tnrhtp(4)

NAME | SYNOPSIS | DESCRIPTION | ATTRIBUTES | EXAMPLES | FILES | NOTES | SEE ALSO | WARNINGS

NAME

tnrhtp– trusted network remote-host templates

SYNOPSIS

/etc/security/tsol/tnrhtp

DESCRIPTION

The tnrhtp database of templates is specified by the administrator for convenience when assigning accreditation and security attributes for each host in the distributed system, including the local host and network. tnrhtp works together with tnrhdb(4); IP addresses in tnrhdb can be assigned only to templates defined in the tnrhtp database. The administrator should run tnchkdb(1M) to check the syntax after each modification to the tnrhtp database.

Each entry in the template database is formed as one long line, with fields of the entry separated by semicolons (;):

template_name: field_name=value;[field_name=value; ...] 

A pound sign (#) as the first character of a line indicates a comment line, which is ignored.

The following host types are currently supported: unlabeled, sun_tsol, ripso, cipso, and tsix.

All fields of a particular host_type are mandatory unless otherwise indicated even if no value is set other than none. If this database is modified while the network is up, the changes do not take effect immediately unless tnctl(1M) is used to update the template entries; otherwise, the changes take effect when next polled by the trusted network daemon, tnd(1M). Administrators are allowed to add new templates and modify attributes of existing templates while the network is up.

The /etc/security/tsol/tnrhtp file is protected at label ADMIN_LOW with permission bits 444, owner root, and group sys.

When specifying a name for a template, note that only the first 31 characters of the template name are read and interpreted. You can use any printable character in a template name except for field delimiters, newline, or the comment character.

Trusted Solaris 8 and later releases extend the use of the domain of interpretation notion to all template types. The domain of interpretation defines the set of rules for translating between the external or internal representation of the security attributes and their network representation. Trusted Solaris systems that have the same domain of interpretation share that set of rules. They also share the same interpretation for the default attributes assigned to the unlabeled templates that have that same domain of interpretation.

Template for unlabeled Hosts

The template for the unlabeled host type has these fields:

template_name

Specify a name for the template.

host_type

unlabeled

doi

This is the domain of interpretation for def_label and def_cl fields.

def_label, def_cl

Define the default attributes to be applied to incoming data from the remote hosts that do not support these attributes. These defaults override the defaults specified for an interface in the tnidb(4) database.

min_sl, max_sl

Specify the accreditation range for unlabeled gateways of this template. The format is the same as that in the tnidb(4) database. All labels are specified in their hex format.

forced_privs

Define the effective privileges to be applied to the incoming packet received from a host that does not support privileges. The format of the privilege set is:

---

forced_privs=priv[,priv][...]|none|empty|all 

---

where

priv

The text string (such as net_mac_read) for privilege. (forced_privs=net_mac_read)

none

Apply no privileges. (forced_privs=none) .

empty

Take the default from tnidb(4). (forced_privs=empty)

all

Apply all privileges. (forced_privs=all)

ip_label

(Optional) Provide for IP labeling. When present, packets coming from hosts of this template are labeled using the IP option specified by ip_label. The format of the label is:

[ip_label=cipso|ripso|none|empty]

Template for sun_tsol Hosts

Host type sun_tsol has these fields:

template_name

Specify a name for the template.

host_type

sun_tsol

doi

This number is the domain of interpretation.

min_sl, max_sl

Specify the accreditation range for the remote hosts using this template. The format is the same as that in the tnidb(4) database. All labels are specified in their hex format.

allowed_privs

Limit the effective privilege set for an incoming packet. If a source host associated with this template sends a packet to a destination host, the destination will limit the privilege set of the incoming packet to that specified in this field. The format of the privilege set is:

allowed_privs=priv[,priv][...]|none|empty|all

where

priv

The text string (such as net_mac_read) for privilege. (allowed_privs=net_mac_read)

none

Apply no privileges. (allowed_privs=none)

empty

Take the default from tnidb(4). (allowed_privs=empty)

all

Apply all privileges. (allowed_privs=all)

ip_label

Provide for IP labeling. These are valid types for ip_label:

none

ripso and cipso options are not used to label data sent to the host. However, ripso and cipso security options may be sent to the host if the host is acting as a gateway.

