Trusted Solaris Installation and Configuration

Chapter 5 Configuring a Workstation with No Name Service

This chapter covers how to configure a workstation without a name service. Administration is through local files.


Note -

Installation and configuration commands and actions are limited to particular roles and particular labels. Read each task for the administrative role that can perform it, and the label required.


Who Does What

Trusted Solaris software is designed to be installed and configured by an install team. Once the team has created users who can assume Trusted Solaris roles, and has rebooted the workstation, the software enforces task division by role. If two-person installation is not a site security requirement, you can assign the administrative roles to one person.

Local Files Configuration Tasks

A host that is administered using local files instead of a name service is configured much like a NIS+ root master, except that /etc files are used for administration rather than NIS+ tables.

Other setup tasks, such as protecting file systems, handling mail, and setting up printing are covered in Trusted Solaris Administrator's Procedures.

If you are configuring the workstation to satisfy the criteria for an evaluated configuration, read "Understand Your Site's Security Policy" before you begin.

Depending on how you set up the workstation, some procedures can be omitted.

Log In and Launch a Terminal

  1. Log in to the workstation as the user install.

    See "How to Log In" if you have not logged in before.

  2. Assume the root role.

    See "How to Assume a Role" if you have not assumed a role before.

    You are in a new workspace named root, designed for the root role. The session label is still ADMIN_LOW, but the root role has more powers than the user install.

  3. Launch a terminal.

    See "How to Launch a Terminal" if you are unfamiliar with launching a terminal in the Solaris or Trusted Solaris environment. The terminal contains a profile shell that is specific to the root role.

Protect the Workstation

    Protect the PROM or the BIOS.

    See "How to Protect Machine Hardware" if you are unfamiliar with the steps.

Check and Install the label_encodings File

In this step the site's Trusted Solaris label_encodings(4) file is checked and installed. The file must be compatible with the label_encodings file on every Trusted Solaris host that this workstation communicates with.


Note -

The default label_encodings file is useful for demonstrations, but it is not a good choice for a customer site. If you do plan to use the default file, you can skip this step.


If you are familiar with label encodings files, use the following procedure. If you are not, read the requirements and follow the procedures in Trusted Solaris Label Administration.

    Follow the procedure in "How to Install a Label Encodings File".


    Caution -

    You must successfully complete this step before continuing or the installation will fail.


Initialize the Solaris Management Console

    Follow the procedure "To Initialize the SMC Server".

Set Up Network Files

Perform these tasks only if the security administrator has planned for an open network, you are not using dynamic routing (the default), and this workstation will contact other hosts without using a name service.

Set up Static Routing

    To set up static routing, complete one of the following procedures: "To Set Up Simple Static Routing" or "To Set Up Complex Static Routing".

Set up DNS

    If your workstation is going to use DNS, click the Set DNS Servers action in the System_Admin folder and enter the nameservers.

    For the detailed steps, see "Set Up DNS", but do not edit the nsswitch.conf file.

Add Hosts

    If your workstation is going to contact other hosts, enter them in the /etc/hosts file.

    Follow the procedure "How to Add Hosts".

Assign Templates to Remote Hosts

  1. If this host is going to contact unlabeled hosts, the remote host template database (tnrhtp) must contain an appropriate unlabeled template for them. See "How to Add a Remote Host Template" for the explanation and procedure.

  2. Follow the procedure "How to Assign a Remote Host Template".

    Assign a remote host template to every host or network that this machine may contact. This includes every host listed in the /etc/hosts file.
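The two preceding tasks, "Add Hosts" and "Assign Templates to Remote Hosts", leave a consistency requirement that is easy to miss by hand: every address in /etc/hosts needs a tnrhdb entry, and every template named in tnrhdb must exist in tnrhtp. The following script is an added example, not part of the Trusted Solaris documentation or software, that cross-checks the three local files. It assumes that tnrhdb lines have the form address:template, that tnrhtp lines have the form template:attributes (the attribute text below is an illustrative placeholder), that an address ending in .0 is a network entry covering that class-C network, and that 0.0.0.0 is a catch-all entry; the three files it reads are constructed samples.

```shell
#!/bin/sh
# Added example, not part of the Trusted Solaris documentation or software:
# cross-check the local /etc/hosts against the remote host database (tnrhdb)
# and the template database (tnrhtp), so that every host this workstation
# may contact has a template and every template named in tnrhdb exists.
#
# Assumptions made here, not stated on the page:
#   - tnrhdb lines have the form   address:template
#   - tnrhtp lines have the form   template:attributes   (attributes below
#     are illustrative placeholders)
#   - an address ending in .0 is a network entry covering that class-C
#     network, and 0.0.0.0 is a catch-all entry
# All three files are constructed samples written to a temporary directory;
# point HOSTS, TNRHDB and TNRHTP at the real files to check a live system.

TMPD=$(mktemp -d)
trap 'rm -rf "$TMPD"' EXIT
HOSTS="$TMPD/hosts"
TNRHDB="$TMPD/tnrhdb"
TNRHTP="$TMPD/tnrhtp"

cat > "$HOSTS" <<'EOF'
# constructed sample /etc/hosts
127.0.0.1       localhost
192.168.10.5    tsol-ws   loghost
192.168.10.7    fileserv
192.168.20.9    printsrv
10.1.2.3        legacy-unlabeled
EOF

cat > "$TNRHDB" <<'EOF'
# constructed sample tnrhdb: address:template
127.0.0.1:cipso
192.168.10.5:cipso
192.168.10.7:cipso
192.168.20.0:cipso
172.16.0.0:oldnet
EOF

cat > "$TNRHTP" <<'EOF'
# constructed sample tnrhtp: template:attributes (attributes illustrative)
cipso:host_type=cipso
admin_low:host_type=unlabeled
EOF

# unassigned_hosts HOSTSFILE TNRHDBFILE
# Prints "address name" for every /etc/hosts entry that matches no tnrhdb
# entry, whether an exact address, its .0 network entry or 0.0.0.0.
unassigned_hosts() {
    awk '
        /^[ \t]*(#|$)/ { next }            # skip comments and blank lines
        FNR == NR {                         # first file: tnrhdb
            split($0, f, ":"); assigned[f[1]] = f[2]; next
        }
        {                                   # second file: /etc/hosts
            ip = $1; name = $2
            net = ip; sub(/\.[0-9]+$/, ".0", net)
            if (ip in assigned || net in assigned || ("0.0.0.0" in assigned)) next
            print ip, name
        }
    ' "$2" "$1"
}

# undefined_templates TNRHDBFILE TNRHTPFILE
# Prints "address template" for every tnrhdb entry whose template is not
# defined in tnrhtp.
undefined_templates() {
    awk -F: '
        /^[ \t]*(#|$)/ { next }
        FNR == NR { defined[$1] = 1; next }  # first file: tnrhtp
        !($2 in defined) { print $1, $2 }    # second file: tnrhdb
    ' "$2" "$1"
}

echo "hosts with no tnrhdb template:"
unassigned_hosts "$HOSTS" "$TNRHDB"
echo "tnrhdb entries naming an undefined template:"
undefined_templates "$TNRHDB" "$TNRHTP"
```

With the sample files, the first check reports legacy-unlabeled (10.1.2.3), which has neither an exact entry nor a 10.1.2.0 network entry, and the second reports the 172.16.0.0 entry, whose template oldnet is not defined. Any host that appears in the first list would be unreachable after the reboot, and any template in the second list is a typo or a template that was never added; fix both before continuing. The file formats are assumptions, so confirm them against the tnrhdb and tnrhtp man pages for your release before running the script on live files.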

Create Administrative Roles

The administrative roles must be created before the users are created.

  1. Log in as the user install and assume the root role.

  2. Follow the steps in "How to Create Administrative Roles".

Create Users to Assume Roles

The install team in the root role creates at least two users, to assume the roles secadmin and admin. It is also useful to create one or two users to assume the primaryadmin and oper roles. Where site security permits, a user can be assigned more than one administrative role.


Note -

Prerequisite: The secadmin and admin administrative roles have been created.


    Still in the root role, follow the steps in "To Create a User", and select the this_host: Scope=Files, Policy=TSOL toolbox.

Reboot the Workstation


Note -

This step is required only if you have set up static routing or DNS.


    Reboot the workstation from the Trusted Path (TP) menu, as described in "To Reboot the Workstation".

Verify That Users and Roles Work

    Log in as a user, assume an administrative role, and test the role for effectiveness.

    Using the this_host: Scope=Files, Policy=TSOL toolbox, follow the procedures in "How to Verify that Users and Roles Work" to ensure that every role is working.

Mount File Systems

Perform this task only if the security administrator has planned for an open network, and you plan to access a file server without using a name service.

    Use the SMC Mounts tool to mount the file system, as described in "How to Mount a File System".

Share File Systems

Perform this task only if users on other workstations are permitted to access directories on this workstation.

    To share file systems that other workstations may access, use the SMC Shares tool as described in "How to Share a File System".

Delete the User install

The user install is useful for installing and initially configuring a workstation. Where site security policy requires it, delete the user once configuration is complete.

    See "How to Delete a Local User" if you have not deleted a local user in the Trusted Solaris system before.