This chapter describes how to install the SunScreen software on a system running the Trusted Solaris™ 8 operating environment. Installing SunScreen on a system running Trusted Solaris is different from installing SunScreen on a regular Solaris software system because of the built-in security features. Trusted Solaris is an extension of the Solaris operating environment. Although these systems are similar, there are many differences that can thwart the efforts of an experienced Solaris software systems administrator. The following procedures show you how to prepare and configure a Trusted Solaris system to run the SunScreen firewall software. For more information regarding Trusted Solaris, see the Trusted Solaris 8 Reference Manual. For the latest product information, see the Trusted Solaris 8 Release Notes.
Be sure to make a map of your network before you begin this installation. See "Determining Your Security Policy" in the appendix of the SunScreen Installation Guide for worksheets and instructions to aid you in determining your network configuration and your desired security level.
The following information specifically applies when SunScreen 3.2 is used on a system running the Trusted Solaris 8 operating environment (for more information regarding installing and configuring Trusted Solaris, see Trusted Solaris Installation and Configuration).
Do not use the command line interface to install SunScreen 3.2 on Trusted Solaris 8 as it does not work. Use the File Manager with the admin role as described in "Installing SunScreen on Trusted Solaris" in the SunScreen 3.2 Installation Guide.
SunScreen 3.2 is supported on Trusted Solaris 8, but not on the previous versions, Trusted Solaris 7 or Trusted Solaris 2.5.1.
Use only the File Manager (see "To Install the Software on the Screen") to install the software on your system.
Packets with TSOL, CIPSO, and UNLABELED templates work. While other templates may work, no others were verified.
When two Trusted Solaris systems talk to each other using the TSOL networking protocol, they typically use RPC program 110002 to exchange process attributes for peer processes. The entry in /etc/rpc is: tsolpeerinfo 110002 rpc.getpeerinfo peerinfod.
Services between two Trusted Solaris systems do not work if this service is blocked. You must allow the tsolpeerinfo service through your firewall, and the rule base must allow this service to be initiated from both ends of a connection.
This service works with STATIC NAT when tsolpeerinfo is allowed through in the rule base. However, it does not work with DYNAMIC NAT.
Every process in Trusted Solaris has privileges associated with it (called effective privileges). These effective privileges fall into the following categories:
Some privileges
All privileges
No privileges
A Trusted Solaris file also has a set of privileges called the allowed privileges. When you execute a Trusted Solaris file (to create a process), the resulting process's effective privileges are the intersection of the file's allowed privileges and your privileges as defined in your user rights.
Therefore, all SunScreen executable files must have their allowed privileges set to all. This action is performed during installation of the SunScreen software through pkgadd.
This action is performed by the /usr/lib/sunscreen/lib/pkgadd shell script. When you use the installer, this script is automatically invoked.
A Trusted Solaris system needs the latest revision of the following patches installed from: http://sunsolve.Sun.COM/pub-cgi/show.pl.
110739
110337
110771
Refer to the README file included with the download for instructions.
The SunScreen software is installed by an administrative role. The admin role as described in the Trusted Solaris documentation can be used, or any role that has the Software Installation rights.
The software for the Screen and for the Administration Station is installed by the admin user.
Assume the admin role.
From the front panel, choose Allocate Device, then select and mount the CD-ROM device and wait for the File Manager to appear.
If the File Manager does not appear shortly after allocating and mounting the CD-ROM, start the File Manager manually and select the /cdrom/cdrom0 directory.
In the File Manager, select View Hidden Objects from the View menu.
Double click on .install.
Double click on install.class.
The rest of the installation steps are the same as a regular SunScreen installation. Refer to the appropriate chapter in this book for further instructions on your particular installation.
Assume the admin role.
From the front panel, choose Allocate Device, then select and mount the CD-ROM device and wait for the File Manager to appear.
In the File Manager, select View Hidden Objects from the View menu.
Double click on .install.
Double click on install.class.
The rest of the installation steps are the same as a regular remote SunScreen installation. Refer to the appropriate chapter in this book for further instructions on your particular installation.
If you choose to install the SunScreen software on an Administration Station manually, after adding the sunscreen role, run the /usr/lib/sunscreen/lib/ts_setup command as the sunscreen role.
For a more detailed explanation of trusted networking, see the following URL:
http://www.sun.com/software/solaris/trustedsolaris/trustedsolaris.html
You must create the sunscreen role to administer SunScreen (see "Assuming a Role and Working in a Role Workspace" in Trusted Solaris Administrator's Procedures).
Create a role named sunscreen using the Solaris Management Console as described in the Trusted Solaris documentation.
You can choose any UID and any GID, but you must assign the following rights:
SunScreen -- This is the list of commands needed to administer SunScreen.
Outside Accred -- This is the authorization needed to work at an administrative label.
By default, Trusted Solaris assigns the Basic Solaris User rights to all users. If you have modified your policy.conf file to exclude this right, you can either add this right manually to the sunscreen role or assign the Basic Commands and Basic Actions rights to the sunscreen role. This allows the sunscreen role to perform normal command line operations with no additional privilege.
If you choose to allow the sunscreen role to allocate devices, you must assign Convenient Authorizations rights to the role.
The sunscreen role must have a minimum label of ADMIN_LOW. The clearance can be assigned to ADMIN_HIGH, although this is not required.
For example, the sunscreen role is assigned a UID of 121, if not already in use, and a GID of 10. The SunScreen and Outside Accred rights are assigned to the role, and the minimum label is set to ADMIN_LOW. Make certain to assign a password.
Assign the sunscreen role to the user or users who administer SunScreen.
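An added example, not part of the SunScreen or Trusted Solaris documentation: a shell audit that checks the sunscreen role against the rights listed above. It assumes the role and user entries are available in user_attr(4) format and that default rights are set by PROFS_GRANTED in policy.conf; the function names and sample entries are constructed, and label and password settings are not checked.

```shell
#!/bin/sh
# Added example, not from the SunScreen documentation. Sample data is constructed.
# Assumes user_attr(4) layout (name::::key=value;...) and PROFS_GRANTED in
# policy.conf. On Solaris, run the awk programs with nawk.

# attr_of NAME KEY FILE: print the value of KEY in NAME's user_attr entry.
attr_of() {
    awk -F: -v n="$1" -v k="$2" '$1 == n {
        c = split($5, kv, ";")
        for (i = 1; i <= c; i++)
            if (index(kv[i], k "=") == 1) print substr(kv[i], length(k) + 2)
    }' "$3"
}

# has_item LIST ITEM: true if the comma-separated LIST contains ITEM exactly.
has_item() { case ",$1," in *",$2,"*) return 0 ;; *) return 1 ;; esac; }

# audit_role USER_ATTR POLICY_CONF: print each problem; return 1 if any.
audit_role() {
    profs=$(attr_of sunscreen profiles "$1")
    granted=$(sed -n 's/^PROFS_GRANTED=//p' "$2")
    rc=0
    [ "$(attr_of sunscreen type "$1")" = role ] ||
        { echo "sunscreen is not defined as a role"; rc=1; }
    for p in "SunScreen" "Outside Accred"; do
        has_item "$profs" "$p" || { echo "missing right: $p"; rc=1; }
    done
    # Basic rights come from policy.conf or must be assigned to the role.
    if ! has_item "$granted" "Basic Solaris User" &&
       ! has_item "$profs" "Basic Solaris User" &&
       ! { has_item "$profs" "Basic Commands" &&
           has_item "$profs" "Basic Actions"; }
    then echo "missing right: basic user rights"; rc=1; fi
    # At least one user must be able to assume the role.
    awk -F: '$5 ~ /(^|;)roles=([^;]*,)?sunscreen(,|;|$)/ { f = 1 }
             END { exit !f }' "$1" ||
        { echo "no user is assigned the sunscreen role"; rc=1; }
    return $rc
}

# Constructed sample data: a correctly configured role and one administrator.
d=$(mktemp -d) && trap 'rm -rf "$d"' EXIT
cat > "$d/user_attr" <<'EOF'
sunscreen::::type=role;profiles=SunScreen,Outside Accred
jdoe::::type=normal;roles=admin,sunscreen
EOF
echo 'PROFS_GRANTED=Basic Solaris User' > "$d/policy.conf"
audit_role "$d/user_attr" "$d/policy.conf" && echo "sunscreen role: OK"
```

Point the two arguments at copies of the real user_attr and policy.conf files to run the same checks against a configured system.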