ripso

For hosts that label their packets with the Revised IP Security Option per RFC 1108. If ripso is selected for a host, the ripso_label and ripso_error fields are required.

cipso

For hosts that label their packets according to the Common IP Security Options (Tag Type 1 only) as detailed by the Trusted Systems Interoperability Group (TSIG). If ip_label is set to cipso, then packets for which the host is the final destination will be labeled with a CIPSO label containing the specified doi. If the host is configured as a gateway, then the host will be able to route CIPSO-labeled packets containing the specified doi.

ripso_label

If ip_label is set to ripso, then packets for which the host is the final destination will be labeled with the specified RIPSO label. If the host is configured as a gateway, then the host will be able to route packets with the specified RIPSO label.

If ip_label is set to none and ripso_label is set, then the host will be able to forward packets labeled with the specified RIPSO label even though packets addressed to the host will not contain a RIPSO label.

Set this field explicitly to empty if no value is to be assigned.

A ripso_label is made up of a classification level followed by a protection authority flag. The supported classification levels are: TOP_SECRET, SECRET, CONFIDENTIAL, UNCLASSIFIED or a hexadecimal representation, The supported protection authority flags are: GENSER, SIOP-ESI, SCI, NSA, DOE, or a hexadecimal representation.

ripso_error

These are the protection authority flags that are used to label ICMP messages generated in response to incoming RIPSO-labeled packets: GENSER, SIOP-ESI, SCI, NSA, DOE, or a hexadecimal representation. The classification level is taken from the ripso_label field. The sender's template is always used when labeling ICMP error messages with RIPSO labels.

This field can take multiple values; these must be separated by commas.

Set this field explicitly to empty if no value is to be assigned.

Template for ripso Hosts

The template for ripso host type is for non-sun_tsol hosts that label packets with the RIPSO basic security option. This template has these fields:

template_name

Specify a name for the template.

host_type

ripso

doi

(Optional) This number is the domain of interpretation. It applies to the def_label and def_cl fields.

ripso_label

A ripso_label is made up of a classification level followed by a protection authority flag. The supported classification levels are: TOP_SECRET, SECRET, CONFIDENTIAL, UNCLASSIFIED or a hexadecimal representation, The supported protection authority flags are: GENSER, SIOP-ESI, SCI, NSA, DOE, or a hexadecimal representation.

ripso_error

These are the protection authority flags that are used to label ICMP messages generated in response to incoming RIPSO-labeled packets.

This field can take multiple values; these must be separated by commas.

def_label, def_cl

Define the default attributes to be applied to incoming data from the remote hosts that do not support these attributes. These defaults override the defaults specified for an interface in the tnidb(4) database.

Set this field explicitly to empty if no value is to be assigned.

Default labels are not required for the remote-host entry if there are interface defaults that would be the same for the remote host.

min_sl, max_sl

Specify the accreditation range for the remote host gateway using this template. The format is the same as that in the tnidb(4) database. All labels are specified in their hex format.

forced_privs

Define the effective privileges to be applied to the incoming packet received from a host that does not support privileges. Having no privileges specified is not the same as specifying the word none. The format of the privilege set is:

forced_privs=priv[,priv][...]|none|empty|all 

where

priv

The text string (such as net_mac_read) for privilege. (forced_privs=net_mac_read)

none

Apply no privileges. (forced_privs=none)

empty

Take the default from tnidb(4). (forced_privs=empty)

all

Apply all privileges. (forced_privs=all)

Template for cipso Hosts

The template for cipso host type is for hosts that use CIPSO (Common IP Security Options — Tag Type 1 only) to label packets. This template has these fields:

template_name

Specify a name for the template.

host_type

cipso

doi

This number is the domain of interpretation. It is used in the CIPSO label.

min_sl, max_sl

Specify the accreditation range for the remote hosts using this template. The format is the same as that in the tnidb(4) database. All labels are specified in their hex format.

def_label, def_cl

Define the default attributes to be applied to incoming data from the remote hosts that do not support these attributes. These defaults override the defaults specified for an interface in the tnidb(4) database.

