Securing Users and Processes in Oracle® Solaris 11.4

Updated: November 2020

Example - Protecting the FTP Service With a Label

In this example, you label the FTP service for your organization. The FTP server holds labeled datasets whose company-internal files are labeled Confidential - Internal. Users who are cleared for Confidential - Internal files can use ftp to transfer those files. Users who are not cleared can neither get the files nor see them.

  1. On the FTP server, the administrator determines the hexadecimal number of the label at which the FTP service will run and installs the network/ftp package.

    # atohexlabel "Confidential - Internal"
    0x0002-08-20
    
    # pkg install network/ftp

  2. The administrator assigns the hexadecimal number of the "Confidential - Internal" clearance to the start method of the svc:/network/ftp service and restarts the service.

    # svccfg -s ftp
    svc:/network/ftp> setprop start/clearance = astring: 0x0002-08-20
    svc:/network/ftp> refresh
    svc:/network/ftp> exit
    
    # svcadm restart ftp

  3. The administrator creates a multilevel dataset and mounts it.

    # zfs create -o multilevel=on rpool/ftp-files
    # zfs set mountpoint=/ftpsource rpool/ftp-files

  4. The administrator transfers datasets that are labeled Confidential - Internal to the new server.

    rs-sys # zfs send -r rpool/research-intern | ssh ftp1 zfs receive -d rpool/ftp-files
    hr-sys # zfs send -r rpool/hr-intern | ssh ftp1 zfs receive -d rpool/ftp-files
    tr-sys # zfs send -r rpool/training-intern | ssh ftp1 zfs receive -d rpool/ftp-files

  5. Before deployment, the administrator tests that users with the Confidential - Internal clearance can get files from the server.
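
A configuration check to run before the user test in step 5, as an added example that is not part of the Oracle guide. It assumes the service, property, and dataset names used in steps 1 through 4, and that `zfs receive -d` placed each received dataset directly under rpool/ftp-files; `audit_ftp_label` is a hypothetical helper name, and the values in the fallback branch are constructed.

```shell
#!/bin/sh
# Added example, not from the Oracle guide: audit steps 1-4 before step 5.
EXPECTED_CLEARANCE="0x0002-08-20"   # hex label from step 1
DATASET="rpool/ftp-files"           # multilevel dataset from step 3
MOUNTPOINT="/ftpsource"
CHILDREN="research-intern hr-intern training-intern"   # received in step 4

# audit_ftp_label CLEARANCE MULTILEVEL MOUNTPOINT DATASET_NAMES
# Prints one line per finding; the return value is the number of findings.
audit_ftp_label() {
    findings=0
    if [ "$1" != "$EXPECTED_CLEARANCE" ]; then
        echo "start/clearance is '${1:-unset}', expected $EXPECTED_CLEARANCE"
        findings=$((findings + 1))
    fi
    if [ "$2" != "on" ]; then
        echo "$DATASET: multilevel is '${2:-unset}', expected on"
        findings=$((findings + 1))
    fi
    if [ "$3" != "$MOUNTPOINT" ]; then
        echo "$DATASET: mountpoint is '${3:-unset}', expected $MOUNTPOINT"
        findings=$((findings + 1))
    fi
    for child in $CHILDREN; do
        found=no
        # Whole-name comparison, so hr-intern-old does not count as hr-intern.
        for ds in $4; do
            if [ "$ds" = "$DATASET/$child" ]; then found=yes; fi
        done
        if [ "$found" = no ]; then
            echo "$DATASET/$child: not present after zfs receive"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

if command -v svcprop >/dev/null 2>&1 && command -v zfs >/dev/null 2>&1; then
    audit_ftp_label \
        "$(svcprop -p start/clearance svc:/network/ftp 2>/dev/null)" \
        "$(zfs get -H -o value multilevel "$DATASET" 2>/dev/null)" \
        "$(zfs get -H -o value mountpoint "$DATASET" 2>/dev/null)" \
        "$(zfs list -H -o name -r "$DATASET" 2>/dev/null)" ||
        echo "$? finding(s): fix before testing user access"
else
    # Not on the FTP server: constructed sample with one dataset missing.
    audit_ftp_label "0x0002-08-20" on /ftpsource \
        "$DATASET $DATASET/research-intern $DATASET/hr-intern" ||
        echo "$? finding(s) in the constructed sample"
fi
```

A clean result only confirms the settings from the procedure; the access test with cleared and uncleared users in step 5 is still required.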