This section contains pointers to or examples of creating security templates for the following network configurations:
The DOI is a value different from 1. See How to Configure a Different Domain of Interpretation.
Trusted remote hosts are assigned a specific label. See Example 24, Creating a Security Template for a Gateway That Handles Packets at One Label.
Untrusted remote hosts are assigned a specific label. See Example 25, Creating an Unlabeled Security Template at the Label PUBLIC.
For more examples of security templates that address specific requirements, see Adding Hosts to Security Templates.
Before You Begin
You must be in the global zone in a role that can modify network security. For example, roles that are assigned the Information Security or Network Security rights profiles can modify security values. The Security Administrator role includes these rights profiles.
You can copy and modify these templates, and you can add and remove the hosts that are assigned to them. For an example, see How to Limit the Hosts That Can Be Contacted on the Trusted Network.
For labels such as CONFIDENTIAL, you can use either the label string or the hexadecimal value as the label value. The tncfg command accepts either format.
# atohexlabel "confidential : internal use only"
0x0004-08-48
For more information, see How to Obtain the Hexadecimal Equivalent for a Label.
The tncfg -t command provides three ways to create new templates.
Use the tncfg command in interactive mode. The info subcommand displays the values that are supplied by default. Press the Tab key to complete partial properties and values. Type exit to complete the template.
# tncfg -t newunlabeled
tncfg:newunlabeled> info
name=newunlabeled
host_type=unlabeled
doi=1
def_label=ADMIN_LOW
min_label=ADMIN_LOW
max_label=ADMIN_HIGH
tncfg:newunlabeled> set m<Tab>        (auto-complete shows two possible completions)
set max_label="
set min_label="
tncfg:newunlabeled> set ma<Tab>       (the user types the letter a, and the property name completes)
tncfg:newunlabeled> set max_label=ADMIN_LOW
...
tncfg:newunlabeled> commit
tncfg:newunlabeled> exit
You can also supply the complete list of attributes for a security template on the command line. Semicolons separate the set subcommands. An omitted attribute receives the default value. For information about network security attributes, see Network Security Attributes in Trusted Extensions.
# tncfg -t newunlabeled "set host_type=unlabeled;set doi=1; \
set min_label=ADMIN_LOW;set max_label=ADMIN_LOW"
You can also create a new template by copying an existing one. Setting a new name creates the copy, which you can then modify.
# tncfg -t cipso
tncfg:cipso> set name=newcipso
tncfg:newcipso> info
name=newcipso
host_type=cipso
doi=1
min_label=ADMIN_LOW
max_label=ADMIN_HIGH
Hosts that are assigned to the existing security template are not copied to the new template.
A template can also be created from a template file.
# tncfg -f unlab_1 -f template-file
tncfg:unlab_1> set host_type=unlabeled
...
# tncfg -f template-file
For an example of creating a source template for importing, see the tncfg(8) man page.
Example 24 Creating a Security Template for a Gateway That Handles Packets at One Label
In this example, the security administrator defines a gateway that can only pass packets at the label PUBLIC.
# tncfg -t cipso_public
tncfg:cipso_public> set host_type=cipso
tncfg:cipso_public> set doi=1
tncfg:cipso_public> set min_label="public"
tncfg:cipso_public> set max_label="public"
tncfg:cipso_public> commit
tncfg:cipso_public> exit
The security administrator then adds the gateway host to the security template. For the addition, see Example 27, Creating a Gateway That Handles Packets at One Label.
Example 25 Creating an Unlabeled Security Template at the Label PUBLIC
In this example, the security administrator creates an unlabeled template for untrusted hosts that can receive and send packets at the PUBLIC label only. This template might be assigned to hosts whose file systems must be mounted at the PUBLIC label by Trusted Extensions systems.
# tncfg -t public
tncfg:public> set host_type=unlabeled
tncfg:public> set doi=1
tncfg:public> set def_label="public"
tncfg:public> set min_label="public"
tncfg:public> set max_label="public"
tncfg:public> commit
tncfg:public> exit
The security administrator then adds hosts to the security template. For the addition, see Example 38, Creating an Unlabeled Subnetwork at the Label PUBLIC.
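As an added example that is not part of this documentation, the following shell function builds the non-interactive tncfg command line for a template (the command-line form shown earlier in this procedure) and checks the invariants that Examples 24 and 25 rely on before the administrator runs it: a valid host type, a positive DOI, def_label only for unlabeled hosts, and, for a single-label template such as the PUBLIC templates, def_label equal to that one label. It assumes tncfg accepts the quoted subcommand list shown in this procedure; the function name and argument order are hypothetical, and tncfg itself is never executed.

```shell
#!/bin/sh
# Added example, not from the Trusted Extensions documentation: generate the
# non-interactive tncfg command line for a security template and check the
# invariants that the examples above rely on before anything is committed.
# Assumptions: tncfg accepts the quoted "set ...;set ..." list shown in the
# procedure; tncfg itself is never executed here, the command is only printed.

# build_template NAME HOST_TYPE MIN_LABEL MAX_LABEL [DEF_LABEL] [DOI]
# Prints the tncfg invocation on stdout; returns 1 on an invalid template.
build_template() {
    name=$1 host_type=$2 min_label=$3 max_label=$4
    def_label=${5:-} doi=${6:-1}

    case $host_type in
        cipso|unlabeled) ;;
        *) echo "host_type must be cipso or unlabeled: $host_type" >&2; return 1 ;;
    esac
    case $doi in
        ''|*[!0-9]*|0) echo "doi must be a positive integer: $doi" >&2; return 1 ;;
    esac
    if [ "$host_type" = unlabeled ]; then
        # An unlabeled host cannot label its own packets, so the template must
        # supply def_label, and for a single-label template (as in the PUBLIC
        # examples) that default must be the one label the host may use.
        if [ -z "$def_label" ]; then
            echo "unlabeled template needs def_label" >&2; return 1
        fi
        if [ "$min_label" = "$max_label" ] && [ "$def_label" != "$min_label" ]; then
            echo "def_label must equal the single label $min_label" >&2; return 1
        fi
    elif [ -n "$def_label" ]; then
        # CIPSO hosts label their own packets; def_label is not meaningful.
        echo "def_label applies only to unlabeled templates" >&2; return 1
    fi

    subcmds="set host_type=$host_type;set doi=$doi"
    if [ -n "$def_label" ]; then
        subcmds="$subcmds;set def_label=\"$def_label\""
    fi
    subcmds="$subcmds;set min_label=\"$min_label\";set max_label=\"$max_label\""
    # Single quotes keep the shell from splitting the list at the semicolons.
    printf "tncfg -t %s '%s'\n" "$name" "$subcmds"
}

# Usage on the templates from Examples 24 and 25 (constructed input):
build_template cipso_public cipso public public
build_template public unlabeled public public public
```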