forced_privs

Defines the effective privileges to be applied to the incoming packet received from a host that does not support privileges. Having no privileges specified is not the same as specifying the word none. The format of the privilege set is:

forced_privs=priv[,priv][...]|none|empty|all 

where

priv

The text string (such as net_mac_read) for privilege. (forced_privs=net_mac_read)

none

Apply no privileges. (forced_privs=none)

empty

Take the default from tnidb(4). (forced_privs=empty)

all

Apply all privileges. (forced_privs=all)

Template for tsix Hosts

The template for tsix host type is for hosts that use TSIX(RE) 1.1 protocols with token mapping to label packets. This template has these fields:

template_name

Specify a name for the template.

host_type

tsix

doi

This number is the domain of interpretation.

min_sl, max_sl

Specify the accreditation range for the remote hosts using this template.

All labels are specified in their hex format.

allowed_privs

Limit the effective privilege set for an incoming packet. If a source host associated with this template sends a packet to a destination host, the destination will limit the privilege set of the incoming packet to that specified in this field. The format of the privilege set is:

allowed_privs=priv[,priv][...]|none|empty|all

where

priv

The text string (such as net_mac_read) for privilege. (allowed_privs=net_mac_read)

none

Apply no privileges. (allowed_privs=none)

empty

Take the default from tnidb(4). (allowed_privs=empty)

all

Apply all privileges. (allowed_privs=all)

forced_privs

Define the effective privileges to be applied to the incoming packet received from a host that is not supplying privileges. Having no privileges specified is not the same as specifying the word none. The format of the privilege set is:

forced_privs=priv[,priv][...]|none|empty|all 

where

priv

The text string (such as net_mac_read) for privilege. (forced_privs=net_mac_read)

none

Apply no privileges. (forced_privs=none)

empty

Take the default from tnidb(4). (forced_privs=empty)

all

Apply all privileges. (forced_privs=all)

def_label, def_cl

Define the default attributes to be applied to incoming data from the remote hosts that are not supplying these attributes. These defaults override the defaults specified for an interface in the tnidb(4) database.

Default labels are not required for the remote-host entry if there are interface defaults that would be the same for the remote host.

ip_label

Provide for IP labeling. These are valid types for ip_label:

none

ripso and cipso options are not used to label data sent to the host. However, ripso and cipso security options may be sent to the host if the host is acting as a gateway.

ripso

For hosts that label their packets with the Revised IP Security Option per RFC 1108. If RIPSO is selected for a host, the ripso_label field is required.

cipso

For hosts that label their packets according to the Common IP Security Options (Tag Type 1 only) as detailed by the Trusted Systems Interoperability Group (TSIG).

ripso_label

If ip_label is set to ripso, then packets for which the host is the final destination will be labeled with the specified RIPSO label. If the host is configured as a gateway, then the host will be able to route packets with the specified RIPSO label.

If set to none and ripso_label is set, then the host will be able to forward packets labeled with the specified RIPSO label even though packets addressed to the host will not contain a RIPSO label.

A ripso_label is made up of a classification level followed by a protection authority flag. The supported classification levels are: TOP_SECRET, SECRET, CONFIDENTIAL, UNCLASSIFIED or a hexadecimal representation, The supported protection authority flags are: GENSER, SIOP-ESI, SCI, NSA, DOE, or a hexadecimal representation.

ripso_error

These are the protection authority flags that are used to label ICMP messages generated in response to incoming RIPSO-labeled packets. These are supported protection authority flags: GENSER, SIOP-ESI, SCI, NSA, DOE. The classification level is taken from the ripso_label field. The sender's template is always used when labeling ICMP error messages with RIPSO labels.

This field can take multiple values; these must be separated by commas.

If you do not want to assign a value, you must set this field equal to empty.

ATTRIBUTES

See attributes(5) for descriptions of the following attributes:

ATTRIBUTE TYPE	ATTRIBUTE VALUE
Availability	SUNWtsr

EXAMPLES

---

Example 1 Unlabeled Hosts




For the sake of clarity on this man page, examples are shown using a continuation character (\). In the database file, however, the backslash is not permitted because each entry is made on a single line.

