Solaris Trusted Extensions Administrator's Procedures
Previous Next

Document Information

Preface

Part I Initial Configuration of Trusted Extensions

1.  Security Planning for Trusted Extensions

2.  Configuration Roadmap for Trusted Extensions

3.  Adding Solaris Trusted Extensions Software to the Solaris OS (Tasks)

4.  Configuring Trusted Extensions (Tasks)

5.  Configuring LDAP for Trusted Extensions (Tasks)

6.  Configuring a Headless System With Trusted Extensions (Tasks)

Part II Administration of Trusted Extensions

7.  Trusted Extensions Administration Concepts

8.  Trusted Extensions Administration Tools

9.  Getting Started as a Trusted Extensions Administrator (Tasks)

10.  Security Requirements on a Trusted Extensions System (Overview)

11.  Administering Security Requirements in Trusted Extensions (Tasks)

12.  Users, Rights, and Roles in Trusted Extensions (Overview)

13.  Managing Users, Rights, and Roles in Trusted Extensions (Tasks)

14.  Remote Administration in Trusted Extensions (Tasks)

15.  Trusted Extensions and LDAP (Overview)

16.  Managing Zones in Trusted Extensions (Tasks)

17.  Managing and Mounting Files in Trusted Extensions (Tasks)

18.  Trusted Networking (Overview)

19.  Managing Networks in Trusted Extensions (Tasks)

20.  Multilevel Mail in Trusted Extensions (Overview)

21.  Managing Labeled Printing (Tasks)

22.  Devices in Trusted Extensions (Overview)

23.  Managing Devices for Trusted Extensions (Tasks)

24.  Trusted Extensions Auditing (Overview)

25.  Software Management in Trusted Extensions (Tasks)

A.  Site Security Policy

Creating and Managing a Security Policy

Site Security Policy and Trusted Extensions

Computer Security Recommendations

Physical Security Recommendations

Personnel Security Recommendations

Common Security Violations

Additional Security References

B.  Using CDE Actions to Install Zones in Trusted Extensions

Associating Network Interfaces With Zones by Using CDE Actions (Task Map)

Preparing to Create Zones by Using CDE Actions (Task Map)

Creating Labeled Zones by Using CDE Actions (Task Map)

C.  Configuration Checklist for Trusted Extensions

Checklist for Configuring Trusted Extensions

D.  Quick Reference to Trusted Extensions Administration

Administrative Interfaces in Trusted Extensions

Solaris Interfaces Extended by Trusted Extensions

Tighter Security Defaults in Trusted Extensions

Limited Options in Trusted Extensions

E.  List of Trusted Extensions Man Pages

Trusted Extensions Man Pages in Alphabetical Order

Solaris Man Pages That Are Modified by Trusted Extensions

Glossary

Index

Glossary

accreditation range

A set of sensitivity labels that are approved for a class of users or resources. A set of valid labels. See also system accreditation range and user accreditation range.

administrative role

A role that gives required authorizations, privileged commands, privileged actions, and the Trusted Path security attribute to allow the role to perform administrative tasks. Roles perform a subset of Solaris superuser's capabilities, such as backup or auditing.

allocation

A mechanism by which access to a device is controlled. See device allocation.

application search path

In CDE, the search path is used by the system to find applications and certain configuration information. The application search path is controlled by a trusted role.

authorization

A right granted to a user or role to perform an action that would otherwise not be allowed by security policy. Authorizations are granted in rights profiles. Certain commands require the user to have certain authorizations to succeed. For example, to print a PostScript file requires the Print Postscript authorization.

CDE

See Common Desktop Environment.

CIPSO label

Common IP Security Option. CIPSO is the label standard that Trusted Extensions implements.

classification

The hierarchical component of a clearance or a label. A classification indicates a hierarchical level of security, for example, TOP SECRET or UNCLASSIFIED.

clearance

The upper limit of the set of labels at which a user can work. The lower limit is the minimum label that is assigned by the security administrator. A clearance can be one of two types, a session clearance or a user clearance.

client

A system connected to a network.

closed network

A network of systems that are configured with Trusted Extensions. The network is cut off from any non-Trusted Extensions host. The cutoff can be physical, where no wire extends past the Trusted Extensions network. The cutoff can be in the software, where the Trusted Extensions hosts recognize only Trusted Extensions hosts. Data entry from outside the network is restricted to peripherals attached to Trusted Extensions hosts. Contrast with open network.

