrhtp templates. For interoperability, these are ignored if present: def_uid, def_gid, def_audit_auid, def_audit_asid, def_audit_mask, and def_audit_termid.
The functions t6last_attr(3NSL) and t6peek_attr(3NSL) no longer return defaults for identity-based attributes.
The /etc/security/tsol/boot directory has been removed. To ensure that a Trusted Solaris machine can contact the necessary servers while booting, the security administrator should ensure that each necessary server (name service master, audit server, and so on) is covered by an entry in the machine's local tnrhdb file.
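Since the boot directory is gone, the local tnrhdb is the only thing guaranteeing that boot-time servers can be reached. The following is an added example (not Sun's code) that checks a tnrhdb file for that coverage; it assumes a "address[/prefixlen]:template" line syntax, with IPv4 or IPv6 addresses and variable-length prefixes, and longest-prefix matching, all of which are assumptions rather than something the page states.

```python
"""Check that every server a Trusted Solaris 8 host needs while booting
is covered by an entry in its local tnrhdb file.

Assumed line syntax (not taken from the page): "address[/prefixlen]:template".
'#' starts a comment.  A bare address is treated as a single-host entry.
"""
import ipaddress


def parse_tnrhdb(text):
    """Return [(network, template)] sorted most-specific prefix first."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # rpartition keeps IPv6 colons inside the address part intact
        addr, _, template = line.rpartition(":")
        entries.append((ipaddress.ip_network(addr, strict=False), template))
    entries.sort(key=lambda e: e[0].prefixlen, reverse=True)
    return entries


def lookup(entries, host):
    """Return the template that covers host, or None if no entry matches."""
    ip = ipaddress.ip_address(host)
    for net, template in entries:
        if ip.version == net.version and ip in net:
            return template
    return None


def uncovered_servers(tnrhdb_text, servers):
    """Return {name: address} for the servers with no tnrhdb entry."""
    entries = parse_tnrhdb(tnrhdb_text)
    return {name: addr for name, addr in servers.items()
            if lookup(entries, addr) is None}


# Constructed sample data; not a real site configuration.
TNRHDB = """# constructed sample tnrhdb
10.1.0.0/16:cipso
10.1.5.7:tsol
2001:db8:1::/48:cipso
"""
BOOT_SERVERS = {          # the kinds of servers the page says must be reachable at boot
    "name_service_master": "10.1.5.7",
    "audit_server": "10.1.9.20",
    "install_server": "10.2.0.4",
    "directory_server_v6": "2001:db8:1::25",
}

if __name__ == "__main__":
    for name, addr in uncovered_servers(TNRHDB, BOOT_SERVERS).items():
        print(f"not covered by local tnrhdb: {name} ({addr})")
```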
The /etc/security/tsol/tnrhtp file installed from the Trusted Solaris 8 Installation CD has templates that match the labels in the /etc/security/tsol/label_encodings file installed from the Trusted Solaris 8 Installation CD. The following table shows the correspondences between earlier versions of tnrhtp and the version shipped with the Trusted Solaris 8 release.
Table 1-9 Template Equivalents Between Trusted Solaris 8 and Earlier Releases
Template Names from Earlier Release | Trusted Solaris 8 Replacement Names
---|---
unlab | admin_low
unclassified |
confidential |
secret |
top_secret |
tsol | tsol
tsol_1 | tsol_ripso
tsol_2 | tsol_cipso
ripso | ripso_top_secret
cipso | cipso
tsix | tsix
The cipso_doi keyword has been changed to the more general doi (Domain of Interpretation) in the tnrhtp database, because now it is used in the Trusted Solaris protocol and is not limited to the CIPSO IP options. Matching of the DOI value is enforced for incoming packets. For interoperability with the previous Trusted Solaris releases, the default DOI in the Trusted Solaris 8 release is 0 instead of empty (it is 1 for CIPSO host types), and the keyword cipso_doi is interpreted as the more general domain of interpretation.
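The removed template fields listed earlier and the cipso_doi to doi change above are the two things an administrator has to reconcile when carrying a Trusted Solaris 7 tnrhtp forward. The following is an added example (not Sun's code) that rewrites template entries accordingly; it assumes a "name:key=value;key=value;..." entry syntax and a host_type keyword whose value cipso identifies CIPSO host types, both assumptions rather than something the page states.

```python
"""Rewrite Trusted Solaris 7 tnrhtp template entries for the Trusted Solaris 8 release.

Assumed entry syntax (not taken from the page): "name:key=value;key=value;...",
one template per line, '#' starting a comment.  Rules applied, from the page:
removed fields are dropped, cipso_doi becomes doi, and a missing doi takes the
Trusted Solaris 8 default of 0 (1 when the host type is cipso).
"""

REMOVED_FIELDS = {"def_uid", "def_gid", "def_audit_auid", "def_audit_asid",
                  "def_audit_mask", "def_audit_termid"}


def parse_template(line):
    """Split 'name:k=v;k=v;' into (name, dict of attributes in file order)."""
    name, _, body = line.strip().partition(":")
    attrs = {}
    for item in body.split(";"):
        if item.strip():
            key, _, value = item.partition("=")
            attrs[key.strip()] = value.strip()
    return name, attrs


def normalize_template(line):
    """Return (rewritten entry, list of warnings describing each change)."""
    name, attrs = parse_template(line)
    warnings = []
    for key in list(attrs):
        if key in REMOVED_FIELDS:
            warnings.append(f"{name}: dropped removed field {key}")
            del attrs[key]
    if "cipso_doi" in attrs:
        if "doi" in attrs and attrs["doi"] != attrs["cipso_doi"]:
            warnings.append(f"{name}: cipso_doi={attrs['cipso_doi']} conflicts with doi={attrs['doi']}")
        attrs.setdefault("doi", attrs["cipso_doi"])   # same meaning under the new keyword
        del attrs["cipso_doi"]
    if "doi" not in attrs:
        attrs["doi"] = "1" if attrs.get("host_type") == "cipso" else "0"
        warnings.append(f"{name}: doi not set, Trusted Solaris 8 default {attrs['doi']} applies")
    return f"{name}:" + ";".join(f"{k}={v}" for k, v in attrs.items()) + ";", warnings


def normalize_file(text):
    """Rewrite every template line; comments and blank lines pass through."""
    out, warnings = [], []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            out.append(line)
            continue
        new, w = normalize_template(line)
        out.append(new)
        warnings.extend(w)
    return "\n".join(out), warnings
```

Running normalize_file over a constructed entry such as `tsol:host_type=tsol;min_sl=ADMIN_LOW;max_sl=ADMIN_HIGH;def_uid=60001;` drops def_uid, adds doi=0, and reports both changes.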
Packets from unlabeled hosts outside a Trusted Solaris domain can be labeled for trusted routing through the secure domain to another host outside the domain using IP options. Incoming packets are labeled according to their originating host's entry in the tnrhdb, and routed through the Trusted Solaris domain according to their sensitivity level (carried in the IP option) and the trusted routing information. The label is then stripped at the exit. Note that trusted routing requires an IPv4 network; IPv6 does not support trusted routing.
The cache files /var/tsol/tn*_c are no longer used. The tnd handles caching and provides tnrhdb entries to the kernel on demand.
The software supplies defaults for network interfaces. Therefore, an interface needs to be listed explicitly in the tnidb database only when its desired security attributes differ from the defaults:
min_sl ADMIN_LOW max_sl ADMIN_HIGH def_label [ADMIN_LOW] def_cl ADMIN_HIGH forced_privs none