---

# Sample ADMIN_LOW template entry for machines or networks.
# Note that the doi field is required.
#
admin_low:host_type=unlabeled;\
def_label=[0x00000000000000000000000000000000000000000000000
000000000000000000000];\
def_cl=0x000000000000000000000000000000000000000000000000000
00000000000000000;\
forced_privs=empty;\
min_sl=0x000000000000000000000000000000000000000000000000000
00000000000000000;\
max_sl=0x7ffffffffffffffffffffffffffffffffffffffffffffffffff
fffffffffffffffff;\
doi=0;\
ip_label=none;\
ripso_label=empty;\
ripso_error=empty;

---

Unless the label at which you want to communicate with an unlabeled host is ADMIN_LOW, you should not use the above template. A template matching an entry in your label encodings file, similar to the following example that matches an entry in the sample label_encodings file, should be used.

---

# Sample UNCLASSIFIED template entry
# based on the sample label_encodings file.
#
unclassified:host_type=unlabeled;\
def_label=[0x000100000000000000000000000000000000000000000
00000000000000000000000];\
def_cl=0x00040c0000000000000000000000000000000000000000000
003ffffffffffff0000;\
forced_privs=empty;\
min_sl=0x0000000000000000000000000000000000000000000000000
0000000000000000000;\
max_sl=0x7ffffffffffffffffffffffffffffffffffffffffffffffff
fffffffffffffffffff;\
doi=0;\
ip_label=none;\
ripso_label=empty;\
ripso_error=empty

---

---

---

Example 2 Sun TSOL Hosts




---

# A sample tnrhtp template entry for sun_tsol hosts or networks.
# Note that the doi field is required.
#
tsol:host_type=sun_tsol;\
min_sl=0x000000000000000000000000000000000000000000000000000
00000000000000000;\
max_sl=0x7ffffffffffffffffffffffffffffffffffffffffffffffffff
fffffffffffffffff;\
allowed_privs=all;\
ip_label=none;\
ripso_label=empty;\
ripso_error=empty;\
doi=0;

---

---

---

Example 3 Sun TSOL and RIPSO




---

# A sample tnrhtp template entry for sun_tsol hosts
# or networks that label packets with the RIPSO security option.
#
tsol_ripso:host_type=sun_tsol;\
min_sl=0x000000000000000000000000000000000000000000000000000
00000000000000000;\
max_sl=0x7ffffffffffffffffffffffffffffffffffffffffffffffffff
fffffffffffffffff;\
allowed_privs=all;\
ip_label=ripso;\
ripso_label=0x3d 0x20000000;\
ripso_error=0x80000000;\
doi=0;

---

---

---

Example 4 Sun TSOL and CIPSO




---

# A sample tnrhtp template entry for sun_tsol hosts
# or networks that label packets with the CIPSO security option.
#
tsol_cipso:host_type=sun_tsol;\
min_sl=0x000000000000000000000000000000000000000000000000000
00000000000000000;\
max_sl=0x7ffffffffffffffffffffffffffffffffffffffffffffffffff
fffffffffffffffff;\
allowed_privs=all;\
ip_label=cipso;\
ripso_label=empty;\
ripso_error=empty;\
doi=1;

---

---

---

Example 5 RIPSO Security Option




---

# A sample tnrhtp template entry for ripso hosts
# or networks that label packets with the RIPSO security option.
#
ripso_top_secret:host_type=ripso;\
ripso_label=0x3d 0x20000000;\
ripso_error=0x80000000;\
def_label=[0x00060c00000000000000000000000000000000000000000
00003ffffffffffff0000];\
def_cl=[0x00060c00000000000000000000000000000000000000000
00003ffffffffffff0000];\
forced_privs=empty;\
min_sl=0x000000000000000000000000000000000000000000000000000
00000000000000000;\
max_sl=0x7ffffffffffffffffffffffffffffffffffffffffffffffffff
fffffffffffffffff;\
doi=0;

---

---

---

Example 6 CIPSO Security Option




---

# A sample tnrhtp template entry for cipso hosts
# or networks that label packets with the CIPSO security option.
#
cipso:host_type=cipso;\
doi=1;\
min_sl=0x000000000000000000000000000000000000000000000000000
00000000000000000;\
max_sl=0x7ffffffffffffffffffffffffffffffffffffffffffffffffff
fffffffffffffffff;\
def_cl=0x7ffffffffffffffffffffffffffffffffffffffffffffffffff
fffffffffffffffff;\
forced_privs=empty;

