Solaris Trusted Extensions Administrator's Procedures
Previous Next

Document Information

Preface

Part I Initial Configuration of Trusted Extensions

1.  Security Planning for Trusted Extensions

2.  Configuration Roadmap for Trusted Extensions

3.  Adding Solaris Trusted Extensions Software to the Solaris OS (Tasks)

4.  Configuring Trusted Extensions (Tasks)

Setting Up the Global Zone in Trusted Extensions

Creating Labeled Zones

Adding Network Interfaces and Routing to Labeled Zones

Creating Roles and Users in Trusted Extensions

Creating Home Directories in Trusted Extensions

Adding Users and Hosts to an Existing Trusted Network

Troubleshooting Your Trusted Extensions Configuration

Additional Trusted Extensions Configuration Tasks

5.  Configuring LDAP for Trusted Extensions (Tasks)

6.  Configuring a Headless System With Trusted Extensions (Tasks)

Part II Administration of Trusted Extensions

7.  Trusted Extensions Administration Concepts

8.  Trusted Extensions Administration Tools

9.  Getting Started as a Trusted Extensions Administrator (Tasks)

10.  Security Requirements on a Trusted Extensions System (Overview)

11.  Administering Security Requirements in Trusted Extensions (Tasks)

12.  Users, Rights, and Roles in Trusted Extensions (Overview)

13.  Managing Users, Rights, and Roles in Trusted Extensions (Tasks)

14.  Remote Administration in Trusted Extensions (Tasks)

15.  Trusted Extensions and LDAP (Overview)

16.  Managing Zones in Trusted Extensions (Tasks)

17.  Managing and Mounting Files in Trusted Extensions (Tasks)

18.  Trusted Networking (Overview)

19.  Managing Networks in Trusted Extensions (Tasks)

20.  Multilevel Mail in Trusted Extensions (Overview)

21.  Managing Labeled Printing (Tasks)

22.  Devices in Trusted Extensions (Overview)

23.  Managing Devices for Trusted Extensions (Tasks)

24.  Trusted Extensions Auditing (Overview)

25.  Software Management in Trusted Extensions (Tasks)

A.  Site Security Policy

Creating and Managing a Security Policy

Site Security Policy and Trusted Extensions

Computer Security Recommendations

Physical Security Recommendations

Personnel Security Recommendations

Common Security Violations

Additional Security References

B.  Using CDE Actions to Install Zones in Trusted Extensions

Associating Network Interfaces With Zones by Using CDE Actions (Task Map)

Preparing to Create Zones by Using CDE Actions (Task Map)

Creating Labeled Zones by Using CDE Actions (Task Map)

C.  Configuration Checklist for Trusted Extensions

Checklist for Configuring Trusted Extensions

D.  Quick Reference to Trusted Extensions Administration

Administrative Interfaces in Trusted Extensions

Solaris Interfaces Extended by Trusted Extensions

Tighter Security Defaults in Trusted Extensions

Limited Options in Trusted Extensions

E.  List of Trusted Extensions Man Pages

Trusted Extensions Man Pages in Alphabetical Order

Solaris Man Pages That Are Modified by Trusted Extensions

Glossary

Index

Additional Trusted Extensions Configuration Tasks

The following two tasks enable you to transfer exact copies of configuration files to every Trusted Extensions system at your site. The final task enables you to remove Trusted Extensions customizations from a Solaris system.

How to Copy Files to Portable Media in Trusted Extensions

When copying to portable media, label the media with the sensitivity label of the information.

Note - During Trusted Extensions configuration, superuser or an equivalent role copies administrative files to and from portable media. Label the media with Trusted Path.

Before You Begin

To copy administrative files, you must be superuser or in a role in the global zone.

  1. Allocate the appropriate device.

    Use the Device Allocation Manager, and insert clean media.  For details, see How to Allocate a Device in Trusted Extensions in Solaris Trusted Extensions User’s Guide.

    • In Solaris Trusted Extensions (CDE), a File Manager displays the contents of the portable media.

    • In Solaris Trusted Extensions (GNOME), a File Browser displays the contents.

    In In this procedure, File Manager is used to refer to this GUI.

  2. Open a second File Manager.
  3. Navigate to the folder that contains the files to be copied

    For example, you might have copied files to an /export/clientfiles folder.

