Checklist for Configuring Trusted Extensions

The following list summarizes what is required to enable and configure Trusted Extensions at your site. Tasks that are covered elsewhere are cross-referenced.

1. Read.

   • Read the first five chapters of Part II, Administration of Trusted Extensions.

   • Understand site security requirements.

   • Read Site Security Policy and Trusted Extensions.

2. Prepare.

   • Decide the root password.

   • Decide the PROM or BIOS security level.

   • Decide the PROM or BIOS password.

   • Decide if attached peripherals are permitted.

   • Decide if access to remote printers is permitted.

   • Decide if access to unlabeled networks is permitted.

3. Enable Trusted Extensions. See Enabling the Trusted Extensions Service and Logging In.

   1. Install the Oracle Solaris OS.

   2. Load the Trusted Extensions packages.

   3. Enable svc:/system/labeld, the Trusted Extensions service.

   4. Reboot.

4. (Optional) Customize the global zone. See Setting Up the Global Zone in Trusted Extensions.

   1. If using a DOI different from 1, set the DOI in the /etc/system file and in every security template.

   2. Verify and install your site's label_encodings file.

   3. Reboot.

5. Add labeled zones. See Creating Labeled Zones.

   1. Configure two labeled zones automatically.

   2. Configure your labeled zones manually.

   3. Create labeled workspace.

6. Configure the LDAP naming service. See Chapter 5, Configuring LDAP for Trusted Extensions (Tasks).

   Create either a Trusted Extensions proxy server or a Trusted Extensions LDAP server. The files naming service requires no configuration.

7. Configure interfaces and routing for the global zone and for labeled zones. See Configuring the Network Interfaces in Trusted Extensions.

8. Configure the network. See Labeling Hosts and Networks (Tasks).

   • Identify single-label hosts and limited-range hosts.

   • Determine the labels to apply to incoming data from unlabeled hosts.

   • Customize the security templates.

   • Assign individual hosts to security templates.

   • Assign subnets to security templates.

9. Perform further configurations.

   1. Configure network connections for LDAP.

      • Assign the LDAP server or proxy server to the cipso host type in all security templates.

      • Assign LDAP clients to the cipso host type in all security templates.

      • Make the local system a client of the LDAP server.

   2. Configure local users and local administrative roles. See Creating Roles and Users in Trusted Extensions.

      • Create the Security Administrator role.

      • Create a local user who can assume the Security Administrator role.

      • Create other roles and possibly other local users to assume these roles.

   3. Create home directories at every label that the user can access. See Creating Centralized Home Directories in Trusted Extensions.

      • Create home directories on an NFS server.

      • Create local ZFS home directories that can be encrypted.

      • (Optional) Prevent users from reading their lower-level home directories.

   4. Configure printing. See Configuring Labeled Printing (Task Map).

   5. Configure devices. See Handling Devices in Trusted Extensions (Task Map).

      1. Assign the Device Management profile or the System Administrator profile to a role.

      2. To make devices usable, do one of the following:

         • Per system, make devices allocatable.

         • Assign the Allocate Device authorization to selected users and roles.

   6. Configure Oracle Solaris features.

      • Configure auditing.

      • Configure system security values.

      • Enable particular LDAP clients to administer LDAP.

      • Configure users in LDAP.

      • Configure network roles in LDAP.

   7. Mount and share file systems. See Chapter 14, Managing and Mounting Files in Trusted Extensions.