Trusted Extensions Configuration and Administration


Updated: March 2019

Viewing Existing Security Templates

How to View Security Templates

You can view the list of security templates and the contents of each template. The examples shown in this procedure use the default security templates.

  1. List the available security templates.
    # tncfg list
    cipso
    admin_low
    adapt
    netif
  2. View the contents of the listed templates.
    # tncfg -t cipso info
    name=cipso
    host_type=cipso
    doi=1
    min_label=ADMIN_LOW
    max_label=ADMIN_HIGH
    host=127.0.0.1/32

    The 127.0.0.1/32 entry in the preceding cipso security template identifies this system itself as a labeled host. When a peer system assigns this system's address to one of its own remote host templates with host_type=cipso, the two systems exchange labeled packets.

    # tncfg -t admin_low info
    name=admin_low
    host_type=unlabeled
    doi=1
    def_label=ADMIN_LOW
    min_label=ADMIN_LOW
    max_label=ADMIN_HIGH
    host=0.0.0.0/0

    The 0.0.0.0/0 entry in the preceding admin_low security template is a wildcard: every host that is not explicitly assigned to another security template matches it and can contact this system. Such hosts are treated as unlabeled, and because def_label=ADMIN_LOW their traffic is handled at the template's default label, ADMIN_LOW.

    • The advantage of the 0.0.0.0/0 entry is that all hosts that this system requires at boot time, such as servers and gateways, can be found.

    • The disadvantage of the 0.0.0.0/0 entry is that any host on this system's network can contact this system. To restrict which hosts can contact this system, see How to Limit the Hosts That Can Be Contacted on the Trusted Network.

    # tncfg -t adapt info
    name=adapt
    host_type=adapt
    doi=1
    min_label=ADMIN_LOW
    max_label=ADMIN_HIGH
    host=0.0.0.0/0

    An adapt template identifies an adaptive host: an untrusted system that is not given a default label in its template. Its label is assigned instead by the trusted system that receives its packets, and is taken from the default label of the IP interface on which the packet arrives, as specified by that labeled system's netif template.

    # tncfg -t netif info
    name=netif
    host_type=netif
    doi=1
    def_label=ADMIN_LOW
    min_label=ADMIN_LOW
    max_label=ADMIN_HIGH
    host=127.0.0.1/32

    A netif template specifies a trusted local network interface, not a remote host. The default label of a netif template must equal the label of every zone with a dedicated network interface whose IP address matches a host address in that template. Additionally, the lower link that corresponds to the matching zone interface can be assigned only to other zones that share the same label.
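The listings above are the raw material for a quick check of the point made under admin_low: a template whose host entry is 0.0.0.0/0 is matched by every host not assigned elsewhere. The following shell script is an added example, not part of the Oracle documentation or of tncfg itself. It parses the name=value listing that tncfg -t <template> info prints and reports which templates carry the wildcard entry; the function names and the embedded sample (a constructed copy of the four default templates shown in the procedure) are assumptions made for the example, so it runs without tncfg.

```shell
#!/bin/sh
# Added example (not from the Oracle documentation): flag security templates
# that carry the 0.0.0.0/0 wildcard host entry. The input format is the
# name=value listing that "tncfg -t <template> info" prints; on a labeled
# system you would generate it with
#     for t in $(tncfg list); do tncfg -t "$t" info; done | audit_templates
# Here the input is a constructed copy of the four default templates instead,
# so the script runs without tncfg.

# audit_templates: read one or more template listings on stdin and print one
# summary line per template: "<name> host_type=<type> wildcard=yes|no".
audit_templates() {
    awk '
        function emit() { printf "%s host_type=%s wildcard=%s\n", name, type, wild }
        /^name=/ {                       # a new template starts; flush the previous one
            if (name != "") emit()
            name = substr($0, 6); type = ""; wild = "no"
            next
        }
        /^host_type=/ { type = substr($0, 11) }
        /^host=/      { if (substr($0, 6) == "0.0.0.0/0") wild = "yes" }
        END           { if (name != "") emit() }
    '
}

# wildcard_templates: names of the templates that any unassigned host matches.
wildcard_templates() {
    audit_templates | awk '$3 == "wildcard=yes" { print $1 }'
}

# Constructed sample: the default templates as listed in the procedure above.
SAMPLE_TEMPLATES='name=cipso
host_type=cipso
doi=1
min_label=ADMIN_LOW
max_label=ADMIN_HIGH
host=127.0.0.1/32
name=admin_low
host_type=unlabeled
doi=1
def_label=ADMIN_LOW
min_label=ADMIN_LOW
max_label=ADMIN_HIGH
host=0.0.0.0/0
name=adapt
host_type=adapt
doi=1
min_label=ADMIN_LOW
max_label=ADMIN_HIGH
host=0.0.0.0/0
name=netif
host_type=netif
doi=1
def_label=ADMIN_LOW
min_label=ADMIN_LOW
max_label=ADMIN_HIGH
host=127.0.0.1/32'

printf '%s\n' "$SAMPLE_TEMPLATES" | audit_templates
printf 'Templates reachable by any unassigned host: %s\n' \
    "$(printf '%s\n' "$SAMPLE_TEMPLATES" | wildcard_templates | tr '\n' ' ')"
```

On the default configuration the report names admin_low and adapt. Whether that is acceptable depends on the system: the wildcard is what lets boot-time servers and gateways be reached, so the fix is to add the hosts the system really needs to explicit templates and then restrict the wildcard, as described in How to Limit the Hosts That Can Be Contacted on the Trusted Network.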

How to Add Hosts to the System's Known Network

After you add hosts and groups of hosts to a system's /etc/hosts file, the hosts are known to the system. Only known hosts can be added to a security template.

Before You Begin

You are in the root role in the global zone.

  1. Add individual hosts to the /etc/hosts file.
    # pfedit /etc/hosts
    
    ...
    192.168.111.121   ahost
  2. Add a group of hosts to the /etc/hosts file.
    # pfedit /etc/hosts
    
    ...
    192.168.111.0   111-network
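Because only known hosts can be assigned to a security template, it is worth checking the precondition rather than discovering it when the template assignment fails. The following shell script is an added example, not part of the Oracle documentation: it parses an /etc/hosts-style file (ignoring comments and blank lines, matching the address column or any name column) and appends an entry only when neither the address nor the name is already mapped. The helper names and the sample file are assumptions made for this example; the procedure itself edits the real /etc/hosts with pfedit, which this script deliberately does not touch.

```shell
#!/bin/sh
# Added example (not from the Oracle documentation): check the "known host"
# precondition against an /etc/hosts-style file before a host is assigned to a
# security template, and append new entries without creating duplicates.
# The helper names and the sample file are assumptions made for this example;
# the procedure itself edits /etc/hosts with pfedit.

# hosts_known FILE TOKEN: succeed if TOKEN appears as the address or as one of
# the names on any non-comment line of FILE.
hosts_known() {
    sed 's/#.*//' "$1" | awk -v want="$2" '
        NF == 0 { next }
        { for (i = 1; i <= NF; i++) if ($i == want) { found = 1; exit } }
        END { if (found) exit 0; exit 1 }
    '
}

# add_known_host FILE ADDR NAME: append "ADDR NAME" unless either the address
# or the name is already mapped, so a re-run cannot create a second, conflicting
# mapping for the same name or address.
add_known_host() {
    file=$1; addr=$2; name=$3
    if hosts_known "$file" "$addr" || hosts_known "$file" "$name"; then
        echo "not adding $addr $name: address or name already present in $file" >&2
        return 1
    fi
    printf '%s\t%s\n' "$addr" "$name" >> "$file"
}

# Demonstration on a constructed hosts file (a temporary file, not /etc/hosts).
demo_hosts=$(mktemp)
printf '# constructed sample, not a real /etc/hosts\n127.0.0.1\tlocalhost loghost\n' > "$demo_hosts"
add_known_host "$demo_hosts" 192.168.111.121 ahost           # individual host
add_known_host "$demo_hosts" 192.168.111.0   111-network     # network entry
add_known_host "$demo_hosts" 192.168.111.121 bhost || true   # rejected: address reused
for h in ahost 111-network 192.168.111.121 loghost bhost; do
    if hosts_known "$demo_hosts" "$h"; then echo "$h: known"; else echo "$h: unknown"; fi
done
rm -f "$demo_hosts"
```

Run hosts_known against /etc/hosts with the name you intend to place in a template; a nonzero exit means the host is not yet known and the template assignment would not succeed until step 1 or step 2 above has been done.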