

By implementing this change, root can no longer log into the system directly; it can only be assumed by users who hold the root role's credentials and have been explicitly assigned the role. It is therefore critical that at least one user account be assigned the root role, otherwise the role itself can no longer be reached. The risk that administrators are unable to log in and assume the root role to perform privileged operations can be reduced by ensuring that their accounts have account lockout disabled, are stored in the local files password tables rather than only in a network name service, and have home directories that are mounted locally rather than over NFS. Solaris can still be configured so that booting the system into single-user mode lets administrators log in directly as root, providing a worst-case path to a privileged shell. In addition, a number of other rights profiles are provided in the Solaris OS by default, including:
• Primary Administrator. Provides all of the capabilities of superuser in one profile; this profile grants rights equivalent to root.
• System Administrator. Provides a profile that can do most superuser tasks but fewer of those connected with security administration. For example, this role can create accounts but cannot set or reset user passwords.
• Operator. Provides limited capabilities to manage files and offline media.
Such profiles define sets of rights associated with a particular job, which is a common use of role-based access control.
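The "at least one user must be able to assume root" requirement is easy to verify mechanically. The following is an added example, not code from the book or from Solaris: it parses records in the user_attr(4) layout (user:qualifier:res1:res2:attr, with attr a semicolon-separated list of key=value pairs and comma-separated multi-valued keys such as roles=) and reports whether root is defined as a role that some normal account can assume. The sample records are constructed for illustration.

```python
# Added example (not from the book or from Solaris): audit the user_attr(4)
# database for the root-as-role configuration described above.
# Record layout: user:qualifier:res1:res2:attr
#   attr = key=value pairs separated by ';'
#   multi-valued keys (roles=, profiles=, auths=) separated by ','

SAMPLE_USER_ATTR = """\
# constructed sample, not a real system's user_attr file
root::::type=role;auths=solaris.*,solaris.grant;profiles=All
jdoe::::type=normal;roles=root
asmith::::type=normal;roles=sysadm
sysadm::::type=role;profiles=System Administrator
"""


def parse_user_attr(text):
    """Return {account_name: {attr_key: attr_value}} for every non-comment record."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":", 4)        # attr field may itself contain ':'-free text only
        if len(fields) != 5:
            raise ValueError("malformed user_attr record: %r" % raw)
        name, attr = fields[0], fields[4]
        kv = {}
        for item in attr.split(";"):
            if not item:
                continue
            key, _, value = item.partition("=")
            kv[key] = value
        entries[name] = kv
    return entries


def who_can_assume(entries, role):
    """Normal (login-capable) accounts whose roles= list names the given role."""
    return sorted(user for user, kv in entries.items()
                  if kv.get("type", "normal") == "normal"
                  and role in kv.get("roles", "").split(","))


def check_root_role(entries):
    """Return a list of findings; an empty list means the root role is reachable."""
    findings = []
    root = entries.get("root")
    if root is None:
        findings.append("no root entry in user_attr")
        return findings
    if root.get("type") != "role":
        findings.append("root is a normal login account, not a role")
    if not who_can_assume(entries, "root"):
        findings.append("no user account is assigned the root role; it would be unreachable")
    return findings


if __name__ == "__main__":
    db = parse_user_attr(SAMPLE_USER_ATTR)
    print("accounts that can assume root:", who_can_assume(db, "root"))
    print("findings:", check_root_role(db) or "none")
```

On a real system the same check would be run over /etc/user_attr; the script deliberately ignores accounts whose own type is role, since a role cannot log in and therefore cannot be the path by which root is reached.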

8.6 TRUSTED EXTENSIONS NETWORKING

A key feature of Trusted Extensions is its labeled networking, which allows distributed computation to be controlled according to the MLS policy. As in previous versions of Trusted Extensions software, remote hosts can be single-level or multilevel. Single-level hosts have an implicit label assigned to them based on their network or IP address. Systems that are not label-aware, such as workstations running Microsoft Windows, are assigned a specific label for communication purposes. Multilevel hosts are trusted to operate at a range of labels, and explicitly specify the label of every network packet when communicating with other trusted systems. Packet labels are carried using the Commercial IP Security Option (CIPSO), which encapsulates a sensitivity label as an IP option [53]. CIPSO is specified in the FIPS 188 standard and is supported by Trusted Solaris 8 and other labeled systems. When specifying the labeling policy for network attributes, both label ranges and sets of disjoint labels can be enumerated. This ability to define the labeling policy precisely is required to support various multilevel configurations, including guards, NFS servers, Sun Ray servers, name servers, print servers, workstations, and high-assurance grid computing. An administrator can also assign a label range to a router even if the router does not interpret labels. Although each zone has a unique label, specific multilevel services can be configured for each zone.

The network attributes database is maintained in an LDAP directory and shared by all trusted systems that make up a network of multilevel systems. IPsec can be used to authenticate the source IP addresses of incoming packets, to provide integrity protection, and to encrypt data on multilevel networks. Zones can be configured to share a single IP address, or they can be assigned unique IP addresses. Similarly, they can share the same physical network interface, or be configured to use separate network interfaces. Shared and per-zone IP addresses can be used concurrently, with a different labeling policy for each IP address. Solaris Zones technology allows multiple zones to share a single network interface through the use of virtual interfaces. Sharing an IP address across zones is possible in Trusted Extensions because each packet is labeled: when a packet is received, the kernel uses the packet's label to determine the zone to which it is authorized to be delivered. Sharing a single IP address for all zones is convenient for workstations and laptops, especially when DHCP is used, and simplifies deployment into infrastructures with limited IP addresses.
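To make the packet-labeling and zone-delivery mechanism concrete, here is an added example (not code from the book, from Trusted Extensions, or from any Solaris kernel source) that encodes and decodes the CIPSO IPv4 option (option type 134, as specified in FIPS 188) and then applies the two checks a labeled stack performs on receipt: the label must lie within the accredited range of the receiving address, and it must match the label of exactly one single-level zone. Only CIPSO tag type 1 (bit-mapped categories) and tag type 2 (enumerated categories) are handled; the DOI value, zone names, label range and the packet bytes are constructed for illustration.

```python
import struct

# Added example (not from the book or from Trusted Extensions). Labels are
# modelled as (sensitivity_level, frozenset_of_categories).
CIPSO_OPTION_TYPE = 134   # IPv4 option number for CIPSO (FIPS 188)
TAG_BITMAP = 1            # tag type 1: level + category bitmap (category 0 = MSB of octet 0)
TAG_ENUM = 2              # tag type 2: level + list of 16-bit category numbers


def encode_cipso(doi, level, categories):
    """Build a CIPSO option carrying a single tag type 1 label."""
    nbytes = (max(categories) // 8 + 1) if categories else 0
    if nbytes > 30 or not 0 <= level <= 255:
        raise ValueError("label does not fit in a tag type 1 bitmap")
    bitmap = bytearray(nbytes)
    for cat in categories:
        bitmap[cat // 8] |= 0x80 >> (cat % 8)
    tag = bytes([TAG_BITMAP, 4 + nbytes, 0, level]) + bytes(bitmap)
    body = struct.pack(">I", doi) + tag                  # 4-byte domain of interpretation, then tags
    return bytes([CIPSO_OPTION_TYPE, 2 + len(body)]) + body


def decode_cipso(opt):
    """Return (doi, [(level, categories), ...]); raise ValueError on malformed input."""
    if len(opt) < 6 or opt[0] != CIPSO_OPTION_TYPE or opt[1] != len(opt) or len(opt) > 40:
        raise ValueError("bad CIPSO option header")
    doi = struct.unpack(">I", opt[2:6])[0]
    labels, pos = [], 6
    while pos < len(opt):
        if pos + 4 > len(opt):
            raise ValueError("truncated tag")
        ttype, tlen = opt[pos], opt[pos + 1]
        if tlen < 4 or pos + tlen > len(opt):
            raise ValueError("bad tag length")          # reject before reading past the option
        level, payload = opt[pos + 3], opt[pos + 4:pos + tlen]
        if ttype == TAG_BITMAP:
            cats = {i * 8 + b for i, byte in enumerate(payload)
                    for b in range(8) if byte & (0x80 >> b)}
        elif ttype == TAG_ENUM:
            if len(payload) % 2:
                raise ValueError("odd enumerated-category payload")
            cats = set(struct.unpack(">%dH" % (len(payload) // 2), payload))
        else:
            raise ValueError("unsupported CIPSO tag type %d" % ttype)
        labels.append((level, frozenset(cats)))
        pos += tlen
    if not labels:
        raise ValueError("CIPSO option without tags")
    return doi, labels


def dominates(a, b):
    """a dominates b when a's level is at least b's and a's categories include all of b's."""
    return a[0] >= b[0] and a[1] >= b[1]


def deliver(opt, expected_doi, host_range, zones):
    """Pick the zone that may receive a packet with this option, or None to drop it."""
    try:
        doi, labels = decode_cipso(opt)
    except ValueError:
        return None
    if doi != expected_doi or len(labels) != 1:
        return None
    label = labels[0]
    low, high = host_range
    if not (dominates(high, label) and dominates(label, low)):
        return None                                      # outside the accredited range of this address
    for name, zone_label in zones.items():
        if zone_label == label:                          # zones are single-level: exact match only
            return name
    return None


if __name__ == "__main__":
    # Constructed configuration: one shared IP address, three labeled zones.
    zones = {"public": (0, frozenset()),
             "internal": (1, frozenset({0})),
             "secret_a": (2, frozenset({0, 5}))}
    host_range = ((0, frozenset()), (2, frozenset({0, 5, 6})))
    pkt = encode_cipso(100, 2, {0, 5})
    print(pkt.hex(), "->", deliver(pkt, 100, host_range, zones))
```

The dominance relation is the same one used for any MLS comparison on the page, so the range check also expresses how a router or a label-unaware host with an administrator-assigned range is handled: the packet is accepted only if its label sits between the range's low and high labels.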

8.7 TRUSTED EXTENSIONS MULTILEVEL SERVICES

By default, Solaris 10 with Trusted Extensions enables the following multilevel services:
• X11 Window System with the Common Desktop Environment (CDE) or the Gnome desktop
• Printing, using the Internet Printing Protocol (IPP) or the BSD printing protocol
• Network File System
• Sun Directory Server (LDAP server)
• Label Translation Service
• Name Service Cache Daemon
All other services are polyinstantiated in each zone. However, additional multilevel services such as web servers and Secure Shell can be enabled administratively via the Trusted Path. We discuss the multilevel window system and printing in detail below. We also discuss the use of multilevel services across the network, using the labeled networking described in the previous section. Users log in via the Trusted Path and can be authorized to select their multilevel desktop preference (CDE or Gnome-based). Once authenticated, they are presented with an option to select an explicit label or a range of labels within both their clearance and the label range of their workstation or Sun Ray desktop unit. The window system initiates a user session in the zone whose label corresponds to the user's default or minimum label. The window system provides menus for interacting with the Trusted Path to change the label of the current workspace or to create additional labeled workspaces. For each selected label, the
