Remote administration presents a significant security risk, particularly from users on untrusted systems. By default, Trusted Extensions does not allow remote administration from any system.
Until the network is configured, all remote hosts are assigned the admin_low security template, that is, they are recognized as unlabeled hosts. Until the labeled zones are configured, the only zone available is the global zone. In Trusted Extensions, the global zone is the administrative zone. Only a role can access it. Specifically, an account must have a label range from ADMIN_LOW to ADMIN_HIGH to reach the global zone.
While in this initial state, Trusted Extensions systems are protected from remote attacks by several mechanisms. Mechanisms include netservices values, default ssh policy, default login policy, and default PAM policy.
At installation, no remote services except secure shell are enabled to listen on the network.
However, the ssh service cannot be used for remote login by root or by role because of ssh, login, and PAM policies.
The root account cannot be used for remote logins because root is a role. Roles cannot log in, as enforced by PAM.
Even if root is changed to a user account, the default login and ssh policies prevent remote logins by the root user.
Two default PAM values prevent remote logins.
The pam_roles module rejects local and remote logins from accounts of type role.
A Trusted Extensions PAM module, pam_tsol_account, rejects remote logins into the global zone unless the CIPSO protocol is used. The intent of this policy is for remote administration to be performed by another Trusted Extensions system.
So, as on an Oracle Solaris system, remote administration must be configured. Trusted Extensions adds two configuration requirements, the label range that is required to reach the global zone, and the pam_tsol_account module.