Solaris Trusted Extensions Administrator's Procedures
Previous Next

Document Information

Preface

Part I Initial Configuration of Trusted Extensions

1.  Security Planning for Trusted Extensions

2.  Configuration Roadmap for Trusted Extensions

3.  Adding Solaris Trusted Extensions Software to the Solaris OS (Tasks)

4.  Configuring Trusted Extensions (Tasks)

5.  Configuring LDAP for Trusted Extensions (Tasks)

6.  Configuring a Headless System With Trusted Extensions (Tasks)

Part II Administration of Trusted Extensions

7.  Trusted Extensions Administration Concepts

8.  Trusted Extensions Administration Tools

9.  Getting Started as a Trusted Extensions Administrator (Tasks)

10.  Security Requirements on a Trusted Extensions System (Overview)

11.  Administering Security Requirements in Trusted Extensions (Tasks)

12.  Users, Rights, and Roles in Trusted Extensions (Overview)

13.  Managing Users, Rights, and Roles in Trusted Extensions (Tasks)

14.  Remote Administration in Trusted Extensions (Tasks)

15.  Trusted Extensions and LDAP (Overview)

16.  Managing Zones in Trusted Extensions (Tasks)

17.  Managing and Mounting Files in Trusted Extensions (Tasks)

18.  Trusted Networking (Overview)

19.  Managing Networks in Trusted Extensions (Tasks)

20.  Multilevel Mail in Trusted Extensions (Overview)

21.  Managing Labeled Printing (Tasks)

22.  Devices in Trusted Extensions (Overview)

23.  Managing Devices for Trusted Extensions (Tasks)

24.  Trusted Extensions Auditing (Overview)

25.  Software Management in Trusted Extensions (Tasks)

A.  Site Security Policy

Creating and Managing a Security Policy

Site Security Policy and Trusted Extensions

Computer Security Recommendations

Physical Security Recommendations

Personnel Security Recommendations

Common Security Violations

Additional Security References

B.  Using CDE Actions to Install Zones in Trusted Extensions

Associating Network Interfaces With Zones by Using CDE Actions (Task Map)

Preparing to Create Zones by Using CDE Actions (Task Map)

Creating Labeled Zones by Using CDE Actions (Task Map)

C.  Configuration Checklist for Trusted Extensions

Checklist for Configuring Trusted Extensions

D.  Quick Reference to Trusted Extensions Administration

Administrative Interfaces in Trusted Extensions

Solaris Interfaces Extended by Trusted Extensions

Tighter Security Defaults in Trusted Extensions

Limited Options in Trusted Extensions

E.  List of Trusted Extensions Man Pages

Trusted Extensions Man Pages in Alphabetical Order

Solaris Man Pages That Are Modified by Trusted Extensions

Glossary

Index

Associating Network Interfaces With Zones by Using CDE Actions (Task Map)

Do only one of the following tasks. For the trade-offs, see Planning for Multilevel Access.

Task

Description

For Instructions

Share a logical interface.

Map the global zone to one IP address, and map the labeled zones to a different IP address.

Specify Two IP Addresses for the System by Using a CDE Action

Share a physical interface.

Map all zones to one IP address.

Specify One IP Address for the System by Using a CDE Action

Specify Two IP Addresses for the System by Using a CDE Action

In this configuration, the host's address applies only to the global zone. Labeled zones share a second IP address with the global zone.

Before You Begin

You are superuser in the global zone. The system has already been assigned two IP addresses. You are in a Trusted CDE workspace.

  1. Navigate to the Trusted_Extensions folder.
    1. Click mouse button 3 on the background.
    2. From the Workspace menu, choose Applications → Application Manager.
    3. Double-click the Trusted_Extensions folder icon.

      This folder contains actions that set up interfaces, LDAP clients, and labeled zones.

  2. Double-click the Share Logical Interface action and answer the prompts.

    Note - The system must already have been assigned two IP addresses. For this action, provide the second address and a host name for that address. The second address is the shared address.

    Hostname:   Type the name for your labeled zones interface
IP Address: Type the IP address for the interface

    This action configures a host with more than one IP address. The IP address for the global zone is the name of the host. The IP address for a labeled zone has a different host name. In addition, the IP address for the labeled zones is shared with the global zone. When this configuration is used, labeled zones are able to reach a network printer.

    Tip - Use a standard naming convention for labeled zones. For example, add -zones to the host name.

  3. (Optional) In a terminal window, verify the results of the action.
    # ifconfig -a

    For example, the following output shows a shared logical interface, hme0:3 on network interface 192.168.0.12 for the labeled zones. The hme0 interface is the unique IP address of the global zone.

     lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
         inet 127.0.0.1 netmask ff000000 
         ether 0:0:00:00:00:0
 hme0: flags=1000843<BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
         inet 192.168.0.11 netmask fffffe00 broadcast 192.168.0.255
 hme0:3 flags=1000843<BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
         all-zones
         inet 192.168.0.12 netmask fffffe00 broadcast 192.168.0.255

    In the Solaris Express Community Edition. the loopback interface, lo0, is also an all-zones interface

      lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
         all-zones
         inet 127.0.0.1 netmask ff000000 
         ether 0:0:00:00:00:0
...

Specify One IP Address for the System by Using a CDE Action

In this configuration, the host's address applies to all the zones, including the labeled zones.

Before You Begin

You are superuser in the global zone. You are in a Trusted CDE workspace.

  1. Navigate to the Trusted_Extensions folder.
    1. Click mouse button 3 on the background.
    2. From the Workspace menu, choose Applications → Application Manager.
    3. Double-click the Trusted_Extensions folder icon.

      This folder contains actions that set up interfaces, LDAP clients, and labeled zones.

  2. Double-click the Share Physical Interface action.

    This action configures a host with one IP address. The global zone does not have a unique address. This system cannot be used as a multilevel print server or NFS server.

  3. (Optional) In a terminal window, verify the results of the action.
    # ifconfig -a

    The Share Physical Interface action configures all zones to have logical NICs. These logical NICs share a single physical NIC in the global zone.

    For example, the following output shows the shared physical interface, hme0 on network interface 192.168.0.11 for all the zones.

    lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
       inet 127.0.0.1 netmask ff000000
       ether 0:0:00:00:00:0
hme0: flags=1000843<BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
       all-zones
       inet 192.168.0.11 netmask fffffe00 broadcast 192.168.0.255

    In the Solaris Express Community Edition. the loopback interface, lo0, is also an all-zones interface

      lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
         all-zones
         inet 127.0.0.1 netmask ff000000 
         ether 0:0:00:00:00:0
...
Previous Next