Trusted Extensions Configuration and Administration, Oracle Solaris 11.1 Information Library: Glossary
accreditation range
A set of sensitivity labels that are approved for a class of users or resources. A set of valid labels. See also system accreditation range and user accreditation range.
administrative role
A role that gives the required authorizations, privileged commands, and the Trusted Path security attribute to allow the role to perform administrative tasks. Roles perform a subset of Oracle Solaris root's capabilities, such as backup or auditing.
allocation
A mechanism by which access to a device is controlled. See device allocation.
authorization
A right granted to a user or role to perform an action that would otherwise not be allowed by security policy. Authorizations are granted in rights profiles. Certain commands require the user to have specific authorizations to succeed.
branded zone
In Trusted Extensions, a labeled non-global zone. More generally, a non-global zone that contains a non-native operating environment. See the brands(5) man page.
CIPSO
Common IP Security Option. CIPSO is the label standard that Trusted Extensions implements: the sensitivity label of a packet is carried in an IP option in the packet header.
classification
The hierarchical component of a clearance or a label. A classification indicates a hierarchical level of security, for example, TOP SECRET or UNCLASSIFIED.
clearance
The upper limit of the set of labels at which a user can work. The lower limit is the minimum label that is assigned by the security administrator. A clearance can be one of two types, a session clearance or a user clearance.
client
A system connected to a network.
closed network
A network of systems that are configured with Trusted Extensions. The network is cut off from any non-Trusted Extensions host. The cutoff can be physical, where no wire extends past the Trusted Extensions network. The cutoff can be in software, where the Trusted Extensions hosts recognize only Trusted Extensions hosts. Data entry from outside the network is restricted to peripherals attached to Trusted Extensions hosts. Contrast with open network.
compartment
A nonhierarchical component of a label that is used with the classification component to form a clearance or a label. A compartment represents a collection of information, such as would be used by an engineering department or a multidisciplinary project team.
.copy_files file
An optional setup file on a multilabel system. This file contains a list of startup files, such as .cshrc or .firefox, that the user environment or user applications require in order for the system or application to behave well. The files that are listed in .copy_files are then copied to the user's home directory at higher labels, when those directories are created. See also .link_files file.
device
Devices include printers, computers, tape drives, floppy drives, CD-ROM drives, DVD drives, audio devices, and internal pseudo terminal devices. Devices are subject to the read equal, write equal MAC policy. Access to removable devices, such as DVD drives, is controlled by device allocation.
device allocation
A mechanism for protecting the information on an allocatable device from access by anybody except the user who allocates the device. Until a device is deallocated, no one but the user who allocated the device can access any information that is associated with the device. For a user to allocate a device, that user must have been granted the Device Allocation authorization by the security administrator.
discretionary access control (DAC)
The type of access that is granted or denied by the owner of a file or directory at the discretion of the owner. Trusted Extensions provides two kinds of discretionary access controls (DAC), UNIX permission bits and ACLs. DAC is always applied in addition to, never instead of, mandatory access control.
domain
A part of the Internet naming hierarchy. It represents a group of systems on a local network that share administrative files.
domain name
The identification of a group of systems. A domain name consists of a sequence of component names separated by periods (for example: example1.town.state.country.org). As you read a domain name from left to right, the component names identify more general, and usually remote, areas of administrative authority.
domain of interpretation (DOI)
On an Oracle Solaris system that is configured with Trusted Extensions, the domain of interpretation is used to differentiate between different label_encodings files that might have similar labels defined. The DOI is a set of rules that translates the security attributes on network packets to the representation of those security attributes in the local label_encodings file. When systems have the same DOI, they share that set of rules and can translate each other's labeled network packets. A labeled packet whose DOI differs from the receiving system's DOI cannot be interpreted and is dropped.
evaluated configuration
One or more Trusted Extensions hosts that are running in a configuration that has been certified as meeting specific criteria by a certification authority. Trusted Extensions software is in evaluation for certification under Common Criteria v2.3 [August 2005], an ISO standard, to Evaluation Assurance Level (EAL) 4, and against a number of protection profiles.
file system
A collection of files and directories that, when set into a logical hierarchy, make up an organized, structured set of information. File systems can be mounted from your local system or from a remote system.
GFI
Government Furnished Information. In this manual, it refers to a U.S. government-provided label_encodings file. In order to use a GFI with Trusted Extensions software, you must add the Oracle-specific LOCAL DEFINITIONS section to the end of the GFI. For details, see Chapter 5, Customizing the LOCAL DEFINITIONS Section (Tasks), in Trusted Extensions Label Administration.
host name
The name by which a system is known to other systems on a network. This name must be unique among all the systems within a given domain. Usually, a domain identifies a single organization. A host name can be any combination of letters, numbers, and the minus sign (-), but it cannot begin or end with a minus sign.
initial label
The minimum label assigned to a user or role, and the label of the user's initial workspace. The initial label is the lowest label at which the user or role can work.
initial setup team
A team of at least two people who together oversee the enabling and configuration of Trusted Extensions software. One team member is responsible for security decisions, and the other for system administration decisions.
IP address
Internet Protocol address. A unique number that identifies a networked system so that it can communicate by means of Internet protocols. In IPv4, the address consists of four numbers separated by periods. Each of the four numbers is between 0 and 255. The first number must be less than 224 (224 and above are reserved for multicast and other special uses), and the last number cannot be 0 (that address identifies the network itself rather than a host on it).
IP addresses are logically divided into two parts: the network, and the system on the network. The network number is similar to a telephone area code. In relation to the network, the system number is similar to a phone number.
label
A security identifier that is assigned to an object. The label is based on the level at which the information in that object should be protected. Depending on how the security administrator has configured the user, a user can see the sensitivity label, or no labels at all. Labels are defined in the label_encodings file.
label configuration
A Trusted Extensions installation choice of single-label or multilabel sensitivity labels. In most circumstances, label configuration is identical on all systems at your site.
label_encodings file
The file where the complete sensitivity label is defined, as are accreditation ranges, label view, default label visibility, default user clearance, and other aspects of labels.
label range
A set of sensitivity labels that are assigned to commands, zones, and allocatable devices. The range is specified by designating a maximum label and a minimum label. For commands, the minimum and maximum labels limit the labels at which the command can be executed. Remote hosts that do not recognize labels are assigned a single sensitivity label, as are any other hosts that the security administrator wants to restrict to a single label. A label range limits the labels at which devices can be allocated and restricts the labels at which information can be stored or processed when using the device.
label relationships
On an Oracle Solaris system that is configured with Trusted Extensions, a label can dominate another label, be equal to another label, or be disjoint from another label. Label A dominates label B when A's classification is equal to or higher than B's classification and A's compartments include all of B's compartments; two labels are disjoint when neither dominates the other, for example because each carries a compartment the other lacks. For example, the label Top Secret dominates the label Secret. For two systems with the same domain of interpretation (DOI), the label Top Secret on one system is equal to the label Top Secret on the other system.
label set
See security label set.
labeled host
A labeled system that is part of a trusted network of labeled systems.
labeled system
A labeled system is a system that is running a multilevel operating system, such as Trusted Extensions or SELinux with MLS enabled. The system can send and receive network packets that are labeled with a Common IP Security Option (CIPSO) in the header of the packet.
labeled zone
On an Oracle Solaris system that is configured with Trusted Extensions, every zone is assigned a label. Although the global zone is labeled, the term labeled zone typically refers to a non-global zone that is assigned a label. Labeled zones differ in two ways from non-global zones on an Oracle Solaris system that is not configured with labels. First, labeled zones must use the same pool of user IDs and group IDs. Second, labeled zones can share IP addresses.
.link_files file
An optional setup file on a multilabel system. This file contains a list of startup files, such as .cshrc or .firefox, that the user environment or user applications require in order for the system or application to behave well. The files that are listed in .link_files are then linked into the user's home directory at higher labels, when those directories are created. See also .copy_files file.
mandatory access control (MAC)
Access control that is based on comparing the sensitivity label of a file, directory, or device to the sensitivity label of the process that is trying to access it. The MAC read rule, read equal or read down, applies when a process attempts to read an object: the read is allowed only when the process label dominates (is equal to or higher than) the object label. The MAC write rule, write equal, applies when a process attempts to write to a file or directory: the write is allowed only when the process label equals the object label, so a process can neither write down to a lower label nor write up to a higher one. Unlike discretionary access control, MAC is enforced by the system and cannot be relaxed by the owner of the object.
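As an added example (not code from the Oracle documentation), the following Python models the label relationships and the MAC read and write rules defined above. The classification order, the compartment names and the Label class are assumptions standing in for a site's label_encodings file; the accreditation range check is simplified to a minimum/maximum pair and omits the combination constraints a real label_encodings file can impose.

```python
from dataclasses import dataclass

# Constructed classification order; a real site defines these in label_encodings (assumption).
CLASSIFICATIONS = {"ADMIN_LOW": -1, "UNCLASSIFIED": 0, "CONFIDENTIAL": 1,
                   "SECRET": 2, "TOP SECRET": 3, "ADMIN_HIGH": 99}
# Every compartment defined at the hypothetical site; ADMIN_HIGH carries all of them.
ALL_COMPARTMENTS = frozenset({"A", "B", "C"})


@dataclass(frozen=True)
class Label:
    classification: str
    compartments: frozenset = frozenset()

    def dominates(self, other):
        """A dominates B when A's classification is at least B's and A's compartments
        include all of B's compartments."""
        return (CLASSIFICATIONS[self.classification] >= CLASSIFICATIONS[other.classification]
                and self.compartments >= other.compartments)


ADMIN_LOW = Label("ADMIN_LOW")                   # dominated by every label
ADMIN_HIGH = Label("ADMIN_HIGH", ALL_COMPARTMENTS)  # dominates every label


def relation(a, b):
    """One of: equal, dominates (a strictly dominates b), dominated, disjoint."""
    ab, ba = a.dominates(b), b.dominates(a)
    if ab and ba:
        return "equal"
    if ab:
        return "dominates"
    if ba:
        return "dominated"
    return "disjoint"          # neither dominates: e.g. SECRET/A versus SECRET/B


def mac_read_allowed(process, obj):
    """Read equal or read down: the process label must dominate the object label."""
    return process.dominates(obj)


def mac_write_allowed(process, obj):
    """Write equal: a process may write only to objects at exactly its own label."""
    return relation(process, obj) == "equal"


def in_range(label, minimum, maximum):
    """Label range / accreditation range check, simplified to a min/max pair.
    A user's range is (minimum label, clearance); a device's is (min_label, max_label)."""
    return label.dominates(minimum) and maximum.dominates(label)


if __name__ == "__main__":
    ts_a = Label("TOP SECRET", frozenset({"A"}))
    s_a = Label("SECRET", frozenset({"A"}))
    s_b = Label("SECRET", frozenset({"B"}))
    for proc, obj in ((ts_a, s_a), (s_a, ts_a), (s_a, s_b), (s_a, Label("SECRET", frozenset({"A"})))):
        print(f"{proc.classification}/{set(proc.compartments)} -> {obj.classification}/{set(obj.compartments)}:",
              relation(proc, obj), "read" if mac_read_allowed(proc, obj) else "no-read",
              "write" if mac_write_allowed(proc, obj) else "no-write")
```

The disjoint case is the one practitioners most often get wrong: SECRET/A and SECRET/B share a classification, yet a process at one can neither read nor write the other, because dominance requires the compartment set to be a superset, not merely the classification to be as high.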
minimum label
The lower bound of a user's sensitivity labels and the lower bound of the system's sensitivity labels. The minimum label set by the security administrator when specifying a user's security attributes is the sensitivity label of the user's first workspace at first login. The sensitivity label that is specified in the minimum label field of the label_encodings file by the security administrator sets the lower bound for the system.
multilevel desktop
On an Oracle Solaris system that is configured with Trusted Extensions, users can run a desktop at a particular label. If the user is authorized to work at more than one label, the user can create a separate workspace to work at each label. On this multilevel desktop, authorized users can cut and paste between windows at different labels, receive mail at different labels, and view and use labeled windows in workspaces of a different label.
multilevel port (MLP)
On an Oracle Solaris system that is configured with Trusted Extensions, an MLP is used to provide multilevel service in a zone. By default, the X server is a multilevel service that is defined in the global zone. An MLP is specified by port number and protocol. For example, the MLP of the X server for the multilevel desktop is specified by 6000-6003 and TCP.
naming service
A distributed network database that contains key system information about all the systems on a network, so that the systems can communicate with each other. Without such a service, each system has to maintain its own copy of the system information in the local /etc files.
network
A group of systems that are connected through hardware and software, sometimes referred to as a local area network (LAN). One or more servers are usually needed when systems are networked.
non-networked systems
Computers that are not connected to a network or that do not rely on other hosts.
open network
A network of Trusted Extensions hosts that is connected physically to other networks and that uses Trusted Extensions software to communicate with non-Trusted Extensions hosts. Contrast with closed network.
outside the evaluated configuration
When software that has been proved able to satisfy the criteria for an evaluated configuration is configured with settings that do not satisfy those criteria, the software is described as being outside the evaluated configuration.
permission bits
A type of discretionary access control in which the owner specifies a set of bits to signify who can read, write, or execute a file or directory. Three different sets of permissions are assigned to each file or directory: one set for the owner, one set for the owner's group, and one set for all others.
privilege
Powers that are granted to a process that is executing a command. The full set of privileges describes the full capabilities of the system, from basic capabilities to administrative capabilities. Privileges that bypass security policy, such as setting the clock on a system, can be granted by a site's security administrator.
process
An action that executes a command on behalf of the user who invokes the command. A process receives a number of security attributes from the user, including the user ID (UID), the group ID (GID), the supplementary group list, and the user's audit ID (AUID). Security attributes received by a process also include any privileges that are available to the command being executed and the sensitivity label of the current workspace.
profile shell
A special shell that recognizes security attributes, such as privileges, authorizations, and special UIDs and GIDs. A profile shell typically limits users to fewer commands, but can allow these commands to run with more rights. The profile shell is the default shell of a trusted role.
remote host
A system other than the local system. A remote host can be an unlabeled host or a labeled host.
rights profile
A bundling mechanism for commands and for the security attributes that are assigned to these executables. Rights profiles allow Oracle Solaris administrators to control who can execute which commands and to control the attributes these commands have when they are executed. When a user logs in, all rights assigned to that user are in effect, and the user has access to all the commands and authorizations assigned in all of that user's rights profiles.
role
A role is like a user, except that a role cannot log in directly. Typically, a role is used to assign administrative capabilities. Roles are limited to a particular set of commands and authorizations. See administrative role.
security administrator
In an organization where sensitive information must be protected, the person or persons who define and enforce the site's security policy. These persons are cleared to access all information that is being processed at the site. In software, the Security Administrator administrative role is assigned to one or more individuals who have the proper clearance. These administrators configure the security attributes of all users and hosts so that the software enforces the site's security policy. In contrast, see system administrator.
security attribute
An attribute that is used to enforce Trusted Extensions security policy. Various sets of security attributes are assigned to processes, users, zones, hosts, allocatable devices, and other objects.
security label set
Specifies a discrete set of security labels for a tnrhtp database entry. Hosts that are assigned to a template with a security label set can send and receive packets that match any one of the labels in the label set, but not packets at labels that fall between them.
security policy
On a Trusted Extensions host, the set of DAC, MAC, and labeling rules that define how information can be accessed. At a customer site, the set of rules that define the sensitivity of the information being processed at that site and the measures that are used to protect the information from unauthorized access.
security template
A record in the tnrhtp database that defines the security attributes of a class of hosts that can access the Trusted Extensions network.
sensitivity label
A security label that is assigned to an object or a process. The label is used to limit access according to the security level of the data that is contained.
separation of duty
The security policy that requires two administrators or roles to create and authenticate a user. One administrator or role is responsible for creating the user, the user's home directory, and other basic administration. The other administrator or role is responsible for the user's security attributes, such as the password and the label range.
system
Generic name for a computer. After installation, a system on a network is often referred to as a host.
system accreditation range
The set of all valid labels that are created according to the rules that the security administrator defines in the label_encodings file, plus the two administrative labels that are used on every system that is configured with Trusted Extensions. The administrative labels are ADMIN_LOW and ADMIN_HIGH.
system administrator
In Trusted Extensions, the trusted role assigned to the user or users who are responsible for performing standard system management tasks such as setting up the non-security-relevant portions of user accounts. In contrast, see security administrator.
tnrhdb
The trusted network remote host database. This database assigns a security template, and thus a set of label characteristics, to each remote host or network. The database is accessible as a file in /etc/security/tsol/tnrhdb.
tnrhtp
The trusted network remote host template. This database defines the sets of label characteristics that can be assigned to remote hosts. The database is accessible as a file in /etc/security/tsol/tnrhtp.
trusted network databases
tnrhtp, the trusted network remote host template, and tnrhdb, the trusted network remote host database, together define the remote hosts with which a Trusted Extensions system can communicate and the labels at which that communication can occur.
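As an added example (not Oracle's code, and not the exact syntax of the tnrhtp and tnrhdb files), the following Python shows how a security template and a remote host entry combine to decide whether a packet from a given source address is accepted, and at which label. The name:key=value entry format, the addresses, the template names and the label spelling are constructed assumptions; the decision rules follow the definitions of security template, security label set, labeled host and unlabeled host given in this glossary.

```python
import ipaddress

# Assumed classification order and compartments for a constructed label_encodings file.
CLASSIFICATIONS = {"ADMIN_LOW": -1, "UNCLASSIFIED": 0, "SECRET": 2,
                   "TOP SECRET": 3, "ADMIN_HIGH": 99}
ALL_COMPARTMENTS = frozenset({"A", "B"})


def parse_label(text):
    """'SECRET/A,B' -> ('SECRET', frozenset({'A', 'B'})). ADMIN_HIGH holds every compartment."""
    name, _, comps = text.partition("/")
    name = name.strip()
    if name == "ADMIN_HIGH":
        return (name, ALL_COMPARTMENTS)
    return (name, frozenset(c.strip() for c in comps.split(",") if c.strip()))


def dominates(a, b):
    """Label a dominates b: classification at least b's and compartments a superset of b's."""
    return CLASSIFICATIONS[a[0]] >= CLASSIFICATIONS[b[0]] and a[1] >= b[1]


# Constructed security templates and remote host entries. The name:key=value;... shape
# approximates tnrhtp and tnrhdb but is not their exact grammar (assumption).
TNRHTP_TEXT = """\
cipso:host_type=cipso;doi=1;min_label=ADMIN_LOW;max_label=ADMIN_HIGH
cipso_set:host_type=cipso;doi=1;label_set=SECRET/A|TOP SECRET/A,B
admin_low:host_type=unlabeled;doi=1;def_label=ADMIN_LOW;min_label=ADMIN_LOW;max_label=ADMIN_HIGH
public:host_type=unlabeled;doi=1;def_label=UNCLASSIFIED;min_label=UNCLASSIFIED;max_label=UNCLASSIFIED
"""
TNRHDB_TEXT = """\
192.0.2.0/24:cipso
192.0.2.7:cipso_set
198.51.100.5:public
0.0.0.0/0:admin_low
"""


def parse_templates(text):
    templates = {}
    for line in text.splitlines():
        name, _, body = line.partition(":")
        templates[name] = dict(kv.split("=", 1) for kv in body.split(";") if kv)
    return templates


def parse_hosts(text):
    return [(ipaddress.ip_network(addr, strict=False), tmpl)
            for addr, _, tmpl in (line.partition(":") for line in text.splitlines())]


TEMPLATES = parse_templates(TNRHTP_TEXT)
HOSTS = parse_hosts(TNRHDB_TEXT)


def lookup_template(src_ip, hosts=HOSTS, templates=TEMPLATES):
    """The most specific (longest prefix) host entry wins; 0.0.0.0/0 is the fallback."""
    ip = ipaddress.ip_address(src_ip)
    matches = [(net.prefixlen, tmpl) for net, tmpl in hosts if ip in net]
    return templates[max(matches)[1]] if matches else None


def accept_packet(src_ip, pkt_doi=None, pkt_label=None, hosts=HOSTS, templates=TEMPLATES):
    """Return (accepted, effective_label, reason) for a packet from src_ip.
    pkt_doi and pkt_label are the CIPSO option contents, or None for an unlabeled packet."""
    t = lookup_template(src_ip, hosts, templates)
    if t is None:
        return (False, None, "no host entry for source address")
    if t["host_type"] == "unlabeled":
        if pkt_label is not None:
            return (False, None, "labeled packet from a host assigned an unlabeled template")
        label = parse_label(t["def_label"])      # single-level host: communicate at its default label
    else:
        if pkt_label is None:
            return (False, None, "unlabeled packet from a host assigned a cipso template")
        if pkt_doi != int(t["doi"]):
            return (False, None, "DOI mismatch: label cannot be interpreted")
        label = parse_label(pkt_label)
    if "label_set" in t:                          # security label set: only these discrete labels
        ok = label in {parse_label(x) for x in t["label_set"].split("|")}
    else:                                         # label range: min_label <= label <= max_label
        ok = (dominates(label, parse_label(t["min_label"]))
              and dominates(parse_label(t["max_label"]), label))
    return (ok, label if ok else None, "accepted" if ok else "label outside template range")
```

Two details are worth noticing. An unlabeled host never gets to choose its label: whatever it sends is interpreted at the template's default label, which is why assigning a too-high default label to a single-level host is a common misconfiguration. And a template with a security label set accepts only the listed labels, so a packet at a label that lies between two members of the set is still rejected.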
trusted path
On an Oracle Solaris system that is configured with Trusted Extensions, the trusted path is a reliable, tamper-proof way to interact with the system. The trusted path is used to ensure that administrative functions cannot be compromised. User functions that must be protected, such as changing a password, also use the trusted path. When the trusted path is active, the desktop displays a tamper-proof indicator.
trusted role
See administrative role.
trusted stripe
A region of the screen that cannot be spoofed. In Trusted GNOME the stripe is at the top. The stripe provides visual feedback about the state of the window system: a trusted path indicator and the window sensitivity label. When sensitivity labels are configured to not be viewable for a user, the trusted stripe is reduced to an icon that displays only the trusted path indicator.
txzonemgr script
The /usr/sbin/txzonemgr script provides a simple GUI for managing labeled zones. The script also provides menu items for networking options. txzonemgr is run by root in the global zone.
unlabeled host
A networked system that sends unlabeled network packets, such as a system that is running the Oracle Solaris OS without Trusted Extensions.
unlabeled system
To an Oracle Solaris system that is configured with Trusted Extensions, an unlabeled system is a system that is not running a multilevel operating system, such as Trusted Extensions or SELinux with MLS enabled. An unlabeled system does not send labeled packets. If the communicating Trusted Extensions system has assigned a single label to the unlabeled system, then network communication between the Trusted Extensions system and the unlabeled system happens at that label. An unlabeled system is also called a "single-level system".
user accreditation range
The set of all labels at which a regular user can work on the system. The site's security administrator specifies the range in the label_encodings file. The rules for well-formed labels that define the system accreditation range are further restricted by the values in the ACCREDITATION RANGE section of the file: the upper bound, the lower bound, the combination constraints, and other restrictions.
user clearance
The clearance assigned by the security administrator that sets the upper bound of the set of labels at which a user can work at any time. The user can decide to accept the default, or can further restrict that clearance during any particular login session.