Oracle Solaris Trusted Extensions Configuration and Administration, Oracle Solaris 11 Express 11/10
Adding Network Interfaces and Routing to Labeled Zones
The following tasks support environments where each zone is connected to a separate physical network.
This procedure adds zone-specific network interfaces to existing labeled zones. This configuration supports environments where each labeled zone is connected to a separate physical network. The labeled zones use the network routing that the global zone provides.
Note - The global zone must configure an IP address for every subnet in which a non-global zone address is configured.
You are in the root role in the global zone.
For every zone, you have completed the tasks in Creating Labeled Zones.
Use a standard naming convention, such as adding -zone-name to the name of the host.
## /etc/hosts in global zone
10.10.8.2   hostname-zone-name1
10.10.8.3   hostname-global-name1
10.10.9.2   hostname-zone-name2
10.10.9.3   hostname-global-name2
## /etc/netmasks in global zone
10.10.8.0   255.255.255.0
10.10.9.0   255.255.255.0
For more information, see the netmasks(4) man page.
# ipadm show-if
IFNAME     STATE    CURRENT       PERSISTENT
lo0        ok       -m-v------46  ---
bge0       ok       bm--------4-  ---
# ipadm create-addr -T static -a 10.10.8.3 addrobj
# ipadm create-addr -T static -a 10.10.9.3 addrobj
where addrobj has the format: interface-nameN#/random-string, as in igb0/static1.
For example, you might create the following address objects:
# ipadm create-addr -T static -a 10.10.8.3 bge0/zone1
# ipadm create-addr -T static -a 10.10.9.3 bge0/zone2
The global zone addresses are configured immediately upon system startup. The zone-specific addresses are configured when the zone is booted.
If the gateway to the network is not configured with labels, assign the admin_low security template. If the gateway to the network is labeled, assign a cipso security template.
You can create security templates of host type cipso that reflect the label of every network. For the procedures to create and assign the templates, see Configuring Trusted Network Databases (Task Map).
# zoneadm -z zone-name halt
# /usr/sbin/txzonemgr
# ipadm show-if
# netstat -rn
To debug zone configuration, see the following:
This procedure sets zone-specific default routes for existing labeled zones. In this configuration, the labeled zones do not use the global zone for routing.
The labeled zone must be plumbed in the global zone before the zone is booted. However, to isolate the labeled zone from the global zone, the interface must be in the down state when the zone is booted. For more information, see Zone Network Interfaces in System Administration Guide: Oracle Solaris Zones, Oracle Solaris 10 Containers, and Resource Management.
Note - A unique default route must be configured for every non-global zone that is booted.
You are in the root role in the global zone.
For every zone, you have completed the tasks in Creating Labeled Zones. You are using either the vni0 interface or the lo0 interface to connect the labeled zones to the global zone.
Use the ipadm show-addr command to determine the IP address and netmask. Use the zonecfg -z zonename info net command to determine if a default router has been assigned.
# touch /etc/hostname.interface
# touch /etc/hostname.interface:n
For more information, see the netmasks(4) man page.
# ipadm create-if zone1-network-interface
# ipadm create-if zone2-network-interface
# ipadm show-if
IFNAME       STATE     CURRENT     PERSISTENT
bge0/zone1   disabled  -m-v----46  ---
bge0/zone2   disabled  -m-v----46  ---
The zone-specific addresses are configured when the zone is booted.
## /etc/netmasks in global zone
192.168.2.0   255.255.255.0
192.168.3.0   255.255.255.0
For more information, see the netmasks(4) man page.
Create security templates of host type cipso that reflect the label of every network. To create and assign the templates, see Configuring Trusted Network Databases (Task Map).
In the Labeled Zone Manager, you will add the network interfaces for the labeled zones. In the terminal window, you will display information about the zone and set the default router.
# zoneadm -z zone-name halt
# zonecfg -z zone-name info net
net:
    address: IP-address
    physical: zone-network-interface
    defrouter not specified
# zonecfg -z zone-name
zonecfg:zone-name> select net address=IP-address
zonecfg:zone-name:net> set defrouter=router-address
zonecfg:zone-name:net> end
zonecfg:zone-name> verify
zonecfg:zone-name> commit
zonecfg:zone-name> exit
#
For more information, see the zonecfg(1M) man page and How to Configure the Zone in System Administration Guide: Oracle Solaris Zones, Oracle Solaris 10 Containers, and Resource Management.
# zoneadm -z zone-name boot
# netstat -rn
A routing table is displayed. The destination and interface for the labeled zone are different from the entry for the global zone.
# zonecfg -z zone-name
zonecfg:zone-name> select net address=zone-IP-address
zonecfg:zone-name:net> remove net defrouter=zone-default-route
zonecfg:zone-name:net> info net
net:
    address: zone-IP-address
    physical: zone-network-interface
    defrouter not specified
Example 4-4 Setting a Default Route for a Labeled Zone
In this example, the administrator routes the Secret zone to a separate physical subnet. Traffic to and from the Secret zone is not routed through the global zone. The administrator uses the Labeled Zone Manager and the zonecfg command, then verifies that routing works.
The administrator determines that igb1 and igb1:0 are not currently in use, and creates a mapping for two labeled zones. igb1 is the designated interface for the Secret zone.
Interface   IP Address     Netmask         Default Router
igb1        192.168.2.22   255.255.255.0   192.168.2.2
igb1:0      192.168.3.33   255.255.255.0   192.168.3.3
First, the administrator creates the igb1 interface. The ipadm command shows that the interface is plumbed but not up.
# ipadm create-if igb1
# ipadm show-if
IFNAME      STATE     CURRENT     PERSISTENT
igb1        disabled  -m-v----46  ---
all-zones   ok        -m-v----46  ---
Then, the administrator creates a security template with a single label, Secret, and assigns the IP address of the interface to the template.
The administrator halts the zone.
# zoneadm -z secret halt
The administrator runs the txzonemgr script to open the Labeled Zone Manager.
# /usr/sbin/txzonemgr
In the Labeled Zone Manager, the administrator selects the Secret zone, selects Add Network, and then selects a network interface. The administrator closes the Labeled Zone Manager.
On the command line, the administrator selects the zone's IP address, then sets its default route. Before exiting the command, the administrator verifies the route and commits it.
# zonecfg -z secret
zonecfg:secret> select net address=192.168.6.22
zonecfg:secret:net> set defrouter=192.168.6.2
zonecfg:secret:net> end
zonecfg:secret> verify
zonecfg:secret> commit
zonecfg:secret> info net
net:
    address: 192.168.6.22
    physical: igb1
    defrouter: 192.168.6.2
zonecfg:secret> exit
#
The administrator boots the zone.
# zoneadm -z secret boot
In a separate terminal window in the global zone, the administrator verifies the sending and receiving of packets.
# netstat -rn
Routing Table: IPv4
  Destination           Gateway           Flags  Ref   Use     Interface
-------------------- -------------------- ----- ----- ------- ---------
default              192.168.5.15         UG        1    2664 igb0
192.168.6.2          192.168.6.22         UG        1     240 igb1
192.168.3.3          192.168.3.33         U         1     183 igb1:0
127.0.0.1            127.0.0.1            UH        1     380 lo0
...
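The two notes in the procedures above, that the global zone must hold an address on every subnet in which a zone address is configured, and that every booted labeled zone with its own routing needs a unique default route, are easy to violate once several labeled zones share one system. The following script is an added example and is not part of the Oracle guide: it applies both rules to constructed sample data using only POSIX sh and awk, so it runs anywhere. The ipadm show-addr column layout, the zone table format, the zone names and the addresses are all assumptions; on a real system you would paste the global zone's actual ipadm show-addr output into GLOBAL_ADDRS and build ZONES from what zonecfg -z zone-name info net reports for each labeled zone.

```shell
#!/bin/sh
# Added example (not from the Oracle guide): check the two routing rules from the
# procedures above against constructed sample data.

# Constructed `ipadm show-addr` output from the global zone (assumed column layout).
GLOBAL_ADDRS='ADDROBJ           TYPE     STATE        ADDR
lo0/v4            static   ok           127.0.0.1/8
bge0/v4           static   ok           10.10.7.5/24
bge0/zone1        static   ok           10.10.8.3/24
bge0/zone2        static   ok           10.10.9.3/24'

# Constructed zone table: zone-name  address/prefix  defrouter
# A defrouter of "-" means the zone routes through the global zone (first procedure);
# anything else is a zone-specific default route (second procedure).
# "broken" and "badroute" are deliberately misconfigured.
ZONES='public      10.10.8.2/24      -
internal    10.10.9.2/24      -
secret      192.168.6.22/24   192.168.6.2
restricted  192.168.3.33/24   192.168.3.3
broken      10.10.12.2/24     -
badroute    192.168.4.4/24    192.168.6.2'

# Prints one "OK zone ..." or "FAIL zone ..." line per zone.
check_zone_routing() {
  {
    printf '%s\n' "$GLOBAL_ADDRS"
    printf '%s\n' '== zones =='
    printf '%s\n' "$ZONES"
  } | awk '
  function ip2int(ip,  o) { split(ip, o, "."); return ((o[1]*256 + o[2])*256 + o[3])*256 + o[4] }
  # Network number for ip/bits. POSIX awk has no and(), so mask by integer division.
  function netof(ip, bits,  blk) { blk = 2 ^ (32 - bits); return int(ip2int(ip) / blk) * blk }
  # Render a network number back to dotted-quad/prefix form.
  function cidr(net, bits,  a, i) {
    for (i = 3; i >= 0; i--) { a[i] = int(net / 256 ^ i); net -= a[i] * 256 ^ i }
    return a[3] "." a[2] "." a[1] "." a[0] "/" bits
  }
  /^== zones ==$/ { inzones = 1; next }
  # Global-zone section: remember every IPv4 subnet the global zone has an address on.
  !inzones && $4 ~ /^[0-9.]+\/[0-9]+$/ {
    split($4, p, "/"); gnet[cidr(netof(p[1], p[2]), p[2])] = $1; next
  }
  # Zone section: apply the rule that matches the routing mode of the zone.
  inzones && NF == 3 {
    zone = $1; gw = $3; split($2, p, "/"); bits = p[2]
    znet = cidr(netof(p[1], bits), bits)
    if (gw == "-") {
      # Rule 1: the global zone must own an address on every subnet a zone address is in.
      if (znet in gnet) print "OK " zone " " znet " routed via global-zone addrobj " gnet[znet]
      else print "FAIL " zone " no global-zone address on " znet
    } else {
      # Rule 2: a zone-specific default route must be on the zone subnet and unused elsewhere.
      msg = ""
      if (cidr(netof(gw, bits), bits) != znet) msg = msg " defrouter " gw " is not on " znet
      if (gw in seen) msg = msg " defrouter " gw " already used by zone " seen[gw]
      seen[gw] = zone
      if (msg == "") print "OK " zone " " znet " defrouter " gw
      else print "FAIL " zone msg
    }
  }'
}

check_zone_routing
```

With the constructed data, public, internal, secret and restricted pass; broken fails because the global zone has no address on 10.10.12.0/24, and badroute fails twice, once because its default router is not on its own subnet and once because that router is already the default route of the secret zone. The subnet arithmetic uses integer division instead of a bitwise AND so that the script does not depend on gawk extensions.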
This procedure enables you to separately configure a name service daemon (nscd) in each labeled zone. This configuration supports environments where each zone is connected to a subnetwork that runs at the label of the zone, and the subnetwork has its own name server for that label.
Note - This configuration does not satisfy the criteria for an evaluated configuration. In an evaluated configuration, the nscd daemon runs only in the global zone. Doors in each labeled zone connect the zone to the global nscd daemon.
You are in the root role in the global zone. You have successfully completed Add a Network Interface to Route an Existing Labeled Zone.
This configuration requires that you have advanced networking skills.
# /usr/sbin/txzonemgr
Note - This option is intended to be used once, during initial system configuration.
For assistance, see the nscd(1M) and nscd.conf(4) man pages.
zone-name # svcs -x name-service-cache
svc:/system/name-service-cache:default (name service cache)
 State: online since October 10, 2010 10:10:10 AM PDT
   See: nscd(1M)
   See: /etc/svc/volatile/system-name-service-cache:default.log
Impact: None.
zone-name # netstat -rn
This selection removes the nscd daemon in every labeled zone.