Trusted Solaris Operating System - Technical FAQs

Question

My TSOL system is communicating with other hosts that it shouldn't.

Answer

The system ships with a temporary wildcard entry in /etc/security/tsol/boot/tnrhdb. It is there primarily to make the initial installation work, and it is not necessarily appropriate for the security design of your site.

After installation, it is important to configure the boot-time tnrhdb with entries for your NIS+ master and any other hosts that are needed during boot.

If you do not want to communicate AT ALL with any hosts other than those you have specified in tnrhdb, remove the wildcard entry.

If instead you want to allow a specific type of communication with all unknown hosts, an appropriate 0.0.0.0 entry in /etc/security/tsol/tnrhdb (or the NIS+ tnrhdb) will override the boot-time entry once the system is up.

Once your changes are made, it is CRITICAL that:

-- on TS 2.5.1, the cache files /var/tsol/*_c are removed;
-- on TS 2.5.1 and TS 7, the system is rebooted.
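A pre-reboot sanity check for the procedure above, as an added example; it is not from this FAQ and not part of Trusted Solaris. It assumes tnrhdb entries take the form address:template, one per line, with '#' starting a comment (verify against tnrhdb(4) on your release). The file paths, addresses and template names used in the sample files are constructed placeholders, and the script never touches the real system files or cache files.

```shell
#!/bin/sh
# Added example; not code from the Sun FAQ or from Trusted Solaris.
# Assumptions: tnrhdb entries are "address:template", one per line, '#'
# starts a comment. Template names (tsol, unlab) are placeholders.

# has_entry FILE ADDRESS: succeed if FILE has an uncommented entry for ADDRESS.
has_entry() {
    awk -F: -v a="$2" '
        /^[ \t]*#/ || NF < 2 { next }
        { gsub(/[ \t]/, "", $1) }
        $1 == a { found = 1 }
        END { exit !found }' "$1"
}

# strip_wildcard IN OUT: copy IN to OUT, dropping every 0.0.0.0 entry
# (the installation wildcard) but keeping comments and other entries.
strip_wildcard() {
    awk -F: '
        /^[ \t]*#/ { print; next }
        { a = $1; gsub(/[ \t]/, "", a) }
        a != "0.0.0.0" { print }' "$1" > "$2"
}

# check_tnrhdb BOOT RUNTIME HOST...: report on the boot-time and runtime
# files. Returns 0 only if BOOT has no wildcard entry and carries an explicit
# entry for every HOST needed during boot (NIS+ master, etc.).
check_tnrhdb() {
    boot=$1 runtime=$2
    shift 2
    rc=0
    if has_entry "$boot" 0.0.0.0; then
        echo "WARN: installation wildcard 0.0.0.0 still present in $boot"
        rc=1
    fi
    for h in "$@"; do
        if ! has_entry "$boot" "$h"; then
            echo "FAIL: no boot-time entry for $h (needed during boot)"
            rc=1
        fi
    done
    if has_entry "$runtime" 0.0.0.0; then
        echo "INFO: $runtime sets a 0.0.0.0 default for unknown hosts once the system is up"
    else
        echo "INFO: $runtime sets no default; only listed hosts can communicate"
    fi
    return $rc
}

# demo: run the check against constructed sample files (not real system
# data), then again after stripping the wildcard from the boot-time file.
# Returns the status of the second check.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/boot_tnrhdb" <<'EOF'
# boot-time tnrhdb as shipped (constructed sample)
0.0.0.0:tsol
10.0.0.5:tsol
EOF
    cat > "$dir/tnrhdb" <<'EOF'
# runtime tnrhdb (constructed sample): explicit default for unknown hosts
10.0.0.5:tsol
0.0.0.0:unlab
EOF
    echo "== as shipped =="
    check_tnrhdb "$dir/boot_tnrhdb" "$dir/tnrhdb" 10.0.0.5
    echo "== after removing the wildcard =="
    strip_wildcard "$dir/boot_tnrhdb" "$dir/boot_tnrhdb.new"
    check_tnrhdb "$dir/boot_tnrhdb.new" "$dir/tnrhdb" 10.0.0.5
    rc=$?
    rm -rf "$dir"
    # After installing the edited file: on TS 2.5.1 remove /var/tsol/*_c,
    # and on TS 2.5.1 and TS 7 reboot, or the old entries stay in effect.
    return $rc
}

demo
```

Run the script as-is to see both reports; to check a real system, call check_tnrhdb with the boot-time and runtime file paths and the addresses of the hosts your boot depends on, and only then remove the cache files and reboot.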

See:

Trusted Solaris Administrator's Procedures Manual
        Managing Hosts and Networks
                Specifying Security Attributes in Trusted Network Databases and Setting Up Routing

  • Replacing the Wildcard Entry
  • Boot-time Trusted Network Databases
  • To Change the Default Entry in the Boot-time tnrhdb/tnrhtp Files


URL: http://docs.sun.com/db/doc/805-8055

Applies to Trusted Solaris Release:

1.2, 2.5, 2.5.1, 7