Common Desktop Environment

The historical windowing environment for administering Trusted Extensions software. Trusted Extensions modifies the environment to create Trusted CDE. The GNOME desktop is also modified to create a Trusted GNOME desktop.

compartment

A nonhierarchical component of a label that is used with the classification component to form a clearance or a label. A compartment represents a collection of information, such as would be used by an engineering department or a multidisciplinary project team.

.copy_files file

An optional setup file on a multilabel system. This file contains a list of startup files, such as .cshrc or .mozilla, that the user environment or user applications require in order for the system or application to behave well. The files that are listed in .copy_files are then copied to the user's home directory at higher labels, when those directories are created. See also .link_files file.

DAC

See discretionary access control.

device

Devices include printers, computers, tape drives, floppy drives, CD-ROM drives, DVD drives, audio devices, and internal pseudo terminal devices. Devices are subject to the read equal write equal MAC policy. Access to removable devices, such as DVD drives, are controlled bydevice allocation.

device allocation

A mechanism for protecting the information on an allocatable device from access by anybody except the user who allocates the device. Until a device is deallocated, no one but the user who allocated a device can access any information that is associated with the device. For a user to allocate a device, that user must have been granted the Device Allocation authorization by the security administrator.

discretionary access control

The type of access that is granted or that is denied by the owner of a file or directory at the discretion of the owner. Solaris Trusted Extensions provides two kinds of discretionary access controls (DAC), UNIX permission bits and ACLs.

domain

A part of the Internet naming hierarchy. It represents a group of systems on a local network that share administrative files.

domain name

The identification of a group of systems on a local network. A domain name consists of a sequence of component names separated by periods (for example: example1.town.state.country.org). As you read a domain name from left to right, the component names identify more general, and usually remote, areas of administrative authority.

domain of interpretation (DOI)

On a Solaris system that is configured with Trusted Extensions, the domain of interpretation is used to differentiate between different label_encodings files that might have similar labels defined. The DOI is a set of rules that translates the security attributes on network packets to the representation of those security attributes by the local label_encodings file. When systems have the same DOI, they share that set of rules and can translate the labeled network packets.

evaluated configuration

One or more Trusted Extensions hosts that are running in a configuration that has been certified as meeting specific criteria by a certification authority. In the United States, those criteria are the TCSEC. The evaluating and certifying body is the NSA. Trusted Extensions software that is configured on the Solaris 10 11/06 release is certified to the Common Criteria v2.3 [August 2005], an ISO standard, to Evaluation Assurance Level (EAL) 4, and against a number of protection profiles.

The Common Criteria v2 (CCv2) and protection profiles make the earlier TCSEC U.S. standard obsolete through level B1+. A mutual recognition agreement for CCv2 has been signed by the United States, the United Kingdom, Canada, Denmark, the Netherlands, Germany, and France.

The Trusted Extensions configuration target provides functionality that is similar to the TCSEC C2 and B1 levels, with some additional functionality.

file system

A collection of files and directories that, when set into a logical hierarchy, make up an organized, structured set of information. File systems can be mounted from your local system or a remote system.

GFI

Government Furnished Information. In this manual, it refers to a U.S. government-provided label_encodings file. In order to use a GFI with Trusted Extensions software, you must add the Sun-specific LOCAL DEFINITIONS section to the end of the GFI. For details, see Chapter 5, Customizing LOCAL DEFINITIONS, in Solaris Trusted Extensions Label Administration.

host name

The name by which a system is known to other systems on a network. This name must be unique among all the systems within a given domain. Usually, a domain identifies a single organization. A host name can be any combination of letters, numbers, and minus sign (−), but it cannot begin or end with a minus sign.

initial label

The minimum label assigned to a user or role, and the label of the user's initial workspace. The initial label is the lowest label at which the user or role can work.

initial setup team

A team of at least two people who together oversee the enabling and configuration of Solaris Trusted Extensions software. One team member is responsible for security decisions, and the other for system administration decisions.

