NAME | SYNOPSIS | DESCRIPTION | ATTRIBUTES | EXAMPLES | FILES | NOTES | SEE ALSO | WARNINGS
SYNOPSIS

    /etc/security/tsol/tnrhtp

DESCRIPTION
The tnrhtp database of templates is specified by the administrator for convenience when assigning accreditation and security attributes for each host in the distributed system, including the local host and network. tnrhtp works together with tnrhdb(4); IP addresses in tnrhdb can be assigned only to templates defined in the tnrhtp database. The administrator should run tnchkdb(1M) to check the syntax after each modification to the tnrhtp database.
Each entry in the template database is formed as one long line, with fields of the entry separated by semicolons (;):
template_name: field_name=value;[field_name=value; ...]
A pound sign (#) as the first character of a line indicates a comment line, which is ignored.
The following host types are currently supported: unlabeled, sun_tsol, ripso, cipso, and tsix.
All fields of a particular host_type are mandatory unless otherwise indicated, even if the only value set is none. If this database is modified while the network is up, the changes do not take effect immediately unless tnctl(1M) is used to update the template entries; otherwise, the changes take effect when next polled by the trusted network daemon, tnd(1M). Administrators are allowed to add new templates and modify attributes of existing templates while the network is up.
The /etc/security/tsol/tnrhtp file is protected at label ADMIN_LOW with permission bits 444, owner root, and group sys.
When specifying a name for a template, note that only the first 31 characters of the template name are read and interpreted. You can use any printable character in a template name except for field delimiters, newline, or the comment character.
Trusted Solaris 8 and later releases extend the use of the domain of interpretation notion to all template types. The domain of interpretation defines the set of rules for translating between the external or internal representation of the security attributes and their network representation. Trusted Solaris systems that have the same domain of interpretation share that set of rules. They also share the same interpretation for the default attributes assigned to the unlabeled templates that have that same domain of interpretation.
The template for the unlabeled host type has these fields:

template_name
    Specify a name for the template.

host_type
    unlabeled

doi
    This is the domain of interpretation for the def_label and def_cl fields.

def_label, def_cl
    Define the default attributes to be applied to incoming data from remote hosts that do not support these attributes. These defaults override the defaults specified for an interface in the tnidb(4) database.

min_sl, max_sl
    Specify the accreditation range for unlabeled gateways of this template. The format is the same as that in the tnidb(4) database. All labels are specified in their hex format.

forced_privs
    Define the effective privileges to be applied to an incoming packet received from a host that does not support privileges. The format of the privilege set is:

        forced_privs=priv[,priv][...]|none|empty|all

    where:

    priv
        The text string (such as net_mac_read) for a privilege. (forced_privs=net_mac_read)

    none
        Apply no privileges. (forced_privs=none)

    empty
        Take the default from tnidb(4). (forced_privs=empty)

    all
        Apply all privileges. (forced_privs=all)
Host type sun_tsol has these fields:

template_name
    Specify a name for the template.

host_type
    sun_tsol

doi
    This number is the domain of interpretation.

min_sl, max_sl
    Specify the accreditation range for the remote hosts using this template. The format is the same as that in the tnidb(4) database. All labels are specified in their hex format.

allowed_privs
    Limit the effective privilege set for an incoming packet. If a source host associated with this template sends a packet to a destination host, the destination will limit the privilege set of the incoming packet to that specified in this field. The format of the privilege set is:

        allowed_privs=priv[,priv][...]|none|empty|all

    where:

    priv
        The text string (such as net_mac_read) for a privilege. (allowed_privs=net_mac_read)

    none
        Apply no privileges. (allowed_privs=none)

    empty
        Take the default from tnidb(4). (allowed_privs=empty)

    all
        Apply all privileges. (allowed_privs=all)

ip_label
    Provide for IP labeling. These are the valid types for ip_label:

    none
        ripso and cipso options are not used to label data sent to the host. However, ripso and cipso security options may be sent to the host if the host is acting as a gateway.

    ripso
        For hosts that label their packets with the Revised IP Security Option per RFC 1108. If ripso is selected for a host, the ripso_label and ripso_error fields are required.

    cipso
        For hosts that label their packets according to the Common IP Security Options (Tag Type 1 only) as detailed by the Trusted Systems Interoperability Group (TSIG). If ip_label is set to cipso, then packets for which the host is the final destination will be labeled with a CIPSO label containing the specified doi. If the host is configured as a gateway, then the host will be able to route CIPSO-labeled packets containing the specified doi.

    If ip_label is set to ripso, then packets for which the host is the final destination will be labeled with the specified RIPSO label. If the host is configured as a gateway, then the host will be able to route packets with the specified RIPSO label.

    If ip_label is set to none and ripso_label is set, then the host will be able to forward packets labeled with the specified RIPSO label even though packets addressed to the host will not contain a RIPSO label.

ripso_label
    Set this field explicitly to empty if no value is to be assigned. A ripso_label is made up of a classification level followed by a protection authority flag. The supported classification levels are TOP_SECRET, SECRET, CONFIDENTIAL, UNCLASSIFIED, or a hexadecimal representation. The supported protection authority flags are GENSER, SIOP-ESI, SCI, NSA, DOE, or a hexadecimal representation.

ripso_error
    These are the protection authority flags that are used to label ICMP messages generated in response to incoming RIPSO-labeled packets: GENSER, SIOP-ESI, SCI, NSA, DOE, or a hexadecimal representation. The classification level is taken from the ripso_label field. The sender's template is always used when labeling ICMP error messages with RIPSO labels. This field can take multiple values, which must be separated by commas. Set this field explicitly to empty if no value is to be assigned.
The template for the ripso host type is for non-sun_tsol hosts that label packets with the RIPSO basic security option. This template has these fields:

template_name
    Specify a name for the template.

host_type
    ripso

doi
    (Optional) This number is the domain of interpretation. It applies to the def_label and def_cl fields.

ripso_label
    A ripso_label is made up of a classification level followed by a protection authority flag. The supported classification levels are TOP_SECRET, SECRET, CONFIDENTIAL, UNCLASSIFIED, or a hexadecimal representation. The supported protection authority flags are GENSER, SIOP-ESI, SCI, NSA, DOE, or a hexadecimal representation.

ripso_error
    These are the protection authority flags that are used to label ICMP messages generated in response to incoming RIPSO-labeled packets. This field can take multiple values, which must be separated by commas.

def_label, def_cl
    Define the default attributes to be applied to incoming data from remote hosts that do not support these attributes. These defaults override the defaults specified for an interface in the tnidb(4) database. Set this field explicitly to empty if no value is to be assigned. Default labels are not required for the remote-host entry if there are interface defaults that would be the same for the remote host.

min_sl, max_sl
    Specify the accreditation range for the remote host gateway using this template. The format is the same as that in the tnidb(4) database. All labels are specified in their hex format.

forced_privs
    Define the effective privileges to be applied to an incoming packet received from a host that does not support privileges. Having no privileges specified is not the same as specifying the word none. The format of the privilege set is:

        forced_privs=priv[,priv][...]|none|empty|all

    where:

    priv
        The text string (such as net_mac_read) for a privilege. (forced_privs=net_mac_read)

    none
        Apply no privileges. (forced_privs=none)

    empty
        Take the default from tnidb(4). (forced_privs=empty)

    all
        Apply all privileges. (forced_privs=all)
The template for the cipso host type is for hosts that use CIPSO (Common IP Security Options, Tag Type 1 only) to label packets. This template has these fields:

template_name
    Specify a name for the template.

host_type
    cipso

doi
    This number is the domain of interpretation. It is used in the CIPSO label.

min_sl, max_sl
    Specify the accreditation range for the remote hosts using this template. The format is the same as that in the tnidb(4) database. All labels are specified in their hex format.

def_label, def_cl
    Define the default attributes to be applied to incoming data from remote hosts that do not support these attributes. These defaults override the defaults specified for an interface in the tnidb(4) database.

forced_privs
    Define the effective privileges to be applied to an incoming packet received from a host that does not support privileges. Having no privileges specified is not the same as specifying the word none. The format of the privilege set is:

        forced_privs=priv[,priv][...]|none|empty|all

    where:

    priv
        The text string (such as net_mac_read) for a privilege. (forced_privs=net_mac_read)

    none
        Apply no privileges. (forced_privs=none)

    empty
        Take the default from tnidb(4). (forced_privs=empty)

    all
        Apply all privileges. (forced_privs=all)
The template for the tsix host type is for hosts that use TSIX(RE) 1.1 protocols with token mapping to label packets. This template has these fields:

template_name
    Specify a name for the template.

host_type
    tsix

doi
    This number is the domain of interpretation.

min_sl, max_sl
    Specify the accreditation range for the remote hosts using this template. All labels are specified in their hex format.

allowed_privs
    Limit the effective privilege set for an incoming packet. If a source host associated with this template sends a packet to a destination host, the destination will limit the privilege set of the incoming packet to that specified in this field. The format of the privilege set is:

        allowed_privs=priv[,priv][...]|none|empty|all

    where:

    priv
        The text string (such as net_mac_read) for a privilege. (allowed_privs=net_mac_read)

    none
        Apply no privileges. (allowed_privs=none)

    empty
        Take the default from tnidb(4). (allowed_privs=empty)

    all
        Apply all privileges. (allowed_privs=all)

forced_privs
    Define the effective privileges to be applied to an incoming packet received from a host that is not supplying privileges. Having no privileges specified is not the same as specifying the word none. The format of the privilege set is:

        forced_privs=priv[,priv][...]|none|empty|all

    where:

    priv
        The text string (such as net_mac_read) for a privilege. (forced_privs=net_mac_read)

    none
        Apply no privileges. (forced_privs=none)

    empty
        Take the default from tnidb(4). (forced_privs=empty)

    all
        Apply all privileges. (forced_privs=all)

def_label, def_cl
    Define the default attributes to be applied to incoming data from remote hosts that are not supplying these attributes. These defaults override the defaults specified for an interface in the tnidb(4) database. Default labels are not required for the remote-host entry if there are interface defaults that would be the same for the remote host.

ip_label
    Provide for IP labeling. These are the valid types for ip_label:

    none
        ripso and cipso options are not used to label data sent to the host. However, ripso and cipso security options may be sent to the host if the host is acting as a gateway.

    ripso
        For hosts that label their packets with the Revised IP Security Option per RFC 1108. If ripso is selected for a host, the ripso_label field is required.

    cipso
        For hosts that label their packets according to the Common IP Security Options (Tag Type 1 only) as detailed by the Trusted Systems Interoperability Group (TSIG).

    If ip_label is set to ripso, then packets for which the host is the final destination will be labeled with the specified RIPSO label. If the host is configured as a gateway, then the host will be able to route packets with the specified RIPSO label.

    If ip_label is set to none and ripso_label is set, then the host will be able to forward packets labeled with the specified RIPSO label even though packets addressed to the host will not contain a RIPSO label.

ripso_label
    A ripso_label is made up of a classification level followed by a protection authority flag. The supported classification levels are TOP_SECRET, SECRET, CONFIDENTIAL, UNCLASSIFIED, or a hexadecimal representation. The supported protection authority flags are GENSER, SIOP-ESI, SCI, NSA, DOE, or a hexadecimal representation.

ripso_error
    These are the protection authority flags that are used to label ICMP messages generated in response to incoming RIPSO-labeled packets. The supported protection authority flags are GENSER, SIOP-ESI, SCI, NSA, DOE. The classification level is taken from the ripso_label field. The sender's template is always used when labeling ICMP error messages with RIPSO labels. This field can take multiple values, which must be separated by commas. If you do not want to assign a value, you must set this field equal to empty.
ATTRIBUTES

See attributes(5) for descriptions of the following attributes:

ATTRIBUTE TYPE | ATTRIBUTE VALUE
---|---
Availability | SUNWtsr
EXAMPLES

For the sake of clarity on this man page, examples are shown using a continuation character (\). In the database file, however, the backslash is not permitted because each entry is made on a single line.
    # Sample ADMIN_LOW template entry for machines or networks.
    # Note that the doi field is required.
    #
    admin_low:host_type=unlabeled;\
    def_label=[0x00000000000000000000000000000000000000000000000000000000000000000000];\
    def_cl=0x00000000000000000000000000000000000000000000000000000000000000000000;\
    forced_privs=empty;\
    min_sl=0x00000000000000000000000000000000000000000000000000000000000000000000;\
    max_sl=0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff;\
    doi=0;\
    ip_label=none;\
    ripso_label=empty;\
    ripso_error=empty;
Unless the label at which you want to communicate with an unlabeled host is ADMIN_LOW, you should not use the above template. A template matching an entry in your label encodings file, similar to the following example that matches an entry in the sample label_encodings file, should be used.
    # Sample UNCLASSIFIED template entry
    # based on the sample label_encodings file.
    #
    unclassified:host_type=unlabeled;\
    def_label=[0x00010000000000000000000000000000000000000000000000000000000000000000];\
    def_cl=0x00040c000000000000000000000000000000000000000000003ffffffffffff0000;\
    forced_privs=empty;\
    min_sl=0x00000000000000000000000000000000000000000000000000000000000000000000;\
    max_sl=0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff;\
    doi=0;\
    ip_label=none;\
    ripso_label=empty;\
    ripso_error=empty;
    # A sample tnrhtp template entry for sun_tsol hosts or networks.
    # Note that the doi field is required.
    #
    tsol:host_type=sun_tsol;\
    min_sl=0x00000000000000000000000000000000000000000000000000000000000000000000;\
    max_sl=0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff;\
    allowed_privs=all;\
    ip_label=none;\
    ripso_label=empty;\
    ripso_error=empty;\
    doi=0;
    # A sample tnrhtp template entry for sun_tsol hosts
    # or networks that label packets with the RIPSO security option.
    #
    tsol_ripso:host_type=sun_tsol;\
    min_sl=0x00000000000000000000000000000000000000000000000000000000000000000000;\
    max_sl=0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff;\
    allowed_privs=all;\
    ip_label=ripso;\
    ripso_label=0x3d 0x20000000;\
    ripso_error=0x80000000;\
    doi=0;
    # A sample tnrhtp template entry for sun_tsol hosts
    # or networks that label packets with the CIPSO security option.
    #
    tsol_cipso:host_type=sun_tsol;\
    min_sl=0x00000000000000000000000000000000000000000000000000000000000000000000;\
    max_sl=0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff;\
    allowed_privs=all;\
    ip_label=cipso;\
    ripso_label=empty;\
    ripso_error=empty;\
    doi=1;
    # A sample tnrhtp template entry for ripso hosts
    # or networks that label packets with the RIPSO security option.
    #
    ripso_top_secret:host_type=ripso;\
    ripso_label=0x3d 0x20000000;\
    ripso_error=0x80000000;\
    def_label=[0x00060c000000000000000000000000000000000000000000003ffffffffffff0000];\
    def_cl=[0x00060c000000000000000000000000000000000000000000003ffffffffffff0000];\
    forced_privs=empty;\
    min_sl=0x00000000000000000000000000000000000000000000000000000000000000000000;\
    max_sl=0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff;\
    doi=0;
    # A sample tnrhtp template entry for cipso hosts
    # or networks that label packets with the CIPSO security option.
    #
    cipso:host_type=cipso;\
    doi=1;\
    min_sl=0x00000000000000000000000000000000000000000000000000000000000000000000;\
    max_sl=0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff;\
    def_cl=0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff;\
    forced_privs=empty;
    # A sample tnrhtp template entry for tsix hosts
    # or networks that label packets with the RIPSO security option.
    #
    tsix:host_type=tsix;\
    min_sl=0x00000000000000000000000000000000000000000000000000000000000000000000;\
    max_sl=0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff;\
    allowed_privs=all;\
    forced_privs=empty;\
    def_label=[0x00000000000000000000000000000000000000000000000000000000000000000000];\
    def_cl=0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff;\
    ip_label=none;\
    ripso_label=empty;\
    ripso_error=empty;\
    doi=0;
    # A sample tnrhtp template entry for unlabeled hosts
    # or networks that are being securely routed through
    # a trusted domain with RIPSO labels inserted.
    #
    ripso_secure_route:host_type=unlabeled;\
    def_label=[0x00000000000000000000000000000000000000000000000000000000000000000000];\
    def_cl=0x00000000000000000000000000000000000000000000000000000000000000000000;\
    forced_privs=empty;\
    min_sl=0x00000000000000000000000000000000000000000000000000000000000000000000;\
    max_sl=0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff;\
    doi=0;\
    ip_label=ripso;\
    ripso_label=0x3d 0x20000000;\
    ripso_error=0x80000000;
    # A sample tnrhtp template entry for unlabeled hosts
    # or networks that are being securely routed through
    # a trusted domain with CIPSO labels inserted.
    #
    cipso_secure_route:host_type=unlabeled;\
    def_label=[0x00000000000000000000000000000000000000000000000000000000000000000000];\
    def_cl=0x00000000000000000000000000000000000000000000000000000000000000000000;\
    forced_privs=empty;\
    min_sl=0x00000000000000000000000000000000000000000000000000000000000000000000;\
    max_sl=0x7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff;\
    ip_label=cipso;\
    doi=0;\
    ripso_label=empty;\
    ripso_error=empty;
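As an added illustration that is not part of this man page or of Trusted Solaris, the following Python checker parses entries in the tnrhtp line format described above and applies the rules the page states (supported host types, the 31-character name limit, hex-format labels, the privilege-set grammar, the ripso_label/ripso_error requirement when ip_label=ripso, and a required doi for every host type except ripso). The sample database is constructed here with short placeholder labels in place of real 68-digit ones, and the required-field rules are this editor's reading of the text, not tnchkdb(1M)'s.

```python
import re

# Rules below are taken from the tnrhtp(4) text; sample input is constructed.
HOST_TYPES = {"unlabeled", "sun_tsol", "ripso", "cipso", "tsix"}
PRIV_KEYWORDS = {"none", "empty", "all"}
LABEL_FIELDS = {"def_label", "def_cl", "min_sl", "max_sl"}
PRIV_FIELDS = {"forced_privs", "allowed_privs"}
NAME_LIMIT = 31  # only the first 31 characters of a template name are read

# Constructed sample database: one entry per line, no backslash continuation,
# short placeholder hex labels instead of real ones.
SAMPLE_TNRHTP = """\
# constructed sample tnrhtp
tsol:host_type=sun_tsol;min_sl=0x00;max_sl=0x7f;allowed_privs=all;ip_label=none;ripso_label=empty;ripso_error=empty;doi=0;
bad_ripso:host_type=sun_tsol;min_sl=0x00;max_sl=0x7f;allowed_privs=net_mac_read;ip_label=ripso;ripso_label=0x3d 0x20000000;ripso_error=empty;doi=0;
weird:host_type=tsol;min_sl=0x00;max_sl=0xzz;forced_privs=net_mac_read,,all;
"""

def parse_entry(line):
    """Split 'template_name: field=value;[field=value; ...]' into (name, {field: value})."""
    name, _, rest = line.partition(":")
    fields = {}
    for chunk in filter(str.strip, rest.split(";")):
        key, sep, value = chunk.partition("=")
        if not sep:
            raise ValueError(f"{name.strip()!r}: field without '=': {chunk.strip()!r}")
        fields[key.strip()] = value.strip()
    return name.strip(), fields

def check_entry(name, fields):
    """Return the problems found in one entry; an empty list means it passed."""
    problems = []
    if len(name) > NAME_LIMIT:
        problems.append(f"{name!r}: only the first {NAME_LIMIT} characters of the name are read")
    host_type = fields.get("host_type")
    if host_type not in HOST_TYPES:
        problems.append(f"{name!r}: unsupported host_type {host_type!r}")
    for key in sorted(LABEL_FIELDS & fields.keys()):  # def_label is bracketed, clearances are not
        if not re.fullmatch(r"\[?0x[0-9a-fA-F]+\]?", fields[key]):
            problems.append(f"{name!r}: {key} must be a hex label, got {fields[key]!r}")
    for key in sorted(PRIV_FIELDS & fields.keys()):
        privs = fields[key].split(",")  # priv[,priv]... | none | empty | all
        if fields[key] not in PRIV_KEYWORDS and (
            PRIV_KEYWORDS & set(privs) or not all(re.fullmatch(r"[a-z_]+", p) for p in privs)
        ):
            problems.append(f"{name!r}: malformed privilege set {key}={fields[key]!r}")
    if fields.get("ip_label") == "ripso":
        # ripso_label is always required; ripso_error is required except for tsix hosts.
        for key in ["ripso_label"] + ([] if host_type == "tsix" else ["ripso_error"]):
            if fields.get(key, "empty") == "empty":
                problems.append(f"{name!r}: ip_label=ripso requires {key}")
    if host_type != "ripso" and "doi" not in fields:  # doi is optional only for ripso
        problems.append(f"{name!r}: doi is required")
    return problems

def check_database(text):
    """Check every non-blank, non-comment line; return {template_name: problems}."""
    report = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            name, fields = parse_entry(line)
            report[name] = check_entry(name, fields)
    return report
```

Running check_database(SAMPLE_TNRHTP) passes the tsol entry, flags the missing ripso_error on bad_ripso, and reports four problems for the weird entry.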
NOTES

The doi entry is expected for all templates.
The cipso_doi entry is allowed for backward compatibility.
The doi entry is allowed to be empty for backward compatibility. The absence of the doi entry causes the default doi=0 to be used.
WARNINGS

Changing a template while the network is up can change the security view of an undetermined number of hosts.
Allowing unlabeled hosts onto a Trusted Solaris network is a security risk. In order to avoid compromising the rest of your network, such hosts must be trusted in the sense that the administrator is certain that they will not be used to compromise the environment. These hosts should also be physically protected to restrict access to authorized individuals. If you cannot guarantee that an unlabeled host is physically secure from tampering, it and similar hosts should be isolated on a separate branch of the network.
Unlabeled hosts can be isolated using the Trusted Solaris labeling feature, which ensures that unlabeled packets originating from outside a trusted domain are routed according to their level of trust inside the domain (see Example 8). The gateway to the untrusted hosts must be a sun_tsol host type, and the gateway's database entries for these untrusted hosts and the interface connected to them must be set to reflect the accreditation of these hosts.