Solaris Trusted Extensions Administrator's Procedures

Adding Network Interfaces and Routing to Labeled Zones

The following tasks support environments where each zone is connected to a separate physical network.

Task: EITHER 1a. Add a network interface to each labeled zone and use the global zone to reach the external network.
Description: Connects each labeled zone to a separate physical network. The labeled zones use the network routing that the global zone provides.
For Instructions: Add a Network Interface to Route an Existing Labeled Zone

Task: OR 1b. Add a network interface to each labeled zone with a default route.
Description: Connects each zone to a separate physical network. The labeled zones do not use the global zone for routing.
For Instructions: Add a Network Interface That Does Not Use the Global Zone to Route an Existing Labeled Zone

Task: 2. Create a name service cache in each labeled zone.
Description: Configures a name service daemon for each zone.
For Instructions: Configure a Name Service Cache in Each Labeled Zone

Add a Network Interface to Route an Existing Labeled Zone

This procedure adds zone-specific network interfaces to existing labeled zones. This configuration supports environments where each labeled zone is connected to a separate physical network. The labeled zones use the network routing that the global zone provides.


Note - The global zone must configure an IP address for every subnet in which a non-global zone address is configured.


Before You Begin

You are superuser in the global zone.

For every zone, you have completed the tasks in Creating Labeled Zones.

  1. In the global zone, type the IP addresses and hostnames for the additional network interfaces into the /etc/hosts file.

    Use a standard naming convention, such as adding -zone-name to the name of the host.

    ## /etc/hosts in global zone
    10.10.8.2   hostname-zone-name1
    10.10.8.3   hostname-global-name1
    10.10.9.2   hostname-zone-name2
    10.10.9.3   hostname-global-name2
  2. For the network for each interface, add entries to the /etc/netmasks file.
    ## /etc/netmasks in global zone
    10.10.8.0 255.255.255.0
    10.10.9.0 255.255.255.0

    For more information, see the netmasks(4) man page.

  3. In the global zone, plumb the zone-specific physical interfaces.
    1. Identify the physical interfaces that are already plumbed.
      # ifconfig -a
    2. Configure the global zone addresses on each interface.
      # ifconfig interface-nameN1 plumb
      # ifconfig interface-nameN1 10.10.8.3 up
      # ifconfig interface-nameN2 plumb
      # ifconfig interface-nameN2 10.10.9.3 up
    3. For each global zone address, create a /etc/hostname.interface-nameN file that contains that address, so that the address is configured at boot.
      /etc/hostname.interface-nameN1 contains:
      10.10.8.3
      /etc/hostname.interface-nameN2 contains:
      10.10.9.3

    The global zone addresses are configured immediately upon system startup. The zone-specific addresses are configured when the zone is booted.

  4. Assign a security template to each zone-specific network interface.

    If the gateway to the network is not configured with labels, assign the admin_low security template. If the gateway to the network is labeled, assign a cipso security template.

    You can create security templates of host type cipso that reflect the label of every network. For the procedures to create and assign the templates, see Configuring Trusted Network Databases (Task Map).

  5. Halt every labeled zone to which you plan to add a zone-specific interface.
    # zoneadm -z zone-name halt
  6. Start the Labeled Zone Manager.
    # /usr/sbin/txzonemgr
  7. For each zone where you want to add a zone-specific interface, do the following:
    1. Select the zone.
    2. Select Add Network.
    3. Name the network interface.
    4. Type the IP address of the interface.
  8. In the Labeled Zone Manager for every completed zone, select Zone Console.
  9. Select Boot.
  10. In the Zone Console, verify that the interfaces have been created.
    # ifconfig -a
  11. Verify that the zone has a route to the gateway for the subnet.
    # netstat -rn
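As an added example that is not part of this guide, the following POSIX shell script checks a planned address layout for steps 1 through 3 against the note above (the global zone must configure an address on every subnet in which a zone address is configured) and generates the /etc/hosts and /etc/netmasks lines the procedure asks for. The plan format (kind|hostname|address|netmask) is this example's own convention, the hostnames are the ones used on this page, and the third zone address is a constructed case placed on a subnet the global zone does not serve, so the check must report it.

```shell
#!/bin/sh
# Added example, not from the Trusted Extensions documentation: a pre-flight
# check for the note that the global zone must have an address on every subnet
# in which a zone address is configured, plus generation of the /etc/hosts and
# /etc/netmasks lines. The plan format (kind|hostname|address|netmask) is this
# example's own convention, not a Solaris file format.

# Constructed plan. The third zone address sits on 10.10.10.0/24, a subnet on
# which the global zone has no address, so the check must report it.
PLAN='global|hostname-global-name1|10.10.8.3|255.255.255.0
zone|hostname-zone-name1|10.10.8.2|255.255.255.0
global|hostname-global-name2|10.10.9.3|255.255.255.0
zone|hostname-zone-name2|10.10.9.2|255.255.255.0
zone|hostname-zone-name3|10.10.10.2|255.255.255.0'

# Dotted quad to 32-bit integer. Runs in a subshell so the IFS change does
# not leak into the caller.
ip2int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# 32-bit integer back to dotted quad.
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Network address of address/netmask: network_of 10.10.8.2 255.255.255.0 -> 10.10.8.0
network_of() {
    int2ip $(( $(ip2int "$1") & $(ip2int "$2") ))
}

# Lines for /etc/hosts in the global zone: one per address in the plan.
hosts_entries() {
    echo "$PLAN" | while IFS='|' read -r kind host addr mask; do
        printf '%s\t%s\n' "$addr" "$host"
    done
}

# Lines for /etc/netmasks: one per distinct subnet.
netmasks_entries() {
    echo "$PLAN" | while IFS='|' read -r kind host addr mask; do
        echo "$(network_of "$addr" "$mask") $mask"
    done | sort -u
}

# One line per zone address whose subnet has no global-zone address; prints
# nothing when the plan satisfies the note.
uncovered_zone_subnets() {
    echo "$PLAN" | while IFS='|' read -r kind host addr mask; do
        if [ "$kind" = zone ]; then
            net=$(network_of "$addr" "$mask")
            covered=$(echo "$PLAN" | while IFS='|' read -r k h a m; do
                if [ "$k" = global ] && [ "$(network_of "$a" "$m")" = "$net" ]; then
                    echo yes
                fi
            done)
            if [ -z "$covered" ]; then
                echo "$host ($addr) is on $net/$mask but the global zone has no address there"
            fi
        fi
    done
}

# Exit status 0 when every zone subnet is covered, 1 otherwise.
check_subnet_coverage() {
    [ -z "$(uncovered_zone_subnets)" ]
}

# Stand-alone run: print the generated entries and the coverage verdict.
echo '## /etc/hosts'; hosts_entries
echo '## /etc/netmasks'; netmasks_entries
if check_subnet_coverage; then
    echo 'OK: every zone subnet has a global-zone address'
else
    uncovered_zone_subnets
fi
```

Run the script before halting the zones; a zone address on a subnet without a global-zone address would boot without a route, because in this configuration the zone relies on the global zone's routing for that subnet.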
Troubleshooting

To debug zone configuration, see the following:

Add a Network Interface That Does Not Use the Global Zone to Route an Existing Labeled Zone

This procedure sets zone-specific default routes for existing labeled zones. In this configuration, the labeled zones do not use the global zone for routing.

The labeled zone's interface must be plumbed in the global zone before the zone is booted. However, to isolate the labeled zone from the global zone, the interface must be in the down state, with no global-zone address, when the zone is booted. For more information, see Chapter 17, Non-Global Zone Configuration (Overview), in System Administration Guide: Virtualization Using the Solaris Operating System.


Note - A unique default route must be configured for every non-global zone that is booted.


Before You Begin

You are superuser in the global zone.

For every zone, you have completed the tasks in Creating Labeled Zones. You are using either the vni0 interface or the lo0 interface to connect the labeled zones to the global zone.

  1. For every network interface, determine its IP address, netmask, and default router.

    Use the ifconfig -a command to determine the IP address and netmask. Use the zonecfg -z zonename info net command to determine if a default router has been assigned.

  2. Create an empty /etc/hostname.interface file for each labeled zone interface.
    # touch /etc/hostname.interface
    # touch /etc/hostname.interface:n

    An empty file causes the interface to be plumbed at boot without an address, so the interface stays down in the global zone until the zone that owns the address is booted. For more information, see the ifconfig(1M) man page.

  3. Plumb the network interfaces of the labeled zones.
    # ifconfig zone1-network-interface plumb
    # ifconfig zone2-network-interface plumb
  4. Verify that the labeled zone's interfaces are in the down state.
    # ifconfig -a
    zone1-network-interface zone1-IP-address down
    zone2-network-interface zone2-IP-address down

    The zone-specific addresses are configured when the zone is booted.

  5. For the network for each interface, add entries to the /etc/netmasks file.
    ## /etc/netmasks in global zone
    192.168.2.0 255.255.255.0
    192.168.3.0 255.255.255.0

    For more information, see the netmasks(4) man page.

  6. Assign a security template to each zone-specific network interface.

    Create security templates of host type cipso that reflect the label of every network. To create and assign the templates, see Configuring Trusted Network Databases (Task Map).

  7. Run the txzonemgr script, and open a separate terminal window.

    In the Labeled Zone Manager, you will add the network interfaces for the labeled zones. In the terminal window, you will display information about the zone and set the default router.

  8. For every zone to which you are going to add a zone-specific network interface and router, complete the following steps:
    1. In the terminal window, halt the zone.
      # zoneadm -z zone-name halt
    2. In the Labeled Zone Manager, do the following:
      1. Select the zone.
      2. Select Add Network.
      3. Name the network interface.
      4. Type the IP address of the interface.
    3. In the terminal window, verify the zone configuration.
      # zonecfg -z zone-name info net
      net:   address: IP-address
             physical: zone-network-interface
             defrouter not specified
    4. In the terminal window, configure the default router for the labeled zone's network. The router-address must be on the same subnet as IP-address.
      # zonecfg -z zone-name
      zonecfg:zone-name> select net address=IP-address
      zonecfg:zone-name:net> set defrouter=router-address
      zonecfg:zone-name:net> end
      zonecfg:zone-name> verify
      zonecfg:zone-name> commit
      zonecfg:zone-name> exit
      #

      For more information, see the zonecfg(1M) man page and How to Configure the Zone in System Administration Guide: Virtualization Using the Solaris Operating System.

    5. Boot the labeled zone.
      # zoneadm -z zone-name boot
    6. In the global zone, verify that the labeled zone has a route to the gateway for the subnet.
      # netstat -rn

      A routing table is displayed. The destination and interface for the labeled zone is different from the entry for the global zone.

  9. To remove the default route, select the zone's IP address, clear the defrouter property, then commit the change.
    # zonecfg -z zone-name
    zonecfg:zone-name> select net address=zone-IP-address
    zonecfg:zone-name:net> clear defrouter
    zonecfg:zone-name:net> info net
    net:
       address: zone-IP-address
       physical: zone-network-interface
       defrouter not specified
    zonecfg:zone-name:net> end
    zonecfg:zone-name> commit
    zonecfg:zone-name> exit

    The change takes effect the next time the zone is booted.
Example 4-5 Setting a Default Route for a Labeled Zone

In this example, the administrator routes the Secret zone to a separate physical subnet. Traffic to and from the Secret zone is not routed through the global zone. The administrator uses the Labeled Zone Manager and the zonecfg command, then verifies that routing works.

The administrator determines that qfe1 and qfe1:0 are not currently in use, and creates a mapping for two labeled zones. qfe1 is the designated interface for the Secret zone.

Interface IP Address    Netmask        Default Router
qfe1     192.168.2.22 255.255.255.0 192.168.2.2
qfe1:0   192.168.3.33 255.255.255.0 192.168.3.3

First, the administrator creates the /etc/hostname.qfe1 file and configures the /etc/netmasks file.

# touch /etc/hostname.qfe1
# cat /etc/netmasks
## /etc/netmasks in global zone
192.168.2.0 255.255.255.0

Then, the administrator plumbs the network interface and verifies that the interface is down.

# ifconfig qfe1 plumb
# ifconfig -a

Then, in the Solaris Management Console, the administrator creates a security template with a single label, Secret, and assigns the IP address of the interface to the template.

The administrator halts the zone.

# zoneadm -z secret halt

The administrator runs the txzonemgr script to open the Labeled Zone Manager.

# /usr/sbin/txzonemgr

In the Labeled Zone Manager, the administrator selects the Secret zone, selects Add Network, names the qfe1 interface, and types its IP address, 192.168.2.22. The administrator closes the Labeled Zone Manager.

On the command line, the administrator selects the zone's IP address, then sets its default route to 192.168.2.2, the router on the zone's subnet. Before exiting the command, the administrator verifies the route and commits it.

# zonecfg -z secret
zonecfg:secret> select net address=192.168.2.22
zonecfg:secret:net> set defrouter=192.168.2.2
zonecfg:secret:net> end
zonecfg:secret> verify
zonecfg:secret> commit
zonecfg:secret> info net
  net:
     address: 192.168.2.22
     physical: qfe1
     defrouter: 192.168.2.2
zonecfg:secret> exit
#

The administrator boots the zone.

# zoneadm -z secret boot

In a separate terminal window in the global zone, the administrator verifies that the Secret zone's route to its default router goes through qfe1, not through the global zone's default route on qfe0.

# netstat -rn
Routing Table: IPv4
  Destination           Gateway           Flags  Ref     Use  Interface 
-------------------- -------------------- ----- ----- ------- --------- 
default              192.168.5.15         UG        1    2664 qfe0      
192.168.2.2          192.168.2.22         UG        1     240 qfe1      
192.168.3.3          192.168.3.33         U         1     183 qfe1:0    
127.0.0.1            127.0.0.1            UH        1     380 lo0       
...
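As an added example that is not part of this guide or of Example 4-5, the following POSIX shell script gives the procedure above a non-interactive form and two checks. It writes the body of a zonecfg command file that sets a zone's default router (for the -f option of zonecfg, which reads commands from a file), checks captured zonecfg info net output for the note that every booted zone needs its own default route (no zone without one, no two zones sharing one), and checks captured netstat -rn output for the condition the last step relies on: the zone's router is reached over the zone interface and not over the interface that carries the global zone's default route. The info net and netstat listings are constructed for this example in the shape of the page's own output; the zone names secret, restricted and public and their addresses are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the Trusted Extensions documentation. Provides a
# zonecfg command file for setting a zone's default router non-interactively
# and two checks over captured "zonecfg info net" and "netstat -rn" output.
# All listings, zone names and addresses below are constructed for the example.

# Body of a zonecfg command file that sets the default router for the net
# resource with address $1 to router $2. Usage:
#   defrouter_cmds 192.168.2.22 192.168.2.2 > /tmp/secret.cfg
#   zonecfg -z secret -f /tmp/secret.cfg
defrouter_cmds() {
    cat <<EOF
select net address=$1
set defrouter=$2
end
verify
commit
exit
EOF
}

# Constructed "zonecfg -z zone info net" output for three zones. The third has
# no default router and must fail the uniqueness check.
INFO_SECRET='net:
        address: 192.168.2.22
        physical: qfe1
        defrouter: 192.168.2.2'
INFO_RESTRICTED='net:
        address: 192.168.3.33
        physical: qfe1:0
        defrouter: 192.168.3.3'
INFO_PUBLIC='net:
        address: 192.168.4.44
        physical: qfe2
        defrouter not specified'

# Reduce one info net listing to "address physical defrouter"; "-" means unset.
net_fields() {
    echo "$1" | awk '
        /address:/                { a = $2 }
        /physical:/               { p = $2 }
        /defrouter:/              { r = $2 }
        /defrouter not specified/ { r = "-" }
        END { print a, p, r }'
}

# Return 0 when every listing has a default router and all routers differ.
check_unique_defrouters() {
    seen=" "
    for listing in "$@"; do
        fields=$(net_fields "$listing")
        router=${fields##* }
        if [ "$router" = "-" ]; then
            echo "zone at ${fields%% *}: no default router configured"
            return 1
        fi
        case $seen in
            *" $router "*) echo "default router $router is used by more than one zone"; return 1 ;;
        esac
        seen="$seen$router "
    done
    return 0
}

# Constructed "netstat -rn" from the global zone after the secret zone booted.
NETSTAT='Routing Table: IPv4
  Destination           Gateway           Flags  Ref     Use  Interface
-------------------- -------------------- ----- ----- ------- ---------
default              192.168.5.15         UG        1    2664 qfe0
192.168.2.2          192.168.2.22         UG        1     240 qfe1
192.168.3.3          192.168.3.33         U         1     183 qfe1:0
127.0.0.1            127.0.0.1            UH        1     380 lo0'

# Return 0 when router $1 has a route over interface $2 and $2 is not the
# interface that the global zone's own default route uses.
check_zone_route() {
    global_if=$(echo "$NETSTAT" | awk '$1 == "default" { print $NF; exit }')
    if [ "$2" = "$global_if" ]; then
        echo "interface $2 carries the global zone default route; the zone is not isolated"
        return 1
    fi
    echo "$NETSTAT" | awk -v r="$1" -v i="$2" '$1 == r && $NF == i { found = 1 } END { exit !found }'
}

# Stand-alone run.
defrouter_cmds 192.168.2.22 192.168.2.2
check_unique_defrouters "$INFO_SECRET" "$INFO_RESTRICTED" && echo 'OK: distinct default routers'
check_unique_defrouters "$INFO_SECRET" "$INFO_PUBLIC" || echo 'FAIL as expected: public zone has no default router'
check_zone_route 192.168.2.2 qfe1 && echo 'OK: secret zone routes over qfe1'
```

On a real system, feed check_unique_defrouters the output of zonecfg -z zone info net for every zone you intend to boot, and replace the NETSTAT constant with the output of netstat -rn from the global zone after the zone has booted.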

Configure a Name Service Cache in Each Labeled Zone

This procedure enables you to separately configure a name service daemon (nscd) in each labeled zone. This configuration supports environments where each zone is connected to a subnetwork that runs at the label of the zone, and the subnetwork has its own name server for that label.


Note - This configuration does not satisfy the criteria for an evaluated configuration. In an evaluated configuration, the nscd daemon runs only in the global zone. Doors in each labeled zone connect the zone to the global nscd daemon.


Before You Begin

You are superuser in the global zone. root must not yet be a role. You have successfully completed Add a Network Interface to Route an Existing Labeled Zone.

This configuration requires that you have advanced networking skills. If LDAP is your naming service, you are responsible for establishing the LDAP client connection to each labeled zone. The nscd daemon caches the name service information, but does not route it.

  1. If you are using LDAP, verify a route to the LDAP server from the labeled zone.

    In a terminal window in every labeled zone, run the following command:

    zone-name # netstat -rn
  2. In the global zone, start the Labeled Zone Manager.
    # /usr/sbin/txzonemgr
  3. Select the Configure per-zone name service, and click OK.

    This option is intended to be used once, during initial system configuration.

  4. Configure each zone's nscd service.

    For assistance, see the nscd(1M) and nscd.conf(4) man pages.

  5. Reboot the system.
  6. For every zone, verify the route and the name service daemon.
    1. In the Zone Console, list the nscd service.
      zone-name # svcs -x name-service-cache
      svc:/system/name-service-cache:default (name service cache)
       State: online since October 10, 2010  10:10:10 AM PDT
         See: nscd(1M)
         See: /etc/svc/volatile/system-name-service-cache:default.log
      Impact: None.
    2. Verify the route to the subnetwork.
      zone-name # netstat -rn
  7. To remove the zone-specific name service daemons, do the following in the global zone:
    1. Open the Labeled Zone Manager.
    2. Select Unconfigure per-zone name service, and click OK.

      This selection removes the nscd daemon in every labeled zone.

    3. Reboot the system.