Solaris Trusted Extensions Installation, Configuration and Administration

Student Guide - Volume I

SC-327-S10 Rev B

D61906GC10 Edition 1.0 2009 D62627 Copyright © 2009, Oracle and/or its affiliates. All rights reserved.

Disclaimer

This document contains proprietary information, is provided under a license agreement containing restrictions on use and disclosure, and is protected by copyright and other intellectual property laws. You may copy and print this document solely for your own use in an Oracle training course. The document may not be modified or altered in any way. Except as expressly permitted in your license agreement or allowed by law, you may not use, share, download, upload, copy, print, display, perform, reproduce, publish, license, post, transmit, or distribute this document in whole or in part without the express authorization of Oracle.

The information contained in this document is subject to change without notice. If you find any problems in the document, please report them in writing to: Oracle University, 500 Oracle Parkway, Redwood Shores, California 94065 USA. This document is not warranted to be error-free.

Sun Microsystems, Inc. Disclaimer

This training manual may include references to materials, offerings, or products that were previously offered by Sun Microsystems, Inc. Certain materials, offerings, services, or products may no longer be offered or provided. Oracle and its affiliates cannot be held responsible for any such references should they appear in the text provided.

Restricted Rights Notice

If this documentation is delivered to the U.S. Government or anyone using the documentation on behalf of the U.S. Government, the following notice is applicable:

U.S. GOVERNMENT RIGHTS The U.S. Government’s rights to use, modify, reproduce, release, perform, display, or disclose these training materials are restricted by the terms of the applicable Oracle license agreement and/or the applicable U.S. Government contract.

Trademark Notice

Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.

AMD, Opteron, the AMD logo, and the AMD Opteron logo are trademarks or registered trademarks of Advanced Micro Devices. Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. UNIX is a registered trademark licensed through X/Open Company, Ltd.

Table of Contents

About This Course
  Course Goals

  How Prepared Are You?
  Introductions
  How to Use Course Materials
  Conventions
  Typographical Conventions
  Additional Conventions

Trusted Extensions Features
  Objectives
  Additional Resources
  What is Trusted Extensions?
  Common Criteria Certification
  Compartmented Mode Workstation
  What is Trusted Extensions? The Answer
  Mandatory Access Control
  Using Labeled Zones for Data Protection
  Global Zone
  Principle of Least Privilege
  Privileges
  Authorizations
  User Accounts and Roles
  Label-Aware Services
  Multilevel Desktops
  Trusted Extensions Networking
  Exchanging Network Data
  Multilevel Ports
  Mounting Files in Trusted Extensions
  Controlling Access to Removable Media Devices
  Multi-Level Printing
  Auditing
  System Management Tools
  LDAP Naming Service

Copyright 2009 Sun Microsystems, Inc. All Rights Reserved. Sun Services, Revision B

Installing Solaris Trusted Extensions
  Objectives
  Additional Resources
  Solaris 10 and Trusted Extensions
  Solaris Trusted Extensions System Requirements
  Hardware Requirements
  Software Requirements
  Enabling Solaris Trusted Extensions
  Installation Process
  Solaris Trusted Extensions Changes
  Disabling Solaris Trusted Extensions
  Exercise: Installing Solaris 10 Trusted Extensions
  Task 1 – Enable Solaris Trusted Extensions
  Task 2 – Log in to a Solaris Trusted Extensions System
  Task 3 – Disable Unnecessary SMF Services
  Exercise Summary

Configuring Solaris Trusted Extensions
  Objectives
  Additional Resources
  Implementation Considerations
  Site Security Policy
  Data Types and Sensitivity Labels
  Users and Their Clearances
  Network Configuration Issues
  Planning Your Network Configuration
  Roles and the root Superuser
  Using the LDAP Naming Service
  Exercise: Configuring Solaris 10 Trusted Extensions
  Task 1 – Installing a Site-Specific label_encodings File
  Task 2 – Examining the Global Zone
  Task 3 – Initializing the Solaris Management Console (SMC)
  Task 4 – Configure Network Interfaces
  Task 5 – Create and Configure Labeled Zones
  Task 6 – Create Roles and a User
  Task 7 – Create Role .profile Files

