8.6. TRUSTED EXTENSIONS NETWORKING 115

By implementing this change, root no longer will be able to directly log into the system, and root will only be able to be accessed by those possessing the correct credentials and explicit approval to assume that role. It is critical therefore that at least one user account be assigned to the root role, otherwise the role itself would no longer be able to be accessed. Note that the risk of administrators being unable to log in and assume the root role to perform privileged operations can be reduced by ensuring that their accounts have account lockout disabled, are stored in the local files password tables, and have home directories that are mounted locally rather than over NFS. Solaris can still be configured such that booting the Solaris system into single user mode will enable administrators to log into the system directly as root, thereby providing a worst-case mechanism to access a privileged shell. In addition, there are a number of other rights profiles provided in the Solaris OS by default including: • Primary Administrator. Provides all of the capabilities of superuser in one profile. This profile grants rights that are equivalent to root. • System Administrator. Provides a profile that can do most of the superuser tasks but fewer connected with security administration. For example, this role can create accounts but it cannot set or reset user passwords. • Operator. Provides limited capabilities to manage files and offline media. Such profiles define sets of rights associated with a particular job, as is a common use of role-based access control.

8.6 TRUSTED EXTENSIONS NETWORKING

A key feature in Trusted Extensions is its labeled networking that enables distributed computation to be controlled relative to the MLS policy. As in previous versions of Trusted Extensions software, remote hosts can be single-level or multilevel. Single level hosts have an implicit label assigned to them based on their network or IP address. Nonlabel aware systems, such as workstations running Microsoft Windows TM, are assigned a specific label for communications purposes. Multilevel hosts are trusted to operate at a range of labels, and explicitly specify the label of every network packet when communicating with other trusted systems. Packet labels are specified using the Commercial IP Security Option CIPSO which encapsulates a sensitivity label as an IP option [ 53 ]. CIPSO is specified in the FIPS 188 Standard and is supported by Trusted Solaris 8 and other labeled systems. When specifying the labeling policy for network attributes, both label ranges and sets of disjoint labels can be enumerated. This ability to precisely define the labeling policy is required to support various multilevel configurations including guards, NFS servers, Sun Ray servers, name servers, print servers, workstations, and high-assurance grid computing. An administrator can also assign a label range to a router even if the router does not interpret labels. Although zones have unique labels, specific multilevel services can be configured for each zone.