Securing Files and Verifying File Integrity in Oracle® Solaris 11.4

Updated: August 2018

Initially Configuring Labels in Oracle Solaris

The procedures in this section install and configure a customized label policy. They include assigning labels to users and file systems. To harden this initial setup, see About Hardening Labeled File Systems.

How to Install Labels in Oracle Solaris

Before You Begin

You must be the initial user or an administrator with the Software Installation rights profile. The root role has all of these rights. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.4.

  1. Install the pkg:/system/file_labeling package.
    # pkg install file_labeling
  2. (Optional) Verify that the labeld:clearance service is enabled.
    $ svcs labeld:clearance
    STATE          STIME    FMRI
    online         Nov_18   svc:/system/labeld:clearance
  3. (Optional) View the current label policy by using the labelcfg list command.

    To view the policy details, use the labelcfg info command. For more information, see the labelcfg(8) man page. For sample output, see Viewing and Testing Sample Label Encodings Files.

How to Configure Your Label Policy

Defining a label policy is the first step in data loss protection. Later you will assign labels to file systems, and assign selected users a clearance that is higher than the default to view sensitive files.

    This procedure uses the following configuration parameters:

  • Encodings file = site-enc

  • Minimum label (Lower bound of user labels) = Public

  • Next higher classification = Confidential

  • Confidential label hierarchy = Confidential Internal Use Only, Confidential Restricted, Confidential Highly Restricted

  • Clearance (Upper bound of user labels) = Confidential Internal Use Only

Before You Begin

Complete a label policy assessment. To determine which labels to create, see Configuring Labels on an Oracle Solaris System.

You must be assigned the Object Label Management rights profile or be in the root role. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.4.

  1. As root, assign the ADMIN_LOW clearance as the default clearance for all SMF services.

    If you are using the account-policy service, use the first option. For more information, see the account-policy(8S) man page.

    • Modify the login_policy/clearance security attribute in SMF.

      Follow the procedure How to Set Account Locking for All Logins in Securing Users and Processes in Oracle Solaris 11.4, substituting login_policy/clearance for the property in that procedure.

    • DEPRECATED: Comment out the original line in the policy.conf file and add the ADMIN_LOW clearance.
      # pfedit /etc/security/policy.conf
      ## Highest label at which SMF services run by default.
      ## For services that must run at a higher label, set a higher clearance
      ## on their start and restart methods.
  2. Create an encodings file.

    You can modify the label_encodings.compliance or label_encodings.default files in the /etc/security/tsol directory or create a new encodings file. The following command creates an encodings file from scratch.

    # labelcfg -e /etc/security/tsol/site-enc
  3. Title the label policy.
    labelcfg:site-enc> set title="Name Label Policy"
  4. Define the labels you will use at your site to protect data.

    Start with the lowest classification, which is typically the Public classification.

    labelcfg:site-enc> add classification="Public"
    labelcfg:Public> set shortname="P"
    labelcfg:Public> end

    Because public information is public throughout the organization, this label does not require compartments.

  5. Define the next higher classification.
    labelcfg:site-enc> add classification="Confidential"
    labelcfg:Confidential> set shortname="Conf"
    labelcfg:Confidential> end

    Add compartments to this classification to indicate levels of confidentiality from company-internal to very restricted.

  6. Create the lowest Confidential label by defining the classification's first compartment.
    labelcfg:site-enc> add compartment="Internal Use Only"
    labelcfg:Internal Use Only> set minclass="Confidential"
    labelcfg:Internal Use Only> end

    minclass indicates that this compartment cannot be used by the Public classification.

  7. Define the next higher label.

    This label is higher because its compartment bits include the Internal Use Only compartment bits.

    labelcfg:site-enc> add compartment="Restricted"
    labelcfg:Restricted> set minclass="Confidential"
    labelcfg:Restricted> set subcompartments="Internal Use Only"
    labelcfg:Restricted> end
  8. Define the next higher label and set Restricted as its subcompartment.
    labelcfg:site-enc> add compartment="Highly Restricted"
    labelcfg:Highly Restricted> set minclass="Confidential"
    labelcfg:Highly Restricted> set subcompartments=Restricted
    labelcfg:Highly Restricted> end
  9. Define the min_label value.
    labelcfg:site-enc> set min_label=Public

    Choose a label that is suitable for the organization, such as Public. This label is the lower bound for all processes.

  10. Define the clearance and commit the label policy.
    labelcfg:site-enc> set clearance="Confidential Internal Use Only"
    labelcfg:site-enc> commit

    This label is the default clearance for all user processes. Only users to whom you explicitly assign a higher label can access sensitive files.

  11. (Optional) Display the details of your label hierarchy.
    labelcfg:site-enc> info
    title=Organization's Label Policy
    compartment=Highly Restricted
    compartment=Internal Use Only
    clearance=Confidential Internal Use Only
    labelcfg:site-enc> exit
  12. (Optional) Save your work into a flat file.

    The export subcommand produces output that can be used as input to the labelcfg command to create the exported label policy. In this example, the administrator saves the file to a secure directory.

    # labelcfg export -f /opt/adminfiles/site-enc-export1
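
The hierarchy built in Steps 4 through 10, modeled as an added example (not part of the Oracle procedure): one label dominates another when its classification is at least as high and its compartment bits include the other's bits. The numeric classification values and bit masks are assumptions chosen for illustration; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: model of the site-enc label hierarchy.
# Classification values and compartment bit masks are ASSUMED for illustration.

# label_def NAME -> "classification-value compartment-bitmask"
label_def() {
  case "$1" in
    "Public")                         echo "1 0" ;;
    "Confidential Internal Use Only") echo "2 1" ;;  # own bit 0
    "Confidential Restricted")        echo "2 3" ;;  # own bit 1 + Internal Use Only bits
    "Confidential Highly Restricted") echo "2 7" ;;  # own bit 2 + Restricted bits
    *) return 1 ;;
  esac
}

# dominates A B: true when class(A) >= class(B) and bits(A) include bits(B)
dominates() {
  _a=$(label_def "$1") || return 2   # unknown label: fail closed
  _b=$(label_def "$2") || return 2
  [ "${_a% *}" -ge "${_b% *}" ] &&
    [ $(( ${_a#* } & ${_b#* } )) -eq "${_b#* }" ]
}

# can_access CLEARANCE FILE_LABEL -> allow | deny
can_access() {
  if dominates "$1" "$2"; then echo allow; else echo deny; fi
}

# labels_in_range MIN_LABEL CLEARANCE -> labels a user can work at
labels_in_range() {
  _out=""
  while IFS= read -r _l; do
    if dominates "$2" "$_l" && dominates "$_l" "$1"; then
      _out="${_out:+$_out, }$_l"
    fi
  done <<EOF
Public
Confidential Internal Use Only
Confidential Restricted
Confidential Highly Restricted
EOF
  echo "$_out"
}

# Default clearance from Step 10 checked against a Restricted file
echo "default user, Restricted file: $(can_access "Confidential Internal Use Only" "Confidential Restricted")"
echo "default range: $(labels_in_range "Public" "Confidential Internal Use Only")"
```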

Next Steps

If you have disjoint labels to define, you can do so now. For an example, see Example - Label Encodings File With Reused Compartment Bits and the labelcfg(8) man page.

How to Assign a Label to a File System

To create a labeled file system, you enable the multilevel ZFS property. This action can be performed at any time during the lifetime of a ZFS dataset.

Before You Begin

Create an encodings file. You must have logged out and logged back in. You also must be a user who can assume the root role. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.4.

  1. Verify that your label policy is in effect.
    $ labelcfg list
    $ labelcfg info clearance
    $ plabel

    The clearance value returned by these two commands should be identical. If the values differ, you did not commit the value of clearance when you edited the encodings file or you have not logged out and logged back in.

  2. Assume the root role.
    $ su - root
  3. Modify or create the ZFS datasets that will contain sensitive, labeled files.
    • To modify an existing file system and set a label on the mount point:
      # zfs set multilevel=on rpool/existing-fs
      # setlabel "label" /existing-fs-mountpoint

      For example, to label the /export/home directory:

      # zfs set multilevel=on rpool/export/home
      # setlabel "Conf - Internal Use Only" /export/home
    • To create a labeled file system, mount it, and set a label on the mount point:

      Tip  -  For additional protection, encrypt every new multilevel file system.
      # zfs create -o multilevel=on -o encryption=on rpool/labeled-fs
      # zfs set mountpoint=/mountpoint rpool/labeled-fs
      # setlabel "label" /mountpoint

      For example, you could label a directory that contains files for company-wide distribution.

      # zfs create -o multilevel=on -o encryption=on rpool/ftp-files
      # zfs set mountpoint=/ftpsource rpool/ftp-files
      # setlabel "Conf - Internal Use Only" /ftpsource
  4. (Optional) Verify that the file system is labeled.
    # getlabel /mountpoint
  5. (Optional) Share the file system over NFS as a labeled file system.

    If you do not share a labeled file system with the share.nfs.labeled=on option, the files whose labels are higher than ADMIN_LOW cannot be accessed.

    Tip  -  To minimize the risk of identity spoofing, specify an NFS security option with the labeled option. See the nfssec(7) man page.
    # zfs share -o nfs=on -o share.nfs.labeled=on -o share.nfs.sec=krb5 rpool/labeled-fs
  6. (Optional) View the upper bound of the file system.

    The value of the mlslabel property is the upper bound of the file system and cannot be lowered.

    # zfs get mlslabel
    NAME                              PROPERTY  VALUE                 SOURCE
    rpool/VARSHARE/zones              mlslabel  none                       -
    rpool/dump                        mlslabel  -                          -
    rpool/export                      mlslabel  none                       -
    rpool/export/home                 mlslabel  Conf - Internal Use Only   -

    If higher-labeled files are added, the upper bound is raised to the label of the higher files. A labeled file system retains its label even if all labeled files are reset or removed.

  7. Assign clearances that are higher than the default clearance to trusted users and trusted roles.
    # usermod -K clearance="higher-than-default-clearance" trusted-user1
    # rolemod -K clearance="higher-than-default-clearance" trusted-role1
  8. (Optional) Assign clearances that are lower than the default clearance to guest users.
    # usermod -K clearance=Public guest
  9. Configure the auditing of sensitive files by enabling the labeled-only audit policy, then set the appropriate audit flags.

    This policy enables you to audit file-read events and set the audit flags for labeled files.

    # auditconfig -setpolicy +labeled-only
    # auditconfig -setflags fr,fw,fm,dc,fd,ex,lo

    When you enable the fr audit class while the labeled-only policy is in effect, only labeled files are audited for file reads. Regular files are not.
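
A check for the encryption Tip in Step 3, as an added example (not part of the Oracle procedure): a dataset converted in place with zfs set multilevel=on keeps whatever encryption setting it already had, so this flags labeled datasets that are not encrypted. The function names and the sample rows are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag multilevel ZFS datasets that are not encrypted.
# Expects tab-separated name/property/value rows on stdin, as printed by
#   zfs get -rH -o name,property,value multilevel,encryption,mlslabel rpool

audit_labeled_fs() {
  awk -F'\t' '
    $2 == "multilevel" { ml[$1]  = $3 }
    $2 == "encryption" { enc[$1] = $3 }
    $2 == "mlslabel"   { lbl[$1] = $3 }
    END {
      for (ds in ml) {
        if (ml[ds] != "on") continue   # not a labeled file system, skip
        state = (enc[ds] == "" || enc[ds] == "off") ? "UNENCRYPTED" : "OK"
        printf "%s\t%s\t%s\n", state, ds, lbl[ds]
      }
    }' | LC_ALL=C sort
}

# Constructed sample rows (not captured from a real system)
sample_rows() {
  printf '%s\t%s\t%s\n' \
    rpool/export      multilevel off \
    rpool/export      encryption off \
    rpool/export      mlslabel   none \
    rpool/export/home multilevel on \
    rpool/export/home encryption off \
    rpool/export/home mlslabel   "Conf - Internal Use Only" \
    rpool/ftp-files   multilevel on \
    rpool/ftp-files   encryption on \
    rpool/ftp-files   mlslabel   "Conf - Internal Use Only"
}

# Prints one line per labeled dataset: state, dataset name, upper-bound label
sample_rows | audit_labeled_fs
```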

Example 14  Finding Files of a Specified Label

The following script finds all files of a specified label.

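# Find all files whose label matches $1

zfs list -Ho multilevel,mounted,mountpoint -t filesystem -r rpool |
while read -r multilevel mounted mountpt; do
	# Search only mounted file systems that have multilevel=on
	if [ "$multilevel" = on ] && [ "$mounted" = yes ]; then
		# Read find output line by line so names with spaces stay intact
		find "$mountpt" -print | while IFS= read -r file; do
			# Take the text after the first colon of the getlabel
			# output and keep it only if it matches $1
			label=$(getlabel "$file" 2>/dev/null | cut -d: -f2 |
			    grep -i "$1" 2>/dev/null)
			if [[ -n $label ]]; then
				echo "$file"
				echo '\t'$label
			fi
		done
	fi
done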