---

---

---

Example 7 TSIX Host




---

# A sample tnrhtp template entry for tsix hosts
# or networks that label packets with the RIPSO security option.
#
tsix:host_type=tsix;\
min_sl=0x000000000000000000000000000000000000000000000000000
00000000000000000;\
max_sl=0x7ffffffffffffffffffffffffffffffffffffffffffffffffff
fffffffffffffffff;\
allowed_privs=all;\
forced_privs=empty;\
def_label=[0x00000000000000000000000000000000000000000000000
000000000000000000000];\
def_cl=0x7ffffffffffffffffffffffffffffffffffffffffffffffffff
fffffffffffffffff;\
ip_label=none;\
ripso_label=empty;\
ripso_error=empty; \
doi=0;

---

---

---

Example 8 Routing Unlabeled Packets through a Trusted Domain




---

# A sample tnrhtp template entry for unlabeled hosts
# or networks that are being securely routed through
# a trusted domain with RIPSO labels inserted.
#
ripso_secure_route:host_type=unlabeled;\
def_label=[0x00000000000000000000000000000000000000000000000
000000000000000000000];\
def_cl=0x000000000000000000000000000000000000000000000000000
00000000000000000;\
forced_privs=empty;\
min_sl=0x000000000000000000000000000000000000000000000000000
00000000000000000;\
max_sl=0x7ffffffffffffffffffffffffffffffffffffffffffffffffff
fffffffffffffffff;\
doi=0;\
ip_label=ripso;\
ripso_label=0x3d 0x20000000;\
ripso_error=0x80000000;

---

---

# A sample tnrhtp template entry for unlabeled hosts
# or networks that are being securely routed through
# a trusted domain with CIPSO labels inserted.
#

cipso_secure_route:host_type=unlabeled;\
def_label=[0x00000000000000000000000000000000000000000000000
000000000000000000000];\
def_cl=0x000000000000000000000000000000000000000000000000000
00000000000000000;\
forced_privs=empty;\
min_sl=0x000000000000000000000000000000000000000000000000000
00000000000000000;\
max_sl=0x7ffffffffffffffffffffffffffffffffffffffffffffffffff
fffffffffffffffff;\
ip_label=cipso;\
doi=0;\
ripso_label=empty;\
ripso_error=empty;

---

---

FILES

/etc/security/tsol/tnrhtp

Trusted network remote-host templates

NOTES

The doi entry is expected for all templates.

The cipso_doi entry is allowed for backward compatibility.

The doi entry is allowed to be empty for backward compatibility. The absence of the doi entry causes the default doi=0 to be used.

SEE ALSO

Trusted Solaris 8 HW 12/02 Reference Manual

smnettmpl(1M), tnchkdb(1M), tnd(1M), tnctl(1M), tnidb(4)

SunOS 5.8 Reference Manual

attributes(5)

WARNINGS

Changing a template while the network is up can change the security view of an undetermined number of hosts.

Allowing unlabeled hosts onto a Trusted Solaris network is a security risk. In order to avoid compromising the rest of your network, such hosts must be trusted in the sense that the administrator is certain that they will not be used to compromise the environment. These hosts should also be physically protected to restrict access to authorized individuals. If you cannot guarantee that an unlabeled host is physically secure from tampering, it and similar hosts should be isolated on a separate branch of the network.

Unlabeled hosts can be isolated using the Trusted Solaris labeling feature, which ensures that unlabeled packets originating from outside a trusted domain are routed according to their level of trust inside the domain (see Example 8). The gateway to the untrusted hosts must be a sun_tsol host type, and the gateway's database entries for these untrusted hosts and the interface connected to them must be set to reflect the accreditation of these hosts.

SunOS 5.8  Last Revised 8 June 2001

NAME | SYNOPSIS | DESCRIPTION | ATTRIBUTES | EXAMPLES | FILES | NOTES | SEE ALSO | WARNINGS