  Exercise Summary

Access Controls
  Objectives
  Additional Resources
  Discretionary Access Controls
  DAC Permissions
  Basic File Permissions
  Basic Directory Permissions
  Special Permissions
  Access Control Lists

Solaris Trusted Extensions™ Installation, Configuration and Administration. Copyright 2009 Sun Microsystems, Inc. All Rights Reserved. Sun Services, Revision B

  Mandatory Access Controls
  Entities in a Labeled Environment
  Solaris Trusted Extensions Labels
  Sensitivity Labels
  Clearance Labels
  Labeled Zones
  Label Relationships
  Accreditation Ranges
  MAC Rules
  Users and Roles
  Administrative Labels
  Exercise: Using MAC and Labels
  Task 1 – Review Access Control Terminology
  Task 2 – Examine and Identify Label Components
  Task 3 – Exploring Label Relationships

  Exercise Solutions: Using MAC and Labels
  Task 1 – Review Access Control Terminology
  Task 2 – Examine and Identify Label Components
  Task 3 – Exploring Label Relationships
  Exercise Summary

User Interface Changes: TJDS and Trusted CDE
  Objectives
  Additional Resources
  Accessing Solaris Trusted Extensions
  Logging In
  Trusted JDS User Interface
  TJDS Default Panel
  TJDS Labeled Workspaces and Applications
  Changing a Workspace Label
  TJDS Trusted Screenstripe
  Role Assumption
  Trusted CDE User Interface
  CDE Front Panel Changes
  Trusted CDE Labeled Workspaces
  Trusted Path Menu
  Trusted CDE Labeled Workspaces and Applications
  Trusted CDE Trusted Screenstripe
  The Trusted Path and the Global Zone
  Enforcing the MAC Rules
  User Configuration
  Exercise: Exploring User Interfaces
  Task 1 – Exploring the TJDS User Interface
  Task 2 – Exploring the Trusted CDE User Interface
  Task 3 – Creating Home Directory Dotfiles
  Task 4 – Logging in to a Single-Level Session

  Exercise Summary

Configuring and Installing the label_encodings File
  Objectives
  Additional Resources
  Review of Solaris Trusted Extensions Labels
  Label Components
  Introduction to the label_encodings File
  The label_encodings File Syntax
  The label_encodings File’s Sections
  The CLASSIFICATIONS: Section
  The INFORMATION LABELS: Section
  The SENSITIVITY LABELS: Section
  The CLEARANCES: Section
  Differences between CLEARANCES: and SENSITIVITY LABELS:
  The CHANNELS: Section
  The PRINTER BANNERS: Section
  The ACCREDITATION RANGE: Section
  User Accreditation Range
  Specifying System Accreditation Range-Related Constants
  The NAME INFORMATION LABELS: Section
  The LOCAL DEFINITIONS: section
  Analysis of a Sample label_encodings File
  The CLASSIFICATIONS: Section
  The INFORMATION LABELS: Section
  The SENSITIVITY LABELS Section
  The CLEARANCES: Section
  The CHANNELS: Section
  The PRINTER BANNERS: Section
  The ACCREDITATION RANGE: Section
  The LOCAL DEFINITIONS: Section
  Planning and Implementing Your Labeling Scheme
  Changing the label_encodings File
  Exercise: Modifying the label_encodings File
  Task 1 – Changing Colors of Classifications

  Task 2 – Changing the Name of a Classification
  Task 3 – Inserting a Classification
  Task 4 – [Optional] Restore Original label_encodings File
  Exercise Summary

Configure Privileges, Authorizations, Rights Profiles, and Roles
  Objectives
  Additional Resources
  Principle of Least Privilege
  Privileges and Process Rights Management (PRM)

  Process Privileges
  Privilege Sets
  Zone Privileges
  Backward Compatibility With the Superuser Model
  Privilege Escalation
  Privilege Debugging
  Using ppriv to Debug Privileges
  Using truss to Debug Privileges
  Using to Debug Privileges
  Shell and System-Wide Privilege Debugging
  Solaris Trusted Extensions Privileges
  User Rights Management
  Role-Based Access Control
  Authorizations
  Rights Profiles

