Skip Navigation Links | |
Exit Print View | |
Oracle Solaris Trusted Extensions Configuration and Administration Oracle Solaris 11 Express 11/10 |
Part I Initial Configuration of Trusted Extensions
1. Security Planning for Trusted Extensions
2. Configuration Roadmap for Trusted Extensions
3. Adding Trusted Extensions Software to the Oracle Solaris OS (Tasks)
4. Configuring Trusted Extensions (Tasks)
Setting Up the Global Zone and Logging In to Trusted Extensions
Check and Install Your Label Encodings File
Enable IPv6 Networking in Trusted Extensions
Configure the Domain of Interpretation
Reboot and Log In to Trusted Extensions
Create a Default Trusted Extensions System
Create Labeled Zones Interactively
Assign Labels to Two Zone Workspaces
Configure the Network Interfaces in Trusted Extensions
Make the Global Zone an LDAP Client in Trusted Extensions
Adding Network Interfaces and Routing to Labeled Zones
Add a Network Interface to Route an Existing Labeled Zone
Add a Network Interface That Does Not Use the Global Zone to Route an Existing Labeled Zone
Configure a Name Service Cache in Each Labeled Zone
Creating Roles and Users in Trusted Extensions
Create the Security Administrator Role in Trusted Extensions
Create a System Administrator Role
Create Users Who Can Assume Roles in Trusted Extensions
Creating Home Directories in Trusted Extensions
Create the Home Directory Server in Trusted Extensions
Enable Users to Access Their Home Directories in Trusted Extensions
Troubleshooting Your Trusted Extensions Configuration
Labeled Zone Is Unable to Access the X Server
Public Zone Does Not Connect to Global Zone
Additional Trusted Extensions Configuration Tasks
How to Copy Files to Portable Media in Trusted Extensions
How to Copy Files From Portable Media in Trusted Extensions
How to Remove Trusted Extensions From the System
5. Configuring LDAP for Trusted Extensions (Tasks)
6. Configuring a Headless System With Trusted Extensions (Tasks)
Part II Administration of Trusted Extensions
7. Trusted Extensions Administration Concepts
8. Trusted Extensions Administration Tools
9. Getting Started as a Trusted Extensions Administrator (Tasks)
10. Security Requirements on a Trusted Extensions System (Overview)
11. Administering Security Requirements in Trusted Extensions (Tasks)
12. Users, Rights, and Roles in Trusted Extensions (Overview)
13. Managing Users, Rights, and Roles in Trusted Extensions (Tasks)
14. Remote Administration in Trusted Extensions (Tasks)
15. Trusted Extensions and LDAP (Overview)
16. Managing Zones in Trusted Extensions (Tasks)
17. Managing and Mounting Files in Trusted Extensions (Tasks)
18. Trusted Networking (Overview)
19. Managing Networks in Trusted Extensions (Tasks)
20. Multilevel Mail in Trusted Extensions (Overview)
21. Managing Labeled Printing (Tasks)
22. Devices in Trusted Extensions (Overview)
23. Managing Devices for Trusted Extensions (Tasks)
24. Trusted Extensions Auditing (Overview)
25. Software Management in Trusted Extensions (Reference)
Creating and Managing a Security Policy
Site Security Policy and Trusted Extensions
Computer Security Recommendations
Physical Security Recommendations
Personnel Security Recommendations
Additional Security References
B. Configuration Checklist for Trusted Extensions
Checklist for Configuring Trusted Extensions
C. Quick Reference to Trusted Extensions Administration
Administrative Interfaces in Trusted Extensions
Oracle Solaris Interfaces Extended by Trusted Extensions
Tighter Security Defaults in Trusted Extensions
Limited Options in Trusted Extensions
D. List of Trusted Extensions Man Pages
Trusted Extensions Man Pages in Alphabetical Order
Oracle Solaris Man Pages That Are Modified by Trusted Extensions
Role creation in Trusted Extensions is identical to role creation in the Oracle Solaris OS. However, in Trusted Extensions, a Security Administrator role is required.
This task map describes and links to the tasks that create roles and users.
|
You are in the root role in the global zone.
For information about the command, see the roleadd(1M) man page.
Use the following information as a guide:
Role name – secadmin
-c Local Security Officer
Do not provide proprietary information.
-d home-directory
-u role-UID
-K key=value
Assign the Information Security and User Security rights profiles.