IP address

Internet protocol address. A unique number that identifies a networked system so it can communicate by means of Internet protocols. In IPv4, the address consists of four numbers separated by periods. Most often, each part of the IP address is a number between 0 and 225. However, the first number must be less than 224 and the last number cannot be 0.

IP addresses are logically divided into two parts: the network, and the system on the network. The network number is similar to a telephone area code. In relation to the network, the system number is similar to a phone number.

label

A security identifier that is assigned to an object. The label is based on the level at which the information in that object should be protected. Depending on how the security administrator has configured the user, a user can see the sensitivity label, or no labels at all. Labels are defined in the label_encodings file.

label configuration

A Trusted Extensions installation choice of single-label or multilabel sensitivity labels. In most circumstances, label configuration is identical on all systems at your site.

label_encodings file

The file where the complete sensitivity label is defined, as are accreditation ranges, label view, default label visibility, default user clearance, and other aspects of labels.

label range

A set of sensitivity labels that are assigned to commands, zones, and allocatable devices. The range is specified by designating a maximum label and a minimum label. For commands, the minimum and maximum labels limit the labels at which the command can be executed. Remote hosts that do not recognize labels are assigned a single sensitivity label, as are any other hosts that the security administrator wants to restrict to a single label. A label range limits the labels at which devices can be allocated and restrict the labels at which information can be stored or processed when using the device.

label relationships

On a Solaris system that is configured with Trusted Extensions, a label can dominate another label, be equal to another label, or be disjoint from another label. For example, the label Top Secret dominates the label Secret. For two systems with the same domain of interpretation (DOI), the label Top Secret on one system is equal to the label Top Secret on the other system.

label set

See security label set.

labeled host

A labeled system that is part of a trusted network of labeled systems.

labeled system

A labeled system is a system that is running a multilevel operating system, such as Trusted Extensions or SELinux with MLS enabled. The system can send and receive network packets that are labeled with a Common IP Security Option (CIPSO) in the header of the packet.

labeled zone

On a Solaris system that is configured with Trusted Extensions, every zone is assigned a unique label. Although the global zone is labeled, labeled zone typically refers to a non-global zone that is assigned a label. Labeled zones have two different characteristics from non-global zones on a Solaris system that is not configured with labels. First, labeled zones must use the same pool of user IDs and group IDs. Second, labeled zones can share IP addresses.

.link_files file

An optional setup file on a multilabel system. This file contains a list of startup files, such as .cshrc or .mozilla, that the user environment or user applications require in order for the system or application to behave well. The files that are listed in .link_files are then linked to the user's home directory at higher labels, when those directories are created. See also .copy_files file.

MAC

See mandatory access control.

mandatory access control

Access control that is based on comparing the sensitivity label of a file, directory, or device to the sensitivity label of the process that is trying to access it. The MAC rule, read equal–read down, applies when a process at one label attempts to read a file at a lower label. The MAC rule, write equal-read down, applies when a process at one label attempts to write to a directory at another label.

minimum label

The lower bound of a user's sensitivity labels and the lower bound of the system's sensitivity labels. The minimum label set by the security administrator when specifying a user's security attributes is the sensitivity label of the user's first workspace at first login. The sensitivity label that is specified in the minimum label field by the security administrator in the label_encodings file sets the lower bound for the system.

multilevel desktop

On a Solaris system that is configured with Trusted Extensions, users can run a desktop at a particular label. If the user is authorized to work at more than one label, the user can create a separate workspace to work at each label. On this multilevel desktop, authorized users can cut and paste between windows at different labels, receive mail at different labels, and view and use labeled windows in workspaces of a different label.

multilevel port (MLP)

On a Solaris system that is configured with Trusted Extensions, an MLP is used to provide multilevel service in a zone. By default, the X server is a multilevel service that is defined in the global zone. An MLP is specified by port number and protocol. For example, the MLP of the X server for the multilevel desktop is specified by 6000-6003 and TCP.

