Common Tasks in Trusted Extensions (Task Map)

The following task map describes common administrative procedures in Trusted Extensions.

How to Change the Password for root

Trusted Extensions provides a GUI for changing your password.

1. Assume the root role.

   For the steps, see How to Enter the Global Zone in Trusted Extensions.

2. Open the Trusted Path menu by clicking the trusted symbol in the trusted stripe.
3. Choose Change Login Password.

   If separate passwords are created per zone, the menu can read Change Workspace Password.

4. Change the password, and confirm the change.

How to Enforce a New Local User Password in a Labeled Zone

Under the following conditions, labeled zones must be rebooted:

• One or more local users have changed their passwords.

• All zones are using a single instance of the naming service cache daemon (nscd).

• The system is administered with files, not LDAP.

Before You Begin

You must be assigned the Zone Security rights profile.

• To enforce the password change, reboot the labeled zones that the users can access.

  Use one of the following methods:

  • Use the txzonemgr GUI.

    # txzonemgr &

    In the Labeled Zone Manager, navigate to the labeled zone and from the list of commands, select Halt, then select Boot.

  • In a terminal window in the global zone, use zone administration commands.

    You can choose to shut down or halt the system.

    • The zlogin command cleanly shuts down the zone.

      # zlogin labeled-zone shutdown -i 0
      # zoneadm -z labeled-zone boot

    • The halt subcommand bypasses the shutdown scripts.

      # zoneadm -z labeled-zone halt
      # zoneadm -z labeled-zone boot

Troubleshooting

To automatically update user passwords for labeled zones, you must either configure LDAP or configure one naming service per zone. You can also configure both.

• To configure LDAP, see Chapter 5, Configuring LDAP for Trusted Extensions (Tasks).

• Configuring one naming service per zone requires advanced networking skills. For the procedure, see How to Configure a Separate Name Service for Each Labeled Zone.

How to Regain Control of the Desktop's Current Focus

The “Secure Attention” key combination can be used to break a pointer grab or a keyboard grab by an untrusted application. The key combination can also be used to verify if a pointer or a keyboard has been grabbed by a trusted application. On a multiheaded system that has been spoofed to display more than one trusted stripe, this key combination warps the pointer to the authorized trusted stripe.

1. To regain control of a Sun keyboard, use the following key combination.

   Press the keys simultaneously to regain control of the current desktop focus. On the Sun keyboard, the diamond is the Meta key.

   <Meta> <Stop>

   If the grab, such as a pointer, is not trusted, the pointer moves to the stripe. A trusted pointer does not move to the trusted stripe.

2. If you are not using a Sun keyboard, use the following key combination.

   <Alt> <Break>

   Press the keys simultaneously to regain control of the current desktop focus on your laptop.

Example 9-1 Testing If the Password Prompt Can Be Trusted

On an x86 system that is using a Sun keyboard, the user has been prompted for a password. The cursor has been grabbed, and is in the password dialog box. To check that the prompt is trusted, the user presses the <Meta> <Stop> keys simultaneously. When the pointer remains in the dialog box, the user knows that the password prompt is trusted.

If the pointer had moved to the trusted stripe, the user would know that the password prompt could not be trusted, and contact the administrator.

Example 9-2 Forcing the Pointer to the Trusted Stripe

In this example, a user is not running any trusted processes but cannot see the mouse pointer. To bring the pointer to the center of the trusted stripe, the user presses the <Meta> <Stop> keys simultaneously.

How to Obtain the Hexadecimal Equivalent for a Label

This procedure provides an internal hexadecimal representation of a label. This representation is safe for storing in a public directory. For more information, see the atohexlabel(1M) man page.

Before You Begin

You must be in the Security Administrator role in the global zone. For details, see How to Enter the Global Zone in Trusted Extensions.

• To obtain the hexadecimal value for a label, do one of the following:
  • To obtain the hexadecimal value for a sensitivity label, pass the label to the command.