  Roles
  RBAC Files
  Assigning Privileges
  SMF Assigned Privileges
  Assigning Privileges With the ppriv Command
  RBAC Assigned Privileges
  Setting Zone-Wide Default Privileges
  Using the pfexec Command
  Using Privileges and Authorizations
  Solaris Trusted Extensions RBAC Examples
  Exercise: Privileges and Role-Based Access Control
  Task 1 – Convert the root Account to a Role
  Task 2 – Configure File Relabeling Capabilities
  Task 3 – Perform Privilege Debugging
  Exercise Summary

Service Management
  Objectives
  Additional Resources
  Review of the Service Management Facility
  SMF Manifests
  Identifying SMF Services
  SMF Utilities
  Added Solaris Trusted Extensions Services
  SMF and Privileges
  Least Privilege and SMF
  SMF Authorizations
  SMF and Solaris Trusted Extensions Labeled Zones
  Secure by Default
  SBD and Solaris Trusted Extensions
  Re-Enabling Services

  Exercise: Securing Solaris Trusted Extensions Services
  Task 1 – Grant Service-Specific Authorizations
  Task 2 – Modify Service-Specific Properties
  Task 3 – Apply Secure by Default to a Labeled Zone
  Exercise Summary

Managing Devices
  Objectives
  Additional Resources
  Device Security
  Device Allocation Mechanism
  Device Allocation Manager
  Allocating Devices
  Administering Device Allocation
  Device Allocation Configuration Files and Directories
  The device_allocate File
  The device_maps File
  The /etc/security/lib Directory
  Adding an Allocatable Device
  Command-Line Tools
  Exercise: Managing Allocatable Devices
  Task 1 – Authorize a User to Allocate Devices
  Task 2 – Allocate a USB Device
  Exercise Summary

Auditing
  Objectives
  Additional Resources
  Overview of Solaris Auditing
  Audit Event Selection
  Audit System Rights Profiles and Roles
  Planning for Auditing
  Cost of Increased CPU Overhead
  Cost of Analysis
  Cost of Storage
  Audit System Components
  Audit Events
  Audit Classes
  Audit Records
  Audit Log Files
  Configuring Auditing
  Audit Flags and Pre-Selection
  The audit_control File
  The audit_user File
  Configuring Audit Partitions
  Configuring the syslog Plug-in
  Configuring Audit Policies

  Auditing Labeled Zones
  System-Wide Auditing
  Per-Zone Auditing
  The Audit Daemon
  Audit System Post-Selection Utilities
  The auditreduce Command
  The praudit Command
  Exercise: Configure Solaris Auditing
  Task 1 – Configure Audit System Administrative Rights
  Task 2 – Configure Solaris Auditing in the Global Zone
  Task 3 – Configure the syslog Plugin
  Task 4 – Examine the Audit Trail
  Task 5 – Examine ASCII Audit Records
  Task 6 – Disable the Audit System
  Exercise Summary

Solaris Trusted Extensions Networking
  Objectives
  Additional Resources
  Introduction to Solaris Trusted Extensions Networking
  Labeled Network Communications
  The CIPSO IP Option
  IP Version 6 HopOpt Extension Header
  Unlabeled Network Communications
  Solaris Trusted Extensions Network Interfaces
  Zone-Specific IP Addresses
  Shared IP Addresses
  Solaris Trusted Extensions Ports
  Single-Level Ports
  Multilevel Ports
  Port Contention
  Configuring Multilevel Ports
  Configuring Solaris Trusted Extensions Networking
  The tnrhtp File
  The tnrhdb File
  The tnzonecfg File
  Maintaining the Trusted Networking Configuration
  The tninfo Command
  The tnctl Command
  The tnd Daemon
  The tnchkdb Command
  Accreditation Checking
  Outbound Packet Processing
  Inbound Packet Processing
  Special Cases
  Solaris Trusted Extensions Routing

  Configuring the Routing Table
  Routing in Labeled Zones
  Multilevel RPC Services
  Per-Zone Name Service Cache Daemons
  Configuring DHCP
  Exercise: Networking TX Systems
  Task 1 – Change or Verify the Security Family Template Used by Labeled Zones
  Task 2 – Enable Remote User Logins to a Labeled Zone
  Task 3 – Enable Remote Administration
  Exercise Summary

