
Trusted Extensions Configuration and Administration


Updated: November 2020

Creating Security Templates

This section contains pointers to or examples of creating security templates for the following network configurations:

For more examples of security templates that address specific requirements, see Adding Hosts to Security Templates.

How to Create Security Templates

Before You Begin

You must be in the global zone in a role that can modify network security. For example, roles that are assigned the Information Security or Network Security rights profiles can modify security values. The Security Administrator role includes these rights profiles.

Note - For support purposes, do not alter or delete the default security templates.
  1. (Optional) Determine the hexadecimal version of any label other than ADMIN_HIGH and ADMIN_LOW.

    For labels such as CONFIDENTIAL, you can use either the label string or the hexadecimal value as the label value. The tncfg command accepts either format.

    # atohexlabel "confidential : internal use only"

    For more information, see How to Obtain the Hexadecimal Equivalent for a Label.

  2. Create a security template.

    The tncfg -t command provides three ways to create new templates.

    • Create a security template from scratch.

      Use the tncfg command in interactive mode. The info subcommand displays the values that are supplied by default. Press the Tab key to complete partial properties and values. Type exit to complete the template.

      # tncfg -t newunlabeled
      tncfg:newunlabeled> info
      tncfg:newunlabeled> set m<Tab>
      set max_label=    set min_label=        (auto-complete shows two possible completions)
      tncfg:newunlabeled> set ma<Tab>         (the user types the letter a)
      tncfg:newunlabeled> set max_label=ADMIN_LOW
      tncfg:newunlabeled> commit
      tncfg:newunlabeled> exit

      You can also supply the complete list of attributes for a security template on the command line. Semicolons separate the set subcommands. An omitted attribute receives the default value. For information about network security attributes, see Network Security Attributes in Trusted Extensions.

      # tncfg -t newunlabeled "set host_type=unlabeled;set doi=1; \
      set min_label=ADMIN_LOW;set max_label=ADMIN_LOW"

      The set subcommands are passed as one quoted argument; without the quotes, the shell would split the command at each semicolon.
    • Copy and modify an existing security template.
      # tncfg -t cipso
      tncfg:cipso> set name=newcipso
      tncfg:newcipso> info

      Hosts that are assigned to the existing security template are not copied to the new template.

    • Use a template file that the export subcommand creates.
      # tncfg -t unlab_1
      tncfg:unlab_1> set host_type=unlabeled
      tncfg:unlab_1> export -f template-file
      tncfg:unlab_1> exit
      # tncfg -f template-file

      For an example of creating a source template for importing, see the tncfg(8) man page.

Example 24  Creating a Security Template for a Gateway That Handles Packets at One Label

In this example, the security administrator defines a gateway that can only pass packets at the label PUBLIC.

# tncfg -t cipso_public
tncfg:cipso_public> set host_type=cipso
tncfg:cipso_public> set doi=1
tncfg:cipso_public> set min_label="public"
tncfg:cipso_public> set max_label="public"
tncfg:cipso_public> commit
tncfg:cipso_public> exit

The security administrator then adds the gateway host to the security template. For the addition, see Example 27, Creating a Gateway That Handles Packets at One Label.

Example 25  Creating an Unlabeled Security Template at the Label PUBLIC

In this example, the security administrator creates an unlabeled template for untrusted hosts that can receive and send packets at the PUBLIC label only. This template might be assigned to hosts whose file systems must be mounted at the PUBLIC label by Trusted Extensions systems.

# tncfg -t public
tncfg:public> set host_type=unlabeled
tncfg:public> set doi=1
tncfg:public> set def_label="public"
tncfg:public> set min_label="public"
tncfg:public> set max_label="public"
tncfg:public> commit
tncfg:public> exit

The security administrator then adds hosts to the security template. For the addition, see Example 38, Creating an Unlabeled Subnetwork at the Label PUBLIC.
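The following is an added example, not part of the Oracle documentation or of tncfg itself: it sanity-checks a planned template against the rules used in this procedure and in Examples 24 and 25 (a valid host_type, a numeric doi, max_label dominating min_label, and an unlabeled template carrying a def_label inside its range), then renders the template as the quoted one-line form of tncfg -t. Labels other than ADMIN_LOW and ADMIN_HIGH are ordered by the site's label_encodings file, which this script does not read, so it compares only those two endpoints and treats other pairs as unverifiable.

```python
# Added example (not Oracle's code): check a planned Trusted Extensions
# security template and render it for non-interactive tncfg.
import shlex

ADMIN_LOW, ADMIN_HIGH = "ADMIN_LOW", "ADMIN_HIGH"
HOST_TYPES = ("cipso", "unlabeled")   # host types used in this procedure


def dominates(upper, lower):
    """True/False when the order is known from the admin endpoints or
    equality; None when only label_encodings could decide the pair."""
    if upper == lower or upper == ADMIN_HIGH or lower == ADMIN_LOW:
        return True
    if upper == ADMIN_LOW or lower == ADMIN_HIGH:
        return False
    return None


def check_template(tmpl):
    """Return a list of problems; an empty list means the template is
    consistent with the rules described on this page."""
    problems = []
    if tmpl.get("host_type") not in HOST_TYPES:
        problems.append("host_type must be one of %s" % (HOST_TYPES,))
    if not isinstance(tmpl.get("doi"), int):
        problems.append("doi must be an integer")
    lo, hi = tmpl.get("min_label"), tmpl.get("max_label")
    if lo and hi and dominates(hi, lo) is False:
        problems.append("max_label %s does not dominate min_label %s" % (hi, lo))
    if tmpl.get("host_type") == "unlabeled":
        deflab = tmpl.get("def_label")
        if not deflab:
            problems.append("unlabeled templates need def_label")
        elif lo and hi and (dominates(hi, deflab) is False
                            or dominates(deflab, lo) is False):
            problems.append("def_label %s lies outside [%s, %s]" % (deflab, lo, hi))
    return problems


def tncfg_command(name, tmpl):
    """Render 'tncfg -t NAME "set ...;set ..."'. The set list is passed as a
    single shell-quoted argument so the shell does not split it at ';'.
    Values containing whitespace (multi-word label strings) get inner quotes."""
    def val(v):
        v = str(v)
        return '"%s"' % v if any(c.isspace() for c in v) else v
    sets = ";".join("set %s=%s" % (k, val(v)) for k, v in tmpl.items())
    return "tncfg -t %s %s" % (shlex.quote(name), shlex.quote(sets))
```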