Trusted Solaris
Trusted Solaris is a discontinued security-evaluated operating system based on Solaris by Sun Microsystems, featuring a mandatory access control model. The features were migrated into the base Solaris system.
Features
[edit]- Accounting
- Role-Based Access Control
- Auditing
- Device allocation
- Mandatory access control (MAC) labeling
- Copy & Paste restriction in the labeled desktop environment
Certification
[edit]Trusted Solaris 8 is Common Criteria certified at Evaluation Assurance Level EAL4+ against the CAPP, RBACPP, and LSPP protection profiles. It is the basis for the DoDIIS Trusted Workstation program.[1]
Solaris Trusted Extensions
[edit]Features that were previously only available in Trusted Solaris, such as fine-grained privileges, are now part of the standard Solaris release. In the Solaris 10 11/06 update a new component called Solaris Trusted Extensions was introduced, making it no longer necessary to have a different release with a modified kernel for labeled security environments. Solaris Trusted Extensions was included in the OpenSolaris project.
Solaris Trusted Extensions, when enabled, enforces a mandatory access control policy on all aspects of the operating system, including device access, file, networking, print and window management services. This is achieved by adding sensitivity labels to objects, thereby establishing explicit relationships between these objects. Only appropriate (and explicit) authorization allows applications and users read and/or write access to the objects.
The component also provides labeled security features in a desktop environment. In addition to extending support for the Common Desktop Environment from the Trusted Solaris 8 release, it delivered the first labeled environment based on GNOME.[2] Solaris Trusted Extensions facilitates the access of data at multiple classification levels through a single desktop environment. The labeled desktop support was removed in Oracle Solaris 11.4[3], support for labeled zones and file and process labels remains.
Solaris Trusted Extensions also implements labeled device access and labeled network communication, through the Commercial Internet Protocol Security Option (CIPSO) standard. CIPSO is used to pass security information within and between labeled zones.
Oracle Solaris 11.4 introduced a new "File and Process Labeling" feature that instead of using zones to represent all of the processes at a given label the label is stored in the process cred, this is similar to how labeling had been implemented in Trusted Solaris 8 and earlier. While this is still a Mandatory access control policy it is intended to be used as part of a data loss prevention strategy rather than the traditional Multilevel_security environment. The ZFS filesystem also supports per file labels via the multilevel dataset option.
Common Criteria evaluations that include the labeled security protection profile were performed for: Oracle Solaris 10 11/06 at EAL4+[4], Oracle Solaris 11.1[5].
References
[edit]- ^ Michael Elgo (2004-11-11). "DTW - DODIIS Trusted Workstation" (PDF). Sun Microsystems. Archived from the original (PDF) on 2012-03-03. Retrieved 2019-04-17.
- ^ "Solaris Trusted Extensions Data Sheet". Sun Microsystems. Archived from the original on 2010-07-26. Retrieved 2019-04-17.
- ^ "End of Feature Notices for Oracle Solaris 11.4".
- ^ "Certificate of Evaluation" (PDF).
- ^ "Certificate of Evaluation" (PDF).
External links
[edit]- Official website
- Solaris Trusted Extensions (Opensolaris) at the Wayback Machine (archived 2012-12-09)