naming service

A distributed network database that contains key system information about all the systems on a network, so that the systems can communicate with each other. With a naming service, the system information can be maintained, managed, and accessed on a network-wide basis. Sun supports the LDAP naming service. Without such a service, each system has to maintain its own copy of the system information in the local /etc files.

networked systems

A group of systems that are connected through hardware and software, sometimes referred to as a local area network (LAN). One or more servers are usually needed when systems are networked.

non-networked systems

Computers that are not connected to a network or do not rely on other hosts.

open network

A network of Solaris Trusted Extensions hosts that is connected physically to other networks and that uses Trusted Extensions software to communicate with non-Trusted Extensions hosts. Contrast with closed network.

outside the evaluated configuration

When software that has been proved to be able satisfy the criteria for an evaluated configuration, is configured with settings that do not satisfy security criteria, the software is described as being outside the evaluated configuration.

permission bits

A type of discretionary access control in which the owner specifies a set of bits to signify who can read, write, or execute a file or directory. Three different sets of permissions are assigned to each file or directory: one set for the owner, one set for the owner's group, and one set for all others.

primary administrator

The person who is entrusted to create new rights profiles for the organization, and to fix machine difficulties that are beyond the power of the security administrator and system administrator combined. This role should be assumed rarely. After initial security configuration, more secure sites can choose not to create this role, and not to assign any role the Primary Administrator profile.

privilege

Powers that are granted to a process that is executing a command. The full set of privileges describes the full capabilities of the system, from basic capabilities to administrative capabilities. Privileges that bypass security policy, such as setting the clock on a system, can be granted by a site's security administrator.

process

An action that executes a command on behalf of the user who invokes the command. A process receives a number of security attributes from the user, including the user ID (UID), the group ID (GID), the supplementary group list, and the user's audit ID (AUID). Security attributes received by a process include any privileges that are available to the command being executed and the sensitivity label of the current workspace.

profile shell

A special shell that recognizes privileges. A profile shell typically limits users to fewer commands, but can allow these commands to run with privilege. The profile shell is the default shell of a trusted role.

remote host

A different system than the local system. A remote host can be an unlabeled host or a labeled host.

rights profile

A bundling mechanism for commands and CDE actions and for the security attributes that are assigned to these executables. Rights profiles allow Solaris administrators to control who can execute which commands and to control the attributes these commands have when they are executed. When a user logs in, all rights assigned to that user are in effect, and the user has access to all the commands, CDE actions, and authorizations assigned in all of that user's rights profiles.

role

A role is like a user, except that a role cannot log in. Typically, a role is used to assign administrative capabilities. Roles are limited to a particular set of commands and CDE actions. See administrative role.

security administrator

In an organization where sensitive information must be protected, the person or persons who define and enforce the site's security policy. These persons are cleared to access all information that is being processed at the site. In software, the Security Administrator administrative role is assigned to one or more individuals who have the proper clearance. These administrators configure the security attributes of all users and hosts so that the software enforces the site's security policy. In contrast, see system administrator.

security attribute

An attribute that is used to enforce Trusted Extensions security policy. Various sets of security attributes are assigned to processes, users, zones, hosts, allocatable devices, and other objects.

security label set

Specifies a discrete set of security labels for a tnrhtp database entry. Hosts that are assigned to a template with a security label set can send and receive packets that match any one of the labels in the label set.

security policy

On a Trusted Extensions host, the set of DAC, MAC, and labeling rules that define how information can be accessed. At a customer site, the set of rules that define the sensitivity of the information being processed at that site and the measures that are used to protect the information from unauthorized access.

sensitivity label

A security label that is assigned to an object or a process. The label is used to limit access according to the security level of the data that is contained.

separation of duty

The security policy that two administrators or roles be required to create and authenticate a user. One administrator or role is responsible for creating the user, the user's home directory, and other basic administration. The other administrator or role is responsible for the user's security attributes, such as the password and the label range.

