| Skip Navigation Links | |
| Exit Print View | |
|
Trusted Extensions Configuration and Administration Oracle Solaris 11.1 Information Library |
| Skip Navigation Links | |
| Exit Print View | |
|
|
Trusted Extensions Configuration and Administration Oracle Solaris 11.1 Information Library |
Part I Initial Configuration of Trusted Extensions
1. Security Planning for Trusted Extensions
2. Configuration Roadmap for Trusted Extensions
3. Adding the Trusted Extensions Feature to Oracle Solaris (Tasks)
4. Configuring Trusted Extensions (Tasks)
5. Configuring LDAP for Trusted Extensions (Tasks)
Part II Administration of Trusted Extensions
6. Trusted Extensions Administration Concepts
Trusted Extensions and the Oracle Solaris OS
Similarities Between Trusted Extensions and the Oracle Solaris OS
Differences Between Trusted Extensions and the Oracle Solaris OS
Basic Concepts of Trusted Extensions
Trusted Extensions Protections
Trusted Extensions and Access Control
Labels in Trusted Extensions Software
Dominance Relationships Between Labels
What Labels Protect and Where Labels Appear
7. Trusted Extensions Administration Tools
8. Security Requirements on a Trusted Extensions System (Overview)
9. Performing Common Tasks in Trusted Extensions
10. Users, Rights, and Roles in Trusted Extensions (Overview)
11. Managing Users, Rights, and Roles in Trusted Extensions (Tasks)
12. Remote Administration in Trusted Extensions (Tasks)
13. Managing Zones in Trusted Extensions
14. Managing and Mounting Files in Trusted Extensions
15. Trusted Networking (Overview)
16. Managing Networks in Trusted Extensions (Tasks)
17. Trusted Extensions and LDAP (Overview)
18. Multilevel Mail in Trusted Extensions (Overview)
19. Managing Labeled Printing (Tasks)
20. Devices in Trusted Extensions (Overview)
21. Managing Devices for Trusted Extensions (Tasks)
22. Trusted Extensions Auditing (Overview)
23. Software Management in Trusted Extensions
Creating and Managing a Security Policy
Site Security Policy and Trusted Extensions
Computer Security Recommendations
Physical Security Recommendations
Personnel Security Recommendations
Additional Security References
B. Configuration Checklist for Trusted Extensions
Checklist for Configuring Trusted Extensions
C. Quick Reference to Trusted Extensions Administration
Administrative Interfaces in Trusted Extensions
Oracle Solaris Interfaces Extended by Trusted Extensions
Tighter Security Defaults in Trusted Extensions
Limited Options in Trusted Extensions
D. List of Trusted Extensions Man Pages
Trusted Extensions Man Pages in Alphabetical Order
Oracle Solaris Man Pages That Are Modified by Trusted Extensions
Trusted Extensions software adds labels to a system that is running the Oracle Solaris OS. Labels implement mandatory access control (MAC). MAC, along with discretionary access control (DAC), protects system subjects (processes) and objects (data). Trusted Extensions software provides interfaces to handle label configuration, label assignment, and label policy.
Trusted Extensions software uses rights profiles, roles, auditing, privileges, and other security features of Oracle Solaris. You can use Secure Shell, BART, the Cryptographic Framework, IPsec, and IP Filter with Trusted Extensions. All features of the ZFS file system are available in Trusted Extensions, including snapshots and encryption.
Trusted Extensions software extends the Oracle Solaris OS. The following list provides an overview. See also Appendix C, Quick Reference to Trusted Extensions Administration.
Trusted Extensions controls access to data with special security tags that are called labels. Labels provide mandatory access control (MAC). MAC protection is in addition to UNIX file permissions, or discretionary access control (DAC). Labels are directly assigned to users, zones, devices, windows, and network endpoints. Labels are implicitly assigned to processes, files, and other system objects.
MAC cannot be overridden by regular users. Trusted Extensions requires regular users to operate in labeled zones. By default, no users or processes in labeled zones can override MAC.
As in the Oracle Solaris OS, the ability to override security policy can be assigned to specific processes or users when MAC can be overridden. For example, users can be authorized to change the label of a file. Such an action upgrades or downgrades the sensitivity of the information in that file.
Trusted Extensions adds to existing configuration files and commands. For example, Trusted Extensions adds audit events, authorizations, privileges, and rights profiles.
Some features that are optional on an Oracle Solaris system are required on a Trusted Extensions system. For example, zones and roles are required on a system that is configured with Trusted Extensions.
Some features that are optional on an Oracle Solaris system are enabled on a Trusted Extensions system. For example, many sites that configure Trusted Extensions require separation of duty when creating users and assigning security attributes.
Trusted Extensions can change the default behavior of Oracle Solaris. For example, on a system that is configured with Trusted Extensions, device allocation is required.
Trusted Extensions can narrow the options that are available in Oracle Solaris. For example, in Trusted Extensions, all zones are labeled zones. Unlike in Oracle Solaris, labeled zones must use the same pool of user IDs and group IDs. Additionally, in Trusted Extensions, labeled zones can share one IP address.
Trusted Extensions provides a multilevel version of the Oracle Solaris desktop, Solaris Trusted Extensions (GNOME). The name can be shortened to Trusted GNOME.
Trusted Extensions provides additional graphical user interfaces (GUIs) and command line interfaces (CLIs). For example, Trusted Extensions provides the Device Manager GUI to administer devices. In addition, the updatehome CLI is used to place startup files in users' home directories at every label.
Trusted Extensions requires the use of particular GUIs for administration. For example, on a system that is configured with Trusted Extensions, the Labeled Zone Manager is used to administer labeled zones, in addition to the zonecfg command.
Trusted Extensions limits what users can see. For example, a device that cannot be allocated by a user cannot be seen by that user.
Trusted Extensions limits users' desktop options. For example, users are allowed a limited time of workstation inactivity before the screen locks. By default, regular users cannot shut down the system.
When the monitors of a multiheaded Trusted Extensions system are configured horizontally, the trusted stripe stretches across the monitors. When the monitors are configured vertically, the trusted stripe appears in the lowest monitor.
However, when different workspaces are displayed on the monitors of a multiheaded system, Trusted GNOME displays a trusted stripe on each monitor.
|