Oracle Solaris Trusted Extensions Configuration and Administration     Oracle Solaris 11 Express 11/10

Planning for Security in Trusted Extensions

This section outlines the planning that is required before enabling and configuring Trusted Extensions software.

For a checklist of Trusted Extensions configuration tasks, see Appendix B, Configuration Checklist for Trusted Extensions. If you are interested in localizing your site, see For International Customers of Trusted Extensions. If you are interested in running an evaluated configuration, see Understanding Your Site's Security Policy.

Understanding Trusted Extensions

The enabling and configuration of Trusted Extensions involves more than loading executable files, specifying your site's data, and setting configuration variables. Considerable background knowledge is required. Trusted Extensions software provides a labeled environment that is based on two Oracle Solaris features:

In Trusted Extensions, access to data is controlled by special security tags. These tags are called labels. Labels are assigned to users, processes, and objects, such as data files and directories. These labels supply mandatory access control (MAC), in addition to UNIX permissions, or discretionary access control (DAC).

Understanding Your Site's Security Policy

Trusted Extensions effectively enables you to integrate your site's security policy with the Oracle Solaris OS. Thus, you need to have a good understanding of the scope of your policy and how Trusted Extensions software can implement that policy. A well-planned configuration must provide a balance between consistency with your site security policy and convenience for users who are working on the system.

Trusted Extensions is configured by default to conform with the Common Criteria for Information Technology Security Evaluation (ISO/IEC 15408) at Assurance Level EAL4 against the following protection profiles:

To meet these evaluated levels, you must configure LDAP as the naming service. Note that your configuration might no longer conform with the evaluation if you do any of the following:

For more information, see the Common Criteria web site.

Devising an Administration Strategy for Trusted Extensions

The root role or the System Administrator role is responsible for enabling Trusted Extensions. You can create roles to divide administrative responsibilities among several functional areas:

As part of your administration strategy, you need to decide the following:

Devising a Label Strategy

Planning labels requires setting up a hierarchy of sensitivity levels and a categorization of information on your system. The label_encodings file contains this type of information for your site. You can use one of the label_encodings files that are supplied with Trusted Extensions software. You could also modify one of the supplied files, or create a new label_encodings file that is specific to your site. The file must include the Oracle-specific local extensions, at least the COLOR NAMES section.


Caution - If you are supplying a label_encodings file, you must have the final version of the file ready before rebooting the system after you enable the Trusted Extensions service. The file should be on removable media.

Planning labels also involves planning the label configuration. After enabling the Trusted Extensions service, you need to decide if the system can run at a single label only, or if the system can run at multiple labels. If your regular users all operate at the same security label, then you can configure systems that will not be used for administration as single-label systems.

For more information, see Oracle Solaris Trusted Extensions Label Administration. You can also refer to Compartmented Mode Workstation Labeling: Encodings Format.

For International Customers of Trusted Extensions

When localizing a label_encodings file, international customers must localize the label names only. The administrative label names, ADMIN_HIGH and ADMIN_LOW, must not be localized. All labeled hosts that you contact, from any vendor, must have label names that match the label names in the label_encodings file.

Trusted Extensions supports fewer locales than does the Oracle Solaris OS. When you are working in a locale that Trusted Extensions does not support, text that is specific to Trusted Extensions, such as error messages about labels, is not translated into your locale. Oracle Solaris software continues to be translated into your locale.

Planning System Hardware and Capacity for Trusted Extensions

System hardware includes the system itself and its attached devices. Such devices include tape drives, microphones, CD-ROM drives, and disk packs. Hardware capacity includes system memory, network interfaces, and disk space.

Planning Your Trusted Network

For assistance in planning network hardware, see Chapter 1, Planning an IPv4 Addressing Scheme (Tasks), in System Administration Guide: IP Services.

Trusted Extensions software recognizes two host types, labeled and unlabeled. Each host type has a default security template, as shown in Table 1-1.

Table 1-1 Default Host Templates in Trusted Extensions

This table describes the purpose of each host type.
Host Type
Template Name
At initial boot, labels the global zone.

After initial boot, identifies hosts that send packets that do not include labels. For more information, see unlabeled system.

Identifies hosts or networks that send CIPSO packets. CIPSO packets are labeled.

If your network can be reached by other networks, you need to specify accessible domains and hosts. You also need to identify which Trusted Extensions hosts are going to serve as gateways. You need to identify the label accreditation range for these gateways, and the sensitivity label at which data from other hosts can be viewed.

The labeling of hosts, gateways, and networks is explained in Chapter 19, Managing Networks in Trusted Extensions (Tasks). These labeling tasks are performed after initial setup.

Planning for Zones in Trusted Extensions

Trusted Extensions software is added to the Oracle Solaris OS in the global zone. You then configure non-global zones that are labeled. You can create one labeled zone for every unique label, though you do not need to create a zone for every label in your label_encodings file.

Part of zone configuration is configuring the network. By default, labeled zones are configured to communicate with the global zone. Additionally, you can configure the zones on the system to communicate with other zones on the network.
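The following planning aid is an added example, not part of the Oracle documentation or the Trusted Extensions software. It models a label as a sensitivity level plus a set of compartments, then checks a draft plan for two problems raised in the label, network, and zone planning sections above: two zones planned at the same label, and zone labels that fall outside a gateway's accreditation range. The level names, compartment names, zone names, and the gateway range are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sensitivity hierarchy; a real site defines its own in label_encodings.
LEVELS = {"PUBLIC": 1, "INTERNAL": 2, "RESTRICTED": 3}

@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()

# Administrative labels named on this page; they bound every other label.
ADMIN_LOW = Label("ADMIN_LOW")
ADMIN_HIGH = Label("ADMIN_HIGH")

def dominates(a, b):
    """True if a's level is at least b's and a holds every compartment of b."""
    if a == ADMIN_HIGH or b == ADMIN_LOW:
        return True
    if a == ADMIN_LOW or b == ADMIN_HIGH:
        return False
    return LEVELS[a.level] >= LEVELS[b.level] and a.compartments >= b.compartments

def in_range(label, low, high):
    """True if label lies inside the accreditation range [low, high]."""
    return dominates(label, low) and dominates(high, label)

def review_plan(zones, gw_low, gw_high):
    """List planning problems: reused zone labels, labels a gateway cannot carry."""
    findings, seen = [], {}
    for zone, label in zones.items():
        if label in seen:
            findings.append(f"{zone}: label already used by zone {seen[label]}")
        seen.setdefault(label, zone)
        if not in_range(label, gw_low, gw_high):
            findings.append(f"{zone}: outside gateway accreditation range")
    return findings

# Constructed plan: zone name -> label, plus one gateway's range.
ENG, HR = frozenset({"ENG"}), frozenset({"HR"})
SAMPLE_ZONES = {
    "public": Label("PUBLIC"),
    "internal": Label("INTERNAL"),
    "eng": Label("INTERNAL", ENG),
    "restricted": Label("RESTRICTED", ENG | HR),
    "internal2": Label("INTERNAL"),
}
GW_LOW, GW_HIGH = Label("PUBLIC"), Label("INTERNAL", ENG)

if __name__ == "__main__":
    for finding in review_plan(SAMPLE_ZONES, GW_LOW, GW_HIGH):
        print(finding)
```

Labels with the same level but different compartments, such as INTERNAL ENG and INTERNAL HR here, are incomparable: neither dominates the other, so a range bounded above by one never admits the other.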

Trusted Extensions Zones and Oracle Solaris Zones

Trusted Extensions zones, that is, labeled zones, are a brand of Oracle Solaris zones. Labeled zones are primarily used to segregate data. In Trusted Extensions, regular users cannot remotely log in to a labeled zone. The zone console is the only interactive interface to a labeled zone, and only root can gain access to the zone console. For more about zone brands, see the brands(5) man page.

Zone Creation in Trusted Extensions

Zone creation in Trusted Extensions is similar to zone creation in the Oracle Solaris OS. Trusted Extensions provides the txzonemgr script to step you through the process. The script has a command line option to automate the creation of two initial labeled zones.

Planning for Multilevel Access

Typically, printing and NFS are configured as multilevel services. On a properly configured system, every zone must be able to access one or more network addresses if every zone is to access multilevel services. The following configurations provide multilevel services:

A system that meets the following two conditions cannot provide multilevel services:

Tip - If users in labeled zones are not supposed to have access to a local multilevel printer, and you do not need NFS exports of home directories, then you can assign one IP address to a system that you configure with Trusted Extensions. On such a system, multilevel printing is not supported, and home directories cannot be shared. A typical use of this configuration is on a laptop.

Planning for the LDAP Naming Service in Trusted Extensions

If you are not planning to install a network of labeled systems, then you can skip this section.

If you plan to run Trusted Extensions on a network of systems, use LDAP as the naming service. For Trusted Extensions, a populated Sun Java System Directory Server (LDAP server) is required when you configure a network of systems. If your site has an existing LDAP server, you can populate the server with Trusted Extensions databases. To access the server, you set up an LDAP proxy on a Trusted Extensions system.

If your site does not have an existing LDAP server, plan to create an LDAP server on a system that is running Trusted Extensions software. The procedures are described in Chapter 5, Configuring LDAP for Trusted Extensions (Tasks).

Planning for Auditing in Trusted Extensions

By default, auditing is enabled when Trusted Extensions is first booted. Therefore, by default, all logins, screenlocks, and logouts are audited. To audit the users who are configuring the system, you can create roles early in the configuration process. When these roles configure the system, the audit records include the login user who assumes the role. See Creating Roles and Users in Trusted Extensions.

Planning auditing in Trusted Extensions is the same as in the Oracle Solaris OS. For details, see Part VII, Oracle Solaris Auditing, in System Administration Guide: Security Services. While Trusted Extensions adds classes, events, and audit tokens, the software does not change how auditing is administered. For Trusted Extensions additions to auditing, see Chapter 24, Trusted Extensions Auditing (Overview).

Planning User Security in Trusted Extensions

Trusted Extensions software provides reasonable security defaults for users. These security defaults are listed in Table 1-2. Where two values are listed, the first value is the default. The security administrator can modify these defaults to reflect the site's security policy. After the security administrator sets the defaults, the system administrator can create all the users, who inherit the established defaults. For descriptions of the keywords and values for these defaults, see the label_encodings(4) and policy.conf(4) man pages.

Table 1-2 Trusted Extensions Security Defaults for User Accounts

The table lists the security defaults in two files, policy.conf and label_encodings.
File name
lock | logout
no | yes
Console User
Basic Solaris User
LOCAL DEFINITIONS section of /etc/security/tsol/label_encodings
Default User Clearance
Default User Sensitivity Label

The system administrator can set up a standard user template that sets appropriate system defaults for every user. For example, by default each user's initial shell is a bash shell. The system administrator can set up a template that gives each user a C shell.

Devising a Configuration Strategy for Trusted Extensions

The following describes the configuration strategy from the most secure strategy to the least secure strategy:

Task division by role is shown in the following figure. The security administrator configures auditing, protects file systems, sets device policy, determines which programs require privilege to run, and protects users, among other tasks. The system administrator shares and mounts file systems, installs software packages, and creates users, among other tasks.

Figure 1-1 Administering a Trusted Extensions System: Task Division by Role

Illustration shows the configuration team tasks, then shows the tasks for the Security Administrator and the System Administrator.

Collecting Information Before Enabling Trusted Extensions

As when configuring the Oracle Solaris OS, collect system, user, network, and label information before configuring Trusted Extensions. For details, see Collect System Information Before Enabling Trusted Extensions.

Backing Up the System Before Enabling Trusted Extensions

If your system has files that must be saved, perform a backup before enabling the Trusted Extensions service. The safest way to back up files is to do a level 0 dump. If you do not have a backup procedure in place, see the administrator's guide to your current operating system for instructions.

Note - If you are migrating from a Trusted Solaris 8 release, you can restore your data only if the Trusted Extensions labels are identical to the Trusted Solaris 8 labels. Because Trusted Extensions does not create multilevel directories, each file and directory on backup media is restored to a zone whose label is identical to the file label in the backup. Backup must be completed before you reboot the system with Trusted Extensions enabled.