Skip Navigation Links | |
Exit Print View | |
Oracle Solaris Trusted Extensions Configuration and Administration Oracle Solaris 11 Express 11/10 |
Part I Initial Configuration of Trusted Extensions
1. Security Planning for Trusted Extensions
2. Configuration Roadmap for Trusted Extensions
3. Adding Trusted Extensions Software to the Oracle Solaris OS (Tasks)
4. Configuring Trusted Extensions (Tasks)
Setting Up the Global Zone and Logging In to Trusted Extensions
Check and Install Your Label Encodings File
Enable IPv6 Networking in Trusted Extensions
Configure the Domain of Interpretation
Reboot and Log In to Trusted Extensions
Create a Default Trusted Extensions System
Create Labeled Zones Interactively
Assign Labels to Two Zone Workspaces
Configure the Network Interfaces in Trusted Extensions
Make the Global Zone an LDAP Client in Trusted Extensions
Adding Network Interfaces and Routing to Labeled Zones
Add a Network Interface to Route an Existing Labeled Zone
Add a Network Interface That Does Not Use the Global Zone to Route an Existing Labeled Zone
Configure a Name Service Cache in Each Labeled Zone
Creating Roles and Users in Trusted Extensions
Create the Security Administrator Role in Trusted Extensions
Create a System Administrator Role
Create Users Who Can Assume Roles in Trusted Extensions
Verify That the Trusted Extensions Roles Work
Enable Users to Log In to a Labeled Zone
Creating Home Directories in Trusted Extensions
Create the Home Directory Server in Trusted Extensions
Enable Users to Access Their Home Directories in Trusted Extensions
Troubleshooting Your Trusted Extensions Configuration
Labeled Zone Is Unable to Access the X Server
Public Zone Does Not Connect to Global Zone
Additional Trusted Extensions Configuration Tasks
How to Copy Files to Portable Media in Trusted Extensions
5. Configuring LDAP for Trusted Extensions (Tasks)
6. Configuring a Headless System With Trusted Extensions (Tasks)
Part II Administration of Trusted Extensions
7. Trusted Extensions Administration Concepts
8. Trusted Extensions Administration Tools
9. Getting Started as a Trusted Extensions Administrator (Tasks)
10. Security Requirements on a Trusted Extensions System (Overview)
11. Administering Security Requirements in Trusted Extensions (Tasks)
12. Users, Rights, and Roles in Trusted Extensions (Overview)
13. Managing Users, Rights, and Roles in Trusted Extensions (Tasks)
14. Remote Administration in Trusted Extensions (Tasks)
15. Trusted Extensions and LDAP (Overview)
16. Managing Zones in Trusted Extensions (Tasks)
17. Managing and Mounting Files in Trusted Extensions (Tasks)
18. Trusted Networking (Overview)
19. Managing Networks in Trusted Extensions (Tasks)
20. Multilevel Mail in Trusted Extensions (Overview)
21. Managing Labeled Printing (Tasks)
22. Devices in Trusted Extensions (Overview)
23. Managing Devices for Trusted Extensions (Tasks)
24. Trusted Extensions Auditing (Overview)
25. Software Management in Trusted Extensions (Reference)
Creating and Managing a Security Policy
Site Security Policy and Trusted Extensions
Computer Security Recommendations
Physical Security Recommendations
Personnel Security Recommendations
Additional Security References
B. Configuration Checklist for Trusted Extensions
Checklist for Configuring Trusted Extensions
C. Quick Reference to Trusted Extensions Administration
Administrative Interfaces in Trusted Extensions
Oracle Solaris Interfaces Extended by Trusted Extensions
Tighter Security Defaults in Trusted Extensions
Limited Options in Trusted Extensions
D. List of Trusted Extensions Man Pages
Trusted Extensions Man Pages in Alphabetical Order
Oracle Solaris Man Pages That Are Modified by Trusted Extensions
The following two tasks enable you to transfer exact copies of configuration files to every Trusted Extensions system at your site. The final task enables you to remove Trusted Extensions customizations from an Oracle Solaris system.
When copying to portable media, label the media with the sensitivity label of the information.
Note - During Trusted Extensions configuration, the root role copies administrative files to and from portable media. Label the media with Trusted Path.
To copy administrative files, you must be in the root role in the global zone.
Use the Device Manager, and insert clean media. For details, see How to Allocate a Device in Trusted Extensions in Oracle Solaris Trusted Extensions User Guide.
The File Browser displays the contents of the clean media.
For example, you might have copied files to an /export/clientfiles folder.
For details, see How to Deallocate a Device in Trusted Extensions in Oracle Solaris Trusted Extensions User Guide.
Note - Remember to physically affix a label to the media with the sensitivity label of the copied files.
Example 4-6 Keeping Configuration Files Identical on All Systems
The system administrator wants to ensure that every system is configured with the same settings. So, on the first system that is configured, the administrator creates a directory that cannot be deleted between reboots. In that directory, the administrator places the files that must be identical or very similar on all systems.
For example, the administrator modifies DNS lookups and the policy.conf file for this site. So, the administrator copies the following files to the permanent directory.
# mkdir /export/commonfiles # cp /etc/security/policy.conf \ /etc/resolv.conf \ /etc/nsswitch.conf \ /export/commonfiles
The administrator uses the Device Manager to allocate a CD-ROM in the global zone, and transfers the files to the CD. On a separate CD-ROM, labeled ADMIN_HIGH, the administrator puts the label_encodings file for the site.
It is safe practice to rename the original Trusted Extensions file before replacing the file. When configuring a system, the root role renames and copies administrative files.
To copy administrative files, you must be in the root role in the global zone.
For details, see How to Allocate a Device in Trusted Extensions in Oracle Solaris Trusted Extensions User Guide.
The File Browser displays the contents.
For example, add .orig to the end of the original file:
# cp /etc/security/tsol/tnrhtp /etc/security/tsol/tnrhtp.orig
For details, see How to Deallocate a Device in Trusted Extensions in Oracle Solaris Trusted Extensions User Guide.
Example 4-7 Loading Common Configuration Files in Trusted Extensions
In this example, the root role needs to copy configuration files to portable media. These files are to be copied to each Trusted Extensions system.
First, the root role allocates the floppy_0 device in the Device Manager and responds yes to the mount query. Then, the root role inserts a clean diskette that is labeled Trusted Path. The administrator then navigates to the configuration files and copies them to the diskette.
To read from the diskette, the root role allocates the floppy_0 device on the receiving system, then downloads the contents.
To remove Trusted Extensions from your Oracle Solaris system, you perform specific steps to remove Trusted Extensions customizations to the Oracle Solaris system.
For portable media, affix a physical sticker with the sensitivity label of the zone to each archived zone.
For details, see How to Remove a Non-Global Zone in System Administration Guide: Oracle Solaris Zones, Oracle Solaris 10 Containers, and Resource Management.
# svcadm disable labeld
# audit -t
# svcadm disable allocate
Various services might need to be configured for your Oracle Solaris system. Candidates include auditing, basic networking, naming services, and file system mounts.