Solaris Management Console

A Java-based administrative GUI that contains toolboxes of administrative programs. In Trusted CDE, this GUI can be launched from the Application Manager. Most system, network, and user administration is done by using the Console toolboxes.

system

Generic name for a computer. After installation, a system on a network is often referred to as a host.

system accreditation range

The set of all valid labels that are created according to the rules that the security administrator defines in the label_encodings file, plus the two administrative labels that are used on every system that is configured with Trusted Extensions. The administrative labels are ADMIN_LOW and ADMIN_HIGH.

system administrator

In Trusted Extensions, the trusted role assigned to the user or users who are responsible for performing standard system management tasks such as setting up the non-security-relevant portions of user accounts. In contrast, see security administrator.

tnrhdb database

The trusted network remote host database. This database assigns a set of label characteristics to a remote host. The database is accessible either as a file in /etc/security/tsol/tnrhdb or from the LDAP server.

tnrhtp database

The trusted network remote host template. This database defines the set of label characteristics that a remote host can be assigned. The database is accessible either as a file in /etc/security/tsol/tnrhtp, or from the LDAP server.

toolbox

A collection of programs in the Solaris Management Console. On a Trusted Extensions host, administrators use Policy=TSOL toolboxes. Each toolbox has programs that are usable in the scope of the toolbox. For example, the Trusted Network Zones tool, which handles the system's tnzonecfg database, exists only in the Files toolbox, because its scope is always local. The User Accounts program exists in all toolboxes. To create a local user, the administrator uses the Files toolbox, and to create a network user, the administrator uses the LDAP toolbox.

trusted editor

On a Solaris system that is configured with Trusted Extensions, the trusted editor is used to create and modify administrative files. The file name cannot be changed by the editor. Also, use of the editor is audited and shell escape commands are disabled. In Trusted CDE, the Admin Editor action starts the trusted editor. In Trusted GNOME, the /usr/dt/bin/trusted_edit command starts the trusted editor.

Trusted Network databases

tnrhtp, the trusted network remote host template and tnrhdb, the trusted network remote host database together define the remote hosts that a Trusted Extensions system can communicate with.

trusted path

On a Solaris system that is configured with Trusted Extensions, the trusted path is a reliable, tamper-proof way to interact with the system. The trusted path is used to ensure that administrative functions cannot be compromised. User functions that must be protected, such as changing a password, also use the trusted path. When the trusted path is active, the desktop displays a tamper-proof indicator.

trusted role

See administrative role.

trusted stripe

A region that cannot be spoofed. In Trusted CDE, the trusted stripe is at the bottom of the screen, and in Trusted GNOME the stripe is at the top. The stripe provides visual feedback about the state of the window system: a trusted path indicator and window sensitivity label. When sensitivity labels are configured to not be viewable for a user, the trusted stripe is reduced to an icon that displays only the trusted path indicator.

txzonemgr script

The /usr/sbin/txzonemgr script provides a simple GUI for managing labeled zones. The script also provides menu items for networking options, name services options, and for clienting the global zone to an existing LDAP server. txzonemgr is run by root in the global zone.

unlabeled host

A networked system that sends unlabeled network packets, such as a system that is running the Solaris OS.

unlabeled system

To a Solaris system that is configured with Trusted Extensions, an unlabeled system is a system that is not running a multilevel operating system, such as Trusted Extensions or SELinux with MLS enabled. An unlabeled system does not send labeled packets. If the communicating Trusted Extensions system has assigned to the unlabeled system a single label, then network communication between the Trusted Extensions system and the unlabeled system happens at that label. An unlabeled system is also called a “single-level system”.

user accreditation range

The set of all possible labels at which a regular user can work on the system. The site's security administrator specifies the range in the label_encodings file file. The rules for well-formed labels that define the system accreditation range are additionally restricted by the values in the ACCREDITATION RANGE section of the file: the upper bound, the lower bound, the combination constraints and other restrictions.

user clearance

The clearance assigned by the security administrator that sets the upper bound of the set of labels at which a user can work at any time. The user can decide to accept the default, or can further restrict that clearance during any particular login session.
Previous Next