| Skip Navigation Links | |
| Exit Print View | |
|
Trusted Extensions Configuration and Administration Oracle Solaris 11.1 Information Library |
| Skip Navigation Links | |
| Exit Print View | |
|
|
Trusted Extensions Configuration and Administration Oracle Solaris 11.1 Information Library |
Part I Initial Configuration of Trusted Extensions
1. Security Planning for Trusted Extensions
2. Configuration Roadmap for Trusted Extensions
3. Adding the Trusted Extensions Feature to Oracle Solaris (Tasks)
4. Configuring Trusted Extensions (Tasks)
5. Configuring LDAP for Trusted Extensions (Tasks)
Part II Administration of Trusted Extensions
6. Trusted Extensions Administration Concepts
7. Trusted Extensions Administration Tools
8. Security Requirements on a Trusted Extensions System (Overview)
Configurable Security Features
Role Creation in Trusted Extensions
Role Assumption in Trusted Extensions
Trusted Extensions Interfaces for Configuring Security Features
Extension of Oracle Solaris Security Features by Trusted Extensions
Security Requirements Enforcement
Users and Security Requirements
Group Administration Practices
Rules When Changing the Level of Security for Data
9. Performing Common Tasks in Trusted Extensions
10. Users, Rights, and Roles in Trusted Extensions (Overview)
11. Managing Users, Rights, and Roles in Trusted Extensions (Tasks)
12. Remote Administration in Trusted Extensions (Tasks)
13. Managing Zones in Trusted Extensions
14. Managing and Mounting Files in Trusted Extensions
15. Trusted Networking (Overview)
16. Managing Networks in Trusted Extensions (Tasks)
17. Trusted Extensions and LDAP (Overview)
18. Multilevel Mail in Trusted Extensions (Overview)
19. Managing Labeled Printing (Tasks)
20. Devices in Trusted Extensions (Overview)
21. Managing Devices for Trusted Extensions (Tasks)
22. Trusted Extensions Auditing (Overview)
23. Software Management in Trusted Extensions
Creating and Managing a Security Policy
Site Security Policy and Trusted Extensions
Computer Security Recommendations
Physical Security Recommendations
Personnel Security Recommendations
Additional Security References
B. Configuration Checklist for Trusted Extensions
Checklist for Configuring Trusted Extensions
C. Quick Reference to Trusted Extensions Administration
Administrative Interfaces in Trusted Extensions
Oracle Solaris Interfaces Extended by Trusted Extensions
Tighter Security Defaults in Trusted Extensions
Limited Options in Trusted Extensions
D. List of Trusted Extensions Man Pages
Trusted Extensions Man Pages in Alphabetical Order
Oracle Solaris Man Pages That Are Modified by Trusted Extensions
Trusted Extensions uses the same security features that Oracle Solaris provides, and adds some features. For example, the Oracle Solaris OS provides eeprom protection, password requirements and strong password algorithms, system protection by locking out a user, and protection from keyboard shutdown.
Trusted Extensions differs from Oracle Solaris in that you typically administer systems by assuming a limited role. As in the Oracle Solaris OS, configuration files are modified by the root role.
In Trusted Extensions, roles are the conventional way to administer the system. Superuser is the root role, and is required for few tasks, such as setting audit flags, changing an account's password, and editing system files. Roles are created just as they are in Oracle Solaris.
The following roles are typical of a Trusted Extensions site:
root role – Created at Oracle Solaris installation
Security Administrator role – Created during or after initial configuration by the initial setup team
System Administrator role – Created during or after initial configuration by the initial setup team
To administer Trusted Extensions, you create roles that divide system and security functions.
The process of creating a role in Trusted Extensions is identical to the Oracle Solaris process. By default, roles are assigned the administrative label range of ADMIN_HIGH to ADMIN_LOW.
For an overview of role creation, see Using RBAC (Tasks) in Oracle Solaris 11.1 Administration: Security Services.
To create roles, see How to Create a Role in Oracle Solaris 11.1 Administration: Security Services.
On the trusted desktop, you can assume an assigned role by clicking your user name in the trusted stripe for the role choices. After confirming the role password, the current workspace is changed into a role workspace. A role workspace is in the global zone and has the trusted path attribute. Role workspaces are administrative workspaces.
In Trusted Extensions, you can extend existing security features. Also, Trusted Extensions provides unique security features.
The following security mechanisms that Oracle Solaris provides are extensible in Trusted Extensions as they are in Oracle Solaris:
Audit classes – Adding audit classes is described in Chapter 28, Managing Auditing (Tasks), in Oracle Solaris 11.1 Administration: Security Services.
Note - Vendors who want to add audit events need to contact an Oracle Solaris representative to reserve event numbers and obtain access to the audit interfaces.
Roles and rights profiles – Adding roles and rights profiles is described in Chapter 9, Using Role-Based Access Control (Tasks), in Oracle Solaris 11.1 Administration: Security Services.
Authorizations – For an example of adding a new authorization, see Customizing Device Authorizations in Trusted Extensions (Task Map).
As in Oracle Solaris, privileges cannot be extended.
Trusted Extensions provides the following unique security features:
Labels – Subjects and objects are labeled. Processes are labeled. Zones and the network are labeled. Workspaces and their objects are labeled.
Device Manager – By default, devices are protected by allocation requirements. The Device Manager GUI is the interface for administrators and for regular users.
Change Password menu – This menu enables you to change your user or role password.
Change Workspace Label menu – Users in multilevel sessions can change the workspace label. Users can be required to provide a password when entering a workspace of a different label.
Selection Manager dialog box – Authorized users in multilevel sessions can upgrade or downgrade information to a different label.
TrustedExtensionsPolicy file – Administrators can change the policy on X server extensions that are unique to Trusted Extensions. For more information, see the TrustedExtensionsPolicy(4) man page.
|