Trusted Solaris 7 is a security-enhanced version of the Solaris 7 operating environment. It upgrades Trusted Solaris 2.5.1 software, and includes:
Trusted Solaris 7 runs on hardware that was unsupported in Trusted Solaris 2.5.1:
Intel architecture is supported.
The Sun Enterprise™ 10000, a sun4u machine, is supported.
Unless explicitly stated otherwise, Trusted Solaris 7 supports the new features in the Solaris 7 release, such as 64-bit support and Sendmail version 8.8.8. The following Solaris 7 features function differently in the Trusted Solaris environment:
Network printers use sockets, not pipes. See "Printing" for more information.
Trusted Solaris 7 does not update the Solaris SUNWrdm package. Many items in that package apply to the Trusted Solaris environment. However, for late-breaking news particular to the Trusted Solaris environment, see the Trusted Solaris 7 Release Notes.
The Trusted Solaris version of the Solaris 7 traceroute(1M) command follows Trusted Solaris security policy. The doors interfaces from Solaris 7 are enhanced for security; see the man pages door_create(3x) and door_tcred(3x).
The following Solaris interfaces are not supported in Trusted Solaris 7:
To run securely on the Sun Enterprise 10000 and on the Intel platform, Trusted Solaris 7 enhances installation and administration for security.
For remote (headless) workstation administration, see the new dtappsession(1) page in the CDE man package (installed in the directory /usr/dt/man). The man page is also printed in the Trusted Solaris 7 Reference Manual, 805-8065-10.
There is no command line login. Administration of a newly installed Sun Enterprise 10000 is done remotely, using CDE. See the Trusted Solaris 7 Installation and Configuration on the Sun Enterprise 10000.
There is no WebStart installation.
The equivalent of PROM protection on SPARC is BIOS protection on Intel.
Trusted Solaris 7 supports the new features in the CDE 1.3 release, such as the new front panel configuration, and it continues to support the visible Trusted Solaris features in CDE, such as labels, trusted stripe, privilege assignment to files, Admin Editor, and so on. Administrative actions that are new to CDE 1.3 function more securely in the Trusted Solaris environment, and are available in the System_Admin folder:
Front panel device actions, such as Open Floppy and Open CD-ROM, are protected by device allocation. The Trusted Solaris Device Allocation Manager is available from the Trusted Desktop subpanel.
The System_Admin folder contains more administrative actions than in Trusted Solaris 2.5.1.
The Application Manager is now invoked from the Applications subpanel on the left side of the front panel. A terminal can be invoked from the Workspace menu, a right-button menu from the workspace background.
Trusted Solaris 7 retains the Trusted Solaris 2.5.1 security enhancements to the Database Manager (tnrhdb, tnrhtp, tnidb) and User Manager, and retains the Profile Manager, which enables the security administrator to administer execution profiles. Trusted Solaris 7 made no further enhancements to the databases in the Solstice_Apps folder.
Trusted Solaris 7 changes affect users, administrators, and developers. Changes are in the areas of:
The Trusted Solaris 2.5.1 system required the install team to configure labels during installation. In Trusted Solaris 7, the install team configures labels after installation.
Installation on most hardware is identical to Solaris 7 installation. The two exceptions are:
Solaris™ Web Start is not supported.
Installing and configuring the Sun Enterprise™ 10000 (E10000), also called Starfire™, is modified for Trusted Solaris security. See Trusted Solaris 7 Installation and Configuration on the Sun Enterprise 10000 for explanation and procedures.
Solaris installation features that Trusted Solaris 7 supports include:
Trusted Solaris network and jumpstart installations are identical to Solaris network and jumpstart installations.
sys-unconfig(1M) is supported.
Unlike Trusted Solaris 2.5.1 installation, Trusted Solaris 7 installation does not offer label configuration options; sensitivity labels are configured after installation, not during. Therefore, the config_data file and its corresponding man page do not exist since there are no Trusted Solaris configuration options for network installations.
Distributing a site label encodings file during installation in Trusted Solaris 7 requires a customized JumpStart installation. See "Create a Finish Script to Add Files after Installation" in Trusted Solaris Installation and Configuration for an example.
To change default label configuration values, the security administrator edits the /etc/system file.
To enable the Stop-A shutdown mechanism, the security administrator edits the /etc/default/kbd file, except on the Sun Enterprise 10000, where the abort_enable keyword in the /etc/system file is still operative.
The Check Encodings System_Admin action enables an administrative role to install a site-specific label_encodings file.
Trusted Solaris 7 does not configure labels during installation (see "Installation and Configuration"), documents how to create many compartments in labels, and does not support information labels.
"Bits Available for Classification and Compartment Components" in Trusted Solaris Label Administration documents how to create and manage large numbers of compartments in a label_encodings file.
Information labels (ILs) are not supported in Trusted Solaris 7 and later releases. Trusted Solaris software interprets any ILs on communications and files from systems running earlier releases as ADMIN_LOW.
Objects still have CMW labels, and CMW labels still include the IL component: IL[SL]; however, the IL component is fixed at ADMIN_LOW.
As a result, Trusted Solaris 7 has the following characteristics:
ILs do not display in window labels; SLs (Sensitivity Labels) display alone within brackets.
ILs do not float.
Setting an IL on an object has no effect, and getting an object's IL will always return ADMIN_LOW.
Although certain utilities, library functions, and system calls can manipulate IL strings, the resulting ILs cannot be set on any objects.
Sensitivity labels, not information labels, display on printer banners and body pages.
Options related to information labels in the label_encodings(4) file can be ignored.
IL-related privileges are no longer used. See "Authorization and Privilege Differences" for a list.
In auditing, the ilabel token is recorded as ADMIN_LOW, when it is recorded. The audit event numbers 519 (AUE_OFLOAT), 520 (AUE_SFLOAT), and 9036 (AUE_iil_change) continue to be reserved, but those events are no longer recorded.
Adding Trusted Solaris security to Solaris 7 printing changed several things about printing in the Trusted Solaris environment.
Additional printing authorizations handle printing capabilities. Trusted Solaris 7 checks for user authorization where Trusted Solaris 2.5.1 checked for privilege. See "Authorization and Privilege Differences".
Network printers do trusted printing only when directly cabled to a Trusted Solaris print server.
Network printers can be configured as standalone nodes on the network to print at a single label without labeled output, by assigning the printer an IP address and a host name. See "Managing Printing" in Trusted Solaris Administrator's Procedures for the complete procedures.
Users who print to a single-label printer from a trusted printer cannot list or delete the jobs in the queue.
The Trusted Solaris 7 implementation of file system security attributes is similar to the Solaris 7 implementation rather than the Trusted Solaris 2.5.1 implementation. Rather than being stored on a filesystem inode, the filesystem security attributes are managed by the operating system. The new implementation has consequences for Trusted Solaris 7 administrators:
Mount-time security attributes may be specified either by using the mount(1M) command with the -S option on the command line or by specifying the attributes in the vfstab_adjunct file. Mount-time security attributes override existing security attributes on a file system. However, they never override security attributes on the files and directories within the file system. When access-control decisions are made, security attributes on a file or directory take precedence over security attributes specified either at the filesystem level or at mount time.
Filesystem security attributes are not assigned using the tsol_attr flag; the flag has been removed.
The Enable Logins dialog box offers more choices to the user.
Roles now have the remote login authorization in a profile. The root role has the authorization in the Maintenance and Repair profile. Remote login by roles requires an additional step on every host where the roles need to log in remotely. See "Allowing Remote Logins by Administrative Roles" in Trusted Solaris Administrator's Procedures for the procedure.
In Trusted Solaris 2.5.1, the value for MAXBADLOGINS was set by default to 3 in the /etc/default/passwd file. Trusted Solaris 7 follows the Solaris model: the default of 5 for the variable RETRIES is set in the /etc/default/login file.
In Trusted Solaris 2.5.1, to enable a user to use the Stop-A sequence to bring down the computer, the administrator set the abort_enable keyword in the /etc/system file to 1. In Trusted Solaris 7, the administrator uncomments the #KBD_ABORT=enable line in the /etc/default/kbd file. By default, Stop-A is disabled.
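A check for the two settings described above (RETRIES in /etc/default/login and KBD_ABORT in /etc/default/kbd), as an added example that is not part of the Trusted Solaris documentation. The function names are hypothetical, the KEYWORD=value parsing and the sample file contents are constructed, and treating RETRIES above 5 as a deviation is an assumed site policy.

```shell
#!/bin/sh
# Added example: report effective Stop-A and login-retry settings.
# Assumes KEYWORD=value lines, with '#' marking a commented-out line.

# get_default FILE KEY: value of the last uncommented KEY= line, if any.
get_default() {
    [ -r "$1" ] || return 0
    sed -n "s/^[[:space:]]*$2=\([^[:space:]#]*\).*/\1/p" "$1" | tail -n 1
}

# stop_a_state FILE: "enabled" only when KBD_ABORT=enable is uncommented.
stop_a_state() {
    val=$(get_default "$1" KBD_ABORT)
    case "$val" in
        enable) echo enabled ;;
        "")     echo disabled ;;      # no active line: Stop-A stays disabled
        *)      echo "other:$val" ;;  # value not described on this page
    esac
}

# login_retries FILE: active numeric RETRIES value, else the default of 5.
login_retries() {
    val=$(get_default "$1" RETRIES)
    case "$val" in
        ""|*[!0-9]*) echo 5 ;;
        *)           echo "$val" ;;
    esac
}

# audit KBD_FILE LOGIN_FILE: print findings; return 1 when Stop-A is not
# disabled or RETRIES exceeds 5 (assumed policy: defaults are the baseline).
audit() {
    s=$(stop_a_state "$1")
    r=$(login_retries "$2")
    echo "Stop-A: $s ($1)"
    echo "RETRIES: $r ($2)"
    [ "$s" = disabled ] && [ "$r" -le 5 ]
}

# Demo on constructed sample files (not copied from a real host).
demo() {
    d=$(mktemp -d) || return 1
    printf '#KBD_ABORT=enable\n' > "$d/kbd"    # shipped state: commented out
    printf 'RETRIES=8\n' > "$d/login"          # constructed deviation
    audit "$d/kbd" "$d/login" || echo "deviation from defaults"
    rm -rf "$d"
}
demo
```

On a live host, call `audit /etc/default/kbd /etc/default/login` from an administrative role that can read both files.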
Man pages are in a different format, have a different naming scheme, and can be viewed using AnswerBook2™ technology. Changes in product functionality have caused corresponding changes in the man pages.
Man pages are in SGML (Standard Generalized Markup Language). The online man command handles SGML; printed output is in troff.
Most Trusted Solaris man pages are integrated into the SUNWman package; therefore, the tsol extension is not used. To view man pages in the Trusted Solaris environment, use the same syntax as in the Solaris 7 environment:
    man setfsattr
    man -s2 chmod
    man ls
Answerbook technology is now browser-based. The Trusted Solaris 2.5.1 answerbook command (/usr/openwin/bin/answerbook) does not support this functionality. To view Sun's Solaris 7 and Trusted Solaris 7 documentation, use the command /usr/dt/bin/answerbook2, or choose the AnswerBook2 option from the Help menu on the Front Panel.
The following man pages do not have Trusted Solaris specific modifications due to changes in installation:
The following man pages have been moved or added due to changes in functionality:
dtappsession(1) -- Added to CDE man pages
mldstat(3) and mldlstat(3) -- Moved from system calls to library routines.
door_create(3x) and door_tcred(3x) -- Added Trusted Solaris security.
pam_tp_auth(5) and pam_tsol(5) -- Added Trusted Solaris security.
kbd(1) -- Added Trusted Solaris security. See "System Start and Shutdown".
The following man pages have been removed due to changes in implementation:
config_data(4TSOL)
msgrcvl(2TSOL)
msgsndl(2TSOL)
semopl(2TSOL)
Commands and functions have been modified due to technical changes in the product and removal of nonstandard interfaces.
The Pluggable Authentication Module (PAM) allows the customer to plug in a customized static randomword function.
The following /usr/proc/bin/ commands have a standard interface:
The Trusted Solaris 2.5.1 mldstat() and mldlstat() system calls are library routines in Trusted Solaris 7.
The runpd(1M) command has a slightly changed setup procedure.
The lists of authorizations and privileges have changed. There are new authorizations, removed privileges, and new privileges. Authorizations are now handled by number rather than by manifest constant.
The following authorizations have been added for the printing system:
TSOL_AUTH_PRINT_CANCEL
TSOL_AUTH_PRINT_LIST
TSOL_AUTH_PRINT_MAC_OVERRIDE
The privilege PRIV_SYS_SYSTEM_DOOR has been added.
The following IL-related privileges have been removed:
PRIV_FILE_DOWNGRADE_IL
PRIV_FILE_NOFLOAT
PRIV_FILE_UPGRADE_IL
PRIV_IPC_DOWNGRADE_IL
PRIV_IPC_NOFLOAT
PRIV_IPC_UPGRADE_IL
PRIV_NET_DOWNGRADE_IL
PRIV_NET_NOFLOAT
PRIV_NET_UPGRADE_IL
PRIV_PROC_NOFLOAT
PRIV_PROC_SETIL
PRIV_WIN_DOWNGRADE_IL
PRIV_WIN_NOFLOAT
PRIV_WIN_UPGRADE_IL