JavaScript is required to for searching.
Skip Navigation Links
Exit Print View
Oracle Solaris Trusted Extensions Administrator's Procedures     Oracle Solaris 10 8/11 Information Library
search filter icon
search icon

Document Information


1.  Trusted Extensions Administration Concepts

2.  Trusted Extensions Administration Tools

3.  Getting Started as a Trusted Extensions Administrator (Tasks)

4.  Security Requirements on a Trusted Extensions System (Overview)

Configurable Oracle Solaris Security Features

Trusted Extensions Interfaces for Configuring Security Features

Extension of Oracle Solaris Security Mechanisms by Trusted Extensions

Trusted Extensions Security Features

Security Requirements Enforcement

Users and Security Requirements

Email Usage

Password Enforcement

Information Protection

Password Protection

Group Administration

User Deletion Practices

Rules When Changing the Level of Security for Data

sel_config File

Customization of Solaris Trusted Extensions (CDE)

Front Panel Customization

Workspace Menu Customization

5.  Administering Security Requirements in Trusted Extensions (Tasks)

6.  Users, Rights, and Roles in Trusted Extensions (Overview)

7.  Managing Users, Rights, and Roles in Trusted Extensions (Tasks)

8.  Remote Administration in Trusted Extensions (Tasks)

9.  Trusted Extensions and LDAP (Overview)

10.  Managing Zones in Trusted Extensions (Tasks)

11.  Managing and Mounting Files in Trusted Extensions (Tasks)

12.  Trusted Networking (Overview)

13.  Managing Networks in Trusted Extensions (Tasks)

14.  Multilevel Mail in Trusted Extensions (Overview)

15.  Managing Labeled Printing (Tasks)

16.  Devices in Trusted Extensions (Overview)

17.  Managing Devices for Trusted Extensions (Tasks)

18.  Trusted Extensions Auditing (Overview)

19.  Software Management in Trusted Extensions (Tasks)

A.  Quick Reference to Trusted Extensions Administration

B.  List of Trusted Extensions Man Pages


Security Requirements Enforcement

To ensure that the security of the system is not compromised, administrators need to protect passwords, files, and audit data. Users need to be trained to do their part. To be consistent with the requirements for an evaluated configuration, follow the guidelines in this section.

Users and Security Requirements

Each site's security administrator ensures that users are trained in security procedures. The security administrator needs to communicate the following rules to new employees and remind existing employees of these rules on a regular basis:

Your site might want to provide additional suggestions.

Email Usage

It is an unsafe practice to use email to instruct users to take an action.

Tell users not to trust email with instructions that purport to come from an administrator. Doing so prevents the possibility that spoofed email messages could be used to fool users into changing a password to a certain value or divulging the password, which could subsequently be used to log in and compromise the system.

Password Enforcement

The System Administrator role must specify a unique user name and user ID when creating a new account. When choosing the name and ID for a new account, the administrator you must ensure that both the user name and associated ID are not duplicated anywhere on the network and have not been previously used.

The Security Administrator role is responsible for specifying the original password for each account and for communicating the passwords to users of new accounts. You must consider the following information when administering passwords:

Information Protection

You as an administrator are responsible for correctly setting up and maintaining discretionary access control (DAC) and mandatory access control (MAC) protections for security-critical files. Critical files include the following:


Caution - Because the protection mechanisms for LDAP entries are not subject to the access control policy enforced by the Trusted Extensions software, the default LDAP entries must not be extended, and their access rules must not be modified.

Password Protection

In local files, passwords are protected from viewing by DAC and from modifications by both DAC and MAC. Passwords for local accounts are maintained in the /etc/shadow file, which is readable only by superuser. For more information, see the shadow(4) man page.

Group Administration

The System Administrator role needs to verify on the local system and on the network that all groups have a unique group ID (GID).

When a local group is deleted from the system, the System Administrator role must ensure the following:

User Deletion Practices

When an account is deleted from the system, the System Administrator role and the Security Administrator role must take the following actions: