JavaScript is required to for searching.
Skip Navigation Links
Exit Print View
Trusted Extensions Configuration and Administration     Oracle Solaris 11.1 Information Library
search filter icon
search icon

Document Information

Preface

Part I Initial Configuration of Trusted Extensions

1.  Security Planning for Trusted Extensions

2.  Configuration Roadmap for Trusted Extensions

3.  Adding the Trusted Extensions Feature to Oracle Solaris (Tasks)

4.  Configuring Trusted Extensions (Tasks)

5.  Configuring LDAP for Trusted Extensions (Tasks)

Part II Administration of Trusted Extensions

6.  Trusted Extensions Administration Concepts

7.  Trusted Extensions Administration Tools

8.  Security Requirements on a Trusted Extensions System (Overview)

9.  Performing Common Tasks in Trusted Extensions

10.  Users, Rights, and Roles in Trusted Extensions (Overview)

11.  Managing Users, Rights, and Roles in Trusted Extensions (Tasks)

Customizing the User Environment for Security (Task Map)

How to Modify Default User Label Attributes

How to Modify policy.conf Defaults

How to Configure Startup Files for Users in Trusted Extensions

How to Log In to a Failsafe Session in Trusted Extensions

Managing Users and Rights (Task Map)

How to Modify a User's Label Range

How to Create a Rights Profile for Convenient Authorizations

How to Restrict a User's Set of Privileges

How to Prevent Account Locking for Users

How to Enable a User to Change the Security Level of Data

How to Delete a User Account From a Trusted Extensions System

12.  Remote Administration in Trusted Extensions (Tasks)

13.  Managing Zones in Trusted Extensions

14.  Managing and Mounting Files in Trusted Extensions

15.  Trusted Networking (Overview)

16.  Managing Networks in Trusted Extensions (Tasks)

17.  Trusted Extensions and LDAP (Overview)

18.  Multilevel Mail in Trusted Extensions (Overview)

19.  Managing Labeled Printing (Tasks)

20.  Devices in Trusted Extensions (Overview)

21.  Managing Devices for Trusted Extensions (Tasks)

22.  Trusted Extensions Auditing (Overview)

23.  Software Management in Trusted Extensions

A.  Site Security Policy

Creating and Managing a Security Policy

Site Security Policy and Trusted Extensions

Computer Security Recommendations

Physical Security Recommendations

Personnel Security Recommendations

Common Security Violations

Additional Security References

B.  Configuration Checklist for Trusted Extensions

Checklist for Configuring Trusted Extensions

C.  Quick Reference to Trusted Extensions Administration

Administrative Interfaces in Trusted Extensions

Oracle Solaris Interfaces Extended by Trusted Extensions

Tighter Security Defaults in Trusted Extensions

Limited Options in Trusted Extensions

D.  List of Trusted Extensions Man Pages

Trusted Extensions Man Pages in Alphabetical Order

Oracle Solaris Man Pages That Are Modified by Trusted Extensions

Glossary

Index

Customizing the User Environment for Security (Task Map)

The following task map describes common tasks that you can perform when customizing a system for all users, or when customizing an individual user's account. Many of these tasks are performed before regular users can log in.

Task
Description
For Instructions
Change label attributes.
Modify label attributes, such as minimum label and default label view, for a user account.
Change Trusted Extensions policy for all users of a system.
Changes the policy.conf file.
Turns on the screensaver or logs out the user after a set amount of time that the system is idle.
Removes unnecessary privileges from all regular users of a system.
Prevents labels from appearing on printed output at a public kiosk.
Configure initialization files for users.
Configures startup files, such as .bashrc, .cshrc, .copy_files, and .soffice for all users.
Log in to a failsafe session.
Fixes faulty user initialization files.

How to Modify Default User Label Attributes

You can modify the default user label attributes during the configuration of the first system. The changes must be copied to every Trusted Extensions system.


Caution

Caution - You must complete this task before any regular users access the system.


Before You Begin

You must be in the Security Administrator role in the global zone. For details, see How to Enter the Global Zone in Trusted Extensions.

  1. Review the default user attribute settings in the /etc/security/tsol/label_encodings file.

    For the defaults, see Table 1-2 in Planning User Security in Trusted Extensions.

  2. Modify the user attribute settings in the label_encodings file.
  3. Distribute a copy of the file to every Trusted Extensions system.

    Caution

    Caution - The label_encodings file must be the same on all systems. For one distribution method, see How to Copy Files to Portable Media in Trusted Extensions and How to Copy Files From Portable Media in Trusted Extensions.


How to Modify policy.conf Defaults

Changing the policy.conf defaults in Trusted Extensions is identical to changing any security-relevant system file in Oracle Solaris. Use this procedure to change the defaults for all users of a system.

Before You Begin

You must be in the root role in the global zone. For details, see How to Enter the Global Zone in Trusted Extensions.

  1. Review the default settings in the /etc/security/policy.conf file.

    For Trusted Extensions keywords, see Table 10-1.