Configuring NFS and LOFS
  Objectives
  Additional Resources
  Solaris Trusted Extensions NFS
  Solaris Trusted Extensions Mount Policies
  Solaris Trusted Extensions NFS Clients
  NFS Client Mount Policy
  Process Flags and Mount Privileges
  NFS Mounting Rules
  Solaris Trusted Extensions NFS Servers
  NFS Server Mount Rules
  Sharing and Mounting NFS Directories
  Global Zone Sharing Configuration
  Labeled Zone Sharing Configuration
  Comparing Mount Utilities
  Loopback File System (LOFS)
  Displaying Loopback Mounts
  Adding Additional Loopback Mounts
  Home Directories
  Automounter Changes for Home Directories
  Troubleshooting File System Mounts
  Exercise: Using NFS and LOFS File Systems
  Task 1 – Configure a Trusted Extensions File Server to Share Labeled Files

  Task 2 – Mount a Labeled Zone’s Shared Directory
  Task 3 – Use a Loopback Mount from the Global Zone
  Exercise Summary

Trusted Extensions Printing
  Objectives
  Additional Resources
  Labeled Printing Requirements
  Common Criteria Labeled Printing Requirements
  Printed Output Labeling
  Printer Configuration Process

  Printer Installation and Configuration
  Printer Management Tools
  Solaris Trusted Extensions Printer Types
  Single-Level and Multilevel Printers
  Printer Security Configuration
  Restrict the Label Range of a Printer
  Configure Other Printer Security Settings
  Print Commands Extensions
  Exercise: Configuring Solaris Trusted Extensions Printing
  Task – Installing a Multi-Level BSD Printer
  Exercise Summary

Configuring LDAP
  Objectives
  Additional Resources
  History of Directory Services

  NIS and NIS+
  Advent of Directory Services
  History of LDAP
  Basic LDAP Concepts and Terminology
  Defining a Directory Service
  LDAP
  LDAP Search Parameters
  LDAP and Solaris Trusted Extensions
  Trusted Extensions LDAP Databases
  Configuring LDAP on Trusted Extensions
  Exercise: Reviewing LDAP and Solaris Trusted Extensions
  Task 1 – Review LDAP Terminology
  Task 2 – Review of LDAP and Solaris Trusted Extensions
  Exercise Solutions: Reviewing LDAP and Solaris Trusted Extensions
  Task 1 – Review LDAP Terminology
  Task 2 – LDAP and Solaris Trusted Extensions
  Exercise Summary

Migrating to Solaris Trusted Extensions
  Objectives
  Additional Resources
  Migrating From Trusted Solaris 8
  Overview of Changes From Trusted Solaris 8
  Removed Trusted Solaris Features
  Visibly Changed Features
  Detailed Changes From Trusted Solaris 8
  Differences Between Solaris 10 and Solaris Trusted Extensions
  Installation and Configuration of Trusted Extensions
  Desktops
  Security Attributes on CDE Actions

  Administration Tools
  Trusted Device Management
  Additional Rights and Authorizations
  Interoperating With Trusted Solaris 8
  General Network Connectivity
  Printing
  NFS
  Upgrading From Trusted Solaris 8
  Using the tar Command to Transfer Files
  Exercise: Reviewing Trusted Extensions Migration
  Exercise Solutions: Reviewing Trusted Extensions Migration

Installing Unbundled Applications
  Objectives
  Additional Resources
  Unbundled Applications and MAC
  Privileges for Unbundled Applications
  Privilege Data Types
  Backward Compatibility With the Superuser Model
  Privilege Interfaces
  The setppriv() Function
  Guidelines for Developing Privileged Applications
  Authorizations for Unbundled Applications
  Applications and Labeled Zones
  Labels in the Global Zone
  Labeled Zones
  Solaris Trusted Extensions APIs
  Label APIs
  Types of Label APIs
  Trusted X Window System APIs
  Label Builder APIs
  Developer Concepts and Interfaces
  Modified Interfaces
  Solaris Trusted Extensions (3TSOL) Library
  Applications That Use Multi-Level Ports
  Exercise: Reviewing Unbundled Applications

  Exercise Solutions: Reviewing Unbundled Applications
  Exercise Summary