Note - For all administrative roles, use the administrative labels for the label range, set lock_after_retries=no and do not set password expiration dates.
# roleadd -c "Local Security Officer" -d /export/home1 \ -u 110 -K profiles="Information Security,User Security" -K lock_after_retries=no \ -K idletime=5 -K idlecmd=lock \ -K min_label=ADMIN_LOW -K clearance=ADMIN_HIGH secadmin
The root account provides an initial password for the role.
# passwd -r files secadmin New Password: <Type password> Re-enter new Password: <Retype password> passwd: password successfully changed for secadmin #
Assign a password of at least 6 alphanumeric characters. The password for the Security Administrator role, and all passwords, must be difficult to guess, thus reducing the chance of an adversary gaining unauthorized access by attempting to guess passwords.
Possible roles include the following:
admin Role – System Administrator rights profile
oper Role – Operator rights profile
To assign the role to a local user, see Example 4-5.
You are in the root role in the global zone.
# roleadd -c "Local System Administrator" -d /export/home1 \ -u 111 -K profiles="System Administrator" -K lock_after_retries=no \ -K idletime=5 -K idlecmd=lock \ -K min_label=ADMIN_LOW -K clearance=ADMIN_HIGH sysadmin
Where site security policy permits, you can choose to create a user who can assume more than one administrative role.
For secure user creation, the System Administrator role creates the user, and the Security Administrator role assigns security-relevant attributes, such as a password.
You must in the root role or in the Security Administrator role. The Security Administrator role has the least amount of privilege that is required for user creation.
The System Administrator performs this step.
Do not place proprietary information in the comment.
# useradd -c Second User -u 1201 -d /home/jdoe jdoe
The Security Administrator performs this step.
Note - For users who can assume roles, turn off account locking, and do not set password expiration dates.
# usermod -K lock_after_retries=no -K idletime=5 -K idlecmd=lock jdoe
Note - When the initial setup team chooses a password, the team must select a password that is difficult to guess, thus reducing the chance of an adversary gaining unauthorized access by attempting to guess passwords.
# usermod -R oper jdoe
After checking your site security policy, you might want to grant your first users the Convenient Authorizations rights profile. With this profile, users can allocate devices, print PostScript files, print without labels, remotely log in, and shut down the system. To create the profile, see How to Create a Rights Profile for Convenient Authorizations.
See Chapter 13, Managing Users, Rights, and Roles in Trusted Extensions (Tasks). Also see Managing Users and Rights (Task Map).
On a multilevel system, users and roles can be set up with files that list user initialization files to be copied or linked to other labels. For more information, see .copy_files and .link_files Files.
Example 4-5 Using the useradd Command to Create a Local User
In this example, the root role creates a local user who can assume the Security Administrator role. For details, see the useradd(1M) and atohexlabel(1M) man pages.
This user is going to have a label range that is wider than the default label range. So, the root role determines the hexadecimal format of the user's minimum label and clearance label.
# atohexlabel public 0x0002-08-08 # atohexlabel -c "confidential restricted" 0x0004-08-78
Next, the root role consults Table 1-2, and then creates the user.
# useradd -c "Local user for Security Admin" -d /export/home1 \ -K idletime=10 -K idlecmd=logout -K lock_after_retries=no -K min_label=0x0002-08-08 -K clearance=0x0004-08-78 jandoe
Then, the root role assigns an initial password.
# passwd -r files jandoe New Password: <Type password> Re-enter new Password: <Retype password> passwd: password successfully changed for jandoe #
Finally, the root role adds the Security Administrator role to the user's definition. The role was created in Create the Security Administrator Role in Trusted Extensions.
# usermod -R secadmin jandoe
To verify each role, assume the role. Then, perform tasks that only that role can perform.
If you have configured DNS or routing, you must reboot after you create the roles and before you verify that the roles work.
In the following trusted stripe, the user name is tester.
The System Administrator role should be able to modify non-security relevant properties, such as the home directory.
The Security Administrator role should be able to modify all properties of a user.
When the host is rebooted, the association between the devices and the underlying storage must be re-established.
You have created at least one labeled zone. That zone is not being used for cloning.
# svcs zones STATE STIME FMRI offline - svc:/system/zones:default
# svcadm restart svc:/system/zones:default
Regular users can now log in. Their session is in a labeled zone.