  2. Modify the settings.

Example 11-1 Changing the System's Idle Settings

In this example, the security administrator wants idle systems to return to the login screen. The default locks an idle system. Therefore, the root role adds the IDLECMD keyword=value pair to the /etc/security/policy.conf file as follows:

IDLECMD=LOGOUT

The administrator also wants systems to be idle a shorter amount of time before logout. Therefore, the root role adds the IDLETIME keyword=value pair to the policy.conf file as follows:

IDLETIME=10

The system now logs out the user after the system is idle for 10 minutes.

Note that if the login user assumes a role, the user's IDLECMD and IDLETIME values are in effect for that role.

Example 11-2 Modifying Every User's Basic Privilege Set

In this example, the security administrator of a large Sun Ray installation does not want regular users to view the processes of other Sun Ray users. Therefore, on every system that is configured with Trusted Extensions, the root role removes proc_info from the basic set of privileges. The PRIV_DEFAULT setting in the /etc/policy.conf file is uncommented and modified as follows:

PRIV_DEFAULT=basic,!proc_info

Example 11-3 Assigning Printing-Related Authorizations to All Users of a System

In this example, site security permits a public kiosk computer to print without labels. On the public kiosk, the root role modifies the value for AUTHS_GRANTED in the /etc/security/policy.conf file. At the next boot, print jobs by all users of this kiosk print without page labels.

AUTHS_GRANTED=solaris.print.unlabeled

Then, the administrator decides to save paper by removing banner and trailer pages. The administrator further modifies the policy.conf entry.

AUTHS_GRANTED=solaris.print.unlabeled,solaris.print.nobanner

After the public kiosk is rebooted, all print jobs are unlabeled, and have no banner or trailer pages.

How to Configure Startup Files for Users in Trusted Extensions

Users can put a .copy_files file and .link_files file into their home directory at the label that corresponds to their minimum sensitivity label. Users can also modify the existing .copy_files and .link_files files at the users' minimum label. This procedure is for the administrator role to automate the setup for a site.

Before You Begin

You must be in the System Administrator role in the global zone. For details, see How to Enter the Global Zone in Trusted Extensions.

  1. Create two Trusted Extensions startup files.

    You are going to add .copy_files and .link_files to your list of startup files.

    # cd /etc/skel
    # touch .copy_files .link_files
  2. Customize the .copy_files file.
    1. In an editor, type the full pathname to the .copy_files file.
      # pfedit /etc/skel/.copy_files
    2. Type into .copy_files, one file per line, the files to be copied into the user's home directory at all labels.

      Use .copy_files and .link_files Files for ideas. For sample files, see Example 11-4.

  3. Customize the .link_files file.
    1. In an editor, type the full pathname to the .link_files.
      # pfedit /etc/skel/.link_files
    2. Type into .link_files, one file per line, the files to be linked into the user's home directory at all labels.
  4. Customize the other startup files for your users.
  5. (Optional) Create a skelP subdirectory for users whose default shell is a profile shell.

    The P indicates the Profile shell.

  6. Copy the customized startup files into the appropriate skeleton directory.
  7. Use the appropriate skelX pathname when you create the user.

    The X indicates the letter that begins the shell's name, such as B for Bourne, K for Korn, C for a C shell, and P for Profile shell.

Example 11-4 Customizing Startup Files for Users

In this example, the system administrator configures files for every user's home directory. The files are in place before any user logs in. The files are at the user's minimum label. At this site, the users' default shell is the C shell.

The system administrator creates a .copy_files and a .link_files file with the following contents:

## .copy_files for regular users
## Copy these files to my home directory in every zone
.mailrc
.mozilla
.soffice
:wq
## .link_files for regular users with C shells
## Link these files to my home directory in every zone
.bashrc
.bashrc.user
.cshrc
.login
:wq
## .link_files for regular users with Korn shells
# Link these files to my home directory in every zone
.ksh
.profile
:wq

In the shell initialization files, the administrator ensures that the users' print jobs go to a labeled printer.

## .cshrc file
setenv PRINTER conf-printer1
setenv LPDEST  conf-printer1
## .ksh file
export PRINTER conf-printer1
export LPDEST  conf-printer1

The customized files are copied to the appropriate skeleton directory.

$ cp .copy_files .link_files .bashrc .bashrc.user .cshrc \
.login .profile .mailrc /etc/skelC
$ cp .copy_files .link_files .ksh .profile .mailrc \
/etc/skelK

Troubleshooting

If you create a .copy_files files at your lowest label, then log in to a higher zone to run the updatehome command and the command fails with an access error, try the following:

Unless you are using NFS mounts for home directories, the automounter in the higher-level zone should be loopback mounting from /zone/lower-level-zone/export/home/username to /zone/lower-level-zone/home/username.

How to Log In to a Failsafe Session in Trusted Extensions

In Trusted Extensions, failsafe login is protected. If a regular user has customized shell initialization files and now cannot log in, you can use failsafe login to fix the user's files.

Before You Begin

You must know the root password.

  1. Type your user name in the login screen.
  2. At the bottom of the screen, choose Solaris Trusted Extensions Failsafe Session from the desktop menu.
  3. When prompted, type your password.
  4. When prompted for an additional password, type the root password.

    You can now debug the user's initialization files.