Solaris Trusted Extensions Administrator's Procedures
Previous Next

Document Information

Preface

Part I Initial Configuration of Trusted Extensions

1.  Security Planning for Trusted Extensions

2.  Configuration Roadmap for Trusted Extensions

3.  Adding Solaris Trusted Extensions Software to the Solaris OS (Tasks)

4.  Configuring Trusted Extensions (Tasks)

5.  Configuring LDAP for Trusted Extensions (Tasks)

6.  Configuring a Headless System With Trusted Extensions (Tasks)

Part II Administration of Trusted Extensions

7.  Trusted Extensions Administration Concepts

8.  Trusted Extensions Administration Tools

9.  Getting Started as a Trusted Extensions Administrator (Tasks)

10.  Security Requirements on a Trusted Extensions System (Overview)

11.  Administering Security Requirements in Trusted Extensions (Tasks)

12.  Users, Rights, and Roles in Trusted Extensions (Overview)

13.  Managing Users, Rights, and Roles in Trusted Extensions (Tasks)

14.  Remote Administration in Trusted Extensions (Tasks)

15.  Trusted Extensions and LDAP (Overview)

16.  Managing Zones in Trusted Extensions (Tasks)

17.  Managing and Mounting Files in Trusted Extensions (Tasks)

18.  Trusted Networking (Overview)

19.  Managing Networks in Trusted Extensions (Tasks)

20.  Multilevel Mail in Trusted Extensions (Overview)

21.  Managing Labeled Printing (Tasks)

22.  Devices in Trusted Extensions (Overview)

23.  Managing Devices for Trusted Extensions (Tasks)

24.  Trusted Extensions Auditing (Overview)

Trusted Extensions and Auditing

Audit Management by Role in Trusted Extensions

Trusted Extensions Audit Reference

25.  Software Management in Trusted Extensions (Tasks)

A.  Site Security Policy

Creating and Managing a Security Policy

Site Security Policy and Trusted Extensions

Computer Security Recommendations

Physical Security Recommendations

Personnel Security Recommendations

Common Security Violations

Additional Security References

B.  Using CDE Actions to Install Zones in Trusted Extensions

Associating Network Interfaces With Zones by Using CDE Actions (Task Map)

Preparing to Create Zones by Using CDE Actions (Task Map)

Creating Labeled Zones by Using CDE Actions (Task Map)

C.  Configuration Checklist for Trusted Extensions

Checklist for Configuring Trusted Extensions

D.  Quick Reference to Trusted Extensions Administration

Administrative Interfaces in Trusted Extensions

Solaris Interfaces Extended by Trusted Extensions

Tighter Security Defaults in Trusted Extensions

Limited Options in Trusted Extensions

E.  List of Trusted Extensions Man Pages

Trusted Extensions Man Pages in Alphabetical Order

Solaris Man Pages That Are Modified by Trusted Extensions

Glossary

Index

Audit Management by Role in Trusted Extensions

Auditing in Trusted Extensions requires the same planning as in the Solaris OS. For details about planning, see Chapter 29, Planning for Solaris Auditing, in System Administration Guide: Security Services.

Role Setup for Audit Administration

In Trusted Extensions, auditing is the responsibility of two roles. The System Administrator role sets up the disks and the network of audit storage. The Security Administrator role decides what is to be audited, and specifies the information in the audit configuration files. As in the Solaris OS, you create the roles in software. The rights profiles for these two roles are provided. The initial setup team created the Security Administrator role during initial configuration. For details, see Create the Security Administrator Role in Trusted Extensions.

Note - A system only records the security-relevant events that the audit configuration files configure the system to record (that is, by preselection). Therefore, any subsequent audit review can only consider the events that have been recorded. As a result of misconfiguration, attempts to breach the security of the system can go undetected, or the administrator is unable to detect the user who is responsible for an attempted breach of security. Administrators must regularly analyze audit trails to check for breaches of security.

Audit Tasks in Trusted Extensions

The procedures to configure and manage auditing in Trusted Extensions differ slightly from Solaris procedures:

  • Audit configuration is performed in the global zone by one of two administrative roles. Then, the system administrator copies specific customized audit files from the global zone to every labeled zone. By following this procedure, user actions are audited identically in the global zone and in labeled zones.

    For details, see Audit Tasks of the Security Administrator and Audit Tasks of the System Administrator

  • Trusted Extensions administrators use a trusted editor to edit audit configuration files. In Trusted CDE, Trusted Extensions administrators use CDE actions to invoke the trusted editor. For the list of actions, see Trusted CDE Actions.

  • Trusted Extensions administrators use the Solaris Management Console to configure specific users. User-specific audit characteristics can be specified in this tool. Specifying user characteristics is only required when the user's audit characteristics differ from the audit characteristics of the systems on which the user works. For an introduction to the tool, see Solaris Management Console Tools.

Audit Tasks of the Security Administrator

The following tasks are security-relevant, and are therefore the responsibility of the security administrator. Follow the Solaris instructions, but use the Trusted Extensions administrative tools.

Task

For Solaris Instructions

Trusted Extensions Instructions

Configure audit files.

Configuring Audit Files (Task Map) in System Administration Guide: Security Services

Use the trusted editor. For details, see How to Edit Administrative Files in Trusted Extensions.

(Optional) Change default audit policy.

How to Configure Audit Policy in System Administration Guide: Security Services

Use the trusted editor.

Disable and re-enable auditing.

How to Disable the Auditing Service in System Administration Guide: Security Services

Auditing is enabled by default.

Manage auditing.

Solaris Auditing (Task Map) in System Administration Guide: Security Services

Use the trusted editor.

Ignore per-zone audit tasks.

Audit Tasks of the System Administrator

The following tasks are the responsibility of the system administrator. Follow the Solaris instructions, but use the Trusted Extensions administrative tools.

Task

For Solaris Instructions

Trusted Extensions Instructions

Create audit partitions and an audit administration server, export audit partitions, and mount audit partitions.

Create an audit_warn alias.

Configuring and Enabling the Auditing Service (Tasks) in System Administration Guide: Security Services

Perform all administration in the global zone.

Use the trusted editor.

Copy or loopback mount customized audit files to labeled zones.

Configuring the Auditing Service in Zones (Tasks) in System Administration Guide: Security Services

Copy the files to the first labeled zone, then copy the zone.

Or, loopback mount or copy the files to every labeled zone after the zones are created.

(Optional) Distribute audit configuration files.

No instructions

See How to Copy Files From Portable Media in Trusted Extensions

Manage auditing.

Solaris Auditing (Task Map) in System Administration Guide: Security Services

Ignore per-zone audit tasks.

Select audit records by label.

How to Select Audit Events From the Audit Trail in System Administration Guide: Security Services

To select records by label, use the auditreduce command with the -l option.
Previous Next