    $ atohexlabel "CONFIDENTIAL : INTERNAL USE ONLY"
    0x0004-08-48

    The string is not case-sensitive, but whitespace must be exact. For example, the following quoted strings return a hexadecimal label:

    • "CONFIDENTIAL : INTERNAL USE ONLY"

    • "cnf : Internal"

    • "confidential : internal"

    The following quoted strings return a parsing error:

    • "confidential:internal"

    • "confidential: internal"

  • To obtain the hexadecimal value for a clearance, use the -c option.

    $ atohexlabel -c "CONFIDENTIAL NEED TO KNOW"
    0x0004-08-68

    ---

    Note - Human readable sensitivity labels and clearance labels are formed according to rules in the label_encodings file. Each type of label uses rules from a separate section of this file. When a sensitivity label and a clearance label both express the same underlying level of sensitivity, the labels have identical hexadecimal forms. However, the labels can have different human readable forms. System interfaces that accept human readable labels as input expect one type of label. If the text strings for the label types differ, these text strings cannot be used interchangeably.

    In the label_encodings file, the text equivalent of a clearance label does not include a colon (:).

    ---

Example 9-3 Using the atohexlabel Command

When you pass a valid label in hexadecimal format, the command returns the argument.

$ atohexlabel 0x0004-08-68
0x0004-08-68

When you pass an administrative label, the command returns the argument.

$ atohexlabel admin_high
ADMIN_HIGH
atohexlabel admin_low
ADMIN_LOW

Troubleshooting

The error message atohexlabel parsing error found in <string> at position 0 indicates that the <string> argument that you passed to atohexlabel was not a valid label or clearance. Check your typing, and check that the label exists in your installed label_encodings file.

How to Obtain a Readable Label From Its Hexadecimal Form

This procedure provides a way to repair labels that are stored in internal databases. For more information, see the hextoalabel(1M) man page.

Before You Begin

You must be in the Security Administrator role in the global zone.

• To obtain the text equivalent for an internal representation of a label, do one of the following.
  • To obtain the text equivalent for a sensitivity label, pass the hexadecimal form of the label.

    $ hextoalabel 0x0004-08-68
    CONFIDENTIAL : NEED TO KNOW

  • To obtain the text equivalent for a clearance, use the -c option.

    $ hextoalabel -c 0x0004-08-68
    CONFIDENTIAL NEED TO KNOW

How to Change Security Defaults in System Files

Files in the /etc/security and /etc/default directories contain security values. For more information, see Chapter 3, Controlling Access to Systems (Tasks), in Oracle Solaris 11.1 Administration: Security Services.

---

Caution - Relax system security defaults only if site security policy allows you to.

---

Before You Begin

You are in the global zone and are assigned the solaris.admin.edit/filename authorization. By default, the root role has this authorization.

• Edit the system file.

  The following table lists the security files and which security values you might change in the files. The first two files are unique to Trusted Extensions.

  
  

  File Task For More Information sel_config in /usr/share/gnome/ Specifies how system behaves when information is moved to a different label. sel_config(4) man page TrustedExtensionsPolicy in /usr/lib/xorg/ Modify SUN_TSOL security policy enforcement of label separation in the X server. TrustedExtensionsPolicy(4) man page /etc/default/login Reduce the allowed number of password tries. See the example under How to Monitor All Failed Login Attempts in Oracle Solaris 11.1 Administration: Security Services. passwd(1) man page /etc/default/kbd Disable keyboard shutdown. How to Disable a System’s Abort Sequence in Oracle Solaris 11.1 Administration: Security Services Note - On hosts that are used by administrators for debugging, the default setting for KEYBOARD_ABORT allows access to the kadb kernel debugger. kadb(1M) man page /etc/security/policy.conf Require a more powerful algorithm for user passwords. Remove a basic privilege from all users of this host. Restrict users of this host to Basic Solaris User authorizations. policy.conf(4) man page /etc/default/passwd Require users to change passwords frequently. Require users to create maximally different passwords. Require a longer user password. Require a password that cannot be found in your dictionary. passwd(1) man page