  4. For each file, do the following:
    1. Highlight the icon for the file.
    2. Drag the file to the File Manager for the portable media.
  5. Deallocate the device.

    For details, see How to Deallocate a Device in Trusted Extensions in Solaris Trusted Extensions User’s Guide.

  6. On the File Manager for the portable media, choose Eject from the File menu.

    Note - Remember to physically affix a label to the media with the sensitivity label of the copied files.

Example 4-9 Keeping Configuration Files Identical on All Systems

The system administrator wants to ensure that every machine is configured with the same settings. So, on the first machine that is configured, she creates a directory that cannot be deleted between reboots. In that directory, the administrator places the files that should be identical or very similar on all systems.

For example, she copies the Trusted Extensions toolbox that the Solaris Management Console uses for the LDAP scope, /var/sadm/smc/toolboxes/tsol_ldap/tsol_ldap.tbx. She has customized remote host templates in the tnrhtp file, has a list of DNS servers, and audit configuration files. She also modified the policy.conf file for her site. So, she copies the files to the permanent directory.

# mkdir /export/commonfiles
# cp /etc/security/policy.conf \ /etc/security/audit_control \ /etc/security/audit_startup \ /etc/security/tsol/tnrhtp \ /etc/resolv.conf \ /etc/nsswitch.conf \ /export/commonfiles

She uses the Device Allocation Manager to allocate a diskette in the global zone, and transfers the files to the diskette. On a separate diskette, labeled ADMIN_HIGH, she puts the label_encodings file for the site.

When she copies the files onto a system, she modifies the dir: entries in the /etc/security/audit_control file for that system.

How to Copy Files From Portable Media in Trusted Extensions

It is safe practice to rename the original Trusted Extensions file before replacing the file. When configuring a system, the root role renames and copies administrative files.

Before You Begin

To copy administrative files, you must be superuser or in a role in the global zone.

  1. Allocate the appropriate device.

    For details, see How to Allocate a Device in Trusted Extensions in Solaris Trusted Extensions User’s Guide.

    • In Solaris Trusted Extensions (CDE), a File Manager displays the contents of the portable media.

    • In Solaris Trusted Extensions (GNOME), a File Browser displays the contents.

    In this procedure, File Manager is used to refer to this GUI.

  2. Insert the media that contains the administrative files.
  3. If the system has a file of the same name, copy the original file to a new name.

    For example, add .orig to the end of the original file:

    # cp /etc/security/tsol/tnrhtp /etc/security/tsol/tnrhtp.orig
  4. Open a File Manager.
  5. Navigate to the desired destination directory, such as /etc/security/tsol
  6. For each file that you want to copy, do the following:
    1. In the File Manager for the mounted media, highlight the icon for the file.
    2. Then, drag the file to the destination directory in the second File Manager.
  7. Deallocate the device.

    For details, see How to Deallocate a Device in Trusted Extensions in Solaris Trusted Extensions User’s Guide.

  8. When prompted, eject and remove the media.
Example 4-10 Loading Audit Configuration Files in Trusted Extensions

In this example, roles are not yet configured on the system. The root user needs to copy configuration files to portable media. The contents of the media will then be copied to other systems. These files are to be copied to each system that is configured with Trusted Extensions software.

The root user allocates the floppy_0 device in the Device Allocation Manager and responds yes to the mount query. Then, the root user inserts the diskette with the configuration files and copies them to the disk. The diskette is labeled Trusted Path.

To read from the media, the root user allocates the device on the receiving host, then downloads the contents.

If the configuration files are on a tape, the root user allocates the mag_0 device. If the configuration files are on a CD-ROM, the root user allocates the cdrom_0 device.

How to Remove Trusted Extensions From the System

To remove Trusted Extensions from your Solaris system, you perform specific steps to remove Trusted Extensions customizations to the Solaris system.

  1. As in the Solaris OS, archive any data in the labeled zones that you want to keep.
  2. Remove the labeled zones from the system.

    For details, see How to Remove a Non-Global Zone in System Administration Guide: Virtualization Using the Solaris Operating System.

  3. Disable the Trusted Extensions service.
    # svcadm disable labeld
  4. Run the bsmunconv command.

    For the effect of this command, see the bsmunconv(1M) man page.

  5. (Optional) Reboot the system.
  6. Configure the system.

    Various services might need to be configured for your Solaris system. Candidates include auditing, basic networking, naming services, and file system mounts.
Previous Next