Trusted Extensions admin scripts, offered to opensolaris.org
By davew on Aug 17, 2007
As just emailed to the fine folk on security-discuss-AT-opensolaris-DOT-org:
I will shortly have a working set of scripts to assist in the configuration and administration of Trusted Extensions (TX) systems as another element of the "TX-Ranger" initiative, which I've blogged about a little at http://blogs.sun.com/davew/entry/building_tx_ranger.
The idea driving TX-Ranger is to make TXs much easier to set up, play with, hack on, test software with and evaluate in a development environment than it currently is. TX is stunning technology, applicable to far more environments than those in which I see it currently being considered, and it would be a huge shame if its adoption was hampered by a lack of a few tools to make setting it up a straightforward exercise. I want to "make the world a more labelled place", so the easier it is for folk to flex TX's muscles for their purposes, the wider I'll grin :-).
While Trusted Solaris 8 found an almost exclusive home in Defence and Intelligence environments, changes in legislation and configuration mean that Trusted Extensions is far more applicable to today's academic and commercial world. Although the default set of labels (in /etc/security/tsol/label_encodings) reflects this, many organisations (and users) which don't traditionally do data classification could still benefit enormously from it simply by having two labels of "Internet" and "Internal", and allowing data to be written up from "Internet" but not down to it, thus preventing most types of data leak.
Glenn Faden already has some nifty tools for his "safe browsing" environment posted at http://blogs.sun.com/gfaden/entry/ want_to_try_safe_browsing, but this still requires having the base TX system configured correctly.
The TX-Ranger scripts automate much of the current manual effort required to configure a TX environment. While I've been made aware that some prototype Jumpstart tools exist for TX configuration, I have been careful not to examine them as their Open status is not currently guaranteed. The author of the TX-Ranger scripts being offered, Jeff Turner of Context-Switch, has kindly agreed that they can be released to opensolaris.org under a CDDL licence.
Among other things, these scripts (and attendant TX configuration files) will reduce the administrative work needed to set up a new label compartment element, to:
assign-compartment <name> <name presented in list by previous command>
...which is rather more straightforward than the current need to manually modify label_encodings and either put hex-containing strings into tnrhtp or do much mouse-shuffling around the Solaris Management console.
Also, once a label exists, actually making it function currently involves assigning it to a zone, potentially assigning it its own physical interface with zonecfg, cloning the zone, tweaking the zone's config to give it an appropriate IP address, etc. While the elegant little txzonemgr GUI tool makes some of this easier than it sounds, it's still not as easy as:
activate-label <label> <physical interface> <IP addr>
...which is how one of the TX-Ranger scripts is driven :-).
I'd love to hear about how I can best share this material with the OpenSolaris security community.
"The future's bright, the future's labelled" :-).
Client Solutions, Sun Microsystems UK
Tel: +44 780 3079264