NAME | Synopsis | Description | Examples | Attributes | Files | See Also | Warnings | Notes
/etc/security/tsol/tnrhdb
The tnrhdb database specifies which remote-host template to use for each host, including the local host, in the distributed system. tnrhdb works together with the tnrhtp(4) database to enable the administrator to establish the security and network accreditation attributes for each host. If a host's IP address cannot be matched to some entry in the tnrhdb database, communication with the host is not permitted.
The trusted network software uses a network “longest prefix of matching bits” mechanism when looking for a tnrhdb entry for a host. The software looks first for an entry that is specific to the host. If the software does not find a matching entry, the software falls back to searching for an entry with the longest prefix of a matching bit pattern, and so on.
The actual numeric value of the subnet address and any other subnetting information on the system (for example, from the netmasks(4) file) is not considered by this mechanism.
Using the “longest prefix of matching bits” mechanism, an IPv4 wildcard entry (IPv4 address 0.0.0.0) has a prefix length of 0 and hence can match any IPv4 address.
Each entry in tnrhdb consists of a line of the form IP-address:template.
The IP-address field is the IP address of the host or network that has the security properties that are specified by the template that is defined in the tnrhtp(4) database.
An entry can be a host address, for example, 10.100.100.201 or fe80\:\:9\:20ff\:fea0\:21f7. Or an entry can be an IPv4 or IPv6 subnet address.
An IPv4 subnet entry can take the form of a subnet address with an explicit prefix length (10.100.128.0/17) or the form of a subnet address with trailing zero octets that imply a prefix length (10.100.0.0).
An IPv6 subnet entry must take the form of a subnet address with a prefix length (fe80\:\:/10). See NOTES for the use of the backslash in tnrhdb entries.
When IPv4 subnet entries are specified by using the implied prefix length format, the actual prefix length will take the value 0, 8, 16, or 24 when there are 4, 3, 2, or 1 trailing zero octets, respectively. An entry with a non-zero value in the final octet is interpreted as a host address and implies a prefix length of 32. See EXAMPLES for sample IPv4 entries.
The template field must be a valid template name in the tnrhtp database. For information on the security attributes, see tnrhtp(4).
More than one IP address can use the same template. If this database is modified while the network is up, the changes do not take effect until after tnctl(1M) is used to update the remote-host entries. Administrators are allowed to add new entries and modify existing entries while the network is up. The template field cannot contain any white spaces.
After each modification to the tnrhdb database, the administrator should run tnchkdb(1M) to check the syntax. If this database is modified while the network is up, the changes do not take effect until tnctl(1M) updates the kernel.
| IPv4 Entry | Host Address or Wildcard? | Implied Prefix Length |
|---|---|---|
| 0.0.0.0 | Wildcard | 0 |
| 10.0.0.0 | Wildcard | 8 |
| 10.100.0.0 | Wildcard | 16 |
| 10.0.100.0 | Wildcard | 24 |
| 10.0.100.100 | Host Address | 32 |
The templates in the following example are first defined in the tnrhtp, then used in the tnrhdb file. The example shows a host that uses the template cipso, a host that uses the template public, and a host that uses the template needtoknow. There are two subnets. One subnet uses the template internal, and the other subnet uses the template secret. Every other host uses the template default-template that is specified in the wildcard entries for IPv4 hosts and IPv6 hosts.
```
#
# Assume that templates default-template, cipso, public,
# internal, needtoknow, and secret are defined in the
# tnrhtp database.
#
# the first two entries are addresses of the IPv4 and
# IPv6 loopback interfaces
127.0.0.1:cipso
\:\:1:cipso
10.0.0.1:cipso
192.168.120.6:public
192.168.120.0:internal
192.168.120.7:needtoknow
192.168.121.0:secret
0.0.0.0:default-template
0\:\:0/0:default-template
fe80\:\:a00\:20ff\:fea0\:21f7:cipso
```
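The following Python script is an added illustration of the lookup rules described above (escaped colons, implied IPv4 prefix lengths, longest-prefix matching, and the "no match means no communication" outcome); it is not Solaris code and does not reproduce how the kernel or tnctl(1M) store the entries. It parses a constructed copy of the example database and resolves hosts to templates. One assumption beyond the text: an IPv6 entry written without a prefix length is treated as a single host (/128), since the page requires IPv6 subnet entries to carry an explicit prefix.

```python
import ipaddress
from typing import List, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed input: the example tnrhdb entries from this page, with the
# colons inside IPv6 addresses escaped by a backslash as the file format
# requires (raw string so the backslashes survive).
SAMPLE_TNRHDB = r"""
# the first two entries are addresses of the IPv4 and
# IPv6 loopback interfaces
127.0.0.1:cipso
\:\:1:cipso
10.0.0.1:cipso
192.168.120.6:public
192.168.120.0:internal
192.168.120.7:needtoknow
192.168.121.0:secret
0.0.0.0:default-template
0\:\:0/0:default-template
fe80\:\:a00\:20ff\:fea0\:21f7:cipso
"""


def split_entry(line: str) -> Tuple[str, str]:
    """Split 'IP-address:template' at the first unescaped colon.

    A backslash escapes the following character, so '\:' inside an IPv6
    address is data rather than the field separator.
    """
    addr_chars: List[str] = []
    i = 0
    while i < len(line):
        c = line[i]
        if c == "\\" and i + 1 < len(line):
            addr_chars.append(line[i + 1])
            i += 2
            continue
        if c == ":":
            return "".join(addr_chars), line[i + 1:]
        addr_chars.append(c)
        i += 1
    raise ValueError(f"no template field in entry: {line!r}")


def implied_ipv4_prefix(addr: str) -> int:
    """Prefix length implied by trailing zero octets (4, 3, 2, 1 zero octets
    give 0, 8, 16, 24); a non-zero final octet means a host address (32)."""
    trailing_zeros = 0
    for octet in reversed(addr.split(".")):
        if octet != "0":
            break
        trailing_zeros += 1
    return 32 - 8 * trailing_zeros


def parse_address(raw_addr: str) -> Network:
    """Turn the (unescaped) address field into a network object."""
    if "/" in raw_addr:                     # explicit prefix length
        return ipaddress.ip_network(raw_addr, strict=False)
    if ":" in raw_addr:                     # IPv6 host (assumption: /128)
        return ipaddress.ip_network(raw_addr + "/128")
    prefix = implied_ipv4_prefix(raw_addr)  # IPv4 implied-prefix form
    return ipaddress.ip_network(f"{raw_addr}/{prefix}", strict=False)


def load_tnrhdb(text: str) -> List[Tuple[Network, str]]:
    """Parse tnrhdb-format text into (network, template) pairs."""
    entries: List[Tuple[Network, str]] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        raw_addr, template = split_entry(line)
        # The template field must be non-empty and contain no white space.
        if not template or any(ch.isspace() for ch in template):
            raise ValueError(f"line {lineno}: bad template field {template!r}")
        entries.append((parse_address(raw_addr), template))
    return entries


def lookup_template(entries: List[Tuple[Network, str]], host: str) -> Optional[str]:
    """Longest-prefix match: a host-specific entry wins over any subnet entry,
    which in turn wins over the /0 wildcard. None means no entry matches,
    i.e. communication with the host is not permitted."""
    addr = ipaddress.ip_address(host)
    best: Optional[str] = None
    best_len = -1
    for net, template in entries:
        if net.version != addr.version:
            continue
        if addr in net and net.prefixlen > best_len:
            best, best_len = template, net.prefixlen
    return best


if __name__ == "__main__":
    db = load_tnrhdb(SAMPLE_TNRHDB)
    for h in ("192.168.120.7", "192.168.120.9", "172.16.1.1", "fe80::1"):
        print(h, "->", lookup_template(db, h))
```

Running the script shows 192.168.120.7 resolving to needtoknow rather than the enclosing internal subnet, 192.168.120.9 falling back to internal, and both 172.16.1.1 and fe80::1 landing on the wildcard default-template. Dropping the two wildcard entries makes lookup_template return None for those last two hosts, which is the "not permitted" case the description warns about.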
See attributes(5) for descriptions of the following attributes:
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
|---|---|
| Availability | SUNWtsg |
| Stability | Project Private |
smtnrhdb(1M), hosts(4), ipnodes(4), netmasks(4), tnchkdb(1M), tnctl(1M), tnd(1M), tninfo(1M), tnrhtp(4), tnzonecfg(4), attributes(5)
Chapter 12, Trusted Networking (Overview), in Solaris Trusted Extensions Administrator’s Procedures
Changing a template while the network is up can change the security view of an undetermined number of hosts.
The colon (:) character is a database separation character. If the colon is used as part of a data field, it must be escaped with a backslash (\), as in fe80\:\:a00\:20ff\:fea0\:21f7.
The administrator might want to create one tnrhdb entry for each host that runs Trusted Extensions software, and make one subnet entry that applies to all unlabeled hosts that have the same security attributes. Then, the administrator can make a separate entry for each host that must be assigned a different set of security attributes.